1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-12 09:58:36 +00:00

Merge from POSIX.1e Capabilities development tree:

o POSIX.1e capabilities authorize overriding of VEXEC for VDIR based
  on CAP_DAC_READ_SEARCH, but of !VDIR based on CAP_DAC_EXECUTE.  Add
  appropriate conditionals to vaccess() to take that into account.
o Synchronization cap_check_xxx() -> cap_check() change.

Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2001-11-02 15:16:59 +00:00
parent 716d0f6c04
commit bcc0dc3dc7
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=85876

View File

@ -3006,20 +3006,31 @@ vaccess(type, file_mode, file_uid, file_gid, acc_mode, cred, privused)
* or the request type onto the cap_granted mask.
*/
cap_granted = 0;
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
!cap_check_xxx(cred, NULL, CAP_DAC_EXECUTE, PRISON_ROOT))
cap_granted |= VEXEC;
if (type == VDIR) {
/*
* For directories, use CAP_DAC_READ_SEARCH to satisfy
* VEXEC requests, instead of CAP_DAC_EXECUTE.
*/
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
!cap_check(cred, NULL, CAP_DAC_READ_SEARCH, PRISON_ROOT))
cap_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
!cap_check(cred, NULL, CAP_DAC_EXECUTE, PRISON_ROOT))
cap_granted |= VEXEC;
}
if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) &&
!cap_check_xxx(cred, NULL, CAP_DAC_READ_SEARCH, PRISON_ROOT))
!cap_check(cred, NULL, CAP_DAC_READ_SEARCH, PRISON_ROOT))
cap_granted |= VREAD;
if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) &&
!cap_check_xxx(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
!cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
cap_granted |= VWRITE;
if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) &&
!cap_check_xxx(cred, NULL, CAP_FOWNER, PRISON_ROOT))
!cap_check(cred, NULL, CAP_FOWNER, PRISON_ROOT))
cap_granted |= VADMIN;
if ((acc_mode & (cap_granted | dac_granted)) == acc_mode) {