Manual Reference Pages - PRIV (9)
- kernel privilege checking API
priv_check struct thread *td int priv
priv_check_cred struct ucred *cred int priv int flags
interfaces check to see if specific system privileges are granted to the
This interface replaces the now removed
privilege checking interface.
Privileges typically represent rights in one of two categories: the right to
manage a particular component of the system, or an exemption to a specific
policy or access control list.
The caller identifies the desired privilege via the
The optional flags argument,
is currently unused.
Privileges are typically granted based on one of two base system policies:
the superuser policy, which grants privilege based on the effective (or
sometimes real) UID having a value of 0, and the
policy, which permits only certain privileges to be granted to processes in a
The set of available privileges may also be influenced by the TrustedBSD MAC
Framework, described in
When adding a new privilege check to a code path, first check the complete
list of current privileges in
to see if one already exists for the class of privilege required.
Only if there is not an exact match should a new privilege be added to the
As privilege numbers becomes encoded in the kernel module ABI, privilege
constants must not be changed as any kernel modules depending on privileges
will then need to be recompiled.
When adding a new privilege, be certain to also determine whether it should
be listed in
which includes a complete list of privileges granted to the root user in
Certain catch-all privileges exist, such as
intended to be used by device drivers, rather than adding a new
Typically, 0 will be returned for success, and
will be returned on failure.
Most consumers of
will wish to directly return the error code from a failed privilege check to
user space; a small number will wish to translate it to another error code
appropriate to a specific context.
When designing new APIs, it is preferable to return explicit errors from a
call if privilege is not granted rather than changing the semantics of the
call but returning success.
For example, the behavior exhibited by
in which the generation field is optionally zerod out when there is
insufficient privilege is highly undesirable, as it results in frequent
privilege checks, and the caller is unable to tell if an access control
API and implementation were created by
.An Robert Watson
under contract to
nCircle Network Security, Inc.
Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.