diff --git a/share/man/man9/cr_seejailproc.9 b/share/man/man9/cr_seejailproc.9 new file mode 100644 --- /dev/null +++ b/share/man/man9/cr_seejailproc.9 @@ -0,0 +1,77 @@ +.\" +.\" SPDX-License-Identifier: BSD-2-Clause +.\" +.\" Copyright (c) 2023 Olivier Certner +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd June 16, 2023 +.Dt CR_SEEJAILPROC 9 +.Os +.Sh NAME +.Nm cr_seejailproc +.Nd may subjects see entities in a different jail? +.Sh SYNOPSIS +.Ft int +.Fn cr_seejailproc "struct ucred *u1" "struct ucred *u2" +.Sh DESCRIPTION +.Bf -emphasis +This function is internal. +Its functionality is integrated into function +.Xr cr_bsd_visibility 9 , +which should be called instead. +.Ef +.Pp +This function checks if a subject associated to credentials +.Fa u1 +is not denied seeing a subject or object associated to credentials +.Fa u2 +by a policy that requires both credentials to be associated to the same jail. +This is a restriction to the baseline jail policy that subjects in a jail can +see subjects or objects in the same jail or any sub-jail of it. +.Pp +This policy is active if and only if the +.Xr sysctl 8 +variable +.Va security.bsd.see_jail_proc +is non-zero. +.Pp +As usual, the superuser (effective user ID 0) is exempt from this policy +provided that the +.Xr sysctl 8 +variable +.Va security.bsd.suser_enabled +is non-zero and no active MAC policy explicitly denies the exemption +.Po +see +.Xr priv_check_cred 9 +.Pc . +.Sh RETURN VALUES +0 if the policy is disabled, the subject exempt from it or if both credentials +are associated to the same jail, +.Er ESRCH +otherwise. +.Sh SEE ALSO +.Xr cr_bsd_visibility 9 , +.Xr priv_check_cred 9 +.Sh AUTHORS +This manual page was written by +.An Olivier Certner Aq Mt olce.freebsd@certner.fr .