Re: [capsicum] fstatat() in capabilities mode



Yes, fstatat() is only enabled in Perforce, not the (stabler) capabilities8, but nothing uses it outside of the capsicum-core tree. The fact that fstatat() didn't return -1 is interesting, though.


Jon

On 29 May 2010, at 17:34 h, Mark Seaborn wrote:

> I've got the kernel from the capabilities8 SVN branch built and
> running.  I tried running the tests in capsicum-core/tests/___at.
> They produced a bunch of errors about fstatat() when used in
> capabilities mode (although it doesn't return a non-zero exit code,
> BTW).  It looks like the problem is that fstatat isn't listed in
> sys/kern/capabilities.conf.  The patch below fixed the errors.  I'm
> guessing that the FreeBSD 8 backport branch might be out-of-date in
> this respect?
> 
> Cheers,
> Mark
> 
> diff --git a/sys/kern/capabilities.conf b/sys/kern/capabilities.conf
> index 06f8f8b..7c7733b 100644
> --- a/sys/kern/capabilities.conf
> +++ b/sys/kern/capabilities.conf
> @@ -465,6 +465,7 @@ mkfifoat
> mknodat
> openat
> renameat
> +fstatat
> 
> ##
> ## Allow entry into open(2). This system call will fail, since access
> to the global
> 
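Review bot: the `+fstatat` line after `renameat` enables another system call in capability mode, but the patch touches only sys/kern/capabilities.conf, so nothing in it shows that this branch's fstatat() is safe to call there. Please confirm that against the capabilities8 kernel sources before the entry goes in, and say so in the commit message. Two smaller points: the entries visible in this hunk (`mkfifoat`, `mknodat`, `openat`, `renameat`) are in alphabetical order, so `fstatat` belongs earlier in that group rather than at its end; and as shown here the context lines have lost their leading space and the comment line ending "to the global" has been wrapped, so the patch will probably not apply as mailed and is better resent as an attachment.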

--
Jonathan Anderson

Research Student, Security Group
Computer Laboratory
University of Cambridge

+44 (01223) 763747
jonathan.anderson at cl.cam.ac.uk




