PERFORCE change 133870 for review
Robert Watson
rwatson at FreeBSD.org
Tue Jan 22 08:29:18 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=133870
Change 133870 by rwatson at rwatson_freebsd_capabilities on 2008/01/22 16:28:22
Don't allow sysctl read or write access in capability mode unless
nodes have been specifically marked as available.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_sysctl.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/sysctl.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_sysctl.c#2 (text+ko) ====
@@ -38,10 +38,12 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/kern/kern_sysctl.c,v 1.179 2007/11/30 21:29:08 peter Exp $");
+#include "opt_capabilities.h"
#include "opt_compat.h"
#include "opt_mac.h"
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
@@ -1288,6 +1290,19 @@
KASSERT(req->td != NULL, ("sysctl_root(): req->td == NULL"));
+#ifdef CAPABILITIES
+ /*
+ * If the process is in capability mode, then don't permit reading or
+ * writing unless specifically granted for the node.
+ */
+ if (req->td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {
+ if (req->oldptr && !(oid->oid_kind & CTLFLAG_CAPRD))
+ return (EPERM);
+ if (req->newptr && !(oid->oid_kind & CTLFLAG_CAPWR))
+ return (EPERM);
+ }
+#endif
+
/* Is this sysctl sensitive to securelevels? */
if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
lvl = (oid->oid_kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE;
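Review bot: The capability-mode check added to sysctl_root() tests only `req->oldptr` and `req->newptr`, so a request that carries neither pointer passes both tests even when the node has no capability flag at all. A length-only probe has that shape, and it would presumably still reach the node's handler further down, outside this hunk. A sandboxed process could then invoke handlers nobody vetted for capability mode and learn the size of the data behind them. Failing closed ahead of the two per-direction tests would cover this: `if (!(oid->oid_kind & (CTLFLAG_CAPRD | CTLFLAG_CAPWR))) return (EPERM);`. The block comment could also state that unmarked nodes are denied by default.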
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/sysctl.h#2 (text+ko) ====
@@ -85,6 +85,8 @@
#define CTLMASK_SECURE 0x00F00000 /* Secure level */
#define CTLFLAG_TUN 0x00080000 /* Tunable variable */
#define CTLFLAG_RDTUN (CTLFLAG_RD|CTLFLAG_TUN)
+#define CTLFLAG_CAPRD 0x00040000 /* Can be read in capability mode */
+#define CTLFLAG_CAPWR 0x00020000 /* Can be written in capability mode */
/*
* Secure level. Note that CTLFLAG_SECURE == CTLFLAG_SECURE1.
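Review bot: The comments on `CTLFLAG_CAPRD` and `CTLFLAG_CAPWR` should say that these are opt-in allow bits, and that a node without them is refused with EPERM in capability mode on kernels built with CAPABILITIES. A wording such as `/* Opt-in: readable in capability mode; review the handler before setting */` makes it clear that setting the flag exposes the node's handler to sandboxed processes. The rest of the flag definitions lie outside this hunk, so it is worth confirming that 0x00040000 and 0x00020000 are not already assigned there.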