
D40631.id125809.diff

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -70,6 +70,7 @@
counter.9 \
cpuset.9 \
cr_cansee.9 \
+ cr_canseejailproc.9 \
cr_canseeothergids.9 \
cr_canseeotheruids.9 \
critical_enter.9 \
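Review bot: the new page's SEE ALSO cross-references cr_bsd_visible(9), but no `cr_bsd_visible.9` entry is visible in this Makefile hunk (it would sort between `cpuset.9 \` and `cr_cansee.9 \`). If that page is not added by an earlier commit in this series, the `.Xr cr_bsd_visible 9` references will dangle and `make manlint` will flag them; either add the entry here or note the dependency in the review summary.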
diff --git a/share/man/man9/cr_canseejailproc.9 b/share/man/man9/cr_canseejailproc.9
new file mode 100644
--- /dev/null
+++ b/share/man/man9/cr_canseejailproc.9
@@ -0,0 +1,81 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 16, 2023
+.Dt CR_CANSEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_canseejailproc
+.Nd determine if subjects may see entities in sub-jails
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that a subject can see
+subjects or objects in its own jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+The
+.Fn cr_canseejailproc
+function returns 0 if the policy is disabled, both credentials are associated to
+the same jail, or if
+ .Fa u1
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
+.Sh SEE ALSO
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.freebsd@certner.fr .
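Review bot: in the RETURN VALUES section the line ` .Fa u1` (the one after "the same jail, or if") begins with a space, so mdoc will not treat it as a macro line and the rendered page will show the literal text ".Fa u1" instead of the formatted argument name; drop the leading space so it reads `.Fa u1` in column one, like the other `.Fa` lines in the page. Two smaller points: `.Nd determine if subjects may see entities in sub-jails` describes the opposite of what the function checks (the DESCRIPTION says it tests whether visibility is *denied* by the same-jail restriction), so something like "determine if subjects are denied seeing entities in sub-jails" would match the text; and `.Dd June 16, 2023` should be bumped to the commit date when this lands.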
