freebsd-nq/sbin
Mark Johnston 04e9edb544 Capsicumize rtsol(8) and rtsold(8).
These programs parse ND6 Router Advertisement messages; rtsold(8) has
required an SA, SA-14:20.rtsold, for a bug in this code.  Thus, they
are good candidates for sandboxing.

The approach taken is to run the main executable in capability mode
and use Casper services to provide functionality that cannot be
implemented within the sandbox.  In particular, several custom services
were required.

- A Casper service is used to send Router Solicitation messages on a
  raw ICMP6 socket.  Initially I took the approach of creating a
  socket for each interface upon startup, and connect(2)ing it to
  the all-routers multicast group for the interface.  This permits
  the use of sendmsg(2) in capability mode, but only works if the
  interface's link is up when rtsol(d) starts.  So, instead, the
  rtsold.sendmsg service is used to transmit RS messages on behalf
  of the main process.  One could alternately define a service
  which simply creates and connects a socket for each destination
  address, and returns the socket to the sandboxed process.  However,
  to implement rtsold's -m option we also need to read the ND6 default
  router list, and this cannot be done in capability mode.
- rtsold may execute resolvconf(8) in response to RDNSS and DNSSL
  options in received RA messages.  A Casper service is used to
  fork and exec resolvconf(8), and to reap the child process.
- A service is used to determine whether a given interface's
  link-local address is usable (i.e., not duplicated or undergoing
  DAD).  This information is supplied by getifaddrs(3), which reads
  a sysctl not available in capability mode.  The SIOCGIFCONF socket
  ioctl provides equivalent information and can be used in capability
  mode, but I decided against it for now because of some limitations
  of that interface.

In addition to these new services, cap_syslog(3) is used to send
messages to syslogd.

Reviewed by:	oshogbo
Tested by:	bz (previous versions)
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D17572
2019-01-05 16:05:39 +00:00
adjkerntz
bectl bectl: use jail id as the default jail name for a boot environment 2018-12-25 15:18:41 +00:00
bsdlabel Move disktab to sbin/bsdlabel/ 2018-09-18 20:52:24 +00:00
camcontrol
ccdconfig
clri In preparation for adding inode check-hashes, clean up and 2018-11-13 21:40:56 +00:00
comcontrol
conscontrol
ddb Move ddb.conf to sbin/ddb/ and switch to CONFS. 2018-08-11 13:25:39 +00:00
decryptcore Make decryptcore(8) buildable. 2018-09-19 07:07:03 +00:00
devd Further research shows usbdump(8) is what we should point people at 2018-11-02 22:18:02 +00:00
devfs Move all devfs related files to sbin/devfs/ 2018-08-22 15:55:23 +00:00
devmatch Add in a missing newline 2018-08-25 15:47:52 +00:00
dhclient capsicum: use a new capsicum helpers in tools 2018-11-04 19:24:49 +00:00
dmesg
dump Normally when an attempt is made to mount a UFS/FFS filesystem whose 2018-12-06 00:09:39 +00:00
dumpfs
dumpon Avoid clobbering a user-specified -g value after r340547. 2018-11-20 18:10:56 +00:00
etherswitchcfg
fdisk Allow fdisk(8) to deal with sectors larger than 2048 2018-10-25 12:13:13 +00:00
ffsinfo In preparation for adding inode check-hashes, clean up and 2018-11-13 21:40:56 +00:00
fsck
fsck_ffs Fsck would find, report, and offer to fix inode check-hash failures. 2018-12-15 17:32:47 +00:00
fsck_msdosfs
fsdb In preparation for adding inode check-hashes, change the fsck_ffs 2018-10-31 05:17:53 +00:00
fsirand Continuing efforts to provide hardening of FFS. This change adds a 2018-12-11 22:14:37 +00:00
gbde
geom Add the "-t" option to geom(8) utility, to display geoms hierarchy. 2018-09-14 15:29:45 +00:00
ggate ggated: do not expose stack data in sendfail() 2018-12-04 15:25:15 +00:00
growfs Normally when an attempt is made to mount a UFS/FFS filesystem whose 2018-12-06 00:09:39 +00:00
gvinum
hastctl
hastd
ifconfig ifconfig.4, lagg.4: fix documentation bug: -use_flowid needs to be used 2018-12-22 11:38:54 +00:00
init Move the rc framework out of sbin/init into libexec/rc. 2018-10-17 16:49:11 +00:00
ipf
ipfw Allow use underscores and dots in service names without escaping. 2018-12-21 10:41:45 +00:00
iscontrol
kldconfig
kldload
kldstat
kldunload
ldconfig Make ldconfig(8) atomic, by removing an unneccessary call to unlink(2) 2018-08-09 11:46:12 +00:00
md5 capsicum: use a new capsicum helpers in tools 2018-11-04 19:24:49 +00:00
mdconfig Use VOP_ADVISE() with POSIX_FADV_DONTNEED instead of IO_DIRECT to 2018-12-21 08:15:31 +00:00
mdmfs mdmfs(8): Check for other types of helper-program failure 2018-10-20 21:33:00 +00:00
mknod
mksnap_ffs
mount When getting mount information for all filesystems, mount uses the 2018-08-07 21:17:45 +00:00
mount_cd9660 Advise reader to also see mdconfig(8) in mount_cd9660(8). 2018-08-11 08:34:24 +00:00
mount_fusefs mount_fusefs.8: expand HISTORY section 2018-11-17 21:35:01 +00:00
mount_msdosfs mount_msdosfs: do not fail mounts requiring locale name conversion table 2018-10-27 16:41:34 +00:00
mount_nfs
mount_nullfs
mount_udf
mount_unionfs
nandfs
natd
newfs Continuing efforts to provide hardening of FFS. This change adds a 2018-12-11 22:14:37 +00:00
newfs_msdos
newfs_nandfs
nfsiod
nos-tun
nvmecontrol Try the first 256 units with nvmecontrol devlist. 2018-12-21 23:22:37 +00:00
pfctl pfctl: Populate ifname in ifa_lookup() 2018-11-08 21:53:09 +00:00
pflogd
ping Use caph_enter_casper() in ping(8). 2018-12-18 16:47:03 +00:00
ping6
quotacheck Normally when an attempt is made to mount a UFS/FFS filesystem whose 2018-12-06 00:09:39 +00:00
rcorder rcorder(8): add support for /etc/rc.resume, so it calls "rcorder -k resume" 2018-10-27 17:21:13 +00:00
reboot Fix "fasthalt" to halt instead of reboot 2018-09-14 18:12:30 +00:00
recoverdisk
resolvconf
restore Re-enable reading byte swapped NFS_MAGIC dumps. 2018-08-11 16:12:23 +00:00
route route(8): correctly return exit status when "-q" flag is used. 2018-10-27 07:59:19 +00:00
routed
rtsol Capsicumize rtsol(8) and rtsold(8). 2019-01-05 16:05:39 +00:00
savecore Disable savecore(8)'s libcasper support when WITHOUT_DYNAMICROOT=yes. 2019-01-04 19:20:19 +00:00
sconfig
setkey
shutdown
spppcontrol
sunlabel
swapon
sysctl sysctl(8): Add a standard exit status section. 2018-09-24 20:46:45 +00:00
tests
tunefs In preparation for adding inode check-hashes, clean up and 2018-11-13 21:40:56 +00:00
umount umount: remove sync(2) call when used with -f 2018-09-13 13:57:42 +00:00
zfsbootcfg
Makefile Rename be(1) to bectl(8); continues to live in /sbin 2018-07-24 13:21:44 +00:00
Makefile.amd64
Makefile.arm
Makefile.i386
Makefile.inc
Makefile.mips
Makefile.powerpc64
Makefile.sparc64