--- //depot/projects/trustedbsd/base/sys/compat/linux/linux_misc.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/compat/linux/linux_misc.c 2007/05/31 14:05:34 @@ -1077,8 +1077,7 @@ * Keep cr_groups[0] unchanged to prevent that. */ - if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, - SUSER_ALLOWJAIL)) != 0) { + if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0)) != 0) { PROC_UNLOCK(p); crfree(newcred); return (error); --- //depot/projects/trustedbsd/base/sys/compat/linux/linux_uid16.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/compat/linux/linux_uid16.c 2007/05/31 14:05:34 @@ -124,8 +124,7 @@ * Keep cr_groups[0] unchanged to prevent that. */ - if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, - SUSER_ALLOWJAIL)) != 0) { + if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0)) != 0) { PROC_UNLOCK(p); crfree(newcred); return (error); --- //depot/projects/trustedbsd/base/sys/compat/opensolaris/kern/opensolaris_policy.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/compat/opensolaris/kern/opensolaris_policy.c 2007/05/31 14:36:29 @@ -72,7 +72,7 @@ if (!hardlink_check_uid) return (0); - return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL)); + return (priv_check_cred(cred, PRIV_VFS_LINK, 0)); } int @@ -86,7 +86,7 @@ secpolicy_vnode_remove(struct ucred *cred) { - return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)); + return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0)); } int 
@@ -94,23 +94,20 @@ int mode) { - if ((mode & VREAD) && - priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) { + if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) { return (EACCES); } if ((mode & VWRITE) && - priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) { + priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) { return (EACCES); } if (mode & VEXEC) { if (vp->v_type == VDIR) { - if (priv_check_cred(cred, PRIV_VFS_LOOKUP, - SUSER_ALLOWJAIL) != 0) { + if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) { return (EACCES); } } else { - if (priv_check_cred(cred, PRIV_VFS_EXEC, - SUSER_ALLOWJAIL) != 0) { + if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) { return (EACCES); } } @@ -124,7 +121,7 @@ if (owner == cred->cr_uid) return (0); - return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)); + return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0)); } int @@ -173,8 +170,7 @@ if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || ((mask & AT_GID) && vap->va_gid != ovap->va_gid && !groupmember(vap->va_gid, cred))) { - error = priv_check_cred(cred, PRIV_VFS_CHOWN, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0); if (error) return (error); } @@ -214,7 +210,7 @@ { if (!groupmember(gid, cred)) - return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL)); + return (priv_check_cred(cred, PRIV_VFS_SETGID, 0)); return (0); } @@ -222,7 +218,7 @@ secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused) { - return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL)); + return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)); } void @@ -230,8 +226,7 @@ { if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) { - if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, - SUSER_ALLOWJAIL)) { + if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) { vap->va_mask |= AT_MODE; vap->va_mode &= ~(S_ISUID|S_ISGID); } 
@@ -250,7 +245,7 @@ * is not a member of. Both of these are allowed in jail(8). */ if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) { - if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL)) + if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0)) return (EFTYPE); } /* --- //depot/projects/trustedbsd/base/sys/compat/svr4/svr4_fcntl.c 2006/11/06 15:40:25 +++ //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_fcntl.c 2007/05/31 14:05:34 @@ -281,8 +281,7 @@ goto out; if (td->td_ucred->cr_uid != vattr.va_uid && - (error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check(td, PRIV_VFS_ADMIN)) != 0) goto out; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) --- //depot/projects/trustedbsd/base/sys/compat/svr4/svr4_misc.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_misc.c 2007/05/31 14:05:34 @@ -612,8 +612,7 @@ struct file *fp; int error, vfslocked; - if ((error = priv_check_cred(td->td_ucred, PRIV_VFS_FCHROOT, - SUSER_ALLOWJAIL)) != 0) + if ((error = priv_check(td, PRIV_VFS_FCHROOT)) != 0) return error; if ((error = getvnode(fdp, uap->fd, &fp)) != 0) return error; --- //depot/projects/trustedbsd/base/sys/conf/NOTES 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/conf/NOTES 2007/05/29 15:49:19 @@ -1129,6 +1129,7 @@ options MAC_NONE options MAC_PARTITION options MAC_PORTACL +options MAC_PRIVS options MAC_SEEOTHERUIDS options MAC_STUB options MAC_TEST --- //depot/projects/trustedbsd/base/sys/conf/files 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/conf/files 2007/05/29 15:49:19 
@@ -2019,6 +2019,7 @@ security/mac_none/mac_none.c optional mac_none security/mac_partition/mac_partition.c optional mac_partition security/mac_portacl/mac_portacl.c optional mac_portacl +security/mac_privs/mac_privs.c optional mac_privs security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids security/mac_stub/mac_stub.c optional mac_stub security/mac_test/mac_test.c optional mac_test --- //depot/projects/trustedbsd/base/sys/conf/options 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/conf/options 2007/05/29 15:49:19 @@ -113,6 +113,7 @@ MAC_NONE opt_dontuse.h MAC_PARTITION opt_dontuse.h MAC_PORTACL opt_dontuse.h +MAC_PRIVS opt_dontuse.h MAC_SEEOTHERUIDS opt_dontuse.h MAC_STATIC opt_mac.h MAC_STUB opt_dontuse.h --- //depot/projects/trustedbsd/base/sys/fs/devfs/devfs_vnops.c 2007/04/23 14:18:58 +++ //depot/projects/trustedbsd/priv/sys/fs/devfs/devfs_vnops.c 2007/05/31 14:05:34 @@ -1168,7 +1168,7 @@ if ((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid || (gid != de->de_gid && !groupmember(gid, ap->a_cred))) { error = priv_check_cred(ap->a_td->td_ucred, - PRIV_VFS_CHOWN, SUSER_ALLOWJAIL); + PRIV_VFS_CHOWN, 0); if (error) return (error); } @@ -1180,7 +1180,7 @@ if (vap->va_mode != (mode_t)VNOVAL) { if (ap->a_cred->cr_uid != de->de_uid) { error = priv_check_cred(ap->a_td->td_ucred, - PRIV_VFS_ADMIN, SUSER_ALLOWJAIL); + PRIV_VFS_ADMIN, 0); if (error) return (error); } --- //depot/projects/trustedbsd/base/sys/fs/msdosfs/msdosfs_vnops.c 2007/02/19 13:58:26 +++ //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vnops.c 2007/05/31 14:05:34 @@ -408,8 +408,7 @@ if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); if (cred->cr_uid != pmp->pm_uid) { - error = priv_check_cred(cred, PRIV_VFS_ADMIN, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0); if (error) return (error); } 
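Review bot: security/mac_privs/mac_privs.c is wired into sys/conf/files here, and into sys/conf/options, sys/conf/NOTES and sys/modules/Makefile in the neighbouring hunks, but the module source itself does not appear anywhere in this diff. If that is only because added files are not shown in this diff format, nothing to do; otherwise any kernel built with `options MAC_PRIVS`, and the LINT build that NOTES now drives, fails on the missing file. Worth confirming the new file is part of the same submit before the build glue lands.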
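Review bot: In the devfs_vnops.c hunks the ownership test reads ap->a_cred->cr_uid while the privilege fallback calls priv_check_cred(ap->a_td->td_ucred, PRIV_VFS_CHOWN, 0) (and PRIV_VFS_ADMIN in the second hunk), so the DAC decision and the privilege decision can be taken against two different credentials; the mqfs setattr hunks in sys/kern/uipc_mqueue.c have the same split, now as priv_check(ap->a_td, PRIV_MQ_ADMIN). This predates the change, but since these lines are being rewritten anyway it would be cleaner to check the credential the comparison used, e.g. `error = priv_check_cred(ap->a_cred, PRIV_VFS_CHOWN, 0);`, unless the VOP contract deliberately separates the two. If the split is intentional, a one-line comment saying so would stop the next reader from flagging it. The enclosing function starts and ends outside the hunk.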
@@ -426,8 +425,7 @@ * sensible filesystem attempts it a lot. */ if (vap->va_flags & SF_SETTABLE) { - error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0); if (error) return (error); } @@ -454,8 +452,7 @@ gid = pmp->pm_gid; if (cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid || (gid != pmp->pm_gid && !groupmember(gid, cred))) { - error = priv_check_cred(cred, PRIV_VFS_CHOWN, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0); if (error) return (error); } @@ -520,8 +517,7 @@ if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); if (cred->cr_uid != pmp->pm_uid) { - error = priv_check_cred(cred, PRIV_VFS_ADMIN, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0); if (error) return (error); } --- //depot/projects/trustedbsd/base/sys/fs/procfs/procfs_ioctl.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/fs/procfs/procfs_ioctl.c 2007/05/31 14:05:34 @@ -115,7 +115,7 @@ * are missing. */ error = priv_check_cred(td->td_ucred, - PRIV_DEBUG_SUGID, SUSER_ALLOWJAIL); + PRIV_DEBUG_SUGID, 0); if (error) break; } --- //depot/projects/trustedbsd/base/sys/gnu/fs/ext2fs/ext2_vnops.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/gnu/fs/ext2fs/ext2_vnops.c 2007/05/31 14:05:34 @@ -415,8 +415,7 @@ * Privileged non-jail processes may not modify system flags * if securelevel > 0 and any existing system flags are set. */ - if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, - SUSER_ALLOWJAIL)) { + if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) { if (ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) { error = securelevel_gt(cred, 0); 
@@ -535,14 +534,12 @@ * process is not a member of. */ if (vp->v_type != VDIR && (mode & S_ISTXT)) { - error = priv_check_cred(cred, PRIV_VFS_STICKYFILE, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0); if (error) return (EFTYPE); } if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) { - error = priv_check_cred(cred, PRIV_VFS_SETGID, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_SETGID, 0); if (error) return (error); } @@ -586,8 +583,7 @@ */ if (uid != ip->i_uid || (gid != ip->i_gid && !groupmember(gid, cred))) { - error = priv_check_cred(cred, PRIV_VFS_CHOWN, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0); if (error) return (error); } @@ -597,8 +593,7 @@ ip->i_uid = uid; ip->i_flag |= IN_CHANGE; if ((ip->i_mode & (ISUID | ISGID)) && (ouid != uid || ogid != gid)) { - if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, - SUSER_ALLOWJAIL) != 0) + if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0) != 0) ip->i_mode &= ~(ISUID | ISGID); } return (0); @@ -1648,8 +1643,7 @@ tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */ ip->i_nlink = 1; if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred)) { - if (priv_check_cred(cnp->cn_cred, PRIV_VFS_RETAINSUGID, - SUSER_ALLOWJAIL)) + if (priv_check_cred(cnp->cn_cred, PRIV_VFS_RETAINSUGID, 0)) ip->i_mode &= ~ISGID; } --- //depot/projects/trustedbsd/base/sys/kern/kern_exec.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_exec.c 2007/05/31 14:05:34 @@ -567,8 +567,7 @@ #ifdef KTRACE if (p->p_tracevp != NULL && - priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, - SUSER_ALLOWJAIL)) { + priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, 0)) { mtx_lock(&ktrace_mtx); p->p_traceflag = 0; tracevp = p->p_tracevp; --- //depot/projects/trustedbsd/base/sys/kern/kern_fork.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_fork.c 2007/05/31 14:05:34 
@@ -309,8 +309,7 @@ * * XXXRW: Can we avoid privilege here if it's not needed? */ - error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID | - SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID); if (error == 0) ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0); else { --- //depot/projects/trustedbsd/base/sys/kern/kern_ktrace.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_ktrace.c 2007/05/31 14:05:34 @@ -793,8 +793,7 @@ p->p_tracecred = crhold(td->td_ucred); } p->p_traceflag |= facs; - if (priv_check_cred(td->td_ucred, PRIV_KTRACE, - SUSER_ALLOWJAIL) == 0) + if (priv_check(td, PRIV_KTRACE) == 0) p->p_traceflag |= KTRFAC_ROOT; } else { /* KTROP_CLEAR */ @@ -1000,7 +999,7 @@ PROC_LOCK_ASSERT(targetp, MA_OWNED); if (targetp->p_traceflag & KTRFAC_ROOT && - priv_check_cred(td->td_ucred, PRIV_KTRACE, SUSER_ALLOWJAIL)) + priv_check(td, PRIV_KTRACE)) return (0); if (p_candebug(td, targetp) != 0) --- //depot/projects/trustedbsd/base/sys/kern/kern_priv.c 2006/11/06 15:40:25 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_priv.c 2007/05/31 14:33:06 @@ -77,18 +77,8 @@ /* * Jail policy will restrict certain privileges that may otherwise be * be granted. - * - * While debugging the transition from SUSER_ALLOWJAIL to Jail being - * aware of specific privileges, perform run-time checking that the - * two versions of the policy align. This assertion will go away - * once the SUSER_ALLOWJAIL flag has gone away. */ error = prison_priv_check(cred, priv); -#ifdef NOTYET - KASSERT(!jailed(cred) || error == ((flags & SUSER_ALLOWJAIL) ? 0 : - EPERM), ("priv_check_cred: prison_priv_check %d but flags %s", - error, flags & SUSER_ALLOWJAIL ? "allowjail" : "!allowjail")); -#endif if (error) return (error); --- //depot/projects/trustedbsd/base/sys/kern/kern_prot.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_prot.c 2007/05/31 14:05:34 
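Review bot: With the NOTYET assertion removed from kern_priv.c, nothing left in this change verifies that prison_priv_check() grants each privilege that callers used to mark SUSER_ALLOWJAIL, and sys/kern/kern_jail.c is not part of this diff. Every `priv_check_cred(..., 0)` conversion in the other hunks therefore depends on the jail policy's per-privilege handling being complete: a missing entry becomes a silent EPERM for jailed root instead of a failed assertion. A comment at the call such as `/* Jail policy is now the sole authority on what a jailed credential may do; see prison_priv_check(). */` would record that, and the privilege list is worth cross-checking against the callers touched here before the flag is gone for good. The body of priv_check_cred continues outside the hunk.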
@@ -511,8 +511,7 @@ #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ #endif - (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) goto fail; /* @@ -529,7 +528,7 @@ uid == oldcred->cr_uid || #endif /* We are using privs. */ - priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0) + priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) #endif { /* @@ -602,8 +601,7 @@ if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ - (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) goto fail; /* @@ -672,8 +670,7 @@ #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ #endif - (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) goto fail; crcopy(newcred, oldcred); @@ -687,7 +684,7 @@ gid == oldcred->cr_groups[0] || #endif /* We are using privs. */ - priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0) + priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) #endif { /* @@ -756,8 +753,7 @@ if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ - (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) goto fail; crcopy(newcred, oldcred); @@ -817,8 +813,7 @@ goto fail; #endif - error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, - SUSER_ALLOWJAIL); + error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); if (error) goto fail; 
@@ -887,8 +882,7 @@ ruid != oldcred->cr_svuid) || (euid != (uid_t)-1 && euid != oldcred->cr_uid && euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && - (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) goto fail; crcopy(newcred, oldcred); @@ -953,8 +947,7 @@ rgid != oldcred->cr_svgid) || (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && - (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) goto fail; crcopy(newcred, oldcred); @@ -1030,8 +1023,7 @@ (suid != (uid_t)-1 && suid != oldcred->cr_ruid && suid != oldcred->cr_svuid && suid != oldcred->cr_uid)) && - (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) goto fail; crcopy(newcred, oldcred); @@ -1108,8 +1100,7 @@ (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && sgid != oldcred->cr_svgid && sgid != oldcred->cr_groups[0])) && - (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) goto fail; crcopy(newcred, oldcred); @@ -1317,8 +1308,7 @@ { if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { - if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL) - != 0) + if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) return (ESRCH); } return (0); @@ -1357,8 +1347,7 @@ break; } if (!match) { - if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, - SUSER_ALLOWJAIL) != 0) + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) return (ESRCH); } } @@ -1475,8 +1464,7 @@ break; default: /* Not permitted without privilege. */ - error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); if (error) return (error); } 
@@ -1490,9 +1478,7 @@ cred->cr_ruid != proc->p_ucred->cr_svuid && cred->cr_uid != proc->p_ucred->cr_ruid && cred->cr_uid != proc->p_ucred->cr_svuid) { - /* Not permitted without privilege. */ - error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); if (error) return (error); } @@ -1570,8 +1556,7 @@ return (error); if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { - error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_SCHED_DIFFCRED); if (error) return (error); } @@ -1610,8 +1595,7 @@ KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if (!unprivileged_proc_debug) { - error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_DEBUG_UNPRIV); if (error) return (error); } @@ -1662,15 +1646,13 @@ * for td to debug p. */ if (!grpsubset || !uidsubset) { - error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_DEBUG_DIFFCRED); if (error) return (error); } if (credentialchanged) { - error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_DEBUG_SUGID); if (error) return (error); } @@ -1931,8 +1913,7 @@ int error; char logintmp[MAXLOGNAME]; - error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_PROC_SETLOGIN); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); --- //depot/projects/trustedbsd/base/sys/kern/kern_resource.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_resource.c 2007/05/31 14:05:34 
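Review bot: The first kern_prot.c hunk on this line drops the `/* Not permitted without privilege. */` comment together with the SUSER_ALLOWJAIL continuation, although the PRIV_SIGNAL_DIFFCRED check it described is still there; the parallel PRIV_SIGNAL_SUGID branch in the preceding hunk keeps its copy. Unless the removal is deliberate, restore the comment above `error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0);` so the two branches read the same. The enclosing function starts and ends outside the hunk.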
@@ -650,8 +650,7 @@ alimp = &oldlim->pl_rlimit[which]; if (limp->rlim_cur > alimp->rlim_max || limp->rlim_max > alimp->rlim_max) - if ((error = priv_check_cred(td->td_ucred, - PRIV_PROC_SETRLIMIT, SUSER_ALLOWJAIL))) { + if ((error = priv_check(td, PRIV_PROC_SETRLIMIT))) { PROC_UNLOCK(p); lim_free(newlim); return (error); --- //depot/projects/trustedbsd/base/sys/kern/kern_sysctl.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_sysctl.c 2007/05/31 14:05:34 @@ -1255,8 +1255,7 @@ /* Is this sysctl writable by only privileged users? */ if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) { if (oid->oid_kind & CTLFLAG_PRISON) - error = priv_check_cred(req->td->td_ucred, - PRIV_SYSCTL_WRITEJAIL, SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_SYSCTL_WRITEJAIL); else error = priv_check(req->td, PRIV_SYSCTL_WRITE); if (error) --- //depot/projects/trustedbsd/base/sys/kern/subr_acl_posix1e.c 2006/11/06 15:40:25 +++ //depot/projects/trustedbsd/priv/sys/kern/subr_acl_posix1e.c 2007/05/31 14:05:34 
@@ -82,24 +82,22 @@ if (type == VDIR) { if ((acc_mode & VEXEC) && !priv_check_cred(cred, - PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL)) + PRIV_VFS_LOOKUP, 0)) priv_granted |= VEXEC; } else { if ((acc_mode & VEXEC) && !priv_check_cred(cred, - PRIV_VFS_EXEC, SUSER_ALLOWJAIL)) + PRIV_VFS_EXEC, 0)) priv_granted |= VEXEC; } - if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, - SUSER_ALLOWJAIL)) + if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0)) priv_granted |= VREAD; if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) && - !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) + !priv_check_cred(cred, PRIV_VFS_WRITE, 0)) priv_granted |= (VWRITE | VAPPEND); - if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN, - SUSER_ALLOWJAIL)) + if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN, 0)) priv_granted |= VADMIN; /* --- //depot/projects/trustedbsd/base/sys/kern/sysv_ipc.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/kern/sysv_ipc.c 2007/05/31 14:05:34 @@ -125,22 +125,19 @@ */ priv_granted = 0; if ((acc_mode & IPC_M) && !(dac_granted & IPC_M)) { - error = priv_check_cred(td->td_ucred, PRIV_IPC_ADMIN, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_IPC_ADMIN); if (error == 0) priv_granted |= IPC_M; } if ((acc_mode & IPC_R) && !(dac_granted & IPC_R)) { - error = priv_check_cred(td->td_ucred, PRIV_IPC_READ, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_IPC_READ); if (error == 0) priv_granted |= IPC_R; } if ((acc_mode & IPC_W) && !(dac_granted & IPC_W)) { - error = priv_check_cred(td->td_ucred, PRIV_IPC_WRITE, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_IPC_WRITE); if (error == 0) priv_granted |= IPC_W; } --- //depot/projects/trustedbsd/base/sys/kern/sysv_msg.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/kern/sysv_msg.c 2007/05/31 14:05:34 
@@ -502,8 +502,7 @@ if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M))) goto done2; if (msqbuf->msg_qbytes > msqkptr->u.msg_qbytes) { - error = priv_check_cred(td->td_ucred, - PRIV_IPC_MSGSIZE, SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_IPC_MSGSIZE); if (error) goto done2; } --- //depot/projects/trustedbsd/base/sys/kern/uipc_mqueue.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/uipc_mqueue.c 2007/05/31 14:05:34 @@ -961,8 +961,7 @@ sx_assert(&pn->mn_info->mi_lock, SX_LOCKED); if (ucred->cr_uid != pn->mn_uid && - (error = priv_check_cred(ucred, PRIV_MQ_ADMIN, - SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(ucred, PRIV_MQ_ADMIN, 0)) != 0) error = EACCES; else if (!pn->mn_deleted) { parent = pn->mn_parent; @@ -1221,8 +1220,7 @@ */ if (((ap->a_cred->cr_uid != pn->mn_uid) || uid != pn->mn_uid || (gid != pn->mn_gid && !groupmember(gid, ap->a_cred))) && - (error = priv_check_cred(ap->a_td->td_ucred, - PRIV_MQ_ADMIN, SUSER_ALLOWJAIL)) != 0) + (error = priv_check(ap->a_td, PRIV_MQ_ADMIN)) != 0) return (error); pn->mn_uid = uid; pn->mn_gid = gid; @@ -1231,8 +1229,7 @@ if (vap->va_mode != (mode_t)VNOVAL) { if ((ap->a_cred->cr_uid != pn->mn_uid) && - (error = priv_check_cred(ap->a_td->td_ucred, - PRIV_MQ_ADMIN, SUSER_ALLOWJAIL))) + (error = priv_check(ap->a_td, PRIV_MQ_ADMIN))) return (error); pn->mn_mode = vap->va_mode; c = 1; --- //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c 2007/05/31 14:05:34 @@ -918,7 +918,7 @@ } if (va.va_uid != td->td_ucred->cr_uid) { error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, - SUSER_ALLOWJAIL); + 0); if (error) { vput(vp); return (error); --- //depot/projects/trustedbsd/base/sys/kern/vfs_subr.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/vfs_subr.c 2007/05/31 14:05:34 
@@ -3300,24 +3300,24 @@ * requests, instead of PRIV_VFS_EXEC. */ if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL)) + !priv_check_cred(cred, PRIV_VFS_LOOKUP, 0)) priv_granted |= VEXEC; } else { if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL)) + !priv_check_cred(cred, PRIV_VFS_EXEC, 0)) priv_granted |= VEXEC; } if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) && - !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL)) + !priv_check_cred(cred, PRIV_VFS_READ, 0)) priv_granted |= VREAD; if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) && - !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) + !priv_check_cred(cred, PRIV_VFS_WRITE, 0)) priv_granted |= (VWRITE | VAPPEND); if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) && - !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)) + !priv_check_cred(cred, PRIV_VFS_ADMIN, 0)) priv_granted |= VADMIN; if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) { --- //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c 2007/05/31 14:05:34 @@ -837,8 +837,7 @@ struct nameidata nd; int vfslocked; - error = priv_check_cred(td->td_ucred, PRIV_VFS_CHROOT, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_VFS_CHROOT); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1, @@ -1379,15 +1378,13 @@ return (error); if (hardlink_check_uid && cred->cr_uid != va.va_uid) { - error = priv_check_cred(cred, PRIV_VFS_LINK, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_LINK, 0); if (error) return (error); } if (hardlink_check_gid && !groupmember(va.va_gid, cred)) { - error = priv_check_cred(cred, PRIV_VFS_LINK, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_LINK, 0); if (error) return (error); } 
@@ -2349,8 +2346,7 @@ * chown can't fail when done as root. */ if (vp->v_type == VCHR || vp->v_type == VBLK) { - error = priv_check_cred(td->td_ucred, PRIV_VFS_CHFLAGS_DEV, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_VFS_CHFLAGS_DEV); if (error) return (error); } @@ -3852,8 +3848,7 @@ if (error) goto out; if (td->td_ucred->cr_uid != vattr.va_uid) { - error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_VFS_ADMIN); if (error) goto out; } --- //depot/projects/trustedbsd/base/sys/modules/Makefile 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/modules/Makefile 2007/05/29 15:49:19 @@ -154,6 +154,7 @@ mac_none \ mac_partition \ mac_portacl \ + mac_privs \ mac_seeotheruids \ mac_stub \ mac_test \ --- //depot/projects/trustedbsd/base/sys/netinet/in_pcb.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet/in_pcb.c 2007/05/31 14:05:34 @@ -340,13 +340,13 @@ if (ntohs(lport) <= ipport_reservedhigh && ntohs(lport) >= ipport_reservedlow && priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL)) + 0)) return (EACCES); if (jailed(cred)) prison = 1; if (!IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) && priv_check_cred(so->so_cred, - PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) { + PRIV_NETINET_REUSEPORT, 0) != 0) { t = in_pcblookup_local(inp->inp_pcbinfo, sin->sin_addr, lport, prison ? 0 : INPLOOKUP_WILDCARD); @@ -411,7 +411,7 @@ lastport = &pcbinfo->ipi_lasthi; } else if (inp->inp_flags & INP_LOWPORT) { error = priv_check_cred(cred, - PRIV_NETINET_RESERVEDPORT, SUSER_ALLOWJAIL); + PRIV_NETINET_RESERVEDPORT, 0); if (error) return error; first = ipport_lowfirstauto; /* 1023 */ --- //depot/projects/trustedbsd/base/sys/netinet/raw_ip.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet/raw_ip.c 2007/05/31 14:05:34 
@@ -607,13 +607,8 @@ inp = sotoinpcb(so); KASSERT(inp == NULL, ("rip_attach: inp != NULL")); - /* - * XXXRW: Centralize privilege decision in kern_jail.c. - */ - if (jailed(td->td_ucred) && !jail_allow_raw_sockets) - return (EPERM); - error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW, - SUSER_ALLOWJAIL); + + error = priv_check(td, PRIV_NETINET_RAW); if (error) return error; if (proto >= IPPROTO_MAX || proto < 0) --- //depot/projects/trustedbsd/base/sys/netinet/sctp_pcb.c 2007/05/30 09:33:24 +++ //depot/projects/trustedbsd/priv/sys/netinet/sctp_pcb.c 2007/06/01 14:12:22 @@ -2133,10 +2133,7 @@ /* got to be root to get at low ports */ if (ntohs(lport) < IPPORT_RESERVED) { if (p && (error = - priv_check_cred(p->td_ucred, - PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL - ) + priv_check(p, PRIV_NETINET_RESERVEDPORT) )) { SCTP_INP_DECR_REF(inp); SCTP_INP_WUNLOCK(inp); @@ -2206,10 +2203,7 @@ last = ipport_hilastauto; } else if (ip_inp->inp_flags & INP_LOWPORT) { if (p && (error = - priv_check_cred(p->td_ucred, - PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL - ) + priv_check(p, PRIV_NETINET_RESERVEDPORT) )) { SCTP_INP_DECR_REF(inp); SCTP_INP_WUNLOCK(inp); --- //depot/projects/trustedbsd/base/sys/netinet/sctp_usrreq.c 2007/05/30 09:33:24 +++ //depot/projects/trustedbsd/priv/sys/netinet/sctp_usrreq.c 2007/05/31 14:41:56 @@ -387,13 +387,8 @@ /* FIX, for non-bsd is this right? */ vrf_id = SCTP_DEFAULT_VRFID; - /* - * XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket - * visibility is scoped using cr_canseesocket(), which it is not - * here. - */ - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); + if (error) return (error); 
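Review bot: The raw_ip.c hunk removes the explicit `jailed(td->td_ucred) && !jail_allow_raw_sockets` rejection, so whether a jailed credential can still attach a raw socket, and whether that sysctl still has any effect, now rests entirely on prison_priv_check() handling PRIV_NETINET_RAW in kern_jail.c, which is not in this diff. That is the one place in the change where a policy check is deleted rather than a flag, so it deserves a comment where the XXXRW note was, e.g. `/* Jail policy for raw sockets (jail_allow_raw_sockets) is applied by prison_priv_check(). */`. The hunk counts also show a blank context line already preceding the removed comment, so the added empty `+` line leaves two consecutive blank lines before the priv_check() call. The enclosing function continues outside the hunk.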
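Review bot: The sctp_usrreq.c hunk drops the XXXRW note saying this getcred path, unlike the others, has no cr_canseesocket() scoping, yet the new code still performs only `priv_check(req->td, PRIV_NETINET_GETCRED)` with no scoping check added; the same note is removed in sys/netinet6/sctp6_usrreq.c, whereas sys/netinet6/udp6_usrreq.c gets a fresh `XXXRW: There should be a scoping access control check here.` comment. Keep a comment of that form in both SCTP handlers too, so the missing check stays visible rather than silently disappearing. The hunk also inserts a blank line between the `error = priv_check(...)` call and its `if (error)`, separating the call from its check; dropping it matches the surrounding style. The enclosing function continues outside the hunk.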
@@ -3439,9 +3434,8 @@ { union sctp_sockstore *ss; - error = priv_check_cred(curthread->td_ucred, - PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL); + error = priv_check(curthread, + PRIV_NETINET_RESERVEDPORT); if (error) break; --- //depot/projects/trustedbsd/base/sys/netinet/tcp_subr.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet/tcp_subr.c 2007/05/31 14:05:34 @@ -1019,8 +1019,7 @@ struct inpcb *inp; int error; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); @@ -1064,8 +1063,7 @@ struct inpcb *inp; int error, mapped = 0; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); --- //depot/projects/trustedbsd/base/sys/netinet/udp_usrreq.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet/udp_usrreq.c 2007/05/31 14:05:34 @@ -696,8 +696,7 @@ struct inpcb *inp; int error; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); --- //depot/projects/trustedbsd/base/sys/netinet6/in6_pcb.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet6/in6_pcb.c 2007/05/31 14:05:34 
@@ -192,11 +192,11 @@ if (ntohs(lport) <= ipport_reservedhigh && ntohs(lport) >= ipport_reservedlow && priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL)) + 0)) return (EACCES); if (!IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) && priv_check_cred(so->so_cred, - PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) { + PRIV_NETINET_REUSEPORT, 0) != 0) { t = in6_pcblookup_local(pcbinfo, &sin6->sin6_addr, lport, INPLOOKUP_WILDCARD); --- //depot/projects/trustedbsd/base/sys/netinet6/in6_src.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet6/in6_src.c 2007/05/31 14:05:34 @@ -775,8 +775,7 @@ last = ipport_hilastauto; lastport = &pcbinfo->ipi_lasthi; } else if (inp->inp_flags & INP_LOWPORT) { - error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0); if (error) return error; first = ipport_lowfirstauto; /* 1023 */ --- //depot/projects/trustedbsd/base/sys/netinet6/raw_ip6.c 2007/05/28 12:57:17 +++ //depot/projects/trustedbsd/priv/sys/netinet6/raw_ip6.c 2007/05/31 14:34:33 @@ -352,7 +352,7 @@ INP_LOCK(in6p); priv = 0; - if (suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0) + if (suser_cred(so->so_cred, 0) == 0) priv = 1; dst = &dstsock->sin6_addr; if (control) { --- //depot/projects/trustedbsd/base/sys/netinet6/sctp6_usrreq.c 2007/05/30 09:33:24 +++ //depot/projects/trustedbsd/priv/sys/netinet6/sctp6_usrreq.c 2007/05/31 14:41:56 @@ -445,13 +445,7 @@ vrf_id = SCTP_DEFAULT_VRFID; - /* - * XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket - * visibility is scoped using cr_canseesocket(), which it is not - * here. - */ - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_RESERVEDPORT, - 0); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); --- //depot/projects/trustedbsd/base/sys/netinet6/udp6_usrreq.c 2007/04/08 13:38:53 +++ //depot/projects/trustedbsd/priv/sys/netinet6/udp6_usrreq.c 2007/05/31 14:27:52 
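Review bot: The raw_ip6.c hunk keeps `suser_cred(so->so_cred, 0)` to decide priv, while every other caller in this change is moved to priv_check_cred()/priv_check() with a named PRIV_* value and sys/sys/priv.h now describes suser()/suser_cred() as retained only for external modules. Converting this caller to the applicable privilege — `if (priv_check_cred(so->so_cred, PRIV_NETINET_RAW, 0) == 0)`, if that is the right one here as it is for the raw_ip.c attach path — keeps the in-tree callers consistent and lets the compatibility wrappers go away later. Note too that the suser_cred() prototype now lives in sys/sys/priv.h rather than sys/sys/systm.h, so this file compiles only if it already includes sys/priv.h. The enclosing function starts and ends outside the hunk.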
@@ -437,8 +437,7 @@ struct inpcb *inp; int error; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); @@ -465,6 +464,9 @@ INP_LOCK(inp); KASSERT(inp->inp_socket != NULL, ("udp6_getcred: inp_socket == NULL")); + /* + * XXXRW: There should be a scoping access control check here. + */ cru2x(inp->inp_socket->so_cred, &xuc); INP_UNLOCK(inp); INP_INFO_RUNLOCK(&udbinfo); --- //depot/projects/trustedbsd/base/sys/netipsec/ipsec_osdep.h 2007/04/11 14:45:05 +++ //depot/projects/trustedbsd/priv/sys/netipsec/ipsec_osdep.h 2007/05/31 14:24:20 @@ -212,11 +212,9 @@ /* * 8. Test for "privileged" socket opened by superuser. * FreeBSD tests ((so)->so_cred != NULL && priv_check_cred((so)->so_cred, - * PRIV_NETINET_IPSEC, SUSER_ALLOWJAIL) == 0). + * PRIV_NETINET_IPSEC, 0) == 0). * NetBSD (1.6N) tests (so)->so_uid == 0). * This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro. - * - * XXXRW: Why was this suser_allowjail? */ #ifdef __FreeBSD__ #define IPSEC_IS_PRIVILEGED_SO(_so) \ --- //depot/projects/trustedbsd/base/sys/security/mac_portacl/mac_portacl.c 2007/04/23 14:18:58 +++ //depot/projects/trustedbsd/priv/sys/security/mac_portacl/mac_portacl.c 2007/05/31 14:05:34 @@ -419,8 +419,7 @@ mtx_unlock(&rule_mtx); if (error != 0 && mac_portacl_suser_exempt != 0) - error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0); return (error); } --- //depot/projects/trustedbsd/base/sys/security/mac_seeotheruids/mac_seeotheruids.c 2007/04/23 14:18:58 +++ //depot/projects/trustedbsd/priv/sys/security/mac_seeotheruids/mac_seeotheruids.c 2007/05/31 14:05:34 
@@ -114,8 +114,7 @@ return (0); if (suser_privileged) { - if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL) - == 0) + if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, 0) == 0) return (0); }
--- //depot/projects/trustedbsd/base/sys/sys/priv.h 2007/04/23 14:18:58
+++ //depot/projects/trustedbsd/priv/sys/sys/priv.h 2007/05/29 15:53:45
@@ -466,6 +466,18 @@ struct ucred; int priv_check(struct thread *td, int priv); int priv_check_cred(struct ucred *cred, int priv, int flags); + +/* + * Continue to support external modules that rely on suser(9) -- for now. + */ +int suser(struct thread *td); +int suser_cred(struct ucred *cred, int flags); + +/* + * For historical reasons, flags to priv_check_cred() retain the SUSER_ + * prefix. + */ +#define SUSER_RUID 2 #endif #endif /* !_SYS_PRIV_H_ */
--- //depot/projects/trustedbsd/base/sys/sys/systm.h 2007/05/28 12:57:17
+++ //depot/projects/trustedbsd/priv/sys/sys/systm.h 2007/05/29 15:53:45
@@ -236,12 +236,6 @@ void cpu_startprofclock(void); void cpu_stopprofclock(void); -/* flags for suser() and suser_cred() */ -#define SUSER_ALLOWJAIL 1 -#define SUSER_RUID 2 - -int suser(struct thread *td); -int suser_cred(struct ucred *cred, int flags); int cr_cansee(struct ucred *u1, struct ucred *u2); int cr_canseesocket(struct ucred *cred, struct socket *so);
--- //depot/projects/trustedbsd/base/sys/ufs/ffs/ffs_alloc.c 2007/04/08 13:38:53
+++ //depot/projects/trustedbsd/priv/sys/ufs/ffs/ffs_alloc.c 2007/05/31 14:05:34
@@ -173,7 +173,7 @@ #endif if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0) goto nospace; - if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) && + if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) && freespace(fs, fs->fs_minfree) - numfrags(fs, size) < 0) goto nospace; if (bpref >= fs->fs_size)
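Review bot: The new comment in the priv.h hunk says priv_check_cred() flags keep the SUSER_ prefix, but only SUSER_RUID survives and nothing states what priv_check_cred() does with the bit SUSER_ALLOWJAIL used to occupy; the systm.h hunk deletes that definition, so an external module built against the old header (the very case the retained suser()/suser_cred() prototypes exist for) still passes 1 and, unless priv_check_cred() validates its flags argument, the bit is silently ignored. Extend the comment to `* Only SUSER_RUID is accepted; any other flag bit is rejected.` and have priv_check_cred() (outside this diff) enforce that with a KASSERT or an EINVAL return, so a stale jail flag is noticed rather than swallowed. Moving the suser()/suser_cred() prototypes out of systm.h also means a file that still calls suser_cred() but includes only <sys/systm.h> now gets an implicit declaration; raw_ip6.c in this change keeps such a call and its include list is not visible here.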
@@ -268,7 +268,7 @@ #endif /* DIAGNOSTIC */ reclaimed = 0; retry: - if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) && + if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) && freespace(fs, fs->fs_minfree) - numfrags(fs, nsize - osize) < 0) { goto nospace; }
--- //depot/projects/trustedbsd/base/sys/ufs/ffs/ffs_vnops.c 2007/05/28 12:57:17
+++ //depot/projects/trustedbsd/priv/sys/ufs/ffs/ffs_vnops.c 2007/05/31 14:05:34
@@ -790,8 +790,7 @@ */ if ((ip->i_mode & (ISUID | ISGID)) && resid > uio->uio_resid && ap->a_cred) { - if (priv_check_cred(ap->a_cred, PRIV_VFS_RETAINSUGID, - SUSER_ALLOWJAIL)) { + if (priv_check_cred(ap->a_cred, PRIV_VFS_RETAINSUGID, 0)) { ip->i_mode &= ~(ISUID | ISGID); DIP_SET(ip, i_mode, ip->i_mode); }
@@ -1121,8 +1120,7 @@ * tampering. */ if ((ip->i_mode & (ISUID | ISGID)) && resid > uio->uio_resid && ucred) { - if (priv_check_cred(ucred, PRIV_VFS_RETAINSUGID, - SUSER_ALLOWJAIL)) { + if (priv_check_cred(ucred, PRIV_VFS_RETAINSUGID, 0)) { ip->i_mode &= ~(ISUID | ISGID); dp->di_mode = ip->i_mode; }
--- //depot/projects/trustedbsd/base/sys/ufs/ufs/ufs_quota.c 2007/04/08 13:38:53
+++ //depot/projects/trustedbsd/priv/sys/ufs/ufs/ufs_quota.c 2007/05/31 14:05:34
@@ -515,7 +515,7 @@ int error, flags, vfslocked; struct nameidata nd; - error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAON, 0); + error = priv_check(td, PRIV_UFS_QUOTAON); if (error) return (error);
@@ -747,10 +747,7 @@ struct ufsmount *ump; int error; - /* - * XXXRW: This also seems wrong to allow in a jail? - */ - error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAOFF, 0); + error = priv_check(td, PRIV_UFS_QUOTAOFF); if (error) return (error);
@@ -783,8 +780,7 @@ switch (type) { case USRQUOTA: if ((td->td_ucred->cr_uid != id) && !unprivileged_get_quota) { - error = priv_check_cred(td->td_ucred, - PRIV_VFS_GETQUOTA, SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_VFS_GETQUOTA); if (error) return (error); }
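Review bot: The XXXRW comment asking whether quotaoff should be allowed in a jail is deleted in the @@ -747 hunk of ufs_quota.c, but that hunk only changes how the privilege is requested (priv_check() on the thread instead of priv_check_cred() on its own credential with flags 0); whether PRIV_UFS_QUOTAOFF is denied inside a jail is now decided wherever priv_check() consults the jail policy, which this diff does not show. If that policy denies it, a one-line note, `/* Jail policy for PRIV_UFS_QUOTAOFF is applied in priv_check(). */`, keeps the answer next to where the question was asked; if it does not, the original concern still stands and the comment should be kept. The enclosing function continues outside the hunk.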
@@ -793,8 +789,7 @@ case GRPQUOTA: if (!groupmember(id, td->td_ucred) && !unprivileged_get_quota) { - error = priv_check_cred(td->td_ucred, - PRIV_VFS_GETQUOTA, SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_VFS_GETQUOTA); if (error) return (error); }
@@ -830,8 +825,7 @@ struct dqblk newlim; int error; - error = priv_check_cred(td->td_ucred, PRIV_VFS_SETQUOTA, - SUSER_ALLOWJAIL); + error = priv_check(td, PRIV_VFS_SETQUOTA); if (error) return (error);
@@ -901,7 +895,7 @@ struct dqblk usage; int error; - error = priv_check_cred(td->td_ucred, PRIV_UFS_SETUSE, 0); + error = priv_check(td, PRIV_UFS_SETUSE); if (error) return (error);
--- //depot/projects/trustedbsd/base/sys/ufs/ufs/ufs_vnops.c 2007/05/28 12:57:17
+++ //depot/projects/trustedbsd/priv/sys/ufs/ufs/ufs_vnops.c 2007/05/31 14:05:34
@@ -490,12 +490,8 @@ * processes if the security.jail.chflags_allowed sysctl is * is non-zero; otherwise, they behave like unprivileged * processes. - * - * XXXRW: Move implementation of jail_chflags_allowed to - * kern_jail.c. */ - if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, - jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) { + if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) { if (ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) { error = securelevel_gt(cred, 0);
@@ -663,13 +659,11 @@ * jail(8). */ if (vp->v_type != VDIR && (mode & S_ISTXT)) { - if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, - SUSER_ALLOWJAIL)) + if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0)) return (EFTYPE); } if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) { - error = priv_check_cred(cred, PRIV_VFS_SETGID, - SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_SETGID, 0); if (error) return (error); }
@@ -718,7 +712,7 @@ */ if ((uid != ip->i_uid || (gid != ip->i_gid && !groupmember(gid, cred))) && - (error = priv_check_cred(cred, PRIV_VFS_CHOWN, SUSER_ALLOWJAIL))) + (error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0))) return (error); ogid = ip->i_gid; ouid = ip->i_uid;
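Review bot: In the ufs_vnops.c @@ -490 hunk the code no longer reads jail_chflags_allowed, yet the surviving context comment just above still says jailed processes may set system flags "if the security.jail.chflags_allowed sysctl is / is non-zero", so it now describes a decision taken somewhere else (the deleted XXXRW pointed at kern_jail.c) and still carries the doubled "is" across the line break. Rewrite it to say that the jail policy consulted by priv_check_cred() decides whether PRIV_VFS_SYSFLAGS is granted inside a jail, keeping the sysctl name in that sentence, or a reader checking this site will conclude the chflags_allowed behaviour has been lost. This is the one site in the change where a per-site jail knob, not just the generic SUSER_ALLOWJAIL flag, was folded into the argument 0, so it deserves a test that setting SF_IMMUTABLE from inside a jail still follows the sysctl both ways. The enclosing function starts and ends outside the hunk.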
@@ -790,8 +784,7 @@ #endif /* QUOTA */ ip->i_flag |= IN_CHANGE; if ((ip->i_mode & (ISUID | ISGID)) && (ouid != uid || ogid != gid)) { - if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, - SUSER_ALLOWJAIL)) { + if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) { ip->i_mode &= ~(ISUID | ISGID); DIP_SET(ip, i_mode, ip->i_mode); }
@@ -2371,8 +2364,7 @@ if (DOINGSOFTDEP(tvp)) softdep_change_linkcnt(ip); if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) && - priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID, - SUSER_ALLOWJAIL)) { + priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID, 0)) { ip->i_mode &= ~ISGID; DIP_SET(ip, i_mode, ip->i_mode); }