PERFORCE change 163885 for review

Robert Watson rwatson at FreeBSD.org
Tue Jun 9 11:09:53 UTC 2009


http://perforce.freebsd.org/chv.cgi?CH=163885

Change 163885 by rwatson at rwatson_freebsd_capabilities on 2009/06/09 11:09:14

	Disallow connect()/send() in capability mode since they use global
	IPC namespaces (including potentially the local file system
	interface), and subset sendto()/sendmsg() so that they return an
	error in capability mode if an explicit destination address is
	requested.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#20 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/uipc_syscalls.c#13 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#33 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#33 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#20 (text+ko) ====

@@ -38,7 +38,7 @@
 ## - sys_exit(2), abort2(2) and close(2) are very important.
 ## - Sorted alphabetically, please keep it that way.
 ##
-## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#19 $
+## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#20 $
 ##
 
 ##
@@ -106,12 +106,11 @@
 #audit
 
 ##
-## Allow bind(2) for now, even though it operates on global name spaces, as
-## we support CAP_BIND.
+## Disllow bind(2) for now, even though we support CAP_BIND.
 ##
 ## XXXRW: Revisit this.
 ##
-bind
+#bind
 
 ##
 ## Allow capability mode and capability system calls.
@@ -133,12 +132,11 @@
 close
 
 ##
-## Allow connect(2) for now, ven though it supports global namespaces, we 
-## we support CAP_CONNECT.
+## Disallow connect(2) for now, despite CAP_CONNECT.
 ##
 ## XXXRW: Revisit this.
 ##
-connect
+#connect
 
 ##
 ## cpuset(2) and related calls require scoping by process, but should
@@ -556,7 +554,8 @@
 select
 
 ##
-## Allow I/O-related file descriptors, subject to capability rights.
+## Allow I/O-related file descriptors, subject to capability rights.  Use of
+## explicit addresses here is restricted by the system calls themselves.
 ##
 send
 sendfile

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#33 (text+ko) ====

@@ -126,13 +126,13 @@
 	{ AS(fsync_args), (sy_call_t *)fsync, AUE_FSYNC, NULL, 0, 0, SYF_CAPENABLED },	/* 95 = fsync */
 	{ AS(setpriority_args), (sy_call_t *)setpriority, AUE_SETPRIORITY, NULL, 0, 0, SYF_CAPENABLED },	/* 96 = setpriority */
 	{ AS(socket_args), (sy_call_t *)socket, AUE_SOCKET, NULL, 0, 0, SYF_CAPENABLED },	/* 97 = socket */
-	{ AS(connect_args), (sy_call_t *)connect, AUE_CONNECT, NULL, 0, 0, SYF_CAPENABLED },	/* 98 = connect */
+	{ AS(connect_args), (sy_call_t *)connect, AUE_CONNECT, NULL, 0, 0, 0 },	/* 98 = connect */
 	{ compat(AS(accept_args),accept), AUE_ACCEPT, NULL, 0, 0, SYF_CAPENABLED },	/* 99 = old accept */
 	{ AS(getpriority_args), (sy_call_t *)getpriority, AUE_GETPRIORITY, NULL, 0, 0, SYF_CAPENABLED },	/* 100 = getpriority */
 	{ compat(AS(osend_args),send), AUE_SEND, NULL, 0, 0, SYF_CAPENABLED },	/* 101 = old send */
 	{ compat(AS(orecv_args),recv), AUE_RECV, NULL, 0, 0, SYF_CAPENABLED },	/* 102 = old recv */
 	{ compat(AS(osigreturn_args),sigreturn), AUE_SIGRETURN, NULL, 0, 0, SYF_CAPENABLED },	/* 103 = old sigreturn */
-	{ AS(bind_args), (sy_call_t *)bind, AUE_BIND, NULL, 0, 0, SYF_CAPENABLED },	/* 104 = bind */
+	{ AS(bind_args), (sy_call_t *)bind, AUE_BIND, NULL, 0, 0, 0 },	/* 104 = bind */
 	{ AS(setsockopt_args), (sy_call_t *)setsockopt, AUE_SETSOCKOPT, NULL, 0, 0, SYF_CAPENABLED },	/* 105 = setsockopt */
 	{ AS(listen_args), (sy_call_t *)listen, AUE_LISTEN, NULL, 0, 0, SYF_CAPENABLED },	/* 106 = listen */
 	{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 },			/* 107 = obsolete vtimes */

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#33 (text+ko) ====


==== //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#33 (text+ko) ====


==== //depot/projects/trustedbsd/capabilities/src/sys/kern/uipc_syscalls.c#13 (text+ko) ====

@@ -682,6 +682,12 @@
 	struct sockaddr *to;
 	int error;
 
+#ifdef CAPABILITIES
+	if ((td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) &&
+	    (mp->msg_name != NULL))
+		return (ENOSYS);
+#endif
+
 	if (mp->msg_name != NULL) {
 		error = getsockaddr(&to, mp->msg_name, mp->msg_namelen);
 		if (error) {
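Review bot: The new capability-mode check rejects any non-NULL `mp->msg_name` with ENOSYS, but it sits in the function that copies the user `msghdr` in (the enclosing function starts before this hunk and, judging by the `getsockaddr` call, appears to be the user-facing sendit path), so any other in-kernel caller that builds a `msghdr` with `msg_name` set and enters the lower-level send path directly would presumably not be covered — worth confirming that every path into the socket send code that accepts an explicit destination is gated, not just this one. ENOSYS is also a surprising errno for a call that exists but is refused by policy; if the branch has or gains a capability-mode-specific error value, callers and auditing tools could distinguish "not implemented" from "refused in capability mode". The block deserves a why-comment, e.g. `/* Explicit destination addresses name global namespaces; refuse them in capability mode. */`, since the intent is otherwise only recoverable from the change description.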

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#33 (text+ko) ====


==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#33 (text+ko) ====


==== //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#33 (text+ko) ====


