Ensure that process descriptors work as expected. We should be able to:
- pdfork(), like regular fork(), but producing a process descriptor
- pdgetpid() to convert a PD into a PID
- pdkill() to send signals to a process identified by a PD
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
When calling poll(2) on a capability, unwrap first and then poll the
underlying object.
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
This commit adds regression testing for openat(), fstatat(), etc. with
capability scoping ("strict relative" lookup), which applies:
- in capability mode
- when performing any *at() lookup relative to a capability
These tests will fail until the *at() code is committed; on my local
instance, with the *at() changes, they all pass.
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
As per kib's suggestion, we also change test_count from a size_t to an int;
its value at the moment is 4, and we only expect it to go up to 7.
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
kernel for FreeBSD 9.0:
Add a new capability mask argument to fget(9) and friends, allowing system
call code to declare what capabilities are required when an integer file
descriptor is converted into an in-kernel struct file *. With options
CAPABILITIES compiled into the kernel, this enforces capability
protection; without, this change is effectively a no-op.
Some cases require special handling, such as mmap(2), which must preserve
information about the maximum rights at the time of mapping in the memory
map so that they can later be enforced in mprotect(2) -- this is done by
narrowing the rights in the existing max_protection field used for similar
purposes with file permissions.
In namei(9), we assert that the code is not reached from within capability
mode, as we're not yet ready to enforce namespace capabilities there.
This will follow in a later commit.
Update two capability names: CAP_EVENT and CAP_KEVENT become
CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they
represent.
Approved by: re (bz)
Submitted by: jonathan
Sponsored by: Google Inc
Even if we have CAP_FCHFLAGS, fchflags(2) fails on NFS. This is normal
and expected, so don't fail the test because of it.
Note that, whether or not we are on NFS, fchflags(2) should always fail
with ENOTCAPABLE if we are using a capability that does not have the
CAP_FCHFLAGS right.
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
Add more regression testing, some of which is expected to fail until we
commit more kernel implementation.
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
Add more regression testing, some of which is expected to fail until we
commit more kernel implementation.
Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc
Ensure that system calls that access global namespaces, e.g. open(2), are not permitted, and that whitelisted sysctls like kern.osreldate are.
Approved by: rwatson
Sponsored by: Google, Inc.
various open flags and then tests various operations to make sure that
they are properly constrained by open flags. Various I/O mechansms
are tried, including aio if compiled into the kernel or loaded as a
module. There's more to be done here but it's a useful start, running
about 220 individual tests.
This is in support of FreeBSD-SA-08:03.sendfile.
test by default, as setugid() is now part of the base kernel (assuming
(options REGRESSION) has been enabled for the running kernel).
Obtained from: TrustedBSD Project
This test utility attempts to evaluate the current kernel policy
for authorization inter-process activities, currently ptrace(),
kill(, SIGHUP), getpriority(), and setpriority(). The utility creates
pairs of processes, initializes their credential sets to useful
cases, and reports on whether the results are in keeping with hard-coded
safety expectations.
o Currently, this utility relies on the availability of __setugid(),
an uncomitted system call used for managing the P_SUGID bit. Due to
continuing discussion of optional regression testing kernel components
("options REGRESSION") I'll hold off on committing that until the
discussion has reached its natural termination.
o A number of additional testing factors should be taken into account
in the testing, including tests for different classes of signals,
interactions with process session characteristics, I/O signalling,
broadcast activities such as broadcast signalling, mass priority
setting, and to take into group-related aspects of credentials.
Additional operations should also be taken into account, such as ktrace,
debugging attach using procfs, and so on.
o This testing suite is intended to prevent the introduction of bugs
in the upcoming sets of authorization changes associated with the
introduction of process capabilities and mandatory access control.
Obtained from: TrustedBSD Project
