1.\" Copyright (c) 2020 Mariusz Zaborski <oshogbo@FreeBSD.org> 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 23.\" 24.\" $FreeBSD$ 25.\" 26.Dd August 15, 2020 27.Dt CAP_NET 3 28.Os 29.Sh NAME 30.Nm cap_bind , 31.Nm cap_connect , 32.Nm cap_getaddrinfo , 33.Nm cap_gethostbyaddr , 34.Nm cap_gethostbyname , 35.Nm cap_gethostbyname2 , 36.Nm cap_getnameinfo , 37.Nm cap_net_free , 38.Nm cap_net_limit , 39.Nm cap_net_limit_addr2name , 40.Nm cap_net_limit_addr2name_family , 41.Nm cap_net_limit_bind , 42.Nm cap_net_limit_connect , 43.Nm cap_net_limit_init , 44.Nm cap_net_limit_name2addr , 45.Nm cap_net_limit_name2addr_family , 46.Nd "library for networking in capability mode" 47.Sh LIBRARY 48.Lb libcap_net 49.Sh SYNOPSIS 50.In sys/nv.h 51.In libcasper.h 52.In casper/cap_net.h 53.Ft int 54.Fn cap_bind "cap_channel_t *chan" "int s" "const struct sockaddr *addr" "socklen_t addrlen" 55.Ft int 56.Fn cap_connect "cap_channel_t *chan" "int s" "const struct sockaddr *name" "socklen_t namelen" 57.Ft int 58.Fn cap_getaddrinfo "cap_channel_t *chan" "const char *hostname" "const char *servname" "const struct addrinfo *hints" "struct addrinfo **res" 59.Ft int 60.Fn cap_getnameinfo "cap_channel_t *chan" "const struct sockaddr *sa" "socklen_t salen" "char *host" "size_t hostlen" "char *serv" "size_t servlen" "int flags" 61.Ft "struct hostent *" 62.Fn cap_gethostbyname "const cap_channel_t *chan" "const char *name" 63.Ft "struct hostent *" 64.Fn cap_gethostbyname2 "const cap_channel_t *chan" "const char *name" "int af" 65.Ft "struct hostent *" 66.Fn cap_gethostbyaddr "const cap_channel_t *chan" "const void *addr" "socklen_t len" "int af" 67.Ft "cap_net_limit_t *" 68.Fn cap_net_limit_init "cap_channel_t *chan" "uint64_t mode" 69.Ft int 70.Fn cap_net_limit "cap_net_limit_t *limit" 71.Ft void 72.Fn cap_net_free "cap_net_limit_t *limit" 73.Ft "cap_net_limit_t *" 74.Fn cap_net_limit_addr2name_family "cap_net_limit_t *limit" "int *family" "size_t size" 75.Ft "cap_net_limit_t *" 76.Fn cap_net_limit_addr2name "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen" 77.Ft "cap_net_limit_t *" 78.Fn cap_net_limit_name2addr_family "cap_net_limit_t *limit" "int *family" "size_t size" 79.Ft "cap_net_limit_t *" 80.Fn cap_net_limit_name2addr "cap_net_limit_t *limit" "const char *name" "const char *serv" 81.Ft "cap_net_limit_t *" 82.Fn cap_net_limit_connect "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen" 83.Ft "cap_net_limit_t *" 84.Fn cap_net_limit_bind "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen" 85.Sh DESCRIPTION 86The functions 87.Fn cap_bind , 88.Fn cap_connect , 89.Fn cap_gethostbyname , 90.Fn cap_gethostbyname2 , 91.Fn cap_gethostbyaddr 92and 93.Fn cap_getnameinfo 94are respectively equivalent to 95.Xr bind 2 , 96.Xr connect 2 , 97.Xr gethostbyname 3 , 98.Xr gethostbyname2 3 , 99.Xr gethostbyaddr 3 100and 101.Xr getnameinfo 3 102except that the connection to the 103.Nm system.net 104service needs to be provided. 105.Sh LIMITS 106By default, the cap_net capability provides unrestricted access to the network 107namespace. 108Applications typically only require access to a small portion of the network 109namespace: 110.Fn cap_net_limit 111interface can be used to restrict access to the network. 112.Fn cap_net_limit_init 113returns an opaque limit handle used to store a list of capabilities. 114The 115.Fv mode 116restricts the functionality of the service. 117Modes are encoded using the following flags: 118.Pp 119.Bd -literal -offset indent -compact 120CAPNET_ADDR2NAME reverse DNS lookups are allowed with 121 cap_getnameinfo 122CAPNET_NAME2ADDR name resolution is allowed with 123 cap_getaddrinfo 124CAPNET_DEPRECATED_ADDR2NAME reverse DNS lookups are allowed with 125 cap_gethostbyaddr 126CAPNET_DEPRECATED_NAME2ADDR name resolution is allowed with 127 cap_gethostbyname and cap_gethostbyname2 128CAPNET_BIND bind syscall is allowed 129CAPNET_CONNECT connect syscall is allowed 130CAPNET_CONNECTDNS connect syscall is allowed to the values 131 returned from privies call to 132 the cap_getaddrinfo or cap_gethostbyname 133.Ed 134.Pp 135.Fn cap_net_limit_addr2name_family 136limits the 137.Fn cap_getnameinfo 138and 139.Fn cap_gethostbyaddr 140to do reverse DNS lookups to specific family (AF_INET, AF_INET6, etc.) 141.Pp 142.Fn cap_net_limit_addr2name 143limits the 144.Fn cap_getnameinfo 145and 146.Fn cap_gethostbyaddr 147to do reverse DNS lookups only on those specific structures. 148.Pp 149.Fn cap_net_limit_name2addr_family 150limits the 151.Fn cap_getaddrinfo , 152.Fn cap_gethostbyname 153and 154.Fn cap_gethostbyname2 155to do the name resolution on specific family (AF_INET, AF_INET6, etc.) 156.Pp 157.Fn cap_net_limit_addr2name 158restricts 159.Fn cap_getaddrinfo , 160.Fn cap_gethostbyname 161and 162.Fn cap_gethostbyname2 163to a set of domains. 164.Pp 165.Fn cap_net_limit_bind 166limits 167.Fn cap_bind 168to bind only on those specific structures. 169.Pp 170.Fn cap_net_limit_connect 171limits 172.Fn cap_connect 173to connect only on those specific structures. 174If the CAPNET_CONNECTDNS is set the limits are extended to the values returned 175by 176.Fn cap_getaddrinfo , 177.Fn cap_gethostbyname 178and 179.Fn cap_gethostbyname2 180In case of the 181.Fn cap_getaddrinfo 182the restriction is strict. 183In case of the 184.Fn cap_gethostbyname 185and 186.Fn cap_gethostbyname2 187any port will be accepted in the 188.Fn cap_connect 189function. 190.Pp 191.Fn cap_net_limit 192applies a set of sysctl limits to the capability, denying access to sysctl 193variables not belonging to the set. 194.Pp 195Once a set of limits is applied, subsequent calls to 196.Fn cap_net_limit 197will fail unless the new set is a subset of the current set. 198.Pp 199The 200.Fn cap_net_limit 201will consume the limits. 202If the 203.Fn cap_net_limit 204was not called the rights may be freed using 205.Fn cap_net_free . 206Multiple calls to 207.Fn cap_net_limit_addr2name_family , 208.Fn cap_net_limit_addr2name , 209.Fn cap_net_limit_name2addr_family , 210.Fn cap_net_limit_name2addr , 211.Fn cap_net_limit_connect , 212and 213.Fn cap_net_limit_bind 214is supported, each call is extending preview capabilities. 215.Sh EXAMPLES 216The following example first opens a capability to casper and then uses this 217capability to create the 218.Nm system.net 219casper service and uses it to resolve a host and connect to it. 220.Bd -literal 221cap_channel_t *capcas, *capnet; 222cap_net_limit_t *limit; 223int familylimit, error, s; 224const char *host = "example.com"; 225struct addrinfo hints, *res; 226 227/* Open capability to Casper. */ 228capcas = cap_init(); 229if (capcas == NULL) 230 err(1, "Unable to contact Casper"); 231 232/* Cache NLA for gai_strerror. */ 233caph_cache_catpages(); 234 235/* Enter capability mode sandbox. */ 236if (caph_enter_casper() < 0) 237 err(1, "Unable to enter capability mode"); 238 239/* Use Casper capability to create capability to the system.net service. */ 240capnet = cap_service_open(capcas, "system.net"); 241if (capnet == NULL) 242 err(1, "Unable to open system.net service"); 243 244/* Close Casper capability. */ 245cap_close(capcas); 246 247/* Limit system.net to reserve IPv4 addresses, to host example.com . */ 248limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR | CAPNET_CONNECTDNS); 249if (limit == NULL) 250 err(1, "Unable to create limits."); 251cap_net_limit_name2addr(limit, host, "80"); 252familylimit = AF_INET; 253cap_net_limit_name2addr_family(limit, &familylimit, 1); 254if (cap_net_limit(limit) < 0) 255 err(1, "Unable to apply limits."); 256 257/* Find IP addresses for the given host. */ 258memset(&hints, 0, sizeof(hints)); 259hints.ai_family = AF_INET; 260hints.ai_socktype = SOCK_STREAM; 261 262error = cap_getaddrinfo(capnet, host, "80", &hints, &res); 263if (error != 0) 264 errx(1, "cap_getaddrinfo(): %s: %s", host, gai_strerror(error)); 265 266s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); 267if (s < 0) 268 err(1, "Unable to create socket"); 269 270if (cap_connect(capnet, s, res->ai_addr, res->ai_addrlen) < 0) 271 err(1, "Unable to connect to host"); 272.Ed 273.Sh SEE ALSO 274.Xr bind 2 , 275.Xr cap_enter 2 , 276.Xr connect 2 , 277.Xr caph_enter 3 , 278.Xr err 3 , 279.Xr gethostbyaddr 3 , 280.Xr gethostbyname 3 , 281.Xr gethostbyname2 3 , 282.Xr getnameinfo 3 , 283.Xr capsicum 4 , 284.Xr nv 9 285.Sh AUTHORS 286.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org 287