author | Ed Schouten <ed@FreeBSD.org> | 2015-08-27 15:16:41 +0000
---|---|---
committer | Ed Schouten <ed@FreeBSD.org> | 2015-08-27 15:16:41 +0000
commit | bc1ace0b96e17338dccec5cb08e2a3a96ebfba3c (patch) |
tree | 3d92b43d01ed22c5356196a6620f856ce5d5fbbc /share |
parent | 34d2e76a64e5b56624b3004c94550f60179f26e6 (diff) |
Decompose linkat()/renameat() rights to source and target.
To make it easier to understand how Capsicum interacts with linkat() and
renameat(), rename the rights to CAP_{LINK,RENAME}AT_{SOURCE,TARGET}.
This also addresses a shortcoming in Capsicum, where it isn't possible
to disable linking to files stored in a directory. Creating hardlinks
essentially makes it possible to access files with additional rights.
Reviewed by: rwatson, wblock
Differential Revision: https://reviews.freebsd.org/D3411
Notes:
svn path=/head/; revision=287209
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man4/rights.4 | 52
1 files changed, 43 insertions, 9 deletions
diff --git a/share/man/man4/rights.4 b/share/man/man4/rights.4 index 16025c179e65..4802e6baca80 100644 --- a/share/man/man4/rights.4 +++ b/share/man/man4/rights.4 @@ -32,7 +32,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 23, 2015 +.Dd August 27, 2015 .Dt RIGHTS 4 .Os .Sh NAME @@ -71,7 +71,7 @@ The family of functions should be used to manage the structure. .Sh RIGHTS The following rights may be specified in a rights mask: -.Bl -tag -width CAP_EXTATTR_DELETE +.Bl -tag -width CAP_RENAMEAT_SOURCE .It Dv CAP_ACCEPT Permit .Xr accept 2 @@ -328,12 +328,28 @@ argument is non-NULL). .Dv CAP_EVENT is also required on file descriptors that will be monitored using .Xr kevent 2 . -.It Dv CAP_LINKAT +.It Dv CAP_LINKAT_SOURCE Permit .Xr linkat 2 -and -.Xr renameat 2 -on the destination directory descriptor. +on the source directory descriptor. +This right includes the +.Dv CAP_LOOKUP +right. +.Pp +Warning: +.Dv CAP_LINKAT_SOURCE +makes it possible to link files in a directory for which file +descriptors exist that have additional rights. +For example, +a file stored in a directory that does not allow +.Dv CAP_READ +may be linked in another directory that does allow +.Dv CAP_READ , +thereby granting read access to a file that is otherwise unreadable. +.It Dv CAP_LINKAT_TARGET +Permit +.Xr linkat 2 +on the target directory descriptor. This right includes the .Dv CAP_LOOKUP right. 
@@ -474,10 +490,28 @@ is also required) and related system calls. .It Dv CAP_RECV An alias to .Dv CAP_READ . -.It Dv CAP_RENAMEAT +.It Dv CAP_RENAMEAT_SOURCE Permit -.Xr renameat 2 . -This right is required on the source directory descriptor. +.Xr renameat 2 +on the source directory descriptor. +This right includes the +.Dv CAP_LOOKUP +right. +.Pp +Warning: +.Dv CAP_RENAMEAT_SOURCE +makes it possible to move files to a directory for which file +descriptors exist that have additional rights. +For example, +a file stored in a directory that does not allow +.Dv CAP_READ +may be moved to another directory that does allow +.Dv CAP_READ , +thereby granting read access to a file that is otherwise unreadable. +.It Dv CAP_RENAMEAT_TARGET +Permit +.Xr renameat 2 +on the target directory descriptor. This right includes the .Dv CAP_LOOKUP right. |
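Review bot: in the `@@ -328,12 +328,28 @@` hunk, the removed `.It Dv CAP_LINKAT` entry documented a right covering both linkat(2) and renameat(2) on the destination directory, but the replacement `.It Dv CAP_LINKAT_TARGET` describes only linkat(2) and nothing in the hunk says what became of the old name; add a sentence (or a compatibility note) stating whether CAP_LINKAT is retained as an alias or removed, and that renameat(2) on the target descriptor is now covered by CAP_RENAMEAT_TARGET, so readers of the old entry can find the new rights. The warning text "makes it possible to link files in a directory for which file descriptors exist that have additional rights" is also ambiguous about direction; "link a file from this directory into another directory whose descriptor carries additional rights" would match the example that follows it.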
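Review bot: in the `@@ -474,10 +490,28 @@` hunk, the old sentence "This right is required on the source directory descriptor" is dropped and the two new entries each describe one descriptor in isolation, so the page no longer states how the rights combine for a single call; add a line after the CAP_RENAMEAT_TARGET entry saying that a renameat(2) across directories requires CAP_RENAMEAT_SOURCE on the source descriptor and CAP_RENAMEAT_TARGET on the target descriptor. Since the new warning paragraph tells readers the risk, it should also name the mitigation that the commit message motivates: withhold CAP_RENAMEAT_SOURCE (and, in the earlier hunk, CAP_LINKAT_SOURCE) from directory descriptors whose files must not become reachable through a more-privileged directory.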