PERFORCE change 156399 for review
Robert Watson
rwatson at FreeBSD.org
Mon Jan 19 10:52:36 PST 2009
http://perforce.freebsd.org/chv.cgi?CH=156399
Change 156399 by rwatson at rwatson_freebsd_capabilities on 2009/01/19 18:51:57
For better or worse, we really need sysarch() on amd64 and i386 in
order to allow segment registers to be changed. Allow it in
capability mode, but specifically disallow certain sysarch functions
when in capability mode. This is a less robust approach since it
requires carefully watching what gets added to sysarch().
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/sys_machdep.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/arm/arm/sys_machdep.c#2 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/i386/i386/sys_machdep.c#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#25 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sparc64/sparc64/sys_machdep.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/amd64/amd64/sys_machdep.c#2 (text+ko) ====
@@ -63,6 +63,10 @@
uint32_t i386base;
uint64_t a64base;
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
switch(uap->op) {
case I386_GET_FSBASE:
i386base = pcb->pcb_fsbase;
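Review bot: The amd64 hunk adds only an advisory comment, so every sysarch() operation — including any case added later — remains reachable from capability mode by default, whereas the i386 section of this same change gates I386_VM86 and i386_set_ioperm() with CRED_FLAG_CAPMODE; the hunk shows only I386_GET_FSBASE, so I cannot tell from here whether amd64's switch also serves LDT or I/O-map operations that would need the same gate. A fail-closed shape — an explicit allowlist of reviewed ops checked once before the switch, with everything else refused — would make a newly added case denied until someone audits it, which is exactly the property the XXXRW comment asks reviewers to maintain by hand. The same applies to the arm and sparc64 hunks and to i386's dispatcher. Such a block needs `#include "opt_capabilities.h"`, as the i386 hunk adds. sysarch()'s body continues outside the hunk.
```c
	/*
	 * In capability mode only operations reviewed as safe are
	 * permitted; anything not listed is refused, so a newly added
	 * case fails closed until it has been audited.
	 */
#ifdef CAPABILITIES
	if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) {
		switch (uap->op) {
		case I386_GET_FSBASE:
		/* ... other ops reviewed as safe in capability mode ... */
			break;
		default:
			return (EPERM);
		}
	}
#endif
	switch(uap->op) {
	/* ... unchanged: existing cases ... */
```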
==== //depot/projects/trustedbsd/capabilities/src/sys/arm/arm/sys_machdep.c#2 (text+ko) ====
@@ -104,6 +104,10 @@
{
int error;
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
switch (uap->op) {
case ARM_SYNC_ICACHE :
error = arm32_sync_icache(td, uap->parms);
==== //depot/projects/trustedbsd/capabilities/src/sys/i386/i386/sys_machdep.c#5 (text+ko) ====
@@ -33,6 +33,7 @@
__FBSDID("$FreeBSD: src/sys/i386/i386/sys_machdep.c,v 1.118 2008/10/23 15:53:51 des Exp $");
#include "opt_kstack_pages.h"
+#include "opt_capabilities.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -128,6 +129,10 @@
break;
}
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
switch(uap->op) {
case I386_GET_LDT:
error = i386_get_ldt(td, &kargs.largs);
@@ -160,6 +165,10 @@
error = i386_set_ioperm(td, &kargs.iargs);
break;
case I386_VM86:
+#ifdef CAPABILITIES
+ if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE)
+ return (EPERM);
+#endif
error = vm86_sysarch(td, uap->parms);
break;
case I386_GET_FSBASE:
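Review bot: The two new capability-mode gates sit at different layers — I386_VM86 is refused in sysarch()'s dispatcher, just before `error = vm86_sysarch(td, uap->parms);`, while the ioperm gate in the next hunk is inside i386_set_ioperm() itself ahead of the PRIV_IO check — and the dispatcher one returns straight out of the switch where every neighbouring case sets `error` and breaks. Pick one layer (inside the helper covers any future caller; inside the switch keeps the policy in one place) and, for the switch variant, follow the case convention with `error = EPERM;` / `break;` so any handling after the switch stays reachable. Neither hunk records why I386_GET_LDT, I386_SET_LDT and the I/O-map read remain allowed in capability mode; a one-line comment on those cases would capture the decision the XXXRW note asks future reviewers to make. sysarch() and i386_set_ioperm() both begin and end outside their hunks.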
@@ -317,6 +326,10 @@
int i, error;
char *iomap;
+#ifdef CAPABILITIES
+ if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE)
+ return (EPERM);
+#endif
if ((error = priv_check(td, PRIV_IO)) != 0)
return (error);
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 (text+ko) ====
@@ -38,7 +38,7 @@
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
-## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#14 $
+## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#15 $
##
##
@@ -686,6 +686,13 @@
sys_exit
##
+## sysarch(2) does rather diverse things, but is required on at least i386
+## in order to configure per-thread data. As such, it's scoped on each
+## architecture.
+##
+sysarch
+
+##
## Allow thread operations operating only on current process.
##
thr_create
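Review bot: The new entry's comment says sysarch(2) is "scoped on each architecture", but the per-port side of that promise is not uniformly visible in this change: the i386 hunks refuse I386_VM86 and ioperm changes in capability mode, the amd64, arm and sparc64 hunks add only an XXXRW comment, and any other architecture that implements sysarch() is enabled through SYF_CAPENABLED in init_sysent.c with no note at all. Since this file is the single switch that turns the syscall on, its comment should state the obligation rather than imply it is already met, e.g. `## Each architecture's sysarch() is responsible for refusing, in capability` / `## mode, any operation that is not safe there; see sys_machdep.c per port.` That also tells a reader where to look when a new operation is added.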
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#25 (text+ko) ====
@@ -193,7 +193,7 @@
{ compat4(AS(freebsd4_getdomainname_args),getdomainname), AUE_SYSCTL, NULL, 0, 0, SYF_CAPENABLED }, /* 162 = old getdomainname */
{ compat4(AS(freebsd4_setdomainname_args),setdomainname), AUE_SYSCTL, NULL, 0, 0, 0 }, /* 163 = old setdomainname */
{ compat4(AS(freebsd4_uname_args),uname), AUE_NULL, NULL, 0, 0, 0 }, /* 164 = old uname */
- { AS(sysarch_args), (sy_call_t *)sysarch, AUE_SYSARCH, NULL, 0, 0, 0 }, /* 165 = sysarch */
+ { AS(sysarch_args), (sy_call_t *)sysarch, AUE_SYSARCH, NULL, 0, 0, SYF_CAPENABLED }, /* 165 = sysarch */
{ AS(rtprio_args), (sy_call_t *)rtprio, AUE_RTPRIO, NULL, 0, 0, SYF_CAPENABLED }, /* 166 = rtprio */
{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 167 = nosys */
{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 168 = nosys */
==== //depot/projects/trustedbsd/capabilities/src/sys/sparc64/sparc64/sys_machdep.c#2 (text+ko) ====
@@ -53,6 +53,10 @@
{
int error;
+ /*
+ * XXXRW: As new operations are added here, check that they are safe
+ * in capability mode.
+ */
mtx_lock(&Giant);
switch (uap->op) {
case SPARC_SIGTRAMP_INSTALL:
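Review bot: The comment added above `mtx_lock(&Giant);` asks that future operations be checked for capability-mode safety, but this switch runs with Giant held, so a gate copied from the i386 hunks (`return (EPERM);` inside a case) would leak the lock here. Worth stating in the comment so the i386 pattern is not transplanted verbatim: `* Any capability-mode refusal inside the switch must set error and` / `* break (or release Giant) rather than return directly.` sysarch()'s body continues outside the hunk.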