1 files changed, 20 insertions, 0 deletions

diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
index 9e83f568889e..c279264ea244 100644
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sched.h>
 #include <sys/smp.h>
 #include <sys/syscallsubr.h>
+#include <sys/capsicum.h>
 #include <sys/cpuset.h>
 #include <sys/sx.h>
 #include <sys/queue.h>
@@ -522,6 +523,7 @@ cpuset_setproc(pid_t pid, struct cpuset *set, cpuset_t *mask)
 	int threads;
 	int nfree;
 	int error;
+
 	/*
 	 * The algorithm requires two passes due to locking considerations.
 	 * 
@@ -1096,6 +1098,15 @@ kern_cpuset_getaffinity(struct thread *td, cpulevel_t level, cpuwhich_t which,
 
 	if (cpusetsize < sizeof(cpuset_t) || cpusetsize > CPU_MAXSIZE / NBBY)
 		return (ERANGE);
+	/* In Capability mode, you can only get your own CPU set. */
+	if (IN_CAPABILITY_MODE(td)) {
+	    if (level != CPU_LEVEL_WHICH)
+		return (ECAPMODE);
+	    if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
+		return (ECAPMODE);
+	    if (id != -1)
+		return (ECAPMODE);
+	}
 	size = cpusetsize;
 	mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
 	error = cpuset_which(which, id, &p, &ttd, &set);
@@ -1204,6 +1215,15 @@ kern_cpuset_setaffinity(struct thread *td, cpulevel_t level, cpuwhich_t which,
 
 	if (cpusetsize < sizeof(cpuset_t) || cpusetsize > CPU_MAXSIZE / NBBY)
 		return (ERANGE);
+	/* In Capability mode, you can only set your own CPU set. */
+	if (IN_CAPABILITY_MODE(td)) {
+	    if (level != CPU_LEVEL_WHICH)
+		return (ECAPMODE);
+	    if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
+		return (ECAPMODE);
+	    if (id != -1)
+		return (ECAPMODE);
+	}
 	mask = malloc(cpusetsize, M_TEMP, M_WAITOK | M_ZERO);
 	error = copyin(maskp, mask, cpusetsize);
 	if (error)