diff options
Diffstat (limited to '')
-rw-r--r-- | src/sudo.h | 352 |
1 files changed, 352 insertions, 0 deletions
diff --git a/src/sudo.h b/src/sudo.h new file mode 100644 index 0000000..5156cc3 --- /dev/null +++ b/src/sudo.h @@ -0,0 +1,352 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 1993-1996, 1998-2005, 2007-2023 + * Todd C. Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ + +#ifndef SUDO_SUDO_H +#define SUDO_SUDO_H + +#include <limits.h> +#ifdef HAVE_STDBOOL_H +# include <stdbool.h> +#else +# include <compat/stdbool.h> +#endif /* HAVE_STDBOOL_H */ +#ifdef HAVE_PRIV_SET +# include <priv.h> +#endif + +#include <pathnames.h> +#include <sudo_compat.h> +#include <sudo_conf.h> +#include <sudo_debug.h> +#include <sudo_event.h> +#include <sudo_fatal.h> +#include <sudo_gettext.h> +#include <sudo_queue.h> +#include <sudo_util.h> + +/* Enable asserts() to avoid static analyzer false positives. */ +#if !(defined(SUDO_DEVEL) || defined(__clang_analyzer__) || defined(__COVERITY__)) +# define NDEBUG +#endif + +/* + * Various modes sudo can be in (based on arguments) in hex + */ +#define MODE_RUN 0x00000001U +#define MODE_EDIT 0x00000002U +#define MODE_VALIDATE 0x00000004U +#define MODE_INVALIDATE 0x00000008U +#define MODE_KILL 0x00000010U +#define MODE_VERSION 0x00000020U +#define MODE_HELP 0x00000040U +#define MODE_LIST 0x00000080U +#define MODE_CHECK 0x00000100U +#define MODE_MASK 0x0000ffffU + +/* Mode flags */ +/* XXX - prune this */ +#define MODE_BACKGROUND 0x00010000U +#define MODE_SHELL 0x00020000U +#define MODE_LOGIN_SHELL 0x00040000U +#define MODE_IMPLIED_SHELL 0x00080000U +#define MODE_RESET_HOME 0x00100000U +#define MODE_PRESERVE_GROUPS 0x00200000U +#define MODE_PRESERVE_ENV 0x00400000U +#define MODE_NONINTERACTIVE 0x00800000U +#define MODE_LONG_LIST 0x01000000U + +/* Indexes into sudo_settings[] args, must match parse_args.c. */ +#define ARG_BSDAUTH_TYPE 0 +#define ARG_LOGIN_CLASS 1 +#define ARG_PRESERVE_ENVIRONMENT 2 +#define ARG_RUNAS_GROUP 3 +#define ARG_SET_HOME 4 +#define ARG_USER_SHELL 5 +#define ARG_LOGIN_SHELL 6 +#define ARG_IGNORE_TICKET 7 +#define ARG_UPDATE_TICKET 8 +#define ARG_PROMPT 9 +#define ARG_SELINUX_ROLE 10 +#define ARG_SELINUX_TYPE 11 +#define ARG_RUNAS_USER 12 +#define ARG_PROGNAME 13 +#define ARG_IMPLIED_SHELL 14 +#define ARG_PRESERVE_GROUPS 15 +#define ARG_NONINTERACTIVE 16 +#define ARG_SUDOEDIT 17 +#define ARG_CLOSEFROM 18 +#define ARG_NET_ADDRS 19 +#define ARG_MAX_GROUPS 20 +#define ARG_PLUGIN_DIR 21 +#define ARG_REMOTE_HOST 22 +#define ARG_TIMEOUT 23 +#define ARG_CHROOT 24 +#define ARG_CWD 25 +#define ARG_ASKPASS 26 +#define ARG_INTERCEPT_SETID 27 +#define ARG_INTERCEPT_PTRACE 28 +#define ARG_APPARMOR_PROFILE 29 + +/* + * Flags for tgetpass() + */ +#define TGP_NOECHO 0x00U /* turn echo off reading pw (default) */ +#define TGP_ECHO 0x01U /* leave echo on when reading passwd */ +#define TGP_STDIN 0x02U /* read from stdin, not /dev/tty */ +#define TGP_ASKPASS 0x04U /* read from askpass helper program */ +#define TGP_MASK 0x08U /* mask user input when reading */ +#define TGP_NOECHO_TRY 0x10U /* turn off echo if possible */ +#define TGP_BELL 0x20U /* bell on password prompt */ + +/* name/value pairs for command line settings. */ +struct sudo_settings { + const char *name; + const char *value; +}; + +/* Sudo user credentials */ +struct sudo_cred { + uid_t uid; + uid_t euid; + uid_t gid; + uid_t egid; + int ngroups; + GETGROUPS_T *groups; +}; + +struct user_details { + struct sudo_cred cred; + pid_t pid; + pid_t ppid; + pid_t pgid; + pid_t tcpgid; + pid_t sid; + const char *username; + const char *cwd; + const char *tty; + const char *host; + const char *shell; + int ts_rows; + int ts_cols; +}; + +#define CD_SET_UID 0x00000001U +#define CD_SET_EUID 0x00000002U +#define CD_SET_GID 0x00000004U +#define CD_SET_EGID 0x00000008U +#define CD_PRESERVE_GROUPS 0x00000010U +#define CD_INTERCEPT 0x00000020U +#define CD_NOEXEC 0x00000040U +#define CD_SET_PRIORITY 0x00000080U +#define CD_SET_UMASK 0x00000100U +#define CD_SET_TIMEOUT 0x00000200U +#define CD_SUDOEDIT 0x00000400U +#define CD_BACKGROUND 0x00000800U +#define CD_RBAC_ENABLED 0x00001000U +#define CD_USE_PTY 0x00002000U +#define CD_SET_UTMP 0x00004000U +#define CD_EXEC_BG 0x00008000U +#define CD_SUDOEDIT_FOLLOW 0x00010000U +#define CD_SUDOEDIT_CHECKDIR 0x00020000U +#define CD_SET_GROUPS 0x00040000U +#define CD_LOGIN_SHELL 0x00080000U +#define CD_OVERRIDE_UMASK 0x00100000U +#define CD_LOG_SUBCMDS 0x00200000U +#define CD_USE_PTRACE 0x00400000U +#define CD_FEXECVE 0x00800000U +#define CD_INTERCEPT_VERIFY 0x01000000U +#define CD_RBAC_SET_CWD 0x02000000U +#define CD_CWD_OPTIONAL 0x04000000U + +struct preserved_fd { + TAILQ_ENTRY(preserved_fd) entries; + int lowfd; + int highfd; + int flags; +}; +TAILQ_HEAD(preserved_fd_list, preserved_fd); + +struct command_details { + struct sudo_cred cred; + mode_t umask; + int argc; + int priority; + unsigned int timeout; + int closefrom; + unsigned int flags; + int execfd; + int nfiles; + struct preserved_fd_list preserved_fds; + struct passwd *pw; + const char *command; + const char *runas_user; + const char *runcwd; + const char *submitcwd; + const char *login_class; + const char *chroot; + const char *selinux_role; + const char *selinux_type; + const char *apparmor_profile; + const char *utmp_user; + const char *tty; + char **argv; + char **envp; +#ifdef HAVE_PRIV_SET + priv_set_t *privs; + priv_set_t *limitprivs; +#endif + char * const *info; +}; + +/* Status passed between parent and child via socketpair */ +struct command_status { +#define CMD_INVALID 0 +#define CMD_ERRNO 1 +#define CMD_WSTATUS 2 +#define CMD_SIGNO 3 +#define CMD_PID 4 + int type; + int val; +}; + +/* Garbage collector data types. */ +enum sudo_gc_types { + GC_UNKNOWN, + GC_VECTOR, + GC_PTR +}; + +/* For fatal() and fatalx() (XXX - needed?) */ +void cleanup(int); + +/* tgetpass.c */ +char *tgetpass(const char *prompt, int timeout, unsigned int flags, + struct sudo_conv_callback *callback); +const struct sudo_cred *sudo_askpass_cred(const struct sudo_cred *cred); + +/* exec.c */ +int sudo_execute(struct command_details *details, const struct user_details *ud, struct sudo_event_base *evbase, struct command_status *cstat); + +/* parse_args.c */ +unsigned int parse_args(int argc, char **argv, const char *shell, + int *old_optind, int *nargc, char ***nargv, + struct sudo_settings **settingsp, char ***env_addp, const char **list_user); +extern unsigned int tgetpass_flags; + +/* get_pty.c */ +char *get_pty(int *leader, int *follower, uid_t uid); + +/* sudo.c */ +int policy_init_session(struct command_details *details); +int run_command(struct command_details *command_details, const struct user_details *user_details); +int os_init_common(int argc, char *argv[], char *envp[]); +bool gc_add(enum sudo_gc_types type, void *v); +bool set_user_groups(struct command_details *details); +struct sudo_plugin_event *sudo_plugin_event_alloc(void); +bool audit_accept(const char *plugin_name, unsigned int plugin_type, + char * const command_info[], char * const run_argv[], + char * const run_envp[]); +bool audit_reject(const char *plugin_name, unsigned int plugin_type, + const char *audit_msg, char * const command_info[]); +bool audit_error(const char *plugin_name, unsigned int plugin_type, + const char *audit_msg, char * const command_info[]); +bool approval_check(char * const command_info[], char * const run_argv[], + char * const run_envp[]); +extern int sudo_debug_instance; + +/* sudo_edit.c */ +int sudo_edit(struct command_details *command_details, const struct user_details *user_details); + +/* parse_args.c */ +sudo_noreturn void usage(void); + +/* openbsd.c */ +int os_init_openbsd(int argc, char *argv[], char *envp[]); + +/* selinux.c */ +int selinux_audit_role_change(void); +int selinux_getexeccon(const char *role, const char *type); +int selinux_relabel_tty(const char *ttyn, int ttyfd); +int selinux_restore_tty(void); +int selinux_setexeccon(void); +void selinux_execve(int fd, const char *path, char *const argv[], + char *envp[], const char *rundir, unsigned int flags); + +/* apparmor.c */ +int apparmor_is_enabled(void); +int apparmor_prepare(const char* new_profile); + +/* solaris.c */ +void set_project(struct passwd *); +int os_init_solaris(int argc, char *argv[], char *envp[]); + +/* hooks.c */ +/* XXX - move to sudo_plugin_int.h? */ +struct sudo_hook; +int register_hook(struct sudo_hook *hook); +int deregister_hook(struct sudo_hook *hook); +int process_hooks_getenv(const char *name, char **val); +int process_hooks_setenv(const char *name, const char *value, int overwrite); +int process_hooks_putenv(char *string); +int process_hooks_unsetenv(const char *name); + +/* env_hooks.c */ +char *getenv_unhooked(const char *name); + +/* interfaces.c */ +int get_net_ifs(char **addrinfo); + +char *get_process_ttyname(char *name, size_t namelen); + +/* signal.c */ +struct sigaction; +int sudo_sigaction(int signo, struct sigaction *sa, struct sigaction *osa); +void init_signals(void); +void restore_signals(void); +void save_signals(void); +bool signal_pending(int signo); + +/* preload.c */ +void preload_static_symbols(void); + +/* preserve_fds.c */ +int add_preserved_fd(struct preserved_fd_list *pfds, int fd); +void closefrom_except(int startfd, struct preserved_fd_list *pfds); +void parse_preserved_fds(struct preserved_fd_list *pfds, const char *fdstr); + +/* limits.c */ +void disable_coredump(void); +void restore_limits(void); +void restore_nproc(void); +void set_policy_rlimits(void); +void unlimit_nproc(void); +void unlimit_sudo(void); +size_t serialize_rlimits(char **info, size_t info_max); +bool parse_policy_rlimit(const char *str); + +/* exec_ptrace.c */ +void exec_ptrace_fix_flags(struct command_details *details); +bool exec_ptrace_intercept_supported(void); +bool exec_ptrace_subcmds_supported(void); + +#endif /* SUDO_SUDO_H */ |