Lines Matching refs:cr

/*
 * Privilege-test helpers used by the policy checks in this listing. Every
 * test reads the set selected by CR_OEPRIV(cr); that macro is defined outside
 * this listing (presumably the credential's effective privilege set; confirm
 * against its definition).
 * NOTE(review): these are function-like macros, not functions.
 * HAS_ALLZONEPRIVS expands `cr` twice and HAS_PRIVILEGE expands `pr` twice,
 * so callers must pass side-effect-free arguments.
 */
/* True when priv_isfullset() reports that the CR_OEPRIV(cr) set is full. */
159 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))  argument
/*
 * Privilege set of the credential's zone. Dereferences cr and cr->cr_zone
 * with no NULL check, so the caller must supply a credential with a zone.
 */
160 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) argument
/*
 * Passes the zone's set and the credential's set to priv_issubset();
 * presumably true when every privilege in the zone's set is also held in
 * CR_OEPRIV(cr). This is the extra condition applied by the `allzone` checks.
 */
161 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) argument
/*
 * Single-privilege test. PRIV_ALL is special-cased to require the full set
 * (HAS_ALLPRIVS); any other value is tested with PRIV_ISASSERT on
 * CR_OEPRIV(cr). No range check on `pr` is visible here.
 * NOTE(review): confirm that PRIV_ISASSERT or its callers bound the value.
 */
162 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ argument
163 HAS_ALLPRIVS(cr) : \
164 PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
166 #define FAST_BASIC_CHECK(cr, priv) \ argument
167 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
230 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) in priv_policy_errmsg() argument
257 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) in priv_policy_errmsg()
319 if (CR_FLAGS(cr) & PRIV_DEBUG) { in priv_policy_errmsg()
327 cr->cr_uid, curthread->t_sysnum, msg, sym, off); in priv_policy_errmsg()
332 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, in priv_policy_errmsg()
342 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) in priv_policy_override() argument
347 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) in priv_policy_override()
353 set = *ZONEPRIVS(cr); in priv_policy_override()
358 ret = klpd_call(cr, &set, ap); in priv_policy_override()
363 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) in priv_policy_override_set() argument
365 if (CR_FLAGS(cr) & PRIV_PFEXEC) in priv_policy_override_set()
366 return (check_user_privs(cr, req)); in priv_policy_override_set()
367 if (CR_FLAGS(cr) & PRIV_XPOLICY) { in priv_policy_override_set()
368 return (klpd_call(cr, req, ap)); in priv_policy_override_set()
374 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) in priv_policy_override_set_va() argument
380 ret = priv_policy_override_set(cr, req, ap); in priv_policy_override_set_va()
389 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) in priv_policy_err() argument
393 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); in priv_policy_err()
396 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || in priv_policy_err()
398 if (allzone && !HAS_ALLZONEPRIVS(cr)) { in priv_policy_err()
399 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); in priv_policy_err()
401 ASSERT(!HAS_PRIVILEGE(cr, priv)); in priv_policy_err()
402 priv_policy_errmsg(cr, priv, msg); in priv_policy_err()
413 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, in priv_policy_ap() argument
416 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || in priv_policy_ap()
418 priv_policy_override(cr, priv, allzone, ap) == 0)) { in priv_policy_ap()
425 allzone ? ZONEPRIVS(cr) : NULL, 1); in priv_policy_ap()
431 priv_policy_err(cr, priv, allzone, msg); in priv_policy_ap()
437 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, in priv_policy_va() argument
444 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); in priv_policy_va()
451 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, in priv_policy() argument
454 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); in priv_policy()
461 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) in priv_policy_choice() argument
463 boolean_t res = HAS_PRIVILEGE(cr, priv) && in priv_policy_choice()
464 (!allzone || HAS_ALLZONEPRIVS(cr)); in priv_policy_choice()
470 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); in priv_policy_choice()
484 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) in priv_policy_only() argument
486 boolean_t res = HAS_PRIVILEGE(cr, priv) && in priv_policy_only()
487 (!allzone || HAS_ALLZONEPRIVS(cr)); in priv_policy_only()
501 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, in secpolicy_require_set() argument
510 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, in secpolicy_require_set()
511 &CR_OEPRIV(cr))) { in secpolicy_require_set()
516 ret = priv_policy_override_set(cr, req, ap); in secpolicy_require_set()
522 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); in secpolicy_require_set()
526 pset = CR_OEPRIV(cr); /* present privileges */ in secpolicy_require_set()
535 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { in secpolicy_require_set()
540 priv_policy_errmsg(cr, PRIV_MULTIPLE, in secpolicy_require_set()
549 priv_policy_errmsg(cr, pfound, msg); in secpolicy_require_set()
560 priv_policy_global(const cred_t *cr) in priv_policy_global() argument
562 if (crgetzoneid(cr) == GLOBAL_ZONEID) in priv_policy_global()
565 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || in priv_policy_global()
567 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); in priv_policy_global()
576 secpolicy_raisepriority(const cred_t *cr) in secpolicy_raisepriority() argument
578 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) in secpolicy_raisepriority()
580 return (secpolicy_setpriority(cr)); in secpolicy_raisepriority()
587 secpolicy_setpriority(const cred_t *cr) in secpolicy_setpriority() argument
589 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); in secpolicy_setpriority()
600 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) in secpolicy_net_privaddr() argument
617 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) in secpolicy_net_privaddr()
641 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, in secpolicy_net_privaddr()
649 secpolicy_net_bindmlp(const cred_t *cr) in secpolicy_net_bindmlp() argument
651 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); in secpolicy_net_bindmlp()
659 secpolicy_net_mac_aware(const cred_t *cr) in secpolicy_net_mac_aware() argument
661 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); in secpolicy_net_mac_aware()
668 secpolicy_net_mac_implicit(const cred_t *cr) in secpolicy_net_mac_implicit() argument
670 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); in secpolicy_net_mac_implicit()
682 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, in secpolicy_fs_common() argument
694 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { in secpolicy_fs_common()
698 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, in secpolicy_fs_common()
708 zoneid_t zoneid = crgetzoneid(cr); in secpolicy_fs_common()
732 HAS_ALLZONEPRIVS(cr)) { in secpolicy_fs_common()
739 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); in secpolicy_fs_common()
743 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) in secpolicy_fs_common()
746 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, in secpolicy_fs_common()
751 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, in secpolicy_fs_common()
756 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) in secpolicy_fs_mount_clearopts() argument
758 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); in secpolicy_fs_mount_clearopts()
771 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) in secpolicy_fs_mount_clearopts()
832 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) in secpolicy_fs_mount() argument
848 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); in secpolicy_fs_mount()
851 secpolicy_fs_mount_clearopts(cr, vfsp); in secpolicy_fs_mount()
864 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) in secpolicy_fs_owner() argument
875 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); in secpolicy_fs_owner()
879 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) in secpolicy_fs_unmount() argument
881 return (secpolicy_fs_owner(cr, vfsp)); in secpolicy_fs_unmount()
889 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_quota() argument
891 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); in secpolicy_fs_quota()
898 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_minfree() argument
900 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); in secpolicy_fs_minfree()
904 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_config() argument
906 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); in secpolicy_fs_config()
911 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_linkdir() argument
930 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); in secpolicy_fs_linkdir()
961 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) in secpolicy_vnode_access() argument
963 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, in secpolicy_vnode_access()
972 if (owner == 0 && cr->cr_uid != 0) in secpolicy_vnode_access()
976 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, in secpolicy_vnode_access()
990 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, in secpolicy_vnode_access()
1001 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, in secpolicy_vnode_access2() argument
1008 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && in secpolicy_vnode_access2()
1009 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, in secpolicy_vnode_access2()
1015 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && in secpolicy_vnode_access2()
1016 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, in secpolicy_vnode_access2()
1026 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, in secpolicy_vnode_access2()
1035 if (owner == 0 && cr->cr_uid != 0) in secpolicy_vnode_access2()
1039 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, in secpolicy_vnode_access2()
1053 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, in secpolicy_vnode_access2()
1066 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) in secpolicy_vnode_any_access() argument
1079 if (owner == cr->cr_uid) in secpolicy_vnode_any_access()
1102 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) in secpolicy_vnode_any_access()
1117 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) in secpolicy_vnode_setid_modify() argument
1123 if (owner == cr->cr_uid) in secpolicy_vnode_setid_modify()
1127 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); in secpolicy_vnode_setid_modify()
1284 secpolicy_vnode_remove(const cred_t *cr) in secpolicy_vnode_remove() argument
1286 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, in secpolicy_vnode_remove()
1291 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) in secpolicy_vnode_owner() argument
1295 if (owner == cr->cr_uid) in secpolicy_vnode_owner()
1298 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); in secpolicy_vnode_owner()
1302 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) in secpolicy_setid_clear() argument
1305 secpolicy_vnode_setid_retain(cr, in secpolicy_setid_clear()
1315 cred_t *cr) in secpolicy_setid_setsticky_clear() argument
1320 (error = secpolicy_vnode_setid_modify(cr, in secpolicy_setid_setsticky_clear()
1330 secpolicy_vnode_stky_modify(cr) != 0) { in secpolicy_setid_setsticky_clear()
1339 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { in secpolicy_setid_setsticky_clear()
1346 #define ATTR_FLAG_PRIV(attr, value, cr) \ argument
1347 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1354 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) in secpolicy_xvattr() argument
1372 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) in secpolicy_xvattr()
1382 xoap->xoa_immutable, cr); in secpolicy_xvattr()
1385 xoap->xoa_nounlink, cr); in secpolicy_xvattr()
1388 xoap->xoa_appendonly, cr); in secpolicy_xvattr()
1391 xoap->xoa_nodump, cr); in secpolicy_xvattr()
1396 xoap->xoa_av_quarantined, cr); in secpolicy_xvattr()
1402 xoap->xoa_av_modified, cr); in secpolicy_xvattr()
1405 xoap->xoa_av_scanstamp, cr); in secpolicy_xvattr()
1444 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, in secpolicy_vnode_setattr() argument
1466 error = unlocked_access(node, VWRITE, cr); in secpolicy_vnode_setattr()
1480 error = secpolicy_vnode_setdac3(cr, ovap->va_uid, implicit); in secpolicy_vnode_setattr()
1485 ovap, cr)) != 0) in secpolicy_vnode_setattr()
1511 } else if (cr->cr_uid != ovap->va_uid) { in secpolicy_vnode_setattr()
1516 !groupmember(vap->va_gid, cr))) { in secpolicy_vnode_setattr()
1524 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { in secpolicy_vnode_setattr()
1532 secpolicy_setid_clear(vap, cr); in secpolicy_vnode_setattr()
1542 if (cr->cr_uid != ovap->va_uid) { in secpolicy_vnode_setattr()
1544 error = secpolicy_vnode_utime_modify(cr); in secpolicy_vnode_setattr()
1546 error = unlocked_access(node, VWRITE, cr); in secpolicy_vnode_setattr()
1548 secpolicy_vnode_utime_modify(cr) == 0) in secpolicy_vnode_setattr()
1560 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, in secpolicy_vnode_setattr()
1585 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) in secpolicy_ipc_owner() argument
1587 if (crgetzoneid(cr) != ip->ipc_zoneid || in secpolicy_ipc_owner()
1588 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { in secpolicy_ipc_owner()
1592 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); in secpolicy_ipc_owner()
1598 secpolicy_ipc_config(const cred_t *cr) in secpolicy_ipc_config() argument
1600 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_ipc_config()
1604 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) in secpolicy_ipc_access() argument
1612 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) in secpolicy_ipc_access()
1616 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) in secpolicy_ipc_access()
1619 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, in secpolicy_ipc_access()
1626 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) in secpolicy_rsm_access() argument
1633 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) in secpolicy_rsm_access()
1637 if (cr->cr_uid != 0 && owner == 0) in secpolicy_rsm_access()
1640 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, in secpolicy_rsm_access()
1650 secpolicy_audit_config(const cred_t *cr) in secpolicy_audit_config() argument
1652 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); in secpolicy_audit_config()
1659 secpolicy_audit_modify(const cred_t *cr) in secpolicy_audit_modify() argument
1661 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); in secpolicy_audit_modify()
1670 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) in secpolicy_audit_getattr() argument
1674 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) in secpolicy_audit_getattr()
1680 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); in secpolicy_audit_getattr()
1682 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); in secpolicy_audit_getattr()
1690 secpolicy_lock_memory(const cred_t *cr) in secpolicy_lock_memory() argument
1692 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); in secpolicy_lock_memory()
1699 secpolicy_acct(const cred_t *cr) in secpolicy_acct() argument
1701 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); in secpolicy_acct()
1719 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) in secpolicy_allow_setid() argument
1723 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && in secpolicy_allow_setid()
1724 cr->cr_ruid != 0) { in secpolicy_allow_setid()
1728 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : in secpolicy_allow_setid()
1729 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); in secpolicy_allow_setid()
1788 secpolicy_pset(const cred_t *cr) in secpolicy_pset() argument
1790 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_pset()
1795 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp) in secpolicy_psecflags() argument
1797 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0) in secpolicy_psecflags()
1800 if (!prochasprocperm(tp, sp, cr)) in secpolicy_psecflags()
1810 secpolicy_pbind(const cred_t *cr) in secpolicy_pbind() argument
1812 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) in secpolicy_pbind()
1813 return (secpolicy_pset(cr)); in secpolicy_pbind()
1814 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); in secpolicy_pbind()
1818 secpolicy_ponline(const cred_t *cr) in secpolicy_ponline() argument
1820 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_ponline()
1824 secpolicy_pool(const cred_t *cr) in secpolicy_pool() argument
1826 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_pool()
1830 secpolicy_blacklist(const cred_t *cr) in secpolicy_blacklist() argument
1832 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_blacklist()
1839 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) in secpolicy_sys_config() argument
1842 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : in secpolicy_sys_config()
1845 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_sys_config()
1853 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) in secpolicy_zone_admin() argument
1856 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : in secpolicy_zone_admin()
1859 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, in secpolicy_zone_admin()
1868 secpolicy_zone_config(const cred_t *cr) in secpolicy_zone_config() argument
1874 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_zone_config()
1881 secpolicy_coreadm(const cred_t *cr) in secpolicy_coreadm() argument
1883 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); in secpolicy_coreadm()
1887 secpolicy_systeminfo(const cred_t *cr) in secpolicy_systeminfo() argument
1889 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); in secpolicy_systeminfo()
1893 secpolicy_dispadm(const cred_t *cr) in secpolicy_dispadm() argument
1895 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_dispadm()
1899 secpolicy_settime(const cred_t *cr) in secpolicy_settime() argument
1901 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); in secpolicy_settime()
1908 secpolicy_clock_highres(const cred_t *cr) in secpolicy_clock_highres() argument
1910 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, in secpolicy_clock_highres()
1921 drv_priv(cred_t *cr) in drv_priv() argument
1923 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in drv_priv()
1927 secpolicy_sys_devices(const cred_t *cr) in secpolicy_sys_devices() argument
1929 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in secpolicy_sys_devices()
1933 secpolicy_excl_open(const cred_t *cr) in secpolicy_excl_open() argument
1935 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); in secpolicy_excl_open()
1939 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) in secpolicy_rctlsys() argument
1942 if (is_zone_rctl && priv_policy_global(cr) != 0) in secpolicy_rctlsys()
1944 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); in secpolicy_rctlsys()
1948 secpolicy_resource(const cred_t *cr) in secpolicy_resource() argument
1950 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); in secpolicy_resource()
1954 secpolicy_resource_anon_mem(const cred_t *cr) in secpolicy_resource_anon_mem() argument
1956 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); in secpolicy_resource_anon_mem()
1964 secpolicy_newproc(const cred_t *cr) in secpolicy_newproc() argument
1966 if (cr->cr_ruid == 0) in secpolicy_newproc()
1969 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); in secpolicy_newproc()
1976 secpolicy_net_rawaccess(const cred_t *cr) in secpolicy_net_rawaccess() argument
1978 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); in secpolicy_net_rawaccess()
1982 secpolicy_net_observability(const cred_t *cr) in secpolicy_net_observability() argument
1984 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); in secpolicy_net_observability()
1991 secpolicy_net_icmpaccess(const cred_t *cr) in secpolicy_net_icmpaccess() argument
1993 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); in secpolicy_net_icmpaccess()
2002 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) in secpolicy_net_config() argument
2005 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? in secpolicy_net_config()
2008 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, in secpolicy_net_config()
2022 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) in secpolicy_ip_config() argument
2024 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_ip_config()
2025 return (secpolicy_net_config(cr, checkonly)); in secpolicy_ip_config()
2028 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? in secpolicy_ip_config()
2031 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, in secpolicy_ip_config()
2040 secpolicy_dl_config(const cred_t *cr) in secpolicy_dl_config() argument
2042 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_dl_config()
2043 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_dl_config()
2044 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_dl_config()
2051 secpolicy_iptun_config(const cred_t *cr) in secpolicy_iptun_config() argument
2053 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_iptun_config()
2054 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_iptun_config()
2055 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) in secpolicy_iptun_config()
2056 return (secpolicy_dl_config(cr)); in secpolicy_iptun_config()
2057 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_iptun_config()
2065 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) in secpolicy_ip() argument
2082 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); in secpolicy_ip()
2084 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); in secpolicy_ip()
2092 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) in secpolicy_net() argument
2109 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); in secpolicy_net()
2111 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); in secpolicy_net()
2119 secpolicy_nfs(const cred_t *cr) in secpolicy_nfs() argument
2121 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); in secpolicy_nfs()
2129 secpolicy_rpcmod_open(const cred_t *cr) in secpolicy_rpcmod_open() argument
2131 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) in secpolicy_rpcmod_open()
2132 return (secpolicy_nfs(cr)); in secpolicy_rpcmod_open()
2134 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_rpcmod_open()
2138 secpolicy_chroot(const cred_t *cr) in secpolicy_chroot() argument
2140 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); in secpolicy_chroot()
2144 secpolicy_tasksys(const cred_t *cr) in secpolicy_tasksys() argument
2146 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); in secpolicy_tasksys()
2150 secpolicy_meminfo(const cred_t *cr) in secpolicy_meminfo() argument
2152 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL)); in secpolicy_meminfo()
2156 secpolicy_pfexec_register(const cred_t *cr) in secpolicy_pfexec_register() argument
2158 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); in secpolicy_pfexec_register()
2165 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) in secpolicy_basic_exec() argument
2167 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); in secpolicy_basic_exec()
2169 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, in secpolicy_basic_exec()
2174 secpolicy_basic_fork(const cred_t *cr) in secpolicy_basic_fork() argument
2176 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); in secpolicy_basic_fork()
2178 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); in secpolicy_basic_fork()
2182 secpolicy_basic_proc(const cred_t *cr) in secpolicy_basic_proc() argument
2184 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); in secpolicy_basic_proc()
2186 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); in secpolicy_basic_proc()
2197 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) in secpolicy_basic_procinfo() argument
2200 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { in secpolicy_basic_procinfo()
2203 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); in secpolicy_basic_procinfo()
2208 secpolicy_basic_link(const cred_t *cr) in secpolicy_basic_link() argument
2210 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); in secpolicy_basic_link()
2212 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); in secpolicy_basic_link()
2216 secpolicy_basic_net_access(const cred_t *cr) in secpolicy_basic_net_access() argument
2218 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); in secpolicy_basic_net_access()
2220 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); in secpolicy_basic_net_access()
2225 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) in secpolicy_basic_file_read() argument
2227 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); in secpolicy_basic_file_read()
2229 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, in secpolicy_basic_file_read()
2235 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) in secpolicy_basic_file_write() argument
2237 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); in secpolicy_basic_file_write()
2239 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, in secpolicy_basic_file_write()
2258 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) in secpolicy_spec_open() argument
2297 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && in secpolicy_spec_open()
2298 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { in secpolicy_spec_open()
2303 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); in secpolicy_spec_open()
2310 secpolicy_modctl(const cred_t *cr, int cmd) in secpolicy_modctl() argument
2334 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, in secpolicy_modctl()
2337 return (secpolicy_sys_config(cr, B_FALSE)); in secpolicy_modctl()
2342 secpolicy_console(const cred_t *cr) in secpolicy_console() argument
2344 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in secpolicy_console()
2348 secpolicy_power_mgmt(const cred_t *cr) in secpolicy_power_mgmt() argument
2350 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in secpolicy_power_mgmt()
2358 secpolicy_sti(const cred_t *cr) in secpolicy_sti() argument
2360 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_sti()
2364 secpolicy_net_reply_equal(const cred_t *cr) in secpolicy_net_reply_equal() argument
2366 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_net_reply_equal()
2370 secpolicy_swapctl(const cred_t *cr) in secpolicy_swapctl() argument
2372 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_swapctl()
2376 secpolicy_cpc_cpu(const cred_t *cr) in secpolicy_cpc_cpu() argument
2378 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); in secpolicy_cpc_cpu()
2387 secpolicy_contract_identity(const cred_t *cr) in secpolicy_contract_identity() argument
2389 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); in secpolicy_contract_identity()
2398 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) in secpolicy_contract_observer() argument
2400 if (contract_owned(ct, cr, B_FALSE)) in secpolicy_contract_observer()
2402 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); in secpolicy_contract_observer()
2412 secpolicy_contract_observer_choice(const cred_t *cr) in secpolicy_contract_observer_choice() argument
2414 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); in secpolicy_contract_observer_choice()
2424 secpolicy_contract_event(const cred_t *cr) in secpolicy_contract_event() argument
2426 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); in secpolicy_contract_event()
2437 secpolicy_contract_event_choice(const cred_t *cr) in secpolicy_contract_event_choice() argument
2439 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); in secpolicy_contract_event_choice()
2449 secpolicy_gart_access(const cred_t *cr) in secpolicy_gart_access() argument
2451 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); in secpolicy_gart_access()
2461 secpolicy_gart_map(const cred_t *cr) in secpolicy_gart_map() argument
2463 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { in secpolicy_gart_map()
2464 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, in secpolicy_gart_map()
2467 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, in secpolicy_gart_map()
2480 secpolicy_hwmanip(const cred_t *cr) in secpolicy_hwmanip() argument
2482 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_hwmanip()
2492 secpolicy_zinject(const cred_t *cr) in secpolicy_zinject() argument
2494 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_zinject()
2504 secpolicy_zfs(const cred_t *cr) in secpolicy_zfs() argument
2506 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); in secpolicy_zfs()
2516 secpolicy_idmap(const cred_t *cr) in secpolicy_idmap() argument
2518 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); in secpolicy_idmap()
2565 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) in secpolicy_require_privs() argument
2569 rqd = CR_OPPRIV(cr); in secpolicy_require_privs()
2574 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); in secpolicy_require_privs()
2589 secpolicy_smb(const cred_t *cr) in secpolicy_smb() argument
2591 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); in secpolicy_smb()
2609 secpolicy_vscan(const cred_t *cr) in secpolicy_vscan() argument
2611 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || in secpolicy_vscan()
2612 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || in secpolicy_vscan()
2613 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { in secpolicy_vscan()
2631 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) in secpolicy_smbfs_login() argument
2633 uid_t cruid = crgetruid(cr); in secpolicy_smbfs_login()
2637 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, in secpolicy_smbfs_login()
2652 secpolicy_xvm_control(const cred_t *cr) in secpolicy_xvm_control() argument
2654 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) in secpolicy_xvm_control()
2666 secpolicy_ppp_config(const cred_t *cr) in secpolicy_ppp_config() argument
2668 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_ppp_config()
2669 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_ppp_config()
2670 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_ppp_config()