From cfb13e0a97c5aa7048fef1ee55f631757a2422d7 Mon Sep 17 00:00:00 2001
From: Mariusz Zaborski
Date: Mon, 7 May 2018 20:38:09 +0000
Subject: [PATCH] Introduce caph_enter and caph_enter_casper.
The caph_enter function should made it easier to sandbox application and not force us to remember that we need to check errno on failure. Another function is also checking if casper is present.
Reviewed by: emaste, cem (partially)
Differential Revision: https://reviews.freebsd.org/D14557
---
 lib/libcapsicum/capsicum_helpers.3 | 19 ++++++++++++++++++-
 lib/libcapsicum/capsicum_helpers.h | 20 ++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/lib/libcapsicum/capsicum_helpers.3 b/lib/libcapsicum/capsicum_helpers.3
index 98ea1dc64179..b25a0ad9c5ff 100644
--- a/lib/libcapsicum/capsicum_helpers.3
+++ b/lib/libcapsicum/capsicum_helpers.3
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 21, 2016
+.Dd May 7, 2018
 .Dt CAPSICUM_HELPERS 3
 .Os
 .Sh NAME
@@ -41,6 +41,10 @@
 .Sh SYNOPSIS
 .In capsicum_helpers.h
 .Ft int
+.Fn caph_enter "void"
+.Ft int
+.Fn caph_enter_casper "void"
+.Ft int
 .Fn caph_limit_stream "int fd, int flags"
 .Ft int
 .Fn caph_limit_stdin "void"
@@ -56,6 +60,19 @@
 .Fn caph_cache_catpages "void"
 .Sh DESCRIPTION
 The
+.Nm caph_enter
+is equivalent to the
+.Xr cap_enter 2
+it returns success when the kernel is built without support of the capability
+mode.
+.Pp
+The
+.Nm caph_enter_casper
+is equivalent to the
+.Nm caph_enter
+it returns success when the system is built without Casper support.
+.Pp
+The
 .Nm capsicum helpers are a set of a inline functions which simplify modifying programs to use Capsicum.
diff --git a/lib/libcapsicum/capsicum_helpers.h b/lib/libcapsicum/capsicum_helpers.h
index 1ff2b3587cb1..dfc50d925e82 100644
--- a/lib/libcapsicum/capsicum_helpers.h
+++ b/lib/libcapsicum/capsicum_helpers.h
@@ -39,6 +39,8 @@
 #include
 #include
+#include
+
 #define CAPH_IGNORE_EBADF 0x0001
 #define CAPH_READ 0x0002
 #define CAPH_WRITE 0x0004
@@ -122,4 +124,22 @@ caph_cache_catpages(void)
 (void)catopen("libc", NL_CAT_LOCALE);
 }
+static __inline int
+caph_enter(void)
+{
+
+ if (cap_enter() < 0 && errno != ENOSYS)
+ return (-1);
+
+ return (0);
+}
+
+
+static __inline int
+caph_enter_casper(void)
+{
+
+ return (CASPER_SUPPORT == 0 ? 0 : caph_enter());
+}
+
 #endif /* _CAPSICUM_HELPERS_H_ */
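Review bot: Both helpers added here can return 0 while the process is still outside capability mode, and nothing at the definitions says so: `caph_enter()` maps `ENOSYS` from `cap_enter()` to success, and `caph_enter_casper()` never calls `cap_enter()` when `CASPER_SUPPORT == 0`. A caller that treats a zero return as proof of sandboxing keeps full ambient authority on such systems, so each function should carry a comment stating the fail-open contract, for example `/* Returns 0 when the kernel lacks capability mode (ENOSYS); the process is then NOT sandboxed. Use cap_sandboxed() if confinement is mandatory. */` above `caph_enter()` and `/* Built without Casper: returns 0 without entering capability mode. */` above `caph_enter_casper()`. The new code also reads `errno` and `ENOSYS`; the header name on the `#include` line added in the earlier hunk of this file is not visible on this page, so it is worth confirming that `<errno.h>` is included directly rather than through another header.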