libcasper: fix limitations in dns service

The getaddrinfo(3) and gethostbyname(3) are used to return the address for a given hostname. The getnameinfo(3) and gethostbyaddr(3) are used to return hostname for a given address. Right now in casper, we have two limitations: - NAME which allows resolving DNS names. - ADDR which allows to do revert DNS lookups. Before this change the rights was mixed up: NAME - getnameinfo(3) and gethostbyname(3) ADDR - gethostbyaddr(3) and getaddrinfo(3) Which no matters on limitation allowed us to resolve DNS names and do DNS lookups basically by using a different set of functions. Now the NAME type allows getaddrinfo(3) and gethostbyname (3)functions, and the ADDR names allow to use gethostbyaddr(3) and getnameinfo(3) functions. Reviewed by: pjd, bcr MFC after: 3 weeks Discussed with: hrs Differential Revision: https://reviews.freebsd.org/D16930
2018-11-04 19:38:54 +00:00 · 2018-11-04 19:38:54 +00:00 · 577dff6a8d
commit 577dff6a8d
parent db9a6e4178
3 changed files with 23 additions and 21 deletions
--- a/lib/libcasper/services/cap_dns/cap_dns.3
+++ b/lib/libcasper/services/cap_dns/cap_dns.3
@ -134,19 +134,21 @@ or
 .Dv NAME .
 The
 .Dv ADDR
-means that functions
-.Fn cap_gethostbyname ,
-.Fn cap_gethostbyname2
+means that reverse DNS lookups are allowed with
+.Fn cap_getnameinfo
 and
 .Fn cap_gethostbyaddr
-are allowed.
+functions.
 In case when
 .Va type
 is set to
 .Dv NAME
-the
-.Fn cap_getnameinfo
-function is allowed.
+the name resolution is allowed with
+.Fn cap_getaddrinfo ,
+.Fn cap_gethostbyname ,
+and
+.Fn cap_gethostbyname2
+functions.
 .It family ( NV_TYPE_NUMBER )
 The
 .Va family
--- a/lib/libcasper/services/cap_dns/cap_dns.c
+++ b/lib/libcasper/services/cap_dns/cap_dns.c
@ -524,7 +524,7 @@ dns_getnameinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
 	socklen_t salen;
 	int error, flags;

-	if (!dns_allowed_type(limits, "NAME"))
+	if (!dns_allowed_type(limits, "ADDR"))
 		return (NO_RECOVERY);

 	error = 0;
@ -617,7 +617,7 @@ dns_getaddrinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
 	unsigned int ii;
 	int error, family, n;

-	if (!dns_allowed_type(limits, "ADDR"))
+	if (!dns_allowed_type(limits, "NAME"))
 		return (NO_RECOVERY);

 	hostname = dnvlist_get_string(nvlin, "hostname", NULL);
--- a/lib/libcasper/services/cap_dns/tests/dns_test.c
+++ b/lib/libcasper/services/cap_dns/tests/dns_test.c
@ -393,7 +393,8 @@ main(void)
 	CHECK(cap_dns_family_limit(capdns, families, 2) == 0);

 	CHECK(runtest(capdns) ==
-	    (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6));
+	    (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETHOSTBYNAME2_AF_INET6 |
+	    GETADDRINFO_AF_INET | GETADDRINFO_AF_INET6));

 	cap_close(capdns);

@ -419,9 +420,7 @@ main(void)
 	CHECK(cap_dns_family_limit(capdns, families, 2) == 0);

 	CHECK(runtest(capdns) ==
-	    (GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6 |
-	    GETADDRINFO_AF_INET | GETADDRINFO_AF_INET6));
-
+	    (GETHOSTBYADDR_AF_INET | GETHOSTBYADDR_AF_INET6));
 	cap_close(capdns);

 	/*
@ -512,7 +511,8 @@ main(void)
 	CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
 	    errno == ENOTCAPABLE);

-	CHECK(runtest(capdns) == (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET));
+	CHECK(runtest(capdns) ==
+	    (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET | GETADDRINFO_AF_INET));

 	cap_close(capdns);

@ -548,7 +548,8 @@ main(void)
 	CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
 	    errno == ENOTCAPABLE);

-	CHECK(runtest(capdns) == GETHOSTBYNAME2_AF_INET6);
+	CHECK(runtest(capdns) ==
+	    (GETHOSTBYNAME2_AF_INET6 | GETADDRINFO_AF_INET6));

 	cap_close(capdns);

@ -584,7 +585,7 @@ main(void)
 	CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
 	    errno == ENOTCAPABLE);

-	CHECK(runtest(capdns) == (GETHOSTBYADDR_AF_INET | GETADDRINFO_AF_INET));
+	CHECK(runtest(capdns) == GETHOSTBYADDR_AF_INET);

 	cap_close(capdns);

@ -620,8 +621,7 @@ main(void)
 	CHECK(cap_dns_family_limit(capdns, families, 1) == -1 &&
 	    errno == ENOTCAPABLE);

-	CHECK(runtest(capdns) == (GETHOSTBYADDR_AF_INET6 |
-	    GETADDRINFO_AF_INET6));
+	CHECK(runtest(capdns) == GETHOSTBYADDR_AF_INET6);

 	cap_close(capdns);

@ -657,7 +657,8 @@ main(void)
 	    errno == ENOTCAPABLE);

 	/* Do the limits still hold? */
-	CHECK(runtest(capdns) == (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET));
+	CHECK(runtest(capdns) == (GETHOSTBYNAME | GETHOSTBYNAME2_AF_INET |
+	    GETADDRINFO_AF_INET));

 	cap_close(capdns);

@ -691,8 +692,7 @@ main(void)
 	    errno == ENOTCAPABLE);

 	/* Do the limits still hold? */
-	CHECK(runtest(capdns) == (GETHOSTBYADDR_AF_INET6 |
-	    GETADDRINFO_AF_INET6));
+	CHECK(runtest(capdns) == GETHOSTBYADDR_AF_INET6);

 	cap_close(capdns);