Revision 280224 | 18-Mar-2015 | rwatson
Merge r263232 from head to stable/10:
Rename capability.h to capsicum.h: the original name conflicts with the draft POSIX.1e capability.h used on some systems (e.g., Linux). On FreeBSD, leave a wrapper header so that current code continues to compile.
We will eventually want to deprecate the old header as the presence of a capability.h may be confusing some configure scripts.
Suggested by: David Drysdale <drysdale at google.com>
Discussed on: cl-capsicum-discuss
MFC after: 3 weeks
Sponsored by: Google, Inc.

Revision 273109 | 14-Oct-2014 | mjg
MFC r269023,r272503,r272505,r272523,r272567,r272569,r272574
Prepare fget_unlocked for reading fd table only once.
Some capsicum functions accept fdp + fd and look up the fde based on that. Add variants which accept an fde.
===============================
Add sequence counters with memory barriers.
The current implementation is somewhat simplistic and hackish, and will be improved later after a possible memory barrier overhaul.
===============================
Plug capability races.
fp and appropriate capability lookups were not atomic, which could result in improper capabilities being checked.
This could result either in protection bypass or in a spurious ENOTCAPABLE.
Make fp + capability check atomic with the help of sequence counters.
===============================
Put an #ifdef _KERNEL around the #include for opt_capsicum.h to hopefully allow the build to finish after r272505.
===============================
filedesc: fix up breakage introduced in 272505
Include sequence counter support unconditionally [1]. This fixes reported build problems with e.g. the nvidia driver due to missing opt_capsicum.h.
Replace fishy looking sizeof with offsetof. Make fde_seq the last member in order to simplify calculations.
===============================
Keep struct filedescent comments within 80-char limit.
===============================
seq_t needs to be visible to userspace
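The race that r272505 plugs (fp and rights read separately, so a concurrent table update can pair one descriptor's file with another's rights) and the sequence-counter fix, as an added example that is not FreeBSD's code: fde_t, fde_update(), fde_lookup() and the interleave hook are this example's own stand-ins for struct filedescent, the fd table writer and fget_unlocked(), written in portable C11 atomics rather than against the kernel's seq API.

```c
#include <stdatomic.h>
#include <stdio.h>
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
/* Example-only stand-in for struct filedescent: fp, rights and a counter. */
typedef struct {
    atomic_uint seq;     /* even: entry stable; odd: writer in progress */
    const char *fp;      /* stands in for the struct file pointer */
    unsigned    rights;  /* stands in for cap_rights_t */
} fde_t;
/* Writer: make seq odd, update both fields, make seq even again. */
static void fde_update(fde_t *f, const char *fp, unsigned rights) {
    atomic_fetch_add_explicit(&f->seq, 1, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
    f->fp = fp;
    f->rights = rights;
    atomic_thread_fence(memory_order_release);
    atomic_fetch_add_explicit(&f->seq, 1, memory_order_relaxed);
}
/* Reader: snapshot fp and rights under one sequence number and retry when a
 * writer slipped in between, so the pair always belongs to one descriptor.
 * 'interleave' is an example-only hook that simulates that racing writer. */
static int fde_lookup(fde_t *f, unsigned need, const char **fpp,
                      void (*interleave)(fde_t *), int *retries) {
    unsigned s, rights; const char *fp; int n = 0;
    do {
        while ((s = atomic_load_explicit(&f->seq, memory_order_acquire)) & 1u) {
            /* writer active: wait for an even (stable) counter */
        }
        fp = f->fp;
        if (interleave) { interleave(f); interleave = NULL; }
        rights = f->rights;
        atomic_thread_fence(memory_order_acquire);
        n++;
    } while (atomic_load_explicit(&f->seq, memory_order_relaxed) != s);
    if (retries) *retries = n - 1;
    if ((rights & need) != need) return -1;     /* ENOTCAPABLE analogue */
    *fpp = fp;
    return 0;
}
/* Racing writer (constructed): swaps in a descriptor with fewer rights. */
static void race_writer(fde_t *f) { fde_update(f, "fileB", RIGHT_READ); }
int main(void) {
    fde_t f = { 0, "fileA", RIGHT_READ | RIGHT_WRITE };  /* constructed entry */
    const char *fp = NULL; int retries = 0;
    int rv = fde_lookup(&f, RIGHT_WRITE, &fp, race_writer, &retries);
    printf("rv=%d retries=%d fp=%s\n", rv, retries, rv == 0 ? fp : "(none)");
    return 0;
}
```

Without the retry, the reader would have paired fileA's pointer with fileB's rights (spurious ENOTCAPABLE) or, with the reads in the other order, fileB's pointer with fileA's rights (protection bypass).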

Revision 258324 | 18-Nov-2013 | pjd
MFC r258148,r258149,r258150,r258152,r258153,r258154,r258181,r258182:
r258148:
Add a note that this file is compiled as part of the kernel and libc.
Requested by: kib
r258149:
Change cap_rights_merge(3) and cap_rights_remove(3) to return a pointer to the destination cap_rights_t structure.
This already matches the manual page.
r258150:
Sync return value with actual implementation.
r258151:
Style.
r258152:
Precisely document capability rights here too (they are already documented in rights(4)).
r258153:
The CAP_LINKAT, CAP_MKDIRAT, CAP_MKFIFOAT, CAP_MKNODAT, CAP_RENAMEAT, CAP_SYMLINKAT and CAP_UNLINKAT capability rights make no sense without the CAP_LOOKUP right, so include this right.
r258154:
- Move CAP_EXTATTR_* and CAP_ACL_* rights to index 1 to have more room in index 0 for the future.
- Move CAP_BINDAT and CAP_CONNECTAT rights to index 0 so we can include the CAP_LOOKUP right in them.
- Shuffle the bits around so there are no gaps. This is the last chance to do that as all moved rights are not used yet.
r258181:
Replace CAP_POLL_EVENT and CAP_POST_EVENT capability rights (which I had a very hard time to fully understand) with much more intuitive rights:
CAP_EVENT - When set on a descriptor, the descriptor can be monitored with syscalls like select(2), poll(2), kevent(2).
CAP_KQUEUE_EVENT - When set on a kqueue descriptor, the kevent(2) syscall can be called on this kqueue with the eventlist argument set to a non-NULL value; in other words the given kqueue descriptor can be used to monitor other descriptors.
CAP_KQUEUE_CHANGE - When set on a kqueue descriptor, the kevent(2) syscall can be called on this kqueue with the changelist argument set to a non-NULL value; in other words it allows modifying the events monitored with the given kqueue descriptor.
Add alias CAP_KQUEUE, which allows for both CAP_KQUEUE_EVENT and CAP_KQUEUE_CHANGE.
Add backward compatibility define CAP_POLL_EVENT which is equal to CAP_EVENT.
r258182:
Correct right names.
Sponsored by: The FreeBSD Foundation
Approved by: re (kib)