Date:      Thu, 3 Dec 2009 12:54:00 GMT
From:      Jonathan Anderson <jona@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 171323 for review
Message-ID:  <200912031254.nB3Cs0Ev031410@repoman.freebsd.org>

http://p4web.freebsd.org/chv.cgi?CH=171323

Change 171323 by jona@jona-capsicum-kent64 on 2009/12/03 12:53:02

	Refactored out fgetbase(), which will be used for other syscalls besides faccessat()

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#20 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#27 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/sys/filedesc.h#5 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/vfs_syscalls.c#20 (text+ko) ====

@@ -160,6 +160,40 @@
 }
 
 /*
+ * Get the "base" vnode defined by a user file descriptor.
+ *
+ * Several *at() system calls are now supported in capability mode. This function
+ * finds out what their "*at base" vnode, which is needed by namei(), should be:
+ *
+ * 1. In non-capability (and thus unconstrained) mode, base = 0.
+ * 2. In capability mode, base is the vnode given by the fd parameter, subject to
+ *    the condition that the supplied 'rights' parameter (OR'ed with CAP_LOOKUP
+ *    and CAP_ATBASE) is satisfied. The vnode is returned with a shared lock.
+ */
+int
+fgetbase(struct thread *td, int fd, cap_rights_t rights, struct vnode **base)
+{
+	if (!(td->td_ucred->cr_flags & CRED_FLAG_CAPMODE))
+		base = 0;
+
+	else {
+		int error;
+
+		error = fgetvp(td, fd, rights | CAP_LOOKUP | CAP_ATBASE, base);
+		if (error)
+			return (error);
+
+		if ((error = vn_lock(*base, LK_SHARED))) {
+			vrele(*base);
+			return (error);
+		}
+	}
+
+	return 0;
+}
+
+
+/*
  * Sync each mounted filesystem.
  */
 #ifndef _SYS_SYSPROTO_H_
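Review bot: In fgetbase() the non-capability branch executes `base = 0;`, which clears the local parameter rather than the caller's pointer, so `*base` keeps whatever value the caller's variable already held. The header comment promises "base = 0" in unconstrained mode, and the faccessat() call site in the next hunk passes `base` on to NDINIT_ATBASE; unless that caller pre-initialises its variable (not visible here), namei() would receive an indeterminate vnode pointer. The line should be `*base = NULL;`. The header comment should also say that in capability mode the vnode is returned referenced as well as share-locked, so the caller must unlock and release it. As a style point, `return 0;` would match the function's other returns as `return (0);`.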
@@ -2239,21 +2273,9 @@
 		cred = tmpcred = td->td_ucred;
 	AUDIT_ARG_VALUE(mode);
 
-	/*
-	 * if a relative base was specified and we're in capability mode, find
-	 * the vnode of the base so that namei() can restrict itself accordingly
-	 */
-	if ((cred->cr_flags & CRED_FLAG_CAPMODE) && (fd >= 0)) {
-
-		if ((error = fgetvp(td, fd, CAP_LOOKUP | CAP_ATBASE, &base)))
-			/* XXX: more CAP_FOO? */
-			return (error);
-
-		if ((error = vn_lock(base, LK_SHARED))) {
-			vrele (base);
-			return (error);
-		}
-	}
+	/* get *at base vnode for namei() */
+	if ((error = fgetbase(td, fd, CAP_FSTAT, &base)))
+		return (error);
 
 	NDINIT_ATBASE(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF | MPSAFE |
 	    AUDITVNODE1, pathseg, path, fd, base, td);
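Review bot: The old `(fd >= 0)` guard is dropped here, so in capability mode fgetbase() now passes every fd value to fgetvp(), including a negative one such as AT_FDCWD, and additionally demands CAP_FSTAT on the descriptor. If refusing a cwd-relative lookup in capability mode is the intended policy, state it in the comment, e.g. `/* get *at base vnode for namei(); in capability mode fd must carry CAP_FSTAT and AT_FDCWD is refused */`. Presumably fgetvp() fails for such an fd, but that is not visible in this hunk. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here that later error paths unlock and release `base`.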

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#27 (text+ko) ====

@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#26 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/sys/sys/capability.h#27 $
  */
 
 /*
@@ -52,7 +52,7 @@
 #define	CAP_GETSOCKNAME		0x0000000000000010ULL	/* getsockname */
 #define	CAP_FCHFLAGS		0x0000000000000020ULL	/* fchflags */
 #define	CAP_IOCTL		0x0000000000000040ULL	/* ioctl */
-#define	CAP_FSTAT		0x0000000000000080ULL	/* fstat */
+#define	CAP_FSTAT		0x0000000000000080ULL	/* fstat, faccessat */
 #define	CAP_MMAP		0x0000000000000100ULL	/* mmap */
 #define	CAP_FCNTL		0x0000000000000200ULL	/* fcntl */
 #define	CAP_EVENT		0x0000000000000400ULL	/* select/poll */

==== //depot/projects/trustedbsd/capabilities/src/sys/sys/filedesc.h#5 (text+ko) ====

@@ -130,6 +130,8 @@
 int	getvnode(struct filedesc *fdp, int fd, struct file **fpp);
 int	getvnode_cap(struct filedesc *fdp, int fd, cap_rights_t rights,
 	    struct file **fpp);
+int	fgetbase(struct thread *td, int fd, cap_rights_t rights,
+	    struct vnode **base);
 void	mountcheckdirs(struct vnode *olddp, struct vnode *newdp);
 void	setugidsafety(struct thread *td);
 


