Module Name: src Committed By: christos Date: Sun Mar 27 16:23:08 UTC 2022
Modified Files: src/sys/fs/unionfs: unionfs_vnops.c src/sys/kern: kern_auth.c sysv_ipc.c src/sys/miscfs/genfs: genfs_vnops.c Log Message: Expose groupmember as kauth_cred_groupmember and use it. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/sys/fs/unionfs/unionfs_vnops.c cvs rdiff -u -r1.79 -r1.80 src/sys/kern/kern_auth.c cvs rdiff -u -r1.41 -r1.42 src/sys/kern/sysv_ipc.c cvs rdiff -u -r1.217 -r1.218 src/sys/miscfs/genfs/genfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/fs/unionfs/unionfs_vnops.c
diff -u src/sys/fs/unionfs/unionfs_vnops.c:1.17 src/sys/fs/unionfs/unionfs_vnops.c:1.18
--- src/sys/fs/unionfs/unionfs_vnops.c:1.17	Tue Oct 19 23:08:17 2021
+++ src/sys/fs/unionfs/unionfs_vnops.c	Sun Mar 27 12:23:08 2022
@@ -566,7 +566,6 @@ unionfs_close_abort:
 static int
 unionfs_check_corrected_access(u_short mode, struct vattr *va, kauth_cred_t cred)
 {
-	int result;
 	int error;
 	uid_t uid;	/* upper side vnode's uid */
 	gid_t gid;	/* upper side vnode's gid */
@@ -590,10 +589,7 @@ unionfs_check_corrected_access(u_short m
 	}
 
 	/* check group */
-	error = kauth_cred_ismember_gid(cred, gid, &result);
-	if (error != 0)
-		return error;
-	if (result) {
+	if (kauth_cred_groupmember(cred, gid) == 0) {
 		if (mode & VEXEC)
 			mask |= S_IXGRP;
 		if (mode & VREAD)
Index: src/sys/kern/kern_auth.c
diff -u src/sys/kern/kern_auth.c:1.79 src/sys/kern/kern_auth.c:1.80
--- src/sys/kern/kern_auth.c:1.79	Sat Mar 12 10:32:32 2022
+++ src/sys/kern/kern_auth.c	Sun Mar 27 12:23:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_auth.c,v 1.79 2022/03/12 15:32:32 riastradh Exp $	*/
+/*	$NetBSD: kern_auth.c,v 1.80 2022/03/27 16:23:08 christos Exp $	*/
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <e...@netbsd.org>
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.79 2022/03/12 15:32:32 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.80 2022/03/27 16:23:08 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
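Review bot: In the unionfs hunk at -590, `if (kauth_cred_groupmember(cred, gid) == 0)` now treats a failure of the underlying group lookup the same as "not a member", whereas the removed lines returned that error to the caller. The check still fails closed, but the error value is discarded, which differs from how the genfs callers in this same commit handle the new function (`if (error > 0) return error;`). If dropping the error here is intended, a one-line comment such as `/* a failed group lookup denies group access rather than failing the call */` above the if would record it; otherwise keep the propagation the removed lines had. unionfs_check_corrected_access continues outside the hunk.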
@@ -404,6 +404,25 @@ kauth_cred_ismember_gid(kauth_cred_t cre
 	return (0);
 }
 
+int
+kauth_cred_groupmember(kauth_cred_t cred, gid_t gid)
+{
+	int ismember, error;
+
+	KASSERT(cred != NULL);
+	KASSERT(cred != NOCRED);
+	KASSERT(cred != FSCRED);
+
+	error = kauth_cred_ismember_gid(cred, gid, &ismember);
+	if (error)
+		return error;
+
+	if (kauth_cred_getegid(cred) == gid || ismember)
+		return 0;
+
+	return -1;
+}
+
 u_int
 kauth_cred_ngroups(kauth_cred_t cred)
 {
Index: src/sys/kern/sysv_ipc.c
diff -u src/sys/kern/sysv_ipc.c:1.41 src/sys/kern/sysv_ipc.c:1.42
--- src/sys/kern/sysv_ipc.c:1.41	Thu Feb 20 19:26:22 2020
+++ src/sys/kern/sysv_ipc.c	Sun Mar 27 12:23:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: sysv_ipc.c,v 1.41 2020/02/21 00:26:22 joerg Exp $	*/
+/*	$NetBSD: sysv_ipc.c,v 1.42 2022/03/27 16:23:08 christos Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2007 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sysv_ipc.c,v 1.41 2020/02/21 00:26:22 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysv_ipc.c,v 1.42 2022/03/27 16:23:08 christos Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_sysv.h"
@@ -258,7 +258,6 @@ sysvipc_listener_cb(kauth_cred_t cred, k
     void *arg0, void *arg1, void *arg2, void *arg3)
 {
 	mode_t mask;
-	int ismember = 0;
 	struct ipc_perm *perm;
 	int mode;
 	enum kauth_system_req req;
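Review bot: The new kauth_cred_groupmember() in the kern_auth.c hunk carries no comment stating its three-way return convention, yet every caller in this commit depends on the exact split: 0 means the egid or supplementary list matches, -1 means no match, and a positive value is the errno from kauth_cred_ismember_gid(); genfs propagates only `error > 0` while unionfs and sysv_ipc test `== 0`. A header comment of the form `/* Return 0 if cred's egid or group list contains gid, -1 if not, or the positive errno from kauth_cred_ismember_gid(). */` would pin that contract for future callers. Separately, sys/sys/kauth.h is not in this commit's file list, so the prototype the three other files rely on must come from elsewhere; worth confirming it exists before builds that reject implicit declarations.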
@@ -290,10 +289,8 @@ sysvipc_listener_cb(kauth_cred_t cred, k
 		return ((perm->mode & mask) == mask ?
 		    KAUTH_RESULT_ALLOW : KAUTH_RESULT_DEFER /* EACCES */);
 	}
-	if (kauth_cred_getegid(cred) == perm->gid ||
-	    (kauth_cred_ismember_gid(cred, perm->gid, &ismember) == 0 && ismember) ||
-	    kauth_cred_getegid(cred) == perm->cgid ||
-	    (kauth_cred_ismember_gid(cred, perm->cgid, &ismember) == 0 && ismember)) {
+	if (kauth_cred_groupmember(cred, perm->gid) == 0 ||
+	    kauth_cred_groupmember(cred, perm->cgid) == 0) {
 		if (mode & IPC_R)
 			mask |= S_IRGRP;
 		if (mode & IPC_W)
Index: src/sys/miscfs/genfs/genfs_vnops.c
diff -u src/sys/miscfs/genfs/genfs_vnops.c:1.217 src/sys/miscfs/genfs/genfs_vnops.c:1.218
--- src/sys/miscfs/genfs/genfs_vnops.c:1.217	Sat Mar 19 09:52:45 2022
+++ src/sys/miscfs/genfs/genfs_vnops.c	Sun Mar 27 12:23:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: genfs_vnops.c,v 1.217 2022/03/19 13:52:45 hannken Exp $	*/
+/*	$NetBSD: genfs_vnops.c,v 1.218 2022/03/27 16:23:08 christos Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: genfs_vnops.c,v 1.217 2022/03/19 13:52:45 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: genfs_vnops.c,v 1.218 2022/03/27 16:23:08 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -663,18 +663,6 @@ genfs_node_wrlocked(struct vnode *vp)
 	return rw_write_held(&gp->g_glock);
 }
 
-static int
-groupmember(gid_t gid, kauth_cred_t cred)
-{
-	int ismember;
-	int error = kauth_cred_ismember_gid(cred, gid, &ismember);
-	if (error)
-		return error;
-	if (kauth_cred_getegid(cred) == gid || ismember)
-		return 0;
-	return -1;
-}
-
 /*
  * Common filesystem object access control check routine.  Accepts a
  * vnode, cred, uid, gid, mode, acl, requested access mode.
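Review bot: The rewritten condition in the sysv_ipc.c hunk at -290 changes the outcome when kauth_cred_ismember_gid() fails: the removed lines granted group access on a bare egid match regardless of that lookup, while kauth_cred_groupmember() returns the error before ever comparing the egid, so an egid match is now ignored whenever the lookup errors. This is a fail-closed change and likely acceptable, but the log message describes the commit as a pure refactor and does not mention it. If intended, a comment such as `/* a failed group lookup denies group access even on an egid match */` above the if would make the new behaviour explicit; if not, the egid comparison could be kept ahead of the call. sysvipc_listener_cb continues outside the hunk.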
@@ -712,7 +700,7 @@ genfs_can_access(vnode_t *vp, kauth_cred
 
 	/* Otherwise, check the groups (first match) */
 	/* Otherwise, check the groups. */
-	error = groupmember(file_gid, cred);
+	error = kauth_cred_groupmember(cred, file_gid);
 	if (error > 0)
 		return error;
 	if (error == 0) {
@@ -864,7 +852,7 @@ genfs_can_access_acl_posix1e(vnode_t *vp
 		struct acl_entry *ae = &acl->acl_entry[i];
 		switch (ae->ae_tag) {
 		case ACL_GROUP_OBJ:
-			error = groupmember(file_gid, cred);
+			error = kauth_cred_groupmember(cred, file_gid);
 			if (error > 0)
 				return error;
 			if (error)
@@ -885,7 +873,7 @@ genfs_can_access_acl_posix1e(vnode_t *vp
 			break;
 
 		case ACL_GROUP:
-			error = groupmember(ae->ae_id, cred);
+			error = kauth_cred_groupmember(cred, ae->ae_id);
 			if (error > 0)
 				return error;
 			if (error)
@@ -919,7 +907,7 @@ genfs_can_access_acl_posix1e(vnode_t *vp
 		struct acl_entry *ae = &acl->acl_entry[i];
 		switch (ae->ae_tag) {
 		case ACL_GROUP_OBJ:
-			error = groupmember(file_gid, cred);
+			error = kauth_cred_groupmember(cred, file_gid);
 			if (error > 0)
 				return error;
 			if (error)
@@ -935,7 +923,7 @@ genfs_can_access_acl_posix1e(vnode_t *vp
 			goto out;
 
 		case ACL_GROUP:
-			error = groupmember(ae->ae_id, cred);
+			error = kauth_cred_groupmember(cred, ae->ae_id);
 			if (error > 0)
 				return error;
 			if (error)
@@ -1053,14 +1041,14 @@ _acl_denies(const struct acl *aclp, int
 				continue;
 			break;
 		case ACL_GROUP_OBJ:
-			error = groupmember(file_gid, cred);
+			error = kauth_cred_groupmember(cred, file_gid);
 			if (error > 0)
 				return error;
 			if (error != 0)
 				continue;
 			break;
 		case ACL_GROUP:
-			error = groupmember(ae->ae_id, cred);
+			error = kauth_cred_groupmember(cred, ae->ae_id);
 			if (error > 0)
 				return error;
 			if (error != 0)