/*
 * Policy: restricted-debug.
 *
 * Restricts the debugging syscalls (ptrace/ktrace) to root and to members
 * of the ,,debug'' group; every other caller gets EPERM and a log entry.
 *
 * (c) 2002, 2003 Pawel Jakub Dawidek
 *
 * $Id: restricted-debug.cb,v 1.12 2003/09/24 21:21:27 dawidek Exp $
 */

#include "addons.cbh"

/* The policy relies on features that older CerbNG releases do not provide. */
#if CERB_VERSION < 2003032101
#error Newer CerbNG required for this policy.
#endif

/*
 * Compile-time defaults. The gid is resolved from the group name "debug";
 * verbose logging is on (1). On new enough CerbNG both are re-pointed at
 * sysctls below, so these values only act as initial settings there.
 */
#define RESTRICTED_DEBUG_GID		GET_GID("debug")
#define RESTRICTED_DEBUG_VERBOSE	1

beginrules

REGISTER("restricted-debug");

#if CERB_VERSION >= 2003062901
/*
 * On the first run create the sysctl tree, seeded with the compile-time
 * defaults. After each crsysctl() the macro is redefined so that every
 * later use in this file reads the sysctl instead of the constant
 * (preprocessor redefinition is textual, so the crsysctl() calls above
 * each #undef still see the original default). Presumably this lets an
 * administrator change the gid and verbosity at runtime without reloading
 * the policy -- confirm against the CerbNG documentation for CB_SYSCTL.
 * On older CerbNG this block is compiled out and the constants stay fixed.
 */
if (INITRUN()) {
	crsysctl("restricted_debug");
	crsysctl("restricted_debug.gid", RESTRICTED_DEBUG_GID);
#undef RESTRICTED_DEBUG_GID
#define RESTRICTED_DEBUG_GID	CB_SYSCTL("restricted_debug.gid")
	crsysctl("restricted_debug.verbose", RESTRICTED_DEBUG_VERBOSE);
#undef RESTRICTED_DEBUG_VERBOSE
#define RESTRICTED_DEBUG_VERBOSE	CB_SYSCTL("restricted_debug.verbose")
}
#endif

/* The only syscalls this policy hooks. */
ADD_SYSCALL(SYS_ktrace, SYS_ptrace);

/*
 * Allow debug syscalls only for root and ,,debug'' group members.
 *
 * The check is on the caller's uid being non-zero AND the debug gid being
 * absent from the caller's group list; either root or group membership is
 * sufficient. NOTE(review): assumes ruid is the *real* uid, so a
 * set-uid-root program started by an unprivileged user outside the group
 * is still denied (stricter than an euid check) -- confirm this is the
 * intended semantics. The first CB_LOGEXT argument looks like a verbosity
 * gate for the log line -- verify against CB_LOGEXT's definition.
 * The log text "permited" is a typo for "permitted" (runtime string, left
 * as is here).
 */
if (syscall == SYS_ptrace || syscall == SYS_ktrace) {
	if (ruid > 0 && tabindex(RESTRICTED_DEBUG_GID, groups) < 0) {
		CB_LOGEXT(RESTRICTED_DEBUG_VERBOSE, LOG_WARNING, "!!WARN!! "
		    "Syscall %s() isn't permited.", syscallname);
		/* Deny the syscall; the caller sees EPERM. */
		return EPERM;
	}
}

endrules