Date: Wed, 12 Apr 2023 14:59:21 -0400
From: Ed Maste <emaste@freebsd.org>
To: Steffen Nurpmeso <steffen@sdaoden.eu>
Cc: freebsd-hackers@freebsd.org
Subject: Re: capsicum(4): .. and SIGTRAP causing syscall really is in siginfo_t.si_errno?
Message-ID: <CAPyFy2Do80xZmNFdtG=xbRuscKaQQM7rQ5ir5TVZENX3UfyKtg@mail.gmail.com>
In-Reply-To: <20230412144921.8plun%steffen@sdaoden.eu>
References: <20230412144921.8plun%steffen@sdaoden.eu>
On Wed, 12 Apr 2023 at 10:49, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
>
> Hello.
>
> I am trying to capsicumize a simple daemon (for learning purposes
> as that runs only in the second line behind postfix), and i have
> a hard time as that thing is not designed for that (for said
> reasons). And want to say OpenBSD pledge/unveil was very easy,

Excellent, always happy to see folks exploring Capsicum. Keep in mind
that Capsicum and pledge/unveil are not equivalent, so comparing the
ease of applying one or the other isn't particularly meaningful.
Achieving similar security properties with pledge/unveil as with
Capsicum requires similar effort in decomposing and refactoring
existing applications.

> Anyhow. Regardless of 13.1-i386 or 12.2-amd64 (despite
> no_new_privs) i only see
>
> capsicum(4) violation (syscall 93, 4, 5, 0); please report this bug

I'm not sure what you mean in the subject with respect to the syscall
in siginfo_t.si_errno. It looks like this is ENOTCAPABLE, which means
an attempt to perform an operation on an fd that you are not allowed
to do - for example, calling write() on an fd which has had
cap_rights_limit() applied without CAP_WRITE.

errno 94 is ECAPMODE. This could be for example trying to use open()
in capability mode, which is just not permitted (openat() is).

> This takes the usual shortcut of only sandboxing the last input file.
> It's a first cut and this program will be easy to adapt to sandbox all
> files in the future
>
> from a December 2016 commit message, and i like the word "easy".

cap_fileargs() didn't exist in December 2016 and there was not yet a
straightforward, performant and desirable way to apply Capsicum to
existing applications that operate on a list of files provided on the
commandline. For a more recent change that makes use of cap_fileargs
a good example commit is:

commit 802c2095b5a6dcf0f63c473cbba1e40445e9052a
Author: Mark Johnston <markj@FreeBSD.org>
Date:   Thu Aug 1 18:57:08 2019 +0000

    Capsicumize readelf(1).

    Reviewed by:    oshogbo
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D21108
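The two errors Ed distinguishes above, reproduced as an added example that is not part of the thread: a write() on an fd whose rights were cut to CAP_READ with cap_rights_limit() fails with ENOTCAPABLE (errno 93), while a plain open() after cap_enter() fails with ECAPMODE (errno 94) even though openat() on a directory opened beforehand succeeds. Each probe runs in a forked child because cap_enter() cannot be undone; the file paths under /dev and the `probe_in_child` helper are this example's own choices, and on non-FreeBSD systems the probes just report ENOSYS.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* Capsicum is FreeBSD-only; elsewhere probes return ENOSYS */
#endif

/* cap_enter() is irreversible, so run each probe in a forked child and
 * return the errno it hit (0 = success, -1 = fork/wait failure). */
static int probe_in_child(int (*fn)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn() & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Case 1: fd limited to CAP_READ, then write() -> ENOTCAPABLE (errno 93). */
static int write_to_read_only_capability(void) {
#ifdef __FreeBSD__
    cap_rights_t rights;
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0 || cap_rights_limit(fd, cap_rights_init(&rights, CAP_READ)) < 0)
        return errno;
    return write(fd, "x", 1) < 0 ? errno : 0;
#else
    return ENOSYS;
#endif
}

/* Case 2: plain open() after cap_enter() -> ECAPMODE (errno 94); the
 * permitted form is openat() relative to a directory opened beforehand. */
static int open_in_capability_mode(void) {
#ifdef __FreeBSD__
    int dirfd = open("/dev", O_RDONLY | O_DIRECTORY);
    if (dirfd < 0 || cap_enter() < 0) return errno;
    if (openat(dirfd, "null", O_RDONLY) < 0) return errno;  /* allowed in capmode */
    return open("/dev/null", O_RDONLY) < 0 ? errno : 0;      /* rejected: ECAPMODE */
#else
    return ENOSYS;
#endif
}

int main(void) {
    printf("write() on CAP_READ fd: errno %d\n", probe_in_child(write_to_read_only_capability));
    printf("open() in capmode:      errno %d\n", probe_in_child(open_in_capability_mode));
    return 0;
}
```

With kern.trap_enotcap enabled, the same two failures are what arrive as the SIGTRAP with the errno in si_errno that the subject line asks about.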