[Bug 243252] www/firefox core dumps after r522486 (failed to freeze shm)
bugzilla-noreply at freebsd.org
Mon Jan 20 18:33:35 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243252
--- Comment #21 from rozhuk.im at gmail.com ---
Base system software uses cap_rights_limit(), but respects the user's environment — a failure with errno == ENOSYS is tolerated, or the sandboxing is compiled out entirely:
/usr/src/contrib/dma/dma-mbox-create.c: if (cap_rights_limit(maildirfd,
&rights) < 0 && errno != ENOSYS)
/usr/src/contrib/tcpdump/tcpdump.c: if (cap_rights_limit(fd, &rights) < 0
&& errno != ENOSYS) {
/usr/src/contrib/traceroute/traceroute.c:
#ifdef WITH_CASPER
cansandbox = true;
#else
if (nflag)
cansandbox = true;
else
cansandbox = false;
#endif
...
/usr/src/contrib/xz/src/xz/file_io.c:
#ifdef HAVE_CAPSICUM
// Capsicum needs FreeBSD 10.0 or later.
cap_rights_t rights;
if (cap_rights_limit(src_fd, cap_rights_init(&rights,
CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
goto error;
/usr/src/crypto/openssh/sandbox-capsicum.c: if
(cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
/usr/src/lib/libutil/pidfile.c:
if (cap_rights_limit(dirfd,
cap_rights_init(&caprights, CAP_UNLINKAT)) < 0 && errno != ENOSYS)
{
goto failed;
}
...
/usr/src/sbin/hastd/subr.c:
#ifdef HAVE_CAPSICUM
capsicum = (cap_enter() == 0);
if (!capsicum) {
pjdlog_common(LOG_DEBUG, 1, errno,
"Unable to sandbox using capsicum");
} else if (res != NULL) {
cap_rights_t rights;
static const unsigned long geomcmds[] = {
DIOCGDELETE,
DIOCGFLUSH
};
PJDLOG_ASSERT(res->hr_role == HAST_ROLE_PRIMARY ||
res->hr_role == HAST_ROLE_SECONDARY);
cap_rights_init(&rights, CAP_FLOCK, CAP_IOCTL, CAP_PREAD,
CAP_PWRITE);
if (cap_rights_limit(res->hr_localfd, &rights) == -1) {
pjdlog_errno(LOG_ERR,
"Unable to limit capability rights on local
descriptor");
}
if (cap_ioctls_limit(res->hr_localfd, geomcmds,
nitems(geomcmds)) == -1) {
pjdlog_errno(LOG_ERR,
"Unable to limit allowed GEOM ioctls");
}
...
/usr/src/sbin/ping/ping.c: if (cap_rights_limit(srecv, &rights) < 0 &&
errno != ENOSYS)
/usr/src/usr.bin/bsdiff/bspatch/bspatch.c:
#ifndef WITHOUT_CAPSICUM
if (cap_enter() < 0) {
/* Failed to sandbox, fatal if CAPABILITY_MODE enabled */
if (errno != ENOSYS)
err(1, "failed to enter security sandbox");
} else {
/* Capsicum Available */
cap_rights_init(&rights_ro, CAP_READ, CAP_FSTAT, CAP_SEEK);
cap_rights_init(&rights_wr, CAP_WRITE);
cap_rights_init(&rights_dir, CAP_UNLINKAT);
if (cap_rights_limit(fileno(f), &rights_ro) < 0 ||
/usr/src/usr.sbin/iscsid/iscsid.c:
error = cap_rights_limit(conn->conn_iscsi_fd, &rights);
if (error != 0 && errno != ENOSYS)
log_err(1, "cap_rights_limit");
So if you decide that cap_rights_limit() is a "must have", ensure that others agree
with you, and remove WITHO_CAPSICUM/WITHOUT_CAPSICUM from src and base system
software before this patch.