xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision 14c2ce9048cb9407fdf675f7ef76081a1dd5e715)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/stat.h>
34 #include <sys/errno.h>
35 #include <sys/kmem.h>
36 #include <sys/user.h>
37 #include <sys/proc.h>
38 #include <sys/acct.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
43 #include <sys/kobj.h>
44 #include <sys/msg.h>
45 #include <sys/devpolicy.h>
46 #include <c2/audit.h>
47 #include <sys/varargs.h>
48 #include <sys/klpd.h>
49 #include <sys/modctl.h>
50 #include <sys/disp.h>
51 #include <sys/zone.h>
52 #include <inet/optcom.h>
53 #include <sys/sdt.h>
54 #include <sys/vfs.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 #include <sys/dld_ioc.h>
58 
59 /*
60  * There are two possible layers of privilege routines and two possible
61  * levels of secpolicy.  Plus one other we may not be interested in, so
62  * we may need as many as 6 but no more.
63  */
64 #define	MAXPRIVSTACK		6
65 
66 int priv_debug = 0;
67 
68 /*
69  * This file contains the majority of the policy routines.
70  * Since the policy routines are defined by function and not
71  * by privilege, there is quite a bit of duplication of
72  * functions.
73  *
74  * The secpolicy functions must not make assumptions about
75  * locks held or not held as any lock can be held while they're
76  * being called.
77  *
78  * Credentials are read-only so no special precautions need to
79  * be taken while locking them.
80  *
81  * When a new policy check needs to be added to the system the
82  * following procedure should be followed:
83  *
84  *		Pick an appropriate secpolicy_*() function
85  *			-> done if one exists.
86  *		Create a new secpolicy function, preferably with
87  *		a descriptive name using the standard template.
88  *		Pick an appropriate privilege for the policy.
89  *		If no appropraite privilege exists, define new one
90  *		(this should be done with extreme care; in most cases
91  *		little is gained by adding another privilege)
92  *
93  * WHY ROOT IS STILL SPECIAL.
94  *
95  * In a number of the policy functions, there are still explicit
96  * checks for uid 0.  The rationale behind these is that many root
97  * owned files/objects hold configuration information which can give full
98  * privileges to the user once written to.  To prevent escalation
99  * of privilege by allowing just a single privilege to modify root owned
100  * objects, we've added these root specific checks where we considered
101  * them necessary: modifying root owned files, changing uids to 0, etc.
102  *
103  * PRIVILEGE ESCALATION AND ZONES.
104  *
105  * A number of operations potentially allow the caller to achieve
106  * privileges beyond the ones normally required to perform the operation.
107  * For example, if allowed to create a setuid 0 executable, a process can
108  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
109  * restrictions on the ability to gain privileges beyond those available
110  * within the zone through file and process manipulation.  Hence, such
111  * operations require that the caller have an effective set that includes
112  * all privileges available within the current zone, or all privileges
113  * if executing in the global zone.
114  *
115  * This is indicated in the priv_policy* policy checking functions
116  * through a combination of parameters.  The "priv" parameter indicates
117  * the privilege that is required, and the "allzone" parameter indicates
118  * whether or not all privileges in the zone are required.  In addition,
119  * priv can be set to PRIV_ALL to indicate that all privileges are
120  * required (regardless of zone).  There are three scenarios of interest:
121  * (1) operation requires a specific privilege
122  * (2) operation requires a specific privilege, and requires all
123  *     privileges available within the zone (or all privileges if in
124  *     the global zone)
125  * (3) operation requires all privileges, regardless of zone
126  *
127  * For (1), priv should be set to the specific privilege, and allzone
128  * should be set to B_FALSE.
129  * For (2), priv should be set to the specific privilege, and allzone
130  * should be set to B_TRUE.
131  * For (3), priv should be set to PRIV_ALL, and allzone should be set
132  * to B_FALSE.
133  *
134  */
135 
136 /*
137  * The privileges are checked against the Effective set for
138  * ordinary processes and checked against the Limit set
139  * for euid 0 processes that haven't manipulated their privilege
140  * sets.
141  */
142 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
143 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
144 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
145 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
146 					HAS_ALLPRIVS(cr) : \
147 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
148 
149 /*
150  * Policy checking functions.
151  *
152  * All of the system's policy should be implemented here.
153  */
154 
155 /*
156  * Private functions which take an additional va_list argument to
157  * implement an object specific policy override.
158  */
159 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
160     const char *, va_list);
161 static int priv_policy_va(const cred_t *, int, boolean_t, int,
162     const char *, ...);
163 
164 /*
165  * Generic policy calls
166  *
167  * The "bottom" functions of policy control
168  */
169 static char *
170 mprintf(const char *fmt, ...)
171 {
172 	va_list args;
173 	char *buf;
174 	size_t len;
175 
176 	va_start(args, fmt);
177 	len = vsnprintf(NULL, 0, fmt, args) + 1;
178 	va_end(args);
179 
180 	buf = kmem_alloc(len, KM_NOSLEEP);
181 
182 	if (buf == NULL)
183 		return (NULL);
184 
185 	va_start(args, fmt);
186 	(void) vsnprintf(buf, len, fmt, args);
187 	va_end(args);
188 
189 	return (buf);
190 }
191 
192 /*
193  * priv_policy_errmsg()
194  *
195  * Generate an error message if privilege debugging is enabled system wide
196  * or for this particular process.
197  */
198 
199 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
200 #define	FMTMSG	" for \"%s\""
201 #define	FMTFUN	" needed at %s+0x%lx"
202 
203 /* The maximum size privilege format: the concatenation of the above */
204 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
205 
206 static void
207 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
208 {
209 	struct proc *me;
210 	pc_t stack[MAXPRIVSTACK];
211 	int depth;
212 	int i;
213 	char *sym;
214 	ulong_t off;
215 	const char *pname;
216 
217 	char *cmd;
218 	char fmt[sizeof (FMTMAX)];
219 
220 	if ((me = curproc) == &p0)
221 		return;
222 
223 	/* Privileges must be defined  */
224 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
225 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
226 	    priv_getbynum(priv) != NULL);
227 
228 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
229 		priv = PRIV_ALL;
230 
231 	if (curthread->t_pre_sys)
232 		ttolwp(curthread)->lwp_badpriv = (short)priv;
233 
234 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
235 		return;
236 
237 	(void) strcpy(fmt, FMTHDR);
238 
239 	if (me->p_user.u_comm[0])
240 		cmd = &me->p_user.u_comm[0];
241 	else
242 		cmd = "priv_policy";
243 
244 	if (msg != NULL && *msg != '\0') {
245 		(void) strcat(fmt, FMTMSG);
246 	} else {
247 		(void) strcat(fmt, "%s");
248 		msg = "";
249 	}
250 
251 	sym = NULL;
252 
253 	depth = getpcstack(stack, MAXPRIVSTACK);
254 
255 	/*
256 	 * Try to find the first interesting function on the stack.
257 	 * priv_policy* that's us, so completely uninteresting.
258 	 * suser(), drv_priv(), secpolicy_* are also called from
259 	 * too many locations to convey useful information.
260 	 */
261 	for (i = 0; i < depth; i++) {
262 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
263 		if (sym != NULL &&
264 		    strstr(sym, "hasprocperm") == 0 &&
265 		    strcmp("suser", sym) != 0 &&
266 		    strcmp("ipcaccess", sym) != 0 &&
267 		    strcmp("drv_priv", sym) != 0 &&
268 		    strncmp("secpolicy_", sym, 10) != 0 &&
269 		    strncmp("priv_policy", sym, 11) != 0)
270 			break;
271 	}
272 
273 	if (sym != NULL)
274 		(void) strcat(fmt, FMTFUN);
275 
276 	(void) strcat(fmt, "\n");
277 
278 	switch (priv) {
279 	case PRIV_ALL:
280 		pname = "ALL";
281 		break;
282 	case PRIV_MULTIPLE:
283 		pname = "MULTIPLE";
284 		break;
285 	case PRIV_ALLZONE:
286 		pname = "ZONE";
287 		break;
288 	case PRIV_GLOBAL:
289 		pname = "GLOBAL";
290 		break;
291 	default:
292 		pname = priv_getbynum(priv);
293 		break;
294 	}
295 
296 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
297 		/* Remember last message, just like lwp_badpriv. */
298 		if (curthread->t_pdmsg != NULL) {
299 			kmem_free(curthread->t_pdmsg,
300 			    strlen(curthread->t_pdmsg) + 1);
301 		}
302 
303 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
304 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
305 
306 		curthread->t_post_sys = 1;
307 	}
308 	if (priv_debug) {
309 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
310 		    curthread->t_sysnum, msg, sym, off);
311 	}
312 }
313 
314 /*
315  * Override the policy, if appropriate.  Return 0 if the external
316  * policy engine approves.
317  */
318 static int
319 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
320 {
321 	priv_set_t set;
322 	int ret;
323 
324 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
325 		return (-1);
326 
327 	if (priv == PRIV_ALL) {
328 		priv_fillset(&set);
329 	} else if (allzone) {
330 		set = *ZONEPRIVS(cr);
331 	} else {
332 		priv_emptyset(&set);
333 		priv_addset(&set, priv);
334 	}
335 	ret = klpd_call(cr, &set, ap);
336 	return (ret);
337 }
338 
339 static int
340 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...)
341 {
342 	va_list ap;
343 
344 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
345 		va_start(ap, req);
346 		return (klpd_call(cr, req, ap));
347 	}
348 	return (-1);
349 }
350 
351 /*
352  * Audit failure, log error message.
353  */
354 static void
355 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
356 {
357 
358 	if (audit_active)
359 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
360 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
361 
362 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
363 	    curthread->t_pre_sys) {
364 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
365 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
366 		} else {
367 			ASSERT(!HAS_PRIVILEGE(cr, priv));
368 			priv_policy_errmsg(cr, priv, msg);
369 		}
370 	}
371 }
372 
373 /*
374  * priv_policy_ap()
375  * return 0 or error.
376  * See block comment above for a description of "priv" and "allzone" usage.
377  */
378 static int
379 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
380     const char *msg, va_list ap)
381 {
382 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
383 	    (!servicing_interrupt() &&
384 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
385 		if ((allzone || priv == PRIV_ALL ||
386 		    !PRIV_ISASSERT(priv_basic, priv)) &&
387 		    !servicing_interrupt()) {
388 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
389 			if (audit_active)
390 				audit_priv(priv,
391 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
392 		}
393 		err = 0;
394 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
395 	} else if (!servicing_interrupt()) {
396 		/* Failure audited in this procedure */
397 		priv_policy_err(cr, priv, allzone, msg);
398 	}
399 	return (err);
400 }
401 
402 int
403 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
404     const char *msg, ...)
405 {
406 	int ret;
407 	va_list ap;
408 
409 	va_start(ap, msg);
410 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
411 	va_end(ap);
412 
413 	return (ret);
414 }
415 
416 int
417 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
418     const char *msg)
419 {
420 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE));
421 }
422 
423 /*
424  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
425  */
426 boolean_t
427 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
428 {
429 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
430 	    (!allzone || HAS_ALLZONEPRIVS(cr));
431 
432 	/* Audit success only */
433 	if (res && audit_active &&
434 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
435 	    !servicing_interrupt()) {
436 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
437 	}
438 	if (res) {
439 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
440 	} else {
441 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
442 	}
443 	return (res);
444 }
445 
446 /*
447  * Non-auditing variant of priv_policy_choice().
448  */
449 boolean_t
450 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
451 {
452 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
453 	    (!allzone || HAS_ALLZONEPRIVS(cr));
454 
455 	if (res) {
456 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
457 	} else {
458 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
459 	}
460 	return (res);
461 }
462 
463 /*
464  * Check whether all privileges in the required set are present.
465  */
466 static int
467 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
468 {
469 	int priv;
470 	int pfound = -1;
471 	priv_set_t pset;
472 
473 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
474 	    &CR_OEPRIV(cr))) {
475 		return (0);
476 	}
477 
478 	if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0)
479 		return (0);
480 
481 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
482 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
483 		return (EACCES);
484 	}
485 
486 	pset = CR_OEPRIV(cr);		/* present privileges */
487 	priv_inverse(&pset);		/* all non present privileges */
488 	priv_intersect(req, &pset);	/* the actual missing privs */
489 
490 	if (audit_active)
491 		audit_priv(PRIV_NONE, &pset, 0);
492 	/*
493 	 * Privilege debugging; special case "one privilege in set".
494 	 */
495 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
496 		for (priv = 0; priv < nprivs; priv++) {
497 			if (priv_ismember(&pset, priv)) {
498 				if (pfound != -1) {
499 					/* Multiple missing privs */
500 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
501 					    msg);
502 					return (EACCES);
503 				}
504 				pfound = priv;
505 			}
506 		}
507 		ASSERT(pfound != -1);
508 		/* Just the one missing privilege */
509 		priv_policy_errmsg(cr, pfound, msg);
510 	}
511 
512 	return (EACCES);
513 }
514 
515 /*
516  * Called when an operation requires that the caller be in the
517  * global zone, regardless of privilege.
518  */
519 static int
520 priv_policy_global(const cred_t *cr)
521 {
522 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
523 		return (0);	/* success */
524 
525 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
526 	    curthread->t_pre_sys) {
527 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
528 	}
529 	return (EPERM);
530 }
531 
532 /*
533  * Changing process priority
534  */
535 int
536 secpolicy_setpriority(const cred_t *cr)
537 {
538 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
539 }
540 
541 /*
542  * Binding to a privileged port, port must be specified in host byte
543  * order.
544  */
545 int
546 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
547 {
548 	char *reason;
549 	int priv;
550 
551 	switch (port) {
552 	case 137:
553 	case 138:
554 	case 139:
555 	case 445:
556 		/*
557 		 * NBT and SMB ports, these are extra privileged ports,
558 		 * allow bind only if the SYS_SMB privilege is present.
559 		 */
560 		priv = PRIV_SYS_SMB;
561 		reason = "NBT or SMB port";
562 		break;
563 
564 	case 2049:
565 	case 4045:
566 		/*
567 		 * NFS ports, these are extra privileged ports, allow bind
568 		 * only if the SYS_NFS privilege is present.
569 		 */
570 		priv = PRIV_SYS_NFS;
571 		reason = "NFS port";
572 		break;
573 
574 	default:
575 		priv = PRIV_NET_PRIVADDR;
576 		reason = NULL;
577 		break;
578 
579 	}
580 
581 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
582 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
583 }
584 
585 /*
586  * Binding to a multilevel port on a trusted (labeled) system.
587  */
588 int
589 secpolicy_net_bindmlp(const cred_t *cr)
590 {
591 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
592 }
593 
594 /*
595  * Allow a communication between a zone and an unlabeled host when their
596  * labels don't match.
597  */
598 int
599 secpolicy_net_mac_aware(const cred_t *cr)
600 {
601 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
602 }
603 
604 /*
605  * Allow a privileged process to transmit traffic without explicit labels
606  */
607 int
608 secpolicy_net_mac_implicit(const cred_t *cr)
609 {
610 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
611 }
612 
613 /*
614  * Common routine which determines whether a given credential can
615  * act on a given mount.
616  * When called through mount, the parameter needoptcheck is a pointer
617  * to a boolean variable which will be set to either true or false,
618  * depending on whether the mount policy should change the mount options.
619  * In all other cases, needoptcheck should be a NULL pointer.
620  */
621 static int
622 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
623     boolean_t *needoptcheck)
624 {
625 	boolean_t allzone = B_FALSE;
626 	boolean_t mounting = needoptcheck != NULL;
627 
628 	/*
629 	 * Short circuit the following cases:
630 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
631 	 *	have all privileges - no further checks required
632 	 *	and no mount options need to be set.
633 	 */
634 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
635 		if (mounting)
636 			*needoptcheck = B_FALSE;
637 
638 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
639 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
640 	}
641 
642 	/*
643 	 * When operating on an existing mount (either we're not mounting
644 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
645 	 * can operate only on mounts established by the zone itself.
646 	 */
647 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
648 		zoneid_t zoneid = crgetzoneid(cr);
649 
650 		if (zoneid != GLOBAL_ZONEID &&
651 		    vfsp->vfs_zone->zone_id != zoneid) {
652 			return (EPERM);
653 		}
654 	}
655 
656 	if (mounting)
657 		*needoptcheck = B_TRUE;
658 
659 	/*
660 	 * Overlay mounts may hide important stuff; if you can't write to a
661 	 * mount point but would be able to mount on top of it, you can
662 	 * escalate your privileges.
663 	 * So we go about asking the same questions namefs does when it
664 	 * decides whether you can mount over a file or not but with the
665 	 * added restriction that you can only mount on top of a regular
666 	 * file or directory.
667 	 * If we have all the zone's privileges, we skip all other checks,
668 	 * or else we may actually get in trouble inside the automounter.
669 	 */
670 	if ((mvp->v_flag & VROOT) != 0 ||
671 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
672 	    HAS_ALLZONEPRIVS(cr)) {
673 		allzone = B_TRUE;
674 	} else {
675 		vattr_t va;
676 		int err;
677 
678 		va.va_mask = AT_UID|AT_MODE;
679 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
680 		if (err != 0)
681 			return (err);
682 
683 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
684 			return (err);
685 
686 		if ((va.va_mode & VWRITE) == 0 &&
687 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
688 			return (EACCES);
689 		}
690 	}
691 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
692 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
693 }
694 
695 void
696 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
697 {
698 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
699 
700 	/*
701 	 * check; if we don't have either "nosuid" or
702 	 * both "nosetuid" and "nodevices", then we add
703 	 * "nosuid"; this depends on how the current
704 	 * implementation works (it first checks nosuid).  In a
705 	 * zone, a user with all zone privileges can mount with
706 	 * "setuid" but never with "devices".
707 	 */
708 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
709 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
710 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
711 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
712 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
713 		else
714 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
715 	}
716 	/*
717 	 * If we're not the local super user, we set the "restrict"
718 	 * option to indicate to automountd that this mount should
719 	 * be handled with care.
720 	 */
721 	if (!amsuper)
722 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
723 
724 }
725 
726 extern vnode_t *rootvp;
727 extern vfs_t *rootvfs;
728 
729 int
730 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
731 {
732 	boolean_t needoptchk;
733 	int error;
734 
735 	/*
736 	 * If it's a remount, get the underlying mount point,
737 	 * except for the root where we use the rootvp.
738 	 */
739 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
740 		if (vfsp == rootvfs)
741 			mvp = rootvp;
742 		else
743 			mvp = vfsp->vfs_vnodecovered;
744 	}
745 
746 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
747 
748 	if (error == 0 && needoptchk) {
749 		secpolicy_fs_mount_clearopts(cr, vfsp);
750 	}
751 
752 	return (error);
753 }
754 
755 /*
756  * Does the policy computations for "ownership" of a mount;
757  * here ownership is defined as the ability to "mount"
758  * the filesystem originally.  The rootvfs doesn't cover any
759  * vnodes; we attribute its ownership to the rootvp.
760  */
761 static int
762 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
763 {
764 	vnode_t *mvp;
765 
766 	if (vfsp == NULL)
767 		mvp = NULL;
768 	else if (vfsp == rootvfs)
769 		mvp = rootvp;
770 	else
771 		mvp = vfsp->vfs_vnodecovered;
772 
773 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
774 }
775 
776 int
777 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
778 {
779 	return (secpolicy_fs_owner(cr, vfsp));
780 }
781 
782 /*
783  * Quotas are a resource, but if one has the ability to mount a filesystem, he
784  * should be able to modify quotas on it.
785  */
786 int
787 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
788 {
789 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
790 }
791 
792 /*
793  * Exceeding minfree: also a per-mount resource constraint.
794  */
795 int
796 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
797 {
798 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
799 }
800 
801 int
802 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
803 {
804 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
805 }
806 
807 /* ARGSUSED */
808 int
809 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
810 {
811 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
812 }
813 
814 /*
815  * Name:        secpolicy_vnode_access()
816  *
817  * Parameters:  Process credential
818  *		vnode
819  *		uid of owner of vnode
820  *		permission bits not granted to the caller when examining
821  *		file mode bits (i.e., when a process wants to open a
822  *		mode 444 file for VREAD|VWRITE, this function should be
823  *		called only with a VWRITE argument).
824  *
825  * Normal:      Verifies that cred has the appropriate privileges to
826  *              override the mode bits that were denied.
827  *
828  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
829  *                      not a directory.
830  *              file_dac_read - if VREAD bit was denied.
831  *              file_dac_search - if VEXEC bit was denied and vnode is
832  *                      a directory.
833  *              file_dac_write - if VWRITE bit was denied.
834  *
835  *		Root owned files are special cased to protect system
836  *		configuration files and such.
837  *
838  * Output:      EACCES - if privilege check fails.
839  */
840 
841 /* ARGSUSED */
842 int
843 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
844 {
845 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
846 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
847 	    KLPDARG_NOMORE) != 0) {
848 		return (EACCES);
849 	}
850 
851 	if (mode & VWRITE) {
852 		boolean_t allzone;
853 
854 		if (owner == 0 && cr->cr_uid != 0)
855 			allzone = B_TRUE;
856 		else
857 			allzone = B_FALSE;
858 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
859 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
860 		    KLPDARG_NOMORE) != 0) {
861 			return (EACCES);
862 		}
863 	}
864 
865 	if (mode & VEXEC) {
866 		/*
867 		 * Directories use file_dac_search to override the execute bit.
868 		 */
869 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
870 		    PRIV_FILE_DAC_EXECUTE;
871 
872 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
873 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
874 	}
875 	return (0);
876 }
877 
878 /*
879  * Name:	secpolicy_vnode_setid_modify()
880  *
881  * Normal:	verify that subject can set the file setid flags.
882  *
883  * Output:	EPERM - if not privileged.
884  */
885 
886 static int
887 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
888 {
889 	/* If changing to suid root, must have all zone privs */
890 	boolean_t allzone = B_TRUE;
891 
892 	if (owner != 0) {
893 		if (owner == cr->cr_uid)
894 			return (0);
895 		allzone = B_FALSE;
896 	}
897 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
898 }
899 
900 /*
901  * Are we allowed to retain the set-uid/set-gid bits when
902  * changing ownership or when writing to a file?
903  * "issuid" should be true when set-uid; only in that case
904  * root ownership is checked (setgid is assumed).
905  */
906 int
907 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
908 {
909 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
910 		return (EPERM);
911 
912 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
913 }
914 
915 /*
916  * Name:	secpolicy_vnode_setids_setgids()
917  *
918  * Normal:	verify that subject can set the file setgid flag.
919  *
920  * Output:	EPERM - if not privileged
921  */
922 
923 int
924 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
925 {
926 	if (!groupmember(gid, cred))
927 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
928 		    NULL));
929 	return (0);
930 }
931 
932 /*
933  * Name:	secpolicy_vnode_chown
934  *
935  * Normal:	Determine if subject can chown owner of a file.
936  *
937  * Output:	EPERM - if access denied
938  */
939 
940 int
941 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
942 {
943 	boolean_t is_owner = (owner == crgetuid(cred));
944 	boolean_t allzone = B_FALSE;
945 	int priv;
946 
947 	if (!is_owner) {
948 		allzone = (owner == 0);
949 		priv = PRIV_FILE_CHOWN;
950 	} else {
951 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
952 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
953 	}
954 
955 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
956 }
957 
958 /*
959  * Name:	secpolicy_vnode_create_gid
960  *
961  * Normal:	Determine if subject can change group ownership of a file.
962  *
963  * Output:	EPERM - if access denied
964  */
965 int
966 secpolicy_vnode_create_gid(const cred_t *cred)
967 {
968 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
969 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
970 		    NULL));
971 	else
972 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
973 		    NULL));
974 }
975 
976 /*
977  * Name:	secpolicy_vnode_utime_modify()
978  *
979  * Normal:	verify that subject can modify the utime on a file.
980  *
981  * Output:	EPERM - if access denied.
982  */
983 
984 static int
985 secpolicy_vnode_utime_modify(const cred_t *cred)
986 {
987 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
988 	    "modify file times"));
989 }
990 
991 
992 /*
993  * Name:	secpolicy_vnode_setdac()
994  *
995  * Normal:	verify that subject can modify the mode of a file.
996  *		allzone privilege needed when modifying root owned object.
997  *
998  * Output:	EPERM - if access denied.
999  */
1000 
1001 int
1002 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1003 {
1004 	if (owner == cred->cr_uid)
1005 		return (0);
1006 
1007 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1008 }
1009 /*
1010  * Name:	secpolicy_vnode_stky_modify()
1011  *
1012  * Normal:	verify that subject can make a file a "sticky".
1013  *
1014  * Output:	EPERM - if access denied.
1015  */
1016 
1017 int
1018 secpolicy_vnode_stky_modify(const cred_t *cred)
1019 {
1020 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1021 	    "set file sticky"));
1022 }
1023 
1024 /*
1025  * Policy determines whether we can remove an entry from a directory,
1026  * regardless of permission bits.
1027  */
1028 int
1029 secpolicy_vnode_remove(const cred_t *cr)
1030 {
1031 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1032 	    "sticky directory"));
1033 }
1034 
1035 int
1036 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1037 {
1038 	boolean_t allzone = (owner == 0);
1039 
1040 	if (owner == cr->cr_uid)
1041 		return (0);
1042 
1043 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1044 }
1045 
1046 void
1047 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1048 {
1049 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1050 	    secpolicy_vnode_setid_retain(cr,
1051 	    (vap->va_mode & S_ISUID) != 0 &&
1052 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1053 		vap->va_mask |= AT_MODE;
1054 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1055 	}
1056 }
1057 
1058 int
1059 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1060     cred_t *cr)
1061 {
1062 	int error;
1063 
1064 	if ((vap->va_mode & S_ISUID) != 0 &&
1065 	    (error = secpolicy_vnode_setid_modify(cr,
1066 	    ovap->va_uid)) != 0) {
1067 		return (error);
1068 	}
1069 
1070 	/*
1071 	 * Check privilege if attempting to set the
1072 	 * sticky bit on a non-directory.
1073 	 */
1074 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1075 	    secpolicy_vnode_stky_modify(cr) != 0) {
1076 		vap->va_mode &= ~S_ISVTX;
1077 	}
1078 
1079 	/*
1080 	 * Check for privilege if attempting to set the
1081 	 * group-id bit.
1082 	 */
1083 	if ((vap->va_mode & S_ISGID) != 0 &&
1084 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1085 		vap->va_mode &= ~S_ISGID;
1086 	}
1087 
1088 	return (0);
1089 }
1090 
1091 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1092 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1093 	B_FALSE, EPERM, NULL)
1094 
1095 /*
1096  * Check privileges for setting xvattr attributes
1097  */
1098 int
1099 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1100 {
1101 	xoptattr_t *xoap;
1102 	int error = 0;
1103 
1104 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1105 		return (EINVAL);
1106 
1107 	/*
1108 	 * First process the DOS bits
1109 	 */
1110 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1111 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1112 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1113 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1114 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME)) {
1115 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1116 			return (error);
1117 	}
1118 
1119 	/*
1120 	 * Now handle special attributes
1121 	 */
1122 
1123 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1124 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1125 		    xoap->xoa_immutable, cr);
1126 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1127 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1128 		    xoap->xoa_nounlink, cr);
1129 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1130 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1131 		    xoap->xoa_appendonly, cr);
1132 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1133 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1134 		    xoap->xoa_nodump, cr);
1135 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1136 		error = EPERM;
1137 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1138 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1139 		    xoap->xoa_av_quarantined, cr);
1140 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1141 			error = EINVAL;
1142 	}
1143 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1144 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1145 		    xoap->xoa_av_modified, cr);
1146 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1147 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1148 		    xoap->xoa_av_scanstamp, cr);
1149 		if (error == 0 && vtype != VREG)
1150 			error = EINVAL;
1151 	}
1152 	return (error);
1153 }
1154 
1155 /*
1156  * This function checks the policy decisions surrounding the
1157  * vop setattr call.
1158  *
1159  * It should be called after sufficient locks have been established
1160  * on the underlying data structures.  No concurrent modifications
1161  * should be allowed.
1162  *
1163  * The caller must pass in unlocked version of its vaccess function
1164  * this is required because vop_access function should lock the
1165  * node for reading.  A three argument function should be defined
1166  * which accepts the following argument:
1167  * 	A pointer to the internal "node" type (inode *)
1168  *	vnode access bits (VREAD|VWRITE|VEXEC)
1169  *	a pointer to the credential
1170  *
1171  * This function makes the following policy decisions:
1172  *
1173  *		- change permissions
1174  *			- permission to change file mode if not owner
1175  *			- permission to add sticky bit to non-directory
1176  *			- permission to add set-gid bit
1177  *
1178  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1179  *
1180  * If the vap argument does not include AT_MODE, the mode will be copied from
1181  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1182  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1183  * is updated to the newly computed mode.
1184  */
1185 
1186 int
1187 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1188 	const struct vattr *ovap, int flags,
1189 	int unlocked_access(void *, int, cred_t *),
1190 	void *node)
1191 {
1192 	int mask = vap->va_mask;
1193 	int error = 0;
1194 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1195 
1196 	if (mask & AT_SIZE) {
1197 		if (vp->v_type == VDIR) {
1198 			error = EISDIR;
1199 			goto out;
1200 		}
1201 
1202 		/*
1203 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1204 		 * perform the secondary unlocked_access() call since the
1205 		 * ACL (if any) is being checked there.
1206 		 */
1207 		if (skipaclchk == B_FALSE) {
1208 			error = unlocked_access(node, VWRITE, cr);
1209 			if (error)
1210 				goto out;
1211 		}
1212 	}
1213 	if (mask & AT_MODE) {
1214 		/*
1215 		 * If not the owner of the file then check privilege
1216 		 * for two things: the privilege to set the mode at all
1217 		 * and, if we're setting setuid, we also need permissions
1218 		 * to add the set-uid bit, if we're not the owner.
1219 		 * In the specific case of creating a set-uid root
1220 		 * file, we need even more permissions.
1221 		 */
1222 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1223 			goto out;
1224 
1225 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1226 		    ovap, cr)) != 0)
1227 			goto out;
1228 	} else
1229 		vap->va_mode = ovap->va_mode;
1230 
1231 	if (mask & (AT_UID|AT_GID)) {
1232 		boolean_t checkpriv = B_FALSE;
1233 
1234 		/*
1235 		 * Chowning files.
1236 		 *
1237 		 * If you are the file owner:
1238 		 *	chown to other uid		FILE_CHOWN_SELF
1239 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1240 		 *	chown to gid (member) 		<none>
1241 		 *
1242 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1243 		 * acceptable but the first one is reported when debugging.
1244 		 *
1245 		 * If you are not the file owner:
1246 		 *	chown from root			PRIV_FILE_CHOWN + zone
1247 		 *	chown from other to any		PRIV_FILE_CHOWN
1248 		 *
1249 		 */
1250 		if (cr->cr_uid != ovap->va_uid) {
1251 			checkpriv = B_TRUE;
1252 		} else {
1253 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1254 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1255 			    !groupmember(vap->va_gid, cr))) {
1256 				checkpriv = B_TRUE;
1257 			}
1258 		}
1259 		/*
1260 		 * If necessary, check privilege to see if update can be done.
1261 		 */
1262 		if (checkpriv &&
1263 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1264 			goto out;
1265 		}
1266 
1267 		/*
1268 		 * If the file has either the set UID or set GID bits
1269 		 * set and the caller can set the bits, then leave them.
1270 		 */
1271 		secpolicy_setid_clear(vap, cr);
1272 	}
1273 	if (mask & (AT_ATIME|AT_MTIME)) {
1274 		/*
1275 		 * If not the file owner and not otherwise privileged,
1276 		 * always return an error when setting the
1277 		 * time other than the current (ATTR_UTIME flag set).
1278 		 * If setting the current time (ATTR_UTIME not set) then
1279 		 * unlocked_access will check permissions according to policy.
1280 		 */
1281 		if (cr->cr_uid != ovap->va_uid) {
1282 			if (flags & ATTR_UTIME)
1283 				error = secpolicy_vnode_utime_modify(cr);
1284 			else if (skipaclchk == B_FALSE) {
1285 				error = unlocked_access(node, VWRITE, cr);
1286 				if (error == EACCES &&
1287 				    secpolicy_vnode_utime_modify(cr) == 0)
1288 					error = 0;
1289 			}
1290 			if (error)
1291 				goto out;
1292 		}
1293 	}
1294 
1295 	/*
1296 	 * Check for optional attributes here by checking the following:
1297 	 */
1298 	if (mask & AT_XVATTR)
1299 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1300 		    vp->v_type);
1301 out:
1302 	return (error);
1303 }
1304 
1305 /*
1306  * Name:	secpolicy_pcfs_modify_bootpartition()
1307  *
1308  * Normal:	verify that subject can modify a pcfs boot partition.
1309  *
1310  * Output:	EACCES - if privilege check failed.
1311  */
1312 /*ARGSUSED*/
1313 int
1314 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1315 {
1316 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1317 	    "modify pcfs boot partition"));
1318 }
1319 
1320 /*
1321  * System V IPC routines
1322  */
1323 int
1324 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1325 {
1326 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1327 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1328 		boolean_t allzone = B_FALSE;
1329 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1330 			allzone = B_TRUE;
1331 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1332 	}
1333 	return (0);
1334 }
1335 
1336 int
1337 secpolicy_ipc_config(const cred_t *cr)
1338 {
1339 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1340 }
1341 
1342 int
1343 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1344 {
1345 
1346 	boolean_t allzone = B_FALSE;
1347 
1348 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1349 
1350 	if ((mode & MSG_R) &&
1351 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1352 		return (EACCES);
1353 
1354 	if (mode & MSG_W) {
1355 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1356 			allzone = B_TRUE;
1357 
1358 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1359 		    NULL));
1360 	}
1361 	return (0);
1362 }
1363 
1364 int
1365 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1366 {
1367 	boolean_t allzone = B_FALSE;
1368 
1369 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1370 
1371 	if ((mode & MSG_R) &&
1372 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1373 		return (EACCES);
1374 
1375 	if (mode & MSG_W) {
1376 		if (cr->cr_uid != 0 && owner == 0)
1377 			allzone = B_TRUE;
1378 
1379 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1380 		    NULL));
1381 	}
1382 	return (0);
1383 }
1384 
1385 /*
1386  * Audit configuration.
1387  */
1388 int
1389 secpolicy_audit_config(const cred_t *cr)
1390 {
1391 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1392 }
1393 
1394 /*
1395  * Audit record generation.
1396  */
1397 int
1398 secpolicy_audit_modify(const cred_t *cr)
1399 {
1400 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1401 }
1402 
1403 /*
1404  * Get audit attributes.
1405  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1406  * "Least" of the two privileges on error.
1407  */
1408 int
1409 secpolicy_audit_getattr(const cred_t *cr)
1410 {
1411 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1412 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1413 		    NULL));
1414 	} else {
1415 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1416 	}
1417 }
1418 
1419 
1420 /*
1421  * Locking physical memory
1422  */
1423 int
1424 secpolicy_lock_memory(const cred_t *cr)
1425 {
1426 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1427 }
1428 
1429 /*
1430  * Accounting (both acct(2) and exacct).
1431  */
1432 int
1433 secpolicy_acct(const cred_t *cr)
1434 {
1435 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1436 }
1437 
1438 /*
1439  * Is this process privileged to change its uids at will?
1440  * Uid 0 is still considered "special" and having the SETID
1441  * privilege is not sufficient to get uid 0.
1442  * Files are owned by root, so the privilege would give
1443  * full access and euid 0 is still effective.
1444  *
1445  * If you have the privilege and euid 0 only then do you
1446  * get the powers of root wrt uid 0.
1447  *
1448  * For gid manipulations, this is should be called with an
1449  * uid of -1.
1450  *
1451  */
1452 int
1453 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1454 {
1455 	boolean_t allzone = B_FALSE;
1456 
1457 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1458 	    cr->cr_ruid != 0) {
1459 		allzone = B_TRUE;
1460 	}
1461 
1462 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1463 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1464 }
1465 
1466 
1467 /*
1468  * Acting on a different process: if the mode is for writing,
1469  * the restrictions are more severe.  This is called after
1470  * we've verified that the uids do not match.
1471  */
1472 int
1473 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1474 {
1475 	boolean_t allzone = B_FALSE;
1476 
1477 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1478 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1479 		allzone = B_TRUE;
1480 
1481 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1482 }
1483 
1484 int
1485 secpolicy_proc_access(const cred_t *scr)
1486 {
1487 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1488 }
1489 
1490 int
1491 secpolicy_proc_excl_open(const cred_t *scr)
1492 {
1493 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1494 }
1495 
1496 int
1497 secpolicy_proc_zone(const cred_t *scr)
1498 {
1499 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1500 }
1501 
1502 /*
1503  * Destroying the system
1504  */
1505 
1506 int
1507 secpolicy_kmdb(const cred_t *scr)
1508 {
1509 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1510 }
1511 
1512 int
1513 secpolicy_error_inject(const cred_t *scr)
1514 {
1515 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1516 }
1517 
1518 /*
1519  * Processor sets, cpu configuration, resource pools.
1520  */
1521 int
1522 secpolicy_pset(const cred_t *cr)
1523 {
1524 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1525 }
1526 
1527 int
1528 secpolicy_ponline(const cred_t *cr)
1529 {
1530 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1531 }
1532 
1533 int
1534 secpolicy_pool(const cred_t *cr)
1535 {
1536 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1537 }
1538 
1539 int
1540 secpolicy_blacklist(const cred_t *cr)
1541 {
1542 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1543 }
1544 
1545 /*
1546  * Catch all system configuration.
1547  */
1548 int
1549 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1550 {
1551 	if (checkonly) {
1552 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1553 		    EPERM);
1554 	} else {
1555 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1556 	}
1557 }
1558 
1559 /*
1560  * Zone administration (halt, reboot, etc.) from within zone.
1561  */
1562 int
1563 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1564 {
1565 	if (checkonly) {
1566 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1567 		    EPERM);
1568 	} else {
1569 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1570 		    NULL));
1571 	}
1572 }
1573 
1574 /*
1575  * Zone configuration (create, halt, enter).
1576  */
1577 int
1578 secpolicy_zone_config(const cred_t *cr)
1579 {
1580 	/*
1581 	 * Require all privileges to avoid possibility of privilege
1582 	 * escalation.
1583 	 */
1584 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1585 }
1586 
1587 /*
1588  * Various other system configuration calls
1589  */
1590 int
1591 secpolicy_coreadm(const cred_t *cr)
1592 {
1593 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1594 }
1595 
1596 int
1597 secpolicy_systeminfo(const cred_t *cr)
1598 {
1599 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1600 }
1601 
1602 int
1603 secpolicy_dispadm(const cred_t *cr)
1604 {
1605 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1606 }
1607 
1608 int
1609 secpolicy_settime(const cred_t *cr)
1610 {
1611 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1612 }
1613 
1614 /*
1615  * For realtime users: high resolution clock.
1616  */
1617 int
1618 secpolicy_clock_highres(const cred_t *cr)
1619 {
1620 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1621 	    NULL));
1622 }
1623 
1624 /*
1625  * drv_priv() is documented as callable from interrupt context, not that
1626  * anyone ever does, but still.  No debugging or auditing can be done when
1627  * it is called from interrupt context.
1628  * returns 0 on succes, EPERM on failure.
1629  */
1630 int
1631 drv_priv(cred_t *cr)
1632 {
1633 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1634 }
1635 
1636 int
1637 secpolicy_sys_devices(const cred_t *cr)
1638 {
1639 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1640 }
1641 
1642 int
1643 secpolicy_excl_open(const cred_t *cr)
1644 {
1645 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1646 }
1647 
1648 int
1649 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1650 {
1651 	/* zone.* rctls can only be set from the global zone */
1652 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1653 		return (EPERM);
1654 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1655 }
1656 
1657 int
1658 secpolicy_resource(const cred_t *cr)
1659 {
1660 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1661 }
1662 
1663 int
1664 secpolicy_resource_anon_mem(const cred_t *cr)
1665 {
1666 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1667 }
1668 
1669 /*
1670  * Processes with a real uid of 0 escape any form of accounting, much
1671  * like before.
1672  */
1673 int
1674 secpolicy_newproc(const cred_t *cr)
1675 {
1676 	if (cr->cr_ruid == 0)
1677 		return (0);
1678 
1679 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1680 }
1681 
1682 /*
1683  * Networking
1684  */
1685 int
1686 secpolicy_net_rawaccess(const cred_t *cr)
1687 {
1688 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1689 }
1690 
1691 int
1692 secpolicy_net_observability(const cred_t *cr)
1693 {
1694 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1695 }
1696 
1697 /*
1698  * Need this privilege for accessing the ICMP device
1699  */
1700 int
1701 secpolicy_net_icmpaccess(const cred_t *cr)
1702 {
1703 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1704 }
1705 
1706 /*
1707  * There are a few rare cases where the kernel generates ioctls() from
1708  * interrupt context with a credential of kcred rather than NULL.
1709  * In those cases, we take the safe and cheap test.
1710  */
1711 int
1712 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1713 {
1714 	if (checkonly) {
1715 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1716 		    0 : EPERM);
1717 	} else {
1718 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1719 		    NULL));
1720 	}
1721 }
1722 
1723 
1724 /*
1725  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1726  *
1727  * There are a few rare cases where the kernel generates ioctls() from
1728  * interrupt context with a credential of kcred rather than NULL.
1729  * In those cases, we take the safe and cheap test.
1730  */
1731 int
1732 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1733 {
1734 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1735 		return (secpolicy_net_config(cr, checkonly));
1736 
1737 	if (checkonly) {
1738 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1739 		    0 : EPERM);
1740 	} else {
1741 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1742 		    NULL));
1743 	}
1744 }
1745 
1746 /*
1747  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1748  */
1749 int
1750 secpolicy_dl_config(const cred_t *cr)
1751 {
1752 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1753 		return (secpolicy_net_config(cr, B_FALSE));
1754 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1755 }
1756 
1757 /*
1758  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1759  */
1760 int
1761 secpolicy_iptun_config(const cred_t *cr)
1762 {
1763 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1764 		return (secpolicy_net_config(cr, B_FALSE));
1765 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1766 		return (secpolicy_dl_config(cr));
1767 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1768 }
1769 
1770 /*
1771  * Map IP pseudo privileges to actual privileges.
1772  * So we don't need to recompile IP when we change the privileges.
1773  */
1774 int
1775 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1776 {
1777 	int priv = PRIV_ALL;
1778 
1779 	switch (netpriv) {
1780 	case OP_CONFIG:
1781 		priv = PRIV_SYS_IP_CONFIG;
1782 		break;
1783 	case OP_RAW:
1784 		priv = PRIV_NET_RAWACCESS;
1785 		break;
1786 	case OP_PRIVPORT:
1787 		priv = PRIV_NET_PRIVADDR;
1788 		break;
1789 	}
1790 	ASSERT(priv != PRIV_ALL);
1791 	if (checkonly)
1792 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1793 	else
1794 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1795 }
1796 
1797 /*
1798  * Map network pseudo privileges to actual privileges.
1799  * So we don't need to recompile IP when we change the privileges.
1800  */
1801 int
1802 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1803 {
1804 	int priv = PRIV_ALL;
1805 
1806 	switch (netpriv) {
1807 	case OP_CONFIG:
1808 		priv = PRIV_SYS_NET_CONFIG;
1809 		break;
1810 	case OP_RAW:
1811 		priv = PRIV_NET_RAWACCESS;
1812 		break;
1813 	case OP_PRIVPORT:
1814 		priv = PRIV_NET_PRIVADDR;
1815 		break;
1816 	}
1817 	ASSERT(priv != PRIV_ALL);
1818 	if (checkonly)
1819 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1820 	else
1821 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1822 }
1823 
1824 /*
1825  * Checks for operations that are either client-only or are used by
1826  * both clients and servers.
1827  */
1828 int
1829 secpolicy_nfs(const cred_t *cr)
1830 {
1831 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1832 }
1833 
1834 /*
1835  * Special case for opening rpcmod: have NFS privileges or network
1836  * config privileges.
1837  */
1838 int
1839 secpolicy_rpcmod_open(const cred_t *cr)
1840 {
1841 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1842 		return (secpolicy_nfs(cr));
1843 	else
1844 		return (secpolicy_net_config(cr, NULL));
1845 }
1846 
1847 int
1848 secpolicy_chroot(const cred_t *cr)
1849 {
1850 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1851 }
1852 
1853 int
1854 secpolicy_tasksys(const cred_t *cr)
1855 {
1856 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1857 }
1858 
1859 /*
1860  * Basic privilege checks.
1861  */
1862 int
1863 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
1864 {
1865 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
1866 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1867 }
1868 
1869 int
1870 secpolicy_basic_fork(const cred_t *cr)
1871 {
1872 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1873 }
1874 
1875 int
1876 secpolicy_basic_proc(const cred_t *cr)
1877 {
1878 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1879 }
1880 
1881 /*
1882  * Slightly complicated because we don't want to trigger the policy too
1883  * often.  First we shortcircuit access to "self" (tp == sp) or if
1884  * we don't have the privilege but if we have permission
1885  * just return (0) and we don't flag the privilege as needed.
1886  * Else, we test for the privilege because we either have it or need it.
1887  */
1888 int
1889 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1890 {
1891 	if (tp == sp ||
1892 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1893 		return (0);
1894 	} else {
1895 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1896 	}
1897 }
1898 
1899 int
1900 secpolicy_basic_link(const cred_t *cr)
1901 {
1902 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1903 }
1904 
1905 /*
1906  * Additional device protection.
1907  *
1908  * Traditionally, a device has specific permissions on the node in
1909  * the filesystem which govern which devices can be opened by what
1910  * processes.  In certain cases, it is desirable to add extra
1911  * restrictions, as writing to certain devices is identical to
1912  * having a complete run of the system.
1913  *
1914  * This mechanism is called the device policy.
1915  *
1916  * When a device is opened, its policy entry is looked up in the
1917  * policy cache and checked.
1918  */
1919 int
1920 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1921 {
1922 	devplcy_t *plcy;
1923 	int err;
1924 	struct snode *csp = VTOS(common_specvp(vp));
1925 	priv_set_t pset;
1926 
1927 	mutex_enter(&csp->s_lock);
1928 
1929 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1930 		plcy = devpolicy_find(vp);
1931 		if (csp->s_plcy)
1932 			dpfree(csp->s_plcy);
1933 		csp->s_plcy = plcy;
1934 		ASSERT(plcy != NULL);
1935 	} else
1936 		plcy = csp->s_plcy;
1937 
1938 	if (plcy == nullpolicy) {
1939 		mutex_exit(&csp->s_lock);
1940 		return (0);
1941 	}
1942 
1943 	dphold(plcy);
1944 
1945 	mutex_exit(&csp->s_lock);
1946 
1947 	if (oflag & FWRITE)
1948 		pset = plcy->dp_wrp;
1949 	else
1950 		pset = plcy->dp_rdp;
1951 	/*
1952 	 * Special case:
1953 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1954 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
1955 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
1956 	 * in the required privilege set before doing the check.
1957 	 */
1958 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
1959 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
1960 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
1961 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
1962 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
1963 	}
1964 
1965 	err = secpolicy_require_set(cr, &pset, "devpolicy");
1966 	dpfree(plcy);
1967 
1968 	return (err);
1969 }
1970 
1971 int
1972 secpolicy_modctl(const cred_t *cr, int cmd)
1973 {
1974 	switch (cmd) {
1975 	case MODINFO:
1976 	case MODGETMAJBIND:
1977 	case MODGETPATH:
1978 	case MODGETPATHLEN:
1979 	case MODGETNAME:
1980 	case MODGETFBNAME:
1981 	case MODGETDEVPOLICY:
1982 	case MODGETDEVPOLICYBYNAME:
1983 	case MODDEVT2INSTANCE:
1984 	case MODSIZEOF_DEVID:
1985 	case MODGETDEVID:
1986 	case MODSIZEOF_MINORNAME:
1987 	case MODGETMINORNAME:
1988 	case MODGETDEVFSPATH_LEN:
1989 	case MODGETDEVFSPATH:
1990 	case MODGETDEVFSPATH_MI_LEN:
1991 	case MODGETDEVFSPATH_MI:
1992 		/* Unprivileged */
1993 		return (0);
1994 	case MODLOAD:
1995 	case MODSETDEVPOLICY:
1996 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1997 	default:
1998 		return (secpolicy_sys_config(cr, B_FALSE));
1999 	}
2000 }
2001 
2002 int
2003 secpolicy_console(const cred_t *cr)
2004 {
2005 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2006 }
2007 
2008 int
2009 secpolicy_power_mgmt(const cred_t *cr)
2010 {
2011 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2012 }
2013 
2014 /*
2015  * Simulate terminal input; another escalation of privileges avenue.
2016  */
2017 
2018 int
2019 secpolicy_sti(const cred_t *cr)
2020 {
2021 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2022 }
2023 
2024 boolean_t
2025 secpolicy_net_reply_equal(const cred_t *cr)
2026 {
2027 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2028 }
2029 
2030 int
2031 secpolicy_swapctl(const cred_t *cr)
2032 {
2033 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2034 }
2035 
2036 int
2037 secpolicy_cpc_cpu(const cred_t *cr)
2038 {
2039 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2040 }
2041 
2042 /*
2043  * secpolicy_contract_identity
2044  *
2045  * Determine if the subject may set the process contract FMRI value
2046  */
2047 int
2048 secpolicy_contract_identity(const cred_t *cr)
2049 {
2050 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2051 }
2052 
2053 /*
2054  * secpolicy_contract_observer
2055  *
2056  * Determine if the subject may observe a specific contract's events.
2057  */
2058 int
2059 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2060 {
2061 	if (contract_owned(ct, cr, B_FALSE))
2062 		return (0);
2063 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2064 }
2065 
2066 /*
2067  * secpolicy_contract_observer_choice
2068  *
2069  * Determine if the subject may observe any contract's events.  Just
2070  * tests privilege and audits on success.
2071  */
2072 boolean_t
2073 secpolicy_contract_observer_choice(const cred_t *cr)
2074 {
2075 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2076 }
2077 
2078 /*
2079  * secpolicy_contract_event
2080  *
2081  * Determine if the subject may request critical contract events or
2082  * reliable contract event delivery.
2083  */
2084 int
2085 secpolicy_contract_event(const cred_t *cr)
2086 {
2087 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2088 }
2089 
2090 /*
2091  * secpolicy_contract_event_choice
2092  *
2093  * Determine if the subject may retain contract events in its critical
2094  * set when a change in other terms would normally require a change in
2095  * the critical set.  Just tests privilege and audits on success.
2096  */
2097 boolean_t
2098 secpolicy_contract_event_choice(const cred_t *cr)
2099 {
2100 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2101 }
2102 
2103 /*
2104  * secpolicy_gart_access
2105  *
2106  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2107  * device.
2108  */
2109 int
2110 secpolicy_gart_access(const cred_t *cr)
2111 {
2112 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2113 }
2114 
2115 /*
2116  * secpolicy_gart_map
2117  *
2118  * Determine if the subject has sufficient priveleges to map aperture range
2119  * through agpgart driver.
2120  */
2121 int
2122 secpolicy_gart_map(const cred_t *cr)
2123 {
2124 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2125 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2126 		    NULL));
2127 	} else {
2128 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2129 		    NULL));
2130 	}
2131 }
2132 
2133 /*
2134  * secpolicy_zinject
2135  *
2136  * Determine if the subject can inject faults in the ZFS fault injection
2137  * framework.  Requires all privileges.
2138  */
2139 int
2140 secpolicy_zinject(const cred_t *cr)
2141 {
2142 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2143 }
2144 
2145 /*
2146  * secpolicy_zfs
2147  *
2148  * Determine if the subject has permission to manipulate ZFS datasets
2149  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2150  */
2151 int
2152 secpolicy_zfs(const cred_t *cr)
2153 {
2154 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2155 }
2156 
2157 /*
2158  * secpolicy_idmap
2159  *
2160  * Determine if the calling process has permissions to register an SID
2161  * mapping daemon and allocate ephemeral IDs.
2162  */
2163 int
2164 secpolicy_idmap(const cred_t *cr)
2165 {
2166 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2167 }
2168 
2169 /*
2170  * secpolicy_ucode_update
2171  *
2172  * Determine if the subject has sufficient privilege to update microcode.
2173  */
2174 int
2175 secpolicy_ucode_update(const cred_t *scr)
2176 {
2177 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2178 }
2179 
2180 /*
2181  * secpolicy_sadopen
2182  *
2183  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2184  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2185  * In global zone, sys_config is required.
2186  * In exclusive-IP zones, sys_ip_config is required.
2187  * Note that sys_config is prohibited in non-global zones.
2188  */
2189 int
2190 secpolicy_sadopen(const cred_t *credp)
2191 {
2192 	priv_set_t pset;
2193 
2194 	priv_emptyset(&pset);
2195 
2196 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2197 		priv_addset(&pset, PRIV_SYS_CONFIG);
2198 	else
2199 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2200 
2201 	return (secpolicy_require_set(credp, &pset, "devpolicy"));
2202 }
2203 
2204 
2205 /*
2206  * Add privileges to a particular privilege set; this is called when the
2207  * current sets of privileges are not sufficient.  I.e., we should always
2208  * call the policy override functions from here.
2209  * What we are allowed to have is in the Observed Permitted set; so
2210  * we compute the difference between that and the newset.
2211  */
2212 int
2213 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2214 {
2215 	priv_set_t rqd;
2216 
2217 	rqd = CR_OPPRIV(cr);
2218 
2219 	priv_inverse(&rqd);
2220 	priv_intersect(nset, &rqd);
2221 
2222 	return (secpolicy_require_set(cr, &rqd, NULL));
2223 }
2224 
2225 /*
2226  * secpolicy_smb
2227  *
2228  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2229  * that it has permission to access the smbsrv kernel driver.
2230  * PRIV_POLICY checks the privilege and audits the check.
2231  *
2232  * Returns:
2233  * 0       Driver access is allowed.
2234  * EPERM   Driver access is NOT permitted.
2235  */
2236 int
2237 secpolicy_smb(const cred_t *cr)
2238 {
2239 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2240 }
2241 
2242 /*
2243  * secpolicy_vscan
2244  *
2245  * Determine if cred_t has the necessary privileges to access a file
2246  * for virus scanning and update its extended system attributes.
2247  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2248  * PRIV_FILE_FLAG_SET - set extended system attributes
2249  *
2250  * PRIV_POLICY checks the privilege and audits the check.
2251  *
2252  * Returns:
2253  * 0      file access for virus scanning allowed.
2254  * EPERM  file access for virus scanning is NOT permitted.
2255  */
2256 int
2257 secpolicy_vscan(const cred_t *cr)
2258 {
2259 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2260 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2261 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2262 		return (EPERM);
2263 	}
2264 
2265 	return (0);
2266 }
2267 
2268 /*
2269  * secpolicy_smbfs_login
2270  *
2271  * Determines if the caller can add and delete the smbfs login
2272  * password in the the nsmb kernel module for the CIFS client.
2273  *
2274  * Returns:
2275  * 0       access is allowed.
2276  * EPERM   access is NOT allowed.
2277  */
2278 int
2279 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2280 {
2281 	uid_t cruid = crgetruid(cr);
2282 
2283 	if (cruid == uid)
2284 		return (0);
2285 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2286 	    EPERM, NULL));
2287 }
2288 
2289 /*
2290  * secpolicy_xvm_control
2291  *
2292  * Determines if a caller can control the xVM hypervisor and/or running
2293  * domains (x86 specific).
2294  *
2295  * Returns:
2296  * 0       access is allowed.
2297  * EPERM   access is NOT allowed.
2298  */
2299 int
2300 secpolicy_xvm_control(const cred_t *cr)
2301 {
2302 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2303 		return (EPERM);
2304 	return (0);
2305 }
2306 
2307 /*
2308  * secpolicy_ppp_config
2309  *
2310  * Determine if the subject has sufficient privileges to configure PPP and
2311  * PPP-related devices.
2312  */
2313 int
2314 secpolicy_ppp_config(const cred_t *cr)
2315 {
2316 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2317 		return (secpolicy_net_config(cr, B_FALSE));
2318 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2319 }
2320