From: Edward Tomasz Napierala
To: Perforce Change Reviews
Date: Wed, 2 Feb 2011 18:59:13 GMT
Message-Id: <201102021859.p12IxDhI007746@skunkworks.freebsd.org>
Subject: PERFORCE change 188463 for review

http://p4web.freebsd.org/@@188463?ac=10

Change 188463 by trasz@trasz_victim on 2011/02/02 18:58:19

	Properly guard RCTL syscalls with privileges.

Affected files ...

.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#27 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#14 edit

Differences ...

==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#27 (text+ko) ====
@@ -1213,6 +1213,10 @@ struct loginclass *lc; struct prison *pr; + error = priv_check(td, PRIV_RCTL_GET_USAGE); + if (error != 0) + return (error); + error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen); if (error != 0) return (error); @@ -1304,6 +1308,10 @@ struct rctl_rule_link *link; struct proc *p; + error = priv_check(td, PRIV_RCTL_GET_RULES); + if (error != 0) + return (error); + error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen); if (error != 0) return (error); @@ -1373,6 +1381,10 @@ struct rctl_rule *filter; struct rctl_rule_link *link; + error = priv_check(td, PRIV_RCTL_GET_LIMITS); + if (error != 0) + return (error); + error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen); if (error != 0) return (error); @@ -1439,7 +1451,7 @@ struct rctl_rule *rule; char *inputstr; - error = priv_check(td, PRIV_RCTL_SET); + error = priv_check(td, PRIV_RCTL_ADD_RULE); if (error != 0) return (error); @@ -1481,7 +1493,7 @@ struct rctl_rule *filter; char *inputstr; - error = priv_check(td, PRIV_RCTL_SET); + error = priv_check(td, PRIV_RCTL_REMOVE_RULE); if (error != 0) return (error); ==== //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#14 (text+ko) ==== @@ -486,13 +486,16 @@ /* * Resource Limits privileges. */ -#define PRIV_RCTL_SET 670 -#define PRIV_RCTL_GET 671 +#define PRIV_RCTL_GET_RULES 670 +#define PRIV_RCTL_ADD_RULE 671 +#define PRIV_RCTL_REMOVE_RULE 672 +#define PRIV_RCTL_GET_USAGE 673 +#define PRIV_RCTL_GET_LIMITS 674 /* * Track end of privilege list. */ -#define _PRIV_HIGHEST 672 +#define _PRIV_HIGHEST 674 /* * Validate that a named privilege is known by the privilege system. Invalid
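Review bot: in the kern_rctl.c hunks at -1213, -1304 and -1373, the new priv_check() calls sit ahead of rctl_read_inbuf(), so they are applied before the subject of the query is known and cover every caller alike. A thread lacking PRIV_RCTL_GET_USAGE, PRIV_RCTL_GET_RULES or PRIV_RCTL_GET_LIMITS is therefore refused even when it asks about its own process. If that is the intent, a one-line comment above each check stating it would help the next reader; if self-queries should stay available, the check needs to move after the input is parsed so it can depend on the subject.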
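Review bot: in the priv.h hunk, _PRIV_HIGHEST is set to 674, the same value as the new PRIV_RCTL_GET_LIMITS, whereas before this change it was 672, one above the last allocated privilege (PRIV_RCTL_GET at 671). If the validity check described in the comment that follows treats _PRIV_HIGHEST as an exclusive upper bound, PRIV_RCTL_GET_LIMITS will be rejected as unknown; suggest `#define _PRIV_HIGHEST 675` to keep the previous convention. Separately, 670 and 671 are reused with different meanings (670 was PRIV_RCTL_SET and becomes PRIV_RCTL_GET_RULES; 671 was PRIV_RCTL_GET and becomes PRIV_RCTL_ADD_RULE), so code built against the old header would check a different privilege without any build error. Please mention the renumbering in the change description, or allocate the new names from 672 upward.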