From owner-svn-src-all@freebsd.org Sat Jan 27 11:54:52 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D593EEB6EEF; Sat, 27 Jan 2018 11:54:51 +0000 (UTC) (envelope-from oshogbo@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8631584BF4; Sat, 27 Jan 2018 11:54:51 +0000 (UTC) (envelope-from oshogbo@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 811682045; Sat, 27 Jan 2018 11:54:51 +0000 (UTC) (envelope-from oshogbo@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w0RBspUP048346; Sat, 27 Jan 2018 11:54:51 GMT (envelope-from oshogbo@FreeBSD.org) Received: (from oshogbo@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w0RBsphk048344; Sat, 27 Jan 2018 11:54:51 GMT (envelope-from oshogbo@FreeBSD.org) Message-Id: <201801271154.w0RBsphk048344@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: oshogbo set sender to oshogbo@FreeBSD.org using -f From: Mariusz Zaborski Date: Sat, 27 Jan 2018 11:54:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r328471 - head/lib/libcasper/services/cap_grp X-SVN-Group: head X-SVN-Commit-Author: oshogbo X-SVN-Commit-Paths: head/lib/libcasper/services/cap_grp X-SVN-Commit-Revision: 328471 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Jan 2018 11:54:52 -0000 Author: oshogbo Date: Sat Jan 27 11:54:51 2018 New Revision: 328471 URL: https://svnweb.freebsd.org/changeset/base/328471 Log: Document the grp Casper service. Reviewed by: brueffer@, bcr@ Differential Revision: https://reviews.freebsd.org/D13821 Added: head/lib/libcasper/services/cap_grp/cap_grp.3 (contents, props changed) Modified: head/lib/libcasper/services/cap_grp/Makefile Modified: head/lib/libcasper/services/cap_grp/Makefile ============================================================================== --- head/lib/libcasper/services/cap_grp/Makefile Sat Jan 27 11:49:37 2018 (r328470) +++ head/lib/libcasper/services/cap_grp/Makefile Sat Jan 27 11:54:51 2018 (r328471) @@ -24,4 +24,20 @@ CFLAGS+=-I${.CURDIR} HAS_TESTS= SUBDIR.${MK_TESTS}+= tests +MAN+= cap_grp.3 + +MLINKS+=cap_grp.3 libcap_grp.3 +MLINKS+=cap_grp.3 cap_getgrent.3 +MLINKS+=cap_grp.3 cap_getgrnam.3 +MLINKS+=cap_grp.3 cap_getgrgid.3 +MLINKS+=cap_grp.3 cap_getgrent_r.3 +MLINKS+=cap_grp.3 cap_getgrnam_r.3 +MLINKS+=cap_grp.3 cap_getgrgid_r.3 +MLINKS+=cap_grp.3 cap_setgroupent.3 +MLINKS+=cap_grp.3 cap_setgrent.3 +MLINKS+=cap_grp.3 cap_endgrent.3 +MLINKS+=cap_grp.3 cap_grp_limit_cmds.3 +MLINKS+=cap_grp.3 cap_grp_limit_fields.3 +MLINKS+=cap_grp.3 cap_grp_limit_groups.3 + .include Added: head/lib/libcasper/services/cap_grp/cap_grp.3 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lib/libcasper/services/cap_grp/cap_grp.3 Sat Jan 27 11:54:51 2018 (r328471) @@ -0,0 +1,228 @@ +.\" Copyright (c) 2018 Mariusz Zaborski +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd January 27, 2018 +.Dt CAP_GRP 3 +.Os +.Sh NAME +.Nm cap_getgrent , +.Nm cap_getgrnam , +.Nm cap_getgrgid , +.Nm cap_getgrent_r , +.Nm cap_getgrnam_r , +.Nm cap_getgrgid_r , +.Nm cap_setgroupent , +.Nm cap_setgrent , +.Nm cap_endgrent , +.Nm cap_grp_limit_cmds , +.Nm cap_grp_limit_fields , +.Nm cap_grp_limit_groups +.Nd "library for group database operations in capability mode" +.Sh LIBRARY +.Lb libcap_grp +.Sh SYNOPSIS +.In sys/nv.h +.In libcasper.h +.In casper/cap_grp.h +.Ft "struct group *" +.Fn cap_getgrent "cap_channel_t *chan" +.Ft "struct group *" +.Fn cap_getgrnam "cap_channel_t *chan" "const char *name" +.Ft "struct group *" +.Fn cap_getgrgid "cap_channel_t *chan" "gid_t gid" +.Ft "int" +.Fn cap_getgrent_r "cap_channel_t *chan" "struct group *grp" "char *buffer" "size_t bufsize" "struct group **result" +.Ft "int" +.Fn cap_getgrnam_r "cap_channel_t *chan" "const char *name" "struct group *grp" "char *buffer" "size_t bufsize" "struct group **result" +.Ft int +.Fn cap_getgrgid_r "cap_channel_t *chan" "gid_t gid" "struct group *grp" "char *buffer" "size_t bufsize" "struct group **result" +.Ft int +.Fn cap_setgroupent "cap_channel_t *chan" "int stayopen" +.Ft int +.Fn cap_setgrent "cap_channel_t *chan" +.Ft void +.Fn cap_endgrent "cap_channel_t *chan" +.Ft int +.Fn cap_grp_limit_cmds "cap_channel_t *chan" "const char * const *cmds" "size_t ncmds" +.Ft int +.Fn cap_grp_limit_fields "cap_channel_t *chan" "const char * const *fields" "size_t nfields" +.Ft int +.Fn cap_grp_limit_groups "cap_channel_t *chan" "const char * const *names" "size_t nnames" "gid_t *gids" "size_t ngids" +.Sh DESCRIPTION +The functions +.Fn cap_getgrent , +.Fn cap_getgrnam , +.Fn cap_getgrgid , +.Fn cap_getgrent_r , +.Fn cap_getgrnam_r , +.Fn cap_getgrgid_r , +.Fn cap_setgroupent , +.Fn cap_setgrent , +and +.Fn cap_endgrent +are respectively equivalent to +.Xr getgrent 3 , +.Xr getgrnam 3 , +.Xr getgrgid 3 , +.Xr getgrent_r 3 , +.Xr getgrnam_r 3 , +.Xr getgrgid_r 3 , +.Xr setgroupent 3 , +.Xr setgrent 3 , +and +.Xr endgrent 3 +except that the connection to the +.Nm system.grp +service needs to be provided. +.Pp +The +.Fn cap_grp_limit_cmds +function limits the functions allowed in the service. +The +.Fa cmds +vriable can be set to +.Dv getgrent , +.Dv getgrnam , +.Dv getgrgid , +.Dv getgrent_r , +.Dv getgrnam_r , +.Dv getgrgid_r , +.Dv setgroupent , +.Dv setgrent , +or +.Dv endgrent +which will allow to use the function associated with the name. +The +.Fa ncmds +variable contains the number of +.Fa cmds +provided. +.Pp +The +.Fn cap_grp_limit_fields +function allows limit fields returned in the structure +.Vt group . +The +.Fa fields +variable can be set to +.Dv gr_name +.Dv gr_passwd +.Dv gr_gid +or +.Dv gr_mem . +The field which was set as the limit will be returned, while the rest of the +values not set this way will have default values. +The +.Fa nfields +variable contains the number of +.Fa fields +provided. +.Pp +The +.Fn cap_grp_limit_groups +function allows to limit access to groups. +The +.Fa names +variable allows to limit groups by name and the +.Fa gids +variable by the group number. +The +.Fa nnames +and +.Fa ngids +variables provide numbers of limited names and gids. +.Sh EXAMPLES +The following example first opens a capability to casper and then uses this +capability to create the +.Nm system.grp +casper service and uses it to get a group name. +.Bd -literal +cap_channel_t *capcas, *capgrp; +const char *cmds[] = { "getgrgid" }; +const char *fields[] = { "gr_name" }; +gid_t gid[] = { 1 }; +struct group *group; + +/* Open capability to Casper. */ +capcas = cap_init(); +if (capcas == NULL) + err(1, "Unable to contact Casper"); + +/* Enter capability mode sandbox. */ +if (cap_enter() < 0 && errno != ENOSYS) + err(1, "Unable to enter capability mode"); + +/* Use Casper capability to create capability to the system.grp service. */ +capgrp = cap_service_open(capcas, "system.grp"); +if (capgrp == NULL) + err(1, "Unable to open system.grp service"); + +/* Close Casper capability, we don't need it anymore. */ +cap_close(capcas); + +/* Limit service to one single function. */ +if (cap_grp_limit_cmds(capgrp, cmds, nitems(cmds))) + err(1, "Unable to limit access to system.grp service"); + +/* Limit service to one field as we only need name of the group. */ +if (cap_grp_limit_fields(capgrp, fields, nitems(fields))) + err(1, "Unable to limit access to system.grp service"); + +/* Limit service to one gid. */ +if (cap_grp_limit_groups(capgrp, NULL, 0, gid, nitems(gid))) + err(1, "Unable to limit access to system.grp service"); + +group = cap_getgrgid(capgrp, gid[0]); +if (group == NULL) + err(1, "Unable to get name of group"); + +printf("GID %d is associated with name %s.\\n", gid[0], group->gr_name); + +cap_close(capgrp); +.Ed +.Sh SEE ALSO +.Xr cap_enter 2 , +.Xr endgrent 3 , +.Xr err 3 , +.Xr getgrent 3 , +.Xr getgrent_r 3 , +.Xr getgrgid 3 , +.Xr getgrgid_r 3 , +.Xr getgrnam 3 , +.Xr getgrnam_r 3 , +.Xr nv 3 , +.Xr setgrent 3 , +.Xr setgroupent 3 , +.Xr capsicum 4 +.Sh AUTHORS +The +.Nm cap_grp +service was implemented by +.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net +under sponsorship from the FreeBSD Foundation. +.Pp +This manual page was written by +.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org .