From owner-p4-projects@FreeBSD.ORG Mon Oct 2 09:17:05 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D015316A47C; Mon, 2 Oct 2006 09:17:04 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 76CFF16A403 for ; Mon, 2 Oct 2006 09:17:04 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 267AA43D49 for ; Mon, 2 Oct 2006 09:17:04 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k929H4rJ037702 for ; Mon, 2 Oct 2006 09:17:04 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k929H35w037699 for perforce@freebsd.org; Mon, 2 Oct 2006 09:17:03 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Mon, 2 Oct 2006 09:17:03 GMT Message-Id: <200610020917.k929H35w037699@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 107082 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Oct 2006 09:17:05 -0000 http://perforce.freebsd.org/chv.cgi?CH=107082 Change 107082 by rwatson@rwatson_peppercorn on 2006/10/02 09:16:11 Resolve more conflicts merging priv changes from 7.x to 6.x. Affected files ... .. //depot/projects/trustedbsd/priv6/src/sys/dev/dcons/dcons_os.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/i386/linux/linux_machdep.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_descrip.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_fork.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_ktrace.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_linker.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_subr.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#4 edit .. //depot/projects/trustedbsd/priv6/src/sys/net/if.c#3 edit .. //depot/projects/trustedbsd/priv6/src/sys/net/raw_usrreq.c#3 edit Differences ... ==== //depot/projects/trustedbsd/priv6/src/sys/dev/dcons/dcons_os.c#3 (text+ko) ==== @@ -297,7 +297,8 @@ tp->t_state |= TS_CARR_ON; ttyconsolemode(tp, 0); ttsetwater(tp); - } else if ((tp->t_state & TS_XCLUDE) && suser(td)) { + } else if ((tp->t_state & TS_XCLUDE) && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { splx(s); return (EBUSY); } ==== //depot/projects/trustedbsd/priv6/src/sys/i386/linux/linux_machdep.c#4 (text+ko) ==== @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_descrip.c#4 (text+ko) ==== 
@@ -1338,8 +1338,8 @@ sx_xlock(&filelist_lock); if ((openfiles >= maxuserfiles && - suser_cred(td->td_ucred, SUSER_RUID) != 0) || - openfiles >= maxfiles) { + priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) + || openfiles >= maxfiles) { if (ppsratecheck(&lastfail, &curfail, 1)) { printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n", td->td_ucred->cr_ruid); ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_fork.c#4 (text+ko) ==== @@ -317,8 +317,11 @@ /* * Increment the count of procs running with this uid. Don't allow * a nonprivileged user to exceed their current limit. + * + * XXXRW: Can we avoid privilege here if it's not needed? */ - error = suser_cred(td->td_ucred, SUSER_RUID | SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID | + SUSER_ALLOWJAIL); if (error == 0) ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0); else { ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_ktrace.c#4 (text+ko) ==== @@ -807,7 +807,8 @@ p->p_tracecred = crhold(td->td_ucred); } p->p_traceflag |= facs; - if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) + if (priv_check_cred(td->td_ucred, PRIV_KTRACE, + SUSER_ALLOWJAIL) == 0) p->p_traceflag |= KTRFAC_ROOT; } else { /* KTROP_CLEAR */ ==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_linker.c#3 (text+ko) ==== @@ -764,7 +764,7 @@ if ((error = securelevel_gt(td->td_ucred, 0)) != 0) goto out; - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_KLD_LOAD)) != 0) goto out; pathname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); @@ -810,7 +810,7 @@ if ((error = securelevel_gt(td->td_ucred, 0)) != 0) goto out; - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_KLD_UNLOAD)) != 0) goto out; lf = linker_find_file_by_id(fileid); ==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_subr.c#4 (text+ko) ==== 
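Review bot: In the kern_descrip.c hunk the rewrapped condition moves the operator to the head of the continuation line, `|| openfiles >= maxfiles) {`, whereas the line it replaces kept the binary operator at the end of the line (the usual style(9) shape). I would keep the original shape: `priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) ||` followed by `openfiles >= maxfiles) {`. The logic is unchanged either way; the enclosing function begins and ends outside the hunk.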
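Review bot: In the kern_fork.c hunk the PRIV_PROC_LIMIT check runs on every fork before it is known whether the caller's process count would actually exceed the limit, so a privileged caller always takes the unlimited chgproccnt(…, 0) path and may have a privilege use recorded on each fork; the new XXXRW comment names the question but not this consequence. A cheaper shape would try the limited chgproccnt() first and consult the privilege only when that fails, which gives identical results for unprivileged callers; the else branch that supplies the limit lies outside the hunk, so I have not written it out. In the meantime I would extend the comment: ` * XXXRW: Can we avoid privilege here if it's not needed?  As written,` / ` * every fork by a privileged caller is treated as a use of privilege.`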
@@ -3250,56 +3250,46 @@ return (0); privcheck: - if (!suser_cred(cred, SUSER_ALLOWJAIL)) { - /* XXX audit: privilege used */ - if (privused != NULL) - *privused = 1; - return (0); - } - -#ifdef CAPABILITIES /* - * Build a capability mask to determine if the set of capabilities + * Build a privilege mask to determine if the set of privileges * satisfies the requirements when combined with the granted mask - * from above. - * For each capability, if the capability is required, bitwise - * or the request type onto the cap_granted mask. + * from above. For each privilege, if the privilege is required, + * bitwise or the request type onto the priv_granted mask. */ - cap_granted = 0; + priv_granted = 0; if (type == VDIR) { /* - * For directories, use CAP_DAC_READ_SEARCH to satisfy - * VEXEC requests, instead of CAP_DAC_EXECUTE. + * For directories, use PRIV_VFS_LOOKUP to satisfy VEXEC + * requests, instead of PRIV_VFS_EXEC. */ if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + !priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } else { if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !cap_check(cred, NULL, CAP_DAC_EXECUTE, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + !priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) && - !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) - cap_granted |= VREAD; + !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL)) + priv_granted |= VREAD; if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) && - !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL)) - cap_granted |= (VWRITE | VAPPEND); + !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) + priv_granted |= (VWRITE | VAPPEND); if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) && - !cap_check(cred, NULL, CAP_FOWNER, SUSER_ALLOWJAIL)) - 
cap_granted |= VADMIN; + !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)) + priv_granted |= VADMIN; - if ((acc_mode & (cap_granted | dac_granted)) == acc_mode) { + if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) { /* XXX audit: privilege used */ if (privused != NULL) *privused = 1; return (0); } -#endif return ((acc_mode & VADMIN) ? EPERM : EACCES); } ==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#4 (text+ko) ==== @@ -278,7 +278,7 @@ error = VFS_STATFS(mp, sp, td); if (error) goto out; - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); @@ -362,7 +362,7 @@ error = VFS_STATFS(mp, sp, td); if (error) goto out; - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); ==== //depot/projects/trustedbsd/priv6/src/sys/net/if.c#3 (text+ko) ==== @@ -1504,12 +1504,16 @@ switch (cmd) { case SIOCIFCREATE: + error = priv_check(td, PRIV_NET_IFCREATE); + if (error) + return (error); + return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)); + case SIOCIFDESTROY: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_IFDESTROY); + if (error) return (error); - return ((cmd == SIOCIFCREATE) ? - if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)) : - if_clone_destroy(ifr->ifr_name)); + return (if_clone_destroy(ifr->ifr_name)); case SIOCIFGCLONERS: return (if_clone_list((struct if_clonereq *)data)); ==== //depot/projects/trustedbsd/priv6/src/sys/net/raw_usrreq.c#3 (text+ko) ==== @@ -164,8 +164,11 @@ if (rp == 0) return EINVAL; - if (td && (error = suser(td)) != 0) - return error; + if (td != NULL) { + error = priv_check(td, PRIV_NET_RAW); + if (error) + return error; + } return raw_attach(so, proto); }
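Review bot: With the blanket suser_cred() short-circuit removed at the top of privcheck in the vfs_subr.c hunk, a request carrying VAPPEND but not VWRITE can now only be satisfied through dac_granted: the sole clause that adds VAPPEND to priv_granted is keyed on `acc_mode & VWRITE`, so a privileged caller asking for append alone falls through to the EACCES return even though PRIV_VFS_WRITE would have covered it, whereas the old suser path granted that case. If any VOP_ACCESS caller passes VAPPEND alone (I cannot tell from this hunk), a parallel clause `if ((acc_mode & VAPPEND) && ((dac_granted & VAPPEND) == 0) &&` / `    !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL))` / `	priv_granted |= VAPPEND;` closes the gap. Separately, the `#ifdef CAPABILITIES` guard is dropped while `priv_granted` is declared earlier in vaccess(), outside this hunk; confirm that declaration is no longer conditional or the function will not build without the option. vaccess() starts before the hunk.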
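Review bot: The `if (priv_check(td, PRIV_VFS_GENERATION))` branch in the vfs_syscalls.c hunk reads as the privileged path at a glance, but a non-zero return means the caller lacks the privilege, and it is that unprivileged caller whose f_fsid is zeroed and whose statfs result goes through prison_enforce_statfs(). A one-line comment above the test would stop the next reader misparsing it: `/* Unprivileged callers get a zeroed f_fsid and a jail-filtered view. */`. The same applies to the second hunk at -362. Both enclosing functions start and end outside their hunks.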
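Review bot: The new `return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name));` line under SIOCIFCREATE in the if.c hunk is missing a closing parenthesis — `return (` opens one more level than is closed — so it will not compile as shown, unless the paren was lost when this page was captured. It should read `return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)));`. Splitting the two cases so each names its own privilege is otherwise an improvement; the switch continues beyond the hunk.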
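Review bot: The rewritten block in the raw_usrreq.c hunk keeps the pre-existing behaviour that a NULL td skips the PRIV_NET_RAW check altogether, and nothing near it says why that is acceptable, so anyone auditing privilege checks will stop here. If the NULL case is the kernel-internal attach path (I cannot confirm that from the hunk), a comment such as `/* td == NULL: kernel-internal caller, no credential to check. */` above the `if (td != NULL)` documents the exemption rather than leaving it looking like an omission. The enclosing function begins outside the hunk.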