ktrdump(8): Capsicumify

We restrict the (optional) input file and output files. It would be nice to restrict the KVM files, but that's up to libkvm. We wait until after kvm_nlist() is invoked to cap_enter() because kldsym() isn't supported in the Capsicum sandbox. Feedback from: emaste@ (earlier versions) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D7921
nhuff · Dec 16, 2016 · 208a859 · 208a859
1 parent 20502a1
commit 208a859
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/usr.bin/ktrdump/ktrdump.c b/usr.bin/ktrdump/ktrdump.c
@@ -29,11 +29,14 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#include <sys/capsicum.h>
 #include <sys/ktr.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
 
+#include <capsicum_helpers.h>
 #include <err.h>
+#include <errno.h>
 #include <fcntl.h>
 #include <kvm.h>
 #include <limits.h>
@@ -70,6 +73,7 @@ static int hflag;
 
 static char corefile[PATH_MAX];
 static char execfile[PATH_MAX];
+static char outfile[PATH_MAX] = "stdout";
 
 static char desc[SBUFLEN];
 static char errbuf[_POSIX2_LINE_MAX];
@@ -87,6 +91,7 @@ main(int ac, char **av)
 	struct ktr_entry *buf;
 	uintmax_t tlast, tnow;
 	unsigned long bufptr;
+	cap_rights_t rights;
 	struct stat sb;
 	kvm_t *kd;
 	FILE *out;
@@ -122,6 +127,11 @@ main(int ac, char **av)
 			iflag = 1;
 			if ((in = open(optarg, O_RDONLY)) == -1)
 				err(1, "%s", optarg);
+			cap_rights_init(&rights, CAP_FSTAT, CAP_MMAP_R);
+			if (cap_rights_limit(in, &rights) < 0 &&
+			    errno != ENOSYS)
+				err(1, "unable to limit rights for %s",
+				    optarg);
 			break;
 		case 'M':
 		case 'm':
@@ -133,6 +143,7 @@ main(int ac, char **av)
 		case 'o':
 			if ((out = fopen(optarg, "w")) == NULL)
 				err(1, "%s", optarg);
+			strlcpy(outfile, optarg, sizeof(outfile));
 			break;
 		case 'q':
 			qflag++;
@@ -155,18 +166,39 @@ main(int ac, char **av)
 	if (ac != 0)
 		usage();
 
+	cap_rights_init(&rights, CAP_FSTAT, CAP_WRITE);
+	if (cap_rights_limit(fileno(out), &rights) < 0 && errno != ENOSYS)
+		err(1, "unable to limit rights for %s", outfile);
+
 	/*
 	 * Open our execfile and corefile, resolve needed symbols and read in
 	 * the trace buffer.
 	 */
 	if ((kd = kvm_openfiles(Nflag ? execfile : NULL,
 	    Mflag ? corefile : NULL, NULL, O_RDONLY, errbuf)) == NULL)
 		errx(1, "%s", errbuf);
+
+	/*
+	 * Cache NLS data, for strerror, for err(3), before entering capability
+	 * mode.
+	 */
+	caph_cache_catpages();
+
 	if (kvm_nlist(kd, nl) != 0 ||
 	    kvm_read(kd, nl[0].n_value, &version, sizeof(version)) == -1)
 		errx(1, "%s", kvm_geterr(kd));
 	if (version != KTR_VERSION)
 		errx(1, "ktr version mismatch");
+
+	/*
+	 * Enter Capsicum sandbox.
+	 *
+	 * kvm_nlist() above uses kldsym(2) for native kernels, and that isn't
+	 * allowed in the sandbox.
+	 */
+	if (cap_enter() < 0 && errno != ENOSYS)
+		err(1, "unable to enter capability mode");
+
 	if (iflag) {
 		if (fstat(in, &sb) == -1)
 			errx(1, "stat");