summaryrefslogtreecommitdiffstats
path: root/sys
diff options
context:
space:
mode:
authorrwatson <rwatson@FreeBSD.org>2001-09-26 19:51:25 +0000
committerrwatson <rwatson@FreeBSD.org>2001-09-26 19:51:25 +0000
commit1d311f9352f5ace8fdfb23fe20bfe53c9ea99761 (patch)
treeb18b705cb6e9875fb1a6cde12df6198341c0f850 /sys
parent518e58c70b81add4e65212c62cd3cb730eb373ea (diff)
downloadFreeBSD-src-1d311f9352f5ace8fdfb23fe20bfe53c9ea99761.zip
FreeBSD-src-1d311f9352f5ace8fdfb23fe20bfe53c9ea99761.tar.gz
o Modify sysctl access control check to use securelevel_gt(), and
clarify sysctl access control logic. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_sysctl.c38
1 files changed, 29 insertions, 9 deletions
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 34fcb68..7ebdf82 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1027,17 +1027,37 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
return (EISDIR);
}
- /* If writing isn't allowed */
- if (req->newptr && (!(oid->oid_kind & CTLFLAG_WR) ||
- ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0)))
+ /* Is this sysctl writable? */
+ if (req->newptr && !(oid->oid_kind & CTLFLAG_WR))
return (EPERM);
- /* Most likely only root can write */
- if (!(oid->oid_kind & CTLFLAG_ANYBODY) &&
- req->newptr && req->p &&
- (error = suser_xxx(0, req->p,
- (oid->oid_kind & CTLFLAG_PRISON) ? PRISON_ROOT : 0)))
- return (error);
+ /* Is this sysctl sensitive to securelevels? */
+ if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
+ if (req->p == NULL) {
+ error = securelevel_gt(NULL, 0); /* XXX */
+ if (error)
+ return (error);
+ } else {
+ error = securelevel_gt(req->p->p_ucred, 0);
+ if (error)
+ return (error);
+ }
+ }
+
+ /* Is this sysctl writable by only privileged users? */
+ if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {
+ if (req->p != NULL) {
+ int flags;
+
+ if (oid->oid_kind & CTLFLAG_PRISON)
+ flags = PRISON_ROOT;
+ else
+ flags = 0;
+ error = suser_xxx(NULL, req->p, flags);
+ if (error)
+ return (error);
+ }
+ }
if (!oid->oid_handler)
return EINVAL;
OpenPOWER on IntegriCloud