freebsd-skq/sys/kern
rwatson 678b28a532 In my first reading of POSIX.1e, I misinterpreted handling of the
ACL_USER_OBJ and ACL_GROUP_OBJ fields, believing that modification of the
access ACL could be used by privileged processes to change file/directory
ownership.  In fact, this is incorrect; ACL_*_OBJ (+ ACL_MASK and
ACL_OTHER) should have undefined ae_id fields; this commit attempts
to correct that misunderstanding.

o Modify arguments to vaccess_acl_posix1e() to accept the uid and gid
  associated with the vnode, as those can no longer be extracted from
  the ACL passed as an argument.  Perform all comparisons against
  the passed arguments.  This actually has the effect of simplifying
  a number of components of this call, as well as reducing the indent
  level, but now separates handling of ACL_GROUP_OBJ from ACL_GROUP.

o Modify acl_posix1e_check() to return EINVAL if the ae_id field of
  any of the ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} entries is a value
  other than ACL_UNDEFINED_ID.  As a temporary work-around to allow
  clean upgrades, set the ae_id field to ACL_UNDEFINED_ID before
  each check so that this cannot cause a failure in the short term
  (this work-around will be removed when the userland libraries and
  utilities are updated to take this change into account).

o Modify ufs_sync_acl_from_inode() so that it forces
  ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} ae_id fields to ACL_UNDEFINED_ID
  when synchronizing the ACL from the inode.

o Modify ufs_sync_inode_from_acl to not propagate uid and gid
  information to the inode from the ACL during ACL update.  Also
  modify the masking of permission bits that may be set from
  ALLPERMS to (S_IRWXU|S_IRWXG|S_IRWXO), as ACLs currently do not
  carry non-ACCESSPERMS (S_ISUID, S_ISGID, S_ISTXT).

o Modify ufs_getacl() so that when it emulates an access ACL from
  the inode, it initializes the ae_id fields to ACL_UNDEFINED_ID.

o Clean up ufs_setacl() substantially since it is no longer possible
  to perform chown/chgrp operations using vop_setacl(), so all the
  access control for that can be eliminated.

o Modify ufs_access() so that it passes owner uid and gid information
  into vaccess_acl_posix1e().

Pointed out by:	jedger
Obtained from:	TrustedBSD Project
2001-04-17 04:33:34 +00:00
..
bus_if.m Alter the return value and arguments of the GET_RESOURCE_LIST bus method. 2000-11-28 06:49:15 +00:00
device_if.m * Factor out the object system from new-bus so that it can be used by 2000-04-08 14:17:18 +00:00
genassym.sh Improve kernel bootstrapping: 2001-01-28 06:39:56 +00:00
gensetdefs.pl Generate useful error messages. 2001-04-13 09:37:25 +00:00
imgact_aout.c Back out proc locking to protect p_ucred for obtaining additional 2001-01-27 00:01:31 +00:00
imgact_elf.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
imgact_gzip.c Fix a typo. 2001-01-24 08:42:39 +00:00
imgact_shell.c Fix #! script exec under linux emulation. If a script is exec'd from a 2000-04-26 20:58:40 +00:00
inflate.c Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 05:07:58 +00:00
init_main.c Stick proc0 in the PID hash table. 2001-04-11 18:50:50 +00:00
init_sysent.c o Regenerated following introduction of __setugid() system call for 2001-04-11 20:21:37 +00:00
kern_acct.c Change and clean the mutex lock interface. 2001-02-09 06:11:45 +00:00
kern_acl.c In my first reading of POSIX.1e, I misinterpreted handling of the 2001-04-17 04:33:34 +00:00
kern_cap.c Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
kern_clock.c Catch up to header include changes: 2001-03-28 09:17:56 +00:00
kern_condvar.c Pass in a pointer to the mutex's lock_object as the second argument to 2001-03-28 10:41:15 +00:00
kern_conf.c Call strlen() once instead of twice. 2001-04-14 21:33:58 +00:00
kern_descrip.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
kern_environment.c Previous commit changing SYSCTL_HANDLER_ARGS violated KNF. 2000-07-04 11:25:35 +00:00
kern_event.c o Make kqueue's filt_procattach() function use the error value returned 2001-04-12 21:32:02 +00:00
kern_exec.c Proc locking. 2001-03-07 03:27:32 +00:00
kern_exit.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
kern_fork.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
kern_idle.c Implement a unified run queue and adjust priority levels accordingly. 2001-02-12 00:20:08 +00:00
kern_intr.c Catch up to header include changes: 2001-03-28 09:17:56 +00:00
kern_jail.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
kern_kthread.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
kern_ktr.c Switch from save/disable/restore_intr() to critical_enter/exit(). 2001-03-28 03:06:10 +00:00
kern_ktrace.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
kern_linker.c o Actually extract version of interface and store it along with the name. 2001-03-22 08:58:45 +00:00
kern_lock.c convert if/panic -> KASSERT, explain what triggered the assertion 2001-04-13 10:15:53 +00:00
kern_lockf.c Protect p_wmesg and p_wchan with sched_lock while checking for deadlocks 2001-03-24 03:57:44 +00:00
kern_malloc.c Change and clean the mutex lock interface. 2001-02-09 06:11:45 +00:00
kern_mib.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
kern_module.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
kern_mutex.c Exit and re-enter the critical section while spinning for a spinlock so 2001-04-17 03:34:52 +00:00
kern_ntptime.c Update to the 2001-04-02 version of the nanokernel code from Dave Mills. 2001-04-16 13:05:05 +00:00
kern_physio.c Separate the struct bio related stuff out of <sys/buf.h> into 2000-05-05 09:59:14 +00:00
kern_proc.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
kern_prot.c o Since uid checks in p_cansignal() are now identical between P_SUGID 2001-04-13 14:33:45 +00:00
kern_random.c This patchset fixes a large number of file descriptor race conditions. 2000-11-18 21:01:04 +00:00
kern_resource.c o Limit process information leakage by introducing a p_can(...P_CAN_SEE...) 2001-04-12 20:46:26 +00:00
kern_shutdown.c Blow away the panic mutex in favor of using a single atomic_cmpset() on a 2001-04-17 04:18:08 +00:00
kern_sig.c o Replace p_cankill() with p_cansignal(), remove wrappage of p_can() 2001-04-12 02:38:08 +00:00
kern_subr.c Introduce copyinfrom and copyinstrfrom, which can copy data from either 2001-02-16 14:31:49 +00:00
kern_switch.c Catch up to header include changes: 2001-03-28 09:17:56 +00:00
kern_sx.c Rework the witness code to work with sx locks as well as mutexes. 2001-03-28 09:03:24 +00:00
kern_synch.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
kern_syscalls.c sysvipc loadable. 2000-12-01 08:57:47 +00:00
kern_sysctl.c Make the SYSCTL_OUT handlers sysctl_old_user() and sysctl_old_kernel() 2001-03-08 01:20:43 +00:00
kern_tc.c Remove a bogus #ifdef KTR stanza. 2001-01-01 23:09:53 +00:00
kern_time.c Lock the process while sending it SIGALRM and updating p_realtimer. 2001-03-07 03:02:56 +00:00
kern_timeout.c Catch up to header include changes: 2001-03-28 09:17:56 +00:00
kern_xxx.c This is kind of a hack, but it should work. Currently, world is broken 2001-03-24 04:40:49 +00:00
ksched.c Lock need_resched with sched_lock. 2001-02-22 13:46:09 +00:00
link_aout.c Manually add an extra _ to _DYNAMIC since it is provided by ld, not gcc. 2001-02-25 07:25:05 +00:00
link_elf_obj.c Make this compile in a.out mode. link.h has extra dependencies for a.out. 2001-02-25 07:26:54 +00:00
link_elf.c Make this compile in a.out mode. link.h has extra dependencies for a.out. 2001-02-25 07:26:54 +00:00
linker_if.m First round implementation of a fine grain enhanced module to module 2000-04-29 13:19:31 +00:00
Make.tags.inc there is no more miscfs/devfs 2000-12-31 23:12:20 +00:00
Makefile Retire kernfs (kernel part). 2000-12-28 12:17:35 +00:00
makeobjops.pl Use getopt instead of a home grown one 2001-04-07 20:51:24 +00:00
makesyscalls.sh Add reserved lkmressys keyword. I swear, this script will die the 2000-12-01 08:47:54 +00:00
md4c.c Import kernel part of SMB/CIFS requester. 2001-04-10 07:59:06 +00:00
md5c.c Add ia64 support. 2000-09-29 13:36:47 +00:00
p1003_1b.c Add $FreeBSD$ 2000-05-01 20:32:07 +00:00
posix4_mib.c Add $FreeBSD$. 2000-04-22 15:13:06 +00:00
subr_acl_posix1e.c In my first reading of POSIX.1e, I misinterpreted handling of the 2001-04-17 04:33:34 +00:00
subr_autoconf.c Back out the previous change to the queue(3) interface. 2000-05-26 02:09:24 +00:00
subr_blist.c Convert more malloc+bzero to malloc+M_ZERO. 2000-12-08 21:51:06 +00:00
subr_bus.c Unset the devclass if the attach fails and the devclass was not set to 2001-01-08 22:16:26 +00:00
subr_clist.c Make cblock_alloc_cblocks() spell its own name 2001-03-27 10:21:26 +00:00
subr_devstat.c Another round of the <sys/queue.h> FOREACH transmogriffer. 2001-02-04 16:08:18 +00:00
subr_disk.c Don't call device close and ioctl functions if device has disappeared. 2001-03-13 08:45:05 +00:00
subr_disklabel.c A bit of sanity-checking in bioqdisksort(): panic if we recurse. 2001-01-14 18:48:42 +00:00
subr_diskmbr.c Make diskerr() always log with printf. 2000-11-26 19:29:15 +00:00
subr_diskslice.c Add a new ioctl for doing virgin disklabels. 2000-10-31 07:05:40 +00:00
subr_eventhandler.c Catch up to header include changes: 2001-03-28 09:17:56 +00:00
subr_kobj.c Convert more malloc+bzero to malloc+M_ZERO. 2000-12-08 21:51:06 +00:00
subr_log.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
subr_mchain.c Remove superfluous m_pkthdr.rcv_if = NULL assignment following 2001-02-25 06:33:50 +00:00
subr_module.c Preceed/preceeding are not english words. Use precede and preceding. 2001-02-18 10:43:53 +00:00
subr_param.c Remove unneeded <stddef.h> #includes. 2000-10-29 16:57:42 +00:00
subr_prf.c Use PCPU_GET, PCPU_PTR and PCPU_SET to access all per-cpu variables 2001-01-10 04:43:51 +00:00
subr_prof.c Switch from save/disable/restore_intr() to critical_enter/exit(). 2001-03-28 03:06:10 +00:00
subr_rman.c Change and clean the mutex lock interface. 2001-02-09 06:11:45 +00:00
subr_sbuf.c Rewrite of the CAM error recovery code. 2001-03-27 05:45:52 +00:00
subr_scanf.c Change the prototype of the strto* routines to make the second 1999-11-24 01:03:08 +00:00
subr_smp.c Blow away the panic mutex in favor of using a single atomic_cmpset() on a 2001-04-17 04:18:08 +00:00
subr_taskqueue.c - Catch up to the new swi API changes: 2001-02-09 17:46:35 +00:00
subr_trap.c - Release Giant a bit earlier on syscall exit. 2001-03-07 03:53:39 +00:00
subr_turnstile.c Exit and re-enter the critical section while spinning for a spinlock so 2001-04-17 03:34:52 +00:00
subr_witness.c Check to see if enroll() returns NULL in the witness initialization. This 2001-04-17 03:35:38 +00:00
subr_xxx.c Extend kqueue down to the device layer. 2001-02-15 16:34:11 +00:00
sys_generic.c Grab the process lock while calling psignal and before calling psignal. 2001-03-07 03:37:06 +00:00
sys_pipe.c Extend kqueue down to the device layer. 2001-02-15 16:34:11 +00:00
sys_process.c Convert the allproc and proctree locks from lockmgr locks to sx locks. 2001-03-28 11:52:56 +00:00
sys_socket.c Extend kqueue down to the device layer. 2001-02-15 16:34:11 +00:00
syscalls.c o Regenerated following introduction of __setugid() system call for 2001-04-11 20:21:37 +00:00
syscalls.master o Introduce a new system call, __setsugid(), which allows a process to 2001-04-11 20:20:40 +00:00
sysv_ipc.c sysvipc loadable. 2000-12-01 08:57:47 +00:00
sysv_msg.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
sysv_sem.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
sysv_shm.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
tty_compat.c $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
tty_conf.c Don't refer to TABLDISC in the comments here. 2000-01-30 10:14:13 +00:00
tty_cons.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
tty_pty.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
tty_snoop.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
tty_subr.c Make cblock_alloc_cblocks() spell its own name 2001-03-27 10:21:26 +00:00
tty_tty.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
tty.c Grab the process lock while calling psignal and before calling psignal. 2001-03-07 03:37:06 +00:00
uipc_accf.c Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
uipc_domain.c Use callout_reset instead of timeout(9). Most callouts are statically 2000-11-27 22:52:31 +00:00
uipc_mbuf2.c Long awaited style fixup in mbuf code. Get rid of K&R style prototyping 2001-02-11 05:02:06 +00:00
uipc_mbuf.c - Change the msleep()s to condition variables. 2001-04-03 04:50:13 +00:00
uipc_proto.c Trim unused options (or #ifdef for undoc options). 1999-10-11 15:19:12 +00:00
uipc_sockbuf.c Make sbcompress use the new M_WRITABLE macro. Previously sbcompress 2000-11-19 22:22:47 +00:00
uipc_socket2.c Make sbcompress use the new M_WRITABLE macro. Previously sbcompress 2000-11-19 22:22:47 +00:00
uipc_socket.c When doing a recv(.. MSG_WAITALL) for a message which is larger than 2001-03-16 22:37:06 +00:00
uipc_syscalls.c Fix is a similar race condition as existed in the mbuf code. When we go 2001-03-08 19:21:45 +00:00
uipc_usrreq.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
vfs_acl.c In my first reading of POSIX.1e, I misinterpreted handling of the 2001-04-17 04:33:34 +00:00
vfs_aio.c When aio_read/write() is used on a raw device, physical buffers are 2001-03-10 22:47:57 +00:00
vfs_bio.c Fix lockup for loopback NFS mounts. The pipelined I/O limitations could be 2001-02-28 04:13:11 +00:00
vfs_cache.c Create debug.hashstat.[raw]nchash and debug.hashstat.[raw]nfsnode to 2001-04-11 00:39:20 +00:00
vfs_cluster.c Fix lockup for loopback NFS mounts. The pipelined I/O limitations could be 2001-02-28 04:13:11 +00:00
vfs_conf.c Reviewed by: jlemon 2001-03-01 21:00:17 +00:00
vfs_default.c o Rename "namespace" argument to "attrnamespace" as namespace is a C++ 2001-03-19 05:44:15 +00:00
vfs_export.c Add a NOTE_REVOKE flag for vnodes, which is triggered from within vclean(). 2001-02-23 20:06:01 +00:00
vfs_extattr.c o Introduce extattr_{delete,get,set}_fd() to allow extended attribute 2001-03-31 16:20:05 +00:00
vfs_init.c Another round of the <sys/queue.h> FOREACH transmogriffer. 2001-02-04 16:08:18 +00:00
vfs_lookup.c Untangle vfsinit() a bit. Use separate sysinit functions rather than 2000-12-06 07:09:08 +00:00
vfs_mount.c Reviewed by: jlemon 2001-03-01 21:00:17 +00:00
vfs_subr.c Add a NOTE_REVOKE flag for vnodes, which is triggered from within vclean(). 2001-02-23 20:06:01 +00:00
vfs_syscalls.c o Introduce extattr_{delete,get,set}_fd() to allow extended attribute 2001-03-31 16:20:05 +00:00
vfs_vnops.c Previous commit broke interlock locking for !LK_RETRY case. 2001-03-26 12:45:35 +00:00
vnode_if.pl replace calls to non-existent bail() subroutine with calls to 2001-03-23 11:48:50 +00:00
vnode_if.src o Rename "namespace" argument to "attrnamespace" as namespace is a C++ 2001-03-19 05:44:15 +00:00