From owner-cvs-src-old@FreeBSD.ORG Sun Jul 3 16:54:47 2011
Return-Path:
Delivered-To: cvs-src-old@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D84CA1065676 for ; Sun, 3 Jul 2011 16:54:47 +0000 (UTC) (envelope-from trociny@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id ACB698FC0A for ; Sun, 3 Jul 2011 16:54:47 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id p63Gslsd053185 for ; Sun, 3 Jul 2011 16:54:47 GMT (envelope-from trociny@repoman.freebsd.org)
Received: (from svn2cvs@localhost) by repoman.freebsd.org (8.14.4/8.14.4/Submit) id p63Gsl1S053184 for cvs-src-old@freebsd.org; Sun, 3 Jul 2011 16:54:47 GMT (envelope-from trociny@repoman.freebsd.org)
Message-Id: <201107031654.p63Gsl1S053184@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: svn2cvs set sender to trociny@repoman.freebsd.org using -f
From: Mikolaj Golub
Date: Sun, 3 Jul 2011 16:54:27 +0000 (UTC)
To: cvs-src-old@freebsd.org
X-FreeBSD-CVS-Branch: RELENG_8
Subject: cvs commit: src/sbin/hastctl hastctl.c src/sbin/hastd primary.c secondary.c subr.c subr.h
X-BeenThere: cvs-src-old@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the src tree
X-List-Received-Date: Sun, 03 Jul 2011 16:54:47 -0000

trociny     2011-07-03 16:54:27 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_8)
    sbin/hastctl         hastctl.c
    sbin/hastd           primary.c secondary.c subr.c subr.h
  Log:
  SVN rev 223743 on 2011-07-03 16:54:27Z by trociny

  MFC r219847, r221898, r221899, r222224, r223584, r223585:

  r219847 (pjd):
  When dropping privileges prefer capsicum over chroot+setgid+setuid.
  We can use capsicum for secondary worker processes and hastctl.
  When working as primary we drop privileges using chroot+setgid+setuid
  still as we need to send ioctl(2)s to ggate device, which capsicum
  doesn't allow (yet).

  r221898 (pjd):
  When using capsicum to sandbox, still use other methods first, just in
  case one of them has some problems.

  r221899 (pjd):
  Currently we are unable to use capsicum for the primary worker process,
  because we need to do ioctl(2)s, which are not permitted in the
  capability mode. What we do now is to chroot(2) to /var/empty, which
  restricts access to file system name space and we drop privileges to
  hast user and hast group. This still allows access to other name
  spaces, like list of processes, network and sysvipc.

  To address that, use jail(2) instead of chroot(2). Using jail(2) will
  restrict access to process table, network (we use ip-less jails) and
  sysvipc (if security.jail.sysvipc_allowed is turned off). This
  provides much better separation.

  r222224 (pjd):
  To handle BIO_FLUSH and BIO_DELETE requests in secondary worker we
  need to use ioctl(2). This is why we can't use capsicum for now to
  sandbox secondary. Capsicum is still used to sandbox hastctl.

  r223584 (pjd):
  Log a warning if we cannot sandbox using capsicum, but only under
  debug level 1. It would be too noisy to log it as a proper warning as
  CAPABILITIES are not compiled into GENERIC by default.

  r223585 (pjd):
  Compile capsicum support only if HAVE_CAPSICUM is defined.

  Approved by:	pjd (mentor)

  Revision  Changes    Path
  1.1.2.9   +1 -2      src/sbin/hastctl/hastctl.c
  1.3.2.16  +1 -1      src/sbin/hastd/primary.c
  1.1.2.12  +1 -1      src/sbin/hastd/secondary.c
  1.1.2.5   +59 -6     src/sbin/hastd/subr.c
  1.1.2.5   +1 -1      src/sbin/hastd/subr.h
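The privilege-drop ladder the log describes (restrict the namespace first with jail(2) or chroot(2), then setgid/setuid, then, only for a role that issues no ioctl(2)s, cap_enter(2), with a cap_enter failure reported only at debug level 1) as an added example. This is not hastd's own code from sbin/hastd/subr.c; the names hast_role, drop_privileges(), privs_verify(), debugf() and debug_level are assumed here, the jail(2) and capsicum branches compile only on FreeBSD (guarded by __FreeBSD__ and the commit's HAVE_CAPSICUM macro; the <sys/capsicum.h> header name is the current one, older releases shipped <sys/capability.h>), and the post-drop self-check that setuid(0) now fails is an addition of this example, not something the log states hastd does.

```c
/*
 * Added example, not hastd's code.  Assumed names: hast_role,
 * drop_privileges(), privs_verify(), debugf(), debug_level.
 */
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/jail.h>
#endif
#ifdef HAVE_CAPSICUM
#include <sys/capsicum.h>   /* assumption: modern header; FreeBSD 8/9 used <sys/capability.h> */
#endif

enum hast_role { HAST_PRIMARY, HAST_SECONDARY, HASTCTL };

static int debug_level = 0;   /* assumed knob standing in for hastd's debug level */

static void debugf(int level, const char *msg)
{
    if (debug_level >= level)
        fprintf(stderr, "[debug%d] %s\n", level, msg);
}

/* Per the log: primary and secondary need ioctl(2), so only hastctl may enter capability mode. */
bool role_may_enter_capmode(enum hast_role role)
{
    return role == HASTCTL;
}

/*
 * Self-check after the drop: real and effective ids must equal the target,
 * and for a non-root target root must not be regainable (setuid(0) must fail).
 */
int privs_verify(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;              /* privileges were not really dropped */
    return 0;
}

/*
 * 1. Restrict the file-system (and on FreeBSD, process/network/sysvipc)
 *    namespace: ip-less jail(2) on FreeBSD, chroot(2) elsewhere.
 * 2. Drop supplementary groups, then gid, then uid, in that order.
 * 3. Verify the drop took effect.
 * 4. For roles that need no ioctl(2), also enter capability mode; a
 *    failure there is logged only at debug level 1, as in r223584.
 */
int drop_privileges(enum hast_role role, const char *dir, uid_t uid, gid_t gid)
{
#ifdef __FreeBSD__
    struct jail jailst;
    memset(&jailst, 0, sizeof(jailst));
    jailst.version = JAIL_API_VERSION;
    jailst.path = (char *)dir;
    jailst.hostname = "hast";
    jailst.jailname = NULL;     /* ip4s/ip6s stay 0: an ip-less jail */
    if (jail(&jailst) < 0)
        return -1;
#else
    if (chroot(dir) < 0)
        return -1;
#endif
    if (chdir("/") < 0)         /* chroot without chdir leaves the old cwd reachable */
        return -1;
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (privs_verify(uid, gid) < 0)
        return -1;

    if (role_may_enter_capmode(role)) {
#ifdef HAVE_CAPSICUM
        if (cap_enter() < 0)
            debugf(1, "cap_enter(2) failed; is CAPABILITIES compiled into the kernel?");
#else
        debugf(1, "capsicum support not compiled in (HAVE_CAPSICUM undefined)");
#endif
    }
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("hast");   /* the hast user named in the log */
    if (pw == NULL) {
        fprintf(stderr, "no hast user on this system\n");
        return 1;
    }
    debug_level = 1;
    if (drop_privileges(HASTCTL, "/var/empty", pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    puts("sandboxed as hast in /var/empty");
    return 0;
}
```

The order matters in two places: the namespace restriction has to happen while still root, because both chroot(2) and jail(2) require it, and cap_enter() goes last so that if capability mode is unavailable (the kernel lacks CAPABILITIES, as GENERIC did then) the process still runs with the weaker chroot/jail+setuid sandbox rather than none at all.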