socsvn commit: r224094 -
soc2011/kibab/freebsd-src-head/usr.sbin/syslogd
Author: kibab
Date: Sun Jul 10 12:22:07 2011
New Revision: 224094
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=224094
Log:
Task-9: add limiting capabilities on different descriptors. This requires libcapsicum.
Modified:
soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile
soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c
Modified: soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile
==============================================================================
--- soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile Sun Jul 10 07:25:34 2011 (r224093)
+++ soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/Makefile Sun Jul 10 12:22:07 2011 (r224094)
@@ -10,7 +10,7 @@
SRCS= syslogd.c ttymsg.c
DPADD= ${LIBUTIL}
-LDADD= -lutil
+LDADD= -lutil -lcapsicum
WARNS?= 3
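Review bot: `LDADD` gains `-lcapsicum` but `DPADD= ${LIBUTIL}` is left unchanged, so the binary no longer relinks when libcapsicum is rebuilt; in the BSD make framework the two lines are expected to move together. If bsd.libnames.mk has an entry for libcapsicum on this branch, add it to DPADD alongside `${LIBUTIL}`; if it does not, a short comment saying why DPADD is incomplete would stop the next reader from "fixing" it.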
Modified: soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c
==============================================================================
--- soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c Sun Jul 10 07:25:34 2011 (r224093)
+++ soc2011/kibab/freebsd-src-head/usr.sbin/syslogd/syslogd.c Sun Jul 10 12:22:07 2011 (r224094)
@@ -76,6 +76,7 @@
#define TTYMSGTIME 1 /* timeout passed to ttymsg */
#include <sys/capability.h>
+#include <libcapsicum.h>
#include <sys/param.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
@@ -502,7 +503,7 @@
int fork_count = 0; /* XXX For debug purposes only, remove in production code! */
int chpid;
- if(feature_present("security_capabilities")) {
+ if(1 || feature_present("security_capabilities")) {
dprintf("Running with Capsicum support!\n");
do {
chpid = fork();
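Review bot: The new condition `if(1 || feature_present("security_capabilities"))` makes the feature check dead code, so the Capsicum path is taken unconditionally; on a kernel without security_capabilities the process presumably ends up at the later `err(32, "Could not enter capability mode!")` instead of falling back to the non-capability path. If this is a temporary override for testing, say so next to the existing `XXX` on fork_count, e.g. `/* XXX forced on for testing; restore feature_present() check before merge */`; otherwise restore `if (feature_present("security_capabilities")) {`. The enclosing function starts and ends outside the hunk.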
@@ -517,6 +518,7 @@
parent_duty(chpid);
} else { /* Child process */
setproctitle("child process (capability mode)");
+ pidfile_close(pfh);
}
if(fork_count>10)
errx(1, "ACHTUNG, high fork count");
@@ -571,6 +573,10 @@
continue;
}
double_rbuf(fx->s);
+ } else {
+ if(lc_limitfd(fx->s, CAP_READ | CAP_EVENT) < 0) {
+ errx(1, "Cannot limit operations on %s", fx->name);
+ }
}
}
if (SecureMode <= 1)
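Review bot: `errx(1, "Cannot limit operations on %s", fx->name)` terminates the daemon and drops the reason for the failure; lc_limitfd signals failure through its return value, and if it follows the errno convention of the cap_* calls beneath it, `err(1, "Cannot limit operations on %s", fx->name)` would report strerror(errno) at no extra cost. The same errx-on-failure shape recurs in the fklog hunk, the config-file hunk and the inet-socket hunk below. The surrounding loop recovers from other socket failures with `continue` (visible at the top of this hunk), so an unconditional exit here is a noticeably stricter policy; if a rights-limit failure is meant to be fatal where a socket failure is not, a one-line comment stating why would help. The enclosing function starts and ends outside the hunk.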
@@ -596,7 +602,10 @@
fklog = -1;
if (fklog < 0)
dprintf("can't open %s (%d)\n", _PATH_KLOG, errno);
-
+ /* Limit operations on fklog to read and select only */
+ if(lc_limitfd(fklog, CAP_READ | CAP_EVENT) < 0) {
+ errx(1, "Cannot limit operations on "_PATH_KLOG);
+ }
/* tuck my process id away */
/*
* pidfile_write(pfh); this should be done earlier if forking.
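Review bot: `lc_limitfd(fklog, CAP_READ | CAP_EVENT)` runs even when the open failed: the line just above only dprintf()s when `fklog < 0`, and the limit call is then made on -1, which presumably fails and turns the previously non-fatal "can't open klog" case into `errx(1, ...)`. Guard the call on a valid descriptor, `if (fklog >= 0 && lc_limitfd(fklog, CAP_READ | CAP_EVENT) < 0) {`, so a missing kernel log device keeps its old best-effort behaviour. The enclosing function starts and ends outside the hunk.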
@@ -612,6 +621,9 @@
err(32, "Could not enter capability mode!");
} else {
dprintf("FreeBSD capability mode enabled!\n");
+ if (lc_limitfd(STDIN_FILENO, CAP_FSTAT) < 0) errx(1, "lc_limitfd: unable to limit STDIN_FILENO");
+ if (lc_limitfd(STDOUT_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0) errx(1, "lc_limitfd: unable to limit STDOUT_FILENO");
+ if (lc_limitfd(STDERR_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0) errx(1, "lc_limitfd: unable to limit STDERR_FILENO");
}
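Review bot: The three `if (lc_limitfd(...) < 0) errx(...)` lines put the call and its fatal exit on one long line each, while every other lc_limitfd check in this commit uses the braced multi-line form (the unix-socket, fklog, config-file and inet hunks); matching that form here keeps the checks consistent and easier to scan. A short comment above the three calls stating the intended rights (stdin: fstat only; stdout/stderr: fstat, seek, write) would also document why the sets differ, e.g. `/* After cap_enter: stdin is never read; stdout/stderr are only written to */` — confirm that stdin really is unused at this point before wording it that way. The enclosing function starts and ends outside the hunk.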
/* prevent SIGHUP and SIGCHLD handlers from running in parallel */
@@ -2046,6 +2058,10 @@
(void)strlcpy(f->f_un.f_fname, p, sizeof(f->f_un.f_fname));
f->f_type = F_FILE;
}
+ /* Limit the set of operations for this fd */
+ if(lc_limitfd(f->f_file, CAP_SEEK | CAP_WRITE) < 0) {
+ errx(1, "Cannot limit operations on %s", p);
+ }
break;
case '|':
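Review bot: `lc_limitfd(f->f_file, CAP_SEEK | CAP_WRITE)` grants only seek and write; if the output path still calls fsync() on F_FILE entries that lack the no-sync flag, as the stock syslogd does, that fsync will fail once the rights are limited, so CAP_FSYNC likely belongs in the set. The call also follows the F_FILE assignment regardless of whether the open earlier in this case succeeded; if `f->f_file` can be -1 here, the `errx` makes one unopenable log file fatal at every config (re)load rather than logged and skipped. Suggested line: `if (f->f_file >= 0 && lc_limitfd(f->f_file, CAP_SEEK | CAP_WRITE | CAP_FSYNC) < 0) {`. The enclosing switch and function start and end outside the hunk.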
@@ -2759,7 +2775,9 @@
logerror("bind");
continue;
}
-
+ if(lc_limitfd(*s, CAP_READ | CAP_EVENT) < 0) {
+ errx(1, "Cannot limit capabilities on inet sockets");
+ }
double_rbuf(*s);
(*socks)++;
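Review bot: The limit is applied before `double_rbuf(*s)`; if double_rbuf adjusts the receive buffer through setsockopt(), as its name suggests, that call now runs on a descriptor already limited to CAP_READ | CAP_EVENT and will fail, whereas the unix-socket hunk earlier in this commit applies the limit only in the branch that does not call double_rbuf. Move the `lc_limitfd` call to just after `double_rbuf(*s);`, and if these same inet sockets are also used to forward messages to remote hosts via sendto(), CAP_WRITE is needed in the set as well. The message `Cannot limit capabilities on inet sockets` also differs from the `Cannot limit operations on ...` wording used by the other new checks. The enclosing loop and function start and end outside the hunk.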