The service handler for fileargs_open() tries to pre-open multiple files
and pass descriptors for each back to the sandboxed process in a single
message. This is to amortize the cost of round-trips between the two
processes.
The service process adds a "cache" nvlist to the reply to "open",
containing file descriptors for pre-opened files. However, when adding
that nvlist to the reply, it was making a copy, effectively leaking the
cached descriptors.
While here, fix spelling in a local variable name.
PR: 241226
Reviewed by: oshogbo
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25095
We must wrap C declarations in __BEGIN / __END_DECLS to avoid C++ name-mangling
of the declaration when including the C header; name-mangling causes the linker
to attempt to locate the wrong (C++ ABI) symbol name.
Reviewed by: markj, oshogbo (earlier version both)
Differential Revision: https://reviews.freebsd.org/D24323
No functional change. Minor API change that is nicer for consumers. ABI is
identical; the routine never needed to modify the pointed to value.
Reviewed by: emaste, markj
Differential Revision: https://reviews.freebsd.org/D24319
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files
Reviewed by: bdrewery
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D22494
operation & ~limit where limit is a bool is clearly not what was intended,
given the line prior. Correct it to use the calculated mask for validation.
The cap_sysctl tests should now be functional again.
A lot of binaries present in FreeBSD-runtime depend on it so move
the libs there.
Reviewed by: bapt, gjb
Differential Revision: https://reviews.freebsd.org/D21501
The limit of the name in fileargs is twice the size of MAXPATH.
The nvlist will not add an element with a longer name.
We can detect at this point that the path is too big, and simply return
the same error as open(2) would.
PR: 239700
Reported by: markj
Tested by: markj
MFC after: 2 weeks
Now that we have a way to obtain entropy in capability mode
(getrandom(2)), libcap_random is obsolete. Remove it.
Bump __FreeBSD_version in case anything happens to use it, though I've
found no consumers.
Reviewed by: delphij, emaste, oshogbo
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D21033
- Add some coverage for cap_sysctl(3).
- Add a test for the case where the caller wishes to find the sysctl
output length without specifying an output buffer.
Reviewed by: oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17856
These complement cap_sysctlbyname(3) to provide a drop-in
replacement for the corresponding libc functions.
Also revise the libcap_sysctl limit interface to provide access
to sysctls by MIB, and to avoid direct manipulation of nvlists
by the caller.
Reviewed by: oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17854
Add fileargs_lstat function to cap_fileargs casper service to be able to
lstat files while in capability mode. It can only lstat files given in
fileargs_init.
Submitted by: Bora Özarslan <borako.ozarslan@gmail.com>
Reviewed by: oshogbo, cem (partial)
MFC after: 3 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D19548
from its parent so that LOG_PERROR would work. However, this caused
dhclient(8)'s stdio streams to remain open across daemonization, breaking
the ability to capture its foreground output as done in netconfig_ipv4.
Fix this by reverting r341692 and instead passing the parent's stderr
descriptor as an argument to cap_openlog() only when LOG_PERROR is specified
in logopt.
PR: 234514
Suggested by: markj
Reported by: Shawn Webb
Reviewed by: markj, oshogbo
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18989
The Casper library should not use the exit(3) function because applications
may register it before setting Casper up. Casper doesn't depend on any
registered exit function, so it's safe to change this.
Reported by: jceel
MFC after: 2 weeks
Some external tools like tcpdump(1) have upstreamed the changes with the old
limit names. Because of that, provide compatibility with the old names.
Reported by: emaste
cap_fileargs is a Casper service which helps to sandbox applications that need
access to the filesystem namespace. The main purpose of the service is to make
it easy to capsicumize applications that work on multiple files passed in argv.
We have a couple of examples of using it, but we still treat this service as an
experimental one.
Reviewed by: emaste (previous version), jonathan (partially)
Discussed with: many
Differential Revision: https://reviews.freebsd.org/D14407
Please notice that we still don't clean information in nvlist structures.
Submitted by: David CARLIER <devnexen@gmail.com>
Differential Revision: https://reviews.freebsd.org/D16777
The getaddrinfo(3) and gethostbyname(3) are used to return the address for a
given hostname. The getnameinfo(3) and gethostbyaddr(3) are used to return
hostname for a given address. Right now in casper, we have two limitations:
- NAME which allows resolving DNS names.
- ADDR which allows doing reverse DNS lookups.
Before this change the rights were mixed up:
NAME - getnameinfo(3) and gethostbyname(3)
ADDR - gethostbyaddr(3) and getaddrinfo(3)
Which, no matter the limitation, allowed us to resolve DNS names and do DNS
lookups basically by using a different set of functions.
Now the NAME type allows the getaddrinfo(3) and gethostbyname(3) functions,
and the ADDR type allows the gethostbyaddr(3) and getnameinfo(3) functions.
Reviewed by: pjd, bcr
MFC after: 3 weeks
Discussed with: hrs
Differential Revision: https://reviews.freebsd.org/D16930
Remove obsolete example. All services have their own example.
This example also shows the old type of limiting method, which is
not recommended.
Reviewed by: bcr@
Differential Revision: https://reviews.freebsd.org/D14607
Instead of passing flags (which describe a type of nvlist)
every send/recv, we remember them in the channel.
It's enough for us to extract them only during unwrap.
This simplifies use of Casper.
Reviewed by: brueffer@, bcr@ (both man page)
Differential Revision: https://reviews.freebsd.org/D14196 (man page)
syslog in libc secretly reconnects to the daemon.
Another issue is that we don't have any information from openlog(3) on whether
we succeeded in opening the log or not, so we don't know if we are ready
to enter capability mode.
Because of all that, we decided we need a syslog service for Casper.
Reviewed by: bapt@
Differential Revision: https://reviews.freebsd.org/D12824
function, so checking if cap_channel_t is NULL is not enough.
Casper with a normal libc will still fail in capability mode, so let's not
enter capability mode without Casper support when we need to resolve DNS.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D12823
respected.
Please notice that libcasper is already in ObsoleteFiles so we don't add it
again.
Reported by: Herbert J. Skuhra <herbert@mailbox.org>
Reviewed by: bdrewery@
Differential Revision: https://reviews.freebsd.org/D12918
The idea behind mocks is that we don't need to ifdef a lot of code in the
tools themselves; instead those defines are hidden in the Casper library.
Right now the mocks are implemented as defines/inline functions.
There was a very long discussion of how this should be implemented.
This approach has some advantages, like not needing to link to any additional
libraries. Unfortunately there are also some disadvantages, for example it is
easy to get the library out of sync between the two versions of functions, or
that we need an extra define to compile a program with Casper support.
This isn't an ideal solution, but it's good enough for now and should simplify
capsicumizing programs. This also doesn't close off any other ways to do those
mocks, and this should evolve in time.
Discussed with: pjd, emaste, ed, rwatson, bapt, cem, bdrewery
Differential Revision: https://reviews.freebsd.org/D8753
Non-tests/... changes:
- Add HAS_TESTS= to Makefiles with libraries and programs to enable iteration
and propagate the appropriate environment down to *.test.mk.
tests/... changes:
- Add appropriate support Makefile.inc's to set HAS_TESTS in a minimal manner,
since tests/... is a special subdirectory tree compared to the others.
MFC after: 2 months
MFC with: r322511
Reviewed by: arch (silence), testing (silence)
Differential Revision: D12014
The reachover Kyuafiles were never added, and thus the tests were installed
as standalone tests, and not integrated into the full suite.
MFC after: 1 week
MFC with: r305626, 305629, r307863, r322447, r322448, r322449
of freefall.freebsd.org to unbreak the DNS tests
The address allocations for freefall.freebsd.org have changed in the past 4 years.
Use a more stable set of hardcoded addresses for now to make the tests succeed
reliably.
The hostname should be resolved dynamically instead of hardcoding the addresses in
the future. This is just a bandaid.
MFC after: 1 week
Some of the testcases try to manipulate sysctls that require root privileges,
e.g., "kern.sync_on_panic". Make root-privileges a hard requirement so the
tests don't raise false positives due to privilege issues when calling
sysctlbyname(3) on writable sysctls.
MFC after: 1 week
- Flushing stdout prevents the buffer from being printed twice, fixing
issues with stdout printing out the testplan, etc, twice.
- Don't print out raw source/line numbers; hide them behind comments.
MFC after: 1 week
directories to SUBDIR.${MK_TESTS} idiom
This is being done to pave the way for future work (and homogeneity) in
^/projects/make-check-sandbox .
No functional change intended.
MFC after: 1 week
channel to a zygote process, rather than sending a function pointer or
service pointer. This avoids transferring pointers between address spaces,
which, while robust in this case (due to the zygote being forked() from the
parent), is not generally a good idea, especially in the presence of
increasingly popular control-flow integrity and pointer protection
mitigation schemes. With this change, ping(8) and other sandboxed tools
using libcasper for DNS resolution now work on architectures with tagged
memory again.
Reviewed by: oshogbo
MFC after: 1 week
Sponsored by: DARPA, AFRL
bsd.own.mk (included from src.opts.mk) sets SHLIBDIR?=${LIBDIR}, so
SHLIBDIR must be set before including either one of them.
MFC with: 305626
Sponsored by: The FreeBSD Foundation
CASPER_SERVICE_STDIO - Casper will not close the first three descriptors (stdin,
stdout and stderr); this can be helpful for debugging.
CASPER_SERVICE_FD - Casper will not close all other descriptors; this can
be useful for a filesystem service.
For FreeBSD 12, I'm considering updating setgrent() to have a function
prototype that conforms to POSIX. FreeBSD seems to be the only operating
system that lets setgrent() return an integer. It's also inconsistent
with setpwent().
It looks like our libcasper depends on setgrent() returning an integer.
Get rid of that.
Reviewed by: oshogbo
Differential Revision: https://reviews.freebsd.org/D6659