<table class="head">
<tr>
<td class="head-ltitle">CR_CANSEEJAILPROC(9)</td>
<td class="head-vol">Kernel Developer's Manual</td>
<td class="head-rtitle">CR_CANSEEJAILPROC(9)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">cr_canseejailproc</code> —
<span class="Nd">determine if subjects may see entities in
sub-jails</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><var class="Ft">int</var>
<br/>
<code class="Fn">cr_canseejailproc</code>(<var class="Fa" style="white-space: nowrap;">struct
ucred *u1</var>, <var class="Fa" style="white-space: nowrap;">struct ucred
*u2</var>);</p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<div class="Bf Em">This function is internal. Its functionality is integrated
into the function <a class="Xr">cr_bsd_visible(9)</a>, which should be called
instead.</div>
<p class="Pp">This function checks whether a subject associated to credentials
<var class="Fa">u1</var> is denied seeing a subject or object associated to
credentials <var class="Fa">u2</var> by a policy that requires both
credentials to be associated to the same jail. This is a restriction on the
baseline jail policy, under which a subject can see subjects or objects in its
own jail or in any sub-jail of it.</p>
<p class="Pp">This policy is active if and only if the
<a class="Xr">sysctl(8)</a> variable
<var class="Va">security.bsd.see_jail_proc</var> is set to zero.</p>
<p class="Pp">As usual, the superuser (effective user ID 0) is exempt from this
policy provided that the <a class="Xr">sysctl(8)</a> variable
<var class="Va">security.bsd.suser_enabled</var> is non-zero and no active
MAC policy explicitly denies the exemption (see
<a class="Xr">priv_check_cred(9)</a>).</p>
</section>
<section class="Sh">
<h1 class="Sh" id="RETURN_VALUES"><a class="permalink" href="#RETURN_VALUES">RETURN
VALUES</a></h1>
<p class="Pp">The <code class="Fn">cr_canseejailproc</code>() function returns 0
if the policy is disabled, if both credentials are associated to the same jail,
or if <var class="Fa">u1</var> has privilege exempting it from the policy.
Otherwise, it returns <code class="Er">ESRCH</code>.</p>
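<p class="Pp">The following is an added example, not the kernel's
implementation: a user-space model of the decision described in DESCRIPTION and
RETURN VALUES, so the four outcomes (policy disabled, same jail, superuser
exemption, denial with <code class="Er">ESRCH</code>) can be exercised side by
side. The <code class="Vt">struct ucred</code> and
<code class="Vt">struct prison</code> definitions, the globals standing in for
<var class="Va">security.bsd.see_jail_proc</var> and
<var class="Va">security.bsd.suser_enabled</var>, the
<code class="Fn">mac_denies_exemption</code> flag and the
<code class="Fn">model_</code>-prefixed functions are all assumptions made for
the example; the real check also relies on the jail hierarchy handled in
<a class="Xr">cr_bsd_visible(9)</a>, which is not modelled here.</p>

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel structures: only the fields the
 * policy on this page reads. The field names are assumptions, not the
 * kernel's definitions.
 */
struct prison { int pr_id; };
struct ucred {
    unsigned int   cr_uid;      /* effective user ID */
    struct prison *cr_prison;   /* jail the credential is associated to */
};

/* Stand-ins for the sysctl(8) knobs named on the page. */
static int see_jail_proc = 1;   /* security.bsd.see_jail_proc */
static int suser_enabled = 1;   /* security.bsd.suser_enabled */
/* Hypothetical: set when an active MAC policy denies the superuser exemption. */
static bool mac_denies_exemption = false;

void set_policy(int see_jail, int suser, bool mac_deny)
{
    see_jail_proc = see_jail;
    suser_enabled = suser;
    mac_denies_exemption = mac_deny;
}

/*
 * Model of the privilege check the page delegates to priv_check_cred(9):
 * effective UID 0 is exempt only while suser_enabled is non-zero and no
 * MAC policy vetoes it. Returns 0 when privileged, EPERM otherwise.
 */
static int model_priv_check_cred(const struct ucred *cr)
{
    if (cr->cr_uid == 0 && suser_enabled != 0 && !mac_denies_exemption)
        return 0;
    return EPERM;
}

/*
 * Model of cr_canseejailproc(): returns 0 when u1 is allowed to see u2
 * under the same-jail policy, ESRCH when it is denied. The order of the
 * checks mirrors the RETURN VALUES section above.
 */
int model_cr_canseejailproc(const struct ucred *u1, const struct ucred *u2)
{
    if (see_jail_proc != 0)                 /* policy disabled */
        return 0;
    if (u1->cr_prison == u2->cr_prison)     /* same jail */
        return 0;
    if (model_priv_check_cred(u1) == 0)     /* superuser exemption */
        return 0;
    return ESRCH;                           /* denied by the policy */
}

int main(void)
{
    struct prison jail_a = { 1 }, jail_b = { 2 };         /* constructed jails */
    struct ucred user_a = { 1001, &jail_a };               /* unprivileged, jail A */
    struct ucred user_b = { 1001, &jail_b };               /* unprivileged, jail B */
    struct ucred root_a = { 0, &jail_a };                  /* superuser, jail A */

    set_policy(0, 1, false);                               /* policy active */
    printf("user A -> user B: %d\n",
        model_cr_canseejailproc(&user_a, &user_b));        /* ESRCH */
    printf("root A -> user B: %d\n",
        model_cr_canseejailproc(&root_a, &user_b));        /* 0 */
    set_policy(0, 0, false);                               /* suser_enabled=0 drops the exemption */
    printf("root A -> user B, suser disabled: %d\n",
        model_cr_canseejailproc(&root_a, &user_b));        /* ESRCH */
    set_policy(1, 1, false);                               /* policy disabled */
    printf("user A -> user B, policy disabled: %d\n",
        model_cr_canseejailproc(&user_a, &user_b));        /* 0 */
    return 0;
}
```

<p class="Pp">The point worth checking in practice is the third case: with
<var class="Va">security.bsd.see_jail_proc</var> at zero, setting
<var class="Va">security.bsd.suser_enabled</var> to zero also strips the
root exemption, so a root process in one jail is then denied exactly like an
unprivileged one.</p>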
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">cr_bsd_visible(9)</a>,
<a class="Xr">priv_check_cred(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This manual page was written by <span class="An">Olivier
Certner</span>
&lt;<a class="Mt" href="mailto:olce.freebsd@certner.fr">olce.freebsd@certner.fr</a>&gt;.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">August 18, 2023</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>