History log of /freebsd/share/man/man4/rights.4 (Results 1 – 25 of 41)
# b165e9e3 29-Nov-2024 Edward Tomasz Napierala <trasz@FreeBSD.org>

Add fchroot(2)

This is similar to chroot(2), but takes a file descriptor instead
of path. Same syscall exists in NetBSD and Solaris. It is part of a larger
patch to make absolute pathnames usable in Capsicum mode, but should
be useful in other contexts too.

Reviewed By: brooks
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D41564



Revision tags: release/14.2.0, release/13.4.0, release/14.1.0
# d2893828 29-Apr-2024 CismonX <admin@cismon.net>

rights.4: various corrections on capability rights

- A file descriptor obtained from accept(2), accept4(2) and openat(2)
is not always assigned all capability rights. Instead, it inherits
capability rights from the "parent" socket/dir file descriptor.
- getdents(2) and getdirentries(2) require CAP_READ.
- openat(2) with O_WRONLY|O_TRUNC does not require CAP_SEEK.

Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1207



# 537bdafb 22-Mar-2024 Ed Maste <emaste@FreeBSD.org>

rights.4: add note about rights not being simple bitmasks

PR: 277057
Reviewed by: oshogbo, asomers
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44473


Revision tags: release/13.3.0
# 2c5ff911 15-Feb-2024 Ed Maste <emaste@FreeBSD.org>

rights.4: Remove sentence implying that rights are a mask

Capability rights passed to cap_rights_* are (now) not simple bitmasks
and cannot be ORed together in general (although it will work for
certain subsets of rights).

Remove sentence that implied rights are masks. We already have the
sentence "The complete list of capability rights is provided below" so
listing the rights without an introductory sentence seems fine.

PR: 277057



Revision tags: release/14.0.0
# fa9896e0 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/


Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0, release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0, release/11.3.0
# 2aaf9152 18-Mar-2019 Alan Somers <asomers@FreeBSD.org>

MFHead@r345275


# b18a4cca 05-Mar-2019 Enji Cooper <ngie@FreeBSD.org>

MFhead@r344786


# 844fc3e9 04-Mar-2019 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r344549 through r344775.


# 1ece6232 28-Feb-2019 Enji Cooper <ngie@FreeBSD.org>

Remove references to pdwait4(2) and `CAP_PDWAIT` from rights(4)

@cem removed references to pdwait4(2) (a nonexistent syscall) in
r320058.

This change removes references to pdwait4(2) and `CAP_PDWAIT` in
rights(4) to not mislead the user into thinking that pdwait4(2)/`CAP_PDWAIT` is
actually implemented in the stock FreeBSD kernel.

The goal of this functionality was to simplify monitoring/manipulating
processes started with `pdfork`, et al, and avoid races with waiting on pids.
The syscall was never completed though--just discussed on the capsicum mailing
list back in 2015:
https://lists.cam.ac.uk/pipermail/cl-capsicum-discuss/2015-May/msg00012.html
. That being said, there are members of the project (@rwatson, etc) who
have longterm goals to implement this syscall to better secure pdfork(2)
calls.

PR: 235871
Reviewed by: emaste
Discussed with: rwatson
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D18950



Revision tags: release/12.0.0, release/11.2.0
# 2216c693 30-Apr-2018 Ed Maste <emaste@FreeBSD.org>

Disable connectat/bindat with AT_FDCWD in capmode

Previously it was possible to connect a socket (which had the
CAP_CONNECT right) by calling "connectat(AT_FDCWD, ...)" even in
capabilities mode. This combination should be treated the same as a call
to connect (i.e. forbidden in capabilities mode). Similarly for bindat.

Disable connectat/bindat with AT_FDCWD in capabilities mode, fix up the
documentation and add tests.

PR: 222632
Submitted by: Jan Kokemüller <jan.kokemueller@gmail.com>
Reviewed by: Domagoj Stolfa
MFC after: 1 week
Relnotes: Yes
Differential Revision: https://reviews.freebsd.org/D15221



Revision tags: release/10.4.0, release/11.1.0
# 556a0cb0 27-Mar-2017 Mark Johnston <markj@FreeBSD.org>

Typo.

MFC after: 1 week


Revision tags: release/11.0.1, release/11.0.0
# ed04e0c3 25-Aug-2016 Enji Cooper <ngie@FreeBSD.org>

MFhead @ r304815


# 65e1b138 20-Aug-2016 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r304236 through r304536.


# 8de7cb10 17-Aug-2016 Jilles Tjoelker <jilles@FreeBSD.org>

rights(4): CAP_FSYNC also permits fdatasync(2).


Revision tags: release/10.3.0
# 11d38a57 28-Oct-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Merge from head

Sponsored by: Gandi.net


# becbad1f 13-Oct-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Merge from head


# f94594b3 12-Sep-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Finish merging from head, messed up in previous attempt


# 00176600 09-Sep-2015 Navdeep Parhar <np@FreeBSD.org>

Merge r286744-r287584 from head.


# d9442b10 05-Sep-2015 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r286858 through r287489.


# bc1ace0b 27-Aug-2015 Ed Schouten <ed@FreeBSD.org>

Decompose linkat()/renameat() rights to source and target.

To make it easier to understand how Capsicum interacts with linkat() and
renameat(), rename the rights to CAP_{LINK,RENAME}AT_{SOURCE,TARGET}.

This also addresses a shortcoming in Capsicum, where it isn't possible
to disable linking to files stored in a directory. Creating hardlinks
essentially makes it possible to access files with additional rights.

Reviewed by: rwatson, wblock
Differential Revision: https://reviews.freebsd.org/D3411



Revision tags: release/10.2.0
# 98e0ffae 27-May-2015 Simon J. Gerraty <sjg@FreeBSD.org>

Merge sync of head


# 9f3d45b6 08-Feb-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Merge from HEAD


# 47712954 26-Jan-2015 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r277327 through r277718.


# bfd71a93 24-Jan-2015 Enji Cooper <ngie@FreeBSD.org>

MFhead @ r277659


# 2205e0d1 23-Jan-2015 Jilles Tjoelker <jilles@FreeBSD.org>

Add futimens and utimensat system calls.

The core kernel part is patch file utimes.2008.4.diff from
pluknet@FreeBSD.org. I updated the code for API changes, added the manual
page and added compatibility code for old kernels. There is also audit and
Capsicum support.

A new UTIME_* constant might allow setting birthtimes in future.

Differential Revision: https://reviews.freebsd.org/D1426
Submitted by: pluknet (partially)
Reviewed by: delphij, pluknet, rwatson
Relnotes: yes


