svn commit: r305954 - head/sys/compat/freebsd32
Konstantin Belousov
kib at FreeBSD.org
Sun Sep 18 22:03:09 UTC 2016
Author: kib
Date: Sun Sep 18 22:03:07 2016
New Revision: 305954
URL: https://svnweb.freebsd.org/changeset/base/305954
Log:
Add compat32 support for capsicum.
Reviewed by: bapt, emaste
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D7942
Added:
head/sys/compat/freebsd32/capabilities.conf
- copied, changed from r305950, head/sys/kern/capabilities.conf
Modified:
head/sys/compat/freebsd32/Makefile
head/sys/compat/freebsd32/freebsd32_capability.c
head/sys/compat/freebsd32/syscalls.master
Modified: head/sys/compat/freebsd32/Makefile
==============================================================================
--- head/sys/compat/freebsd32/Makefile Sun Sep 18 21:28:09 2016 (r305953)
+++ head/sys/compat/freebsd32/Makefile Sun Sep 18 22:03:07 2016 (r305954)
@@ -8,7 +8,7 @@ all:
sysent: freebsd32_sysent.c freebsd32_syscall.h freebsd32_proto.h freebsd32_systrace_args.c
freebsd32_sysent.c freebsd32_syscalls.c freebsd32_syscall.h freebsd32_proto.h freebsd32_systrace_args.c : \
- ../../kern/makesyscalls.sh syscalls.master syscalls.conf
+ ../../kern/makesyscalls.sh syscalls.master syscalls.conf capabilities.conf
sh ../../kern/makesyscalls.sh syscalls.master syscalls.conf
clean:
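Review bot: the prerequisite list now names capabilities.conf, but the recipe on the following line still runs `sh ../../kern/makesyscalls.sh syscalls.master syscalls.conf` without mentioning it, so the build depends on makesyscalls.sh picking up ./capabilities.conf implicitly from the working directory. A one-line comment above the target (or, if the script honours a `capabilities_conf=` setting in syscalls.conf, setting it there) would make that implicit dependency visible to the next person editing this Makefile.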
Copied and modified: head/sys/compat/freebsd32/capabilities.conf (from r305950, head/sys/kern/capabilities.conf)
==============================================================================
--- head/sys/kern/capabilities.conf Sun Sep 18 20:00:17 2016 (r305950, copy source)
+++ head/sys/compat/freebsd32/capabilities.conf Sun Sep 18 22:03:07 2016 (r305954)
@@ -1,10 +1,14 @@
##
## Copyright (c) 2008-2010 Robert N. M. Watson
+## Copyright (c) 2016 The FreeBSD Foundation
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
+## Portions of this software were developed by Konstantin Belousov
+## under sponsorship from the FreeBSD Foundation.
+##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
@@ -26,20 +30,14 @@
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
-## List of system calls enabled in capability mode, one name per line.
-##
-## Notes:
-## - sys_exit(2), abort2(2) and close(2) are very important.
-## - Sorted alphabetically, please keep it that way.
+## List of system calls enabled in freebsd32 capability mode, one name
+## per line. See the original list in the sys/kern/capabilities.conf.
+## Position of the compat syscall in this file must be identical to
+## the master, to facilitate comparision and diagnostic.
##
## $FreeBSD$
##
-##
-## Allow ACL and MAC label operations by file descriptor, subject to
-## capability rights. Allow MAC label operations on the current process but
-## we will need to scope __mac_get_pid(2).
-##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
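Review bot: typo in the new header comment, `comparision` should be `comparison`, and `diagnostic` reads better as `diagnostics`. It would also help to say what "Position ... must be identical to the master" means in practice: this copy drops all of the master's explanatory comment blocks, so line numbers cannot match, and the requirement is presumably that entries (including commented-out ones such as `#audit`) keep the same relative order as sys/kern/capabilities.conf so that the two files can be diffed side by side after stripping comments.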
@@ -49,249 +47,82 @@ __mac_get_fd
__mac_get_proc
__mac_set_fd
__mac_set_proc
-
-##
-## Allow sysctl(2) as we scope internal to the call; this is a global
-## namespace, but there are several critical sysctls required for almost
-## anything to run, such as hw.pagesize. For now that policy lives in the
-## kernel for performance and simplicity, but perhaps it could move to a
-## proxying daemon in userspace.
-##
-__sysctl
-
-##
-## Allow umtx operations as these are scoped by address space.
-##
-## XXRW: Need to check this very carefully.
-##
-_umtx_op
-
-##
-## Allow process termination using abort2(2).
-##
+freebsd32_sysctl
+freebsd32_umtx_op
abort2
-
-##
-## Allow accept(2) since it doesn't manipulate namespaces directly, rather
-## relies on existing bindings on a socket, subject to capability rights.
-##
accept
accept4
-
-##
-## Allow AIO operations by file descriptor, subject to capability rights.
-##
aio_cancel
-aio_error
+freebsd32_aio_error
aio_fsync
-aio_read
-aio_return
-aio_suspend
-aio_waitcomplete
-aio_write
-
-##
-## audit(2) is a global operation, submitting to the global trail, but it is
-## controlled by privilege, and it might be useful to be able to submit
-## records from sandboxes. For now, disallow, but we may want to think about
-## providing some sort of proxy service for this.
-##
+freebsd32_aio_read
+freebsd32_aio_return
+freebsd32_aio_suspend
+freebsd32_aio_waitcomplete
+freebsd32_aio_write
#audit
-
-##
-## Allow bindat(2).
-##
bindat
-
-##
-## Allow capability mode and capability system calls.
-##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
-cap_ioctls_get
-cap_ioctls_limit
+freebsd32_cap_ioctls_get
+freebsd32_cap_ioctls_limit
__cap_rights_get
cap_rights_limit
-
-##
-## Allow read-only clock operations.
-##
-clock_getres
-clock_gettime
-
-##
-## Always allow file descriptor close(2).
-##
+freebsd32_clock_getres
+freebsd32_clock_gettime
close
closefrom
-
-##
-## Allow connectat(2).
-##
connectat
-
-##
-## cpuset(2) and related calls require scoping by process, but should
-## eventually be allowed, at least in the current process case.
-##
#cpuset
-#cpuset_getaffinity
-#cpuset_getid
-#cpuset_setaffinity
-#cpuset_setid
-
-##
-## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
-##
+#freebsd32_cpuset_getaffinity
+#freebsd32_cpuset_getid
+#freebsd32_cpuset_setaffinity
+#freebsd32_cpuset_setid
dup
dup2
-
-##
-## Allow extended attribute operations by file descriptor, subject to
-## capability rights.
-##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd
-
-##
-## Allow changing file flags, mode, and owner by file descriptor, subject to
-## capability rights.
-##
fchflags
fchmod
fchown
-
-##
-## For now, allow fcntl(2), subject to capability rights, but this probably
-## needs additional scoping.
-##
-fcntl
-
-##
-## Allow fexecve(2), subject to capability rights. We perform some scoping,
-## such as disallowing privilege escalation.
-##
-fexecve
-
-##
-## Allow flock(2), subject to capability rights.
-##
+freebsd32_fcntl
+freebsd32_fexecve
flock
-
-##
-## Allow fork(2), even though it returns pids -- some applications seem to
-## prefer this interface.
-##
fork
-
-##
-## Allow fpathconf(2), subject to capability rights.
-##
fpathconf
-
-##
-## Allow various file descriptor-based I/O operations, subject to capability
-## rights.
-##
-freebsd6_ftruncate
-freebsd6_lseek
-freebsd6_mmap
-freebsd6_pread
-freebsd6_pwrite
-
-##
-## Allow querying file and file system state with fstat(2) and fstatfs(2),
-## subject to capability rights.
-##
-fstat
+freebsd6_freebsd32_ftruncate
+freebsd6_freebsd32_lseek
+freebsd6_freebsd32_mmap
+freebsd6_freebsd32_pread
+freebsd6_freebsd32_pwrite
+freebsd32_fstat
fstatfs
-
-##
-## Allow further file descriptor-based I/O operations, subject to capability
-## rights.
-##
fsync
ftruncate
-
-##
-## Allow futimens(2) and futimes(2), subject to capability rights.
-##
-futimens
-futimes
-
-##
-## Allow querying process audit state, subject to normal access control.
-##
+freebsd32_futimens
+freebsd32_futimes
getaudit
getaudit_addr
getauid
-
-##
-## Allow thread context management with getcontext(2).
-##
-getcontext
-
-##
-## Allow directory I/O on a file descriptor, subject to capability rights.
-## Originally we had separate capabilities for directory-specific read
-## operations, but on BSD we allow reading the raw directory data, so we just
-## rely on CAP_READ now.
-##
+freebsd32_getcontext
getdents
-getdirentries
-
-##
-## Allow querying certain trivial global state.
-##
+freebsd32_getdirentries
getdomainname
-
-##
-## Allow querying certain per-process resource limit state.
-##
getdtablesize
-
-##
-## Allow querying current process credential state.
-##
getegid
geteuid
-
-##
-## Allow querying certain trivial global state.
-##
gethostid
gethostname
-
-##
-## Allow querying per-process timer.
-##
-getitimer
-
-##
-## Allow querying current process credential state.
-##
+freebsd32_getitimer
getgid
getgroups
getlogin
-
-##
-## Allow querying certain trivial global state.
-##
-getpagesize
+freebsd32_getpagesize
getpeername
-
-##
-## Allow querying certain per-process scheduling, resource limit, and
-## credential state.
-##
-## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
-## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
-## getsid(2) needs scoping.
-##
getpgid
getpgrp
getpid
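Review bot: the renamed entries in this hunk (`freebsd32_sysctl`, `freebsd32_umtx_op`, `freebsd6_freebsd32_ftruncate`, `freebsd32_fstat` and so on) only take effect if they match, character for character, the function names that makesyscalls.sh derives from freebsd32's syscalls.master; as far as I can tell the script marks a syscall capability-enabled when the name is found in this file and does not report names that match nothing, so a misspelt entry would leave that syscall disabled in capability mode for 32-bit binaries without any build-time error. Suggest a one-off check that every non-comment line of this file appears as a function name in the generated freebsd32_sysent.c before committing, and note in the header comment that the names must be the generated (prefixed) ones rather than the syscalls.master names.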
@@ -300,154 +131,53 @@ getpriority
getresgid
getresuid
getrlimit
-getrusage
+freebsd32_getrusage
getsid
-
-##
-## Allow querying socket state, subject to capability rights.
-##
-## XXXRW: getsockopt(2) may need more attention.
-##
getsockname
getsockopt
-
-##
-## Allow querying the global clock.
-##
-gettimeofday
-
-##
-## Allow querying current process credential state.
-##
+freebsd32_gettimeofday
getuid
-
-##
-## Allow ioctl(2), which hopefully will be limited by applications only to
-## required commands with cap_ioctls_limit(2) syscall.
-##
-ioctl
-
-##
-## Allow querying current process credential state.
-##
+freebsd32_ioctl
issetugid
-
-##
-## Allow kevent(2), as we will authorize based on capability rights on the
-## target descriptor.
-##
-kevent
-
-##
-## Allow kill(2), as we allow the process to send signals only to himself.
-##
+freebsd32_kevent
kill
-
-##
-## Allow message queue operations on file descriptors, subject to capability
-## rights.
-##
-kmq_notify
-kmq_setattr
-kmq_timedreceive
-kmq_timedsend
-
-##
-## Allow kqueue(2), we will control use.
-##
+freebsd32_kmq_notify
+freebsd32_kmq_setattr
+freebsd32_kmq_timedreceive
+freebsd32_kmq_timedsend
kqueue
-
-##
-## Allow managing per-process timers.
-##
-ktimer_create
+freebsd32_ktimer_create
ktimer_delete
ktimer_getoverrun
-ktimer_gettime
-ktimer_settime
-
-##
-## We can't allow ktrace(2) because it relies on a global namespace, but we
-## might want to introduce an fktrace(2) of some sort.
-##
+freebsd32_ktimer_gettime
+freebsd32_ktimer_settime
#ktrace
-
-##
-## Allow AIO operations by file descriptor, subject to capability rights.
-##
-lio_listio
-
-##
-## Allow listen(2), subject to capability rights.
-##
-## XXXRW: One might argue this manipulates a global namespace.
-##
+freebsd32_lio_listio
listen
-
-##
-## Allow I/O-related file descriptors, subject to capability rights.
-##
-lseek
-
-##
-## Allow simple VM operations on the current process.
-##
+freebsd32_lseek
madvise
mincore
minherit
mlock
mlockall
-
-##
-## Allow memory mapping a file descriptor, and updating protections, subject
-## to capability rights.
-##
-mmap
-mprotect
-
-##
-## Allow simple VM operations on the current process.
-##
+freebsd32_mmap
+freebsd32_mprotect
msync
munlock
munlockall
munmap
-
-##
-## Allow the current process to sleep.
-##
-nanosleep
-
-##
-## Allow querying the global clock.
-##
+freebsd32_nanosleep
ntp_gettime
-
-##
-## Allow AIO operations by file descriptor, subject to capability rights.
-##
-oaio_read
-oaio_write
-
-##
-## Allow simple VM operations on the current process.
-##
+freebsd6_freebsd32_aio_read
+freebsd6_freebsd32_aio_write
obreak
-
-##
-## Allow AIO operations by file descriptor, subject to capability rights.
-##
-olio_listio
-
-##
-## Operations relative to directory capabilities.
-##
+freebsd6_freebsd32_lio_listio
chflagsat
faccessat
fchmodat
fchownat
-fstatat
-futimesat
+freebsd32_fstatat
+freebsd32_futimesat
linkat
mkdirat
mkfifoat
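Review bot: `recv` and `send` become `freebsd6_freebsd32_recv` and `freebsd6_freebsd32_send` here, while the adjacent `recvfrom`, `recvmsg`, `sendfile` and `sendmsg` get the plain `freebsd32_` prefix, and the copy source itself mixed conventions (`oaio_read`, `olio_listio` with an `o` prefix beside `freebsd6_ftruncate` with a `freebsd6_` prefix, now rewritten as `freebsd6_freebsd32_aio_read` and `freebsd6_freebsd32_lio_listio`). Since the prefix encodes which compatibility generation of the syscall is meant, please confirm against freebsd32's syscalls.master that each of these is the name actually emitted for the 32-bit entry point, and consider fixing the master list in the same pass if any of its entries turn out to be stale.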
@@ -457,290 +187,98 @@ readlinkat
renameat
symlinkat
unlinkat
-utimensat
-
-##
-## Allow entry into open(2). This system call will fail, since access to the
-## global file namespace has been disallowed, but allowing entry into the
-## syscall means that an audit trail will be generated (which is also very
-## useful for debugging).
-##
+freebsd32_utimensat
open
-
-##
-## Process descriptor-related system calls are allowed.
-##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented
-
-##
-## Allow pipe(2).
-##
-pipe
+freebsd32_pipe
pipe2
-
-##
-## Allow poll(2), which will be scoped by capability rights.
-## XXXRW: We don't yet do that scoping.
-##
poll
-
-##
-## Allow I/O-related file descriptors, subject to capability rights.
-##
-pread
-preadv
-
-##
-## Allow access to profiling state on the current process.
-##
+freebsd32_pread
+freebsd32_preadv
profil
-
-##
-## Disallow ptrace(2) for now, but we do need debugging facilities in
-## capability mode, so we will want to revisit this, possibly by scoping its
-## operation.
-##
#ptrace
-
-##
-## Allow I/O-related file descriptors, subject to capability rights.
-##
-pwrite
-pwritev
+freebsd32_pwrite
+freebsd32_pwritev
read
-readv
-recv
-recvfrom
-recvmsg
-
-##
-## Allow real-time scheduling primitives to be used.
-##
-## XXXRW: These require scoping.
-##
+freebsd32_readv
+freebsd6_freebsd32_recv
+freebsd32_recvfrom
+freebsd32_recvmsg
rtprio
rtprio_thread
-
-##
-## Allow simple VM operations on the current process.
-##
sbrk
-
-##
-## Allow querying trivial global scheduler state.
-##
sched_get_priority_max
sched_get_priority_min
-
-##
-## Allow various thread/process scheduler operations.
-##
-## XXXRW: Some of these require further scoping.
-##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield
-
-##
-## Allow I/O-related file descriptors, subject to capability rights.
-##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff
-
-##
-## Allow pselect(2) and select(2), which will be scoped by capability rights.
-##
-## XXXRW: But is it?
-##
-pselect
-select
-
-##
-## Allow I/O-related file descriptors, subject to capability rights. Use of
-## explicit addresses here is restricted by the system calls themselves.
-##
-send
-sendfile
-sendmsg
+freebsd32_pselect
+freebsd32_select
+freebsd6_freebsd32_send
+freebsd32_sendfile
+freebsd32_sendmsg
sendto
-
-##
-## Allow setting per-process audit state, which is controlled separately by
-## privileges.
-##
setaudit
setaudit_addr
setauid
-
-##
-## Allow setting thread context.
-##
-setcontext
-
-##
-## Allow setting current process credential state, which is controlled
-## separately by privilege.
-##
+freebsd32_setcontext
setegid
seteuid
setgid
-
-##
-## Allow use of the process interval timer.
-##
-setitimer
-
-##
-## Allow setpriority(2).
-##
-## XXXRW: Requires scoping.
-##
+freebsd32_setitimer
setpriority
-
-##
-## Allow setting current process credential state, which is controlled
-## separately by privilege.
-##
setregid
setresgid
setresuid
setreuid
-
-##
-## Allow setting process resource limits with setrlimit(2).
-##
setrlimit
-
-##
-## Allow creating a new session with setsid(2).
-##
setsid
-
-##
-## Allow setting socket options with setsockopt(2), subject to capability
-## rights.
-##
-## XXXRW: Might require scoping.
-##
setsockopt
-
-##
-## Allow setting current process credential state, which is controlled
-## separately by privilege.
-##
setuid
-
-##
-## shm_open(2) is scoped so as to allow only access to new anonymous objects.
-##
shm_open
-
-##
-## Allow I/O-related file descriptors, subject to capability rights.
-##
shutdown
-
-##
-## Allow signal control on current process.
-##
-sigaction
-sigaltstack
-sigblock
-sigpending
+freebsd32_sigaction
+freebsd32_sigaltstack
+freebsd32_sigblock
+freebsd32_sigpending
sigprocmask
sigqueue
-sigreturn
-sigsetmask
-sigstack
+freebsd32_sigreturn
+freebsd32_sigsetmask
+ofreebsd32_sigstack
sigsuspend
-sigtimedwait
-sigvec
-sigwaitinfo
+freebsd32_sigtimedwait
+freebsd32_sigvec
+freebsd32_sigwaitinfo
sigwait
-
-##
-## Allow creating new socket pairs with socket(2) and socketpair(2).
-##
socket
socketpair
-
-##
-## Allow simple VM operations on the current process.
-##
-## XXXRW: Kernel doesn't implement this, so drop?
-##
sstk
-
-##
-## Do allow sync(2) for now, but possibly shouldn't.
-##
sync
-
-##
-## Always allow process termination with sys_exit(2).
-##
sys_exit
-
-##
-## sysarch(2) does rather diverse things, but is required on at least i386
-## in order to configure per-thread data. As such, it's scoped on each
-## architecture.
-##
-sysarch
-
-##
-## Allow thread operations operating only on current process.
-##
+freebsd32_sysarch
thr_create
thr_exit
thr_kill
-
-##
-## Disallow thr_kill2(2), as it may operate beyond the current process.
-##
-## XXXRW: Requires scoping.
-##
#thr_kill2
-
-##
-## Allow thread operations operating only on current process.
-##
-thr_new
+freebsd32_thr_new
thr_self
thr_set_name
-thr_suspend
+freebsd32_thr_suspend
thr_wake
-
-##
-## Allow manipulation of the current process umask with umask(2).
-##
umask
-
-##
-## Allow submitting of process trace entries with utrace(2).
-##
utrace
-
-##
-## Allow generating UUIDs with uuidgen(2).
-##
uuidgen
-
-##
-## Allow I/O-related file descriptors, subject to capability rights.
-##
write
-writev
-
-##
-## Allow processes to yield(2).
-##
+freebsd32_writev
yield
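Review bot: `ofreebsd32_sigstack` is the only entry in the file with an `o` prefix, whereas `sigvec`, `sigblock` and `sigsetmask`, which are the same generation of BSD compat interface, are listed as plain `freebsd32_sigvec`, `freebsd32_sigblock` and `freebsd32_sigsetmask`; worth double-checking that this difference reflects how each of these is declared in freebsd32's syscalls.master rather than a slip. Separately, `read`, `write`, `open` and `poll` are kept unprefixed, which is consistent with those syscalls being shared with the native table, so no change needed there.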
Modified: head/sys/compat/freebsd32/freebsd32_capability.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_capability.c Sun Sep 18 21:28:09 2016 (r305953)
+++ head/sys/compat/freebsd32/freebsd32_capability.c Sun Sep 18 22:03:07 2016 (r305954)
@@ -49,18 +49,6 @@ __FBSDID("$FreeBSD$");
MALLOC_DECLARE(M_FILECAPS);
int
-freebsd32_cap_enter(struct thread *td,
- struct freebsd32_cap_enter_args *uap)
-{
-
- /*
- * We do not have an equivalent of capabilities.conf for freebsd32
- * compatibility, so do not allow capability mode for now.
- */
- return (ENOSYS);
-}
-
-int
freebsd32_cap_ioctls_limit(struct thread *td,
struct freebsd32_cap_ioctls_limit_args *uap)
{
@@ -148,14 +136,6 @@ out:
#else /* !CAPABILITIES */
int
-freebsd32_cap_enter(struct thread *td,
- struct freebsd32_cap_enter_args *uap)
-{
-
- return (ENOSYS);
-}
-
-int
freebsd32_cap_ioctls_limit(struct thread *td,
struct freebsd32_cap_ioctls_limit_args *uap)
{
Modified: head/sys/compat/freebsd32/syscalls.master
==============================================================================
--- head/sys/compat/freebsd32/syscalls.master Sun Sep 18 21:28:09 2016 (r305953)
+++ head/sys/compat/freebsd32/syscalls.master Sun Sep 18 22:03:07 2016 (r305954)
@@ -974,7 +974,7 @@
514 AUE_NULL OBSOL cap_new
515 AUE_CAP_RIGHTS_GET NOPROTO { int __cap_rights_get(int version, \
int fd, cap_rights_t *rightsp); }
-516 AUE_CAP_ENTER STD { int freebsd32_cap_enter(void); }
+516 AUE_CAP_ENTER NOPROTO { int cap_enter(void); }
517 AUE_CAP_GETMODE NOPROTO { int cap_getmode(u_int *modep); }
518 AUE_PDFORK NOPROTO { int pdfork(int *fdp, int flags); }
519 AUE_PDKILL NOPROTO { int pdkill(int fd, int signum); }
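Review bot: switching syscall 516 from `STD { int freebsd32_cap_enter(void); }` to `NOPROTO { int cap_enter(void); }` is the right call, since `cap_enter` takes no arguments and needs no 32-bit argument translation, and it matches the removal of both `freebsd32_cap_enter` stubs in freebsd32_capability.c above. The behaviour for kernels built without `CAPABILITIES` is preserved, because the native `cap_enter` also returns ENOSYS in that configuration. One thing to state in the commit message or a comment: after this change a 32-bit process really does enter capability mode, so the correctness of the new capabilities.conf (which syscalls carry the capability-enabled flag in the freebsd32 table) is now what stands between a sandboxed 32-bit process and the global namespaces, which is why the name-matching checks suggested on that file matter.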