sys/kern/sys_capability.c

32  * FreeBSD kernel capability facility.
34  * Two kernel features are implemented here: capability mode, a sandboxed mode
38  * historic "capability system" in which they can use only resources
40  * to global namespaces in capability mode.
43  * rights mask set when the capability is created.  New capabilities may be
45  * strict subset of the rights on the original capability.
47  * System calls permitted in capability mode are defined in capabilities.conf;
50  * capability mode -- for example, shm_open(2) is limited to creating
60 #include <sys/capability.h>
82  * System call to enter capability mode for the process.
106  * System call to query whether the process is in capability mode.
140  * struct capability describes a capability, and is hung off of its struct
145 struct capability {
153  * called except for fo_close, as the capability will normally not be
201 	capability_zone = uma_zcreate("capability", sizeof(struct capability),
209  * Test whether a capability grants the requested rights.
212 cap_check(struct capability *c, cap_rights_t rights)
221  * Extract rights from a capability for monitoring purposes -- not for use in
222  * any other way, as we want to keep all capability permission evaluation in
228 	struct capability *c;
231 	    ("cap_rights: !capability"));
238  * System call to create a new capability reference to either an existing
239  * file object or an an existing capability.
267  * System call to query the rights mask associated with a capability.
272 	struct capability *cp;
287  * Create a capability to wrap around an existing file.
293 	struct capability *cp, *cp_old;
301 	 * If a new capability is being derived from an existing capability,
302 	 * then the new capability rights must be a subset of the existing
312 	 * Allocate a new file descriptor to hang the capability off of.
320 	 * existing capability references.  There's nothing else interesting
323 	 * deal with capability chains.
326 		fp_object = ((struct capability *)fp->f_data)->cap_object;
349  * Given a file descriptor, test it against a capability rights mask and then
359 	struct capability *c;
376  * capability and check CAP_MMAP, but also return a bitmask representing the
377  * maximum mapping rights the capability allows on the object.
383 	struct capability *c;
409  * When a capability is closed, simply drop the reference on the underlying
410  * object and free the capability.  fdrop() will handle the case where the
417 	struct capability *c;
421 	    ("capability_close: !capability"));
433  * capability, only the underlying file descriptor operation vector, so panic
532 	    ("cap_funwrap: saw capability"));
544 	    ("cap_funwrap_mmap: saw capability"));