PERFORCE change 174156 for review
Robert Watson
rwatson at FreeBSD.org
Tue Feb 2 16:50:55 UTC 2010
http://p4web.freebsd.org/chv.cgi?CH=174156
Change 174156 by rwatson at rwatson_vimage_client on 2010/02/02 16:50:26
Style tweaks.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#4 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#12 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#10 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#11 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#6 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox.c#4 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#4 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_io.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#4 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#3 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.c#4 $
*/
#include <sys/types.h>
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#12 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#11 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum.h#12 $
*/
#ifndef _LIBCAPSICUM_H_
@@ -45,15 +45,6 @@
struct lc_host;
/*
- * Description of a library passed to lch_start_libs().
- */
-struct lc_library {
- const char *lcl_libpath;
- const char *lcl_libname;
- int lcl_fd;
-};
-
-/*
* A list of file descriptors, which can be passed around in shared memory.
*/
struct lc_fdlist;
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#10 (text+ko) ====
@@ -6,9 +6,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#9 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_fdlist.c#10 $
*/
#include <sys/mman.h>
@@ -99,7 +99,6 @@
UNLOCK(&global_fdlist);
return (&global_fdlist);
}
-
env = getenv(LIBCAPSICUM_SANDBOX_FDLIST);
if ((env != NULL) && (strnlen(env, 8) < 7)) {
struct lc_fdlist_storage *lfsp;
@@ -430,8 +429,8 @@
LOCK(lfp);
lfsp = lfp->lf_storage;
- if ((subsystem == NULL) || (classname == NULL) || (name == NULL)
- || (fdp == NULL) || ((pos != NULL) && (*pos >= (int) lfsp->count))) {
+ if ((subsystem == NULL) || (classname == NULL) || (name == NULL) ||
+ (fdp == NULL) || ((pos != NULL) && (*pos >= (int) lfsp->count))) {
errno = EINVAL;
return (-1);
}
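Review bot: The EINVAL path at `return (-1);` leaves `lfp` locked: `LOCK(lfp)` is taken two lines above the rewrapped condition and no `UNLOCK(lfp)` precedes the return, so the next call on the same list will block or misbehave depending on how LOCK is implemented. Either add `UNLOCK(lfp);` immediately before `return (-1);`, or validate the pointer arguments before taking the lock and keep only the `*pos >= (int) lfsp->count` bound check under it. The enclosing function begins outside the hunk.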
@@ -441,23 +440,22 @@
int size = entry->syslen + entry->classnamelen + entry->namelen;
char *head = malloc(size);
- strncpy(head, names + entry->sysoff, entry->syslen + 1);
+ strncpy(head, names + entry->sysoff, entry->syslen + 1);
*subsystem = head;
head += size;
- strncpy(head, names + entry->classoff, entry->classnamelen + 1);
+ strncpy(head, names + entry->classoff, entry->classnamelen + 1);
*classname = head;
head += size;
- strncpy(head, names + entry->nameoff, entry->namelen + 1);
+ strncpy(head, names + entry->nameoff, entry->namelen + 1);
*name = head;
head += size;
*fdp = entry->fd;
UNLOCK(lfp);
-
- if (pos) (*pos)++;
-
+ if (pos)
+ (*pos)++;
return (0);
}
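Review bot: The three `strncpy()` calls write past the allocation: `head` is `malloc(size)` with `size = entry->syslen + entry->classnamelen + entry->namelen`, yet after each copy `head += size` advances by the whole allocation, so the classname and name copies land at offsets `size` and `2*size` of a `size`-byte block. The block also has no room for the three NUL terminators that the `len + 1` counts copy, and the `malloc()` result is never checked before the first copy. Each copy should advance by its own length plus one, the buffer should be sized for the terminators, and an allocation failure should unlock and return; this assumes the `names` region holds NUL-terminated strings of the recorded lengths, which the hunk does not show. The function and its documentation of who frees the single allocation returned through `*subsystem` start outside the hunk.
```c
	int size = entry->syslen + entry->classnamelen + entry->namelen + 3;
	char *head = malloc(size);
	if (head == NULL) {
		UNLOCK(lfp);
		return (-1);
	}
	strncpy(head, names + entry->sysoff, entry->syslen + 1);
	*subsystem = head;
	head += entry->syslen + 1;
	strncpy(head, names + entry->classoff, entry->classnamelen + 1);
	*classname = head;
	head += entry->classnamelen + 1;
	strncpy(head, names + entry->nameoff, entry->namelen + 1);
	*name = head;
	/* … unchanged: *fdp = entry->fd, UNLOCK(lfp), pos increment, return … */
```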
@@ -547,7 +545,8 @@
}
void*
-_lc_fdlist_getstorage(struct lc_fdlist* lfp) {
- return lfp->lf_storage;
+_lc_fdlist_getstorage(struct lc_fdlist* lfp)
+{
+
+ return (lfp->lf_storage);
}
-
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#11 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#10 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host.c#11 $
*/
#include <sys/param.h>
@@ -89,10 +89,16 @@
return (1);
}
-
+/*
+ * Once in the child process, create the new sandbox.
+ *
+ * XXX: A number of things happen here that are not safe after fork(),
+ * especially calls to err().
+ */
static void
-lch_sandbox(int fd_sock, int fd_binary, int fd_rtld, int fd_devnull, u_int flags,
- const char *binname, char *const argv[], __unused struct lc_fdlist *userfds)
+lch_sandbox(int fd_sock, int fd_binary, int fd_rtld, int fd_devnull,
+ u_int flags, const char *binname, char *const argv[],
+ struct lc_fdlist *userfds)
{
struct sbuf *sbufp;
int shmfd = -1;
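Review bot: The new XXX comment would be more useful if it named the concrete hazard: `err()` finishes with `exit(3)`, which in the forked child runs the parent's `atexit(3)` handlers and flushes stdio buffers inherited across `fork()`, so output can be duplicated and handlers run twice; the `exit(-1)` after the `lch_sandbox()` call in the later hunk of this file has the same problem. Suggested wording: `XXX: err() calls exit(3), which runs atexit(3) handlers and flushes stdio buffers inherited from the parent; the child should report with warn() and leave via _exit(2) instead.` Dropping `__unused` from `userfds` is only correct if the body now references it, which this hunk does not show; otherwise `-Wunused-parameter` builds will warn. The body of `lch_sandbox()` continues beyond the hunk.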
@@ -160,41 +166,38 @@
/*
* Ask RTLD for library path descriptors.
*
- * NOTE: This is FreeBSD-specific; porting to other operating systems will
- * require dynamic linkers capable of answering similar queries.
+ * NOTE: This is FreeBSD-specific; porting to other operating systems
+ * will require dynamic linkers capable of answering similar queries.
*/
int size = 16;
int *libdirs;
while (1) {
libdirs = malloc(size * sizeof(int));
-
if (ld_libdirs(libdirs, &size) < 0) {
free(libdirs);
-
- if (size > 0) continue;
- else err(-1, "Error in ld_libdirs()");
- }
- else break;
+ if (size > 0)
+ continue;
+ err(-1, "Error in ld_libdirs()");
+ } else
+ break;
}
-
for (int j = 0; j < size; j++)
if (lc_fdlist_addcap(fds, RTLD_CAP_FQNAME, "libdir", "",
- libdirs[j], LIBCAPSICUM_CAPMASK_LIBDIR) < 0)
+ libdirs[j], LIBCAPSICUM_CAPMASK_LIBDIR) < 0)
err(-1, "Error in lc_fdlist_addcap(libdirs[%d]: %d)",
j, libdirs[j]);
if (lc_fdlist_reorder(fds) < 0)
err(-1, "Error in lc_fdlist_reorder()");
-
/*
* Find the fdlist shared memory segment.
*/
int pos = 0;
- if (lc_fdlist_lookup(fds, LIBCAPSICUM_FQNAME, "fdlist", NULL,
- &shmfd, &pos) < 0)
+ if (lc_fdlist_lookup(fds, LIBCAPSICUM_FQNAME, "fdlist", NULL, &shmfd,
+ &pos) < 0)
err(-1, "Error in lc_fdlist_lookup(fdlist)");
char tmp[8];
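Review bot: `libdirs = malloc(size * sizeof(int))` is handed to `ld_libdirs()` without a NULL check; if the callee rejects a NULL buffer and still reports a positive `size`, the restructured retry loop spins instead of failing. Add `if (libdirs == NULL) err(-1, "malloc(libdirs)");` right after the allocation, where `err()` is already the error convention in this function. Separately, the `char tmp[8]` declared on the last line receives `sprintf(tmp, "%d", fd_binary)` in the next hunk; an `int` can format to 11 characters plus the terminator, so use `snprintf(tmp, sizeof tmp, "%d", fd_binary)` or size `tmp` for the worst case. The function's remaining body and any `free(libdirs)` lie outside the hunk.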
@@ -229,8 +232,8 @@
/*
* Find the binary for RTLD.
*/
- if (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "binary", NULL, &fd_binary,
- NULL) < 0)
+ if (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "binary", NULL,
+ &fd_binary, NULL) < 0)
err(-1, "Error in lc_fdlist_lookup(RTLD binary)");
sprintf(tmp, "%d", fd_binary);
@@ -240,8 +243,9 @@
/*
* Build LD_LIBRARY_DIRS for RTLD.
*
- * NOTE: This is FreeBSD-specific; porting to other operating systems will
- * require dynamic linkers capable of operating on file descriptors.
+ * NOTE: This is FreeBSD-specific; porting to other operating systems
+ * will require dynamic linkers capable of operating on file
+ * descriptors.
*/
sbufp = sbuf_new_auto();
if (sbufp == NULL)
@@ -249,8 +253,8 @@
{
int fd;
- while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "libdir",
- NULL, &fd, &pos) >= 0)
+ while (lc_fdlist_lookup(fds, RTLD_CAP_FQNAME, "libdir", NULL,
+ &fd, &pos) >= 0)
sbuf_printf(sbufp, "%d:", fd);
}
@@ -261,7 +265,6 @@
err(-1, "Error in setenv(LD_LIBRARY_DIRS)");
sbuf_delete(sbufp);
-
if (cap_enter() < 0)
err(-1, "cap_enter() failed");
@@ -334,8 +337,8 @@
goto out_error;
}
if (pid == 0) {
- lch_sandbox(fd_sockpair[1], fd_binary, fd_rtld, fd_devnull, flags,
- binname, argv, fds);
+ lch_sandbox(fd_sockpair[1], fd_binary, fd_rtld, fd_devnull,
+ flags, binname, argv, fds);
exit(-1);
}
#ifndef IN_CAP_MODE
@@ -380,11 +383,11 @@
int
lch_startfd(int fd_binary, const char *binname, char *const argv[],
- u_int flags, __unused struct lc_fdlist *fds, struct lc_sandbox **lcspp)
+ u_int flags, struct lc_fdlist *fds, struct lc_sandbox **lcspp)
{
- return (lch_startfd_libs(fd_binary, binname, argv, flags,
- fds, lcspp));
+ return (lch_startfd_libs(fd_binary, binname, argv, flags, fds,
+ lcspp));
}
int
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#3 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#2 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_host_io.c#3 $
*/
#include <sys/param.h>
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#6 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,14 +30,14 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#5 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_internal.h#6 $
*/
#ifndef _LIBCAPSICUM_INTERNAL_H_
#define _LIBCAPSICUM_INTERNAL_H_
-#define LIBCAPSICUM_FQNAME "org.freebsd.libcapsicum"
-#define RTLD_CAP_FQNAME "org.freebsd.rtld-elf-cap"
+#define LIBCAPSICUM_FQNAME "org.freebsd.libcapsicum"
+#define RTLD_CAP_FQNAME "org.freebsd.rtld-elf-cap"
struct lc_host {
int lch_fd_sock;
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox.c#4 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#4 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#3 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_api.h#4 $
*/
#ifndef _LIBCAPSICUM_SANDBOX_API_H_
@@ -41,7 +41,7 @@
* make about the runtime environment set up by libcapsicum hosts.
*/
#define LIBCAPSICUM_SANDBOX_API_ENV "LIBCAPSICUM_SANDBOX"
-#define LIBCAPSICUM_SANDBOX_FDLIST "LIBCAPSICUM_FDLIST"
+#define LIBCAPSICUM_SANDBOX_FDLIST "LIBCAPSICUM_FDLIST"
#define LIBCAPSICUM_SANDBOX_API_SOCK "sock"
/*
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapsicum/libcapsicum_sandbox_io.c#3 (text+ko) ====
@@ -5,9 +5,9 @@
* WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
* ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
* UNEXPECTED WAYS.
- *
+ *
* This software was developed at the University of Cambridge Computer
- * Laboratory with support from a grant from Google, Inc.
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions