Capsicumize uudecode/b64decode
Needs ReviewPublic

Authored by allanjude on Aug 26 2016, 4:28 AM.
Details

Summary

Special handling for -o: open the fd before entering the sandbox, then set the mode on it later (the intended mode is specified in the input).

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

allanjude retitled this revision from to Capsicumize uudecode/b64decode.
allanjude updated this object.
allanjude edited the test plan for this revision. (Show Details)
allanjude added reviewers: emaste, oshogbo.
usr.bin/uudecode/uudecode.c
342

missing space

373

leftover debugging

Some comments.
Later in the day I will review this more ;)

usr.bin/uudecode/uudecode.c
185

This can fail.

200

malloc can fail.

202

strdup as well.

222

This can be done in one line.

allanjude edited edge metadata.

Updated with feedback from oshogbo

bapt edited edge metadata.
This revision is now accepted and ready to land. Sep 18 2016, 5:43 PM

Just some high-level comments. I think if the diff is smaller, it's easier to review the rest.

usr.bin/uudecode/uudecode.c
79–81

Why have this at all?

We keep a dirfd around which can open outfile anyway — no need to open the file before entering sandbox.

It duplicates the safe-output-file checking logic below, except for potential time-of-check vs time-of-use attacks. IMO, this whole function can be removed.

189

I think in general we should preopen an array of fds rather than FILE objects, then fdopen as needed. (The concern is that the overhead of FILE objects vs fds is meaningful.)

One potential cost is the size of the stdio buffering. I guess I would be a little shocked if FILE prefetched file contents or allocated much memory on open. But even so a FILE is bulkier than just an fd.

228–242

I think you could avoid a lot of unnecessary code churn of this patch by setting globals infile, infp, (as is the existing pattern in this code) rather than passing these things as parameters.

allanjude edited edge metadata.

Use new capsicum_helpers.h

Greatly reduce the diff as suggested by cem

Address a bug where input is provided via stdin

This revision now requires review to proceed. Oct 13 2016, 2:44 AM
usr.bin/uudecode/uudecode.c
210

should we place limits on this directory FD?

374

do we need to limit FDs opened within the sandbox?

usr.bin/uudecode/uudecode.c
210

Yep. Whatever rights you want openated fds to have, plus CAP_LOOKUP.

374

I think openat from a restricted dirfd inherits dirfd's restrictions. Not 100% sure of this.

Even if so, maybe child fds don't need CAP_LOOKUP.

LGTM. I'd like to see restriction on cwdfd and openated child fds (if they don't inherit restrictions).

usr.bin/uudecode/uudecode.c
210

And rights for fstatat and unlinkat.

This revision is now accepted and ready to land. Jun 12 2017, 7:22 PM
This revision now requires review to proceed. Jan 27 2018, 11:01 PM

@allanjude Would you be interested in trying to sandbox uudecode with fileargs?
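The pattern argued over in this review (a pre-opened directory descriptor limited to CAP_LOOKUP plus the rights the decoder actually needs, cap_enter(), then openat(2) from that descriptor and fchmod(2) with the mode taken from the input's "begin" line) as a stand-alone added example. This is not the revision's code and not the uudecode(1) source; parse_begin, preopen_outdir and create_output are hypothetical names, and the non-FreeBSD shim at the top is an assumption so the file-handling flow builds elsewhere. The child descriptor is limited explicitly rather than relying on it inheriting the directory descriptor's rights, which covers the "not 100% sure" point above either way, and CAP_FSTAT and CAP_UNLINKAT are kept on the directory for the fstatat/unlinkat safe-output checks mentioned in the thread.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE	/* glibc: expose openat(2)/O_DIRECTORY; harmless on FreeBSD */
#endif
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#else	/* Shim (this example's assumption, not FreeBSD code): no-op rights calls off FreeBSD. */
typedef int cap_rights_t;
enum { CAP_LOOKUP, CAP_CREATE, CAP_WRITE, CAP_FTRUNCATE, CAP_FSTAT, CAP_UNLINKAT, CAP_FCHMOD };
#define cap_rights_init(rp, ...)	(*(rp) = 0)
static int cap_rights_limit(int fd, const cap_rights_t *rp) { (void)fd; (void)rp; return (0); }
static int cap_enter(void) { return (0); }
#endif

/* Parse "begin[-base64] <octal mode> <name>". The name must be a single path
 * component so the input cannot steer output outside the pre-opened directory. */
int
parse_begin(const char *line, mode_t *mode, char *name, size_t namelen)
{
	const char *p;
	char *end;
	size_t n;
	long m;

	if (strncmp(line, "begin-base64 ", 13) == 0)
		p = line + 13;
	else if (strncmp(line, "begin ", 6) == 0)
		p = line + 6;
	else
		return (-1);
	errno = 0;
	m = strtol(p, &end, 8);
	if (errno != 0 || end == p || *end != ' ' || m < 0 || m > 07777)
		return (-1);
	for (p = end; *p == ' '; p++)
		;
	n = strcspn(p, "\r\n");
	if (n == 0 || n >= namelen || memchr(p, '/', n) != NULL)
		return (-1);
	memcpy(name, p, n);
	name[n] = '\0';
	*mode = (mode_t)m;
	return (0);
}

/* Before cap_enter(): open the output directory and limit it to what the decoder
 * needs: lookup for openat(2), create, write, truncate, fstatat(2), unlinkat(2),
 * fchmod(2). Nothing else on the filesystem stays reachable afterwards. */
int
preopen_outdir(const char *dir)
{
	cap_rights_t rights;
	int fd;

	if ((fd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
		return (-1);
	cap_rights_init(&rights, CAP_LOOKUP, CAP_CREATE, CAP_WRITE, CAP_FTRUNCATE,
	    CAP_FSTAT, CAP_UNLINKAT, CAP_FCHMOD);
	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
		close(fd);
		return (-1);
	}
	return (fd);
}

/* Inside the sandbox: create the file via the directory descriptor, limit the new
 * fd without CAP_LOOKUP (a plain file never needs lookups), then apply the mode
 * from the header. O_NOFOLLOW refuses a symlink planted under that name. */
int
create_output(int dirfd, const char *begin_line, mode_t *mode_out)
{
	cap_rights_t rights;
	char name[256];
	mode_t mode;
	int fd;

	if (parse_begin(begin_line, &mode, name, sizeof(name)) != 0)
		return (-1);
	if ((fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600)) < 0)
		return (-1);
	cap_rights_init(&rights, CAP_WRITE, CAP_FTRUNCATE, CAP_FSTAT, CAP_FCHMOD);
	if ((cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) || fchmod(fd, mode) < 0) {
		close(fd);
		return (-1);
	}
	*mode_out = mode;
	return (fd);
}

/* Usage: ./a.out [outdir] < file.uu. The payload is copied through unchanged;
 * the uu/base64 decoding itself is out of scope for this example. */
int
main(int argc, char *argv[])
{
	char line[512], buf[4096];
	mode_t mode;
	size_t n;
	int dfd, ofd;

	if ((dfd = preopen_outdir(argc > 1 ? argv[1] : ".")) < 0)
		err(1, "cannot open output directory");
	if (cap_enter() < 0 && errno != ENOSYS)
		err(1, "cap_enter");
	if (fgets(line, sizeof(line), stdin) == NULL)
		errx(1, "missing begin line");
	if ((ofd = create_output(dfd, line, &mode)) < 0)
		err(1, "cannot create output file");
	while ((n = fread(buf, 1, sizeof(buf), stdin)) > 0)
		if (write(ofd, buf, n) != (ssize_t)n)
			err(1, "write");
	return (close(ofd) == 0 ? 0 : 1);
}
```

In capability mode the path given to openat(2) must be relative and free of "..", so the slash check in parse_begin is belt and braces on FreeBSD and the only defence on the shimmed build; ENOSYS from cap_enter() or cap_rights_limit() is tolerated only so the flow can be exercised on a kernel without Capsicum, and a production build would rather fail closed there.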