libcasper: ange the name of limits in cap_dns so the intentions are obvious.
Reported by: pjd MFC after: 3 weeks
This commit is contained in:
parent
970bdbf5d7
commit
752d135e0d
@ -38,6 +38,9 @@
|
||||
# xargs -n1 | sort | uniq -d;
|
||||
# done
|
||||
|
||||
# 20181112: Cleanup old libcap_dns.
|
||||
OLD_LIBS+=lib/casper/libcap_dns.so.1
|
||||
OLD_LIBS+=usr/lib32/libcap_dns.so.1
|
||||
# 20181030: malloc_domain(9) KPI change
|
||||
OLD_FILES+=share/man/man9/malloc_domain.9.gz
|
||||
# 20181026: joy(4) removal
|
||||
|
@ -741,7 +741,7 @@ capdns_setup(void)
|
||||
if (capdnsloc == NULL)
|
||||
error("unable to open system.dns service");
|
||||
/* Limit system.dns to reverse DNS lookups. */
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
if (cap_dns_type_limit(capdnsloc, types, 1) < 0)
|
||||
error("unable to limit access to system.dns service");
|
||||
families[0] = AF_INET;
|
||||
|
@ -523,7 +523,7 @@ main(int argc, char **argv)
|
||||
int sump = 0;
|
||||
int sockerrno;
|
||||
#ifdef WITH_CASPER
|
||||
const char *types[] = { "NAME", "ADDR" };
|
||||
const char *types[] = { "NAME2ADDR", "ADDR2NAME" };
|
||||
int families[1];
|
||||
cap_channel_t *casper;
|
||||
#endif
|
||||
|
@ -6,7 +6,7 @@ SHLIBDIR?= /lib/casper
|
||||
|
||||
PACKAGE=libcasper
|
||||
|
||||
SHLIB_MAJOR= 1
|
||||
SHLIB_MAJOR= 2
|
||||
INCSDIR?= ${INCLUDEDIR}/casper
|
||||
|
||||
.if ${MK_CASPER} != "no"
|
||||
|
@ -24,7 +24,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 4, 2018
|
||||
.Dd November 12, 2018
|
||||
.Dt CAP_DNS 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -92,9 +92,9 @@ function limits the functions allowed in the service.
|
||||
The
|
||||
.Fa types
|
||||
variable can be set to
|
||||
.Dv ADDR
|
||||
.Dv ADDR2NAME
|
||||
or
|
||||
.Dv NAME .
|
||||
.Dv NAME2ADDR .
|
||||
See the
|
||||
.Sx LIMITS
|
||||
section for more details.
|
||||
@ -129,9 +129,9 @@ for that function can contain the following values and types:
|
||||
The
|
||||
.Va type
|
||||
can have two values:
|
||||
.Dv ADDR
|
||||
.Dv ADDR2NAME
|
||||
or
|
||||
.Dv NAME .
|
||||
.Dv NAME2ADDR .
|
||||
The
|
||||
.Dv ADDR
|
||||
means that reverse DNS lookups are allowed with
|
||||
|
@ -474,7 +474,7 @@ dns_gethostbyname(const nvlist_t *limits, const nvlist_t *nvlin,
|
||||
struct hostent *hp;
|
||||
int family;
|
||||
|
||||
if (!dns_allowed_type(limits, "NAME"))
|
||||
if (!dns_allowed_type(limits, "NAME2ADDR"))
|
||||
return (NO_RECOVERY);
|
||||
|
||||
family = (int)nvlist_get_number(nvlin, "family");
|
||||
@ -498,7 +498,7 @@ dns_gethostbyaddr(const nvlist_t *limits, const nvlist_t *nvlin,
|
||||
size_t addrsize;
|
||||
int family;
|
||||
|
||||
if (!dns_allowed_type(limits, "ADDR"))
|
||||
if (!dns_allowed_type(limits, "ADDR2NAME"))
|
||||
return (NO_RECOVERY);
|
||||
|
||||
family = (int)nvlist_get_number(nvlin, "family");
|
||||
@ -524,7 +524,7 @@ dns_getnameinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
|
||||
socklen_t salen;
|
||||
int error, flags;
|
||||
|
||||
if (!dns_allowed_type(limits, "ADDR"))
|
||||
if (!dns_allowed_type(limits, "ADDR2NAME"))
|
||||
return (NO_RECOVERY);
|
||||
|
||||
error = 0;
|
||||
@ -617,7 +617,7 @@ dns_getaddrinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
|
||||
unsigned int ii;
|
||||
int error, family, n;
|
||||
|
||||
if (!dns_allowed_type(limits, "NAME"))
|
||||
if (!dns_allowed_type(limits, "NAME2ADDR"))
|
||||
return (NO_RECOVERY);
|
||||
|
||||
hostname = dnvlist_get_string(nvlin, "hostname", NULL);
|
||||
@ -702,8 +702,8 @@ dns_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits)
|
||||
if (strncmp(name, "type", sizeof("type") - 1) != 0)
|
||||
return (EINVAL);
|
||||
type = nvlist_get_string(newlimits, name);
|
||||
if (strcmp(type, "ADDR") != 0 &&
|
||||
strcmp(type, "NAME") != 0) {
|
||||
if (strcmp(type, "ADDR2NAME") != 0 &&
|
||||
strcmp(type, "NAME2ADDR") != 0) {
|
||||
return (EINVAL);
|
||||
}
|
||||
if (!dns_allowed_type(oldlimits, type))
|
||||
|
@ -357,8 +357,8 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET;
|
||||
families[1] = AF_INET6;
|
||||
@ -380,12 +380,12 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
types[1] = "ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
@ -407,12 +407,12 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
types[1] = "NAME";
|
||||
types[1] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
@ -432,8 +432,8 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
|
||||
@ -459,8 +459,8 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET6;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
|
||||
@ -488,18 +488,18 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET;
|
||||
families[1] = AF_INET6;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
types[1] = "ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
@ -525,18 +525,18 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET;
|
||||
families[1] = AF_INET6;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
types[1] = "ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET6;
|
||||
@ -562,18 +562,18 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET;
|
||||
families[1] = AF_INET6;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
types[1] = "NAME";
|
||||
types[1] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
@ -598,18 +598,18 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
|
||||
families[0] = AF_INET;
|
||||
families[1] = AF_INET6;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
types[1] = "NAME";
|
||||
types[1] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET6;
|
||||
@ -630,13 +630,13 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
families[0] = AF_INET;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
@ -644,7 +644,7 @@ main(void)
|
||||
CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET6;
|
||||
@ -665,13 +665,13 @@ main(void)
|
||||
capdns = cap_clone(origcapdns);
|
||||
CHECK(capdns != NULL);
|
||||
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
|
||||
families[0] = AF_INET6;
|
||||
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
@ -679,7 +679,7 @@ main(void)
|
||||
CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
|
||||
types[0] = "NAME";
|
||||
types[0] = "NAME2ADDR";
|
||||
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
|
||||
errno == ENOTCAPABLE);
|
||||
families[0] = AF_INET;
|
||||
|
@ -612,7 +612,7 @@ main(int argc, char *const *argv)
|
||||
if (capdns != NULL) {
|
||||
const char *types[1];
|
||||
|
||||
types[0] = "ADDR";
|
||||
types[0] = "ADDR2NAME";
|
||||
if (cap_dns_type_limit(capdns, types, 1) < 0)
|
||||
err(1, "unable to limit access to system.dns service");
|
||||
}
|
||||
@ -1781,8 +1781,8 @@ capdns_setup(void)
|
||||
cap_close(capcas);
|
||||
if (capdnsloc == NULL)
|
||||
err(1, "unable to open system.dns service");
|
||||
types[0] = "NAME";
|
||||
types[1] = "ADDR";
|
||||
types[0] = "NAME2ADDR";
|
||||
types[1] = "ADDR2NAME";
|
||||
if (cap_dns_type_limit(capdnsloc, types, 2) < 0)
|
||||
err(1, "unable to limit access to system.dns service");
|
||||
families[0] = AF_INET;
|
||||
|
Loading…
Reference in New Issue
Block a user