authorrwatson <rwatson@FreeBSD.org>2001-09-26 20:41:48 +0000
committerrwatson <rwatson@FreeBSD.org>2001-09-26 20:41:48 +0000
commitc3b85750019e1db5db54add33f31308979fb356f (patch)
treece34d904ac8d4d05b872799d07247a020146471c /sys/kern/kern_prot.c
parent90600b5b23c1efdeb657e94c049491223c25ff67 (diff)
o When performing a securelevel check as part of securelevel_ge() or
securelevel_gt(), determine first if a local securelevel exists -- if so, perform the check based on imax(local, global). Otherwise, simply use the global value. o Note: even though local securelevels might lag below the global one, if the global value is updated to higher than local values, maximum will still be used, making the global dominant even if there is local lag. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/kern/kern_prot.c')
-rw-r--r--sys/kern/kern_prot.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 1f52132..69b086b 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1301,18 +1301,14 @@ suser_xxx(cred, proc, flag)
/*
- * Test securelevel values against passed required securelevel.
- * _gt implements (level > securelevel), and _ge implements
+ * Test (local, globale) securelevel values against passed required
+ * securelevel. _gt implements (level > securelevel), and _ge implements
* (level >= securelevel). Returns 0 oer EPERM.
*
* cr is permitted to be NULL for the time being, as there were some
* existing securelevel checks that occurred without a process/credential
* context. In the future this will be disallowed, so a kernel
* message is displayed.
- *
- * XXX: The redundant construction below is to facilitate the merging
- * of support for per-jail securelevels, which maintain a local
- * jail securelevel in the process credential.
*/
int
securelevel_gt(struct ucred *cr, int level)
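Review bot: The rewritten header comment introduces the typo "globale" and keeps the older "0 oer EPERM", and it never says how the local and global values are combined. The rule that the check uses `imax(cr->cr_prison->pr_securelevel, securelevel)` when `cr->cr_prison` is non-NULL, so a local value can only raise the effective level and never lower it, is stated only in the commit message. I would reword the first lines to `* Test the effective securelevel against the passed required securelevel.` followed by `* The effective value is imax(local, global) when the credential has a prison, else the global value.`, and fix "oer" to "or". The body of securelevel_gt() lies outside this hunk.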
@@ -1324,12 +1320,18 @@ securelevel_gt(struct ucred *cr, int level)
return (0);
else
return (EPERM);
- } else {
+ } else if (cr->cr_prison == NULL) {
if (level > securelevel)
return (0);
else
return (EPERM);
+ } else {
+ if (level > imax(cr->cr_prison->pr_securelevel, securelevel))
+ return (0);
+ else
+ return (EPERM);
}
+
}
int
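Review bot: The comparison that decides 0 versus EPERM is now written out three times in securelevel_gt(), and three more times in securelevel_ge() in the last hunk. For an access-control check it is safer to select the effective securelevel once and compare once, so the branches cannot drift apart. A sketch follows; the top of the function and the start of the `cr == NULL` branch are outside the hunk and are left as they are. The blank line added before the closing brace can be dropped as well.

```c
	int active;	/* goes with the function's other locals */

	/* … unchanged: cr == NULL branch (returns on both arms in the visible context) … */
	active = securelevel;
	if (cr->cr_prison != NULL)
		active = imax(cr->cr_prison->pr_securelevel, securelevel);
	return (level > active ? 0 : EPERM);
```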
@@ -1342,11 +1344,16 @@ securelevel_ge(struct ucred *cr, int level)
return (0);
else
return (EPERM);
- } else {
+ } if (cr->cr_prison == NULL) {
if (level >= securelevel)
return (0);
else
return (EPERM);
+ } else {
+ if (level >= imax(cr->cr_prison->pr_securelevel, securelevel))
+ return (0);
+ else
+ return (EPERM);
}
}
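Review bot: The added line `} if (cr->cr_prison == NULL) {` in securelevel_ge() drops the `else` that the matching line in securelevel_gt() has. In the visible context the preceding branch returns on both arms, so a NULL `cr` presumably never reaches the `cr->cr_prison` dereference today. That safety then depends on those returns rather than on the control flow, and a later edit to that branch would turn it into a NULL dereference in the kernel. The line should read `} else if (cr->cr_prison == NULL) {`. The head of the function, including the test on `cr`, is outside the hunk.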