Please welcome casperd daemon. It (and its services) will be responsible for

giving access to functionality that is not available in capability mode sandbox. The functionality can be precisely restricted. Start with the following services: - system.dns - provides API compatible to: - gethostbyname(3), - gethostbyname2(3), - gethostbyaddr(3), - getaddrinfo(3), - getnameinfo(3), - system.grp - provides getgrent(3)-compatible API, - system.pwd - provides getpwent(3)-compatible API, - system.random - allows to obtain entropy from /dev/random, - system.sysctl - provides sysctlbyname(3-compatible API. Sponsored by: The FreeBSD Foundation
author: pjd <pjd@FreeBSD.org> 2013-12-02 08:21:28 +0000
committer: pjd <pjd@FreeBSD.org> 2013-12-02 08:21:28 +0000
commit: 1073fb03ac28ecce11c4757fb70eeed6ddf75454 (patch)
tree: e5362e2638f535b165335ebb4508efffb47ea68d /libexec
parent: 9817dff3a754684d82b9c2f620056071d729718a (diff)
download: FreeBSD-src-1073fb03ac28ecce11c4757fb70eeed6ddf75454.zip
FreeBSD-src-1073fb03ac28ecce11c4757fb70eeed6ddf75454.tar.gz
12 files changed, 1694 insertions, 0 deletions
diff --git a/libexec/Makefile b/libexec/Makefile
index cf5c120..e4781b8 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile
@@ -6,6 +6,7 @@
 SUBDIR=	${_atf} \
 	${_atrun} \
 	bootpd \
+	${_casper} \
 	${_comsat} \
 	fingerd \
 	ftpd \
@@ -38,6 +39,10 @@ SUBDIR=	${_atf} \
 _atrun=		atrun
 .endif
 
+.if ${MK_CASPER} != "no"
+_casper=	casper
+.endif
+
 .if ${MK_MAIL} != "no"
 _comsat=	comsat
 .endif
diff --git a/libexec/casper/Makefile b/libexec/casper/Makefile
new file mode 100644
index 0000000..ed6bd7b
--- /dev/null
+++ b/libexec/casper/Makefile
@@ -0,0 +1,11 @@
+# $FreeBSD$
+
+.include <bsd.own.mk>
+
+SUBDIR=	dns
+SUBDIR+=grp
+SUBDIR+=pwd
+SUBDIR+=random
+SUBDIR+=sysctl
+
+.include <bsd.subdir.mk>
diff --git a/libexec/casper/dns/Makefile b/libexec/casper/dns/Makefile
new file mode 100644
index 0000000..82bd4c0
--- /dev/null
+++ b/libexec/casper/dns/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR} ${.CURDIR}/../../../sbin/casper
+
+PROG=	dns
+
+SRCS=	dns.c
+
+DPADD=	${LIBCAPSICUM} ${LIBCASPER} ${LIBNV} ${LIBPJDLOG} ${LIBUTIL}
+LDADD=	-lcapsicum -lcasper -lnv -lpjdlog -lutil
+
+BINDIR=	/libexec/casper
+
+CFLAGS+=-I${.CURDIR}
+CFLAGS+=-I${.CURDIR}/../../../lib/libcapsicum
+CFLAGS+=-I${.CURDIR}/../../../lib/libcasper
+CFLAGS+=-I${.CURDIR}/../../../lib/libpjdlog
+CFLAGS+=-I${.CURDIR}/../../../sbin/casper
+
+NO_MAN=
+
+.include <bsd.prog.mk>
diff --git a/libexec/casper/dns/dns.c b/libexec/casper/dns/dns.c
new file mode 100644
index 0000000..6be022a
--- /dev/null
+++ b/libexec/casper/dns/dns.c
@@ -0,0 +1,425 @@
+/*-
+ * Copyright (c) 2012-2013 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <netinet/in.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libcapsicum.h>
+#include <libcapsicum_dns.h>
+#include <libcasper.h>
+#include <nv.h>
+#include <pjdlog.h>
+
+static bool
+dns_allowed_type(const nvlist_t *limits, const char *type)
+{
+	const char *name;
+	bool notypes;
+	void *cookie;
+
+	if (limits == NULL)
+		return (true);
+
+	notypes = true;
+	cookie = NULL;
+	while ((name = nvlist_next(limits, NULL, &cookie)) != NULL) {
+		if (strncmp(name, "type", sizeof("type") - 1) != 0)
+			continue;
+		notypes = false;
+		if (strcmp(nvlist_get_string(limits, name), type) == 0)
+			return (true);
+	}
+
+	/* If there are no types at all, allow any type. */
+	if (notypes)
+		return (true);
+
+	return (false);
+}
+
+static bool
+dns_allowed_family(const nvlist_t *limits, int family)
+{
+	const char *name;
+	bool nofamilies;
+	void *cookie;
+
+	if (limits == NULL)
+		return (true);
+
+	nofamilies = true;
+	cookie = NULL;
+	while ((name = nvlist_next(limits, NULL, &cookie)) != NULL) {
+		if (strncmp(name, "family", sizeof("family") - 1) != 0)
+			continue;
+		nofamilies = false;
+		if (family == AF_UNSPEC)
+			continue;
+		if (nvlist_get_number(limits, name) == (uint64_t)family)
+			return (true);
+	}
+
+	/* If there are no families at all, allow any family. */
+	if (nofamilies)
+		return (true);
+
+	return (false);
+}
+
+static void
+hostent_pack(const struct hostent *hp, nvlist_t *nvl)
+{
+	unsigned int ii;
+
+	nvlist_add_string(nvl, "name", hp->h_name);
+	nvlist_add_number(nvl, "addrtype", (uint64_t)hp->h_addrtype);
+	nvlist_add_number(nvl, "length", (uint64_t)hp->h_length);
+
+	if (hp->h_aliases == NULL) {
+		nvlist_add_number(nvl, "naliases", 0);
+	} else {
+		for (ii = 0; hp->h_aliases[ii] != NULL; ii++) {
+			nvlist_addf_string(nvl, hp->h_aliases[ii], "alias%u",
+			    ii);
+		}
+		nvlist_add_number(nvl, "naliases", (uint64_t)ii);
+	}
+
+	if (hp->h_addr_list == NULL) {
+		nvlist_add_number(nvl, "naddrs", 0);
+	} else {
+		for (ii = 0; hp->h_addr_list[ii] != NULL; ii++) {
+			nvlist_addf_binary(nvl, hp->h_addr_list[ii],
+			    (size_t)hp->h_length, "addr%u", ii);
+		}
+		nvlist_add_number(nvl, "naddrs", (uint64_t)ii);
+	}
+}
+
+static int
+dns_gethostbyname(const nvlist_t *limits, const nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	struct hostent *hp;
+	int family;
+
+	if (!dns_allowed_type(limits, "NAME"))
+		return (NO_RECOVERY);
+
+	family = (int)nvlist_get_number(nvlin, "family");
+
+	if (!dns_allowed_family(limits, family))
+		return (NO_RECOVERY);
+
+	hp = gethostbyname2(nvlist_get_string(nvlin, "name"), family);
+	if (hp == NULL)
+		return (h_errno);
+	hostent_pack(hp, nvlout);
+	return (0);
+}
+
+static int
+dns_gethostbyaddr(const nvlist_t *limits, const nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	struct hostent *hp;
+	const void *addr;
+	size_t addrsize;
+	int family;
+
+	if (!dns_allowed_type(limits, "ADDR"))
+		return (NO_RECOVERY);
+
+	family = (int)nvlist_get_number(nvlin, "family");
+
+	if (!dns_allowed_family(limits, family))
+		return (NO_RECOVERY);
+
+	addr = nvlist_get_binary(nvlin, "addr", &addrsize);
+	hp = gethostbyaddr(addr, (socklen_t)addrsize, family);
+	if (hp == NULL)
+		return (h_errno);
+	hostent_pack(hp, nvlout);
+	return (0);
+}
+
+static int
+dns_getnameinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct sockaddr_storage sast;
+	const void *sabin;
+	char *host, *serv;
+	size_t sabinsize, hostlen, servlen;
+	socklen_t salen;
+	int error, flags;
+
+	if (!dns_allowed_type(limits, "NAME"))
+		return (NO_RECOVERY);
+
+	error = 0;
+	host = serv = NULL;
+	memset(&sast, 0, sizeof(sast));
+
+	hostlen = (size_t)nvlist_get_number(nvlin, "hostlen");
+	servlen = (size_t)nvlist_get_number(nvlin, "servlen");
+
+	if (hostlen > 0) {
+		host = calloc(1, hostlen + 1);
+		if (host == NULL) {
+			error = EAI_MEMORY;
+			goto out;
+		}
+	}
+	if (servlen > 0) {
+		serv = calloc(1, servlen + 1);
+		if (serv == NULL) {
+			error = EAI_MEMORY;
+			goto out;
+		}
+	}
+
+	sabin = nvlist_get_binary(nvlin, "sa", &sabinsize);
+	if (sabinsize > sizeof(sast)) {
+		error = EAI_FAIL;
+		goto out;
+	}
+
+	memcpy(&sast, sabin, sabinsize);
+	salen = (socklen_t)sabinsize;
+
+	if ((sast.ss_family != AF_INET ||
+	     salen != sizeof(struct sockaddr_in)) &&
+	    (sast.ss_family != AF_INET6 ||
+	     salen != sizeof(struct sockaddr_in6))) {
+		error = EAI_FAIL;
+		goto out;
+	}
+
+	if (!dns_allowed_family(limits, (int)sast.ss_family))
+		return (NO_RECOVERY);
+
+	flags = (int)nvlist_get_number(nvlin, "flags");
+
+	error = getnameinfo((struct sockaddr *)&sast, salen, host, hostlen,
+	    serv, servlen, flags);
+	if (error != 0)
+		goto out;
+
+	nvlist_move_string(nvlout, "host", host);
+	nvlist_move_string(nvlout, "serv", serv);
+out:
+	if (error != 0) {
+		free(host);
+		free(serv);
+	}
+	return (error);
+}
+
+static nvlist_t *
+addrinfo_pack(const struct addrinfo *ai)
+{
+	nvlist_t *nvl;
+
+	nvl = nvlist_create(0);
+	nvlist_add_number(nvl, "ai_flags", (uint64_t)ai->ai_flags);
+	nvlist_add_number(nvl, "ai_family", (uint64_t)ai->ai_family);
+	nvlist_add_number(nvl, "ai_socktype", (uint64_t)ai->ai_socktype);
+	nvlist_add_number(nvl, "ai_protocol", (uint64_t)ai->ai_protocol);
+	nvlist_add_binary(nvl, "ai_addr", ai->ai_addr, (size_t)ai->ai_addrlen);
+	nvlist_add_string(nvl, "ai_canonname", ai->ai_canonname);
+
+	return (nvl);
+}
+
+static int
+dns_getaddrinfo(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct addrinfo hints, *hintsp, *res, *cur;
+	const char *hostname, *servname;
+	nvlist_t *elem;
+	unsigned int ii;
+	int error, family;
+
+	if (!dns_allowed_type(limits, "ADDR"))
+		return (NO_RECOVERY);
+
+	hostname = nvlist_get_string(nvlin, "hostname");
+	servname = nvlist_get_string(nvlin, "servname");
+	if (nvlist_exists_number(nvlin, "hints.ai_flags")) {
+		size_t addrlen;
+
+		hints.ai_flags = (int)nvlist_get_number(nvlin,
+		    "hints.ai_flags");
+		hints.ai_family = (int)nvlist_get_number(nvlin,
+		    "hints.ai_family");
+		hints.ai_socktype = (int)nvlist_get_number(nvlin,
+		    "hints.ai_socktype");
+		hints.ai_protocol = (int)nvlist_get_number(nvlin,
+		    "hints.ai_protocol");
+		hints.ai_addrlen = 0;
+		hints.ai_addr = NULL;
+		hints.ai_canonname = NULL;
+		hintsp = &hints;
+		family = hints.ai_family;
+	} else {
+		hintsp = NULL;
+		family = AF_UNSPEC;
+	}
+
+	if (!dns_allowed_family(limits, family))
+		return (NO_RECOVERY);
+
+	error = getaddrinfo(hostname, servname, hintsp, &res);
+	if (error != 0)
+		goto out;
+
+	for (cur = res, ii = 0; cur != NULL; cur = cur->ai_next, ii++) {
+		elem = addrinfo_pack(cur);
+		nvlist_movef_nvlist(nvlout, elem, "res%u", ii);
+	}
+
+	freeaddrinfo(res);
+	error = 0;
+out:
+	return (error);
+}
+
+static bool
+limit_has_entry(const nvlist_t *limits, const char *prefix)
+{
+	const char *name;
+	size_t prefixlen;
+	void *cookie;
+
+	if (limits == NULL)
+		return (false);
+
+	prefixlen = strlen(prefix);
+
+	cookie = NULL;
+	while ((name = nvlist_next(limits, NULL, &cookie)) != NULL) {
+		if (strncmp(name, prefix, prefixlen) == 0)
+			return (true);
+	}
+
+	return (false);
+}
+
+static int
+dns_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name;
+	void *cookie;
+	int nvtype;
+	bool hastype, hasfamily;
+
+	hastype = false;
+	hasfamily = false;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &nvtype, &cookie)) != NULL) {
+		if (nvtype == NV_TYPE_STRING) {
+			const char *type;
+
+			if (strncmp(name, "type", sizeof("type") - 1) != 0)
+				return (EINVAL);
+			type = nvlist_get_string(newlimits, name);
+			if (strcmp(type, "ADDR") != 0 &&
+			    strcmp(type, "NAME") != 0) {
+				return (EINVAL);
+			}
+			if (!dns_allowed_type(oldlimits, type))
+				return (ENOTCAPABLE);
+			hastype = true;
+		} else if (nvtype == NV_TYPE_NUMBER) {
+			int family;
+
+			if (strncmp(name, "family", sizeof("family") - 1) != 0)
+				return (EINVAL);
+			family = (int)nvlist_get_number(newlimits, name);
+			if (!dns_allowed_family(oldlimits, family))
+				return (ENOTCAPABLE);
+			hasfamily = true;
+		} else {
+			return (EINVAL);
+		}
+	}
+
+	/*
+	 * If the new limit doesn't mention type or family we have to
+	 * check if the current limit does have those. Missing type or
+	 * family in the limit means that all types or families are
+	 * allowed.
+	 */
+	if (!hastype) {
+		if (limit_has_entry(oldlimits, "type"))
+			return (ENOTCAPABLE);
+	}
+	if (!hasfamily) {
+		if (limit_has_entry(oldlimits, "family"))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static int
+dns_command(const char *cmd, const nvlist_t *limits, nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	int error;
+
+	if (strcmp(cmd, "gethostbyname") == 0)
+		error = dns_gethostbyname(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "gethostbyaddr") == 0)
+		error = dns_gethostbyaddr(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "getnameinfo") == 0)
+		error = dns_getnameinfo(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "getaddrinfo") == 0)
+		error = dns_getaddrinfo(limits, nvlin, nvlout);
+	else
+		error = NO_RECOVERY;
+
+	return (error);
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	return (service_start("system.dns", PARENT_FILENO, dns_limit,
+	    dns_command, argc, argv));
+}
diff --git a/libexec/casper/grp/Makefile b/libexec/casper/grp/Makefile
new file mode 100644
index 0000000..6f166b8
--- /dev/null
+++ b/libexec/casper/grp/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR} ${.CURDIR}/../../../sbin/casper
+
+PROG=	grp
+
+SRCS=	grp.c
+
+DPADD=	${LIBCAPSICUM} ${LIBCASPER} ${LIBNV} ${LIBPJDLOG} ${LIBUTIL}
+LDADD=	-lcapsicum -lcasper -lnv -lpjdlog -lutil
+
+BINDIR=	/libexec/casper
+
+CFLAGS+=-I${.CURDIR}
+CFLAGS+=-I${.CURDIR}/../../../lib/libcapsicum
+CFLAGS+=-I${.CURDIR}/../../../lib/libcasper
+CFLAGS+=-I${.CURDIR}/../../../lib/libpjdlog
+CFLAGS+=-I${.CURDIR}/../../../sbin/casper
+
+NO_MAN=
+
+.include <bsd.prog.mk>
diff --git a/libexec/casper/grp/grp.c b/libexec/casper/grp/grp.c
new file mode 100644
index 0000000..ba22f62
--- /dev/null
+++ b/libexec/casper/grp/grp.c
@@ -0,0 +1,384 @@
+/*-
+ * Copyright (c) 2013 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <errno.h>
+#include <grp.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libcapsicum.h>
+#include <libcasper.h>
+#include <nv.h>
+#include <pjdlog.h>
+
+static bool
+grp_allowed_cmd(const nvlist_t *limits, const char *cmd)
+{
+
+	if (limits == NULL)
+		return (true);
+
+	/*
+	 * If no limit was set on allowed commands, then all commands
+	 * are allowed.
+	 */
+	if (!nvlist_exists_nvlist(limits, "cmds"))
+		return (true);
+
+	limits = nvlist_get_nvlist(limits, "cmds");
+	return (nvlist_exists_null(limits, cmd));
+}
+
+static int
+grp_allowed_cmds(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name;
+	void *cookie;
+	int type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NULL)
+			return (EINVAL);
+		if (!grp_allowed_cmd(oldlimits, name))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static bool
+grp_allowed_group(const nvlist_t *limits, const char *gname, gid_t gid)
+{
+	const char *name;
+	void *cookie;
+	int type;
+
+	if (limits == NULL)
+		return (true);
+
+	/*
+	 * If no limit was set on allowed groups, then all groups are allowed.
+	 */
+	if (!nvlist_exists_nvlist(limits, "groups"))
+		return (true);
+
+	limits = nvlist_get_nvlist(limits, "groups");
+	cookie = NULL;
+	while ((name = nvlist_next(limits, &type, &cookie)) != NULL) {
+		switch (type) {
+		case NV_TYPE_NUMBER:
+			if (gid != (gid_t)-1 &&
+			    nvlist_get_number(limits, name) == (uint64_t)gid) {
+				return (true);
+			}
+			break;
+		case NV_TYPE_STRING:
+			if (gname != NULL &&
+			    strcmp(nvlist_get_string(limits, name),
+			    gname) == 0) {
+				return (true);
+			}
+			break;
+		default:
+			PJDLOG_ABORT("Unexpected type %d.", type);
+		}
+	}
+
+	return (false);
+}
+
+static int
+grp_allowed_groups(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name, *gname;
+	void *cookie;
+	gid_t gid;
+	int type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		switch (type) {
+		case NV_TYPE_NUMBER:
+			gid = (gid_t)nvlist_get_number(newlimits, name);
+			gname = NULL;
+			break;
+		case NV_TYPE_STRING:
+			gid = (gid_t)-1;
+			gname = nvlist_get_string(newlimits, name);
+			break;
+		default:
+			return (EINVAL);
+		}
+		if (!grp_allowed_group(oldlimits, gname, gid))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static bool
+grp_allowed_field(const nvlist_t *limits, const char *field)
+{
+
+	if (limits == NULL)
+		return (true);
+
+	/*
+	 * If no limit was set on allowed fields, then all fields are allowed.
+	 */
+	if (!nvlist_exists_nvlist(limits, "fields"))
+		return (true);
+
+	limits = nvlist_get_nvlist(limits, "fields");
+	return (nvlist_exists_null(limits, field));
+}
+
+static int
+grp_allowed_fields(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name;
+	void *cookie;
+	int type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NULL)
+			return (EINVAL);
+		if (!grp_allowed_field(oldlimits, name))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static bool
+grp_pack(const nvlist_t *limits, const struct group *grp, nvlist_t *nvl)
+{
+
+	if (grp == NULL)
+		return (true);
+
+	/*
+	 * If either name or GID is allowed, we allow it.
+	 */
+	if (!grp_allowed_group(limits, grp->gr_name, grp->gr_gid))
+		return (false);
+
+	if (grp_allowed_field(limits, "gr_name"))
+		nvlist_add_string(nvl, "gr_name", grp->gr_name);
+	else
+		nvlist_add_string(nvl, "gr_name", "");
+	if (grp_allowed_field(limits, "gr_passwd"))
+		nvlist_add_string(nvl, "gr_passwd", grp->gr_passwd);
+	else
+		nvlist_add_string(nvl, "gr_passwd", "");
+	if (grp_allowed_field(limits, "gr_gid"))
+		nvlist_add_number(nvl, "gr_gid", (uint64_t)grp->gr_gid);
+	else
+		nvlist_add_number(nvl, "gr_gid", (uint64_t)-1);
+	if (grp_allowed_field(limits, "gr_mem") && grp->gr_mem[0] != NULL) {
+		unsigned int ngroups;
+
+		for (ngroups = 0; grp->gr_mem[ngroups] != NULL; ngroups++) {
+			nvlist_addf_string(nvl, grp->gr_mem[ngroups],
+			    "gr_mem[%u]", ngroups);
+		}
+		nvlist_add_number(nvl, "gr_nmem", (uint64_t)ngroups);
+	}
+
+	return (true);
+}
+
+static int
+grp_getgrent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct group *grp;
+
+	for (;;) {
+		errno = 0;
+		grp = getgrent();
+		if (errno != 0)
+			return (errno);
+		if (grp_pack(limits, grp, nvlout))
+			return (0);
+	}
+
+	/* NOTREACHED */
+}
+
+static int
+grp_getgrnam(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct group *grp;
+	const char *name;
+
+	if (!nvlist_exists_string(nvlin, "name"))
+		return (EINVAL);
+	name = nvlist_get_string(nvlin, "name");
+	PJDLOG_ASSERT(name != NULL);
+
+	errno = 0;
+	grp = getgrnam(name);
+	if (errno != 0)
+		return (errno);
+
+	(void)grp_pack(limits, grp, nvlout);
+
+	return (0);
+}
+
+static int
+grp_getgrgid(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct group *grp;
+	gid_t gid;
+
+	if (!nvlist_exists_number(nvlin, "gid"))
+		return (EINVAL);
+
+	gid = (gid_t)nvlist_get_number(nvlin, "gid");
+
+	errno = 0;
+	grp = getgrgid(gid);
+	if (errno != 0)
+		return (errno);
+
+	(void)grp_pack(limits, grp, nvlout);
+
+	return (0);
+}
+
+static int
+grp_setgroupent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	int stayopen;
+
+	if (!nvlist_exists_bool(nvlin, "stayopen"))
+		return (EINVAL);
+
+	stayopen = nvlist_get_bool(nvlin, "stayopen") ? 1 : 0;
+
+	return (setgroupent(stayopen) == 0 ? EFAULT : 0);
+}
+
+static int
+grp_setgrent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+
+	return (setgrent() == 0 ? EFAULT : 0);
+}
+
+static int
+grp_endgrent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+
+	endgrent();
+
+	return (0);
+}
+
+static int
+grp_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const nvlist_t *limits;
+	const char *name;
+	void *cookie;
+	int error, type;
+
+	if (oldlimits != NULL && nvlist_exists_nvlist(oldlimits, "cmds") &&
+	    !nvlist_exists_nvlist(newlimits, "cmds")) {
+		return (ENOTCAPABLE);
+	}
+	if (oldlimits != NULL && nvlist_exists_nvlist(oldlimits, "fields") &&
+	    !nvlist_exists_nvlist(newlimits, "fields")) {
+		return (ENOTCAPABLE);
+	}
+	if (oldlimits != NULL && nvlist_exists_nvlist(oldlimits, "groups") &&
+	    !nvlist_exists_nvlist(newlimits, "groups")) {
+		return (ENOTCAPABLE);
+	}
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NVLIST)
+			return (EINVAL);
+		limits = nvlist_get_nvlist(newlimits, name);
+		if (strcmp(name, "cmds") == 0)
+			error = grp_allowed_cmds(oldlimits, limits);
+		else if (strcmp(name, "fields") == 0)
+			error = grp_allowed_fields(oldlimits, limits);
+		else if (strcmp(name, "groups") == 0)
+			error = grp_allowed_groups(oldlimits, limits);
+		else
+			error = EINVAL;
+		if (error != 0)
+			return (error);
+	}
+
+	return (0);
+}
+
+static int
+grp_command(const char *cmd, const nvlist_t *limits, nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	int error;
+
+	if (!grp_allowed_cmd(limits, cmd))
+		return (ENOTCAPABLE);
+
+	if (strcmp(cmd, "getgrent") == 0 || strcmp(cmd, "getgrent_r") == 0)
+		error = grp_getgrent(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "getgrnam") == 0 || strcmp(cmd, "getgrnam_r") == 0)
+		error = grp_getgrnam(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "getgrgid") == 0 || strcmp(cmd, "getgrgid_r") == 0)
+		error = grp_getgrgid(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "setgroupent") == 0)
+		error = grp_setgroupent(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "setgrent") == 0)
+		error = grp_setgrent(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "endgrent") == 0)
+		error = grp_endgrent(limits, nvlin, nvlout);
+	else
+		error = EINVAL;
+
+	return (error);
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	return (service_start("system.grp", PARENT_FILENO, grp_limit,
+	    grp_command, argc, argv));
+}
diff --git a/libexec/casper/pwd/Makefile b/libexec/casper/pwd/Makefile
new file mode 100644
index 0000000..b2dcfec
--- /dev/null
+++ b/libexec/casper/pwd/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR} ${.CURDIR}/../../../sbin/casper
+
+PROG=	pwd
+
+SRCS=	pwd.c
+
+DPADD=	${LIBCAPSICUM} ${LIBCASPER} ${LIBNV} ${LIBPJDLOG} ${LIBUTIL}
+LDADD=	-lcapsicum -lcasper -lnv -lpjdlog -lutil
+
+BINDIR=	/libexec/casper
+
+CFLAGS+=-I${.CURDIR}
+CFLAGS+=-I${.CURDIR}/../../../lib/libcapsicum
+CFLAGS+=-I${.CURDIR}/../../../lib/libcasper
+CFLAGS+=-I${.CURDIR}/../../../lib/libpjdlog
+CFLAGS+=-I${.CURDIR}/../../../sbin/casper
+
+NO_MAN=
+
+.include <bsd.prog.mk>
diff --git a/libexec/casper/pwd/pwd.c b/libexec/casper/pwd/pwd.c
new file mode 100644
index 0000000..be51ad0
--- /dev/null
+++ b/libexec/casper/pwd/pwd.c
@@ -0,0 +1,429 @@
+/*-
+ * Copyright (c) 2013 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <errno.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libcapsicum.h>
+#include <libcasper.h>
+#include <nv.h>
+#include <pjdlog.h>
+
+static bool
+pwd_allowed_cmd(const nvlist_t *limits, const char *cmd)
+{
+
+	if (limits == NULL)
+		return (true);
+
+	/*
+	 * If no limit was set on allowed commands, then all commands
+	 * are allowed.
+	 */
+	if (!nvlist_exists_nvlist(limits, "cmds"))
+		return (true);
+
+	limits = nvlist_get_nvlist(limits, "cmds");
+	return (nvlist_exists_null(limits, cmd));
+}
+
+static int
+pwd_allowed_cmds(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name;
+	void *cookie;
+	int type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NULL)
+			return (EINVAL);
+		if (!pwd_allowed_cmd(oldlimits, name))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static bool
+pwd_allowed_user(const nvlist_t *limits, const char *uname, uid_t uid)
+{
+	const char *name;
+	void *cookie;
+	int type;
+
+	if (limits == NULL)
+		return (true);
+
+	/*
+	 * If no limit was set on allowed users, then all users are allowed.
+	 */
+	if (!nvlist_exists_nvlist(limits, "users"))
+		return (true);
+
+	limits = nvlist_get_nvlist(limits, "users");
+	cookie = NULL;
+	while ((name = nvlist_next(limits, &type, &cookie)) != NULL) {
+		switch (type) {
+		case NV_TYPE_NUMBER:
+			if (uid != (uid_t)-1 &&
+			    nvlist_get_number(limits, name) == (uint64_t)uid) {
+				return (true);
+			}
+			break;
+		case NV_TYPE_STRING:
+			if (uname != NULL &&
+			    strcmp(nvlist_get_string(limits, name),
+			    uname) == 0) {
+				return (true);
+			}
+			break;
+		default:
+			PJDLOG_ABORT("Unexpected type %d.", type);
+		}
+	}
+
+	return (false);
+}
+
+static int
+pwd_allowed_users(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name, *uname;
+	void *cookie;
+	uid_t uid;
+	int type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		switch (type) {
+		case NV_TYPE_NUMBER:
+			uid = (uid_t)nvlist_get_number(newlimits, name);
+			uname = NULL;
+			break;
+		case NV_TYPE_STRING:
+			uid = (uid_t)-1;
+			uname = nvlist_get_string(newlimits, name);
+			break;
+		default:
+			return (EINVAL);
+		}
+		if (!pwd_allowed_user(oldlimits, uname, uid))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static bool
+pwd_allowed_field(const nvlist_t *limits, const char *field)
+{
+
+	if (limits == NULL)
+		return (true);
+
+	/*
+	 * If no limit was set on allowed fields, then all fields are allowed.
+	 */
+	if (!nvlist_exists_nvlist(limits, "fields"))
+		return (true);
+
+	limits = nvlist_get_nvlist(limits, "fields");
+	return (nvlist_exists_null(limits, field));
+}
+
+static int
+pwd_allowed_fields(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const char *name;
+	void *cookie;
+	int type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NULL)
+			return (EINVAL);
+		if (!pwd_allowed_field(oldlimits, name))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static bool
+pwd_pack(const nvlist_t *limits, const struct passwd *pwd, nvlist_t *nvl)
+{
+	int fields;
+
+	if (pwd == NULL)
+		return (true);
+
+	/*
+	 * If either name or UID is allowed, we allow it.
+	 */
+	if (!pwd_allowed_user(limits, pwd->pw_name, pwd->pw_uid))
+		return (false);
+
+	fields = pwd->pw_fields;
+
+	if (pwd_allowed_field(limits, "pw_name")) {
+		nvlist_add_string(nvl, "pw_name", pwd->pw_name);
+	} else {
+		nvlist_add_string(nvl, "pw_name", "");
+		fields &= ~_PWF_NAME;
+	}
+	if (pwd_allowed_field(limits, "pw_uid")) {
+		nvlist_add_number(nvl, "pw_uid", (uint64_t)pwd->pw_uid);
+	} else {
+		nvlist_add_number(nvl, "pw_uid", (uint64_t)-1);
+		fields &= ~_PWF_UID;
+	}
+	if (pwd_allowed_field(limits, "pw_gid")) {
+		nvlist_add_number(nvl, "pw_gid", (uint64_t)pwd->pw_gid);
+	} else {
+		nvlist_add_number(nvl, "pw_gid", (uint64_t)-1);
+		fields &= ~_PWF_GID;
+	}
+	if (pwd_allowed_field(limits, "pw_change")) {
+		nvlist_add_number(nvl, "pw_change", (uint64_t)pwd->pw_change);
+	} else {
+		nvlist_add_number(nvl, "pw_change", (uint64_t)0);
+		fields &= ~_PWF_CHANGE;
+	}
+	if (pwd_allowed_field(limits, "pw_passwd")) {
+		nvlist_add_string(nvl, "pw_passwd", pwd->pw_passwd);
+	} else {
+		nvlist_add_string(nvl, "pw_passwd", "");
+		fields &= ~_PWF_PASSWD;
+	}
+	if (pwd_allowed_field(limits, "pw_class")) {
+		nvlist_add_string(nvl, "pw_class", pwd->pw_class);
+	} else {
+		nvlist_add_string(nvl, "pw_class", "");
+		fields &= ~_PWF_CLASS;
+	}
+	if (pwd_allowed_field(limits, "pw_gecos")) {
+		nvlist_add_string(nvl, "pw_gecos", pwd->pw_gecos);
+	} else {
+		nvlist_add_string(nvl, "pw_gecos", "");
+		fields &= ~_PWF_GECOS;
+	}
+	if (pwd_allowed_field(limits, "pw_dir")) {
+		nvlist_add_string(nvl, "pw_dir", pwd->pw_dir);
+	} else {
+		nvlist_add_string(nvl, "pw_dir", "");
+		fields &= ~_PWF_DIR;
+	}
+	if (pwd_allowed_field(limits, "pw_shell")) {
+		nvlist_add_string(nvl, "pw_shell", pwd->pw_shell);
+	} else {
+		nvlist_add_string(nvl, "pw_shell", "");
+		fields &= ~_PWF_SHELL;
+	}
+	if (pwd_allowed_field(limits, "pw_expire")) {
+		nvlist_add_number(nvl, "pw_expire", (uint64_t)pwd->pw_expire);
+	} else {
+		nvlist_add_number(nvl, "pw_expire", (uint64_t)0);
+		fields &= ~_PWF_EXPIRE;
+	}
+	nvlist_add_number(nvl, "pw_fields", (uint64_t)fields);
+
+	return (true);
+}
+
+static int
+pwd_getpwent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct passwd *pwd;
+
+	for (;;) {
+		errno = 0;
+		pwd = getpwent();
+		if (errno != 0)
+			return (errno);
+		if (pwd_pack(limits, pwd, nvlout))
+			return (0);
+	}
+
+	/* NOTREACHED */
+}
+
+static int
+pwd_getpwnam(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct passwd *pwd;
+	const char *name;
+
+	if (!nvlist_exists_string(nvlin, "name"))
+		return (EINVAL);
+	name = nvlist_get_string(nvlin, "name");
+	PJDLOG_ASSERT(name != NULL);
+
+	errno = 0;
+	pwd = getpwnam(name);
+	if (errno != 0)
+		return (errno);
+
+	(void)pwd_pack(limits, pwd, nvlout);
+
+	return (0);
+}
+
+static int
+pwd_getpwuid(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	struct passwd *pwd;
+	uid_t uid;
+
+	if (!nvlist_exists_number(nvlin, "uid"))
+		return (EINVAL);
+
+	uid = (uid_t)nvlist_get_number(nvlin, "uid");
+
+	errno = 0;
+	pwd = getpwuid(uid);
+	if (errno != 0)
+		return (errno);
+
+	(void)pwd_pack(limits, pwd, nvlout);
+
+	return (0);
+}
+
+static int
+pwd_setpassent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+	int stayopen;
+
+	if (!nvlist_exists_bool(nvlin, "stayopen"))
+		return (EINVAL);
+
+	stayopen = nvlist_get_bool(nvlin, "stayopen") ? 1 : 0;
+
+	return (setpassent(stayopen) == 0 ? EFAULT : 0);
+}
+
+static int
+pwd_setpwent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+
+	setpwent();
+
+	return (0);
+}
+
+static int
+pwd_endpwent(const nvlist_t *limits, const nvlist_t *nvlin, nvlist_t *nvlout)
+{
+
+	endpwent();
+
+	return (0);
+}
+
+static int
+pwd_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const nvlist_t *limits;
+	const char *name;
+	void *cookie;
+	int error, type;
+
+	if (oldlimits != NULL && nvlist_exists_nvlist(oldlimits, "cmds") &&
+	    !nvlist_exists_nvlist(newlimits, "cmds")) {
+		return (ENOTCAPABLE);
+	}
+	if (oldlimits != NULL && nvlist_exists_nvlist(oldlimits, "fields") &&
+	    !nvlist_exists_nvlist(newlimits, "fields")) {
+		return (ENOTCAPABLE);
+	}
+	if (oldlimits != NULL && nvlist_exists_nvlist(oldlimits, "users") &&
+	    !nvlist_exists_nvlist(newlimits, "users")) {
+		return (ENOTCAPABLE);
+	}
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NVLIST)
+			return (EINVAL);
+		limits = nvlist_get_nvlist(newlimits, name);
+		if (strcmp(name, "cmds") == 0)
+			error = pwd_allowed_cmds(oldlimits, limits);
+		else if (strcmp(name, "fields") == 0)
+			error = pwd_allowed_fields(oldlimits, limits);
+		else if (strcmp(name, "users") == 0)
+			error = pwd_allowed_users(oldlimits, limits);
+		else
+			error = EINVAL;
+		if (error != 0)
+			return (error);
+	}
+
+	return (0);
+}
+
+static int
+pwd_command(const char *cmd, const nvlist_t *limits, nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	int error;
+
+	if (!pwd_allowed_cmd(limits, cmd))
+		return (ENOTCAPABLE);
+
+	if (strcmp(cmd, "getpwent") == 0 || strcmp(cmd, "getpwent_r") == 0)
+		error = pwd_getpwent(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "getpwnam") == 0 || strcmp(cmd, "getpwnam_r") == 0)
+		error = pwd_getpwnam(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "getpwuid") == 0 || strcmp(cmd, "getpwuid_r") == 0)
+		error = pwd_getpwuid(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "setpassent") == 0)
+		error = pwd_setpassent(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "setpwent") == 0)
+		error = pwd_setpwent(limits, nvlin, nvlout);
+	else if (strcmp(cmd, "endpwent") == 0)
+		error = pwd_endpwent(limits, nvlin, nvlout);
+	else
+		error = EINVAL;
+
+	return (error);
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	return (service_start("system.pwd", PARENT_FILENO, pwd_limit,
+	    pwd_command, argc, argv));
+}
diff --git a/libexec/casper/random/Makefile b/libexec/casper/random/Makefile
new file mode 100644
index 0000000..87efe21
--- /dev/null
+++ b/libexec/casper/random/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR} ${.CURDIR}/../../../sbin/casper
+
+PROG=	random
+
+SRCS=	random.c
+
+DPADD=	${LIBCAPSICUM} ${LIBCASPER} ${LIBNV} ${LIBPJDLOG} ${LIBUTIL}
+LDADD=	-lcapsicum -lcasper -lnv -lpjdlog -lutil
+
+BINDIR=	/libexec/casper
+
+CFLAGS+=-I${.CURDIR}
+CFLAGS+=-I${.CURDIR}/../../../lib/libcapsicum
+CFLAGS+=-I${.CURDIR}/../../../lib/libcasper
+CFLAGS+=-I${.CURDIR}/../../../lib/libpjdlog
+CFLAGS+=-I${.CURDIR}/../../../sbin/casper
+
+NO_MAN=
+
+.include <bsd.prog.mk>
diff --git a/libexec/casper/random/random.c b/libexec/casper/random/random.c
new file mode 100644
index 0000000..56f1afb
--- /dev/null
+++ b/libexec/casper/random/random.c
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 2012-2013 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libcapsicum.h>
+#include <libcasper.h>
+#include <nv.h>
+#include <pjdlog.h>
+
+#define	MAXSIZE	(1024 * 1024)
+
+static int
+random_command(const char *cmd, const nvlist_t *limits, nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	void *data;
+	size_t size;
+
+	if (strcmp(cmd, "generate") != 0)
+		return (EINVAL);
+	if (!nvlist_exists_number(nvlin, "size"))
+		return (EINVAL);
+
+	size = (size_t)nvlist_get_number(nvlin, "size");
+	if (size == 0 || size > MAXSIZE)
+		return (EINVAL);
+
+	data = malloc(size);
+	if (data == NULL)
+		return (ENOMEM);
+
+	arc4random_buf(data, size);
+
+	nvlist_move_binary(nvlout, "data", data, size);
+
+	return (0);
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	/*
+	 * TODO: Sandbox this.
+	 */
+
+	return (service_start("system.random", PARENT_FILENO, NULL,
+	    random_command, argc, argv));
+}
diff --git a/libexec/casper/sysctl/Makefile b/libexec/casper/sysctl/Makefile
new file mode 100644
index 0000000..dc15099
--- /dev/null
+++ b/libexec/casper/sysctl/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR} ${.CURDIR}/../../../sbin/casper
+
+PROG=	sysctl
+
+SRCS=	sysctl.c
+
+DPADD=	${LIBCAPSICUM} ${LIBCASPER} ${LIBNV} ${LIBPJDLOG} ${LIBUTIL}
+LDADD=	-lcapsicum -lcasper -lnv -lpjdlog -lutil
+
+BINDIR=	/libexec/casper
+
+CFLAGS+=-I${.CURDIR}
+CFLAGS+=-I${.CURDIR}/../../../lib/libcapsicum
+CFLAGS+=-I${.CURDIR}/../../../lib/libcasper
+CFLAGS+=-I${.CURDIR}/../../../lib/libpjdlog
+CFLAGS+=-I${.CURDIR}/../../../sbin/casper
+
+NO_MAN=
+
+.include <bsd.prog.mk>
diff --git a/libexec/casper/sysctl/sysctl.c b/libexec/casper/sysctl/sysctl.c
new file mode 100644
index 0000000..8bb43b6
--- /dev/null
+++ b/libexec/casper/sysctl/sysctl.c
@@ -0,0 +1,249 @@
+/*-
+ * Copyright (c) 2013 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/sysctl.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libcapsicum.h>
+#include <libcapsicum_sysctl.h>
+#include <libcasper.h>
+#include <nv.h>
+#include <pjdlog.h>
+
+static int
+sysctl_check_one(const nvlist_t *nvl, bool islimit)
+{
+	const char *name;
+	void *cookie;
+	int type;
+	unsigned int fields;
+
+	/* NULL nvl is of course invalid. */
+	if (nvl == NULL)
+		return (EINVAL);
+	if (nvlist_error(nvl) != 0)
+		return (nvlist_error(nvl));
+
+#define	HAS_NAME	0x01
+#define	HAS_OPERATION	0x02
+
+	fields = 0;
+	cookie = NULL;
+	while ((name = nvlist_next(nvl, &type, &cookie)) != NULL) {
+		/* We accept only one 'name' and one 'operation' in nvl. */
+		if (strcmp(name, "name") == 0) {
+			if (type != NV_TYPE_STRING)
+				return (EINVAL);
+			/* Only one 'name' can be present. */
+			if ((fields & HAS_NAME) != 0)
+				return (EINVAL);
+			fields |= HAS_NAME;
+		} else if (strcmp(name, "operation") == 0) {
+			uint64_t operation;
+
+			if (type != NV_TYPE_NUMBER)
+				return (EINVAL);
+			/*
+			 * We accept only CAP_SYSCTL_READ and
+			 * CAP_SYSCTL_WRITE flags.
+			 */
+			operation = nvlist_get_number(nvl, name);
+			if ((operation & ~(CAP_SYSCTL_RDWR)) != 0)
+				return (EINVAL);
+			/* ...but there has to be at least one of them. */
+			if ((operation & (CAP_SYSCTL_RDWR)) == 0)
+				return (EINVAL);
+			/* Only one 'operation' can be present. */
+			if ((fields & HAS_OPERATION) != 0)
+				return (EINVAL);
+			fields |= HAS_OPERATION;
+		} else if (islimit) {
+			/* If this is limit, there can be no other fields. */
+			return (EINVAL);
+		}
+	}
+
+	/* Both fields has to be there. */
+	if (fields != (HAS_NAME | HAS_OPERATION))
+		return (EINVAL);
+
+#undef	HAS_OPERATION
+#undef	HAS_NAME
+
+	return (0);
+}
+
+static bool
+sysctl_allowed(const nvlist_t *limits, const char *chname, uint64_t choperation)
+{
+	uint64_t operation;
+	const char *name;
+	void *cookie;
+	int type;
+
+	if (limits == NULL)
+		return (true);
+
+	cookie = NULL;
+	while ((name = nvlist_next(limits, &type, &cookie)) != NULL) {
+		PJDLOG_ASSERT(type == NV_TYPE_NUMBER);
+
+		operation = nvlist_get_number(limits, name);
+		if ((operation & choperation) != choperation)
+			continue;
+
+		if ((operation & CAP_SYSCTL_RECURSIVE) == 0) {
+			if (strcmp(name, chname) != 0)
+				continue;
+		} else {
+			size_t namelen;
+
+			namelen = strlen(name);
+			if (strncmp(name, chname, namelen) != 0)
+				continue;
+			if (chname[namelen] != '.' && chname[namelen] != '\0')
+				continue;
+		}
+
+		return (true);
+	}
+
+	return (false);
+}
+
+static int
+sysctl_limit(const nvlist_t *oldlimits, const nvlist_t *newlimits)
+{
+	const nvlist_t *nvl;
+	const char *name;
+	void *cookie;
+	uint64_t operation;
+	int error, type;
+
+	cookie = NULL;
+	while ((name = nvlist_next(newlimits, &type, &cookie)) != NULL) {
+		if (type != NV_TYPE_NUMBER)
+			return (EINVAL);
+		operation = nvlist_get_number(newlimits, name);
+		if ((operation & ~(CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE)) != 0)
+			return (EINVAL);
+		if ((operation & (CAP_SYSCTL_RDWR | CAP_SYSCTL_RECURSIVE)) == 0)
+			return (EINVAL);
+		if (!sysctl_allowed(oldlimits, name, operation))
+			return (ENOTCAPABLE);
+	}
+
+	return (0);
+}
+
+static int
+sysctl_command(const char *cmd, const nvlist_t *limits, nvlist_t *nvlin,
+    nvlist_t *nvlout)
+{
+	const char *name;
+	const void *newp;
+	void *oldp;
+	uint64_t operation;
+	size_t oldlen, newlen;
+	size_t *oldlenp;
+	int error;
+
+	if (strcmp(cmd, "sysctl") != 0)
+		return (EINVAL);
+	error = sysctl_check_one(nvlin, false);
+	if (error != 0)
+		return (error);
+
+	name = nvlist_get_string(nvlin, "name");
+	operation = nvlist_get_number(nvlin, "operation");
+	if (!sysctl_allowed(limits, name, operation))
+		return (ENOTCAPABLE);
+
+	if ((operation & CAP_SYSCTL_WRITE) != 0) {
+		if (!nvlist_exists_binary(nvlin, "newp"))
+			return (EINVAL);
+		newp = nvlist_get_binary(nvlin, "newp", &newlen);
+		PJDLOG_ASSERT(newp != NULL && newlen > 0);
+	} else {
+		newp = NULL;
+		newlen = 0;
+	}
+
+	if ((operation & CAP_SYSCTL_READ) != 0) {
+		if (nvlist_exists_null(nvlin, "justsize")) {
+			oldp = NULL;
+			oldlen = 0;
+			oldlenp = &oldlen;
+		} else {
+			if (!nvlist_exists_number(nvlin, "oldlen"))
+				return (EINVAL);
+			oldlen = (size_t)nvlist_get_number(nvlin, "oldlen");
+			if (oldlen == 0)
+				return (EINVAL);
+			oldp = calloc(1, oldlen);
+			if (oldp == NULL)
+				return (ENOMEM);
+			oldlenp = &oldlen;
+		}
+	} else {
+		oldp = NULL;
+		oldlen = 0;
+		oldlenp = NULL;
+	}
+
+	if (sysctlbyname(name, oldp, oldlenp, newp, newlen) == -1) {
+		error = errno;
+		free(oldp);
+		return (error);
+	}
+
+	if ((operation & CAP_SYSCTL_READ) != 0) {
+		if (nvlist_exists_null(nvlin, "justsize"))
+			nvlist_add_number(nvlout, "oldlen", (uint64_t)oldlen);
+		else
+			nvlist_move_binary(nvlout, "oldp", oldp, oldlen);
+	}
+
+	return (0);
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	return (service_start("system.sysctl", PARENT_FILENO, sysctl_limit,
+	    sysctl_command, argc, argv));
+}
author	pjd <pjd@FreeBSD.org>	2013-12-02 08:21:28 +0000
committer	pjd <pjd@FreeBSD.org>	2013-12-02 08:21:28 +0000
commit	1073fb03ac28ecce11c4757fb70eeed6ddf75454 (patch)
tree	e5362e2638f535b165335ebb4508efffb47ea68d /libexec
parent	9817dff3a754684d82b9c2f620056071d729718a (diff)
download	FreeBSD-src-1073fb03ac28ecce11c4757fb70eeed6ddf75454.zip FreeBSD-src-1073fb03ac28ecce11c4757fb70eeed6ddf75454.tar.gz