From 02575bafa7d27ede2d0ed3b05d481df92b74b89c Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 3 Nov 2002 00:53:03 +0000
Subject: Change privilege model for mac_partition such that BSD superuser can change the partition once a partition has been set. This is required for correct operation of sendmail between partitions.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac_partition/mac_partition.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
(limited to 'sys/security/mac_partition')
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index c1167ea..1b1ec0b 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -183,13 +183,11 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 /* Treat "0" as a no-op request. */
 if (SLOT(newlabel) != 0) {
- /* If we're already in a partition, can't repartition. */
- if (SLOT(&cred->cr_label) != 0)
- return (EPERM);
-
 /*
- * If not in a partition, must have privilege to create
- * one.
+ * Require BSD privilege in order to change the partition.
+ * Originally we also required that the process not be
+ * in a partition in the first place, but this didn't
+ * interact well with sendmail.
 */
 error = suser_cred(cred, 0);
 }
-- 
cgit v1.1
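Review bot: With the `SLOT(&cred->cr_label) != 0` check removed, the only gate left in the `SLOT(newlabel) != 0` branch is `suser_cred(cred, 0)`, so a superuser process that is already in a partition can relabel itself into a different one and the partition no longer confines root. The new comment records the history but not that consequence; I would add a line such as `* Note: a privileged process may move between partitions, so a partition does not confine the superuser.` The sendmail reference would also help future readers more if it named the operation that failed under the old rule. The function begins and ends outside the hunk, so how `error` is initialised and returned is not visible here.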