Date: Tue, 22 Jan 2008 01:30:54 GMT Message-Id: <200801220130.m0M1Usav046211@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 133832 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jan 2008 01:30:55 -0000 http://perforce.freebsd.org/chv.cgi?CH=133832 Change 133832 by rwatson@rwatson_freebsd_capabilities on 2008/01/22 01:29:57 Define cap_enter(2), a system call to enter "capability mode", in which a process is prevented from accessing system resources via global namespaces, and must instead use only file descriptors and capabilities exposed prior to the call to cap_enter(2). Not yet implemented, need to think a lot about the semantics. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 edit .. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.master#4 edit .. //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#6 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 (text+ko) ==== @@ -54,10 +54,11 @@ * - Should there be a privilege to expand capability rights? * - Should different underlying object sets have different valid capability * rights? I.e., CAP_SOCK_*, CAP_VNODE_*, etc? + * - cap_enter(2) is not implemented. */ #include -__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#3 $"); +__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 $"); #include #include @@ -161,6 +162,18 @@ } /* + * Enter capability mode for the process. + */ +int +cap_enter(struct thread *td, struct cap_enter_args *uap) +{ + + /* XXXRW: Not implemented. */ + + return (0); +} + +/* * Create a new capability reference to either an existing file object or an * an existing capability. */ ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.master#4 (text+ko) ==== 
@@ -853,5 +853,6 @@ 484 AUE_NULL STD { int cap_new(int fd, u_int64_t rights); } 485 AUE_NULL STD { int cap_getrights(int fd, \ u_int64_t *rightsp); } +486 AUE_NULL STD { int cap_enter(void); } ; Please copy any additions and changes to the following compatability tables: ; sys/compat/freebsd32/syscalls.master ==== //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#6 (text+ko) ==== @@ -23,7 +23,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#5 $ + * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#6 $ */ /* @@ -120,6 +120,18 @@ #else /* !_KERNEL */ /* + * cap_enter(): Cause the process to enter capability mode, which will + * prevent it from directly accessing global namespaces. System calls will + * be limited to those performed on file descriptors, and subject to the + * restrictions imposed by the objects referenced and the rights specified in + * the file descriptor and possibly a protecting capability. If already in + * the capability mode, a no-op. + * + * XXXRW: This isn't implemented yet. + */ +int cap_enter(void); + +/* * cap_new(): Create a new capability derived from an existing file * descriptor with the specified rights. If the existing file descriptor is * a capability, then the new rights must be a subset of the existing rights.
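Review bot: the new cap_enter() body in sys_capability.c (hunk @@ -161,6 +162,18 @@) returns 0 from an unimplemented stub, so a caller that checks the return value will believe it has entered capability mode while no namespace restriction is actually enforced. Until the mode is implemented, fail closed by replacing `return (0);` with an error such as `return (ENOSYS);` so that a process cannot continue on the assumption that it is sandboxed. The "no-op if already in capability mode" behaviour promised by the capability.h comment also needs a per-process flag to test, which this hunk does not yet introduce.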
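Review bot: the new entry `486 AUE_NULL STD { int cap_enter(void); }` in syscalls.master is not mirrored in sys/compat/freebsd32/syscalls.master, which the context comment directly below the hunk asks for and which is missing from the Affected files list, so 32-bit binaries on a 64-bit kernel would not get the call. Separately, AUE_NULL means no audit record is generated when a process enters capability mode; that transition is exactly the event an administrator reconstructing an incident would want in the audit trail, so consider assigning a dedicated audit event class once the call is implemented (cap_new and cap_getrights are also AUE_NULL here, so this may belong to a later pass over all three).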
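Review bot: the cap_enter() documentation comment in capability.h (hunk @@ -120,6 +120,18 @@) describes the restriction but not its lifetime: whether capability mode is inherited across fork(2) and execve(2), whether it can ever be exited, and what the call returns on failure. Those are the properties a sandboxed program depends on, so the comment should state them once the semantics are settled (the change description says they are still open); in the meantime, since this header is the userland-facing contract, the XXXRW note should state what the call does until then so callers do not mistake the stub for a working sandbox.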