From owner-svn-src-all@freebsd.org  Fri Dec  6 18:27:51 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8D65D1B2C40;
 Fri,  6 Dec 2019 18:27:51 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 47V1Kg39j8z3Dhy;
 Fri,  6 Dec 2019 18:27:51 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5166E55F2;
 Fri,  6 Dec 2019 18:27:51 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id xB6IRpfw006910;
 Fri, 6 Dec 2019 18:27:51 GMT (envelope-from markj@FreeBSD.org)
Received: (from markj@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id xB6IRoMB006907;
 Fri, 6 Dec 2019 18:27:50 GMT (envelope-from markj@FreeBSD.org)
Message-Id: <201912061827.xB6IRoMB006907@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: markj set sender to
 markj@FreeBSD.org using -f
From: Mark Johnston <markj@FreeBSD.org>
Date: Fri, 6 Dec 2019 18:27:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r355456 - in stable/12/usr.bin/cmp: . tests
X-SVN-Group: stable-12
X-SVN-Commit-Author: markj
X-SVN-Commit-Paths: in stable/12/usr.bin/cmp: . tests
X-SVN-Commit-Revision: 355456
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 18:27:51 -0000

Author: markj
Date: Fri Dec  6 18:27:50 2019
New Revision: 355456
URL: https://svnweb.freebsd.org/changeset/base/355456

Log:
  MFC r344551:
  Fix handling of rights on stdio streams, take two.
  
  PR:	234885

Modified:
  stable/12/usr.bin/cmp/cmp.c
  stable/12/usr.bin/cmp/regular.c
  stable/12/usr.bin/cmp/special.c
  stable/12/usr.bin/cmp/tests/cmp_test2.sh
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/usr.bin/cmp/cmp.c
==============================================================================
--- stable/12/usr.bin/cmp/cmp.c	Fri Dec  6 18:26:34 2019	(r355455)
+++ stable/12/usr.bin/cmp/cmp.c	Fri Dec  6 18:27:50 2019	(r355456)
@@ -45,7 +45,6 @@ static char sccsid[] = "@(#)cmp.c	8.3 (Berkeley) 4/2/9
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
-#include <sys/capsicum.h>
 #include <sys/stat.h>
 
 #include <capsicum_helpers.h>
@@ -80,8 +79,6 @@ main(int argc, char *argv[])
 	off_t skip1, skip2;
 	int ch, fd1, fd2, oflag, special;
 	const char *file1, *file2;
-	cap_rights_t rights;
-	uint32_t fcntls;
 
 	oflag = O_RDONLY;
 	while ((ch = getopt_long(argc, argv, "+hlsxz", long_opts, NULL)) != -1)
@@ -116,14 +113,19 @@ main(int argc, char *argv[])
 	if (argc < 2 || argc > 4)
 		usage();
 
+	/* Don't limit rights on stdin since it may be one of the inputs. */
+	if (caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | CAPH_IGNORE_EBADF))
+		err(ERR_EXIT, "unable to limit rights on stdout");
+	if (caph_limit_stream(STDERR_FILENO, CAPH_WRITE | CAPH_IGNORE_EBADF))
+		err(ERR_EXIT, "unable to limit rights on stderr");
+
 	/* Backward compatibility -- handle "-" meaning stdin. */
 	special = 0;
 	if (strcmp(file1 = argv[0], "-") == 0) {
 		special = 1;
-		fd1 = 0;
+		fd1 = STDIN_FILENO;
 		file1 = "stdin";
-	}
-	else if ((fd1 = open(file1, oflag, 0)) < 0 && errno != EMLINK) {
+	} else if ((fd1 = open(file1, oflag, 0)) < 0 && errno != EMLINK) {
 		if (!sflag)
 			err(ERR_EXIT, "%s", file1);
 		else
@@ -134,10 +136,9 @@ main(int argc, char *argv[])
 			errx(ERR_EXIT,
 				"standard input may only be specified once");
 		special = 1;
-		fd2 = 0;
+		fd2 = STDIN_FILENO;
 		file2 = "stdin";
-	}
-	else if ((fd2 = open(file2, oflag, 0)) < 0 && errno != EMLINK) {
+	} else if ((fd2 = open(file2, oflag, 0)) < 0 && errno != EMLINK) {
 		if (!sflag)
 			err(ERR_EXIT, "%s", file2);
 		else
@@ -162,33 +163,8 @@ main(int argc, char *argv[])
 			exit(ERR_EXIT);
 	}
 
-	cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_MMAP_R);
-	if (caph_rights_limit(fd1, &rights) < 0)
-		err(ERR_EXIT, "unable to limit rights for %s", file1);
-	if (caph_rights_limit(fd2, &rights) < 0)
-		err(ERR_EXIT, "unable to limit rights for %s", file2);
-
-	/* Required for fdopen(3). */
-	fcntls = CAP_FCNTL_GETFL;
-	if (caph_fcntls_limit(fd1, fcntls) < 0)
-		err(ERR_EXIT, "unable to limit fcntls for %s", file1);
-	if (caph_fcntls_limit(fd2, fcntls) < 0)
-		err(ERR_EXIT, "unable to limit fcntls for %s", file2);
-
-	if (!special) {
-		cap_rights_init(&rights);
-		if (caph_rights_limit(STDIN_FILENO, &rights) < 0) {
-			err(ERR_EXIT, "unable to limit stdio");
-		}
-	}
-
-	if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1)
-		err(ERR_EXIT, "unable to limit stdio");
-
+	/* FD rights are limited in c_special() and c_regular(). */
 	caph_cache_catpages();
-
-	if (caph_enter() < 0)
-		err(ERR_EXIT, "unable to enter capability mode");
 
 	if (!special) {
 		if (fstat(fd1, &sb1)) {

Modified: stable/12/usr.bin/cmp/regular.c
==============================================================================
--- stable/12/usr.bin/cmp/regular.c	Fri Dec  6 18:26:34 2019	(r355455)
+++ stable/12/usr.bin/cmp/regular.c	Fri Dec  6 18:27:50 2019	(r355456)
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mman.h>
 #include <sys/stat.h>
 
+#include <capsicum_helpers.h>
 #include <err.h>
 #include <limits.h>
 #include <signal.h>
@@ -61,12 +62,13 @@ void
 c_regular(int fd1, const char *file1, off_t skip1, off_t len1,
     int fd2, const char *file2, off_t skip2, off_t len2)
 {
+	struct sigaction act, oact;
+	cap_rights_t rights;
 	u_char ch, *p1, *p2, *m1, *m2, *e1, *e2;
 	off_t byte, length, line;
-	int dfound;
 	off_t pagemask, off1, off2;
 	size_t pagesize;
-	struct sigaction act, oact;
+	int dfound;
 
 	if (skip1 > len1)
 		eofmsg(file1);
@@ -78,12 +80,6 @@ c_regular(int fd1, const char *file1, off_t skip1, off
 	if (sflag && len1 != len2)
 		exit(DIFF_EXIT);
 
-	sigemptyset(&act.sa_mask);
-	act.sa_flags = SA_NODEFER;
-	act.sa_handler = segv_handler;
-	if (sigaction(SIGSEGV, &act, &oact))
-		err(ERR_EXIT, "sigaction()");
-
 	pagesize = getpagesize();
 	pagemask = (off_t)pagesize - 1;
 	off1 = ROUNDPAGE(skip1);
@@ -101,6 +97,19 @@ c_regular(int fd1, const char *file1, off_t skip1, off
 		c_special(fd1, file1, skip1, fd2, file2, skip2);
 		return;
 	}
+
+	if (caph_rights_limit(fd1, cap_rights_init(&rights, CAP_MMAP_R)) < 0)
+		err(1, "unable to limit rights for %s", file1);
+	if (caph_rights_limit(fd2, cap_rights_init(&rights, CAP_MMAP_R)) < 0)
+		err(1, "unable to limit rights for %s", file2);
+	if (caph_enter() < 0)
+		err(ERR_EXIT, "unable to enter capability mode");
+
+	sigemptyset(&act.sa_mask);
+	act.sa_flags = SA_NODEFER;
+	act.sa_handler = segv_handler;
+	if (sigaction(SIGSEGV, &act, &oact))
+		err(ERR_EXIT, "sigaction()");
 
 	dfound = 0;
 	e1 = m1 + MMAP_CHUNK;

Modified: stable/12/usr.bin/cmp/special.c
==============================================================================
--- stable/12/usr.bin/cmp/special.c	Fri Dec  6 18:26:34 2019	(r355455)
+++ stable/12/usr.bin/cmp/special.c	Fri Dec  6 18:27:50 2019	(r355456)
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 
+#include <capsicum_helpers.h>
 #include <err.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -54,6 +55,13 @@ c_special(int fd1, const char *file1, off_t skip1,
 	off_t byte, line;
 	FILE *fp1, *fp2;
 	int dfound;
+
+	if (caph_limit_stream(fd1, CAPH_READ) < 0)
+		err(ERR_EXIT, "caph_limit_stream(%s)", file1);
+	if (caph_limit_stream(fd2, CAPH_READ) < 0)
+		err(ERR_EXIT, "caph_limit_stream(%s)", file2);
+	if (caph_enter() < 0)
+		err(ERR_EXIT, "unable to enter capability mode");
 
 	if ((fp1 = fdopen(fd1, "r")) == NULL)
 		err(ERR_EXIT, "%s", file1);

Modified: stable/12/usr.bin/cmp/tests/cmp_test2.sh
==============================================================================
--- stable/12/usr.bin/cmp/tests/cmp_test2.sh	Fri Dec  6 18:26:34 2019	(r355455)
+++ stable/12/usr.bin/cmp/tests/cmp_test2.sh	Fri Dec  6 18:27:50 2019	(r355456)
@@ -36,6 +36,8 @@ special_body() {
 	atf_check -s exit:0 -o empty -e empty -x "cat a | cmp - a"
 	atf_check -s exit:1 -o not-empty -e empty -x "cat b | cmp a -"
 	atf_check -s exit:1 -o not-empty -e empty -x "cat b | cmp - a"
+
+	atf_check -s exit:0 -o empty -e empty -x "cmp a a <&-"
 }
 
 atf_test_case symlink