From 5fdcd70349e1110a6e7d6790fc4fcc48ebf83f51 Mon Sep 17 00:00:00 2001 From: perseant Date: Thu, 20 Jul 2006 23:14:09 +0000 Subject: [PATCH] Move the kauth checks up front, so that all new LFS fcntl calls are subject to the check for superuser privilege. --- sys/ufs/lfs/lfs_vnops.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/sys/ufs/lfs/lfs_vnops.c b/sys/ufs/lfs/lfs_vnops.c index fda5241a936c..abfb2bf66475 100644 --- a/sys/ufs/lfs/lfs_vnops.c +++ b/sys/ufs/lfs/lfs_vnops.c @@ -1,4 +1,4 @@ -/* $NetBSD: lfs_vnops.c,v 1.183 2006/07/13 22:08:00 martin Exp $ */ +/* $NetBSD: lfs_vnops.c,v 1.184 2006/07/20 23:14:09 perseant Exp $ */ /*- * Copyright (c) 1999, 2000, 2001, 2002, 2003 The NetBSD Foundation, Inc. @@ -67,7 +67,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: lfs_vnops.c,v 1.183 2006/07/13 22:08:00 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: lfs_vnops.c,v 1.184 2006/07/20 23:14:09 perseant Exp $"); #ifdef _KERNEL_OPT #include "opt_compat_netbsd.h" @@ -1406,7 +1406,13 @@ lfs_fcntl(void *v) return ESHUTDOWN; } + /* LFS control and monitoring fcntls are available only to root */ p = ap->a_l->l_proc; + if (((ap->a_command & 0xff00) >> 8) == 'L' && + (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) + return (error); + fs = VTOI(ap->a_vp)->i_lfs; fsidp = &ap->a_vp->v_mount->mnt_stat.f_fsidx; @@ -1432,9 +1438,6 @@ lfs_fcntl(void *v) case LFCNBMAPV: case LFCNMARKV: - if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, - &p->p_acflag)) != 0) - return (error); blkvp = *(struct lfs_fcntl_markv *)ap->a_data; blkcnt = blkvp.blkcnt; @@ -1507,10 +1510,6 @@ lfs_fcntl(void *v) case LFCNIFILEFH: /* Return the filehandle of the Ifile */ - if ((error = kauth_authorize_generic(ap->a_l->l_proc->p_cred, - KAUTH_GENERIC_ISSUSER, - &ap->a_l->l_proc->p_acflag)) != 0) - return (error); fhp = (struct fhandle *)ap->a_data; fhp->fh_fsid = *fsidp; fh_size = sizeof(union lfs_fhandle) -