xref: /titanic_50/usr/src/uts/common/os/policy.c (revision f0d698506237857fb2953ea04c88a16ade32226a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/cred_impl.h>
33 #include <sys/vnode.h>
34 #include <sys/vfs.h>
35 #include <sys/stat.h>
36 #include <sys/errno.h>
37 #include <sys/kmem.h>
38 #include <sys/user.h>
39 #include <sys/proc.h>
40 #include <sys/acct.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/cmn_err.h>
43 #include <sys/debug.h>
44 #include <sys/policy.h>
45 #include <sys/kobj.h>
46 #include <sys/msg.h>
47 #include <sys/devpolicy.h>
48 #include <c2/audit.h>
49 #include <sys/varargs.h>
50 #include <sys/modctl.h>
51 #include <sys/disp.h>
52 #include <sys/zone.h>
53 #include <inet/optcom.h>
54 #include <sys/sdt.h>
55 #include <sys/vfs.h>
56 #include <sys/mntent.h>
57 #include <sys/contract_impl.h>
58 
59 /*
60  * There are two possible layers of privilege routines and two possible
61  * levels of secpolicy.  Plus one other we may not be interested in, so
62  * we may need as many as 6 but no more.
63  */
64 #define	MAXPRIVSTACK		6
65 
66 int priv_debug = 0;
67 
68 /*
69  * This file contains the majority of the policy routines.
70  * Since the policy routines are defined by function and not
71  * by privilege, there is quite a bit of duplication of
72  * functions.
73  *
74  * The secpolicy functions must not make assumptions about
75  * locks held or not held as any lock can be held while they're
76  * being called.
77  *
78  * Credentials are read-only so no special precautions need to
79  * be taken while locking them.
80  *
81  * When a new policy check needs to be added to the system the
82  * following procedure should be followed:
83  *
84  *		Pick an appropriate secpolicy_*() function
85  *			-> done if one exists.
86  *		Create a new secpolicy function, preferably with
87  *		a descriptive name using the standard template.
88  *		Pick an appropriate privilege for the policy.
89  *		If no appropraite privilege exists, define new one
90  *		(this should be done with extreme care; in most cases
91  *		little is gained by adding another privilege)
92  *
93  * WHY ROOT IS STILL SPECIAL.
94  *
95  * In a number of the policy functions, there are still explicit
96  * checks for uid 0.  The rationale behind these is that many root
97  * owned files/objects hold configuration information which can give full
98  * privileges to the user once written to.  To prevent escalation
99  * of privilege by allowing just a single privilege to modify root owned
100  * objects, we've added these root specific checks where we considered
101  * them necessary: modifying root owned files, changing uids to 0, etc.
102  *
103  * PRIVILEGE ESCALATION AND ZONES.
104  *
105  * A number of operations potentially allow the caller to achieve
106  * privileges beyond the ones normally required to perform the operation.
107  * For example, if allowed to create a setuid 0 executable, a process can
108  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
109  * restrictions on the ability to gain privileges beyond those available
110  * within the zone through file and process manipulation.  Hence, such
111  * operations require that the caller have an effective set that includes
112  * all privileges available within the current zone, or all privileges
113  * if executing in the global zone.
114  *
115  * This is indicated in the priv_policy* policy checking functions
116  * through a combination of parameters.  The "priv" parameter indicates
117  * the privilege that is required, and the "allzone" parameter indicates
118  * whether or not all privileges in the zone are required.  In addition,
119  * priv can be set to PRIV_ALL to indicate that all privileges are
120  * required (regardless of zone).  There are three scenarios of interest:
121  * (1) operation requires a specific privilege
122  * (2) operation requires a specific privilege, and requires all
123  *     privileges available within the zone (or all privileges if in
124  *     the global zone)
125  * (3) operation requires all privileges, regardless of zone
126  *
127  * For (1), priv should be set to the specific privilege, and allzone
128  * should be set to B_FALSE.
129  * For (2), priv should be set to the specific privilege, and allzone
130  * should be set to B_TRUE.
131  * For (3), priv should be set to PRIV_ALL, and allzone should be set
132  * to B_FALSE.
133  *
134  */
135 
136 /*
137  * The privileges are checked against the Effective set for
138  * ordinary processes and checked against the Limit set
139  * for euid 0 processes that haven't manipulated their privilege
140  * sets.
141  */
142 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
143 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
144 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
145 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
146 					HAS_ALLPRIVS(cr) : \
147 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
148 
149 /*
150  * Policy checking functions
151  *
152  * In future, these will migrate to several files when policy
153  * becomes more or less pluggable.
154  *
155  * For now, there's only one policy and this is it.
156  */
157 
158 /*
159  * Generic policy calls
160  *
161  * The "bottom" functions of policy control
162  */
163 
164 static char *
165 mprintf(const char *fmt, ...)
166 {
167 	va_list args;
168 	char *buf;
169 	size_t len;
170 
171 	va_start(args, fmt);
172 	len = vsnprintf(NULL, 0, fmt, args) + 1;
173 	va_end(args);
174 
175 	buf = kmem_alloc(len, KM_NOSLEEP);
176 
177 	if (buf == NULL)
178 		return (NULL);
179 
180 	va_start(args, fmt);
181 	(void) vsnprintf(buf, len, fmt, args);
182 	va_end(args);
183 
184 	return (buf);
185 }
186 
187 /*
188  * priv_policy_errmsg()
189  *
190  * Generate an error message if privilege debugging is enabled system wide
191  * or for this particular process.
192  */
193 
194 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
195 #define	FMTMSG	" for \"%s\""
196 #define	FMTFUN	" needed at %s+0x%lx"
197 
198 /* The maximum size privilege format: the concatenation of the above */
199 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
200 
201 static void
202 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
203 {
204 	struct proc *me;
205 	pc_t stack[MAXPRIVSTACK];
206 	int depth;
207 	int i;
208 	char *sym;
209 	ulong_t off;
210 	const char *pname;
211 
212 	char *cmd;
213 	char fmt[sizeof (FMTMAX)];
214 
215 	if ((me = curproc) == &p0)
216 		return;
217 
218 	/* Privileges must be defined  */
219 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
220 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
221 	    priv_getbynum(priv) != NULL);
222 
223 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
224 		priv = PRIV_ALL;
225 
226 	if (curthread->t_pre_sys)
227 		ttolwp(curthread)->lwp_badpriv = (short)priv;
228 
229 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
230 		return;
231 
232 	(void) strcpy(fmt, FMTHDR);
233 
234 	if (me->p_user.u_comm[0])
235 		cmd = &me->p_user.u_comm[0];
236 	else
237 		cmd = "priv_policy";
238 
239 	if (msg != NULL && *msg != '\0') {
240 		(void) strcat(fmt, FMTMSG);
241 	} else {
242 		(void) strcat(fmt, "%s");
243 		msg = "";
244 	}
245 
246 	sym = NULL;
247 
248 	depth = getpcstack(stack, MAXPRIVSTACK);
249 
250 	/*
251 	 * Try to find the first interesting function on the stack.
252 	 * priv_policy* that's us, so completely uninteresting.
253 	 * suser(), drv_priv(), secpolicy_* are also called from
254 	 * too many locations to convey useful information.
255 	 */
256 	for (i = 0; i < depth; i++) {
257 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
258 		if (sym != NULL &&
259 		    strstr(sym, "hasprocperm") == 0 &&
260 		    strcmp("suser", sym) != 0 &&
261 		    strcmp("ipcaccess", sym) != 0 &&
262 		    strcmp("drv_priv", sym) != 0 &&
263 		    strncmp("secpolicy_", sym, 10) != 0 &&
264 		    strncmp("priv_policy", sym, 11) != 0)
265 			break;
266 	}
267 
268 	if (sym != NULL)
269 		(void) strcat(fmt, FMTFUN);
270 
271 	(void) strcat(fmt, "\n");
272 
273 	switch (priv) {
274 	case PRIV_ALL:
275 		pname = "ALL";
276 		break;
277 	case PRIV_MULTIPLE:
278 		pname = "MULTIPLE";
279 		break;
280 	case PRIV_ALLZONE:
281 		pname = "ZONE";
282 		break;
283 	case PRIV_GLOBAL:
284 		pname = "GLOBAL";
285 		break;
286 	default:
287 		pname = priv_getbynum(priv);
288 		break;
289 	}
290 
291 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
292 		/* Remember last message, just like lwp_badpriv. */
293 		if (curthread->t_pdmsg != NULL) {
294 			kmem_free(curthread->t_pdmsg,
295 			    strlen(curthread->t_pdmsg) + 1);
296 		}
297 
298 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
299 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
300 
301 		curthread->t_post_sys = 1;
302 	} else {
303 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
304 		    curthread->t_sysnum, msg, sym, off);
305 	}
306 }
307 
308 /*
309  * Audit failure, log error message.
310  */
311 static void
312 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
313 {
314 
315 #ifdef C2_AUDIT
316 	if (audit_active)
317 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
318 #endif
319 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
320 
321 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
322 	    curthread->t_pre_sys) {
323 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
324 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
325 		} else {
326 			ASSERT(!HAS_PRIVILEGE(cr, priv));
327 			priv_policy_errmsg(cr, priv, msg);
328 		}
329 	}
330 }
331 
332 /*
333  * priv_policy()
334  * return 0 or error.
335  * See block comment above for a description of "priv" and "allzone" usage.
336  */
337 int
338 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
339     const char *msg)
340 {
341 	if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) {
342 		if ((allzone || priv == PRIV_ALL ||
343 		    !PRIV_ISASSERT(priv_basic, priv)) &&
344 		    !servicing_interrupt()) {
345 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
346 #ifdef C2_AUDIT
347 			if (audit_active)
348 				audit_priv(priv,
349 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
350 #endif
351 		}
352 		err = 0;
353 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
354 	} else if (!servicing_interrupt()) {
355 		/* Failure audited in this procedure */
356 		priv_policy_err(cr, priv, allzone, msg);
357 	}
358 
359 	return (err);
360 }
361 
362 /*
363  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
364  */
365 boolean_t
366 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
367 {
368 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
369 	    (!allzone || HAS_ALLZONEPRIVS(cr));
370 
371 #ifdef C2_AUDIT
372 	/* Audit success only */
373 	if (res && audit_active &&
374 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
375 	    !servicing_interrupt()) {
376 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
377 	}
378 #endif
379 	if (res) {
380 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
381 	} else {
382 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
383 	}
384 	return (res);
385 }
386 
387 /*
388  * Non-auditing variant of priv_policy_choice().
389  */
390 boolean_t
391 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
392 {
393 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
394 	    (!allzone || HAS_ALLZONEPRIVS(cr));
395 
396 	if (res) {
397 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
398 	} else {
399 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
400 	}
401 	return (res);
402 }
403 
404 /*
405  * Check whether all privileges in the required set are present.
406  */
407 static int
408 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
409 {
410 	int priv;
411 	int pfound = -1;
412 	priv_set_t pset;
413 
414 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
415 	    &CR_OEPRIV(cr))) {
416 		return (0);
417 	}
418 
419 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
420 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
421 		return (EACCES);
422 	}
423 
424 	pset = CR_OEPRIV(cr);		/* present privileges */
425 	priv_inverse(&pset);		/* all non present privileges */
426 	priv_intersect(req, &pset);	/* the actual missing privs */
427 
428 #ifdef C2_AUDIT
429 	if (audit_active)
430 		audit_priv(PRIV_NONE, &pset, 0);
431 #endif
432 	/*
433 	 * Privilege debugging; special case "one privilege in set".
434 	 */
435 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
436 		for (priv = 0; priv < nprivs; priv++) {
437 			if (priv_ismember(&pset, priv)) {
438 				if (pfound != -1) {
439 					/* Multiple missing privs */
440 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
441 					    msg);
442 					return (EACCES);
443 				}
444 				pfound = priv;
445 			}
446 		}
447 		ASSERT(pfound != -1);
448 		/* Just the one missing privilege */
449 		priv_policy_errmsg(cr, pfound, msg);
450 	}
451 
452 	return (EACCES);
453 }
454 
455 /*
456  * Called when an operation requires that the caller be in the
457  * global zone, regardless of privilege.
458  */
459 static int
460 priv_policy_global(const cred_t *cr)
461 {
462 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
463 		return (0);	/* success */
464 
465 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
466 	    curthread->t_pre_sys) {
467 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
468 	}
469 	return (EPERM);
470 }
471 
472 /*
473  * Changing process priority
474  */
475 int
476 secpolicy_setpriority(const cred_t *cr)
477 {
478 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
479 }
480 
481 /*
482  * Binding to a privileged port, port must be specified in host byte
483  * order.
484  */
485 int
486 secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
487 {
488 	char *reason;
489 	int priv;
490 
491 	switch (port) {
492 	case 137:
493 	case 138:
494 	case 139:
495 	case 445:
496 		/*
497 		 * NBT and SMB ports, these are extra privileged ports,
498 		 * allow bind only if the SYS_SMB privilege is present.
499 		 */
500 		priv = PRIV_SYS_SMB;
501 		reason = "NBT or SMB port";
502 		break;
503 
504 	case 2049:
505 	case 4045:
506 		/*
507 		 * NFS ports, these are extra privileged ports, allow bind
508 		 * only if the SYS_NFS privilege is present.
509 		 */
510 		priv = PRIV_SYS_NFS;
511 		reason = "NFS port";
512 		break;
513 
514 	default:
515 		priv = PRIV_NET_PRIVADDR;
516 		reason = NULL;
517 		break;
518 
519 	}
520 
521 	return (PRIV_POLICY(cr, priv, B_FALSE, EACCES, reason));
522 }
523 
524 /*
525  * Binding to a multilevel port on a trusted (labeled) system.
526  */
527 int
528 secpolicy_net_bindmlp(const cred_t *cr)
529 {
530 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES,
531 	    NULL));
532 }
533 
534 /*
535  * Allow a communication between a zone and an unlabeled host when their
536  * labels don't match.
537  */
538 int
539 secpolicy_net_mac_aware(const cred_t *cr)
540 {
541 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES,
542 	    NULL));
543 }
544 
545 /*
546  * Common routine which determines whether a given credential can
547  * act on a given mount.
548  * When called through mount, the parameter needoptcheck is a pointer
549  * to a boolean variable which will be set to either true or false,
550  * depending on whether the mount policy should change the mount options.
551  * In all other cases, needoptcheck should be a NULL pointer.
552  */
553 static int
554 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
555     boolean_t *needoptcheck)
556 {
557 	boolean_t allzone = B_FALSE;
558 	boolean_t mounting = needoptcheck != NULL;
559 
560 	/*
561 	 * Short circuit the following cases:
562 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
563 	 *	have all privileges - no further checks required
564 	 *	and no mount options need to be set.
565 	 */
566 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
567 		if (mounting)
568 			*needoptcheck = B_FALSE;
569 
570 		return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
571 	}
572 
573 	/*
574 	 * When operating on an existing mount (either we're not mounting
575 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
576 	 * can operate only on mounts established by the zone itself.
577 	 */
578 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
579 		zoneid_t zoneid = crgetzoneid(cr);
580 
581 		if (zoneid != GLOBAL_ZONEID &&
582 		    vfsp->vfs_zone->zone_id != zoneid) {
583 			return (EPERM);
584 		}
585 	}
586 
587 	if (mounting)
588 		*needoptcheck = B_TRUE;
589 
590 	/*
591 	 * Overlay mounts may hide important stuff; if you can't write to a
592 	 * mount point but would be able to mount on top of it, you can
593 	 * escalate your privileges.
594 	 * So we go about asking the same questions namefs does when it
595 	 * decides whether you can mount over a file or not but with the
596 	 * added restriction that you can only mount on top of a regular
597 	 * file or directory.
598 	 * If we have all the zone's privileges, we skip all other checks,
599 	 * or else we may actually get in trouble inside the automounter.
600 	 */
601 	if ((mvp->v_flag & VROOT) != 0 ||
602 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
603 	    HAS_ALLZONEPRIVS(cr)) {
604 		allzone = B_TRUE;
605 	} else {
606 		vattr_t va;
607 		int err;
608 
609 		va.va_mask = AT_UID|AT_MODE;
610 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
611 		if (err != 0)
612 			return (err);
613 
614 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
615 			return (err);
616 
617 		if ((va.va_mode & VWRITE) == 0 &&
618 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
619 			return (EACCES);
620 		}
621 	}
622 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
623 }
624 
625 void
626 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
627 {
628 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
629 
630 	/*
631 	 * check; if we don't have either "nosuid" or
632 	 * both "nosetuid" and "nodevices", then we add
633 	 * "nosuid"; this depends on how the current
634 	 * implementation works (it first checks nosuid).  In a
635 	 * zone, a user with all zone privileges can mount with
636 	 * "setuid" but never with "devices".
637 	 */
638 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
639 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
640 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
641 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
642 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
643 		else
644 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
645 	}
646 	/*
647 	 * If we're not the local super user, we set the "restrict"
648 	 * option to indicate to automountd that this mount should
649 	 * be handled with care.
650 	 */
651 	if (!amsuper)
652 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
653 
654 }
655 
656 extern vnode_t *rootvp;
657 extern vfs_t *rootvfs;
658 
659 int
660 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
661 {
662 	boolean_t needoptchk;
663 	int error;
664 
665 	/*
666 	 * If it's a remount, get the underlying mount point,
667 	 * except for the root where we use the rootvp.
668 	 */
669 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
670 		if (vfsp == rootvfs)
671 			mvp = rootvp;
672 		else
673 			mvp = vfsp->vfs_vnodecovered;
674 	}
675 
676 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
677 
678 	if (error == 0 && needoptchk) {
679 		secpolicy_fs_mount_clearopts(cr, vfsp);
680 	}
681 
682 	return (error);
683 }
684 
685 /*
686  * Does the policy computations for "ownership" of a mount;
687  * here ownership is defined as the ability to "mount"
688  * the filesystem originally.  The rootvfs doesn't cover any
689  * vnodes; we attribute its ownership to the rootvp.
690  */
691 static int
692 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
693 {
694 	vnode_t *mvp;
695 
696 	if (vfsp == NULL)
697 		mvp = NULL;
698 	else if (vfsp == rootvfs)
699 		mvp = rootvp;
700 	else
701 		mvp = vfsp->vfs_vnodecovered;
702 
703 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
704 }
705 
706 int
707 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
708 {
709 	return (secpolicy_fs_owner(cr, vfsp));
710 }
711 
712 /*
713  * Quotas are a resource, but if one has the ability to mount a filesystem, he
714  * should be able to modify quotas on it.
715  */
716 int
717 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
718 {
719 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
720 }
721 
722 /*
723  * Exceeding minfree: also a per-mount resource constraint.
724  */
725 int
726 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
727 {
728 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
729 }
730 
731 int
732 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
733 {
734 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
735 }
736 
737 /* ARGSUSED */
738 int
739 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
740 {
741 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
742 }
743 
744 /*
745  * Name:        secpolicy_vnode_access()
746  *
747  * Parameters:  Process credential
748  *		vnode
749  *		uid of owner of vnode
750  *		permission bits not granted to the caller when examining
751  *		file mode bits (i.e., when a process wants to open a
752  *		mode 444 file for VREAD|VWRITE, this function should be
753  *		called only with a VWRITE argument).
754  *
755  * Normal:      Verifies that cred has the appropriate privileges to
756  *              override the mode bits that were denied.
757  *
758  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
759  *                      not a directory.
760  *              file_dac_read - if VREAD bit was denied.
761  *              file_dac_search - if VEXEC bit was denied and vnode is
762  *                      a directory.
763  *              file_dac_write - if VWRITE bit was denied.
764  *
765  *		Root owned files are special cased to protect system
766  *		configuration files and such.
767  *
768  * Output:      EACCES - if privilege check fails.
769  */
770 
771 /* ARGSUSED */
772 int
773 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
774 {
775 	if ((mode & VREAD) &&
776 	    PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0)
777 		return (EACCES);
778 
779 	if (mode & VWRITE) {
780 		boolean_t allzone;
781 
782 		if (owner == 0 && cr->cr_uid != 0)
783 			allzone = B_TRUE;
784 		else
785 			allzone = B_FALSE;
786 		if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL)
787 		    != 0)
788 			return (EACCES);
789 	}
790 
791 	if (mode & VEXEC) {
792 		/*
793 		 * Directories use file_dac_search to override the execute bit.
794 		 */
795 		vtype_t vtype = vp->v_type;
796 
797 		if (vtype == VDIR)
798 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE,
799 			    EACCES, NULL));
800 		else
801 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE,
802 			    EACCES, NULL));
803 	}
804 	return (0);
805 }
806 
807 /*
808  * Name:	secpolicy_vnode_setid_modify()
809  *
810  * Normal:	verify that subject can set the file setid flags.
811  *
812  * Output:	EPERM - if not privileged.
813  */
814 
815 static int
816 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
817 {
818 	/* If changing to suid root, must have all zone privs */
819 	boolean_t allzone = B_TRUE;
820 
821 	if (owner != 0) {
822 		if (owner == cr->cr_uid)
823 			return (0);
824 		allzone = B_FALSE;
825 	}
826 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
827 }
828 
829 /*
830  * Are we allowed to retain the set-uid/set-gid bits when
831  * changing ownership or when writing to a file?
832  * "issuid" should be true when set-uid; only in that case
833  * root ownership is checked (setgid is assumed).
834  */
835 int
836 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
837 {
838 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
839 		return (EPERM);
840 
841 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
842 }
843 
844 /*
845  * Name:	secpolicy_vnode_setids_setgids()
846  *
847  * Normal:	verify that subject can set the file setgid flag.
848  *
849  * Output:	EPERM - if not privileged
850  */
851 
852 int
853 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
854 {
855 	if (!groupmember(gid, cred))
856 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
857 		    NULL));
858 	return (0);
859 }
860 
861 /*
862  * Create a file with a group different than any of the groups allowed:
863  * the group of the directory the file is created in, the effective
864  * group or any of the supplementary groups.
865  */
866 int
867 secpolicy_vnode_create_gid(const cred_t *cred)
868 {
869 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
870 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
871 		    NULL));
872 	else
873 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
874 		    NULL));
875 }
876 
877 /*
878  * Name:	secpolicy_vnode_utime_modify()
879  *
880  * Normal:	verify that subject can modify the utime on a file.
881  *
882  * Output:	EPERM - if access denied.
883  */
884 
885 static int
886 secpolicy_vnode_utime_modify(const cred_t *cred)
887 {
888 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
889 	    "modify file times"));
890 }
891 
892 
893 /*
894  * Name:	secpolicy_vnode_setdac()
895  *
896  * Normal:	verify that subject can modify the mode of a file.
897  *		allzone privilege needed when modifying root owned object.
898  *
899  * Output:	EPERM - if access denied.
900  */
901 
902 int
903 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
904 {
905 	if (owner == cred->cr_uid)
906 		return (0);
907 
908 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
909 }
910 /*
911  * Name:	secpolicy_vnode_stky_modify()
912  *
913  * Normal:	verify that subject can make a file a "sticky".
914  *
915  * Output:	EPERM - if access denied.
916  */
917 
918 int
919 secpolicy_vnode_stky_modify(const cred_t *cred)
920 {
921 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
922 	    "set file sticky"));
923 }
924 
925 /*
926  * Policy determines whether we can remove an entry from a directory,
927  * regardless of permission bits.
928  */
929 int
930 secpolicy_vnode_remove(const cred_t *cr)
931 {
932 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
933 	    "sticky directory"));
934 }
935 
936 int
937 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
938 {
939 	boolean_t allzone = (owner == 0);
940 
941 	if (owner == cr->cr_uid)
942 		return (0);
943 
944 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
945 }
946 
947 void
948 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
949 {
950 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
951 	    secpolicy_vnode_setid_retain(cr,
952 	    (vap->va_mode & S_ISUID) != 0 &&
953 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
954 		vap->va_mask |= AT_MODE;
955 		vap->va_mode &= ~(S_ISUID|S_ISGID);
956 	}
957 }
958 
959 int
960 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
961     cred_t *cr)
962 {
963 	int error;
964 
965 	if ((vap->va_mode & S_ISUID) != 0 &&
966 	    (error = secpolicy_vnode_setid_modify(cr,
967 	    ovap->va_uid)) != 0) {
968 		return (error);
969 	}
970 
971 	/*
972 	 * Check privilege if attempting to set the
973 	 * sticky bit on a non-directory.
974 	 */
975 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
976 	    secpolicy_vnode_stky_modify(cr) != 0) {
977 		vap->va_mode &= ~S_ISVTX;
978 	}
979 
980 	/*
981 	 * Check for privilege if attempting to set the
982 	 * group-id bit.
983 	 */
984 	if ((vap->va_mode & S_ISGID) != 0 &&
985 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
986 		vap->va_mode &= ~S_ISGID;
987 	}
988 
989 	return (0);
990 }
991 
992 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
993 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
994 	B_FALSE, EPERM, NULL)
995 
996 /*
997  * Check privileges for setting xvattr attributes
998  */
999 int
1000 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1001 {
1002 	xoptattr_t *xoap;
1003 	int error = 0;
1004 
1005 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1006 		return (EINVAL);
1007 
1008 	/*
1009 	 * First process the DOS bits
1010 	 */
1011 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1012 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1013 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1014 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1015 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME)) {
1016 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1017 			return (error);
1018 	}
1019 
1020 	/*
1021 	 * Now handle special attributes
1022 	 */
1023 
1024 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1025 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1026 		    xoap->xoa_immutable, cr);
1027 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1028 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1029 		    xoap->xoa_nounlink, cr);
1030 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1031 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1032 		    xoap->xoa_appendonly, cr);
1033 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1034 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1035 		    xoap->xoa_nodump, cr);
1036 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1037 		error = EPERM;
1038 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1039 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1040 		    xoap->xoa_av_quarantined, cr);
1041 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1042 			error = EINVAL;
1043 	}
1044 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1045 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1046 		    xoap->xoa_av_modified, cr);
1047 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1048 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1049 		    xoap->xoa_av_scanstamp, cr);
1050 		if (error == 0 && vtype != VREG)
1051 			error = EINVAL;
1052 	}
1053 	return (error);
1054 }
1055 
1056 /*
1057  * This function checks the policy decisions surrounding the
1058  * vop setattr call.
1059  *
1060  * It should be called after sufficient locks have been established
1061  * on the underlying data structures.  No concurrent modifications
1062  * should be allowed.
1063  *
1064  * The caller must pass in unlocked version of its vaccess function
1065  * this is required because vop_access function should lock the
1066  * node for reading.  A three argument function should be defined
1067  * which accepts the following argument:
1068  * 	A pointer to the internal "node" type (inode *)
1069  *	vnode access bits (VREAD|VWRITE|VEXEC)
1070  *	a pointer to the credential
1071  *
1072  * This function makes the following policy decisions:
1073  *
1074  *		- change permissions
1075  *			- permission to change file mode if not owner
1076  *			- permission to add sticky bit to non-directory
1077  *			- permission to add set-gid bit
1078  *
1079  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1080  *
1081  * If the vap argument does not include AT_MODE, the mode will be copied from
1082  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1083  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1084  * is updated to the newly computed mode.
1085  */
1086 
1087 int
1088 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1089 	const struct vattr *ovap, int flags,
1090 	int unlocked_access(void *, int, cred_t *),
1091 	void *node)
1092 {
1093 	int mask = vap->va_mask;
1094 	int error = 0;
1095 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1096 
1097 	if (mask & AT_SIZE) {
1098 		if (vp->v_type == VDIR) {
1099 			error = EISDIR;
1100 			goto out;
1101 		}
1102 
1103 		/*
1104 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1105 		 * perform the secondary unlocked_access() call since the
1106 		 * ACL (if any) is being checked there.
1107 		 */
1108 		if (skipaclchk == B_FALSE) {
1109 			error = unlocked_access(node, VWRITE, cr);
1110 			if (error)
1111 				goto out;
1112 		}
1113 	}
1114 	if (mask & AT_MODE) {
1115 		/*
1116 		 * If not the owner of the file then check privilege
1117 		 * for two things: the privilege to set the mode at all
1118 		 * and, if we're setting setuid, we also need permissions
1119 		 * to add the set-uid bit, if we're not the owner.
1120 		 * In the specific case of creating a set-uid root
1121 		 * file, we need even more permissions.
1122 		 */
1123 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1124 			goto out;
1125 
1126 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1127 		    ovap, cr)) != 0)
1128 			goto out;
1129 	} else
1130 		vap->va_mode = ovap->va_mode;
1131 
1132 	if (mask & (AT_UID|AT_GID)) {
1133 		boolean_t checkpriv = B_FALSE;
1134 		int priv;
1135 		boolean_t allzone = B_FALSE;
1136 
1137 		/*
1138 		 * Chowning files.
1139 		 *
1140 		 * If you are the file owner:
1141 		 *	chown to other uid		FILE_CHOWN_SELF
1142 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1143 		 *	chown to gid (member) 		<none>
1144 		 *
1145 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1146 		 * acceptable but the first one is reported when debugging.
1147 		 *
1148 		 * If you are not the file owner:
1149 		 *	chown from root			PRIV_FILE_CHOWN + zone
1150 		 *	chown from other to any		PRIV_FILE_CHOWN
1151 		 *
1152 		 */
1153 		if (cr->cr_uid != ovap->va_uid) {
1154 			checkpriv = B_TRUE;
1155 			allzone = (ovap->va_uid == 0);
1156 			priv = PRIV_FILE_CHOWN;
1157 		} else {
1158 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1159 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1160 			    !groupmember(vap->va_gid, cr))) {
1161 				checkpriv = B_TRUE;
1162 				priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ?
1163 				    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1164 			}
1165 		}
1166 		/*
1167 		 * If necessary, check privilege to see if update can be done.
1168 		 */
1169 		if (checkpriv &&
1170 		    (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL))
1171 		    != 0) {
1172 			goto out;
1173 		}
1174 
1175 		/*
1176 		 * If the file has either the set UID or set GID bits
1177 		 * set and the caller can set the bits, then leave them.
1178 		 */
1179 		secpolicy_setid_clear(vap, cr);
1180 	}
1181 	if (mask & (AT_ATIME|AT_MTIME)) {
1182 		/*
1183 		 * If not the file owner and not otherwise privileged,
1184 		 * always return an error when setting the
1185 		 * time other than the current (ATTR_UTIME flag set).
1186 		 * If setting the current time (ATTR_UTIME not set) then
1187 		 * unlocked_access will check permissions according to policy.
1188 		 */
1189 		if (cr->cr_uid != ovap->va_uid) {
1190 			if (flags & ATTR_UTIME)
1191 				error = secpolicy_vnode_utime_modify(cr);
1192 			else if (skipaclchk == B_FALSE) {
1193 				error = unlocked_access(node, VWRITE, cr);
1194 				if (error == EACCES &&
1195 				    secpolicy_vnode_utime_modify(cr) == 0)
1196 					error = 0;
1197 			}
1198 			if (error)
1199 				goto out;
1200 		}
1201 	}
1202 
1203 	/*
1204 	 * Check for optional attributes here by checking the following:
1205 	 */
1206 	if (mask & AT_XVATTR)
1207 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1208 		    vp->v_type);
1209 out:
1210 	return (error);
1211 }
1212 
1213 /*
1214  * Name:	secpolicy_pcfs_modify_bootpartition()
1215  *
1216  * Normal:	verify that subject can modify a pcfs boot partition.
1217  *
1218  * Output:	EACCES - if privilege check failed.
1219  */
1220 /*ARGSUSED*/
1221 int
1222 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1223 {
1224 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1225 	    "modify pcfs boot partition"));
1226 }
1227 
1228 /*
1229  * System V IPC routines
1230  */
1231 int
1232 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1233 {
1234 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1235 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1236 		boolean_t allzone = B_FALSE;
1237 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1238 			allzone = B_TRUE;
1239 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1240 	}
1241 	return (0);
1242 }
1243 
1244 int
1245 secpolicy_ipc_config(const cred_t *cr)
1246 {
1247 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1248 }
1249 
1250 int
1251 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1252 {
1253 
1254 	boolean_t allzone = B_FALSE;
1255 
1256 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1257 
1258 	if ((mode & MSG_R) &&
1259 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1260 		return (EACCES);
1261 
1262 	if (mode & MSG_W) {
1263 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1264 			allzone = B_TRUE;
1265 
1266 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1267 		    NULL));
1268 	}
1269 	return (0);
1270 }
1271 
1272 int
1273 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1274 {
1275 	boolean_t allzone = B_FALSE;
1276 
1277 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1278 
1279 	if ((mode & MSG_R) &&
1280 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1281 		return (EACCES);
1282 
1283 	if (mode & MSG_W) {
1284 		if (cr->cr_uid != 0 && owner == 0)
1285 			allzone = B_TRUE;
1286 
1287 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1288 		    NULL));
1289 	}
1290 	return (0);
1291 }
1292 
1293 /*
1294  * Audit configuration.
1295  */
1296 int
1297 secpolicy_audit_config(const cred_t *cr)
1298 {
1299 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1300 }
1301 
1302 /*
1303  * Audit record generation.
1304  */
1305 int
1306 secpolicy_audit_modify(const cred_t *cr)
1307 {
1308 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1309 }
1310 
1311 /*
1312  * Get audit attributes.
1313  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1314  * "Least" of the two privileges on error.
1315  */
1316 int
1317 secpolicy_audit_getattr(const cred_t *cr)
1318 {
1319 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1320 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1321 		    NULL));
1322 	} else {
1323 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1324 	}
1325 }
1326 
1327 
1328 /*
1329  * Locking physical memory
1330  */
1331 int
1332 secpolicy_lock_memory(const cred_t *cr)
1333 {
1334 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1335 }
1336 
1337 /*
1338  * Accounting (both acct(2) and exacct).
1339  */
1340 int
1341 secpolicy_acct(const cred_t *cr)
1342 {
1343 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1344 }
1345 
1346 /*
1347  * Is this process privileged to change its uids at will?
1348  * Uid 0 is still considered "special" and having the SETID
1349  * privilege is not sufficient to get uid 0.
1350  * Files are owned by root, so the privilege would give
1351  * full access and euid 0 is still effective.
1352  *
1353  * If you have the privilege and euid 0 only then do you
1354  * get the powers of root wrt uid 0.
1355  *
1356  * For gid manipulations, this is should be called with an
1357  * uid of -1.
1358  *
1359  */
1360 int
1361 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1362 {
1363 	boolean_t allzone = B_FALSE;
1364 
1365 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1366 	    cr->cr_ruid != 0) {
1367 		allzone = B_TRUE;
1368 	}
1369 
1370 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1371 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1372 }
1373 
1374 
1375 /*
1376  * Acting on a different process: if the mode is for writing,
1377  * the restrictions are more severe.  This is called after
1378  * we've verified that the uids do not match.
1379  */
1380 int
1381 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1382 {
1383 	boolean_t allzone = B_FALSE;
1384 
1385 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1386 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1387 		allzone = B_TRUE;
1388 
1389 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1390 }
1391 
1392 int
1393 secpolicy_proc_access(const cred_t *scr)
1394 {
1395 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1396 }
1397 
1398 int
1399 secpolicy_proc_excl_open(const cred_t *scr)
1400 {
1401 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1402 }
1403 
1404 int
1405 secpolicy_proc_zone(const cred_t *scr)
1406 {
1407 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1408 }
1409 
1410 /*
1411  * Destroying the system
1412  */
1413 
1414 int
1415 secpolicy_kmdb(const cred_t *scr)
1416 {
1417 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1418 }
1419 
1420 int
1421 secpolicy_error_inject(const cred_t *scr)
1422 {
1423 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1424 }
1425 
1426 /*
1427  * Processor sets, cpu configuration, resource pools.
1428  */
1429 int
1430 secpolicy_pset(const cred_t *cr)
1431 {
1432 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1433 }
1434 
1435 int
1436 secpolicy_ponline(const cred_t *cr)
1437 {
1438 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1439 }
1440 
1441 int
1442 secpolicy_pool(const cred_t *cr)
1443 {
1444 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1445 }
1446 
1447 int
1448 secpolicy_blacklist(const cred_t *cr)
1449 {
1450 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1451 }
1452 
1453 /*
1454  * Catch all system configuration.
1455  */
1456 int
1457 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1458 {
1459 	if (checkonly) {
1460 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1461 		    EPERM);
1462 	} else {
1463 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1464 	}
1465 }
1466 
1467 /*
1468  * Zone administration (halt, reboot, etc.) from within zone.
1469  */
1470 int
1471 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1472 {
1473 	if (checkonly) {
1474 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1475 		    EPERM);
1476 	} else {
1477 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1478 		    NULL));
1479 	}
1480 }
1481 
1482 /*
1483  * Zone configuration (create, halt, enter).
1484  */
1485 int
1486 secpolicy_zone_config(const cred_t *cr)
1487 {
1488 	/*
1489 	 * Require all privileges to avoid possibility of privilege
1490 	 * escalation.
1491 	 */
1492 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1493 }
1494 
1495 /*
1496  * Various other system configuration calls
1497  */
1498 int
1499 secpolicy_coreadm(const cred_t *cr)
1500 {
1501 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1502 }
1503 
1504 int
1505 secpolicy_systeminfo(const cred_t *cr)
1506 {
1507 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1508 }
1509 
1510 int
1511 secpolicy_dispadm(const cred_t *cr)
1512 {
1513 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1514 }
1515 
1516 int
1517 secpolicy_settime(const cred_t *cr)
1518 {
1519 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1520 }
1521 
1522 /*
1523  * For realtime users: high resolution clock.
1524  */
1525 int
1526 secpolicy_clock_highres(const cred_t *cr)
1527 {
1528 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1529 	    NULL));
1530 }
1531 
1532 /*
1533  * drv_priv() is documented as callable from interrupt context, not that
1534  * anyone ever does, but still.  No debugging or auditing can be done when
1535  * it is called from interrupt context.
1536  * returns 0 on succes, EPERM on failure.
1537  */
1538 int
1539 drv_priv(cred_t *cr)
1540 {
1541 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1542 }
1543 
1544 int
1545 secpolicy_sys_devices(const cred_t *cr)
1546 {
1547 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1548 }
1549 
1550 int
1551 secpolicy_excl_open(const cred_t *cr)
1552 {
1553 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1554 }
1555 
1556 int
1557 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1558 {
1559 	/* zone.* rctls can only be set from the global zone */
1560 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1561 		return (EPERM);
1562 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1563 }
1564 
1565 int
1566 secpolicy_resource(const cred_t *cr)
1567 {
1568 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1569 }
1570 
1571 /*
1572  * Processes with a real uid of 0 escape any form of accounting, much
1573  * like before.
1574  */
1575 int
1576 secpolicy_newproc(const cred_t *cr)
1577 {
1578 	if (cr->cr_ruid == 0)
1579 		return (0);
1580 
1581 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1582 }
1583 
1584 /*
1585  * Networking
1586  */
1587 int
1588 secpolicy_net_rawaccess(const cred_t *cr)
1589 {
1590 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1591 }
1592 
1593 /*
1594  * Need this privilege for accessing the ICMP device
1595  */
1596 int
1597 secpolicy_net_icmpaccess(const cred_t *cr)
1598 {
1599 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1600 }
1601 
1602 /*
1603  * There are a few rare cases where the kernel generates ioctls() from
1604  * interrupt context with a credential of kcred rather than NULL.
1605  * In those cases, we take the safe and cheap test.
1606  */
1607 int
1608 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1609 {
1610 	if (checkonly) {
1611 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1612 		    0 : EPERM);
1613 	} else {
1614 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1615 		    NULL));
1616 	}
1617 }
1618 
1619 
1620 /*
1621  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1622  *
1623  * There are a few rare cases where the kernel generates ioctls() from
1624  * interrupt context with a credential of kcred rather than NULL.
1625  * In those cases, we take the safe and cheap test.
1626  */
1627 int
1628 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1629 {
1630 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1631 		return (secpolicy_net_config(cr, checkonly));
1632 
1633 	if (checkonly) {
1634 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1635 		    0 : EPERM);
1636 	} else {
1637 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1638 		    NULL));
1639 	}
1640 }
1641 
1642 
1643 /*
1644  * Map IP pseudo privileges to actual privileges.
1645  * So we don't need to recompile IP when we change the privileges.
1646  */
1647 int
1648 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1649 {
1650 	int priv = PRIV_ALL;
1651 
1652 	switch (netpriv) {
1653 	case OP_CONFIG:
1654 		priv = PRIV_SYS_IP_CONFIG;
1655 		break;
1656 	case OP_RAW:
1657 		priv = PRIV_NET_RAWACCESS;
1658 		break;
1659 	case OP_PRIVPORT:
1660 		priv = PRIV_NET_PRIVADDR;
1661 		break;
1662 	}
1663 	ASSERT(priv != PRIV_ALL);
1664 	if (checkonly)
1665 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1666 	else
1667 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1668 }
1669 
1670 /*
1671  * Map network pseudo privileges to actual privileges.
1672  * So we don't need to recompile IP when we change the privileges.
1673  */
1674 int
1675 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1676 {
1677 	int priv = PRIV_ALL;
1678 
1679 	switch (netpriv) {
1680 	case OP_CONFIG:
1681 		priv = PRIV_SYS_NET_CONFIG;
1682 		break;
1683 	case OP_RAW:
1684 		priv = PRIV_NET_RAWACCESS;
1685 		break;
1686 	case OP_PRIVPORT:
1687 		priv = PRIV_NET_PRIVADDR;
1688 		break;
1689 	}
1690 	ASSERT(priv != PRIV_ALL);
1691 	if (checkonly)
1692 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1693 	else
1694 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1695 }
1696 
1697 /*
1698  * Checks for operations that are either client-only or are used by
1699  * both clients and servers.
1700  */
1701 int
1702 secpolicy_nfs(const cred_t *cr)
1703 {
1704 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1705 }
1706 
1707 /*
1708  * Special case for opening rpcmod: have NFS privileges or network
1709  * config privileges.
1710  */
1711 int
1712 secpolicy_rpcmod_open(const cred_t *cr)
1713 {
1714 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1715 		return (secpolicy_nfs(cr));
1716 	else
1717 		return (secpolicy_net_config(cr, NULL));
1718 }
1719 
1720 int
1721 secpolicy_chroot(const cred_t *cr)
1722 {
1723 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1724 }
1725 
1726 int
1727 secpolicy_tasksys(const cred_t *cr)
1728 {
1729 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1730 }
1731 
1732 /*
1733  * Basic privilege checks.
1734  */
1735 int
1736 secpolicy_basic_exec(const cred_t *cr)
1737 {
1738 	return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL));
1739 }
1740 
1741 int
1742 secpolicy_basic_fork(const cred_t *cr)
1743 {
1744 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1745 }
1746 
1747 int
1748 secpolicy_basic_proc(const cred_t *cr)
1749 {
1750 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1751 }
1752 
1753 /*
1754  * Slightly complicated because we don't want to trigger the policy too
1755  * often.  First we shortcircuit access to "self" (tp == sp) or if
1756  * we don't have the privilege but if we have permission
1757  * just return (0) and we don't flag the privilege as needed.
1758  * Else, we test for the privilege because we either have it or need it.
1759  */
1760 int
1761 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1762 {
1763 	if (tp == sp ||
1764 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1765 		return (0);
1766 	} else {
1767 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1768 	}
1769 }
1770 
1771 int
1772 secpolicy_basic_link(const cred_t *cr)
1773 {
1774 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1775 }
1776 
1777 /*
1778  * Additional device protection.
1779  *
1780  * Traditionally, a device has specific permissions on the node in
1781  * the filesystem which govern which devices can be opened by what
1782  * processes.  In certain cases, it is desirable to add extra
1783  * restrictions, as writing to certain devices is identical to
1784  * having a complete run of the system.
1785  *
1786  * This mechanism is called the device policy.
1787  *
1788  * When a device is opened, its policy entry is looked up in the
1789  * policy cache and checked.
1790  */
1791 int
1792 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1793 {
1794 	devplcy_t *plcy;
1795 	int err;
1796 	struct snode *csp = VTOS(common_specvp(vp));
1797 	priv_set_t pset;
1798 
1799 	mutex_enter(&csp->s_lock);
1800 
1801 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1802 		plcy = devpolicy_find(vp);
1803 		if (csp->s_plcy)
1804 			dpfree(csp->s_plcy);
1805 		csp->s_plcy = plcy;
1806 		ASSERT(plcy != NULL);
1807 	} else
1808 		plcy = csp->s_plcy;
1809 
1810 	if (plcy == nullpolicy) {
1811 		mutex_exit(&csp->s_lock);
1812 		return (0);
1813 	}
1814 
1815 	dphold(plcy);
1816 
1817 	mutex_exit(&csp->s_lock);
1818 
1819 	if (oflag & FWRITE)
1820 		pset = plcy->dp_wrp;
1821 	else
1822 		pset = plcy->dp_rdp;
1823 	/*
1824 	 * Special case:
1825 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1826 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
1827 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
1828 	 * in the required privilege set before doing the check.
1829 	 */
1830 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
1831 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
1832 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
1833 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
1834 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
1835 	}
1836 
1837 	err = secpolicy_require_set(cr, &pset, "devpolicy");
1838 	dpfree(plcy);
1839 
1840 	return (err);
1841 }
1842 
1843 int
1844 secpolicy_modctl(const cred_t *cr, int cmd)
1845 {
1846 	switch (cmd) {
1847 	case MODINFO:
1848 	case MODGETMAJBIND:
1849 	case MODGETPATH:
1850 	case MODGETPATHLEN:
1851 	case MODGETNAME:
1852 	case MODGETFBNAME:
1853 	case MODGETDEVPOLICY:
1854 	case MODGETDEVPOLICYBYNAME:
1855 	case MODDEVT2INSTANCE:
1856 	case MODSIZEOF_DEVID:
1857 	case MODGETDEVID:
1858 	case MODSIZEOF_MINORNAME:
1859 	case MODGETMINORNAME:
1860 	case MODGETDEVFSPATH_LEN:
1861 	case MODGETDEVFSPATH:
1862 	case MODGETDEVFSPATH_MI_LEN:
1863 	case MODGETDEVFSPATH_MI:
1864 		/* Unprivileged */
1865 		return (0);
1866 	case MODLOAD:
1867 	case MODSETDEVPOLICY:
1868 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1869 	default:
1870 		return (secpolicy_sys_config(cr, B_FALSE));
1871 	}
1872 }
1873 
1874 int
1875 secpolicy_console(const cred_t *cr)
1876 {
1877 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1878 }
1879 
1880 int
1881 secpolicy_power_mgmt(const cred_t *cr)
1882 {
1883 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1884 }
1885 
1886 /*
1887  * Simulate terminal input; another escalation of privileges avenue.
1888  */
1889 
1890 int
1891 secpolicy_sti(const cred_t *cr)
1892 {
1893 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1894 }
1895 
1896 boolean_t
1897 secpolicy_net_reply_equal(const cred_t *cr)
1898 {
1899 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1900 }
1901 
1902 int
1903 secpolicy_swapctl(const cred_t *cr)
1904 {
1905 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1906 }
1907 
1908 int
1909 secpolicy_cpc_cpu(const cred_t *cr)
1910 {
1911 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
1912 }
1913 
1914 /*
1915  * secpolicy_contract_observer
1916  *
1917  * Determine if the subject may observe a specific contract's events.
1918  */
1919 int
1920 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
1921 {
1922 	if (contract_owned(ct, cr, B_FALSE))
1923 		return (0);
1924 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
1925 }
1926 
1927 /*
1928  * secpolicy_contract_observer_choice
1929  *
1930  * Determine if the subject may observe any contract's events.  Just
1931  * tests privilege and audits on success.
1932  */
1933 boolean_t
1934 secpolicy_contract_observer_choice(const cred_t *cr)
1935 {
1936 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
1937 }
1938 
1939 /*
1940  * secpolicy_contract_event
1941  *
1942  * Determine if the subject may request critical contract events or
1943  * reliable contract event delivery.
1944  */
1945 int
1946 secpolicy_contract_event(const cred_t *cr)
1947 {
1948 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
1949 }
1950 
1951 /*
1952  * secpolicy_contract_event_choice
1953  *
1954  * Determine if the subject may retain contract events in its critical
1955  * set when a change in other terms would normally require a change in
1956  * the critical set.  Just tests privilege and audits on success.
1957  */
1958 boolean_t
1959 secpolicy_contract_event_choice(const cred_t *cr)
1960 {
1961 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
1962 }
1963 
1964 /*
1965  * secpolicy_gart_access
1966  *
1967  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
1968  * device.
1969  */
1970 int
1971 secpolicy_gart_access(const cred_t *cr)
1972 {
1973 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
1974 }
1975 
1976 /*
1977  * secpolicy_gart_map
1978  *
1979  * Determine if the subject has sufficient priveleges to map aperture range
1980  * through agpgart driver.
1981  */
1982 int
1983 secpolicy_gart_map(const cred_t *cr)
1984 {
1985 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
1986 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
1987 		    NULL));
1988 	} else {
1989 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
1990 		    NULL));
1991 	}
1992 }
1993 
1994 /*
1995  * secpolicy_zinject
1996  *
1997  * Determine if the subject can inject faults in the ZFS fault injection
1998  * framework.  Requires all privileges.
1999  */
2000 int
2001 secpolicy_zinject(const cred_t *cr)
2002 {
2003 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2004 }
2005 
2006 /*
2007  * secpolicy_zfs
2008  *
2009  * Determine if the subject has permission to manipulate ZFS datasets
2010  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2011  */
2012 int
2013 secpolicy_zfs(const cred_t *cr)
2014 {
2015 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2016 }
2017 
2018 /*
2019  * secpolicy_idmap
2020  *
2021  * Determine if the calling process has permissions to register an SID
2022  * mapping daemon and allocate ephemeral IDs.
2023  */
2024 int
2025 secpolicy_idmap(const cred_t *cr)
2026 {
2027 	return (PRIV_POLICY(cr, PRIV_ALL, B_FALSE, EPERM, NULL));
2028 }
2029 
2030 /*
2031  * secpolicy_ucode_update
2032  *
2033  * Determine if the subject has sufficient privilege to update microcode.
2034  */
2035 int
2036 secpolicy_ucode_update(const cred_t *scr)
2037 {
2038 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2039 }
2040 
2041 /*
2042  * secpolicy_sadopen
2043  *
2044  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2045  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2046  * In global zone, sys_config is required.
2047  * In exclusive-IP zones, sys_ip_config is required.
2048  * Note that sys_config is prohibited in non-global zones.
2049  */
2050 int
2051 secpolicy_sadopen(const cred_t *credp)
2052 {
2053 	priv_set_t pset;
2054 
2055 	priv_emptyset(&pset);
2056 
2057 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2058 		priv_addset(&pset, PRIV_SYS_CONFIG);
2059 	else
2060 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2061 
2062 	return (secpolicy_require_set(credp, &pset, "devpolicy"));
2063 }
2064 
2065 /*
2066  * secpolicy_smb
2067  *
2068  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2069  * that it has permission to access the smbsrv kernel driver.
2070  * PRIV_POLICY checks the privilege and audits the check.
2071  *
2072  * Returns:
2073  * 0       Driver access is allowed.
2074  * EPERM   Driver access is NOT permitted.
2075  */
2076 int
2077 secpolicy_smb(const cred_t *cr)
2078 {
2079 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2080 }
2081 
2082 /*
2083  * secpolicy_vscan
2084  *
2085  * Determine if cred_t has the necessary privileges to access a file
2086  * for virus scanning and update its extended system attributes.
2087  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2088  * PRIV_FILE_FLAG_SET - set extended system attributes
2089  *
2090  * PRIV_POLICY checks the privilege and audits the check.
2091  *
2092  * Returns:
2093  * 0      file access for virus scanning allowed.
2094  * EPERM  file access for virus scanning is NOT permitted.
2095  */
2096 int
2097 secpolicy_vscan(const cred_t *cr)
2098 {
2099 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2100 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2101 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2102 		return (EPERM);
2103 	}
2104 
2105 	return (0);
2106 }
2107