diff options
Diffstat (limited to 'src/intercept.proto')
-rw-r--r-- | src/intercept.proto | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/src/intercept.proto b/src/intercept.proto new file mode 100644 index 0000000..53a068a --- /dev/null +++ b/src/intercept.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +/* + * Intercept message from sudo_intercept.so. Messages on the + * wire are prefixed with a 32-bit size in network byte order. + */ +message InterceptRequest { + oneof type { + PolicyCheckRequest policy_check_req = 1; + InterceptHello hello = 2; + } +} + +/* + * Hello message from sudo_intercept.so to main sudo process. + * Sudo sends back the token and localhost port number. + */ +message InterceptHello { + int32 pid = 1; +} + +/* + * Sudo response to an InterceptHello from sudo_intercept.so. + * The client uses the port number and token to connect back to sudo. + * If log_only is set there is no InterceptResponse to a PolicyCheckRequest. + */ +message HelloResponse { + fixed64 token_lo = 1; + fixed64 token_hi = 2; + int32 portno = 3; + bool log_only = 4; +} + +/* + * Policy check request from sudo_intercept.so. + * Note that the plugin API only currently supports passing + * the new environment in to the open() function. + */ +message PolicyCheckRequest { + string command = 1; + string cwd = 2; + repeated string argv = 3; + repeated string envp = 4; + int32 intercept_fd = 5; +} + +message PolicyAcceptMessage { + string run_command = 1; + repeated string run_argv = 2; + repeated string run_envp = 3; +} + +message PolicyRejectMessage { + string reject_message = 1; +} + +message PolicyErrorMessage { + string error_message = 1; +} + +/* + * Response sent back to sudo_intercept.so. + */ +message InterceptResponse { + oneof type { + HelloResponse hello_resp = 1; + PolicyAcceptMessage accept_msg = 2; + PolicyRejectMessage reject_msg = 3; + PolicyErrorMessage error_msg = 4; + } +} |