xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision fe54a78e1aacf39261ad56e9903bce02e3fb6d21)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/stat.h>
34 #include <sys/errno.h>
35 #include <sys/kmem.h>
36 #include <sys/user.h>
37 #include <sys/proc.h>
38 #include <sys/acct.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
43 #include <sys/kobj.h>
44 #include <sys/msg.h>
45 #include <sys/devpolicy.h>
46 #include <c2/audit.h>
47 #include <sys/varargs.h>
48 #include <sys/klpd.h>
49 #include <sys/modctl.h>
50 #include <sys/disp.h>
51 #include <sys/zone.h>
52 #include <inet/optcom.h>
53 #include <sys/sdt.h>
54 #include <sys/vfs.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 
58 /*
59  * There are two possible layers of privilege routines and two possible
60  * levels of secpolicy.  Plus one other we may not be interested in, so
61  * we may need as many as 6 but no more.
62  */
63 #define	MAXPRIVSTACK		6
64 
65 int priv_debug = 0;
66 
67 /*
68  * This file contains the majority of the policy routines.
69  * Since the policy routines are defined by function and not
70  * by privilege, there is quite a bit of duplication of
71  * functions.
72  *
73  * The secpolicy functions must not make assumptions about
74  * locks held or not held as any lock can be held while they're
75  * being called.
76  *
77  * Credentials are read-only so no special precautions need to
78  * be taken while locking them.
79  *
80  * When a new policy check needs to be added to the system the
81  * following procedure should be followed:
82  *
83  *		Pick an appropriate secpolicy_*() function
84  *			-> done if one exists.
85  *		Create a new secpolicy function, preferably with
86  *		a descriptive name using the standard template.
87  *		Pick an appropriate privilege for the policy.
88  *		If no appropraite privilege exists, define new one
89  *		(this should be done with extreme care; in most cases
90  *		little is gained by adding another privilege)
91  *
92  * WHY ROOT IS STILL SPECIAL.
93  *
94  * In a number of the policy functions, there are still explicit
95  * checks for uid 0.  The rationale behind these is that many root
96  * owned files/objects hold configuration information which can give full
97  * privileges to the user once written to.  To prevent escalation
98  * of privilege by allowing just a single privilege to modify root owned
99  * objects, we've added these root specific checks where we considered
100  * them necessary: modifying root owned files, changing uids to 0, etc.
101  *
102  * PRIVILEGE ESCALATION AND ZONES.
103  *
104  * A number of operations potentially allow the caller to achieve
105  * privileges beyond the ones normally required to perform the operation.
106  * For example, if allowed to create a setuid 0 executable, a process can
107  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
108  * restrictions on the ability to gain privileges beyond those available
109  * within the zone through file and process manipulation.  Hence, such
110  * operations require that the caller have an effective set that includes
111  * all privileges available within the current zone, or all privileges
112  * if executing in the global zone.
113  *
114  * This is indicated in the priv_policy* policy checking functions
115  * through a combination of parameters.  The "priv" parameter indicates
116  * the privilege that is required, and the "allzone" parameter indicates
117  * whether or not all privileges in the zone are required.  In addition,
118  * priv can be set to PRIV_ALL to indicate that all privileges are
119  * required (regardless of zone).  There are three scenarios of interest:
120  * (1) operation requires a specific privilege
121  * (2) operation requires a specific privilege, and requires all
122  *     privileges available within the zone (or all privileges if in
123  *     the global zone)
124  * (3) operation requires all privileges, regardless of zone
125  *
126  * For (1), priv should be set to the specific privilege, and allzone
127  * should be set to B_FALSE.
128  * For (2), priv should be set to the specific privilege, and allzone
129  * should be set to B_TRUE.
130  * For (3), priv should be set to PRIV_ALL, and allzone should be set
131  * to B_FALSE.
132  *
133  */
134 
135 /*
136  * The privileges are checked against the Effective set for
137  * ordinary processes and checked against the Limit set
138  * for euid 0 processes that haven't manipulated their privilege
139  * sets.
140  */
141 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
142 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
143 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
144 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
145 					HAS_ALLPRIVS(cr) : \
146 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
147 
148 /*
149  * Policy checking functions.
150  *
151  * All of the system's policy should be implemented here.
152  */
153 
154 /*
155  * Private functions which take an additional va_list argument to
156  * implement an object specific policy override.
157  */
158 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
159     const char *, va_list);
160 static int priv_policy_va(const cred_t *, int, boolean_t, int,
161     const char *, ...);
162 
163 /*
164  * Generic policy calls
165  *
166  * The "bottom" functions of policy control
167  */
168 static char *
169 mprintf(const char *fmt, ...)
170 {
171 	va_list args;
172 	char *buf;
173 	size_t len;
174 
175 	va_start(args, fmt);
176 	len = vsnprintf(NULL, 0, fmt, args) + 1;
177 	va_end(args);
178 
179 	buf = kmem_alloc(len, KM_NOSLEEP);
180 
181 	if (buf == NULL)
182 		return (NULL);
183 
184 	va_start(args, fmt);
185 	(void) vsnprintf(buf, len, fmt, args);
186 	va_end(args);
187 
188 	return (buf);
189 }
190 
191 /*
192  * priv_policy_errmsg()
193  *
194  * Generate an error message if privilege debugging is enabled system wide
195  * or for this particular process.
196  */
197 
198 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
199 #define	FMTMSG	" for \"%s\""
200 #define	FMTFUN	" needed at %s+0x%lx"
201 
202 /* The maximum size privilege format: the concatenation of the above */
203 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
204 
205 static void
206 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
207 {
208 	struct proc *me;
209 	pc_t stack[MAXPRIVSTACK];
210 	int depth;
211 	int i;
212 	char *sym;
213 	ulong_t off;
214 	const char *pname;
215 
216 	char *cmd;
217 	char fmt[sizeof (FMTMAX)];
218 
219 	if ((me = curproc) == &p0)
220 		return;
221 
222 	/* Privileges must be defined  */
223 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
224 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
225 	    priv_getbynum(priv) != NULL);
226 
227 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
228 		priv = PRIV_ALL;
229 
230 	if (curthread->t_pre_sys)
231 		ttolwp(curthread)->lwp_badpriv = (short)priv;
232 
233 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
234 		return;
235 
236 	(void) strcpy(fmt, FMTHDR);
237 
238 	if (me->p_user.u_comm[0])
239 		cmd = &me->p_user.u_comm[0];
240 	else
241 		cmd = "priv_policy";
242 
243 	if (msg != NULL && *msg != '\0') {
244 		(void) strcat(fmt, FMTMSG);
245 	} else {
246 		(void) strcat(fmt, "%s");
247 		msg = "";
248 	}
249 
250 	sym = NULL;
251 
252 	depth = getpcstack(stack, MAXPRIVSTACK);
253 
254 	/*
255 	 * Try to find the first interesting function on the stack.
256 	 * priv_policy* that's us, so completely uninteresting.
257 	 * suser(), drv_priv(), secpolicy_* are also called from
258 	 * too many locations to convey useful information.
259 	 */
260 	for (i = 0; i < depth; i++) {
261 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
262 		if (sym != NULL &&
263 		    strstr(sym, "hasprocperm") == 0 &&
264 		    strcmp("suser", sym) != 0 &&
265 		    strcmp("ipcaccess", sym) != 0 &&
266 		    strcmp("drv_priv", sym) != 0 &&
267 		    strncmp("secpolicy_", sym, 10) != 0 &&
268 		    strncmp("priv_policy", sym, 11) != 0)
269 			break;
270 	}
271 
272 	if (sym != NULL)
273 		(void) strcat(fmt, FMTFUN);
274 
275 	(void) strcat(fmt, "\n");
276 
277 	switch (priv) {
278 	case PRIV_ALL:
279 		pname = "ALL";
280 		break;
281 	case PRIV_MULTIPLE:
282 		pname = "MULTIPLE";
283 		break;
284 	case PRIV_ALLZONE:
285 		pname = "ZONE";
286 		break;
287 	case PRIV_GLOBAL:
288 		pname = "GLOBAL";
289 		break;
290 	default:
291 		pname = priv_getbynum(priv);
292 		break;
293 	}
294 
295 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
296 		/* Remember last message, just like lwp_badpriv. */
297 		if (curthread->t_pdmsg != NULL) {
298 			kmem_free(curthread->t_pdmsg,
299 			    strlen(curthread->t_pdmsg) + 1);
300 		}
301 
302 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
303 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
304 
305 		curthread->t_post_sys = 1;
306 	}
307 	if (priv_debug) {
308 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
309 		    curthread->t_sysnum, msg, sym, off);
310 	}
311 }
312 
313 /*
314  * Override the policy, if appropriate.  Return 0 if the external
315  * policy engine approves.
316  */
317 static int
318 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
319 {
320 	priv_set_t set;
321 	int ret;
322 
323 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
324 		return (-1);
325 
326 	if (priv == PRIV_ALL) {
327 		priv_fillset(&set);
328 	} else if (allzone) {
329 		set = *ZONEPRIVS(cr);
330 	} else {
331 		priv_emptyset(&set);
332 		priv_addset(&set, priv);
333 	}
334 	ret = klpd_call(cr, &set, ap);
335 	return (ret);
336 }
337 
338 static int
339 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...)
340 {
341 	va_list ap;
342 
343 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
344 		va_start(ap, req);
345 		return (klpd_call(cr, req, ap));
346 	}
347 	return (-1);
348 }
349 
350 /*
351  * Audit failure, log error message.
352  */
353 static void
354 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
355 {
356 
357 	if (audit_active)
358 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
359 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
360 
361 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
362 	    curthread->t_pre_sys) {
363 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
364 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
365 		} else {
366 			ASSERT(!HAS_PRIVILEGE(cr, priv));
367 			priv_policy_errmsg(cr, priv, msg);
368 		}
369 	}
370 }
371 
372 /*
373  * priv_policy_ap()
374  * return 0 or error.
375  * See block comment above for a description of "priv" and "allzone" usage.
376  */
377 static int
378 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
379     const char *msg, va_list ap)
380 {
381 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
382 	    (!servicing_interrupt() &&
383 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
384 		if ((allzone || priv == PRIV_ALL ||
385 		    !PRIV_ISASSERT(priv_basic, priv)) &&
386 		    !servicing_interrupt()) {
387 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
388 			if (audit_active)
389 				audit_priv(priv,
390 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
391 		}
392 		err = 0;
393 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
394 	} else if (!servicing_interrupt()) {
395 		/* Failure audited in this procedure */
396 		priv_policy_err(cr, priv, allzone, msg);
397 	}
398 	return (err);
399 }
400 
401 int
402 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
403     const char *msg, ...)
404 {
405 	int ret;
406 	va_list ap;
407 
408 	va_start(ap, msg);
409 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
410 	va_end(ap);
411 
412 	return (ret);
413 }
414 
415 int
416 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
417     const char *msg)
418 {
419 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE));
420 }
421 
422 /*
423  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
424  */
425 boolean_t
426 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
427 {
428 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
429 	    (!allzone || HAS_ALLZONEPRIVS(cr));
430 
431 	/* Audit success only */
432 	if (res && audit_active &&
433 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
434 	    !servicing_interrupt()) {
435 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
436 	}
437 	if (res) {
438 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
439 	} else {
440 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
441 	}
442 	return (res);
443 }
444 
445 /*
446  * Non-auditing variant of priv_policy_choice().
447  */
448 boolean_t
449 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
450 {
451 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
452 	    (!allzone || HAS_ALLZONEPRIVS(cr));
453 
454 	if (res) {
455 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
456 	} else {
457 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
458 	}
459 	return (res);
460 }
461 
462 /*
463  * Check whether all privileges in the required set are present.
464  */
465 static int
466 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
467 {
468 	int priv;
469 	int pfound = -1;
470 	priv_set_t pset;
471 
472 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
473 	    &CR_OEPRIV(cr))) {
474 		return (0);
475 	}
476 
477 	if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0)
478 		return (0);
479 
480 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
481 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
482 		return (EACCES);
483 	}
484 
485 	pset = CR_OEPRIV(cr);		/* present privileges */
486 	priv_inverse(&pset);		/* all non present privileges */
487 	priv_intersect(req, &pset);	/* the actual missing privs */
488 
489 	if (audit_active)
490 		audit_priv(PRIV_NONE, &pset, 0);
491 	/*
492 	 * Privilege debugging; special case "one privilege in set".
493 	 */
494 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
495 		for (priv = 0; priv < nprivs; priv++) {
496 			if (priv_ismember(&pset, priv)) {
497 				if (pfound != -1) {
498 					/* Multiple missing privs */
499 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
500 					    msg);
501 					return (EACCES);
502 				}
503 				pfound = priv;
504 			}
505 		}
506 		ASSERT(pfound != -1);
507 		/* Just the one missing privilege */
508 		priv_policy_errmsg(cr, pfound, msg);
509 	}
510 
511 	return (EACCES);
512 }
513 
514 /*
515  * Called when an operation requires that the caller be in the
516  * global zone, regardless of privilege.
517  */
518 static int
519 priv_policy_global(const cred_t *cr)
520 {
521 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
522 		return (0);	/* success */
523 
524 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
525 	    curthread->t_pre_sys) {
526 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
527 	}
528 	return (EPERM);
529 }
530 
531 /*
532  * Changing process priority
533  */
534 int
535 secpolicy_setpriority(const cred_t *cr)
536 {
537 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
538 }
539 
540 /*
541  * Binding to a privileged port, port must be specified in host byte
542  * order.
543  */
544 int
545 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
546 {
547 	char *reason;
548 	int priv;
549 
550 	switch (port) {
551 	case 137:
552 	case 138:
553 	case 139:
554 	case 445:
555 		/*
556 		 * NBT and SMB ports, these are extra privileged ports,
557 		 * allow bind only if the SYS_SMB privilege is present.
558 		 */
559 		priv = PRIV_SYS_SMB;
560 		reason = "NBT or SMB port";
561 		break;
562 
563 	case 2049:
564 	case 4045:
565 		/*
566 		 * NFS ports, these are extra privileged ports, allow bind
567 		 * only if the SYS_NFS privilege is present.
568 		 */
569 		priv = PRIV_SYS_NFS;
570 		reason = "NFS port";
571 		break;
572 
573 	default:
574 		priv = PRIV_NET_PRIVADDR;
575 		reason = NULL;
576 		break;
577 
578 	}
579 
580 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
581 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
582 }
583 
584 /*
585  * Binding to a multilevel port on a trusted (labeled) system.
586  */
587 int
588 secpolicy_net_bindmlp(const cred_t *cr)
589 {
590 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
591 }
592 
593 /*
594  * Allow a communication between a zone and an unlabeled host when their
595  * labels don't match.
596  */
597 int
598 secpolicy_net_mac_aware(const cred_t *cr)
599 {
600 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
601 }
602 
603 /*
604  * Common routine which determines whether a given credential can
605  * act on a given mount.
606  * When called through mount, the parameter needoptcheck is a pointer
607  * to a boolean variable which will be set to either true or false,
608  * depending on whether the mount policy should change the mount options.
609  * In all other cases, needoptcheck should be a NULL pointer.
610  */
611 static int
612 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
613     boolean_t *needoptcheck)
614 {
615 	boolean_t allzone = B_FALSE;
616 	boolean_t mounting = needoptcheck != NULL;
617 
618 	/*
619 	 * Short circuit the following cases:
620 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
621 	 *	have all privileges - no further checks required
622 	 *	and no mount options need to be set.
623 	 */
624 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
625 		if (mounting)
626 			*needoptcheck = B_FALSE;
627 
628 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
629 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
630 	}
631 
632 	/*
633 	 * When operating on an existing mount (either we're not mounting
634 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
635 	 * can operate only on mounts established by the zone itself.
636 	 */
637 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
638 		zoneid_t zoneid = crgetzoneid(cr);
639 
640 		if (zoneid != GLOBAL_ZONEID &&
641 		    vfsp->vfs_zone->zone_id != zoneid) {
642 			return (EPERM);
643 		}
644 	}
645 
646 	if (mounting)
647 		*needoptcheck = B_TRUE;
648 
649 	/*
650 	 * Overlay mounts may hide important stuff; if you can't write to a
651 	 * mount point but would be able to mount on top of it, you can
652 	 * escalate your privileges.
653 	 * So we go about asking the same questions namefs does when it
654 	 * decides whether you can mount over a file or not but with the
655 	 * added restriction that you can only mount on top of a regular
656 	 * file or directory.
657 	 * If we have all the zone's privileges, we skip all other checks,
658 	 * or else we may actually get in trouble inside the automounter.
659 	 */
660 	if ((mvp->v_flag & VROOT) != 0 ||
661 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
662 	    HAS_ALLZONEPRIVS(cr)) {
663 		allzone = B_TRUE;
664 	} else {
665 		vattr_t va;
666 		int err;
667 
668 		va.va_mask = AT_UID|AT_MODE;
669 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
670 		if (err != 0)
671 			return (err);
672 
673 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
674 			return (err);
675 
676 		if ((va.va_mode & VWRITE) == 0 &&
677 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
678 			return (EACCES);
679 		}
680 	}
681 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
682 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
683 }
684 
685 void
686 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
687 {
688 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
689 
690 	/*
691 	 * check; if we don't have either "nosuid" or
692 	 * both "nosetuid" and "nodevices", then we add
693 	 * "nosuid"; this depends on how the current
694 	 * implementation works (it first checks nosuid).  In a
695 	 * zone, a user with all zone privileges can mount with
696 	 * "setuid" but never with "devices".
697 	 */
698 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
699 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
700 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
701 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
702 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
703 		else
704 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
705 	}
706 	/*
707 	 * If we're not the local super user, we set the "restrict"
708 	 * option to indicate to automountd that this mount should
709 	 * be handled with care.
710 	 */
711 	if (!amsuper)
712 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
713 
714 }
715 
716 extern vnode_t *rootvp;
717 extern vfs_t *rootvfs;
718 
719 int
720 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
721 {
722 	boolean_t needoptchk;
723 	int error;
724 
725 	/*
726 	 * If it's a remount, get the underlying mount point,
727 	 * except for the root where we use the rootvp.
728 	 */
729 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
730 		if (vfsp == rootvfs)
731 			mvp = rootvp;
732 		else
733 			mvp = vfsp->vfs_vnodecovered;
734 	}
735 
736 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
737 
738 	if (error == 0 && needoptchk) {
739 		secpolicy_fs_mount_clearopts(cr, vfsp);
740 	}
741 
742 	return (error);
743 }
744 
745 /*
746  * Does the policy computations for "ownership" of a mount;
747  * here ownership is defined as the ability to "mount"
748  * the filesystem originally.  The rootvfs doesn't cover any
749  * vnodes; we attribute its ownership to the rootvp.
750  */
751 static int
752 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
753 {
754 	vnode_t *mvp;
755 
756 	if (vfsp == NULL)
757 		mvp = NULL;
758 	else if (vfsp == rootvfs)
759 		mvp = rootvp;
760 	else
761 		mvp = vfsp->vfs_vnodecovered;
762 
763 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
764 }
765 
766 int
767 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
768 {
769 	return (secpolicy_fs_owner(cr, vfsp));
770 }
771 
772 /*
773  * Quotas are a resource, but if one has the ability to mount a filesystem, he
774  * should be able to modify quotas on it.
775  */
776 int
777 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
778 {
779 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
780 }
781 
782 /*
783  * Exceeding minfree: also a per-mount resource constraint.
784  */
785 int
786 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
787 {
788 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
789 }
790 
791 int
792 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
793 {
794 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
795 }
796 
797 /* ARGSUSED */
798 int
799 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
800 {
801 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
802 }
803 
804 /*
805  * Name:        secpolicy_vnode_access()
806  *
807  * Parameters:  Process credential
808  *		vnode
809  *		uid of owner of vnode
810  *		permission bits not granted to the caller when examining
811  *		file mode bits (i.e., when a process wants to open a
812  *		mode 444 file for VREAD|VWRITE, this function should be
813  *		called only with a VWRITE argument).
814  *
815  * Normal:      Verifies that cred has the appropriate privileges to
816  *              override the mode bits that were denied.
817  *
818  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
819  *                      not a directory.
820  *              file_dac_read - if VREAD bit was denied.
821  *              file_dac_search - if VEXEC bit was denied and vnode is
822  *                      a directory.
823  *              file_dac_write - if VWRITE bit was denied.
824  *
825  *		Root owned files are special cased to protect system
826  *		configuration files and such.
827  *
828  * Output:      EACCES - if privilege check fails.
829  */
830 
831 /* ARGSUSED */
832 int
833 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
834 {
835 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
836 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
837 	    KLPDARG_NOMORE) != 0) {
838 		return (EACCES);
839 	}
840 
841 	if (mode & VWRITE) {
842 		boolean_t allzone;
843 
844 		if (owner == 0 && cr->cr_uid != 0)
845 			allzone = B_TRUE;
846 		else
847 			allzone = B_FALSE;
848 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
849 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
850 		    KLPDARG_NOMORE) != 0) {
851 			return (EACCES);
852 		}
853 	}
854 
855 	if (mode & VEXEC) {
856 		/*
857 		 * Directories use file_dac_search to override the execute bit.
858 		 */
859 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
860 		    PRIV_FILE_DAC_EXECUTE;
861 
862 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
863 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
864 	}
865 	return (0);
866 }
867 
868 /*
869  * Name:	secpolicy_vnode_setid_modify()
870  *
871  * Normal:	verify that subject can set the file setid flags.
872  *
873  * Output:	EPERM - if not privileged.
874  */
875 
876 static int
877 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
878 {
879 	/* If changing to suid root, must have all zone privs */
880 	boolean_t allzone = B_TRUE;
881 
882 	if (owner != 0) {
883 		if (owner == cr->cr_uid)
884 			return (0);
885 		allzone = B_FALSE;
886 	}
887 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
888 }
889 
890 /*
891  * Are we allowed to retain the set-uid/set-gid bits when
892  * changing ownership or when writing to a file?
893  * "issuid" should be true when set-uid; only in that case
894  * root ownership is checked (setgid is assumed).
895  */
896 int
897 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
898 {
899 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
900 		return (EPERM);
901 
902 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
903 }
904 
905 /*
906  * Name:	secpolicy_vnode_setids_setgids()
907  *
908  * Normal:	verify that subject can set the file setgid flag.
909  *
910  * Output:	EPERM - if not privileged
911  */
912 
913 int
914 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
915 {
916 	if (!groupmember(gid, cred))
917 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
918 		    NULL));
919 	return (0);
920 }
921 
922 /*
923  * Name:	secpolicy_vnode_chown
924  *
925  * Normal:	Determine if subject can chown owner of a file.
926  *
927  * Output:	EPERM - if access denied
928  */
929 
930 int
931 secpolicy_vnode_chown(const cred_t *cred, boolean_t check_self)
932 {
933 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
934 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
935 		    NULL));
936 	else if (check_self)
937 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
938 		    NULL));
939 	else
940 		return (EPERM);
941 }
942 
943 /*
944  * Name:	secpolicy_vnode_create_gid
945  *
946  * Normal:	Determine if subject can change group ownership of a file.
947  *
948  * Output:	EPERM - if access denied
949  */
950 int
951 secpolicy_vnode_create_gid(const cred_t *cred)
952 {
953 	return (secpolicy_vnode_chown(cred, B_TRUE));
954 }
955 
956 /*
957  * Name:	secpolicy_vnode_utime_modify()
958  *
959  * Normal:	verify that subject can modify the utime on a file.
960  *
961  * Output:	EPERM - if access denied.
962  */
963 
964 static int
965 secpolicy_vnode_utime_modify(const cred_t *cred)
966 {
967 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
968 	    "modify file times"));
969 }
970 
971 
972 /*
973  * Name:	secpolicy_vnode_setdac()
974  *
975  * Normal:	verify that subject can modify the mode of a file.
976  *		allzone privilege needed when modifying root owned object.
977  *
978  * Output:	EPERM - if access denied.
979  */
980 
981 int
982 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
983 {
984 	if (owner == cred->cr_uid)
985 		return (0);
986 
987 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
988 }
989 /*
990  * Name:	secpolicy_vnode_stky_modify()
991  *
992  * Normal:	verify that subject can make a file a "sticky".
993  *
994  * Output:	EPERM - if access denied.
995  */
996 
997 int
998 secpolicy_vnode_stky_modify(const cred_t *cred)
999 {
1000 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1001 	    "set file sticky"));
1002 }
1003 
1004 /*
1005  * Policy determines whether we can remove an entry from a directory,
1006  * regardless of permission bits.
1007  */
1008 int
1009 secpolicy_vnode_remove(const cred_t *cr)
1010 {
1011 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1012 	    "sticky directory"));
1013 }
1014 
1015 int
1016 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1017 {
1018 	boolean_t allzone = (owner == 0);
1019 
1020 	if (owner == cr->cr_uid)
1021 		return (0);
1022 
1023 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1024 }
1025 
1026 void
1027 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1028 {
1029 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1030 	    secpolicy_vnode_setid_retain(cr,
1031 	    (vap->va_mode & S_ISUID) != 0 &&
1032 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1033 		vap->va_mask |= AT_MODE;
1034 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1035 	}
1036 }
1037 
1038 int
1039 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1040     cred_t *cr)
1041 {
1042 	int error;
1043 
1044 	if ((vap->va_mode & S_ISUID) != 0 &&
1045 	    (error = secpolicy_vnode_setid_modify(cr,
1046 	    ovap->va_uid)) != 0) {
1047 		return (error);
1048 	}
1049 
1050 	/*
1051 	 * Check privilege if attempting to set the
1052 	 * sticky bit on a non-directory.
1053 	 */
1054 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1055 	    secpolicy_vnode_stky_modify(cr) != 0) {
1056 		vap->va_mode &= ~S_ISVTX;
1057 	}
1058 
1059 	/*
1060 	 * Check for privilege if attempting to set the
1061 	 * group-id bit.
1062 	 */
1063 	if ((vap->va_mode & S_ISGID) != 0 &&
1064 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1065 		vap->va_mode &= ~S_ISGID;
1066 	}
1067 
1068 	return (0);
1069 }
1070 
1071 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1072 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1073 	B_FALSE, EPERM, NULL)
1074 
1075 /*
1076  * Check privileges for setting xvattr attributes
1077  */
1078 int
1079 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1080 {
1081 	xoptattr_t *xoap;
1082 	int error = 0;
1083 
1084 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1085 		return (EINVAL);
1086 
1087 	/*
1088 	 * First process the DOS bits
1089 	 */
1090 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1091 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1092 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1093 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1094 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME)) {
1095 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1096 			return (error);
1097 	}
1098 
1099 	/*
1100 	 * Now handle special attributes
1101 	 */
1102 
1103 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1104 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1105 		    xoap->xoa_immutable, cr);
1106 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1107 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1108 		    xoap->xoa_nounlink, cr);
1109 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1110 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1111 		    xoap->xoa_appendonly, cr);
1112 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1113 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1114 		    xoap->xoa_nodump, cr);
1115 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1116 		error = EPERM;
1117 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1118 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1119 		    xoap->xoa_av_quarantined, cr);
1120 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1121 			error = EINVAL;
1122 	}
1123 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1124 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1125 		    xoap->xoa_av_modified, cr);
1126 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1127 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1128 		    xoap->xoa_av_scanstamp, cr);
1129 		if (error == 0 && vtype != VREG)
1130 			error = EINVAL;
1131 	}
1132 	return (error);
1133 }
1134 
1135 /*
1136  * This function checks the policy decisions surrounding the
1137  * vop setattr call.
1138  *
1139  * It should be called after sufficient locks have been established
1140  * on the underlying data structures.  No concurrent modifications
1141  * should be allowed.
1142  *
1143  * The caller must pass in unlocked version of its vaccess function
1144  * this is required because vop_access function should lock the
1145  * node for reading.  A three argument function should be defined
1146  * which accepts the following argument:
1147  * 	A pointer to the internal "node" type (inode *)
1148  *	vnode access bits (VREAD|VWRITE|VEXEC)
1149  *	a pointer to the credential
1150  *
1151  * This function makes the following policy decisions:
1152  *
1153  *		- change permissions
1154  *			- permission to change file mode if not owner
1155  *			- permission to add sticky bit to non-directory
1156  *			- permission to add set-gid bit
1157  *
1158  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1159  *
1160  * If the vap argument does not include AT_MODE, the mode will be copied from
1161  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1162  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1163  * is updated to the newly computed mode.
1164  */
1165 
1166 int
1167 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1168 	const struct vattr *ovap, int flags,
1169 	int unlocked_access(void *, int, cred_t *),
1170 	void *node)
1171 {
1172 	int mask = vap->va_mask;
1173 	int error = 0;
1174 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1175 
1176 	if (mask & AT_SIZE) {
1177 		if (vp->v_type == VDIR) {
1178 			error = EISDIR;
1179 			goto out;
1180 		}
1181 
1182 		/*
1183 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1184 		 * perform the secondary unlocked_access() call since the
1185 		 * ACL (if any) is being checked there.
1186 		 */
1187 		if (skipaclchk == B_FALSE) {
1188 			error = unlocked_access(node, VWRITE, cr);
1189 			if (error)
1190 				goto out;
1191 		}
1192 	}
1193 	if (mask & AT_MODE) {
1194 		/*
1195 		 * If not the owner of the file then check privilege
1196 		 * for two things: the privilege to set the mode at all
1197 		 * and, if we're setting setuid, we also need permissions
1198 		 * to add the set-uid bit, if we're not the owner.
1199 		 * In the specific case of creating a set-uid root
1200 		 * file, we need even more permissions.
1201 		 */
1202 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1203 			goto out;
1204 
1205 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1206 		    ovap, cr)) != 0)
1207 			goto out;
1208 	} else
1209 		vap->va_mode = ovap->va_mode;
1210 
1211 	if (mask & (AT_UID|AT_GID)) {
1212 		boolean_t checkpriv = B_FALSE;
1213 		int priv;
1214 		boolean_t allzone = B_FALSE;
1215 
1216 		/*
1217 		 * Chowning files.
1218 		 *
1219 		 * If you are the file owner:
1220 		 *	chown to other uid		FILE_CHOWN_SELF
1221 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1222 		 *	chown to gid (member) 		<none>
1223 		 *
1224 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1225 		 * acceptable but the first one is reported when debugging.
1226 		 *
1227 		 * If you are not the file owner:
1228 		 *	chown from root			PRIV_FILE_CHOWN + zone
1229 		 *	chown from other to any		PRIV_FILE_CHOWN
1230 		 *
1231 		 */
1232 		if (cr->cr_uid != ovap->va_uid) {
1233 			checkpriv = B_TRUE;
1234 			allzone = (ovap->va_uid == 0);
1235 			priv = PRIV_FILE_CHOWN;
1236 		} else {
1237 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1238 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1239 			    !groupmember(vap->va_gid, cr))) {
1240 				checkpriv = B_TRUE;
1241 				priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ?
1242 				    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1243 			}
1244 		}
1245 		/*
1246 		 * If necessary, check privilege to see if update can be done.
1247 		 */
1248 		if (checkpriv &&
1249 		    (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL))
1250 		    != 0) {
1251 			goto out;
1252 		}
1253 
1254 		/*
1255 		 * If the file has either the set UID or set GID bits
1256 		 * set and the caller can set the bits, then leave them.
1257 		 */
1258 		secpolicy_setid_clear(vap, cr);
1259 	}
1260 	if (mask & (AT_ATIME|AT_MTIME)) {
1261 		/*
1262 		 * If not the file owner and not otherwise privileged,
1263 		 * always return an error when setting the
1264 		 * time other than the current (ATTR_UTIME flag set).
1265 		 * If setting the current time (ATTR_UTIME not set) then
1266 		 * unlocked_access will check permissions according to policy.
1267 		 */
1268 		if (cr->cr_uid != ovap->va_uid) {
1269 			if (flags & ATTR_UTIME)
1270 				error = secpolicy_vnode_utime_modify(cr);
1271 			else if (skipaclchk == B_FALSE) {
1272 				error = unlocked_access(node, VWRITE, cr);
1273 				if (error == EACCES &&
1274 				    secpolicy_vnode_utime_modify(cr) == 0)
1275 					error = 0;
1276 			}
1277 			if (error)
1278 				goto out;
1279 		}
1280 	}
1281 
1282 	/*
1283 	 * Check for optional attributes here by checking the following:
1284 	 */
1285 	if (mask & AT_XVATTR)
1286 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1287 		    vp->v_type);
1288 out:
1289 	return (error);
1290 }
1291 
1292 /*
1293  * Name:	secpolicy_pcfs_modify_bootpartition()
1294  *
1295  * Normal:	verify that subject can modify a pcfs boot partition.
1296  *
1297  * Output:	EACCES - if privilege check failed.
1298  */
1299 /*ARGSUSED*/
1300 int
1301 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1302 {
1303 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1304 	    "modify pcfs boot partition"));
1305 }
1306 
1307 /*
1308  * System V IPC routines
1309  */
1310 int
1311 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1312 {
1313 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1314 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1315 		boolean_t allzone = B_FALSE;
1316 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1317 			allzone = B_TRUE;
1318 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1319 	}
1320 	return (0);
1321 }
1322 
1323 int
1324 secpolicy_ipc_config(const cred_t *cr)
1325 {
1326 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1327 }
1328 
1329 int
1330 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1331 {
1332 
1333 	boolean_t allzone = B_FALSE;
1334 
1335 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1336 
1337 	if ((mode & MSG_R) &&
1338 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1339 		return (EACCES);
1340 
1341 	if (mode & MSG_W) {
1342 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1343 			allzone = B_TRUE;
1344 
1345 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1346 		    NULL));
1347 	}
1348 	return (0);
1349 }
1350 
1351 int
1352 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1353 {
1354 	boolean_t allzone = B_FALSE;
1355 
1356 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1357 
1358 	if ((mode & MSG_R) &&
1359 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1360 		return (EACCES);
1361 
1362 	if (mode & MSG_W) {
1363 		if (cr->cr_uid != 0 && owner == 0)
1364 			allzone = B_TRUE;
1365 
1366 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1367 		    NULL));
1368 	}
1369 	return (0);
1370 }
1371 
1372 /*
1373  * Audit configuration.
1374  */
1375 int
1376 secpolicy_audit_config(const cred_t *cr)
1377 {
1378 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1379 }
1380 
1381 /*
1382  * Audit record generation.
1383  */
1384 int
1385 secpolicy_audit_modify(const cred_t *cr)
1386 {
1387 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1388 }
1389 
1390 /*
1391  * Get audit attributes.
1392  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1393  * "Least" of the two privileges on error.
1394  */
1395 int
1396 secpolicy_audit_getattr(const cred_t *cr)
1397 {
1398 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1399 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1400 		    NULL));
1401 	} else {
1402 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1403 	}
1404 }
1405 
1406 
1407 /*
1408  * Locking physical memory
1409  */
1410 int
1411 secpolicy_lock_memory(const cred_t *cr)
1412 {
1413 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1414 }
1415 
1416 /*
1417  * Accounting (both acct(2) and exacct).
1418  */
1419 int
1420 secpolicy_acct(const cred_t *cr)
1421 {
1422 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1423 }
1424 
1425 /*
1426  * Is this process privileged to change its uids at will?
1427  * Uid 0 is still considered "special" and having the SETID
1428  * privilege is not sufficient to get uid 0.
1429  * Files are owned by root, so the privilege would give
1430  * full access and euid 0 is still effective.
1431  *
1432  * If you have the privilege and euid 0 only then do you
1433  * get the powers of root wrt uid 0.
1434  *
1435  * For gid manipulations, this is should be called with an
1436  * uid of -1.
1437  *
1438  */
1439 int
1440 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1441 {
1442 	boolean_t allzone = B_FALSE;
1443 
1444 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1445 	    cr->cr_ruid != 0) {
1446 		allzone = B_TRUE;
1447 	}
1448 
1449 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1450 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1451 }
1452 
1453 
1454 /*
1455  * Acting on a different process: if the mode is for writing,
1456  * the restrictions are more severe.  This is called after
1457  * we've verified that the uids do not match.
1458  */
1459 int
1460 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1461 {
1462 	boolean_t allzone = B_FALSE;
1463 
1464 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1465 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1466 		allzone = B_TRUE;
1467 
1468 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1469 }
1470 
1471 int
1472 secpolicy_proc_access(const cred_t *scr)
1473 {
1474 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1475 }
1476 
1477 int
1478 secpolicy_proc_excl_open(const cred_t *scr)
1479 {
1480 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1481 }
1482 
1483 int
1484 secpolicy_proc_zone(const cred_t *scr)
1485 {
1486 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1487 }
1488 
1489 /*
1490  * Destroying the system
1491  */
1492 
1493 int
1494 secpolicy_kmdb(const cred_t *scr)
1495 {
1496 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1497 }
1498 
1499 int
1500 secpolicy_error_inject(const cred_t *scr)
1501 {
1502 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1503 }
1504 
1505 /*
1506  * Processor sets, cpu configuration, resource pools.
1507  */
1508 int
1509 secpolicy_pset(const cred_t *cr)
1510 {
1511 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1512 }
1513 
1514 int
1515 secpolicy_ponline(const cred_t *cr)
1516 {
1517 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1518 }
1519 
1520 int
1521 secpolicy_pool(const cred_t *cr)
1522 {
1523 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1524 }
1525 
1526 int
1527 secpolicy_blacklist(const cred_t *cr)
1528 {
1529 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1530 }
1531 
1532 /*
1533  * Catch all system configuration.
1534  */
1535 int
1536 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1537 {
1538 	if (checkonly) {
1539 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1540 		    EPERM);
1541 	} else {
1542 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1543 	}
1544 }
1545 
1546 /*
1547  * Zone administration (halt, reboot, etc.) from within zone.
1548  */
1549 int
1550 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1551 {
1552 	if (checkonly) {
1553 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1554 		    EPERM);
1555 	} else {
1556 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1557 		    NULL));
1558 	}
1559 }
1560 
1561 /*
1562  * Zone configuration (create, halt, enter).
1563  */
1564 int
1565 secpolicy_zone_config(const cred_t *cr)
1566 {
1567 	/*
1568 	 * Require all privileges to avoid possibility of privilege
1569 	 * escalation.
1570 	 */
1571 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1572 }
1573 
1574 /*
1575  * Various other system configuration calls
1576  */
1577 int
1578 secpolicy_coreadm(const cred_t *cr)
1579 {
1580 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1581 }
1582 
1583 int
1584 secpolicy_systeminfo(const cred_t *cr)
1585 {
1586 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1587 }
1588 
1589 int
1590 secpolicy_dispadm(const cred_t *cr)
1591 {
1592 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1593 }
1594 
1595 int
1596 secpolicy_settime(const cred_t *cr)
1597 {
1598 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1599 }
1600 
1601 /*
1602  * For realtime users: high resolution clock.
1603  */
1604 int
1605 secpolicy_clock_highres(const cred_t *cr)
1606 {
1607 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1608 	    NULL));
1609 }
1610 
1611 /*
1612  * drv_priv() is documented as callable from interrupt context, not that
1613  * anyone ever does, but still.  No debugging or auditing can be done when
1614  * it is called from interrupt context.
1615  * returns 0 on succes, EPERM on failure.
1616  */
1617 int
1618 drv_priv(cred_t *cr)
1619 {
1620 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1621 }
1622 
1623 int
1624 secpolicy_sys_devices(const cred_t *cr)
1625 {
1626 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1627 }
1628 
1629 int
1630 secpolicy_excl_open(const cred_t *cr)
1631 {
1632 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1633 }
1634 
1635 int
1636 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1637 {
1638 	/* zone.* rctls can only be set from the global zone */
1639 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1640 		return (EPERM);
1641 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1642 }
1643 
1644 int
1645 secpolicy_resource(const cred_t *cr)
1646 {
1647 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1648 }
1649 
1650 /*
1651  * Processes with a real uid of 0 escape any form of accounting, much
1652  * like before.
1653  */
1654 int
1655 secpolicy_newproc(const cred_t *cr)
1656 {
1657 	if (cr->cr_ruid == 0)
1658 		return (0);
1659 
1660 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1661 }
1662 
1663 /*
1664  * Networking
1665  */
1666 int
1667 secpolicy_net_rawaccess(const cred_t *cr)
1668 {
1669 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1670 }
1671 
1672 /*
1673  * Need this privilege for accessing the ICMP device
1674  */
1675 int
1676 secpolicy_net_icmpaccess(const cred_t *cr)
1677 {
1678 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1679 }
1680 
1681 /*
1682  * There are a few rare cases where the kernel generates ioctls() from
1683  * interrupt context with a credential of kcred rather than NULL.
1684  * In those cases, we take the safe and cheap test.
1685  */
1686 int
1687 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1688 {
1689 	if (checkonly) {
1690 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1691 		    0 : EPERM);
1692 	} else {
1693 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1694 		    NULL));
1695 	}
1696 }
1697 
1698 
1699 /*
1700  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1701  *
1702  * There are a few rare cases where the kernel generates ioctls() from
1703  * interrupt context with a credential of kcred rather than NULL.
1704  * In those cases, we take the safe and cheap test.
1705  */
1706 int
1707 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1708 {
1709 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1710 		return (secpolicy_net_config(cr, checkonly));
1711 
1712 	if (checkonly) {
1713 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1714 		    0 : EPERM);
1715 	} else {
1716 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1717 		    NULL));
1718 	}
1719 }
1720 
1721 /*
1722  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1723  */
1724 int
1725 secpolicy_dl_config(const cred_t *cr)
1726 {
1727 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1728 		return (secpolicy_net_config(cr, B_FALSE));
1729 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM,
1730 	    NULL));
1731 }
1732 
1733 
1734 /*
1735  * Map IP pseudo privileges to actual privileges.
1736  * So we don't need to recompile IP when we change the privileges.
1737  */
1738 int
1739 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1740 {
1741 	int priv = PRIV_ALL;
1742 
1743 	switch (netpriv) {
1744 	case OP_CONFIG:
1745 		priv = PRIV_SYS_IP_CONFIG;
1746 		break;
1747 	case OP_RAW:
1748 		priv = PRIV_NET_RAWACCESS;
1749 		break;
1750 	case OP_PRIVPORT:
1751 		priv = PRIV_NET_PRIVADDR;
1752 		break;
1753 	}
1754 	ASSERT(priv != PRIV_ALL);
1755 	if (checkonly)
1756 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1757 	else
1758 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1759 }
1760 
1761 /*
1762  * Map network pseudo privileges to actual privileges.
1763  * So we don't need to recompile IP when we change the privileges.
1764  */
1765 int
1766 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1767 {
1768 	int priv = PRIV_ALL;
1769 
1770 	switch (netpriv) {
1771 	case OP_CONFIG:
1772 		priv = PRIV_SYS_NET_CONFIG;
1773 		break;
1774 	case OP_RAW:
1775 		priv = PRIV_NET_RAWACCESS;
1776 		break;
1777 	case OP_PRIVPORT:
1778 		priv = PRIV_NET_PRIVADDR;
1779 		break;
1780 	}
1781 	ASSERT(priv != PRIV_ALL);
1782 	if (checkonly)
1783 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1784 	else
1785 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1786 }
1787 
1788 /*
1789  * Checks for operations that are either client-only or are used by
1790  * both clients and servers.
1791  */
1792 int
1793 secpolicy_nfs(const cred_t *cr)
1794 {
1795 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1796 }
1797 
1798 /*
1799  * Special case for opening rpcmod: have NFS privileges or network
1800  * config privileges.
1801  */
1802 int
1803 secpolicy_rpcmod_open(const cred_t *cr)
1804 {
1805 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1806 		return (secpolicy_nfs(cr));
1807 	else
1808 		return (secpolicy_net_config(cr, NULL));
1809 }
1810 
1811 int
1812 secpolicy_chroot(const cred_t *cr)
1813 {
1814 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1815 }
1816 
1817 int
1818 secpolicy_tasksys(const cred_t *cr)
1819 {
1820 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1821 }
1822 
1823 /*
1824  * Basic privilege checks.
1825  */
1826 int
1827 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
1828 {
1829 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
1830 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1831 }
1832 
1833 int
1834 secpolicy_basic_fork(const cred_t *cr)
1835 {
1836 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1837 }
1838 
1839 int
1840 secpolicy_basic_proc(const cred_t *cr)
1841 {
1842 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1843 }
1844 
1845 /*
1846  * Slightly complicated because we don't want to trigger the policy too
1847  * often.  First we shortcircuit access to "self" (tp == sp) or if
1848  * we don't have the privilege but if we have permission
1849  * just return (0) and we don't flag the privilege as needed.
1850  * Else, we test for the privilege because we either have it or need it.
1851  */
1852 int
1853 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1854 {
1855 	if (tp == sp ||
1856 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1857 		return (0);
1858 	} else {
1859 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1860 	}
1861 }
1862 
1863 int
1864 secpolicy_basic_link(const cred_t *cr)
1865 {
1866 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1867 }
1868 
1869 /*
1870  * Additional device protection.
1871  *
1872  * Traditionally, a device has specific permissions on the node in
1873  * the filesystem which govern which devices can be opened by what
1874  * processes.  In certain cases, it is desirable to add extra
1875  * restrictions, as writing to certain devices is identical to
1876  * having a complete run of the system.
1877  *
1878  * This mechanism is called the device policy.
1879  *
1880  * When a device is opened, its policy entry is looked up in the
1881  * policy cache and checked.
1882  */
1883 int
1884 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1885 {
1886 	devplcy_t *plcy;
1887 	int err;
1888 	struct snode *csp = VTOS(common_specvp(vp));
1889 	priv_set_t pset;
1890 
1891 	mutex_enter(&csp->s_lock);
1892 
1893 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1894 		plcy = devpolicy_find(vp);
1895 		if (csp->s_plcy)
1896 			dpfree(csp->s_plcy);
1897 		csp->s_plcy = plcy;
1898 		ASSERT(plcy != NULL);
1899 	} else
1900 		plcy = csp->s_plcy;
1901 
1902 	if (plcy == nullpolicy) {
1903 		mutex_exit(&csp->s_lock);
1904 		return (0);
1905 	}
1906 
1907 	dphold(plcy);
1908 
1909 	mutex_exit(&csp->s_lock);
1910 
1911 	if (oflag & FWRITE)
1912 		pset = plcy->dp_wrp;
1913 	else
1914 		pset = plcy->dp_rdp;
1915 	/*
1916 	 * Special case:
1917 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1918 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
1919 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
1920 	 * in the required privilege set before doing the check.
1921 	 */
1922 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
1923 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
1924 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
1925 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
1926 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
1927 	}
1928 
1929 	err = secpolicy_require_set(cr, &pset, "devpolicy");
1930 	dpfree(plcy);
1931 
1932 	return (err);
1933 }
1934 
1935 int
1936 secpolicy_modctl(const cred_t *cr, int cmd)
1937 {
1938 	switch (cmd) {
1939 	case MODINFO:
1940 	case MODGETMAJBIND:
1941 	case MODGETPATH:
1942 	case MODGETPATHLEN:
1943 	case MODGETNAME:
1944 	case MODGETFBNAME:
1945 	case MODGETDEVPOLICY:
1946 	case MODGETDEVPOLICYBYNAME:
1947 	case MODDEVT2INSTANCE:
1948 	case MODSIZEOF_DEVID:
1949 	case MODGETDEVID:
1950 	case MODSIZEOF_MINORNAME:
1951 	case MODGETMINORNAME:
1952 	case MODGETDEVFSPATH_LEN:
1953 	case MODGETDEVFSPATH:
1954 	case MODGETDEVFSPATH_MI_LEN:
1955 	case MODGETDEVFSPATH_MI:
1956 		/* Unprivileged */
1957 		return (0);
1958 	case MODLOAD:
1959 	case MODSETDEVPOLICY:
1960 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1961 	default:
1962 		return (secpolicy_sys_config(cr, B_FALSE));
1963 	}
1964 }
1965 
1966 int
1967 secpolicy_console(const cred_t *cr)
1968 {
1969 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1970 }
1971 
1972 int
1973 secpolicy_power_mgmt(const cred_t *cr)
1974 {
1975 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1976 }
1977 
1978 /*
1979  * Simulate terminal input; another escalation of privileges avenue.
1980  */
1981 
1982 int
1983 secpolicy_sti(const cred_t *cr)
1984 {
1985 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1986 }
1987 
1988 boolean_t
1989 secpolicy_net_reply_equal(const cred_t *cr)
1990 {
1991 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1992 }
1993 
1994 int
1995 secpolicy_swapctl(const cred_t *cr)
1996 {
1997 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1998 }
1999 
2000 int
2001 secpolicy_cpc_cpu(const cred_t *cr)
2002 {
2003 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2004 }
2005 
2006 /*
2007  * secpolicy_contract_identity
2008  *
2009  * Determine if the subject may set the process contract FMRI value
2010  */
2011 int
2012 secpolicy_contract_identity(const cred_t *cr)
2013 {
2014 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2015 }
2016 
2017 /*
2018  * secpolicy_contract_observer
2019  *
2020  * Determine if the subject may observe a specific contract's events.
2021  */
2022 int
2023 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2024 {
2025 	if (contract_owned(ct, cr, B_FALSE))
2026 		return (0);
2027 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2028 }
2029 
2030 /*
2031  * secpolicy_contract_observer_choice
2032  *
2033  * Determine if the subject may observe any contract's events.  Just
2034  * tests privilege and audits on success.
2035  */
2036 boolean_t
2037 secpolicy_contract_observer_choice(const cred_t *cr)
2038 {
2039 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2040 }
2041 
2042 /*
2043  * secpolicy_contract_event
2044  *
2045  * Determine if the subject may request critical contract events or
2046  * reliable contract event delivery.
2047  */
2048 int
2049 secpolicy_contract_event(const cred_t *cr)
2050 {
2051 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2052 }
2053 
2054 /*
2055  * secpolicy_contract_event_choice
2056  *
2057  * Determine if the subject may retain contract events in its critical
2058  * set when a change in other terms would normally require a change in
2059  * the critical set.  Just tests privilege and audits on success.
2060  */
2061 boolean_t
2062 secpolicy_contract_event_choice(const cred_t *cr)
2063 {
2064 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2065 }
2066 
2067 /*
2068  * secpolicy_gart_access
2069  *
2070  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2071  * device.
2072  */
2073 int
2074 secpolicy_gart_access(const cred_t *cr)
2075 {
2076 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2077 }
2078 
2079 /*
2080  * secpolicy_gart_map
2081  *
2082  * Determine if the subject has sufficient priveleges to map aperture range
2083  * through agpgart driver.
2084  */
2085 int
2086 secpolicy_gart_map(const cred_t *cr)
2087 {
2088 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2089 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2090 		    NULL));
2091 	} else {
2092 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2093 		    NULL));
2094 	}
2095 }
2096 
2097 /*
2098  * secpolicy_zinject
2099  *
2100  * Determine if the subject can inject faults in the ZFS fault injection
2101  * framework.  Requires all privileges.
2102  */
2103 int
2104 secpolicy_zinject(const cred_t *cr)
2105 {
2106 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2107 }
2108 
2109 /*
2110  * secpolicy_zfs
2111  *
2112  * Determine if the subject has permission to manipulate ZFS datasets
2113  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2114  */
2115 int
2116 secpolicy_zfs(const cred_t *cr)
2117 {
2118 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2119 }
2120 
2121 /*
2122  * secpolicy_idmap
2123  *
2124  * Determine if the calling process has permissions to register an SID
2125  * mapping daemon and allocate ephemeral IDs.
2126  */
2127 int
2128 secpolicy_idmap(const cred_t *cr)
2129 {
2130 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2131 }
2132 
2133 /*
2134  * secpolicy_ucode_update
2135  *
2136  * Determine if the subject has sufficient privilege to update microcode.
2137  */
2138 int
2139 secpolicy_ucode_update(const cred_t *scr)
2140 {
2141 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2142 }
2143 
2144 /*
2145  * secpolicy_sadopen
2146  *
2147  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2148  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2149  * In global zone, sys_config is required.
2150  * In exclusive-IP zones, sys_ip_config is required.
2151  * Note that sys_config is prohibited in non-global zones.
2152  */
2153 int
2154 secpolicy_sadopen(const cred_t *credp)
2155 {
2156 	priv_set_t pset;
2157 
2158 	priv_emptyset(&pset);
2159 
2160 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2161 		priv_addset(&pset, PRIV_SYS_CONFIG);
2162 	else
2163 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2164 
2165 	return (secpolicy_require_set(credp, &pset, "devpolicy"));
2166 }
2167 
2168 
2169 /*
2170  * Add privileges to a particular privilege set; this is called when the
2171  * current sets of privileges are not sufficient.  I.e., we should always
2172  * call the policy override functions from here.
2173  * What we are allowed to have is in the Observed Permitted set; so
2174  * we compute the difference between that and the newset.
2175  */
2176 int
2177 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2178 {
2179 	priv_set_t rqd;
2180 
2181 	rqd = CR_OPPRIV(cr);
2182 
2183 	priv_inverse(&rqd);
2184 	priv_intersect(nset, &rqd);
2185 
2186 	return (secpolicy_require_set(cr, &rqd, NULL));
2187 }
2188 
2189 /*
2190  * secpolicy_smb
2191  *
2192  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2193  * that it has permission to access the smbsrv kernel driver.
2194  * PRIV_POLICY checks the privilege and audits the check.
2195  *
2196  * Returns:
2197  * 0       Driver access is allowed.
2198  * EPERM   Driver access is NOT permitted.
2199  */
2200 int
2201 secpolicy_smb(const cred_t *cr)
2202 {
2203 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2204 }
2205 
2206 /*
2207  * secpolicy_vscan
2208  *
2209  * Determine if cred_t has the necessary privileges to access a file
2210  * for virus scanning and update its extended system attributes.
2211  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2212  * PRIV_FILE_FLAG_SET - set extended system attributes
2213  *
2214  * PRIV_POLICY checks the privilege and audits the check.
2215  *
2216  * Returns:
2217  * 0      file access for virus scanning allowed.
2218  * EPERM  file access for virus scanning is NOT permitted.
2219  */
2220 int
2221 secpolicy_vscan(const cred_t *cr)
2222 {
2223 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2224 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2225 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2226 		return (EPERM);
2227 	}
2228 
2229 	return (0);
2230 }
2231 
2232 /*
2233  * secpolicy_smbfs_login
2234  *
2235  * Determines if the caller can add and delete the smbfs login
2236  * password in the the nsmb kernel module for the CIFS client.
2237  *
2238  * Returns:
2239  * 0       access is allowed.
2240  * EPERM   access is NOT allowed.
2241  */
2242 int
2243 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2244 {
2245 	uid_t cruid = crgetruid(cr);
2246 
2247 	if (cruid == uid)
2248 		return (0);
2249 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2250 	    EPERM, NULL));
2251 }
2252 
2253 /*
2254  * secpolicy_xvm_control
2255  *
2256  * Determines if a caller can control the xVM hypervisor and/or running
2257  * domains (x86 specific).
2258  *
2259  * Returns:
2260  * 0       access is allowed.
2261  * EPERM   access is NOT allowed.
2262  */
2263 int
2264 secpolicy_xvm_control(const cred_t *cr)
2265 {
2266 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2267 		return (EPERM);
2268 	return (0);
2269 }
2270