[GSOC] capsicum week 3 report
joris at giovannangeli.fr
Mon Jul 8 05:17:53 PDT 2013
This week I've been working on capability mode, and stabilizing the
capability checks I introduced in the file descriptor code. I've been
stuck for one day on a panic on an assertion which was due to a misspelling
of an #ifdef (sigh... Thanks swildner for catching this), but my
vkernel survives a buildworld for both the file descriptor code and the
proc descriptor code.

The file descriptor code can now check the capability needed to get a
file pointer (holdfp function) and the various calls to holdfp in
kern_descrip.c have been converted to the new API.

For the capability mode, I've implemented the following syscalls:
- cap_enter: enter capability mode for the calling process. The
capability mode is a flag in the process credential. Btw, the
credentials (in kern_prot.c) of a process are still protected by the
proc_token instead of the p_token of the process.
- cap_getmode: returns the current mode for the calling process
(capability mode or ambient authority)
- cap_rights_limit: limit the capabilities for a file descriptor. I
still have to understand how capabilities play with shared file
- cap_rights_get: retrieve the rights bitmask of a file descriptor.
- cap_ioctls_limit/cap_ioctls_get: limit the list of ioctls allowed
for a given file descriptor.

For this set of syscalls, I've been able to reuse the FreeBSD code. But
I've modified the locking model, and I've made the ioctls list a
standalone structure which is shared and copy on write for the
descriptors instead of having a malloc for each descriptor. I use a
hold/drop reference count which frees the structure after the 1 -> 0
transition. This had been discussed with Alex, and is necessary because
DragonFly uses hard locks (spin lock) to protect the file descriptor
table, and we cannot malloc easily in various paths (fork, dup, etc).
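As an added illustration (not the report's or DragonFly's code), here is a hypothetical userspace model in C of the shared, copy-on-write ioctl list with hold/drop reference counting described above; the struct and function names are assumptions, and the rule that a new list may only narrow the allowed set is assumed from FreeBSD's cap_ioctls_limit semantics.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical userspace model of the shared, copy-on-write ioctl allow-list
 * from the report. A NULL list means "all ioctls allowed" (assumption). */
struct ioctls_list {
    int refs;               /* hold/drop count; freed on the 1 -> 0 transition */
    size_t n;
    unsigned long cmds[];   /* ioctl commands this descriptor may still issue */
};
struct fd_entry { struct ioctls_list *ioctls; };   /* one descriptor's state */

static struct ioctls_list *ioctls_alloc(const unsigned long *cmds, size_t n)
{
    struct ioctls_list *l = malloc(sizeof(*l) + n * sizeof(cmds[0]));
    if (l == NULL) return NULL;
    l->refs = 1; l->n = n;
    memcpy(l->cmds, cmds, n * sizeof(cmds[0]));
    return l;
}

static void ioctls_hold(struct ioctls_list *l) { if (l) l->refs++; }
static void ioctls_drop(struct ioctls_list *l) { if (l && --l->refs == 0) free(l); }

/* dup()/fork(): the new descriptor shares the list instead of copying it,
 * so nothing has to be allocated while the table spinlock is held. */
static void fd_dup(struct fd_entry *dst, const struct fd_entry *src)
{
    ioctls_hold(src->ioctls);
    dst->ioctls = src->ioctls;
}

static bool ioctls_allowed(const struct ioctls_list *l, unsigned long cmd)
{
    if (l == NULL) return true;
    for (size_t i = 0; i < l->n; i++) if (l->cmds[i] == cmd) return true;
    return false;
}

/* cap_ioctls_limit(): the allowed set may only shrink (assumed subset rule).
 * Sharers keep the old list; this descriptor gets a fresh copy (copy on write).
 * Returns -1 if the new list would allow a command the current one forbids. */
static int fd_ioctls_limit(struct fd_entry *fd, const unsigned long *cmds, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!ioctls_allowed(fd->ioctls, cmds[i])) return -1;
    struct ioctls_list *nl = ioctls_alloc(cmds, n);
    if (nl == NULL) return -1;
    ioctls_drop(fd->ioctls);    /* the old list lives on if another fd holds it */
    fd->ioctls = nl;
    return 0;
}
```

Limiting one of two descriptors that share a list leaves the other descriptor's allowed set untouched, and the shared list is only freed when its last holder drops it.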

This code is not yet tested, and I plan to stabilize it in the coming
week. Next week, I'll have to finish hooking the capability check in
various places of the kernel which call holdfp, and set up the syscall
list allowed in capability mode. The week after that is a testing week
in my schedule, but I plan to work on unit tests before, during the
following week and maybe finish the hooking of capability check after.

Thanks for reading,