Date: Mon, 19 Jan 2009 18:52:32 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 156399 for review Message-ID: <200901191852.n0JIqWBH013962@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=156399
Change 156399 by rwatson@rwatson_freebsd_capabilities on 2009/01/19 18:51:57
For better or worse, we really need sysarch() on amd64 and i386 in order to allow segment registers to be changed. Allow it in capability mode, but specifically disallow certain sysarch functions when in capability mode. This is a less robust approach since it requires carefully watching what gets adding to sysarch().
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/sys_machdep.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/arm/arm/sys_machdep.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/i386/sys_machdep.c#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#25 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sparc64/sparc64/sys_machdep.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/sys_machdep.c#2 (text+ko) ====
@@ -63,6 +63,10 @@
 uint32_t i386base;
 uint64_t a64base;
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
 switch(uap->op) {
 case I386_GET_FSBASE:
 i386base = pcb->pcb_fsbase;
==== //depot/projects/trustedbsd/capabilities/src/sys/arm/arm/sys_machdep.c#2 (text+ko) ====
@@ -104,6 +104,10 @@
 {
 int error;
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
 switch (uap->op) {
 case ARM_SYNC_ICACHE :
 error = arm32_sync_icache(td, uap->parms);
==== //depot/projects/trustedbsd/capabilities/src/sys/i386/i386/sys_machdep.c#5 (text+ko) ====
@@ -33,6 +33,7 @@
 __FBSDID("$FreeBSD: src/sys/i386/i386/sys_machdep.c,v 1.118 2008/10/23 15:53:51 des Exp $");
 #include "opt_kstack_pages.h"
+#include "opt_capabilities.h"
 #include "opt_mac.h"
 #include <sys/param.h>
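Review bot: The added XXXRW comment is the only guard on the amd64 side — nothing in this hunk rejects any op in capability mode, so an op added to this switch later is reachable from a sandbox unless its author happens to read the comment; the policy fails open. A gate placed where the comment sits, immediately before `switch(uap->op)`, that lists the ops reviewed as safe and returns an error for everything else would fail closed instead; the i386 file in this same change already uses `td->td_ucred->cr_flags & CRED_FLAG_CAPMODE` as the test. Such a gate also needs `#include "opt_capabilities.h"`, which this change adds to the i386 file but not here, otherwise `#ifdef CAPABILITIES` compiles out silently. The function begins before the hunk and only `I386_GET_FSBASE` of its ops is visible, so the permitted list below is a skeleton to be completed against the full switch.
```c
	/* … unchanged: local declarations … */
#ifdef CAPABILITIES
	/* Capability mode: permit only ops reviewed as safe; fail closed. */
	if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {
		switch (uap->op) {
		case I386_GET_FSBASE:
		/* … the other segment-base get/set ops, once reviewed … */
			break;
		default:
			return (EPERM);
		}
	}
#endif
	switch(uap->op) {
```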
@@ -128,6 +129,10 @@
 break;
 }
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
 switch(uap->op) {
 case I386_GET_LDT:
 error = i386_get_ldt(td, &kargs.largs);
@@ -160,6 +165,10 @@
 error = i386_set_ioperm(td, &kargs.iargs);
 break;
 case I386_VM86:
+#ifdef CAPABILITIES
+ if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE)
+ return (EPERM);
+#endif
 error = vm86_sysarch(td, uap->parms);
 break;
 case I386_GET_FSBASE:
@@ -317,6 +326,10 @@
 int i, error;
 char *iomap;
+#ifdef CAPABILITIES
+ if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE)
+ return (EPERM);
+#endif
 if ((error = priv_check(td, PRIV_IO)) != 0)
 return (error);
 if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 (text+ko) ====
@@ -38,7 +38,7 @@
 ## - sys_exit(2), abort2(2) and close(2) are very important.
 ## - Sorted alphabetically, please keep it that way.
 ##
-## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#14 $
+## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 $
 ##
 ##
@@ -686,6 +686,13 @@
 sys_exit
 ##
+## sysarch(2) does rather diverse things, but is required on at least i386
+## in order to configure per-thread data. As such, it's scoped on each
+## architecture.
+##
+sysarch
+
+##
 ## Allow thread operations operating only on current process.
 ##
 thr_create
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#25 (text+ko) ====
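Review bot: The capability-mode rejection is a deny list scattered across cases — `I386_VM86` here, and inside `i386_set_ioperm()` in the following hunk — while every other op dispatched from this switch, including `I386_GET_LDT`/`I386_SET_LDT` reached from the earlier hunk, is allowed by default with only the XXXRW comment asking future authors to reconsider, so a newly added op is sandbox-reachable until someone remembers to add a case. A single gate where that comment sits, immediately before the dispatch `switch(uap->op)`, that enumerates the ops permitted in capability mode and rejects the rest would fail closed, and the two `return (EPERM)` sites in this change could then go away. Whether the LDT ops belong on the permitted list, and whether `EPERM` or a capability-mode-specific errno (if this branch defines one for non-`SYF_CAPENABLED` syscalls) is the right return, I can't tell from this page; the case label that routes to `i386_set_ioperm()` is just above the hunk. sysarch()'s body starts before and continues after this hunk.
```c
	/* … unchanged: argument copyin switch … */
#ifdef CAPABILITIES
	/*
	 * Capability mode: only ops listed here are reachable.  A new op
	 * must be added to this list to become available, so an unreviewed
	 * op fails closed rather than open.
	 */
	if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {
		switch (uap->op) {
		case I386_GET_LDT:
		case I386_GET_FSBASE:
		/* … other ops reviewed as safe for capability mode … */
			break;
		case I386_VM86:
		case I386_SET_IOPERM:
		default:
			return (EPERM);
		}
	}
#endif
	switch(uap->op) {
	case I386_GET_LDT:
```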
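Review bot: The new capabilities.conf comment says sysarch(2) is "scoped on each architecture", but in this change only the i386 sys_machdep.c rejects anything in capability mode (`I386_VM86` and the I/O-permission setter); the amd64, arm and sparc64 files receive an XXXRW comment and allow every op. This file is what people read to decide what a sandboxed process can reach, so the entry should state which architectures enforce a per-op policy today, e.g. replace the last line of the comment with `## architecture; currently only i386 rejects ops (VM86 and I/O permission` / `## bitmap changes), other MD implementations allow every op.`. The statement about the other architectures is based on the hunks visible in this change.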
@@ -193,7 +193,7 @@
 { compat4(AS(freebsd4_getdomainname_args),getdomainname), AUE_SYSCTL, NULL, 0, 0, SYF_CAPENABLED }, /* 162 = old getdomainname */
 { compat4(AS(freebsd4_setdomainname_args),setdomainname), AUE_SYSCTL, NULL, 0, 0, 0 }, /* 163 = old setdomainname */
 { compat4(AS(freebsd4_uname_args),uname), AUE_NULL, NULL, 0, 0, 0 }, /* 164 = old uname */
- { AS(sysarch_args), (sy_call_t *)sysarch, AUE_SYSARCH, NULL, 0, 0, 0 }, /* 165 = sysarch */
+ { AS(sysarch_args), (sy_call_t *)sysarch, AUE_SYSARCH, NULL, 0, 0, SYF_CAPENABLED }, /* 165 = sysarch */
 { AS(rtprio_args), (sy_call_t *)rtprio, AUE_RTPRIO, NULL, 0, 0, SYF_CAPENABLED }, /* 166 = rtprio */
 { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 167 = nosys */
 { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 168 = nosys */
==== //depot/projects/trustedbsd/capabilities/src/sys/sparc64/sparc64/sys_machdep.c#2 (text+ko) ====
@@ -53,6 +53,10 @@
 {
 int error;
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
 mtx_lock(&Giant);
 switch (uap->op) {
 case SPARC_SIGTRAMP_INSTALL:
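Review bot: When the check the XXXRW comment asks for is eventually added here, it has to stay above `mtx_lock(&Giant);` — a `return (EPERM)` copied from the i386 hunks of this change into the switch below would return with Giant held, since those i386 sites take no lock; the comment should say so, e.g. append `Any rejection must happen before Giant is taken below, or go through the unlock path.`. As on amd64 and arm, this file does not gain `#include "opt_capabilities.h"`, so an `#ifdef CAPABILITIES` block added here would compile out silently until that include is added. Nothing is rejected on sparc64 by this change; the function begins before the hunk and continues after it.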