Date: Mon, 25 Aug 2008 10:36:23 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 148370 for review Message-ID: <200808251036.m7PAaNEH089123@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=148370 Change 148370 by rwatson@rwatson_freebsd_capabilities on 2008/08/25 10:36:00 Review, annotate, and in some cases revise the list of system calls permitted in capability mode. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#11 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#19 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#19 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#19 edit .. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#19 edit .. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#19 edit .. //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#19 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#11 (text+ko) ==== 
@@ -1,66 +1,93 @@
-#
-# Copyright (c) 2008 Robert N. M. Watson
-# All rights reserved.
-#
-# WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
-# ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
-# UNEXPECTED WAYS.
-#
-# This software was developed at the University of Cambridge Computer
-# Laboratory with support from a grant from Google, Inc.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-# List of system calls enabled in capability mode, one name per line.
-#
-# Notes:
-# - sys_exit() and close() are very important.
-# - Sorted alphabetically, please keep it that way.
-#
-# $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#10 $
-#
+##
+## Copyright (c) 2008 Robert N. M. Watson
+## All rights reserved.
+##
+## WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
+## ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
+## UNEXPECTED WAYS.
+##
+## This software was developed at the University of Cambridge Computer
+## Laboratory with support from a grant from Google, Inc.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions
+## are met:
+## 1. Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+## 2. Redistributions in binary form must reproduce the above copyright
+## notice, this list of conditions and the following disclaimer in the
+## documentation and/or other materials provided with the distribution.
+##
+## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+## SUCH DAMAGE.
+##
+## $FreeBSD$
+##
+## List of system calls enabled in capability mode, one name per line.
+##
+## Notes:
+## - sys_exit(2), abort2(2) and close(2) are very important.
+## - Sorted alphabetically, please keep it that way.
+##
+## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#11 $
+##
+
+##
+## Allow ACL and MAC label operations by file descriptor, subject to
+## capability rights. Allow MAC label operations on the current process but
+## we will need to scope __mac_get_pid(2).
+##
 __acl_aclcheck_fd
 __acl_delete_fd
 __acl_get_fd
 __acl_set_fd
 __mac_get_fd
-#
-# __mac_get_pid need scoping
-#
-__mac_get_pid
+#__mac_get_pid
 __mac_get_proc
 __mac_set_fd
 __mac_set_proc
-#
-# Certain sysctls need more scoping
-#
+
+##
+## Allow sysctl(2) as we scope internal to the call; this is a global
+## namespace, but there are several critical sysctls required for almost
+## anything to run, such as hw.pagesize. For now that policy lives in the
+## kernel for performance and simplicity, but perhaps it could move to a
+## proxying daemon in userspace.
+##
 __sysctl
+
+##
+## Allow umtx operations as these are scoped by address space.
+##
+## XXRW: Need to check this very carefully.
+##
 _umtx_lock
 _umtx_op
 _umtx_unlock
+
+##
+## Allow process termination using abort2(2).
+##
 abort2
+
+##
+## Allow accept(2) since it doesn't manipulate namespaces directly, rather
+## relies on existing bindings on a socket, subject to capability rights.
+##
 accept
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
 aio_cancel
 aio_error
 aio_fsync
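Review bot: The new header documents neither the `##` convention nor what a single `#` in front of a name means, yet this hunk relies on both: `+#__mac_get_pid` disables the call while keeping it visible (init_sysent.c entry 409 drops SYF_CAPENABLED accordingly), and all commentary now uses `##`. A reader can take `#__mac_get_pid` for a comment, so the Notes block should say it, e.g. `## - Lines beginning with ## are commentary; a single # before a system call name disables it but keeps it listed for review.` Separately, the umtx block's `## XXRW: Need to check this very carefully.` drops an X from the `XXXRW:` tag the other open items use, so a grep for open issues misses it; `## XXXRW: Need to check this very carefully.` fixes that. The sysctl comment states that scoping happens inside the call but not where that check lives; naming the enforcing code would let a reviewer confirm it covers the set side of sysctl(2) as well as reads.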
@@ -69,168 +96,423 @@
 aio_suspend
 aio_waitcomplete
 aio_write
-#
-# What to do about audit()?
-#
+
+##
+## audit(2) is a global operation, submitting to the global trail, but it is
+## controlled by privilege, and it might be useful to be able to submit
+## records from sandboxes. For now, disallow, but we may want to think about
+## providing some sort of proxy service for this.
+##
 #audit
+
+##
+## Allow bind(2) for now, even though it operates on global name spaces, as
+## we support CAP_BIND.
+##
+## XXXRW: Revisit this.
+##
 bind
+
+##
+## Allow capability mode and capability system calls.
+##
 cap_enter
 cap_getmode
 cap_getrights
 cap_new
+
+##
+## Allow read-only clock operations.
+##
 clock_gettime
 clock_getres
+
+##
+## Always allow file descriptor close(2).
+##
 close
+
+##
+## Allow connect(2) for now, ven though it supports global namespaces, we
+## we support CAP_CONNECT.
+##
+## XXXRW: Revisit this.
+##
 connect
-#
-# cpuset(2) and related calls require scoping.
-#
+
+##
+## cpuset(2) and related calls require scoping by process, but should
+## eventually be allowed, at least in the current process case.
+##
 #cpuset
 #cpuset_getaffinity
 #cpuset_getid
 #cpuset_setaffinity
 #cpuset_setid
+
+##
+## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
+##
 dup
 dup2
-eaccess
+
+##
+## Allow extended attribute operations by file descriptor, subject to
+## capability rights.
+##
 extattr_delete_fd
 extattr_get_fd
 extattr_list_fd
 extattr_set_fd
+
+##
+## Allow changing file flags, mode, and owner by file descriptor, subject to
+## capability rights.
+##
 fchflags
 fchmod
 fchown
-#
-# Need to review fcntl operations for global affects that might need to be
-# scoped.
-#
+
+##
+## For now, allow fcntly(2), subject to capability rights, but this probably
+## needs additional scoping.
+##
 fcntl
+
+##
+## Allow fexecve(2), subject to capability rights. We perform some scoping,
+## such as disallowing privilege escalation.
+##
 fexecve
+
+##
+## Allow flock(2), subject to capability rights.
+##
 flock
+
+##
+## Allow fork(2).
+##
 fork
+
+##
+## Allow fpathconf(2), subject to capability rights.
+##
 fpathconf
+
+##
+## Allow various file descriptor-based I/O operations, subject to capability
+## rights. mmap(2) requires further attention.
+##
 freebsd6_ftruncate
 freebsd6_lseek
 freebsd6_mmap
 freebsd6_pread
 freebsd6_pwrite
+
+##
+## Allow querying file and file system state with fstat(2) and fstatfs(2),
+## subject to capability rights.
+##
 fstat
 fstatfs
+
+##
+## Allow further file descriptor-based I/O operations, subject to capability
+## rights.
+##
 fsync
 ftruncate
+
+##
+## Allow futimes(2), subject to capability rights.
+##
 futimes
+
+##
+## Allow querying process audit state, subject to normal access control.
+##
 getaudit
 getaudit_addr
 getauid
+
+##
+## Allow thread context management with getcontext(2).
+##
 getcontext
+
+##
+## Allow directory I/O on a file descriptor, subject to capability rights.
+## Originally we had separate capabilities for directory-specific read
+## operations, but on BSD we allow reading the raw directory data, so we just
+## rely on CAP_READ (etc) now.
+##
+## XXXRW: Possibly these should also use CAP_SEEK.
+##
 getdents
 getdirentries
+
+##
+## Allow querying certain trivial global state.
+##
 getdomainname
+
+##
+## Allow querying current process credential state.
+##
 getegid
 geteuid
+
+##
+## Allow querying certain trivial global state.
+##
 gethostid
 gethostname
+
+##
+## Allow querying per-process timer.
+##
 getitimer
+
+##
+## Allow querying current process credential state.
+##
 getgid
 getgroups
-#
-# Should we allow getlogin?
-#
-#getlogin
+getlogin
+
+##
+## Allow querying certain trivial global state.
+##
 getpagesize
 getpeername
-#
-# getpgid needs scoping.
-#
+
+##
+## Allow querying certain per-process scheduling, resource limit, and
+## credential state.
+##
+## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
+## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
+## getsid(2) needs scoping.
+##
 getpgid
 getpgrp
 getpid
-#
-# getppid might or might not need scoping.
-#
 getppid
 getpriority
 getresgid
 getresuid
 getrlimit
-#
-# getrusage needs scoping.
-#
 getrusage
-#
-# getsid needs scoping.
-#
 getsid
+
+##
+## Allow querying socket state, subject to capability rights.
+##
+## XXXRW: getsockopt(2) may need more attention.
+##
 getsockname
 getsockopt
+
+##
+## Allow querying the global clock.
+##
 gettimeofday
+
+##
+## Allow querying current process credential state.
+##
 getuid
-#
-# ioctl is dangerous.
-#
-ioctl
+
+##
+## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
+## scope, but this is a tricky one as it is also required for tty control.
+## We do have a capability right for this operation.
+##
+## XXXRW: This needs to be revisited.
+##
+#ioctl
+
+##
+## Allow querying current process credential state.
+##
 issetugid
+
+##
+## Allow kevent(2), as we will authorize based on capability rights on the
+## target descriptor.
+##
+## XXXRW: Do we do this?
+##
 kevent
+
+##
+## Allow message queue operations on file descriptors, subject to capability
+## rights.
+##
 kmq_notify
 kmq_setattr
 kmq_timedreceive
 kmq_timedsend
-#
-# kill needs scoping
-#
+
+##
+## For now, don't allow kill(2) and friends, but in the future we will need
+## something here to allow inter-process signalling and control.
+##
+## XXXRW: Revisit.
+##
 #kill
 #killpg
+
+##
+## Allow kqueue(2), we will control use.
+##
 kqueue
+
+##
+## Allow threading-related system calls.
+##
+## XXXRW: These are obsolete, remove?
+##
 kse_create
 kse_exit
 kse_release
 kse_switchin
 kse_thr_interrupt
 kse_wakeup
+
+##
+## Allow managing per-process timers.
+##
 ktimer_create
 ktimer_delete
 ktimer_getoverrun
 ktimer_gettime
 ktimer_settime
-#
-# ktrace needs scoping
-#
+
+##
+## We can't allow ktrace(2) because it relies on a global namespace, but we
+## might want to introduce an fktrace(2) of some sort.
+##
 #ktrace
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
 lio_listio
+
+##
+## Allow listen(2), subject to capability rights.
+##
+## XXXRW: One might argue this manipulates a global namespace.
+##
 listen
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 lseek
+
+##
+## Allow MAC label operations by file descriptor, subject to capability
+## rights.
+##
 mac_get_fd
 mac_set_fd
+
+##
+## Allow simple VM operations on the current process.
+##
 madvise
 mincore
 minherit
 mlock
 mlockall
-#
-# mmap needs scoping
-#
+
+##
+## Allow memory mapping a file descriptor, and updating protections, subject
+## to capability rights.
+##
+## XXXRW: We currently don't properly mask VM protections using capability
+## rights.
+##
 mmap
 mprotect
+
+##
+## Allow simple VM operations on the current process.
+##
 msync
 munlock
 munlockall
 munmap
+
+##
+## Allow the current process to sleep.
+##
 nanosleep
+
+##
+## Allow querying the global clock.
+##
 ntp_gettime
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
 oaio_read
 oaio_write
+
+##
+## Allow simple VM operations on the current process.
+##
 obreak
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
 olio_listio
+
+##
+## Allow poll(2), which will be scoped by capability rights.
+##
+## XXXRW: Perhaps we don't need the OpenBSD version?
+## XXXRW: We don't yet do that scoping.
+##
 openbsd_poll
+
+##
+## Allow pipe(2).
+##
 pipe
+
+##
+## Allow poll(2), which will be scoped by capability rights.
+## XXXRW: We don't yet do that scoping.
+##
 poll
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 pread
 preadv
+
+##
+## Allow access to profiling state on the current process.
+##
 profil
-#
-# ptrace needs scoping.
-#
+
+##
+## Disallow ptrace(2) for now, but we do need debugging facilities in
+## capability mode, so we will want to revisit this, possibly by scoping its
+## operation.
+##
 #ptrace
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 pwrite
 pwritev
 read
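Review bot: `mac_get_fd` and `mac_set_fd` (context lines under `## Allow MAC label operations by file descriptor`) look like duplicates of the `__mac_get_fd`/`__mac_set_fd` entries in the previous hunk; if they don't name real entries in syscalls.master they are silently ignored, which is what happened to `sched_get_priority_mind` and is still happening to `sched_rr_getinterval` in the next hunk (init_sysent.c entry 334 `sched_rr_get_interval` keeps flags `0` in this change). The generator presumably skips names it cannot match; failing the build on an unknown name would make this file the actual policy rather than a hopeful one. Two new comments have typos: `## Allow connect(2) for now, ven though it supports global namespaces, we` / `## we support CAP_CONNECT.` should read `## Allow connect(2) for now, even though it supports global namespaces, as` / `## we support CAP_CONNECT.` (mirroring the bind(2) block), and `fcntly(2)` should be `fcntl(2)`. `getpeername` is grouped under `## Allow querying certain trivial global state.` with getpagesize although it queries a socket descriptor; the `## Allow querying socket state, subject to capability rights.` heading used for getsockname would be accurate. `getlogin` is newly enabled with its old question comment removed but, unlike every other entry here, no rationale of its own.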
@@ -238,66 +520,146 @@
 recv
 recvfrom
 recvmsg
+
+##
+## Allow rfork(2).
+##
 rfork
-#
-# rtprio needs scoping.
-#
+
+##
+## Allow real-time scheduling primitives to be used.
+##
+## XXXRW: These require scoping.
+##
 rtprio
 rtprio_thread
+
+##
+## Allow simple VM operations on the current process.
+##
 sbrk
+
+##
+## Allow querying trivial global scheduler state.
+##
 sched_get_priority_max
-sched_get_priority_mind
-#
-# sched_{get,set}* need scoping.
-#
+sched_get_priority_min
+
+##
+## Allow various thread/process scheduler operations.
+##
+## XXXRW: Some of these require further scoping.
+##
 sched_getparam
 sched_getscheduler
 sched_rr_getinterval
 sched_setparam
 sched_setscheduler
 sched_yield
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 sctp_generic_recvmsg
 sctp_generic_sendmsg
 sctp_generic_sendmsg_iov
 sctp_peeloff
+
+##
+## Allow select(2), which will be scoped by capability rights.
+##
+## XXXRW: But is it?
+##
 select
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 send
 sendfile
 sendmsg
 sendto
+
+##
+## Allow setting per-process audit state, which is controlled separately by
+## privileges.
+##
 setaudit
 setaudit_addr
 setauid
+
+##
+## Allow setting thread context.
+##
 setcontext
+
+##
+## Allow setting current process credential state, which is controlled
+## separately by privilege.
+##
 setegid
 seteuid
 setgid
+
+##
+## Allow use of the process interval timer.
+##
 setitimer
-#
-# Need to think about setpriority and capabilities.
-#
+
+##
+## Allow setpriority(2).
+##
+## XXXRW: Requires scoping.
+##
 setpriority
+
+##
+## Allow setting current process credential state, which is controlled
+## separately by privilege.
+##
 setregid
 setresgid
 setresuid
 setreuid
+
+##
+## Allow setting process resource limits with setrlimit(2).
+##
 setrlimit
+
+##
+## Allow creating a new session with setsid(2).
+##
 setsid
-#
-# Need to review socket options and decide what to do about ones that manage
-# globally visible stack properties.
-#
+
+##
+## Allow setting socket options with setsockopt(2), subject to capability
+## rights.
+##
+## XXXRW: Might require scoping.
+##
 setsockopt
-#
-# Need to think hard about the safety of credential manipulation calls where
-# the capability model and UNIX model intersect.
-#
+
+##
+## Allow setting current process credential state, which is controlled
+## separately by privilege.
+##
 setuid
-#
-# We allow shm_open(2), but only when used with anonymous objects.
-#
+
+##
+## Allow shm_open(2), which is scoped so as to allow only access to new
+## anonymous objects.
+##
 shm_open
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 shutdown
+
+##
+## Allow signal control on current process.
+##
 sigaction
 sigaltstack
 sigblock
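Review bot: `rtprio`, `rtprio_thread` and `setpriority` stay enabled with only `## XXXRW: These require scoping.` / `## XXXRW: Requires scoping.`; since each takes a target process or thread id, the note should say what scoping means so it can be acted on, e.g. `## XXXRW: Restrict the target pid/lwpid to the caller until proper scoping exists.` `sctp_peeloff` sits under `## Allow I/O-related file descriptors, subject to capability rights.` but it returns a new socket descriptor rather than performing I/O on an existing one; if capability rights are meant to carry over to the peeled-off socket, the comment should say so, because the generic heading hides the question. The `sched_get_priority_mind` to `sched_get_priority_min` correction (entry 333 gains SYF_CAPENABLED in init_sysent.c) shows that a misspelt name silently leaves a call disabled; `sched_rr_getinterval` in this same hunk appears to have the same problem and is not fixed here, as noted on the previous hunk.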
@@ -311,34 +673,87 @@
 sigtimedwait
 sigvec
 sigwaitinfo
+
+##
+## Allow creating new socket pairs with socketpair(2).
+##
 socketpair
+
+##
+## Allow simple VM operations on the current process.
+##
+## XXXRW: Kernel doesn't implement this, so drop?
+##
 sstk
-#
-# sync isn't all that harmful, but is global.
-#
+
+##
+## Do allow sync(2) for now, but possibly shouldn't.
+##
 sync
+
+##
+## Always allow process termination with sys_exit(2).
+##
 sys_exit
+
+##
+## Allow thread operations operating only on current process.
+##
 thr_create
 thr_exit
 thr_kill
-#
-# thr_kill2 needs scoping.
-#
+
+##
+## Disallow thr_kill2(2), as it may operate beyond the current process.
+##
+## XXXRW: Requires scoping.
+##
 #thr_kill2
+
+##
+## Allow thread operations operating only on current process.
+##
 thr_new
 thr_self
 thr_set_name
 thr_suspend
 thr_wake
+
+##
+## Allow manipulation of the current process umask with umask(2).
+##
 umask
+
+##
+## Allow submitting of process trace entries with utrace(2).
+##
 utrace
+
+##
+## Allow generating UUIDs with uuidgen(2).
+##
 uuidgen
+
+##
+## Allow vfork(2).
+##
 vfork
-#
-# wait and wait4 needs process scoping work
-#
+
+##
+## For now, allow wait(2), wait4(2), etc.
+##
+## XXXRW: These require scoping.
+##
 wait
 wait4
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
 write
 writev
+
+##
+## Allow processes to yield(2).
+##
 yield
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#19 (text+ko) ====
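Review bot: `sync` is enabled under `## Do allow sync(2) for now, but possibly shouldn't.` without the `XXXRW:` tag that the other open decisions in this file carry, so it will not show up when open items are collected, and the removed `# sync isn't all that harmful, but is global.` held the rationale the new comment lost; `## XXXRW: sync(2) has global effect; revisit.` keeps both. `sstk` likewise carries an open question (`## XXXRW: Kernel doesn't implement this, so drop?`) yet stays enabled; if it really is unimplemented, listing it as permitted misstates the policy, and commenting it out like `#thr_kill2` until resolved would be the safer default. `utrace` is described only as `## Allow submitting of process trace entries with utrace(2).`; since ktrace(2) is excluded earlier for depending on a global namespace, a sentence on why utrace(2) differs (presumably because it only adds records to the caller's own existing trace) would pre-empt the obvious question.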
@@ -77,12 +77,12 @@
 { compat(AS(osigaction_args),sigaction), AUE_SIGACTION, NULL, 0, 0, SYF_CAPENABLED }, /* 46 = old sigaction */
 { 0, (sy_call_t *)getgid, AUE_GETGID, NULL, 0, 0, SYF_CAPENABLED }, /* 47 = getgid */
 { compat(AS(osigprocmask_args),sigprocmask), AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED }, /* 48 = old sigprocmask */
- { AS(getlogin_args), (sy_call_t *)getlogin, AUE_GETLOGIN, NULL, 0, 0, 0 }, /* 49 = getlogin */
+ { AS(getlogin_args), (sy_call_t *)getlogin, AUE_GETLOGIN, NULL, 0, 0, SYF_CAPENABLED }, /* 49 = getlogin */
 { AS(setlogin_args), (sy_call_t *)setlogin, AUE_SETLOGIN, NULL, 0, 0, 0 }, /* 50 = setlogin */
 { AS(acct_args), (sy_call_t *)acct, AUE_ACCT, NULL, 0, 0, 0 }, /* 51 = acct */
 { compat(0,sigpending), AUE_SIGPENDING, NULL, 0, 0, SYF_CAPENABLED }, /* 52 = old sigpending */
 { AS(sigaltstack_args), (sy_call_t *)sigaltstack, AUE_SIGALTSTACK, NULL, 0, 0, SYF_CAPENABLED }, /* 53 = sigaltstack */
- { AS(ioctl_args), (sy_call_t *)ioctl, AUE_IOCTL, NULL, 0, 0, SYF_CAPENABLED }, /* 54 = ioctl */
+ { AS(ioctl_args), (sy_call_t *)ioctl, AUE_IOCTL, NULL, 0, 0, 0 }, /* 54 = ioctl */
 { AS(reboot_args), (sy_call_t *)reboot, AUE_REBOOT, NULL, 0, 0, 0 }, /* 55 = reboot */
 { AS(revoke_args), (sy_call_t *)revoke, AUE_REVOKE, NULL, 0, 0, 0 }, /* 56 = revoke */
 { AS(symlink_args), (sy_call_t *)symlink, AUE_SYMLINK, NULL, 0, 0, 0 }, /* 57 = symlink */
@@ -361,7 +361,7 @@
 { AS(sched_getscheduler_args), (sy_call_t *)sched_getscheduler, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 330 = sched_getscheduler */
 { 0, (sy_call_t *)sched_yield, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 331 = sched_yield */
 { AS(sched_get_priority_max_args), (sy_call_t *)sched_get_priority_max, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 332 = sched_get_priority_max */
- { AS(sched_get_priority_min_args), (sy_call_t *)sched_get_priority_min, AUE_NULL, NULL, 0, 0, 0 }, /* 333 = sched_get_priority_min */
+ { AS(sched_get_priority_min_args), (sy_call_t *)sched_get_priority_min, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 333 = sched_get_priority_min */
 { AS(sched_rr_get_interval_args), (sy_call_t *)sched_rr_get_interval, AUE_NULL, NULL, 0, 0, 0 }, /* 334 = sched_rr_get_interval */
 { AS(utrace_args), (sy_call_t *)utrace, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 335 = utrace */
 { compat4(AS(freebsd4_sendfile_args),sendfile), AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED }, /* 336 = old sendfile */
@@ -404,7 +404,7 @@
 { AS(extattr_delete_fd_args), (sy_call_t *)extattr_delete_fd, AUE_EXTATTR_DELETE_FD, NULL, 0, 0, SYF_CAPENABLED }, /* 373 = extattr_delete_fd */
 { AS(__setugid_args), (sy_call_t *)__setugid, AUE_NULL, NULL, 0, 0, 0 }, /* 374 = __setugid */
 { AS(nfsclnt_args), (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 375 = nfsclnt */
- { AS(eaccess_args), (sy_call_t *)eaccess, AUE_EACCESS, NULL, 0, 0, SYF_CAPENABLED }, /* 376 = eaccess */
+ { AS(eaccess_args), (sy_call_t *)eaccess, AUE_EACCESS, NULL, 0, 0, 0 }, /* 376 = eaccess */
 { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 377 = afs_syscall */
 { AS(nmount_args), (sy_call_t *)nmount, AUE_NMOUNT, NULL, 0, 0, 0 }, /* 378 = nmount */
 { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 379 = kse_exit */
@@ -437,7 +437,7 @@
 { AS(ksem_unlink_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 406 = ksem_unlink */
 { AS(ksem_getvalue_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 407 = ksem_getvalue */
 { AS(ksem_destroy_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 408 = ksem_destroy */
- { AS(__mac_get_pid_args), (sy_call_t *)__mac_get_pid, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 409 = __mac_get_pid */
+ { AS(__mac_get_pid_args), (sy_call_t *)__mac_get_pid, AUE_NULL, NULL, 0, 0, 0 }, /* 409 = __mac_get_pid */
 { AS(__mac_get_link_args), (sy_call_t *)__mac_get_link, AUE_NULL, NULL, 0, 0, 0 }, /* 410 = __mac_get_link */
 { AS(__mac_set_link_args), (sy_call_t *)__mac_set_link, AUE_NULL, NULL, 0, 0, 0 }, /* 411 = __mac_set_link */
 { AS(extattr_set_link_args), (sy_call_t *)extattr_set_link, AUE_EXTATTR_SET_LINK, NULL, 0, 0, 0 }, /* 412 = extattr_set_link */
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#19 (text+ko) ====