author | Robert Watson <rwatson@FreeBSD.org> | 2001-05-06 16:15:42 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2001-05-06 16:15:42 +0000 |
commit | 29b2efeb6bbce8f8def354194ef4b45fbeb241a0 (patch) | |
tree | 647ee1f325b36e5031d726670a403ec9f99801b8 /sys/kern/p1003_1b.c | |
parent | a2b5df0a56885090afaa201ab02cf7fd23f0de38 (diff) | |
o First step in cleaning up authorization code for the posix4
implementation. Move from direct uid 0 comparison to using suser_xxx()
call with the same semantics. Simplify CAN_AFFECT() macro as passed
pcred was redundant. The checks here still aren't "right", but they
are probably "better".
Obtained from: TrustedBSD Project
Notes
Notes:
svn path=/head/; revision=76316
Diffstat (limited to 'sys/kern/p1003_1b.c')
-rw-r--r-- | sys/kern/p1003_1b.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/sys/kern/p1003_1b.c b/sys/kern/p1003_1b.c
index 577456f62c4a..569bb6f78f6e 100644
--- a/sys/kern/p1003_1b.c
+++ b/sys/kern/p1003_1b.c
@@ -70,14 +70,14 @@ MALLOC_DEFINE(M_P31B, "p1003.1b", "Posix 1003.1B");
 *
 * Can process p, with pcred pc, do "write flavor" operations to process q?
 */
-#define CAN_AFFECT(p, pc, q) \
- ((pc)->pc_ucred->cr_uid == 0 || \
- (pc)->p_ruid == (q)->p_cred->p_ruid || \
- (pc)->pc_ucred->cr_uid == (q)->p_cred->p_ruid || \
- (pc)->p_ruid == (q)->p_ucred->cr_uid || \
- (pc)->pc_ucred->cr_uid == (q)->p_ucred->cr_uid)
+#define CAN_AFFECT(p, q) \
+ (!suser_xxx(NULL, p, PRISON_ROOT) || \
+ (p)->p_cred->pc_ruid == (q)->p_cred->p_ruid || \
+ (p)->p_ucred->cr_uid == (q)->p_cred->p_ruid || \
+ (p)->p_cred->pc_ruid == (q)->p_ucred->cr_uid || \
+ (p)->p_ucred->cr_uid == (q)->p_ucred->cr_uid)
 #else
-#define CAN_AFFECT(p, pc, q) ((pc)->pc_ucred->cr_uid == 0)
+#define CAN_AFFECT(p, q) (!suser_xxx(NULL, p, PRISON_ROOT))
 #endif
 /*
@@ -99,7 +99,7 @@ int p31b_proc(struct proc *p, pid_t pid, struct proc **pp)
 {
 /* Enforce permission policy. */
- if (CAN_AFFECT(p, p->p_cred, other_proc))
+ if (CAN_AFFECT(p, other_proc))
 *pp = other_proc;
 else
 ret = EPERM; |
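Review bot: In the first branch of the new `CAN_AFFECT(p, q)`, the caller's real uid is read as `(p)->p_cred->pc_ruid` while the target's is read as `(q)->p_cred->p_ruid`; both arguments are `struct proc *` at the call site in the second hunk, so only one of these member names can exist, and the removed lines used `p_ruid`. The two affected lines presumably should read `(p)->p_cred->p_ruid == (q)->p_cred->p_ruid || \` and `(p)->p_cred->p_ruid == (q)->p_ucred->cr_uid || \`; the preprocessor condition guarding this branch is outside the hunk, so it may simply not be compiled today. Separately, `PRISON_ROOT` lets a jailed root satisfy the `suser_xxx()` clause, and nothing in the macro checks that `q` is in the same jail; whether the lookup that yields `other_proc` is jail-aware is not visible here, so a jail check on `q` or a comment recording that cross-jail access is intended would help. The comment above the macro still says "with pcred pc" although that parameter is gone; suggest `* Can process p do "write flavor" operations to process q?`.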