diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1434,6 +1434,25 @@ return (ESRCH); } +/* + * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* + * policies. Determines if u1 "can see" u2 according to these policies. + * Returns: 0 for permitted, ESRCH otherwise + */ +int +cr_bsd_visible(struct ucred *u1, struct ucred *u2) +{ + int error; + + if ((error = cr_canseeotheruids(u1, u2))) + return (error); + if ((error = cr_canseeothergids(u1, u2))) + return (error); + if ((error = cr_canseejailproc(u1, u2))) + return (error); + return (0); +} + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise diff --git a/sys/sys/proc.h b/sys/sys/proc.h --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1163,6 +1163,7 @@ void ast_unsched_locked(struct thread *td, int tda); struct thread *choosethread(void); +int cr_bsd_visible(struct ucred *u1, struct ucred *u2); int cr_cansee(struct ucred *u1, struct ucred *u2); int cr_canseesocket(struct ucred *cred, struct socket *so); int cr_canseeothergids(struct ucred *u1, struct ucred *u2);