PERFORCE change 164486 for review
Robert Watson
rwatson at FreeBSD.org
Tue Jun 16 09:01:29 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=164486
Change 164486 by rwatson at rwatson_freebsd_capabilities on 2009/06/16 09:01:21
Add a new libcapability host API function,
lch_autosandbox_isenabled(), which allows self-compartmentalizing
libraries and tools to query policy of an unspecified source for
whether they should run in sandboxes or not. Implement one source
of policy, the environment variable LIBCAPABILITY_NOAUTOSANDBOX.
Pass libbz2.so into sandboxes for experimentation purposes -- we'll
teach rtld to do something more sensible in the future.
Pass in libcapability rather than libcapabilitym -- still thinking
about the best way to differentiate the link-time environments
inside sandboxes from those outside, and one good reason to provide
the extra-sandbox symbols in a sandbox is that then we can run the
same binary in both environments avoiding the need for extra
binaries.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.3#5 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 (text+ko) ====
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#17 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 $
*/
#ifndef _LIBCAPABILITY_H_
@@ -45,6 +45,12 @@
int lc_limitfd(int fd, cap_rights_t rights);
/*
+ * Global policy interface to ask whether we should, in fact, sandbox a
+ * particular optionally sandboxed service, by name.
+ */
+int lch_autosandbox_isenabled(const char *servicename);
+
+/*
* Interfaces to start and stop capability mode sandboxs.
*/
int lch_start(const char *sandbox, char *const argv[],
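Review bot: The new prototype at line 40 does not say which return value means "sandbox", nor what `servicename` is — a caller reading only the header cannot tell whether 1 or 0 is the safe answer. I would extend the comment block above it with: `Returns 1 if the named service should run sandboxed, 0 if global policy has disabled sandboxing for it; servicename is an opaque, caller-chosen identifier for the service.` The 1/0 convention is what the implementation in libcapability_host.c actually follows.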
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.3#5 (text+ko) ====
@@ -55,6 +55,8 @@
.Ft void
.Fn lch_stop "struct lc_sandbox *lcsp"
.Ft int
+.Fn lch_autosandbox_isenabled "const char *servicename"
+.Ft int
.Fn lch_getsock "struct lc_sandbox *lcsp" "int *fdp"
.Ft int
.Fn lch_getpid "struct lc_sandbox *lcsp" "pid_t *pidp"
@@ -139,6 +141,13 @@
.Va lchp
argument will no longer be valid.
.Pp
+Libraries and tools performing self-compartmentalization can use the
+interface
+.Nm lch_autosandbox_isenabled
+along with a unique string identifying their service to determine whether or
+not a global policy affecting the service requires sandboxing to be enabled
+or not.
+.Pp
Properties of the sandbox, such as the socket used to communicate with it,
the proces descriptor for the sandbox process, and the pid, may be queried
using
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 (text+ko) ====
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#14 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 $
*/
#include <sys/param.h>
@@ -61,14 +61,16 @@
#define LIBCAPABILITY_CAPMASK_SANDBOX LIBCAPABILITY_CAPMASK_BIN
#define LIBCAPABILITY_CAPMASK_LDSO LIBCAPABILITY_CAPMASK_BIN
#define LIBCAPABILITY_CAPMASK_LIBC LIBCAPABILITY_CAPMASK_BIN
-#define LIBCAPABILITY_CAPMASK_LIBCAPABILITYM LIBCAPABILITY_CAPMASK_BIN
+#define LIBCAPABILITY_CAPMASK_LIBCAPABILITY LIBCAPABILITY_CAPMASK_BIN
#define LIBCAPABILITY_CAPMASK_LIBZ LIBCAPABILITY_CAPMASK_BIN
+#define LIBCAPABILITY_CAPMASK_LIBBZ2 LIBCAPABILITY_CAPMASK_BIN
#define _PATH_LIB "/lib"
#define _PATH_USR_LIB "/usr/lib"
#define LIBC_SO "libc.so.7"
#define LIBZ_SO "libz.so.4"
-#define LIBCAPABILITYM_SO "libcapabilitym.so.1"
+#define LIBBZ2_SO "libbz2.so.3"
+#define LIBCAPABILITY_SO "libcapability.so.1"
extern char **environ;
@@ -81,6 +83,15 @@
int closefrom(int lowfd);
+int
+lch_autosandbox_isenabled(__unused const char *servicename)
+{
+
+ if (getenv("LIBCAPABILITY_NOAUTOSANDBOX") != NULL)
+ return (0);
+ return (1);
+}
+
/*
* Install an array of file descriptors using the array index of each
* descriptor in the array as its destination file descriptor number. All
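Review bot: lch_autosandbox_isenabled() trusts the environment unconditionally, so in a set-user-ID or set-group-ID program — or any program whose environment an attacker can influence — setting LIBCAPABILITY_NOAUTOSANDBOX turns the sandbox off for exactly the library code that was meant to handle untrusted data. On FreeBSD the usual guard is issetugid(3): `if (issetugid() == 0 && getenv("LIBCAPABILITY_NOAUTOSANDBOX") != NULL)` keeps the opt-out for ordinary users while ignoring it in privileged processes (issetugid is declared in <unistd.h>; the include list is outside this hunk, so confirm it is already pulled in). `servicename` is deliberately ignored here, which is fine for a first policy source, but a one-line comment such as `/* Only a global opt-out so far; per-service policy is not yet implemented. */` would stop callers from assuming the per-service granularity the man page text suggests.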
@@ -141,11 +152,11 @@
static void
lch_sandbox(int fd_sock, int fd_sandbox, int fd_ldso, int fd_libc,
- int fd_libz, int fd_libcapabilitym, int fd_devnull, u_int flags,
- const char *binname, char *const argv[])
+ int fd_libz, int fd_libbz2, int fd_libcapability, int fd_devnull,
+ u_int flags, const char *binname, char *const argv[])
{
char *env_caplibindex, *env_libcapability_sandbox_api;
- int fd_array[10];
+ int fd_array[11];
if (lc_limitfd(fd_devnull, LIBCAPABILITY_CAPMASK_DEVNULL) < 0)
return;
@@ -159,8 +170,10 @@
return;
if (lc_limitfd(fd_libz, LIBCAPABILITY_CAPMASK_LIBZ) < 0)
return;
- if (lc_limitfd(fd_libcapabilitym,
- LIBCAPABILITY_CAPMASK_LIBCAPABILITYM) < 0)
+ if (lc_limitfd(fd_libbz2, LIBCAPABILITY_CAPMASK_LIBBZ2) < 0)
+ return;
+ if (lc_limitfd(fd_libcapability,
+ LIBCAPABILITY_CAPMASK_LIBCAPABILITY) < 0)
return;
fd_array[0] = fd_devnull;
@@ -176,18 +189,20 @@
fd_array[5] = fd_ldso;
fd_array[6] = fd_libc;
fd_array[7] = fd_libz;
- fd_array[8] = fd_libcapabilitym;
- fd_array[9] = fd_devnull;
+ fd_array[8] = fd_libbz2;
+ fd_array[9] = fd_libcapability;
+ fd_array[10] = fd_devnull;
- if (lch_installfds(10, fd_array) < 0)
+ if (lch_installfds(11, fd_array) < 0)
return;
/*
* Pass library list into rtld-elf-cap.
*/
- if (asprintf(&env_caplibindex, "%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s",
+ if (asprintf(&env_caplibindex,
+ "%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s",
3, binname, 5, LD_ELF_CAP_SO, 6, LIBC_SO, 7, LIBZ_SO, 8,
- LIBCAPABILITYM_SO, 9, _PATH_DEVNULL) == -1)
+ LIBBZ2_SO, 9, LIBCAPABILITY_SO, 10, _PATH_DEVNULL) == -1)
return;
if (setenv("LD_CAPLIBINDEX", env_caplibindex, 1) == -1)
return;
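Review bot: The descriptor slot numbers now live in three places that must agree by hand — the stores `fd_array[8] = fd_libbz2;` / `fd_array[9] = fd_libcapability;` / `fd_array[10] = fd_devnull;`, the literal `11` passed to lch_installfds(), and the `8`, `9`, `10` in the LD_CAPLIBINDEX format arguments — and this change had to touch all three. A slip in any one of them makes rtld-elf-cap map a library name to the wrong descriptor with no error at this layer. Naming each slot once (`#define LCH_FD_LIBBZ2 8`, `#define LCH_FD_LIBCAPABILITY 9`, and so on) and using the names in both the array stores and the asprintf arguments, with `sizeof(fd_array) / sizeof(fd_array[0])` in place of the literal 11, removes the coupling. lch_sandbox() begins and ends outside this hunk.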
@@ -216,13 +231,14 @@
u_int flags, struct lc_sandbox **lcspp)
{
struct lc_sandbox *lcsp;
- int fd_devnull, fd_ldso, fd_libc, fd_libcapabilitym, fd_libz;
- int fd_procdesc, fd_sockpair[2];
+ int fd_devnull, fd_ldso, fd_libc, fd_libcapability, fd_libz;
+ int fd_libbz2, fd_procdesc, fd_sockpair[2];
int error, val;
pid_t pid;
- fd_devnull = fd_ldso = fd_libc = fd_libz = fd_libcapabilitym =
- fd_procdesc = fd_sockpair[0] = fd_sockpair[1] = -1;
+ fd_devnull = fd_ldso = fd_libc = fd_libz = fd_libbz2 =
+ fd_libcapability = fd_procdesc = fd_sockpair[0] =
+ fd_sockpair[1] = -1;
lcsp = malloc(sizeof(*lcsp));
if (lcsp == NULL)
@@ -236,7 +252,9 @@
goto out_error;
if (ld_caplibindex_lookup(LIBZ_SO, &fd_libz) < 0)
goto out_error;
- if (ld_caplibindex_lookup(LIBCAPABILITYM_SO, &fd_libcapabilitym) < 0)
+ if (ld_caplibindex_lookup(LIBBZ2_SO, &fd_libbz2) < 0)
+ goto out_error;
+ if (ld_caplibindex_lookup(LIBCAPABILITY_SO, &fd_libcapability) < 0)
goto out_error;
if (ld_caplibindex_lookup(_PATH_DEVNULL, &fd_devnull) < 0)
goto out_error;
@@ -253,9 +271,13 @@
if (fd_libz < 0)
goto out_error;
- fd_libcapabilitym = open(_PATH_USR_LIB "/" LIBCAPABILITYM_SO,
+ fd_libbz2 = open(_PATH_USR_LIB "/" LIBBZ2_SO, O_RDONLY);
+ if (fd_libbz2 < 0)
+ goto out_error;
+
+ fd_libcapability = open(_PATH_USR_LIB "/" LIBCAPABILITY_SO,
O_RDONLY);
- if (fd_libcapabilitym < 0)
+ if (fd_libcapability < 0)
goto out_error;
fd_devnull = open(_PATH_DEVNULL, O_RDWR);
@@ -280,14 +302,15 @@
}
if (pid == 0) {
lch_sandbox(fd_sockpair[1], fd_sandbox, fd_ldso, fd_libc,
- fd_libz, fd_libcapabilitym, fd_devnull, flags, binname,
- argv);
+ fd_libz, fd_libbz2, fd_libcapability, fd_devnull, flags,
+ binname, argv);
exit(-1);
}
#ifndef IN_CAP_MODE
close(fd_devnull);
- close(fd_libcapabilitym);
+ close(fd_libcapability);
close(fd_libz);
+ close(fd_libbz2);
close(fd_libc);
close(fd_ldso);
#endif
@@ -309,10 +332,12 @@
#ifndef IN_CAP_MODE
if (fd_devnull != -1)
close(fd_devnull);
- if (fd_libcapabilitym != -1)
- close(fd_libcapabilitym);
+ if (fd_libcapability != -1)
+ close(fd_libcapability);
if (fd_libz != -1)
close(fd_libz);
+ if (fd_libbz2 != -1)
+ close(fd_libbz2);
if (fd_libc != -1)
close(fd_libc);
if (fd_ldso != -1)