PERFORCE change 133988 for review
Robert Watson
rwatson at FreeBSD.org
Thu Jan 24 01:03:43 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=133988
Change 133988 by rwatson at rwatson_freebsd_capabilities on 2008/01/24 09:02:44
Update comments. We now have cap_enter(2) but it needs more work
as it doesn't mask sysctls.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#6 (text+ko) ====
@@ -48,17 +48,21 @@
* descriptors and may need adapting.
* - UNIX domain socket passing of file descriptors will likely need work,
* especially relating to garbage collection.
- * - There is currently no way to prevent system calls from accessing objects
- * other than via capabilities.
* - The list of capability rights is probably inadequate.
* - Should there be a privilege to expand capability rights?
* - Should different underlying object sets have different valid capability
* rights? I.e., CAP_SOCK_*, CAP_VNODE_*, etc?
- * - cap_enter(2) is not implemented.
+ * - Need a way to mask system calls based on capability mode and only allow
+ * approved system calls. A flag in syscalls.master?
+ * - Need to refine access control on sysctl infrastructe sysctls, such as
+ * name lookup.
+ * - masking in fo_read/fo_write/etc is undesirable because really we want
+ * only the original file to be used, as it might have state (cred, flags,
+ * etc) that should be used instead. seekable is a particular issue.
*/
#include <sys/cdefs.h>
-__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#5 $");
+__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#6 $");
#include <sys/param.h>
#include <sys/capability.h>
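Review bot: Typo in the new sysctl TODO entry: "sysctl infrastructe sysctls" should read "sysctl infrastructure sysctls". On style, the new "masking in fo_read/fo_write/etc is undesirable ..." item is the only list entry that starts in lower case; capitalising it ("Masking in fo_read/fo_write/etc ...") keeps the TODO list consistent with the entries above it. The change log says cap_enter(2) now exists but does not yet mask sysctls, so it may also be worth saying so explicitly in the sysctl entry rather than only "refine access control", so a later reader of the comment knows the current state of cap_enter(2) without consulting the Perforce history.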
More information about the p4-projects
mailing list