diff --git a/lib/libcasper/services/cap_fileargs/Makefile b/lib/libcasper/services/cap_fileargs/Makefile index 04787c01db35..22230f82d9f4 100644 --- a/lib/libcasper/services/cap_fileargs/Makefile +++ b/lib/libcasper/services/cap_fileargs/Makefile @@ -1,39 +1,40 @@ # $FreeBSD$ SHLIBDIR?= /lib/casper .include PACKAGE= runtime SHLIB_MAJOR= 1 INCSDIR?= ${INCLUDEDIR}/casper .if ${MK_CASPER} != "no" SHLIB= cap_fileargs SRCS= cap_fileargs.c .endif INCS= cap_fileargs.h LIBADD= nv CFLAGS+=-I${.CURDIR} HAS_TESTS= SUBDIR.${MK_TESTS}+= tests MAN+= cap_fileargs.3 MLINKS+=cap_fileargs.3 libcap_fileargs.3 MLINKS+=cap_fileargs.3 fileargs_cinit.3 MLINKS+=cap_fileargs.3 fileargs_cinitnv.3 MLINKS+=cap_fileargs.3 fileargs_fopen.3 MLINKS+=cap_fileargs.3 fileargs_free.3 MLINKS+=cap_fileargs.3 fileargs_init.3 MLINKS+=cap_fileargs.3 fileargs_initnv.3 MLINKS+=cap_fileargs.3 fileargs_lstat.3 MLINKS+=cap_fileargs.3 fileargs_open.3 +MLINKS+=cap_fileargs.3 fileargs_realpath.3 .include diff --git a/lib/libcasper/services/cap_fileargs/cap_fileargs.3 b/lib/libcasper/services/cap_fileargs/cap_fileargs.3 index b59d30b2d595..acf51e4ed62b 100644 --- a/lib/libcasper/services/cap_fileargs/cap_fileargs.3 +++ b/lib/libcasper/services/cap_fileargs/cap_fileargs.3 @@ -1,280 +1,291 @@ .\" Copyright (c) 2018 Mariusz Zaborski .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" -.Dd May 5, 2020 +.Dd January 10, 2021 .Dt CAP_FILEARGS 3 .Os .Sh NAME .Nm fileargs_cinit , .Nm fileargs_cinitnv , .Nm fileargs_init , .Nm fileargs_initnv , .Nm fileargs_free , .Nm fileargs_lstat , .Nm fileargs_open , .Nm fileargs_fopen .Nd "library for handling files in capability mode" .Sh LIBRARY .Lb libcap_fileargs .Sh SYNOPSIS .In sys/nv.h .In libcasper.h .In casper/cap_fileargs.h .Ft "fileargs_t *" .Fn fileargs_init "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" .Ft "fileargs_t *" .Fn fileargs_cinit "cap_channel_t *cas" "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" .Ft "fileargs_t *" .Fn fileargs_cinitnv "cap_channel_t *cas" "nvlist_t *limits" .Ft "fileargs_t *" .Fn fileargs_initnv "nvlist_t *limits" .Ft "void" .Fn fileargs_free "fileargs_t *fa" .Ft "int" .Fn fileargs_lstat "fileargs_t *fa" "const char *path" "struct stat *sb" .Ft "int" .Fn fileargs_open "fileargs_t *fa" "const char *name" .Ft "FILE *" .Fn fileargs_fopen "fileargs_t *fa" "const char *name" "const char *mode" +.Ft "char *" +.Fn fileargs_realpath "fileargs_t *fa" "const char *pathname" "char *reserved_path" .Sh DESCRIPTION The library is used to simplify Capsicumizing a tools that are using file system. Idea behind the library is that we are passing a remaining .Fa argc and .Fa argv which contains a list of files that should be open for this program. The library will create a service that will serve those files. .Pp The function .Fn fileargs_init create a service to the .Nm system.fileargs . The .Fa argv contains a list of files that should be opened. The argument can be set to .Dv NULL which will not create a service and all files will be prohibited to be opened. The .Fa argc argument contains a number of passed files. The .Fa flags argument limits opened files for either execution or reading and/or writing. The .Fa mode argument tells which what mode file should be created if the .Dv O_CREATE flag is present . For more details of the .Fa flags and .Fa mode arguments see .Xr open 2 . The .Fa rightsp argument contains a list of the capability rights which file should be limited to. For more details of the capability rights see .Xr cap_rights_init 3 . The .Fa operations argument limits the operations that are available using .Nm system.fileargs . .Fa operations is a combination of: .Bl -ohang -offset indent .It FA_OPEN Allow .Fn fileargs_open and .Fn fileargs_fopen . .It FA_LSTAT Allow .Fn fileargs_lstat . +.It FA_REALPATH +Allow +.Fn fileargs_realpath . .El .Pp The function .Fn fileargs_cinit is equivalent to .Fn fileargs_init except that the connection to the Casper needs to be provided. .Pp The functions .Fn fileargs_initnv and .Fn fileargs_cinitnv are respectively equivalent to .Fn fileargs_init and .Fn fileargs_cinit expect that all arguments all provided as .Xr nvlist 9 . For details see .Sx LIMITS . .Pp The .Fa fileargs_free close connection to the .Nm system.fileargs service and free are structures. The function handle .Dv NULL argument. .Pp The function .Fn fileargs_lstat is equivalent to .Xr lstat 2 . .Pp The functions .Fn fileargs_open and .Fn fileargs_fopen are respectively equivalent to .Xr open 2 and .Xr fopen 3 expect that all arguments are fetched from the .Va fileargs_t structure. +.Pp +The function +.Fn fileargs_realpath +is equivalent to +.Xr realpath 3 . .Sh LIMITS This section describe which values and types should be used to pass arguments to the .Fa system.fileargs through the .Fn fileargs_initnv and .Fn fileargs_cinitnv functions. The .Xr nvlist 9 for that functions must contain the following values and types: .Bl -ohang -offset indent .It flags ( NV_TYPE_NUMBER ) The .Va flags limits opened files for either execution or reading and/or writing. .It mode (NV_TYPE_NUMBER) If in the .Va flags argument the .Dv O_CREATE flag was defined the .Xr nvlist 9 must contain the .Va mode . The .Va mode argument tells which what mode file should be created. .It operations (NV_TYPE_NUMBER) The .Va operations limits the usable operations for .Fa system.fileargs . The possible values are explained as .Va operations argument with .Fn fileargs_init . .El .Pp The .Xr nvlist 9 for that functions may contain the following values and types: .Bl -ohang -offset indent .It cap_rights ( NV_TYPE_BINARY ) The .Va cap_rights argument contains a list of the capability rights which file should be limited to. .It ( NV_TYPE_NULL ) Any number of .Dv NV_TYPE_NULL where the name of the element is name of the file which can be opened. .Sh EXAMPLES The following example first parse some options and then create the .Nm system.fileargs service with remaining arguments. .Bd -literal int ch, fd, i; cap_rights_t rights; fileargs_t *fa; while ((ch = getopt(argc, argv, "h")) != -1) { switch (ch) { case 'h': default: usage(); } } argc -= optind; argv += optind; /* Create capability to the system.fileargs service. */ fa = fileargs_init(argc, argv, O_RDONLY, 0, cap_rights_init(&rights, CAP_READ), FA_OPEN); if (fa == NULL) err(1, "unable to open system.fileargs service"); /* Enter capability mode sandbox. */ if (cap_enter() < 0 && errno != ENOSYS) err(1, "unable to enter capability mode"); /* Open files. */ for (i = 0; i < argc; i++) { fd = fileargs_open(fa, argv[i]); if (fd < 0) err(1, "unable to open file %s", argv[i]); printf("File %s opened in capability mode\en", argv[i]); close(fd); } fileargs_free(fa); .Ed .Sh SEE ALSO .Xr cap_enter 2 , .Xr lstat 2 , .Xr open 2 , .Xr cap_rights_init 3 , .Xr err 3 , .Xr fopen 3 , .Xr getopt 3 , +.Xr realpath 3 , .Xr capsicum 4 , .Xr nv 9 .Sh HISTORY The .Nm cap_fileargs service first appeared in .Fx 10.3 . .Sh BUGS The .Lb cap_fileargs included in .Fx is considered experimental, and should not be deployed in production environments without careful consideration of the risks associated with the use of experimental operating system features. .Sh AUTHORS .An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org diff --git a/lib/libcasper/services/cap_fileargs/cap_fileargs.c b/lib/libcasper/services/cap_fileargs/cap_fileargs.c index a777647b1720..ecab23004fcf 100644 --- a/lib/libcasper/services/cap_fileargs/cap_fileargs.c +++ b/lib/libcasper/services/cap_fileargs/cap_fileargs.c @@ -1,679 +1,737 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * - * Copyright (c) 2018 Mariusz Zaborski + * Copyright (c) 2018-2021 Mariusz Zaborski * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "cap_fileargs.h" #define CACHE_SIZE 128 #define FILEARGS_MAGIC 0xFA00FA00 struct fileargs { uint32_t fa_magic; nvlist_t *fa_cache; cap_channel_t *fa_chann; int fa_fdflags; }; static int fileargs_get_lstat_cache(fileargs_t *fa, const char *name, struct stat *sb) { const nvlist_t *nvl; size_t size; const void *buf; assert(fa != NULL); assert(fa->fa_magic == FILEARGS_MAGIC); assert(name != NULL); if (fa->fa_cache == NULL) return (-1); nvl = dnvlist_get_nvlist(fa->fa_cache, name, NULL); if (nvl == NULL) return (-1); if (!nvlist_exists_binary(nvl, "stat")) { return (-1); } buf = nvlist_get_binary(nvl, "stat", &size); assert(size == sizeof(*sb)); memcpy(sb, buf, size); return (0); } static int fileargs_get_fd_cache(fileargs_t *fa, const char *name) { int fd; const nvlist_t *nvl; nvlist_t *tnvl; assert(fa != NULL); assert(fa->fa_magic == FILEARGS_MAGIC); assert(name != NULL); if (fa->fa_cache == NULL) return (-1); if ((fa->fa_fdflags & O_CREAT) != 0) return (-1); nvl = dnvlist_get_nvlist(fa->fa_cache, name, NULL); if (nvl == NULL) return (-1); tnvl = nvlist_take_nvlist(fa->fa_cache, name); if (!nvlist_exists_descriptor(tnvl, "fd")) { nvlist_destroy(tnvl); return (-1); } fd = nvlist_take_descriptor(tnvl, "fd"); nvlist_destroy(tnvl); if ((fa->fa_fdflags & O_CLOEXEC) != O_CLOEXEC) { if (fcntl(fd, F_SETFD, fa->fa_fdflags) == -1) { close(fd); return (-1); } } return (fd); } static void fileargs_set_cache(fileargs_t *fa, nvlist_t *nvl) { nvlist_destroy(fa->fa_cache); fa->fa_cache = nvl; } static nvlist_t* fileargs_fetch(fileargs_t *fa, const char *name, const char *cmd) { nvlist_t *nvl; int serrno; assert(fa != NULL); assert(name != NULL); nvl = nvlist_create(NV_FLAG_NO_UNIQUE); nvlist_add_string(nvl, "cmd", cmd); nvlist_add_string(nvl, "name", name); nvl = cap_xfer_nvlist(fa->fa_chann, nvl); if (nvl == NULL) return (NULL); if (nvlist_get_number(nvl, "error") != 0) { serrno = (int)nvlist_get_number(nvl, "error"); nvlist_destroy(nvl); errno = serrno; return (NULL); } return (nvl); } static nvlist_t * fileargs_create_limit(int argc, const char * const *argv, int flags, mode_t mode, cap_rights_t *rightsp, int operations) { nvlist_t *limits; int i; limits = nvlist_create(NV_FLAG_NO_UNIQUE); if (limits == NULL) return (NULL); nvlist_add_number(limits, "flags", flags); nvlist_add_number(limits, "operations", operations); if (rightsp != NULL) { nvlist_add_binary(limits, "cap_rights", rightsp, sizeof(*rightsp)); } if ((flags & O_CREAT) != 0) nvlist_add_number(limits, "mode", (uint64_t)mode); for (i = 0; i < argc; i++) { if (strlen(argv[i]) >= MAXPATHLEN) { nvlist_destroy(limits); errno = ENAMETOOLONG; return (NULL); } nvlist_add_null(limits, argv[i]); } return (limits); } static fileargs_t * fileargs_create(cap_channel_t *chan, int fdflags) { fileargs_t *fa; fa = malloc(sizeof(*fa)); if (fa != NULL) { fa->fa_cache = NULL; fa->fa_chann = chan; fa->fa_fdflags = fdflags; fa->fa_magic = FILEARGS_MAGIC; } return (fa); } fileargs_t * fileargs_init(int argc, char *argv[], int flags, mode_t mode, cap_rights_t *rightsp, int operations) { nvlist_t *limits; if (argc <= 0 || argv == NULL) { return (fileargs_create(NULL, 0)); } limits = fileargs_create_limit(argc, (const char * const *)argv, flags, mode, rightsp, operations); if (limits == NULL) return (NULL); return (fileargs_initnv(limits)); } fileargs_t * fileargs_cinit(cap_channel_t *cas, int argc, char *argv[], int flags, mode_t mode, cap_rights_t *rightsp, int operations) { nvlist_t *limits; if (argc <= 0 || argv == NULL) { return (fileargs_create(NULL, 0)); } limits = fileargs_create_limit(argc, (const char * const *)argv, flags, mode, rightsp, operations); if (limits == NULL) return (NULL); return (fileargs_cinitnv(cas, limits)); } fileargs_t * fileargs_initnv(nvlist_t *limits) { cap_channel_t *cas; fileargs_t *fa; if (limits == NULL) { return (fileargs_create(NULL, 0)); } cas = cap_init(); if (cas == NULL) { nvlist_destroy(limits); return (NULL); } fa = fileargs_cinitnv(cas, limits); cap_close(cas); return (fa); } fileargs_t * fileargs_cinitnv(cap_channel_t *cas, nvlist_t *limits) { cap_channel_t *chann; fileargs_t *fa; int serrno, ret; int flags, operations; assert(cas != NULL); if (limits == NULL) { return (fileargs_create(NULL, 0)); } chann = NULL; fa = NULL; chann = cap_service_open(cas, "system.fileargs"); if (chann == NULL) { nvlist_destroy(limits); return (NULL); } flags = nvlist_get_number(limits, "flags"); operations = nvlist_get_number(limits, "operations"); /* Limits are consumed no need to free them. */ ret = cap_limit_set(chann, limits); if (ret < 0) goto out; fa = fileargs_create(chann, flags); if (fa == NULL) goto out; return (fa); out: serrno = errno; if (chann != NULL) cap_close(chann); errno = serrno; return (NULL); } int fileargs_open(fileargs_t *fa, const char *name) { int fd; nvlist_t *nvl; char *cmd; assert(fa != NULL); assert(fa->fa_magic == FILEARGS_MAGIC); if (name == NULL) { errno = EINVAL; return (-1); } if (fa->fa_chann == NULL) { errno = ENOTCAPABLE; return (-1); } fd = fileargs_get_fd_cache(fa, name); if (fd != -1) return (fd); nvl = fileargs_fetch(fa, name, "open"); if (nvl == NULL) return (-1); fd = nvlist_take_descriptor(nvl, "fd"); cmd = nvlist_take_string(nvl, "cmd"); if (strcmp(cmd, "cache") == 0) fileargs_set_cache(fa, nvl); else nvlist_destroy(nvl); free(cmd); return (fd); } FILE * fileargs_fopen(fileargs_t *fa, const char *name, const char *mode) { int fd; if ((fd = fileargs_open(fa, name)) < 0) { return (NULL); } return (fdopen(fd, mode)); } int fileargs_lstat(fileargs_t *fa, const char *name, struct stat *sb) { nvlist_t *nvl; const void *buf; size_t size; char *cmd; assert(fa != NULL); assert(fa->fa_magic == FILEARGS_MAGIC); if (name == NULL) { errno = EINVAL; return (-1); } if (sb == NULL) { errno = EFAULT; return (-1); } if (fa->fa_chann == NULL) { errno = ENOTCAPABLE; return (-1); } if (fileargs_get_lstat_cache(fa, name, sb) != -1) return (0); nvl = fileargs_fetch(fa, name, "lstat"); if (nvl == NULL) return (-1); buf = nvlist_get_binary(nvl, "stat", &size); assert(size == sizeof(*sb)); memcpy(sb, buf, size); cmd = nvlist_take_string(nvl, "cmd"); if (strcmp(cmd, "cache") == 0) fileargs_set_cache(fa, nvl); else nvlist_destroy(nvl); free(cmd); return (0); } +char * +fileargs_realpath(fileargs_t *fa, const char *pathname, char *reserved_path) +{ + nvlist_t *nvl; + char *ret; + + assert(fa != NULL); + assert(fa->fa_magic == FILEARGS_MAGIC); + + if (pathname == NULL) { + errno = EINVAL; + return (NULL); + } + + if (fa->fa_chann == NULL) { + errno = ENOTCAPABLE; + return (NULL); + } + + nvl = fileargs_fetch(fa, pathname, "realpath"); + if (nvl == NULL) + return (NULL); + + if (reserved_path != NULL) { + ret = reserved_path; + strcpy(reserved_path, + nvlist_get_string(nvl, "realpath")); + } else { + ret = nvlist_take_string(nvl, "realpath"); + } + nvlist_destroy(nvl); + + return (ret); +} + void fileargs_free(fileargs_t *fa) { if (fa == NULL) return; assert(fa->fa_magic == FILEARGS_MAGIC); nvlist_destroy(fa->fa_cache); if (fa->fa_chann != NULL) { cap_close(fa->fa_chann); } explicit_bzero(&fa->fa_magic, sizeof(fa->fa_magic)); free(fa); } cap_channel_t * fileargs_unwrap(fileargs_t *fa, int *flags) { cap_channel_t *chan; if (fa == NULL) return (NULL); assert(fa->fa_magic == FILEARGS_MAGIC); chan = fa->fa_chann; if (flags != NULL) { *flags = fa->fa_fdflags; } nvlist_destroy(fa->fa_cache); explicit_bzero(&fa->fa_magic, sizeof(fa->fa_magic)); free(fa); return (chan); } fileargs_t * fileargs_wrap(cap_channel_t *chan, int fdflags) { if (chan == NULL) { return (NULL); } return (fileargs_create(chan, fdflags)); } /* * Service functions. */ static const char *lastname; static void *cacheposition; static bool allcached; static const cap_rights_t *caprightsp; static int capflags; static int allowed_operations; static mode_t capmode; static int open_file(const char *name) { int fd, serrno; if ((capflags & O_CREAT) == 0) fd = open(name, capflags); else fd = open(name, capflags, capmode); if (fd < 0) return (-1); if (caprightsp != NULL) { if (cap_rights_limit(fd, caprightsp) < 0 && errno != ENOSYS) { serrno = errno; close(fd); errno = serrno; return (-1); } } return (fd); } static void fileargs_add_cache(nvlist_t *nvlout, const nvlist_t *limits, const char *current_name) { int type, i, fd; void *cookie; nvlist_t *new; const char *fname; struct stat sb; if ((capflags & O_CREAT) != 0) { allcached = true; return; } cookie = cacheposition; for (i = 0; i < CACHE_SIZE + 1; i++) { fname = nvlist_next(limits, &type, &cookie); if (fname == NULL) { cacheposition = NULL; lastname = NULL; allcached = true; return; } /* We doing that to catch next element name. */ if (i == CACHE_SIZE) { break; } if (type != NV_TYPE_NULL || (current_name != NULL && strcmp(fname, current_name) == 0)) { current_name = NULL; i--; continue; } new = nvlist_create(NV_FLAG_NO_UNIQUE); if ((allowed_operations & FA_OPEN) != 0) { fd = open_file(fname); if (fd < 0) { i--; nvlist_destroy(new); continue; } nvlist_move_descriptor(new, "fd", fd); } if ((allowed_operations & FA_LSTAT) != 0) { if (lstat(fname, &sb) < 0) { i--; nvlist_destroy(new); continue; } nvlist_add_binary(new, "stat", &sb, sizeof(sb)); } nvlist_move_nvlist(nvlout, fname, new); } cacheposition = cookie; lastname = fname; } static bool fileargs_allowed(const nvlist_t *limits, const nvlist_t *request, int operation) { const char *name; if ((allowed_operations & operation) == 0) return (false); name = dnvlist_get_string(request, "name", NULL); if (name == NULL) return (false); /* Fast path. */ if (lastname != NULL && strcmp(name, lastname) == 0) return (true); if (!nvlist_exists_null(limits, name)) return (false); return (true); } static int fileargs_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits) { if (oldlimits != NULL) return (ENOTCAPABLE); capflags = (int)dnvlist_get_number(newlimits, "flags", 0); allowed_operations = (int)dnvlist_get_number(newlimits, "operations", 0); if ((capflags & O_CREAT) != 0) capmode = (mode_t)nvlist_get_number(newlimits, "mode"); else capmode = 0; caprightsp = dnvlist_get_binary(newlimits, "cap_rights", NULL, NULL, 0); return (0); } static int fileargs_command_lstat(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout) { int error; const char *name; struct stat sb; if (limits == NULL) return (ENOTCAPABLE); if (!fileargs_allowed(limits, nvlin, FA_LSTAT)) return (ENOTCAPABLE); name = nvlist_get_string(nvlin, "name"); error = lstat(name, &sb); if (error < 0) return (errno); if (!allcached && (lastname == NULL || strcmp(name, lastname) == 0)) { nvlist_add_string(nvlout, "cmd", "cache"); fileargs_add_cache(nvlout, limits, name); } else { nvlist_add_string(nvlout, "cmd", "lstat"); } nvlist_add_binary(nvlout, "stat", &sb, sizeof(sb)); return (0); } +static int +fileargs_command_realpath(const nvlist_t *limits, nvlist_t *nvlin, + nvlist_t *nvlout) +{ + const char *pathname; + char *resolvedpath; + + if (limits == NULL) + return (ENOTCAPABLE); + + if (!fileargs_allowed(limits, nvlin, FA_REALPATH)) + return (ENOTCAPABLE); + + pathname = nvlist_get_string(nvlin, "name"); + resolvedpath = realpath(pathname, NULL); + if (resolvedpath == NULL) + return (errno); + + nvlist_move_string(nvlout, "realpath", resolvedpath); + return (0); +} + static int fileargs_command_open(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout) { int fd; const char *name; if (limits == NULL) return (ENOTCAPABLE); if (!fileargs_allowed(limits, nvlin, FA_OPEN)) return (ENOTCAPABLE); name = nvlist_get_string(nvlin, "name"); fd = open_file(name); if (fd < 0) return (errno); if (!allcached && (lastname == NULL || strcmp(name, lastname) == 0)) { nvlist_add_string(nvlout, "cmd", "cache"); fileargs_add_cache(nvlout, limits, name); } else { nvlist_add_string(nvlout, "cmd", "open"); } nvlist_move_descriptor(nvlout, "fd", fd); return (0); } static int fileargs_command(const char *cmd, const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout) { if (strcmp(cmd, "open") == 0) return (fileargs_command_open(limits, nvlin, nvlout)); - if (strcmp(cmd, "lstat") == 0) return (fileargs_command_lstat(limits, nvlin, nvlout)); + if (strcmp(cmd, "realpath") == 0) + return (fileargs_command_realpath(limits, nvlin, nvlout)); return (EINVAL); } CREATE_SERVICE("system.fileargs", fileargs_limit, fileargs_command, CASPER_SERVICE_FD | CASPER_SERVICE_STDIO | CASPER_SERVICE_NO_UNIQ_LIMITS); diff --git a/lib/libcasper/services/cap_fileargs/cap_fileargs.h b/lib/libcasper/services/cap_fileargs/cap_fileargs.h index 03ff5c29d6c0..6e8523cb9423 100644 --- a/lib/libcasper/services/cap_fileargs/cap_fileargs.h +++ b/lib/libcasper/services/cap_fileargs/cap_fileargs.h @@ -1,149 +1,155 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 2018 Mariusz Zaborski * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ #ifndef _FILEARGS_H_ #define _FILEARGS_H_ #include #include #include #include #define FA_OPEN 1 #define FA_LSTAT 2 +#define FA_REALPATH 4 #ifdef WITH_CASPER struct fileargs; typedef struct fileargs fileargs_t; struct stat; __BEGIN_DECLS fileargs_t *fileargs_init(int argc, char *argv[], int flags, mode_t mode, cap_rights_t *rightsp, int operations); fileargs_t *fileargs_cinit(cap_channel_t *cas, int argc, char *argv[], int flags, mode_t mode, cap_rights_t *rightsp, int operations); fileargs_t *fileargs_initnv(nvlist_t *limits); fileargs_t *fileargs_cinitnv(cap_channel_t *cas, nvlist_t *limits); int fileargs_lstat(fileargs_t *fa, const char *name, struct stat *sb); int fileargs_open(fileargs_t *fa, const char *name); +char *fileargs_realpath(fileargs_t *fa, const char *pathname, + char *reserved_path); void fileargs_free(fileargs_t *fa); FILE *fileargs_fopen(fileargs_t *fa, const char *name, const char *mode); fileargs_t *fileargs_wrap(cap_channel_t *chan, int fdflags); cap_channel_t *fileargs_unwrap(fileargs_t *fa, int *fdflags); __END_DECLS #else typedef struct fileargs { int fa_flags; mode_t fa_mode; } fileargs_t; static inline fileargs_t * fileargs_init(int argc __unused, char *argv[] __unused, int flags, mode_t mode, cap_rights_t *rightsp __unused, int operations __unused) { fileargs_t *fa; fa = malloc(sizeof(*fa)); if (fa != NULL) { fa->fa_flags = flags; fa->fa_mode = mode; } return (fa); } static inline fileargs_t * fileargs_cinit(cap_channel_t *cas __unused, int argc, char *argv[], int flags, mode_t mode, cap_rights_t *rightsp, int operations) { return (fileargs_init(argc, argv, flags, mode, rightsp, operations)); } static inline fileargs_t * fileargs_initnv(nvlist_t *limits) { fileargs_t *fa; fa = fileargs_init(0, NULL, nvlist_get_number(limits, "flags"), dnvlist_get_number(limits, "mode", 0), NULL, nvlist_get_number(limits, "operations")); nvlist_destroy(limits); return (fa); } static inline fileargs_t * fileargs_cinitnv(cap_channel_t *cas __unused, nvlist_t *limits) { return (fileargs_initnv(limits)); } #define fileargs_lstat(fa, name, sb) \ lstat(name, sb) #define fileargs_open(fa, name) \ open(name, fa->fa_flags, fa->fa_mode) +#define fileargs_realpath(fa, pathname, reserved_path) \ + realpath(pathname, reserved_path) + static inline FILE *fileargs_fopen(fileargs_t *fa, const char *name, const char *mode) { (void) fa; return (fopen(name, mode)); } #define fileargs_free(fa) (free(fa)) static inline fileargs_t * fileargs_wrap(cap_channel_t *chan, int fdflags) { cap_close(chan); return (fileargs_init(0, NULL, fdflags, 0, NULL, 0)); } static inline cap_channel_t * fileargs_unwrap(fileargs_t *fa, int *fdflags) { if (fdflags != NULL) { *fdflags = fa->fa_flags; } fileargs_free(fa); return (cap_init()); } #endif #endif /* !_FILEARGS_H_ */ diff --git a/lib/libcasper/services/cap_fileargs/tests/fileargs_test.c b/lib/libcasper/services/cap_fileargs/tests/fileargs_test.c index ad889bb2986f..9a7f9dfcb9aa 100644 --- a/lib/libcasper/services/cap_fileargs/tests/fileargs_test.c +++ b/lib/libcasper/services/cap_fileargs/tests/fileargs_test.c @@ -1,606 +1,751 @@ /*- * Copyright (c) 2021 Mariusz Zaborski * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #define MAX_FILES 200 static char *files[MAX_FILES]; static int fds[MAX_FILES]; #define TEST_FILE "/etc/passwd" static void prepare_files(size_t num, bool create) { const char template[] = "testsfiles.XXXXXXXX"; size_t i; for (i = 0; i < num; i++) { files[i] = calloc(1, sizeof(template)); ATF_REQUIRE(files[i] != NULL); strncpy(files[i], template, sizeof(template) - 1); if (create) { fds[i] = mkstemp(files[i]); ATF_REQUIRE(fds[i] >= 0); } else { fds[i] = -1; ATF_REQUIRE(mktemp(files[i]) != NULL); } } } static void clear_files(void) { size_t i; for (i = 0; files[i] != NULL; i++) { unlink(files[i]); free(files[i]); if (fds[i] != -1) close(fds[i]); } } static int test_file_open(fileargs_t *fa, const char *file, int *fdp) { int fd; fd = fileargs_open(fa, file); if (fd < 0) return (errno); if (fdp != NULL) { *fdp = fd; } return (0); } static int test_file_fopen(fileargs_t *fa, const char *file, const char *mode, FILE **retfile) { FILE *pfile; pfile = fileargs_fopen(fa, file, mode); if (pfile == NULL) return (errno); if (retfile != NULL) { *retfile = pfile; } return (0); } static int test_file_lstat(fileargs_t *fa, const char *file) { struct stat fasb, origsb; bool equals; if (fileargs_lstat(fa, file, &fasb) < 0) return (errno); ATF_REQUIRE(lstat(file, &origsb) == 0); equals = true; equals &= (origsb.st_dev == fasb.st_dev); equals &= (origsb.st_ino == fasb.st_ino); equals &= (origsb.st_nlink == fasb.st_nlink); equals &= (origsb.st_flags == fasb.st_flags); equals &= (memcmp(&origsb.st_ctim, &fasb.st_ctim, sizeof(fasb.st_ctim)) == 0); equals &= (memcmp(&origsb.st_birthtim, &fasb.st_birthtim, sizeof(fasb.st_birthtim)) == 0); if (!equals) { return (EINVAL); } return (0); } +static int +test_file_realpath_static(fileargs_t *fa, const char *file) +{ + char fapath[PATH_MAX], origpath[PATH_MAX]; + + if (fileargs_realpath(fa, file, fapath) == NULL) + return (errno); + + ATF_REQUIRE(realpath(file, origpath) != NULL); + + if (strcmp(fapath, origpath) != 0) + return (EINVAL); + + return (0); +} + +static int +test_file_realpath_alloc(fileargs_t *fa, const char *file) +{ + char *fapath, *origpath; + int serrno; + + fapath = fileargs_realpath(fa, file, NULL); + if (fapath == NULL) + return (errno); + + origpath = realpath(file, NULL); + ATF_REQUIRE(origpath != NULL); + + serrno = 0; + if (strcmp(fapath, origpath) != 0) + serrno = EINVAL; + + free(fapath); + free(origpath); + + return (serrno); +} + +static int +test_file_realpath(fileargs_t *fa, const char *file) +{ + int serrno; + + serrno = test_file_realpath_static(fa, file); + if (serrno != 0) + return serrno; + + return (test_file_realpath_alloc(fa, file)); +} + static int test_file_mode(int fd, int mode) { int flags; flags = fcntl(fd, F_GETFL, 0); if (flags < 0) return (errno); if ((flags & O_ACCMODE) != mode) return (errno); return (0); } static bool test_file_cap(int fd, cap_rights_t *rights) { cap_rights_t fdrights; ATF_REQUIRE(cap_rights_get(fd, &fdrights) == 0); return (cap_rights_contains(&fdrights, rights)); } static int test_file_write(int fd) { char buf; buf = 't'; if (write(fd, &buf, sizeof(buf)) != sizeof(buf)) { return (errno); } return (0); } static int test_file_read(int fd) { char buf; if (read(fd, &buf, sizeof(buf)) < 0) { return (errno); } return (0); } static int test_file_fwrite(FILE *pfile) { char buf; buf = 't'; if (fwrite(&buf, sizeof(buf), 1, pfile) != sizeof(buf)) return (errno); return (0); } static int test_file_fread(FILE *pfile) { char buf; int ret, serrno; errno = 0; ret = fread(&buf, sizeof(buf), 1, pfile); serrno = errno; if (ret < 0) { return (serrno); } else if (ret == 0 && feof(pfile) == 0) { return (serrno != 0 ? serrno : EINVAL); } return (0); } ATF_TC_WITH_CLEANUP(fileargs__open_read); ATF_TC_HEAD(fileargs__open_read, tc) {} ATF_TC_BODY(fileargs__open_read, tc) { cap_rights_t rights, norights; fileargs_t *fa; size_t i; int fd; prepare_files(MAX_FILES, true); cap_rights_init(&rights, CAP_READ | CAP_FCNTL); cap_rights_init(&norights, CAP_WRITE); fa = fileargs_init(MAX_FILES, files, O_RDONLY, 0, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ /* We open file twice to check if we can. */ ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(close(fd) == 0); ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(test_file_mode(fd, O_RDONLY) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_read(fd) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); ATF_REQUIRE(test_file_open(fa, TEST_FILE, NULL) == ENOTCAPABLE); ATF_REQUIRE(test_file_cap(fd, &norights) == false); ATF_REQUIRE(test_file_write(fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(close(fd) == 0); } } ATF_TC_CLEANUP(fileargs__open_read, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__open_write); ATF_TC_HEAD(fileargs__open_write, tc) {} ATF_TC_BODY(fileargs__open_write, tc) { cap_rights_t rights, norights; fileargs_t *fa; size_t i; int fd; prepare_files(MAX_FILES, true); cap_rights_init(&rights, CAP_WRITE | CAP_FCNTL); cap_rights_init(&norights, CAP_READ); fa = fileargs_init(MAX_FILES, files, O_WRONLY, 0, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ /* We open file twice to check if we can. */ ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(close(fd) == 0); ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(test_file_mode(fd, O_WRONLY) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_write(fd) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); ATF_REQUIRE(test_file_open(fa, TEST_FILE, NULL) == ENOTCAPABLE); ATF_REQUIRE(test_file_cap(fd, &norights) == false); ATF_REQUIRE(test_file_read(fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(close(fd) == 0); } } ATF_TC_CLEANUP(fileargs__open_write, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__open_create); ATF_TC_HEAD(fileargs__open_create, tc) {} ATF_TC_BODY(fileargs__open_create, tc) { cap_rights_t rights, norights; fileargs_t *fa; size_t i; int fd; prepare_files(MAX_FILES, false); cap_rights_init(&rights, CAP_WRITE | CAP_FCNTL | CAP_READ); cap_rights_init(&norights, CAP_FCHMOD); fa = fileargs_init(MAX_FILES, files, O_RDWR | O_CREAT, 666, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(test_file_mode(fd, O_RDWR) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_write(fd) == 0); ATF_REQUIRE(test_file_read(fd) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); ATF_REQUIRE(test_file_open(fa, TEST_FILE, NULL) == ENOTCAPABLE); ATF_REQUIRE(test_file_cap(fd, &norights) == false); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(close(fd) == 0); } } ATF_TC_CLEANUP(fileargs__open_create, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__open_with_casper); ATF_TC_HEAD(fileargs__open_with_casper, tc) {} ATF_TC_BODY(fileargs__open_with_casper, tc) { cap_channel_t *capcas; cap_rights_t rights; fileargs_t *fa; size_t i; int fd; prepare_files(MAX_FILES, true); capcas = cap_init(); ATF_REQUIRE(capcas != NULL); cap_rights_init(&rights, CAP_READ); fa = fileargs_cinit(capcas, MAX_FILES, files, O_RDONLY, 0, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(test_file_read(fd) == 0); /* CLOSE */ ATF_REQUIRE(close(fd) == 0); } } ATF_TC_CLEANUP(fileargs__open_with_casper, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__fopen_read); ATF_TC_HEAD(fileargs__fopen_read, tc) {} ATF_TC_BODY(fileargs__fopen_read, tc) { cap_rights_t rights, norights; fileargs_t *fa; size_t i; FILE *pfile; int fd; prepare_files(MAX_FILES, true); cap_rights_init(&rights, CAP_READ | CAP_FCNTL); cap_rights_init(&norights, CAP_WRITE); fa = fileargs_init(MAX_FILES, files, O_RDONLY, 0, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ /* We fopen file twice to check if we can. */ ATF_REQUIRE(test_file_fopen(fa, files[i], "r", &pfile) == 0); ATF_REQUIRE(fclose(pfile) == 0); ATF_REQUIRE(test_file_fopen(fa, files[i], "r", &pfile) == 0); fd = fileno(pfile); ATF_REQUIRE(test_file_mode(fd, O_RDONLY) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_fread(pfile) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); ATF_REQUIRE(test_file_fopen(fa, TEST_FILE, "r", NULL) == ENOTCAPABLE); ATF_REQUIRE(test_file_cap(fd, &norights) == false); ATF_REQUIRE(test_file_fwrite(pfile) == EBADF); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(fclose(pfile) == 0); } } ATF_TC_CLEANUP(fileargs__fopen_read, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__fopen_write); ATF_TC_HEAD(fileargs__fopen_write, tc) {} ATF_TC_BODY(fileargs__fopen_write, tc) { cap_rights_t rights, norights; fileargs_t *fa; size_t i; FILE *pfile; int fd; prepare_files(MAX_FILES, true); cap_rights_init(&rights, CAP_WRITE | CAP_FCNTL); cap_rights_init(&norights, CAP_READ); fa = fileargs_init(MAX_FILES, files, O_WRONLY, 0, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ /* We fopen file twice to check if we can. */ ATF_REQUIRE(test_file_fopen(fa, files[i], "w", &pfile) == 0); ATF_REQUIRE(fclose(pfile) == 0); ATF_REQUIRE(test_file_fopen(fa, files[i], "w", &pfile) == 0); fd = fileno(pfile); ATF_REQUIRE(test_file_mode(fd, O_WRONLY) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_fwrite(pfile) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); ATF_REQUIRE(test_file_fopen(fa, TEST_FILE, "w", NULL) == ENOTCAPABLE); ATF_REQUIRE(test_file_cap(fd, &norights) == false); ATF_REQUIRE(test_file_fread(pfile) == EBADF); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(fclose(pfile) == 0); } } ATF_TC_CLEANUP(fileargs__fopen_write, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__fopen_create); ATF_TC_HEAD(fileargs__fopen_create, tc) {} ATF_TC_BODY(fileargs__fopen_create, tc) { cap_rights_t rights; fileargs_t *fa; size_t i; FILE *pfile; int fd; prepare_files(MAX_FILES, false); cap_rights_init(&rights, CAP_READ | CAP_WRITE | CAP_FCNTL); fa = fileargs_init(MAX_FILES, files, O_RDWR | O_CREAT, 0, &rights, FA_OPEN); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ /* We fopen file twice to check if we can. */ ATF_REQUIRE(test_file_fopen(fa, files[i], "w+", &pfile) == 0); fd = fileno(pfile); ATF_REQUIRE(test_file_mode(fd, O_RDWR) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_fwrite(pfile) == 0); ATF_REQUIRE(test_file_fread(pfile) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); ATF_REQUIRE(test_file_fopen(fa, TEST_FILE, "w+", NULL) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(fclose(pfile) == 0); } } ATF_TC_CLEANUP(fileargs__fopen_create, tc) { clear_files(); } ATF_TC_WITH_CLEANUP(fileargs__lstat); ATF_TC_HEAD(fileargs__lstat, tc) {} ATF_TC_BODY(fileargs__lstat, tc) { fileargs_t *fa; size_t i; int fd; prepare_files(MAX_FILES, true); fa = fileargs_init(MAX_FILES, files, 0, 0, NULL, FA_LSTAT); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_open(fa, files[i], &fd) == ENOTCAPABLE); ATF_REQUIRE(test_file_lstat(fa, TEST_FILE) == ENOTCAPABLE); ATF_REQUIRE(test_file_open(fa, TEST_FILE, &fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); } } ATF_TC_CLEANUP(fileargs__lstat, tc) { clear_files(); } +ATF_TC_WITH_CLEANUP(fileargs__realpath); +ATF_TC_HEAD(fileargs__realpath, tc) {} +ATF_TC_BODY(fileargs__realpath, tc) +{ + fileargs_t *fa; + size_t i; + int fd; + + prepare_files(MAX_FILES, true); + + fa = fileargs_init(MAX_FILES, files, 0, 0, NULL, FA_REALPATH); + ATF_REQUIRE(fa != NULL); + + for (i = 0; i < MAX_FILES; i++) { + /* ALLOWED */ + ATF_REQUIRE(test_file_realpath(fa, files[i]) == 0); + + /* DISALLOWED */ + ATF_REQUIRE(test_file_open(fa, files[i], &fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_lstat(fa, TEST_FILE) == ENOTCAPABLE); + ATF_REQUIRE(test_file_open(fa, TEST_FILE, &fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); + } +} +ATF_TC_CLEANUP(fileargs__realpath, tc) +{ + clear_files(); +} + ATF_TC_WITH_CLEANUP(fileargs__open_lstat); ATF_TC_HEAD(fileargs__open_lstat, tc) {} ATF_TC_BODY(fileargs__open_lstat, tc) { cap_rights_t rights, norights; fileargs_t *fa; size_t i; int fd; prepare_files(MAX_FILES, true); cap_rights_init(&rights, CAP_READ | CAP_FCNTL); cap_rights_init(&norights, CAP_WRITE); fa = fileargs_init(MAX_FILES, files, O_RDONLY, 0, &rights, FA_OPEN | FA_LSTAT); ATF_REQUIRE(fa != NULL); for (i = 0; i < MAX_FILES; i++) { /* ALLOWED */ /* We open file twice to check if we can. */ ATF_REQUIRE(test_file_lstat(fa, files[i]) == 0); ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(close(fd) == 0); ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); ATF_REQUIRE(test_file_lstat(fa, files[i]) == 0); ATF_REQUIRE(test_file_mode(fd, O_RDONLY) == 0); ATF_REQUIRE(test_file_cap(fd, &rights) == true); ATF_REQUIRE(test_file_read(fd) == 0); /* DISALLOWED */ ATF_REQUIRE(test_file_open(fa, TEST_FILE, NULL) == ENOTCAPABLE); ATF_REQUIRE(test_file_cap(fd, &norights) == false); ATF_REQUIRE(test_file_write(fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == ENOTCAPABLE); + ATF_REQUIRE(test_file_realpath(fa, TEST_FILE) == ENOTCAPABLE); /* CLOSE */ ATF_REQUIRE(close(fd) == 0); } } ATF_TC_CLEANUP(fileargs__open_lstat, tc) { clear_files(); } +ATF_TC_WITH_CLEANUP(fileargs__open_realpath); +ATF_TC_HEAD(fileargs__open_realpath, tc) {} +ATF_TC_BODY(fileargs__open_realpath, tc) +{ + cap_rights_t rights, norights; + fileargs_t *fa; + size_t i; + int fd; + + prepare_files(MAX_FILES, true); + + cap_rights_init(&rights, CAP_READ | CAP_FCNTL); + cap_rights_init(&norights, CAP_WRITE); + fa = fileargs_init(MAX_FILES, files, O_RDONLY, 0, &rights, + FA_OPEN | FA_REALPATH); + ATF_REQUIRE(fa != NULL); + + for (i = 0; i < MAX_FILES; i++) { + /* ALLOWED */ + /* We open file twice to check if we can. */ + ATF_REQUIRE(test_file_realpath(fa, files[i]) == 0); + ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); + ATF_REQUIRE(close(fd) == 0); + + ATF_REQUIRE(test_file_open(fa, files[i], &fd) == 0); + ATF_REQUIRE(test_file_realpath(fa, files[i]) == 0); + ATF_REQUIRE(test_file_mode(fd, O_RDONLY) == 0); + ATF_REQUIRE(test_file_cap(fd, &rights) == true); + ATF_REQUIRE(test_file_read(fd) == 0); + + /* DISALLOWED */ + ATF_REQUIRE(test_file_open(fa, TEST_FILE, NULL) == ENOTCAPABLE); + ATF_REQUIRE(test_file_cap(fd, &norights) == false); + ATF_REQUIRE(test_file_write(fd) == ENOTCAPABLE); + ATF_REQUIRE(test_file_lstat(fa, files[i]) == ENOTCAPABLE); + + /* CLOSE */ + ATF_REQUIRE(close(fd) == 0); + } +} +ATF_TC_CLEANUP(fileargs__open_realpath, tc) +{ + clear_files(); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, fileargs__open_create); ATF_TP_ADD_TC(tp, fileargs__open_read); ATF_TP_ADD_TC(tp, fileargs__open_write); ATF_TP_ADD_TC(tp, fileargs__open_with_casper); ATF_TP_ADD_TC(tp, fileargs__fopen_create); ATF_TP_ADD_TC(tp, fileargs__fopen_read); ATF_TP_ADD_TC(tp, fileargs__fopen_write); ATF_TP_ADD_TC(tp, fileargs__lstat); + ATF_TP_ADD_TC(tp, fileargs__realpath); + ATF_TP_ADD_TC(tp, fileargs__open_lstat); + ATF_TP_ADD_TC(tp, fileargs__open_realpath); return (atf_no_error()); }