hexdump: actually enter Capsicum sandbox on last file
ClosedPublic
Actions

Authored by emaste on May 25 2017, 1:01 PM.

Details

Reviewers

cem
allanjude
kevans

Commits

rS319887: hexdump: actually enter capability mode on last file

Test Plan

Without D10893 applied hexdump fails with -s. Verify that this is caught as ENOTCAPABLE or ECAPMODE in capability mode:

nuc% proccontrol -m trapcap usr.bin/hexdump/obj/hexdump -s 1 /bin/ls
zsh: trace trap  proccontrol -m trapcap usr.bin/hexdump/obj/hexdump -s 1 /bin/ls
nuc%

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

emaste created this revision.May 25 2017, 1:01 PM

emaste added a subscriber: jhb.

cem accepted this revision.May 25 2017, 2:15 PM

cem added inline comments.

usr.bin/hexdump/display.c
369 ↗	(On Diff #28776)	This can be spelled `if (_argv[1] == NULL) {`, I think.

This revision is now accepted and ready to land.May 25 2017, 2:15 PM

kib added a subscriber: kib.May 25 2017, 2:17 PM

kib added inline comments.

usr.bin/hexdump/display.c
376 ↗	(On Diff #28776)	I am looking simultaneously at this line and at the test that you changed in the review, and I think that at least one more thing is wrong after it. If _argv can be NULL, i..e. point past the last argument, then testing (_argv + 1) is not safe.

print correct arg in err case
do not access *(argv + 1) if already at end of argv list

This revision now requires review to proceed.May 25 2017, 4:14 PM

emaste added inline comments.May 25 2017, 4:16 PM

usr.bin/hexdump/display.c
369 ↗	(On Diff #28776)	It could although I'm not sure that's clearer. I dislike combining array access and `++_argv` pointer manipulation.

emaste added a subscriber: oshogbo.May 25 2017, 5:51 PM

emaste added a reviewer: kevans.Jun 2 2017, 2:52 PM

kevans accepted this revision.Jun 3 2017, 1:41 AM

This revision is now accepted and ready to land.Jun 3 2017, 1:41 AM

This entire approach seems sketchy. If you give hexdump multiple files, it only cap_enter()'s for the last file but not the first N files? That just means that if there is a malicious file that triggers some sort of overflow, etc. I just need (as the user) to append "/dev/null" on the command line to get hexdump to parse the malicious file without being in capability mode. It seems to me that you should either open all the files up front, or you pass fds of files into a compartment that does the actual hexdump.

In D10897#229437, @jhb wrote:

This entire approach seems sketchy. If you give hexdump multiple files, it only cap_enter()'s for the last file but not the first N files? That just means that if there is a malicious file that triggers some sort of overflow, etc. I just need (as the user) to append "/dev/null" on the command line to get hexdump to parse the malicious file without being in capability mode. It seems to me that you should either open all the files up front, or you pass fds of files into a compartment that does the actual hexdump.

Yeah, it's a limited form of capisicumization. It's a pattern used elsewhere in the tree, too. It still helps when the malicious actor cannot control program arguments, and especially in the common case where only one file is passed.

Unfortunately, neither opening all files up front or rearchitecting the program as a two-process sandbox is totally trivial.

Closed by commit rS319887: hexdump: actually enter capability mode on last file (authored by emaste). · Explain WhyJun 13 2017, 1:06 AM

This revision was automatically updated to reflect the committed changes.