author: jonathan <jonathan@FreeBSD.org> 2011-08-13 10:43:21 +0000
committer: jonathan <jonathan@FreeBSD.org> 2011-08-13 10:43:21 +0000
commit: 09f5070c506b517e40094df7ec1f82570c6e18b6 (patch)
tree: 2e02b91819f99530c65219a7b7e75435148db988 /sys/kern/syscalls.c
parent: f63d2e920584a3d403a07e765a61eeac57210332 (diff)
Allow openat(2), fstatat(2), etc. in capability mode.

namei() and lookup() can now perform "strictly relative" lookups. Such lookups, performed when in capability mode or when looking up relative to a directory capability, enforce two policies:

- absolute paths are disallowed (including symlinks to absolute paths)
- paths containing '..' components are disallowed

These constraints make it safe to enable openat() and friends. These system calls are instrumental in supporting Capsicum components such as the capability-mode-aware runtime linker.

Finally, adjust comments in capabilities.conf to reflect the actual state of the world (e.g. shm_open(2) already has the appropriate constraints, getdents(2) already requires CAP_SEEK).

Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc.
Diffstat (limited to 'sys/kern/syscalls.c')
0 files changed, 0 insertions, 0 deletions
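The two strictly-relative rules from the commit message, as an added illustration that is not FreeBSD's namei()/lookup() code: a lexical check over a user-supplied path that rejects absolute paths and any component that is exactly "..". The function name and the sample paths are constructed for this example; the symlink half of rule 1 cannot be checked lexically, which is why the kernel applies the policy during lookup rather than up front.

```c
/* Added example, not FreeBSD code: mirrors the two "strictly relative"
 * lookup rules (no absolute paths, no ".." components). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Returns true when `path` satisfies both rules:
 *   1. it does not begin with '/'            (absolute path)
 *   2. no '/'-separated component is ".."    ("a/..b" is fine, "a/../b" is not)
 * An empty path is rejected, as there is nothing to look up.
 * Caveat: a symlink whose target is absolute or contains ".." is only visible
 * when it is followed, so the kernel must re-apply this test per symlink.
 */
bool
strictly_relative_ok(const char *path)
{
	const char *p = path;

	if (path == NULL || *path == '\0')
		return (false);
	if (*path == '/')
		return (false);			/* rule 1: absolute path */

	while (*p != '\0') {
		const char *end = p;
		while (*end != '\0' && *end != '/')
			end++;
		/* component is [p, end); empty components ("a//b") are harmless */
		if (end - p == 2 && p[0] == '.' && p[1] == '.')
			return (false);		/* rule 2: ".." component */
		p = (*end == '/') ? end + 1 : end;
	}
	return (true);
}

int
main(void)
{
	/* constructed sample paths, not taken from the commit */
	const char *samples[] = { "etc/passwd", "/etc/passwd", "../etc/passwd",
	    "a/b/../c", "a/..b/c", "a/./c", "a//b", "a/b/.." };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-14s %s\n", samples[i],
		    strictly_relative_ok(samples[i]) ? "allowed" : "rejected");
	return (0);
}
```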