X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/6d2010ae8f7a6078e10b361c6962983bab233e0f..c6bf4f310a33a9262d455ea4d3f0630b1255e3fe:/bsd/kern/kern_priv.c
diff --git a/bsd/kern/kern_priv.c b/bsd/kern/kern_priv.c
index e7ceb6075..88adf2dda 100644
--- a/bsd/kern/kern_priv.c
+++ b/bsd/kern/kern_priv.c
@@ -2,7 +2,7 @@
 * Copyright (c) 2010 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
- *
+ *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
@@ -11,10 +11,10 @@
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
- *
+ *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
- *
+ *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -22,7 +22,7 @@
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
- *
+ *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
 /*-
@@ -68,13 +68,18 @@
 #include
 #endif
+int proc_check_footprint_priv(void);
+
 /*
 * Check a credential for privilege. Lots of good reasons to deny privilege;
 * only a few to grant it.
 */
 int
-priv_check_cred(kauth_cred_t cred, int priv, __unused int flags)
+priv_check_cred(kauth_cred_t cred, int priv, int flags)
 {
+#if !CONFIG_MACF
+#pragma unused(priv)
+#endif
 int error;
 /*
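Review bot: The comment above priv_check_cred still says nothing about `flags`, although this hunk drops `__unused` and the parameter now decides whether uid 0 is granted automatically. Callers written while the argument was ignored are not visible here, so any that pass a nonzero value would silently change behaviour and are worth auditing. I would add to the header comment ` * flags: PRIVCHECK_DEFAULT_UNPRIVILEGED_FLAG withholds the implicit uid-0 grant; pass 0 for the historical behaviour.` The function body continues outside this hunk.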
@@ -83,19 +88,23 @@ priv_check_cred(kauth_cred_t cred, int priv, __unused int flags)
 */
 #if CONFIG_MACF
 error = mac_priv_check(cred, priv);
- if (error)
+ if (error) {
 goto out;
+ }
 #endif
- /*
- * Having determined if privilege is restricted by various policies,
- * now determine if privilege is granted. At this point, any policy
- * may grant privilege. For now, we allow short-circuit boolean
- * evaluation, so may not call all policies. Perhaps we should.
- */
- if (kauth_cred_getuid(cred) == 0) {
- error = 0;
- goto out;
+ /* Only grant all privileges to root if DEFAULT_UNPRIVELEGED flag is NOT set. */
+ if (!(flags & PRIVCHECK_DEFAULT_UNPRIVILEGED_FLAG)) {
+ /*
+ * Having determined if privilege is restricted by various policies,
+ * now determine if privilege is granted. At this point, any policy
+ * may grant privilege. For now, we allow short-circuit boolean
+ * evaluation, so may not call all policies. Perhaps we should.
+ */
+ if (kauth_cred_getuid(cred) == 0) {
+ error = 0;
+ goto out;
+ }
 }
 /*
@@ -115,5 +124,11 @@ priv_check_cred(kauth_cred_t cred, int priv, __unused int flags)
 */
 error = EPERM;
 out:
- return (error);
+ return error;
+}
+
+int
+proc_check_footprint_priv(void)
+{
+ return priv_check_cred(kauth_cred_get(), PRIV_VM_FOOTPRINT_LIMIT, 0);
 }
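Review bot: The new one-line comment misspells the flag as DEFAULT_UNPRIVELEGED, so a search for `PRIVCHECK_DEFAULT_UNPRIVILEGED_FLAG` will not find it; I would write `/* Skip the implicit uid-0 grant when PRIVCHECK_DEFAULT_UNPRIVILEGED_FLAG is set. */`. The relocated block comment now sits inside the flag test, but its text about policies granting privilege describes the whole grant phase, which continues after this hunk, so it would read better above the `if (!(flags & ...))` line. Bits of `flags` other than this one are ignored without complaint. If only the one flag is defined (its definition is not on this page), asserting on or rejecting unknown bits would catch callers that still pass stale values from when the argument was unused.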
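Review bot: proc_check_footprint_priv has no comment, and its name suggests a per-process check while the body tests the credential returned by `kauth_cred_get()`, presumably the calling thread's, and takes no proc argument. It also passes `0` for flags, so uid 0 passes through the root shortcut earlier in priv_check_cred. I would document both above the definition, for example `/* Returns 0 if the caller's credential holds PRIV_VM_FOOTPRINT_LIMIT (uid 0 included), else an errno value. */`. The prototype is added in the .c file itself in an earlier hunk, so external callers need a matching declaration kept in sync by hand unless a header not shown here also declares it.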