PERFORCE change 107082 for review
Robert Watson
rwatson at FreeBSD.org
Mon Oct 2 02:17:08 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107082
Change 107082 by rwatson at rwatson_peppercorn on 2006/10/02 09:16:11
Resolve more conflicts merging priv changes from 7.x to 6.x.
Affected files ...
.. //depot/projects/trustedbsd/priv6/src/sys/dev/dcons/dcons_os.c#3 edit
.. //depot/projects/trustedbsd/priv6/src/sys/i386/linux/linux_machdep.c#4 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_descrip.c#4 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_fork.c#4 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_ktrace.c#4 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/kern_linker.c#3 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_subr.c#4 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#4 edit
.. //depot/projects/trustedbsd/priv6/src/sys/net/if.c#3 edit
.. //depot/projects/trustedbsd/priv6/src/sys/net/raw_usrreq.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/priv6/src/sys/dev/dcons/dcons_os.c#3 (text+ko) ====
@@ -297,7 +297,8 @@
tp->t_state |= TS_CARR_ON;
ttyconsolemode(tp, 0);
ttsetwater(tp);
- } else if ((tp->t_state & TS_XCLUDE) && suser(td)) {
+ } else if ((tp->t_state & TS_XCLUDE) &&
+ priv_check(td, PRIV_TTY_EXCLUSIVE)) {
splx(s);
return (EBUSY);
}
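Review bot: A failed PRIV_TTY_EXCLUSIVE check on the new lines is reported as EBUSY rather than as the error priv_check() returns, unlike the other priv_check() sites in this change; that preserves the suser() behaviour being replaced but deserves a comment on the `else if`, e.g. `/* Exclusive-use tty: reopening requires PRIV_TTY_EXCLUSIVE; report EBUSY, as before. */`. No `#include <sys/priv.h>` hunk appears for this file (linux_machdep.c gets one in this same change), so confirm the header is already included from an earlier revision of the file. The enclosing function starts and ends outside the hunk.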
==== //depot/projects/trustedbsd/priv6/src/sys/i386/linux/linux_machdep.c#4 (text+ko) ====
@@ -38,6 +38,7 @@
#include <sys/malloc.h>
#include <sys/mman.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/resource.h>
#include <sys/resourcevar.h>
==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_descrip.c#4 (text+ko) ====
@@ -1338,8 +1338,8 @@
sx_xlock(&filelist_lock);
if ((openfiles >= maxuserfiles &&
- suser_cred(td->td_ucred, SUSER_RUID) != 0) ||
- openfiles >= maxfiles) {
+ priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0)
+ || openfiles >= maxfiles) {
if (ppsratecheck(&lastfail, &curfail, 1)) {
printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n",
td->td_ucred->cr_ruid);
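Review bot: The new condition starts its continuation line with `||`, which departs from style(9) and from the lines it replaces (and the `&&` two lines up), where the binary operator ends the line. Suggest `priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) ||` followed by `openfiles >= maxfiles) {`. The enclosing function starts and ends outside the hunk.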
==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_fork.c#4 (text+ko) ====
@@ -317,8 +317,11 @@
/*
* Increment the count of procs running with this uid. Don't allow
* a nonprivileged user to exceed their current limit.
+ *
+ * XXXRW: Can we avoid privilege here if it's not needed?
*/
- error = suser_cred(td->td_ucred, SUSER_RUID | SUSER_ALLOWJAIL);
+ error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID |
+ SUSER_ALLOWJAIL);
if (error == 0)
ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
else {
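Review bot: The new PRIV_PROC_LIMIT check runs before any limit is consulted, so every fork by a privileged process exercises the privilege (and whatever bookkeeping priv_check_cred() does on success) even when the process is far below its limit — which is exactly what the added XXXRW comment asks about. One way to answer it is to try the limited `chgproccnt()` first and fall back to the unlimited `chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0)` only when that fails and `priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID | SUSER_ALLOWJAIL)` succeeds. The `else` branch that presumably holds the limited call begins on the hunk's last line and continues outside it, so the exact rewrite cannot be given here; the enclosing function also starts and ends outside the hunk.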
==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_ktrace.c#4 (text+ko) ====
@@ -807,7 +807,8 @@
p->p_tracecred = crhold(td->td_ucred);
}
p->p_traceflag |= facs;
- if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
+ if (priv_check_cred(td->td_ucred, PRIV_KTRACE,
+ SUSER_ALLOWJAIL) == 0)
p->p_traceflag |= KTRFAC_ROOT;
} else {
/* KTROP_CLEAR */
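Review bot: The new priv_check_cred() call is used as a predicate rather than an access check — a non-zero result is not an error here, it merely leaves KTRFAC_ROOT clear — which is the opposite sense from every other call site in this change and is easy to misread; a one-line comment would help, e.g. `/* Not an access check: record whether tracing was enabled with privilege. */`. The credential tested is td->td_ucred, the same one just stored in p->p_tracecred via crhold() above, which the comment could also note. The enclosing function starts and ends outside the hunk.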
==== //depot/projects/trustedbsd/priv6/src/sys/kern/kern_linker.c#3 (text+ko) ====
@@ -764,7 +764,7 @@
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
goto out;
- if ((error = suser(td)) != 0)
+ if ((error = priv_check(td, PRIV_KLD_LOAD)) != 0)
goto out;
pathname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
@@ -810,7 +810,7 @@
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
goto out;
- if ((error = suser(td)) != 0)
+ if ((error = priv_check(td, PRIV_KLD_UNLOAD)) != 0)
goto out;
lf = linker_find_file_by_id(fileid);
==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_subr.c#4 (text+ko) ====
@@ -3250,56 +3250,46 @@
return (0);
privcheck:
- if (!suser_cred(cred, SUSER_ALLOWJAIL)) {
- /* XXX audit: privilege used */
- if (privused != NULL)
- *privused = 1;
- return (0);
- }
-
-#ifdef CAPABILITIES
/*
- * Build a capability mask to determine if the set of capabilities
+ * Build a privilege mask to determine if the set of privileges
* satisfies the requirements when combined with the granted mask
- * from above.
- * For each capability, if the capability is required, bitwise
- * or the request type onto the cap_granted mask.
+ * from above. For each privilege, if the privilege is required,
+ * bitwise or the request type onto the priv_granted mask.
*/
- cap_granted = 0;
+ priv_granted = 0;
if (type == VDIR) {
/*
- * For directories, use CAP_DAC_READ_SEARCH to satisfy
- * VEXEC requests, instead of CAP_DAC_EXECUTE.
+ * For directories, use PRIV_VFS_LOOKUP to satisfy VEXEC
+ * requests, instead of PRIV_VFS_EXEC.
*/
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
- cap_granted |= VEXEC;
+ !priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL))
+ priv_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_EXECUTE, SUSER_ALLOWJAIL))
- cap_granted |= VEXEC;
+ !priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL))
+ priv_granted |= VEXEC;
}
if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
- cap_granted |= VREAD;
+ !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL))
+ priv_granted |= VREAD;
if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL))
- cap_granted |= (VWRITE | VAPPEND);
+ !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL))
+ priv_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) &&
- !cap_check(cred, NULL, CAP_FOWNER, SUSER_ALLOWJAIL))
- cap_granted |= VADMIN;
+ !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL))
+ priv_granted |= VADMIN;
- if ((acc_mode & (cap_granted | dac_granted)) == acc_mode) {
+ if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) {
/* XXX audit: privilege used */
if (privused != NULL)
*privused = 1;
return (0);
}
-#endif
return ((acc_mode & VADMIN) ? EPERM : EACCES);
}
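Review bot: A request for VAPPEND without VWRITE is no longer satisfiable by privilege: the blanket `suser_cred()` grant removed at the top of the hunk covered any acc_mode, while the remaining per-privilege path only grants VAPPEND as a side effect of the PRIV_VFS_WRITE check (`priv_granted |= (VWRITE | VAPPEND)`), so a privileged caller asking for VAPPEND alone now falls through to EACCES unless dac_granted already covers it. If no caller passes VAPPEND on its own this is moot; otherwise add a parallel check, `if ((acc_mode & VAPPEND) && ((dac_granted & VAPPEND) == 0) && !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) priv_granted |= VAPPEND;`. Separately, `priv_granted` replaces `cap_granted`, whose declaration (presumably previously under `#ifdef CAPABILITIES`) lies outside this hunk — confirm it was renamed and declared unconditionally in an earlier hunk, or this will not compile. The enclosing function starts before the hunk.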
==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#4 (text+ko) ====
@@ -278,7 +278,7 @@
error = VFS_STATFS(mp, sp, td);
if (error)
goto out;
- if (suser(td)) {
+ if (priv_check(td, PRIV_VFS_GENERATION)) {
bcopy(sp, &sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
prison_enforce_statfs(td->td_ucred, mp, &sb);
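Review bot: The sanitizing branch is entered when priv_check() fails, i.e. for unprivileged callers, which is the reverse of how the other priv_check() calls in this change are used and is easy to misread; a comment on the `if` would help, e.g. `/* Unprivileged callers get a zeroed f_fsid plus whatever prison_enforce_statfs() filters. */`. The same five lines appear verbatim in the fstatfs hunk below; carrying the comment in both, or hoisting the copy-and-sanitize step into a small static helper, would keep them from drifting apart. Both enclosing functions start and end outside their hunks.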
@@ -362,7 +362,7 @@
error = VFS_STATFS(mp, sp, td);
if (error)
goto out;
- if (suser(td)) {
+ if (priv_check(td, PRIV_VFS_GENERATION)) {
bcopy(sp, &sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
prison_enforce_statfs(td->td_ucred, mp, &sb);
==== //depot/projects/trustedbsd/priv6/src/sys/net/if.c#3 (text+ko) ====
@@ -1504,12 +1504,16 @@
switch (cmd) {
case SIOCIFCREATE:
+ error = priv_check(td, PRIV_NET_IFCREATE);
+ if (error)
+ return (error);
+ return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name));
+
case SIOCIFDESTROY:
- if ((error = suser(td)) != 0)
+ error = priv_check(td, PRIV_NET_IFDESTROY);
+ if (error)
return (error);
- return ((cmd == SIOCIFCREATE) ?
- if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)) :
- if_clone_destroy(ifr->ifr_name));
+ return (if_clone_destroy(ifr->ifr_name));
case SIOCIFGCLONERS:
return (if_clone_list((struct if_clonereq *)data));
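Review bot: The new `return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name));` line in the SIOCIFCREATE case has unbalanced parentheses — three opened, two closed — and will not compile; it should read `return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)));`. The old combined body with the `cmd == SIOCIFCREATE` ternary was correct, so this looks like a slip while splitting the two cases. The enclosing switch and function start and end outside the hunk.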
==== //depot/projects/trustedbsd/priv6/src/sys/net/raw_usrreq.c#3 (text+ko) ====
@@ -164,8 +164,11 @@
if (rp == 0)
return EINVAL;
- if (td && (error = suser(td)) != 0)
- return error;
+ if (td != NULL) {
+ error = priv_check(td, PRIV_NET_RAW);
+ if (error)
+ return error;
+ }
return raw_attach(so, proto);
}
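Review bot: The new block keeps the pre-existing behaviour that a NULL td skips the PRIV_NET_RAW check entirely, and now that the privilege is named the reason deserves a comment on the `if (td != NULL)` line, e.g. `/* td is NULL for attaches made from kernel context, which are not subject to PRIV_NET_RAW. */` (the callers that pass NULL are not visible here, so confirm that wording). Style: the new `return error;` should be `return (error);` to match style(9) and the other returns added in this change. The enclosing function starts outside the hunk.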