func TestRuleAddAndLoad(t *testing.T) {
// Test #1: Add a trivial filter
filter1, err := NewFilter(ActAllow)
if err != nil {
t.Errorf("Error creating filter: %s", err)
}
defer filter1.Release()
call, err := GetSyscallFromName("getpid")
if err != nil {
t.Errorf("Error getting syscall number of getpid: %s", err)
}
call2, err := GetSyscallFromName("setreuid")
if err != nil {
t.Errorf("Error getting syscall number of setreuid: %s", err)
}
uid := syscall.Getuid()
euid := syscall.Geteuid()
err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1))
if err != nil {
t.Errorf("Error adding rule to restrict syscall: %s", err)
}
cond, err := MakeCondition(1, CompareEqual, uint64(euid))
if err != nil {
t.Errorf("Error making rule to restrict syscall: %s", err)
}
cond2, err := MakeCondition(0, CompareEqual, uint64(uid))
if err != nil {
t.Errorf("Error making rule to restrict syscall: %s", err)
}
conditions := []ScmpCondition{cond, cond2}
err = filter1.AddRuleConditional(call2, ActErrno.SetReturnCode(0x2), conditions)
if err != nil {
t.Errorf("Error adding conditional rule: %s", err)
}
err = filter1.Load()
if err != nil {
t.Errorf("Error loading filter: %s", err)
}
// Try making a simple syscall, it should error
pid := syscall.Getpid()
if pid != -1 {
t.Errorf("Syscall should have returned error code!")
}
// Try making a Geteuid syscall that should normally succeed
err = syscall.Setreuid(uid, euid)
if err != syscall.Errno(2) {
t.Errorf("Syscall should have returned error code!")
}
}
func setuid(username string) {
usr, err := user.Lookup(username)
checkFatal(err)
uid, err := strconv.Atoi(usr.Uid)
checkFatal(err)
err = syscall.Setreuid(uid, uid)
checkFatal(err)
}
// Change effective run permissions to settings.AdminUID
func AdminOn() error {
origUID = syscall.Geteuid()
// note that Setuid equiv seems buggy, Setreuid is solid currently
if err := syscall.Setreuid(s.AdminUID, s.AdminUID); err != nil {
return err
}
return nil
}
func setUserId() {
userName := beego.AppConfig.String("user")
u, err := user.Lookup(userName)
if err != nil {
fmt.Println("user config:", err)
return
}
gid, _ := strconv.ParseInt(u.Gid, 0, 0)
uid, _ := strconv.ParseInt(u.Uid, 0, 0)
if err := syscall.Setregid(int(gid), int(gid)); err != nil {
fmt.Println("setregid:", err)
}
if err := syscall.Setreuid(int(uid), int(uid)); err != nil {
fmt.Println("setreuid:", err)
}
}
// darwin doesn't seem to have saved UIDs, so use setreuid
func setresuid(ruid, euid, suid int) error {
return syscall.Setreuid(ruid, euid)
}
func main() {
flag.Usage = usage
var helpFlag_p = flag.Bool("h", false, "help")
var versionFlag_p = flag.Bool("v", false, "version")
flag.Parse()
if *helpFlag_p {
usage()
os.Exit(0)
} else if *versionFlag_p {
fmt.Printf("%v\n", jobber.LongVersionStr())
os.Exit(0)
} else {
if len(flag.Args()) == 0 {
fmt.Fprintf(os.Stderr, "Please specify a command.\n\n")
flag.Usage()
os.Exit(1)
}
// make sure the daemon is running
if _, err := os.Stat(jobber.DaemonSocketAddr); os.IsNotExist(err) {
if flag.Arg(0) == StopCmdStr {
os.Exit(0)
} else {
fmt.Fprintf(os.Stderr, "jobberd isn't running.\n")
os.Exit(1)
}
}
// connect to daemon
addr, err := net.ResolveUnixAddr("unix", jobber.DaemonSocketAddr)
if err != nil {
fmt.Fprintf(os.Stderr, "Couldn't resolve Unix addr: %v\n", err)
os.Exit(1)
}
conn, err := net.DialUnix("unix", nil, addr)
if err != nil {
fmt.Fprintf(os.Stderr, "Couldn't connect to daemon: %v\n", err)
os.Exit(1)
}
defer conn.Close()
rpcClient := rpc.NewClient(conn)
if err != nil {
fmt.Fprintf(os.Stderr, "Couldn't make RPC client: %v\n", err)
os.Exit(1)
}
// drop privileges
err = syscall.Setreuid(syscall.Getuid(), syscall.Getuid())
if err != nil {
fmt.Fprintf(os.Stderr, "Couldn't drop privileges: %v\n", err)
os.Exit(1)
}
// get current username
user, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Couldn't get current user: %v\n", err)
os.Exit(1)
}
// do command
switch flag.Arg(0) {
case ListCmdStr:
doListCmd(flag.Args()[1:], rpcClient, user)
case LogCmdStr:
doLogCmd(flag.Args()[1:], rpcClient, user)
case ReloadCmdStr:
doReloadCmd(flag.Args()[1:], rpcClient, user)
case StopCmdStr:
var result string
arg := jobber.IpcArg{User: user.Username, ForAllUsers: false}
err = rpcClient.Call("RealIpcServer.Stop", arg, &result)
if err != nil {
fmt.Fprintf(os.Stderr, "%v\n", err)
os.Exit(1)
}
case TestCmdStr:
doTestCmd(flag.Args()[1:], rpcClient, user)
case CatCmdStr:
doCatCmd(flag.Args()[1:], rpcClient, user)
default:
fmt.Fprintf(os.Stderr, "Invalid command: \"%v\".\n", flag.Arg(0))
flag.Usage()
os.Exit(1)
}
}
}
func dropRoot() {
if hasRoot && syscall.Geteuid() != realUid {
e := syscall.Setreuid(-1, realUid)
fatalErr(e)
}
}
func becomeRoot() {
if hasRoot && syscall.Geteuid() != 0 {
e := syscall.Setreuid(-1, 0)
fatalErr(e)
}
}
func setAllUid(uid int) error {
return syscall.Setreuid(uid, uid)
}
// Change effective run permissions back to read uid
func AdminOff() error {
if err := syscall.Setreuid(origUID, origUID); err != nil {
return err
}
return nil
}