d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- Add NOCAPCHECK flag to namei that allows lookup to work even if the process

Browse Source 
is in capability mode.
- Add VN_OPEN_NOCAPCHECK flag for vn_open_cred() to will ne converted into
  NOCAPCHECK namei flag.

This functionality will be used to enable core dumps for sandboxed processes.

Reviewed by:	rwatson
Obtained from:	WHEEL Systems
MFC after:	2 weeks
This commit is contained in:
Pawel Jakub Dawidek 2012-11-27 10:32:35 +00:00
parent 90b2202145
commit f121e3e81d
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=243612
4 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/kern/vfs_lookup.c
View File

@ -183,7 +183,7 @@ namei(struct nameidata *ndp)
* not an absolute path, and not containing '..' components) to
* a real file descriptor, not the pseudo-descriptor AT_FDCWD.
*/
if (IN_CAPABILITY_MODE(td)) {
if (IN_CAPABILITY_MODE(td) && (cnp->cn_flags & NOCAPCHECK) == 0) {
ndp->ni_strictrelative = 1;
if (ndp->ni_dirfd == AT_FDCWD) {
#ifdef KTRACE

4
sys/kern/vfs_vnops.c
View File

@ -135,6 +135,8 @@ vn_open_cred(struct nameidata *ndp, int *flagp, int cmode, u_int vn_open_flags,
ndp->ni_cnd.cn_flags |= FOLLOW;
if (!(vn_open_flags & VN_OPEN_NOAUDIT))
ndp->ni_cnd.cn_flags |= AUDITVNODE1;
if (vn_open_flags & VN_OPEN_NOCAPCHECK)
ndp->ni_cnd.cn_flags |= NOCAPCHECK;
bwillwrite();
if ((error = namei(ndp)) != 0)
return (error);
@ -188,6 +190,8 @@ vn_open_cred(struct nameidata *ndp, int *flagp, int cmode, u_int vn_open_flags,
ndp->ni_cnd.cn_flags |= LOCKSHARED;
if (!(vn_open_flags & VN_OPEN_NOAUDIT))
ndp->ni_cnd.cn_flags |= AUDITVNODE1;
if (vn_open_flags & VN_OPEN_NOCAPCHECK)
ndp->ni_cnd.cn_flags |= NOCAPCHECK;
if ((error = namei(ndp)) != 0)
return (error);
vp = ndp->ni_vp;

3
sys/sys/namei.h
View File

@ -147,7 +147,8 @@ struct nameidata {
#define AUDITVNODE1 0x04000000 /* audit the looked up vnode information */
#define AUDITVNODE2 0x08000000 /* audit the looked up vnode information */
#define TRAILINGSLASH 0x10000000 /* path ended in a slash */
#define PARAMASK 0x1ffffe00 /* mask of parameter descriptors */
#define NOCAPCHECK 0x20000000 /* do not perform capability checks */
#define PARAMASK 0x3ffffe00 /* mask of parameter descriptors */
/*
* Initialization of a nameidata structure.

1
sys/sys/vnode.h
View File

@ -565,6 +565,7 @@ vn_canvmio(struct vnode *vp)
/* vn_open_flags */
#define VN_OPEN_NOAUDIT 0x00000001
#define VN_OPEN_NOCAPCHECK 0x00000002
/*
* Public vnode manipulation functions.