From: KAMADA Ken'ichi
To: freebsd-security@freebsd.org
Date: Wed, 22 Jan 2014 20:47:13 +0900
Subject: Re: Capsicum and sendto(2)
Message-ID: <20140122204713WF%kamada@nanohz.org>
In-Reply-To: <20140121182150.GB80341@lor.one-eyed-alien.net>
References: <20140121224511WQ%kamada@nanohz.org> <20140121182150.GB80341@lor.one-eyed-alien.net>

At Tue, 21 Jan 2014 12:21:50 -0600,
Brooks Davis wrote:
>
> On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> >
> > What is the intended behavior of sendto() with non-NULL destination
> > when the capability mode is enabled?
> >
> > If the capability mode is *not* enabled, it is checked against
> > CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> > This matches the explanation in the rights(4) manual page.
> >
> > However, if the capability mode is enabled, it is always
> > rejected in sendit(). Is this intended?
>
> Yes, this is intended. In capability mode all access to namespaces is
> restricted including the IP address namespace. You must either connect
> your sockets before entering capability mode or use casper to provide
> connected sockets.

Understood. The capability mode forbids access to the global name space.
What I was trying to do was to apply Capsicum to a packet translator,
which inherently needs to send packets to many addresses.
Maybe I need something analogous to opening a subdirectory in a
filesystem name space, say, a new API to "open" a subnet before entering
capability mode...

Thanks,
Ken
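The "connect before entering capability mode, then use send()" pattern Brooks describes, as an added example that is not code from the thread or from FreeBSD. It assumes a constructed loopback peer (127.0.0.1, UDP port 9), guards cap_enter() with __FreeBSD__ so the sequence also builds elsewhere as a no-op, and relies on sendit() returning ECAPMODE for a sendto() that names a destination in capability mode.

```c
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Create a UDP socket and connect() it to its one peer while the global
 * address namespace is still reachable, i.e. before cap_enter(). */
int connected_udp(const char *ip, unsigned short port) {
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* cap_enter() on FreeBSD; a no-op elsewhere so the pattern still runs. */
int enter_sandbox(void) {
#ifdef __FreeBSD__
    return cap_enter() == 0;   /* 1 once the process is sandboxed */
#else
    return 0;                  /* assumption: no Capsicum on this host */
#endif
}

/* In capability mode sendto() with a destination is refused (ECAPMODE),
 * so sandboxed code uses send() on the socket connected earlier. */
ssize_t send_sandboxed(int fd, const char *msg) {
    return send(fd, msg, strlen(msg), 0);   /* bytes sent, or -1 */
}

/* Full sequence against the constructed loopback peer: connect, sandbox,
 * send. Returns the number of bytes sent, or -1 on failure. */
ssize_t demo(void) {
    int fd = connected_udp("127.0.0.1", 9);
    if (fd < 0) return -1;
    enter_sandbox();
    ssize_t n = send_sandboxed(fd, "hello");
    close(fd);
    return n;
}
```

A translator that must reach many peers cannot pre-connect them all, which is why the thread ends on the idea of a way to "open" a subnet before sandboxing.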