rename(2): document capability mode errors
ClosedPublic
Actions

Authored by emaste on Sep 12 2017, 1:10 PM.

Details

Reviewers

cem
oshogbo
allanjude

Commits

rS323623: rename(2): document capability mode errors

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

Hrm, although the ENOTCAPABLE errors should really be augmented with "... and the process is in capability mode."

Er, why is rename / renameat with AT_FDCWD not allowed in capability mode?

In D12339#255993, @cem wrote:

Er, why is rename / renameat with AT_FDCWD not allowed in capability mode?

AT_FDCWD is never allowed in capability mode. You have to be explicitly granted rights to any FD

allanjude accepted this revision.Sep 15 2017, 2:18 PM

This revision is now accepted and ready to land.Sep 15 2017, 2:18 PM

In D12339#255993, @cem wrote:

Er, why is rename / renameat with AT_FDCWD not allowed in capability mode?

If AT_FDCWD were permitted in capability mode, that would provide an implicit capability for the current working directory. It is desirable to be able to create sandboxes that don't have access to any directories (even the current working directory), and it's also not clear what rights should be associated with AT_FDCWD, so the clearest thing is to disallow AT_FDCWD. If a process in capability mode requires access to the current working directory, it can be passed in as an explicit capability.

Closed by commit rS323623: rename(2): document capability mode errors (authored by emaste). · Explain WhySep 15 2017, 8:12 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

lib/

libc/

sys/

rename.2

25 lines

Diff 33130

View Options

head/lib/libc/sys/rename.2

rename(2): document capability mode errorsClosedPublicActions