From owner-svn-src-head@freebsd.org  Fri Dec  9 14:51:07 2016
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A87CC6D34C;
 Fri,  9 Dec 2016 14:51:07 +0000 (UTC)
 (envelope-from robak@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id E12BD183F;
 Fri,  9 Dec 2016 14:51:06 +0000 (UTC)
 (envelope-from robak@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB9Ep673011273;
 Fri, 9 Dec 2016 14:51:06 GMT (envelope-from robak@FreeBSD.org)
Received: (from robak@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB9Ep6xv011272;
 Fri, 9 Dec 2016 14:51:06 GMT (envelope-from robak@FreeBSD.org)
Message-Id: <201612091451.uB9Ep6xv011272@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: robak set sender to
 robak@FreeBSD.org using -f
From: Bartek Rutkowski <robak@FreeBSD.org>
Date: Fri, 9 Dec 2016 14:51:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r309735 - head/bin/dd
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2016 14:51:07 -0000

Author: robak (ports committer)
Date: Fri Dec  9 14:51:05 2016
New Revision: 309735
URL: https://svnweb.freebsd.org/changeset/base/309735

Log:
  Capsicum support for dd(1)
  
  Adds Capsicum sandboxing to dd utility.
  
  Submitted by:	Pawel Biernacki <pawel.biernacki@gmail.com>
  Reviewed by:	allanjude, emaste, oshogbo
  Approved by:	oshogbo
  Sponsored by:	Mysterious Code Ltd.
  Differential Revision:	https://reviews.freebsd.org/D8543

Modified:
  head/bin/dd/dd.c

Modified: head/bin/dd/dd.c
==============================================================================
--- head/bin/dd/dd.c	Fri Dec  9 14:06:22 2016	(r309734)
+++ head/bin/dd/dd.c	Fri Dec  9 14:51:05 2016	(r309735)
@@ -47,11 +47,14 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/stat.h>
+#include <sys/capsicum.h>
 #include <sys/conf.h>
 #include <sys/disklabel.h>
 #include <sys/filio.h>
+#include <sys/mtio.h>
 
 #include <assert.h>
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -92,6 +95,10 @@ main(int argc __unused, char *argv[])
 	jcl(argv);
 	setup();
 
+	caph_cache_catpages();
+	if (cap_enter() == -1 && errno != ENOSYS)
+		err(1, "unable to enter capability mode");
+
 	(void)signal(SIGINFO, siginfo_handler);
 	(void)signal(SIGINT, terminate);
 
@@ -125,6 +132,8 @@ static void
 setup(void)
 {
 	u_int cnt;
+	cap_rights_t rights;
+	unsigned long cmds[] = { FIODTYPE, MTIOCTOP };
 
 	if (in.name == NULL) {
 		in.name = "stdin";
@@ -133,13 +142,20 @@ setup(void)
 		in.fd = open(in.name, O_RDONLY, 0);
 		if (in.fd == -1)
 			err(1, "%s", in.name);
+		if (caph_limit_stdin() == -1)
+			err(1, "unable to limit capability rights");
 	}
 
 	getfdtype(&in);
 
+	cap_rights_init(&rights, CAP_READ, CAP_SEEK);
+	if (cap_rights_limit(in.fd, &rights) == -1 && errno != ENOSYS)
+		err(1, "unable to limit capability rights");
+
 	if (files_cnt > 1 && !(in.flags & ISTAPE))
 		errx(1, "files is not supported for non-tape devices");
 
+	cap_rights_set(&rights, CAP_FTRUNCATE, CAP_IOCTL, CAP_WRITE);
 	if (out.name == NULL) {
 		/* No way to check for read access here. */
 		out.fd = STDOUT_FILENO;
@@ -156,13 +172,27 @@ setup(void)
 		if (out.fd == -1) {
 			out.fd = open(out.name, O_WRONLY | OFLAGS, DEFFILEMODE);
 			out.flags |= NOREAD;
+			cap_rights_clear(&rights, CAP_READ);
 		}
 		if (out.fd == -1)
 			err(1, "%s", out.name);
+		if (caph_limit_stdout() == -1)
+			err(1, "unable to limit capability rights");
 	}
 
 	getfdtype(&out);
 
+	if (cap_rights_limit(out.fd, &rights) == -1 && errno != ENOSYS)
+		err(1, "unable to limit capability rights");
+	if (cap_ioctls_limit(out.fd, cmds, nitems(cmds)) == -1 &&
+	    errno != ENOSYS)
+		err(1, "unable to limit capability rights");
+
+	if (in.fd != STDERR_FILENO && out.fd != STDERR_FILENO) {
+		if (caph_limit_stderr() == -1)
+			err(1, "unable to limit capability rights");
+	}
+
 	/*
 	 * Allocate space for the input and output buffers.  If not doing
 	 * record oriented I/O, only need a single buffer.