Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 22 Oct 2024 18:45:23 GMT
From:      Brooks Davis <brooks@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 8ae9921f2e9e - main - sys_capability.c: update the source of CAPENABLED
Message-ID:  <202410221845.49MIjNga023945@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by brooks:

URL: https://cgit.FreeBSD.org/src/commit/?id=8ae9921f2e9e770462613bb6bae76a470dbdfcbd

commit 8ae9921f2e9e770462613bb6bae76a470dbdfcbd
Author:     Brooks Davis <brooks@FreeBSD.org>
AuthorDate: 2024-10-22 17:49:43 +0000
Commit:     Brooks Davis <brooks@FreeBSD.org>
CommitDate: 2024-10-22 18:44:41 +0000

    sys_capability.c: update the source of CAPENABLED
    
    System calls allowed in capability mode have been specified by the
    CAPENABLED flag in syscalls.master since 2021.
---
 sys/kern/sys_capability.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/kern/sys_capability.c b/sys/kern/sys_capability.c
index e71dc4f3285b..d43102ab7849 100644
--- a/sys/kern/sys_capability.c
+++ b/sys/kern/sys_capability.c
@@ -50,11 +50,12 @@
  * derived from existing capabilities, but only if they have the same or a
  * strict subset of the rights on the original capability.
  *
- * System calls permitted in capability mode are defined in capabilities.conf;
- * calls must be carefully audited for safety to ensure that they don't allow
- * escape from a sandbox.  Some calls permit only a subset of operations in
- * capability mode -- for example, shm_open(2) is limited to creating
- * anonymous, rather than named, POSIX shared memory objects.
+ * System calls permitted in capability mode are defined by CAPENABLED
+ * flags in syscalls.master; calls must be carefully audited for safety
+ * to ensure that they don't allow escape from a sandbox.  Some calls
+ * permit only a subset of operations in capability mode -- for example,
+ * shm_open(2) is limited to creating anonymous, rather than named,
+ * POSIX shared memory objects.
  */
 
 #include <sys/cdefs.h>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202410221845.49MIjNga023945>