_ftello() modification requires additional capsicum rights, breaking tcpdump and dhclient
Andrey Chernov
ache at freebsd.org
Wed Sep 10 07:00:26 UTC 2014
On 09.09.2014 21:53, Patrick Kelsey wrote:
> I don't think it is worth the trouble, as given the larger pattern of
> libc routines requiring multiple capsicum rights, it seems one will in
> general have to have libc implementation knowledge when using it in
> concert with capsicum. For example, consider the limitfd() routine in
> kdump.c, which provides rights for the TIOCGETA ioctl to be used on
> stdout so the eventual call to isatty() via printf() will work as intended.
>
> I think the above kdump example is a good one for the subtle issues that
> can arise when using capsicum with libc. That call to isatty() is via a
> widely-used internal libc routine __smakebuf(). __smakebuf() also calls
> __swhatbuf(), which in turn calls _fstat(), all to make sure that output
> to a tty is line buffered by default. It would appear that programs
> that restrict rights on stdout without allowing CAP_IOCTL and CAP_FSTAT
> could be disabling the normally default line buffering when stdout is a
> tty. kdump goes the distance, but dhclient does not (restricting stdout
> to CAP_WRITE only).
>
> In any event, the patch attached to my first message is seeming like the
> way to go.
Well, then commit it (if capsicum team agrees).
--
http://ache.vniz.net/
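As an added example (not kdump's or dhclient's code), here is a kdump-style limitfd() for an output descriptor that grants exactly the rights the stdio path quoted above needs: CAP_WRITE, CAP_FSTAT for __swhatbuf()'s _fstat(), and CAP_IOCTL restricted to TIOCGETA for isatty(). It assumes the FreeBSD 10 Capsicum API (cap_rights_limit, cap_ioctls_limit); on other hosts those calls compile out and only the rights-selection logic runs.

```c
/* Added example (not kdump's or dhclient's code). Assumes the FreeBSD 10
 * Capsicum API; elsewhere the capsicum calls compile out. */
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/ioctl.h>
#endif

/* Beyond CAP_WRITE, what libc's __smakebuf()/__swhatbuf() path touches. */
struct stdio_needs {
    int fstat;  /* __swhatbuf() always calls _fstat() */
    int ioctl;  /* isatty() -> ioctl(TIOCGETA), only for char devices */
};

struct stdio_needs stdio_needs_for(int fd)
{
    struct stdio_needs n = { 1, 0 };
    struct stat st;
    /* libc calls isatty() only when fstat reports a character device,
     * so only then must the TIOCGETA ioctl be allowed through. */
    if (fstat(fd, &st) == 0 && S_ISCHR(st.st_mode))
        n.ioctl = 1;
    return n;
}

/* kdump-style limitfd(): CAP_WRITE plus exactly what stdio needs so a tty
 * stays line buffered. Returns 0 or -1 (errno set); ENOSYS is tolerated. */
int limit_stdout_fd(int fd)
{
    struct stdio_needs n = stdio_needs_for(fd);
#ifdef __FreeBSD__
    cap_rights_t rights;
    unsigned long cmd = TIOCGETA;   /* the one ioctl isatty(3) issues */
    cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
    if (n.ioctl)
        cap_rights_set(&rights, CAP_IOCTL);
    if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
        return -1;
    if (n.ioctl && cap_ioctls_limit(fd, &cmd, 1) < 0 && errno != ENOSYS)
        return -1;
#else
    (void)n;   /* policy computed but nothing to enforce on this host */
#endif
    return 0;
}
```

Call limit_stdout_fd(STDOUT_FILENO) before cap_enter(); dhclient's CAP_WRITE-only restriction would drop the fstat/ioctl half and lose tty line buffering on the first printf().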