author | ed <ed@FreeBSD.org> | 2015-08-27 15:16:41 +0000 |
---|---|---|
committer | ed <ed@FreeBSD.org> | 2015-08-27 15:16:41 +0000 |
commit | 066f63003b3322fde7a1311ce45b01965217fe7c (patch) | |
tree | 3d92b43d01ed22c5356196a6620f856ce5d5fbbc /sys/sys/capsicum.h | |
parent | b882529705a487f48363294f4a155db2d2df07ad (diff) | |
Decompose linkat()/renameat() rights to source and target.
To make it easier to understand how Capsicum interacts with linkat() and
renameat(), rename the rights to CAP_{LINK,RENAME}AT_{SOURCE,TARGET}.
This also addresses a shortcoming in Capsicum: it was not possible to forbid
creating links to files stored in a directory. Creating a hardlink to such a
file in a directory on which the process holds broader rights effectively lets
the file be reopened with those additional rights.
Reviewed by: rwatson, wblock
Differential Revision: https://reviews.freebsd.org/D3411
Diffstat (limited to 'sys/sys/capsicum.h')
-rw-r--r-- | sys/sys/capsicum.h | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/sys/sys/capsicum.h b/sys/sys/capsicum.h
index 09105bd..8720166 100644
--- a/sys/sys/capsicum.h
+++ b/sys/sys/capsicum.h
@@ -150,16 +150,16 @@
 #define CAP_FUTIMES CAPRIGHT(0, 0x0000000000200000ULL)
 /* Allows for futimens(2), futimes(2), futimesat(2) and utimensat(2). */
 #define CAP_FUTIMESAT (CAP_FUTIMES | CAP_LOOKUP)
-/* Allows for linkat(2) and renameat(2) (destination directory descriptor). */
-#define CAP_LINKAT (CAP_LOOKUP | 0x0000000000400000ULL)
+/* Allows for linkat(2) (target directory descriptor). */
+#define CAP_LINKAT_TARGET (CAP_LOOKUP | 0x0000000000400000ULL)
 /* Allows for mkdirat(2). */
 #define CAP_MKDIRAT (CAP_LOOKUP | 0x0000000000800000ULL)
 /* Allows for mkfifoat(2). */
 #define CAP_MKFIFOAT (CAP_LOOKUP | 0x0000000001000000ULL)
 /* Allows for mknodat(2). */
 #define CAP_MKNODAT (CAP_LOOKUP | 0x0000000002000000ULL)
-/* Allows for renameat(2). */
-#define CAP_RENAMEAT (CAP_LOOKUP | 0x0000000004000000ULL)
+/* Allows for renameat(2) (source directory descriptor). */
+#define CAP_RENAMEAT_SOURCE (CAP_LOOKUP | 0x0000000004000000ULL)
 /* Allows for symlinkat(2). */
 #define CAP_SYMLINKAT (CAP_LOOKUP | 0x0000000008000000ULL)
 /*
@@ -197,6 +197,11 @@
 /* Allows for connectat(2) on a directory descriptor. */
 #define CAP_CONNECTAT (CAP_LOOKUP | 0x0000010000000000ULL)
+/* Allows for linkat(2) (source directory descriptor). */
+#define CAP_LINKAT_SOURCE (CAP_LOOKUP | 0x0000020000000000ULL)
+/* Allows for renameat(2) (target directory descriptor). */
+#define CAP_RENAMEAT_TARGET (CAP_LOOKUP | 0x0000040000000000ULL)
+
 #define CAP_SOCK_CLIENT \
 (CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
 CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
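Review bot: The two retained bit values change meaning without any compatibility note in the header: the removed comment on `0x0000000000400000ULL` says it covered the destination descriptor for both linkat(2) and renameat(2), while the new CAP_LINKAT_TARGET at that same bit covers linkat(2) only and the renameat(2) target moves to a fresh bit in the next hunk. A sandboxed binary built against the old header that granted CAP_LINKAT on a directory so that renameat(2) could move files into it would presumably now be refused by the kernel; that is fail-closed, the safe direction, but still a behaviour change for already-compiled programs that belongs in the header or UPDATING rather than only in the commit message. Not providing `#define CAP_LINKAT CAP_LINKAT_TARGET` style aliases is the right choice, since an alias would let old callers compile while silently leaving the now-required source-side right ungranted. The per-right comments should also state that a single call needs both halves, e.g. `/* Allows for linkat(2) (target directory descriptor); the source directory descriptor additionally needs CAP_LINKAT_SOURCE. */`.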
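Review bot: The comments on the added CAP_LINKAT_SOURCE and CAP_RENAMEAT_TARGET describe each right in isolation, so a reader of the header cannot tell that, per the commit message, one linkat(2) or renameat(2) call is now checked against two descriptors with a different right on each. Suggest `/* Allows for linkat(2) (source directory descriptor); pair with CAP_LINKAT_TARGET on the target directory. */` and the matching wording for CAP_RENAMEAT_TARGET referring to CAP_RENAMEAT_SOURCE. The new values `0x0000020000000000ULL` and `0x0000040000000000ULL` are the two lowest bits of index 0 that the old CAP_UNUSED0_42 marked as free, and the CAP_ALL0 / CAP_UNUSED0 bookkeeping is adjusted in the following hunk, so the mask accounting looks consistent.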
@@ -206,10 +211,10 @@
 CAP_SETSOCKOPT | CAP_SHUTDOWN)
 /* All used bits for index 0. */
-#define CAP_ALL0 CAPRIGHT(0, 0x000001FFFFFFFFFFULL)
+#define CAP_ALL0 CAPRIGHT(0, 0x000007FFFFFFFFFFULL)
 /* Available bits for index 0. */
-#define CAP_UNUSED0_42 CAPRIGHT(0, 0x0000020000000000ULL)
+#define CAP_UNUSED0_44 CAPRIGHT(0, 0x0000080000000000ULL)
 /* ... */
 #define CAP_UNUSED0_57 CAPRIGHT(0, 0x0100000000000000ULL) |