Date: Mon, 4 Feb 2008 14:35:08 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 134780 for review Message-ID: <200802041435.m14EZ7Zs086318@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=134780

Change 134780 by rwatson@rwatson_freebsd_capabilities on 2008/02/04 14:34:36

	Remove CAP_FCHDIR, fchdir() no longer permitted in capability mode so notrequired. Remove CAP_GETDIRENTRIES and just use CAP_READ, since CAP_READ allows reading directory contents anyway. Teach vfs_acl.c and vfs_extattr.c to use getvnode_cap(), which requires making it non-static. Use ACL and EXTATTR capabilities. Define cap_rights_t in types.h (and _types.h) and nested include that from capability.h. As a result, explicit includes of capability.h are now required in any .c file that uses a CAP_ constant, so update. We no longer leak the include of capability.h all over the place though.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/dev/aac/aac_linux.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/amr/amr_linux.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/hwpmc/hwpmc_logging.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/iscsi/initiator/iscsi.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/tdfx/tdfx_linux.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/fs/fdescfs/fdesc_vnops.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_fcntl.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_ioctl.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_event.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#8 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_generic.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_acl.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_aio.c#4 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_extattr.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/nfsserver/nfs_syscalls.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/_types.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#10 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/file.h#4 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/filedesc.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/types.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/vm/vm_mmap.c#3 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/dev/aac/aac_linux.c#3 (text+ko) ====

@@ -33,6 +33,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
 #include <sys/module.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/dev/amr/amr_linux.c#3 (text+ko) ====

@@ -30,6 +30,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
 #include <sys/module.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/dev/hwpmc/hwpmc_logging.c#3 (text+ko) ====

@@ -37,6 +37,7 @@
 __FBSDID("$FreeBSD: src/sys/dev/hwpmc/hwpmc_logging.c,v 1.9 2007/12/07 08:20:15 jkoshy Exp $");
 
 #include <sys/param.h>
+#include <sys/capability.h>
 #include <sys/file.h>
 #include <sys/kernel.h>
 #include <sys/kthread.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/dev/iscsi/initiator/iscsi.c#3 (text+ko) ====

@@ -35,6 +35,7 @@
 #include "opt_iscsi_initiator.h"
 
 #include <sys/param.h>
+#include <sys/capability.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/conf.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/dev/tdfx/tdfx_linux.c#3 (text) ====
@@ -28,6 +28,7 @@
 __FBSDID("$FreeBSD: src/sys/dev/tdfx/tdfx_linux.c,v 1.1 2006/03/03 21:37:36 yar Exp $");
 
 #include <sys/param.h>
+#include <sys/capability.h>
 #include <sys/file.h>
 #include <sys/kernel.h>
 #include <sys/module.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/fs/fdescfs/fdesc_vnops.c#3 (text+ko) ====

@@ -40,6 +40,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/conf.h>
 #include <sys/dirent.h>
 #include <sys/filedesc.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_fcntl.c#3 (text+ko) ====

@@ -32,6 +32,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/fcntl.h>
 #include <sys/file.h>
 #include <sys/filedesc.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_ioctl.c#3 (text+ko) ====

@@ -31,6 +31,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/consio.h>
 #include <sys/fcntl.h>
 #include <sys/file.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_event.c#3 (text+ko) ====

@@ -32,6 +32,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#8 (text+ko) ====

@@ -34,6 +34,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/eventhandler.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_generic.c#3 (text+ko) ====

@@ -43,6 +43,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
+#include <sys/capability.h>
 #include <sys/filedesc.h>
 #include <sys/filio.h>
 #include <sys/fcntl.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_acl.c#2 (text+ko) ====

@@ -40,6 +40,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
+#include <sys/capability.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mount.h>
@@ -272,7 +273,8 @@
 	struct file *fp;
 	int vfslocked, error;
 
-	error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_GET,
+	    &fp);
 	if (error == 0) {
 		vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
 		error = vacl_get_acl(td, fp->f_vnode, uap->type, uap->aclp);
@@ -291,7 +293,8 @@
 	struct file *fp;
 	int vfslocked, error;
 
-	error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_SET,
+	    &fp);
 	if (error == 0) {
 		vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
 		error = vacl_set_acl(td, fp->f_vnode, uap->type, uap->aclp);
@@ -350,7 +353,8 @@
 	struct file *fp;
 	int vfslocked, error;
 
-	error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_DELETE,
+	    &fp);
 	if (error == 0) {
 		vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
 		error = vacl_delete(td, fp->f_vnode, uap->type);
@@ -409,7 +413,8 @@
 	struct file *fp;
 	int vfslocked, error;
 
-	error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_CHECK,
+	    &fp);
 	if (error == 0) {
 		vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
 		error = vacl_aclcheck(td, fp->f_vnode, uap->type, uap->aclp);

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_aio.c#4 (text+ko) ====

@@ -26,6 +26,7 @@
 #include <sys/malloc.h>
 #include <sys/bio.h>
 #include <sys/buf.h>
+#include <sys/capability.h>
 #include <sys/eventhandler.h>
 #include <sys/sysproto.h>
 #include <sys/filedesc.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_extattr.c#2 (text+ko) ====

@@ -33,6 +33,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/lock.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
@@ -219,7 +220,8 @@
 		return (error);
 	AUDIT_ARG(text, attrname);
 
-	error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_SET,
+	    &fp);
 	if (error)
 		return (error);
 
@@ -400,7 +402,8 @@
 		return (error);
 	AUDIT_ARG(text, attrname);
 
-	error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_GET,
+	    &fp);
 	if (error)
 		return (error);
 
@@ -551,7 +554,8 @@
 		return (error);
 	AUDIT_ARG(text, attrname);
 
-	error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_DELETE,
+	    &fp);
 	if (error)
 		return (error);
 
@@ -711,7 +715,8 @@
 	AUDIT_ARG(fd, uap->fd);
 	AUDIT_ARG(value, uap->attrnamespace);
 
-	error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+	error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_LIST,
+	    &fp);
 	if (error)
 		return (error);
 

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#5 (text+ko) ====

@@ -142,7 +142,7 @@
  * it is a capability, the right rights are present. A reference on the file
  * entry is held upon returning.
  */
-static int
+int
 getvnode_cap(struct filedesc *fdp, int fd, cap_rights_t rights,
     struct file **fpp)
 {
@@ -811,7 +811,7 @@
 	int error;
 
 	AUDIT_ARG(fd, uap->fd);
-	if ((error = getvnode_cap(fdp, uap->fd, CAP_FCHDIR, &fp)) != 0)
+	if ((error = getvnode(fdp, uap->fd, &fp)) != 0)
 		return (error);
 	vp = fp->f_vnode;
 	VREF(vp);
@@ -3618,8 +3618,8 @@
 	/* XXX arbitrary sanity limit on `count'. */
 	if (uap->count > 64 * 1024)
 		return (EINVAL);
-	if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd,
-	    CAP_GETDIRENTRIES, &fp)) != 0)
+	if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_GETREAD,
+	    &fp)) != 0)
 		return (error);
 	if ((fp->f_flag & FREAD) == 0) {
 		fdrop(fp, td);
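Review bot: The getdirentries hunk at @@ -3618 passes `CAP_GETREAD` to getvnode_cap(), while the parallel hunk at @@ -3761, the change description and every visible capability.h definition use `CAP_READ`; no `CAP_GETREAD` appears anywhere in this change, so this looks like a typo that would fail to compile as an undeclared identifier. The line should read `if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_READ,`. Both enclosing functions continue outside their hunks. Separately, the @@ -811 hunk drops the rights check from fchdir() entirely, which is only safe if capability mode already refuses fchdir() before this point; that refusal is not visible in this change and is worth confirming with a comment at the call site.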
@@ -3761,8 +3761,8 @@
 	int error, eofflag;
 
 	AUDIT_ARG(fd, uap->fd);
-	if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd,
-	    CAP_GETDIRENTRIES, &fp)) != 0)
+	if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_READ,
+	    &fp)) != 0)
 		return (error);
 	if ((fp->f_flag & FREAD) == 0) {
 		fdrop(fp, td);

==== //depot/projects/trustedbsd/capabilities/src/sys/nfsserver/nfs_syscalls.c#3 (text+ko) ====

@@ -40,6 +40,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
+#include <sys/capability.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
 #include <sys/file.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/_types.h#2 (text+ko) ====

@@ -38,6 +38,7 @@
 typedef __uint32_t __blksize_t; /* file block size */
 typedef __int64_t __blkcnt_t; /* file block count */
 typedef __int32_t __clockid_t; /* clock_gettime()... */
+typedef __uint64_t __cap_rights_t; /* capability rights */
 typedef __uint32_t __fflags_t; /* file flags */
 typedef __uint64_t __fsblkcnt_t;
 typedef __uint64_t __fsfilcnt_t;

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#10 (text+ko) ====

@@ -23,7 +23,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#9 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#10 $
  */
 
 /*
@@ -32,19 +32,13 @@
 #ifndef _SYS_CAPABILITY_H_
 #define _SYS_CAPABILITY_H_
 
-/*
- * cap_rights_t defines a mask of rights on a capability. In the future,
- * perhaps this should be a type supporting more than 64 rights on a
- * capability.
- */
-typedef u_int64_t cap_rights_t;
+#include <sys/types.h>
 
 /*
  * Possibly rights on capabilities.
  */
 #define CAP_READ 0x0000000000000001ULL /* read/recv */
 #define CAP_WRITE 0x0000000000000002ULL /* write/send */
-#define CAP_FCHDIR 0x0000000000000004ULL /* fchdir */
 #define CAP_SEEK 0x0000000000000008ULL /* lseek, various io */
 #define CAP_GETPEERNAME 0x0000000000000010ULL /* getpeername */
 #define CAP_GETSOCKNAME 0x0000000000000020ULL /* getsockname */
@@ -59,7 +53,6 @@
 #define CAP_FCHMOD 0x0000000000004000ULL /* fchmod */
 #define CAP_FTRUNCATE 0x0000000000008000ULL /* ftruncate */
 #define CAP_FLOCK 0x0000000000010000ULL /* flock */
-#define CAP_GETDIRENTRIES 0x0000000000020000ULL /* getdirentries */
 #define CAP_FSTATFS 0x0000000000040000ULL /* fstatfs */
 #define CAP_REVOKE 0x0000000000080000ULL /* revoke */
 #define CAP_FEXECVE 0x0000000000100000ULL /* fexecve */
@@ -84,7 +77,7 @@
 #define CAP_LISTEN 0x0000008000000000ULL /* listen */
 #define CAP_SHUTDOWN 0x0000010000000000ULL /* shutdown */
 #define CAP_PEELOFF 0x0000020000000000ULL /* sctp_peeloff */
-#define CAP_MASK_VALID 0x000003ffffffffffULL
+#define CAP_MASK_VALID 0x000003fffffdfffbULL
 
 /*
  * Notes:

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/file.h#4 (text+ko) ====

@@ -38,7 +38,6 @@
 #include <sys/fcntl.h>
 #include <sys/unistd.h>
 #else
-#include <sys/capability.h>
 #include <sys/queue.h>
 #include <sys/_lock.h>
 #include <sys/_mutex.h>

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/filedesc.h#2 (text+ko) ====
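Review bot: `CAP_MASK_VALID` in the @@ -84 hunk of capability.h is a hand-computed literal that now leaves holes at bits 0x4 and 0x20000, the positions CAP_FCHDIR and CAP_GETDIRENTRIES vacate in the @@ -32 and @@ -59 hunks, and nothing in the header records that those positions are retired. A later right assigned one of them would be accepted from any caller built against the old header that still requests the old bit, which is the kind of silent widening a rights mask exists to prevent. A comment above the define such as `/* Bits 0x4 and 0x20000 were CAP_FCHDIR and CAP_GETDIRENTRIES; retired, do not reuse. */`, or building the mask as an OR of the CAP_ constants so it cannot drift from the definitions, would make the intent explicit. The new value itself is consistent with the two removals.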
@@ -126,6 +126,8 @@
 filedesc_to_leader_alloc(struct filedesc_to_leader *old,
     struct filedesc *fdp, struct proc *leader);
 int getvnode(struct filedesc *fdp, int fd, struct file **fpp);
+int getvnode_cap(struct filedesc *fdp, int fd, cap_rights_t rights,
+    struct file **fpp);
 void mountcheckdirs(struct vnode *olddp, struct vnode *newdp);
 void setugidsafety(struct thread *td);

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/types.h#2 (text+ko) ====

@@ -129,6 +129,8 @@
 #define _BLKCNT_T_DECLARED
 #endif
 
+typedef __cap_rights_t cap_rights_t;
+
 #ifndef _CLOCK_T_DECLARED
 typedef __clock_t clock_t;
 #define _CLOCK_T_DECLARED

==== //depot/projects/trustedbsd/capabilities/src/sys/vm/vm_mmap.c#3 (text+ko) ====

@@ -49,6 +49,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
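Review bot: The `cap_rights_t` typedef added in the types.h hunk at @@ -129 is unconditional, while the neighbouring typedefs visible in the same hunk (`_BLKCNT_T_DECLARED`, `_CLOCK_T_DECLARED`) follow the header's `#ifndef _*_T_DECLARED` guard convention so the type can be declared from more than one header without a redefinition error. Since capability.h now includes types.h and the type is meant to be shared, the same guard would keep it consistent: `#ifndef _CAP_RIGHTS_T_DECLARED`, `typedef __cap_rights_t cap_rights_t;`, `#define _CAP_RIGHTS_T_DECLARED`, then `#endif`. The comment describing what the mask holds was removed from capability.h in its @@ -32 hunk and not carried over; a one-line `/* mask of rights on a capability */` next to the new typedef would preserve it.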