
First pass at capsicumizing file(1)
Needs Review (Public)

Authored by allanjude on Sep 1 2016, 2:30 AM.

Details

Summary

This opens all of the fds before entering the sandbox.

This takes some extra care because the -f flag specifies a file full of filenames, which we also need to pre-open.

While here, also fixed two other bugs:
wid(th) of output column (longest filename) was not shared between argv and -f file
nobuffer flag was only applied in the case of -f flag

Diff Detail

Repository
rS FreeBSD src repository
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 4997
Build 5064: arc lint + arc unit

Event Timeline

allanjude updated this revision to Diff 19903. Sep 1 2016, 2:30 AM
allanjude retitled this revision from to First pass at capsicumizing file(1).
allanjude updated this object.
allanjude edited the test plan for this revision. (Show Details)
allanjude added reviewers: emaste, oshogbo.
allanjude updated this revision to Diff 19904. Sep 1 2016, 2:33 AM

Fix whitespace

emaste edited edge metadata. Sep 9 2016, 6:19 PM

Note that OpenBSD has modified file(1) to introduce privsep, and it's a trivial port to Capsicum:

% git show | diffstat
 file.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
jonathan edited edge metadata. Sep 19 2016, 9:37 PM

I think I'd be more comfortable if the bug fixes were committed separately from the Capsicum changes (making everything easier to upstream?) and if the Capsicum-specific stuff could be refactored out as much as possible to reduce the in-line #ifdef content. In particular, it would be nice if there could be struct sandbox or the like to capture all of the additional state required by Capsicum, and the contents of that structure could be different on FreeBSD, OpenBSD, etc. If there were a function called start_sandbox(struct sandbox *sbp) or the like, possibly together with a set_flags(int fd, struct sandbox *) or something, it would allow a nice, fair comparison between the Capsicum and Pledge LoC.

So... should this revision be abandoned in favour of an approach that uses the new enable_sandbox_{basic,full}() functions?

> So... should this revision be abandoned in favour of an approach that uses the new enable_sandbox_{basic,full}() functions?

Probably. I am not familiar with the new approach. I am happy to let someone else take over this project, I have lots of other stuff going on.
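The pre-open pattern the summary describes (open every argv file and every -f list entry before entering capability mode, accumulating one shared output column width across both sources) and the struct sandbox / start_sandbox() split jonathan asks for, as an added C example; it is not the revision's own file.c change. struct sandbox, add_input(), preopen_inputs(), start_sandbox() and demo_width() are hypothetical names chosen here; cap_rights_init(), cap_rights_limit() and cap_enter() are the real FreeBSD Capsicum calls and are compiled only under __FreeBSD__, with a no-op stand-in elsewhere (an assumption, so that the non-Capsicum logic can run on any POSIX system). The sample inputs under /tmp are constructed by demo_width() itself.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>	/* cap_rights_init(), cap_rights_limit(), cap_enter() */
#endif

#define MAX_INPUTS 256	/* example-only bound; file(1) itself has no such limit */
/* Hypothetical: all state the post-sandbox phase needs, gathered before entry. */
struct sandbox {
	int fds[MAX_INPUTS];	/* read-only fds, opened while paths are still reachable */
	size_t n;		/* inputs recorded so far */
	size_t wid;		/* longest name: one output column width for argv and -f */
};

/* Open one input now; after cap_enter() an open(2) by path fails with ECAPMODE. */
static int
add_input(struct sandbox *sb, const char *name)
{
	if (sb->n >= MAX_INPUTS || (sb->fds[sb->n] = open(name, O_RDONLY)) == -1)
		return (-1);
	sb->n++;
	if (strlen(name) > sb->wid)	/* width is accumulated across both sources */
		sb->wid = strlen(name);
	return (0);
}

/* Pre-open every argv name and, if listfile is set (-f), every non-empty line of it. */
int
preopen_inputs(struct sandbox *sb, int argc, char *const argv[], const char *listfile)
{
	char line[4096];
	FILE *lf;
	int i;
	memset(sb, 0, sizeof(*sb));
	for (i = 0; i < argc; i++)
		if (add_input(sb, argv[i]) == -1)
			return (-1);
	if (listfile == NULL)
		return (0);
	if ((lf = fopen(listfile, "r")) == NULL)
		return (-1);
	while (fgets(line, sizeof(line), lf) != NULL) {
		line[strcspn(line, "\n")] = '\0';
		if (line[0] != '\0' && add_input(sb, line) == -1) {
			fclose(lf);
			return (-1);
		}
	}
	fclose(lf);	/* the list is consumed; only the opened fds cross into the sandbox */
	return (0);
}

/* FreeBSD: limit each input fd to read-side rights, then cap_enter(). Elsewhere a no-op (assumed stand-in). */
int
start_sandbox(struct sandbox *sb)
{
#ifdef __FreeBSD__
	cap_rights_t rights;
	size_t i;
	cap_rights_init(&rights, CAP_READ, CAP_FSTAT, CAP_SEEK);
	for (i = 0; i < sb->n; i++)
		if (cap_rights_limit(sb->fds[i], &rights) == -1)
			return (-1);
	return (cap_enter());
#endif
	(void)sb;
	return (0);
}

/* Constructed self-check: one argv input plus a -f list naming a longer file; the shared width (26) must come from the list. */
int
demo_width(void)
{
	char *const argv[] = { "/tmp/capex_a.txt" };
	const char *paths[] = { argv[0], "/tmp/capex_longer_name.txt", "/tmp/capex_list.txt" };
	const char *texts[] = { "aa\n", "bb\n", "/tmp/capex_longer_name.txt\n\n" };
	struct sandbox sb;
	FILE *fp;
	size_t i;
	int wid = -1;
	for (i = 0; i < 3; i++) {
		if ((fp = fopen(paths[i], "w")) == NULL)
			return (-1);
		fputs(texts[i], fp);
		fclose(fp);
	}
	if (preopen_inputs(&sb, 1, argv, paths[2]) == 0 && sb.n == 2)
		wid = (int)sb.wid;
	for (i = 0; i < 3; i++)
		unlink(paths[i]);	/* open fds survive unlinking; must precede cap_enter() */
	if (wid != -1 && start_sandbox(&sb) != 0)
		wid = -1;
	for (i = 0; i < sb.n; i++)
		close(sb.fds[i]);
	return (wid);
}
```

Once cap_enter() has succeeded the process can no longer open anything by path, which is why the -f list has to be read to completion, and every name in it opened, before start_sandbox() is called; demo_width() unlinks its temporary files at that same point, before entry, because the already-open descriptors stay valid. A real main() would also apply the nobuffer setting to stdout once, before either source is processed, rather than only on the -f path.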