CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	jonathan <jonathan@FreeBSD.org>
	Sat, 13 Aug 2011 09:21:16 +0000 (09:21 +0000)
committer	jonathan <jonathan@FreeBSD.org>
	Sat, 13 Aug 2011 09:21:16 +0000 (09:21 +0000)
commit	f63d2e920584a3d403a07e765a61eeac57210332
tree	3334bf0dc037565dbb28b66bfe83c6d9e8823738	tree \| snapshot
parent	0ba1fe7d116a032383d49c9a252a5f09682c76f0	commit \| diff

Allow Capsicum capabilities to delegate constrained
access to file system subtrees to sandboxed processes.

- Use of absolute paths and '..' are limited in capability mode.
- Use of absolute paths and '..' are limited when looking up relative
to a capability.
- When a name lookup is performed, identify what operation is to be
performed (such as CAP_MKDIR) as well as check for CAP_LOOKUP.

With these constraints, openat() and friends are now safe in capability
mode, and can then be used by code such as the capability-mode runtime
linker.

Approved by: re (bz), mentor (rwatson)
Sponsored by: Google Inc

sys/kern/kern_descrip.c		diff \| blob \| history
sys/kern/sys_capability.c		diff \| blob \| history
sys/kern/vfs_lookup.c		diff \| blob \| history
sys/kern/vfs_syscalls.c		diff \| blob \| history
sys/sys/capability.h		diff \| blob \| history
sys/sys/namei.h		diff \| blob \| history