svn commit: r241083 - in head/sys: kern sys
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon Oct 1 05:43:25 UTC 2012
Author: pjd
Date: Mon Oct 1 05:43:24 2012
New Revision: 241083
URL: http://svn.freebsd.org/changeset/base/241083
Log:
- Enforce CAP_MKFIFO on mkfifoat(2), not on mknodat(2). Without this change
mkfifoat(2) was not restricted.
- Introduce CAP_MKNOD and enforce it on mknodat(2).
Sponsored by: FreeBSD Foundation
MFC after: 2 weeks
Modified:
head/sys/kern/vfs_syscalls.c
head/sys/sys/capability.h
Modified: head/sys/kern/vfs_syscalls.c
==============================================================================
--- head/sys/kern/vfs_syscalls.c Mon Oct 1 05:42:43 2012 (r241082)
+++ head/sys/kern/vfs_syscalls.c Mon Oct 1 05:43:24 2012 (r241083)
@@ -1334,7 +1334,7 @@ restart:
bwillwrite();
NDINIT_ATRIGHTS(&nd, CREATE,
LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, pathseg, path, fd,
- CAP_MKFIFO, td);
+ CAP_MKNOD, td);
if ((error = namei(&nd)) != 0)
return (error);
vfslocked = NDHASGIANT(&nd);
@@ -1458,8 +1458,9 @@ kern_mkfifoat(struct thread *td, int fd,
AUDIT_ARG_MODE(mode);
restart:
bwillwrite();
- NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1,
- pathseg, path, fd, td);
+ NDINIT_ATRIGHTS(&nd, CREATE,
+ LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, pathseg, path, fd,
+ CAP_MKFIFO, td);
if ((error = namei(&nd)) != 0)
return (error);
vfslocked = NDHASGIANT(&nd);
Modified: head/sys/sys/capability.h
==============================================================================
--- head/sys/sys/capability.h Mon Oct 1 05:42:43 2012 (r241082)
+++ head/sys/sys/capability.h Mon Oct 1 05:43:24 2012 (r241083)
@@ -81,6 +81,7 @@
#define CAP_MKDIR 0x0000000000200000ULL
#define CAP_RMDIR 0x0000000000400000ULL
#define CAP_MKFIFO 0x0000000000800000ULL
+#define CAP_MKNOD 0x0080000000000000ULL
/* Lookups - used to constrain *at() calls. */
#define CAP_LOOKUP 0x0000000001000000ULL
@@ -137,7 +138,7 @@
#define CAP_PDKILL 0x0040000000000000ULL
/* The mask of all valid method rights. */
-#define CAP_MASK_VALID 0x007fffffffffffffULL
+#define CAP_MASK_VALID 0x00ffffffffffffffULL
#ifdef _KERNEL
More information about the svn-src-head
mailing list