| author | jonathan <jonathan@FreeBSD.org> | 2011-08-13 10:43:21 +0000 |
|---|---|---|
| committer | jonathan <jonathan@FreeBSD.org> | 2011-08-13 10:43:21 +0000 |
| commit | 09f5070c506b517e40094df7ec1f82570c6e18b6 (patch) | |
| tree | 2e02b91819f99530c65219a7b7e75435148db988 /sys/kern/syscalls.c | |
| parent | f63d2e920584a3d403a07e765a61eeac57210332 (diff) | |
| download | FreeBSD-src-09f5070c506b517e40094df7ec1f82570c6e18b6.zip, FreeBSD-src-09f5070c506b517e40094df7ec1f82570c6e18b6.tar.gz | |
Allow openat(2), fstatat(2), etc. in capability mode.
namei() and lookup() can now perform "strictly relative" lookups.
Such lookups, performed when in capability mode or when looking up
relative to a directory capability, enforce two policies:
- absolute paths are disallowed (including symlinks to absolute paths)
- paths containing '..' components are disallowed
These constraints make it safe to enable openat() and friends.
These system calls are instrumental in supporting Capsicum
components such as the capability-mode-aware runtime linker.
Finally, adjust comments in capabilities.conf to reflect the actual state
of the world (e.g. shm_open(2) already has the appropriate constraints,
getdents(2) already requires CAP_SEEK).
Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc.
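The two policies the commit message describes for "strictly relative" lookups (absolute paths rejected, any `..` component rejected) can be illustrated with a small user-space check. The code below is an added example, not FreeBSD's `namei()`/`lookup()` implementation; the function name `strict_relative_ok` and the sample paths are assumptions constructed for illustration. It is a purely lexical check on the path string: the kernel enforces the same policy inside the lookup itself, so that a symlink target encountered part-way through the walk is also subject to it, which a string check done before the lookup cannot cover.

```c
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if `path` satisfies the strictly-relative policy described in
 * the commit message, 0 otherwise.  (Hypothetical helper, not kernel code.)
 *
 *   - an absolute path (leading '/') is rejected;
 *   - any component that is exactly ".." is rejected;
 *   - an empty path is rejected as well, since there is nothing to open.
 *
 * Components such as "..." or "a..b" are ordinary names and are accepted;
 * "." and repeated slashes are harmless and are accepted.
 */
int strict_relative_ok(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;
    if (*path == '/')
        return 0;               /* absolute path */

    while (*p != '\0') {
        const char *start = p;
        size_t len;

        /* Scan one component up to the next '/' or end of string. */
        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - start);

        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;           /* ".." component */

        /* Skip over one or more separators. */
        while (*p == '/')
            p++;
    }
    return 1;
}

/* Constructed sample paths used to demonstrate the policy. */
int main(void)
{
    const char *samples[] = {
        "etc/passwd", "/etc/passwd", "../etc", "a/../b", "...", "a..b/c", "./a//b/",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s -> %s\n", samples[i],
               strict_relative_ok(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

Running the program lists each constructed path with whether the lexical policy would allow it; only `etc/passwd`, `...`, `a..b/c` and `./a//b/` pass, the absolute path and the three paths containing a `..` component are rejected.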
Diffstat (limited to 'sys/kern/syscalls.c')
0 files changed, 0 insertions, 0 deletions