143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) argument
144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) argument
145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) argument
146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ argument
147 HAS_ALLPRIVS(cr) : \
148 PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
150 #define FAST_BASIC_CHECK(cr, priv) \ argument
151 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) in priv_policy_errmsg() argument
241 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) in priv_policy_errmsg()
303 if (CR_FLAGS(cr) & PRIV_DEBUG) { in priv_policy_errmsg()
311 cr->cr_uid, curthread->t_sysnum, msg, sym, off); in priv_policy_errmsg()
316 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, in priv_policy_errmsg()
326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) in priv_policy_override() argument
331 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) in priv_policy_override()
337 set = *ZONEPRIVS(cr); in priv_policy_override()
342 ret = klpd_call(cr, &set, ap); in priv_policy_override()
347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) in priv_policy_override_set() argument
349 if (CR_FLAGS(cr) & PRIV_PFEXEC) in priv_policy_override_set()
350 return (check_user_privs(cr, req)); in priv_policy_override_set()
351 if (CR_FLAGS(cr) & PRIV_XPOLICY) { in priv_policy_override_set()
352 return (klpd_call(cr, req, ap)); in priv_policy_override_set()
358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) in priv_policy_override_set_va() argument
364 ret = priv_policy_override_set(cr, req, ap); in priv_policy_override_set_va()
373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) in priv_policy_err() argument
377 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); in priv_policy_err()
380 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || in priv_policy_err()
382 if (allzone && !HAS_ALLZONEPRIVS(cr)) { in priv_policy_err()
383 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); in priv_policy_err()
385 ASSERT(!HAS_PRIVILEGE(cr, priv)); in priv_policy_err()
386 priv_policy_errmsg(cr, priv, msg); in priv_policy_err()
397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, in priv_policy_ap() argument
400 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || in priv_policy_ap()
402 priv_policy_override(cr, priv, allzone, ap) == 0)) { in priv_policy_ap()
409 allzone ? ZONEPRIVS(cr) : NULL, 1); in priv_policy_ap()
415 priv_policy_err(cr, priv, allzone, msg); in priv_policy_ap()
421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, in priv_policy_va() argument
428 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); in priv_policy_va()
435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, in priv_policy() argument
438 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); in priv_policy()
445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) in priv_policy_choice() argument
447 boolean_t res = HAS_PRIVILEGE(cr, priv) && in priv_policy_choice()
448 (!allzone || HAS_ALLZONEPRIVS(cr)); in priv_policy_choice()
454 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); in priv_policy_choice()
468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) in priv_policy_only() argument
470 boolean_t res = HAS_PRIVILEGE(cr, priv) && in priv_policy_only()
471 (!allzone || HAS_ALLZONEPRIVS(cr)); in priv_policy_only()
485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, in secpolicy_require_set() argument
494 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, in secpolicy_require_set()
495 &CR_OEPRIV(cr))) { in secpolicy_require_set()
500 ret = priv_policy_override_set(cr, req, ap); in secpolicy_require_set()
506 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); in secpolicy_require_set()
510 pset = CR_OEPRIV(cr); /* present privileges */ in secpolicy_require_set()
519 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { in secpolicy_require_set()
524 priv_policy_errmsg(cr, PRIV_MULTIPLE, in secpolicy_require_set()
533 priv_policy_errmsg(cr, pfound, msg); in secpolicy_require_set()
544 priv_policy_global(const cred_t *cr) in priv_policy_global() argument
546 if (crgetzoneid(cr) == GLOBAL_ZONEID) in priv_policy_global()
549 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || in priv_policy_global()
551 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); in priv_policy_global()
560 secpolicy_raisepriority(const cred_t *cr) in secpolicy_raisepriority() argument
562 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) in secpolicy_raisepriority()
564 return (secpolicy_setpriority(cr)); in secpolicy_raisepriority()
571 secpolicy_setpriority(const cred_t *cr) in secpolicy_setpriority() argument
573 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); in secpolicy_setpriority()
584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) in secpolicy_net_privaddr() argument
601 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) in secpolicy_net_privaddr()
625 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, in secpolicy_net_privaddr()
633 secpolicy_net_bindmlp(const cred_t *cr) in secpolicy_net_bindmlp() argument
635 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); in secpolicy_net_bindmlp()
643 secpolicy_net_mac_aware(const cred_t *cr) in secpolicy_net_mac_aware() argument
645 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); in secpolicy_net_mac_aware()
652 secpolicy_net_mac_implicit(const cred_t *cr) in secpolicy_net_mac_implicit() argument
654 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); in secpolicy_net_mac_implicit()
666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, in secpolicy_fs_common() argument
678 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { in secpolicy_fs_common()
682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, in secpolicy_fs_common()
692 zoneid_t zoneid = crgetzoneid(cr); in secpolicy_fs_common()
716 HAS_ALLZONEPRIVS(cr)) { in secpolicy_fs_common()
723 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); in secpolicy_fs_common()
727 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) in secpolicy_fs_common()
730 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, in secpolicy_fs_common()
735 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, in secpolicy_fs_common()
740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) in secpolicy_fs_mount_clearopts() argument
742 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); in secpolicy_fs_mount_clearopts()
755 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) in secpolicy_fs_mount_clearopts()
816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) in secpolicy_fs_mount() argument
832 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); in secpolicy_fs_mount()
835 secpolicy_fs_mount_clearopts(cr, vfsp); in secpolicy_fs_mount()
848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) in secpolicy_fs_owner() argument
859 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); in secpolicy_fs_owner()
863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) in secpolicy_fs_unmount() argument
865 return (secpolicy_fs_owner(cr, vfsp)); in secpolicy_fs_unmount()
873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_quota() argument
875 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); in secpolicy_fs_quota()
882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_minfree() argument
884 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); in secpolicy_fs_minfree()
888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_config() argument
890 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); in secpolicy_fs_config()
895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) in secpolicy_fs_linkdir() argument
897 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); in secpolicy_fs_linkdir()
928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) in secpolicy_vnode_access() argument
930 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, in secpolicy_vnode_access()
939 if (owner == 0 && cr->cr_uid != 0) in secpolicy_vnode_access()
943 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, in secpolicy_vnode_access()
957 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, in secpolicy_vnode_access()
968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, in secpolicy_vnode_access2() argument
975 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && in secpolicy_vnode_access2()
976 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, in secpolicy_vnode_access2()
982 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && in secpolicy_vnode_access2()
983 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, in secpolicy_vnode_access2()
993 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, in secpolicy_vnode_access2()
1002 if (owner == 0 && cr->cr_uid != 0) in secpolicy_vnode_access2()
1006 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, in secpolicy_vnode_access2()
1020 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, in secpolicy_vnode_access2()
1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) in secpolicy_vnode_any_access() argument
1046 if (owner == cr->cr_uid) in secpolicy_vnode_any_access()
1069 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) in secpolicy_vnode_any_access()
1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) in secpolicy_vnode_setid_modify() argument
1090 if (owner == cr->cr_uid) in secpolicy_vnode_setid_modify()
1094 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); in secpolicy_vnode_setid_modify()
1226 secpolicy_vnode_remove(const cred_t *cr) in secpolicy_vnode_remove() argument
1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, in secpolicy_vnode_remove()
1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) in secpolicy_vnode_owner() argument
1237 if (owner == cr->cr_uid) in secpolicy_vnode_owner()
1240 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); in secpolicy_vnode_owner()
1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) in secpolicy_setid_clear() argument
1247 secpolicy_vnode_setid_retain(cr, in secpolicy_setid_clear()
1257 cred_t *cr) in secpolicy_setid_setsticky_clear() argument
1262 (error = secpolicy_vnode_setid_modify(cr, in secpolicy_setid_setsticky_clear()
1272 secpolicy_vnode_stky_modify(cr) != 0) { in secpolicy_setid_setsticky_clear()
1281 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { in secpolicy_setid_setsticky_clear()
1288 #define ATTR_FLAG_PRIV(attr, value, cr) \ argument
1289 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) in secpolicy_xvattr() argument
1314 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) in secpolicy_xvattr()
1324 xoap->xoa_immutable, cr); in secpolicy_xvattr()
1327 xoap->xoa_nounlink, cr); in secpolicy_xvattr()
1330 xoap->xoa_appendonly, cr); in secpolicy_xvattr()
1333 xoap->xoa_nodump, cr); in secpolicy_xvattr()
1338 xoap->xoa_av_quarantined, cr); in secpolicy_xvattr()
1344 xoap->xoa_av_modified, cr); in secpolicy_xvattr()
1347 xoap->xoa_av_scanstamp, cr); in secpolicy_xvattr()
1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, in secpolicy_vnode_setattr() argument
1407 error = unlocked_access(node, VWRITE, cr); in secpolicy_vnode_setattr()
1421 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) in secpolicy_vnode_setattr()
1425 ovap, cr)) != 0) in secpolicy_vnode_setattr()
1449 if (cr->cr_uid != ovap->va_uid) { in secpolicy_vnode_setattr()
1454 !groupmember(vap->va_gid, cr))) { in secpolicy_vnode_setattr()
1462 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { in secpolicy_vnode_setattr()
1470 secpolicy_setid_clear(vap, cr); in secpolicy_vnode_setattr()
1480 if (cr->cr_uid != ovap->va_uid) { in secpolicy_vnode_setattr()
1482 error = secpolicy_vnode_utime_modify(cr); in secpolicy_vnode_setattr()
1484 error = unlocked_access(node, VWRITE, cr); in secpolicy_vnode_setattr()
1486 secpolicy_vnode_utime_modify(cr) == 0) in secpolicy_vnode_setattr()
1498 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, in secpolicy_vnode_setattr()
1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) in secpolicy_ipc_owner() argument
1525 if (crgetzoneid(cr) != ip->ipc_zoneid || in secpolicy_ipc_owner()
1526 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { in secpolicy_ipc_owner()
1530 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); in secpolicy_ipc_owner()
1536 secpolicy_ipc_config(const cred_t *cr) in secpolicy_ipc_config() argument
1538 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_ipc_config()
1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) in secpolicy_ipc_access() argument
1550 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) in secpolicy_ipc_access()
1554 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) in secpolicy_ipc_access()
1557 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, in secpolicy_ipc_access()
1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) in secpolicy_rsm_access() argument
1571 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) in secpolicy_rsm_access()
1575 if (cr->cr_uid != 0 && owner == 0) in secpolicy_rsm_access()
1578 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, in secpolicy_rsm_access()
1588 secpolicy_audit_config(const cred_t *cr) in secpolicy_audit_config() argument
1590 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); in secpolicy_audit_config()
1597 secpolicy_audit_modify(const cred_t *cr) in secpolicy_audit_modify() argument
1599 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); in secpolicy_audit_modify()
1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) in secpolicy_audit_getattr() argument
1612 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) in secpolicy_audit_getattr()
1618 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); in secpolicy_audit_getattr()
1620 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); in secpolicy_audit_getattr()
1628 secpolicy_lock_memory(const cred_t *cr) in secpolicy_lock_memory() argument
1630 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); in secpolicy_lock_memory()
1637 secpolicy_acct(const cred_t *cr) in secpolicy_acct() argument
1639 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); in secpolicy_acct()
1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) in secpolicy_allow_setid() argument
1661 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && in secpolicy_allow_setid()
1662 cr->cr_ruid != 0) { in secpolicy_allow_setid()
1666 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : in secpolicy_allow_setid()
1667 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); in secpolicy_allow_setid()
1726 secpolicy_pset(const cred_t *cr) in secpolicy_pset() argument
1728 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_pset()
1735 secpolicy_pbind(const cred_t *cr) in secpolicy_pbind() argument
1737 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) in secpolicy_pbind()
1738 return (secpolicy_pset(cr)); in secpolicy_pbind()
1739 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); in secpolicy_pbind()
1743 secpolicy_ponline(const cred_t *cr) in secpolicy_ponline() argument
1745 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_ponline()
1749 secpolicy_pool(const cred_t *cr) in secpolicy_pool() argument
1751 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_pool()
1755 secpolicy_blacklist(const cred_t *cr) in secpolicy_blacklist() argument
1757 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_blacklist()
1764 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) in secpolicy_sys_config() argument
1767 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : in secpolicy_sys_config()
1770 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_sys_config()
1778 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) in secpolicy_zone_admin() argument
1781 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : in secpolicy_zone_admin()
1784 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, in secpolicy_zone_admin()
1793 secpolicy_zone_config(const cred_t *cr) in secpolicy_zone_config() argument
1799 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_zone_config()
1806 secpolicy_coreadm(const cred_t *cr) in secpolicy_coreadm() argument
1808 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); in secpolicy_coreadm()
1812 secpolicy_systeminfo(const cred_t *cr) in secpolicy_systeminfo() argument
1814 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); in secpolicy_systeminfo()
1818 secpolicy_dispadm(const cred_t *cr) in secpolicy_dispadm() argument
1820 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_dispadm()
1824 secpolicy_settime(const cred_t *cr) in secpolicy_settime() argument
1826 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); in secpolicy_settime()
1833 secpolicy_clock_highres(const cred_t *cr) in secpolicy_clock_highres() argument
1835 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, in secpolicy_clock_highres()
1846 drv_priv(cred_t *cr) in drv_priv() argument
1848 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in drv_priv()
1852 secpolicy_sys_devices(const cred_t *cr) in secpolicy_sys_devices() argument
1854 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in secpolicy_sys_devices()
1858 secpolicy_excl_open(const cred_t *cr) in secpolicy_excl_open() argument
1860 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); in secpolicy_excl_open()
1864 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) in secpolicy_rctlsys() argument
1867 if (is_zone_rctl && priv_policy_global(cr) != 0) in secpolicy_rctlsys()
1869 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); in secpolicy_rctlsys()
1873 secpolicy_resource(const cred_t *cr) in secpolicy_resource() argument
1875 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); in secpolicy_resource()
1879 secpolicy_resource_anon_mem(const cred_t *cr) in secpolicy_resource_anon_mem() argument
1881 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); in secpolicy_resource_anon_mem()
1889 secpolicy_newproc(const cred_t *cr) in secpolicy_newproc() argument
1891 if (cr->cr_ruid == 0) in secpolicy_newproc()
1894 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); in secpolicy_newproc()
1901 secpolicy_net_rawaccess(const cred_t *cr) in secpolicy_net_rawaccess() argument
1903 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); in secpolicy_net_rawaccess()
1907 secpolicy_net_observability(const cred_t *cr) in secpolicy_net_observability() argument
1909 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); in secpolicy_net_observability()
1916 secpolicy_net_icmpaccess(const cred_t *cr) in secpolicy_net_icmpaccess() argument
1918 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); in secpolicy_net_icmpaccess()
1927 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) in secpolicy_net_config() argument
1930 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? in secpolicy_net_config()
1933 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, in secpolicy_net_config()
1947 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) in secpolicy_ip_config() argument
1949 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_ip_config()
1950 return (secpolicy_net_config(cr, checkonly)); in secpolicy_ip_config()
1953 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? in secpolicy_ip_config()
1956 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, in secpolicy_ip_config()
1965 secpolicy_dl_config(const cred_t *cr) in secpolicy_dl_config() argument
1967 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_dl_config()
1968 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_dl_config()
1969 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_dl_config()
1976 secpolicy_iptun_config(const cred_t *cr) in secpolicy_iptun_config() argument
1978 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_iptun_config()
1979 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_iptun_config()
1980 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) in secpolicy_iptun_config()
1981 return (secpolicy_dl_config(cr)); in secpolicy_iptun_config()
1982 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_iptun_config()
1990 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) in secpolicy_ip() argument
2007 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); in secpolicy_ip()
2009 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); in secpolicy_ip()
2017 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) in secpolicy_net() argument
2034 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); in secpolicy_net()
2036 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); in secpolicy_net()
2044 secpolicy_nfs(const cred_t *cr) in secpolicy_nfs() argument
2046 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); in secpolicy_nfs()
2054 secpolicy_rpcmod_open(const cred_t *cr) in secpolicy_rpcmod_open() argument
2056 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) in secpolicy_rpcmod_open()
2057 return (secpolicy_nfs(cr)); in secpolicy_rpcmod_open()
2059 return (secpolicy_net_config(cr, NULL)); in secpolicy_rpcmod_open()
2063 secpolicy_chroot(const cred_t *cr) in secpolicy_chroot() argument
2065 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); in secpolicy_chroot()
2069 secpolicy_tasksys(const cred_t *cr) in secpolicy_tasksys() argument
2071 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); in secpolicy_tasksys()
2075 secpolicy_pfexec_register(const cred_t *cr) in secpolicy_pfexec_register() argument
2077 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); in secpolicy_pfexec_register()
2084 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) in secpolicy_basic_exec() argument
2086 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); in secpolicy_basic_exec()
2088 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, in secpolicy_basic_exec()
2093 secpolicy_basic_fork(const cred_t *cr) in secpolicy_basic_fork() argument
2095 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); in secpolicy_basic_fork()
2097 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); in secpolicy_basic_fork()
2101 secpolicy_basic_proc(const cred_t *cr) in secpolicy_basic_proc() argument
2103 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); in secpolicy_basic_proc()
2105 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); in secpolicy_basic_proc()
2116 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) in secpolicy_basic_procinfo() argument
2119 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { in secpolicy_basic_procinfo()
2122 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); in secpolicy_basic_procinfo()
2127 secpolicy_basic_link(const cred_t *cr) in secpolicy_basic_link() argument
2129 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); in secpolicy_basic_link()
2131 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); in secpolicy_basic_link()
2135 secpolicy_basic_net_access(const cred_t *cr) in secpolicy_basic_net_access() argument
2137 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); in secpolicy_basic_net_access()
2139 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); in secpolicy_basic_net_access()
2144 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) in secpolicy_basic_file_read() argument
2146 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); in secpolicy_basic_file_read()
2148 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, in secpolicy_basic_file_read()
2154 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) in secpolicy_basic_file_write() argument
2156 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); in secpolicy_basic_file_write()
2158 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, in secpolicy_basic_file_write()
2177 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) in secpolicy_spec_open() argument
2216 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && in secpolicy_spec_open()
2217 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { in secpolicy_spec_open()
2222 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); in secpolicy_spec_open()
2229 secpolicy_modctl(const cred_t *cr, int cmd) in secpolicy_modctl() argument
2253 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, in secpolicy_modctl()
2256 return (secpolicy_sys_config(cr, B_FALSE)); in secpolicy_modctl()
2261 secpolicy_console(const cred_t *cr) in secpolicy_console() argument
2263 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in secpolicy_console()
2267 secpolicy_power_mgmt(const cred_t *cr) in secpolicy_power_mgmt() argument
2269 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); in secpolicy_power_mgmt()
2277 secpolicy_sti(const cred_t *cr) in secpolicy_sti() argument
2279 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_sti()
2283 secpolicy_net_reply_equal(const cred_t *cr) in secpolicy_net_reply_equal() argument
2285 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_net_reply_equal()
2289 secpolicy_swapctl(const cred_t *cr) in secpolicy_swapctl() argument
2291 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_swapctl()
2295 secpolicy_cpc_cpu(const cred_t *cr) in secpolicy_cpc_cpu() argument
2297 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); in secpolicy_cpc_cpu()
2306 secpolicy_contract_identity(const cred_t *cr) in secpolicy_contract_identity() argument
2308 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); in secpolicy_contract_identity()
2317 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) in secpolicy_contract_observer() argument
2319 if (contract_owned(ct, cr, B_FALSE)) in secpolicy_contract_observer()
2321 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); in secpolicy_contract_observer()
2331 secpolicy_contract_observer_choice(const cred_t *cr) in secpolicy_contract_observer_choice() argument
2333 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); in secpolicy_contract_observer_choice()
2343 secpolicy_contract_event(const cred_t *cr) in secpolicy_contract_event() argument
2345 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); in secpolicy_contract_event()
2356 secpolicy_contract_event_choice(const cred_t *cr) in secpolicy_contract_event_choice() argument
2358 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); in secpolicy_contract_event_choice()
2368 secpolicy_gart_access(const cred_t *cr) in secpolicy_gart_access() argument
2370 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); in secpolicy_gart_access()
2380 secpolicy_gart_map(const cred_t *cr) in secpolicy_gart_map() argument
2382 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { in secpolicy_gart_map()
2383 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, in secpolicy_gart_map()
2386 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, in secpolicy_gart_map()
2398 secpolicy_zinject(const cred_t *cr) in secpolicy_zinject() argument
2400 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); in secpolicy_zinject()
2410 secpolicy_zfs(const cred_t *cr) in secpolicy_zfs() argument
2412 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); in secpolicy_zfs()
2422 secpolicy_idmap(const cred_t *cr) in secpolicy_idmap() argument
2424 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); in secpolicy_idmap()
2471 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) in secpolicy_require_privs() argument
2475 rqd = CR_OPPRIV(cr); in secpolicy_require_privs()
2480 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); in secpolicy_require_privs()
2495 secpolicy_smb(const cred_t *cr) in secpolicy_smb() argument
2497 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); in secpolicy_smb()
2515 secpolicy_vscan(const cred_t *cr) in secpolicy_vscan() argument
2517 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || in secpolicy_vscan()
2518 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || in secpolicy_vscan()
2519 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { in secpolicy_vscan()
2537 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) in secpolicy_smbfs_login() argument
2539 uid_t cruid = crgetruid(cr); in secpolicy_smbfs_login()
2543 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, in secpolicy_smbfs_login()
2558 secpolicy_xvm_control(const cred_t *cr) in secpolicy_xvm_control() argument
2560 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) in secpolicy_xvm_control()
2572 secpolicy_ppp_config(const cred_t *cr) in secpolicy_ppp_config() argument
2574 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) in secpolicy_ppp_config()
2575 return (secpolicy_net_config(cr, B_FALSE)); in secpolicy_ppp_config()
2576 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); in secpolicy_ppp_config()