Date: Tue, 26 Sep 2017 15:37:53 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: freebsd-security@freebsd.org Subject: Capsicum and connect(2) Message-ID: <20170926193753.eolxa6lk5qvejtgc@mutt-hbsd>
next in thread | raw e-mail | index | archive | help
--wkj2rsx7jlinq6vs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hey All, I'm working on applying Capsicum to Tor. I've got a PoC design for how I'm going to do it posted here: https://github.com/lattera/PoCs/tree/master/capsicum_fdpassing Note that the above code might have ugly spots. It's mostly just a brain dump. Essentially, the child process creates the socket and passes the socket's file descriptor back to the parent. The socket file descriptor has the capabilities sets already applied to it before it goes back to the parent. The socket creation and file descriptor passing seems to work well. However, what isn't working is calling connect(2) on the socket file descriptor in the parent. errno gets set to ECAPMODE. This is puzzling to me since CAP_CONNECT is set on the descriptor. Any help would be appreciated. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --wkj2rsx7jlinq6vs Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlnKrI4ACgkQaoRlj1JF bu5Qxw/9H+ugIwe2NcbsK8smTsw4JLLMlnHURGQWXNWE7qIXOpkVBRlMW6pbwiX1 3l4Te7VYJhBqsMIhdj4ekf9uPmAQDpFO65Q5e2uPF6FN3cg4iMp6hcIL1mNzeBo4 xvAGyEvqipMZBlIH5N/MYQ3WC5cdp3rJDvdYla46AAn0jSRP3VCjKNQDa7LgrO5R ZIA/8d8Ifa5FWHgIYoHbdyyflfqxaf60zQ2R/D1W3kKzSWvCmQEXvyqmJE8JLgnz 0nqzUKFmApAmExxepU7HTSjoP09A4o0X6f7FxpnrJW8JqONN+7MjUbsymKPRmAKl mFJsNFuC9crcTpCMCE3DKUoq9Hreofpp9U4mqGMIfO2Aur8elo9jhqDyb4gIn2bh 5cwdQHWESirGdCQ1TT8rkGLvdFXiiXc7CS/NQhwkBbKqX2UNlAlLTpHMM93rMSWS QRaPBERQlbe6RbsivkG7iBWuqIz+1mpK7Ozatc+R5cB25eInjR36utp10VFDih3p iPt9VGkfZbKNbSf1t50uJk2llFEHjQPFMLLhVMhtTGVeEPzGufMmoZbW351rlS2b l9Qurrx5yDRjpu6M1lr4oUWXhJSXEJCLuY+bgS02B+nKJj4h9b22FCZjKtTV+vwO pXxfHU5Y6U791/D5+OLsHMYsd/nMvtpjA85TPwGx5J7Fh8kruxE= =hkk5 -----END PGP SIGNATURE----- --wkj2rsx7jlinq6vs--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170926193753.eolxa6lk5qvejtgc>