D40631.id124433.diff
diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -70,9 +70,10 @@
counter.9 \
cpuset.9 \
cr_cansee.9 \
- critical_enter.9 \
+ cr_seejailproc.9 \
cr_seeothergids.9 \
cr_seeotheruids.9 \
+ critical_enter.9 \
crypto.9 \
crypto_buffer.9 \
crypto_driver.9 \
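Review bot: the relocation of `critical_enter.9` mixes an unrelated sort fix into what is otherwise a one-line addition of `cr_seejailproc.9`; the resulting order is correct (`cr_` sorts before `cri` in ASCII, so the entry belongs after `cr_seeotheruids.9`), but it would read more clearly as a separate commit or at least a note in the commit message saying the list was resorted.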
diff --git a/share/man/man9/cr_seejailproc.9 b/share/man/man9/cr_seejailproc.9
new file mode 100644
--- /dev/null
+++ b/share/man/man9/cr_seejailproc.9
@@ -0,0 +1,77 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 16, 2023
+.Dt CR_SEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_seejailproc
+.Nd may subjects see entities in a different jail?
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_seejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into function
+.Xr cr_bsd_visibility 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is not denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that subjects in a jail can
+see subjects or objects in the same jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is non-zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+0 if the policy is disabled, the subject exempt from it or if both credentials
+are associated to the same jail,
+.Er ESRCH
+otherwise.
+.Sh SEE ALSO
+.Xr cr_bsd_visibility 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.freebsd@certner.fr .
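Review bot: check the polarity of the sysctl condition in DESCRIPTION: the text states that the restriction "is active if and only if ... security.bsd.see_jail_proc is non-zero", yet a knob named `see_jail_proc` reads as permitting cross-jail visibility when set, which would make the restriction active when the variable is zero; verify against the variable's definition in the kernel and make RETURN VALUES ("0 if the policy is disabled ...") consistent with whichever reading is correct. Two smaller points: "associated to credentials" should be "associated with credentials" throughout, and "the subject exempt from it" in RETURN VALUES needs a verb ("the subject is exempt from it"). The `.Nd` line could also follow the convention of the sibling pages (`cr_seeothergids.9`, `cr_seeotheruids.9`) with a lowercase, non-interrogative one-line description such as "determine visibility of subjects and objects across jails".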
