diff options
-rw-r--r-- | share/man/man4/rights.4 | 4 | ||||
-rw-r--r-- | sys/kern/kern_event.c | 15 | ||||
-rw-r--r-- | sys/kern/subr_capability.c | 20 | ||||
-rw-r--r-- | sys/kern/sys_generic.c | 9 | ||||
-rw-r--r-- | sys/kern/uipc_mqueue.c | 4 | ||||
-rw-r--r-- | sys/sys/capability.h | 161 | ||||
-rw-r--r-- | usr.bin/procstat/procstat_files.c | 5 |
7 files changed, 151 insertions, 67 deletions
diff --git a/share/man/man4/rights.4 b/share/man/man4/rights.4 index 0e85ac0..a6b1b79 100644 --- a/share/man/man4/rights.4 +++ b/share/man/man4/rights.4 @@ -306,7 +306,7 @@ An alias to .Dv CAP_KQUEUE_CHANGE and .Dv CAP_KQUEUE_EVENT . -.It Dv CAP_KEVENT_CHANGE +.It Dv CAP_KQUEUE_CHANGE Permit .Xr kevent 2 on a @@ -314,7 +314,7 @@ on a descriptor that modifies list of monitored events (the .Fa changelist argument is non-NULL). -.It Dv CAP_KEVENT_EVENT +.It Dv CAP_KQUEUE_EVENT Permit .Xr kevent 2 on a diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c index 4c068bf..d23452a 100644 --- a/sys/kern/kern_event.c +++ b/sys/kern/kern_event.c @@ -835,10 +835,17 @@ kern_kevent(struct thread *td, int fd, int nchanges, int nevents, cap_rights_t rights; int i, n, nerrors, error; - error = fget(td, fd, cap_rights_init(&rights, CAP_POST_EVENT), &fp); + cap_rights_init(&rights); + if (nchanges > 0) + cap_rights_set(&rights, CAP_KQUEUE_CHANGE); + if (nevents > 0) + cap_rights_set(&rights, CAP_KQUEUE_EVENT); + error = fget(td, fd, &rights, &fp); if (error != 0) return (error); - if ((error = kqueue_acquire(fp, &kq)) != 0) + + error = kqueue_acquire(fp, &kq); + if (error != 0) goto done_norel; nerrors = 0; @@ -995,7 +1002,7 @@ findkn: if (fops->f_isfd) { KASSERT(td != NULL, ("td is NULL")); error = fget(td, kev->ident, - cap_rights_init(&rights, CAP_POLL_EVENT), &fp); + cap_rights_init(&rights, CAP_EVENT), &fp); if (error) goto done; @@ -2279,7 +2286,7 @@ kqfd_register(int fd, struct kevent *kev, struct thread *td, int waitok) cap_rights_t rights; int error; - error = fget(td, fd, cap_rights_init(&rights, CAP_POST_EVENT), &fp); + error = fget(td, fd, cap_rights_init(&rights, CAP_KQUEUE_CHANGE), &fp); if (error != 0) return (error); if ((error = kqueue_acquire(fp, &kq)) != 0) diff --git a/sys/kern/subr_capability.c b/sys/kern/subr_capability.c index 61ace5a..ce41f4a 100644 --- a/sys/kern/subr_capability.c +++ b/sys/kern/subr_capability.c @@ -30,6 +30,10 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +/* + * Note that this file is compiled into the kernel and into libc. + */ + #ifdef _KERNEL #include <sys/types.h> #include <sys/capability.h> @@ -164,7 +168,7 @@ __cap_rights_init(int version, cap_rights_t *rights, ...) return (rights); } -void +cap_rights_t * __cap_rights_set(cap_rights_t *rights, ...) { va_list ap; @@ -174,9 +178,11 @@ __cap_rights_set(cap_rights_t *rights, ...) va_start(ap, rights); cap_rights_vset(rights, ap); va_end(ap); + + return (rights); } -void +cap_rights_t * __cap_rights_clear(cap_rights_t *rights, ...) { va_list ap; @@ -186,6 +192,8 @@ __cap_rights_clear(cap_rights_t *rights, ...) va_start(ap, rights); cap_rights_vclear(rights, ap); va_end(ap); + + return (rights); } bool @@ -231,7 +239,7 @@ cap_rights_is_valid(const cap_rights_t *rights) return (true); } -void +cap_rights_t * cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src) { unsigned int i, n; @@ -250,9 +258,11 @@ cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src) assert(cap_rights_is_valid(src)); assert(cap_rights_is_valid(dst)); + + return (dst); } -void +cap_rights_t * cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src) { unsigned int i, n; @@ -273,6 +283,8 @@ cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src) assert(cap_rights_is_valid(src)); assert(cap_rights_is_valid(dst)); + + return (dst); } bool diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c index 13ccb58..a2d46ab 100644 --- a/sys/kern/sys_generic.c +++ b/sys/kern/sys_generic.c @@ -1195,8 +1195,9 @@ getselfd_cap(struct filedesc *fdp, int fd, struct file **fpp) { cap_rights_t rights; - return (fget_unlocked(fdp, fd, cap_rights_init(&rights, CAP_POLL_EVENT), - 0, fpp, NULL)); + cap_rights_init(&rights, CAP_EVENT); + + return (fget_unlocked(fdp, fd, &rights, 0, fpp, NULL)); } /* @@ -1392,7 +1393,7 @@ pollrescan(struct thread *td) #ifdef CAPABILITIES if (fp == NULL || cap_check(cap_rights(fdp, fd->fd), - cap_rights_init(&rights, CAP_POLL_EVENT)) != 0) + cap_rights_init(&rights, CAP_EVENT)) != 0) #else if (fp == NULL) #endif @@ -1467,7 +1468,7 @@ pollscan(td, fds, nfd) #ifdef CAPABILITIES if (fp == NULL || cap_check(cap_rights(fdp, fds->fd), - cap_rights_init(&rights, CAP_POLL_EVENT)) != 0) + cap_rights_init(&rights, CAP_EVENT)) != 0) #else if (fp == NULL) #endif diff --git a/sys/kern/uipc_mqueue.c b/sys/kern/uipc_mqueue.c index fe7e886..20efbe0 100644 --- a/sys/kern/uipc_mqueue.c +++ b/sys/kern/uipc_mqueue.c @@ -2119,7 +2119,7 @@ getmq(struct thread *td, int fd, struct file **fpp, struct mqfs_node **ppn, { cap_rights_t rights; - return _getmq(td, fd, cap_rights_init(&rights, CAP_POLL_EVENT), fget, + return _getmq(td, fd, cap_rights_init(&rights, CAP_EVENT), fget, fpp, ppn, pmq); } @@ -2282,7 +2282,7 @@ again: } #ifdef CAPABILITIES error = cap_check(cap_rights(fdp, mqd), - cap_rights_init(&rights, CAP_POLL_EVENT)); + cap_rights_init(&rights, CAP_EVENT)); if (error) { FILEDESC_SUNLOCK(fdp); goto out; diff --git a/sys/sys/capability.h b/sys/sys/capability.h index e5b9ec7..fcde6c1 100644 --- a/sys/sys/capability.h +++ b/sys/sys/capability.h @@ -79,9 +79,12 @@ #define CAP_SEEK_TELL CAPRIGHT(0, 0x0000000000000004ULL) /* Allows for lseek(2). */ #define CAP_SEEK (CAP_SEEK_TELL | 0x0000000000000008ULL) -/* Allows for pread(2), preadv(2). */ +/* Allows for aio_read(2), pread(2), preadv(2). */ #define CAP_PREAD (CAP_SEEK | CAP_READ) -/* Allows for openat(O_WRONLY) (without O_APPEND), pwrite(2), pwritev(2). */ +/* + * Allows for aio_write(2), openat(O_WRONLY) (without O_APPEND), pwrite(2), + * pwritev(2). + */ #define CAP_PWRITE (CAP_SEEK | CAP_WRITE) /* Allows for mmap(PROT_NONE). */ #define CAP_MMAP CAPRIGHT(0, 0x0000000000000010ULL) @@ -103,7 +106,7 @@ #define CAP_CREATE CAPRIGHT(0, 0x0000000000000040ULL) /* Allows for openat(O_EXEC) and fexecve(2) in turn. */ #define CAP_FEXECVE CAPRIGHT(0, 0x0000000000000080ULL) -/* Allows for openat(O_SYNC), openat(O_FSYNC), fsync(2). */ +/* Allows for openat(O_SYNC), openat(O_FSYNC), fsync(2), aio_fsync(2). */ #define CAP_FSYNC CAPRIGHT(0, 0x0000000000000100ULL) /* Allows for openat(O_TRUNC), ftruncate(2). */ #define CAP_FTRUNCATE CAPRIGHT(0, 0x0000000000000200ULL) @@ -112,55 +115,87 @@ #define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL) /* VFS methods. */ +/* Allows for fchdir(2). */ #define CAP_FCHDIR CAPRIGHT(0, 0x0000000000000800ULL) +/* Allows for fchflags(2). */ #define CAP_FCHFLAGS CAPRIGHT(0, 0x0000000000001000ULL) +/* Allows for fchflags(2) and chflagsat(2). */ #define CAP_CHFLAGSAT (CAP_FCHFLAGS | CAP_LOOKUP) +/* Allows for fchmod(2). */ #define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL) +/* Allows for fchmod(2) and fchmodat(2). */ #define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP) +/* Allows for fchown(2). */ #define CAP_FCHOWN CAPRIGHT(0, 0x0000000000004000ULL) +/* Allows for fchown(2) and fchownat(2). */ #define CAP_FCHOWNAT (CAP_FCHOWN | CAP_LOOKUP) +/* Allows for fcntl(2). */ #define CAP_FCNTL CAPRIGHT(0, 0x0000000000008000ULL) +/* + * Allows for flock(2), openat(O_SHLOCK), openat(O_EXLOCK), + * fcntl(F_SETLK_REMOTE), fcntl(F_SETLKW), fcntl(F_SETLK), fcntl(F_GETLK). + */ #define CAP_FLOCK CAPRIGHT(0, 0x0000000000010000ULL) +/* Allows for fpathconf(2). */ #define CAP_FPATHCONF CAPRIGHT(0, 0x0000000000020000ULL) +/* Allows for UFS background-fsck operations. */ #define CAP_FSCK CAPRIGHT(0, 0x0000000000040000ULL) +/* Allows for fstat(2). */ #define CAP_FSTAT CAPRIGHT(0, 0x0000000000080000ULL) +/* Allows for fstat(2), fstatat(2) and faccessat(2). */ #define CAP_FSTATAT (CAP_FSTAT | CAP_LOOKUP) +/* Allows for fstatfs(2). */ #define CAP_FSTATFS CAPRIGHT(0, 0x0000000000100000ULL) +/* Allows for futimes(2). */ #define CAP_FUTIMES CAPRIGHT(0, 0x0000000000200000ULL) +/* Allows for futimes(2) and futimesat(2). */ #define CAP_FUTIMESAT (CAP_FUTIMES | CAP_LOOKUP) -#define CAP_LINKAT CAPRIGHT(0, 0x0000000000400000ULL) -#define CAP_MKDIRAT CAPRIGHT(0, 0x0000000000800000ULL) -#define CAP_MKFIFOAT CAPRIGHT(0, 0x0000000001000000ULL) -#define CAP_MKNODAT CAPRIGHT(0, 0x0000000002000000ULL) -#define CAP_RENAMEAT CAPRIGHT(0, 0x0000000004000000ULL) -#define CAP_SYMLINKAT CAPRIGHT(0, 0x0000000008000000ULL) -#define CAP_UNLINKAT CAPRIGHT(0, 0x0000000010000000ULL) - -/* Extended attributes. */ -#define CAP_EXTATTR_DELETE CAPRIGHT(0, 0x0000000020000000ULL) -#define CAP_EXTATTR_GET CAPRIGHT(0, 0x0000000040000000ULL) -#define CAP_EXTATTR_LIST CAPRIGHT(0, 0x0000000080000000ULL) -#define CAP_EXTATTR_SET CAPRIGHT(0, 0x0000000100000000ULL) - -/* Access Control Lists. */ -#define CAP_ACL_CHECK CAPRIGHT(0, 0x0000000200000000ULL) -#define CAP_ACL_DELETE CAPRIGHT(0, 0x0000000400000000ULL) -#define CAP_ACL_GET CAPRIGHT(0, 0x0000000800000000ULL) -#define CAP_ACL_SET CAPRIGHT(0, 0x0000001000000000ULL) +/* Allows for linkat(2) and renameat(2) (destination directory descriptor). */ +#define CAP_LINKAT (CAP_LOOKUP | 0x0000000000400000ULL) +/* Allows for mkdirat(2). */ +#define CAP_MKDIRAT (CAP_LOOKUP | 0x0000000000800000ULL) +/* Allows for mkfifoat(2). */ +#define CAP_MKFIFOAT (CAP_LOOKUP | 0x0000000001000000ULL) +/* Allows for mknodat(2). */ +#define CAP_MKNODAT (CAP_LOOKUP | 0x0000000002000000ULL) +/* Allows for renameat(2). */ +#define CAP_RENAMEAT (CAP_LOOKUP | 0x0000000004000000ULL) +/* Allows for symlinkat(2). */ +#define CAP_SYMLINKAT (CAP_LOOKUP | 0x0000000008000000ULL) +/* + * Allows for unlinkat(2) and renameat(2) if destination object exists and + * will be removed. + */ +#define CAP_UNLINKAT (CAP_LOOKUP | 0x0000000010000000ULL) /* Socket operations. */ -#define CAP_ACCEPT CAPRIGHT(0, 0x0000002000000000ULL) -#define CAP_BIND CAPRIGHT(0, 0x0000004000000000ULL) -#define CAP_CONNECT CAPRIGHT(0, 0x0000008000000000ULL) -#define CAP_GETPEERNAME CAPRIGHT(0, 0x0000010000000000ULL) -#define CAP_GETSOCKNAME CAPRIGHT(0, 0x0000020000000000ULL) -#define CAP_GETSOCKOPT CAPRIGHT(0, 0x0000040000000000ULL) -#define CAP_LISTEN CAPRIGHT(0, 0x0000080000000000ULL) -#define CAP_PEELOFF CAPRIGHT(0, 0x0000100000000000ULL) +/* Allows for accept(2) and accept4(2). */ +#define CAP_ACCEPT CAPRIGHT(0, 0x0000000020000000ULL) +/* Allows for bind(2). */ +#define CAP_BIND CAPRIGHT(0, 0x0000000040000000ULL) +/* Allows for connect(2). */ +#define CAP_CONNECT CAPRIGHT(0, 0x0000000080000000ULL) +/* Allows for getpeername(2). */ +#define CAP_GETPEERNAME CAPRIGHT(0, 0x0000000100000000ULL) +/* Allows for getsockname(2). */ +#define CAP_GETSOCKNAME CAPRIGHT(0, 0x0000000200000000ULL) +/* Allows for getsockopt(2). */ +#define CAP_GETSOCKOPT CAPRIGHT(0, 0x0000000400000000ULL) +/* Allows for listen(2). */ +#define CAP_LISTEN CAPRIGHT(0, 0x0000000800000000ULL) +/* Allows for sctp_peeloff(2). */ +#define CAP_PEELOFF CAPRIGHT(0, 0x0000001000000000ULL) #define CAP_RECV CAP_READ #define CAP_SEND CAP_WRITE -#define CAP_SETSOCKOPT CAPRIGHT(0, 0x0000200000000000ULL) -#define CAP_SHUTDOWN CAPRIGHT(0, 0x0000400000000000ULL) +/* Allows for setsockopt(2). */ +#define CAP_SETSOCKOPT CAPRIGHT(0, 0x0000002000000000ULL) +/* Allows for shutdown(2). */ +#define CAP_SHUTDOWN CAPRIGHT(0, 0x0000004000000000ULL) + +/* Allows for bindat(2) on a directory descriptor. */ +#define CAP_BINDAT (CAP_LOOKUP | 0x0000008000000000ULL) +/* Allows for connectat(2) on a directory descriptor. */ +#define CAP_CONNECTAT (CAP_LOOKUP | 0x0000010000000000ULL) #define CAP_SOCK_CLIENT \ (CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \ @@ -171,17 +206,19 @@ CAP_SETSOCKOPT | CAP_SHUTDOWN) /* All used bits for index 0. */ -#define CAP_ALL0 CAPRIGHT(0, 0x00007FFFFFFFFFFFULL) +#define CAP_ALL0 CAPRIGHT(0, 0x0000007FFFFFFFFFULL) /* Available bits for index 0. */ -#define CAP_UNUSED0_48 CAPRIGHT(0, 0x0000800000000000ULL) +#define CAP_UNUSED0_40 CAPRIGHT(0, 0x0000008000000000ULL) /* ... */ #define CAP_UNUSED0_57 CAPRIGHT(0, 0x0100000000000000ULL) /* INDEX 1 */ /* Mandatory Access Control. */ +/* Allows for mac_get_fd(3). */ #define CAP_MAC_GET CAPRIGHT(1, 0x0000000000000001ULL) +/* Allows for mac_set_fd(3). */ #define CAP_MAC_SET CAPRIGHT(1, 0x0000000000000002ULL) /* Methods on semaphores. */ @@ -189,34 +226,60 @@ #define CAP_SEM_POST CAPRIGHT(1, 0x0000000000000008ULL) #define CAP_SEM_WAIT CAPRIGHT(1, 0x0000000000000010ULL) -/* kqueue events. */ -#define CAP_POLL_EVENT CAPRIGHT(1, 0x0000000000000020ULL) -#define CAP_POST_EVENT CAPRIGHT(1, 0x0000000000000040ULL) +/* Allows select(2) and poll(2) on descriptor. */ +#define CAP_EVENT CAPRIGHT(1, 0x0000000000000020ULL) +/* Allows for kevent(2) on kqueue descriptor with eventlist != NULL. */ +#define CAP_KQUEUE_EVENT CAPRIGHT(1, 0x0000000000000040ULL) /* Strange and powerful rights that should not be given lightly. */ +/* Allows for ioctl(2). */ #define CAP_IOCTL CAPRIGHT(1, 0x0000000000000080ULL) #define CAP_TTYHOOK CAPRIGHT(1, 0x0000000000000100ULL) /* Process management via process descriptors. */ +/* Allows for pdgetpid(2). */ #define CAP_PDGETPID CAPRIGHT(1, 0x0000000000000200ULL) +/* Allows for pdwait4(2). */ #define CAP_PDWAIT CAPRIGHT(1, 0x0000000000000400ULL) +/* Allows for pdkill(2). */ #define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL) -/* - * Rights that allow to use bindat(2) and connectat(2) syscalls on a - * directory descriptor. - */ -#define CAP_BINDAT CAPRIGHT(1, 0x0000000000001000ULL) -#define CAP_CONNECTAT CAPRIGHT(1, 0x0000000000002000ULL) +/* Extended attributes. */ +/* Allows for extattr_delete_fd(2). */ +#define CAP_EXTATTR_DELETE CAPRIGHT(1, 0x0000000000001000ULL) +/* Allows for extattr_get_fd(2). */ +#define CAP_EXTATTR_GET CAPRIGHT(1, 0x0000000000002000ULL) +/* Allows for extattr_list_fd(2). */ +#define CAP_EXTATTR_LIST CAPRIGHT(1, 0x0000000000004000ULL) +/* Allows for extattr_set_fd(2). */ +#define CAP_EXTATTR_SET CAPRIGHT(1, 0x0000000000008000ULL) + +/* Access Control Lists. */ +/* Allows for acl_valid_fd_np(3). */ +#define CAP_ACL_CHECK CAPRIGHT(1, 0x0000000000010000ULL) +/* Allows for acl_delete_fd_np(3). */ +#define CAP_ACL_DELETE CAPRIGHT(1, 0x0000000000020000ULL) +/* Allows for acl_get_fd(3) and acl_get_fd_np(3). */ +#define CAP_ACL_GET CAPRIGHT(1, 0x0000000000040000ULL) +/* Allows for acl_set_fd(3) and acl_set_fd_np(3). */ +#define CAP_ACL_SET CAPRIGHT(1, 0x0000000000080000ULL) + +/* Allows for kevent(2) on kqueue descriptor with changelist != NULL. */ +#define CAP_KQUEUE_CHANGE CAPRIGHT(1, 0x0000000000100000ULL) + +#define CAP_KQUEUE (CAP_KQUEUE_EVENT | CAP_KQUEUE_CHANGE) /* All used bits for index 1. */ -#define CAP_ALL1 CAPRIGHT(1, 0x0000000000003FFFULL) +#define CAP_ALL1 CAPRIGHT(1, 0x00000000001FFFFFULL) /* Available bits for index 1. */ -#define CAP_UNUSED1_15 CAPRIGHT(1, 0x0000000000004000ULL) +#define CAP_UNUSED1_22 CAPRIGHT(1, 0x0000000000200000ULL) /* ... */ #define CAP_UNUSED1_57 CAPRIGHT(1, 0x0100000000000000ULL) +/* Backward compatibility. */ +#define CAP_POLL_EVENT CAP_EVENT + #define CAP_ALL(rights) do { \ (rights)->cr_rights[0] = \ ((uint64_t)CAP_RIGHTS_VERSION << 62) | CAP_ALL0; \ @@ -258,19 +321,19 @@ cap_rights_t *__cap_rights_init(int version, cap_rights_t *rights, ...); #define cap_rights_set(rights, ...) \ __cap_rights_set((rights), __VA_ARGS__, 0ULL) -void __cap_rights_set(cap_rights_t *rights, ...); +cap_rights_t *__cap_rights_set(cap_rights_t *rights, ...); #define cap_rights_clear(rights, ...) \ __cap_rights_clear((rights), __VA_ARGS__, 0ULL) -void __cap_rights_clear(cap_rights_t *rights, ...); +cap_rights_t *__cap_rights_clear(cap_rights_t *rights, ...); #define cap_rights_is_set(rights, ...) \ __cap_rights_is_set((rights), __VA_ARGS__, 0ULL) bool __cap_rights_is_set(const cap_rights_t *rights, ...); bool cap_rights_is_valid(const cap_rights_t *rights); -void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src); -void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src); +cap_rights_t *cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src); +cap_rights_t *cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src); bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little); #ifdef _KERNEL diff --git a/usr.bin/procstat/procstat_files.c b/usr.bin/procstat/procstat_files.c index d65c1ae..484dc2d 100644 --- a/usr.bin/procstat/procstat_files.c +++ b/usr.bin/procstat/procstat_files.c @@ -203,8 +203,9 @@ static struct cap_desc { { CAP_SEM_WAIT, "sw" }, /* Event monitoring and posting. */ - { CAP_POLL_EVENT, "po" }, - { CAP_POST_EVENT, "ev" }, + { CAP_EVENT, "ev" }, + { CAP_KQUEUE_EVENT, "ke" }, + { CAP_KQUEUE_CHANGE, "kc" }, /* Strange and powerful rights that should not be given lightly. */ { CAP_IOCTL, "io" }, |