From owner-svn-src-head@FreeBSD.ORG  Tue Mar  1 13:35:48 2011
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 62098106566B;
	Tue,  1 Mar 2011 13:35:48 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 5005D8FC15;
	Tue,  1 Mar 2011 13:35:48 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p21DZmPv028584;
	Tue, 1 Mar 2011 13:35:48 GMT (envelope-from rwatson@svn.freebsd.org)
Received: (from rwatson@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id p21DZmJ7028579;
	Tue, 1 Mar 2011 13:35:48 GMT (envelope-from rwatson@svn.freebsd.org)
Message-Id: <201103011335.p21DZmJ7028579@svn.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Tue, 1 Mar 2011 13:35:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r219134 - in head/sys: amd64/amd64 arm/arm i386/i386
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2011 13:35:48 -0000

Author: rwatson
Date: Tue Mar  1 13:35:48 2011
New Revision: 219134
URL: http://svn.freebsd.org/changeset/base/219134

Log:
  Continue to introduce Capsicum capability mode:
  
  White list sysarch calls allowed in capability mode; arguably, there
  should be some link between the capability mode model and the privilege
  model here.  Sysarch is a morass similar to ioctl, in many senses.
  
  Submitted by:	anderson
  Discussed with:	benl, kris, pjd
  Sponsored by:	Google, Inc.
  Obtained from:	Capsicum Project
  MFC after:	3 months

Modified:
  head/sys/amd64/amd64/sys_machdep.c
  head/sys/arm/arm/sys_machdep.c
  head/sys/i386/i386/sys_machdep.c

Modified: head/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- head/sys/amd64/amd64/sys_machdep.c	Tue Mar  1 13:32:07 2011	(r219133)
+++ head/sys/amd64/amd64/sys_machdep.c	Tue Mar  1 13:35:48 2011	(r219134)
@@ -33,8 +33,11 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_capabilities.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
@@ -177,6 +180,32 @@ sysarch(td, uap)
 	uint64_t a64base;
 	struct i386_ioperm_args iargs;
 
+#ifdef CAPABILITIES
+	/*
+	 * Whitelist of operations which are safe enough for capability mode.
+	 */
+	if (IN_CAPABILITY_MODE(td)) {
+		switch (uap->op) {
+			case I386_GET_LDT:
+			case I386_SET_LDT:
+			case I386_GET_IOPERM:
+			case I386_GET_FSBASE:
+			case I386_SET_FSBASE:
+			case I386_GET_GSBASE:
+			case I386_SET_GSBASE:
+			case AMD64_GET_FSBASE:
+			case AMD64_SET_FSBASE:
+			case AMD64_GET_GSBASE:
+			case AMD64_SET_GSBASE:
+				break;
+
+			case I386_SET_IOPERM:
+			default:
+				return (ECAPMODE);
+		}
+	}
+#endif
+
 	if (uap->op == I386_GET_LDT || uap->op == I386_SET_LDT)
 		return (sysarch_ldt(td, uap, UIO_USERSPACE));
 	/*

Modified: head/sys/arm/arm/sys_machdep.c
==============================================================================
--- head/sys/arm/arm/sys_machdep.c	Tue Mar  1 13:32:07 2011	(r219133)
+++ head/sys/arm/arm/sys_machdep.c	Tue Mar  1 13:35:48 2011	(r219134)
@@ -36,8 +36,11 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_capabilities.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/capability.h>
 #include <sys/proc.h>
 #include <sys/sysproto.h>
 #include <sys/syscall.h>
@@ -104,6 +107,24 @@ sysarch(td, uap)
 {
 	int error;
 
+#ifdef CAPABILITIES
+	/*
+	 * Whitelist of operations which are safe enough for capability mode.
+	 */
+	if (IN_CAPABILITY_MODE(td)) {
+		switch (uap->op) {
+			case ARM_SYNC_ICACHE:
+			case ARM_DRAIN_WRITEBUF:
+			case ARM_SET_TP:
+			case ARM_GET_TP:
+				break;
+
+			default:
+				return (ECAPMODE);
+		}
+	}
+#endif
+
 	switch (uap->op) {
 	case ARM_SYNC_ICACHE : 
 		error = arm32_sync_icache(td, uap->parms);

Modified: head/sys/i386/i386/sys_machdep.c
==============================================================================
--- head/sys/i386/i386/sys_machdep.c	Tue Mar  1 13:32:07 2011	(r219133)
+++ head/sys/i386/i386/sys_machdep.c	Tue Mar  1 13:35:48 2011	(r219134)
@@ -32,9 +32,11 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_capabilities.h"
 #include "opt_kstack_pages.h"
 
 #include <sys/param.h>
+#include <sys/capability.h>
 #include <sys/systm.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
@@ -108,6 +110,29 @@ sysarch(td, uap)
 	struct segment_descriptor sd, *sdp;
 
 	AUDIT_ARG_CMD(uap->op);
+
+#ifdef CAPABILITIES
+	/*
+	 * Whitelist of operations which are safe enough for capability mode.
+	 */
+	if (IN_CAPABILITY_MODE(td)) {
+		switch (uap->op) {
+			case I386_GET_LDT:
+			case I386_SET_LDT:
+			case I386_GET_IOPERM:
+			case I386_GET_FSBASE:
+			case I386_SET_FSBASE:
+			case I386_GET_GSBASE:
+			case I386_SET_GSBASE:
+				break;
+
+			case I386_SET_IOPERM:
+			default:
+				return (ECAPMODE);
+		}
+	}
+#endif
+
 	switch (uap->op) {
 	case I386_GET_IOPERM:
 	case I386_SET_IOPERM: