Date:      Mon, 19 Oct 2009 15:23:54 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 169596 for review
Message-ID:  <200910191523.n9JFNseu075301@repoman.freebsd.org>

http://p4web.freebsd.org/chv.cgi?CH=169596

Change 169596 by rwatson@rwatson_vimage_client on 2009/10/19 15:23:30

	amd64 also requires capability mode checks.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/trap.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/trap.c#7 (text+ko) ====

@@ -44,6 +44,7 @@
  * AMD64 Trap and System call handling
  */
 
+#include "opt_capabilities.h"
 #include "opt_clock.h"
 #include "opt_cpu.h"
 #include "opt_hwpmc_hooks.h"
@@ -68,6 +69,7 @@
 #include <sys/syscall.h>
 #include <sys/sysctl.h>
 #include <sys/sysent.h>
+#include <sys/ucred.h>
 #include <sys/uio.h>
 #include <sys/vmmeter.h>
 #ifdef KTRACE
@@ -969,6 +971,18 @@
 
 	td->td_syscalls++;
 
+#ifdef CAPABILITIES
+	/*
+	 * In capabilities mode, we only allow access to system calls flagged
+	 * SYF_CAPENABLED.
+	 */
+	if (error == 0) {
+		if (!(callp->sy_flags & SYF_CAPENABLED) &&
+		    (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE))
+			error = ENOSYS;
+	}
+#endif
+
 	if (error == 0) {
 		td->td_retval[0] = 0;
 		td->td_retval[1] = frame->tf_rdx;
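Review bot: The capability-mode gate added after `td->td_syscalls++` is sandbox enforcement copied into a single architecture's syscall path, and the commit message suggests amd64 lacked it until now; any entry path without the same block would let a thread whose credential has `CRED_FLAG_CAPMODE` set reach system calls not flagged `SYF_CAPENABLED`. It would be safer to move the test into one shared helper called from every syscall entry point (whether a 32-bit compatibility path on amd64 carries it is not visible in this change), or at least to mark the copy, e.g. `/* Sandbox enforcement: must match the check in every other syscall entry path. */`. The denial also returns `ENOSYS`, which a caller or an operator reading a trace cannot tell apart from a system call that does not exist; a distinct errno or a trace record at this point would make sandbox denials diagnosable. The enclosing function starts and ends outside the hunk, so where `error` and `callp` are set is assumed rather than seen.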


