Index: lib/libc/sys/posix_fallocate.2
===================================================================
--- lib/libc/sys/posix_fallocate.2
+++ lib/libc/sys/posix_fallocate.2
@@ -28,7 +28,7 @@
 .\" @(#)open.2 8.2 (Berkeley) 11/16/93
 .\" $FreeBSD$
 .\"
-.Dd January 23, 2014
+.Dd October 11, 2017
 .Dt POSIX_FALLOCATE 2
 .Os
 .Sh NAME
@@ -118,6 +118,10 @@ .It Bq Er ENOSPC There is insufficient free space remaining on the file system storage media. +.It Bq Er ENOTCAPABLE +The file descriptor +.Fa fd +has insufficient rights. .It Bq Er ESPIPE The .Fa fd
Index: sys/kern/capabilities.conf
===================================================================
--- sys/kern/capabilities.conf
+++ sys/kern/capabilities.conf
@@ -488,6 +488,7 @@
 ##
 ## Allow I/O-related file descriptors, subject to capability rights.
 ##
+posix_fallocate
 pread
 preadv
Index: sys/kern/init_sysent.c
===================================================================
--- sys/kern/init_sysent.c
+++ sys/kern/init_sysent.c
@@ -581,7 +581,7 @@ { AS(rctl_get_limits_args), (sy_call_t *)sys_rctl_get_limits, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 527 = rctl_get_limits */ { AS(rctl_add_rule_args), (sy_call_t *)sys_rctl_add_rule, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 528 = rctl_add_rule */ { AS(rctl_remove_rule_args), (sy_call_t *)sys_rctl_remove_rule, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 529 = rctl_remove_rule */ - { AS(posix_fallocate_args), (sy_call_t *)sys_posix_fallocate, AUE_POSIX_FALLOCATE, NULL, 0, 0, 0, SY_THR_STATIC }, /* 530 = posix_fallocate */ + { AS(posix_fallocate_args), (sy_call_t *)sys_posix_fallocate, AUE_POSIX_FALLOCATE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 530 = posix_fallocate */ { AS(posix_fadvise_args), (sy_call_t *)sys_posix_fadvise, AUE_POSIX_FADVISE, NULL, 0, 0, 0, SY_THR_STATIC }, /* 531 = posix_fadvise */ { AS(wait6_args), (sy_call_t *)sys_wait6, AUE_WAIT6, NULL, 0, 0, 0, SY_THR_STATIC }, /* 532 = wait6 */ { AS(cap_rights_limit_args), (sy_call_t *)sys_cap_rights_limit, AUE_CAP_RIGHTS_LIMIT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 533 = cap_rights_limit */
Index: sys/kern/vfs_syscalls.c
===================================================================
--- sys/kern/vfs_syscalls.c
+++ sys/kern/vfs_syscalls.c
@@ -4400,7 +4400,7 @@
 if (offset > OFF_MAX - len)
 return (EFBIG);
 AUDIT_ARG_FD(fd);
- error = fget(td, fd, cap_rights_init(&rights, CAP_WRITE), &fp);
+ error = fget(td, fd, cap_rights_init(&rights, CAP_PWRITE), &fp);
 if (error != 0)
 return (error);
 AUDIT_ARG_FILE(td->td_proc, fp);
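Review bot: The switch from `CAP_WRITE` to `CAP_PWRITE` in the `fget()` call of the sys/kern/vfs_syscalls.c hunk carries no comment, and it changes behaviour for existing callers as well as for sandboxed ones. CAP_PWRITE is CAP_SEEK plus CAP_WRITE, so a descriptor previously limited to CAP_WRITE alone will now get ENOTCAPABLE from posix_fallocate(), whether or not the process is in capability mode. That is the right requirement for a call that takes an explicit offset, but it deserves a line above the call such as `/* Acts at a caller-supplied offset, like pwrite(2): require CAP_SEEK too. */` and a mention in the commit message. If rights(4) lists the system calls each right covers, posix_fallocate should be added under CAP_PWRITE there; that file is not among the ones visible here. The enclosing function starts and ends outside the hunk.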