1cdd6ea94SMariusz Zaborski.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org> 2cdd6ea94SMariusz Zaborski.\" All rights reserved. 3cdd6ea94SMariusz Zaborski.\" 4cdd6ea94SMariusz Zaborski.\" Redistribution and use in source and binary forms, with or without 5cdd6ea94SMariusz Zaborski.\" modification, are permitted provided that the following conditions 6cdd6ea94SMariusz Zaborski.\" are met: 7cdd6ea94SMariusz Zaborski.\" 1. Redistributions of source code must retain the above copyright 8cdd6ea94SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer. 9cdd6ea94SMariusz Zaborski.\" 2. Redistributions in binary form must reproduce the above copyright 10cdd6ea94SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer in the 11cdd6ea94SMariusz Zaborski.\" documentation and/or other materials provided with the distribution. 12cdd6ea94SMariusz Zaborski.\" 13cdd6ea94SMariusz Zaborski.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14cdd6ea94SMariusz Zaborski.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15cdd6ea94SMariusz Zaborski.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16cdd6ea94SMariusz Zaborski.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17cdd6ea94SMariusz Zaborski.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18cdd6ea94SMariusz Zaborski.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19cdd6ea94SMariusz Zaborski.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20cdd6ea94SMariusz Zaborski.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21cdd6ea94SMariusz Zaborski.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22cdd6ea94SMariusz Zaborski.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23cdd6ea94SMariusz Zaborski.\" SUCH DAMAGE. 24cdd6ea94SMariusz Zaborski.\" 25cdd6ea94SMariusz Zaborski.\" $FreeBSD$ 26cdd6ea94SMariusz Zaborski.\" 277b558caeSEd Maste.Dd April 17, 2019 28cdd6ea94SMariusz Zaborski.Dt CAP_FILEARGS 3 29cdd6ea94SMariusz Zaborski.Os 30cdd6ea94SMariusz Zaborski.Sh NAME 31cdd6ea94SMariusz Zaborski.Nm fileargs_cinit , 32cdd6ea94SMariusz Zaborski.Nm fileargs_cinitnv , 33cdd6ea94SMariusz Zaborski.Nm fileargs_init , 34cdd6ea94SMariusz Zaborski.Nm fileargs_initnv , 35cdd6ea94SMariusz Zaborski.Nm fileargs_free , 367b558caeSEd Maste.Nm fileargs_lstat , 37cdd6ea94SMariusz Zaborski.Nm fileargs_open , 38cdd6ea94SMariusz Zaborski.Nm fileargs_fopen 39cdd6ea94SMariusz Zaborski.Nd "library for handling files in capability mode" 40cdd6ea94SMariusz Zaborski.Sh LIBRARY 41cdd6ea94SMariusz Zaborski.Lb libcap_fileargs 42cdd6ea94SMariusz Zaborski.Sh SYNOPSIS 43cdd6ea94SMariusz Zaborski.In sys/nv.h 44cdd6ea94SMariusz Zaborski.In libcasper.h 45cdd6ea94SMariusz Zaborski.In casper/cap_fileargs.h 46cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 477b558caeSEd Maste.Fn fileargs_init "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" 48cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 497b558caeSEd Maste.Fn fileargs_cinit "cap_channel_t *cas" "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" 50cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 51cdd6ea94SMariusz Zaborski.Fn fileargs_cinitnv "cap_channel_t *cas" "nvlist_t *limits" 52cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 53cdd6ea94SMariusz Zaborski.Fn fileargs_initnv "nvlist_t *limits" 54cdd6ea94SMariusz Zaborski.Ft "void" 55cdd6ea94SMariusz Zaborski.Fn fileargs_free "fileargs_t *fa" 56cdd6ea94SMariusz Zaborski.Ft "int" 577b558caeSEd Maste.Fn fileargs_lstat "fileargs_t *fa" "const char *path" "struct stat *sb" 587b558caeSEd Maste.Ft "int" 59cdd6ea94SMariusz Zaborski.Fn fileargs_open "fileargs_t *fa" "const char *name" 60cdd6ea94SMariusz Zaborski.Ft "FILE *" 61cdd6ea94SMariusz Zaborski.Fn fileargs_fopen "fileargs_t *fa" "const char *name" "const char *mode" 62cdd6ea94SMariusz Zaborski.Sh DESCRIPTION 63cdd6ea94SMariusz ZaborskiThe library is used to simplify Capsicumizing a tools that are using file system. 64cdd6ea94SMariusz ZaborskiIdea behind the library is that we are passing a remaining 65cdd6ea94SMariusz Zaborski.Fa argc 66cdd6ea94SMariusz Zaborskiand 67cdd6ea94SMariusz Zaborski.Fa argv 68cdd6ea94SMariusz Zaborskiwhich contains a list of files that should be open for this program. 69cdd6ea94SMariusz ZaborskiThe library will create a service that will serve those files. 70cdd6ea94SMariusz Zaborski.Pp 71cdd6ea94SMariusz ZaborskiThe function 72cdd6ea94SMariusz Zaborski.Fn fileargs_init 73cdd6ea94SMariusz Zaborskicreate a service to the 74cdd6ea94SMariusz Zaborski.Nm system.fileargs . 75cdd6ea94SMariusz ZaborskiThe 76cdd6ea94SMariusz Zaborski.Fa argv 77cdd6ea94SMariusz Zaborskicontains a list of files that should be opened. 78cdd6ea94SMariusz ZaborskiThe argument can be set to 79cdd6ea94SMariusz Zaborski.Dv NULL 80cdd6ea94SMariusz Zaborskiwhich will not create a service and all files will be prohibited to be opened. 81cdd6ea94SMariusz ZaborskiThe 82cdd6ea94SMariusz Zaborski.Fa argc 83cdd6ea94SMariusz Zaborskiargument contains a number of passed files. 84cdd6ea94SMariusz ZaborskiThe 85cdd6ea94SMariusz Zaborski.Fa flags 86cdd6ea94SMariusz Zaborskiargument limits opened files for either execution or reading and/or writing. 87cdd6ea94SMariusz ZaborskiThe 88cdd6ea94SMariusz Zaborski.Fa mode 89cdd6ea94SMariusz Zaborskiargument tells which what mode file should be created if the 90cdd6ea94SMariusz Zaborski.Dv O_CREATE 91cdd6ea94SMariusz Zaborskiflag is present . 92cdd6ea94SMariusz ZaborskiFor more details of the 93cdd6ea94SMariusz Zaborski.Fa flags 94cdd6ea94SMariusz Zaborskiand 95cdd6ea94SMariusz Zaborski.Fa mode 96cdd6ea94SMariusz Zaborskiarguments see 97cdd6ea94SMariusz Zaborski.Xr open 2 . 98cdd6ea94SMariusz ZaborskiThe 99cdd6ea94SMariusz Zaborski.Fa rightsp 100cdd6ea94SMariusz Zaborskiargument contains a list of the capability rights which file should be limited to. 101cdd6ea94SMariusz ZaborskiFor more details of the capability rights see 102cdd6ea94SMariusz Zaborski.Xr cap_rights_init 3 . 1037b558caeSEd MasteThe 1047b558caeSEd Maste.Fa operations 1057b558caeSEd Masteargument limits the operations that are available using 1067b558caeSEd Maste.Nm system.fileargs . 1077b558caeSEd Maste.Fa operations 1087b558caeSEd Masteis a combination of: 1097b558caeSEd Maste.Bl -ohang -offset indent 1107b558caeSEd Maste.It FA_OPEN 1117b558caeSEd MasteAllow 1127b558caeSEd Maste.Fn fileargs_open 1137b558caeSEd Masteand 1147b558caeSEd Maste.Fn fileargs_fopen . 1157b558caeSEd Maste.It FA_LSTAT 1167b558caeSEd MasteAllow 1177b558caeSEd Maste.Fn fileargs_lstat . 1187b558caeSEd Maste.El 119cdd6ea94SMariusz Zaborski.Pp 120cdd6ea94SMariusz ZaborskiThe function 121cdd6ea94SMariusz Zaborski.Fn fileargs_cinit 122cdd6ea94SMariusz Zaborskiis equivalent to 123cdd6ea94SMariusz Zaborski.Fn fileargs_init 124cdd6ea94SMariusz Zaborskiexcept that the connection to the Casper needs to be provided. 125cdd6ea94SMariusz Zaborski.Pp 126cdd6ea94SMariusz ZaborskiThe functions 127fc07a84fSEd Maste.Fn fileargs_initnv 128cdd6ea94SMariusz Zaborskiand 129fc07a84fSEd Maste.Fn fileargs_cinitnv 130cdd6ea94SMariusz Zaborskiare respectively equivalent to 131cdd6ea94SMariusz Zaborski.Fn fileargs_init 132cdd6ea94SMariusz Zaborskiand 133cdd6ea94SMariusz Zaborski.Fn fileargs_cinit 134cdd6ea94SMariusz Zaborskiexpect that all arguments all provided as 135cdd6ea94SMariusz Zaborski.Xr nvlist 9 . 136cdd6ea94SMariusz ZaborskiFor details see 137cdd6ea94SMariusz Zaborski.Sx LIMITS . 138cdd6ea94SMariusz Zaborski.Pp 139cdd6ea94SMariusz ZaborskiThe 140cdd6ea94SMariusz Zaborski.Fa fileargs_free 141cdd6ea94SMariusz Zaborskiclose connection to the 142731d06abSEd Maste.Nm system.fileargs 143cdd6ea94SMariusz Zaborskiservice and free are structures. 144cdd6ea94SMariusz ZaborskiThe function handle 145cdd6ea94SMariusz Zaborski.Dv NULL 146cdd6ea94SMariusz Zaborskiargument. 147cdd6ea94SMariusz Zaborski.Pp 1487b558caeSEd MasteThe function 1497b558caeSEd Maste.Fn fileargs_lstat 1507b558caeSEd Masteis equivalent to 1517b558caeSEd Maste.Xr lstat 2 . 1527b558caeSEd Maste.Pp 153cdd6ea94SMariusz ZaborskiThe functions 154cdd6ea94SMariusz Zaborski.Fn fileargs_open 155cdd6ea94SMariusz Zaborskiand 156cdd6ea94SMariusz Zaborski.Fn fileargs_fopen 157cdd6ea94SMariusz Zaborskiare respectively equivalent to 158cdd6ea94SMariusz Zaborski.Xr open 2 159cdd6ea94SMariusz Zaborskiand 160cdd6ea94SMariusz Zaborski.Xr fopen 3 161cdd6ea94SMariusz Zaborskiexpect that all arguments are fetched from the 162cdd6ea94SMariusz Zaborski.Va fileargs_t 163cdd6ea94SMariusz Zaborskistructure. 164cdd6ea94SMariusz Zaborski.Sh LIMITS 165cdd6ea94SMariusz ZaborskiThis section describe which values and types should be used to pass arguments to the 166731d06abSEd Maste.Fa system.fileargs 167cdd6ea94SMariusz Zaborskithrough the 168fc07a84fSEd Maste.Fn fileargs_initnv 169cdd6ea94SMariusz Zaborskiand 170fc07a84fSEd Maste.Fn fileargs_cinitnv 171cdd6ea94SMariusz Zaborskifunctions. 172cdd6ea94SMariusz ZaborskiThe 173cdd6ea94SMariusz Zaborski.Xr nvlist 9 174cdd6ea94SMariusz Zaborskifor that functions must contain the following values and types: 175cdd6ea94SMariusz Zaborski.Bl -ohang -offset indent 176cdd6ea94SMariusz Zaborski.It flags ( NV_TYPE_NUMBER ) 177cdd6ea94SMariusz ZaborskiThe 178cdd6ea94SMariusz Zaborski.Va flags 179cdd6ea94SMariusz Zaborskilimits opened files for either execution or reading and/or writing. 180cdd6ea94SMariusz Zaborski.It mode (NV_TYPE_NUMBER) 181cdd6ea94SMariusz ZaborskiIf in the 182cdd6ea94SMariusz Zaborski.Va flags 183cdd6ea94SMariusz Zaborskiargument the 184cdd6ea94SMariusz Zaborski.Dv O_CREATE 185cdd6ea94SMariusz Zaborskiflag was defined the 186cdd6ea94SMariusz Zaborski.Xr nvlist 9 187cdd6ea94SMariusz Zaborskimust contain the 188cdd6ea94SMariusz Zaborski.Va mode . 189cdd6ea94SMariusz ZaborskiThe 190cdd6ea94SMariusz Zaborski.Va mode 191cdd6ea94SMariusz Zaborskiargument tells which what mode file should be created. 1927b558caeSEd Maste.It operations (NV_TYPE_NUMBER) 1937b558caeSEd MasteThe 1947b558caeSEd Maste.Va operations 1957b558caeSEd Mastelimits the usable operations for 1967b558caeSEd Maste.Fa system.fileargs . 1977b558caeSEd MasteThe possible values are explained as 1987b558caeSEd Maste.Va operations 1997b558caeSEd Masteargument with 2007b558caeSEd Maste.Fn fileargs_init . 201cdd6ea94SMariusz Zaborski.El 202cdd6ea94SMariusz Zaborski.Pp 203cdd6ea94SMariusz ZaborskiThe 204cdd6ea94SMariusz Zaborski.Xr nvlist 9 205cdd6ea94SMariusz Zaborskifor that functions may contain the following values and types: 206cdd6ea94SMariusz Zaborski.Bl -ohang -offset indent 207cdd6ea94SMariusz Zaborski.It cap_rights ( NV_TYPE_BINARY ) 208cdd6ea94SMariusz ZaborskiThe 209cdd6ea94SMariusz Zaborski.Va cap_rights 210cdd6ea94SMariusz Zaborskiargument contains a list of the capability rights which file should be limited to. 211cdd6ea94SMariusz Zaborski.It ( NV_TYPE_NULL ) 212cdd6ea94SMariusz ZaborskiAny number of 213cdd6ea94SMariusz Zaborski.Dv NV_TYPE_NULL 214cdd6ea94SMariusz Zaborskiwhere the name of the element is name of the file which can be opened. 215cdd6ea94SMariusz Zaborski.Sh EXAMPLES 216cdd6ea94SMariusz ZaborskiThe following example first parse some options and then create the 217731d06abSEd Maste.Nm system.fileargs 218cdd6ea94SMariusz Zaborskiservice with remaining arguments. 219cdd6ea94SMariusz Zaborski.Bd -literal 220cdd6ea94SMariusz Zaborskiint ch, fd, i; 221cdd6ea94SMariusz Zaborskicap_rights_t rights; 222cdd6ea94SMariusz Zaborskifileargs_t *fa; 223cdd6ea94SMariusz Zaborski 224cdd6ea94SMariusz Zaborskiwhile ((ch = getopt(argc, argv, "h")) != -1) { 225cdd6ea94SMariusz Zaborski switch (ch) { 226cdd6ea94SMariusz Zaborski case 'h': 227cdd6ea94SMariusz Zaborski default: 228cdd6ea94SMariusz Zaborski usage(); 229cdd6ea94SMariusz Zaborski } 230cdd6ea94SMariusz Zaborski} 231cdd6ea94SMariusz Zaborski 232cdd6ea94SMariusz Zaborskiargc -= optind; 233cdd6ea94SMariusz Zaborskiargv += optind; 234cdd6ea94SMariusz Zaborski 235cdd6ea94SMariusz Zaborski/* Create capability to the system.fileargs service. */ 236cdd6ea94SMariusz Zaborskifa = fileargs_init(argc, argv, O_RDONLY, 0, 2377b558caeSEd Maste cap_rights_init(&rights, CAP_READ), FA_OPEN); 238cdd6ea94SMariusz Zaborskiif (fa == NULL) 239cdd6ea94SMariusz Zaborski err(1, "unable to open system.fileargs service"); 240cdd6ea94SMariusz Zaborski 241cdd6ea94SMariusz Zaborski/* Enter capability mode sandbox. */ 242cdd6ea94SMariusz Zaborskiif (cap_enter() < 0 && errno != ENOSYS) 243cdd6ea94SMariusz Zaborski err(1, "unable to enter capability mode"); 244cdd6ea94SMariusz Zaborski 245cdd6ea94SMariusz Zaborski/* Open files. */ 246cdd6ea94SMariusz Zaborskifor (i = 0; i < argc; i++) { 247cdd6ea94SMariusz Zaborski fd = fileargs_open(fa, argv[i]); 248cdd6ea94SMariusz Zaborski if (fd < 0) 249cdd6ea94SMariusz Zaborski err(1, "unable to open file %s", argv[i]); 250*64b3a6b3SMariusz Zaborski printf("File %s opened in capability mode\en", argv[i]); 251cdd6ea94SMariusz Zaborski close(fd); 252cdd6ea94SMariusz Zaborski} 253cdd6ea94SMariusz Zaborski 254cdd6ea94SMariusz Zaborskifileargs_free(fa); 255cdd6ea94SMariusz Zaborski.Ed 256cdd6ea94SMariusz Zaborski.Sh SEE ALSO 257cdd6ea94SMariusz Zaborski.Xr cap_enter 2 , 2587b558caeSEd Maste.Xr lstat 2 , 259cdd6ea94SMariusz Zaborski.Xr open 2 , 260cdd6ea94SMariusz Zaborski.Xr cap_rights_init 3 , 261cdd6ea94SMariusz Zaborski.Xr err 3 , 262cdd6ea94SMariusz Zaborski.Xr fopen 3 , 263cdd6ea94SMariusz Zaborski.Xr getopt 3 , 264cdd6ea94SMariusz Zaborski.Xr capsicum 4 , 265cdd6ea94SMariusz Zaborski.Xr nv 9 266cdd6ea94SMariusz Zaborski.Sh BUGS 267cdd6ea94SMariusz ZaborskiThe 268cdd6ea94SMariusz Zaborski.Lb cap_fileargs 269cdd6ea94SMariusz Zaborskiincluded in 270cdd6ea94SMariusz Zaborski.Fx 271cdd6ea94SMariusz Zaborskiis considered experimental, and should not be deployed in production 272cdd6ea94SMariusz Zaborskienvironments without careful consideration of the risks associated with 273cdd6ea94SMariusz Zaborskithe use of experimental operating system features. 274cdd6ea94SMariusz Zaborski.Sh AUTHORS 275cdd6ea94SMariusz Zaborski.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org 276