PERFORCE change 134780 for review
Robert Watson
rwatson at FreeBSD.org
Mon Feb 4 06:35:09 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=134780
Change 134780 by rwatson at rwatson_freebsd_capabilities on 2008/02/04 14:34:36
Remove CAP_FCHDIR: fchdir() is no longer permitted in capability
mode, so the right is not required.
Remove CAP_GETDIRENTRIES and just use CAP_READ, since CAP_READ
allows reading directory contents anyway.
Teach vfs_acl.c and vfs_extattr.c to use getvnode_cap(), which
requires making it non-static. Use ACL and EXTATTR
capabilities.
Define cap_rights_t in types.h (and _types.h) and nested include
that from capability.h. As a result, explicit includes of
capability.h are now required in any .c file that uses a CAP_
constant, so update. We no longer leak the include of
capability.h all over the place though.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/aac/aac_linux.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/amr/amr_linux.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/hwpmc/hwpmc_logging.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/iscsi/initiator/iscsi.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/dev/tdfx/tdfx_linux.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/fs/fdescfs/fdesc_vnops.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_fcntl.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_ioctl.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_event.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#8 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_generic.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_acl.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_aio.c#4 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_extattr.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/nfsserver/nfs_syscalls.c#3 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/_types.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#10 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/file.h#4 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/filedesc.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/types.h#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/vm/vm_mmap.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/dev/aac/aac_linux.c#3 (text+ko) ====
@@ -33,6 +33,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/conf.h>
#include <sys/kernel.h>
#include <sys/module.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/dev/amr/amr_linux.c#3 (text+ko) ====
@@ -30,6 +30,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/conf.h>
#include <sys/kernel.h>
#include <sys/module.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/dev/hwpmc/hwpmc_logging.c#3 (text+ko) ====
@@ -37,6 +37,7 @@
__FBSDID("$FreeBSD: src/sys/dev/hwpmc/hwpmc_logging.c,v 1.9 2007/12/07 08:20:15 jkoshy Exp $");
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/file.h>
#include <sys/kernel.h>
#include <sys/kthread.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/dev/iscsi/initiator/iscsi.c#3 (text+ko) ====
@@ -35,6 +35,7 @@
#include "opt_iscsi_initiator.h"
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/conf.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/dev/tdfx/tdfx_linux.c#3 (text) ====
@@ -28,6 +28,7 @@
__FBSDID("$FreeBSD: src/sys/dev/tdfx/tdfx_linux.c,v 1.1 2006/03/03 21:37:36 yar Exp $");
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/file.h>
#include <sys/kernel.h>
#include <sys/module.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/fs/fdescfs/fdesc_vnops.c#3 (text+ko) ====
@@ -40,6 +40,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/conf.h>
#include <sys/dirent.h>
#include <sys/filedesc.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_fcntl.c#3 (text+ko) ====
@@ -32,6 +32,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/fcntl.h>
#include <sys/file.h>
#include <sys/filedesc.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/i386/ibcs2/ibcs2_ioctl.c#3 (text+ko) ====
@@ -31,6 +31,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/consio.h>
#include <sys/fcntl.h>
#include <sys/file.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_event.c#3 (text+ko) ====
@@ -32,6 +32,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#8 (text+ko) ====
@@ -34,6 +34,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/eventhandler.h>
#include <sys/lock.h>
#include <sys/mutex.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_generic.c#3 (text+ko) ====
@@ -43,6 +43,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
+#include <sys/capability.h>
#include <sys/filedesc.h>
#include <sys/filio.h>
#include <sys/fcntl.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_acl.c#2 (text+ko) ====
@@ -40,6 +40,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
+#include <sys/capability.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mount.h>
@@ -272,7 +273,8 @@
struct file *fp;
int vfslocked, error;
- error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_GET,
+ &fp);
if (error == 0) {
vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
error = vacl_get_acl(td, fp->f_vnode, uap->type, uap->aclp);
@@ -291,7 +293,8 @@
struct file *fp;
int vfslocked, error;
- error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_SET,
+ &fp);
if (error == 0) {
vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
error = vacl_set_acl(td, fp->f_vnode, uap->type, uap->aclp);
@@ -350,7 +353,8 @@
struct file *fp;
int vfslocked, error;
- error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_DELETE,
+ &fp);
if (error == 0) {
vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
error = vacl_delete(td, fp->f_vnode, uap->type);
@@ -409,7 +413,8 @@
struct file *fp;
int vfslocked, error;
- error = getvnode(td->td_proc->p_fd, uap->filedes, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->filedes, CAP_ACL_CHECK,
+ &fp);
if (error == 0) {
vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount);
error = vacl_aclcheck(td, fp->f_vnode, uap->type, uap->aclp);
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_aio.c#4 (text+ko) ====
@@ -26,6 +26,7 @@
#include <sys/malloc.h>
#include <sys/bio.h>
#include <sys/buf.h>
+#include <sys/capability.h>
#include <sys/eventhandler.h>
#include <sys/sysproto.h>
#include <sys/filedesc.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_extattr.c#2 (text+ko) ====
@@ -33,6 +33,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/lock.h>
#include <sys/mount.h>
#include <sys/mutex.h>
@@ -219,7 +220,8 @@
return (error);
AUDIT_ARG(text, attrname);
- error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_SET,
+ &fp);
if (error)
return (error);
@@ -400,7 +402,8 @@
return (error);
AUDIT_ARG(text, attrname);
- error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_GET,
+ &fp);
if (error)
return (error);
@@ -551,7 +554,8 @@
return (error);
AUDIT_ARG(text, attrname);
- error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_DELETE,
+ &fp);
if (error)
return (error);
@@ -711,7 +715,8 @@
AUDIT_ARG(fd, uap->fd);
AUDIT_ARG(value, uap->attrnamespace);
- error = getvnode(td->td_proc->p_fd, uap->fd, &fp);
+ error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_EXTATTR_LIST,
+ &fp);
if (error)
return (error);
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#5 (text+ko) ====
@@ -142,7 +142,7 @@
* it is a capability, the right rights are present. A reference on the file
* entry is held upon returning.
*/
-static int
+int
getvnode_cap(struct filedesc *fdp, int fd, cap_rights_t rights,
struct file **fpp)
{
@@ -811,7 +811,7 @@
int error;
AUDIT_ARG(fd, uap->fd);
- if ((error = getvnode_cap(fdp, uap->fd, CAP_FCHDIR, &fp)) != 0)
+ if ((error = getvnode(fdp, uap->fd, &fp)) != 0)
return (error);
vp = fp->f_vnode;
VREF(vp);
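Review bot: Switching fchdir() back to plain getvnode() drops the rights check entirely rather than replacing it, so the only thing stopping a sandboxed process from changing directory through a descriptor is whatever rejects fchdir() in capability mode elsewhere — that enforcement is not visible in this hunk. Outside capability mode, if getvnode() unwraps capability descriptors (I cannot see its body here), a process holding a directory capability with a narrow rights mask can still fchdir() into it, because no rights are consulted. Worth recording the assumption at the call site so it is not lost: `/* No rights check: fchdir() is refused in capability mode before reaching this point. */`. The enclosing fchdir() implementation starts before and continues past this hunk.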
@@ -3618,8 +3618,8 @@
/* XXX arbitrary sanity limit on `count'. */
if (uap->count > 64 * 1024)
return (EINVAL);
- if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd,
- CAP_GETDIRENTRIES, &fp)) != 0)
+ if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_GETREAD,
+ &fp)) != 0)
return (error);
if ((fp->f_flag & FREAD) == 0) {
fdrop(fp, td);
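Review bot: `CAP_GETREAD` on the third line of this hunk is not a defined right — the capability.h hunk in this change defines `CAP_READ`, and the sibling hunk further down in vfs_syscalls.c already uses `CAP_READ` for the same check — so this line will not compile as written. Change it to `if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_READ,` and leave the `&fp)) != 0)` continuation as is. The enclosing function begins before this hunk and its body continues after it.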
@@ -3761,8 +3761,8 @@
int error, eofflag;
AUDIT_ARG(fd, uap->fd);
- if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd,
- CAP_GETDIRENTRIES, &fp)) != 0)
+ if ((error = getvnode_cap(td->td_proc->p_fd, uap->fd, CAP_READ,
+ &fp)) != 0)
return (error);
if ((fp->f_flag & FREAD) == 0) {
fdrop(fp, td);
==== //depot/projects/trustedbsd/capabilities/src/sys/nfsserver/nfs_syscalls.c#3 (text+ko) ====
@@ -40,6 +40,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
+#include <sys/capability.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
#include <sys/file.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/_types.h#2 (text+ko) ====
@@ -38,6 +38,7 @@
typedef __uint32_t __blksize_t; /* file block size */
typedef __int64_t __blkcnt_t; /* file block count */
typedef __int32_t __clockid_t; /* clock_gettime()... */
+typedef __uint64_t __cap_rights_t; /* capability rights */
typedef __uint32_t __fflags_t; /* file flags */
typedef __uint64_t __fsblkcnt_t;
typedef __uint64_t __fsfilcnt_t;
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#10 (text+ko) ====
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#9 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#10 $
*/
/*
@@ -32,19 +32,13 @@
#ifndef _SYS_CAPABILITY_H_
#define _SYS_CAPABILITY_H_
-/*
- * cap_rights_t defines a mask of rights on a capability. In the future,
- * perhaps this should be a type supporting more than 64 rights on a
- * capability.
- */
-typedef u_int64_t cap_rights_t;
+#include <sys/types.h>
/*
* Possibly rights on capabilities.
*/
#define CAP_READ 0x0000000000000001ULL /* read/recv */
#define CAP_WRITE 0x0000000000000002ULL /* write/send */
-#define CAP_FCHDIR 0x0000000000000004ULL /* fchdir */
#define CAP_SEEK 0x0000000000000008ULL /* lseek, various io */
#define CAP_GETPEERNAME 0x0000000000000010ULL /* getpeername */
#define CAP_GETSOCKNAME 0x0000000000000020ULL /* getsockname */
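Review bot: The comment on `CAP_READ` still says only `/* read/recv */`, but with CAP_GETDIRENTRIES removed this right now also authorizes listing a directory through getdirentries(), as the change description states; a reader of the header has no way to see that widening. Suggest `#define CAP_READ 0x0000000000000001ULL /* read/recv, getdirentries */` so the broader meaning is documented where the right is defined.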
@@ -59,7 +53,6 @@
#define CAP_FCHMOD 0x0000000000004000ULL /* fchmod */
#define CAP_FTRUNCATE 0x0000000000008000ULL /* ftruncate */
#define CAP_FLOCK 0x0000000000010000ULL /* flock */
-#define CAP_GETDIRENTRIES 0x0000000000020000ULL /* getdirentries */
#define CAP_FSTATFS 0x0000000000040000ULL /* fstatfs */
#define CAP_REVOKE 0x0000000000080000ULL /* revoke */
#define CAP_FEXECVE 0x0000000000100000ULL /* fexecve */
@@ -84,7 +77,7 @@
#define CAP_LISTEN 0x0000008000000000ULL /* listen */
#define CAP_SHUTDOWN 0x0000010000000000ULL /* shutdown */
#define CAP_PEELOFF 0x0000020000000000ULL /* sctp_peeloff */
-#define CAP_MASK_VALID 0x000003ffffffffffULL
+#define CAP_MASK_VALID 0x000003fffffdfffbULL
/*
* Notes:
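Review bot: The new `CAP_MASK_VALID` value is arithmetically right — it clears exactly bits 0x4 and 0x20000, the two rights deleted above — but those bit positions are now silent holes in the mask with nothing marking them as retired, which invites a later right being assigned one of them with different semantics while binaries or serialized rights masks built against this header still carry the old meaning. Suggest a one-line comment next to the mask, e.g. `/* 0x4 (CAP_FCHDIR) and 0x20000 (CAP_GETDIRENTRIES) are retired; do not reuse. */`.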
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/file.h#4 (text+ko) ====
@@ -38,7 +38,6 @@
#include <sys/fcntl.h>
#include <sys/unistd.h>
#else
-#include <sys/capability.h>
#include <sys/queue.h>
#include <sys/_lock.h>
#include <sys/_mutex.h>
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/filedesc.h#2 (text+ko) ====
@@ -126,6 +126,8 @@
filedesc_to_leader_alloc(struct filedesc_to_leader *old,
struct filedesc *fdp, struct proc *leader);
int getvnode(struct filedesc *fdp, int fd, struct file **fpp);
+int getvnode_cap(struct filedesc *fdp, int fd, cap_rights_t rights,
+ struct file **fpp);
void mountcheckdirs(struct vnode *olddp, struct vnode *newdp);
void setugidsafety(struct thread *td);
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/types.h#2 (text+ko) ====
@@ -129,6 +129,8 @@
#define _BLKCNT_T_DECLARED
#endif
+typedef __cap_rights_t cap_rights_t;
+
#ifndef _CLOCK_T_DECLARED
typedef __clock_t clock_t;
#define _CLOCK_T_DECLARED
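Review bot: The new `cap_rights_t` typedef is added unconditionally, while the neighbouring typedefs in this hunk (`clock_t`, `blkcnt_t`) each sit inside an `#ifndef _X_T_DECLARED` / `#define _X_T_DECLARED` guard so other headers can declare the same type without a redefinition error. Since capability.h now pulls in this header and any other header wanting `cap_rights_t` must rely on it too, it should follow the same convention.
```c
#ifndef _CAP_RIGHTS_T_DECLARED
typedef	__cap_rights_t	cap_rights_t;
#define	_CAP_RIGHTS_T_DECLARED
#endif
```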
==== //depot/projects/trustedbsd/capabilities/src/sys/vm/vm_mmap.c#3 (text+ko) ====
@@ -49,6 +49,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>