lib/libcasper/services/cap_net/cap_net.3
Show All 28 Lines | |||||
.Sh NAME | .Sh NAME | ||||
.Nm cap_bind , | .Nm cap_bind , | ||||
.Nm cap_connect , | .Nm cap_connect , | ||||
.Nm cap_getaddrinfo , | .Nm cap_getaddrinfo , | ||||
.Nm cap_gethostbyaddr , | .Nm cap_gethostbyaddr , | ||||
.Nm cap_gethostbyname , | .Nm cap_gethostbyname , | ||||
.Nm cap_gethostbyname2 , | .Nm cap_gethostbyname2 , | ||||
.Nm cap_getnameinfo , | .Nm cap_getnameinfo , | ||||
.Nm cap_getprotobyname , | |||||
.Nm cap_net_free , | .Nm cap_net_free , | ||||
.Nm cap_net_limit , | .Nm cap_net_limit , | ||||
.Nm cap_net_limit_addr2name , | .Nm cap_net_limit_addr2name , | ||||
.Nm cap_net_limit_addr2name_family , | .Nm cap_net_limit_addr2name_family , | ||||
.Nm cap_net_limit_bind , | .Nm cap_net_limit_bind , | ||||
.Nm cap_net_limit_connect , | .Nm cap_net_limit_connect , | ||||
.Nm cap_net_limit_init , | .Nm cap_net_limit_init , | ||||
.Nm cap_net_limit_name2addr , | .Nm cap_net_limit_name2addr , | ||||
Show All 14 Lines | |||||
.Ft int | .Ft int | ||||
.Fn cap_getnameinfo "cap_channel_t *chan" "const struct sockaddr *sa" "socklen_t salen" "char *host" "size_t hostlen" "char *serv" "size_t servlen" "int flags" | .Fn cap_getnameinfo "cap_channel_t *chan" "const struct sockaddr *sa" "socklen_t salen" "char *host" "size_t hostlen" "char *serv" "size_t servlen" "int flags" | ||||
.Ft "struct hostent *" | .Ft "struct hostent *" | ||||
.Fn cap_gethostbyname "const cap_channel_t *chan" "const char *name" | .Fn cap_gethostbyname "const cap_channel_t *chan" "const char *name" | ||||
.Ft "struct hostent *" | .Ft "struct hostent *" | ||||
.Fn cap_gethostbyname2 "const cap_channel_t *chan" "const char *name" "int af" | .Fn cap_gethostbyname2 "const cap_channel_t *chan" "const char *name" "int af" | ||||
.Ft "struct hostent *" | .Ft "struct hostent *" | ||||
.Fn cap_gethostbyaddr "const cap_channel_t *chan" "const void *addr" "socklen_t len" "int af" | .Fn cap_gethostbyaddr "const cap_channel_t *chan" "const void *addr" "socklen_t len" "int af" | ||||
.Ft "struct protoent *" | |||||
.Fn cap_getprotobyname "const cap_channel_t *chan" "const char *name" | |||||
.Ft "cap_net_limit_t *" | .Ft "cap_net_limit_t *" | ||||
.Fn cap_net_limit_init "cap_channel_t *chan" "uint64_t mode" | .Fn cap_net_limit_init "cap_channel_t *chan" "uint64_t mode" | ||||
.Ft int | .Ft int | ||||
.Fn cap_net_limit "cap_net_limit_t *limit" | .Fn cap_net_limit "cap_net_limit_t *limit" | ||||
.Ft void | .Ft void | ||||
.Fn cap_net_free "cap_net_limit_t *limit" | .Fn cap_net_free "cap_net_limit_t *limit" | ||||
.Ft "cap_net_limit_t *" | .Ft "cap_net_limit_t *" | ||||
.Fn cap_net_limit_addr2name_family "cap_net_limit_t *limit" "int *family" "size_t size" | .Fn cap_net_limit_addr2name_family "cap_net_limit_t *limit" "int *family" "size_t size" | ||||
Show All 9 Lines | |||||
.Fn cap_net_limit_bind "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen" | .Fn cap_net_limit_bind "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen" | ||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
.Pp | .Pp | ||||
The functions | The functions | ||||
.Fn cap_bind, | .Fn cap_bind, | ||||
.Fn cap_connect, | .Fn cap_connect, | ||||
.Fn cap_gethostbyname , | .Fn cap_gethostbyname , | ||||
.Fn cap_gethostbyname2 , | .Fn cap_gethostbyname2 , | ||||
.Fn cap_gethostbyaddr | .Fn cap_gethostbyaddr , | ||||
.Fn cap_getnameinfo , | |||||
and | and | ||||
.Fn cap_getnameinfo | .Fn cap_getprotobyname | ||||
are respectively equivalent to | are respectively equivalent to | ||||
.Xr bind 2 , | .Xr bind 2 , | ||||
.Xr connect 2 , | .Xr connect 2 , | ||||
.Xr gethostbyname 3 , | .Xr gethostbyname 3 , | ||||
.Xr gethostbyname2 3 , | .Xr gethostbyname2 3 , | ||||
.Xr gethostbyaddr 3 | .Xr gethostbyaddr 3 , | ||||
.Xr getnameinfo 3 , | |||||
and | and | ||||
.Xr getnameinfo 3 | .Xr getprotobyname 3 | ||||
except that the connection to the | except that the connection to the | ||||
.Nm system.net | .Nm system.net | ||||
service needs to be provided. | service needs to be provided. | ||||
.Sh LIMITS | .Sh LIMITS | ||||
By default, the cap_net capability provides unrestricted access to the network | By default, the cap_net capability provides unrestricted access to the network | ||||
namespace. | namespace. | ||||
Applications typically only require access to a small portion of the network | Applications typically only require access to a small portion of the network | ||||
namespace: | namespace: | ||||
▲ Show 20 Lines • Show All 108 Lines • ▼ Show 20 Lines | |||||
.Nm system.net | .Nm system.net | ||||
casper service and uses it to resolve a host and connect to it. | casper service and uses it to resolve a host and connect to it. | ||||
.Bd -literal | .Bd -literal | ||||
cap_channel_t *capcas, *capnet; | cap_channel_t *capcas, *capnet; | ||||
cap_net_limit_t *limit; | cap_net_limit_t *limit; | ||||
int familylimit, error, s; | int familylimit, error, s; | ||||
const char *host = "example.com"; | const char *host = "example.com"; | ||||
struct addrinfo hints, *res; | struct addrinfo hints, *res; | ||||
struct protoent *ent; | |||||
/* Open capability to Casper. */ | /* Open capability to Casper. */ | ||||
capcas = cap_init(); | capcas = cap_init(); | ||||
if (capcas == NULL) | if (capcas == NULL) | ||||
err(1, "Unable to contact Casper"); | err(1, "Unable to contact Casper"); | ||||
/* Cache NLA for gai_strerror. */ | /* Cache NLA for gai_strerror. */ | ||||
caph_cache_catpages(); | caph_cache_catpages(); | ||||
/* Enter capability mode sandbox. */ | /* Enter capability mode sandbox. */ | ||||
if (caph_enter_casper() < 0) | if (caph_enter_casper() < 0) | ||||
err(1, "Unable to enter capability mode"); | err(1, "Unable to enter capability mode"); | ||||
/* Use Casper capability to create capability to the system.net service. */ | /* Use Casper capability to create capability to the system.net service. */ | ||||
capnet = cap_service_open(capcas, "system.net"); | capnet = cap_service_open(capcas, "system.net"); | ||||
if (capnet == NULL) | if (capnet == NULL) | ||||
err(1, "Unable to open system.net service"); | err(1, "Unable to open system.net service"); | ||||
/* Close Casper capability. */ | /* Close Casper capability. */ | ||||
cap_close(capcas); | cap_close(capcas); | ||||
/* Get information about TCP. */ | |||||
ent = cap_getprotobyname(capnet, "tcp"); | |||||
if (ent == NULL) | |||||
err(1, "Unable to get TCP info"); | |||||
/* Limit system.net to reserve IPv4 addresses, to host example.com . */ | /* Limit system.net to reserve IPv4 addresses, to host example.com . */ | ||||
limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR | CAPNET_CONNECTDNS); | limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR | CAPNET_CONNECTDNS); | ||||
if (limit == NULL) | if (limit == NULL) | ||||
err(1, "Unable to create limits."); | err(1, "Unable to create limits"); | ||||
cap_net_limit_name2addr(limit, host, "80"); | cap_net_limit_name2addr(limit, host, "80"); | ||||
familylimit = AF_INET; | familylimit = AF_INET; | ||||
cap_net_limit_name2addr_family(limit, &familylimit, 1); | cap_net_limit_name2addr_family(limit, &familylimit, 1); | ||||
if (cap_net_limit(limit) < 0) | if (cap_net_limit(limit) < 0) | ||||
err(1, "Unable to apply limits."); | err(1, "Unable to apply limits"); | ||||
/* Find IP addresses for the given host. */ | /* Find IP addresses for the given host. */ | ||||
memset(&hints, 0, sizeof(hints)); | memset(&hints, 0, sizeof(hints)); | ||||
hints.ai_family = AF_INET; | hints.ai_family = AF_INET; | ||||
hints.ai_socktype = SOCK_STREAM; | hints.ai_socktype = SOCK_STREAM; | ||||
hints.ai_protocol = ent->p_proto; | |||||
error = cap_getaddrinfo(capnet, host, "80", &hints, &res); | error = cap_getaddrinfo(capnet, host, "80", &hints, &res); | ||||
if (error != 0) | if (error != 0) | ||||
errx(1, "cap_getaddrinfo(): %s: %s", host, gai_strerror(error)); | errx(1, "cap_getaddrinfo(): %s: %s", host, gai_strerror(error)); | ||||
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); | s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); | ||||
if (s < 0) | if (s < 0) | ||||
err(1, "Unable to create socket"); | err(1, "Unable to create socket"); | ||||
if (cap_connect(capnet, s, res->ai_addr, res->ai_addrlen) < 0) | if (cap_connect(capnet, s, res->ai_addr, res->ai_addrlen) < 0) | ||||
err(1, "Unable to connect to host"); | err(1, "Unable to connect to host"); | ||||
.Ed | .Ed | ||||
.Sh SEE ALSO | .Sh SEE ALSO | ||||
.Xr bind 2 , | .Xr bind 2 , | ||||
.Xr cap_enter 2 , | .Xr cap_enter 2 , | ||||
.Xr connect 2 , | .Xr connect 2 , | ||||
.Xr caph_enter 3 , | .Xr caph_enter 3 , | ||||
.Xr err 3 , | .Xr err 3 , | ||||
.Xr gethostbyaddr 3 , | .Xr gethostbyaddr 3 , | ||||
.Xr gethostbyname 3 , | .Xr gethostbyname 3 , | ||||
.Xr gethostbyname2 3 , | .Xr gethostbyname2 3 , | ||||
.Xr getnameinfo 3 , | .Xr getnameinfo 3 , | ||||
.Xr getprotobyname 3 , | |||||
.Xr capsicum 4 , | .Xr capsicum 4 , | ||||
.Xr nv 9 | .Xr nv 9 | ||||
.Sh AUTHORS | .Sh AUTHORS | ||||
.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org | .An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org | ||||
.An Ryan Moeller Aq Mt freqlabs@FreeBSD.org |