PERFORCE change 134203 for review
Robert Watson
rwatson at FreeBSD.org
Sun Jan 27 07:54:58 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=134203
Change 134203 by rwatson at rwatson_freebsd_capabilities on 2008/01/27 15:54:17
In capabilities mode, don't allow the use of interpreters.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#5 (text+ko) ====
@@ -384,6 +384,18 @@
interpret:
if (args->fname != NULL) {
+ /*
+ * While capability mode can't reach this point via direct
+ * path arguments to execve(), we also don't allow
+ * interpreters to be used in capability mode (for now).
+ * Catch indirect lookups and return a permissions error.
+ *
+ * XXXRW: Is this the right error?
+ */
+ if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {
+ error = EPERM;
+ goto exec_fail;
+ }
error = namei(ndp);
if (error)
goto exec_fail;
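Review bot: The new check under `interpret:` tests only `td->td_ucred->cr_flags & CRED_FLAG_CAPMODE` inside `if (args->fname != NULL)`, so it rejects every path-based pass through this block, not specifically the interpreter re-entry the comment describes. That fails closed, which is the safe direction, but it depends on the comment's claim that capability mode cannot reach this point via a direct path argument to execve(), and nothing in these lines enforces or asserts that claim. Consider stating where that invariant is enforced, or asserting it here, so a later change to the direct-path case does not silently turn this into the only gate. The `XXXRW: Is this the right error?` question should also be settled before this leaves the branch: `EPERM` reads to callers as an ordinary credential failure, and the chosen errno for "not permitted in capability mode" ought to be documented for execve() so sandboxed programs can tell the two apart. Finally, the visible lines only cover the `args->fname != NULL` branch; it is worth confirming that an interpreter lookup can never proceed through the other branch while `CRED_FLAG_CAPMODE` is set.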