Page MenuHomeFreeBSD

Capsicumify open.2
ClosedPublic

Authored by cem on Sep 19 2016, 3:39 AM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 31 2024, 6:17 AM
Unknown Object (File)
Oct 2 2024, 4:29 PM
Unknown Object (File)
Oct 1 2024, 6:44 AM
Unknown Object (File)
Sep 26 2024, 6:52 AM
Unknown Object (File)
Sep 25 2024, 4:30 PM
Unknown Object (File)
Sep 23 2024, 9:48 PM
Unknown Object (File)
Sep 22 2024, 2:57 PM
Unknown Object (File)
Sep 17 2024, 2:04 PM
Subscribers

Details

Summary

Document open(2) and openat(2) behavior in Capsicum capability mode.

Test Plan

igor clean

Diff Detail

Event Timeline

cem retitled this revision from to Capsicumify open.2.
cem updated this object.
cem edited the test plan for this revision. (Show Details)
cem added reviewers: allanjude, emaste, wblock, rwatson.
lib/libc/sys/open.2
105

might be good to mention that it is a DIRECTORY descriptor

lib/libc/sys/open.2
105

That's covered on line 79-80. In this paragraph, I just want to highlight the difference in behavior in the capability mode sandbox.

ed requested changes to this revision.Sep 19 2016, 5:23 AM
ed added a reviewer: ed.
ed added a subscriber: ed.
ed added inline comments.
lib/libc/sys/open.2
108

I'm not sure this is true. I thought the actual rules were:

  • Paths must be relative. Absolute paths are rejected immediately.
  • During resolution, the path must stay below the directory at all times.

"a/../b/../c/d/../.." is okay. "a/../../b" is not.

This revision now requires changes to proceed.Sep 19 2016, 5:23 AM
lib/libc/sys/open.2
108

Ah, got it. Then disregard my comment. :-)

lib/libc/sys/open.2
105

It's hard to tell what the quote marks mean. They kind of look sarcastic, and might give the opposite of the intended meaning. But the intended meaning is not clear. Maybe remove the quotes and be more specific about the term, or use .Xr to refer to a definition.

lib/libc/sys/open.2
105

This is a technical document; they're not sarcasm quotes.

They refer to a specific clause with identical quotation in the source code. There's no definition elsewhere in .Xr.

201 #ifdef CAPABILITY_MODE
202         /*
203          * In capability mode, lookups must be "strictly relative" (i.e.
204          * not an absolute path, and not containing '..' components) to
205          * a real file descriptor, not the pseudo-descriptor AT_FDCWD.
206          */
lib/libc/sys/open.2
105

Maybe just removing the quotes is a good solution?

lib/libc/sys/open.2
105

And possibly add a reference to the source file:

must be strictly relative to a real file descriptor
.Fa fd ,
as defined in
.Pa sys/kern/vfs_lookup.c .

In general, this seems like a good idea. A bit of wordsmithing does help, and reviewing an updated commit candidate before it goes into the tree wouldn't hurt if you can tolerate another RTT with reviewers :-).

lib/libc/sys/open.2
98

I wonder if an explicit .Xr to capsicum(4) might be appropriate here?

112

I'm not sure we need to mention bogus values? People who pass bogus values to openat(2) deserve failure modes.

Just to confirm the above: no use of "..", either in the string passed, nor in symbolic links, is permitted in paths looked up in capability mode.

cem edited edge metadata.
cem marked 5 inline comments as done.

Remove quotes; reference source file.

cem marked 2 inline comments as done.
cem edited edge metadata.
  • Xr capsicum 4
  • Specify symlinks may not contain .. too
  • Remove mention of bogus fd values
ed edited edge metadata.
This revision is now accepted and ready to land.Sep 30 2016, 7:19 PM
emaste edited edge metadata.
emaste added inline comments.
lib/libc/sys/open.2
107

I would drop "real" here.

cem edited edge metadata.

Remove "real". File descriptor + no AT_FDCWD later in paragraph is sufficient, per emaste@.

This revision now requires review to proceed.Sep 30 2016, 7:25 PM
emaste edited edge metadata.
This revision is now accepted and ready to land.Sep 30 2016, 8:41 PM
This revision was automatically updated to reflect the committed changes.