d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

o When performing a securelevel check as part of securelevel_ge() or

Browse Source 
securelevel_gt(), determine first if a local securelevel exists --
  if so, perform the check based on imax(local, global).  Otherwise,
  simply use the global value.
o Note: even though local securelevels might lag below the global one,
  if the global value is updated to higher than local values, maximum
  will still be used, making the global dominant even if there is local
  lag.

Obtained from:	TrustedBSD Project
This commit is contained in:
rwatson 2001-09-26 20:41:48 +00:00
parent 90600b5b23
commit c3b8575001
1 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
sys/kern/kern_prot.c
View File

@ -1301,18 +1301,14 @@ suser_xxx(cred, proc, flag)
/*
* Test securelevel values against passed required securelevel.
* _gt implements (level > securelevel), and _ge implements
* Test (local, globale) securelevel values against passed required
* securelevel. _gt implements (level > securelevel), and _ge implements
* (level >= securelevel). Returns 0 oer EPERM.
*
* cr is permitted to be NULL for the time being, as there were some
* existing securelevel checks that occurred without a process/credential
* context. In the future this will be disallowed, so a kernel
* message is displayed.
*
* XXX: The redundant construction below is to facilitate the merging
* of support for per-jail securelevels, which maintain a local
* jail securelevel in the process credential.
*/
int
securelevel_gt(struct ucred *cr, int level)
@ -1324,12 +1320,18 @@ securelevel_gt(struct ucred *cr, int level)
return (0);
else
return (EPERM);
} else {
} else if (cr->cr_prison == NULL) {
if (level > securelevel)
return (0);
else
return (EPERM);
} else {
if (level > imax(cr->cr_prison->pr_securelevel, securelevel))
return (0);
else
return (EPERM);
}
}
int
@ -1342,11 +1344,16 @@ securelevel_ge(struct ucred *cr, int level)
return (0);
else
return (EPERM);
} else {
} if (cr->cr_prison == NULL) {
if (level >= securelevel)
return (0);
else
return (EPERM);
} else {
if (level >= imax(cr->cr_prison->pr_securelevel, securelevel))
return (0);
else
return (EPERM);
}
}