priv: Use PRIV_VFS_CHFLAGS_DEV
[dragonfly.git] / sys / kern / kern_jail.c
index 15e9456..bde34e7 100644 (file)
@@ -203,7 +203,7 @@ sys_jail(struct jail_args *uap)
 
        uap->sysmsg_result = -1;
 
-       error = priv_check(td, PRIV_ROOT);
+       error = priv_check(td, PRIV_JAIL_CREATE);
        if (error)
                return (error);
 
@@ -294,7 +294,7 @@ sys_jail_attach(struct jail_attach_args *uap)
        struct thread *td = curthread;
        int error;
 
-       error = priv_check(td, PRIV_ROOT);
+       error = priv_check(td, PRIV_JAIL_ATTACH);
        if (error)
                return(error);
 
@@ -659,3 +659,46 @@ prison_free(struct prison *pr)
        cache_drop(&pr->pr_root);
        kfree(pr, M_PRISON);
 }
+
+/*
+ * Check if permisson for a specific privilege is granted within jail.
+ */
+int
+prison_priv_check(struct ucred *cred, int priv)
+{
+       if (!jailed(cred))
+               return (0);
+
+       switch (priv) {
+       case PRIV_CRED_SETUID:
+       case PRIV_CRED_SETEUID:
+       case PRIV_CRED_SETGID:
+       case PRIV_CRED_SETEGID:
+       case PRIV_CRED_SETGROUPS:
+       case PRIV_CRED_SETREUID:
+       case PRIV_CRED_SETREGID:
+       case PRIV_CRED_SETRESUID:
+       case PRIV_CRED_SETRESGID:
+
+       case PRIV_VFS_SYSFLAGS:
+       case PRIV_VFS_CHOWN:
+       case PRIV_VFS_CHMOD:
+       case PRIV_VFS_CHROOT:
+       case PRIV_VFS_LINK:
+       case PRIV_VFS_CHFLAGS_DEV:
+       case PRIV_VFS_MKNOD_BAD:
+       case PRIV_VFS_MKNOD_WHT:
+       case PRIV_VFS_MKNOD_DIR:
+
+       case PRIV_PROC_SETRLIMIT:
+       case PRIV_PROC_SETLOGIN:
+
+       case PRIV_SYSCTL_WRITEJAIL:
+
+               return (0);
+
+       default:
+
+               return (EPERM);
+       }
+}