From: Brooks Davis
To: Luigi Rizzo
Cc: current@freebsd.org
Date: Mon, 29 Sep 2014 17:27:09 +0000
Subject: Re: capsicum and netmap ?
Message-ID: <20140929172709.GC99239@spindle.one-eyed-alien.net>
In-Reply-To: <20140929153043.GA78397@onelab2.iet.unipi.it>

On Mon, Sep 29, 2014 at 05:30:43PM +0200, Luigi Rizzo wrote:
>
> Hi,
> while trying the netmap-enabled libpcap library with tcpdump, I
> noticed it fails to return data on a kernel with capsicum (the
> string "capability mode sandbox enabled" made me suspicious, and
> removing the cap_*() calls from tcpdump.c seems to make things
> work again).
>
> Would anyone be able to point me to what should be done in the netmap
> kernel module to make it work with capsicum?
>
> I am sure the Cambridge folks are very interested in this :)

Without knowing what modifications have been made to libpcap, it's hard
to say what you need to change, but the short version is that once
cap_enter is called, you must not attempt to open any file handles, as
that won't work. I can't think of any other likely cause. Are all the
returns of all open(), socket(), etc. calls checked?

In practice that means that either opening files must come earlier, or a
signaling mechanism needs to be added to tcpdump and libpcap to tell
tcpdump not to enter capability mode when using netmap.

-- Brooks
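
The ordering rule from the reply above, as an added example that is not part of the original message and is not code from tcpdump, libpcap or netmap: a descriptor opened before cap_enter() stays usable, while an open() attempted afterwards fails and is only noticed if its return value is checked. The names `capsicum_probe` and `struct probe` are hypothetical, `/dev/null` is a constructed stand-in for whatever device the capture library needs, and on non-FreeBSD builds the cap_enter() step is compiled out.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif
struct probe {              /* hypothetical result record */
    int entered;            /* 1 if cap_enter() succeeded */
    int early_read_ok;      /* early descriptor still readable afterwards */
    int late_fd;            /* return value of open() after cap_enter() */
    int late_errno;         /* errno left by that late open() */
};

/* Open first, sandbox second, then retry the open. Returns -1 on setup failure. */
static int capsicum_probe(const char *path, struct probe *p)
{
    char byte;
    int early = open(path, O_RDONLY);   /* must happen before cap_enter() */
    if (early < 0)
        return -1;
    p->entered = 0;
#ifdef __FreeBSD__
    if (cap_enter() == 0)
        p->entered = 1;
    else if (errno != ENOSYS) {         /* ENOSYS: kernel built without Capsicum */
        close(early);
        return -1;
    }
#endif
    p->early_read_ok = read(early, &byte, 1) >= 0;
    errno = 0;
    p->late_fd = open(path, O_RDONLY);  /* lookup in the global namespace */
    p->late_errno = errno;
    if (p->late_fd >= 0)
        close(p->late_fd);
    close(early);
    return 0;
}
int main(void)
{
    struct probe p;
    if (capsicum_probe("/dev/null", &p) != 0)   /* constructed sample path */
        return 1;
    printf("sandboxed=%d early_read_ok=%d late_open=%d (%s)\n", p.entered,
        p.early_read_ok, p.late_fd, p.late_fd < 0 ? strerror(p.late_errno) : "ok");
    return 0;
}
```

On a FreeBSD kernel with Capsicum the late open() is expected to return -1 with errno set to ECAPMODE, which is the failure an unchecked open() or socket() call would hide.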