From owner-svn-src-stable@freebsd.org Wed Sep 28 09:33:47 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5EA4AC00CD1; Wed, 28 Sep 2016 09:33:47 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 226F8840; Wed, 28 Sep 2016 09:33:47 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8S9XkcE076907; Wed, 28 Sep 2016 09:33:46 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8S9Xk98076905; Wed, 28 Sep 2016 09:33:46 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201609280933.u8S9Xk98076905@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f 
From: Konstantin Belousov Date: Wed, 28 Sep 2016 09:33:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r306399 - stable/11/lib/libc/sys X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Sep 2016 09:33:47 -0000 Author: kib Date: Wed Sep 28 09:33:46 2016 New Revision: 306399 URL: https://svnweb.freebsd.org/changeset/base/306399 Log: MFC r306257: Document r306081, i.e. procctl(PROC_TRAPCAP) and sysctl kern.trap_enocap. MFC r306366: Editing fixes for r306257, documentation for trapcap. Modified: stable/11/lib/libc/sys/cap_enter.2 stable/11/lib/libc/sys/procctl.2 Directory Properties: stable/11/ (props changed) Modified: stable/11/lib/libc/sys/cap_enter.2 ============================================================================== --- stable/11/lib/libc/sys/cap_enter.2 Wed Sep 28 09:28:26 2016 (r306398) +++ stable/11/lib/libc/sys/cap_enter.2 Wed Sep 28 09:33:46 2016 (r306399) @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 27, 2014 +.Dd September 27, 2016 .Dt CAP_ENTER 2 .Os .Sh NAME 
@@ -69,6 +69,34 @@ appropriately-crafted applications or ap .Fn cap_getmode returns a flag indicating whether or not the process is in a capability mode sandbox. +.Sh RUN-TIME SETTINGS +If the +.Dv kern.trap_enocap +sysctl MIB is set to a non-zero value, then for any process executing in a +capability mode sandbox, any syscall which results in either +.Er ENOTCAPABLE +or +.Er ECAPMODE +error also generates the synchronous +.Dv SIGTRAP +signal to the thread on the syscall return. +On signal delivery, the +.Va si_errno +member of the +.Fa siginfo +signal handler parameter is set to the syscall error value, +and the +.Va si_code +member is set to +.Dv TRAP_CAP . +.Pp +See also the +.Dv PROC_TRAPCAP_CTL +and +.Dv PROC_TRAPCAP_STATUS +operations of the +.Xr procctl 2 +function for similar per-process functionality. .Sh CAVEAT Creating effective process sandboxes is a tricky process that involves identifying the least possible rights required by the process and then @@ -111,6 +139,8 @@ points outside the process's allocated a .Xr cap_fcntls_limit 2 , .Xr cap_ioctls_limit 2 , .Xr cap_rights_limit 2 , +.Xr procctl 2 , +.Xr sysctl 2 , .Xr fexecve 2 , .Xr cap_sandboxed 3 , .Xr capsicum 4 Modified: stable/11/lib/libc/sys/procctl.2 ============================================================================== --- stable/11/lib/libc/sys/procctl.2 Wed Sep 28 09:28:26 2016 (r306398) +++ stable/11/lib/libc/sys/procctl.2 Wed Sep 28 09:33:46 2016 (r306399) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 21, 2015 +.Dd September 27, 2016 .Dt PROCCTL 2 .Os .Sh NAME @@ -71,7 +71,7 @@ The control request to perform is specif .Fa cmd argument. The following commands are supported: -.Bl -tag -width "PROC_REAP_GETPIDS" +.Bl -tag -width "Dv PROC_TRAPCAP_STATUS" .It Dv PROC_SPROTECT Set process protection state. This is used to mark a process as protected from being killed if the system 
@@ -327,6 +327,67 @@ is set to 0. If a debugger is attached, .Fa data is set to the pid of the debugger process. +.It Dv PROC_TRAPCAP_CTL +Controls the capability mode sandbox actions for the specified +sandboxed processes, +on a return from any syscall which gives either a +.Er ENOTCAPABLE +or +.Er ECAPMODE +error. +If the control is enabled, such errors from the syscalls cause +delivery of the synchronous +.Dv SIGTRAP +signal to the thread immediately before returning from the syscalls. +.Pp +Possible values for the +.Fa data +argument are: +.Bl -tag -width "Dv PROC_TRAPCAP_CTL_DISABLE" +.It Dv PROC_TRAPCAP_CTL_ENABLE +Enable the +.Dv SIGTRAP +signal delivery on capability mode access violations. +The enabled mode is inherited by the children of the process, +and is kept after +.Xr fexecve 2 +calls. +.It Dv PROC_TRAPCAP_CTL_DISABLE +Disable the signal delivery on capability mode access violations. +Note that the global sysctl +.Dv kern.trap_enocap +might still cause the signal to be delivered. +See +.Xr capsicum 4 . +.El +.Pp +On signal delivery, the +.Va si_errno +member of the +.Fa siginfo +signal handler parameter is set to the syscall error value, +and the +.Va si_code +member is set to +.Dv TRAP_CAP . +.Pp +See +.Xr capsicum 4 +for more information about the capability mode. +.It Dv PROC_TRAPCAP_STATUS +Return the current status of signalling capability mode access +violations for the specified process. +The integer value pointed to by the +.Fa data +argument is set to the +.Dv PROC_TRAPCAP_CTL_ENABLE +value if the process control enables signal delivery, and to +.Dv PROC_TRAPCAP_CTL_DISABLE +otherwise. +.Pp +See the note about sysctl +.Dv kern.trap_enocap +above, which gives independent global control of signal delivery. .El .Sh NOTES Disabling tracing on a process should not be considered a security 
@@ -420,14 +481,18 @@ The value of the integer .Fa data parameter for the .Dv PROC_TRACE_CTL +or +.Dv PROC_TRAPCAP_CTL request is invalid. .El .Sh SEE ALSO .Xr dtrace 1 , +.Xr cap_enter 2, .Xr kill 2 , .Xr ktrace 2 , .Xr ptrace 2 , .Xr wait 2 , +.Xr capsicum 4 , .Xr hwpmc 4 , .Xr init 8 .Sh HISTORY
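Review bot: in the cap_enter.2 RUN-TIME SETTINGS hunk, the new section does not say what happens to a sandboxed process that has no SIGTRAP handler installed. The default disposition of SIGTRAP terminates the process and dumps core, so setting kern.trap_enocap to a non-zero value turns every ENOTCAPABLE or ECAPMODE return into a fatal signal for code that probes for rights and tolerates those errors; one sentence stating that the default action is fatal and that a handler (or a debugger) is expected would save readers a surprise. Minor style point in the same hunk: the sysctl is marked up as `.Dv kern.trap_enocap`, while sysctl variables are normally set in `.Va`, and `.Fa siginfo` describes the handler argument by type rather than by parameter name (`.Vt siginfo_t` or `.Fa info` would be the usual choice).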
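Review bot: in the cap_enter.2 SEE ALSO hunk, `.Xr procctl 2 ,` and `.Xr sysctl 2 ,` are inserted before `.Xr fexecve 2 ,`, which breaks the section-then-name ordering the list otherwise follows; move both entries after `.Xr fexecve 2 ,`. Since the new text describes an administrator setting the MIB, `.Xr sysctl 8` is arguably the more useful cross-reference than, or in addition to, `.Xr sysctl 2`.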
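Review bot: in the procctl.2 PROC_TRAPCAP_CTL hunk, the PROC_TRAPCAP_CTL_DISABLE text says the global sysctl kern.trap_enocap may still deliver the signal and refers the reader to `.Xr capsicum 4`, but this commit documents that sysctl in cap_enter(2), not in capsicum(4); either point at `.Xr cap_enter 2` or add the sysctl to capsicum.4 in the same change. Two gaps worth closing in the same hunk: the wording "the specified sandboxed processes" leaves open whether the control may be set on a process that has not yet entered capability mode (and then takes effect once it does), and the PROC_TRAPCAP_STATUS text should state explicitly that the returned value reflects only the per-process setting, so a process may still receive SIGTRAP when STATUS reports PROC_TRAPCAP_CTL_DISABLE and the sysctl is set. The inheritance and persistence across fexecve(2) noted for PROC_TRAPCAP_CTL_ENABLE is the important security detail here and reads clearly.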
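Review bot: in the procctl.2 ERRORS and SEE ALSO hunk, the added line `.Xr cap_enter 2,` is missing the space before the trailing comma. mdoc only treats punctuation as a delimiter when it is a separate argument, so as written the section argument becomes "2," and the entry renders differently from its neighbours; it should be `.Xr cap_enter 2 ,` like `.Xr kill 2 ,` below it. The EINVAL addition for PROC_TRAPCAP_CTL and the ordering of the new `.Xr capsicum 4 ,` entry look right.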