From owner-svn-src-head@freebsd.org Fri Dec 9 14:51:07 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A87CC6D34C; Fri, 9 Dec 2016 14:51:07 +0000 (UTC) (envelope-from robak@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E12BD183F; Fri, 9 Dec 2016 14:51:06 +0000 (UTC) (envelope-from robak@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB9Ep673011273; Fri, 9 Dec 2016 14:51:06 GMT (envelope-from robak@FreeBSD.org) Received: (from robak@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB9Ep6xv011272; Fri, 9 Dec 2016 14:51:06 GMT (envelope-from robak@FreeBSD.org) Message-Id: <201612091451.uB9Ep6xv011272@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: robak set sender to robak@FreeBSD.org using -f From: Bartek Rutkowski Date: Fri, 9 Dec 2016 14:51:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r309735 - head/bin/dd X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2016 14:51:07 -0000 Author: robak (ports committer) Date: Fri Dec 9 14:51:05 2016 New Revision: 309735 URL: https://svnweb.freebsd.org/changeset/base/309735 Log: Capsicum support for dd(1) Adds Capsicum sandboxing to dd utility. Submitted by: Pawel Biernacki Reviewed by: allanjude, emaste, oshogbo Approved by: oshogbo Sponsored by: Mysterious Code Ltd. Differential Revision: https://reviews.freebsd.org/D8543 Modified: head/bin/dd/dd.c Modified: head/bin/dd/dd.c ============================================================================== --- head/bin/dd/dd.c Fri Dec 9 14:06:22 2016 (r309734) +++ head/bin/dd/dd.c Fri Dec 9 14:51:05 2016 (r309735) @@ -47,11 +47,14 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include +#include #include +#include #include #include #include @@ -92,6 +95,10 @@ main(int argc __unused, char *argv[]) jcl(argv); setup(); + caph_cache_catpages(); + if (cap_enter() == -1 && errno != ENOSYS) + err(1, "unable to enter capability mode"); + (void)signal(SIGINFO, siginfo_handler); (void)signal(SIGINT, terminate); @@ -125,6 +132,8 @@ static void setup(void) { u_int cnt; + cap_rights_t rights; + unsigned long cmds[] = { FIODTYPE, MTIOCTOP }; if (in.name == NULL) { in.name = "stdin"; @@ -133,13 +142,20 @@ setup(void) in.fd = open(in.name, O_RDONLY, 0); if (in.fd == -1) err(1, "%s", in.name); + if (caph_limit_stdin() == -1) + err(1, "unable to limit capability rights"); } getfdtype(&in); + cap_rights_init(&rights, CAP_READ, CAP_SEEK); + if (cap_rights_limit(in.fd, &rights) == -1 && errno != ENOSYS) + err(1, "unable to limit capability rights"); + if (files_cnt > 1 && !(in.flags & ISTAPE)) errx(1, "files is not supported for non-tape devices"); + cap_rights_set(&rights, CAP_FTRUNCATE, CAP_IOCTL, CAP_WRITE); if (out.name == NULL) { /* No way to check for read access here. */ out.fd = STDOUT_FILENO; @@ -156,13 +172,27 @@ setup(void) if (out.fd == -1) { out.fd = open(out.name, O_WRONLY | OFLAGS, DEFFILEMODE); out.flags |= NOREAD; + cap_rights_clear(&rights, CAP_READ); } if (out.fd == -1) err(1, "%s", out.name); + if (caph_limit_stdout() == -1) + err(1, "unable to limit capability rights"); } getfdtype(&out); + if (cap_rights_limit(out.fd, &rights) == -1 && errno != ENOSYS) + err(1, "unable to limit capability rights"); + if (cap_ioctls_limit(out.fd, cmds, nitems(cmds)) == -1 && + errno != ENOSYS) + err(1, "unable to limit capability rights"); + + if (in.fd != STDERR_FILENO && out.fd != STDERR_FILENO) { + if (caph_limit_stderr() == -1) + err(1, "unable to limit capability rights"); + } + /* * Allocate space for the input and output buffers. If not doing * record oriented I/O, only need a single buffer.