Found today that using 'hexdump -s' on HEAD fails with ENOTCAPABLE. To reproduce, create a non-empty file (e.g. /tmp/foo) and use 'hexdump -s 1':

    # hexdump -s 1 /tmp/foo
    hexdump: /tmp/foo: Capabilities insufficient

From truss, it seems that lseek() fails, so perhaps CAP_SEEK or the like is missing?

    open("/tmp/foo",O_RDONLY,0666)                   = 3 (0x3)
    dup2(0x3,0x0)                                    = 0 (0x0)
    close(3)                                         = 0 (0x0)
    cap_rights_limit(0x0,0x7fffffffe990)             = 0 (0x0)
    cap_ioctls_limit(0x0,0x7fffffffe980,0x2)         = 0 (0x0)
    cap_fcntls_limit(0x0,0x8)                        = 0 (0x0)
    fstat(0,{ mode=-rw-r--r-- ,inode=20,size=336,blksize=4096 }) = 0 (0x0)
    fstat(0,{ mode=-rw-r--r-- ,inode=20,size=336,blksize=4096 }) = 0 (0x0)
    lseek(0,0x0,SEEK_CUR)                            ERR#93 'Capabilities insufficient'
    lseek(0,0x1,SEEK_SET)                            ERR#93 'Capabilities insufficient'
hexdump() just uses caph_limit_stdio(). Perhaps SEEK should be added to caph_limit_stdio / caph_limit_stream capabilities in capsicum_helpers?
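The failure above is a property of the descriptor rights, not of hexdump itself: once cap_rights_limit(2) has been applied to a descriptor, every later lseek() on it is checked against that rights set, inside or outside capability mode. The following standalone C program (an added example for this PR, not code from hexdump or from libcapsicum) reproduces the situation on a constructed temporary file: it limits the descriptor to an approximation of the pre-fix stdio rights (READ, WRITE, FSTAT, FCNTL, IOCTL, as reflected by the cap_*_limit calls in the truss output), tries the same lseek(fd, 1, SEEK_SET) that hexdump -s performs, and then repeats the probe with CAP_SEEK added. The rights list and file contents are assumptions made for the demonstration. It is FreeBSD-only; on other systems the probe reports Capsicum as unavailable.

```c
/*
 * Added example: why a stdio descriptor limited without CAP_SEEK makes
 * lseek() fail with ENOTCAPABLE, and that adding CAP_SEEK cures it.
 * Not part of hexdump or libcapsicum; rights set is an approximation.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/*
 * Create a small constructed file, restrict its descriptor, then seek
 * the way 'hexdump -s 1' does.  Returns 0 when lseek() succeeds, the
 * errno (ENOTCAPABLE expected) when the rights check rejects it, or
 * -1 when Capsicum is not available on this platform.
 */
int probe_seek_after_limit(int add_seek)
{
#ifdef __FreeBSD__
    char path[] = "/tmp/capseekXXXXXX";        /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    unlink(path);                              /* keep /tmp clean */
    if (write(fd, "hello world", 11) != 11) {
        int e = errno;
        close(fd);
        return e;
    }

    cap_rights_t rights;
    /* Assumed pre-r323990 stdio rights: everything but SEEK (and EVENT). */
    cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT, CAP_FCNTL,
                    CAP_IOCTL);
    if (add_seek)
        cap_rights_set(&rights, CAP_SEEK);     /* what r323990 adds */
    if (cap_rights_limit(fd, &rights) < 0) {
        int e = errno;
        close(fd);
        return e;
    }

    int rc = 0;
    if (lseek(fd, 1, SEEK_SET) == (off_t)-1)
        rc = errno;                            /* ENOTCAPABLE without SEEK */
    close(fd);
    return rc;
#else
    (void)add_seek;
    return -1;                                 /* no Capsicum on this OS */
#endif
}

int main(void)
{
    int without = probe_seek_after_limit(0);
    int with = probe_seek_after_limit(1);
    if (without == -1) {
        puts("Capsicum not available on this platform");
        return 0;
    }
    printf("lseek without CAP_SEEK: %s\n",
           without ? strerror(without) : "ok");
    printf("lseek with    CAP_SEEK: %s\n",
           with ? strerror(with) : "ok");
    return 0;
}
```

On FreeBSD the first probe reports "Capabilities insufficient" and the second "ok", matching the truss trace above. The same pattern is a useful quick check whenever a Capsicumized tool starts failing with ENOTCAPABLE: reproduce the exact syscall against a descriptor carrying the helper's rights set, then add one right at a time until the operation is permitted.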
See https://reviews.freebsd.org/D10893 and https://reviews.freebsd.org/D10897
A commit references this bug:

    Author: cem
    Date: Mon Sep 25 19:33:32 UTC 2017
    New revision: 323990
    URL: https://svnweb.freebsd.org/changeset/base/323990

    Log:
      capsicum_helpers: Add SEEK to default stdio rights set

      PR:           219173
      Sponsored by: Dell EMC Isilon

    Changes:
      head/lib/libcapsicum/capsicum_helpers.h
A commit references this bug:

    Author: ian
    Date: Fri Mar 23 16:15:08 UTC 2018
    New revision: 331434
    URL: https://svnweb.freebsd.org/changeset/base/331434

    Log:
      MFC r306657, r306673, r306726, r307737, r309366, r310135, r323990, r324414

      r306657:
      libcapsicum: introduce Capsicum helpers

      Capsicum helpers are a set of inline functions whose goal is to reduce
      duplicated patterns used to Capsicumize applications.

      Reviewed by:  cem, AllanJude, bapt, ed, emaste
      Differential Revision: https://reviews.freebsd.org/D8013

      r306673:
      libcapsicum: limit stderr

      Don't limit stdout twice, instead limit stderr.

      Pointed out by: rpokala@

      r306726:
      Add man pages for Capsicum helpers.

      Reviewed by:  cem
      Differential Revision: https://reviews.freebsd.org/D8154

      r307737:
      Fix a few sentences in the man page.

      Pointed out by: wblock

      r309366:
      capsicum_helpers: Squash errors from closed fds

      Squash EBADF from closed stdin, stdout, or stderr in caph_limit_stdio().
      Any program used during special shell scripts may commonly be forked from
      a parent process with closed standard streams. Do the common sense thing
      for this common use.

      Reported by:  Iblis Lin <iblis AT hs.ntnu.edu.tw>
      Reviewed by:  oshogbo@ (earlier version)
      Sponsored by: Dell EMC Isilon
      Differential Revision: https://reviews.freebsd.org/D8657

      r310135:
      capsicum_helpers: Add LOOKUP flag

      Add a helper routine for opening a directory that is restricted to being
      used for opening relative files as stdio streams. I think this will really
      help basic adaptation of multi-file programs to Capsicum. Rather than
      having each program initialize a rights object and ioctl/fcntl arrays for
      their root fd for relative opens, consolidate in the logical place.

      Reviewed by:  oshogbo@
      Sponsored by: Dell EMC Isilon
      Differential Revision: https://reviews.freebsd.org/D8743

      r323990:
      capsicum_helpers: Add SEEK to default stdio rights set

      PR:           219173
      Sponsored by: Dell EMC Isilon

      r324414:
      capsicum_helpers: Add EVENT to default stdio rights set

      Without it, calling caph_limit_stdio(3) breaks Irssi.

      Reviewed by:  oshogbo
      Sponsored by: DARPA, AFRL
      Differential Revision: https://reviews.freebsd.org/D12622

    Changes:
    _U  stable/11/
      stable/11/lib/Makefile
      stable/11/lib/libcapsicum/
      stable/11/lib/libcapsicum/Makefile
      stable/11/lib/libcapsicum/Makefile.depend
      stable/11/lib/libcapsicum/capsicum_helpers.3
      stable/11/lib/libcapsicum/capsicum_helpers.h