svn commit: r224839 - head/sys/kern
Robert Watson
rwatson at FreeBSD.org
Sat Aug 13 13:26:41 UTC 2011
Author: rwatson
Date: Sat Aug 13 13:26:40 2011
New Revision: 224839
URL: http://svn.freebsd.org/changeset/base/224839
Log:
Now that capability support has been committed, update and expand the
comment at the top of sys_capability.c to describe its new contents.
Approved by: re (xxx)
Modified:
head/sys/kern/sys_capability.c
Modified: head/sys/kern/sys_capability.c
==============================================================================
--- head/sys/kern/sys_capability.c Sat Aug 13 13:18:54 2011 (r224838)
+++ head/sys/kern/sys_capability.c Sat Aug 13 13:26:40 2011 (r224839)
@@ -31,9 +31,24 @@
/*
* FreeBSD kernel capability facility.
*
- * Currently, this file implements only capability mode; capabilities
- * (rights-refined file descriptors) will follow.
+ * Two kernel features are implemented here: capability mode, a sandboxed mode
+ * of execution for processes, and capabilities, a refinement on file
+ * descriptors that allows fine-grained control over operations on the file
+ * descriptor. Collectively, these allow processes to run in the style of a
+ * historic "capability system" in which they can use only resources
+ * explicitly delegated to them. This model is enforced by restricting access
+ * to global namespaces in capability mode.
*
+ * Capabilities wrap other file descriptor types, binding them to a constant
+ * rights mask set when the capability is created. New capabilities may be
+ * derived from existing capabilities, but only if they have the same or a
+ * strict subset of the rights on the original capability.
+ *
+ * System calls permitted in capability mode are defined in capabilities.conf;
+ * calls must be carefully audited for safety to ensure that they don't allow
+ * escape from a sandbox. Some calls permit only a subset of operations in
+ * capability mode -- for example, shm_open(2) is limited to creating
+ * anonymous, rather than named, POSIX shared memory objects.
*/
#include "opt_capsicum.h"
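Review bot: in the new paragraph on deriving capabilities, "the same or a strict subset of the rights" describes two overlapping cases; since the rights are a bitmask, "a subset (not necessarily proper) of the rights" or "no rights beyond those of the original capability" states the rule in one clause and spares the reader wondering whether an equal mask is a special case. The rest of the expanded comment reads clearly; the sentence "calls must be carefully audited for safety to ensure that they don't allow escape from a sandbox" is the useful one for anyone later adding entries to capabilities.conf, so it may be worth repeating at the head of that file as well.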
@@ -512,4 +527,3 @@ cap_funwrap_mmap(struct file *fp_cap, ca
}
#endif /* CAPABILITIES */
-
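Review bot: this hunk only removes the trailing blank line after `#endif /* CAPABILITIES */`, a whitespace-only change that the log message (which describes only the comment update) does not mention; either leave it out of this commit or add a word to the log so the revision's description matches its content.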