Date: Sat, 13 Aug 2011 10:43:21 +0000 (UTC)
From: Jonathan Anderson <jonathan@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r224812 - head/sys/kern
Message-ID: <201108131043.p7DAhLtP010291@svn.freebsd.org>
Author: jonathan
Date: Sat Aug 13 10:43:21 2011
New Revision: 224812

URL: http://svn.freebsd.org/changeset/base/224812

Log:
  Allow openat(2), fstatat(2), etc. in capability mode.

  namei() and lookup() can now perform "strictly relative" lookups. Such
  lookups, performed when in capability mode or when looking up relative to
  a directory capability, enforce two policies:

  - absolute paths are disallowed (including symlinks to absolute paths)
  - paths containing '..' components are disallowed

  These constraints make it safe to enable openat() and friends. These
  system calls are instrumental in supporting Capsicum components such as
  the capability-mode-aware runtime linker.

  Finally, adjust comments in capabilities.conf to reflect the actual state
  of the world (e.g. shm_open(2) already has the appropriate constraints,
  getdents(2) already requires CAP_SEEK).

  Approved by:    re (bz), mentor (rwatson)
  Sponsored by:   Google Inc.

Modified:
  head/sys/kern/capabilities.conf

Modified: head/sys/kern/capabilities.conf
==============================================================================
--- head/sys/kern/capabilities.conf	Sat Aug 13 10:23:52 2011	(r224811)
+++ head/sys/kern/capabilities.conf	Sat Aug 13 10:43:21 2011	(r224812)
@@ -239,9 +239,7 @@ getcontext ## Allow directory I/O on a file descriptor, subject to capability rights. ## Originally we had separate capabilities for directory-specific read ## operations, but on BSD we allow reading the raw directory data, so we just -## rely on CAP_READ (etc) now. -## -## XXXRW: Possibly these should also use CAP_SEEK. +## rely on CAP_READ and CAP_SEEK now. ## getdents getdirentries
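Review bot: the rewritten comment for getdents/getdirentries now asserts "rely on CAP_READ and CAP_SEEK now", but capabilities.conf only records which syscalls may be entered in capability mode; the rights check itself is not in this hunk. Since the log justifies the change with "getdents(2) already requires CAP_SEEK", name where that is enforced in the comment (or in the log) so the comment and the enforcing code cannot silently drift apart the way the old "XXXRW: Possibly these should also use CAP_SEEK" note did.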
@@ -447,28 +445,26 @@ obreak olio_listio ## -## Once Capsicum is fully merged, some of the *at(2) calls which can be -## semantically constrained will be permitted in capability mode. For now, -## we will simply not allow them to be called. -## -#faccessat -#fstatat -#fchmodat -#futimesat -#mkdirat -#rmdirat -#mkfifoat -#mknodat -#openat -#renameat - -## -## ONCE CAPSICUM IS FULLY MERGED: -## Allow entry into open(2). This system call will fail, since access to the global -## file namespace has been disallowed, but allowing entry into the syscall means -## that an audit trail will be generated (which is also very useful for debugging), +## Operations relative to directory capabilities. +## +faccessat +fstatat +fchmodat +futimesat +mkdirat +rmdirat +mkfifoat +mknodat +openat +renameat + +## +## Allow entry into open(2). This system call will fail, since access to the +## global file namespace has been disallowed, but allowing entry into the +## syscall means that an audit trail will be generated (which is also very +## useful for debugging). ## -#open +open ## ## Allow poll(2), which will be scoped by capability rights. @@ -648,11 +644,9 @@ setsockopt setuid ## -## ONCE CAPSICUM IS FULLY MERGED: -## Allow shm_open(2), which is scoped so as to allow only access to new -## anonymous objects. +## shm_open(2) is scoped so as to allow only access to new anonymous objects. ## -#shm_open +shm_open ## ## Allow I/O-related file descriptors, subject to capability rights.
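Review bot: enabling faccessat through renameat (and open) rests entirely on the "strictly relative" namei()/lookup() behaviour described in the log, yet the only file under Modified: in this revision is capabilities.conf, so the enforcing change is not part of r224812. The log, or the new comment, should cite the revision that added it, because this file reads as the record of why each call is safe. While the comment is being rewritten anyway, `## Operations relative to directory capabilities.` says nothing about what makes them safe; state the two constraints it depends on, for example `## Operations relative to directory capabilities; lookups are strictly relative (no absolute paths, no '..' components).` Also note that renameat(2) performs two lookups (source and destination directory descriptors), so the comment should make clear both are constrained.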
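Review bot: style, in the shm_open hunk the surrounding entries phrase their comments as "Allow X(2), ..." (compare `## Allow poll(2), which will be scoped by capability rights.` and `## Allow I/O-related file descriptors, subject to capability rights.`), so keep that form, e.g. `## Allow shm_open(2), which is scoped so as to allow only access to new anonymous objects.`, rather than the bare sentence. The substance matches the log's "shm_open(2) already has the appropriate constraints", so only the wording needs aligning.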
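To make the two lookup rules in the log concrete, here is an added userland illustration; it is not the FreeBSD namei()/lookup() code and is not part of this commit. It walks a path one component at a time relative to a directory descriptor, refuses absolute paths and ".." components, and applies the same rules to each symlink target before following it, so a relative link such as `rel -> sub/file` is allowed while `abs -> /.../sub/file` and `up -> ../sub/file` are rejected even though they point inside the tree. It assumes the POSIX *at(2) calls and glibc feature macros; the rejection errno (EACCES), the link-depth limit, the function names and the constructed temp-dir tree are this example's own choices, not what the kernel does.

```c
/* Added example, not FreeBSD kernel code: a userland approximation of the
 * "strictly relative" lookup policy from the commit message. EACCES as the
 * rejection errno and MAX_LINK_DEPTH are this example's choices. */
#define _GNU_SOURCE 1          /* readlinkat/symlinkat/mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_LINK_DEPTH 8

/* Textual policy: 1 if acceptable, 0 if absolute or any component is "..".
 * Applied to the caller's path and to every symlink target encountered. */
int strictly_relative(const char *path)
{
    if (path[0] == '/')
        return 0;
    for (const char *p = path; *p != '\0'; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Open path relative to dirfd under the policy; returns an fd or -1 with
 * errno set. flags applies to the final component only. Every component is
 * opened O_NOFOLLOW, so a link swapped in after the fstatat() check fails
 * instead of being followed. */
int capsafe_openat(int dirfd, const char *path, int flags)
{
    char rest[PATH_MAX], comp[NAME_MAX + 1], target[PATH_MAX], joined[PATH_MAX];
    struct stat st;
    int cur = -1, next, depth = 0, err = EACCES;

    if (*path == '\0' || !strictly_relative(path) || strlen(path) >= sizeof rest)
        goto fail;
    strcpy(rest, path);
    if ((cur = dup(dirfd)) < 0)
        return -1;
    while (*rest != '\0') {
        char *slash = strchr(rest, '/');
        size_t len = slash ? (size_t)(slash - rest) : strlen(rest);
        const char *remaining = slash ? slash + 1 : rest + len;
        if (len > NAME_MAX) { err = ENAMETOOLONG; goto fail; }
        memcpy(comp, rest, len);
        comp[len] = '\0';
        memmove(rest, remaining, strlen(remaining) + 1);
        if (len == 0 || strcmp(comp, ".") == 0)      /* "a//b", "a/", "./x" */
            continue;
        if (fstatat(cur, comp, &st, AT_SYMLINK_NOFOLLOW) < 0) { err = errno; goto fail; }
        if (S_ISLNK(st.st_mode)) {
            /* Same policy for the link target, then splice it in front of
             * what is left and keep resolving from the same directory. */
            ssize_t n = readlinkat(cur, comp, target, sizeof target - 1);
            if (n < 0) { err = errno; goto fail; }
            target[n] = '\0';
            if (++depth > MAX_LINK_DEPTH) { err = ELOOP; goto fail; }
            if (!strictly_relative(target)) { err = EACCES; goto fail; }
            int w = snprintf(joined, sizeof joined, "%s%s%s", target, *rest ? "/" : "", rest);
            if (w < 0 || w >= (int)sizeof joined) { err = ENAMETOOLONG; goto fail; }
            strcpy(rest, joined);
            continue;
        }
        next = *rest == '\0' ? openat(cur, comp, flags | O_NOFOLLOW | O_CLOEXEC, 0600)
                             : openat(cur, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) { err = errno; goto fail; }
        close(cur);
        cur = next;
    }
    return cur;
fail:
    if (cur >= 0) close(cur);
    errno = err;
    return -1;
}

/* 1 if the open succeeds (fd closed again), 0 otherwise; strict=0 uses the
 * unrestricted openat(2) for contrast. */
int opens_ok(int dirfd, const char *path, int strict)
{
    int fd = strict ? capsafe_openat(dirfd, path, O_RDONLY) : openat(dirfd, path, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Constructed tree in a fresh temp dir (left behind): sub/file, rel -> sub/file,
 * sub/up -> ../sub/file, abs -> <tmp>/sub/file. Returns the dir fd or -1. */
int build_tree(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char tmpl[PATH_MAX], abs_target[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/capsafeXXXXXX", base);
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(abs_target, sizeof abs_target, "%s/sub/file", tmpl);
    int d = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (d < 0 || mkdirat(d, "sub", 0700) < 0) return -1;
    int f = openat(d, "sub/file", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (f < 0) return -1;
    close(f);
    if (symlinkat("sub/file", d, "rel") < 0 || symlinkat("../sub/file", d, "sub/up") < 0 ||
        symlinkat(abs_target, d, "abs") < 0)
        return -1;
    return d;
}

int main(void)
{
    const char *cases[] = { "sub/file", "rel", "sub/up", "abs", "sub/../sub/file" };
    int d = build_tree();
    if (d < 0) { perror("build_tree"); return 1; }
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s plain:%d strict:%d\n", cases[i], opens_ok(d, cases[i], 0), opens_ok(d, cases[i], 1));
    return 0;
}
```

The contrast the program prints is the point of the commit: plain openat(2) happily follows `sub/up` and `abs` to the very same file, while the strict walk rejects both, because the decision is made on the lexical shape of each path and link target, not on where it ends up. The walk also keeps the rule "symlinks to absolute paths are disallowed" from the log by checking each readlinkat() result before splicing it back into the remaining path.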