authorrwatson <rwatson@FreeBSD.org>2007-06-12 00:12:01 +0000
committerrwatson <rwatson@FreeBSD.org>2007-06-12 00:12:01 +0000
commit00b02345d424dac8a490ff28ff75fd9386196583 (patch)
treec439df85bebf079d07319c231d64ac481577b036 /sys
parente93b04c2868ee901613297bfbd90ff9990d8300e (diff)
Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and no other flags were present. Eliminate caller-side jail exception checking (also now-unused); jail privilege exception code now goes solely in kern_jail.c. We can't yet eliminate suser() due to some cases in the KAME code where a privilege check is performed and then used in many different deferred paths. Do, however, move those prototypes to priv.h. Reviewed by: csjp Obtained from: TrustedBSD Project
Diffstat (limited to 'sys')
-rw-r--r--sys/cddl/compat/opensolaris/kern/opensolaris_policy.c29
-rw-r--r--sys/compat/linux/linux_misc.c3
-rw-r--r--sys/compat/linux/linux_uid16.c3
-rw-r--r--sys/compat/opensolaris/kern/opensolaris_policy.c29
-rw-r--r--sys/compat/svr4/svr4_fcntl.c3
-rw-r--r--sys/compat/svr4/svr4_misc.c3
-rw-r--r--sys/fs/devfs/devfs_vnops.c6
-rw-r--r--sys/fs/msdosfs/msdosfs_vnops.c12
-rw-r--r--sys/fs/procfs/procfs_ioctl.c3
-rw-r--r--sys/gnu/fs/ext2fs/ext2_vnops.c18
-rw-r--r--sys/kern/kern_exec.c3
-rw-r--r--sys/kern/kern_fork.c3
-rw-r--r--sys/kern/kern_ktrace.c5
-rw-r--r--sys/kern/kern_priv.c10
-rw-r--r--sys/kern/kern_prot.c59
-rw-r--r--sys/kern/kern_resource.c3
-rw-r--r--sys/kern/kern_sysctl.c3
-rw-r--r--sys/kern/subr_acl_posix1e.c12
-rw-r--r--sys/kern/sysv_ipc.c9
-rw-r--r--sys/kern/sysv_msg.c3
-rw-r--r--sys/kern/uipc_mqueue.c9
-rw-r--r--sys/kern/vfs_mount.c2
-rw-r--r--sys/kern/vfs_subr.c10
-rw-r--r--sys/kern/vfs_syscalls.c15
-rw-r--r--sys/netinet/in_pcb.c6
-rw-r--r--sys/netinet/raw_ip.c9
-rw-r--r--sys/netinet/sctp_pcb.c10
-rw-r--r--sys/netinet/sctp_usrreq.c14
-rw-r--r--sys/netinet/tcp_subr.c6
-rw-r--r--sys/netinet/udp_usrreq.c3
-rw-r--r--sys/netinet6/in6_pcb.c4
-rw-r--r--sys/netinet6/in6_src.c3
-rw-r--r--sys/netinet6/raw_ip6.c2
-rw-r--r--sys/netinet6/sctp6_usrreq.c8
-rw-r--r--sys/netinet6/udp6_usrreq.c6
-rw-r--r--sys/netipsec/ipsec_osdep.h4
-rw-r--r--sys/security/mac_portacl/mac_portacl.c3
-rw-r--r--sys/security/mac_seeotheruids/mac_seeotheruids.c3
-rw-r--r--sys/sys/priv.h12
-rw-r--r--sys/sys/systm.h6
-rw-r--r--sys/ufs/ffs/ffs_alloc.c4
-rw-r--r--sys/ufs/ffs/ffs_vnops.c6
-rw-r--r--sys/ufs/ufs/ufs_quota.c18
-rw-r--r--sys/ufs/ufs/ufs_vnops.c20
44 files changed, 144 insertions, 258 deletions
diff --git a/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c b/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c
index c109a4c..a09c9ec 100644
--- a/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c
+++ b/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c
@@ -72,7 +72,7 @@ secpolicy_basic_link(struct ucred *cred)
if (!hardlink_check_uid)
return (0);
- return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_LINK, 0));
}
int
@@ -86,7 +86,7 @@ int
secpolicy_vnode_remove(struct ucred *cred)
{
- return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@@ -94,23 +94,20 @@ secpolicy_vnode_access(struct ucred *cred, struct vnode *vp, uint64_t owner,
int mode)
{
- if ((mode & VREAD) &&
- priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) {
+ if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) {
return (EACCES);
}
if ((mode & VWRITE) &&
- priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) {
+ priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {
return (EACCES);
}
if (mode & VEXEC) {
if (vp->v_type == VDIR) {
- if (priv_check_cred(cred, PRIV_VFS_LOOKUP,
- SUSER_ALLOWJAIL) != 0) {
+ if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) {
return (EACCES);
}
} else {
- if (priv_check_cred(cred, PRIV_VFS_EXEC,
- SUSER_ALLOWJAIL) != 0) {
+ if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) {
return (EACCES);
}
}
@@ -124,7 +121,7 @@ secpolicy_vnode_setdac(struct ucred *cred, uid_t owner)
if (owner == cred->cr_uid)
return (0);
- return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@@ -173,8 +170,7 @@ secpolicy_vnode_setattr(struct ucred *cred, struct vnode *vp, struct vattr *vap,
if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
!groupmember(vap->va_gid, cred))) {
- error = priv_check_cred(cred, PRIV_VFS_CHOWN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@@ -214,7 +210,7 @@ secpolicy_vnode_setids_setgids(struct ucred *cred, gid_t gid)
{
if (!groupmember(gid, cred))
- return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_SETGID, 0));
return (0);
}
@@ -222,7 +218,7 @@ int
secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused)
{
- return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0));
}
void
@@ -230,8 +226,7 @@ secpolicy_setid_clear(struct vattr *vap, struct ucred *cred)
{
if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) {
- if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL)) {
+ if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
vap->va_mask |= AT_MODE;
vap->va_mode &= ~(S_ISUID|S_ISGID);
}
@@ -250,7 +245,7 @@ secpolicy_setid_setsticky_clear(struct vnode *vp, struct vattr *vap,
* is not a member of. Both of these are allowed in jail(8).
*/
if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) {
- if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL))
+ if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
return (EFTYPE);
}
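Review bot: The context comment above this call ("Both of these are allowed in jail(8).") now restates a decision that, per this commit, is made solely by prison_priv_check() in kern_jail.c, so it can silently drift if the jail policy for PRIV_VFS_STICKYFILE changes there. Consider rewording it to point at the owner of the policy, e.g. `* is not a member of. Whether either is permitted in jail(8) is decided by prison_priv_check().` The identical comment appears in the duplicate copy of this file under sys/compat/opensolaris/kern/opensolaris_policy.c and should be updated together. secpolicy_setid_setsticky_clear() begins before this hunk.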
/*
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 926efbc..9c066fc 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -1079,8 +1079,7 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
* Keep cr_groups[0] unchanged to prevent that.
*/
- if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
- SUSER_ALLOWJAIL)) != 0) {
+ if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
diff --git a/sys/compat/linux/linux_uid16.c b/sys/compat/linux/linux_uid16.c
index a8a1f5d..c474382 100644
--- a/sys/compat/linux/linux_uid16.c
+++ b/sys/compat/linux/linux_uid16.c
@@ -124,8 +124,7 @@ linux_setgroups16(struct thread *td, struct linux_setgroups16_args *args)
* Keep cr_groups[0] unchanged to prevent that.
*/
- if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
- SUSER_ALLOWJAIL)) != 0) {
+ if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
diff --git a/sys/compat/opensolaris/kern/opensolaris_policy.c b/sys/compat/opensolaris/kern/opensolaris_policy.c
index c109a4c..a09c9ec 100644
--- a/sys/compat/opensolaris/kern/opensolaris_policy.c
+++ b/sys/compat/opensolaris/kern/opensolaris_policy.c
@@ -72,7 +72,7 @@ secpolicy_basic_link(struct ucred *cred)
if (!hardlink_check_uid)
return (0);
- return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_LINK, 0));
}
int
@@ -86,7 +86,7 @@ int
secpolicy_vnode_remove(struct ucred *cred)
{
- return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@@ -94,23 +94,20 @@ secpolicy_vnode_access(struct ucred *cred, struct vnode *vp, uint64_t owner,
int mode)
{
- if ((mode & VREAD) &&
- priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) {
+ if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) {
return (EACCES);
}
if ((mode & VWRITE) &&
- priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) {
+ priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {
return (EACCES);
}
if (mode & VEXEC) {
if (vp->v_type == VDIR) {
- if (priv_check_cred(cred, PRIV_VFS_LOOKUP,
- SUSER_ALLOWJAIL) != 0) {
+ if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) {
return (EACCES);
}
} else {
- if (priv_check_cred(cred, PRIV_VFS_EXEC,
- SUSER_ALLOWJAIL) != 0) {
+ if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) {
return (EACCES);
}
}
@@ -124,7 +121,7 @@ secpolicy_vnode_setdac(struct ucred *cred, uid_t owner)
if (owner == cred->cr_uid)
return (0);
- return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
}
int
@@ -173,8 +170,7 @@ secpolicy_vnode_setattr(struct ucred *cred, struct vnode *vp, struct vattr *vap,
if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
!groupmember(vap->va_gid, cred))) {
- error = priv_check_cred(cred, PRIV_VFS_CHOWN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@@ -214,7 +210,7 @@ secpolicy_vnode_setids_setgids(struct ucred *cred, gid_t gid)
{
if (!groupmember(gid, cred))
- return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_SETGID, 0));
return (0);
}
@@ -222,7 +218,7 @@ int
secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused)
{
- return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL));
+ return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0));
}
void
@@ -230,8 +226,7 @@ secpolicy_setid_clear(struct vattr *vap, struct ucred *cred)
{
if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) {
- if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL)) {
+ if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
vap->va_mask |= AT_MODE;
vap->va_mode &= ~(S_ISUID|S_ISGID);
}
@@ -250,7 +245,7 @@ secpolicy_setid_setsticky_clear(struct vnode *vp, struct vattr *vap,
* is not a member of. Both of these are allowed in jail(8).
*/
if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) {
- if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL))
+ if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
return (EFTYPE);
}
/*
diff --git a/sys/compat/svr4/svr4_fcntl.c b/sys/compat/svr4/svr4_fcntl.c
index 6073e0d..8735abb 100644
--- a/sys/compat/svr4/svr4_fcntl.c
+++ b/sys/compat/svr4/svr4_fcntl.c
@@ -281,8 +281,7 @@ fd_revoke(td, fd)
goto out;
if (td->td_ucred->cr_uid != vattr.va_uid &&
- (error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check(td, PRIV_VFS_ADMIN)) != 0)
goto out;
if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0)
diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c
index a158fd7..e4c48c0 100644
--- a/sys/compat/svr4/svr4_misc.c
+++ b/sys/compat/svr4/svr4_misc.c
@@ -612,8 +612,7 @@ svr4_sys_fchroot(td, uap)
struct file *fp;
int error, vfslocked;
- if ((error = priv_check_cred(td->td_ucred, PRIV_VFS_FCHROOT,
- SUSER_ALLOWJAIL)) != 0)
+ if ((error = priv_check(td, PRIV_VFS_FCHROOT)) != 0)
return error;
if ((error = getvnode(fdp, uap->fd, &fp)) != 0)
return error;
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index d6c3232..0acf99b 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -1160,8 +1160,7 @@ devfs_setattr(struct vop_setattr_args *ap)
if (uid != de->de_uid || gid != de->de_gid) {
if ((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid ||
(gid != de->de_gid && !groupmember(gid, ap->a_cred))) {
- error = priv_check_cred(ap->a_td->td_ucred,
- PRIV_VFS_CHOWN, SUSER_ALLOWJAIL);
+ error = priv_check(ap->a_td, PRIV_VFS_CHOWN);
if (error)
return (error);
}
@@ -1172,8 +1171,7 @@ devfs_setattr(struct vop_setattr_args *ap)
if (vap->va_mode != (mode_t)VNOVAL) {
if (ap->a_cred->cr_uid != de->de_uid) {
- error = priv_check_cred(ap->a_td->td_ucred,
- PRIV_VFS_ADMIN, SUSER_ALLOWJAIL);
+ error = priv_check(ap->a_td, PRIV_VFS_ADMIN);
if (error)
return (error);
}
diff --git a/sys/fs/msdosfs/msdosfs_vnops.c b/sys/fs/msdosfs/msdosfs_vnops.c
index 33e5292..3231267 100644
--- a/sys/fs/msdosfs/msdosfs_vnops.c
+++ b/sys/fs/msdosfs/msdosfs_vnops.c
@@ -408,8 +408,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid) {
- error = priv_check_cred(cred, PRIV_VFS_ADMIN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0);
if (error)
return (error);
}
@@ -426,8 +425,7 @@ msdosfs_setattr(ap)
* sensible filesystem attempts it a lot.
*/
if (vap->va_flags & SF_SETTABLE) {
- error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0);
if (error)
return (error);
}
@@ -454,8 +452,7 @@ msdosfs_setattr(ap)
gid = pmp->pm_gid;
if (cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
(gid != pmp->pm_gid && !groupmember(gid, cred))) {
- error = priv_check_cred(cred, PRIV_VFS_CHOWN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@@ -520,8 +517,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid) {
- error = priv_check_cred(cred, PRIV_VFS_ADMIN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0);
if (error)
return (error);
}
diff --git a/sys/fs/procfs/procfs_ioctl.c b/sys/fs/procfs/procfs_ioctl.c
index bd003e0..ccff555 100644
--- a/sys/fs/procfs/procfs_ioctl.c
+++ b/sys/fs/procfs/procfs_ioctl.c
@@ -114,8 +114,7 @@ procfs_ioctl(PFS_IOCTL_ARGS)
* p_candebug() should implement it, or other checks
* are missing.
*/
- error = priv_check_cred(td->td_ucred,
- PRIV_DEBUG_SUGID, SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_DEBUG_SUGID);
if (error)
break;
}
diff --git a/sys/gnu/fs/ext2fs/ext2_vnops.c b/sys/gnu/fs/ext2fs/ext2_vnops.c
index a1167e1..04afdeb 100644
--- a/sys/gnu/fs/ext2fs/ext2_vnops.c
+++ b/sys/gnu/fs/ext2fs/ext2_vnops.c
@@ -415,8 +415,7 @@ ext2_setattr(ap)
* Privileged non-jail processes may not modify system flags
* if securelevel > 0 and any existing system flags are set.
*/
- if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
- SUSER_ALLOWJAIL)) {
+ if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) {
if (ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
error = securelevel_gt(cred, 0);
@@ -535,14 +534,12 @@ ext2_chmod(vp, mode, cred, td)
* process is not a member of.
*/
if (vp->v_type != VDIR && (mode & S_ISTXT)) {
- error = priv_check_cred(cred, PRIV_VFS_STICKYFILE,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0);
if (error)
return (EFTYPE);
}
if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) {
- error = priv_check_cred(cred, PRIV_VFS_SETGID,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_SETGID, 0);
if (error)
return (error);
}
@@ -586,8 +583,7 @@ ext2_chown(vp, uid, gid, cred, td)
*/
if (uid != ip->i_uid || (gid != ip->i_gid &&
!groupmember(gid, cred))) {
- error = priv_check_cred(cred, PRIV_VFS_CHOWN,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
if (error)
return (error);
}
@@ -597,8 +593,7 @@ ext2_chown(vp, uid, gid, cred, td)
ip->i_uid = uid;
ip->i_flag |= IN_CHANGE;
if ((ip->i_mode & (ISUID | ISGID)) && (ouid != uid || ogid != gid)) {
- if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL) != 0)
+ if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0) != 0)
ip->i_mode &= ~(ISUID | ISGID);
}
return (0);
@@ -1648,8 +1643,7 @@ ext2_makeinode(mode, dvp, vpp, cnp)
tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */
ip->i_nlink = 1;
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred)) {
- if (priv_check_cred(cnp->cn_cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL))
+ if (priv_check_cred(cnp->cn_cred, PRIV_VFS_RETAINSUGID, 0))
ip->i_mode &= ~ISGID;
}
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 78534ad..0e1b696 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -567,8 +567,7 @@ interpret:
#ifdef KTRACE
if (p->p_tracevp != NULL &&
- priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED,
- SUSER_ALLOWJAIL)) {
+ priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, 0)) {
mtx_lock(&ktrace_mtx);
p->p_traceflag = 0;
tracevp = p->p_tracevp;
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index ae69afe..f20cefe 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -306,8 +306,7 @@ fork1(td, flags, pages, procp)
*
* XXXRW: Can we avoid privilege here if it's not needed?
*/
- error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID |
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID);
if (error == 0)
ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
else {
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 5ff62fe..2b7ee33 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -793,8 +793,7 @@ ktrops(td, p, ops, facs, vp)
p->p_tracecred = crhold(td->td_ucred);
}
p->p_traceflag |= facs;
- if (priv_check_cred(td->td_ucred, PRIV_KTRACE,
- SUSER_ALLOWJAIL) == 0)
+ if (priv_check(td, PRIV_KTRACE) == 0)
p->p_traceflag |= KTRFAC_ROOT;
} else {
/* KTROP_CLEAR */
@@ -1000,7 +999,7 @@ ktrcanset(td, targetp)
PROC_LOCK_ASSERT(targetp, MA_OWNED);
if (targetp->p_traceflag & KTRFAC_ROOT &&
- priv_check_cred(td->td_ucred, PRIV_KTRACE, SUSER_ALLOWJAIL))
+ priv_check(td, PRIV_KTRACE))
return (0);
if (p_candebug(td, targetp) != 0)
diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
index 6d2d692..ebf01ba 100644
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -77,18 +77,8 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
/*
* Jail policy will restrict certain privileges that may otherwise be
* be granted.
- *
- * While debugging the transition from SUSER_ALLOWJAIL to Jail being
- * aware of specific privileges, perform run-time checking that the
- * two versions of the policy align. This assertion will go away
- * once the SUSER_ALLOWJAIL flag has gone away.
*/
error = prison_priv_check(cred, priv);
-#ifdef NOTYET
- KASSERT(!jailed(cred) || error == ((flags & SUSER_ALLOWJAIL) ? 0 :
- EPERM), ("priv_check_cred: prison_priv_check %d but flags %s",
- error, flags & SUSER_ALLOWJAIL ? "allowjail" : "!allowjail"));
-#endif
if (error)
return (error);
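Review bot: With the NOTYET cross-check removed, nothing in priv_check_cred() documents that the jail decision now rests entirely on prison_priv_check(), while the `flags` parameter in the signature remains and the only flag still passed by callers in this commit is SUSER_RUID (kern_fork.c). Suggest extending the retained comment to `* be granted; jail-specific exceptions live solely in prison_priv_check() (kern_jail.c), not in the flags argument.` The retained comment also reads "may otherwise be be granted", a doubled "be" worth fixing while this block is being edited. The rest of priv_check_cred() lies outside this hunk.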
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 36a5dc4..18d3b2a 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -511,8 +511,7 @@ setuid(struct thread *td, struct setuid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
#endif
- (error = priv_check_cred(oldcred, PRIV_CRED_SETUID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0)
goto fail;
/*
@@ -529,7 +528,7 @@ setuid(struct thread *td, struct setuid_args *uap)
uid == oldcred->cr_uid ||
#endif
/* We are using privs. */
- priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0)
+ priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0)
#endif
{
/*
@@ -602,8 +601,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
- (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0)
goto fail;
/*
@@ -672,8 +670,7 @@ setgid(struct thread *td, struct setgid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
#endif
- (error = priv_check_cred(oldcred, PRIV_CRED_SETGID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -687,7 +684,7 @@ setgid(struct thread *td, struct setgid_args *uap)
gid == oldcred->cr_groups[0] ||
#endif
/* We are using privs. */
- priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0)
+ priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0)
#endif
{
/*
@@ -756,8 +753,7 @@ setegid(struct thread *td, struct setegid_args *uap)
if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
- (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -817,8 +813,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
goto fail;
#endif
- error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0);
if (error)
goto fail;
@@ -887,8 +882,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
ruid != oldcred->cr_svuid) ||
(euid != (uid_t)-1 && euid != oldcred->cr_uid &&
euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
- (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -953,8 +947,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
rgid != oldcred->cr_svgid) ||
(egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
- (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -1030,8 +1023,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
(suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
suid != oldcred->cr_svuid &&
suid != oldcred->cr_uid)) &&
- (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -1108,8 +1100,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
(sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
sgid != oldcred->cr_svgid &&
sgid != oldcred->cr_groups[0])) &&
- (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -1317,8 +1308,7 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2)
{
if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
- if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL)
- != 0)
+ if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0)
return (ESRCH);
}
return (0);
@@ -1357,8 +1347,7 @@ cr_seeothergids(struct ucred *u1, struct ucred *u2)
break;
}
if (!match) {
- if (priv_check_cred(u1, PRIV_SEEOTHERGIDS,
- SUSER_ALLOWJAIL) != 0)
+ if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0)
return (ESRCH);
}
}
@@ -1475,8 +1464,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
break;
default:
/* Not permitted without privilege. */
- error = priv_check_cred(cred, PRIV_SIGNAL_SUGID,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0);
if (error)
return (error);
}
@@ -1490,9 +1478,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
cred->cr_ruid != proc->p_ucred->cr_svuid &&
cred->cr_uid != proc->p_ucred->cr_ruid &&
cred->cr_uid != proc->p_ucred->cr_svuid) {
- /* Not permitted without privilege. */
- error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0);
if (error)
return (error);
}
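Review bot: The `/* Not permitted without privilege. */` comment is dropped on the new side of this hunk, while the parallel PRIV_SIGNAL_SUGID branch in the preceding hunk keeps it, so the two privilege checks in cr_cansignal() are no longer documented the same way. Restoring that line directly above the PRIV_SIGNAL_DIFFCRED call keeps the pattern consistent and costs nothing. cr_cansignal() starts and ends outside this hunk.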
@@ -1570,8 +1556,7 @@ p_cansched(struct thread *td, struct proc *p)
return (error);
if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
- error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_SCHED_DIFFCRED);
if (error)
return (error);
}
@@ -1610,8 +1595,7 @@ p_candebug(struct thread *td, struct proc *p)
KASSERT(td == curthread, ("%s: td not curthread", __func__));
PROC_LOCK_ASSERT(p, MA_OWNED);
if (!unprivileged_proc_debug) {
- error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_DEBUG_UNPRIV);
if (error)
return (error);
}
@@ -1662,15 +1646,13 @@ p_candebug(struct thread *td, struct proc *p)
* for td to debug p.
*/
if (!grpsubset || !uidsubset) {
- error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_DEBUG_DIFFCRED);
if (error)
return (error);
}
if (credentialchanged) {
- error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_DEBUG_SUGID);
if (error)
return (error);
}
@@ -1940,8 +1922,7 @@ setlogin(struct thread *td, struct setlogin_args *uap)
int error;
char logintmp[MAXLOGNAME];
- error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_PROC_SETLOGIN);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 9f47402..847e9f4 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -688,8 +688,7 @@ kern_setrlimit(td, which, limp)
alimp = &oldlim->pl_rlimit[which];
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
- if ((error = priv_check_cred(td->td_ucred,
- PRIV_PROC_SETRLIMIT, SUSER_ALLOWJAIL))) {
+ if ((error = priv_check(td, PRIV_PROC_SETRLIMIT))) {
PROC_UNLOCK(p);
lim_free(newlim);
return (error);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 6100f41..893c54f 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1280,8 +1280,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
/* Is this sysctl writable by only privileged users? */
if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {
if (oid->oid_kind & CTLFLAG_PRISON)
- error = priv_check_cred(req->td->td_ucred,
- PRIV_SYSCTL_WRITEJAIL, SUSER_ALLOWJAIL);
+ error = priv_check(req->td, PRIV_SYSCTL_WRITEJAIL);
else
error = priv_check(req->td, PRIV_SYSCTL_WRITE);
if (error)
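Review bot: After the change the two branches differ only in the privilege identifier, so a reader cannot see from this code why CTLFLAG_PRISON still warrants a separate path; presumably prison_priv_check() treats PRIV_SYSCTL_WRITEJAIL differently from PRIV_SYSCTL_WRITE, but that is not visible here. A short comment on the CTLFLAG_PRISON branch, e.g. `/* Jail policy for these two privileges is decided in prison_priv_check(). */`, would record the intent. sysctl_root() continues outside this hunk.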
diff --git a/sys/kern/subr_acl_posix1e.c b/sys/kern/subr_acl_posix1e.c
index 94c612f..d3f944d 100644
--- a/sys/kern/subr_acl_posix1e.c
+++ b/sys/kern/subr_acl_posix1e.c
@@ -82,24 +82,22 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
if (type == VDIR) {
if ((acc_mode & VEXEC) && !priv_check_cred(cred,
- PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL))
+ PRIV_VFS_LOOKUP, 0))
priv_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && !priv_check_cred(cred,
- PRIV_VFS_EXEC, SUSER_ALLOWJAIL))
+ PRIV_VFS_EXEC, 0))
priv_granted |= VEXEC;
}
- if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ,
- SUSER_ALLOWJAIL))
+ if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0))
priv_granted |= VREAD;
if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
- !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL))
+ !priv_check_cred(cred, PRIV_VFS_WRITE, 0))
priv_granted |= (VWRITE | VAPPEND);
- if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN,
- SUSER_ALLOWJAIL))
+ if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
priv_granted |= VADMIN;
/*
diff --git a/sys/kern/sysv_ipc.c b/sys/kern/sysv_ipc.c
index 7503760..0cbb4bb 100644
--- a/sys/kern/sysv_ipc.c
+++ b/sys/kern/sysv_ipc.c
@@ -125,22 +125,19 @@ ipcperm(struct thread *td, struct ipc_perm *perm, int acc_mode)
*/
priv_granted = 0;
if ((acc_mode & IPC_M) && !(dac_granted & IPC_M)) {
- error = priv_check_cred(td->td_ucred, PRIV_IPC_ADMIN,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_IPC_ADMIN);
if (error == 0)
priv_granted |= IPC_M;
}
if ((acc_mode & IPC_R) && !(dac_granted & IPC_R)) {
- error = priv_check_cred(td->td_ucred, PRIV_IPC_READ,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_IPC_READ);
if (error == 0)
priv_granted |= IPC_R;
}
if ((acc_mode & IPC_W) && !(dac_granted & IPC_W)) {
- error = priv_check_cred(td->td_ucred, PRIV_IPC_WRITE,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_IPC_WRITE);
if (error == 0)
priv_granted |= IPC_W;
}
diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c
index d9f3207..bd5ca90 100644
--- a/sys/kern/sysv_msg.c
+++ b/sys/kern/sysv_msg.c
@@ -502,8 +502,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M)))
goto done2;
if (msqbuf->msg_qbytes > msqkptr->u.msg_qbytes) {
- error = priv_check_cred(td->td_ucred,
- PRIV_IPC_MSGSIZE, SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_IPC_MSGSIZE);
if (error)
goto done2;
}
diff --git a/sys/kern/uipc_mqueue.c b/sys/kern/uipc_mqueue.c
index 82cd070..1c5cadb 100644
--- a/sys/kern/uipc_mqueue.c
+++ b/sys/kern/uipc_mqueue.c
@@ -961,8 +961,7 @@ int do_unlink(struct mqfs_node *pn, struct ucred *ucred)
sx_assert(&pn->mn_info->mi_lock, SX_LOCKED);
if (ucred->cr_uid != pn->mn_uid &&
- (error = priv_check_cred(ucred, PRIV_MQ_ADMIN,
- SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(ucred, PRIV_MQ_ADMIN, 0)) != 0)
error = EACCES;
else if (!pn->mn_deleted) {
parent = pn->mn_parent;
@@ -1221,8 +1220,7 @@ mqfs_setattr(struct vop_setattr_args *ap)
*/
if (((ap->a_cred->cr_uid != pn->mn_uid) || uid != pn->mn_uid ||
(gid != pn->mn_gid && !groupmember(gid, ap->a_cred))) &&
- (error = priv_check_cred(ap->a_td->td_ucred,
- PRIV_MQ_ADMIN, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check(ap->a_td, PRIV_MQ_ADMIN)) != 0)
return (error);
pn->mn_uid = uid;
pn->mn_gid = gid;
@@ -1231,8 +1229,7 @@ mqfs_setattr(struct vop_setattr_args *ap)
if (vap->va_mode != (mode_t)VNOVAL) {
if ((ap->a_cred->cr_uid != pn->mn_uid) &&
- (error = priv_check_cred(ap->a_td->td_ucred,
- PRIV_MQ_ADMIN, SUSER_ALLOWJAIL)))
+ (error = priv_check(ap->a_td, PRIV_MQ_ADMIN)))
return (error);
pn->mn_mode = vap->va_mode;
c = 1;
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index e545a25..82bb767 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -918,7 +918,7 @@ vfs_domount(
}
if (va.va_uid != td->td_ucred->cr_uid) {
error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
- SUSER_ALLOWJAIL);
+ 0);
if (error) {
vput(vp);
return (error);
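Review bot: The replacement leaves `0);` alone on a continuation line although the call now fits on one line, and since td is in scope here the site could take the thread form the commit adopts elsewhere (svr4_fcntl.c, revoke() in vfs_syscalls.c): `error = priv_check(td, PRIV_VFS_ADMIN);`. The in_pcbbind_setup() hunk in in_pcb.c has the same dangling `0))` continuation; there only cred is available so priv_check_cred() must stay, but the two lines should simply be rejoined. vfs_domount() begins and ends outside this hunk.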
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index 8e56b16..a45a8b7 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -3299,24 +3299,24 @@ privcheck:
* requests, instead of PRIV_VFS_EXEC.
*/
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
- !priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL))
+ !priv_check_cred(cred, PRIV_VFS_LOOKUP, 0))
priv_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
- !priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL))
+ !priv_check_cred(cred, PRIV_VFS_EXEC, 0))
priv_granted |= VEXEC;
}
if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) &&
- !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL))
+ !priv_check_cred(cred, PRIV_VFS_READ, 0))
priv_granted |= VREAD;
if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) &&
- !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL))
+ !priv_check_cred(cred, PRIV_VFS_WRITE, 0))
priv_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) &&
- !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL))
+ !priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
priv_granted |= VADMIN;
if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) {
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index ab10bfa..d73c4a2 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -837,8 +837,7 @@ chroot(td, uap)
struct nameidata nd;
int vfslocked;
- error = priv_check_cred(td->td_ucred, PRIV_VFS_CHROOT,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_VFS_CHROOT);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1,
@@ -1367,15 +1366,13 @@ can_hardlink(struct vnode *vp, struct thread *td, struct ucred *cred)
return (error);
if (hardlink_check_uid && cred->cr_uid != va.va_uid) {
- error = priv_check_cred(cred, PRIV_VFS_LINK,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_LINK, 0);
if (error)
return (error);
}
if (hardlink_check_gid && !groupmember(va.va_gid, cred)) {
- error = priv_check_cred(cred, PRIV_VFS_LINK,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_LINK, 0);
if (error)
return (error);
}
@@ -2337,8 +2334,7 @@ setfflags(td, vp, flags)
* chown can't fail when done as root.
*/
if (vp->v_type == VCHR || vp->v_type == VBLK) {
- error = priv_check_cred(td->td_ucred, PRIV_VFS_CHFLAGS_DEV,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_VFS_CHFLAGS_DEV);
if (error)
return (error);
}
@@ -3840,8 +3836,7 @@ revoke(td, uap)
if (error)
goto out;
if (td->td_ucred->cr_uid != vattr.va_uid) {
- error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_VFS_ADMIN);
if (error)
goto out;
}
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index d7d8290..61f2894 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -340,13 +340,13 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
if (ntohs(lport) <= ipport_reservedhigh &&
ntohs(lport) >= ipport_reservedlow &&
priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL))
+ 0))
return (EACCES);
if (jailed(cred))
prison = 1;
if (!IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) &&
priv_check_cred(so->so_cred,
- PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) {
+ PRIV_NETINET_REUSEPORT, 0) != 0) {
t = in_pcblookup_local(inp->inp_pcbinfo,
sin->sin_addr, lport,
prison ? 0 : INPLOOKUP_WILDCARD);
@@ -411,7 +411,7 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
lastport = &pcbinfo->ipi_lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
error = priv_check_cred(cred,
- PRIV_NETINET_RESERVEDPORT, SUSER_ALLOWJAIL);
+ PRIV_NETINET_RESERVEDPORT, 0);
if (error)
return error;
first = ipport_lowfirstauto; /* 1023 */
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 3eef187..5329c6c 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -607,13 +607,8 @@ rip_attach(struct socket *so, int proto, struct thread *td)
inp = sotoinpcb(so);
KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
- /*
- * XXXRW: Centralize privilege decision in kern_jail.c.
- */
- if (jailed(td->td_ucred) && !jail_allow_raw_sockets)
- return (EPERM);
- error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW,
- SUSER_ALLOWJAIL);
+
+ error = priv_check(td, PRIV_NETINET_RAW);
if (error)
return error;
if (proto >= IPPROTO_MAX || proto < 0)
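Review bot: The added empty `+` line that replaces the removed comment block leaves a stray blank line between the KASSERT and the new `error = priv_check(td, PRIV_NETINET_RAW);`; drop it. Removing the caller-side `jailed(td->td_ucred) && !jail_allow_raw_sockets` test means the raw-socket-in-jail policy is now enforced only if the jail privilege code in kern_jail.c consults jail_allow_raw_sockets for PRIV_NETINET_RAW, which this diff does not show; a one-line comment such as `/* Jail raw-socket policy (jail_allow_raw_sockets) is applied in kern_jail.c. */` would keep that dependency visible at the call site. rip_attach's body continues outside the hunk.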
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index a803eca..5423208 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -2155,10 +2155,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct thread *p)
/* got to be root to get at low ports */
if (ntohs(lport) < IPPORT_RESERVED) {
if (p && (error =
- priv_check_cred(p->td_ucred,
- PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL
- )
+ priv_check(p, PRIV_NETINET_RESERVEDPORT)
)) {
SCTP_INP_DECR_REF(inp);
SCTP_INP_WUNLOCK(inp);
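Review bot: The reserved-port check remains guarded by `if (p && (error = priv_check(p, PRIV_NETINET_RESERVEDPORT)))`, so a NULL thread pointer skips the privilege check entirely and lets a bind to a port below IPPORT_RESERVED proceed; the second hunk of this file (the INP_LOWPORT branch) has the same shape. If callers can never pass a NULL thread, a KASSERT on p would make that explicit; if they can, the check should fall back to the socket credential, `priv_check_cred(so->so_cred, PRIV_NETINET_RESERVEDPORT, 0)`, rather than being bypassed. The pattern pre-dates this commit, but the conversion is the natural moment to settle it. sctp_inpcb_bind continues outside the hunk.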
@@ -2228,10 +2225,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct thread *p)
last = ipport_hilastauto;
} else if (ip_inp->inp_flags & INP_LOWPORT) {
if (p && (error =
- priv_check_cred(p->td_ucred,
- PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL
- )
+ priv_check(p, PRIV_NETINET_RESERVEDPORT)
)) {
SCTP_INP_DECR_REF(inp);
SCTP_INP_WUNLOCK(inp);
diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index cc69ba1..0bd92b3 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -386,13 +386,8 @@ sctp_getcred(SYSCTL_HANDLER_ARGS)
/* FIX, for non-bsd is this right? */
vrf_id = SCTP_DEFAULT_VRFID;
- /*
- * XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket
- * visibility is scoped using cr_canseesocket(), which it is not
- * here.
- */
- error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(req->td, PRIV_NETINET_GETCRED);
+
if (error)
return (error);
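Review bot: Removing the XXXRW block above `error = priv_check(req->td, PRIV_NETINET_GETCRED);` also drops the recorded caveat that sctp_getcred does not scope socket visibility with cr_canseesocket(), while the udp6_getcred hunk in this same commit adds exactly that caveat; the sctp6_getcred hunk removes the same note. Suggest keeping a short reminder, e.g. `/* XXXRW: There should be a scoping access control check here. */`, so the missing check stays visible to the next reader. There is also a stray blank `+` line after the new call. sctp_getcred's body continues outside the hunk.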
@@ -3439,9 +3434,8 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
{
union sctp_sockstore *ss;
- error = priv_check_cred(curthread->td_ucred,
- PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL);
+ error = priv_check(curthread,
+ PRIV_NETINET_RESERVEDPORT);
if (error)
break;
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 2f300d5..64c5364 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1019,8 +1019,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error;
- error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -1064,8 +1063,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, mapped = 0;
- error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 96dc044..f6031d6 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -696,8 +696,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error;
- error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index d44e3e4..5ea647e 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -192,11 +192,11 @@ in6_pcbbind(inp, nam, cred)
if (ntohs(lport) <= ipport_reservedhigh &&
ntohs(lport) >= ipport_reservedlow &&
priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL))
+ 0))
return (EACCES);
if (!IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) &&
priv_check_cred(so->so_cred,
- PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) {
+ PRIV_NETINET_REUSEPORT, 0) != 0) {
t = in6_pcblookup_local(pcbinfo,
&sin6->sin6_addr, lport,
INPLOOKUP_WILDCARD);
diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c
index bee583c..91868e7 100644
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@@ -775,8 +775,7 @@ in6_pcbsetport(laddr, inp, cred)
last = ipport_hilastauto;
lastport = &pcbinfo->ipi_lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
- error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
if (error)
return error;
first = ipport_lowfirstauto; /* 1023 */
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index f06d1eb..3f93168 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -352,7 +352,7 @@ rip6_output(m, va_alist)
INP_LOCK(in6p);
priv = 0;
- if (suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0)
+ if (suser_cred(so->so_cred, 0) == 0)
priv = 1;
dst = &dstsock->sin6_addr;
if (control) {
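Review bot: `if (suser_cred(so->so_cred, 0) == 0)` keeps the legacy suser(9) interface, which the commit description says survives only for deferred KAME privilege paths, while the IPv4 counterpart in this diff (rip_attach) moves to priv_check(); a reader of this file alone cannot tell why the two differ. A comment such as `/* XXX: suser_cred() retained for KAME deferred-privilege paths; convert to priv_check_cred(so->so_cred, PRIV_NETINET_RAW, 0) when they are reworked. */` would record the reason. Whether a jail exception for suser_cred() with flags 0 now comes from kern_jail.c is not visible here. rip6_output's body continues outside the hunk.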
diff --git a/sys/netinet6/sctp6_usrreq.c b/sys/netinet6/sctp6_usrreq.c
index f7ad987..667184c 100644
--- a/sys/netinet6/sctp6_usrreq.c
+++ b/sys/netinet6/sctp6_usrreq.c
@@ -439,13 +439,7 @@ sctp6_getcred(SYSCTL_HANDLER_ARGS)
vrf_id = SCTP_DEFAULT_VRFID;
- /*
- * XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket
- * visibility is scoped using cr_canseesocket(), which it is not
- * here.
- */
- error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_RESERVEDPORT,
- 0);
+ error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
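Review bot: The new line `error = priv_check(req->td, PRIV_NETINET_GETCRED);` changes the privilege being checked from PRIV_NETINET_RESERVEDPORT to PRIV_NETINET_GETCRED, not merely the flags argument, and the commit description does not mention it; it appears to correct a copy-paste in sctp6_getcred (every other *_getcred in this diff checks PRIV_NETINET_GETCRED), but the behaviour change deserves a sentence in the commit message so it is auditable later. sctp6_getcred's body continues outside the hunk.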
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 41be3ca..ba17f39 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -437,8 +437,7 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error;
- error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
- SUSER_ALLOWJAIL);
+ error = priv_check(req->td, PRIV_NETINET_GETCRED);
if (error)
return (error);
@@ -465,6 +464,9 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
INP_LOCK(inp);
KASSERT(inp->inp_socket != NULL,
("udp6_getcred: inp_socket == NULL"));
+ /*
+ * XXXRW: There should be a scoping access control check here.
+ */
cru2x(inp->inp_socket->so_cred, &xuc);
INP_UNLOCK(inp);
INP_INFO_RUNLOCK(&udbinfo);
diff --git a/sys/netipsec/ipsec_osdep.h b/sys/netipsec/ipsec_osdep.h
index c1e11b49..992dd87 100644
--- a/sys/netipsec/ipsec_osdep.h
+++ b/sys/netipsec/ipsec_osdep.h
@@ -212,11 +212,9 @@ if_handoff(struct ifqueue *ifq, struct mbuf *m, struct ifnet *ifp, int adjust)
/*
* 8. Test for "privileged" socket opened by superuser.
* FreeBSD tests ((so)->so_cred != NULL && priv_check_cred((so)->so_cred,
- * PRIV_NETINET_IPSEC, SUSER_ALLOWJAIL) == 0).
+ * PRIV_NETINET_IPSEC, 0) == 0).
* NetBSD (1.6N) tests (so)->so_uid == 0).
* This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro.
- *
- * XXXRW: Why was this suser_allowjail?
*/
#ifdef __FreeBSD__
#define IPSEC_IS_PRIVILEGED_SO(_so) \
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 9adccba..633f606 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -419,8 +419,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
- error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
return (error);
}
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index c87c865..1e5e4df 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -114,8 +114,7 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
return (0);
if (suser_privileged) {
- if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL)
- == 0)
+ if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, 0) == 0)
return (0);
}
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 2b215c8..e79cc40 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -466,6 +466,18 @@ struct thread;
struct ucred;
int priv_check(struct thread *td, int priv);
int priv_check_cred(struct ucred *cred, int priv, int flags);
+
+/*
+ * Continue to support external modules that rely on suser(9) -- for now.
+ */
+int suser(struct thread *td);
+int suser_cred(struct ucred *cred, int flags);
+
+/*
+ * For historical reasons, flags to priv_check_cred() retain the SUSER_
+ * prefix.
+ */
+#define SUSER_RUID 2
#endif
#endif /* !_SYS_PRIV_H_ */
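Review bot: `#define SUSER_RUID 2` keeps the old value, but the comment does not record that value 1 (the former SUSER_ALLOWJAIL, deleted from systm.h in this commit) is now unassigned; a future flag added as 1 would silently re-acquire the meaning that out-of-tree modules built against the old header still pass in. Suggest extending the comment, e.g. `/* 1 was SUSER_ALLOWJAIL; jail exceptions now live in kern_jail.c -- do not reuse. */`, and stating what SUSER_RUID itself requests (presumably a check against the real rather than the effective uid -- confirm against kern_priv.c).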
diff --git a/sys/sys/systm.h b/sys/sys/systm.h
index 817982c..c523378 100644
--- a/sys/sys/systm.h
+++ b/sys/sys/systm.h
@@ -234,12 +234,6 @@ void stopprofclock(struct proc *);
void cpu_startprofclock(void);
void cpu_stopprofclock(void);
-/* flags for suser() and suser_cred() */
-#define SUSER_ALLOWJAIL 1
-#define SUSER_RUID 2
-
-int suser(struct thread *td);
-int suser_cred(struct ucred *cred, int flags);
int cr_cansee(struct ucred *u1, struct ucred *u2);
int cr_canseesocket(struct ucred *cred, struct socket *so);
diff --git a/sys/ufs/ffs/ffs_alloc.c b/sys/ufs/ffs/ffs_alloc.c
index 67c8fc3..00e0fbd 100644
--- a/sys/ufs/ffs/ffs_alloc.c
+++ b/sys/ufs/ffs/ffs_alloc.c
@@ -173,7 +173,7 @@ retry:
#endif
if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0)
goto nospace;
- if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) &&
+ if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) &&
freespace(fs, fs->fs_minfree) - numfrags(fs, size) < 0)
goto nospace;
if (bpref >= fs->fs_size)
@@ -268,7 +268,7 @@ ffs_realloccg(ip, lbprev, bprev, bpref, osize, nsize, cred, bpp)
#endif /* DIAGNOSTIC */
reclaimed = 0;
retry:
- if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) &&
+ if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, 0) &&
freespace(fs, fs->fs_minfree) - numfrags(fs, nsize - osize) < 0) {
goto nospace;
}
diff --git a/sys/ufs/ffs/ffs_vnops.c b/sys/ufs/ffs/ffs_vnops.c
index 80892f3..b187ad7 100644
--- a/sys/ufs/ffs/ffs_vnops.c
+++ b/sys/ufs/ffs/ffs_vnops.c
@@ -790,8 +790,7 @@ ffs_write(ap)
*/
if ((ip->i_mode & (ISUID | ISGID)) && resid > uio->uio_resid &&
ap->a_cred) {
- if (priv_check_cred(ap->a_cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL)) {
+ if (priv_check_cred(ap->a_cred, PRIV_VFS_RETAINSUGID, 0)) {
ip->i_mode &= ~(ISUID | ISGID);
DIP_SET(ip, i_mode, ip->i_mode);
}
@@ -1121,8 +1120,7 @@ ffs_extwrite(struct vnode *vp, struct uio *uio, int ioflag, struct ucred *ucred)
* tampering.
*/
if ((ip->i_mode & (ISUID | ISGID)) && resid > uio->uio_resid && ucred) {
- if (priv_check_cred(ucred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL)) {
+ if (priv_check_cred(ucred, PRIV_VFS_RETAINSUGID, 0)) {
ip->i_mode &= ~(ISUID | ISGID);
dp->di_mode = ip->i_mode;
}
diff --git a/sys/ufs/ufs/ufs_quota.c b/sys/ufs/ufs/ufs_quota.c
index c6d8795..49ee1c8 100644
--- a/sys/ufs/ufs/ufs_quota.c
+++ b/sys/ufs/ufs/ufs_quota.c
@@ -515,7 +515,7 @@ quotaon(td, mp, type, fname)
int error, flags, vfslocked;
struct nameidata nd;
- error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAON, 0);
+ error = priv_check(td, PRIV_UFS_QUOTAON);
if (error)
return (error);
@@ -747,10 +747,7 @@ quotaoff(td, mp, type)
struct ufsmount *ump;
int error;
- /*
- * XXXRW: This also seems wrong to allow in a jail?
- */
- error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAOFF, 0);
+ error = priv_check(td, PRIV_UFS_QUOTAOFF);
if (error)
return (error);
@@ -783,8 +780,7 @@ getquota(td, mp, id, type, addr)
switch (type) {
case USRQUOTA:
if ((td->td_ucred->cr_uid != id) && !unprivileged_get_quota) {
- error = priv_check_cred(td->td_ucred,
- PRIV_VFS_GETQUOTA, SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_VFS_GETQUOTA);
if (error)
return (error);
}
@@ -793,8 +789,7 @@ getquota(td, mp, id, type, addr)
case GRPQUOTA:
if (!groupmember(id, td->td_ucred) &&
!unprivileged_get_quota) {
- error = priv_check_cred(td->td_ucred,
- PRIV_VFS_GETQUOTA, SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_VFS_GETQUOTA);
if (error)
return (error);
}
@@ -830,8 +825,7 @@ setquota(td, mp, id, type, addr)
struct dqblk newlim;
int error;
- error = priv_check_cred(td->td_ucred, PRIV_VFS_SETQUOTA,
- SUSER_ALLOWJAIL);
+ error = priv_check(td, PRIV_VFS_SETQUOTA);
if (error)
return (error);
@@ -901,7 +895,7 @@ setuse(td, mp, id, type, addr)
struct dqblk usage;
int error;
- error = priv_check_cred(td->td_ucred, PRIV_UFS_SETUSE, 0);
+ error = priv_check(td, PRIV_UFS_SETUSE);
if (error)
return (error);
diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c
index 45d2d04..ec28c2d 100644
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@@ -490,12 +490,8 @@ ufs_setattr(ap)
* processes if the security.jail.chflags_allowed sysctl is
* is non-zero; otherwise, they behave like unprivileged
* processes.
- *
- * XXXRW: Move implementation of jail_chflags_allowed to
- * kern_jail.c.
*/
- if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
- jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) {
+ if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) {
if (ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
error = securelevel_gt(cred, 0);
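Review bot: The comment kept above `if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) {` still says jailed processes may change system flags when the security.jail.chflags_allowed sysctl is non-zero, but the code that consulted jail_chflags_allowed is gone from this file; unless the PRIV_VFS_SYSFLAGS policy in kern_jail.c applies that sysctl (not visible in this diff), the paragraph now describes behaviour that no longer exists here. Suggest rewording it to say that any jail exception for system flags is decided by the PRIV_VFS_SYSFLAGS policy in kern_jail.c. If jail_chflags_allowed is no longer referenced anywhere in this file, its declaration can be dropped as well. ufs_setattr continues outside the hunk.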
@@ -663,13 +659,11 @@ ufs_chmod(vp, mode, cred, td)
* jail(8).
*/
if (vp->v_type != VDIR && (mode & S_ISTXT)) {
- if (priv_check_cred(cred, PRIV_VFS_STICKYFILE,
- SUSER_ALLOWJAIL))
+ if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
return (EFTYPE);
}
if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) {
- error = priv_check_cred(cred, PRIV_VFS_SETGID,
- SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_VFS_SETGID, 0);
if (error)
return (error);
}
@@ -718,7 +712,7 @@ ufs_chown(vp, uid, gid, cred, td)
*/
if ((uid != ip->i_uid ||
(gid != ip->i_gid && !groupmember(gid, cred))) &&
- (error = priv_check_cred(cred, PRIV_VFS_CHOWN, SUSER_ALLOWJAIL)))
+ (error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0)))
return (error);
ogid = ip->i_gid;
ouid = ip->i_uid;
@@ -790,8 +784,7 @@ good:
#endif /* QUOTA */
ip->i_flag |= IN_CHANGE;
if ((ip->i_mode & (ISUID | ISGID)) && (ouid != uid || ogid != gid)) {
- if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
- SUSER_ALLOWJAIL)) {
+ if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
ip->i_mode &= ~(ISUID | ISGID);
DIP_SET(ip, i_mode, ip->i_mode);
}
@@ -2371,8 +2364,7 @@ ufs_makeinode(mode, dvp, vpp, cnp)
if (DOINGSOFTDEP(tvp))
softdep_change_linkcnt(ip);
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
- priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID,
- SUSER_ALLOWJAIL)) {
+ priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID, 0)) {
ip->i_mode &= ~ISGID;
DIP_SET(ip, i_mode, ip->i_mode);
}