From owner-p4-projects@FreeBSD.ORG Sun Feb 3 21:41:10 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 29E1C16A469; Sun, 3 Feb 2008 21:41:10 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E351F16A420 for ; Sun, 3 Feb 2008 21:41:09 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id D98C013C459 for ; Sun, 3 Feb 2008 21:41:09 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m13Lf9he060911 for ; Sun, 3 Feb 2008 21:41:09 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m13Lf9pQ060908 for perforce@freebsd.org; Sun, 3 Feb 2008 21:41:09 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 3 Feb 2008 21:41:09 GMT Message-Id: <200802032141.m13Lf9pQ060908@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 134745 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Feb 2008 21:41:10 -0000 http://perforce.freebsd.org/chv.cgi?CH=134745 Change 134745 by rwatson@rwatson_freebsd_capabilities on 2008/02/03 21:40:37 Move TODO list in sys_capabilities.c to global TODO, and reference it. Trim some done items, such as fexecve(2), capability mode flagging for system calls from the list on the way. Affected files ... .. //depot/projects/trustedbsd/capabilities/TODO#3 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#11 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/TODO#3 (text+ko) ==== @@ -22,3 +22,25 @@ Low-level TODO list: +- Review poll/select/kqueue behavior, and in particular decide if/how we want + CAP_EVENT to work. + +- UNIX domain socket passing of file descriptors may need modification to + take into account indirectly referenced descriptors hung off of + capabilities in its GC routine. + +- Consider moving to per-class capability masks, such as CAP_SOCK_FOO, and a + per-class mask identifying possible rights. + +- Look at multi-operation calls such as getsockopt(), setsockopt(), ioctl(), + fcntl(), etc, which may have both global implications and also reflect a + diverse set of rights. Should we do something more fine-grained and + request a specific capability based on arguments and other context? + +- Should there be a priv(9) privilege to expand capability rights? (no) + +- Refine access control on sysctl infrastructure sysctls, such as name + lookup, etc. + +- mmap(2) needs to look at capability masks, not just file flags to determine + maxprot. ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#11 (text+ko) ==== @@ -37,29 +37,11 @@ * nesting, we directly reference the underlying object but with a new mask, * rather than referencing the previous capability. * - * XXXRW: - * - Some operations, such as poll/select/kqueue are explicitly aware of file - * descriptors and may need adapting. - * - UNIX domain socket passing of file descriptors will likely need work, - * especially relating to garbage collection. Do we need to teach the GC - * routines to walk through capabilities to the underlying object - * descriptors so it knows they are reachable? - * - The list of capability rights is probably inadequate. - * - Should there be a privilege to expand capability rights? - * - Should different underlying object sets have different valid capability - * rights? I.e., CAP_SOCK_*, CAP_VNODE_*, etc? - * - Need a way to mask system calls based on capability mode and only allow - * approved system calls. A flag in syscalls.master? - * - Need to refine access control on sysctl infrastructe sysctls, such as - * name lookup. - * - mmap should incorporate capability rights into maxprot, not just file - * flags. - * - Need fexec() or similar primitive to launch code in a sandbox. What - * should this look like? + * XXXRW: See the global TODO for things that need to be done. */ #include -__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#10 $"); +__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#11 $"); #include #include