Page MenuHomeFreeBSD

ident(1): Capsicumify
ClosedPublic

Authored by cem on Sep 18 2016, 4:28 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 16, 5:16 AM
Unknown Object (File)
Thu, Dec 5, 1:36 AM
Unknown Object (File)
Oct 30 2024, 9:00 AM
Unknown Object (File)
Oct 22 2024, 11:29 PM
Unknown Object (File)
Oct 22 2024, 11:29 PM
Unknown Object (File)
Oct 22 2024, 11:29 PM
Unknown Object (File)
Oct 22 2024, 11:29 PM
Unknown Object (File)
Oct 22 2024, 11:29 PM
Subscribers

Details

Summary

As usual for a first cut, punt on sandboxing multiple files and just
sandbox the last input file.

Test Plan
  • kyua test passed (1/1)
  • ident tests/test.in tests/test.in tests/test.in /dev/stdin (multiple files)
  • ident (tty input)
  • ident < tests/test.in (non-tty stdin)

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

cem retitled this revision from to ident(1): Capsicumify.
cem updated this object.
cem edited the test plan for this revision. (Show Details)
cem added reviewers: emaste, oshogbo, allanjude, bapt.

It would be nicer to fork and cap_enter for each arguments but the last one if there are more than 1 arguments, what do you think?

In D7918#164191, @bapt wrote:

It would be nicer to fork and cap_enter for each arguments but the last one if there are more than 1 arguments, what do you think?

I'd prefer to defer multiple-argument support to a follow-up patch.

what about an open(/) then replace fopen with openat/fdopen that would avoid a fork and will make it work properly

The approach I have in mind is equivalent to D7936

usr.bin/ident/ident.c
266 ↗(On Diff #20415)

Since this application already has the processing split out, you could do an array of fp's (malloc fp * argc - 1) then cap_enter and do a second for loop for the scan()

or do the fork() thing

usr.bin/ident/ident.c
266 ↗(On Diff #20415)

I still find my open("/", O_DIRECTORY) approach nicer than what you propose :)

In D7918#164209, @bapt wrote:

what about an open(/) then replace fopen with openat/fdopen that would avoid a fork and will make it work properly

This requires resolving all paths into absolute paths, right? Why not open the current working directory and openat on that? Or does openat in the sandbox actually restrict to paths below dirfd?

In D7918#164437, @cem wrote:

Why not open the current working directory and openat on that? Or does openat in the sandbox actually restrict to paths below dirfd?

Answer: yes, openat can't open paths above fd in capability mode.

cem edited edge metadata.
  • Group multiple related capability restrictions into a single if clause.
  • Preopen input files; enter capability mode for all processing.
cem marked an inline comment as done.Sep 19 2016, 11:56 PM

Can update to use capsicum helpers

usr.bin/ident/ident.c
266 ↗(On Diff #20415)

One problem with that approach is paths containing .. are (currently, see D8110) disallowed in capability mode.

cem edited edge metadata.

Update to use helpers.

This revision was automatically updated to reflect the committed changes.