From owner-p4-projects@FreeBSD.ORG Mon Feb 4 18:04:56 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9BA1116A421; Mon, 4 Feb 2008 18:04:56 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 48CCC16A41B for ; Mon, 4 Feb 2008 18:04:56 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 35E6A13C442 for ; Mon, 4 Feb 2008 18:04:56 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m14I4ufF013247 for ; Mon, 4 Feb 2008 18:04:56 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m14I4u9E013244 for perforce@freebsd.org; Mon, 4 Feb 2008 18:04:56 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Mon, 4 Feb 2008 18:04:56 GMT Message-Id: <200802041804.m14I4u9E013244@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 134793 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Feb 2008 18:04:56 -0000 http://perforce.freebsd.org/chv.cgi?CH=134793 Change 134793 by rwatson@rwatson_freebsd_capabilities on 2008/02/04 18:04:23 Update comments. Use ENOTCAPABLE rather than EPERM since expanding capability rights fails due to a lack of capability rights. We don't want privilege to be able to override this in the current thinking. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#13 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#13 (text+ko) ==== @@ -41,7 +41,7 @@ */ #include -__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#12 $"); +__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#13 $"); #include #include @@ -211,14 +211,11 @@ * If a new capability is being derived from an existing capability, * then the new capability rights must be a subset of the existing * rights. - * - * XXXRW: Should we have a priv_check() here that can override this - * policy? */ if (fp->f_type == DTYPE_CAPABILITY) { c_old = fp->f_data; if ((c_old->cap_rights | uap->rights) != c_old->cap_rights) { - error = EPERM; + error = ENOTCAPABLE; goto fail2; } } @@ -232,7 +229,10 @@ /* * Rather than nesting capabilities, directly reference the object an - * existing capability references. + * existing capability references. There's nothing else interesting + * to preserve for future use, as we've incorporated the previous + * rights mask into the new one. This prevents us from having to + * deal with capability chains. */ if (fp->f_type == DTYPE_CAPABILITY) fp_object = ((struct capability *)fp->f_data)->cap_file;