Page MenuHomeFreeBSD
Differential D26546

bspatch: enter capability mode after dropping fd rights
AbandonedPublic
Actions

Authored by emaste on Sep 24 2020, 2:15 PM.
Tags
None
Referenced Files
Unknown Object (File)
Dec 22 2023, 11:37 PM
Unknown Object (File)
Jul 15 2023, 9:05 PM
Unknown Object (File)
Jul 15 2023, 8:25 AM
Unknown Object (File)
May 2 2023, 6:19 AM
Unknown Object (File)
Apr 8 2023, 2:15 AM
Unknown Object (File)
Mar 27 2023, 6:49 AM
Unknown Object (File)
Mar 17 2023, 6:09 AM
Unknown Object (File)
Mar 4 2023, 9:03 PM
View All 13 Files
Subscribers
cperciva
oshogbo
pjd

Details

Reviewers
None
Group Reviewers
capsicum
Summary

This change has no functional difference, but this order might discourage mistakes in the future.

One could argue that entering capability mode as early as possible is preferred. However, a future developer may assume the`cap_enter()` indicates where the sandbox has been entered and is ready for potentially unsafe operations, so I feel it makes sense to have fd rights limited before that point.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

emaste requested review of this revision.Sep 24 2020, 2:15 PM
emaste created this revision.
emaste edited the summary of this revision. (Show Details)
emaste added a subscriber: cperciva.
oshogbo added a subscriber: oshogbo.Sep 28 2020, 7:40 AM
oshogbo added inline comments.
usr.bin/bsdiff/bspatch/bspatch.c
173

Is there any issue with that?
You can limit descriptors after entering the sandbox.

emaste added inline comments.Sep 28 2020, 3:41 PM
usr.bin/bsdiff/bspatch/bspatch.c
173

See the review description above - there's no issue with it as is, but IMO it's more clear to enter capability mode after limiting fd rights, because the cap_enter() servers as a marker that we're now in the sandbox and may use potentially-unsafe code.

pjd added a subscriber: pjd.Sep 29 2020, 9:48 AM
pjd added inline comments.
usr.bin/bsdiff/bspatch/bspatch.c
173

To be honest, even after reading the reasoning behind this change I still would prefer to enter capability mode as soon as possible. Entering a sandbox doesn't have to be a one-step process. For example:

  1. Enter capability mode.
  2. Limit descriptors 1&2.
  3. Do some work.
  4. Limit descriptors 3&4; close descriptor 2.
  5. Do more work.
  6. Limit descriptor 4 even further.

etc.
I'd encourage this kind of examples wherever possible.
Sandboxing is about limiting TCB, so in my opinion entering the sandbox as soon as possible and then limit further is a better example.

emaste abandoned this revision.Sep 30 2020, 1:29 PM

Revision Contents
Changeset List

PathSize
usr.bin/
bsdiff/
bspatch/
6 lines

Diff 77484

View Options

usr.bin/bsdiff/bspatch/bspatch.c

Loading...