D41467.id126024.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D41467.id126024.diff
View Options

	diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
	--- a/usr.sbin/syslogd/syslogd.c
	+++ b/usr.sbin/syslogd/syslogd.c
	@@ -276,6 +276,16 @@
	SIGCHLD,
	};

	+/*
	+ * Communication channels between syslogd and libcasper
	+ * services. These channels are used to request external
	+ * resources while in capability mode.
	+ */
	+#ifdef WITH_CASPER
	+static cap_channel_t *cap_syslogd;
	+static cap_channel_t *cap_net;
	+#endif
	+
	static int nulldesc; /* /dev/null descriptor */
	static bool Debug; /* debug flag */
	static bool Foreground = false; /* Run in foreground, instead of daemonizing */
	@@ -1791,7 +1801,7 @@
	dprintf(" %s\n", f->fu_pipe_pname);
	iovlist_append(il, "\n");
	if (f->fu_pipe_pd == -1) {
	- f->f_file = p_open(f, &f->fu_pipe_pd);
	+ f->f_file = cap_p_open(cap_syslogd, f, &f->fu_pipe_pd);
	if (f->f_file < 0) {
	logerror(f->fu_pipe_pname);
	break;
	@@ -1814,7 +1824,7 @@
	dprintf(" %s%s\n", _PATH_DEV, f->fu_fname);
	iovlist_append(il, "\r\n");
	errno = 0; /* ttymsg() only sometimes returns an errno */
	- if ((msgret = ttymsg(il->iov, il->iovcnt, f->fu_fname, 10))) {
	+ if ((msgret = ttymsgat(f->f_file, il->iov, il->iovcnt, 10))) {
	f->f_type = F_UNUSED;
	logerror(msgret);
	}
	@@ -1824,7 +1834,7 @@
	case F_WALL:
	dprintf("\n");
	iovlist_append(il, "\r\n");
	- wallmsg(f, il->iov, il->iovcnt);
	+ cap_wallmsg(cap_syslogd, f, il->iov, il->iovcnt);
	break;
	default:
	break;
	@@ -2108,7 +2118,7 @@
	static char hname[NI_MAXHOST], ip[NI_MAXHOST];

	dprintf("cvthname(%d) len = %d\n", f->sa_family, f->sa_len);
	- error = getnameinfo(f, f->sa_len, ip, sizeof(ip), NULL, 0,
	+ error = cap_getnameinfo(cap_net, f, f->sa_len, ip, sizeof(ip), NULL, 0,
	NI_NUMERICHOST);
	if (error) {
	dprintf("Malformed from address %s\n", gai_strerror(error));
	@@ -2119,7 +2129,7 @@
	if (!resolve)
	return (ip);

	- error = getnameinfo(f, f->sa_len, hname, sizeof(hname),
	+ error = cap_getnameinfo(cap_net, f, f->sa_len, hname, sizeof(hname),
	NULL, 0, NI_NAMEREQD);
	if (error) {
	dprintf("Host name for your address (%s) unknown\n", ip);
	@@ -2349,6 +2359,7 @@
	}
	}

	+#ifndef WITH_CASPER
	static void
	readconfigfile(const char *path)
	{
	@@ -2363,6 +2374,7 @@
	cfline(".PANIC\t", "", "", "*");
	}
	}
	+#endif

	/*
	* Close all open log files.
	@@ -2412,6 +2424,36 @@
	}
	}

	+static void
	+syslogd_cap_enter(void)
	+{
	+#ifdef WITH_CASPER
	+ cap_channel_t *cap_casper;
	+ cap_net_limit_t *limit;
	+
	+ cap_casper = cap_init();
	+ if (cap_casper == NULL)
	+ err(1, "Failed to communicate with libcasper");
	+ cap_syslogd = cap_service_open(cap_casper, "syslogd.*");
	+ if (cap_syslogd == NULL)
	+ err(1, "Failed to open the syslogd libcasper service");
	+ cap_net = cap_service_open(cap_casper, "system.net");
	+ if (cap_syslogd == NULL)
	+ err(1, "Failed to open the system.net libcasper service");
	+ cap_close(cap_casper);
	+ limit = cap_net_limit_init(cap_net,
	+ CAPNET_ADDR2NAME \| CAPNET_NAME2ADDR);
	+ if (limit == NULL)
	+ err(1, "Failed to create system.net limits");
	+ if (cap_net_limit(limit) == -1)
	+ err(1, "Failed to apply system.net limits");
	+ caph_cache_tzdata();
	+ caph_cache_catpages();
	+ if (caph_enter_casper() == -1)
	+ err(1, "Failed to enter capability mode");
	+#endif
	+}
	+
	/*
	* INIT -- Initialize syslogd from configuration table
	*/
	@@ -2463,9 +2505,16 @@
	}
	#endif

	+ if (!reload) {
	+ struct tm tm;
	+ /* Cache time files before entering capability mode. */
	+ timegm(&tm);
	+ syslogd_cap_enter();
	+ }
	+
	Initialized = false;
	closelogfiles();
	- readconfigfile(ConfFile);
	+ cap_readconfigfile(cap_syslogd, ConfFile);
	Initialized = true;

	if (Debug) {
	@@ -2888,6 +2937,11 @@
	if (syncfile)
	f->f_flags \|= FFLAG_SYNC;
	if (isatty(f->f_file)) {
	+ /*
	+ * ttymsgat() is used for logging to consoles/ttys
	+ * and requires a nonblocking file descriptor.
	+ */
	+ (void)fcntl(f->f_file, F_SETFL, O_NONBLOCK);
	if (strcmp(p, _PATH_CONSOLE) == 0)
	f->f_type = F_CONSOLE;
	else
	@@ -3339,14 +3393,14 @@
	.ai_socktype = SOCK_DGRAM,
	.ai_flags = AI_PASSIVE \| AI_NUMERICHOST
	};
	- if (getaddrinfo(name, NULL, &hints, &res) == 0)
	+ if (cap_getaddrinfo(cap_net, name, NULL, &hints, &res) == 0)
	freeaddrinfo(res);
	else if (strchr(name, '.') == NULL) {
	strlcat(name, ".", sizeof(name));
	strlcat(name, LocalDomain, sizeof(name));
	}
	- if (getnameinfo(sa, sa->sa_len, ip, sizeof(ip), port, sizeof(port),
	- NI_NUMERICHOST \| NI_NUMERICSERV) != 0)
	+ if (cap_getnameinfo(cap_net, sa, sa->sa_len, ip, sizeof(ip), port,
	+ sizeof(port), NI_NUMERICHOST \| NI_NUMERICSERV) != 0)
	return (false); /* for safety, should not occur */
	dprintf("validate: dgram from IP %s, port %s, name %s;\n",
	ip, port, name);
	diff --git a/usr.sbin/syslogd/syslogd_cap.h b/usr.sbin/syslogd/syslogd_cap.h
	--- a/usr.sbin/syslogd/syslogd_cap.h
	+++ b/usr.sbin/syslogd/syslogd_cap.h
	@@ -41,6 +41,8 @@
	#include <libcasper.h>
	#include <libcasper_service.h>

	+#include <casper/cap_net.h>
	+
	#include "syslogd.h"

	int cap_p_open(cap_channel_t , struct filed , int *);

File Metadata

Mime Type: text/plain
Expires: Wed, Apr 22, 12:27 PM (8 h, 43 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 31978913
Default Alt Text: D41467.id126024.diff (4 KB)

D41467.id126024.diffNo OneTemporaryActions

D41467.id126024.diffView Options

File Metadata

Event Timeline

D41467.id126024.diff
No OneTemporary
Actions

D41467.id126024.diff
View Options