Add ECAPMODE, "Not permitted in capability mode", a new kernel errno

constant to indicate that a system call (or perhaps an operation requested
via a system call) is not permitted for a capability mode process.

Submitted by:	anderson
Sponsored by:	Google, Inc.
Obtained from:	Capsicum Project
MFC after:	1 week

sys/bsm/audit_errno.h

@@ -205,6 +205,8 @@
 #define	BSM_ERRNO_EKEYEXPIRED		220	/* Linux-specific. */
 #define	BSM_ERRNO_EKEYREVOKED		221	/* Linux-specific. */
 #define	BSM_ERRNO_EKEYREJECTED		222	/* Linux-specific. */
+#define	BSM_ERRNO_ENOTCAPABLE		223	/* FreeBSD-specific. */
+#define	BSM_ERRNO_ECAPMODE		224	/* FreeBSD-specific. */
 
 /*
  * In the event that OpenBSM doesn't have a file representation of a local

sys/security/audit/audit_bsm_errno.c

@@ -686,6 +686,20 @@ static const struct bsm_errno bsm_errnos[] = {
 	ERRNO_NO_LOCAL_MAPPING,
 #endif
 	ES("Key was rejected by service") },
+	{ BSM_ERRNO_ENOTCAPABLE,
+#ifdef ENOTCAPABLE
+	ENOTCAPABLE,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Capabilities insufficient") },
+	{ BSM_ERRNO_ECAPMODE,
+#ifdef ECAPMODE
+	ECAPMODE,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Not permitted in capability mode") },
 };
 static const int bsm_errnos_count = sizeof(bsm_errnos) / sizeof(bsm_errnos[0]);
 

sys/sys/errno.h

@@ -175,10 +175,11 @@ __END_DECLS
 
 #ifndef _POSIX_SOURCE
 #define	ENOTCAPABLE	93		/* Capabilities insufficient */
+#define	ECAPMODE		94		/* Not permitted in capability mode */
 #endif /* _POSIX_SOURCE */
 
 #ifndef _POSIX_SOURCE
-#define	ELAST		93		/* Must be equal largest errno */
+#define	ELAST		94		/* Must be equal largest errno */
 #endif /* _POSIX_SOURCE */
 
 #ifdef _KERNEL