From owner-p4-projects@FreeBSD.ORG Wed Jun 10 11:00:51 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 7821C10656F0; Wed, 10 Jun 2009 11:00:51 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1788610656D3 for ; Wed, 10 Jun 2009 11:00:51 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 015208FC18 for ; Wed, 10 Jun 2009 11:00:51 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n5AB0odn040528 for ; Wed, 10 Jun 2009 11:00:50 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n5AB0oQp040526 for perforce@freebsd.org; Wed, 10 Jun 2009 11:00:50 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Wed, 10 Jun 2009 11:00:50 GMT Message-Id: <200906101100.n5AB0oQp040526@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 163967 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jun 2009 11:00:54 -0000 http://perforce.freebsd.org/chv.cgi?CH=163967 Change 163967 by rwatson@rwatson_freebsd_capabilities on 2009/06/10 11:00:14 Start also implementing an agent API, simplify host API a bit. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/Makefile#3 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.3#3 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.c#2 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#5 edit .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_agent.c#1 add .. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_agent_api.h#1 add Differences ... ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/Makefile#3 (text+ko) ==== @@ -3,7 +3,8 @@ LIB= capability SRCS= \ - libcapability.c + libcapability.c \ + libcapability_agent.c INCS= libcapability.h ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.3#3 (text+ko) ==== 
@@ -47,19 +47,27 @@ .Ft int .Fn lc_limitfd "int fd" "cap_rights_t rights" .Ft int -.Fn lch_agent_start "const char *agent" "struct lc_agent **lcap" +.Fn lch_start "const char *agent" "struct lc_agent **lcap" .Ft void -.Fn lch_agent_stop "struct lc_agent *lcap" +.Fn lch_stop "struct lc_agent *lcap" +.Ft int +.Fn lch_getsock "struct lc_agent *lcap" "int *fdp" +.Ft int +.Fn lch_getpid "struct lc_agent *lcap" "pid_t *pidp" .Ft int -.Fn lch_agent_getsock "struct lc_agent *lcap" "int *fdp" +.Fn lch_getprocdesc "struct lc_agent *lcap" "int *fdp" +.Ft ssize_t +.Fn lch_recv "struct lc_agent *lcap, void *buf" "size_t len" "int flags" +.Ft ssize_t +.Fn lch_send "struct lc_agent *lcap" "const void *msg" "size_t len" "int flags" .Ft int -.Fn lch_agent_getpid "struct lc_agent *lcap" "pid_t *pidp" +.Fn lca_get "struct lc_host **lchpp" .Ft int -.Fn lch_agent_getprocdesc "struct lc_agent *lcap" "int *fdp" +.Fn lca_getsock "struct lc_host *lchp" "int *fdp" .Ft ssize_t -.Fn lch_agent_recv "struct lc_agent *lcap, void *buf" "size_t len" "int flags" +.Fn lca_recv "struct lc_host *lchp" "void *buf" "size_t len" "int flags" .Ft ssize_t -.Fn lch_agent_send "struct lc_agent *lcap" "const void *msg" "size_t len" "int flags" +.Fn lca_send "struct lc_host *lchp" "const void *msg" "size_t len" "int flags" .Sh DESCRIPTION The .Nm 
@@ -76,26 +84,26 @@ Each executing agent instance is described by an opaque .Dt "struct lc_agent" , which is returned by -.Fn lch_agent_start +.Fn lch_start for successfully started agents, and passed into other APIs to indicate which agent should be acted on. -.Fn lch_agent_start +.Fn lch_start creates a new executing agent, given the name of the agent binary via .Va agent . Executing agents may be stopped (and state freed) using -.Fn lch_agent_stop . +.Fn lch_stop . .Pp Properties of the agent, such as the socket used to communicate with it, the proces descriptor for the agent process, and the pid, may be queried using -.Fn lch_agent_getsock , -.Fn lch_agent_getprocdesc , +.Fn lch_getsock , +.Fn lch_getprocdesc , and -.Fn lch_agent_getpid . +.Fn lch_getpid . .Pp -.Fn lch_agent_recv +.Fn lch_recv and -.Fn lch_agent_send +.Fn lch_send provide simple wrappers around .Xr recv 2 and @@ -108,6 +116,24 @@ agent API allows agent processes to interact with their host process. Agent API functions can be identified by their function name prefix, .Dv lca_ . +.Pp +Each executing agent will have a single corresponding host instance, +described by an opaque +.Dt "struct lc_host" , +which is returned by +.Fn lca_get . +.Pp +The socket for the host may be queried using +.Fn lca_getsock . +.Pp +.Fn lca_recv +and +.Fn lca_send +provide simple wrappers around +.Xr recv 2 +and +.Xr send 2 +to avoid agents having to query host socket file descriptors before use. .Sh SEE ALSO .Xr cap_enter 2 .Xr cap_new 2 ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.c#2 (text+ko) ==== @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.c#1 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.c#2 $ */ #include 
@@ -47,6 +47,7 @@ #include #include "libcapability.h" +#include "libcapability_agent_api.h" #define LIBCAPABILITY_CAPMASK_DEVNULL (CAP_EVENT | CAP_READ | CAP_WRITE) #define LIBCAPABILITY_CAPMASK_SOCK (CAP_EVENT | CAP_READ | CAP_WRITE) @@ -143,7 +144,7 @@ static void lch_agent(int fd_sock, int fd_agent, int fd_ldso, int fd_libc, int fd_libz) { - char *env_caplibindex; + char *env_caplibindex, *env_libcapability_agent_api; int fd_array[8], fd_devnull; fd_devnull = open(_PATH_DEVNULL, O_RDWR); @@ -172,10 +173,27 @@ if (lch_installfds(7, fd_array) < 0) return; + /* + * Pass library list into rtld-elf-cap. + */ if (asprintf(&env_caplibindex, "%d:%s,%d:%s", fd_libc, LIBC_SO, fd_libz, LIBZ_SO) == -1) return; - setenv("LD_CAPLIBINDEX", env_caplibindex, 1); + if (setenv("LD_CAPLIBINDEX", env_caplibindex, 1) == -1) + return; + free(env_caplibindex); + + /* + * Make sure that libcapability in the sandbox knows that its API + * assumptions hold. + */ + if (asprintf(&env_libcapability_agent_api, "%s:%d", + LIBCAPABILITY_AGENT_API_SOCK, fd_sock) == -1) + return; + if (setenv(LIBCAPABILITY_AGENT_API_ENV, env_libcapability_agent_api, + 1) == -1) + return; + free(env_libcapability_agent_api); if (cap_enter() < 0) return; @@ -184,7 +202,7 @@ } int -lch_agent_start(const char *agent, struct lc_agent **lcapp) +lch_start(const char *agent, struct lc_agent **lcapp) { struct lc_agent *lcap; int fd_agent, fd_ldso, fd_libc, fd_libz, fd_procdesc, fd_sockpair[2]; @@ -270,7 +288,7 @@ } void -lch_agent_stop(struct lc_agent *lcap) +lch_stop(struct lc_agent *lcap) { close(lcap->lca_fd_sock); @@ -281,7 +299,7 @@ } int -lch_agent_getsock(struct lc_agent *lcap, int *fdp) +lch_getsock(struct lc_agent *lcap, int *fdp) { *fdp = lcap->lca_fd_sock; @@ -289,7 +307,7 @@ } int -lch_agent_getpid(struct lc_agent *lcap, pid_t *pidp) +lch_getpid(struct lc_agent *lcap, pid_t *pidp) { *pidp = lcap->lca_pid; 
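Review bot: In the `@@ -172,10 +173,27 @@` hunk of lch_agent, both `setenv` failure paths return without releasing the string `asprintf` has just allocated, so `env_caplibindex` and `env_libcapability_agent_api` leak on error while the success path frees them; the same two-line change fixes each, e.g. `if (setenv("LD_CAPLIBINDEX", env_caplibindex, 1) == -1) { free(env_caplibindex); return; }`. The caller of lch_agent and whatever follows `cap_enter()` are outside this hunk, so if the child simply exits on return the leak is harmless in practice, but the error paths should still mirror the success path. Separately, both variables are added to the inherited environment rather than to a purpose-built `envp`, so if the agent is later started with an exec that passes `environ` (not visible here) everything in the host's environment is carried into the sandbox alongside them; a comment stating that this is intended, or an explicit minimal environment for the agent, would make the trust boundary clearer. lch_agent's body begins and ends outside this hunk.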
@@ -297,7 +315,7 @@ } int -lch_agent_getprocdesc(struct lc_agent *lcap, int *fdp) +lch_getprocdesc(struct lc_agent *lcap, int *fdp) { *fdp = lcap->lca_fd_procdesc; @@ -309,7 +327,7 @@ * on the worker should take place here. */ ssize_t -lch_agent_send(struct lc_agent *lcap, const void *msg, size_t len, int flags) +lch_send(struct lc_agent *lcap, const void *msg, size_t len, int flags) { if (lcap->lca_fd_sock == -1 || @@ -321,7 +339,7 @@ } ssize_t -lch_agent_recv(struct lc_agent *lcap, void *buf, size_t len, int flags) +lch_recv(struct lc_agent *lcap, void *buf, size_t len, int flags) { if (lcap->lca_fd_sock == -1 || ==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#5 (text+ko) ==== @@ -30,13 +30,14 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#4 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#5 $ */ #ifndef _LIBCAPABILITY_H_ #define _LIBCAPABILITY_H_ struct lc_agent; +struct lc_host; /* * Capability interfaces. 
@@ -46,22 +47,30 @@ /* * Interfaces to start and stop capability mode agents. */ -int lch_agent_start(const char *agent, struct lc_agent **lcap); -void lch_agent_stop(struct lc_agent *lcap); +int lch_start(const char *agent, struct lc_agent **lcapp); +void lch_stop(struct lc_agent *lcap); /* * Interfaces to query state about capability mode agents. */ -int lch_agent_getsock(struct lc_agent *lcap, int *fdp); -int lch_agent_getpid(struct lc_agent *lcap, pid_t *pidp); -int lch_agent_getprocdesc(struct lc_agent *lcap, int *fdp); +int lch_getsock(struct lc_agent *lcap, int *fdp); +int lch_getpid(struct lc_agent *lcap, pid_t *pidp); +int lch_getprocdesc(struct lc_agent *lcap, int *fdp); /* * I/O interfaces for capability mode agents. */ -ssize_t lch_agent_recv(struct lc_agent *lcap, void *buf, size_t len, +ssize_t lch_recv(struct lc_agent *lcap, void *buf, size_t len, int flags); +ssize_t lch_send(struct lc_agent *lcap, const void *msg, size_t len, int flags); -ssize_t lch_agent_send(struct lc_agent *lcap, const void *msg, size_t len, + +/* + * Capability mode agent APIs. + */ +int lca_get(struct lc_host **lchpp); +int lca_getsock(struct lc_host *lchp, int *fdp); +ssize_t lca_recv(struct lc_host *lchp, void *buf, size_t len, int flags); +ssize_t lca_send(struct lc_host *lchp, const void *msg, size_t len, int flags); #endif /* !_LIBCAPABILITY_H_ */
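Review bot: The new agent API block declares `lca_get(struct lc_host **lchpp)` with no release counterpart paralleling `lch_start`/`lch_stop`, and the comment `Capability mode agent APIs.` says nothing about who owns the returned `struct lc_host`; the header should state whether the handle is library-owned and must not be freed by the caller, or whether a release routine is still to come, e.g. `/* lca_get() returns the agent's single host handle; ownership remains with the library. */` if that is the intent. The host-side rename also leaves the manual page slightly out of step with this header: its `.Fn lch_start` line still names the second argument `lcap` where the prototype now says `lcapp`, and the `.Fn lch_recv` line keeps `"struct lc_agent *lcap, void *buf"` as one quoted argument, unlike the correctly split `.Fn lca_recv` line added in the same change.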