authorRobert Watson <rwatson@FreeBSD.org>2011-03-01 13:35:48 +0000
committerRobert Watson <rwatson@FreeBSD.org>2011-03-01 13:35:48 +0000
commit74b5505e5d95e402c047af02c5862a27160111c5 (patch)
treed68ef04ba948e5ff9a89c518f73137623e79f31d /sys/i386/i386/sys_machdep.c
parentfc94e4476b63c4449bcfafe3872dad4d570a8e30 (diff)
Continue to introduce Capsicum capability mode:
Whitelist the sysarch calls allowed in capability mode; arguably, there should be some link between the capability mode model and the privilege model here. Sysarch is a morass similar to ioctl, in many senses.
Submitted by: anderson
Discussed with: benl, kris, pjd
Sponsored by: Google, Inc.
Obtained from: Capsicum Project
MFC after: 3 months
Notes: svn path=/head/; revision=219134
Diffstat (limited to 'sys/i386/i386/sys_machdep.c')
-rw-r--r--sys/i386/i386/sys_machdep.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index cd0c370803c8..6a761bf31ec6 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -32,9 +32,11 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_capabilities.h"
#include "opt_kstack_pages.h"
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/systm.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -108,6 +110,29 @@ sysarch(td, uap)
struct segment_descriptor sd, *sdp;
AUDIT_ARG_CMD(uap->op);
+
+#ifdef CAPABILITIES
+ /*
+ * Whitelist of operations which are safe enough for capability mode.
+ */
+ if (IN_CAPABILITY_MODE(td)) {
+ switch (uap->op) {
+ case I386_GET_LDT:
+ case I386_SET_LDT:
+ case I386_GET_IOPERM:
+ case I386_GET_FSBASE:
+ case I386_SET_FSBASE:
+ case I386_GET_GSBASE:
+ case I386_SET_GSBASE:
+ break;
+
+ case I386_SET_IOPERM:
+ default:
+ return (ECAPMODE);
+ }
+ }
+#endif
+
switch (uap->op) {
case I386_GET_IOPERM:
case I386_SET_IOPERM:
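Review bot: I386_SET_LDT is admitted to capability mode on the `case I386_SET_LDT:` line without any note on why a sandboxed process may install its own segment descriptors; that is presumably only safe because the I386_SET_LDT handler further down in sysarch() (outside this hunk) validates descriptor type and DPL before loading them, and that dependency should be stated where the decision is made — confirm against the handler. I would extend the whitelist comment with `* I386_SET_LDT relies on the descriptor validation in the handler below; do not relax that without revisiting this list.` The `default:` arm makes the gate fail-closed, so any op later added to the main switch is refused in capability mode until it is reviewed and listed here, which is the right default and also deserves a sentence in the comment so a future contributor does not mistake ECAPMODE for a bug. Listing `case I386_SET_IOPERM:` explicitly ahead of `default:` is redundant but documents the deliberate denial; a one-line `/* requires PRIV_IO; never in capability mode */` next to it would make the intent explicit. sysarch() continues outside the hunk.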