xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision d1e631af56641f21cde1f1efe3a9623ff9d6ee7c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2013, Joyent, Inc. All rights reserved.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/stat.h>
34 #include <sys/errno.h>
35 #include <sys/kmem.h>
36 #include <sys/user.h>
37 #include <sys/proc.h>
38 #include <sys/acct.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
43 #include <sys/kobj.h>
44 #include <sys/msg.h>
45 #include <sys/devpolicy.h>
46 #include <c2/audit.h>
47 #include <sys/varargs.h>
48 #include <sys/klpd.h>
49 #include <sys/modctl.h>
50 #include <sys/disp.h>
51 #include <sys/zone.h>
52 #include <inet/optcom.h>
53 #include <sys/sdt.h>
54 #include <sys/vfs.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 #include <sys/dld_ioc.h>
58 
59 /*
60  * There are two possible layers of privilege routines and two possible
61  * levels of secpolicy.  Plus one other we may not be interested in, so
62  * we may need as many as 6 but no more.
63  */
64 #define	MAXPRIVSTACK		6
65 
66 int priv_debug = 0;
67 int priv_basic_test = -1;
68 
69 /*
70  * This file contains the majority of the policy routines.
71  * Since the policy routines are defined by function and not
72  * by privilege, there is quite a bit of duplication of
73  * functions.
74  *
75  * The secpolicy functions must not make assumptions about
76  * locks held or not held as any lock can be held while they're
77  * being called.
78  *
79  * Credentials are read-only so no special precautions need to
80  * be taken while locking them.
81  *
82  * When a new policy check needs to be added to the system the
83  * following procedure should be followed:
84  *
85  *		Pick an appropriate secpolicy_*() function
86  *			-> done if one exists.
87  *		Create a new secpolicy function, preferably with
88  *		a descriptive name using the standard template.
89  *		Pick an appropriate privilege for the policy.
90  *		If no appropraite privilege exists, define new one
91  *		(this should be done with extreme care; in most cases
92  *		little is gained by adding another privilege)
93  *
94  * WHY ROOT IS STILL SPECIAL.
95  *
96  * In a number of the policy functions, there are still explicit
97  * checks for uid 0.  The rationale behind these is that many root
98  * owned files/objects hold configuration information which can give full
99  * privileges to the user once written to.  To prevent escalation
100  * of privilege by allowing just a single privilege to modify root owned
101  * objects, we've added these root specific checks where we considered
102  * them necessary: modifying root owned files, changing uids to 0, etc.
103  *
104  * PRIVILEGE ESCALATION AND ZONES.
105  *
106  * A number of operations potentially allow the caller to achieve
107  * privileges beyond the ones normally required to perform the operation.
108  * For example, if allowed to create a setuid 0 executable, a process can
109  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
110  * restrictions on the ability to gain privileges beyond those available
111  * within the zone through file and process manipulation.  Hence, such
112  * operations require that the caller have an effective set that includes
113  * all privileges available within the current zone, or all privileges
114  * if executing in the global zone.
115  *
116  * This is indicated in the priv_policy* policy checking functions
117  * through a combination of parameters.  The "priv" parameter indicates
118  * the privilege that is required, and the "allzone" parameter indicates
119  * whether or not all privileges in the zone are required.  In addition,
120  * priv can be set to PRIV_ALL to indicate that all privileges are
121  * required (regardless of zone).  There are three scenarios of interest:
122  * (1) operation requires a specific privilege
123  * (2) operation requires a specific privilege, and requires all
124  *     privileges available within the zone (or all privileges if in
125  *     the global zone)
126  * (3) operation requires all privileges, regardless of zone
127  *
128  * For (1), priv should be set to the specific privilege, and allzone
129  * should be set to B_FALSE.
130  * For (2), priv should be set to the specific privilege, and allzone
131  * should be set to B_TRUE.
132  * For (3), priv should be set to PRIV_ALL, and allzone should be set
133  * to B_FALSE.
134  *
135  */
136 
137 /*
138  * The privileges are checked against the Effective set for
139  * ordinary processes and checked against the Limit set
140  * for euid 0 processes that haven't manipulated their privilege
141  * sets.
142  */
143 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
144 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
145 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
147 					HAS_ALLPRIVS(cr) : \
148 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
149 
150 #define	FAST_BASIC_CHECK(cr, priv)	\
151 	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
152 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
153 		return (0); \
154 	}
155 
156 /*
157  * Policy checking functions.
158  *
159  * All of the system's policy should be implemented here.
160  */
161 
162 /*
163  * Private functions which take an additional va_list argument to
164  * implement an object specific policy override.
165  */
166 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
167     const char *, va_list);
168 static int priv_policy_va(const cred_t *, int, boolean_t, int,
169     const char *, ...);
170 
171 /*
172  * Generic policy calls
173  *
174  * The "bottom" functions of policy control
175  */
176 static char *
177 mprintf(const char *fmt, ...)
178 {
179 	va_list args;
180 	char *buf;
181 	size_t len;
182 
183 	va_start(args, fmt);
184 	len = vsnprintf(NULL, 0, fmt, args) + 1;
185 	va_end(args);
186 
187 	buf = kmem_alloc(len, KM_NOSLEEP);
188 
189 	if (buf == NULL)
190 		return (NULL);
191 
192 	va_start(args, fmt);
193 	(void) vsnprintf(buf, len, fmt, args);
194 	va_end(args);
195 
196 	return (buf);
197 }
198 
199 /*
200  * priv_policy_errmsg()
201  *
202  * Generate an error message if privilege debugging is enabled system wide
203  * or for this particular process.
204  */
205 
206 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
207 #define	FMTMSG	" for \"%s\""
208 #define	FMTFUN	" needed at %s+0x%lx"
209 
210 /* The maximum size privilege format: the concatenation of the above */
211 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
212 
213 static void
214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
215 {
216 	struct proc *me;
217 	pc_t stack[MAXPRIVSTACK];
218 	int depth;
219 	int i;
220 	char *sym;
221 	ulong_t off;
222 	const char *pname;
223 
224 	char *cmd;
225 	char fmt[sizeof (FMTMAX)];
226 
227 	if ((me = curproc) == &p0)
228 		return;
229 
230 	/* Privileges must be defined  */
231 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
232 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
233 	    priv_getbynum(priv) != NULL);
234 
235 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
236 		priv = PRIV_ALL;
237 
238 	if (curthread->t_pre_sys)
239 		ttolwp(curthread)->lwp_badpriv = (short)priv;
240 
241 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
242 		return;
243 
244 	(void) strcpy(fmt, FMTHDR);
245 
246 	if (me->p_user.u_comm[0])
247 		cmd = &me->p_user.u_comm[0];
248 	else
249 		cmd = "priv_policy";
250 
251 	if (msg != NULL && *msg != '\0') {
252 		(void) strcat(fmt, FMTMSG);
253 	} else {
254 		(void) strcat(fmt, "%s");
255 		msg = "";
256 	}
257 
258 	sym = NULL;
259 
260 	depth = getpcstack(stack, MAXPRIVSTACK);
261 
262 	/*
263 	 * Try to find the first interesting function on the stack.
264 	 * priv_policy* that's us, so completely uninteresting.
265 	 * suser(), drv_priv(), secpolicy_* are also called from
266 	 * too many locations to convey useful information.
267 	 */
268 	for (i = 0; i < depth; i++) {
269 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
270 		if (sym != NULL &&
271 		    strstr(sym, "hasprocperm") == 0 &&
272 		    strcmp("suser", sym) != 0 &&
273 		    strcmp("ipcaccess", sym) != 0 &&
274 		    strcmp("drv_priv", sym) != 0 &&
275 		    strncmp("secpolicy_", sym, 10) != 0 &&
276 		    strncmp("priv_policy", sym, 11) != 0)
277 			break;
278 	}
279 
280 	if (sym != NULL)
281 		(void) strcat(fmt, FMTFUN);
282 
283 	(void) strcat(fmt, "\n");
284 
285 	switch (priv) {
286 	case PRIV_ALL:
287 		pname = "ALL";
288 		break;
289 	case PRIV_MULTIPLE:
290 		pname = "MULTIPLE";
291 		break;
292 	case PRIV_ALLZONE:
293 		pname = "ZONE";
294 		break;
295 	case PRIV_GLOBAL:
296 		pname = "GLOBAL";
297 		break;
298 	default:
299 		pname = priv_getbynum(priv);
300 		break;
301 	}
302 
303 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
304 		/* Remember last message, just like lwp_badpriv. */
305 		if (curthread->t_pdmsg != NULL) {
306 			kmem_free(curthread->t_pdmsg,
307 			    strlen(curthread->t_pdmsg) + 1);
308 		}
309 
310 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
311 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
312 
313 		curthread->t_post_sys = 1;
314 	}
315 	if (priv_debug) {
316 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
317 		    curthread->t_sysnum, msg, sym, off);
318 	}
319 }
320 
321 /*
322  * Override the policy, if appropriate.  Return 0 if the external
323  * policy engine approves.
324  */
325 static int
326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
327 {
328 	priv_set_t set;
329 	int ret;
330 
331 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
332 		return (-1);
333 
334 	if (priv == PRIV_ALL) {
335 		priv_fillset(&set);
336 	} else if (allzone) {
337 		set = *ZONEPRIVS(cr);
338 	} else {
339 		priv_emptyset(&set);
340 		priv_addset(&set, priv);
341 	}
342 	ret = klpd_call(cr, &set, ap);
343 	return (ret);
344 }
345 
346 static int
347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
348 {
349 	if (CR_FLAGS(cr) & PRIV_PFEXEC)
350 		return (check_user_privs(cr, req));
351 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
352 		return (klpd_call(cr, req, ap));
353 	}
354 	return (-1);
355 }
356 
357 static int
358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
359 {
360 	va_list ap;
361 	int ret;
362 
363 	va_start(ap, req);
364 	ret = priv_policy_override_set(cr, req, ap);
365 	va_end(ap);
366 	return (ret);
367 }
368 
369 /*
370  * Audit failure, log error message.
371  */
372 static void
373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
374 {
375 
376 	if (AU_AUDITING())
377 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
378 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
379 
380 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
381 	    curthread->t_pre_sys) {
382 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
383 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
384 		} else {
385 			ASSERT(!HAS_PRIVILEGE(cr, priv));
386 			priv_policy_errmsg(cr, priv, msg);
387 		}
388 	}
389 }
390 
391 /*
392  * priv_policy_ap()
393  * return 0 or error.
394  * See block comment above for a description of "priv" and "allzone" usage.
395  */
396 static int
397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
398     const char *msg, va_list ap)
399 {
400 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
401 	    (!servicing_interrupt() &&
402 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
403 		if ((allzone || priv == PRIV_ALL ||
404 		    !PRIV_ISASSERT(priv_basic, priv)) &&
405 		    !servicing_interrupt()) {
406 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
407 			if (AU_AUDITING())
408 				audit_priv(priv,
409 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
410 		}
411 		err = 0;
412 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
413 	} else if (!servicing_interrupt()) {
414 		/* Failure audited in this procedure */
415 		priv_policy_err(cr, priv, allzone, msg);
416 	}
417 	return (err);
418 }
419 
420 int
421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
422     const char *msg, ...)
423 {
424 	int ret;
425 	va_list ap;
426 
427 	va_start(ap, msg);
428 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
429 	va_end(ap);
430 
431 	return (ret);
432 }
433 
434 int
435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
436     const char *msg)
437 {
438 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
439 }
440 
441 /*
442  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
443  */
444 boolean_t
445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
446 {
447 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
448 	    (!allzone || HAS_ALLZONEPRIVS(cr));
449 
450 	/* Audit success only */
451 	if (res && AU_AUDITING() &&
452 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
453 	    !servicing_interrupt()) {
454 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
455 	}
456 	if (res) {
457 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
458 	} else {
459 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
460 	}
461 	return (res);
462 }
463 
464 /*
465  * Non-auditing variant of priv_policy_choice().
466  */
467 boolean_t
468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
469 {
470 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
471 	    (!allzone || HAS_ALLZONEPRIVS(cr));
472 
473 	if (res) {
474 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
475 	} else {
476 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
477 	}
478 	return (res);
479 }
480 
481 /*
482  * Check whether all privileges in the required set are present.
483  */
484 static int
485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
486     const char *msg, ...)
487 {
488 	int priv;
489 	int pfound = -1;
490 	priv_set_t pset;
491 	va_list ap;
492 	int ret;
493 
494 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
495 	    &CR_OEPRIV(cr))) {
496 		return (0);
497 	}
498 
499 	va_start(ap, msg);
500 	ret = priv_policy_override_set(cr, req, ap);
501 	va_end(ap);
502 	if (ret == 0)
503 		return (0);
504 
505 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
506 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
507 		return (EACCES);
508 	}
509 
510 	pset = CR_OEPRIV(cr);		/* present privileges */
511 	priv_inverse(&pset);		/* all non present privileges */
512 	priv_intersect(req, &pset);	/* the actual missing privs */
513 
514 	if (AU_AUDITING())
515 		audit_priv(PRIV_NONE, &pset, 0);
516 	/*
517 	 * Privilege debugging; special case "one privilege in set".
518 	 */
519 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
520 		for (priv = 0; priv < nprivs; priv++) {
521 			if (priv_ismember(&pset, priv)) {
522 				if (pfound != -1) {
523 					/* Multiple missing privs */
524 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
525 					    msg);
526 					return (EACCES);
527 				}
528 				pfound = priv;
529 			}
530 		}
531 		ASSERT(pfound != -1);
532 		/* Just the one missing privilege */
533 		priv_policy_errmsg(cr, pfound, msg);
534 	}
535 
536 	return (EACCES);
537 }
538 
539 /*
540  * Called when an operation requires that the caller be in the
541  * global zone, regardless of privilege.
542  */
543 static int
544 priv_policy_global(const cred_t *cr)
545 {
546 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
547 		return (0);	/* success */
548 
549 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
550 	    curthread->t_pre_sys) {
551 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
552 	}
553 	return (EPERM);
554 }
555 
556 /*
557  * Raising process priority
558  */
559 int
560 secpolicy_raisepriority(const cred_t *cr)
561 {
562 	if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
563 		return (0);
564 	return (secpolicy_setpriority(cr));
565 }
566 
567 /*
568  * Changing process priority or scheduling class
569  */
570 int
571 secpolicy_setpriority(const cred_t *cr)
572 {
573 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
574 }
575 
576 /*
577  * Binding to a privileged port, port must be specified in host byte
578  * order.
579  * When adding a new privilege which allows binding to currently privileged
580  * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
581  * to these ports because of backward compatibility.
582  */
583 int
584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
585 {
586 	char *reason;
587 	int priv;
588 
589 	switch (port) {
590 	case 137:
591 	case 138:
592 	case 139:
593 	case 445:
594 		/*
595 		 * NBT and SMB ports, these are normal privileged ports,
596 		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
597 		 * is present.
598 		 * Try both, if neither is present return an error for
599 		 * priv SYS_SMB.
600 		 */
601 		if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
602 			priv = PRIV_NET_PRIVADDR;
603 		else
604 			priv = PRIV_SYS_SMB;
605 		reason = "NBT or SMB port";
606 		break;
607 
608 	case 2049:
609 	case 4045:
610 		/*
611 		 * NFS ports, these are extra privileged ports, allow bind
612 		 * only if the SYS_NFS privilege is present.
613 		 */
614 		priv = PRIV_SYS_NFS;
615 		reason = "NFS port";
616 		break;
617 
618 	default:
619 		priv = PRIV_NET_PRIVADDR;
620 		reason = NULL;
621 		break;
622 
623 	}
624 
625 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
626 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
627 }
628 
629 /*
630  * Binding to a multilevel port on a trusted (labeled) system.
631  */
632 int
633 secpolicy_net_bindmlp(const cred_t *cr)
634 {
635 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
636 }
637 
638 /*
639  * Allow a communication between a zone and an unlabeled host when their
640  * labels don't match.
641  */
642 int
643 secpolicy_net_mac_aware(const cred_t *cr)
644 {
645 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
646 }
647 
648 /*
649  * Allow a privileged process to transmit traffic without explicit labels
650  */
651 int
652 secpolicy_net_mac_implicit(const cred_t *cr)
653 {
654 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
655 }
656 
657 /*
658  * Common routine which determines whether a given credential can
659  * act on a given mount.
660  * When called through mount, the parameter needoptcheck is a pointer
661  * to a boolean variable which will be set to either true or false,
662  * depending on whether the mount policy should change the mount options.
663  * In all other cases, needoptcheck should be a NULL pointer.
664  */
665 static int
666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
667     boolean_t *needoptcheck)
668 {
669 	boolean_t allzone = B_FALSE;
670 	boolean_t mounting = needoptcheck != NULL;
671 
672 	/*
673 	 * Short circuit the following cases:
674 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
675 	 *	have all privileges - no further checks required
676 	 *	and no mount options need to be set.
677 	 */
678 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
679 		if (mounting)
680 			*needoptcheck = B_FALSE;
681 
682 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
683 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
684 	}
685 
686 	/*
687 	 * When operating on an existing mount (either we're not mounting
688 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
689 	 * can operate only on mounts established by the zone itself.
690 	 */
691 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
692 		zoneid_t zoneid = crgetzoneid(cr);
693 
694 		if (zoneid != GLOBAL_ZONEID &&
695 		    vfsp->vfs_zone->zone_id != zoneid) {
696 			return (EPERM);
697 		}
698 	}
699 
700 	if (mounting)
701 		*needoptcheck = B_TRUE;
702 
703 	/*
704 	 * Overlay mounts may hide important stuff; if you can't write to a
705 	 * mount point but would be able to mount on top of it, you can
706 	 * escalate your privileges.
707 	 * So we go about asking the same questions namefs does when it
708 	 * decides whether you can mount over a file or not but with the
709 	 * added restriction that you can only mount on top of a regular
710 	 * file or directory.
711 	 * If we have all the zone's privileges, we skip all other checks,
712 	 * or else we may actually get in trouble inside the automounter.
713 	 */
714 	if ((mvp->v_flag & VROOT) != 0 ||
715 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
716 	    HAS_ALLZONEPRIVS(cr)) {
717 		allzone = B_TRUE;
718 	} else {
719 		vattr_t va;
720 		int err;
721 
722 		va.va_mask = AT_UID|AT_MODE;
723 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
724 		if (err != 0)
725 			return (err);
726 
727 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
728 			return (err);
729 
730 		if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
731 		    VWRITE) != 0) {
732 			return (EACCES);
733 		}
734 	}
735 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
736 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
737 }
738 
739 void
740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
741 {
742 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
743 
744 	/*
745 	 * check; if we don't have either "nosuid" or
746 	 * both "nosetuid" and "nodevices", then we add
747 	 * "nosuid"; this depends on how the current
748 	 * implementation works (it first checks nosuid).  In a
749 	 * zone, a user with all zone privileges can mount with
750 	 * "setuid" but never with "devices".
751 	 */
752 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
753 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
754 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
755 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
756 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
757 		else
758 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
759 	}
760 	/*
761 	 * If we're not the local super user, we set the "restrict"
762 	 * option to indicate to automountd that this mount should
763 	 * be handled with care.
764 	 */
765 	if (!amsuper)
766 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
767 
768 }
769 
770 int
771 secpolicy_fs_allowed_mount(const char *fsname)
772 {
773 	struct vfssw *vswp;
774 	const char *p;
775 	size_t len;
776 
777 	ASSERT(fsname != NULL);
778 	ASSERT(fsname[0] != '\0');
779 
780 	if (INGLOBALZONE(curproc))
781 		return (0);
782 
783 	vswp = vfs_getvfssw(fsname);
784 	if (vswp == NULL)
785 		return (ENOENT);
786 
787 	if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
788 		vfs_unrefvfssw(vswp);
789 		return (0);
790 	}
791 
792 	vfs_unrefvfssw(vswp);
793 
794 	p = curzone->zone_fs_allowed;
795 	len = strlen(fsname);
796 
797 	while (p != NULL && *p != '\0') {
798 		if (strncmp(p, fsname, len) == 0) {
799 			char c = *(p + len);
800 			if (c == '\0' || c == ',')
801 				return (0);
802 		}
803 
804 		/* skip to beyond the next comma */
805 		if ((p = strchr(p, ',')) != NULL)
806 			p++;
807 	}
808 
809 	return (EPERM);
810 }
811 
812 extern vnode_t *rootvp;
813 extern vfs_t *rootvfs;
814 
815 int
816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
817 {
818 	boolean_t needoptchk;
819 	int error;
820 
821 	/*
822 	 * If it's a remount, get the underlying mount point,
823 	 * except for the root where we use the rootvp.
824 	 */
825 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
826 		if (vfsp == rootvfs)
827 			mvp = rootvp;
828 		else
829 			mvp = vfsp->vfs_vnodecovered;
830 	}
831 
832 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
833 
834 	if (error == 0 && needoptchk) {
835 		secpolicy_fs_mount_clearopts(cr, vfsp);
836 	}
837 
838 	return (error);
839 }
840 
841 /*
842  * Does the policy computations for "ownership" of a mount;
843  * here ownership is defined as the ability to "mount"
844  * the filesystem originally.  The rootvfs doesn't cover any
845  * vnodes; we attribute its ownership to the rootvp.
846  */
847 static int
848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
849 {
850 	vnode_t *mvp;
851 
852 	if (vfsp == NULL)
853 		mvp = NULL;
854 	else if (vfsp == rootvfs)
855 		mvp = rootvp;
856 	else
857 		mvp = vfsp->vfs_vnodecovered;
858 
859 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
860 }
861 
862 int
863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
864 {
865 	return (secpolicy_fs_owner(cr, vfsp));
866 }
867 
868 /*
869  * Quotas are a resource, but if one has the ability to mount a filesystem, he
870  * should be able to modify quotas on it.
871  */
872 int
873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
874 {
875 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
876 }
877 
878 /*
879  * Exceeding minfree: also a per-mount resource constraint.
880  */
881 int
882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
883 {
884 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
885 }
886 
887 int
888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
889 {
890 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
891 }
892 
893 /* ARGSUSED */
894 int
895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
896 {
897 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
898 }
899 
900 /*
901  * Name:        secpolicy_vnode_access()
902  *
903  * Parameters:  Process credential
904  *		vnode
905  *		uid of owner of vnode
906  *		permission bits not granted to the caller when examining
907  *		file mode bits (i.e., when a process wants to open a
908  *		mode 444 file for VREAD|VWRITE, this function should be
909  *		called only with a VWRITE argument).
910  *
911  * Normal:      Verifies that cred has the appropriate privileges to
912  *              override the mode bits that were denied.
913  *
914  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
915  *                      not a directory.
916  *              file_dac_read - if VREAD bit was denied.
917  *              file_dac_search - if VEXEC bit was denied and vnode is
918  *                      a directory.
919  *              file_dac_write - if VWRITE bit was denied.
920  *
921  *		Root owned files are special cased to protect system
922  *		configuration files and such.
923  *
924  * Output:      EACCES - if privilege check fails.
925  */
926 
927 int
928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
929 {
930 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
931 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
932 	    KLPDARG_NOMORE) != 0) {
933 		return (EACCES);
934 	}
935 
936 	if (mode & VWRITE) {
937 		boolean_t allzone;
938 
939 		if (owner == 0 && cr->cr_uid != 0)
940 			allzone = B_TRUE;
941 		else
942 			allzone = B_FALSE;
943 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
944 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
945 		    KLPDARG_NOMORE) != 0) {
946 			return (EACCES);
947 		}
948 	}
949 
950 	if (mode & VEXEC) {
951 		/*
952 		 * Directories use file_dac_search to override the execute bit.
953 		 */
954 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
955 		    PRIV_FILE_DAC_EXECUTE;
956 
957 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
958 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
959 	}
960 	return (0);
961 }
962 
963 /*
964  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
965  * current mode of the file, not the missing bits.
966  */
967 int
968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
969     mode_t curmode, mode_t wantmode)
970 {
971 	mode_t mode;
972 
973 	/* Inline the basic privileges tests. */
974 	if ((wantmode & VREAD) &&
975 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
976 	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
977 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
978 		return (EACCES);
979 	}
980 
981 	if ((wantmode & VWRITE) &&
982 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
983 	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
984 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
985 		return (EACCES);
986 	}
987 
988 	mode = ~curmode & wantmode;
989 
990 	if (mode == 0)
991 		return (0);
992 
993 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
994 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
995 	    KLPDARG_NOMORE) != 0) {
996 		return (EACCES);
997 	}
998 
999 	if (mode & VWRITE) {
1000 		boolean_t allzone;
1001 
1002 		if (owner == 0 && cr->cr_uid != 0)
1003 			allzone = B_TRUE;
1004 		else
1005 			allzone = B_FALSE;
1006 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1007 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
1008 		    KLPDARG_NOMORE) != 0) {
1009 			return (EACCES);
1010 		}
1011 	}
1012 
1013 	if (mode & VEXEC) {
1014 		/*
1015 		 * Directories use file_dac_search to override the execute bit.
1016 		 */
1017 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1018 		    PRIV_FILE_DAC_EXECUTE;
1019 
1020 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1021 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1022 	}
1023 	return (0);
1024 }
1025 
1026 /*
1027  * This is a special routine for ZFS; it is used to determine whether
1028  * any of the privileges in effect allow any form of access to the
1029  * file.  There's no reason to audit this or any reason to record
1030  * this.  More work is needed to do the "KPLD" stuff.
1031  */
1032 int
1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1034 {
1035 	static int privs[] = {
1036 	    PRIV_FILE_OWNER,
1037 	    PRIV_FILE_CHOWN,
1038 	    PRIV_FILE_DAC_READ,
1039 	    PRIV_FILE_DAC_WRITE,
1040 	    PRIV_FILE_DAC_EXECUTE,
1041 	    PRIV_FILE_DAC_SEARCH,
1042 	};
1043 	int i;
1044 
1045 	/* Same as secpolicy_vnode_setdac */
1046 	if (owner == cr->cr_uid)
1047 		return (0);
1048 
1049 	for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1050 		boolean_t allzone = B_FALSE;
1051 		int priv;
1052 
1053 		switch (priv = privs[i]) {
1054 		case PRIV_FILE_DAC_EXECUTE:
1055 			if (vp->v_type == VDIR)
1056 				continue;
1057 			break;
1058 		case PRIV_FILE_DAC_SEARCH:
1059 			if (vp->v_type != VDIR)
1060 				continue;
1061 			break;
1062 		case PRIV_FILE_DAC_WRITE:
1063 		case PRIV_FILE_OWNER:
1064 		case PRIV_FILE_CHOWN:
1065 			/* We know here that if owner == 0, that cr_uid != 0 */
1066 			allzone = owner == 0;
1067 			break;
1068 		}
1069 		if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1070 			return (0);
1071 	}
1072 	return (EPERM);
1073 }
1074 
1075 /*
1076  * Name:	secpolicy_vnode_setid_modify()
1077  *
1078  * Normal:	verify that subject can set the file setid flags.
1079  *
1080  * Output:	EPERM - if not privileged.
1081  */
1082 
1083 static int
1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1085 {
1086 	/* If changing to suid root, must have all zone privs */
1087 	boolean_t allzone = B_TRUE;
1088 
1089 	if (owner != 0) {
1090 		if (owner == cr->cr_uid)
1091 			return (0);
1092 		allzone = B_FALSE;
1093 	}
1094 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1095 }
1096 
1097 /*
1098  * Are we allowed to retain the set-uid/set-gid bits when
1099  * changing ownership or when writing to a file?
1100  * "issuid" should be true when set-uid; only in that case
1101  * root ownership is checked (setgid is assumed).
1102  */
1103 int
1104 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1105 {
1106 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1107 		return (EPERM);
1108 
1109 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1110 }
1111 
1112 /*
1113  * Name:	secpolicy_vnode_setids_setgids()
1114  *
1115  * Normal:	verify that subject can set the file setgid flag.
1116  *
1117  * Output:	EPERM - if not privileged
1118  */
1119 
1120 int
1121 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1122 {
1123 	if (!groupmember(gid, cred))
1124 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1125 		    NULL));
1126 	return (0);
1127 }
1128 
1129 /*
1130  * Name:	secpolicy_vnode_chown
1131  *
1132  * Normal:	Determine if subject can chown owner of a file.
1133  *
1134  * Output:	EPERM - if access denied
1135  */
1136 
1137 int
1138 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1139 {
1140 	boolean_t is_owner = (owner == crgetuid(cred));
1141 	boolean_t allzone = B_FALSE;
1142 	int priv;
1143 
1144 	if (!is_owner) {
1145 		allzone = (owner == 0);
1146 		priv = PRIV_FILE_CHOWN;
1147 	} else {
1148 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1149 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1150 	}
1151 
1152 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1153 }
1154 
1155 /*
1156  * Name:	secpolicy_vnode_create_gid
1157  *
1158  * Normal:	Determine if subject can change group ownership of a file.
1159  *
1160  * Output:	EPERM - if access denied
1161  */
1162 int
1163 secpolicy_vnode_create_gid(const cred_t *cred)
1164 {
1165 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1166 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1167 		    NULL));
1168 	else
1169 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1170 		    NULL));
1171 }
1172 
1173 /*
1174  * Name:	secpolicy_vnode_utime_modify()
1175  *
1176  * Normal:	verify that subject can modify the utime on a file.
1177  *
1178  * Output:	EPERM - if access denied.
1179  */
1180 
1181 static int
1182 secpolicy_vnode_utime_modify(const cred_t *cred)
1183 {
1184 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1185 	    "modify file times"));
1186 }
1187 
1188 
1189 /*
1190  * Name:	secpolicy_vnode_setdac()
1191  *
1192  * Normal:	verify that subject can modify the mode of a file.
1193  *		allzone privilege needed when modifying root owned object.
1194  *
1195  * Output:	EPERM - if access denied.
1196  */
1197 
1198 int
1199 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1200 {
1201 	if (owner == cred->cr_uid)
1202 		return (0);
1203 
1204 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1205 }
1206 /*
1207  * Name:	secpolicy_vnode_stky_modify()
1208  *
1209  * Normal:	verify that subject can make a file a "sticky".
1210  *
1211  * Output:	EPERM - if access denied.
1212  */
1213 
1214 int
1215 secpolicy_vnode_stky_modify(const cred_t *cred)
1216 {
1217 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1218 	    "set file sticky"));
1219 }
1220 
1221 /*
1222  * Policy determines whether we can remove an entry from a directory,
1223  * regardless of permission bits.
1224  */
1225 int
1226 secpolicy_vnode_remove(const cred_t *cr)
1227 {
1228 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1229 	    "sticky directory"));
1230 }
1231 
1232 int
1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1234 {
1235 	boolean_t allzone = (owner == 0);
1236 
1237 	if (owner == cr->cr_uid)
1238 		return (0);
1239 
1240 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1241 }
1242 
1243 void
1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1245 {
1246 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1247 	    secpolicy_vnode_setid_retain(cr,
1248 	    (vap->va_mode & S_ISUID) != 0 &&
1249 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1250 		vap->va_mask |= AT_MODE;
1251 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1252 	}
1253 }
1254 
1255 int
1256 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1257     cred_t *cr)
1258 {
1259 	int error;
1260 
1261 	if ((vap->va_mode & S_ISUID) != 0 &&
1262 	    (error = secpolicy_vnode_setid_modify(cr,
1263 	    ovap->va_uid)) != 0) {
1264 		return (error);
1265 	}
1266 
1267 	/*
1268 	 * Check privilege if attempting to set the
1269 	 * sticky bit on a non-directory.
1270 	 */
1271 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1272 	    secpolicy_vnode_stky_modify(cr) != 0) {
1273 		vap->va_mode &= ~S_ISVTX;
1274 	}
1275 
1276 	/*
1277 	 * Check for privilege if attempting to set the
1278 	 * group-id bit.
1279 	 */
1280 	if ((vap->va_mode & S_ISGID) != 0 &&
1281 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1282 		vap->va_mode &= ~S_ISGID;
1283 	}
1284 
1285 	return (0);
1286 }
1287 
1288 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1289 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1290 	B_FALSE, EPERM, NULL)
1291 
1292 /*
1293  * Check privileges for setting xvattr attributes
1294  */
1295 int
1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1297 {
1298 	xoptattr_t *xoap;
1299 	int error = 0;
1300 
1301 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1302 		return (EINVAL);
1303 
1304 	/*
1305 	 * First process the DOS bits
1306 	 */
1307 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1308 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1309 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1310 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1311 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1312 	    XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1313 	    XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1314 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1315 			return (error);
1316 	}
1317 
1318 	/*
1319 	 * Now handle special attributes
1320 	 */
1321 
1322 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1323 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1324 		    xoap->xoa_immutable, cr);
1325 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1326 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1327 		    xoap->xoa_nounlink, cr);
1328 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1329 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1330 		    xoap->xoa_appendonly, cr);
1331 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1332 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1333 		    xoap->xoa_nodump, cr);
1334 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1335 		error = EPERM;
1336 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1337 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1338 		    xoap->xoa_av_quarantined, cr);
1339 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1340 			error = EINVAL;
1341 	}
1342 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1343 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1344 		    xoap->xoa_av_modified, cr);
1345 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1346 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1347 		    xoap->xoa_av_scanstamp, cr);
1348 		if (error == 0 && vtype != VREG)
1349 			error = EINVAL;
1350 	}
1351 	return (error);
1352 }
1353 
1354 /*
1355  * This function checks the policy decisions surrounding the
1356  * vop setattr call.
1357  *
1358  * It should be called after sufficient locks have been established
1359  * on the underlying data structures.  No concurrent modifications
1360  * should be allowed.
1361  *
1362  * The caller must pass in unlocked version of its vaccess function
1363  * this is required because vop_access function should lock the
1364  * node for reading.  A three argument function should be defined
1365  * which accepts the following argument:
1366  * 	A pointer to the internal "node" type (inode *)
1367  *	vnode access bits (VREAD|VWRITE|VEXEC)
1368  *	a pointer to the credential
1369  *
1370  * This function makes the following policy decisions:
1371  *
1372  *		- change permissions
1373  *			- permission to change file mode if not owner
1374  *			- permission to add sticky bit to non-directory
1375  *			- permission to add set-gid bit
1376  *
1377  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1378  *
1379  * If the vap argument does not include AT_MODE, the mode will be copied from
1380  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1381  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1382  * is updated to the newly computed mode.
1383  */
1384 
1385 int
1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1387 	const struct vattr *ovap, int flags,
1388 	int unlocked_access(void *, int, cred_t *),
1389 	void *node)
1390 {
1391 	int mask = vap->va_mask;
1392 	int error = 0;
1393 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1394 
1395 	if (mask & AT_SIZE) {
1396 		if (vp->v_type == VDIR) {
1397 			error = EISDIR;
1398 			goto out;
1399 		}
1400 
1401 		/*
1402 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1403 		 * perform the secondary unlocked_access() call since the
1404 		 * ACL (if any) is being checked there.
1405 		 */
1406 		if (skipaclchk == B_FALSE) {
1407 			error = unlocked_access(node, VWRITE, cr);
1408 			if (error)
1409 				goto out;
1410 		}
1411 	}
1412 	if (mask & AT_MODE) {
1413 		/*
1414 		 * If not the owner of the file then check privilege
1415 		 * for two things: the privilege to set the mode at all
1416 		 * and, if we're setting setuid, we also need permissions
1417 		 * to add the set-uid bit, if we're not the owner.
1418 		 * In the specific case of creating a set-uid root
1419 		 * file, we need even more permissions.
1420 		 */
1421 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1422 			goto out;
1423 
1424 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1425 		    ovap, cr)) != 0)
1426 			goto out;
1427 	} else
1428 		vap->va_mode = ovap->va_mode;
1429 
1430 	if (mask & (AT_UID|AT_GID)) {
1431 		boolean_t checkpriv = B_FALSE;
1432 
1433 		/*
1434 		 * Chowning files.
1435 		 *
1436 		 * If you are the file owner:
1437 		 *	chown to other uid		FILE_CHOWN_SELF
1438 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1439 		 *	chown to gid (member) 		<none>
1440 		 *
1441 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1442 		 * acceptable but the first one is reported when debugging.
1443 		 *
1444 		 * If you are not the file owner:
1445 		 *	chown from root			PRIV_FILE_CHOWN + zone
1446 		 *	chown from other to any		PRIV_FILE_CHOWN
1447 		 *
1448 		 */
1449 		if (cr->cr_uid != ovap->va_uid) {
1450 			checkpriv = B_TRUE;
1451 		} else {
1452 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1453 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1454 			    !groupmember(vap->va_gid, cr))) {
1455 				checkpriv = B_TRUE;
1456 			}
1457 		}
1458 		/*
1459 		 * If necessary, check privilege to see if update can be done.
1460 		 */
1461 		if (checkpriv &&
1462 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1463 			goto out;
1464 		}
1465 
1466 		/*
1467 		 * If the file has either the set UID or set GID bits
1468 		 * set and the caller can set the bits, then leave them.
1469 		 */
1470 		secpolicy_setid_clear(vap, cr);
1471 	}
1472 	if (mask & (AT_ATIME|AT_MTIME)) {
1473 		/*
1474 		 * If not the file owner and not otherwise privileged,
1475 		 * always return an error when setting the
1476 		 * time other than the current (ATTR_UTIME flag set).
1477 		 * If setting the current time (ATTR_UTIME not set) then
1478 		 * unlocked_access will check permissions according to policy.
1479 		 */
1480 		if (cr->cr_uid != ovap->va_uid) {
1481 			if (flags & ATTR_UTIME)
1482 				error = secpolicy_vnode_utime_modify(cr);
1483 			else if (skipaclchk == B_FALSE) {
1484 				error = unlocked_access(node, VWRITE, cr);
1485 				if (error == EACCES &&
1486 				    secpolicy_vnode_utime_modify(cr) == 0)
1487 					error = 0;
1488 			}
1489 			if (error)
1490 				goto out;
1491 		}
1492 	}
1493 
1494 	/*
1495 	 * Check for optional attributes here by checking the following:
1496 	 */
1497 	if (mask & AT_XVATTR)
1498 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1499 		    vp->v_type);
1500 out:
1501 	return (error);
1502 }
1503 
1504 /*
1505  * Name:	secpolicy_pcfs_modify_bootpartition()
1506  *
1507  * Normal:	verify that subject can modify a pcfs boot partition.
1508  *
1509  * Output:	EACCES - if privilege check failed.
1510  */
1511 /*ARGSUSED*/
1512 int
1513 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1514 {
1515 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1516 	    "modify pcfs boot partition"));
1517 }
1518 
1519 /*
1520  * System V IPC routines
1521  */
1522 int
1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1524 {
1525 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1526 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1527 		boolean_t allzone = B_FALSE;
1528 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1529 			allzone = B_TRUE;
1530 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1531 	}
1532 	return (0);
1533 }
1534 
1535 int
1536 secpolicy_ipc_config(const cred_t *cr)
1537 {
1538 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1539 }
1540 
1541 int
1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1543 {
1544 
1545 	boolean_t allzone = B_FALSE;
1546 
1547 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1548 
1549 	if ((mode & MSG_R) &&
1550 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1551 		return (EACCES);
1552 
1553 	if (mode & MSG_W) {
1554 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1555 			allzone = B_TRUE;
1556 
1557 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1558 		    NULL));
1559 	}
1560 	return (0);
1561 }
1562 
1563 int
1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1565 {
1566 	boolean_t allzone = B_FALSE;
1567 
1568 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1569 
1570 	if ((mode & MSG_R) &&
1571 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1572 		return (EACCES);
1573 
1574 	if (mode & MSG_W) {
1575 		if (cr->cr_uid != 0 && owner == 0)
1576 			allzone = B_TRUE;
1577 
1578 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1579 		    NULL));
1580 	}
1581 	return (0);
1582 }
1583 
1584 /*
1585  * Audit configuration.
1586  */
1587 int
1588 secpolicy_audit_config(const cred_t *cr)
1589 {
1590 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1591 }
1592 
1593 /*
1594  * Audit record generation.
1595  */
1596 int
1597 secpolicy_audit_modify(const cred_t *cr)
1598 {
1599 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1600 }
1601 
1602 /*
1603  * Get audit attributes.
1604  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1605  * "Least" of the two privileges on error.
1606  */
1607 int
1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1609 {
1610 	int priv;
1611 
1612 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1613 		priv = PRIV_SYS_AUDIT;
1614 	else
1615 		priv = PRIV_PROC_AUDIT;
1616 
1617 	if (checkonly)
1618 		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1619 	else
1620 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1621 }
1622 
1623 
1624 /*
1625  * Locking physical memory
1626  */
1627 int
1628 secpolicy_lock_memory(const cred_t *cr)
1629 {
1630 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1631 }
1632 
1633 /*
1634  * Accounting (both acct(2) and exacct).
1635  */
1636 int
1637 secpolicy_acct(const cred_t *cr)
1638 {
1639 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1640 }
1641 
1642 /*
1643  * Is this process privileged to change its uids at will?
1644  * Uid 0 is still considered "special" and having the SETID
1645  * privilege is not sufficient to get uid 0.
1646  * Files are owned by root, so the privilege would give
1647  * full access and euid 0 is still effective.
1648  *
1649  * If you have the privilege and euid 0 only then do you
1650  * get the powers of root wrt uid 0.
1651  *
1652  * For gid manipulations, this is should be called with an
1653  * uid of -1.
1654  *
1655  */
1656 int
1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1658 {
1659 	boolean_t allzone = B_FALSE;
1660 
1661 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1662 	    cr->cr_ruid != 0) {
1663 		allzone = B_TRUE;
1664 	}
1665 
1666 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1667 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1668 }
1669 
1670 
1671 /*
1672  * Acting on a different process: if the mode is for writing,
1673  * the restrictions are more severe.  This is called after
1674  * we've verified that the uids do not match.
1675  */
1676 int
1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1678 {
1679 	boolean_t allzone = B_FALSE;
1680 
1681 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1682 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1683 		allzone = B_TRUE;
1684 
1685 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1686 }
1687 
1688 int
1689 secpolicy_proc_access(const cred_t *scr)
1690 {
1691 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1692 }
1693 
1694 int
1695 secpolicy_proc_excl_open(const cred_t *scr)
1696 {
1697 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1698 }
1699 
1700 int
1701 secpolicy_proc_zone(const cred_t *scr)
1702 {
1703 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1704 }
1705 
1706 /*
1707  * Destroying the system
1708  */
1709 
1710 int
1711 secpolicy_kmdb(const cred_t *scr)
1712 {
1713 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1714 }
1715 
1716 int
1717 secpolicy_error_inject(const cred_t *scr)
1718 {
1719 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1720 }
1721 
1722 /*
1723  * Processor sets, cpu configuration, resource pools.
1724  */
1725 int
1726 secpolicy_pset(const cred_t *cr)
1727 {
1728 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1729 }
1730 
1731 /*
1732  * Processor set binding.
1733  */
1734 int
1735 secpolicy_pbind(const cred_t *cr)
1736 {
1737 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1738 		return (secpolicy_pset(cr));
1739 	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1740 }
1741 
1742 int
1743 secpolicy_ponline(const cred_t *cr)
1744 {
1745 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1746 }
1747 
1748 int
1749 secpolicy_pool(const cred_t *cr)
1750 {
1751 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1752 }
1753 
1754 int
1755 secpolicy_blacklist(const cred_t *cr)
1756 {
1757 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1758 }
1759 
1760 /*
1761  * Catch all system configuration.
1762  */
1763 int
1764 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1765 {
1766 	if (checkonly) {
1767 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1768 		    EPERM);
1769 	} else {
1770 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1771 	}
1772 }
1773 
1774 /*
1775  * Zone administration (halt, reboot, etc.) from within zone.
1776  */
1777 int
1778 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1779 {
1780 	if (checkonly) {
1781 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1782 		    EPERM);
1783 	} else {
1784 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1785 		    NULL));
1786 	}
1787 }
1788 
1789 /*
1790  * Zone configuration (create, halt, enter).
1791  */
1792 int
1793 secpolicy_zone_config(const cred_t *cr)
1794 {
1795 	/*
1796 	 * Require all privileges to avoid possibility of privilege
1797 	 * escalation.
1798 	 */
1799 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1800 }
1801 
1802 /*
1803  * Various other system configuration calls
1804  */
1805 int
1806 secpolicy_coreadm(const cred_t *cr)
1807 {
1808 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1809 }
1810 
1811 int
1812 secpolicy_systeminfo(const cred_t *cr)
1813 {
1814 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1815 }
1816 
1817 int
1818 secpolicy_dispadm(const cred_t *cr)
1819 {
1820 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1821 }
1822 
1823 int
1824 secpolicy_settime(const cred_t *cr)
1825 {
1826 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1827 }
1828 
1829 /*
1830  * For realtime users: high resolution clock.
1831  */
1832 int
1833 secpolicy_clock_highres(const cred_t *cr)
1834 {
1835 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1836 	    NULL));
1837 }
1838 
1839 /*
1840  * drv_priv() is documented as callable from interrupt context, not that
1841  * anyone ever does, but still.  No debugging or auditing can be done when
1842  * it is called from interrupt context.
1843  * returns 0 on succes, EPERM on failure.
1844  */
1845 int
1846 drv_priv(cred_t *cr)
1847 {
1848 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1849 }
1850 
1851 int
1852 secpolicy_sys_devices(const cred_t *cr)
1853 {
1854 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1855 }
1856 
1857 int
1858 secpolicy_excl_open(const cred_t *cr)
1859 {
1860 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1861 }
1862 
1863 int
1864 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1865 {
1866 	/* zone.* rctls can only be set from the global zone */
1867 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1868 		return (EPERM);
1869 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1870 }
1871 
1872 int
1873 secpolicy_resource(const cred_t *cr)
1874 {
1875 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1876 }
1877 
1878 int
1879 secpolicy_resource_anon_mem(const cred_t *cr)
1880 {
1881 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1882 }
1883 
1884 /*
1885  * Processes with a real uid of 0 escape any form of accounting, much
1886  * like before.
1887  */
1888 int
1889 secpolicy_newproc(const cred_t *cr)
1890 {
1891 	if (cr->cr_ruid == 0)
1892 		return (0);
1893 
1894 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1895 }
1896 
1897 /*
1898  * Networking
1899  */
1900 int
1901 secpolicy_net_rawaccess(const cred_t *cr)
1902 {
1903 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1904 }
1905 
1906 int
1907 secpolicy_net_observability(const cred_t *cr)
1908 {
1909 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1910 }
1911 
1912 /*
1913  * Need this privilege for accessing the ICMP device
1914  */
1915 int
1916 secpolicy_net_icmpaccess(const cred_t *cr)
1917 {
1918 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1919 }
1920 
1921 /*
1922  * There are a few rare cases where the kernel generates ioctls() from
1923  * interrupt context with a credential of kcred rather than NULL.
1924  * In those cases, we take the safe and cheap test.
1925  */
1926 int
1927 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1928 {
1929 	if (checkonly) {
1930 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1931 		    0 : EPERM);
1932 	} else {
1933 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1934 		    NULL));
1935 	}
1936 }
1937 
1938 
1939 /*
1940  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1941  *
1942  * There are a few rare cases where the kernel generates ioctls() from
1943  * interrupt context with a credential of kcred rather than NULL.
1944  * In those cases, we take the safe and cheap test.
1945  */
1946 int
1947 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1948 {
1949 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1950 		return (secpolicy_net_config(cr, checkonly));
1951 
1952 	if (checkonly) {
1953 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1954 		    0 : EPERM);
1955 	} else {
1956 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1957 		    NULL));
1958 	}
1959 }
1960 
1961 /*
1962  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1963  */
1964 int
1965 secpolicy_dl_config(const cred_t *cr)
1966 {
1967 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1968 		return (secpolicy_net_config(cr, B_FALSE));
1969 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1970 }
1971 
1972 /*
1973  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1974  */
1975 int
1976 secpolicy_iptun_config(const cred_t *cr)
1977 {
1978 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1979 		return (secpolicy_net_config(cr, B_FALSE));
1980 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1981 		return (secpolicy_dl_config(cr));
1982 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1983 }
1984 
1985 /*
1986  * Map IP pseudo privileges to actual privileges.
1987  * So we don't need to recompile IP when we change the privileges.
1988  */
1989 int
1990 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1991 {
1992 	int priv = PRIV_ALL;
1993 
1994 	switch (netpriv) {
1995 	case OP_CONFIG:
1996 		priv = PRIV_SYS_IP_CONFIG;
1997 		break;
1998 	case OP_RAW:
1999 		priv = PRIV_NET_RAWACCESS;
2000 		break;
2001 	case OP_PRIVPORT:
2002 		priv = PRIV_NET_PRIVADDR;
2003 		break;
2004 	}
2005 	ASSERT(priv != PRIV_ALL);
2006 	if (checkonly)
2007 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2008 	else
2009 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2010 }
2011 
2012 /*
2013  * Map network pseudo privileges to actual privileges.
2014  * So we don't need to recompile IP when we change the privileges.
2015  */
2016 int
2017 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2018 {
2019 	int priv = PRIV_ALL;
2020 
2021 	switch (netpriv) {
2022 	case OP_CONFIG:
2023 		priv = PRIV_SYS_NET_CONFIG;
2024 		break;
2025 	case OP_RAW:
2026 		priv = PRIV_NET_RAWACCESS;
2027 		break;
2028 	case OP_PRIVPORT:
2029 		priv = PRIV_NET_PRIVADDR;
2030 		break;
2031 	}
2032 	ASSERT(priv != PRIV_ALL);
2033 	if (checkonly)
2034 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2035 	else
2036 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2037 }
2038 
2039 /*
2040  * Checks for operations that are either client-only or are used by
2041  * both clients and servers.
2042  */
2043 int
2044 secpolicy_nfs(const cred_t *cr)
2045 {
2046 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2047 }
2048 
2049 /*
2050  * Special case for opening rpcmod: have NFS privileges or network
2051  * config privileges.
2052  */
2053 int
2054 secpolicy_rpcmod_open(const cred_t *cr)
2055 {
2056 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2057 		return (secpolicy_nfs(cr));
2058 	else
2059 		return (secpolicy_net_config(cr, NULL));
2060 }
2061 
2062 int
2063 secpolicy_chroot(const cred_t *cr)
2064 {
2065 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2066 }
2067 
2068 int
2069 secpolicy_tasksys(const cred_t *cr)
2070 {
2071 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2072 }
2073 
2074 int
2075 secpolicy_meminfo(const cred_t *cr)
2076 {
2077 	return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2078 }
2079 
2080 int
2081 secpolicy_pfexec_register(const cred_t *cr)
2082 {
2083 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2084 }
2085 
2086 /*
2087  * Basic privilege checks.
2088  */
2089 int
2090 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2091 {
2092 	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2093 
2094 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2095 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2096 }
2097 
2098 int
2099 secpolicy_basic_fork(const cred_t *cr)
2100 {
2101 	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2102 
2103 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2104 }
2105 
2106 int
2107 secpolicy_basic_proc(const cred_t *cr)
2108 {
2109 	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2110 
2111 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2112 }
2113 
2114 /*
2115  * Slightly complicated because we don't want to trigger the policy too
2116  * often.  First we shortcircuit access to "self" (tp == sp) or if
2117  * we don't have the privilege but if we have permission
2118  * just return (0) and we don't flag the privilege as needed.
2119  * Else, we test for the privilege because we either have it or need it.
2120  */
2121 int
2122 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2123 {
2124 	if (tp == sp ||
2125 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2126 		return (0);
2127 	} else {
2128 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2129 	}
2130 }
2131 
2132 int
2133 secpolicy_basic_link(const cred_t *cr)
2134 {
2135 	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2136 
2137 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2138 }
2139 
2140 int
2141 secpolicy_basic_net_access(const cred_t *cr)
2142 {
2143 	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2144 
2145 	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2146 }
2147 
2148 /* ARGSUSED */
2149 int
2150 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2151 {
2152 	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2153 
2154 	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2155 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2156 }
2157 
2158 /* ARGSUSED */
2159 int
2160 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2161 {
2162 	FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2163 
2164 	return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2165 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2166 }
2167 
2168 /*
2169  * Additional device protection.
2170  *
2171  * Traditionally, a device has specific permissions on the node in
2172  * the filesystem which govern which devices can be opened by what
2173  * processes.  In certain cases, it is desirable to add extra
2174  * restrictions, as writing to certain devices is identical to
2175  * having a complete run of the system.
2176  *
2177  * This mechanism is called the device policy.
2178  *
2179  * When a device is opened, its policy entry is looked up in the
2180  * policy cache and checked.
2181  */
2182 int
2183 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2184 {
2185 	devplcy_t *plcy;
2186 	int err;
2187 	struct snode *csp = VTOS(common_specvp(vp));
2188 	priv_set_t pset;
2189 
2190 	mutex_enter(&csp->s_lock);
2191 
2192 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2193 		plcy = devpolicy_find(vp);
2194 		if (csp->s_plcy)
2195 			dpfree(csp->s_plcy);
2196 		csp->s_plcy = plcy;
2197 		ASSERT(plcy != NULL);
2198 	} else
2199 		plcy = csp->s_plcy;
2200 
2201 	if (plcy == nullpolicy) {
2202 		mutex_exit(&csp->s_lock);
2203 		return (0);
2204 	}
2205 
2206 	dphold(plcy);
2207 
2208 	mutex_exit(&csp->s_lock);
2209 
2210 	if (oflag & FWRITE)
2211 		pset = plcy->dp_wrp;
2212 	else
2213 		pset = plcy->dp_rdp;
2214 	/*
2215 	 * Special case:
2216 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2217 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2218 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2219 	 * in the required privilege set before doing the check.
2220 	 */
2221 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2222 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2223 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2224 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2225 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2226 	}
2227 
2228 	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2229 	dpfree(plcy);
2230 
2231 	return (err);
2232 }
2233 
2234 int
2235 secpolicy_modctl(const cred_t *cr, int cmd)
2236 {
2237 	switch (cmd) {
2238 	case MODINFO:
2239 	case MODGETMAJBIND:
2240 	case MODGETPATH:
2241 	case MODGETPATHLEN:
2242 	case MODGETNAME:
2243 	case MODGETFBNAME:
2244 	case MODGETDEVPOLICY:
2245 	case MODGETDEVPOLICYBYNAME:
2246 	case MODDEVT2INSTANCE:
2247 	case MODSIZEOF_DEVID:
2248 	case MODGETDEVID:
2249 	case MODSIZEOF_MINORNAME:
2250 	case MODGETMINORNAME:
2251 	case MODGETDEVFSPATH_LEN:
2252 	case MODGETDEVFSPATH:
2253 	case MODGETDEVFSPATH_MI_LEN:
2254 	case MODGETDEVFSPATH_MI:
2255 		/* Unprivileged */
2256 		return (0);
2257 	case MODLOAD:
2258 	case MODSETDEVPOLICY:
2259 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2260 		    KLPDARG_NONE));
2261 	default:
2262 		return (secpolicy_sys_config(cr, B_FALSE));
2263 	}
2264 }
2265 
2266 int
2267 secpolicy_console(const cred_t *cr)
2268 {
2269 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2270 }
2271 
2272 int
2273 secpolicy_power_mgmt(const cred_t *cr)
2274 {
2275 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2276 }
2277 
2278 /*
2279  * Simulate terminal input; another escalation of privileges avenue.
2280  */
2281 
2282 int
2283 secpolicy_sti(const cred_t *cr)
2284 {
2285 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2286 }
2287 
2288 boolean_t
2289 secpolicy_net_reply_equal(const cred_t *cr)
2290 {
2291 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2292 }
2293 
2294 int
2295 secpolicy_swapctl(const cred_t *cr)
2296 {
2297 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2298 }
2299 
2300 int
2301 secpolicy_cpc_cpu(const cred_t *cr)
2302 {
2303 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2304 }
2305 
2306 /*
2307  * secpolicy_contract_identity
2308  *
2309  * Determine if the subject may set the process contract FMRI value
2310  */
2311 int
2312 secpolicy_contract_identity(const cred_t *cr)
2313 {
2314 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2315 }
2316 
2317 /*
2318  * secpolicy_contract_observer
2319  *
2320  * Determine if the subject may observe a specific contract's events.
2321  */
2322 int
2323 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2324 {
2325 	if (contract_owned(ct, cr, B_FALSE))
2326 		return (0);
2327 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2328 }
2329 
2330 /*
2331  * secpolicy_contract_observer_choice
2332  *
2333  * Determine if the subject may observe any contract's events.  Just
2334  * tests privilege and audits on success.
2335  */
2336 boolean_t
2337 secpolicy_contract_observer_choice(const cred_t *cr)
2338 {
2339 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2340 }
2341 
2342 /*
2343  * secpolicy_contract_event
2344  *
2345  * Determine if the subject may request critical contract events or
2346  * reliable contract event delivery.
2347  */
2348 int
2349 secpolicy_contract_event(const cred_t *cr)
2350 {
2351 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2352 }
2353 
2354 /*
2355  * secpolicy_contract_event_choice
2356  *
2357  * Determine if the subject may retain contract events in its critical
2358  * set when a change in other terms would normally require a change in
2359  * the critical set.  Just tests privilege and audits on success.
2360  */
2361 boolean_t
2362 secpolicy_contract_event_choice(const cred_t *cr)
2363 {
2364 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2365 }
2366 
2367 /*
2368  * secpolicy_gart_access
2369  *
2370  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2371  * device.
2372  */
2373 int
2374 secpolicy_gart_access(const cred_t *cr)
2375 {
2376 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2377 }
2378 
2379 /*
2380  * secpolicy_gart_map
2381  *
2382  * Determine if the subject has sufficient priveleges to map aperture range
2383  * through agpgart driver.
2384  */
2385 int
2386 secpolicy_gart_map(const cred_t *cr)
2387 {
2388 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2389 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2390 		    NULL));
2391 	} else {
2392 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2393 		    NULL));
2394 	}
2395 }
2396 
2397 /*
2398  * secpolicy_zinject
2399  *
2400  * Determine if the subject can inject faults in the ZFS fault injection
2401  * framework.  Requires all privileges.
2402  */
2403 int
2404 secpolicy_zinject(const cred_t *cr)
2405 {
2406 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2407 }
2408 
2409 /*
2410  * secpolicy_zfs
2411  *
2412  * Determine if the subject has permission to manipulate ZFS datasets
2413  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2414  */
2415 int
2416 secpolicy_zfs(const cred_t *cr)
2417 {
2418 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2419 }
2420 
2421 /*
2422  * secpolicy_idmap
2423  *
2424  * Determine if the calling process has permissions to register an SID
2425  * mapping daemon and allocate ephemeral IDs.
2426  */
2427 int
2428 secpolicy_idmap(const cred_t *cr)
2429 {
2430 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2431 }
2432 
2433 /*
2434  * secpolicy_ucode_update
2435  *
2436  * Determine if the subject has sufficient privilege to update microcode.
2437  */
2438 int
2439 secpolicy_ucode_update(const cred_t *scr)
2440 {
2441 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2442 }
2443 
2444 /*
2445  * secpolicy_sadopen
2446  *
2447  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2448  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2449  * In global zone, sys_config is required.
2450  * In exclusive-IP zones, sys_ip_config is required.
2451  * Note that sys_config is prohibited in non-global zones.
2452  */
2453 int
2454 secpolicy_sadopen(const cred_t *credp)
2455 {
2456 	priv_set_t pset;
2457 
2458 	priv_emptyset(&pset);
2459 
2460 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2461 		priv_addset(&pset, PRIV_SYS_CONFIG);
2462 	else
2463 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2464 
2465 	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2466 }
2467 
2468 
2469 /*
2470  * Add privileges to a particular privilege set; this is called when the
2471  * current sets of privileges are not sufficient.  I.e., we should always
2472  * call the policy override functions from here.
2473  * What we are allowed to have is in the Observed Permitted set; so
2474  * we compute the difference between that and the newset.
2475  */
2476 int
2477 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2478 {
2479 	priv_set_t rqd;
2480 
2481 	rqd = CR_OPPRIV(cr);
2482 
2483 	priv_inverse(&rqd);
2484 	priv_intersect(nset, &rqd);
2485 
2486 	return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2487 }
2488 
2489 /*
2490  * secpolicy_smb
2491  *
2492  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2493  * that it has permission to access the smbsrv kernel driver.
2494  * PRIV_POLICY checks the privilege and audits the check.
2495  *
2496  * Returns:
2497  * 0       Driver access is allowed.
2498  * EPERM   Driver access is NOT permitted.
2499  */
2500 int
2501 secpolicy_smb(const cred_t *cr)
2502 {
2503 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2504 }
2505 
2506 /*
2507  * secpolicy_vscan
2508  *
2509  * Determine if cred_t has the necessary privileges to access a file
2510  * for virus scanning and update its extended system attributes.
2511  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2512  * PRIV_FILE_FLAG_SET - set extended system attributes
2513  *
2514  * PRIV_POLICY checks the privilege and audits the check.
2515  *
2516  * Returns:
2517  * 0      file access for virus scanning allowed.
2518  * EPERM  file access for virus scanning is NOT permitted.
2519  */
2520 int
2521 secpolicy_vscan(const cred_t *cr)
2522 {
2523 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2524 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2525 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2526 		return (EPERM);
2527 	}
2528 
2529 	return (0);
2530 }
2531 
2532 /*
2533  * secpolicy_smbfs_login
2534  *
2535  * Determines if the caller can add and delete the smbfs login
2536  * password in the the nsmb kernel module for the CIFS client.
2537  *
2538  * Returns:
2539  * 0       access is allowed.
2540  * EPERM   access is NOT allowed.
2541  */
2542 int
2543 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2544 {
2545 	uid_t cruid = crgetruid(cr);
2546 
2547 	if (cruid == uid)
2548 		return (0);
2549 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2550 	    EPERM, NULL));
2551 }
2552 
2553 /*
2554  * secpolicy_xvm_control
2555  *
2556  * Determines if a caller can control the xVM hypervisor and/or running
2557  * domains (x86 specific).
2558  *
2559  * Returns:
2560  * 0       access is allowed.
2561  * EPERM   access is NOT allowed.
2562  */
2563 int
2564 secpolicy_xvm_control(const cred_t *cr)
2565 {
2566 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2567 		return (EPERM);
2568 	return (0);
2569 }
2570 
2571 /*
2572  * secpolicy_ppp_config
2573  *
2574  * Determine if the subject has sufficient privileges to configure PPP and
2575  * PPP-related devices.
2576  */
2577 int
2578 secpolicy_ppp_config(const cred_t *cr)
2579 {
2580 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2581 		return (secpolicy_net_config(cr, B_FALSE));
2582 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2583 }
2584