xref: /illumos-gate/usr/src/cmd/sgs/rtld/common/cap.c (revision 11994f6f6fa6fc668363b92c6b6ef60b2e75ebd6)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2022 Oxide Computer Company
25  */
26 
27 #include	<sys/types.h>
28 #include	<sys/mman.h>
29 #include	<dirent.h>
30 #include	<stdio.h>
31 #include	<stdlib.h>
32 #include	<string.h>
33 #include	<limits.h>
34 #include	<debug.h>
35 #include	<conv.h>
36 #include	<elfcap.h>
37 #include	"_rtld.h"
38 #include	"_elf.h"
39 #include	"_audit.h"
40 #include	"msg.h"
41 
42 /*
43  * qsort(3c) capability comparison function.
44  */
45 static int
46 compare(const void *vp_a, const void *vp_b)
47 {
48 	Fdesc	*fdp_a = (Fdesc *)vp_a, *fdp_b = (Fdesc *)vp_b;
49 	char	*strcap_a, *strcap_b;
50 	Xword	hwcap_a, hwcap_b;
51 
52 	/*
53 	 * First, investigate any platform capability.
54 	 */
55 	strcap_a = fdp_a->fd_scapset.sc_plat;
56 	strcap_b = fdp_b->fd_scapset.sc_plat;
57 
58 	if (strcap_a && (strcap_b == NULL))
59 		return (-1);
60 	if (strcap_b && (strcap_a == NULL))
61 		return (1);
62 
63 	/*
64 	 * Second, investigate any machine capability.
65 	 */
66 	strcap_a = fdp_a->fd_scapset.sc_mach;
67 	strcap_b = fdp_b->fd_scapset.sc_mach;
68 
69 	if (strcap_a && (strcap_b == NULL))
70 		return (-1);
71 	if (strcap_b && (strcap_a == NULL))
72 		return (1);
73 	/*
74 	 * Third, investigate any CA_SUNW_HW_3 hardware capabilities.
75 	 */
76 	hwcap_a = fdp_a->fd_scapset.sc_hw_3;
77 	hwcap_b = fdp_b->fd_scapset.sc_hw_3;
78 
79 	if (hwcap_a > hwcap_b)
80 		return (-1);
81 	if (hwcap_a < hwcap_b)
82 		return (1);
83 
84 	/*
85 	 * Fourth, investigate any CA_SUNW_HW_2 hardware capabilities.
86 	 */
87 	hwcap_a = fdp_a->fd_scapset.sc_hw_2;
88 	hwcap_b = fdp_b->fd_scapset.sc_hw_2;
89 
90 	if (hwcap_a > hwcap_b)
91 		return (-1);
92 	if (hwcap_a < hwcap_b)
93 		return (1);
94 
95 	/*
96 	 * Finally, investigate any CA_SUNW_HW_1 hardware capabilities.
97 	 */
98 	hwcap_a = fdp_a->fd_scapset.sc_hw_1;
99 	hwcap_b = fdp_b->fd_scapset.sc_hw_1;
100 
101 	if (hwcap_a > hwcap_b)
102 		return (-1);
103 	if (hwcap_a < hwcap_b)
104 		return (1);
105 
106 	/*
107 	 * Normally, a capabilities directory contains one or more capabilities
108 	 * files, each with different capabilities.  The role of ld.so.1 is to
109 	 * select the best candidate from these variants.  However, we've come
110 	 * across cases where files containing the same capabilities have been
111 	 * placed in the same capabilities directory.  As we can't tell which
112 	 * file is the best, we select neither, and diagnose this suspicious
113 	 * scenario.
114 	 */
115 	DBG_CALL(Dbg_cap_identical(fdp_a->fd_lml, fdp_a->fd_nname,
116 	    fdp_b->fd_nname));
117 
118 	fdp_a->fd_flags |= FLG_FD_IGNORE;
119 	fdp_b->fd_flags |= FLG_FD_IGNORE;
120 
121 	return (0);
122 }
123 
124 /*
125  * Determine whether HWCAP1 capabilities value is supported.
126  */
127 int
128 hwcap1_check(Syscapset *scapset, Xword val, Rej_desc *rej)
129 {
130 	Xword	mval;
131 
132 	/*
133 	 * Ensure that the kernel can cope with the required capabilities.
134 	 */
135 	if ((rtld_flags2 & RT_FL2_HWCAP) &&
136 	    ((mval = (val & ~scapset->sc_hw_1)) != 0)) {
137 		if (rej) {
138 			static Conv_cap_val_hw1_buf_t	cap_buf;
139 
140 			rej->rej_type = SGS_REJ_HWCAP_1;
141 			rej->rej_str = conv_cap_val_hw1(mval,
142 			    M_MACH, 0, &cap_buf);
143 		}
144 		return (0);
145 	}
146 	return (1);
147 }
148 
149 /*
150  * Determine whether HWCAP2 capabilities value is supported.
151  */
152 int
153 hwcap2_check(Syscapset *scapset, Xword val, Rej_desc *rej)
154 {
155 	Xword	mval;
156 
157 	/*
158 	 * Ensure that the kernel can cope with the required capabilities.
159 	 */
160 	if ((mval = (val & ~scapset->sc_hw_2)) != 0) {
161 		if (rej) {
162 			static Conv_cap_val_hw2_buf_t	cap_buf;
163 
164 			rej->rej_type = SGS_REJ_HWCAP_2;
165 			rej->rej_str = conv_cap_val_hw2(mval,
166 			    M_MACH, 0, &cap_buf);
167 		}
168 		return (0);
169 	}
170 	return (1);
171 }
172 
173 /*
174  * Determine whether HWCAP3 capabilities value is supported.
175  */
176 int
177 hwcap3_check(Syscapset *scapset, Xword val, Rej_desc *rej)
178 {
179 	Xword	mval;
180 
181 	/*
182 	 * Ensure that the kernel can cope with the required capabilities.
183 	 */
184 	if ((mval = (val & ~scapset->sc_hw_3)) != 0) {
185 		if (rej) {
186 			static Conv_cap_val_hw3_buf_t	cap_buf;
187 
188 			rej->rej_type = SGS_REJ_HWCAP_3;
189 			rej->rej_str = conv_cap_val_hw3(mval,
190 			    M_MACH, 0, &cap_buf);
191 		}
192 		return (0);
193 	}
194 	return (1);
195 }
196 
197 /*
198  * Process any software capabilities.
199  */
200 /* ARGSUSED0 */
201 int
202 sfcap1_check(Syscapset *scapset, Xword val, Rej_desc *rej)
203 {
204 #if	defined(_ELF64)
205 	/*
206 	 * A 64-bit executable that started the process can be restricted to a
207 	 * 32-bit address space.  A 64-bit dependency that is restricted to a
208 	 * 32-bit address space can not be loaded unless the executable has
209 	 * established this requirement.
210 	 */
211 	if ((val & SF1_SUNW_ADDR32) && ((rtld_flags2 & RT_FL2_ADDR32) == 0)) {
212 		if (rej) {
213 			static Conv_cap_val_sf1_buf_t	cap_buf;
214 
215 			rej->rej_type = SGS_REJ_SFCAP_1;
216 			rej->rej_str = conv_cap_val_sf1(SF1_SUNW_ADDR32,
217 			    M_MACH, 0, &cap_buf);
218 		}
219 		return (0);
220 	}
221 #endif
222 	return (1);
223 }
224 
225 /*
226  * Process any platform capability.
227  */
228 int
229 platcap_check(Syscapset *scapset, const char *str, Rej_desc *rej)
230 {
231 	/*
232 	 * If the platform name hasn't been set, try and obtain it.
233 	 */
234 	if ((scapset->sc_plat == NULL) &&
235 	    (scapset->sc_platsz == 0))
236 		platform_name(scapset);
237 
238 	if ((scapset->sc_plat == NULL) ||
239 	    (str && strcmp(scapset->sc_plat, str))) {
240 		if (rej) {
241 			/*
242 			 * Note, the platform name points to a string within an
243 			 * objects string table, and if that object can't be
244 			 * loaded, it will be unloaded and thus invalidate the
245 			 * string.  Duplicate the string here for rejection
246 			 * message inheritance.
247 			 */
248 			rej->rej_type = SGS_REJ_PLATCAP;
249 			rej->rej_str = stravl_insert(str, 0, 0, 0);
250 		}
251 		return (0);
252 	}
253 	return (1);
254 }
255 
256 /*
257  * Process any machine capability.
258  */
259 int
260 machcap_check(Syscapset *scapset, const char *str, Rej_desc *rej)
261 {
262 	/*
263 	 * If the machine name hasn't been set, try and obtain it.
264 	 */
265 	if ((scapset->sc_mach == NULL) &&
266 	    (scapset->sc_machsz == 0))
267 		machine_name(scapset);
268 
269 	if ((scapset->sc_mach == NULL) ||
270 	    (str && strcmp(scapset->sc_mach, str))) {
271 		if (rej) {
272 			/*
273 			 * Note, the machine name points to a string within an
274 			 * objects string table, and if that object can't be
275 			 * loaded, it will be unloaded and thus invalidate the
276 			 * string.  Duplicate the string here for rejection
277 			 * message inheritance.
278 			 */
279 			rej->rej_type = SGS_REJ_MACHCAP;
280 			rej->rej_str = stravl_insert(str, 0, 0, 0);
281 		}
282 		return (0);
283 	}
284 	return (1);
285 }
286 
287 /*
288  * Generic front-end to capabilities validation.
289  */
290 static int
291 cap_check(Cap *cptr, char *strs, int alt, Fdesc *fdp, Rej_desc *rej)
292 {
293 	Syscapset	*scapset;
294 	int		totplat, ivlplat, totmach, ivlmach;
295 
296 	/*
297 	 * If the caller has no capabilities, then the object is valid.
298 	 */
299 	if (cptr == NULL)
300 		return (1);
301 
302 	if (alt)
303 		scapset = alt_scapset;
304 	else
305 		scapset = org_scapset;
306 
307 	totplat = ivlplat = totmach = ivlmach = 0;
308 
309 	while (cptr->c_tag != CA_SUNW_NULL) {
310 		Xword	val = cptr->c_un.c_val;
311 		char	*str;
312 
313 		switch (cptr->c_tag) {
314 		case CA_SUNW_HW_1:
315 			/*
316 			 * Remove any historic values that should not be
317 			 * involved with any validation.
318 			 */
319 			val &= ~AV_HW1_IGNORE;
320 
321 			if (hwcap1_check(scapset, val, rej) == 0)
322 				return (0);
323 			if (fdp)
324 				fdp->fd_scapset.sc_hw_1 = val;
325 			break;
326 		case CA_SUNW_SF_1:
327 			if (sfcap1_check(scapset, val, rej) == 0)
328 				return (0);
329 			if (fdp)
330 				fdp->fd_scapset.sc_sf_1 = val;
331 			break;
332 		case CA_SUNW_HW_2:
333 			if (hwcap2_check(scapset, val, rej) == 0)
334 				return (0);
335 			if (fdp)
336 				fdp->fd_scapset.sc_hw_2 = val;
337 			break;
338 		case CA_SUNW_PLAT:
339 			/*
340 			 * A capabilities group can define multiple platform
341 			 * names that are appropriate.  Only if all the names
342 			 * are deemed invalid is the group determined
343 			 * inappropriate.
344 			 */
345 			if (totplat == ivlplat) {
346 				totplat++;
347 
348 				str = strs + val;
349 
350 				if (platcap_check(scapset, str, rej) == 0)
351 					ivlplat++;
352 				else if (fdp)
353 					fdp->fd_scapset.sc_plat = str;
354 			}
355 			break;
356 		case CA_SUNW_MACH:
357 			/*
358 			 * A capabilities group can define multiple machine
359 			 * names that are appropriate.  Only if all the names
360 			 * are deemed invalid is the group determined
361 			 * inappropriate.
362 			 */
363 			if (totmach == ivlmach) {
364 				totmach++;
365 
366 				str = strs + val;
367 
368 				if (machcap_check(scapset, str, rej) == 0)
369 					ivlmach++;
370 				else if (fdp)
371 					fdp->fd_scapset.sc_mach = str;
372 			}
373 			break;
374 		case CA_SUNW_ID:
375 			/*
376 			 * Capabilities identifiers provide for diagnostics,
377 			 * but are not attributes that must be compared with
378 			 * the system.  They are ignored.
379 			 */
380 			break;
381 		case CA_SUNW_HW_3:
382 			if (hwcap3_check(scapset, val, rej) == 0)
383 				return (0);
384 			if (fdp)
385 				fdp->fd_scapset.sc_hw_3 = val;
386 			break;
387 		default:
388 			rej->rej_type = SGS_REJ_UNKCAP;
389 			rej->rej_info = cptr->c_tag;
390 			return (0);
391 		}
392 		cptr++;
393 	}
394 
395 	/*
396 	 * If any platform names, or machine names were found, and all were
397 	 * invalid, indicate that the object is inappropriate.
398 	 */
399 	if ((totplat && (totplat == ivlplat)) ||
400 	    (totmach && (totmach == ivlmach)))
401 		return (0);
402 
403 	return (1);
404 }
405 
406 #define	HWAVL_RECORDED(n)	pnavl_recorded(&capavl, n, 0, NULL)
407 
408 /*
409  * Determine whether a link-map should use alternative system capabilities.
410  */
411 static void
412 cap_check_lmp_init(Rt_map *lmp)
413 {
414 	int	alt = 0;
415 
416 	/*
417 	 * If an alternative set of system capabilities have been established,
418 	 * and only specific files should use these alternative system
419 	 * capabilities, determine whether this file is one of those specified.
420 	 */
421 	if (capavl) {
422 		const char	*file;
423 
424 		/*
425 		 * The simplest way to reference a file is to use its file name
426 		 * (soname), however try all of the names that this file is
427 		 * known by.
428 		 */
429 		if ((file = strrchr(NAME(lmp), '/')) != NULL)
430 			file++;
431 		else
432 			file = NULL;
433 
434 		if ((file && (HWAVL_RECORDED(file) != 0)) ||
435 		    (HWAVL_RECORDED(NAME(lmp)) != 0) ||
436 		    ((PATHNAME(lmp) != NAME(lmp)) &&
437 		    (HWAVL_RECORDED(PATHNAME(lmp)) != 0)))
438 			alt = 1;
439 
440 		if (alt == 0) {
441 			Aliste		idx;
442 			const char	*cp;
443 
444 			for (APLIST_TRAVERSE(ALIAS(lmp), idx, cp)) {
445 				if ((alt = HWAVL_RECORDED(cp)) != 0)
446 					break;
447 			}
448 		}
449 	}
450 
451 	/*
452 	 * Indicate if this link-map should use alternative system capabilities,
453 	 * and that the alternative system capabilities check has been carried
454 	 * out.
455 	 */
456 	if ((org_scapset != alt_scapset) && ((capavl == NULL) || alt))
457 		FLAGS1(lmp) |= FL1_RT_ALTCAP;
458 	FLAGS1(lmp) |= FL1_RT_ALTCHECK;
459 }
460 
461 /*
462  * Validate the capabilities requirements of a link-map.
463  *
464  * This routine is called for main, where a link-map is constructed from the
465  * mappings returned from exec(), and for any symbol capabilities comparisons.
466  */
467 int
468 cap_check_lmp(Rt_map *lmp, Rej_desc *rej)
469 {
470 	if ((FLAGS1(lmp) & FL1_RT_ALTCHECK) == 0)
471 		cap_check_lmp_init(lmp);
472 
473 	return (cap_check(CAP(lmp), STRTAB(lmp),
474 	    (FLAGS1(lmp) & FL1_RT_ALTCAP), NULL, rej));
475 }
476 
477 /*
478  * Validate the capabilities requirements of a file under inspection.
479  * This file is still under the early stages of loading, and has no link-map
480  * yet.  The file must have an object capabilities definition (PT_SUNWCAP), to
481  * have gotten us here.  The logic here is the same as cap_check_lmp().
482  */
483 int
484 cap_check_fdesc(Fdesc *fdp, Cap *cptr, char *strs, Rej_desc *rej)
485 {
486 	int	alt = 0;
487 
488 	/*
489 	 * If an alternative set of system capabilities have been established,
490 	 * and only specific files should use these alternative system
491 	 * capabilities, determine whether this file is one of those specified.
492 	 */
493 	if (capavl) {
494 		const char	*file;
495 
496 		/*
497 		 * The simplest way to reference a file is to use its file name
498 		 * (soname), however try all of the names that this file is
499 		 * known by.
500 		 */
501 		if (fdp->fd_oname &&
502 		    ((file = strrchr(fdp->fd_oname, '/')) != NULL))
503 			file++;
504 		else
505 			file = NULL;
506 
507 		if ((file && (HWAVL_RECORDED(file) != 0)) ||
508 		    (fdp->fd_oname && (HWAVL_RECORDED(fdp->fd_oname) != 0)) ||
509 		    (fdp->fd_nname && (HWAVL_RECORDED(fdp->fd_nname) != 0)) ||
510 		    (fdp->fd_pname && (fdp->fd_pname != fdp->fd_nname) &&
511 		    (HWAVL_RECORDED(fdp->fd_pname) != 0)))
512 			alt = 1;
513 	}
514 
515 	/*
516 	 * Indicate if this file descriptor should use alternative system
517 	 * capabilities, and that the alternative system capabilities check has
518 	 * been carried out.
519 	 */
520 	if ((org_scapset != alt_scapset) && ((capavl == NULL) || alt))
521 		fdp->fd_flags |= FLG_FD_ALTCAP;
522 	fdp->fd_flags |= FLG_FD_ALTCHECK;
523 
524 	/*
525 	 * Verify that the required capabilities are supported by the reference.
526 	 */
527 	return (cap_check(cptr, strs, (fdp->fd_flags & FLG_FD_ALTCAP),
528 	    fdp, rej));
529 }
530 
531 /*
532  * Free a file descriptor list.  As part of building this list, the original
533  * names for each capabilities candidate were duplicated for use in later
534  * diagnostics.  These names need to be freed.
535  */
536 void
537 free_fd(Alist *fdalp)
538 {
539 	if (fdalp) {
540 		Aliste	idx;
541 		Fdesc	*fdp;
542 
543 		for (ALIST_TRAVERSE(fdalp, idx, fdp)) {
544 			if (fdp->fd_oname)
545 				free((void *)fdp->fd_oname);
546 		}
547 		free(fdalp);
548 	}
549 }
550 
551 /*
552  * When $CAPABILITY (or $HWCAP) is used to represent dependencies, take the
553  * associated directory and analyze all the files it contains.
554  */
555 static int
556 cap_dir(Alist **fdalpp, Lm_list *lml, const char *dname, Rt_map *clmp,
557     uint_t flags, Rej_desc *rej, int *in_nfavl)
558 {
559 	char		path[PATH_MAX], *dst;
560 	const char	*src;
561 	DIR		*dir;
562 	struct dirent	*dirent;
563 	Alist		*fdalp = NULL;
564 	Aliste		idx;
565 	Fdesc		*fdp;
566 	int		error = 0;
567 
568 	/*
569 	 * Access the directory in preparation for reading its entries.  If
570 	 * successful, establish the initial pathname.
571 	 */
572 	if ((dir = opendir(dname)) == NULL) {
573 		Rej_desc	_rej = { 0 };
574 
575 		_rej.rej_type = SGS_REJ_STR;
576 		_rej.rej_name = dname;
577 		_rej.rej_str = strerror(errno);
578 		DBG_CALL(Dbg_file_rejected(lml, &_rej, M_MACH));
579 		rejection_inherit(rej, &_rej);
580 		return (0);
581 	}
582 
583 	for (dst = path, src = dname; *src; dst++, src++)
584 		*dst = *src;
585 	*dst++ = '/';
586 
587 	/*
588 	 * Read each entry from the directory and determine whether it is a
589 	 * valid ELF file.
590 	 */
591 	while ((dirent = readdir(dir)) != NULL) {
592 		const char	*file = dirent->d_name;
593 		char		*_dst;
594 		Fdesc		fd = { 0 };
595 		Rej_desc	_rej = { 0 };
596 		Pdesc		pd = { 0 };
597 
598 		/*
599 		 * Ignore "." and ".." entries.
600 		 */
601 		if ((file[0] == '.') && ((file[1] == '\0') ||
602 		    ((file[1] == '.') && (file[2] == '\0'))))
603 			continue;
604 
605 		/*
606 		 * Complete the full pathname.
607 		 */
608 		for (_dst = dst, src = file, file = dst; *src; _dst++, src++)
609 			*_dst = *src;
610 		*_dst = '\0';
611 
612 		/*
613 		 * Trace the inspection of this file, and determine any
614 		 * auditor substitution.
615 		 */
616 		pd.pd_pname = path;
617 		pd.pd_flags = PD_FLG_PNSLASH;
618 
619 		if (load_trace(lml, &pd, clmp, &fd) == NULL)
620 			continue;
621 
622 		/*
623 		 * Note, all directory entries are processed by find_path(),
624 		 * even entries that are directories themselves.  This single
625 		 * point for control keeps the number of stat()'s down, and
626 		 * provides a single point for error diagnostics.
627 		 */
628 		if (find_path(lml, clmp, flags, &fd, &_rej, in_nfavl) == 0) {
629 			rejection_inherit(rej, &_rej);
630 			continue;
631 		}
632 
633 		DBG_CALL(Dbg_cap_candidate(lml, fd.fd_nname));
634 
635 		/*
636 		 * If this object has already been loaded, save the capabilities
637 		 * for later sorting.  Otherwise we have a new candidate.
638 		 */
639 		if (fd.fd_lmp)
640 			fd.fd_scapset = CAPSET(fd.fd_lmp);
641 		fd.fd_lml = lml;
642 
643 		/*
644 		 * Duplicate the original name, as this may be required for
645 		 * later diagnostics.  Keep a copy of the file descriptor for
646 		 * analysis once all capabilities candidates have been
647 		 * determined.
648 		 */
649 		if (((fd.fd_oname = strdup(fd.fd_oname)) == NULL) ||
650 		    (alist_append(&fdalp, &fd, sizeof (Fdesc),
651 		    AL_CNT_CAP) == NULL)) {
652 			error = 1;
653 			break;
654 		}
655 	}
656 	(void) closedir(dir);
657 
658 	/*
659 	 * If no objects have been found, we're done.  Also, if an allocation
660 	 * error occurred while processing any object, remove any objects that
661 	 * had already been added to the list and return.
662 	 */
663 	if ((fdalp == NULL) || error) {
664 		if (fdalp)
665 			free_fd(fdalp);
666 		return (0);
667 	}
668 
669 	/*
670 	 * Having processed and retained all candidates from this directory,
671 	 * sort them, based on the precedence of their hardware capabilities.
672 	 */
673 	qsort(fdalp->al_data, fdalp->al_nitems, fdalp->al_size, compare);
674 
675 	/*
676 	 * If any objects were found to have the same capabilities, then these
677 	 * objects must be rejected, as we can't tell which object is more
678 	 * appropriate.
679 	 */
680 	for (ALIST_TRAVERSE(fdalp, idx, fdp)) {
681 		if (fdp->fd_flags & FLG_FD_IGNORE)
682 			alist_delete(fdalp, &idx);
683 	}
684 
685 	if (fdalp->al_nitems == 0) {
686 		free_fd(fdalp);
687 		return (0);
688 	}
689 
690 	*fdalpp = fdalp;
691 	return (1);
692 }
693 
694 int
695 cap_filtees(Alist **alpp, Aliste oidx, const char *dir, Aliste nlmco,
696     Rt_map *flmp, Rt_map *clmp, const char *ref, int mode, uint_t flags,
697     int *in_nfavl)
698 {
699 	Alist		*fdalp = NULL;
700 	Aliste		idx;
701 	Fdesc		*fdp;
702 	Lm_list		*lml = LIST(flmp);
703 	int		unused = 0;
704 	Rej_desc	rej = { 0 };
705 
706 	if (cap_dir(&fdalp, lml, dir, flmp, flags, &rej, in_nfavl) == 0)
707 		return (0);
708 
709 	/*
710 	 * Now complete the mapping of each of the ordered objects, adding
711 	 * each object to a new pathname descriptor.
712 	 */
713 	for (ALIST_TRAVERSE(fdalp, idx, fdp)) {
714 		Rt_map	*nlmp;
715 		Grp_hdl	*ghp = NULL;
716 		Pdesc	*pdp;
717 		int	audit = 0;
718 
719 		if (unused)
720 			continue;
721 
722 		/*
723 		 * Complete mapping the file, obtaining a handle, and continue
724 		 * to analyze the object, establishing dependencies and
725 		 * relocating.  Remove the file descriptor at this point, as it
726 		 * is no longer required.
727 		 */
728 		DBG_CALL(Dbg_file_filtee(lml, NAME(flmp), fdp->fd_nname, 0));
729 
730 		nlmp = load_path(lml, nlmco, flmp, mode,
731 		    (flags | FLG_RT_PUBHDL), &ghp, fdp, &rej, in_nfavl);
732 		if (nlmp == NULL)
733 			continue;
734 
735 		/*
736 		 * Create a new pathname descriptor to represent this filtee,
737 		 * and insert this descriptor in the Alist following the
738 		 * hardware descriptor that seeded this processing.
739 		 */
740 		if ((pdp = alist_insert(alpp, 0, sizeof (Pdesc),
741 		    AL_CNT_FILTEES, ++oidx)) == NULL) {
742 			if (ghp)
743 				remove_lmc(lml, flmp, nlmco, NAME(nlmp));
744 			return (0);
745 		}
746 
747 		pdp->pd_pname = NAME(nlmp);
748 		pdp->pd_plen = strlen(NAME(nlmp));
749 
750 		/*
751 		 * Establish the filter handle to prevent any recursion.
752 		 */
753 		if (nlmp && ghp) {
754 			ghp->gh_flags |= GPH_FILTEE;
755 			pdp->pd_info = (void *)ghp;
756 		}
757 
758 		/*
759 		 * Audit the filter/filtee established.  A return of 0
760 		 * indicates the auditor wishes to ignore this filtee.
761 		 */
762 		if (nlmp && (lml->lm_tflags | FLAGS1(flmp)) &
763 		    LML_TFLG_AUD_OBJFILTER) {
764 			if (audit_objfilter(flmp, ref, nlmp, 0) == 0) {
765 				audit = 1;
766 				nlmp = NULL;
767 			}
768 		}
769 
770 		/*
771 		 * Finish processing the objects associated with this request.
772 		 */
773 		if (nlmp && ghp && (((nlmp = analyze_lmc(lml, nlmco, nlmp,
774 		    clmp, in_nfavl)) == NULL) ||
775 		    (relocate_lmc(lml, nlmco, flmp, nlmp, in_nfavl) == 0)))
776 			nlmp = NULL;
777 
778 		/*
779 		 * If the filtee has been successfully processed, then create
780 		 * an association between the filter and the filtee.  This
781 		 * association provides sufficient information to tear down the
782 		 * filter and filtee if necessary.
783 		 */
784 		DBG_CALL(Dbg_file_hdl_title(DBG_HDL_ADD));
785 		if (nlmp && ghp &&
786 		    (hdl_add(ghp, flmp, GPD_FILTER, NULL) == NULL))
787 			nlmp = NULL;
788 
789 		/*
790 		 * If this object is marked an end-filtee, we're done.
791 		 */
792 		if (nlmp && ghp && (FLAGS1(nlmp) & FL1_RT_ENDFILTE))
793 			unused = 1;
794 
795 		/*
796 		 * If this filtee loading has failed, generate a diagnostic.
797 		 * Null out the path name descriptor entry, and continue the
798 		 * search.
799 		 */
800 		if (nlmp == NULL) {
801 			DBG_CALL(Dbg_file_filtee(lml, 0, pdp->pd_pname, audit));
802 
803 			/*
804 			 * If attempting to load this filtee required a new
805 			 * link-map control list to which this request has
806 			 * added objects, then remove all the objects that
807 			 * have been associated to this request.
808 			 */
809 			if (nlmco != ALIST_OFF_DATA)
810 				remove_lmc(lml, flmp, nlmco, pdp->pd_pname);
811 
812 			pdp->pd_plen = 0;
813 			pdp->pd_info = NULL;
814 		}
815 	}
816 
817 	free_fd(fdalp);
818 	return (1);
819 }
820 
821 /*
822  * Load an individual capabilities object.
823  */
824 Rt_map *
825 load_cap(Lm_list *lml, Aliste lmco, const char *dir, Rt_map *clmp,
826     uint_t mode, uint_t flags, Grp_hdl **hdl, Rej_desc *rej, int *in_nfavl)
827 {
828 	Alist	*fdalp = NULL;
829 	Aliste	idx;
830 	Fdesc	*fdp;
831 	int	found = 0;
832 	Rt_map	*lmp = NULL;
833 
834 	/*
835 	 * Obtain the sorted list of hardware capabilities objects available.
836 	 */
837 	if (cap_dir(&fdalp, lml, dir, clmp, flags, rej, in_nfavl) == 0)
838 		return (NULL);
839 
840 	/*
841 	 * From the list of hardware capability objects, use the first and
842 	 * discard the rest.
843 	 */
844 	for (ALIST_TRAVERSE(fdalp, idx, fdp)) {
845 		Fdesc	fd = *fdp;
846 
847 		if ((found == 0) && ((lmp = load_path(lml, lmco, clmp, mode,
848 		    flags, hdl, &fd, rej, in_nfavl)) != NULL))
849 			found++;
850 	}
851 
852 	free_fd(fdalp);
853 	return (lmp);
854 }
855 
856 /*
857  * Use a case insensitive string match when looking up capability mask
858  * values by name, and omit the AV_ prefix.
859  */
860 #define	ELFCAP_STYLE	ELFCAP_STYLE_LC | ELFCAP_STYLE_F_ICMP
861 
862 /*
863  * To aid in the development and testing of capabilities, an alternative system
864  * capabilities group can be specified.  This alternative set is initialized
865  * from the system capabilities that are normally used to validate all object
866  * loading.  However, the user can disable, enable or override flags within
867  * this alternative set, and thus affect object loading.
868  *
869  * This technique is usually combined with defining the family of objects
870  * that should be compared against this alternative set.  Without defining the
871  * family of objects, all objects loaded by ld.so.1 are validated against the
872  * alternative set.  This can prevent the loading of critical system objects
873  * like libc, and thus prevent process execution.
874  */
875 typedef enum {
876 	CAP_OVERRIDE =	0,		/* override existing capabilities */
877 	CAP_ENABLE =	1,		/* enable capabilities */
878 	CAP_DISABLE =	2		/* disable capabilities */
879 } cap_mode;
880 
881 /*
882  * The override indexes originally followed the values of CA_SUNW_HW_1, SF_1,
883  * etc.
884  */
885 typedef enum {
886 	CAP_OVR_HW_1 = 0,
887 	CAP_OVR_SF_1,
888 	CAP_OVR_HW_2,
889 	CAP_OVR_HW_3,
890 	CAP_OVR_MAX
891 } cap_index_t;
892 
893 static struct {
894 	elfcap_mask_t	cs_val[3];	/* value settings, and indicator for */
895 	int		cs_set[3];	/*	OVERRIDE, ENABLE and DISABLE */
896 	elfcap_mask_t	*cs_aval;	/* alternative variable for final */
897 					/*	update */
898 } cap_settings[CAP_OVR_MAX] = {
899 	{ { 0, 0, 0 }, { 0, 0, 0 }, NULL },		/* CA_SUNW_HW_1 */
900 	{ { 0, 0, 0 }, { 0, 0, 0 }, NULL },		/* CA_SUNW_SF_1 */
901 	{ { 0, 0, 0 }, { 0, 0, 0 }, NULL },		/* CA_SUNW_HW_2 */
902 	{ { 0, 0, 0 }, { 0, 0, 0 }, NULL }		/* CA_SUNW_HW_3 */
903 };
904 
905 static int
906 cap_modify(Xword tag, const char *str)
907 {
908 	char		*caps, *ptr, *next;
909 	cap_mode	mode = CAP_OVERRIDE;
910 	cap_index_t	ndx;
911 
912 	if ((caps = strdup(str)) == NULL)
913 		return (0);
914 
915 	for (ptr = strtok_r(caps, MSG_ORIG(MSG_CAP_DELIMIT), &next);
916 	    ptr != NULL;
917 	    ptr = strtok_r(NULL, MSG_ORIG(MSG_CAP_DELIMIT), &next)) {
918 		Xword		val = 0;
919 
920 		/*
921 		 * Determine whether this token should be enabled (+),
922 		 * disabled (-), or override any existing settings.
923 		 */
924 		if (*ptr == '+') {
925 			mode = CAP_ENABLE;
926 			ptr++;
927 		} else if (*ptr == '-') {
928 			mode = CAP_DISABLE;
929 			ptr++;
930 		}
931 
932 		/*
933 		 * Process the capabilities as directed by the calling tag.
934 		 */
935 		switch (tag) {
936 		case CA_SUNW_HW_1:
937 			/*
938 			 * Determine whether the capabilities string matches
939 			 * a known hardware capability mask.  Note, the caller
940 			 * indicates that these are hardware capabilities by
941 			 * passing in the CA_SUNW_HW_1 tag.  However, the
942 			 * tokens could be CA_SUNW_HW_1, CA_SUNW_HW_2, or
943 			 * CA_SUNW_HW_3.
944 			 */
945 			if ((val = (Xword)elfcap_hw3_from_str(ELFCAP_STYLE,
946 			    ptr, M_MACH)) != 0) {
947 				ndx = CAP_OVR_HW_3;
948 				break;
949 			}
950 			if ((val = (Xword)elfcap_hw2_from_str(ELFCAP_STYLE,
951 			    ptr, M_MACH)) != 0) {
952 				ndx = CAP_OVR_HW_2;
953 				break;
954 			}
955 			if ((val = (Xword)elfcap_hw1_from_str(ELFCAP_STYLE,
956 			    ptr, M_MACH)) != 0)
957 				ndx = CAP_OVR_HW_1;
958 			break;
959 		case CA_SUNW_SF_1:
960 			/*
961 			 * Determine whether the capabilities string matches a
962 			 * known software capability mask.  Note, the callers
963 			 * indication of what capabilities to process are
964 			 * triggered by a tag of CA_SUNW_SF_1, but the tokens
965 			 * processed could be CA_SUNW_SF_1, CA_SUNW_SF_2, etc.
966 			 */
967 			if ((val = (Xword)elfcap_sf1_from_str(ELFCAP_STYLE,
968 			    ptr, M_MACH)) != 0)
969 				ndx = CAP_OVR_SF_1;
970 			break;
971 		}
972 
973 		/*
974 		 * If a capabilities token has not been matched, interpret the
975 		 * string as a number.  To provide for setting the various
976 		 * families (CA_SUNW_HW_1, CA_SUNW_HW_2), the number can be
977 		 * prefixed with the (bracketed) family index.
978 		 *
979 		 *	LD_HWCAP=[1]0x40    sets CA_SUNW_HW_1 with 0x40
980 		 *	LD_HWCAP=[2]0x80    sets CA_SUNW_HW_2 with 0x80
981 		 *	LD_HWCAP=[3]0x44    sets CA_SUNW_HW_3 with 0x44
982 		 *
983 		 * Invalid indexes are ignored.
984 		 */
985 		if (val == 0) {
986 			char *end;
987 
988 			if ((*ptr == '[') && (*(ptr + 2) == ']')) {
989 				if (*(ptr + 1) == '1') {
990 					ndx = CAP_OVR_HW_1;
991 					ptr += 3;
992 				} else if (*(ptr + 1) == '3') {
993 					if (tag == CA_SUNW_HW_1) {
994 						ndx = CAP_OVR_HW_3;
995 						ptr += 3;
996 					} else {
997 						/* invalid index */
998 						continue;
999 					}
1000 				} else if (*(ptr + 1) == '2') {
1001 					if (tag == CA_SUNW_HW_1) {
1002 						ndx = CAP_OVR_HW_2;
1003 						ptr += 3;
1004 					} else {
1005 						/* invalid index */
1006 						continue;
1007 					}
1008 				} else {
1009 					/* invalid index */
1010 					continue;
1011 				}
1012 			} else {
1013 				ndx = tag - 1;
1014 			}
1015 
1016 			errno = 0;
1017 			if (((val = strtol(ptr, &end, 16)) == 0) && errno)
1018 				continue;
1019 
1020 			/*
1021 			 * If the value wasn't an entirely valid hexadecimal
1022 			 * integer, assume it was intended as a capability
1023 			 * name and skip it.
1024 			 */
1025 			if (*end != '\0') {
1026 				eprintf(NULL, ERR_WARNING,
1027 				    MSG_INTL(MSG_CAP_IGN_UNKCAP), ptr);
1028 				continue;
1029 			}
1030 		}
1031 
1032 		cap_settings[ndx].cs_val[mode] |= val;
1033 		cap_settings[ndx].cs_set[mode]++;
1034 
1035 	}
1036 
1037 	/*
1038 	 * If the "override" token was supplied, set the alternative
1039 	 * system capabilities, then enable or disable others.
1040 	 */
1041 	for (ndx = 0; ndx < CAP_OVR_MAX; ndx++) {
1042 		if (cap_settings[ndx].cs_set[CAP_OVERRIDE])
1043 			*(cap_settings[ndx].cs_aval) =
1044 			    cap_settings[ndx].cs_val[CAP_OVERRIDE];
1045 		if (cap_settings[ndx].cs_set[CAP_ENABLE])
1046 			*(cap_settings[ndx].cs_aval) |=
1047 			    cap_settings[ndx].cs_val[CAP_ENABLE];
1048 		if (cap_settings[ndx].cs_set[CAP_DISABLE])
1049 			*(cap_settings[ndx].cs_aval) &=
1050 			    ~cap_settings[ndx].cs_val[CAP_DISABLE];
1051 	}
1052 	free(caps);
1053 	return (1);
1054 }
1055 #undef	ELFCAP_STYLE
1056 
1057 /*
1058  * Create an AVL tree of objects that are to be validated against an alternative
1059  * system capabilities value.
1060  */
1061 static int
1062 cap_files(const char *str)
1063 {
1064 	char	*caps, *name, *next;
1065 
1066 	if ((caps = strdup(str)) == NULL)
1067 		return (0);
1068 
1069 	for (name = strtok_r(caps, MSG_ORIG(MSG_CAP_DELIMIT), &next);
1070 	    name != NULL;
1071 	    name = strtok_r(NULL, MSG_ORIG(MSG_CAP_DELIMIT), &next)) {
1072 		avl_index_t	where;
1073 		PathNode	*pnp;
1074 		uint_t		hash = sgs_str_hash(name);
1075 
1076 		/*
1077 		 * Determine whether this pathname has already been recorded.
1078 		 */
1079 		if (pnavl_recorded(&capavl, name, hash, &where))
1080 			continue;
1081 
1082 		if ((pnp = calloc(1, sizeof (PathNode))) != NULL) {
1083 			pnp->pn_name = name;
1084 			pnp->pn_hash = hash;
1085 			avl_insert(capavl, pnp, where);
1086 		}
1087 	}
1088 
1089 	return (1);
1090 }
1091 
1092 /*
1093  * Set alternative system capabilities.  A user can establish alternative system
1094  * capabilities from the environment, or from a configuration file.  This
1095  * routine is called in each instance.  Environment variables only set the
1096  * replaceable (rpl) variables.  Configuration files can set both replaceable
1097  * (rpl) and permanent (prm) variables.
1098  */
1099 int
1100 cap_alternative(void)
1101 {
1102 	/*
1103 	 * If no capabilities have been set, we're done.
1104 	 */
1105 	if ((rpl_hwcap == NULL) && (rpl_sfcap == NULL) &&
1106 	    (rpl_machcap == NULL) && (rpl_platcap == NULL) &&
1107 	    (prm_hwcap == NULL) && (prm_sfcap == NULL) &&
1108 	    (prm_machcap == NULL) && (prm_platcap == NULL))
1109 		return (1);
1110 
1111 	/*
1112 	 * If the user has requested to modify any capabilities, establish a
1113 	 * unique set from the present system capabilities.
1114 	 */
1115 	if ((alt_scapset = malloc(sizeof (Syscapset))) == NULL)
1116 		return (0);
1117 	*alt_scapset = *org_scapset;
1118 
1119 	cap_settings[CAP_OVR_HW_1].cs_aval = &alt_scapset->sc_hw_1;
1120 	cap_settings[CAP_OVR_SF_1].cs_aval = &alt_scapset->sc_sf_1;
1121 	cap_settings[CAP_OVR_HW_2].cs_aval = &alt_scapset->sc_hw_2;
1122 	cap_settings[CAP_OVR_HW_3].cs_aval = &alt_scapset->sc_hw_3;
1123 
1124 	/*
1125 	 * Process any replaceable variables.
1126 	 */
1127 	if (rpl_hwcap && (cap_modify(CA_SUNW_HW_1, rpl_hwcap) == 0))
1128 		return (0);
1129 	if (rpl_sfcap && (cap_modify(CA_SUNW_SF_1, rpl_sfcap) == 0))
1130 		return (0);
1131 
1132 	if (rpl_platcap) {
1133 		alt_scapset->sc_plat = (char *)rpl_platcap;
1134 		alt_scapset->sc_platsz = strlen(rpl_platcap);
1135 	}
1136 	if (rpl_machcap) {
1137 		alt_scapset->sc_mach = (char *)rpl_machcap;
1138 		alt_scapset->sc_machsz = strlen(rpl_machcap);
1139 	}
1140 
1141 	if (rpl_cap_files && (cap_files(rpl_cap_files) == 0))
1142 		return (0);
1143 
1144 	/*
1145 	 * Process any permanent variables.
1146 	 */
1147 	if (prm_hwcap && (cap_modify(CA_SUNW_HW_1, prm_hwcap) == 0))
1148 		return (0);
1149 	if (prm_sfcap && (cap_modify(CA_SUNW_SF_1, prm_sfcap) == 0))
1150 		return (0);
1151 
1152 	if (prm_platcap) {
1153 		alt_scapset->sc_plat = (char *)prm_platcap;
1154 		alt_scapset->sc_platsz = strlen(prm_platcap);
1155 	}
1156 	if (prm_machcap) {
1157 		alt_scapset->sc_mach = (char *)prm_machcap;
1158 		alt_scapset->sc_machsz = strlen(prm_machcap);
1159 	}
1160 
1161 	if (prm_cap_files && (cap_files(prm_cap_files) == 0))
1162 		return (0);
1163 
1164 	/*
1165 	 * Reset the replaceable variables.  If this is the environment variable
1166 	 * processing, these variables are now available for configuration file
1167 	 * initialization.
1168 	 */
1169 	rpl_hwcap = rpl_sfcap = rpl_machcap = rpl_platcap =
1170 	    rpl_cap_files = NULL;
1171 
1172 	return (1);
1173 }
1174 
1175 /*
1176  * Take the index from a Capinfo entry and determine the associated capabilities
1177  * set.  Verify that the capabilities are available for this system.
1178  */
1179 static int
1180 sym_cap_check(Cap *cptr, uint_t cndx, Syscapset *bestcapset, Rt_map *lmp,
1181     const char *name, uint_t ndx)
1182 {
1183 	Syscapset	*scapset;
1184 	int		totplat, ivlplat, totmach, ivlmach, capfail = 0;
1185 
1186 	/*
1187 	 * Determine whether this file requires validation against alternative
1188 	 * system capabilities.
1189 	 */
1190 	if ((FLAGS1(lmp) & FL1_RT_ALTCHECK) == 0)
1191 		cap_check_lmp_init(lmp);
1192 
1193 	if (FLAGS1(lmp) & FL1_RT_ALTCAP)
1194 		scapset = alt_scapset;
1195 	else
1196 		scapset = org_scapset;
1197 
1198 	totplat = ivlplat = totmach = ivlmach = 0;
1199 
1200 	/*
1201 	 * A capabilities index points to a capabilities group that can consist
1202 	 * of one or more capabilities, terminated with a CA_SUNW_NULL entry.
1203 	 */
1204 	for (cptr += cndx; cptr->c_tag != CA_SUNW_NULL; cptr++) {
1205 		Xword	val = cptr->c_un.c_val;
1206 		char	*str;
1207 
1208 		switch (cptr->c_tag) {
1209 		case CA_SUNW_HW_1:
1210 			/*
1211 			 * Remove any historic values that should not be
1212 			 * involved with any validation.
1213 			 */
1214 			val &= ~AV_HW1_IGNORE;
1215 
1216 			bestcapset->sc_hw_1 = val;
1217 			DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_HW_1,
1218 			    name, ndx, M_MACH, bestcapset));
1219 
1220 			if (hwcap1_check(scapset, val, NULL) == 0)
1221 				capfail++;
1222 			break;
1223 		case CA_SUNW_SF_1:
1224 			bestcapset->sc_sf_1 = val;
1225 			DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_SF_1,
1226 			    name, ndx, M_MACH, bestcapset));
1227 
1228 			if (sfcap1_check(scapset, val, NULL) == 0)
1229 				capfail++;
1230 			break;
1231 		case CA_SUNW_HW_2:
1232 			bestcapset->sc_hw_2 = val;
1233 			DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_HW_2,
1234 			    name, ndx, M_MACH, bestcapset));
1235 
1236 			if (hwcap2_check(scapset, val, NULL) == 0)
1237 				capfail++;
1238 			break;
1239 		case CA_SUNW_PLAT:
1240 			/*
1241 			 * A capabilities set can define multiple platform names
1242 			 * that are appropriate.  Only if all the names are
1243 			 * deemed invalid is the group determined inappropriate.
1244 			 */
1245 			if (totplat == ivlplat) {
1246 				totplat++;
1247 
1248 				str = STRTAB(lmp) + val;
1249 				bestcapset->sc_plat = str;
1250 
1251 				DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_PLAT,
1252 				    name, ndx, M_MACH, bestcapset));
1253 
1254 				if (platcap_check(scapset, str, NULL) == 0)
1255 					ivlplat++;
1256 			}
1257 			break;
1258 		case CA_SUNW_MACH:
1259 			/*
1260 			 * A capabilities set can define multiple machine names
1261 			 * that are appropriate.  Only if all the names are
1262 			 * deemed invalid is the group determined inappropriate.
1263 			 */
1264 			if (totmach == ivlmach) {
1265 				totmach++;
1266 
1267 				str = STRTAB(lmp) + val;
1268 				bestcapset->sc_mach = str;
1269 
1270 				DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_MACH,
1271 				    name, ndx, M_MACH, bestcapset));
1272 
1273 				if (machcap_check(scapset, str, NULL) == 0)
1274 					ivlmach++;
1275 			}
1276 			break;
1277 		case CA_SUNW_HW_3:
1278 			bestcapset->sc_hw_3 = val;
1279 			DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_HW_3,
1280 			    name, ndx, M_MACH, bestcapset));
1281 
1282 			if (hwcap3_check(scapset, val, NULL) == 0)
1283 				capfail++;
1284 			break;
1285 
1286 		default:
1287 			break;
1288 		}
1289 	}
1290 
1291 	/*
1292 	 * If any platform definitions, or machine definitions were found, and
1293 	 * all were invalid, indicate that the object is inappropriate.
1294 	 */
1295 	if (capfail || (totplat && (totplat == ivlplat)) ||
1296 	    (totmach && (totmach == ivlmach))) {
1297 		DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_REJECTED, name, ndx,
1298 		    M_MACH, NULL));
1299 		return (0);
1300 	}
1301 
1302 	DBG_CALL(Dbg_syms_cap_lookup(lmp, DBG_CAP_CANDIDATE, name, ndx,
1303 	    M_MACH, NULL));
1304 	return (1);
1305 }
1306 
1307 /*
1308  * Determine whether a symbols capabilities are more significant than any that
1309  * have already been validated.  The precedence of capabilities are:
1310  *
1311  *   PLATCAP -> MACHCAP -> HWCAP_2 -> HWCAP_1
1312  *
1313  *
1314  * Presently we make no comparisons of software capabilities.  However, should
1315  * this symbol capability have required the SF1_SUNW_ADDR32 attribute, then
1316  * this would have been validated as appropriate or not.
1317  *
1318  * bestcapset is the presently available 'best' capabilities group, and
1319  * symcapset is the present capabilities group under investigation.  Return 0
1320  * if the bestcapset should remain in affect, or 1 if the symcapset is better.
1321  */
1322 inline static int
1323 is_sym_the_best(Syscapset *bestcapset, Syscapset *symcapset)
1324 {
1325 	/*
1326 	 * Check any platform capability.  If the new symbol isn't associated
1327 	 * with a CA_SUNW_PLAT capability, and the best symbol is, then retain
1328 	 * the best capabilities group.  If the new symbol is associated with a
1329 	 * CA_SUNW_PLAT capability, and the best symbol isn't, then the new
1330 	 * symbol needs to be taken.
1331 	 */
1332 	if (bestcapset->sc_plat && (symcapset->sc_plat == NULL))
1333 		return (0);
1334 
1335 	if ((bestcapset->sc_plat == NULL) && symcapset->sc_plat)
1336 		return (1);
1337 
1338 	/*
1339 	 * Check any machine name capability.  If the new symbol isn't
1340 	 * associated with a CA_SUNW_MACH capability, and the best symbol is,
1341 	 * then retain the best capabilities group.  If the new symbol is
1342 	 * associated with a CA_SUNW_MACH capability, and the best symbol isn't,
1343 	 * then the new symbol needs to be taken.
1344 	 */
1345 	if (bestcapset->sc_mach && (symcapset->sc_mach == NULL))
1346 		return (0);
1347 
1348 	if ((bestcapset->sc_mach == NULL) && symcapset->sc_mach)
1349 		return (1);
1350 
1351 	/*
1352 	 * Check the hardware capabilities.  If the best symbols CA_SUNW_HW_3
1353 	 * capabilities are greater than the new symbols capabilities, then
1354 	 * retain the best capabilities group.  If the new symbols CA_SUNW_HW_3
1355 	 * capabilities are greater than the best symbol, then the new symbol
1356 	 * needs to be taken. Repeat the same process for CA_SUNW_HW_2.
1357 	 */
1358 	if (bestcapset->sc_hw_3 > symcapset->sc_hw_3)
1359 		return (0);
1360 
1361 	if (bestcapset->sc_hw_3 < symcapset->sc_hw_3)
1362 		return (1);
1363 
1364 	if (bestcapset->sc_hw_2 > symcapset->sc_hw_2)
1365 		return (0);
1366 
1367 	if (bestcapset->sc_hw_2 < symcapset->sc_hw_2)
1368 		return (1);
1369 
1370 	/*
1371 	 * Check the remaining hardware capabilities.  If the best symbols
1372 	 * CA_SUNW_HW_1 capabilities are greater than the new symbols
1373 	 * capabilities, then retain the best capabilities group.  If the new
1374 	 * symbols CA_SUNW_HW_1 capabilities are greater than the best symbol,
1375 	 * then the new symbol needs to be taken.
1376 	 */
1377 	if (bestcapset->sc_hw_1 > symcapset->sc_hw_1)
1378 		return (0);
1379 
1380 	if (bestcapset->sc_hw_1 < symcapset->sc_hw_1)
1381 		return (1);
1382 
1383 	/*
1384 	 * Both capabilities are the same.  Retain the best on a first-come
1385 	 * first-served basis.
1386 	 */
1387 	return (0);
1388 }
1389 
1390 /*
1391  * Initiate symbol capabilities processing.  If an initial symbol lookup
1392  * results in binding to a symbol that has an associated SUNW_capinfo entry,
1393  * we arrive here.
1394  *
1395  * The standard model is that this initial symbol is the lead capabilities
1396  * symbol (defined as CAPINFO_SUNW_GLOB) of a capabilities family.  This lead
1397  * symbol's SUNW_capinfo information points to the SUNW_capchain entry that
1398  * provides the family symbol indexes.  We traverse this chain, looking at
1399  * each family member, to discover the best capabilities instance.  This
1400  * instance name and symbol information is returned to establish the final
1401  * symbol binding.
1402  *
1403  * If the symbol that got us here is not CAPINFO_SUNW_GLOB, then we've bound
1404  * directly to a capabilities symbol which must be verified.  This is not the
1405  * model created by ld(1) using -z symbolcap, but might be created directly
1406  * within a relocatable object by the compilation system.
1407  */
1408 int
1409 cap_match(Sresult *srp, uint_t symndx, Sym *symtabptr, char *strtabptr)
1410 {
1411 	Rt_map		*ilmp = srp->sr_dmap;
1412 	Sym		*bsym = NULL;
1413 	const char	*bname;
1414 	Syscapset	bestcapset = { 0 };
1415 	Cap		*cap;
1416 	Capchain	*capchain;
1417 	uchar_t		grpndx;
1418 	uint_t		ochainndx, nchainndx, bndx;
1419 
1420 	cap = CAP(ilmp);
1421 	capchain = CAPCHAIN(ilmp);
1422 
1423 	grpndx = (uchar_t)ELF_C_GROUP(CAPINFO(ilmp)[symndx]);
1424 
1425 	/*
1426 	 * If this symbols capability group is not a lead symbol, then simply
1427 	 * verify the symbol.
1428 	 */
1429 	if (grpndx != CAPINFO_SUNW_GLOB) {
1430 		Syscapset	symcapset = { 0 };
1431 
1432 		return (sym_cap_check(cap, grpndx, &symcapset, ilmp,
1433 		    srp->sr_name, symndx));
1434 	}
1435 
1436 	/*
1437 	 * If there is no capabilities chain, return the lead symbol.
1438 	 */
1439 	if (capchain == NULL)
1440 		return (1);
1441 
1442 	ochainndx = (uint_t)ELF_C_SYM(CAPINFO(ilmp)[symndx]);
1443 
1444 	/*
1445 	 * If there is only one member for this family, take it.  Once a family
1446 	 * has been processed, the best family instance is written to the head
1447 	 * of the chain followed by a null entry.  This caching ensures that the
1448 	 * same family comparison doesn't have to be undertaken more than once.
1449 	 */
1450 	if (capchain[ochainndx] && (capchain[ochainndx + 1] == 0)) {
1451 		Sym		*fsym = symtabptr + capchain[ochainndx];
1452 		const char	*fname = strtabptr + fsym->st_name;
1453 
1454 		DBG_CALL(Dbg_syms_cap_lookup(ilmp, DBG_CAP_USED, fname,
1455 		    capchain[ochainndx], M_MACH, NULL));
1456 
1457 		srp->sr_sym = fsym;
1458 		srp->sr_name = fname;
1459 		return (1);
1460 	}
1461 
1462 	/*
1463 	 * As this symbol is the lead symbol of a capabilities family, it is
1464 	 * considered the generic member, and therefore forms the basic
1465 	 * fall-back for the capabilities family.
1466 	 */
1467 	DBG_CALL(Dbg_syms_cap_lookup(ilmp, DBG_CAP_DEFAULT, srp->sr_name,
1468 	    symndx, M_MACH, NULL));
1469 	bsym = srp->sr_sym;
1470 	bname = srp->sr_name;
1471 	bndx = symndx;
1472 
1473 	/*
1474 	 * Traverse the capabilities chain analyzing each family member.
1475 	 */
1476 	for (nchainndx = ochainndx + 1, symndx = capchain[nchainndx]; symndx;
1477 	    nchainndx++, symndx = capchain[nchainndx]) {
1478 		Sym		*nsym = symtabptr + symndx;
1479 		const char	*nname = strtabptr + nsym->st_name;
1480 		Syscapset	symcapset = { 0 };
1481 
1482 		if ((grpndx =
1483 		    (uchar_t)ELF_C_GROUP(CAPINFO(ilmp)[symndx])) == 0)
1484 			continue;
1485 
1486 		if (sym_cap_check(cap, grpndx, &symcapset, ilmp,
1487 		    nname, symndx) == 0)
1488 			continue;
1489 
1490 		/*
1491 		 * Determine whether a symbol's capabilities are more
1492 		 * significant than any that have already been validated.
1493 		 */
1494 		if (is_sym_the_best(&bestcapset, &symcapset)) {
1495 			bestcapset = symcapset;
1496 			bsym = nsym;
1497 			bname = nname;
1498 			bndx = symndx;
1499 		}
1500 	}
1501 
1502 	DBG_CALL(Dbg_syms_cap_lookup(ilmp, DBG_CAP_USED, bname, bndx,
1503 	    M_MACH, NULL));
1504 
1505 	/*
1506 	 * Having found the best symbol, cache the results by overriding the
1507 	 * first element of the associated chain.
1508 	 */
1509 	capchain[ochainndx] = bndx;
1510 	capchain[ochainndx + 1] = 0;
1511 
1512 	/*
1513 	 * Update the symbol result information for return to the user.
1514 	 */
1515 	srp->sr_sym = bsym;
1516 	srp->sr_name = bname;
1517 	return (1);
1518 }
1519