From owner-dev-commits-src-main@freebsd.org Fri Jun 18 16:12:24 2021 Return-Path: Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id BE836649482; Fri, 18 Jun 2021 16:12:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4G63pw533tz4tlm; Fri, 18 Jun 2021 16:12:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 888D4259FB; Fri, 18 Jun 2021 16:12:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 15IGCOiL027989; Fri, 18 Jun 2021 16:12:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 15IGCOH0027975; Fri, 18 Jun 2021 16:12:24 GMT (envelope-from git) Date: Fri, 18 Jun 2021 16:12:24 GMT Message-Id: <202106181612.15IGCOH0027975@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mariusz Zaborski Subject: git: 7ad30f58dd63 - main - sockstat: use cap_pwd MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: oshogbo X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7ad30f58dd63bfabfdf34f6ea93ab270fde8de36 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for the main branch of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Jun 2021 16:12:24 -0000 The branch main has been updated by oshogbo: URL: https://cgit.FreeBSD.org/src/commit/?id=7ad30f58dd63bfabfdf34f6ea93ab270fde8de36 commit 7ad30f58dd63bfabfdf34f6ea93ab270fde8de36 Author: Mariusz Zaborski AuthorDate: 2021-06-18 16:06:03 +0000 Commit: Mariusz Zaborski CommitDate: 2021-06-18 16:08:30 +0000 sockstat: use cap_pwd The sockstat is using password database operations to obtain the username. Such operations are disallowed in capability mode. For such operations Casper is required. Reported by: olivier@ Tested by: olivier@ --- usr.bin/sockstat/Makefile | 1 + usr.bin/sockstat/sockstat.c | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/usr.bin/sockstat/Makefile b/usr.bin/sockstat/Makefile index 6d0de7dc22d0..bf1cd0b9a443 100644 --- a/usr.bin/sockstat/Makefile +++ b/usr.bin/sockstat/Makefile @@ -10,6 +10,7 @@ LIBADD= jail LIBADD+= casper LIBADD+= cap_net LIBADD+= cap_netdb +LIBADD+= cap_pwd LIBADD+= cap_sysctl CFLAGS+= -DWITH_CASPER .endif diff --git a/usr.bin/sockstat/sockstat.c b/usr.bin/sockstat/sockstat.c index 285889a07b7b..5318a43f8585 100644 --- a/usr.bin/sockstat/sockstat.c +++ b/usr.bin/sockstat/sockstat.c @@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #define sstosin(ss) ((struct sockaddr_in *)(ss)) @@ -141,6 +142,7 @@ static int nxfiles; static cap_channel_t *capnet; static cap_channel_t *capnetdb; static cap_channel_t *capsysctl; +static cap_channel_t *cappwd; static int xprintf(const char *fmt, ...) @@ -1215,7 +1217,7 @@ display(void) printf(" %-.*s", TCP_CA_NAME_MAX, "CC"); printf("\n"); } - setpassent(1); + cap_setpassent(cappwd, 1); for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) { if (xf->xf_data == 0) continue; @@ -1229,7 +1231,8 @@ display(void) continue; s->shown = 1; pos = 0; - if (opt_n || (pwd = getpwuid(xf->xf_uid)) == NULL) + if (opt_n || + (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL) pos += xprintf("%lu ", (u_long)xf->xf_uid); else pos += xprintf("%s ", pwd->pw_name); @@ -1326,6 +1329,8 @@ main(int argc, char *argv[]) { cap_channel_t *capcas; cap_net_limit_t *limit; + const char *pwdcmds[] = { "setpassent", "getpwuid" }; + const char *pwdfields[] = { "pw_name" }; int protos_defined = -1; int o, i; @@ -1424,12 +1429,19 @@ main(int argc, char *argv[]) capsysctl = cap_service_open(capcas, "system.sysctl"); if (capsysctl == NULL) err(1, "Unable to open system.sysctl service"); + cappwd = cap_service_open(capcas, "system.pwd"); + if (cappwd == NULL) + err(1, "Unable to open system.pwd service"); cap_close(capcas); limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME); if (limit == NULL) err(1, "Unable to init cap_net limits"); if (cap_net_limit(limit) < 0) err(1, "Unable to apply limits"); + if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0) + err(1, "Unable to apply pwd commands limits"); + if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0) + err(1, "Unable to apply pwd commands limits"); if ((!opt_4 && !opt_6) && protos_defined != -1) opt_4 = opt_6 = 1;