MFC r273109:
fget_unlocked currently reads 'fde' which is a structure consisting of
serveral fields. In effect the read is inatomic and may result in
obtaining file pointer with stale or incorrect capabilities.
Example race is with dup2.
Side effect is that capability checks can be circumvented.
Fix the problem with introduction of sequence counters.
MFC r269023,r272503,r272505,r272523,r272567,r272569,r272574:
Prepare fget_unlocked for reading fd table only once.
Some capsicum functions accept fdp + fd and lookup fde based on that.
Add variants which accept fde.
===============================
Add sequence counters with memory barriers.
Current implementation is somewhat simplistic and hackish,
will be improved later after possible memory barrier overhaul.
===============================
Plug capability races.
fp and appropriate capability lookups were not atomic, which could result in
improper capabilities being checked.
This could result either in protection bypass or in a spurious ENOTCAPABLE.
Make fp + capability check atomic with the help of sequence counters.
===============================
Put and #ifdef _KERNEL around the #include for opt_capsicum.h to
hopefully allow the build to finish after r272505.
===============================
filedesc: fix up breakage introduced in 272505
Include sequence counter supports incoditionally [1]. This fixes reprted build
problems with e.g. nvidia driver due to missing opt_capsicum.h.
Replace fishy looking sizeof with offsetof. Make fde_seq the last member in
order to simplify calculations.
===============================
Keep struct filedescent comments within 80-char limit.
===============================
seq_t needs to be visible to userspace
Approved by: re (kib)
git-svn-id: svn://svn.freebsd.org/base/releng/10.1@273137
ccf9f872-aa2e-dd11-9fc8-
001c23d0bc1f
projects / FreeBSD / releng / 10.1.git / commit