diff options
| -rw-r--r-- | lib/libc/sys/open.2 | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2 index 74538fe..3147ed9 100644 --- a/lib/libc/sys/open.2 +++ b/lib/libc/sys/open.2 @@ -28,7 +28,7 @@ .\" @(#)open.2 8.2 (Berkeley) 11/16/93 .\" $FreeBSD$ .\" -.Dd November 22, 2016 +.Dd March 28, 2018 .Dt OPEN 2 .Os .Sh NAME @@ -95,6 +95,28 @@ parameter, the current working directory is used and the behavior is identical to a call to .Fn open . .Pp +In +.Xr capsicum 4 +capability mode, +.Fn open +is not permitted. +The +.Fa path +argument to +.Fn openat +must be strictly relative to a file descriptor +.Fa fd , +as defined in +.Pa sys/kern/vfs_lookup.c . +.Fa path +must not be an absolute path and must not contain ".." components. +Additionally, no symbolic link in +.Fa path +may contain ".." components either. +.Fa fd +must not be +.Dv AT_FDCWD . +.Pp The flags specified are formed by .Em or Ns 'ing the following values @@ -457,6 +479,17 @@ nor a file descriptor associated with a directory. .It Bq Er ENOTDIR .Dv O_DIRECTORY is specified and the file is not a directory. +.It Bq Er ECAPMODE +.Dv AT_FDCWD +is specified and the process is in capability mode. +.It Bq Er ECAPMODE +.Fn open +was called and the process is in capability mode. +.It Bq Er ENOTCAPABLE +.Fa path +is an absolute path or contained a ".." component leading to a +directory outside of the directory hierarchy specified by +.Fa fd . .El .Sh SEE ALSO .Xr chmod 2 , |
