From owner-svn-src-stable@freebsd.org Wed Mar 28 14:35:25 2018
Message-Id: <201803281435.w2SEZPWS001334@repo.freebsd.org>
From: Ed Maste
Date: Wed, 28 Mar 2018 14:35:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r331678 - stable/11/lib/libc/sys
X-SVN-Group: stable-11
X-SVN-Commit-Author: emaste
X-SVN-Commit-Paths: stable/11/lib/libc/sys
X-SVN-Commit-Revision: 331678
X-SVN-Commit-Repository: base

Author: emaste
Date: Wed Mar 28 14:35:24 2018
New Revision: 331678
URL: https://svnweb.freebsd.org/changeset/base/331678

Log:
  MFC Capsicum open(2) and openat(2) documentation

  r306537 by cem:

    open.2: Document Capsicum behavior

    Document open(2) and openat(2) behavior in Capsicum capability mode.

    Sponsored by:	Dell EMC Isilon

  r323622 by emaste:

    open(2): update ENOTCAPABLE description for .. lookups

    After r308732 (MFC of r308212) Capsicum permits .. lookups in capability
    mode, as long as path component traversal does not escape the directory
    corresponding to the provided file descriptor.

    Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/lib/libc/sys/open.2
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/lib/libc/sys/open.2 ============================================================================== --- stable/11/lib/libc/sys/open.2 Wed Mar 28 14:33:35 2018 (r331677) +++ stable/11/lib/libc/sys/open.2 Wed Mar 28 14:35:24 2018 (r331678) @@ -28,7 +28,7 @@ .\" @(#)open.2 8.2 (Berkeley) 11/16/93 .\" $FreeBSD$ .\" -.Dd November 22, 2016 +.Dd March 28, 2018 .Dt OPEN 2 .Os .Sh NAME 
@@ -95,6 +95,28 @@ parameter, the current working directory is used and the behavior is identical to a call to .Fn open . .Pp +In +.Xr capsicum 4 +capability mode, +.Fn open +is not permitted. +The +.Fa path +argument to +.Fn openat +must be strictly relative to a file descriptor +.Fa fd , +as defined in +.Pa sys/kern/vfs_lookup.c . +.Fa path +must not be an absolute path and must not contain ".." components. +Additionally, no symbolic link in +.Fa path +may contain ".." components either. +.Fa fd +must not be +.Dv AT_FDCWD . +.Pp The flags specified are formed by .Em or Ns 'ing the following values @@ -457,6 +479,17 @@ nor a file descriptor associated with a directory. .It Bq Er ENOTDIR .Dv O_DIRECTORY is specified and the file is not a directory. +.It Bq Er ECAPMODE +.Dv AT_FDCWD +is specified and the process is in capability mode. +.It Bq Er ECAPMODE +.Fn open +was called and the process is in capability mode. +.It Bq Er ENOTCAPABLE +.Fa path +is an absolute path or contained a ".." component leading to a +directory outside of the directory hierarchy specified by +.Fa fd . .El .Sh SEE ALSO .Xr chmod 2 ,
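Review bot: the DESCRIPTION paragraph added in the `@@ -95,6 +95,28 @@` hunk contradicts the rest of the change: it says `.Fa path` "must not contain ".." components" and that no symbolic link in `.Fa path` "may contain ".." components either", while the r323622 log message and the ENOTCAPABLE entry in the ERRORS hunk say ".." is rejected only when it leads to a directory outside the hierarchy of `.Fa fd`. A reader of the description would conclude that `sub/../file` is refused. Suggest wording both sentences the same way as the ERRORS entry, e.g. `must not contain ".." components that would traverse outside the directory hierarchy specified by` `.Fa fd ,` and the same qualification for ".." components inside symbolic links met during lookup.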
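Review bot: in the `@@ -457,6 +479,17 @@` hunk the ENOTCAPABLE entry mixes tenses ("is an absolute path or contained a ".." component"); make it "is an absolute path or contains a ".." component". The two adjacent ECAPMODE entries cover one condition (capability mode) with two triggers and would read better as a single entry, e.g. `.Fn open` `was called, or` `.Dv AT_FDCWD` was passed to `.Fn openat ,` and the process is in capability mode. The ENOTCAPABLE entry also omits the symbolic-link case that the DESCRIPTION paragraph in the same change describes, so a ".." component inside a symbolic link target that escapes `.Fa fd` should be named here as well.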
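The lookup rule this change documents (a path passed to openat(2) in capability mode may contain ".." only while it stays under the directory fd refers to; absolute paths and AT_FDCWD are refused), as an added userspace model that is not FreeBSD's kernel code: capmode_lookup_check is a hypothetical helper, and the ENOTCAPABLE/ECAPMODE values are reproduced from FreeBSD's sys/errno.h only so the model also compiles on other hosts. It inspects the text of the path only; the symbolic-link case mentioned in the description is not modelled.

```c
/* Added example, not FreeBSD's code: returns the errno open.2 names for a
 * given (fd, path) in capability mode, or 0 when the lookup may proceed.
 * A depth counter models "does ".." traversal escape fd's hierarchy". */
#include <errno.h>
#include <fcntl.h>
#include <string.h>

#ifndef ENOTCAPABLE            /* FreeBSD values; defined here for other hosts */
#define ENOTCAPABLE 93
#endif
#ifndef ECAPMODE
#define ECAPMODE 94
#endif
#ifndef AT_FDCWD
#define AT_FDCWD (-100)
#endif

/* Hypothetical helper mirroring the DESCRIPTION and ERRORS text of the change. */
int capmode_lookup_check(int fd, const char *path)
{
    int depth = 0;                 /* levels descended below fd so far */
    const char *p = path;

    if (fd == AT_FDCWD)
        return ECAPMODE;           /* no "current directory" in capability mode */
    if (path[0] == '/')
        return ENOTCAPABLE;        /* an absolute path is never relative to fd */

    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return ENOTCAPABLE; /* ".." would leave fd's directory hierarchy */
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;               /* ordinary component: one level deeper */
        }                          /* "." and empty components change nothing */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 0;                      /* strictly relative: lookup is permitted */
}
```

With fd 3 standing for an open directory descriptor, "sub/../file" is accepted while "../file", "sub/../../file" and "/etc/passwd" return ENOTCAPABLE, and any path with AT_FDCWD returns ECAPMODE.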