D10170.id26746.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D10170.id26746.diff
View Options

	Index: sys/kern/capabilities.conf
	===================================================================
	--- sys/kern/capabilities.conf
	+++ sys/kern/capabilities.conf
	@@ -136,11 +136,11 @@
	## cpuset(2) and related calls require scoping by process, but should
	## eventually be allowed, at least in the current process case.
	##
	-#cpuset
	-#cpuset_getaffinity
	-#cpuset_getid
	-#cpuset_setaffinity
	-#cpuset_setid
	+cpuset
	+cpuset_getaffinity
	+cpuset_getid
	+cpuset_setaffinity
	+cpuset_setid

	##
	## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
	Index: sys/kern/init_sysent.c
	===================================================================
	--- sys/kern/init_sysent.c
	+++ sys/kern/init_sysent.c
	@@ -529,11 +529,11 @@
	{ AS(thr_kill2_args), (sy_call_t )sys_thr_kill2, AUE_KILL, NULL, 0, 0, 0, SY_THR_STATIC }, / 481 = thr_kill2 */
	{ AS(shm_open_args), (sy_call_t )sys_shm_open, AUE_SHMOPEN, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 482 = shm_open */
	{ AS(shm_unlink_args), (sy_call_t )sys_shm_unlink, AUE_SHMUNLINK, NULL, 0, 0, 0, SY_THR_STATIC }, / 483 = shm_unlink */
	- { AS(cpuset_args), (sy_call_t )sys_cpuset, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, / 484 = cpuset */
	- { AS(cpuset_setid_args), (sy_call_t )sys_cpuset_setid, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, / 485 = cpuset_setid */
	- { AS(cpuset_getid_args), (sy_call_t )sys_cpuset_getid, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, / 486 = cpuset_getid */
	- { AS(cpuset_getaffinity_args), (sy_call_t )sys_cpuset_getaffinity, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, / 487 = cpuset_getaffinity */
	- { AS(cpuset_setaffinity_args), (sy_call_t )sys_cpuset_setaffinity, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, / 488 = cpuset_setaffinity */
	+ { AS(cpuset_args), (sy_call_t )sys_cpuset, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 484 = cpuset */
	+ { AS(cpuset_setid_args), (sy_call_t )sys_cpuset_setid, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 485 = cpuset_setid */
	+ { AS(cpuset_getid_args), (sy_call_t )sys_cpuset_getid, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 486 = cpuset_getid */
	+ { AS(cpuset_getaffinity_args), (sy_call_t )sys_cpuset_getaffinity, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 487 = cpuset_getaffinity */
	+ { AS(cpuset_setaffinity_args), (sy_call_t )sys_cpuset_setaffinity, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 488 = cpuset_setaffinity */
	{ AS(faccessat_args), (sy_call_t )sys_faccessat, AUE_FACCESSAT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 489 = faccessat */
	{ AS(fchmodat_args), (sy_call_t )sys_fchmodat, AUE_FCHMODAT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 490 = fchmodat */
	{ AS(fchownat_args), (sy_call_t )sys_fchownat, AUE_FCHOWNAT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, / 491 = fchownat */
	Index: sys/kern/kern_cpuset.c
	===================================================================
	--- sys/kern/kern_cpuset.c
	+++ sys/kern/kern_cpuset.c
	@@ -47,6 +47,7 @@
	#include <sys/sched.h>
	#include <sys/smp.h>
	#include <sys/syscallsubr.h>
	+#include <sys/capsicum.h>
	#include <sys/cpuset.h>
	#include <sys/sx.h>
	#include <sys/queue.h>
	@@ -990,6 +991,9 @@
	/*
	* Presently we only support per-process sets.
	*/
	+ /* In Capability mode, you can only set your own CPU set. */
	+ if (IN_CAPABILITY_MODE(td) && !(which == CPU_WHICH_PID && id == -1))
	+ return (ECAPMODE);
	if (which != CPU_WHICH_PID)
	return (EINVAL);
	set = cpuset_lookup(setid, td);
	@@ -1029,6 +1033,10 @@

	if (level == CPU_LEVEL_WHICH && which != CPU_WHICH_CPUSET)
	return (EINVAL);
	+ /* In Capability mode, you can only get your own CPU set. */
	+ if (IN_CAPABILITY_MODE(td) && !((which == CPU_WHICH_TID \|\|
	+ which == CPU_WHICH_PID) && id == -1))
	+ return (ECAPMODE);
	error = cpuset_which(which, id, &p, &ttd, &set);
	if (error)
	return (error);
	@@ -1097,6 +1105,11 @@

	if (cpusetsize < sizeof(cpuset_t) \|\| cpusetsize > CPU_MAXSIZE / NBBY)
	return (ERANGE);
	+ /* In Capability mode, you can only get your own CPU set. */
	+ if (IN_CAPABILITY_MODE(td) && !(level == CPU_LEVEL_WHICH &&
	+ (which == CPU_WHICH_TID \|\| which == CPU_WHICH_PID) &&
	+ id == -1))
	+ return (ECAPMODE);
	size = cpusetsize;
	mask = malloc(size, M_TEMP, M_WAITOK \| M_ZERO);
	error = cpuset_which(which, id, &p, &ttd, &set);
	@@ -1201,6 +1214,12 @@

	if (cpusetsize < sizeof(cpuset_t) \|\| cpusetsize > CPU_MAXSIZE / NBBY)
	return (ERANGE);
	+ /* In Capability mode, you can only set your own CPU set. */
	+ /* XXX: TODO: should you only be able to reduce your cpuset? */
	+ if (IN_CAPABILITY_MODE(td) && !(level == CPU_LEVEL_WHICH &&
	+ (which == CPU_WHICH_TID \|\| which == CPU_WHICH_PID) &&
	+ id == -1))
	+ return (ECAPMODE);
	mask = malloc(cpusetsize, M_TEMP, M_WAITOK \| M_ZERO);
	error = copyin(maskp, mask, cpusetsize);
	if (error)

File Metadata

Mime Type: text/plain
Expires: Mon, May 18, 4:23 AM (15 h, 56 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 33232986
Default Alt Text: D10170.id26746.diff (4 KB)

D10170.id26746.diffNo OneTemporaryActions

D10170.id26746.diffView Options

File Metadata

Event Timeline

D10170.id26746.diff
No OneTemporary
Actions

D10170.id26746.diff
View Options