author     emaste <emaste@FreeBSD.org>    2018-03-28 14:35:24 +0000
committer  emaste <emaste@FreeBSD.org>    2018-03-28 14:35:24 +0000
commit     f3586d9721e4e5a2a22361e86e06bb07476927c9 (patch)
tree       6443b7a25adc63f4c9bb775140e8f086670374d0
parent     ef8cf2c9443a335ddb2687bf25944d75a92db6c4 (diff)
download   FreeBSD-src-f3586d9721e4e5a2a22361e86e06bb07476927c9.zip
           FreeBSD-src-f3586d9721e4e5a2a22361e86e06bb07476927c9.tar.gz
MFC Capsicum open(2) and openat(2) documentation
r306537 by cem:

  open.2: Document Capsicum behavior

  Document open(2) and openat(2) behavior in Capsicum capability mode.

  Sponsored by:	Dell EMC Isilon

r323622 by emaste:

  open(2): update ENOTCAPABLE description for .. lookups

  After r308732 (MFC of r308212) Capsicum permits .. lookups in capability
  mode, as long as path component traversal does not escape the directory
  corresponding to the provided file descriptor.

  Sponsored by:	The FreeBSD Foundation
-rw-r--r--  lib/libc/sys/open.2 | 35
1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2
index 74538fe..3147ed9 100644
--- a/lib/libc/sys/open.2
+++ b/lib/libc/sys/open.2
@@ -28,7 +28,7 @@
.\" @(#)open.2 8.2 (Berkeley) 11/16/93
.\" $FreeBSD$
.\"
-.Dd November 22, 2016
+.Dd March 28, 2018
.Dt OPEN 2
.Os
.Sh NAME
@@ -95,6 +95,28 @@ parameter, the current working directory is used
and the behavior is identical to a call to
.Fn open .
.Pp
+In
+.Xr capsicum 4
+capability mode,
+.Fn open
+is not permitted.
+The
+.Fa path
+argument to
+.Fn openat
+must be strictly relative to a file descriptor
+.Fa fd ,
+as defined in
+.Pa sys/kern/vfs_lookup.c .
+.Fa path
+must not be an absolute path and must not contain ".." components.
+Additionally, no symbolic link in
+.Fa path
+may contain ".." components either.
+.Fa fd
+must not be
+.Dv AT_FDCWD .
+.Pp
The flags specified are formed by
.Em or Ns 'ing
the following values
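Review bot: the new sentence ".Fa path must not be an absolute path and must not contain ".." components" (and the following sentence about symbolic links) contradicts the ENOTCAPABLE entry this same commit adds further down, and the commit message: since r308212 a ".." component is only rejected when it leads outside the directory hierarchy of .Fa fd. Suggest qualifying both sentences, e.g. "must not contain ".." components that lead outside the directory hierarchy of .Fa fd", so the description and the ERRORS section agree. Separately, "as defined in .Pa sys/kern/vfs_lookup.c" sends the reader to kernel source for the meaning of "strictly relative"; the man page should state the rule itself (or cross-reference .Xr capsicum 4) rather than a source file path.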
@@ -457,6 +479,17 @@ nor a file descriptor associated with a directory.
.It Bq Er ENOTDIR
.Dv O_DIRECTORY
is specified and the file is not a directory.
+.It Bq Er ECAPMODE
+.Dv AT_FDCWD
+is specified and the process is in capability mode.
+.It Bq Er ECAPMODE
+.Fn open
+was called and the process is in capability mode.
+.It Bq Er ENOTCAPABLE
+.Fa path
+is an absolute path or contained a ".." component leading to a
+directory outside of the directory hierarchy specified by
+.Fa fd .
.El
.Sh SEE ALSO
.Xr chmod 2 ,
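Review bot: ECAPMODE appears as two separate .It Bq Er entries in the ERRORS list; mdoc error lists conventionally carry one entry per errno, so merge them into a single entry whose text covers both triggers, e.g. ".Fn open was called, or .Dv AT_FDCWD was specified to .Fn openat , and the process is in capability mode." In the ENOTCAPABLE entry the tense is mixed ("is an absolute path or contained a ".." component"); use "is" and "contains" consistently, matching the other entries in the list.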