Change privilege model for mac_partition such that BSD superuser can change

the partition once a partition has been set. This is required for correct operation of sendmail between partitions. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
svn path=/head/; revision=106367
2002-11-03 00:53:03 +00:00 · 2002-11-03 00:53:03 +00:00 · 0d89ccd7d5 · 2020-12-20 02:59:44 +00:00
commit 0d89ccd7d5
parent 9aba5a2cdb
1 changed files with 4 additions and 6 deletions
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@ -183,13 +183,11 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)

 	/* Treat "0" as a no-op request. */
 	if (SLOT(newlabel) != 0) {
-		/* If we're already in a partition, can't repartition. */
-		if (SLOT(&cred->cr_label) != 0)
-			return (EPERM);
-
 		/*
-		 * If not in a partition, must have privilege to create
-		 * one.
+		 * Require BSD privilege in order to change the partition.
+		 * Originally we also required that the process not be
+		 * in a partition in the first place, but this didn't
+		 * interact well with sendmail.
 		 */
 		error = suser_cred(cred, 0);
 	}