/*
 * Policy: restricted-link.
 *
 * (c) 2002, 2003 Pawel Jakub Dawidek
 *
 * $Id: restricted-link.cb,v 1.11 2003/09/24 21:21:27 dawidek Exp $
 */

/*
 * Summary: hooks link(2) and returns EPERM when a caller whose real uid is
 * non-zero, and whose group list does not contain the "linkallow" gid, asks
 * for a hard link to a path whose owner (as reported by getouid()) is not
 * the caller's real uid.  Every other link(2) call falls through this policy.
 *
 * Hardening rationale (general, not stated in this file): refusing hard links
 * to files the caller does not own keeps unprivileged users from holding
 * extra names for other users' or privileged files.
 */

#include "addons.cbh"

/* Refuse to build against a CerbNG older than the release this policy needs. */
#if CERB_VERSION < 2003032101
#error Newer CerbNG required for this policy.
#endif

/*
 * Compile-time defaults.
 *   RESTRICTED_LINK_ALLOW_GID - gid looked up by name "linkallow"; members are
 *                               exempt from the ownership test below.
 *   RESTRICTED_LINK_VERBOSE   - first argument handed to CB_LOGEXT().
 * NOTE(review): what GET_GID() yields when the "linkallow" group does not
 * exist is not visible here -- confirm it cannot match a real gid.
 */
#define RESTRICTED_LINK_ALLOW_GID GET_GID("linkallow")
#define RESTRICTED_LINK_VERBOSE 1

beginrules

REGISTER("restricted-link");

#if CERB_VERSION >= 2003062901
/*
 * On newer CerbNG the two settings are registered under "restricted_link.*"
 * (presumably as runtime-tunable sysctl nodes -- confirm against crsysctl())
 * and seeded with the compile-time defaults above.
 *
 * The #undef/#define pairs are preprocessor directives, so assuming standard
 * preprocessor semantics they are NOT scoped by the if (INITRUN()) block:
 * from each redefinition to the end of the file the macro expands to the
 * CB_SYSCTL() lookup.  The crsysctl() call that precedes each redefinition
 * therefore still sees the compile-time default.
 *
 * Security note: once the values come from CB_SYSCTL(), whoever may change
 * restricted_link.allow_gid controls which group bypasses this policy.
 */
if (INITRUN()) {
	crsysctl("restricted_link");
	crsysctl("restricted_link.allow_gid", RESTRICTED_LINK_ALLOW_GID);
#undef RESTRICTED_LINK_ALLOW_GID
#define RESTRICTED_LINK_ALLOW_GID CB_SYSCTL("restricted_link.allow_gid")
	crsysctl("restricted_link.verbose", RESTRICTED_LINK_VERBOSE);
#undef RESTRICTED_LINK_VERBOSE
#define RESTRICTED_LINK_VERBOSE CB_SYSCTL("restricted_link.verbose")
}
#endif

/*
 * Only SYS_link is registered with this policy.
 * NOTE(review): any other syscall on the target system that can create a
 * hard link would not pass through this check -- verify coverage.
 */
ADD_SYSCALL(SYS_link);

/*
 * Applies only when all three hold:
 *   - the intercepted syscall is link(2);
 *   - the real uid is above 0 (the test is on ruid, not the effective uid, so
 *     a process with ruid 0 is never restricted and a process with a non-zero
 *     ruid always is, whatever its effective uid);
 *   - tabindex() reports a negative value for the allow gid in `groups`
 *     (presumably "not found" -- confirm against tabindex()).
 */
if (syscall == SYS_link && ruid > 0 &&
    tabindex(RESTRICTED_LINK_ALLOW_GID, groups) < 0) {
	/*
	 * arg[0] is the first argument of link(2), i.e. the existing path.
	 * getouid() presumably returns the uid owning that path.
	 * NOTE(review): this is a path-based check made before the syscall
	 * runs; whether the object examined here is guaranteed to be the one
	 * the kernel later links depends on how CerbNG resolves arg[0] --
	 * confirm there is no check/use gap.
	 */
	if (getouid(arg[0]) != ruid) {
		/*
		 * Logs both the path as supplied and realpath(arg[0]); the
		 * supplied path is caller-controlled text, so log consumers
		 * should treat it as untrusted.
		 */
		CB_LOGEXT(RESTRICTED_LINK_VERBOSE, LOG_WARNING, "!WARN! Don't "
		    "have permission for link creation to %s (%s).", arg[0],
		    realpath(arg[0]));
		/* Deny the link(2) call. */
		return EPERM;
	}
}

endrules