svn commit: r224812 - head/sys/kern
Jonathan Anderson
jonathan at FreeBSD.org
Sat Aug 13 10:43:22 UTC 2011
Author: jonathan
Date: Sat Aug 13 10:43:21 2011
New Revision: 224812
URL: http://svn.freebsd.org/changeset/base/224812
Log:
Allow openat(2), fstatat(2), etc. in capability mode.
namei() and lookup() can now perform "strictly relative" lookups.
Such lookups, performed when in capability mode or when looking up
relative to a directory capability, enforce two policies:
- absolute paths are disallowed (including symlinks to absolute paths)
- paths containing '..' components are disallowed
These constraints make it safe to enable openat() and friends.
These system calls are instrumental in supporting Capsicum
components such as the capability-mode-aware runtime linker.
Finally, adjust comments in capabilities.conf to reflect the actual state
of the world (e.g. shm_open(2) already has the appropriate constraints,
getdents(2) already requires CAP_SEEK).
Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc.
Modified:
head/sys/kern/capabilities.conf
Modified: head/sys/kern/capabilities.conf
==============================================================================
--- head/sys/kern/capabilities.conf Sat Aug 13 10:23:52 2011 (r224811)
+++ head/sys/kern/capabilities.conf Sat Aug 13 10:43:21 2011 (r224812)
@@ -239,9 +239,7 @@ getcontext
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
-## rely on CAP_READ (etc) now.
-##
-## XXXRW: Possibly these should also use CAP_SEEK.
+## rely on CAP_READ and CAP_SEEK now.
##
getdents
getdirentries
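Review bot: the rewritten comment states that getdents/getdirentries now "rely on CAP_READ and CAP_SEEK", but capabilities.conf only lists which syscalls may be entered in capability mode; nothing in this hunk enforces a rights check. The log message says getdents(2) "already requires CAP_SEEK", so the enforcement must live elsewhere in the kernel. Consider having the comment name where that check is performed, so a reader of this file does not take the list itself as the place rights are enforced.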
@@ -447,28 +445,26 @@ obreak
olio_listio
##
-## Once Capsicum is fully merged, some of the *at(2) calls which can be
-## semantically constrained will be permitted in capability mode. For now,
-## we will simply not allow them to be called.
-##
-#faccessat
-#fstatat
-#fchmodat
-#futimesat
-#mkdirat
-#rmdirat
-#mkfifoat
-#mknodat
-#openat
-#renameat
-
-##
-## ONCE CAPSICUM IS FULLY MERGED:
-## Allow entry into open(2). This system call will fail, since access to the global
-## file namespace has been disallowed, but allowing entry into the syscall means
-## that an audit trail will be generated (which is also very useful for debugging),
+## Operations relative to directory capabilities.
+##
+faccessat
+fstatat
+fchmodat
+futimesat
+mkdirat
+rmdirat
+mkfifoat
+mknodat
+openat
+renameat
+
+##
+## Allow entry into open(2). This system call will fail, since access to the
+## global file namespace has been disallowed, but allowing entry into the
+## syscall means that an audit trail will be generated (which is also very
+## useful for debugging).
##
-#open
+open
##
## Allow poll(2), which will be scoped by capability rights.
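Review bot: this hunk flips faccessat through renameat (and open) from commented-out to permitted, and the log message says this is safe only because namei()/lookup() now perform "strictly relative" lookups that reject absolute paths and '..' components. The Modified: list for this revision, however, contains only head/sys/kern/capabilities.conf, so the lookup change that makes these entries safe is not part of this commit. Please confirm that the namei()/lookup() change has already landed in an earlier revision and reference that revision in the log message; as the commit stands, the conf change and its justification cannot be reviewed together. A second, smaller point: the new "Operations relative to directory capabilities." comment could also state the two constraints (no absolute paths, no '..'), since the old "ONCE CAPSICUM IS FULLY MERGED" text that explained why these calls were withheld is being removed along with the explanation.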
@@ -648,11 +644,9 @@ setsockopt
setuid
##
-## ONCE CAPSICUM IS FULLY MERGED:
-## Allow shm_open(2), which is scoped so as to allow only access to new
-## anonymous objects.
+## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
-#shm_open
+shm_open
##
## Allow I/O-related file descriptors, subject to capability rights.
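Review bot: dropping the "ONCE CAPSICUM IS FULLY MERGED:" marker and enabling shm_open asserts that the scoping to new anonymous objects is already in place; the log message says so, but as with the getdents comment above, this file does not show where that restriction is implemented. A brief pointer in the comment to the code that rejects non-anonymous paths under capability mode would make the "scoped so as to allow only access to new anonymous objects" claim verifiable from this file.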