subr.c (229945) subr.c (248297)
1/*-
2 * Copyright (c) 2010 The FreeBSD Foundation
3 * Copyright (c) 2011 Pawel Jakub Dawidek <pawel@dawidek.net>
4 * All rights reserved.
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *

--- 15 unchanged lines hidden (view full) ---

24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 2010 The FreeBSD Foundation
3 * Copyright (c) 2011 Pawel Jakub Dawidek <pawel@dawidek.net>
4 * All rights reserved.
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *

--- 15 unchanged lines hidden (view full) ---

24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
32__FBSDID("$FreeBSD: head/sbin/hastd/subr.c 229945 2012-01-10 22:39:07Z pjd $");
32__FBSDID("$FreeBSD: head/sbin/hastd/subr.c 248297 2013-03-14 23:14:47Z pjd $");
33
33
34#ifdef HAVE_CAPSICUM
35#include <sys/capability.h>
36#endif
37#include <sys/param.h>
38#include <sys/disk.h>
39#include <sys/ioctl.h>
40#include <sys/jail.h>
41#include <sys/stat.h>
34#include <sys/param.h>
35#include <sys/disk.h>
36#include <sys/ioctl.h>
37#include <sys/jail.h>
38#include <sys/stat.h>
39#ifdef HAVE_CAPSICUM
40#include <sys/capability.h>
41#include <geom/gate/g_gate.h>
42#endif
42
43#include <errno.h>
44#include <fcntl.h>
45#include <pwd.h>
46#include <stdarg.h>
47#include <stdbool.h>
48#include <stdio.h>
49#include <string.h>

--- 169 unchanged lines hidden (view full) ---

219 return (-1);
220 }
221 if (setuid(pw->pw_uid) == -1) {
222 pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
223 (unsigned int)pw->pw_uid);
224 return (-1);
225 }
226
43
44#include <errno.h>
45#include <fcntl.h>
46#include <pwd.h>
47#include <stdarg.h>
48#include <stdbool.h>
49#include <stdio.h>
50#include <string.h>

--- 169 unchanged lines hidden (view full) ---

220 return (-1);
221 }
222 if (setuid(pw->pw_uid) == -1) {
223 pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
224 (unsigned int)pw->pw_uid);
225 return (-1);
226 }
227
227 /*
228 * Until capsicum doesn't allow ioctl(2) we cannot use it to sandbox
229 * primary and secondary worker processes, as primary uses GGATE
230 * ioctls and secondary uses ioctls to handle BIO_DELETE and BIO_FLUSH.
231 * For now capsicum is only used to sandbox hastctl.
232 */
233#ifdef HAVE_CAPSICUM
228#ifdef HAVE_CAPSICUM
234 if (res == NULL) {
235 capsicum = (cap_enter() == 0);
236 if (!capsicum) {
237 pjdlog_common(LOG_DEBUG, 1, errno,
238 "Unable to sandbox using capsicum");
229 capsicum = (cap_enter() == 0);
230 if (!capsicum) {
231 pjdlog_common(LOG_DEBUG, 1, errno,
232 "Unable to sandbox using capsicum");
233 } else if (res != NULL) {
234 static const unsigned long geomcmds[] = {
235 DIOCGDELETE,
236 DIOCGFLUSH
237 };
238
239 PJDLOG_ASSERT(res->hr_role == HAST_ROLE_PRIMARY ||
240 res->hr_role == HAST_ROLE_SECONDARY);
241
242 if (cap_rights_limit(res->hr_localfd,
243 CAP_FLOCK | CAP_IOCTL | CAP_PREAD | CAP_PWRITE) == -1) {
244 pjdlog_errno(LOG_ERR,
245 "Unable to limit capability rights on local descriptor");
239 }
246 }
240 } else
247 if (cap_ioctls_limit(res->hr_localfd, geomcmds,
248 sizeof(geomcmds) / sizeof(geomcmds[0])) == -1) {
249 pjdlog_errno(LOG_ERR,
250 "Unable to limit allowed GEOM ioctls");
251 }
252
253 if (res->hr_role == HAST_ROLE_PRIMARY) {
254 static const unsigned long ggatecmds[] = {
255 G_GATE_CMD_MODIFY,
256 G_GATE_CMD_START,
257 G_GATE_CMD_DONE,
258 G_GATE_CMD_DESTROY
259 };
260
261 if (cap_rights_limit(res->hr_ggatefd, CAP_IOCTL) == -1) {
262 pjdlog_errno(LOG_ERR,
263 "Unable to limit capability rights to CAP_IOCTL on ggate descriptor");
264 }
265 if (cap_ioctls_limit(res->hr_ggatefd, ggatecmds,
266 sizeof(ggatecmds) / sizeof(ggatecmds[0])) == -1) {
267 pjdlog_errno(LOG_ERR,
268 "Unable to limit allowed ggate ioctls");
269 }
270 }
271 }
272#else
273 capsicum = false;
241#endif
274#endif
242 capsicum = false;
243
244 /*
245 * Better be sure that everything succeeded.
246 */
247 PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
248 PJDLOG_VERIFY(ruid == pw->pw_uid);
249 PJDLOG_VERIFY(euid == pw->pw_uid);
250 PJDLOG_VERIFY(suid == pw->pw_uid);

--- 14 unchanged lines hidden ---
275
276 /*
277 * Better be sure that everything succeeded.
278 */
279 PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
280 PJDLOG_VERIFY(ruid == pw->pw_uid);
281 PJDLOG_VERIFY(euid == pw->pw_uid);
282 PJDLOG_VERIFY(suid == pw->pw_uid);

--- 14 unchanged lines hidden ---
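Review bot: The new cap_rights_limit()/cap_ioctls_limit() failures on hr_localfd and hr_ggatefd (new lines 242-251 and 261-269) are only logged with pjdlog_errno(LOG_ERR) and the function carries on, so a worker can keep a descriptor with unrestricted rights while `capsicum` still reports a successful sandbox. The setuid() failure a few lines earlier in the same function returns -1; if fail-closed is the intent here, the four limit failures should do the same, e.g. `return (-1);` after each pjdlog_errno() call, otherwise the log-and-continue choice deserves a comment saying it is deliberate. The rationale for the right set on hr_localfd (CAP_FLOCK | CAP_IOCTL | CAP_PREAD | CAP_PWRITE) and for the two ioctl tables is no longer stated now that the old comment about GGATE and BIO_DELETE/BIO_FLUSH ioctls is removed; a short comment above the geomcmds table, along the lines of `/* Secondary issues DIOCGDELETE/DIOCGFLUSH on the local device; primary additionally drives ggate via hr_ggatefd. */`, would preserve it (wording taken from the removed comment, please confirm it still holds). The enclosing function starts and ends outside this section.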