PERFORCE change 108136 for review

Robert Watson rwatson at FreeBSD.org
Thu Oct 19 17:08:54 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=108136

Change 108136 by rwatson at rwatson_zoo on 2006/10/20 00:06:18

	Merge from HEAD priv(9):
	
	Clean up a number of priv(9) loose ends for VFS: make file system
	checks for utimes() NULL timestamp more consistent.
	
	Add privileges for dtrace.

Affected files ...

.. //depot/projects/trustedbsd/priv6/src/sys/fs/hpfs/hpfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv6/src/sys/fs/msdosfs/msdosfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv6/src/sys/fs/smbfs/smbfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_mount.c#5 edit
.. //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#6 edit
.. //depot/projects/trustedbsd/priv6/src/sys/sys/priv.h#3 edit

Differences ...

==== //depot/projects/trustedbsd/priv6/src/sys/fs/hpfs/hpfs_vnops.c#3 (text+ko) ====

@@ -501,15 +501,12 @@
 	if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
-		/*
-		 * XXXRW: Why not just rely on the VOP_ACCESS() check here
-		 * instead of calling suser()?
-		 */
-		if (cred->cr_uid != hp->h_uid &&
-		    (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
-		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
-		    (error = VOP_ACCESS(vp, VWRITE, cred, td))))
-			return (error);
+		if (vap->va_vaflags & VA_UTIMES_NULL) {
+			error = VOP_ACCESS(vp, VADMIN, cred, td);
+			if (error)
+				error = VOP_ACCESS(vp, VWRITE, cred, td);
+		} else
+			error = VOP_ACCESS(vp, VADMIN, cred, td);
 		if (vap->va_atime.tv_sec != VNOVAL)
 			hp->h_atime = vap->va_atime.tv_sec;
 		if (vap->va_mtime.tv_sec != VNOVAL)

==== //depot/projects/trustedbsd/priv6/src/sys/fs/msdosfs/msdosfs_vnops.c#3 (text+ko) ====

@@ -484,15 +484,13 @@
 	if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
-		/*
-		 * XXXRW: Isn't VOP_ACCESS() enough here?  Why is suser()
-		 * required?
-		 */
-		if (cred->cr_uid != pmp->pm_uid &&
-		    (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
-		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
-		    (error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_td))))
-			return (error);
+		if (vap->va_vaflags & VA_UTIMES_NULL) {
+			error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td); 
+			if (error)
+				error = VOP_ACCESS(vp, VWRITE, cred,
+				    ap->a_td);
+		} else
+			error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
 		if (vp->v_type != VDIR) {
 			if ((pmp->pm_flags & MSDOSFSMNT_NOWIN95) == 0 &&
 			    vap->va_atime.tv_sec != VNOVAL) {

==== //depot/projects/trustedbsd/priv6/src/sys/fs/smbfs/smbfs_vnops.c#3 (text+ko) ====

@@ -352,14 +352,13 @@
 	if (vap->va_atime.tv_sec != VNOVAL)
 		atime = &vap->va_atime;
 	if (mtime != atime) {
-		/*
-		 * XXXRW: Isn't VOP_ACCESS() here sufficient?  Why suser()?
-		 */
-		if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_uid &&
-		    (error = suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) &&
-		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
-		    (error = VOP_ACCESS(vp, VWRITE, ap->a_cred, ap->a_td))))
-			return (error);
+		if (vap->va_vaflags & VA_UTIMES_NULL) {
+			error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
+			if (error)
+				error = VOP_ACCESS(vp, VWRITE, ap->a_cred,
+				    ap->a_td);
+		} else
+			error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
 #if 0
 		if (mtime == NULL)
 			mtime = &np->n_mtime;

==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_mount.c#5 (text+ko) ====

@@ -796,12 +796,11 @@
 	}
 	/*
 	 * Silently enforce MNT_NOSUID and MNT_USER for unprivileged users.
-	 *
-	 * XXXRW: Which privileges to map this to?  Wouldn't it be better
-	 * to see if they weren't already set and only then check privilege?
 	 */
-	if (suser(td) != 0)
-		fsflags |= MNT_NOSUID | MNT_USER;
+	if ((fsflags & (MNT_NOSUID | MNT_USER)) != (MNT_NOSUID | MNT_USER)) {
+		if (priv_check(td, PRIV_VFS_MOUNT_NONUSER) != 0)
+			fsflags |= MNT_NOSUID | MNT_USER;
+	}
 
 	/* Load KLDs before we lock the covered vnode to avoid reversals. */
 	vfsp = NULL;

==== //depot/projects/trustedbsd/priv6/src/sys/kern/vfs_syscalls.c#6 (text+ko) ====

@@ -1206,9 +1206,14 @@
 	case S_IFBLK:
 		error = priv_check(td, PRIV_VFS_MKNOD_DEV);
 		break;
+	case S_IFMT:
+		error = priv_check(td, PRIV_VFS_MKNOD_BAD);
+		break;
+	case S_IFWHT:
+		error = priv_check(td, PRIV_VFS_MKNOD_WHT);
+		break;
 	default:
-		/* XXXRW: Should do a full enumeration here. */
-		error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+		error = EINVAL;
 		break;
 	}
 	if (error)
@@ -1253,8 +1258,7 @@
 			whiteout = 1;
 			break;
 		default:
-			error = EINVAL;
-			break;
+			panic("kern_mknod: invalid mode");
 		}
 	}
 	if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {

==== //depot/projects/trustedbsd/priv6/src/sys/sys/priv.h#3 (text+ko) ====

@@ -104,6 +104,9 @@
 	PRIV_DEBUG_DIFFCRED,	/* Exempt debugging other users. */
 	PRIV_DEBUG_SUGID,	/* Exempt debugging setuid proc. */
 	PRIV_DEBUG_UNPRIV,	/* Exempt unprivileged debug limit. */
+	PRIV_DTRACE_KERNEL,	/* Allow use of DTrace on the kernel. */
+	PRIV_DTRACE_USER,	/* Allow process to submit DTrace events. */
+	PRIV_DTRACE_PROC,	/* Allow attaching DTrace to process. */
 	PRIV_FIRMWARE_LOAD,	/* Can load firmware. */
 	PRIV_JAIL_ATTACH,	/* Attach to a jail. */
 	PRIV_KENV_SET,		/* Set kernel env. variables. */
@@ -167,12 +170,15 @@
 	PRIV_VFS_GENERATION,	/* stat() returns generation number. */
 	PRIV_VFS_GETFH,		/* Can retrieve file handles. */
 	PRIV_VFS_LINK,		/* bsd.hardlink_check_uid */
-	PRIV_VFS_MKNOD_DEV,	/* Can create device nodes. */
+	PRIV_VFS_MKNOD_BAD,	/* Can use mknod() to mark bad inodes. */
+	PRIV_VFS_MKNOD_DEV,	/* Can use mknod() to create device nodes. */
+	PRIV_VFS_MKNOD_WHT,	/* Can use mknod() to create whiteout. */
 	PRIV_VFS_MOUNT,		/* Can mount(). */
 	PRIV_VFS_MOUNT_OWNER,	/* Override owner on user mounts. */
 	PRIV_VFS_MOUNT_EXPORTED,	/* Can set MNT_EXPORTED on mount. */
 	PRIV_VFS_MOUNT_PERM,	/* Override device node perms at mount. */
 	PRIV_VFS_MOUNT_SUIDDIR,	/* Can set MNT_SUIDDIR on mount. */
+	PRIV_VFS_MOUNT_NONUSER,	/* Can perform a non-user mount. */
 	PRIV_VFS_SETGID,	/* Can setgid if not in group. */
 	PRIV_VFS_STICKYFILE,	/* Can set sticky bit on file. */
 	PRIV_VFS_SYSFLAGS,	/* Can modify system flags. */


More information about the trustedbsd-cvs mailing list