Date: Tue, 20 Jan 2009 23:34:04 GMT
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 156452 for review
Message-ID: <200901202334.n0KNY4GG072381@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=156452 Change 156452 by rwatson@rwatson_freebsd_capabilities on 2009/01/20 23:33:35 When fexecve(2) is called on a dynamically linked ELF binary in capability mode, disallow access to the globally named interpreter, or specially crafted binaries may be able to gain access to files outside of the sandbox. For now we'll handle only statically linked code in capability mode, but later we'll do something more useful. Affected files ... .. //depot/projects/trustedbsd/capabilities/src/sys/kern/imgact_elf.c#4 edit Differences ... ==== //depot/projects/trustedbsd/capabilities/src/sys/kern/imgact_elf.c#4 (text+ko) ==== @@ -492,9 +492,14 @@ imgp->object = NULL; imgp->execlabel = NULL; + vfslocked = 0; + if (curthread->td_ucred->cr_flags & CRED_FLAG_CAPMODE) { + nd->ni_vp = NULL; + error = EPERM; + goto fail; + } NDINIT(nd, LOOKUP, MPSAFE|LOCKLEAF|FOLLOW, UIO_SYSSPACE, file, curthread); - vfslocked = 0; if ((error = namei(nd)) != 0) { nd->ni_vp = NULL; goto fail;
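Review bot: the new capability-mode block deserves a comment, since `nd->ni_vp = NULL; error = EPERM; goto fail;` reads like an ordinary lookup failure rather than a deliberate policy decision; a two-line comment stating that interpreter lookup is refused in capability mode because the interpreter path is a global name, and that only statically linked images are supported for now, would make that explicit in the code and not only in the change description. Moving `vfslocked = 0;` above the block is required for correctness, because the early `goto fail` otherwise reaches the cleanup path with `vfslocked` uninitialized; that dependency is also worth a line in the comment so a later reorder does not reintroduce it.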