From: Jonathan Adams <jfadams1963@proton.me>
Date: Tue, 20 Feb 2024 01:53:15 +0000
To: FreeBSD-questions
Subject: Re: Limiting Capsicum capabilities rights [RESOLVED]
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Tuesday, February 13th, 2024 at 11:22 AM, Jonathan Adams wrote:

> As I say, this all works fine. But if I add in the following declaration and calls to set and limit rights, it fails; clearly too restrictive:
> ----------
> cap_rights_t rights;
> ...
> // Set rights on directory fd
> cap_rights_init(&rights, CAP_LOOKUP, CAP_CREATE, CAP_PREAD, \
>                 CAP_PWRITE, CAP_FCHMOD);
> cap_rights_limit(dirfd, &rights);
> ----------

For posterity's sake, the missing right in cap_rights_init() was CAP_FCNTL. I finally found the answer in Mariusz Zaborski's 2018 article "Capsicum: Just Apply Me!" The relevant text is from his example of Capsicumizing cmp(1):

    cmp(1) is working on two descriptors fd1 and fd2 and both have
    capability CAP_FSTAT and CAP_FCNTL, which respectively allow us to
    get a file status using the fstat(2) function and fcntl(2) for file
    control. (The cmp(1) uses the fdopen(3) function that requires
    fcntl(F_GETFL)).

- Jonathan

____________________________________________
"Before Turing, things were done to numbers. After Turing, numbers began doing things" - George Dyson
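The failure Jonathan describes, reproduced as an added example that is not part of the original message or of the FreeBSD sources: a directory descriptor is limited to exactly the rights from the quoted snippet, a file is created through it with openat(2), and fdopen(3) is tried on the resulting descriptor once without and once with CAP_FCNTL. The probe file name "probe.txt", the /tmp directory template and the helper names probe_fdopen() and demo() are this example's own assumptions. The Capsicum calls exist only on FreeBSD; on other systems they are compiled out and probe_fdopen() reports PROBE_UNSUPPORTED.

```c
/*
 * Added example (not from the original message): shows that the right set
 * CAP_LOOKUP, CAP_CREATE, CAP_PREAD, CAP_PWRITE, CAP_FCHMOD lets openat(2)
 * create a file, but fdopen(3) on that file fails with ENOTCAPABLE because
 * fdopen calls fcntl(F_GETFL); adding CAP_FCNTL makes it succeed.
 * FreeBSD only; elsewhere the Capsicum path is compiled out.
 */
#ifdef __linux__
#define _DEFAULT_SOURCE        /* mkdtemp(3) prototype under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Outcome codes returned by probe_fdopen(). */
enum { PROBE_OK = 1, PROBE_NOTCAPABLE = 0, PROBE_ERROR = -1, PROBE_UNSUPPORTED = -2 };

/*
 * Open dirpath (assumed to be a writable directory), limit the descriptor
 * to the quoted right set (plus CAP_FCNTL when with_fcntl is nonzero),
 * create "probe.txt" through it and try to wrap the new fd with fdopen(3).
 */
int probe_fdopen(const char *dirpath, int with_fcntl)
{
#ifndef __FreeBSD__
    (void)dirpath;
    (void)with_fcntl;
    return PROBE_UNSUPPORTED;
#else
    cap_rights_t rights;
    char path[1024];

    int dirfd = open(dirpath, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return PROBE_ERROR;

    /* Exactly the rights from the quoted snippet. */
    cap_rights_init(&rights, CAP_LOOKUP, CAP_CREATE, CAP_PREAD, CAP_PWRITE, CAP_FCHMOD);
    if (with_fcntl)
        cap_rights_set(&rights, CAP_FCNTL);   /* the right fdopen(3) was missing */

    /* Enforced from here on, whether or not the process calls cap_enter(2). */
    if (cap_rights_limit(dirfd, &rights) < 0) {
        close(dirfd);
        return PROBE_ERROR;
    }

    /* openat(2) needs CAP_LOOKUP, CAP_CREATE, CAP_READ and CAP_WRITE here
     * (CAP_READ/CAP_WRITE are contained in CAP_PREAD/CAP_PWRITE); the new
     * file descriptor inherits the directory descriptor's rights. */
    int fd = openat(dirfd, "probe.txt", O_RDWR | O_CREAT, 0600);
    close(dirfd);
    if (fd < 0)
        return PROBE_ERROR;

    int result;
    FILE *fp = fdopen(fd, "r+");              /* internally: fcntl(fd, F_GETFL) */
    if (fp != NULL) {
        result = PROBE_OK;
        fclose(fp);                           /* closes fd as well */
    } else {
        result = (errno == ENOTCAPABLE) ? PROBE_NOTCAPABLE : PROBE_ERROR;
        close(fd);
    }

    /* Clean up by path: the limited dirfd never had CAP_UNLINKAT anyway. */
    snprintf(path, sizeof path, "%s/probe.txt", dirpath);
    unlink(path);
    return result;
#endif
}

/*
 * Run both probes in a fresh temporary directory.
 * Returns 1 when the outcome matches the finding in the message (fails with
 * ENOTCAPABLE without CAP_FCNTL, succeeds with it), 2 when this host has no
 * Capsicum, 0 on any other outcome.
 */
int demo(void)
{
    char tmpl[] = "/tmp/capfcntl.XXXXXX";    /* assumed writable location */
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return 0;

    int without = probe_fdopen(dir, 0);
    int with = probe_fdopen(dir, 1);
    rmdir(dir);

    if (without == PROBE_UNSUPPORTED && with == PROBE_UNSUPPORTED)
        return 2;
    return (without == PROBE_NOTCAPABLE && with == PROBE_OK) ? 1 : 0;
}

int main(void)
{
    int r = demo();
    if (r == 2)
        puts("Capsicum not available on this host");
    else
        printf("fdopen(3) fails with ENOTCAPABLE without CAP_FCNTL and works with it: %s\n",
               r == 1 ? "yes" : "no");
    return r == 0;
}
```

Build it on FreeBSD with `cc -o capfcntl capfcntl.c` and run it; the rights are checked by cap_rights_limit(2) itself, so the probes do not need cap_enter(2). When CAP_FCNTL is added for fdopen(3)'s sake, cap_fcntls_limit(2) with CAP_FCNTL_GETFL narrows that right to the one fcntl command stdio actually uses, which keeps the descriptor closer to least privilege than granting all fcntl commands.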