Date:      Mon, 3 Aug 2015 13:41:47 +0000 (UTC)
From:      Ed Schouten <ed@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r286229 - in head/sys: kern sys
Message-ID:  <201508031341.t73Dflee026942@repo.freebsd.org>

Author: ed
Date: Mon Aug  3 13:41:47 2015
New Revision: 286229
URL: https://svnweb.freebsd.org/changeset/base/286229

Log:
  Add sysent flag to switch to capabilities mode on startup.
  
  CloudABI processes should run in capabilities mode automatically. There
  is no need to switch manually (e.g., by calling cap_enter()). Add a
  flag, SV_CAPSICUM, that can be used to call into cap_enter() during
  execve().
  
  Reviewed by:	kib

Modified:
  head/sys/kern/kern_exec.c
  head/sys/sys/sysent.h

Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c	Mon Aug  3 12:14:42 2015	(r286228)
+++ head/sys/kern/kern_exec.c	Mon Aug  3 13:41:47 2015	(r286229)
@@ -562,6 +562,10 @@ interpret:
 		goto exec_fail_dealloc;
 	}
 
+	/* ABI enforces the use of Capsicum. Switch into capabilities mode. */
+	if (SV_PROC_FLAG(p, SV_CAPSICUM))
+		sys_cap_enter(td, NULL);
+
 	/*
 	 * Copy out strings (args and env) and initialize stack base
 	 */
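
Review bot: the return value of `sys_cap_enter(td, NULL)` is discarded at the added call. If that call can ever return an error, the image keeps executing outside capabilities mode even though its ABI sets SV_CAPSICUM to demand the sandbox, so the exec fails open. Suggest capturing the result in `error` and taking the same `goto exec_fail_dealloc;` path used by the check just above, or, if the call cannot fail here, saying so in the comment so the ignored return is clearly intentional.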

Modified: head/sys/sys/sysent.h
==============================================================================
--- head/sys/sys/sysent.h	Mon Aug  3 12:14:42 2015	(r286228)
+++ head/sys/sys/sysent.h	Mon Aug  3 13:41:47 2015	(r286229)
@@ -139,11 +139,12 @@ struct sysentvec {
 	void		(*sv_thread_detach)(struct thread *);
 };
 
-#define	SV_ILP32	0x000100
-#define	SV_LP64		0x000200
-#define	SV_IA32		0x004000
-#define	SV_AOUT		0x008000
-#define	SV_SHP		0x010000
+#define	SV_ILP32	0x000100	/* 32-bit executable. */
+#define	SV_LP64		0x000200	/* 64-bit executable. */
+#define	SV_IA32		0x004000	/* Intel 32-bit executable. */
+#define	SV_AOUT		0x008000	/* a.out executable. */
+#define	SV_SHP		0x010000	/* Shared page. */
+#define	SV_CAPSICUM	0x020000	/* Force cap_enter() on startup. */
 
 #define	SV_ABI_MASK	0xff
 #define	SV_PROC_FLAG(p, x)	((p)->p_sysent->sv_flags & (x))
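
Review bot: the comment on `SV_CAPSICUM` says "on startup", which does not tell a reader of sysent.h where the flag is enforced. The kern_exec.c hunk applies it inside execve() before the argument and environment strings are copied out, and the log message says "during execve()", so the comment could read "Force cap_enter() during execve()." The comment-only rewrites of the five existing `SV_*` defines are also mixed into the same hunk as the new security-relevant flag; splitting them into a separate cosmetic commit would leave this change as a single added line that is easier to audit and to merge.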


