Date: Wed, 12 Apr 2023 16:49:21 +0200 From: Steffen Nurpmeso <steffen@sdaoden.eu> To: freebsd-hackers@freebsd.org Subject: capsicum(4): .. and SIGTRAP causing syscall really is in siginfo_t.si_errno? Message-ID: <20230412144921.8plun%steffen@sdaoden.eu>
next in thread | raw e-mail | index | archive | help
Hello.
I am trying to capsicumize a simple daemon (for learning purposes
as that runs only in the second line behind postfix), and i have
a hard time as that thing is not designed for that (for said
reasons). And want to say OpenBSD pledge/unveil was very easy,
Linux seccomp required design split with dedicated syslog logger
process as C libraries are a block box etc etc. (That is needed
for FreeBSD, too, and it keeps the casper out. One would really
think "just pack it in a ip netns + unshare + capsh or whatever
container, or a jail, and do not do anything regarding such
restrictions in a daemon, my code blow is about 30 percent by
now.)
Anyhow. Regardless of 13.1-i386 or 12.2-amd64 (despite
no_new_privs) i only see
capsicum(4) violation (syscall 93, 4, 5, 0); please report this bug
for
sip->si_errno, sip->si_code, sip->si_signo, sip->si_status);
Mind you (anything but si_errno a sign of despair), i also saw
capsicum(4) violation (syscall 94, 4, 5, 0); please report this bug
I only ever saw 93 (and the never-existed-it-seems 94), regardless
of whatever syscall was missing still (read(2), the false unlink(2),
fsync(2), .. and what not). If only realpath(3->2!) would be
accessible, i should have placed the configuration file evaluation
in its own process, that would make reloading much easier. But
that is my problem, sigh. Not insult desired, just interested
$ git show origin/main:sbin | grep /\$ | wc -l
84
$ git grep -lE caph?_enter origin/main -- sbin|wc -l
8
$ git show origin/main:usr.sbin | grep /\$ | wc -l
224
$ git grep -lE caph?_enter origin/main -- usr.sbin|wc -l
10
$ git show origin/main:bin | grep /\$ | wc -l
41
$ git grep -lE caph?_enter origin/main -- bin|wc -l
5
$ git show origin/main:usr.bin | grep /\$ | wc -l
275
$ git grep -lE caph?_enter origin/main -- usr.bin|wc -l
42
to see how hard to put it onto existing code. Luckily i test with
that simple thing, so a possibly happening different one can be
designed a bit more conforming from scratch. But hey, i read
This takes the usual shortcut of only sandboxing the last input file.
It's a first cut and this program will be easy to adapt to sandbox all
files in the future
from a December 2016 commit message, and i like the word "easy".
Ciao,
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20230412144921.8plun%steffen>