Implement O_BENEATH flag for openat(2).

Authored by jonathan on Jun 14 2015, 4:23 PM.
Capsicum restricts capability-mode and capability-relative path lookups
to be "strictly relative": we do not permit absolute paths or ".." in
path resolution for these cases. This functionality could be useful in
non-Capsicum applications as well, and it has been proposed for inclusion
in Linux as a step along the way to Capsicum in Linux.

This commit would add the O_BENEATH flag for use in openat(2) to enable
"strict relative" lookups with unrestricted file descriptors (i.e., not
Capsicum capabilities) outside of capability mode. The only difference
from the Capsicum behaviour is that O_BENEATH would cause errno to be
EPERM rather than ECAPMODE or ENOTCAPABLE. If O_BENEATH is used together
with capability mode or a directory capability, EPERM is returned, since
the usermode application has explicitly requested the new behaviour.

Approved by: rwatson (mentor)
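The rule the summary describes is easy to get subtly wrong in userland, so the following is an added example (not the revision's own code) that models the "strictly relative" check and the errno selection exactly as stated above: reject absolute paths and any ".." component, return EPERM when the flag was requested explicitly, and ECAPMODE/ENOTCAPABLE otherwise. EX_O_BENEATH is a hypothetical stand-in for the real flag so the file compiles on systems without it, the ECAPMODE/ENOTCAPABLE fallbacks use FreeBSD's values, and the precedence between capability mode and a capability fd when neither is overridden by O_BENEATH is an assumption. Note that this string check only mirrors the policy: the kernel applies it during resolution, including to symlink targets, which no userland path inspection can see.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* FreeBSD-specific errno values; defined here only so the example also
 * builds where <errno.h> lacks them (values are FreeBSD's). */
#ifndef ECAPMODE
#define ECAPMODE 94
#endif
#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93
#endif

/* Hypothetical stand-in for O_BENEATH (not the real flag value). */
#define EX_O_BENEATH 0x1

/* True if the path is "strictly relative": not absolute and with no ".."
 * component. Names such as "..foo" or "a..b" are ordinary and allowed. */
bool path_is_strictly_relative(const char *path)
{
    if (path == NULL || path[0] == '/')
        return false;               /* absolute paths are rejected */

    const char *p = path;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* a ".." component escapes the base */
        if (end == NULL)
            break;
        p = end + 1;                /* skip the separator (empty components ok) */
    }
    return true;
}

/* Model of the errno a lookup would produce under the summary's rules:
 *   0           -> lookup may proceed
 *   EPERM       -> EX_O_BENEATH requested and the path is not strictly relative
 *   ECAPMODE    -> no EX_O_BENEATH, but the process is in capability mode
 *   ENOTCAPABLE -> no EX_O_BENEATH, but the fd is a Capsicum capability
 * Assumption: when both capmode and a capability fd apply without
 * EX_O_BENEATH, capability mode is reported first. */
int beneath_lookup_errno(const char *path, int flags,
                         bool in_capmode, bool fd_is_capability)
{
    bool restricted = (flags & EX_O_BENEATH) || in_capmode || fd_is_capability;
    if (!restricted || path_is_strictly_relative(path))
        return 0;
    if (flags & EX_O_BENEATH)
        return EPERM;               /* explicit request wins, per the summary */
    if (in_capmode)
        return ECAPMODE;
    return ENOTCAPABLE;
}
```

The component walk matters more than it looks: a naive `strstr(path, "..")` would wrongly reject "a/..b/c", while a check for a leading "../" would miss "a/b/../../etc".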

jonathan retitled this revision from "" to "Implement O_BENEATH flag for openat(2)." Jun 14 2015, 4:23 PM
jonathan updated this object.
jonathan edited the test plan for this revision.
jonathan abandoned this revision. Jun 14 2015, 4:24 PM

User error: I meant to type arc diff --update D2808