Date: Sat, 2 Sep 2006 08:52:17 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: "Andrew R. Reiter" <arr@watson.org> Cc: Perforce Change Reviews <perforce@freebsd.org> Subject: Re: PERFORCE change 105508 for review Message-ID: <20060902084548.R84468@fledge.watson.org> In-Reply-To: <20060902024832.K58636@fledge.watson.org> References: <200609020625.k826PGWV066879@repoman.freebsd.org> <20060902024832.K58636@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 2 Sep 2006, Andrew R. Reiter wrote: > Sorry if I missed a post; is there a project goin' on that explains this > work? Just curious not trying to pester :-) Basically, I'm currently looking at architectural subdivision of privilege inside the kernel, so that (among other things) those privileges may be individually granted or restricted, and to centralize the logic of jail in kern_jail.c, rather than distributing the jail decision in each individual piece of code. I'll submit an updated kern_jail.c that does this shortly (at least, some of this). This is similar to work done in the SEBSD/cap branches, but doesn't adopt the POSIX.1e/Linux subdivision of privileges into broad categories -- rather, it identifies a larger set of more specific privileges, which SEBSD or other policies can then coalesce into categories if they would like. One of the problems with both the POSIX.1e and Linux privilege subdivisions is that they tend to clump large numbers of preferably seperable privileges, such as the right to administer routes vs. the right to use interfaces in promiscuous mode or view IPSEC keys. This approach attempts to avoid that, while still permitting policies to take that approach if desired. Right now this is prototyping work, largely to identify the set of privileges and privilege abstractions; once things basically fit together, I'll send e-mail to trustedbsd-discuss and freebsd-arch with the specific proposal. Robert N M Watson Computer Laboratory University of Cambridge > > Peace/Cheers/blah, > andrew > > On Sat, 2 Sep 2006, Robert Watson wrote: > > :http://perforce.freebsd.org/chv.cgi?CH=105508 > : > :Change 105508 by rwatson@rwatson_sesame on 2006/09/02 06:24:56 > : > : Replace most kernel suser checks with more specific privilege > : checks. In some cases, significantly rework privilege logic to > : make more sense, such as in the file system handling of device > : permission override. Remove some unneeded suser checks in > : sysctl wrappers. > : > : Sponsored by: nCircle Network Security, Inc. > : > :Affected files ... > : > :.. //depot/projects/trustedbsd/priv/sys/amd64/amd64/io.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/compat/linux/linux_misc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/compat/linux/linux_uid16.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_fcntl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_misc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_stat.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/conf/files#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_cbq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_cdnr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_hfsc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_priq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_red.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_rio.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/contrib/pf/net/if_pfsync.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/an/if_an.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/arl/if_arl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/asr/asr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/ata/atapi-cd.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/ce/if_ce.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/cp/if_cp.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/ctau/if_ct.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/cx/if_cx.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/dcons/dcons_os.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/drm/drmP.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/fdc/fdc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/hwpmc/hwpmc_mod.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/if_ndis/if_ndis.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/kbd/kbd.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/lmc/if_lmc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/lmc/if_lmc.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/nmdm/nmdm.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/null/null.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/ofw/ofw_console.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/random/randomdev.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/sbni/if_sbni.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/sbsh/if_sbsh.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/si/si.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/syscons/syscons.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/syscons/sysmouse.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/wi/if_wi.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/wl/if_wl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/dev/zs/zs.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/devfs/devfs_rule.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/devfs/devfs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/hpfs/hpfs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/msdosfs/msdosfs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/procfs/procfs_ioctl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/smbfs/smbfs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/udf/udf_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/fs/umapfs/umap_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/gnu/fs/ext2fs/ext2_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/gnu/fs/ext2fs/ext2_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/gnu/fs/reiserfs/reiserfs_fs.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/gnu/fs/reiserfs/reiserfs_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/gnu/fs/xfs/FreeBSD/xfs_super.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/i386/io.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/i386/sys_machdep.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/i386/vm86.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/ibcs2/ibcs2_misc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/ibcs2/ibcs2_socksys.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/ibcs2/ibcs2_sysi86.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i386/linux/linux_machdep.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/i4b/driver/i4b_ipr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ia64/ia64/ssc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/isofs/cd9660/cd9660_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_acct.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_descrip.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_environment.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_exec.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_fork.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_ktr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_ktrace.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_linker.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_ntptime.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_prot.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_resource.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_shutdown.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_sysctl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_thr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_time.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/kern_xxx.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/subr_acl_posix1e.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/subr_firmware.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/subr_prf.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/subr_witness.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/sysv_msg.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/tty.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/tty_cons.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/tty_pts.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/tty_pty.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/uipc_mqueue.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/uipc_sem.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/vfs_subr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/kern/vfs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/bpf.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if_bridge.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if_gre.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if_ppp.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if_sl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if_tap.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/if_tun.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/ppp_tty.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/raw_usrreq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net/rtsock.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/net80211/ieee80211_ioctl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netatalk/at_control.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netatalk/ddp_pcb.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netatm/atm_usrreq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netgraph/ng_socket.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netgraph/ng_tty.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/in_pcb.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/ip_carp.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/ip_divert.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/ip_fw2.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/ip_mroute.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/ip_output.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/raw_ip.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/tcp_subr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet/udp_usrreq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet6/in6.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet6/in6_pcb.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet6/in6_src.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet6/ipsec.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netinet6/udp6_usrreq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netipsec/ipsec_osdep.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netipx/ipx_pcb.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netipx/ipx_usrreq.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netncp/ncp_conn.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netncp/ncp_mod.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netncp/ncp_subr.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netsmb/smb_conn.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/netsmb/smb_subr.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/nfsserver/nfs_syscalls.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/pc98/cbus/fdc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/posix4/p1003_1b.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/audit/audit.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/audit/audit_pipe.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/audit/audit_syscalls.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac/mac_internal.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac/mac_net.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac_bsdextended/mac_bsdextended.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac_lomac/mac_lomac.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac_partition/mac_partition.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac_portacl/mac_portacl.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/security/mac_seeotheruids/mac_seeotheruids.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/sys/jail.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/sys/sysctl.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/sys/systm.h#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ufs/ffs/ffs_alloc.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ufs/ffs/ffs_vfsops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ufs/ffs/ffs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ufs/ufs/ufs_extattr.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ufs/ufs/ufs_quota.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/ufs/ufs/ufs_vnops.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/vm/swap_pager.c#2 edit > :.. //depot/projects/trustedbsd/priv/sys/vm/vm_mmap.c#2 edit > : > :Differences ... > : > :==== //depot/projects/trustedbsd/priv/sys/amd64/amd64/io.c#2 (text+ko) ==== > : > :@@ -33,6 +33,7 @@ > : #include <sys/lock.h> > : #include <sys/malloc.h> > : #include <sys/mutex.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/signalvar.h> > : #include <sys/systm.h> > :@@ -54,7 +55,7 @@ > : { > : int error; > : > :- error = suser(td); > :+ error = priv_check(td, PRIV_IO); > : if (error != 0) > : return (error); > : error = securelevel_gt(td->td_ucred, 0); > : > :==== //depot/projects/trustedbsd/priv/sys/compat/linux/linux_misc.c#2 (text+ko) ==== > : > :@@ -49,6 +49,7 @@ > : #include <sys/mount.h> > : #include <sys/mutex.h> > : #include <sys/namei.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/reboot.h> > : #include <sys/resourcevar.h> > :@@ -1011,7 +1012,8 @@ > : * Keep cr_groups[0] unchanged to prevent that. > : */ > : > :- if ((error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { > :+ if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, > :+ SUSER_ALLOWJAIL)) != 0) { > : PROC_UNLOCK(p); > : crfree(newcred); > : return (error); > : > :==== //depot/projects/trustedbsd/priv/sys/compat/linux/linux_uid16.c#2 (text+ko) ==== > : > :@@ -33,6 +33,7 @@ > : #include <sys/lock.h> > : #include <sys/malloc.h> > : #include <sys/mutex.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/syscallsubr.h> > : #include <sys/sysproto.h> > :@@ -123,7 +124,8 @@ > : * Keep cr_groups[0] unchanged to prevent that. > : */ > : > :- if ((error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { > :+ if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, > :+ SUSER_ALLOWJAIL)) != 0) { > : PROC_UNLOCK(p); > : crfree(newcred); > : return (error); > : > :==== //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_fcntl.c#2 (text+ko) ==== > : > :@@ -45,6 +45,7 @@ > : #include <sys/mount.h> > : #include <sys/mutex.h> > : #include <sys/namei.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/stat.h> > : #include <sys/syscallsubr.h> > :@@ -279,7 +280,7 @@ > : goto out; > : > : if (td->td_ucred->cr_uid != vattr.va_uid && > :- (error = suser(td)) != 0) > :+ (error = priv_check(td, PRIV_VFS_ADMIN)) != 0) > : goto out; > : > : if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) > : > :==== //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_misc.c#2 (text+ko) ==== > : > :@@ -53,6 +53,7 @@ > : #include <sys/msg.h> > : #include <sys/mutex.h> > : #include <sys/namei.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/ptrace.h> > : #include <sys/resource.h> > :@@ -610,7 +611,7 @@ > : struct file *fp; > : int error, vfslocked; > : > :- if ((error = suser(td)) != 0) > :+ if ((error = priv_check(td, PRIV_VFS_FCHROOT)) != 0) > : return error; > : if ((error = getvnode(fdp, uap->fd, &fp)) != 0) > : return error; > : > :==== //depot/projects/trustedbsd/priv/sys/compat/svr4/svr4_stat.c#2 (text+ko) ==== > : > :@@ -470,14 +470,10 @@ > : break; > : #if defined(WHY_DOES_AN_EMULATOR_WANT_TO_SET_HOSTNAMES) > : case SVR4_SI_SET_HOSTNAME: > :- if ((error = suser(td)) != 0) > :- return error; > : name = KERN_HOSTNAME; > : return kern_sysctl(&name, 1, 0, 0, uap->buf, rlen, td); > : > : case SVR4_SI_SET_SRPC_DOMAIN: > :- if ((error = suser(td)) != 0) > :- return error; > : name = KERN_NISDOMAINNAME; > : return kern_sysctl(&name, 1, 0, 0, uap->buf, rlen, td); > : #else > : > :==== //depot/projects/trustedbsd/priv/sys/conf/files#2 (text+ko) ==== > : > :@@ -1335,6 +1335,7 @@ > : kern/kern_physio.c standard > : kern/kern_pmc.c standard > : kern/kern_poll.c optional device_polling > :+kern/kern_priv.c standard > : kern/kern_proc.c standard > : kern/kern_prot.c standard > : kern/kern_resource.c standard > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_cbq.c#2 (text+ko) ==== > : > :@@ -1062,7 +1062,9 @@ > : /* currently only command that an ordinary user can call */ > : break; > : default: > :-#if (__FreeBSD_version > 400000) > :+#if (__FreeBSD_version > 700000) > :+ error = priv_check(p, PRIV_ALTQ_MANAGE); > :+#elsif (__FreeBSD_version > 400000) > : error = suser(p); > : #else > : error = suser(p->p_ucred, &p->p_acflag); > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_cdnr.c#2 (text+ko) ==== > : > :@@ -1262,7 +1262,9 @@ > : case CDNR_GETSTATS: > : break; > : default: > :-#if (__FreeBSD_version > 400000) > :+#if (__FreeBSD_versoin > 700000) > :+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) > :+#elsif (__FreeBSD_version > 400000) > : if ((error = suser(p)) != 0) > : #else > : if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_hfsc.c#2 (text+ko) ==== > : > :@@ -1975,7 +1975,10 @@ > : case HFSC_GETSTATS: > : break; > : default: > :-#if (__FreeBSD_version > 400000) > :+#if (__FreeBSD_version > 700000) > :+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) > :+ return (error); > :+#elsif (__FreeBSD_version > 400000) > : if ((error = suser(p)) != 0) > : return (error); > : #else > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_priq.c#2 (text+ko) ==== > : > :@@ -772,7 +772,10 @@ > : case PRIQ_GETSTATS: > : break; > : default: > :-#if (__FreeBSD_version > 400000) > :+#if (__FreeBSD_version > 700000) > :+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) > :+ return (error); > :+#elsif (__FreeBSD_version > 400000) > : if ((error = suser(p)) != 0) > : return (error); > : #else > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_red.c#2 (text+ko) ==== > : > :@@ -781,7 +781,9 @@ > : case RED_GETSTATS: > : break; > : default: > :-#if (__FreeBSD_version > 400000) > :+#if (__FreeBSD_version > 700000) > :+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) > :+#elsif (__FreeBSD_version > 400000) > : if ((error = suser(p)) != 0) > : #else > : if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/altq/altq/altq_rio.c#2 (text+ko) ==== > : > :@@ -531,7 +531,10 @@ > : case RIO_GETSTATS: > : break; > : default: > :-#if (__FreeBSD_version > 400000) > :+#if (__FreeBSD_versoin > 700000) > :+ if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) > :+ return (error); > :+#elsif (__FreeBSD_version > 400000) > : if ((error = suser(p)) != 0) > : return (error); > : #else > : > :==== //depot/projects/trustedbsd/priv/sys/contrib/pf/net/if_pfsync.c#2 (text+ko) ==== > : > :@@ -54,6 +54,9 @@ > : #endif > : > : #include <sys/param.h> > :+#ifdef __FreeBSD__ > :+#include <sys/priv.h> > :+#endif > : #include <sys/proc.h> > : #include <sys/systm.h> > : #include <sys/time.h> > :@@ -1057,7 +1060,7 @@ > : break; > : case SIOCSETPFSYNC: > : #ifdef __FreeBSD__ > :- if ((error = suser(curthread)) != 0) > :+ if ((error = priv_check(curthread, PRIV_NETINET_PF)) != 0) > : #else > : if ((error = suser(p, p->p_acflag)) != 0) > : #endif > : > :==== //depot/projects/trustedbsd/priv/sys/dev/an/if_an.c#2 (text+ko) ==== > : > :@@ -92,6 +92,7 @@ > : #include <sys/systm.h> > : #include <sys/sockio.h> > : #include <sys/mbuf.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/kernel.h> > : #include <sys/socket.h> > :@@ -1920,7 +1921,7 @@ > : break; > : #ifdef ANCACHE > : if (sc->areq.an_type == AN_RID_ZERO_CACHE) { > :- error = suser(td); > :+ error = priv_check(td, PRIV_DRIVER); > : if (error) > : break; > : sc->an_sigitems = sc->an_nextitem = 0; > :@@ -1944,7 +1945,7 @@ > : error = copyout(&sc->areq, ifr->ifr_data, sizeof(sc->areq)); > : break; > : case SIOCSAIRONET: > :- if ((error = suser(td))) > :+ if ((error = priv_check(td, PRIV_DRIVER))) > : goto out; > : error = copyin(ifr->ifr_data, &sc->areq, sizeof(sc->areq)); > : if (error != 0) > :@@ -1952,7 +1953,7 @@ > : an_setdef(sc, &sc->areq); > : break; > : case SIOCGPRIVATE_0: /* used by Cisco client utility */ > :- if ((error = suser(td))) > :+ if ((error = priv_check(td, PRIV_DRIVER))) > : goto out; > : error = copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl)); > : if (error) > :@@ -1974,7 +1975,7 @@ > : } > : break; > : case SIOCGPRIVATE_1: /* used by Cisco client utility */ > :- if ((error = suser(td))) > :+ if ((error = priv_check(td, PRIV_DRIVER))) > : goto out; > : error = copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl)); > : if (error) > :@@ -2226,7 +2227,7 @@ > : } > : break; > : case SIOCS80211: > :- if ((error = suser(td))) > :+ if ((error = priv_check(td, PRIV_NET80211_MANAGE))) > : goto out; > : sc->areq.an_len = sizeof(sc->areq); > : /* > : > :==== //depot/projects/trustedbsd/priv/sys/dev/arl/if_arl.c#2 (text+ko) ==== > : > :@@ -43,6 +43,7 @@ > : #include <sys/mbuf.h> > : #include <sys/socket.h> > : #include <sys/sockio.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/conf.h> > : > :@@ -504,7 +505,7 @@ > : break; > : > : case SIOCS80211: > :- if ((error = suser(td))) > :+ if ((error = priv_check(td, PRIV_NET80211_MANAGE))) > : break; > : switch (ireq->i_type) { > : case IEEE80211_IOC_SSID: > :@@ -577,7 +578,7 @@ > : } > : case SIOCGARLALL: > : bzero(&arlan_io, sizeof(arlan_io)); > :- if (!suser(td)) { > :+ if (!priv_check(td, PRIV_DRIVER)) { > : bcopy(ar->systemId, arlan_io.cfg.sid, 4); > : } > : > :@@ -616,7 +617,7 @@ > : } while (0) > : > : case SIOCSARLALL: > :- if (suser(td)) > :+ if (priv_check(td, PRIV_DRIVER)) > : break; > : > : user = (void *)ifr->ifr_data; > : > :==== //depot/projects/trustedbsd/priv/sys/dev/asr/asr.c#2 (text+ko) ==== > : > :@@ -117,6 +117,7 @@ > : #include <sys/malloc.h> > : #include <sys/conf.h> > : #include <sys/ioccom.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/bus.h> > : #include <machine/resource.h> > :@@ -3114,7 +3115,7 @@ > : s = splcam (); > : if (ASR_ctlr_held) { > : error = EBUSY; > :- } else if ((error = suser(td)) == 0) { > :+ } else if ((error = priv_check(td, PRIV_DRIVER)) == 0) { > : ++ASR_ctlr_held; > : } > : splx(s); > : > :==== //depot/projects/trustedbsd/priv/sys/dev/ata/atapi-cd.c#2 (text+ko) ==== > : > :@@ -34,6 +34,7 @@ > : #include <sys/kernel.h> > : #include <sys/module.h> > : #include <sys/malloc.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/bio.h> > : #include <sys/bus.h> > :@@ -257,8 +258,11 @@ > : cdp->flags |= F_LOCKED; > : break; > : > :+ /* > :+ * XXXRW: Why does this require privilege? > :+ */ > : case CDIOCRESET: > :- error = suser(td); > :+ error = priv_check(td, PRIV_DRIVER); > : if (error) > : break; > : error = acd_test_ready(dev); > : > :==== //depot/projects/trustedbsd/priv/sys/dev/ce/if_ce.c#2 (text+ko) ==== > : > :@@ -29,6 +29,7 @@ > : #if NPCI > 0 > : > : #include <sys/ucred.h> > :+#include <sys/priv.h> > : #include <sys/proc.h> > : #include <sys/systm.h> > : #include <sys/mbuf.h> > :@@ -1341,9 +1342,11 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :-#else /* __FreeBSD_version >= 500000 */ > :+#elsif __FreeBSD_version < 700000 > : error = suser (td); > :-#endif /* __FreeBSD_version >= 500000 */ > :+#else > :+ error = priv_check (td, PRIV_DRIVER); > :+#endif > : if (error) > : return error; > : #if __FreeBSD_version >= 600034 > :@@ -1380,8 +1383,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1408,8 +1413,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1426,8 +1433,10 @@ > : CE_DEBUG2 (d, ("ioctl: setcfg\n")); > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1526,8 +1535,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1560,8 +1571,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1586,8 +1599,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1608,8 +1623,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1634,8 +1651,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1658,8 +1677,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1686,8 +1707,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1708,8 +1731,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1734,8 +1759,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1758,8 +1785,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1784,8 +1813,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1810,8 +1841,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1836,8 +1869,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1867,8 +1902,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1892,8 +1929,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1909,8 +1948,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > :@@ -1945,8 +1986,10 @@ > : /* Only for superuser! */ > : #if __FreeBSD_version < 500000 > : error = suser (p); > :+#elsif __FreeBSD_version < 700000 > :+ error = suser (td); > : #else > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : #endif > : if (error) > : return error; > : > :==== //depot/projects/trustedbsd/priv/sys/dev/cp/if_cp.c#2 (text+ko) ==== > : > :@@ -33,6 +33,7 @@ > : #include <sys/module.h> > : #include <sys/conf.h> > : #include <sys/malloc.h> > :+#include <sys/priv.h> > : #include <sys/socket.h> > : #include <sys/sockio.h> > : #include <sys/sysctl.h> > :@@ -1071,7 +1072,7 @@ > : case SERIAL_SETPROTO: > : CP_DEBUG2 (d, ("ioctl: setproto\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (d->ifp->if_drv_flags & IFF_DRV_RUNNING) > :@@ -1102,7 +1103,7 @@ > : case SERIAL_SETKEEPALIVE: > : CP_DEBUG2 (d, ("ioctl: setkeepalive\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if ((IFP2SP(d->ifp)->pp_flags & PP_FR) || > :@@ -1126,7 +1127,7 @@ > : > : case SERIAL_SETMODE: > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (*(int*)data != SERIAL_HDLC) > :@@ -1142,7 +1143,7 @@ > : > : case SERIAL_SETCFG: > : CP_DEBUG2 (d, ("ioctl: setcfg\n")); > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1239,7 +1240,7 @@ > : case SERIAL_CLRSTAT: > : CP_DEBUG2 (d, ("ioctl: clrstat\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : c->rintr = 0; > :@@ -1268,7 +1269,7 @@ > : case SERIAL_SETBAUD: > : CP_DEBUG2 (d, ("ioctl: setbaud\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : s = splimp (); > :@@ -1286,7 +1287,7 @@ > : case SERIAL_SETLOOP: > : CP_DEBUG2 (d, ("ioctl: setloop\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : s = splimp (); > :@@ -1306,7 +1307,7 @@ > : case SERIAL_SETDPLL: > : CP_DEBUG2 (d, ("ioctl: setdpll\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_SERIAL) > :@@ -1328,7 +1329,7 @@ > : case SERIAL_SETNRZI: > : CP_DEBUG2 (d, ("ioctl: setnrzi\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_SERIAL) > :@@ -1348,7 +1349,7 @@ > : case SERIAL_SETDEBUG: > : CP_DEBUG2 (d, ("ioctl: setdebug\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : d->chan->debug = *(int*)data; > :@@ -1370,7 +1371,7 @@ > : case SERIAL_SETHIGAIN: > : CP_DEBUG2 (d, ("ioctl: sethigain\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1392,7 +1393,7 @@ > : case SERIAL_SETPHONY: > : CP_DEBUG2 (d, ("ioctl: setphony\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1414,7 +1415,7 @@ > : case SERIAL_SETUNFRAM: > : CP_DEBUG2 (d, ("ioctl: setunfram\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1436,7 +1437,7 @@ > : case SERIAL_SETSCRAMBLER: > : CP_DEBUG2 (d, ("ioctl: setscrambler\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_G703 && !c->unfram) > :@@ -1461,7 +1462,7 @@ > : case SERIAL_SETMONITOR: > : CP_DEBUG2 (d, ("ioctl: setmonitor\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1483,7 +1484,7 @@ > : case SERIAL_SETUSE16: > : CP_DEBUG2 (d, ("ioctl: setuse16\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1505,7 +1506,7 @@ > : case SERIAL_SETCRC4: > : CP_DEBUG2 (d, ("ioctl: setcrc4\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1) > :@@ -1538,7 +1539,7 @@ > : case SERIAL_SETCLK: > : CP_DEBUG2 (d, ("ioctl: setclk\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if (c->type != T_E1 && > :@@ -1571,7 +1572,7 @@ > : case SERIAL_SETTIMESLOTS: > : CP_DEBUG2 (d, ("ioctl: settimeslots\n")); > : /* Only for superuser! */ > :- error = suser (td); > :+ error = priv_check (td, PRIV_DRIVER); > : if (error) > : return error; > : if ((c->type != T_E1 || c->unfram) && c->type != T_DATA) > :@@ -1597,7 +1598,7 @@ > : > :>>> TRUNCATED FOR MAIL (1000 lines) <<< > : > : > > -- > arr@watson.org >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060902084548.R84468>