libcasper: ange the name of limits in cap_dns so the intentions are obvious.

Reported by:	pjd
MFC after:	3 weeks
This commit is contained in:
Mariusz Zaborski 2018-11-12 15:52:45 +00:00
parent 970bdbf5d7
commit 752d135e0d
8 changed files with 60 additions and 57 deletions

View File

@ -38,6 +38,9 @@
# xargs -n1 | sort | uniq -d;
# done
# 20181112: Cleanup old libcap_dns.
OLD_LIBS+=lib/casper/libcap_dns.so.1
OLD_LIBS+=usr/lib32/libcap_dns.so.1
# 20181030: malloc_domain(9) KPI change
OLD_FILES+=share/man/man9/malloc_domain.9.gz
# 20181026: joy(4) removal

View File

@ -741,7 +741,7 @@ capdns_setup(void)
if (capdnsloc == NULL)
error("unable to open system.dns service");
/* Limit system.dns to reverse DNS lookups. */
types[0] = "ADDR";
types[0] = "ADDR2NAME";
if (cap_dns_type_limit(capdnsloc, types, 1) < 0)
error("unable to limit access to system.dns service");
families[0] = AF_INET;

View File

@ -523,7 +523,7 @@ main(int argc, char **argv)
int sump = 0;
int sockerrno;
#ifdef WITH_CASPER
const char *types[] = { "NAME", "ADDR" };
const char *types[] = { "NAME2ADDR", "ADDR2NAME" };
int families[1];
cap_channel_t *casper;
#endif

View File

@ -6,7 +6,7 @@ SHLIBDIR?= /lib/casper
PACKAGE=libcasper
SHLIB_MAJOR= 1
SHLIB_MAJOR= 2
INCSDIR?= ${INCLUDEDIR}/casper
.if ${MK_CASPER} != "no"

View File

@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd November 4, 2018
.Dd November 12, 2018
.Dt CAP_DNS 3
.Os
.Sh NAME
@ -92,9 +92,9 @@ function limits the functions allowed in the service.
The
.Fa types
variable can be set to
.Dv ADDR
.Dv ADDR2NAME
or
.Dv NAME .
.Dv NAME2ADDR .
See the
.Sx LIMITS
section for more details.
@ -129,9 +129,9 @@ for that function can contain the following values and types:
The
.Va type
can have two values:
.Dv ADDR
.Dv ADDR2NAME
or
.Dv NAME .
.Dv NAME2ADDR .
The
.Dv ADDR
means that reverse DNS lookups are allowed with

View File

@ -474,7 +474,7 @@ dns_gethostbyname(const nvlist_t *limits, const nvlist_t *nvlin,
struct hostent *hp;
int family;
if (!dns_allowed_type(limits, "NAME"))
if (!dns_allowed_type(limits, "NAME2ADDR"))
return (NO_RECOVERY);
family = (int)nvlist_get_number(nvlin, "family");
@ -498,7 +498,7 @@ dns_gethostbyaddr(const nvlist_t *limits, const nvlist_t *nvlin,
size_t addrsize;
int family;
if (!dns_allowed_type(limits, "ADDR"))
if (!dns_allowed_type(limits, "ADDR2NAME"))
return (NO_RECOVERY);
family = (int)nvlist_get_number(nvlin, "family");
@ -524,7 +524,7 @@ dns_getnameinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
socklen_t salen;
int error, flags;
if (!dns_allowed_type(limits, "ADDR"))
if (!dns_allowed_type(limits, "ADDR2NAME"))
return (NO_RECOVERY);
error = 0;
@ -617,7 +617,7 @@ dns_getaddrinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
unsigned int ii;
int error, family, n;
if (!dns_allowed_type(limits, "NAME"))
if (!dns_allowed_type(limits, "NAME2ADDR"))
return (NO_RECOVERY);
hostname = dnvlist_get_string(nvlin, "hostname", NULL);
@ -702,8 +702,8 @@ dns_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits)
if (strncmp(name, "type", sizeof("type") - 1) != 0)
return (EINVAL);
type = nvlist_get_string(newlimits, name);
if (strcmp(type, "ADDR") != 0 &&
strcmp(type, "NAME") != 0) {
if (strcmp(type, "ADDR2NAME") != 0 &&
strcmp(type, "NAME2ADDR") != 0) {
return (EINVAL);
}
if (!dns_allowed_type(oldlimits, type))

View File

@ -357,8 +357,8 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET;
families[1] = AF_INET6;
@ -380,12 +380,12 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
types[1] = "ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;
@ -407,12 +407,12 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
types[1] = "NAME";
types[1] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;
@ -432,8 +432,8 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET;
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
@ -459,8 +459,8 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET6;
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
@ -488,18 +488,18 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET;
families[1] = AF_INET6;
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
types[1] = "ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;
@ -525,18 +525,18 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET;
families[1] = AF_INET6;
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
types[1] = "ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET6;
@ -562,18 +562,18 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET;
families[1] = AF_INET6;
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
types[1] = "NAME";
types[1] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;
@ -598,18 +598,18 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == 0);
families[0] = AF_INET;
families[1] = AF_INET6;
CHECK(cap_dns_family_limit(capdns, families, 2) == 0);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
types[1] = "NAME";
types[1] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET6;
@ -630,13 +630,13 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
families[0] = AF_INET;
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;
@ -644,7 +644,7 @@ main(void)
CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET6;
@ -665,13 +665,13 @@ main(void)
capdns = cap_clone(origcapdns);
CHECK(capdns != NULL);
types[0] = "ADDR";
types[0] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 1) == 0);
families[0] = AF_INET6;
CHECK(cap_dns_family_limit(capdns, families, 1) == 0);
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
CHECK(cap_dns_type_limit(capdns, types, 2) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;
@ -679,7 +679,7 @@ main(void)
CHECK(cap_dns_family_limit(capdns, families, 2) == -1 &&
errno == ENOTCAPABLE);
types[0] = "NAME";
types[0] = "NAME2ADDR";
CHECK(cap_dns_type_limit(capdns, types, 1) == -1 &&
errno == ENOTCAPABLE);
families[0] = AF_INET;

View File

@ -612,7 +612,7 @@ main(int argc, char *const *argv)
if (capdns != NULL) {
const char *types[1];
types[0] = "ADDR";
types[0] = "ADDR2NAME";
if (cap_dns_type_limit(capdns, types, 1) < 0)
err(1, "unable to limit access to system.dns service");
}
@ -1781,8 +1781,8 @@ capdns_setup(void)
cap_close(capcas);
if (capdnsloc == NULL)
err(1, "unable to open system.dns service");
types[0] = "NAME";
types[1] = "ADDR";
types[0] = "NAME2ADDR";
types[1] = "ADDR2NAME";
if (cap_dns_type_limit(capdnsloc, types, 2) < 0)
err(1, "unable to limit access to system.dns service");
families[0] = AF_INET;