vplat.c (3c2328bf3bf6527c6b28445336d32183a277b1e1) | vplat.c (5d08dfa0e47b41649eb5cfa0e8350f9e71383292) |
---|---|
1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE --- 4599 unchanged lines hidden (view full) --- 4608 "zone hostid is not valid: %s: %d", hostidp, res); 4609 return (Z_SYSTEM); 4610 } 4611 4612 return (res); 4613} 4614 4615static int | 1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE --- 4599 unchanged lines hidden (view full) --- 4608 "zone hostid is not valid: %s: %d", hostidp, res); 4609 return (Z_SYSTEM); 4610 } 4611 4612 return (res); 4613} 4614 4615static int |
4616secflags_parse_check(secflagset_t *flagset, const char *flagstr, char *descr, 4617 zlog_t *zlogp) 4618{ 4619 secflagdelta_t delt; 4620 4621 if (secflags_parse(NULL, flagstr, &delt) == -1) { 4622 zerror(zlogp, B_FALSE, 4623 "failed to parse %s security-flags '%s': %s", 4624 descr, flagstr, strerror(errno)); 4625 return (Z_BAD_PROPERTY); 4626 } 4627 4628 if (delt.psd_ass_active != B_TRUE) { 4629 zerror(zlogp, B_FALSE, 4630 "relative security-flags are not allowed " 4631 "(%s security-flags: '%s')", descr, flagstr); 4632 return (Z_BAD_PROPERTY); 4633 } 4634 4635 secflags_copy(flagset, &delt.psd_assign); 4636 4637 return (Z_OK); 4638} 4639 4640static int |
|
4616setup_zone_secflags(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) 4617{ 4618 psecflags_t secflags; 4619 struct zone_secflagstab tab = {0}; | 4641setup_zone_secflags(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) 4642{ 4643 psecflags_t secflags; 4644 struct zone_secflagstab tab = {0}; |
4620 secflagdelta_t delt; | 4645 secflagset_t flagset; |
4621 int res; 4622 4623 res = zonecfg_lookup_secflags(handle, &tab); 4624 | 4646 int res; 4647 4648 res = zonecfg_lookup_secflags(handle, &tab); 4649 |
4625 if ((res != Z_OK) && 4626 /* The general defaulting code will handle this */ 4627 (res != Z_NO_ENTRY) && (res != Z_BAD_PROPERTY)) { 4628 zerror(zlogp, B_FALSE, "security-flags property is " 4629 "invalid: %d", res); | 4650 /* 4651 * If the zone configuration does not define any security flag sets, 4652 * then check to see if there are any default flags configured for 4653 * the brand. If so, set these as the default set for this zone and 4654 * the lower/upper sets will become none/all as per the defaults. 4655 * 4656 * If there is no brand default either, then the flags will be 4657 * defaulted below. 4658 */ 4659 if (res == Z_NO_ENTRY) { 4660 char flagstr[ZONECFG_SECFLAGS_MAX]; 4661 brand_handle_t bh = NULL; 4662 4663 if ((bh = brand_open(brand_name)) == NULL) { 4664 zerror(zlogp, B_FALSE, 4665 "unable to find brand named %s", brand_name); 4666 return (Z_BAD_PROPERTY); 4667 } 4668 if (brand_get_secflags(bh, flagstr, sizeof (flagstr)) != 0) { 4669 brand_close(bh); 4670 zerror(zlogp, B_FALSE, 4671 "unable to retrieve brand default security flags"); 4672 return (Z_BAD_PROPERTY); 4673 } 4674 brand_close(bh); 4675 4676 if (*flagstr != '\0' && 4677 strlcpy(tab.zone_secflags_default, flagstr, 4678 sizeof (tab.zone_secflags_default)) >= 4679 sizeof (tab.zone_secflags_default)) { 4680 zerror(zlogp, B_FALSE, 4681 "brand default security-flags is too long"); 4682 return (Z_BAD_PROPERTY); 4683 } 4684 } else if (res != Z_OK) { 4685 zerror(zlogp, B_FALSE, 4686 "security-flags property is invalid: %d", res); |
4630 return (res); 4631 } 4632 | 4687 return (res); 4688 } 4689 |
4633 if (strlen(tab.zone_secflags_lower) == 0) | 4690 if (strlen(tab.zone_secflags_lower) == 0) { |
4634 (void) strlcpy(tab.zone_secflags_lower, "none", 4635 sizeof (tab.zone_secflags_lower)); | 4691 (void) strlcpy(tab.zone_secflags_lower, "none", 4692 sizeof (tab.zone_secflags_lower)); |
4636 if (strlen(tab.zone_secflags_default) == 0) | 4693 } 4694 if (strlen(tab.zone_secflags_default) == 0) { |
4637 (void) strlcpy(tab.zone_secflags_default, 4638 tab.zone_secflags_lower, 4639 sizeof (tab.zone_secflags_default)); | 4695 (void) strlcpy(tab.zone_secflags_default, 4696 tab.zone_secflags_lower, 4697 sizeof (tab.zone_secflags_default)); |
4640 if (strlen(tab.zone_secflags_upper) == 0) | 4698 } 4699 if (strlen(tab.zone_secflags_upper) == 0) { |
4641 (void) strlcpy(tab.zone_secflags_upper, "all", 4642 sizeof (tab.zone_secflags_upper)); | 4700 (void) strlcpy(tab.zone_secflags_upper, "all", 4701 sizeof (tab.zone_secflags_upper)); |
4702 } |
|
4643 | 4703 |
4644 if (secflags_parse(NULL, tab.zone_secflags_default, 4645 &delt) == -1) { 4646 zerror(zlogp, B_FALSE, "default security-flags: '%s'" 4647 "are invalid", tab.zone_secflags_default); 4648 return (Z_BAD_PROPERTY); 4649 } else if (delt.psd_ass_active != B_TRUE) { 4650 zerror(zlogp, B_FALSE, "relative security-flags are not " 4651 "allowed in zone configuration (default " 4652 "security-flags: '%s')", 4653 tab.zone_secflags_default); 4654 return (Z_BAD_PROPERTY); | 4704 if ((res = secflags_parse_check(&flagset, tab.zone_secflags_default, 4705 "default", zlogp)) != Z_OK) { 4706 return (res); |
4655 } else { | 4707 } else { |
4656 secflags_copy(&secflags.psf_inherit, &delt.psd_assign); 4657 secflags_copy(&secflags.psf_effective, &delt.psd_assign); | 4708 secflags_copy(&secflags.psf_inherit, &flagset); 4709 secflags_copy(&secflags.psf_effective, &flagset); |
4658 } 4659 | 4710 } 4711 |
4660 if (secflags_parse(NULL, tab.zone_secflags_lower, 4661 &delt) == -1) { 4662 zerror(zlogp, B_FALSE, "lower security-flags: '%s'" 4663 "are invalid", tab.zone_secflags_lower); 4664 return (Z_BAD_PROPERTY); 4665 } else if (delt.psd_ass_active != B_TRUE) { 4666 zerror(zlogp, B_FALSE, "relative security-flags are not " 4667 "allowed in zone configuration (lower " 4668 "security-flags: '%s')", 4669 tab.zone_secflags_lower); 4670 return (Z_BAD_PROPERTY); | 4712 if ((res = secflags_parse_check(&flagset, tab.zone_secflags_lower, 4713 "lower", zlogp)) != Z_OK) { 4714 return (res); |
4671 } else { | 4715 } else { |
4672 secflags_copy(&secflags.psf_lower, &delt.psd_assign); | 4716 secflags_copy(&secflags.psf_lower, &flagset); |
4673 } 4674 | 4717 } 4718 |
4675 if (secflags_parse(NULL, tab.zone_secflags_upper, 4676 &delt) == -1) { 4677 zerror(zlogp, B_FALSE, "upper security-flags: '%s'" 4678 "are invalid", tab.zone_secflags_upper); 4679 return (Z_BAD_PROPERTY); 4680 } else if (delt.psd_ass_active != B_TRUE) { 4681 zerror(zlogp, B_FALSE, "relative security-flags are not " 4682 "allowed in zone configuration (upper " 4683 "security-flags: '%s')", 4684 tab.zone_secflags_upper); 4685 return (Z_BAD_PROPERTY); | 4719 if ((res = secflags_parse_check(&flagset, tab.zone_secflags_upper, 4720 "upper", zlogp)) != Z_OK) { 4721 return (res); |
4686 } else { | 4722 } else { |
4687 secflags_copy(&secflags.psf_upper, &delt.psd_assign); | 4723 secflags_copy(&secflags.psf_upper, &flagset); |
4688 } 4689 4690 if (!psecflags_validate(&secflags)) { 4691 zerror(zlogp, B_TRUE, "security-flags violate invariants"); 4692 return (Z_BAD_PROPERTY); 4693 } 4694 4695 if ((res = zone_setattr(zoneid, ZONE_ATTR_SECFLAGS, &secflags, --- 744 unchanged lines hidden --- | 4724 } 4725 4726 if (!psecflags_validate(&secflags)) { 4727 zerror(zlogp, B_TRUE, "security-flags violate invariants"); 4728 return (Z_BAD_PROPERTY); 4729 } 4730 4731 if ((res = zone_setattr(zoneid, ZONE_ATTR_SECFLAGS, &secflags, --- 744 unchanged lines hidden --- |
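Review bot: The new `else if (res != Z_OK)` branch makes a `Z_BAD_PROPERTY` result from `zonecfg_lookup_secflags()` fatal, whereas the old condition excluded it (`(res != Z_NO_ENTRY) && (res != Z_BAD_PROPERTY)`, commented "The general defaulting code will handle this") and let the lower/default/upper defaulting below fill the gaps. Refusing a malformed security-flags resource is safer than silently booting the zone with `none`, but if the lookup can return `Z_BAD_PROPERTY` for a resource that sets only some of the three properties (not visible on this page), such zones would stop booting after this change. Either record the intent on that branch, e.g. `/* Z_BAD_PROPERTY is fatal here: never fall back to defaults for a malformed security-flags resource */`, or keep the old tolerance with `} else if (res != Z_OK && res != Z_BAD_PROPERTY) {`. Separately, `descr` in `secflags_parse_check()` only receives string literals in the visible calls and could be declared `const char *descr`. The body of `setup_zone_secflags()` continues past the end of this section.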