[Bug 2140] Capsicum support for FreeBSD 10 (-current)
    bugzilla-daemon at mindrot.org
    Sun Oct 13 17:50:59 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=2140
--- Comment #3 from Loganaden Velvindron <loganaden at gmail.com> ---
(In reply to Damien Miller from comment #1)
> Comment on attachment 2326 [details]
> openssh-capsicum
> 
> Looks good - a couple of small things.
> 
> >Index: sandbox-capsicum.c
> >===================================================================
> >RCS file: sandbox-capsicum.c
> >diff -N sandbox-capsicum.c
> >--- /dev/null	1 Jan 1970 00:00:00 -0000
> >+++ sandbox-capsicum.c	7 Aug 2013 19:39:21 -0000
> >@@ -0,0 +1,90 @@
> >+
> 
> Please add a license block here.
> http://www.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=1.3;content-type=text%2Fplain is our preferred one.
The diff is based on an older patch for OpenSSH written by des at freebsd.
http://people.freebsd.org/~pjd/patches/openssh-capsicum.patch
I added his copyright.
> 
> >+/* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
> >+ * limits file descriptors on monitoring object,
> >+ * and switches to capability mode
> >+*/
> 
> Minor style nit. The first line of a multiline comment should be
> "/*" by itself.
Corrected.
> The last line's '*' should be aligned to the previous line's (i.e.
> add a space at the start of the line).
> 
> >+struct ssh_sandbox {
> >+	struct monitor *monitor;
> 
> This isn't used and can be removed.
> 
> >+extern struct monitor *pmonitor;
> 
> This can go too.
> 
> >+	box->monitor = pmonitor;
> 
> and this.
> 
Removed and tested on FreeBSD 10 ALPHA.
> 
> >+	if (cap_rights_limit(box->monitor->m_recvfd, CAP_READ | CAP_WRITE) == -1)
> >+		fatal("%s: failed to limit the network socket", __func__);
> >+	if (cap_rights_limit(box->monitor->m_log_sendfd, CAP_WRITE) == -1)
> >+		fatal("%s: failed to limit the logging socket", __func__);
> 
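Review bot: the two cap_rights_limit() calls still go through `box->monitor->m_recvfd` and `box->monitor->m_log_sendfd`, the `monitor` member that the comments just above ask to remove; once `struct monitor *monitor;` and `box->monitor = pmonitor;` are dropped, these lines should reference `pmonitor->m_recvfd` and `pmonitor->m_log_sendfd` directly (or take the monitor pointer as a parameter), otherwise the file no longer compiles. Also worth confirming that the rights left on m_recvfd (CAP_READ | CAP_WRITE) are the minimum the monitor protocol needs, since the whole point of the sandbox is that nothing else is reachable from the unprivileged child after cap_enter().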
> Are there any other fds open at this point? How about 0, 1 and 2 -
> could they be limited?
Yep, we can limit them completely.
No read and write possible on 0,1 & 2.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.