Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 12 Nov 2018 17:47:51 +0000 (UTC)
From:      Mariusz Zaborski <oshogbo@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r340374 - head/usr.bin/wc
Message-ID:  <201811121747.wACHlpQb060458@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: oshogbo
Date: Mon Nov 12 17:47:51 2018
New Revision: 340374
URL: https://svnweb.freebsd.org/changeset/base/340374

Log:
  wc: sandbox wc using capsicum
  
  Reviewed by:	AllanJude, emaste
  Differential Revision:	https://reviews.freebsd.org/D14409

Modified:
  head/usr.bin/wc/Makefile
  head/usr.bin/wc/wc.c

Modified: head/usr.bin/wc/Makefile
==============================================================================
--- head/usr.bin/wc/Makefile	Mon Nov 12 17:40:47 2018	(r340373)
+++ head/usr.bin/wc/Makefile	Mon Nov 12 17:47:51 2018	(r340374)
@@ -1,7 +1,15 @@
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93
 # $FreeBSD$
 
+.include <src.opts.mk>
+
 PROG=	wc
 LIBADD=	xo
+
+.if ${MK_CASPER} != "no"
+LIBADD+=        casper
+LIBADD+=        cap_fileargs
+CFLAGS+=-DWITH_CASPER
+.endif
 
 .include <bsd.prog.mk>

Modified: head/usr.bin/wc/wc.c
==============================================================================
--- head/usr.bin/wc/wc.c	Mon Nov 12 17:40:47 2018	(r340373)
+++ head/usr.bin/wc/wc.c	Mon Nov 12 17:47:51 2018	(r340374)
@@ -44,9 +44,11 @@ static char sccsid[] = "@(#)wc.c	8.1 (Berkeley) 6/6/93
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include <sys/capsicum.h>
 #include <sys/param.h>
 #include <sys/stat.h>
 
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -61,6 +63,10 @@ __FBSDID("$FreeBSD$");
 #include <wctype.h>
 #include <libxo/xo.h>
 
+#include <libcasper.h>
+#include <casper/cap_fileargs.h>
+
+static fileargs_t *fa;
 static uintmax_t tlinect, twordct, tcharct, tlongline;
 static int doline, doword, dochar, domulti, dolongline;
 static volatile sig_atomic_t siginfo;
@@ -90,6 +96,7 @@ int
 main(int argc, char *argv[])
 {
 	int ch, errors, total;
+	cap_rights_t rights;
 
 	(void) setlocale(LC_CTYPE, "");
 
@@ -125,6 +132,26 @@ main(int argc, char *argv[])
 
 	(void)signal(SIGINFO, siginfo_handler);
 
+	fa = fileargs_init(argc, argv, O_RDONLY, 0,
+	    cap_rights_init(&rights, CAP_READ, CAP_FSTAT));
+	if (fa == NULL) {
+		xo_warn("Unable to init casper");
+		exit(1);
+	}
+
+	caph_cache_catpages();
+	if (caph_limit_stdio() < 0) {
+		xo_warn("Unable to limit stdio");
+		fileargs_free(fa);
+		exit(1);
+	}
+
+	if (caph_enter() < 0) {
+		xo_warn("Unable to enter capability mode");
+		fileargs_free(fa);
+		exit(1);
+	}
+
 	/* Wc's flags are on by default. */
 	if (doline + doword + dochar + domulti + dolongline == 0)
 		doline = doword = dochar = 1;
@@ -158,6 +185,7 @@ main(int argc, char *argv[])
 		xo_close_container("total");
 	}
 
+	fileargs_free(fa);
 	xo_close_container("wc");
 	xo_finish();
 	exit(errors == 0 ? 0 : 1);
@@ -206,7 +234,7 @@ cnt(const char *file)
 	linect = wordct = charct = llct = tmpll = 0;
 	if (file == NULL)
 		fd = STDIN_FILENO;
-	else if ((fd = open(file, O_RDONLY, 0)) < 0) {
+	else if ((fd = fileargs_open(fa, file)) < 0) {
 		xo_warn("%s: open", file);
 		return (1);
 	}



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811121747.wACHlpQb060458>