git: ce4c78b612b1 - stable/14 - cr_canseejailproc(9): New man page

From: Mitchell Horne <mhorne_at_FreeBSD.org>
Date: Tue, 17 Oct 2023 19:43:28 UTC
The branch stable/14 has been updated by mhorne:

URL: https://cgit.FreeBSD.org/src/commit/?id=ce4c78b612b1d933320ae794b50f85f60db2e1a0

commit ce4c78b612b1d933320ae794b50f85f60db2e1a0
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:40 +0000
Commit:     Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-10-17 19:42:58 +0000

    cr_canseejailproc(9): New man page
    
    Reviewed by:            pauamma_gundo.com, mhorne
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40631
    
    (cherry picked from commit 29d863bb7ffc692998f21fa3e7a91afa1151cf1c)
---
 share/man/man9/Makefile            |  1 +
 share/man/man9/cr_canseejailproc.9 | 81 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index 08ad811fa901..71a11a7cc6c0 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -69,6 +69,7 @@ MAN=	accept_filter.9 \
 	counter.9 \
 	cpuset.9 \
 	cr_cansee.9 \
+	cr_canseejailproc.9 \
 	cr_canseeothergids.9 \
 	cr_canseeotheruids.9 \
 	critical_enter.9 \
diff --git a/share/man/man9/cr_canseejailproc.9 b/share/man/man9/cr_canseejailproc.9
new file mode 100644
index 000000000000..775c76722b05
--- /dev/null
+++ b/share/man/man9/cr_canseejailproc.9
@@ -0,0 +1,81 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_CANSEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_canseejailproc
+.Nd determine if subjects may see entities in sub-jails
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that a subject can see
+subjects or objects in its own jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+The
+.Fn cr_canseejailproc
+function returns 0 if the policy is disabled, both credentials are associated to
+the same jail, or if
+.Fa u1
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
+.Sh SEE ALSO
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.freebsd@certner.fr .