author Olivier Certner <olce.freebsd@certner.fr> 2023-08-17 23:54:42 +0000
committer Olivier Certner <olce@FreeBSD.org> 2023-12-21 13:37:08 +0000
commit 6eecda225f11f1e139976b08c439bbf357f1553a (patch)
tree c90a3a9434dc724e5d47d1b60c739a328f4104a6 /share
parent 32a9108cdcc671547d087cf6eecbcdb37064b8ab (diff)
cr_cansee(9): cr_bsd_visible() impacts, simplifications
Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9).
Defer to cr_bsd_visible() for controlling sysctl(8) variables.

Reviewed by:            bcr, mhorne
Sponsored by:           Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40636

(cherry picked from commit 82f9bc9ea8ed660c61050ad1d92f1a64108c7004)

Approved by:            markj (mentor)
Diffstat (limited to 'share')
-rw-r--r--  share/man/man9/cr_cansee.9 | 61
1 files changed, 27 insertions, 34 deletions
diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9
index 4824a231170b..d5cdfdd6f8e5 100644
--- a/share/man/man9/cr_cansee.9
+++ b/share/man/man9/cr_cansee.9
@@ -1,5 +1,6 @@
.\"
.\" Copyright (c) 2006 Ceri Davies <ceri@FreeBSD.org>
+.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
.\"
.\" All rights reserved.
.\"
@@ -23,43 +24,39 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 19, 2006
+.Dd August 18, 2023
.Dt CR_CANSEE 9
.Os
.Sh NAME
.Nm cr_cansee
.Nd "determine visibility of objects given their user credentials"
.Sh SYNOPSIS
-.In sys/param.h
-.In sys/systm.h
-.In sys/ucred.h
+.In sys/proc.h
.Ft int
.Fn cr_cansee "struct ucred *u1" "struct ucred *u2"
.Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the real user IDs and group IDs in the credentials
+This function determines if a subject with credential
.Fa u1
-and
-.Fa u2
-associated with them.
+can see a subject or object associated to credential
+.Fa u2 .
.Pp
-The visibility of objects is influenced by the
+Specific types of subjects may need to submit to additional or different
+restrictions.
+As an example, for processes, see
+.Xr p_cansee 9 ,
+which calls this function.
+.Pp
+The implementation relies on
+.Xr cr_bsd_visible 9
+and consequently the
.Xr sysctl 8
-variables
-.Va security.bsd.see_other_gids
-and
-.Va security.bsd.see_other_uids ,
-as per the description in
-.Xr cr_canseeothergids 9
-and
-.Xr cr_canseeotheruids 9
-respectively.
+variables referenced in its manual page influence the result.
.Sh RETURN VALUES
-This function returns zero if the object with credential
+This function returns zero if the subject with credential
.Fa u1
can
.Dq see
-the object with credential
+the subject or object with credential
.Fa u2 ,
or
.Er ESRCH
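Review bot: in the new DESCRIPTION text, "can see a subject or object associated to credential" should read "associated with credential". More substantively, the rewritten DESCRIPTION now explains only the dependence on cr_bsd_visible(9) and its sysctl(8) variables, while the ERRORS section of the same page lists two further reasons for ESRCH (jail containment via prison_check(9) and a MAC denial), so a reader of DESCRIPTION alone would not learn that those checks are part of the decision. Suggest adding a short sentence after the cr_bsd_visible(9) paragraph, for example "Visibility is also subject to jail containment, see .Xr prison_check 9 , and to the MAC framework, see .Xr mac 9 ." Also consider whether dropping "sys/param.h" and "sys/systm.h" from the SYNOPSIS is intended: the declaration of cr_cansee() lives in sys/proc.h, so the change is correct, but it diverges from the include list of the neighbouring credential manual pages and may deserve a mention in the commit message.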
@@ -67,24 +64,20 @@ otherwise.
.Sh ERRORS
.Bl -tag -width Er
.It Bq Er ESRCH
-The object with credential
-.Fa u1
-cannot
-.Dq see
-the object with credential
-.Fa u2 .
-.It Bq Er ESRCH
-The object with credential
+The subject with credential
.Fa u1
-has been jailed and the object with credential
+has been jailed and the subject or object with credential
.Fa u2
-does not belong to the same jail as
-.Fa u1 .
+does not belong to the same jail or one of its sub-jails, as determined by
+.Xr prison_check 9 .
.It Bq Er ESRCH
The MAC subsystem denied visibility.
+.It Bq Er ESRCH
+.Xr cr_bsd_visible 9
+denied visibility according to the BSD security policies in force.
.El
.Sh SEE ALSO
-.Xr cr_canseeothergids 9 ,
-.Xr cr_canseeotheruids 9 ,
+.Xr prison_check 9 ,
.Xr mac 9 ,
+.Xr cr_bsd_visible 9 ,
.Xr p_cansee 9
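Review bot: the SEE ALSO list in this hunk is not in the order mdoc(7) asks for (ascending section number, then alphabetical within a section): all four entries are section 9, so "cr_bsd_visible 9" should come first and "prison_check 9" last, giving `.Xr cr_bsd_visible 9 ,` / `.Xr mac 9 ,` / `.Xr p_cansee 9 ,` followed by `.Xr prison_check 9`. In ERRORS, the function still returns a bare ESRCH whichever check fails, so the four separate "[ESRCH]" entries cannot be told apart by a caller; that follows the pre-existing style of the page and is acceptable, but a single ESRCH entry enumerating the possible causes (jail, MAC, cr_bsd_visible(9)) would make that point explicit.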