Re: capsicum(4): .. and SIGTRAP causing syscall really is in siginfo_t.si_errno?
Date: Wed, 12 Apr 2023 18:59:21 UTC
On Wed, 12 Apr 2023 at 10:49, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
>
> Hello.
>
> I am trying to capsicumize a simple daemon (for learning purposes
> as that runs only in the second line behind postfix), and i have
> a hard time as that thing is not designed for that (for said
> reasons). And want to say OpenBSD pledge/unveil was very easy,
Excellent, always happy to see folks exploring Capsicum.
Keep in mind that Capsicum and pledge/unveil are not equivalent, so
comparing the ease of applying one or the other isn't particularly
meaningful. Achieving similar security properties with pledge/unveil
as with Capsicum requires similar effort in decomposing and
refactoring existing applications.
> Anyhow. Regardless of 13.1-i386 or 12.2-amd64 (despite
> no_new_privs) i only see
>
> capsicum(4) violation (syscall 93, 4, 5, 0); please report this bug
I'm not sure what you mean in the subject with respect to the syscall
in siginfo_t.si_errno. It looks like this is ENOTCAPABLE, which means
an attempt to perform an operation on an fd that you are not allowed
to do - for example, calling write() on an fd which has had
cap_rights_limit() applied without CAP_WRITE. errno 94 is ECAPMODE.
This could be for example trying to use open() in capability mode,
which is just not permitted (openat() is).
> This takes the usual shortcut of only sandboxing the last input file.
> It's a first cut and this program will be easy to adapt to sandbox all
> files in the future
>
> from a December 2016 commit message, and i like the word "easy".
cap_fileargs() didn't exist in December 2016 and there was not yet a
straightforward, performant and desirable way to apply Capsicum to
existing applications that operate on a list of files provided on the
command line.
For a more recent change that makes use of cap_fileargs a good example
commit is:
commit 802c2095b5a6dcf0f63c473cbba1e40445e9052a
Author: Mark Johnston <markj@FreeBSD.org>
Date: Thu Aug 1 18:57:08 2019 +0000
Capsicumize readelf(1).
Reviewed by: oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D21108
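A worked illustration of the two failure modes the reply describes, added here as an example (it is not code from the thread, nor from the FreeBSD tree or the readelf commit above): the program limits a descriptor to CAP_READ, enters capability mode, and then shows write() failing with ENOTCAPABLE (93) while open() fails with ECAPMODE (94) and openat() against a directory descriptor opened beforehand still works. It also installs a SIGTRAP handler that reads si_errno and si_syscall, the fields FreeBSD's siginfo_t carries for TRAP_CAP signals, and enables per-process trapping with procctl(PROC_TRAPCAP_CTL) instead of the global kern.trap_enotcap sysctl. The Capsicum parts compile only on FreeBSD; the errno decoder uses the values 93 and 94 quoted in the reply so it builds elsewhere as well. The paths /dev/null and /tmp are arbitrary demo choices.

```c
/* Added example, not from the thread: decode Capsicum SIGTRAP siginfo and
 * exercise the ENOTCAPABLE / ECAPMODE failure modes described in the reply. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/wait.h>
#include <sys/procctl.h>
#include <sys/capsicum.h>
#endif

/* errno values quoted in the reply (FreeBSD's sys/errno.h); defined here so
 * the decoder also compiles on systems without Capsicum. */
#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93
#endif
#ifndef ECAPMODE
#define ECAPMODE 94
#endif

/* si_errno of a Capsicum SIGTRAP holds the errno, not the syscall number.
 * Return the meaning the reply gives for each value, or NULL for anything else. */
const char *capsicum_reason(int err)
{
    switch (err) {
    case ENOTCAPABLE: return "ENOTCAPABLE: fd lacks the right needed for this operation";
    case ECAPMODE:    return "ECAPMODE: syscall not permitted in capability mode";
    default:          return NULL;
    }
}

#ifdef __FreeBSD__
/* SIGTRAP handler: with trapping enabled the kernel sets si_code to TRAP_CAP,
 * si_errno to the error and si_syscall to the failing syscall's number; the
 * syscall then still returns that error to the caller. */
static void trapcap_handler(int sig, siginfo_t *si, void *ctx)
{
    char buf[80];
    int n;

    (void)sig; (void)ctx;
    if (si->si_code != TRAP_CAP)
        return;
    /* snprintf is not formally async-signal-safe; acceptable for a demo. */
    n = snprintf(buf, sizeof buf, "SIGTRAP: syscall %d failed with errno %d\n",
                 si->si_syscall, si->si_errno);
    if (n > 0)
        (void)write(STDERR_FILENO, buf, (size_t)n);
}

int main(void)
{
    struct sigaction sa;
    cap_rights_t rights;
    int flag = PROC_TRAPCAP_CTL_ENABLE;
    int fd, dirfd;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = trapcap_handler;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGTRAP, &sa, NULL) == -1)
        perror("sigaction");
    /* Per-process equivalent of sysctl kern.trap_enotcap=1. */
    if (procctl(P_PID, getpid(), PROC_TRAPCAP_CTL, &flag) == -1)
        perror("procctl");

    /* Descriptors must be acquired before entering the sandbox (the paths
     * are arbitrary demo choices). */
    fd = open("/dev/null", O_RDWR);
    dirfd = open("/tmp", O_RDONLY | O_DIRECTORY);
    if (fd == -1 || dirfd == -1) {
        perror("open");
        return 1;
    }
    cap_rights_init(&rights, CAP_READ);   /* deliberately no CAP_WRITE */
    if (cap_rights_limit(fd, &rights) == -1)
        perror("cap_rights_limit");
    if (cap_enter() == -1) {
        perror("cap_enter");
        return 1;
    }

    /* Failure mode 1: write() on an fd limited without CAP_WRITE -> ENOTCAPABLE. */
    if (write(fd, "x", 1) == -1)
        printf("write: errno %d -> %s\n", errno, capsicum_reason(errno));
    /* Failure mode 2: open() by path is never allowed in capability mode -> ECAPMODE. */
    if (open("/dev/null", O_RDONLY) == -1)
        printf("open: errno %d -> %s\n", errno, capsicum_reason(errno));
    /* openat() relative to a directory descriptor opened earlier is permitted. */
    if (openat(dirfd, ".", O_RDONLY) != -1)
        printf("openat: permitted in capability mode\n");
    return 0;
}
#endif
```

Because the handler returns instead of letting SIGTRAP's default action kill the process, each violating syscall still fails with its errno and the program carries on, so a single run prints both the kernel-side trap (syscall number plus errno on stderr) and the userland view of the same error on stdout.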