path: root/sys/kern/capabilities.conf
author:    jonathan <jonathan@FreeBSD.org> 2011-08-13 10:43:21 +0000
committer: jonathan <jonathan@FreeBSD.org> 2011-08-13 10:43:21 +0000
commit:    09f5070c506b517e40094df7ec1f82570c6e18b6 (patch)
tree:      2e02b91819f99530c65219a7b7e75435148db988 /sys/kern/capabilities.conf
parent:    f63d2e920584a3d403a07e765a61eeac57210332 (diff)
download:  FreeBSD-src-09f5070c506b517e40094df7ec1f82570c6e18b6.zip
           FreeBSD-src-09f5070c506b517e40094df7ec1f82570c6e18b6.tar.gz
Allow openat(2), fstatat(2), etc. in capability mode.
namei() and lookup() can now perform "strictly relative" lookups. Such lookups, performed when in capability mode or when looking up relative to a directory capability, enforce two policies:

- absolute paths are disallowed (including symlinks to absolute paths)
- paths containing '..' components are disallowed

These constraints make it safe to enable openat() and friends. These system calls are instrumental in supporting Capsicum components such as the capability-mode-aware runtime linker.

Finally, adjust comments in capabilities.conf to reflect the actual state of the world (e.g. shm_open(2) already has the appropriate constraints, getdents(2) already requires CAP_SEEK).

Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc.
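The two lexical policies the commit message names (no absolute paths, no '..' components) are easy to misread as "reject anything containing ..", so here is an added stand-alone C illustration of exactly what they do and do not cover. It is written for this page and is not the kernel's namei()/lookup() code; the function name is_strictly_relative and the sample paths in main() are constructed for the example. It deliberately does not model the symlink rule from the commit message, because a symlink target is only known once the lookup reads the link, which a string check cannot do.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative user-space check (not the kernel implementation) of the two
 * "strictly relative" lookup policies described in the commit message:
 *   1. absolute paths are rejected
 *   2. any path component that is exactly ".." is rejected
 * Returns true when the path satisfies both policies.
 *
 * Assumption made here: a NULL or empty path is rejected conservatively;
 * the commit message does not state a policy for that case.
 */
static bool
is_strictly_relative(const char *path)
{
	const char *p = path;

	if (path == NULL || *path == '\0')
		return (false);
	if (*path == '/')
		return (false);		/* policy 1: no absolute paths */

	while (*p != '\0') {
		/* Locate the end of the current path component. */
		const char *end = p;
		while (*end != '\0' && *end != '/')
			end++;

		/*
		 * Policy 2: reject a component that is exactly "..".
		 * Components such as "..foo" or "." are ordinary names
		 * and are allowed.
		 */
		if (end - p == 2 && p[0] == '.' && p[1] == '.')
			return (false);

		/* Skip the separator(s) before the next component. */
		p = end;
		while (*p == '/')
			p++;
	}
	return (true);
}

int
main(void)
{
	/* Constructed sample paths for demonstration. */
	const char *samples[] = {
		"etc/passwd",		/* relative, allowed */
		"/etc/passwd",		/* absolute, rejected */
		"../etc/passwd",	/* leading "..", rejected */
		"lib/../etc/passwd",	/* embedded "..", rejected */
		"lib/..hidden",		/* "..hidden" is a normal name, allowed */
		"./lib/libc.so",	/* "." components are allowed */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-20s %s\n", samples[i],
		    is_strictly_relative(samples[i]) ? "allowed" : "rejected");
	return (0);
}
```

The check walks the path one component at a time rather than searching for the substring "..", which is what makes "lib/..hidden" pass while "lib/../etc/passwd" fails; a substring search would reject the former and could also be fooled by separators the lookup code normalises.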
Diffstat (limited to 'sys/kern/capabilities.conf')
-rw-r--r--  sys/kern/capabilities.conf  44
1 file changed, 19 insertions, 25 deletions
diff --git a/sys/kern/capabilities.conf b/sys/kern/capabilities.conf
index f9a6b24..2b7e559 100644
--- a/sys/kern/capabilities.conf
+++ b/sys/kern/capabilities.conf
@@ -239,9 +239,7 @@ getcontext
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
-## rely on CAP_READ (etc) now.
-##
-## XXXRW: Possibly these should also use CAP_SEEK.
+## rely on CAP_READ and CAP_SEEK now.
##
getdents
getdirentries
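Review bot: the rewritten comment states that getdents(2)/getdirentries(2) "rely on CAP_READ and CAP_SEEK now", but this file only whitelists which syscalls may be entered in capability mode; it enforces no rights itself, and the CAP_SEEK check lives in the syscall implementations (the commit message says getdents(2) already requires it). Suggest wording the comment as a pointer rather than a policy statement, e.g. `## rely on CAP_READ and CAP_SEEK now (checked in the getdents/getdirentries implementations).`, so a reader does not look here for the enforcement.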
@@ -447,28 +445,26 @@ obreak
olio_listio
##
-## Once Capsicum is fully merged, some of the *at(2) calls which can be
-## semantically constrained will be permitted in capability mode. For now,
-## we will simply not allow them to be called.
+## Operations relative to directory capabilities.
##
-#faccessat
-#fstatat
-#fchmodat
-#futimesat
-#mkdirat
-#rmdirat
-#mkfifoat
-#mknodat
-#openat
-#renameat
+faccessat
+fstatat
+fchmodat
+futimesat
+mkdirat
+rmdirat
+mkfifoat
+mknodat
+openat
+renameat
##
-## ONCE CAPSICUM IS FULLY MERGED:
-## Allow entry into open(2). This system call will fail, since access to the global
-## file namespace has been disallowed, but allowing entry into the syscall means
-## that an audit trail will be generated (which is also very useful for debugging),
+## Allow entry into open(2). This system call will fail, since access to the
+## global file namespace has been disallowed, but allowing entry into the
+## syscall means that an audit trail will be generated (which is also very
+## useful for debugging).
##
-#open
+open
##
## Allow poll(2), which will be scoped by capability rights.
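Review bot: the replacement comment `## Operations relative to directory capabilities.` drops the safety argument the old text carried ("semantically constrained"), and the constraints that actually make these ten calls acceptable to whitelist (strictly relative lookups: no absolute paths, no '..' components, per the commit message) are recorded nowhere in this file. Suggest stating them in the comment so a future reader can see why `openat` and `renameat` are allowed while plain `open` is expected to fail on the global namespace. Separately, an entry in this list only takes effect if it matches a syscall name in syscalls.master; worth confirming that every name here, `rmdirat` in particular, matches one, since a name that matches nothing silently enables nothing while appearing to cover the operation.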
@@ -648,11 +644,9 @@ setsockopt
setuid
##
-## ONCE CAPSICUM IS FULLY MERGED:
-## Allow shm_open(2), which is scoped so as to allow only access to new
-## anonymous objects.
+## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
-#shm_open
+shm_open
##
## Allow I/O-related file descriptors, subject to capability rights.
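Review bot: style: the reworded comment `## shm_open(2) is scoped so as to allow only access to new anonymous objects.` breaks the convention visible in the neighbouring entries of opening each comment with "Allow ..." (`## Allow poll(2), which will be scoped by capability rights.`, `## Allow I/O-related file descriptors, subject to capability rights.`). Suggest `## Allow shm_open(2), which is scoped so as to allow only access to new anonymous objects.` Removing the "ONCE CAPSICUM IS FULLY MERGED" marker and uncommenting `shm_open` is consistent with the other hunks in this patch.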