Date:      Wed, 11 Oct 2006 06:03:54 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 107657 for review
Message-ID:  <200610110603.k9B63sUb008635@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=107657

Change 107657 by rwatson@rwatson_zoo on 2006/10/11 06:03:44

	Clean up a number of priv(9) loose ends for VFS: make file system
	checks for utimes() NULL timestamp more consistent.
	
	Add privileges for dtrace.

Affected files ...

.. //depot/projects/trustedbsd/priv/sys/fs/hpfs/hpfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/fs/smbfs/smbfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#4 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#5 edit
.. //depot/projects/trustedbsd/priv/sys/sys/priv.h#5 edit

Differences ...

==== //depot/projects/trustedbsd/priv/sys/fs/hpfs/hpfs_vnops.c#3 (text+ko) ====

@@ -501,15 +501,12 @@
 	if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
-		/*
-		 * XXXRW: Why not just rely on the VOP_ACCESS() check here
-		 * instead of calling suser()?
-		 */
-		if (cred->cr_uid != hp->h_uid &&
-		    (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
-		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
-		    (error = VOP_ACCESS(vp, VWRITE, cred, td))))
-			return (error);
+		if (vap->va_vaflags & VA_UTIMES_NULL) {
+			error = VOP_ACCESS(vp, VADMIN, cred, td);
+			if (error)
+				error = VOP_ACCESS(vp, VWRITE, cred, td);
+		} else
+			error = VOP_ACCESS(vp, VADMIN, cred, td);
 		if (vap->va_atime.tv_sec != VNOVAL)
 			hp->h_atime = vap->va_atime.tv_sec;
 		if (vap->va_mtime.tv_sec != VNOVAL)
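Review bot: The result of the new VOP_ACCESS() calls is stored in `error` but never tested before the following context line writes `hp->h_atime`, so as shown a caller that fails both the VADMIN and VWRITE checks still gets the timestamps changed; the removed code ended in `return (error);`. Add `if (error) return (error);` directly after the if/else. The msdosfs_vnops.c and smbfs_vnops.c hunks of this change follow the same pattern, with no visible test of `error` after the else branch. The enclosing function begins and ends outside the hunk, so a later check cannot be ruled out, but in this file it would come after the assignment shown here.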

==== //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vnops.c#3 (text+ko) ====

@@ -484,15 +484,13 @@
 	if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
-		/*
-		 * XXXRW: Isn't VOP_ACCESS() enough here?  Why is suser()
-		 * required?
-		 */
-		if (cred->cr_uid != pmp->pm_uid &&
-		    (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
-		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
-		    (error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_td))))
-			return (error);
+		if (vap->va_vaflags & VA_UTIMES_NULL) {
+			error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td); 
+			if (error)
+				error = VOP_ACCESS(vp, VWRITE, cred,
+				    ap->a_td);
+		} else
+			error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
 		if (vp->v_type != VDIR) {
 			if ((pmp->pm_flags & MSDOSFSMNT_NOWIN95) == 0 &&
 			    vap->va_atime.tv_sec != VNOVAL) {

==== //depot/projects/trustedbsd/priv/sys/fs/smbfs/smbfs_vnops.c#3 (text+ko) ====

@@ -352,14 +352,13 @@
 	if (vap->va_atime.tv_sec != VNOVAL)
 		atime = &vap->va_atime;
 	if (mtime != atime) {
-		/*
-		 * XXXRW: Isn't VOP_ACCESS() here sufficient?  Why suser()?
-		 */
-		if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_uid &&
-		    (error = suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) &&
-		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
-		    (error = VOP_ACCESS(vp, VWRITE, ap->a_cred, ap->a_td))))
-			return (error);
+		if (vap->va_vaflags & VA_UTIMES_NULL) {
+			error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
+			if (error)
+				error = VOP_ACCESS(vp, VWRITE, ap->a_cred,
+				    ap->a_td);
+		} else
+			error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
 #if 0
 		if (mtime == NULL)
 			mtime = &np->n_mtime;

==== //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#4 (text+ko) ====

@@ -825,12 +825,11 @@
 	}
 	/*
 	 * Silently enforce MNT_NOSUID and MNT_USER for unprivileged users.
-	 *
-	 * XXXRW: Which privileges to map this to?  Wouldn't it be better
-	 * to see if they weren't already set and only then check privilege?
 	 */
-	if (suser(td) != 0)
-		fsflags |= MNT_NOSUID | MNT_USER;
+	if ((fsflags & (MNT_NOSUID | MNT_USER)) != (MNT_NOSUID | MNT_USER)) {
+		if (priv_check(td, PRIV_VFS_MOUNT_NONUSER) != 0)
+			fsflags |= MNT_NOSUID | MNT_USER;
+	}
 
 	/* Load KLDs before we lock the covered vnode to avoid reversals. */
 	vfsp = NULL;
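Review bot: The comment above the new nested test no longer explains why the flags are compared before `priv_check()` is called; the deleted XXXRW text was the only place that rationale appeared. Consider extending the comment with a line such as `Only consult priv(9) when the caller did not already request both flags.` so the outer condition is not later collapsed back into an unconditional privilege check. The enclosing function starts and ends outside the hunk.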

==== //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#5 (text+ko) ====

@@ -1184,9 +1184,14 @@
 	case S_IFBLK:
 		error = priv_check(td, PRIV_VFS_MKNOD_DEV);
 		break;
+	case S_IFMT:
+		error = priv_check(td, PRIV_VFS_MKNOD_BAD);
+		break;
+	case S_IFWHT:
+		error = priv_check(td, PRIV_VFS_MKNOD_WHT);
+		break;
 	default:
-		/* XXXRW: Should do a full enumeration here. */
-		error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+		error = EINVAL;
 		break;
 	}
 	if (error)
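Review bot: `case S_IFMT:` reads like a mistake without context, because S_IFMT is normally the file-type mask rather than a file type. A short comment on that case, for example `/* S_IFMT is accepted here to mark a bad inode. */`, would match the PRIV_VFS_MKNOD_BAD description added to priv.h in this change. The switch begins outside the hunk.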
@@ -1231,8 +1236,7 @@
 			whiteout = 1;
 			break;
 		default:
-			error = EINVAL;
-			break;
+			panic("kern_mknod: invalid mode");
 		}
 	}
 	if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {
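Review bot: Replacing `error = EINVAL` with `panic()` in this `default:` arm makes a kernel panic reachable from a caller-supplied mode if the privilege switch earlier in the function and this switch ever stop listing the same cases. The earlier switch now returns EINVAL for unknown modes, which is what keeps this arm dead, but that coupling is not stated anywhere. Either keep `error = EINVAL; break;` here as a fail-safe, or add a comment such as `/* Unreachable: the mode was validated by the privilege switch above. */`. Both switches extend outside the hunks, so their full case lists should be compared.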

==== //depot/projects/trustedbsd/priv/sys/sys/priv.h#5 (text+ko) ====

@@ -104,6 +104,9 @@
 	PRIV_DEBUG_DIFFCRED,	/* Exempt debugging other users. */
 	PRIV_DEBUG_SUGID,	/* Exempt debugging setuid proc. */
 	PRIV_DEBUG_UNPRIV,	/* Exempt unprivileged debug limit. */
+	PRIV_DTRACE_KERNEL,	/* Allow use of DTrace on the kernel. */
+	PRIV_DTRACE_USER,	/* Allow process to submit DTrace events. */
+	PRIV_DTRACE_PROC,	/* Allow attaching DTrace to process. */
 	PRIV_FIRMWARE_LOAD,	/* Can load firmware. */
 	PRIV_JAIL_ATTACH,	/* Attach to a jail. */
 	PRIV_KENV_SET,		/* Set kernel env. variables. */
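Review bot: The new identifiers are inserted in the middle of a list whose entries carry no explicit values, so if this is an implicitly numbered enum (the declaration is outside the hunk) every privilege after PRIV_DEBUG_UNPRIV is renumbered. The second hunk in this file does the same around PRIV_VFS_MKNOD_DEV and after PRIV_VFS_MOUNT_SUIDDIR. A module or tool built against the previous header would then pass a number that names a different privilege to `priv_check()`. Consider a header comment such as `/* Values are not stable across revisions of this file; rebuild all consumers. */`, or give the entries explicit values.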
@@ -167,12 +170,15 @@
 	PRIV_VFS_GENERATION,	/* stat() returns generation number. */
 	PRIV_VFS_GETFH,		/* Can retrieve file handles. */
 	PRIV_VFS_LINK,		/* bsd.hardlink_check_uid */
-	PRIV_VFS_MKNOD_DEV,	/* Can create device nodes. */
+	PRIV_VFS_MKNOD_BAD,	/* Can use mknod() to mark bad inodes. */
+	PRIV_VFS_MKNOD_DEV,	/* Can use mknod() to create device nodes. */
+	PRIV_VFS_MKNOD_WHT,	/* Can use mknod() to create whiteout. */
 	PRIV_VFS_MOUNT,		/* Can mount(). */
 	PRIV_VFS_MOUNT_OWNER,	/* Override owner on user mounts. */
 	PRIV_VFS_MOUNT_EXPORTED,	/* Can set MNT_EXPORTED on mount. */
 	PRIV_VFS_MOUNT_PERM,	/* Override device node perms at mount. */
 	PRIV_VFS_MOUNT_SUIDDIR,	/* Can set MNT_SUIDDIR on mount. */
+	PRIV_VFS_MOUNT_NONUSER,	/* Can perform a non-user mount. */
 	PRIV_VFS_SETGID,	/* Can setgid if not in group. */
 	PRIV_VFS_STICKYFILE,	/* Can set sticky bit on file. */
 	PRIV_VFS_SYSFLAGS,	/* Can modify system flags. */


