git: 8ae9921f2e9e - main - sys_capability.c: update the source of CAPENABLED
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 22 Oct 2024 18:45:23 UTC
The branch main has been updated by brooks: URL: https://cgit.FreeBSD.org/src/commit/?id=8ae9921f2e9e770462613bb6bae76a470dbdfcbd commit 8ae9921f2e9e770462613bb6bae76a470dbdfcbd Author: Brooks Davis <brooks@FreeBSD.org> AuthorDate: 2024-10-22 17:49:43 +0000 Commit: Brooks Davis <brooks@FreeBSD.org> CommitDate: 2024-10-22 18:44:41 +0000 sys_capability.c: update the source of CAPENABLED System calls allowed in capability mode have been specified by the CAPENABLED flag in syscalls.master since 2021. --- sys/kern/sys_capability.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/sys/kern/sys_capability.c b/sys/kern/sys_capability.c index e71dc4f3285b..d43102ab7849 100644 --- a/sys/kern/sys_capability.c +++ b/sys/kern/sys_capability.c @@ -50,11 +50,12 @@ * derived from existing capabilities, but only if they have the same or a * strict subset of the rights on the original capability. * - * System calls permitted in capability mode are defined in capabilities.conf; - * calls must be carefully audited for safety to ensure that they don't allow - * escape from a sandbox. Some calls permit only a subset of operations in - * capability mode -- for example, shm_open(2) is limited to creating - * anonymous, rather than named, POSIX shared memory objects. + * System calls permitted in capability mode are defined by CAPENABLED + * flags in syscalls.master; calls must be carefully audited for safety + * to ensure that they don't allow escape from a sandbox. Some calls + * permit only a subset of operations in capability mode -- for example, + * shm_open(2) is limited to creating anonymous, rather than named, + * POSIX shared memory objects. */ #include <sys/cdefs.h>