From owner-p4-projects@FreeBSD.ORG Sun Jun 7 20:11:41 2009
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id B756810656C0; Sun, 7 Jun 2009 20:11:40 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F81B1065697 for ; Sun, 7 Jun 2009 20:11:40 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 3BCD08FC13 for ; Sun, 7 Jun 2009 20:11:40 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n57KBeNJ079223 for ; Sun, 7 Jun 2009 20:11:40 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n57KBe55079221 for perforce@freebsd.org; Sun, 7 Jun 2009 20:11:40 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Sun, 7 Jun 2009 20:11:40 GMT
Message-Id: <200906072011.n57KBe55079221@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 163732 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 07 Jun 2009 20:11:41 -0000

http://perforce.freebsd.org/chv.cgi?CH=163732

Change 163732 by rwatson@rwatson_freebsd_capabilities on 2009/06/07 20:11:31

Pass libc.so.7 into programs launched by capexec when running with rtld-elf-cap.so.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/tools/cap/cap_exec/cap_exec.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/tools/cap/cap_exec/cap_exec.c#2 (text+ko) ====

@@ -5,6 +5,7 @@ #include #include +#include #include #include @@ -16,17 +17,24 @@ LD_ELF_CAP_SO, NULL, }; + +#define LIBC_SO "libc.so.7" +#define LIBPATH "/lib/" #endif #define BASE_CAPS (CAP_IOCTL | CAP_EVENT | CAP_SEEK | CAP_FSTAT) #define STDIN_CAPS (BASE_CAPS | CAP_READ) #define STDOUT_CAPS (BASE_CAPS | CAP_WRITE) #define STDERR_CAPS (BASE_CAPS | CAP_WRITE) +#define BIN_CAPS (CAP_SEEK | CAP_FSTAT | CAP_FSTATFS | CAP_READ | \ + CAP_FEXECVE | CAP_MMAP | CAP_MAPEXEC) int main(int argc, char *argv[]) { - int fd_exec, fd_stdin, fd_stdout, fd_stderr, fd_procdesc; + int fd_exec, fd_libc, fd_new; + int fd_stdin, fd_stdout, fd_stderr, fd_procdesc; + char *env_caplibindex; struct pollfd pollfd; #ifdef LDSO_MODE int fd_ldso; 
@@ -53,8 +61,24 @@ fd_ldso = open(LD_ELF_CAP_SO, O_RDONLY); if (fd_ldso < 0) err(-1, "open: %s", LD_ELF_CAP_SO); + fd_new = cap_new(fd_ldso, BIN_CAPS); + if (fd_new < 0) + err(-1, "cap_new"); + if (dup2(fd_new, fd_ldso) < 0) + err(-1, "dup2"); + close(fd_new); if (fcntl(fd_ldso, F_SETFD, FD_CLOEXEC) < 0) err(-1, "fcntl FD_CLOEXEC"); + + fd_libc = open(LIBPATH LIBC_SO, O_RDONLY); + if (fd_libc < 0) + err(-1, "open: %s", LIBPATH LIBC_SO); + fd_new = cap_new(fd_libc, BIN_CAPS); + if (fd_new < 0) + err(-1, "cap_new"); + if (dup2(fd_new, fd_libc) < 0) + err(-1, "dup2"); + close(fd_new); #else if (fcntl(fd_exec, F_SETFD, FD_CLOEXEC) < 0) err(-1, "fcntl FD_CLOEXEC"); @@ -95,9 +119,16 @@ close(fd_stderr); /* - * Similarly constrain file descriptors for execution. + * Set up environmental variable so that the runtime linker + * can access libc in a sandbox. */ - +#ifdef LDSO_MODE + if (asprintf(&env_caplibindex, "%d:%s", fd_libc, LIBC_SO) == + -1) + err(-1, "asprintf"); + printf("caplibindex: %s\n", env_caplibindex); + setenv("LD_CAPLIBINDEX", env_caplibindex, 1); +#endif /* * Perhaps a closeall() or something to clear any remaining
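Review bot: in the @@ -16,17 +17,24 @@ hunk, fd_libc, fd_new and env_caplibindex are declared unconditionally while fd_ldso sits under #ifdef LDSO_MODE, yet the later hunks only use the three new names inside LDSO_MODE blocks, so a build without LDSO_MODE will get unused-variable warnings; move them next to `int fd_ldso;` inside the #ifdef. Also, BIN_CAPS is applied to both the runtime linker and libc, but the libc descriptor is handed to the runtime linker through LD_CAPLIBINDEX for loading rather than executed, so CAP_FEXECVE looks wider than libc needs; a separate, narrower mask for libraries would keep the least-privilege story clean. The hardcoded "libc.so.7" / "/lib/" pair should carry a comment that it has to track the installed libc version.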
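Review bot: in the @@ -53,8 +61,24 @@ hunk, fd_ldso is marked FD_CLOEXEC but fd_libc is not; that is required, since the child has to inherit fd_libc at the exact number later written into LD_CAPLIBINDEX, but nothing in the code says so. Add a comment after the libc block stating that fd_libc is deliberately left inheritable and that its number must not be reused by any later dup2/close of the standard descriptors. The open/cap_new/dup2/close sequence is now repeated verbatim for fd_ldso and fd_libc; a small helper such as `fd = cap_restrict(fd, BIN_CAPS)` that does cap_new, dup2 and close would keep the two paths in step and avoid diverging error handling.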
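Review bot: in the @@ -95,9 +119,16 @@ hunk, `printf("caplibindex: %s\n", env_caplibindex);` reads like a debugging leftover that will land on the launcher's stdout on every run; drop it or put it behind a verbose flag on stderr. The return value of setenv is unchecked, and a failure there would silently start the runtime linker without any libc mapping, so treat it like the asprintf call and err() on -1. Minor: "environmental variable" should read "environment variable", and the removed comment "Similarly constrain file descriptors for execution" described work that this hunk no longer mentions; if the cap_new calls in the earlier hunk now cover it, say so, otherwise keep it as a TODO.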