907  *		file mode bits (i.e., when a process wants to open a
908  *		mode 444 file for VREAD|VWRITE, this function should be
912  *              override the mode bits that were denied.
928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
930 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
936 	if (mode & VWRITE) {
950 	if (mode & VEXEC) {
964  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
965  * current mode of the file, not the missing bits.
971 	mode_t mode;
988 	mode = ~curmode & wantmode;
990 	if (mode == 0)
993 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
999 	if (mode & VWRITE) {
1013 	if (mode & VEXEC) {
1192  * Normal:	verify that subject can modify the mode of a file.
1373  *			- permission to change file mode if not owner
1379  * If the vap argument does not include AT_MODE, the mode will be copied from
1382  * is updated to the newly computed mode.
1415 		 * for two things: the privilege to set the mode at all
1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1547 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1549 	if ((mode & MSG_R) &&
1553 	if (mode & MSG_W) {
1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1568 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1570 	if ((mode & MSG_R) &&
1574 	if (mode & MSG_W) {
1672  * Acting on a different process: if the mode is for writing,
1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1681 	if ((mode & VWRITE) && scr->cr_uid != 0 &&

Indexes created Tue Jul 24 14:28:13 CEST 2018