author | rwatson <rwatson@FreeBSD.org> | 2011-07-17 23:05:24 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2011-07-17 23:05:24 +0000 |
commit | 7c21db8ed3ea76933360bc701c1cfe99e080cdb5 (patch) | |
tree | c4ed35a8f34e303ea8f9aaebd4a5bb9199dfb0dc /sys/kern/kern_exec.c | |
parent | 8c65d0122a45d4d6c8d002377782ad53a7a76d91 (diff) | |
Define two new sysctl node flags: CTLFLAG_CAPRD and CTLFLAG_CAPRW, which
may be jointly referenced via the mask CTLFLAG_CAPRW. Sysctls with these
flags are available in Capsicum's capability mode; other sysctl nodes are
not.

Flag several useful sysctls as available in capability mode, such as memory
layout sysctls required by the run-time linker and malloc(3). Also expose
access to randomness and available kernel features.

A few sysctls are enabled to support name->MIB conversion; these may leak
information to capability mode by virtue of providing resolution on names
not flagged for access in capability mode. This is, generally, not a huge
problem, but might be something to resolve in the future. Flag these cases
with XXX comments.

Submitted by: jonathan
Sponsored by: Google, Inc.
Diffstat (limited to 'sys/kern/kern_exec.c')
-rw-r--r-- | sys/kern/kern_exec.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index f30f89a..f7f80af 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -36,6 +36,7 @@ __FBSDID("$FreeBSD$"); #include <sys/param.h> #include <sys/capability.h> #include <sys/systm.h> +#include <sys/capability.h> #include <sys/eventhandler.h> #include <sys/lock.h> #include <sys/mutex.h> @@ -113,8 +114,8 @@ SYSCTL_PROC(_kern, KERN_PS_STRINGS, ps_strings, CTLTYPE_ULONG|CTLFLAG_RD, NULL, 0, sysctl_kern_ps_strings, "LU", ""); /* XXX This should be vm_size_t. */ -SYSCTL_PROC(_kern, KERN_USRSTACK, usrstack, CTLTYPE_ULONG|CTLFLAG_RD, - NULL, 0, sysctl_kern_usrstack, "LU", ""); +SYSCTL_PROC(_kern, KERN_USRSTACK, usrstack, CTLTYPE_ULONG|CTLFLAG_RD| + CTLFLAG_CAPRD, NULL, 0, sysctl_kern_usrstack, "LU", ""); SYSCTL_PROC(_kern, OID_AUTO, stackprot, CTLTYPE_INT|CTLFLAG_RD, NULL, 0, sysctl_kern_stackprot, "I", ""); |
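Review bot: In the first hunk (@@ -36,6 +36,7 @@), the added `#include <sys/capability.h>` after `<sys/systm.h>` duplicates the include that already appears as unchanged context directly after `<sys/param.h>`. As shown, the file ends up including the header twice. Drop the new line, or remove the earlier one if the intent was to move it into alphabetical position. Separately, the only new identifier in this file is CTLFLAG_CAPRD, which the commit message describes as a sysctl node flag, so it is worth confirming that this file needs the capability header at all.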
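Review bot: In the second hunk (@@ -113,8 +114,8 @@), the KERN_USRSTACK node gains CTLFLAG_CAPRD with no comment saying why a sandboxed process needs it. The commit message mentions "memory layout sysctls required by the run-time linker and malloc(3)", and that rationale belongs next to the declaration, since each CAPRD flag widens what is readable from capability mode and will be audited later. The neighbouring ps_strings and stackprot nodes in the same context stay CTLFLAG_RD only. If that asymmetry is deliberate, a one-line note would save the next reader from guessing. A minor style point: splitting the flag expression after `CTLFLAG_RD|` makes the new flag easy to miss on the continuation line, and keeping `CTLFLAG_RD|CTLFLAG_CAPRD` together on one line would read better.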