32c32
< __FBSDID("$FreeBSD: head/sbin/hastd/subr.c 229945 2012-01-10 22:39:07Z pjd $");
---
> __FBSDID("$FreeBSD: head/sbin/hastd/subr.c 248297 2013-03-14 23:14:47Z pjd $");
34,36d33
< #ifdef HAVE_CAPSICUM
< #include <sys/capability.h>
< #endif
41a39,42
> #ifdef HAVE_CAPSICUM
> #include <sys/capability.h>
> #include <geom/gate/g_gate.h>
> #endif
227,232d227
< /*
< * Until capsicum doesn't allow ioctl(2) we cannot use it to sandbox
< * primary and secondary worker processes, as primary uses GGATE
< * ioctls and secondary uses ioctls to handle BIO_DELETE and BIO_FLUSH.
< * For now capsicum is only used to sandbox hastctl.
< */
234,238c229,245
< if (res == NULL) {
< capsicum = (cap_enter() == 0);
< if (!capsicum) {
< pjdlog_common(LOG_DEBUG, 1, errno,
< "Unable to sandbox using capsicum");
---
> capsicum = (cap_enter() == 0);
> if (!capsicum) {
> pjdlog_common(LOG_DEBUG, 1, errno,
> "Unable to sandbox using capsicum");
> } else if (res != NULL) {
> static const unsigned long geomcmds[] = {
> DIOCGDELETE,
> DIOCGFLUSH
> };
>
> PJDLOG_ASSERT(res->hr_role == HAST_ROLE_PRIMARY ||
> res->hr_role == HAST_ROLE_SECONDARY);
>
> if (cap_rights_limit(res->hr_localfd,
> CAP_FLOCK | CAP_IOCTL | CAP_PREAD | CAP_PWRITE) == -1) {
> pjdlog_errno(LOG_ERR,
> "Unable to limit capability rights on local descriptor");
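Review bot: A failed cap_rights_limit() on hr_localfd is only logged at LOG_ERR and execution continues in capability mode with the descriptor left at full rights, while the `capsicum` flag set a few lines above still reads true; the same pattern applies to the cap_ioctls_limit() call and to both ggate descriptor calls in the 240c247,273 hunk. Since cap_enter() has already succeeded here, a failure from these calls is not a "no Capsicum" case but a configuration or kernel-support problem, so the function should either fail hard or at least clear the flag so whatever the caller reports about sandboxing stays accurate; e.g. replace the log call with `pjdlog_exit(EX_OSERR, "Unable to limit capability rights on local descriptor");` (and likewise for the other three), or follow each pjdlog_errno() with `capsicum = false;` if the weaker behaviour is intended. The enclosing function starts before and ends after this hunk, so I cannot see what `capsicum` is used for afterwards — worth confirming against the caller. A short comment above the block, such as `/* Worker processes need ioctl(2) on the local and ggate descriptors; restrict them to the exact commands used. */`, would also help, since the earlier comment explaining why workers were not sandboxed is removed without a replacement.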
240c247,273
< } else
---
> if (cap_ioctls_limit(res->hr_localfd, geomcmds,
> sizeof(geomcmds) / sizeof(geomcmds[0])) == -1) {
> pjdlog_errno(LOG_ERR,
> "Unable to limit allowed GEOM ioctls");
> }
>
> if (res->hr_role == HAST_ROLE_PRIMARY) {
> static const unsigned long ggatecmds[] = {
> G_GATE_CMD_MODIFY,
> G_GATE_CMD_START,
> G_GATE_CMD_DONE,
> G_GATE_CMD_DESTROY
> };
>
> if (cap_rights_limit(res->hr_ggatefd, CAP_IOCTL) == -1) {
> pjdlog_errno(LOG_ERR,
> "Unable to limit capability rights to CAP_IOCTL on ggate descriptor");
> }
> if (cap_ioctls_limit(res->hr_ggatefd, ggatecmds,
> sizeof(ggatecmds) / sizeof(ggatecmds[0])) == -1) {
> pjdlog_errno(LOG_ERR,
> "Unable to limit allowed ggate ioctls");
> }
> }
> }
> #else
> capsicum = false;
242d274
< capsicum = false;