PERFORCE change 79529 for review
Robert Watson
rwatson at FreeBSD.org
Mon Jul 4 11:00:29 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79529
Change 79529 by rwatson at rwatson_paprika on 2005/07/04 11:00:13
Convert some new suser() calls into cap_check() calls.
In the fork() case, we might want CAP_SYS_RESOURCE instead.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_fork.c#12 edit
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_prot.c#13 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_fork.c#12 (text+ko) ====
@@ -286,7 +286,7 @@
sx_xlock(&allproc_lock);
uid = td->td_ucred->cr_ruid;
if ((nprocs >= maxproc - 10 &&
- suser_cred(td->td_ucred, SUSER_RUID) != 0) ||
+ cap_check_cred(td->td_ucred, CAP_SYS_ADMIN, SUSER_RUID) != 0) ||
nprocs >= maxproc) {
error = EAGAIN;
goto fail;
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_prot.c#13 (text+ko) ====
@@ -548,7 +548,8 @@
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
uid == oldcred->cr_uid ||
#endif
- suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
+ /* we are using privs */
+ cap_check_cred(oldcred, CAP_SETUID, SUSER_ALLOWJAIL) == 0)
#endif
{
/*
@@ -709,7 +710,8 @@
#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
gid == oldcred->cr_groups[0] ||
#endif
- suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
+ /* we are using privs */
+ cap_check_cred(oldcred, CAP_SETGID, SUSER_ALLOWJAIL) == 0)
#endif
{
/*
@@ -1454,7 +1456,8 @@
break;
}
if (!match) {
- if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
+ if (cap_check_cred(u1, CAP_SYS_ADMIN,
+ SUSER_ALLOWJAIL) != 0)
return (ESRCH);
}
}
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list