git: 7ad30f58dd63 - main - sockstat: use cap_pwd

Fri Jun 18 16:12:24 UTC 2021

The branch main has been updated by oshogbo:

URL: https://cgit.FreeBSD.org/src/commit/?id=7ad30f58dd63bfabfdf34f6ea93ab270fde8de36

commit 7ad30f58dd63bfabfdf34f6ea93ab270fde8de36
Author:     Mariusz Zaborski <oshogbo at FreeBSD.org>
AuthorDate: 2021-06-18 16:06:03 +0000
Commit:     Mariusz Zaborski <oshogbo at FreeBSD.org>
CommitDate: 2021-06-18 16:08:30 +0000

    sockstat: use cap_pwd
    
    The sockstat is using password database operations to obtain
    the username. Such operations are disallowed in capability mode.
    For such operations Casper is required.
    
    Reported by:    olivier@
    Tested by:      olivier@
---
 usr.bin/sockstat/Makefile   |  1 +
 usr.bin/sockstat/sockstat.c | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/usr.bin/sockstat/Makefile b/usr.bin/sockstat/Makefile
index 6d0de7dc22d0..bf1cd0b9a443 100644
--- a/usr.bin/sockstat/Makefile
+++ b/usr.bin/sockstat/Makefile
@@ -10,6 +10,7 @@ LIBADD=		jail
 LIBADD+=	casper
 LIBADD+=	cap_net
 LIBADD+=	cap_netdb
+LIBADD+=	cap_pwd
 LIBADD+=	cap_sysctl
 CFLAGS+=	-DWITH_CASPER
 .endif
diff --git a/usr.bin/sockstat/sockstat.c b/usr.bin/sockstat/sockstat.c
index 285889a07b7b..5318a43f8585 100644
--- a/usr.bin/sockstat/sockstat.c
+++ b/usr.bin/sockstat/sockstat.c
@@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
 #include <libcasper.h>
 #include <casper/cap_net.h>
 #include <casper/cap_netdb.h>
+#include <casper/cap_pwd.h>
 #include <casper/cap_sysctl.h>
 
 #define	sstosin(ss)	((struct sockaddr_in *)(ss))
@@ -141,6 +142,7 @@ static int nxfiles;
 static cap_channel_t *capnet;
 static cap_channel_t *capnetdb;
 static cap_channel_t *capsysctl;
+static cap_channel_t *cappwd;
 
 static int
 xprintf(const char *fmt, ...)
@@ -1215,7 +1217,7 @@ display(void)
 			printf(" %-.*s", TCP_CA_NAME_MAX, "CC");
 		printf("\n");
 	}
-	setpassent(1);
+	cap_setpassent(cappwd, 1);
 	for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
 		if (xf->xf_data == 0)
 			continue;
@@ -1229,7 +1231,8 @@ display(void)
 				continue;
 			s->shown = 1;
 			pos = 0;
-			if (opt_n || (pwd = getpwuid(xf->xf_uid)) == NULL)
+			if (opt_n ||
+			    (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL)
 				pos += xprintf("%lu ", (u_long)xf->xf_uid);
 			else
 				pos += xprintf("%s ", pwd->pw_name);
@@ -1326,6 +1329,8 @@ main(int argc, char *argv[])
 {
 	cap_channel_t *capcas;
 	cap_net_limit_t *limit;
+	const char *pwdcmds[] = { "setpassent", "getpwuid" };
+	const char *pwdfields[] = { "pw_name" };
 	int protos_defined = -1;
 	int o, i;
 
@@ -1424,12 +1429,19 @@ main(int argc, char *argv[])
 	capsysctl = cap_service_open(capcas, "system.sysctl");
 	if (capsysctl == NULL)
 		err(1, "Unable to open system.sysctl service");
+	cappwd = cap_service_open(capcas, "system.pwd");
+	if (cappwd == NULL)
+		err(1, "Unable to open system.pwd service");
 	cap_close(capcas);
 	limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
 	if (limit == NULL)
 		err(1, "Unable to init cap_net limits");
 	if (cap_net_limit(limit) < 0)
 		err(1, "Unable to apply limits");
+	if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0)
+		err(1, "Unable to apply pwd commands limits");
+	if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0)
+		err(1, "Unable to apply pwd commands limits");
 
 	if ((!opt_4 && !opt_6) && protos_defined != -1)
 		opt_4 = opt_6 = 1;
