.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 18, 2023
.Dt CR_CANSEEJAILPROC 9
.Os
.Sh NAME
.Nm cr_canseejailproc
.Nd determine if subjects may see entities in sub-jails
.Sh SYNOPSIS
.Ft int
.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
.Sh DESCRIPTION
.Bf -emphasis
This function is internal.
Its functionality is integrated into the function
.Xr cr_bsd_visible 9 ,
which should be called instead.
.Ef
.Pp
This function checks whether a subject associated with credentials
.Fa u1
is denied seeing a subject or object associated with credentials
.Fa u2
by a policy that requires both credentials to be associated with the same jail.
This is a restriction of the baseline jail policy, under which a subject can see
subjects or objects in its own jail or in any sub-jail of it.
.Pp
This policy is active if and only if the
.Xr sysctl 8
variable
.Va security.bsd.see_jail_proc
is set to zero.
.Pp
As usual, the superuser (effective user ID 0) is exempt from this policy
provided that the
.Xr sysctl 8
variable
.Va security.bsd.suser_enabled
is non-zero and no active MAC policy explicitly denies the exemption
.Po
see
.Xr priv_check_cred 9
.Pc .
.Sh RETURN VALUES
The
.Fn cr_canseejailproc
function returns 0 if the policy is disabled, if both credentials are associated
with the same jail, or if
.Fa u1
has a privilege exempting it from the policy.
Otherwise, it returns
.Er ESRCH .
.Sh SEE ALSO
.Xr cr_bsd_visible 9 ,
.Xr priv_check_cred 9
.Sh AUTHORS
This manual page was written by
.An Olivier Certner Aq Mt olce.freebsd@certner.fr .
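The decision described in the DESCRIPTION and RETURN VALUES sections, written out as a self-contained userland model. This is an added example and not the FreeBSD kernel implementation of cr_canseejailproc(): `struct model_cred`, `struct model_knobs`, the `mac_denies` flag and `model_priv_check()` are stand-ins for `struct ucred`, the two sysctl(8) variables and the priv_check_cred(9) call the manual page refers to. It lets a reader confirm, for a given combination of jail membership, effective UID and knob settings, which of the three "returns 0" conditions applies and when the caller gets ESRCH instead.

```c
/*
 * Added model of the cr_canseejailproc(9) policy, not the kernel code.
 * Every type and knob below is a stand-in (assumption) for the kernel
 * objects the manual page names.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the parts of struct ucred the policy consults. */
struct model_cred {
	int jail_id;	/* identifier of the jail the credential belongs to */
	int euid;	/* effective user ID */
};

/* Stand-ins for the sysctl(8) variables and the MAC decision. */
struct model_knobs {
	int see_jail_proc;	/* security.bsd.see_jail_proc */
	int suser_enabled;	/* security.bsd.suser_enabled */
	bool mac_denies;	/* an active MAC policy denies the exemption */
};

/*
 * Model of the priv_check_cred(9) outcome for this one privilege:
 * 0 when the superuser exemption is granted, EPERM otherwise.
 */
static int
model_priv_check(const struct model_cred *cr, const struct model_knobs *k)
{
	if (cr->euid != 0)		/* not the superuser */
		return EPERM;
	if (!k->suser_enabled)		/* superuser exemptions switched off */
		return EPERM;
	if (k->mac_denies)		/* MAC policy explicitly denies */
		return EPERM;
	return 0;
}

/*
 * Model of cr_canseejailproc(): 0 when u1 may see u2, ESRCH when the
 * same-jail policy denies it.  The three conditions mirror RETURN VALUES.
 */
int
model_cr_canseejailproc(const struct model_cred *u1,
    const struct model_cred *u2, const struct model_knobs *k)
{
	if (k->see_jail_proc != 0)		/* policy disabled */
		return 0;
	if (u1->jail_id == u2->jail_id)		/* same jail */
		return 0;
	if (model_priv_check(u1, k) == 0)	/* privileged subject is exempt */
		return 0;
	return ESRCH;
}

/* Convenience wrapper: build both credentials and the knobs from scalars. */
int
model_check(int see_jail_proc, int suser_enabled, bool mac_denies,
    int u1_jail, int u1_euid, int u2_jail)
{
	struct model_knobs k = { see_jail_proc, suser_enabled, mac_denies };
	struct model_cred u1 = { u1_jail, u1_euid };
	struct model_cred u2 = { u2_jail, 1001 };	/* u2's euid is irrelevant */

	return model_cr_canseejailproc(&u1, &u2, &k);
}

int
main(void)
{
	/* Constructed scenarios: jail 0 is the host, jail 7 a sub-jail of it. */
	printf("unprivileged, sub-jail, policy active: %d (ESRCH is %d)\n",
	    model_check(0, 1, false, 0, 1001, 7), ESRCH);
	printf("same jail, policy active:              %d\n",
	    model_check(0, 1, false, 7, 1001, 7));
	printf("root, sub-jail, policy active:         %d\n",
	    model_check(0, 1, false, 0, 0, 7));
	printf("root, suser_enabled=0:                 %d\n",
	    model_check(0, 0, false, 0, 0, 7));
	printf("root, MAC denies exemption:            %d\n",
	    model_check(0, 1, true, 0, 0, 7));
	printf("policy disabled (see_jail_proc=1):     %d\n",
	    model_check(1, 1, false, 0, 1001, 7));
	return 0;
}
```

The ordering of the three checks is the one the RETURN VALUES section lists; note that with `security.bsd.see_jail_proc` at zero an unprivileged subject in the host is denied even for a sub-jail of its own jail, which is exactly the restriction on the baseline policy the DESCRIPTION describes.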