mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-27 08:00:11 +00:00
Code Issues Releases Activity

New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects

Browse Source 
This is a new helper function that leverages existing code: It calls
successively cr_canseeotheruids(), cr_canseeothergids() and
cr_canseejailproc() (as long as the previous didn't deny access).  Will
be used in a subsequent commit.

Reviewed by:            mhorne
MFC after:              2 weeks
Sponsored by:           Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40627
This commit is contained in:
Olivier Certner 2023-08-18 01:54:38 +02:00 committed by Mitchell Horne
parent 7974ca1cdb
commit e4a7b4f99c
2 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
sys/kern/kern_prot.c
View File

@ -1434,6 +1434,25 @@ cr_canseejailproc(struct ucred *u1, struct ucred *u2)
return (ESRCH);
}
/*
* Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
* policies. Determines if u1 "can see" u2 according to these policies.
* Returns: 0 for permitted, ESRCH otherwise
*/
int
cr_bsd_visible(struct ucred *u1, struct ucred *u2)
{
int error;
if ((error = cr_canseeotheruids(u1, u2)))
return (error);
if ((error = cr_canseeothergids(u1, u2)))
return (error);
if ((error = cr_canseejailproc(u1, u2)))
return (error);
return (0);
}
/*-
* Determine if u1 "can see" the subject specified by u2.
* Returns: 0 for permitted, an errno value otherwise

1
sys/sys/proc.h
View File

@ -1163,6 +1163,7 @@ void ast_sched(struct thread *td, int tda);
void ast_unsched_locked(struct thread *td, int tda);
struct thread *choosethread(void);
int cr_bsd_visible(struct ucred *u1, struct ucred *u2);
int cr_cansee(struct ucred *u1, struct ucred *u2);
int cr_canseesocket(struct ucred *cred, struct socket *so);
int cr_canseeothergids(struct ucred *u1, struct ucred *u2);