author | ian <ian@FreeBSD.org> | 2018-03-23 16:15:07 +0000 |
committer | ian <ian@FreeBSD.org> | 2018-03-23 16:15:07 +0000 |
commit | 8fda170a4e89ab97b68ae1659194c5ad8369d7c6 (patch) | |
tree | 57b6f27b12fd5e5a9c7c237730551ac11d02656e /lib | |
parent | cb7bbdc0771f4360d3d1c58982075bd522ff7079 (diff) | |
MFC r306657, r306673, r306726, r307737, r309366, r310135, r323990, r324414
r306657:
libcapsicum: introduce Capsicum helpers
Capsicum helpers are a set of inline functions which goal is to reduce
duplicated patterns used to Capsicumize applications.
Reviewed by: cem, AllanJude, bapt, ed, emaste
Differential Revision: https://reviews.freebsd.org/D8013
r306673:
libcapsicum: limit stderr
Don't limit stdout twice, instead limit stderr.
Pointed out by: rpokala@
r306726:
Add man pages for Capsicum helpers.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D8154
r307737:
Fix a few sentences in the man page.
Pointed out by: wblock
r309366:
capsicum_helpers: Squash errors from closed fds
Squash EBADF from closed stdin, stdout, or stderr in caph_limit_stdio().
Any program used during special shell scripts may commonly be forked
from a parent process with closed standard stream. Do the common sense
thing for this common use.
Reported by: Iblis Lin <iblis AT hs.ntnu.edu.tw>
Reviewed by: oshogbo@ (earlier version)
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D8657
r310135:
capsicum_helpers: Add LOOKUP flag
Add a helper routine for opening a directory that is restricted to being
used for opening relative files as stdio streams.
I think this will really help basic adaptation of multi-file programs to
Capsicum. Rather than having each program initialize a rights object and
ioctl/fcntl arrays for their root fd for relative opens, consolidate in the
logical place.
Reviewed by: oshogbo@
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D8743
r323990:
capsicum_helpers: Add SEEK to default stdio rights set
PR: 219173
Sponsored by: Dell EMC Isilon
r324414:
capsicum_helpers: Add EVENT to default stdio rights set
Without it, calling caph_limit_stdio(3) breaks Irssi.
Reviewed by: oshogbo
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D12622
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Makefile | 1 | ||||
-rw-r--r-- | lib/libcapsicum/Makefile | 17 | ||||
-rw-r--r-- | lib/libcapsicum/Makefile.depend | 11 | ||||
-rw-r--r-- | lib/libcapsicum/capsicum_helpers.3 | 111 | ||||
-rw-r--r-- | lib/libcapsicum/capsicum_helpers.h | 124 |
5 files changed, 264 insertions, 0 deletions
diff --git a/lib/Makefile b/lib/Makefile
index 91a88e9..ae8ab9b 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -38,6 +38,7 @@ SUBDIR= ${SUBDIR_BOOTSTRAP} \
 libbz2 \
 libcalendar \
 libcam \
+ libcapsicum \
 ${_libcasper} \
 ${_libcom_err} \
 libcompat \
diff --git a/lib/libcapsicum/Makefile b/lib/libcapsicum/Makefile
new file mode 100644
index 0000000..9dd3b80
--- /dev/null
+++ b/lib/libcapsicum/Makefile
@@ -0,0 +1,17 @@
+# $FreeBSD$
+
+PACKAGE=lib${LIB}
+
+INCS= capsicum_helpers.h
+
+MAN+= capsicum_helpers.3
+
+MLINKS+=capsicum_helpers.3 caph_limit_stream.3
+MLINKS+=capsicum_helpers.3 caph_limit_stdin.3
+MLINKS+=capsicum_helpers.3 caph_limit_stderr.3
+MLINKS+=capsicum_helpers.3 caph_limit_stdout.3
+MLINKS+=capsicum_helpers.3 caph_limit_stdio.3
+MLINKS+=capsicum_helpers.3 caph_cache_tzdata.3
+MLINKS+=capsicum_helpers.3 caph_cache_catpages.3
+
+.include <bsd.lib.mk>
diff --git a/lib/libcapsicum/Makefile.depend b/lib/libcapsicum/Makefile.depend
new file mode 100644
index 0000000..f80275d
--- /dev/null
+++ b/lib/libcapsicum/Makefile.depend
@@ -0,0 +1,11 @@
+# $FreeBSD$
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/lib/libcapsicum/capsicum_helpers.3 b/lib/libcapsicum/capsicum_helpers.3
new file mode 100644
index 0000000..98ea1dc
--- /dev/null
+++ b/lib/libcapsicum/capsicum_helpers.3
@@ -0,0 +1,111 @@
+.\" Copyright (c) 2016 Mariusz Zaborski <oshogbo@FreeBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd October 21, 2016
+.Dt CAPSICUM_HELPERS 3
+.Os
+.Sh NAME
+.Nm caph_limit_stream ,
+.Nm caph_limit_stdin ,
+.Nm caph_limit_stderr ,
+.Nm caph_limit_stdout ,
+.Nm caph_limit_stdio ,
+.Nm caph_cache_tzdata ,
+.Nm caph_cache_catpages
+.Nd "set of the functions , part of the libcapsicum"
+.Sh LIBRARY
+.Lb libcapsicum
+.Sh SYNOPSIS
+.In capsicum_helpers.h
+.Ft int
+.Fn caph_limit_stream "int fd, int flags"
+.Ft int
+.Fn caph_limit_stdin "void"
+.Ft int
+.Fn caph_limit_stderr "void"
+.Ft int
+.Fn caph_limit_stdout "void"
+.Ft int
+.Fn caph_limit_stdio "void"
+.Ft void
+.Fn caph_cache_tzdata "void"
+.Ft void
+.Fn caph_cache_catpages "void"
+.Sh DESCRIPTION
+The
+.Nm capsicum helpers
+are a set of a inline functions which simplify modifying programs to use
+Capsicum.
+The goal is to reduce duplicated code patterns.
+The
+.Nm capsicum helpers
+are part of
+.Nm libcapsicum
+but there is no need to link to the library.
+.Pp
+.Fn caph_limit_stream
+restricts capabilities on
+.Fa fd
+to only those needed by POSIX stream objects (that is, FILEs).
+.Pp
+These flags can be provided:
+.Pp
+.Bl -tag -width "CAPH_IGNORE_EBADF" -compact -offset indent
+.It Dv CAPH_IGNORE_EBADF
+Do not return an error if file descriptor is invalid.
+.It Dv CAPH_READ
+Set CAP_READ on limited descriptor.
+.It Dv CAPH_WRITE
+Set CAP_WRITE on limited descriptor.
+.El
+.Pp
+.Fn caph_limit_stdin ,
+.Fn caph_limit_stderr
+and
+.Fn caph_limit_stdout
+limit standard descriptors using the
+.Nm caph_limit_stream
+function.
+.Pp
+.Fn caph_limit_stdio
+limits stdin, stderr and stdout.
+.Pp
+.Fn caph_cache_tzdata
+precaches all timezone data needed to use
+.Li libc
+local time functions.
+.Pp
+.Fn caph_cache_catpages
+caches Native Language Support (NLS) data.
+NLS data is used for localized error printing by
+.Xr strerror 3
+and
+.Xr err 3 ,
+among others.
+.Ed
+.Sh SEE ALSO
+.Xr cap_enter 2 ,
+.Xr rights 4
diff --git a/lib/libcapsicum/capsicum_helpers.h b/lib/libcapsicum/capsicum_helpers.h
new file mode 100644
index 0000000..967889c
--- /dev/null
+++ b/lib/libcapsicum/capsicum_helpers.h
@@ -0,0 +1,124 @@
+/*-
+ * Copyright (c) 2016 Mariusz Zaborski <oshogbo@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef _CAPSICUM_HELPERS_H_
+#define _CAPSICUM_HELPERS_H_
+
+#include <sys/param.h>
+#include <sys/capsicum.h>
+
+#include <errno.h>
+#include <nl_types.h>
+#include <termios.h>
+#include <time.h>
+#include <unistd.h>
+
+#define CAPH_IGNORE_EBADF 0x0001
+#define CAPH_READ 0x0002
+#define CAPH_WRITE 0x0004
+#define CAPH_LOOKUP 0x0008
+
+static __inline int
+caph_limit_stream(int fd, int flags)
+{
+ cap_rights_t rights;
+ unsigned long cmds[] = { TIOCGETA, TIOCGWINSZ };
+
+ cap_rights_init(&rights, CAP_EVENT, CAP_FCNTL, CAP_FSTAT,
+ CAP_IOCTL, CAP_SEEK);
+
+ if ((flags & CAPH_READ) != 0)
+ cap_rights_set(&rights, CAP_READ);
+ if ((flags & CAPH_WRITE) != 0)
+ cap_rights_set(&rights, CAP_WRITE);
+ if ((flags & CAPH_LOOKUP) != 0)
+ cap_rights_set(&rights, CAP_LOOKUP);
+
+ if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
+ if (errno == EBADF && (flags & CAPH_IGNORE_EBADF) != 0)
+ return (0);
+ return (-1);
+ }
+
+ if (cap_ioctls_limit(fd, cmds, nitems(cmds)) < 0 && errno != ENOSYS)
+ return (-1);
+
+ if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS)
+ return (-1);
+
+ return (0);
+}
+
+static __inline int
+caph_limit_stdin(void)
+{
+
+ return (caph_limit_stream(STDIN_FILENO, CAPH_READ));
+}
+
+static __inline int
+caph_limit_stderr(void)
+{
+
+ return (caph_limit_stream(STDERR_FILENO, CAPH_WRITE));
+}
+
+static __inline int
+caph_limit_stdout(void)
+{
+
+ return (caph_limit_stream(STDOUT_FILENO, CAPH_WRITE));
+}
+
+static __inline int
+caph_limit_stdio(void)
+{
+ const int iebadf = CAPH_IGNORE_EBADF;
+
+ if (caph_limit_stream(STDIN_FILENO, CAPH_READ | iebadf) == -1 ||
+ caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | iebadf) == -1 ||
+ caph_limit_stream(STDERR_FILENO, CAPH_WRITE | iebadf) == -1)
+ return (-1);
+ return (0);
+}
+
+static __inline void
+caph_cache_tzdata(void)
+{
+
+ tzset();
+}
+
+static __inline void
+caph_cache_catpages(void)
+{
+
+ (void)catopen("libc", NL_CAT_LOCALE);
+}
+
+#endif /* _CAPSICUM_HELPERS_H_ */
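Review bot: `CAPH_LOOKUP` is defined (`#define CAPH_LOOKUP 0x0008`) and honoured in caph_limit_stream (`cap_rights_set(&rights, CAP_LOOKUP)`), but nothing in the commit documents it: the header has no comment on the flag bits and the flag list in capsicum_helpers.3 names only `CAPH_IGNORE_EBADF`, `CAPH_READ` and `CAPH_WRITE`. I would add `/* CAPH_LOOKUP: also grant CAP_LOOKUP so the fd can serve as the base for relative opens */` beside the define and a matching `.It Dv CAPH_LOOKUP` entry in the man page, since the MFC'd r310135 introduces the flag specifically for that purpose. The three `errno != ENOSYS` checks also deserve a why-comment, because they make caph_limit_stream return 0 when the cap_*_limit calls are unsupported, so a caller cannot tell "descriptor limited" from "Capsicum not available" by the return value alone; e.g. `/* ENOSYS (Capsicum unsupported) is deliberately treated as success. */` above the first cap_rights_limit call. A short header comment stating that `CAPH_IGNORE_EBADF` only suppresses the error from cap_rights_limit, with the later ioctl/fcntl limits never being reached in that case, would spare readers having to trace the early `return (0)`.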