PERFORCE change 40226 for review

Robert Watson rwatson at FreeBSD.org
Thu Oct 23 01:33:11 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=40226

Change 40226 by rwatson at rwatson_paprika on 2003/10/22 18:32:46

	Fix capability-related syntax, reformat to match original layout.
	Re-spell capability.h.  This now builds.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/gnu/ext2fs/ext2_vfsops.c#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/gnu/ext2fs/ext2_vnops.c#5 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/gnu/ext2fs/ext2_vfsops.c#5 (text+ko) ====

@@ -54,7 +54,7 @@
 #include <sys/malloc.h>
 #include <sys/stat.h>
 #include <sys/mutex.h>
-#include <sys/capabililty.h>
+#include <sys/capability.h>
 
 #include <gnu/ext2fs/ext2_mount.h>
 #include <gnu/ext2fs/inode.h>
@@ -234,7 +234,7 @@
 			 * If upgrade to read-write by non-root, then verify
 			 * that user has necessary permissions on the device.
 			 */
-			if (cap_check(td, CAP_MKNOD)) {
+			if (cap_check(td, CAP_MKNOD) != 0) {
 				vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td);
 				if ((error = VOP_ACCESS(devvp, VREAD | VWRITE,
 				    td->td_ucred, td)) != 0) {
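Review bot: The comment above `cap_check(td, CAP_MKNOD) != 0` still says "by non-root", but the branch is now taken whenever the thread lacks CAP_MKNOD, which need not coincide with uid 0. The same mismatch is in the mount path in the hunk at -291. I would reword both to name the capability, e.g. `* If upgrade to read-write without CAP_MKNOD, then verify`, and add a line on why CAP_MKNOD is the capability that waives the device access check, since that mapping is not obvious from the name. The enclosing block continues past the end of this hunk.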
@@ -291,7 +291,7 @@
 	 * If mount by non-root, then verify that user has necessary
 	 * permissions on the device.
 	 */
-	if (cap_check(td, CAP_MKNOD)) {
+	if (cap_check(td, CAP_MKNOD) != 0) {
 		accessmode = VREAD;
 		if ((mp->mnt_flag & MNT_RDONLY) == 0)
 			accessmode |= VWRITE;

==== //depot/projects/trustedbsd/sebsd/sys/gnu/ext2fs/ext2_vnops.c#5 (text+ko) ====

@@ -66,7 +66,7 @@
 #include <sys/event.h>
 #include <sys/conf.h>
 #include <sys/file.h>
-#include <sys/capabililty.h>
+#include <sys/capability.h>
 
 #include <vm/vm.h>
 #include <vm/vm_extern.h>
@@ -485,7 +485,8 @@
 		 * Privileged non-jail processes may not modify system flags
 		 * if securelevel > 0 and any existing system flags are set.
 		 */
-		if (!cap_check_cred(cred, NULL, CAP_SYS_SETFFLAG, PRISON_ROOT)) {
+		if (cap_check_cred(cred, NULL, CAP_SYS_SETFFLAG, PRISON_ROOT)
+		    == 0) {
 			if (ip->i_flags
 			    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
 				error = securelevel_gt(cred, 0);
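Review bot: The call `cap_check_cred(cred, NULL, CAP_SYS_SETFFLAG, PRISON_ROOT) == 0` passes PRISON_ROOT, while the comment directly above describes this branch as applying to privileged non-jail processes. If PRISON_ROOT has the same meaning here as for suser_cred(), a privileged process inside a jail would also enter this branch and face only the securelevel test. It is worth confirming that this is intended, and either dropping the flag or rewording the comment. The comment and the if-body both extend outside the hunk, so this is inferred from the visible lines only. Separately, breaking the line after `CAP_SYS_SETFFLAG,` would keep `== 0` beside the closing parenthesis instead of alone on a continuation line.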
@@ -599,15 +600,22 @@
 	 */
 	if ((error = VOP_ACCESS(vp, VADMIN, cred, td)))
 		return (error);
-	/* Privileged processes may set the sticky bit on non-directories */
-	if (vp->v_type != VDIR && (mode & S_ISTXT) && cap_check_cred(cred, NULL, CAP_SYS_RAWIO, 0))
-	  return (EFTYPE);
+	/*
+	 * Privileged processes may set the sticky bit on non-directories.
+	 */
+	if (vp->v_type != VDIR && (mode & S_ISTXT)) {
+		if (cap_check_cred(cred, NULL, CAP_SYS_RAWIO, 0) != 0)
+		    return (EFTYPE);
+	}
 
-	/* CAP_FSETID is required to set suid or sgid on non-owned files */
-	if (((!groupmember(ip->i_gid, cred) && (mode & ISGID)) ||
-	     ((mode & ISUID) && ip->i_uid != cred->cr_uid))
-	    && cap_check_cred (cred, NULL, CAP_FSETID, PRISON_ROOT))
-	  return (EPERM);
+	/*
+	 * CAP_FSETID is required to set suid or sgid on non-owned files.
+	 */
+	if (((mode & ISGID) && !groupmember(ip->i_gid, cred)) ||
+	     ((mode & ISUID) && ip->i_uid != cred->cr_uid)) {
+		if (cap_check_cred (cred, NULL, CAP_FSETID, PRISON_ROOT) != 0)
+			return (EPERM);
+	}
 
 	ip->i_mode &= ~ALLPERMS;
 	ip->i_mode |= (mode & ALLPERMS);
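Review bot: The sticky-bit check is gated on CAP_SYS_RAWIO, and the new comment does not say why a raw-I/O capability governs S_ISTXT on non-directories, so someone auditing capability use cannot tell whether this is deliberate or a placeholder. I would extend the comment, e.g. `* Privileged processes (CAP_SYS_RAWIO) may set the sticky bit on non-directories.`, or mark it XXX if the mapping is provisional. Two layout nits in the same hunk: `return (EFTYPE);` is indented with two tabs plus four spaces rather than three tabs, and `cap_check_cred (cred, NULL, CAP_FSETID, PRISON_ROOT)` has a space before the parenthesis that the CAP_SYS_RAWIO call just above lacks. The function body starts and ends outside the hunk.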
@@ -648,19 +656,25 @@
 	 * have privilege.
 	 */
 	if ((uid != ip->i_uid || 
-	    (gid != ip->i_gid && !groupmember(gid, cred))) &&
-	    (error = cap_check_cred(cred, NULL, CAP_FOWNER, PRISON_ROOT)))
-		return (error);
+	    (gid != ip->i_gid && !groupmember(gid, cred)))) {
+		error = cap_check_cred(cred, NULL, CAP_FOWNER, PRISON_ROOT);
+		if (error)
+			return (error);
+	}
 	ogid = ip->i_gid;
 	ouid = ip->i_uid;
 	ip->i_gid = gid;
 	ip->i_uid = uid;
 	ip->i_flag |= IN_CHANGE;
 
-	/* Processes without CAP_FSETID clear suid and sgid when owner/groups change */
-	if ((ouid != uid || ogid != gid) && (ip->i_mode & (ISUID | ISGID)) &&
-	    cap_check_cred (cred, NULL, CAP_FSETID, PRISON_ROOT))
-	  ip->i_mode &= ~(ISUID | ISGID);
+	/*
+	 * Processes without CAP_FSETID clear suid and sgid when owner/groups
+	 * change.
+	 */
+	if ((ouid != uid || ogid != gid) && (ip->i_mode & (ISUID | ISGID))) {
+		if (cap_check_cred (cred, NULL, CAP_FSETID, PRISON_ROOT) != 0)
+			ip->i_mode &= ~(ISUID | ISGID);
+	}
 	return (0);
 }
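Review bot: The CAP_FOWNER branch tests `if (error)` while the other capability checks touched by this change use an explicit comparison; `if (error != 0)` would keep the file consistent. `cap_check_cred (cred, NULL, CAP_FSETID, PRISON_ROOT)` in the suid/sgid block also keeps the space before the parenthesis. On behaviour, clearing `ISUID | ISGID` on any non-zero return is the safe direction, since a failed capability check strips the bits rather than keeping them; a short remark to that effect in the comment would help. The start of the function is outside the hunk.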
 
@@ -1832,9 +1846,11 @@
 	ip->i_mode = mode;
 	tvp->v_type = IFTOVT(mode);	/* Rest init'd in getnewvnode(). */
 	ip->i_nlink = 1;
-	if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
-	    cap_check_cred(cnp->cn_cred, NULL, CAP_FSETOD, PRISON_ROOT))
-		ip->i_mode &= ~ISGID;
+	if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred)) {
+		if (cap_check_cred(cnp->cn_cred, NULL, CAP_FSETID,
+		    PRISON_ROOT) != 0)
+			ip->i_mode &= ~ISGID;
+	}
 
 	if (cnp->cn_flags & ISWHITEOUT)
 		ip->i_flags |= UF_OPAQUE;
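Review bot: The ISGID-stripping block here has no comment, although the equivalent checks in the chmod and chown paths of this change each gained one. I would add `/* Without CAP_FSETID, clear sgid on a new file whose group the creator is not a member of. */` above the `if`. The enclosing function starts and ends outside the hunk.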