| vfs_acl.c (f6a4109212fd8fbabc731f07b2dd5c7e07fbec33) | vfs_acl.c (56f21b9d74a516a6c2f67d09e1b6c588bfa54c6a) |
|---|---|
| 1/*- 2 * Copyright (c) 1999-2003 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * This software was developed by Robert Watson for the TrustedBSD Project. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 78 unchanged lines hidden (view full) --- 87 if (privused != NULL) 88 *privused = 0; 89 90 /* 91 * Determine privileges now, but don't apply until we've found 92 * a DAC entry that matches but has failed to allow access. 93 */ 94#ifndef CAPABILITIES | 1/*- 2 * Copyright (c) 1999-2003 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * This software was developed by Robert Watson for the TrustedBSD Project. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 78 unchanged lines hidden (view full) --- 87 if (privused != NULL) 88 *privused = 0; 89 90 /* 91 * Determine privileges now, but don't apply until we've found 92 * a DAC entry that matches but has failed to allow access. 93 */ 94#ifndef CAPABILITIES |
| 95 if (suser_cred(cred, PRISON_ROOT) == 0) | 95 if (suser_cred(cred, SUSER_ALLOWJAIL) == 0) |
| 96 cap_granted = VALLPERM; 97 else 98 cap_granted = 0; 99#else 100 cap_granted = 0; 101 102 if (type == VDIR) { 103 if ((acc_mode & VEXEC) && !cap_check(cred, NULL, | 96 cap_granted = VALLPERM; 97 else 98 cap_granted = 0; 99#else 100 cap_granted = 0; 101 102 if (type == VDIR) { 103 if ((acc_mode & VEXEC) && !cap_check(cred, NULL, |
| 104 CAP_DAC_READ_SEARCH, PRISON_ROOT)) | 104 CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) |
| 105 cap_granted |= VEXEC; 106 } else { 107 if ((acc_mode & VEXEC) && !cap_check(cred, NULL, | 105 cap_granted |= VEXEC; 106 } else { 107 if ((acc_mode & VEXEC) && !cap_check(cred, NULL, |
| 108 CAP_DAC_EXECUTE, PRISON_ROOT)) | 108 CAP_DAC_EXECUTE, SUSER_ALLOWJAIL)) |
| 109 cap_granted |= VEXEC; 110 } 111 112 if ((acc_mode & VREAD) && !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, | 109 cap_granted |= VEXEC; 110 } 111 112 if ((acc_mode & VREAD) && !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, |
| 113 PRISON_ROOT)) | 113 SUSER_ALLOWJAIL)) |
| 114 cap_granted |= VREAD; 115 116 if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) && | 114 cap_granted |= VREAD; 115 116 if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) && |
| 117 !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT)) | 117 !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL)) |
| 118 cap_granted |= (VWRITE | VAPPEND); 119 120 if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER, | 118 cap_granted |= (VWRITE | VAPPEND); 119 120 if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER, |
| 121 PRISON_ROOT)) | 121 SUSER_ALLOWJAIL)) |
| 122 cap_granted |= VADMIN; 123#endif /* CAPABILITIES */ 124 125 /* 126 * The owner matches if the effective uid associated with the 127 * credential matches that of the ACL_USER_OBJ entry. While we're 128 * doing the first scan, also cache the location of the ACL_MASK 129 * and ACL_OTHER entries, preventing some future iterations. --- 894 unchanged lines hidden --- | 122 cap_granted |= VADMIN; 123#endif /* CAPABILITIES */ 124 125 /* 126 * The owner matches if the effective uid associated with the 127 * credential matches that of the ACL_USER_OBJ entry. While we're 128 * doing the first scan, also cache the location of the ACL_MASK 129 * and ACL_OTHER entries, preventing some future iterations. --- 894 unchanged lines hidden --- |