From: Robert Watson
Date: Sat, 13 Aug 2011 13:26:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r224839 - head/sys/kern

Author: rwatson
Date: Sat Aug 13 13:26:40 2011
New Revision: 224839
URL: http://svn.freebsd.org/changeset/base/224839

Log:
  Now that capability support has been committed, update and expand the
  comment at the top of sys_capability.c to describe its new contents.

  Approved by:  re (xxx)

Modified:
  head/sys/kern/sys_capability.c

Modified: head/sys/kern/sys_capability.c
==============================================================================
--- head/sys/kern/sys_capability.c	Sat Aug 13 13:18:54 2011	(r224838)
+++ head/sys/kern/sys_capability.c	Sat Aug 13 13:26:40 2011	(r224839)
@@ -31,9 +31,24 @@ /* * FreeBSD kernel capability facility. * - * Currently, this file implements only capability mode; capabilities - * (rights-refined file descriptors) will follow. + * Two kernel features are implemented here: capability mode, a sandboxed mode + * of execution for processes, and capabilities, a refinement on file + * descriptors that allows fine-grained control over operations on the file + * descriptor. Collectively, these allow processes to run in the style of a + * historic "capability system" in which they can use only resources + * explicitly delegated to them. This model is enforced by restricting access + * to global namespaces in capability mode. * + * Capabilities wrap other file descriptor types, binding them to a constant + * rights mask set when the capability is created. New capabilities may be + * derived from existing capabilities, but only if they have the same or a + * strict subset of the rights on the original capability. + * + * System calls permitted in capability mode are defined in capabilities.conf; + * calls must be carefully audited for safety to ensure that they don't allow + * escape from a sandbox. Some calls permit only a subset of operations in + * capability mode -- for example, shm_open(2) is limited to creating + * anonymous, rather than named, POSIX shared memory objects. */ #include "opt_capsicum.h" @@ -512,4 +527,3 @@ cap_funwrap_mmap(struct file *fp_cap, ca } #endif /* CAPABILITIES */ -
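Review bot: in the first hunk, "only if they have the same or a strict subset of the rights on the original capability" is a roundabout way of saying "only if their rights are a subset of the original capability's rights"; the shorter form reads better and ties the rule back to the "constant rights mask" the preceding sentence introduces. Since this comment now sets out the model the rest of the file enforces, it would also help to state what a derivation that asks for rights outside the parent's mask returns, and to name the global namespaces that capability mode restricts rather than leaving "global namespaces" unqualified.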
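Review bot: the second hunk deletes the trailing blank line after `#endif /* CAPABILITIES */`, an unrelated whitespace cleanup that the log message ("update and expand the comment at the top of sys_capability.c") does not mention; either leave it out of this comment-only change or note it in the log. The log's "Approved by: re (xxx)" also still carries the placeholder and should name the approver.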