Date: Thu, 24 Jan 2008 16:19:27 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 134017 for review Message-ID: <200801241619.m0OGJRAi070915@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=134017 Change 134017 by rwatson@rwatson_freebsd_capabilities on 2008/01/24 16:18:38 Don't use fileops passthrough as we now filter capabilities when a file descriptor is used rather than on the way down the operation stack. Panic in the passthrough functions, except for close, which is still needed. Update comments. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 (text+ko) ====
@@ -38,16 +38,12 @@
 * rather than referencing the previous capability.
 *
 * XXXRW:
- * - Does it make sense that each capability maintains a separate seek
- * location from the file descriptor it wraps? What about DSEEKABLE, which
- * appears to be static for a particular fileops?
- * - Does it make sense that each capability maintains a separate f_flags
- * from the file descriptor it wraps?
- * - Currently we can only forward operations that are handled via fileops.
 * - Some operations, such as poll/select/kqueue are explicitly aware of file
 * descriptors and may need adapting.
 * - UNIX domain socket passing of file descriptors will likely need work,
- * especially relating to garbage collection.
+ * especially relating to garbage collection. Do we need to teach the GC
+ * routines to walk through capabilities to the underlying object
+ * descriptors so it knows they are reachable?
 * - The list of capability rights is probably inadequate.
 * - Should there be a privilege to expand capability rights?
 * - Should different underlying object sets have different valid capability
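Review bot: The retained XXXRW item `* - Some operations, such as poll/select/kqueue are explicitly aware of file descriptors and may need adapting.` understates the situation after this change: the same commit turns capability_poll and capability_kqfilter into panic() stubs, so if select/poll/kqueue on a capability descriptor still dispatches through the capability's own fileops rather than the underlying file's, that item now describes a user-reachable kernel panic rather than a missing feature. Whether such a dispatch path remains is not visible in this hunk, so the comment should at least record the requirement, e.g. `* - poll/select/kqueue are explicitly aware of file descriptors; they must resolve a capability to its underlying fp before dispatch, because the capability fileops now panic.` Until that is confirmed, having those handlers return an error instead of panicking would be the safer interim behaviour.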
@@ -56,15 +52,14 @@
 * approved system calls. A flag in syscalls.master?
 * - Need to refine access control on sysctl infrastructe sysctls, such as
 * name lookup.
- * - masking in fo_read/fo_write/etc is undesirable because really we want
- * only the original file to be used, as it might have state (cred, flags,
- * etc) that should be used instead. seekable is a particular issue.
 * - mmap should incorporate capability rights into maxprot, not just file
 * flags.
+ * - Need fexec() or similar primitive to launch code in a sandbox. What
+ * should this look like?
 */
 
 #include <sys/cdefs.h>
-__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#8 $");
+__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 $");
 
 #include <sys/param.h>
 #include <sys/capability.h>
@@ -297,117 +292,63 @@ } /* - * Various pass-through operations for the capability. + * In general, file descriptor operations should never make it to the + * capability, only the underlying file descriptor operation vector, so with + * the exception of close(), panic if we do turn up here. */ static int capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_read: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_READ); - if (error) - return (error); - return (fo_read(c->cap_file, uio, active_cred, flags, td)); + panic("capability_read"); } static int capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_write: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_WRITE); - if (error) - return (error); - return (fo_write(c->cap_file, uio, active_cred, flags, td)); + panic("capability_write"); } static int capability_truncate(struct file *fp, off_t length, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_truncate: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_FTRUNCATE); - if (error) - return (error); - return (fo_truncate(c->cap_file, length, active_cred, td)); + panic("capability_truncate"); } static int capability_ioctl(struct file *fp, u_long com, void *data, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_ioctl: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_IOCTL); - if (error) - return (error); - return (fo_ioctl(c->cap_file, com, data, active_cred, td)); + panic("capability_ioctl"); } static int capability_poll(struct file *fp, int 
events, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_poll: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_EVENT); - if (error) - return (error); - return (fo_poll(c->cap_file, events, active_cred, td)); + panic("capability_poll"); } static int capability_kqfilter(struct file *fp, struct knote *kn) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_kqfilter: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_EVENT); - if (error) - return (error); - return (fo_kqfilter(c->cap_file, kn)); + panic("capability_kqfilter"); } static int capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_stat: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_FSTAT); - if (error) - return (error); - return (fo_stat(c->cap_file, sb, active_cred, td)); + panic("capability_stat"); } static int