Capabilities patch 0.4 - file system support for capabilities

Robert Watson rwatson at FreeBSD.org
Wed Aug 9 18:29:19 GMT 2000


Just to let you know that there is still life, it's just rather quiet due
to developer vacations, conferences, et al.

I just posted 0.4 of FreeBSD capabilities support to the
http://www.trustedbsd.org/downloads/ web page.  This version introduces
support for capabilities stored in extended attributes, meaning that the
capabilities are actually fairly usable, although not much userland
software has been adapted to use them yet.  I've been running it for a
couple of days on my workstation with ping and traceroute using
CAP_NET_RAW and not setuid root.  Not all kernel suser() calls have been
updated yet, but I caught most in kern/, ufs/*, and some in net/; this is
mostly an update to check the logic for evaluation and inheritance in
capability handling, and the disk handling.  You'll need a recent -CURRENT
(as in, today or yesterday) so that the newly committed supporting calls
for extended attribute handling in kernel are present.  I'll post a
summary of these calls later today. 

To enable on-disk storage of capabilities, you'll need to compile support
for UFS extended attributes into the kernel (options UFS_EXTATTR).  You'll
then need to initialize a backing file for the capabilities, and each boot
start and enable the extended attribute.

Configure first time (per file system)

	mkdir /.attribute
	chmod 0700 /.attribute
	extattrctl init -p / 24 /.attribute/posix1e.cap

Start and enable attribute each boot (per file system)

	extattrctl start /
	extattrctl enable / '$posix1e.cap' /.attribute/posix1e.cap

I'll be posting some tools shortly to allow assigning of capabilities to
files; right now, the libposix1e cap_{get,set}_file() work, but
cap_{get,set}_fd() don't, so if you have any existing POSIX.1e capability
manipulation tools, they may already compile and work.  Right now I still
don't have implementations of cap_{from,to}_text(), so on the other hand,
they may not.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
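
The per-boot steps in the message above, wrapped in a check, as an added example that is not part of the original post or the TrustedBSD code: it refuses to start the attribute unless /.attribute is mode 0700 and the backing file is present, as set up in the first-time configuration. The function names are hypothetical, and extattrctl is assumed to take the same arguments the post shows.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# extattrctl is invoked with the same syntax the post uses.

ATTR_NAME='$posix1e.cap'          # attribute name as given in the post

# True only if DIR is a real directory (not a symlink) whose mode is exactly
# 0700, matching the "chmod 0700 /.attribute" configuration step.
attr_dir_ok() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 0700 -print)" ]
}

# Derive the paths for mount point FS and check the backing store.
# Sets fs, dir and backing for the callers below.
cap_check() {
    fs=${1%/}                     # "/" becomes "" so the paths join cleanly
    dir="$fs/.attribute"
    backing="$dir/posix1e.cap"
    fs=${fs:-/}
    if ! attr_dir_ok "$dir"; then
        echo "refusing: $dir is missing or not mode 0700" >&2; return 1
    fi
    if [ ! -f "$backing" ] || [ -L "$backing" ]; then
        echo "refusing: $backing has not been initialised" >&2; return 1
    fi
}

# Dry run: print the per-boot commands for FS without executing them.
cap_boot_cmds() {
    cap_check "$1" || return 1
    printf "extattrctl start %s\n" "$fs"
    printf "extattrctl enable %s '%s' %s\n" "$fs" "$ATTR_NAME" "$backing"
}

# Real run (needs root and a kernel built with options UFS_EXTATTR).
cap_boot_enable() {
    cap_check "$1" || return 1
    extattrctl start "$fs" &&
    extattrctl enable "$fs" "$ATTR_NAME" "$backing"
}
```

Call cap_boot_cmds with a mount point to see what would run, and cap_boot_enable from a boot script once per file system.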
