Changeset View
Changeset View
Standalone View
Standalone View
head/lib/libcasper/services/cap_dns/cap_dns.3
| Show First 20 Lines • Show All 154 Lines • ▼ Show 20 Lines | |||||
| etc.). | etc.). | ||||
| .Sh EXAMPLES | .Sh EXAMPLES | ||||
| The following example first opens a capability to casper and then uses this | The following example first opens a capability to casper and then uses this | ||||
| capability to create the | capability to create the | ||||
| .Nm system.dns | .Nm system.dns | ||||
| casper service and uses it to resolve an IP address. | casper service and uses it to resolve an IP address. | ||||
| .Bd -literal | .Bd -literal | ||||
| cap_channel_t *capcas, *capdns; | cap_channel_t *capcas, *capdns; | ||||
| const char *typelimit = "ADDR"; | int familylimit, error; | ||||
| int familylimit; | |||||
| const char *ipstr = "127.0.0.1"; | const char *ipstr = "127.0.0.1"; | ||||
| struct in_addr ip; | const char *typelimit = "ADDR"; | ||||
| struct hostent *hp; | char hname[NI_MAXHOST]; | ||||
| struct addrinfo hints, *res; | |||||
| /* Open capability to Casper. */ | /* Open capability to Casper. */ | ||||
| capcas = cap_init(); | capcas = cap_init(); | ||||
| if (capcas == NULL) | if (capcas == NULL) | ||||
| err(1, "Unable to contact Casper"); | err(1, "Unable to contact Casper"); | ||||
| /* Cache NLA for gai_strerror. */ | |||||
| caph_cache_catpages(); | |||||
| /* Enter capability mode sandbox. */ | /* Enter capability mode sandbox. */ | ||||
| if (cap_enter() < 0 && errno != ENOSYS) | if (caph_enter() < 0) | ||||
| err(1, "Unable to enter capability mode"); | err(1, "Unable to enter capability mode"); | ||||
| /* Use Casper capability to create capability to the system.dns service. */ | /* Use Casper capability to create capability to the system.dns service. */ | ||||
| capdns = cap_service_open(capcas, "system.dns"); | capdns = cap_service_open(capcas, "system.dns"); | ||||
| if (capdns == NULL) | if (capdns == NULL) | ||||
| err(1, "Unable to open system.dns service"); | err(1, "Unable to open system.dns service"); | ||||
| /* Close Casper capability, we don't need it anymore. */ | /* Close Casper capability, we don't need it anymore. */ | ||||
| cap_close(capcas); | cap_close(capcas); | ||||
| /* Limit system.dns to reverse DNS lookups. */ | |||||
| if (cap_dns_type_limit(capdns, &typelimit, 1) < 0) | |||||
| err(1, "Unable to limit access to the system.dns service"); | |||||
| /* Limit system.dns to reserve IPv4 addresses */ | /* Limit system.dns to reserve IPv4 addresses */ | ||||
| familylimit = AF_INET; | familylimit = AF_INET; | ||||
| if (cap_dns_family_limit(capdns, &familylimit, 1) < 0) | if (cap_dns_family_limit(capdns, &familylimit, 1) < 0) | ||||
| err(1, "Unable to limit access to the system.dns service"); | err(1, "Unable to limit access to the system.dns service"); | ||||
| /* Convert IP address in C-string to in_addr. */ | /* Convert IP address in C-string to struct sockaddr. */ | ||||
| if (!inet_aton(ipstr, &ip)) | memset(&hints, 0, sizeof(hints)); | ||||
| errx(1, "Unable to parse IP address %s.", ipstr); | hints.ai_family = familylimit; | ||||
| hints.ai_flags = AI_NUMERICHOST; | |||||
| error = cap_getaddrinfo(capdns, ipstr, NULL, &hints, &res); | |||||
| if (error != 0) | |||||
| errx(1, "cap_getaddrinfo(): %s: %s", ipstr, gai_strerror(error)); | |||||
| /* Limit system.dns to reverse DNS lookups. */ | |||||
| if (cap_dns_type_limit(capdns, &typelimit, 1) < 0) | |||||
| err(1, "Unable to limit access to the system.dns service"); | |||||
| /* Find hostname for the given IP address. */ | /* Find hostname for the given IP address. */ | ||||
| hp = cap_gethostbyaddr(capdns, (const void *)&ip, sizeof(ip), AF_INET); | error = cap_getnameinfo(capdns, res->ai_addr, res->ai_addrlen, hname, sizeof(hname), | ||||
| if (hp == NULL) | NULL, 0, 0); | ||||
| errx(1, "No name associated with %s.", ipstr); | if (error != 0) | ||||
| errx(1, "cap_getnameinfo(): %s: %s", ipstr, gai_strerror(error)); | |||||
| printf("Name associated with %s is %s.\\n", ipstr, hp->h_name); | printf("Name associated with %s is %s.\\n", ipstr, hname); | ||||
| .Ed | .Ed | ||||
| .Sh SEE ALSO | .Sh SEE ALSO | ||||
| .Xr cap_enter 2 , | .Xr cap_enter 2 , | ||||
| .Xr caph_enter 3 , | |||||
| .Xr err 3 , | .Xr err 3 , | ||||
| .Xr gethostbyaddr 3 , | .Xr gethostbyaddr 3 , | ||||
| .Xr gethostbyname 3 , | .Xr gethostbyname 3 , | ||||
| .Xr gethostbyname2 3 , | .Xr gethostbyname2 3 , | ||||
| .Xr getnameinfo 3 , | .Xr getnameinfo 3 , | ||||
| .Xr capsicum 4 , | .Xr capsicum 4 , | ||||
| .Xr nv 9 | .Xr nv 9 | ||||
| .Sh AUTHORS | .Sh AUTHORS | ||||
| The | The | ||||
| .Nm cap_dns | .Nm cap_dns | ||||
| service was implemented by | service was implemented by | ||||
| .An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net | .An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net | ||||
| under sponsorship from the FreeBSD Foundation. | under sponsorship from the FreeBSD Foundation. | ||||
| .Pp | .Pp | ||||
| This manual page was written by | This manual page was written by | ||||
| .An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org . | .An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org . | ||||