Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2007-06-12 00:12:01 +00:00
parent efe641b939
commit 32f9753cfb
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=170587
44 changed files with 144 additions and 258 deletions


@ -72,7 +72,7 @@ secpolicy_basic_link(struct ucred *cred)
if (!hardlink_check_uid)
return (0);
return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_LINK, 0));
}
int
@ -86,7 +86,7 @@ int
secpolicy_vnode_remove(struct ucred *cred)
{
return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@ -94,23 +94,20 @@ secpolicy_vnode_access(struct ucred *cred, struct vnode *vp, uint64_t owner,
int mode)
{
if ((mode & VREAD) &&
priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) {
if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) {
return (EACCES);
}
if ((mode & VWRITE) &&
priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) {
priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {
return (EACCES);
}
if (mode & VEXEC) {
if (vp->v_type == VDIR) {
if (priv_check_cred(cred, PRIV_VFS_LOOKUP,
SUSER_ALLOWJAIL) != 0) {
if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) {
return (EACCES);
}
} else {
if (priv_check_cred(cred, PRIV_VFS_EXEC,
SUSER_ALLOWJAIL) != 0) {
if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) {
return (EACCES);
}
}
@ -124,7 +121,7 @@ secpolicy_vnode_setdac(struct ucred *cred, uid_t owner)
if (owner == cred->cr_uid)
return (0);
return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@ -173,8 +170,7 @@ secpolicy_vnode_setattr(struct ucred *cred, struct vnode *vp, struct vattr *vap,
if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
!groupmember(vap->va_gid, cred))) {
error = priv_check_cred(cred, PRIV_VFS_CHOWN,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@ -214,7 +210,7 @@ secpolicy_vnode_setids_setgids(struct ucred *cred, gid_t gid)
{
if (!groupmember(gid, cred))
return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_SETGID, 0));
return (0);
}
@ -222,7 +218,7 @@ int
secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused)
{
return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0));
}
void
@ -230,8 +226,7 @@ secpolicy_setid_clear(struct vattr *vap, struct ucred *cred)
{
if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL)) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
vap->va_mask |= AT_MODE;
vap->va_mode &= ~(S_ISUID|S_ISGID);
}
@ -250,7 +245,7 @@ secpolicy_setid_setsticky_clear(struct vnode *vp, struct vattr *vap,
* is not a member of. Both of these are allowed in jail(8).
*/
if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) {
if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL))
if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
return (EFTYPE);
}
/*
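Review bot: The context comment `* is not a member of. Both of these are allowed in jail(8).` now asserts a policy this call site no longer expresses: with the SUSER_ALLOWJAIL argument gone, whether PRIV_VFS_STICKYFILE is granted inside a jail is decided only by prison_priv_check() in kern_jail.c, so the comment can silently go stale. I would reword it to `* is not a member of. Whether either is permitted in a jail is decided by prison_priv_check().` secpolicy_setid_setsticky_clear() continues past the end of this hunk.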


@ -1079,8 +1079,7 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
* Keep cr_groups[0] unchanged to prevent that.
*/
if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
SUSER_ALLOWJAIL)) != 0) {
if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);


@ -124,8 +124,7 @@ linux_setgroups16(struct thread *td, struct linux_setgroups16_args *args)
* Keep cr_groups[0] unchanged to prevent that.
*/
if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
SUSER_ALLOWJAIL)) != 0) {
if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);


@ -72,7 +72,7 @@ secpolicy_basic_link(struct ucred *cred)
if (!hardlink_check_uid)
return (0);
return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_LINK, 0));
}
int
@ -86,7 +86,7 @@ int
secpolicy_vnode_remove(struct ucred *cred)
{
return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@ -94,23 +94,20 @@ secpolicy_vnode_access(struct ucred *cred, struct vnode *vp, uint64_t owner,
int mode)
{
if ((mode & VREAD) &&
priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) {
if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) {
return (EACCES);
}
if ((mode & VWRITE) &&
priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) {
priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {
return (EACCES);
}
if (mode & VEXEC) {
if (vp->v_type == VDIR) {
if (priv_check_cred(cred, PRIV_VFS_LOOKUP,
SUSER_ALLOWJAIL) != 0) {
if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) {
return (EACCES);
}
} else {
if (priv_check_cred(cred, PRIV_VFS_EXEC,
SUSER_ALLOWJAIL) != 0) {
if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) {
return (EACCES);
}
}
@ -124,7 +121,7 @@ secpolicy_vnode_setdac(struct ucred *cred, uid_t owner)
if (owner == cred->cr_uid)
return (0);
return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@ -173,8 +170,7 @@ secpolicy_vnode_setattr(struct ucred *cred, struct vnode *vp, struct vattr *vap,
if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
!groupmember(vap->va_gid, cred))) {
error = priv_check_cred(cred, PRIV_VFS_CHOWN,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@ -214,7 +210,7 @@ secpolicy_vnode_setids_setgids(struct ucred *cred, gid_t gid)
{
if (!groupmember(gid, cred))
return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_SETGID, 0));
return (0);
}
@ -222,7 +218,7 @@ int
secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused)
{
return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL));
return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0));
}
void
@ -230,8 +226,7 @@ secpolicy_setid_clear(struct vattr *vap, struct ucred *cred)
{
if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL)) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
vap->va_mask |= AT_MODE;
vap->va_mode &= ~(S_ISUID|S_ISGID);
}
@ -250,7 +245,7 @@ secpolicy_setid_setsticky_clear(struct vnode *vp, struct vattr *vap,
* is not a member of. Both of these are allowed in jail(8).
*/
if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) {
if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL))
if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
return (EFTYPE);
}
/*
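Review bot: Same stale comment as in the other copy of this file: `* is not a member of. Both of these are allowed in jail(8).` describes behaviour that, after this change, is fixed by prison_priv_check() rather than by the `priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0)` call below it. Rewording to `* is not a member of. Whether either is permitted in a jail is decided by prison_priv_check().` keeps the two copies from drifting. secpolicy_setid_setsticky_clear() continues past the hunk.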


@ -281,8 +281,7 @@ fd_revoke(td, fd)
goto out;
if (td->td_ucred->cr_uid != vattr.va_uid &&
(error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check(td, PRIV_VFS_ADMIN)) != 0)
goto out;
if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0)


@ -612,8 +612,7 @@ svr4_sys_fchroot(td, uap)
struct file *fp;
int error, vfslocked;
if ((error = priv_check_cred(td->td_ucred, PRIV_VFS_FCHROOT,
SUSER_ALLOWJAIL)) != 0)
if ((error = priv_check(td, PRIV_VFS_FCHROOT)) != 0)
return error;
if ((error = getvnode(fdp, uap->fd, &fp)) != 0)
return error;


@ -1160,8 +1160,7 @@ devfs_setattr(struct vop_setattr_args *ap)
if (uid != de->de_uid || gid != de->de_gid) {
if ((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid ||
(gid != de->de_gid && !groupmember(gid, ap->a_cred))) {
error = priv_check_cred(ap->a_td->td_ucred,
PRIV_VFS_CHOWN, SUSER_ALLOWJAIL);
error = priv_check(ap->a_td, PRIV_VFS_CHOWN);
if (error)
return (error);
}
@ -1172,8 +1171,7 @@ devfs_setattr(struct vop_setattr_args *ap)
if (vap->va_mode != (mode_t)VNOVAL) {
if (ap->a_cred->cr_uid != de->de_uid) {
error = priv_check_cred(ap->a_td->td_ucred,
PRIV_VFS_ADMIN, SUSER_ALLOWJAIL);
error = priv_check(ap->a_td, PRIV_VFS_ADMIN);
if (error)
return (error);
}
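Review bot: The two new `priv_check(ap->a_td, ...)` calls take the privilege from ap->a_td's credential while the ownership tests beside them (`ap->a_cred->cr_uid != de->de_uid`) use ap->a_cred; if those two credentials can ever differ for a VOP_SETATTR caller, the privilege decision is made on a different identity than the DAC comparison. Since the commit already touches these lines, `error = priv_check_cred(ap->a_cred, PRIV_VFS_CHOWN, 0);` and `error = priv_check_cred(ap->a_cred, PRIV_VFS_ADMIN, 0);` would keep both on the same credential. The mismatch is pre-existing, not introduced here, and whether a_cred and a_td->td_ucred actually diverge for devfs is not visible in the hunk; devfs_setattr() extends beyond it on both sides.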


@ -408,8 +408,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid) {
error = priv_check_cred(cred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0);
if (error)
return (error);
}
@ -426,8 +425,7 @@ msdosfs_setattr(ap)
* sensible filesystem attempts it a lot.
*/
if (vap->va_flags & SF_SETTABLE) {
error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0);
if (error)
return (error);
}
@ -454,8 +452,7 @@ msdosfs_setattr(ap)
gid = pmp->pm_gid;
if (cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
(gid != pmp->pm_gid && !groupmember(gid, cred))) {
error = priv_check_cred(cred, PRIV_VFS_CHOWN,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@ -520,8 +517,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid) {
error = priv_check_cred(cred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0);
if (error)
return (error);
}


@ -114,8 +114,7 @@ procfs_ioctl(PFS_IOCTL_ARGS)
* p_candebug() should implement it, or other checks
* are missing.
*/
error = priv_check_cred(td->td_ucred,
PRIV_DEBUG_SUGID, SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_DEBUG_SUGID);
if (error)
break;
}


@ -415,8 +415,7 @@ ext2_setattr(ap)
* Privileged non-jail processes may not modify system flags
* if securelevel > 0 and any existing system flags are set.
*/
if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
SUSER_ALLOWJAIL)) {
if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) {
if (ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
error = securelevel_gt(cred, 0);
@ -535,14 +534,12 @@ ext2_chmod(vp, mode, cred, td)
* process is not a member of.
*/
if (vp->v_type != VDIR && (mode & S_ISTXT)) {
error = priv_check_cred(cred, PRIV_VFS_STICKYFILE,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0);
if (error)
return (EFTYPE);
}
if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) {
error = priv_check_cred(cred, PRIV_VFS_SETGID,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_SETGID, 0);
if (error)
return (error);
}
@ -586,8 +583,7 @@ ext2_chown(vp, uid, gid, cred, td)
*/
if (uid != ip->i_uid || (gid != ip->i_gid &&
!groupmember(gid, cred))) {
error = priv_check_cred(cred, PRIV_VFS_CHOWN,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@ -597,8 +593,7 @@ ext2_chown(vp, uid, gid, cred, td)
ip->i_uid = uid;
ip->i_flag |= IN_CHANGE;
if ((ip->i_mode & (ISUID | ISGID)) && (ouid != uid || ogid != gid)) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL) != 0)
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0) != 0)
ip->i_mode &= ~(ISUID | ISGID);
}
return (0);
@ -1648,8 +1643,7 @@ ext2_makeinode(mode, dvp, vpp, cnp)
tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */
ip->i_nlink = 1;
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred)) {
if (priv_check_cred(cnp->cn_cred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL))
if (priv_check_cred(cnp->cn_cred, PRIV_VFS_RETAINSUGID, 0))
ip->i_mode &= ~ISGID;
}
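Review bot: The comment above the first changed line, `* Privileged non-jail processes may not modify system flags`, no longer matches what this code can guarantee: whether a jailed process passes `priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)` is now decided in prison_priv_check(), so the `non-jail` qualifier is either redundant or wrong depending on that policy. I would drop the qualifier: `* Privileged processes may not modify system flags if securelevel > 0`. Unrelated to this change but visible in the ext2_chmod() hunk, the privilege error is discarded and EFTYPE returned, which is presumably intentional and could use a one-word `/* POSIX */`-style note. ext2_setattr() starts before its hunk.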


@ -567,8 +567,7 @@ do_execve(td, args, mac_p)
#ifdef KTRACE
if (p->p_tracevp != NULL &&
priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED,
SUSER_ALLOWJAIL)) {
priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, 0)) {
mtx_lock(&ktrace_mtx);
p->p_traceflag = 0;
tracevp = p->p_tracevp;


@ -306,8 +306,7 @@ fork1(td, flags, pages, procp)
*
* XXXRW: Can we avoid privilege here if it's not needed?
*/
error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID |
SUSER_ALLOWJAIL);
error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID);
if (error == 0)
ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
else {


@ -793,8 +793,7 @@ ktrops(td, p, ops, facs, vp)
p->p_tracecred = crhold(td->td_ucred);
}
p->p_traceflag |= facs;
if (priv_check_cred(td->td_ucred, PRIV_KTRACE,
SUSER_ALLOWJAIL) == 0)
if (priv_check(td, PRIV_KTRACE) == 0)
p->p_traceflag |= KTRFAC_ROOT;
} else {
/* KTROP_CLEAR */
@ -1000,7 +999,7 @@ ktrcanset(td, targetp)
PROC_LOCK_ASSERT(targetp, MA_OWNED);
if (targetp->p_traceflag & KTRFAC_ROOT &&
priv_check_cred(td->td_ucred, PRIV_KTRACE, SUSER_ALLOWJAIL))
priv_check(td, PRIV_KTRACE))
return (0);
if (p_candebug(td, targetp) != 0)


@ -77,18 +77,8 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
/*
* Jail policy will restrict certain privileges that may otherwise be
* be granted.
*
* While debugging the transition from SUSER_ALLOWJAIL to Jail being
* aware of specific privileges, perform run-time checking that the
* two versions of the policy align. This assertion will go away
* once the SUSER_ALLOWJAIL flag has gone away.
*/
error = prison_priv_check(cred, priv);
#ifdef NOTYET
KASSERT(!jailed(cred) || error == ((flags & SUSER_ALLOWJAIL) ? 0 :
EPERM), ("priv_check_cred: prison_priv_check %d but flags %s",
error, flags & SUSER_ALLOWJAIL ? "allowjail" : "!allowjail"));
#endif
if (error)
return (error);
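Review bot: With the NOTYET cross-check removed, nothing left in priv_check_cred() tells a reader which `flags` bits are still honoured, and an out-of-tree caller that keeps passing SUSER_ALLOWJAIL now gets a silent no-op instead of a diagnostic. I would say so where the jail decision is made, which also fixes the doubled word in the existing text: `* Jail policy will restrict certain privileges that may otherwise be` / `* granted; SUSER_ALLOWJAIL is no longer consulted here, prison_priv_check() decides.` A KASSERT rejecting unknown flag bits would be stronger, but only if suser_cred(), which the commit keeps for external modules, masks them first. priv_check_cred() begins before this hunk.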


@ -511,8 +511,7 @@ setuid(struct thread *td, struct setuid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
#endif
(error = priv_check_cred(oldcred, PRIV_CRED_SETUID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0)
goto fail;
/*
@ -529,7 +528,7 @@ setuid(struct thread *td, struct setuid_args *uap)
uid == oldcred->cr_uid ||
#endif
/* We are using privs. */
priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0)
priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0)
#endif
{
/*
@ -602,8 +601,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
(error = priv_check_cred(oldcred, PRIV_CRED_SETEUID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0)
goto fail;
/*
@ -672,8 +670,7 @@ setgid(struct thread *td, struct setgid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
#endif
(error = priv_check_cred(oldcred, PRIV_CRED_SETGID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@ -687,7 +684,7 @@ setgid(struct thread *td, struct setgid_args *uap)
gid == oldcred->cr_groups[0] ||
#endif
/* We are using privs. */
priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0)
priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0)
#endif
{
/*
@ -756,8 +753,7 @@ setegid(struct thread *td, struct setegid_args *uap)
if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
(error = priv_check_cred(oldcred, PRIV_CRED_SETEGID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@ -817,8 +813,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
goto fail;
#endif
error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
SUSER_ALLOWJAIL);
error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0);
if (error)
goto fail;
@ -887,8 +882,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
ruid != oldcred->cr_svuid) ||
(euid != (uid_t)-1 && euid != oldcred->cr_uid &&
euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
(error = priv_check_cred(oldcred, PRIV_CRED_SETREUID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@ -953,8 +947,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
rgid != oldcred->cr_svgid) ||
(egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
(error = priv_check_cred(oldcred, PRIV_CRED_SETREGID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@ -1030,8 +1023,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
(suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
suid != oldcred->cr_svuid &&
suid != oldcred->cr_uid)) &&
(error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@ -1108,8 +1100,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
(sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
sgid != oldcred->cr_svgid &&
sgid != oldcred->cr_groups[0])) &&
(error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@ -1317,8 +1308,7 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2)
{
if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL)
!= 0)
if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0)
return (ESRCH);
}
return (0);
@ -1357,8 +1347,7 @@ cr_seeothergids(struct ucred *u1, struct ucred *u2)
break;
}
if (!match) {
if (priv_check_cred(u1, PRIV_SEEOTHERGIDS,
SUSER_ALLOWJAIL) != 0)
if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0)
return (ESRCH);
}
}
@ -1475,8 +1464,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
break;
default:
/* Not permitted without privilege. */
error = priv_check_cred(cred, PRIV_SIGNAL_SUGID,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0);
if (error)
return (error);
}
@ -1490,9 +1478,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
cred->cr_ruid != proc->p_ucred->cr_svuid &&
cred->cr_uid != proc->p_ucred->cr_ruid &&
cred->cr_uid != proc->p_ucred->cr_svuid) {
/* Not permitted without privilege. */
error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0);
if (error)
return (error);
}
@ -1570,8 +1556,7 @@ p_cansched(struct thread *td, struct proc *p)
return (error);
if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_SCHED_DIFFCRED);
if (error)
return (error);
}
@ -1610,8 +1595,7 @@ p_candebug(struct thread *td, struct proc *p)
KASSERT(td == curthread, ("%s: td not curthread", __func__));
PROC_LOCK_ASSERT(p, MA_OWNED);
if (!unprivileged_proc_debug) {
error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_DEBUG_UNPRIV);
if (error)
return (error);
}
@ -1662,15 +1646,13 @@ p_candebug(struct thread *td, struct proc *p)
* for td to debug p.
*/
if (!grpsubset || !uidsubset) {
error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_DEBUG_DIFFCRED);
if (error)
return (error);
}
if (credentialchanged) {
error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_DEBUG_SUGID);
if (error)
return (error);
}
@ -1940,8 +1922,7 @@ setlogin(struct thread *td, struct setlogin_args *uap)
int error;
char logintmp[MAXLOGNAME];
error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_PROC_SETLOGIN);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
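Review bot: In the cr_cansignal() hunk for PRIV_SIGNAL_DIFFCRED the counts (`-1490,9 +1478,7`) imply that the `/* Not permitted without privilege. */` comment was dropped together with the two old call lines, whereas the sibling PRIV_SIGNAL_SUGID hunk just above keeps its copy; if that is what happened it looks accidental, and the comment should be restored above `error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0);`. The priv_check() conversions in p_cansched() and p_candebug() are consistent with the `td == curthread` assertion visible in p_candebug(). All of the functions touched here extend outside their hunks.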


@ -688,8 +688,7 @@ kern_setrlimit(td, which, limp)
alimp = &oldlim->pl_rlimit[which];
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
if ((error = priv_check_cred(td->td_ucred,
PRIV_PROC_SETRLIMIT, SUSER_ALLOWJAIL))) {
if ((error = priv_check(td, PRIV_PROC_SETRLIMIT))) {
PROC_UNLOCK(p);
lim_free(newlim);
return (error);
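Review bot: The rewritten `if ((error = priv_check(td, PRIV_PROC_SETRLIMIT))) {` is the body of an unbraced outer `if` whose condition spans two lines, so the braces belong to the inner statement only; a later `else` would bind to the inner `if` and the nesting is easy to misread. Bracing the outer condition, `if (limp->rlim_cur > alimp->rlim_max || limp->rlim_max > alimp->rlim_max) {`, with a matching close after the inner block, makes the structure explicit. kern_setrlimit() continues past the hunk.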


@ -1280,8 +1280,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
/* Is this sysctl writable by only privileged users? */
if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {
if (oid->oid_kind & CTLFLAG_PRISON)
error = priv_check_cred(req->td->td_ucred,
PRIV_SYSCTL_WRITEJAIL, SUSER_ALLOWJAIL);
error = priv_check(req->td, PRIV_SYSCTL_WRITEJAIL);
else
error = priv_check(req->td, PRIV_SYSCTL_WRITE);
if (error)


@ -82,24 +82,22 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
if (type == VDIR) {
if ((acc_mode & VEXEC) && !priv_check_cred(cred,
PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL))
PRIV_VFS_LOOKUP, 0))
priv_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && !priv_check_cred(cred,
PRIV_VFS_EXEC, SUSER_ALLOWJAIL))
PRIV_VFS_EXEC, 0))
priv_granted |= VEXEC;
}
if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ,
SUSER_ALLOWJAIL))
if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0))
priv_granted |= VREAD;
if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
!priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL))
!priv_check_cred(cred, PRIV_VFS_WRITE, 0))
priv_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL))
if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
priv_granted |= VADMIN;
/*


@ -125,22 +125,19 @@ ipcperm(struct thread *td, struct ipc_perm *perm, int acc_mode)
*/
priv_granted = 0;
if ((acc_mode & IPC_M) && !(dac_granted & IPC_M)) {
error = priv_check_cred(td->td_ucred, PRIV_IPC_ADMIN,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_IPC_ADMIN);
if (error == 0)
priv_granted |= IPC_M;
}
if ((acc_mode & IPC_R) && !(dac_granted & IPC_R)) {
error = priv_check_cred(td->td_ucred, PRIV_IPC_READ,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_IPC_READ);
if (error == 0)
priv_granted |= IPC_R;
}
if ((acc_mode & IPC_W) && !(dac_granted & IPC_W)) {
error = priv_check_cred(td->td_ucred, PRIV_IPC_WRITE,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_IPC_WRITE);
if (error == 0)
priv_granted |= IPC_W;
}


@ -502,8 +502,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M)))
goto done2;
if (msqbuf->msg_qbytes > msqkptr->u.msg_qbytes) {
error = priv_check_cred(td->td_ucred,
PRIV_IPC_MSGSIZE, SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_IPC_MSGSIZE);
if (error)
goto done2;
}


@ -961,8 +961,7 @@ int do_unlink(struct mqfs_node *pn, struct ucred *ucred)
sx_assert(&pn->mn_info->mi_lock, SX_LOCKED);
if (ucred->cr_uid != pn->mn_uid &&
(error = priv_check_cred(ucred, PRIV_MQ_ADMIN,
SUSER_ALLOWJAIL)) != 0)
(error = priv_check_cred(ucred, PRIV_MQ_ADMIN, 0)) != 0)
error = EACCES;
else if (!pn->mn_deleted) {
parent = pn->mn_parent;
@ -1221,8 +1220,7 @@ mqfs_setattr(struct vop_setattr_args *ap)
*/
if (((ap->a_cred->cr_uid != pn->mn_uid) || uid != pn->mn_uid ||
(gid != pn->mn_gid && !groupmember(gid, ap->a_cred))) &&
(error = priv_check_cred(ap->a_td->td_ucred,
PRIV_MQ_ADMIN, SUSER_ALLOWJAIL)) != 0)
(error = priv_check(ap->a_td, PRIV_MQ_ADMIN)) != 0)
return (error);
pn->mn_uid = uid;
pn->mn_gid = gid;
@ -1231,8 +1229,7 @@ mqfs_setattr(struct vop_setattr_args *ap)
if (vap->va_mode != (mode_t)VNOVAL) {
if ((ap->a_cred->cr_uid != pn->mn_uid) &&
(error = priv_check_cred(ap->a_td->td_ucred,
PRIV_MQ_ADMIN, SUSER_ALLOWJAIL)))
(error = priv_check(ap->a_td, PRIV_MQ_ADMIN)))
return (error);
pn->mn_mode = vap->va_mode;
c = 1;
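Review bot: In mqfs_setattr() the two new `priv_check(ap->a_td, PRIV_MQ_ADMIN)` calls take the privilege from ap->a_td's credential while the ownership tests they are joined to compare `ap->a_cred->cr_uid`, so if a caller ever passes a credential different from the thread's, ownership and privilege are judged on different identities; do_unlink() in the first hunk, by contrast, uses its single `ucred` for both. `priv_check_cred(ap->a_cred, PRIV_MQ_ADMIN, 0)` at both sites would keep them aligned. Whether a_cred can differ from a_td->td_ucred for mqfs is not visible here; mqfs_setattr() continues beyond the hunk.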


@ -918,7 +918,7 @@ vfs_domount(
}
if (va.va_uid != td->td_ucred->cr_uid) {
error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL);
0);
if (error) {
vput(vp);
return (error);
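Review bot: This call keeps `priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,` with a lone `0);` on the following line, whereas the commit's own rule in the description (move to priv_check() for thread operations with no other flags) was applied to the equivalent call in revoke() elsewhere in this change; `error = priv_check(td, PRIV_VFS_ADMIN);` fits on one line and matches that convention. vfs_domount() extends outside the hunk.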


@ -3299,24 +3299,24 @@ vaccess(enum vtype type, mode_t file_mode, uid_t file_uid, gid_t file_gid,
* requests, instead of PRIV_VFS_EXEC.
*/
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
!priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL))
!priv_check_cred(cred, PRIV_VFS_LOOKUP, 0))
priv_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
!priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL))
!priv_check_cred(cred, PRIV_VFS_EXEC, 0))
priv_granted |= VEXEC;
}
if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) &&
!priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL))
!priv_check_cred(cred, PRIV_VFS_READ, 0))
priv_granted |= VREAD;
if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) &&
!priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL))
!priv_check_cred(cred, PRIV_VFS_WRITE, 0))
priv_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) &&
!priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL))
!priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
priv_granted |= VADMIN;
if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) {


@ -837,8 +837,7 @@ chroot(td, uap)
struct nameidata nd;
int vfslocked;
error = priv_check_cred(td->td_ucred, PRIV_VFS_CHROOT,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_VFS_CHROOT);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1,
@ -1367,15 +1366,13 @@ can_hardlink(struct vnode *vp, struct thread *td, struct ucred *cred)
return (error);
if (hardlink_check_uid && cred->cr_uid != va.va_uid) {
error = priv_check_cred(cred, PRIV_VFS_LINK,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_LINK, 0);
if (error)
return (error);
}
if (hardlink_check_gid && !groupmember(va.va_gid, cred)) {
error = priv_check_cred(cred, PRIV_VFS_LINK,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_LINK, 0);
if (error)
return (error);
}
@ -2337,8 +2334,7 @@ setfflags(td, vp, flags)
* chown can't fail when done as root.
*/
if (vp->v_type == VCHR || vp->v_type == VBLK) {
error = priv_check_cred(td->td_ucred, PRIV_VFS_CHFLAGS_DEV,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_VFS_CHFLAGS_DEV);
if (error)
return (error);
}
@ -3840,8 +3836,7 @@ revoke(td, uap)
if (error)
goto out;
if (td->td_ucred->cr_uid != vattr.va_uid) {
error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_VFS_ADMIN);
if (error)
goto out;
}


@ -340,13 +340,13 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
if (ntohs(lport) <= ipport_reservedhigh &&
ntohs(lport) >= ipport_reservedlow &&
priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL))
0))
return (EACCES);
if (jailed(cred))
prison = 1;
if (!IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) &&
priv_check_cred(so->so_cred,
PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) {
PRIV_NETINET_REUSEPORT, 0) != 0) {
t = in_pcblookup_local(inp->inp_pcbinfo,
sin->sin_addr, lport,
prison ? 0 : INPLOOKUP_WILDCARD);
@ -411,7 +411,7 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
lastport = &pcbinfo->ipi_lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
error = priv_check_cred(cred,
PRIV_NETINET_RESERVEDPORT, SUSER_ALLOWJAIL);
PRIV_NETINET_RESERVEDPORT, 0);
if (error)
return error;
first = ipport_lowfirstauto; /* 1023 */
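Review bot: The reserved-port check on the first changed line is made against the `cred` argument while the REUSEPORT check a few lines below uses `so->so_cred`, so a single bind() is judged by two credentials; if `cred` is the calling thread's credential and so_cred the socket creator's (not visible in this hunk), a privilege that one holds and the other does not is decided inconsistently. The commit does not change which credential is used, but now that jail policy is applied per credential by prison_priv_check() the difference is more observable than before; I would at least record it: `/* XXX: RESERVEDPORT is checked against cred, REUSEPORT against so->so_cred. */`. The surviving `jailed(cred)` test only scopes the wildcard lookup, so it is not the caller-side exception checking the description removes. in_pcbbind_setup() continues beyond both hunks.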


@ -607,13 +607,8 @@ rip_attach(struct socket *so, int proto, struct thread *td)
inp = sotoinpcb(so);
KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
/*
* XXXRW: Centralize privilege decision in kern_jail.c.
*/
if (jailed(td->td_ucred) && !jail_allow_raw_sockets)
return (EPERM);
error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_NETINET_RAW);
if (error)
return error;
if (proto >= IPPROTO_MAX || proto < 0)
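Review bot: Deleting the `jailed(td->td_ucred) && !jail_allow_raw_sockets` test leaves `priv_check(td, PRIV_NETINET_RAW)` as the only thing between a jailed root process and a raw socket, so this is safe only if prison_priv_check() in kern_jail.c now consults jail_allow_raw_sockets for PRIV_NETINET_RAW; that file is not in this section, so it cannot be confirmed here and should be checked before merge. The removed code also returned a fixed EPERM, whereas the new path returns whatever prison_priv_check() yields, which matters if any caller inspects the errno. A pointer for the next reader would help: `/* Jail policy for raw sockets (jail_allow_raw_sockets) is applied inside prison_priv_check(). */`. rip_attach() continues past the hunk.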


@ -2155,10 +2155,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct thread *p)
/* got to be root to get at low ports */
if (ntohs(lport) < IPPORT_RESERVED) {
if (p && (error =
priv_check_cred(p->td_ucred,
PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL
)
priv_check(p, PRIV_NETINET_RESERVEDPORT)
)) {
SCTP_INP_DECR_REF(inp);
SCTP_INP_WUNLOCK(inp);
@ -2228,10 +2225,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct thread *p)
last = ipport_hilastauto;
} else if (ip_inp->inp_flags & INP_LOWPORT) {
if (p && (error =
priv_check_cred(p->td_ucred,
PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL
)
priv_check(p, PRIV_NETINET_RESERVEDPORT)
)) {
SCTP_INP_DECR_REF(inp);
SCTP_INP_WUNLOCK(inp);
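Review bot: Both new `priv_check(p, PRIV_NETINET_RESERVEDPORT)` calls are guarded by `p &&`, so when no thread is supplied the reserved-port and INP_LOWPORT restrictions are skipped rather than denied; that was already the case before this change, but with priv_check() now requiring a thread the p == NULL path deserves an explicit decision instead of being inherited. If the socket's credential is the right identity for in-kernel callers, `error = p ? priv_check(p, PRIV_NETINET_RESERVEDPORT) : priv_check_cred(so->so_cred, PRIV_NETINET_RESERVEDPORT, 0);` would keep the check on that path; whether so->so_cred is appropriate here is not visible from the hunk. sctp_inpcb_bind() extends well beyond both hunks.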


@ -386,13 +386,8 @@ sctp_getcred(SYSCTL_HANDLER_ARGS)
/* FIX, for non-bsd is this right? */
vrf_id = SCTP_DEFAULT_VRFID;
/*
* XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket
* visibility is scoped using cr_canseesocket(), which it is not
* here.
*/
error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
SUSER_ALLOWJAIL);
error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
@ -3439,9 +3434,8 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
{
union sctp_sockstore *ss;
error = priv_check_cred(curthread->td_ucred,
PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL);
error = priv_check(curthread,
PRIV_NETINET_RESERVEDPORT);
if (error)
break;
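Review bot: The deleted comment was the only record that sctp_getcred() lacks the cr_canseesocket()-style visibility scoping the other getcred handlers have, and nothing replaces it; the commit adds an equivalent `XXXRW: There should be a scoping access control check here.` note in udp6_getcred() but not here, so the gap becomes invisible. Either keep a one-line marker at the call, `/* XXXRW: socket visibility is not scoped here (no cr_canseesocket()). */`, or add the check itself. The second hunk's move to priv_check(curthread, ...) is fine for a setsockopt path. Both functions start before their hunks.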


@ -1019,8 +1019,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error;
error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
SUSER_ALLOWJAIL);
error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
@ -1064,8 +1063,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, mapped = 0;
error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
SUSER_ALLOWJAIL);
error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));


@ -696,8 +696,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error;
error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
SUSER_ALLOWJAIL);
error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));


@ -192,11 +192,11 @@ in6_pcbbind(inp, nam, cred)
if (ntohs(lport) <= ipport_reservedhigh &&
ntohs(lport) >= ipport_reservedlow &&
priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL))
0))
return (EACCES);
if (!IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) &&
priv_check_cred(so->so_cred,
PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) {
PRIV_NETINET_REUSEPORT, 0) != 0) {
t = in6_pcblookup_local(pcbinfo,
&sin6->sin6_addr, lport,
INPLOOKUP_WILDCARD);
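Review bot: As in the IPv4 path, the reserved-port check on the first changed line is made against `cred` while the REUSEPORT check uses `so->so_cred`, so one bind() may be judged by two different credentials; if these can differ (thread credential versus socket creator, which this hunk does not show), the per-credential jail policy now applied by prison_priv_check() makes the inconsistency observable. I would mark it for follow-up: `/* XXX: RESERVEDPORT uses cred, REUSEPORT uses so->so_cred. */`. in6_pcbbind() continues beyond the hunk.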


@ -775,8 +775,7 @@ in6_pcbsetport(laddr, inp, cred)
last = ipport_hilastauto;
lastport = &pcbinfo->ipi_lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
if (error)
return error;
first = ipport_lowfirstauto; /* 1023 */


@ -352,7 +352,7 @@ rip6_output(m, va_alist)
INP_LOCK(in6p);
priv = 0;
if (suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0)
if (suser_cred(so->so_cred, 0) == 0)
priv = 1;
dst = &dstsock->sin6_addr;
if (control) {
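Review bot: rip6_output() is one of the KAME sites the description says cannot move off suser() yet, and only the flag changes here, so `priv` is still derived from `suser_cred(so->so_cred, 0)` rather than a named privilege; whether suser_cred() routes through prison_priv_check() is not visible in the hunk, and if it does not, jailed raw-IPv6 senders are judged by a different policy than rip_attach()'s PRIV_NETINET_RAW check. A comment at the assignment would stop the next cleanup from guessing: `/* XXXRW: suser_cred() rather than a PRIV_* check; priv is consumed on deferred output paths. */`. The function continues beyond the hunk.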


@ -439,13 +439,7 @@ sctp6_getcred(SYSCTL_HANDLER_ARGS)
vrf_id = SCTP_DEFAULT_VRFID;
/*
* XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket
* visibility is scoped using cr_canseesocket(), which it is not
* here.
*/
error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_RESERVEDPORT,
0);
error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
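Review bot: Switching the privilege from PRIV_NETINET_RESERVEDPORT to PRIV_NETINET_GETCRED is a behavioural correction (the old code asked for the wrong privilege) that the commit message, which describes only flag removal, does not mention; a line there would stop it being mistaken for a mechanical edit. As in sctp_getcred(), the deleted XXXRW comment documented the missing socket-visibility scoping and nothing re-records it, unlike udp6_getcred() where the commit adds `XXXRW: There should be a scoping access control check here.`; I would keep a matching one-line note here. sctp6_getcred() starts before the hunk.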


@ -437,8 +437,7 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error;
error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
SUSER_ALLOWJAIL);
error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
@ -465,6 +464,9 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
INP_LOCK(inp);
KASSERT(inp->inp_socket != NULL,
("udp6_getcred: inp_socket == NULL"));
/*
* XXXRW: There should be a scoping access control check here.
*/
cru2x(inp->inp_socket->so_cred, &xuc);
INP_UNLOCK(inp);
INP_INFO_RUNLOCK(&udbinfo);
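Review bot: The added `XXXRW: There should be a scoping access control check here.` comment names neither the check nor what it should scope against; `cr_canseesocket(struct ucred *cred, struct socket *so)` declared in sys/systm.h is the obvious candidate, and the comment sits directly before the `cru2x(inp->inp_socket->so_cred, &xuc)` copy it should guard. Suggest `/* XXXRW: Missing cr_canseesocket(req->td->td_ucred, inp->inp_socket) before exporting the socket credential. */`. If the check is later added, the inp is locked at that point, so the failure path would need the same unlocking as the existing error returns, which lie outside this hunk.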


@ -212,11 +212,9 @@ if_handoff(struct ifqueue *ifq, struct mbuf *m, struct ifnet *ifp, int adjust)
/*
* 8. Test for "privileged" socket opened by superuser.
* FreeBSD tests ((so)->so_cred != NULL && priv_check_cred((so)->so_cred,
* PRIV_NETINET_IPSEC, SUSER_ALLOWJAIL) == 0).
* PRIV_NETINET_IPSEC, 0) == 0).
* NetBSD (1.6N) tests (so)->so_uid == 0).
* This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro.
*
* XXXRW: Why was this suser_allowjail?
*/
#ifdef __FreeBSD__
#define IPSEC_IS_PRIVILEGED_SO(_so) \
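Review bot: The comment now states that FreeBSD tests `priv_check_cred((so)->so_cred, PRIV_NETINET_IPSEC, 0) == 0`, but the IPSEC_IS_PRIVILEGED_SO() macro whose body it paraphrases begins on the last line of this hunk and continues outside it, so the two can only be confirmed consistent by checking that hunk. Because the comment duplicates the macro body verbatim, a looser wording such as `FreeBSD tests (so)->so_cred with priv_check_cred(); see IPSEC_IS_PRIVILEGED_SO() below.` would not fall out of date the next time the call changes.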


@ -419,8 +419,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
return (error);
}


@ -114,8 +114,7 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
return (0);
if (suser_privileged) {
if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL)
== 0)
if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, 0) == 0)
return (0);
}


@ -466,6 +466,18 @@ struct thread;
struct ucred;
int priv_check(struct thread *td, int priv);
int priv_check_cred(struct ucred *cred, int priv, int flags);
/*
* Continue to support external modules that rely on suser(9) -- for now.
*/
int suser(struct thread *td);
int suser_cred(struct ucred *cred, int flags);
/*
* For historical reasons, flags to priv_check_cred() retain the SUSER_
* prefix.
*/
#define SUSER_RUID 2
#endif
#endif /* !_SYS_PRIV_H_ */
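Review bot: `suser_cred(struct ucred *cred, int flags)` keeps its flags parameter while the only flag still defined after this commit is `SUSER_RUID` (the `SUSER_ALLOWJAIL` definition is deleted from sys/systm.h), and the header comment does not say which flags suser_cred() or priv_check_cred() still honour. The `Continue to support external modules` comment also overstates the compatibility: an out-of-tree module passing SUSER_ALLOWJAIL no longer compiles, and one built against the old header passes a literal 1 whose meaning after this change is not documented here. Suggest extending the comment, e.g. `/* Only SUSER_RUID remains; SUSER_ALLOWJAIL is gone -- jail policy is decided in kern_jail.c. */`, and consider having suser_cred() and priv_check_cred() reject unknown flag bits so a stale flag value fails loudly instead of being silently ignored.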


@ -234,12 +234,6 @@ void stopprofclock(struct proc *);
void cpu_startprofclock(void);
void cpu_stopprofclock(void);
/* flags for suser() and suser_cred() */
#define SUSER_ALLOWJAIL 1
#define SUSER_RUID 2
int suser(struct thread *td);
int suser_cred(struct ucred *cred, int flags);
int cr_cansee(struct ucred *u1, struct ucred *u2);
int cr_canseesocket(struct ucred *cred, struct socket *so);


@ -173,7 +173,7 @@ ffs_alloc(ip, lbn, bpref, size, cred, bnp)
#endif
if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0)
goto nospace;
if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) &&
if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) &&
freespace(fs, fs->fs_minfree) - numfrags(fs, size) < 0)
goto nospace;
if (bpref >= fs->fs_size)
@ -268,7 +268,7 @@ ffs_realloccg(ip, lbprev, bprev, bpref, osize, nsize, cred, bpp)
#endif /* DIAGNOSTIC */
reclaimed = 0;
retry:
if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) &&
if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) &&
freespace(fs, fs->fs_minfree) - numfrags(fs, nsize - osize) < 0) {
goto nospace;
}
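Review bot: `priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) &&` in ffs_alloc, and the identical line in the ffs_realloccg hunk below, test an errno-style return value as a bare boolean, so the reader must already know that non-zero means "privilege denied" before the following `freespace() < 0` reserve test makes sense. Writing `priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) != 0 &&` with a one-line comment such as `/* Only privileged users may allocate out of the minfree reserve. */` makes the intent explicit at both sites. Both functions begin and end outside their hunks.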


@ -790,8 +790,7 @@ ffs_write(ap)
*/
if ((ip->i_mode & (ISUID | ISGID)) && resid > uio->uio_resid &&
ap->a_cred) {
if (priv_check_cred(ap->a_cred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL)) {
if (priv_check_cred(ap->a_cred, PRIV_VFS_RETAINSUGID, 0)) {
ip->i_mode &= ~(ISUID | ISGID);
DIP_SET(ip, i_mode, ip->i_mode);
}
@ -1121,8 +1120,7 @@ ffs_extwrite(struct vnode *vp, struct uio *uio, int ioflag, struct ucred *ucred)
* tampering.
*/
if ((ip->i_mode & (ISUID | ISGID)) && resid > uio->uio_resid && ucred) {
if (priv_check_cred(ucred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL)) {
if (priv_check_cred(ucred, PRIV_VFS_RETAINSUGID, 0)) {
ip->i_mode &= ~(ISUID | ISGID);
dp->di_mode = ip->i_mode;
}


@ -515,7 +515,7 @@ quotaon(td, mp, type, fname)
int error, flags, vfslocked;
struct nameidata nd;
error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAON, 0);
error = priv_check(td, PRIV_UFS_QUOTAON);
if (error)
return (error);
@ -747,10 +747,7 @@ quotaoff(td, mp, type)
struct ufsmount *ump;
int error;
/*
* XXXRW: This also seems wrong to allow in a jail?
*/
error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAOFF, 0);
error = priv_check(td, PRIV_UFS_QUOTAOFF);
if (error)
return (error);
@ -783,8 +780,7 @@ getquota(td, mp, id, type, addr)
switch (type) {
case USRQUOTA:
if ((td->td_ucred->cr_uid != id) && !unprivileged_get_quota) {
error = priv_check_cred(td->td_ucred,
PRIV_VFS_GETQUOTA, SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_VFS_GETQUOTA);
if (error)
return (error);
}
@ -793,8 +789,7 @@ getquota(td, mp, id, type, addr)
case GRPQUOTA:
if (!groupmember(id, td->td_ucred) &&
!unprivileged_get_quota) {
error = priv_check_cred(td->td_ucred,
PRIV_VFS_GETQUOTA, SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_VFS_GETQUOTA);
if (error)
return (error);
}
@ -830,8 +825,7 @@ setquota(td, mp, id, type, addr)
struct dqblk newlim;
int error;
error = priv_check_cred(td->td_ucred, PRIV_VFS_SETQUOTA,
SUSER_ALLOWJAIL);
error = priv_check(td, PRIV_VFS_SETQUOTA);
if (error)
return (error);
@ -901,7 +895,7 @@ setuse(td, mp, id, type, addr)
struct dqblk usage;
int error;
error = priv_check_cred(td->td_ucred, PRIV_UFS_SETUSE, 0);
error = priv_check(td, PRIV_UFS_SETUSE);
if (error)
return (error);


@ -490,12 +490,8 @@ ufs_setattr(ap)
* processes if the security.jail.chflags_allowed sysctl is
* is non-zero; otherwise, they behave like unprivileged
* processes.
*
* XXXRW: Move implementation of jail_chflags_allowed to
* kern_jail.c.
*/
if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) {
if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) {
if (ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
error = securelevel_gt(cred, 0);
@ -663,13 +659,11 @@ ufs_chmod(vp, mode, cred, td)
* jail(8).
*/
if (vp->v_type != VDIR && (mode & S_ISTXT)) {
if (priv_check_cred(cred, PRIV_VFS_STICKYFILE,
SUSER_ALLOWJAIL))
if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
return (EFTYPE);
}
if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) {
error = priv_check_cred(cred, PRIV_VFS_SETGID,
SUSER_ALLOWJAIL);
error = priv_check_cred(cred, PRIV_VFS_SETGID, 0);
if (error)
return (error);
}
@ -718,7 +712,7 @@ ufs_chown(vp, uid, gid, cred, td)
*/
if ((uid != ip->i_uid ||
(gid != ip->i_gid && !groupmember(gid, cred))) &&
(error = priv_check_cred(cred, PRIV_VFS_CHOWN, SUSER_ALLOWJAIL)))
(error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0)))
return (error);
ogid = ip->i_gid;
ouid = ip->i_uid;
@ -790,8 +784,7 @@ ufs_chown(vp, uid, gid, cred, td)
#endif /* QUOTA */
ip->i_flag |= IN_CHANGE;
if ((ip->i_mode & (ISUID | ISGID)) && (ouid != uid || ogid != gid)) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
SUSER_ALLOWJAIL)) {
if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
ip->i_mode &= ~(ISUID | ISGID);
DIP_SET(ip, i_mode, ip->i_mode);
}
@ -2371,8 +2364,7 @@ ufs_makeinode(mode, dvp, vpp, cnp)
if (DOINGSOFTDEP(tvp))
softdep_change_linkcnt(ip);
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID,
SUSER_ALLOWJAIL)) {
priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID, 0)) {
ip->i_mode &= ~ISGID;
DIP_SET(ip, i_mode, ip->i_mode);
}