PERFORCE change 177356 for review
Jonathan Anderson
jona at FreeBSD.org
Mon Apr 26 14:48:35 UTC 2010
http://p4web.freebsd.org/@@177356?ac=10
Change 177356 by jona at jona-belle-freebsd8 on 2010/04/26 14:47:37
Create LD_PRELOAD for sandbox
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#19 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#19 (text+ko) ====
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#18 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#19 $
*/
#include <sys/param.h>
@@ -41,6 +41,7 @@
#include <sys/socket.h>
#include <sys/uio.h>
+#define _WITH_DPRINTF
#include <err.h>
#include <errno.h>
#include <fcntl.h>
@@ -67,6 +68,8 @@
#define LIBCAPSICUM_CAPMASK_FDLIST CAP_READ | CAP_WRITE | CAP_FTRUNCATE \
| CAP_FSTAT | CAP_MMAP
+#define LIBCAPSICUM_CAPMASK_STDOUT CAP_WRITE | CAP_SEEK | CAP_FSTAT
+
extern char **environ;
#define LD_ELF_CAP_SO "ld-elf-cap.so.1"
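Review bot: The new `LIBCAPSICUM_CAPMASK_STDOUT` expands to an unparenthesised `|` chain, so a use such as `mask & LIBCAPSICUM_CAPMASK_STDOUT` would apply the `&` to `CAP_WRITE` only. The uses visible in this change sit inside a `?:` and parse as intended, but I would define it as `#define LIBCAPSICUM_CAPMASK_STDOUT (CAP_WRITE | CAP_SEEK | CAP_FSTAT)`; the `LIBCAPSICUM_CAPMASK_FDLIST` context line above has the same shape. Because this adds `CAP_FSTAT` to the rights the sandbox holds on its output descriptors, a one-line comment naming what needs fstat there would help a later least-privilege review.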
@@ -123,12 +126,12 @@
if (lc_fdlist_addcap(fds, LIBCAPSICUM_FQNAME, "stdout", "",
STDOUT_FILENO,
- (flags & LCH_PERMIT_STDOUT) ? CAP_WRITE | CAP_SEEK : 0) < 0)
+ (flags & LCH_PERMIT_STDOUT) ? LIBCAPSICUM_CAPMASK_STDOUT : 0) < 0)
err(-1, "Error in lc_fdlist_addcap(stdout)");
if (lc_fdlist_addcap(fds, LIBCAPSICUM_FQNAME, "stderr", "",
STDERR_FILENO,
- (flags & LCH_PERMIT_STDERR) ? CAP_WRITE | CAP_SEEK : 0) < 0)
+ (flags & LCH_PERMIT_STDERR) ? LIBCAPSICUM_CAPMASK_STDOUT : 0) < 0)
err(-1, "Error in lc_fdlist_addcap(stderr)");
if (lc_fdlist_addcap(fds, LIBCAPSICUM_FQNAME, "socket", "",
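Review bot: The stderr entry is now granted `LIBCAPSICUM_CAPMASK_STDOUT`, which reads like a copy-paste slip even though the two streams are presumably meant to carry the same rights. Either give the mask a name that covers both streams or add a separate `LIBCAPSICUM_CAPMASK_STDERR`, so that a later change to the stdout rights does not silently change stderr as well. The enclosing function begins and ends outside this hunk.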
@@ -147,9 +150,6 @@
fd_binary, LIBCAPSICUM_CAPMASK_SANDBOX) < 0)
err(-1, "Error in lc_fdlist_addcap(fd_binary)");
- if (lc_fdlist_append(fds, userfds) < 0)
- err(-1, "Error in lc_fdlist_append()");
-
/*
* Ask RTLD for library path descriptors.
*
@@ -170,15 +170,23 @@
break;
}
- for (int j = 0; j < size; j++)
- if (lc_fdlist_addcap(fds, RTLD_CAP_FQNAME, "libdir", "",
+ for (int j = 0; j < size; j++) {
+ if (lc_fdlist_addcap(fds, RTLD_CAP_FQNAME, "LibraryDirectory", "",
libdirs[j], LIBCAPSICUM_CAPMASK_LIBDIR) < 0)
err(-1, "Error in lc_fdlist_addcap(libdirs[%d]: %d)",
j, libdirs[j]);
+ }
+ /* Append user FD list and reorder the descriptors */
+ if (lc_fdlist_append(fds, userfds) < 0)
+ err(-1, "Error in lc_fdlist_append()");
+
if (lc_fdlist_reorder(fds) < 0)
err(-1, "Error in lc_fdlist_reorder()");
+
+
+
/*
* Find the fdlist shared memory segment.
*/
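Review bot: Moving `lc_fdlist_append(fds, userfds)` to after the library-directory loop puts caller-supplied entries in the list before the later `lc_fdlist_lookup` loops run, so a user entry named `LibraryDirectory` or `PreloadLibrary` under `RTLD_CAP_FQNAME` would presumably be exported to the run-time linker with whatever rights the caller left on it. If that is the intended way to supply preload libraries, the added comment should say so, for example `/* User entries are appended last; RTLD-named ones are handed to rtld as given, so the caller must limit their rights */`. The three blank lines added after `lc_fdlist_reorder` can be dropped. The function starts and ends outside this hunk.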
@@ -228,7 +236,7 @@
err(-1, "Error in setenv(LD_BINARY)");
/*
- * Build LD_LIBRARY_DIRS for RTLD.
+ * Build LD_LIBRARY_DIRS and LD_PRELOAD for RTLD.
*
* NOTE: This is FreeBSD-specific; porting to other operating systems
* will require dynamic linkers capable of operating on file
@@ -240,8 +248,9 @@
{
int fd;
- while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "libdir", NULL,
- &fd, &pos) >= 0)
+ pos = 0;
+ while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "LibraryDirectory",
+ NULL, &fd, &pos) >= 0)
sbuf_printf(sbufp, "%d:", fd);
}
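Review bot: The entry name `"LibraryDirectory"` is now written out both in this lookup and in the `lc_fdlist_addcap` call of the earlier hunk, and a mismatch between the two spellings would silently yield an empty `LD_LIBRARY_DIRS`. A shared constant, for example `#define RTLD_CAP_LIBDIR_NAME "LibraryDirectory"`, would keep the producer and the consumer in step. The same applies to `"PreloadLibrary"` in the following hunk. The braced block is part of a function whose start and end are outside the hunk.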
@@ -252,10 +261,30 @@
err(-1, "Error in setenv(LD_LIBRARY_DIRS)");
sbuf_delete(sbufp);
+ sbufp = sbuf_new_auto();
+ if (sbufp == NULL)
+ err(-1, "Error in sbuf_new_auto()");
+
+ {
+ int fd;
+ pos = 0;
+ while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "PreloadLibrary",
+ NULL, &fd, &pos) >= 0)
+ sbuf_printf(sbufp, "%d:", fd);
+ }
+
+ sbuf_finish(sbufp);
+ if (sbuf_overflowed(sbufp))
+ err(-1, "sbuf_overflowed()");
+ if (setenv("LD_PRELOAD", sbuf_data(sbufp), 1) == -1)
+ err(-1, "Error in setenv(LD_PRELOAD)");
+ sbuf_delete(sbufp);
+
if (cap_enter() < 0)
err(-1, "cap_enter() failed");
(void)fexecve(fd_rtld, argv, environ);
+ dprintf(2, "ERROR: fexecve() failed; errno = %d\n", errno);
}
int
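Review bot: When `fexecve()` fails, the added `dprintf` only logs and control then falls off the end of the function, so the child, already in capability mode after `cap_enter()`, returns into its caller unless something outside this hunk exits. Every other failure path here terminates through `err()`, so I would replace the new line with `err(-1, "Error in fexecve()");`, which also prints the errno text rather than the bare number and makes `_WITH_DPRINTF` unnecessary. Separately, `err(-1, "sbuf_overflowed()")` appends the message for an errno that may be unrelated to the overflow; `errx` fits better. The LD_PRELOAD block repeats the LD_LIBRARY_DIRS one almost line for line and could share a small static helper taking the entry name and the variable name.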