mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-22 02:37:15 +00:00
cr_canseejailproc(9): New man page
Reviewed by: pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40631
This commit is contained in:
parent
c59ab75c04
commit
29d863bb7f
|
@ -69,6 +69,7 @@ MAN= accept_filter.9 \
|
|||
counter.9 \
|
||||
cpuset.9 \
|
||||
cr_cansee.9 \
|
||||
cr_canseejailproc.9 \
|
||||
cr_canseeothergids.9 \
|
||||
cr_canseeotheruids.9 \
|
||||
critical_enter.9 \
|
||||
|
|
81
share/man/man9/cr_canseejailproc.9
Normal file
81
share/man/man9/cr_canseejailproc.9
Normal file
|
@ -0,0 +1,81 @@
|
|||
.\"
|
||||
.\" SPDX-License-Identifier: BSD-2-Clause
|
||||
.\"
|
||||
.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
|
||||
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd August 18, 2023
|
||||
.Dt CR_CANSEEJAILPROC 9
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm cr_canseejailproc
|
||||
.Nd determine if subjects may see entities in sub-jails
|
||||
.Sh SYNOPSIS
|
||||
.Ft int
|
||||
.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
|
||||
.Sh DESCRIPTION
|
||||
.Bf -emphasis
|
||||
This function is internal.
|
||||
Its functionality is integrated into the function
|
||||
.Xr cr_bsd_visible 9 ,
|
||||
which should be called instead.
|
||||
.Ef
|
||||
.Pp
|
||||
This function checks if a subject associated to credentials
|
||||
.Fa u1
|
||||
is denied seeing a subject or object associated to credentials
|
||||
.Fa u2
|
||||
by a policy that requires both credentials to be associated to the same jail.
|
||||
This is a restriction to the baseline jail policy that a subject can see
|
||||
subjects or objects in its own jail or any sub-jail of it.
|
||||
.Pp
|
||||
This policy is active if and only if the
|
||||
.Xr sysctl 8
|
||||
variable
|
||||
.Va security.bsd.see_jail_proc
|
||||
is set to zero.
|
||||
.Pp
|
||||
As usual, the superuser (effective user ID 0) is exempt from this policy
|
||||
provided that the
|
||||
.Xr sysctl 8
|
||||
variable
|
||||
.Va security.bsd.suser_enabled
|
||||
is non-zero and no active MAC policy explicitly denies the exemption
|
||||
.Po
|
||||
see
|
||||
.Xr priv_check_cred 9
|
||||
.Pc .
|
||||
.Sh RETURN VALUES
|
||||
The
|
||||
.Fn cr_canseejailproc
|
||||
function returns 0 if the policy is disabled, both credentials are associated to
|
||||
the same jail, or if
|
||||
.Fa u1
|
||||
has privilege exempting it from the policy.
|
||||
Otherwise, it returns
|
||||
.Er ESRCH .
|
||||
.Sh SEE ALSO
|
||||
.Xr cr_bsd_visible 9 ,
|
||||
.Xr priv_check_cred 9
|
||||
.Sh AUTHORS
|
||||
This manual page was written by
|
||||
.An Olivier Certner Aq Mt olce.freebsd@certner.fr .
|
Loading…
Reference in a new issue