PERFORCE change 120669 for review

Robert Watson rwatson at FreeBSD.org
Thu May 31 14:36:40 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=120669

Change 120669 by rwatson at rwatson_zoo on 2007/05/31 14:36:29

	SUSER_ALLOWJAIL reduction.

Affected files ...

.. //depot/projects/trustedbsd/priv/sys/compat/opensolaris/kern/opensolaris_policy.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/priv/sys/compat/opensolaris/kern/opensolaris_policy.c#2 (text+ko) ====

@@ -72,7 +72,7 @@
 
 	if (!hardlink_check_uid)
 		return (0);
-	return (priv_check_cred(cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL));
+	return (priv_check_cred(cred, PRIV_VFS_LINK, 0));
 }
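Review bot: Replacing SUSER_ALLOWJAIL with 0 in every priv_check_cred() call here (and in the hunks ending at lines 36, 66, 73, 85, 93, 101, 113 and 121) moves the "may a jailed process hold this privilege" decision from the call site into priv_check_cred() itself, and neither the diff nor the change description says which PRIV_VFS_* values remain jail-permitted. If priv_check_cred() still honours its flags argument, passing 0 would deny these operations to jailed root; if the flag is now a no-op because jail policy lives in the privilege check, the change description should state that explicitly. The existing comment at lines 115-116 ("Both of these are allowed in jail(8)") now depends on that per-privilege jail policy rather than the removed flag and is worth re-confirming against it. The enclosing function of this first hunk begins before the hunk.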
 
 int
@@ -86,7 +86,7 @@
 secpolicy_vnode_remove(struct ucred *cred)
 {
 
-	return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+	return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
 }
 
 int
@@ -94,23 +94,20 @@
     int mode)
 {
 
-	if ((mode & VREAD) &&
-	    priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL) != 0) {
+	if ((mode & VREAD) && priv_check_cred(cred, PRIV_VFS_READ, 0) != 0) {
 		return (EACCES);
 	}
 	if ((mode & VWRITE) &&
-	    priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL) != 0) {
+	    priv_check_cred(cred, PRIV_VFS_WRITE, 0) != 0) {
 		return (EACCES);
 	}
 	if (mode & VEXEC) {
 		if (vp->v_type == VDIR) {
-			if (priv_check_cred(cred, PRIV_VFS_LOOKUP,
-			    SUSER_ALLOWJAIL) != 0) {
+			if (priv_check_cred(cred, PRIV_VFS_LOOKUP, 0) != 0) {
 				return (EACCES);
 			}
 		} else {
-			if (priv_check_cred(cred, PRIV_VFS_EXEC,
-			    SUSER_ALLOWJAIL) != 0) {
+			if (priv_check_cred(cred, PRIV_VFS_EXEC, 0) != 0) {
 				return (EACCES);
 			}
 		}
@@ -124,7 +121,7 @@
 
 	if (owner == cred->cr_uid)
 		return (0);
-	return (priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL));
+	return (priv_check_cred(cred, PRIV_VFS_ADMIN, 0));
 }
 
 int
@@ -173,8 +170,7 @@
 		if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
 		    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
 		     !groupmember(vap->va_gid, cred))) {
-			error = priv_check_cred(cred, PRIV_VFS_CHOWN,
-			    SUSER_ALLOWJAIL);
+			error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0);
 			if (error)
 				return (error);
 		}
@@ -214,7 +210,7 @@
 {
 
 	if (!groupmember(gid, cred))
-		return (priv_check_cred(cred, PRIV_VFS_SETGID, SUSER_ALLOWJAIL));
+		return (priv_check_cred(cred, PRIV_VFS_SETGID, 0));
 	return (0);
 }
 
@@ -222,7 +218,7 @@
 secpolicy_vnode_setid_retain(struct ucred *cred, boolean_t issuidroot __unused)
 {
 
-	return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, SUSER_ALLOWJAIL));
+	return (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0));
 }
 
 void
@@ -230,8 +226,7 @@
 {
 
 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0) {
-		if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID,
-		    SUSER_ALLOWJAIL)) {
+		if (priv_check_cred(cred, PRIV_VFS_RETAINSUGID, 0)) {
 			vap->va_mask |= AT_MODE;
 			vap->va_mode &= ~(S_ISUID|S_ISGID);
 		}
@@ -250,7 +245,7 @@
 	 * is not a member of. Both of these are allowed in jail(8).
 	 */
 	if (vp->v_type != VDIR && (vap->va_mode & S_ISTXT)) {
-		if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, SUSER_ALLOWJAIL))
+		if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, 0))
 			return (EFTYPE);
 	}
 	/*

