
Commit d289382

CismonX authored and bsdimp committed
rights.4: various corrections on capability rights

- A file descriptor obtained from accept(2), accept4(2) and openat(2) is not always assigned all capability rights. Instead, it inherits capability rights from the "parent" socket/dir file descriptor.
- getdents(2) and getdirentries(2) require CAP_READ.
- openat(2) with O_WRONLY|O_TRUNC does not require CAP_SEEK.

Reviewed by: imp
Pull Request: freebsd/freebsd-src#1207
1 parent 78444b5 commit d289382

2 files changed: +22 -11 lines changed

2 files changed

+22
-11
lines changed

lib/libsys/cap_rights_limit.2

Lines changed: 7 additions & 5 deletions
@@ -30,7 +30,7 @@
3030
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3131
.\" SUCH DAMAGE.
3232
.\"
33-
.Dd March 9, 2023
33+
.Dd April 27, 2024
3434
.Dt CAP_RIGHTS_LIMIT 2
3535
.Os
3636
.Sh NAME
@@ -44,20 +44,22 @@
4444
.Fn cap_rights_limit "int fd" "const cap_rights_t *rights"
4545
.Sh DESCRIPTION
4646
When a file descriptor is created by a function such as
47-
.Xr accept 2 ,
48-
.Xr accept4 2 ,
4947
.Xr fhopen 2 ,
5048
.Xr kqueue 2 ,
5149
.Xr mq_open 2 ,
5250
.Xr open 2 ,
53-
.Xr openat 2 ,
5451
.Xr pdfork 2 ,
5552
.Xr pipe 2 ,
5653
.Xr shm_open 2 ,
5754
.Xr socket 2
5855
or
5956
.Xr socketpair 2 ,
60-
it is assigned all capability rights.
57+
it is assigned all capability rights; for
58+
.Xr accept 2 ,
59+
.Xr accept4 2
60+
or
61+
.Xr openat 2 ,
62+
it inherits capability rights from the "parent" file descriptor.
6163
Those rights can be reduced (but never expanded) by using the
6264
.Fn cap_rights_limit
6365
system call.
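Review bot: mdoc style point on the last added line of this hunk, `it inherits capability rights from the "parent" file descriptor.`: the quotation marks should come from the `.Dq` macro rather than typed ASCII double quotes, so the rendered page gets the same typographic quotes as the rest of the manual, e.g. split it as `it inherits capability rights from the` / `.Dq parent` / `file descriptor.` The rest of the hunk (moving accept(2), accept4(2) and openat(2) out of the "all rights" list) matches the commit message.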

share/man/man4/rights.4

Lines changed: 15 additions & 6 deletions
@@ -30,28 +30,30 @@
3030
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3131
.\" SUCH DAMAGE.
3232
.\"
33-
.Dd March 22, 2024
33+
.Dd April 27, 2024
3434
.Dt RIGHTS 4
3535
.Os
3636
.Sh NAME
3737
.Nm Capability rights
3838
.Nd Capsicum capability rights for file descriptors
3939
.Sh DESCRIPTION
4040
When a file descriptor is created by a function such as
41-
.Xr accept 2 ,
42-
.Xr accept4 2 ,
4341
.Xr fhopen 2 ,
4442
.Xr kqueue 2 ,
4543
.Xr mq_open 2 ,
4644
.Xr open 2 ,
47-
.Xr openat 2 ,
4845
.Xr pdfork 2 ,
4946
.Xr pipe 2 ,
5047
.Xr shm_open 2 ,
5148
.Xr socket 2
5249
or
5350
.Xr socketpair 2 ,
54-
it is assigned all capability rights.
51+
it is assigned all capability rights; for
52+
.Xr accept 2 ,
53+
.Xr accept4 2
54+
or
55+
.Xr openat 2 ,
56+
it inherits capability rights from the "parent" file descriptor.
5557
Those rights can be reduced (but never expanded) by using the
5658
.Xr cap_rights_limit 2 ,
5759
.Xr cap_fcntls_limit 2 and
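Review bot: the added sentence says the new descriptor "inherits capability rights from the "parent" file descriptor" but never says which descriptor that is, and rights(4) is the page a reader consults for exactly this. The commit message is explicit ("the "parent" socket/dir file descriptor"), so spell it out here, e.g. `the listening socket passed to` / `.Xr accept 2` / `or` / `.Xr accept4 2 ,` / `or the directory descriptor passed to` / `.Xr openat 2 .` While touching the line, use `.Dq parent` instead of literal quotes. The `.Dd` bump to April 27, 2024 matches the one in cap_rights_limit.2.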
@@ -501,7 +503,10 @@ with the
501503
is also required),
502504
.Xr preadv 2
503505
.Dv ( CAP_SEEK
504-
is also required) and related system calls.
506+
is also required),
507+
.Xr getdents 2 ,
508+
.Xr getdirentries 2 ,
509+
and related system calls.
505510
.It Dv CAP_RECV
506511
An alias to
507512
.Dv CAP_READ .
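Review bot: the new list items leave open whether getdents(2) and getdirentries(2) also need CAP_SEEK, because every preceding entry in this sentence carries a "(CAP_SEEK is also required)" parenthetical and the new ones carry none; since the commit message states they require only CAP_READ, say so explicitly, e.g. `.Xr getdirentries 2` / `(for which` / `.Dv CAP_SEEK` / `is not required),`. Also note the added `and related system calls.` now follows a serial comma whereas the removed line `is also required) and related system calls.` had none; keep the punctuation consistent with the rest of the entry.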
@@ -611,6 +616,8 @@ with the
611616
.Dv O_WRONLY
612617
flag, but without the
613618
.Dv O_APPEND
619+
or
620+
.Dv O_TRUNC
614621
flag,
615622
.Dv CAP_SEEK
616623
is also required.
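Review bot: scope mismatch between the commit message and this hunk: the message limits the O_TRUNC exception to openat(2), but the paragraph edited here is worded as a general rule ("with the O_WRONLY flag, but without the O_APPEND or O_TRUNC flag, CAP_SEEK is also required") and the context lines do not show which system calls it covers, so as written it applies to open(2) as well. Confirm the kernel applies the same CAP_SEEK check to both entry points, and either state that in the commit message or narrow the text to openat(2).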
@@ -657,6 +664,8 @@ is also required.
657664
.Xr fsync 2 ,
658665
.Xr ftruncate 2 ,
659666
.Xr futimes 2 ,
667+
.Xr getdents 2 ,
668+
.Xr getdirentries 2 ,
660669
.Xr getpeername 2 ,
661670
.Xr getsockname 2 ,
662671
.Xr getsockopt 2 ,
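Review bot: ordering check passes: the two added `.Xr` entries sort between futimes(2) and getpeername(2) as this alphabetical list requires, and the names match the pair added under CAP_READ earlier in the same file. No further change needed in this hunk.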
