Use the main capabilities.conf for freebsd32.

Allow the location of capabilities.conf to be configured.

Also allow a per-abi syscall prefix to be configured with the
abi_func_prefix syscalls.conf variable and check syscalls against
entries in capabilities.conf with and without the prefix amended.

Take advantage of these two features to allow use of a shared capabilities.conf
between the default syscall vector and the freebsd32 compatibility
layer.  We've been inconsistent about keeping the two in sync as
evidenced by the bugs fixed in r340294.  This eliminates that problem
going forward.

Reviewed by:	kib
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D17932
Brooks Davis 2018-11-14 00:46:02 +00:00
parent 6febf18036
commit 5b1df30051
4 changed files with 14 additions and 307 deletions


@ -11,7 +11,7 @@ all:
sysent: freebsd32_sysent.c freebsd32_syscall.h freebsd32_proto.h freebsd32_systrace_args.c
freebsd32_sysent.c freebsd32_syscalls.c freebsd32_syscall.h freebsd32_proto.h freebsd32_systrace_args.c : \
../../kern/makesyscalls.sh syscalls.master syscalls.conf capabilities.conf
../../kern/makesyscalls.sh syscalls.master syscalls.conf ../../kern/capabilities.conf
sh ../../kern/makesyscalls.sh syscalls.master syscalls.conf
clean:


@ -1,298 +0,0 @@
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## Copyright (c) 2016 The FreeBSD Foundation
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Portions of this software were developed by Konstantin Belousov
## under sponsorship from the FreeBSD Foundation.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in freebsd32 capability mode, one name
## per line. See the original list in the sys/kern/capabilities.conf.
## Position of the compat syscall in this file must be identical to
## the master, to facilitate comparision and diagnostic.
##
## $FreeBSD$
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc
freebsd32___sysctl
freebsd32__umtx_op
abort2
accept
accept4
aio_cancel
freebsd32_aio_error
freebsd32_aio_fsync
freebsd32_aio_read
freebsd32_aio_return
freebsd32_aio_suspend
freebsd32_aio_waitcomplete
freebsd32_aio_write
#audit
bindat
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
freebsd32_cap_ioctls_get
freebsd32_cap_ioctls_limit
__cap_rights_get
cap_rights_limit
freebsd32_clock_getres
freebsd32_clock_gettime
close
closefrom
connectat
#cpuset
freebsd32_cpuset_getaffinity
#freebsd32_cpuset_getid
freebsd32_cpuset_setaffinity
#freebsd32_cpuset_setid
dup
dup2
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd
fchflags
fchmod
fchown
freebsd32_fcntl
freebsd32_fexecve
flock
fork
fpathconf
freebsd32_fstat
freebsd32_fstatat
freebsd32_getdirentries
freebsd32_fstatfs
freebsd32_mknodat
freebsd32_ftruncate
freebsd32_lseek
freebsd32_mmap
mmap
freebsd32_pread
freebsd32_pwrite
freebsd32_fstat
fstatfs
fsync
ftruncate
freebsd32_ftruncate
freebsd32_futimens
freebsd32_futimes
getaudit
getaudit_addr
getauid
freebsd32_getcontext
freebsd32_getdents
freebsd32_getdirentries
getdirentries
getdomainname
getdtablesize
getegid
geteuid
gethostid
gethostname
freebsd32_getitimer
getgid
getgroups
getlogin
freebsd32_getpagesize
getpeername
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresuid
getrlimit
freebsd32_getrusage
getsid
getsockname
getsockopt
freebsd32_gettimeofday
getuid
freebsd32_ioctl
issetugid
freebsd32_kevent
kill
freebsd32_kmq_notify
freebsd32_kmq_setattr
freebsd32_kmq_timedreceive
freebsd32_kmq_timedsend
kqueue
freebsd32_ktimer_create
ktimer_delete
ktimer_getoverrun
freebsd32_ktimer_gettime
freebsd32_ktimer_settime
#ktrace
freebsd32_lio_listio
listen
freebsd32_lseek
madvise
mincore
minherit
mlock
mlockall
freebsd32_mmap
freebsd32_mprotect
msync
munlock
munlockall
munmap
freebsd32_nanosleep
ntp_gettime
freebsd6_freebsd32_aio_read
freebsd6_freebsd32_aio_write
break
freebsd6_freebsd32_lio_listio
chflagsat
faccessat
fchmodat
fchownat
freebsd32_fstatat
freebsd32_futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
freebsd32_utimensat
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented
freebsd32_pipe
pipe2
poll
freebsd32_ppoll
freebsd32_posix_fallocate
freebsd32_pread
freebsd32_preadv
profil
#ptrace
freebsd32_pwrite
freebsd32_pwritev
read
freebsd32_readv
freebsd6_freebsd32_recv
freebsd32_recvfrom
freebsd32_recvmsg
rtprio
rtprio_thread
sbrk
sched_get_priority_max
sched_get_priority_min
sched_getparam
sched_getscheduler
freebsd32_sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff
freebsd32_pselect
freebsd32_select
freebsd6_freebsd32_send
freebsd32_sendfile
freebsd32_sendmsg
sendto
setaudit
setaudit_addr
setauid
freebsd32_setcontext
setegid
seteuid
setgid
freebsd32_setitimer
setpriority
setregid
setresgid
setresuid
setreuid
setrlimit
setsid
setsockopt
setuid
shm_open
shutdown
freebsd32_sigaction
freebsd32_sigaltstack
freebsd32_sigblock
freebsd32_sigpending
sigpending
freebsd32_sigprocmask
sigprocmask
freebsd32_sigqueue
sigqueue
freebsd32_sigreturn
freebsd32_sigsetmask
freebsd32_sigstack
freebsd32_sigsuspend
sigsuspend
freebsd32_sigtimedwait
freebsd32_sigvec
freebsd32_sigwaitinfo
sigwait
socket
socketpair
sstk
sync
sys_exit
freebsd32_sysarch
thr_create
thr_exit
thr_kill
#thr_kill2
freebsd32_thr_new
thr_self
thr_set_name
freebsd32_thr_suspend
thr_wake
umask
utrace
uuidgen
write
freebsd32_writev
yield


@ -9,3 +9,5 @@ syscallprefix="FREEBSD32_SYS_"
switchname="freebsd32_sysent"
namesname="freebsd32_syscallnames"
systrace="freebsd32_systrace_args.c"
abi_func_prefix="freebsd32_"
capabilities_conf="../../kern/capabilities.conf"
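Review bot: With `capabilities_conf="../../kern/capabilities.conf"` the set of syscalls a 32-bit process may make in capability mode is no longer listed anywhere for this ABI; it is derived from the native list by matching each name with and without `freebsd32_`, and nothing next to these two lines says so. The deleted per-ABI list kept `#freebsd32_cpuset_getid` and `#freebsd32_cpuset_setid` commented out and carried compat-prefixed names such as `freebsd6_freebsd32_aio_read`; whether the shared file produces the same flags for those cannot be seen from this page, so the generated `freebsd32_sysent.c` is worth diffing for `SYF_CAPENABLED` before and after. I would add a comment above the new lines, e.g. `# Capability list is shared with the native ABI; entries match with or without abi_func_prefix.`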


@ -45,13 +45,7 @@ sysarg="sysarg.switch.$$"
sysprotoend="sysprotoend.$$"
systracetmp="systrace.$$"
systraceret="systraceret.$$"
if [ -r capabilities.conf ]; then
capenabled=`egrep -v '^#|^$' capabilities.conf`
capenabled=`echo $capenabled | sed 's/ /,/g'`
else
capenabled=""
fi
capabilities_conf="capabilities.conf"
trap "rm $sysaue $sysdcl $syscompat $syscompatdcl $syscompat4 $syscompat4dcl $syscompat6 $syscompat6dcl $syscompat7 $syscompat7dcl $syscompat10 $syscompat10dcl $syscompat11 $syscompat11dcl $sysent $sysinc $sysarg $sysprotoend $systracetmp $systraceret" 0
@ -67,6 +61,13 @@ if [ -n "$2" ]; then
. $2
fi
if [ -r $capabilities_conf ]; then
capenabled=`egrep -v '^#|^$' $capabilities_conf`
capenabled=`echo $capenabled | sed 's/ /,/g'`
else
capenabled=""
fi
sed -e '
# FreeBSD ID, includes, comments, and blank lines
/.*\$FreeBSD/b done_joining
@ -137,6 +138,7 @@ sed -e '
switchname = \"$switchname\"
namesname = \"$namesname\"
infile = \"$1\"
abi_func_prefix = \"$abi_func_prefix\"
capenabled_string = \"$capenabled\"
"'
@ -381,7 +383,8 @@ sed -e '
# from it.
#
for (cap in capenabled) {
if (funcname == capenabled[cap]) {
if (funcname == capenabled[cap] ||
funcname == abi_func_prefix capenabled[cap]) {
flags = "SYF_CAPENABLED";
break;
}
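Review bot: In the relocated block, `$capabilities_conf` now comes from the sourced config but is expanded unquoted, and an unreadable path still falls through to `capenabled=""` with no diagnostic. An empty value turns the test into `[ -r ]`, which is true, after which `egrep` waits on stdin; a mistyped relative path instead yields a table with no `SYF_CAPENABLED` entries, which fails closed but hides the error. Quote both uses, `if [ -r "$capabilities_conf" ]; then` and `egrep -v '^#|^$' "$capabilities_conf"`, and consider a warning on stderr in the `else` branch when the config overrode the default path.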