<table class="head">
<tr>
<td class="head-ltitle">CR_BSD_VISIBLE(9)</td>
<td class="head-vol">Kernel Developer's Manual</td>
<td class="head-rtitle">CR_BSD_VISIBLE(9)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">cr_bsd_visible</code> —
<span class="Nd">determine if subjects may see entities according to BSD
security policies</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><code class="In">#include
<<a class="In">sys/proc.h</a>></code></p>
<p class="Pp"><var class="Ft">int</var>
<br/>
<code class="Fn">cr_bsd_visible</code>(<var class="Fa" style="white-space: nowrap;">struct
ucred *u1</var>, <var class="Fa" style="white-space: nowrap;">struct ucred
*u2</var>);</p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">This function determines whether a subject with credentials
<var class="Fa">u1</var> is denied seeing an object or subject associated with
credentials <var class="Fa">u2</var> by the following policies and their
associated <a class="Xr">sysctl(8)</a> knobs:</p>
<dl class="Bl-tag">
<dt id="security.bsd.seeotheruids"><var class="Va">security.bsd.seeotheruids</var></dt>
<dd>If set to 0, subjects cannot see other subjects or objects if they are not
associated with the same real user ID. The corresponding internal function
is <a class="Xr">cr_canseeotheruids(9)</a>.</dd>
<dt id="security.bsd.seeothergids"><var class="Va">security.bsd.seeothergids</var></dt>
<dd>If set to 0, subjects cannot see other subjects or objects unless both
share at least one common group. The corresponding internal function is
<a class="Xr">cr_canseeothergids(9)</a>.</dd>
<dt id="security.bsd.see_jail_proc"><var class="Va">security.bsd.see_jail_proc</var></dt>
<dd>If set to 0, subjects cannot see other subjects or objects that are not
associated with the same jail as they are. The corresponding internal
function is <a class="Xr">cr_canseejailproc(9)</a>.</dd>
</dl>
<p class="Pp">As usual, the superuser (effective user ID 0) is exempt from any
of these policies provided that the <a class="Xr">sysctl(8)</a> variable
<var class="Va">security.bsd.suser_enabled</var> is non-zero and no active
MAC policy explicitly denies the exemption (see
<a class="Xr">priv_check_cred(9)</a>).</p>
<p class="Pp">This function is intended to be used as a helper to implement
<a class="Xr">cr_cansee(9)</a> and similar functions.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="RETURN_VALUES"><a class="permalink" href="#RETURN_VALUES">RETURN
VALUES</a></h1>
<p class="Pp">This function returns zero if a subject with credentials
<var class="Fa">u1</var> may see a subject or object with credentials
<var class="Fa">u2</var> under the active policies listed above, or
<code class="Er">ESRCH</code> otherwise.</p>
</section>
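The following is an added user-space model of the policy logic described in the DESCRIPTION and RETURN VALUES sections; it is not the FreeBSD kernel's implementation. It assumes a simplified <code>struct cred</code> in place of <code>struct ucred</code>, a <code>struct bsd_policy</code> standing in for the sysctl knobs, and models <code>realgroupmember(9)</code> as "real gid or supplementary group"; MAC policy hooks are not modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the sysctl(8) knobs listed in the manual page. */
struct bsd_policy {
	int seeotheruids, seeothergids, see_jail_proc, suser_enabled;
};

/* Hypothetical, simplified credential; not the kernel's struct ucred. */
struct cred {
	unsigned euid, ruid, rgid;
	const unsigned *groups;	/* supplementary groups */
	size_t ngroups;
	int jail;		/* jail id, 0 = host */
};

/* Model of realgroupmember(9): is gid the real gid or a supplementary group of c? */
static bool real_group_member(unsigned gid, const struct cred *c)
{
	if (gid == c->rgid)
		return true;
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return true;
	return false;
}

/* Returns 0 if u1 may see u2, ESRCH otherwise, following the three policies. */
int model_cr_bsd_visible(const struct bsd_policy *p,
    const struct cred *u1, const struct cred *u2)
{
	/* Superuser exemption: effective UID 0 while security.bsd.suser_enabled is set. */
	if (u1->euid == 0 && p->suser_enabled)
		return 0;
	/* security.bsd.seeotheruids = 0: real user IDs must match. */
	if (!p->seeotheruids && u1->ruid != u2->ruid)
		return ESRCH;
	/* security.bsd.seeothergids = 0: at least one common group required. */
	if (!p->seeothergids) {
		bool common = real_group_member(u1->rgid, u2);
		for (size_t i = 0; !common && i < u1->ngroups; i++)
			common = real_group_member(u1->groups[i], u2);
		if (!common)
			return ESRCH;
	}
	/* security.bsd.see_jail_proc = 0: must be in the same jail. */
	if (!p->see_jail_proc && u1->jail != u2->jail)
		return ESRCH;
	return 0;
}
```

Each policy is evaluated only when its knob is 0, so with all knobs set to 1 every subject is visible; the superuser exemption short-circuits all three checks at once.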
<section class="Sh">
<h1 class="Sh" id="ERRORS"><a class="permalink" href="#ERRORS">ERRORS</a></h1>
<dl class="Bl-tag">
<dt id="ESRCH">[<a class="permalink" href="#ESRCH"><code class="Er">ESRCH</code></a>]</dt>
<dd>Credentials <var class="Fa">u1</var> and <var class="Fa">u2</var> do not
have the same real user ID.</dd>
<dt id="ESRCH~2">[<a class="permalink" href="#ESRCH~2"><code class="Er">ESRCH</code></a>]</dt>
<dd>Credentials <var class="Fa">u1</var> and <var class="Fa">u2</var> are not
members of any common group (as determined by
<a class="Xr">realgroupmember(9)</a>).</dd>
<dt id="ESRCH~3">[<a class="permalink" href="#ESRCH~3"><code class="Er">ESRCH</code></a>]</dt>
<dd>Credentials <var class="Fa">u1</var> and <var class="Fa">u2</var> are not
in the same jail.</dd>
</dl>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">cr_cansee(9)</a>,
<a class="Xr">cr_canseejailproc(9)</a>,
<a class="Xr">cr_canseeothergids(9)</a>,
<a class="Xr">cr_canseeotheruids(9)</a>,
<a class="Xr">priv_check_cred(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This function and its manual page were written by
<span class="An">Olivier Certner</span>
<<a class="Mt" href="mailto:olce.freebsd@certner.fr">olce.freebsd@certner.fr</a>>.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">August 18, 2023</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>