diff options
author | rwatson <rwatson@FreeBSD.org> | 2006-11-06 13:42:10 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-11-06 13:42:10 +0000 |
commit | 10d0d9cf473dc5f0ce1bf263ead445ffe7819154 (patch) | |
tree | b9dd284620eeaddbff089cef10e4b1afb7918279 /sys/netinet6/ipsec.c | |
parent | 7288104e2094825a9c98b9923f039817a76e2983 (diff) | |
download | FreeBSD-src-10d0d9cf473dc5f0ce1bf263ead445ffe7819154.zip FreeBSD-src-10d0d9cf473dc5f0ce1bf263ead445ffe7819154.tar.gz |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges. These may
require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
Diffstat (limited to 'sys/netinet6/ipsec.c')
-rw-r--r-- | sys/netinet6/ipsec.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c index 5ce3989..a0b356b 100644 --- a/sys/netinet6/ipsec.c +++ b/sys/netinet6/ipsec.c @@ -43,6 +43,7 @@ #include <sys/malloc.h> #include <sys/mbuf.h> #include <sys/domain.h> +#include <sys/priv.h> #include <sys/protosw.h> #include <sys/socket.h> #include <sys/socketvar.h> @@ -1221,8 +1222,14 @@ ipsec_init_pcbpolicy(so, pcb_sp) } bzero(new, sizeof(*new)); - if (so->so_cred != NULL && - suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0) + /* + * XXXRW: Can we avoid caching the privilege decision here, and + * instead cache the credential? + * + * XXXRW: Why is suser_allowjail set here? + */ + if (so->so_cred != NULL && priv_check_cred(so->so_cred, + PRIV_NETINET_IPSEC, 0) == 0) new->priv = 1; else new->priv = 0; |