Date: Wed, 4 Sep 2013 18:59:39 GMT From: dpl@FreeBSD.org To: svn-soc-all@FreeBSD.org Subject: socsvn commit: r256906 - soc2013/dpl/head/lib/libzcap Message-ID: <201309041859.r84Ixdxp095335@socsvn.freebsd.org>
Author: dpl Date: Wed Sep 4 18:59:39 2013 New Revision: 256906 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=256906 Log: mini-update. Modified: soc2013/dpl/head/lib/libzcap/capsicum.c soc2013/dpl/head/lib/libzcap/capsicum.h Modified: soc2013/dpl/head/lib/libzcap/capsicum.c ============================================================================== --- soc2013/dpl/head/lib/libzcap/capsicum.c Wed Sep 4 18:28:03 2013 (r256905) +++ soc2013/dpl/head/lib/libzcap/capsicum.c Wed Sep 4 18:59:39 2013 (r256906) 
@@ -13,76 +13,20 @@ #include <stdio.h> #include <err.h> -external struct sandbox; -external struct slisthead sandboxes; +extern struct sandbox; +extern struct slisthead sandboxes; -int startChild(void); +struct sandbox * startSandbox(void *data); +int stopSandbox(struct sandbox *sandbox); +void startNullSandbox(void); +struct sandbox * findSandbox(void *ptr); +struct sandbox *startChild(void *data); void killChild(void); void suicide(int signal); -nvlist_t * sendCommand(nvlist_t *nvl); +nvlist_t * sendCommand(nvlist_t *nvl, int socket); bool slist_initiated = 0; -nvlist_t * -sendCommand(nvlist_t *nvl, int socket) -{ - nvlist_t *new; - if( nvlist_send(socket, nvl) != 0 ) - err(1, "zcaplib: nvlist_send() Went wrong"); - if ((new = nvlist_recv(socket)) == NULL) - err(1, "nvlist_recv(): nvlist_t is NULL"); - return (new); -} - -void killChild(void) { - kill(pid, SIGKILL); -} -void suicide(int signal) { - kill(getpid(), SIGKILL); -} - -void -startChild(void *data) -{ - int procd, sv[2]; - struct sandbox *newsandbox; - - if ((newsandbox = malloc(sizeof (struct sandbox)) == NULL) - err(1, "Couldn't allocate memory for sandboxes"); - - sv[0] = sv[1] = 0; - if (socketpair(PF_LOCAL, SOCK_STREAM, 0, sv) < 0 ) - perror("zcaplib: socketpair()"); - - procd = pdfork(); - if (pid == 0 ){ - if (cap_rights_limit(STDIN_FILENO, CAP_READ) < 0) - err(1, "Couldn't limit rights"); - if (cap_rights_limit(STDOUT_FILENO, CAP_WRITE|CAP_FSTAT) < 0) - err(1, "Couldn't limit rights"); - if (cap_rights_limit(STDERR_FILENO, CAP_WRITE) < 0) - err(1, "Couldn't limit rights"); - dup2(sv[0], 3); - if (cap_rights_limit(3, CAP_WRITE|CAP_READ|CAP_POLL_EVENT) < 0) - err(1, "Couldn't limit rights"); - closefrom(4); - - /* execl() zlibworker */ - if ( execl("/usr/libexec/zlibworker", "zlibworker", NULL) < 0) { - err(1, "Couldn't find zlibworker."); - } - exit(0); - } else if (pid == -1) { - err(1, "Couldn't fork"); - } else { - close(sv[1]); - signal(SIGCHLD, suicide); - atexit(killChild); - 
sandbox->dataptr = data; - sandbox->pd = procd; - sandbox->socket = sv[0]; - } -} /* * This function should be called only by: @@ -104,22 +48,6 @@ return (newsandbox); } -void -startNullSandbox(void) -{ - if (!slist_initiated) { - SLIST_INIT(&sandboxes); - - /* Here we add a sandbox used for non-structure related stuff */ - /* This will be the first sandbox always */ - if (SLIST_EMPTY(&sandboxes)) { - newsandbox = startChild(newsandbox, NULL); - SLIST_INSERT_HEAD(&sandboxes, newsandbox, entries); - } - } - slist_initiated = 1; -} - /* * Kills the sandbox, and deletes the associated * struct sandbox. Should be called by: gzclose, @@ -140,19 +68,33 @@ free(sandbox); } +/* Starts the default sandbox. */ +void +startNullSandbox(void) +{ + if (!slist_initiated) { + sandboxes = SLIST_HEAD_INITIALIZER(head); + SLIST_INIT(&sandboxes); + /* Here we add a sandbox used for non-structure related stuff */ + /* This will be the first sandbox always */ + if (SLIST_EMPTY(&sandboxes)) { + newsandbox = startChild(newsandbox, NULL); + SLIST_INSERT_HEAD(&sandboxes, newsandbox, entries); + } + } + slist_initiated = 1; +} + /* * Finds the struct sandbox for * a pointer to the data structure * the sandbox is related to. - * Returns NULL if not found. */ struct sandbox * -findsandbox(void *ptr) +findSandbox(void *ptr) { struct sandbox *sandbox; - sandbox = NULL; - if (ptr == NULL) return (SLIST_FIRST(&sandboxes)); 
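Review bot: `extern struct sandbox;` in the new declaration block puts a storage class on a tag-only declaration, so it declares no object and compilers typically warn that the specifier is useless; a plain forward declaration `struct sandbox;` says what is meant. The prototypes listed here are repeated in capsicum.h later in this commit, so the two lists can drift apart the next time a signature changes, as `sendCommand` and `startChild` just did. If capsicum.c includes that header (not visible in this hunk), the copy in the .c file can be dropped.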
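Review bot: The re-added startNullSandbox() uses `newsandbox` without declaring it and calls `startChild(newsandbox, NULL)` with two arguments, while the prototype in this commit is `startChild(void *data)`; something like `struct sandbox *newsandbox = startChild(NULL);` matches the new signature. The added `sandboxes = SLIST_HEAD_INITIALIZER(head);` assigns a brace initializer, which is only valid in a definition, and the `SLIST_INIT(&sandboxes);` on the next line already resets the head, so that line can go. In findSandbox() the commit drops the "Returns NULL if not found." sentence, yet the function still ends in `return (NULL);` in the following hunk, so callers need that sentence back to know they must check the result. findSandbox()'s body continues outside this hunk.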
@@ -162,4 +104,65 @@ /* Not found */ return (NULL); -} \ No newline at end of file +} + +struct sandbox * +startChild(void *data) +{ + int procd, sv[2]; + struct sandbox *newsandbox; + + if ((newsandbox = malloc(sizeof (struct sandbox)) == NULL) + err(1, "Couldn't allocate memory for sandboxes"); + + sv[0] = sv[1] = 0; + if (socketpair(PF_LOCAL, SOCK_STREAM, 0, sv) < 0 ) + perror("zcaplib: socketpair()"); + + procd = pdfork(); + if (pid == 0 ){ + if (cap_rights_limit(STDIN_FILENO, CAP_READ) < 0) + err(1, "Couldn't limit rights"); + if (cap_rights_limit(STDOUT_FILENO, CAP_WRITE|CAP_FSTAT) < 0) + err(1, "Couldn't limit rights"); + if (cap_rights_limit(STDERR_FILENO, CAP_WRITE) < 0) + err(1, "Couldn't limit rights"); + dup2(sv[0], 3); + if (cap_rights_limit(3, CAP_WRITE|CAP_READ|CAP_POLL_EVENT) < 0) + err(1, "Couldn't limit rights"); + closefrom(4); + + /* execl() zlibworker */ + if ( execl("/usr/libexec/zlibworker", "zlibworker", NULL) < 0) { + err(1, "Couldn't find zlibworker."); + } + exit(0); + } else if (pid == -1) { + err(1, "Couldn't fork"); + } else { + close(sv[1]); + signal(SIGCHLD, suicide); + atexit(killChild); + sandbox->dataptr = data; + sandbox->pd = procd; + sandbox->socket = sv[0]; + } +} + +void killChild(void) { + kill(pid, SIGKILL); +} +void suicide(int signal) { + kill(getpid(), SIGKILL); +} + +nvlist_t * +sendCommand(nvlist_t *nvl, int socket) +{ + nvlist_t *new; + if( nvlist_send(socket, nvl) != 0 ) + err(1, "zcaplib: nvlist_send() Went wrong"); + if ((new = nvlist_recv(socket)) == NULL) + err(1, "nvlist_recv(): nvlist_t is NULL"); + return (new); +} Modified: soc2013/dpl/head/lib/libzcap/capsicum.h ============================================================================== --- soc2013/dpl/head/lib/libzcap/capsicum.h Wed Sep 4 18:28:03 2013 (r256905) +++ soc2013/dpl/head/lib/libzcap/capsicum.h Wed Sep 4 18:59:39 2013 (r256906) 
@@ -18,16 +18,18 @@ #define MAXLEN (5*1024) -extern int pid; -extern int sv[2]; -extern struct sandbox * sandboxes; - -extern int startChild(void); -extern void killChild(void); -extern nvlist_t * sendCommand(nvlist_t *nvl); +struct sandbox * startSandbox(void *data); +int stopSandbox(struct sandbox *sandbox); +void startNullSandbox(void); +struct sandbox * findSandbox(void *ptr); +struct sandbox *startChild(void *data); +void killChild(void); +void suicide(int signal); +nvlist_t * sendCommand(nvlist_t *nvl, int socket); /* head of singly-linked list. */ -SLIST_HEAD(slisthead, sandbox) sandboxes = SLIST_HEAD_INITIALIZER(head); +struct slisthead sandboxes; +SLIST_HEAD(slisthead, sandbox) sandboxes; /* * This structure holds a relation of structs of data structs, @@ -38,4 +40,4 @@ int pd; /* Process descriptor */ int socket; /* Socket we have to pass the data through */ SLIST_ENTRY(entry) entries; /* Singly-linked list. */ -} +};
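Review bot: The header now defines `sandboxes` twice, first as `struct slisthead sandboxes;` before `struct slisthead` has been declared, then again through `SLIST_HEAD(slisthead, sandbox) sandboxes;`, so every file that includes capsicum.h gets its own definition of the list head. Declaring only the type and an extern here, `SLIST_HEAD(slisthead, sandbox);` followed by `extern struct slisthead sandboxes;`, and keeping the single definition in capsicum.c would give all callers the same sandbox list. The context line `SLIST_ENTRY(entry) entries;` in the next hunk names `entry` while the head is declared over `sandbox`; `SLIST_ENTRY(sandbox) entries;` would make the link pointer the same type the list macros hand back.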