| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
to himself. For example abort(3) at first tries to do kill(getpid(), SIGABRT)
which was failing in capability mode, so the code was failing back to exit(1).
Reviewed by: rwatson
Obtained from: WHEEL Systems
MFC after: 2 weeks
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A "process descriptor" file descriptor is used to manage processes
without using the PID namespace. This is required for Capsicum's
Capability Mode, where the PID namespace is unavailable.
New system calls pdfork(2) and pdkill(2) offer the functional equivalents
of fork(2) and kill(2). pdgetpid(2) allows querying the PID of the remote
process for debugging purposes. The currently-unimplemented pdwait(2) will,
in the future, allow querying rusage/exit status. In the interim, poll(2)
may be used to check (and wait for) process termination.
When a process is referenced by a process descriptor, it does not issue
SIGCHLD to the parent, making it suitable for use in libraries---a common
scenario when using library compartmentalisation from within large
applications (such as web browsers). Some observers may note a similarity
to Mach task ports; process descriptors provide a subset of this behaviour,
but in a UNIX style.
This feature is enabled by "options PROCDESC", but as with several other
Capsicum kernel features, is not enabled by default in GENERIC 9.0.
Reviewed by: jhb, kib
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
|
| |
|
|
|
|
|
| |
from Capsicum development, and no longer apply.
Approved by: re (kib)
Sponsored by: Google Inc
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
namei() and lookup() can now perform "strictly relative" lookups.
Such lookups, performed when in capability mode or when looking up
relative to a directory capability, enforce two policies:
- absolute paths are disallowed (including symlinks to absolute paths)
- paths containing '..' components are disallowed
These constraints make it safe to enable openat() and friends.
These system calls are instrumental in supporting Capsicum
components such as the capability-mode-aware runtime linker.
Finally, adjust comments in capabilities.conf to reflect the actual state
of the world (e.g. shm_open(2) already has the appropriate constraints,
getdents(2) already requires CAP_SEEK).
Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc.
|
|
|
Add a new system call flag, SYF_CAPENABLED, which indicates that a
particular system call is available in capability mode.
Add a new configuration file, kern/capabilities.conf (similar files
may be introduced for other ABIs in the future), which enumerates
system calls that are available in capability mode. When a new
system call is added to syscalls.master, it will also need to be
added here (if needed). Teach sysent parts to use this file to set
values for SYF_CAPENABLED for the native ABI.
Reviewed by: anderson
Discussed with: benl, kris, pjd
Obtained from: Capsicum Project
MFC after: 3 months
|
