From d9a7152c3e89251d93085c0cc8b2de12ebfc0d89 Mon Sep 17 00:00:00 2001 From: elad Date: Sun, 16 Jul 2006 20:10:11 +0000 Subject: [PATCH] add KAUTH_GENERIC_CANSEE, which is like the KAUTH_PROCESS_CANSEE, only for two kauth_cred_t rather than kauth_cred_t and struct proc *. advise against using it in the man-page; it should be used only in cases where we either don't have an object-specific op or when we can't easily use one. --- share/man/man9/kauth.9 | 15 +++++++++++++-- sys/kern/kern_auth.c | 15 ++++++++++++++- sys/sys/kauth.h | 3 ++- 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/share/man/man9/kauth.9 b/share/man/man9/kauth.9 index 700e12cce8a0..543998de6fdc 100644 --- a/share/man/man9/kauth.9 +++ b/share/man/man9/kauth.9 @@ -1,4 +1,4 @@ -.\" $NetBSD: kauth.9,v 1.5 2006/07/14 21:58:46 elad Exp $ +.\" $NetBSD: kauth.9,v 1.6 2006/07/16 20:10:11 elad Exp $ .\" .\" Copyright (c) 2005, 2006 Elad Efrat .\" All rights reserved. @@ -28,7 +28,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 14, 2006 +.Dd July 16, 2006 .Dt KAUTH 9 .Os .Sh NAME @@ -141,6 +141,17 @@ it's treated as a to accounting flags, and the .Dv ACU flag is set. +.It Dv KAUTH_GENERIC_CANSEE +Checks whether an object with one set of credentials can access +information about another object, possibly with a different set of +credentials. +.Pp +.Ar arg0 +contains the credentials of the object looked at. +.Pp +This request should be issued only in cases where generic credentials +check is required; otherwise it is recommended to use the object-specific +routines. .El .Ss Process Scope The process scope, diff --git a/sys/kern/kern_auth.c b/sys/kern/kern_auth.c index db1ba5c68632..66fee69141a0 100644 --- a/sys/kern/kern_auth.c +++ b/sys/kern/kern_auth.c @@ -1,4 +1,4 @@ -/* $NetBSD: kern_auth.c,v 1.9 2006/07/15 05:54:56 yamt Exp $ */ +/* $NetBSD: kern_auth.c,v 1.10 2006/07/16 20:10:11 elad Exp $ */ /*- * Copyright (c) 2005, 2006 Elad Efrat @@ -730,6 +730,19 @@ kauth_authorize_cb_generic(kauth_cred_t cred, kauth_action_t action, } else error = KAUTH_RESULT_DENY; break; + + case KAUTH_GENERIC_CANSEE: + if (!security_curtain) { + error = KAUTH_RESULT_ALLOW; + } else { + kauth_cred_t cred2 = arg0; + + if (kauth_cred_uidmatch(cred, cred2)) + error = KAUTH_RESULT_ALLOW; + else + error = KAUTH_RESULT_DENY; + } + break; } return (error); diff --git a/sys/sys/kauth.h b/sys/sys/kauth.h index fc8f5aeedea8..0f8f524e567f 100644 --- a/sys/sys/kauth.h +++ b/sys/sys/kauth.h @@ -1,4 +1,4 @@ -/* $NetBSD: kauth.h,v 1.3 2006/05/28 06:49:27 yamt Exp $ */ +/* $NetBSD: kauth.h,v 1.4 2006/07/16 20:10:12 elad Exp $ */ /*- * Copyright (c) 2005, 2006 Elad Efrat @@ -74,6 +74,7 @@ typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t, * Generic scope - actions. */ #define KAUTH_GENERIC_ISSUSER 1 /* check for super-user */ +#define KAUTH_GENERIC_CANSEE 2 /* check if can see other cred */ #define NOCRED ((kauth_cred_t)-1) /* no credential available */ #define FSCRED ((kauth_cred_t)-2) /* filesystem credential */