git: 2ecbfdaecbd0 - stable/14 - cr_cansee(9): cr_bsd_visible() impacts, simplifications
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 17 Oct 2023 19:43:33 UTC
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=2ecbfdaecbd009d32b2453c7b2bd6c33656b92ef commit 2ecbfdaecbd009d32b2453c7b2bd6c33656b92ef Author: Olivier Certner <olce.freebsd@certner.fr> AuthorDate: 2023-08-17 23:54:42 +0000 Commit: Mitchell Horne <mhorne@FreeBSD.org> CommitDate: 2023-10-17 19:42:58 +0000 cr_cansee(9): cr_bsd_visible() impacts, simplifications Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9). Defer to cr_bsd_visible() for controlling sysctl(8) variables. Reviewed by: bcr, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40636 (cherry picked from commit 82f9bc9ea8ed660c61050ad1d92f1a64108c7004) --- share/man/man9/cr_cansee.9 | 61 ++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 34 deletions(-) diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 4824a231170b..d5cdfdd6f8e5 100644 --- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2006 Ceri Davies <ceri@FreeBSD.org> +.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr> .\" .\" All rights reserved. .\" @@ -23,43 +24,39 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt CR_CANSEE 9 .Os .Sh NAME .Nm cr_cansee .Nd "determine visibility of objects given their user credentials" .Sh SYNOPSIS -.In sys/param.h -.In sys/systm.h -.In sys/ucred.h +.In sys/proc.h .Ft int .Fn cr_cansee "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the real user IDs and group IDs in the credentials +This function determines if a subject with credential .Fa u1 -and -.Fa u2 -associated with them. +can see a subject or object associated to credential +.Fa u2 . .Pp -The visibility of objects is influenced by the +Specific types of subjects may need to submit to additional or different +restrictions. +As an example, for processes, see +.Xr p_cansee 9 , +which calls this function. +.Pp +The implementation relies on +.Xr cr_bsd_visible 9 +and consequently the .Xr sysctl 8 -variables -.Va security.bsd.see_other_gids -and -.Va security.bsd.see_other_uids , -as per the description in -.Xr cr_canseeothergids 9 -and -.Xr cr_canseeotheruids 9 -respectively. +variables referenced in its manual page influence the result. .Sh RETURN VALUES -This function returns zero if the object with credential +This function returns zero if the subject with credential .Fa u1 can .Dq see -the object with credential +the subject or object with credential .Fa u2 , or .Er ESRCH @@ -67,24 +64,20 @@ otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -The object with credential -.Fa u1 -cannot -.Dq see -the object with credential -.Fa u2 . -.It Bq Er ESRCH -The object with credential +The subject with credential .Fa u1 -has been jailed and the object with credential +has been jailed and the subject or object with credential .Fa u2 -does not belong to the same jail as -.Fa u1 . +does not belong to the same jail or one of its sub-jails, as determined by +.Xr prison_check 9 . .It Bq Er ESRCH The MAC subsystem denied visibility. +.It Bq Er ESRCH +.Xr cr_bsd_visible 9 +denied visibility according to the BSD security policies in force. .El .Sh SEE ALSO -.Xr cr_canseeothergids 9 , -.Xr cr_canseeotheruids 9 , +.Xr prison_check 9 , .Xr mac 9 , +.Xr cr_bsd_visible 9 , .Xr p_cansee 9