ministat(1): Capsicumify
ClosedPublic
Actions

Authored by cem on Sep 18 2016, 7:21 AM.

Details

Reviewers

emaste
jhb
allanjude

Commits

rS310141: ministat(1): Capsicumify

Summary

Separate dataset opening from reading/parsing. The number of input
files is already capped to a small number, so just open all input files
before sandboxing.

Test Plan

ministat < iguana
ministat iguana chameleon iguana
'make test'

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

cem updated this revision to Diff 20423.Sep 18 2016, 7:21 AM

cem retitled this revision from to ministat(1): Capsicumify.

cem updated this object.

cem edited the test plan for this revision. (Show Details)

cem added reviewers: emaste, allanjude, jhb.

Herald added a subscriber: imp. · View Herald TranscriptSep 18 2016, 7:21 AM

allanjude added inline comments.Sep 18 2016, 4:37 PM

usr.bin/ministat/ministat.c
619 ↗	(On Diff #20423)	Do you need to allow TIOCGETA for STDIN and friends?

cem added inline comments.Sep 18 2016, 5:59 PM

usr.bin/ministat/ministat.c
619 ↗	(On Diff #20423)	Stdin — I don't think so. (`fread` or whatever invokes `isatty()` doesn't seem to behave wrongly when that call fails.) Stdout/stderr — I also don't think so. It seems to work fine without that privilege. I believe `isatty()` on std output streams controls line-buffering, but I'm not sure that matters for ministat. Ministat output, unlike e.g. logs, doesn't really make sense one line at a time. I'm not especially confident of either of those statements. I've just observed it seems to work fine as-is. In the absence of any other factor, I prefer fewer lines of code. :-)

jhb added inline comments.Sep 20 2016, 6:01 PM

usr.bin/ministat/ministat.c
619 ↗	(On Diff #20423)	I wonder if it makes sense to have some kind of wrapper for the "normal" stdio cases i.e. something like: cap_permit_stdio_read(fd); cap_permit_stdio_write(fd); And then another small wrapper: cap_permit_stdio_std() { cap_permit_stdio_read(STDIN_FILENO); cap_permit_stdio_write(STDOUT_FILENO); cap_permit_stdio_write(STDERR_FILENO); } Only in the sense of if having these would reduce the boilerplate required in N utilities.

cem added inline comments.Sep 20 2016, 6:10 PM

usr.bin/ministat/ministat.c
619 ↗	(On Diff #20423)	Yep, I think something like that would make sense.

I have an alternative suggestion in D7982 for these sorts of programs - just don't bother restricting stdio rights, at least initially, and we can introduce the wrappers jhb mentions later on.

In D7925#165071, @emaste wrote:

I have an alternative suggestion in D7982 for these sorts of programs - just don't bother restricting stdio rights, at least initially, and we can introduce the wrappers jhb mentions later on.

Sure, we could remove the stdio restrictions. It wouldn't reduce the diff very much, though. (Most of the change is around preopening input files, of which there are a limited number (up to ~8).)

We can always change the code as it is in this patch when such wrappers are introduced, too.

In D7925#165141, @cem wrote:

Sure, we could remove the stdio restrictions.

I think we need to either remove them or add fstat and TIOCGETA.

In D7925#165616, @emaste wrote:

In D7925#165141, @cem wrote:

Sure, we could remove the stdio restrictions.

I think we need to either remove them or add fstat and TIOCGETA.

Why? They appear to have zero impact on this program.

Why? They appear to have zero impact on this program.

As a matter of principle I think we should not attempt to perform operations for which we do not hold a sufficient capability. As of rS306081 as a debugging aid you can make software trap when attempting to perform an operation not permitted in capability mode or not permitted by the rights held on the fd.

emaste added a comment.Sep 29 2016, 9:35 PM

This comment was removed by emaste.