d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sockstat: use cap_pwd

Browse Source 
The sockstat is using password database operations to obtain
the username. Such operations are disallowed in capability mode.
For such operations Casper is required.

Reported by:	olivier@
Tested by:	olivier@
This commit is contained in:
Mariusz Zaborski 2021-06-18 18:06:03 +02:00
parent bfb5947bb1
commit 7ad30f58dd
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
usr.bin/sockstat/Makefile
View File

@ -10,6 +10,7 @@ LIBADD= jail
LIBADD+= casper LIBADD+= casper
LIBADD+= cap_net LIBADD+= cap_net
LIBADD+= cap_netdb LIBADD+= cap_netdb
LIBADD+= cap_pwd
LIBADD+= cap_sysctl LIBADD+= cap_sysctl
CFLAGS+= -DWITH_CASPER CFLAGS+= -DWITH_CASPER
.endif .endif

16
usr.bin/sockstat/sockstat.c
View File

@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
#include <libcasper.h> #include <libcasper.h>
#include <casper/cap_net.h> #include <casper/cap_net.h>
#include <casper/cap_netdb.h> #include <casper/cap_netdb.h>
#include <casper/cap_pwd.h>
#include <casper/cap_sysctl.h> #include <casper/cap_sysctl.h>
#define sstosin(ss) ((struct sockaddr_in *)(ss)) #define sstosin(ss) ((struct sockaddr_in *)(ss))
@ -141,6 +142,7 @@ static int nxfiles;
static cap_channel_t *capnet; static cap_channel_t *capnet;
static cap_channel_t *capnetdb; static cap_channel_t *capnetdb;
static cap_channel_t *capsysctl; static cap_channel_t *capsysctl;
static cap_channel_t *cappwd;
static int static int
xprintf(const char *fmt, ...) xprintf(const char *fmt, ...)
@ -1215,7 +1217,7 @@ display(void)
printf(" %-.*s", TCP_CA_NAME_MAX, "CC"); printf(" %-.*s", TCP_CA_NAME_MAX, "CC");
printf("\n"); printf("\n");
} }
setpassent(1); cap_setpassent(cappwd, 1);
for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) { for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
if (xf->xf_data == 0) if (xf->xf_data == 0)
continue; continue;
@ -1229,7 +1231,8 @@ display(void)
continue; continue;
s->shown = 1; s->shown = 1;
pos = 0; pos = 0;
if (opt_n || (pwd = getpwuid(xf->xf_uid)) == NULL) if (opt_n ||
(pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL)
pos += xprintf("%lu ", (u_long)xf->xf_uid); pos += xprintf("%lu ", (u_long)xf->xf_uid);
else else
pos += xprintf("%s ", pwd->pw_name); pos += xprintf("%s ", pwd->pw_name);
@ -1326,6 +1329,8 @@ main(int argc, char *argv[])
{ {
cap_channel_t *capcas; cap_channel_t *capcas;
cap_net_limit_t *limit; cap_net_limit_t *limit;
const char *pwdcmds[] = { "setpassent", "getpwuid" };
const char *pwdfields[] = { "pw_name" };
int protos_defined = -1; int protos_defined = -1;
int o, i; int o, i;
@ -1424,12 +1429,19 @@ main(int argc, char *argv[])
capsysctl = cap_service_open(capcas, "system.sysctl"); capsysctl = cap_service_open(capcas, "system.sysctl");
if (capsysctl == NULL) if (capsysctl == NULL)
err(1, "Unable to open system.sysctl service"); err(1, "Unable to open system.sysctl service");
cappwd = cap_service_open(capcas, "system.pwd");
if (cappwd == NULL)
err(1, "Unable to open system.pwd service");
cap_close(capcas); cap_close(capcas);
limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME); limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
if (limit == NULL) if (limit == NULL)
err(1, "Unable to init cap_net limits"); err(1, "Unable to init cap_net limits");
if (cap_net_limit(limit) < 0) if (cap_net_limit(limit) < 0)
err(1, "Unable to apply limits"); err(1, "Unable to apply limits");
if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0)
err(1, "Unable to apply pwd commands limits");
if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0)
err(1, "Unable to apply pwd commands limits");
if ((!opt_4 && !opt_6) && protos_defined != -1) if ((!opt_4 && !opt_6) && protos_defined != -1)
opt_4 = opt_6 = 1; opt_4 = opt_6 = 1;