PERFORCE change 188463 for review
Edward Tomasz Napierala
trasz at FreeBSD.org
Wed Feb 2 18:59:14 UTC 2011
http://p4web.freebsd.org/@@188463?ac=10
Change 188463 by trasz at trasz_victim on 2011/02/02 18:58:19
Properly guard RCTL syscalls with privileges.
Affected files ...
.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#27 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#14 edit
Differences ...
==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#27 (text+ko) ====
@@ -1213,6 +1213,10 @@
struct loginclass *lc;
struct prison *pr;
+ error = priv_check(td, PRIV_RCTL_GET_USAGE);
+ if (error != 0)
+ return (error);
+
error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
if (error != 0)
return (error);
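Review bot: The added `priv_check(td, PRIV_RCTL_GET_USAGE)` runs before the filter in `uap->inbufp` is parsed, so the denial is all-or-nothing: a caller without the privilege cannot read usage even for its own process. The same holds for the `PRIV_RCTL_GET_RULES` and `PRIV_RCTL_GET_LIMITS` checks in the next two hunks. If that is the intent, a short comment above each check would record it, for example `/* Read access is privileged for every subject, including the caller's own. */`. Whether root inside a jail passes these checks depends on the jail privilege policy, which this change does not touch, so that is worth confirming. All three function bodies begin and end outside their hunks.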
@@ -1304,6 +1308,10 @@
struct rctl_rule_link *link;
struct proc *p;
+ error = priv_check(td, PRIV_RCTL_GET_RULES);
+ if (error != 0)
+ return (error);
+
error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
if (error != 0)
return (error);
@@ -1373,6 +1381,10 @@
struct rctl_rule *filter;
struct rctl_rule_link *link;
+ error = priv_check(td, PRIV_RCTL_GET_LIMITS);
+ if (error != 0)
+ return (error);
+
error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
if (error != 0)
return (error);
@@ -1439,7 +1451,7 @@
struct rctl_rule *rule;
char *inputstr;
- error = priv_check(td, PRIV_RCTL_SET);
+ error = priv_check(td, PRIV_RCTL_ADD_RULE);
if (error != 0)
return (error);
@@ -1481,7 +1493,7 @@
struct rctl_rule *filter;
char *inputstr;
- error = priv_check(td, PRIV_RCTL_SET);
+ error = priv_check(td, PRIV_RCTL_REMOVE_RULE);
if (error != 0)
return (error);
==== //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#14 (text+ko) ====
@@ -486,13 +486,16 @@
/*
* Resource Limits privileges.
*/
-#define PRIV_RCTL_SET 670
-#define PRIV_RCTL_GET 671
+#define PRIV_RCTL_GET_RULES 670
+#define PRIV_RCTL_ADD_RULE 671
+#define PRIV_RCTL_REMOVE_RULE 672
+#define PRIV_RCTL_GET_USAGE 673
+#define PRIV_RCTL_GET_LIMITS 674
/*
* Track end of privilege list.
*/
-#define _PRIV_HIGHEST 672
+#define _PRIV_HIGHEST 674
/*
* Validate that a named privilege is known by the privilege system. Invalid
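Review bot: `_PRIV_HIGHEST` now equals the last assigned privilege, `PRIV_RCTL_GET_LIMITS` (674), whereas the removed lines kept it one above the last value (671 against 672). If the validation macro whose comment starts at the end of this hunk compares with a strict upper bound, as the old numbering suggests, 674 would be treated as unknown and the `priv_check(td, PRIV_RCTL_GET_LIMITS)` added in kern_rctl.c would fail that validation. The line should read `#define _PRIV_HIGHEST 675`. Separately, 670 and 671 are reused with different meanings (formerly `PRIV_RCTL_SET` and `PRIV_RCTL_GET`), so any code built against the old header, such as a policy module that switches on privilege numbers, must be rebuilt.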