Date: Mon, 2 Oct 2006 09:17:03 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 107082 for review Message-ID: <200610020917.k929H35w037699@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=107082 Change 107082 by rwatson@rwatson_peppercorn on 2006/10/02 09:16:11 Resolve more conflicts merging priv changes from 7.x to 6.x. Affected files ... .. //depot/projects/trustedbsd/priv6/src/sys/dev/dcons/dcons_os.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/i386/linux/linux_machdep.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_descrip.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_fork.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_ktrace.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_linker.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_subr.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/net/if.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/net/raw_usrreq.c#3 edit Differences ... ==== //depot/projects/trustedbsd/priv6/src/sys/dev/dcons/dcons_os.c#3 (text+ko) ==== @@ -297,7 +297,8 @@ tp->t_state |= TS_CARR_ON; ttyconsolemode(tp, 0); ttsetwater(tp); - } else if ((tp->t_state & TS_XCLUDE) && suser(td)) { + } else if ((tp->t_state & TS_XCLUDE) && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { splx(s); return (EBUSY); } ==== //depot/projects/trustedbsd/priv6/src/sys/i386/linux/linux_machdep.c#4 (text+ko) ==== @@ -38,6 +38,7 @@ #include <sys/malloc.h> #include <sys/mman.h> #include <sys/mutex.h> +#include <sys/priv.h> #include <sys/proc.h> #include <sys/resource.h> #include <sys/resourcevar.h> ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_descrip.c#4 (text+ko) ==== 
@@ -1338,8 +1338,8 @@ sx_xlock(&filelist_lock); if ((openfiles >= maxuserfiles && - suser_cred(td->td_ucred, SUSER_RUID) != 0) || - openfiles >= maxfiles) { + priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) + || openfiles >= maxfiles) { if (ppsratecheck(&lastfail, &curfail, 1)) { printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n", td->td_ucred->cr_ruid); ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_fork.c#4 (text+ko) ==== @@ -317,8 +317,11 @@ /* * Increment the count of procs running with this uid. Don't allow * a nonprivileged user to exceed their current limit. + * + * XXXRW: Can we avoid privilege here if it's not needed? */ - error = suser_cred(td->td_ucred, SUSER_RUID | SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID | + SUSER_ALLOWJAIL); if (error == 0) ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0); else { ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_ktrace.c#4 (text+ko) ==== @@ -807,7 +807,8 @@ p->p_tracecred = crhold(td->td_ucred); } p->p_traceflag |= facs; - if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) + if (priv_check_cred(td->td_ucred, PRIV_KTRACE, + SUSER_ALLOWJAIL) == 0) p->p_traceflag |= KTRFAC_ROOT; } else { /* KTROP_CLEAR */ ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_linker.c#3 (text+ko) ==== @@ -764,7 +764,7 @@ if ((error = securelevel_gt(td->td_ucred, 0)) != 0) goto out; - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_KLD_LOAD)) != 0) goto out; pathname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); @@ -810,7 +810,7 @@ if ((error = securelevel_gt(td->td_ucred, 0)) != 0) goto out; - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_KLD_UNLOAD)) != 0) goto out; lf = linker_find_file_by_id(fileid); ==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_subr.c#4 (text+ko) ==== 
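Review bot: In the kern_descrip.c hunk the rewritten condition moves the `||` to the head of the continuation line, `|| openfiles >= maxfiles) {`, whereas style(9) and the surrounding kernel code keep a binary operator at the end of the line being broken. Keeping it trailing, `priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) ||` followed by `openfiles >= maxfiles) {`, also preserves the original's shape so the 7.x and 6.x versions diff more cleanly. The enclosing function begins and ends outside the hunk.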
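Review bot: In the kern_fork.c hunk PRIV_PROC_LIMIT is consulted on every fork before the per-uid limit is even tested, so a privileged caller exercises (and, if the priv framework records uses, is logged for) a privilege it may not need; the added XXXRW comment flags this but the code still does it. One concrete shape is to attempt the limited `chgproccnt()` first and call `priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID | SUSER_ALLOWJAIL)` only when that attempt fails, then retry with a limit of 0 on success. The else branch that applies the unprivileged limit is outside the hunk, so the exact limit expression to reuse is not visible here.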
@@ -3250,56 +3250,46 @@ return (0); privcheck: - if (!suser_cred(cred, SUSER_ALLOWJAIL)) { - /* XXX audit: privilege used */ - if (privused != NULL) - *privused = 1; - return (0); - } - -#ifdef CAPABILITIES /* - * Build a capability mask to determine if the set of capabilities + * Build a privilege mask to determine if the set of privileges * satisfies the requirements when combined with the granted mask - * from above. - * For each capability, if the capability is required, bitwise - * or the request type onto the cap_granted mask. + * from above. For each privilege, if the privilege is required, + * bitwise or the request type onto the priv_granted mask. */ - cap_granted = 0; + priv_granted = 0; if (type == VDIR) { /* - * For directories, use CAP_DAC_READ_SEARCH to satisfy - * VEXEC requests, instead of CAP_DAC_EXECUTE. + * For directories, use PRIV_VFS_LOOKUP to satisfy VEXEC + * requests, instead of PRIV_VFS_EXEC. */ if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + !priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } else { if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !cap_check(cred, NULL, CAP_DAC_EXECUTE, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + !priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) && - !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) - cap_granted |= VREAD; + !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL)) + priv_granted |= VREAD; if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) && - !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL)) - cap_granted |= (VWRITE | VAPPEND); + !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) + priv_granted |= (VWRITE | VAPPEND); if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) && - !cap_check(cred, NULL, CAP_FOWNER, SUSER_ALLOWJAIL)) - 
cap_granted |= VADMIN; + !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)) + priv_granted |= VADMIN; - if ((acc_mode & (cap_granted | dac_granted)) == acc_mode) { + if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) { /* XXX audit: privilege used */ if (privused != NULL) *privused = 1; return (0); } -#endif return ((acc_mode & VADMIN) ? EPERM : EACCES); } ==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#4 (text+ko) ==== @@ -278,7 +278,7 @@ error = VFS_STATFS(mp, sp, td); if (error) goto out; - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); @@ -362,7 +362,7 @@ error = VFS_STATFS(mp, sp, td); if (error) goto out; - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); ==== //depot/projects/trustedbsd/priv6/src/sys/net/if.c#3 (text+ko) ==== @@ -1504,12 +1504,16 @@ switch (cmd) { case SIOCIFCREATE: + error = priv_check(td, PRIV_NET_IFCREATE); + if (error) + return (error); + return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)); + case SIOCIFDESTROY: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_IFDESTROY); + if (error) return (error); - return ((cmd == SIOCIFCREATE) ? - if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)) : - if_clone_destroy(ifr->ifr_name)); + return (if_clone_destroy(ifr->ifr_name)); case SIOCIFGCLONERS: return (if_clone_list((struct if_clonereq *)data)); ==== //depot/projects/trustedbsd/priv6/src/sys/net/raw_usrreq.c#3 (text+ko) ==== @@ -164,8 +164,11 @@ if (rp == 0) return EINVAL; - if (td && (error = suser(td)) != 0) - return error; + if (td != NULL) { + error = priv_check(td, PRIV_NET_RAW); + if (error) + return error; + } return raw_attach(so, proto); }
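Review bot: The vfs_subr.c hunk drops the `#ifdef CAPABILITIES` / `#endif` pair and renames `cap_granted` to `priv_granted`, but the declaration of that local lives at the top of vaccess(), outside the hunk; if it is still declared as `cap_granted` under a CAPABILITIES guard there, every non-CAPABILITIES 6.x kernel now fails to compile on these lines. The function head is also where any comment describing an all-or-nothing superuser override would sit, and it should be reworded, since the removed `suser_cred()` short-circuit means privilege is now granted per access mode. Note too that a caller passing `privused` only sees it set when the combined mask satisfies `acc_mode`, even though up to four `priv_check_cred()` calls may already have been made on a denied request; whether those calls are themselves recorded depends on priv_check_cred(), which is not visible here. vaccess() starts before the hunk.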
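Review bot: The sanitized-statfs block guarded by `priv_check(td, PRIV_VFS_GENERATION)` is now duplicated verbatim in statfs() (vfs_syscalls.c hunk at -278) and fstatfs() (hunk at -362): the bcopy, the fsid zeroing and the prison_enforce_statfs() call, at least as far as the hunks show. Folding the privilege test and that body into one static helper would keep the two callers from drifting the next time the privilege or the list of hidden fields changes. Both enclosing functions and the guarded block itself continue outside their hunks.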
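Review bot: The new SIOCIFCREATE case in the if.c hunk is missing a closing parenthesis: `return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name));` closes `sizeof` and `if_clone_create` but not the outer `return (`, so the file will not compile as shown; it should read `return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)));`. The removed ternary had the balanced form, so this looks like a slip introduced while splitting the two cases, unless the listing dropped a character. The surrounding switch and its function begin and end outside the hunk.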
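Review bot: The `td != NULL` guard in the raw_usrreq.c hunk skips the PRIV_NET_RAW check entirely when no thread is supplied, and nothing in the hunk says when that happens; a one-line comment would spare the next reader from wondering whether an unprivileged path can reach raw_attach() this way, e.g. `/* td == NULL: no calling thread, so there is no credential to check. */` — presumably that is the intent, but confirm against the callers. The hunk keeps the file's unparenthesized `return error;`, which differs from style(9) but matches the existing `return EINVAL;` two lines above, so leaving it is defensible. The enclosing function starts before the hunk.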