PERFORCE change 107657 for review
Robert Watson
rwatson at FreeBSD.org
Tue Oct 10 23:04:16 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107657
Change 107657 by rwatson at rwatson_zoo on 2006/10/11 06:03:44
Clean up a number of priv(9) loose ends for VFS: make file system
checks for utimes() NULL timestamp more consistent.
Add privileges for dtrace.
Affected files ...
.. //depot/projects/trustedbsd/priv/sys/fs/hpfs/hpfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/fs/smbfs/smbfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#4 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#5 edit
.. //depot/projects/trustedbsd/priv/sys/sys/priv.h#5 edit
Differences ...
==== //depot/projects/trustedbsd/priv/sys/fs/hpfs/hpfs_vnops.c#3 (text+ko) ====
@@ -501,15 +501,12 @@
if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
- /*
- * XXXRW: Why not just rely on the VOP_ACCESS() check here
- * instead of calling suser()?
- */
- if (cred->cr_uid != hp->h_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(vp, VWRITE, cred, td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, cred, td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, cred, td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, cred, td);
if (vap->va_atime.tv_sec != VNOVAL)
hp->h_atime = vap->va_atime.tv_sec;
if (vap->va_mtime.tv_sec != VNOVAL)
==== //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vnops.c#3 (text+ko) ====
@@ -484,15 +484,13 @@
if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
- /*
- * XXXRW: Isn't VOP_ACCESS() enough here? Why is suser()
- * required?
- */
- if (cred->cr_uid != pmp->pm_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, cred,
+ ap->a_td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
if (vp->v_type != VDIR) {
if ((pmp->pm_flags & MSDOSFSMNT_NOWIN95) == 0 &&
vap->va_atime.tv_sec != VNOVAL) {
==== //depot/projects/trustedbsd/priv/sys/fs/smbfs/smbfs_vnops.c#3 (text+ko) ====
@@ -352,14 +352,13 @@
if (vap->va_atime.tv_sec != VNOVAL)
atime = &vap->va_atime;
if (mtime != atime) {
- /*
- * XXXRW: Isn't VOP_ACCESS() here sufficient? Why suser()?
- */
- if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_uid &&
- (error = suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(vp, VWRITE, ap->a_cred, ap->a_td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, ap->a_cred,
+ ap->a_td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
#if 0
if (mtime == NULL)
mtime = &np->n_mtime;
==== //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#4 (text+ko) ====
@@ -825,12 +825,11 @@
}
/*
* Silently enforce MNT_NOSUID and MNT_USER for unprivileged users.
- *
- * XXXRW: Which privileges to map this to? Wouldn't it be better
- * to see if they weren't already set and only then check privilege?
*/
- if (suser(td) != 0)
- fsflags |= MNT_NOSUID | MNT_USER;
+ if ((fsflags & (MNT_NOSUID | MNT_USER)) != (MNT_NOSUID | MNT_USER)) {
+ if (priv_check(td, PRIV_VFS_MOUNT_NONUSER) != 0)
+ fsflags |= MNT_NOSUID | MNT_USER;
+ }
/* Load KLDs before we lock the covered vnode to avoid reversals. */
vfsp = NULL;
==== //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#5 (text+ko) ====
@@ -1184,9 +1184,14 @@
case S_IFBLK:
error = priv_check(td, PRIV_VFS_MKNOD_DEV);
break;
+ case S_IFMT:
+ error = priv_check(td, PRIV_VFS_MKNOD_BAD);
+ break;
+ case S_IFWHT:
+ error = priv_check(td, PRIV_VFS_MKNOD_WHT);
+ break;
default:
- /* XXXRW: Should do a full enumeration here. */
- error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+ error = EINVAL;
break;
}
if (error)
@@ -1231,8 +1236,7 @@
whiteout = 1;
break;
default:
- error = EINVAL;
- break;
+ panic("kern_mknod: invalid mode");
}
}
if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {
==== //depot/projects/trustedbsd/priv/sys/sys/priv.h#5 (text+ko) ====
@@ -104,6 +104,9 @@
PRIV_DEBUG_DIFFCRED, /* Exempt debugging other users. */
PRIV_DEBUG_SUGID, /* Exempt debugging setuid proc. */
PRIV_DEBUG_UNPRIV, /* Exempt unprivileged debug limit. */
+ PRIV_DTRACE_KERNEL, /* Allow use of DTrace on the kernel. */
+ PRIV_DTRACE_USER, /* Allow process to submit DTrace events. */
+ PRIV_DTRACE_PROC, /* Allow attaching DTrace to process. */
PRIV_FIRMWARE_LOAD, /* Can load firmware. */
PRIV_JAIL_ATTACH, /* Attach to a jail. */
PRIV_KENV_SET, /* Set kernel env. variables. */
@@ -167,12 +170,15 @@
PRIV_VFS_GENERATION, /* stat() returns generation number. */
PRIV_VFS_GETFH, /* Can retrieve file handles. */
PRIV_VFS_LINK, /* bsd.hardlink_check_uid */
- PRIV_VFS_MKNOD_DEV, /* Can create device nodes. */
+ PRIV_VFS_MKNOD_BAD, /* Can use mknod() to mark bad inodes. */
+ PRIV_VFS_MKNOD_DEV, /* Can use mknod() to create device nodes. */
+ PRIV_VFS_MKNOD_WHT, /* Can use mknod() to create whiteout. */
PRIV_VFS_MOUNT, /* Can mount(). */
PRIV_VFS_MOUNT_OWNER, /* Override owner on user mounts. */
PRIV_VFS_MOUNT_EXPORTED, /* Can set MNT_EXPORTED on mount. */
PRIV_VFS_MOUNT_PERM, /* Override device node perms at mount. */
PRIV_VFS_MOUNT_SUIDDIR, /* Can set MNT_SUIDDIR on mount. */
+ PRIV_VFS_MOUNT_NONUSER, /* Can perform a non-user mount. */
PRIV_VFS_SETGID, /* Can setgid if not in group. */
PRIV_VFS_STICKYFILE, /* Can set sticky bit on file. */
PRIV_VFS_SYSFLAGS, /* Can modify system flags. */
More information about the trustedbsd-cvs
mailing list