Author: markj Date: Mon Feb 25 19:47:27 2019 New Revision: 344551 URL: https://svnweb.freebsd.org/changeset/base/344551
Log: Fix handling of rights on stdio streams, take two. Split the rights-limiting code into two cases: if one of the input files isn't a regular file, use caph_limit_stream(3) instead of open-coding the same logic; if both input files are regular files, and the initial attempts to map them succeed, we limit the rights on those files to CAP_MMAP_R. Add a regression test for PR 234885. PR: 234885 Reviewed by: delphij MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19216 Modified: head/usr.bin/cmp/cmp.c head/usr.bin/cmp/regular.c head/usr.bin/cmp/special.c head/usr.bin/cmp/tests/cmp_test2.sh Modified: head/usr.bin/cmp/cmp.c ============================================================================== --- head/usr.bin/cmp/cmp.c Mon Feb 25 19:22:13 2019 (r344550) +++ head/usr.bin/cmp/cmp.c Mon Feb 25 19:47:27 2019 (r344551) @@ -45,7 +45,6 @@ static char sccsid[] = "@(#)cmp.c 8.3 (Berkeley) 4/2/9 __FBSDID("$FreeBSD$"); #include <sys/types.h> -#include <sys/capsicum.h> #include <sys/stat.h> #include <capsicum_helpers.h> @@ -80,8 +79,6 @@ main(int argc, char *argv[]) off_t skip1, skip2; int ch, fd1, fd2, oflag, special; const char *file1, *file2; - cap_rights_t rights; - uint32_t fcntls; oflag = O_RDONLY; while ((ch = getopt_long(argc, argv, "+hlsxz", long_opts, NULL)) != -1) @@ -116,14 +113,19 @@ main(int argc, char *argv[]) if (argc < 2 || argc > 4) usage(); + /* Don't limit rights on stdin since it may be one of the inputs. */ + if (caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | CAPH_IGNORE_EBADF)) + err(ERR_EXIT, "unable to limit rights on stdout"); + if (caph_limit_stream(STDERR_FILENO, CAPH_WRITE | CAPH_IGNORE_EBADF)) + err(ERR_EXIT, "unable to limit rights on stderr"); + /* Backward compatibility -- handle "-" meaning stdin. */ special = 0; if (strcmp(file1 = argv[0], "-") == 0) { special = 1; - fd1 = 0; + fd1 = STDIN_FILENO; file1 = "stdin"; - } - else if ((fd1 = open(file1, oflag, 0)) < 0 && errno != EMLINK) { + } else if ((fd1 = open(file1, oflag, 0)) < 0 && errno != EMLINK) { if (!sflag) err(ERR_EXIT, "%s", file1); else @@ -134,10 +136,9 @@ main(int argc, char *argv[]) errx(ERR_EXIT, "standard input may only be specified once"); special = 1; - fd2 = 0; + fd2 = STDIN_FILENO; file2 = "stdin"; - } - else if ((fd2 = open(file2, oflag, 0)) < 0 && errno != EMLINK) { + } else if ((fd2 = open(file2, oflag, 0)) < 0 && errno != EMLINK) { if (!sflag) err(ERR_EXIT, "%s", file2); else @@ -162,33 +163,8 @@ main(int argc, char *argv[]) exit(ERR_EXIT); } - cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_MMAP_R); - if (caph_rights_limit(fd1, &rights) < 0) - err(ERR_EXIT, "unable to limit rights for %s", file1); - if (caph_rights_limit(fd2, &rights) < 0) - err(ERR_EXIT, "unable to limit rights for %s", file2); - - /* Required for fdopen(3). */ - fcntls = CAP_FCNTL_GETFL; - if (caph_fcntls_limit(fd1, fcntls) < 0) - err(ERR_EXIT, "unable to limit fcntls for %s", file1); - if (caph_fcntls_limit(fd2, fcntls) < 0) - err(ERR_EXIT, "unable to limit fcntls for %s", file2); - - if (!special) { - cap_rights_init(&rights); - if (caph_rights_limit(STDIN_FILENO, &rights) < 0) { - err(ERR_EXIT, "unable to limit stdio"); - } - } - - if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1) - err(ERR_EXIT, "unable to limit stdio"); - + /* FD rights are limited in c_special() and c_regular(). */ caph_cache_catpages(); - - if (caph_enter() < 0) - err(ERR_EXIT, "unable to enter capability mode"); if (!special) { if (fstat(fd1, &sb1)) { Modified: head/usr.bin/cmp/regular.c ============================================================================== --- head/usr.bin/cmp/regular.c Mon Feb 25 19:22:13 2019 (r344550) +++ head/usr.bin/cmp/regular.c Mon Feb 25 19:47:27 2019 (r344551) @@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mman.h> #include <sys/stat.h> +#include <capsicum_helpers.h> #include <err.h> #include <limits.h> #include <signal.h> @@ -61,12 +62,13 @@ void c_regular(int fd1, const char *file1, off_t skip1, off_t len1, int fd2, const char *file2, off_t skip2, off_t len2) { + struct sigaction act, oact; + cap_rights_t rights; u_char ch, *p1, *p2, *m1, *m2, *e1, *e2; off_t byte, length, line; - int dfound; off_t pagemask, off1, off2; size_t pagesize; - struct sigaction act, oact; + int dfound; if (skip1 > len1) eofmsg(file1); @@ -78,12 +80,6 @@ c_regular(int fd1, const char *file1, off_t skip1, off if (sflag && len1 != len2) exit(DIFF_EXIT); - sigemptyset(&act.sa_mask); - act.sa_flags = SA_NODEFER; - act.sa_handler = segv_handler; - if (sigaction(SIGSEGV, &act, &oact)) - err(ERR_EXIT, "sigaction()"); - pagesize = getpagesize(); pagemask = (off_t)pagesize - 1; off1 = ROUNDPAGE(skip1); @@ -101,6 +97,19 @@ c_regular(int fd1, const char *file1, off_t skip1, off c_special(fd1, file1, skip1, fd2, file2, skip2); return; } + + if (caph_rights_limit(fd1, cap_rights_init(&rights, CAP_MMAP_R)) < 0) + err(1, "unable to limit rights for %s", file1); + if (caph_rights_limit(fd2, cap_rights_init(&rights, CAP_MMAP_R)) < 0) + err(1, "unable to limit rights for %s", file2); + if (caph_enter() < 0) + err(ERR_EXIT, "unable to enter capability mode"); + + sigemptyset(&act.sa_mask); + act.sa_flags = SA_NODEFER; + act.sa_handler = segv_handler; + if (sigaction(SIGSEGV, &act, &oact)) + err(ERR_EXIT, "sigaction()"); dfound = 0; e1 = m1 + MMAP_CHUNK; Modified: head/usr.bin/cmp/special.c ============================================================================== --- head/usr.bin/cmp/special.c Mon Feb 25 19:22:13 2019 (r344550) +++ head/usr.bin/cmp/special.c Mon Feb 25 19:47:27 2019 (r344551) @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include <sys/types.h> +#include <capsicum_helpers.h> #include <err.h> #include <stdlib.h> #include <stdio.h> @@ -54,6 +55,13 @@ c_special(int fd1, const char *file1, off_t skip1, off_t byte, line; FILE *fp1, *fp2; int dfound; + + if (caph_limit_stream(fd1, CAPH_READ) < 0) + err(ERR_EXIT, "caph_limit_stream(%s)", file1); + if (caph_limit_stream(fd2, CAPH_READ) < 0) + err(ERR_EXIT, "caph_limit_stream(%s)", file2); + if (caph_enter() < 0) + err(ERR_EXIT, "unable to enter capability mode"); if ((fp1 = fdopen(fd1, "r")) == NULL) err(ERR_EXIT, "%s", file1); Modified: head/usr.bin/cmp/tests/cmp_test2.sh ============================================================================== --- head/usr.bin/cmp/tests/cmp_test2.sh Mon Feb 25 19:22:13 2019 (r344550) +++ head/usr.bin/cmp/tests/cmp_test2.sh Mon Feb 25 19:47:27 2019 (r344551) @@ -35,6 +35,8 @@ special_body() { atf_check -s exit:0 -o empty -e empty -x "cat a | cmp - a" atf_check -s exit:1 -o not-empty -e empty -x "cat b | cmp a -" atf_check -s exit:1 -o not-empty -e empty -x "cat b | cmp - a" + + atf_check -s exit:0 -o empty -e empty -x "cmp a a <&-" } atf_test_case symlink _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
