Date: Tue, 2 Feb 2010 16:50:55 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 174156 for review Message-ID: <201002021650.o12GotxS088969@repoman.freebsd.org>
http://p4web.freebsd.org/chv.cgi?CH=174156 Change 174156 by rwatson@rwatson_vimage_client on 2010/02/02 16:50:26 Style tweaks. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#4 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#12 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#10 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#11 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#3 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#6 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox.c#4 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#4 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_io.c#3 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#4 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#3 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#4 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#12 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#11 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#12 $ */ #ifndef _LIBCAPSICUM_H_ @@ -45,15 +45,6 @@ struct lc_host; /* - * Description of a library passed to lch_start_libs(). - */ -struct lc_library { - const char *lcl_libpath; - const char *lcl_libname; - int lcl_fd; -}; - -/* * A list of file descriptors, which can be passed around in shared memory. */ struct lc_fdlist; ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#10 (text+ko) ==== 
@@ -6,9 +6,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#9 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#10 $ */ #include <sys/mman.h> @@ -99,7 +99,6 @@ UNLOCK(&global_fdlist); return (&global_fdlist); } - env = getenv(LIBCAPSICUM_SANDBOX_FDLIST); if ((env != NULL) && (strnlen(env, 8) < 7)) { struct lc_fdlist_storage *lfsp; @@ -430,8 +429,8 @@ LOCK(lfp); lfsp = lfp->lf_storage; - if ((subsystem == NULL) || (classname == NULL) || (name == NULL) - || (fdp == NULL) || ((pos != NULL) && (*pos >= (int) lfsp->count))) { + if ((subsystem == NULL) || (classname == NULL) || (name == NULL) || + (fdp == NULL) || ((pos != NULL) && (*pos >= (int) lfsp->count))) { errno = EINVAL; return (-1); } 
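Review bot: In the `@@ -430,8 +429,8 @@` hunk the EINVAL early return happens after `LOCK(lfp);` but never releases the lock, while the success path later does `UNLOCK(lfp);`, so a caller passing a NULL output pointer or an out-of-range `*pos` leaves the list locked for good (a deadlock on the next call if LOCK is a mutex, which I infer rather than see). The re-wrapped condition keeps that behaviour; the fix is to drop the lock before returning: `UNLOCK(lfp); errno = EINVAL; return (-1);`. Cheaper still is to validate the pointer arguments before taking the lock at all, since only the `*pos >= (int) lfsp->count` test needs `lfsp`. The enclosing function starts before this hunk.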
@@ -441,23 +440,22 @@ int size = entry->syslen + entry->classnamelen + entry->namelen; char *head = malloc(size); - strncpy(head, names + entry->sysoff, entry->syslen + 1); + strncpy(head, names + entry->sysoff, entry->syslen + 1); *subsystem = head; head += size; - strncpy(head, names + entry->classoff, entry->classnamelen + 1); + strncpy(head, names + entry->classoff, entry->classnamelen + 1); *classname = head; head += size; - strncpy(head, names + entry->nameoff, entry->namelen + 1); + strncpy(head, names + entry->nameoff, entry->namelen + 1); *name = head; head += size; *fdp = entry->fd; UNLOCK(lfp); - - if (pos) (*pos)++; - + if (pos) + (*pos)++; return (0); } @@ -547,7 +545,8 @@ } void* -_lc_fdlist_getstorage(struct lc_fdlist* lfp) { - return lfp->lf_storage; +_lc_fdlist_getstorage(struct lc_fdlist* lfp) +{ + + return (lfp->lf_storage); } - ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#11 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#10 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#11 $ */ #include <sys/param.h> 
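Review bot: The `@@ -441,23 +440,22 @@` hunk only re-indents three `strncpy` calls, but the surrounding code is a heap overflow: `size` is the sum of the three name lengths with no room for terminators, `malloc(size)` is never checked for NULL, and after each copy the cursor is advanced by the whole `size` rather than by the string just written, so the second and third `strncpy` land at and beyond the end of the allocation and `*classname`/`*name` point outside it. The three output strings also share one allocation, so only `*subsystem` can ever be passed to free(); that contract should be stated in a comment if it is intentional. The rewrite below sizes the buffer for three NUL-terminated strings and advances by `len + 1` (it presumes each name is NUL-terminated at `names + off + len`, which the `len + 1` copies already assume; verify). The enclosing function starts before this hunk.
```c
	/* Room for three NUL-terminated strings; all three live in one allocation. */
	int size = entry->syslen + entry->classnamelen + entry->namelen + 3;
	char *head = malloc(size);
	if (head == NULL) {
		UNLOCK(lfp);
		return (-1);
	}
	strncpy(head, names + entry->sysoff, entry->syslen + 1);
	*subsystem = head;
	head += entry->syslen + 1;
	strncpy(head, names + entry->classoff, entry->classnamelen + 1);
	*classname = head;
	head += entry->classnamelen + 1;
	strncpy(head, names + entry->nameoff, entry->namelen + 1);
	*name = head;
	/* … unchanged: *fdp = entry->fd; UNLOCK(lfp); pos increment; return (0); … */
```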
@@ -89,10 +89,16 @@ return (1); } - +/* + * Once in the child process, create the new sandbox. + * + * XXX: A number of things happen here that are not safe after fork(), + * especially calls to err(). + */ static void -lch_sandbox(int fd_sock, int fd_binary, int fd_rtld, int fd_devnull, u_int flags, - const char *binname, char *const argv[], __unused struct lc_fdlist *userfds) +lch_sandbox(int fd_sock, int fd_binary, int fd_rtld, int fd_devnull, + u_int flags, const char *binname, char *const argv[], + struct lc_fdlist *userfds) { struct sbuf *sbufp; int shmfd = -1; @@ -160,41 +166,38 @@ /* * Ask RTLD for library path descriptors. * - * NOTE: This is FreeBSD-specific; porting to other operating systems will - * require dynamic linkers capable of answering similar queries. + * NOTE: This is FreeBSD-specific; porting to other operating systems + * will require dynamic linkers capable of answering similar queries. */ int size = 16; int *libdirs; while (1) { libdirs = malloc(size * sizeof(int)); - if (ld_libdirs(libdirs, &size) < 0) { free(libdirs); - - if (size > 0) continue; - else err(-1, "Error in ld_libdirs()"); - } - else break; + if (size > 0) + continue; + err(-1, "Error in ld_libdirs()"); + } else + break; } - for (int j = 0; j < size; j++) if (lc_fdlist_addcap(fds, RTLD_CAP_FQNAME, "libdir", "", - libdirs[j], LIBCAPSICUM_CAPMASK_LIBDIR) < 0) + libdirs[j], LIBCAPSICUM_CAPMASK_LIBDIR) < 0) err(-1, "Error in lc_fdlist_addcap(libdirs[%d]: %d)", j, libdirs[j]); if (lc_fdlist_reorder(fds) < 0) err(-1, "Error in lc_fdlist_reorder()"); - /* * Find the fdlist shared memory segment. */ int pos = 0; - if (lc_fdlist_lookup(fds, LIBCAPSICUM_FQNAME, "fdlist", NULL, - &shmfd, &pos) < 0) + if (lc_fdlist_lookup(fds, LIBCAPSICUM_FQNAME, "fdlist", NULL, &shmfd, + &pos) < 0) err(-1, "Error in lc_fdlist_lookup(fdlist)"); char tmp[8]; 
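Review bot: In the `@@ -160,41 +166,38 @@` hunk `libdirs = malloc(size * sizeof(int));` is passed straight to `ld_libdirs()` without a NULL check, so an allocation failure in the freshly forked child hands the linker a NULL buffer to fill; add `if (libdirs == NULL) err(-1, "malloc(libdirs)");` before the call, consistent with how every other failure in this function is reported. The retry loop also assumes `ld_libdirs()` rewrites `size` to the required count on failure; if it ever fails with `size > 0` for another reason the loop spins forever, so a one-line comment stating that contract (`/* ld_libdirs() reports the needed count in size on ENOSPC-style failure */`, adjusted to whatever rtld actually guarantees) would help the next reader. The new header comment rightly flags err() as unsafe after fork(); note that `char tmp[8]` at the end of this hunk is the buffer the next hunk formats descriptors into. `lch_sandbox` continues beyond this hunk.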
@@ -229,8 +232,8 @@ /* * Find the binary for RTLD. */ - if (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "binary", NULL, &fd_binary, - NULL) < 0) + if (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "binary", NULL, + &fd_binary, NULL) < 0) err(-1, "Error in lc_fdlist_lookup(RTLD binary)"); sprintf(tmp, "%d", fd_binary); @@ -240,8 +243,9 @@ /* * Build LD_LIBRARY_DIRS for RTLD. * - * NOTE: This is FreeBSD-specific; porting to other operating systems will - * require dynamic linkers capable of operating on file descriptors. + * NOTE: This is FreeBSD-specific; porting to other operating systems + * will require dynamic linkers capable of operating on file + * descriptors. */ sbufp = sbuf_new_auto(); if (sbufp == NULL) @@ -249,8 +253,8 @@ { int fd; - while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "libdir", - NULL, &fd, &pos) >= 0) + while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "libdir", NULL, + &fd, &pos) >= 0) sbuf_printf(sbufp, "%d:", fd); } @@ -261,7 +265,6 @@ err(-1, "Error in setenv(LD_LIBRARY_DIRS)"); sbuf_delete(sbufp); - if (cap_enter() < 0) err(-1, "cap_enter() failed"); @@ -334,8 +337,8 @@ goto out_error; } if (pid == 0) { - lch_sandbox(fd_sockpair[1], fd_binary, fd_rtld, fd_devnull, flags, - binname, argv, fds); + lch_sandbox(fd_sockpair[1], fd_binary, fd_rtld, fd_devnull, + flags, binname, argv, fds); exit(-1); } #ifndef IN_CAP_MODE @@ -380,11 +383,11 @@ int lch_startfd(int fd_binary, const char *binname, char *const argv[], - u_int flags, __unused struct lc_fdlist *fds, struct lc_sandbox **lcspp) + u_int flags, struct lc_fdlist *fds, struct lc_sandbox **lcspp) { - return (lch_startfd_libs(fd_binary, binname, argv, flags, - fds, lcspp)); + return (lch_startfd_libs(fd_binary, binname, argv, flags, fds, + lcspp)); } int ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#3 (text+ko) ==== 
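Review bot: In the `@@ -229,8 +232,8 @@` hunk `sprintf(tmp, "%d", fd_binary);` writes into the `char tmp[8]` declared in the previous hunk with no bound; a descriptor number of eight or more digits is unlikely, but a negative value from a failed lookup that slipped past the check, or any future widening, turns this into a stack overflow in the sandbox setup path. Use `snprintf(tmp, sizeof(tmp), "%d", fd_binary);` (and consider sizing `tmp` for a full `int`, e.g. 12 bytes) so the write is bounded regardless of the value. `lch_sandbox` starts and ends outside this hunk.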
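Review bot: In the `@@ -334,8 +337,8 @@` hunk the child falls through to `exit(-1);` if `lch_sandbox()` returns, which runs the parent's atexit handlers and flushes its inherited stdio buffers from the child, duplicating any pending output; in a forked child that has not exec'd, `_exit(-1);` is the correct call. This is the same class of post-fork hazard the new header comment on `lch_sandbox` already acknowledges for err(), so it is worth fixing the one line that is cheap to fix. The enclosing function starts before and continues after this hunk.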
@@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#2 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#3 $ */ #include <sys/param.h> ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#6 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -30,14 +30,14 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#5 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#6 $ */ #ifndef _LIBCAPSICUM_INTERNAL_H_ #define _LIBCAPSICUM_INTERNAL_H_ -#define LIBCAPSICUM_FQNAME "org.freebsd.libcapsicum" -#define RTLD_CAP_FQNAME "org.freebsd.rtld-elf-cap" +#define LIBCAPSICUM_FQNAME "org.freebsd.libcapsicum" +#define RTLD_CAP_FQNAME "org.freebsd.rtld-elf-cap" struct lc_host { int lch_fd_sock; ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox.c#4 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#4 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#3 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#4 $ */ #ifndef _LIBCAPSICUM_SANDBOX_API_H_ @@ -41,7 +41,7 @@ * make about the runtime environment set up by libcapsicum hosts. */ #define LIBCAPSICUM_SANDBOX_API_ENV "LIBCAPSICUM_SANDBOX" -#define LIBCAPSICUM_SANDBOX_FDLIST "LIBCAPSICUM_FDLIST" +#define LIBCAPSICUM_SANDBOX_FDLIST "LIBCAPSICUM_FDLIST" #define LIBCAPSICUM_SANDBOX_API_SOCK "sock" /* ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_io.c#3 (text+ko) ==== @@ -5,9 +5,9 @@ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED * ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND * UNEXPECTED WAYS. - * + * * This software was developed at the University of Cambridge Computer - * Laboratory with support from a grant from Google, Inc. + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions