
Sun, Mar 10

jfree updated the diff for D40680: ktrace: Record namei violations with KTR_CAPFAIL.
  • Record *namei* violations instead of vfs. Slight wording change for clarity.
  • Rebase on main after several months
Sun, Mar 10, 4:25 AM · capsicum
jfree retitled D40680: ktrace: Record namei violations with KTR_CAPFAIL from ktrace: Record vfs violations with KTR_CAPFAIL to ktrace: Record namei violations with KTR_CAPFAIL.
Sun, Mar 10, 4:23 AM · capsicum
jfree updated the summary of D40682: tests: Add ktrace capability violation test cases.
Sun, Mar 10, 4:21 AM · capsicum
jfree updated the diff for D40682: tests: Add ktrace capability violation test cases.
  • Rename all instances of CAPFAIL_VFS to CAPFAIL_NAMEI
  • Rebase on main after several months
Sun, Mar 10, 4:21 AM · capsicum
jfree updated the summary of D40676: ktrace: Record detailed ECAPMODE violations.
Sun, Mar 10, 4:15 AM · capsicum
jfree updated the diff for D40676: ktrace: Record detailed ECAPMODE violations.
  • Address Mark's comments
  • Rebase on main after several months
Sun, Mar 10, 4:15 AM · capsicum
jfree added inline comments to D40676: ktrace: Record detailed ECAPMODE violations.
Sun, Mar 10, 4:13 AM · capsicum

Jan 18 2024

markj accepted D40682: tests: Add ktrace capability violation test cases.
Jan 18 2024, 3:46 PM · capsicum
markj accepted D40680: ktrace: Record namei violations with KTR_CAPFAIL.
Jan 18 2024, 3:46 PM · capsicum

Jan 9 2024

jfree updated the diff for D40680: ktrace: Record namei violations with KTR_CAPFAIL.

Replace all instances of "AT_FDCWD" with "<AT_FDCWD>" when reporting a violation via ktrcapfail().

Jan 9 2024, 4:28 AM · capsicum
jfree added inline comments to D40680: ktrace: Record namei violations with KTR_CAPFAIL.
Jan 9 2024, 4:22 AM · capsicum
jfree added inline comments to D40680: ktrace: Record namei violations with KTR_CAPFAIL.
Jan 9 2024, 4:14 AM · capsicum
jfree added a comment to D40677: ktrace: Record cpuset violations with KTR_CAPFAIL.

I would frown at that. :) It introduces hidden control flow which makes it hard to see quickly what a function does.

Consider the common case where a function allocates some memory and is supposed to free it before returning: if I'm reviewing the code and want to verify it behaves properly with respect to that free() call, it's much easier to check if I just have to look for the "return" keyword in the function.

Once in a while it's handy, but it should be avoided if possible.

Jan 9 2024, 12:52 AM · capsicum

Jan 8 2024

markj accepted D40677: ktrace: Record cpuset violations with KTR_CAPFAIL.

Actually, scratch that. I just understood your comment and this is a better solution.

As a side note though... Is returning in macros usually frowned upon?

Jan 8 2024, 2:55 PM · capsicum

Jan 7 2024

jfree updated the diff for D40677: ktrace: Record cpuset violations with KTR_CAPFAIL.

Actually, scratch that. I just understood your comment and this is a better solution.

Jan 7 2024, 8:24 AM · capsicum
jfree updated the diff for D40677: ktrace: Record cpuset violations with KTR_CAPFAIL.

It feels wrong to return inside of a macro, but I did not see any comments about it in style(9). This seems to be the solution that is most elegant in minimizing code duplication. Let me know your thoughts.

Jan 7 2024, 7:53 AM · capsicum

Oct 6 2023

oshogbo added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

Hello Jake,

Oct 6 2023, 7:27 AM · capsicum
theraven added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

I created this patch to make the Capsicumization experience less intimidating for inexperienced developers. Both David and Mariusz may not be the target audience for this change

Oct 6 2023, 7:04 AM · capsicum

Oct 5 2023

jfree added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

I created this patch to make the Capsicumization experience less intimidating for inexperienced developers. Both David and Mariusz may not be the target audience for this change because they already know how to extract the information that the tracing provides. Developers that are unfamiliar with Capsicum's semantics could use this tracing mode to easily determine why their program is not working in capability mode. I think it provides a solid starting point so new developers don't get lost and discouraged.

Oct 5 2023, 11:50 PM · capsicum

Oct 4 2023

theraven added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

It's doable in principle, but in practice dtrace's inability to resolve backtraces in the face of fork/exec makes it mostly unusable

Oct 4 2023, 3:44 PM · capsicum
markj added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

Are these events exposed to DTrace? When sandboxing, the thing I really want is a stack trace in userspace at the point where the violation happened. If so, it would be great to include a script that logged them. Ideally with an option of an explicit start marker so you can put in a fake cap_enter and be told what you still need to fix.

Oct 4 2023, 2:57 PM · capsicum

Sep 29 2023

theraven added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

Are these events exposed to DTrace? When sandboxing, the thing I really want is a stack trace in userspace at the point where the violation happened. If so, it would be great to include a script that logged them. Ideally with an option of an explicit start marker so you can put in a fake cap_enter and be told what you still need to fix.

Sep 29 2023, 6:55 AM · capsicum

Sep 28 2023

oshogbo added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

Ah, ok I thought it was printed by default.
Then I don't think I have any complaints about the idea.

Sep 28 2023, 7:47 PM · capsicum
markj added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

If I understand correctly, for an application like:

localtime();
open();
cap_enter()
openat()

The first two operations will always cause ktrace to report insufficient capabilities. Which is a false-positive statement, and will be misleading for "normal" users.

Sep 28 2023, 7:39 PM · capsicum
oshogbo added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

If I understand correctly, for an application like:

localtime();
open();
cap_enter()
openat()
Sep 28 2023, 7:31 PM · capsicum
markj added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

To summarize the patch very briefly, this lets you ktrace an application that does not run in capability mode, and ktrace will log all events which would have triggered a Capsicum violation.

I haven't looked into the code, to be honest. However, I don't see a real application for this approach, or maybe I misread how this is supposed to work.
Is this a tool for improving debugging sandboxed applications or sandboxing new applications?

Sep 28 2023, 6:45 PM · capsicum
jfree added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

Again, maybe I just need some more context to understand the reasoning behind this change.

Sep 28 2023, 6:39 PM · capsicum
oshogbo added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

To summarize the patch very briefly, this lets you ktrace an application that does not run in capability mode, and ktrace will log all events which would have triggered a Capsicum violation.

Sep 28 2023, 5:38 PM · capsicum
markj added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

To summarize the patch very briefly, this lets you ktrace an application that does not run in capability mode, and ktrace will log all events which would have triggered a Capsicum violation.

So this traces the system calls that are not on the allowed-in-cap-mode list?

Sep 28 2023, 5:06 PM · capsicum
theraven added a comment to D40676: ktrace: Record detailed ECAPMODE violations.

To summarize the patch very briefly, this lets you ktrace an application that does not run in capability mode, and ktrace will log all events which would have triggered a Capsicum violation.

Sep 28 2023, 4:54 PM · capsicum
markj updated subscribers of D40676: ktrace: Record detailed ECAPMODE violations.

Overall this looks good to me. I wonder if @emaste, @oshogbo or @theraven have any thoughts on it? To summarize the patch very briefly, this lets you ktrace an application that does not run in capability mode, and ktrace will log all events which would have triggered a Capsicum violation.

Sep 28 2023, 4:45 PM · capsicum
markj added inline comments to D40680: ktrace: Record namei violations with KTR_CAPFAIL.
Sep 28 2023, 4:42 PM · capsicum
markj accepted D40678: ktrace: Record syscall violations with KTR_CAPFAIL.
Sep 28 2023, 4:24 PM · capsicum
markj added inline comments to D40677: ktrace: Record cpuset violations with KTR_CAPFAIL.
Sep 28 2023, 4:20 PM · capsicum
markj accepted D40679: ktrace: Record signal violations with KTR_CAPFAIL.
Sep 28 2023, 4:15 PM · capsicum
markj accepted D40681: ktrace: Record socket violations with KTR_CAPFAIL.
Sep 28 2023, 4:14 PM · capsicum

Jul 28 2023

jfree updated the diff for D40682: tests: Add ktrace capability violation test cases.

Fix formatting issue in license text

Jul 28 2023, 4:07 PM · capsicum

Jun 20 2023

jfree updated the diff for D40682: tests: Add ktrace capability violation test cases.

Use cap_svflags instead of cap_flags when determining kernel ABI with syscallabi().

Jun 20 2023, 10:40 PM · capsicum
jfree updated the diff for D40680: ktrace: Record namei violations with KTR_CAPFAIL.

Change NI_LCF_STRICTRELATIVE to NI_LCF_STRICTREL where applicable.

Jun 20 2023, 10:19 PM · capsicum
jfree requested review of D40682: tests: Add ktrace capability violation test cases.
Jun 20 2023, 10:10 PM · capsicum
jfree requested review of D40681: ktrace: Record socket violations with KTR_CAPFAIL.
Jun 20 2023, 10:09 PM · capsicum
jfree requested review of D40680: ktrace: Record namei violations with KTR_CAPFAIL.
Jun 20 2023, 10:08 PM · capsicum
jfree added a project to D40678: ktrace: Record syscall violations with KTR_CAPFAIL: capsicum.
Jun 20 2023, 10:07 PM · capsicum
jfree requested review of D40679: ktrace: Record signal violations with KTR_CAPFAIL.
Jun 20 2023, 10:07 PM · capsicum
jfree requested review of D40677: ktrace: Record cpuset violations with KTR_CAPFAIL.
Jun 20 2023, 10:04 PM · capsicum
jfree requested review of D40676: ktrace: Record detailed ECAPMODE violations.
Jun 20 2023, 10:03 PM · capsicum

Apr 28 2023

corvink closed D38860: bhyve: Enable Capsicum for snapshots.
Apr 28 2023, 7:07 AM · capsicum, bhyve

Apr 26 2023

def added a watcher for capsicum: def.
Apr 26 2023, 5:05 PM
def removed a member for capsicum: def.
Apr 26 2023, 5:05 PM
def added a member for capsicum: def.
Apr 26 2023, 5:04 PM

Mar 30 2023

jfree added inline comments to D39171: readpassphrase: Add readpassphraseat() function.
Mar 30 2023, 11:23 PM · capsicum
jfree updated the diff for D39171: readpassphrase: Add readpassphraseat() function.

Use AT_STDIN instead of STDIN_FILENO to force read from stdin in readpassphraseat().

Mar 30 2023, 11:15 PM · capsicum

Mar 27 2023

corvink accepted D38860: bhyve: Enable Capsicum for snapshots.
Mar 27 2023, 11:13 AM · capsicum, bhyve

Mar 21 2023

markj added a comment to D39009: unzip: Capsicumize it.

The diff looks good.

Mar 21 2023, 6:41 PM · capsicum
markj added inline comments to D39171: readpassphrase: Add readpassphraseat() function.
Mar 21 2023, 4:41 PM · capsicum

Mar 19 2023

jfree updated the diff for D39009: unzip: Capsicumize it.
  • cdfd is no longer a global variable. Instead, it is passed locally per function call.
  • Open _PATH_TTY, limit its rights, and use readpassphraseat() instead of readpassphrase().
  • Limit stdio instead of just stdin.
Mar 19 2023, 6:01 AM · capsicum
jfree requested review of D39171: readpassphrase: Add readpassphraseat() function.
Mar 19 2023, 4:36 AM · capsicum

Mar 13 2023

markj added a comment to D39009: unzip: Capsicumize it.

This looks good! Three comments:

  • I don't like that cdfd is a global variable. I'd rather see it plumbed everywhere that we pass a path, even though that's kind of onerous.

I am curious why cdfd would be better suited as a local variable? Namespace pollution doesn't seem to be an issue in a small userspace program and passing it would just add one extra argument to the stack for every function call. Is the idea to isolate its scope?

Mar 13 2023, 5:10 PM · capsicum
jfree added a comment to D39009: unzip: Capsicumize it.

This looks good! Three comments:

  • I don't like that cdfd is a global variable. I'd rather see it plumbed everywhere that we pass a path, even though that's kind of onerous.
Mar 13 2023, 4:53 PM · capsicum
markj added a comment to D39009: unzip: Capsicumize it.

This looks good! Three comments:

  • I don't like that cdfd is a global variable. I'd rather see it plumbed everywhere that we pass a path, even though that's kind of onerous.
  • I think readpassphrase() does not quite work in capability mode. See the implementation in lib/libc/gen/readpassphrase.c - it opens /dev/tty. It does have a fallback path, but I'm not sure how well that works. Could you please try writing a little standalone program that enters capability mode and tries to use readpassphrase()? Depending on how that goes, we may want to add a new variant of that function which takes fds from the caller.
  • Have you tried testing with kern.trap_enotcap set to 1? That'll help catch any system calls that might be silently failing because we're in capability mode.
Mar 13 2023, 2:41 PM · capsicum

Mar 11 2023

jfree updated the diff for D39009: unzip: Capsicumize it.

Open current directory, enter capability mode, then use *at() syscalls to extract archive files.

Mar 11 2023, 1:27 AM · capsicum
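The shape that D39009 and the readpassphraseat() discussion converge on (open the working directory, and anything like /dev/tty, before cap_enter(), cut each descriptor down with cap_rights_limit(), then reach the filesystem only through *at() calls) as an added example. This is illustrative code written for this page, not the unzip diff from D39009 or any FreeBSD source: the function names, the rights set, the temp directory under /tmp and the archive members are all chosen here. It builds on FreeBSD with the sandbox active and on other POSIX systems without it, which is also how a standalone check like the one markj asks for above would be put together.

```c
/* Added example, not FreeBSD's unzip or code from D39009: open the directory
 * first, restrict it, cap_enter(), then use only *at() calls. The Capsicum
 * parts compile on FreeBSD only; elsewhere the same file runs unsandboxed. */
#define _DEFAULT_SOURCE 1
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Open the extraction root, limit it to the rights that creating files below
 * it needs (the set is this example's choice) and, if asked, enter capability
 * mode. ENOSYS means a kernel built without Capsicum: carry on unsandboxed. */
int open_root_and_sandbox(const char *path, int sandbox)
{
	int dfd = open(path, O_RDONLY | O_DIRECTORY);
#ifdef __FreeBSD__
	cap_rights_t rights;
	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ, CAP_WRITE, CAP_CREATE,
	    CAP_MKDIRAT, CAP_UNLINKAT);
	if (dfd >= 0 && cap_rights_limit(dfd, &rights) < 0 && errno != ENOSYS)
		return (close(dfd), -1);
	if (dfd >= 0 && sandbox && cap_enter() < 0 && errno != ENOSYS)
		return (close(dfd), -1);
#endif
	return dfd;
}

/* Create regular-file member `name` below `root`, descending one component at
 * a time with O_NOFOLLOW so "..", absolute names and planted symlinks cannot
 * escape. In capability mode the kernel rejects the first two anyway with
 * ENOTCAPABLE; the check here fails early with EPERM, sandboxed or not. */
int extract_member(int root, const char *name, const char *data, size_t len)
{
	char path[1024], *save, *comp, *next;
	int dir, fd;

	if (name[0] == '\0' || name[0] == '/' || strlen(name) >= sizeof(path))
		return (errno = EPERM, -1);
	strcpy(path, name);
	if ((dir = dup(root)) < 0)	/* the dup keeps root's limited rights */
		return -1;
	for (comp = strtok_r(path, "/", &save); ; comp = next) {
		next = strtok_r(NULL, "/", &save);
		if (strcmp(comp, "..") == 0)
			return (close(dir), errno = EPERM, -1);
		if (next == NULL)
			break;			/* comp is the file itself */
		if (mkdirat(dir, comp, 0755) < 0 && errno != EEXIST)
			return (close(dir), -1);
		fd = openat(dir, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
		close(dir);
		if ((dir = fd) < 0)
			return -1;
	}
	fd = openat(dir, comp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
	close(dir);
	if (fd < 0)
		return -1;
	if (write(fd, data, len) != (ssize_t)len)	/* in-memory member: one write */
		return (close(fd), -1);
	return close(fd);
}

/* Self-check on constructed members in a fresh temp directory: 0 when a plain
 * member extracts and reads back and both escapes fail with EPERM, otherwise
 * a bitmask of the failed steps. Cleanup goes through *at() calls so it also
 * works in the sandbox; only rmdir(2), a path-based call, is skipped there. */
int run_demo(int sandbox)
{
	char tmpl[] = "/tmp/capsafeXXXXXX", buf[16];
	const char *body = "hello\n";
	int root, fd, rc = 0;

	if (mkdtemp(tmpl) == NULL || (root = open_root_and_sandbox(tmpl, sandbox)) < 0)
		return -1;
	if (extract_member(root, "docs/readme.txt", body, 6) != 0)
		rc |= 1;
	if (extract_member(root, "../escape.txt", body, 6) == 0 || errno != EPERM)
		rc |= 2;
	if (extract_member(root, "/etc/motd.local", body, 6) == 0 || errno != EPERM)
		rc |= 4;
	if ((fd = openat(root, "docs/readme.txt", O_RDONLY)) < 0 ||
	    read(fd, buf, sizeof(buf)) != 6 || memcmp(buf, body, 6) != 0)
		rc |= 8;
	if (fd >= 0)
		close(fd);
	unlinkat(root, "docs/readme.txt", 0);
	unlinkat(root, "docs", AT_REMOVEDIR);
	close(root);
	if (!sandbox)
		rmdir(tmpl);
	return rc;
}

int main(void)
{
	return (run_demo(1) != 0);
}
```

Build with cc -Wall and run it; exit status 0 means the plain member landed under the temp directory while both escaping names were refused. On FreeBSD the interesting part is what happens when a path-based call is left behind inside the sandbox (here rmdir(2) is skipped deliberately): with kern.trap_enotcap=1, as markj suggests above, such a call raises SIGTRAP instead of failing quietly, and running the binary under ktrace -t p and reading it back with kdump shows the capability-failure records that the ktrace reviews in this feed extend.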

Mar 10 2023

markj added inline comments to D39009: unzip: Capsicumize it.
Mar 10 2023, 3:42 PM · capsicum

Mar 9 2023

jfree updated the diff for D39009: unzip: Capsicumize it.

Alter function names and comments for clarity

Mar 9 2023, 10:38 PM · capsicum
jfree requested review of D39009: unzip: Capsicumize it.
Mar 9 2023, 10:24 PM · capsicum
gusev.vitaliy_gmail.com updated the diff for D38860: bhyve: Enable Capsicum for snapshots.

Rebased

Mar 9 2023, 2:52 PM · capsicum, bhyve
gusev.vitaliy_gmail.com added a comment to D38860: bhyve: Enable Capsicum for snapshots.
In D38860#887537, @rew wrote:
In D38860#887381, @rew wrote:

https://reviews.freebsd.org/D38858 also needs to be addressed before this patch is committed.

I've dropped my request for changes in D38858 - there's nothing blocking this review from being landed.

Mar 9 2023, 2:51 PM · capsicum, bhyve

Mar 8 2023

rew added a comment to D38860: bhyve: Enable Capsicum for snapshots.
In D38860#887381, @rew wrote:

https://reviews.freebsd.org/D38858 also needs to be addressed before this patch is committed.

Mar 8 2023, 8:16 PM · capsicum, bhyve
rew added a comment to D38860: bhyve: Enable Capsicum for snapshots.

Looks like this patch needs to be rebased.

Mar 8 2023, 4:37 PM · capsicum, bhyve
markj added a comment to D38860: bhyve: Enable Capsicum for snapshots.

Looks like this patch needs to be rebased.

Mar 8 2023, 3:22 PM · capsicum, bhyve

Mar 3 2023

gusev.vitaliy_gmail.com added inline comments to D38860: bhyve: Enable Capsicum for snapshots.
Mar 3 2023, 5:13 PM · capsicum, bhyve
gusev.vitaliy_gmail.com updated the diff for D38860: bhyve: Enable Capsicum for snapshots.

Moved casper dependency to lib9p.

Mar 3 2023, 5:11 PM · capsicum, bhyve
markj added inline comments to D38860: bhyve: Enable Capsicum for snapshots.
Mar 3 2023, 3:47 PM · capsicum, bhyve
gusev.vitaliy_gmail.com updated the diff for D38860: bhyve: Enable Capsicum for snapshots.

Added revert commit 966026246e62769f3bcd8247a47fe0f4f0433aba

Mar 3 2023, 3:41 PM · capsicum, bhyve
gusev.vitaliy_gmail.com added inline comments to D38860: bhyve: Enable Capsicum for snapshots.
Mar 3 2023, 3:33 PM · capsicum, bhyve
gusev.vitaliy_gmail.com added inline comments to D38860: bhyve: Enable Capsicum for snapshots.
Mar 3 2023, 3:22 PM · capsicum, bhyve
markj added inline comments to D38860: bhyve: Enable Capsicum for snapshots.
Mar 3 2023, 3:09 PM · capsicum, bhyve

Mar 2 2023

gusev.vitaliy_gmail.com requested review of D38860: bhyve: Enable Capsicum for snapshots.
Mar 2 2023, 6:23 PM · capsicum, bhyve

Feb 4 2023

val_packett.cool abandoned D23043: rtld-elf: Fix loading libraries with ORIGIN flag (like LLVM) via LD_LIBRARY_PATH_FDS.
Feb 4 2023, 8:32 PM · capsicum

Jun 5 2021

freqlabs closed D24832: libcasper: Create a minimal cap_netdb service.
Jun 5 2021, 12:37 PM · capsicum

Apr 6 2021

oshogbo accepted D24832: libcasper: Create a minimal cap_netdb service.

LGTM.
Do you have a commit bit or should I commit this?

Apr 6 2021, 8:21 AM · capsicum

Mar 26 2021

freqlabs added a comment to D24832: libcasper: Create a minimal cap_netdb service.

@oshogbo okay to commit?

Mar 26 2021, 7:23 PM · capsicum

Feb 2 2021

kib closed D28442: Fix null-pointer dereference in rtld.
Feb 2 2021, 2:15 PM · capsicum

Feb 1 2021

theraven added a comment to D28442: Fix null-pointer dereference in rtld.

Thanks, I'll see if I can chase this down later. My commit bit lapsed, please can you land it?

Feb 1 2021, 3:36 PM · capsicum
kib accepted D28442: Fix null-pointer dereference in rtld.

Ok, go ahead with the proposed patch, I do not think it is worth the time to try to make it more advanced now.

Feb 1 2021, 3:17 PM · capsicum
theraven updated the diff for D28442: Fix null-pointer dereference in rtld.
Feb 1 2021, 3:11 PM · capsicum
theraven added a comment to D28442: Fix null-pointer dereference in rtld.

Yes it should be strdup'ed somewhere but I am surprised that it works. Look at the start of load_object(): if name != NULL, it searches for existing loaded object with the specified name.

Feb 1 2021, 2:35 PM · capsicum
kib added a comment to D28442: Fix null-pointer dereference in rtld.

Yes it should be strdup'ed somewhere but I am surprised that it works. Look at the start of load_object(): if name != NULL, it searches for existing loaded object with the specified name. I believe that the right patch would set path somewhere in load_object() in the 'then' case for fd >= 0 (see below).

Feb 1 2021, 12:08 PM · capsicum
theraven added a comment to D28442: Fix null-pointer dereference in rtld.

Thanks. I can confirm that this change also fixes this problem:

Feb 1 2021, 11:52 AM · capsicum
kib added a comment to D28442: Fix null-pointer dereference in rtld.

I suspect that PATH_FDS is simply not tested enough if such an issue popped up. For instance some combination of rpath in the loaded library and an unsuccessful load from pathfds could make rtld try to use the refobj path.

Feb 1 2021, 11:11 AM · capsicum
theraven requested review of D28442: Fix null-pointer dereference in rtld.
Feb 1 2021, 9:33 AM · capsicum

Jan 21 2021

freqlabs updated the diff for D24832: libcasper: Create a minimal cap_netdb service.

Address feedback

Jan 21 2021, 12:16 AM · capsicum

Jan 11 2021

kib closed D28088: libthr: wrap pdfork(2), same as fork(2)..
Jan 11 2021, 9:02 PM · capsicum
markj accepted D28088: libthr: wrap pdfork(2), same as fork(2)..
Jan 11 2021, 2:53 PM · capsicum

Jan 10 2021

kib updated the diff for D28088: libthr: wrap pdfork(2), same as fork(2)..

Remove unused alias, sort symbols in map file.

Jan 10 2021, 11:15 PM · capsicum
kib added inline comments to D28088: libthr: wrap pdfork(2), same as fork(2)..
Jan 10 2021, 11:14 PM · capsicum
markj accepted D28088: libthr: wrap pdfork(2), same as fork(2)..
Jan 10 2021, 11:04 PM · capsicum
kib requested review of D28088: libthr: wrap pdfork(2), same as fork(2)..
Jan 10 2021, 10:27 PM · capsicum

Nov 19 2020

gbe added a comment to D24832: libcasper: Create a minimal cap_netdb service.

Small nit for the copyright section of the man page.

Nov 19 2020, 3:25 PM · capsicum

Nov 18 2020

oshogbo added inline comments to D24832: libcasper: Create a minimal cap_netdb service.
Nov 18 2020, 9:15 PM · capsicum
naito.yuichiro_gmail.com added a comment to D17128: [sshd 7.8p1] avoid to violate capability mode.
In D17128#371823, @des wrote:

I would strongly recommend submitting the sshbuf_{get,put,free}_passwd() part of this patch upstream.

Was this done?

Nov 18 2020, 8:44 AM · capsicum