diff options
author | Robert Watson <rwatson@FreeBSD.org> | 2011-08-13 13:26:40 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2011-08-13 13:26:40 +0000 |
commit | 73516dbd27351f1cb86e72f5be56d1f7da9222a4 (patch) | |
tree | fbaa0c7b36740b281e2d0993c7e64f12232e0808 /sys/kern/sys_capability.c | |
parent | 3ff02b4a8e1f7ba599abb48e981722a58663d67b (diff) | |
download | src-73516dbd27351f1cb86e72f5be56d1f7da9222a4.tar.gz src-73516dbd27351f1cb86e72f5be56d1f7da9222a4.zip |
Now that capability support has been committed, update and expand the
comment at the type of sys_capability.c to describe its new contents.
Approved by: re (xxx)
Notes
Notes:
svn path=/head/; revision=224839
Diffstat (limited to 'sys/kern/sys_capability.c')
-rw-r--r-- | sys/kern/sys_capability.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/sys/kern/sys_capability.c b/sys/kern/sys_capability.c index 37b646f8d7c2..884f2ffb5d77 100644 --- a/sys/kern/sys_capability.c +++ b/sys/kern/sys_capability.c @@ -31,9 +31,24 @@ /* * FreeBSD kernel capability facility. * - * Currently, this file implements only capability mode; capabilities - * (rights-refined file descriptors) will follow. + * Two kernel features are implemented here: capability mode, a sandboxed mode + * of execution for processes, and capabilities, a refinement on file + * descriptors that allows fine-grained control over operations on the file + * descriptor. Collectively, these allow processes to run in the style of a + * historic "capability system" in which they can use only resources + * explicitly delegated to them. This model is enforced by restricting access + * to global namespaces in capability mode. * + * Capabilities wrap other file descriptor types, binding them to a constant + * rights mask set when the capability is created. New capabilities may be + * derived from existing capabilities, but only if they have the same or a + * strict subset of the rights on the original capability. + * + * System calls permitted in capability mode are defined in capabilities.conf; + * calls must be carefully audited for safety to ensure that they don't allow + * escape from a sandbox. Some calls permit only a subset of operations in + * capability mode -- for example, shm_open(2) is limited to creating + * anonymous, rather than named, POSIX shared memory objects. */ #include "opt_capsicum.h" @@ -512,4 +527,3 @@ cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, } #endif /* CAPABILITIES */ - |