PERFORCE change 164654 for review

Thu Jun 18 10:57:19 UTC 2009

http://perforce.freebsd.org/chv.cgi?CH=164654

Change 164654 by rwatson at rwatson_freebsd_capabilities on 2009/06/18 10:56:22

	Sandbox bzip2 decompression in gzip(1).

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/gzip.c#6 edit
.. //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/gzip.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/gzsandbox.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/unbzip2.c#3 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/gzip.c#6 (text+ko) ====

@@ -239,10 +239,6 @@
 static	int	check_outfile(const char *outfile);
 #endif
 
-#ifndef NO_BZIP2_SUPPORT
-static	off_t	unbzip2(int, int, char *, size_t, off_t *);
-#endif
-
 #ifndef NO_COMPRESS_SUPPORT
 static	FILE 	*zdopen(int);
 static	off_t	zuncompress(FILE *, FILE *, char *, size_t, off_t *);
@@ -1417,7 +1413,7 @@
 			goto lose;
 		}
 
-		size = unbzip2(fd, zfd, NULL, 0, NULL);
+		size = unbzip2_wrapper(fd, zfd, NULL, 0, NULL);
 	} else
 #endif
 
@@ -1636,7 +1632,7 @@
 		break;
 #ifndef NO_BZIP2_SUPPORT
 	case FT_BZIP2:
-		usize = unbzip2(STDIN_FILENO, STDOUT_FILENO,
+		usize = unbzip2_wrapper(STDIN_FILENO, STDOUT_FILENO,
 				(char *)header1, sizeof header1, &gsize);
 		break;
 #endif

==== //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/gzip.h#2 (text+ko) ====

@@ -42,5 +42,8 @@
 	    off_t *gsizep, const char *filename);
 off_t	gz_uncompress_wrapper(int in, int out, char *pre, size_t prelen,
 	    off_t *gsizep, const char *filename);
+off_t	unbzip2(int in, int out, char *pre, size_t prelen, off_t *bytes_in);
+off_t	unbzip2_wrapper(int in, int out, char *pre, size_t prelen,
+	    off_t *bytes_in);
 
 #endif /* !_GZIP_H_ */

==== //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/gzsandbox.c#3 (text+ko) ====

@@ -54,6 +54,7 @@
 
 #define	PROXIED_GZ_COMPRESS	1
 #define	PROXIED_GZ_UNCOMPRESS	2
+#define	PROXIED_UNBZIP2		3
 
 static struct lc_sandbox	*lcsp;
 static int			 gzsandbox_initialized;
@@ -243,6 +244,88 @@
 		    filename));
 }
 
+struct host_unbzip2_req {
+	size_t	hub_req_prelen;
+	/* ... followed by data ... */
+};
+
+struct host_unbzip2_rep {
+	off_t	hub_rep_bytes_in;
+	off_t	hub_rep_retval;
+};
+
+static off_t
+unbzip2_insandbox(int in, int out, char *pre, size_t prelen, off_t *bytes_in)
+{
+	struct host_unbzip2_req req;
+	struct host_unbzip2_rep rep;
+	struct iovec iov_req[2], iov_rep;
+	int fdarray[2];
+	size_t len;
+
+	if (lcsp == NULL) {
+		if (lch_start_flags(LC_USR_BIN_GZIP_SANDBOX, lc_sandbox_argv,
+		    LCH_PERMIT_STDERR, &lcsp) < 0)
+			err(-1, "lch_start %s", LC_USR_BIN_GZIP_SANDBOX);
+	}
+
+	bzero(&req, sizeof(req));
+	req.hub_req_prelen = prelen;
+	iov_req[0].iov_base = &req;
+	iov_req[0].iov_len = sizeof(req);
+	iov_req[1].iov_base = pre;
+	iov_req[1].iov_len = prelen;
+	iov_rep.iov_base = &rep;
+	iov_rep.iov_len = sizeof(rep);
+	fdarray[0] = cap_new(in, CAP_FSTAT | CAP_READ | CAP_SEEK);
+	fdarray[1] = cap_new(out, CAP_FSTAT | CAP_WRITE | CAP_SEEK);
+	if (fdarray[0] == -1 || fdarray[1] == -1)
+		err(-1, "cap_new");
+	if (lch_rpc_rights(lcsp, PROXIED_UNBZIP2, iov_req, 1,
+	    fdarray, 2, &iov_rep, 1, &len, NULL, NULL) < 0)
+		err(-1, "lch_rpc_rights");
+	if (len != sizeof(rep))
+		errx(-1, "lch_rpc_rights len %d", len);
+	if (bytes_in != NULL)
+		*bytes_in = rep.hub_rep_bytes_in;
+	close(fdarray[0]);
+	close(fdarray[1]);
+	return (rep.hub_rep_retval);
+}
+
+static void
+sandbox_unbzip2_buffer(struct lc_host *lchp, uint32_t opno,
+    uint32_t seqno, char *buffer, size_t len, int fd_in, int fd_out)
+{
+	struct host_unbzip2_req req;
+	struct host_unbzip2_rep rep;
+	struct iovec iov;
+	char *pre;
+
+	if (len != sizeof(req))
+		err(-1, "sandbox_gz_uncompress_buffer: len %d", len);
+
+	bcopy(buffer, &req, sizeof(req));
+	pre = buffer + sizeof(req);
+	bzero(&rep, sizeof(rep));
+	rep.hub_rep_retval = unbzip2(fd_in, fd_out, pre, req.hub_req_prelen,
+	    &rep.hub_rep_bytes_in);
+	iov.iov_base = &rep;
+	iov.iov_len = sizeof(rep);
+	if (lcs_sendrpc(lchp, opno, seqno, &iov, 1) < 0)
+		err(-1, "lcs_sendrpc");
+}
+off_t
+unbzip2_wrapper(int in, int out, char *pre, size_t prelen, off_t *bytes_in)
+{
+
+	if (!gzsandbox_initialized)
+		gzsandbox_initialize();
+	if (gzsandbox_enabled)
+		return (unbzip2_insandbox(in, out, pre, prelen, bytes_in));
+	else
+		return (unbzip2(in, out, pre, prelen, bytes_in));
+}
 
 int
 cap_main(__unused int argc, __unused char *argv[])
@@ -284,6 +367,15 @@
 			close(fdarray[1]);
 			break;
 
+		case PROXIED_UNBZIP2:
+			if (fdcount != 2)
+				errx(-1, "sandbox_workloop: %d fds", fdcount);
+			sandbox_unbzip2_buffer(lchp, opno, seqno, buffer, len,
+			    fdarray[0], fdarray[1]);
+			close(fdarray[0]);
+			close(fdarray[1]);
+			break;
+
 		default:
 			errx(-1, "sandbox_workloop: unknown op %d", opno);
 		}

==== //depot/projects/trustedbsd/capabilities/src/usr.bin/gzip/unbzip2.c#3 (text+ko) ====

@@ -33,7 +33,7 @@
 
 /* This file is #included by gzip.c */
 
-static off_t
+off_t
 unbzip2(int in, int out, char *pre, size_t prelen, off_t *bytes_in)
 {
 	int		ret, end_of_file;
