From owner-p4-projects@FreeBSD.ORG Mon Jan 25 17:58:03 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 50D0D1065679; Mon, 25 Jan 2010 17:58:03 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F06CB1065670 for ; Mon, 25 Jan 2010 17:58:02 +0000 (UTC) (envelope-from jona@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id DD93F8FC0A for ; Mon, 25 Jan 2010 17:58:02 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o0PHw2sf091690 for ; Mon, 25 Jan 2010 17:58:02 GMT (envelope-from jona@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o0PHw2mZ091688 for perforce@freebsd.org; Mon, 25 Jan 2010 17:58:02 GMT (envelope-from jona@FreeBSD.org) Date: Mon, 25 Jan 2010 17:58:02 GMT Message-Id: <201001251758.o0PHw2mZ091688@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to jona@FreeBSD.org using -f 
From: Jonathan Anderson To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 173679 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jan 2010 17:58:03 -0000 http://p4web.freebsd.org/chv.cgi?CH=173679 Change 173679 by jona@jona-capsicum-kent64 on 2010/01/25 17:57:56 Enable more *at(2) system calls Affected files ... .. //depot/projects/trustedbsd/capabilities/TODO#18 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#25 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#45 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#28 edit .. //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#29 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/TODO#18 (text+ko) ==== @@ -29,17 +29,18 @@ - Add support for capability-mode *at() system calls: faccessat DONE 2 Dec 2009 JA - fchmodat INPROGRESS JA + fchmodat DONE 22 Jan 2010 JA fchownat ---- fstatat ---- - futimesat ---- + futimesat DONE 22 Jan 2010 JA linkat ---- - mkdirat ---- - mkfifoat ---- - mknodat ---- + mkdirat DONE 22 Jan 2010 JA + rmdirat DONE 22 Jan 2010 JA + mkfifoat DONE 22 Jan 2010 JA + mknodat DONE 22 Jan 2010 JA openat DONE 25 Nov 2009 JA readlinkat ---- - renameat ---- + renameat DONE 22 Jan 2010 JA symlinkat ---- unlinkat ---- ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#25 (text+ko) ==== @@ -38,7 +38,7 @@ ## - sys_exit(2), abort2(2) and close(2) are very important. ## - Sorted alphabetically, please keep it that way. ## -## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#24 $ +## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#25 $ ## ## 
@@ -458,7 +458,13 @@ ## faccessat fchmodat +futimesat +mkdirat +rmdirat +mkfifoat +mknodat openat +renameat ## ## Allow poll(2), which will be scoped by capability rights. ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#45 (text+ko) ==== 
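Review bot: The new entries break the ordering this file asks for — the header visible in the previous hunk says the list is sorted alphabetically, yet `+rmdirat` is placed between `+mkdirat` and `+mkfifoat`; move it after `+renameat` so the block reads futimesat, mkdirat, mkfifoat, mknodat, openat, renameat, rmdirat. Separately, `rmdirat` has no counterpart in the init_sysent.c hunk of this change, where only futimesat, mkdirat, mkfifoat, mknodat and renameat gain SYF_CAPENABLED; if this file drives that table's generation, confirm that a name without a matching syscall entry is rejected loudly rather than silently ignored.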
@@ -528,14 +528,14 @@
{ AS(fchownat_args), (sy_call_t *)fchownat, AUE_FCHOWNAT, NULL, 0, 0, 0 }, /* 491 = fchownat */
{ AS(fexecve_args), (sy_call_t *)fexecve, AUE_FEXECVE, NULL, 0, 0, SYF_CAPENABLED }, /* 492 = fexecve */
{ AS(fstatat_args), (sy_call_t *)fstatat, AUE_FSTATAT, NULL, 0, 0, 0 }, /* 493 = fstatat */
- { AS(futimesat_args), (sy_call_t *)futimesat, AUE_FUTIMESAT, NULL, 0, 0, 0 }, /* 494 = futimesat */
+ { AS(futimesat_args), (sy_call_t *)futimesat, AUE_FUTIMESAT, NULL, 0, 0, SYF_CAPENABLED }, /* 494 = futimesat */
{ AS(linkat_args), (sy_call_t *)linkat, AUE_LINKAT, NULL, 0, 0, 0 }, /* 495 = linkat */
- { AS(mkdirat_args), (sy_call_t *)mkdirat, AUE_MKDIRAT, NULL, 0, 0, 0 }, /* 496 = mkdirat */
- { AS(mkfifoat_args), (sy_call_t *)mkfifoat, AUE_MKFIFOAT, NULL, 0, 0, 0 }, /* 497 = mkfifoat */
- { AS(mknodat_args), (sy_call_t *)mknodat, AUE_MKNODAT, NULL, 0, 0, 0 }, /* 498 = mknodat */
+ { AS(mkdirat_args), (sy_call_t *)mkdirat, AUE_MKDIRAT, NULL, 0, 0, SYF_CAPENABLED }, /* 496 = mkdirat */
+ { AS(mkfifoat_args), (sy_call_t *)mkfifoat, AUE_MKFIFOAT, NULL, 0, 0, SYF_CAPENABLED }, /* 497 = mkfifoat */
+ { AS(mknodat_args), (sy_call_t *)mknodat, AUE_MKNODAT, NULL, 0, 0, SYF_CAPENABLED }, /* 498 = mknodat */
{ AS(openat_args), (sy_call_t *)openat, AUE_OPENAT_RWTC, NULL, 0, 0, SYF_CAPENABLED }, /* 499 = openat */
{ AS(readlinkat_args), (sy_call_t *)readlinkat, AUE_READLINKAT, NULL, 0, 0, 0 }, /* 500 = readlinkat */
- { AS(renameat_args), (sy_call_t *)renameat, AUE_RENAMEAT, NULL, 0, 0, 0 }, /* 501 = renameat */
+ { AS(renameat_args), (sy_call_t *)renameat, AUE_RENAMEAT, NULL, 0, 0, SYF_CAPENABLED }, /* 501 = renameat */
{ AS(symlinkat_args), (sy_call_t *)symlinkat, AUE_SYMLINKAT, NULL, 0, 0, 0 }, /* 502 = symlinkat */
{ AS(unlinkat_args), (sy_call_t *)unlinkat, AUE_UNLINKAT, NULL, 0, 0, 0 }, /* 503 = unlinkat */
{ AS(posix_openpt_args), (sy_call_t *)posix_openpt, AUE_POSIX_OPENPT, NULL, 0, 0, 0 }, /* 504 = posix_openpt */
====
//depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#28 (text+ko) ==== @@ -1372,7 +1372,12 @@ if (error) return (error); restart: + if (IN_CAPABILITY_MODE(td)) + /* only mkfifoat(2) allowed in capability mode */ + return (EOPNOTSUPP); + bwillwrite(); + NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, pathseg, path, fd, td); if ((error = namei(&nd)) != 0) @@ -1498,8 +1503,8 @@ AUDIT_ARG_MODE(mode); restart: bwillwrite(); - NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, - pathseg, path, fd, td); + NDINIT_ATRIGHTS(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, + pathseg, path, fd, CAP_MKFIFO, td); if ((error = namei(&nd)) != 0) return (error); vfslocked = NDHASGIANT(&nd); @@ -3125,8 +3130,8 @@ AUDIT_ARG_OWNER(uid, gid); follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; - NDINIT_AT(&nd, LOOKUP, follow | MPSAFE | AUDITVNODE1, pathseg, path, - fd, td); + NDINIT_ATRIGHTS(&nd, LOOKUP, follow | MPSAFE | AUDITVNODE1, pathseg, path, + fd, CAP_FCHOWN, td); if ((error = namei(&nd)) != 0) return (error); @@ -3341,8 +3346,8 @@ if ((error = getutimes(tptr, tptrseg, ts)) != 0) return (error); - NDINIT_AT(&nd, LOOKUP, FOLLOW | MPSAFE | AUDITVNODE1, pathseg, path, - fd, td); + NDINIT_ATRIGHTS(&nd, LOOKUP, FOLLOW | MPSAFE | AUDITVNODE1, pathseg, path, + fd, CAP_FUTIMES, td); if ((error = namei(&nd)) != 0) return (error); @@ -3672,11 +3677,11 @@ bwillwrite(); #ifdef MAC - NDINIT_AT(&fromnd, DELETE, LOCKPARENT | LOCKLEAF | SAVESTART | MPSAFE | - AUDITVNODE1, pathseg, old, oldfd, td); + NDINIT_ATRIGHTS(&fromnd, DELETE, LOCKPARENT | LOCKLEAF | SAVESTART | + MPSAFE | AUDITVNODE1, pathseg, old, oldfd, CAP_DELETE, td); #else - NDINIT_AT(&fromnd, DELETE, WANTPARENT | SAVESTART | MPSAFE | - AUDITVNODE1, pathseg, old, oldfd, td); + NDINIT_ATRIGHTS(&fromnd, DELETE, WANTPARENT | SAVESTART | MPSAFE | + AUDITVNODE1, pathseg, old, oldfd, CAP_DELETE, td); #endif if ((error = namei(&fromnd)) != 0) 
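Review bot: In the @@ -1372 hunk the capability-mode refusal is placed after the `restart:` label, so it is re-evaluated on every retry, and its explanatory comment sits between the `if` and its unbraced body, which style(9) puts ahead of the statement; consider `/* Only mkfifoat(2) is permitted in capability mode. */` above `if (IN_CAPABILITY_MODE(td))` / `return (EOPNOTSUPP);`, moved before the label so it runs once. EOPNOTSUPP is also what a filesystem returns when it cannot create device nodes, so a sandboxed caller cannot distinguish policy from filesystem support; if this branch already defines a capability-mode errno (later Capsicum uses ECAPMODE), that would be the more precise choice. The enclosing function begins and ends outside the hunk; the comment implies it is the mknodat path, which matches the SYF_CAPENABLED flag mknodat gains in init_sysent.c.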
@@ -3699,8 +3704,8 @@ vrele(fvp); goto out1; } - NDINIT_AT(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | SAVESTART | - MPSAFE | AUDITVNODE2, pathseg, new, newfd, td); + NDINIT_ATRIGHTS(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | + SAVESTART | MPSAFE | AUDITVNODE2, pathseg, new, newfd, CAP_CREATE, td); if (fromnd.ni_vp->v_type == VDIR) tond.ni_cnd.cn_flags |= WILLBEDIR; if ((error = namei(&tond)) != 0) { @@ -3826,8 +3831,8 @@ AUDIT_ARG_MODE(mode); restart: bwillwrite(); - NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, - segflg, path, fd, td); + NDINIT_ATRIGHTS(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, + segflg, path, fd, CAP_MKDIR, td); nd.ni_cnd.cn_flags |= WILLBEDIR; if ((error = namei(&nd)) != 0) return (error); @@ -3915,8 +3920,8 @@ restart: bwillwrite(); - NDINIT_AT(&nd, DELETE, LOCKPARENT | LOCKLEAF | MPSAFE | AUDITVNODE1, - pathseg, path, fd, td); + NDINIT_ATRIGHTS(&nd, DELETE, LOCKPARENT | LOCKLEAF | MPSAFE | AUDITVNODE1, + pathseg, path, fd, CAP_RMDIR, td); if ((error = namei(&nd)) != 0) return (error); vfslocked = NDHASGIANT(&nd); ==== //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#29 (text+ko) ==== @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#28 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#29 $ */ /* 
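Review bot: The target lookup in the @@ -3699 hunk demands only CAP_CREATE on `newfd`, but a rename whose destination already exists replaces, and so effectively removes, that entry; a directory capability carrying CAP_CREATE without CAP_DELETE would then suffice to remove names under it, whereas the source side in the previous hunk is guarded by CAP_DELETE. Unless CAP_CREATE is intended to include replacing an existing entry, require both on the destination, e.g. `SAVESTART | MPSAFE | AUDITVNODE2, pathseg, new, newfd, CAP_CREATE | CAP_DELETE, td);`, or state in capability.h that CAP_CREATE permits overwriting. The enclosing function begins outside the hunk.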
@@ -98,7 +98,12 @@
#define CAP_FSCK 0x0004000000000000ULL /* sysctl_ffs_fsck */
#define CAP_ATBASE 0x0008000000000000ULL /* openat(2), etc. */
#define CAP_ABSOLUTEPATH 0x0010000000000000ULL /* abs. lookup from '/' */
-#define CAP_MASK_VALID 0x001fffffffffffffULL
+#define CAP_CREATE 0x0020000000000000ULL /* open, rename, etc. */
+#define CAP_DELETE 0x0040000000000000ULL /* rename, remove, etc. */
+#define CAP_MKDIR 0x0080000000000000ULL /* mkdirat(2), mknodat(2) */
+#define CAP_RMDIR 0x0100000000000000ULL /* rmdirat(2) */
+#define CAP_MKFIFO 0x0200000000000000ULL /* mkfifoat(2) */
+#define CAP_MASK_VALID 0x03ffffffffffffffULL
/*
* Notes:
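Review bot: The comment on the new `CAP_MKDIR` bit claims it covers `mknodat(2)`, but in the vfs_syscalls.c hunk the mknodat path returns EOPNOTSUPP outright in capability mode and never requests CAP_MKDIR; either the comment should read `/* mkdirat(2) */` or the mknodat lookup should become an NDINIT_ATRIGHTS call with whatever right it is meant to require. The comments on `CAP_CREATE` (`open, rename, etc.`) and `CAP_DELETE` (`rename, remove, etc.`) are also looser than the rest of the table; naming the lookups that check them in this change — the renameat target and source respectively — would let a reader audit the right-to-syscall mapping. The widened `CAP_MASK_VALID` of 0x03ffffffffffffffULL does cover the five new bits.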