OpenVPN
run_command.h
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifndef RUN_COMMAND_H
25 #define RUN_COMMAND_H
26 
27 #include "basic.h"
28 #include "env_set.h"
29 
30 /* Script security levels, from most restrictive (0) to least restrictive (3).
 * Per the per-level comments below, each level permits what the previous one
 * does plus one more class of external command. script_security() and
 * script_security_set(), declared in this header, read and change the level.
 * NOTE(review): how a level is compared against a requested command is not
 * visible in this header -- confirm in run_command.c. */
31 #define SSEC_NONE 0 /* strictly no calling of external programs */
32 #define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc. */
33 #define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
34 #define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environment variable */
/* Caveat for SSEC_PW_ENV: a password placed in the environment is visible to
 * the script and is normally inherited by any process the script starts, so
 * this level should be enabled only when a script genuinely needs it. */
35 
/* Accessor for the script security level. Presumably returns one of the
 * SSEC_* values defined in this header; the definition is in run_command.c
 * and is not shown here -- confirm. */
36 int script_security(void);
37 
/* Mutator for the script security level.
 * NOTE(review): 'level' is a plain int and no range check is visible in this
 * header; confirm that values outside SSEC_NONE..SSEC_PW_ENV are rejected or
 * handled safely by the definition in run_command.c. */
38 void script_security_set(int level);
39 
40 /* openvpn_execve flags: single-bit values that can be combined with | and
 * are passed as the 'flags' argument of openvpn_execve_allowed(),
 * openvpn_execve_check() and openvpn_run_script(). */
41 #define S_SCRIPT (1<<0) /* always OR-ed in by openvpn_run_script(); presumably marks a user-defined script as opposed to a built-in program -- confirm in run_command.c */
42 #define S_FATAL (1<<1) /* NOTE(review): presumably makes a failed command a fatal error; not shown in this header -- confirm */
43 
44 /* Described by the original comment as a wrapper around the execve() call.
 * Takes the command as a struct argv and the environment as a struct env_set.
 * NOTE(review): the meaning of the int result is not stated in this header
 * (the name suggests a popen-style handle on the child's output), nor is it
 * visible here whether the script security level is checked before the
 * command runs -- confirm both in run_command.c. */
45 int openvpn_popen(const struct argv *a, const struct env_set *es);
46 
/* Reports whether a command carrying these openvpn_execve flags may be run.
 * NOTE(review): presumably compares script_security() with the level that
 * 'flags' (S_SCRIPT or not) requires -- confirm in run_command.c. */
47 bool openvpn_execve_allowed(const unsigned int flags);
48 
/* Runs the command in 'a' with environment 'es' under the given flags;
 * 'error_message' is the text supplied by the caller for the failure case
 * (openvpn_run_script() in this header passes a "WARNING: Failed running
 * command (...)" string). NOTE(review): the exact meaning of the bool result
 * and the effect of S_FATAL are not shown here -- confirm. */
49 bool openvpn_execve_check(const struct argv *a, const struct env_set *es,
50  const unsigned int flags, const char *error_message);
51 
/*
 * Run the command in 'a' as a script on behalf of the named hook.
 *
 * S_SCRIPT is always added to the caller's flags before the call is handed
 * to openvpn_execve_check(), so a caller cannot run a hook through this
 * helper without that flag. Presumably this is what subjects the command to
 * the SSEC_SCRIPTS level check -- confirm in run_command.c.
 *
 * a      command and arguments
 * es     environment forwarded unchanged to openvpn_execve_check()
 * flags  openvpn_execve flags from the caller; S_SCRIPT is OR-ed in here
 * hook   hook name; used only inside the failure text
 *
 * Returns whatever openvpn_execve_check() returns.
 */
static inline bool
openvpn_run_script(const struct argv *a, const struct env_set *es,
                   const unsigned int flags, const char *hook)
{
    const unsigned int script_flags = flags | S_SCRIPT;
    char failure_text[256];

    /* 'hook' is passed as a %s argument, never as the format string, and
     * the write is limited to sizeof(failure_text). The bool result of
     * openvpn_snprintf() is not checked here. */
    openvpn_snprintf(failure_text, sizeof(failure_text),
                     "WARNING: Failed running command (%s)", hook);

    return openvpn_execve_check(a, es, script_flags, failure_text);
}
62 
63 #endif /* ifndef RUN_COMMAND_H */