author | rwatson <rwatson@FreeBSD.org> | 2007-06-16 23:41:43 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2007-06-16 23:41:43 +0000 |
commit | 5956b5bc21c96b25c05bcdb8b76e1fd590072f14 (patch) | |
tree | 787b92698a00798f7eef6093395ee57f1e6c2cf0 /sys | |
parent | e3e21bd46ae0de1d4958f608c5a4a3016bec2dbd (diff) | |
download | FreeBSD-src-5956b5bc21c96b25c05bcdb8b76e1fd590072f14.zip FreeBSD-src-5956b5bc21c96b25c05bcdb8b76e1fd590072f14.tar.gz |
Rather than passing SUSER_RUID into priv_check_cred() to specify when
a privilege is checked against the real uid rather than the effective
uid, instead decide which uid to use in priv_check_cred() based on the
privilege passed in. We use the real uid for PRIV_MAXFILES,
PRIV_MAXPROC, and PRIV_PROC_LIMIT. Remove the definition of
SUSER_RUID; there are now no flags defined for priv_check_cred().
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_descrip.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_fork.c | 7 | ||||
-rw-r--r-- | sys/kern/kern_priv.c | 25 | ||||
-rw-r--r-- | sys/sys/priv.h | 14 |
4 files changed, 26 insertions, 22 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 963b286..4dfb005 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -1332,7 +1332,7 @@ falloc(struct thread *td, struct file **resultfp, int *resultfd)
 sx_xlock(&filelist_lock);
 if ((openfiles >= maxuserfiles &&
- priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) ||
+ priv_check(td, PRIV_MAXFILES) != 0) ||
 openfiles >= maxfiles) {
 if (ppsratecheck(&lastfail, &curfail, 1)) {
 printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n",
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index c0e3204..1a7f4a7 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -293,9 +293,8 @@ fork1(td, flags, pages, procp)
 * processes, maxproc is the limit.
 */
 sx_xlock(&allproc_lock);
- if ((nprocs >= maxproc - 10 &&
- priv_check_cred(td->td_ucred, PRIV_MAXPROC, SUSER_RUID) != 0) ||
- nprocs >= maxproc) {
+ if ((nprocs >= maxproc - 10 && priv_check_cred(td->td_ucred,
+ PRIV_MAXPROC, 0) != 0) || nprocs >= maxproc) {
 error = EAGAIN;
 goto fail;
 }
@@ -306,7 +305,7 @@ fork1(td, flags, pages, procp)
 *
 * XXXRW: Can we avoid privilege here if it's not needed?
 */
- error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID);
+ error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, 0);
 if (error == 0)
 ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
 else {
diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
index ebf01ba..307d134 100644
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -68,6 +68,10 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
 KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege %d",
 priv));
 
+ /*
+ * We first evaluate policies that may deny the granting of
+ * privilege unilaterally.
+ */
 #ifdef MAC
 error = mac_priv_check(cred, priv);
 if (error)
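Review bot: The call site no longer says which uid PRIV_MAXFILES is checked against — the removed SUSER_RUID argument was the only visible hint that the maxuserfiles limit is waived for real uid 0, and that selection now lives in the switch inside priv_check_cred(). A one-line comment above the `if` would keep it visible to readers of falloc(): `/* PRIV_MAXFILES is granted on the real uid; see priv_check_cred(). */`. The same applies to the two kern_fork.c hunks for PRIV_MAXPROC and PRIV_PROC_LIMIT. falloc()'s body continues outside the hunk.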
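Review bot: The two kern_fork.c hunks keep `priv_check_cred(td->td_ucred, ..., 0)` with a literal 0 for a flags argument the commit message says has no defined values, while the kern_descrip.c hunk converts the equivalent call to `priv_check(td, PRIV_MAXFILES)`; the fork1() sites would read more consistently as `if ((nprocs >= maxproc - 10 && priv_check(td, PRIV_MAXPROC) != 0) ||` / `nprocs >= maxproc) {` and, in the second hunk, `error = priv_check(td, PRIV_PROC_LIMIT);`. This assumes priv_check(td, priv) is the flags-0 wrapper over priv_check_cred(td->td_ucred, priv, 0), as the kern_descrip.c substitution implies. fork1()'s body starts and ends outside both hunks.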
@@ -84,21 +88,28 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
 /*
 * Having determined if privilege is restricted by various policies,
- * now determine if privilege is granted. For now, we allow
- * short-circuit boolean evaluation, so may not call all policies.
- * Perhaps we should.
+ * now determine if privilege is granted. At this point, any policy
+ * may grant privilege. For now, we allow short-circuit boolean
+ * evaluation, so may not call all policies. Perhaps we should.
 *
 * Superuser policy grants privilege based on the effective (or in
- * certain edge cases, real) uid being 0. We allow the policy to be
- * globally disabled, although this is currently of limited utility.
+ * the case of specific privileges, real) uid being 0. We allow the
+ * superuser policy to be globally disabled, although this is
+ * currenty of limited utility.
 */
 if (suser_enabled) {
- if (flags & SUSER_RUID) {
+ switch (priv) {
+ case PRIV_MAXFILES:
+ case PRIV_MAXPROC:
+ case PRIV_PROC_LIMIT:
 if (cred->cr_ruid == 0)
 return (0);
- } else {
+ break;
+
+ default:
 if (cred->cr_uid == 0)
 return (0);
+ break;
 }
 }
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index e79cc40..b18319c 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -457,10 +457,10 @@
 #ifdef _KERNEL
 /*
 * Privilege check interfaces, modeled after historic suser() interfacs, but
- * with the addition of a specific privilege name. The existing SUSER_* flag
- * name space is used here. The jail flag will likely be something that can
- * be removed at some point as jail itself will be able to decide if the priv
- * is appropriate, rather than the caller.
+ * with the addition of a specific privilege name. No flags are currently
+ * defined for the API. Historically, flags specified using the real uid
+ * instead of the effective uid, and whether or not the check should be
+ * allowed in jail.
 */
 struct thread;
 struct ucred;
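Review bot: The `flags` parameter is now dead inside priv_check_cred() but still part of its signature (see the hunk header), so a caller that keeps passing a non-zero value gets it silently ignored; a guard next to the existing PRIV_VALID assertion in the earlier hunk would catch stale callers: `KASSERT(flags == 0, ("priv_check_cred: unexpected flags %d", flags));`. The new `switch (priv)` also deserves a why-comment, since nothing says why these three privileges are the real-uid ones — the kern_fork.c hunk charges the count against `cr_ruidinfo` in chgproccnt(), which suggests the limits are accounted per real uid: `/* These limits are accounted against the real uid, so real uid 0 is exempt. */` (confirm the same holds for PRIV_MAXFILES). The rewritten comment also has a typo on its last line, `currenty` should be `currently`. priv_check_cred()'s body continues past the end of the hunk.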
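Review bot: The rewritten header comment says no flags are defined for the API, but the prototype shown in the next hunk's header still takes `int flags`, so the comment should state what callers are expected to pass: append ` Callers must pass 0 for flags.` after "defined for the API." While touching this paragraph, the pre-existing `interfacs` on the unchanged line above could be corrected to `interfaces`.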
@@ -472,12 +472,6 @@ int priv_check_cred(struct ucred *cred, int priv, int flags);
 */
 int suser(struct thread *td);
 int suser_cred(struct ucred *cred, int flags);
-
-/*
- * For historical reasons, flags to priv_check_cred() retain the SUSER_
- * prefix.
- */
-#define SUSER_RUID 2
 #endif
 
 #endif /* !_SYS_PRIV_H_ */ |