Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

Open Menu /lib/libcasper/services/cap_fileargs/cap_fileargs.3 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 17, 2019
.Dt CAP_FILEARGS 3
.Os
.Sh NAME
.Nm fileargs_cinit ,
.Nm fileargs_cinitnv ,
.Nm fileargs_init ,
.Nm fileargs_initnv ,
.Nm fileargs_free ,
.Nm fileargs_lstat ,
.Nm fileargs_open ,
.Nm fileargs_fopen
.Nd "library for handling files in capability mode"
.Sh LIBRARY
.Lb libcap_fileargs
.Sh SYNOPSIS
.In sys/nv.h
.In libcasper.h
.In casper/cap_fileargs.h
.Ft "fileargs_t *"
.Fn fileargs_init "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations"
.Ft "fileargs_t *"
.Fn fileargs_cinit "cap_channel_t *cas" "int argc" "char *argv[]" "int flags" "mode_t mode" "cap_rights_t *rightsp" "int operations"
.Ft "fileargs_t *"
.Fn fileargs_cinitnv "cap_channel_t *cas" "nvlist_t *limits"
.Ft "fileargs_t *"
.Fn fileargs_initnv "nvlist_t *limits"
.Ft "void"
.Fn fileargs_free "fileargs_t *fa"
.Ft "int"
.Fn fileargs_lstat "fileargs_t *fa" "const char *path" "struct stat *sb"
.Ft "int"
.Fn fileargs_open "fileargs_t *fa" "const char *name"
.Ft "FILE *"
.Fn fileargs_fopen "fileargs_t *fa" "const char *name" "const char *mode"
.Sh DESCRIPTION
The library is used to simplify Capsicumizing a tools that are using file system.
Idea behind the library is that we are passing a remaining
.Fa argc
and
.Fa argv
which contains a list of files that should be open for this program.
The library will create a service that will serve those files.
.Pp
The function
.Fn fileargs_init
create a service to the
.Nm system.fileargs .
The
.Fa argv
contains a list of files that should be opened.
The argument can be set to
.Dv NULL
which will not create a service and all files will be prohibited to be opened.
The
.Fa argc
argument contains a number of passed files.
The
.Fa flags
argument limits opened files for either execution or reading and/or writing.
The
.Fa mode
argument tells which what mode file should be created if the
.Dv O_CREATE
flag is present .
For more details of the
.Fa flags
and
.Fa mode
arguments see
.Xr open 2 .
The
.Fa rightsp
argument contains a list of the capability rights which file should be limited to.
For more details of the capability rights see
.Xr cap_rights_init 3 .
The
.Fa operations
argument limits the operations that are available using
.Nm system.fileargs .
.Fa operations
is a combination of:
.Bl -ohang -offset indent
.It FA_OPEN
Allow
.Fn fileargs_open
and
.Fn fileargs_fopen .
.It FA_LSTAT
Allow
.Fn fileargs_lstat .
.El
.Pp
The function
.Fn fileargs_cinit
is equivalent to
.Fn fileargs_init
except that the connection to the Casper needs to be provided.
.Pp
The functions
.Fn fileargs_initnv
and
.Fn fileargs_cinitnv
are respectively equivalent to
.Fn fileargs_init
and
.Fn fileargs_cinit
expect that all arguments all provided as
.Xr nvlist 9 .
For details see
.Sx LIMITS .
.Pp
The
.Fa fileargs_free
close connection to the
.Nm system.fileargs
service and free are structures.
The function handle
.Dv NULL
argument.
.Pp
The function
.Fn fileargs_lstat
is equivalent to
.Xr lstat 2 .
.Pp
The functions
.Fn fileargs_open
and
.Fn fileargs_fopen
are respectively equivalent to
.Xr open 2
and
.Xr fopen 3
expect that all arguments are fetched from the
.Va fileargs_t
structure.
.Sh LIMITS
This section describe which values and types should be used to pass arguments to the
.Fa system.fileargs
through the
.Fn fileargs_initnv
and
.Fn fileargs_cinitnv
functions.
The
.Xr nvlist 9
for that functions must contain the following values and types:
.Bl -ohang -offset indent
.It flags ( NV_TYPE_NUMBER )
The
.Va flags
limits opened files for either execution or reading and/or writing.
.It mode (NV_TYPE_NUMBER)
If in the
.Va flags
argument the
.Dv O_CREATE
flag was defined the
.Xr nvlist 9
must contain the
.Va mode .
The
.Va mode
argument tells which what mode file should be created.
.It operations (NV_TYPE_NUMBER)
The
.Va operations
limits the usable operations for
.Fa system.fileargs .
The possible values are explained as
.Va operations
argument with
.Fn fileargs_init .
.El
.Pp
The
.Xr nvlist 9
for that functions may contain the following values and types:
.Bl -ohang -offset indent
.It cap_rights ( NV_TYPE_BINARY )
The
.Va cap_rights
argument contains a list of the capability rights which file should be limited to.
.It ( NV_TYPE_NULL )
Any number of
.Dv NV_TYPE_NULL
where the name of the element is name of the file which can be opened.
.Sh EXAMPLES
The following example first parse some options and then create the
.Nm system.fileargs
service with remaining arguments.
.Bd -literal
int ch, fd, i;
cap_rights_t rights;
fileargs_t *fa;

while ((ch = getopt(argc, argv, "h")) != -1) {
	switch (ch) {
		case 'h':
		default:
			usage();
	}
}

argc -= optind;
argv += optind;

/* Create capability to the system.fileargs service. */
fa = fileargs_init(argc, argv, O_RDONLY, 0,
    cap_rights_init(&rights, CAP_READ), FA_OPEN);
if (fa == NULL)
	err(1, "unable to open system.fileargs service");

/* Enter capability mode sandbox. */
if (cap_enter() < 0 && errno != ENOSYS)
	err(1, "unable to enter capability mode");

/* Open files. */
for (i = 0; i < argc; i++) {
	fd = fileargs_open(fa, argv[i]);
	if (fd < 0)
		err(1, "unable to open file %s", argv[i]);
	printf("File %s opened in capability mode\n", argv[i]);
	close(fd);
}

fileargs_free(fa);
.Ed
.Sh SEE ALSO
.Xr cap_enter 2 ,
.Xr lstat 2 ,
.Xr open 2 ,
.Xr cap_rights_init 3 ,
.Xr err 3 ,
.Xr fopen 3 ,
.Xr getopt 3 ,
.Xr capsicum 4 ,
.Xr nv 9
.Sh BUGS
The
.Lb cap_fileargs
included in
.Fx
is considered experimental, and should not be deployed in production
environments without careful consideration of the risks associated with
the use of experimental operating system features.
.Sh AUTHORS
.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org