From 68fc8f3934ba314cc13c87f56df97315edfe479e Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Mon, 22 May 2017 11:43:19 +0000 Subject: [PATCH] disallow open(2) in capability mode Previously open(2) was allowed in capability mode, with a comment that suggested this was likely the case to facilitate debugging. The system call would still fail later on, but it's better to disallow the syscall altogether. We now have the kern.trap_enotcap sysctl or PROC_TRAPCAP_CTL proccontrol to aid in debugging. In any case libc has translated open() to the openat syscall since r277032. Reviewed by: kib, rwatson Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D10850 --- sys/compat/freebsd32/capabilities.conf | 1 - sys/kern/capabilities.conf | 8 -------- 2 files changed, 9 deletions(-) diff --git a/sys/compat/freebsd32/capabilities.conf b/sys/compat/freebsd32/capabilities.conf index e14ff2db637..6d815f1ab52 100644 --- a/sys/compat/freebsd32/capabilities.conf +++ b/sys/compat/freebsd32/capabilities.conf @@ -188,7 +188,6 @@ renameat symlinkat unlinkat freebsd32_utimensat -open pdfork pdgetpid pdkill diff --git a/sys/kern/capabilities.conf b/sys/kern/capabilities.conf index 97fb88144b8..1c8ca0811d8 100644 --- a/sys/kern/capabilities.conf +++ b/sys/kern/capabilities.conf @@ -459,14 +459,6 @@ symlinkat unlinkat utimensat -## -## Allow entry into open(2). This system call will fail, since access to the -## global file namespace has been disallowed, but allowing entry into the -## syscall means that an audit trail will be generated (which is also very -## useful for debugging). -## -open - ## ## Process descriptor-related system calls are allowed. ##
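Review bot: In the sys/compat/freebsd32/capabilities.conf hunk (the `-open` line between `freebsd32_utimensat` and `pdfork`), the shown context does not include `openat`, so please confirm that `openat` is still present in the freebsd32 list after this change; the commit message relies on libc having translated open() to the openat syscall since r277032, and if the compat list lost `openat` as well, 32-bit capability-mode programs would have no way to open files relative to a directory descriptor. It is also worth stating in the commit message whether the 32-bit libc carries the same open() to openat translation, since r277032 is cited for libc without qualification.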
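Review bot: The sys/kern/capabilities.conf hunk deletes the comment block explaining why `open` was listed ("allowing entry into the syscall means that an audit trail will be generated"), but neither the hunk nor the commit message says what happens to that audit trail now that the call is rejected at entry. Suggest either keeping a short note in place of the removed block, or expanding the commit message, along the lines of "open(2) is now rejected in capability mode before entering the syscall; use kern.trap_enotcap or PROC_TRAPCAP_CTL to locate callers", so a reader of the file does not have to find this commit to learn where the debugging aid went. As with the compat file, the context lines (`symlinkat`, `unlinkat`, `utimensat`) do not show `openat`; please confirm it remains in the list, since the change is only safe if the openat path stays permitted.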