libcasper: Introduce cap_net a network service for Casper.
Reviewed by: emaste, markj (previous version), bcr (man page) Differential Revision: https://reviews.freebsd.org/D24688
This commit is contained in:
parent
9cce1e4cc3
commit
3975e1d04d
@ -5,6 +5,7 @@
|
||||
SUBDIR= cap_dns
|
||||
SUBDIR+= cap_fileargs
|
||||
SUBDIR+= cap_grp
|
||||
SUBDIR+= cap_net
|
||||
SUBDIR+= cap_pwd
|
||||
SUBDIR+= cap_sysctl
|
||||
SUBDIR+= cap_syslog
|
||||
|
@ -27,11 +27,6 @@ SUBDIR.${MK_TESTS}+= tests
|
||||
MAN+= cap_dns.3
|
||||
|
||||
MLINKS+=cap_dns.3 libcap_dns.3
|
||||
MLINKS+=cap_dns.3 cap_gethostbyname.3
|
||||
MLINKS+=cap_dns.3 cap_gethostbyname2.3
|
||||
MLINKS+=cap_dns.3 cap_gethostbyaddr.3
|
||||
MLINKS+=cap_dns.3 cap_getaddrinfo.3
|
||||
MLINKS+=cap_dns.3 cap_getnameinfo.3
|
||||
MLINKS+=cap_dns.3 cap_dns_type_limit.3
|
||||
MLINKS+=cap_dns.3 cap_dns_family_limit.3
|
||||
|
||||
|
@ -24,7 +24,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd May 5, 2020
|
||||
.Dd August 15, 2020
|
||||
.Dt CAP_DNS 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -58,6 +58,9 @@
|
||||
.Fn cap_dns_family_limit "const cap_channel_t *chan" "const int *families" "size_t nfamilies"
|
||||
.Sh DESCRIPTION
|
||||
.Bf -symbolic
|
||||
This service is obsolete and
|
||||
.Xr cap_net 3
|
||||
should be used instead.
|
||||
The
|
||||
.Fn cap_getaddrinfo ,
|
||||
and
|
||||
|
48
lib/libcasper/services/cap_net/Makefile
Normal file
48
lib/libcasper/services/cap_net/Makefile
Normal file
@ -0,0 +1,48 @@
|
||||
# $FreeBSD$
|
||||
|
||||
SHLIBDIR?= /lib/casper
|
||||
|
||||
.include <src.opts.mk>
|
||||
|
||||
PACKAGE=libcasper
|
||||
|
||||
SHLIB_MAJOR= 1
|
||||
INCSDIR?= ${INCLUDEDIR}/casper
|
||||
|
||||
.if ${MK_CASPER} != "no"
|
||||
SHLIB= cap_net
|
||||
|
||||
SRCS= cap_net.c
|
||||
.endif
|
||||
|
||||
INCS= cap_net.h
|
||||
|
||||
LIBADD= nv
|
||||
|
||||
CFLAGS+=-I${.CURDIR}
|
||||
CFLAGS+=-DWITH_CASPER
|
||||
|
||||
HAS_TESTS=
|
||||
SUBDIR.${MK_TESTS}+= tests
|
||||
|
||||
MAN+= cap_net.3
|
||||
|
||||
MLINKS+=cap_net.3 libcap_net.3
|
||||
MLINKS+=cap_net.3 cap_bind.3
|
||||
MLINKS+=cap_net.3 cap_connect.3
|
||||
MLINKS+=cap_net.3 cap_net_free.3
|
||||
MLINKS+=cap_net.3 cap_net_limit.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_addr2name.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_addr2name_family.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_bind.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_connect.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_init.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_name2addr.3
|
||||
MLINKS+=cap_net.3 cap_net_limit_name2addr_family.3
|
||||
MLINKS+=cap_net.3 cap_getaddrinfo.3
|
||||
MLINKS+=cap_net.3 cap_gethostbyaddr.3
|
||||
MLINKS+=cap_net.3 cap_gethostbyname.3
|
||||
MLINKS+=cap_net.3 cap_gethostbyname2.3
|
||||
MLINKS+=cap_net.3 cap_getnameinfo.3
|
||||
|
||||
.include <bsd.lib.mk>
|
287
lib/libcasper/services/cap_net/cap_net.3
Normal file
287
lib/libcasper/services/cap_net/cap_net.3
Normal file
@ -0,0 +1,287 @@
|
||||
.\" Copyright (c) 2020 Mariusz Zaborski <oshogbo@FreeBSD.org>
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd August 15, 2020
|
||||
.Dt CAP_NET 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm cap_bind ,
|
||||
.Nm cap_connect ,
|
||||
.Nm cap_getaddrinfo ,
|
||||
.Nm cap_gethostbyaddr ,
|
||||
.Nm cap_gethostbyname ,
|
||||
.Nm cap_gethostbyname2 ,
|
||||
.Nm cap_getnameinfo ,
|
||||
.Nm cap_net_free ,
|
||||
.Nm cap_net_limit ,
|
||||
.Nm cap_net_limit_addr2name ,
|
||||
.Nm cap_net_limit_addr2name_family ,
|
||||
.Nm cap_net_limit_bind ,
|
||||
.Nm cap_net_limit_connect ,
|
||||
.Nm cap_net_limit_init ,
|
||||
.Nm cap_net_limit_name2addr ,
|
||||
.Nm cap_net_limit_name2addr_family ,
|
||||
.Nd "library for networking in capability mode"
|
||||
.Sh LIBRARY
|
||||
.Lb libcap_net
|
||||
.Sh SYNOPSIS
|
||||
.In sys/nv.h
|
||||
.In libcasper.h
|
||||
.In casper/cap_net.h
|
||||
.Ft int
|
||||
.Fn cap_bind "cap_channel_t *chan" "int s" "const struct sockaddr *addr" "socklen_t addrlen"
|
||||
.Ft int
|
||||
.Fn cap_connect "cap_channel_t *chan" "int s" "const struct sockaddr *name" "socklen_t namelen"
|
||||
.Ft int
|
||||
.Fn cap_getaddrinfo "cap_channel_t *chan" "const char *hostname" "const char *servname" "const struct addrinfo *hints" "struct addrinfo **res"
|
||||
.Ft int
|
||||
.Fn cap_getnameinfo "cap_channel_t *chan" "const struct sockaddr *sa" "socklen_t salen" "char *host" "size_t hostlen" "char *serv" "size_t servlen" "int flags"
|
||||
.Ft "struct hostent *"
|
||||
.Fn cap_gethostbyname "const cap_channel_t *chan" "const char *name"
|
||||
.Ft "struct hostent *"
|
||||
.Fn cap_gethostbyname2 "const cap_channel_t *chan" "const char *name" "int af"
|
||||
.Ft "struct hostent *"
|
||||
.Fn cap_gethostbyaddr "const cap_channel_t *chan" "const void *addr" "socklen_t len" "int af"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_init "cap_channel_t *chan" "uint64_t mode"
|
||||
.Ft int
|
||||
.Fn cap_net_limit "cap_net_limit_t *limit"
|
||||
.Ft void
|
||||
.Fn cap_net_free "cap_net_limit_t *limit"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_addr2name_family "cap_net_limit_t *limit" "int *family" "size_t size"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_addr2name "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_name2addr_family "cap_net_limit_t *limit" "int *family" "size_t size"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_name2addr "cap_net_limit_t *limit" "const char *name" "const char *serv"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_connect "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen"
|
||||
.Ft "cap_net_limit_t *"
|
||||
.Fn cap_net_limit_bind "cap_net_limit_t *limit" "const struct sockaddr *sa" "socklen_t salen"
|
||||
.Sh DESCRIPTION
|
||||
.Pp
|
||||
The functions
|
||||
.Fn cap_bind,
|
||||
.Fn cap_connect,
|
||||
.Fn cap_gethostbyname ,
|
||||
.Fn cap_gethostbyname2 ,
|
||||
.Fn cap_gethostbyaddr
|
||||
and
|
||||
.Fn cap_getnameinfo
|
||||
are respectively equivalent to
|
||||
.Xr bind 2 ,
|
||||
.Xr connect 2 ,
|
||||
.Xr gethostbyname 3 ,
|
||||
.Xr gethostbyname2 3 ,
|
||||
.Xr gethostbyaddr 3
|
||||
and
|
||||
.Xr getnameinfo 3
|
||||
except that the connection to the
|
||||
.Nm system.net
|
||||
service needs to be provided.
|
||||
.Sh LIMITS
|
||||
By default, the cap_net capability provides unrestricted access to the network
|
||||
namespace.
|
||||
Applications typically only require access to a small portion of the network
|
||||
namespace:
|
||||
.Fn cap_net_limit
|
||||
interface can be used to restrict access to the network.
|
||||
.Fn cap_net_limit_init
|
||||
returns an opaque limit handle used to store a list of capabilities.
|
||||
The
|
||||
.Fv mode
|
||||
restricts the functionality of the service.
|
||||
Modes are encoded using the following flags:
|
||||
.Pp
|
||||
.Bd -literal -offset indent -compact
|
||||
CAPNET_ADDR2NAME reverse DNS lookups are allowed with
|
||||
cap_getnameinfo
|
||||
CAPNET_NAME2ADDR name resolution is allowed with
|
||||
cap_getaddrinfo
|
||||
CAPNET_DEPRECATED_ADDR2NAME reverse DNS lookups are allowed with
|
||||
cap_gethostbyaddr
|
||||
CAPNET_DEPRECATED_NAME2ADDR name resolution is allowed with
|
||||
cap_gethostbyname and cap_gethostbyname2
|
||||
CAPNET_BIND bind syscall is allowed
|
||||
CAPNET_CONNECT connect syscall is allowed
|
||||
CAPNET_CONNECTDNS connect syscall is allowed to the values
|
||||
returned from privies call to
|
||||
the cap_getaddrinfo or cap_gethostbyname
|
||||
.Ed
|
||||
.Pp
|
||||
.Fn cap_net_limit_addr2name_family
|
||||
limits the
|
||||
.Fn cap_getnameinfo
|
||||
and
|
||||
.Fn cap_gethostbyaddr
|
||||
to do reverse DNS lookups to specific family (AF_INET, AF_INET6, etc.)
|
||||
.Pp
|
||||
.Fn cap_net_limit_addr2name
|
||||
limits the
|
||||
.Fn cap_getnameinfo
|
||||
and
|
||||
.Fn cap_gethostbyaddr
|
||||
to do reverse DNS lookups only on those specific structures.
|
||||
.Pp
|
||||
.Fn cap_net_limit_name2addr_family
|
||||
limits the
|
||||
.Fn cap_getaddrinfo ,
|
||||
.Fn cap_gethostbyname
|
||||
and
|
||||
.Fn cap_gethostbyname2
|
||||
to do the name resolution on specific family (AF_INET, AF_INET6, etc.)
|
||||
.Pp
|
||||
.Fn cap_net_limit_addr2name
|
||||
restricts
|
||||
.Fn cap_getaddrinfo ,
|
||||
.Fn cap_gethostbyname
|
||||
and
|
||||
.Fn cap_gethostbyname2
|
||||
to a set of domains.
|
||||
.Pp
|
||||
.Fn cap_net_limit_bind
|
||||
limits
|
||||
.Fn cap_bind
|
||||
to bind only on those specific structures.
|
||||
.Pp
|
||||
.Fn cap_net_limit_connect
|
||||
limits
|
||||
.Fn cap_connect
|
||||
to connect only on those specific structures.
|
||||
If the CAPNET_CONNECTDNS is set the limits are extended to the values returned
|
||||
by
|
||||
.Fn cap_getaddrinfo ,
|
||||
.Fn cap_gethostbyname
|
||||
and
|
||||
.Fn cap_gethostbyname2
|
||||
In case of the
|
||||
.Fn cap_getaddrinfo
|
||||
the restriction is strict.
|
||||
In case of the
|
||||
.Fn cap_gethostbyname
|
||||
and
|
||||
.Fn cap_gethostbyname2
|
||||
any port will be accepted in the
|
||||
.Fn cap_connect
|
||||
function.
|
||||
.Pp
|
||||
.Fn cap_net_limit
|
||||
applies a set of sysctl limits to the capability, denying access to sysctl
|
||||
variables not belonging to the set.
|
||||
.Pp
|
||||
Once a set of limits is applied, subsequent calls to
|
||||
.Fn cap_net_limit
|
||||
will fail unless the new set is a subset of the current set.
|
||||
.Pp
|
||||
The
|
||||
.Fn cap_net_limit
|
||||
will consume the limits.
|
||||
If the
|
||||
.Fn cap_net_limit
|
||||
was not called the rights may be freed using
|
||||
.Fn cap_net_free .
|
||||
Multiple calls to
|
||||
.Fn cap_net_limit_addr2name_family ,
|
||||
.Fn cap_net_limit_addr2name ,
|
||||
.Fn cap_net_limit_name2addr_family ,
|
||||
.Fn cap_net_limit_name2addr ,
|
||||
.Fn cap_net_limit_connect ,
|
||||
and
|
||||
.Fn cap_net_limit_bind
|
||||
is supported, each call is extending preview capabilities.
|
||||
.Sh EXAMPLES
|
||||
The following example first opens a capability to casper and then uses this
|
||||
capability to create the
|
||||
.Nm system.net
|
||||
casper service and uses it to resolve a host and connect to it.
|
||||
.Bd -literal
|
||||
cap_channel_t *capcas, *capnet;
|
||||
cap_net_limit_t *limit;
|
||||
int familylimit, error, s;
|
||||
const char *host = "example.com";
|
||||
struct addrinfo hints, *res;
|
||||
|
||||
/* Open capability to Casper. */
|
||||
capcas = cap_init();
|
||||
if (capcas == NULL)
|
||||
err(1, "Unable to contact Casper");
|
||||
|
||||
/* Cache NLA for gai_strerror. */
|
||||
caph_cache_catpages();
|
||||
|
||||
/* Enter capability mode sandbox. */
|
||||
if (caph_enter_casper() < 0)
|
||||
err(1, "Unable to enter capability mode");
|
||||
|
||||
/* Use Casper capability to create capability to the system.net service. */
|
||||
capnet = cap_service_open(capcas, "system.net");
|
||||
if (capnet == NULL)
|
||||
err(1, "Unable to open system.net service");
|
||||
|
||||
/* Close Casper capability. */
|
||||
cap_close(capcas);
|
||||
|
||||
/* Limit system.net to reserve IPv4 addresses, to host example.com . */
|
||||
limit = cap_net_limit_init(capnet, CAPNET_NAME2ADDR | CAPNET_CONNECTDNS);
|
||||
if (limit == NULL)
|
||||
err(1, "Unable to create limits.");
|
||||
cap_net_limit_name2addr(limit, host, "80");
|
||||
familylimit = AF_INET;
|
||||
cap_net_limit_name2addr_family(limit, &familylimit, 1);
|
||||
if (cap_net_limit(limit) < 0)
|
||||
err(1, "Unable to apply limits.");
|
||||
|
||||
/* Find IP addresses for the given host. */
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = AF_INET;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
|
||||
error = cap_getaddrinfo(capnet, host, "80", &hints, &res);
|
||||
if (error != 0)
|
||||
errx(1, "cap_getaddrinfo(): %s: %s", host, gai_strerror(error));
|
||||
|
||||
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
|
||||
if (s < 0)
|
||||
err(1, "Unable to create socket");
|
||||
|
||||
if (cap_connect(capnet, s, res->ai_addr, res->ai_addrlen) < 0)
|
||||
err(1, "Unable to connect to host");
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr bind 2 ,
|
||||
.Xr cap_enter 2 ,
|
||||
.Xr connect 2 ,
|
||||
.Xr caph_enter 3 ,
|
||||
.Xr err 3 ,
|
||||
.Xr gethostbyaddr 3 ,
|
||||
.Xr gethostbyname 3 ,
|
||||
.Xr gethostbyname2 3 ,
|
||||
.Xr getnameinfo 3 ,
|
||||
.Xr capsicum 4 ,
|
||||
.Xr nv 9
|
||||
.Sh AUTHORS
|
||||
.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org
|
1385
lib/libcasper/services/cap_net/cap_net.c
Normal file
1385
lib/libcasper/services/cap_net/cap_net.c
Normal file
File diff suppressed because it is too large
Load Diff
165
lib/libcasper/services/cap_net/cap_net.h
Normal file
165
lib/libcasper/services/cap_net/cap_net.h
Normal file
@ -0,0 +1,165 @@
|
||||
/*-
|
||||
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
|
||||
*
|
||||
* Copyright (c) 2020 Mariusz Zaborski <oshogbo@FreeBSD.org>
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef _CAP_NETWORK_H_
|
||||
#define _CAP_NETWORK_H_
|
||||
|
||||
#ifdef HAVE_CASPER
|
||||
#define WITH_CASPER
|
||||
#endif
|
||||
|
||||
#include <sys/dnv.h>
|
||||
#include <sys/nv.h>
|
||||
|
||||
#include <sys/socket.h>
|
||||
|
||||
struct addrinfo;
|
||||
struct hostent;
|
||||
|
||||
struct cap_net_limit;
|
||||
typedef struct cap_net_limit cap_net_limit_t;
|
||||
|
||||
#define CAPNET_ADDR2NAME (0x01)
|
||||
#define CAPNET_NAME2ADDR (0x02)
|
||||
#define CAPNET_DEPRECATED_ADDR2NAME (0x04)
|
||||
#define CAPNET_DEPRECATED_NAME2ADDR (0x08)
|
||||
#define CAPNET_CONNECT (0x10)
|
||||
#define CAPNET_BIND (0x20)
|
||||
#define CAPNET_CONNECTDNS (0x40)
|
||||
|
||||
#ifdef WITH_CASPER
|
||||
/* Capability functions. */
|
||||
int cap_bind(cap_channel_t *chan, int s, const struct sockaddr *addr,
|
||||
socklen_t addrlen);
|
||||
int cap_connect(cap_channel_t *chan, int s, const struct sockaddr *name,
|
||||
socklen_t namelen);
|
||||
|
||||
int cap_getaddrinfo(cap_channel_t *chan, const char *hostname,
|
||||
const char *servname, const struct addrinfo *hints, struct addrinfo **res);
|
||||
int cap_getnameinfo(cap_channel_t *chan, const struct sockaddr *sa,
|
||||
socklen_t salen, char *host, size_t hostlen, char *serv, size_t servlen,
|
||||
int flags);
|
||||
|
||||
/* Limit functions. */
|
||||
cap_net_limit_t *cap_net_limit_init(cap_channel_t *chan, uint64_t mode);
|
||||
int cap_net_limit(cap_net_limit_t *limit);
|
||||
void cap_net_free(cap_net_limit_t *limit);
|
||||
|
||||
cap_net_limit_t *cap_net_limit_addr2name_family(cap_net_limit_t *limit,
|
||||
int *family, size_t size);
|
||||
cap_net_limit_t *cap_net_limit_addr2name(cap_net_limit_t *limit,
|
||||
const struct sockaddr *sa, socklen_t salen);
|
||||
|
||||
cap_net_limit_t *cap_net_limit_name2addr_family(cap_net_limit_t *limit,
|
||||
int *family, size_t size);
|
||||
cap_net_limit_t *cap_net_limit_name2addr(cap_net_limit_t *limit,
|
||||
const char *name, const char *serv);
|
||||
|
||||
cap_net_limit_t *cap_net_limit_connect(cap_net_limit_t *limit,
|
||||
const struct sockaddr *sa, socklen_t salen);
|
||||
|
||||
cap_net_limit_t *cap_net_limit_bind(cap_net_limit_t *limit,
|
||||
const struct sockaddr *sa, socklen_t salen);
|
||||
|
||||
/* Deprecated functions. */
|
||||
struct hostent *cap_gethostbyname(cap_channel_t *chan, const char *name);
|
||||
struct hostent *cap_gethostbyname2(cap_channel_t *chan, const char *name,
|
||||
int af);
|
||||
struct hostent *cap_gethostbyaddr(cap_channel_t *chan, const void *addr,
|
||||
socklen_t len, int af);
|
||||
#else
|
||||
/* Capability functions. */
|
||||
#define cap_bind(chan, s, addr, addrlen) \
|
||||
bind(s, addr, addrlen)
|
||||
#define cap_connect(chan, s, name, namelen) \
|
||||
connect(s, name, namelen)
|
||||
#define cap_getaddrinfo(chan, hostname, servname, hints, res) \
|
||||
getaddrinfo(hostname, servname, hints, res)
|
||||
#define cap_getnameinfo(chan, sa, salen, host, hostlen, serv, servlen, flags) \
|
||||
getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
|
||||
|
||||
/* Limit functions. */
|
||||
#define cap_net_limit_init(chan, mode) ((cap_net_limit_t *)malloc(8))
|
||||
#define cap_net_free(limit) free(limit)
|
||||
static inline int
|
||||
cap_net_limit(cap_net_limit_t *limit)
|
||||
{
|
||||
free(limit);
|
||||
return (0);
|
||||
}
|
||||
|
||||
static inline cap_net_limit_t *
|
||||
cap_net_limit_addr2name_family(cap_net_limit_t *limit,
|
||||
int *family __unused, size_t size __unused)
|
||||
{
|
||||
return (limit);
|
||||
}
|
||||
|
||||
static inline cap_net_limit_t *
|
||||
cap_net_limit_addr2name(cap_net_limit_t *limit,
|
||||
const struct sockaddr *sa __unused, socklen_t salen __unused)
|
||||
{
|
||||
return (limit);
|
||||
}
|
||||
|
||||
static inline cap_net_limit_t *
|
||||
cap_net_limit_name2addr_family(cap_net_limit_t *limit,
|
||||
int *family __unused, size_t size __unused)
|
||||
{
|
||||
return (limit);
|
||||
}
|
||||
|
||||
static inline cap_net_limit_t *
|
||||
cap_net_limit_name2addr(cap_net_limit_t *limit,
|
||||
const char *name __unused, const char *serv __unused)
|
||||
{
|
||||
return (limit);
|
||||
}
|
||||
|
||||
static inline cap_net_limit_t *
|
||||
cap_net_limit_connect(cap_net_limit_t *limit,
|
||||
const struct sockaddr *sa __unused, socklen_t salen __unused)
|
||||
{
|
||||
return (limit);
|
||||
}
|
||||
|
||||
static inline cap_net_limit_t *
|
||||
cap_net_limit_bind(cap_net_limit_t *limit,
|
||||
const struct sockaddr *sa __unused, socklen_t salen __unused)
|
||||
{
|
||||
return (limit);
|
||||
}
|
||||
|
||||
/* Deprecated functions. */
|
||||
#define cap_gethostbyname(chan, name) gethostbyname(name)
|
||||
#define cap_gethostbyname2(chan, name, type) gethostbyname2(name, type)
|
||||
#define cap_gethostbyaddr(chan, addr, len, type) gethostbyaddr(addr, len, type)
|
||||
#endif
|
||||
|
||||
#endif /* !_CAP_NETWORK_H_ */
|
16
lib/libcasper/services/cap_net/tests/Makefile
Normal file
16
lib/libcasper/services/cap_net/tests/Makefile
Normal file
@ -0,0 +1,16 @@
|
||||
# $FreeBSD$
|
||||
|
||||
.include <src.opts.mk>
|
||||
|
||||
ATF_TESTS_C= net_test
|
||||
|
||||
.if ${MK_CASPER} != "no"
|
||||
LIBADD+= casper
|
||||
LIBADD+= cap_net
|
||||
CFLAGS+=-DWITH_CASPER
|
||||
.endif
|
||||
LIBADD+= nv
|
||||
|
||||
WARNS?= 3
|
||||
|
||||
.include <bsd.test.mk>
|
1160
lib/libcasper/services/cap_net/tests/net_test.c
Normal file
1160
lib/libcasper/services/cap_net/tests/net_test.c
Normal file
File diff suppressed because it is too large
Load Diff
@ -89,6 +89,7 @@ _LIBRARIES= \
|
||||
cap_dns \
|
||||
cap_fileargs \
|
||||
cap_grp \
|
||||
cap_net \
|
||||
cap_pwd \
|
||||
cap_sysctl \
|
||||
cap_syslog \
|
||||
@ -637,6 +638,7 @@ LIBBSNMPDIR= ${OBJTOP}/lib/libbsnmp/libbsnmp
|
||||
LIBCASPERDIR= ${OBJTOP}/lib/libcasper/libcasper
|
||||
LIBCAP_DNSDIR= ${OBJTOP}/lib/libcasper/services/cap_dns
|
||||
LIBCAP_GRPDIR= ${OBJTOP}/lib/libcasper/services/cap_grp
|
||||
LIBCAP_NETDIR= ${OBJTOP}/lib/libcasper/services/cap_net
|
||||
LIBCAP_PWDDIR= ${OBJTOP}/lib/libcasper/services/cap_pwd
|
||||
LIBCAP_SYSCTLDIR= ${OBJTOP}/lib/libcasper/services/cap_sysctl
|
||||
LIBCAP_SYSLOGDIR= ${OBJTOP}/lib/libcasper/services/cap_syslog
|
||||
|
Loading…
x
Reference in New Issue
Block a user