author | jhb <jhb@FreeBSD.org> | 2002-04-01 21:31:13 +0000 |
---|---|---|
committer | jhb <jhb@FreeBSD.org> | 2002-04-01 21:31:13 +0000 |
commit | dc2e474f79c1287592679cd5e0c4c2307feccd60 (patch) | |
tree | 79021f0d43a5858be317d5cd33eac8cd4962b336 /sys/kern | |
parent | 34c7d606c9818987384d404948ecdc98521462bd (diff) | |
Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API. The entire API now consists of two functions
similar to the pre-KSE API. The suser() function takes a thread pointer
as its only argument. The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0. The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.
Discussed on: smp@
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_acct.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_acl.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_exec.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_jail.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_ktrace.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_linker.c | 4 | ||||
-rw-r--r-- | sys/kern/kern_ntptime.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_prot.c | 85 | ||||
-rw-r--r-- | sys/kern/kern_resource.c | 6 | ||||
-rw-r--r-- | sys/kern/kern_shutdown.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_sysctl.c | 4 | ||||
-rw-r--r-- | sys/kern/kern_time.c | 6 | ||||
-rw-r--r-- | sys/kern/kern_xxx.c | 6 | ||||
-rw-r--r-- | sys/kern/subr_acl_posix1e.c | 2 | ||||
-rw-r--r-- | sys/kern/subr_prf.c | 2 | ||||
-rw-r--r-- | sys/kern/sysv_ipc.c | 4 | ||||
-rw-r--r-- | sys/kern/sysv_msg.c | 2 | ||||
-rw-r--r-- | sys/kern/tty.c | 12 | ||||
-rw-r--r-- | sys/kern/tty_cons.c | 2 | ||||
-rw-r--r-- | sys/kern/tty_pty.c | 2 | ||||
-rw-r--r-- | sys/kern/vfs_acl.c | 2 | ||||
-rw-r--r-- | sys/kern/vfs_extattr.c | 50 | ||||
-rw-r--r-- | sys/kern/vfs_subr.c | 2 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 50 | ||||
-rw-r--r-- | sys/kern/vfs_vnops.c | 2 |
25 files changed, 119 insertions, 138 deletions
diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c index afb0ab0..12c72cc 100644 --- a/sys/kern/kern_acct.c +++ b/sys/kern/kern_acct.c @@ -123,7 +123,7 @@ acct(td, uap) if (td != curthread) panic("acct"); /* XXXKSE DIAGNOSTIC */ /* Make sure that the caller is root. */ - error = suser_xxx(td->td_proc->p_ucred, NULL, 0); + error = suser(td); if (error) goto done2; diff --git a/sys/kern/kern_acl.c b/sys/kern/kern_acl.c index b0d0baf..55ab33e 100644 --- a/sys/kern/kern_acl.c +++ b/sys/kern/kern_acl.c @@ -89,7 +89,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid, * a DAC entry that matches but has failed to allow access. */ #ifndef CAPABILITIES - if (suser_xxx(cred, NULL, PRISON_ROOT) == 0) + if (suser_cred(cred, PRISON_ROOT) == 0) cap_granted = (VEXEC | VREAD | VWRITE | VADMIN); else cap_granted = 0; diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index ba68e68..36003c6 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -353,7 +353,7 @@ interpret: * we do not regain any tracing during a possible block. */ setsugid(p); - if (p->p_tracep && suser_xxx(oldcred, NULL, PRISON_ROOT)) { + if (p->p_tracep && suser_cred(oldcred, PRISON_ROOT)) { struct vnode *vtmp; if ((vtmp = p->p_tracep) != NULL) { diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index ac5b732..aae12be 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -87,7 +87,7 @@ jail(td, uap) pr->pr_ip = j.ip_number; PROC_LOCK(p); /* Implicitly fail if already in jail. */ - error = suser_xxx(p->p_ucred, NULL, 0); + error = suser_cred(p->p_ucred, 0); if (error) goto badcred; oldcred = p->p_ucred; diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 4991b0d..b94db2a 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c 
@@ -594,7 +594,7 @@ ktrcanset(callp, targetp) { if (targetp->p_traceflag & KTRFAC_ROOT && - suser_xxx(NULL, callp, PRISON_ROOT)) + suser_cred(callp->p_ucred, PRISON_ROOT)) return (0); if (p_candebug(callp, targetp) != 0) diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c index 1050b33..bad5e1e 100644 --- a/sys/kern/kern_linker.c +++ b/sys/kern/kern_linker.c @@ -703,7 +703,7 @@ kldload(struct thread *td, struct kldload_args *uap) if ((error = securelevel_gt(td->td_ucred, 0)) != 0) goto out; - if ((error = suser_xxx(td->td_ucred, NULL, 0)) != 0) + if ((error = suser(td)) != 0) goto out; pathname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); @@ -750,7 +750,7 @@ kldunload(struct thread *td, struct kldunload_args *uap) if ((error = securelevel_gt(td->td_ucred, 0)) != 0) goto out; - if ((error = suser_xxx(td->td_ucred, NULL, 0)) != 0) + if ((error = suser(td)) != 0) goto out; lf = linker_find_file_by_id(SCARG(uap, fileid)); diff --git a/sys/kern/kern_ntptime.c b/sys/kern/kern_ntptime.c index 91daee0..96870e0 100644 --- a/sys/kern/kern_ntptime.c +++ b/sys/kern/kern_ntptime.c @@ -300,7 +300,7 @@ ntp_adjtime(struct thread *td, struct ntp_adjtime_args *uap) mtx_lock(&Giant); modes = ntv.modes; if (modes) - error = suser_td(td); + error = suser(td); if (error) goto done2; s = splclock(); diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index dc2a6be..3ba42b1 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -555,7 +555,7 @@ setuid(struct thread *td, struct setuid_args *uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ #endif - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); 
@@ -568,7 +568,7 @@ setuid(struct thread *td, struct setuid_args *uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ uid == oldcred->cr_uid || #endif - suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ + suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ #endif { /* @@ -629,7 +629,7 @@ seteuid(struct thread *td, struct seteuid_args *uap) oldcred = p->p_ucred; if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; /* * Everything's okay, do it. Copy credentials so other references do @@ -687,7 +687,7 @@ setgid(struct thread *td, struct setgid_args *uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ #endif - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); @@ -700,7 +700,7 @@ setgid(struct thread *td, struct setgid_args *uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ gid == oldcred->cr_groups[0] || #endif - suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ + suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ #endif { /* @@ -760,7 +760,7 @@ setegid(struct thread *td, struct setegid_args *uap) oldcred = p->p_ucred; if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); if (oldcred->cr_groups[0] != egid) { 
@@ -795,7 +795,7 @@ setgroups(struct thread *td, struct setgroups_args *uap) ngrp = uap->gidsetsize; mtx_lock(&Giant); oldcred = p->p_ucred; - if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + if ((error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; if (ngrp > NGROUPS) { error = EINVAL; @@ -857,7 +857,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap) ruid != oldcred->cr_svuid) || (euid != (uid_t)-1 && euid != oldcred->cr_uid && euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { @@ -907,7 +907,7 @@ setregid(register struct thread *td, struct setregid_args *uap) rgid != oldcred->cr_svgid) || (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { @@ -968,7 +968,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap) (suid != (uid_t)-1 && suid != oldcred->cr_ruid && suid != oldcred->cr_svuid && suid != oldcred->cr_uid)) && - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { @@ -1029,7 +1029,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap) (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && sgid != oldcred->cr_svgid && sgid != oldcred->cr_groups[0])) && - (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) + (error = suser_cred(oldcred, PRISON_ROOT)) != 0) goto done2; newcred = crdup(oldcred); if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 
@@ -1209,47 +1209,15 @@ TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); /* * Test whether the specified credentials imply "super-user" privilege. - * Return 0 or EPERM. + * Return 0 or EPERM. The flag argument is currently used only to + * specify jail interaction. */ int -suser(struct proc *p) +suser_cred(struct ucred *cred, int flag) { - return (suser_xxx(0, p, 0)); -} - -/* - * version for when the thread pointer is available and not the proc. - * (saves having to include proc.h into every file that needs to do the change.) - */ -int -suser_td(struct thread *td) -{ - return (suser_xxx(0, td->td_proc, 0)); -} - -/* - * wrapper to use if you have the thread on hand but not the proc. - * - * MPSAFE (cred must be held) - */ -int -suser_xxx_td(struct ucred *cred, struct thread *td, int flag) -{ - return(suser_xxx(cred, td->td_proc, flag)); -} - -int -suser_xxx(struct ucred *cred, struct proc *proc, int flag) -{ if (!suser_enabled) return (EPERM); - if (!cred && !proc) { - printf("suser_xxx(): THINK!\n"); - return (EPERM); - } - if (cred == NULL) - cred = proc->p_ucred; if (cred->cr_uid != 0) return (EPERM); if (jailed(cred) && !(flag & PRISON_ROOT)) @@ -1258,6 +1226,17 @@ suser_xxx(struct ucred *cred, struct proc *proc, int flag) } /* + * Shortcut to hide contents of struct td and struct proc from the + * caller, promoting binary compatibility. + */ +int +suser(struct thread *td) +{ + + return (suser_cred(td->td_ucred, 0)); +} + +/* * Test the active securelevel against a given level. securelevel_gt() * implements (securelevel > level). securelevel_ge() implements * (securelevel >= level). Note that the logic is inverted -- these @@ -1328,7 +1307,7 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2) { if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { - if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) + if (suser_cred(u1, PRISON_ROOT) != 0) return (ESRCH); } return (0); 
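Review bot: The new suser() in the second hunk on this line dereferences td->td_ucred with nothing in the code stating or checking that it is valid, although the commit message says only curthread and a few kernel threads such as thread0 satisfy that. The removed suser_xxx() failed closed with EPERM when it was handed neither a credential nor a process; suser_cred() now reads `cred->cr_uid` unconditionally, so a caller passing a thread whose td_ucred is unset would fault rather than be denied. I would state the precondition in the comment above suser(), e.g. `* td->td_ucred must be valid: pass curthread or a kernel thread such as thread0.`, and assert it with `KASSERT(td->td_ucred != NULL, ("suser: thread has no td_ucred"));`. The body of suser_cred() is split across the first two hunks here, so its final return statements are not visible.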
@@ -1416,7 +1395,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) break; default: /* Not permitted without privilege. */ - error = suser_xxx(cred, NULL, PRISON_ROOT); + error = suser_cred(cred, PRISON_ROOT); if (error) return (error); } @@ -1431,7 +1410,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) cred->cr_uid != proc->p_ucred->cr_ruid && cred->cr_uid != proc->p_ucred->cr_svuid) { /* Not permitted without privilege. */ - error = suser_xxx(cred, NULL, PRISON_ROOT); + error = suser_cred(cred, PRISON_ROOT); if (error) return (error); } @@ -1489,7 +1468,7 @@ p_cansched(struct proc *p1, struct proc *p2) return (0); if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) return (0); - if (suser_xxx(0, p1, PRISON_ROOT) == 0) + if (suser_cred(p1->p_ucred, PRISON_ROOT) == 0) return (0); #ifdef CAPABILITIES @@ -1530,7 +1509,7 @@ p_candebug(struct proc *p1, struct proc *p2) int credentialchanged, error, grpsubset, i, uidsubset; if (!unprivileged_proc_debug) { - error = suser_xxx(NULL, p1, PRISON_ROOT); + error = suser_cred(p1->p_ucred, PRISON_ROOT); if (error) return (error); } @@ -1576,7 +1555,7 @@ p_candebug(struct proc *p1, struct proc *p2) * require CAP_SYS_PTRACE. */ if (!grpsubset || !uidsubset || credentialchanged) { - error = suser_xxx(NULL, p1, PRISON_ROOT); + error = suser_cred(p1->p_ucred, PRISON_ROOT); if (error) return (error); } @@ -1828,7 +1807,7 @@ setlogin(struct thread *td, struct setlogin_args *uap) char logintmp[MAXLOGNAME]; mtx_lock(&Giant); - if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0) + if ((error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) goto done2; error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, sizeof(logintmp), (size_t *)0); diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c index fbd76c2..26349bd 100644 --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c 
@@ -258,7 +258,7 @@ donice(curp, chgp, n) if (n < PRIO_MIN) n = PRIO_MIN; if (n < chgp->p_ksegrp.kg_nice /* XXXKSE */ && - suser_xxx(curp->p_ucred, NULL, 0)) + suser_cred(curp->p_ucred, 0)) return (EACCES); chgp->p_ksegrp.kg_nice /* XXXKSE */ = n; (void)resetpriority(&chgp->p_ksegrp); /* XXXKSE */ @@ -320,7 +320,7 @@ rtprio(td, uap) (error = copyin(uap->rtp, &rtp, sizeof(struct rtprio)))) break; /* disallow setting rtprio in most cases if not superuser */ - if (suser_xxx(curp->p_ucred, NULL, 0) != 0) { + if (suser(td) != 0) { /* can't set someone else's */ if (uap->pid) { error = EPERM; @@ -521,7 +521,7 @@ dosetrlimit(td, which, limp) if (limp->rlim_cur > alimp->rlim_max || limp->rlim_max > alimp->rlim_max) - if ((error = suser_xxx(0, p, PRISON_ROOT))) + if ((error = suser_cred(td->td_ucred, PRISON_ROOT))) return (error); if (limp->rlim_cur > limp->rlim_max) limp->rlim_cur = limp->rlim_max; diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c index 3312b54..fe0cbb0 100644 --- a/sys/kern/kern_shutdown.c +++ b/sys/kern/kern_shutdown.c @@ -148,7 +148,7 @@ reboot(struct thread *td, struct reboot_args *uap) int error; mtx_lock(&Giant); - if ((error = suser_td(td)) == 0) + if ((error = suser(td)) == 0) boot(uap->opt); mtx_unlock(&Giant); return (error); diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index 9942ca1..6938706 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -463,7 +463,7 @@ sysctl_sysctl_debug(SYSCTL_HANDLER_ARGS) { int error; - error = suser(req->td->td_proc); + error = suser(req->td); if (error) return error; sysctl_sysctl_debug_dump_node(&sysctl__children, 0); @@ -1084,7 +1084,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS) flags = PRISON_ROOT; else flags = 0; - error = suser_xxx(NULL, req->td->td_proc, flags); + error = suser_cred(req->td->td_ucred, flags); if (error) return (error); } diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 970cb93..58c81ab 100644 --- a/sys/kern/kern_time.c 
+++ b/sys/kern/kern_time.c @@ -187,7 +187,7 @@ clock_settime(td, uap) int error; mtx_lock(&Giant); - if ((error = suser_td(td)) != 0) + if ((error = suser(td)) != 0) goto done2; if (SCARG(uap, clock_id) != CLOCK_REALTIME) { error = EINVAL; @@ -370,7 +370,7 @@ settimeofday(td, uap) mtx_lock(&Giant); - if ((error = suser_td(td))) + if ((error = suser(td))) goto done2; /* Verify all parameters before changing time. */ if (uap->tv) { @@ -421,7 +421,7 @@ adjtime(td, uap) mtx_lock(&Giant); - if ((error = suser_td(td))) + if ((error = suser(td))) goto done2; error = copyin((caddr_t)uap->delta, (caddr_t)&atv, sizeof(struct timeval)); diff --git a/sys/kern/kern_xxx.c b/sys/kern/kern_xxx.c index f3f19ee..9d4136b 100644 --- a/sys/kern/kern_xxx.c +++ b/sys/kern/kern_xxx.c @@ -97,7 +97,7 @@ osethostname(td, uap) name[0] = CTL_KERN; name[1] = KERN_HOSTNAME; mtx_lock(&Giant); - if ((error = suser_xxx(0, td->td_proc, PRISON_ROOT)) == 0) { + if ((error = suser_cred(td->td_ucred, PRISON_ROOT)) == 0) { error = userland_sysctl(td, name, 2, 0, 0, 0, uap->hostname, uap->len, 0); } @@ -143,7 +143,7 @@ osethostid(td, uap) int error; mtx_lock(&Giant); - if ((error = suser_td(td))) + if ((error = suser(td))) hostid = uap->hostid; mtx_unlock(&Giant); return (error); @@ -298,7 +298,7 @@ setdomainname(td, uap) int error, domainnamelen; mtx_lock(&Giant); - if ((error = suser_td(td))) + if ((error = suser(td))) goto done2; if ((u_int)uap->len > sizeof (domainname) - 1) { error = EINVAL; diff --git a/sys/kern/subr_acl_posix1e.c b/sys/kern/subr_acl_posix1e.c index b0d0baf..55ab33e 100644 --- a/sys/kern/subr_acl_posix1e.c +++ b/sys/kern/subr_acl_posix1e.c @@ -89,7 +89,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid, * a DAC entry that matches but has failed to allow access. */ #ifndef CAPABILITIES - if (suser_xxx(cred, NULL, PRISON_ROOT) == 0) + if (suser_cred(cred, PRISON_ROOT) == 0) cap_granted = (VEXEC | VREAD | VWRITE | VADMIN); else cap_granted = 0; 
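Review bot: In the osethostid hunk of kern_xxx.c the converted check still reads `if ((error = suser(td))) hostid = uap->hostid;`, which assigns the host id only when the privilege check fails and skips the assignment for a privileged caller. The commit carries this inverted condition over unchanged from the `suser_td(td)` line; the reboot() hunk in kern_shutdown.c shows the intended shape with `== 0`. The line should be `if ((error = suser(td)) == 0)`, so that an unprivileged caller gets the error back and the global is left untouched. The function's header and argument declarations are outside the hunk.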
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c index b670c67..d1c42a6 100644 --- a/sys/kern/subr_prf.c +++ b/sys/kern/subr_prf.c @@ -861,7 +861,7 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS) int error; if (!unprivileged_read_msgbuf) { - error = suser_td(req->td); + error = suser(req->td); if (error) return (error); } diff --git a/sys/kern/sysv_ipc.c b/sys/kern/sysv_ipc.c index 42a1465..fc5fd8f 100644 --- a/sys/kern/sysv_ipc.c +++ b/sys/kern/sysv_ipc.c @@ -81,7 +81,7 @@ ipcperm(td, perm, mode) /* Check for user match. */ if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid) { if (mode & IPC_M) - return (suser_td(td) == 0 ? 0 : EPERM); + return (suser(td) == 0 ? 0 : EPERM); /* Check for group match. */ mode >>= 3; if (!groupmember(perm->gid, cred) && @@ -93,5 +93,5 @@ ipcperm(td, perm, mode) if (mode & IPC_M) return (0); return ((mode & perm->mode) == mode || - suser_td(td) == 0 ? 0 : EACCES); + suser(td) == 0 ? 0 : EACCES); } diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c index a26a172..4dd2249 100644 --- a/sys/kern/sysv_msg.c +++ b/sys/kern/sysv_msg.c @@ -421,7 +421,7 @@ msgctl(td, uap) if ((error = copyin(user_msqptr, &msqbuf, sizeof(msqbuf))) != 0) goto done2; if (msqbuf.msg_qbytes > msqptr->msg_qbytes) { - error = suser_td(td); + error = suser(td); if (error) goto done2; } diff --git a/sys/kern/tty.c b/sys/kern/tty.c index c9a56fd..1214513 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -730,9 +730,11 @@ ttioctl(tp, cmd, data, flag) void *data; { register struct proc *p; + struct thread *td; int s, error; - p = curproc; /* XXX */ + td = curthread; /* XXX */ + p = td->td_proc; /* If the ioctl involves modification, hang if in the background. */ switch (cmd) { @@ -851,7 +853,7 @@ ttioctl(tp, cmd, data, flag) ISSET(constty->t_state, TS_CONNECTED)) return (EBUSY); #ifndef UCONSOLE - if ((error = suser_xxx(p->p_ucred, NULL, 0)) != 0) + if ((error = suser(td)) != 0) return (error); #endif constty = tp; 
@@ -1023,9 +1025,9 @@ ttioctl(tp, cmd, data, flag) splx(s); break; case TIOCSTI: /* simulate terminal input */ - if ((flag & FREAD) == 0 && suser_xxx(p->p_ucred, NULL, 0)) + if ((flag & FREAD) == 0 && suser(td)) return (EPERM); - if (!isctty(p, tp) && suser_xxx(p->p_ucred, NULL, 0)) + if (!isctty(p, tp) && suser(td)) return (EACCES); s = spltty(); (*linesw[tp->t_line].l_rint)(*(u_char *)data, tp); @@ -1099,7 +1101,7 @@ ttioctl(tp, cmd, data, flag) } break; case TIOCSDRAINWAIT: - error = suser_xxx(p->p_ucred, NULL, 0); + error = suser(td); if (error) return (error); tp->t_timeout = *(int *)data * hz; diff --git a/sys/kern/tty_cons.c b/sys/kern/tty_cons.c index d6f805c..91713c1 100644 --- a/sys/kern/tty_cons.c +++ b/sys/kern/tty_cons.c @@ -456,7 +456,7 @@ cnioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct thread *td) * output from the "virtual" console. */ if (cmd == TIOCCONS && constty) { - error = suser_td(td); + error = suser(td); if (error) return (error); constty = NULL; diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c index f1aa946..9bc2360 100644 --- a/sys/kern/tty_pty.c +++ b/sys/kern/tty_pty.c @@ -187,7 +187,7 @@ ptsopen(dev, flag, devtype, td) tp->t_lflag = TTYDEF_LFLAG; tp->t_cflag = TTYDEF_CFLAG; tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED; - } else if (tp->t_state & TS_XCLUDE && suser_xxx(td->td_ucred, NULL, 0)) { + } else if (tp->t_state & TS_XCLUDE && suser(td)) { return (EBUSY); } else if (pti->pt_prison != td->td_ucred->cr_prison) { return (EBUSY); diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c index b0d0baf..55ab33e 100644 --- a/sys/kern/vfs_acl.c +++ b/sys/kern/vfs_acl.c @@ -89,7 +89,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid, * a DAC entry that matches but has failed to allow access. */ #ifndef CAPABILITIES - if (suser_xxx(cred, NULL, PRISON_ROOT) == 0) + if (suser_cred(cred, PRISON_ROOT) == 0) cap_granted = (VEXEC | VREAD | VWRITE | VADMIN); else cap_granted = 0; 
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 9ed164b..3ecd199 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -374,7 +374,7 @@ vfs_nmount(td, fsflags, fsoptions) } if (usermount == 0) { - error = suser_td(td); + error = suser(td); if (error) goto bad; } @@ -382,14 +382,14 @@ vfs_nmount(td, fsflags, fsoptions) * Do not allow NFS export by non-root users. */ if (fsflags & MNT_EXPORTED) { - error = suser_td(td); + error = suser(td); if (error) goto bad; } /* * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users. */ - if (suser_xxx(td->td_ucred, NULL, 0) != 0) + if (suser(td)) fsflags |= MNT_NOSUID | MNT_NODEV; /* * Get vnode to be covered @@ -423,7 +423,7 @@ vfs_nmount(td, fsflags, fsoptions) * permitted to update it. */ if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); goto bad; @@ -460,7 +460,7 @@ vfs_nmount(td, fsflags, fsoptions) goto bad; } if (va.va_uid != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); goto bad; @@ -480,7 +480,7 @@ vfs_nmount(td, fsflags, fsoptions) break; if (vfsp == NULL) { /* Only load modules for root (very important!). */ - error = suser_td(td); + error = suser(td); if (error) { vput(vp); goto bad; @@ -722,7 +722,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) return (ENAMETOOLONG); if (usermount == 0) { - error = suser_td(td); + error = suser(td); if (error) return (error); } @@ -730,14 +730,14 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) * Do not allow NFS export by non-root users. */ if (fsflags & MNT_EXPORTED) { - error = suser_td(td); + error = suser(td); if (error) return (error); } /* * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users. */ - if (suser_xxx(td->td_ucred, NULL, 0) != 0) + if (suser(td)) fsflags |= MNT_NOSUID | MNT_NODEV; /* * Get vnode to be covered 
@@ -769,7 +769,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) * permitted to update it. */ if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -803,7 +803,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) return (error); } if (va.va_uid != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -822,7 +822,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) break; if (vfsp == NULL) { /* Only load modules for root (very important!). */ - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -1056,7 +1056,7 @@ unmount(td, uap) * permitted to unmount this filesystem. */ if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -1313,7 +1313,7 @@ statfs(td, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(td->td_ucred, 0, 0)) { + if (suser(td)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -1356,7 +1356,7 @@ fstatfs(td, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(td->td_ucred, 0, 0)) { + if (suser(td)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -1585,7 +1585,7 @@ chroot(td, uap) struct nameidata nd; struct vnode *vp; - error = suser_xxx(0, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); FILEDESC_LOCK(fdp); @@ -1868,10 +1868,10 @@ mknod(td, uap) switch (SCARG(uap, mode) & S_IFMT) { case S_IFCHR: case S_IFBLK: - error = suser_td(td); + error = suser(td); break; default: - error = suser_xxx(0, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); break; } if (error) 
@@ -2831,7 +2831,7 @@ setfflags(td, vp, flags) * chown can't fail when done as root. */ if (vp->v_type == VCHR || vp->v_type == VBLK) { - error = suser_xxx(td->td_ucred, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); } @@ -4089,7 +4089,7 @@ revoke(td, uap) } VOP_UNLOCK(vp, 0, td); if (td->td_ucred->cr_uid != vattr.va_uid) { - error = suser_xxx(0, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) goto out; } @@ -4158,7 +4158,7 @@ getfh(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->fname, td); @@ -4214,7 +4214,7 @@ fhopen(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); @@ -4390,7 +4390,7 @@ fhstat(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); @@ -4437,7 +4437,7 @@ fhstatfs(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); @@ -4454,7 +4454,7 @@ fhstatfs(td, uap) if ((error = VFS_STATFS(mp, sp, td)) != 0) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(td->td_ucred, 0, 0)) { + if (suser(td)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c index e3290a1..7967b04 100644 --- a/sys/kern/vfs_subr.c +++ b/sys/kern/vfs_subr.c @@ -3217,7 +3217,7 @@ vaccess(type, file_mode, file_uid, file_gid, acc_mode, cred, privused) return (0); privcheck: - if (!suser_xxx(cred, NULL, PRISON_ROOT)) { + if (!suser_cred(cred, PRISON_ROOT)) { /* XXX audit: privilege used */ if (privused != NULL) *privused = 1; diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 9ed164b..3ecd199 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c 
@@ -374,7 +374,7 @@ vfs_nmount(td, fsflags, fsoptions) } if (usermount == 0) { - error = suser_td(td); + error = suser(td); if (error) goto bad; } @@ -382,14 +382,14 @@ vfs_nmount(td, fsflags, fsoptions) * Do not allow NFS export by non-root users. */ if (fsflags & MNT_EXPORTED) { - error = suser_td(td); + error = suser(td); if (error) goto bad; } /* * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users. */ - if (suser_xxx(td->td_ucred, NULL, 0) != 0) + if (suser(td)) fsflags |= MNT_NOSUID | MNT_NODEV; /* * Get vnode to be covered @@ -423,7 +423,7 @@ vfs_nmount(td, fsflags, fsoptions) * permitted to update it. */ if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); goto bad; @@ -460,7 +460,7 @@ vfs_nmount(td, fsflags, fsoptions) goto bad; } if (va.va_uid != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); goto bad; @@ -480,7 +480,7 @@ vfs_nmount(td, fsflags, fsoptions) break; if (vfsp == NULL) { /* Only load modules for root (very important!). */ - error = suser_td(td); + error = suser(td); if (error) { vput(vp); goto bad; @@ -722,7 +722,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) return (ENAMETOOLONG); if (usermount == 0) { - error = suser_td(td); + error = suser(td); if (error) return (error); } @@ -730,14 +730,14 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) * Do not allow NFS export by non-root users. */ if (fsflags & MNT_EXPORTED) { - error = suser_td(td); + error = suser(td); if (error) return (error); } /* * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users. */ - if (suser_xxx(td->td_ucred, NULL, 0) != 0) + if (suser(td)) fsflags |= MNT_NOSUID | MNT_NODEV; /* * Get vnode to be covered @@ -769,7 +769,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) * permitted to update it. */ if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); 
@@ -803,7 +803,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) return (error); } if (va.va_uid != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -822,7 +822,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata) break; if (vfsp == NULL) { /* Only load modules for root (very important!). */ - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -1056,7 +1056,7 @@ unmount(td, uap) * permitted to unmount this filesystem. */ if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) { - error = suser_td(td); + error = suser(td); if (error) { vput(vp); return (error); @@ -1313,7 +1313,7 @@ statfs(td, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(td->td_ucred, 0, 0)) { + if (suser(td)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -1356,7 +1356,7 @@ fstatfs(td, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(td->td_ucred, 0, 0)) { + if (suser(td)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -1585,7 +1585,7 @@ chroot(td, uap) struct nameidata nd; struct vnode *vp; - error = suser_xxx(0, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); FILEDESC_LOCK(fdp); @@ -1868,10 +1868,10 @@ mknod(td, uap) switch (SCARG(uap, mode) & S_IFMT) { case S_IFCHR: case S_IFBLK: - error = suser_td(td); + error = suser(td); break; default: - error = suser_xxx(0, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); break; } if (error) @@ -2831,7 +2831,7 @@ setfflags(td, vp, flags) * chown can't fail when done as root. */ if (vp->v_type == VCHR || vp->v_type == VBLK) { - error = suser_xxx(td->td_ucred, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); } 
@@ -4089,7 +4089,7 @@ revoke(td, uap) } VOP_UNLOCK(vp, 0, td); if (td->td_ucred->cr_uid != vattr.va_uid) { - error = suser_xxx(0, td->td_proc, PRISON_ROOT); + error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) goto out; } @@ -4158,7 +4158,7 @@ getfh(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->fname, td); @@ -4214,7 +4214,7 @@ fhopen(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); @@ -4390,7 +4390,7 @@ fhstat(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); @@ -4437,7 +4437,7 @@ fhstatfs(td, uap) /* * Must be super user */ - error = suser_td(td); + error = suser(td); if (error) return (error); @@ -4454,7 +4454,7 @@ fhstatfs(td, uap) if ((error = VFS_STATFS(mp, sp, td)) != 0) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(td->td_ucred, 0, 0)) { + if (suser(td)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index f60ce7d..9eb60f9 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -638,7 +638,7 @@ vn_stat(vp, sb, td) } sb->st_flags = vap->va_flags; - if (suser_xxx(td->td_ucred, 0, 0)) + if (suser(td)) sb->st_gen = 0; else sb->st_gen = vap->va_gen; |