From owner-p4-projects@FreeBSD.ORG Mon Jan 19 18:52:34 2009
Date: Mon, 19 Jan 2009 18:52:32 GMT
Message-Id: <200901191852.n0JIqWBH013962@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 156399 for review

http://perforce.freebsd.org/chv.cgi?CH=156399

Change 156399 by rwatson@rwatson_freebsd_capabilities on 2009/01/19 18:51:57

For better or worse, we really need sysarch() on amd64 and i386 in order to allow segment registers to be changed. Allow it in capability mode, but specifically disallow certain sysarch functions when in capability mode. This is a less robust approach since it requires carefully watching what gets added to sysarch().

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/sys_machdep.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/arm/arm/sys_machdep.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/i386/sys_machdep.c#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#25 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sparc64/sparc64/sys_machdep.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/sys_machdep.c#2 (text+ko) ==== @@ -63,6 +63,10 @@ uint32_t i386base; uint64_t a64base; + /* + * XXXRW: As new operations are added here, check that they are safe + * in capability mode. + */ switch(uap->op) { case I386_GET_FSBASE: i386base = pcb->pcb_fsbase; ==== //depot/projects/trustedbsd/capabilities/src/sys/arm/arm/sys_machdep.c#2 (text+ko) ====
@@ -104,6 +104,10 @@ { int error; + /* + * XXXRW: As new operations are added here, check that they are safe + * in capability mode. + */ switch (uap->op) { case ARM_SYNC_ICACHE : error = arm32_sync_icache(td, uap->parms); ==== //depot/projects/trustedbsd/capabilities/src/sys/i386/i386/sys_machdep.c#5 (text+ko) ==== @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD: src/sys/i386/i386/sys_machdep.c,v 1.118 2008/10/23 15:53:51 des Exp $"); #include "opt_kstack_pages.h" +#include "opt_capabilities.h" #include "opt_mac.h" #include @@ -128,6 +129,10 @@ break; } + /* + * XXXRW: As new operations are added here, check that they are safe + * in capability mode. + */ switch(uap->op) { case I386_GET_LDT: error = i386_get_ldt(td, &kargs.largs); @@ -160,6 +165,10 @@ error = i386_set_ioperm(td, &kargs.iargs); break; case I386_VM86: +#ifdef CAPABILITIES + if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) + return (EPERM); +#endif error = vm86_sysarch(td, uap->parms); break; case I386_GET_FSBASE: @@ -317,6 +326,10 @@ int i, error; char *iomap; +#ifdef CAPABILITIES + if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) + return (EPERM); +#endif if ((error = priv_check(td, PRIV_IO)) != 0) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 (text+ko) ==== @@ -38,7 +38,7 @@ ## - sys_exit(2), abort2(2) and close(2) are very important. ## - Sorted alphabetically, please keep it that way. ## -## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#14 $ +## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 $ ## ## 
@@ -686,6 +686,13 @@ sys_exit ## +## sysarch(2) does rather diverse things, but is required on at least i386 +## in order to configure per-thread data. As such, it's scoped on each +## architecture. +## +sysarch + +## ## Allow thread operations operating only on current process. ## thr_create ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#25 (text+ko) ==== @@ -193,7 +193,7 @@ { compat4(AS(freebsd4_getdomainname_args),getdomainname), AUE_SYSCTL, NULL, 0, 0, SYF_CAPENABLED }, /* 162 = old getdomainname */ { compat4(AS(freebsd4_setdomainname_args),setdomainname), AUE_SYSCTL, NULL, 0, 0, 0 }, /* 163 = old setdomainname */ { compat4(AS(freebsd4_uname_args),uname), AUE_NULL, NULL, 0, 0, 0 }, /* 164 = old uname */ - { AS(sysarch_args), (sy_call_t *)sysarch, AUE_SYSARCH, NULL, 0, 0, 0 }, /* 165 = sysarch */ + { AS(sysarch_args), (sy_call_t *)sysarch, AUE_SYSARCH, NULL, 0, 0, SYF_CAPENABLED }, /* 165 = sysarch */ { AS(rtprio_args), (sy_call_t *)rtprio, AUE_RTPRIO, NULL, 0, 0, SYF_CAPENABLED }, /* 166 = rtprio */ { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 167 = nosys */ { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 168 = nosys */ ==== //depot/projects/trustedbsd/capabilities/src/sys/sparc64/sparc64/sys_machdep.c#2 (text+ko) ==== @@ -53,6 +53,10 @@ { int error; + /* + * XXXRW: As new operations are added here, check that they are safe + * in capability mode. + */ mtx_lock(&Giant); switch (uap->op) { case SPARC_SIGTRAMP_INSTALL:
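Review bot: the XXXRW comment in the amd64 sys_machdep.c hunk (@@ -63,6 +63,10 @@) records a review obligation but gates nothing, so a reader cannot tell from the code whether the existing operations were judged safe or simply not examined. Suggest the comment state why the operations already present are allowed, namely that cases such as the visible I386_GET_FSBASE only read or write the calling thread's own pcb state (`pcb->pcb_fsbase`), so that the next operation added has a concrete bar to clear.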
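Review bot: the arm hunk (@@ -104,6 +104,10 @@) adds the same advisory comment without gating any operation. The one visible case, ARM_SYNC_ICACHE, hands `uap->parms` straight to `arm32_sync_icache(td, uap->parms)`; it is acceptable in capability mode only because the operation is confined to the caller's own address space, and the comment should say that this is the property being relied on rather than leaving the per-operation reasoning implicit.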
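Review bot: the `#include "opt_capabilities.h"` added in the i386 hunk at @@ -33,6 +33,7 @@ is what makes the later `#ifdef CAPABILITIES` blocks compile in; without it both gates would silently compile out to nothing, which is an invisible failure mode. amd64, arm and sparc64 do not add the include, which is consistent with them gating nothing, but any future `#ifdef CAPABILITIES` in those files must bring the include with it.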
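Review bot: in the i386 hunk at @@ -128,6 +129,10 @@ the comment sits above a switch whose first visible case, I386_GET_LDT, is left ungated, as is every case other than I386_VM86 and the i386_set_ioperm() path. Since the LDT operations act on the calling process's own descriptor table that is defensible, but the comment should record that determination rather than only asking future authors to make one.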
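Review bot: the I386_VM86 gate in the i386 hunk at @@ -160,6 +165,10 @@ returns EPERM, which a sandboxed caller cannot distinguish from an ordinary privilege failure. If the capability work has, or gains, a dedicated errno for "not permitted in capability mode", use it here and in i386_set_ioperm() so that programs can tell a capability-mode refusal from a missing privilege.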
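Review bot: in i386_set_ioperm() (hunk @@ -317,6 +326,10 @@) the capability-mode check correctly precedes both `priv_check(td, PRIV_IO)` and the securelevel test, so a privileged sandboxed process still cannot widen its I/O permission bitmap. The gate lives inside the helper, though, while the I386_VM86 gate lives in the sysarch() switch; keeping both at one layer (the switch) puts every capability-mode restriction of sysarch() in the single place the commit message says must be carefully watched, and the XXXRW comment could then name the refused operations.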
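Review bot: the capabilities.conf entry (hunk @@ -686,6 +686,13 @@) explains why sysarch is enabled but not which operations each architecture refuses, so someone auditing the allow list from this file alone sees an unconditionally enabled syscall that "does rather diverse things". Suggest naming the refused operations (currently the I386_VM86 case and the i386_set_ioperm() path on i386) and pointing at the per-architecture sys_machdep.c as the place where the gating lives, so the policy is discoverable from the conf file.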
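Review bot: the init_sysent.c hunk (@@ -193,7 +193,7 @@) flips sysarch to SYF_CAPENABLED to match the capabilities.conf change; since this table is normally generated rather than hand-edited, confirm the line came from regenerating the table, otherwise the next regeneration will either drop or duplicate the flag.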
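Review bot: the sparc64 hunk (@@ -53,6 +53,10 @@) places the comment above `mtx_lock(&Giant)` rather than directly above the `switch (uap->op)` it describes, unlike the other three architectures; moving it next to the switch keeps the four copies uniform and less likely to drift apart under later edits. As on amd64 and arm nothing is gated here, so the first visible case, SPARC_SIGTRAMP_INSTALL, rests on the unstated judgement that installing a signal trampoline affects only the calling process.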