path: root/sys/sys/capability.h
author: jonathan <jonathan@FreeBSD.org> 2011-08-13 09:21:16 +0000
committer: jonathan <jonathan@FreeBSD.org> 2011-08-13 09:21:16 +0000
commit: f63d2e920584a3d403a07e765a61eeac57210332
tree: 3334bf0dc037565dbb28b66bfe83c6d9e8823738 /sys/sys/capability.h
parent: 0ba1fe7d116a032383d49c9a252a5f09682c76f0
Allow Capsicum capabilities to delegate constrained
access to file system subtrees to sandboxed processes.

- Use of absolute paths and '..' is limited in capability mode.
- Use of absolute paths and '..' is limited when looking up relative
  to a capability.
- When a name lookup is performed, identify what operation is to be
  performed (such as CAP_MKDIR) as well as check for CAP_LOOKUP.

With these constraints, openat() and friends are now safe in capability
mode, and can then be used by code such as the capability-mode runtime
linker.

Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc
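The lookup rules the commit message describes, as an added user-space model (not FreeBSD's kernel code): a path is refused in capability mode or when looked up relative to a capability if it is absolute or contains a '..' component, and a lookup relative to a capability additionally needs CAP_LOOKUP plus the right for the operation itself (such as CAP_MKDIR). The CAP_* bit values and the operation-to-right table are constructed for this example and are not the kernel's constants.

```python
# Constructed rights bitmask for this model; not FreeBSD's real CAP_* values.
CAP_READ, CAP_WRITE, CAP_LOOKUP, CAP_MKDIR = 1 << 0, 1 << 1, 1 << 2, 1 << 3

ENOTCAPABLE = "ENOTCAPABLE"
OK = "OK"

# Constructed table: which extra right each operation needs on top of CAP_LOOKUP.
OP_RIGHTS = {"open_read": CAP_READ, "open_write": CAP_WRITE, "mkdir": CAP_MKDIR}


def path_is_constrained(path):
    """Absolute paths and any '..' component are refused (component-wise, so
    a name such as 'foo..bar' is still allowed)."""
    if path.startswith("/"):
        return True
    return ".." in path.split("/")


def cap_unwrap(cap_rights, rights):
    """Mirror of the header comment: a capability unwraps only when its
    rights mask is a superset of the rights the operation needs."""
    return (cap_rights & rights) == rights


def lookup(path, op, in_cap_mode, dirfd_rights=None):
    """Decide a lookup of `path` relative to a directory descriptor.
    dirfd_rights=None models a plain directory fd; a bitmask models a
    capability wrapping that directory. Returns OK or ENOTCAPABLE."""
    relative_to_capability = dirfd_rights is not None
    # Rule 1 and 2: absolute paths and '..' are limited in capability mode
    # and whenever the lookup is relative to a capability.
    if (in_cap_mode or relative_to_capability) and path_is_constrained(path):
        return ENOTCAPABLE
    # Rule 3: relative to a capability, check CAP_LOOKUP plus the
    # operation-specific right, not just CAP_LOOKUP.
    if relative_to_capability:
        needed = CAP_LOOKUP | OP_RIGHTS[op]
        if not cap_unwrap(dirfd_rights, needed):
            return ENOTCAPABLE
    return OK


if __name__ == "__main__":
    subtree = CAP_READ | CAP_LOOKUP  # a read-only capability on a directory
    for p in ("etc/passwd", "../etc/passwd", "/etc/passwd", "a/../b"):
        print(f"{p:14} open_read -> {lookup(p, 'open_read', True, subtree)}")
    print("sub mkdir    ->", lookup("sub", "mkdir", True, subtree))
```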
Diffstat (limited to 'sys/sys/capability.h')
-rw-r--r--  sys/sys/capability.h | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/sys/capability.h b/sys/sys/capability.h
index 54fcaa0..d67dc17 100644
--- a/sys/sys/capability.h
+++ b/sys/sys/capability.h
@@ -142,7 +142,7 @@
* Create a capability to wrap a file object.
*/
int kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights,
- struct file **cap, int *capfd);
+ int *capfd);
/*
* Unwrap a capability if its rights mask is a superset of 'rights'.
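Review bot: the `struct file **cap` out-parameter is dropped from kern_capwrap(), but the comment above it still reads only "Create a capability to wrap a file object." and says nothing about how the result now comes back; suggest extending it to say the new descriptor is returned via `*capfd`. Since this diff is limited to sys/sys/capability.h, the kern_capwrap() definition and every caller that passed a `struct file **` are not visible here and must change in the same commit, or the build breaks; please confirm they are included.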