PERFORCE change 163885 for review
Robert Watson
rwatson at FreeBSD.org
Tue Jun 9 11:09:53 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=163885
Change 163885 by rwatson at rwatson_freebsd_capabilities on 2009/06/09 11:09:14
Disallow connect()/send() in capability mode since they use global
IPC namespaces (including potentially the local file system
interface), and subset sendto()/sendmsg() so that they return an
error in capability mode if an explicit destination address is
requested.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#20 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/uipc_syscalls.c#13 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#33 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#20 (text+ko) ====
@@ -38,7 +38,7 @@
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
-## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#19 $
+## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#20 $
##
##
@@ -106,12 +106,11 @@
#audit
##
-## Allow bind(2) for now, even though it operates on global name spaces, as
-## we support CAP_BIND.
+## Disllow bind(2) for now, even though we support CAP_BIND.
##
## XXXRW: Revisit this.
##
-bind
+#bind
##
## Allow capability mode and capability system calls.
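Review bot: The new comment line introduces a typo, "Disllow", and its sense is inverted from the line it replaces, so it should read `## Disallow bind(2) for now, even though we support CAP_BIND.` to match the wording used for connect(2) later in this file. Separately, the change description says connect()/send() are disallowed in capability mode, but this hunk disables bind(2), the later hunk disables connect(2), and the `send` entry near line 556 stays enabled; the description should name bind() rather than send() so the commit record matches the diff.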
@@ -133,12 +132,11 @@
close
##
-## Allow connect(2) for now, ven though it supports global namespaces, we
-##Â we support CAP_CONNECT.
+## Disallow connect(2) for now, despite CAP_CONNECT.
##
## XXXRW: Revisit this.
##
-connect
+#connect
##
## cpuset(2) and related calls require scoping by process, but should
@@ -556,7 +554,8 @@
select
##
-## Allow I/O-related file descriptors, subject to capability rights.
+## Allow I/O-related file descriptors, subject to capability rights. Use of
+## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#33 (text+ko) ====
@@ -126,13 +126,13 @@
{ AS(fsync_args), (sy_call_t *)fsync, AUE_FSYNC, NULL, 0, 0, SYF_CAPENABLED }, /* 95 = fsync */
{ AS(setpriority_args), (sy_call_t *)setpriority, AUE_SETPRIORITY, NULL, 0, 0, SYF_CAPENABLED }, /* 96 = setpriority */
{ AS(socket_args), (sy_call_t *)socket, AUE_SOCKET, NULL, 0, 0, SYF_CAPENABLED }, /* 97 = socket */
- { AS(connect_args), (sy_call_t *)connect, AUE_CONNECT, NULL, 0, 0, SYF_CAPENABLED }, /* 98 = connect */
+ { AS(connect_args), (sy_call_t *)connect, AUE_CONNECT, NULL, 0, 0, 0 }, /* 98 = connect */
{ compat(AS(accept_args),accept), AUE_ACCEPT, NULL, 0, 0, SYF_CAPENABLED }, /* 99 = old accept */
{ AS(getpriority_args), (sy_call_t *)getpriority, AUE_GETPRIORITY, NULL, 0, 0, SYF_CAPENABLED }, /* 100 = getpriority */
{ compat(AS(osend_args),send), AUE_SEND, NULL, 0, 0, SYF_CAPENABLED }, /* 101 = old send */
{ compat(AS(orecv_args),recv), AUE_RECV, NULL, 0, 0, SYF_CAPENABLED }, /* 102 = old recv */
{ compat(AS(osigreturn_args),sigreturn), AUE_SIGRETURN, NULL, 0, 0, SYF_CAPENABLED }, /* 103 = old sigreturn */
- { AS(bind_args), (sy_call_t *)bind, AUE_BIND, NULL, 0, 0, SYF_CAPENABLED }, /* 104 = bind */
+ { AS(bind_args), (sy_call_t *)bind, AUE_BIND, NULL, 0, 0, 0 }, /* 104 = bind */
{ AS(setsockopt_args), (sy_call_t *)setsockopt, AUE_SETSOCKOPT, NULL, 0, 0, SYF_CAPENABLED }, /* 105 = setsockopt */
{ AS(listen_args), (sy_call_t *)listen, AUE_LISTEN, NULL, 0, 0, SYF_CAPENABLED }, /* 106 = listen */
{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 107 = obsolete vtimes */
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#33 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#33 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/uipc_syscalls.c#13 (text+ko) ====
@@ -682,6 +682,12 @@
struct sockaddr *to;
int error;
+#ifdef CAPABILITIES
+ if ((td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) &&
+ (mp->msg_name != NULL))
+ return (ENOSYS);
+#endif
+
if (mp->msg_name != NULL) {
error = getsockaddr(&to, mp->msg_name, mp->msg_namelen);
if (error) {
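Review bot: The new capability-mode check carries no comment explaining why an explicit destination is refused or why ENOSYS is the chosen error, and this is the kind of policy decision the next reader will need; a comment such as `/* In capability mode an explicit destination names a global namespace (e.g. the file system for local sockets), so refuse it; ENOSYS for now, revisit. */` above the `#ifdef` would record it. ENOSYS is also the "system call not implemented" errno, so callers cannot tell a capability-mode refusal from a missing syscall; if the project has, or later grows, a dedicated errno for capability-mode denials it would be the better return here. The test keys only on `mp->msg_name != NULL` and ignores `msg_namelen`, which is the conservative choice (a non-NULL name with zero length is refused rather than falling through to getsockaddr, which presumably rejects it with EINVAL) and is worth stating in that comment. The enclosing function starts and ends outside the hunk.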
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#33 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#33 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#33 (text+ko) ====