svn commit: r219134 - in head/sys: amd64/amd64 arm/arm i386/i386
Robert Watson
rwatson at FreeBSD.org
Tue Mar 1 13:35:48 UTC 2011
Author: rwatson
Date: Tue Mar 1 13:35:48 2011
New Revision: 219134
URL: http://svn.freebsd.org/changeset/base/219134
Log:
Continue to introduce Capsicum capability mode:
White list sysarch calls allowed in capability mode; arguably, there
should be some link between the capability mode model and the privilege
model here. Sysarch is a morass similar to ioctl, in many senses.
Submitted by: anderson
Discussed with: benl, kris, pjd
Sponsored by: Google, Inc.
Obtained from: Capsicum Project
MFC after: 3 months
Modified:
head/sys/amd64/amd64/sys_machdep.c
head/sys/arm/arm/sys_machdep.c
head/sys/i386/i386/sys_machdep.c
Modified: head/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- head/sys/amd64/amd64/sys_machdep.c Tue Mar 1 13:32:07 2011 (r219133)
+++ head/sys/amd64/amd64/sys_machdep.c Tue Mar 1 13:35:48 2011 (r219134)
@@ -33,8 +33,11 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_capabilities.h"
+
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -177,6 +180,32 @@ sysarch(td, uap)
uint64_t a64base;
struct i386_ioperm_args iargs;
+#ifdef CAPABILITIES
+ /*
+ * Whitelist of operations which are safe enough for capability mode.
+ */
+ if (IN_CAPABILITY_MODE(td)) {
+ switch (uap->op) {
+ case I386_GET_LDT:
+ case I386_SET_LDT:
+ case I386_GET_IOPERM:
+ case I386_GET_FSBASE:
+ case I386_SET_FSBASE:
+ case I386_GET_GSBASE:
+ case I386_SET_GSBASE:
+ case AMD64_GET_FSBASE:
+ case AMD64_SET_FSBASE:
+ case AMD64_GET_GSBASE:
+ case AMD64_SET_GSBASE:
+ break;
+
+ case I386_SET_IOPERM:
+ default:
+ return (ECAPMODE);
+ }
+ }
+#endif
+
if (uap->op == I386_GET_LDT || uap->op == I386_SET_LDT)
return (sysarch_ldt(td, uap, UIO_USERSPACE));
/*
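Review bot: It is not visible in this hunk whether uap->op is recorded with AUDIT_ARG_CMD() before the capability-mode check returns ECAPMODE, as the i386 hunk does; if the audit call sits below this block, a sysarch refused in capability mode leaves no audit argument for the rejected op, which is the event an operator reviewing a sandboxed process would most want recorded. The explicit `case I386_SET_IOPERM:` ahead of `default:` changes nothing at run time and reads as documentation, so a one-line comment would let that intent survive a later reorganization of the switch, e.g. `/* I386_SET_IOPERM grants I/O port access and is never allowed from capability mode. */`; the same pattern appears in the i386 hunk. sysarch() begins and ends outside this hunk.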
Modified: head/sys/arm/arm/sys_machdep.c
==============================================================================
--- head/sys/arm/arm/sys_machdep.c Tue Mar 1 13:32:07 2011 (r219133)
+++ head/sys/arm/arm/sys_machdep.c Tue Mar 1 13:35:48 2011 (r219134)
@@ -36,8 +36,11 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_capabilities.h"
+
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/capability.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/syscall.h>
@@ -104,6 +107,24 @@ sysarch(td, uap)
{
int error;
+#ifdef CAPABILITIES
+ /*
+ * Whitelist of operations which are safe enough for capability mode.
+ */
+ if (IN_CAPABILITY_MODE(td)) {
+ switch (uap->op) {
+ case ARM_SYNC_ICACHE:
+ case ARM_DRAIN_WRITEBUF:
+ case ARM_SET_TP:
+ case ARM_GET_TP:
+ break;
+
+ default:
+ return (ECAPMODE);
+ }
+ }
+#endif
+
switch (uap->op) {
case ARM_SYNC_ICACHE :
error = arm32_sync_icache(td, uap->parms);
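Review bot: The whitelist switch mirrors the dispatch switch that begins right after it, and the two have to be maintained independently; because the `default:` arm returns ECAPMODE, an op added later only to the dispatch switch is refused in capability mode, which fails closed, but that invariant deserves to be stated so nobody "fixes" a missing case by adding a pass-through, e.g. `/* Ops not listed here are refused in capability mode; extend deliberately. */`. Whether the op is audited before ECAPMODE is returned is not visible here either; the i386 hunk places AUDIT_ARG_CMD() before the check. sysarch() begins and ends outside this hunk.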
Modified: head/sys/i386/i386/sys_machdep.c
==============================================================================
--- head/sys/i386/i386/sys_machdep.c Tue Mar 1 13:32:07 2011 (r219133)
+++ head/sys/i386/i386/sys_machdep.c Tue Mar 1 13:35:48 2011 (r219134)
@@ -32,9 +32,11 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_capabilities.h"
#include "opt_kstack_pages.h"
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/systm.h>
#include <sys/lock.h>
#include <sys/malloc.h>
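Review bot: `#include <sys/capability.h>` is inserted between `<sys/param.h>` and `<sys/systm.h>`, whereas the amd64 and arm hunks in this commit add it after `<sys/systm.h>`; FreeBSD convention keeps param.h and systm.h as the first two system headers, so moving the line below `<sys/systm.h>` would keep the three files consistent.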
@@ -108,6 +110,29 @@ sysarch(td, uap)
struct segment_descriptor sd, *sdp;
AUDIT_ARG_CMD(uap->op);
+
+#ifdef CAPABILITIES
+ /*
+ * Whitelist of operations which are safe enough for capability mode.
+ */
+ if (IN_CAPABILITY_MODE(td)) {
+ switch (uap->op) {
+ case I386_GET_LDT:
+ case I386_SET_LDT:
+ case I386_GET_IOPERM:
+ case I386_GET_FSBASE:
+ case I386_SET_FSBASE:
+ case I386_GET_GSBASE:
+ case I386_SET_GSBASE:
+ break;
+
+ case I386_SET_IOPERM:
+ default:
+ return (ECAPMODE);
+ }
+ }
+#endif
+
switch (uap->op) {
case I386_GET_IOPERM:
case I386_SET_IOPERM:
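Review bot: The comment "safe enough for capability mode" leaves the admission criterion implicit, so a future op cannot be classified without rediscovering it; stating the rule in the comment would help, e.g. that the listed operations only read or set the calling process's own descriptor and segment-base state while I386_SET_IOPERM hands out hardware I/O port access (to be confirmed against the handlers), and the same wording applies to the amd64 and arm hunks. Placing the check after `AUDIT_ARG_CMD(uap->op)` is the right order, since a refused op still has its argument audited. sysarch() begins and ends outside this hunk.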