1#!/bin/mksh 2# $MirOS: src/scripts/systrace.mk,v 1.7 2008/10/05 16:26:18 tg Exp $ 3#- 4# Copyright (c) 2004, 2005 5# Thorsten Glaser <tg@mirbsd.de> 6# 7# Provided that these terms and disclaimer and all copyright notices 8# are retained or reproduced in an accompanying document, permission 9# is granted to deal in this work without restriction, including un- 10# limited rights to use, publicly perform, distribute, sell, modify, 11# merge, give away, or sublicence. 12# 13# Advertising materials mentioning features or use of this work must 14# display the following acknowledgement: 15# This product includes material provided by Thorsten Glaser. 16# 17# This work is provided "AS IS" and WITHOUT WARRANTY of any kind, to 18# the utmost extent permitted by applicable law, neither express nor 19# implied; without malicious intent or gross negligence. In no event 20# may a licensor, author or contributor be held liable for indirect, 21# direct, other damage, loss, or other issues arising in any way out 22# of dealing in the work, even if advised of the possibility of such 23# damage or existence of a defect, except proven that it results out 24# of said person's immediate fault when using the work as intended. 25#- 26# Call a programme with an appropriate systrace policy 27# Syntax: 28# cd ${policydir}; env WRITEDIR="/a:/b:/c" NOWRITEDIR="/usr/obj" \ 29# ${SHELL} systrace.mk prog ... 30# To call the protected programmes: 31# /bin/systrace -e -i -a -f ${policydir}/.policy.mk prog args 32 33[[ -n $WRITEDIR && -n $1 ]] || exit 1 34saveIFS="$IFS" 35IFS=: 36set -o noglob 37set -A rwdirs -- $WRITEDIR 38set -A rodirs -- $NOWRITEDIR 39set +o noglob 40IFS="$saveIFS" 41 42set -A progs 43let i=0 44for prog in "$@"; do 45 [[ -x $prog ]] || prog=$(whence -p $prog) 46 if [[ -x $prog ]]; then 47 progs[i++]="$prog" 48 else 49 print -u2 "Warning: $prog not executable!" 50 fi 51done 52(( i > 0 )) || exit 1 53 54mydir=${0%/*} 55[[ $mydir = $0 ]] && mydir=. 56mydir=$(realpath $mydir) 57 58for prog in "${progs[@]}"; do 59 sed "s#@@PROG@@#$prog#g" <$mydir/systrace.sed 60done >.policy.mk 61 62ed -s .policy.mk |& 63set -o noglob 64for dir in "${rwdirs[@]}"; do 65 print -p '1,$g/@@RW_DIR@@/t.\\\n'"s:@@RW_DIR@@:$dir:g" 66done 67for dir in "${rodirs[@]}"; do 68 print -p '1,$g/@@RO_DIR@@/t.\\\n'"s:@@RO_DIR@@:$dir:g" 69done 70set +o noglob 71print -p "1,\$g/@@R[OW]_DIR@@/d\nwq" 72 73sync 74sleep 1 75exit 0 76