git: e9fdd494537c - main - prison_check(9): Bring up-to-date with hierarchical jails
Date: Thu, 28 Sep 2023 15:10:47 UTC
The branch main has been updated by mhorne:
URL: https://cgit.FreeBSD.org/src/commit/?id=e9fdd494537ca45b14e0917e8bb1595b6460f3a3
commit e9fdd494537ca45b14e0917e8bb1595b6460f3a3
Author: Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:44 +0000
Commit: Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-09-28 15:05:46 +0000
prison_check(9): Bring up-to-date with hierarchical jails
Reviewed by: bcr, emaste, pauamma_gundo.com, mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40639
---
share/man/man9/prison_check.9 | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/share/man/man9/prison_check.9 b/share/man/man9/prison_check.9
index b3bdcf6b4571..7f174e3ceb2e 100644
--- a/share/man/man9/prison_check.9
+++ b/share/man/man9/prison_check.9
@@ -25,22 +25,23 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 11, 2003
+.Dd August 18, 2023
.Dt PRISON_CHECK 9
.Os
.Sh NAME
.Nm prison_check
-.Nd determine if two credentials belong to the same jail
+.Nd determine if subjects may see entities according to jail restrictions
.Sh SYNOPSIS
.In sys/jail.h
.Ft int
.Fn prison_check "struct ucred *cred1" "struct ucred *cred2"
.Sh DESCRIPTION
-This function can be used to determine if the two credentials
+This function determines if a subject with credentials
.Fa cred1
-and
+is denied access to subjects or objects with credentials
.Fa cred2
-belong to the same jail.
+according to the policy that a subject can see subjects or objects in its own
+jail or any sub-jail of it.
.Sh RETURN VALUES
The
.Fn prison_check
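Review bot: The new .Nd line is phrased positively ("may see") while the DESCRIPTION sentence is phrased negatively ("is denied access"), and the two mix visibility with access, so a reader cannot tell from the description alone which outcome a zero return stands for. Suggest wording the DESCRIPTION in the same sense as .Nd, for example "determines if a subject with credentials cred1 may see subjects or objects with credentials cred2". The check is also directional now (cred1 is the subject, cred2 the target), which the argument names in the .Fn line do not convey; a sentence saying that swapping the arguments can change the result would help callers. "any sub-jail of it" could also be read as direct children only; if all descendants are meant, say so.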
@@ -48,12 +49,9 @@ function
returns
.Er ESRCH
if
-.Fa cred1
-has been jailed, and
-.Fa cred1
-and
.Fa cred2
-do not belong to the same jail.
+is not in the same jail or a sub-jail of that of
+.Fa cred1 .
In all other cases,
.Fn prison_check
returns zero.
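Review bot: The rewritten ESRCH condition drops the explicit "cred1 has been jailed" clause, so the case of a non-jailed cred1 is no longer stated and has to be inferred from "sub-jail". If an unjailed subject is meant to be treated as the root of the hierarchy and therefore always gets zero, add a sentence saying so in RETURN VALUES. As in the DESCRIPTION hunk, "a sub-jail of that of cred1" leaves open whether only direct children or all descendants qualify; using the same explicit term in both places would remove the ambiguity.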