From owner-p4-projects@FreeBSD.ORG Tue Jan 20 23:34:05 2009
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id D35961065674; Tue, 20 Jan 2009 23:34:04 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 90584106566C
	for ; Tue, 20 Jan 2009 23:34:04 +0000 (UTC)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 7EAAA8FC12
	for ; Tue, 20 Jan 2009 23:34:04 +0000 (UTC)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n0KNY4CC072383
	for ; Tue, 20 Jan 2009 23:34:04 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n0KNY4GG072381
	for perforce@freebsd.org; Tue, 20 Jan 2009 23:34:04 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Tue, 20 Jan 2009 23:34:04 GMT
Message-Id: <200901202334.n0KNY4GG072381@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 156452 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 20 Jan 2009 23:34:06 -0000

http://perforce.freebsd.org/chv.cgi?CH=156452

Change 156452 by rwatson@rwatson_freebsd_capabilities on 2009/01/20 23:33:35

	When fexecve(2) is called on a dynamically linked ELF binary in
	capability mode, disallow access to the globally named interpreter,
	or specially crafted binaries may be able to gain access to files
	outside of the sandbox.  For now we'll handle only statically linked
	code in capability mode, but later we'll do something more useful.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/kern/imgact_elf.c#4 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/imgact_elf.c#4 (text+ko) ====

@@ -492,9 +492,14 @@
 	imgp->object = NULL;
 	imgp->execlabel = NULL;
 
+	vfslocked = 0;
+	if (curthread->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {
+		nd->ni_vp = NULL;
+		error = EPERM;
+		goto fail;
+	}
 	NDINIT(nd, LOOKUP, MPSAFE|LOCKLEAF|FOLLOW, UIO_SYSSPACE, file,
 	    curthread);
-	vfslocked = 0;
 	if ((error = namei(nd)) != 0) {
 		nd->ni_vp = NULL;
 		goto fail;
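Review bot: the six added lines before NDINIT carry no comment, so a reader of imgact_elf.c cannot tell that refusing the lookup under CRED_FLAG_CAPMODE is a deliberate (and, per the change description, interim) rule that a sandboxed process must not resolve the interpreter path by global name; suggest a short comment above `if (curthread->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {` saying that, and that only statically linked images are accepted in capability mode for now. The mechanics look right: `vfslocked = 0;` moves above the new `goto fail` so the unlock at `fail:` sees an initialised value, and `nd->ni_vp = NULL;` matches the namei() failure path so nothing is released that was never looked up. One thing to consider: EPERM is also what an ordinary permission failure on the interpreter would produce, so a caller cannot distinguish "refused because the process is in capability mode" from "interpreter not executable"; if a capability-mode-specific errno is introduced later, this is a site for it.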
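As an added illustration, not part of this change or of the FreeBSD tree: the interpreter lookup that the change refuses in capability mode starts from the PT_INTERP program header of the image, which names the run-time linker by an absolute path. The C program below, written for this page, parses an in-memory ELF64 image and reports that path, so a sandboxing program can tell in advance whether a binary it intends to fexecve(2) is statically linked (no PT_INTERP, still accepted) or dynamically linked (would now fail with EPERM). It assumes a little-endian host and ELF64 only; the function names, the local struct definitions and the sample image it builds are all constructed here and are not taken from imgact_elf.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 definitions, local to the example so no system ELF header is
 * needed; layout follows the ELF64 spec. A little-endian host is assumed. */
#define PT_INTERP 3
#define EI_CLASS 4
#define EI_DATA 5
#define ELFCLASS64 2
#define ELFDATA2LSB 1

struct elf64_ehdr {
	unsigned char e_ident[16];
	uint16_t e_type, e_machine;
	uint32_t e_version;
	uint64_t e_entry, e_phoff, e_shoff;
	uint32_t e_flags;
	uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};

struct elf64_phdr {
	uint32_t p_type, p_flags;
	uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
};

/* Find the PT_INTERP entry of an in-memory ELF64 image and copy the
 * interpreter path into out. Returns 1 (dynamically linked, path in out),
 * 0 (no PT_INTERP: statically linked) or -1 (malformed or truncated image).
 * Every offset is checked against len before it is read. */
int elf_interp_path(const unsigned char *img, size_t len, char *out, size_t outlen)
{
	struct elf64_ehdr eh;
	struct elf64_phdr ph;
	uint64_t i;
	if (len < sizeof(eh))
		return -1;
	memcpy(&eh, img, sizeof(eh));
	if (memcmp(eh.e_ident, "\177ELF", 4) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
	    eh.e_ident[EI_DATA] != ELFDATA2LSB || eh.e_phentsize != sizeof(ph))
		return -1;
	/* The whole program header table must lie inside the image. */
	if (eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(ph) > len - eh.e_phoff)
		return -1;
	for (i = 0; i < eh.e_phnum; i++) {
		memcpy(&ph, img + eh.e_phoff + i * sizeof(ph), sizeof(ph));
		if (ph.p_type != PT_INTERP)
			continue;
		/* Path must fit in the image and in out, and end in NUL inside p_filesz. */
		if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset || ph.p_filesz == 0 ||
		    ph.p_filesz > outlen || img[ph.p_offset + ph.p_filesz - 1] != '\0')
			return -1;
		memcpy(out, img + ph.p_offset, ph.p_filesz);
		return 1;
	}
	return 0;
}

/* Constructed sample (not a real executable): an ELF64 header followed, when
 * interp is non-NULL, by one PT_INTERP program header and the path string.
 * Returns the image size, or 0 if buf is too small. */
size_t build_sample_image(unsigned char *buf, size_t buflen, const char *interp)
{
	struct elf64_ehdr eh = { { 0 } };
	struct elf64_phdr ph = { 0 };
	size_t ilen = interp ? strlen(interp) + 1 : 0;
	size_t total = sizeof(eh) + (interp ? sizeof(ph) + ilen : 0);
	if (buflen < total)
		return 0;
	memcpy(eh.e_ident, "\177ELF", 4);
	eh.e_ident[EI_CLASS] = ELFCLASS64;
	eh.e_ident[EI_DATA] = ELFDATA2LSB;
	eh.e_phoff = sizeof(eh);
	eh.e_phentsize = sizeof(ph);
	eh.e_phnum = interp ? 1 : 0;
	memcpy(buf, &eh, sizeof(eh));
	if (interp) {
		ph.p_type = PT_INTERP;
		ph.p_offset = sizeof(eh) + sizeof(ph);
		ph.p_filesz = ph.p_memsz = ilen;
		memcpy(buf + sizeof(eh), &ph, sizeof(ph));
		memcpy(buf + ph.p_offset, interp, ilen);
	}
	return total;
}

/* Build the sample with the given interpreter (or none) and classify it;
 * returns elf_interp_path()'s result and leaves any path in out. */
int classify_sample(const char *interp, char *out, size_t outlen)
{
	unsigned char buf[256];
	size_t n = build_sample_image(buf, sizeof(buf), interp);
	return n == 0 ? -1 : elf_interp_path(buf, n, out, outlen);
}

int main(void)
{
	char path[128];
	int r = classify_sample("/libexec/ld-elf.so.1", path, sizeof(path));
	printf("dynamic sample: %d PT_INTERP=%s\n", r, r == 1 ? path : "(none)");
	printf("static sample: %d\n", classify_sample(NULL, path, sizeof(path)));
	return 0;
}
```

The bounds checks are the point of the parser: an attacker-supplied binary is exactly the input the change description worries about, so p_offset and p_filesz are validated before any read, and the interpreter string must be NUL-terminated within p_filesz before it is treated as a path. Those are the checks to have in place before the string is handed to any path lookup, in userland or in a kernel image activator.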