PERFORCE change 133832 for review

Robert Watson rwatson at FreeBSD.org
Mon Jan 21 17:30:55 PST 2008


http://perforce.freebsd.org/chv.cgi?CH=133832

Change 133832 by rwatson at rwatson_freebsd_capabilities on 2008/01/22 01:29:57

	Define cap_enter(2), a system call to enter "capability mode", in
	which a process is prevented from accessing system resources via
	global namespaces, and must instead use only file descriptors and
	capabilities exposed prior to the call to cap_enter(2).  Not yet
	implemented, need to think a lot about the semantics.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.master#4 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#6 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 (text+ko) ====

@@ -54,10 +54,11 @@
  * - Should there be a privilege to expand capability rights?
  * - Should different underlying object sets have different valid capability
  *   rights?  I.e., CAP_SOCK_*, CAP_VNODE_*, etc?
+ * - cap_enter(2) is not implemented.
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#3 $");
+__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 $");
 
 #include <sys/param.h>
 #include <sys/capability.h>
@@ -161,6 +162,18 @@
 }
 
 /*
+ * Enter capability mode for the process.
+ */
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+
+	/* XXXRW: Not implemented. */
+
+	return (0);
+}
+
+/*
  * Create a new capability reference to either an existing file object or an
  * an existing capability.
  */

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.master#4 (text+ko) ====

@@ -853,5 +853,6 @@
 484	AUE_NULL	STD	{ int cap_new(int fd, u_int64_t rights); }
 485	AUE_NULL	STD	{ int cap_getrights(int fd, \
 				    u_int64_t *rightsp); }
+486	AUE_NULL	STD	{ int cap_enter(void); }
 ; Please copy any additions and changes to the following compatability tables:
 ; sys/compat/freebsd32/syscalls.master
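Review bot: The new syscall 486 entry is added only to this table, while the affected-files list for this change does not include sys/compat/freebsd32/syscalls.master, which the comment directly below the entry asks to be kept in sync; a 32-bit process would then have no way to reach cap_enter(2), or worse, a stale number could map to a different call. Either add the mirrored `486	AUE_NULL	STD	{ int cap_enter(void); }` line to the compat table in the same change, or note in the change description that it is deliberately deferred.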

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#6 (text+ko) ====

@@ -23,7 +23,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#5 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#6 $
  */
 
 /*
@@ -120,6 +120,18 @@
 #else /* !_KERNEL */
 
 /*
+ * cap_enter(): Cause the process to enter capability mode, which will
+ * prevent it from directly accessing global namespaces.  System calls will
+ * be limited to those performed on file descriptors, and subject to the
+ * restrictions imposed by the objects referenced and the rights specified in
+ * the file descriptor and possibly a protecting capability.  If already in
+ * the capability mode, a no-op.
+ *
+ * XXXRW: This isn't implemented yet.
+ */
+int	cap_enter(void);
+
+/*
  * cap_new(): Create a new capability derived from an existing file
  * descriptor with the specified rights.  If the existing file descriptor is
  * a capability, then the new rights must be a subset of the existing rights.
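Review bot: The header comment for cap_enter() describes the effect but not the return contract, so a caller cannot tell how failure (including the current unimplemented state) is reported; add a line after the "If already in the capability mode, a no-op." sentence such as `Returns 0 on success, or -1 with errno set on failure.` It would also help to state whether the mode is inherited across fork(2)/execve(2) and whether it can be left again, since callers will rely on those properties for sandboxing; if that is still undecided, say so explicitly rather than leaving it implicit. The XXXRW note should stay until the kernel side does more than return success.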

