PERFORCE change 148370 for review
Robert Watson
rwatson at FreeBSD.org
Mon Aug 25 10:36:24 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148370
Change 148370 by rwatson at rwatson_freebsd_capabilities on 2008/08/25 10:36:00
Review, annotate, and in some cases revise the list of system
calls permitted in capability mode.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#11 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#19 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#19 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#19 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#19 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#19 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#19 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#11 (text+ko) ====
@@ -1,66 +1,93 @@
-#
-# Copyright (c) 2008 Robert N. M. Watson
-# All rights reserved.
-#
-# WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
-# ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
-# UNEXPECTED WAYS.
-#
-# This software was developed at the University of Cambridge Computer
-# Laboratory with support from a grant from Google, Inc.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-# List of system calls enabled in capability mode, one name per line.
-#
-# Notes:
-# - sys_exit() and close() are very important.
-# - Sorted alphabetically, please keep it that way.
-#
-# $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#10 $
-#
+##
+## Copyright (c) 2008 Robert N. M. Watson
+## All rights reserved.
+##
+## WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
+## ON IN PRODUCTION SYSTEMS. IT WILL BREAK YOUR SOFTWARE IN NEW AND
+## UNEXPECTED WAYS.
+##
+## This software was developed at the University of Cambridge Computer
+## Laboratory with support from a grant from Google, Inc.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions
+## are met:
+## 1. Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+## 2. Redistributions in binary form must reproduce the above copyright
+## notice, this list of conditions and the following disclaimer in the
+## documentation and/or other materials provided with the distribution.
+##
+## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+## SUCH DAMAGE.
+##
+## $FreeBSD$
+##
+## List of system calls enabled in capability mode, one name per line.
+##
+## Notes:
+## - sys_exit(2), abort2(2) and close(2) are very important.
+## - Sorted alphabetically, please keep it that way.
+##
+## $P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/capabilities.conf#11 $
+##
+
+##
+## Allow ACL and MAC label operations by file descriptor, subject to
+## capability rights. Allow MAC label operations on the current process but
+## we will need to scope __mac_get_pid(2).
+##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
-#
-# __mac_get_pid need scoping
-#
-__mac_get_pid
+#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc
-#
-# Certain sysctls need more scoping
-#
+
+##
+## Allow sysctl(2) as we scope internal to the call; this is a global
+## namespace, but there are several critical sysctls required for almost
+## anything to run, such as hw.pagesize. For now that policy lives in the
+## kernel for performance and simplicity, but perhaps it could move to a
+## proxying daemon in userspace.
+##
__sysctl
+
+##
+## Allow umtx operations as these are scoped by address space.
+##
+## XXRW: Need to check this very carefully.
+##
_umtx_lock
_umtx_op
_umtx_unlock
+
+##
+## Allow process termination using abort2(2).
+##
abort2
+
+##
+## Allow accept(2) since it doesn't manipulate namespaces directly, rather
+## relies on existing bindings on a socket, subject to capability rights.
+##
accept
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
aio_cancel
aio_error
aio_fsync
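Review bot: The new header block (L96–L103) never states the convention the rest of this hunk relies on, namely that a line beginning with a single `#` is a disabled system call while `##` introduces commentary, so a reader cannot tell that `#__mac_get_pid` at L119 is a deliberate entry rather than a stray comment. Suggest adding to the Notes list: `## - A line starting with a single '#' is a disabled system call; '##' lines are commentary.` The marker at L139 reads `XXRW` where every other open item in the file is tagged `XXXRW`, so a grep for unresolved items would miss the umtx entry, which is the one flagged as needing to be checked "very carefully"; change it to `## XXXRW: Need to check this very carefully.`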
@@ -69,168 +96,423 @@
aio_suspend
aio_waitcomplete
aio_write
-#
-# What to do about audit()?
-#
+
+##
+## audit(2) is a global operation, submitting to the global trail, but it is
+## controlled by privilege, and it might be useful to be able to submit
+## records from sandboxes. For now, disallow, but we may want to think about
+## providing some sort of proxy service for this.
+##
#audit
+
+##
+## Allow bind(2) for now, even though it operates on global name spaces, as
+## we support CAP_BIND.
+##
+## XXXRW: Revisit this.
+##
bind
+
+##
+## Allow capability mode and capability system calls.
+##
cap_enter
cap_getmode
cap_getrights
cap_new
+
+##
+## Allow read-only clock operations.
+##
clock_gettime
clock_getres
+
+##
+## Always allow file descriptor close(2).
+##
close
+
+##
+## Allow connect(2) for now, ven though it supports global namespaces, we
+##Â we support CAP_CONNECT.
+##
+## XXXRW: Revisit this.
+##
connect
-#
-# cpuset(2) and related calls require scoping.
-#
+
+##
+## cpuset(2) and related calls require scoping by process, but should
+## eventually be allowed, at least in the current process case.
+##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid
+
+##
+## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
+##
dup
dup2
-eaccess
+
+##
+## Allow extended attribute operations by file descriptor, subject to
+## capability rights.
+##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd
+
+##
+## Allow changing file flags, mode, and owner by file descriptor, subject to
+## capability rights.
+##
fchflags
fchmod
fchown
-#
-# Need to review fcntl operations for global affects that might need to be
-# scoped.
-#
+
+##
+## For now, allow fcntly(2), subject to capability rights, but this probably
+## needs additional scoping.
+##
fcntl
+
+##
+## Allow fexecve(2), subject to capability rights. We perform some scoping,
+## such as disallowing privilege escalation.
+##
fexecve
+
+##
+## Allow flock(2), subject to capability rights.
+##
flock
+
+##
+## Allow fork(2).
+##
fork
+
+##
+## Allow fpathconf(2), subject to capability rights.
+##
fpathconf
+
+##
+## Allow various file descriptor-based I/O operations, subject to capability
+## rights. mmap(2) requires further attention.
+##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite
+
+##
+## Allow querying file and file system state with fstat(2) and fstatfs(2),
+## subject to capability rights.
+##
fstat
fstatfs
+
+##
+## Allow further file descriptor-based I/O operations, subject to capability
+## rights.
+##
fsync
ftruncate
+
+##
+## Allow futimes(2), subject to capability rights.
+##
futimes
+
+##
+## Allow querying process audit state, subject to normal access control.
+##
getaudit
getaudit_addr
getauid
+
+##
+## Allow thread context management with getcontext(2).
+##
getcontext
+
+##
+## Allow directory I/O on a file descriptor, subject to capability rights.
+## Originally we had separate capabilities for directory-specific read
+## operations, but on BSD we allow reading the raw directory data, so we just
+## rely on CAP_READ (etc) now.
+##
+## XXXRW: Possibly these should also use CAP_SEEK.
+##
getdents
getdirentries
+
+##
+## Allow querying certain trivial global state.
+##
getdomainname
+
+##
+## Allow querying current process credential state.
+##
getegid
geteuid
+
+##
+## Allow querying certain trivial global state.
+##
gethostid
gethostname
+
+##
+## Allow querying per-process timer.
+##
getitimer
+
+##
+## Allow querying current process credential state.
+##
getgid
getgroups
-#
-# Should we allow getlogin?
-#
-#getlogin
+getlogin
+
+##
+## Allow querying certain trivial global state.
+##
getpagesize
getpeername
-#
-# getpgid needs scoping.
-#
+
+##
+## Allow querying certain per-process scheduling, resource limit, and
+## credential state.
+##
+## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
+## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
+## getsid(2) needs scoping.
+##
getpgid
getpgrp
getpid
-#
-# getppid might or might not need scoping.
-#
getppid
getpriority
getresgid
getresuid
getrlimit
-#
-# getrusage needs scoping.
-#
getrusage
-#
-# getsid needs scoping.
-#
getsid
+
+##
+## Allow querying socket state, subject to capability rights.
+##
+## XXXRW: getsockopt(2) may need more attention.
+##
getsockname
getsockopt
+
+##
+## Allow querying the global clock.
+##
gettimeofday
+
+##
+## Allow querying current process credential state.
+##
getuid
-#
-# ioctl is dangerous.
-#
-ioctl
+
+##
+## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
+## scope, but this is a tricky one as it is also required for tty control.
+## We do have a capability right for this operation.
+##
+## XXXRW: This needs to be revisited.
+##
+#ioctl
+
+##
+## Allow querying current process credential state.
+##
issetugid
+
+##
+## Allow kevent(2), as we will authorize based on capability rights on the
+## target descriptor.
+##
+## XXXRW: Do we do this?
+##
kevent
+
+##
+## Allow message queue operations on file descriptors, subject to capability
+## rights.
+##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend
-#
-# kill needs scoping
-#
+
+##
+## For now, don't allow kill(2) and friends, but in the future we will need
+## something here to allow inter-process signalling and control.
+##
+## XXXRW: Revisit.
+##
#kill
#killpg
+
+##
+## Allow kqueue(2), we will control use.
+##
kqueue
+
+##
+## Allow threading-related system calls.
+##
+## XXXRW: These are obsolete, remove?
+##
kse_create
kse_exit
kse_release
kse_switchin
kse_thr_interrupt
kse_wakeup
+
+##
+## Allow managing per-process timers.
+##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime
-#
-# ktrace needs scoping
-#
+
+##
+## We can't allow ktrace(2) because it relies on a global namespace, but we
+## might want to introduce an fktrace(2) of some sort.
+##
#ktrace
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
lio_listio
+
+##
+## Allow listen(2), subject to capability rights.
+##
+## XXXRW: One might argue this manipulates a global namespace.
+##
listen
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
lseek
+
+##
+## Allow MAC label operations by file descriptor, subject to capability
+## rights.
+##
mac_get_fd
mac_set_fd
+
+##
+## Allow simple VM operations on the current process.
+##
madvise
mincore
minherit
mlock
mlockall
-#
-# mmap needs scoping
-#
+
+##
+## Allow memory mapping a file descriptor, and updating protections, subject
+## to capability rights.
+##
+## XXXRW: We currently don't properly mask VM protections using capability
+## rights.
+##
mmap
mprotect
+
+##
+## Allow simple VM operations on the current process.
+##
msync
munlock
munlockall
munmap
+
+##
+## Allow the current process to sleep.
+##
nanosleep
+
+##
+## Allow querying the global clock.
+##
ntp_gettime
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
oaio_read
oaio_write
+
+##
+## Allow simple VM operations on the current process.
+##
obreak
+
+##
+## Allow AIO operations by file descriptor, subject to capability rights.
+##
olio_listio
+
+##
+## Allow poll(2), which will be scoped by capability rights.
+##
+## XXXRW: Perhaps we don't need the OpenBSD version?
+## XXXRW: We don't yet do that scoping.
+##
openbsd_poll
+
+##
+## Allow pipe(2).
+##
pipe
+
+##
+## Allow poll(2), which will be scoped by capability rights.
+## XXXRW: We don't yet do that scoping.
+##
poll
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
pread
preadv
+
+##
+## Allow access to profiling state on the current process.
+##
profil
-#
-# ptrace needs scoping.
-#
+
+##
+## Disallow ptrace(2) for now, but we do need debugging facilities in
+## capability mode, so we will want to revisit this, possibly by scoping its
+## operation.
+##
#ptrace
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
pwrite
pwritev
read
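Review bot: The grouping at L367–L370 files `getpeername` under "querying certain trivial global state" next to `getpagesize`; it operates on a socket descriptor and belongs with the "querying socket state, subject to capability rights" group at L404 that holds `getsockname`, otherwise the comment misdescribes which access check applies. Several new comment lines carry typos that will be copied into the generated tables' documentation trail: L206 `ven though` should read `even though`, L207 starts with a stray non-ASCII byte before `we support`, and L255 `fcntly(2)` should read `fcntl(2)`. The removal of `eaccess` at L231 is the only policy change in the hunk without a rationale comment; a disabled entry in the style used elsewhere, e.g. `## eaccess(2) operates on a path name, so it is not permitted in capability mode.` followed by `#eaccess`, would keep the decision visible. The kse comment at L476 asks whether these calls are obsolete; the init_sysent.c hunk at L927 already wires `kse_exit` (379) to `nosys`, which supports dropping the kse block.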
@@ -238,66 +520,146 @@
recv
recvfrom
recvmsg
+
+##
+## Allow rfork(2).
+##
rfork
-#
-# rtprio needs scoping.
-#
+
+##
+## Allow real-time scheduling primitives to be used.
+##
+## XXXRW: These require scoping.
+##
rtprio
rtprio_thread
+
+##
+## Allow simple VM operations on the current process.
+##
sbrk
+
+##
+## Allow querying trivial global scheduler state.
+##
sched_get_priority_max
-sched_get_priority_mind
-#
-# sched_{get,set}* need scoping.
-#
+sched_get_priority_min
+
+##
+## Allow various thread/process scheduler operations.
+##
+## XXXRW: Some of these require further scoping.
+##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff
+
+##
+## Allow select(2), which will be scoped by capability rights.
+##
+## XXXRW: But is it?
+##
select
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
send
sendfile
sendmsg
sendto
+
+##
+## Allow setting per-process audit state, which is controlled separately by
+## privileges.
+##
setaudit
setaudit_addr
setauid
+
+##
+## Allow setting thread context.
+##
setcontext
+
+##
+## Allow setting current process credential state, which is controlled
+## separately by privilege.
+##
setegid
seteuid
setgid
+
+##
+## Allow use of the process interval timer.
+##
setitimer
-#
-# Need to think about setpriority and capabilities.
-#
+
+##
+## Allow setpriority(2).
+##
+## XXXRW: Requires scoping.
+##
setpriority
+
+##
+## Allow setting current process credential state, which is controlled
+## separately by privilege.
+##
setregid
setresgid
setresuid
setreuid
+
+##
+## Allow setting process resource limits with setrlimit(2).
+##
setrlimit
+
+##
+## Allow creating a new session with setsid(2).
+##
setsid
-#
-# Need to review socket options and decide what to do about ones that manage
-# globally visible stack properties.
-#
+
+##
+## Allow setting socket options with setsockopt(2), subject to capability
+## rights.
+##
+## XXXRW: Might require scoping.
+##
setsockopt
-#
-# Need to think hard about the safety of credential manipulation calls where
-# the capability model and UNIX model intersect.
-#
+
+##
+## Allow setting current process credential state, which is controlled
+## separately by privilege.
+##
setuid
-#
-# We allow shm_open(2), but only when used with anonymous objects.
-#
+
+##
+## Allow shm_open(2), which is scoped so as to allow only access to new
+## anonymous objects.
+##
shm_open
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
shutdown
+
+##
+## Allow signal control on current process.
+##
sigaction
sigaltstack
sigblock
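Review bot: The entry `sched_rr_getinterval` at L672, now covered by the new "Allow various thread/process scheduler operations" comment, does not match the system call name: the init_sysent.c hunk at L916 shows `sched_rr_get_interval` (334) still carrying flags `0`, so the entry is silently ineffective — the same class of typo this change fixes for `sched_get_priority_mind` at L659/L663. The line should read `sched_rr_get_interval`, and regenerating the tables should then flip 334 to `SYF_CAPENABLED`. The replacement comment for `setsockopt` at L763 is vaguer than the removed text at L755–L756, which named the concern; suggest `## XXXRW: Some options manage globally visible stack properties and may need scoping.`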
@@ -311,34 +673,87 @@
sigtimedwait
sigvec
sigwaitinfo
+
+##
+## Allow creating new socket pairs with socketpair(2).
+##
socketpair
+
+##
+## Allow simple VM operations on the current process.
+##
+## XXXRW: Kernel doesn't implement this, so drop?
+##
sstk
-#
-# sync isn't all that harmful, but is global.
-#
+
+##
+## Do allow sync(2) for now, but possibly shouldn't.
+##
sync
+
+##
+## Always allow process termination with sys_exit(2).
+##
sys_exit
+
+##
+## Allow thread operations operating only on current process.
+##
thr_create
thr_exit
thr_kill
-#
-# thr_kill2 needs scoping.
-#
+
+##
+## Disallow thr_kill2(2), as it may operate beyond the current process.
+##
+## XXXRW: Requires scoping.
+##
#thr_kill2
+
+##
+## Allow thread operations operating only on current process.
+##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake
+
+##
+## Allow manipulation of the current process umask with umask(2).
+##
umask
+
+##
+## Allow submitting of process trace entries with utrace(2).
+##
utrace
+
+##
+## Allow generating UUIDs with uuidgen(2).
+##
uuidgen
+
+##
+## Allow vfork(2).
+##
vfork
-#
-# wait and wait4 needs process scoping work
-#
+
+##
+## For now, allow wait(2), wait4(2), etc.
+##
+## XXXRW: These require scoping.
+##
wait
wait4
+
+##
+## Allow I/O-related file descriptors, subject to capability rights.
+##
write
writev
+
+##
+## Allow processes to yield(2).
+##
yield
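Review bot: The new `sync` comment at L818 drops the reason the removed comment at L814 gave, leaving "possibly shouldn't" without saying why; suggest `## Allow sync(2) for now; it is not all that harmful, but it is a global operation.` so the open question stays reviewable. The `wait`/`wait4` comment at L877 says "etc." but the group lists only those two calls, so either name the others intended or drop the "etc." to avoid implying more is permitted than the file enables. The `sstk` note at L810 questions whether the kernel implements the call; if it is confirmed unimplemented, disabling it as `#sstk` with that note would keep the enabled list minimal.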
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/init_sysent.c#19 (text+ko) ====
@@ -77,12 +77,12 @@
{ compat(AS(osigaction_args),sigaction), AUE_SIGACTION, NULL, 0, 0, SYF_CAPENABLED }, /* 46 = old sigaction */
{ 0, (sy_call_t *)getgid, AUE_GETGID, NULL, 0, 0, SYF_CAPENABLED }, /* 47 = getgid */
{ compat(AS(osigprocmask_args),sigprocmask), AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED }, /* 48 = old sigprocmask */
- { AS(getlogin_args), (sy_call_t *)getlogin, AUE_GETLOGIN, NULL, 0, 0, 0 }, /* 49 = getlogin */
+ { AS(getlogin_args), (sy_call_t *)getlogin, AUE_GETLOGIN, NULL, 0, 0, SYF_CAPENABLED }, /* 49 = getlogin */
{ AS(setlogin_args), (sy_call_t *)setlogin, AUE_SETLOGIN, NULL, 0, 0, 0 }, /* 50 = setlogin */
{ AS(acct_args), (sy_call_t *)acct, AUE_ACCT, NULL, 0, 0, 0 }, /* 51 = acct */
{ compat(0,sigpending), AUE_SIGPENDING, NULL, 0, 0, SYF_CAPENABLED }, /* 52 = old sigpending */
{ AS(sigaltstack_args), (sy_call_t *)sigaltstack, AUE_SIGALTSTACK, NULL, 0, 0, SYF_CAPENABLED }, /* 53 = sigaltstack */
- { AS(ioctl_args), (sy_call_t *)ioctl, AUE_IOCTL, NULL, 0, 0, SYF_CAPENABLED }, /* 54 = ioctl */
+ { AS(ioctl_args), (sy_call_t *)ioctl, AUE_IOCTL, NULL, 0, 0, 0 }, /* 54 = ioctl */
{ AS(reboot_args), (sy_call_t *)reboot, AUE_REBOOT, NULL, 0, 0, 0 }, /* 55 = reboot */
{ AS(revoke_args), (sy_call_t *)revoke, AUE_REVOKE, NULL, 0, 0, 0 }, /* 56 = revoke */
{ AS(symlink_args), (sy_call_t *)symlink, AUE_SYMLINK, NULL, 0, 0, 0 }, /* 57 = symlink */
@@ -361,7 +361,7 @@
{ AS(sched_getscheduler_args), (sy_call_t *)sched_getscheduler, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 330 = sched_getscheduler */
{ 0, (sy_call_t *)sched_yield, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 331 = sched_yield */
{ AS(sched_get_priority_max_args), (sy_call_t *)sched_get_priority_max, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 332 = sched_get_priority_max */
- { AS(sched_get_priority_min_args), (sy_call_t *)sched_get_priority_min, AUE_NULL, NULL, 0, 0, 0 }, /* 333 = sched_get_priority_min */
+ { AS(sched_get_priority_min_args), (sy_call_t *)sched_get_priority_min, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 333 = sched_get_priority_min */
{ AS(sched_rr_get_interval_args), (sy_call_t *)sched_rr_get_interval, AUE_NULL, NULL, 0, 0, 0 }, /* 334 = sched_rr_get_interval */
{ AS(utrace_args), (sy_call_t *)utrace, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 335 = utrace */
{ compat4(AS(freebsd4_sendfile_args),sendfile), AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED }, /* 336 = old sendfile */
@@ -404,7 +404,7 @@
{ AS(extattr_delete_fd_args), (sy_call_t *)extattr_delete_fd, AUE_EXTATTR_DELETE_FD, NULL, 0, 0, SYF_CAPENABLED }, /* 373 = extattr_delete_fd */
{ AS(__setugid_args), (sy_call_t *)__setugid, AUE_NULL, NULL, 0, 0, 0 }, /* 374 = __setugid */
{ AS(nfsclnt_args), (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 375 = nfsclnt */
- { AS(eaccess_args), (sy_call_t *)eaccess, AUE_EACCESS, NULL, 0, 0, SYF_CAPENABLED }, /* 376 = eaccess */
+ { AS(eaccess_args), (sy_call_t *)eaccess, AUE_EACCESS, NULL, 0, 0, 0 }, /* 376 = eaccess */
{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 377 = afs_syscall */
{ AS(nmount_args), (sy_call_t *)nmount, AUE_NMOUNT, NULL, 0, 0, 0 }, /* 378 = nmount */
{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0 }, /* 379 = kse_exit */
@@ -437,7 +437,7 @@
{ AS(ksem_unlink_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 406 = ksem_unlink */
{ AS(ksem_getvalue_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 407 = ksem_getvalue */
{ AS(ksem_destroy_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 408 = ksem_destroy */
- { AS(__mac_get_pid_args), (sy_call_t *)__mac_get_pid, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED }, /* 409 = __mac_get_pid */
+ { AS(__mac_get_pid_args), (sy_call_t *)__mac_get_pid, AUE_NULL, NULL, 0, 0, 0 }, /* 409 = __mac_get_pid */
{ AS(__mac_get_link_args), (sy_call_t *)__mac_get_link, AUE_NULL, NULL, 0, 0, 0 }, /* 410 = __mac_get_link */
{ AS(__mac_set_link_args), (sy_call_t *)__mac_set_link, AUE_NULL, NULL, 0, 0, 0 }, /* 411 = __mac_set_link */
{ AS(extattr_set_link_args), (sy_call_t *)extattr_set_link, AUE_EXTATTR_SET_LINK, NULL, 0, 0, 0 }, /* 412 = extattr_set_link */
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.c#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/systrace_args.c#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.h#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/syscall.mk#19 (text+ko) ====
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/sysproto.h#19 (text+ko) ====