author | Jonathan Anderson <jonathan@FreeBSD.org> | 2011-08-13 09:21:16 +0000 |
---|---|---|
committer | Jonathan Anderson <jonathan@FreeBSD.org> | 2011-08-13 09:21:16 +0000 |
commit | 69d377fe1bd79cb7e932275504af3120791960bd (patch) | |
tree | 3334bf0dc037565dbb28b66bfe83c6d9e8823738 /sys/kern/sys_capability.c | |
parent | 15975b7bc274304696c3eff67aa9ecb32f580174 (diff) | |
Allow Capsicum capabilities to delegate constrained
access to file system subtrees to sandboxed processes.
- Use of absolute paths and '..' are limited in capability mode.
- Use of absolute paths and '..' are limited when looking up relative
to a capability.
- When a name lookup is performed, identify what operation is to be
performed (such as CAP_MKDIR) as well as check for CAP_LOOKUP.
With these constraints, openat() and friends are now safe in capability
mode, and can then be used by code such as the capability-mode runtime
linker.
Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc
Notes
Notes:
svn path=/head/; revision=224810
Diffstat (limited to 'sys/kern/sys_capability.c')
-rw-r--r-- | sys/kern/sys_capability.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/sys/kern/sys_capability.c b/sys/kern/sys_capability.c
index b20fa62e123a..37b646f8d7c2 100644
--- a/sys/kern/sys_capability.c
+++ b/sys/kern/sys_capability.c
@@ -220,7 +220,7 @@ cap_new(struct thread *td, struct cap_new_args *uap)
 {
 	int error, capfd;
 	int fd = uap->fd;
-	struct file *fp, *fcapp;
+	struct file *fp;
 	cap_rights_t rights = uap->rights;
 
 	AUDIT_ARG_FD(fd);
@@ -229,7 +229,7 @@ cap_new(struct thread *td, struct cap_new_args *uap)
 	if (error)
 		return (error);
 	AUDIT_ARG_FILE(td->td_proc, fp);
-	error = kern_capwrap(td, fp, rights, &fcapp, &capfd);
+	error = kern_capwrap(td, fp, rights, &capfd);
 	if (error)
 		return (error);
 
@@ -267,10 +267,10 @@ cap_getrights(struct thread *td, struct cap_getrights_args *uap)
  */
 int
 kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights,
-    struct file **fcappp, int *capfdp)
+    int *capfdp)
 {
 	struct capability *cp, *cp_old;
-	struct file *fp_object;
+	struct file *fp_object, *fcapp;
 	int error;
 
 	if ((rights | CAP_MASK_VALID) != CAP_MASK_VALID)
@@ -290,7 +290,7 @@ kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights,
 	/*
 	 * Allocate a new file descriptor to hang the capability off of.
 	 */
-	error = falloc(td, fcappp, capfdp, fp->f_flag);
+	error = falloc(td, &fcapp, capfdp, fp->f_flag);
 	if (error)
 		return (error);
 
@@ -309,18 +309,18 @@ kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights,
 	cp = uma_zalloc(capability_zone, M_WAITOK | M_ZERO);
 	cp->cap_rights = rights;
 	cp->cap_object = fp_object;
-	cp->cap_file = *fcappp;
+	cp->cap_file = fcapp;
 
 	if (fp->f_flag & DFLAG_PASSABLE)
-		finit(*fcappp, fp->f_flag, DTYPE_CAPABILITY, cp,
+		finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp,
 		    &capability_ops);
 	else
-		finit(*fcappp, fp->f_flag, DTYPE_CAPABILITY, cp,
+		finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp,
 		    &capability_ops_unpassable);
 
 	/*
 	 * Release our private reference (the proc filedesc still has one).
 	 */
-	fdrop(*fcappp, td);
+	fdrop(fcapp, td);
 	return (0);
 }
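Review bot: The block comment whose closing `*/` opens the hunk at -267 sits directly above kern_capwrap's signature and presumably documents its parameters; if it still describes the removed `fcappp` out-parameter, it should be updated to say that the new struct file is allocated and released internally and that only the descriptor number is returned through `capfdp`. That is also the security-relevant effect worth recording there: after the `fdrop(fcapp, td)` at the end of the -309 hunk the function no longer hands a pointer to that file back to callers, so cap_new cannot touch it once its private reference is gone, which the previous interface left open. The comment above falloc in the -290 hunk could likewise note that `fcapp` is only valid between falloc succeeding and the fdrop, e.g. `/* fcapp is our private reference; it is dropped below. */`. Both cap_new and kern_capwrap start and end outside these hunks.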