Paths

Table of Contentst

ident(1): Capsicumify
ClosedPublic
Actions

Authored by cem on Sep 18 2016, 4:28 AM.

Details

Reviewers

emaste
allanjude
bapt
oshogbo

Commits

rS310145: ident(1): Capsicumify

Summary

As usual for a first cut, punt on sandboxing multiple files and just
sandbox the last input file.

Test Plan

kyua test passed (1/1)
ident tests/test.in tests/test.in tests/test.in /dev/stdin (multiple files)
ident (tty input)
ident < tests/test.in (non-tty stdin)

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

cem updated this revision to Diff 20415.Sep 18 2016, 4:28 AM

cem retitled this revision from to ident(1): Capsicumify.

cem updated this object.

cem edited the test plan for this revision. (Show Details)

cem added reviewers: emaste, oshogbo, allanjude, bapt.

Herald added a subscriber: imp. · View Herald TranscriptSep 18 2016, 4:28 AM

It would be nicer to fork and cap_enter for each arguments but the last one if there are more than 1 arguments, what do you think?

In D7918#164191, @bapt wrote:

It would be nicer to fork and cap_enter for each arguments but the last one if there are more than 1 arguments, what do you think?

I'd prefer to defer multiple-argument support to a follow-up patch.

what about an open(/) then replace fopen with openat/fdopen that would avoid a fork and will make it work properly

The approach I have in mind is equivalent to D7936

allanjude added inline comments.Sep 18 2016, 5:35 PM

usr.bin/ident/ident.c
266 ↗	(On Diff #20415)	Since this application already has the processing split out, you could do an array of fp's (malloc fp * argc - 1) then cap_enter and do a second for loop for the scan() or do the fork() thing

bapt added inline comments.Sep 18 2016, 5:40 PM

usr.bin/ident/ident.c
266 ↗	(On Diff #20415)	I still find my open("/", O_DIRECTORY) approach nicer than what you propose :)

In D7918#164209, @bapt wrote:

what about an open(/) then replace fopen with openat/fdopen that would avoid a fork and will make it work properly

This requires resolving all paths into absolute paths, right? Why not open the current working directory and openat on that? Or does openat in the sandbox actually restrict to paths below dirfd?

In D7918#164437, @cem wrote:

Why not open the current working directory and openat on that? Or does openat in the sandbox actually restrict to paths below dirfd?

Answer: yes, openat can't open paths above fd in capability mode.

Group multiple related capability restrictions into a single if clause.
Preopen input files; enter capability mode for all processing.

cem marked an inline comment as done.Sep 19 2016, 11:56 PM

Can update to use capsicum helpers

usr.bin/ident/ident.c
266 ↗	(On Diff #20415)	One problem with that approach is paths containing `..` are (currently, see D8110) disallowed in capability mode.

Update to use helpers.

Closed by commit rS310145: ident(1): Capsicumify (authored by cem). · Explain WhyDec 16 2016, 2:10 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

usr.bin/

ident/

ident.c

49 lines

Diff 22986

View Options

head/usr.bin/ident/ident.c

ident(1): CapsicumifyClosedPublicActions