Add initial support for Capsicum's Capability Mode to the FreeBSD kernel,

compiled conditionally on options CAPABILITIES: Add a new credential flag, CRED_FLAG_CAPMODE, which indicates that a subject (typically a process) is in capability mode. Add two new system calls, cap_enter(2) and cap_getmode(2), which allow setting and querying (but never clearing) the flag. Export the capability mode flag via process information sysctls. Sponsored by: Google, Inc. Reviewed by: anderson Discussed with: benl, kris, pjd Obtained from: Capsicum Project MFC after: 3 months
author: rwatson <rwatson@FreeBSD.org> 2011-03-01 13:23:37 +0000
committer: rwatson <rwatson@FreeBSD.org> 2011-03-01 13:23:37 +0000
commit: 6894aabcb5bf68abef0875992b3fef1fde3f7c0a (patch)
tree: d773ba10cfdbd686d9589ba5d6bfce8bdd97f0d1 /sys/sys/ucred.h
parent: 0fbd4a42792bb396f7a17bd8ed9eea61339f2d5b (diff)
download: FreeBSD-src-6894aabcb5bf68abef0875992b3fef1fde3f7c0a.zip
FreeBSD-src-6894aabcb5bf68abef0875992b3fef1fde3f7c0a.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index a8934ce..4e2ca02 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -70,6 +70,11 @@ struct ucred {
 #define	XU_NGROUPS	16
 
 /*
+ * Flags for cr_flags.
+ */
+#define	CRED_FLAG_CAPMODE	0x00000001	/* In capability mode. */
+
+/*
  * This is the external representation of struct ucred.
  */
 struct xucred {
author	rwatson <rwatson@FreeBSD.org>	2011-03-01 13:23:37 +0000
committer	rwatson <rwatson@FreeBSD.org>	2011-03-01 13:23:37 +0000
commit	6894aabcb5bf68abef0875992b3fef1fde3f7c0a (patch)
tree	d773ba10cfdbd686d9589ba5d6bfce8bdd97f0d1 /sys/sys/ucred.h
parent	0fbd4a42792bb396f7a17bd8ed9eea61339f2d5b (diff)
download	FreeBSD-src-6894aabcb5bf68abef0875992b3fef1fde3f7c0a.zip FreeBSD-src-6894aabcb5bf68abef0875992b3fef1fde3f7c0a.tar.gz