Date:      Sat, 13 Aug 2011 10:43:21 +0000 (UTC)
From:      Jonathan Anderson <jonathan@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r224812 - head/sys/kern
Message-ID:  <201108131043.p7DAhLtP010291@svn.freebsd.org>

Author: jonathan
Date: Sat Aug 13 10:43:21 2011
New Revision: 224812
URL: http://svn.freebsd.org/changeset/base/224812

Log:
  Allow openat(2), fstatat(2), etc. in capability mode.
  
  namei() and lookup() can now perform "strictly relative" lookups.
  Such lookups, performed when in capability mode or when looking up
  relative to a directory capability, enforce two policies:
   - absolute paths are disallowed (including symlinks to absolute paths)
   - paths containing '..' components are disallowed
  
  These constraints make it safe to enable openat() and friends.
  These system calls are instrumental in supporting Capsicum
  components such as the capability-mode-aware runtime linker.
  
  Finally, adjust comments in capabilities.conf to reflect the actual state
  of the world (e.g. shm_open(2) already has the appropriate constraints,
  getdents(2) already requires CAP_SEEK).
  
  Approved by: re (bz), mentor (rwatson)
  Sponsored by: Google Inc.
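As an added illustration of the two "strictly relative" rules the log describes (example code written for this page, not FreeBSD's namei()/lookup() implementation), the following userland pre-check applies the same policy to a path string before it is handed to openat(2) against a directory descriptor. The sample paths in main() are constructed for the demonstration. Because it only inspects the literal string, it cannot see where a symlink points; the log is explicit that the symlink case is closed inside the kernel lookup, which this function merely mirrors.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD kernel code. Returns true when `path` satisfies
 * the two "strictly relative" rules the commit log states for namei():
 *   - the path is not absolute (does not begin with '/'), and
 *   - no component of the path is "..".
 * This is a literal-string check: it cannot follow symlinks, so it is only a
 * defensive pre-check in front of the in-kernel enforcement.
 */
bool is_strictly_relative(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return false;
    if (path[0] == '/')
        return false;                       /* absolute path */

    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');   /* end of the current component */
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* ".." component */
        if (end == NULL)
            return true;                    /* last component checked */
        p = end + 1;                        /* empty components ("a//b") are harmless */
    }
}

int main(void)
{
    /* Constructed sample inputs: the first three pass, the remaining four fail. */
    static const char *const samples[] = {
        "etc/passwd", "./lib/libc.so", "a/..b/c",
        "/etc/passwd", "../etc/passwd", "lib/../../etc", "a/..",
    };
    int n = (int)(sizeof samples / sizeof samples[0]);
    for (int i = 0; i < n; i++)
        printf("%-16s %s\n", samples[i],
               is_strictly_relative(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

The check deliberately accepts "." components and path strings such as "a/..b", since neither escapes the directory; only a component that is exactly ".." or a leading '/' violates the policy in the log.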

Modified:
  head/sys/kern/capabilities.conf

Modified: head/sys/kern/capabilities.conf
==============================================================================
--- head/sys/kern/capabilities.conf	Sat Aug 13 10:23:52 2011	(r224811)
+++ head/sys/kern/capabilities.conf	Sat Aug 13 10:43:21 2011	(r224812)
@@ -239,9 +239,7 @@ getcontext
 ## Allow directory I/O on a file descriptor, subject to capability rights.
 ## Originally we had separate capabilities for directory-specific read
 ## operations, but on BSD we allow reading the raw directory data, so we just
-## rely on CAP_READ (etc) now.
-##
-## XXXRW: Possibly these should also use CAP_SEEK.
+## rely on CAP_READ and CAP_SEEK now.
 ##
 getdents
 getdirentries
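Review bot: the XXXRW question about CAP_SEEK is resolved here by a comment change only, and nothing in this hunk shows where the CAP_SEEK requirement for getdents/getdirentries is enforced; since this file records only which syscalls are permitted in capability mode, a reader cannot verify the new "rely on CAP_READ and CAP_SEEK now" claim from it. Suggest the comment name the enforcement point (the syscall implementation or the rights check it goes through), so the next person auditing the list does not have to rediscover it.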
@@ -447,28 +445,26 @@ obreak
 olio_listio
 
 ##
-## Once Capsicum is fully merged, some of the *at(2) calls which can be
-## semantically constrained will be permitted in capability mode. For now,
-## we will simply not allow them to be called.
-##
-#faccessat
-#fstatat
-#fchmodat
-#futimesat
-#mkdirat
-#rmdirat
-#mkfifoat
-#mknodat
-#openat
-#renameat
-
-##
-## ONCE CAPSICUM IS FULLY MERGED:
-## Allow entry into open(2). This system call will fail, since access to the global
-## file namespace has been disallowed, but allowing entry into the syscall means
-## that an audit trail will be generated (which is also very useful for debugging),
+## Operations relative to directory capabilities.
+##
+faccessat
+fstatat
+fchmodat
+futimesat
+mkdirat
+rmdirat
+mkfifoat
+mknodat
+openat
+renameat
+
+##
+## Allow entry into open(2). This system call will fail, since access to the
+## global file namespace has been disallowed, but allowing entry into the
+## syscall means that an audit trail will be generated (which is also very
+## useful for debugging).
 ##
-#open
+open
 
 ##
 ## Allow poll(2), which will be scoped by capability rights.
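Review bot: the new header "Operations relative to directory capabilities." drops the explanation of why these calls are now safe; please restate the two constraints from the log here (absolute paths rejected, ".." components rejected) so the list documents its own precondition, and say explicitly that renameat, the one entry with two path arguments, has both lookups subjected to the strictly-relative rule. Also worth confirming that every name in the list matches an entry in syscalls.master: rmdirat appears here while unlinkat, the call that actually removes directories via AT_REMOVEDIR, does not appear in this hunk. The open(2) comment is now a complete sentence (the old text ended in "debugging),"), which is a welcome fix.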
@@ -648,11 +644,9 @@ setsockopt
 setuid
 
 ##
-## ONCE CAPSICUM IS FULLY MERGED:
-## Allow shm_open(2), which is scoped so as to allow only access to new
-## anonymous objects.
+## shm_open(2) is scoped so as to allow only access to new anonymous objects.
 ##
-#shm_open
+shm_open
 
 ##
 ## Allow I/O-related file descriptors, subject to capability rights.
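Review bot: "scoped so as to allow only access to new anonymous objects" describes the intended restriction but not how it is expressed; suggest the comment state that only the SHM_ANON path is accepted in capability mode and that a named path fails, and point to where shm_open(2) performs that check, since, as with the getdents hunk, this file cannot show the scoping itself.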


