xref: /illumos-gate/usr/src/lib/libzonecfg/common/libzonecfg.c (revision 2833423dc59f4c35fe4713dbb942950c82df0437)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2014 Gary Mills
24  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
25  * Copyright (c) 2018, Joyent, Inc.
26  * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
27  * Copyright 2021 OmniOS Community Edition (OmniOSce) Association.
28  */
29 
30 #include <libsysevent.h>
31 #include <pthread.h>
32 #include <stdlib.h>
33 #include <errno.h>
34 #include <fnmatch.h>
35 #include <strings.h>
36 #include <unistd.h>
37 #include <assert.h>
38 #include <libgen.h>
39 #include <libintl.h>
40 #include <alloca.h>
41 #include <ctype.h>
42 #include <sys/acl.h>
43 #include <sys/stat.h>
44 #include <sys/brand.h>
45 #include <sys/mntio.h>
46 #include <sys/mnttab.h>
47 #include <sys/nvpair.h>
48 #include <sys/types.h>
49 #include <sys/sockio.h>
50 #include <sys/systeminfo.h>
51 #include <ftw.h>
52 #include <pool.h>
53 #include <libscf.h>
54 #include <libproc.h>
55 #include <sys/priocntl.h>
56 #include <libuutil.h>
57 #include <wait.h>
58 #include <bsm/adt.h>
59 #include <auth_attr.h>
60 #include <auth_list.h>
61 #include <secdb.h>
62 #include <user_attr.h>
63 #include <prof_attr.h>
64 #include <definit.h>
65 
66 #include <arpa/inet.h>
67 #include <netdb.h>
68 
69 #include <libxml/xmlmemory.h>
70 #include <libxml/parser.h>
71 
72 #include <libdevinfo.h>
73 #include <uuid/uuid.h>
74 #include <dirent.h>
75 #include <libbrand.h>
76 
77 #include <libzonecfg.h>
78 #include "zonecfg_impl.h"
79 
80 #define	_PATH_TMPFILE	"/zonecfg.XXXXXX"
81 #define	ZONE_CB_RETRY_COUNT		10
82 #define	ZONE_EVENT_PING_SUBCLASS	"ping"
83 #define	ZONE_EVENT_PING_PUBLISHER	"solaris"
84 
85 /* Hard-code the DTD element/attribute/entity names just once, here. */
86 #define	DTD_ELEM_ATTR		(const xmlChar *) "attr"
87 #define	DTD_ELEM_COMMENT	(const xmlChar *) "comment"
88 #define	DTD_ELEM_DEVICE		(const xmlChar *) "device"
89 #define	DTD_ELEM_FS		(const xmlChar *) "filesystem"
90 #define	DTD_ELEM_FSOPTION	(const xmlChar *) "fsoption"
91 #define	DTD_ELEM_NET		(const xmlChar *) "network"
92 #define	DTD_ELEM_RCTL		(const xmlChar *) "rctl"
93 #define	DTD_ELEM_RCTLVALUE	(const xmlChar *) "rctl-value"
94 #define	DTD_ELEM_ZONE		(const xmlChar *) "zone"
95 #define	DTD_ELEM_DATASET	(const xmlChar *) "dataset"
96 #define	DTD_ELEM_TMPPOOL	(const xmlChar *) "tmp_pool"
97 #define	DTD_ELEM_PSET		(const xmlChar *) "pset"
98 #define	DTD_ELEM_MCAP		(const xmlChar *) "mcap"
99 #define	DTD_ELEM_PACKAGE	(const xmlChar *) "package"
100 #define	DTD_ELEM_OBSOLETES	(const xmlChar *) "obsoletes"
101 #define	DTD_ELEM_DEV_PERM	(const xmlChar *) "dev-perm"
102 #define	DTD_ELEM_ADMIN		(const xmlChar *) "admin"
103 #define	DTD_ELEM_SECFLAGS	(const xmlChar *) "security-flags"
104 
105 #define	DTD_ATTR_ACTION		(const xmlChar *) "action"
106 #define	DTD_ATTR_ADDRESS	(const xmlChar *) "address"
107 #define	DTD_ATTR_ALLOWED_ADDRESS	(const xmlChar *) "allowed-address"
108 #define	DTD_ATTR_AUTOBOOT	(const xmlChar *) "autoboot"
109 #define	DTD_ATTR_IPTYPE		(const xmlChar *) "ip-type"
110 #define	DTD_ATTR_DEFROUTER	(const xmlChar *) "defrouter"
111 #define	DTD_ATTR_DIR		(const xmlChar *) "directory"
112 #define	DTD_ATTR_LIMIT		(const xmlChar *) "limit"
113 #define	DTD_ATTR_LIMITPRIV	(const xmlChar *) "limitpriv"
114 #define	DTD_ATTR_BOOTARGS	(const xmlChar *) "bootargs"
115 #define	DTD_ATTR_SCHED		(const xmlChar *) "scheduling-class"
116 #define	DTD_ATTR_MATCH		(const xmlChar *) "match"
117 #define	DTD_ATTR_NAME		(const xmlChar *) "name"
118 #define	DTD_ATTR_PHYSICAL	(const xmlChar *) "physical"
119 #define	DTD_ATTR_POOL		(const xmlChar *) "pool"
120 #define	DTD_ATTR_PRIV		(const xmlChar *) "priv"
121 #define	DTD_ATTR_RAW		(const xmlChar *) "raw"
122 #define	DTD_ATTR_SPECIAL	(const xmlChar *) "special"
123 #define	DTD_ATTR_TYPE		(const xmlChar *) "type"
124 #define	DTD_ATTR_VALUE		(const xmlChar *) "value"
125 #define	DTD_ATTR_ZONEPATH	(const xmlChar *) "zonepath"
126 #define	DTD_ATTR_NCPU_MIN	(const xmlChar *) "ncpu_min"
127 #define	DTD_ATTR_NCPU_MAX	(const xmlChar *) "ncpu_max"
128 #define	DTD_ATTR_IMPORTANCE	(const xmlChar *) "importance"
129 #define	DTD_ATTR_PHYSCAP	(const xmlChar *) "physcap"
130 #define	DTD_ATTR_VERSION	(const xmlChar *) "version"
131 #define	DTD_ATTR_ID		(const xmlChar *) "id"
132 #define	DTD_ATTR_UID		(const xmlChar *) "uid"
133 #define	DTD_ATTR_GID		(const xmlChar *) "gid"
134 #define	DTD_ATTR_MODE		(const xmlChar *) "mode"
135 #define	DTD_ATTR_ACL		(const xmlChar *) "acl"
136 #define	DTD_ATTR_BRAND		(const xmlChar *) "brand"
137 #define	DTD_ATTR_HOSTID		(const xmlChar *) "hostid"
138 #define	DTD_ATTR_USER		(const xmlChar *) "user"
139 #define	DTD_ATTR_AUTHS		(const xmlChar *) "auths"
140 #define	DTD_ATTR_FS_ALLOWED	(const xmlChar *) "fs-allowed"
141 #define	DTD_ATTR_DEFAULT	(const xmlChar *) "default"
142 #define	DTD_ATTR_LOWER		(const xmlChar *) "lower"
143 #define	DTD_ATTR_UPPER		(const xmlChar *) "upper"
144 
145 
146 #define	DTD_ENTITY_BOOLEAN	"boolean"
147 #define	DTD_ENTITY_DEVPATH	"devpath"
148 #define	DTD_ENTITY_DRIVER	"driver"
149 #define	DTD_ENTITY_DRVMIN	"drv_min"
150 #define	DTD_ENTITY_FALSE	"false"
151 #define	DTD_ENTITY_INT		"int"
152 #define	DTD_ENTITY_STRING	"string"
153 #define	DTD_ENTITY_TRUE		"true"
154 #define	DTD_ENTITY_UINT		"uint"
155 
156 #define	DTD_ENTITY_BOOL_LEN	6	/* "false" */
157 
158 #define	ATTACH_FORCED	"SUNWattached.xml"
159 
160 #define	TMP_POOL_NAME	"SUNWtmp_%s"
161 #define	MAX_TMP_POOL_NAME	(ZONENAME_MAX + 9)
162 #define	RCAP_SERVICE	"system/rcap:default"
163 #define	POOLD_SERVICE	"system/pools/dynamic:default"
164 
165 #define	XML_PARSER_OPTIONS	(XML_PARSE_DTDLOAD | XML_PARSE_DTDVALID | \
166 				XML_PARSE_NOBLANKS | XML_PARSE_NOWARNING)
167 
168 /*
169  * rctl alias definitions
170  *
171  * This holds the alias, the full rctl name, the default priv value, action
172  * and lower limit.  The functions that handle rctl aliases step through
173  * this table, matching on the alias, and using the full values for setting
174  * the rctl entry as well the limit for validation.
175  */
176 static struct alias {
177 	char *shortname;
178 	char *realname;
179 	char *priv;
180 	char *action;
181 	uint64_t low_limit;
182 } aliases[] = {
183 	{ALIAS_MAXLWPS, "zone.max-lwps", "privileged", "deny", 100},
184 	{ALIAS_MAXSHMMEM, "zone.max-shm-memory", "privileged", "deny", 0},
185 	{ALIAS_MAXSHMIDS, "zone.max-shm-ids", "privileged", "deny", 0},
186 	{ALIAS_MAXMSGIDS, "zone.max-msg-ids", "privileged", "deny", 0},
187 	{ALIAS_MAXSEMIDS, "zone.max-sem-ids", "privileged", "deny", 0},
188 	{ALIAS_MAXLOCKEDMEM, "zone.max-locked-memory", "privileged", "deny", 0},
189 	{ALIAS_MAXSWAP, "zone.max-swap", "privileged", "deny", 0},
190 	{ALIAS_SHARES, "zone.cpu-shares", "privileged", "none", 0},
191 	{ALIAS_CPUCAP, "zone.cpu-cap", "privileged", "deny", 0},
192 	{ALIAS_MAXPROCS, "zone.max-processes", "privileged", "deny", 100},
193 	{NULL, NULL, NULL, NULL, 0}
194 };
195 
196 /*
197  * Structure for applying rctls to a running zone.  It allows important
198  * process values to be passed together easily.
199  */
200 typedef struct pr_info_handle {
201 	struct ps_prochandle *pr;
202 	pid_t pid;
203 } pr_info_handle_t;
204 
205 struct zone_dochandle {
206 	char		*zone_dh_rootdir;
207 	xmlDocPtr	zone_dh_doc;
208 	xmlNodePtr	zone_dh_cur;
209 	xmlNodePtr	zone_dh_top;
210 	boolean_t	zone_dh_newzone;
211 	boolean_t	zone_dh_snapshot;
212 	boolean_t	zone_dh_sw_inv;
213 	zone_userauths_t	*zone_dh_userauths;
214 	char		zone_dh_delete_name[ZONENAME_MAX];
215 };
216 
217 struct znotify {
218 	void * zn_private;
219 	evchan_t *zn_eventchan;
220 	int (*zn_callback)(const  char *zonename, zoneid_t zid,
221 	    const char *newstate, const char *oldstate, hrtime_t when, void *p);
222 	pthread_mutex_t zn_mutex;
223 	pthread_cond_t zn_cond;
224 	pthread_mutex_t zn_bigmutex;
225 	volatile enum {ZN_UNLOCKED, ZN_LOCKED, ZN_PING_INFLIGHT,
226 	    ZN_PING_RECEIVED} zn_state;
227 	char zn_subscriber_id[MAX_SUBID_LEN];
228 	volatile boolean_t zn_failed;
229 	int zn_failure_count;
230 };
231 
232 /* used to track nested zone-lock operations */
233 static int zone_lock_cnt = 0;
234 
235 /* used to communicate lock status to children */
236 #define	LOCK_ENV_VAR	"_ZONEADM_LOCK_HELD"
237 static char zoneadm_lock_held[] = LOCK_ENV_VAR"=1";
238 static char zoneadm_lock_not_held[] = LOCK_ENV_VAR"=0";
239 
240 char *zonecfg_root = "";
241 
242 /*
243  * For functions which return int, which is most of the functions herein,
244  * the return values should be from the Z_foo set defined in <libzonecfg.h>.
245  * In some instances, we take pains mapping some libc errno values to Z_foo
246  * values from this set.
247  */
248 
249 /*
250  * Set the root (/) path for all zonecfg configuration files.  This is a
251  * private interface used by Live Upgrade extensions to access zone
252  * configuration inside mounted alternate boot environments.
253  * This interface is also used by zoneadm mount and unmount subcommands.
254  */
255 void
256 zonecfg_set_root(const char *rootpath)
257 {
258 	if (*zonecfg_root != '\0')
259 		free(zonecfg_root);
260 	if (rootpath == NULL || rootpath[0] == '\0' || rootpath[1] == '\0' ||
261 	    (zonecfg_root = strdup(rootpath)) == NULL)
262 		zonecfg_root = "";
263 }
264 
265 const char *
266 zonecfg_get_root(void)
267 {
268 	return (zonecfg_root);
269 }
270 
271 boolean_t
272 zonecfg_in_alt_root(void)
273 {
274 	return (*zonecfg_root != '\0');
275 }
276 
277 /*
278  * Callers of the _file_path() functions are expected to have the second
279  * parameter be a (char foo[MAXPATHLEN]).
280  */
281 
282 static boolean_t
283 config_file_path(const char *zonename, char *answer)
284 {
285 	return (snprintf(answer, MAXPATHLEN, "%s%s/%s.xml", zonecfg_root,
286 	    ZONE_CONFIG_ROOT, zonename) < MAXPATHLEN);
287 }
288 
289 static boolean_t
290 snap_file_path(const char *zonename, char *answer)
291 {
292 	return (snprintf(answer, MAXPATHLEN, "%s%s/%s.snapshot.xml",
293 	    zonecfg_root, ZONE_SNAPSHOT_ROOT, zonename) < MAXPATHLEN);
294 }
295 
296 /*ARGSUSED*/
297 static void
298 zonecfg_error_func(void *ctx, const char *msg, ...)
299 {
300 	/*
301 	 * This function does nothing by design.  Its purpose is to prevent
302 	 * libxml from dumping unwanted messages to stdout/stderr.
303 	 */
304 }
305 
306 zone_dochandle_t
307 zonecfg_init_handle(void)
308 {
309 	zone_dochandle_t handle = calloc(1, sizeof (struct zone_dochandle));
310 	if (handle == NULL) {
311 		errno = Z_NOMEM;
312 		return (NULL);
313 	}
314 
315 	xmlSetGenericErrorFunc(NULL, zonecfg_error_func);
316 
317 	return (handle);
318 }
319 
320 int
321 zonecfg_check_handle(zone_dochandle_t handle)
322 {
323 	if (handle == NULL || handle->zone_dh_doc == NULL)
324 		return (Z_BAD_HANDLE);
325 	return (Z_OK);
326 }
327 
328 void
329 zonecfg_fini_handle(zone_dochandle_t handle)
330 {
331 	if (zonecfg_check_handle(handle) == Z_OK)
332 		xmlFreeDoc(handle->zone_dh_doc);
333 	if (handle != NULL)
334 		free(handle);
335 }
336 
337 static int
338 zonecfg_destroy_impl(char *filename)
339 {
340 	if (unlink(filename) == -1) {
341 		if (errno == EACCES)
342 			return (Z_ACCES);
343 		if (errno == ENOENT)
344 			return (Z_NO_ZONE);
345 		return (Z_MISC_FS);
346 	}
347 	return (Z_OK);
348 }
349 
350 int
351 zonecfg_destroy(const char *zonename, boolean_t force)
352 {
353 	char path[MAXPATHLEN];
354 	struct zoneent ze;
355 	int err, state_err;
356 	zone_state_t state;
357 
358 	if (!config_file_path(zonename, path))
359 		return (Z_MISC_FS);
360 
361 	state_err = zone_get_state((char *)zonename, &state);
362 	err = access(path, W_OK);
363 
364 	/*
365 	 * If there is no file, and no index entry, reliably indicate that no
366 	 * such zone exists.
367 	 */
368 	if ((state_err == Z_NO_ZONE) && (err == -1) && (errno == ENOENT))
369 		return (Z_NO_ZONE);
370 
371 	/*
372 	 * Handle any other filesystem related errors (except if the XML
373 	 * file is missing, which we treat silently), unless we're forcing,
374 	 * in which case we plow on.
375 	 */
376 	if (err == -1 && errno != ENOENT) {
377 		if (errno == EACCES)
378 			return (Z_ACCES);
379 		else if (!force)
380 			return (Z_MISC_FS);
381 	}
382 
383 	if (state > ZONE_STATE_INSTALLED)
384 		return (Z_BAD_ZONE_STATE);
385 
386 	if (!force && state > ZONE_STATE_CONFIGURED)
387 		return (Z_BAD_ZONE_STATE);
388 
389 	/*
390 	 * Index deletion succeeds even if the entry doesn't exist.  So this
391 	 * will fail only if we've had some more severe problem.
392 	 */
393 	bzero(&ze, sizeof (ze));
394 	(void) strlcpy(ze.zone_name, zonename, sizeof (ze.zone_name));
395 	if ((err = putzoneent(&ze, PZE_REMOVE)) != Z_OK)
396 		if (!force)
397 			return (err);
398 
399 	err = zonecfg_destroy_impl(path);
400 
401 	/*
402 	 * Treat failure to find the XML file silently, since, well, it's
403 	 * gone, and with the index file cleaned up, we're done.
404 	 */
405 	if (err == Z_OK || err == Z_NO_ZONE)
406 		return (Z_OK);
407 	return (err);
408 }
409 
410 int
411 zonecfg_destroy_snapshot(const char *zonename)
412 {
413 	char path[MAXPATHLEN];
414 
415 	if (!snap_file_path(zonename, path))
416 		return (Z_MISC_FS);
417 	return (zonecfg_destroy_impl(path));
418 }
419 
420 static int
421 getroot(zone_dochandle_t handle, xmlNodePtr *root)
422 {
423 	if (zonecfg_check_handle(handle) == Z_BAD_HANDLE)
424 		return (Z_BAD_HANDLE);
425 
426 	*root = xmlDocGetRootElement(handle->zone_dh_doc);
427 
428 	if (*root == NULL)
429 		return (Z_EMPTY_DOCUMENT);
430 
431 	if (xmlStrcmp((*root)->name, DTD_ELEM_ZONE))
432 		return (Z_WRONG_DOC_TYPE);
433 
434 	return (Z_OK);
435 }
436 
437 static int
438 operation_prep(zone_dochandle_t handle)
439 {
440 	xmlNodePtr root;
441 	int err;
442 
443 	if ((err = getroot(handle, &root)) != 0)
444 		return (err);
445 
446 	handle->zone_dh_cur = root;
447 	handle->zone_dh_top = root;
448 	return (Z_OK);
449 }
450 
451 static int
452 fetchprop(xmlNodePtr cur, const xmlChar *propname, char *dst, size_t dstsize)
453 {
454 	xmlChar *property;
455 	size_t srcsize;
456 
457 	if ((property = xmlGetProp(cur, propname)) == NULL)
458 		return (Z_BAD_PROPERTY);
459 	srcsize = strlcpy(dst, (char *)property, dstsize);
460 	xmlFree(property);
461 	if (srcsize >= dstsize)
462 		return (Z_TOO_BIG);
463 	return (Z_OK);
464 }
465 
466 static int
467 fetch_alloc_prop(xmlNodePtr cur, const xmlChar *propname, char **dst)
468 {
469 	xmlChar *property;
470 
471 	if ((property = xmlGetProp(cur, propname)) == NULL)
472 		return (Z_BAD_PROPERTY);
473 	if ((*dst = strdup((char *)property)) == NULL) {
474 		xmlFree(property);
475 		return (Z_NOMEM);
476 	}
477 	xmlFree(property);
478 	return (Z_OK);
479 }
480 
481 static int
482 getrootattr(zone_dochandle_t handle, const xmlChar *propname,
483     char *propval, size_t propsize)
484 {
485 	xmlNodePtr root;
486 	int err;
487 
488 	if ((err = getroot(handle, &root)) != 0)
489 		return (err);
490 
491 	return (fetchprop(root, propname, propval, propsize));
492 }
493 
494 static int
495 get_alloc_rootattr(zone_dochandle_t handle, const xmlChar *propname,
496     char **propval)
497 {
498 	xmlNodePtr root;
499 	int err;
500 
501 	if ((err = getroot(handle, &root)) != 0)
502 		return (err);
503 
504 	return (fetch_alloc_prop(root, propname, propval));
505 }
506 
507 static int
508 setrootattr(zone_dochandle_t handle, const xmlChar *propname,
509     const char *propval)
510 {
511 	int err;
512 	xmlNodePtr root;
513 
514 	if ((err = getroot(handle, &root)) != Z_OK)
515 		return (err);
516 
517 	/*
518 	 * If we get a null propval remove the property (ignore return since it
519 	 * may not be set to begin with).
520 	 */
521 	if (propval == NULL) {
522 		(void) xmlUnsetProp(root, propname);
523 	} else {
524 		if (xmlSetProp(root, propname, (const xmlChar *) propval)
525 		    == NULL)
526 			return (Z_INVAL);
527 	}
528 	return (Z_OK);
529 }
530 
531 static void
532 addcomment(zone_dochandle_t handle, const char *comment)
533 {
534 	xmlNodePtr node;
535 	node = xmlNewComment((xmlChar *) comment);
536 
537 	if (node != NULL)
538 		(void) xmlAddPrevSibling(handle->zone_dh_top, node);
539 }
540 
541 static void
542 stripcomments(zone_dochandle_t handle)
543 {
544 	xmlDocPtr top;
545 	xmlNodePtr child, next;
546 
547 	top = handle->zone_dh_doc;
548 	for (child = top->xmlChildrenNode; child != NULL; child = next) {
549 		next = child->next;
550 		if (child->name == NULL)
551 			continue;
552 		if (xmlStrcmp(child->name, DTD_ELEM_COMMENT) == 0) {
553 			next = child->next;
554 			xmlUnlinkNode(child);
555 			xmlFreeNode(child);
556 		}
557 	}
558 }
559 
560 static void
561 strip_sw_inv(zone_dochandle_t handle)
562 {
563 	xmlNodePtr root, child, next;
564 
565 	root = xmlDocGetRootElement(handle->zone_dh_doc);
566 	for (child = root->xmlChildrenNode; child != NULL; child = next) {
567 		next = child->next;
568 		if (child->name == NULL)
569 			continue;
570 		if (xmlStrcmp(child->name, DTD_ELEM_PACKAGE) == 0) {
571 			next = child->next;
572 			xmlUnlinkNode(child);
573 			xmlFreeNode(child);
574 		}
575 	}
576 }
577 
578 static int
579 zonecfg_get_handle_impl(const char *zonename, const char *filename,
580     zone_dochandle_t handle)
581 {
582 	xmlValidCtxtPtr cvp;
583 	struct stat statbuf;
584 	int valid;
585 
586 	if (zonename == NULL)
587 		return (Z_NO_ZONE);
588 
589 	handle->zone_dh_doc = xmlReadFile(filename, NULL, XML_PARSER_OPTIONS);
590 	if (handle->zone_dh_doc == NULL) {
591 		/* distinguish file not found vs. found but not parsed */
592 		if (stat(filename, &statbuf) == 0)
593 			return (Z_INVALID_DOCUMENT);
594 		return (Z_NO_ZONE);
595 	}
596 	if ((cvp = xmlNewValidCtxt()) == NULL)
597 		return (Z_NOMEM);
598 	cvp->error = zonecfg_error_func;
599 	cvp->warning = zonecfg_error_func;
600 	valid = xmlValidateDocument(cvp, handle->zone_dh_doc);
601 	xmlFreeValidCtxt(cvp);
602 	if (valid == 0)
603 		return (Z_INVALID_DOCUMENT);
604 
605 	/* delete any comments such as inherited Sun copyright / ident str */
606 	stripcomments(handle);
607 	return (Z_OK);
608 }
609 
610 int
611 zonecfg_get_handle(const char *zonename, zone_dochandle_t handle)
612 {
613 	char path[MAXPATHLEN];
614 
615 	if (!config_file_path(zonename, path))
616 		return (Z_MISC_FS);
617 	handle->zone_dh_newzone = B_FALSE;
618 
619 	return (zonecfg_get_handle_impl(zonename, path, handle));
620 }
621 
622 int
623 zonecfg_get_attach_handle(const char *path, const char *fname,
624     const char *zonename, boolean_t preserve_sw, zone_dochandle_t handle)
625 {
626 	char		migpath[MAXPATHLEN];
627 	int		err;
628 	struct stat	buf;
629 
630 	if (snprintf(migpath, sizeof (migpath), "%s/root", path) >=
631 	    sizeof (migpath))
632 		return (Z_NOMEM);
633 
634 	if (stat(migpath, &buf) == -1 || !S_ISDIR(buf.st_mode))
635 		return (Z_NO_ZONE);
636 
637 	if (snprintf(migpath, sizeof (migpath), "%s/%s", path, fname) >=
638 	    sizeof (migpath))
639 		return (Z_NOMEM);
640 
641 	if ((err = zonecfg_get_handle_impl(zonename, migpath, handle)) != Z_OK)
642 		return (err);
643 
644 	if (!preserve_sw)
645 		strip_sw_inv(handle);
646 
647 	handle->zone_dh_newzone = B_TRUE;
648 	if ((err = setrootattr(handle, DTD_ATTR_ZONEPATH, path)) != Z_OK)
649 		return (err);
650 
651 	return (setrootattr(handle, DTD_ATTR_NAME, zonename));
652 }
653 
654 int
655 zonecfg_get_snapshot_handle(const char *zonename, zone_dochandle_t handle)
656 {
657 	char path[MAXPATHLEN];
658 
659 	if (!snap_file_path(zonename, path))
660 		return (Z_MISC_FS);
661 	handle->zone_dh_newzone = B_FALSE;
662 	return (zonecfg_get_handle_impl(zonename, path, handle));
663 }
664 
665 int
666 zonecfg_get_template_handle(const char *template, const char *zonename,
667     zone_dochandle_t handle)
668 {
669 	char path[MAXPATHLEN];
670 	int err;
671 
672 	if (!config_file_path(template, path))
673 		return (Z_MISC_FS);
674 
675 	if ((err = zonecfg_get_handle_impl(template, path, handle)) != Z_OK)
676 		return (err);
677 	handle->zone_dh_newzone = B_TRUE;
678 	return (setrootattr(handle, DTD_ATTR_NAME, zonename));
679 }
680 
681 int
682 zonecfg_get_xml_handle(const char *path, zone_dochandle_t handle)
683 {
684 	struct stat buf;
685 	int err;
686 
687 	if (stat(path, &buf) == -1)
688 		return (Z_MISC_FS);
689 
690 	if ((err = zonecfg_get_handle_impl("xml", path, handle)) != Z_OK)
691 		return (err);
692 	handle->zone_dh_newzone = B_TRUE;
693 	return (Z_OK);
694 }
695 
696 /*
697  * Initialize two handles from the manifest read on fd.  The rem_handle
698  * is initialized from the input file, including the sw inventory.  The
699  * local_handle is initialized with the same zone configuration but with
700  * no sw inventory.
701  */
702 int
703 zonecfg_attach_manifest(int fd, zone_dochandle_t local_handle,
704     zone_dochandle_t rem_handle)
705 {
706 	xmlValidCtxtPtr cvp;
707 	int valid;
708 
709 	/* load the manifest into the handle for the remote system */
710 	rem_handle->zone_dh_doc = xmlReadFd(fd, NULL, NULL, XML_PARSER_OPTIONS);
711 	if (rem_handle->zone_dh_doc == NULL) {
712 		return (Z_INVALID_DOCUMENT);
713 	}
714 	if ((cvp = xmlNewValidCtxt()) == NULL)
715 		return (Z_NOMEM);
716 	cvp->error = zonecfg_error_func;
717 	cvp->warning = zonecfg_error_func;
718 	valid = xmlValidateDocument(cvp, rem_handle->zone_dh_doc);
719 	xmlFreeValidCtxt(cvp);
720 	if (valid == 0)
721 		return (Z_INVALID_DOCUMENT);
722 
723 	/* delete any comments such as inherited Sun copyright / ident str */
724 	stripcomments(rem_handle);
725 
726 	rem_handle->zone_dh_newzone = B_TRUE;
727 	rem_handle->zone_dh_sw_inv = B_TRUE;
728 
729 	/*
730 	 * Now use the remote system handle to generate a local system handle
731 	 * with an identical zones configuration but no sw inventory.
732 	 */
733 	if ((local_handle->zone_dh_doc = xmlCopyDoc(rem_handle->zone_dh_doc,
734 	    1)) == NULL) {
735 		return (Z_INVALID_DOCUMENT);
736 	}
737 
738 	/*
739 	 * We need to re-run xmlValidateDocument on local_handle to properly
740 	 * update the in-core representation of the configuration.
741 	 */
742 	if ((cvp = xmlNewValidCtxt()) == NULL)
743 		return (Z_NOMEM);
744 	cvp->error = zonecfg_error_func;
745 	cvp->warning = zonecfg_error_func;
746 	valid = xmlValidateDocument(cvp, local_handle->zone_dh_doc);
747 	xmlFreeValidCtxt(cvp);
748 	if (valid == 0)
749 		return (Z_INVALID_DOCUMENT);
750 
751 	strip_sw_inv(local_handle);
752 
753 	local_handle->zone_dh_newzone = B_TRUE;
754 	local_handle->zone_dh_sw_inv = B_FALSE;
755 
756 	return (Z_OK);
757 }
758 
759 static boolean_t
760 is_renaming(zone_dochandle_t handle)
761 {
762 	if (handle->zone_dh_newzone)
763 		return (B_FALSE);
764 	if (strlen(handle->zone_dh_delete_name) > 0)
765 		return (B_TRUE);
766 	return (B_FALSE);
767 }
768 
769 static boolean_t
770 is_new(zone_dochandle_t handle)
771 {
772 	return (handle->zone_dh_newzone || handle->zone_dh_snapshot);
773 }
774 
775 static boolean_t
776 is_snapshot(zone_dochandle_t handle)
777 {
778 	return (handle->zone_dh_snapshot);
779 }
780 
781 /*
782  * It would be great to be able to use libc's ctype(3c) macros, but we
783  * can't, as they are locale sensitive, and it would break our limited thread
784  * safety if this routine had to change the app locale on the fly.
785  */
786 int
787 zonecfg_validate_zonename(const char *zone)
788 {
789 	int i;
790 
791 	if (strcmp(zone, GLOBAL_ZONENAME) == 0)
792 		return (Z_BOGUS_ZONE_NAME);
793 
794 	if (strlen(zone) >= ZONENAME_MAX)
795 		return (Z_BOGUS_ZONE_NAME);
796 
797 	if (!((zone[0] >= 'a' && zone[0] <= 'z') ||
798 	    (zone[0] >= 'A' && zone[0] <= 'Z') ||
799 	    (zone[0] >= '0' && zone[0] <= '9')))
800 		return (Z_BOGUS_ZONE_NAME);
801 
802 	for (i = 1; zone[i] != '\0'; i++) {
803 		if (!((zone[i] >= 'a' && zone[i] <= 'z') ||
804 		    (zone[i] >= 'A' && zone[i] <= 'Z') ||
805 		    (zone[i] >= '0' && zone[i] <= '9') ||
806 		    (zone[i] == '-') || (zone[i] == '_') || (zone[i] == '.')))
807 			return (Z_BOGUS_ZONE_NAME);
808 	}
809 
810 	return (Z_OK);
811 }
812 
813 /*
814  * Changing the zone name requires us to track both the old and new
815  * name of the zone until commit time.
816  */
817 int
818 zonecfg_get_name(zone_dochandle_t handle, char *name, size_t namesize)
819 {
820 	return (getrootattr(handle, DTD_ATTR_NAME, name, namesize));
821 }
822 
823 static int
824 insert_admins(zone_dochandle_t handle, char *zonename)
825 {
826 	int err;
827 	struct zone_admintab admintab;
828 
829 	if ((err = zonecfg_setadminent(handle)) != Z_OK) {
830 		return (err);
831 	}
832 	while (zonecfg_getadminent(handle, &admintab) == Z_OK) {
833 		err = zonecfg_insert_userauths(handle,
834 		    admintab.zone_admin_user, zonename);
835 		if (err != Z_OK) {
836 			(void) zonecfg_endadminent(handle);
837 			return (err);
838 		}
839 	}
840 	(void) zonecfg_endadminent(handle);
841 	return (Z_OK);
842 }
843 
844 int
845 zonecfg_set_name(zone_dochandle_t handle, char *name)
846 {
847 	zone_state_t state;
848 	char curname[ZONENAME_MAX], old_delname[ZONENAME_MAX];
849 	int err;
850 
851 	if ((err = getrootattr(handle, DTD_ATTR_NAME, curname,
852 	    sizeof (curname))) != Z_OK)
853 		return (err);
854 
855 	if (strcmp(name, curname) == 0)
856 		return (Z_OK);
857 
858 	/*
859 	 * Switching zone names to one beginning with SUNW is not permitted.
860 	 */
861 	if (strncmp(name, "SUNW", 4) == 0)
862 		return (Z_BOGUS_ZONE_NAME);
863 
864 	if ((err = zonecfg_validate_zonename(name)) != Z_OK)
865 		return (err);
866 
867 	/*
868 	 * Setting the name back to the original name (effectively a revert of
869 	 * the name) is fine.  But if we carry on, we'll falsely identify the
870 	 * name as "in use," so special case here.
871 	 */
872 	if (strcmp(name, handle->zone_dh_delete_name) == 0) {
873 		err = setrootattr(handle, DTD_ATTR_NAME, name);
874 		handle->zone_dh_delete_name[0] = '\0';
875 		return (err);
876 	}
877 
878 	/* Check to see if new name chosen is already in use */
879 	if (zone_get_state(name, &state) != Z_NO_ZONE)
880 		return (Z_NAME_IN_USE);
881 
882 	/*
883 	 * If this isn't already "new" or in a renaming transition, then
884 	 * we're initiating a rename here; so stash the "delete name"
885 	 * (i.e. the name of the zone we'll be removing) for the rename.
886 	 */
887 	(void) strlcpy(old_delname, handle->zone_dh_delete_name,
888 	    sizeof (old_delname));
889 	if (!is_new(handle) && !is_renaming(handle)) {
890 		/*
891 		 * Name change is allowed only when the zone we're altering
892 		 * is not ready or running.
893 		 */
894 		err = zone_get_state(curname, &state);
895 		if (err == Z_OK) {
896 			if (state > ZONE_STATE_INSTALLED)
897 				return (Z_BAD_ZONE_STATE);
898 		} else if (err != Z_NO_ZONE) {
899 			return (err);
900 		}
901 
902 		(void) strlcpy(handle->zone_dh_delete_name, curname,
903 		    sizeof (handle->zone_dh_delete_name));
904 		assert(is_renaming(handle));
905 	} else if (is_renaming(handle)) {
906 		err = zone_get_state(handle->zone_dh_delete_name, &state);
907 		if (err == Z_OK) {
908 			if (state > ZONE_STATE_INSTALLED)
909 				return (Z_BAD_ZONE_STATE);
910 		} else if (err != Z_NO_ZONE) {
911 			return (err);
912 		}
913 	}
914 
915 	if ((err = setrootattr(handle, DTD_ATTR_NAME, name)) != Z_OK) {
916 		/*
917 		 * Restore the deletename to whatever it was at the
918 		 * top of the routine, since we've had a failure.
919 		 */
920 		(void) strlcpy(handle->zone_dh_delete_name, old_delname,
921 		    sizeof (handle->zone_dh_delete_name));
922 		return (err);
923 	}
924 
925 	/*
926 	 * Record the old admins from the old zonename
927 	 * so that they can be deleted when the operation is committed.
928 	 */
929 	if ((err = insert_admins(handle, curname)) != Z_OK)
930 		return (err);
931 	else
932 		return (Z_OK);
933 }
934 
935 int
936 zonecfg_get_zonepath(zone_dochandle_t handle, char *path, size_t pathsize)
937 {
938 	size_t len;
939 
940 	if ((len = strlcpy(path, zonecfg_root, pathsize)) >= pathsize)
941 		return (Z_TOO_BIG);
942 	return (getrootattr(handle, DTD_ATTR_ZONEPATH, path + len,
943 	    pathsize - len));
944 }
945 
946 int
947 zonecfg_set_zonepath(zone_dochandle_t handle, char *zonepath)
948 {
949 	size_t len;
950 	char *modpath, *copy_mp, *curr_mp;	/* modified path ptrs */
951 	char last_copied;
952 	int ret;
953 
954 	/*
955 	 * Collapse multiple contiguous slashes and remove trailing slash.
956 	 */
957 	modpath = strdup(zonepath);
958 	if (modpath == NULL)
959 		return (Z_NOMEM);
960 	last_copied = '\0';
961 	for (copy_mp = curr_mp = modpath; *curr_mp != '\0'; curr_mp++) {
962 		if (*curr_mp != '/' || last_copied != '/') {
963 			last_copied = *copy_mp = *curr_mp;
964 			copy_mp++;
965 		}
966 	}
967 	if (last_copied == '/')
968 		copy_mp--;
969 	*copy_mp = '\0';
970 
971 	/*
972 	 * The user deals in absolute paths in the running global zone, but the
973 	 * internal configuration files deal with boot environment relative
974 	 * paths.  Strip out the alternate root when specified.
975 	 */
976 	len = strlen(zonecfg_root);
977 	if (strncmp(modpath, zonecfg_root, len) != 0 || modpath[len] != '/') {
978 		free(modpath);
979 		return (Z_BAD_PROPERTY);
980 	}
981 	curr_mp = modpath + len;
982 	ret = setrootattr(handle, DTD_ATTR_ZONEPATH, curr_mp);
983 	free(modpath);
984 	return (ret);
985 }
986 
987 static int
988 i_zonecfg_get_brand(zone_dochandle_t handle, char *brand, size_t brandsize,
989     boolean_t default_query)
990 {
991 	int ret, sz;
992 
993 	ret = getrootattr(handle, DTD_ATTR_BRAND, brand, brandsize);
994 
995 	/*
996 	 * If the lookup failed, or succeeded in finding a non-null brand
997 	 * string then return.
998 	 */
999 	if (ret != Z_OK || brand[0] != '\0')
1000 		return (ret);
1001 
1002 	if (!default_query) {
1003 		/* If the zone has no brand, it is the default brand. */
1004 		return (zonecfg_default_brand(brand, brandsize));
1005 	}
1006 
1007 	/* if SUNWdefault didn't specify a brand, fallback to "native" */
1008 	sz = strlcpy(brand, NATIVE_BRAND_NAME, brandsize);
1009 	if (sz >= brandsize)
1010 		return (Z_TOO_BIG);
1011 	return (Z_OK);
1012 }
1013 
1014 int
1015 zonecfg_get_brand(zone_dochandle_t handle, char *brand, size_t brandsize)
1016 {
1017 	return (i_zonecfg_get_brand(handle, brand, brandsize, B_FALSE));
1018 }
1019 
1020 int
1021 zonecfg_set_brand(zone_dochandle_t handle, char *brand)
1022 {
1023 	return (setrootattr(handle, DTD_ATTR_BRAND, brand));
1024 }
1025 
1026 int
1027 zonecfg_get_autoboot(zone_dochandle_t handle, boolean_t *autoboot)
1028 {
1029 	char autobootstr[DTD_ENTITY_BOOL_LEN];
1030 	int ret;
1031 
1032 	if ((ret = getrootattr(handle, DTD_ATTR_AUTOBOOT, autobootstr,
1033 	    sizeof (autobootstr))) != Z_OK)
1034 		return (ret);
1035 
1036 	if (strcmp(autobootstr, DTD_ENTITY_TRUE) == 0)
1037 		*autoboot = B_TRUE;
1038 	else if (strcmp(autobootstr, DTD_ENTITY_FALSE) == 0)
1039 		*autoboot = B_FALSE;
1040 	else
1041 		ret = Z_BAD_PROPERTY;
1042 	return (ret);
1043 }
1044 
1045 int
1046 zonecfg_set_autoboot(zone_dochandle_t handle, boolean_t autoboot)
1047 {
1048 	return (setrootattr(handle, DTD_ATTR_AUTOBOOT,
1049 	    autoboot ? DTD_ENTITY_TRUE : DTD_ENTITY_FALSE));
1050 }
1051 
1052 int
1053 zonecfg_get_pool(zone_dochandle_t handle, char *pool, size_t poolsize)
1054 {
1055 	return (getrootattr(handle, DTD_ATTR_POOL, pool, poolsize));
1056 }
1057 
1058 int
1059 zonecfg_set_pool(zone_dochandle_t handle, char *pool)
1060 {
1061 	return (setrootattr(handle, DTD_ATTR_POOL, pool));
1062 }
1063 
1064 int
1065 zonecfg_get_limitpriv(zone_dochandle_t handle, char **limitpriv)
1066 {
1067 	return (get_alloc_rootattr(handle, DTD_ATTR_LIMITPRIV, limitpriv));
1068 }
1069 
1070 int
1071 zonecfg_set_limitpriv(zone_dochandle_t handle, char *limitpriv)
1072 {
1073 	return (setrootattr(handle, DTD_ATTR_LIMITPRIV, limitpriv));
1074 }
1075 
1076 int
1077 zonecfg_get_bootargs(zone_dochandle_t handle, char *bargs, size_t bargssize)
1078 {
1079 	return (getrootattr(handle, DTD_ATTR_BOOTARGS, bargs, bargssize));
1080 }
1081 
1082 int
1083 zonecfg_set_bootargs(zone_dochandle_t handle, char *bargs)
1084 {
1085 	return (setrootattr(handle, DTD_ATTR_BOOTARGS, bargs));
1086 }
1087 
1088 int
1089 zonecfg_get_sched_class(zone_dochandle_t handle, char *sched, size_t schedsize)
1090 {
1091 	return (getrootattr(handle, DTD_ATTR_SCHED, sched, schedsize));
1092 }
1093 
1094 int
1095 zonecfg_set_sched(zone_dochandle_t handle, char *sched)
1096 {
1097 	return (setrootattr(handle, DTD_ATTR_SCHED, sched));
1098 }
1099 
1100 /*
1101  * /etc/zones/index caches a vital piece of information which is also
1102  * in the <zonename>.xml file: the path to the zone.  This is for performance,
1103  * since we need to walk all zonepath's in order to be able to detect conflicts
1104  * (see crosscheck_zonepaths() in the zoneadm command).
1105  *
1106  * An additional complexity is that when doing a rename, we'd like the entire
1107  * index update operation (rename, and potential state changes) to be atomic.
1108  * In general, the operation of this function should succeed or fail as
1109  * a unit.
1110  */
1111 int
1112 zonecfg_refresh_index_file(zone_dochandle_t handle)
1113 {
1114 	char name[ZONENAME_MAX], zonepath[MAXPATHLEN];
1115 	struct zoneent ze;
1116 	int err;
1117 	int opcode;
1118 	char *zn;
1119 
1120 	bzero(&ze, sizeof (ze));
1121 	ze.zone_state = -1;	/* Preserve existing state in index */
1122 
1123 	if ((err = zonecfg_get_name(handle, name, sizeof (name))) != Z_OK)
1124 		return (err);
1125 	(void) strlcpy(ze.zone_name, name, sizeof (ze.zone_name));
1126 
1127 	if ((err = zonecfg_get_zonepath(handle, zonepath,
1128 	    sizeof (zonepath))) != Z_OK)
1129 		return (err);
1130 	(void) strlcpy(ze.zone_path, zonepath + strlen(zonecfg_root),
1131 	    sizeof (ze.zone_path));
1132 
1133 	if (is_renaming(handle)) {
1134 		opcode = PZE_MODIFY;
1135 		(void) strlcpy(ze.zone_name, handle->zone_dh_delete_name,
1136 		    sizeof (ze.zone_name));
1137 		(void) strlcpy(ze.zone_newname, name, sizeof (ze.zone_newname));
1138 	} else if (is_new(handle)) {
1139 		FILE *cookie;
1140 		/*
1141 		 * Be tolerant of the zone already existing in the index file,
1142 		 * since we might be forcibly overwriting an existing
1143 		 * configuration with a new one (for example 'create -F'
1144 		 * in zonecfg).
1145 		 */
1146 		opcode = PZE_ADD;
1147 		cookie = setzoneent();
1148 		while ((zn = getzoneent(cookie)) != NULL) {
1149 			if (strcmp(zn, name) == 0) {
1150 				opcode = PZE_MODIFY;
1151 				free(zn);
1152 				break;
1153 			}
1154 			free(zn);
1155 		}
1156 		endzoneent(cookie);
1157 		ze.zone_state = ZONE_STATE_CONFIGURED;
1158 	} else {
1159 		opcode = PZE_MODIFY;
1160 	}
1161 
1162 	if ((err = putzoneent(&ze, opcode)) != Z_OK)
1163 		return (err);
1164 
1165 	return (Z_OK);
1166 }
1167 
1168 /*
1169  * The goal of this routine is to cause the index file update and the
1170  * document save to happen as an atomic operation.  We do the document
1171  * first, saving a backup copy using a hard link; if that succeeds, we go
1172  * on to the index.  If that fails, we roll the document back into place.
1173  *
1174  * Strategy:
1175  *
1176  * New zone 'foo' configuration:
1177  *	Create tmpfile (zonecfg.xxxxxx)
1178  *	Write XML to tmpfile
1179  *	Rename tmpfile to xmlfile (zonecfg.xxxxxx -> foo.xml)
1180  *	Add entry to index file
1181  *	If it fails, delete foo.xml, leaving nothing behind.
1182  *
1183  * Save existing zone 'foo':
1184  *	Make backup of foo.xml -> .backup
1185  *	Create tmpfile (zonecfg.xxxxxx)
1186  *	Write XML to tmpfile
1187  *	Rename tmpfile to xmlfile (zonecfg.xxxxxx -> foo.xml)
1188  *	Modify index file as needed
1189  *	If it fails, recover from .backup -> foo.xml
1190  *
1191  * Rename 'foo' to 'bar':
1192  *	Create tmpfile (zonecfg.xxxxxx)
1193  *	Write XML to tmpfile
1194  *	Rename tmpfile to xmlfile (zonecfg.xxxxxx -> bar.xml)
1195  *	Add entry for 'bar' to index file, Remove entry for 'foo' (refresh)
1196  *	If it fails, delete bar.xml; foo.xml is left behind.
1197  */
1198 static int
1199 zonecfg_save_impl(zone_dochandle_t handle, char *filename)
1200 {
1201 	char tmpfile[MAXPATHLEN];
1202 	char bakdir[MAXPATHLEN], bakbase[MAXPATHLEN], bakfile[MAXPATHLEN];
1203 	int tmpfd, err, valid;
1204 	xmlValidCtxt cvp = { NULL };
1205 	boolean_t backup;
1206 
1207 	(void) strlcpy(tmpfile, filename, sizeof (tmpfile));
1208 	(void) dirname(tmpfile);
1209 	(void) strlcat(tmpfile, _PATH_TMPFILE, sizeof (tmpfile));
1210 
1211 	tmpfd = mkstemp(tmpfile);
1212 	if (tmpfd == -1) {
1213 		(void) unlink(tmpfile);
1214 		return (Z_TEMP_FILE);
1215 	}
1216 	(void) close(tmpfd);
1217 
1218 	cvp.error = zonecfg_error_func;
1219 	cvp.warning = zonecfg_error_func;
1220 
1221 	/*
1222 	 * We do a final validation of the document.  Since the library has
1223 	 * malfunctioned if it fails to validate, we follow-up with an
1224 	 * assert() that the doc is valid.
1225 	 */
1226 	valid = xmlValidateDocument(&cvp, handle->zone_dh_doc);
1227 	assert(valid != 0);
1228 
1229 	if (xmlSaveFormatFile(tmpfile, handle->zone_dh_doc, 1) <= 0)
1230 		goto err;
1231 
1232 	(void) chmod(tmpfile, 0644);
1233 
1234 	/*
1235 	 * In the event we are doing a standard save, hard link a copy of the
1236 	 * original file in .backup.<pid>.filename so we can restore it if
1237 	 * something goes wrong.
1238 	 */
1239 	if (!is_new(handle) && !is_renaming(handle)) {
1240 		backup = B_TRUE;
1241 
1242 		(void) strlcpy(bakdir, filename, sizeof (bakdir));
1243 		(void) strlcpy(bakbase, filename, sizeof (bakbase));
1244 		(void) snprintf(bakfile, sizeof (bakfile), "%s/.backup.%d.%s",
1245 		    dirname(bakdir), getpid(), basename(bakbase));
1246 
1247 		if (link(filename, bakfile) == -1) {
1248 			err = errno;
1249 			(void) unlink(tmpfile);
1250 			if (errno == EACCES)
1251 				return (Z_ACCES);
1252 			return (Z_MISC_FS);
1253 		}
1254 	}
1255 
1256 	/*
1257 	 * Move the new document over top of the old.
1258 	 * i.e.:   zonecfg.XXXXXX  ->  myzone.xml
1259 	 */
1260 	if (rename(tmpfile, filename) == -1) {
1261 		err = errno;
1262 		(void) unlink(tmpfile);
1263 		if (backup)
1264 			(void) unlink(bakfile);
1265 		if (err == EACCES)
1266 			return (Z_ACCES);
1267 		return (Z_MISC_FS);
1268 	}
1269 
1270 	/*
1271 	 * If this is a snapshot, we're done-- don't add an index entry.
1272 	 */
1273 	if (is_snapshot(handle))
1274 		return (Z_OK);
1275 
1276 	/* now update the index file to reflect whatever we just did */
1277 	if ((err = zonecfg_refresh_index_file(handle)) != Z_OK) {
1278 		if (backup) {
1279 			/*
1280 			 * Try to restore from our backup.
1281 			 */
1282 			(void) unlink(filename);
1283 			(void) rename(bakfile, filename);
1284 		} else {
1285 			/*
1286 			 * Either the zone is new, in which case we can delete
1287 			 * new.xml, or we're doing a rename, so ditto.
1288 			 */
1289 			assert(is_new(handle) || is_renaming(handle));
1290 			(void) unlink(filename);
1291 		}
1292 		return (Z_UPDATING_INDEX);
1293 	}
1294 
1295 	if (backup)
1296 		(void) unlink(bakfile);
1297 
1298 	return (Z_OK);
1299 
1300 err:
1301 	(void) unlink(tmpfile);
1302 	return (Z_SAVING_FILE);
1303 }
1304 
1305 int
1306 zonecfg_save(zone_dochandle_t handle)
1307 {
1308 	char zname[ZONENAME_MAX], path[MAXPATHLEN];
1309 	char delpath[MAXPATHLEN];
1310 	int err = Z_SAVING_FILE;
1311 
1312 	if (zonecfg_check_handle(handle) != Z_OK)
1313 		return (Z_BAD_HANDLE);
1314 
1315 	/*
1316 	 * We don't support saving snapshots or a tree containing a sw
1317 	 * inventory at this time.
1318 	 */
1319 	if (handle->zone_dh_snapshot || handle->zone_dh_sw_inv)
1320 		return (Z_INVAL);
1321 
1322 	if ((err = zonecfg_get_name(handle, zname, sizeof (zname))) != Z_OK)
1323 		return (err);
1324 
1325 	if (!config_file_path(zname, path))
1326 		return (Z_MISC_FS);
1327 
1328 	addcomment(handle, "\n    DO NOT EDIT THIS "
1329 	    "FILE.  Use zonecfg(8) instead.\n");
1330 
1331 	/*
1332 	 * Update user_attr first so that it will be older
1333 	 * than the config file.
1334 	 */
1335 	(void) zonecfg_authorize_users(handle, zname);
1336 	err = zonecfg_save_impl(handle, path);
1337 
1338 	stripcomments(handle);
1339 
1340 	if (err != Z_OK)
1341 		return (err);
1342 
1343 	handle->zone_dh_newzone = B_FALSE;
1344 
1345 	if (is_renaming(handle)) {
1346 		if (config_file_path(handle->zone_dh_delete_name, delpath))
1347 			(void) unlink(delpath);
1348 		handle->zone_dh_delete_name[0] = '\0';
1349 	}
1350 
1351 	return (Z_OK);
1352 }
1353 
1354 int
1355 zonecfg_verify_save(zone_dochandle_t handle, char *filename)
1356 {
1357 	int valid;
1358 
1359 	xmlValidCtxt cvp = { NULL };
1360 
1361 	if (zonecfg_check_handle(handle) != Z_OK)
1362 		return (Z_BAD_HANDLE);
1363 
1364 	cvp.error = zonecfg_error_func;
1365 	cvp.warning = zonecfg_error_func;
1366 
1367 	/*
1368 	 * We do a final validation of the document.  Since the library has
1369 	 * malfunctioned if it fails to validate, we follow-up with an
1370 	 * assert() that the doc is valid.
1371 	 */
1372 	valid = xmlValidateDocument(&cvp, handle->zone_dh_doc);
1373 	assert(valid != 0);
1374 
1375 	if (xmlSaveFormatFile(filename, handle->zone_dh_doc, 1) <= 0)
1376 		return (Z_SAVING_FILE);
1377 
1378 	return (Z_OK);
1379 }
1380 
1381 int
1382 zonecfg_detach_save(zone_dochandle_t handle, uint_t flags)
1383 {
1384 	char zname[ZONENAME_MAX];
1385 	char path[MAXPATHLEN];
1386 	char migpath[MAXPATHLEN];
1387 	xmlValidCtxt cvp = { NULL };
1388 	int err = Z_SAVING_FILE;
1389 	int valid;
1390 
1391 	if (zonecfg_check_handle(handle) != Z_OK)
1392 		return (Z_BAD_HANDLE);
1393 
1394 	if (flags & ZONE_DRY_RUN) {
1395 		(void) strlcpy(migpath, "-", sizeof (migpath));
1396 	} else {
1397 		if ((err = zonecfg_get_name(handle, zname, sizeof (zname)))
1398 		    != Z_OK)
1399 			return (err);
1400 
1401 		if ((err = zone_get_zonepath(zname, path, sizeof (path)))
1402 		    != Z_OK)
1403 			return (err);
1404 
1405 		if (snprintf(migpath, sizeof (migpath), "%s/%s", path,
1406 		    ZONE_DETACHED) >= sizeof (migpath))
1407 			return (Z_NOMEM);
1408 	}
1409 
1410 	if ((err = operation_prep(handle)) != Z_OK)
1411 		return (err);
1412 
1413 	addcomment(handle, "\n    DO NOT EDIT THIS FILE.  "
1414 	    "Use zonecfg(8) and zoneadm(8) attach.\n");
1415 
1416 	cvp.error = zonecfg_error_func;
1417 	cvp.warning = zonecfg_error_func;
1418 
1419 	/*
1420 	 * We do a final validation of the document.  Since the library has
1421 	 * malfunctioned if it fails to validate, we follow-up with an
1422 	 * assert() that the doc is valid.
1423 	 */
1424 	valid = xmlValidateDocument(&cvp, handle->zone_dh_doc);
1425 	assert(valid != 0);
1426 
1427 	if (xmlSaveFormatFile(migpath, handle->zone_dh_doc, 1) <= 0)
1428 		return (Z_SAVING_FILE);
1429 
1430 	if (!(flags & ZONE_DRY_RUN))
1431 		(void) chmod(migpath, 0644);
1432 
1433 	stripcomments(handle);
1434 
1435 	handle->zone_dh_newzone = B_FALSE;
1436 
1437 	return (Z_OK);
1438 }
1439 
1440 boolean_t
1441 zonecfg_detached(const char *path)
1442 {
1443 	char		migpath[MAXPATHLEN];
1444 	struct stat	buf;
1445 
1446 	if (snprintf(migpath, sizeof (migpath), "%s/%s", path, ZONE_DETACHED) >=
1447 	    sizeof (migpath))
1448 		return (B_FALSE);
1449 
1450 	if (stat(migpath, &buf) != -1)
1451 		return (B_TRUE);
1452 
1453 	return (B_FALSE);
1454 }
1455 
1456 void
1457 zonecfg_rm_detached(zone_dochandle_t handle, boolean_t forced)
1458 {
1459 	char zname[ZONENAME_MAX];
1460 	char path[MAXPATHLEN];
1461 	char detached[MAXPATHLEN];
1462 	char attached[MAXPATHLEN];
1463 
1464 	if (zonecfg_check_handle(handle) != Z_OK)
1465 		return;
1466 
1467 	if (zonecfg_get_name(handle, zname, sizeof (zname)) != Z_OK)
1468 		return;
1469 
1470 	if (zone_get_zonepath(zname, path, sizeof (path)) != Z_OK)
1471 		return;
1472 
1473 	(void) snprintf(detached, sizeof (detached), "%s/%s", path,
1474 	    ZONE_DETACHED);
1475 	(void) snprintf(attached, sizeof (attached), "%s/%s", path,
1476 	    ATTACH_FORCED);
1477 
1478 	if (forced) {
1479 		(void) rename(detached, attached);
1480 	} else {
1481 		(void) unlink(attached);
1482 		(void) unlink(detached);
1483 	}
1484 }
1485 
1486 /*
1487  * Special case: if access(2) fails with ENOENT, then try again using
1488  * ZONE_CONFIG_ROOT instead of config_file_path(zonename).  This is how we
1489  * work around the case of a config file which has not been created yet:
1490  * the user will need access to the directory so use that as a heuristic.
1491  */
1492 
1493 int
1494 zonecfg_access(const char *zonename, int amode)
1495 {
1496 	char path[MAXPATHLEN];
1497 
1498 	if (!config_file_path(zonename, path))
1499 		return (Z_INVAL);
1500 	if (access(path, amode) == 0)
1501 		return (Z_OK);
1502 	if (errno == ENOENT) {
1503 		if (snprintf(path, sizeof (path), "%s%s", zonecfg_root,
1504 		    ZONE_CONFIG_ROOT) >= sizeof (path))
1505 			return (Z_INVAL);
1506 		if (access(path, amode) == 0)
1507 			return (Z_OK);
1508 	}
1509 	if (errno == EACCES)
1510 		return (Z_ACCES);
1511 	if (errno == EINVAL)
1512 		return (Z_INVAL);
1513 	return (Z_MISC_FS);
1514 }
1515 
1516 int
1517 zonecfg_create_snapshot(const char *zonename)
1518 {
1519 	zone_dochandle_t handle;
1520 	char path[MAXPATHLEN], zonepath[MAXPATHLEN], rpath[MAXPATHLEN];
1521 	int error = Z_OK, res;
1522 
1523 	if ((handle = zonecfg_init_handle()) == NULL) {
1524 		return (Z_NOMEM);
1525 	}
1526 
1527 	handle->zone_dh_newzone = B_TRUE;
1528 	handle->zone_dh_snapshot = B_TRUE;
1529 
1530 	if ((error = zonecfg_get_handle(zonename, handle)) != Z_OK)
1531 		goto out;
1532 	if ((error = operation_prep(handle)) != Z_OK)
1533 		goto out;
1534 	error = zonecfg_get_zonepath(handle, zonepath, sizeof (zonepath));
1535 	if (error != Z_OK)
1536 		goto out;
1537 	if ((res = resolvepath(zonepath, rpath, sizeof (rpath))) == -1) {
1538 		error = Z_RESOLVED_PATH;
1539 		goto out;
1540 	}
1541 	/*
1542 	 * If the resolved path is not the same as the original path, then
1543 	 * save the resolved path in the snapshot, thus preventing any
1544 	 * potential problems down the line when zoneadmd goes to unmount
1545 	 * file systems and depends on initial string matches with resolved
1546 	 * paths.
1547 	 */
1548 	rpath[res] = '\0';
1549 	if (strcmp(zonepath, rpath) != 0) {
1550 		if ((error = zonecfg_set_zonepath(handle, rpath)) != Z_OK)
1551 			goto out;
1552 	}
1553 	if (snprintf(path, sizeof (path), "%s%s", zonecfg_root,
1554 	    ZONE_SNAPSHOT_ROOT) >= sizeof (path)) {
1555 		error = Z_MISC_FS;
1556 		goto out;
1557 	}
1558 	if ((mkdir(path, S_IRWXU) == -1) && (errno != EEXIST)) {
1559 		error = Z_MISC_FS;
1560 		goto out;
1561 	}
1562 
1563 	if (!snap_file_path(zonename, path)) {
1564 		error = Z_MISC_FS;
1565 		goto out;
1566 	}
1567 
1568 	addcomment(handle, "\n    DO NOT EDIT THIS FILE.  "
1569 	    "It is a snapshot of running zone state.\n");
1570 
1571 	error = zonecfg_save_impl(handle, path);
1572 
1573 	stripcomments(handle);
1574 
1575 out:
1576 	zonecfg_fini_handle(handle);
1577 	return (error);
1578 }
1579 
1580 int
1581 zonecfg_get_iptype(zone_dochandle_t handle, zone_iptype_t *iptypep)
1582 {
1583 	char property[10]; /* 10 is big enough for "shared"/"exclusive" */
1584 	int err;
1585 
1586 	err = getrootattr(handle, DTD_ATTR_IPTYPE, property, sizeof (property));
1587 	if (err == Z_BAD_PROPERTY) {
1588 		/* Return default value */
1589 		*iptypep = ZS_SHARED;
1590 		return (Z_OK);
1591 	} else if (err != Z_OK) {
1592 		return (err);
1593 	}
1594 
1595 	if (strlen(property) == 0 ||
1596 	    strcmp(property, "shared") == 0)
1597 		*iptypep = ZS_SHARED;
1598 	else if (strcmp(property, "exclusive") == 0)
1599 		*iptypep = ZS_EXCLUSIVE;
1600 	else
1601 		return (Z_INVAL);
1602 
1603 	return (Z_OK);
1604 }
1605 
1606 int
1607 zonecfg_set_iptype(zone_dochandle_t handle, zone_iptype_t iptype)
1608 {
1609 	xmlNodePtr cur;
1610 
1611 	if (handle == NULL)
1612 		return (Z_INVAL);
1613 
1614 	cur = xmlDocGetRootElement(handle->zone_dh_doc);
1615 	if (cur == NULL) {
1616 		return (Z_EMPTY_DOCUMENT);
1617 	}
1618 
1619 	if (xmlStrcmp(cur->name, DTD_ELEM_ZONE) != 0) {
1620 		return (Z_WRONG_DOC_TYPE);
1621 	}
1622 	switch (iptype) {
1623 	case ZS_SHARED:
1624 		/*
1625 		 * Since "shared" is the default, we don't write it to the
1626 		 * configuration file, so that it's easier to migrate those
1627 		 * zones elsewhere, eg., to systems which are not IP-Instances
1628 		 * aware.
1629 		 * xmlUnsetProp only fails when the attribute doesn't exist,
1630 		 * which we don't care.
1631 		 */
1632 		(void) xmlUnsetProp(cur, DTD_ATTR_IPTYPE);
1633 		break;
1634 	case ZS_EXCLUSIVE:
1635 		if (xmlSetProp(cur, DTD_ATTR_IPTYPE,
1636 		    (const xmlChar *) "exclusive") == NULL)
1637 			return (Z_INVAL);
1638 		break;
1639 	}
1640 	return (Z_OK);
1641 }
1642 
1643 static int
1644 newprop(xmlNodePtr node, const xmlChar *attrname, char *src)
1645 {
1646 	xmlAttrPtr newattr;
1647 
1648 	newattr = xmlNewProp(node, attrname, (xmlChar *)src);
1649 	if (newattr == NULL) {
1650 		xmlUnlinkNode(node);
1651 		xmlFreeNode(node);
1652 		return (Z_BAD_PROPERTY);
1653 	}
1654 	return (Z_OK);
1655 }
1656 
1657 static int
1658 zonecfg_add_filesystem_core(zone_dochandle_t handle, struct zone_fstab *tabptr)
1659 {
1660 	xmlNodePtr newnode, cur = handle->zone_dh_cur, options_node;
1661 	zone_fsopt_t *ptr;
1662 	int err;
1663 
1664 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_FS, NULL);
1665 	if ((err = newprop(newnode, DTD_ATTR_SPECIAL,
1666 	    tabptr->zone_fs_special)) != Z_OK)
1667 		return (err);
1668 	if (tabptr->zone_fs_raw[0] != '\0' &&
1669 	    (err = newprop(newnode, DTD_ATTR_RAW, tabptr->zone_fs_raw)) != Z_OK)
1670 		return (err);
1671 	if ((err = newprop(newnode, DTD_ATTR_DIR, tabptr->zone_fs_dir)) != Z_OK)
1672 		return (err);
1673 	if ((err = newprop(newnode, DTD_ATTR_TYPE,
1674 	    tabptr->zone_fs_type)) != Z_OK)
1675 		return (err);
1676 	if (tabptr->zone_fs_options != NULL) {
1677 		for (ptr = tabptr->zone_fs_options; ptr != NULL;
1678 		    ptr = ptr->zone_fsopt_next) {
1679 			options_node = xmlNewTextChild(newnode, NULL,
1680 			    DTD_ELEM_FSOPTION, NULL);
1681 			if ((err = newprop(options_node, DTD_ATTR_NAME,
1682 			    ptr->zone_fsopt_opt)) != Z_OK)
1683 				return (err);
1684 		}
1685 	}
1686 	return (Z_OK);
1687 }
1688 
1689 int
1690 zonecfg_add_filesystem(zone_dochandle_t handle, struct zone_fstab *tabptr)
1691 {
1692 	int err;
1693 
1694 	if (tabptr == NULL)
1695 		return (Z_INVAL);
1696 
1697 	if ((err = operation_prep(handle)) != Z_OK)
1698 		return (err);
1699 
1700 	if ((err = zonecfg_add_filesystem_core(handle, tabptr)) != Z_OK)
1701 		return (err);
1702 
1703 	return (Z_OK);
1704 }
1705 
1706 int
1707 zonecfg_add_fs_option(struct zone_fstab *tabptr, char *option)
1708 {
1709 	zone_fsopt_t *last, *old, *new;
1710 
1711 	last = tabptr->zone_fs_options;
1712 	for (old = last; old != NULL; old = old->zone_fsopt_next)
1713 		last = old;	/* walk to the end of the list */
1714 	new = (zone_fsopt_t *)malloc(sizeof (zone_fsopt_t));
1715 	if (new == NULL)
1716 		return (Z_NOMEM);
1717 	(void) strlcpy(new->zone_fsopt_opt, option,
1718 	    sizeof (new->zone_fsopt_opt));
1719 	new->zone_fsopt_next = NULL;
1720 	if (last == NULL)
1721 		tabptr->zone_fs_options = new;
1722 	else
1723 		last->zone_fsopt_next = new;
1724 	return (Z_OK);
1725 }
1726 
1727 int
1728 zonecfg_remove_fs_option(struct zone_fstab *tabptr, char *option)
1729 {
1730 	zone_fsopt_t *last, *this, *next;
1731 
1732 	last = tabptr->zone_fs_options;
1733 	for (this = last; this != NULL; this = this->zone_fsopt_next) {
1734 		if (strcmp(this->zone_fsopt_opt, option) == 0) {
1735 			next = this->zone_fsopt_next;
1736 			if (this == tabptr->zone_fs_options)
1737 				tabptr->zone_fs_options = next;
1738 			else
1739 				last->zone_fsopt_next = next;
1740 			free(this);
1741 			return (Z_OK);
1742 		} else
1743 			last = this;
1744 	}
1745 	return (Z_NO_PROPERTY_ID);
1746 }
1747 
1748 void
1749 zonecfg_free_fs_option_list(zone_fsopt_t *list)
1750 {
1751 	zone_fsopt_t *this, *next;
1752 
1753 	for (this = list; this != NULL; this = next) {
1754 		next = this->zone_fsopt_next;
1755 		free(this);
1756 	}
1757 }
1758 
1759 void
1760 zonecfg_free_rctl_value_list(struct zone_rctlvaltab *valtab)
1761 {
1762 	if (valtab == NULL)
1763 		return;
1764 	zonecfg_free_rctl_value_list(valtab->zone_rctlval_next);
1765 	free(valtab);
1766 }
1767 
1768 static boolean_t
1769 match_prop(xmlNodePtr cur, const xmlChar *attr, char *user_prop)
1770 {
1771 	xmlChar *gotten_prop;
1772 	int prop_result;
1773 
1774 	gotten_prop = xmlGetProp(cur, attr);
1775 	if (gotten_prop == NULL)	/* shouldn't happen */
1776 		return (B_FALSE);
1777 	prop_result = xmlStrcmp(gotten_prop, (const xmlChar *) user_prop);
1778 	xmlFree(gotten_prop);
1779 	return ((prop_result == 0));	/* empty strings will match */
1780 }
1781 
1782 static int
1783 zonecfg_delete_filesystem_core(zone_dochandle_t handle,
1784     struct zone_fstab *tabptr)
1785 {
1786 	xmlNodePtr cur = handle->zone_dh_cur;
1787 	boolean_t dir_match, spec_match, raw_match, type_match;
1788 
1789 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
1790 		if (xmlStrcmp(cur->name, DTD_ELEM_FS))
1791 			continue;
1792 		dir_match = match_prop(cur, DTD_ATTR_DIR, tabptr->zone_fs_dir);
1793 		spec_match = match_prop(cur, DTD_ATTR_SPECIAL,
1794 		    tabptr->zone_fs_special);
1795 		raw_match = match_prop(cur, DTD_ATTR_RAW,
1796 		    tabptr->zone_fs_raw);
1797 		type_match = match_prop(cur, DTD_ATTR_TYPE,
1798 		    tabptr->zone_fs_type);
1799 		if (dir_match && spec_match && raw_match && type_match) {
1800 			xmlUnlinkNode(cur);
1801 			xmlFreeNode(cur);
1802 			return (Z_OK);
1803 		}
1804 	}
1805 	return (Z_NO_RESOURCE_ID);
1806 }
1807 
1808 int
1809 zonecfg_delete_filesystem(zone_dochandle_t handle, struct zone_fstab *tabptr)
1810 {
1811 	int err;
1812 
1813 	if (tabptr == NULL)
1814 		return (Z_INVAL);
1815 
1816 	if ((err = operation_prep(handle)) != Z_OK)
1817 		return (err);
1818 
1819 	if ((err = zonecfg_delete_filesystem_core(handle, tabptr)) != Z_OK)
1820 		return (err);
1821 
1822 	return (Z_OK);
1823 }
1824 
1825 int
1826 zonecfg_modify_filesystem(
1827 	zone_dochandle_t handle,
1828 	struct zone_fstab *oldtabptr,
1829 	struct zone_fstab *newtabptr)
1830 {
1831 	int err;
1832 
1833 	if (oldtabptr == NULL || newtabptr == NULL)
1834 		return (Z_INVAL);
1835 
1836 	if ((err = operation_prep(handle)) != Z_OK)
1837 		return (err);
1838 
1839 	if ((err = zonecfg_delete_filesystem_core(handle, oldtabptr)) != Z_OK)
1840 		return (err);
1841 
1842 	if ((err = zonecfg_add_filesystem_core(handle, newtabptr)) != Z_OK)
1843 		return (err);
1844 
1845 	return (Z_OK);
1846 }
1847 
1848 int
1849 zonecfg_lookup_filesystem(
1850 	zone_dochandle_t handle,
1851 	struct zone_fstab *tabptr)
1852 {
1853 	xmlNodePtr cur, options, firstmatch;
1854 	int err;
1855 	char dirname[MAXPATHLEN], special[MAXPATHLEN], raw[MAXPATHLEN];
1856 	char type[FSTYPSZ];
1857 	char options_str[MAX_MNTOPT_STR];
1858 
1859 	if (tabptr == NULL)
1860 		return (Z_INVAL);
1861 
1862 	if ((err = operation_prep(handle)) != Z_OK)
1863 		return (err);
1864 
1865 	/*
1866 	 * Walk the list of children looking for matches on any properties
1867 	 * specified in the fstab parameter.  If more than one resource
1868 	 * matches, we return Z_INSUFFICIENT_SPEC; if none match, we return
1869 	 * Z_NO_RESOURCE_ID.
1870 	 */
1871 	cur = handle->zone_dh_cur;
1872 	firstmatch = NULL;
1873 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
1874 		if (xmlStrcmp(cur->name, DTD_ELEM_FS))
1875 			continue;
1876 		if (strlen(tabptr->zone_fs_dir) > 0) {
1877 			if ((fetchprop(cur, DTD_ATTR_DIR, dirname,
1878 			    sizeof (dirname)) == Z_OK) &&
1879 			    (strcmp(tabptr->zone_fs_dir, dirname) == 0)) {
1880 				if (firstmatch == NULL)
1881 					firstmatch = cur;
1882 				else
1883 					return (Z_INSUFFICIENT_SPEC);
1884 			}
1885 		}
1886 		if (strlen(tabptr->zone_fs_special) > 0) {
1887 			if ((fetchprop(cur, DTD_ATTR_SPECIAL, special,
1888 			    sizeof (special)) == Z_OK)) {
1889 				if (strcmp(tabptr->zone_fs_special,
1890 				    special) == 0) {
1891 					if (firstmatch == NULL)
1892 						firstmatch = cur;
1893 					else if (firstmatch != cur)
1894 						return (Z_INSUFFICIENT_SPEC);
1895 				} else {
1896 					/*
1897 					 * If another property matched but this
1898 					 * one doesn't then reset firstmatch.
1899 					 */
1900 					if (firstmatch == cur)
1901 						firstmatch = NULL;
1902 				}
1903 			}
1904 		}
1905 		if (strlen(tabptr->zone_fs_raw) > 0) {
1906 			if ((fetchprop(cur, DTD_ATTR_RAW, raw,
1907 			    sizeof (raw)) == Z_OK)) {
1908 				if (strcmp(tabptr->zone_fs_raw, raw) == 0) {
1909 					if (firstmatch == NULL)
1910 						firstmatch = cur;
1911 					else if (firstmatch != cur)
1912 						return (Z_INSUFFICIENT_SPEC);
1913 				} else {
1914 					/*
1915 					 * If another property matched but this
1916 					 * one doesn't then reset firstmatch.
1917 					 */
1918 					if (firstmatch == cur)
1919 						firstmatch = NULL;
1920 				}
1921 			}
1922 		}
1923 		if (strlen(tabptr->zone_fs_type) > 0) {
1924 			if ((fetchprop(cur, DTD_ATTR_TYPE, type,
1925 			    sizeof (type)) == Z_OK)) {
1926 				if (strcmp(tabptr->zone_fs_type, type) == 0) {
1927 					if (firstmatch == NULL)
1928 						firstmatch = cur;
1929 					else if (firstmatch != cur)
1930 						return (Z_INSUFFICIENT_SPEC);
1931 				} else {
1932 					/*
1933 					 * If another property matched but this
1934 					 * one doesn't then reset firstmatch.
1935 					 */
1936 					if (firstmatch == cur)
1937 						firstmatch = NULL;
1938 				}
1939 			}
1940 		}
1941 	}
1942 
1943 	if (firstmatch == NULL)
1944 		return (Z_NO_RESOURCE_ID);
1945 
1946 	cur = firstmatch;
1947 
1948 	if ((err = fetchprop(cur, DTD_ATTR_DIR, tabptr->zone_fs_dir,
1949 	    sizeof (tabptr->zone_fs_dir))) != Z_OK)
1950 		return (err);
1951 
1952 	if ((err = fetchprop(cur, DTD_ATTR_SPECIAL, tabptr->zone_fs_special,
1953 	    sizeof (tabptr->zone_fs_special))) != Z_OK)
1954 		return (err);
1955 
1956 	if ((err = fetchprop(cur, DTD_ATTR_RAW, tabptr->zone_fs_raw,
1957 	    sizeof (tabptr->zone_fs_raw))) != Z_OK)
1958 		return (err);
1959 
1960 	if ((err = fetchprop(cur, DTD_ATTR_TYPE, tabptr->zone_fs_type,
1961 	    sizeof (tabptr->zone_fs_type))) != Z_OK)
1962 		return (err);
1963 
1964 	/* options are optional */
1965 	tabptr->zone_fs_options = NULL;
1966 	for (options = cur->xmlChildrenNode; options != NULL;
1967 	    options = options->next) {
1968 		if ((fetchprop(options, DTD_ATTR_NAME, options_str,
1969 		    sizeof (options_str)) != Z_OK))
1970 			break;
1971 		if (zonecfg_add_fs_option(tabptr, options_str) != Z_OK)
1972 			break;
1973 	}
1974 	return (Z_OK);
1975 }
1976 
1977 /*
1978  * Compare two IP addresses in string form.  Allow for the possibility that
1979  * one might have "/<prefix-length>" at the end: allow a match on just the
1980  * IP address (or host name) part.
1981  */
1982 
1983 boolean_t
1984 zonecfg_same_net_address(char *a1, char *a2)
1985 {
1986 	char *slashp, *slashp1, *slashp2;
1987 	int result;
1988 
1989 	if (strcmp(a1, a2) == 0)
1990 		return (B_TRUE);
1991 
1992 	/*
1993 	 * If neither has a slash or both do, they need to match to be
1994 	 * considered the same, but they did not match above, so fail.
1995 	 */
1996 	slashp1 = strchr(a1, '/');
1997 	slashp2 = strchr(a2, '/');
1998 	if ((slashp1 == NULL && slashp2 == NULL) ||
1999 	    (slashp1 != NULL && slashp2 != NULL))
2000 		return (B_FALSE);
2001 
2002 	/*
2003 	 * Only one had a slash: pick that one, zero out the slash, compare
2004 	 * the "address only" strings, restore the slash, and return the
2005 	 * result of the comparison.
2006 	 */
2007 	slashp = (slashp1 == NULL) ? slashp2 : slashp1;
2008 	*slashp = '\0';
2009 	result = strcmp(a1, a2);
2010 	*slashp = '/';
2011 	return ((result == 0));
2012 }
2013 
2014 int
2015 zonecfg_valid_net_address(char *address, struct lifreq *lifr)
2016 {
2017 	struct sockaddr_in *sin4;
2018 	struct sockaddr_in6 *sin6;
2019 	struct addrinfo hints, *result;
2020 	char *slashp = strchr(address, '/');
2021 
2022 	bzero(lifr, sizeof (struct lifreq));
2023 	sin4 = (struct sockaddr_in *)&lifr->lifr_addr;
2024 	sin6 = (struct sockaddr_in6 *)&lifr->lifr_addr;
2025 	if (slashp != NULL)
2026 		*slashp = '\0';
2027 	if (inet_pton(AF_INET, address, &sin4->sin_addr) == 1) {
2028 		sin4->sin_family = AF_INET;
2029 	} else if (inet_pton(AF_INET6, address, &sin6->sin6_addr) == 1) {
2030 		if (slashp == NULL)
2031 			return (Z_IPV6_ADDR_PREFIX_LEN);
2032 		sin6->sin6_family = AF_INET6;
2033 	} else {
2034 		/* "address" may be a host name */
2035 		(void) memset(&hints, 0, sizeof (hints));
2036 		hints.ai_family = PF_INET;
2037 		if (getaddrinfo(address, NULL, &hints, &result) != 0)
2038 			return (Z_BOGUS_ADDRESS);
2039 		sin4->sin_family = result->ai_family;
2040 
2041 		(void) memcpy(&sin4->sin_addr,
2042 		    /* LINTED E_BAD_PTR_CAST_ALIGN */
2043 		    &((struct sockaddr_in *)result->ai_addr)->sin_addr,
2044 		    sizeof (struct in_addr));
2045 
2046 		freeaddrinfo(result);
2047 	}
2048 	return (Z_OK);
2049 }
2050 
2051 boolean_t
2052 zonecfg_ifname_exists(sa_family_t af, char *ifname)
2053 {
2054 	struct lifreq lifr;
2055 	int so;
2056 	int save_errno;
2057 
2058 	(void) memset(&lifr, 0, sizeof (lifr));
2059 	(void) strlcpy(lifr.lifr_name, ifname, sizeof (lifr.lifr_name));
2060 	lifr.lifr_addr.ss_family = af;
2061 	if ((so = socket(af, SOCK_DGRAM, 0)) < 0) {
2062 		/* Odd - can't tell if the ifname exists */
2063 		return (B_FALSE);
2064 	}
2065 	if (ioctl(so, SIOCGLIFFLAGS, (caddr_t)&lifr) < 0) {
2066 		save_errno = errno;
2067 		(void) close(so);
2068 		errno = save_errno;
2069 		return (B_FALSE);
2070 	}
2071 	(void) close(so);
2072 	return (B_TRUE);
2073 }
2074 
2075 /*
2076  * Determines whether there is a net resource with the physical interface, IP
2077  * address, and default router specified by 'tabptr' in the zone configuration
2078  * to which 'handle' refers.  'tabptr' must have an interface, an address, a
2079  * default router, or a combination of the three.  This function returns Z_OK
2080  * iff there is exactly one net resource matching the query specified by
2081  * 'tabptr'.  The function returns Z_INSUFFICIENT_SPEC if there are multiple
2082  * matches or 'tabptr' does not specify a physical interface, address, or
2083  * default router.  The function returns Z_NO_RESOURCE_ID if are no matches.
2084  *
2085  * Errors might also be returned if the entry that exactly matches the
2086  * query lacks critical network resource information.
2087  *
2088  * If there is a single match, then the matching entry's physical interface, IP
2089  * address, and default router information are stored in 'tabptr'.
2090  */
2091 int
2092 zonecfg_lookup_nwif(zone_dochandle_t handle, struct zone_nwiftab *tabptr)
2093 {
2094 	xmlNodePtr cur;
2095 	xmlNodePtr firstmatch;
2096 	int err;
2097 	char address[INET6_ADDRSTRLEN];
2098 	char physical[LIFNAMSIZ];
2099 	size_t addrspec;		/* nonzero if tabptr has IP addr */
2100 	size_t physspec;		/* nonzero if tabptr has interface */
2101 	size_t defrouterspec;		/* nonzero if tabptr has def. router */
2102 	size_t allowed_addrspec;
2103 	zone_iptype_t iptype;
2104 
2105 	if (tabptr == NULL)
2106 		return (Z_INVAL);
2107 
2108 	/*
2109 	 * Determine the fields that will be searched.  There must be at least
2110 	 * one.
2111 	 *
2112 	 * zone_nwif_address, zone_nwif_physical, and zone_nwif_defrouter are
2113 	 * arrays, so no NULL checks are necessary.
2114 	 */
2115 	addrspec = strlen(tabptr->zone_nwif_address);
2116 	physspec = strlen(tabptr->zone_nwif_physical);
2117 	defrouterspec = strlen(tabptr->zone_nwif_defrouter);
2118 	allowed_addrspec = strlen(tabptr->zone_nwif_allowed_address);
2119 	if (addrspec != 0 && allowed_addrspec != 0)
2120 		return (Z_INVAL); /* can't specify both */
2121 	if (addrspec == 0 && physspec == 0 && defrouterspec == 0 &&
2122 	    allowed_addrspec == 0)
2123 		return (Z_INSUFFICIENT_SPEC);
2124 
2125 	if ((err = operation_prep(handle)) != Z_OK)
2126 		return (err);
2127 
2128 	if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK)
2129 		return (err);
2130 	/*
2131 	 * Iterate over the configuration's elements and look for net elements
2132 	 * that match the query.
2133 	 */
2134 	firstmatch = NULL;
2135 	cur = handle->zone_dh_cur;
2136 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2137 		/* Skip non-net elements */
2138 		if (xmlStrcmp(cur->name, DTD_ELEM_NET))
2139 			continue;
2140 
2141 		/*
2142 		 * If any relevant fields don't match the query, then skip
2143 		 * the current net element.
2144 		 */
2145 		if (physspec != 0 && (fetchprop(cur, DTD_ATTR_PHYSICAL,
2146 		    physical, sizeof (physical)) != Z_OK ||
2147 		    strcmp(tabptr->zone_nwif_physical, physical) != 0))
2148 			continue;
2149 		if (iptype == ZS_SHARED && addrspec != 0 &&
2150 		    (fetchprop(cur, DTD_ATTR_ADDRESS, address,
2151 		    sizeof (address)) != Z_OK ||
2152 		    !zonecfg_same_net_address(tabptr->zone_nwif_address,
2153 		    address)))
2154 			continue;
2155 		if (iptype == ZS_EXCLUSIVE && allowed_addrspec != 0 &&
2156 		    (fetchprop(cur, DTD_ATTR_ALLOWED_ADDRESS, address,
2157 		    sizeof (address)) != Z_OK ||
2158 		    !zonecfg_same_net_address(tabptr->zone_nwif_allowed_address,
2159 		    address)))
2160 			continue;
2161 		if (defrouterspec != 0 && (fetchprop(cur, DTD_ATTR_DEFROUTER,
2162 		    address, sizeof (address)) != Z_OK ||
2163 		    !zonecfg_same_net_address(tabptr->zone_nwif_defrouter,
2164 		    address)))
2165 			continue;
2166 
2167 		/*
2168 		 * The current net element matches the query.  Select it if
2169 		 * it's the first match; otherwise, abort the search.
2170 		 */
2171 		if (firstmatch == NULL)
2172 			firstmatch = cur;
2173 		else
2174 			return (Z_INSUFFICIENT_SPEC);
2175 	}
2176 	if (firstmatch == NULL)
2177 		return (Z_NO_RESOURCE_ID);
2178 
2179 	cur = firstmatch;
2180 
2181 	if ((err = fetchprop(cur, DTD_ATTR_PHYSICAL, tabptr->zone_nwif_physical,
2182 	    sizeof (tabptr->zone_nwif_physical))) != Z_OK)
2183 		return (err);
2184 
2185 	if (iptype == ZS_SHARED &&
2186 	    (err = fetchprop(cur, DTD_ATTR_ADDRESS, tabptr->zone_nwif_address,
2187 	    sizeof (tabptr->zone_nwif_address))) != Z_OK)
2188 		return (err);
2189 
2190 	if (iptype == ZS_EXCLUSIVE &&
2191 	    (err = fetchprop(cur, DTD_ATTR_ALLOWED_ADDRESS,
2192 	    tabptr->zone_nwif_allowed_address,
2193 	    sizeof (tabptr->zone_nwif_allowed_address))) != Z_OK)
2194 		return (err);
2195 
2196 	if ((err = fetchprop(cur, DTD_ATTR_DEFROUTER,
2197 	    tabptr->zone_nwif_defrouter,
2198 	    sizeof (tabptr->zone_nwif_defrouter))) != Z_OK)
2199 		return (err);
2200 
2201 	return (Z_OK);
2202 }
2203 
2204 static int
2205 zonecfg_add_nwif_core(zone_dochandle_t handle, struct zone_nwiftab *tabptr)
2206 {
2207 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
2208 	int err;
2209 
2210 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_NET, NULL);
2211 	if (strlen(tabptr->zone_nwif_address) > 0 &&
2212 	    (err = newprop(newnode, DTD_ATTR_ADDRESS,
2213 	    tabptr->zone_nwif_address)) != Z_OK)
2214 		return (err);
2215 	if (strlen(tabptr->zone_nwif_allowed_address) > 0 &&
2216 	    (err = newprop(newnode, DTD_ATTR_ALLOWED_ADDRESS,
2217 	    tabptr->zone_nwif_allowed_address)) != Z_OK)
2218 		return (err);
2219 	if ((err = newprop(newnode, DTD_ATTR_PHYSICAL,
2220 	    tabptr->zone_nwif_physical)) != Z_OK)
2221 		return (err);
2222 	/*
2223 	 * Do not add this property when it is not set, for backwards
2224 	 * compatibility and because it is optional.
2225 	 */
2226 	if ((strlen(tabptr->zone_nwif_defrouter) > 0) &&
2227 	    ((err = newprop(newnode, DTD_ATTR_DEFROUTER,
2228 	    tabptr->zone_nwif_defrouter)) != Z_OK))
2229 		return (err);
2230 	return (Z_OK);
2231 }
2232 
2233 int
2234 zonecfg_add_nwif(zone_dochandle_t handle, struct zone_nwiftab *tabptr)
2235 {
2236 	int err;
2237 
2238 	if (tabptr == NULL)
2239 		return (Z_INVAL);
2240 
2241 	if ((err = operation_prep(handle)) != Z_OK)
2242 		return (err);
2243 
2244 	if ((err = zonecfg_add_nwif_core(handle, tabptr)) != Z_OK)
2245 		return (err);
2246 
2247 	return (Z_OK);
2248 }
2249 
2250 static int
2251 zonecfg_delete_nwif_core(zone_dochandle_t handle, struct zone_nwiftab *tabptr)
2252 {
2253 	xmlNodePtr cur = handle->zone_dh_cur;
2254 	boolean_t addr_match, phys_match, allowed_addr_match;
2255 
2256 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2257 		if (xmlStrcmp(cur->name, DTD_ELEM_NET))
2258 			continue;
2259 
2260 		addr_match = match_prop(cur, DTD_ATTR_ADDRESS,
2261 		    tabptr->zone_nwif_address);
2262 		allowed_addr_match = match_prop(cur, DTD_ATTR_ALLOWED_ADDRESS,
2263 		    tabptr->zone_nwif_allowed_address);
2264 		phys_match = match_prop(cur, DTD_ATTR_PHYSICAL,
2265 		    tabptr->zone_nwif_physical);
2266 
2267 		if (addr_match && allowed_addr_match && phys_match) {
2268 			xmlUnlinkNode(cur);
2269 			xmlFreeNode(cur);
2270 			return (Z_OK);
2271 		}
2272 	}
2273 	return (Z_NO_RESOURCE_ID);
2274 }
2275 
2276 int
2277 zonecfg_delete_nwif(zone_dochandle_t handle, struct zone_nwiftab *tabptr)
2278 {
2279 	int err;
2280 
2281 	if (tabptr == NULL)
2282 		return (Z_INVAL);
2283 
2284 	if ((err = operation_prep(handle)) != Z_OK)
2285 		return (err);
2286 
2287 	if ((err = zonecfg_delete_nwif_core(handle, tabptr)) != Z_OK)
2288 		return (err);
2289 
2290 	return (Z_OK);
2291 }
2292 
2293 int
2294 zonecfg_modify_nwif(
2295 	zone_dochandle_t handle,
2296 	struct zone_nwiftab *oldtabptr,
2297 	struct zone_nwiftab *newtabptr)
2298 {
2299 	int err;
2300 
2301 	if (oldtabptr == NULL || newtabptr == NULL)
2302 		return (Z_INVAL);
2303 
2304 	if ((err = operation_prep(handle)) != Z_OK)
2305 		return (err);
2306 
2307 	if ((err = zonecfg_delete_nwif_core(handle, oldtabptr)) != Z_OK)
2308 		return (err);
2309 
2310 	if ((err = zonecfg_add_nwif_core(handle, newtabptr)) != Z_OK)
2311 		return (err);
2312 
2313 	return (Z_OK);
2314 }
2315 
2316 /*
2317  * Must be a comma-separated list of alpha-numeric file system names.
2318  */
2319 static int
2320 zonecfg_valid_fs_allowed(const char *fsallowedp)
2321 {
2322 	char tmp[ZONE_FS_ALLOWED_MAX];
2323 	char *cp = tmp;
2324 	char *p;
2325 
2326 	if (strlen(fsallowedp) > ZONE_FS_ALLOWED_MAX)
2327 		return (Z_TOO_BIG);
2328 
2329 	(void) strlcpy(tmp, fsallowedp, sizeof (tmp));
2330 
2331 	while (*cp != '\0') {
2332 		p = cp;
2333 		while (*p != '\0' && *p != ',') {
2334 			if (!isalnum(*p) && *p != '-')
2335 				return (Z_INVALID_PROPERTY);
2336 			p++;
2337 		}
2338 
2339 		if (*p == ',') {
2340 			if (p == cp)
2341 				return (Z_INVALID_PROPERTY);
2342 
2343 			p++;
2344 
2345 			if (*p == '\0')
2346 				return (Z_INVALID_PROPERTY);
2347 		}
2348 
2349 		cp = p;
2350 	}
2351 
2352 	return (Z_OK);
2353 }
2354 
2355 int
2356 zonecfg_get_fs_allowed(zone_dochandle_t handle, char *bufp, size_t buflen)
2357 {
2358 	int err;
2359 
2360 	if ((err = getrootattr(handle, DTD_ATTR_FS_ALLOWED,
2361 	    bufp, buflen)) != Z_OK)
2362 		return (err);
2363 	if (bufp[0] == '\0')
2364 		return (Z_BAD_PROPERTY);
2365 	return (zonecfg_valid_fs_allowed(bufp));
2366 }
2367 
2368 int
2369 zonecfg_set_fs_allowed(zone_dochandle_t handle, const char *bufp)
2370 {
2371 	int err;
2372 
2373 	if (bufp == NULL || (err = zonecfg_valid_fs_allowed(bufp)) == Z_OK)
2374 		return (setrootattr(handle, DTD_ATTR_FS_ALLOWED, bufp));
2375 	return (err);
2376 }
2377 
2378 /*
2379  * Determines if the specified string is a valid hostid string.  This function
2380  * returns Z_OK if the string is a valid hostid string.  It returns Z_INVAL if
2381  * 'hostidp' is NULL, Z_TOO_BIG if 'hostidp' refers to a string buffer
2382  * containing a hex string with more than 8 digits, and Z_INVALID_PROPERTY if
2383  * the string has an invalid format.
2384  */
2385 static int
2386 zonecfg_valid_hostid(const char *hostidp)
2387 {
2388 	char *currentp;
2389 	u_longlong_t hostidval;
2390 	size_t len;
2391 
2392 	if (hostidp == NULL)
2393 		return (Z_INVAL);
2394 
2395 	/* Empty strings and strings with whitespace are invalid. */
2396 	if (*hostidp == '\0')
2397 		return (Z_INVALID_PROPERTY);
2398 	for (currentp = (char *)hostidp; *currentp != '\0'; ++currentp) {
2399 		if (isspace(*currentp))
2400 			return (Z_INVALID_PROPERTY);
2401 	}
2402 	len = (size_t)(currentp - hostidp);
2403 
2404 	/*
2405 	 * The caller might pass a hostid that is larger than the maximum
2406 	 * unsigned 32-bit integral value.  Check for this!  Also, make sure
2407 	 * that the whole string is converted (this helps us find illegal
2408 	 * characters) and that the whole string fits within a buffer of size
2409 	 * HW_HOSTID_LEN.
2410 	 */
2411 	currentp = (char *)hostidp;
2412 	if (strncmp(hostidp, "0x", 2) == 0 || strncmp(hostidp, "0X", 2) == 0)
2413 		currentp += 2;
2414 	hostidval = strtoull(currentp, &currentp, 16);
2415 	if ((size_t)(currentp - hostidp) >= HW_HOSTID_LEN)
2416 		return (Z_TOO_BIG);
2417 	if (hostidval > UINT_MAX || hostidval == HW_INVALID_HOSTID ||
2418 	    currentp != hostidp + len)
2419 		return (Z_INVALID_PROPERTY);
2420 	return (Z_OK);
2421 }
2422 
2423 /*
2424  * Gets the zone hostid string stored in the specified zone configuration
2425  * document.  This function returns Z_OK on success.  Z_BAD_PROPERTY is returned
2426  * if the config file doesn't specify a hostid or if the hostid is blank.
2427  *
2428  * Note that buflen should be at least HW_HOSTID_LEN.
2429  */
2430 int
2431 zonecfg_get_hostid(zone_dochandle_t handle, char *bufp, size_t buflen)
2432 {
2433 	int err;
2434 
2435 	if ((err = getrootattr(handle, DTD_ATTR_HOSTID, bufp, buflen)) != Z_OK)
2436 		return (err);
2437 	if (bufp[0] == '\0')
2438 		return (Z_BAD_PROPERTY);
2439 	return (zonecfg_valid_hostid(bufp));
2440 }
2441 
2442 /*
2443  * Sets the hostid string in the specified zone config document to the given
2444  * string value.  If 'hostidp' is NULL, then the config document's hostid
2445  * attribute is cleared.  Non-NULL hostids are validated.  This function returns
2446  * Z_OK on success.  Any other return value indicates failure.
2447  */
2448 int
2449 zonecfg_set_hostid(zone_dochandle_t handle, const char *hostidp)
2450 {
2451 	int err;
2452 
2453 	/*
2454 	 * A NULL hostid string is interpreted as a request to clear the
2455 	 * hostid.
2456 	 */
2457 	if (hostidp == NULL || (err = zonecfg_valid_hostid(hostidp)) == Z_OK)
2458 		return (setrootattr(handle, DTD_ATTR_HOSTID, hostidp));
2459 	return (err);
2460 }
2461 
2462 int
2463 zonecfg_lookup_dev(zone_dochandle_t handle, struct zone_devtab *tabptr)
2464 {
2465 	xmlNodePtr cur, firstmatch;
2466 	int err;
2467 	char match[MAXPATHLEN];
2468 
2469 	if (tabptr == NULL)
2470 		return (Z_INVAL);
2471 
2472 	if ((err = operation_prep(handle)) != Z_OK)
2473 		return (err);
2474 
2475 	cur = handle->zone_dh_cur;
2476 	firstmatch = NULL;
2477 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2478 		if (xmlStrcmp(cur->name, DTD_ELEM_DEVICE))
2479 			continue;
2480 		if (strlen(tabptr->zone_dev_match) == 0)
2481 			continue;
2482 
2483 		if ((fetchprop(cur, DTD_ATTR_MATCH, match,
2484 		    sizeof (match)) == Z_OK)) {
2485 			if (strcmp(tabptr->zone_dev_match,
2486 			    match) == 0) {
2487 				if (firstmatch == NULL)
2488 					firstmatch = cur;
2489 				else if (firstmatch != cur)
2490 					return (Z_INSUFFICIENT_SPEC);
2491 			} else {
2492 				/*
2493 				 * If another property matched but this
2494 				 * one doesn't then reset firstmatch.
2495 				 */
2496 				if (firstmatch == cur)
2497 					firstmatch = NULL;
2498 			}
2499 		}
2500 	}
2501 	if (firstmatch == NULL)
2502 		return (Z_NO_RESOURCE_ID);
2503 
2504 	cur = firstmatch;
2505 
2506 	if ((err = fetchprop(cur, DTD_ATTR_MATCH, tabptr->zone_dev_match,
2507 	    sizeof (tabptr->zone_dev_match))) != Z_OK)
2508 		return (err);
2509 
2510 	return (Z_OK);
2511 }
2512 
2513 static int
2514 zonecfg_add_dev_core(zone_dochandle_t handle, struct zone_devtab *tabptr)
2515 {
2516 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
2517 	int err;
2518 
2519 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_DEVICE, NULL);
2520 
2521 	if ((err = newprop(newnode, DTD_ATTR_MATCH,
2522 	    tabptr->zone_dev_match)) != Z_OK)
2523 		return (err);
2524 
2525 	return (Z_OK);
2526 }
2527 
2528 int
2529 zonecfg_add_dev(zone_dochandle_t handle, struct zone_devtab *tabptr)
2530 {
2531 	int err;
2532 
2533 	if (tabptr == NULL)
2534 		return (Z_INVAL);
2535 
2536 	if ((err = operation_prep(handle)) != Z_OK)
2537 		return (err);
2538 
2539 	if ((err = zonecfg_add_dev_core(handle, tabptr)) != Z_OK)
2540 		return (err);
2541 
2542 	return (Z_OK);
2543 }
2544 
2545 static int
2546 zonecfg_delete_dev_core(zone_dochandle_t handle, struct zone_devtab *tabptr)
2547 {
2548 	xmlNodePtr cur = handle->zone_dh_cur;
2549 	int match_match;
2550 
2551 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2552 		if (xmlStrcmp(cur->name, DTD_ELEM_DEVICE))
2553 			continue;
2554 
2555 		match_match = match_prop(cur, DTD_ATTR_MATCH,
2556 		    tabptr->zone_dev_match);
2557 
2558 		if (match_match) {
2559 			xmlUnlinkNode(cur);
2560 			xmlFreeNode(cur);
2561 			return (Z_OK);
2562 		}
2563 	}
2564 	return (Z_NO_RESOURCE_ID);
2565 }
2566 
2567 int
2568 zonecfg_delete_dev(zone_dochandle_t handle, struct zone_devtab *tabptr)
2569 {
2570 	int err;
2571 
2572 	if (tabptr == NULL)
2573 		return (Z_INVAL);
2574 
2575 	if ((err = operation_prep(handle)) != Z_OK)
2576 		return (err);
2577 
2578 	if ((err = zonecfg_delete_dev_core(handle, tabptr)) != Z_OK)
2579 		return (err);
2580 
2581 	return (Z_OK);
2582 }
2583 
2584 int
2585 zonecfg_modify_dev(
2586 	zone_dochandle_t handle,
2587 	struct zone_devtab *oldtabptr,
2588 	struct zone_devtab *newtabptr)
2589 {
2590 	int err;
2591 
2592 	if (oldtabptr == NULL || newtabptr == NULL)
2593 		return (Z_INVAL);
2594 
2595 	if ((err = operation_prep(handle)) != Z_OK)
2596 		return (err);
2597 
2598 	if ((err = zonecfg_delete_dev_core(handle, oldtabptr)) != Z_OK)
2599 		return (err);
2600 
2601 	if ((err = zonecfg_add_dev_core(handle, newtabptr)) != Z_OK)
2602 		return (err);
2603 
2604 	return (Z_OK);
2605 }
2606 
2607 static int
2608 zonecfg_add_auth_core(zone_dochandle_t handle, struct zone_admintab *tabptr,
2609     char *zonename)
2610 {
2611 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
2612 	int err;
2613 
2614 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_ADMIN, NULL);
2615 	err = newprop(newnode, DTD_ATTR_USER, tabptr->zone_admin_user);
2616 	if (err != Z_OK)
2617 		return (err);
2618 	err = newprop(newnode, DTD_ATTR_AUTHS, tabptr->zone_admin_auths);
2619 	if (err != Z_OK)
2620 		return (err);
2621 	if ((err = zonecfg_remove_userauths(
2622 	    handle, tabptr->zone_admin_user, zonename, B_FALSE)) != Z_OK)
2623 		return (err);
2624 	return (Z_OK);
2625 }
2626 
2627 int
2628 zonecfg_add_admin(zone_dochandle_t handle, struct zone_admintab *tabptr,
2629     char *zonename)
2630 {
2631 	int err;
2632 
2633 	if (tabptr == NULL)
2634 		return (Z_INVAL);
2635 
2636 	if ((err = operation_prep(handle)) != Z_OK)
2637 		return (err);
2638 
2639 	if ((err = zonecfg_add_auth_core(handle, tabptr,
2640 	    zonename)) != Z_OK)
2641 		return (err);
2642 
2643 	return (Z_OK);
2644 }
2645 
2646 static int
2647 zonecfg_delete_auth_core(zone_dochandle_t handle, struct zone_admintab *tabptr,
2648     char *zonename)
2649 {
2650 	xmlNodePtr cur = handle->zone_dh_cur;
2651 	boolean_t auth_match;
2652 	int err;
2653 
2654 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2655 		if (xmlStrcmp(cur->name, DTD_ELEM_ADMIN))
2656 			continue;
2657 		auth_match = match_prop(cur, DTD_ATTR_USER,
2658 		    tabptr->zone_admin_user);
2659 		if (auth_match) {
2660 			if ((err = zonecfg_insert_userauths(
2661 			    handle, tabptr->zone_admin_user,
2662 			    zonename)) != Z_OK)
2663 				return (err);
2664 			xmlUnlinkNode(cur);
2665 			xmlFreeNode(cur);
2666 			return (Z_OK);
2667 		}
2668 	}
2669 	return (Z_NO_RESOURCE_ID);
2670 }
2671 
2672 int
2673 zonecfg_delete_admin(zone_dochandle_t handle, struct zone_admintab *tabptr,
2674     char *zonename)
2675 {
2676 	int err;
2677 
2678 	if (tabptr == NULL)
2679 		return (Z_INVAL);
2680 
2681 	if ((err = operation_prep(handle)) != Z_OK)
2682 		return (err);
2683 
2684 	if ((err = zonecfg_delete_auth_core(handle, tabptr, zonename)) != Z_OK)
2685 		return (err);
2686 
2687 	return (Z_OK);
2688 }
2689 
2690 int
2691 zonecfg_modify_admin(zone_dochandle_t handle, struct zone_admintab *oldtabptr,
2692     struct zone_admintab *newtabptr, char *zonename)
2693 {
2694 	int err;
2695 
2696 	if (oldtabptr == NULL || newtabptr == NULL)
2697 		return (Z_INVAL);
2698 
2699 	if ((err = operation_prep(handle)) != Z_OK)
2700 		return (err);
2701 
2702 	if ((err = zonecfg_delete_auth_core(handle, oldtabptr, zonename))
2703 	    != Z_OK)
2704 		return (err);
2705 
2706 	if ((err = zonecfg_add_auth_core(handle, newtabptr,
2707 	    zonename)) != Z_OK)
2708 		return (err);
2709 
2710 	return (Z_OK);
2711 }
2712 
2713 int
2714 zonecfg_lookup_admin(zone_dochandle_t handle, struct zone_admintab *tabptr)
2715 {
2716 	xmlNodePtr cur, firstmatch;
2717 	int err;
2718 	char user[MAXUSERNAME];
2719 
2720 	if (tabptr == NULL)
2721 		return (Z_INVAL);
2722 
2723 	if ((err = operation_prep(handle)) != Z_OK)
2724 		return (err);
2725 
2726 	cur = handle->zone_dh_cur;
2727 	firstmatch = NULL;
2728 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2729 		if (xmlStrcmp(cur->name, DTD_ELEM_ADMIN))
2730 			continue;
2731 		if (strlen(tabptr->zone_admin_user) > 0) {
2732 			if ((fetchprop(cur, DTD_ATTR_USER, user,
2733 			    sizeof (user)) == Z_OK) &&
2734 			    (strcmp(tabptr->zone_admin_user, user) == 0)) {
2735 				if (firstmatch == NULL)
2736 					firstmatch = cur;
2737 				else
2738 					return (Z_INSUFFICIENT_SPEC);
2739 			}
2740 		}
2741 	}
2742 	if (firstmatch == NULL)
2743 		return (Z_NO_RESOURCE_ID);
2744 
2745 	cur = firstmatch;
2746 
2747 	if ((err = fetchprop(cur, DTD_ATTR_USER, tabptr->zone_admin_user,
2748 	    sizeof (tabptr->zone_admin_user))) != Z_OK)
2749 		return (err);
2750 
2751 	if ((err = fetchprop(cur, DTD_ATTR_AUTHS, tabptr->zone_admin_auths,
2752 	    sizeof (tabptr->zone_admin_auths))) != Z_OK)
2753 		return (err);
2754 
2755 	return (Z_OK);
2756 }
2757 
2758 static int
2759 zonecfg_add_secflags_core(zone_dochandle_t handle,
2760     struct zone_secflagstab *tabptr)
2761 {
2762 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
2763 	int err;
2764 
2765 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_SECFLAGS, NULL);
2766 	err = newprop(newnode, DTD_ATTR_DEFAULT, tabptr->zone_secflags_default);
2767 	if (err != Z_OK)
2768 		return (err);
2769 	err = newprop(newnode, DTD_ATTR_LOWER, tabptr->zone_secflags_lower);
2770 	if (err != Z_OK)
2771 		return (err);
2772 	err = newprop(newnode, DTD_ATTR_UPPER, tabptr->zone_secflags_upper);
2773 	if (err != Z_OK)
2774 		return (err);
2775 
2776 	return (Z_OK);
2777 }
2778 
2779 int
2780 zonecfg_add_secflags(zone_dochandle_t handle, struct zone_secflagstab *tabptr)
2781 {
2782 	int err;
2783 
2784 
2785 	if (tabptr == NULL)
2786 		return (Z_INVAL);
2787 
2788 	if ((err = operation_prep(handle)) != Z_OK)
2789 		return (err);
2790 
2791 	if ((err = zonecfg_add_secflags_core(handle, tabptr)) != Z_OK)
2792 		return (err);
2793 
2794 	return (Z_OK);
2795 }
2796 
2797 static int
2798 zonecfg_delete_secflags_core(zone_dochandle_t handle,
2799     struct zone_secflagstab *tabptr)
2800 {
2801 	xmlNodePtr cur = handle->zone_dh_cur;
2802 	boolean_t def_match, low_match, up_match;
2803 
2804 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2805 		if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
2806 			continue;
2807 
2808 		def_match = match_prop(cur, DTD_ATTR_DEFAULT,
2809 		    tabptr->zone_secflags_default);
2810 		low_match = match_prop(cur, DTD_ATTR_LOWER,
2811 		    tabptr->zone_secflags_lower);
2812 		up_match = match_prop(cur, DTD_ATTR_UPPER,
2813 		    tabptr->zone_secflags_upper);
2814 
2815 		if (def_match && low_match && up_match) {
2816 			xmlUnlinkNode(cur);
2817 			xmlFreeNode(cur);
2818 			return (Z_OK);
2819 		}
2820 
2821 	}
2822 	return (Z_NO_RESOURCE_ID);
2823 }
2824 
2825 int
2826 zonecfg_delete_secflags(zone_dochandle_t handle,
2827     struct zone_secflagstab *tabptr)
2828 {
2829 	int err;
2830 
2831 	if (tabptr == NULL)
2832 		return (Z_INVAL);
2833 
2834 	if ((err = operation_prep(handle)) != Z_OK)
2835 		return (err);
2836 
2837 	if ((err = zonecfg_delete_secflags_core(handle, tabptr)) != Z_OK)
2838 		return (err);
2839 
2840 	return (Z_OK);
2841 }
2842 
2843 int
2844 zonecfg_modify_secflags(zone_dochandle_t handle,
2845     struct zone_secflagstab *oldtabptr,
2846     struct zone_secflagstab *newtabptr)
2847 {
2848 	int err;
2849 
2850 	if (oldtabptr == NULL || newtabptr == NULL)
2851 		return (Z_INVAL);
2852 
2853 	if ((err = operation_prep(handle)) != Z_OK)
2854 		return (err);
2855 
2856 	if ((err = zonecfg_delete_secflags_core(handle, oldtabptr))
2857 	    != Z_OK)
2858 		return (err);
2859 
2860 	if ((err = zonecfg_add_secflags_core(handle, newtabptr)) != Z_OK)
2861 		return (err);
2862 
2863 	return (Z_OK);
2864 }
2865 
2866 int
2867 zonecfg_lookup_secflags(zone_dochandle_t handle,
2868     struct zone_secflagstab *tabptr)
2869 {
2870 	xmlNodePtr cur;
2871 	int err;
2872 
2873 	if (tabptr == NULL)
2874 		return (Z_INVAL);
2875 
2876 	if ((err = operation_prep(handle)) != Z_OK)
2877 		return (err);
2878 
2879 	cur = handle->zone_dh_cur;
2880 
2881 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
2882 		if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
2883 			continue;
2884 
2885 		if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
2886 		    tabptr->zone_secflags_default,
2887 		    sizeof (tabptr->zone_secflags_default))) != Z_OK) {
2888 			handle->zone_dh_cur = handle->zone_dh_top;
2889 			return (err);
2890 		}
2891 
2892 		if ((err = fetchprop(cur, DTD_ATTR_LOWER,
2893 		    tabptr->zone_secflags_lower,
2894 		    sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
2895 			handle->zone_dh_cur = handle->zone_dh_top;
2896 			return (err);
2897 		}
2898 
2899 		if ((err = fetchprop(cur, DTD_ATTR_UPPER,
2900 		    tabptr->zone_secflags_upper,
2901 		    sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
2902 			handle->zone_dh_cur = handle->zone_dh_top;
2903 			return (err);
2904 		}
2905 
2906 		return (Z_OK);
2907 	}
2908 
2909 	return (Z_NO_ENTRY);
2910 }
2911 
2912 /* Lock to serialize all devwalks */
2913 static pthread_mutex_t zonecfg_devwalk_lock = PTHREAD_MUTEX_INITIALIZER;
2914 /*
2915  * Global variables used to pass data from zonecfg_dev_manifest to the nftw
2916  * call-back (zonecfg_devwalk_cb).  g_devwalk_data is really the void*
2917  * parameter and g_devwalk_cb is really the *cb parameter from
2918  * zonecfg_dev_manifest.
2919  */
2920 typedef struct __g_devwalk_data *g_devwalk_data_t;
2921 static g_devwalk_data_t g_devwalk_data;
2922 static int (*g_devwalk_cb)(const char *, uid_t, gid_t, mode_t, const char *,
2923     void *);
2924 static size_t g_devwalk_skip_prefix;
2925 
2926 /*
2927  * zonecfg_dev_manifest call-back function used during detach to generate the
2928  * dev info in the manifest.
2929  */
2930 static int
2931 get_detach_dev_entry(const char *name, uid_t uid, gid_t gid, mode_t mode,
2932     const char *acl, void *hdl)
2933 {
2934 	zone_dochandle_t handle = (zone_dochandle_t)hdl;
2935 	xmlNodePtr newnode;
2936 	xmlNodePtr cur;
2937 	int err;
2938 	char buf[128];
2939 
2940 	if ((err = operation_prep(handle)) != Z_OK)
2941 		return (err);
2942 
2943 	cur = handle->zone_dh_cur;
2944 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_DEV_PERM, NULL);
2945 	if ((err = newprop(newnode, DTD_ATTR_NAME, (char *)name)) != Z_OK)
2946 		return (err);
2947 	(void) snprintf(buf, sizeof (buf), "%lu", uid);
2948 	if ((err = newprop(newnode, DTD_ATTR_UID, buf)) != Z_OK)
2949 		return (err);
2950 	(void) snprintf(buf, sizeof (buf), "%lu", gid);
2951 	if ((err = newprop(newnode, DTD_ATTR_GID, buf)) != Z_OK)
2952 		return (err);
2953 	(void) snprintf(buf, sizeof (buf), "%o", mode);
2954 	if ((err = newprop(newnode, DTD_ATTR_MODE, buf)) != Z_OK)
2955 		return (err);
2956 	if ((err = newprop(newnode, DTD_ATTR_ACL, (char *)acl)) != Z_OK)
2957 		return (err);
2958 	return (Z_OK);
2959 }
2960 
2961 /*
2962  * This is the nftw call-back function used by zonecfg_dev_manifest.  It is
2963  * responsible for calling the actual call-back.
2964  */
2965 /* ARGSUSED2 */
2966 static int
2967 zonecfg_devwalk_cb(const char *path, const struct stat *st, int f,
2968     struct FTW *ftw)
2969 {
2970 	acl_t *acl;
2971 	char *acl_txt = NULL;
2972 
2973 	/* skip all but character and block devices */
2974 	if (!S_ISBLK(st->st_mode) && !S_ISCHR(st->st_mode))
2975 		return (0);
2976 
2977 	if ((acl_get(path, ACL_NO_TRIVIAL, &acl) == 0) &&
2978 	    acl != NULL) {
2979 		acl_txt = acl_totext(acl, ACL_NORESOLVE);
2980 		acl_free(acl);
2981 	}
2982 
2983 	if (strlen(path) <= g_devwalk_skip_prefix)
2984 		return (0);
2985 
2986 	(void) g_devwalk_cb(path + g_devwalk_skip_prefix, st->st_uid,
2987 	    st->st_gid, st->st_mode & S_IAMB, acl_txt != NULL ? acl_txt : "",
2988 	    g_devwalk_data);
2989 	free(acl_txt);
2990 	return (0);
2991 }
2992 
2993 /*
2994  * Walk the dev tree for the zone specified by hdl and call the
2995  * get_detach_dev_entry call-back function for each entry in the tree.  The
2996  * call-back will be passed the name, uid, gid, mode, acl string and the
2997  * handle input parameter for each dev entry.
2998  *
2999  * Data is passed to get_detach_dev_entry through the global variables
3000  * g_devwalk_data, *g_devwalk_cb, and g_devwalk_skip_prefix.  The
3001  * zonecfg_devwalk_cb function will actually call get_detach_dev_entry.
3002  */
3003 int
3004 zonecfg_dev_manifest(zone_dochandle_t hdl)
3005 {
3006 	char path[MAXPATHLEN];
3007 	int ret;
3008 
3009 	if ((ret = zonecfg_get_zonepath(hdl, path, sizeof (path))) != Z_OK)
3010 		return (ret);
3011 
3012 	if (strlcat(path, "/dev", sizeof (path)) >= sizeof (path))
3013 		return (Z_TOO_BIG);
3014 
3015 	/*
3016 	 * We have to serialize all devwalks in the same process
3017 	 * (which should be fine), since nftw() is so badly designed.
3018 	 */
3019 	(void) pthread_mutex_lock(&zonecfg_devwalk_lock);
3020 
3021 	g_devwalk_skip_prefix = strlen(path) + 1;
3022 	g_devwalk_data = (g_devwalk_data_t)hdl;
3023 	g_devwalk_cb = get_detach_dev_entry;
3024 	(void) nftw(path, zonecfg_devwalk_cb, 0, FTW_PHYS);
3025 
3026 	(void) pthread_mutex_unlock(&zonecfg_devwalk_lock);
3027 	return (Z_OK);
3028 }
3029 
3030 /*
3031  * Update the owner, group, mode and acl on the specified dev (inpath) for
3032  * the zone (hdl).  This function can be used to fix up the dev tree after
3033  * attaching a migrated zone.
3034  */
3035 int
3036 zonecfg_devperms_apply(zone_dochandle_t hdl, const char *inpath, uid_t owner,
3037     gid_t group, mode_t mode, const char *acltxt)
3038 {
3039 	int ret;
3040 	char path[MAXPATHLEN];
3041 	struct stat st;
3042 	acl_t *aclp;
3043 
3044 	if ((ret = zonecfg_get_zonepath(hdl, path, sizeof (path))) != Z_OK)
3045 		return (ret);
3046 
3047 	if (strlcat(path, "/dev/", sizeof (path)) >= sizeof (path))
3048 		return (Z_TOO_BIG);
3049 	if (strlcat(path, inpath, sizeof (path)) >= sizeof (path))
3050 		return (Z_TOO_BIG);
3051 
3052 	if (stat(path, &st) == -1)
3053 		return (Z_INVAL);
3054 
3055 	/* make sure we're only touching device nodes */
3056 	if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode))
3057 		return (Z_INVAL);
3058 
3059 	if (chown(path, owner, group) == -1)
3060 		return (Z_SYSTEM);
3061 
3062 	if (chmod(path, mode) == -1)
3063 		return (Z_SYSTEM);
3064 
3065 	if ((acltxt == NULL) || (strcmp(acltxt, "") == 0))
3066 		return (Z_OK);
3067 
3068 	if (acl_fromtext(acltxt, &aclp) != 0) {
3069 		errno = EINVAL;
3070 		return (Z_SYSTEM);
3071 	}
3072 
3073 	errno = 0;
3074 	if (acl_set(path, aclp) == -1) {
3075 		free(aclp);
3076 		return (Z_SYSTEM);
3077 	}
3078 
3079 	free(aclp);
3080 	return (Z_OK);
3081 }
3082 
3083 /*
3084  * This function finds everything mounted under a zone's rootpath.
3085  * This returns the number of mounts under rootpath, or -1 on error.
3086  * callback is called once per mount found with the first argument
3087  * pointing to a mnttab structure containing the mount's information.
3088  *
3089  * If the callback function returns non-zero zonecfg_find_mounts
3090  * aborts with an error.
3091  */
3092 int
3093 zonecfg_find_mounts(char *rootpath, int (*callback)(const struct mnttab *,
3094     void *), void *priv)
3095 {
3096 	FILE *mnttab;
3097 	struct mnttab m;
3098 	size_t l;
3099 	int zfsl;
3100 	int rv = 0;
3101 	char zfs_path[MAXPATHLEN];
3102 
3103 	assert(rootpath != NULL);
3104 
3105 	if ((zfsl = snprintf(zfs_path, sizeof (zfs_path), "%s/.zfs/", rootpath))
3106 	    >= sizeof (zfs_path))
3107 		return (-1);
3108 
3109 	l = strlen(rootpath);
3110 
3111 	mnttab = fopen("/etc/mnttab", "r");
3112 
3113 	if (mnttab == NULL)
3114 		return (-1);
3115 
3116 	if (ioctl(fileno(mnttab), MNTIOC_SHOWHIDDEN, NULL) < 0)  {
3117 		rv = -1;
3118 		goto out;
3119 	}
3120 
3121 	while (!getmntent(mnttab, &m)) {
3122 		if ((strncmp(rootpath, m.mnt_mountp, l) == 0) &&
3123 		    (m.mnt_mountp[l] == '/') &&
3124 		    (strncmp(zfs_path, m.mnt_mountp, zfsl) != 0)) {
3125 			rv++;
3126 			if (callback == NULL)
3127 				continue;
3128 			if (callback(&m, priv)) {
3129 				rv = -1;
3130 				goto out;
3131 
3132 			}
3133 		}
3134 	}
3135 
3136 out:
3137 	(void) fclose(mnttab);
3138 	return (rv);
3139 }
3140 
3141 int
3142 zonecfg_lookup_attr(zone_dochandle_t handle, struct zone_attrtab *tabptr)
3143 {
3144 	xmlNodePtr cur, firstmatch;
3145 	int err;
3146 	char name[MAXNAMELEN], type[MAXNAMELEN], value[MAXNAMELEN];
3147 
3148 	if (tabptr == NULL)
3149 		return (Z_INVAL);
3150 
3151 	if ((err = operation_prep(handle)) != Z_OK)
3152 		return (err);
3153 
3154 	cur = handle->zone_dh_cur;
3155 	firstmatch = NULL;
3156 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
3157 		if (xmlStrcmp(cur->name, DTD_ELEM_ATTR))
3158 			continue;
3159 		if (strlen(tabptr->zone_attr_name) > 0) {
3160 			if ((fetchprop(cur, DTD_ATTR_NAME, name,
3161 			    sizeof (name)) == Z_OK) &&
3162 			    (strcmp(tabptr->zone_attr_name, name) == 0)) {
3163 				if (firstmatch == NULL)
3164 					firstmatch = cur;
3165 				else
3166 					return (Z_INSUFFICIENT_SPEC);
3167 			}
3168 		}
3169 		if (strlen(tabptr->zone_attr_type) > 0) {
3170 			if ((fetchprop(cur, DTD_ATTR_TYPE, type,
3171 			    sizeof (type)) == Z_OK)) {
3172 				if (strcmp(tabptr->zone_attr_type, type) == 0) {
3173 					if (firstmatch == NULL)
3174 						firstmatch = cur;
3175 					else if (firstmatch != cur)
3176 						return (Z_INSUFFICIENT_SPEC);
3177 				} else {
3178 					/*
3179 					 * If another property matched but this
3180 					 * one doesn't then reset firstmatch.
3181 					 */
3182 					if (firstmatch == cur)
3183 						firstmatch = NULL;
3184 				}
3185 			}
3186 		}
3187 		if (strlen(tabptr->zone_attr_value) > 0) {
3188 			if ((fetchprop(cur, DTD_ATTR_VALUE, value,
3189 			    sizeof (value)) == Z_OK)) {
3190 				if (strcmp(tabptr->zone_attr_value, value) ==
3191 				    0) {
3192 					if (firstmatch == NULL)
3193 						firstmatch = cur;
3194 					else if (firstmatch != cur)
3195 						return (Z_INSUFFICIENT_SPEC);
3196 				} else {
3197 					/*
3198 					 * If another property matched but this
3199 					 * one doesn't then reset firstmatch.
3200 					 */
3201 					if (firstmatch == cur)
3202 						firstmatch = NULL;
3203 				}
3204 			}
3205 		}
3206 	}
3207 	if (firstmatch == NULL)
3208 		return (Z_NO_RESOURCE_ID);
3209 
3210 	cur = firstmatch;
3211 
3212 	if ((err = fetchprop(cur, DTD_ATTR_NAME, tabptr->zone_attr_name,
3213 	    sizeof (tabptr->zone_attr_name))) != Z_OK)
3214 		return (err);
3215 
3216 	if ((err = fetchprop(cur, DTD_ATTR_TYPE, tabptr->zone_attr_type,
3217 	    sizeof (tabptr->zone_attr_type))) != Z_OK)
3218 		return (err);
3219 
3220 	if ((err = fetchprop(cur, DTD_ATTR_VALUE, tabptr->zone_attr_value,
3221 	    sizeof (tabptr->zone_attr_value))) != Z_OK)
3222 		return (err);
3223 
3224 	return (Z_OK);
3225 }
3226 
3227 static int
3228 zonecfg_add_attr_core(zone_dochandle_t handle, struct zone_attrtab *tabptr)
3229 {
3230 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
3231 	int err;
3232 
3233 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_ATTR, NULL);
3234 	err = newprop(newnode, DTD_ATTR_NAME, tabptr->zone_attr_name);
3235 	if (err != Z_OK)
3236 		return (err);
3237 	err = newprop(newnode, DTD_ATTR_TYPE, tabptr->zone_attr_type);
3238 	if (err != Z_OK)
3239 		return (err);
3240 	err = newprop(newnode, DTD_ATTR_VALUE, tabptr->zone_attr_value);
3241 	if (err != Z_OK)
3242 		return (err);
3243 	return (Z_OK);
3244 }
3245 
3246 int
3247 zonecfg_add_attr(zone_dochandle_t handle, struct zone_attrtab *tabptr)
3248 {
3249 	int err;
3250 
3251 	if (tabptr == NULL)
3252 		return (Z_INVAL);
3253 
3254 	if ((err = operation_prep(handle)) != Z_OK)
3255 		return (err);
3256 
3257 	if ((err = zonecfg_add_attr_core(handle, tabptr)) != Z_OK)
3258 		return (err);
3259 
3260 	return (Z_OK);
3261 }
3262 
3263 static int
3264 zonecfg_delete_attr_core(zone_dochandle_t handle, struct zone_attrtab *tabptr)
3265 {
3266 	xmlNodePtr cur = handle->zone_dh_cur;
3267 	int name_match, type_match, value_match;
3268 
3269 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
3270 		if (xmlStrcmp(cur->name, DTD_ELEM_ATTR))
3271 			continue;
3272 
3273 		name_match = match_prop(cur, DTD_ATTR_NAME,
3274 		    tabptr->zone_attr_name);
3275 		type_match = match_prop(cur, DTD_ATTR_TYPE,
3276 		    tabptr->zone_attr_type);
3277 		value_match = match_prop(cur, DTD_ATTR_VALUE,
3278 		    tabptr->zone_attr_value);
3279 
3280 		if (name_match && type_match && value_match) {
3281 			xmlUnlinkNode(cur);
3282 			xmlFreeNode(cur);
3283 			return (Z_OK);
3284 		}
3285 	}
3286 	return (Z_NO_RESOURCE_ID);
3287 }
3288 
3289 int
3290 zonecfg_delete_attr(zone_dochandle_t handle, struct zone_attrtab *tabptr)
3291 {
3292 	int err;
3293 
3294 	if (tabptr == NULL)
3295 		return (Z_INVAL);
3296 
3297 	if ((err = operation_prep(handle)) != Z_OK)
3298 		return (err);
3299 
3300 	if ((err = zonecfg_delete_attr_core(handle, tabptr)) != Z_OK)
3301 		return (err);
3302 
3303 	return (Z_OK);
3304 }
3305 
3306 int
3307 zonecfg_modify_attr(
3308 	zone_dochandle_t handle,
3309 	struct zone_attrtab *oldtabptr,
3310 	struct zone_attrtab *newtabptr)
3311 {
3312 	int err;
3313 
3314 	if (oldtabptr == NULL || newtabptr == NULL)
3315 		return (Z_INVAL);
3316 
3317 	if ((err = operation_prep(handle)) != Z_OK)
3318 		return (err);
3319 
3320 	if ((err = zonecfg_delete_attr_core(handle, oldtabptr)) != Z_OK)
3321 		return (err);
3322 
3323 	if ((err = zonecfg_add_attr_core(handle, newtabptr)) != Z_OK)
3324 		return (err);
3325 
3326 	return (Z_OK);
3327 }
3328 
3329 int
3330 zonecfg_get_attr_boolean(const struct zone_attrtab *attr, boolean_t *value)
3331 {
3332 	if (attr == NULL)
3333 		return (Z_INVAL);
3334 
3335 	if (strcmp(attr->zone_attr_type, DTD_ENTITY_BOOLEAN) != 0)
3336 		return (Z_INVAL);
3337 
3338 	if (strcmp(attr->zone_attr_value, DTD_ENTITY_TRUE) == 0) {
3339 		*value = B_TRUE;
3340 		return (Z_OK);
3341 	}
3342 	if (strcmp(attr->zone_attr_value, DTD_ENTITY_FALSE) == 0) {
3343 		*value = B_FALSE;
3344 		return (Z_OK);
3345 	}
3346 	return (Z_INVAL);
3347 }
3348 
3349 int
3350 zonecfg_get_attr_int(const struct zone_attrtab *attr, int64_t *value)
3351 {
3352 	long long result;
3353 	char *endptr;
3354 
3355 	if (attr == NULL)
3356 		return (Z_INVAL);
3357 
3358 	if (strcmp(attr->zone_attr_type, DTD_ENTITY_INT) != 0)
3359 		return (Z_INVAL);
3360 
3361 	errno = 0;
3362 	result = strtoll(attr->zone_attr_value, &endptr, 10);
3363 	if (errno != 0 || *endptr != '\0')
3364 		return (Z_INVAL);
3365 	*value = result;
3366 	return (Z_OK);
3367 }
3368 
3369 int
3370 zonecfg_get_attr_string(const struct zone_attrtab *attr, char *value,
3371     size_t val_sz)
3372 {
3373 	if (attr == NULL)
3374 		return (Z_INVAL);
3375 
3376 	if (strcmp(attr->zone_attr_type, DTD_ENTITY_STRING) != 0)
3377 		return (Z_INVAL);
3378 
3379 	if (strlcpy(value, attr->zone_attr_value, val_sz) >= val_sz)
3380 		return (Z_TOO_BIG);
3381 	return (Z_OK);
3382 }
3383 
3384 int
3385 zonecfg_get_attr_uint(const struct zone_attrtab *attr, uint64_t *value)
3386 {
3387 	unsigned long long result;
3388 	long long neg_result;
3389 	char *endptr;
3390 
3391 	if (attr == NULL)
3392 		return (Z_INVAL);
3393 
3394 	if (strcmp(attr->zone_attr_type, DTD_ENTITY_UINT) != 0)
3395 		return (Z_INVAL);
3396 
3397 	errno = 0;
3398 	result = strtoull(attr->zone_attr_value, &endptr, 10);
3399 	if (errno != 0 || *endptr != '\0')
3400 		return (Z_INVAL);
3401 	errno = 0;
3402 	neg_result = strtoll(attr->zone_attr_value, &endptr, 10);
3403 	/*
3404 	 * Incredibly, strtoull("<negative number>", ...) will not fail but
3405 	 * return whatever (negative) number cast as a u_longlong_t, so we
3406 	 * need to look for this here.
3407 	 */
3408 	if (errno == 0 && neg_result < 0)
3409 		return (Z_INVAL);
3410 	*value = result;
3411 	return (Z_OK);
3412 }
3413 
3414 int
3415 zonecfg_lookup_rctl(zone_dochandle_t handle, struct zone_rctltab *tabptr)
3416 {
3417 	xmlNodePtr cur, val;
3418 	char savedname[MAXNAMELEN];
3419 	struct zone_rctlvaltab *valptr;
3420 	int err;
3421 
3422 	if (strlen(tabptr->zone_rctl_name) == 0)
3423 		return (Z_INVAL);
3424 
3425 	if ((err = operation_prep(handle)) != Z_OK)
3426 		return (err);
3427 
3428 	cur = handle->zone_dh_cur;
3429 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
3430 		if (xmlStrcmp(cur->name, DTD_ELEM_RCTL))
3431 			continue;
3432 		if ((fetchprop(cur, DTD_ATTR_NAME, savedname,
3433 		    sizeof (savedname)) == Z_OK) &&
3434 		    (strcmp(savedname, tabptr->zone_rctl_name) == 0)) {
3435 			tabptr->zone_rctl_valptr = NULL;
3436 			for (val = cur->xmlChildrenNode; val != NULL;
3437 			    val = val->next) {
3438 				valptr = (struct zone_rctlvaltab *)malloc(
3439 				    sizeof (struct zone_rctlvaltab));
3440 				if (valptr == NULL)
3441 					return (Z_NOMEM);
3442 				if ((fetchprop(val, DTD_ATTR_PRIV,
3443 				    valptr->zone_rctlval_priv,
3444 				    sizeof (valptr->zone_rctlval_priv)) !=
3445 				    Z_OK))
3446 					break;
3447 				if ((fetchprop(val, DTD_ATTR_LIMIT,
3448 				    valptr->zone_rctlval_limit,
3449 				    sizeof (valptr->zone_rctlval_limit)) !=
3450 				    Z_OK))
3451 					break;
3452 				if ((fetchprop(val, DTD_ATTR_ACTION,
3453 				    valptr->zone_rctlval_action,
3454 				    sizeof (valptr->zone_rctlval_action)) !=
3455 				    Z_OK))
3456 					break;
3457 				if (zonecfg_add_rctl_value(tabptr, valptr) !=
3458 				    Z_OK)
3459 					break;
3460 			}
3461 			return (Z_OK);
3462 		}
3463 	}
3464 	return (Z_NO_RESOURCE_ID);
3465 }
3466 
3467 static int
3468 zonecfg_add_rctl_core(zone_dochandle_t handle, struct zone_rctltab *tabptr)
3469 {
3470 	xmlNodePtr newnode, cur = handle->zone_dh_cur, valnode;
3471 	struct zone_rctlvaltab *valptr;
3472 	int err;
3473 
3474 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_RCTL, NULL);
3475 	err = newprop(newnode, DTD_ATTR_NAME, tabptr->zone_rctl_name);
3476 	if (err != Z_OK)
3477 		return (err);
3478 	for (valptr = tabptr->zone_rctl_valptr; valptr != NULL;
3479 	    valptr = valptr->zone_rctlval_next) {
3480 		valnode = xmlNewTextChild(newnode, NULL,
3481 		    DTD_ELEM_RCTLVALUE, NULL);
3482 		err = newprop(valnode, DTD_ATTR_PRIV,
3483 		    valptr->zone_rctlval_priv);
3484 		if (err != Z_OK)
3485 			return (err);
3486 		err = newprop(valnode, DTD_ATTR_LIMIT,
3487 		    valptr->zone_rctlval_limit);
3488 		if (err != Z_OK)
3489 			return (err);
3490 		err = newprop(valnode, DTD_ATTR_ACTION,
3491 		    valptr->zone_rctlval_action);
3492 		if (err != Z_OK)
3493 			return (err);
3494 	}
3495 	return (Z_OK);
3496 }
3497 
3498 int
3499 zonecfg_add_rctl(zone_dochandle_t handle, struct zone_rctltab *tabptr)
3500 {
3501 	int err;
3502 
3503 	if (tabptr == NULL)
3504 		return (Z_INVAL);
3505 
3506 	if ((err = operation_prep(handle)) != Z_OK)
3507 		return (err);
3508 
3509 	if ((err = zonecfg_add_rctl_core(handle, tabptr)) != Z_OK)
3510 		return (err);
3511 
3512 	return (Z_OK);
3513 }
3514 
3515 static int
3516 zonecfg_delete_rctl_core(zone_dochandle_t handle, struct zone_rctltab *tabptr)
3517 {
3518 	xmlNodePtr cur = handle->zone_dh_cur;
3519 	xmlChar *savedname;
3520 	int name_result;
3521 
3522 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
3523 		if (xmlStrcmp(cur->name, DTD_ELEM_RCTL))
3524 			continue;
3525 
3526 		savedname = xmlGetProp(cur, DTD_ATTR_NAME);
3527 		if (savedname == NULL)	/* shouldn't happen */
3528 			continue;
3529 		name_result = xmlStrcmp(savedname,
3530 		    (const xmlChar *) tabptr->zone_rctl_name);
3531 		xmlFree(savedname);
3532 
3533 		if (name_result == 0) {
3534 			xmlUnlinkNode(cur);
3535 			xmlFreeNode(cur);
3536 			return (Z_OK);
3537 		}
3538 	}
3539 	return (Z_NO_RESOURCE_ID);
3540 }
3541 
3542 int
3543 zonecfg_delete_rctl(zone_dochandle_t handle, struct zone_rctltab *tabptr)
3544 {
3545 	int err;
3546 
3547 	if (tabptr == NULL)
3548 		return (Z_INVAL);
3549 
3550 	if ((err = operation_prep(handle)) != Z_OK)
3551 		return (err);
3552 
3553 	if ((err = zonecfg_delete_rctl_core(handle, tabptr)) != Z_OK)
3554 		return (err);
3555 
3556 	return (Z_OK);
3557 }
3558 
3559 int
3560 zonecfg_modify_rctl(
3561 	zone_dochandle_t handle,
3562 	struct zone_rctltab *oldtabptr,
3563 	struct zone_rctltab *newtabptr)
3564 {
3565 	int err;
3566 
3567 	if (oldtabptr == NULL || newtabptr == NULL)
3568 		return (Z_INVAL);
3569 
3570 	if ((err = operation_prep(handle)) != Z_OK)
3571 		return (err);
3572 
3573 	if ((err = zonecfg_delete_rctl_core(handle, oldtabptr)) != Z_OK)
3574 		return (err);
3575 
3576 	if ((err = zonecfg_add_rctl_core(handle, newtabptr)) != Z_OK)
3577 		return (err);
3578 
3579 	return (Z_OK);
3580 }
3581 
3582 int
3583 zonecfg_add_rctl_value(
3584 	struct zone_rctltab *tabptr,
3585 	struct zone_rctlvaltab *valtabptr)
3586 {
3587 	struct zone_rctlvaltab *last, *old, *new;
3588 	rctlblk_t *rctlblk = alloca(rctlblk_size());
3589 
3590 	last = tabptr->zone_rctl_valptr;
3591 	for (old = last; old != NULL; old = old->zone_rctlval_next)
3592 		last = old;	/* walk to the end of the list */
3593 	new = valtabptr;	/* alloc'd by caller */
3594 	new->zone_rctlval_next = NULL;
3595 	if (zonecfg_construct_rctlblk(valtabptr, rctlblk) != Z_OK)
3596 		return (Z_INVAL);
3597 	if (!zonecfg_valid_rctlblk(rctlblk))
3598 		return (Z_INVAL);
3599 	if (last == NULL)
3600 		tabptr->zone_rctl_valptr = new;
3601 	else
3602 		last->zone_rctlval_next = new;
3603 	return (Z_OK);
3604 }
3605 
3606 int
3607 zonecfg_remove_rctl_value(
3608 	struct zone_rctltab *tabptr,
3609 	struct zone_rctlvaltab *valtabptr)
3610 {
3611 	struct zone_rctlvaltab *last, *this, *next;
3612 
3613 	last = tabptr->zone_rctl_valptr;
3614 	for (this = last; this != NULL; this = this->zone_rctlval_next) {
3615 		if (strcmp(this->zone_rctlval_priv,
3616 		    valtabptr->zone_rctlval_priv) == 0 &&
3617 		    strcmp(this->zone_rctlval_limit,
3618 		    valtabptr->zone_rctlval_limit) == 0 &&
3619 		    strcmp(this->zone_rctlval_action,
3620 		    valtabptr->zone_rctlval_action) == 0) {
3621 			next = this->zone_rctlval_next;
3622 			if (this == tabptr->zone_rctl_valptr)
3623 				tabptr->zone_rctl_valptr = next;
3624 			else
3625 				last->zone_rctlval_next = next;
3626 			free(this);
3627 			return (Z_OK);
3628 		} else
3629 			last = this;
3630 	}
3631 	return (Z_NO_PROPERTY_ID);
3632 }
3633 
3634 void
3635 zonecfg_set_swinv(zone_dochandle_t handle)
3636 {
3637 	handle->zone_dh_sw_inv = B_TRUE;
3638 }
3639 
3640 /*
3641  * Add the pkg to the sw inventory on the handle.
3642  */
3643 int
3644 zonecfg_add_pkg(zone_dochandle_t handle, char *name, char *version)
3645 {
3646 	xmlNodePtr newnode;
3647 	xmlNodePtr cur;
3648 	int err;
3649 
3650 	if ((err = operation_prep(handle)) != Z_OK)
3651 		return (err);
3652 
3653 	cur = handle->zone_dh_cur;
3654 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_PACKAGE, NULL);
3655 	if ((err = newprop(newnode, DTD_ATTR_NAME, name)) != Z_OK)
3656 		return (err);
3657 	if ((err = newprop(newnode, DTD_ATTR_VERSION, version)) != Z_OK)
3658 		return (err);
3659 	return (Z_OK);
3660 }
3661 
3662 char *
3663 zonecfg_strerror(int errnum)
3664 {
3665 	switch (errnum) {
3666 	case Z_OK:
3667 		return (dgettext(TEXT_DOMAIN, "OK"));
3668 	case Z_EMPTY_DOCUMENT:
3669 		return (dgettext(TEXT_DOMAIN, "Empty document"));
3670 	case Z_WRONG_DOC_TYPE:
3671 		return (dgettext(TEXT_DOMAIN, "Wrong document type"));
3672 	case Z_BAD_PROPERTY:
3673 		return (dgettext(TEXT_DOMAIN, "Bad document property"));
3674 	case Z_TEMP_FILE:
3675 		return (dgettext(TEXT_DOMAIN,
3676 		    "Problem creating temporary file"));
3677 	case Z_SAVING_FILE:
3678 		return (dgettext(TEXT_DOMAIN, "Problem saving file"));
3679 	case Z_NO_ENTRY:
3680 		return (dgettext(TEXT_DOMAIN, "No such entry"));
3681 	case Z_BOGUS_ZONE_NAME:
3682 		return (dgettext(TEXT_DOMAIN, "Bogus zone name"));
3683 	case Z_REQD_RESOURCE_MISSING:
3684 		return (dgettext(TEXT_DOMAIN, "Required resource missing"));
3685 	case Z_REQD_PROPERTY_MISSING:
3686 		return (dgettext(TEXT_DOMAIN, "Required property missing"));
3687 	case Z_BAD_HANDLE:
3688 		return (dgettext(TEXT_DOMAIN, "Bad handle"));
3689 	case Z_NOMEM:
3690 		return (dgettext(TEXT_DOMAIN, "Out of memory"));
3691 	case Z_INVAL:
3692 		return (dgettext(TEXT_DOMAIN, "Invalid argument"));
3693 	case Z_ACCES:
3694 		return (dgettext(TEXT_DOMAIN, "Permission denied"));
3695 	case Z_TOO_BIG:
3696 		return (dgettext(TEXT_DOMAIN, "Argument list too long"));
3697 	case Z_MISC_FS:
3698 		return (dgettext(TEXT_DOMAIN,
3699 		    "Miscellaneous file system error"));
3700 	case Z_NO_ZONE:
3701 		return (dgettext(TEXT_DOMAIN, "No such zone configured"));
3702 	case Z_NO_RESOURCE_TYPE:
3703 		return (dgettext(TEXT_DOMAIN, "No such resource type"));
3704 	case Z_NO_RESOURCE_ID:
3705 		return (dgettext(TEXT_DOMAIN, "No such resource with that id"));
3706 	case Z_NO_PROPERTY_TYPE:
3707 		return (dgettext(TEXT_DOMAIN, "No such property type"));
3708 	case Z_NO_PROPERTY_ID:
3709 		return (dgettext(TEXT_DOMAIN, "No such property with that id"));
3710 	case Z_BAD_ZONE_STATE:
3711 		return (dgettext(TEXT_DOMAIN,
3712 		    "Zone state is invalid for the requested operation"));
3713 	case Z_INVALID_DOCUMENT:
3714 		return (dgettext(TEXT_DOMAIN, "Invalid document"));
3715 	case Z_NAME_IN_USE:
3716 		return (dgettext(TEXT_DOMAIN, "Zone name already in use"));
3717 	case Z_NO_SUCH_ID:
3718 		return (dgettext(TEXT_DOMAIN, "No such zone ID"));
3719 	case Z_UPDATING_INDEX:
3720 		return (dgettext(TEXT_DOMAIN, "Problem updating index file"));
3721 	case Z_LOCKING_FILE:
3722 		return (dgettext(TEXT_DOMAIN, "Locking index file"));
3723 	case Z_UNLOCKING_FILE:
3724 		return (dgettext(TEXT_DOMAIN, "Unlocking index file"));
3725 	case Z_INSUFFICIENT_SPEC:
3726 		return (dgettext(TEXT_DOMAIN, "Insufficient specification"));
3727 	case Z_RESOLVED_PATH:
3728 		return (dgettext(TEXT_DOMAIN, "Resolved path mismatch"));
3729 	case Z_IPV6_ADDR_PREFIX_LEN:
3730 		return (dgettext(TEXT_DOMAIN,
3731 		    "IPv6 address missing required prefix length"));
3732 	case Z_BOGUS_ADDRESS:
3733 		return (dgettext(TEXT_DOMAIN,
3734 		    "Neither an IPv4 nor an IPv6 address nor a host name"));
3735 	case Z_PRIV_PROHIBITED:
3736 		return (dgettext(TEXT_DOMAIN,
3737 		    "Specified privilege is prohibited"));
3738 	case Z_PRIV_REQUIRED:
3739 		return (dgettext(TEXT_DOMAIN,
3740 		    "Required privilege is missing"));
3741 	case Z_PRIV_UNKNOWN:
3742 		return (dgettext(TEXT_DOMAIN,
3743 		    "Specified privilege is unknown"));
3744 	case Z_BRAND_ERROR:
3745 		return (dgettext(TEXT_DOMAIN,
3746 		    "Brand-specific error"));
3747 	case Z_INCOMPATIBLE:
3748 		return (dgettext(TEXT_DOMAIN, "Incompatible settings"));
3749 	case Z_ALIAS_DISALLOW:
3750 		return (dgettext(TEXT_DOMAIN,
3751 		    "An incompatible rctl already exists for this property"));
3752 	case Z_CLEAR_DISALLOW:
3753 		return (dgettext(TEXT_DOMAIN,
3754 		    "Clearing this property is not allowed"));
3755 	case Z_POOL:
3756 		return (dgettext(TEXT_DOMAIN, "libpool(3LIB) error"));
3757 	case Z_POOLS_NOT_ACTIVE:
3758 		return (dgettext(TEXT_DOMAIN, "Pools facility not active; "
3759 		    "zone will not be bound to pool"));
3760 	case Z_POOL_ENABLE:
3761 		return (dgettext(TEXT_DOMAIN,
3762 		    "Could not enable pools facility"));
3763 	case Z_NO_POOL:
3764 		return (dgettext(TEXT_DOMAIN,
3765 		    "Pool not found; using default pool"));
3766 	case Z_POOL_CREATE:
3767 		return (dgettext(TEXT_DOMAIN,
3768 		    "Could not create a temporary pool"));
3769 	case Z_POOL_BIND:
3770 		return (dgettext(TEXT_DOMAIN, "Could not bind zone to pool"));
3771 	case Z_INVALID_PROPERTY:
3772 		return (dgettext(TEXT_DOMAIN, "Specified property is invalid"));
3773 	case Z_SYSTEM:
3774 		return (strerror(errno));
3775 	default:
3776 		return (dgettext(TEXT_DOMAIN, "Unknown error"));
3777 	}
3778 }
3779 
3780 /*
3781  * Note that the zonecfg_setXent() and zonecfg_endXent() calls are all the
3782  * same, as they just turn around and call zonecfg_setent() / zonecfg_endent().
3783  */
3784 
3785 static int
3786 zonecfg_setent(zone_dochandle_t handle)
3787 {
3788 	xmlNodePtr cur;
3789 	int err;
3790 
3791 	if (handle == NULL)
3792 		return (Z_INVAL);
3793 
3794 	if ((err = operation_prep(handle)) != Z_OK) {
3795 		handle->zone_dh_cur = NULL;
3796 		return (err);
3797 	}
3798 	cur = handle->zone_dh_cur;
3799 	cur = cur->xmlChildrenNode;
3800 	handle->zone_dh_cur = cur;
3801 	return (Z_OK);
3802 }
3803 
3804 static int
3805 zonecfg_endent(zone_dochandle_t handle)
3806 {
3807 	if (handle == NULL)
3808 		return (Z_INVAL);
3809 
3810 	handle->zone_dh_cur = handle->zone_dh_top;
3811 	return (Z_OK);
3812 }
3813 
3814 /*
3815  * Do the work required to manipulate a process through libproc.
3816  * If grab_process() returns no errors (0), then release_process()
3817  * must eventually be called.
3818  *
3819  * Return values:
3820  *      0 Successful creation of agent thread
3821  *      1 Error grabbing
3822  *      2 Error creating agent
3823  */
3824 static int
3825 grab_process(pr_info_handle_t *p)
3826 {
3827 	int ret;
3828 
3829 	if ((p->pr = Pgrab(p->pid, 0, &ret)) != NULL) {
3830 
3831 		if (Psetflags(p->pr, PR_RLC) != 0) {
3832 			Prelease(p->pr, 0);
3833 			return (1);
3834 		}
3835 		if (Pcreate_agent(p->pr) == 0) {
3836 			return (0);
3837 
3838 		} else {
3839 			Prelease(p->pr, 0);
3840 			return (2);
3841 		}
3842 	} else {
3843 		return (1);
3844 	}
3845 }
3846 
3847 /*
3848  * Release the specified process. This destroys the agent
3849  * and releases the process. If the process is NULL, nothing
3850  * is done. This function should only be called if grab_process()
3851  * has previously been called and returned success.
3852  *
3853  * This function is Pgrab-safe.
3854  */
3855 static void
3856 release_process(struct ps_prochandle *Pr)
3857 {
3858 	if (Pr == NULL)
3859 		return;
3860 
3861 	Pdestroy_agent(Pr);
3862 	Prelease(Pr, 0);
3863 }
3864 
3865 static boolean_t
3866 grab_zone_proc(char *zonename, pr_info_handle_t *p)
3867 {
3868 	DIR *dirp;
3869 	struct dirent *dentp;
3870 	zoneid_t zoneid;
3871 	int pid_self;
3872 	psinfo_t psinfo;
3873 
3874 	if (zone_get_id(zonename, &zoneid) != 0)
3875 		return (B_FALSE);
3876 
3877 	pid_self = getpid();
3878 
3879 	if ((dirp = opendir("/proc")) == NULL)
3880 		return (B_FALSE);
3881 
3882 	while (dentp = readdir(dirp)) {
3883 		p->pid = atoi(dentp->d_name);
3884 
3885 		/* Skip self */
3886 		if (p->pid == pid_self)
3887 			continue;
3888 
3889 		if (proc_get_psinfo(p->pid, &psinfo) != 0)
3890 			continue;
3891 
3892 		if (psinfo.pr_zoneid != zoneid)
3893 			continue;
3894 
3895 		/* attempt to grab process */
3896 		if (grab_process(p) != 0)
3897 			continue;
3898 
3899 		if (pr_getzoneid(p->pr) != zoneid) {
3900 			release_process(p->pr);
3901 			continue;
3902 		}
3903 
3904 		(void) closedir(dirp);
3905 		return (B_TRUE);
3906 	}
3907 
3908 	(void) closedir(dirp);
3909 	return (B_FALSE);
3910 }
3911 
3912 static boolean_t
3913 get_priv_rctl(struct ps_prochandle *pr, char *name, rctlblk_t *rblk)
3914 {
3915 	if (pr_getrctl(pr, name, NULL, rblk, RCTL_FIRST))
3916 		return (B_FALSE);
3917 
3918 	if (rctlblk_get_privilege(rblk) == RCPRIV_PRIVILEGED)
3919 		return (B_TRUE);
3920 
3921 	while (pr_getrctl(pr, name, rblk, rblk, RCTL_NEXT) == 0) {
3922 		if (rctlblk_get_privilege(rblk) == RCPRIV_PRIVILEGED)
3923 			return (B_TRUE);
3924 	}
3925 
3926 	return (B_FALSE);
3927 }
3928 
3929 /*
3930  * Apply the current rctl settings to the specified, running zone.
3931  */
3932 int
3933 zonecfg_apply_rctls(char *zone_name, zone_dochandle_t handle)
3934 {
3935 	int err;
3936 	int res = Z_OK;
3937 	rctlblk_t *rblk;
3938 	pr_info_handle_t p;
3939 	struct zone_rctltab rctl;
3940 
3941 	if ((err = zonecfg_setrctlent(handle)) != Z_OK)
3942 		return (err);
3943 
3944 	if ((rblk = (rctlblk_t *)malloc(rctlblk_size())) == NULL) {
3945 		(void) zonecfg_endrctlent(handle);
3946 		return (Z_NOMEM);
3947 	}
3948 
3949 	if (!grab_zone_proc(zone_name, &p)) {
3950 		(void) zonecfg_endrctlent(handle);
3951 		free(rblk);
3952 		return (Z_SYSTEM);
3953 	}
3954 
3955 	while (zonecfg_getrctlent(handle, &rctl) == Z_OK) {
3956 		char *rname;
3957 		struct zone_rctlvaltab *valptr;
3958 
3959 		rname = rctl.zone_rctl_name;
3960 
3961 		/* first delete all current privileged settings for this rctl */
3962 		while (get_priv_rctl(p.pr, rname, rblk)) {
3963 			if (pr_setrctl(p.pr, rname, NULL, rblk, RCTL_DELETE) !=
3964 			    0) {
3965 				res = Z_SYSTEM;
3966 				goto done;
3967 			}
3968 		}
3969 
3970 		/* now set each new value for the rctl */
3971 		for (valptr = rctl.zone_rctl_valptr; valptr != NULL;
3972 		    valptr = valptr->zone_rctlval_next) {
3973 			if ((err = zonecfg_construct_rctlblk(valptr, rblk))
3974 			    != Z_OK) {
3975 				res = errno = err;
3976 				goto done;
3977 			}
3978 
3979 			if (pr_setrctl(p.pr, rname, NULL, rblk, RCTL_INSERT)) {
3980 				res = Z_SYSTEM;
3981 				goto done;
3982 			}
3983 		}
3984 	}
3985 
3986 done:
3987 	release_process(p.pr);
3988 	free(rblk);
3989 	(void) zonecfg_endrctlent(handle);
3990 
3991 	return (res);
3992 }
3993 
3994 static const xmlChar *
3995 nm_to_dtd(char *nm)
3996 {
3997 	if (strcmp(nm, "device") == 0)
3998 		return (DTD_ELEM_DEVICE);
3999 	if (strcmp(nm, "fs") == 0)
4000 		return (DTD_ELEM_FS);
4001 	if (strcmp(nm, "net") == 0)
4002 		return (DTD_ELEM_NET);
4003 	if (strcmp(nm, "attr") == 0)
4004 		return (DTD_ELEM_ATTR);
4005 	if (strcmp(nm, "rctl") == 0)
4006 		return (DTD_ELEM_RCTL);
4007 	if (strcmp(nm, "dataset") == 0)
4008 		return (DTD_ELEM_DATASET);
4009 	if (strcmp(nm, "admin") == 0)
4010 		return (DTD_ELEM_ADMIN);
4011 
4012 	return (NULL);
4013 }
4014 
4015 int
4016 zonecfg_num_resources(zone_dochandle_t handle, char *rsrc)
4017 {
4018 	int num = 0;
4019 	const xmlChar *dtd;
4020 	xmlNodePtr cur;
4021 
4022 	if ((dtd = nm_to_dtd(rsrc)) == NULL)
4023 		return (num);
4024 
4025 	if (zonecfg_setent(handle) != Z_OK)
4026 		return (num);
4027 
4028 	for (cur = handle->zone_dh_cur; cur != NULL; cur = cur->next)
4029 		if (xmlStrcmp(cur->name, dtd) == 0)
4030 			num++;
4031 
4032 	(void) zonecfg_endent(handle);
4033 
4034 	return (num);
4035 }
4036 
4037 int
4038 zonecfg_del_all_resources(zone_dochandle_t handle, char *rsrc)
4039 {
4040 	int err;
4041 	const xmlChar *dtd;
4042 	xmlNodePtr cur;
4043 
4044 	if ((dtd = nm_to_dtd(rsrc)) == NULL)
4045 		return (Z_NO_RESOURCE_TYPE);
4046 
4047 	if ((err = zonecfg_setent(handle)) != Z_OK)
4048 		return (err);
4049 
4050 	cur = handle->zone_dh_cur;
4051 	while (cur != NULL) {
4052 		xmlNodePtr tmp;
4053 
4054 		if (xmlStrcmp(cur->name, dtd)) {
4055 			cur = cur->next;
4056 			continue;
4057 		}
4058 
4059 		tmp = cur->next;
4060 		xmlUnlinkNode(cur);
4061 		xmlFreeNode(cur);
4062 		cur = tmp;
4063 	}
4064 
4065 	(void) zonecfg_endent(handle);
4066 	return (Z_OK);
4067 }
4068 
4069 static boolean_t
4070 valid_uint(char *s, uint64_t *n)
4071 {
4072 	char *endp;
4073 
4074 	/* strtoull accepts '-'?! so we want to flag that as an error */
4075 	if (strchr(s, '-') != NULL)
4076 		return (B_FALSE);
4077 
4078 	errno = 0;
4079 	*n = strtoull(s, &endp, 10);
4080 
4081 	if (errno != 0 || *endp != '\0')
4082 		return (B_FALSE);
4083 	return (B_TRUE);
4084 }
4085 
4086 /*
4087  * Convert a string representing a number (possibly a fraction) into an integer.
4088  * The string can have a modifier (K, M, G or T).   The modifiers are treated
4089  * as powers of two (not 10).
4090  */
4091 int
4092 zonecfg_str_to_bytes(char *str, uint64_t *bytes)
4093 {
4094 	long double val;
4095 	char *unitp;
4096 	uint64_t scale;
4097 
4098 	if ((val = strtold(str, &unitp)) < 0)
4099 		return (-1);
4100 
4101 	/* remove any leading white space from units string */
4102 	while (isspace(*unitp) != 0)
4103 		++unitp;
4104 
4105 	/* if no units explicitly set, error */
4106 	if (unitp == NULL || *unitp == '\0') {
4107 		scale = 1;
4108 	} else {
4109 		int i;
4110 		char *units[] = {"K", "M", "G", "T", NULL};
4111 
4112 		scale = 1024;
4113 
4114 		/* update scale based on units */
4115 		for (i = 0; units[i] != NULL; i++) {
4116 			if (strcasecmp(unitp, units[i]) == 0)
4117 				break;
4118 			scale <<= 10;
4119 		}
4120 
4121 		if (units[i] == NULL)
4122 			return (-1);
4123 	}
4124 
4125 	*bytes = (uint64_t)(val * scale);
4126 	return (0);
4127 }
4128 
4129 boolean_t
4130 zonecfg_valid_ncpus(char *lowstr, char *highstr)
4131 {
4132 	uint64_t low, high;
4133 
4134 	if (!valid_uint(lowstr, &low) || !valid_uint(highstr, &high) ||
4135 	    low < 1 || low > high)
4136 		return (B_FALSE);
4137 
4138 	return (B_TRUE);
4139 }
4140 
4141 boolean_t
4142 zonecfg_valid_importance(char *impstr)
4143 {
4144 	uint64_t num;
4145 
4146 	if (!valid_uint(impstr, &num))
4147 		return (B_FALSE);
4148 
4149 	return (B_TRUE);
4150 }
4151 
4152 boolean_t
4153 zonecfg_valid_alias_limit(char *name, char *limitstr, uint64_t *limit)
4154 {
4155 	int i;
4156 
4157 	for (i = 0; aliases[i].shortname != NULL; i++)
4158 		if (strcmp(name, aliases[i].shortname) == 0)
4159 			break;
4160 
4161 	if (aliases[i].shortname == NULL)
4162 		return (B_FALSE);
4163 
4164 	if (!valid_uint(limitstr, limit) || *limit < aliases[i].low_limit)
4165 		return (B_FALSE);
4166 
4167 	return (B_TRUE);
4168 }
4169 
4170 boolean_t
4171 zonecfg_valid_memlimit(char *memstr, uint64_t *mem_val)
4172 {
4173 	if (zonecfg_str_to_bytes(memstr, mem_val) != 0)
4174 		return (B_FALSE);
4175 
4176 	return (B_TRUE);
4177 }
4178 
4179 static int
4180 zerr_pool(char *pool_err, int err_size, int res)
4181 {
4182 	(void) strlcpy(pool_err, pool_strerror(pool_error()), err_size);
4183 	return (res);
4184 }
4185 
4186 static int
4187 create_tmp_pset(char *pool_err, int err_size, pool_conf_t *pconf, pool_t *pool,
4188     char *name, int min, int max)
4189 {
4190 	pool_resource_t *res;
4191 	pool_elem_t *elem;
4192 	pool_value_t *val;
4193 
4194 	if ((res = pool_resource_create(pconf, "pset", name)) == NULL)
4195 		return (zerr_pool(pool_err, err_size, Z_POOL));
4196 
4197 	if (pool_associate(pconf, pool, res) != PO_SUCCESS)
4198 		return (zerr_pool(pool_err, err_size, Z_POOL));
4199 
4200 	if ((elem = pool_resource_to_elem(pconf, res)) == NULL)
4201 		return (zerr_pool(pool_err, err_size, Z_POOL));
4202 
4203 	if ((val = pool_value_alloc()) == NULL)
4204 		return (zerr_pool(pool_err, err_size, Z_POOL));
4205 
4206 	/* set the maximum number of cpus for the pset */
4207 	pool_value_set_uint64(val, (uint64_t)max);
4208 
4209 	if (pool_put_property(pconf, elem, "pset.max", val) != PO_SUCCESS) {
4210 		pool_value_free(val);
4211 		return (zerr_pool(pool_err, err_size, Z_POOL));
4212 	}
4213 
4214 	/* set the minimum number of cpus for the pset */
4215 	pool_value_set_uint64(val, (uint64_t)min);
4216 
4217 	if (pool_put_property(pconf, elem, "pset.min", val) != PO_SUCCESS) {
4218 		pool_value_free(val);
4219 		return (zerr_pool(pool_err, err_size, Z_POOL));
4220 	}
4221 
4222 	pool_value_free(val);
4223 
4224 	return (Z_OK);
4225 }
4226 
4227 static int
4228 create_tmp_pool(char *pool_err, int err_size, pool_conf_t *pconf, char *name,
4229     struct zone_psettab *pset_tab)
4230 {
4231 	pool_t *pool;
4232 	int res = Z_OK;
4233 
4234 	/* create a temporary pool configuration */
4235 	if (pool_conf_open(pconf, NULL, PO_TEMP) != PO_SUCCESS) {
4236 		res = zerr_pool(pool_err, err_size, Z_POOL);
4237 		return (res);
4238 	}
4239 
4240 	if ((pool = pool_create(pconf, name)) == NULL) {
4241 		res = zerr_pool(pool_err, err_size, Z_POOL_CREATE);
4242 		goto done;
4243 	}
4244 
4245 	/* set pool importance */
4246 	if (pset_tab->zone_importance[0] != '\0') {
4247 		pool_elem_t *elem;
4248 		pool_value_t *val;
4249 
4250 		if ((elem = pool_to_elem(pconf, pool)) == NULL) {
4251 			res = zerr_pool(pool_err, err_size, Z_POOL);
4252 			goto done;
4253 		}
4254 
4255 		if ((val = pool_value_alloc()) == NULL) {
4256 			res = zerr_pool(pool_err, err_size, Z_POOL);
4257 			goto done;
4258 		}
4259 
4260 		pool_value_set_int64(val,
4261 		    (int64_t)atoi(pset_tab->zone_importance));
4262 
4263 		if (pool_put_property(pconf, elem, "pool.importance", val)
4264 		    != PO_SUCCESS) {
4265 			res = zerr_pool(pool_err, err_size, Z_POOL);
4266 			pool_value_free(val);
4267 			goto done;
4268 		}
4269 
4270 		pool_value_free(val);
4271 	}
4272 
4273 	if ((res = create_tmp_pset(pool_err, err_size, pconf, pool, name,
4274 	    atoi(pset_tab->zone_ncpu_min),
4275 	    atoi(pset_tab->zone_ncpu_max))) != Z_OK)
4276 		goto done;
4277 
4278 	/* validation */
4279 	if (pool_conf_status(pconf) == POF_INVALID) {
4280 		res = zerr_pool(pool_err, err_size, Z_POOL);
4281 		goto done;
4282 	}
4283 
4284 	/*
4285 	 * This validation is the one we expect to fail if the user specified
4286 	 * an invalid configuration (too many cpus) for this system.
4287 	 */
4288 	if (pool_conf_validate(pconf, POV_RUNTIME) != PO_SUCCESS) {
4289 		res = zerr_pool(pool_err, err_size, Z_POOL_CREATE);
4290 		goto done;
4291 	}
4292 
4293 	/*
4294 	 * Commit the dynamic configuration but not the pool configuration
4295 	 * file.
4296 	 */
4297 	if (pool_conf_commit(pconf, 1) != PO_SUCCESS)
4298 		res = zerr_pool(pool_err, err_size, Z_POOL);
4299 
4300 done:
4301 	(void) pool_conf_close(pconf);
4302 	return (res);
4303 }
4304 
4305 static int
4306 get_running_tmp_pset(pool_conf_t *pconf, pool_t *pool, pool_resource_t *pset,
4307     struct zone_psettab *pset_tab)
4308 {
4309 	int nfound = 0;
4310 	pool_elem_t *pe;
4311 	pool_value_t *pv = pool_value_alloc();
4312 	uint64_t val_uint;
4313 
4314 	if (pool != NULL) {
4315 		pe = pool_to_elem(pconf, pool);
4316 		if (pool_get_property(pconf, pe, "pool.importance", pv)
4317 		    != POC_INVAL) {
4318 			int64_t val_int;
4319 
4320 			(void) pool_value_get_int64(pv, &val_int);
4321 			(void) snprintf(pset_tab->zone_importance,
4322 			    sizeof (pset_tab->zone_importance), "%d", val_int);
4323 			nfound++;
4324 		}
4325 	}
4326 
4327 	if (pset != NULL) {
4328 		pe = pool_resource_to_elem(pconf, pset);
4329 		if (pool_get_property(pconf, pe, "pset.min", pv) != POC_INVAL) {
4330 			(void) pool_value_get_uint64(pv, &val_uint);
4331 			(void) snprintf(pset_tab->zone_ncpu_min,
4332 			    sizeof (pset_tab->zone_ncpu_min), "%u", val_uint);
4333 			nfound++;
4334 		}
4335 
4336 		if (pool_get_property(pconf, pe, "pset.max", pv) != POC_INVAL) {
4337 			(void) pool_value_get_uint64(pv, &val_uint);
4338 			(void) snprintf(pset_tab->zone_ncpu_max,
4339 			    sizeof (pset_tab->zone_ncpu_max), "%u", val_uint);
4340 			nfound++;
4341 		}
4342 	}
4343 
4344 	pool_value_free(pv);
4345 
4346 	if (nfound == 3)
4347 		return (PO_SUCCESS);
4348 
4349 	return (PO_FAIL);
4350 }
4351 
4352 /*
4353  * Determine if a tmp pool is configured and if so, if the configuration is
4354  * still valid or if it has been changed since the tmp pool was created.
4355  * If the tmp pool configuration is no longer valid, delete the tmp pool.
4356  *
4357  * Set *valid=B_TRUE if there is an existing, valid tmp pool configuration.
4358  */
4359 static int
4360 verify_del_tmp_pool(pool_conf_t *pconf, char *tmp_name, char *pool_err,
4361     int err_size, struct zone_psettab *pset_tab, boolean_t *exists)
4362 {
4363 	int res = Z_OK;
4364 	pool_t *pool;
4365 	pool_resource_t *pset;
4366 	struct zone_psettab pset_current;
4367 
4368 	*exists = B_FALSE;
4369 
4370 	if (pool_conf_open(pconf, pool_dynamic_location(), PO_RDWR)
4371 	    != PO_SUCCESS) {
4372 		res = zerr_pool(pool_err, err_size, Z_POOL);
4373 		return (res);
4374 	}
4375 
4376 	pool = pool_get_pool(pconf, tmp_name);
4377 	pset = pool_get_resource(pconf, "pset", tmp_name);
4378 
4379 	if (pool == NULL && pset == NULL) {
4380 		/* no tmp pool configured */
4381 		goto done;
4382 	}
4383 
4384 	/*
4385 	 * If an existing tmp pool for this zone is configured with the proper
4386 	 * settings, then the tmp pool is valid.
4387 	 */
4388 	if (get_running_tmp_pset(pconf, pool, pset, &pset_current)
4389 	    == PO_SUCCESS &&
4390 	    strcmp(pset_tab->zone_ncpu_min,
4391 	    pset_current.zone_ncpu_min) == 0 &&
4392 	    strcmp(pset_tab->zone_ncpu_max,
4393 	    pset_current.zone_ncpu_max) == 0 &&
4394 	    strcmp(pset_tab->zone_importance,
4395 	    pset_current.zone_importance) == 0) {
4396 		*exists = B_TRUE;
4397 
4398 	} else {
4399 		/*
4400 		 * An out-of-date tmp pool configuration exists.  Delete it
4401 		 * so that we can create the correct tmp pool config.
4402 		 */
4403 		if (pset != NULL &&
4404 		    pool_resource_destroy(pconf, pset) != PO_SUCCESS) {
4405 			res = zerr_pool(pool_err, err_size, Z_POOL);
4406 			goto done;
4407 		}
4408 
4409 		if (pool != NULL &&
4410 		    pool_destroy(pconf, pool) != PO_SUCCESS) {
4411 			res = zerr_pool(pool_err, err_size, Z_POOL);
4412 			goto done;
4413 		}
4414 
4415 		/* commit dynamic config */
4416 		if (pool_conf_commit(pconf, 0) != PO_SUCCESS)
4417 			res = zerr_pool(pool_err, err_size, Z_POOL);
4418 	}
4419 
4420 done:
4421 	(void) pool_conf_close(pconf);
4422 
4423 	return (res);
4424 }
4425 
4426 /*
4427  * Destroy any existing tmp pool.
4428  */
4429 int
4430 zonecfg_destroy_tmp_pool(char *zone_name, char *pool_err, int err_size)
4431 {
4432 	int status;
4433 	int res = Z_OK;
4434 	pool_conf_t *pconf;
4435 	pool_t *pool;
4436 	pool_resource_t *pset;
4437 	char tmp_name[MAX_TMP_POOL_NAME];
4438 
4439 	/* if pools not enabled then nothing to do */
4440 	if (pool_get_status(&status) != PO_SUCCESS || status != POOL_ENABLED)
4441 		return (Z_OK);
4442 
4443 	if ((pconf = pool_conf_alloc()) == NULL)
4444 		return (zerr_pool(pool_err, err_size, Z_POOL));
4445 
4446 	(void) snprintf(tmp_name, sizeof (tmp_name), TMP_POOL_NAME, zone_name);
4447 
4448 	if (pool_conf_open(pconf, pool_dynamic_location(), PO_RDWR)
4449 	    != PO_SUCCESS) {
4450 		res = zerr_pool(pool_err, err_size, Z_POOL);
4451 		pool_conf_free(pconf);
4452 		return (res);
4453 	}
4454 
4455 	pool = pool_get_pool(pconf, tmp_name);
4456 	pset = pool_get_resource(pconf, "pset", tmp_name);
4457 
4458 	if (pool == NULL && pset == NULL) {
4459 		/* nothing to destroy, we're done */
4460 		goto done;
4461 	}
4462 
4463 	if (pset != NULL && pool_resource_destroy(pconf, pset) != PO_SUCCESS) {
4464 		res = zerr_pool(pool_err, err_size, Z_POOL);
4465 		goto done;
4466 	}
4467 
4468 	if (pool != NULL && pool_destroy(pconf, pool) != PO_SUCCESS) {
4469 		res = zerr_pool(pool_err, err_size, Z_POOL);
4470 		goto done;
4471 	}
4472 
4473 	/* commit dynamic config */
4474 	if (pool_conf_commit(pconf, 0) != PO_SUCCESS)
4475 		res = zerr_pool(pool_err, err_size, Z_POOL);
4476 
4477 done:
4478 	(void) pool_conf_close(pconf);
4479 	pool_conf_free(pconf);
4480 
4481 	return (res);
4482 }
4483 
4484 /*
4485  * Attempt to bind to a tmp pool for this zone.  If there is no tmp pool
4486  * configured, we just return Z_OK.
4487  *
4488  * We either attempt to create the tmp pool for this zone or rebind to an
4489  * existing tmp pool for this zone.
4490  *
4491  * Rebinding is used when a zone with a tmp pool reboots so that we don't have
4492  * to recreate the tmp pool.  To do this we need to be sure we work correctly
4493  * for the following cases:
4494  *
4495  *	- there is an existing, properly configured tmp pool.
4496  *	- zonecfg added tmp pool after zone was booted, must now create.
4497  *	- zonecfg updated tmp pool config after zone was booted, in this case
4498  *	  we destroy the old tmp pool and create a new one.
4499  */
4500 int
4501 zonecfg_bind_tmp_pool(zone_dochandle_t handle, zoneid_t zoneid, char *pool_err,
4502     int err_size)
4503 {
4504 	struct zone_psettab pset_tab;
4505 	int err;
4506 	int status;
4507 	pool_conf_t *pconf;
4508 	boolean_t exists;
4509 	char zone_name[ZONENAME_MAX];
4510 	char tmp_name[MAX_TMP_POOL_NAME];
4511 
4512 	(void) getzonenamebyid(zoneid, zone_name, sizeof (zone_name));
4513 
4514 	err = zonecfg_lookup_pset(handle, &pset_tab);
4515 
4516 	/* if no temporary pool configured, we're done */
4517 	if (err == Z_NO_ENTRY)
4518 		return (Z_OK);
4519 
4520 	/*
4521 	 * importance might not have a value but we need to validate it here,
4522 	 * so set the default.
4523 	 */
4524 	if (pset_tab.zone_importance[0] == '\0')
4525 		(void) strlcpy(pset_tab.zone_importance, "1",
4526 		    sizeof (pset_tab.zone_importance));
4527 
4528 	/* if pools not enabled, enable them now */
4529 	if (pool_get_status(&status) != PO_SUCCESS || status != POOL_ENABLED) {
4530 		if (pool_set_status(POOL_ENABLED) != PO_SUCCESS)
4531 			return (Z_POOL_ENABLE);
4532 	}
4533 
4534 	if ((pconf = pool_conf_alloc()) == NULL)
4535 		return (zerr_pool(pool_err, err_size, Z_POOL));
4536 
4537 	(void) snprintf(tmp_name, sizeof (tmp_name), TMP_POOL_NAME, zone_name);
4538 
4539 	/*
4540 	 * Check if a valid tmp pool/pset already exists.  If so, we just
4541 	 * reuse it.
4542 	 */
4543 	if ((err = verify_del_tmp_pool(pconf, tmp_name, pool_err, err_size,
4544 	    &pset_tab, &exists)) != Z_OK) {
4545 		pool_conf_free(pconf);
4546 		return (err);
4547 	}
4548 
4549 	if (!exists)
4550 		err = create_tmp_pool(pool_err, err_size, pconf, tmp_name,
4551 		    &pset_tab);
4552 
4553 	pool_conf_free(pconf);
4554 
4555 	if (err != Z_OK)
4556 		return (err);
4557 
4558 	/* Bind the zone to the pool. */
4559 	if (pool_set_binding(tmp_name, P_ZONEID, zoneid) != PO_SUCCESS)
4560 		return (zerr_pool(pool_err, err_size, Z_POOL_BIND));
4561 
4562 	return (Z_OK);
4563 }
4564 
4565 /*
4566  * Attempt to bind to a permanent pool for this zone.  If there is no
4567  * permanent pool configured, we just return Z_OK.
4568  */
4569 int
4570 zonecfg_bind_pool(zone_dochandle_t handle, zoneid_t zoneid, char *pool_err,
4571     int err_size)
4572 {
4573 	pool_conf_t *poolconf;
4574 	pool_t *pool;
4575 	char poolname[MAXPATHLEN];
4576 	int status;
4577 	int error;
4578 
4579 	/*
4580 	 * Find the pool mentioned in the zone configuration, and bind to it.
4581 	 */
4582 	error = zonecfg_get_pool(handle, poolname, sizeof (poolname));
4583 	if (error == Z_NO_ENTRY || (error == Z_OK && strlen(poolname) == 0)) {
4584 		/*
4585 		 * The property is not set on the zone, so the pool
4586 		 * should be bound to the default pool.  But that's
4587 		 * already done by the kernel, so we can just return.
4588 		 */
4589 		return (Z_OK);
4590 	}
4591 	if (error != Z_OK) {
4592 		/*
4593 		 * Not an error, even though it shouldn't be happening.
4594 		 */
4595 		return (Z_OK);
4596 	}
4597 	/*
4598 	 * Don't do anything if pools aren't enabled.
4599 	 */
4600 	if (pool_get_status(&status) != PO_SUCCESS || status != POOL_ENABLED)
4601 		return (Z_POOLS_NOT_ACTIVE);
4602 
4603 	/*
4604 	 * Try to provide a sane error message if the requested pool doesn't
4605 	 * exist.
4606 	 */
4607 	if ((poolconf = pool_conf_alloc()) == NULL)
4608 		return (zerr_pool(pool_err, err_size, Z_POOL));
4609 
4610 	if (pool_conf_open(poolconf, pool_dynamic_location(), PO_RDONLY) !=
4611 	    PO_SUCCESS) {
4612 		pool_conf_free(poolconf);
4613 		return (zerr_pool(pool_err, err_size, Z_POOL));
4614 	}
4615 	pool = pool_get_pool(poolconf, poolname);
4616 	(void) pool_conf_close(poolconf);
4617 	pool_conf_free(poolconf);
4618 	if (pool == NULL)
4619 		return (Z_NO_POOL);
4620 
4621 	/*
4622 	 * Bind the zone to the pool.
4623 	 */
4624 	if (pool_set_binding(poolname, P_ZONEID, zoneid) != PO_SUCCESS) {
4625 		/* if bind fails, return poolname for the error msg */
4626 		(void) strlcpy(pool_err, poolname, err_size);
4627 		return (Z_POOL_BIND);
4628 	}
4629 
4630 	return (Z_OK);
4631 }
4632 
4633 int
4634 zonecfg_get_poolname(zone_dochandle_t handle, char *zone, char *pool,
4635     size_t poolsize)
4636 {
4637 	int err;
4638 	struct zone_psettab pset_tab;
4639 
4640 	err = zonecfg_lookup_pset(handle, &pset_tab);
4641 	if ((err != Z_NO_ENTRY) && (err != Z_OK))
4642 		return (err);
4643 
4644 	/* pset was found so a temporary pool was created */
4645 	if (err == Z_OK) {
4646 		(void) snprintf(pool, poolsize, TMP_POOL_NAME, zone);
4647 		return (Z_OK);
4648 	}
4649 
4650 	/* lookup the poolname in zonecfg */
4651 	return (zonecfg_get_pool(handle, pool, poolsize));
4652 }
4653 
4654 static boolean_t
4655 svc_enabled(char *svc_name)
4656 {
4657 	scf_simple_prop_t	*prop;
4658 	boolean_t		found = B_FALSE;
4659 
4660 	prop = scf_simple_prop_get(NULL, svc_name, SCF_PG_GENERAL,
4661 	    SCF_PROPERTY_ENABLED);
4662 
4663 	if (scf_simple_prop_numvalues(prop) == 1 &&
4664 	    *scf_simple_prop_next_boolean(prop) != 0)
4665 		found = B_TRUE;
4666 
4667 	scf_simple_prop_free(prop);
4668 
4669 	return (found);
4670 }
4671 
4672 /*
4673  * If the zone has capped-memory, make sure the rcap service is enabled.
4674  */
4675 int
4676 zonecfg_enable_rcapd(char *err, int size)
4677 {
4678 	if (!svc_enabled(RCAP_SERVICE) &&
4679 	    smf_enable_instance(RCAP_SERVICE, 0) == -1) {
4680 		(void) strlcpy(err, scf_strerror(scf_error()), size);
4681 		return (Z_SYSTEM);
4682 	}
4683 
4684 	return (Z_OK);
4685 }
4686 
4687 /*
4688  * Return true if pset has cpu range specified and poold is not enabled.
4689  */
4690 boolean_t
4691 zonecfg_warn_poold(zone_dochandle_t handle)
4692 {
4693 	struct zone_psettab pset_tab;
4694 	int min, max;
4695 	int err;
4696 
4697 	err = zonecfg_lookup_pset(handle, &pset_tab);
4698 
4699 	/* if no temporary pool configured, we're done */
4700 	if (err == Z_NO_ENTRY)
4701 		return (B_FALSE);
4702 
4703 	min = atoi(pset_tab.zone_ncpu_min);
4704 	max = atoi(pset_tab.zone_ncpu_max);
4705 
4706 	/* range not specified, no need for poold */
4707 	if (min == max)
4708 		return (B_FALSE);
4709 
4710 	/* we have a range, check if poold service is enabled */
4711 	if (svc_enabled(POOLD_SERVICE))
4712 		return (B_FALSE);
4713 
4714 	return (B_TRUE);
4715 }
4716 
4717 /*
4718  * Retrieve the specified pool's thread scheduling class.  'poolname' must
4719  * refer to the name of a configured resource pool.  The thread scheduling
4720  * class specified by the pool will be stored in the buffer to which 'class'
4721  * points.  'clsize' is the byte size of the buffer to which 'class' points.
4722  *
4723  * This function returns Z_OK if it successfully stored the specified pool's
4724  * thread scheduling class into the buffer to which 'class' points.  It returns
4725  * Z_NO_POOL if resource pools are not enabled, the function is unable to
4726  * access the system's resource pools configuration, or the specified pool
4727  * does not exist.  The function returns Z_TOO_BIG if the buffer to which
4728  * 'class' points is not large enough to contain the thread scheduling class'
4729  * name.  The function returns Z_NO_ENTRY if the pool does not specify a thread
4730  * scheduling class.
4731  */
4732 static int
4733 get_pool_sched_class(char *poolname, char *class, int clsize)
4734 {
4735 	int status;
4736 	pool_conf_t *poolconf;
4737 	pool_t *pool;
4738 	pool_elem_t *pe;
4739 	pool_value_t *pv = pool_value_alloc();
4740 	const char *sched_str;
4741 
4742 	if (pool_get_status(&status) != PO_SUCCESS || status != POOL_ENABLED)
4743 		return (Z_NO_POOL);
4744 
4745 	if ((poolconf = pool_conf_alloc()) == NULL)
4746 		return (Z_NO_POOL);
4747 
4748 	if (pool_conf_open(poolconf, pool_dynamic_location(), PO_RDONLY) !=
4749 	    PO_SUCCESS) {
4750 		pool_conf_free(poolconf);
4751 		return (Z_NO_POOL);
4752 	}
4753 
4754 	if ((pool = pool_get_pool(poolconf, poolname)) == NULL) {
4755 		(void) pool_conf_close(poolconf);
4756 		pool_conf_free(poolconf);
4757 		return (Z_NO_POOL);
4758 	}
4759 
4760 	pe = pool_to_elem(poolconf, pool);
4761 	if (pool_get_property(poolconf, pe, "pool.scheduler", pv) !=
4762 	    POC_STRING) {
4763 		(void) pool_conf_close(poolconf);
4764 		pool_conf_free(poolconf);
4765 		return (Z_NO_ENTRY);
4766 	}
4767 	(void) pool_value_get_string(pv, &sched_str);
4768 	(void) pool_conf_close(poolconf);
4769 	pool_conf_free(poolconf);
4770 	if (strlcpy(class, sched_str, clsize) >= clsize)
4771 		return (Z_TOO_BIG);
4772 	return (Z_OK);
4773 }
4774 
4775 /*
4776  * Get the default scheduling class for the zone.  This will either be the
4777  * class set on the zone's pool or the system default scheduling class.
4778  */
4779 int
4780 zonecfg_get_dflt_sched_class(zone_dochandle_t handle, char *class, int clsize)
4781 {
4782 	char poolname[MAXPATHLEN];
4783 
4784 	if (zonecfg_get_pool(handle, poolname, sizeof (poolname)) == Z_OK) {
4785 		/* check if the zone's pool specified a sched class */
4786 		if (get_pool_sched_class(poolname, class, clsize) == Z_OK)
4787 			return (Z_OK);
4788 	}
4789 
4790 	if (priocntl(0, 0, PC_GETDFLCL, class, (uint64_t)clsize) == -1)
4791 		return (Z_TOO_BIG);
4792 
4793 	return (Z_OK);
4794 }
4795 
4796 int
4797 zonecfg_setfsent(zone_dochandle_t handle)
4798 {
4799 	return (zonecfg_setent(handle));
4800 }
4801 
4802 int
4803 zonecfg_getfsent(zone_dochandle_t handle, struct zone_fstab *tabptr)
4804 {
4805 	xmlNodePtr cur, options;
4806 	char options_str[MAX_MNTOPT_STR];
4807 	int err;
4808 
4809 	if (handle == NULL)
4810 		return (Z_INVAL);
4811 
4812 	if ((cur = handle->zone_dh_cur) == NULL)
4813 		return (Z_NO_ENTRY);
4814 
4815 	for (; cur != NULL; cur = cur->next)
4816 		if (!xmlStrcmp(cur->name, DTD_ELEM_FS))
4817 			break;
4818 	if (cur == NULL) {
4819 		handle->zone_dh_cur = handle->zone_dh_top;
4820 		return (Z_NO_ENTRY);
4821 	}
4822 
4823 	if ((err = fetchprop(cur, DTD_ATTR_SPECIAL, tabptr->zone_fs_special,
4824 	    sizeof (tabptr->zone_fs_special))) != Z_OK) {
4825 		handle->zone_dh_cur = handle->zone_dh_top;
4826 		return (err);
4827 	}
4828 
4829 	if ((err = fetchprop(cur, DTD_ATTR_RAW, tabptr->zone_fs_raw,
4830 	    sizeof (tabptr->zone_fs_raw))) != Z_OK) {
4831 		handle->zone_dh_cur = handle->zone_dh_top;
4832 		return (err);
4833 	}
4834 
4835 	if ((err = fetchprop(cur, DTD_ATTR_DIR, tabptr->zone_fs_dir,
4836 	    sizeof (tabptr->zone_fs_dir))) != Z_OK) {
4837 		handle->zone_dh_cur = handle->zone_dh_top;
4838 		return (err);
4839 	}
4840 
4841 	if ((err = fetchprop(cur, DTD_ATTR_TYPE, tabptr->zone_fs_type,
4842 	    sizeof (tabptr->zone_fs_type))) != Z_OK) {
4843 		handle->zone_dh_cur = handle->zone_dh_top;
4844 		return (err);
4845 	}
4846 
4847 	/* OK for options to be NULL */
4848 	tabptr->zone_fs_options = NULL;
4849 	for (options = cur->xmlChildrenNode; options != NULL;
4850 	    options = options->next) {
4851 		if (fetchprop(options, DTD_ATTR_NAME, options_str,
4852 		    sizeof (options_str)) != Z_OK)
4853 			break;
4854 		if (zonecfg_add_fs_option(tabptr, options_str) != Z_OK)
4855 			break;
4856 	}
4857 
4858 	handle->zone_dh_cur = cur->next;
4859 	return (Z_OK);
4860 }
4861 
4862 int
4863 zonecfg_endfsent(zone_dochandle_t handle)
4864 {
4865 	return (zonecfg_endent(handle));
4866 }
4867 
4868 int
4869 zonecfg_setnwifent(zone_dochandle_t handle)
4870 {
4871 	return (zonecfg_setent(handle));
4872 }
4873 
4874 int
4875 zonecfg_getnwifent(zone_dochandle_t handle, struct zone_nwiftab *tabptr)
4876 {
4877 	xmlNodePtr cur;
4878 	int err;
4879 
4880 	if (handle == NULL)
4881 		return (Z_INVAL);
4882 
4883 	if ((cur = handle->zone_dh_cur) == NULL)
4884 		return (Z_NO_ENTRY);
4885 
4886 	for (; cur != NULL; cur = cur->next)
4887 		if (!xmlStrcmp(cur->name, DTD_ELEM_NET))
4888 			break;
4889 	if (cur == NULL) {
4890 		handle->zone_dh_cur = handle->zone_dh_top;
4891 		return (Z_NO_ENTRY);
4892 	}
4893 
4894 	if ((err = fetchprop(cur, DTD_ATTR_ADDRESS, tabptr->zone_nwif_address,
4895 	    sizeof (tabptr->zone_nwif_address))) != Z_OK) {
4896 		handle->zone_dh_cur = handle->zone_dh_top;
4897 		return (err);
4898 	}
4899 
4900 	if ((err = fetchprop(cur, DTD_ATTR_ALLOWED_ADDRESS,
4901 	    tabptr->zone_nwif_allowed_address,
4902 	    sizeof (tabptr->zone_nwif_allowed_address))) != Z_OK) {
4903 		handle->zone_dh_cur = handle->zone_dh_top;
4904 		return (err);
4905 	}
4906 
4907 	if ((err = fetchprop(cur, DTD_ATTR_PHYSICAL, tabptr->zone_nwif_physical,
4908 	    sizeof (tabptr->zone_nwif_physical))) != Z_OK) {
4909 		handle->zone_dh_cur = handle->zone_dh_top;
4910 		return (err);
4911 	}
4912 
4913 	if ((err = fetchprop(cur, DTD_ATTR_DEFROUTER,
4914 	    tabptr->zone_nwif_defrouter,
4915 	    sizeof (tabptr->zone_nwif_defrouter))) != Z_OK) {
4916 		handle->zone_dh_cur = handle->zone_dh_top;
4917 		return (err);
4918 	}
4919 
4920 	handle->zone_dh_cur = cur->next;
4921 	return (Z_OK);
4922 }
4923 
4924 int
4925 zonecfg_endnwifent(zone_dochandle_t handle)
4926 {
4927 	return (zonecfg_endent(handle));
4928 }
4929 
4930 int
4931 zonecfg_setdevent(zone_dochandle_t handle)
4932 {
4933 	return (zonecfg_setent(handle));
4934 }
4935 
4936 int
4937 zonecfg_getdevent(zone_dochandle_t handle, struct zone_devtab *tabptr)
4938 {
4939 	xmlNodePtr cur;
4940 	int err;
4941 
4942 	if (handle == NULL)
4943 		return (Z_INVAL);
4944 
4945 	if ((cur = handle->zone_dh_cur) == NULL)
4946 		return (Z_NO_ENTRY);
4947 
4948 	for (; cur != NULL; cur = cur->next)
4949 		if (!xmlStrcmp(cur->name, DTD_ELEM_DEVICE))
4950 			break;
4951 	if (cur == NULL) {
4952 		handle->zone_dh_cur = handle->zone_dh_top;
4953 		return (Z_NO_ENTRY);
4954 	}
4955 
4956 	if ((err = fetchprop(cur, DTD_ATTR_MATCH, tabptr->zone_dev_match,
4957 	    sizeof (tabptr->zone_dev_match))) != Z_OK) {
4958 		handle->zone_dh_cur = handle->zone_dh_top;
4959 		return (err);
4960 	}
4961 
4962 	handle->zone_dh_cur = cur->next;
4963 	return (Z_OK);
4964 }
4965 
4966 int
4967 zonecfg_enddevent(zone_dochandle_t handle)
4968 {
4969 	return (zonecfg_endent(handle));
4970 }
4971 
4972 int
4973 zonecfg_setrctlent(zone_dochandle_t handle)
4974 {
4975 	return (zonecfg_setent(handle));
4976 }
4977 
4978 int
4979 zonecfg_getrctlent(zone_dochandle_t handle, struct zone_rctltab *tabptr)
4980 {
4981 	xmlNodePtr cur, val;
4982 	struct zone_rctlvaltab *valptr;
4983 	int err;
4984 
4985 	if (handle == NULL)
4986 		return (Z_INVAL);
4987 
4988 	if ((cur = handle->zone_dh_cur) == NULL)
4989 		return (Z_NO_ENTRY);
4990 
4991 	for (; cur != NULL; cur = cur->next)
4992 		if (!xmlStrcmp(cur->name, DTD_ELEM_RCTL))
4993 			break;
4994 	if (cur == NULL) {
4995 		handle->zone_dh_cur = handle->zone_dh_top;
4996 		return (Z_NO_ENTRY);
4997 	}
4998 
4999 	if ((err = fetchprop(cur, DTD_ATTR_NAME, tabptr->zone_rctl_name,
5000 	    sizeof (tabptr->zone_rctl_name))) != Z_OK) {
5001 		handle->zone_dh_cur = handle->zone_dh_top;
5002 		return (err);
5003 	}
5004 
5005 	tabptr->zone_rctl_valptr = NULL;
5006 	for (val = cur->xmlChildrenNode; val != NULL; val = val->next) {
5007 		valptr = (struct zone_rctlvaltab *)malloc(
5008 		    sizeof (struct zone_rctlvaltab));
5009 		if (valptr == NULL)
5010 			return (Z_NOMEM);
5011 		if (fetchprop(val, DTD_ATTR_PRIV, valptr->zone_rctlval_priv,
5012 		    sizeof (valptr->zone_rctlval_priv)) != Z_OK)
5013 			break;
5014 		if (fetchprop(val, DTD_ATTR_LIMIT, valptr->zone_rctlval_limit,
5015 		    sizeof (valptr->zone_rctlval_limit)) != Z_OK)
5016 			break;
5017 		if (fetchprop(val, DTD_ATTR_ACTION, valptr->zone_rctlval_action,
5018 		    sizeof (valptr->zone_rctlval_action)) != Z_OK)
5019 			break;
5020 		if (zonecfg_add_rctl_value(tabptr, valptr) != Z_OK)
5021 			break;
5022 	}
5023 
5024 	handle->zone_dh_cur = cur->next;
5025 	return (Z_OK);
5026 }
5027 
5028 int
5029 zonecfg_endrctlent(zone_dochandle_t handle)
5030 {
5031 	return (zonecfg_endent(handle));
5032 }
5033 
5034 int
5035 zonecfg_setattrent(zone_dochandle_t handle)
5036 {
5037 	return (zonecfg_setent(handle));
5038 }
5039 
5040 int
5041 zonecfg_getattrent(zone_dochandle_t handle, struct zone_attrtab *tabptr)
5042 {
5043 	xmlNodePtr cur;
5044 	int err;
5045 
5046 	if (handle == NULL)
5047 		return (Z_INVAL);
5048 
5049 	if ((cur = handle->zone_dh_cur) == NULL)
5050 		return (Z_NO_ENTRY);
5051 
5052 	for (; cur != NULL; cur = cur->next)
5053 		if (!xmlStrcmp(cur->name, DTD_ELEM_ATTR))
5054 			break;
5055 	if (cur == NULL) {
5056 		handle->zone_dh_cur = handle->zone_dh_top;
5057 		return (Z_NO_ENTRY);
5058 	}
5059 
5060 	if ((err = fetchprop(cur, DTD_ATTR_NAME, tabptr->zone_attr_name,
5061 	    sizeof (tabptr->zone_attr_name))) != Z_OK) {
5062 		handle->zone_dh_cur = handle->zone_dh_top;
5063 		return (err);
5064 	}
5065 
5066 	if ((err = fetchprop(cur, DTD_ATTR_TYPE, tabptr->zone_attr_type,
5067 	    sizeof (tabptr->zone_attr_type))) != Z_OK) {
5068 		handle->zone_dh_cur = handle->zone_dh_top;
5069 		return (err);
5070 	}
5071 
5072 	if ((err = fetchprop(cur, DTD_ATTR_VALUE, tabptr->zone_attr_value,
5073 	    sizeof (tabptr->zone_attr_value))) != Z_OK) {
5074 		handle->zone_dh_cur = handle->zone_dh_top;
5075 		return (err);
5076 	}
5077 
5078 	handle->zone_dh_cur = cur->next;
5079 	return (Z_OK);
5080 }
5081 
5082 int
5083 zonecfg_endattrent(zone_dochandle_t handle)
5084 {
5085 	return (zonecfg_endent(handle));
5086 }
5087 
5088 int
5089 zonecfg_setadminent(zone_dochandle_t handle)
5090 {
5091 	return (zonecfg_setent(handle));
5092 }
5093 
5094 int
5095 zonecfg_getadminent(zone_dochandle_t handle, struct zone_admintab *tabptr)
5096 {
5097 	xmlNodePtr cur;
5098 	int err;
5099 
5100 	if (handle == NULL)
5101 		return (Z_INVAL);
5102 
5103 	if ((cur = handle->zone_dh_cur) == NULL)
5104 		return (Z_NO_ENTRY);
5105 
5106 	for (; cur != NULL; cur = cur->next)
5107 		if (!xmlStrcmp(cur->name, DTD_ELEM_ADMIN))
5108 			break;
5109 	if (cur == NULL) {
5110 		handle->zone_dh_cur = handle->zone_dh_top;
5111 		return (Z_NO_ENTRY);
5112 	}
5113 
5114 	if ((err = fetchprop(cur, DTD_ATTR_USER, tabptr->zone_admin_user,
5115 	    sizeof (tabptr->zone_admin_user))) != Z_OK) {
5116 		handle->zone_dh_cur = handle->zone_dh_top;
5117 		return (err);
5118 	}
5119 
5120 
5121 	if ((err = fetchprop(cur, DTD_ATTR_AUTHS, tabptr->zone_admin_auths,
5122 	    sizeof (tabptr->zone_admin_auths))) != Z_OK) {
5123 		handle->zone_dh_cur = handle->zone_dh_top;
5124 		return (err);
5125 	}
5126 
5127 	handle->zone_dh_cur = cur->next;
5128 	return (Z_OK);
5129 }
5130 
5131 int
5132 zonecfg_endadminent(zone_dochandle_t handle)
5133 {
5134 	return (zonecfg_endent(handle));
5135 }
5136 
5137 /*
5138  * The privileges available on the system and described in privileges(7)
5139  * fall into four categories with respect to non-global zones:
5140  *
5141  *      Default set of privileges considered safe for all non-global
5142  *      zones.  These privileges are "safe" in the sense that a
5143  *      privileged process in the zone cannot affect processes in any
5144  *      other zone on the system.
5145  *
5146  *      Set of privileges not currently permitted within a non-global
5147  *      zone.  These privileges are considered by default, "unsafe,"
5148  *      and include ones which affect global resources (such as the
5149  *      system clock or physical memory) or are overly broad and cover
5150  *      more than one mechanism in the system.  In other cases, there
5151  *      has not been sufficient virtualization in the parts of the
5152  *      system the privilege covers to allow its use within a
5153  *      non-global zone.
5154  *
5155  *      Set of privileges required in order to get a zone booted and
5156  *      init(8) started.  These cannot be removed from the zone's
5157  *      privilege set.
5158  *
5159  * All other privileges are optional and are potentially useful for
5160  * processes executing inside a non-global zone.
5161  *
5162  * When privileges are added to the system, a determination needs to be
5163  * made as to which category the privilege belongs to.  Ideally,
5164  * privileges should be fine-grained enough and the mechanisms they cover
5165  * virtualized enough so that they can be made available to non-global
5166  * zones.
5167  */
5168 
5169 /*
5170  * Define some of the tokens that priv_str_to_set(3C) recognizes.  Since
5171  * the privilege string separator can be any character, although it is
5172  * usually a comma character, define these here as well in the event that
5173  * they change or are augmented in the future.
5174  */
5175 #define	BASIC_TOKEN		"basic"
5176 #define	DEFAULT_TOKEN		"default"
5177 #define	ZONE_TOKEN		"zone"
5178 #define	TOKEN_PRIV_CHAR		','
5179 #define	TOKEN_PRIV_STR		","
5180 
5181 typedef struct priv_node {
5182 	struct priv_node	*pn_next;	/* Next privilege */
5183 	char			*pn_priv;	/* Privileges name */
5184 } priv_node_t;
5185 
5186 /* Privileges lists can differ across brands */
5187 typedef struct priv_lists {
5188 	/* Privileges considered safe for all non-global zones of a brand */
5189 	struct priv_node	*pl_default;
5190 
5191 	/* Privileges not permitted for all non-global zones of a brand */
5192 	struct priv_node	*pl_prohibited;
5193 
5194 	/* Privileges required for all non-global zones of a brand */
5195 	struct priv_node	*pl_required;
5196 
5197 	/*
5198 	 * ip-type of the zone these privileges lists apply to.
5199 	 * It is used to pass ip-type to the callback function,
5200 	 * priv_lists_cb, which has no way of getting the ip-type.
5201 	 */
5202 	const char		*pl_iptype;
5203 } priv_lists_t;
5204 
5205 static int
5206 priv_lists_cb(void *data, priv_iter_t *priv_iter)
5207 {
5208 	priv_lists_t *plp = (priv_lists_t *)data;
5209 	priv_node_t *pnp;
5210 
5211 	/* Skip this privilege if ip-type does not match */
5212 	if ((strcmp(priv_iter->pi_iptype, "all") != 0) &&
5213 	    (strcmp(priv_iter->pi_iptype, plp->pl_iptype) != 0))
5214 		return (0);
5215 
5216 	/* Allocate a new priv list node. */
5217 	if ((pnp = malloc(sizeof (*pnp))) == NULL)
5218 		return (-1);
5219 	if ((pnp->pn_priv = strdup(priv_iter->pi_name)) == NULL) {
5220 		free(pnp);
5221 		return (-1);
5222 	}
5223 
5224 	/* Insert the new priv list node into the right list */
5225 	if (strcmp(priv_iter->pi_set, "default") == 0) {
5226 		pnp->pn_next = plp->pl_default;
5227 		plp->pl_default = pnp;
5228 	} else if (strcmp(priv_iter->pi_set, "prohibited") == 0) {
5229 		pnp->pn_next = plp->pl_prohibited;
5230 		plp->pl_prohibited = pnp;
5231 	} else if (strcmp(priv_iter->pi_set, "required") == 0) {
5232 		pnp->pn_next = plp->pl_required;
5233 		plp->pl_required = pnp;
5234 	} else {
5235 		free(pnp->pn_priv);
5236 		free(pnp);
5237 		return (-1);
5238 	}
5239 	return (0);
5240 }
5241 
5242 static void
5243 priv_lists_destroy(priv_lists_t *plp)
5244 {
5245 	priv_node_t *pnp;
5246 
5247 	assert(plp != NULL);
5248 
5249 	while ((pnp = plp->pl_default) != NULL) {
5250 		plp->pl_default = pnp->pn_next;
5251 		free(pnp->pn_priv);
5252 		free(pnp);
5253 	}
5254 	while ((pnp = plp->pl_prohibited) != NULL) {
5255 		plp->pl_prohibited = pnp->pn_next;
5256 		free(pnp->pn_priv);
5257 		free(pnp);
5258 	}
5259 	while ((pnp = plp->pl_required) != NULL) {
5260 		plp->pl_required = pnp->pn_next;
5261 		free(pnp->pn_priv);
5262 		free(pnp);
5263 	}
5264 	free(plp);
5265 }
5266 
5267 static int
5268 priv_lists_create(zone_dochandle_t handle, char *brand, priv_lists_t **plpp,
5269     const char *curr_iptype)
5270 {
5271 	priv_lists_t *plp;
5272 	brand_handle_t bh;
5273 	char brand_str[MAXNAMELEN];
5274 
5275 	/* handle or brand must be set, but never both */
5276 	assert((handle != NULL) || (brand != NULL));
5277 	assert((handle == NULL) || (brand == NULL));
5278 
5279 	if (handle != NULL) {
5280 		brand = brand_str;
5281 		if (zonecfg_get_brand(handle, brand, sizeof (brand_str)) != 0)
5282 			return (Z_BRAND_ERROR);
5283 	}
5284 
5285 	if ((bh = brand_open(brand)) == NULL)
5286 		return (Z_BRAND_ERROR);
5287 
5288 	if ((plp = calloc(1, sizeof (priv_lists_t))) == NULL) {
5289 		brand_close(bh);
5290 		return (Z_NOMEM);
5291 	}
5292 
5293 	plp->pl_iptype = curr_iptype;
5294 
5295 	/* construct the privilege lists */
5296 	if (brand_config_iter_privilege(bh, priv_lists_cb, plp) != 0) {
5297 		priv_lists_destroy(plp);
5298 		brand_close(bh);
5299 		return (Z_BRAND_ERROR);
5300 	}
5301 
5302 	brand_close(bh);
5303 	*plpp = plp;
5304 	return (Z_OK);
5305 }
5306 
5307 static int
5308 get_default_privset(priv_set_t *privs, priv_lists_t *plp)
5309 {
5310 	priv_node_t *pnp;
5311 	priv_set_t *basic;
5312 
5313 	basic = priv_str_to_set(BASIC_TOKEN, TOKEN_PRIV_STR, NULL);
5314 	if (basic == NULL)
5315 		return (errno == ENOMEM ? Z_NOMEM : Z_INVAL);
5316 
5317 	priv_union(basic, privs);
5318 	priv_freeset(basic);
5319 
5320 	for (pnp = plp->pl_default; pnp != NULL; pnp = pnp->pn_next) {
5321 		if (priv_addset(privs, pnp->pn_priv) != 0)
5322 			return (Z_INVAL);
5323 	}
5324 
5325 	return (Z_OK);
5326 }
5327 
5328 int
5329 zonecfg_default_brand(char *brand, size_t brandsize)
5330 {
5331 	zone_dochandle_t handle;
5332 	int myzoneid = getzoneid();
5333 	int ret;
5334 
5335 	/*
5336 	 * If we're running within a zone, then the default brand is the
5337 	 * current zone's brand.
5338 	 */
5339 	if (myzoneid != GLOBAL_ZONEID) {
5340 		ret = zone_getattr(myzoneid, ZONE_ATTR_BRAND, brand, brandsize);
5341 		if (ret < 0)
5342 			return ((errno == EFAULT) ? Z_TOO_BIG : Z_INVAL);
5343 		return (Z_OK);
5344 	}
5345 
5346 	if ((handle = zonecfg_init_handle()) == NULL)
5347 		return (Z_NOMEM);
5348 	if ((ret = zonecfg_get_handle("SUNWdefault", handle)) == Z_OK) {
5349 		ret = i_zonecfg_get_brand(handle, brand, brandsize, B_TRUE);
5350 		zonecfg_fini_handle(handle);
5351 		return (ret);
5352 	}
5353 	return (ret);
5354 }
5355 
5356 int
5357 zonecfg_default_privset(priv_set_t *privs, const char *curr_iptype)
5358 {
5359 	priv_lists_t *plp;
5360 	char buf[MAXNAMELEN];
5361 	int ret;
5362 
5363 	if ((ret = zonecfg_default_brand(buf, sizeof (buf))) != Z_OK)
5364 		return (ret);
5365 	if ((ret = priv_lists_create(NULL, buf, &plp, curr_iptype)) != Z_OK)
5366 		return (ret);
5367 	ret = get_default_privset(privs, plp);
5368 	priv_lists_destroy(plp);
5369 	return (ret);
5370 }
5371 
5372 void
5373 append_priv_token(char *priv, char *str, size_t strlen)
5374 {
5375 	if (*str != '\0')
5376 		(void) strlcat(str, TOKEN_PRIV_STR, strlen);
5377 	(void) strlcat(str, priv, strlen);
5378 }
5379 
5380 /*
5381  * Verify that the supplied string is a valid privilege limit set for a
5382  * non-global zone.  This string must not only be acceptable to
5383  * priv_str_to_set(3C) which parses it, but it also must resolve to a
5384  * privilege set that includes certain required privileges and lacks
5385  * certain prohibited privileges.
5386  */
5387 static int
5388 verify_privset(char *privbuf, priv_set_t *privs, char **privname,
5389     boolean_t add_default, priv_lists_t *plp)
5390 {
5391 	priv_node_t *pnp;
5392 	char *tmp, *cp, *lasts;
5393 	size_t len;
5394 	priv_set_t *mergeset;
5395 	const char *token;
5396 
5397 	/*
5398 	 * The verification of the privilege string occurs in several
5399 	 * phases.  In the first phase, the supplied string is scanned for
5400 	 * the ZONE_TOKEN token which is not support as part of the
5401 	 * "limitpriv" property.
5402 	 *
5403 	 * Duplicate the supplied privilege string since strtok_r(3C)
5404 	 * tokenizes its input by null-terminating the tokens.
5405 	 */
5406 	if ((tmp = strdup(privbuf)) == NULL)
5407 		return (Z_NOMEM);
5408 	for (cp = strtok_r(tmp, TOKEN_PRIV_STR, &lasts); cp != NULL;
5409 	    cp = strtok_r(NULL, TOKEN_PRIV_STR, &lasts)) {
5410 		if (strcmp(cp, ZONE_TOKEN) == 0) {
5411 			free(tmp);
5412 			if ((*privname = strdup(ZONE_TOKEN)) == NULL)
5413 				return (Z_NOMEM);
5414 			else
5415 				return (Z_PRIV_UNKNOWN);
5416 		}
5417 	}
5418 	free(tmp);
5419 
5420 	if (add_default) {
5421 		/*
5422 		 * If DEFAULT_TOKEN was specified, a string needs to be
5423 		 * built containing the privileges from the default, safe
5424 		 * set along with those of the "limitpriv" property.
5425 		 */
5426 		len = strlen(privbuf) + sizeof (BASIC_TOKEN) + 2;
5427 
5428 		for (pnp = plp->pl_default; pnp != NULL; pnp = pnp->pn_next)
5429 			len += strlen(pnp->pn_priv) + 1;
5430 		tmp = alloca(len);
5431 		*tmp = '\0';
5432 
5433 		append_priv_token(BASIC_TOKEN, tmp, len);
5434 		for (pnp = plp->pl_default; pnp != NULL; pnp = pnp->pn_next)
5435 			append_priv_token(pnp->pn_priv, tmp, len);
5436 		(void) strlcat(tmp, TOKEN_PRIV_STR, len);
5437 		(void) strlcat(tmp, privbuf, len);
5438 	} else {
5439 		tmp = privbuf;
5440 	}
5441 
5442 
5443 	/*
5444 	 * In the next phase, attempt to convert the merged privilege
5445 	 * string into a privilege set.  In the case of an error, either
5446 	 * there was a memory allocation failure or there was an invalid
5447 	 * privilege token in the string.  In either case, return an
5448 	 * appropriate error code but in the event of an invalid token,
5449 	 * allocate a string containing its name and return that back to
5450 	 * the caller.
5451 	 */
5452 	mergeset = priv_str_to_set(tmp, TOKEN_PRIV_STR, &token);
5453 	if (mergeset == NULL) {
5454 		if (token == NULL)
5455 			return (Z_NOMEM);
5456 		if ((cp = strchr(token, TOKEN_PRIV_CHAR)) != NULL)
5457 			*cp = '\0';
5458 		if ((*privname = strdup(token)) == NULL)
5459 			return (Z_NOMEM);
5460 		else
5461 			return (Z_PRIV_UNKNOWN);
5462 	}
5463 
5464 	/*
5465 	 * Next, verify that none of the prohibited zone privileges are
5466 	 * present in the merged privilege set.
5467 	 */
5468 	for (pnp = plp->pl_prohibited; pnp != NULL; pnp = pnp->pn_next) {
5469 		if (priv_ismember(mergeset, pnp->pn_priv)) {
5470 			priv_freeset(mergeset);
5471 			if ((*privname = strdup(pnp->pn_priv)) == NULL)
5472 				return (Z_NOMEM);
5473 			else
5474 				return (Z_PRIV_PROHIBITED);
5475 		}
5476 	}
5477 
5478 	/*
5479 	 * Finally, verify that all of the required zone privileges are
5480 	 * present in the merged privilege set.
5481 	 */
5482 	for (pnp = plp->pl_required; pnp != NULL; pnp = pnp->pn_next) {
5483 		if (!priv_ismember(mergeset, pnp->pn_priv)) {
5484 			priv_freeset(mergeset);
5485 			if ((*privname = strdup(pnp->pn_priv)) == NULL)
5486 				return (Z_NOMEM);
5487 			else
5488 				return (Z_PRIV_REQUIRED);
5489 		}
5490 	}
5491 
5492 	priv_copyset(mergeset, privs);
5493 	priv_freeset(mergeset);
5494 	return (Z_OK);
5495 }
5496 
5497 /*
5498  * Fill in the supplied privilege set with either the default, safe set of
5499  * privileges suitable for a non-global zone, or one based on the
5500  * "limitpriv" property in the zone's configuration.
5501  *
5502  * In the event of an invalid privilege specification in the
5503  * configuration, a string is allocated and returned containing the
5504  * "privilege" causing the issue.  It is the caller's responsibility to
5505  * free this memory when it is done with it.
5506  */
5507 int
5508 zonecfg_get_privset(zone_dochandle_t handle, priv_set_t *privs,
5509     char **privname)
5510 {
5511 	priv_lists_t *plp;
5512 	char *cp, *limitpriv = NULL;
5513 	int err, limitlen;
5514 	zone_iptype_t iptype;
5515 	const char *curr_iptype;
5516 
5517 	/*
5518 	 * Attempt to lookup the "limitpriv" property.  If it does not
5519 	 * exist or matches the string DEFAULT_TOKEN exactly, then the
5520 	 * default, safe privilege set is returned.
5521 	 */
5522 	if ((err = zonecfg_get_limitpriv(handle, &limitpriv)) != Z_OK)
5523 		return (err);
5524 
5525 	if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK)
5526 		return (err);
5527 
5528 	switch (iptype) {
5529 	case ZS_SHARED:
5530 		curr_iptype = "shared";
5531 		break;
5532 	case ZS_EXCLUSIVE:
5533 		curr_iptype = "exclusive";
5534 		break;
5535 	}
5536 
5537 	if ((err = priv_lists_create(handle, NULL, &plp, curr_iptype)) != Z_OK)
5538 		return (err);
5539 
5540 	limitlen = strlen(limitpriv);
5541 	if (limitlen == 0 || strcmp(limitpriv, DEFAULT_TOKEN) == 0) {
5542 		free(limitpriv);
5543 		err = get_default_privset(privs, plp);
5544 		priv_lists_destroy(plp);
5545 		return (err);
5546 	}
5547 
5548 	/*
5549 	 * Check if the string DEFAULT_TOKEN is the first token in a list
5550 	 * of privileges.
5551 	 */
5552 	cp = strchr(limitpriv, TOKEN_PRIV_CHAR);
5553 	if (cp != NULL &&
5554 	    strncmp(limitpriv, DEFAULT_TOKEN, cp - limitpriv) == 0)
5555 		err = verify_privset(cp + 1, privs, privname, B_TRUE, plp);
5556 	else
5557 		err = verify_privset(limitpriv, privs, privname, B_FALSE, plp);
5558 
5559 	free(limitpriv);
5560 	priv_lists_destroy(plp);
5561 	return (err);
5562 }
5563 
5564 int
5565 zone_get_zonepath(char *zone_name, char *zonepath, size_t rp_sz)
5566 {
5567 	zone_dochandle_t handle;
5568 	boolean_t found = B_FALSE;
5569 	struct zoneent *ze;
5570 	FILE *cookie;
5571 	int err;
5572 	char *cp;
5573 
5574 	if (zone_name == NULL)
5575 		return (Z_INVAL);
5576 
5577 	(void) strlcpy(zonepath, zonecfg_root, rp_sz);
5578 	cp = zonepath + strlen(zonepath);
5579 	while (cp > zonepath && cp[-1] == '/')
5580 		*--cp = '\0';
5581 
5582 	if (strcmp(zone_name, GLOBAL_ZONENAME) == 0) {
5583 		if (zonepath[0] == '\0')
5584 			(void) strlcpy(zonepath, "/", rp_sz);
5585 		return (Z_OK);
5586 	}
5587 
5588 	/*
5589 	 * First check the index file.  Because older versions did not have
5590 	 * a copy of the zone path, allow for it to be zero length, in which
5591 	 * case we ignore this result and fall back to the XML files.
5592 	 */
5593 	cookie = setzoneent();
5594 	while ((ze = getzoneent_private(cookie)) != NULL) {
5595 		if (strcmp(ze->zone_name, zone_name) == 0) {
5596 			found = B_TRUE;
5597 			if (ze->zone_path[0] != '\0')
5598 				(void) strlcpy(cp, ze->zone_path,
5599 				    rp_sz - (cp - zonepath));
5600 		}
5601 		free(ze);
5602 		if (found)
5603 			break;
5604 	}
5605 	endzoneent(cookie);
5606 	if (found && *cp != '\0')
5607 		return (Z_OK);
5608 
5609 	/* Fall back to the XML files. */
5610 	if ((handle = zonecfg_init_handle()) == NULL)
5611 		return (Z_NOMEM);
5612 
5613 	/*
5614 	 * Check the snapshot first: if a zone is running, its zonepath
5615 	 * may have changed.
5616 	 */
5617 	if (zonecfg_get_snapshot_handle(zone_name, handle) != Z_OK) {
5618 		if ((err = zonecfg_get_handle(zone_name, handle)) != Z_OK) {
5619 			zonecfg_fini_handle(handle);
5620 			return (err);
5621 		}
5622 	}
5623 	err = zonecfg_get_zonepath(handle, zonepath, rp_sz);
5624 	zonecfg_fini_handle(handle);
5625 	return (err);
5626 }
5627 
5628 int
5629 zone_get_rootpath(char *zone_name, char *rootpath, size_t rp_sz)
5630 {
5631 	int err;
5632 
5633 	/* This function makes sense for non-global zones only. */
5634 	if (strcmp(zone_name, GLOBAL_ZONENAME) == 0)
5635 		return (Z_BOGUS_ZONE_NAME);
5636 	if ((err = zone_get_zonepath(zone_name, rootpath, rp_sz)) != Z_OK)
5637 		return (err);
5638 	if (strlcat(rootpath, "/root", rp_sz) >= rp_sz)
5639 		return (Z_TOO_BIG);
5640 	return (Z_OK);
5641 }
5642 
5643 int
5644 zone_get_brand(char *zone_name, char *brandname, size_t rp_sz)
5645 {
5646 	int err;
5647 	zone_dochandle_t handle;
5648 	char myzone[MAXNAMELEN];
5649 	int myzoneid = getzoneid();
5650 
5651 	/*
5652 	 * If we are not in the global zone, then we don't have the zone
5653 	 * .xml files with the brand name available.  Thus, we are going to
5654 	 * have to ask the kernel for the information.
5655 	 */
5656 	if (myzoneid != GLOBAL_ZONEID) {
5657 		if (is_system_labeled()) {
5658 			(void) strlcpy(brandname, NATIVE_BRAND_NAME, rp_sz);
5659 			return (Z_OK);
5660 		}
5661 		if (zone_getattr(myzoneid, ZONE_ATTR_NAME, myzone,
5662 		    sizeof (myzone)) < 0)
5663 			return (Z_NO_ZONE);
5664 		if (!zonecfg_is_scratch(myzone)) {
5665 			if (strncmp(zone_name, myzone, MAXNAMELEN) != 0)
5666 				return (Z_NO_ZONE);
5667 		}
5668 		err = zone_getattr(myzoneid, ZONE_ATTR_BRAND, brandname, rp_sz);
5669 		if (err < 0)
5670 			return ((errno == EFAULT) ? Z_TOO_BIG : Z_INVAL);
5671 
5672 		return (Z_OK);
5673 	}
5674 
5675 	if (strcmp(zone_name, "global") == 0)
5676 		return (zonecfg_default_brand(brandname, rp_sz));
5677 
5678 	if ((handle = zonecfg_init_handle()) == NULL)
5679 		return (Z_NOMEM);
5680 
5681 	err = zonecfg_get_handle((char *)zone_name, handle);
5682 	if (err == Z_OK)
5683 		err = zonecfg_get_brand(handle, brandname, rp_sz);
5684 
5685 	zonecfg_fini_handle(handle);
5686 	return (err);
5687 }
5688 
5689 /*
5690  * Return the appropriate root for the active /dev.
5691  * For normal zone, the path is $ZONEPATH/root;
5692  * for scratch zone, the dev path is $ZONEPATH/lu.
5693  */
5694 int
5695 zone_get_devroot(char *zone_name, char *devroot, size_t rp_sz)
5696 {
5697 	int err;
5698 	char *suffix;
5699 	zone_state_t state;
5700 
5701 	/* This function makes sense for non-global zones only. */
5702 	if (strcmp(zone_name, GLOBAL_ZONENAME) == 0)
5703 		return (Z_BOGUS_ZONE_NAME);
5704 	if ((err = zone_get_zonepath(zone_name, devroot, rp_sz)) != Z_OK)
5705 		return (err);
5706 
5707 	if (zone_get_state(zone_name, &state) == Z_OK &&
5708 	    state == ZONE_STATE_MOUNTED)
5709 		suffix = "/lu";
5710 	else
5711 		suffix = "/root";
5712 	if (strlcat(devroot, suffix, rp_sz) >= rp_sz)
5713 		return (Z_TOO_BIG);
5714 	return (Z_OK);
5715 }
5716 
5717 static zone_state_t
5718 kernel_state_to_user_state(zoneid_t zoneid, zone_status_t kernel_state)
5719 {
5720 	char zoneroot[MAXPATHLEN];
5721 	size_t zlen;
5722 
5723 	assert(kernel_state <= ZONE_MAX_STATE);
5724 	switch (kernel_state) {
5725 		case ZONE_IS_UNINITIALIZED:
5726 		case ZONE_IS_INITIALIZED:
5727 			/* The kernel will not return these two states */
5728 			return (ZONE_STATE_READY);
5729 		case ZONE_IS_READY:
5730 			/*
5731 			 * If the zone's root is mounted on $ZONEPATH/lu, then
5732 			 * it's a mounted scratch zone.
5733 			 */
5734 			if (zone_getattr(zoneid, ZONE_ATTR_ROOT, zoneroot,
5735 			    sizeof (zoneroot)) >= 0) {
5736 				zlen = strlen(zoneroot);
5737 				if (zlen > 3 &&
5738 				    strcmp(zoneroot + zlen - 3, "/lu") == 0)
5739 					return (ZONE_STATE_MOUNTED);
5740 			}
5741 			return (ZONE_STATE_READY);
5742 		case ZONE_IS_BOOTING:
5743 		case ZONE_IS_RUNNING:
5744 			return (ZONE_STATE_RUNNING);
5745 		case ZONE_IS_SHUTTING_DOWN:
5746 		case ZONE_IS_EMPTY:
5747 			return (ZONE_STATE_SHUTTING_DOWN);
5748 		case ZONE_IS_DOWN:
5749 		case ZONE_IS_DYING:
5750 		case ZONE_IS_DEAD:
5751 		default:
5752 			return (ZONE_STATE_DOWN);
5753 	}
5754 	/* NOTREACHED */
5755 }
5756 
5757 int
5758 zone_get_state(char *zone_name, zone_state_t *state_num)
5759 {
5760 	zone_status_t status;
5761 	zoneid_t zone_id;
5762 	struct zoneent *ze;
5763 	boolean_t found = B_FALSE;
5764 	FILE *cookie;
5765 	char kernzone[ZONENAME_MAX];
5766 	FILE *fp;
5767 
5768 	if (zone_name == NULL)
5769 		return (Z_INVAL);
5770 
5771 	/*
5772 	 * If we're looking at an alternate root, then we need to query the
5773 	 * kernel using the scratch zone name.
5774 	 */
5775 	zone_id = -1;
5776 	if (*zonecfg_root != '\0' && !zonecfg_is_scratch(zone_name)) {
5777 		if ((fp = zonecfg_open_scratch("", B_FALSE)) != NULL) {
5778 			if (zonecfg_find_scratch(fp, zone_name, zonecfg_root,
5779 			    kernzone, sizeof (kernzone)) == 0)
5780 				zone_id = getzoneidbyname(kernzone);
5781 			zonecfg_close_scratch(fp);
5782 		}
5783 	} else {
5784 		zone_id = getzoneidbyname(zone_name);
5785 	}
5786 
5787 	/* check to see if zone is running */
5788 	if (zone_id != -1 &&
5789 	    zone_getattr(zone_id, ZONE_ATTR_STATUS, &status,
5790 	    sizeof (status)) >= 0) {
5791 		*state_num = kernel_state_to_user_state(zone_id, status);
5792 		return (Z_OK);
5793 	}
5794 
5795 	cookie = setzoneent();
5796 	while ((ze = getzoneent_private(cookie)) != NULL) {
5797 		if (strcmp(ze->zone_name, zone_name) == 0) {
5798 			found = B_TRUE;
5799 			*state_num = ze->zone_state;
5800 		}
5801 		free(ze);
5802 		if (found)
5803 			break;
5804 	}
5805 	endzoneent(cookie);
5806 	return ((found) ? Z_OK : Z_NO_ZONE);
5807 }
5808 
5809 int
5810 zone_set_state(char *zone, zone_state_t state)
5811 {
5812 	struct zoneent ze;
5813 
5814 	if (state != ZONE_STATE_CONFIGURED && state != ZONE_STATE_INSTALLED &&
5815 	    state != ZONE_STATE_INCOMPLETE)
5816 		return (Z_INVAL);
5817 
5818 	bzero(&ze, sizeof (ze));
5819 	(void) strlcpy(ze.zone_name, zone, sizeof (ze.zone_name));
5820 	ze.zone_state = state;
5821 	(void) strlcpy(ze.zone_path, "", sizeof (ze.zone_path));
5822 	return (putzoneent(&ze, PZE_MODIFY));
5823 }
5824 
5825 /*
5826  * Get id (if any) for specified zone.  There are four possible outcomes:
5827  * - If the string corresponds to the numeric id of an active (booted)
5828  *   zone, sets *zip to the zone id and returns 0.
5829  * - If the string corresponds to the name of an active (booted) zone,
5830  *   sets *zip to the zone id and returns 0.
5831  * - If the string is a name in the configuration but is not booted,
5832  *   sets *zip to ZONE_ID_UNDEFINED and returns 0.
5833  * - Otherwise, leaves *zip unchanged and returns -1.
5834  *
5835  * This function acts as an auxiliary filter on the function of the same
5836  * name in libc; the linker binds to this version if libzonecfg exists,
5837  * and the libc version if it doesn't.  Any changes to this version of
5838  * the function should probably be reflected in the libc version as well.
5839  */
5840 int
5841 zone_get_id(const char *str, zoneid_t *zip)
5842 {
5843 	zone_dochandle_t hdl;
5844 	zoneid_t zoneid;
5845 	char *cp;
5846 	int err;
5847 
5848 	/* first try looking for active zone by id */
5849 	errno = 0;
5850 	zoneid = (zoneid_t)strtol(str, &cp, 0);
5851 	if (errno == 0 && cp != str && *cp == '\0' &&
5852 	    getzonenamebyid(zoneid, NULL, 0) != -1) {
5853 		*zip = zoneid;
5854 		return (0);
5855 	}
5856 
5857 	/* then look for active zone by name */
5858 	if ((zoneid = getzoneidbyname(str)) != -1) {
5859 		*zip = zoneid;
5860 		return (0);
5861 	}
5862 
5863 	/* if in global zone, try looking up name in configuration database */
5864 	if (getzoneid() != GLOBAL_ZONEID ||
5865 	    (hdl = zonecfg_init_handle()) == NULL)
5866 		return (-1);
5867 
5868 	if (zonecfg_get_handle(str, hdl) == Z_OK) {
5869 		/* zone exists but isn't active */
5870 		*zip = ZONE_ID_UNDEFINED;
5871 		err = 0;
5872 	} else {
5873 		err = -1;
5874 	}
5875 
5876 	zonecfg_fini_handle(hdl);
5877 	return (err);
5878 }
5879 
5880 char *
5881 zone_state_str(zone_state_t state_num)
5882 {
5883 	switch (state_num) {
5884 	case ZONE_STATE_CONFIGURED:
5885 		return (ZONE_STATE_STR_CONFIGURED);
5886 	case ZONE_STATE_INCOMPLETE:
5887 		return (ZONE_STATE_STR_INCOMPLETE);
5888 	case ZONE_STATE_INSTALLED:
5889 		return (ZONE_STATE_STR_INSTALLED);
5890 	case ZONE_STATE_READY:
5891 		return (ZONE_STATE_STR_READY);
5892 	case ZONE_STATE_MOUNTED:
5893 		return (ZONE_STATE_STR_MOUNTED);
5894 	case ZONE_STATE_RUNNING:
5895 		return (ZONE_STATE_STR_RUNNING);
5896 	case ZONE_STATE_SHUTTING_DOWN:
5897 		return (ZONE_STATE_STR_SHUTTING_DOWN);
5898 	case ZONE_STATE_DOWN:
5899 		return (ZONE_STATE_STR_DOWN);
5900 	default:
5901 		return ("unknown");
5902 	}
5903 }
5904 
5905 /*
5906  * Given a UUID value, find an associated zone name.  This is intended to be
5907  * used by callers who set up some 'default' name (corresponding to the
5908  * expected name for the zone) in the zonename buffer, and thus the function
5909  * doesn't touch this buffer on failure.
5910  */
5911 int
5912 zonecfg_get_name_by_uuid(const uuid_t uuidin, char *zonename, size_t namelen)
5913 {
5914 	FILE *fp;
5915 	struct zoneent *ze;
5916 	uchar_t *uuid;
5917 
5918 	/*
5919 	 * A small amount of subterfuge via casts is necessary here because
5920 	 * libuuid doesn't use const correctly, but we don't want to export
5921 	 * this brokenness to our clients.
5922 	 */
5923 	uuid = (uchar_t *)uuidin;
5924 	if (uuid_is_null(uuid))
5925 		return (Z_NO_ZONE);
5926 	if ((fp = setzoneent()) == NULL)
5927 		return (Z_NO_ZONE);
5928 	while ((ze = getzoneent_private(fp)) != NULL) {
5929 		if (uuid_compare(uuid, ze->zone_uuid) == 0)
5930 			break;
5931 		free(ze);
5932 	}
5933 	endzoneent(fp);
5934 	if (ze != NULL) {
5935 		(void) strlcpy(zonename, ze->zone_name, namelen);
5936 		free(ze);
5937 		return (Z_OK);
5938 	} else {
5939 		return (Z_NO_ZONE);
5940 	}
5941 }
5942 
5943 /*
5944  * Given a zone name, get its UUID.  Returns a "NULL" UUID value if the zone
5945  * exists but the file doesn't have a value set yet.  Returns an error if the
5946  * zone cannot be located.
5947  */
5948 int
5949 zonecfg_get_uuid(const char *zonename, uuid_t uuid)
5950 {
5951 	FILE *fp;
5952 	struct zoneent *ze;
5953 
5954 	if ((fp = setzoneent()) == NULL)
5955 		return (Z_NO_ZONE);
5956 	while ((ze = getzoneent_private(fp)) != NULL) {
5957 		if (strcmp(ze->zone_name, zonename) == 0)
5958 			break;
5959 		free(ze);
5960 	}
5961 	endzoneent(fp);
5962 	if (ze != NULL) {
5963 		uuid_copy(uuid, ze->zone_uuid);
5964 		free(ze);
5965 		return (Z_OK);
5966 	} else {
5967 		return (Z_NO_ZONE);
5968 	}
5969 }
5970 
5971 /*
5972  * File-system convenience functions.
5973  */
5974 boolean_t
5975 zonecfg_valid_fs_type(const char *type)
5976 {
5977 	/*
5978 	 * We already know which FS types don't work.
5979 	 */
5980 	if (strcmp(type, "proc") == 0 ||
5981 	    strcmp(type, "mntfs") == 0 ||
5982 	    strcmp(type, "autofs") == 0 ||
5983 	    strncmp(type, "nfs", sizeof ("nfs") - 1) == 0)
5984 		return (B_FALSE);
5985 	/*
5986 	 * The caller may do more detailed verification to make sure other
5987 	 * aspects of this filesystem type make sense.
5988 	 */
5989 	return (B_TRUE);
5990 }
5991 
5992 /*
5993  * Generally uninteresting rctl convenience functions.
5994  */
5995 
5996 int
5997 zonecfg_construct_rctlblk(const struct zone_rctlvaltab *rctlval,
5998     rctlblk_t *rctlblk)
5999 {
6000 	unsigned long long ull;
6001 	char *endp;
6002 	rctl_priv_t priv;
6003 	rctl_qty_t limit;
6004 	uint_t action;
6005 
6006 	/* Get the privilege */
6007 	if (strcmp(rctlval->zone_rctlval_priv, "basic") == 0) {
6008 		priv = RCPRIV_BASIC;
6009 	} else if (strcmp(rctlval->zone_rctlval_priv, "privileged") == 0) {
6010 		priv = RCPRIV_PRIVILEGED;
6011 	} else {
6012 		/* Invalid privilege */
6013 		return (Z_INVAL);
6014 	}
6015 
6016 	/* deal with negative input; strtoull(3c) doesn't do what we want */
6017 	if (rctlval->zone_rctlval_limit[0] == '-')
6018 		return (Z_INVAL);
6019 	/* Get the limit */
6020 	errno = 0;
6021 	ull = strtoull(rctlval->zone_rctlval_limit, &endp, 0);
6022 	if (errno != 0 || *endp != '\0') {
6023 		/* parse failed */
6024 		return (Z_INVAL);
6025 	}
6026 	limit = (rctl_qty_t)ull;
6027 
6028 	/* Get the action */
6029 	if (strcmp(rctlval->zone_rctlval_action, "none") == 0) {
6030 		action = RCTL_LOCAL_NOACTION;
6031 	} else if (strcmp(rctlval->zone_rctlval_action, "signal") == 0) {
6032 		action = RCTL_LOCAL_SIGNAL;
6033 	} else if (strcmp(rctlval->zone_rctlval_action, "deny") == 0) {
6034 		action = RCTL_LOCAL_DENY;
6035 	} else {
6036 		/* Invalid Action */
6037 		return (Z_INVAL);
6038 	}
6039 	rctlblk_set_local_action(rctlblk, action, 0);
6040 	rctlblk_set_privilege(rctlblk, priv);
6041 	rctlblk_set_value(rctlblk, limit);
6042 	return (Z_OK);
6043 }
6044 
6045 static int
6046 rctl_check(const char *rctlname, void *arg)
6047 {
6048 	const char *attrname = arg;
6049 
6050 	/*
6051 	 * Returning 1 here is our signal to zonecfg_is_rctl() that it is
6052 	 * indeed an rctl name recognized by the system.
6053 	 */
6054 	return (strcmp(rctlname, attrname) == 0 ? 1 : 0);
6055 }
6056 
6057 boolean_t
6058 zonecfg_is_rctl(const char *name)
6059 {
6060 	return (rctl_walk(rctl_check, (void *)name) == 1);
6061 }
6062 
6063 boolean_t
6064 zonecfg_valid_rctlname(const char *name)
6065 {
6066 	const char *c;
6067 
6068 	if (strncmp(name, "zone.", sizeof ("zone.") - 1) != 0)
6069 		return (B_FALSE);
6070 	if (strlen(name) == sizeof ("zone.") - 1)
6071 		return (B_FALSE);
6072 	for (c = name + sizeof ("zone.") - 1; *c != '\0'; c++) {
6073 		if (!isalpha(*c) && *c != '-')
6074 			return (B_FALSE);
6075 	}
6076 	return (B_TRUE);
6077 }
6078 
6079 boolean_t
6080 zonecfg_valid_rctlblk(const rctlblk_t *rctlblk)
6081 {
6082 	rctl_priv_t priv = rctlblk_get_privilege((rctlblk_t *)rctlblk);
6083 	uint_t action = rctlblk_get_local_action((rctlblk_t *)rctlblk, NULL);
6084 
6085 	if (priv != RCPRIV_PRIVILEGED)
6086 		return (B_FALSE);
6087 	if (action != RCTL_LOCAL_NOACTION && action != RCTL_LOCAL_DENY)
6088 		return (B_FALSE);
6089 	return (B_TRUE);
6090 }
6091 
6092 boolean_t
6093 zonecfg_valid_rctl(const char *name, const rctlblk_t *rctlblk)
6094 {
6095 	rctlblk_t *current, *next;
6096 	rctl_qty_t limit = rctlblk_get_value((rctlblk_t *)rctlblk);
6097 	uint_t action = rctlblk_get_local_action((rctlblk_t *)rctlblk, NULL);
6098 	uint_t global_flags;
6099 
6100 	if (!zonecfg_valid_rctlblk(rctlblk))
6101 		return (B_FALSE);
6102 	if (!zonecfg_valid_rctlname(name))
6103 		return (B_FALSE);
6104 
6105 	current = alloca(rctlblk_size());
6106 	if (getrctl(name, NULL, current, RCTL_FIRST) != 0)
6107 		return (B_TRUE);	/* not an rctl on this system */
6108 	/*
6109 	 * Make sure the proposed value isn't greater than the current system
6110 	 * value.
6111 	 */
6112 	next = alloca(rctlblk_size());
6113 	while (rctlblk_get_privilege(current) != RCPRIV_SYSTEM) {
6114 		rctlblk_t *tmp;
6115 
6116 		if (getrctl(name, current, next, RCTL_NEXT) != 0)
6117 			return (B_FALSE);	/* shouldn't happen */
6118 		tmp = current;
6119 		current = next;
6120 		next = tmp;
6121 	}
6122 	if (limit > rctlblk_get_value(current))
6123 		return (B_FALSE);
6124 
6125 	/*
6126 	 * Make sure the proposed action is allowed.
6127 	 */
6128 	global_flags = rctlblk_get_global_flags(current);
6129 	if ((global_flags & RCTL_GLOBAL_DENY_NEVER) &&
6130 	    action == RCTL_LOCAL_DENY)
6131 		return (B_FALSE);
6132 	if ((global_flags & RCTL_GLOBAL_DENY_ALWAYS) &&
6133 	    action == RCTL_LOCAL_NOACTION)
6134 		return (B_FALSE);
6135 
6136 	return (B_TRUE);
6137 }
6138 
6139 /*
6140  * There is always a race condition between reading the initial copy of
6141  * a zones state and its state changing.  We address this by providing
6142  * zonecfg_notify_critical_enter and zonecfg_noticy_critical_exit functions.
6143  * When zonecfg_critical_enter is called, sets the state field to LOCKED
6144  * and aquires biglock. Biglock protects against other threads executing
6145  * critical_enter and the state field protects against state changes during
6146  * the critical period.
6147  *
6148  * If any state changes occur, zn_cb will set the failed field of the znotify
6149  * structure.  This will cause the critical_exit function to re-lock the
6150  * channel and return an error. Since evsnts may be delayed, the critical_exit
6151  * function "flushes" the queue by putting an event on the queue and waiting for
6152  * zn_cb to notify critical_exit that it received the ping event.
6153  */
6154 static const char *
6155 string_get_tok(const char *in, char delim, int num)
6156 {
6157 	int i = 0;
6158 
6159 	for (; i < num; in++) {
6160 		if (*in == delim)
6161 			i++;
6162 		if (*in == 0)
6163 			return (NULL);
6164 	}
6165 	return (in);
6166 }
6167 
6168 static boolean_t
6169 is_ping(sysevent_t *ev)
6170 {
6171 	if (strcmp(sysevent_get_subclass_name(ev),
6172 	    ZONE_EVENT_PING_SUBCLASS) == 0) {
6173 		return (B_TRUE);
6174 	} else {
6175 		return (B_FALSE);
6176 	}
6177 }
6178 
6179 static boolean_t
6180 is_my_ping(sysevent_t *ev)
6181 {
6182 	const char *sender;
6183 	char mypid[sizeof (pid_t) * 3 + 1];
6184 
6185 	(void) snprintf(mypid, sizeof (mypid), "%i", getpid());
6186 	sender = string_get_tok(sysevent_get_pub(ev), ':', 3);
6187 	if (sender == NULL)
6188 		return (B_FALSE);
6189 	if (strcmp(sender, mypid) != 0)
6190 		return (B_FALSE);
6191 	return (B_TRUE);
6192 }
6193 
6194 static int
6195 do_callback(struct znotify *zevtchan, sysevent_t *ev)
6196 {
6197 	nvlist_t *l;
6198 	int zid;
6199 	char *zonename;
6200 	char *newstate;
6201 	char *oldstate;
6202 	int ret;
6203 	hrtime_t when;
6204 
6205 	if (strcmp(sysevent_get_subclass_name(ev),
6206 	    ZONE_EVENT_STATUS_SUBCLASS) == 0) {
6207 
6208 		if (sysevent_get_attr_list(ev, &l) != 0) {
6209 			if (errno == ENOMEM) {
6210 				zevtchan->zn_failure_count++;
6211 				return (EAGAIN);
6212 			}
6213 			return (0);
6214 		}
6215 		ret = 0;
6216 
6217 		if ((nvlist_lookup_string(l, ZONE_CB_NAME, &zonename) == 0) &&
6218 		    (nvlist_lookup_string(l, ZONE_CB_NEWSTATE, &newstate)
6219 		    == 0) &&
6220 		    (nvlist_lookup_string(l, ZONE_CB_OLDSTATE, &oldstate)
6221 		    == 0) &&
6222 		    (nvlist_lookup_uint64(l, ZONE_CB_TIMESTAMP,
6223 		    (uint64_t *)&when) == 0) &&
6224 		    (nvlist_lookup_int32(l, ZONE_CB_ZONEID, &zid) == 0)) {
6225 			ret = zevtchan->zn_callback(zonename, zid, newstate,
6226 			    oldstate, when, zevtchan->zn_private);
6227 		}
6228 
6229 		zevtchan->zn_failure_count = 0;
6230 		nvlist_free(l);
6231 		return (ret);
6232 	} else {
6233 		/*
6234 		 * We have received an event in an unknown subclass. Ignore.
6235 		 */
6236 		zevtchan->zn_failure_count = 0;
6237 		return (0);
6238 	}
6239 }
6240 
6241 static int
6242 zn_cb(sysevent_t *ev, void *p)
6243 {
6244 	struct znotify *zevtchan = p;
6245 	int error;
6246 
6247 	(void) pthread_mutex_lock(&(zevtchan->zn_mutex));
6248 
6249 	if (is_ping(ev) && !is_my_ping(ev)) {
6250 		(void) pthread_mutex_unlock((&zevtchan->zn_mutex));
6251 		return (0);
6252 	}
6253 
6254 	if (zevtchan->zn_state == ZN_LOCKED) {
6255 		assert(!is_ping(ev));
6256 		zevtchan->zn_failed = B_TRUE;
6257 		(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6258 		return (0);
6259 	}
6260 
6261 	if (zevtchan->zn_state == ZN_PING_INFLIGHT) {
6262 		if (is_ping(ev)) {
6263 			zevtchan->zn_state = ZN_PING_RECEIVED;
6264 			(void) pthread_cond_signal(&(zevtchan->zn_cond));
6265 			(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6266 			return (0);
6267 		} else {
6268 			zevtchan->zn_failed = B_TRUE;
6269 			(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6270 			return (0);
6271 		}
6272 	}
6273 
6274 	if (zevtchan->zn_state == ZN_UNLOCKED) {
6275 
6276 		error = do_callback(zevtchan, ev);
6277 		(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6278 		/*
6279 		 * Every ENOMEM failure causes do_callback to increment
6280 		 * zn_failure_count and every success causes it to
6281 		 * set zn_failure_count to zero.  If we got EAGAIN,
6282 		 * we will sleep for zn_failure_count seconds and return
6283 		 * EAGAIN to gpec to try again.
6284 		 *
6285 		 * After 55 seconds, or 10 try's we give up and drop the
6286 		 * event.
6287 		 */
6288 		if (error == EAGAIN) {
6289 			if (zevtchan->zn_failure_count > ZONE_CB_RETRY_COUNT) {
6290 				return (0);
6291 			}
6292 			(void) sleep(zevtchan->zn_failure_count);
6293 		}
6294 		return (error);
6295 	}
6296 
6297 	if (zevtchan->zn_state == ZN_PING_RECEIVED) {
6298 		(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6299 		return (0);
6300 	}
6301 
6302 	abort();
6303 	return (0);
6304 }
6305 
6306 void
6307 zonecfg_notify_critical_enter(void *h)
6308 {
6309 	struct znotify *zevtchan = h;
6310 
6311 	(void) pthread_mutex_lock(&(zevtchan->zn_bigmutex));
6312 	zevtchan->zn_state = ZN_LOCKED;
6313 }
6314 
6315 int
6316 zonecfg_notify_critical_exit(void * h)
6317 {
6318 
6319 	struct znotify *zevtchan = h;
6320 
6321 	if (zevtchan->zn_state == ZN_UNLOCKED)
6322 		return (0);
6323 
6324 	(void) pthread_mutex_lock(&(zevtchan->zn_mutex));
6325 	zevtchan->zn_state = ZN_PING_INFLIGHT;
6326 
6327 	(void) sysevent_evc_publish(zevtchan->zn_eventchan,
6328 	    ZONE_EVENT_STATUS_CLASS,
6329 	    ZONE_EVENT_PING_SUBCLASS, ZONE_EVENT_PING_PUBLISHER,
6330 	    zevtchan->zn_subscriber_id, NULL, EVCH_SLEEP);
6331 
6332 	while (zevtchan->zn_state != ZN_PING_RECEIVED) {
6333 		(void) pthread_cond_wait(&(zevtchan->zn_cond),
6334 		    &(zevtchan->zn_mutex));
6335 	}
6336 
6337 	if (zevtchan->zn_failed == B_TRUE) {
6338 		zevtchan->zn_state = ZN_LOCKED;
6339 		zevtchan->zn_failed = B_FALSE;
6340 		(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6341 		return (1);
6342 	}
6343 
6344 	zevtchan->zn_state = ZN_UNLOCKED;
6345 	(void) pthread_mutex_unlock(&(zevtchan->zn_mutex));
6346 	(void) pthread_mutex_unlock(&(zevtchan->zn_bigmutex));
6347 	return (0);
6348 }
6349 
6350 void
6351 zonecfg_notify_critical_abort(void *h)
6352 {
6353 	struct znotify *zevtchan = h;
6354 
6355 	zevtchan->zn_state = ZN_UNLOCKED;
6356 	zevtchan->zn_failed = B_FALSE;
6357 	/*
6358 	 * Don't do anything about zn_lock. If it is held, it could only be
6359 	 * held by zn_cb and it will be unlocked soon.
6360 	 */
6361 	(void) pthread_mutex_unlock(&(zevtchan->zn_bigmutex));
6362 }
6363 
6364 void *
6365 zonecfg_notify_bind(int(*func)(const char *zonename, zoneid_t zid,
6366     const char *newstate, const char *oldstate, hrtime_t when, void *p),
6367     void *p)
6368 {
6369 	struct znotify *zevtchan;
6370 	int i = 1;
6371 	int r;
6372 
6373 	zevtchan = malloc(sizeof (struct znotify));
6374 
6375 	if (zevtchan == NULL)
6376 		return (NULL);
6377 
6378 	zevtchan->zn_private = p;
6379 	zevtchan->zn_callback = func;
6380 	zevtchan->zn_state = ZN_UNLOCKED;
6381 	zevtchan->zn_failed = B_FALSE;
6382 
6383 	if (pthread_mutex_init(&(zevtchan->zn_mutex), NULL))
6384 		goto out3;
6385 	if (pthread_cond_init(&(zevtchan->zn_cond), NULL)) {
6386 		(void) pthread_mutex_destroy(&(zevtchan->zn_mutex));
6387 		goto out3;
6388 	}
6389 	if (pthread_mutex_init(&(zevtchan->zn_bigmutex), NULL)) {
6390 		(void) pthread_mutex_destroy(&(zevtchan->zn_mutex));
6391 		(void) pthread_cond_destroy(&(zevtchan->zn_cond));
6392 		goto out3;
6393 	}
6394 
6395 	if (sysevent_evc_bind(ZONE_EVENT_CHANNEL, &(zevtchan->zn_eventchan),
6396 	    0) != 0)
6397 		goto out2;
6398 
6399 	do {
6400 		/*
6401 		 * At 4 digits the subscriber ID gets too long and we have
6402 		 * no chance of successfully registering.
6403 		 */
6404 		if (i > 999)
6405 			goto out1;
6406 
6407 		(void) sprintf(zevtchan->zn_subscriber_id, "zone_%li_%i",
6408 		    getpid() % 999999l, i);
6409 
6410 		r = sysevent_evc_subscribe(zevtchan->zn_eventchan,
6411 		    zevtchan->zn_subscriber_id, ZONE_EVENT_STATUS_CLASS, zn_cb,
6412 		    zevtchan, 0);
6413 
6414 		i++;
6415 
6416 	} while (r);
6417 
6418 	return (zevtchan);
6419 out1:
6420 	(void) sysevent_evc_unbind(zevtchan->zn_eventchan);
6421 out2:
6422 	(void) pthread_mutex_destroy(&zevtchan->zn_mutex);
6423 	(void) pthread_cond_destroy(&zevtchan->zn_cond);
6424 	(void) pthread_mutex_destroy(&(zevtchan->zn_bigmutex));
6425 out3:
6426 	free(zevtchan);
6427 
6428 	return (NULL);
6429 }
6430 
6431 void
6432 zonecfg_notify_unbind(void *handle)
6433 {
6434 
6435 	int ret;
6436 
6437 	(void) sysevent_evc_unbind(((struct znotify *)handle)->zn_eventchan);
6438 	/*
6439 	 * Check that all evc threads have gone away. This should be
6440 	 * enforced by sysevent_evc_unbind.
6441 	 */
6442 	ret = pthread_mutex_trylock(&((struct znotify *)handle)->zn_mutex);
6443 
6444 	if (ret)
6445 		abort();
6446 
6447 	(void) pthread_mutex_unlock(&((struct znotify *)handle)->zn_mutex);
6448 	(void) pthread_mutex_destroy(&((struct znotify *)handle)->zn_mutex);
6449 	(void) pthread_cond_destroy(&((struct znotify *)handle)->zn_cond);
6450 	(void) pthread_mutex_destroy(&((struct znotify *)handle)->zn_bigmutex);
6451 
6452 	free(handle);
6453 }
6454 
6455 static int
6456 zonecfg_add_ds_core(zone_dochandle_t handle, struct zone_dstab *tabptr)
6457 {
6458 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
6459 	int err;
6460 
6461 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_DATASET, NULL);
6462 	if ((err = newprop(newnode, DTD_ATTR_NAME,
6463 	    tabptr->zone_dataset_name)) != Z_OK)
6464 		return (err);
6465 	return (Z_OK);
6466 }
6467 
6468 int
6469 zonecfg_add_ds(zone_dochandle_t handle, struct zone_dstab *tabptr)
6470 {
6471 	int err;
6472 
6473 	if (tabptr == NULL)
6474 		return (Z_INVAL);
6475 
6476 	if ((err = operation_prep(handle)) != Z_OK)
6477 		return (err);
6478 
6479 	if ((err = zonecfg_add_ds_core(handle, tabptr)) != Z_OK)
6480 		return (err);
6481 
6482 	return (Z_OK);
6483 }
6484 
6485 static int
6486 zonecfg_delete_ds_core(zone_dochandle_t handle, struct zone_dstab *tabptr)
6487 {
6488 	xmlNodePtr cur = handle->zone_dh_cur;
6489 
6490 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
6491 		if (xmlStrcmp(cur->name, DTD_ELEM_DATASET))
6492 			continue;
6493 
6494 		if (match_prop(cur, DTD_ATTR_NAME,
6495 		    tabptr->zone_dataset_name)) {
6496 			xmlUnlinkNode(cur);
6497 			xmlFreeNode(cur);
6498 			return (Z_OK);
6499 		}
6500 	}
6501 	return (Z_NO_RESOURCE_ID);
6502 }
6503 
6504 int
6505 zonecfg_delete_ds(zone_dochandle_t handle, struct zone_dstab *tabptr)
6506 {
6507 	int err;
6508 
6509 	if (tabptr == NULL)
6510 		return (Z_INVAL);
6511 
6512 	if ((err = operation_prep(handle)) != Z_OK)
6513 		return (err);
6514 
6515 	if ((err = zonecfg_delete_ds_core(handle, tabptr)) != Z_OK)
6516 		return (err);
6517 
6518 	return (Z_OK);
6519 }
6520 
6521 int
6522 zonecfg_modify_ds(
6523 	zone_dochandle_t handle,
6524 	struct zone_dstab *oldtabptr,
6525 	struct zone_dstab *newtabptr)
6526 {
6527 	int err;
6528 
6529 	if (oldtabptr == NULL || newtabptr == NULL)
6530 		return (Z_INVAL);
6531 
6532 	if ((err = operation_prep(handle)) != Z_OK)
6533 		return (err);
6534 
6535 	if ((err = zonecfg_delete_ds_core(handle, oldtabptr)) != Z_OK)
6536 		return (err);
6537 
6538 	if ((err = zonecfg_add_ds_core(handle, newtabptr)) != Z_OK)
6539 		return (err);
6540 
6541 	return (Z_OK);
6542 }
6543 
6544 int
6545 zonecfg_lookup_ds(zone_dochandle_t handle, struct zone_dstab *tabptr)
6546 {
6547 	xmlNodePtr cur, firstmatch;
6548 	int err;
6549 	char dataset[MAXNAMELEN];
6550 
6551 	if (tabptr == NULL)
6552 		return (Z_INVAL);
6553 
6554 	if ((err = operation_prep(handle)) != Z_OK)
6555 		return (err);
6556 
6557 	cur = handle->zone_dh_cur;
6558 	firstmatch = NULL;
6559 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
6560 		if (xmlStrcmp(cur->name, DTD_ELEM_DATASET))
6561 			continue;
6562 		if (strlen(tabptr->zone_dataset_name) > 0) {
6563 			if ((fetchprop(cur, DTD_ATTR_NAME, dataset,
6564 			    sizeof (dataset)) == Z_OK) &&
6565 			    (strcmp(tabptr->zone_dataset_name,
6566 			    dataset) == 0)) {
6567 				if (firstmatch == NULL)
6568 					firstmatch = cur;
6569 				else
6570 					return (Z_INSUFFICIENT_SPEC);
6571 			}
6572 		}
6573 	}
6574 	if (firstmatch == NULL)
6575 		return (Z_NO_RESOURCE_ID);
6576 
6577 	cur = firstmatch;
6578 
6579 	if ((err = fetchprop(cur, DTD_ATTR_NAME, tabptr->zone_dataset_name,
6580 	    sizeof (tabptr->zone_dataset_name))) != Z_OK)
6581 		return (err);
6582 
6583 	return (Z_OK);
6584 }
6585 
6586 int
6587 zonecfg_setdsent(zone_dochandle_t handle)
6588 {
6589 	return (zonecfg_setent(handle));
6590 }
6591 
6592 int
6593 zonecfg_getdsent(zone_dochandle_t handle, struct zone_dstab *tabptr)
6594 {
6595 	xmlNodePtr cur;
6596 	int err;
6597 
6598 	if (handle == NULL)
6599 		return (Z_INVAL);
6600 
6601 	if ((cur = handle->zone_dh_cur) == NULL)
6602 		return (Z_NO_ENTRY);
6603 
6604 	for (; cur != NULL; cur = cur->next)
6605 		if (!xmlStrcmp(cur->name, DTD_ELEM_DATASET))
6606 			break;
6607 	if (cur == NULL) {
6608 		handle->zone_dh_cur = handle->zone_dh_top;
6609 		return (Z_NO_ENTRY);
6610 	}
6611 
6612 	if ((err = fetchprop(cur, DTD_ATTR_NAME, tabptr->zone_dataset_name,
6613 	    sizeof (tabptr->zone_dataset_name))) != Z_OK) {
6614 		handle->zone_dh_cur = handle->zone_dh_top;
6615 		return (err);
6616 	}
6617 
6618 	handle->zone_dh_cur = cur->next;
6619 	return (Z_OK);
6620 }
6621 
6622 int
6623 zonecfg_enddsent(zone_dochandle_t handle)
6624 {
6625 	return (zonecfg_endent(handle));
6626 }
6627 
6628 /*
6629  * Support for aliased rctls; that is, rctls that have simplified names in
6630  * zonecfg.  For example, max-lwps is an alias for a well defined zone.max-lwps
6631  * rctl.  If there are multiple existing values for one of these rctls or if
6632  * there is a single value that does not match the well defined template (i.e.
6633  * it has a different action) then we cannot treat the rctl as having an alias
6634  * so we return Z_ALIAS_DISALLOW.  That means that the rctl cannot be
6635  * managed in zonecfg via an alias and that the standard rctl syntax must be
6636  * used.
6637  *
6638  * The possible return values are:
6639  *	Z_NO_PROPERTY_ID - invalid alias name
6640  *	Z_ALIAS_DISALLOW - pre-existing, incompatible rctl definition
6641  *	Z_NO_ENTRY - no rctl is configured for this alias
6642  *	Z_OK - we got a valid rctl for the specified alias
6643  */
6644 int
6645 zonecfg_get_aliased_rctl(zone_dochandle_t handle, char *name, uint64_t *rval)
6646 {
6647 	boolean_t found = B_FALSE;
6648 	boolean_t found_val = B_FALSE;
6649 	xmlNodePtr cur, val;
6650 	char savedname[MAXNAMELEN];
6651 	struct zone_rctlvaltab rctl;
6652 	int i;
6653 	int err;
6654 
6655 	for (i = 0; aliases[i].shortname != NULL; i++)
6656 		if (strcmp(name, aliases[i].shortname) == 0)
6657 			break;
6658 
6659 	if (aliases[i].shortname == NULL)
6660 		return (Z_NO_PROPERTY_ID);
6661 
6662 	if ((err = operation_prep(handle)) != Z_OK)
6663 		return (err);
6664 
6665 	cur = handle->zone_dh_cur;
6666 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
6667 		if (xmlStrcmp(cur->name, DTD_ELEM_RCTL) != 0)
6668 			continue;
6669 		if ((fetchprop(cur, DTD_ATTR_NAME, savedname,
6670 		    sizeof (savedname)) == Z_OK) &&
6671 		    (strcmp(savedname, aliases[i].realname) == 0)) {
6672 
6673 			/*
6674 			 * If we already saw one of these, we can't have an
6675 			 * alias since we just found another.
6676 			 */
6677 			if (found)
6678 				return (Z_ALIAS_DISALLOW);
6679 			found = B_TRUE;
6680 
6681 			for (val = cur->xmlChildrenNode; val != NULL;
6682 			    val = val->next) {
6683 				/*
6684 				 * If we already have one value, we can't have
6685 				 * an alias since we just found another.
6686 				 */
6687 				if (found_val)
6688 					return (Z_ALIAS_DISALLOW);
6689 				found_val = B_TRUE;
6690 
6691 				if ((fetchprop(val, DTD_ATTR_PRIV,
6692 				    rctl.zone_rctlval_priv,
6693 				    sizeof (rctl.zone_rctlval_priv)) != Z_OK))
6694 					break;
6695 				if ((fetchprop(val, DTD_ATTR_LIMIT,
6696 				    rctl.zone_rctlval_limit,
6697 				    sizeof (rctl.zone_rctlval_limit)) != Z_OK))
6698 					break;
6699 				if ((fetchprop(val, DTD_ATTR_ACTION,
6700 				    rctl.zone_rctlval_action,
6701 				    sizeof (rctl.zone_rctlval_action)) != Z_OK))
6702 					break;
6703 			}
6704 
6705 			/* check priv and action match the expected vals */
6706 			if (strcmp(rctl.zone_rctlval_priv,
6707 			    aliases[i].priv) != 0 ||
6708 			    strcmp(rctl.zone_rctlval_action,
6709 			    aliases[i].action) != 0)
6710 				return (Z_ALIAS_DISALLOW);
6711 		}
6712 	}
6713 
6714 	if (found) {
6715 		*rval = strtoull(rctl.zone_rctlval_limit, NULL, 10);
6716 		return (Z_OK);
6717 	}
6718 
6719 	return (Z_NO_ENTRY);
6720 }
6721 
6722 int
6723 zonecfg_rm_aliased_rctl(zone_dochandle_t handle, char *name)
6724 {
6725 	int i;
6726 	uint64_t val;
6727 	struct zone_rctltab rctltab;
6728 
6729 	/*
6730 	 * First check that we have a valid aliased rctl to remove.
6731 	 * This will catch an rctl entry with non-standard values or
6732 	 * multiple rctl values for this name.  We need to ignore those
6733 	 * rctl entries.
6734 	 */
6735 	if (zonecfg_get_aliased_rctl(handle, name, &val) != Z_OK)
6736 		return (Z_OK);
6737 
6738 	for (i = 0; aliases[i].shortname != NULL; i++)
6739 		if (strcmp(name, aliases[i].shortname) == 0)
6740 			break;
6741 
6742 	if (aliases[i].shortname == NULL)
6743 		return (Z_NO_RESOURCE_ID);
6744 
6745 	(void) strlcpy(rctltab.zone_rctl_name, aliases[i].realname,
6746 	    sizeof (rctltab.zone_rctl_name));
6747 
6748 	return (zonecfg_delete_rctl(handle, &rctltab));
6749 }
6750 
6751 boolean_t
6752 zonecfg_aliased_rctl_ok(zone_dochandle_t handle, char *name)
6753 {
6754 	uint64_t tmp_val;
6755 
6756 	switch (zonecfg_get_aliased_rctl(handle, name, &tmp_val)) {
6757 	case Z_OK:
6758 		/*FALLTHRU*/
6759 	case Z_NO_ENTRY:
6760 		return (B_TRUE);
6761 	default:
6762 		return (B_FALSE);
6763 	}
6764 }
6765 
6766 int
6767 zonecfg_set_aliased_rctl(zone_dochandle_t handle, char *name, uint64_t val)
6768 {
6769 	int i;
6770 	int err;
6771 	struct zone_rctltab rctltab;
6772 	struct zone_rctlvaltab *rctlvaltab;
6773 	char buf[128];
6774 
6775 	if (!zonecfg_aliased_rctl_ok(handle, name))
6776 		return (Z_ALIAS_DISALLOW);
6777 
6778 	for (i = 0; aliases[i].shortname != NULL; i++)
6779 		if (strcmp(name, aliases[i].shortname) == 0)
6780 			break;
6781 
6782 	if (aliases[i].shortname == NULL)
6783 		return (Z_NO_RESOURCE_ID);
6784 
6785 	/* remove any pre-existing definition for this rctl */
6786 	(void) zonecfg_rm_aliased_rctl(handle, name);
6787 
6788 	(void) strlcpy(rctltab.zone_rctl_name, aliases[i].realname,
6789 	    sizeof (rctltab.zone_rctl_name));
6790 
6791 	rctltab.zone_rctl_valptr = NULL;
6792 
6793 	if ((rctlvaltab = calloc(1, sizeof (struct zone_rctlvaltab))) == NULL)
6794 		return (Z_NOMEM);
6795 
6796 	(void) snprintf(buf, sizeof (buf), "%llu", (long long)val);
6797 
6798 	(void) strlcpy(rctlvaltab->zone_rctlval_priv, aliases[i].priv,
6799 	    sizeof (rctlvaltab->zone_rctlval_priv));
6800 	(void) strlcpy(rctlvaltab->zone_rctlval_limit, buf,
6801 	    sizeof (rctlvaltab->zone_rctlval_limit));
6802 	(void) strlcpy(rctlvaltab->zone_rctlval_action, aliases[i].action,
6803 	    sizeof (rctlvaltab->zone_rctlval_action));
6804 
6805 	rctlvaltab->zone_rctlval_next = NULL;
6806 
6807 	if ((err = zonecfg_add_rctl_value(&rctltab, rctlvaltab)) != Z_OK)
6808 		return (err);
6809 
6810 	return (zonecfg_add_rctl(handle, &rctltab));
6811 }
6812 
6813 static int
6814 delete_tmp_pool(zone_dochandle_t handle)
6815 {
6816 	int err;
6817 	xmlNodePtr cur = handle->zone_dh_cur;
6818 
6819 	if ((err = operation_prep(handle)) != Z_OK)
6820 		return (err);
6821 
6822 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
6823 		if (xmlStrcmp(cur->name, DTD_ELEM_TMPPOOL) == 0) {
6824 			xmlUnlinkNode(cur);
6825 			xmlFreeNode(cur);
6826 			return (Z_OK);
6827 		}
6828 	}
6829 
6830 	return (Z_NO_RESOURCE_ID);
6831 }
6832 
6833 static int
6834 modify_tmp_pool(zone_dochandle_t handle, char *pool_importance)
6835 {
6836 	int err;
6837 	xmlNodePtr cur = handle->zone_dh_cur;
6838 	xmlNodePtr newnode;
6839 
6840 	err = delete_tmp_pool(handle);
6841 	if (err != Z_OK && err != Z_NO_RESOURCE_ID)
6842 		return (err);
6843 
6844 	if (*pool_importance != '\0') {
6845 		if ((err = operation_prep(handle)) != Z_OK)
6846 			return (err);
6847 
6848 		newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_TMPPOOL, NULL);
6849 		if ((err = newprop(newnode, DTD_ATTR_IMPORTANCE,
6850 		    pool_importance)) != Z_OK)
6851 			return (err);
6852 	}
6853 
6854 	return (Z_OK);
6855 }
6856 
6857 static int
6858 add_pset_core(zone_dochandle_t handle, struct zone_psettab *tabptr)
6859 {
6860 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
6861 	int err;
6862 
6863 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_PSET, NULL);
6864 	if ((err = newprop(newnode, DTD_ATTR_NCPU_MIN,
6865 	    tabptr->zone_ncpu_min)) != Z_OK)
6866 		return (err);
6867 	if ((err = newprop(newnode, DTD_ATTR_NCPU_MAX,
6868 	    tabptr->zone_ncpu_max)) != Z_OK)
6869 		return (err);
6870 
6871 	if ((err = modify_tmp_pool(handle, tabptr->zone_importance)) != Z_OK)
6872 		return (err);
6873 
6874 	return (Z_OK);
6875 }
6876 
6877 int
6878 zonecfg_add_pset(zone_dochandle_t handle, struct zone_psettab *tabptr)
6879 {
6880 	int err;
6881 
6882 	if (tabptr == NULL)
6883 		return (Z_INVAL);
6884 
6885 	if ((err = operation_prep(handle)) != Z_OK)
6886 		return (err);
6887 
6888 	if ((err = add_pset_core(handle, tabptr)) != Z_OK)
6889 		return (err);
6890 
6891 	return (Z_OK);
6892 }
6893 
6894 int
6895 zonecfg_delete_pset(zone_dochandle_t handle)
6896 {
6897 	int err;
6898 	int res = Z_NO_RESOURCE_ID;
6899 	xmlNodePtr cur = handle->zone_dh_cur;
6900 
6901 	if ((err = operation_prep(handle)) != Z_OK)
6902 		return (err);
6903 
6904 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
6905 		if (xmlStrcmp(cur->name, DTD_ELEM_PSET) == 0) {
6906 			xmlUnlinkNode(cur);
6907 			xmlFreeNode(cur);
6908 			res = Z_OK;
6909 			break;
6910 		}
6911 	}
6912 
6913 	/*
6914 	 * Once we have msets, we should check that a mset
6915 	 * do not exist before we delete the tmp_pool data.
6916 	 */
6917 	err = delete_tmp_pool(handle);
6918 	if (err != Z_OK && err != Z_NO_RESOURCE_ID)
6919 		return (err);
6920 
6921 	return (res);
6922 }
6923 
6924 int
6925 zonecfg_modify_pset(zone_dochandle_t handle, struct zone_psettab *tabptr)
6926 {
6927 	int err;
6928 
6929 	if (tabptr == NULL)
6930 		return (Z_INVAL);
6931 
6932 	if ((err = zonecfg_delete_pset(handle)) != Z_OK)
6933 		return (err);
6934 
6935 	if ((err = add_pset_core(handle, tabptr)) != Z_OK)
6936 		return (err);
6937 
6938 	return (Z_OK);
6939 }
6940 
6941 int
6942 zonecfg_lookup_pset(zone_dochandle_t handle, struct zone_psettab *tabptr)
6943 {
6944 	xmlNodePtr cur;
6945 	int err;
6946 	int res = Z_NO_ENTRY;
6947 
6948 	if (tabptr == NULL)
6949 		return (Z_INVAL);
6950 
6951 	if ((err = operation_prep(handle)) != Z_OK)
6952 		return (err);
6953 
6954 	/* this is an optional component */
6955 	tabptr->zone_importance[0] = '\0';
6956 
6957 	cur = handle->zone_dh_cur;
6958 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
6959 		if (xmlStrcmp(cur->name, DTD_ELEM_PSET) == 0) {
6960 			if ((err = fetchprop(cur, DTD_ATTR_NCPU_MIN,
6961 			    tabptr->zone_ncpu_min,
6962 			    sizeof (tabptr->zone_ncpu_min))) != Z_OK) {
6963 				handle->zone_dh_cur = handle->zone_dh_top;
6964 				return (err);
6965 			}
6966 
6967 			if ((err = fetchprop(cur, DTD_ATTR_NCPU_MAX,
6968 			    tabptr->zone_ncpu_max,
6969 			    sizeof (tabptr->zone_ncpu_max))) != Z_OK) {
6970 				handle->zone_dh_cur = handle->zone_dh_top;
6971 				return (err);
6972 			}
6973 
6974 			res = Z_OK;
6975 
6976 		} else if (xmlStrcmp(cur->name, DTD_ELEM_TMPPOOL) == 0) {
6977 			if ((err = fetchprop(cur, DTD_ATTR_IMPORTANCE,
6978 			    tabptr->zone_importance,
6979 			    sizeof (tabptr->zone_importance))) != Z_OK) {
6980 				handle->zone_dh_cur = handle->zone_dh_top;
6981 				return (err);
6982 			}
6983 		}
6984 	}
6985 
6986 	return (res);
6987 }
6988 
6989 int
6990 zonecfg_getpsetent(zone_dochandle_t handle, struct zone_psettab *tabptr)
6991 {
6992 	int err;
6993 
6994 	if ((err = zonecfg_setent(handle)) != Z_OK)
6995 		return (err);
6996 
6997 	err = zonecfg_lookup_pset(handle, tabptr);
6998 
6999 	(void) zonecfg_endent(handle);
7000 
7001 	return (err);
7002 }
7003 
7004 static int
7005 add_mcap(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
7006 {
7007 	xmlNodePtr newnode, cur = handle->zone_dh_cur;
7008 	int err;
7009 
7010 	newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_MCAP, NULL);
7011 	if ((err = newprop(newnode, DTD_ATTR_PHYSCAP, tabptr->zone_physmem_cap))
7012 	    != Z_OK)
7013 		return (err);
7014 
7015 	return (Z_OK);
7016 }
7017 
7018 int
7019 zonecfg_delete_mcap(zone_dochandle_t handle)
7020 {
7021 	int err;
7022 	xmlNodePtr cur = handle->zone_dh_cur;
7023 
7024 	if ((err = operation_prep(handle)) != Z_OK)
7025 		return (err);
7026 
7027 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
7028 		if (xmlStrcmp(cur->name, DTD_ELEM_MCAP) != 0)
7029 			continue;
7030 
7031 		xmlUnlinkNode(cur);
7032 		xmlFreeNode(cur);
7033 		return (Z_OK);
7034 	}
7035 	return (Z_NO_RESOURCE_ID);
7036 }
7037 
7038 int
7039 zonecfg_modify_mcap(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
7040 {
7041 	int err;
7042 
7043 	if (tabptr == NULL)
7044 		return (Z_INVAL);
7045 
7046 	err = zonecfg_delete_mcap(handle);
7047 	/* it is ok if there is no mcap entry */
7048 	if (err != Z_OK && err != Z_NO_RESOURCE_ID)
7049 		return (err);
7050 
7051 	if ((err = add_mcap(handle, tabptr)) != Z_OK)
7052 		return (err);
7053 
7054 	return (Z_OK);
7055 }
7056 
7057 int
7058 zonecfg_lookup_mcap(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
7059 {
7060 	xmlNodePtr cur;
7061 	int err;
7062 
7063 	if (tabptr == NULL)
7064 		return (Z_INVAL);
7065 
7066 	if ((err = operation_prep(handle)) != Z_OK)
7067 		return (err);
7068 
7069 	cur = handle->zone_dh_cur;
7070 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
7071 		if (xmlStrcmp(cur->name, DTD_ELEM_MCAP) != 0)
7072 			continue;
7073 		if ((err = fetchprop(cur, DTD_ATTR_PHYSCAP,
7074 		    tabptr->zone_physmem_cap,
7075 		    sizeof (tabptr->zone_physmem_cap))) != Z_OK) {
7076 			handle->zone_dh_cur = handle->zone_dh_top;
7077 			return (err);
7078 		}
7079 
7080 		return (Z_OK);
7081 	}
7082 
7083 	return (Z_NO_ENTRY);
7084 }
7085 
7086 int
7087 zonecfg_getsecflagsent(zone_dochandle_t handle,
7088     struct zone_secflagstab *tabptr)
7089 {
7090 	int err;
7091 	xmlNodePtr cur;
7092 
7093 	if (handle == NULL)
7094 		return (Z_INVAL);
7095 
7096 	if ((err = zonecfg_setent(handle)) != Z_OK)
7097 		return (err);
7098 
7099 
7100 	if ((cur = handle->zone_dh_cur) == NULL)
7101 		return (Z_NO_ENTRY);
7102 
7103 	for (; cur != NULL; cur = cur->next) {
7104 		if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) == 0)
7105 			break;
7106 	}
7107 
7108 	if (cur == NULL) {
7109 		handle->zone_dh_cur = handle->zone_dh_top;
7110 		return (Z_NO_ENTRY);
7111 	}
7112 
7113 	if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
7114 	    tabptr->zone_secflags_default,
7115 	    sizeof (tabptr->zone_secflags_default))) != Z_OK) {
7116 		handle->zone_dh_cur = handle->zone_dh_top;
7117 		return (err);
7118 	}
7119 
7120 	if ((err = fetchprop(cur, DTD_ATTR_LOWER,
7121 	    tabptr->zone_secflags_lower,
7122 	    sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
7123 		handle->zone_dh_cur = handle->zone_dh_top;
7124 		return (err);
7125 	}
7126 
7127 	if ((err = fetchprop(cur, DTD_ATTR_UPPER,
7128 	    tabptr->zone_secflags_upper,
7129 	    sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
7130 		handle->zone_dh_cur = handle->zone_dh_top;
7131 		return (err);
7132 	}
7133 
7134 	handle->zone_dh_cur = cur->next;
7135 
7136 	(void) zonecfg_endent(handle);
7137 
7138 	return (err);
7139 }
7140 
7141 static int
7142 getmcapent_core(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
7143 {
7144 	xmlNodePtr cur;
7145 	int err;
7146 
7147 	if (handle == NULL)
7148 		return (Z_INVAL);
7149 
7150 	if ((cur = handle->zone_dh_cur) == NULL)
7151 		return (Z_NO_ENTRY);
7152 
7153 	for (; cur != NULL; cur = cur->next)
7154 		if (xmlStrcmp(cur->name, DTD_ELEM_MCAP) == 0)
7155 			break;
7156 	if (cur == NULL) {
7157 		handle->zone_dh_cur = handle->zone_dh_top;
7158 		return (Z_NO_ENTRY);
7159 	}
7160 
7161 	if ((err = fetchprop(cur, DTD_ATTR_PHYSCAP, tabptr->zone_physmem_cap,
7162 	    sizeof (tabptr->zone_physmem_cap))) != Z_OK) {
7163 		handle->zone_dh_cur = handle->zone_dh_top;
7164 		return (err);
7165 	}
7166 
7167 	handle->zone_dh_cur = cur->next;
7168 	return (Z_OK);
7169 }
7170 
7171 int
7172 zonecfg_getmcapent(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
7173 {
7174 	int err;
7175 
7176 	if ((err = zonecfg_setent(handle)) != Z_OK)
7177 		return (err);
7178 
7179 	err = getmcapent_core(handle, tabptr);
7180 
7181 	(void) zonecfg_endent(handle);
7182 
7183 	return (err);
7184 }
7185 
7186 /*
7187  * Get the full tree of pkg metadata in a set of nested AVL trees.
7188  * pkgs_avl is an AVL tree of pkgs.
7189  *
7190  * The zone xml data contains DTD_ELEM_PACKAGE elements.
7191  */
7192 int
7193 zonecfg_getpkgdata(zone_dochandle_t handle, uu_avl_pool_t *pkg_pool,
7194     uu_avl_t *pkgs_avl)
7195 {
7196 	xmlNodePtr cur;
7197 	int res;
7198 	zone_pkg_entry_t *pkg;
7199 	char name[MAXNAMELEN];
7200 	char version[ZONE_PKG_VERSMAX];
7201 
7202 	if (handle == NULL)
7203 		return (Z_INVAL);
7204 
7205 	if ((res = zonecfg_setent(handle)) != Z_OK)
7206 		return (res);
7207 
7208 	if ((cur = handle->zone_dh_cur) == NULL) {
7209 		res = Z_NO_ENTRY;
7210 		goto done;
7211 	}
7212 
7213 	for (; cur != NULL; cur = cur->next) {
7214 		if (xmlStrcmp(cur->name, DTD_ELEM_PACKAGE) == 0) {
7215 			uu_avl_index_t where;
7216 
7217 			if ((res = fetchprop(cur, DTD_ATTR_NAME, name,
7218 			    sizeof (name))) != Z_OK)
7219 				goto done;
7220 
7221 			if ((res = fetchprop(cur, DTD_ATTR_VERSION, version,
7222 			    sizeof (version))) != Z_OK)
7223 				goto done;
7224 
7225 			if ((pkg = (zone_pkg_entry_t *)
7226 			    malloc(sizeof (zone_pkg_entry_t))) == NULL) {
7227 				res = Z_NOMEM;
7228 				goto done;
7229 			}
7230 
7231 			if ((pkg->zpe_name = strdup(name)) == NULL) {
7232 				free(pkg);
7233 				res = Z_NOMEM;
7234 				goto done;
7235 			}
7236 
7237 			if ((pkg->zpe_vers = strdup(version)) == NULL) {
7238 				free(pkg->zpe_name);
7239 				free(pkg);
7240 				res = Z_NOMEM;
7241 				goto done;
7242 			}
7243 
7244 			uu_avl_node_init(pkg, &pkg->zpe_entry, pkg_pool);
7245 			if (uu_avl_find(pkgs_avl, pkg, NULL, &where) != NULL) {
7246 				free(pkg->zpe_name);
7247 				free(pkg->zpe_vers);
7248 				free(pkg);
7249 			} else {
7250 				uu_avl_insert(pkgs_avl, pkg, where);
7251 			}
7252 		}
7253 	}
7254 
7255 done:
7256 	(void) zonecfg_endent(handle);
7257 	return (res);
7258 }
7259 
7260 int
7261 zonecfg_setdevperment(zone_dochandle_t handle)
7262 {
7263 	return (zonecfg_setent(handle));
7264 }
7265 
7266 int
7267 zonecfg_getdevperment(zone_dochandle_t handle, struct zone_devpermtab *tabptr)
7268 {
7269 	xmlNodePtr cur;
7270 	int err;
7271 	char buf[128];
7272 
7273 	tabptr->zone_devperm_acl = NULL;
7274 
7275 	if (handle == NULL)
7276 		return (Z_INVAL);
7277 
7278 	if ((cur = handle->zone_dh_cur) == NULL)
7279 		return (Z_NO_ENTRY);
7280 
7281 	for (; cur != NULL; cur = cur->next)
7282 		if (!xmlStrcmp(cur->name, DTD_ELEM_DEV_PERM))
7283 			break;
7284 	if (cur == NULL) {
7285 		handle->zone_dh_cur = handle->zone_dh_top;
7286 		return (Z_NO_ENTRY);
7287 	}
7288 
7289 	if ((err = fetchprop(cur, DTD_ATTR_NAME, tabptr->zone_devperm_name,
7290 	    sizeof (tabptr->zone_devperm_name))) != Z_OK) {
7291 		handle->zone_dh_cur = handle->zone_dh_top;
7292 		return (err);
7293 	}
7294 
7295 	if ((err = fetchprop(cur, DTD_ATTR_UID, buf, sizeof (buf))) != Z_OK) {
7296 		handle->zone_dh_cur = handle->zone_dh_top;
7297 		return (err);
7298 	}
7299 	tabptr->zone_devperm_uid = (uid_t)atol(buf);
7300 
7301 	if ((err = fetchprop(cur, DTD_ATTR_GID, buf, sizeof (buf))) != Z_OK) {
7302 		handle->zone_dh_cur = handle->zone_dh_top;
7303 		return (err);
7304 	}
7305 	tabptr->zone_devperm_gid = (gid_t)atol(buf);
7306 
7307 	if ((err = fetchprop(cur, DTD_ATTR_MODE, buf, sizeof (buf))) != Z_OK) {
7308 		handle->zone_dh_cur = handle->zone_dh_top;
7309 		return (err);
7310 	}
7311 	tabptr->zone_devperm_mode = (mode_t)strtol(buf, (char **)NULL, 8);
7312 
7313 	if ((err = fetch_alloc_prop(cur, DTD_ATTR_ACL,
7314 	    &(tabptr->zone_devperm_acl))) != Z_OK) {
7315 		handle->zone_dh_cur = handle->zone_dh_top;
7316 		return (err);
7317 	}
7318 
7319 	handle->zone_dh_cur = cur->next;
7320 	return (Z_OK);
7321 }
7322 
7323 int
7324 zonecfg_enddevperment(zone_dochandle_t handle)
7325 {
7326 	return (zonecfg_endent(handle));
7327 }
7328 
7329 /* PRINTFLIKE1 */
7330 static void
7331 zerror(const char *zone_name, const char *fmt, ...)
7332 {
7333 	va_list alist;
7334 
7335 	va_start(alist, fmt);
7336 	(void) fprintf(stderr, "zone '%s': ", zone_name);
7337 	(void) vfprintf(stderr, fmt, alist);
7338 	(void) fprintf(stderr, "\n");
7339 	va_end(alist);
7340 }
7341 
7342 static void
7343 zperror(const char *str)
7344 {
7345 	(void) fprintf(stderr, "%s: %s\n", str, strerror(errno));
7346 }
7347 
7348 /*
7349  * The following three routines implement a simple locking mechanism to
7350  * ensure that only one instance of zoneadm at a time is able to manipulate
7351  * a given zone.  The lock is built on top of an fcntl(2) lock of
7352  * [<altroot>]/var/run/zones/<zonename>.zoneadm.lock.  If a zoneadm instance
7353  * can grab that lock, it is allowed to manipulate the zone.
7354  *
7355  * Since zoneadm may call external applications which in turn invoke
7356  * zoneadm again, we introduce the notion of "lock inheritance".  Any
7357  * instance of zoneadm that has another instance in its ancestry is assumed
7358  * to be acting on behalf of the original zoneadm, and is thus allowed to
7359  * manipulate its zone.
7360  *
7361  * This inheritance is implemented via the _ZONEADM_LOCK_HELD environment
7362  * variable.  When zoneadm is granted a lock on its zone, this environment
7363  * variable is set to 1.  When it releases the lock, the variable is set to
7364  * 0.  Since a child process inherits its parent's environment, checking
7365  * the state of this variable indicates whether or not any ancestor owns
7366  * the lock.
7367  */
7368 void
7369 zonecfg_init_lock_file(const char *zone_name, char **lock_env)
7370 {
7371 	*lock_env = getenv(LOCK_ENV_VAR);
7372 	if (*lock_env == NULL) {
7373 		if (putenv(zoneadm_lock_not_held) != 0) {
7374 			zerror(zone_name, gettext("could not set env: %s"),
7375 			    strerror(errno));
7376 			exit(1);
7377 		}
7378 	} else {
7379 		if (atoi(*lock_env) == 1)
7380 			zone_lock_cnt = 1;
7381 	}
7382 }
7383 
7384 void
7385 zonecfg_release_lock_file(const char *zone_name, int lockfd)
7386 {
7387 	/*
7388 	 * If we are cleaning up from a failed attempt to lock the zone for
7389 	 * the first time, we might have a zone_lock_cnt of 0.  In that
7390 	 * error case, we don't want to do anything but close the lock
7391 	 * file.
7392 	 */
7393 	assert(zone_lock_cnt >= 0);
7394 	if (zone_lock_cnt > 0) {
7395 		assert(getenv(LOCK_ENV_VAR) != NULL);
7396 		assert(atoi(getenv(LOCK_ENV_VAR)) == 1);
7397 		if (--zone_lock_cnt > 0) {
7398 			assert(lockfd == -1);
7399 			return;
7400 		}
7401 		if (putenv(zoneadm_lock_not_held) != 0) {
7402 			zerror(zone_name, gettext("could not set env: %s"),
7403 			    strerror(errno));
7404 			exit(1);
7405 		}
7406 	}
7407 	assert(lockfd >= 0);
7408 	(void) close(lockfd);
7409 }
7410 
7411 int
7412 zonecfg_grab_lock_file(const char *zone_name, int *lockfd)
7413 {
7414 	char pathbuf[PATH_MAX];
7415 	struct flock flock;
7416 
7417 	/*
7418 	 * If we already have the lock, we can skip this expensive song
7419 	 * and dance.
7420 	 */
7421 	assert(zone_lock_cnt >= 0);
7422 	assert(getenv(LOCK_ENV_VAR) != NULL);
7423 	if (zone_lock_cnt > 0) {
7424 		assert(atoi(getenv(LOCK_ENV_VAR)) == 1);
7425 		zone_lock_cnt++;
7426 		*lockfd = -1;
7427 		return (Z_OK);
7428 	}
7429 	assert(getenv(LOCK_ENV_VAR) != NULL);
7430 	assert(atoi(getenv(LOCK_ENV_VAR)) == 0);
7431 
7432 	if (snprintf(pathbuf, sizeof (pathbuf), "%s%s", zonecfg_get_root(),
7433 	    ZONES_TMPDIR) >= sizeof (pathbuf)) {
7434 		zerror(zone_name, gettext("alternate root path is too long"));
7435 		return (-1);
7436 	}
7437 	if (mkdir(pathbuf, S_IRWXU) < 0 && errno != EEXIST) {
7438 		zerror(zone_name, gettext("could not mkdir %s: %s"), pathbuf,
7439 		    strerror(errno));
7440 		return (-1);
7441 	}
7442 	(void) chmod(pathbuf, S_IRWXU);
7443 
7444 	/*
7445 	 * One of these lock files is created for each zone (when needed).
7446 	 * The lock files are not cleaned up (except on system reboot),
7447 	 * but since there is only one per zone, there is no resource
7448 	 * starvation issue.
7449 	 */
7450 	if (snprintf(pathbuf, sizeof (pathbuf), "%s%s/%s.zoneadm.lock",
7451 	    zonecfg_get_root(), ZONES_TMPDIR, zone_name) >= sizeof (pathbuf)) {
7452 		zerror(zone_name, gettext("alternate root path is too long"));
7453 		return (-1);
7454 	}
7455 	if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
7456 		zerror(zone_name, gettext("could not open %s: %s"), pathbuf,
7457 		    strerror(errno));
7458 		return (-1);
7459 	}
7460 	/*
7461 	 * Lock the file to synchronize with other zoneadmds
7462 	 */
7463 	flock.l_type = F_WRLCK;
7464 	flock.l_whence = SEEK_SET;
7465 	flock.l_start = (off_t)0;
7466 	flock.l_len = (off_t)0;
7467 	if ((fcntl(*lockfd, F_SETLKW, &flock) < 0) ||
7468 	    (putenv(zoneadm_lock_held) != 0)) {
7469 		zerror(zone_name, gettext("unable to lock %s: %s"), pathbuf,
7470 		    strerror(errno));
7471 		zonecfg_release_lock_file(zone_name, *lockfd);
7472 		return (-1);
7473 	}
7474 	zone_lock_cnt = 1;
7475 	return (Z_OK);
7476 }
7477 
7478 boolean_t
7479 zonecfg_lock_file_held(int *lockfd)
7480 {
7481 	if (*lockfd >= 0 || zone_lock_cnt > 0)
7482 		return (B_TRUE);
7483 	return (B_FALSE);
7484 }
7485 
7486 static boolean_t
7487 get_doorname(const char *zone_name, char *buffer)
7488 {
7489 	return (snprintf(buffer, PATH_MAX, "%s" ZONE_DOOR_PATH,
7490 	    zonecfg_get_root(), zone_name) < PATH_MAX);
7491 }
7492 
7493 /*
7494  * system daemons are not audited.  For the global zone, this occurs
7495  * "naturally" since init is started with the default audit
7496  * characteristics.  Since zoneadmd is a system daemon and it starts
7497  * init for a zone, it is necessary to clear out the audit
7498  * characteristics inherited from whomever started zoneadmd.  This is
7499  * indicated by the audit id, which is set from the ruid parameter of
7500  * adt_set_user(), below.
7501  */
7502 
7503 static void
7504 prepare_audit_context(const char *zone_name)
7505 {
7506 	adt_session_data_t	*ah;
7507 	char			*failure = gettext("audit failure: %s");
7508 
7509 	if (adt_start_session(&ah, NULL, 0)) {
7510 		zerror(zone_name, failure, strerror(errno));
7511 		return;
7512 	}
7513 	if (adt_set_user(ah, ADT_NO_AUDIT, ADT_NO_AUDIT,
7514 	    ADT_NO_AUDIT, ADT_NO_AUDIT, NULL, ADT_NEW)) {
7515 		zerror(zone_name, failure, strerror(errno));
7516 		(void) adt_end_session(ah);
7517 		return;
7518 	}
7519 	if (adt_set_proc(ah))
7520 		zerror(zone_name, failure, strerror(errno));
7521 
7522 	(void) adt_end_session(ah);
7523 }
7524 
7525 static const char **
7526 get_zoneadmd_envp(void)
7527 {
7528 	const char **envp = NULL;
7529 	size_t envlen;
7530 	size_t envslot = 0;
7531 	const char *tok;
7532 	void *dstate = NULL;
7533 
7534 	/*
7535 	 * This initial array size is enough to hold the two variables
7536 	 * set below, up to five additional entries from /etc/default/init,
7537 	 * and the NULL terminator. /etc/default/init commonly includes only
7538 	 * TZ, LANG and LC_ALL. The array will be grown if necessary by
7539 	 * doubling the size whenever it is full.
7540 	 */
7541 	envlen = 8;
7542 
7543 	if ((envp = recallocarray(NULL, 0, envlen, sizeof (char *))) == NULL)
7544 		return (NULL);
7545 
7546 	/*
7547 	 * See the comment above zonecfg_init_lock_file() for details on the
7548 	 * implementation of the locking mechanism.
7549 	 * zoneadmd is started with an inherited lock, indicated by the
7550 	 * environment variable being set. Once the starting zoneadm exits,
7551 	 * zoneadmd may persist and will continue to believe that it has the
7552 	 * lock. This is okay as long as the only things that connect to the
7553 	 * zoneadmd door and cause it to do work that requires a lock have
7554 	 * grabbed the lock in advance, which zoneadm does in all cases today.
7555 	 */
7556 	envp[envslot++] = zoneadm_lock_held;
7557 
7558 	if (asprintf((char **)&tok, "PATH=%s", ZONEADMD_PATH) == -1) {
7559 		free(envp);
7560 		return (NULL);
7561 	}
7562 	envp[envslot++] = tok;
7563 
7564 	if (definit_open(DEFINIT_DEFAULT_FILE, &dstate) != 0) {
7565 		if (errno == ENOENT) {
7566 			/*
7567 			 * If the configuration file does not exist, return the
7568 			 * environment populated so far (with PATH and the
7569 			 * zoneadm lock).
7570 			 */
7571 			envp[envslot] = NULL;
7572 			return (envp);
7573 		}
7574 		goto err;
7575 	}
7576 
7577 	while ((tok = definit_token(dstate)) != NULL) {
7578 
7579 		if (strncmp(tok, "CMASK=", 6) == 0) {
7580 			long t;
7581 
7582 			t = strtol(tok + 6, NULL, 8);
7583 
7584 			if (t >= DEFINIT_MIN_UMASK && t <= DEFINIT_MAX_UMASK)
7585 				(void) umask((int)t);
7586 			continue;
7587 		}
7588 
7589 		/*
7590 		 * Always ensure there is space for a terminating
7591 		 * NULL in addition to the new entry being added.
7592 		 */
7593 		if (envslot + 2 >= envlen) {
7594 			const char **newenvp;
7595 
7596 			newenvp = recallocarray(envp, envlen, envlen * 2,
7597 			    sizeof (char *));
7598 			if (newenvp == NULL)
7599 				goto err;
7600 			envp = newenvp;
7601 			envlen *= 2;
7602 		}
7603 
7604 		envp[envslot] = strdup(tok);
7605 		if (envp[envslot] == NULL)
7606 			goto err;
7607 		envslot++;
7608 	}
7609 
7610 	definit_close(dstate);
7611 	envp[envslot] = NULL;
7612 	return (envp);
7613 
7614 err:
7615 	if (dstate != NULL)
7616 		definit_close(dstate);
7617 
7618 	/*
7619 	 * The first slot in envp is 'zoneadm_lock_held' and should not be
7620 	 * freed.
7621 	 */
7622 	while (--envslot > 0)
7623 		free((void *)envp[envslot]);
7624 	free(envp);
7625 
7626 	return (NULL);
7627 }
7628 
7629 static int
7630 start_zoneadmd(const char *zone_name, boolean_t lock)
7631 {
7632 	char doorpath[PATH_MAX];
7633 	pid_t child_pid;
7634 	int error = -1;
7635 	int doorfd, lockfd;
7636 	struct door_info info;
7637 
7638 	if (!get_doorname(zone_name, doorpath))
7639 		return (-1);
7640 
7641 	if (lock)
7642 		if (zonecfg_grab_lock_file(zone_name, &lockfd) != Z_OK)
7643 			return (-1);
7644 
7645 	/*
7646 	 * Now that we have the lock, re-confirm that the daemon is
7647 	 * *not* up and working fine.  If it is still down, we have a green
7648 	 * light to start it.
7649 	 */
7650 	if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
7651 		if (errno != ENOENT) {
7652 			zperror(doorpath);
7653 			goto out;
7654 		}
7655 	} else {
7656 		if (door_info(doorfd, &info) == 0 &&
7657 		    ((info.di_attributes & DOOR_REVOKED) == 0)) {
7658 			error = Z_OK;
7659 			(void) close(doorfd);
7660 			goto out;
7661 		}
7662 		(void) close(doorfd);
7663 	}
7664 
7665 	if ((child_pid = fork()) == -1) {
7666 		zperror(gettext("could not fork"));
7667 		goto out;
7668 	}
7669 
7670 	if (child_pid == 0) {
7671 		const char *argv[6], **ap;
7672 		const char **envp;
7673 
7674 		/* child process */
7675 		prepare_audit_context(zone_name);
7676 
7677 		ap = argv;
7678 		*ap++ = "zoneadmd";
7679 		*ap++ = "-z";
7680 		*ap++ = zone_name;
7681 		if (zonecfg_in_alt_root()) {
7682 			*ap++ = "-R";
7683 			*ap++ = zonecfg_get_root();
7684 		}
7685 		*ap = NULL;
7686 
7687 		envp = get_zoneadmd_envp();
7688 		if (envp == NULL) {
7689 			zperror(gettext(
7690 			    "could not build environment for zoneadmd"));
7691 			_exit(1);
7692 		}
7693 
7694 		(void) execve("/usr/lib/zones/zoneadmd",
7695 		    (char * const *)argv, (char * const *)envp);
7696 		/*
7697 		 * TRANSLATION_NOTE
7698 		 * zoneadmd is a literal that should not be translated.
7699 		 */
7700 		zperror(gettext("could not exec zoneadmd"));
7701 		_exit(1);
7702 	} else {
7703 		/* parent process */
7704 		pid_t retval;
7705 		int pstatus = 0;
7706 
7707 		do {
7708 			retval = waitpid(child_pid, &pstatus, 0);
7709 		} while (retval != child_pid);
7710 		if (WIFSIGNALED(pstatus) || (WIFEXITED(pstatus) &&
7711 		    WEXITSTATUS(pstatus) != 0)) {
7712 			zerror(zone_name, gettext("could not start %s"),
7713 			    "zoneadmd");
7714 			goto out;
7715 		}
7716 	}
7717 	error = Z_OK;
7718 out:
7719 	if (lock)
7720 		zonecfg_release_lock_file(zone_name, lockfd);
7721 	return (error);
7722 }
7723 
7724 int
7725 zonecfg_ping_zoneadmd(const char *zone_name)
7726 {
7727 	char doorpath[PATH_MAX];
7728 	int doorfd;
7729 	struct door_info info;
7730 
7731 	if (!get_doorname(zone_name, doorpath))
7732 		return (-1);
7733 
7734 	if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
7735 		return (-1);
7736 	}
7737 	if (door_info(doorfd, &info) == 0 &&
7738 	    ((info.di_attributes & DOOR_REVOKED) == 0)) {
7739 		(void) close(doorfd);
7740 		return (Z_OK);
7741 	}
7742 	(void) close(doorfd);
7743 	return (-1);
7744 }
7745 
7746 int
7747 zonecfg_call_zoneadmd(const char *zone_name, zone_cmd_arg_t *arg, char *locale,
7748     boolean_t lock)
7749 {
7750 	char doorpath[PATH_MAX];
7751 	int doorfd, result;
7752 	door_arg_t darg;
7753 
7754 	zoneid_t zoneid;
7755 	uint64_t uniqid = 0;
7756 
7757 	zone_cmd_rval_t *rvalp;
7758 	size_t rlen;
7759 	char *cp, *errbuf;
7760 
7761 	rlen = getpagesize();
7762 	if ((rvalp = malloc(rlen)) == NULL) {
7763 		zerror(zone_name, gettext("failed to allocate %lu bytes: %s"),
7764 		    rlen, strerror(errno));
7765 		return (-1);
7766 	}
7767 
7768 	if ((zoneid = getzoneidbyname(zone_name)) != ZONE_ID_UNDEFINED) {
7769 		(void) zone_getattr(zoneid, ZONE_ATTR_UNIQID, &uniqid,
7770 		    sizeof (uniqid));
7771 	}
7772 	arg->uniqid = uniqid;
7773 	(void) strlcpy(arg->locale, locale, sizeof (arg->locale));
7774 	if (!get_doorname(zone_name, doorpath)) {
7775 		zerror(zone_name, gettext("alternate root path is too long"));
7776 		free(rvalp);
7777 		return (-1);
7778 	}
7779 
7780 	/*
7781 	 * Loop trying to start zoneadmd; if something goes seriously
7782 	 * wrong we break out and fail.
7783 	 */
7784 	for (;;) {
7785 		if (start_zoneadmd(zone_name, lock) != Z_OK)
7786 			break;
7787 
7788 		if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
7789 			zperror(gettext("failed to open zone door"));
7790 			break;
7791 		}
7792 
7793 		darg.data_ptr = (char *)arg;
7794 		darg.data_size = sizeof (*arg);
7795 		darg.desc_ptr = NULL;
7796 		darg.desc_num = 0;
7797 		darg.rbuf = (char *)rvalp;
7798 		darg.rsize = rlen;
7799 		if (door_call(doorfd, &darg) != 0) {
7800 			(void) close(doorfd);
7801 			/*
7802 			 * We'll get EBADF if the door has been revoked.
7803 			 */
7804 			if (errno != EBADF) {
7805 				zperror(gettext("door_call failed"));
7806 				break;
7807 			}
7808 			continue;	/* take another lap */
7809 		}
7810 		(void) close(doorfd);
7811 
7812 		if (darg.data_size == 0) {
7813 			/* Door server is going away; kick it again. */
7814 			continue;
7815 		}
7816 
7817 		errbuf = rvalp->errbuf;
7818 		while (*errbuf != '\0') {
7819 			/*
7820 			 * Remove any newlines since zerror()
7821 			 * will append one automatically.
7822 			 */
7823 			cp = strchr(errbuf, '\n');
7824 			if (cp != NULL)
7825 				*cp = '\0';
7826 			zerror(zone_name, "%s", errbuf);
7827 			if (cp == NULL)
7828 				break;
7829 			errbuf = cp + 1;
7830 		}
7831 		result = rvalp->rval == 0 ? 0 : -1;
7832 		free(rvalp);
7833 		return (result);
7834 	}
7835 
7836 	free(rvalp);
7837 	return (-1);
7838 }
7839 
7840 boolean_t
7841 zonecfg_valid_auths(const char *auths, const char *zonename)
7842 {
7843 	char *right;
7844 	char *tmpauths;
7845 	char *lasts;
7846 	char authname[MAXAUTHS];
7847 	boolean_t status = B_TRUE;
7848 
7849 	tmpauths = strdup(auths);
7850 	if (tmpauths == NULL) {
7851 		zerror(zonename, gettext("Out of memory"));
7852 		return (B_FALSE);
7853 	}
7854 	right = strtok_r(tmpauths, ",", &lasts);
7855 	while (right != NULL) {
7856 		(void) snprintf(authname, MAXAUTHS, "%s%s",
7857 		    ZONE_AUTH_PREFIX, right);
7858 		if (getauthnam(authname) == NULL) {
7859 			status = B_FALSE;
7860 			zerror(zonename,
7861 			    gettext("'%s' is not a valid authorization"),
7862 			    right);
7863 		}
7864 		right = strtok_r(NULL, ",", &lasts);
7865 	}
7866 	free(tmpauths);
7867 	return (status);
7868 }
7869 
7870 int
7871 zonecfg_delete_admins(zone_dochandle_t handle, char *zonename)
7872 {
7873 	int err;
7874 	struct zone_admintab admintab;
7875 	boolean_t changed = B_FALSE;
7876 
7877 	if ((err = zonecfg_setadminent(handle)) != Z_OK) {
7878 		return (err);
7879 	}
7880 	while (zonecfg_getadminent(handle, &admintab) == Z_OK) {
7881 		err = zonecfg_delete_admin(handle, &admintab,
7882 		    zonename);
7883 		if (err != Z_OK) {
7884 			(void) zonecfg_endadminent(handle);
7885 			return (err);
7886 		} else {
7887 			changed = B_TRUE;
7888 		}
7889 		if ((err = zonecfg_setadminent(handle)) != Z_OK) {
7890 			return (err);
7891 		}
7892 	}
7893 	(void) zonecfg_endadminent(handle);
7894 	return (changed? Z_OK:Z_NO_ENTRY);
7895 }
7896 
7897 /*
7898  * Checks if a long authorization applies to this zone.
7899  * If so, it returns true, after destructively stripping
7900  * the authorization of its prefix and zone suffix.
7901  */
7902 static boolean_t
7903 is_zone_auth(char **auth, char *zonename, char *oldzonename)
7904 {
7905 	char *suffix;
7906 	size_t offset;
7907 
7908 	offset = strlen(ZONE_AUTH_PREFIX);
7909 	if ((strncmp(*auth, ZONE_AUTH_PREFIX, offset) == 0) &&
7910 	    ((suffix = strchr(*auth, '/')) != NULL)) {
7911 		if (strcmp(suffix + 1, zonename) == 0) {
7912 			*auth += offset;
7913 			suffix[0] = '\0';
7914 			return (B_TRUE);
7915 		} else if ((oldzonename != NULL) &&
7916 		    (strcmp(suffix + 1, oldzonename) == 0)) {
7917 			*auth += offset;
7918 			suffix[0] = '\0';
7919 			return (B_TRUE);
7920 		}
7921 	}
7922 	return (B_FALSE);
7923 }
7924 
7925 /*
7926  * This function determines whether the zone-specific authorization
7927  * assignments in /etc/user_attr have been changed more recently
7928  * than the equivalent data stored in the zone's configuration file.
7929  * This should only happen if the zone-specific authorizations in
7930  * the user_attr file were modified using a tool other than zonecfg.
7931  * If the configuration file is out-of-date with respect to these
7932  * authorization assignments, it is updated to match those specified
7933  * in /etc/user_attr.
7934  */
7935 
7936 int
7937 zonecfg_update_userauths(zone_dochandle_t handle, char *zonename)
7938 {
7939 	userattr_t *ua_ptr;
7940 	char *authlist;
7941 	char *lasts;
7942 	FILE  *uaf;
7943 	struct zone_admintab admintab;
7944 	struct stat config_st, ua_st;
7945 	char config_file[MAXPATHLEN];
7946 	boolean_t changed = B_FALSE;
7947 	int err;
7948 
7949 	if ((uaf = fopen(USERATTR_FILENAME, "r")) == NULL) {
7950 		zerror(zonename, gettext("could not open file %s: %s"),
7951 		    USERATTR_FILENAME, strerror(errno));
7952 		if (errno == EACCES)
7953 			return (Z_ACCES);
7954 		if (errno == ENOENT)
7955 			return (Z_NO_ZONE);
7956 		return (Z_MISC_FS);
7957 	}
7958 	if ((err = fstat(fileno(uaf), &ua_st)) != 0) {
7959 		zerror(zonename, gettext("could not stat file %s: %s"),
7960 		    USERATTR_FILENAME, strerror(errno));
7961 		(void) fclose(uaf);
7962 		return (Z_MISC_FS);
7963 	}
7964 	if (!config_file_path(zonename, config_file)) {
7965 		(void) fclose(uaf);
7966 		return (Z_MISC_FS);
7967 	}
7968 
7969 	if ((err = stat(config_file, &config_st)) != 0) {
7970 		zerror(zonename, gettext("could not stat file %s: %s"),
7971 		    config_file, strerror(errno));
7972 		(void) fclose(uaf);
7973 		return (Z_MISC_FS);
7974 	}
7975 	if (config_st.st_mtime >= ua_st.st_mtime) {
7976 		(void) fclose(uaf);
7977 		return (Z_NO_ENTRY);
7978 	}
7979 	if ((err = zonecfg_delete_admins(handle, zonename)) == Z_OK) {
7980 		changed = B_TRUE;
7981 	} else if (err != Z_NO_ENTRY) {
7982 		(void) fclose(uaf);
7983 		return (err);
7984 	}
7985 	while ((ua_ptr = fgetuserattr(uaf)) != NULL) {
7986 		if (ua_ptr->name[0] == '#') {
7987 			continue;
7988 		}
7989 		authlist = kva_match(ua_ptr->attr, USERATTR_AUTHS_KW);
7990 		if (authlist != NULL) {
7991 			char *cur_auth;
7992 			boolean_t first;
7993 
7994 			first = B_TRUE;
7995 			bzero(&admintab.zone_admin_auths, MAXAUTHS);
7996 			cur_auth = strtok_r(authlist, ",", &lasts);
7997 			while (cur_auth != NULL) {
7998 				if (is_zone_auth(&cur_auth, zonename,
7999 				    NULL)) {
8000 					/*
8001 					 * Add auths for this zone
8002 					 */
8003 					if (first) {
8004 						first = B_FALSE;
8005 					} else {
8006 						(void) strlcat(
8007 						    admintab.zone_admin_auths,
8008 						    ",", MAXAUTHS);
8009 					}
8010 					(void) strlcat(
8011 					    admintab.zone_admin_auths,
8012 					    cur_auth, MAXAUTHS);
8013 				}
8014 				cur_auth = strtok_r(NULL, ",", &lasts);
8015 			}
8016 			if (!first) {
8017 				/*
8018 				 * Add this right to config file
8019 				 */
8020 				(void) strlcpy(admintab.zone_admin_user,
8021 				    ua_ptr->name,
8022 				    sizeof (admintab.zone_admin_user));
8023 				err = zonecfg_add_admin(handle,
8024 				    &admintab, zonename);
8025 				if (err != Z_OK) {
8026 					(void) fclose(uaf);
8027 					return (err);
8028 				} else {
8029 					changed = B_TRUE;
8030 				}
8031 			}
8032 		}
8033 	} /* end-of-while-loop */
8034 	(void) fclose(uaf);
8035 	return (changed? Z_OK: Z_NO_ENTRY);
8036 }
8037 
8038 static void
8039 update_profiles(char *rbac_profs, boolean_t add)
8040 {
8041 	char new_profs[MAXPROFS];
8042 	char *cur_prof;
8043 	boolean_t first = B_TRUE;
8044 	boolean_t found = B_FALSE;
8045 	char *lasts;
8046 
8047 	cur_prof = strtok_r(rbac_profs, ",", &lasts);
8048 	while (cur_prof != NULL) {
8049 		if (strcmp(cur_prof, ZONE_MGMT_PROF) == 0) {
8050 			found = B_TRUE;
8051 			if (!add) {
8052 				cur_prof = strtok_r(NULL, ",", &lasts);
8053 				continue;
8054 			}
8055 		}
8056 		if (first) {
8057 			first = B_FALSE;
8058 		} else {
8059 			(void) strlcat(new_profs, ",",
8060 			    MAXPROFS);
8061 		}
8062 		(void) strlcat(new_profs, cur_prof,
8063 		    MAXPROFS);
8064 		cur_prof = strtok_r(NULL, ",", &lasts);
8065 	}
8066 	/*
8067 	 * Now prepend the Zone Management profile at the beginning
8068 	 * of the list if it is needed, and append the rest.
8069 	 * Return the updated list in the original buffer.
8070 	 */
8071 	if (add && !found) {
8072 		first = B_FALSE;
8073 		(void) strlcpy(rbac_profs, ZONE_MGMT_PROF, MAXPROFS);
8074 	} else {
8075 		first = B_TRUE;
8076 		rbac_profs[0] = '\0';
8077 	}
8078 	if (strlen(new_profs) > 0) {
8079 		if (!first)
8080 			(void) strlcat(rbac_profs, ",", MAXPROFS);
8081 		(void) strlcat(rbac_profs, new_profs, MAXPROFS);
8082 	}
8083 }
8084 
8085 #define	MAX_CMD_LEN	1024
8086 
8087 static int
8088 do_subproc(char *zonename, char *cmdbuf)
8089 {
8090 	char inbuf[MAX_CMD_LEN];
8091 	FILE *file;
8092 	int status;
8093 
8094 	file = popen(cmdbuf, "r");
8095 	if (file == NULL) {
8096 		zerror(zonename, gettext("Could not launch: %s"), cmdbuf);
8097 		return (-1);
8098 	}
8099 
8100 	while (fgets(inbuf, sizeof (inbuf), file) != NULL)
8101 		(void) fprintf(stderr, "%s", inbuf);
8102 	status = pclose(file);
8103 
8104 	if (WIFSIGNALED(status)) {
8105 		zerror(zonename, gettext("%s unexpectedly terminated "
8106 		    "due to signal %d"),
8107 		    cmdbuf, WTERMSIG(status));
8108 		return (-1);
8109 	}
8110 	assert(WIFEXITED(status));
8111 	return (WEXITSTATUS(status));
8112 }
8113 
8114 /*
8115  * This function updates the local /etc/user_attr file to
8116  * correspond to the admin settings that are currently being
8117  * committed. The updates are done via usermod and/or rolemod
8118  * depending on the type of the specified user. It is also
8119  * invoked to remove entries from user_attr corresponding to
8120  * removed admin assignments, using an empty auths string.
8121  *
8122  * Because the removed entries are no longer included in the
8123  * cofiguration that is being committed, a linked list of
8124  * removed admin entries is maintained to keep track of such
8125  * transactions. The head of the list is stored in the zone_dh_userauths
8126  * element of the handle strcture.
8127  */
8128 static int
8129 zonecfg_authorize_user_impl(zone_dochandle_t handle, char *user,
8130     char *auths, char *zonename)
8131 {
8132 	char *right;
8133 	char old_auths[MAXAUTHS];
8134 	char new_auths[MAXAUTHS];
8135 	char rbac_profs[MAXPROFS];
8136 	char *lasts;
8137 	userattr_t *u;
8138 	boolean_t first = B_TRUE;
8139 	boolean_t is_zone_admin = B_FALSE;
8140 	char user_cmd[] = "/usr/sbin/usermod";
8141 	char role_cmd[] = "/usr/sbin/rolemod";
8142 	char *auths_cmd = user_cmd;	/* either usermod or rolemod */
8143 	char *new_auth_start;		/* string containing the new auths */
8144 	int new_auth_cnt = 0;		/* delta of changed authorizations */
8145 
8146 	/*
8147 	 * First get the existing authorizations for this user
8148 	 */
8149 
8150 	bzero(&old_auths, sizeof (old_auths));
8151 	bzero(&new_auths, sizeof (new_auths));
8152 	bzero(&rbac_profs, sizeof (rbac_profs));
8153 	if ((u = getusernam(user)) != NULL) {
8154 		char *current_auths;
8155 		char *current_profs;
8156 		char *type;
8157 
8158 		type = kva_match(u->attr, USERATTR_TYPE_KW);
8159 		if (type != NULL) {
8160 			if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) == 0)
8161 				auths_cmd = role_cmd;
8162 		}
8163 
8164 		current_auths = kva_match(u->attr, USERATTR_AUTHS_KW);
8165 		if (current_auths != NULL) {
8166 			char *cur_auth;
8167 			char *delete_name;
8168 			size_t offset;
8169 
8170 			offset = strlen(ZONE_AUTH_PREFIX);
8171 
8172 			(void) strlcpy(old_auths, current_auths, MAXAUTHS);
8173 			cur_auth = strtok_r(current_auths, ",", &lasts);
8174 
8175 			/*
8176 			 * Next, remove any existing authorizations
8177 			 * for this zone, and determine if the
8178 			 * user still needs the Zone Management Profile.
8179 			 */
8180 			if (is_renaming(handle))
8181 				delete_name = handle->zone_dh_delete_name;
8182 			else
8183 				delete_name = NULL;
8184 			while (cur_auth != NULL) {
8185 				if (!is_zone_auth(&cur_auth, zonename,
8186 				    delete_name)) {
8187 					if (first) {
8188 						first = B_FALSE;
8189 					} else {
8190 						(void) strlcat(new_auths, ",",
8191 						    MAXAUTHS);
8192 					}
8193 					(void) strlcat(new_auths, cur_auth,
8194 					    MAXAUTHS);
8195 					/*
8196 					 * If the user has authorizations
8197 					 * for other zones, then set a
8198 					 * flag indicate that the Zone
8199 					 * Management profile should be
8200 					 * preserved in user_attr.
8201 					 */
8202 					if (strncmp(cur_auth,
8203 					    ZONE_AUTH_PREFIX, offset) == 0)
8204 						is_zone_admin = B_TRUE;
8205 				} else {
8206 					new_auth_cnt++;
8207 				}
8208 				cur_auth = strtok_r(NULL, ",", &lasts);
8209 			}
8210 		}
8211 		current_profs = kva_match(u->attr, USERATTR_PROFILES_KW);
8212 		if (current_profs != NULL) {
8213 			(void) strlcpy(rbac_profs, current_profs, MAXPROFS);
8214 		}
8215 		free_userattr(u);
8216 	}
8217 	/*
8218 	 * The following is done to avoid revisiting the
8219 	 * user_attr entry for this user
8220 	 */
8221 	(void) zonecfg_remove_userauths(handle, user, "", B_FALSE);
8222 
8223 	/*
8224 	 * Convert each right into a properly formatted authorization
8225 	 */
8226 	new_auth_start = new_auths + strlen(new_auths);
8227 	if (!first)
8228 		new_auth_start++;
8229 	right = strtok_r(auths, ",", &lasts);
8230 	while (right != NULL) {
8231 		char auth[MAXAUTHS];
8232 
8233 		(void) snprintf(auth, MAXAUTHS, "%s%s/%s",
8234 		    ZONE_AUTH_PREFIX, right, zonename);
8235 		if (first) {
8236 			first = B_FALSE;
8237 		} else {
8238 			(void) strlcat(new_auths, ",", MAXAUTHS);
8239 		}
8240 		(void) strlcat(new_auths, auth, MAXAUTHS);
8241 		is_zone_admin = B_TRUE;
8242 		new_auth_cnt--;
8243 		right = strtok_r(NULL, ",", &lasts);
8244 	}
8245 
8246 	/*
8247 	 * Need to update the authorizations in user_attr unless
8248 	 * the number of old and new authorizations is unchanged
8249 	 * and the new auths are a substrings of the old auths.
8250 	 *
8251 	 * If the user's previous authorizations have changed
8252 	 * execute the usermod progam to update them in user_attr.
8253 	 */
8254 	if ((new_auth_cnt != 0) ||
8255 	    (strstr(old_auths, new_auth_start) == NULL)) {
8256 		char    *cmdbuf;
8257 		size_t  cmd_len;
8258 
8259 		update_profiles(rbac_profs, is_zone_admin);
8260 		cmd_len = snprintf(NULL, 0, "%s -A \"%s\" -P \"%s\" %s",
8261 		    auths_cmd, new_auths, rbac_profs, user) + 1;
8262 		if ((cmdbuf = malloc(cmd_len)) == NULL) {
8263 			return (Z_NOMEM);
8264 		}
8265 		(void) snprintf(cmdbuf, cmd_len, "%s -A \"%s\" -P \"%s\" %s",
8266 		    auths_cmd, new_auths, rbac_profs, user);
8267 		if (do_subproc(zonename, cmdbuf) != 0) {
8268 			free(cmdbuf);
8269 			return (Z_SYSTEM);
8270 		}
8271 		free(cmdbuf);
8272 	}
8273 
8274 	return (Z_OK);
8275 }
8276 
8277 int
8278 zonecfg_authorize_users(zone_dochandle_t handle, char *zonename)
8279 {
8280 	xmlNodePtr cur;
8281 	int err;
8282 	char user[MAXUSERNAME];
8283 	char auths[MAXAUTHS];
8284 
8285 	if ((err = operation_prep(handle)) != Z_OK)
8286 		return (err);
8287 
8288 	cur = handle->zone_dh_cur;
8289 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
8290 		if (xmlStrcmp(cur->name, DTD_ELEM_ADMIN))
8291 			continue;
8292 		if (fetchprop(cur, DTD_ATTR_USER, user,
8293 		    sizeof (user)) != Z_OK)
8294 			continue;
8295 		if (fetchprop(cur, DTD_ATTR_AUTHS, auths,
8296 		    sizeof (auths)) != Z_OK)
8297 			continue;
8298 		if (zonecfg_authorize_user_impl(handle, user, auths, zonename)
8299 		    != Z_OK)
8300 			return (Z_SYSTEM);
8301 	}
8302 	(void) zonecfg_remove_userauths(handle, "", "", B_TRUE);
8303 
8304 	return (Z_OK);
8305 }
8306 
8307 int
8308 zonecfg_deauthorize_user(zone_dochandle_t handle, char *user, char *zonename)
8309 {
8310 	return (zonecfg_authorize_user_impl(handle, user, "", zonename));
8311 }
8312 
8313 int
8314 zonecfg_deauthorize_users(zone_dochandle_t handle, char *zonename)
8315 {
8316 	xmlNodePtr cur;
8317 	int err;
8318 	char user[MAXUSERNAME];
8319 
8320 	if ((err = operation_prep(handle)) != Z_OK)
8321 		return (err);
8322 
8323 	cur = handle->zone_dh_cur;
8324 	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
8325 		if (xmlStrcmp(cur->name, DTD_ELEM_ADMIN))
8326 			continue;
8327 		if (fetchprop(cur, DTD_ATTR_USER, user,
8328 		    sizeof (user)) != Z_OK)
8329 			continue;
8330 		if ((err = zonecfg_deauthorize_user(handle, user,
8331 		    zonename)) != Z_OK)
8332 			return (err);
8333 	}
8334 	return (Z_OK);
8335 }
8336 
8337 int
8338 zonecfg_insert_userauths(zone_dochandle_t handle, char *user, char *zonename)
8339 {
8340 	zone_userauths_t *new, **prev, *next;
8341 
8342 	prev = &handle->zone_dh_userauths;
8343 	next = *prev;
8344 	while (next) {
8345 		if ((strncmp(next->user, user, MAXUSERNAME) == 0) &&
8346 		    (strncmp(next->zonename, zonename,
8347 		    ZONENAME_MAX) == 0)) {
8348 			/*
8349 			 * user is already in list
8350 			 * which isn't supposed to happen!
8351 			 */
8352 			return (Z_OK);
8353 		}
8354 		prev = &next->next;
8355 		next = *prev;
8356 	}
8357 	new = (zone_userauths_t *)malloc(sizeof (zone_userauths_t));
8358 	if (new == NULL)
8359 		return (Z_NOMEM);
8360 
8361 	(void) strlcpy(new->user, user, sizeof (new->user));
8362 	(void) strlcpy(new->zonename, zonename, sizeof (new->zonename));
8363 	new->next = NULL;
8364 	*prev = new;
8365 	return (Z_OK);
8366 }
8367 
8368 int
8369 zonecfg_remove_userauths(zone_dochandle_t handle, char *user, char *zonename,
8370     boolean_t deauthorize)
8371 {
8372 	zone_userauths_t *new, **prev, *next;
8373 
8374 	prev = &handle->zone_dh_userauths;
8375 	next = *prev;
8376 
8377 	while (next) {
8378 		if ((strlen(user) == 0 ||
8379 		    strncmp(next->user, user, MAXUSERNAME) == 0) &&
8380 		    (strlen(zonename) == 0 ||
8381 		    (strncmp(next->zonename, zonename, ZONENAME_MAX) == 0))) {
8382 			new = next;
8383 			*prev = next->next;
8384 			next =  *prev;
8385 			if (deauthorize)
8386 				(void) zonecfg_deauthorize_user(handle,
8387 				    new->user, new->zonename);
8388 			free(new);
8389 			continue;
8390 		}
8391 		prev = &next->next;
8392 		next = *prev;
8393 	}
8394 	return (Z_OK);
8395 }
8396