From owner-p4-projects@FreeBSD.ORG Mon Jul 9 23:47:01 2012 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9248A1065675; Mon, 9 Jul 2012 23:47:00 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 46F0B1065672 for ; Mon, 9 Jul 2012 23:47:00 +0000 (UTC) (envelope-from brooks@freebsd.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [IPv6:2001:4f8:fff6::2d]) by mx1.freebsd.org (Postfix) with ESMTP id 16CA48FC1A for ; Mon, 9 Jul 2012 23:46:59 +0000 (UTC) Received: from skunkworks.freebsd.org (localhost [127.0.0.1]) by skunkworks.freebsd.org (8.14.4/8.14.4) with ESMTP id q69NkxeR068629 for ; Mon, 9 Jul 2012 23:46:59 GMT (envelope-from brooks@freebsd.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.4/8.14.4/Submit) id q69NkxE8068626 for perforce@freebsd.org; Mon, 9 Jul 2012 23:46:59 GMT (envelope-from brooks@freebsd.org) Date: Mon, 9 Jul 2012 23:46:59 GMT Message-Id: <201207092346.q69NkxE8068626@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to brooks@freebsd.org using -f 
From: Brooks Davis To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 214152 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jul 2012 23:47:01 -0000 http://p4web.freebsd.org/@@214152?ac=10 Change 214152 by brooks@brooks_ecr_current on 2012/07/09 23:46:57 Implement a basic Capsicum sandbox which protects the main process from a file that exploites the BADMAGIC back door in libvuln_magic and displays a toxic hazard icon. Affected files ... .. //depot/projects/ctsrd/beribsd/src/ctsrd/browser/browser.c#8 edit Differences ... ==== //depot/projects/ctsrd/beribsd/src/ctsrd/browser/browser.c#8 (text+ko) ==== @@ -31,6 +31,7 @@ #include #include +#include #include #include @@ -44,12 +45,14 @@ #include #include #include +#define _WITH_DPRINTF #include #include #include #include #include #include +#include #define BASEIMG "/usr/share/images/browser.png" #define ICONS "/usr/share/images/icons.png" 
@@ -222,12 +225,71 @@
 static const char *
 get_magic(int fd)
 {
+	pid_t pid;
+	ssize_t rlen;
+	char buf[4096], *desc;
+	const char *cdesc;
+	int pfd[2], status;
 
+	rlen = read(fd, buf, sizeof(buf));
+	if (rlen == -1)
+		return "read-error";
+	if (rlen == 0)
+		return "empty";
+
 	switch (sbtype) {
 	case SB_NONE:
-		return magic_descriptor(magic, fd);
+		return magic_buffer(magic, buf, rlen);
 	case SB_CAPSICUM:
-		return "devil";
+		if (pipe(pfd) == -1)
+			err(1, "pipe()");
+		pid = fork();
+		if (pid < 0)
+			err(1, "fork()");
+		else if (pid == 0) {
+			close(fd);
+			close(pfd[0]);
+			fb_fini();
+			/* XXX: do more cleanup here */
+			cap_enter();
+
+			cdesc = magic_buffer(magic, buf, rlen);
+			if (cdesc == NULL)
+				dprintf(pfd[1], "badmagic");
+			else
+				dprintf(pfd[1], "%s", cdesc);
+			close(pfd[1]);
+			exit(0);
+		} else {
+			close(pfd[1]);
+			if (wait4(pid, &status, 0, NULL) == -1)
+				err(1, "wait4()");
+			if (WIFEXITED(status) &&
+			    WEXITSTATUS(status) != 0) {
+				warnx("child exited with %d",
+				    WEXITSTATUS(status));
+				close(pfd[0]);
+				return "badmagic";
+			}
+			else if(WIFSIGNALED(status)) {
+				warn("child killed by signal %d",
+				    WTERMSIG(status));
+				close(pfd[0]);
+				return "badmagic";
+			} else {
+				rlen = read(pfd[0], buf, 128);
+				close(pfd[0]);
+				if (rlen == -1)
+					return "read error";
+				if (rlen == 0 || rlen == 1)
+					return "unknown";
+				/* Don't trust the result */
+				desc = buf + rlen;
+				strvisx(desc, buf, rlen - 1, 0);
+				return (desc);
+			}
+		}
+		break;
 	case SB_CHERI:
 		return "devil";
 	default:
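Review bot: `return (desc)` at the end of the SB_CAPSICUM branch hands the caller a pointer into `buf`, an automatic array of get_magic that is gone once the function returns, so the sanitised description is read from a dead stack frame; declaring the buffer `static char buf[4096];` (with `char *desc;` on its own line) keeps the returned string valid, which is what the string-literal returns on the other paths already assume. The `cap_enter()` call in the child is unchecked, so if it fails the untrusted magic parse runs with the parent's full privilege while the parent believes it is sandboxed; `if (cap_enter() == -1) err(1, "cap_enter()");` makes that failure fatal in the child, and the parent then reports it as "badmagic" through the non-zero exit status it already checks. In the WIFSIGNALED branch `warn()` appends strerror(errno) although no failing call has set errno there, so it should be `warnx()` like the sibling WIFEXITED branch. `strvisx(desc, buf, rlen - 1, 0)` drops the last byte the child wrote even though `dprintf(pfd[1], "%s", cdesc)` emits no terminator, which looks like an off-by-one worth confirming. get_magic's switch continues past the end of the hunk.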