Bump plugin minor version and document new intercept-related settings.

There should have been a minor version bump for sudo 1.9.8 when
intercept was originally implemented.

5 files changed, 191 insertions, 9 deletions

diff --git a/docs/sudo_plugin.man.in b/docs/sudo_plugin.man.in
index 8fee422f8..4fa699e21 100644
--- a/docs/sudo_plugin.man.in
+++ b/docs/sudo_plugin.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_PLUGIN" "5" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_PLUGIN" "5" "May 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -291,6 +291,36 @@ implied_shell=bool
 If the user does not specify a program on the command line,
 \fBsudo\fR
 will pass the plugin the path to the user's shell and set
+\fIimplied_shell\fR.
+.TP 6n
+intercept_ptrace=bool
+Indicates whether or not the system supports intercept
+mode using
+ptrace(2).
+This is currently only true for Linux systems that support
+seccomp(2)
+filtering and the
+\(lqtrap\(rq
+action.
+Other systems will use a dynamic shared object to implement
+intercept.
+.TP 6n
+intercept_setid=bool
+Indicates whether or not the system supports running set-user-ID
+and set-group-ID binaries in intercept mode.
+This is currently only true for Linux systems that support
+seccomp(2)
+filtering and the
+\(lqtrap\(rq
+action.
+On systems that use a dynamic shared object to implement
+intercept, the dynamic linker (ld.so or the equivalent)
+will disable preloading of shared objects when executing a
+set-user-ID or set-group-ID binary.
+This will disable intercept mode for that program and any other
+programs that it executes.
+The policy plugin may refuse to execute a set-user-ID or set-group-ID
+binary in intercept mode to avoid this.
 .TP 6n
 login_class=string
 BSD
@@ -1078,6 +1108,21 @@ The specified
 \fInumber\fR
 must refer to an open file descriptor.
 .TP 6n
+intercept=bool
+If specified,
+\fBsudo\fR
+will intercept attempts to execute a subsequent command and perform
+a policy check via the policy plugin's
+\fBcheck_policy\fR()
+function to determine whether or not the command is permitted.
+This can be used to prevent shell escapes on supported platforms
+but it has a number of limitations.
+See
+\fBPreventing shell escapes\fR
+in
+sudoers(@mansectform@)
+for details.
+.TP 6n
 iolog_compress=bool
 Set to true if the I/O logging plugins, if any, should compress the
 log data.
@@ -1142,6 +1187,24 @@ on
 BSD
 systems.
 .TP 6n
+log_subcmds=bool
+If specified,
+\fBsudo\fR
+will call the audit plugin's
+\fBaccept\fR()
+function to log when the command runs a subsequent command, if supported
+by the system.
+If
+\fIintercept\fR
+is also specified,
+\fIlog_subcmds\fR
+will be ignored.
+See
+\fBPreventing shell escapes\fR
+in
+sudoers(@mansectform@)
+for more information.
+.TP 6n
 noexec=bool
 If set, prevent the command from executing other programs.
 .TP 6n
@@ -1466,6 +1529,16 @@ Force the value specified by the
 \fIumask\fR
 option to override any umask set by PAM or login.conf.
 .TP 6n
+use_ptrace=bool
+If specified,
+\fBsudo\fR
+will use
+ptrace(2)
+to implement intercept mode if supported by the system.
+This setting has no effect unless
+\fIintercept\fR
+is also set.
+.TP 6n
 use_pty=bool
 Allocate a pseudo-terminal to run the command in, regardless of whether
 or not I/O logging is in use.
@@ -5280,7 +5353,7 @@ The
 \fIcmnd_chroot\fR
 and
 \fIcmnd_cwd\fR
-enties were added to the
+entries were added to the
 \fRsettings\fR
 list.
 .TP 6n
@@ -5293,6 +5366,27 @@ Version 1.18 (sudo 1.9.9)
 The policy may now set resource limit values in the
 \fRcommand_info\fR
 list.
+The
+\fIintercept\fR
+and
+\fIlog_subcmds\fR
+entries were added to the
+\fRcommand_info\fR
+list.
+.TP 6n
+Version 1.19 (sudo 1.9.11)
+The
+\fIintercept_ptrace\fR
+and
+\fIintercept_setid\fR
+entries were added to the
+\fRsettings\fR
+list.
+The
+\fIuser_ptrace\fR
+entry was added to the
+\fRcommand_info\fR
+list.
 .SH "SEE ALSO"
 sudo.conf(@mansectform@),
 sudoers(@mansectform@),
diff --git a/docs/sudo_plugin.mdoc.in b/docs/sudo_plugin.mdoc.in
index e4432b839..24f2f5976 100644
--- a/docs/sudo_plugin.mdoc.in
+++ b/docs/sudo_plugin.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 16, 2022
+.Dd May 26, 2022
 .Dt SUDO_PLUGIN @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -269,6 +269,34 @@ to print a usage message and exit.
 If the user does not specify a program on the command line,
 .Nm sudo
 will pass the plugin the path to the user's shell and set
+.Em implied_shell .
+.It intercept_ptrace=bool
+Indicates whether or not the system supports intercept
+mode using
+.Xr ptrace 2 .
+This is currently only true for Linux systems that support
+.Xr seccomp 2
+filtering and the
+.Dq trap
+action.
+Other systems will use a dynamic shared object to implement
+intercept.
+.It intercept_setid=bool
+Indicates whether or not the system supports running set-user-ID
+and set-group-ID binaries in intercept mode.
+This is currently only true for Linux systems that support
+.Xr seccomp 2
+filtering and the
+.Dq trap
+action.
+On systems that use a dynamic shared object to implement
+intercept, the dynamic linker (ld.so or the equivalent)
+will disable preloading of shared objects when executing a
+set-user-ID or set-group-ID binary.
+This will disable intercept mode for that program and any other
+programs that it executes.
+The policy plugin may refuse to execute a set-user-ID or set-group-ID
+binary in intercept mode to avoid this.
 .It login_class=string
 .Bx
 login class to use when setting resource limits and nice value,
@@ -965,6 +993,20 @@ system call to execute the command instead of
 The specified
 .Em number
 must refer to an open file descriptor.
+.It intercept=bool
+If specified,
+.Nm sudo
+will intercept attempts to execute a subsequent command and perform
+a policy check via the policy plugin's
+.Fn check_policy
+function to determine whether or not the command is permitted.
+This can be used to prevent shell escapes on supported platforms
+but it has a number of limitations.
+See
+.Sy Preventing shell escapes
+in
+.Xr sudoers @mansectform@
+for details.
 .It iolog_compress=bool
 Set to true if the I/O logging plugins, if any, should compress the
 log data.
@@ -1017,6 +1059,23 @@ The nice value, if specified, overrides the priority associated with the
 on
 .Bx
 systems.
+.It log_subcmds=bool
+If specified,
+.Nm sudo
+will call the audit plugin's
+.Fn accept
+function to log when the command runs a subsequent command, if supported
+by the system.
+If
+.Em intercept
+is also specified,
+.Em log_subcmds
+will be ignored.
+See
+.Sy Preventing shell escapes
+in
+.Xr sudoers @mansectform@
+for more information.
 .It noexec=bool
 If set, prevent the command from executing other programs.
 .It preserve_fds=list
@@ -1311,6 +1370,15 @@ option is also set.
 Force the value specified by the
 .Em umask
 option to override any umask set by PAM or login.conf.
+.It use_ptrace=bool
+If specified,
+.Nm sudo
+will use
+.Xr ptrace 2
+to implement intercept mode if supported by the system.
+This setting has no effect unless
+.Em intercept
+is also set.
 .It use_pty=bool
 Allocate a pseudo-terminal to run the command in, regardless of whether
 or not I/O logging is in use.
@@ -4676,7 +4744,7 @@ The
 .Em cmnd_chroot
 and
 .Em cmnd_cwd
-enties were added to the
+entries were added to the
 .Li settings
 list.
 .It Version 1.17 (sudo 1.9.4)
@@ -4687,6 +4755,26 @@ field was added to the audit_plugin and approval_plugin structs.
 The policy may now set resource limit values in the
 .Li command_info
 list.
+The
+.Em intercept
+and
+.Em log_subcmds
+entries were added to the
+.Li command_info
+list.
+.It Version 1.19 (sudo 1.9.11)
+The
+.Em intercept_ptrace
+and
+.Em intercept_setid
+entries were added to the
+.Li settings
+list.
+The
+.Em user_ptrace
+entry was added to the
+.Li command_info
+list.
 .El
 .Sh SEE ALSO
 .Xr sudo.conf @mansectform@ ,
diff --git a/include/sudo_plugin.h b/include/sudo_plugin.h
index 873805cdb..032a5fd48 100644
--- a/include/sudo_plugin.h
+++ b/include/sudo_plugin.h
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2009-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2009-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -21,7 +21,7 @@
 
 /* API version major/minor */
 #define SUDO_API_VERSION_MAJOR 1
-#define SUDO_API_VERSION_MINOR 18
+#define SUDO_API_VERSION_MINOR 19
 #define SUDO_API_MKVERSION(x, y) (((x) << 16) | (y))
 #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR, SUDO_API_VERSION_MINOR)
 
diff --git a/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout b/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout
index fa29e46a5..d0c1566cf 100644
--- a/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout
+++ b/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout
@@ -26,7 +26,7 @@
         "INFO1=VALUE1",
         "info2=value2"
     ],
-    "version": "1.18"
+    "version": "1.19"
 }
 (APPROVAL 2) Constructed:
 {
@@ -56,7 +56,7 @@
         "INFO1=VALUE1",
         "info2=value2"
     ],
-    "version": "1.18"
+    "version": "1.19"
 }
 (APPROVAL 1) Show version was called with arguments: (0,)
 Python approval plugin (API 1.0): ApprovalTestPlugin (loaded from 'SRC_DIR/regress/plugin_approval_test.py')
diff --git a/src/exec.c b/src/exec.c
index 111ed2d02..db3c8f4ce 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -321,7 +321,7 @@ sudo_terminated(struct command_status *cstat)
     debug_return_bool(false);
 }
 
-#if SUDO_API_VERSION != SUDO_API_MKVERSION(1, 18)
+#if SUDO_API_VERSION != SUDO_API_MKVERSION(1, 19)
 # error "Update sudo_needs_pty() after changing the plugin API"
 #endif
 static bool