From: Ed Maste
Date: Wed, 12 Apr 2023 14:59:21 -0400
Subject: Re: capsicum(4): .. and SIGTRAP causing syscall really is in siginfo_t.si_errno?
To: Steffen Nurpmeso
Cc: freebsd-hackers@freebsd.org
In-Reply-To: <20230412144921.8plun%steffen@sdaoden.eu>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Wed, 12 Apr 2023 at 10:49, Steffen Nurpmeso wrote:
>
> Hello.
>
> I am trying to capsicumize a simple daemon (for learning purposes
> as that runs only in the second line behind postfix), and i have
> a hard time as that thing is not designed for that (for said
> reasons). And want to say OpenBSD pledge/unveil was very easy,

Excellent, always happy to see folks exploring Capsicum. Keep in mind
that Capsicum and pledge/unveil are not equivalent, so comparing the
ease of applying one or the other isn't particularly meaningful.
Achieving similar security properties with pledge/unveil as with
Capsicum requires similar effort in decomposing and refactoring
existing applications.

> Anyhow. Regardless of 13.1-i386 or 12.2-amd64 (despite
> no_new_privs) i only see
>
> capsicum(4) violation (syscall 93, 4, 5, 0); please report this bug

I'm not sure what you mean in the subject with respect to the syscall
in siginfo_t.si_errno.
It looks like this is ENOTCAPABLE, which means an attempt to perform an
operation on an fd that you are not allowed to do - for example, calling
write() on an fd which has had cap_rights_limit() applied without
CAP_WRITE.

errno 94 is ECAPMODE. This could be for example trying to use open() in
capability mode, which is just not permitted (openat() is).

> This takes the usual shortcut of only sandboxing the last input file.
> It's a first cut and this program will be easy to adapt to sandbox all
> files in the future
>
> from a December 2016 commit message, and i like the word "easy".

cap_fileargs() didn't exist in December 2016 and there was not yet a
straightforward, performant and desirable way to apply Capsicum to
existing applications that operate on a list of files provided on the
commandline. For a more recent change that makes use of cap_fileargs a
good example commit is:

commit 802c2095b5a6dcf0f63c473cbba1e40445e9052a
Author: Mark Johnston
Date:   Thu Aug 1 18:57:08 2019 +0000

    Capsicumize readelf(1).

    Reviewed by:    oshogbo
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D21108
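The two error classes Ed distinguishes above (ECAPMODE for a syscall that is never allowed in capability mode, ENOTCAPABLE for an fd missing a right) and the question in the subject line (what ends up in siginfo_t) can be reproduced in a few dozen lines. The program below is an added example, not code from this thread and not FreeBSD's own sources. It assumes a FreeBSD 12 or later host with /dev and /dev/null present; the struct name cap_result and the function names run_capsicum_experiment and cap_errno_meaning are mine. Only the errno decoder compiles on other operating systems.

```c
/* Added example (not from this thread or FreeBSD's own sources): reproduce the
 * two Capsicum error classes described above and read what the kernel puts in
 * siginfo_t for a violation.  Sandbox part is FreeBSD-only; elsewhere only the
 * errno decoder is compiled. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/procctl.h>
#include <sys/wait.h>
#endif
#ifndef ENOTCAPABLE  /* FreeBSD's values, so the decoder builds on other systems */
#define ENOTCAPABLE 93
#define ECAPMODE 94
#endif

/* Classify an errno from siginfo_t.si_errno (or errno after a failed call)
 * into the two cases distinguished in the reply above. */
const char *cap_errno_meaning(int err)
{
    switch (err) {
    case ENOTCAPABLE:
        return "ENOTCAPABLE: the fd lacks the capability right for this operation";
    case ECAPMODE:
        return "ECAPMODE: this syscall is never permitted in capability mode";
    default:
        return "not a Capsicum error";
    }
}

#ifdef __FreeBSD__
struct cap_result {
    int open_errno, write_errno;              /* expect ECAPMODE, ENOTCAPABLE */
    int openat_ok;                            /* openat() on pre-opened dirfd: 1 */
    int trap_code, trap_errno, trap_syscall;  /* copied from the SIGTRAP's siginfo_t */
};
static volatile sig_atomic_t trap_code, trap_errno, trap_syscall;

/* With PROC_TRAPCAP_CTL_ENABLE the violating call still fails with its errno,
 * and a SIGTRAP with si_code == TRAP_CAP is delivered on top of that. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    trap_code = si->si_code;
    trap_errno = si->si_errno;
    trap_syscall = si->si_syscall;
}

/* cap_enter() is irreversible, so the experiment runs in a forked child that
 * reports back over a pipe.  Returns 0 on success. */
int run_capsicum_experiment(struct cap_result *out)
{
    int pfd[2], ctl = PROC_TRAPCAP_CTL_ENABLE, devdir, nullfd;
    struct cap_result r = { 0 };
    struct sigaction sa = { 0 };
    cap_rights_t rights;
    pid_t pid;

    if (pipe(pfd) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid != 0) {                           /* parent: collect the result */
        close(pfd[1]);
        ssize_t n = read(pfd[0], out, sizeof *out);
        close(pfd[0]);
        waitpid(pid, NULL, 0);
        return n == (ssize_t)sizeof *out ? 0 : -1;
    }
    sa.sa_sigaction = on_sigtrap; sa.sa_flags = SA_SIGINFO;
    sigaction(SIGTRAP, &sa, NULL);
    procctl(P_PID, getpid(), PROC_TRAPCAP_CTL, &ctl);
    /* Everything the sandbox will need is opened before entering it. */
    devdir = open("/dev", O_RDONLY | O_DIRECTORY);
    nullfd = open("/dev/null", O_RDWR);
    cap_rights_init(&rights, CAP_READ);       /* deliberately no CAP_WRITE */
    if (devdir == -1 || nullfd == -1 ||
        cap_rights_limit(nullfd, &rights) == -1 || cap_enter() == -1)
        _exit(1);
    if (open("/dev/null", O_RDONLY) == -1)    /* open(2) itself: ECAPMODE */
        r.open_errno = errno;
    r.trap_code = trap_code;                  /* filled in by the handler */
    r.trap_errno = trap_errno;
    r.trap_syscall = trap_syscall;
    r.openat_ok = openat(devdir, "null", O_RDONLY) != -1;   /* permitted */
    if (write(nullfd, "x", 1) == -1)          /* missing right: ENOTCAPABLE */
        r.write_errno = errno;
    (void)write(pfd[1], &r, sizeof r);
    _exit(0);
}
#endif

int main(void)
{
#ifdef __FreeBSD__
    struct cap_result r;
    if (run_capsicum_experiment(&r) != 0)
        return 1;
    printf("open(): %s\nopenat(): %s\nwrite(): %s\n", cap_errno_meaning(r.open_errno),
           r.openat_ok ? "succeeded" : "failed", cap_errno_meaning(r.write_errno));
    printf("SIGTRAP: si_code=%d (TRAP_CAP=%d) si_errno=%d si_syscall=%d\n",
           r.trap_code, TRAP_CAP, r.trap_errno, r.trap_syscall);
#endif
    return 0;
}
```

Build with cc on FreeBSD and run it: the SIGTRAP line shows that si_errno carries the errno (ECAPMODE for the open() call), si_code is TRAP_CAP, and the syscall number lives in si_syscall, not in si_errno. Enabling the trap per process with procctl(2) has the same effect as setting sysctl kern.trap_enotcap=1 system-wide, which is the usual way to find every violation in a program you are capsicumizing.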