Date:      Sat, 13 Aug 2011 13:26:41 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r224839 - head/sys/kern
Message-ID:  <201108131326.p7DDQfmC018324@svn.freebsd.org>

Author: rwatson
Date: Sat Aug 13 13:26:40 2011
New Revision: 224839
URL: http://svn.freebsd.org/changeset/base/224839

Log:
  Now that capability support has been committed, update and expand the
  comment at the top of sys_capability.c to describe its new contents.
  
  Approved by:  re (xxx)

Modified:
  head/sys/kern/sys_capability.c

Modified: head/sys/kern/sys_capability.c
==============================================================================
--- head/sys/kern/sys_capability.c	Sat Aug 13 13:18:54 2011	(r224838)
+++ head/sys/kern/sys_capability.c	Sat Aug 13 13:26:40 2011	(r224839)
@@ -31,9 +31,24 @@
 /*
  * FreeBSD kernel capability facility.
  *
- * Currently, this file implements only capability mode; capabilities
- * (rights-refined file descriptors) will follow.
+ * Two kernel features are implemented here: capability mode, a sandboxed mode
+ * of execution for processes, and capabilities, a refinement on file
+ * descriptors that allows fine-grained control over operations on the file
+ * descriptor.  Collectively, these allow processes to run in the style of a
+ * historic "capability system" in which they can use only resources
+ * explicitly delegated to them.  This model is enforced by restricting access
+ * to global namespaces in capability mode.
  *
+ * Capabilities wrap other file descriptor types, binding them to a constant
+ * rights mask set when the capability is created.  New capabilities may be
+ * derived from existing capabilities, but only if they have the same or a
+ * strict subset of the rights on the original capability.
+ *
+ * System calls permitted in capability mode are defined in capabilities.conf;
+ * calls must be carefully audited for safety to ensure that they don't allow
+ * escape from a sandbox.  Some calls permit only a subset of operations in
+ * capability mode -- for example, shm_open(2) is limited to creating
+ * anonymous, rather than named, POSIX shared memory objects.
  */
 
 #include "opt_capsicum.h"
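Review bot: The expanded header comment says both features are "implemented here", but the capabilities half of this file is compiled conditionally (the `#endif /* CAPABILITIES */` in the next hunk closes it, and `opt_capsicum.h` is included right below this comment); a sentence noting that the capabilities code depends on the `CAPABILITIES` kernel option would tell readers which parts are always present. Two smaller wording points: "the same or a strict subset of the rights" reads more directly as "a subset (possibly equal) of the rights", and capabilities.conf is referenced without saying where it lives, so naming its location would help anyone auditing the permitted-syscall list.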
@@ -512,4 +527,3 @@ cap_funwrap_mmap(struct file *fp_cap, ca
 }
 
 #endif /* CAPABILITIES */
-
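Review bot: The log message ("update and expand the comment") does not mention the whitespace cleanup in this hunk, the removal of the trailing blank line after `#endif /* CAPABILITIES */`; harmless, but a brief mention would keep the log complete so the change is not mistaken for a functional one.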