39c39
< __FBSDID("$FreeBSD: head/sys/kern/kern_sysctl.c 221829 2011-05-13 05:27:58Z mdf $");
---
> __FBSDID("$FreeBSD: head/sys/kern/kern_sysctl.c 224159 2011-07-17 23:05:24Z rwatson $");
40a41
> #include "opt_capsicum.h"
46a48
> #include <sys/capability.h>
728c730,735
< static SYSCTL_NODE(_sysctl, 1, name, CTLFLAG_RD, sysctl_sysctl_name, "");
---
> /*
> * XXXRW/JA: Shouldn't return name data for nodes that we don't permit in
> * capability mode.
> */
> static SYSCTL_NODE(_sysctl, 1, name, CTLFLAG_RD | CTLFLAG_CAPRD,
> sysctl_sysctl_name, "");
809c816,821
< static SYSCTL_NODE(_sysctl, 2, next, CTLFLAG_RD, sysctl_sysctl_next, "");
---
> /*
> * XXXRW/JA: Shouldn't return next data for nodes that we don't permit in
> * capability mode.
> */
> static SYSCTL_NODE(_sysctl, 2, next, CTLFLAG_RD | CTLFLAG_CAPRD,
> sysctl_sysctl_next, "");
904a917,920
> /*
> * XXXRW/JA: Shouldn't return name2oid data for nodes that we don't permit in
> * capability mode.
> */
906,907c922,923
< CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_MPSAFE,
< 0, 0, sysctl_sysctl_name2oid, "I", "");
---
> CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_MPSAFE
> | CTLFLAG_CAPRW, 0, 0, sysctl_sysctl_name2oid, "I", "");
934c950
< static SYSCTL_NODE(_sysctl, 4, oidfmt, CTLFLAG_RD|CTLFLAG_MPSAFE,
---
> static SYSCTL_NODE(_sysctl, 4, oidfmt, CTLFLAG_RD|CTLFLAG_MPSAFE|CTLFLAG_CAPRD,
958c974,975
< static SYSCTL_NODE(_sysctl, 5, oiddescr, CTLFLAG_RD, sysctl_sysctl_oiddescr, "");
---
> static SYSCTL_NODE(_sysctl, 5, oiddescr, CTLFLAG_RD|CTLFLAG_CAPRD,
> sysctl_sysctl_oiddescr, "");
1431a1449,1461
> #ifdef CAPABILITY_MODE
> /*
> * If the process is in capability mode, then don't permit reading or
> * writing unless specifically granted for the node.
> */
> if (IN_CAPABILITY_MODE(req->td)) {
> if (req->oldptr && !(oid->oid_kind & CTLFLAG_CAPRD))
> return (EPERM);
> if (req->newptr && !(oid->oid_kind & CTLFLAG_CAPWR))
> return (EPERM);
> }
> #endif
>
< __FBSDID("$FreeBSD: head/sys/kern/kern_sysctl.c 221829 2011-05-13 05:27:58Z mdf $");
---
> __FBSDID("$FreeBSD: head/sys/kern/kern_sysctl.c 224159 2011-07-17 23:05:24Z rwatson $");
40a41
> #include "opt_capsicum.h"
46a48
> #include <sys/capability.h>
728c730,735
< static SYSCTL_NODE(_sysctl, 1, name, CTLFLAG_RD, sysctl_sysctl_name, "");
---
> /*
> * XXXRW/JA: Shouldn't return name data for nodes that we don't permit in
> * capability mode.
> */
> static SYSCTL_NODE(_sysctl, 1, name, CTLFLAG_RD | CTLFLAG_CAPRD,
> sysctl_sysctl_name, "");
809c816,821
< static SYSCTL_NODE(_sysctl, 2, next, CTLFLAG_RD, sysctl_sysctl_next, "");
---
> /*
> * XXXRW/JA: Shouldn't return next data for nodes that we don't permit in
> * capability mode.
> */
> static SYSCTL_NODE(_sysctl, 2, next, CTLFLAG_RD | CTLFLAG_CAPRD,
> sysctl_sysctl_next, "");
904a917,920
> /*
> * XXXRW/JA: Shouldn't return name2oid data for nodes that we don't permit in
> * capability mode.
> */
906,907c922,923
< CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_MPSAFE,
< 0, 0, sysctl_sysctl_name2oid, "I", "");
---
> CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_MPSAFE
> | CTLFLAG_CAPRW, 0, 0, sysctl_sysctl_name2oid, "I", "");
934c950
< static SYSCTL_NODE(_sysctl, 4, oidfmt, CTLFLAG_RD|CTLFLAG_MPSAFE,
---
> static SYSCTL_NODE(_sysctl, 4, oidfmt, CTLFLAG_RD|CTLFLAG_MPSAFE|CTLFLAG_CAPRD,
958c974,975
< static SYSCTL_NODE(_sysctl, 5, oiddescr, CTLFLAG_RD, sysctl_sysctl_oiddescr, "");
---
> static SYSCTL_NODE(_sysctl, 5, oiddescr, CTLFLAG_RD|CTLFLAG_CAPRD,
> sysctl_sysctl_oiddescr, "");
1431a1449,1461
> #ifdef CAPABILITY_MODE
> /*
> * If the process is in capability mode, then don't permit reading or
> * writing unless specifically granted for the node.
> */
> if (IN_CAPABILITY_MODE(req->td)) {
> if (req->oldptr && !(oid->oid_kind & CTLFLAG_CAPRD))
> return (EPERM);
> if (req->newptr && !(oid->oid_kind & CTLFLAG_CAPWR))
> return (EPERM);
> }
> #endif
>