open(2): update ENOTCAPABLE error for ..
Closed, Public

Authored by emaste on Tue, Sep 12, 3:37 PM.

Details

Summary

After rS308212 Capsicum permits .. lookups in capability mode, as long as path component traversal does not escape the directory corresponding to the provided file descriptor.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
emaste created this revision. Tue, Sep 12, 3:37 PM
kib accepted this revision. Tue, Sep 12, 4:26 PM

Perhaps also mention that dotdot is not allowed on non-local fs, unless vfs.lookup_cap_dotdot is set.

This revision is now accepted and ready to land. Tue, Sep 12, 4:26 PM
cem accepted this revision. Tue, Sep 12, 7:11 PM
bjk accepted this revision. Tue, Sep 12, 11:13 PM
bjk added a subscriber: bjk.

Please bump .Dd when committing.

lib/libc/sys/open.2
493 ↗(On Diff #32976)

I might even drop the "file descriptor" part, as fd must be a file descriptor as covered previously in the document.

In D12343#255946, @kib wrote:

Perhaps also mention that dotdot is not allowed on non-local fs, unless vfs.lookup_cap_dotdot is set.

Good point; perhaps we need to explain both of the sysctls, although I'm not sure how far we'd like to go in covering non-default options.

lib/libc/sys/open.2
493 ↗(On Diff #32976)

Thanks for the reminder, I would indeed have forgotten. And will make the suggested amendment too.

This revision was automatically updated to reflect the committed changes.
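
The rule stated in the summary, as an added example that is not part of this revision or of the FreeBSD source: a lexical model of which fd-relative paths containing .. stay inside the starting directory. The function name cap_dotdot_check is hypothetical, symlinks and the sysctls mentioned in the review are not modelled, and rejecting absolute paths is assumed from capability-mode open(2) behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* FreeBSD's errno value for "capabilities insufficient"; defined here so
 * the model also builds where <errno.h> does not provide it. */
#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93
#endif

/*
 * Hypothetical helper (not kernel code): returns 0 if no prefix of the
 * path climbs above the directory the lookup starts in, else ENOTCAPABLE.
 * Simplification: purely lexical, symlinks are not considered.
 */
int
cap_dotdot_check(const char *path)
{
	int depth = 0;		/* levels below the starting directory */
	const char *p = path;

	if (*p == '/')		/* assumption: absolute paths are refused */
		return (ENOTCAPABLE);
	while (*p != '\0') {
		size_t len = strcspn(p, "/");
		if (len == 2 && p[0] == '.' && p[1] == '.') {
			if (depth == 0)	/* ".." would leave the directory */
				return (ENOTCAPABLE);
			depth--;
		} else if (len > 0 && !(len == 1 && p[0] == '.')) {
			depth++;	/* ordinary component descends */
		}
		p += len;
		while (*p == '/')	/* skip one or more separators */
			p++;
	}
	return (0);
}

int
main(void)
{
	/* Constructed sample paths, relative to the directory fd. */
	const char *s[] = { "a/../b", "a/b/../../c", "../x", "a/../../c",
	    "./a//..", "/etc/passwd" };
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%-12s -> %s\n", s[i],
		    cap_dotdot_check(s[i]) == 0 ? "ok" : "ENOTCAPABLE");
	return (0);
}
```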