Capsicumize nm(1).

Reviewed by: emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D21107
2019-09-30 17:27:59 +00:00 · 2019-09-30 17:27:59 +00:00 · 052ad61b7e
commit 052ad61b7e
parent 8d3d724796
2 changed files with 46 additions and 1 deletions
--- a/contrib/elftoolchain/nm/nm.c
+++ b/contrib/elftoolchain/nm/nm.c
@ -29,6 +29,7 @@
 #include <sys/stat.h>
 #include <ar.h>
 #include <assert.h>
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <dwarf.h>
 #include <err.h>
@ -46,6 +47,9 @@
 #include <strings.h>
 #include <unistd.h>

+#include <libcasper.h>
+#include <casper/cap_fileargs.h>
+
 #include "_elftc.h"

 ELFTC_VCSID("$Id: nm.c 3504 2016-12-17 15:33:16Z kaiwang27 $");
@ -165,6 +169,8 @@ struct nm_prog_options {

 	fn_sym_print		value_print_fn;
 	fn_sym_print		size_print_fn;
+
+	fileargs_t		*fileargs;
 };

 #define	CHECK_SYM_PRINT_DATA(p)	(p->headp == NULL || p->sh_num == 0 ||	      \
@ -177,6 +183,7 @@ static int		cmp_name(const void *, const void *);
 static int		cmp_none(const void *, const void *);
 static int		cmp_size(const void *, const void *);
 static int		cmp_value(const void *, const void *);
+static void		enter_cap_mode(int, char **);
 static void		filter_dest(void);
 static int		filter_insert(fn_filter);
 static void		get_opt(int *, char ***);
@ -392,6 +399,36 @@ cmp_value(const void *lp, const void *rp)
 	return (l->sym->st_value - r->sym->st_value);
 }

+static void
+enter_cap_mode(int argc, char **argv)
+{
+	cap_rights_t rights;
+	fileargs_t *fa;
+	char *defaultfn;
+
+	cap_rights_init(&rights, CAP_FSTAT, CAP_MMAP_R);
+
+	if (argc == 0) {
+		defaultfn = strdup(nm_info.def_filename);
+		if (defaultfn == NULL)
+			err(EXIT_FAILURE, "strdup");
+		argc = 1;
+		argv = &defaultfn;
+	}
+
+	fa = fileargs_init(argc, argv, O_RDONLY, 0, &rights, FA_OPEN);
+	if (fa == NULL)
+		err(EXIT_FAILURE, "failed to initialize fileargs");
+
+	caph_cache_catpages();
+	if (caph_limit_stdio() < 0)
+		err(EXIT_FAILURE, "failed to limit stdio rights");
+	if (caph_enter_casper() < 0)
+		err(EXIT_FAILURE, "failed to enter capability mode");
+
+	nm_opts.fileargs = fa;
+}
+
 static void
 filter_dest(void)
 {
@ -766,6 +803,7 @@ global_init(void)
 	nm_opts.elem_print_fn = &sym_elem_print_all;
 	nm_opts.value_print_fn = &sym_value_dec_print;
 	nm_opts.size_print_fn = &sym_size_dec_print;
+	nm_opts.fileargs = NULL;
 	SLIST_INIT(&nm_out_filter);
 }

@ -1469,7 +1507,7 @@ read_object(const char *filename)

 	assert(filename != NULL && "filename is null");

-	if ((fd = open(filename, O_RDONLY)) == -1) {
+	if ((fd = fileargs_open(nm_opts.fileargs, filename)) == -1) {
 		warn("'%s'", filename);
 		return (1);
 	}
@ -2118,6 +2156,7 @@ main(int argc, char **argv)

 	global_init();
 	get_opt(&argc, &argv);
+	enter_cap_mode(argc, argv);
 	rtn = read_files(argc, argv);
 	global_dest();

--- a/usr.bin/nm/Makefile
+++ b/usr.bin/nm/Makefile
@ -11,6 +11,12 @@ PROG=	nm

 LIBADD=	dwarf elftc elf

+.if ${MK_CASPER} != "no" && !defined(BOOTSTRAPPING) && !defined(NXB_TARGET)
+LIBADD+=	casper
+LIBADD+=	cap_fileargs
+CFLAGS+=	-DWITH_CASPER
+.endif
+
 CFLAGS+=-I${ELFTCDIR}/libelftc -I${ELFTCDIR}/common

 .include <bsd.prog.mk>