syntax = "proto3";
/*
 * Envelope for messages sent by sudo_intercept.so.  Each message on
 * the wire is preceded by a 32-bit size in network byte order.
 * At most one member of the oneof is set.
 *
 * NOTE(review): the size prefix is supplied by the peer; the reader
 * should enforce an upper bound on it before allocating or parsing.
 * The limit is not visible in this file -- confirm in the receiver.
 */
message InterceptRequest {
  oneof type {
    /* Request to check a command against the policy. */
    PolicyCheckRequest policy_check_req = 1;
    /* Initial hello; answered with a HelloResponse. */
    InterceptHello hello = 2;
  }
}
/*
 * Hello sent by sudo_intercept.so to the main sudo process.
 * Sudo replies with the token and the localhost port number.
 */
message InterceptHello {
  /*
   * Process ID reported by the sender.
   * NOTE(review): this value is self-reported; presumably it should
   * not be relied on as proof of the sender's identity -- confirm
   * how the receiver uses it.
   */
  int32 pid = 1;
}
/*
 * Sudo's reply to an InterceptHello from sudo_intercept.so.
 * The client connects back to sudo using the port number and token.
 * When log_only is set, a PolicyCheckRequest gets no InterceptResponse.
 *
 * NOTE(review): the token is what the client presents when connecting
 * back, so it acts as a secret.  Generation and comparison are not
 * visible here -- confirm it is unpredictable and checked in full.
 */
message HelloResponse {
  /* Token, carried as two 64-bit fields (presumably low half). */
  fixed64 token_lo = 1;
  /* Token, second 64-bit field (presumably high half). */
  fixed64 token_hi = 2;
  /*
   * Localhost port number for the connection back to sudo.
   * NOTE(review): int32 admits values outside the TCP port range;
   * the client should range-check before use -- confirm.
   */
  int32 portno = 3;
  /* If set, no InterceptResponse is sent for a PolicyCheckRequest. */
  bool log_only = 4;
}
/*
 * Policy check request sent by sudo_intercept.so.
 * The plugin API currently only supports passing the new environment
 * in to the open() function.
 *
 * NOTE(review): every field is filled in by the client side, so the
 * policy check should treat them as untrusted input (length, count
 * and content) -- confirm the validation done by the receiver.
 */
message PolicyCheckRequest {
  /* Command to be checked (presumably its path -- TODO confirm). */
  string command = 1;
  /* Working directory reported with the request. */
  string cwd = 2;
  /* Argument vector reported with the request. */
  repeated string argv = 3;
  /* Environment reported with the request. */
  repeated string envp = 4;
  /*
   * Not documented in this file; presumably a file descriptor number
   * on the client side -- TODO confirm meaning and valid range.
   */
  int32 intercept_fd = 5;
}
/*
 * Carried in InterceptResponse as accept_msg.
 * NOTE(review): the field names suggest these are the command,
 * argument vector and environment the client is to run, which may
 * differ from what was requested -- confirm against the sender.
 */
message PolicyAcceptMessage {
  string run_command = 1;
  repeated string run_argv = 2;
  repeated string run_envp = 3;
}
/*
 * Carried in InterceptResponse as reject_msg.
 */
message PolicyRejectMessage {
  /* Text accompanying the rejection (presumably shown to the user). */
  string reject_message = 1;
}
/*
 * Carried in InterceptResponse as error_msg.
 */
message PolicyErrorMessage {
  /* Text describing the error (presumably shown to the user). */
  string error_message = 1;
}
/*
 * Envelope for responses sent back to sudo_intercept.so.
 * At most one member of the oneof is set.
 */
message InterceptResponse {
  oneof type {
    /* Reply to an InterceptHello. */
    HelloResponse hello_resp = 1;
    /* Policy check outcome: accepted. */
    PolicyAcceptMessage accept_msg = 2;
    /* Policy check outcome: rejected. */
    PolicyRejectMessage reject_msg = 3;
    /* Policy check outcome: error. */
    PolicyErrorMessage error_msg = 4;
  }
}