From owner-p4-projects@FreeBSD.ORG Tue Jun 16 09:01:28 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 796541065674; Tue, 16 Jun 2009 09:01:28 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 394A01065672 for ; Tue, 16 Jun 2009 09:01:28 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 249CD8FC08 for ; Tue, 16 Jun 2009 09:01:28 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n5G91SQf024357 for ; Tue, 16 Jun 2009 09:01:28 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n5G91RDL024355 for perforce@freebsd.org; Tue, 16 Jun 2009 09:01:27 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Tue, 16 Jun 2009 09:01:27 GMT Message-Id: <200906160901.n5G91RDL024355@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 164486 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jun 2009 09:01:29 -0000 http://perforce.freebsd.org/chv.cgi?CH=164486 Change 164486 by rwatson@rwatson_freebsd_capabilities on 2009/06/16 09:01:21 Add a new libcapability host API function, lch_autosandbox_isenabled(), which allows self-compartmentalizing libraries and tools to query policy of an unspecified source for whether they should run in sandboxes or not. Implement one source of policy, the environmental variable LIBCAPABILITY_NOAUTOSANDBOX. Pass libbz2.so into sandboxes for experimentation purposes -- we'll teach rtld to do something more sensible in the future. Pass in libcapability rather than libcapabilitym -- still thinking about the best way to differentiate the link-time environments inside sandboxes from those outside, and one good reason to provide the extra-sandbox symbols in a sandbox is that then we can run the same binary in both environments avoiding the need for extra binaries. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.3#5 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 (text+ko) ==== @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#17 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 $ */ #ifndef _LIBCAPABILITY_H_ 
@@ -45,6 +45,12 @@ int lc_limitfd(int fd, cap_rights_t rights); /* + * Global policy interface to ask whether we should, in fact, sandbox a + * particular optionally sandboxed service, by name. + */ +int lch_autosandbox_isenabled(const char *servicename); + +/* * Interfaces to start and stop capability mode sandboxs. */ int lch_start(const char *sandbox, char *const argv[], ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.3#5 (text+ko) ==== @@ -55,6 +55,8 @@ .Ft void .Fn lch_stop "struct lc_sandbox *lcsp" .Ft int +.Fn lch_autosandbox_isenabled "const char *servicename" +.Ft int .Fn lch_getsock "struct lc_sandbox *lcsp" "int *fdp" .Ft int .Fn lch_getpid "struct lc_sandbox *lcsp" "pid_t *pidp" @@ -139,6 +141,13 @@ .Va lchp argument will no longer be valid. .Pp +Libraries and tools performing self-compartmentalization can use the +interface +.Nm lch_autosandbox_isenabled +along with a unique string identifying their service to determine whether or +not a global policy affecting the service requires sandboxing to be enabled +or not. +.Pp Properties of the sandbox, such as the socket used to communicate with it, the proces descriptor for the sandbox process, and the pid, may be queried using ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 (text+ko) ==== @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#14 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 $ */ #include 
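Review bot: The comment above the new `lch_autosandbox_isenabled` prototype says when to call it but not what the return value means, and the implementation added in libcapability_host.c by this change ignores `servicename` entirely (it is declared `__unused`), so the "by name" wording promises a per-service distinction the library does not yet make. Suggest extending the comment with `* Returns non-zero if the service should run sandboxed, 0 if policy disables it.` and `* XXX: servicename is currently unused; the policy decision is global.` so callers do not build on a distinction that does not exist yet.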
@@ -61,14 +61,16 @@ #define LIBCAPABILITY_CAPMASK_SANDBOX LIBCAPABILITY_CAPMASK_BIN #define LIBCAPABILITY_CAPMASK_LDSO LIBCAPABILITY_CAPMASK_BIN #define LIBCAPABILITY_CAPMASK_LIBC LIBCAPABILITY_CAPMASK_BIN -#define LIBCAPABILITY_CAPMASK_LIBCAPABILITYM LIBCAPABILITY_CAPMASK_BIN +#define LIBCAPABILITY_CAPMASK_LIBCAPABILITY LIBCAPABILITY_CAPMASK_BIN #define LIBCAPABILITY_CAPMASK_LIBZ LIBCAPABILITY_CAPMASK_BIN +#define LIBCAPABILITY_CAPMASK_LIBBZ2 LIBCAPABILITY_CAPMASK_BIN #define _PATH_LIB "/lib" #define _PATH_USR_LIB "/usr/lib" #define LIBC_SO "libc.so.7" #define LIBZ_SO "libz.so.4" -#define LIBCAPABILITYM_SO "libcapabilitym.so.1" +#define LIBBZ2_SO "libbz2.so.3" +#define LIBCAPABILITY_SO "libcapability.so.1" extern char **environ; @@ -81,6 +83,15 @@ int closefrom(int lowfd); +int +lch_autosandbox_isenabled(__unused const char *servicename) +{ + + if (getenv("LIBCAPABILITY_NOAUTOSANDBOX") != NULL) + return (0); + return (1); +} + /* * Install an array of file descriptors using the array index of each * descriptor in the array as its destination file descriptor number. All @@ -141,11 +152,11 @@ static void lch_sandbox(int fd_sock, int fd_sandbox, int fd_ldso, int fd_libc, - int fd_libz, int fd_libcapabilitym, int fd_devnull, u_int flags, - const char *binname, char *const argv[]) + int fd_libz, int fd_libbz2, int fd_libcapability, int fd_devnull, + u_int flags, const char *binname, char *const argv[]) { char *env_caplibindex, *env_libcapability_sandbox_api; - int fd_array[10]; + int fd_array[11]; if (lc_limitfd(fd_devnull, LIBCAPABILITY_CAPMASK_DEVNULL) < 0) return; @@ -159,8 +170,10 @@ return; if (lc_limitfd(fd_libz, LIBCAPABILITY_CAPMASK_LIBZ) < 0) return; - if (lc_limitfd(fd_libcapabilitym, - LIBCAPABILITY_CAPMASK_LIBCAPABILITYM) < 0) + if (lc_limitfd(fd_libbz2, LIBCAPABILITY_CAPMASK_LIBBZ2) < 0) + return; + if (lc_limitfd(fd_libcapability, + LIBCAPABILITY_CAPMASK_LIBCAPABILITY) < 0) return; fd_array[0] = fd_devnull; 
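Review bot: `lch_autosandbox_isenabled` lets the caller's environment switch sandboxing off unconditionally, so a set-user-ID or set-group-ID program that self-compartmentalizes through this library would honour a `LIBCAPABILITY_NOAUTOSANDBOX` inherited from an unprivileged invoker. The environment should not be consulted in that case, in the same spirit as rtld's handling of its own `LD_*` variables: add `if (issetugid() != 0) return (1);` ahead of the `getenv()` call so privileged processes always take the sandboxed path. Since `servicename` is marked `__unused`, a one-line comment in the body, `/* XXX: servicename is ignored; only the global environment policy exists so far. */`, would keep the header's per-service wording from misleading readers of this file.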
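Review bot: The descriptor-table size is now carried as the bare literal `11` in `int fd_array[11];` here and again as `lch_installfds(11, fd_array)` and the `10, _PATH_DEVNULL` slot of the `asprintf` format in the `@@ -176,18 +189,20 @@` hunk, and the slot numbers `8`, `9`, `10` are repeated between the `fd_array[...]` assignments and the `LD_CAPLIBINDEX` string, so adding libbz2 meant editing every one of them in step. Passing the count as `lch_installfds(sizeof(fd_array) / sizeof(fd_array[0]), fd_array)` removes one copy, and an enum naming the slot indices (one constant per library, used for both the array assignments and the format arguments) would remove the rest and make a mismatch a compile-time rather than a run-time surprise. The body of `lch_sandbox` starts in this hunk and continues past it.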
@@ -176,18 +189,20 @@ fd_array[5] = fd_ldso; fd_array[6] = fd_libc; fd_array[7] = fd_libz; - fd_array[8] = fd_libcapabilitym; - fd_array[9] = fd_devnull; + fd_array[8] = fd_libbz2; + fd_array[9] = fd_libcapability; + fd_array[10] = fd_devnull; - if (lch_installfds(10, fd_array) < 0) + if (lch_installfds(11, fd_array) < 0) return; /* * Pass library list into rtld-elf-cap. */ - if (asprintf(&env_caplibindex, "%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s", + if (asprintf(&env_caplibindex, + "%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s", 3, binname, 5, LD_ELF_CAP_SO, 6, LIBC_SO, 7, LIBZ_SO, 8, - LIBCAPABILITYM_SO, 9, _PATH_DEVNULL) == -1) + LIBBZ2_SO, 9, LIBCAPABILITY_SO, 10, _PATH_DEVNULL) == -1) return; if (setenv("LD_CAPLIBINDEX", env_caplibindex, 1) == -1) return; @@ -216,13 +231,14 @@ u_int flags, struct lc_sandbox **lcspp) { struct lc_sandbox *lcsp; - int fd_devnull, fd_ldso, fd_libc, fd_libcapabilitym, fd_libz; - int fd_procdesc, fd_sockpair[2]; + int fd_devnull, fd_ldso, fd_libc, fd_libcapability, fd_libz; + int fd_libbz2, fd_procdesc, fd_sockpair[2]; int error, val; pid_t pid; - fd_devnull = fd_ldso = fd_libc = fd_libz = fd_libcapabilitym = - fd_procdesc = fd_sockpair[0] = fd_sockpair[1] = -1; + fd_devnull = fd_ldso = fd_libc = fd_libz = fd_libbz2 = + fd_libcapability = fd_procdesc = fd_sockpair[0] = + fd_sockpair[1] = -1; lcsp = malloc(sizeof(*lcsp)); if (lcsp == NULL) @@ -236,7 +252,9 @@ goto out_error; if (ld_caplibindex_lookup(LIBZ_SO, &fd_libz) < 0) goto out_error; - if (ld_caplibindex_lookup(LIBCAPABILITYM_SO, &fd_libcapabilitym) < 0) + if (ld_caplibindex_lookup(LIBBZ2_SO, &fd_libbz2) < 0) + goto out_error; + if (ld_caplibindex_lookup(LIBCAPABILITY_SO, &fd_libcapability) < 0) goto out_error; if (ld_caplibindex_lookup(_PATH_DEVNULL, &fd_devnull) < 0) goto out_error; 
@@ -253,9 +271,13 @@ if (fd_libz < 0) goto out_error; - fd_libcapabilitym = open(_PATH_USR_LIB "/" LIBCAPABILITYM_SO, + fd_libbz2 = open(_PATH_USR_LIB "/" LIBBZ2_SO, O_RDONLY); + if (fd_libbz2 < 0) + goto out_error; + + fd_libcapability = open(_PATH_USR_LIB "/" LIBCAPABILITY_SO, O_RDONLY); - if (fd_libcapabilitym < 0) + if (fd_libcapability < 0) goto out_error; fd_devnull = open(_PATH_DEVNULL, O_RDWR); @@ -280,14 +302,15 @@ } if (pid == 0) { lch_sandbox(fd_sockpair[1], fd_sandbox, fd_ldso, fd_libc, - fd_libz, fd_libcapabilitym, fd_devnull, flags, binname, - argv); + fd_libz, fd_libbz2, fd_libcapability, fd_devnull, flags, + binname, argv); exit(-1); } #ifndef IN_CAP_MODE close(fd_devnull); - close(fd_libcapabilitym); + close(fd_libcapability); close(fd_libz); + close(fd_libbz2); close(fd_libc); close(fd_ldso); #endif @@ -309,10 +332,12 @@ #ifndef IN_CAP_MODE if (fd_devnull != -1) close(fd_devnull); - if (fd_libcapabilitym != -1) - close(fd_libcapabilitym); + if (fd_libcapability != -1) + close(fd_libcapability); if (fd_libz != -1) close(fd_libz); + if (fd_libbz2 != -1) + close(fd_libbz2); if (fd_libc != -1) close(fd_libc); if (fd_ldso != -1)