diff options
author | des <des@FreeBSD.org> | 2011-10-18 07:28:58 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2011-10-18 07:28:58 +0000 |
commit | 1b405df8baa78dedceda6da24510b9597aad726d (patch) | |
tree | a66a1f7a0cad9c0bdb1b03d06f7f48c643033aca /usr.bin | |
parent | 6876e3d9c139cd8d3dbaaaaf463d9a1ff2103a5e (diff) | |
download | FreeBSD-src-1b405df8baa78dedceda6da24510b9597aad726d.zip FreeBSD-src-1b405df8baa78dedceda6da24510b9597aad726d.tar.gz |
Revisit the capability failure trace points. The initial implementation
only logged instances where an operation on a file descriptor required
capabilities which the file descriptor did not have. By adding a type enum
to struct ktr_cap_fail, we can catch other types of capability failures as
well, such as disallowed system calls or attempts to wrap a file descriptor
with more capabilities than it had to begin with.
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/kdump/kdump.c | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/usr.bin/kdump/kdump.c b/usr.bin/kdump/kdump.c index 45893df..2c5d03b 100644 --- a/usr.bin/kdump/kdump.c +++ b/usr.bin/kdump/kdump.c @@ -1592,10 +1592,36 @@ invalid: void ktrcapfail(struct ktr_cap_fail *ktr) { - printf("needed "); - capname((intmax_t)ktr->cap_needed); - printf(" held "); - capname((intmax_t)ktr->cap_held); + switch (ktr->cap_type) { + case CAPFAIL_NOTCAPABLE: + /* operation on fd with insufficient capabilities */ + printf("operation requires "); + capname((intmax_t)ktr->cap_needed); + printf(", process holds "); + capname((intmax_t)ktr->cap_held); + break; + case CAPFAIL_INCREASE: + /* requested more capabilities than fd already has */ + printf("attempt to increase capabilities from "); + capname((intmax_t)ktr->cap_needed); + printf(" to "); + capname((intmax_t)ktr->cap_held); + break; + case CAPFAIL_SYSCALL: + /* called restricted syscall */ + printf("disallowed system call"); + break; + case CAPFAIL_LOOKUP: + /* used ".." in strict-relative mode */ + printf("restricted VFS lookup"); + break; + default: + printf("unknown capability failure: "); + capname((intmax_t)ktr->cap_needed); + printf(" "); + capname((intmax_t)ktr->cap_held); + break; + } } #if defined(__amd64__) || defined(__i386__) |