Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 9 Oct 2001 14:40:31 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/kern kern_proc.c kern_prot.c uipc_socket.c uipc_usrreq.c src/sys/netinet raw_ip.c tcp_subr.c udp_usrreq.c
Message-ID:  <200110092140.f99LeVA74145@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 
rwatson     2001/10/09 14:40:31 PDT

  Modified files:
    sys/kern             kern_proc.c kern_prot.c uipc_socket.c 
                         uipc_usrreq.c 
    sys/netinet          raw_ip.c tcp_subr.c udp_usrreq.c 
  Log:
  - Combine kern.ps_showallprocs and kern.ipc.showallsockets into
    a single kern.security.seeotheruids_permitted, describes as:
    "Unprivileged processes may see subjects/objects with different real uid"
    NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is
    an API change.  kern.ipc.showallsockets does not.
  - Check kern.security.seeotheruids_permitted in cr_cansee().
  - Replace visibility calls to socheckuid() with cr_cansee() (retain
    the change to socheckuid() in ipfw, where it is used for rule-matching).
  - Remove prison_unpcb() and make use of cr_cansee() against the UNIX
    domain socket credential instead of comparing root vnodes for the
    UDS and the process.  This allows multiple jails to share the same
    chroot() and not see each others UNIX domain sockets.
  - Remove unused socheckproc().
  
  Now that cr_cansee() is used universally for socket visibility, a variety
  of policies are more consistently enforced, including uid-based
  restrictions and jail-based restrictions.  This also better-supports
  the introduction of additional MAC models.
  
  Reviewed by:	ps, billf
  Obtained from:	TrustedBSD Project
  
  Revision  Changes    Path
  1.102     +1 -5      src/sys/kern/kern_proc.c
  1.111     +13 -3     src/sys/kern/kern_prot.c
  1.102     +1 -20     src/sys/kern/uipc_socket.c
  1.74      +4 -14     src/sys/kern/uipc_usrreq.c
  1.85      +3 -3      src/sys/netinet/raw_ip.c
  1.116     +4 -4      src/sys/netinet/tcp_subr.c
  1.98      +4 -4      src/sys/netinet/udp_usrreq.c


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200110092140.f99LeVA74145>