Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add KAUTH_GENERIC_CANSEE, which is like the KAUTH_PROCESS_CANSEE, only

Browse Source 
for two kauth_cred_t rather than kauth_cred_t and struct proc *.

advise against using it in the man-page; it should be used only in cases
where we either don't have an object-specific op or when we can't easily
use one.
This commit is contained in:
elad 2006-07-16 20:10:11 +00:00
parent 85fccc00b0
commit d9a7152c3e
3 changed files with 29 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
share/man/man9/kauth.9
View File

@ -1,4 +1,4 @@
.\" $NetBSD: kauth.9,v 1.5 2006/07/14 21:58:46 elad Exp $ .\" $NetBSD: kauth.9,v 1.6 2006/07/16 20:10:11 elad Exp $
.\" .\"
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> .\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved. .\" All rights reserved.
@ -28,7 +28,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd July 14, 2006 .Dd July 16, 2006
.Dt KAUTH 9 .Dt KAUTH 9
.Os .Os
.Sh NAME .Sh NAME
@ -141,6 +141,17 @@ it's treated as a
to accounting flags, and the to accounting flags, and the
.Dv ACU .Dv ACU
flag is set. flag is set.
.It Dv KAUTH_GENERIC_CANSEE
Checks whether an object with one set of credentials can access
information about another object, possibly with a different set of
credentials.
.Pp
.Ar arg0
contains the credentials of the object looked at.
.Pp
This request should be issued only in cases where generic credentials
check is required; otherwise it is recommended to use the object-specific
routines.
.El .El
.Ss Process Scope .Ss Process Scope
The process scope, The process scope,

15
sys/kern/kern_auth.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: kern_auth.c,v 1.9 2006/07/15 05:54:56 yamt Exp $ */ /* $NetBSD: kern_auth.c,v 1.10 2006/07/16 20:10:11 elad Exp $ */
/*- /*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -730,6 +730,19 @@ kauth_authorize_cb_generic(kauth_cred_t cred, kauth_action_t action,
} else } else
error = KAUTH_RESULT_DENY; error = KAUTH_RESULT_DENY;
break; break;
case KAUTH_GENERIC_CANSEE:
if (!security_curtain) {
error = KAUTH_RESULT_ALLOW;
} else {
kauth_cred_t cred2 = arg0;
if (kauth_cred_uidmatch(cred, cred2))
error = KAUTH_RESULT_ALLOW;
else
error = KAUTH_RESULT_DENY;
}
break;
} }
return (error); return (error);

3
sys/sys/kauth.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: kauth.h,v 1.3 2006/05/28 06:49:27 yamt Exp $ */ /* $NetBSD: kauth.h,v 1.4 2006/07/16 20:10:12 elad Exp $ */
/*- /*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -74,6 +74,7 @@ typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
* Generic scope - actions. * Generic scope - actions.
*/ */
#define KAUTH_GENERIC_ISSUSER 1 /* check for super-user */ #define KAUTH_GENERIC_ISSUSER 1 /* check for super-user */
#define KAUTH_GENERIC_CANSEE 2 /* check if can see other cred */
#define NOCRED ((kauth_cred_t)-1) /* no credential available */ #define NOCRED ((kauth_cred_t)-1) /* no credential available */
#define FSCRED ((kauth_cred_t)-2) /* filesystem credential */ #define FSCRED ((kauth_cred_t)-2) /* filesystem credential */