New in-kernel privilege API: priv(9)
Robert Watson
rwatson at FreeBSD.org
Tue Oct 31 09:43:49 UTC 2006
Dear all,
A month and a half ago, I posted a patch implementing a priv(9) API. I've now
updated this patch to reflect a more thorough review of kernel privilege,
corrected some of the nits, etc. I would like to move ahead with committing
priv(9), so this is a final request for review (or serious objections) before
I do so in a few days. The commit will occur in two phases:
(1) Commit of the base portions of the patch:
Modified Files:
sys/kern/kern_jail.c sys/kern/kern_prot.c
sys/security/mac/mac_framework.h
sys/security/mac/mac_internal.h sys/sys/jail.h sys/sys/systm.h
sys/conf/files share/man/man9/Makefile share/man/man9/suser.9
Added Files:
sys/kern/kern_priv.c sys/security/mac/mac_priv.c
sys/sys/priv.h share/man/man9/priv.9
Commit message for this attached below.
(2) Sweep of the remaining kernel files, cleaning up privilege checks,
replacing suser()/suser_cred() calls, etc., across the kernel.
Among other things, I'd like to be able to add some additional names to the
"Reviewed by:" list. :-) This is, of course, a set of highly sensitive
security-related changes, and having detailed reviews is very important.
The primary changes from the previous patch to this one are:
- Significant cleanup of the kern_jail.c code. It's now simply a list of
privileges granted in jail, with justifications.
- A number of tweaks and fixes to privilege use across the kernel. A moderate
number of the XXX's added in the previous patch are now fixed. Not all
though.
- The privilege list has changed from an enum to an int with #define's. This
has several benefits -- one is that there's no longer a concern about the C
limit of not being able to forward declare enumerated types. Also, since
the numeric assignment of privilege identifiers is part of the kernel ABI
for modules, I've moved to explicitly assigning privilege numbers, and have
left gaps for subsystem growth, etc.
A few XXX's still exist that will require some further attention, likely after
merging the patch. Pawel and I are also discussing whether there are some UFS
privileges that should become general VFS privileges (such as quota bypass
privileges). Another concern is that there are one or two places where
privileges are inconsistently granted inside and outside of jail, and we will
want to either subdivide the privilege or move to a more consistent approach.
For this reason, the KASSERT() after prison_priv_check() in priv_check()
concerning the consistency of SUSER_ALLOWJAIL and the internal logic is
temporarily disabled. Once we've decided that all looks good with regard to
jail, I can sweep the kernel removing the SUSER_ALLOWJAIL arguments, and
complete the migration of jail configuration frobs to kern_jail.c from their
current scattered locations across the kernel.
Thanks,
Robert N M Watson
Computer Laboratory
University of Cambridge
> Add a new priv(9) kernel interface for checking the availability of
> privilege for threads and credentials. Unlike the existing suser(9)
> interface, priv(9) exposes a named privilege identifier to the privilege
> checking code, allowing more complex policies regarding the granting of
> privilege to be expressed. Two interfaces are provided, replacing the
> existing suser(9) interface:
>
> suser(td) -> priv_check(td, priv)
> suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)
>
> A comprehensive list of currently available kernel privileges may be
> found in priv.h. New privileges are easily added as required, but the
> comments on adding privileges found in priv.h and priv(9) should be read
> before doing so.
>
> The new privilege interface exposes sufficient information to the
> privilege checking routine that it will now be possible for jail to
> determine whether a particular privilege is granted in the check routine,
> rather than relying on hints from the calling context via the
> SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail
> check function, prison_priv_check(), is exposed from kern_jail.c and used
> by the privilege check routine to determine if the privilege is permitted
> in jail. As a result, a centralized list of privileges permitted in jail
> is now present in kern_jail.c.
>
> The MAC Framework is now also able to instrument privilege checks, both
> to deny privileges otherwise granted (mac_priv_check()), and to grant
> privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
> modules to implement privilege models, as well as control a much broader
> range of system behavior in order to constrain processes running with
> root privilege.
>
> The suser() and suser_cred() functions remain implemented, now in terms
> of priv_check() and the PRIV_ROOT privilege, for use during the transition
> and possibly continuing use by third party kernel modules that have not
> been updated. The PRIV_DRIVER privilege exists to allow device drivers to
> check privilege without adopting a more specific privilege identifier.
>
> This change does not modify the actual security policy, rather, it
> modifies the interface for privilege checks so changes to the security
> policy become more feasible.
>
> Sponsored by: nCircle Network Security, Inc.
> Discussed on: arch@
> Reviewed (at least in part) by: mlaier, jmg
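As an added illustration, not code from this patch or from FreeBSD's kern_priv.c, here is a user-space C model of how the pieces named in the commit message compose in a single priv_check_cred(): the ordering (policies that can only deny before policies that can grant), the privilege numbers, the jail allow-list and the MAC hook bodies are all assumptions constructed for the example.

```c
/*
 * Model of the priv(9) decision order: policies that can only deny
 * (MAC check, jail) run first, then policies that can grant (superuser,
 * MAC grant); if nothing grants, the answer is EPERM.  Added example,
 * not FreeBSD's kern_priv.c.  Privilege numbers, the jail allow-list
 * and the MAC hook bodies are constructed here; the ordering is an
 * assumption drawn from the commit message's description.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed identifiers; the real assignments live in sys/priv.h. */
#define PRIV_IO              1
#define PRIV_REBOOT          2
#define PRIV_CRED_SETGROUPS  3
#define PRIV_VFS_FCHROOT     4
#define PRIV_MAX             5

#define SUSER_ALLOWJAIL      0x1   /* caller hint kept during the transition */

struct ucred {
	int  cr_uid;    /* effective uid; 0 triggers the superuser policy */
	bool cr_jailed; /* stands in for cr_prison != NULL */
};

/* Centralized list of privileges permitted in jail (constructed). */
static const bool jail_allowed[PRIV_MAX] = {
	[PRIV_CRED_SETGROUPS] = true,
	[PRIV_VFS_FCHROOT]    = true,
};

/* kern_jail.c's hook: the jail policy can only refuse, never grant. */
static int prison_priv_check(const struct ucred *cred, int priv)
{
	if (!cred->cr_jailed)
		return 0;
	return jail_allowed[priv] ? 0 : EPERM;
}

/* Stand-ins for loaded MAC policy modules: one privilege each, or -1. */
static int mac_deny_priv = -1;   /* privilege a module refuses to everyone */
static int mac_grant_priv = -1;  /* privilege a module grants to everyone */

void mac_set_policy(int deny_priv, int grant_priv)
{
	mac_deny_priv = deny_priv;
	mac_grant_priv = grant_priv;
}

static int mac_priv_check(const struct ucred *cred, int priv)
{
	(void)cred;
	return priv == mac_deny_priv ? EACCES : 0;
}

static int mac_priv_grant(const struct ucred *cred, int priv)
{
	(void)cred;
	return priv == mac_grant_priv ? 0 : EPERM;
}

/*
 * The condition behind the KASSERT the post says is temporarily disabled:
 * a jailed caller's SUSER_ALLOWJAIL hint should agree with the centralized
 * jail list.  Outside a jail the hint carries no information.
 */
bool allowjail_hint_consistent(const struct ucred *cred, int priv, int flags)
{
	if (!cred->cr_jailed)
		return true;
	return ((flags & SUSER_ALLOWJAIL) != 0) == jail_allowed[priv];
}

int priv_check_cred(const struct ucred *cred, int priv, int flags)
{
	int error;

	if (priv < 0 || priv >= PRIV_MAX)
		return EINVAL;

	/* 1. Deny-capable policies: a MAC module, then jail. */
	if ((error = mac_priv_check(cred, priv)) != 0)
		return error;
	if (!allowjail_hint_consistent(cred, priv, flags))
		fprintf(stderr, "priv %d: SUSER_ALLOWJAIL hint disagrees with "
		    "the kern_jail list\n", priv);
	if ((error = prison_priv_check(cred, priv)) != 0)
		return error;

	/* 2. Grant-capable policies: superuser (euid 0), then a MAC module. */
	if (cred->cr_uid == 0)
		return 0;
	if (mac_priv_grant(cred, priv) == 0)
		return 0;

	/* 3. Nothing granted it: default deny. */
	return EPERM;
}
```

The jailed-but-MAC-granted case shows why the order matters: a grant-only policy cannot override a jail refusal, because jail is consulted first.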
Index: share/man/man9/Makefile
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/share/man/man9/Makefile,v
retrieving revision 1.282
diff -u -r1.282 Makefile
--- share/man/man9/Makefile 5 Oct 2006 12:40:44 -0000 1.282
+++ share/man/man9/Makefile 31 Oct 2006 09:06:00 -0000
@@ -188,6 +188,7 @@
pmap_zero_page.9 \
printf.9 \
prison_check.9 \
+ priv.9 \
pseudofs.9 \
psignal.9 \
random.9 \
Index: share/man/man9/priv.9
===================================================================
RCS file: share/man/man9/priv.9
diff -N share/man/man9/priv.9
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ share/man/man9/priv.9 31 Oct 2006 09:03:48 -0000
@@ -0,0 +1,115 @@
+.\"-
+.\" Copyright (c) 2006 nCircle Network Security, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed by Robert N. M. Watson for the TrustedBSD
+.\" Project under contract to nCircle Network Security, Inc.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
+.\" INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+.\" TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+.\" PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+.\" LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd August 30, 2007
+.Dt priv 9
+.Os
+.Sh NAME
+.Nm priv
+.Nd kernel privilege checking API
+.Sh SYNOPSIS
+.In sys/priv.h
+.Ft int
+.Fn priv_check "struct thread *td" "int priv"
+.Ft int
+.Fn priv_check_cred "struct ucred *cred" "int priv" "int flags"
+.Sh DESCRIPTION
+The
+.Xr priv 9
+interfaces check to see if specific system privileges are granted to the
+passed thread,
+.Va td ,
+or credential,
+.Va cred.
+This interface replaces the
+.Xr suser 9
+privilege checking interface.
+Privileges typically represent rights in one of two categories: the right to
+manage a particular component of the system, or an exemption to a specific
+policy or access control list.
+The caller identifies the desired privilege via the
+.Fa priv
+argument.
+Additional access control context may also be passed using the
+.Va flags .
+.Ss Privilege Policies
+Privileges are typically granted based on one of two base system policies:
+the superuser policy, which grants privilege based on the effective (or
+sometimes real) uid having a value of 0, and the
+.Xr jail 2
+policy, which permits only certain privileges to be granted to processes in a
+jail.
+The set of available privileges may also be influenced by the TrustedBSD MAC
+Framework, described in
+.Xr mac 9 .
+.Sh IMPLEMENTATION NOTES
+When adding a new privilege check to a code path, first check the complete
+list of current privileges in
+.Pa sys/priv.h
+to see if one already exists for the class of privilege required.
+Only if there is not an exact match should a new privilege be added to the
+privilege list.
+As the privilege number becomes encoded in the kernel module ABI, privileges
+should only be appended to the list, not inserted in the list, and the list
+sort order should not be changed.
+.Pp
+Certain catch-all privileges exist, such as
+.Dv PRIV_DRIVER ,
+intended to be used by device drivers, rather than adding a new
+driver-specific privilege.
+.Sh RETURN VALUES
+Typically, 0 will be returned for success, and
+.Dv EPERM
+will be returned on failure.
+Most consumers of
+.Xr priv 9
+will wish to directly return the error code from a failed privilege check to
+user space; a small number will wish to translate it to another error code
+appropriate to a specific context.
+.Pp
+When designing new APIs, it is preferable to return explicit errors from a
+call if privilege is not granted rather than changing the semantics of the
+call but returning success.
+For example, the behavior exhibited by
+.Xr stat 2 ,
+in which the generation field is optionally zero'd out when insufficient
+privilege is not present is highly undesirable, as it results in frequent
+privilege checks, and the caller is unable to tell if an access control
+failure occured.
+.Sh SEE ALSO
+.Xr jail 2 ,
+.Xr mac 9 ,
+.Xr suser 9 ,
+.Xr ucred 9
+.Sh AUTHORS
+The
+.Xr priv 9
+API and implementation were created by Robert Watson under contract to
+nCircle Network Security, Inc.
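Review bot: a few mdoc and wording nits in the new page before it goes in. `.Dd August 30, 2007` postdates this October 2006 patch; use the real date. `.Va cred.` needs the period as a separate argument, `.Va cred .`, otherwise mdoc renders it as part of the name. The function arguments are marked `.Va td`, `.Va cred` and `.Va flags` in DESCRIPTION but `.Fa priv` a few lines later; `.Fa` is the macro for function arguments, so use it for all four. Self-references `.Xr priv 9` inside priv.9 itself are conventionally `.Nm`. In RETURN VALUES, "when insufficient privilege is not present" is a double negative (the intended reading is "when sufficient privilege is not present"), "zero'd" should be "zeroed" and "occured" should be "occurred".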
Index: share/man/man9/suser.9
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/share/man/man9/suser.9,v
retrieving revision 1.29
diff -u -r1.29 suser.9
--- share/man/man9/suser.9 16 May 2006 22:58:43 -0000 1.29
+++ share/man/man9/suser.9 31 Oct 2006 09:05:47 -0000
@@ -54,6 +54,12 @@
.Fn suser_cred
functions check if the credentials given include superuser powers.
.Pp
+These interfaces have now been obsoleted by
+.Xr priv 9 ,
+and are provided only for compatibility with third party kernel modules that
+have not yet been updated to the new interface.
+They should not be used in any new kernel code.
+.Pp
The
.Fn suser
function is the most common, and should be used unless special
@@ -123,7 +129,8 @@
in which a TRUE response indicates superuser powers.
.Sh SEE ALSO
.Xr chroot 2 ,
-.Xr jail 2
+.Xr jail 2 ,
+.Xr priv 9
.Sh BUGS
The
.Fn suser
Index: sys/amd64/amd64/io.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/amd64/amd64/io.c,v
retrieving revision 1.1
diff -u -r1.1 io.c
--- sys/amd64/amd64/io.c 1 Aug 2004 11:40:50 -0000 1.1
+++ sys/amd64/amd64/io.c 30 Oct 2006 17:07:54 -0000
@@ -33,6 +33,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/signalvar.h>
#include <sys/systm.h>
@@ -54,7 +55,7 @@
{
int error;
- error = suser(td);
+ error = priv_check(td, PRIV_IO);
if (error != 0)
return (error);
error = securelevel_gt(td->td_ucred, 0);
Index: sys/compat/linux/linux_misc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/linux/linux_misc.c,v
retrieving revision 1.191
diff -u -r1.191 linux_misc.c
--- sys/compat/linux/linux_misc.c 28 Oct 2006 16:47:38 -0000 1.191
+++ sys/compat/linux/linux_misc.c 30 Oct 2006 17:07:54 -0000
@@ -48,6 +48,7 @@
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/reboot.h>
#include <sys/resourcevar.h>
@@ -1020,7 +1021,8 @@
* Keep cr_groups[0] unchanged to prevent that.
*/
- if ((error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
+ if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
+ SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
@@ -1341,7 +1343,7 @@
switch (args->cmd) {
case REBOOT_CAD_ON:
case REBOOT_CAD_OFF:
- return suser(td);
+ return (priv_check(td, PRIV_REBOOT));
case REBOOT_HALT:
bsd_args.opt = RB_HALT;
break;
Index: sys/compat/linux/linux_uid16.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/linux/linux_uid16.c,v
retrieving revision 1.19
diff -u -r1.19 linux_uid16.c
--- sys/compat/linux/linux_uid16.c 19 Mar 2006 11:10:33 -0000 1.19
+++ sys/compat/linux/linux_uid16.c 30 Oct 2006 17:07:54 -0000
@@ -33,6 +33,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/syscallsubr.h>
#include <sys/sysproto.h>
@@ -123,7 +124,8 @@
* Keep cr_groups[0] unchanged to prevent that.
*/
- if ((error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
+ if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
+ SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
Index: sys/compat/svr4/svr4_fcntl.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/svr4/svr4_fcntl.c,v
retrieving revision 1.38
diff -u -r1.38 svr4_fcntl.c
--- sys/compat/svr4/svr4_fcntl.c 22 Oct 2006 11:52:11 -0000 1.38
+++ sys/compat/svr4/svr4_fcntl.c 30 Oct 2006 17:07:54 -0000
@@ -44,6 +44,7 @@
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/stat.h>
#include <sys/syscallsubr.h>
@@ -280,7 +281,8 @@
goto out;
if (td->td_ucred->cr_uid != vattr.va_uid &&
- (error = suser(td)) != 0)
+ (error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
+ SUSER_ALLOWJAIL)) != 0)
goto out;
if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0)
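Review bot: this hunk widens what a jailed root may do, which contradicts the commit message's statement that the change "does not modify the actual security policy". The old check was `suser(td)`, which carries no SUSER_ALLOWJAIL, so a jailed process with euid 0 that did not own the file was refused here; the new `priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)` grants it. If the intent is to bring the svr4 path into line with the native one, say so in the commit message and in the kern_jail.c justification for PRIV_VFS_ADMIN; otherwise drop the flag.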
Index: sys/compat/svr4/svr4_misc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/svr4/svr4_misc.c,v
retrieving revision 1.90
diff -u -r1.90 svr4_misc.c
--- sys/compat/svr4/svr4_misc.c 22 Oct 2006 11:52:11 -0000 1.90
+++ sys/compat/svr4/svr4_misc.c 30 Oct 2006 17:07:54 -0000
@@ -52,6 +52,7 @@
#include <sys/msg.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
@@ -611,7 +612,8 @@
struct file *fp;
int error, vfslocked;
- if ((error = suser(td)) != 0)
+ if ((error = priv_check_cred(td->td_ucred, PRIV_VFS_FCHROOT,
+ SUSER_ALLOWJAIL)) != 0)
return error;
if ((error = getvnode(fdp, uap->fd, &fp)) != 0)
return error;
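Review bot: same policy widening as in svr4_fcntl.c: `suser(td)` carried no SUSER_ALLOWJAIL, so this fchroot path was refused to jailed root, while the new call passes SUSER_ALLOWJAIL with PRIV_VFS_FCHROOT. It may well be the intended consistency fix for the "inconsistently granted inside and outside of jail" cases mentioned in the post, but it is a behaviour change and the commit message claims there is none; call it out explicitly.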
Index: sys/conf/files
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/conf/files,v
retrieving revision 1.1156
diff -u -r1.1156 files
--- sys/conf/files 30 Oct 2006 05:51:53 -0000 1.1156
+++ sys/conf/files 30 Oct 2006 21:24:56 -0000
@@ -1347,6 +1347,7 @@
kern/kern_physio.c standard
kern/kern_pmc.c standard
kern/kern_poll.c optional device_polling
+kern/kern_priv.c standard
kern/kern_proc.c standard
kern/kern_prot.c standard
kern/kern_resource.c standard
@@ -1920,6 +1921,7 @@
security/mac/mac_net.c optional mac
security/mac/mac_pipe.c optional mac
security/mac/mac_posix_sem.c optional mac
+security/mac/mac_priv.c optional mac
security/mac/mac_process.c optional mac
security/mac/mac_socket.c optional mac
security/mac/mac_system.c optional mac
Index: sys/contrib/altq/altq/altq_cbq.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_cbq.c,v
retrieving revision 1.3
diff -u -r1.3 altq_cbq.c
--- sys/contrib/altq/altq/altq_cbq.c 9 Aug 2005 10:19:41 -0000 1.3
+++ sys/contrib/altq/altq/altq_cbq.c 30 Oct 2006 17:07:54 -0000
@@ -1062,7 +1062,9 @@
/* currently only command that an ordinary user can call */
break;
default:
-#if (__FreeBSD_version > 400000)
+#if (__FreeBSD_version > 700000)
+ error = priv_check(p, PRIV_ALTQ_MANAGE);
+#elsif (__FreeBSD_version > 400000)
error = suser(p);
#else
error = suser(p->p_ucred, &p->p_acflag);
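Review bot: `#elsif` on the third added line is not a C preprocessor directive; the C spelling is `#elif`. On a 7.x kernel the first branch is active and the invalid directive is a hard compile error. On an older kernel the `#if` group is skipped, the unknown directive inside a skipped group is silently ignored, the `suser(p)` line is skipped with it, and the build falls through to the `#else` branch with the 4.x `suser(p->p_ucred, &p->p_acflag)` signature. Change it to `#elif (__FreeBSD_version > 400000)`.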
Index: sys/contrib/altq/altq/altq_cdnr.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_cdnr.c,v
retrieving revision 1.2
diff -u -r1.2 altq_cdnr.c
--- sys/contrib/altq/altq/altq_cdnr.c 12 Jun 2004 00:57:20 -0000 1.2
+++ sys/contrib/altq/altq/altq_cdnr.c 30 Oct 2006 17:07:54 -0000
@@ -1262,7 +1262,9 @@
case CDNR_GETSTATS:
break;
default:
-#if (__FreeBSD_version > 400000)
+#if (__FreeBSD_versoin > 700000)
+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0)
+#elsif (__FreeBSD_version > 400000)
if ((error = suser(p)) != 0)
#else
if ((error = suser(p->p_ucred, &p->p_acflag)) != 0)
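Review bot: two defects in the added conditional. `__FreeBSD_versoin` is misspelled, and an undefined identifier evaluates to 0 in `#if`, so the priv_check branch can never be selected on any kernel. Independently, `#elsif` is not a valid directive (it must be `#elif`), so once the first test is false the `suser(p)` line is skipped along with the ignored directive and the `#else` branch is compiled instead. Fix both: `#if (__FreeBSD_version > 700000)` and `#elif (__FreeBSD_version > 400000)`.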
Index: sys/contrib/altq/altq/altq_hfsc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_hfsc.c,v
retrieving revision 1.2
diff -u -r1.2 altq_hfsc.c
--- sys/contrib/altq/altq/altq_hfsc.c 12 Jun 2004 00:57:20 -0000 1.2
+++ sys/contrib/altq/altq/altq_hfsc.c 30 Oct 2006 17:07:54 -0000
@@ -1975,7 +1975,10 @@
case HFSC_GETSTATS:
break;
default:
-#if (__FreeBSD_version > 400000)
+#if (__FreeBSD_version > 700000)
+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0)
+ return (error);
+#elsif (__FreeBSD_version > 400000)
if ((error = suser(p)) != 0)
return (error);
#else
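Review bot: `#elsif` must be `#elif`, as in altq_cbq.c; as written the 7.x build fails on an invalid preprocessing directive and older kernels fall through to the `#else` branch.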
Index: sys/contrib/altq/altq/altq_priq.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_priq.c,v
retrieving revision 1.2
diff -u -r1.2 altq_priq.c
--- sys/contrib/altq/altq/altq_priq.c 12 Jun 2004 00:57:20 -0000 1.2
+++ sys/contrib/altq/altq/altq_priq.c 30 Oct 2006 17:07:54 -0000
@@ -772,7 +772,10 @@
case PRIQ_GETSTATS:
break;
default:
-#if (__FreeBSD_version > 400000)
+#if (__FreeBSD_version > 700000)
+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0)
+ return (error);
+#elsif (__FreeBSD_version > 400000)
if ((error = suser(p)) != 0)
return (error);
#else
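Review bot: same `#elsif` for `#elif` slip as in the other altq files; the 7.x build errors out on it and older kernels silently get the `#else` branch.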
Index: sys/contrib/altq/altq/altq_red.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_red.c,v
retrieving revision 1.2
diff -u -r1.2 altq_red.c
--- sys/contrib/altq/altq/altq_red.c 12 Jun 2004 00:57:20 -0000 1.2
+++ sys/contrib/altq/altq/altq_red.c 30 Oct 2006 17:07:54 -0000
@@ -781,7 +781,9 @@
case RED_GETSTATS:
break;
default:
-#if (__FreeBSD_version > 400000)
+#if (__FreeBSD_version > 700000)
+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0)
+#elsif (__FreeBSD_version > 400000)
if ((error = suser(p)) != 0)
#else
if ((error = suser(p->p_ucred, &p->p_acflag)) != 0)
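Review bot: `#elsif` again; replace with `#elif (__FreeBSD_version > 400000)` so that the 7.x build compiles and pre-7 kernels keep the `suser(p)` branch rather than falling through to the 4.x signature.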
Index: sys/contrib/altq/altq/altq_rio.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_rio.c,v
retrieving revision 1.3
diff -u -r1.3 altq_rio.c
--- sys/contrib/altq/altq/altq_rio.c 10 Jun 2005 16:49:03 -0000 1.3
+++ sys/contrib/altq/altq/altq_rio.c 30 Oct 2006 17:07:54 -0000
@@ -531,7 +531,10 @@
case RIO_GETSTATS:
break;
default:
-#if (__FreeBSD_version > 400000)
+#if (__FreeBSD_versoin > 700000)
+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0)
+ return (error);
+#elsif (__FreeBSD_version > 400000)
if ((error = suser(p)) != 0)
return (error);
#else
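Review bot: both slips from altq_cdnr.c recur here: `__FreeBSD_versoin` is misspelled (an undefined identifier is 0 in `#if`, so the priv_check branch is unreachable) and `#elsif` is not a directive. Use `#if (__FreeBSD_version > 700000)` and `#elif (__FreeBSD_version > 400000)`.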
Index: sys/contrib/pf/net/if_pfsync.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/pf/net/if_pfsync.c,v
retrieving revision 1.30
diff -u -r1.30 if_pfsync.c
--- sys/contrib/pf/net/if_pfsync.c 9 Jul 2006 06:04:01 -0000 1.30
+++ sys/contrib/pf/net/if_pfsync.c 30 Oct 2006 17:07:54 -0000
@@ -54,6 +54,9 @@
#endif
#include <sys/param.h>
+#ifdef __FreeBSD__
+#include <sys/priv.h>
+#endif
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/time.h>
@@ -1057,7 +1060,7 @@
break;
case SIOCSETPFSYNC:
#ifdef __FreeBSD__
- if ((error = suser(curthread)) != 0)
+ if ((error = priv_check(curthread, PRIV_NETINET_PF)) != 0)
#else
if ((error = suser(p, p->p_acflag)) != 0)
#endif
Index: sys/dev/an/if_an.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/an/if_an.c,v
retrieving revision 1.79
diff -u -r1.79 if_an.c
--- sys/dev/an/if_an.c 16 May 2006 14:36:22 -0000 1.79
+++ sys/dev/an/if_an.c 30 Oct 2006 17:07:54 -0000
@@ -92,6 +92,7 @@
#include <sys/systm.h>
#include <sys/sockio.h>
#include <sys/mbuf.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/socket.h>
@@ -1920,7 +1921,7 @@
break;
#ifdef ANCACHE
if (sc->areq.an_type == AN_RID_ZERO_CACHE) {
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
if (error)
break;
sc->an_sigitems = sc->an_nextitem = 0;
@@ -1944,7 +1945,7 @@
error = copyout(&sc->areq, ifr->ifr_data, sizeof(sc->areq));
break;
case SIOCSAIRONET:
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
goto out;
error = copyin(ifr->ifr_data, &sc->areq, sizeof(sc->areq));
if (error != 0)
@@ -1952,7 +1953,7 @@
an_setdef(sc, &sc->areq);
break;
case SIOCGPRIVATE_0: /* used by Cisco client utility */
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
goto out;
error = copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl));
if (error)
@@ -1974,7 +1975,7 @@
}
break;
case SIOCGPRIVATE_1: /* used by Cisco client utility */
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
goto out;
error = copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl));
if (error)
@@ -2226,7 +2227,7 @@
}
break;
case SIOCS80211:
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_NET80211_MANAGE)))
goto out;
sc->areq.an_len = sizeof(sc->areq);
/*
Index: sys/dev/arl/if_arl.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/arl/if_arl.c,v
retrieving revision 1.13
diff -u -r1.13 if_arl.c
--- sys/dev/arl/if_arl.c 16 May 2006 14:36:23 -0000 1.13
+++ sys/dev/arl/if_arl.c 30 Oct 2006 17:07:54 -0000
@@ -43,6 +43,7 @@
#include <sys/mbuf.h>
#include <sys/socket.h>
#include <sys/sockio.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/conf.h>
@@ -504,7 +505,7 @@
break;
case SIOCS80211:
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_NET80211_MANAGE)))
break;
switch (ireq->i_type) {
case IEEE80211_IOC_SSID:
@@ -577,7 +578,7 @@
}
case SIOCGARLALL:
bzero(&arlan_io, sizeof(arlan_io));
- if (!suser(td)) {
+ if (!priv_check(td, PRIV_DRIVER)) {
bcopy(ar->systemId, arlan_io.cfg.sid, 4);
}
@@ -616,7 +617,7 @@
} while (0)
case SIOCSARLALL:
- if (suser(td))
+ if (priv_check(td, PRIV_DRIVER))
break;
user = (void *)ifr->ifr_data;
Index: sys/dev/asr/asr.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/asr/asr.c,v
retrieving revision 1.79
diff -u -r1.79 asr.c
--- sys/dev/asr/asr.c 31 Oct 2006 05:53:26 -0000 1.79
+++ sys/dev/asr/asr.c 31 Oct 2006 08:40:40 -0000
@@ -117,6 +117,7 @@
#include <sys/malloc.h>
#include <sys/conf.h>
#include <sys/ioccom.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/bus.h>
#include <machine/resource.h>
@@ -3145,7 +3146,7 @@
s = splcam ();
if (ASR_ctlr_held) {
error = EBUSY;
- } else if ((error = suser(td)) == 0) {
+ } else if ((error = priv_check(td, PRIV_DRIVER)) == 0) {
++ASR_ctlr_held;
}
splx(s);
Index: sys/dev/ata/atapi-cd.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ata/atapi-cd.c,v
retrieving revision 1.189
diff -u -r1.189 atapi-cd.c
--- sys/dev/ata/atapi-cd.c 28 Jun 2006 15:04:10 -0000 1.189
+++ sys/dev/ata/atapi-cd.c 30 Oct 2006 17:07:54 -0000
@@ -34,6 +34,7 @@
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/bio.h>
#include <sys/bus.h>
@@ -257,8 +258,11 @@
cdp->flags |= F_LOCKED;
break;
+ /*
+ * XXXRW: Why does this require privilege?
+ */
case CDIOCRESET:
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
if (error)
break;
error = acd_test_ready(dev);
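Review bot: the added XXXRW comment leaves an open question in the tree rather than an answer. Either settle whether CDIOCRESET needs privilege before committing, or add it to the list of outstanding XXXs in the post so it is tracked; a block comment that only asks a question tends to outlive anyone's memory of why it was asked.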
Index: sys/dev/ce/if_ce.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ce/if_ce.c,v
retrieving revision 1.3
diff -u -r1.3 if_ce.c
--- sys/dev/ce/if_ce.c 3 Feb 2006 20:55:30 -0000 1.3
+++ sys/dev/ce/if_ce.c 30 Oct 2006 17:07:54 -0000
@@ -29,6 +29,7 @@
#if NPCI > 0
#include <sys/ucred.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
@@ -1341,9 +1342,11 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else /* __FreeBSD_version >= 500000 */
+#elsif __FreeBSD_version < 700000
error = suser (td);
-#endif /* __FreeBSD_version >= 500000 */
+#else
+ error = priv_check (td, PRIV_DRIVER);
+#endif
if (error)
return error;
#if __FreeBSD_version >= 600034
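Review bot: `#elsif` is not a C preprocessor directive; the C spelling is `#elif`, and the same line is repeated in every following hunk of this file, so all of them need the fix. Because `__FreeBSD_version < 500000` is false on any kernel this patch targets, the `#if` group is skipped, the unknown directive inside a skipped group is ignored without a diagnostic, the `suser (td)` line is skipped with it, and the `#else` branch is what gets compiled. On 7.x that happens to be the right `priv_check (td, PRIV_DRIVER)` call by accident; on a 5.x or 6.x kernel it selects `priv_check()`, which does not exist there, defeating the version guard the driver carries. Changing each `#elsif` to `#elif __FreeBSD_version < 700000` restores the intended three-way split.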
@@ -1380,8 +1383,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1408,8 +1413,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1426,8 +1433,10 @@
CE_DEBUG2 (d, ("ioctl: setcfg\n"));
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1526,8 +1535,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1560,8 +1571,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1586,8 +1599,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1608,8 +1623,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1634,8 +1651,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1658,8 +1677,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1686,8 +1707,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1708,8 +1731,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1734,8 +1759,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1758,8 +1785,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1784,8 +1813,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1810,8 +1841,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1836,8 +1869,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1867,8 +1902,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1892,8 +1929,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1909,8 +1948,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
@@ -1945,8 +1986,10 @@
/* Only for superuser! */
#if __FreeBSD_version < 500000
error = suser (p);
-#else
+#elsif __FreeBSD_version < 700000
error = suser (td);
+#else
+ error = priv_check (td, PRIV_DRIVER);
#endif
if (error)
return error;
Index: sys/dev/cnw/if_cnw.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/cnw/if_cnw.c,v
retrieving revision 1.23
diff -u -r1.23 if_cnw.c
--- sys/dev/cnw/if_cnw.c 16 May 2006 14:36:23 -0000 1.23
+++ sys/dev/cnw/if_cnw.c 30 Oct 2006 17:07:54 -0000
@@ -236,6 +236,7 @@
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/kernel.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/socket.h>
@@ -1339,7 +1340,7 @@
#if !defined(__FreeBSD__)
error = suser(p->p_ucred, &p->p_acflag);
#else
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
#endif
if (error)
break;
@@ -1350,7 +1351,7 @@
#if !defined(__FreeBSD__)
error = suser(p->p_ucred, &p->p_acflag);
#else
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
#endif
if (error)
break;
@@ -1361,7 +1362,7 @@
#if !defined(__FreeBSD__)
error = suser(p->p_ucred, &p->p_acflag);
#else
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
#endif
if (error)
break;
Index: sys/dev/cp/if_cp.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/cp/if_cp.c,v
retrieving revision 1.29
diff -u -r1.29 if_cp.c
--- sys/dev/cp/if_cp.c 27 Sep 2005 16:57:44 -0000 1.29
+++ sys/dev/cp/if_cp.c 30 Oct 2006 17:07:54 -0000
@@ -33,6 +33,7 @@
#include <sys/module.h>
#include <sys/conf.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <sys/sysctl.h>
@@ -1071,7 +1072,7 @@
case SERIAL_SETPROTO:
CP_DEBUG2 (d, ("ioctl: setproto\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (d->ifp->if_drv_flags & IFF_DRV_RUNNING)
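Review bot: the `/* Only for superuser! */` comment kept above this and every following `SERIAL_*` case in the file now describes a `PRIV_DRIVER` check rather than a uid test; since priv(9) lets policy grant a privilege to callers other than root, updating these comments (once per case, or by dropping them in favour of the self-describing call) would keep the driver's documentation accurate after the sweep.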
@@ -1102,7 +1103,7 @@
case SERIAL_SETKEEPALIVE:
CP_DEBUG2 (d, ("ioctl: setkeepalive\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if ((IFP2SP(d->ifp)->pp_flags & PP_FR) ||
@@ -1126,7 +1127,7 @@
case SERIAL_SETMODE:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (*(int*)data != SERIAL_HDLC)
@@ -1142,7 +1143,7 @@
case SERIAL_SETCFG:
CP_DEBUG2 (d, ("ioctl: setcfg\n"));
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1239,7 +1240,7 @@
case SERIAL_CLRSTAT:
CP_DEBUG2 (d, ("ioctl: clrstat\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
c->rintr = 0;
@@ -1268,7 +1269,7 @@
case SERIAL_SETBAUD:
CP_DEBUG2 (d, ("ioctl: setbaud\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1286,7 +1287,7 @@
case SERIAL_SETLOOP:
CP_DEBUG2 (d, ("ioctl: setloop\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1306,7 +1307,7 @@
case SERIAL_SETDPLL:
CP_DEBUG2 (d, ("ioctl: setdpll\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_SERIAL)
@@ -1328,7 +1329,7 @@
case SERIAL_SETNRZI:
CP_DEBUG2 (d, ("ioctl: setnrzi\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_SERIAL)
@@ -1348,7 +1349,7 @@
case SERIAL_SETDEBUG:
CP_DEBUG2 (d, ("ioctl: setdebug\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
d->chan->debug = *(int*)data;
@@ -1370,7 +1371,7 @@
case SERIAL_SETHIGAIN:
CP_DEBUG2 (d, ("ioctl: sethigain\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1392,7 +1393,7 @@
case SERIAL_SETPHONY:
CP_DEBUG2 (d, ("ioctl: setphony\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1414,7 +1415,7 @@
case SERIAL_SETUNFRAM:
CP_DEBUG2 (d, ("ioctl: setunfram\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1436,7 +1437,7 @@
case SERIAL_SETSCRAMBLER:
CP_DEBUG2 (d, ("ioctl: setscrambler\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_G703 && !c->unfram)
@@ -1461,7 +1462,7 @@
case SERIAL_SETMONITOR:
CP_DEBUG2 (d, ("ioctl: setmonitor\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1483,7 +1484,7 @@
case SERIAL_SETUSE16:
CP_DEBUG2 (d, ("ioctl: setuse16\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1505,7 +1506,7 @@
case SERIAL_SETCRC4:
CP_DEBUG2 (d, ("ioctl: setcrc4\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1)
@@ -1538,7 +1539,7 @@
case SERIAL_SETCLK:
CP_DEBUG2 (d, ("ioctl: setclk\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_E1 &&
@@ -1571,7 +1572,7 @@
case SERIAL_SETTIMESLOTS:
CP_DEBUG2 (d, ("ioctl: settimeslots\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if ((c->type != T_E1 || c->unfram) && c->type != T_DATA)
@@ -1597,7 +1598,7 @@
case SERIAL_SETINVCLK:
CP_DEBUG2 (d, ("ioctl: setinvclk\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_SERIAL)
@@ -1620,7 +1621,7 @@
case SERIAL_SETINVTCLK:
CP_DEBUG2 (d, ("ioctl: setinvtclk\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_SERIAL)
@@ -1642,7 +1643,7 @@
case SERIAL_SETINVRCLK:
CP_DEBUG2 (d, ("ioctl: setinvrclk\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->type != T_SERIAL)
@@ -1669,7 +1670,7 @@
case SERIAL_RESET:
CP_DEBUG2 (d, ("ioctl: reset\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1682,7 +1683,7 @@
case SERIAL_HARDRESET:
CP_DEBUG2 (d, ("ioctl: hardreset\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1714,7 +1715,7 @@
case SERIAL_SETDIR:
CP_DEBUG2 (d, ("ioctl: setdir\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1739,7 +1740,7 @@
if (c->type != T_E3 && c->type != T_T3 && c->type != T_STS1)
return EINVAL;
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1761,7 +1762,7 @@
if (c->type != T_T3 && c->type != T_STS1)
return EINVAL;
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
Index: sys/dev/ctau/if_ct.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ctau/if_ct.c,v
retrieving revision 1.29
diff -u -r1.29 if_ct.c
--- sys/dev/ctau/if_ct.c 16 May 2006 14:36:24 -0000 1.29
+++ sys/dev/ctau/if_ct.c 30 Oct 2006 17:07:54 -0000
@@ -32,6 +32,7 @@
#include <sys/mbuf.h>
#include <sys/sockio.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <sys/conf.h>
@@ -1300,7 +1301,7 @@
case SERIAL_SETPROTO:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (d->ifp->if_drv_flags & IFF_DRV_RUNNING)
@@ -1328,7 +1329,7 @@
case SERIAL_SETKEEPALIVE:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if ((IFP2SP(d->ifp)->pp_flags & PP_FR) ||
@@ -1357,7 +1358,7 @@
case SERIAL_SETCFG:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_HDLC)
@@ -1435,7 +1436,7 @@
case SERIAL_CLRSTAT:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
c->rintr = 0;
@@ -1458,7 +1459,7 @@
case SERIAL_SETBAUD:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1474,7 +1475,7 @@
case SERIAL_SETLOOP:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1492,7 +1493,7 @@
case SERIAL_SETDPLL:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_E1 || c->mode == M_G703)
@@ -1512,7 +1513,7 @@
case SERIAL_SETNRZI:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_E1 || c->mode == M_G703)
@@ -1530,7 +1531,7 @@
case SERIAL_SETDEBUG:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
c->debug = *(int*)data;
@@ -1550,7 +1551,7 @@
case SERIAL_SETHIGAIN:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1572,7 +1573,7 @@
if (c->mode != M_E1)
return EINVAL;
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1595,7 +1596,7 @@
case SERIAL_SETCLK:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1619,7 +1620,7 @@
case SERIAL_SETTIMESLOTS:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1637,7 +1638,7 @@
case SERIAL_SETSUBCHAN:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splimp ();
@@ -1663,7 +1664,7 @@
case SERIAL_SETINVCLK:
case SERIAL_SETINVTCLK:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_E1 || c->mode == M_G703)
@@ -1677,7 +1678,7 @@
case SERIAL_SETINVRCLK:
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_E1 || c->mode == M_G703)
Index: sys/dev/cx/if_cx.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/cx/if_cx.c,v
retrieving revision 1.52
diff -u -r1.52 if_cx.c
--- sys/dev/cx/if_cx.c 16 May 2006 14:36:24 -0000 1.52
+++ sys/dev/cx/if_cx.c 30 Oct 2006 17:07:54 -0000
@@ -30,6 +30,7 @@
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/module.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/mbuf.h>
#include <sys/sockio.h>
@@ -1632,7 +1633,7 @@
case SERIAL_SETPORT:
CX_DEBUG2 (d, ("ioctl: setproto\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
@@ -1658,7 +1659,7 @@
case SERIAL_SETPROTO:
CX_DEBUG2 (d, ("ioctl: setproto\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_ASYNC)
@@ -1695,7 +1696,7 @@
case SERIAL_SETKEEPALIVE:
CX_DEBUG2 (d, ("ioctl: setkeepalive\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if ((IFP2SP(d->ifp)->pp_flags & PP_FR) ||
@@ -1725,7 +1726,7 @@
case SERIAL_SETMODE:
CX_DEBUG2 (d, ("ioctl: setmode\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
@@ -1778,7 +1779,7 @@
case SERIAL_CLRSTAT:
CX_DEBUG2 (d, ("ioctl: clrstat\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splhigh ();
@@ -1810,7 +1811,7 @@
case SERIAL_SETBAUD:
CX_DEBUG2 (d, ("ioctl: setbaud\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_ASYNC)
@@ -1836,7 +1837,7 @@
case SERIAL_SETLOOP:
CX_DEBUG2 (d, ("ioctl: setloop\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_ASYNC)
@@ -1862,7 +1863,7 @@
case SERIAL_SETDPLL:
CX_DEBUG2 (d, ("ioctl: setdpll\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_ASYNC)
@@ -1888,7 +1889,7 @@
case SERIAL_SETNRZI:
CX_DEBUG2 (d, ("ioctl: setnrzi\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
if (c->mode == M_ASYNC)
@@ -1912,7 +1913,7 @@
case SERIAL_SETDEBUG:
CX_DEBUG2 (d, ("ioctl: setdebug\n"));
/* Only for superuser! */
- error = suser (td);
+ error = priv_check (td, PRIV_DRIVER);
if (error)
return error;
s = splhigh ();
Index: sys/dev/dcons/dcons_os.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/dcons/dcons_os.c,v
retrieving revision 1.11
diff -u -r1.11 dcons_os.c
--- sys/dev/dcons/dcons_os.c 26 May 2006 13:51:38 -0000 1.11
+++ sys/dev/dcons/dcons_os.c 30 Oct 2006 17:07:54 -0000
@@ -48,6 +48,7 @@
#include <sys/consio.h>
#include <sys/tty.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/ucred.h>
@@ -293,7 +294,8 @@
if ((tp->t_state & TS_ISOPEN) == 0) {
tp->t_state |= TS_CARR_ON;
ttyconsolemode(tp, 0);
- } else if ((tp->t_state & TS_XCLUDE) && suser(td)) {
+ } else if ((tp->t_state & TS_XCLUDE) &&
+ priv_check(td, PRIV_TTY_EXCLUSIVE)) {
splx(s);
return (EBUSY);
}
Index: sys/dev/drm/drmP.h
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/drm/drmP.h,v
retrieving revision 1.17
diff -u -r1.17 drmP.h
--- sys/dev/drm/drmP.h 7 Sep 2006 23:04:47 -0000 1.17
+++ sys/dev/drm/drmP.h 30 Oct 2006 17:07:54 -0000
@@ -50,6 +50,9 @@
#include <sys/systm.h>
#include <sys/conf.h>
#include <sys/stat.h>
+#if __FreeBSD_version >= 700000
+#include <sys/priv.h>
+#endif
#include <sys/proc.h>
#include <sys/lock.h>
#include <sys/fcntl.h>
@@ -233,7 +236,11 @@
#define PAGE_ALIGN(addr) round_page(addr)
/* DRM_SUSER returns true if the user is superuser */
+#if __FreeBSD_version >= 700000
+#define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) == 0)
+#else
#define DRM_SUSER(p) (suser(p) == 0)
+#endif
#define DRM_AGP_FIND_DEVICE() agp_find_device()
#define DRM_MTRR_WC MDF_WRITECOMBINE
#define jiffies ticks
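Review bot: the unchanged comment "DRM_SUSER returns true if the user is superuser" no longer matches the 7.x definition, which answers a `PRIV_DRIVER` check that policy may grant to non-root callers; adjust the comment alongside the new `#if`. The version guard around the new definition is consistent with the guarded `#include <sys/priv.h>` added earlier in this header, which is good given the shared DRM sources.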
Index: sys/dev/fdc/fdc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/fdc/fdc.c,v
retrieving revision 1.313
diff -u -r1.313 fdc.c
--- sys/dev/fdc/fdc.c 8 Sep 2006 21:46:00 -0000 1.313
+++ sys/dev/fdc/fdc.c 30 Oct 2006 17:07:54 -0000
@@ -69,6 +69,7 @@
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/rman.h>
#include <sys/sysctl.h>
@@ -1489,8 +1490,9 @@
return (0);
case FD_CLRERR:
- if (suser(td) != 0)
- return (EPERM);
+ error = priv_check(td, PRIV_DRIVER);
+ if (error)
+ return (error);
fd->fdc->fdc_errs = 0;
return (0);
Index: sys/dev/hwpmc/hwpmc_mod.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/hwpmc/hwpmc_mod.c,v
retrieving revision 1.25
diff -u -r1.25 hwpmc_mod.c
--- sys/dev/hwpmc/hwpmc_mod.c 17 Sep 2006 20:00:35 -0000 1.25
+++ sys/dev/hwpmc/hwpmc_mod.c 30 Oct 2006 17:07:54 -0000
@@ -41,6 +41,7 @@
#include <sys/pmc.h>
#include <sys/pmckern.h>
#include <sys/pmclog.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/resourcevar.h>
@@ -2782,10 +2783,9 @@
KASSERT(td == curthread,
("[pmc,%d] td != curthread", __LINE__));
- if (suser(td) || jailed(td->td_ucred)) {
- error = EPERM;
+ error = priv_check(td, PRIV_PMC_MANAGE);
+ if (error)
break;
- }
if ((error = copyin(arg, &pma, sizeof(pma))) != 0)
break;
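Review bot: the explicit `jailed(td->td_ucred)` test is dropped here, so refusing jailed callers now depends entirely on `PRIV_PMC_MANAGE` not being on the kern_jail.c list of privileges granted in jail. The PMC allocation hunk in this same file keeps its `jailed()` check, so the two paths should be brought in line (either both trust the privilege framework or both keep the explicit check), and the commit message should state that `PRIV_PMC_MANAGE` is denied in jail.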
@@ -2918,11 +2918,16 @@
*/
if (PMC_IS_SYSTEM_MODE(mode)) {
- if (jailed(curthread->td_ucred))
- error = EPERM;
- else if (suser(curthread) &&
- (pmc_unprivileged_syspmcs == 0))
+ if (jailed(curthread->td_ucred)) {
error = EPERM;
+ break;
+ }
+ if (!pmc_unprivileged_syspmcs) {
+ error = priv_check(curthread,
+ PRIV_PMC_SYSTEM);
+ if (error)
+ break;
+ }
}
if (error)
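Review bot: the `break` added inside the nested `if (jailed(...))` exits the enclosing switch or loop, not just the `if (PMC_IS_SYSTEM_MODE(mode))` block; the unchanged `if (error)` line that follows suggests the old code reached the same exit after setting `EPERM`, but please confirm that skipping the remainder of this case does not bypass any cleanup the previous fall-through performed. Also note this hunk keeps an explicit `jailed()` check while the `PRIV_PMC_MANAGE` hunk above relies on the privilege framework alone.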
Index: sys/dev/if_ndis/if_ndis.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/if_ndis/if_ndis.c,v
retrieving revision 1.117
diff -u -r1.117 if_ndis.c
--- sys/dev/if_ndis/if_ndis.c 4 Feb 2006 19:42:49 -0000 1.117
+++ sys/dev/if_ndis/if_ndis.c 30 Oct 2006 17:07:54 -0000
@@ -41,6 +41,7 @@
#include <sys/sockio.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/kernel.h>
#include <sys/socket.h>
#include <sys/queue.h>
@@ -2836,7 +2837,7 @@
error = ENOTTY;
break;
case SIOCGDRVSPEC:
- if ((error = suser(curthread)))
+ if ((error = priv_check(curthread, PRIV_DRIVER)))
break;
error = copyin(ifr->ifr_data, &oid, sizeof(oid));
if (error)
@@ -2865,7 +2866,7 @@
free(oidbuf, M_TEMP);
break;
case SIOCSDRVSPEC:
- if ((error = suser(curthread)))
+ if ((error = priv_check(curthread, PRIV_DRIVER)))
break;
error = copyin(ifr->ifr_data, &oid, sizeof(oid));
if (error)
@@ -2894,7 +2895,7 @@
free(oidbuf, M_TEMP);
break;
case SIOCGPRIVATE_0:
- if ((error = suser(curthread)))
+ if ((error = priv_check(curthread, PRIV_DRIVER)))
break;
NDIS_LOCK(sc);
if (sc->ndis_evt[sc->ndis_evtcidx].ne_sts == 0) {
@@ -3062,7 +3063,7 @@
uint32_t foo;
int error, len;
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_DRIVER);
if (error)
return (error);
@@ -3370,7 +3371,7 @@
break;
#endif
case IEEE80211_IOC_STATIONNAME:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NET80211_MANAGE);
if (error)
break;
if (ireq->i_val != 0 ||
Index: sys/dev/kbd/kbd.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/kbd/kbd.c,v
retrieving revision 1.45
diff -u -r1.45 kbd.c
--- sys/dev/kbd/kbd.c 28 Feb 2006 23:46:23 -0000 1.45
+++ sys/dev/kbd/kbd.c 30 Oct 2006 17:07:54 -0000
@@ -38,6 +38,7 @@
#include <sys/fcntl.h>
#include <sys/tty.h>
#include <sys/poll.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sysctl.h>
#include <sys/uio.h>
@@ -972,11 +973,11 @@
if (keymap_restrict_change >= 2) {
for (i = 0; i < NUM_STATES; i++)
if (oldkey->map[i] != newkey->map[i])
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
if (oldkey->spcl != newkey->spcl)
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
if (oldkey->flgs != newkey->flgs)
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
return (0);
}
@@ -991,7 +992,7 @@
if ((oldkey->spcl & (0x80 >> i)) == (newkey->spcl & (0x80 >> i))
&& oldkey->map[i] == newkey->map[i])
continue;
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
}
return (0);
@@ -1020,20 +1021,20 @@
return (0);
if (oldmap->n_accs != newmap->n_accs)
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
for (accent = 0; accent < oldmap->n_accs; accent++) {
oldacc = &oldmap->acc[accent];
newacc = &newmap->acc[accent];
if (oldacc->accchar != newacc->accchar)
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
for (i = 0; i < NUM_ACCENTCHARS; ++i) {
if (oldacc->map[i][0] != newacc->map[i][0])
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
if (oldacc->map[i][0] == 0) /* end of table */
break;
if (oldacc->map[i][1] != newacc->map[i][1])
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
}
}
@@ -1048,7 +1049,7 @@
if (oldkey->len != newkey->flen ||
bcmp(oldkey->str, newkey->keydef, oldkey->len) != 0)
- return suser(td);
+ return priv_check(td, PRIV_KEYBOARD);
return (0);
}
Index: sys/dev/lmc/if_lmc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/lmc/if_lmc.c,v
retrieving revision 1.29
diff -u -r1.29 if_lmc.c
--- sys/dev/lmc/if_lmc.c 15 Jul 2006 02:07:38 -0000 1.29
+++ sys/dev/lmc/if_lmc.c 30 Oct 2006 17:07:55 -0000
@@ -113,6 +113,9 @@
# include <sys/rman.h>
# include <vm/vm.h>
# include <vm/pmap.h>
+# if (__FreeBSD_version >= 700000)
+# include <sys/priv.h>
+# endif
# if (__FreeBSD_version >= 500000)
# include <sys/mutex.h>
# include <dev/pci/pcivar.h>
Index: sys/dev/lmc/if_lmc.h
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/lmc/if_lmc.h,v
retrieving revision 1.4
diff -u -r1.4 if_lmc.h
--- sys/dev/lmc/if_lmc.h 21 Jul 2006 08:45:00 -0000 1.4
+++ sys/dev/lmc/if_lmc.h 30 Oct 2006 17:07:55 -0000
@@ -1223,7 +1223,11 @@
# define TOP_UNLOCK mtx_unlock (&sc->top_mtx)
# define BOTTOM_TRYLOCK mtx_trylock(&sc->bottom_mtx)
# define BOTTOM_UNLOCK mtx_unlock (&sc->bottom_mtx)
-# define CHECK_CAP suser(curthread)
+# if (__FreeBSD_version >= 700000)
+# define CHECK_CAP priv_check(curthread, PRIV_DRIVER)
+# else
+# define CHECK_CAP suser(curthread)
+# endif
# else /* FreeBSD-4 */
# define TOP_TRYLOCK (sc->top_spl = splimp())
# define TOP_UNLOCK splx(sc->top_spl)
Index: sys/dev/nmdm/nmdm.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/nmdm/nmdm.c,v
retrieving revision 1.37
diff -u -r1.37 nmdm.c
--- sys/dev/nmdm/nmdm.c 4 Jan 2006 08:34:23 -0000 1.37
+++ sys/dev/nmdm/nmdm.c 30 Oct 2006 17:07:55 -0000
@@ -41,6 +41,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/tty.h>
#include <sys/conf.h>
@@ -286,7 +287,8 @@
if ((tp->t_state & TS_ISOPEN) == 0) {
ttyinitmode(tp, 0, 0);
ttsetwater(tp); /* XXX ? */
- } else if (tp->t_state & TS_XCLUDE && suser(td)) {
+ } else if (tp->t_state & TS_XCLUDE &&
+ priv_check(td, PRIV_TTY_EXCLUSIVE)) {
return (EBUSY);
}
Index: sys/dev/null/null.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/null/null.c,v
retrieving revision 1.31
diff -u -r1.31 null.c
--- sys/dev/null/null.c 27 Feb 2005 22:00:45 -0000 1.31
+++ sys/dev/null/null.c 30 Oct 2006 17:07:55 -0000
@@ -36,6 +36,7 @@
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/module.h>
+#include <sys/priv.h>
#include <sys/disk.h>
#include <sys/bus.h>
#include <machine/bus.h>
@@ -87,7 +88,7 @@
if (cmd != DIOCSKERNELDUMP)
return (ENOIOCTL);
- error = suser(td);
+ error = priv_check(td, PRIV_SETDUMPER);
if (error)
return (error);
return (set_dumper(NULL));
Index: sys/dev/ofw/ofw_console.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ofw/ofw_console.c,v
retrieving revision 1.34
diff -u -r1.34 ofw_console.c
--- sys/dev/ofw/ofw_console.c 30 May 2006 07:56:57 -0000 1.34
+++ sys/dev/ofw/ofw_console.c 30 Oct 2006 17:07:55 -0000
@@ -140,7 +140,8 @@
ttyconsolemode(tp, 0);
setuptimeout = 1;
- } else if ((tp->t_state & TS_XCLUDE) && suser(td)) {
+ } else if ((tp->t_state & TS_XCLUDE) &&
+ priv_check(td, PRIV_TTY_EXCLUSIVE)) {
return (EBUSY);
}
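Review bot: unlike the other files in this patch, ofw_console.c gets no `#include <sys/priv.h>` hunk, yet the new line references `priv_check` and `PRIV_TTY_EXCLUSIVE`; unless the header is pulled in transitively, this will not compile. Add the include next to the file's other `<sys/...>` headers.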
Index: sys/dev/random/randomdev.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/random/randomdev.c,v
retrieving revision 1.60
diff -u -r1.60 randomdev.c
--- sys/dev/random/randomdev.c 20 Dec 2005 21:41:52 -0000 1.60
+++ sys/dev/random/randomdev.c 30 Oct 2006 17:07:55 -0000
@@ -41,6 +41,7 @@
#include <sys/module.h>
#include <sys/mutex.h>
#include <sys/poll.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/selinfo.h>
#include <sys/uio.h>
@@ -85,7 +86,7 @@
random_close(struct cdev *dev __unused, int flags, int fmt __unused,
struct thread *td)
{
- if ((flags & FWRITE) && (suser(td) == 0)
+ if ((flags & FWRITE) && (priv_check(td, PRIV_RANDOM_RESEED) == 0)
&& (securelevel_gt(td->td_ucred, 0) == 0)) {
(*random_systat.reseed)();
random_systat.seeded = 1;
Index: sys/dev/sbni/if_sbni.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/sbni/if_sbni.c,v
retrieving revision 1.22
diff -u -r1.22 if_sbni.c
--- sys/dev/sbni/if_sbni.c 11 Nov 2005 16:04:54 -0000 1.22
+++ sys/dev/sbni/if_sbni.c 30 Oct 2006 17:07:55 -0000
@@ -67,6 +67,7 @@
#include <sys/sockio.h>
#include <sys/mbuf.h>
#include <sys/kernel.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/callout.h>
#include <sys/syslog.h>
@@ -1110,7 +1111,7 @@
case SIOCSHWFLAGS: /* set flags */
/* root only */
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
if (error)
break;
flags = *(struct sbni_flags*)&ifr->ifr_data;
@@ -1132,7 +1133,7 @@
break;
case SIOCRINSTATS:
- if (!(error = suser(td))) /* root only */
+ if (!(error = priv_check(td, PRIV_DRIVER))) /* root only */
bzero(&sc->in_stats, sizeof(struct sbni_in_stats));
break;
Index: sys/dev/sbsh/if_sbsh.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/sbsh/if_sbsh.c,v
retrieving revision 1.16
diff -u -r1.16 if_sbsh.c
--- sys/dev/sbsh/if_sbsh.c 16 May 2006 14:36:31 -0000 1.16
+++ sys/dev/sbsh/if_sbsh.c 30 Oct 2006 17:07:55 -0000
@@ -34,6 +34,7 @@
#include <sys/malloc.h>
#include <sys/kernel.h>
#include <sys/module.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/random.h>
@@ -424,7 +425,7 @@
switch(cmd) {
case SIOCLOADFIRMW:
- if ((error = suser(curthread)) != 0)
+ if ((error = priv_check(curthread, PRIV_DRIVER)) != 0)
break;
if (ifp->if_flags & IFF_UP)
error = EBUSY;
@@ -444,7 +445,7 @@
break;
case SIOCGETSTATS :
- if ((error = suser(curthread)) != 0)
+ if ((error = priv_check(curthread, PRIV_DRIVER)) != 0)
break;
t = 0;
@@ -478,7 +479,7 @@
break;
case SIOCCLRSTATS :
- if (!(error = suser(curthread))) {
+ if (!(error = priv_check(curthread, PRIV_DRIVER))) {
bzero(&sc->in_stats, sizeof(struct sbni16_stats));
t = 2;
if (issue_cx28975_cmd(sc, _DSL_CLEAR_ERROR_CTRS, &t, 1))
Index: sys/dev/si/si.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/si/si.c,v
retrieving revision 1.137
diff -u -r1.137 si.c
--- sys/dev/si/si.c 6 Jan 2006 19:56:12 -0000 1.137
+++ sys/dev/si/si.c 30 Oct 2006 17:07:55 -0000
@@ -53,6 +53,7 @@
#include <sys/fcntl.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/sysctl.h>
#include <sys/bus.h>
#include <machine/bus.h>
@@ -650,7 +651,7 @@
ip = (int *)data;
-#define SUCHECK if ((error = suser(td))) goto out
+#define SUCHECK if ((error = priv_check(td, PRIV_DRIVER))) goto out
switch (cmd) {
case TCSIPORTS:
Index: sys/dev/syscons/syscons.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/syscons/syscons.c,v
retrieving revision 1.447
diff -u -r1.447 syscons.c
--- sys/dev/syscons/syscons.c 27 Sep 2006 19:56:59 -0000 1.447
+++ sys/dev/syscons/syscons.c 30 Oct 2006 17:07:55 -0000
@@ -50,6 +50,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/random.h>
#include <sys/reboot.h>
@@ -517,7 +518,7 @@
ttyld_modem(tp, 1);
}
else
- if (tp->t_state & TS_XCLUDE && suser(td))
+ if (tp->t_state & TS_XCLUDE && priv_check(td, PRIV_TTY_EXCLUSIVE))
return(EBUSY);
error = ttyld_open(tp, dev);
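Review bot: the replaced `if (tp->t_state & TS_XCLUDE && priv_check(td, PRIV_TTY_EXCLUSIVE))` line runs past the style(9) 80-column limit at this indentation, and the identical change in dcons_os.c, nmdm.c and sysmouse.c was wrapped after `&&`; wrapping it the same way here keeps the sweep consistent.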
@@ -1092,7 +1093,7 @@
return 0;
case KDENABIO: /* allow io operations */
- error = suser(td);
+ error = priv_check(td, PRIV_IO);
if (error != 0)
return error;
error = securelevel_gt(td->td_ucred, 0);
Index: sys/dev/syscons/sysmouse.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/syscons/sysmouse.c,v
retrieving revision 1.28
diff -u -r1.28 sysmouse.c
--- sys/dev/syscons/sysmouse.c 4 Dec 2005 02:12:42 -0000 1.28
+++ sys/dev/syscons/sysmouse.c 30 Oct 2006 17:07:55 -0000
@@ -33,6 +33,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/conf.h>
+#include <sys/priv.h>
#include <sys/tty.h>
#include <sys/kernel.h>
#include <sys/consio.h>
@@ -83,7 +84,8 @@
ttyinitmode(tp, 0, 0);
smparam(tp, &tp->t_termios);
ttyld_modem(tp, 1);
- } else if (tp->t_state & TS_XCLUDE && suser(td)) {
+ } else if (tp->t_state & TS_XCLUDE &&
+ priv_check(td, PRIV_TTY_EXCLUSIVE)) {
return EBUSY;
}
Index: sys/dev/wi/if_wi.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/wi/if_wi.c,v
retrieving revision 1.199
diff -u -r1.199 if_wi.c
--- sys/dev/wi/if_wi.c 5 Aug 2006 04:58:25 -0000 1.199
+++ sys/dev/wi/if_wi.c 30 Oct 2006 17:07:55 -0000
@@ -76,6 +76,7 @@
#endif
#include <sys/sockio.h>
#include <sys/mbuf.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/socket.h>
@@ -1273,7 +1274,7 @@
WI_UNLOCK(sc);
break;
case SIOCSIFGENERIC:
- error = suser(td);
+ error = priv_check(td, PRIV_DRIVER);
if (error == 0)
error = wi_set_cfg(ifp, cmd, data);
break;
@@ -1291,7 +1292,7 @@
error = copyout(&wreq, ifr->ifr_data, sizeof(wreq));
break;
case SIOCSPRISM2DEBUG:
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
return (error);
error = copyin(ifr->ifr_data, &wreq, sizeof(wreq));
if (error)
@@ -1312,7 +1313,7 @@
case SIOCS80211:
ireq = (struct ieee80211req *) data;
if (ireq->i_type == IEEE80211_IOC_STATIONNAME) {
- error = suser(td);
+ error = priv_check(td, PRIV_NET80211_MANAGE);
if (error)
break;
if (ireq->i_val != 0 ||
Index: sys/dev/wl/if_wl.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/wl/if_wl.c,v
retrieving revision 1.73
diff -u -r1.73 if_wl.c
--- sys/dev/wl/if_wl.c 19 Jun 2006 11:30:36 -0000 1.73
+++ sys/dev/wl/if_wl.c 30 Oct 2006 17:07:55 -0000
@@ -197,6 +197,7 @@
#include <sys/module.h>
#include <sys/sockio.h>
#include <sys/mbuf.h>
+#include <sys/priv.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <machine/bus.h>
@@ -1310,7 +1311,7 @@
/* pointer to buffer in user space */
up = (void *)ifr->ifr_data;
/* work out if they're root */
- isroot = (suser(td) == 0);
+ isroot = (priv_check(td, PRIV_NET80211_GETKEY) == 0);
for (i = 0; i < 0x40; i++) {
/* don't hand the DES key out to non-root users */
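Review bot: gating the DES key on `PRIV_NET80211_GETKEY` while the write ioctls in this file use `PRIV_DRIVER` is a sensible split, but the surrounding comments ("work out if they're root", "non-root users") and the `isroot` variable name now describe a privilege rather than uid 0; since the lines are being touched, renaming to something like `haspriv` and updating the comments would stop them misleading the next reader.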
@@ -1327,7 +1328,7 @@
/* copy the PSA in from the caller; we only copy _some_ values */
case SIOCSWLPSA:
/* root only */
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
break;
error = EINVAL; /* assume the worst */
/* pointer to buffer in user space containing data */
@@ -1383,7 +1384,7 @@
*/
case SIOCSWLCNWID:
/* root only */
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
break;
if (!(ifp->if_flags & IFF_UP)) {
error = EIO; /* only allowed while up */
@@ -1401,7 +1402,7 @@
/* copy the EEPROM in 2.4 Gz WaveMODEM out to the caller */
case SIOCGWLEEPROM:
/* root only */
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
break;
/* pointer to buffer in user space */
up = (void *)ifr->ifr_data;
@@ -1428,7 +1429,7 @@
/* zero (Delete) the wl cache */
case SIOCDWLCACHE:
/* root only */
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_DRIVER)))
break;
wl_cache_zero(sc);
break;
Index: sys/dev/zs/zs.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/zs/zs.c,v
retrieving revision 1.35
diff -u -r1.35 zs.c
--- sys/dev/zs/zs.c 26 May 2006 18:25:34 -0000 1.35
+++ sys/dev/zs/zs.c 30 Oct 2006 17:07:55 -0000
@@ -453,7 +453,7 @@
if ((tp->t_state & TS_ISOPEN) != 0 &&
(tp->t_state & TS_XCLUDE) != 0 &&
- suser(td) != 0)
+ priv_check(td, PRIV_TTY_EXCLUSIVE) != 0)
return (EBUSY);
if ((tp->t_state & TS_ISOPEN) == 0) {
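Review bot: zs.c, like ofw_console.c, receives the `priv_check(td, PRIV_TTY_EXCLUSIVE)` call without a matching `#include <sys/priv.h>` hunk; every other file in this patch adds the include, so either add it here too or note in the commit message why it arrives transitively for this driver.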
Index: sys/fs/devfs/devfs_rule.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/devfs/devfs_rule.c,v
retrieving revision 1.22
diff -u -r1.22 devfs_rule.c
--- sys/fs/devfs/devfs_rule.c 17 Jul 2006 09:07:01 -0000 1.22
+++ sys/fs/devfs/devfs_rule.c 31 Oct 2006 08:25:32 -0000
@@ -67,6 +67,7 @@
#include <sys/conf.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/dirent.h>
#include <sys/ioccom.h>
#include <sys/lock.h>
@@ -164,11 +165,13 @@
sx_assert(&dm->dm_lock, SX_XLOCKED);
/*
- * XXX: This returns an error regardless of whether we
- * actually support the cmd or not.
+ * XXX: This returns an error regardless of whether we actually
+ * support the cmd or not.
+ *
+ * We could make this privileges finer grained if desired.
*/
- error = suser(td);
- if (error != 0)
+ error = priv_check(td, PRIV_DEVFS_RULE);
+ if (error)
return (error);
sx_xlock(&sx_rules);
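Review bot: grammar in the added comment: "We could make this privileges finer grained" should read "We could make this privilege finer grained" (or "these privileges"). The rest of the hunk is a straight `suser` to `PRIV_DEVFS_RULE` swap, and dropping the `!= 0` matches the idiom used elsewhere in the patch.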
Index: sys/fs/devfs/devfs_vnops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/devfs/devfs_vnops.c,v
retrieving revision 1.139
diff -u -r1.139 devfs_vnops.c
--- sys/fs/devfs/devfs_vnops.c 22 Oct 2006 11:52:12 -0000 1.139
+++ sys/fs/devfs/devfs_vnops.c 30 Oct 2006 17:07:55 -0000
@@ -55,6 +55,7 @@
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/stat.h>
#include <sys/sx.h>
@@ -1145,19 +1146,25 @@
else
gid = vap->va_gid;
if (uid != de->de_uid || gid != de->de_gid) {
- if (((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid ||
- (gid != de->de_gid && !groupmember(gid, ap->a_cred))) &&
- (error = suser_cred(ap->a_td->td_ucred, SUSER_ALLOWJAIL)) != 0)
- return (error);
+ if ((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid ||
+ (gid != de->de_gid && !groupmember(gid, ap->a_cred))) {
+ error = priv_check_cred(ap->a_td->td_ucred,
+ PRIV_VFS_CHOWN, SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
de->de_uid = uid;
de->de_gid = gid;
c = 1;
}
if (vap->va_mode != (mode_t)VNOVAL) {
- if ((ap->a_cred->cr_uid != de->de_uid) &&
- (error = suser_cred(ap->a_td->td_ucred, SUSER_ALLOWJAIL)))
- return (error);
+ if (ap->a_cred->cr_uid != de->de_uid) {
+ error = priv_check_cred(ap->a_td->td_ucred,
+ PRIV_VFS_ADMIN, SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
de->de_mode = vap->va_mode;
c = 1;
}
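Review bot: both new priv_check_cred() calls are evaluated on ap->a_td->td_ucred while the ownership and groupmember() tests a few lines earlier use ap->a_cred. The old code had the same split, but now that a named privilege (PRIV_VFS_CHOWN, PRIV_VFS_ADMIN) is being decided it would be cleaner to pass ap->a_cred to priv_check_cred(), so the privilege decision is made against the same credential the access decision was made against; if the two are guaranteed identical in devfs_setattr, a one-line comment saying so would help.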
@@ -1227,7 +1234,8 @@
td = ap->a_cnp->cn_thread;
KASSERT(td == curthread, ("devfs_symlink: td != curthread"));
- error = suser(td);
+
+ error = priv_check(td, PRIV_DEVFS_SYMLINK);
if (error)
return(error);
dmp = VFSTODEVFS(ap->a_dvp->v_mount);
Index: sys/fs/hpfs/hpfs_vnops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/hpfs/hpfs_vnops.c,v
retrieving revision 1.68
diff -u -r1.68 hpfs_vnops.c
--- sys/fs/hpfs/hpfs_vnops.c 17 Jan 2006 17:29:01 -0000 1.68
+++ sys/fs/hpfs/hpfs_vnops.c 30 Oct 2006 17:07:55 -0000
@@ -501,11 +501,12 @@
if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
- if (cred->cr_uid != hp->h_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(vp, VWRITE, cred, td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, cred, td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, cred, td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, cred, td);
if (vap->va_atime.tv_sec != VNOVAL)
hp->h_atime = vap->va_atime.tv_sec;
if (vap->va_mtime.tv_sec != VNOVAL)
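Review bot: the result of the VOP_ACCESS() calls in this hunk is never acted on. After the if/else assigns `error`, control falls straight into `if (vap->va_atime.tv_sec != VNOVAL)` and the timestamps are written whether or not VADMIN/VWRITE were granted, whereas the old code returned from inside the combined condition. Add `if (error) return (error);` after the else branch. This rewrite also assumes hpfs's VOP_ACCESS implementation understands VADMIN (i.e. goes through vaccess()), which is worth confirming.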
Index: sys/fs/msdosfs/msdosfs_vfsops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/msdosfs/msdosfs_vfsops.c,v
retrieving revision 1.153
diff -u -r1.153 msdosfs_vfsops.c
--- sys/fs/msdosfs/msdosfs_vfsops.c 26 Sep 2006 04:12:45 -0000 1.153
+++ sys/fs/msdosfs/msdosfs_vfsops.c 30 Oct 2006 17:07:55 -0000
@@ -52,6 +52,7 @@
#include <sys/systm.h>
#include <sys/conf.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/vnode.h>
@@ -293,17 +294,17 @@
* If upgrade to read-write by non-root, then verify
* that user has necessary permissions on the device.
*/
- if (suser(td)) {
- devvp = pmp->pm_devvp;
- vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
- error = VOP_ACCESS(devvp, VREAD | VWRITE,
- td->td_ucred, td);
- if (error) {
- VOP_UNLOCK(devvp, 0, td);
- return (error);
- }
+ devvp = pmp->pm_devvp;
+ vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
+ error = VOP_ACCESS(devvp, VREAD | VWRITE,
+ td->td_ucred, td);
+ if (error)
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
+ if (error) {
VOP_UNLOCK(devvp, 0, td);
+ return (error);
}
+ VOP_UNLOCK(devvp, 0, td);
DROP_GIANT();
g_topology_lock();
error = g_access(pmp->pm_cp, 0, 1, 0);
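Review bot: the errno an unprivileged caller sees changes in this hunk: the VOP_ACCESS() error (typically EACCES) is overwritten by the priv_check() result (EPERM) before it is returned, where the old code returned the VOP_ACCESS() error for non-root. If the old behaviour is wanted, keep the VOP_ACCESS() error and only clear it when privilege is granted, e.g.
    if (error != 0 && priv_check(td, PRIV_VFS_MOUNT_PERM) == 0)
        error = 0;
The same pattern appears in the second msdosfs hunk and in the ext2fs, reiserfs and xfs mount hunks. The comment "If upgrade to read-write by non-root" above is also stale now that every caller goes through VOP_ACCESS() first.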
@@ -353,15 +354,15 @@
* If mount by non-root, then verify that user has necessary
* permissions on the device.
*/
- if (suser(td)) {
- accessmode = VREAD;
- if ((mp->mnt_flag & MNT_RDONLY) == 0)
- accessmode |= VWRITE;
- error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td);
- if (error) {
- vput(devvp);
- return (error);
- }
+ accessmode = VREAD;
+ if ((mp->mnt_flag & MNT_RDONLY) == 0)
+ accessmode |= VWRITE;
+ error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td);
+ if (error)
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
+ if (error) {
+ vput(devvp);
+ return (error);
}
if ((mp->mnt_flag & MNT_UPDATE) == 0) {
error = mountmsdosfs(devvp, mp, td);
Index: sys/fs/msdosfs/msdosfs_vnops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/msdosfs/msdosfs_vnops.c,v
retrieving revision 1.164
diff -u -r1.164 msdosfs_vnops.c
--- sys/fs/msdosfs/msdosfs_vnops.c 24 Oct 2006 11:14:05 -0000 1.164
+++ sys/fs/msdosfs/msdosfs_vnops.c 30 Oct 2006 17:07:55 -0000
@@ -59,6 +59,7 @@
#include <sys/conf.h>
#include <sys/clock.h>
#include <sys/buf.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/mount.h>
#include <sys/unistd.h>
@@ -404,9 +405,12 @@
if (vap->va_flags != VNOVAL) {
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
- if (cred->cr_uid != pmp->pm_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)))
- return (error);
+ if (cred->cr_uid != pmp->pm_uid) {
+ error = priv_check_cred(cred, PRIV_VFS_ADMIN,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
/*
* We are very inconsistent about handling unsupported
* attributes. We ignored the access time and the
@@ -419,9 +423,11 @@
* set ATTR_ARCHIVE for directories `cp -pr' from a more
* sensible filesystem attempts it a lot.
*/
- if (suser_cred(cred, SUSER_ALLOWJAIL)) {
- if (vap->va_flags & SF_SETTABLE)
- return EPERM;
+ if (vap->va_flags & SF_SETTABLE) {
+ error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
}
if (vap->va_flags & ~SF_ARCHIVED)
return EOPNOTSUPP;
@@ -444,10 +450,13 @@
gid = vap->va_gid;
if (gid == (gid_t)VNOVAL)
gid = pmp->pm_gid;
- if ((cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
- (gid != pmp->pm_gid && !groupmember(gid, cred))) &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)))
- return error;
+ if (cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
+ (gid != pmp->pm_gid && !groupmember(gid, cred))) {
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
if (uid != pmp->pm_uid || gid != pmp->pm_gid)
return EINVAL;
}
@@ -477,11 +486,13 @@
if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) {
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
- if (cred->cr_uid != pmp->pm_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, cred,
+ ap->a_td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td);
if (vp->v_type != VDIR) {
if ((pmp->pm_flags & MSDOSFSMNT_NOWIN95) == 0 &&
vap->va_atime.tv_sec != VNOVAL) {
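Review bot: `error` from the VOP_ACCESS() calls is assigned but never checked; control continues into `if (vp->v_type != VDIR)` and the access/modification times are set even when both VADMIN and VWRITE were denied. Insert `if (error) return (error);` after the else branch, before the timestamps are applied.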
@@ -506,9 +517,12 @@
if (vap->va_mode != (mode_t)VNOVAL) {
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
- if (cred->cr_uid != pmp->pm_uid &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)))
- return (error);
+ if (cred->cr_uid != pmp->pm_uid) {
+ error = priv_check_cred(cred, PRIV_VFS_ADMIN,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
if (vp->v_type != VDIR) {
/* We ignore the read and execute bits. */
if (vap->va_mode & VWRITE)
Index: sys/fs/procfs/procfs_ioctl.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/procfs/procfs_ioctl.c,v
retrieving revision 1.13
diff -u -r1.13 procfs_ioctl.c
--- sys/fs/procfs/procfs_ioctl.c 27 Sep 2006 19:57:00 -0000 1.13
+++ sys/fs/procfs/procfs_ioctl.c 30 Oct 2006 17:07:55 -0000
@@ -34,6 +34,7 @@
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/pioctl.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/signalvar.h>
#include <sys/systm.h>
@@ -104,8 +105,19 @@
#endif
case PIOCSFL:
flags = *(unsigned int *)data;
- if (flags & PF_ISUGID && (error = suser(td)) != 0)
- break;
+ if (flags & PF_ISUGID) {
+ /*
+ * XXXRW: Is this specific check required here, as
+ * p_candebug() should implement it, or other checks
+ * are missing.
+ *
+ * XXXRW: Other debugging privileges are granted in
+ * jail, why isn't this?
+ */
+ error = priv_check(td, PRIV_DEBUG_SUGID);
+ if (error)
+ break;
+ }
p->p_pfsflags = flags;
break;
case PIOCGFL:
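Review bot: the second XXXRW comment asks why PRIV_DEBUG_SUGID is not granted in jail, but prison_priv_check() in the kern_jail.c hunk of this same patch lists PRIV_DEBUG_SUGID among the privileges allowed in jail. Either the comment is stale, or it is pointing at the absence of SUSER_ALLOWJAIL in this priv_check() call; say which. The first XXXRW (whether p_candebug() already covers this) also deserves an answer before the sweep goes in, since it decides whether this check can be dropped altogether.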
Index: sys/fs/smbfs/smbfs_vnops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/smbfs/smbfs_vnops.c,v
retrieving revision 1.62
diff -u -r1.62 smbfs_vnops.c
--- sys/fs/smbfs/smbfs_vnops.c 31 May 2006 22:31:08 -0000 1.62
+++ sys/fs/smbfs/smbfs_vnops.c 30 Oct 2006 17:07:55 -0000
@@ -352,11 +352,13 @@
if (vap->va_atime.tv_sec != VNOVAL)
atime = &vap->va_atime;
if (mtime != atime) {
- if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_uid &&
- (error = suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) &&
- ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
- (error = VOP_ACCESS(vp, VWRITE, ap->a_cred, ap->a_td))))
- return (error);
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
+ if (error)
+ error = VOP_ACCESS(vp, VWRITE, ap->a_cred,
+ ap->a_td);
+ } else
+ error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td);
#if 0
if (mtime == NULL)
mtime = &np->n_mtime;
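Review bot: same problem as the other VA_UTIMES_NULL rewrites: `error` from the VOP_ACCESS() calls is assigned and then ignored, so execution continues past the `#if 0` block and the times are set regardless of the access result. Add `if (error) return (error);` after the else branch.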
Index: sys/fs/udf/udf_vfsops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/udf/udf_vfsops.c,v
retrieving revision 1.44
diff -u -r1.44 udf_vfsops.c
--- sys/fs/udf/udf_vfsops.c 26 Sep 2006 04:12:46 -0000 1.44
+++ sys/fs/udf/udf_vfsops.c 30 Oct 2006 17:07:55 -0000
@@ -84,6 +84,7 @@
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/vnode.h>
@@ -238,7 +239,7 @@
/* Check the access rights on the mount device */
error = VOP_ACCESS(devvp, VREAD, td->td_ucred, td);
if (error)
- error = suser(td);
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
if (error) {
vput(devvp);
return (error);
Index: sys/fs/umapfs/umap_vfsops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/umapfs/umap_vfsops.c,v
retrieving revision 1.65
diff -u -r1.65 umap_vfsops.c
--- sys/fs/umapfs/umap_vfsops.c 26 Sep 2006 04:12:46 -0000 1.65
+++ sys/fs/umapfs/umap_vfsops.c 30 Oct 2006 17:07:55 -0000
@@ -88,8 +88,9 @@
/*
* Only for root
*/
- if ((error = suser(td)) != 0)
- return (error);
+ error = priv_check(td, PRIV_VFS_MOUNT);
+ if (error)
+ return (ERROR);
#ifdef DEBUG
printf("umapfs_mount(mp = %p)\n", (void *)mp);
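Review bot: `return (ERROR);` will not compile; it should be `return (error);`. This is also the only hunk for umap_vfsops.c and it adds a priv_check() call without `#include <sys/priv.h>`; add the include unless sys/priv.h is already reached through an existing include in this file.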
Index: sys/gnu/fs/ext2fs/ext2_vfsops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/ext2fs/ext2_vfsops.c,v
retrieving revision 1.158
diff -u -r1.158 ext2_vfsops.c
--- sys/gnu/fs/ext2fs/ext2_vfsops.c 26 Sep 2006 04:12:47 -0000 1.158
+++ sys/gnu/fs/ext2fs/ext2_vfsops.c 30 Oct 2006 17:07:55 -0000
@@ -57,6 +57,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/vnode.h>
@@ -197,15 +198,16 @@
* If upgrade to read-write by non-root, then verify
* that user has necessary permissions on the device.
*/
- if (suser(td)) {
- vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
- if ((error = VOP_ACCESS(devvp, VREAD | VWRITE,
- td->td_ucred, td)) != 0) {
- VOP_UNLOCK(devvp, 0, td);
- return (error);
- }
+ vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
+ error = VOP_ACCESS(devvp, VREAD | VWRITE,
+ td->td_ucred, td);
+ if (error)
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
+ if (error) {
VOP_UNLOCK(devvp, 0, td);
+ return (error);
}
+ VOP_UNLOCK(devvp, 0, td);
DROP_GIANT();
g_topology_lock();
error = g_access(ump->um_cp, 0, 1, 0);
@@ -259,15 +261,18 @@
/*
* If mount by non-root, then verify that user has necessary
* permissions on the device.
+ *
+ * XXXRW: VOP_ACCESS() enough?
*/
- if (suser(td)) {
- accessmode = VREAD;
- if ((mp->mnt_flag & MNT_RDONLY) == 0)
- accessmode |= VWRITE;
- if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td)) != 0) {
- vput(devvp);
- return (error);
- }
+ accessmode = VREAD;
+ if ((mp->mnt_flag & MNT_RDONLY) == 0)
+ accessmode |= VWRITE;
+ error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td);
+ if (error)
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
+ if (error) {
+ vput(devvp);
+ return (error);
}
if ((mp->mnt_flag & MNT_UPDATE) == 0) {
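Review bot: the new "XXXRW: VOP_ACCESS() enough?" comment should be resolved or removed before commit. As written the hunk preserves the old semantics (a privileged caller still bypasses device permissions via PRIV_VFS_MOUNT_PERM), so the open question is only whether that bypass should remain; if it stays, the "If mount by non-root" wording above it is stale, since VOP_ACCESS() is now evaluated for every caller and privilege is the fallback.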
Index: sys/gnu/fs/ext2fs/ext2_vnops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/ext2fs/ext2_vnops.c,v
retrieving revision 1.105
diff -u -r1.105 ext2_vnops.c
--- sys/gnu/fs/ext2fs/ext2_vnops.c 29 Dec 2005 21:34:49 -0000 1.105
+++ sys/gnu/fs/ext2fs/ext2_vnops.c 30 Oct 2006 17:07:55 -0000
@@ -52,6 +52,7 @@
#include <sys/stat.h>
#include <sys/bio.h>
#include <sys/buf.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/mount.h>
#include <sys/unistd.h>
@@ -411,7 +412,8 @@
* Privileged non-jail processes may not modify system flags
* if securelevel > 0 and any existing system flags are set.
*/
- if (!suser_cred(cred, SUSER_ALLOWJAIL)) {
+ if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS,
+ SUSER_ALLOWJAIL)) {
if (ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
error = securelevel_gt(cred, 0);
@@ -529,11 +531,17 @@
* as well as set the setgid bit on a file with a group that the
* process is not a member of.
*/
- if (suser_cred(cred, SUSER_ALLOWJAIL)) {
- if (vp->v_type != VDIR && (mode & S_ISTXT))
+ if (vp->v_type != VDIR && (mode & S_ISTXT)) {
+ error = priv_check_cred(cred, PRIV_VFS_STICKYFILE,
+ SUSER_ALLOWJAIL);
+ if (error)
return (EFTYPE);
- if (!groupmember(ip->i_gid, cred) && (mode & ISGID))
- return (EPERM);
+ }
+ if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) {
+ error = priv_check_cred(cred, PRIV_VFS_SETGID,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
}
ip->i_mode &= ~ALLPERMS;
ip->i_mode |= (mode & ALLPERMS);
@@ -573,17 +581,23 @@
* to a group of which we are not a member, the caller must
* have privilege.
*/
- if ((uid != ip->i_uid ||
- (gid != ip->i_gid && !groupmember(gid, cred))) &&
- (error = suser_cred(cred, SUSER_ALLOWJAIL)))
- return (error);
+ if (uid != ip->i_uid || (gid != ip->i_gid &&
+ !groupmember(gid, cred))) {
+ error = priv_check_cred(cred, PRIV_VFS_CHOWN,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
ogid = ip->i_gid;
ouid = ip->i_uid;
ip->i_gid = gid;
ip->i_uid = uid;
ip->i_flag |= IN_CHANGE;
- if (suser_cred(cred, SUSER_ALLOWJAIL) && (ouid != uid || ogid != gid))
- ip->i_mode &= ~(ISUID | ISGID);
+ if (ouid != uid || ogid != gid) {
+ if (priv_check_cred(cred, PRIV_VFS_CLEARSUGID,
+ SUSER_ALLOWJAIL) != 0)
+ ip->i_mode &= ~(ISUID | ISGID);
+ }
return (0);
}
@@ -1608,9 +1622,11 @@
ip->i_mode = mode;
tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */
ip->i_nlink = 1;
- if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
- suser_cred(cnp->cn_cred, SUSER_ALLOWJAIL))
- ip->i_mode &= ~ISGID;
+ if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred)) {
+ if (priv_check_cred(cnp->cn_cred, PRIV_VFS_CLEARSUGID,
+ SUSER_ALLOWJAIL))
+ ip->i_mode &= ~ISGID;
+ }
if (cnp->cn_flags & ISWHITEOUT)
ip->i_flags |= UF_OPAQUE;
Index: sys/gnu/fs/reiserfs/reiserfs_fs.h
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/reiserfs/reiserfs_fs.h,v
retrieving revision 1.4
diff -u -r1.4 reiserfs_fs.h
--- sys/gnu/fs/reiserfs/reiserfs_fs.h 4 Dec 2005 09:57:09 -0000 1.4
+++ sys/gnu/fs/reiserfs/reiserfs_fs.h 30 Oct 2006 17:07:55 -0000
@@ -18,6 +18,7 @@
#include <sys/kernel.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/vnode.h>
#include <sys/unistd.h>
Index: sys/gnu/fs/reiserfs/reiserfs_vfsops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/reiserfs/reiserfs_vfsops.c,v
retrieving revision 1.6
diff -u -r1.6 reiserfs_vfsops.c
--- sys/gnu/fs/reiserfs/reiserfs_vfsops.c 26 Sep 2006 04:12:47 -0000 1.6
+++ sys/gnu/fs/reiserfs/reiserfs_vfsops.c 30 Oct 2006 17:07:55 -0000
@@ -125,15 +125,15 @@
/* If mount by non-root, then verify that user has necessary
* permissions on the device. */
- if (suser(td)) {
- accessmode = VREAD;
- if ((mp->mnt_flag & MNT_RDONLY) == 0)
- accessmode |= VWRITE;
- if ((error = VOP_ACCESS(devvp,
- accessmode, td->td_ucred, td)) != 0) {
- vput(devvp);
- return (error);
- }
+ accessmode = VREAD;
+ if ((mp->mnt_flag & MNT_RDONLY) == 0)
+ accessmode |= VWRITE;
+ error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td);
+ if (error)
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
+ if (error) {
+ vput(devvp);
+ return (error);
}
if ((mp->mnt_flag & MNT_UPDATE) == 0) {
Index: sys/gnu/fs/xfs/FreeBSD/xfs_super.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/xfs/FreeBSD/xfs_super.c,v
retrieving revision 1.4
diff -u -r1.4 xfs_super.c
--- sys/gnu/fs/xfs/FreeBSD/xfs_super.c 10 Jun 2006 19:02:13 -0000 1.4
+++ sys/gnu/fs/xfs/FreeBSD/xfs_super.c 30 Oct 2006 17:07:55 -0000
@@ -53,6 +53,8 @@
#include "xfs_version.h"
#include "xfs_buf.h"
+#include <sys/priv.h>
+
#include <geom/geom.h>
#include <geom/geom_vfs.h>
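Review bot: `#include <sys/priv.h>` is inserted after the local "xfs_*.h" headers; move it up with the other <sys/...> includes so the system headers stay together and the include placement matches the rest of this patch.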
@@ -149,14 +151,15 @@
vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
ronly = ((XFS_MTOVFS(mp)->vfs_flag & VFS_RDONLY) != 0);
- if (suser(td)) {
- accessmode = VREAD;
- if (!ronly)
- accessmode |= VWRITE;
- if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td))!= 0){
- vput(devvp);
- return (error);
- }
+ accessmode = VREAD;
+ if (!ronly)
+ accessmode |= VWRITE;
+ error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td);
+ if (error)
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
+ if (error) {
+ vput(devvp);
+ return (error);
}
DROP_GIANT();
Index: sys/i386/i386/io.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/i386/io.c,v
retrieving revision 1.1
diff -u -r1.1 io.c
--- sys/i386/i386/io.c 1 Aug 2004 11:40:52 -0000 1.1
+++ sys/i386/i386/io.c 30 Oct 2006 17:07:55 -0000
@@ -33,6 +33,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/signalvar.h>
#include <sys/systm.h>
@@ -54,7 +55,7 @@
{
int error;
- error = suser(td);
+ error = priv_check(td, PRIV_IO);
if (error != 0)
return (error);
error = securelevel_gt(td->td_ucred, 0);
Index: sys/i386/i386/sys_machdep.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/i386/sys_machdep.c,v
retrieving revision 1.106
diff -u -r1.106 sys_machdep.c
--- sys/i386/i386/sys_machdep.c 22 Oct 2006 11:52:12 -0000 1.106
+++ sys/i386/i386/sys_machdep.c 30 Oct 2006 17:07:55 -0000
@@ -40,6 +40,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/smp.h>
#include <sys/sysproto.h>
@@ -292,7 +293,7 @@
if ((error = mac_check_sysarch_ioperm(td->td_ucred)) != 0)
return (error);
#endif
- if ((error = suser(td)) != 0)
+ if ((error = priv_check(td, PRIV_IO)) != 0)
return (error);
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
return (error);
Index: sys/i386/i386/vm86.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/i386/vm86.c,v
retrieving revision 1.59
diff -u -r1.59 vm86.c
--- sys/i386/i386/vm86.c 28 Sep 2005 07:03:03 -0000 1.59
+++ sys/i386/i386/vm86.c 30 Oct 2006 17:07:55 -0000
@@ -29,6 +29,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -724,7 +725,7 @@
case VM86_INTCALL: {
struct vm86_intcall_args sa;
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_VM86_INTCALL)))
return (error);
if ((error = copyin(ua.sub_args, &sa, sizeof(sa))))
return (error);
Index: sys/i386/ibcs2/ibcs2_misc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/ibcs2/ibcs2_misc.c,v
retrieving revision 1.65
diff -u -r1.65 ibcs2_misc.c
--- sys/i386/ibcs2/ibcs2_misc.c 22 Oct 2006 11:52:12 -0000 1.65
+++ sys/i386/ibcs2/ibcs2_misc.c 30 Oct 2006 17:07:55 -0000
@@ -68,6 +68,7 @@
#include <sys/malloc.h>
#include <sys/file.h> /* Must come after sys/malloc.h */
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/reboot.h>
#include <sys/resourcevar.h>
#include <sys/stat.h>
@@ -1008,14 +1009,22 @@
#define IBCS2_DATALOCK 4
- if ((error = suser(td)) != 0)
- return EPERM;
switch(uap->cmd) {
case IBCS2_UNLOCK:
+ error = priv_check(td, PRIV_VM_MUNLOCK);
+ if (error)
+ return (error);
+ /* XXX - TODO */
+ return (0);
+
case IBCS2_PROCLOCK:
case IBCS2_TEXTLOCK:
case IBCS2_DATALOCK:
- return 0; /* XXX - TODO */
+ error = priv_check(td, PRIV_VM_MLOCK);
+ if (error)
+ return (error);
+ /* XXX - TODO */
+ return 0;
}
return EINVAL;
}
@@ -1043,9 +1052,6 @@
#define SCO_AD_GETBMAJ 0
#define SCO_AD_GETCMAJ 1
- if (suser(td))
- return EPERM;
-
switch(uap->cmd) {
case SCO_A_REBOOT:
case SCO_A_SHUTDOWN:
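Review bot: removing the blanket suser() at the top of this switch means every case now has to enforce its own privilege. The reboot/halt cases do, through reboot() in the following hunk, but the remaining cases (SCO_A_REMOUNT is visible in the context, and the SCO_AD_GETBMAJ/SCO_AD_GETCMAJ defines suggest more) are not shown doing so; confirm each either performs a priv_check() or is genuinely unprivileged, and add a comment where privilege is delegated to the callee so the absence of a check here does not look like an omission.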
@@ -1055,11 +1061,11 @@
case SCO_AD_PWRDOWN:
case SCO_AD_PWRNAP:
r.opt = RB_HALT;
- reboot(td, &r);
+ return (reboot(td, &r));
case SCO_AD_BOOT:
case SCO_AD_IBOOT:
r.opt = RB_AUTOBOOT;
- reboot(td, &r);
+ return (reboot(td, &r));
}
return EINVAL;
case SCO_A_REMOUNT:
Index: sys/i386/ibcs2/ibcs2_socksys.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/ibcs2/ibcs2_socksys.c,v
retrieving revision 1.21
diff -u -r1.21 ibcs2_socksys.c
--- sys/i386/ibcs2/ibcs2_socksys.c 6 Jan 2005 23:22:04 -0000 1.21
+++ sys/i386/ibcs2/ibcs2_socksys.c 30 Oct 2006 17:07:55 -0000
@@ -174,9 +174,6 @@
char hname[MAXHOSTNAMELEN], *ptr;
int error, sctl[2], hlen;
- if ((error = suser(td)))
- return (error);
-
/* W/out a hostname a domain-name is nonsense */
if ( strlen(hostname) == 0 )
return EINVAL;
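Review bot: with the suser() check deleted, this function relies on the sysctl layer enforcing write privilege on KERN_HOSTNAME for td's credential. That only holds if the later sysctl call passes td so that the request is checked against req->td->td_ucred; a short comment stating that the privilege check is delegated to sysctl would save the next reader from re-deriving it. The same remark applies to the ibcs2_sysi86.c hunk below, which removes the equivalent check for the same hostname path.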
Index: sys/i386/ibcs2/ibcs2_sysi86.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/ibcs2/ibcs2_sysi86.c,v
retrieving revision 1.22
diff -u -r1.22 ibcs2_sysi86.c
--- sys/i386/ibcs2/ibcs2_sysi86.c 7 Jul 2005 19:30:30 -0000 1.22
+++ sys/i386/ibcs2/ibcs2_sysi86.c 30 Oct 2006 17:07:55 -0000
@@ -76,8 +76,6 @@
int name[2];
int error;
- if ((error = suser(td)))
- return (error);
name[0] = CTL_KERN;
name[1] = KERN_HOSTNAME;
mtx_lock(&Giant);
Index: sys/i386/linux/linux_machdep.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/linux/linux_machdep.c,v
retrieving revision 1.63
diff -u -r1.63 linux_machdep.c
--- sys/i386/linux/linux_machdep.c 20 Oct 2006 10:09:40 -0000 1.63
+++ sys/i386/linux/linux_machdep.c 30 Oct 2006 17:07:55 -0000
@@ -39,6 +39,7 @@
#include <sys/mman.h>
#include <sys/mutex.h>
#include <sys/sx.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/resource.h>
@@ -812,7 +813,7 @@
if (args->level < 0 || args->level > 3)
return (EINVAL);
- if ((error = suser(td)) != 0)
+ if ((error = priv_check(td, PRIV_IO)) != 0)
return (error);
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
return (error);
Index: sys/i4b/driver/i4b_ipr.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i4b/driver/i4b_ipr.c,v
retrieving revision 1.35
diff -u -r1.35 i4b_ipr.c
--- sys/i4b/driver/i4b_ipr.c 9 Aug 2005 10:19:57 -0000 1.35
+++ sys/i4b/driver/i4b_ipr.c 30 Oct 2006 17:07:55 -0000
@@ -490,7 +490,7 @@
{
struct thread *td = curthread; /* XXX */
- if((error = suser(td)))
+ if((error = priv_check(td, PRIV_DRIVER)))
return (error);
sl_compress_setup(sc->sc_compr, *(int *)data);
}
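Review bot: this is the only hunk for i4b_ipr.c and it adds priv_check()/PRIV_DRIVER without `#include <sys/priv.h>`; add the include unless sys/priv.h is reached through a header this file already includes. While here, the `/* XXX */` on `struct thread *td = curthread;` is worth revisiting, since the privilege is now attributed to whatever thread happens to be current rather than an explicit caller.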
Index: sys/ia64/ia64/ssc.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ia64/ia64/ssc.c,v
retrieving revision 1.28
diff -u -r1.28 ssc.c
--- sys/ia64/ia64/ssc.c 27 May 2006 17:52:08 -0000 1.28
+++ sys/ia64/ia64/ssc.c 30 Oct 2006 17:07:55 -0000
@@ -147,7 +147,8 @@
ttyconsolemode(tp, 0);
setuptimeout = 1;
- } else if ((tp->t_state & TS_XCLUDE) && suser(td)) {
+ } else if ((tp->t_state & TS_XCLUDE) &&
+ priv_check(td, PRIV_TTY_EXCLUSIVE)) {
splx(s);
return EBUSY;
}
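Review bot: ssc.c gets a priv_check()/PRIV_TTY_EXCLUSIVE call but no `#include <sys/priv.h>` hunk; add it unless sys/priv.h already arrives through an existing include in this file.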
Index: sys/isofs/cd9660/cd9660_vfsops.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/isofs/cd9660/cd9660_vfsops.c,v
retrieving revision 1.146
diff -u -r1.146 cd9660_vfsops.c
--- sys/isofs/cd9660/cd9660_vfsops.c 26 Sep 2006 04:12:47 -0000 1.146
+++ sys/isofs/cd9660/cd9660_vfsops.c 30 Oct 2006 17:07:55 -0000
@@ -40,6 +40,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/vnode.h>
@@ -174,7 +175,7 @@
vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td);
if (error)
- error = suser(td);
+ error = priv_check(td, PRIV_VFS_MOUNT_PERM);
if (error) {
vput(devvp);
return (error);
Index: sys/kern/kern_acct.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_acct.c,v
retrieving revision 1.84
diff -u -r1.84 kern_acct.c
--- sys/kern/kern_acct.c 22 Oct 2006 11:52:12 -0000 1.84
+++ sys/kern/kern_acct.c 30 Oct 2006 17:07:55 -0000
@@ -56,6 +56,7 @@
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/resourcevar.h>
#include <sys/sched.h>
@@ -166,8 +167,7 @@
struct nameidata nd;
int error, flags, vfslocked;
- /* Make sure that the caller is root. */
- error = suser(td);
+ error = priv_check(td, PRIV_ACCT);
if (error)
return (error);
Index: sys/kern/kern_descrip.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_descrip.c,v
retrieving revision 1.298
diff -u -r1.298 kern_descrip.c
--- sys/kern/kern_descrip.c 24 Sep 2006 02:29:53 -0000 1.298
+++ sys/kern/kern_descrip.c 30 Oct 2006 17:07:55 -0000
@@ -57,6 +57,7 @@
#include <sys/mqueue.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/resourcevar.h>
#include <sys/signalvar.h>
@@ -1351,8 +1352,8 @@
sx_xlock(&filelist_lock);
if ((openfiles >= maxuserfiles &&
- suser_cred(td->td_ucred, SUSER_RUID) != 0) ||
- openfiles >= maxfiles) {
+ priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0)
+ || openfiles >= maxfiles) {
if (ppsratecheck(&lastfail, &curfail, 1)) {
printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n",
td->td_ucred->cr_ruid);
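Review bot: the line break in the new condition puts `||` at the start of the continuation line; style(9) wants the operator at the end of the preceding line, as the surrounding code does. Suggest:
    if ((openfiles >= maxuserfiles &&
        priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) ||
        openfiles >= maxfiles) {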
Index: sys/kern/kern_environment.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_environment.c,v
retrieving revision 1.45
diff -u -r1.45 kern_environment.c
--- sys/kern/kern_environment.c 22 Oct 2006 11:52:12 -0000 1.45
+++ sys/kern/kern_environment.c 30 Oct 2006 17:07:55 -0000
@@ -46,6 +46,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/sysent.h>
@@ -125,11 +126,18 @@
return (error);
}
- if ((uap->what == KENV_SET) ||
- (uap->what == KENV_UNSET)) {
- error = suser(td);
+ switch (uap->what) {
+ case KENV_SET:
+ error = priv_check(td, PRIV_KENV_SET);
+ if (error)
+ return (error);
+ break;
+
+ case KENV_UNSET:
+ error = priv_check(td, PRIV_KENV_UNSET);
if (error)
return (error);
+ break;
}
name = malloc(KENV_MNAMELEN, M_TEMP, M_WAITOK);
Index: sys/kern/kern_exec.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_exec.c,v
retrieving revision 1.298
diff -u -r1.298 kern_exec.c
--- sys/kern/kern_exec.c 22 Oct 2006 21:18:47 -0000 1.298
+++ sys/kern/kern_exec.c 31 Oct 2006 08:28:07 -0000
@@ -48,6 +48,7 @@
#include <sys/imgact_elf.h>
#include <sys/wait.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/pioctl.h>
#include <sys/namei.h>
@@ -571,8 +572,11 @@
* we do not regain any tracing during a possible block.
*/
setsugid(p);
+
#ifdef KTRACE
- if (p->p_tracevp != NULL && suser_cred(oldcred, SUSER_ALLOWJAIL)) {
+ if (p->p_tracevp != NULL &&
+ priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED,
+ SUSER_ALLOWJAIL)) {
mtx_lock(&ktrace_mtx);
p->p_traceflag = 0;
tracevp = p->p_tracevp;
Index: sys/kern/kern_fork.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_fork.c,v
retrieving revision 1.263
diff -u -r1.263 kern_fork.c
--- sys/kern/kern_fork.c 26 Oct 2006 21:42:19 -0000 1.263
+++ sys/kern/kern_fork.c 30 Oct 2006 17:07:55 -0000
@@ -51,6 +51,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/pioctl.h>
#include <sys/resourcevar.h>
@@ -310,7 +311,7 @@
*/
sx_xlock(&allproc_lock);
if ((nprocs >= maxproc - 10 &&
- suser_cred(td->td_ucred, SUSER_RUID) != 0) ||
+ priv_check_cred(td->td_ucred, PRIV_MAXPROC, SUSER_RUID) != 0) ||
nprocs >= maxproc) {
error = EAGAIN;
goto fail;
@@ -319,8 +320,11 @@
/*
* Increment the count of procs running with this uid. Don't allow
* a nonprivileged user to exceed their current limit.
+ *
+ * XXXRW: Can we avoid privilege here if it's not needed?
*/
- error = suser_cred(td->td_ucred, SUSER_RUID | SUSER_ALLOWJAIL);
+ error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID |
+ SUSER_ALLOWJAIL);
if (error == 0)
ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0);
else {
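Review bot: on the new XXXRW, the privilege is consulted on every fork even when the per-uid limit would not bind. If chgproccnt() leaves the count untouched when it refuses, the limit-bounded chgproccnt() call could be tried first and priv_check_cred(PRIV_PROC_LIMIT) consulted only when that fails, so unprivileged forks never touch the privilege code and privileged ones only do when the limit is actually hit. That also changes when audit and MAC see the privilege being used, so it is a behaviour choice rather than a pure cleanup and should be decided before the comment is committed.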
Index: sys/kern/kern_jail.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_jail.c,v
retrieving revision 1.53
diff -u -r1.53 kern_jail.c
--- sys/kern/kern_jail.c 22 Oct 2006 11:52:13 -0000 1.53
+++ sys/kern/kern_jail.c 30 Oct 2006 17:07:55 -0000
@@ -19,6 +19,7 @@
#include <sys/errno.h>
#include <sys/sysproto.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/taskqueue.h>
#include <sys/jail.h>
@@ -205,7 +206,7 @@
* a process root from one prison, but attached to the jail
* of another.
*/
- error = suser(td);
+ error = priv_check(td, PRIV_JAIL_ATTACH);
if (error)
return (error);
@@ -523,6 +524,172 @@
}
}
+/*
+ * Check with permission for a specific privilege is granted within jail. We
+ * have a specific list of accepted privileges; the rest are denied.
+ */
+int
+prison_priv_check(struct ucred *cred, int priv)
+{
+
+ if (!(jailed(cred)))
+ return (0);
+
+ switch (priv) {
+
+ /*
+ * Allow ktrace privileges for root in jail.
+ */
+ case PRIV_KTRACE:
+
+ /*
+ * Allow jailed processes to configure audit identity and
+ * submit audit records (login, etc). In the future we may
+ * want to further refine the relationship between audit and
+ * jail.
+ */
+ case PRIV_AUDIT_GETAUDIT:
+ case PRIV_AUDIT_SETAUDIT:
+ case PRIV_AUDIT_SUBMIT:
+
+ /*
+ * Allow jailed processes to manipulate process UNIX
+ * credentials in any way they see fit.
+ */
+ case PRIV_CRED_SETUID:
+ case PRIV_CRED_SETEUID:
+ case PRIV_CRED_SETGID:
+ case PRIV_CRED_SETEGID:
+ case PRIV_CRED_SETGROUPS:
+ case PRIV_CRED_SETREUID:
+ case PRIV_CRED_SETREGID:
+ case PRIV_CRED_SETRESUID:
+ case PRIV_CRED_SETRESGID:
+
+ /*
+ * Jail implements visibility constraints already, so allow
+ * jailed root to override uid/gid-based constraints.
+ */
+ case PRIV_SEEOTHERGIDS:
+ case PRIV_SEEOTHERUIDS:
+
+ /*
+ * Jail implements inter-process debugging limits already, so
+ * allow jailed root various debugging privileges.
+ */
+ case PRIV_DEBUG_DIFFCRED:
+ case PRIV_DEBUG_SUGID:
+ case PRIV_DEBUG_UNPRIV:
+
+ /*
+ * Allow jail to set various resource limits and login
+ * properties, and for now, exceed process resource limits.
+ */
+ case PRIV_PROC_LIMIT:
+ case PRIV_PROC_SETLOGIN:
+ case PRIV_PROC_SETRLIMIT:
+
+ /*
+ * System V and POSIX IPC privileges are granted in jail.
+ */
+ case PRIV_IPC_READ:
+ case PRIV_IPC_WRITE:
+ case PRIV_IPC_EXEC:
+ case PRIV_IPC_ADMIN:
+ case PRIV_IPC_MSGSIZE:
+ case PRIV_MQ_ADMIN:
+
+ /*
+ * Jail implements its own inter-process limits, so allow
+ * root processes in jail to change scheduling on other
+ * processes in the same jail. Likewise for signalling.
+ */
+ case PRIV_SCHED_DIFFCRED:
+ case PRIV_SIGNAL_DIFFCRED:
+ case PRIV_SIGNAL_SUGID:
+
+ /*
+ * Allow jailed processes to write to sysctls marked as jail
+ * writable.
+ */
+ case PRIV_SYSCTL_WRITEJAIL:
+
+ /*
+ * Allow root in jail to manage a variety of quota
+ * properties. Some are a bit surprising and should be
+ * reconsidered.
+ */
+ case PRIV_UFS_GETQUOTA:
+ case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */
+ case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */
+ case PRIV_UFS_SETQUOTA:
+ case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */
+
+ /*
+ * Since Jail relies on chroot() to implement file system
+ * protections, grant many VFS privileges to root in jail.
+ * Be careful to exclude mount-related and NFS-related
+ * privileges.
+ */
+ case PRIV_VFS_READ:
+ case PRIV_VFS_WRITE:
+ case PRIV_VFS_ADMIN:
+ case PRIV_VFS_EXEC:
+ case PRIV_VFS_LOOKUP:
+ case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */
+ case PRIV_VFS_CHFLAGS_DEV:
+ case PRIV_VFS_CHOWN:
+ case PRIV_VFS_CHROOT:
+ case PRIV_VFS_CLEARSUGID:
+ case PRIV_VFS_FCHROOT:
+ case PRIV_VFS_LINK:
+ case PRIV_VFS_SETGID:
+ case PRIV_VFS_STICKYFILE:
+ return (0);
+
+ /*
+ * Depending on the global setting, allow privilege of
+ * setting system flags.
+ */
+ case PRIV_VFS_SYSFLAGS:
+ if (jail_chflags_allowed)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
+ * Allow jailed root to bind reserved ports.
+ */
+ case PRIV_NETINET_RESERVEDPORT:
+ return (0);
+
+ /*
+ * Conditionally allow creating raw sockets in jail.
+ */
+ case PRIV_NETINET_RAW:
+ if (jail_allow_raw_sockets)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
+ * Since jail implements its own visibility limits on netstat
+ * sysctls, allow getcred. This allows identd to work in
+ * jail.
+ */
+ case PRIV_NETINET_GETCRED:
+ return (0);
+
+ default:
+ /*
+ * In all remaining cases, deny the privilege request. This
+ * includes almost all network privileges, many system
+ * configuration privileges.
+ */
+ return (EPERM);
+ }
+}
+
static int
sysctl_jail_list(SYSCTL_HANDLER_ARGS)
{
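Review bot: The XXXRW "Slightly surprising" cases in prison_priv_check() (PRIV_UFS_QUOTAOFF, PRIV_UFS_QUOTAON, PRIV_UFS_SETUSE, PRIV_VFS_BLOCKRESERVE) are being granted to jailed root while the comment itself says they "should be reconsidered"; since this function becomes the single source of truth for jail privilege, it would be better to either drop them from the allow list now or gate them on a sysctl the way PRIV_VFS_SYSFLAGS (jail_chflags_allowed) and PRIV_NETINET_RAW (jail_allow_raw_sockets) are, rather than commit them with an XXX. Two comment nits in the same hunk: "Check with permission for a specific privilege is granted within jail" should read "Check whether a specific privilege is granted within jail", and the default-case comment "This includes almost all network privileges, many system configuration privileges." wants an "and" before "many".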
Index: sys/kern/kern_ktrace.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_ktrace.c,v
retrieving revision 1.111
diff -u -r1.111 kern_ktrace.c
--- sys/kern/kern_ktrace.c 22 Oct 2006 11:52:13 -0000 1.111
+++ sys/kern/kern_ktrace.c 30 Oct 2006 17:07:55 -0000
@@ -47,6 +47,7 @@
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/unistd.h>
#include <sys/vnode.h>
@@ -807,7 +808,8 @@
p->p_tracecred = crhold(td->td_ucred);
}
p->p_traceflag |= facs;
- if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
+ if (priv_check_cred(td->td_ucred, PRIV_KTRACE,
+ SUSER_ALLOWJAIL) == 0)
p->p_traceflag |= KTRFAC_ROOT;
} else {
/* KTROP_CLEAR */
@@ -1013,7 +1015,7 @@
PROC_LOCK_ASSERT(targetp, MA_OWNED);
if (targetp->p_traceflag & KTRFAC_ROOT &&
- suser_cred(td->td_ucred, SUSER_ALLOWJAIL))
+ priv_check_cred(td->td_ucred, PRIV_KTRACE, SUSER_ALLOWJAIL))
return (0);
if (p_candebug(td, targetp) != 0)
Index: sys/kern/kern_linker.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_linker.c,v
retrieving revision 1.143
diff -u -r1.143 kern_linker.c
--- sys/kern/kern_linker.c 22 Oct 2006 11:52:13 -0000 1.143
+++ sys/kern/kern_linker.c 30 Oct 2006 17:07:55 -0000
@@ -37,6 +37,7 @@
#include <sys/malloc.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/lock.h>
#include <sys/mutex.h>
@@ -854,7 +855,7 @@
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
return (error);
- if ((error = suser(td)) != 0)
+ if ((error = priv_check(td, PRIV_KLD_LOAD)) != 0)
return (error);
/*
@@ -921,7 +922,7 @@
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
return (error);
- if ((error = suser(td)) != 0)
+ if ((error = priv_check(td, PRIV_KLD_UNLOAD)) != 0)
return (error);
KLD_LOCK();
Index: sys/kern/kern_ntptime.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_ntptime.c,v
retrieving revision 1.59
diff -u -r1.59 kern_ntptime.c
--- sys/kern/kern_ntptime.c 28 May 2005 14:34:41 -0000 1.59
+++ sys/kern/kern_ntptime.c 30 Oct 2006 17:07:55 -0000
@@ -39,6 +39,7 @@
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/lock.h>
#include <sys/mutex.h>
@@ -333,7 +334,7 @@
mtx_lock(&Giant);
modes = ntv.modes;
if (modes)
- error = suser(td);
+ error = priv_check(td, PRIV_NTP_ADJTIME);
if (error)
goto done2;
s = splclock();
@@ -954,7 +955,7 @@
struct timeval atv;
int error;
- if ((error = suser(td)))
+ if ((error = priv_check(td, PRIV_ADJTIME)))
return (error);
mtx_lock(&Giant);
Index: sys/kern/kern_priv.c
===================================================================
RCS file: sys/kern/kern_priv.c
diff -N sys/kern/kern_priv.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/kern/kern_priv.c 31 Oct 2006 08:22:47 -0000
@@ -0,0 +1,154 @@
+/*-
+ * Copyright (c) 2006 nCircle Network Security, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert N. M. Watson for the TrustedBSD
+ * Project under contract to nCircle Network Security, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
+ * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/jail.h>
+#include <sys/kernel.h>
+#include <sys/priv.h>
+#include <sys/proc.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+
+#include <security/mac/mac_framework.h>
+
+/*
+ * `suser_enabled' (which can be set by the security.bsd.suser_enabled
+ * sysctl) determines whether the system 'super-user' policy is in effect. If
+ * it is nonzero, an effective uid of 0 connotes special privilege,
+ * overriding many mandatory and discretionary protections. If it is zero,
+ * uid 0 is offered no special privilege in the kernel security policy.
+ * Setting it to zero may seriously impact the functionality of many existing
+ * userland programs, and should not be done without careful consideration of
+ * the consequences.
+ */
+int suser_enabled = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
+ &suser_enabled, 0, "processes with uid 0 have privilege");
+TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
+
+/*
+ * Check a credential for privilege. Lots of good reasons to deny privilege;
+ * only a few to grant it.
+ */
+int
+priv_check_cred(struct ucred *cred, int priv, int flags)
+{
+ int error;
+
+ KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege %d",
+ priv));
+
+#ifdef MAC
+ error = mac_priv_check(cred, priv);
+ if (error)
+ return (error);
+#endif
+
+ /*
+ * Jail policy will restrict certain privileges that may otherwise be
+ * be granted.
+ *
+ * While debugging the transition from SUSER_ALLOWJAIL to Jail being
+ * aware of specific privileges, perform run-time checking that the
+ * two versions of the policy align. This assertion will go away
+ * once the SUSER_ALLOWJAIL flag has gone away.
+ */
+ error = prison_priv_check(cred, priv);
+#ifdef NOTYET
+ KASSERT(!jailed(cred) || error == ((flags & SUSER_ALLOWJAIL) ? 0 :
+ EPERM), ("priv_check_cred: prison_priv_check %d but flags %s",
+ error, flags & SUSER_ALLOWJAIL ? "allowjail" : "!allowjail"));
+#endif
+ if (error)
+ return (error);
+
+ /*
+ * Having determined if privilege is restricted by various policies,
+ * now determine if privilege is granted. For now, we allow
+ * short-circuit boolean evaluation, so may not call all policies.
+ * Perhaps we should.
+ *
+ * Superuser policy grants privilege based on the effective (or in
+ * certain edge cases, real) uid being 0. We allow the policy to be
+ * globally disabled, although this is currently of limited utility.
+ */
+ if (suser_enabled) {
+ if (flags & SUSER_RUID) {
+ if (cred->cr_ruid == 0)
+ return (0);
+ } else {
+ if (cred->cr_uid == 0)
+ return (0);
+ }
+ }
+
+ /*
+ * Now check with MAC, if enabled, to see if a policy module grants
+ * privilege.
+ */
+#ifdef MAC
+ if (mac_priv_grant(cred, priv) == 0)
+ return (0);
+#endif
+ return (EPERM);
+}
+
+int
+priv_check(struct thread *td, int priv)
+{
+
+ KASSERT(td == curthread, ("priv_check: td != curthread"));
+
+ return (priv_check_cred(td->td_ucred, priv, 0));
+}
+
+/*
+ * Historical suser() wrapper functions, which now simply request PRIV_ROOT.
+ * These will be removed in the near future, and exist solely because
+ * the kernel and modules are not yet fully adapted to the new model.
+ */
+int
+suser_cred(struct ucred *cred, int flags)
+{
+
+ return (priv_check_cred(cred, PRIV_ROOT, flags));
+}
+
+int
+suser(struct thread *td)
+{
+
+ KASSERT(td == curthread, ("suser: td != curthread"));
+
+ return (suser_cred(td->td_ucred, 0));
+}
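Review bot: In priv_check_cred() the flags argument's SUSER_ALLOWJAIL bit is only ever consulted inside the `#ifdef NOTYET` KASSERT, so with that block disabled the flag has no effect on the decision and prison_priv_check() alone decides jail access; callers that still pass SUSER_ALLOWJAIL (including every converted call in this patch) are therefore relying entirely on the allow list in kern_jail.c. Consider enabling the consistency assertion under INVARIANTS during the phase-2 sweep so that a caller whose flag disagrees with the list is caught, or state explicitly in priv.9 that the flag is ignored. Also a typo in the comment above prison_priv_check(): "that may otherwise be be granted" has a doubled "be".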
Index: sys/kern/kern_prot.c
===================================================================
RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_prot.c,v
retrieving revision 1.205
diff -u -r1.205 kern_prot.c
--- sys/kern/kern_prot.c 22 Oct 2006 11:52:13 -0000 1.205
+++ sys/kern/kern_prot.c 30 Oct 2006 17:07:55 -0000
@@ -55,6 +55,7 @@
#include <sys/mutex.h>
#include <sys/refcount.h>
#include <sys/sx.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/jail.h>
@@ -547,7 +548,8 @@
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
#endif
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETUID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
/*
@@ -563,7 +565,8 @@
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
uid == oldcred->cr_uid ||
#endif
- suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
+ /* We are using privs. */
+ priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0)
#endif
{
/*
@@ -639,7 +642,8 @@
if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
/*
@@ -711,7 +715,8 @@
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
#endif
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETGID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -724,7 +729,8 @@
#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
gid == oldcred->cr_groups[0] ||
#endif
- suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
+ /* We are using privs. */
+ priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0)
#endif
{
/*
@@ -796,7 +802,8 @@
if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -859,7 +866,8 @@
goto fail;
#endif
- error = suser_cred(oldcred, SUSER_ALLOWJAIL);
+ error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
+ SUSER_ALLOWJAIL);
if (error)
goto fail;
@@ -931,7 +939,8 @@
ruid != oldcred->cr_svuid) ||
(euid != (uid_t)-1 && euid != oldcred->cr_uid &&
euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -999,7 +1008,8 @@
rgid != oldcred->cr_svgid) ||
(egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -1079,7 +1089,8 @@
(suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
suid != oldcred->cr_svuid &&
suid != oldcred->cr_uid)) &&
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -1160,7 +1171,8 @@
(sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
sgid != oldcred->cr_svgid &&
sgid != oldcred->cr_groups[0])) &&
- (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
+ (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID,
+ SUSER_ALLOWJAIL)) != 0)
goto fail;
crcopy(newcred, oldcred);
@@ -1324,65 +1336,14 @@
}
/*
- * `suser_enabled' (which can be set by the security.suser_enabled
- * sysctl) determines whether the system 'super-user' policy is in effect.
- * If it is nonzero, an effective uid of 0 connotes special privilege,
- * overriding many mandatory and discretionary protections. If it is zero,
- * uid 0 is offered no special privilege in the kernel security policy.
- * Setting it to zero may seriously impact the functionality of many
- * existing userland programs, and should not be done without careful
- * consideration of the consequences.
- */
-int suser_enabled = 1;
-SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
- &suser_enabled, 0, "processes with uid 0 have privilege");
-TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
-
-/*
- * Test whether the specified credentials imply "super-user" privilege.
- * Return 0 or EPERM.
- */
-int
-suser_cred(struct ucred *cred, int flag)
-{
-
- if (!suser_enabled)
- return (EPERM);
- if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
- return (EPERM);
- if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
- return (EPERM);
- return (0);
-}
-
-/*
- * Shortcut to hide contents of struct td and struct proc from the
- * caller, promoting binary compatibility.
- */
-int
-suser(struct thread *td)
-{
-
-#ifdef INVARIANTS
- if (td != curthread) {
- printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
- td, td->td_proc->p_pid, td->td_proc->p_comm,
- curthread, curthread->td_proc->p_pid,
- curthread->td_proc->p_comm);
-#ifdef KDB
- kdb_backtrace();
-#endif
- }
-#endif
- return (suser_cred(td->td_ucred, 0));
-}
-
-/*
* Test the active securelevel against a given level. securelevel_gt()
* implements (securelevel > level). securelevel_ge() implements
* (securelevel >= level). Note that the logic is inverted -- these
* functions return EPERM on "success" and 0 on "failure".
*
+ * XXXRW: Possibly since this has to do with privilege, it should move to
+ * kern_priv.c.
+ *
* MPSAFE
*/
int
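Review bot: Removing the old suser_cred() changes behaviour in jail for any caller not yet converted: the old function returned 0 for jailed root when SUSER_ALLOWJAIL was passed (`if (jailed(cred) && !(flag & SUSER_ALLOWJAIL)) return (EPERM);`), whereas the replacement wrapper in kern_priv.c maps every call to PRIV_ROOT, and PRIV_ROOT has no case in prison_priv_check(), so from the visible lines a jailed suser_cred(cred, SUSER_ALLOWJAIL) now hits the default EPERM. Unless PRIV_ROOT is handled somewhere not shown, that will break remaining suser_cred(..., SUSER_ALLOWJAIL) users in the kernel and in third-party modules until the sweep lands; either add a PRIV_ROOT case to prison_priv_check() that honours the flag for the transition, or call this out in the commit message. Minor: the old suser() printed both threads' pid and p_comm and took a kdb_backtrace() under INVARIANTS, which the new bare KASSERT("suser: td != curthread") loses.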
@@ -1435,7 +1396,8 @@
{
if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
- if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
+ if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL)
+ != 0)
return (ESRCH);
}
return (0);
@@ -1474,7 +1436,8 @@
break;
}
if (!match) {
- if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
+ if (priv_check_cred(u1, PRIV_SEEOTHERGIDS,
+ SUSER_ALLOWJAIL) != 0)
return (ESRCH);
}
}
@@ -1591,7 +1554,8 @@
break;
default:
/* Not permitted without privilege. */
- error = suser_cred(cred, SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_SIGNAL_SUGID,
+ SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1606,7 +1570,8 @@
cred->cr_uid != proc->p_ucred->cr_ruid &&
cred->cr_uid != proc->p_ucred->cr_svuid) {
/* Not permitted without privilege. */
- error = suser_cred(cred, SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED,
+ SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1614,7 +1579,6 @@
return (0);
}
-
/*-
* Determine whether td may deliver the specified signal to p.
* Returns: 0 for permitted, an errno value otherwise
@@ -1683,19 +1647,14 @@
return (error);
if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
return (error);
- if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
- return (0);
- if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
- return (0);
- if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
- return (0);
-
-#ifdef CAPABILITIES
- if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
- return (0);
-#endif
-
- return (EPERM);
+ if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
+ td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
+ error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
+ return (0);
}
/*
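Review bot: The `#ifdef CAPABILITIES` cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL) fallback in p_cansched() is dropped without a replacement in this hunk; if the intent is that a POSIX.1e capability module now answers through mac_priv_grant() for PRIV_SCHED_DIFFCRED (which priv_check_cred() consults after the superuser test), that should be said in the commit message so the removal does not read as a silent loss of the capability path. The restructured condition itself is equivalent to the old early returns: privilege is only required when both `cr_ruid != p->p_ucred->cr_ruid` and `cr_uid != p->p_ucred->cr_ruid` hold.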
@@ -1730,7 +1689,8 @@
KASSERT(td == curthread, ("%s: td not curthread", __func__));
PROC_LOCK_ASSERT(p, MA_OWNED);
if (!unprivileged_proc_debug) {
- error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+ error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV,
+ SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1778,11 +1738,18 @@
/*
* If p's gids aren't a subset, or the uids aren't a subset,
* or the credential has changed, require appropriate privilege
- * for td to debug p. For POSIX.1e capabilities, this will
- * require CAP_SYS_PTRACE.
+ * for td to debug p.
*/
- if (!grpsubset || !uidsubset || credentialchanged) {
- error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+ if (!grpsubset || !uidsubset) {
+ error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED,
+ SUSER_ALLOWJAIL);
+ if (error)
+ return (error);
+ }
+
+ if (credentialchanged) {
+ error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID,
+ SUSER_ALLOWJAIL);
if (error)
return (error);
}
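Review bot: Splitting the single suser_cred() test into PRIV_DEBUG_DIFFCRED (for `!grpsubset || !uidsubset`) and PRIV_DEBUG_SUGID (for `credentialchanged`) means a debugger can now need both privileges on one target, which is stricter than before and looks intended; the comment above the block still speaks of a single "appropriate privilege", so it should be updated to name the two privileges and when each applies, in place of the deleted CAP_SYS_PTRACE sentence.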
@@ -1796,6 +1763,7 @@
/*
* Can't trace a process that's currently exec'ing.
+ *
* XXX: Note, this is not a security policy decision, it's a
* basic correctness/functionality decision. Therefore, this check
* should be moved to the caller's of p_candebug().
@@ -2057,7 +2025,8 @@