mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
462 lines
12 KiB
Tcl
462 lines
12 KiB
Tcl
# safeinit.tcl --
|
|
#
|
|
# This code runs in a master to manage a safe slave with Safe Tcl.
|
|
# See the safe.n man page for details.
|
|
#
|
|
# Copyright (c) 1996-1997 Sun Microsystems, Inc.
|
|
#
|
|
# See the file "license.terms" for information on usage and redistribution
|
|
# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
|
|
#
|
|
# SCCS: @(#) safeinit.tcl 1.38 97/06/20 12:57:39
|
|
|
|
# This procedure creates a safe slave, initializes it with the
|
|
# safe base and installs the aliases for the security policy mechanism.
|
|
|
|
proc tcl_safeCreateInterp {slave} {
|
|
global auto_path
|
|
|
|
# Create the slave.
|
|
interp create -safe $slave
|
|
|
|
# Set its auto_path
|
|
interp eval $slave [list set auto_path $auto_path]
|
|
|
|
# And initialize it.
|
|
return [tcl_safeInitInterp $slave]
|
|
}
|
|
|
|
# This procedure applies the initializations to an already existing
|
|
# interpreter. It is useful when you want to enable an interpreter
|
|
# created with "interp create -safe" to use security policies.
|
|
|
|
proc tcl_safeInitInterp {slave} {
|
|
upvar #0 tclSafe$slave state
|
|
global tcl_library tk_library auto_path tcl_platform
|
|
|
|
# These aliases let the slave load files to define new commands
|
|
|
|
interp alias $slave source {} tclSafeAliasSource $slave
|
|
interp alias $slave load {} tclSafeAliasLoad $slave
|
|
|
|
# This alias lets the slave have access to a subset of the 'file'
|
|
# command functionality.
|
|
tclAliasSubset $slave file file dir.* join root.* ext.* tail \
|
|
path.* split
|
|
|
|
# This alias interposes on the 'exit' command and cleanly terminates
|
|
# the slave.
|
|
interp alias $slave exit {} tcl_safeDeleteInterp $slave
|
|
|
|
# Source init.tcl into the slave, to get auto_load and other
|
|
# procedures defined:
|
|
|
|
if {$tcl_platform(platform) == "macintosh"} {
|
|
if {[catch {interp eval $slave [list source -rsrc Init]}]} {
|
|
if {[catch {interp eval $slave \
|
|
[list source [file join $tcl_library init.tcl]]}]} {
|
|
error "can't source init.tcl into slave $slave"
|
|
}
|
|
}
|
|
} else {
|
|
if {[catch {interp eval $slave \
|
|
[list source [file join $tcl_library init.tcl]]}]} {
|
|
error "can't source init.tcl into slave $slave"
|
|
}
|
|
}
|
|
|
|
# Loading packages into slaves is handled by their master.
|
|
# This is overloaded to deal with regular packages and security policies
|
|
|
|
interp alias $slave tclPkgUnknown {} tclSafeAliasPkgUnknown $slave
|
|
interp eval $slave {package unknown tclPkgUnknown}
|
|
|
|
# We need a helper procedure to define a $dir variable and then
|
|
# do a source of the pkgIndex.tcl file
|
|
interp eval $slave \
|
|
[list proc tclPkgSource {dir args} {
|
|
if {[llength $args] == 2} {
|
|
source [lindex $args 0] [lindex $args 1]
|
|
} else {
|
|
source [lindex $args 0]
|
|
}
|
|
}]
|
|
|
|
# Let the slave inherit a few variables
|
|
foreach varName \
|
|
{tcl_library tcl_version tcl_patchLevel \
|
|
tcl_platform(platform) auto_path} {
|
|
upvar #0 $varName var
|
|
interp eval $slave [list set $varName $var]
|
|
}
|
|
|
|
# Other variables are predefined with set values
|
|
foreach {varName value} {
|
|
auto_noexec 1
|
|
errorCode {}
|
|
errorInfo {}
|
|
env() {}
|
|
argv0 {}
|
|
argv {}
|
|
argc 0
|
|
tcl_interactive 0
|
|
} {
|
|
interp eval $slave [list set $varName $value]
|
|
}
|
|
|
|
# If auto_path is not set in the slave, set it to empty so it has
|
|
# a value and exists. Otherwise auto_loading and package require
|
|
# will complain.
|
|
|
|
interp eval $slave {
|
|
if {![info exists auto_path]} {
|
|
set auto_path {}
|
|
}
|
|
}
|
|
|
|
# If we have Tk, make the slave have the same library as us:
|
|
|
|
if {[info exists tk_library]} {
|
|
interp eval $slave [list set tk_library $tk_library]
|
|
}
|
|
|
|
# Stub out auto-exec mechanism in slave
|
|
interp eval $slave [list proc auto_execok {name} {return {}}]
|
|
|
|
return $slave
|
|
}
|
|
|
|
# This procedure deletes a safe slave managed by Safe Tcl and
|
|
# cleans up associated state:
|
|
|
|
proc tcl_safeDeleteInterp {slave args} {
|
|
upvar #0 tclSafe$slave state
|
|
|
|
# If the slave has a policy loaded, clean it up now.
|
|
if {[info exists state(policyLoaded)]} {
|
|
set policy $state(policyLoaded)
|
|
set proc ${policy}_PolicyCleanup
|
|
if {[string compare [info proc $proc] $proc] == 0} {
|
|
$proc $slave
|
|
}
|
|
}
|
|
|
|
# Discard the global array of state associated with the slave, and
|
|
# delete the interpreter.
|
|
catch {unset state}
|
|
catch {interp delete $slave}
|
|
|
|
return
|
|
}
|
|
|
|
# This procedure computes the global security policy search path.
|
|
|
|
proc tclSafeComputePolicyPath {} {
|
|
global auto_path tclSafeAutoPathComputed tclSafePolicyPath
|
|
|
|
set recompute 0
|
|
if {(![info exists tclSafePolicyPath]) ||
|
|
("$tclSafePolicyPath" == "")} {
|
|
set tclSafePolicyPath ""
|
|
set tclSafeAutoPathComputed ""
|
|
set recompute 1
|
|
}
|
|
if {"$tclSafeAutoPathComputed" != "$auto_path"} {
|
|
set recompute 1
|
|
set tclSafeAutoPathComputed $auto_path
|
|
}
|
|
if {$recompute == 1} {
|
|
set tclSafePolicyPath ""
|
|
foreach i $auto_path {
|
|
lappend tclSafePolicyPath [file join $i policies]
|
|
}
|
|
}
|
|
return $tclSafePolicyPath
|
|
}
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# ---------------------------------------------------------------------------
|
|
|
|
# tclSafeAliasSource is the target of the "source" alias in safe interpreters.
|
|
|
|
proc tclSafeAliasSource {slave args} {
|
|
global auto_path errorCode errorInfo
|
|
|
|
if {[llength $args] == 2} {
|
|
if {[string compare "-rsrc" [lindex $args 0]] != 0} {
|
|
return -code error "incorrect arguments to source"
|
|
}
|
|
if {[catch {interp invokehidden $slave source -rsrc [lindex $args 1]} \
|
|
msg]} {
|
|
return -code error $msg
|
|
}
|
|
} else {
|
|
set file [lindex $args 0]
|
|
if {[catch {tclFileInPath $file $auto_path $slave} msg]} {
|
|
return -code error "permission denied"
|
|
}
|
|
set errorInfo ""
|
|
if {[catch {interp invokehidden $slave source $file} msg]} {
|
|
return -code error $msg
|
|
}
|
|
}
|
|
return $msg
|
|
}
|
|
|
|
# tclSafeAliasLoad is the target of the "load" alias in safe interpreters.
|
|
|
|
proc tclSafeAliasLoad {slave file args} {
|
|
global auto_path
|
|
|
|
if {[llength $args] == 2} {
|
|
# Trying to load into another interpreter
|
|
# Allow this for a child of the slave, or itself
|
|
set other [lindex $args 1]
|
|
foreach x $slave y $other {
|
|
if {[string length $x] == 0} {
|
|
break
|
|
} elseif {[string compare $x $y] != 0} {
|
|
return -code error "permission denied"
|
|
}
|
|
}
|
|
set slave $other
|
|
}
|
|
|
|
if {[string length $file] && \
|
|
[catch {tclFileInPath $file $auto_path $slave} msg]} {
|
|
return -code error "permission denied"
|
|
}
|
|
if {[catch {
|
|
switch [llength $args] {
|
|
0 {
|
|
interp invokehidden $slave load $file
|
|
}
|
|
1 -
|
|
2 {
|
|
interp invokehidden $slave load $file [lindex $args 0]
|
|
}
|
|
default {
|
|
error "too many arguments to load"
|
|
}
|
|
}
|
|
} msg]} {
|
|
return -code error $msg
|
|
}
|
|
return $msg
|
|
}
|
|
|
|
# tclFileInPath raises an error if the file is not found in
|
|
# the list of directories contained in path.
|
|
|
|
proc tclFileInPath {file path slave} {
|
|
set realcheckpath [tclSafeCheckAutoPath $path $slave]
|
|
set pwd [pwd]
|
|
if {[file isdirectory $file]} {
|
|
error "$file: not found"
|
|
}
|
|
set parent [file dirname $file]
|
|
if {[catch {cd $parent} msg]} {
|
|
error "$file: not found"
|
|
}
|
|
set realfilepath [file split [pwd]]
|
|
foreach dir $realcheckpath {
|
|
set match 1
|
|
foreach a [file split $dir] b $realfilepath {
|
|
if {[string length $a] == 0} {
|
|
break
|
|
} elseif {[string compare $a $b] != 0} {
|
|
set match 0
|
|
break
|
|
}
|
|
}
|
|
if {$match} {
|
|
cd $pwd
|
|
return 1
|
|
}
|
|
}
|
|
cd $pwd
|
|
error "$file: not found"
|
|
}
|
|
|
|
# This procedure computes our expanded copy of the path, as needed.
|
|
# It returns the path after expanding out all aliases.
|
|
|
|
proc tclSafeCheckAutoPath {path slave} {
|
|
global auto_path
|
|
upvar #0 tclSafe$slave state
|
|
|
|
if {![info exists state(expanded_auto_path)]} {
|
|
# Compute for the first time:
|
|
set state(cached_auto_path) $path
|
|
} elseif {"$state(cached_auto_path)" != "$path"} {
|
|
# The value of our path changed, so recompute:
|
|
set state(cached_auto_path) $path
|
|
} else {
|
|
# No change: no need to recompute.
|
|
return $state(expanded_auto_path)
|
|
}
|
|
|
|
set pwd [pwd]
|
|
set state(expanded_auto_path) ""
|
|
foreach dir $state(cached_auto_path) {
|
|
if {![catch {cd $dir}]} {
|
|
lappend state(expanded_auto_path) [pwd]
|
|
}
|
|
}
|
|
cd $pwd
|
|
return $state(expanded_auto_path)
|
|
}
|
|
|
|
proc tclSafeAliasPkgUnknown {slave package version {exact {}}} {
|
|
tclSafeLoadPkg $slave $package $version $exact
|
|
}
|
|
|
|
proc tclSafeLoadPkg {slave package version exact} {
|
|
if {[string length $version] == 0} {
|
|
set version 1.0
|
|
}
|
|
tclSafeLoadPkgInternal $slave $package $version $exact 0
|
|
}
|
|
|
|
proc tclSafeLoadPkgInternal {slave package version exact round} {
|
|
global auto_path
|
|
upvar #0 tclSafe$slave state
|
|
|
|
# Search the policy path again; it might have changed in the meantime.
|
|
|
|
if {$round == 1} {
|
|
tclSafeResearchPolicyPath
|
|
|
|
if {[tclSafeLoadPolicy $slave $package $version]} {
|
|
return
|
|
}
|
|
}
|
|
|
|
# Try to load as a policy.
|
|
|
|
if [tclSafeLoadPolicy $slave $package $version] {
|
|
return
|
|
}
|
|
|
|
# The package is not a security policy, so do the regular setup.
|
|
|
|
# Here we run tclPkgUnknown in the master, but we hijack
|
|
# the source command so the setup ends up happening in the slave.
|
|
|
|
rename source source.orig
|
|
proc source {args} "upvar dir dir
|
|
interp eval [list $slave] tclPkgSource \[list \$dir\] \$args"
|
|
|
|
if [catch {tclPkgUnknown $package $version $exact} err] {
|
|
global errorInfo
|
|
|
|
rename source {}
|
|
rename source.orig source
|
|
|
|
error "$err\n$errorInfo"
|
|
}
|
|
rename source {}
|
|
rename source.orig source
|
|
|
|
# If we are in the first round, check if the package
|
|
# is now known in the slave:
|
|
|
|
if {$round == 0} {
|
|
set ifneeded \
|
|
[interp eval $slave [list package ifneeded $package $version]]
|
|
|
|
if {"$ifneeded" == ""} {
|
|
return [tclSafeLoadPkgInternal $slave $package $version $exact 1]
|
|
}
|
|
}
|
|
}
|
|
|
|
proc tclSafeResearchPolicyPath {} {
|
|
global tclSafePolicyPath auto_index auto_path
|
|
|
|
# If there was no change, do not search again.
|
|
|
|
if {![info exists tclSafePolicyPath]} {
|
|
set tclSafePolicyPath ""
|
|
}
|
|
set oldPolicyPath $tclSafePolicyPath
|
|
set newPolicyPath [tclSafeComputePolicyPath]
|
|
if {"$newPolicyPath" == "$oldPolicyPath"} {
|
|
return
|
|
}
|
|
|
|
# Loop through the path from back to front so early directories
|
|
# end up overriding later directories. This code is like auto_load,
|
|
# but only new-style tclIndex files (version 2) are supported.
|
|
|
|
for {set i [expr [llength $newPolicyPath] - 1]} \
|
|
{$i >= 0} \
|
|
{incr i -1} {
|
|
set dir [lindex $newPolicyPath $i]
|
|
set file [file join $dir tclIndex]
|
|
if {[file exists $file]} {
|
|
if {[catch {source $file} msg]} {
|
|
puts stderr "error sourcing $file: $msg"
|
|
}
|
|
}
|
|
foreach file [lsort [glob -nocomplain [file join $dir *]]] {
|
|
if {[file isdir $file]} {
|
|
set dir $file
|
|
set file [file join $file tclIndex]
|
|
if {[file exists $file]} {
|
|
if {[catch {source $file} msg]} {
|
|
puts stderr "error sourcing $file: $msg"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
proc tclSafeLoadPolicy {slave package version} {
|
|
upvar #0 tclSafe$slave state
|
|
global auto_index
|
|
|
|
set proc ${package}_PolicyInit
|
|
|
|
if {[info command $proc] == "$proc" ||
|
|
[info exists auto_index($proc)]} {
|
|
if [info exists state(policyLoaded)] {
|
|
error "security policy $state(policyLoaded) already loaded"
|
|
}
|
|
$proc $slave $version
|
|
interp eval $slave [list package provide $package $version]
|
|
set state(policyLoaded) $package
|
|
return 1
|
|
} else {
|
|
return 0
|
|
}
|
|
}
|
|
# This procedure enables access from a safe interpreter to only a subset of
|
|
# the subcommands of a command:
|
|
|
|
proc tclSafeSubset {command okpat args} {
|
|
set subcommand [lindex $args 0]
|
|
if {[regexp $okpat $subcommand]} {
|
|
return [eval {$command $subcommand} [lrange $args 1 end]]
|
|
}
|
|
error "not allowed to invoke subcommand $subcommand of $command"
|
|
}
|
|
|
|
# This procedure installs an alias in a slave that invokes "safesubset"
|
|
# in the master to execute allowed subcommands. It precomputes the pattern
|
|
# of allowed subcommands; you can use wildcards in the pattern if you wish
|
|
# to allow subcommand abbreviation.
|
|
#
|
|
# Syntax is: tclAliasSubset slave alias target subcommand1 subcommand2...
|
|
|
|
proc tclAliasSubset {slave alias target args} {
|
|
set pat ^(; set sep ""
|
|
foreach sub $args {
|
|
append pat $sep$sub
|
|
set sep |
|
|
}
|
|
append pat )\$
|
|
interp alias $slave $alias {} tclSafeSubset $target $pat
|
|
}
|