From owner-dev-commits-src-main@freebsd.org Sun Jan 3 16:12:03 2021 Return-Path: Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 42B1B4D5E0C; Sun, 3 Jan 2021 16:12:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D83g71PhPz3LTM; Sun, 3 Jan 2021 16:12:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 231A82909; Sun, 3 Jan 2021 16:12:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103GC3tB050923; Sun, 3 Jan 2021 16:12:03 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103GC3Bv050922; Sun, 3 Jan 2021 16:12:03 GMT (envelope-from git) Date: Sun, 3 Jan 2021 16:12:03 GMT Message-Id: <202101031612.103GC3Bv050922@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mariusz Zaborski Subject: git: 34535dace9f0 - main - cap_net: CAPNET_CONNECT and CAPNET_CONNECTDNS are not mutually exclusive MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: oshogbo X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 34535dace9f0eacd4d01c3694edfe3a37e28c35c Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for the main branch of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 16:12:03 -0000 The branch main has been updated by oshogbo: URL: https://cgit.FreeBSD.org/src/commit/?id=34535dace9f0eacd4d01c3694edfe3a37e28c35c commit 34535dace9f0eacd4d01c3694edfe3a37e28c35c Author: Mariusz Zaborski AuthorDate: 2021-01-03 16:10:35 +0000 Commit: Mariusz Zaborski CommitDate: 2021-01-03 16:10:35 +0000 cap_net: CAPNET_CONNECT and CAPNET_CONNECTDNS are not mutually exclusive Fix the for the CAPNET_CONNECT and CAPNET_CONNECTDNS. Add test to ensure that this is possible. --- lib/libcasper/services/cap_net/cap_net.c | 18 ++++++++++---- lib/libcasper/services/cap_net/tests/net_test.c | 33 +++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 5 deletions(-) diff --git a/lib/libcasper/services/cap_net/cap_net.c b/lib/libcasper/services/cap_net/cap_net.c index a963c753494b..1d5531676268 100644 --- a/lib/libcasper/services/cap_net/cap_net.c +++ b/lib/libcasper/services/cap_net/cap_net.c @@ -1058,7 +1058,7 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout) const void *saddr; const nvlist_t *funclimit; size_t len; - bool conn, conndns; + bool conn, conndns, allowed; conn = net_allowed_mode(limits, CAPNET_CONNECT); conndns = net_allowed_mode(limits, CAPNET_CONNECTDNS); @@ -1071,12 +1071,20 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout) funclimit = dnvlist_get_nvlist(limits, LIMIT_NV_CONNECT, NULL); saddr = nvlist_get_binary(nvlin, "saddr", &len); - if (conn && !net_allowed_bsaddr(funclimit, saddr, len)) { - return (ENOTCAPABLE); - } else if (conndns && (capdnscache == NULL || - !net_allowed_bsaddr_impl(capdnscache, saddr, len))) { + allowed = false; + + if (conn && net_allowed_bsaddr(funclimit, saddr, len)) { + allowed = true; + } + if (conndns && capdnscache != NULL && + net_allowed_bsaddr_impl(capdnscache, saddr, len)) { + allowed = true; + } + + if (allowed == false) { return (ENOTCAPABLE); } + socket = dup(nvlist_get_descriptor(nvlin, "s")); if (connect(socket, saddr, len) < 0) { serrno = errno; diff --git a/lib/libcasper/services/cap_net/tests/net_test.c b/lib/libcasper/services/cap_net/tests/net_test.c index c2dce467ef3b..49cb0da44a4e 100644 --- a/lib/libcasper/services/cap_net/tests/net_test.c +++ b/lib/libcasper/services/cap_net/tests/net_test.c @@ -1068,6 +1068,38 @@ ATF_TC_BODY(capnet__limits_connect_mode, tc) cap_close(capnet); } +ATF_TC_WITHOUT_HEAD(capnet__limits_connect_dns_mode); +ATF_TC_BODY(capnet__limits_connect_dns_mode, tc) +{ + cap_channel_t *capnet; + cap_net_limit_t *limit; + + capnet = create_network_service(); + + /* LIMIT */ + limit = cap_net_limit_init(capnet, CAPNET_CONNECT | CAPNET_CONNECTDNS); + ATF_REQUIRE(limit != NULL); + ATF_REQUIRE(cap_net_limit(limit) == 0); + + /* ALLOWED */ + ATF_REQUIRE(test_connect(capnet, TEST_IPV4, 80) == 0); + + /* DISALLOWED */ + ATF_REQUIRE( + test_gethostbyname(capnet, AF_INET, TEST_DOMAIN_0) == ENOTCAPABLE); + ATF_REQUIRE(test_getnameinfo(capnet, AF_INET, TEST_IPV4) == + ENOTCAPABLE); + ATF_REQUIRE(test_gethostbyaddr(capnet, AF_INET, TEST_IPV4) == + ENOTCAPABLE); + ATF_REQUIRE(test_getaddrinfo(capnet, AF_INET, TEST_DOMAIN_0, NULL) == + ENOTCAPABLE); + ATF_REQUIRE(test_bind(capnet, TEST_BIND_IPV4) == ENOTCAPABLE); + + test_extend_mode(capnet, CAPNET_ADDR2NAME); + + cap_close(capnet); +} + ATF_TC_WITHOUT_HEAD(capnet__limits_connect); ATF_TC_BODY(capnet__limits_connect, tc) { @@ -1238,6 +1270,7 @@ ATF_TP_ADD_TCS(tp) ATF_TP_ADD_TC(tp, capnet__limits_bind); ATF_TP_ADD_TC(tp, capnet__limits_connect_mode); + ATF_TP_ADD_TC(tp, capnet__limits_connect_dns_mode); ATF_TP_ADD_TC(tp, capnet__limits_connect); ATF_TP_ADD_TC(tp, capnet__limits_connecttodns);