priv: Refactor UFS quota permissions
authorMichael Neumann <mneumann@ntecs.de>
Sun, 12 Jul 2009 17:58:16 +0000 (19:58 +0200)
committerMichael Neumann <mneumann@ntecs.de>
Sun, 12 Jul 2009 17:58:16 +0000 (19:58 +0200)
sys/kern/kern_jail.c
sys/vfs/ufs/ufs_vfsops.c

index c3a921c..05440f6 100644 (file)
@@ -699,6 +699,14 @@ prison_priv_check(struct ucred *cred, int priv)
 
                return (0);
 
+       case PRIV_UFS_QUOTAON:
+       case PRIV_UFS_QUOTAOFF:
+       case PRIV_VFS_SETQUOTA:
+       case PRIV_UFS_SETUSE:
+       case PRIV_VFS_GETQUOTA:
+               return (0);
+
+
                /*
                 * Allow jailed root to bind reserved ports.
                 */
index 1acb000..803f6bc 100644 (file)
@@ -100,18 +100,47 @@ ufs_quotactl(struct mount *mp, int cmds, uid_t uid, caddr_t arg,
                }
        }
                                        
+       /*
+        * Check permissions.
+        */
        switch (cmd) {
-       case Q_SYNC:
+
+       case Q_QUOTAON:
+               error = priv_check_cred(cred, PRIV_UFS_QUOTAON, 0);
+               break;
+
+       case Q_QUOTAOFF:
+               error = priv_check_cred(cred, PRIV_UFS_QUOTAOFF, 0);
+               break;
+
+       case Q_SETQUOTA:
+               error = priv_check_cred(cred, PRIV_VFS_SETQUOTA, 0);
+               break;
+
+       case Q_SETUSE:
+               error = priv_check_cred(cred, PRIV_UFS_SETUSE, 0);
                break;
+
        case Q_GETQUOTA:
                if (uid == cred->cr_ruid)
-                       break;
-               /* fall through */
+                       error = 0;
+               else
+                       error = priv_check_cred(cred, PRIV_VFS_GETQUOTA, 0);
+               break;
+
+       case Q_SYNC:
+               error = 0;
+               break;
+
        default:
-               if ((error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) != 0)
-                       return (error);
+               error = EINVAL;
+               break;
        }
 
+       if (error)
+               return (error);
+
+
        if ((uint)type >= MAXQUOTAS)
                return (EINVAL);
        if (vfs_busy(mp, LK_NOWAIT))