PERFORCE change 133868 for review
Robert Watson
rwatson at FreeBSD.org
Tue Jan 22 08:14:02 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=133868
Change 133868 by rwatson at rwatson_freebsd_capabilities on 2008/01/22 16:13:50
Add a flags field to the process credential and define a flag for
capability mode.
Add a new system call, cap_getmode() that returns whether or not
the process is in capability mode.
Implement cap_enter() system call to set that flag. The call is
a no-op if the process is already in capability mode.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.master#5 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/ucred.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#5 (text+ko) ====
@@ -58,16 +58,19 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#4 $");
+__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#5 $");
#include <sys/param.h>
#include <sys/capability.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/systm.h>
+#include <sys/ucred.h>
#include <vm/uma.h>
@@ -162,20 +165,44 @@
}
/*
- * Enter capability mode for the process.
+ * System call to enter capability mode for the process.
*/
int
cap_enter(struct thread *td, struct cap_enter_args *uap)
{
+ struct ucred *newcred, *oldcred;
+ struct proc *p;
- /* XXXRW: Not implemented. */
+ if (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE)
+ return (0);
+ newcred = crget();
+ p = td->td_proc;
+ PROC_LOCK(p);
+ oldcred = p->p_ucred;
+ crcopy(newcred, oldcred);
+ newcred->cr_flags |= CRED_FLAG_CAPMODE;
+ p->p_ucred = newcred;
+ PROC_UNLOCK(p);
+ crfree(oldcred);
return (0);
}
/*
- * Create a new capability reference to either an existing file object or an
- * an existing capability.
+ * System call to query whether the process is in capability mode.
+ */
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+ u_int i;
+
+ i = (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) ? 1 : 0;
+ return (copyout(&i, uap->modep, sizeof(i)));
+}
+
+/*
+ * System call to create a new capability reference to either an existing
+ * file object or an an existing capability.
*/
int
cap_new(struct thread *td, struct cap_new_args *uap)
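Review bot: cap_enter() replaces only `p->p_ucred`, so when it returns, the calling thread's `td_ucred` and those of any other threads in the process still reference the old credential without `CRED_FLAG_CAPMODE`. Presumably each thread picks up the new credential the next time it refreshes `td_ucred` on kernel entry, but a thread already blocked in a system call would complete that call outside capability mode. The function should at least say so, for example with `/* Only p_ucred is swapped; other threads see the flag when they next refresh td_ucred. */` above the `PROC_LOCK(p)` line. The early-return test also reads `td->td_ucred` without the process lock, which looks harmless because the flag is only ever set, but that assumption deserves a comment too. Separately, the rewritten cap_new() comment keeps the doubled word in `file object or an an existing capability`; cap_new()'s body lies outside this hunk.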
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/syscalls.master#5 (text+ko) ====
@@ -854,5 +854,6 @@
485 AUE_NULL STD { int cap_getrights(int fd, \
u_int64_t *rightsp); }
486 AUE_NULL STD { int cap_enter(void); }
+487 AUE_NULL STD { int cap_getmode(u_int *modep); }
; Please copy any additions and changes to the following compatability tables:
; sys/compat/freebsd32/syscalls.master
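Review bot: The new entry 487 is added only to this table, although the comment directly below it asks for additions to be copied to sys/compat/freebsd32/syscalls.master, and that file is not in the change's affected-files list. 32-bit binaries on a 64-bit kernel would then presumably have no way to call cap_getmode(). Both `cap_enter` and `cap_getmode` are also registered with `AUE_NULL`, so entering capability mode leaves no audit record. For a call that changes the process's security state, a dedicated audit event would be worth assigning once one is defined.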
==== //depot/projects/trustedbsd/capabilities/src/sys/sys/ucred.h#2 (text+ko) ====
@@ -55,13 +55,19 @@
struct uidinfo *cr_uidinfo; /* per euid resource consumption */
struct uidinfo *cr_ruidinfo; /* per ruid resource consumption */
struct prison *cr_prison; /* jail(2) */
- void *cr_pspare[3]; /* vimage 2; general use 1 */
+ u_int cr_flags; /* Flags. */
+ void *cr_pspare[3]; /* vimage 2; general use 1 */
#define cr_endcopy cr_label
struct label *cr_label; /* MAC label */
struct auditinfo_addr cr_audit; /* Audit properties. */
};
#define NOCRED ((struct ucred *)0) /* no credential available */
#define FSCRED ((struct ucred *)-1) /* filesystem credential */
+
+/*
+ * Flags for cr_flags.
+ */
+#define CRED_FLAG_CAPMODE 0x00000001 /* In capability mode. */
#endif /* _KERNEL || _WANT_UCRED */
/*
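Review bot: `cr_flags` is inserted ahead of `cr_pspare` instead of consuming one of the spare slots, which shifts the offsets of `cr_pspare`, `cr_label` and `cr_audit` and, on LP64, most likely adds padding after the `u_int`. Any module built against the old `struct ucred` layout would need rebuilding, which the change description should mention. The field comment `/* Flags. */` also says nothing about why the position matters. The field sits before `cr_endcopy`, so (assuming `cr_startcopy` precedes it, which this hunk does not show) crcopy() carries the flag into every derived credential; something like `/* CRED_FLAG_* bits; kept before cr_endcopy so crcopy() preserves them. */` would record that. Since nothing in this change clears `CRED_FLAG_CAPMODE`, its definition comment could also state that the flag is intended to be one-way.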