[C] reopen file while in capsicum

kisscool-fr

Active Member

Reaction score: 23
Messages: 207

Hello,

I have a soft I try to do some changes in.

Currently the soft works like that. (simplified version)
- starting
- open a file with fopen
- read from the file once at startup
- enter in restricted mode with cap_enter()
- append to the file n times

What I try to do is to do some changes in the file and make the soft be aware of the changes and that without restarting the soft.

With capsicum disabled, I can do what I want with fclose/fopen, freopen, openat, ...

When enabled, the best I can have is an error that says
openat(4,"FILEPATH",O_RDONLY,00) ERR#93 'Capabilities insufficient'

And that with rights set like this
CAP_FSTAT, CAP_READ, CAP_WRITE, CAP_SEEK, CAP_CREATE, CAP_FCNTL, CAP_LOOKUP

I am working on this for 3/4 days now and reading docs/manpages does not help me to see how I can have a working situation after all I tried.

So maybe somebody have any experience with capsicum and/or can point me to a working code for what I am trying to do.

Thanks for the help.
K.

P.S.: I am not sure I am in the good category.
 
OP
K

kisscool-fr

Active Member

Reaction score: 23
Messages: 207

After some trial and error I am able to achieve was I was looking for.

The trick is to open the directory where FILEPATH points to with fdopen before calling cap_enter and then, while in restricted mode, reopen the file with openat and the fd returned from fdopen call.

Default rights set at cap_enter are sufficient but they can be tuned if desired.

K.
 
Top