This function determines if a subject with credentials u1 is denied seeing an
object or subject associated with credentials u2 by the following policies and
their associated sysctl(8) knobs:

security.bsd.seeotheruids
    If set to 0, subjects cannot see other subjects or objects if they are
    not associated with the same real user ID. The corresponding internal
    function is cr_canseeotheruids(9).

security.bsd.seeothergids
    If set to 0, subjects cannot see other subjects or objects if they are
    not both a member of at least one common group. The corresponding
    internal function is cr_canseeothergids(9).

security.bsd.see_jail_proc
    If set to 0, subjects cannot see other subjects or objects that are not
    associated with the same jail as they are. The corresponding internal
    function is cr_canseejailproc(9).
As usual, the superuser (effective user ID 0) is exempt from any of these
policies provided that the sysctl(8) variable security.bsd.suser_enabled is
non-zero and no active MAC policy explicitly denies the exemption (see
priv_check_cred(9)).

This function is intended to be used as a helper to implement cr_cansee(9)
and similar functions.
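The three policies and the superuser exemption, written out as an added C model for illustration; this is not the kernel's cr_bsd_visible() or its struct ucred. The struct knobs and struct cred types, the integer jail identifier and the function name model_bsd_visible_denied are assumptions of this example, and MAC policies are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the knobs named above (not the kernel's structures). */
struct knobs {
    int seeotheruids;  /* security.bsd.seeotheruids */
    int seeothergids;  /* security.bsd.seeothergids */
    int see_jail_proc; /* security.bsd.see_jail_proc */
    int suser_enabled; /* security.bsd.suser_enabled */
};

/* Constructed credential holding only the fields the three policies consult. */
struct cred {
    unsigned euid;          /* effective user ID; 0 is the superuser */
    unsigned ruid;          /* real user ID */
    const unsigned *groups; /* group set, unsorted */
    size_t ngroups;
    int jail;               /* jail identifier; 0 stands for the host here */
};

/* True when the two group sets have at least one member in common. */
static bool share_group(const struct cred *a, const struct cred *b)
{
    for (size_t i = 0; i < a->ngroups; i++)
        for (size_t j = 0; j < b->ngroups; j++)
            if (a->groups[i] == b->groups[j])
                return true;
    return false;
}

/* True when u1 is denied seeing u2 under the three policies. The superuser
 * exemption follows the text (effective UID 0 with suser_enabled non-zero);
 * MAC policies that may veto the exemption are not modelled. */
bool model_bsd_visible_denied(const struct knobs *k,
                              const struct cred *u1, const struct cred *u2)
{
    bool denied = (k->seeotheruids == 0 && u1->ruid != u2->ruid) ||
                  (k->seeothergids == 0 && !share_group(u1, u2)) ||
                  (k->see_jail_proc == 0 && u1->jail != u2->jail);
    if (denied && k->suser_enabled != 0 && u1->euid == 0)
        return false;
    return denied;
}
```

Setting a knob to 1 disables that policy in the model, so with all three set to 1 nothing is denied regardless of credentials.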