mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-22 02:37:15 +00:00
cr_cansee(9): cr_bsd_visible() impacts, simplifications
Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9).
Defer to cr_bsd_visible() for controlling sysctl(8) variables.

Reviewed by: bcr, mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40636
This commit is contained in:
parent
4ddd253b38
commit
82f9bc9ea8
|
@ -1,5 +1,6 @@
|
|||
.\"
|
||||
.\" Copyright (c) 2006 Ceri Davies <ceri@FreeBSD.org>
|
||||
.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
|
||||
.\"
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
|
@ -23,43 +24,39 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 19, 2006
|
||||
.Dd August 18, 2023
|
||||
.Dt CR_CANSEE 9
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm cr_cansee
|
||||
.Nd "determine visibility of objects given their user credentials"
|
||||
.Sh SYNOPSIS
|
||||
.In sys/param.h
|
||||
.In sys/systm.h
|
||||
.In sys/ucred.h
|
||||
.In sys/proc.h
|
||||
.Ft int
|
||||
.Fn cr_cansee "struct ucred *u1" "struct ucred *u2"
|
||||
.Sh DESCRIPTION
|
||||
This function determines the visibility of objects in the
|
||||
kernel based on the real user IDs and group IDs in the credentials
|
||||
This function determines if a subject with credential
|
||||
.Fa u1
|
||||
and
|
||||
.Fa u2
|
||||
associated with them.
|
||||
can see a subject or object associated to credential
|
||||
.Fa u2 .
|
||||
.Pp
|
||||
The visibility of objects is influenced by the
|
||||
Specific types of subjects may need to submit to additional or different
|
||||
restrictions.
|
||||
As an example, for processes, see
|
||||
.Xr p_cansee 9 ,
|
||||
which calls this function.
|
||||
.Pp
|
||||
The implementation relies on
|
||||
.Xr cr_bsd_visible 9
|
||||
and consequently the
|
||||
.Xr sysctl 8
|
||||
variables
|
||||
.Va security.bsd.see_other_gids
|
||||
and
|
||||
.Va security.bsd.see_other_uids ,
|
||||
as per the description in
|
||||
.Xr cr_canseeothergids 9
|
||||
and
|
||||
.Xr cr_canseeotheruids 9
|
||||
respectively.
|
||||
variables referenced in its manual page influence the result.
|
||||
.Sh RETURN VALUES
|
||||
This function returns zero if the object with credential
|
||||
This function returns zero if the subject with credential
|
||||
.Fa u1
|
||||
can
|
||||
.Dq see
|
||||
the object with credential
|
||||
the subject or object with credential
|
||||
.Fa u2 ,
|
||||
or
|
||||
.Er ESRCH
|
||||
|
@ -67,24 +64,20 @@ otherwise.
|
|||
.Sh ERRORS
|
||||
.Bl -tag -width Er
|
||||
.It Bq Er ESRCH
|
||||
The object with credential
|
||||
The subject with credential
|
||||
.Fa u1
|
||||
cannot
|
||||
.Dq see
|
||||
the object with credential
|
||||
.Fa u2 .
|
||||
.It Bq Er ESRCH
|
||||
The object with credential
|
||||
.Fa u1
|
||||
has been jailed and the object with credential
|
||||
has been jailed and the subject or object with credential
|
||||
.Fa u2
|
||||
does not belong to the same jail as
|
||||
.Fa u1 .
|
||||
does not belong to the same jail or one of its sub-jails, as determined by
|
||||
.Xr prison_check 9 .
|
||||
.It Bq Er ESRCH
|
||||
The MAC subsystem denied visibility.
|
||||
.It Bq Er ESRCH
|
||||
.Xr cr_bsd_visible 9
|
||||
denied visibility according to the BSD security policies in force.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr cr_canseeothergids 9 ,
|
||||
.Xr cr_canseeotheruids 9 ,
|
||||
.Xr prison_check 9 ,
|
||||
.Xr mac 9 ,
|
||||
.Xr cr_bsd_visible 9 ,
|
||||
.Xr p_cansee 9
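Review bot: In SEE ALSO, the entries as they appear at the end of this hunk run prison_check 9, mac 9, cr_bsd_visible 9, p_cansee 9, which is not alphabetical. mdoc(7) convention is to sort .Xr entries by section and then by name, so within section 9 the order would be cr_bsd_visible, mac, p_cansee, prison_check. In ERRORS, every entry is tagged ESRCH, so a caller cannot tell a jail, MAC or BSD-policy denial apart from the return value; that looks intentional for a visibility check, and a short sentence in RETURN VALUES saying so would keep readers from treating the list as distinguishable cases.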
|
||||
|
|