From owner-p4-projects@FreeBSD.ORG Thu Jan 24 16:19:28 2008
Date: Thu, 24 Jan 2008 16:19:27 GMT
Message-Id: <200801241619.m0OGJRAi070915@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 134017 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jan 2008 16:19:28 -0000 http://perforce.freebsd.org/chv.cgi?CH=134017 Change 134017 by rwatson@rwatson_freebsd_capabilities on 2008/01/24 16:18:38 Don't use fileops passthrough as we now filter capabilities when a file descriptor is used rather than on the way down the operation stack. Panic in the passthrough functions, except for close, which is still needed. Update comments. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 (text+ko) ==== @@ -38,16 +38,12 @@ * rather than referencing the previous capability. * * XXXRW: - * - Does it make sense that each capability maintains a separate seek - * location from the file descriptor it wraps? What about DSEEKABLE, which - * appears to be static for a particular fileops? - * - Does it make sense that each capability maintains a separate f_flags - * from the file descriptor it wraps? - * - Currently we can only forward operations that are handled via fileops. * - Some operations, such as poll/select/kqueue are explicitly aware of file * descriptors and may need adapting. * - UNIX domain socket passing of file descriptors will likely need work, - * especially relating to garbage collection. + * especially relating to garbage collection. Do we need to teach the GC + * routines to walk through capabilities to the underlying object + * descriptors so it knows they are reachable? * - The list of capability rights is probably inadequate. * - Should there be a privilege to expand capability rights? * - Should different underlying object sets have different valid capability 
@@ -56,15 +52,14 @@ * approved system calls. A flag in syscalls.master? * - Need to refine access control on sysctl infrastructe sysctls, such as * name lookup. - * - masking in fo_read/fo_write/etc is undesirable because really we want - * only the original file to be used, as it might have state (cred, flags, - * etc) that should be used instead. seekable is a particular issue. * - mmap should incorporate capability rights into maxprot, not just file * flags. + * - Need fexec() or similar primitive to launch code in a sandbox. What + * should this look like? */ #include -__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#8 $"); +__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 $"); #include #include 
@@ -297,117 +292,63 @@ } /* - * Various pass-through operations for the capability. + * In general, file descriptor operations should never make it to the + * capability, only the underlying file descriptor operation vector, so with + * the exception of close(), panic if we do turn up here. */ static int capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_read: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_READ); - if (error) - return (error); - return (fo_read(c->cap_file, uio, active_cred, flags, td)); + panic("capability_read"); } static int capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_write: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_WRITE); - if (error) - return (error); - return (fo_write(c->cap_file, uio, active_cred, flags, td)); + panic("capability_write"); } static int capability_truncate(struct file *fp, off_t length, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_truncate: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_FTRUNCATE); - if (error) - return (error); - return (fo_truncate(c->cap_file, length, active_cred, td)); + panic("capability_truncate"); } static int capability_ioctl(struct file *fp, u_long com, void *data, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_ioctl: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_IOCTL); - if (error) - return (error); - return (fo_ioctl(c->cap_file, com, data, active_cred, td)); + panic("capability_ioctl"); } static int capability_poll(struct file *fp, int 
events, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_poll: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_EVENT); - if (error) - return (error); - return (fo_poll(c->cap_file, events, active_cred, td)); + panic("capability_poll"); } static int capability_kqfilter(struct file *fp, struct knote *kn) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_kqfilter: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_EVENT); - if (error) - return (error); - return (fo_kqfilter(c->cap_file, kn)); + panic("capability_kqfilter"); } static int capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred, struct thread *td) { - struct capability *c; - int error; - KASSERT(fp->f_type == DTYPE_CAPABILITY, - ("capability_stat: !capability")); - c = fp->f_data; - error = cap_check(c, CAP_FSTAT); - if (error) - return (error); - return (fo_stat(c->cap_file, sb, active_cred, td)); + panic("capability_stat"); } static int
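Review bot: in the first hunk (@@ -38,16 +38,12 @@), the new garbage-collection question should state the failure it is worried about rather than just asking it: the GC routines decide reachability by looking at what each file is, so a descriptor whose only remaining reference is held through a DTYPE_CAPABILITY wrapper (the f_type the removed KASSERTs check for) would not be recognised as reachable, and the underlying object could be collected while still usable through the capability. Separately, the item "Currently we can only forward operations that are handled via fileops" is dropped because filtering has moved to the point where a descriptor is used; the XXXRW block would be easier to read against the new design if it said in one line where that filtering now happens.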
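Review bot: in the second hunk (@@ -56,15 +52,14 @@), the removed masking item is genuinely resolved by this change, but the added "Need fexec() or similar primitive" item is an unrelated design TODO bundled into a remove-passthrough commit; it is fine to keep, but a clause on how sandbox entry is expected to interact with the capability-filtered descriptor table would make it actionable. The unchanged context line "sysctl infrastructe sysctls" has a typo ("infrastructure"); since this comment block is being edited anyway, fix it here.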
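Review bot: in the third hunk (@@ -297,117 +292,63 @@), replacing every pass-through body with a bare panic() turns any dispatch path that still reaches the capability's fileops into a userland-triggerable kernel crash, and the new header comment only claims these operations "should never" arrive here, not that they cannot. Safer is to keep the removed `KASSERT(fp->f_type == DTYPE_CAPABILITY, ...)` style assertion for INVARIANTS kernels and have each stub `return (EBADF);` on production kernels, which is what the kernel's existing badfileops stubs do; if the vector is meant to be unreachable, pointing it at those shared stubs would also remove seven near-identical bodies. If the panic stays, use `__func__` in the message instead of repeating each function name by hand.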