author | rwatson <rwatson@FreeBSD.org> | 2002-07-22 03:57:07 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-07-22 03:57:07 +0000 |
commit | 7be639a7c001f8dc5f8e7b6d1951845156bb997d (patch) | |
tree | 174e3bfd203f2088fac3efc5f68dfc8e96d1c5a3 /sys/kern/kern_acl.c | |
parent | c578ffd6e110dce1199cb540aa12951448b6e570 (diff) | |
Teach discretionary access control methods for files about VAPPEND
and VALLPERM.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern/kern_acl.c')
-rw-r--r-- | sys/kern/kern_acl.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/sys/kern/kern_acl.c b/sys/kern/kern_acl.c
index 70be0ec..60ce1bf 100644
--- a/sys/kern/kern_acl.c
+++ b/sys/kern/kern_acl.c
@@ -88,7 +88,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 */
 #ifndef CAPABILITIES
 if (suser_cred(cred, PRISON_ROOT) == 0)
- cap_granted = (VEXEC | VREAD | VWRITE | VADMIN);
+ cap_granted = VALLPERM;
 else
 cap_granted = 0;
 #else
@@ -108,9 +108,9 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 PRISON_ROOT))
 cap_granted |= VREAD;
- if ((acc_mode & VWRITE) && !cap_check(cred, NULL, CAP_DAC_WRITE,
- PRISON_ROOT))
- cap_granted |= VWRITE;
+ if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
+ !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
+ cap_granted |= (VWRITE | VAPPEND);
 if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER,
 PRISON_ROOT))
@@ -136,7 +136,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl->acl_entry[i].ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 if ((acc_mode & dac_granted) == acc_mode)
 return (0);
 if ((acc_mode & (dac_granted | cap_granted)) ==
@@ -188,9 +188,9 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl_mask->ae_perm & ACL_READ)
 acl_mask_granted |= VREAD;
 if (acl_mask->ae_perm & ACL_WRITE)
- acl_mask_granted |= VWRITE;
+ acl_mask_granted |= (VWRITE | VAPPEND);
 } else
- acl_mask_granted = VEXEC | VREAD | VWRITE;
+ acl_mask_granted = VEXEC | VREAD | VWRITE | VAPPEND;
 /*
 * Iterate through user ACL entries. Do checks twice, first
@@ -212,7 +212,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl->acl_entry[i].ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 dac_granted &= acl_mask_granted;
 if ((acc_mode & dac_granted) == acc_mode)
 return (0);
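Review bot: The new CAP_DAC_WRITE condition in the @@ -108 hunk, `if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&`, tests the two bits one at a time where a single mask expresses the same test and matches how the rest of the function combines mode bits: `if ((acc_mode & (VWRITE | VAPPEND)) &&`. Adding both VWRITE and VAPPEND to cap_granted when only one was requested is benign here because the comparisons visible in the later hunks always intersect cap_granted with acc_mode before comparing, but that invariant is what makes the over-grant safe and nothing states it; a line such as `/* Surplus cap_granted bits are masked by acc_mode before any comparison. */` above the check would record it. The @@ -88 hunk replaces the explicit root grant with `cap_granted = VALLPERM;`, which is only equivalent to the CAPABILITIES path if VALLPERM includes VAPPEND; its definition is not in this diff, so that is worth confirming. The enclosing function vaccess_acl_posix1e begins before the first hunk.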
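Review bot: The mapping `dac_granted |= (VWRITE | VAPPEND);` for an ACL_WRITE entry in the @@ -136 hunk encodes a policy decision that the file never states — POSIX.1e ACL entries carry only read, write and execute bits, so write permission is taken to imply append and VAPPEND can never be granted by an ACL on its own; a comment at the first occurrence, e.g. `/* POSIX.1e ACLs have no append right: ACL_WRITE grants both VWRITE and VAPPEND. */`, would make that explicit for whoever next touches this check. The same ACL_READ/ACL_WRITE-to-vmode mapping is now repeated in the hunks at @@ -188 (including the acl_mask entry and its no-mask default), @@ -212, @@ -245, @@ -263, @@ -293, @@ -314 and @@ -345; a small static helper that converts an ae_perm value to mode bits and is called from each loop would keep the eight copies from drifting, which matters in an access-control decision where one stale copy would silently grant or deny append. Because the mask hunk applies the same ACL_WRITE mapping, `dac_granted &= acl_mask_granted` continues to constrain VAPPEND exactly as it constrains VWRITE, so the change appears internally consistent.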
@@ -245,7 +245,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl->acl_entry[i].ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 dac_granted &= acl_mask_granted;
 if ((acc_mode & dac_granted) == acc_mode)
@@ -263,7 +263,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl->acl_entry[i].ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 dac_granted &= acl_mask_granted;
 if ((acc_mode & dac_granted) == acc_mode)
@@ -293,7 +293,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl->acl_entry[i].ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 dac_granted &= acl_mask_granted;
 if ((acc_mode & (dac_granted | cap_granted)) !=
@@ -314,7 +314,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl->acl_entry[i].ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 dac_granted &= acl_mask_granted;
 if ((acc_mode & (dac_granted | cap_granted)) !=
@@ -345,7 +345,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
 if (acl_other->ae_perm & ACL_READ)
 dac_granted |= VREAD;
 if (acl_other->ae_perm & ACL_WRITE)
- dac_granted |= VWRITE;
+ dac_granted |= (VWRITE | VAPPEND);
 if ((acc_mode & dac_granted) == acc_mode)
 return (0);