1cdd6ea94SMariusz Zaborski.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org> 2cdd6ea94SMariusz Zaborski.\" All rights reserved. 3cdd6ea94SMariusz Zaborski.\" 4cdd6ea94SMariusz Zaborski.\" Redistribution and use in source and binary forms, with or without 5cdd6ea94SMariusz Zaborski.\" modification, are permitted provided that the following conditions 6cdd6ea94SMariusz Zaborski.\" are met: 7cdd6ea94SMariusz Zaborski.\" 1. Redistributions of source code must retain the above copyright 8cdd6ea94SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer. 9cdd6ea94SMariusz Zaborski.\" 2. Redistributions in binary form must reproduce the above copyright 10cdd6ea94SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer in the 11cdd6ea94SMariusz Zaborski.\" documentation and/or other materials provided with the distribution. 12cdd6ea94SMariusz Zaborski.\" 13cdd6ea94SMariusz Zaborski.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14cdd6ea94SMariusz Zaborski.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15cdd6ea94SMariusz Zaborski.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16cdd6ea94SMariusz Zaborski.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17cdd6ea94SMariusz Zaborski.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18cdd6ea94SMariusz Zaborski.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19cdd6ea94SMariusz Zaborski.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20cdd6ea94SMariusz Zaborski.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21cdd6ea94SMariusz Zaborski.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22cdd6ea94SMariusz Zaborski.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23cdd6ea94SMariusz Zaborski.\" SUCH DAMAGE. 24cdd6ea94SMariusz Zaborski.\" 25cdd6ea94SMariusz Zaborski.\" $FreeBSD$ 26cdd6ea94SMariusz Zaborski.\" 27*dcdad299SMariusz Zaborski.Dd January 10, 2021 28cdd6ea94SMariusz Zaborski.Dt CAP_FILEARGS 3 29cdd6ea94SMariusz Zaborski.Os 30cdd6ea94SMariusz Zaborski.Sh NAME 31cdd6ea94SMariusz Zaborski.Nm fileargs_cinit , 32cdd6ea94SMariusz Zaborski.Nm fileargs_cinitnv , 33cdd6ea94SMariusz Zaborski.Nm fileargs_init , 34cdd6ea94SMariusz Zaborski.Nm fileargs_initnv , 35cdd6ea94SMariusz Zaborski.Nm fileargs_free , 367b558caeSEd Maste.Nm fileargs_lstat , 37cdd6ea94SMariusz Zaborski.Nm fileargs_open , 38cdd6ea94SMariusz Zaborski.Nm fileargs_fopen 39cdd6ea94SMariusz Zaborski.Nd "library for handling files in capability mode" 40cdd6ea94SMariusz Zaborski.Sh LIBRARY 41cdd6ea94SMariusz Zaborski.Lb libcap_fileargs 42cdd6ea94SMariusz Zaborski.Sh SYNOPSIS 43cdd6ea94SMariusz Zaborski.In sys/nv.h 44cdd6ea94SMariusz Zaborski.In libcasper.h 45cdd6ea94SMariusz Zaborski.In casper/cap_fileargs.h 46cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 477b558caeSEd Maste.Fn fileargs_init "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" 48cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 497b558caeSEd Maste.Fn fileargs_cinit "cap_channel_t *cas" "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations" 50cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 51cdd6ea94SMariusz Zaborski.Fn fileargs_cinitnv "cap_channel_t *cas" "nvlist_t *limits" 52cdd6ea94SMariusz Zaborski.Ft "fileargs_t *" 53cdd6ea94SMariusz Zaborski.Fn fileargs_initnv "nvlist_t *limits" 54cdd6ea94SMariusz Zaborski.Ft "void" 55cdd6ea94SMariusz Zaborski.Fn fileargs_free "fileargs_t *fa" 56cdd6ea94SMariusz Zaborski.Ft "int" 577b558caeSEd Maste.Fn fileargs_lstat "fileargs_t *fa" "const char *path" "struct stat *sb" 587b558caeSEd Maste.Ft "int" 59cdd6ea94SMariusz Zaborski.Fn fileargs_open "fileargs_t *fa" "const char *name" 60cdd6ea94SMariusz Zaborski.Ft "FILE *" 61cdd6ea94SMariusz Zaborski.Fn fileargs_fopen "fileargs_t *fa" "const char *name" "const char *mode" 62*dcdad299SMariusz Zaborski.Ft "char *" 63*dcdad299SMariusz Zaborski.Fn fileargs_realpath "fileargs_t *fa" "const char *pathname" "char *reserved_path" 64cdd6ea94SMariusz Zaborski.Sh DESCRIPTION 65cdd6ea94SMariusz ZaborskiThe library is used to simplify Capsicumizing a tools that are using file system. 66cdd6ea94SMariusz ZaborskiIdea behind the library is that we are passing a remaining 67cdd6ea94SMariusz Zaborski.Fa argc 68cdd6ea94SMariusz Zaborskiand 69cdd6ea94SMariusz Zaborski.Fa argv 70cdd6ea94SMariusz Zaborskiwhich contains a list of files that should be open for this program. 71cdd6ea94SMariusz ZaborskiThe library will create a service that will serve those files. 72cdd6ea94SMariusz Zaborski.Pp 73cdd6ea94SMariusz ZaborskiThe function 74cdd6ea94SMariusz Zaborski.Fn fileargs_init 75cdd6ea94SMariusz Zaborskicreate a service to the 76cdd6ea94SMariusz Zaborski.Nm system.fileargs . 77cdd6ea94SMariusz ZaborskiThe 78cdd6ea94SMariusz Zaborski.Fa argv 79cdd6ea94SMariusz Zaborskicontains a list of files that should be opened. 80cdd6ea94SMariusz ZaborskiThe argument can be set to 81cdd6ea94SMariusz Zaborski.Dv NULL 82cdd6ea94SMariusz Zaborskiwhich will not create a service and all files will be prohibited to be opened. 83cdd6ea94SMariusz ZaborskiThe 84cdd6ea94SMariusz Zaborski.Fa argc 85cdd6ea94SMariusz Zaborskiargument contains a number of passed files. 86cdd6ea94SMariusz ZaborskiThe 87cdd6ea94SMariusz Zaborski.Fa flags 88cdd6ea94SMariusz Zaborskiargument limits opened files for either execution or reading and/or writing. 89cdd6ea94SMariusz ZaborskiThe 90cdd6ea94SMariusz Zaborski.Fa mode 91cdd6ea94SMariusz Zaborskiargument tells which what mode file should be created if the 92cdd6ea94SMariusz Zaborski.Dv O_CREATE 93cdd6ea94SMariusz Zaborskiflag is present . 94cdd6ea94SMariusz ZaborskiFor more details of the 95cdd6ea94SMariusz Zaborski.Fa flags 96cdd6ea94SMariusz Zaborskiand 97cdd6ea94SMariusz Zaborski.Fa mode 98cdd6ea94SMariusz Zaborskiarguments see 99cdd6ea94SMariusz Zaborski.Xr open 2 . 100cdd6ea94SMariusz ZaborskiThe 101cdd6ea94SMariusz Zaborski.Fa rightsp 102cdd6ea94SMariusz Zaborskiargument contains a list of the capability rights which file should be limited to. 103cdd6ea94SMariusz ZaborskiFor more details of the capability rights see 104cdd6ea94SMariusz Zaborski.Xr cap_rights_init 3 . 1057b558caeSEd MasteThe 1067b558caeSEd Maste.Fa operations 1077b558caeSEd Masteargument limits the operations that are available using 1087b558caeSEd Maste.Nm system.fileargs . 1097b558caeSEd Maste.Fa operations 1107b558caeSEd Masteis a combination of: 1117b558caeSEd Maste.Bl -ohang -offset indent 1127b558caeSEd Maste.It FA_OPEN 1137b558caeSEd MasteAllow 1147b558caeSEd Maste.Fn fileargs_open 1157b558caeSEd Masteand 1167b558caeSEd Maste.Fn fileargs_fopen . 1177b558caeSEd Maste.It FA_LSTAT 1187b558caeSEd MasteAllow 1197b558caeSEd Maste.Fn fileargs_lstat . 120*dcdad299SMariusz Zaborski.It FA_REALPATH 121*dcdad299SMariusz ZaborskiAllow 122*dcdad299SMariusz Zaborski.Fn fileargs_realpath . 1237b558caeSEd Maste.El 124cdd6ea94SMariusz Zaborski.Pp 125cdd6ea94SMariusz ZaborskiThe function 126cdd6ea94SMariusz Zaborski.Fn fileargs_cinit 127cdd6ea94SMariusz Zaborskiis equivalent to 128cdd6ea94SMariusz Zaborski.Fn fileargs_init 129cdd6ea94SMariusz Zaborskiexcept that the connection to the Casper needs to be provided. 130cdd6ea94SMariusz Zaborski.Pp 131cdd6ea94SMariusz ZaborskiThe functions 132fc07a84fSEd Maste.Fn fileargs_initnv 133cdd6ea94SMariusz Zaborskiand 134fc07a84fSEd Maste.Fn fileargs_cinitnv 135cdd6ea94SMariusz Zaborskiare respectively equivalent to 136cdd6ea94SMariusz Zaborski.Fn fileargs_init 137cdd6ea94SMariusz Zaborskiand 138cdd6ea94SMariusz Zaborski.Fn fileargs_cinit 139cdd6ea94SMariusz Zaborskiexpect that all arguments all provided as 140cdd6ea94SMariusz Zaborski.Xr nvlist 9 . 141cdd6ea94SMariusz ZaborskiFor details see 142cdd6ea94SMariusz Zaborski.Sx LIMITS . 143cdd6ea94SMariusz Zaborski.Pp 144cdd6ea94SMariusz ZaborskiThe 145cdd6ea94SMariusz Zaborski.Fa fileargs_free 146cdd6ea94SMariusz Zaborskiclose connection to the 147731d06abSEd Maste.Nm system.fileargs 148cdd6ea94SMariusz Zaborskiservice and free are structures. 149cdd6ea94SMariusz ZaborskiThe function handle 150cdd6ea94SMariusz Zaborski.Dv NULL 151cdd6ea94SMariusz Zaborskiargument. 152cdd6ea94SMariusz Zaborski.Pp 1537b558caeSEd MasteThe function 1547b558caeSEd Maste.Fn fileargs_lstat 1557b558caeSEd Masteis equivalent to 1567b558caeSEd Maste.Xr lstat 2 . 1577b558caeSEd Maste.Pp 158cdd6ea94SMariusz ZaborskiThe functions 159cdd6ea94SMariusz Zaborski.Fn fileargs_open 160cdd6ea94SMariusz Zaborskiand 161cdd6ea94SMariusz Zaborski.Fn fileargs_fopen 162cdd6ea94SMariusz Zaborskiare respectively equivalent to 163cdd6ea94SMariusz Zaborski.Xr open 2 164cdd6ea94SMariusz Zaborskiand 165cdd6ea94SMariusz Zaborski.Xr fopen 3 166cdd6ea94SMariusz Zaborskiexpect that all arguments are fetched from the 167cdd6ea94SMariusz Zaborski.Va fileargs_t 168cdd6ea94SMariusz Zaborskistructure. 169*dcdad299SMariusz Zaborski.Pp 170*dcdad299SMariusz ZaborskiThe function 171*dcdad299SMariusz Zaborski.Fn fileargs_realpath 172*dcdad299SMariusz Zaborskiis equivalent to 173*dcdad299SMariusz Zaborski.Xr realpath 3 . 174cdd6ea94SMariusz Zaborski.Sh LIMITS 175cdd6ea94SMariusz ZaborskiThis section describe which values and types should be used to pass arguments to the 176731d06abSEd Maste.Fa system.fileargs 177cdd6ea94SMariusz Zaborskithrough the 178fc07a84fSEd Maste.Fn fileargs_initnv 179cdd6ea94SMariusz Zaborskiand 180fc07a84fSEd Maste.Fn fileargs_cinitnv 181cdd6ea94SMariusz Zaborskifunctions. 182cdd6ea94SMariusz ZaborskiThe 183cdd6ea94SMariusz Zaborski.Xr nvlist 9 184cdd6ea94SMariusz Zaborskifor that functions must contain the following values and types: 185cdd6ea94SMariusz Zaborski.Bl -ohang -offset indent 186cdd6ea94SMariusz Zaborski.It flags ( NV_TYPE_NUMBER ) 187cdd6ea94SMariusz ZaborskiThe 188cdd6ea94SMariusz Zaborski.Va flags 189cdd6ea94SMariusz Zaborskilimits opened files for either execution or reading and/or writing. 190cdd6ea94SMariusz Zaborski.It mode (NV_TYPE_NUMBER) 191cdd6ea94SMariusz ZaborskiIf in the 192cdd6ea94SMariusz Zaborski.Va flags 193cdd6ea94SMariusz Zaborskiargument the 194cdd6ea94SMariusz Zaborski.Dv O_CREATE 195cdd6ea94SMariusz Zaborskiflag was defined the 196cdd6ea94SMariusz Zaborski.Xr nvlist 9 197cdd6ea94SMariusz Zaborskimust contain the 198cdd6ea94SMariusz Zaborski.Va mode . 199cdd6ea94SMariusz ZaborskiThe 200cdd6ea94SMariusz Zaborski.Va mode 201cdd6ea94SMariusz Zaborskiargument tells which what mode file should be created. 2027b558caeSEd Maste.It operations (NV_TYPE_NUMBER) 2037b558caeSEd MasteThe 2047b558caeSEd Maste.Va operations 2057b558caeSEd Mastelimits the usable operations for 2067b558caeSEd Maste.Fa system.fileargs . 2077b558caeSEd MasteThe possible values are explained as 2087b558caeSEd Maste.Va operations 2097b558caeSEd Masteargument with 2107b558caeSEd Maste.Fn fileargs_init . 211cdd6ea94SMariusz Zaborski.El 212cdd6ea94SMariusz Zaborski.Pp 213cdd6ea94SMariusz ZaborskiThe 214cdd6ea94SMariusz Zaborski.Xr nvlist 9 215cdd6ea94SMariusz Zaborskifor that functions may contain the following values and types: 216cdd6ea94SMariusz Zaborski.Bl -ohang -offset indent 217cdd6ea94SMariusz Zaborski.It cap_rights ( NV_TYPE_BINARY ) 218cdd6ea94SMariusz ZaborskiThe 219cdd6ea94SMariusz Zaborski.Va cap_rights 220cdd6ea94SMariusz Zaborskiargument contains a list of the capability rights which file should be limited to. 221cdd6ea94SMariusz Zaborski.It ( NV_TYPE_NULL ) 222cdd6ea94SMariusz ZaborskiAny number of 223cdd6ea94SMariusz Zaborski.Dv NV_TYPE_NULL 224cdd6ea94SMariusz Zaborskiwhere the name of the element is name of the file which can be opened. 225cdd6ea94SMariusz Zaborski.Sh EXAMPLES 226cdd6ea94SMariusz ZaborskiThe following example first parse some options and then create the 227731d06abSEd Maste.Nm system.fileargs 228cdd6ea94SMariusz Zaborskiservice with remaining arguments. 229cdd6ea94SMariusz Zaborski.Bd -literal 230cdd6ea94SMariusz Zaborskiint ch, fd, i; 231cdd6ea94SMariusz Zaborskicap_rights_t rights; 232cdd6ea94SMariusz Zaborskifileargs_t *fa; 233cdd6ea94SMariusz Zaborski 234cdd6ea94SMariusz Zaborskiwhile ((ch = getopt(argc, argv, "h")) != -1) { 235cdd6ea94SMariusz Zaborski switch (ch) { 236cdd6ea94SMariusz Zaborski case 'h': 237cdd6ea94SMariusz Zaborski default: 238cdd6ea94SMariusz Zaborski usage(); 239cdd6ea94SMariusz Zaborski } 240cdd6ea94SMariusz Zaborski} 241cdd6ea94SMariusz Zaborski 242cdd6ea94SMariusz Zaborskiargc -= optind; 243cdd6ea94SMariusz Zaborskiargv += optind; 244cdd6ea94SMariusz Zaborski 245cdd6ea94SMariusz Zaborski/* Create capability to the system.fileargs service. */ 246cdd6ea94SMariusz Zaborskifa = fileargs_init(argc, argv, O_RDONLY, 0, 2477b558caeSEd Maste cap_rights_init(&rights, CAP_READ), FA_OPEN); 248cdd6ea94SMariusz Zaborskiif (fa == NULL) 249cdd6ea94SMariusz Zaborski err(1, "unable to open system.fileargs service"); 250cdd6ea94SMariusz Zaborski 251cdd6ea94SMariusz Zaborski/* Enter capability mode sandbox. */ 252cdd6ea94SMariusz Zaborskiif (cap_enter() < 0 && errno != ENOSYS) 253cdd6ea94SMariusz Zaborski err(1, "unable to enter capability mode"); 254cdd6ea94SMariusz Zaborski 255cdd6ea94SMariusz Zaborski/* Open files. */ 256cdd6ea94SMariusz Zaborskifor (i = 0; i < argc; i++) { 257cdd6ea94SMariusz Zaborski fd = fileargs_open(fa, argv[i]); 258cdd6ea94SMariusz Zaborski if (fd < 0) 259cdd6ea94SMariusz Zaborski err(1, "unable to open file %s", argv[i]); 26064b3a6b3SMariusz Zaborski printf("File %s opened in capability mode\en", argv[i]); 261cdd6ea94SMariusz Zaborski close(fd); 262cdd6ea94SMariusz Zaborski} 263cdd6ea94SMariusz Zaborski 264cdd6ea94SMariusz Zaborskifileargs_free(fa); 265cdd6ea94SMariusz Zaborski.Ed 266cdd6ea94SMariusz Zaborski.Sh SEE ALSO 267cdd6ea94SMariusz Zaborski.Xr cap_enter 2 , 2687b558caeSEd Maste.Xr lstat 2 , 269cdd6ea94SMariusz Zaborski.Xr open 2 , 270cdd6ea94SMariusz Zaborski.Xr cap_rights_init 3 , 271cdd6ea94SMariusz Zaborski.Xr err 3 , 272cdd6ea94SMariusz Zaborski.Xr fopen 3 , 273cdd6ea94SMariusz Zaborski.Xr getopt 3 , 274*dcdad299SMariusz Zaborski.Xr realpath 3 , 275cdd6ea94SMariusz Zaborski.Xr capsicum 4 , 276cdd6ea94SMariusz Zaborski.Xr nv 9 277421f325eSGordon Bergling.Sh HISTORY 278421f325eSGordon BerglingThe 279421f325eSGordon Bergling.Nm cap_fileargs 280421f325eSGordon Berglingservice first appeared in 281421f325eSGordon Bergling.Fx 10.3 . 282cdd6ea94SMariusz Zaborski.Sh BUGS 283cdd6ea94SMariusz ZaborskiThe 284cdd6ea94SMariusz Zaborski.Lb cap_fileargs 285cdd6ea94SMariusz Zaborskiincluded in 286cdd6ea94SMariusz Zaborski.Fx 287cdd6ea94SMariusz Zaborskiis considered experimental, and should not be deployed in production 288cdd6ea94SMariusz Zaborskienvironments without careful consideration of the risks associated with 289cdd6ea94SMariusz Zaborskithe use of experimental operating system features. 290cdd6ea94SMariusz Zaborski.Sh AUTHORS 291cdd6ea94SMariusz Zaborski.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org 292