From b324dcbd3d4209d0d74487538081082dbf904bed Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Mon, 18 Sep 2000 17:58:15 +0000
Subject: o Add a comment clarifying interaction between jail(), privileged
 processes,   and UFS file flags.  Here's what the comment says, for
 reference:

	Privileged processes in jail() are permitted to modify
	arbitrary user flags on files, but are not permitted
	to modify system flags.

  In other words, privilege does allow a process in jail to modify user
  flags for objects that the process does not own, but privilege will
  not permit the setting of system flags on the file.

Obtained from:	TrustedBSD Project
---
 sys/ufs/ufs/ufs_vnops.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'sys/ufs/ufs')

diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c
index 1ac7dd0..c214b4c 100644
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@@ -408,6 +408,11 @@ ufs_setattr(ap)
 	if (vap->va_flags != VNOVAL) {
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
+		/*
+		 * Privileged processes in jail() are permitted to modify
+		 * arbitrary user flags on files, but are not permitted
+		 * to modify system flags.
+		 */
 		if (cred->cr_uid != ip->i_uid &&
 		    (error = suser_xxx(cred, p, PRISON_ROOT)))
 			return (error);
-- 
cgit v1.1