Bug 245314

Summary:	/usr/bin/logger: cannot write to unix socket or network socket to log since r358919
Product:	Base System	Reporter:	Dave Cottlehuber <dch>
Component:	bin	Assignee:	freebsd-bugs (Nobody) <bugs>
Status:	Closed FIXED
Severity:	Affects Many People	CC:	emaste, oshogbo, tig
Priority:	---
Version:	CURRENT
Hardware:	Any
OS:	Any
URL:	https://reviews.freebsd.org/D23744
See Also:	https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255339

Description Dave Cottlehuber freebsd_committer

2020-04-03 11:15:25 UTC

> logger -h /var/run/log miaow
logger: sendto: Not permitted in capability mode

> logger -h 100.64.0.0 miaow
logger: sendto: Not permitted in capability mode

this was committed in r358919 after https://reviews.freebsd.org/D23744

Reading logger.c we open socksetup/4 before entering capsicum so I guess we are missing the CAP_SEND or CAP_WRITE somewhere, but I didn't find that in cap_syslog.* - where is that done?

Comment 1 Mariusz Zaborski freebsd_committer

2020-04-03 12:26:43 UTC

The problem is not with the missing rights on a descriptor.
The problem is that sendto is forbidden when the "to" argument is given.

static int
sendit(struct thread *td, int s, struct msghdr *mp, int flags)
{

#ifdef CAPABILITY_MODE
        if (IN_CAPABILITY_MODE(td) && (mp->msg_name != NULL))
                return (ECAPMODE);
#endif

So I guess we have to revert the part when we enter the Capability mode and fix this with the Casper service.

Comment 2 Mariusz Zaborski freebsd_committer

2020-04-03 12:27:46 UTC

Or somehow rewrite this part.

Comment 3 Ed Maste freebsd_committer

2020-04-06 15:03:12 UTC

(In reply to Mariusz Zaborski from comment #1)
Or perhaps for now change to entering cap mode only if nsock == 0, then implement the casper service after.

Comment 4 commit-hook freebsd_committer

2020-04-08 18:43:52 UTC

A commit references this bug:

Author: oshogbo
Date: Wed Apr  8 18:43:01 UTC 2020
New revision: 359730
URL: https://svnweb.freebsd.org/changeset/base/359730

Log:
  logger: temporarily disable Capsicum when a host is provided

  We don't have a way to send a UDP package.

  PR:		245314
  Reported by:	dch
  Discussed with:	emaste

Changes:
  head/usr.bin/logger/logger.c

Comment 5 Conrad Meyer freebsd_committer

2020-04-08 19:25:18 UTC

It seems like that check in sendit() is bogus.  In kern_sendit(), we permit msg_name == NULL if CAP_CONNECT is present:

   730 int
   731 kern_sendit(struct thread *td, int s, struct msghdr *mp, int flags,
   732     struct mbuf *control, enum uio_seg segflg)
   733 {
   734         struct file *fp;
   735         struct uio auio;
   736         struct iovec *iov;
   737         struct socket *so;
   738         cap_rights_t *rights;
   739 #ifdef KTRACE
   740         struct uio *ktruio = NULL;
   741 #endif
   742         ssize_t len;
   743         int i, error;
   744
   745         AUDIT_ARG_FD(s);
   746         rights = &cap_send_rights;
   747         if (mp->msg_name != NULL) {
   748                 AUDIT_ARG_SOCKADDR(td, AT_FDCWD, mp->msg_name);
   749                 rights = &cap_send_connect_rights;
   750         }
   751         error = getsock_cap(td, s, rights, &fp, NULL, NULL);


And sendit() is just a shim around kern_sendit().