dma-mbox-create: Restrict with Capsicum

The restriction here is pretty late and pretty minimal. We need a lot of authority to open password databases, and don't do much after that point. Feedback from: lifanov at mail.lifanov.com (earlier version), emaste (earlier version) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D7988
2016-12-16 01:48:55 +00:00 · 2016-12-16 01:48:55 +00:00 · 648117d061
commit 648117d061
parent 62bff6daf6
1 changed files with 38 additions and 1 deletions
--- a/contrib/dma/dma-mbox-create.c
+++ b/contrib/dma/dma-mbox-create.c
@ -38,9 +38,18 @@
 * user-supplied information.  Keep the root window as small as possible.
 */

+#ifdef __FreeBSD__
+#define	USE_CAPSICUM	1
+#endif
+
 #include <sys/param.h>
+#if USE_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/stat.h>

+#include <capsicum_helpers.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@ -84,6 +93,9 @@ logfail(int exitcode, const char *fmt, ...)
 int
 main(int argc, char **argv)
 {
+#if USE_CAPSICUM
+	cap_rights_t rights;
+#endif
 	const char *user;
 	struct passwd *pw;
 	struct group *gr;
@ -91,7 +103,10 @@ main(int argc, char **argv)
 	gid_t mail_gid;
 	int f, maildirfd;

-	openlog("dma-mbox-create", 0, LOG_MAIL);
+	/*
+	 * Open log fd now for capability sandbox.
+	 */
+	openlog("dma-mbox-create", LOG_NDELAY, LOG_MAIL);

 	errno = 0;
 	gr = getgrnam(DMA_GROUP);
@ -133,6 +148,28 @@ main(int argc, char **argv)
 	if (maildirfd < 0)
 		logfail(EX_NOINPUT, "cannot open maildir %s", _PATH_MAILDIR);

+	/*
+	 * Cache NLS data, for strerror, for err(3), before entering capability
+	 * mode.
+	 */
+	caph_cache_catpages();
+
+	/*
+	 * Cache local time before entering Capsicum capability sandbox.
+	 */
+	caph_cache_tzdata();
+
+#if USE_CAPSICUM
+	cap_rights_init(&rights, CAP_CREATE, CAP_FCHMOD, CAP_FCHOWN,
+	    CAP_LOOKUP, CAP_READ);
+	if (cap_rights_limit(maildirfd, &rights) < 0 && errno != ENOSYS)
+		err(EX_OSERR, "can't limit maildirfd rights");
+
+	/* Enter Capsicum capability sandbox */
+	if (cap_enter() < 0 && errno != ENOSYS)
+		err(EX_OSERR, "cap_enter");
+#endif
+
 	user_uid = pw->pw_uid;

 	f = openat(maildirfd, user, O_RDONLY|O_CREAT|O_NOFOLLOW, 0600);