
D40678.diff

D40678.diff

diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c
--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@@ -187,35 +187,33 @@
* explicitly indicate whether or not the operation is safe to
* perform in capability mode.
*/
- if (IN_CAPABILITY_MODE(td)) {
- switch (uap->op) {
- case I386_GET_LDT:
- case I386_SET_LDT:
- case I386_GET_IOPERM:
- case I386_GET_FSBASE:
- case I386_SET_FSBASE:
- case I386_GET_GSBASE:
- case I386_SET_GSBASE:
- case I386_GET_XFPUSTATE:
- case I386_SET_PKRU:
- case I386_CLEAR_PKRU:
- case AMD64_GET_FSBASE:
- case AMD64_SET_FSBASE:
- case AMD64_GET_GSBASE:
- case AMD64_SET_GSBASE:
- case AMD64_GET_XFPUSTATE:
- case AMD64_SET_PKRU:
- case AMD64_CLEAR_PKRU:
- break;
+ switch (uap->op) {
+ case I386_GET_LDT:
+ case I386_SET_LDT:
+ case I386_GET_IOPERM:
+ case I386_GET_FSBASE:
+ case I386_SET_FSBASE:
+ case I386_GET_GSBASE:
+ case I386_SET_GSBASE:
+ case I386_GET_XFPUSTATE:
+ case I386_SET_PKRU:
+ case I386_CLEAR_PKRU:
+ case AMD64_GET_FSBASE:
+ case AMD64_SET_FSBASE:
+ case AMD64_GET_GSBASE:
+ case AMD64_SET_GSBASE:
+ case AMD64_GET_XFPUSTATE:
+ case AMD64_SET_PKRU:
+ case AMD64_CLEAR_PKRU:
+ break;
- case I386_SET_IOPERM:
- default:
-#ifdef KTRACE
- if (KTRPOINT(td, KTR_CAPFAIL))
- ktrcapfail(CAPFAIL_SYSCALL, NULL, NULL);
-#endif
+ case I386_SET_IOPERM:
+ default:
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SYSCALL, &uap->op);
+ if (IN_CAPABILITY_MODE(td))
return (ECAPMODE);
- }
+ break;
}
#endif
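Review bot: The block comment above the switch still describes only the capability-mode check, but the switch is now evaluated for every call and the `default:` arm logs through ktrcapfail() even when the thread is not in capability mode. I would extend the comment with something like `Ops not listed here are denied in capability mode; with CAP_TRACING they are also recorded for threads that are not sandboxed.` so a reader does not assume the `default:` arm is reachable only from a sandbox. The same applies to the i386 and arm sys_machdep.c hunks. The removed `#ifdef KTRACE` guard also means CAP_TRACING() and ktrcapfail() have to resolve in kernels built without KTRACE; their definitions are not in this diff, so that is worth a build check.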
diff --git a/sys/arm/arm/sys_machdep.c b/sys/arm/arm/sys_machdep.c
--- a/sys/arm/arm/sys_machdep.c
+++ b/sys/arm/arm/sys_machdep.c
@@ -175,22 +175,19 @@
* explicitly indicate whether or not the operation is safe to
* perform in capability mode.
*/
- if (IN_CAPABILITY_MODE(td)) {
- switch (uap->op) {
- case ARM_SYNC_ICACHE:
- case ARM_DRAIN_WRITEBUF:
- case ARM_SET_TP:
- case ARM_GET_TP:
- case ARM_GET_VFPSTATE:
- break;
-
- default:
-#ifdef KTRACE
- if (KTRPOINT(td, KTR_CAPFAIL))
- ktrcapfail(CAPFAIL_SYSCALL, NULL, NULL);
-#endif
+ switch (uap->op) {
+ case ARM_SYNC_ICACHE:
+ case ARM_DRAIN_WRITEBUF:
+ case ARM_SET_TP:
+ case ARM_GET_TP:
+ case ARM_GET_VFPSTATE:
+ break;
+
+ default:
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SYSCALL, &uap->op);
+ if (IN_CAPABILITY_MODE(td))
return (ECAPMODE);
- }
}
#endif
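Review bot: The `default:` arm here ends on the `if (IN_CAPABILITY_MODE(td)) return (ECAPMODE);` statement with no `break;` after it, while the amd64 and i386 versions of this switch add one. Falling out of the last arm is harmless today, but a case appended later would be fallen into whenever the thread is not in capability mode. Adding `break;` after the `if` keeps the three files parallel.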
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -152,26 +152,24 @@
* explicitly indicate whether or not the operation is safe to
* perform in capability mode.
*/
- if (IN_CAPABILITY_MODE(td)) {
- switch (uap->op) {
- case I386_GET_LDT:
- case I386_SET_LDT:
- case I386_GET_IOPERM:
- case I386_GET_FSBASE:
- case I386_SET_FSBASE:
- case I386_GET_GSBASE:
- case I386_SET_GSBASE:
- case I386_GET_XFPUSTATE:
- break;
+ switch (uap->op) {
+ case I386_GET_LDT:
+ case I386_SET_LDT:
+ case I386_GET_IOPERM:
+ case I386_GET_FSBASE:
+ case I386_SET_FSBASE:
+ case I386_GET_GSBASE:
+ case I386_SET_GSBASE:
+ case I386_GET_XFPUSTATE:
+ break;
- case I386_SET_IOPERM:
- default:
-#ifdef KTRACE
- if (KTRPOINT(td, KTR_CAPFAIL))
- ktrcapfail(CAPFAIL_SYSCALL, NULL, NULL);
-#endif
+ case I386_SET_IOPERM:
+ default:
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SYSCALL, &uap->op);
+ if (IN_CAPABILITY_MODE(td))
return (ECAPMODE);
- }
+ break;
}
#endif
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -875,6 +875,8 @@
case F_KINFO:
#ifdef CAPABILITY_MODE
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SYSCALL, &cmd);
if (IN_CAPABILITY_MODE(td)) {
error = ECAPMODE;
break;
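Review bot: The second argument to ktrcapfail() means something different at each CAPFAIL_SYSCALL call site: `&cmd` here, `&uap->op` in the sysarch hunks, and `NULL` in the kern_sig.c and subr_syscall.c hunks. ktrcapfail() is not defined in this diff, so how a trace reader tells an fcntl command from a sysarch op is not visible; presumably the syscall number recorded alongside disambiguates it. A one-line comment on the call, e.g. `/* record the fcntl command that capability mode does not permit */`, would state the contract. The F_KINFO case continues past the end of the hunk.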
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -2677,10 +2677,16 @@
&td->td_proc->p_cowgen)))
thread_cow_update(td);
+ td->td_sa = tsr->ts_sa;
+
#ifdef CAPABILITY_MODE
- if (IN_CAPABILITY_MODE(td) && (se->sy_flags & SYF_CAPENABLED) == 0) {
- tsr->ts_ret.sr_error = ECAPMODE;
- return;
+ if ((se->sy_flags & SYF_CAPENABLED) == 0) {
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SYSCALL, NULL);
+ if (IN_CAPABILITY_MODE(td)) {
+ tsr->ts_ret.sr_error = ECAPMODE;
+ return;
+ }
}
#endif
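Review bot: `td->td_sa = tsr->ts_sa;` is added without a comment and overwrites the thread's saved syscall arguments before the capability check, including on the early `return` with ECAPMODE. It looks like it is there so that `ktrcapfail(CAPFAIL_SYSCALL, NULL)` can pick up the requested syscall from `td_sa`, but that is inferred; a comment such as `/* ktrcapfail() reports the syscall from td_sa */` would make the dependency explicit. The function starts and ends outside the hunk, so whether the previous `td_sa` is saved and restored is not visible here; if it is not, code that later reads `td_sa` would see this request's values instead.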
diff --git a/sys/kern/subr_syscall.c b/sys/kern/subr_syscall.c
--- a/sys/kern/subr_syscall.c
+++ b/sys/kern/subr_syscall.c
@@ -118,10 +118,13 @@
* In capability mode, we only allow access to system calls
* flagged with SYF_CAPENABLED.
*/
- if (__predict_false(IN_CAPABILITY_MODE(td) &&
- (se->sy_flags & SYF_CAPENABLED) == 0)) {
- td->td_errno = error = ECAPMODE;
- goto retval;
+ if ((se->sy_flags & SYF_CAPENABLED) == 0) {
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SYSCALL, NULL);
+ if (IN_CAPABILITY_MODE(td)) {
+ td->td_errno = error = ECAPMODE;
+ goto retval;
+ }
}
#endif
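Review bot: The `__predict_false()` hint on the capability check is dropped on the syscall entry path, and the new outer test `(se->sy_flags & SYF_CAPENABLED) == 0` is not a rare condition for threads outside capability mode. The enforcement result is unchanged (ECAPMODE only when the thread is in capability mode and the syscall lacks SYF_CAPENABLED), but the two inner tests are the unlikely ones and could keep the hint: `if (__predict_false(CAP_TRACING(td)))` and `if (__predict_false(IN_CAPABILITY_MODE(td))) {`. The enclosing function starts and ends outside the hunk.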
