From owner-svn-src-all@FreeBSD.ORG Sat Aug 13 10:43:22 2011
Return-Path:
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EF204106566C; Sat, 13 Aug 2011 10:43:21 +0000 (UTC) (envelope-from jonathan@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D3D1B8FC20; Sat, 13 Aug 2011 10:43:21 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p7DAhLho010293; Sat, 13 Aug 2011 10:43:21 GMT (envelope-from jonathan@svn.freebsd.org)
Received: (from jonathan@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p7DAhLtP010291; Sat, 13 Aug 2011 10:43:21 GMT (envelope-from jonathan@svn.freebsd.org)
Message-Id: <201108131043.p7DAhLtP010291@svn.freebsd.org>
From: Jonathan Anderson
Date: Sat, 13 Aug 2011 10:43:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r224812 - head/sys/kern
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 13 Aug 2011 10:43:22 -0000

Author: jonathan
Date: Sat Aug 13 10:43:21 2011
New Revision: 224812

URL: http://svn.freebsd.org/changeset/base/224812

Log:
  Allow openat(2), fstatat(2), etc. in capability mode.

  namei() and lookup() can now perform "strictly relative" lookups. Such
  lookups, performed when in capability mode or when looking up relative to
  a directory capability, enforce two policies:
  - absolute paths are disallowed (including symlinks to absolute paths)
  - paths containing '..' components are disallowed

  These constraints make it safe to enable openat() and friends. These
  system calls are instrumental in supporting Capsicum components such as
  the capability-mode-aware runtime linker.

  Finally, adjust comments in capabilities.conf to reflect the actual state
  of the world (e.g. shm_open(2) already has the appropriate constraints,
  getdents(2) already requires CAP_SEEK).

  Approved by: re (bz), mentor (rwatson)
  Sponsored by: Google Inc.

Modified:
  head/sys/kern/capabilities.conf

Modified: head/sys/kern/capabilities.conf
==============================================================================
--- head/sys/kern/capabilities.conf	Sat Aug 13 10:23:52 2011	(r224811)
+++ head/sys/kern/capabilities.conf	Sat Aug 13 10:43:21 2011	(r224812)
@@ -239,9 +239,7 @@ getcontext ## Allow directory I/O on a file descriptor, subject to capability rights. ## Originally we had separate capabilities for directory-specific read ## operations, but on BSD we allow reading the raw directory data, so we just -## rely on CAP_READ (etc) now. -## -## XXXRW: Possibly these should also use CAP_SEEK. +## rely on CAP_READ and CAP_SEEK now. ## getdents getdirentries @@ -447,28 +445,26 @@ obreak olio_listio ## -## Once Capsicum is fully merged, some of the *at(2) calls which can be -## semantically constrained will be permitted in capability mode. For now, -## we will simply not allow them to be called. -## -#faccessat -#fstatat -#fchmodat -#futimesat -#mkdirat -#rmdirat -#mkfifoat -#mknodat -#openat -#renameat - -## -## ONCE CAPSICUM IS FULLY MERGED: -## Allow entry into open(2). This system call will fail, since access to the global -## file namespace has been disallowed, but allowing entry into the syscall means -## that an audit trail will be generated (which is also very useful for debugging), +## Operations relative to directory capabilities. +## +faccessat +fstatat +fchmodat +futimesat +mkdirat +rmdirat +mkfifoat +mknodat +openat +renameat + +## +## Allow entry into open(2). This system call will fail, since access to the +## global file namespace has been disallowed, but allowing entry into the +## syscall means that an audit trail will be generated (which is also very +## useful for debugging). ## -#open +open ## ## Allow poll(2), which will be scoped by capability rights. @@ -648,11 +644,9 @@ setsockopt setuid ## -## ONCE CAPSICUM IS FULLY MERGED: -## Allow shm_open(2), which is scoped so as to allow only access to new -## anonymous objects. +## shm_open(2) is scoped so as to allow only access to new anonymous objects. ## -#shm_open +shm_open ## ## Allow I/O-related file descriptors, subject to capability rights.
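Review bot: in the getdents/getdirentries hunk, the rewritten comment ("rely on CAP_READ and CAP_SEEK now") asserts a rights requirement that this file cannot enforce; capabilities.conf only lists which system calls may be entered in capability mode, and the CAP_SEEK check the log says already exists lives in the syscall implementation. Point the comment at that check (or name the rights the implementation demands) so a reader can verify the claim instead of taking the dropped XXXRW note as resolved on trust.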
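Review bot: in the *at/open hunk, the new header "Operations relative to directory capabilities." should state the invariant these ten calls now depend on, namely that namei() rejects absolute paths, '..' components and symlinks to absolute paths in capability mode (per the log), and that a lookup with AT_FDCWD as the directory is refused there as well, since that would be exactly the global-namespace access the open(2) comment below says is disallowed; otherwise a later relaxation of the lookup policy can silently re-expose every entry in this list. Two smaller points on the same list: it enables rmdirat but not unlinkat, linkat, symlinkat, readlinkat or fchownat, which the same rationale would cover, so either add them or say in the comment why they are held back; and check that rmdirat names an entry in syscalls.master, since directory removal in the *at family is normally unlinkat(2) with AT_REMOVEDIR, and a name here that matches no syscall is a no-op rather than an error.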
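Review bot: in the shm_open hunk, the comment "scoped so as to allow only access to new anonymous objects" describes a constraint (the SHM_ANON path only) that nothing in this file enforces; since uncommenting `shm_open` is what actually exposes the call in capability mode, confirm the implementation refuses a named path there, as the log says it already does, and reference that check in the comment.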
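The commit message describes the "strictly relative" lookup policy (no absolute paths, no '..' components, the same rule applied to symlink targets) but the patch itself only flips entries in capabilities.conf. The following is an added userland model of that policy, written for this page and not FreeBSD kernel code: the function names, the flat symlink table that stands in for a directory tree, the depth guard and the 0/1 return convention are all this example's own, and the real check lives in namei()/lookup(). It is useful for reasoning about edge cases such as "a/../b" (rejected even though it resolves inside the directory), "..foo" (allowed) and a relative symlink whose target escapes through "..".

```c
/*
 * Userland model of the "strictly relative" lookup policy that the commit
 * message describes for namei()/lookup() in capability mode.  Added example,
 * not FreeBSD kernel code: function names, the flat symlink table and the
 * 0/1 return convention are this example's own.
 */
#include <stdio.h>
#include <string.h>

/*
 * Policy check on a path string alone: reject absolute paths and any
 * component that is exactly "..".  Components such as "..foo" or "." are
 * allowed, as are empty components from doubled slashes.
 */
int strictly_relative_ok(const char *path)
{
    const char *p = path;

    if (p == NULL || *p == '/')
        return 0;                 /* absolute path */
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = (end != NULL) ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;             /* ".." component */
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Constructed symlink table standing in for an on-disk tree (example only);
 * it matches on component name regardless of directory, a simplification. */
struct symlink { const char *name; const char *target; };
static const struct symlink links[] = {
    { "abs",  "/etc" },          /* symlink to an absolute path */
    { "up",   "../outside" },    /* relative symlink escaping through ".." */
    { "data", "var/store" },     /* benign relative symlink */
    { "loop", "loop" },          /* self-referential symlink */
};

#define MAX_LINK_DEPTH 8          /* example guard; the kernel has its own limit */

/*
 * Walk the path component by component the way lookup() would and, whenever
 * a component names a symlink, apply the same policy to the link target.
 * Checking the target on its own is equivalent to splicing target and
 * remainder into one string, because both rules (leading '/', literal "..")
 * are decided per component.  Returns 1 if the whole lookup is permitted.
 */
int lookup_ok(const char *path, int depth)
{
    const char *p;

    if (depth > MAX_LINK_DEPTH || !strictly_relative_ok(path))
        return 0;
    for (p = path; *p != '\0'; ) {
        const char *end = strchr(p, '/');
        size_t len = (end != NULL) ? (size_t)(end - p) : strlen(p);
        size_t i;

        for (i = 0; i < sizeof(links) / sizeof(links[0]); i++) {
            if (strlen(links[i].name) == len &&
                strncmp(links[i].name, p, len) == 0 &&
                !lookup_ok(links[i].target, depth + 1))
                return 0;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths, relative to a hypothetical directory fd. */
    static const char *const cases[] = {
        "etc/passwd", "/etc/passwd", "a/../b", "..foo/bar", "./a//b",
        "abs/passwd", "lib/up/x", "data/file", "loop",
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-12s %s\n", cases[i],
               lookup_ok(cases[i], 0) ? "permitted" : "rejected");
    return 0;
}
```

To exercise the real policy on a FreeBSD system rather than this model, a test program would open a directory, call cap_enter(2), and then issue openat(2) against that descriptor with the same set of paths; the model above predicts which of them the kernel should refuse, but the actual errno values are the kernel's, not this example's.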