f07ebb8888
- Capability is no longer separate descriptor type. Now every descriptor has set of its own capability rights. - The cap_new(2) system call is left, but it is no longer documented and should not be used in new code. - The new syscall cap_rights_limit(2) should be used instead of cap_new(2), which limits capability rights of the given descriptor without creating a new one. - The cap_getrights(2) syscall is renamed to cap_rights_get(2). - If CAP_IOCTL capability right is present we can further reduce allowed ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed ioctls can be retrived with cap_ioctls_get(2) syscall. - If CAP_FCNTL capability right is present we can further reduce fcntls that can be used with the new cap_fcntls_limit(2) syscall and retrive them with cap_fcntls_get(2). - To support ioctl and fcntl white-listing the filedesc structure was heavly modified. - The audit subsystem, kdump and procstat tools were updated to recognize new syscalls. - Capability rights were revised and eventhough I tried hard to provide backward API and ABI compatibility there are some incompatible changes that are described in detail below: CAP_CREATE old behaviour: - Allow for openat(2)+O_CREAT. - Allow for linkat(2). - Allow for symlinkat(2). CAP_CREATE new behaviour: - Allow for openat(2)+O_CREAT. Added CAP_LINKAT: - Allow for linkat(2). ABI: Reuses CAP_RMDIR bit. - Allow to be target for renameat(2). Added CAP_SYMLINKAT: - Allow for symlinkat(2). Removed CAP_DELETE. Old behaviour: - Allow for unlinkat(2) when removing non-directory object. - Allow to be source for renameat(2). Removed CAP_RMDIR. Old behaviour: - Allow for unlinkat(2) when removing directory. Added CAP_RENAMEAT: - Required for source directory for the renameat(2) syscall. Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR): - Allow for unlinkat(2) on any object. - Required if target of renameat(2) exists and will be removed by this call. Removed CAP_MAPEXEC. CAP_MMAP old behaviour: - Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and PROT_WRITE. CAP_MMAP new behaviour: - Allow for mmap(2)+PROT_NONE. Added CAP_MMAP_R: - Allow for mmap(PROT_READ). Added CAP_MMAP_W: - Allow for mmap(PROT_WRITE). Added CAP_MMAP_X: - Allow for mmap(PROT_EXEC). Added CAP_MMAP_RW: - Allow for mmap(PROT_READ | PROT_WRITE). Added CAP_MMAP_RX: - Allow for mmap(PROT_READ | PROT_EXEC). Added CAP_MMAP_WX: - Allow for mmap(PROT_WRITE | PROT_EXEC). Added CAP_MMAP_RWX: - Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC). Renamed CAP_MKDIR to CAP_MKDIRAT. Renamed CAP_MKFIFO to CAP_MKFIFOAT. Renamed CAP_MKNODE to CAP_MKNODEAT. CAP_READ old behaviour: - Allow pread(2). - Disallow read(2), readv(2) (if there is no CAP_SEEK). CAP_READ new behaviour: - Allow read(2), readv(2). - Disallow pread(2) (CAP_SEEK was also required). CAP_WRITE old behaviour: - Allow pwrite(2). - Disallow write(2), writev(2) (if there is no CAP_SEEK). CAP_WRITE new behaviour: - Allow write(2), writev(2). - Disallow pwrite(2) (CAP_SEEK was also required). Added convinient defines: #define CAP_PREAD (CAP_SEEK | CAP_READ) #define CAP_PWRITE (CAP_SEEK | CAP_WRITE) #define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ) #define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE) #define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL) #define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W) #define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X) #define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X) #define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X) #define CAP_RECV CAP_READ #define CAP_SEND CAP_WRITE #define CAP_SOCK_CLIENT \ (CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \ CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN) #define CAP_SOCK_SERVER \ (CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \ CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \ CAP_SETSOCKOPT | CAP_SHUTDOWN) Added defines for backward API compatibility: #define CAP_MAPEXEC CAP_MMAP_X #define CAP_DELETE CAP_UNLINKAT #define CAP_MKDIR CAP_MKDIRAT #define CAP_RMDIR CAP_UNLINKAT #define CAP_MKFIFO CAP_MKFIFOAT #define CAP_MKNOD CAP_MKNODAT #define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER) Sponsored by: The FreeBSD Foundation Reviewed by: Christoph Mallon <christoph.mallon@gmx.de> Many aspects discussed with: rwatson, benl, jonathan ABI compatibility discussed with: kib |
||
---|---|---|
.. | ||
__error.c | ||
__vdso_gettimeofday.c | ||
_exit.2 | ||
abort2.2 | ||
accept.2 | ||
access.2 | ||
acct.2 | ||
adjtime.2 | ||
aio_cancel.2 | ||
aio_error.2 | ||
aio_read.2 | ||
aio_return.2 | ||
aio_suspend.2 | ||
aio_waitcomplete.2 | ||
aio_write.2 | ||
bind.2 | ||
brk.2 | ||
cap_enter.2 | ||
cap_fcntls_limit.2 | ||
cap_ioctls_limit.2 | ||
cap_rights_limit.2 | ||
chdir.2 | ||
chflags.2 | ||
chmod.2 | ||
chown.2 | ||
chroot.2 | ||
clock_gettime.2 | ||
clock_gettime.c | ||
close.2 | ||
closefrom.2 | ||
connect.2 | ||
cpuset_getaffinity.2 | ||
cpuset.2 | ||
dup.2 | ||
execve.2 | ||
extattr_get_file.2 | ||
fcntl.2 | ||
fcntl.c | ||
ffclock.2 | ||
fhopen.2 | ||
flock.2 | ||
fork.2 | ||
fsync.2 | ||
ftruncate.c | ||
getdirentries.2 | ||
getdtablesize.2 | ||
getfh.2 | ||
getfsstat.2 | ||
getgid.2 | ||
getgroups.2 | ||
getitimer.2 | ||
getlogin.2 | ||
getloginclass.2 | ||
getpeername.2 | ||
getpgrp.2 | ||
getpid.2 | ||
getpriority.2 | ||
getrlimit.2 | ||
getrusage.2 | ||
getsid.2 | ||
getsockname.2 | ||
getsockopt.2 | ||
gettimeofday.2 | ||
gettimeofday.c | ||
getuid.2 | ||
intro.2 | ||
ioctl.2 | ||
issetugid.2 | ||
jail.2 | ||
kenv.2 | ||
kill.2 | ||
kldfind.2 | ||
kldfirstmod.2 | ||
kldload.2 | ||
kldnext.2 | ||
kldstat.2 | ||
kldsym.2 | ||
kldunload.2 | ||
kqueue.2 | ||
kse.2 | ||
ktrace.2 | ||
link.2 | ||
lio_listio.2 | ||
listen.2 | ||
lseek.2 | ||
lseek.c | ||
madvise.2 | ||
Makefile.inc | ||
mincore.2 | ||
minherit.2 | ||
mkdir.2 | ||
mkfifo.2 | ||
mknod.2 | ||
mlock.2 | ||
mlockall.2 | ||
mmap.2 | ||
mmap.c | ||
modfind.2 | ||
modnext.2 | ||
modstat.2 | ||
mount.2 | ||
mprotect.2 | ||
mq_close.2 | ||
mq_getattr.2 | ||
mq_notify.2 | ||
mq_open.2 | ||
mq_receive.2 | ||
mq_send.2 | ||
mq_setattr.2 | ||
msgctl.2 | ||
msgget.2 | ||
msgrcv.2 | ||
msgsnd.2 | ||
msync.2 | ||
munmap.2 | ||
nanosleep.2 | ||
nfssvc.2 | ||
ntp_adjtime.2 | ||
open.2 | ||
pathconf.2 | ||
pdfork.2 | ||
pipe.2 | ||
poll.2 | ||
posix_fadvise.2 | ||
posix_fallocate.2 | ||
posix_openpt.2 | ||
pread.c | ||
profil.2 | ||
pselect.2 | ||
ptrace.2 | ||
pwrite.c | ||
quotactl.2 | ||
read.2 | ||
readlink.2 | ||
reboot.2 | ||
recv.2 | ||
rename.2 | ||
revoke.2 | ||
rfork.2 | ||
rmdir.2 | ||
rtprio.2 | ||
sched_get_priority_max.2 | ||
sched_setparam.2 | ||
sched_setscheduler.2 | ||
sched_yield.2 | ||
sctp_generic_recvmsg.2 | ||
sctp_generic_sendmsg.2 | ||
sctp_peeloff.2 | ||
select.2 | ||
semctl.2 | ||
semget.2 | ||
semop.2 | ||
send.2 | ||
sendfile.2 | ||
setfib.2 | ||
setgroups.2 | ||
setpgid.2 | ||
setregid.2 | ||
setresuid.2 | ||
setreuid.2 | ||
setsid.2 | ||
setuid.2 | ||
shm_open.2 | ||
shmat.2 | ||
shmctl.2 | ||
shmget.2 | ||
shutdown.2 | ||
sigaction.2 | ||
sigaltstack.2 | ||
sigpending.2 | ||
sigprocmask.2 | ||
sigqueue.2 | ||
sigreturn.2 | ||
sigstack.2 | ||
sigsuspend.2 | ||
sigwait.2 | ||
sigwait.c | ||
sigwaitinfo.2 | ||
socket.2 | ||
socketpair.2 | ||
stack_protector_compat.c | ||
stack_protector.c | ||
stat.2 | ||
statfs.2 | ||
swapon.2 | ||
Symbol.map | ||
symlink.2 | ||
sync.2 | ||
sysarch.2 | ||
syscall.2 | ||
timer_create.2 | ||
timer_delete.2 | ||
timer_settime.2 | ||
truncate.2 | ||
truncate.c | ||
umask.2 | ||
undelete.2 | ||
unlink.2 | ||
utimes.2 | ||
utrace.2 | ||
uuidgen.2 | ||
vfork.2 | ||
wait.2 | ||
write.2 |