Date: Sun, 18 Sep 2016 22:03:07 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r305954 - head/sys/compat/freebsd32 Message-ID: <201609182203.u8IM37x6026446@repo.freebsd.org>
Author: kib Date: Sun Sep 18 22:03:07 2016 New Revision: 305954 URL: https://svnweb.freebsd.org/changeset/base/305954 Log: Add compat32 support for capsicum. Reviewed by: bapt, emaste Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D7942 Added: head/sys/compat/freebsd32/capabilities.conf - copied, changed from r305950, head/sys/kern/capabilities.conf Modified: head/sys/compat/freebsd32/Makefile head/sys/compat/freebsd32/freebsd32_capability.c head/sys/compat/freebsd32/syscalls.master Modified: head/sys/compat/freebsd32/Makefile ============================================================================== --- head/sys/compat/freebsd32/Makefile Sun Sep 18 21:28:09 2016 (r305953) +++ head/sys/compat/freebsd32/Makefile Sun Sep 18 22:03:07 2016 (r305954) @@ -8,7 +8,7 @@ all: sysent: freebsd32_sysent.c freebsd32_syscall.h freebsd32_proto.h freebsd32_systrace_args.c freebsd32_sysent.c freebsd32_syscalls.c freebsd32_syscall.h freebsd32_proto.h freebsd32_systrace_args.c : \ - ../../kern/makesyscalls.sh syscalls.master syscalls.conf + ../../kern/makesyscalls.sh syscalls.master syscalls.conf capabilities.conf sh ../../kern/makesyscalls.sh syscalls.master syscalls.conf clean: Copied and modified: head/sys/compat/freebsd32/capabilities.conf (from r305950, head/sys/kern/capabilities.conf) ============================================================================== --- head/sys/kern/capabilities.conf Sun Sep 18 20:00:17 2016 (r305950, copy source) +++ head/sys/compat/freebsd32/capabilities.conf Sun Sep 18 22:03:07 2016 (r305954) 
@@ -1,10 +1,14 @@ ## ## Copyright (c) 2008-2010 Robert N. M. Watson +## Copyright (c) 2016 The FreeBSD Foundation ## All rights reserved. ## ## This software was developed at the University of Cambridge Computer ## Laboratory with support from a grant from Google, Inc. ## +## Portions of this software were developed by Konstantin Belousov +## under sponsorship from the FreeBSD Foundation. +## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions ## are met: @@ -26,20 +30,14 @@ ## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ## SUCH DAMAGE. ## -## List of system calls enabled in capability mode, one name per line. -## -## Notes: -## - sys_exit(2), abort2(2) and close(2) are very important. -## - Sorted alphabetically, please keep it that way. +## List of system calls enabled in freebsd32 capability mode, one name +## per line. See the original list in the sys/kern/capabilities.conf. +## Position of the compat syscall in this file must be identical to +## the master, to facilitate comparision and diagnostic. ## ## $FreeBSD$ ## -## -## Allow ACL and MAC label operations by file descriptor, subject to -## capability rights. Allow MAC label operations on the current process but -## we will need to scope __mac_get_pid(2). -## __acl_aclcheck_fd __acl_delete_fd __acl_get_fd 
@@ -49,249 +47,82 @@ __mac_get_fd __mac_get_proc __mac_set_fd __mac_set_proc - -## -## Allow sysctl(2) as we scope internal to the call; this is a global -## namespace, but there are several critical sysctls required for almost -## anything to run, such as hw.pagesize. For now that policy lives in the -## kernel for performance and simplicity, but perhaps it could move to a -## proxying daemon in userspace. -## -__sysctl - -## -## Allow umtx operations as these are scoped by address space. -## -## XXRW: Need to check this very carefully. -## -_umtx_op - -## -## Allow process termination using abort2(2). -## +freebsd32_sysctl +freebsd32_umtx_op abort2 - -## -## Allow accept(2) since it doesn't manipulate namespaces directly, rather -## relies on existing bindings on a socket, subject to capability rights. -## accept accept4 - -## -## Allow AIO operations by file descriptor, subject to capability rights. -## aio_cancel -aio_error +freebsd32_aio_error aio_fsync -aio_read -aio_return -aio_suspend -aio_waitcomplete -aio_write - -## -## audit(2) is a global operation, submitting to the global trail, but it is -## controlled by privilege, and it might be useful to be able to submit -## records from sandboxes. For now, disallow, but we may want to think about -## providing some sort of proxy service for this. -## +freebsd32_aio_read +freebsd32_aio_return +freebsd32_aio_suspend +freebsd32_aio_waitcomplete +freebsd32_aio_write #audit - -## -## Allow bindat(2). -## bindat - -## -## Allow capability mode and capability system calls. -## cap_enter cap_fcntls_get cap_fcntls_limit cap_getmode -cap_ioctls_get -cap_ioctls_limit +freebsd32_cap_ioctls_get +freebsd32_cap_ioctls_limit __cap_rights_get cap_rights_limit - -## -## Allow read-only clock operations. -## -clock_getres -clock_gettime - -## -## Always allow file descriptor close(2). -## +freebsd32_clock_getres +freebsd32_clock_gettime close closefrom - -## -## Allow connectat(2). 
-## connectat - -## -## cpuset(2) and related calls require scoping by process, but should -## eventually be allowed, at least in the current process case. -## #cpuset -#cpuset_getaffinity -#cpuset_getid -#cpuset_setaffinity -#cpuset_setid - -## -## Always allow dup(2) and dup2(2) manipulation of the file descriptor table. -## +#freebsd32_cpuset_getaffinity +#freebsd32_cpuset_getid +#freebsd32_cpuset_setaffinity +#freebsd32_cpuset_setid dup dup2 - -## -## Allow extended attribute operations by file descriptor, subject to -## capability rights. -## extattr_delete_fd extattr_get_fd extattr_list_fd extattr_set_fd - -## -## Allow changing file flags, mode, and owner by file descriptor, subject to -## capability rights. -## fchflags fchmod fchown - -## -## For now, allow fcntl(2), subject to capability rights, but this probably -## needs additional scoping. -## -fcntl - -## -## Allow fexecve(2), subject to capability rights. We perform some scoping, -## such as disallowing privilege escalation. -## -fexecve - -## -## Allow flock(2), subject to capability rights. -## +freebsd32_fcntl +freebsd32_fexecve flock - -## -## Allow fork(2), even though it returns pids -- some applications seem to -## prefer this interface. -## fork - -## -## Allow fpathconf(2), subject to capability rights. -## fpathconf - -## -## Allow various file descriptor-based I/O operations, subject to capability -## rights. -## -freebsd6_ftruncate -freebsd6_lseek -freebsd6_mmap -freebsd6_pread -freebsd6_pwrite - -## -## Allow querying file and file system state with fstat(2) and fstatfs(2), -## subject to capability rights. -## -fstat +freebsd6_freebsd32_ftruncate +freebsd6_freebsd32_lseek +freebsd6_freebsd32_mmap +freebsd6_freebsd32_pread +freebsd6_freebsd32_pwrite +freebsd32_fstat fstatfs - -## -## Allow further file descriptor-based I/O operations, subject to capability -## rights. -## fsync ftruncate - -## -## Allow futimens(2) and futimes(2), subject to capability rights. 
-## -futimens -futimes - -## -## Allow querying process audit state, subject to normal access control. -## +freebsd32_futimens +freebsd32_futimes getaudit getaudit_addr getauid - -## -## Allow thread context management with getcontext(2). -## -getcontext - -## -## Allow directory I/O on a file descriptor, subject to capability rights. -## Originally we had separate capabilities for directory-specific read -## operations, but on BSD we allow reading the raw directory data, so we just -## rely on CAP_READ now. -## +freebsd32_getcontext getdents -getdirentries - -## -## Allow querying certain trivial global state. -## +freebsd32_getdirentries getdomainname - -## -## Allow querying certain per-process resource limit state. -## getdtablesize - -## -## Allow querying current process credential state. -## getegid geteuid - -## -## Allow querying certain trivial global state. -## gethostid gethostname - -## -## Allow querying per-process timer. -## -getitimer - -## -## Allow querying current process credential state. -## +freebsd32_getitimer getgid getgroups getlogin - -## -## Allow querying certain trivial global state. -## -getpagesize +freebsd32_getpagesize getpeername - -## -## Allow querying certain per-process scheduling, resource limit, and -## credential state. -## -## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping -## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping. -## getsid(2) needs scoping. -## getpgid getpgrp getpid 
@@ -300,154 +131,53 @@ getpriority getresgid getresuid getrlimit -getrusage +freebsd32_getrusage getsid - -## -## Allow querying socket state, subject to capability rights. -## -## XXXRW: getsockopt(2) may need more attention. -## getsockname getsockopt - -## -## Allow querying the global clock. -## -gettimeofday - -## -## Allow querying current process credential state. -## +freebsd32_gettimeofday getuid - -## -## Allow ioctl(2), which hopefully will be limited by applications only to -## required commands with cap_ioctls_limit(2) syscall. -## -ioctl - -## -## Allow querying current process credential state. -## +freebsd32_ioctl issetugid - -## -## Allow kevent(2), as we will authorize based on capability rights on the -## target descriptor. -## -kevent - -## -## Allow kill(2), as we allow the process to send signals only to himself. -## +freebsd32_kevent kill - -## -## Allow message queue operations on file descriptors, subject to capability -## rights. -## -kmq_notify -kmq_setattr -kmq_timedreceive -kmq_timedsend - -## -## Allow kqueue(2), we will control use. -## +freebsd32_kmq_notify +freebsd32_kmq_setattr +freebsd32_kmq_timedreceive +freebsd32_kmq_timedsend kqueue - -## -## Allow managing per-process timers. -## -ktimer_create +freebsd32_ktimer_create ktimer_delete ktimer_getoverrun -ktimer_gettime -ktimer_settime - -## -## We can't allow ktrace(2) because it relies on a global namespace, but we -## might want to introduce an fktrace(2) of some sort. -## +freebsd32_ktimer_gettime +freebsd32_ktimer_settime #ktrace - -## -## Allow AIO operations by file descriptor, subject to capability rights. -## -lio_listio - -## -## Allow listen(2), subject to capability rights. -## -## XXXRW: One might argue this manipulates a global namespace. -## +freebsd32_lio_listio listen - -## -## Allow I/O-related file descriptors, subject to capability rights. -## -lseek - -## -## Allow simple VM operations on the current process. 
-## +freebsd32_lseek madvise mincore minherit mlock mlockall - -## -## Allow memory mapping a file descriptor, and updating protections, subject -## to capability rights. -## -mmap -mprotect - -## -## Allow simple VM operations on the current process. -## +freebsd32_mmap +freebsd32_mprotect msync munlock munlockall munmap - -## -## Allow the current process to sleep. -## -nanosleep - -## -## Allow querying the global clock. -## +freebsd32_nanosleep ntp_gettime - -## -## Allow AIO operations by file descriptor, subject to capability rights. -## -oaio_read -oaio_write - -## -## Allow simple VM operations on the current process. -## +freebsd6_freebsd32_aio_read +freebsd6_freebsd32_aio_write obreak - -## -## Allow AIO operations by file descriptor, subject to capability rights. -## -olio_listio - -## -## Operations relative to directory capabilities. -## +freebsd6_freebsd32_lio_listio chflagsat faccessat fchmodat fchownat -fstatat -futimesat +freebsd32_fstatat +freebsd32_futimesat linkat mkdirat mkfifoat 
@@ -457,290 +187,98 @@ readlinkat renameat symlinkat unlinkat -utimensat - -## -## Allow entry into open(2). This system call will fail, since access to the -## global file namespace has been disallowed, but allowing entry into the -## syscall means that an audit trail will be generated (which is also very -## useful for debugging). -## +freebsd32_utimensat open - -## -## Process descriptor-related system calls are allowed. -## pdfork pdgetpid pdkill #pdwait4 # not yet implemented - -## -## Allow pipe(2). -## -pipe +freebsd32_pipe pipe2 - -## -## Allow poll(2), which will be scoped by capability rights. -## XXXRW: We don't yet do that scoping. -## poll - -## -## Allow I/O-related file descriptors, subject to capability rights. -## -pread -preadv - -## -## Allow access to profiling state on the current process. -## +freebsd32_pread +freebsd32_preadv profil - -## -## Disallow ptrace(2) for now, but we do need debugging facilities in -## capability mode, so we will want to revisit this, possibly by scoping its -## operation. -## #ptrace - -## -## Allow I/O-related file descriptors, subject to capability rights. -## -pwrite -pwritev +freebsd32_pwrite +freebsd32_pwritev read -readv -recv -recvfrom -recvmsg - -## -## Allow real-time scheduling primitives to be used. -## -## XXXRW: These require scoping. -## +freebsd32_readv +freebsd6_freebsd32_recv +freebsd32_recvfrom +freebsd32_recvmsg rtprio rtprio_thread - -## -## Allow simple VM operations on the current process. -## sbrk - -## -## Allow querying trivial global scheduler state. -## sched_get_priority_max sched_get_priority_min - -## -## Allow various thread/process scheduler operations. -## -## XXXRW: Some of these require further scoping. -## sched_getparam sched_getscheduler sched_rr_get_interval sched_setparam sched_setscheduler sched_yield - -## -## Allow I/O-related file descriptors, subject to capability rights. 
-## sctp_generic_recvmsg sctp_generic_sendmsg sctp_generic_sendmsg_iov sctp_peeloff - -## -## Allow pselect(2) and select(2), which will be scoped by capability rights. -## -## XXXRW: But is it? -## -pselect -select - -## -## Allow I/O-related file descriptors, subject to capability rights. Use of -## explicit addresses here is restricted by the system calls themselves. -## -send -sendfile -sendmsg +freebsd32_pselect +freebsd32_select +freebsd6_freebsd32_send +freebsd32_sendfile +freebsd32_sendmsg sendto - -## -## Allow setting per-process audit state, which is controlled separately by -## privileges. -## setaudit setaudit_addr setauid - -## -## Allow setting thread context. -## -setcontext - -## -## Allow setting current process credential state, which is controlled -## separately by privilege. -## +freebsd32_setcontext setegid seteuid setgid - -## -## Allow use of the process interval timer. -## -setitimer - -## -## Allow setpriority(2). -## -## XXXRW: Requires scoping. -## +freebsd32_setitimer setpriority - -## -## Allow setting current process credential state, which is controlled -## separately by privilege. -## setregid setresgid setresuid setreuid - -## -## Allow setting process resource limits with setrlimit(2). -## setrlimit - -## -## Allow creating a new session with setsid(2). -## setsid - -## -## Allow setting socket options with setsockopt(2), subject to capability -## rights. -## -## XXXRW: Might require scoping. -## setsockopt - -## -## Allow setting current process credential state, which is controlled -## separately by privilege. -## setuid - -## -## shm_open(2) is scoped so as to allow only access to new anonymous objects. -## shm_open - -## -## Allow I/O-related file descriptors, subject to capability rights. -## shutdown - -## -## Allow signal control on current process. 
-## -sigaction -sigaltstack -sigblock -sigpending +freebsd32_sigaction +freebsd32_sigaltstack +freebsd32_sigblock +freebsd32_sigpending sigprocmask sigqueue -sigreturn -sigsetmask -sigstack +freebsd32_sigreturn +freebsd32_sigsetmask +ofreebsd32_sigstack sigsuspend -sigtimedwait -sigvec -sigwaitinfo +freebsd32_sigtimedwait +freebsd32_sigvec +freebsd32_sigwaitinfo sigwait - -## -## Allow creating new socket pairs with socket(2) and socketpair(2). -## socket socketpair - -## -## Allow simple VM operations on the current process. -## -## XXXRW: Kernel doesn't implement this, so drop? -## sstk - -## -## Do allow sync(2) for now, but possibly shouldn't. -## sync - -## -## Always allow process termination with sys_exit(2). -## sys_exit - -## -## sysarch(2) does rather diverse things, but is required on at least i386 -## in order to configure per-thread data. As such, it's scoped on each -## architecture. -## -sysarch - -## -## Allow thread operations operating only on current process. -## +freebsd32_sysarch thr_create thr_exit thr_kill - -## -## Disallow thr_kill2(2), as it may operate beyond the current process. -## -## XXXRW: Requires scoping. -## #thr_kill2 - -## -## Allow thread operations operating only on current process. -## -thr_new +freebsd32_thr_new thr_self thr_set_name -thr_suspend +freebsd32_thr_suspend thr_wake - -## -## Allow manipulation of the current process umask with umask(2). -## umask - -## -## Allow submitting of process trace entries with utrace(2). -## utrace - -## -## Allow generating UUIDs with uuidgen(2). -## uuidgen - -## -## Allow I/O-related file descriptors, subject to capability rights. -## write -writev - -## -## Allow processes to yield(2). 
-## +freebsd32_writev yield Modified: head/sys/compat/freebsd32/freebsd32_capability.c ============================================================================== --- head/sys/compat/freebsd32/freebsd32_capability.c Sun Sep 18 21:28:09 2016 (r305953) +++ head/sys/compat/freebsd32/freebsd32_capability.c Sun Sep 18 22:03:07 2016 (r305954) @@ -49,18 +49,6 @@ __FBSDID("$FreeBSD$"); MALLOC_DECLARE(M_FILECAPS); int -freebsd32_cap_enter(struct thread *td, - struct freebsd32_cap_enter_args *uap) -{ - - /* - * We do not have an equivalent of capabilities.conf for freebsd32 - * compatibility, so do not allow capability mode for now. - */ - return (ENOSYS); -} - -int freebsd32_cap_ioctls_limit(struct thread *td, struct freebsd32_cap_ioctls_limit_args *uap) { @@ -148,14 +136,6 @@ out: #else /* !CAPABILITIES */ int -freebsd32_cap_enter(struct thread *td, - struct freebsd32_cap_enter_args *uap) -{ - - return (ENOSYS); -} - -int freebsd32_cap_ioctls_limit(struct thread *td, struct freebsd32_cap_ioctls_limit_args *uap) { Modified: head/sys/compat/freebsd32/syscalls.master ============================================================================== --- head/sys/compat/freebsd32/syscalls.master Sun Sep 18 21:28:09 2016 (r305953) +++ head/sys/compat/freebsd32/syscalls.master Sun Sep 18 22:03:07 2016 (r305954) @@ -974,7 +974,7 @@ 514 AUE_NULL OBSOL cap_new 515 AUE_CAP_RIGHTS_GET NOPROTO { int __cap_rights_get(int version, \ int fd, cap_rights_t *rightsp); } -516 AUE_CAP_ENTER STD { int freebsd32_cap_enter(void); } +516 AUE_CAP_ENTER NOPROTO { int cap_enter(void); } 517 AUE_CAP_GETMODE NOPROTO { int cap_getmode(u_int *modep); } 518 AUE_PDFORK NOPROTO { int pdfork(int *fdp, int flags); } 519 AUE_PDKILL NOPROTO { int pdkill(int fd, int signum); }
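Review bot: In the Makefile hunk, capabilities.conf is added as a prerequisite of the generated freebsd32_sysent.c / freebsd32_proto.h files, but the `sh ../../kern/makesyscalls.sh syscalls.master syscalls.conf` command line is unchanged. That is only correct if makesyscalls.sh picks up capabilities.conf from the current directory (through syscalls.conf or its own default); otherwise touching the file triggers a regeneration that never reads it. Worth confirming, and a one-line comment above the rule saying where the file is picked up would save the next reader the same question.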
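Review bot: The new header comment in the capabilities.conf hunk has a typo ("comparision" should be "comparison"). More importantly, the rule it states, that every entry must sit at the same position as in sys/kern/capabilities.conf, is not enforced by anything in this patch, and the whole value of the file depends on it: makesyscalls.sh enables capability mode for a syscall only when the name in this file matches the function name in freebsd32/syscalls.master, so a misspelt or misplaced entry (the `freebsd6_freebsd32_*` and `ofreebsd32_sigstack` renames are the easy ones to get wrong) silently leaves that syscall outside capability mode rather than failing the build. Suggest adding a small diff-based check, or at least a line in the header describing how to compare the two files.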
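Review bot: In the freebsd32_capability.c hunks, both the CAPABILITIES and !CAPABILITIES definitions of freebsd32_cap_enter() are removed, and in the syscalls.master hunk entry 516 changes from `STD { int freebsd32_cap_enter(void); }` to `NOPROTO { int cap_enter(void); }`. The Modified list, however, shows no change to the generated freebsd32_sysent.c, freebsd32_proto.h or freebsd32_systrace_args.c, so until those are regenerated the sysent table still references a function that no longer exists and the compat32 build breaks. Either include the regenerated files here or note in the log that a "sysent: regenerate" commit follows immediately.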