Date: Fri, 18 Jun 2021 16:12:24 GMT From: Mariusz Zaborski <oshogbo@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 7ad30f58dd63 - main - sockstat: use cap_pwd Message-ID: <202106181612.15IGCOH0027975@gitrepo.freebsd.org>
The branch main has been updated by oshogbo: URL: https://cgit.FreeBSD.org/src/commit/?id=7ad30f58dd63bfabfdf34f6ea93ab270fde8de36 commit 7ad30f58dd63bfabfdf34f6ea93ab270fde8de36 Author: Mariusz Zaborski <oshogbo@FreeBSD.org> AuthorDate: 2021-06-18 16:06:03 +0000 Commit: Mariusz Zaborski <oshogbo@FreeBSD.org> CommitDate: 2021-06-18 16:08:30 +0000 sockstat: use cap_pwd The sockstat is using password database operations to obtain the username. Such operations are disallowed in capability mode. For such operations Casper is required. Reported by: olivier@ Tested by: olivier@
---
 usr.bin/sockstat/Makefile | 1 +
 usr.bin/sockstat/sockstat.c | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/usr.bin/sockstat/Makefile b/usr.bin/sockstat/Makefile
index 6d0de7dc22d0..bf1cd0b9a443 100644
--- a/usr.bin/sockstat/Makefile
+++ b/usr.bin/sockstat/Makefile
@@ -10,6 +10,7 @@ LIBADD= jail
 LIBADD+= casper
 LIBADD+= cap_net
 LIBADD+= cap_netdb
+LIBADD+= cap_pwd
 LIBADD+= cap_sysctl
 CFLAGS+= -DWITH_CASPER
 .endif
diff --git a/usr.bin/sockstat/sockstat.c b/usr.bin/sockstat/sockstat.c
index 285889a07b7b..5318a43f8585 100644
--- a/usr.bin/sockstat/sockstat.c
+++ b/usr.bin/sockstat/sockstat.c
@@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
 #include <libcasper.h>
 #include <casper/cap_net.h>
 #include <casper/cap_netdb.h>
+#include <casper/cap_pwd.h>
 #include <casper/cap_sysctl.h>
 #define sstosin(ss) ((struct sockaddr_in *)(ss))
@@ -141,6 +142,7 @@ static int nxfiles;
 static cap_channel_t *capnet;
 static cap_channel_t *capnetdb;
 static cap_channel_t *capsysctl;
+static cap_channel_t *cappwd;
 static int
 xprintf(const char *fmt, ...)
@@ -1215,7 +1217,7 @@ display(void)
 printf(" %-.*s", TCP_CA_NAME_MAX, "CC");
 printf("\n");
 }
- setpassent(1);
+ cap_setpassent(cappwd, 1);
 for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
 if (xf->xf_data == 0)
 continue;
@@ -1229,7 +1231,8 @@ display(void)
 continue;
 s->shown = 1;
 pos = 0;
- if (opt_n || (pwd = getpwuid(xf->xf_uid)) == NULL)
+ if (opt_n ||
+ (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL)
 pos += xprintf("%lu ", (u_long)xf->xf_uid);
 else
 pos += xprintf("%s ", pwd->pw_name);
@@ -1326,6 +1329,8 @@ main(int argc, char *argv[])
 {
 cap_channel_t *capcas;
 cap_net_limit_t *limit;
+ const char *pwdcmds[] = { "setpassent", "getpwuid" };
+ const char *pwdfields[] = { "pw_name" };
 int protos_defined = -1;
 int o, i;
@@ -1424,12 +1429,19 @@ main(int argc, char *argv[])
 capsysctl = cap_service_open(capcas, "system.sysctl");
 if (capsysctl == NULL)
 err(1, "Unable to open system.sysctl service");
+ cappwd = cap_service_open(capcas, "system.pwd");
+ if (cappwd == NULL)
+ err(1, "Unable to open system.pwd service");
 cap_close(capcas);
 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
 if (limit == NULL)
 err(1, "Unable to init cap_net limits");
 if (cap_net_limit(limit) < 0)
 err(1, "Unable to apply limits");
+ if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0)
+ err(1, "Unable to apply pwd commands limits");
+ if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0)
+ err(1, "Unable to apply pwd commands limits");
 if ((!opt_4 && !opt_6) && protos_defined != -1)
 opt_4 = opt_6 = 1;
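Review bot: The `pwdcmds` and `pwdfields` arrays added at the top of main() in the `-1326` hunk are the whole allow-list for the system.pwd channel, but nothing at the declaration ties them to the calls that depend on them. display() in this diff calls `cap_setpassent` and `cap_getpwuid` and reads only `pw_name`, so a passwd lookup or field added there later would presumably be refused at run time unless it is also listed here. A comment above the two arrays would keep them in step, for example `/* system.pwd allow-list: must match the cap_* passwd calls and fields used in display(). */`. main()'s body starts and ends outside the hunk.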
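Review bot: The failure message after `cap_pwd_limit_fields` in the `-1424` hunk is a copy of the one after `cap_pwd_limit_cmds`, so the two err() exits cannot be told apart when a limit fails to apply. Since these calls are what narrow the service to the allow-listed commands and fields, it helps to know which restriction was not installed; the second message should read `err(1, "Unable to apply pwd fields limits");`. main()'s body continues outside the hunk, so where capability mode is entered relative to these calls is not visible here.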