authorrwatson <rwatson@FreeBSD.org>2001-08-31 02:07:48 +0000
committerrwatson <rwatson@FreeBSD.org>2001-08-31 02:07:48 +0000
commitb7b3700317bb121c5c1fad79f1a36322c3abefd9 (patch)
tree91a6593358725cc372af3a1576da0c9e217ecae1 /lib/libc/posix1e
parent91e066d2032f86915b4a501e4638a4f49a1454a3 (diff)
Introduce implementations of POSIX.1e non-portable form capability
support functions: cap_subset_np() - Is cap1 a subset of cap2 cap_equal_np() - Is cap1 equal to cap2 o Introduce implementations of POSIX.1e capability support functions: cap_copy_ext() - Externalize capability cap_copy_int() - Internalize capability cap_size() - Determine size required for cap_copy_ext() Submitted by: tmm Obtained from: TrustedBSD Project
Diffstat (limited to 'lib/libc/posix1e')
-rw-r--r--lib/libc/posix1e/cap_cmp.c50
-rw-r--r--lib/libc/posix1e/cap_copy.c81
-rw-r--r--lib/libc/posix1e/cap_copy_ext.3134
-rw-r--r--lib/libc/posix1e/cap_copy_int.3101
4 files changed, 366 insertions, 0 deletions
diff --git a/lib/libc/posix1e/cap_cmp.c b/lib/libc/posix1e/cap_cmp.c
new file mode 100644
index 0000000..77bb6ca
--- /dev/null
+++ b/lib/libc/posix1e/cap_cmp.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2001 by Thomas Moestl <tmm@FreeBSD.org>. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Capabiltiy comparison functions cap_subset, cap_equal.
+ */
+
+/* define this to pull in the cap macros the kernel uses */
+#include <sys/types.h>
+#define _CAPABILITY_NEEDMACROS
+#include <sys/capability.h>
+#undef _CAPABILITY_NEEDMACROS
+
+int
+cap_subset_np(cap_t c1, cap_t c2)
+{
+ return CAP_SUBSET(*c1, *c2);
+}
+
+int
+cap_equal_np(cap_t c1, cap_t c2)
+{
+ return c1->c_effective == c2->c_effective &&
+ c1->c_permitted == c2->c_permitted &&
+ c1->c_inheritable == c2->c_inheritable;
+}
+
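Review bot: Both cap_subset_np() and cap_equal_np() dereference c1 and c2 without a NULL check, so a handle from a failed allocation passed straight in faults inside libc instead of producing an error. Because these are predicates whose callers will test the result for truth, returning -1 on bad input could be read as "equal" or "subset"; it seems safer to state the precondition in the block comment, e.g. `/* Both arguments must be valid cap_t handles; NULL is not checked. */`. The existing comment also misspells "Capability" and names the functions without their `_np` suffix.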
diff --git a/lib/libc/posix1e/cap_copy.c b/lib/libc/posix1e/cap_copy.c
new file mode 100644
index 0000000..591e1b2
--- /dev/null
+++ b/lib/libc/posix1e/cap_copy.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright 2001 by Thomas Moestl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * TrustedBSD implementation of cap_copy_ext()/cap_copy_int()
+ *
+ * These are largely nops currently, because our internal format is contiguous.
+ * We just copy our representation out, and do some minumum validations on
+ * external data.
+ *
+ * XXX: we cannot detect cap being invalid. If it is, the program will probably
+ * segfault.
+ */
+
+#include <sys/types.h>
+#include <sys/capability.h>
+
+#include <errno.h>
+#include <stdlib.h>
+
+int
+cap_copy_ext(void *ext_p, cap_t cap, ssize_t size)
+{
+ if (size < 0) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if (size < sizeof(struct cap)) {
+ errno = ERANGE;
+ return (-1);
+ }
+ memcpy(ext_p, cap, sizeof(struct cap));
+ return (sizeof(struct cap));
+}
+
+cap_t
+cap_copy_int(const void *ext_p)
+{
+ cap_t c;
+ /* We can use cap_dup here, because the format is the same */
+ if ((c = cap_dup((cap_t)ext_p)) == NULL)
+ return ((cap_t)NULL);
+ /* Basic validation */
+ if ((c->c_effective & ~CAP_ALL_ON) || (c->c_permitted & ~CAP_ALL_ON) ||
+ (c->c_inheritable & ~CAP_ALL_ON)) {
+ cap_free(c);
+ errno = EINVAL;
+ return ((cap_t)NULL);
+ }
+ return (c);
+}
+
+int
+cap_size(cap_t cap)
+{
+ (void)cap; /* silence warning */
+ return (sizeof(struct cap));
+}
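Review bot: cap_copy_int() passes ext_p to cap_dup() with no length argument, and the external form carries no magic or version field, so a truncated or foreign buffer is presumably read as sizeof(struct cap) bytes of capability state, with only bits outside CAP_ALL_ON rejected. Since the result describes privileges and the format is meant for persistent storage, the file comment should say so, e.g. `/* ext_p must reference at least sizeof(struct cap) bytes from a trusted source; no length or format tag is checked. */`. Separately, cap_copy_ext() calls memcpy() while the file includes only <errno.h> and <stdlib.h>, so `#include <string.h>` is missing. cap_copy_ext() and cap_size() are also defined as returning `int`, whereas the cap_copy_ext.3 synopsis in this commit declares both as `ssize_t`.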
diff --git a/lib/libc/posix1e/cap_copy_ext.3 b/lib/libc/posix1e/cap_copy_ext.3
new file mode 100644
index 0000000..26d4b34
--- /dev/null
+++ b/lib/libc/posix1e/cap_copy_ext.3
@@ -0,0 +1,134 @@
+.\"-
+.\" Copyright (c) 2000 Robert N. M. Watson
+.\" Copyright (c) 2001 Thomas Moestl
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd March 21, 2001
+.Dt CAP_COPY_EXT 3
+.Os
+.Sh NAME
+.Nm cap_copy_ext
+.Nd Convert a Capability State in Working Storage to an External Representation
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <sys/capability.h>
+.Ft ssize_t
+.Fn cap_copy_ext "void *ext_p" "cap_t cap" "ssize_t len"
+.Ft ssize_t
+.Fn cap_size "cap_t cap"
+.Sh DESCRIPTION
+The
+.Nm
+function converts the capability state in working storage identified by
+.Va cap
+to an opaque contiguous external representation in the buffer
+.Va ext_p
+points to.
+.Va size
+specifies the maximum number of bytes that may be written into the buffer.
+.Pp
+An application can use the
+.Nm cap_size
+function to determine the amount of storage in bytes that are needed for
+the external representation of
+.Va cap .
+.Sh IMPLEMENTATION NOTES
+The format of the external representation is not specified in the POSIX.1e
+draft. Applications that need a portable representation should use
+.Xr cap_to_text 3 .
+.Pp
+This function is appropriate in cases where a persistent representation is
+needed that needs no to be portable. Due to endianess issues, this format might
+not even be portable between machines of different architectures running this
+implementation.
+.Pp
+.Xr cap_copy_int 3
+can be used to convert the external representation back to a
+.Va cap_t .
+.Sh RETURN VALUES
+Upon successful completion, the
+.Nm
+function returns the number of bytes written to
+.Va ext_t .
+.Nm cap_size
+returns the number of bytes needed for the external representation of
+.Va cap
+if it is valid.
+On error, both return
+.Va -1
+and set
+.Va errno
+appropriately.
+.Sh ERRORS
+.Nm
+can set
+.Dv errno
+to the following values:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+Either the
+.Va cap
+argument does not refer to a capability state in working storage
+or the
+.Va len
+argument is below zero, or both.
+.It Bq Er ERANGE
+The buffer size specified by
+.Va len
+argument is too small to hold the external representation.
+.El
+.Pp
+.Nm cap_size
+can set
+.Dv errno
+to the following values:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The
+.Va cap
+argument does not refer to a capability state in working storage.
+.El
+.Sh SEE ALSO
+.Xr cap_copy_int 3 ,
+.Xr cap_free 3 ,
+.Xr cap_from_text 3 ,
+.Xr cap_get_flag 3 ,
+.Xr cap_to_text 3 ,
+.Xr posix1e 3
+.Sh STANDARDS
+This function is expected to conform to the withdrawn
+IEEE draft 1003.1e
+.Po
+.Do POSIX.1e
+.Dc
+.Pc .
+.Sh HISTORY
+This function first appeared in
+.Fx 5.0 .
+.Sh AUTHORS
+.An Thomas Moestl Aq tmm@FreeBSD.org
diff --git a/lib/libc/posix1e/cap_copy_int.3 b/lib/libc/posix1e/cap_copy_int.3
new file mode 100644
index 0000000..5e12701
--- /dev/null
+++ b/lib/libc/posix1e/cap_copy_int.3
@@ -0,0 +1,101 @@
+.\"-
+.\" Copyright (c) 2000 Robert N. M. Watson
+.\" Copyright (c) 2001 Thomas Moestl
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd March 21, 2001
+.Dt CAP_COPY_INT 3
+.Os
+.Sh NAME
+.Nm cap_copy_int
+.Nd Convert an External Capability Representation to a Capability State in
+Working Storage
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <sys/capability.h>
+.Ft cap_t
+.Fn cap_copy_int "void *ext_p"
+.Sh DESCRIPTION
+The
+.Nm
+function converts an external capability representation as returned by
+.Nm cap_copy_ext
+in the memory that
+.Va ext_p
+points to to a handle to a capability state in working storage.
+.Pp
+This function may cause memory to be allocated.
+The caller should free any releasable memory, when the capability state
+in working memory is no longer required, by calling
+.Xr cap_free 3
+with the
+.Va cap_t
+as an argument.
+.Sh RETURN VALUES
+Upon successful completion, the
+.Nm
+function returns a handle to a capability state in working storage.
+On error, it returns
+.Va (cap_t)NULL
+and sets
+.Va errno
+appropriately.
+.Sh ERRORS
+The following
+.Dv errno
+values can be set by
+.Nm cap_copy_ext :
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The
+.Va ext_p
+does not refer to an external representation as returned by
+.Xr cap_copy_ext 3
+.It Bq Er ENOMEM
+Not enough memory could be allocated in the working storage to hold the
+capability state.
+.El
+.Sh SEE ALSO
+.Xr cap_copy_int 3 ,
+.Xr cap_free 3 ,
+.Xr cap_from_text 3 ,
+.Xr cap_get_flag 3 ,
+.Xr cap_to_text 3 ,
+.Xr posix1e 3
+.Sh STANDARDS
+This function is expected to conform to the withdrawn
+IEEE draft 1003.1e
+.Po
+.Do POSIX.1e
+.Dc
+.Pc .
+.Sh HISTORY
+This function first appeared in
+.Fx 5.0 .
+.Sh AUTHORS
+.An Thomas Moestl Aq tmm@FreeBSD.org