Date: Thu, 31 May 2007 14:36:39 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 120669 for review Message-ID: <200705311436.l4VEadXO030601@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=120669 Change 120669 by rwatson@rwatson_zoo on 2007/05/31 14:36:29 SUSER_ALLOWJAIL reduction. Affected files ... .. //depot/projects/trustedbsd/priv/sys/compat/opensolaris/kern/opensolaris_policy.c#2 edit Differences ...
==== //depot/projects/trustedbsd/priv/sys/compat/opensolaris/kern/opensolaris_policy.c#2 (text+ko) ====
@@ -72,7 +72,7 @@
 if (!hardlink_check_uid)
 return (0);
- return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_LINK, 0));
 }
 int
@@ -86,7 +86,7 @@
 secpolicy_vnode_remove(struct ucred *cred)
 {
- return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
 }
 int
@@ -94,23 +94,20 @@
 int mode)
 {
- if ((mode & VREAD) &&
- priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) {
+ if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) {
 return (EACCES);
 }
 if ((mode & VWRITE) &&
- priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) {
+ priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {
 return (EACCES);
 }
 if (mode & VEXEC) {
 if (vp->v_type == VDIR) {
- if (priv_check_cred(cred, PRIV_VFS_LOOKUP,
- SUSER_ALLOWJAIL) != 0) {
+ if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) {
 return (EACCES);
 }
 } else {
- if (priv_check_cred(cred, PRIV_VFS_EXEC,
- SUSER_ALLOWJAIL) != 0) {
+ if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) {
 return (EACCES);
 }
 }
@@ -124,7 +121,7 @@
 if (owner == cred->cr_uid)
 return (0);
- return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
 }
 int
@@ -173,8 +170,7 @@
 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
 !groupmember(vap->va_gid, cred))) {
- error = priv_check_cred(cred, PRIV_VFS_CHOWN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
 if (error)
 return (error);
 }
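Review bot: Passing 0 instead of SUSER_ALLOWJAIL in the `@@ -72` hunk means the call site no longer states that a jailed credential may hold PRIV_VFS_LINK, and nothing in the diff shows where that decision is made now. If the branch has moved it into the central jail privilege check (in FreeBSD that is prison_priv_check() in kern_jail.c; it is not visible here, so worth confirming), every privilege this change touches needs an entry there: PRIV_VFS_LINK, PRIV_VFS_ADMIN, PRIV_VFS_READ, PRIV_VFS_WRITE, PRIV_VFS_LOOKUP, PRIV_VFS_EXEC, PRIV_VFS_CHOWN, PRIV_VFS_SETGID, PRIV_VFS_RETAINSUGID and PRIV_VFS_STICKYFILE. A missing entry fails closed, but it would silently change in-jail behaviour for the affected file operations. The same point applies to every other hunk of this change, and the description could record it with a line such as `Jail policy for these privileges is decided centrally, not by a per-call flag.` The enclosing function starts outside the hunk.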
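Review bot: The PRIV_VFS_WRITE test in the `@@ -94` hunk is still wrapped over two lines, although the PRIV_VFS_READ test just above it was joined onto one line once the shorter argument allowed it. For consistency the new side could read `if ((mode & VWRITE) && priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {`, which looks to be 79 columns with one leading tab. The function signature begins outside the hunk.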
@@ -214,7 +210,7 @@
 {
 if (!groupmember(gid, cred))
- return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_SETGID, 0));
 return (0);
 }
@@ -222,7 +218,7 @@
 secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused)
 {
- return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0));
 }
 void
@@ -230,8 +226,7 @@
 {
 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) {
- if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL)) {
+ if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
 vap->va_mask |= AT_MODE;
 vap->va_mode &= ~(S_ISUID|S_ISGID);
 }
@@ -250,7 +245,7 @@
 * is not a member of. Both of these are allowed in jail(8).
 */
 if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) {
- if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL))
+ if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
 return (EFTYPE);
 }
 /*
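Review bot: The rewritten test in the `@@ -230` hunk, `if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {`, treats the error return as a boolean, while the checks in the `@@ -94` hunk compare it explicitly with `!= 0`. Because the branch taken on failure is the one that strips S_ISUID and S_ISGID, the sense of the test deserves to be explicit: `if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0) != 0) {` preceded by `/* No PRIV_VFS_RETAINSUGID: clear the set-id bits. */`. The PRIV_VFS_STICKYFILE test in the `@@ -250` hunk has the same implicit form. The function header is outside the hunk.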
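Review bot: The context comment at the top of the `@@ -250` hunk still says "Both of these are allowed in jail(8)", but once SUSER_ALLOWJAIL is gone from the PRIV_VFS_STICKYFILE call nothing at this site expresses that allowance. If the jail decision is now made centrally (not visible in this diff), the comment should say so, for example by replacing that sentence with `Whether these are allowed in jail(8) is decided by the jail privilege policy, not here.` Otherwise a reader auditing jail behaviour will look for the allowance in the wrong place. The comment begins outside the hunk, so its opening lines may need the same adjustment.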