Date: Sat, 2 Jun 2018 00:18:35 +0000
From: Shubh Gupta <shubhgupta2104@gmail.com>
To: soc-status@freebsd.org
Subject: Weekly Report
Message-ID: <CANOQ3vSqhHL%2BunpJ3cs3N39ADgKmtrrdR%2BUPdsfieZ2Bm_UKbQ@mail.gmail.com>

I have been working on integrating libpreopen and capsh, and providing capsh the functionality to preopen all the files given in the arguments (it tries to preopen the argument even though it may not be a file) such that those files can be traversed and read after we have entered capability mode. All this time, I was trying to figure out how capsh could leverage libpreopen.

1. I included libpreopen.h in capsh/src/platform/FreeBSD.hh
2. I made the po_map in FreeBSD.cc when arguments were being parsed, preopened all the arguments into file descriptors, and made a po_map_entry corresponding to each of the files.
3. Initially, I was trying to open the directory in which the argument file was present so that the openat wrapper call for open could be used. But I observed that directories like ".." could not be preopened because of the capability mode. Hence I had to make some changes in the open wrapper function, and the preopening of the file was made possible.
4. The shared memory map which was packing the po_map into the shared memory was not able to unwrap from the shared memory, where I figured out that the close-on-exec flag had to be passed for this to be made possible.

The result is that I am able to leverage the functionality of cat in the oblivious sandbox, wherein it gets just the resources it requires, which was the goal of my first evaluation. The results can be seen in the latest commits on my repositories, which are mentioned in my wiki. I have deleted the lame commits that I had made earlier and made the latest commit the final working one, encompassing all the good work in just one commit.

Now, I am beginning to work on the stretch goal for my first evaluation, i.e. making it possible for telnet to run. The plan that I will follow for telnet will be:

1. Just like files, make it possible for the sockets to be pre-opened as descriptors.
2. Figure out what extra resources telnet might need to leverage the functionality of an Oblivious Sandbox, which would be provided before entering into the capability mode.
3. Implement the third entry in po_map_entry which specifies that the preopened descriptor is a file or a socket.
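
The preopen-then-`openat` pattern the report describes, as an added example that is not code from the report, capsh or libpreopen: the names `pre_add` and `pre_open` are hypothetical and do not reflect libpreopen's API. It uses plain POSIX calls, so the rejection of ".." components is done by the wrapper itself rather than by capability mode.

```c
/* Added example: minimal preopen map. Names are hypothetical, not libpreopen's. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <string.h>

#define MAX_ENTRIES 8
struct pre_entry { const char *dir; int fd; };  /* directory path -> descriptor */
static struct pre_entry map[MAX_ENTRIES];
static int map_len;

/* Run before sandboxing, while global path lookup still works.
 * The caller keeps `dir` alive. Returns 0 on success, -1 on failure. */
int pre_add(const char *dir)
{
    if (map_len == MAX_ENTRIES) return -1;
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    map[map_len].dir = dir;
    map[map_len++].fd = fd;
    return 0;
}

/* True if any path component is exactly "..". */
static int has_dotdot(const char *p)
{
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n;
        while (*p == '/') p++;
    }
    return 0;
}

/* Wrapper for open(): resolve `path` against a preopened directory and
 * open it relative to that descriptor. Returns an fd, or -1 if refused. */
int pre_open(const char *path, int flags)
{
    for (int i = 0; i < map_len; i++) {
        size_t n = strlen(map[i].dir);
        if (strncmp(path, map[i].dir, n) != 0 || path[n] != '/') continue;
        const char *rel = path + n + 1;
        if (*rel == '\0' || *rel == '/' || has_dotdot(rel)) return -1;
        return openat(map[i].fd, rel, flags);
    }
    return -1;  /* no preopened directory covers this path */
}
```
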