CR_BSD_VISIBLE(9) FreeBSD Kernel Developer's Manual CR_BSD_VISIBLE(9)
NAME
cr_bsd_visible - determine if subjects may see entities according to BSD
security policies
SYNOPSIS
#include <sys/proc.h>
int
cr_bsd_visible(struct ucred *u1, struct ucred *u2);
DESCRIPTION
This function determines whether a subject with credentials u1 is denied
seeing an object or subject associated with credentials u2 by the following
policies and their associated sysctl(8) knobs:
security.bsd.seeotheruids
If set to 0, subjects cannot see other subjects or objects if
they are not associated with the same real user ID. The
corresponding internal function is cr_canseeotheruids(9).
security.bsd.seeothergids
If set to 0, subjects cannot see other subjects or objects if
they are not both a member of at least one common group. The
corresponding internal function is cr_canseeothergids(9).
security.bsd.see_jail_proc
If set to 0, subjects cannot see other subjects or objects that
are not associated with the same jail as they are. The
corresponding internal function is cr_canseejailproc(9).
As usual, the superuser (effective user ID 0) is exempt from any of these
policies provided that the sysctl(8) variable security.bsd.suser_enabled
is non-zero and no active MAC policy explicitly denies the exemption (see
priv_check_cred(9)).
This function is intended to be used as a helper to implement
cr_cansee(9) and similar functions.
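The following is an added, userland model of the policy logic described above; it is not FreeBSD kernel code. struct model_cred, the model_* functions, the knob globals and the constructed credentials cred_* are hypothetical stand-ins for struct ucred, the cr_cansee*(9) helpers, the security.bsd.* sysctl knobs and real credentials. MAC policies and the jail hierarchy are not modelled: the superuser exemption is reduced to "effective uid 0 and suser_enabled non-zero", and "same jail" is an integer comparison. The model shows how the three policies combine, that the checks use real (not effective) user and group IDs, and how security.bsd.suser_enabled=0 removes the superuser exemption.

```c
/*
 * Added example, not FreeBSD kernel code: a userland model of the policy
 * logic that cr_bsd_visible(9) describes. struct model_cred, model_* and
 * the knob globals are hypothetical stand-ins for struct ucred, the
 * cr_cansee*(9) helpers and the security.bsd.* sysctl knobs.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_NGROUPS 4

struct model_cred {
	unsigned uid;                    /* effective user ID (cr_uid) */
	unsigned ruid;                   /* real user ID (cr_ruid) */
	unsigned rgid;                   /* real group ID (cr_rgid) */
	unsigned groups[MODEL_NGROUPS];  /* supplementary groups */
	size_t ngroups;
	int jail;                        /* jail identity (stand-in for cr_prison) */
};

/* Stand-ins for the sysctl(8) knobs, at their FreeBSD default values. */
static int see_other_uids = 1;   /* security.bsd.seeotheruids */
static int see_other_gids = 1;   /* security.bsd.seeothergids */
static int see_jail_proc = 1;    /* security.bsd.see_jail_proc */
static int suser_enabled = 1;    /* security.bsd.suser_enabled */

/* Superuser exemption: effective uid 0 while suser_enabled is non-zero. */
static bool model_priv_exempt(const struct model_cred *u1)
{
	return (suser_enabled != 0 && u1->uid == 0);
}

/* Model of realgroupmember(9): gid is cred's real gid or a supplementary group. */
static bool model_realgroupmember(unsigned gid, const struct model_cred *cred)
{
	if (cred->rgid == gid)
		return (true);
	for (size_t i = 0; i < cred->ngroups; i++)
		if (cred->groups[i] == gid)
			return (true);
	return (false);
}

/* security.bsd.seeotheruids: real user IDs must match unless exempt. */
static int model_canseeotheruids(const struct model_cred *u1, const struct model_cred *u2)
{
	if (see_other_uids != 0 || u1->ruid == u2->ruid || model_priv_exempt(u1))
		return (0);
	return (ESRCH);
}

/* security.bsd.seeothergids: u1's real group set must intersect u2's. */
static int model_canseeothergids(const struct model_cred *u1, const struct model_cred *u2)
{
	if (see_other_gids != 0 || model_priv_exempt(u1) || model_realgroupmember(u1->rgid, u2))
		return (0);
	for (size_t i = 0; i < u1->ngroups; i++)
		if (model_realgroupmember(u1->groups[i], u2))
			return (0);
	return (ESRCH);
}

/* security.bsd.see_jail_proc: same jail unless exempt. */
static int model_canseejailproc(const struct model_cred *u1, const struct model_cred *u2)
{
	if (see_jail_proc != 0 || u1->jail == u2->jail || model_priv_exempt(u1))
		return (0);
	return (ESRCH);
}

/* Combined check: 0 if u1 may see u2, ESRCH if any active policy denies it. */
int model_bsd_visible(const struct model_cred *u1, const struct model_cred *u2)
{
	int error;

	if ((error = model_canseeotheruids(u1, u2)) != 0)
		return (error);
	if ((error = model_canseeothergids(u1, u2)) != 0)
		return (error);
	return (model_canseejailproc(u1, u2));
}

/* Set the four knobs, then evaluate whether u1 may see u2. */
int model_check(int uids, int gids, int jail, int suser,
    const struct model_cred *u1, const struct model_cred *u2)
{
	see_other_uids = uids;
	see_other_gids = gids;
	see_jail_proc = jail;
	suser_enabled = suser;
	return (model_bsd_visible(u1, u2));
}

/* Constructed credentials for the demonstration, not data from a real system. */
const struct model_cred cred_alice  = { 1001, 1001, 1001, { 2000 }, 1, 0 };
const struct model_cred cred_bob    = { 1002, 1002, 1002, { 2000 }, 1, 0 }; /* shares group 2000 */
const struct model_cred cred_carol  = { 1003, 1003, 1003, { 0 }, 0, 0 };    /* no common group */
const struct model_cred cred_jailed = { 1001, 1001, 1001, { 0 }, 0, 7 };    /* alice's IDs, jail 7 */
const struct model_cred cred_root   = { 0, 0, 0, { 0 }, 0, 0 };

int main(void)
{
	printf("seeotheruids=0, alice -> bob:    %d\n", model_check(0, 1, 1, 1, &cred_alice, &cred_bob));
	printf("seeothergids=0, alice -> bob:    %d\n", model_check(1, 0, 1, 1, &cred_alice, &cred_bob));
	printf("seeothergids=0, alice -> carol:  %d\n", model_check(1, 0, 1, 1, &cred_alice, &cred_carol));
	printf("see_jail_proc=0, alice -> jailed: %d\n", model_check(1, 1, 0, 1, &cred_alice, &cred_jailed));
	printf("all 0, root -> carol:            %d\n", model_check(0, 0, 0, 1, &cred_root, &cred_carol));
	printf("all 0, suser_enabled=0, root:    %d\n", model_check(0, 0, 0, 0, &cred_root, &cred_carol));
	return (0);
}
```

A non-zero result is ESRCH (3 on FreeBSD), matching the error the real function returns. The last two lines of main show the practical consequence of security.bsd.suser_enabled: with it set to 0, even effective uid 0 is subject to all three policies.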
RETURN VALUES
This function returns zero if a subject with credentials u1 may see a
subject or object with credentials u2 by the active above-mentioned
policies, or ESRCH otherwise.
ERRORS
[ESRCH] security.bsd.seeotheruids is 0 and credentials u1 and u2 do
not have the same real user ID.
[ESRCH] security.bsd.seeothergids is 0 and credentials u1 and u2 are
not members of any common group (as determined by
realgroupmember(9)).
[ESRCH] security.bsd.see_jail_proc is 0 and credentials u1 and u2 are
not in the same jail.
SEE ALSO
cr_canseeotheruids(9), cr_canseeothergids(9), cr_canseejailproc(9),
priv_check_cred(9), cr_cansee(9)
AUTHORS