From owner-p4-projects@FreeBSD.ORG Fri Oct 20 00:07:07 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D718016A415; Fri, 20 Oct 2006 00:07:06 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B283216A40F for ; Fri, 20 Oct 2006 00:07:06 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id CBE7A43D4C for ; Fri, 20 Oct 2006 00:06:54 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k9K06sMc075347 for ; Fri, 20 Oct 2006 00:06:54 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k9K06rlV075339 for perforce@freebsd.org; Fri, 20 Oct 2006 00:06:53 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Fri, 20 Oct 2006 00:06:53 GMT Message-Id: <200610200006.k9K06rlV075339@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 108136 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Oct 2006 00:07:07 -0000 http://perforce.freebsd.org/chv.cgi?CH=108136 Change 108136 by rwatson@rwatson_zoo on 2006/10/20 00:06:18 Merge from HEAD priv(9): Clean up a number of priv(9) loose ends for VFS: make file system checks for utimes() NULL timestamp more consistent. Add privileges for dtrace. Affected files ... .. //depot/projects/trustedbsd/priv6/src/sys/fs/hpfs/hpfs_vnops.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/fs/msdosfs/msdosfs_vnops.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/fs/smbfs/smbfs_vnops.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_mount.c#5 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#6 edit .. //depot/projects/trustedbsd/priv6/src/sys/sys/priv.h#3 edit Differences ... ==== //depot/projects/trustedbsd/priv6/src/sys/fs/hpfs/hpfs_vnops.c#3 (text+ko) ==== 
@@ -501,15 +501,12 @@
 if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
 if (vp->v_mount->mnt_flag & MNT_RDONLY)
 return (EROFS);
- /*
- * XXXRW: Why not just rely on the VOP_ACCESS() check here
- * instead of calling suser()?
- */
- if (cred->cr_uid != hp->h_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(vp, VWRITE, cred, td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, cred, td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, cred, td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, cred, td);
 if (vap->va_atime.tv_sec != VNOVAL)
 hp->h_atime = vap->va_atime.tv_sec;
 if (vap->va_mtime.tv_sec != VNOVAL)
==== //depot/projects/trustedbsd/priv6/src/sys/fs/msdosfs/msdosfs_vnops.c#3 (text+ko) ====
@@ -484,15 +484,13 @@
 if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
 if (vp->v_mount->mnt_flag & MNT_RDONLY)
 return (EROFS);
- /*
- * XXXRW: Isn't VOP_ACCESS() enough here? Why is suser()
- * required?
- */
- if (cred->cr_uid != pmp->pm_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, cred,
+ ap->a_td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
 if (vp->v_type != VDIR) {
 if ((pmp->pm_flags & MSDOSFSMNT_NOWIN95) == 0 &&
 vap->va_atime.tv_sec != VNOVAL) {
==== //depot/projects/trustedbsd/priv6/src/sys/fs/smbfs/smbfs_vnops.c#3 (text+ko) ====
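Review bot: In the hpfs hunk the outcome of the new VOP_ACCESS() check is stored in `error` but never acted on: the removed code returned on failure, while the new block falls straight through to `if (vap->va_atime.tv_sec != VNOVAL) hp->h_atime = ...`, so a caller who fails both the VADMIN and the VWRITE check still has the timestamps applied. Add `if (error) return (error);` directly after the `else` branch. The msdosfs hunk below has the same shape and reaches its `if (vp->v_type != VDIR)` timestamp logic without consulting `error`, and the smbfs hunk in the next file follows the same pattern (its tail is under `#if 0` and the hunk ends there, so a later check cannot be ruled out from this page, but the explicit return makes the intent unambiguous in all three). In each case the enclosing setattr function starts and ends outside the hunk.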
@@ -352,14 +352,13 @@
 if (vap->va_atime.tv_sec != VNOVAL)
 atime = &vap->va_atime;
 if (mtime != atime) {
- /*
- * XXXRW: Isn't VOP_ACCESS() here sufficient? Why suser()?
- */
- if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_uid &&
- (error = suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(vp, VWRITE, ap->a_cred, ap->a_td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, ap->a_cred,
+ ap->a_td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
 #if 0
 if (mtime == NULL)
 mtime = &np->n_mtime;
==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_mount.c#5 (text+ko) ====
@@ -796,12 +796,11 @@
 }
 /*
 * Silently enforce MNT_NOSUID and MNT_USER for unprivileged users.
- *
- * XXXRW: Which privileges to map this to? Wouldn't it be better
- * to see if they weren't already set and only then check privilege?
 */
- if (suser(td) != 0)
- fsflags |= MNT_NOSUID | MNT_USER;
+ if ((fsflags & (MNT_NOSUID | MNT_USER)) != (MNT_NOSUID | MNT_USER)) {
+ if (priv_check(td, PRIV_VFS_MOUNT_NONUSER) != 0)
+ fsflags |= MNT_NOSUID | MNT_USER;
+ }
 
 /* Load KLDs before we lock the covered vnode to avoid reversals. */
 vfsp = NULL;
==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#6 (text+ko) ====
@@ -1206,9 +1206,14 @@
 case S_IFBLK:
 error = priv_check(td, PRIV_VFS_MKNOD_DEV);
 break;
+ case S_IFMT:
+ error = priv_check(td, PRIV_VFS_MKNOD_BAD);
+ break;
+ case S_IFWHT:
+ error = priv_check(td, PRIV_VFS_MKNOD_WHT);
+ break;
 default:
- /* XXXRW: Should do a full enumeration here. */
- error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+ error = EINVAL;
 break;
 }
 if (error)
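Review bot: In the vfs_mount.c hunk the surviving comment, "Silently enforce MNT_NOSUID and MNT_USER for unprivileged users.", no longer describes what the code does: the privilege check is now only made when at least one of the two flags is absent, so a caller that already requests both never touches PRIV_VFS_MOUNT_NONUSER. Suggest adding a line to that comment, ` * Only consult PRIV_VFS_MOUNT_NONUSER when the caller has not already asked for both flags, so explicit user mounts trigger no privilege check (and no failed-privilege record).` The nested `if` could also be collapsed into a single condition with `&&`, but the two-level form is readable as is. The enclosing mount function starts and ends outside the hunk.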
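Review bot: In the vfs_syscalls.c hunk `case S_IFMT:` reads as a mistake at first glance, because S_IFMT is the mask of all file-type bits rather than a type; its use here as the mode that maps to PRIV_VFS_MKNOD_BAD (the new priv.h comment says "mark bad inodes") deserves a one-line comment, e.g. `/* S_IFMT (all type bits set) is the mknod(2) encoding for a bad inode. */`. The switch begins before the hunk, so whether every other type value (S_IFCHR and friends) is enumerated cannot be confirmed from this page; with the new `default: error = EINVAL;` any omission is a user-visible rejection rather than a fallback to the old blanket superuser check, which is the safer failure direction.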
@@ -1253,8 +1258,7 @@
 whiteout = 1;
 break;
 default:
- error = EINVAL;
- break;
+ panic("kern_mknod: invalid mode");
 }
 }
 if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {
==== //depot/projects/trustedbsd/priv6/src/sys/sys/priv.h#3 (text+ko) ====
@@ -104,6 +104,9 @@
 PRIV_DEBUG_DIFFCRED, /* Exempt debugging other users. */
 PRIV_DEBUG_SUGID, /* Exempt debugging setuid proc. */
 PRIV_DEBUG_UNPRIV, /* Exempt unprivileged debug limit. */
+ PRIV_DTRACE_KERNEL, /* Allow use of DTrace on the kernel. */
+ PRIV_DTRACE_USER, /* Allow process to submit DTrace events. */
+ PRIV_DTRACE_PROC, /* Allow attaching DTrace to process. */
 PRIV_FIRMWARE_LOAD, /* Can load firmware. */
 PRIV_JAIL_ATTACH, /* Attach to a jail. */
 PRIV_KENV_SET, /* Set kernel env. variables. */
@@ -167,12 +170,15 @@
 PRIV_VFS_GENERATION, /* stat() returns generation number. */
 PRIV_VFS_GETFH, /* Can retrieve file handles. */
 PRIV_VFS_LINK, /* bsd.hardlink_check_uid */
- PRIV_VFS_MKNOD_DEV, /* Can create device nodes. */
+ PRIV_VFS_MKNOD_BAD, /* Can use mknod() to mark bad inodes. */
+ PRIV_VFS_MKNOD_DEV, /* Can use mknod() to create device nodes. */
+ PRIV_VFS_MKNOD_WHT, /* Can use mknod() to create whiteout. */
 PRIV_VFS_MOUNT, /* Can mount(). */
 PRIV_VFS_MOUNT_OWNER, /* Override owner on user mounts. */
 PRIV_VFS_MOUNT_EXPORTED, /* Can set MNT_EXPORTED on mount. */
 PRIV_VFS_MOUNT_PERM, /* Override device node perms at mount. */
 PRIV_VFS_MOUNT_SUIDDIR, /* Can set MNT_SUIDDIR on mount. */
+ PRIV_VFS_MOUNT_NONUSER, /* Can perform a non-user mount. */
 PRIV_VFS_SETGID, /* Can setgid if not in group. */
 PRIV_VFS_STICKYFILE, /* Can set sticky bit on file. */
 PRIV_VFS_SYSFLAGS, /* Can modify system flags. */
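Review bot: The `default:` of this second switch now panics on a mode value that comes straight from the mknod(2) caller, and that is only safe because the earlier hunk in this file made the privilege switch reject every unlisted mode with EINVAL; the two switches are now coupled, and a type added to the first without the second would turn a user-supplied argument into a kernel panic. Either keep `error = EINVAL; break;` here, or mark the coupling at the panic with `/* Unreachable: every mode is validated by the privilege switch above; keep the two in step. */`. The enclosing function continues outside the hunk on both sides.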
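Review bot: Inserting PRIV_DTRACE_KERNEL/USER/PROC after PRIV_DEBUG_UNPRIV and PRIV_VFS_MKNOD_BAD before PRIV_VFS_MKNOD_DEV shifts the numeric value of every enumerator that follows, PRIV_VFS_MKNOD_DEV included. This page does not show whether any consumer (policy modules, audit records, userland tables) assumes those values are stable across builds, so that should be confirmed before merging; if stability is expected, a comment at the top of the enum stating whether insertion in alphabetical order is permitted would settle it for future additions. The enum itself starts and ends outside both hunks.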