d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

iscsi: simplify the capsicumization

Browse Source 
Approved by:	trasz
Differential Revision:	https://reviews.freebsd.org/D17962
This commit is contained in:
Mariusz Zaborski 2018-11-30 19:40:16 +00:00
parent 77ebcc05ea
commit 1489776d43
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=341348
2 changed files with 8 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
usr.sbin/ctld/kernel.c
View File

@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$");
#include <sys/stat.h>
#include <assert.h>
#include <bsdxml.h>
#include <capsicum_helpers.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
@ -1313,22 +1314,17 @@ kernel_receive(struct pdu *pdu)
void
kernel_capsicate(void)
{
int error;
cap_rights_t rights;
const unsigned long cmds[] = { CTL_ISCSI };
cap_rights_init(&rights, CAP_IOCTL);
error = cap_rights_limit(ctl_fd, &rights);
if (error != 0 && errno != ENOSYS)
if (caph_rights_limit(ctl_fd, &rights) < 0)
log_err(1, "cap_rights_limit");
error = cap_ioctls_limit(ctl_fd, cmds, nitems(cmds));
if (error != 0 && errno != ENOSYS)
if (caph_ioctls_limit(ctl_fd, cmds, nitems(cmds)) < 0)
log_err(1, "cap_ioctls_limit");
error = cap_enter();
if (error != 0 && errno != ENOSYS)
if (caph_enter() < 0)
log_err(1, "cap_enter");
if (cap_sandboxed())

12
usr.sbin/iscsid/iscsid.c
View File

@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
#include <sys/capsicum.h>
#include <sys/wait.h>
#include <assert.h>
#include <capsicum_helpers.h>
#include <errno.h>
#include <fcntl.h>
#include <libutil.h>
@ -349,7 +350,6 @@ fail(const struct connection *conn, const char *reason)
static void
capsicate(struct connection *conn)
{
int error;
cap_rights_t rights;
#ifdef ICL_KERNEL_PROXY
const unsigned long cmds[] = { ISCSIDCONNECT, ISCSIDSEND, ISCSIDRECEIVE,
@ -360,17 +360,13 @@ capsicate(struct connection *conn)
#endif
cap_rights_init(&rights, CAP_IOCTL);
error = cap_rights_limit(conn->conn_iscsi_fd, &rights);
if (error != 0 && errno != ENOSYS)
if (caph_rights_limit(conn->conn_iscsi_fd, &rights) < 0)
log_err(1, "cap_rights_limit");
error = cap_ioctls_limit(conn->conn_iscsi_fd, cmds, nitems(cmds));
if (error != 0 && errno != ENOSYS)
if (caph_ioctls_limit(conn->conn_iscsi_fd, cmds, nitems(cmds)) < 0)
log_err(1, "cap_ioctls_limit");
error = cap_enter();
if (error != 0 && errno != ENOSYS)
if (caph_enter() != 0)
log_err(1, "cap_enter");
if (cap_sandboxed())