author | Bartek Rutkowski <robak@FreeBSD.org> | 2016-12-09 14:51:05 +0000 |
---|---|---|
committer | Bartek Rutkowski <robak@FreeBSD.org> | 2016-12-09 14:51:05 +0000 |
commit | 2a65657fc88f7ab559a6b50760b01b07a6b6e508 (patch) | |
tree | 23e9cef1e285b3f329527783935b3bd76fd7104c /bin | |
parent | be48ab92ac55e1168fdf49c4a046cea6747ad575 (diff) | |
download | src-2a65657fc88f7ab559a6b50760b01b07a6b6e508.tar.gz src-2a65657fc88f7ab559a6b50760b01b07a6b6e508.zip |
Capsicum support for dd(1)
Adds Capsicum sandboxing to the dd utility.
Submitted by: Pawel Biernacki <pawel.biernacki@gmail.com>
Reviewed by: allanjude, emaste, oshogbo
Approved by: oshogbo
Sponsored by: Mysterious Code Ltd.
Differential Revision: https://reviews.freebsd.org/D8543
Notes
Notes:
svn path=/head/; revision=309735
Diffstat (limited to 'bin')
-rw-r--r-- | bin/dd/dd.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/bin/dd/dd.c b/bin/dd/dd.c
index 56f8efef7a53..3c6720bacef4 100644
--- a/bin/dd/dd.c
+++ b/bin/dd/dd.c
@@ -47,11 +47,14 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/stat.h>
+#include <sys/capsicum.h>
 #include <sys/conf.h>
 #include <sys/disklabel.h>
 #include <sys/filio.h>
+#include <sys/mtio.h>
 #include <assert.h>
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -92,6 +95,10 @@ main(int argc __unused, char *argv[])
 jcl(argv);
 setup();
+ caph_cache_catpages();
+ if (cap_enter() == -1 && errno != ENOSYS)
+ err(1, "unable to enter capability mode");
+
 (void)signal(SIGINFO, siginfo_handler);
 (void)signal(SIGINT, terminate);
@@ -125,6 +132,8 @@ static void
 setup(void)
 {
 u_int cnt;
+ cap_rights_t rights;
+ unsigned long cmds[] = { FIODTYPE, MTIOCTOP };
 if (in.name == NULL) {
 in.name = "stdin";
@@ -133,13 +142,20 @@ setup(void)
 in.fd = open(in.name, O_RDONLY, 0);
 if (in.fd == -1)
 err(1, "%s", in.name);
+ if (caph_limit_stdin() == -1)
+ err(1, "unable to limit capability rights");
 }
 getfdtype(&in);
+ cap_rights_init(&rights, CAP_READ, CAP_SEEK);
+ if (cap_rights_limit(in.fd, &rights) == -1 && errno != ENOSYS)
+ err(1, "unable to limit capability rights");
+
 if (files_cnt > 1 && !(in.flags & ISTAPE))
 errx(1, "files is not supported for non-tape devices");
+ cap_rights_set(&rights, CAP_FTRUNCATE, CAP_IOCTL, CAP_WRITE);
 if (out.name == NULL) {
 /* No way to check for read access here. */
 out.fd = STDOUT_FILENO;
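Review bot: The `errno != ENOSYS` tolerance on `cap_enter()` in the main() hunk means dd keeps running with no sandbox at all on a kernel built without Capsicum, and nothing in the code records that this degradation is deliberate; a comment such as `/* ENOSYS: kernel lacks Capsicum; run unsandboxed rather than fail */` above the check would make the intent reviewable, and the same silent fallback recurs at the cap_rights_limit() and cap_ioctls_limit() calls in the two setup() hunks. The preceding `caph_cache_catpages()` call is also unexplained; it presumably preloads the message catalogs so that err(3) can still format its text once cap_enter() has cut off filesystem access — worth confirming against capsicum_helpers(3) and stating in a one-line comment. Only the tail of main() is visible in this hunk; the function begins and ends outside it.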
@@ -156,13 +172,27 @@ setup(void)
 if (out.fd == -1) {
 out.fd = open(out.name, O_WRONLY | OFLAGS, DEFFILEMODE);
 out.flags |= NOREAD;
+ cap_rights_clear(&rights, CAP_READ);
 }
 if (out.fd == -1)
 err(1, "%s", out.name);
+ if (caph_limit_stdout() == -1)
+ err(1, "unable to limit capability rights");
 }
 getfdtype(&out);
+ if (cap_rights_limit(out.fd, &rights) == -1 && errno != ENOSYS)
+ err(1, "unable to limit capability rights");
+ if (cap_ioctls_limit(out.fd, cmds, nitems(cmds)) == -1 &&
+ errno != ENOSYS)
+ err(1, "unable to limit capability rights");
+
+ if (in.fd != STDERR_FILENO && out.fd != STDERR_FILENO) {
+ if (caph_limit_stderr() == -1)
+ err(1, "unable to limit capability rights");
+ }
+
 /*
 * Allocate space for the input and output buffers. If not doing
 * record oriented I/O, only need a single buffer. |