1cdd6ea94SMariusz Zaborski.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org> 2cdd6ea94SMariusz Zaborski.\" All rights reserved. 3cdd6ea94SMariusz Zaborski.\" 4cdd6ea94SMariusz Zaborski.\" Redistribution and use in source and binary forms, with or without 5cdd6ea94SMariusz Zaborski.\" modification, are permitted provided that the following conditions 6cdd6ea94SMariusz Zaborski.\" are met: 7cdd6ea94SMariusz Zaborski.\" 1. Redistributions of source code must retain the above copyright 8cdd6ea94SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer. 9cdd6ea94SMariusz Zaborski.\" 2. Redistributions in binary form must reproduce the above copyright 10cdd6ea94SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer in the 11cdd6ea94SMariusz Zaborski.\" documentation and/or other materials provided with the distribution. 12cdd6ea94SMariusz Zaborski.\" 13cdd6ea94SMariusz Zaborski.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14cdd6ea94SMariusz Zaborski.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15cdd6ea94SMariusz Zaborski.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16cdd6ea94SMariusz Zaborski.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17cdd6ea94SMariusz Zaborski.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18cdd6ea94SMariusz Zaborski.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19cdd6ea94SMariusz Zaborski.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20cdd6ea94SMariusz Zaborski.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21cdd6ea94SMariusz Zaborski.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22cdd6ea94SMariusz Zaborski.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23cdd6ea94SMariusz Zaborski.\" SUCH DAMAGE. 24cdd6ea94SMariusz Zaborski.\" 25*cf037972SAlan Somers.Dd December 6, 2023 26cdd6ea94SMariusz Zaborski.Dt CAP_FILEARGS 3 27cdd6ea94SMariusz Zaborski.Os 28cdd6ea94SMariusz Zaborski.Sh NAME 29cdd6ea94SMariusz Zaborski.Nm fileargs_cinit , 30cdd6ea94SMariusz Zaborski.Nm fileargs_cinitnv , 31cdd6ea94SMariusz Zaborski.Nm fileargs_init , 32cdd6ea94SMariusz Zaborski.Nm fileargs_initnv , 33cdd6ea94SMariusz Zaborski.Nm fileargs_free , 347b558caeSEd Maste.Nm fileargs_lstat , 35cdd6ea94SMariusz Zaborski.Nm fileargs_open , 36cdd6ea94SMariusz Zaborski.Nm fileargs_fopen 37cdd6ea94SMariusz Zaborski.Nd "library for handling files in capability mode" 38cdd6ea94SMariusz Zaborski.Sh LIBRARY 39cdd6ea94SMariusz Zaborski.Lb libcap_fileargs 40cdd6ea94SMariusz Zaborski.Sh SYNOPSIS 41cdd6ea94SMariusz Zaborski.In sys/nv.h 42cdd6ea94SMariusz Zaborski.In libcasper.h 43cdd6ea94SMariusz Zaborski.In casper/cap_fileargs.h 44cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 457b558caeSEd Maste.Fn fileargs_init "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" 46cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 477b558caeSEd Maste.Fn fileargs_cinit "cap_channel_t *cas" "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" 48cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 49cdd6ea94SMariusz Zaborski.Fn fileargs_cinitnv "cap_channel_t *cas" "nvlist_t *limits" 50cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 51cdd6ea94SMariusz Zaborski.Fn fileargs_initnv "nvlist_t *limits" 52cdd6ea94SMariusz Zaborski.Ft "void" 53cdd6ea94SMariusz Zaborski.Fn fileargs_free "fileargs_t *fa" 54cdd6ea94SMariusz Zaborski.Ft "int" 557b558caeSEd Maste.Fn fileargs_lstat "fileargs_t *fa" "const char *path" "struct stat *sb" 567b558caeSEd Maste.Ft "int" 57cdd6ea94SMariusz Zaborski.Fn fileargs_open "fileargs_t *fa" "const char *name" 58cdd6ea94SMariusz Zaborski.Ft "FILE *" 59cdd6ea94SMariusz Zaborski.Fn fileargs_fopen "fileargs_t *fa" "const char *name" "const char *mode" 60dcdad299SMariusz Zaborski.Ft "char *" 61dcdad299SMariusz Zaborski.Fn fileargs_realpath "fileargs_t *fa" "const char *pathname" "char *reserved_path" 62cdd6ea94SMariusz Zaborski.Sh DESCRIPTION 63cdd6ea94SMariusz ZaborskiThe library is used to simplify Capsicumizing a tools that are using file system. 64cdd6ea94SMariusz ZaborskiIdea behind the library is that we are passing a remaining 65cdd6ea94SMariusz Zaborski.Fa argc 66cdd6ea94SMariusz Zaborskiand 67cdd6ea94SMariusz Zaborski.Fa argv 68cdd6ea94SMariusz Zaborskiwhich contains a list of files that should be open for this program. 69cdd6ea94SMariusz ZaborskiThe library will create a service that will serve those files. 70cdd6ea94SMariusz Zaborski.Pp 71cdd6ea94SMariusz ZaborskiThe function 72cdd6ea94SMariusz Zaborski.Fn fileargs_init 73cdd6ea94SMariusz Zaborskicreate a service to the 74cdd6ea94SMariusz Zaborski.Nm system.fileargs . 75cdd6ea94SMariusz ZaborskiThe 76cdd6ea94SMariusz Zaborski.Fa argv 77cdd6ea94SMariusz Zaborskicontains a list of files that should be opened. 78cdd6ea94SMariusz ZaborskiThe argument can be set to 79cdd6ea94SMariusz Zaborski.Dv NULL 80cdd6ea94SMariusz Zaborskiwhich will not create a service and all files will be prohibited to be opened. 81cdd6ea94SMariusz ZaborskiThe 82cdd6ea94SMariusz Zaborski.Fa argc 83cdd6ea94SMariusz Zaborskiargument contains a number of passed files. 84cdd6ea94SMariusz ZaborskiThe 85cdd6ea94SMariusz Zaborski.Fa flags 86cdd6ea94SMariusz Zaborskiargument limits opened files for either execution or reading and/or writing. 87cdd6ea94SMariusz ZaborskiThe 88cdd6ea94SMariusz Zaborski.Fa mode 89cdd6ea94SMariusz Zaborskiargument tells which what mode file should be created if the 90cdd6ea94SMariusz Zaborski.Dv O_CREATE 91cdd6ea94SMariusz Zaborskiflag is present . 92cdd6ea94SMariusz ZaborskiFor more details of the 93cdd6ea94SMariusz Zaborski.Fa flags 94cdd6ea94SMariusz Zaborskiand 95cdd6ea94SMariusz Zaborski.Fa mode 96cdd6ea94SMariusz Zaborskiarguments see 97cdd6ea94SMariusz Zaborski.Xr open 2 . 98cdd6ea94SMariusz ZaborskiThe 99cdd6ea94SMariusz Zaborski.Fa rightsp 100cdd6ea94SMariusz Zaborskiargument contains a list of the capability rights which file should be limited to. 101cdd6ea94SMariusz ZaborskiFor more details of the capability rights see 102cdd6ea94SMariusz Zaborski.Xr cap_rights_init 3 . 1037b558caeSEd MasteThe 1047b558caeSEd Maste.Fa operations 1057b558caeSEd Masteargument limits the operations that are available using 1067b558caeSEd Maste.Nm system.fileargs . 1077b558caeSEd Maste.Fa operations 1087b558caeSEd Masteis a combination of: 1097b558caeSEd Maste.Bl -ohang -offset indent 1107b558caeSEd Maste.It FA_OPEN 1117b558caeSEd MasteAllow 1127b558caeSEd Maste.Fn fileargs_open 1137b558caeSEd Masteand 1147b558caeSEd Maste.Fn fileargs_fopen . 1157b558caeSEd Maste.It FA_LSTAT 1167b558caeSEd MasteAllow 1177b558caeSEd Maste.Fn fileargs_lstat . 118dcdad299SMariusz Zaborski.It FA_REALPATH 119dcdad299SMariusz ZaborskiAllow 120dcdad299SMariusz Zaborski.Fn fileargs_realpath . 1217b558caeSEd Maste.El 122cdd6ea94SMariusz Zaborski.Pp 123cdd6ea94SMariusz ZaborskiThe function 124cdd6ea94SMariusz Zaborski.Fn fileargs_cinit 125cdd6ea94SMariusz Zaborskiis equivalent to 126cdd6ea94SMariusz Zaborski.Fn fileargs_init 127cdd6ea94SMariusz Zaborskiexcept that the connection to the Casper needs to be provided. 128cdd6ea94SMariusz Zaborski.Pp 129cdd6ea94SMariusz ZaborskiThe functions 130fc07a84fSEd Maste.Fn fileargs_initnv 131cdd6ea94SMariusz Zaborskiand 132fc07a84fSEd Maste.Fn fileargs_cinitnv 133cdd6ea94SMariusz Zaborskiare respectively equivalent to 134cdd6ea94SMariusz Zaborski.Fn fileargs_init 135cdd6ea94SMariusz Zaborskiand 136cdd6ea94SMariusz Zaborski.Fn fileargs_cinit 137cdd6ea94SMariusz Zaborskiexpect that all arguments all provided as 138cdd6ea94SMariusz Zaborski.Xr nvlist 9 . 139cdd6ea94SMariusz ZaborskiFor details see 140cdd6ea94SMariusz Zaborski.Sx LIMITS . 141cdd6ea94SMariusz Zaborski.Pp 142cdd6ea94SMariusz ZaborskiThe 143cdd6ea94SMariusz Zaborski.Fa fileargs_free 144cdd6ea94SMariusz Zaborskiclose connection to the 145731d06abSEd Maste.Nm system.fileargs 146cdd6ea94SMariusz Zaborskiservice and free are structures. 147cdd6ea94SMariusz ZaborskiThe function handle 148cdd6ea94SMariusz Zaborski.Dv NULL 149cdd6ea94SMariusz Zaborskiargument. 150cdd6ea94SMariusz Zaborski.Pp 1517b558caeSEd MasteThe function 1527b558caeSEd Maste.Fn fileargs_lstat 1537b558caeSEd Masteis equivalent to 1547b558caeSEd Maste.Xr lstat 2 . 1557b558caeSEd Maste.Pp 156cdd6ea94SMariusz ZaborskiThe functions 157cdd6ea94SMariusz Zaborski.Fn fileargs_open 158cdd6ea94SMariusz Zaborskiand 159cdd6ea94SMariusz Zaborski.Fn fileargs_fopen 160cdd6ea94SMariusz Zaborskiare respectively equivalent to 161cdd6ea94SMariusz Zaborski.Xr open 2 162cdd6ea94SMariusz Zaborskiand 163cdd6ea94SMariusz Zaborski.Xr fopen 3 164cdd6ea94SMariusz Zaborskiexpect that all arguments are fetched from the 165cdd6ea94SMariusz Zaborski.Va fileargs_t 166cdd6ea94SMariusz Zaborskistructure. 167dcdad299SMariusz Zaborski.Pp 168dcdad299SMariusz ZaborskiThe function 169dcdad299SMariusz Zaborski.Fn fileargs_realpath 170dcdad299SMariusz Zaborskiis equivalent to 171dcdad299SMariusz Zaborski.Xr realpath 3 . 172*cf037972SAlan Somers.Pp 173*cf037972SAlan Somers.Fn fileargs_open , 174*cf037972SAlan Somers.Fn fileargs_lstat , 175*cf037972SAlan Somers.Fn fileargs_realpath , 176*cf037972SAlan Somers.Fn fileargs_cinitnv , 177*cf037972SAlan Somers.Fn fileargs_initnv , 178*cf037972SAlan Somersand 179*cf037972SAlan Somers.Fn fileargs_fopen 180*cf037972SAlan Somersare reentrant but not thread-safe. 181*cf037972SAlan SomersThat is, they may be called from separate threads only with different 182*cf037972SAlan Somers.Vt cap_channel_t 183*cf037972SAlan Somersarguments or with synchronization. 184cdd6ea94SMariusz Zaborski.Sh LIMITS 185cdd6ea94SMariusz ZaborskiThis section describe which values and types should be used to pass arguments to the 186731d06abSEd Maste.Fa system.fileargs 187cdd6ea94SMariusz Zaborskithrough the 188fc07a84fSEd Maste.Fn fileargs_initnv 189cdd6ea94SMariusz Zaborskiand 190fc07a84fSEd Maste.Fn fileargs_cinitnv 191cdd6ea94SMariusz Zaborskifunctions. 192cdd6ea94SMariusz ZaborskiThe 193cdd6ea94SMariusz Zaborski.Xr nvlist 9 194cdd6ea94SMariusz Zaborskifor that functions must contain the following values and types: 195cdd6ea94SMariusz Zaborski.Bl -ohang -offset indent 196cdd6ea94SMariusz Zaborski.It flags ( NV_TYPE_NUMBER ) 197cdd6ea94SMariusz ZaborskiThe 198cdd6ea94SMariusz Zaborski.Va flags 199cdd6ea94SMariusz Zaborskilimits opened files for either execution or reading and/or writing. 200cdd6ea94SMariusz Zaborski.It mode (NV_TYPE_NUMBER) 201cdd6ea94SMariusz ZaborskiIf in the 202cdd6ea94SMariusz Zaborski.Va flags 203cdd6ea94SMariusz Zaborskiargument the 204cdd6ea94SMariusz Zaborski.Dv O_CREATE 205cdd6ea94SMariusz Zaborskiflag was defined the 206cdd6ea94SMariusz Zaborski.Xr nvlist 9 207cdd6ea94SMariusz Zaborskimust contain the 208cdd6ea94SMariusz Zaborski.Va mode . 209cdd6ea94SMariusz ZaborskiThe 210cdd6ea94SMariusz Zaborski.Va mode 211cdd6ea94SMariusz Zaborskiargument tells which what mode file should be created. 2127b558caeSEd Maste.It operations (NV_TYPE_NUMBER) 2137b558caeSEd MasteThe 2147b558caeSEd Maste.Va operations 2157b558caeSEd Mastelimits the usable operations for 2167b558caeSEd Maste.Fa system.fileargs . 2177b558caeSEd MasteThe possible values are explained as 2187b558caeSEd Maste.Va operations 2197b558caeSEd Masteargument with 2207b558caeSEd Maste.Fn fileargs_init . 221cdd6ea94SMariusz Zaborski.El 222cdd6ea94SMariusz Zaborski.Pp 223cdd6ea94SMariusz ZaborskiThe 224cdd6ea94SMariusz Zaborski.Xr nvlist 9 225cdd6ea94SMariusz Zaborskifor that functions may contain the following values and types: 226cdd6ea94SMariusz Zaborski.Bl -ohang -offset indent 227cdd6ea94SMariusz Zaborski.It cap_rights ( NV_TYPE_BINARY ) 228cdd6ea94SMariusz ZaborskiThe 229cdd6ea94SMariusz Zaborski.Va cap_rights 230cdd6ea94SMariusz Zaborskiargument contains a list of the capability rights which file should be limited to. 231cdd6ea94SMariusz Zaborski.It ( NV_TYPE_NULL ) 232cdd6ea94SMariusz ZaborskiAny number of 233cdd6ea94SMariusz Zaborski.Dv NV_TYPE_NULL 234cdd6ea94SMariusz Zaborskiwhere the name of the element is name of the file which can be opened. 2353251ad29SGordon Bergling.El 236cdd6ea94SMariusz Zaborski.Sh EXAMPLES 237cdd6ea94SMariusz ZaborskiThe following example first parse some options and then create the 238731d06abSEd Maste.Nm system.fileargs 239cdd6ea94SMariusz Zaborskiservice with remaining arguments. 240cdd6ea94SMariusz Zaborski.Bd -literal 241cdd6ea94SMariusz Zaborskiint ch, fd, i; 242cdd6ea94SMariusz Zaborskicap_rights_t rights; 243cdd6ea94SMariusz Zaborskifileargs_t *fa; 244cdd6ea94SMariusz Zaborski 245cdd6ea94SMariusz Zaborskiwhile ((ch = getopt(argc, argv, "h")) != -1) { 246cdd6ea94SMariusz Zaborski switch (ch) { 247cdd6ea94SMariusz Zaborski case 'h': 248cdd6ea94SMariusz Zaborski default: 249cdd6ea94SMariusz Zaborski usage(); 250cdd6ea94SMariusz Zaborski } 251cdd6ea94SMariusz Zaborski} 252cdd6ea94SMariusz Zaborski 253cdd6ea94SMariusz Zaborskiargc -= optind; 254cdd6ea94SMariusz Zaborskiargv += optind; 255cdd6ea94SMariusz Zaborski 256cdd6ea94SMariusz Zaborski/* Create capability to the system.fileargs service. */ 257cdd6ea94SMariusz Zaborskifa = fileargs_init(argc, argv, O_RDONLY, 0, 2587b558caeSEd Maste cap_rights_init(&rights, CAP_READ), FA_OPEN); 259cdd6ea94SMariusz Zaborskiif (fa == NULL) 260cdd6ea94SMariusz Zaborski err(1, "unable to open system.fileargs service"); 261cdd6ea94SMariusz Zaborski 262cdd6ea94SMariusz Zaborski/* Enter capability mode sandbox. */ 263cdd6ea94SMariusz Zaborskiif (cap_enter() < 0 && errno != ENOSYS) 264cdd6ea94SMariusz Zaborski err(1, "unable to enter capability mode"); 265cdd6ea94SMariusz Zaborski 266cdd6ea94SMariusz Zaborski/* Open files. */ 267cdd6ea94SMariusz Zaborskifor (i = 0; i < argc; i++) { 268cdd6ea94SMariusz Zaborski fd = fileargs_open(fa, argv[i]); 269cdd6ea94SMariusz Zaborski if (fd < 0) 270cdd6ea94SMariusz Zaborski err(1, "unable to open file %s", argv[i]); 27164b3a6b3SMariusz Zaborski printf("File %s opened in capability mode\en", argv[i]); 272cdd6ea94SMariusz Zaborski close(fd); 273cdd6ea94SMariusz Zaborski} 274cdd6ea94SMariusz Zaborski 275cdd6ea94SMariusz Zaborskifileargs_free(fa); 276cdd6ea94SMariusz Zaborski.Ed 277cdd6ea94SMariusz Zaborski.Sh SEE ALSO 278cdd6ea94SMariusz Zaborski.Xr cap_enter 2 , 2797b558caeSEd Maste.Xr lstat 2 , 280cdd6ea94SMariusz Zaborski.Xr open 2 , 281cdd6ea94SMariusz Zaborski.Xr cap_rights_init 3 , 282cdd6ea94SMariusz Zaborski.Xr err 3 , 283cdd6ea94SMariusz Zaborski.Xr fopen 3 , 284cdd6ea94SMariusz Zaborski.Xr getopt 3 , 285dcdad299SMariusz Zaborski.Xr realpath 3 , 286cdd6ea94SMariusz Zaborski.Xr capsicum 4 , 287cdd6ea94SMariusz Zaborski.Xr nv 9 288421f325eSGordon Bergling.Sh HISTORY 289421f325eSGordon BerglingThe 290421f325eSGordon Bergling.Nm cap_fileargs 291421f325eSGordon Berglingservice first appeared in 292421f325eSGordon Bergling.Fx 10.3 . 2933251ad29SGordon Bergling.Sh AUTHORS 2943251ad29SGordon Bergling.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org 295cdd6ea94SMariusz Zaborski.Sh BUGS 296cdd6ea94SMariusz ZaborskiThe 297cdd6ea94SMariusz Zaborski.Lb cap_fileargs 298cdd6ea94SMariusz Zaborskiincluded in 299cdd6ea94SMariusz Zaborski.Fx 300cdd6ea94SMariusz Zaborskiis considered experimental, and should not be deployed in production 301cdd6ea94SMariusz Zaborskienvironments without careful consideration of the risks associated with 302cdd6ea94SMariusz Zaborskithe use of experimental operating system features. 303