/*
 * Policy: noexec-by-group.
 *
 * (c) 2002, 2003 Pawel Jakub Dawidek <nick@garage.freebsd.pl>
 *
 * $Id: noexec-by-group.cb,v 1.15 2003/09/24 21:21:26 dawidek Exp $
 */

#include "addons.cbh"

#if CERB_VERSION < 2003032101
#error	Newer CerbNG required for this policy.
#endif


#define NOEXEC_BY_GROUP_GID	GET_GID("exec")
#define NOEXEC_BY_GROUP_VERBOSE	1


beginrules

REGISTER("noexec-by-group");

#if CERB_VERSION >= 2003062901
if (INITRUN()) {
	crsysctl("noexec_by_group");
	crsysctl("noexec_by_group.gid", NOEXEC_BY_GROUP_GID);
#undef	NOEXEC_BY_GROUP_GID
#define	NOEXEC_BY_GROUP_GID	CB_SYSCTL("noexec_by_group.gid")
	crsysctl("noexec_by_group.verbose", NOEXEC_BY_GROUP_VERBOSE);
#undef	NOEXEC_BY_GROUP_VERBOSE
#define	NOEXEC_BY_GROUP_VERBOSE	CB_SYSCTL("noexec_by_group.verbose")
}
#endif

ADD_SYSCALL(SYS_execve);

if (syscall == SYS_execve && ruid >= 1000 &&
    tabindex(NOEXEC_BY_GROUP_GID, groups) < 0) {
	reg[0] = rmenv("LD_*");	/* Removing enviroments that match to LD_* */
	if (reg[0] > 0) {
		CB_LOGEXT(NOEXEC_BY_GROUP_VERBOSE, LOG_WARNING, "Removed %u "
		    "environments.", reg[0]);
	}
	/*
	 * Getting owner uid of file specified as first argument of syscall.
	 */
	if (getouid(arg[0]) >= 1000) {	/*
					 * user can only
					 * run system binaries
					 */
		CB_LOGEXT(NOEXEC_BY_GROUP_VERBOSE, LOG_WARNING, "!WARN! Don't "
		    "have permission to run %s (%s).", arg[0],
		    realpath(arg[0]));
		return EPERM;
	}
}

endrules