| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
.. for easier inclusion
Notes:
svn path=/head/; revision=363751
|
| |
|
|
|
|
|
|
|
| |
Static rights are initialized in cap_rights_sysinit().
MFC after: 1 week
Notes:
svn path=/head/; revision=359330
|
| |
|
|
|
|
|
|
| |
... which allow the compiler to generate relevant code in place without
resorting to calling to a routine at runtime.
Notes:
svn path=/head/; revision=357950
|
| |
|
|
|
|
|
|
|
|
|
| |
The latter is a typedef of the former; the typedef exists and these bits are
representing vmprot values, so use the correct type.
Submitted by: sigsys@gmail.com
MFC after: 3 days
Notes:
svn path=/head/; revision=357899
|
| |
|
|
|
|
|
|
|
|
| |
It is expected to be provided by libc.
PR: 244033
Reported by: Jan Kokemueller
Notes:
svn path=/head/; revision=357766
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang has the unfortunate property of paying little attention to prediction
hints when faced with a loop spanning the majority of the rotuine.
In particular fget_unlocked has an unlikely corner case where it starts almost
from scratch. Faced with this clang generates a maze of taken jumps, whereas
gcc produces jump-free code (in the expected case).
Work around the problem by providing a variant which only tries once and
resorts to calling the original code if anything goes wrong.
While here note that the 'seq' parameter is almost never passed, thus the
seldom users are redirected to call it directly.
Notes:
svn path=/head/; revision=357471
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of doing a 2 iteration loop (determined at runeimt), take advantage
of the fact that the size is already known.
While here provdie cap_check_inline so that fget_unlocked does not have to
do a function call.
Verified with the capsicum suite /usr/tests.
Notes:
svn path=/head/; revision=357452
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
@cem removed references to pdwait4(2) (a nonexistent syscall) in
r320058.
This change removes references to pdwait4(2) and `CAP_PDWAIT` in
rights(4) to not mislead the user into thinking that pdwait4(2)/`CAP_PDWAIT` is
actually implemented in the stock FreeBSD kernel.
The goal of this functionality was to simplify monitoring/manipulating
processes started with `pdfork`, et al, and avoid races with waiting on pids.
The syscall was never completed though--just discussed on the capsicum mailing
list back in 2015:
https://lists.cam.ac.uk/pipermail/cl-capsicum-discuss/2015-May/msg00012.html
. That being said, there are members of the project (@rwatson, etc) who
have longterm goals to implement this syscall to better secure pdfork(2)
calls.
PR: 235871
Reviewed by: emaste
Discussed with: rwatson
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D18950
Notes:
svn path=/head/; revision=344662
|
| |
|
|
|
|
|
|
|
|
|
| |
Reading caps is in the hot path (on each successful fd lookup), but
completely unnecessarily requires a function call.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=339341
|
| |
|
|
| |
Notes:
svn path=/head/; revision=334069
|
| |
|
|
| |
Notes:
svn path=/head/; revision=333920
|
| |
|
|
| |
Notes:
svn path=/head/; revision=333863
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add macros to allow preinitialization of cap_rights_t.
- Convert most commonly used code paths to use preinitialized cap_rights_t.
A 3.6% speedup in fstat was measured with this change.
Reported by: mjg
Reviewed by: oshogbo
Approved by: sbruno
MFC after: 1 month
Notes:
svn path=/head/; revision=333425
|
| |
|
|
|
|
|
| |
It is read on each return to user space.
Notes:
svn path=/head/; revision=333342
|
| |
|
|
|
|
|
|
| |
Introduce the recently approved BSD-1-Clause and replace 0BSD which
never did fit well our use cases.
Notes:
svn path=/head/; revision=326823
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both can be used to cause processes in capability mode to receive
SIGTRAP when ENOTCAPABLE or ECAPMODE errors are returned from
syscalls.
Idea by: emaste
Reviewed by: oshogbo (previous version), emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D7965
Notes:
svn path=/head/; revision=306081
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make it easier to understand how Capsicum interacts with linkat() and
renameat(), rename the rights to CAP_{LINK,RENAME}AT_{SOURCE,TARGET}.
This also addresses a shortcoming in Capsicum, where it isn't possible
to disable linking to files stored in a directory. Creating hardlinks
essentially makes it possible to access files with additional rights.
Reviewed by: rwatson, wblock
Differential Revision: https://reviews.freebsd.org/D3411
Notes:
svn path=/head/; revision=287209
|
| |
|
|
|
|
|
|
|
|
| |
In the CloudABI code I sometimes call into cap_rights_* without
providing any arguments. Though one could argue that this doesn't make
sense, in this specific case it's hard to avoid, as the rights that
should be tested against are forwarded by a couple of wrapper macros.
Notes:
svn path=/head/; revision=285810
|
| |
|
|
|
|
|
|
|
|
|
| |
and cap_ioctls_get(). On FreeBSD, these are 'unsigned long', but on Linux,
ioctl(2) takes an 'int', making mild abstraction desirable.
MFC after: 3 days
Sponsored by: Google, Inc.
Notes:
svn path=/head/; revision=280148
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The core kernel part is patch file utimes.2008.4.diff from
pluknet@FreeBSD.org. I updated the code for API changes, added the manual
page and added compatibility code for old kernels. There is also audit and
Capsicum support.
A new UTIME_* constant might allow setting birthtimes in future.
Differential Revision: https://reviews.freebsd.org/D1426
Submitted by: pluknet (partially)
Reviewed by: delphij, pluknet, rwatson
Relnotes: yes
Notes:
svn path=/head/; revision=277610
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This makes sure that file descriptors of opened directories will
actually get these capabilities. Without this change, bindat() and
connectat() don't seem to work for me.
MFC after: 2 weeks
Reviewed by: rwatson, pjd
Notes:
svn path=/head/; revision=277178
|
| |
|
|
|
|
|
|
|
|
|
| |
Some capsicum functions accept fdp + fd and lookup fde based on that.
Add variants which accept fde.
Reviewed by: pjd
MFC after: 1 week
Notes:
svn path=/head/; revision=269023
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since <sys/capsicum.h> does not comply to any standards, standards-compliant
applications do not include it and it is not useful to restrict what is
exposed depending on the requested standard.
In addition, the use of types like u_int makes the header fail in strict
standards compliance modes anyway.
Notes:
svn path=/head/; revision=264683
|
|
|
draft POSIX.1e capability.h used on some systems (e.g., Linux). On
FreeBSD, leave a wrapper header so that current code continues to compile.
We will eventually want to deprecate the old header as the presence of a
capability.h may be confusing some configure scripts.
Suggested by: David Drysdale <drysdale at google.com>
Discussed on: cl-capsicum-discuss
MFC after: 3 weeks
Notes:
svn path=/head/; revision=263232
|
