1*edd09a25SMariusz Zaborski.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org> 2*edd09a25SMariusz Zaborski.\" All rights reserved. 3*edd09a25SMariusz Zaborski.\" 4*edd09a25SMariusz Zaborski.\" Redistribution and use in source and binary forms, with or without 5*edd09a25SMariusz Zaborski.\" modification, are permitted provided that the following conditions 6*edd09a25SMariusz Zaborski.\" are met: 7*edd09a25SMariusz Zaborski.\" 1. Redistributions of source code must retain the above copyright 8*edd09a25SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer. 9*edd09a25SMariusz Zaborski.\" 2. Redistributions in binary form must reproduce the above copyright 10*edd09a25SMariusz Zaborski.\" notice, this list of conditions and the following disclaimer in the 11*edd09a25SMariusz Zaborski.\" documentation and/or other materials provided with the distribution. 12*edd09a25SMariusz Zaborski.\" 13*edd09a25SMariusz Zaborski.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14*edd09a25SMariusz Zaborski.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15*edd09a25SMariusz Zaborski.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16*edd09a25SMariusz Zaborski.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17*edd09a25SMariusz Zaborski.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18*edd09a25SMariusz Zaborski.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19*edd09a25SMariusz Zaborski.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20*edd09a25SMariusz Zaborski.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21*edd09a25SMariusz Zaborski.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22*edd09a25SMariusz Zaborski.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23*edd09a25SMariusz Zaborski.\" SUCH DAMAGE. 24*edd09a25SMariusz Zaborski.\" 25*edd09a25SMariusz Zaborski.\" $FreeBSD$ 26*edd09a25SMariusz Zaborski.\" 27*edd09a25SMariusz Zaborski.Dd March 18, 2018 28*edd09a25SMariusz Zaborski.Dt CAP_SYSCTL 3 29*edd09a25SMariusz Zaborski.Os 30*edd09a25SMariusz Zaborski.Sh NAME 31*edd09a25SMariusz Zaborski.Nm cap_sysctlbyname 32*edd09a25SMariusz Zaborski.Nd "library for getting or setting system information in capability mode" 33*edd09a25SMariusz Zaborski.Sh LIBRARY 34*edd09a25SMariusz Zaborski.Lb libcap_sysctl 35*edd09a25SMariusz Zaborski.Sh SYNOPSIS 36*edd09a25SMariusz Zaborski.In sys/nv.h 37*edd09a25SMariusz Zaborski.In libcasper.h 38*edd09a25SMariusz Zaborski.In casper/cap_sysctl.h 39*edd09a25SMariusz Zaborski.Ft int 40*edd09a25SMariusz Zaborski.Fn cap_sysctlbyname "cap_channel_t *chan" " const char *name" " void *oldp" " size_t *oldlenp" " const void *newp" " size_t newlen" 41*edd09a25SMariusz Zaborski.Sh DESCRIPTION 42*edd09a25SMariusz ZaborskiThe function 43*edd09a25SMariusz Zaborski.Fn cap_sysctlbyname 44*edd09a25SMariusz Zaborskiis equivalent to 45*edd09a25SMariusz Zaborski.Xr sysctlbyname 3 46*edd09a25SMariusz Zaborskiexcept that the connection to the 47*edd09a25SMariusz Zaborski.Nm system.sysctl 48*edd09a25SMariusz Zaborskiservice needs to be 
provided. 49*edd09a25SMariusz Zaborski.Sh LIMITS 50*edd09a25SMariusz ZaborskiThe service can be limited using the 51*edd09a25SMariusz Zaborski.Xr cap_limit_set 3 52*edd09a25SMariusz Zaborskifunction. 53*edd09a25SMariusz ZaborskiThe 54*edd09a25SMariusz Zaborski.Xr nvlist 9 55*edd09a25SMariusz Zaborskifor that function can contain the following values and types: 56*edd09a25SMariusz Zaborski.Bl -ohang -offset indent 57*edd09a25SMariusz Zaborski.It ( NV_TYPE_NUMBER ) 58*edd09a25SMariusz ZaborskiThe name of the element with type number will be treated as the limited sysctl. 59*edd09a25SMariusz ZaborskiThe value of the element describes the access rights for the given sysctl. 60*edd09a25SMariusz ZaborskiThere are four different rights 61*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_READ , 62*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_WRITE , 63*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_RDWR , 64*edd09a25SMariusz Zaborskiand 65*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_RECURSIVE . 66*edd09a25SMariusz ZaborskiThe 67*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_READ 68*edd09a25SMariusz Zaborskiflag allows fetching the value of a given sysctl. 69*edd09a25SMariusz ZaborskiThe 70*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_WRITE 71*edd09a25SMariusz Zaborskiflag allows overwriting the value of a given sysctl. 72*edd09a25SMariusz ZaborskiThe 73*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_RDWR 74*edd09a25SMariusz Zaborskiis a combination of the 75*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_WRITE 76*edd09a25SMariusz Zaborskiand 77*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_READ 78*edd09a25SMariusz Zaborskiand allows reading and writing the value of a given sysctl. 79*edd09a25SMariusz ZaborskiThe 80*edd09a25SMariusz Zaborski.Dv CAP_SYSCTL_RECURSIVE 81*edd09a25SMariusz Zaborskiallows access to all children of a given sysctl. 82*edd09a25SMariusz ZaborskiThis right must be combined with at least one other right. .El 
83*edd09a25SMariusz Zaborski.Sh EXAMPLES 84*edd09a25SMariusz ZaborskiThe following example first opens a capability to Casper and then uses this 85*edd09a25SMariusz Zaborskicapability to create the 86*edd09a25SMariusz Zaborski.Nm system.sysctl 87*edd09a25SMariusz ZaborskiCasper service and uses it to get the value of 88*edd09a25SMariusz Zaborski.Dv kern.trap_enotcap . 89*edd09a25SMariusz Zaborski.Bd -literal 90*edd09a25SMariusz Zaborskicap_channel_t *capcas, *capsysctl; 91*edd09a25SMariusz Zaborskiconst char *name = "kern.trap_enotcap"; 92*edd09a25SMariusz Zaborskinvlist_t *limits; 93*edd09a25SMariusz Zaborskiint value; 94*edd09a25SMariusz Zaborskisize_t size = sizeof(value); 95*edd09a25SMariusz Zaborski 96*edd09a25SMariusz Zaborski/* Open capability to Casper. */ 97*edd09a25SMariusz Zaborskicapcas = cap_init(); 98*edd09a25SMariusz Zaborskiif (capcas == NULL) 99*edd09a25SMariusz Zaborski err(1, "Unable to contact Casper"); 100*edd09a25SMariusz Zaborski 101*edd09a25SMariusz Zaborski/* Enter capability mode sandbox. */ 102*edd09a25SMariusz Zaborskiif (cap_enter() < 0 && errno != ENOSYS) 103*edd09a25SMariusz Zaborski err(1, "Unable to enter capability mode"); 104*edd09a25SMariusz Zaborski 105*edd09a25SMariusz Zaborski/* Use Casper capability to create capability to the system.sysctl service. */ 106*edd09a25SMariusz Zaborskicapsysctl = cap_service_open(capcas, "system.sysctl"); 107*edd09a25SMariusz Zaborskiif (capsysctl == NULL) 108*edd09a25SMariusz Zaborski err(1, "Unable to open system.sysctl service"); 109*edd09a25SMariusz Zaborski 110*edd09a25SMariusz Zaborski/* Close Casper capability, we don't need it anymore. */ 111*edd09a25SMariusz Zaborskicap_close(capcas); 112*edd09a25SMariusz Zaborski 113*edd09a25SMariusz Zaborski/* Create limit for one MIB with read access only. 
*/ 114*edd09a25SMariusz Zaborskilimits = nvlist_create(0); 115*edd09a25SMariusz Zaborskinvlist_add_number(limits, name, CAP_SYSCTL_READ); 116*edd09a25SMariusz Zaborski 117*edd09a25SMariusz Zaborski/* Limit system.sysctl. */ 118*edd09a25SMariusz Zaborskiif (cap_limit_set(capsysctl, limits) < 0) 119*edd09a25SMariusz Zaborski err(1, "Unable to set limits"); 120*edd09a25SMariusz Zaborski 121*edd09a25SMariusz Zaborski/* Fetch value; size must hold the room available at &value. */ 122*edd09a25SMariusz Zaborskiif (cap_sysctlbyname(capsysctl, name, &value, &size, NULL, 0) < 0) 123*edd09a25SMariusz Zaborski err(1, "Unable to get value of sysctl"); 124*edd09a25SMariusz Zaborski 125*edd09a25SMariusz Zaborskiprintf("The value of %s is %d.\\n", name, value); 126*edd09a25SMariusz Zaborski 127*edd09a25SMariusz Zaborskicap_close(capsysctl); 128*edd09a25SMariusz Zaborski.Ed 129*edd09a25SMariusz Zaborski.Sh SEE ALSO 130*edd09a25SMariusz Zaborski.Xr cap_enter 2 , 131*edd09a25SMariusz Zaborski.Xr err 3 , 132*edd09a25SMariusz Zaborski.Xr sysctlbyname 3 , 133*edd09a25SMariusz Zaborski.Xr capsicum 4 , 134*edd09a25SMariusz Zaborski.Xr nv 9 135*edd09a25SMariusz Zaborski.Sh AUTHORS 136*edd09a25SMariusz ZaborskiThe 137*edd09a25SMariusz Zaborski.Nm cap_sysctl 138*edd09a25SMariusz Zaborskiservice was implemented by 139*edd09a25SMariusz Zaborski.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net 140*edd09a25SMariusz Zaborskiunder sponsorship from the FreeBSD Foundation. 141*edd09a25SMariusz Zaborski.Pp 142*edd09a25SMariusz ZaborskiThis manual page was written by 143*edd09a25SMariusz Zaborski.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org . 144