/**
* cap_ptrace_traceme - Determine whether another process may trace the current
* @parent: The task proposed to be the tracer
*
* Determine whether the nominated task is permitted to trace the current
* process, returning 0 if permission is granted, -ve if denied.
*/
int cap_ptrace_traceme(struct task_struct *parent)
{
int ret = 0;
rcu_read_lock();
if (!cap_issubset(current_cred()->cap_permitted,
__task_cred(parent)->cap_permitted) &&
!has_capability(parent, CAP_SYS_PTRACE))
ret = -EPERM;
rcu_read_unlock();
return ret;
}
int
check_nt_auth(int pwd_authenticated, struct passwd *pw)
{
/*
* The only authentication which is able to change the user
* context on NT systems is the password authentication. So
* we deny all requsts for changing the user context if another
* authentication method is used.
*
* This doesn't apply to Cygwin versions >= 1.3.2 anymore which
* uses the undocumented NtCreateToken() call to create a user
* token if the process has the appropriate privileges and if
* CYGWIN ntsec setting is on.
*/
static int has_create_token = -1;
if (pw == NULL)
return 0;
if (is_winnt) {
if (has_create_token < 0) {
char *cygwin = getenv("CYGWIN");
has_create_token = 0;
if (has_capability(HAS_CREATE_TOKEN) &&
(ntsec_on(cygwin) ||
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
!ntsec_off(cygwin)) ||
has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
has_create_token = 1;
}
if (has_create_token < 1 &&
!pwd_authenticated && geteuid() != pw->pw_uid)
return (0);
}
return (1);
}
int
check_ntsec(const char *filename)
{
char *cygwin;
int allow_ntea = 0, allow_ntsec = 0;
struct statfs fsstat;
/* Windows 95/98/ME don't support file system security at all. */
if (!is_winnt)
return (0);
/* Evaluate current CYGWIN settings. */
cygwin = getenv("CYGWIN");
allow_ntea = ntea_on(cygwin);
allow_ntsec = ntsec_on(cygwin) ||
(has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin));
/*
* `ntea' is an emulation of POSIX attributes. It doesn't support
* real file level security as ntsec on NTFS file systems does
* but it supports FAT filesystems. `ntea' is minimum requirement
* for security checks.
*/
if (allow_ntea)
return (1);
/*
* Retrieve file system flags. In Cygwin, file system flags are
* copied to f_type which has no meaning in Win32 itself.
*/
if (statfs(filename, &fsstat))
return (1);
/*
* Only file systems supporting ACLs are able to set permissions.
* `ntsec' is the setting in Cygwin which switches using of NTFS
* ACLs to support POSIX permissions on files.
*/
if (fsstat.f_type & FS_PERSISTENT_ACLS)
return (allow_ntsec);
return (0);
}
bool Nym::SetVerificationSet(const proto::VerificationSet& data)
{
eLock lock(shared_lock_);
if (false == has_capability(lock, NymCapability::SIGN_CHILDCRED)) {
otErr << OT_METHOD << __FUNCTION__ << ": This nym can not be modified."
<< std::endl;
return false;
}
revoke_verification_credentials(lock);
if (add_verification_credential(lock, data)) {
return update_nym(lock, version_);
}
return false;
}
bool Nym::set_contact_data(const eLock& lock, const proto::ContactData& data)
{
OT_ASSERT(verify_lock(lock));
auto version = proto::NymRequiredVersion(data.version(), version_);
if (!version || version > NYM_UPGRADE_VERSION) {
otErr << OT_METHOD << __FUNCTION__
<< ": Contact data version not supported by this nym."
<< std::endl;
return false;
}
if (false == has_capability(lock, NymCapability::SIGN_CHILDCRED)) {
otErr << OT_METHOD << __FUNCTION__ << ": This nym can not be modified."
<< std::endl;
return false;
}
if (false == proto::Validate(data, VERBOSE, false)) {
otErr << OT_METHOD << __FUNCTION__ << ": Invalid contact data."
<< std::endl;
return false;
}
revoke_contact_credentials(lock);
if (add_contact_credential(lock, data)) {
return update_nym(lock, version);
}
return false;
}
bool Nym::HasCapability(const NymCapability& capability) const
{
eLock lock(shared_lock_);
return has_capability(lock, capability);
}