svn commit: r203447 - in projects/capabilities8/tools/cap: . sandbox_world

Robert Watson rwatson at FreeBSD.org
Wed Feb 3 21:29:51 UTC 2010


Author: rwatson
Date: Wed Feb  3 21:29:50 2010
New Revision: 203447
URL: http://svn.freebsd.org/changeset/base/203447

Log:
  Merge cap/sandbox_world test tool from the p4 TrustedBSD Capabilities to
  capabilities8.
  
  Sponsored by:	Google, Inc.

Added:
  projects/capabilities8/tools/cap/
  projects/capabilities8/tools/cap/sandbox_world/
  projects/capabilities8/tools/cap/sandbox_world/Makefile
  projects/capabilities8/tools/cap/sandbox_world/sandbox_world.c

Added: projects/capabilities8/tools/cap/sandbox_world/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/capabilities8/tools/cap/sandbox_world/Makefile	Wed Feb  3 21:29:50 2010	(r203447)
@@ -0,0 +1,8 @@
+PROG=sandbox_world
+NO_MAN=
+CFLAGS=-Wall -g -rdynamic
+
+DPADD=	${LIBCAPABILITY} ${LIBSBUF}
+LDADD=	-lcapsicum -lsbuf
+
+.include <bsd.prog.mk>
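Review bot: DPADD and LDADD on the two lines above `.include` name different libraries: DPADD depends on `${LIBCAPABILITY}` while LDADD links `-lcapsicum`, so the dependency used for rebuild tracking does not match the library actually linked. If the library in this branch is libcapsicum, the DPADD entry presumably should be the matching bsd.libnames.mk variable (likely `${LIBCAPSICUM}`, assuming this branch defines it); otherwise the two should be reconciled the other way. Separately, `CFLAGS=-Wall -g -rdynamic` overrides rather than appends, discarding the defaults and anything the user passes in; `CFLAGS+=-Wall -g -rdynamic` is the usual bsd.prog.mk form.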

Added: projects/capabilities8/tools/cap/sandbox_world/sandbox_world.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/capabilities8/tools/cap/sandbox_world/sandbox_world.c	Wed Feb  3 21:29:50 2010	(r203447)
@@ -0,0 +1,145 @@
+/*-
+ * Copyright (c) 2009-2010 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
+ * ON IN PRODUCTION SYSTEMS.  IT WILL BREAK YOUR SOFTWARE IN NEW AND
+ * UNEXPECTED WAYS.
+ * 
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc. 
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <err.h>
+#include <errno.h>
+#include <libcapsicum.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+/*
+ * Almost your standard "hello world" application, only we run the printf in
+ * a sandbox, and we use a 1-byte synchronous RPC to make sure that the host
+ * doesn't exit until the sandbox is done.
+ */
+
+#define	MYNAME	"sandbox_world"		/* Binary to run in sandbox. */
+
+/*
+ * Unsandboxed host process with full user rights.
+ */
+int
+main(int argc, char *argv[])
+{
+	struct lc_sandbox *lcsp;
+	char *sandbox_argv[3] = { argv[1], "nested", NULL };
+	struct iovec iov;
+	size_t len;
+	char ch;
+
+	if (argc != 1)
+		errx(-1, "usage: sandbox_world");
+
+	/*
+	 * Create a sandbox, do permit access to stdout and stderr.
+	 */
+	if (lch_start(MYNAME, sandbox_argv, LCH_PERMIT_STDERR |
+	    LCH_PERMIT_STDOUT, NULL, &lcsp) < 0)
+		err(-1, "lch_start %s", argv[1]);
+
+	/*
+	 * Send a one-byte message to the sandbox and wait for a one-byte
+	 * reply.
+	 */
+	ch = 'X';
+	iov.iov_base = &ch;
+	iov.iov_len = sizeof(ch);
+	if (lch_rpc(lcsp, 0, &iov, 1, &iov, 1, &len) < 0)
+		err(-1, "lch_rpc");
+	if (len != sizeof(ch))
+		errx(-1, "lch_rpc returned size %zd not %zd", len, sizeof(ch));
+	if (ch != 'X')
+		errx(-1, "lch_recv: expected %d and got %d", 'X', ch);
+
+	/*
+	 * Terminate the sandbox when done.
+	 */
+	lch_stop(lcsp);
+}
+
+/*
+ * Sandboxed process implementing a 'printf hello world' RPC.
+ */
+int
+cap_main(int argc, char *argv[])
+{
+	struct lc_host *lchp;
+	u_int32_t opno, seqno;
+	struct iovec iov;
+	u_char *buffer;
+	size_t len;
+
+	if (lcs_get(&lchp) < 0)
+		err(-1, "lcs_get");
+
+	/*
+	 * Serve RPCs from the host until the sandbox is killed.
+	 */
+	while (1) {
+		/*
+		 * Receive a one-byte RPC from the host.
+		 */
+		if (lcs_recvrpc(lchp, &opno, &seqno, &buffer, &len) < 0) {
+			if (errno != EPIPE)
+				err(-6, "lcs_recvrpc");
+			else
+				exit(-6);
+		}
+		if (len != 1)
+			errx(-7, "lcs_recvrpc len");
+		printf("Hello world!\n");
+		fflush(stdout);
+
+		/*
+		 * Reply with the same message.  Remember to free the message
+		 * when done.
+		 */
+		iov.iov_base = buffer;
+		iov.iov_len = 1;
+		if (lcs_sendrpc(lchp, opno, seqno, &iov, 1) < 0) {
+			if (errno != EPIPE)
+				err(-8, "lcs_sendrpc");
+			else
+				exit(-8);
+		}
+		free(buffer);
+	}
+}
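Review bot: In main, `sandbox_argv[0]` is initialised from `argv[1]`, but the `argc != 1` check a few lines later guarantees `argv[1]` is the terminating NULL of argv, so the vector handed to lch_start starts with NULL and the failure message `err(-1, "lch_start %s", argv[1])` formats a NULL pointer with `%s` (undefined behaviour in standard C). If lch_start passes this vector to the sandboxed binary as its argv, a NULL first element also ends the vector before `"nested"` is ever seen. Using the binary name already defined for the purpose, `char *sandbox_argv[3] = { MYNAME, "nested", NULL };` and `err(-1, "lch_start %s", MYNAME);`, fixes both. Minor: the `lch_rpc returned size` message uses `%zd` for two `size_t` values, where `%zu` is the matching conversion.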

