freebsd-dev/sys
Konstantin Belousov 7359fdcf5f Allow some dotdot lookups in capability mode.
If dotdot lookup does not escape from the file descriptor passed as
the lookup root, we can allow the component traversal.  Track the
directories traversed, and check the result of dotdot lookup against
the recorded list of the directory vnodes.

Dotdot lookups are enabled by sysctl vfs.lookup_cap_dotdot, currently
disabled by default until more verification of the approach is done.

Disallow non-local filesystems for dotdot, since a remote server might
conspire with the local process to allow it to escape the namespace.
This might be too cautious; provide the knob
vfs.lookup_cap_dotdot_nonlocal to override as well.

Idea by:	rwatson
Discussed with:	emaste, jonathan, rwatson
Reviewed by:	mjg (previous version)
Tested by:	pho (previous version)
Sponsored by:	The FreeBSD Foundation
MFC after:	2 week
Differential revision:	https://reviews.freebsd.org/D8110
2016-11-02 12:43:15 +00:00
amd64 Add BUF_TRACKING and FULL_BUF_TRACKING buffer debugging 2016-10-31 23:09:52 +00:00
arm Move imx_sdhci driver over to a dev/sdhci in preparation for QorIQ support. 2016-11-02 00:51:09 +00:00
arm64 Pull the common FDT interrupt values into a new header rather than be magic 2016-10-26 15:18:08 +00:00
boot efinet_dev_print should honor verbose option. 2016-11-02 06:37:35 +00:00
bsm
cam Add BUF_TRACKING and FULL_BUF_TRACKING buffer debugging 2016-10-31 23:09:52 +00:00
cddl Fix ZIL records ordering when ZVOL opened both with and without FSYNC. 2016-11-01 16:03:31 +00:00
compat Tidy up ia32_sysvec sv_flags setting 2016-10-20 20:29:54 +00:00
conf Merge i.MX and PowerPC SDHCI drivers 2016-11-02 00:57:04 +00:00
contrib krping: Allow the underlying ib_device to handle DMA mappings. 2016-10-24 20:53:44 +00:00
crypto Fix C++ includability of crypto headers with static array sizes 2016-10-18 23:20:49 +00:00
ddb Determine the operand/address size of %cs in a new function 2016-09-25 16:30:29 +00:00
dev hyperv/kvp: Don't mix message status codes and function return values. 2016-11-02 07:18:27 +00:00
fs Allow some dotdot lookups in capability mode. 2016-11-02 12:43:15 +00:00
gdb
geom Add BUF_TRACKING and FULL_BUF_TRACKING buffer debugging 2016-10-31 23:09:52 +00:00
gnu Revert and redo r306083. 2016-09-22 15:17:36 +00:00
i386 Handle pmap_enter() over an existing 4/2M page in KVA on i386. 2016-10-28 11:53:22 +00:00
isa
kern Allow some dotdot lookups in capability mode. 2016-11-02 12:43:15 +00:00
kgssapi
libkern
mips Use correct signal number for floating point exceptions. 2016-10-31 15:49:41 +00:00
modules hyperv/hn: Rename cleaned up file. 2016-11-01 06:54:25 +00:00
net Various fixes for ptnet/ptnetmap (passthrough of netmap ports). In detail: 2016-10-27 09:46:22 +00:00
net80211 [net80211] add comments! 2016-10-28 02:10:07 +00:00
netgraph Avoid panic from ng_uncallout when unpluggin ethernet cable with active 2016-08-08 19:31:01 +00:00
netinet Set slow start threshold more accurately on loss to be flightsize/2 instead of 2016-11-01 21:08:37 +00:00
netinet6 Make ICMPv6 hard error handling for TCP consistent with the ICMPv4 2016-10-21 10:32:57 +00:00
netipsec Remove the 4.3BSD compatible macro m_copy(), use m_copym() instead. 2016-09-15 07:41:48 +00:00
netnatm
netpfil Stop abusing from struct ifnet presence to determine the packet direction 2016-11-01 18:42:44 +00:00
netsmb
nfs Hide the boottime and bootimebin globals, provide the getboottime(9) 2016-07-27 11:08:59 +00:00
nfsclient
nfsserver
nlm When sleeping waiting for either local or remote advisory lock, 2016-06-26 20:08:42 +00:00
ofed Move the ConnectX-3 and ConnectX-2 driver from sys/ofed into sys/dev/mlx4 2016-09-30 08:23:06 +00:00
opencrypto Add support for the fpu_kern(9) KPI on arm64. It hooks into the existing 2016-10-20 09:22:10 +00:00
pc98 Fix building on i386 and arm. But 'public domain' headers on the files 2016-10-13 06:56:23 +00:00
powerpc Add P1022 and compatible SVR IDs 2016-11-02 03:07:01 +00:00
riscv rtwn(4), urtwn(4): merge common code, add support for 11ac devices. 2016-10-17 20:38:24 +00:00
rpc Hide the boottime and bootimebin globals, provide the getboottime(9) 2016-07-27 11:08:59 +00:00
security Don't check aq64_minfree which is unsigned for negative values. 2016-09-08 19:47:57 +00:00
sparc64 Fix building on i386 and arm. But 'public domain' headers on the files 2016-10-13 06:56:23 +00:00
sys Allow some dotdot lookups in capability mode. 2016-11-02 12:43:15 +00:00
teken
tests
tools Consider CROSS_BINUTILS_PREFIX environment variable so we use correct 2016-08-10 13:49:17 +00:00
ufs ANSIfy ffs_subr.c 2016-10-31 20:43:43 +00:00
vm Move and revise a comment about the relation between the object's paging- 2016-11-01 17:11:10 +00:00
x86 xen/intr: add reference counts to event channels 2016-10-31 13:00:53 +00:00
xdr
xen xen: add a grant-table user-space device 2016-10-31 13:12:58 +00:00
Makefile