
Add "intercept" Defaults setting to allow interception of sub-commands.

This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell.  Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
Todd C. Miller
2021-08-09 15:50:25 -06:00
parent b3e86c65b1
commit 786e5865cb
16 changed files with 3346 additions and 2977 deletions


@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -611,7 +611,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
debug_return_bool(true); /* nothing to do */
/* Increase the length of command_info as needed, it is *not* checked. */
command_info = calloc(55, sizeof(char *));
command_info = calloc(57, sizeof(char *));
if (command_info == NULL)
goto oom;
@@ -620,6 +620,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if (command_info[info_len++] == NULL)
goto oom;
}
if (def_log_children) {
if ((command_info[info_len++] = strdup("log_children=true")) == NULL)
goto oom;
}
if (def_log_input || def_log_output) {
if (iolog_path)
command_info[info_len++] = iolog_path; /* now owned */
@@ -765,6 +769,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if ((command_info[info_len++] = strdup("ignore_iolog_errors=true")) == NULL)
goto oom;
}
if (def_intercept) {
if ((command_info[info_len++] = strdup("intercept=true")) == NULL)
goto oom;
}
if (def_noexec) {
if ((command_info[info_len++] = strdup("noexec=true")) == NULL)
goto oom;
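Review bot: The `calloc(57, sizeof(char *))` in the second hunk is still a hand-counted capacity that, by its own comment, is never checked, and this commit adds two more conditional `command_info[info_len++]` stores (`log_children=true` and `intercept=true`) against it. Whether 57 covers every possible entry plus a trailing NULL slot cannot be confirmed from the visible hunks, because the body of sudoers_policy_store_result continues outside them. A miscount here would write past the end of a heap array in the policy plugin, so the bound should be enforced rather than documented. I would name the capacity once (for example `#define COMMAND_INFO_MAX 57`, a name constructed for this note), pass it to `calloc`, and fail closed before returning the array with a check such as `if (info_len >= COMMAND_INFO_MAX) goto oom;`, or with a dedicated error path if `oom` would report the wrong message. The comment could then read `/* Capacity is COMMAND_INFO_MAX; update it when adding entries, enforced below. */`.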