Index: head/lib/Makefile =================================================================== --- head/lib/Makefile (revision 306656) +++ head/lib/Makefile (revision 306657) @@ -1,329 +1,330 @@ # @(#)Makefile 8.1 (Berkeley) 6/4/93 # $FreeBSD$ .include # The SUBDIR_BOOTSTRAP list is a small set of libraries which are used by many # of the other libraries. These are built first with a .WAIT between them # and the main list to avoid needing a SUBDIR_DEPEND line on every library # naming just these few items. SUBDIR_BOOTSTRAP= \ csu \ .WAIT \ libc \ libc_nonshared \ libcompiler_rt \ ${_libclang_rt} \ ${_libcplusplus} \ ${_libcxxrt} \ libelf \ msun # The main list; please keep these sorted alphabetically. SUBDIR= ${SUBDIR_BOOTSTRAP} \ .WAIT \ libalias \ libarchive \ ${_libatm} \ libauditd \ libbegemot \ ${_libblacklist} \ libblocksruntime \ ${_libbluetooth} \ ${_libbsnmp} \ libbsdstat \ libbsm \ libbz2 \ libcalendar \ libcam \ + libcapsicum \ ${_libcasper} \ ${_libcom_err} \ libcompat \ libcrypt \ libdevctl \ ${_libdevdctl} \ libdevinfo \ libdevstat \ libdwarf \ libedit \ ${_libelftc} \ libevent \ libexecinfo \ libexpat \ libfetch \ libfigpar \ libgeom \ ${_libgpio} \ ${_libgssapi} \ ${_librpcsec_gss} \ ${_libiconv_modules} \ libifconfig \ libipsec \ libjail \ libkiconv \ libkvm \ ${_libldns} \ liblzma \ ${_libmagic} \ libmemstat \ libmd \ ${_libmilter} \ ${_libmp} \ libmt \ ${_libnandfs} \ lib80211 \ libnetbsd \ ${_libnetgraph} \ ${_libngatm} \ libnv \ libopenbsd \ libopie \ libpam \ libpcap \ ${_libpe} \ libpjdlog \ ${_libpmc} \ ${_libproc} \ libprocstat \ ${_libradius} \ librpcsvc \ librss \ librt \ ${_librtld_db} \ libsbuf \ ${_libsdp} \ ${_libsm} \ libsmb \ ${_libsmdb} \ ${_libsmutil} \ libsqlite3 \ libstand \ libstdbuf \ libstdthreads \ libsysdecode \ libtacplus \ ${_libtelnet} \ ${_libthr} \ libthread_db \ libucl \ libufs \ libugidfw \ libulog \ ${_libunbound} \ ${_libusbhid} \ ${_libusb} \ libutil \ ${_libvgl} \ ${_libvmmapi} \ libwrap \ libxo \ liby \ ${_libypclnt} \ libz \ ncurses \ ${_atf} \ ${_clang} \ ${_cuse} \ ${_tests} # Inter-library dependencies. When the makefile for a library contains LDADD # libraries, those libraries should be listed as build order dependencies here. SUBDIR_DEPEND_libarchive= libz libbz2 libexpat liblzma libmd SUBDIR_DEPEND_libatm= libmd SUBDIR_DEPEND_libauditdm= libbsm SUBDIR_DEPEND_libbsnmp= ${_libnetgraph} SUBDIR_DEPEND_libc++:= libcxxrt SUBDIR_DEPEND_libc= libcompiler_rt SUBDIR_DEPEND_libcam= libsbuf SUBDIR_DEPEND_libcasper= libnv SUBDIR_DEPEND_libdevstat= libkvm SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil SUBDIR_DEPEND_libedit= ncurses SUBDIR_DEPEND_libgeom= libexpat libsbuf SUBDIR_DEPEND_liblibrpcsec_gss= libgssapi SUBDIR_DEPEND_libmagic= libz SUBDIR_DEPEND_libmemstat= libkvm SUBDIR_DEPEND_libopie= libmd SUBDIR_DEPEND_libpam= libcrypt libopie ${_libradius} librpcsvc libtacplus libutil ${_libypclnt} ${_libcom_err} SUBDIR_DEPEND_libpjdlog= libutil SUBDIR_DEPEND_libprocstat= libkvm libutil SUBDIR_DEPEND_libradius= libmd SUBDIR_DEPEND_libsmb= libkiconv SUBDIR_DEPEND_libtacplus= libmd SUBDIR_DEPEND_libulog= libmd SUBDIR_DEPEND_libunbound= ${_libldns} SUBDIR_DEPEND_liblzma= ${_libthr} # NB: keep these sorted by MK_* knobs .if ${MK_ATM} != "no" _libngatm= libngatm .endif .if ${MK_BLACKLIST} != "no" _libblacklist= libblacklist .endif .if ${MK_BLUETOOTH} != "no" _libbluetooth= libbluetooth _libsdp= libsdp .endif .if ${MK_BSNMP} != "no" _libbsnmp= libbsnmp .endif .if ${MK_CASPER} != "no" _libcasper= libcasper .endif .if ${MK_CLANG} != "no" && !defined(COMPAT_32BIT) && !defined(COMPAT_SOFTFP) _clang= clang .endif .if ${MK_CUSE} != "no" _cuse= libcuse .endif .if ${MK_CXX} != "no" _libdevdctl= libdevdctl .endif .if ${MK_TOOLCHAIN} != "no" _libelftc= libelftc _libpe= libpe .endif SUBDIR.${MK_DIALOG}+= libdpv .if ${MK_FILE} != "no" _libmagic= libmagic .endif .if ${MK_GPIO} != "no" _libgpio= libgpio .endif .if ${MK_GSSAPI} != "no" _libgssapi= libgssapi _librpcsec_gss= librpcsec_gss .endif .if ${MK_ICONV} != "no" _libiconv_modules= libiconv_modules .endif .if ${MK_KERBEROS_SUPPORT} != "no" _libcom_err= libcom_err .endif .if ${MK_LDNS} != "no" _libldns= libldns .endif # The libraries under libclang_rt can only be built by clang, and only make # sense to build when clang is enabled at all. Furthermore, they can only be # built for certain architectures. .if ${MK_CLANG} != "no" && ${COMPILER_TYPE} == "clang" && \ (${MACHINE_CPUARCH} == "aarch64" || ${MACHINE_CPUARCH} == "amd64" || \ (${MACHINE_CPUARCH} == "arm" && ${MACHINE_ARCH} != "armeb") || \ (${MACHINE_CPUARCH} == "i386")) _libclang_rt= libclang_rt .endif .if ${MK_LIBCPLUSPLUS} != "no" _libcxxrt= libcxxrt _libcplusplus= libc++ .endif .if ${MK_LIBTHR} != "no" _libthr= libthr .endif .if ${MK_NAND} != "no" _libnandfs= libnandfs .endif .if ${MK_NETGRAPH} != "no" _libnetgraph= libnetgraph .endif .if ${MK_NIS} != "no" _libypclnt= libypclnt .endif .if ${MACHINE_CPUARCH} == "i386" || ${MACHINE_CPUARCH} == "amd64" _libvgl= libvgl _libproc= libproc _librtld_db= librtld_db .endif .if ${MACHINE_CPUARCH} == "amd64" .if ${MK_BHYVE} != "no" _libvmmapi= libvmmapi .endif .endif .if ${MACHINE_CPUARCH} == "mips" _libproc= libproc _librtld_db= librtld_db .endif .if ${MACHINE_CPUARCH} == "powerpc" _libproc= libproc _librtld_db= librtld_db .endif .if ${MACHINE_CPUARCH} == "aarch64" || ${MACHINE_CPUARCH} == "arm" || \ ${MACHINE_CPUARCH} == "riscv" _libproc= libproc _librtld_db= librtld_db .endif .if ${MK_OPENSSL} != "no" _libmp= libmp .endif .if ${MK_PMC} != "no" _libpmc= libpmc .endif .if ${MK_RADIUS_SUPPORT} != "no" _libradius= libradius .endif .if ${MK_SENDMAIL} != "no" _libmilter= libmilter _libsm= libsm _libsmdb= libsmdb _libsmutil= libsmutil .endif .if ${MK_TELNET} != "no" _libtelnet= libtelnet .endif .if ${MK_TESTS_SUPPORT} != "no" _atf= atf .endif .if ${MK_TESTS} != "no" _tests= tests .endif .if ${MK_UNBOUND} != "no" _libunbound= libunbound .endif .if ${MK_USB} != "no" _libusbhid= libusbhid _libusb= libusb .endif .if !make(install) SUBDIR_PARALLEL= .endif .include Index: head/lib/libcapsicum/Makefile =================================================================== --- head/lib/libcapsicum/Makefile (nonexistent) +++ head/lib/libcapsicum/Makefile (revision 306657) @@ -0,0 +1,7 @@ +# $FreeBSD$ + +PACKAGE=lib${LIB} + +INCS= capsicum_helpers.h + +.include Property changes on: head/lib/libcapsicum/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/lib/libcapsicum/capsicum_helpers.h =================================================================== --- head/lib/libcapsicum/capsicum_helpers.h (nonexistent) +++ head/lib/libcapsicum/capsicum_helpers.h (revision 306657) @@ -0,0 +1,120 @@ +/*- + * Copyright (c) 2016 Mariusz Zaborski + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _CAPSICUM_HELPERS_H_ +#define _CAPSICUM_HELPERS_H_ + +#include +#include + +#include +#include +#include +#include +#include + +#define CAPH_IGNORE_EBADF 0x0001 +#define CAPH_READ 0x0002 +#define CAPH_WRITE 0x0004 + +static __inline int +caph_limit_stream(int fd, int flags) +{ + cap_rights_t rights; + unsigned long cmds[] = { TIOCGETA, TIOCGWINSZ }; + + cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_IOCTL); + + if ((flags & CAPH_READ) != 0) + cap_rights_set(&rights, CAP_READ); + if ((flags & CAPH_WRITE) != 0) + cap_rights_set(&rights, CAP_WRITE); + + if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) { + if (errno == EBADF && (flags & CAPH_IGNORE_EBADF) != 0) + return (0); + return (-1); + } + + if (cap_ioctls_limit(fd, cmds, nitems(cmds)) < 0 && errno != ENOSYS) + return (-1); + + if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) + return (-1); + + return (0); +} + +static __inline int +caph_limit_stdin(void) +{ + + return (caph_limit_stream(STDIN_FILENO, CAPH_READ)); +} + +static __inline int +caph_limit_stderr(void) +{ + + return (caph_limit_stream(STDERR_FILENO, CAPH_WRITE)); +} + +static __inline int +caph_limit_stdout(void) +{ + + return (caph_limit_stream(STDOUT_FILENO, CAPH_WRITE)); +} + +static __inline int +caph_limit_stdio(void) +{ + + if (caph_limit_stdin() == -1 || caph_limit_stdout() == -1 || + caph_limit_stdout() == -1) { + return (-1); + } + + return (0); +} + +static __inline void +caph_cache_tzdata(void) +{ + + tzset(); +} + +static __inline void +caph_cache_catpages(void) +{ + + (void)catopen("libc", NL_CAT_LOCALE); +} + +#endif /* _CAPSICUM_HELPERS_H_ */ Property changes on: head/lib/libcapsicum/capsicum_helpers.h ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property