/*
 * Policy: screen.
 *
 * CerbNG policy for the setuid-root screen(1) binary: lets screen start
 * as the invoking user (uid 0 is dropped right after the execve), and
 * afterwards grants privilege back only for the few specific syscalls
 * listed below, each under explicit argument checks.
 *
 * (c) 2003 Pawel Jakub Dawidek
 *
 * $Id: screen.cb,v 1.17 2003/08/12 12:56:59 dawidek Exp $
 */

#include "addons.cbh"

#if CERB_VERSION < 2003032101
#error Newer CerbNG required for this policy.
#endif

/* Policy name and the binary it protects; the binary is identified by
 * (inode, device) rather than by path, so renaming/copying it does not
 * carry the rules along. */
#define SCREEN_PNAME	"screen"
#define SCREEN_PATH	"/usr/local/bin/screen"
#define SCREEN_INODE	GET_INODE(SCREEN_PATH)
#define SCREEN_DEV	GET_DEV(SCREEN_PATH)
/* Mode a pty must have (rw-rw-rw-) before screen may chown it to the user. */
#define SCREEN_DEV_PERM	(S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH)
/* Non-zero enables the CB_LOGEXT() messages below. */
#define SCREEN_VERBOSE	1

beginrules
	REGISTER("screen");

#if CERB_VERSION >= 2003062901
	/*
	 * On the initial run, export the constants above as read-only
	 * sysctls. Each #undef/#define that follows a crsysctl() re-points
	 * the macro at the sysctl value; being preprocessor directives they
	 * take effect for the rest of this file unconditionally, not only
	 * inside the INITRUN() branch.
	 */
	if (INITRUN()) {
		crsysctl("screen");
		crsysctl("screen.pname", SCREEN_PNAME, CTLFLAG_RD);
		crsysctl("screen.path", SCREEN_PATH, CTLFLAG_RD);
		crsysctl("screen.inode", SCREEN_INODE);
#undef SCREEN_INODE
#define SCREEN_INODE	CB_SYSCTL("screen.inode")
		crsysctl("screen.dev", SCREEN_DEV);
#undef SCREEN_DEV
#define SCREEN_DEV	CB_SYSCTL("screen.dev")
		crsysctl("screen.dev_perm", SCREEN_DEV_PERM);
#undef SCREEN_DEV_PERM
#define SCREEN_DEV_PERM	CB_SYSCTL("screen.dev_perm")
		crsysctl("screen.verbose", SCREEN_VERBOSE);
#undef SCREEN_VERBOSE
#define SCREEN_VERBOSE	CB_SYSCTL("screen.verbose")
	}
#endif

	/* The only syscalls this policy is invoked for. */
	ADD_SYSCALL(
		SYS_open,
		SYS_execve,
		SYS_geteuid,
		SYS_seteuid,
		SYS_chown
	);

	/*
	 * execve() of the screen binary by a non-root user: let the exec
	 * happen, then strip the setuid-acquired uid 0 so the new process
	 * runs as the real user. The checks further down re-grant privilege
	 * per syscall instead.
	 */
	if (syscall == SYS_execve && ruid > 0) {
		if (getinode(arg[0]) == SCREEN_INODE &&
		    getdev(arg[0]) == SCREEN_DEV) {
			/* Perform the real execve first; propagate any failure. */
			reg[1] = call();
			if (reg[1] != 0) {
				return reg[1];
			}
			/* everything is correct, removing uid 0 */
			if (euid == 0) {
				CB_LOGEXT(SCREEN_VERBOSE, LOG_INFO, "Removed uid 0.");
				/* Presumably effective and saved uid are set to
				 * the real uid here — confirm against CerbNG docs. */
				setpeuid(ruid);
				setpsvuid(ruid);
			}
			return 0;
		}
	}

	/*
	 * Rules below apply to a process whose running image is the screen
	 * binary (finode/fdev) owned by a non-root real uid. sucall() is,
	 * from its use here, the privileged counterpart of call(); the exact
	 * credentials it runs with are defined by CerbNG, not by this file.
	 */
	if (finode == SCREEN_INODE && fdev == SCREEN_DEV && ruid > 0) {
		if (syscall == SYS_chown) {
			/* Only pseudo-terminal devices matching /dev/ttyp? */
			if (arg[0] @ "/dev/ttyp?") {
				/*
				 * Taking a pty: target owner must be the real user
				 * and group "tty", and the device must currently be
				 * root:wheel with exactly SCREEN_DEV_PERM.
				 * NOTE(review): owner/group/mode are checked by path
				 * before the privileged call; this relies on the path
				 * naming the same object at check and at use time.
				 */
				if (arg[1] == ruid && arg[2] == GET_GID("tty") &&
				    getouid(arg[0]) == 0 && getogid(arg[0]) == 0 &&
				    getmode(arg[0]) == SCREEN_DEV_PERM) {
					reg[0] = sucall();
					CB_LOGEXT(SCREEN_VERBOSE, LOG_INFO, "Changing "
					    "owner of %s (%u:%u) [ret=%d].",
					    arg[0], arg[1], arg[2], reg[0]);
					return reg[0];
				}
				/*
				 * Giving a pty back: may only restore 0:0 on a
				 * device the real user currently owns. The mode is
				 * not checked on this path, unlike the one above.
				 */
				if (arg[1] == 0 && arg[2] == 0 &&
				    getouid(arg[0]) == ruid) {
					reg[0] = sucall();
					CB_LOGEXT(SCREEN_VERBOSE, LOG_INFO, "Changing "
					    "owner of %s (%u:%u) [ret=%d].",
					    arg[0], arg[1], arg[2], reg[0]);
					return reg[0];
				}
			}
		}

		if (syscall == SYS_open) {
			/* utmp accounting: exact path and exactly O_RDWR, no
			 * extra flags (O_CREAT, O_TRUNC, ...) accepted. */
			if (arg[0] == "/var/run/utmp" && arg[1] == O_RDWR) {
				reg[0] = sucall();
				CB_LOGEXT(SCREEN_VERBOSE, LOG_INFO, "Openning %s "
				    "(flags=%x) [ret=%d].", arg[0], arg[1], reg[0]);
				return reg[0];
			}
			/* Shadow password db, read-only only (screen's lock
			 * command re-authenticates the user). */
			if (arg[0] == "/etc/spwd.db" && arg[1] == O_RDONLY) {
				reg[0] = sucall();
				CB_LOGEXT(SCREEN_VERBOSE, LOG_INFO, "Openning %s "
				    "(flags=%x) [ret=%d].", arg[0], arg[1], reg[0]);
				return reg[0];
			}
		}

		/* screen believes it is still setuid root; the real uid 0 was
		 * dropped at execve, so answer without performing the call. */
		if (syscall == SYS_seteuid) {
			/* Sending fake answer. */
			return 0;
		}
		if (syscall == SYS_geteuid) {
			/* Sending fake answer. */
			/* Report euid 0 to the caller without running the syscall. */
			retval = 0;
			return 0;
		}
	}
endrules