From owner-svn-src-head@freebsd.org Mon May 22 11:43:20 2017
Message-Id: <201705221143.v4MBhJer074140@repo.freebsd.org>
From: Ed Maste
Date: Mon, 22 May 2017 11:43:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r318634 - in head/sys: compat/freebsd32 kern

Author: emaste
Date: Mon May 22 11:43:19 2017
New Revision: 318634

URL: https://svnweb.freebsd.org/changeset/base/318634

Log:
  disallow open(2) in capability mode

  Previously open(2) was allowed in capability mode, with a comment that
  suggested this was likely the case to facilitate debugging.  The system
  call would still fail later on, but it's better to disallow the syscall
  altogether.  We now have the kern.trap_enotcap sysctl or
  PROC_TRAPCAP_CTL proccontrol to aid in debugging.  In any case libc has
  translated open() to the openat syscall since r277032.

  Reviewed by:    kib, rwatson
  Sponsored by:   The FreeBSD Foundation
  Differential Revision:  https://reviews.freebsd.org/D10850

Modified:
  head/sys/compat/freebsd32/capabilities.conf
  head/sys/kern/capabilities.conf

Modified: head/sys/compat/freebsd32/capabilities.conf ============================================================================== --- head/sys/compat/freebsd32/capabilities.conf Mon May 22 11:41:17 2017 (r318633) +++ head/sys/compat/freebsd32/capabilities.conf Mon May 22 11:43:19 2017 (r318634) 
@@ -188,7 +188,6 @@ renameat symlinkat unlinkat freebsd32_utimensat -open pdfork pdgetpid pdkill Modified: head/sys/kern/capabilities.conf ============================================================================== --- head/sys/kern/capabilities.conf Mon May 22 11:41:17 2017 (r318633) +++ head/sys/kern/capabilities.conf Mon May 22 11:43:19 2017 (r318634) @@ -460,14 +460,6 @@ unlinkat utimensat ## -## Allow entry into open(2). This system call will fail, since access to the -## global file namespace has been disallowed, but allowing entry into the -## syscall means that an audit trail will be generated (which is also very -## useful for debugging). -## -open - -## ## Process descriptor-related system calls are allowed. ## pdfork
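Review bot: in the head/sys/compat/freebsd32/capabilities.conf hunk, `open` is dropped with no comment around it, which matches that file's style (the 32-bit list carries no per-entry rationale, unlike the native one), but it also means the two capabilities.conf files are kept in step only by hand; a sentence in the log saying the native and compat32 tables were changed together, or a build-time check that the compat list never allows a syscall the native list refuses, would keep the next syscall policy change from drifting. The context line `freebsd32_utimensat` shows the compat list mixes plain names with freebsd32_ wrapper names, so it is worth confirming that no wrapper-named entry for the same syscall is listed elsewhere in the file.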
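Review bot: in the head/sys/kern/capabilities.conf hunk, removing `open` means a capability-mode open(2) is now refused at syscall entry with ECAPMODE, so the audit record that the deleted comment relied on ("allowing entry into the syscall means that an audit trail will be generated") is no longer produced for that call; since the conf file now carries no trace of why open was ever listed, the log should state that loss explicitly and name kern.trap_enotcap / PROC_TRAPCAP_CTL as the intended replacement signal for debugging. It would also help to say in the log that only callers issuing the raw syscall (for example binaries built against a libc older than r277032) see any change, as libc's open() already goes through openat.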
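The behaviour the commit message describes, as an added example (my code, not part of r318634 or the FreeBSD tree): a small FreeBSD C program forks a child, enters capability mode there with cap_enter(), and reports the errno each way of reaching a file returns. It assumes /etc/passwd exists, as it does on every FreeBSD install; the `#ifdef __FreeBSD__` fallback only keeps the file compiling elsewhere, where run_capmode_probe() reports ENOSYS. On a kernel with this commit the raw SYS_open attempt is refused at syscall entry with ECAPMODE; libc open() also fails with ECAPMODE because its openat(AT_FDCWD, ...) is rejected by the lookup code in capability mode; the relative openat() on the /etc descriptor opened before cap_enter() succeeds; and an absolute path passed through that same descriptor fails with ENOTCAPABLE.

```c
/* Added example, not from r318634 or FreeBSD.  FreeBSD-only; see lead-in. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/syscall.h>
#endif

/* errno the sandboxed child saw for each attempt; 0 means the open succeeded */
struct capmode_probe {
	int libc_open;     /* open("/etc/passwd", O_RDONLY): openat(AT_FDCWD, ...) since r277032 */
	int openat_rel;    /* openat(etc_fd, "passwd", O_RDONLY) */
	int openat_abs;    /* openat(etc_fd, "/etc/passwd", O_RDONLY) */
	int raw_sys_open;  /* syscall(SYS_open, ...): the entry r318634 removes from capabilities.conf */
};

#ifdef __FreeBSD__
/* Map an open()-style result to 0 or the errno it failed with. */
static int
try_open(int fd)
{
	if (fd < 0)
		return (errno);
	close(fd);
	return (0);
}

/* Child side: enter the sandbox, run the four attempts, ship the result up the pipe. */
static void
child_probe(int etc_fd, int pipe_wr)
{
	struct capmode_probe p;

	if (cap_enter() != 0)
		_exit(2);
	p.libc_open = try_open(open("/etc/passwd", O_RDONLY));
	p.openat_rel = try_open(openat(etc_fd, "passwd", O_RDONLY));
	p.openat_abs = try_open(openat(etc_fd, "/etc/passwd", O_RDONLY));
	p.raw_sys_open = try_open((int)syscall(SYS_open, "/etc/passwd", O_RDONLY));
	/* The pipe was created before cap_enter(), so writing to it is still allowed. */
	if (write(pipe_wr, &p, sizeof(p)) != (ssize_t)sizeof(p))
		_exit(3);
	_exit(0);
}
#endif

/* Run the probe in a child.  Returns 0 and fills *out, or -1 with errno set. */
int
run_capmode_probe(struct capmode_probe *out)
{
#ifdef __FreeBSD__
	int fds[2], etc_fd, status;
	ssize_t n;
	pid_t pid;

	/* Directory descriptor first: capability-mode lookups must be relative to one. */
	etc_fd = open("/etc", O_RDONLY | O_DIRECTORY);
	if (etc_fd < 0)
		return (-1);
	if (pipe(fds) != 0) {
		close(etc_fd);
		return (-1);
	}
	pid = fork();
	if (pid < 0) {
		close(etc_fd); close(fds[0]); close(fds[1]);
		return (-1);
	}
	if (pid == 0) {
		close(fds[0]);
		child_probe(etc_fd, fds[1]);	/* never returns */
	}
	close(fds[1]);
	close(etc_fd);
	n = read(fds[0], out, sizeof(*out));
	close(fds[0]);
	if (waitpid(pid, &status, 0) < 0)
		return (-1);
	/* A child killed by SIGTRAP (kern.trap_enotcap=1) or exiting non-zero lands here. */
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof(*out)) {
		errno = ECHILD;
		return (-1);
	}
	return (0);
#else
	(void)out;
	errno = ENOSYS;	/* not a FreeBSD system: nothing to probe */
	return (-1);
#endif
}

int
main(void)
{
	struct capmode_probe p;

	if (run_capmode_probe(&p) != 0) {
		perror("run_capmode_probe");
		return (1);
	}
	printf("libc open(\"/etc/passwd\")        : %s\n", p.libc_open ? strerror(p.libc_open) : "ok");
	printf("openat(etc_fd, \"passwd\")        : %s\n", p.openat_rel ? strerror(p.openat_rel) : "ok");
	printf("openat(etc_fd, \"/etc/passwd\")   : %s\n", p.openat_abs ? strerror(p.openat_abs) : "ok");
	printf("syscall(SYS_open, \"/etc/passwd\"): %s\n", p.raw_sys_open ? strerror(p.raw_sys_open) : "ok");
	return (0);
}
```

Running it with `sysctl kern.trap_enotcap=1` set (or with PROC_TRAPCAP_CTL enabled on the child through procctl(2)) makes the child take SIGTRAP at the first refused call, so run_capmode_probe() then reports a failed child instead of the errno table; that trap is the debugging aid the log points to in place of the audit record the old `open` entry used to produce.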