PERFORCE change 164486 for review

Robert Watson rwatson at FreeBSD.org
Tue Jun 16 09:01:29 UTC 2009


http://perforce.freebsd.org/chv.cgi?CH=164486

Change 164486 by rwatson at rwatson_freebsd_capabilities on 2009/06/16 09:01:21

	Add a new libcapability host API function,
	lch_autosandbox_isenabled(), which allows self-compartmentalizing
	libraries and tools to query policy of an unspecified source for
	whether they should run in sandboxes or not.  Implement one source
	of policy, the environment variable LIBCAPABILITY_NOAUTOSANDBOX.
	
	Pass libbz2.so into sandboxes for experimentation purposes -- we'll 
	teach rtld to do something more sensible in the future.
	
	Pass in libcapability rather than libcapabilitym -- still thinking
	about the best way to differentiate the link-time environments
	inside sandboxes from those outside, and one good reason to provide
	the extra-sandbox symbols in a sandbox is that then we can run the
	same binary in both environments avoiding the need for extra
	binaries.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.3#5 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 (text+ko) ====

@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#17 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#18 $
  */
 
 #ifndef _LIBCAPABILITY_H_
@@ -45,6 +45,12 @@
 int	lc_limitfd(int fd, cap_rights_t rights);
 
 /*
+ * Global policy interface to ask whether we should, in fact, sandbox a
+ * particular optionally sandboxed service, by name.
+ */
+int	lch_autosandbox_isenabled(const char *servicename);
+
+/*
  * Interfaces to start and stop capability mode sandboxs.
  */
 int	lch_start(const char *sandbox, char *const argv[],
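Review bot: The comment on the new lch_autosandbox_isenabled() prototype says what the function asks but not what it answers, and this header is the only contract most callers will read. The .c hunk in this change returns 1 when sandboxing should proceed and 0 when policy disables it, so the comment should state that convention, e.g. ` * Returns non-zero if the named service should run sandboxed, 0 if global policy disables sandboxing for it.` It would also help to say that servicename is currently informational only, since the implementation marks it __unused.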

==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.3#5 (text+ko) ====

@@ -55,6 +55,8 @@
 .Ft void
 .Fn lch_stop "struct lc_sandbox *lcsp"
 .Ft int
+.Fn lch_autosandbox_isenabled "const char *servicename"
+.Ft int
 .Fn lch_getsock "struct lc_sandbox *lcsp" "int *fdp"
 .Ft int
 .Fn lch_getpid "struct lc_sandbox *lcsp" "pid_t *pidp"
@@ -139,6 +141,13 @@
 .Va lchp
 argument will no longer be valid.
 .Pp
+Libraries and tools performing self-compartmentalization can use the
+interface
+.Nm lch_autosandbox_isenabled
+along with a unique string identifying their service to determine whether or
+not a global policy affecting the service requires sandboxing to be enabled
+or not.
+.Pp
 Properties of the sandbox, such as the socket used to communicate with it,
 the proces descriptor for the sandbox process, and the pid, may be queried
 using

==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 (text+ko) ====

@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#14 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#15 $
  */
 
 #include <sys/param.h>
@@ -61,14 +61,16 @@
 #define	LIBCAPABILITY_CAPMASK_SANDBOX	LIBCAPABILITY_CAPMASK_BIN
 #define	LIBCAPABILITY_CAPMASK_LDSO	LIBCAPABILITY_CAPMASK_BIN
 #define	LIBCAPABILITY_CAPMASK_LIBC	LIBCAPABILITY_CAPMASK_BIN
-#define	LIBCAPABILITY_CAPMASK_LIBCAPABILITYM	LIBCAPABILITY_CAPMASK_BIN
+#define	LIBCAPABILITY_CAPMASK_LIBCAPABILITY	LIBCAPABILITY_CAPMASK_BIN
 #define	LIBCAPABILITY_CAPMASK_LIBZ	LIBCAPABILITY_CAPMASK_BIN
+#define	LIBCAPABILITY_CAPMASK_LIBBZ2	LIBCAPABILITY_CAPMASK_BIN
 
 #define	_PATH_LIB	"/lib"
 #define	_PATH_USR_LIB	"/usr/lib"
 #define	LIBC_SO	"libc.so.7"
 #define	LIBZ_SO	"libz.so.4"
-#define	LIBCAPABILITYM_SO	"libcapabilitym.so.1"
+#define	LIBBZ2_SO	"libbz2.so.3"
+#define	LIBCAPABILITY_SO	"libcapability.so.1"
 
 extern char **environ;
 
@@ -81,6 +83,15 @@
 
 int	closefrom(int lowfd);
 
+int
+lch_autosandbox_isenabled(__unused const char *servicename)
+{
+
+	if (getenv("LIBCAPABILITY_NOAUTOSANDBOX") != NULL)
+		return (0);
+	return (1);
+}
+
 /*
  * Install an array of file descriptors using the array index of each
  * descriptor in the array as its destination file descriptor number.  All
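Review bot: lch_autosandbox_isenabled() honours LIBCAPABILITY_NOAUTOSANDBOX unconditionally, so in a set-user-ID or otherwise privileged process the unprivileged invoker can switch sandboxing off simply by exporting the variable before exec. Mirroring how libc and rtld treat LD_* variables, the lookup should be skipped when the process is tainted: `if (!issetugid() && getenv("LIBCAPABILITY_NOAUTOSANDBOX") != NULL) return (0);`. Note also that only presence is tested, so an empty value disables sandboxing as well; that, and the fact that servicename is not consulted, deserves a short comment above the function such as `/* Policy source: presence of LIBCAPABILITY_NOAUTOSANDBOX in the environment (value ignored); servicename is reserved for per-service policy. */`. The environment variable is not mentioned in the man page hunk of this change either.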
@@ -141,11 +152,11 @@
 
 static void
 lch_sandbox(int fd_sock, int fd_sandbox, int fd_ldso, int fd_libc,
-    int fd_libz, int fd_libcapabilitym, int fd_devnull, u_int flags,
-    const char *binname, char *const argv[])
+    int fd_libz, int fd_libbz2, int fd_libcapability, int fd_devnull,
+    u_int flags, const char *binname, char *const argv[])
 {
 	char *env_caplibindex, *env_libcapability_sandbox_api;
-	int fd_array[10];
+	int fd_array[11];
 
 	if (lc_limitfd(fd_devnull, LIBCAPABILITY_CAPMASK_DEVNULL) < 0)
 		return;
@@ -159,8 +170,10 @@
 		return;
 	if (lc_limitfd(fd_libz, LIBCAPABILITY_CAPMASK_LIBZ) < 0)
 		return;
-	if (lc_limitfd(fd_libcapabilitym,
-	    LIBCAPABILITY_CAPMASK_LIBCAPABILITYM) < 0)
+	if (lc_limitfd(fd_libbz2, LIBCAPABILITY_CAPMASK_LIBBZ2) < 0)
+		return;
+	if (lc_limitfd(fd_libcapability,
+	    LIBCAPABILITY_CAPMASK_LIBCAPABILITY) < 0)
 		return;
 
 	fd_array[0] = fd_devnull;
@@ -176,18 +189,20 @@
 	fd_array[5] = fd_ldso;
 	fd_array[6] = fd_libc;
 	fd_array[7] = fd_libz;
-	fd_array[8] = fd_libcapabilitym;
-	fd_array[9] = fd_devnull;
+	fd_array[8] = fd_libbz2;
+	fd_array[9] = fd_libcapability;
+	fd_array[10] = fd_devnull;
 
-	if (lch_installfds(10, fd_array) < 0)
+	if (lch_installfds(11, fd_array) < 0)
 		return;
 
 	/*
 	 * Pass library list into rtld-elf-cap.
 	 */
-	if (asprintf(&env_caplibindex, "%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s",
+	if (asprintf(&env_caplibindex,
+	    "%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s,%d:%s",
 	    3, binname, 5, LD_ELF_CAP_SO, 6, LIBC_SO, 7, LIBZ_SO, 8,
-	    LIBCAPABILITYM_SO, 9, _PATH_DEVNULL) == -1)
+	    LIBBZ2_SO, 9, LIBCAPABILITY_SO, 10, _PATH_DEVNULL) == -1)
 		return;
 	if (setenv("LD_CAPLIBINDEX", env_caplibindex, 1) == -1)
 		return;
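Review bot: The sandbox fd slot numbers are maintained by hand in three places that must agree: the fd_array[N] assignments, the literal count passed to lch_installfds(), and the literal indices (3, 5, 6, 7, 8, 9, 10) baked into the LD_CAPLIBINDEX asprintf() call, and this change had to edit all three in lock-step to insert libbz2. A mismatch would silently hand rtld the wrong descriptor for a library, so the count should at least be derived from the array, `lch_installfds(sizeof(fd_array) / sizeof(fd_array[0]), fd_array)`, and the slot numbers given names (an enum such as FD_SLOT_LIBZ = 7) used both when filling fd_array and when formatting the index string. lch_sandbox() begins and ends outside this hunk.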
@@ -216,13 +231,14 @@
     u_int flags, struct lc_sandbox **lcspp)
 {
 	struct lc_sandbox *lcsp;
-	int fd_devnull, fd_ldso, fd_libc, fd_libcapabilitym, fd_libz;
-	int fd_procdesc, fd_sockpair[2];
+	int fd_devnull, fd_ldso, fd_libc, fd_libcapability, fd_libz;
+	int fd_libbz2, fd_procdesc, fd_sockpair[2];
 	int error, val;
 	pid_t pid;
 
-	fd_devnull = fd_ldso = fd_libc = fd_libz = fd_libcapabilitym =
-	    fd_procdesc = fd_sockpair[0] = fd_sockpair[1] = -1;
+	fd_devnull = fd_ldso = fd_libc = fd_libz = fd_libbz2 =
+	    fd_libcapability = fd_procdesc = fd_sockpair[0] =
+	    fd_sockpair[1] = -1;
 
 	lcsp = malloc(sizeof(*lcsp));
 	if (lcsp == NULL)
@@ -236,7 +252,9 @@
 		goto out_error;
 	if (ld_caplibindex_lookup(LIBZ_SO, &fd_libz) < 0)
 		goto out_error;
-	if (ld_caplibindex_lookup(LIBCAPABILITYM_SO, &fd_libcapabilitym) < 0)
+	if (ld_caplibindex_lookup(LIBBZ2_SO, &fd_libbz2) < 0)
+		goto out_error;
+	if (ld_caplibindex_lookup(LIBCAPABILITY_SO, &fd_libcapability) < 0)
 		goto out_error;
 	if (ld_caplibindex_lookup(_PATH_DEVNULL, &fd_devnull) < 0)
 		goto out_error;
@@ -253,9 +271,13 @@
 	if (fd_libz < 0)
 		goto out_error;
 
-	fd_libcapabilitym = open(_PATH_USR_LIB "/" LIBCAPABILITYM_SO,
+	fd_libbz2 = open(_PATH_USR_LIB "/" LIBBZ2_SO, O_RDONLY);
+	if (fd_libbz2 < 0)
+		goto out_error;
+
+	fd_libcapability = open(_PATH_USR_LIB "/" LIBCAPABILITY_SO,
 	    O_RDONLY);
-	if (fd_libcapabilitym < 0)
+	if (fd_libcapability < 0)
 		goto out_error;
 
 	fd_devnull = open(_PATH_DEVNULL, O_RDWR);
@@ -280,14 +302,15 @@
 	}
 	if (pid == 0) {
 		lch_sandbox(fd_sockpair[1], fd_sandbox, fd_ldso, fd_libc,
-		    fd_libz, fd_libcapabilitym, fd_devnull, flags, binname,
-		    argv);
+		    fd_libz, fd_libbz2, fd_libcapability, fd_devnull, flags,
+		    binname, argv);
 		exit(-1);
 	}
 #ifndef IN_CAP_MODE
 	close(fd_devnull);
-	close(fd_libcapabilitym);
+	close(fd_libcapability);
 	close(fd_libz);
+	close(fd_libbz2);
 	close(fd_libc);
 	close(fd_ldso);
 #endif
@@ -309,10 +332,12 @@
 #ifndef IN_CAP_MODE
 	if (fd_devnull != -1)
 		close(fd_devnull);
-	if (fd_libcapabilitym != -1)
-		close(fd_libcapabilitym);
+	if (fd_libcapability != -1)
+		close(fd_libcapability);
 	if (fd_libz != -1)
 		close(fd_libz);
+	if (fd_libbz2 != -1)
+		close(fd_libbz2);
 	if (fd_libc != -1)
 		close(fd_libc);
 	if (fd_ldso != -1)

