Gotweb

Commit Diff

Commit:: 5d120ea8410ddc2808e476d554ba931dc19d8c50
From:: Omar Polo <op@omarpolo.com>
Date:: Thu Jun 23 14:58:40 2022 UTC
Message:: use capsicum on FreeBSD Thanks to the design of Got, the libexec helpers don't need any resource (in fact they run under pledge "stdio recvfd" on OpenBSD) and so using cap_enter(2) on FreeBSD is dead-easy. While the main process can't be sandboxed on FreeBSD (needs to exec the helpers), all the tough work is done by these small libexec helpers which is also the biggest attack surface. tested by naddy, ok thomas
Actions:: Patch | Tree
commit - f620ae20ad85d852b04f084cdb86549ee4fff1bb
commit + 5d120ea8410ddc2808e476d554ba931dc19d8c50
blob - 84c18d08658195752f0bf61d826c1f78d5127026
blob + 6cc8083dc2e768ace9adaf6c9c9a767b69b82e4d
--- include/got_compat.h
+++ include/got_compat.h
@@ -67,6 +67,12 @@
 #ifndef __OpenBSD__
 #define pledge(s, p) (0)
 #define unveil(s, p) (0)
+#endif
+
+#ifdef __FreeBSD__
+#include <sys/capsicum.h>
+#else
+#define cap_enter() (0)
 #endif
 
 #ifndef HAVE_LINUX_LANDLOCK_H
blob - 7b6521625b84fc12679b84419662568f5f0852a1
blob + 1e6bf21a70b5d71aa3b12453c7427e1cad9f6980
--- libexec/got-fetch-pack/got-fetch-pack.c
+++ libexec/got-fetch-pack/got-fetch-pack.c
@@ -806,6 +806,11 @@ main(int argc, char **argv)
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 	err = got_privsep_recv_imsg(&imsg, &ibuf, 0);
 	if (err) {
blob - bdacb5506ed2ddd855aa4c7392923248c0f2b660
blob + 69517e0d0138f02236f127c0f31b2113c5a9e1f9
--- libexec/got-index-pack/got-index-pack.c
+++ libexec/got-index-pack/got-index-pack.c
@@ -1026,6 +1026,11 @@ main(int argc, char **argv)
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 	err = got_privsep_recv_imsg(&imsg, &ibuf, 0);
 	if (err)
blob - cea6f43adac14aa61fc01c67ea2223fe2ec4b367
blob + 299dfb1ae0a14b4b599bb567807748669f2fe2cc
--- libexec/got-read-blob/got-read-blob.c
+++ libexec/got-read-blob/got-read-blob.c
@@ -72,6 +72,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	for (;;) {
blob - 75b69cf033167c2237a8a02aeebd0f48a8d649ea
blob + 31d32d460579f8928aefb999066e715216e80c1b
--- libexec/got-read-commit/got-read-commit.c
+++ libexec/got-read-commit/got-read-commit.c
@@ -126,6 +126,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	for (;;) {
blob - 9a8444f947cbb287dff1d1c50162e40102463510
blob + f97c7ff67358e322a048152177e2f9d0b5b81712
--- libexec/got-read-gitconfig/got-read-gitconfig.c
+++ libexec/got-read-gitconfig/got-read-gitconfig.c
@@ -336,6 +336,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	for (;;) {
blob - 6bfa6e6d2db2689f8b43a6da77858220f198e083
blob + ccb786281d0d837592d77d712cd547f65ec906ad
--- libexec/got-read-gotconfig/got-read-gotconfig.c
+++ libexec/got-read-gotconfig/got-read-gotconfig.c
@@ -501,6 +501,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	if (argc > 1)
blob - dc0a31bec0e6ec9ca5b23fbc47165af5c10063e5
blob + 2d058e778766c79c6faacb6f95aba7bc0ffa1b47
--- libexec/got-read-object/got-read-object.c
+++ libexec/got-read-object/got-read-object.c
@@ -147,6 +147,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	for (;;) {
blob - a3715f9d5f111b916bec81a7400b2e4ab7b44f37
blob + 7b38790c226690f59f6a5f642379bef1399195cb
--- libexec/got-read-pack/got-read-pack.c
+++ libexec/got-read-pack/got-read-pack.c
@@ -1653,6 +1653,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	err = receive_packidx(&packidx, &ibuf);
blob - 57b57caa1ba90f49fd985a8aa10b7961a4c1ce7f
blob + fae7779801eff69eff31c4d04e25c03dc88ed9a0
--- libexec/got-read-patch/got-read-patch.c
+++ libexec/got-read-patch/got-read-patch.c
@@ -536,6 +536,11 @@ main(int argc, char **argv)
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	err = got_privsep_recv_imsg(&imsg, &ibuf, 0);
blob - 57787944b6605bdc56c8281731a46bb5a54f9442
blob + 83d70fe7b21329db35df0e8293775ac32eefeb90
--- libexec/got-read-tag/got-read-tag.c
+++ libexec/got-read-tag/got-read-tag.c
@@ -121,6 +121,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	for (;;) {
blob - cc2d892a4bf2ba8782971f3d1c9761e522456476
blob + d83b9c856cc4d9c93e359dfd5a23171099a23b73
--- libexec/got-read-tree/got-read-tree.c
+++ libexec/got-read-tree/got-read-tree.c
@@ -120,6 +120,11 @@ main(int argc, char *argv[])
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 
 	for (;;) {
blob - 615521693614965f7f1635a2161b3da35c245f85
blob + 128d46236a43f93321fb66a86cb2e648d82eb2b4
--- libexec/got-send-pack/got-send-pack.c
+++ libexec/got-send-pack/got-send-pack.c
@@ -600,6 +600,11 @@ main(int argc, char **argv)
 		got_privsep_send_error(&ibuf, err);
 		return 1;
 	}
+	if (cap_enter() == -1) {
+		err = got_error_from_errno("cap_enter");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
 #endif
 	if ((err = got_privsep_recv_imsg(&imsg, &ibuf, 0)) != 0) {
 		if (err->code == GOT_ERR_PRIVSEP_PIPE)