From owner-svn-soc-all@FreeBSD.ORG Sun Jul 10 12:22:10 2011 Return-Path: Delivered-To: svn-soc-all@FreeBSD.org Received: from socsvn.FreeBSD.org (unknown [IPv6:2001:4f8:fff6::2f]) by hub.freebsd.org (Postfix) with SMTP id DB4D4106564A for ; Sun, 10 Jul 2011 12:22:07 +0000 (UTC) (envelope-from kibab@FreeBSD.org) Received: by socsvn.FreeBSD.org (sSMTP sendmail emulation); Sun, 10 Jul 2011 12:22:07 +0000 Date: Sun, 10 Jul 2011 12:22:07 +0000 From: kibab@FreeBSD.org To: svn-soc-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Message-Id: <20110710122207.DB4D4106564A@hub.freebsd.org> Cc: Subject: socsvn commit: r224094 - soc2011/kibab/freebsd-src-head/usr.sbin/syslogd X-BeenThere: svn-soc-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the entire Summer of Code repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Jul 2011 12:22:10 -0000 Author: kibab Date: Sun Jul 10 12:22:07 2011 New Revision: 224094 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=224094 Log: Task-9: add limiting capabilities on different descriptors. This requires libcapsicum. Modified: soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c Modified: soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile ============================================================================== --- soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile Sun Jul 10 07:25:34 2011 (r224093) +++ soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile Sun Jul 10 12:22:07 2011 (r224094) 
@@ -10,7 +10,7 @@ SRCS= syslogd.c ttymsg.c DPADD= ${LIBUTIL} -LDADD= -lutil +LDADD= -lutil -lcapsicum WARNS?= 3 Modified: soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c ============================================================================== --- soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c Sun Jul 10 07:25:34 2011 (r224093) +++ soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c Sun Jul 10 12:22:07 2011 (r224094) @@ -76,6 +76,7 @@ #define TTYMSGTIME 1 /* timeout passed to ttymsg */ #include +#include #include #include #include @@ -502,7 +503,7 @@ int fork_count = 0; /* XXX For debug purposes only, remove in production code! */ int chpid; - if(feature_present("security_capabilities")) { + if(1 || feature_present("security_capabilities")) { dprintf("Running with Capsicum support!\n"); do { chpid = fork(); @@ -517,6 +518,7 @@ parent_duty(chpid); } else { /* Child process */ setproctitle("child process (capability mode)"); + pidfile_close(pfh); } if(fork_count>10) errx(1, "ACHTUNG, high fork count"); @@ -571,6 +573,10 @@ continue; } double_rbuf(fx->s); + } else { + if(lc_limitfd(fx->s, CAP_READ | CAP_EVENT) < 0) { + errx(1, "Cannot limit operations on %s", fx->name); + } } } if (SecureMode <= 1) @@ -596,7 +602,10 @@ fklog = -1; if (fklog < 0) dprintf("can't open %s (%d)\n", _PATH_KLOG, errno); - + /* Limit operations on fklog to read and select only */ + if(lc_limitfd(fklog, CAP_READ | CAP_EVENT) < 0) { + errx(1, "Cannot limit operations on "_PATH_KLOG); + } /* tuck my process id away */ /* * pidfile_write(pfh); this should be done earlier if forking. 
@@ -612,6 +621,9 @@ err(32, "Could not enter capability mode!"); } else { dprintf("FreeBSD capability mode enabled!\n"); + if (lc_limitfd(STDIN_FILENO, CAP_FSTAT) < 0) errx(1, "lc_limitfd: unable to limit STDIN_FILENO"); + if (lc_limitfd(STDOUT_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0) errx(1, "lc_limitfd: unable to limit STDOUT_FILENO"); + if (lc_limitfd(STDERR_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0) errx(1, "lc_limitfd: unable to limit STDERR_FILENO"); } /* prevent SIGHUP and SIGCHLD handlers from running in parallel */ @@ -2046,6 +2058,10 @@ (void)strlcpy(f->f_un.f_fname, p, sizeof(f->f_un.f_fname)); f->f_type = F_FILE; } + /* Limit the set of operations for this fd */ + if(lc_limitfd(f->f_file, CAP_SEEK | CAP_WRITE) < 0) { + errx(1, "Cannot limit operations on %s", p); + } break; case '|': @@ -2759,7 +2775,9 @@ logerror("bind"); continue; } - + if(lc_limitfd(*s, CAP_READ | CAP_EVENT) < 0) { + errx(1, "Cannot limit capabilities on inet sockets"); + } double_rbuf(*s); (*socks)++;
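Review bot: in the Makefile hunk, DPADD is left at ${LIBUTIL} while LDADD gains -lcapsicum, so make(1) will not relink syslogd when libcapsicum changes; add the matching dependency to DPADD alongside the LDADD change (the bsd.libnames.mk variable for libcapsicum is not visible here, so use whatever name the SoC tree defines for it).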
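Review bot: in the @@ -502 hunk, `if(1 || feature_present("security_capabilities"))` short-circuits the feature test, so the fork/capability path is taken unconditionally and a kernel without security_capabilities will now die at the later err(32, "Could not enter capability mode!") instead of falling back to the non-sandboxed path. If this is a debugging aid like the fork_count counter above it, mark it XXX and drop it before merge; otherwise restore the plain feature_present() check. style(9) also wants a space between `if` and `(`.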
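Review bot: in the @@ -517 hunk, closing the pidfile handle in the child with pidfile_close(pfh) is the right call (the lock stays with the parent and the file is not removed), but the later context still carries pidfile_write(pfh) commented out with the note that it "should be done earlier if forking"; until that move happens the pidfile is never written, so please either do the write before the fork in this commit or record it as a TODO in the log message.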
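Review bot: in the @@ -571 hunk, the new else branch limits fx->s to CAP_READ | CAP_EVENT but, unlike the branch it pairs with, never calls double_rbuf(fx->s), and nothing documents which process (parent or capability-mode child) is meant to take which branch; add a comment and confirm the receive buffer is still doubled on the path that actually reads from the socket. The failure path also uses errx(1) where the loop just above reports with `continue;` and carries on; a daemon that exits on the first un-limitable local socket is a harsher policy than the surrounding code applies.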
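Review bot: in the @@ -596 hunk, lc_limitfd(fklog, ...) runs unconditionally right after `if (fklog < 0) dprintf("can't open %s (%d)\n", _PATH_KLOG, errno);`, so when _PATH_KLOG cannot be opened fklog is -1, lc_limitfd() fails and errx(1) terminates the daemon, whereas before this change a missing klog was merely logged. Guard the call with `if (fklog >= 0)` so the non-fatal behaviour is preserved. Also, `"Cannot limit operations on "_PATH_KLOG` depends on _PATH_KLOG being a string literal; a `%s` with the macro passed as an argument would match the other call sites in this patch.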
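Review bot: in the @@ -612 hunk, the three `if (lc_limitfd(...) < 0) errx(...)` statements each sit on a single line; style(9) puts the controlled statement on its own line, as the rest of this file does. STDOUT/STDERR get CAP_FSTAT | CAP_SEEK | CAP_WRITE while STDIN gets only CAP_FSTAT; a short comment saying why these particular rights were chosen, and why they are applied in the else branch after cap_enter() succeeded (the dprintf() on the line before still needs CAP_WRITE on stdout), would help the next reader.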
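Review bot: in the @@ -2046 hunk, the lc_limitfd() call is placed after the closing brace of the branch that sets F_FILE, so it also applies to whatever f->f_file holds on the other path of that if/else; confirm that path wants CAP_SEEK | CAP_WRITE as well. A failure calls errx(1), which takes the whole daemon down for one bad configuration entry (including during a reload); a per-entry failure should be logged and the entry disabled rather than fatal. Also double-check that CAP_SEEK | CAP_WRITE covers every operation later performed on this descriptor, e.g. add CAP_FSYNC if the log file is fsync'd after writes.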
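Review bot: in the @@ -2759 hunk, these are the bound inet sockets handed back through *s; if the same descriptors are later used as the source for forwarding to remote hosts with sendto(), CAP_READ | CAP_EVENT is insufficient (sendto() needs CAP_WRITE, plus CAP_CONNECT when an address is supplied) and forwarding would fail with ENOTCAPABLE inside the sandbox. Verify, and either add the rights or document why forwarding never uses these sockets. The message "Cannot limit capabilities on inet sockets" also differs from the "Cannot limit operations on ..." wording used elsewhere and names no address, and errx(1) here versus `logerror("bind"); continue;` a few lines above is another fatal-versus-skip inconsistency.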