git: 0dafeb5bc874 - stable/13 - New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 21 Dec 2023 13:43:23 UTC
The branch stable/13 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=0dafeb5bc874d79907cc25b3c8dc14f9ed55b396 commit 0dafeb5bc874d79907cc25b3c8dc14f9ed55b396 Author: Olivier Certner <olce.freebsd@certner.fr> AuthorDate: 2023-08-17 23:54:38 +0000 Commit: Olivier Certner <olce@FreeBSD.org> CommitDate: 2023-12-21 13:36:09 +0000 New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects This is a new helper function that leverages existing code: It calls successively cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() (as long as the previous didn't deny access). Will be used in a subsequent commit. Reviewed by: mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40627 (cherry picked from commit e4a7b4f99cfd4931468c0866da4ae8b49cf5badb) Approved by: markj (mentor) --- sys/kern/kern_prot.c | 19 +++++++++++++++++++ sys/sys/proc.h | 1 + 2 files changed, 20 insertions(+) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 8b56ba3f8846..8118afd4d366 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1436,6 +1436,25 @@ cr_canseejailproc(struct ucred *u1, struct ucred *u2) return (ESRCH); } +/* + * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* + * policies. Determines if u1 "can see" u2 according to these policies. + * Returns: 0 for permitted, ESRCH otherwise + */ +int +cr_bsd_visible(struct ucred *u1, struct ucred *u2) +{ + int error; + + if ((error = cr_canseeotheruids(u1, u2))) + return (error); + if ((error = cr_canseeothergids(u1, u2))) + return (error); + if ((error = cr_canseejailproc(u1, u2))) + return (error); + return (0); +} + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise diff --git a/sys/sys/proc.h b/sys/sys/proc.h index b279839dbf8d..a85ae239f46b 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1095,6 +1095,7 @@ int pget(pid_t pid, int flags, struct proc **pp); void ast(struct trapframe *framep); struct thread *choosethread(void); +int cr_bsd_visible(struct ucred *u1, struct ucred *u2); int cr_cansee(struct ucred *u1, struct ucred *u2); int cr_canseesocket(struct ucred *cred, struct socket *so); int cr_canseeothergids(struct ucred *u1, struct ucred *u2);