1*d06b4cefSMariusz Zaborski.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org> 2*d06b4cefSMariusz Zaborski.\" All rights reserved. 3*d06b4cefSMariusz Zaborski.\" 4*d06b4cefSMariusz Zaborski.\" Redistribution and use in source and binary forms, with or without 5*d06b4cefSMariusz Zaborski.\" modification, are permitted provided that the following conditions 6*d06b4cefSMariusz Zaborski.\" are met: 7*d06b4cefSMariusz Zaborski.\" 1. Redistributions of source code must retain the above copyright 8*d06b4cefSMariusz Zaborski.\" notice, this list of conditions and the following disclaimer. 9*d06b4cefSMariusz Zaborski.\" 2. Redistributions in binary form must reproduce the above copyright 10*d06b4cefSMariusz Zaborski.\" notice, this list of conditions and the following disclaimer in the 11*d06b4cefSMariusz Zaborski.\" documentation and/or other materials provided with the distribution. 12*d06b4cefSMariusz Zaborski.\" 13*d06b4cefSMariusz Zaborski.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14*d06b4cefSMariusz Zaborski.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15*d06b4cefSMariusz Zaborski.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16*d06b4cefSMariusz Zaborski.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17*d06b4cefSMariusz Zaborski.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18*d06b4cefSMariusz Zaborski.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19*d06b4cefSMariusz Zaborski.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20*d06b4cefSMariusz Zaborski.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21*d06b4cefSMariusz Zaborski.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22*d06b4cefSMariusz Zaborski.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23*d06b4cefSMariusz Zaborski.\" SUCH DAMAGE. 24*d06b4cefSMariusz Zaborski.\" 25*d06b4cefSMariusz Zaborski.\" $FreeBSD$ 26*d06b4cefSMariusz Zaborski.\" 27*d06b4cefSMariusz Zaborski.Dd January 8, 2018 28*d06b4cefSMariusz Zaborski.Dt CAP_DNS 3 29*d06b4cefSMariusz Zaborski.Os 30*d06b4cefSMariusz Zaborski.Sh NAME 31*d06b4cefSMariusz Zaborski.Nm cap_gethostbyname , 32*d06b4cefSMariusz Zaborski.Nm cap_gethostbyname2 , 33*d06b4cefSMariusz Zaborski.Nm cap_gethostbyaddr , 34*d06b4cefSMariusz Zaborski.Nm cap_getnameinfo , 35*d06b4cefSMariusz Zaborski.Nm cap_dns_type_limit , 36*d06b4cefSMariusz Zaborski.Nm cap_dns_family_limit 37*d06b4cefSMariusz Zaborski.Nd "library for getting network host entry in capability mode" 38*d06b4cefSMariusz Zaborski.Sh LIBRARY 39*d06b4cefSMariusz Zaborski.Lb libcap_dns 40*d06b4cefSMariusz Zaborski.Sh SYNOPSIS 41*d06b4cefSMariusz Zaborski.In sys/nv.h 42*d06b4cefSMariusz Zaborski.In libcasper.h 43*d06b4cefSMariusz Zaborski.In casper/cap_dns.h 44*d06b4cefSMariusz Zaborski.Ft "struct hostent *" 45*d06b4cefSMariusz Zaborski.Fn cap_gethostbyname "const cap_channel_t *chan" "const char *name" 46*d06b4cefSMariusz Zaborski.Ft "struct hostent *" 47*d06b4cefSMariusz Zaborski.Fn cap_gethostbyname2 "const cap_channel_t *chan" "const char *name" "int af" 48*d06b4cefSMariusz Zaborski.Ft 
"struct hostent *" 49*d06b4cefSMariusz Zaborski.Fn cap_gethostbyaddr "const cap_channel_t *chan" "const void *addr" "socklen_t len" "int af" 50*d06b4cefSMariusz Zaborski.Ft "int" 51*d06b4cefSMariusz Zaborski.Fn cap_getnameinfo "const cap_channel_t *chan" "const void *name" "int namelen" 52*d06b4cefSMariusz Zaborski.Ft "int" 53*d06b4cefSMariusz Zaborski.Fn cap_dns_type_limit "cap_channel_t *chan" "const char * const *types" "size_t ntypes" 54*d06b4cefSMariusz Zaborski.Ft "int" 55*d06b4cefSMariusz Zaborski.Fn cap_dns_family_limit "const cap_channel_t *chan" "const int *families" "size_t nfamilies" 56*d06b4cefSMariusz Zaborski.Sh DESCRIPTION 57*d06b4cefSMariusz ZaborskiThe functions 58*d06b4cefSMariusz Zaborski.Fn cap_gethostbyname , 59*d06b4cefSMariusz Zaborski.Fn cap_gethostbyname2 , 60*d06b4cefSMariusz Zaborski.Fn cap_gethostbyaddr 61*d06b4cefSMariusz Zaborskiand 62*d06b4cefSMariusz Zaborski.Fn cap_getnameinfo 63*d06b4cefSMariusz Zaborskiare respectively equivalent to 64*d06b4cefSMariusz Zaborski.Xr gethostbyname 3 , 65*d06b4cefSMariusz Zaborski.Xr gethostbyname2 3 , 66*d06b4cefSMariusz Zaborski.Xr gethostbyaddr 3 67*d06b4cefSMariusz Zaborskiand 68*d06b4cefSMariusz Zaborski.Xr getnameinfo 3 69*d06b4cefSMariusz Zaborskiexcept that a connection to the 70*d06b4cefSMariusz Zaborski.Nm system.dns 71*d06b4cefSMariusz Zaborskiservice must be provided. 72*d06b4cefSMariusz Zaborski.Pp 73*d06b4cefSMariusz ZaborskiThe 74*d06b4cefSMariusz Zaborski.Fn cap_dns_type_limit 75*d06b4cefSMariusz Zaborskifunction limits which functions the service is allowed to perform. 76*d06b4cefSMariusz ZaborskiThe 77*d06b4cefSMariusz Zaborski.Fa types 78*d06b4cefSMariusz Zaborskivariable can be set to 79*d06b4cefSMariusz Zaborski.Dv ADDR 80*d06b4cefSMariusz Zaborskior 81*d06b4cefSMariusz Zaborski.Dv NAME . 82*d06b4cefSMariusz ZaborskiSee the 83*d06b4cefSMariusz Zaborski.Sx LIMITS 84*d06b4cefSMariusz Zaborskisection for more details. 
85*d06b4cefSMariusz ZaborskiThe 86*d06b4cefSMariusz Zaborski.Fa ntypes 87*d06b4cefSMariusz Zaborskivariable contains the number of 88*d06b4cefSMariusz Zaborski.Fa types 89*d06b4cefSMariusz Zaborskiprovided. 90*d06b4cefSMariusz Zaborski.Pp 91*d06b4cefSMariusz ZaborskiThe 92*d06b4cefSMariusz Zaborski.Fn cap_dns_family_limit 93*d06b4cefSMariusz Zaborskifunction limits the address families the service is allowed to handle. 94*d06b4cefSMariusz ZaborskiFor details see 95*d06b4cefSMariusz Zaborski.Sx LIMITS . 96*d06b4cefSMariusz ZaborskiThe 97*d06b4cefSMariusz Zaborski.Fa nfamilies 98*d06b4cefSMariusz Zaborskivariable contains the number of 99*d06b4cefSMariusz Zaborski.Fa families 100*d06b4cefSMariusz Zaborskiprovided. 101*d06b4cefSMariusz Zaborski.Sh LIMITS 102*d06b4cefSMariusz ZaborskiThe preferred way of setting limits is to use the 103*d06b4cefSMariusz Zaborski.Fn cap_dns_type_limit 104*d06b4cefSMariusz Zaborskiand 105*d06b4cefSMariusz Zaborski.Fn cap_dns_family_limit 106*d06b4cefSMariusz Zaborskifunctions, but the limits of the service can also be set using 107*d06b4cefSMariusz Zaborski.Xr cap_limit_set 3 . 108*d06b4cefSMariusz ZaborskiThe nvlist for that function can contain the following values and types: 109*d06b4cefSMariusz Zaborski.Bl -ohang -offset indent 110*d06b4cefSMariusz Zaborski.It type ( NV_TYPE_STRING ) 111*d06b4cefSMariusz ZaborskiThe 112*d06b4cefSMariusz Zaborski.Va type 113*d06b4cefSMariusz Zaborskican have two values: 114*d06b4cefSMariusz Zaborski.Dv ADDR 115*d06b4cefSMariusz Zaborskior 116*d06b4cefSMariusz Zaborski.Dv NAME . 117*d06b4cefSMariusz ZaborskiThe 118*d06b4cefSMariusz Zaborski.Dv ADDR 119*d06b4cefSMariusz Zaborskivalue means that the functions 120*d06b4cefSMariusz Zaborski.Fn cap_gethostbyname , 121*d06b4cefSMariusz Zaborski.Fn cap_gethostbyname2 122*d06b4cefSMariusz Zaborskiand 123*d06b4cefSMariusz Zaborski.Fn cap_gethostbyaddr 124*d06b4cefSMariusz Zaborskiare allowed. 
125*d06b4cefSMariusz ZaborskiWhen 126*d06b4cefSMariusz Zaborski.Va type 127*d06b4cefSMariusz Zaborskiis set to 128*d06b4cefSMariusz Zaborski.Dv NAME , 129*d06b4cefSMariusz Zaborskithe 130*d06b4cefSMariusz Zaborski.Fn cap_getnameinfo 131*d06b4cefSMariusz Zaborskifunction is allowed. 132*d06b4cefSMariusz Zaborski.It family ( NV_TYPE_NUMBER ) 133*d06b4cefSMariusz ZaborskiThe 134*d06b4cefSMariusz Zaborski.Va family 135*d06b4cefSMariusz Zaborskilimits the service to one of the address families (e.g. 136*d06b4cefSMariusz Zaborski.Dv AF_INET , AF_INET6 , 137*d06b4cefSMariusz Zaborskietc.). .El 138*d06b4cefSMariusz Zaborski.Sh EXAMPLES 139*d06b4cefSMariusz ZaborskiThe following example first opens a capability to casper and then uses this 140*d06b4cefSMariusz Zaborskicapability to create the 141*d06b4cefSMariusz Zaborski.Nm system.dns 142*d06b4cefSMariusz Zaborskicasper service and uses it to resolve an IP address. 143*d06b4cefSMariusz Zaborski.Bd -literal 144*d06b4cefSMariusz Zaborskicap_channel_t *capcas, *capdns; 145*d06b4cefSMariusz Zaborskiconst char *typelimit = "ADDR"; 146*d06b4cefSMariusz Zaborskiint familylimit; 147*d06b4cefSMariusz Zaborskiconst char *ipstr = "127.0.0.1"; 148*d06b4cefSMariusz Zaborskistruct in_addr ip; 149*d06b4cefSMariusz Zaborskistruct hostent *hp; 150*d06b4cefSMariusz Zaborski 151*d06b4cefSMariusz Zaborski/* Open capability to Casper. */ 152*d06b4cefSMariusz Zaborskicapcas = cap_init(); 153*d06b4cefSMariusz Zaborskiif (capcas == NULL) 154*d06b4cefSMariusz Zaborski err(1, "Unable to contact Casper"); 155*d06b4cefSMariusz Zaborski 156*d06b4cefSMariusz Zaborski/* Enter capability mode sandbox. */ 157*d06b4cefSMariusz Zaborskiif (cap_enter() < 0 && errno != ENOSYS) 158*d06b4cefSMariusz Zaborski err(1, "Unable to enter capability mode"); 159*d06b4cefSMariusz Zaborski 160*d06b4cefSMariusz Zaborski/* Use Casper capability to create capability to the system.dns service. 
*/ 161*d06b4cefSMariusz Zaborskicapdns = cap_service_open(capcas, "system.dns"); 162*d06b4cefSMariusz Zaborskiif (capdns == NULL) 163*d06b4cefSMariusz Zaborski err(1, "Unable to open system.dns service"); 164*d06b4cefSMariusz Zaborski 165*d06b4cefSMariusz Zaborski/* Close Casper capability, we don't need it anymore. */ 166*d06b4cefSMariusz Zaborskicap_close(capcas); 167*d06b4cefSMariusz Zaborski 168*d06b4cefSMariusz Zaborski/* Limit system.dns to the cap_gethostby* lookups (type ADDR). */ 169*d06b4cefSMariusz Zaborskiif (cap_dns_type_limit(capdns, &typelimit, 1) < 0) 170*d06b4cefSMariusz Zaborski err(1, "Unable to limit access to the system.dns service"); 171*d06b4cefSMariusz Zaborski 172*d06b4cefSMariusz Zaborski/* Limit system.dns to resolving IPv4 addresses. */ 173*d06b4cefSMariusz Zaborskifamilylimit = AF_INET; 174*d06b4cefSMariusz Zaborskiif (cap_dns_family_limit(capdns, &familylimit, 1) < 0) 175*d06b4cefSMariusz Zaborski err(1, "Unable to limit access to the system.dns service"); 176*d06b4cefSMariusz Zaborski 177*d06b4cefSMariusz Zaborski/* Convert IP address in C-string to in_addr. */ 178*d06b4cefSMariusz Zaborskiif (!inet_aton(ipstr, &ip)) 179*d06b4cefSMariusz Zaborski errx(1, "Unable to parse IP address %s.", ipstr); 180*d06b4cefSMariusz Zaborski 181*d06b4cefSMariusz Zaborski/* Find hostname for the given IP address. 
*/ 182*d06b4cefSMariusz Zaborskihp = cap_gethostbyaddr(capdns, (const void *)&ip, sizeof(ip), AF_INET); 183*d06b4cefSMariusz Zaborskiif (hp == NULL) 184*d06b4cefSMariusz Zaborski errx(1, "No name associated with %s.", ipstr); 185*d06b4cefSMariusz Zaborski 186*d06b4cefSMariusz Zaborskiprintf("Name associated with %s is %s.\\n", ipstr, hp->h_name); 187*d06b4cefSMariusz Zaborski.Ed 188*d06b4cefSMariusz Zaborski.Sh SEE ALSO 189*d06b4cefSMariusz Zaborski.Xr cap_enter 2 , 190*d06b4cefSMariusz Zaborski.Xr err 3 , 191*d06b4cefSMariusz Zaborski.Xr gethostbyaddr 3 , 192*d06b4cefSMariusz Zaborski.Xr gethostbyname 3 , 193*d06b4cefSMariusz Zaborski.Xr gethostbyname2 3 , 194*d06b4cefSMariusz Zaborski.Xr getnameinfo 3 , 195*d06b4cefSMariusz Zaborski.Xr nv 3 , 196*d06b4cefSMariusz Zaborski.Xr capsicum 4 197*d06b4cefSMariusz Zaborski.Sh AUTHORS 198*d06b4cefSMariusz ZaborskiThe 199*d06b4cefSMariusz Zaborski.Nm cap_dns 200*d06b4cefSMariusz Zaborskiservice was implemented by 201*d06b4cefSMariusz Zaborski.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net 202*d06b4cefSMariusz Zaborskiunder sponsorship from the FreeBSD Foundation. 203*d06b4cefSMariusz Zaborski.Pp 204*d06b4cefSMariusz ZaborskiThis manual page was written by 205*d06b4cefSMariusz Zaborski.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org . 206