Fix handling of rights on stdio streams, take two.

Split the rights-limiting code into two cases: if one of the input
files isn't a regular file, use caph_limit_stream(3) instead of
open-coding the same logic; if both input files are regular files,
and the initial attempts to map them succeed, we limit the rights on
those files to CAP_MMAP_R.

Add a regression test for PR 234885.

PR:		234885
Reviewed by:	delphij
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19216

usr.bin/cmp/cmp.c

@@ -45,7 +45,6 @@ static char sccsid[] = "@(#)cmp.c	8.3 (Berkeley) 4/2/94";
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
-#include <sys/capsicum.h>
 #include <sys/stat.h>
 
 #include <capsicum_helpers.h>
@@ -80,8 +79,6 @@ main(int argc, char *argv[])
 	off_t skip1, skip2;
 	int ch, fd1, fd2, oflag, special;
 	const char *file1, *file2;
-	cap_rights_t rights;
-	uint32_t fcntls;
 
 	oflag = O_RDONLY;
 	while ((ch = getopt_long(argc, argv, "+hlsxz", long_opts, NULL)) != -1)
@@ -116,14 +113,19 @@ main(int argc, char *argv[])
 	if (argc < 2 || argc > 4)
 		usage();
 
+	/* Don't limit rights on stdin since it may be one of the inputs. */
+	if (caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | CAPH_IGNORE_EBADF))
+		err(ERR_EXIT, "unable to limit rights on stdout");
+	if (caph_limit_stream(STDERR_FILENO, CAPH_WRITE | CAPH_IGNORE_EBADF))
+		err(ERR_EXIT, "unable to limit rights on stderr");
+
 	/* Backward compatibility -- handle "-" meaning stdin. */
 	special = 0;
 	if (strcmp(file1 = argv[0], "-") == 0) {
 		special = 1;
-		fd1 = 0;
+		fd1 = STDIN_FILENO;
 		file1 = "stdin";
-	}
+	} else if ((fd1 = open(file1, oflag, 0)) < 0 && errno != EMLINK) {
-	else if ((fd1 = open(file1, oflag, 0)) < 0 && errno != EMLINK) {
 		if (!sflag)
 			err(ERR_EXIT, "%s", file1);
 		else
@@ -134,10 +136,9 @@ main(int argc, char *argv[])
 			errx(ERR_EXIT,
 				"standard input may only be specified once");
 		special = 1;
-		fd2 = 0;
+		fd2 = STDIN_FILENO;
 		file2 = "stdin";
-	}
+	} else if ((fd2 = open(file2, oflag, 0)) < 0 && errno != EMLINK) {
-	else if ((fd2 = open(file2, oflag, 0)) < 0 && errno != EMLINK) {
 		if (!sflag)
 			err(ERR_EXIT, "%s", file2);
 		else
@@ -162,34 +163,9 @@ main(int argc, char *argv[])
 			exit(ERR_EXIT);
 	}
 
-	cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_MMAP_R);
+	/* FD rights are limited in c_special() and c_regular(). */
-	if (caph_rights_limit(fd1, &rights) < 0)
-		err(ERR_EXIT, "unable to limit rights for %s", file1);
-	if (caph_rights_limit(fd2, &rights) < 0)
-		err(ERR_EXIT, "unable to limit rights for %s", file2);
-
-	/* Required for fdopen(3). */
-	fcntls = CAP_FCNTL_GETFL;
-	if (caph_fcntls_limit(fd1, fcntls) < 0)
-		err(ERR_EXIT, "unable to limit fcntls for %s", file1);
-	if (caph_fcntls_limit(fd2, fcntls) < 0)
-		err(ERR_EXIT, "unable to limit fcntls for %s", file2);
-
-	if (!special) {
-		cap_rights_init(&rights);
-		if (caph_rights_limit(STDIN_FILENO, &rights) < 0) {
-			err(ERR_EXIT, "unable to limit stdio");
-		}
-	}
-
-	if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1)
-		err(ERR_EXIT, "unable to limit stdio");
-
 	caph_cache_catpages();
 
-	if (caph_enter() < 0)
-		err(ERR_EXIT, "unable to enter capability mode");
-
 	if (!special) {
 		if (fstat(fd1, &sb1)) {
 			if (!sflag)

usr.bin/cmp/regular.c

@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mman.h>
 #include <sys/stat.h>
 
+#include <capsicum_helpers.h>
 #include <err.h>
 #include <limits.h>
 #include <signal.h>
@@ -61,12 +62,13 @@ void
 c_regular(int fd1, const char *file1, off_t skip1, off_t len1,
     int fd2, const char *file2, off_t skip2, off_t len2)
 {
+	struct sigaction act, oact;
+	cap_rights_t rights;
 	u_char ch, *p1, *p2, *m1, *m2, *e1, *e2;
 	off_t byte, length, line;
-	int dfound;
 	off_t pagemask, off1, off2;
 	size_t pagesize;
-	struct sigaction act, oact;
+	int dfound;
 
 	if (skip1 > len1)
 		eofmsg(file1);
@@ -78,12 +80,6 @@ c_regular(int fd1, const char *file1, off_t skip1, off_t len1,
 	if (sflag && len1 != len2)
 		exit(DIFF_EXIT);
 
-	sigemptyset(&act.sa_mask);
-	act.sa_flags = SA_NODEFER;
-	act.sa_handler = segv_handler;
-	if (sigaction(SIGSEGV, &act, &oact))
-		err(ERR_EXIT, "sigaction()");
-
 	pagesize = getpagesize();
 	pagemask = (off_t)pagesize - 1;
 	off1 = ROUNDPAGE(skip1);
@@ -102,6 +98,19 @@ c_regular(int fd1, const char *file1, off_t skip1, off_t len1,
 		return;
 	}
 
+	if (caph_rights_limit(fd1, cap_rights_init(&rights, CAP_MMAP_R)) < 0)
+		err(1, "unable to limit rights for %s", file1);
+	if (caph_rights_limit(fd2, cap_rights_init(&rights, CAP_MMAP_R)) < 0)
+		err(1, "unable to limit rights for %s", file2);
+	if (caph_enter() < 0)
+		err(ERR_EXIT, "unable to enter capability mode");
+
+	sigemptyset(&act.sa_mask);
+	act.sa_flags = SA_NODEFER;
+	act.sa_handler = segv_handler;
+	if (sigaction(SIGSEGV, &act, &oact))
+		err(ERR_EXIT, "sigaction()");
+
 	dfound = 0;
 	e1 = m1 + MMAP_CHUNK;
 	e2 = m2 + MMAP_CHUNK;

usr.bin/cmp/special.c

@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 
+#include <capsicum_helpers.h>
 #include <err.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -55,6 +56,13 @@ c_special(int fd1, const char *file1, off_t skip1,
 	FILE *fp1, *fp2;
 	int dfound;
 
+	if (caph_limit_stream(fd1, CAPH_READ) < 0)
+		err(ERR_EXIT, "caph_limit_stream(%s)", file1);
+	if (caph_limit_stream(fd2, CAPH_READ) < 0)
+		err(ERR_EXIT, "caph_limit_stream(%s)", file2);
+	if (caph_enter() < 0)
+		err(ERR_EXIT, "unable to enter capability mode");
+
 	if ((fp1 = fdopen(fd1, "r")) == NULL)
 		err(ERR_EXIT, "%s", file1);
 	if ((fp2 = fdopen(fd2, "r")) == NULL)

usr.bin/cmp/tests/cmp_test2.sh

@@ -35,6 +35,8 @@ special_body() {
 	atf_check -s exit:0 -o empty -e empty -x "cat a | cmp - a"
 	atf_check -s exit:1 -o not-empty -e empty -x "cat b | cmp a -"
 	atf_check -s exit:1 -o not-empty -e empty -x "cat b | cmp - a"
+
+	atf_check -s exit:0 -o empty -e empty -x "cmp a a <&-"
 }
 
 atf_test_case symlink