author | Robert Watson <rwatson@FreeBSD.org> | 2007-06-12 00:12:01 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2007-06-12 00:12:01 +0000 |
commit | 32f9753cfbfe844fa6c02c88c7ca96617e903d8e (patch) | |
tree | c439df85bebf079d07319c231d64ac481577b036 /sys/netinet | |
parent | efe641b939baf83c13aa60cadaa44ad5a501e824 (diff) | |
Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.
Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.
We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths. Do, however, move those prototypes to priv.h.
Reviewed by: csjp
Obtained from: TrustedBSD Project
Notes
Notes:
svn path=/head/; revision=170587
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in_pcb.c | 6 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 9 | ||||
-rw-r--r-- | sys/netinet/sctp_pcb.c | 10 | ||||
-rw-r--r-- | sys/netinet/sctp_usrreq.c | 14 | ||||
-rw-r--r-- | sys/netinet/tcp_subr.c | 6 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 3 |
6 files changed, 14 insertions, 34 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index d7d829052a36..61f2894706c4 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -340,13 +340,13 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp, if (ntohs(lport) <= ipport_reservedhigh && ntohs(lport) >= ipport_reservedlow && priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL)) + 0)) return (EACCES); if (jailed(cred)) prison = 1; if (!IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) && priv_check_cred(so->so_cred, - PRIV_NETINET_REUSEPORT, SUSER_ALLOWJAIL) != 0) { + PRIV_NETINET_REUSEPORT, 0) != 0) { t = in_pcblookup_local(inp->inp_pcbinfo, sin->sin_addr, lport, prison ? 0 : INPLOOKUP_WILDCARD); @@ -411,7 +411,7 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp, lastport = &pcbinfo->ipi_lasthi; } else if (inp->inp_flags & INP_LOWPORT) { error = priv_check_cred(cred, - PRIV_NETINET_RESERVEDPORT, SUSER_ALLOWJAIL); + PRIV_NETINET_RESERVEDPORT, 0); if (error) return error; first = ipport_lowfirstauto; /* 1023 */ diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 3eef187c4fbe..5329c6c2df6f 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -607,13 +607,8 @@ rip_attach(struct socket *so, int proto, struct thread *td) inp = sotoinpcb(so); KASSERT(inp == NULL, ("rip_attach: inp != NULL")); - /* - * XXXRW: Centralize privilege decision in kern_jail.c. - */ - if (jailed(td->td_ucred) && !jail_allow_raw_sockets) - return (EPERM); - error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW, - SUSER_ALLOWJAIL); + + error = priv_check(td, PRIV_NETINET_RAW); if (error) return error; if (proto >= IPPROTO_MAX || proto < 0) diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index a803eca1c38b..5423208e046f 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c 
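Review bot: The two privilege checks in the first in_pcb.c hunk consult different credentials: `PRIV_NETINET_RESERVEDPORT` is checked against `cred`, while `PRIV_NETINET_REUSEPORT` is checked against `so->so_cred`, and nothing in the visible lines says whether the two can differ. If the split is deliberate, a short comment at the second call would record it, for example `/* REUSEPORT is checked against the socket's credential, not 'cred'. */`; if it is not, both calls should use the same credential. The `jailed(cred)` test that remains only sets `prison` for the later lookup, so a comment that it scopes the lookup and is not a privilege exception would keep it from being removed in a later cleanup. The third call, in the `INP_LOWPORT` branch of the second hunk, has the same bare `0` flags argument; in_pcbbind_setup starts and ends outside both hunks.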
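Review bot: After this hunk, denying raw sockets inside a jail in rip_attach depends entirely on how kern_jail.c treats `PRIV_NETINET_RAW`, and that file is not part of this diff (limited to sys/netinet). The removed lines were the only place here that tied `jail_allow_raw_sockets` to this path, so it is worth confirming that the jail code still consults that setting for this privilege and refuses by default. I would leave a pointer at the call, such as `/* Jail policy for raw sockets (jail_allow_raw_sockets) is applied in kern_jail.c via priv_check(). */`. The new side also keeps `return error;` without parentheses, unlike the `return (EPERM);` it removes. rip_attach continues outside the hunk.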
@@ -2155,10 +2155,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct thread *p) /* got to be root to get at low ports */ if (ntohs(lport) < IPPORT_RESERVED) { if (p && (error = - priv_check_cred(p->td_ucred, - PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL - ) + priv_check(p, PRIV_NETINET_RESERVEDPORT) )) { SCTP_INP_DECR_REF(inp); SCTP_INP_WUNLOCK(inp); @@ -2228,10 +2225,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct thread *p) last = ipport_hilastauto; } else if (ip_inp->inp_flags & INP_LOWPORT) { if (p && (error = - priv_check_cred(p->td_ucred, - PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL - ) + priv_check(p, PRIV_NETINET_RESERVEDPORT) )) { SCTP_INP_DECR_REF(inp); SCTP_INP_WUNLOCK(inp); diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c index cc69ba11f3a4..0bd92b31d88e 100644 --- a/sys/netinet/sctp_usrreq.c +++ b/sys/netinet/sctp_usrreq.c @@ -386,13 +386,8 @@ sctp_getcred(SYSCTL_HANDLER_ARGS) /* FIX, for non-bsd is this right? */ vrf_id = SCTP_DEFAULT_VRFID; - /* - * XXXRW: Other instances of getcred use SUSER_ALLOWJAIL, as socket - * visibility is scoped using cr_canseesocket(), which it is not - * here. - */ - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); + if (error) return (error); @@ -3439,9 +3434,8 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, { union sctp_sockstore *ss; - error = priv_check_cred(curthread->td_ucred, - PRIV_NETINET_RESERVEDPORT, - SUSER_ALLOWJAIL); + error = priv_check(curthread, + PRIV_NETINET_RESERVEDPORT); if (error) break; diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 2f300d5b4667..64c53641360b 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c 
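Review bot: The reserved-port check in sctp_inpcb_bind is skipped whenever `p` is NULL, because the condition is `if (p && (error = priv_check(p, PRIV_NETINET_RESERVEDPORT)))`; this applies to both hunks in this file. A bind with no thread therefore reaches a port below `IPPORT_RESERVED` with no privilege decision at all. That may be intended for kernel-originated binds, but the visible lines do not say so. Either document which callers pass NULL, or fail closed by setting `error` and taking the same unwind path when `p == NULL`. Separately, the first hunk tests the fixed `IPPORT_RESERVED` while in_pcb.c in this same commit tests the `ipport_reservedlow`/`ipport_reservedhigh` range, so the two protocols can disagree about which ports are reserved.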
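Review bot: The XXXRW comment deleted from sctp_getcred recorded that this handler, unlike the other getcred handlers, does not scope socket visibility with `cr_canseesocket()`, and the hunk removes the note without visibly adding that check. If the jail code grants `PRIV_NETINET_GETCRED` inside a jail, this path would then have no per-socket visibility test. The rest of the function is outside the hunk, so this needs confirming there. Either add the `cr_canseesocket()` test after the lookup or keep a shortened marker such as `/* XXXRW: no cr_canseesocket() scoping here, unlike tcp/udp getcred. */`. The sctp_setopt hunk in the same file checks `curthread` rather than a thread passed in by the caller; its signature is cut off in the hunk header, so whether one is available cannot be told from here.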
@@ -1019,8 +1019,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS) struct inpcb *inp; int error; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); @@ -1064,8 +1063,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS) struct inpcb *inp; int error, mapped = 0; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 96dc044cd327..f6031d6d524d 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -696,8 +696,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS) struct inpcb *inp; int error; - error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, - SUSER_ALLOWJAIL); + error = priv_check(req->td, PRIV_NETINET_GETCRED); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); |