40 priv_policy_ns(const cred_t *cr, int capability, int err,  in priv_policy_ns()  argument
52 	    (cr != CRED() && cr != kcred) ? override_creds(cr) : NULL;  in priv_policy_ns()
68 priv_policy(const cred_t *cr, int capability, int err)  in priv_policy()  argument
70 	return (priv_policy_ns(cr, capability, err, cr->user_ns));  in priv_policy()
74 priv_policy_user(const cred_t *cr, int capability, int err)  in priv_policy_user()  argument
83 	return (priv_policy_ns(cr, capability, err, cr->user_ns));  in priv_policy_user()
85 	return (priv_policy_ns(cr, capability, err, NULL));  in priv_policy_user()
94 secpolicy_nfs(const cred_t *cr)  in secpolicy_nfs()  argument
96 	return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));  in secpolicy_nfs()
103 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)  in secpolicy_sys_config()  argument
105 	return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));  in secpolicy_sys_config()
115 secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,  in secpolicy_vnode_access2()  argument
128 secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)  in secpolicy_vnode_any_access()  argument
130 	if (crgetuid(cr) == owner)  in secpolicy_vnode_any_access()
137 	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))  in secpolicy_vnode_any_access()
141 	if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0)  in secpolicy_vnode_any_access()
144 	if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0)  in secpolicy_vnode_any_access()
154 secpolicy_vnode_chown(const cred_t *cr, uid_t owner)  in secpolicy_vnode_chown()  argument
156 	if (crgetuid(cr) == owner)  in secpolicy_vnode_chown()
160 	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))  in secpolicy_vnode_chown()
164 	return (priv_policy_user(cr, CAP_FOWNER, EPERM));  in secpolicy_vnode_chown()
171 secpolicy_vnode_create_gid(const cred_t *cr)  in secpolicy_vnode_create_gid()  argument
173 	return (priv_policy(cr, CAP_SETGID, EPERM));  in secpolicy_vnode_create_gid()
181 secpolicy_vnode_remove(const cred_t *cr)  in secpolicy_vnode_remove()  argument
183 	return (priv_policy(cr, CAP_FOWNER, EPERM));  in secpolicy_vnode_remove()
191 secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)  in secpolicy_vnode_setdac()  argument
193 	if (crgetuid(cr) == owner)  in secpolicy_vnode_setdac()
197 	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))  in secpolicy_vnode_setdac()
201 	return (priv_policy_user(cr, CAP_FOWNER, EPERM));  in secpolicy_vnode_setdac()
213 secpolicy_vnode_setid_retain(struct znode *zp __maybe_unused, const cred_t *cr,  in secpolicy_vnode_setid_retain()  argument
216 	return (priv_policy_user(cr, CAP_FSETID, EPERM));  in secpolicy_vnode_setid_retain()
223 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid, zidmap_t *mnt_ns,  in secpolicy_vnode_setids_setgids()  argument
228 	if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))  in secpolicy_vnode_setids_setgids()
231 	if (crgetgid(cr) != gid && !groupmember(gid, cr))  in secpolicy_vnode_setids_setgids()
232 		return (priv_policy_user(cr, CAP_FSETID, EPERM));  in secpolicy_vnode_setids_setgids()
242 secpolicy_zinject(const cred_t *cr)  in secpolicy_zinject()  argument
244 	return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));  in secpolicy_zinject()
252 secpolicy_zfs(const cred_t *cr)  in secpolicy_zfs()  argument
254 	return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));  in secpolicy_zfs()
258 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)  in secpolicy_setid_clear()  argument
261 	    secpolicy_vnode_setid_retain(NULL, cr,  in secpolicy_setid_clear()
273 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner, zidmap_t *mnt_ns,  in secpolicy_vnode_setid_modify()  argument
278 	if (crgetuid(cr) == owner)  in secpolicy_vnode_setid_modify()
282 	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))  in secpolicy_vnode_setid_modify()
286 	return (priv_policy_user(cr, CAP_FSETID, EPERM));  in secpolicy_vnode_setid_modify()
295 secpolicy_vnode_stky_modify(const cred_t *cr)  in secpolicy_vnode_stky_modify()  argument
302     const vattr_t *ovap, cred_t *cr, zidmap_t *mnt_ns,  in secpolicy_setid_setsticky_clear()  argument
308 	    (error = secpolicy_vnode_setid_modify(cr,  in secpolicy_setid_setsticky_clear()
318 	    secpolicy_vnode_stky_modify(cr) != 0) {  in secpolicy_setid_setsticky_clear()
327 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid,  in secpolicy_setid_setsticky_clear()
339 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, mode_t type)  in secpolicy_xvattr()  argument
341 	return (secpolicy_vnode_chown(cr, owner));  in secpolicy_xvattr()
350 secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,  in secpolicy_vnode_setattr()  argument
363 secpolicy_basic_link(const cred_t *cr)  in secpolicy_basic_link()  argument