PERFORCE change 134017 for review

Robert Watson rwatson at FreeBSD.org
Thu Jan 24 08:19:28 PST 2008


http://perforce.freebsd.org/chv.cgi?CH=134017

Change 134017 by rwatson at rwatson_freebsd_capabilities on 2008/01/24 16:18:38

	Don't use fileops passthrough as we now filter capabilities when a
	file descriptor is used rather than on the way down the operation
	stack.  Panic in the passthrough functions, except for close,
	which is still needed.
	
	Update comments.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 (text+ko) ====

@@ -38,16 +38,12 @@
  * rather than referencing the previous capability.
  *
  * XXXRW:
- * - Does it make sense that each capability maintains a separate seek
- *   location from the file descriptor it wraps?  What about DSEEKABLE, which
- *   appears to be static for a particular fileops?
- * - Does it make sense that each capability maintains a separate f_flags
- *   from the file descriptor it wraps?
- * - Currently we can only forward operations that are handled via fileops.
  * - Some operations, such as poll/select/kqueue are explicitly aware of file
  *   descriptors and may need adapting.
  * - UNIX domain socket passing of file descriptors will likely need work,
- *   especially relating to garbage collection.
+ *   especially relating to garbage collection.  Do we need to teach the GC
+ *   routines to walk through capabilities to the underlying object
+ *   descriptors so it knows they are reachable?
  * - The list of capability rights is probably inadequate.
  * - Should there be a privilege to expand capability rights?
  * - Should different underlying object sets have different valid capability
@@ -56,15 +52,14 @@
  *   approved system calls.  A flag in syscalls.master?
  * - Need to refine access control on sysctl infrastructe sysctls, such as
  *   name lookup.
- * - masking in fo_read/fo_write/etc is undesirable because really we want
- *   only the original file to be used, as it might have state (cred, flags,
- *   etc) that should be used instead.  seekable is a particular issue.
  * - mmap should incorporate capability rights into maxprot, not just file
  *   flags.
+ * - Need fexec() or similar primitive to launch code in a sandbox.  What
+ *   should this look like?
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#8 $");
+__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#9 $");
 
 #include <sys/param.h>
 #include <sys/capability.h>
@@ -297,117 +292,63 @@
 }
 
 /*
- * Various pass-through operations for the capability.
+ * In general, file descriptor operations should never make it to the
+ * capability, only the underlying file descriptor operation vector, so with
+ * the exception of close(), panic if we do turn up here.
  */
 static int
 capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
     int flags, struct thread *td)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_read: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_READ);
-	if (error)
-		return (error);
-	return (fo_read(c->cap_file, uio, active_cred, flags, td));
+	panic("capability_read");
 }
 
 static int
 capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
     int flags, struct thread *td)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_write: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_WRITE);
-	if (error)
-		return (error);
-	return (fo_write(c->cap_file, uio, active_cred, flags, td));
+	panic("capability_write");
 }
 
 static int
 capability_truncate(struct file *fp, off_t length, struct ucred *active_cred,
     struct thread *td)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_truncate: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_FTRUNCATE);
-	if (error)
-		return (error);
-	return (fo_truncate(c->cap_file, length, active_cred, td));
+	panic("capability_truncate");
 }
 
 static int
 capability_ioctl(struct file *fp, u_long com, void *data,
     struct ucred *active_cred, struct thread *td)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_ioctl: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_IOCTL);
-	if (error)
-		return (error);
-	return (fo_ioctl(c->cap_file, com, data, active_cred, td));
+	panic("capability_ioctl");
 }
 
 static int
 capability_poll(struct file *fp, int events, struct ucred *active_cred,
     struct thread *td)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_poll: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_EVENT);
-	if (error)
-		return (error);
-	return (fo_poll(c->cap_file, events, active_cred, td));
+	panic("capability_poll");
 }
 
 static int
 capability_kqfilter(struct file *fp, struct knote *kn)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_kqfilter: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_EVENT);
-	if (error)
-		return (error);
-	return (fo_kqfilter(c->cap_file, kn));
+	panic("capability_kqfilter");
 }
 
 static int
 capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred,
     struct thread *td)
 {
-	struct capability *c;
-	int error;
 
-	KASSERT(fp->f_type == DTYPE_CAPABILITY,
-	    ("capability_stat: !capability"));
-	c = fp->f_data;
-	error = cap_check(c, CAP_FSTAT);
-	if (error)
-		return (error);
-	return (fo_stat(c->cap_file, sb, active_cred, td));
+	panic("capability_stat");
 }
 
 static int
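Review bot: The seven stubs from `capability_read` through `capability_stat` now panic unconditionally, so any remaining path that hands a DTYPE_CAPABILITY `struct file` to an fo_* call becomes a kernel crash triggerable by the process holding that descriptor, where the removed `cap_check` path returned an error instead. The commit message says rights are now filtered when the descriptor is looked up, which this hunk cannot show, so it is worth confirming that every caller reaching these fileops goes through that filtered lookup before relying on the panic as an unreachable-code assertion. The new panic strings also drop the information the removed KASSERTs carried; something like `panic("capability_read: fp %p type %d", fp, fp->f_type);` would at least record what object arrived, and the same applies to the other six stubs. The `static int` on the last line of the hunk opens a definition that continues outside it.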

