added 'pretend' action and dlopen/dlclose functions

Makefile

@@ -1,6 +1,7 @@
-OBJ=common.o vars.o iplist.o sockinfo.o actions.o exit.o hooks.o exec_hooks.o time_hooks.o file_hooks.o socket_hooks.o config.o net.o socks.o 
+OBJ=common.o vars.o iplist.o sockinfo.o actions.o exit.o hooks.o dl_hooks.o exec_hooks.o time_hooks.o file_hooks.o socket_hooks.o config.o net.o socks.o 
 FLAGS=-g -fPIC -g -O2
 CC=gcc
+VERSION=1.2
 
 all: enhancer.so
 
@@ -31,6 +32,9 @@ config.o: config.c config.h common.h
 hooks.o: hooks.c hooks.h common.h
 	$(CC) $(FLAGS) -c hooks.c
 
+dl_hooks.o: dl_hooks.c dl_hooks.h common.h
+	$(CC) $(FLAGS) -c dl_hooks.c
+
 exec_hooks.o: exec_hooks.c exec_hooks.h common.h
 	$(CC) $(FLAGS) -c exec_hooks.c
 

Makefile.in

@@ -1,7 +1,7 @@
-OBJ=common.o vars.o iplist.o sockinfo.o actions.o exit.o hooks.o exec_hooks.o time_hooks.o file_hooks.o socket_hooks.o config.o net.o socks.o @X11_HOOKS_OBJ@
+OBJ=common.o vars.o iplist.o sockinfo.o actions.o exit.o hooks.o dl_hooks.o exec_hooks.o time_hooks.o file_hooks.o socket_hooks.o config.o net.o socks.o @X11_HOOKS_OBJ@
 FLAGS=-g -fPIC @CFLAGS@
 CC=gcc
-VERSION=1.1
+VERSION=1.2
 
 all: enhancer.so
 
@@ -32,6 +32,9 @@ config.o: config.c config.h common.h
 hooks.o: hooks.c hooks.h common.h
 	$(CC) $(FLAGS) -c hooks.c
 
+dl_hooks.o: dl_hooks.c dl_hooks.h common.h
+	$(CC) $(FLAGS) -c dl_hooks.c
+
 exec_hooks.o: exec_hooks.c exec_hooks.h common.h
 	$(CC) $(FLAGS) -c exec_hooks.c
 

README.md

@@ -117,6 +117,8 @@ settime
 select     applies to both select and poll
 fsync
 fdatasync
+dlopen
+dlclose
 ```
 
 X11 Hooked Functions
@@ -165,6 +167,7 @@ The following actions can be booked against a function, to be carried out when i
 
 ```
 deny            do not perform the function, return and error code indicating failure
+pretend         do not perform the function, return and error code indicating success
 allow           perform the function as expected
 die             cause the program to exit
 die-on-fail     cause the program to exit if function call fails
@@ -229,6 +232,8 @@ ipmap           only for 'gethostbyname/getaddrinfo'. Map name to 'fake' IP addr
 writejail       prefix all writes with the filepath given as a string argument (poor man's chroot)
 ```
 
+The 'pretend' action is only supported for the functions: bind, dlclose, unlink, unlinkat, fsync, fdatasync, fchown, chown, fchmod, chmod, chroot, fchroot.
+
 
 ACTION ARGUMENTS
 ================
@@ -630,4 +635,15 @@ XLoadFont path=-*-helvetica-bold-r-*-*-10-*-*-*-*-*-*-* fallback kates,-xos4-ter
 ```
 
 
+## Make dlopen libraries compatible with valgrind
+
+Valgrind is a utility that checks for various memory errors. Unfortunately it has an issue with libraries/plugins that are loaded with dlopen. Valgrind doesn't map function addresses to function names until the program exits, but unfortunately by then some libraries that were opened with dlopen may have been unloaded from memory by dlclose, producting valgrind output that does not know which functions were called. This can be solved using the 'pretend' action against the 'dlclose' function, like so:
+
+```
+program lua
+{
+dlclose pretend
+}
+```
 
+This will prevent dlclose from being called at program exit, and thus function call names should be output correctly from valgrind.

actions.c

@@ -2,17 +2,19 @@
 #include "common.h"
 #include "config.h"
 #include "vars.h"
+#include "iplist.h"
 #define _GNU_SOURCE
 #include <sched.h>
 #include <syslog.h>
 #include <wait.h>
+#include <sys/file.h>
 #include "net.h"
 
 char *EnhancerChrootDir=NULL;
 
 
 
-const char *EnhancerConvertPathToChroot(const char *Path)
+const char *enhancer_ConvertPathToChroot(const char *Path)
 {
 if (! EnhancerChrootDir) return(Path);
 if (strcmp(Path,EnhancerChrootDir)==0) return(Path+strlen(EnhancerChrootDir));

actions.h

@@ -3,6 +3,7 @@
 
 #include "common.h"
 
+const char *enhancer_ConvertPathToChroot(const char *Path);
 int enhancer_actions(TEnhancerConfig *Conf, const char *FuncName, const char *Str1, const char *Str2, char **Redirect);
 
 #endif

common.c

@@ -16,7 +16,7 @@ unsigned int enhancer_flags=0;
 int enhancer_log_fd=-1;
 
 int enhancer_argc;
-const char **enhancer_argv;
+char **enhancer_argv;
 
 
 

common.h

@@ -64,7 +64,7 @@ TEnhancerConfig *Items;
 extern unsigned int enhancer_flags;
 extern int enhancer_log_fd;
 extern int enhancer_argc;
-extern const char **enhancer_argv;
+extern char **enhancer_argv;
 
 void __attribute__ ((constructor)) enhancer_init(void);
 

config.c

@@ -6,7 +6,7 @@
 #include "exit.h"
 
 extern char *enhancer_prog_name;
-
+int line=1;
 
 
 typedef enum {MATCH_ALL, MATCH_PATH, MATCH_BASENAME, MATCH_FAMILY, MATCH_PROTO, MATCH_PEER, MATCH_PORT, MATCH_USER, MATCH_GROUP, MATCH_FD, MATCH_ARG, MATCH_CHROOTED} EMatchTypes;
@@ -18,12 +18,12 @@ typedef enum {MATCH_ALL, MATCH_PATH, MATCH_BASENAME, MATCH_FAMILY, MATCH_PROTO,
 #define OP_LT  3
 
 
-char *EnhancerFuncNames[]={"all","main", "onexit", "arg", "open", "close", "read", "write", "uname", "socket", "connect", "bind", "listen", "accept", "gethostip", "sprintf", "fork", "exec", "system", "sysexec", "unlink", "setuid", "setgid", "chown", "chmod", "chdir", "chroot", "time","settime","mprotect", "fsync", "fdatasync", "select", "XMapWindow","XRaiseWindow", "XLowerWindow", "XSendEvent", "XLoadFont", "XChangeProperty", NULL};
+char *EnhancerFuncNames[]={"all","main", "onexit", "arg", "open", "close", "read", "write", "uname", "dlopen", "dlclose", "socket", "connect", "bind", "listen", "accept", "gethostip", "sprintf", "fork", "exec", "system", "sysexec", "unlink", "setuid", "setgid", "chown", "chmod", "chdir", "chroot", "time","settime","mprotect", "fsync", "fdatasync", "select", "XMapWindow","XRaiseWindow", "XLowerWindow", "XSendEvent", "XLoadFont", "XChangeProperty", NULL};
 
 
-char *EnhancerTokNames[]={"deny","allow","die","abort","setvar","setbasename","log","syslog","syslogcrit","echo", "debug", "send", "exec", "die-on-fail", "collect", "sleep", "usleep", "deny-links","deny-symlinks","redirect","fallback","chrooted","if-chrooted","path","basename","peer","port","user","group","family","fd", "arg", "keepalive", "localnet", "reuseport", "tcp-qack", "tcp-nodelay", "ttl", "freebind", "cmod", "lock", "fdcache","create", "shred", "searchpath", "xstayabove", "xstaybelow", "xiconized", "xunmanaged", "xfullscreen", "xtransparent", "xnormal","pidfile","lockfile", "xtermtitle","backup", "nosync", "fsync", "fdatasync", "writejail", "unshare", "setenv", "getip", "cd", "chroot", "copyclone", "linkclone", "ipmap", "fadv_seq", "fadv_rand", "fadv_nocache", "qlen", "sanitise", "die-on-taint", "deny-on-taint", NULL};
+char *EnhancerTokNames[]={"deny","allow","die","abort","pretend","setvar","setbasename","log","syslog","syslogcrit","echo", "debug", "send", "exec", "die-on-fail", "collect", "sleep", "usleep", "deny-links","deny-symlinks","redirect","fallback","chrooted","if-chrooted","path","basename","peer","port","user","group","family","fd", "arg", "keepalive", "localnet", "reuseport", "tcp-qack", "tcp-nodelay", "ttl", "freebind", "cmod", "lock", "fdcache","create", "shred", "searchpath", "xstayabove", "xstaybelow", "xiconized", "xunmanaged", "xfullscreen", "xtransparent", "xnormal","pidfile","lockfile", "xtermtitle","backup", "nosync", "fsync", "fdatasync", "writejail", "unshare", "setenv", "getip", "cd", "chroot", "copyclone", "linkclone", "ipmap", "fadv_seq", "fadv_rand", "fadv_nocache", "qlen", "sanitise", "die-on-taint", "deny-on-taint", NULL};
 
-typedef enum {TOK_DENY, TOK_ALLOW, TOK_DIE, TOK_ABORT, TOK_SETVAR, TOK_SETBASENAME, TOK_LOG, TOK_SYSLOG, TOK_SYSLOGCRIT, TOK_ECHO, TOK_DEBUG, TOK_SEND, TOK_EXEC, TOK_FAILDIE, TOK_COLLECT, TOK_SLEEP, TOK_USLEEP, TOK_DENYLINKS, TOK_DENYSYMLINKS, TOK_REDIRECT, TOK_FALLBACK, TOK_CHROOTED, TOK_CHROOTED2, TOK_PATH, TOK_BASENAME, TOK_PEER, TOK_PORT, TOK_USER, TOK_GROUP, TOK_FAMILY, TOK_FD, TOK_ARG, TOK_KEEPALIVE, TOK_LOCALNET, TOK_REUSEPORT, TOK_TCP_QACK, TOK_TCP_NODELAY, TOK_TTL, TOK_FREEBIND, TOK_CMOD, TOK_LOCK, TOK_FDCACHE, TOK_CREATE, TOK_SHRED, TOK_SEARCHPATH, TOK_X11_STAY_ABOVE, TOK_X11_STAY_BELOW, TOK_X11_ICONIZED, TOK_X11_UNMANAGED, TOK_X11_FULLSCREEN, TOK_X11_TRANSPARENT, TOK_X11_NORMAL, TOK_PIDFILE, TOK_LOCKFILE, TOK_XTERM_TITLE, TOK_BACKUP, TOK_NOSYNC, TOK_FSYNC, TOK_FDATASYNC, TOK_WRITEJAIL, TOK_UNSHARE, TOK_SETENV, TOK_GETIP, TOK_CHDIR, TOK_CHROOT, TOK_COPY_CLONE, TOK_LINK_CLONE, TOK_IPMAP, TOK_FADV_SEQU, TOK_FADV_RAND, TOK_FADV_NOCACHE, TOK_QLEN, TOK_SANITISE, TOK_DIE_ON_TAINT, TOK_DENY_ON_TAINT} TActions;
+typedef enum {TOK_DENY, TOK_ALLOW, TOK_DIE, TOK_ABORT, TOK_PRETEND, TOK_SETVAR, TOK_SETBASENAME, TOK_LOG, TOK_SYSLOG, TOK_SYSLOGCRIT, TOK_ECHO, TOK_DEBUG, TOK_SEND, TOK_EXEC, TOK_FAILDIE, TOK_COLLECT, TOK_SLEEP, TOK_USLEEP, TOK_DENYLINKS, TOK_DENYSYMLINKS, TOK_REDIRECT, TOK_FALLBACK, TOK_CHROOTED, TOK_CHROOTED2, TOK_PATH, TOK_BASENAME, TOK_PEER, TOK_PORT, TOK_USER, TOK_GROUP, TOK_FAMILY, TOK_FD, TOK_ARG, TOK_KEEPALIVE, TOK_LOCALNET, TOK_REUSEPORT, TOK_TCP_QACK, TOK_TCP_NODELAY, TOK_TTL, TOK_FREEBIND, TOK_CMOD, TOK_LOCK, TOK_FDCACHE, TOK_CREATE, TOK_SHRED, TOK_SEARCHPATH, TOK_X11_STAY_ABOVE, TOK_X11_STAY_BELOW, TOK_X11_ICONIZED, TOK_X11_UNMANAGED, TOK_X11_FULLSCREEN, TOK_X11_TRANSPARENT, TOK_X11_NORMAL, TOK_PIDFILE, TOK_LOCKFILE, TOK_XTERM_TITLE, TOK_BACKUP, TOK_NOSYNC, TOK_FSYNC, TOK_FDATASYNC, TOK_WRITEJAIL, TOK_UNSHARE, TOK_SETENV, TOK_GETIP, TOK_CHDIR, TOK_CHROOT, TOK_COPY_CLONE, TOK_LINK_CLONE, TOK_IPMAP, TOK_FADV_SEQU, TOK_FADV_RAND, TOK_FADV_NOCACHE, TOK_QLEN, TOK_SANITISE, TOK_DIE_ON_TAINT, TOK_DENY_ON_TAINT} TActions;
 
 char *EnhancerFamilyNames[]={"unix","raw","netlink","net","ip4","ip6",NULL};
 typedef enum {FAMILY_UNIX, FAMILY_RAW, FAMILY_NETLINK, FAMILY_NET, FAMILY_IP4, FAMILY_IP6} E_NETFAM;
@@ -845,6 +845,10 @@ if (strcmp(Name,"\n")==0) break;
 			enhancer_set_config(Conf, val, Name, 0, FLAG_DENY);
 		break;
 
+		case TOK_PRETEND:
+			enhancer_set_config(Conf, val, Name, 0, FLAG_PRETEND);
+		break;
+
 		case TOK_ALLOW:
 			enhancer_set_config(Conf, val, Name, 0, FLAG_ALLOW);
 		break;
@@ -1169,10 +1173,11 @@ while (ptr)
 	if (Tempstr && strlen(Tempstr))
 	{
 		if (strcmp(Tempstr,"{")==0) /* do nothing  */;
-		else if (strcmp(Tempstr,"\n")==0) /* do nothing  */;
+		else if (strcmp(Tempstr,"\n")==0) line++;
 		else if (strcmp(Tempstr,"#")==0) 
 		{
 			while ((*ptr !='\n') && (*ptr != '\0')) ptr++;
+			line++;
 		}
 		else if (strcmp(Tempstr,"}")==0) break;
  		else 

config.h

@@ -57,7 +57,7 @@ int strcpy_max;
 
 struct enhancer_settings_struct enhancer_settings;
 
-typedef enum {FUNC_ALL, FUNC_MAIN, FUNC_ONEXIT, FUNC_PROGRAM_ARG, FUNC_OPEN, FUNC_CLOSE, FUNC_READ, FUNC_WRITE, FUNC_UNAME, FUNC_SOCKET, FUNC_CONNECT, FUNC_BIND, FUNC_LISTEN, FUNC_ACCEPT, FUNC_GETHOSTIP, FUNC_SPRINTF, FUNC_FORK, FUNC_EXEC, FUNC_SYSTEM, FUNC_SYSEXEC, FUNC_UNLINK, FUNC_SETUID, FUNC_SETGID, FUNC_CHOWN, FUNC_CHMOD, FUNC_CHDIR, FUNC_CHROOT, FUNC_TIME, FUNC_SETTIME, FUNC_MPROTECT, FUNC_FSYNC, FUNC_FDATASYNC, FUNC_SELECT, FUNC_XMapWindow, FUNC_XRaiseWindow, FUNC_XLowerWindow, FUNC_XSendEvent, FUNC_XLoadFont, FUNC_XChangeProperty} E_Funcs;
+typedef enum {FUNC_ALL, FUNC_MAIN, FUNC_ONEXIT, FUNC_PROGRAM_ARG, FUNC_OPEN, FUNC_CLOSE, FUNC_READ, FUNC_WRITE, FUNC_UNAME, FUNC_DLOPEN, FUNC_DLCLOSE, FUNC_SOCKET, FUNC_CONNECT, FUNC_BIND, FUNC_LISTEN, FUNC_ACCEPT, FUNC_GETHOSTIP, FUNC_SPRINTF, FUNC_FORK, FUNC_EXEC, FUNC_SYSTEM, FUNC_SYSEXEC, FUNC_UNLINK, FUNC_SETUID, FUNC_SETGID, FUNC_CHOWN, FUNC_CHMOD, FUNC_CHDIR, FUNC_CHROOT, FUNC_TIME, FUNC_SETTIME, FUNC_MPROTECT, FUNC_FSYNC, FUNC_FDATASYNC, FUNC_SELECT, FUNC_XMapWindow, FUNC_XRaiseWindow, FUNC_XLowerWindow, FUNC_XSendEvent, FUNC_XLoadFont, FUNC_XChangeProperty} E_Funcs;
 
 void enhancer_load_config();
 int enhancer_checkconfig_default(int FuncID, const char *FuncName, const char *Str1, const char *Str2, int Int1, int Int2);
@@ -68,5 +68,6 @@ int enhancer_checkconfig_program_arg(const char *Arg, char **Redirect);
 TEnhancerConfig *enhancer_checkconfig_open_function(int FuncID, const char *FuncName, const char *Path, int Int1, int Int2, char **Redirect);
 int enhancer_checkconfig_socket_function(int FuncID, const char *FuncName, TSockInfo *SockInfo);
 int enhancer_checkconfig_exec_function(int FuncID, const char *FuncName, const char *Path, char **Redirect, char **TrustedPath);
+void enhancer_config_destroy(TEnhancerConfig *Config);
 
 #endif