From owner-freebsd-security@freebsd.org Tue Sep 26 19:38:05 2017
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: freebsd-security@freebsd.org
Subject: Capsicum and connect(2)
Date: Tue, 26 Sep 2017 15:37:53 -0400
Message-ID: <20170926193753.eolxa6lk5qvejtgc@mutt-hbsd>

Hey All,

I'm working on applying Capsicum to Tor. I've got a PoC design for how
I'm going to do it posted here:

https://github.com/lattera/PoCs/tree/master/capsicum_fdpassing

Note that the above code might have ugly spots. It's mostly just a brain
dump.

Essentially, the child process creates the socket and passes the
socket's file descriptor back to the parent. The socket file descriptor
has the capability sets already applied to it before it goes back to
the parent. The socket creation and file descriptor passing seem to
work well.

However, what isn't working is calling connect(2) on the socket file
descriptor in the parent. errno gets set to ECAPMODE. This is puzzling
to me since CAP_CONNECT is set on the descriptor.

Any help would be appreciated.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
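The design described in the message above (the child creates the socket, restricts it, and passes the descriptor to the parent), as an added example that is neither the linked PoC nor Tor's code: the SCM_RIGHTS passing is plain POSIX and runs anywhere, while the cap_rights_limit(2) step compiles only on FreeBSD/HardenedBSD and is guarded with #ifdef __FreeBSD__; send_fd, recv_fd and obtain_limited_socket are names chosen here.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_rights_limit(2): FreeBSD/HardenedBSD only */
#endif
/* Control-message buffer with room for exactly one descriptor. */
union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

static void init_msg(struct msghdr *msg, struct iovec *iov, union fdcmsg *u)
{
    memset(msg, 0, sizeof(*msg));
    memset(u, 0, sizeof(*u));
    msg->msg_iov = iov; msg->msg_iovlen = 1;
    msg->msg_control = u->buf; msg->msg_controllen = sizeof(u->buf);
}

/* Pass one descriptor over a Unix-domain socket (SCM_RIGHTS). 0 or -1. */
int send_fd(int chan, int fd)
{
    char byte = 'S';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u; struct msghdr msg;
    init_msg(&msg, &iov, &u);
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor, validating the control message first. fd or -1. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u; struct msghdr msg; int fd;
    init_msg(&msg, &iov, &u);
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* The thread's design: the child creates the TCP socket, limits it to what a
 * connecting client needs (Capsicum only), and hands it to the parent. */
int obtain_limited_socket(void)
{
    int sv[2], fd; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {                                   /* child */
        int s = socket(AF_INET, SOCK_STREAM, 0);
#ifdef __FreeBSD__
        cap_rights_t rights;
        cap_rights_init(&rights, CAP_CONNECT, CAP_READ, CAP_WRITE, CAP_EVENT);
        if (s != -1 && cap_rights_limit(s, &rights) == -1) { close(s); s = -1; }
#endif
        _exit(s != -1 && send_fd(sv[1], s) == 0 ? 0 : 1);
    }
    close(sv[1]);                                     /* parent */
    fd = recv_fd(sv[0]);
    close(sv[0]); waitpid(pid, NULL, 0);
    return fd;                 /* received descriptor in the parent, or -1 */
}
```

On a FreeBSD kernel without the fix discussed later in this thread, a connect(2) on the returned descriptor from a process that has entered capability mode is exactly the call that fails with ECAPMODE.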
From owner-freebsd-security@freebsd.org Tue Sep 26 22:06:31 2017
Date: Tue, 26 Sep 2017 18:06:15 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Ben Laurie <benlaurie@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Capsicum and connect(2)
Message-ID: <20170926220615.qd5e5pzmgmkrdg3x@mutt-hbsd>
References: <20170926193753.eolxa6lk5qvejtgc@mutt-hbsd>

Perhaps. But if the file descriptor is given the CAP_CONNECT capability,
I should be able to call connect(2) on it, right? The manpage for
connect(2) does not state that connect(2) is fully disallowed, even if
CAP_CONNECT is a granted capability.

On Tue, Sep 26, 2017 at 10:02:53PM +0000, Ben Laurie wrote:
> ECAPMODE means the syscall is forbidden, surely?
> 
> On 26 September 2017 at 20:37, Shawn Webb wrote:
> > [...]
> > However, what isn't working is calling connect(2) on the socket file
> > descriptor in the parent. errno gets set to ECAPMODE. This is puzzling
> > to me since CAP_CONNECT is set on the descriptor.
> > [...]

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

From owner-freebsd-security@freebsd.org Tue Sep 26 22:02:55 2017
In-Reply-To: <20170926193753.eolxa6lk5qvejtgc@mutt-hbsd>
References: <20170926193753.eolxa6lk5qvejtgc@mutt-hbsd>
From: Ben Laurie <benlaurie@gmail.com>
Date: Tue, 26 Sep 2017 23:02:53 +0100
Subject: Re: Capsicum and connect(2)
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: freebsd-security@freebsd.org

ECAPMODE means the syscall is forbidden, surely?

On 26 September 2017 at 20:37, Shawn Webb wrote:
> [...]
> However, what isn't working is calling connect(2) on the socket file
> descriptor in the parent. errno gets set to ECAPMODE. This is puzzling
> to me since CAP_CONNECT is set on the descriptor.
> [...]

From owner-freebsd-security@freebsd.org Tue Sep 26 22:42:12 2017
Date: Tue, 26 Sep 2017 18:42:01 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: freebsd-security@freebsd.org
Subject: Re: Capsicum and connect(2)
Message-ID: <20170926224201.tp6pndwkvcuishcr@mutt-hbsd>
In-Reply-To: <20170926193753.eolxa6lk5qvejtgc@mutt-hbsd>

On Tue, Sep 26, 2017 at 07:37:53PM +0000, Shawn Webb wrote:
> [...]
> However, what isn't working is calling connect(2) on the socket file
> descriptor in the parent. errno gets set to ECAPMODE. This is puzzling
> to me since CAP_CONNECT is set on the descriptor.
> [...]
It turns out that connect(2) isn't annotated with SYF_CAPENABLED, even
though the CAP_CONNECT capability exists. I've fixed it in HardenedBSD:

https://github.com/HardenedBSD/hardenedBSD/commit/1b1b6b8f1ec1fbbefc5de82f0b15bb470beda370

I've also filed a bug report:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222632

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

[Attachment: capsicum_connect_r01.patch (text/x-diff)]

diff --git a/sys/kern/init_sysent.c b/sys/kern/init_sysent.c
index 125587d5057..3e216996c94 100644
--- a/sys/kern/init_sysent.c
+++ b/sys/kern/init_sysent.c
@@ -149,7 +149,7 @@ struct sysent sysent[] = {
 { AS(fsync_args), (sy_call_t *)sys_fsync, AUE_FSYNC, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 95 = fsync */
 { AS(setpriority_args), (sy_call_t *)sys_setpriority, AUE_SETPRIORITY, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 96 = setpriority */
 { AS(socket_args), (sy_call_t *)sys_socket, AUE_SOCKET, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 97 = socket */
- { AS(connect_args), (sy_call_t *)sys_connect, AUE_CONNECT, NULL, 0, 0, 0, SY_THR_STATIC }, /* 98 = connect */
+ { AS(connect_args), (sy_call_t *)sys_connect, AUE_CONNECT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 98 = connect */
 { compat(AS(accept_args),accept), AUE_ACCEPT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 99 = old accept */
 { AS(getpriority_args), (sy_call_t *)sys_getpriority, AUE_GETPRIORITY, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 100 = getpriority */
 { compat(AS(osend_args),send), AUE_SEND, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 101 = old send */
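Review bot: the `-`/`+` pair for entry 98 changes only the flags column from 0 to SYF_CAPENABLED, which lifts the blanket ECAPMODE for connect(2) in capability mode; what the hunk cannot show, and what has to be confirmed in the sys_connect implementation before this is merged, is that the socket's per-descriptor CAP_CONNECT right is actually checked there and that an AF_UNIX connect with a pathname is still refused in capability mode (a sockaddr_un path is a global-namespace lookup, which is the reason connectat(2) with a directory descriptor exists), otherwise this one-line flag change reopens the filesystem namespace to sandboxed processes. Separately, init_sysent.c is a generated file: the annotation belongs in the input the generator reads (sys/kern/capabilities.conf in this era, processed by makesyscalls.sh) with init_sysent.c regenerated from it, or the next regeneration silently reverts entry 98 to the `-` line.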