Page MenuHomeFreeBSD
Differential D46281

tftpd:capsicumize tftpd
Needs ReviewPublic
Actions

Authored by hanslu952_gmail.com on Aug 13 2024, 11:54 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jul 20, 10:26 PM
Unknown Object (File)
Sun, Jul 20, 4:29 AM
Unknown Object (File)
Wed, Jul 9, 8:20 PM
Unknown Object (File)
Jun 23 2025, 11:12 PM
Unknown Object (File)
Jun 22 2025, 10:39 AM
Unknown Object (File)
Jun 20 2025, 11:48 PM
Unknown Object (File)
Jun 14 2025, 9:05 PM
Unknown Object (File)
Jun 8 2025, 1:07 AM
View All 63 Files
Subscribers
imp
jonathan

Details

Reviewers
oshogbo
lwhsu
Summary

Enter libcasper service to enter capability mode,and adjust how tftpd interacts with
socket,because it violates capability.
I reimplemented the underlying file operation with cap_fileargs.

Sponsored by: Google, Inc. (GSoC 2024)

Test Plan

Trivial:

$ mkdir /tftproot
$ cd /tftproot
$ vim testfile
$ tftp localhost

tftp> get testfile

Normal:

$ cd /usr/tests/libexec/tftpd
$ kyua test -k Kyuafile
one case testing
$ kyua debug -k Kyuafile functional:testcase

Set up enotcapable to get coredump

sysctl kern.trap_enotcap=1
sysctl kern.corefile= /tmp/coredumps/%N.core
gdb executable corefile

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 59001
Build 55888: arc lint + arc unit

Event Timeline

hanslu952_gmail.com created this revision.Aug 13 2024, 11:54 AM
Herald added subscribers: jonathan, imp. · View Herald TranscriptAug 13 2024, 11:54 AM
hanslu952_gmail.com requested review of this revision.Aug 13 2024, 11:54 AM
Harbormaster completed remote builds in B59001: Diff 142037.Aug 13 2024, 11:54 AM
hanslu952_gmail.com edited the summary of this revision. (Show Details)Aug 15 2024, 5:29 PM
hanslu952_gmail.com edited the test plan for this revision. (Show Details)
oshogbo added inline comments.Aug 20 2024, 12:43 PM
libexec/tftpd/tftpd.c
247

Are we in a capability mode?
Why we need casper?

579

Style.

720

Wy style change?

735

Style.

745

Please reformat this whole section.

747

Do we expect function validate_access to enter capability mode? We don't have a better place?

Revision Contents
Changeset List

PathSize
libexec/
tftpd/
10 lines
22 lines
182 lines

Diff 142037

View Options

libexec/tftpd/Makefile

Show First 20 LinesShow All 290 Lines▼ Show 20 Lines
static int static int
xen_pv_lapic_ipi_wait(int delay) xen_pv_lapic_ipi_wait(int delay)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (0); return (0);
} }
#endif /* SMP */
static int static int
xen_pv_lapic_ipi_alloc(inthand_t *ipifunc) xen_pv_lapic_ipi_alloc(inthand_t *ipifunc)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (-1); return (-1);
} }
static void static void
xen_pv_lapic_ipi_free(int vector) xen_pv_lapic_ipi_free(int vector)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
} }
#endif /* SMP */
static int static int
xen_pv_lapic_set_lvt_mask(u_int apic_id, u_int lvt, u_char masked) xen_pv_lapic_set_lvt_mask(u_int apic_id, u_int lvt, u_char masked)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (0); return (0);
} }
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesstruct apic_ops xen_apic_ops = {
.enable_pmc = xen_pv_lapic_enable_pmc, .enable_pmc = xen_pv_lapic_enable_pmc,
.disable_pmc = xen_pv_lapic_disable_pmc, .disable_pmc = xen_pv_lapic_disable_pmc,
.reenable_pmc = xen_pv_lapic_reenable_pmc, .reenable_pmc = xen_pv_lapic_reenable_pmc,
.enable_cmc = xen_pv_lapic_enable_cmc, .enable_cmc = xen_pv_lapic_enable_cmc,
#ifdef SMP #ifdef SMP
.ipi_raw = xen_pv_lapic_ipi_raw, .ipi_raw = xen_pv_lapic_ipi_raw,
.ipi_vectored = xen_pv_lapic_ipi_vectored, .ipi_vectored = xen_pv_lapic_ipi_vectored,
.ipi_wait = xen_pv_lapic_ipi_wait, .ipi_wait = xen_pv_lapic_ipi_wait,
#endif
.ipi_alloc = xen_pv_lapic_ipi_alloc, .ipi_alloc = xen_pv_lapic_ipi_alloc,
.ipi_free = xen_pv_lapic_ipi_free, .ipi_free = xen_pv_lapic_ipi_free,
#endif
.set_lvt_mask = xen_pv_lapic_set_lvt_mask, .set_lvt_mask = xen_pv_lapic_set_lvt_mask,
.set_lvt_mode = xen_pv_lapic_set_lvt_mode, .set_lvt_mode = xen_pv_lapic_set_lvt_mode,
.set_lvt_polarity = xen_pv_lapic_set_lvt_polarity, .set_lvt_polarity = xen_pv_lapic_set_lvt_polarity,
.set_lvt_triggermode = xen_pv_lapic_set_lvt_triggermode, .set_lvt_triggermode = xen_pv_lapic_set_lvt_triggermode,
}; };
#ifdef SMP #ifdef SMP
/*---------------------------- XEN PV IPI Handlers ---------------------------*/ /*---------------------------- XEN PV IPI Handlers ---------------------------*/
▲ Show 20 LinesShow All 156 LinesShow Last 20 Lines
View Options

libexec/tftpd/tftp-io.c

Show First 20 LinesShow All 290 Lines▼ Show 20 Lines
static int static int
xen_pv_lapic_ipi_wait(int delay) xen_pv_lapic_ipi_wait(int delay)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (0); return (0);
} }
#endif /* SMP */
static int static int
xen_pv_lapic_ipi_alloc(inthand_t *ipifunc) xen_pv_lapic_ipi_alloc(inthand_t *ipifunc)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (-1); return (-1);
} }
static void static void
xen_pv_lapic_ipi_free(int vector) xen_pv_lapic_ipi_free(int vector)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
} }
#endif /* SMP */
static int static int
xen_pv_lapic_set_lvt_mask(u_int apic_id, u_int lvt, u_char masked) xen_pv_lapic_set_lvt_mask(u_int apic_id, u_int lvt, u_char masked)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (0); return (0);
} }
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesstruct apic_ops xen_apic_ops = {
.enable_pmc = xen_pv_lapic_enable_pmc, .enable_pmc = xen_pv_lapic_enable_pmc,
.disable_pmc = xen_pv_lapic_disable_pmc, .disable_pmc = xen_pv_lapic_disable_pmc,
.reenable_pmc = xen_pv_lapic_reenable_pmc, .reenable_pmc = xen_pv_lapic_reenable_pmc,
.enable_cmc = xen_pv_lapic_enable_cmc, .enable_cmc = xen_pv_lapic_enable_cmc,
#ifdef SMP #ifdef SMP
.ipi_raw = xen_pv_lapic_ipi_raw, .ipi_raw = xen_pv_lapic_ipi_raw,
.ipi_vectored = xen_pv_lapic_ipi_vectored, .ipi_vectored = xen_pv_lapic_ipi_vectored,
.ipi_wait = xen_pv_lapic_ipi_wait, .ipi_wait = xen_pv_lapic_ipi_wait,
#endif
.ipi_alloc = xen_pv_lapic_ipi_alloc, .ipi_alloc = xen_pv_lapic_ipi_alloc,
.ipi_free = xen_pv_lapic_ipi_free, .ipi_free = xen_pv_lapic_ipi_free,
#endif
.set_lvt_mask = xen_pv_lapic_set_lvt_mask, .set_lvt_mask = xen_pv_lapic_set_lvt_mask,
.set_lvt_mode = xen_pv_lapic_set_lvt_mode, .set_lvt_mode = xen_pv_lapic_set_lvt_mode,
.set_lvt_polarity = xen_pv_lapic_set_lvt_polarity, .set_lvt_polarity = xen_pv_lapic_set_lvt_polarity,
.set_lvt_triggermode = xen_pv_lapic_set_lvt_triggermode, .set_lvt_triggermode = xen_pv_lapic_set_lvt_triggermode,
}; };
#ifdef SMP #ifdef SMP
/*---------------------------- XEN PV IPI Handlers ---------------------------*/ /*---------------------------- XEN PV IPI Handlers ---------------------------*/
▲ Show 20 LinesShow All 156 LinesShow Last 20 Lines
View Options

libexec/tftpd/tftpd.c

Show First 20 LinesShow All 290 Lines▼ Show 20 Lines
static int static int
xen_pv_lapic_ipi_wait(int delay) xen_pv_lapic_ipi_wait(int delay)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (0); return (0);
} }
#endif /* SMP */
static int static int
xen_pv_lapic_ipi_alloc(inthand_t *ipifunc) xen_pv_lapic_ipi_alloc(inthand_t *ipifunc)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (-1); return (-1);
} }
static void static void
xen_pv_lapic_ipi_free(int vector) xen_pv_lapic_ipi_free(int vector)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
} }
#endif /* SMP */
static int static int
xen_pv_lapic_set_lvt_mask(u_int apic_id, u_int lvt, u_char masked) xen_pv_lapic_set_lvt_mask(u_int apic_id, u_int lvt, u_char masked)
{ {
XEN_APIC_UNSUPPORTED; XEN_APIC_UNSUPPORTED;
return (0); return (0);
} }
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesstruct apic_ops xen_apic_ops = {
.enable_pmc = xen_pv_lapic_enable_pmc, .enable_pmc = xen_pv_lapic_enable_pmc,
.disable_pmc = xen_pv_lapic_disable_pmc, .disable_pmc = xen_pv_lapic_disable_pmc,
.reenable_pmc = xen_pv_lapic_reenable_pmc, .reenable_pmc = xen_pv_lapic_reenable_pmc,
.enable_cmc = xen_pv_lapic_enable_cmc, .enable_cmc = xen_pv_lapic_enable_cmc,
#ifdef SMP #ifdef SMP
.ipi_raw = xen_pv_lapic_ipi_raw, .ipi_raw = xen_pv_lapic_ipi_raw,
.ipi_vectored = xen_pv_lapic_ipi_vectored, .ipi_vectored = xen_pv_lapic_ipi_vectored,
.ipi_wait = xen_pv_lapic_ipi_wait, .ipi_wait = xen_pv_lapic_ipi_wait,
#endif
.ipi_alloc = xen_pv_lapic_ipi_alloc, .ipi_alloc = xen_pv_lapic_ipi_alloc,
.ipi_free = xen_pv_lapic_ipi_free, .ipi_free = xen_pv_lapic_ipi_free,
#endif
.set_lvt_mask = xen_pv_lapic_set_lvt_mask, .set_lvt_mask = xen_pv_lapic_set_lvt_mask,
.set_lvt_mode = xen_pv_lapic_set_lvt_mode, .set_lvt_mode = xen_pv_lapic_set_lvt_mode,
.set_lvt_polarity = xen_pv_lapic_set_lvt_polarity, .set_lvt_polarity = xen_pv_lapic_set_lvt_polarity,
.set_lvt_triggermode = xen_pv_lapic_set_lvt_triggermode, .set_lvt_triggermode = xen_pv_lapic_set_lvt_triggermode,
}; };
#ifdef SMP #ifdef SMP
/*---------------------------- XEN PV IPI Handlers ---------------------------*/ /*---------------------------- XEN PV IPI Handlers ---------------------------*/
▲ Show 20 LinesShow All 156 LinesShow Last 20 Lines