sys/kern/kern_prot.c
| * 'see_other_gids' policy. | * 'see_other_gids' policy. | ||||
| * Returns: 0 for permitted, ESRCH otherwise | * Returns: 0 for permitted, ESRCH otherwise | ||||
| * Locks: none | * Locks: none | ||||
| * References: *u1 and *u2 must not change during the call | * References: *u1 and *u2 must not change during the call | ||||
| * u1 may equal u2, in which case only one reference is required | * u1 may equal u2, in which case only one reference is required | ||||
| */ | */ | ||||
| static int | static int | ||||
| cr_canseeothergids(struct ucred *u1, struct ucred *u2) | cr_canseeothergids(struct ucred *u1, struct ucred *u2) | ||||
| { | { | ||||
| int i, match; | |||||
| if (!see_other_gids) { | if (!see_other_gids) { | ||||
mhorne: This is a style regression. Even though `see_other_gids` has an `int` type, it is a boolean variable and so we should check its truthiness directly.
| match = 0; | if (realgroupmember(u1->cr_rgid, u2)) | ||||
| for (i = 0; i < u1->cr_ngroups; i++) { | return (0); | ||||
| if (groupmember(u1->cr_groups[i], u2)) | |||||
| match = 1; | for (int i = 1; i < u1->cr_ngroups; i++) | ||||
| if (match) | if (realgroupmember(u1->cr_groups[i], u2)) | ||||
| break; | return (0); | ||||
| } | |||||
| if (!match) { | |||||
| if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) | if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) | ||||
| return (ESRCH); | return (ESRCH); | ||||
| } | } | ||||
| } | |||||
mhorne: My only clarification... `u1->cr_groups[0]` contains the effective gid, right? That is why you have split this statement from the loop?
olce: Exactly. That's also why next loop starts with index 1.
| return (0); | return (0); | ||||
| } | } | ||||
| /* | /* | ||||
| * 'see_jail_proc' determines whether or not visibility of processes and | * 'see_jail_proc' determines whether or not visibility of processes and | ||||
| * sockets with credentials holding different jail ids is possible using a | * sockets with credentials holding different jail ids is possible using a | ||||
| * variety of system MIBs. | * variety of system MIBs. | ||||
| * | * | ||||
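Review bot: The new loop `for (int i = 1; i < u1->cr_ngroups; i++)` skips `u1->cr_groups[0]` with no explanation in the code, and the inline thread had to establish that index 0 holds the effective gid. A one-line comment above the `realgroupmember(u1->cr_rgid, u2)` check saying so would keep a later reader from "fixing" the loop back to index 0. Since the match now goes through `realgroupmember()` instead of `groupmember()`, and the result decides whether `ESRCH` hides u2 from u1, the visible part of the function's header comment should also say which of u1's groups are compared against u2.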
This is a style regression. Even though see_other_gids has an int type, it is a boolean variable and so we should check its truthiness directly.