rights(4) says: The following rights may be specified in a rights mask: and proceeds to list most of the CAP_* rights, excluding only the UNUSED ones and the some of compounds (like CAP_SOCK_CLIENT). And software does use them that way, for example: bin/cat/cat.c 144: cap_rights_init(&rights, CAP_READ | CAP_FSTAT | CAP_FCNTL | CAP_SEEK), However, not all rights may be specified in a mask together. It appears, from testing, that only rights whose index is 0 may be ORed with other rights whose index is 0, and similarly for index 1. Attempting to violate this rule will trigger an assertion and abort the program: Assertion failed: (i >= 0), function cap_rights_vset, file /usr/home/somers/src/freebsd.org/src/sys/kern/subr_capability.c, line 188. Process with PID 3539 exited with signal 6 and dumped core; attempting to gather stack trace [New LWP 100728] Core was generated by `/usr/tests/sys/capsicum/rights -vdisks=/dev/vtbd1 /dev/vtbd2 /dev/vtbd3 /dev/vtb'. Program terminated with signal SIGABRT, Aborted. Sent by thr_kill() from pid 3539 and user 1000. #0 thr_kill () at thr_kill.S:4 4 RSYSCALL(thr_kill) #0 thr_kill () at thr_kill.S:4 #1 0x00003199593035d4 in __raise (s=s@entry=6) at /usr/home/somers/src/freebsd.org/src/lib/libc/gen/raise.c:48 #2 0x00003199593b6999 in abort () at /usr/home/somers/src/freebsd.org/src/lib/libc/stdlib/abort.c:61 #3 0x00003199592e68a1 in __assert (func=<optimized out>, file=<optimized out>, line=line@entry=188, failedexpr=<optimized out>) at /usr/home/somers/src/freebsd.org/src/lib/libc/gen/assert.c:47 #4 0x00003199593a93d0 in cap_rights_vset (rights=rights@entry=0x3199575d8c20, ap=ap@entry=0x3199575d8bc0) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_capability.c:188 #5 0x00003199593a9274 in __cap_rights_init (version=version@entry=0, rights=rights@entry=0x3199575d8c20) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_capability.c:260 #6 0x00003191372b3640 in atfu_orable_01_body (tc=<optimized out>) at /usr/home/somers/src/freebsd.org/src/tests/sys/capsicum/rights.c:142 #7 0x0000319958eccff7 in atf_tc_run (tc=0x3191372b5bf0 <atfu_orable_01_tc>, resfile=<optimized out>) at /usr/home/somers/src/freebsd.org/src/contrib/atf/atf-c/tc.c:1054 #8 0x0000319958ecf0de in atf_tp_run (tp=tp@entry=0x3199575d90e8, tcname=tcname@entry=0x37fd6da09020 "orable_01", resfile=0x6 <error: Cannot access memory at address 0x6>) at /usr/home/somers/src/freebsd.org/src/contrib/atf/atf-c/tp.c:201 #9 0x0000319958ecfaae in run_tc (tp=0x3199575d90e8, p=0x3199575d9100, exitcode=<optimized out>) at /usr/home/somers/src/freebsd.org/src/contrib/atf/atf-c/detail/tp_main.c:504 #10 controlled_main (argc=5, argv=<optimized out>, add_tcs_hook=0x3191372b30a0 <atfu_tp_add_tcs>, exitcode=<optimized out>) at /usr/home/somers/src/freebsd.org/src/contrib/atf/atf-c/detail/tp_main.c:574 #11 atf_tp_main (argc=5, argv=<optimized out>, add_tcs_hook=0x3191372b30a0 <atfu_tp_add_tcs>) at /usr/home/somers/src/freebsd.org/src/contrib/atf/atf-c/detail/tp_main.c:604 #12 0x00003199592d806a in __libc_start1 (argc=5, argv=0x3199575da1b0, env=0x3199575da1e0, cleanup=<optimized out>, mainX=0x3191372b3080 <main>) at /usr/home/somers/src/freebsd.org/src/lib/libc/csu/libc_start1.c:157 #13 0x00003191372b2ffd in _start () at /usr/home/somers/src/freebsd.org/src/lib/csu/amd64/crt1_s.S:83
Created attachment 248468 [details] test case Add a test case.
> 144: cap_rights_init(&rights, CAP_READ | CAP_FSTAT | CAP_FCNTL | CAP_SEEK), But the right(!) way to write this is cap_rights_init(&rights, CAP_READ, CAP_FSTAT, ...). I'd expect that to work for mixed-index rights. If it doesn't that's certainly a bug. Most of the code in the tree does this properly (and at least one of the few exceptions is my fault, sorry). Using plain OR works except when it doesn't, as you note. Maybe rights(4) should be more clear. cap_rights_set() should be used to incrementally add rights to a set.
(In reply to Mark Johnston from comment #2) That was fast, Mark. Are you of the opinion then that the man page should be adjusted to remove the mask terminology, and programs like cat should stop using | ? That's what I think would be cleanest.
(In reply to Alan Somers from comment #3) Yes, cap's use is absolutely a bug. rights(4) needs an explicit note, probably with an example.
(In reply to Ed Maste from comment #4) That should be cat not cap, of course I see the same issue in: lib/libcasper/services/cap_fileargs/tests/fileargs_test.c tests/sys/file/path_test.c
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=05f530f4d2bb15fda3d258b3bd92d4515d9ef39f commit 05f530f4d2bb15fda3d258b3bd92d4515d9ef39f Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:03:40 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-02-15 00:37:54 +0000 cat: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Reported by: asomers, markj bin/cat/cat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=3733d82c4deb49035a39e18744085d1e3e9b8dc5 commit 3733d82c4deb49035a39e18744085d1e3e9b8dc5 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:42:48 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-02-15 03:33:24 +0000 libcasper: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Fixes: faaf43b2a750 ("fileargs: add tests") Sponsored by: The FreeBSD Foundation .../services/cap_fileargs/tests/fileargs_test.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
Thanks guys, for working on that!
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=8d1348f55aed6873f34f54bc3b275b73ef0ff66d commit 8d1348f55aed6873f34f54bc3b275b73ef0ff66d Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:45:42 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-02-15 13:58:39 +0000 path_test: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Fixes: e5e1d9c7b781 ("path_test: Add a test case for...") Sponsored by: The FreeBSD Foundation tests/sys/file/path_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=2c5ff9118c1ed8483a9477db3595b1d154615e2c commit 2c5ff9118c1ed8483a9477db3595b1d154615e2c Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 14:55:39 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-02-15 15:00:52 +0000 rights.4: Remove sentence implying that rights are a mask Capability rights passed to cap_rights_* are (now) not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). Remove sentence that implied rights are masks. We already have the sentence "The complete list of capability rights is provided below" so listing the rights without an introductory sentence seems fine. PR: 277057 share/man/man4/rights.4 | 1 - 1 file changed, 1 deletion(-)
I have now removed the sentence from rights.4 that implied they're a mask. I do think we should have an explicit description possibly with an example or at least a reference to the example in cap_rights_init.
For reference the current rights definition comes from: commit 7008be5bd7341259037f383434a72960413cfeb8 Author: Pawel Jakub Dawidek <pjd@FreeBSD.org> Date: Thu Sep 5 00:09:56 2013 +0000 Change the cap_rights_t type from uint64_t to a structure that we can extend in the future in a backward compatible (API and ABI) way. The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough. The structure definition looks like this: struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; }; The initial CAP_RIGHTS_VERSION is 0.
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=2031b368f8956acbc2ef3b3715af9dc66670d120 commit 2031b368f8956acbc2ef3b3715af9dc66670d120 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 14:55:39 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:30:32 +0000 rights.4: Remove sentence implying that rights are a mask Capability rights passed to cap_rights_* are (now) not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). Remove sentence that implied rights are masks. We already have the sentence "The complete list of capability rights is provided below" so listing the rights without an introductory sentence seems fine. PR: 277057 (cherry picked from commit 2c5ff9118c1ed8483a9477db3595b1d154615e2c) share/man/man4/rights.4 | 1 - 1 file changed, 1 deletion(-)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=dbf34bbb188876551dcfec32fbbed2ba8ba24f12 commit dbf34bbb188876551dcfec32fbbed2ba8ba24f12 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:03:40 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:30:32 +0000 cat: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Reported by: asomers, markj (cherry picked from commit 05f530f4d2bb15fda3d258b3bd92d4515d9ef39f) bin/cat/cat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=be83aa2a01b35f9e7aa94a3d45a851305fa22c83 commit be83aa2a01b35f9e7aa94a3d45a851305fa22c83 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:42:48 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:30:32 +0000 libcasper: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Fixes: faaf43b2a750 ("fileargs: add tests") Sponsored by: The FreeBSD Foundation (cherry picked from commit 3733d82c4deb49035a39e18744085d1e3e9b8dc5) .../services/cap_fileargs/tests/fileargs_test.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ea3910c452cf44342e0b65d6283aebeb77a10863 commit ea3910c452cf44342e0b65d6283aebeb77a10863 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:45:42 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:30:32 +0000 path_test: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Fixes: e5e1d9c7b781 ("path_test: Add a test case for...") Sponsored by: The FreeBSD Foundation (cherry picked from commit 8d1348f55aed6873f34f54bc3b275b73ef0ff66d) tests/sys/file/path_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=e8d01b2efaa358b5ff8991b7defefbf970f871ff commit e8d01b2efaa358b5ff8991b7defefbf970f871ff Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:45:42 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:35:44 +0000 path_test: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Fixes: e5e1d9c7b781 ("path_test: Add a test case for...") Sponsored by: The FreeBSD Foundation (cherry picked from commit 8d1348f55aed6873f34f54bc3b275b73ef0ff66d) (cherry picked from commit ea3910c452cf44342e0b65d6283aebeb77a10863) tests/sys/file/path_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=8a17cc127bb0a404d8f641926ad4a3cc42c482da commit 8a17cc127bb0a404d8f641926ad4a3cc42c482da Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:03:40 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:35:44 +0000 cat: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Reported by: asomers, markj (cherry picked from commit 05f530f4d2bb15fda3d258b3bd92d4515d9ef39f) (cherry picked from commit dbf34bbb188876551dcfec32fbbed2ba8ba24f12) bin/cat/cat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=a2ef45a0656f9f3c4364a3779c042991918c42c5 commit a2ef45a0656f9f3c4364a3779c042991918c42c5 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 14:55:39 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:35:44 +0000 rights.4: Remove sentence implying that rights are a mask Capability rights passed to cap_rights_* are (now) not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). Remove sentence that implied rights are masks. We already have the sentence "The complete list of capability rights is provided below" so listing the rights without an introductory sentence seems fine. PR: 277057 (cherry picked from commit 2c5ff9118c1ed8483a9477db3595b1d154615e2c) (cherry picked from commit 2031b368f8956acbc2ef3b3715af9dc66670d120) share/man/man4/rights.4 | 1 - 1 file changed, 1 deletion(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ec44cc4e28824b83b2b53b4afd39663345823613 commit ec44cc4e28824b83b2b53b4afd39663345823613 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-02-15 00:42:48 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 13:35:44 +0000 libcasper: fix cap_rights_init usage Capability rights passed to cap_rights_* are not simple bitmaks and cannot be ORed together in general (although it will work for certain subsets of rights). PR: 277057 Fixes: faaf43b2a750 ("fileargs: add tests") Sponsored by: The FreeBSD Foundation (cherry picked from commit 3733d82c4deb49035a39e18744085d1e3e9b8dc5) (cherry picked from commit be83aa2a01b35f9e7aa94a3d45a851305fa22c83) .../services/cap_fileargs/tests/fileargs_test.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=537bdafbc25d39b4bb3dce124691913f86c08288 commit 537bdafbc25d39b4bb3dce124691913f86c08288 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-03-22 13:47:57 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-03-22 14:02:31 +0000 rights.4: add note about rights not being simple bitmasks PR: 277057 Reviewed by: oshogbo, asomers Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D44473 share/man/man4/rights.4 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=6ac10e8a72a730e9078738e317f5c3e2475bd7bd commit 6ac10e8a72a730e9078738e317f5c3e2475bd7bd Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-03-22 13:47:57 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-04-07 16:34:04 +0000 rights.4: add note about rights not being simple bitmasks PR: 277057 Reviewed by: oshogbo, asomers Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D44473 (cherry picked from commit 537bdafbc25d39b4bb3dce124691913f86c08288) share/man/man4/rights.4 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=9031978083ce158f54fb5dadc0e1c683bbad762b commit 9031978083ce158f54fb5dadc0e1c683bbad762b Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-03-22 13:47:57 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-04-07 16:58:50 +0000 rights.4: add note about rights not being simple bitmasks PR: 277057 Reviewed by: oshogbo, asomers Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D44473 (cherry picked from commit 537bdafbc25d39b4bb3dce124691913f86c08288) (cherry picked from commit 6ac10e8a72a730e9078738e317f5c3e2475bd7bd) share/man/man4/rights.4 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)