xref: /titanic_51/usr/src/cmd/zoneadm/zoneadm.c (revision 53a7b6b6763f5865522a76e5e887390a8f4777d7)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * zoneadm is a command interpreter for zone administration.  It is all in
29  * C (i.e., no lex/yacc), and all the argument passing is argc/argv based.
30  * main() calls parse_and_run() which calls cmd_match(), then invokes the
31  * appropriate command's handler function.  The rest of the program is the
32  * handler functions and their helper functions.
33  *
34  * Some of the helper functions are used largely to simplify I18N: reducing
35  * the need for translation notes.  This is particularly true of many of
36  * the zerror() calls: doing e.g. zerror(gettext("%s failed"), "foo") rather
37  * than zerror(gettext("foo failed")) with a translation note indicating
38  * that "foo" need not be translated.
39  */
40 
41 #include <stdio.h>
42 #include <errno.h>
43 #include <unistd.h>
44 #include <signal.h>
45 #include <stdarg.h>
46 #include <ctype.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <wait.h>
50 #include <zone.h>
51 #include <priv.h>
52 #include <locale.h>
53 #include <libintl.h>
54 #include <libzonecfg.h>
55 #include <bsm/adt.h>
56 #include <sys/brand.h>
57 #include <sys/param.h>
58 #include <sys/types.h>
59 #include <sys/stat.h>
60 #include <sys/statvfs.h>
61 #include <assert.h>
62 #include <sys/sockio.h>
63 #include <sys/mntent.h>
64 #include <limits.h>
65 #include <dirent.h>
66 #include <uuid/uuid.h>
67 #include <libdlpi.h>
68 
69 #include <fcntl.h>
70 #include <door.h>
71 #include <macros.h>
72 #include <libgen.h>
73 #include <fnmatch.h>
74 #include <sys/modctl.h>
75 #include <libbrand.h>
76 #include <libscf.h>
77 #include <procfs.h>
78 #include <strings.h>
79 
80 #include <pool.h>
81 #include <sys/pool.h>
82 #include <sys/priocntl.h>
83 #include <sys/fsspriocntl.h>
84 
85 #include "zoneadm.h"
86 
87 #define	MAXARGS	8
88 
89 /* Reflects kernel zone entries */
90 typedef struct zone_entry {
91 	zoneid_t	zid;
92 	char		zname[ZONENAME_MAX];
93 	char		*zstate_str;
94 	zone_state_t	zstate_num;
95 	char		zbrand[MAXNAMELEN];
96 	char		zroot[MAXPATHLEN];
97 	char		zuuid[UUID_PRINTABLE_STRING_LENGTH];
98 	zone_iptype_t	ziptype;
99 } zone_entry_t;
100 
101 #define	CLUSTER_BRAND_NAME	"cluster"
102 
103 static zone_entry_t *zents;
104 static size_t nzents;
105 static boolean_t is_native_zone = B_TRUE;
106 
107 #define	LOOPBACK_IF	"lo0"
108 #define	SOCKET_AF(af)	(((af) == AF_UNSPEC) ? AF_INET : (af))
109 
110 struct net_if {
111 	char	*name;
112 	int	af;
113 };
114 
115 /* 0755 is the default directory mode. */
116 #define	DEFAULT_DIR_MODE \
117 	(S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)
118 
119 struct cmd {
120 	uint_t	cmd_num;				/* command number */
121 	char	*cmd_name;				/* command name */
122 	char	*short_usage;				/* short form help */
123 	int	(*handler)(int argc, char *argv[]);	/* function to call */
124 
125 };
126 
127 #define	SHELP_HELP	"help"
128 #define	SHELP_BOOT	"boot [-- boot_arguments]"
129 #define	SHELP_HALT	"halt"
130 #define	SHELP_READY	"ready"
131 #define	SHELP_REBOOT	"reboot [-- boot_arguments]"
132 #define	SHELP_LIST	"list [-cipv]"
133 #define	SHELP_VERIFY	"verify"
134 #define	SHELP_INSTALL	"install [-x nodataset] [brand-specific args]"
135 #define	SHELP_UNINSTALL	"uninstall [-F] [brand-specific args]"
136 #define	SHELP_CLONE	"clone [-m method] [-s <ZFS snapshot>] "\
137 	"[brand-specific args] zonename"
138 #define	SHELP_MOVE	"move zonepath"
139 #define	SHELP_DETACH	"detach [-n] [brand-specific args]"
140 #define	SHELP_ATTACH	"attach [-F] [-n <path>] [brand-specific args]"
141 #define	SHELP_MARK	"mark incomplete"
142 
143 #define	EXEC_PREFIX	"exec "
144 #define	EXEC_LEN	(strlen(EXEC_PREFIX))
145 #define	RMCOMMAND	"/usr/bin/rm -rf"
146 
147 static int cleanup_zonepath(char *, boolean_t);
148 
149 
150 static int help_func(int argc, char *argv[]);
151 static int ready_func(int argc, char *argv[]);
152 static int boot_func(int argc, char *argv[]);
153 static int halt_func(int argc, char *argv[]);
154 static int reboot_func(int argc, char *argv[]);
155 static int list_func(int argc, char *argv[]);
156 static int verify_func(int argc, char *argv[]);
157 static int install_func(int argc, char *argv[]);
158 static int uninstall_func(int argc, char *argv[]);
159 static int mount_func(int argc, char *argv[]);
160 static int unmount_func(int argc, char *argv[]);
161 static int clone_func(int argc, char *argv[]);
162 static int move_func(int argc, char *argv[]);
163 static int detach_func(int argc, char *argv[]);
164 static int attach_func(int argc, char *argv[]);
165 static int mark_func(int argc, char *argv[]);
166 static int apply_func(int argc, char *argv[]);
167 static int sanity_check(char *zone, int cmd_num, boolean_t running,
168     boolean_t unsafe_when_running, boolean_t force);
169 static int cmd_match(char *cmd);
170 static int verify_details(int, char *argv[]);
171 static int verify_brand(zone_dochandle_t, int, char *argv[]);
172 static int invoke_brand_handler(int, char *argv[]);
173 
174 static struct cmd cmdtab[] = {
175 	{ CMD_HELP,		"help",		SHELP_HELP,	help_func },
176 	{ CMD_BOOT,		"boot",		SHELP_BOOT,	boot_func },
177 	{ CMD_HALT,		"halt",		SHELP_HALT,	halt_func },
178 	{ CMD_READY,		"ready",	SHELP_READY,	ready_func },
179 	{ CMD_REBOOT,		"reboot",	SHELP_REBOOT,	reboot_func },
180 	{ CMD_LIST,		"list",		SHELP_LIST,	list_func },
181 	{ CMD_VERIFY,		"verify",	SHELP_VERIFY,	verify_func },
182 	{ CMD_INSTALL,		"install",	SHELP_INSTALL,	install_func },
183 	{ CMD_UNINSTALL,	"uninstall",	SHELP_UNINSTALL,
184 	    uninstall_func },
185 	/* mount and unmount are private commands for admin/install */
186 	{ CMD_MOUNT,		"mount",	NULL,		mount_func },
187 	{ CMD_UNMOUNT,		"unmount",	NULL,		unmount_func },
188 	{ CMD_CLONE,		"clone",	SHELP_CLONE,	clone_func },
189 	{ CMD_MOVE,		"move",		SHELP_MOVE,	move_func },
190 	{ CMD_DETACH,		"detach",	SHELP_DETACH,	detach_func },
191 	{ CMD_ATTACH,		"attach",	SHELP_ATTACH,	attach_func },
192 	{ CMD_MARK,		"mark",		SHELP_MARK,	mark_func },
193 	{ CMD_APPLY,		"apply",	NULL,		apply_func }
194 };
195 
196 /* global variables */
197 
198 /* set early in main(), never modified thereafter, used all over the place */
199 static char *execname;
200 static char target_brand[MAXNAMELEN];
201 static char *locale;
202 char *target_zone;
203 static char *target_uuid;
204 
205 /* used in do_subproc() and signal handler */
206 static volatile boolean_t child_killed;
207 static int do_subproc_cnt = 0;
208 
209 /*
210  * Used to indicate whether this zoneadm instance has another zoneadm
211  * instance in its ancestry.
212  */
213 static boolean_t zoneadm_is_nested = B_FALSE;
214 
215 char *
216 cmd_to_str(int cmd_num)
217 {
218 	assert(cmd_num >= CMD_MIN && cmd_num <= CMD_MAX);
219 	return (cmdtab[cmd_num].cmd_name);
220 }
221 
222 /* This is a separate function because of gettext() wrapping. */
223 static char *
224 long_help(int cmd_num)
225 {
226 	assert(cmd_num >= CMD_MIN && cmd_num <= CMD_MAX);
227 	switch (cmd_num) {
228 	case CMD_HELP:
229 		return (gettext("Print usage message."));
230 	case CMD_BOOT:
231 		return (gettext("Activates (boots) specified zone.  See "
232 		    "zoneadm(1m) for valid boot\n\targuments."));
233 	case CMD_HALT:
234 		return (gettext("Halts specified zone, bypassing shutdown "
235 		    "scripts and removing runtime\n\tresources of the zone."));
236 	case CMD_READY:
237 		return (gettext("Prepares a zone for running applications but "
238 		    "does not start any user\n\tprocesses in the zone."));
239 	case CMD_REBOOT:
240 		return (gettext("Restarts the zone (equivalent to a halt / "
241 		    "boot sequence).\n\tFails if the zone is not active.  "
242 		    "See zoneadm(1m) for valid boot\n\targuments."));
243 	case CMD_LIST:
244 		return (gettext("Lists the current zones, or a "
245 		    "specific zone if indicated.  By default,\n\tall "
246 		    "running zones are listed, though this can be "
247 		    "expanded to all\n\tinstalled zones with the -i "
248 		    "option or all configured zones with the\n\t-c "
249 		    "option.  When used with the general -z <zone> and/or -u "
250 		    "<uuid-match>\n\toptions, lists only the specified "
251 		    "matching zone, but lists it\n\tregardless of its state, "
252 		    "and the -i and -c options are disallowed.  The\n\t-v "
253 		    "option can be used to display verbose information: zone "
254 		    "name, id,\n\tcurrent state, root directory and options.  "
255 		    "The -p option can be used\n\tto request machine-parsable "
256 		    "output.  The -v and -p options are mutually\n\texclusive."
257 		    "  If neither -v nor -p is used, just the zone name is "
258 		    "listed."));
259 	case CMD_VERIFY:
260 		return (gettext("Check to make sure the configuration "
261 		    "can safely be instantiated\n\ton the machine: "
262 		    "physical network interfaces exist, etc."));
263 	case CMD_INSTALL:
264 		return (gettext("Install the configuration on to the system.  "
265 		    "The -x nodataset option\n\tcan be used to prevent the "
266 		    "creation of a new ZFS file system for the\n\tzone "
267 		    "(assuming the zonepath is within a ZFS file system).\n\t"
268 		    "All other arguments are passed to the brand installation "
269 		    "function;\n\tsee brands(5) for more information."));
270 	case CMD_UNINSTALL:
271 		return (gettext("Uninstall the configuration from the system.  "
272 		    "The -F flag can be used\n\tto force the action.  All "
273 		    "other arguments are passed to the brand\n\tuninstall "
274 		    "function; see brands(5) for more information."));
275 	case CMD_CLONE:
276 		return (gettext("Clone the installation of another zone.  "
277 		    "The -m option can be used to\n\tspecify 'copy' which "
278 		    "forces a copy of the source zone.  The -s option\n\t"
279 		    "can be used to specify the name of a ZFS snapshot "
280 		    "that was taken from\n\ta previous clone command.  The "
281 		    "snapshot will be used as the source\n\tinstead of "
282 		    "creating a new ZFS snapshot.  All other arguments are "
283 		    "passed\n\tto the brand clone function; see "
284 		    "brands(5) for more information."));
285 	case CMD_MOVE:
286 		return (gettext("Move the zone to a new zonepath."));
287 	case CMD_DETACH:
288 		return (gettext("Detach the zone from the system. The zone "
289 		    "state is changed to\n\t'configured' (but the files under "
290 		    "the zonepath are untouched).\n\tThe zone can subsequently "
291 		    "be attached, or can be moved to another\n\tsystem and "
292 		    "attached there.  The -n option can be used to specify\n\t"
293 		    "'no-execute' mode.  When -n is used, the information "
294 		    "needed to attach\n\tthe zone is sent to standard output "
295 		    "but the zone is not actually\n\tdetached.  All other "
296 		    "arguments are passed to the brand detach function;\n\tsee "
297 		    "brands(5) for more information."));
298 	case CMD_ATTACH:
299 		return (gettext("Attach the zone to the system.  The zone "
300 		    "state must be 'configured'\n\tprior to attach; upon "
301 		    "successful completion, the zone state will be\n\t"
302 		    "'installed'.  The system software on the current "
303 		    "system must be\n\tcompatible with the software on the "
304 		    "zone's original system.\n\tSpecify -F "
305 		    "to force the attach and skip software compatibility "
306 		    "tests.\n\tThe -n option can be used to specify "
307 		    "'no-execute' mode.  When -n is\n\tused, the information "
308 		    "needed to attach the zone is read from the\n\tspecified "
309 		    "path and the configuration is only validated.  The path "
310 		    "can\n\tbe '-' to specify standard input.  The -F and -n "
311 		    "options are mutually\n\texclusive.  All other arguments "
312 		    "are passed to the brand attach\n\tfunction; see "
313 		    "brands(5) for more information."));
314 	case CMD_MARK:
315 		return (gettext("Set the state of the zone.  This can be used "
316 		    "to force the zone\n\tstate to 'incomplete' "
317 		    "administratively if some activity has rendered\n\tthe "
318 		    "zone permanently unusable.  The only valid state that "
319 		    "may be\n\tspecified is 'incomplete'."));
320 	default:
321 		return ("");
322 	}
323 	/* NOTREACHED */
324 	return (NULL);
325 }
326 
327 /*
328  * Called with explicit B_TRUE when help is explicitly requested, B_FALSE for
329  * unexpected errors.
330  */
331 
332 static int
333 usage(boolean_t explicit)
334 {
335 	int i;
336 	FILE *fd = explicit ? stdout : stderr;
337 
338 	(void) fprintf(fd, "%s:\t%s help\n", gettext("usage"), execname);
339 	(void) fprintf(fd, "\t%s [-z <zone>] [-u <uuid-match>] list\n",
340 	    execname);
341 	(void) fprintf(fd, "\t%s {-z <zone>|-u <uuid-match>} <%s>\n", execname,
342 	    gettext("subcommand"));
343 	(void) fprintf(fd, "\n%s:\n\n", gettext("Subcommands"));
344 	for (i = CMD_MIN; i <= CMD_MAX; i++) {
345 		if (cmdtab[i].short_usage == NULL)
346 			continue;
347 		(void) fprintf(fd, "%s\n", cmdtab[i].short_usage);
348 		if (explicit)
349 			(void) fprintf(fd, "\t%s\n\n", long_help(i));
350 	}
351 	if (!explicit)
352 		(void) fputs("\n", fd);
353 	return (Z_USAGE);
354 }
355 
356 static void
357 sub_usage(char *short_usage, int cmd_num)
358 {
359 	(void) fprintf(stderr, "%s:\t%s\n", gettext("usage"), short_usage);
360 	(void) fprintf(stderr, "\t%s\n", long_help(cmd_num));
361 }
362 
363 /*
364  * zperror() is like perror(3c) except that this also prints the executable
365  * name at the start of the message, and takes a boolean indicating whether
366  * to call libc'c strerror() or that from libzonecfg.
367  */
368 
369 void
370 zperror(const char *str, boolean_t zonecfg_error)
371 {
372 	(void) fprintf(stderr, "%s: %s: %s\n", execname, str,
373 	    zonecfg_error ? zonecfg_strerror(errno) : strerror(errno));
374 }
375 
376 /*
377  * zperror2() is very similar to zperror() above, except it also prints a
378  * supplied zone name after the executable.
379  *
380  * All current consumers of this function want libzonecfg's strerror() rather
381  * than libc's; if this ever changes, this function can be made more generic
382  * like zperror() above.
383  */
384 
385 void
386 zperror2(const char *zone, const char *str)
387 {
388 	(void) fprintf(stderr, "%s: %s: %s: %s\n", execname, zone, str,
389 	    zonecfg_strerror(errno));
390 }
391 
392 /* PRINTFLIKE1 */
393 void
394 zerror(const char *fmt, ...)
395 {
396 	va_list alist;
397 
398 	va_start(alist, fmt);
399 	(void) fprintf(stderr, "%s: ", execname);
400 	if (target_zone != NULL)
401 		(void) fprintf(stderr, "zone '%s': ", target_zone);
402 	(void) vfprintf(stderr, fmt, alist);
403 	(void) fprintf(stderr, "\n");
404 	va_end(alist);
405 }
406 
407 static void *
408 safe_calloc(size_t nelem, size_t elsize)
409 {
410 	void *r = calloc(nelem, elsize);
411 
412 	if (r == NULL) {
413 		zerror(gettext("failed to allocate %lu bytes: %s"),
414 		    (ulong_t)nelem * elsize, strerror(errno));
415 		exit(Z_ERR);
416 	}
417 	return (r);
418 }
419 
420 static void
421 zone_print(zone_entry_t *zent, boolean_t verbose, boolean_t parsable)
422 {
423 	static boolean_t firsttime = B_TRUE;
424 	char *ip_type_str;
425 
426 	if (zent->ziptype == ZS_EXCLUSIVE)
427 		ip_type_str = "excl";
428 	else
429 		ip_type_str = "shared";
430 
431 	assert(!(verbose && parsable));
432 	if (firsttime && verbose) {
433 		firsttime = B_FALSE;
434 		(void) printf("%*s %-16s %-10s %-30s %-8s %-6s\n",
435 		    ZONEID_WIDTH, "ID", "NAME", "STATUS", "PATH", "BRAND",
436 		    "IP");
437 	}
438 	if (!verbose) {
439 		char *cp, *clim;
440 
441 		if (!parsable) {
442 			(void) printf("%s\n", zent->zname);
443 			return;
444 		}
445 		if (zent->zid == ZONE_ID_UNDEFINED)
446 			(void) printf("-");
447 		else
448 			(void) printf("%lu", zent->zid);
449 		(void) printf(":%s:%s:", zent->zname, zent->zstate_str);
450 		cp = zent->zroot;
451 		while ((clim = strchr(cp, ':')) != NULL) {
452 			(void) printf("%.*s\\:", clim - cp, cp);
453 			cp = clim + 1;
454 		}
455 		(void) printf("%s:%s:%s:%s\n", cp, zent->zuuid, zent->zbrand,
456 		    ip_type_str);
457 		return;
458 	}
459 	if (zent->zstate_str != NULL) {
460 		if (zent->zid == ZONE_ID_UNDEFINED)
461 			(void) printf("%*s", ZONEID_WIDTH, "-");
462 		else
463 			(void) printf("%*lu", ZONEID_WIDTH, zent->zid);
464 		(void) printf(" %-16s %-10s %-30s %-8s %-6s\n", zent->zname,
465 		    zent->zstate_str, zent->zroot, zent->zbrand, ip_type_str);
466 	}
467 }
468 
469 static int
470 lookup_zone_info(const char *zone_name, zoneid_t zid, zone_entry_t *zent)
471 {
472 	char root[MAXPATHLEN], *cp;
473 	int err;
474 	uuid_t uuid;
475 
476 	(void) strlcpy(zent->zname, zone_name, sizeof (zent->zname));
477 	(void) strlcpy(zent->zroot, "???", sizeof (zent->zroot));
478 	(void) strlcpy(zent->zbrand, "???", sizeof (zent->zbrand));
479 	zent->zstate_str = "???";
480 
481 	zent->zid = zid;
482 
483 	if (zonecfg_get_uuid(zone_name, uuid) == Z_OK &&
484 	    !uuid_is_null(uuid))
485 		uuid_unparse(uuid, zent->zuuid);
486 	else
487 		zent->zuuid[0] = '\0';
488 
489 	/*
490 	 * For labeled zones which query the zone path of lower-level
491 	 * zones, the path needs to be adjusted to drop the final
492 	 * "/root" component. This adjusted path is then useful
493 	 * for reading down any exported directories from the
494 	 * lower-level zone.
495 	 */
496 	if (is_system_labeled() && zent->zid != ZONE_ID_UNDEFINED) {
497 		if (zone_getattr(zent->zid, ZONE_ATTR_ROOT, zent->zroot,
498 		    sizeof (zent->zroot)) == -1) {
499 			zperror2(zent->zname,
500 			    gettext("could not get zone path."));
501 			return (Z_ERR);
502 		}
503 		cp = zent->zroot + strlen(zent->zroot) - 5;
504 		if (cp > zent->zroot && strcmp(cp, "/root") == 0)
505 			*cp = 0;
506 	} else {
507 		if ((err = zone_get_zonepath(zent->zname, root,
508 		    sizeof (root))) != Z_OK) {
509 			errno = err;
510 			zperror2(zent->zname,
511 			    gettext("could not get zone path."));
512 			return (Z_ERR);
513 		}
514 		(void) strlcpy(zent->zroot, root, sizeof (zent->zroot));
515 	}
516 
517 	if ((err = zone_get_state(zent->zname, &zent->zstate_num)) != Z_OK) {
518 		errno = err;
519 		zperror2(zent->zname, gettext("could not get state"));
520 		return (Z_ERR);
521 	}
522 	zent->zstate_str = zone_state_str(zent->zstate_num);
523 
524 	/*
525 	 * A zone's brand is only available in the .xml file describing it,
526 	 * which is only visible to the global zone.  This causes
527 	 * zone_get_brand() to fail when called from within a non-global
528 	 * zone.  Fortunately we only do this on labeled systems, where we
529 	 * know all zones are native.
530 	 */
531 	if (getzoneid() != GLOBAL_ZONEID) {
532 		assert(is_system_labeled() != 0);
533 		(void) strlcpy(zent->zbrand, NATIVE_BRAND_NAME,
534 		    sizeof (zent->zbrand));
535 	} else if (zone_get_brand(zent->zname, zent->zbrand,
536 	    sizeof (zent->zbrand)) != Z_OK) {
537 		zperror2(zent->zname, gettext("could not get brand name"));
538 		return (Z_ERR);
539 	}
540 
541 	/*
542 	 * Get ip type of the zone.
543 	 * Note for global zone, ZS_SHARED is set always.
544 	 */
545 	if (zid == GLOBAL_ZONEID) {
546 		zent->ziptype = ZS_SHARED;
547 	} else {
548 
549 		if (zent->zstate_num == ZONE_STATE_RUNNING) {
550 			ushort_t flags;
551 
552 			if (zone_getattr(zid, ZONE_ATTR_FLAGS, &flags,
553 			    sizeof (flags)) < 0) {
554 				zperror2(zent->zname,
555 				    gettext("could not get zone flags"));
556 				return (Z_ERR);
557 			}
558 			if (flags & ZF_NET_EXCL)
559 				zent->ziptype = ZS_EXCLUSIVE;
560 			else
561 				zent->ziptype = ZS_SHARED;
562 		} else {
563 			zone_dochandle_t handle;
564 
565 			if ((handle = zonecfg_init_handle()) == NULL) {
566 				zperror2(zent->zname,
567 				    gettext("could not init handle"));
568 				return (Z_ERR);
569 			}
570 			if ((err = zonecfg_get_handle(zent->zname, handle))
571 			    != Z_OK) {
572 				zperror2(zent->zname,
573 				    gettext("could not get handle"));
574 				zonecfg_fini_handle(handle);
575 				return (Z_ERR);
576 			}
577 
578 			if ((err = zonecfg_get_iptype(handle, &zent->ziptype))
579 			    != Z_OK) {
580 				zperror2(zent->zname,
581 				    gettext("could not get ip-type"));
582 				zonecfg_fini_handle(handle);
583 				return (Z_ERR);
584 			}
585 			zonecfg_fini_handle(handle);
586 		}
587 	}
588 
589 	return (Z_OK);
590 }
591 
592 /*
593  * fetch_zents() calls zone_list(2) to find out how many zones are running
594  * (which is stored in the global nzents), then calls zone_list(2) again
595  * to fetch the list of running zones (stored in the global zents).  This
596  * function may be called multiple times, so if zents is already set, we
597  * return immediately to save work.
598  */
599 
600 static int
601 fetch_zents(void)
602 {
603 	zoneid_t *zids = NULL;
604 	uint_t nzents_saved;
605 	int i, retv;
606 	FILE *fp;
607 	boolean_t inaltroot;
608 	zone_entry_t *zentp;
609 
610 	if (nzents > 0)
611 		return (Z_OK);
612 
613 	if (zone_list(NULL, &nzents) != 0) {
614 		zperror(gettext("failed to get zoneid list"), B_FALSE);
615 		return (Z_ERR);
616 	}
617 
618 again:
619 	if (nzents == 0)
620 		return (Z_OK);
621 
622 	zids = safe_calloc(nzents, sizeof (zoneid_t));
623 	nzents_saved = nzents;
624 
625 	if (zone_list(zids, &nzents) != 0) {
626 		zperror(gettext("failed to get zone list"), B_FALSE);
627 		free(zids);
628 		return (Z_ERR);
629 	}
630 	if (nzents != nzents_saved) {
631 		/* list changed, try again */
632 		free(zids);
633 		goto again;
634 	}
635 
636 	zents = safe_calloc(nzents, sizeof (zone_entry_t));
637 
638 	inaltroot = zonecfg_in_alt_root();
639 	if (inaltroot)
640 		fp = zonecfg_open_scratch("", B_FALSE);
641 	else
642 		fp = NULL;
643 	zentp = zents;
644 	retv = Z_OK;
645 	for (i = 0; i < nzents; i++) {
646 		char name[ZONENAME_MAX];
647 		char altname[ZONENAME_MAX];
648 
649 		if (getzonenamebyid(zids[i], name, sizeof (name)) < 0) {
650 			zperror(gettext("failed to get zone name"), B_FALSE);
651 			retv = Z_ERR;
652 			continue;
653 		}
654 		if (zonecfg_is_scratch(name)) {
655 			/* Ignore scratch zones by default */
656 			if (!inaltroot)
657 				continue;
658 			if (fp == NULL ||
659 			    zonecfg_reverse_scratch(fp, name, altname,
660 			    sizeof (altname), NULL, 0) == -1) {
661 				zerror(gettext("could not resolve scratch "
662 				    "zone %s"), name);
663 				retv = Z_ERR;
664 				continue;
665 			}
666 			(void) strcpy(name, altname);
667 		} else {
668 			/* Ignore non-scratch when in an alternate root */
669 			if (inaltroot && strcmp(name, GLOBAL_ZONENAME) != 0)
670 				continue;
671 		}
672 		if (lookup_zone_info(name, zids[i], zentp) != Z_OK) {
673 			zerror(gettext("failed to get zone data"));
674 			retv = Z_ERR;
675 			continue;
676 		}
677 		zentp++;
678 	}
679 	nzents = zentp - zents;
680 	if (fp != NULL)
681 		zonecfg_close_scratch(fp);
682 
683 	free(zids);
684 	return (retv);
685 }
686 
687 static int
688 zone_print_list(zone_state_t min_state, boolean_t verbose, boolean_t parsable)
689 {
690 	int i;
691 	zone_entry_t zent;
692 	FILE *cookie;
693 	char *name;
694 
695 	/*
696 	 * First get the list of running zones from the kernel and print them.
697 	 * If that is all we need, then return.
698 	 */
699 	if ((i = fetch_zents()) != Z_OK) {
700 		/*
701 		 * No need for error messages; fetch_zents() has already taken
702 		 * care of this.
703 		 */
704 		return (i);
705 	}
706 	for (i = 0; i < nzents; i++)
707 		zone_print(&zents[i], verbose, parsable);
708 	if (min_state >= ZONE_STATE_RUNNING)
709 		return (Z_OK);
710 	/*
711 	 * Next, get the full list of zones from the configuration, skipping
712 	 * any we have already printed.
713 	 */
714 	cookie = setzoneent();
715 	while ((name = getzoneent(cookie)) != NULL) {
716 		for (i = 0; i < nzents; i++) {
717 			if (strcmp(zents[i].zname, name) == 0)
718 				break;
719 		}
720 		if (i < nzents) {
721 			free(name);
722 			continue;
723 		}
724 		if (lookup_zone_info(name, ZONE_ID_UNDEFINED, &zent) != Z_OK) {
725 			free(name);
726 			continue;
727 		}
728 		free(name);
729 		if (zent.zstate_num >= min_state)
730 			zone_print(&zent, verbose, parsable);
731 	}
732 	endzoneent(cookie);
733 	return (Z_OK);
734 }
735 
736 /*
737  * Retrieve a zone entry by name.  Returns NULL if no such zone exists.
738  */
739 static zone_entry_t *
740 lookup_running_zone(const char *str)
741 {
742 	int i;
743 
744 	if (fetch_zents() != Z_OK)
745 		return (NULL);
746 
747 	for (i = 0; i < nzents; i++) {
748 		if (strcmp(str, zents[i].zname) == 0)
749 			return (&zents[i]);
750 	}
751 	return (NULL);
752 }
753 
754 /*
755  * Check a bit in a mode_t: if on is B_TRUE, that bit should be on; if
756  * B_FALSE, it should be off.  Return B_TRUE if the mode is bad (incorrect).
757  */
758 static boolean_t
759 bad_mode_bit(mode_t mode, mode_t bit, boolean_t on, char *file)
760 {
761 	char *str;
762 
763 	assert(bit == S_IRUSR || bit == S_IWUSR || bit == S_IXUSR ||
764 	    bit == S_IRGRP || bit == S_IWGRP || bit == S_IXGRP ||
765 	    bit == S_IROTH || bit == S_IWOTH || bit == S_IXOTH);
766 	/*
767 	 * TRANSLATION_NOTE
768 	 * The strings below will be used as part of a larger message,
769 	 * either:
770 	 * (file name) must be (owner|group|world) (read|writ|execut)able
771 	 * or
772 	 * (file name) must not be (owner|group|world) (read|writ|execut)able
773 	 */
774 	switch (bit) {
775 	case S_IRUSR:
776 		str = gettext("owner readable");
777 		break;
778 	case S_IWUSR:
779 		str = gettext("owner writable");
780 		break;
781 	case S_IXUSR:
782 		str = gettext("owner executable");
783 		break;
784 	case S_IRGRP:
785 		str = gettext("group readable");
786 		break;
787 	case S_IWGRP:
788 		str = gettext("group writable");
789 		break;
790 	case S_IXGRP:
791 		str = gettext("group executable");
792 		break;
793 	case S_IROTH:
794 		str = gettext("world readable");
795 		break;
796 	case S_IWOTH:
797 		str = gettext("world writable");
798 		break;
799 	case S_IXOTH:
800 		str = gettext("world executable");
801 		break;
802 	}
803 	if ((mode & bit) == (on ? 0 : bit)) {
804 		/*
805 		 * TRANSLATION_NOTE
806 		 * The first parameter below is a file name; the second
807 		 * is one of the "(owner|group|world) (read|writ|execut)able"
808 		 * strings from above.
809 		 */
810 		/*
811 		 * The code below could be simplified but not in a way
812 		 * that would easily translate to non-English locales.
813 		 */
814 		if (on) {
815 			(void) fprintf(stderr, gettext("%s must be %s.\n"),
816 			    file, str);
817 		} else {
818 			(void) fprintf(stderr, gettext("%s must not be %s.\n"),
819 			    file, str);
820 		}
821 		return (B_TRUE);
822 	}
823 	return (B_FALSE);
824 }
825 
826 /*
827  * We want to make sure that no zone has its zone path as a child node
828  * (in the directory sense) of any other.  We do that by comparing this
829  * zone's path to the path of all other (non-global) zones.  The comparison
830  * in each case is simple: add '/' to the end of the path, then do a
831  * strncmp() of the two paths, using the length of the shorter one.
832  */
833 
834 static int
835 crosscheck_zonepaths(char *path)
836 {
837 	char rpath[MAXPATHLEN];		/* resolved path */
838 	char path_copy[MAXPATHLEN];	/* copy of original path */
839 	char rpath_copy[MAXPATHLEN];	/* copy of original rpath */
840 	struct zoneent *ze;
841 	int res, err;
842 	FILE *cookie;
843 
844 	cookie = setzoneent();
845 	while ((ze = getzoneent_private(cookie)) != NULL) {
846 		/* Skip zones which are not installed. */
847 		if (ze->zone_state < ZONE_STATE_INSTALLED) {
848 			free(ze);
849 			continue;
850 		}
851 		/* Skip the global zone and the current target zone. */
852 		if (strcmp(ze->zone_name, GLOBAL_ZONENAME) == 0 ||
853 		    strcmp(ze->zone_name, target_zone) == 0) {
854 			free(ze);
855 			continue;
856 		}
857 		if (strlen(ze->zone_path) == 0) {
858 			/* old index file without path, fall back */
859 			if ((err = zone_get_zonepath(ze->zone_name,
860 			    ze->zone_path, sizeof (ze->zone_path))) != Z_OK) {
861 				errno = err;
862 				zperror2(ze->zone_name,
863 				    gettext("could not get zone path"));
864 				free(ze);
865 				continue;
866 			}
867 		}
868 		(void) snprintf(path_copy, sizeof (path_copy), "%s%s",
869 		    zonecfg_get_root(), ze->zone_path);
870 		res = resolvepath(path_copy, rpath, sizeof (rpath));
871 		if (res == -1) {
872 			if (errno != ENOENT) {
873 				zperror(path_copy, B_FALSE);
874 				free(ze);
875 				return (Z_ERR);
876 			}
877 			(void) printf(gettext("WARNING: zone %s is installed, "
878 			    "but its %s %s does not exist.\n"), ze->zone_name,
879 			    "zonepath", path_copy);
880 			free(ze);
881 			continue;
882 		}
883 		rpath[res] = '\0';
884 		(void) snprintf(path_copy, sizeof (path_copy), "%s/", path);
885 		(void) snprintf(rpath_copy, sizeof (rpath_copy), "%s/", rpath);
886 		if (strncmp(path_copy, rpath_copy,
887 		    min(strlen(path_copy), strlen(rpath_copy))) == 0) {
888 			/*
889 			 * TRANSLATION_NOTE
890 			 * zonepath is a literal that should not be translated.
891 			 */
892 			(void) fprintf(stderr, gettext("%s zonepath (%s) and "
893 			    "%s zonepath (%s) overlap.\n"),
894 			    target_zone, path, ze->zone_name, rpath);
895 			free(ze);
896 			return (Z_ERR);
897 		}
898 		free(ze);
899 	}
900 	endzoneent(cookie);
901 	return (Z_OK);
902 }
903 
904 static int
905 validate_zonepath(char *path, int cmd_num)
906 {
907 	int res;			/* result of last library/system call */
908 	boolean_t err = B_FALSE;	/* have we run into an error? */
909 	struct stat stbuf;
910 	struct statvfs64 vfsbuf;
911 	char rpath[MAXPATHLEN];		/* resolved path */
912 	char ppath[MAXPATHLEN];		/* parent path */
913 	char rppath[MAXPATHLEN];	/* resolved parent path */
914 	char rootpath[MAXPATHLEN];	/* root path */
915 	zone_state_t state;
916 
917 	if (path[0] != '/') {
918 		(void) fprintf(stderr,
919 		    gettext("%s is not an absolute path.\n"), path);
920 		return (Z_ERR);
921 	}
922 	if ((res = resolvepath(path, rpath, sizeof (rpath))) == -1) {
923 		if ((errno != ENOENT) ||
924 		    (cmd_num != CMD_VERIFY && cmd_num != CMD_INSTALL &&
925 		    cmd_num != CMD_CLONE && cmd_num != CMD_MOVE)) {
926 			zperror(path, B_FALSE);
927 			return (Z_ERR);
928 		}
929 		if (cmd_num == CMD_VERIFY) {
930 			/*
931 			 * TRANSLATION_NOTE
932 			 * zoneadm is a literal that should not be translated.
933 			 */
934 			(void) fprintf(stderr, gettext("WARNING: %s does not "
935 			    "exist, so it could not be verified.\nWhen "
936 			    "'zoneadm %s' is run, '%s' will try to create\n%s, "
937 			    "and '%s' will be tried again,\nbut the '%s' may "
938 			    "fail if:\nthe parent directory of %s is group- or "
939 			    "other-writable\nor\n%s overlaps with any other "
940 			    "installed zones.\n"), path,
941 			    cmd_to_str(CMD_INSTALL), cmd_to_str(CMD_INSTALL),
942 			    path, cmd_to_str(CMD_VERIFY),
943 			    cmd_to_str(CMD_VERIFY), path, path);
944 			return (Z_OK);
945 		}
946 		/*
947 		 * The zonepath is supposed to be mode 700 but its
948 		 * parent(s) 755.  So use 755 on the mkdirp() then
949 		 * chmod() the zonepath itself to 700.
950 		 */
951 		if (mkdirp(path, DEFAULT_DIR_MODE) < 0) {
952 			zperror(path, B_FALSE);
953 			return (Z_ERR);
954 		}
955 		/*
956 		 * If the chmod() fails, report the error, but might
957 		 * as well continue the verify procedure.
958 		 */
959 		if (chmod(path, S_IRWXU) != 0)
960 			zperror(path, B_FALSE);
961 		/*
962 		 * Since the mkdir() succeeded, we should not have to
963 		 * worry about a subsequent ENOENT, thus this should
964 		 * only recurse once.
965 		 */
966 		return (validate_zonepath(path, cmd_num));
967 	}
968 	rpath[res] = '\0';
969 	if (strcmp(path, rpath) != 0) {
970 		errno = Z_RESOLVED_PATH;
971 		zperror(path, B_TRUE);
972 		return (Z_ERR);
973 	}
974 	if ((res = stat(rpath, &stbuf)) != 0) {
975 		zperror(rpath, B_FALSE);
976 		return (Z_ERR);
977 	}
978 	if (!S_ISDIR(stbuf.st_mode)) {
979 		(void) fprintf(stderr, gettext("%s is not a directory.\n"),
980 		    rpath);
981 		return (Z_ERR);
982 	}
983 	if (strcmp(stbuf.st_fstype, MNTTYPE_TMPFS) == 0) {
984 		(void) printf(gettext("WARNING: %s is on a temporary "
985 		    "file system.\n"), rpath);
986 	}
987 	if (crosscheck_zonepaths(rpath) != Z_OK)
988 		return (Z_ERR);
989 	/*
990 	 * Try to collect and report as many minor errors as possible
991 	 * before returning, so the user can learn everything that needs
992 	 * to be fixed up front.
993 	 */
994 	if (stbuf.st_uid != 0) {
995 		(void) fprintf(stderr, gettext("%s is not owned by root.\n"),
996 		    rpath);
997 		err = B_TRUE;
998 	}
999 	err |= bad_mode_bit(stbuf.st_mode, S_IRUSR, B_TRUE, rpath);
1000 	err |= bad_mode_bit(stbuf.st_mode, S_IWUSR, B_TRUE, rpath);
1001 	err |= bad_mode_bit(stbuf.st_mode, S_IXUSR, B_TRUE, rpath);
1002 	err |= bad_mode_bit(stbuf.st_mode, S_IRGRP, B_FALSE, rpath);
1003 	err |= bad_mode_bit(stbuf.st_mode, S_IWGRP, B_FALSE, rpath);
1004 	err |= bad_mode_bit(stbuf.st_mode, S_IXGRP, B_FALSE, rpath);
1005 	err |= bad_mode_bit(stbuf.st_mode, S_IROTH, B_FALSE, rpath);
1006 	err |= bad_mode_bit(stbuf.st_mode, S_IWOTH, B_FALSE, rpath);
1007 	err |= bad_mode_bit(stbuf.st_mode, S_IXOTH, B_FALSE, rpath);
1008 
1009 	(void) snprintf(ppath, sizeof (ppath), "%s/..", path);
1010 	if ((res = resolvepath(ppath, rppath, sizeof (rppath))) == -1) {
1011 		zperror(ppath, B_FALSE);
1012 		return (Z_ERR);
1013 	}
1014 	rppath[res] = '\0';
1015 	if ((res = stat(rppath, &stbuf)) != 0) {
1016 		zperror(rppath, B_FALSE);
1017 		return (Z_ERR);
1018 	}
1019 	/* theoretically impossible */
1020 	if (!S_ISDIR(stbuf.st_mode)) {
1021 		(void) fprintf(stderr, gettext("%s is not a directory.\n"),
1022 		    rppath);
1023 		return (Z_ERR);
1024 	}
1025 	if (stbuf.st_uid != 0) {
1026 		(void) fprintf(stderr, gettext("%s is not owned by root.\n"),
1027 		    rppath);
1028 		err = B_TRUE;
1029 	}
1030 	err |= bad_mode_bit(stbuf.st_mode, S_IRUSR, B_TRUE, rppath);
1031 	err |= bad_mode_bit(stbuf.st_mode, S_IWUSR, B_TRUE, rppath);
1032 	err |= bad_mode_bit(stbuf.st_mode, S_IXUSR, B_TRUE, rppath);
1033 	err |= bad_mode_bit(stbuf.st_mode, S_IWGRP, B_FALSE, rppath);
1034 	err |= bad_mode_bit(stbuf.st_mode, S_IWOTH, B_FALSE, rppath);
1035 	if (strcmp(rpath, rppath) == 0) {
1036 		(void) fprintf(stderr, gettext("%s is its own parent.\n"),
1037 		    rppath);
1038 		err = B_TRUE;
1039 	}
1040 
1041 	if (statvfs64(rpath, &vfsbuf) != 0) {
1042 		zperror(rpath, B_FALSE);
1043 		return (Z_ERR);
1044 	}
1045 	if (strcmp(vfsbuf.f_basetype, MNTTYPE_NFS) == 0) {
1046 		/*
1047 		 * TRANSLATION_NOTE
1048 		 * Zonepath and NFS are literals that should not be translated.
1049 		 */
1050 		(void) fprintf(stderr, gettext("Zonepath %s is on an NFS "
1051 		    "mounted file system.\n"
1052 		    "\tA local file system must be used.\n"), rpath);
1053 		return (Z_ERR);
1054 	}
1055 	if (vfsbuf.f_flag & ST_NOSUID) {
1056 		/*
1057 		 * TRANSLATION_NOTE
1058 		 * Zonepath and nosuid are literals that should not be
1059 		 * translated.
1060 		 */
1061 		(void) fprintf(stderr, gettext("Zonepath %s is on a nosuid "
1062 		    "file system.\n"), rpath);
1063 		return (Z_ERR);
1064 	}
1065 
1066 	if ((res = zone_get_state(target_zone, &state)) != Z_OK) {
1067 		errno = res;
1068 		zperror2(target_zone, gettext("could not get state"));
1069 		return (Z_ERR);
1070 	}
1071 	/*
1072 	 * The existence of the root path is only bad in the configured state,
1073 	 * as it is *supposed* to be there at the installed and later states.
1074 	 * However, the root path is expected to be there if the zone is
1075 	 * detached.
1076 	 * State/command mismatches are caught earlier in verify_details().
1077 	 */
1078 	if (state == ZONE_STATE_CONFIGURED && cmd_num != CMD_ATTACH) {
1079 		if (snprintf(rootpath, sizeof (rootpath), "%s/root", rpath) >=
1080 		    sizeof (rootpath)) {
1081 			/*
1082 			 * TRANSLATION_NOTE
1083 			 * Zonepath is a literal that should not be translated.
1084 			 */
1085 			(void) fprintf(stderr,
1086 			    gettext("Zonepath %s is too long.\n"), rpath);
1087 			return (Z_ERR);
1088 		}
1089 		if ((res = stat(rootpath, &stbuf)) == 0) {
1090 			struct dirent	*dp;
1091 			DIR		*dirp;
1092 			boolean_t	empty = B_TRUE;
1093 
1094 			if (zonecfg_detached(rpath)) {
1095 				(void) fprintf(stderr,
1096 				    gettext("Cannot %s detached "
1097 				    "zone.\nUse attach or remove %s "
1098 				    "directory.\n"), cmd_to_str(cmd_num),
1099 				    rpath);
1100 				return (Z_ERR);
1101 			}
1102 
1103 			/* Not detached, check if it really looks ok. */
1104 
1105 			if (!S_ISDIR(stbuf.st_mode)) {
1106 				(void) fprintf(stderr, gettext("%s is not a "
1107 				    "directory.\n"), rootpath);
1108 				return (Z_ERR);
1109 			}
1110 
1111 			if (stbuf.st_uid != 0) {
1112 				(void) fprintf(stderr, gettext("%s is not "
1113 				    "owned by root.\n"), rootpath);
1114 				return (Z_ERR);
1115 			}
1116 
1117 			if ((stbuf.st_mode & 0777) != 0755) {
1118 				(void) fprintf(stderr, gettext("%s mode is not "
1119 				    "0755.\n"), rootpath);
1120 				return (Z_ERR);
1121 			}
1122 
1123 			if ((dirp = opendir(rootpath)) == NULL) {
1124 				(void) fprintf(stderr, gettext("Could not "
1125 				    "open rootpath %s\n"), rootpath);
1126 				return (Z_ERR);
1127 			}
1128 
1129 			/* Verify that the dir is empty. */
1130 			while ((dp = readdir(dirp)) != NULL) {
1131 				if (strcmp(dp->d_name, ".") == 0 ||
1132 				    strcmp(dp->d_name, "..") == 0)
1133 					continue;
1134 
1135 				empty = B_FALSE;
1136 				break;
1137 			}
1138 			(void) closedir(dirp);
1139 
1140 			if (!empty) {
1141 				(void) fprintf(stderr, gettext("Rootpath %s "
1142 				    "exists and contains data; remove or move "
1143 				    "aside prior to %s.\n"), rootpath,
1144 				    cmd_to_str(cmd_num));
1145 				return (Z_ERR);
1146 			}
1147 
1148 		}
1149 	}
1150 
1151 	return (err ? Z_ERR : Z_OK);
1152 }
1153 
1154 static int
1155 invoke_brand_handler(int cmd_num, char *argv[])
1156 {
1157 	zone_dochandle_t handle;
1158 	int err;
1159 
1160 	if ((handle = zonecfg_init_handle()) == NULL) {
1161 		zperror(cmd_to_str(cmd_num), B_TRUE);
1162 		return (Z_ERR);
1163 	}
1164 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
1165 		errno = err;
1166 		zperror(cmd_to_str(cmd_num), B_TRUE);
1167 		zonecfg_fini_handle(handle);
1168 		return (Z_ERR);
1169 	}
1170 	if (verify_brand(handle, cmd_num, argv) != Z_OK) {
1171 		zonecfg_fini_handle(handle);
1172 		return (Z_ERR);
1173 	}
1174 	zonecfg_fini_handle(handle);
1175 	return (Z_OK);
1176 }
1177 
1178 static int
1179 ready_func(int argc, char *argv[])
1180 {
1181 	zone_cmd_arg_t zarg;
1182 	int arg;
1183 
1184 	if (zonecfg_in_alt_root()) {
1185 		zerror(gettext("cannot ready zone in alternate root"));
1186 		return (Z_ERR);
1187 	}
1188 
1189 	optind = 0;
1190 	if ((arg = getopt(argc, argv, "?")) != EOF) {
1191 		switch (arg) {
1192 		case '?':
1193 			sub_usage(SHELP_READY, CMD_READY);
1194 			return (optopt == '?' ? Z_OK : Z_USAGE);
1195 		default:
1196 			sub_usage(SHELP_READY, CMD_READY);
1197 			return (Z_USAGE);
1198 		}
1199 	}
1200 	if (argc > optind) {
1201 		sub_usage(SHELP_READY, CMD_READY);
1202 		return (Z_USAGE);
1203 	}
1204 	if (sanity_check(target_zone, CMD_READY, B_FALSE, B_FALSE, B_FALSE)
1205 	    != Z_OK)
1206 		return (Z_ERR);
1207 	if (verify_details(CMD_READY, argv) != Z_OK)
1208 		return (Z_ERR);
1209 
1210 	zarg.cmd = Z_READY;
1211 	if (zonecfg_call_zoneadmd(target_zone, &zarg, locale, B_TRUE) != 0) {
1212 		zerror(gettext("call to %s failed"), "zoneadmd");
1213 		return (Z_ERR);
1214 	}
1215 	return (Z_OK);
1216 }
1217 
1218 static int
1219 boot_func(int argc, char *argv[])
1220 {
1221 	zone_cmd_arg_t zarg;
1222 	boolean_t force = B_FALSE;
1223 	int arg;
1224 
1225 	if (zonecfg_in_alt_root()) {
1226 		zerror(gettext("cannot boot zone in alternate root"));
1227 		return (Z_ERR);
1228 	}
1229 
1230 	zarg.bootbuf[0] = '\0';
1231 
1232 	/*
1233 	 * The following getopt processes arguments to zone boot; that
1234 	 * is to say, the [here] portion of the argument string:
1235 	 *
1236 	 *	zoneadm -z myzone boot [here] -- -v -m verbose
1237 	 *
1238 	 * Where [here] can either be nothing, -? (in which case we bail
1239 	 * and print usage), -f (a private option to indicate that the
1240 	 * boot operation should be 'forced'), or -s.  Support for -s is
1241 	 * vestigal and obsolete, but is retained because it was a
1242 	 * documented interface and there are known consumers including
1243 	 * admin/install; the proper way to specify boot arguments like -s
1244 	 * is:
1245 	 *
1246 	 *	zoneadm -z myzone boot -- -s -v -m verbose.
1247 	 */
1248 	optind = 0;
1249 	while ((arg = getopt(argc, argv, "?fs")) != EOF) {
1250 		switch (arg) {
1251 		case '?':
1252 			sub_usage(SHELP_BOOT, CMD_BOOT);
1253 			return (optopt == '?' ? Z_OK : Z_USAGE);
1254 		case 's':
1255 			(void) strlcpy(zarg.bootbuf, "-s",
1256 			    sizeof (zarg.bootbuf));
1257 			break;
1258 		case 'f':
1259 			force = B_TRUE;
1260 			break;
1261 		default:
1262 			sub_usage(SHELP_BOOT, CMD_BOOT);
1263 			return (Z_USAGE);
1264 		}
1265 	}
1266 
1267 	for (; optind < argc; optind++) {
1268 		if (strlcat(zarg.bootbuf, argv[optind],
1269 		    sizeof (zarg.bootbuf)) >= sizeof (zarg.bootbuf)) {
1270 			zerror(gettext("Boot argument list too long"));
1271 			return (Z_ERR);
1272 		}
1273 		if (optind < argc - 1)
1274 			if (strlcat(zarg.bootbuf, " ", sizeof (zarg.bootbuf)) >=
1275 			    sizeof (zarg.bootbuf)) {
1276 				zerror(gettext("Boot argument list too long"));
1277 				return (Z_ERR);
1278 			}
1279 	}
1280 	if (sanity_check(target_zone, CMD_BOOT, B_FALSE, B_FALSE, force)
1281 	    != Z_OK)
1282 		return (Z_ERR);
1283 	if (verify_details(CMD_BOOT, argv) != Z_OK)
1284 		return (Z_ERR);
1285 	zarg.cmd = force ? Z_FORCEBOOT : Z_BOOT;
1286 	if (zonecfg_call_zoneadmd(target_zone, &zarg, locale, B_TRUE) != 0) {
1287 		zerror(gettext("call to %s failed"), "zoneadmd");
1288 		return (Z_ERR);
1289 	}
1290 
1291 	return (Z_OK);
1292 }
1293 
1294 static void
1295 fake_up_local_zone(zoneid_t zid, zone_entry_t *zeptr)
1296 {
1297 	ssize_t result;
1298 	uuid_t uuid;
1299 	FILE *fp;
1300 	ushort_t flags;
1301 
1302 	(void) memset(zeptr, 0, sizeof (*zeptr));
1303 
1304 	zeptr->zid = zid;
1305 
1306 	/*
1307 	 * Since we're looking up our own (non-global) zone name,
1308 	 * we can be assured that it will succeed.
1309 	 */
1310 	result = getzonenamebyid(zid, zeptr->zname, sizeof (zeptr->zname));
1311 	assert(result >= 0);
1312 	if (zonecfg_is_scratch(zeptr->zname) &&
1313 	    (fp = zonecfg_open_scratch("", B_FALSE)) != NULL) {
1314 		(void) zonecfg_reverse_scratch(fp, zeptr->zname, zeptr->zname,
1315 		    sizeof (zeptr->zname), NULL, 0);
1316 		zonecfg_close_scratch(fp);
1317 	}
1318 
1319 	if (is_system_labeled()) {
1320 		(void) zone_getattr(zid, ZONE_ATTR_ROOT, zeptr->zroot,
1321 		    sizeof (zeptr->zroot));
1322 		(void) strlcpy(zeptr->zbrand, NATIVE_BRAND_NAME,
1323 		    sizeof (zeptr->zbrand));
1324 	} else {
1325 		(void) strlcpy(zeptr->zroot, "/", sizeof (zeptr->zroot));
1326 		(void) zone_getattr(zid, ZONE_ATTR_BRAND, zeptr->zbrand,
1327 		    sizeof (zeptr->zbrand));
1328 	}
1329 
1330 	zeptr->zstate_str = "running";
1331 	if (zonecfg_get_uuid(zeptr->zname, uuid) == Z_OK &&
1332 	    !uuid_is_null(uuid))
1333 		uuid_unparse(uuid, zeptr->zuuid);
1334 
1335 	if (zone_getattr(zid, ZONE_ATTR_FLAGS, &flags, sizeof (flags)) < 0) {
1336 		zperror2(zeptr->zname, gettext("could not get zone flags"));
1337 		exit(Z_ERR);
1338 	}
1339 	if (flags & ZF_NET_EXCL)
1340 		zeptr->ziptype = ZS_EXCLUSIVE;
1341 	else
1342 		zeptr->ziptype = ZS_SHARED;
1343 }
1344 
1345 static int
1346 list_func(int argc, char *argv[])
1347 {
1348 	zone_entry_t *zentp, zent;
1349 	int arg, retv;
1350 	boolean_t output = B_FALSE, verbose = B_FALSE, parsable = B_FALSE;
1351 	zone_state_t min_state = ZONE_STATE_RUNNING;
1352 	zoneid_t zone_id = getzoneid();
1353 
1354 	if (target_zone == NULL) {
1355 		/* all zones: default view to running but allow override */
1356 		optind = 0;
1357 		while ((arg = getopt(argc, argv, "?cipv")) != EOF) {
1358 			switch (arg) {
1359 			case '?':
1360 				sub_usage(SHELP_LIST, CMD_LIST);
1361 				return (optopt == '?' ? Z_OK : Z_USAGE);
1362 				/*
1363 				 * The 'i' and 'c' options are not mutually
1364 				 * exclusive so if 'c' is given, then min_state
1365 				 * is set to 0 (ZONE_STATE_CONFIGURED) which is
1366 				 * the lowest possible state.  If 'i' is given,
1367 				 * then min_state is set to be the lowest state
1368 				 * so far.
1369 				 */
1370 			case 'c':
1371 				min_state = ZONE_STATE_CONFIGURED;
1372 				break;
1373 			case 'i':
1374 				min_state = min(ZONE_STATE_INSTALLED,
1375 				    min_state);
1376 
1377 				break;
1378 			case 'p':
1379 				parsable = B_TRUE;
1380 				break;
1381 			case 'v':
1382 				verbose = B_TRUE;
1383 				break;
1384 			default:
1385 				sub_usage(SHELP_LIST, CMD_LIST);
1386 				return (Z_USAGE);
1387 			}
1388 		}
1389 		if (parsable && verbose) {
1390 			zerror(gettext("%s -p and -v are mutually exclusive."),
1391 			    cmd_to_str(CMD_LIST));
1392 			return (Z_ERR);
1393 		}
1394 		if (zone_id == GLOBAL_ZONEID || is_system_labeled()) {
1395 			retv = zone_print_list(min_state, verbose, parsable);
1396 		} else {
1397 			fake_up_local_zone(zone_id, &zent);
1398 			retv = Z_OK;
1399 			zone_print(&zent, verbose, parsable);
1400 		}
1401 		return (retv);
1402 	}
1403 
1404 	/*
1405 	 * Specific target zone: disallow -i/-c suboptions.
1406 	 */
1407 	optind = 0;
1408 	while ((arg = getopt(argc, argv, "?pv")) != EOF) {
1409 		switch (arg) {
1410 		case '?':
1411 			sub_usage(SHELP_LIST, CMD_LIST);
1412 			return (optopt == '?' ? Z_OK : Z_USAGE);
1413 		case 'p':
1414 			parsable = B_TRUE;
1415 			break;
1416 		case 'v':
1417 			verbose = B_TRUE;
1418 			break;
1419 		default:
1420 			sub_usage(SHELP_LIST, CMD_LIST);
1421 			return (Z_USAGE);
1422 		}
1423 	}
1424 	if (parsable && verbose) {
1425 		zerror(gettext("%s -p and -v are mutually exclusive."),
1426 		    cmd_to_str(CMD_LIST));
1427 		return (Z_ERR);
1428 	}
1429 	if (argc > optind) {
1430 		sub_usage(SHELP_LIST, CMD_LIST);
1431 		return (Z_USAGE);
1432 	}
1433 	if (zone_id != GLOBAL_ZONEID && !is_system_labeled()) {
1434 		fake_up_local_zone(zone_id, &zent);
1435 		/*
1436 		 * main() will issue a Z_NO_ZONE error if it cannot get an
1437 		 * id for target_zone, which in a non-global zone should
1438 		 * happen for any zone name except `zonename`.  Thus we
1439 		 * assert() that here but don't otherwise check.
1440 		 */
1441 		assert(strcmp(zent.zname, target_zone) == 0);
1442 		zone_print(&zent, verbose, parsable);
1443 		output = B_TRUE;
1444 	} else if ((zentp = lookup_running_zone(target_zone)) != NULL) {
1445 		zone_print(zentp, verbose, parsable);
1446 		output = B_TRUE;
1447 	} else if (lookup_zone_info(target_zone, ZONE_ID_UNDEFINED,
1448 	    &zent) == Z_OK) {
1449 		zone_print(&zent, verbose, parsable);
1450 		output = B_TRUE;
1451 	}
1452 
1453 	/*
1454 	 * Invoke brand-specific handler. Note that we do this
1455 	 * only if we're in the global zone, and target_zone is specified
1456 	 * and it is not the global zone.
1457 	 */
1458 	if (zone_id == GLOBAL_ZONEID && target_zone != NULL &&
1459 	    strcmp(target_zone, GLOBAL_ZONENAME) != 0)
1460 		if (invoke_brand_handler(CMD_LIST, argv) != Z_OK)
1461 			return (Z_ERR);
1462 
1463 	return (output ? Z_OK : Z_ERR);
1464 }
1465 
1466 static void
1467 sigterm(int sig)
1468 {
1469 	/*
1470 	 * Ignore SIG{INT,TERM}, so we don't end up in an infinite loop,
1471 	 * then propagate the signal to our process group.
1472 	 */
1473 	assert(sig == SIGINT || sig == SIGTERM);
1474 	(void) sigset(SIGINT, SIG_IGN);
1475 	(void) sigset(SIGTERM, SIG_IGN);
1476 	(void) kill(0, sig);
1477 	child_killed = B_TRUE;
1478 }
1479 
1480 static int
1481 do_subproc(char *cmdbuf)
1482 {
1483 	char inbuf[1024];	/* arbitrary large amount */
1484 	FILE *file;
1485 
1486 	do_subproc_cnt++;
1487 	child_killed = B_FALSE;
1488 	/*
1489 	 * We use popen(3c) to launch child processes for [un]install;
1490 	 * this library call does not return a PID, so we have to kill
1491 	 * the whole process group.  To avoid killing our parent, we
1492 	 * become a process group leader here.  But doing so can wreak
1493 	 * havoc with reading from stdin when launched by a non-job-control
1494 	 * shell, so we close stdin and reopen it as /dev/null first.
1495 	 */
1496 	(void) close(STDIN_FILENO);
1497 	(void) openat(STDIN_FILENO, "/dev/null", O_RDONLY);
1498 	if (!zoneadm_is_nested)
1499 		(void) setpgid(0, 0);
1500 	(void) sigset(SIGINT, sigterm);
1501 	(void) sigset(SIGTERM, sigterm);
1502 	file = popen(cmdbuf, "r");
1503 	for (;;) {
1504 		if (child_killed || fgets(inbuf, sizeof (inbuf), file) == NULL)
1505 			break;
1506 		(void) fputs(inbuf, stdout);
1507 	}
1508 	(void) sigset(SIGINT, SIG_DFL);
1509 	(void) sigset(SIGTERM, SIG_DFL);
1510 	return (pclose(file));
1511 }
1512 
1513 int
1514 do_subproc_interactive(char *cmdbuf)
1515 {
1516 	void (*saveint)(int);
1517 	void (*saveterm)(int);
1518 	void (*savequit)(int);
1519 	void (*savehup)(int);
1520 	int pid, child, status;
1521 
1522 	/*
1523 	 * do_subproc() links stdin to /dev/null, which would break any
1524 	 * interactive subprocess we try to launch here.  Similarly, we
1525 	 * can't have been launched as a subprocess ourselves.
1526 	 */
1527 	assert(do_subproc_cnt == 0 && !zoneadm_is_nested);
1528 
1529 	if ((child = vfork()) == 0) {
1530 		(void) execl("/bin/sh", "sh", "-c", cmdbuf, (char *)NULL);
1531 	}
1532 
1533 	if (child == -1)
1534 		return (-1);
1535 
1536 	saveint = sigset(SIGINT, SIG_IGN);
1537 	saveterm = sigset(SIGTERM, SIG_IGN);
1538 	savequit = sigset(SIGQUIT, SIG_IGN);
1539 	savehup = sigset(SIGHUP, SIG_IGN);
1540 
1541 	while ((pid = waitpid(child, &status, 0)) != child && pid != -1)
1542 		;
1543 
1544 	(void) sigset(SIGINT, saveint);
1545 	(void) sigset(SIGTERM, saveterm);
1546 	(void) sigset(SIGQUIT, savequit);
1547 	(void) sigset(SIGHUP, savehup);
1548 
1549 	return (pid == -1 ? -1 : status);
1550 }
1551 
1552 int
1553 subproc_status(const char *cmd, int status, boolean_t verbose_failure)
1554 {
1555 	if (WIFEXITED(status)) {
1556 		int exit_code = WEXITSTATUS(status);
1557 
1558 		if ((verbose_failure) && (exit_code != ZONE_SUBPROC_OK))
1559 			zerror(gettext("'%s' failed with exit code %d."), cmd,
1560 			    exit_code);
1561 
1562 		return (exit_code);
1563 	} else if (WIFSIGNALED(status)) {
1564 		int signal = WTERMSIG(status);
1565 		char sigstr[SIG2STR_MAX];
1566 
1567 		if (sig2str(signal, sigstr) == 0) {
1568 			zerror(gettext("'%s' terminated by signal SIG%s."), cmd,
1569 			    sigstr);
1570 		} else {
1571 			zerror(gettext("'%s' terminated by an unknown signal."),
1572 			    cmd);
1573 		}
1574 	} else {
1575 		zerror(gettext("'%s' failed for unknown reasons."), cmd);
1576 	}
1577 
1578 	/*
1579 	 * Assume a subprocess that died due to a signal or an unknown error
1580 	 * should be considered an exit code of ZONE_SUBPROC_FATAL, as the
1581 	 * user will likely need to do some manual cleanup.
1582 	 */
1583 	return (ZONE_SUBPROC_FATAL);
1584 }
1585 
1586 /*
1587  * Various sanity checks; make sure:
1588  * 1. We're in the global zone.
1589  * 2. The calling user has sufficient privilege.
1590  * 3. The target zone is neither the global zone nor anything starting with
1591  *    "SUNW".
1592  * 4a. If we're looking for a 'not running' (i.e., configured or installed)
1593  *     zone, the name service knows about it.
1594  * 4b. For some operations which expect a zone not to be running, that it is
1595  *     not already running (or ready).
1596  */
1597 static int
1598 sanity_check(char *zone, int cmd_num, boolean_t running,
1599     boolean_t unsafe_when_running, boolean_t force)
1600 {
1601 	zone_entry_t *zent;
1602 	priv_set_t *privset;
1603 	zone_state_t state, min_state;
1604 	char kernzone[ZONENAME_MAX];
1605 	FILE *fp;
1606 
1607 	if (getzoneid() != GLOBAL_ZONEID) {
1608 		switch (cmd_num) {
1609 		case CMD_HALT:
1610 			zerror(gettext("use %s to %s this zone."), "halt(1M)",
1611 			    cmd_to_str(cmd_num));
1612 			break;
1613 		case CMD_REBOOT:
1614 			zerror(gettext("use %s to %s this zone."),
1615 			    "reboot(1M)", cmd_to_str(cmd_num));
1616 			break;
1617 		default:
1618 			zerror(gettext("must be in the global zone to %s a "
1619 			    "zone."), cmd_to_str(cmd_num));
1620 			break;
1621 		}
1622 		return (Z_ERR);
1623 	}
1624 
1625 	if ((privset = priv_allocset()) == NULL) {
1626 		zerror(gettext("%s failed"), "priv_allocset");
1627 		return (Z_ERR);
1628 	}
1629 
1630 	if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1631 		zerror(gettext("%s failed"), "getppriv");
1632 		priv_freeset(privset);
1633 		return (Z_ERR);
1634 	}
1635 
1636 	if (priv_isfullset(privset) == B_FALSE) {
1637 		zerror(gettext("only a privileged user may %s a zone."),
1638 		    cmd_to_str(cmd_num));
1639 		priv_freeset(privset);
1640 		return (Z_ERR);
1641 	}
1642 	priv_freeset(privset);
1643 
1644 	if (zone == NULL) {
1645 		zerror(gettext("no zone specified"));
1646 		return (Z_ERR);
1647 	}
1648 
1649 	if (strcmp(zone, GLOBAL_ZONENAME) == 0) {
1650 		zerror(gettext("%s operation is invalid for the global zone."),
1651 		    cmd_to_str(cmd_num));
1652 		return (Z_ERR);
1653 	}
1654 
1655 	if (strncmp(zone, "SUNW", 4) == 0) {
1656 		zerror(gettext("%s operation is invalid for zones starting "
1657 		    "with SUNW."), cmd_to_str(cmd_num));
1658 		return (Z_ERR);
1659 	}
1660 
1661 	if (!zonecfg_in_alt_root()) {
1662 		zent = lookup_running_zone(zone);
1663 	} else if ((fp = zonecfg_open_scratch("", B_FALSE)) == NULL) {
1664 		zent = NULL;
1665 	} else {
1666 		if (zonecfg_find_scratch(fp, zone, zonecfg_get_root(),
1667 		    kernzone, sizeof (kernzone)) == 0)
1668 			zent = lookup_running_zone(kernzone);
1669 		else
1670 			zent = NULL;
1671 		zonecfg_close_scratch(fp);
1672 	}
1673 
1674 	/*
1675 	 * Look up from the kernel for 'running' zones.
1676 	 */
1677 	if (running && !force) {
1678 		if (zent == NULL) {
1679 			zerror(gettext("not running"));
1680 			return (Z_ERR);
1681 		}
1682 	} else {
1683 		int err;
1684 
1685 		if (unsafe_when_running && zent != NULL) {
1686 			/* check whether the zone is ready or running */
1687 			if ((err = zone_get_state(zent->zname,
1688 			    &zent->zstate_num)) != Z_OK) {
1689 				errno = err;
1690 				zperror2(zent->zname,
1691 				    gettext("could not get state"));
1692 				/* can't tell, so hedge */
1693 				zent->zstate_str = "ready/running";
1694 			} else {
1695 				zent->zstate_str =
1696 				    zone_state_str(zent->zstate_num);
1697 			}
1698 			zerror(gettext("%s operation is invalid for %s zones."),
1699 			    cmd_to_str(cmd_num), zent->zstate_str);
1700 			return (Z_ERR);
1701 		}
1702 		if ((err = zone_get_state(zone, &state)) != Z_OK) {
1703 			errno = err;
1704 			zperror2(zone, gettext("could not get state"));
1705 			return (Z_ERR);
1706 		}
1707 		switch (cmd_num) {
1708 		case CMD_UNINSTALL:
1709 			if (state == ZONE_STATE_CONFIGURED) {
1710 				zerror(gettext("is already in state '%s'."),
1711 				    zone_state_str(ZONE_STATE_CONFIGURED));
1712 				return (Z_ERR);
1713 			}
1714 			break;
1715 		case CMD_ATTACH:
1716 		case CMD_CLONE:
1717 		case CMD_INSTALL:
1718 			if (state == ZONE_STATE_INSTALLED) {
1719 				zerror(gettext("is already %s."),
1720 				    zone_state_str(ZONE_STATE_INSTALLED));
1721 				return (Z_ERR);
1722 			} else if (state == ZONE_STATE_INCOMPLETE) {
1723 				zerror(gettext("zone is %s; %s required."),
1724 				    zone_state_str(ZONE_STATE_INCOMPLETE),
1725 				    cmd_to_str(CMD_UNINSTALL));
1726 				return (Z_ERR);
1727 			}
1728 			break;
1729 		case CMD_DETACH:
1730 		case CMD_MOVE:
1731 		case CMD_READY:
1732 		case CMD_BOOT:
1733 		case CMD_MOUNT:
1734 		case CMD_MARK:
1735 			if ((cmd_num == CMD_BOOT || cmd_num == CMD_MOUNT) &&
1736 			    force)
1737 				min_state = ZONE_STATE_INCOMPLETE;
1738 			else
1739 				min_state = ZONE_STATE_INSTALLED;
1740 
1741 			if (force && cmd_num == CMD_BOOT && is_native_zone) {
1742 				zerror(gettext("Only branded zones may be "
1743 				    "force-booted."));
1744 				return (Z_ERR);
1745 			}
1746 
1747 			if (state < min_state) {
1748 				zerror(gettext("must be %s before %s."),
1749 				    zone_state_str(min_state),
1750 				    cmd_to_str(cmd_num));
1751 				return (Z_ERR);
1752 			}
1753 			break;
1754 		case CMD_VERIFY:
1755 			if (state == ZONE_STATE_INCOMPLETE) {
1756 				zerror(gettext("zone is %s; %s required."),
1757 				    zone_state_str(ZONE_STATE_INCOMPLETE),
1758 				    cmd_to_str(CMD_UNINSTALL));
1759 				return (Z_ERR);
1760 			}
1761 			break;
1762 		case CMD_UNMOUNT:
1763 			if (state != ZONE_STATE_MOUNTED) {
1764 				zerror(gettext("must be %s before %s."),
1765 				    zone_state_str(ZONE_STATE_MOUNTED),
1766 				    cmd_to_str(cmd_num));
1767 				return (Z_ERR);
1768 			}
1769 			break;
1770 		}
1771 	}
1772 	return (Z_OK);
1773 }
1774 
1775 static int
1776 halt_func(int argc, char *argv[])
1777 {
1778 	zone_cmd_arg_t zarg;
1779 	int arg;
1780 
1781 	if (zonecfg_in_alt_root()) {
1782 		zerror(gettext("cannot halt zone in alternate root"));
1783 		return (Z_ERR);
1784 	}
1785 
1786 	optind = 0;
1787 	if ((arg = getopt(argc, argv, "?")) != EOF) {
1788 		switch (arg) {
1789 		case '?':
1790 			sub_usage(SHELP_HALT, CMD_HALT);
1791 			return (optopt == '?' ? Z_OK : Z_USAGE);
1792 		default:
1793 			sub_usage(SHELP_HALT, CMD_HALT);
1794 			return (Z_USAGE);
1795 		}
1796 	}
1797 	if (argc > optind) {
1798 		sub_usage(SHELP_HALT, CMD_HALT);
1799 		return (Z_USAGE);
1800 	}
1801 	/*
1802 	 * zoneadmd should be the one to decide whether or not to proceed,
1803 	 * so even though it seems that the fourth parameter below should
1804 	 * perhaps be B_TRUE, it really shouldn't be.
1805 	 */
1806 	if (sanity_check(target_zone, CMD_HALT, B_FALSE, B_FALSE, B_FALSE)
1807 	    != Z_OK)
1808 		return (Z_ERR);
1809 
1810 	/*
1811 	 * Invoke brand-specific handler.
1812 	 */
1813 	if (invoke_brand_handler(CMD_HALT, argv) != Z_OK)
1814 		return (Z_ERR);
1815 
1816 	zarg.cmd = Z_HALT;
1817 	return ((zonecfg_call_zoneadmd(target_zone, &zarg, locale,
1818 	    B_TRUE) == 0) ?  Z_OK : Z_ERR);
1819 }
1820 
1821 static int
1822 reboot_func(int argc, char *argv[])
1823 {
1824 	zone_cmd_arg_t zarg;
1825 	int arg;
1826 
1827 	if (zonecfg_in_alt_root()) {
1828 		zerror(gettext("cannot reboot zone in alternate root"));
1829 		return (Z_ERR);
1830 	}
1831 
1832 	optind = 0;
1833 	if ((arg = getopt(argc, argv, "?")) != EOF) {
1834 		switch (arg) {
1835 		case '?':
1836 			sub_usage(SHELP_REBOOT, CMD_REBOOT);
1837 			return (optopt == '?' ? Z_OK : Z_USAGE);
1838 		default:
1839 			sub_usage(SHELP_REBOOT, CMD_REBOOT);
1840 			return (Z_USAGE);
1841 		}
1842 	}
1843 
1844 	zarg.bootbuf[0] = '\0';
1845 	for (; optind < argc; optind++) {
1846 		if (strlcat(zarg.bootbuf, argv[optind],
1847 		    sizeof (zarg.bootbuf)) >= sizeof (zarg.bootbuf)) {
1848 			zerror(gettext("Boot argument list too long"));
1849 			return (Z_ERR);
1850 		}
1851 		if (optind < argc - 1)
1852 			if (strlcat(zarg.bootbuf, " ", sizeof (zarg.bootbuf)) >=
1853 			    sizeof (zarg.bootbuf)) {
1854 				zerror(gettext("Boot argument list too long"));
1855 				return (Z_ERR);
1856 			}
1857 	}
1858 
1859 
1860 	/*
1861 	 * zoneadmd should be the one to decide whether or not to proceed,
1862 	 * so even though it seems that the fourth parameter below should
1863 	 * perhaps be B_TRUE, it really shouldn't be.
1864 	 */
1865 	if (sanity_check(target_zone, CMD_REBOOT, B_TRUE, B_FALSE, B_FALSE)
1866 	    != Z_OK)
1867 		return (Z_ERR);
1868 	if (verify_details(CMD_REBOOT, argv) != Z_OK)
1869 		return (Z_ERR);
1870 
1871 	zarg.cmd = Z_REBOOT;
1872 	return ((zonecfg_call_zoneadmd(target_zone, &zarg, locale, B_TRUE) == 0)
1873 	    ? Z_OK : Z_ERR);
1874 }
1875 
1876 static int
1877 get_hook(brand_handle_t bh, char *cmd, size_t len, int (*bp)(brand_handle_t,
1878     const char *, const char *, char *, size_t), char *zonename, char *zonepath)
1879 {
1880 	if (strlcpy(cmd, EXEC_PREFIX, len) >= len)
1881 		return (Z_ERR);
1882 
1883 	if (bp(bh, zonename, zonepath, cmd + EXEC_LEN, len - EXEC_LEN) != 0)
1884 		return (Z_ERR);
1885 
1886 	if (strlen(cmd) <= EXEC_LEN)
1887 		cmd[0] = '\0';
1888 
1889 	return (Z_OK);
1890 }
1891 
1892 static int
1893 verify_brand(zone_dochandle_t handle, int cmd_num, char *argv[])
1894 {
1895 	char cmdbuf[MAXPATHLEN];
1896 	int err;
1897 	char zonepath[MAXPATHLEN];
1898 	brand_handle_t bh = NULL;
1899 	int status, i;
1900 
1901 	/*
1902 	 * Fetch the verify command from the brand configuration.
1903 	 * "exec" the command so that the returned status is that of
1904 	 * the command and not the shell.
1905 	 */
1906 	if (handle == NULL) {
1907 		(void) strlcpy(zonepath, "-", sizeof (zonepath));
1908 	} else if ((err = zonecfg_get_zonepath(handle, zonepath,
1909 	    sizeof (zonepath))) != Z_OK) {
1910 		errno = err;
1911 		zperror(cmd_to_str(cmd_num), B_TRUE);
1912 		return (Z_ERR);
1913 	}
1914 	if ((bh = brand_open(target_brand)) == NULL) {
1915 		zerror(gettext("missing or invalid brand"));
1916 		return (Z_ERR);
1917 	}
1918 
1919 	/*
1920 	 * If the brand has its own verification routine, execute it now.
1921 	 * The verification routine validates the intended zoneadm
1922 	 * operation for the specific brand. The zoneadm subcommand and
1923 	 * all its arguments are passed to the routine.
1924 	 */
1925 	err = get_hook(bh, cmdbuf, sizeof (cmdbuf), brand_get_verify_adm,
1926 	    target_zone, zonepath);
1927 	brand_close(bh);
1928 	if (err != Z_OK)
1929 		return (Z_BRAND_ERROR);
1930 	if (cmdbuf[0] == '\0')
1931 		return (Z_OK);
1932 
1933 	if (strlcat(cmdbuf, cmd_to_str(cmd_num),
1934 	    sizeof (cmdbuf)) >= sizeof (cmdbuf))
1935 		return (Z_ERR);
1936 
1937 	/* Build the argv string */
1938 	i = 0;
1939 	while (argv[i] != NULL) {
1940 		if ((strlcat(cmdbuf, " ",
1941 		    sizeof (cmdbuf)) >= sizeof (cmdbuf)) ||
1942 		    (strlcat(cmdbuf, argv[i++],
1943 		    sizeof (cmdbuf)) >= sizeof (cmdbuf)))
1944 			return (Z_ERR);
1945 	}
1946 
1947 	if (zoneadm_is_nested)
1948 		status = do_subproc(cmdbuf);
1949 	else
1950 		status = do_subproc_interactive(cmdbuf);
1951 	err = subproc_status(gettext("brand-specific verification"),
1952 	    status, B_FALSE);
1953 
1954 	return ((err == ZONE_SUBPROC_OK) ? Z_OK : Z_BRAND_ERROR);
1955 }
1956 
1957 static int
1958 verify_rctls(zone_dochandle_t handle)
1959 {
1960 	struct zone_rctltab rctltab;
1961 	size_t rbs = rctlblk_size();
1962 	rctlblk_t *rctlblk;
1963 	int error = Z_INVAL;
1964 
1965 	if ((rctlblk = malloc(rbs)) == NULL) {
1966 		zerror(gettext("failed to allocate %lu bytes: %s"), rbs,
1967 		    strerror(errno));
1968 		return (Z_NOMEM);
1969 	}
1970 
1971 	if (zonecfg_setrctlent(handle) != Z_OK) {
1972 		zerror(gettext("zonecfg_setrctlent failed"));
1973 		free(rctlblk);
1974 		return (error);
1975 	}
1976 
1977 	rctltab.zone_rctl_valptr = NULL;
1978 	while (zonecfg_getrctlent(handle, &rctltab) == Z_OK) {
1979 		struct zone_rctlvaltab *rctlval;
1980 		const char *name = rctltab.zone_rctl_name;
1981 
1982 		if (!zonecfg_is_rctl(name)) {
1983 			zerror(gettext("WARNING: Ignoring unrecognized rctl "
1984 			    "'%s'."),  name);
1985 			zonecfg_free_rctl_value_list(rctltab.zone_rctl_valptr);
1986 			rctltab.zone_rctl_valptr = NULL;
1987 			continue;
1988 		}
1989 
1990 		for (rctlval = rctltab.zone_rctl_valptr; rctlval != NULL;
1991 		    rctlval = rctlval->zone_rctlval_next) {
1992 			if (zonecfg_construct_rctlblk(rctlval, rctlblk)
1993 			    != Z_OK) {
1994 				zerror(gettext("invalid rctl value: "
1995 				    "(priv=%s,limit=%s,action%s)"),
1996 				    rctlval->zone_rctlval_priv,
1997 				    rctlval->zone_rctlval_limit,
1998 				    rctlval->zone_rctlval_action);
1999 				goto out;
2000 			}
2001 			if (!zonecfg_valid_rctl(name, rctlblk)) {
2002 				zerror(gettext("(priv=%s,limit=%s,action=%s) "
2003 				    "is not a valid value for rctl '%s'"),
2004 				    rctlval->zone_rctlval_priv,
2005 				    rctlval->zone_rctlval_limit,
2006 				    rctlval->zone_rctlval_action,
2007 				    name);
2008 				goto out;
2009 			}
2010 		}
2011 		zonecfg_free_rctl_value_list(rctltab.zone_rctl_valptr);
2012 	}
2013 	rctltab.zone_rctl_valptr = NULL;
2014 	error = Z_OK;
2015 out:
2016 	zonecfg_free_rctl_value_list(rctltab.zone_rctl_valptr);
2017 	(void) zonecfg_endrctlent(handle);
2018 	free(rctlblk);
2019 	return (error);
2020 }
2021 
2022 static int
2023 verify_pool(zone_dochandle_t handle)
2024 {
2025 	char poolname[MAXPATHLEN];
2026 	pool_conf_t *poolconf;
2027 	pool_t *pool;
2028 	int status;
2029 	int error;
2030 
2031 	/*
2032 	 * This ends up being very similar to the check done in zoneadmd.
2033 	 */
2034 	error = zonecfg_get_pool(handle, poolname, sizeof (poolname));
2035 	if (error == Z_NO_ENTRY || (error == Z_OK && strlen(poolname) == 0)) {
2036 		/*
2037 		 * No pool specified.
2038 		 */
2039 		return (0);
2040 	}
2041 	if (error != Z_OK) {
2042 		zperror(gettext("Unable to retrieve pool name from "
2043 		    "configuration"), B_TRUE);
2044 		return (error);
2045 	}
2046 	/*
2047 	 * Don't do anything if pools aren't enabled.
2048 	 */
2049 	if (pool_get_status(&status) != PO_SUCCESS || status != POOL_ENABLED) {
2050 		zerror(gettext("WARNING: pools facility not active; "
2051 		    "zone will not be bound to pool '%s'."), poolname);
2052 		return (Z_OK);
2053 	}
2054 	/*
2055 	 * Try to provide a sane error message if the requested pool doesn't
2056 	 * exist.  It isn't clear that pools-related failures should
2057 	 * necessarily translate to a failure to verify the zone configuration,
2058 	 * hence they are not considered errors.
2059 	 */
2060 	if ((poolconf = pool_conf_alloc()) == NULL) {
2061 		zerror(gettext("WARNING: pool_conf_alloc failed; "
2062 		    "using default pool"));
2063 		return (Z_OK);
2064 	}
2065 	if (pool_conf_open(poolconf, pool_dynamic_location(), PO_RDONLY) !=
2066 	    PO_SUCCESS) {
2067 		zerror(gettext("WARNING: pool_conf_open failed; "
2068 		    "using default pool"));
2069 		pool_conf_free(poolconf);
2070 		return (Z_OK);
2071 	}
2072 	pool = pool_get_pool(poolconf, poolname);
2073 	(void) pool_conf_close(poolconf);
2074 	pool_conf_free(poolconf);
2075 	if (pool == NULL) {
2076 		zerror(gettext("WARNING: pool '%s' not found. "
2077 		    "using default pool"), poolname);
2078 	}
2079 
2080 	return (Z_OK);
2081 }
2082 
2083 static int
2084 verify_ipd(zone_dochandle_t handle)
2085 {
2086 	int return_code = Z_OK;
2087 	struct zone_fstab fstab;
2088 	struct stat st;
2089 	char specdir[MAXPATHLEN];
2090 
2091 	if (zonecfg_setipdent(handle) != Z_OK) {
2092 		/*
2093 		 * TRANSLATION_NOTE
2094 		 * inherit-pkg-dirs is a literal that should not be translated.
2095 		 */
2096 		(void) fprintf(stderr, gettext("could not verify "
2097 		    "inherit-pkg-dirs: unable to enumerate mounts\n"));
2098 		return (Z_ERR);
2099 	}
2100 	while (zonecfg_getipdent(handle, &fstab) == Z_OK) {
2101 		/*
2102 		 * Verify fs_dir exists.
2103 		 */
2104 		(void) snprintf(specdir, sizeof (specdir), "%s%s",
2105 		    zonecfg_get_root(), fstab.zone_fs_dir);
2106 		if (stat(specdir, &st) != 0) {
2107 			/*
2108 			 * TRANSLATION_NOTE
2109 			 * inherit-pkg-dir is a literal that should not be
2110 			 * translated.
2111 			 */
2112 			(void) fprintf(stderr, gettext("could not verify "
2113 			    "inherit-pkg-dir %s: %s\n"),
2114 			    fstab.zone_fs_dir, strerror(errno));
2115 			return_code = Z_ERR;
2116 		}
2117 		if (strcmp(st.st_fstype, MNTTYPE_NFS) == 0) {
2118 			/*
2119 			 * TRANSLATION_NOTE
2120 			 * inherit-pkg-dir and NFS are literals that should
2121 			 * not be translated.
2122 			 */
2123 			(void) fprintf(stderr, gettext("cannot verify "
2124 			    "inherit-pkg-dir %s: NFS mounted file system.\n"
2125 			    "\tA local file system must be used.\n"),
2126 			    fstab.zone_fs_dir);
2127 			return_code = Z_ERR;
2128 		}
2129 	}
2130 	(void) zonecfg_endipdent(handle);
2131 
2132 	return (return_code);
2133 }
2134 
2135 /*
2136  * Verify that the special device/file system exists and is valid.
2137  */
2138 static int
2139 verify_fs_special(struct zone_fstab *fstab)
2140 {
2141 	struct stat64 st;
2142 
2143 	/*
2144 	 * This validation is really intended for standard zone administration.
2145 	 * If we are in a mini-root or some other upgrade situation where
2146 	 * we are using the scratch zone, just by-pass this.
2147 	 */
2148 	if (zonecfg_in_alt_root())
2149 		return (Z_OK);
2150 
2151 	if (strcmp(fstab->zone_fs_type, MNTTYPE_ZFS) == 0)
2152 		return (verify_fs_zfs(fstab));
2153 
2154 	if (stat64(fstab->zone_fs_special, &st) != 0) {
2155 		(void) fprintf(stderr, gettext("could not verify fs "
2156 		    "%s: could not access %s: %s\n"), fstab->zone_fs_dir,
2157 		    fstab->zone_fs_special, strerror(errno));
2158 		return (Z_ERR);
2159 	}
2160 
2161 	if (strcmp(st.st_fstype, MNTTYPE_NFS) == 0) {
2162 		/*
2163 		 * TRANSLATION_NOTE
2164 		 * fs and NFS are literals that should
2165 		 * not be translated.
2166 		 */
2167 		(void) fprintf(stderr, gettext("cannot verify "
2168 		    "fs %s: NFS mounted file system.\n"
2169 		    "\tA local file system must be used.\n"),
2170 		    fstab->zone_fs_special);
2171 		return (Z_ERR);
2172 	}
2173 
2174 	return (Z_OK);
2175 }
2176 
2177 static int
2178 isregfile(const char *path)
2179 {
2180 	struct stat64 st;
2181 
2182 	if (stat64(path, &st) == -1)
2183 		return (-1);
2184 
2185 	return (S_ISREG(st.st_mode));
2186 }
2187 
2188 static int
2189 verify_filesystems(zone_dochandle_t handle)
2190 {
2191 	int return_code = Z_OK;
2192 	struct zone_fstab fstab;
2193 	char cmdbuf[MAXPATHLEN];
2194 	struct stat st;
2195 
2196 	/*
2197 	 * No need to verify inherit-pkg-dir fs types, as their type is
2198 	 * implicitly lofs, which is known.  Therefore, the types are only
2199 	 * verified for regular file systems below.
2200 	 *
2201 	 * Since the actual mount point is not known until the dependent mounts
2202 	 * are performed, we don't attempt any path validation here: that will
2203 	 * happen later when zoneadmd actually does the mounts.
2204 	 */
2205 	if (zonecfg_setfsent(handle) != Z_OK) {
2206 		(void) fprintf(stderr, gettext("could not verify file systems: "
2207 		    "unable to enumerate mounts\n"));
2208 		return (Z_ERR);
2209 	}
2210 	while (zonecfg_getfsent(handle, &fstab) == Z_OK) {
2211 		if (!zonecfg_valid_fs_type(fstab.zone_fs_type)) {
2212 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2213 			    "type %s is not allowed.\n"), fstab.zone_fs_dir,
2214 			    fstab.zone_fs_type);
2215 			return_code = Z_ERR;
2216 			goto next_fs;
2217 		}
2218 		/*
2219 		 * Verify /usr/lib/fs/<fstype>/mount exists.
2220 		 */
2221 		if (snprintf(cmdbuf, sizeof (cmdbuf), "/usr/lib/fs/%s/mount",
2222 		    fstab.zone_fs_type) > sizeof (cmdbuf)) {
2223 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2224 			    "type %s is too long.\n"), fstab.zone_fs_dir,
2225 			    fstab.zone_fs_type);
2226 			return_code = Z_ERR;
2227 			goto next_fs;
2228 		}
2229 		if (stat(cmdbuf, &st) != 0) {
2230 			(void) fprintf(stderr, gettext("could not verify fs "
2231 			    "%s: could not access %s: %s\n"), fstab.zone_fs_dir,
2232 			    cmdbuf, strerror(errno));
2233 			return_code = Z_ERR;
2234 			goto next_fs;
2235 		}
2236 		if (!S_ISREG(st.st_mode)) {
2237 			(void) fprintf(stderr, gettext("could not verify fs "
2238 			    "%s: %s is not a regular file\n"),
2239 			    fstab.zone_fs_dir, cmdbuf);
2240 			return_code = Z_ERR;
2241 			goto next_fs;
2242 		}
2243 		/*
2244 		 * If zone_fs_raw is set, verify that there's an fsck
2245 		 * binary for it.  If zone_fs_raw is not set, and it's
2246 		 * not a regular file (lofi mount), and there's an fsck
2247 		 * binary for it, complain.
2248 		 */
2249 		if (snprintf(cmdbuf, sizeof (cmdbuf), "/usr/lib/fs/%s/fsck",
2250 		    fstab.zone_fs_type) > sizeof (cmdbuf)) {
2251 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2252 			    "type %s is too long.\n"), fstab.zone_fs_dir,
2253 			    fstab.zone_fs_type);
2254 			return_code = Z_ERR;
2255 			goto next_fs;
2256 		}
2257 		if (fstab.zone_fs_raw[0] != '\0' &&
2258 		    (stat(cmdbuf, &st) != 0 || !S_ISREG(st.st_mode))) {
2259 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2260 			    "'raw' device specified but "
2261 			    "no fsck executable exists for %s\n"),
2262 			    fstab.zone_fs_dir, fstab.zone_fs_type);
2263 			return_code = Z_ERR;
2264 			goto next_fs;
2265 		} else if (fstab.zone_fs_raw[0] == '\0' &&
2266 		    stat(cmdbuf, &st) == 0 &&
2267 		    isregfile(fstab.zone_fs_special) != 1) {
2268 			(void) fprintf(stderr, gettext("could not verify fs "
2269 			    "%s: must specify 'raw' device for %s "
2270 			    "file systems\n"),
2271 			    fstab.zone_fs_dir, fstab.zone_fs_type);
2272 			return_code = Z_ERR;
2273 			goto next_fs;
2274 		}
2275 
2276 		/* Verify fs_special. */
2277 		if ((return_code = verify_fs_special(&fstab)) != Z_OK)
2278 			goto next_fs;
2279 
2280 		/* Verify fs_raw. */
2281 		if (fstab.zone_fs_raw[0] != '\0' &&
2282 		    stat(fstab.zone_fs_raw, &st) != 0) {
2283 			/*
2284 			 * TRANSLATION_NOTE
2285 			 * fs is a literal that should not be translated.
2286 			 */
2287 			(void) fprintf(stderr, gettext("could not verify fs "
2288 			    "%s: could not access %s: %s\n"), fstab.zone_fs_dir,
2289 			    fstab.zone_fs_raw, strerror(errno));
2290 			return_code = Z_ERR;
2291 			goto next_fs;
2292 		}
2293 next_fs:
2294 		zonecfg_free_fs_option_list(fstab.zone_fs_options);
2295 	}
2296 	(void) zonecfg_endfsent(handle);
2297 
2298 	return (return_code);
2299 }
2300 
2301 static int
2302 verify_limitpriv(zone_dochandle_t handle)
2303 {
2304 	char *privname = NULL;
2305 	int err;
2306 	priv_set_t *privs;
2307 
2308 	if ((privs = priv_allocset()) == NULL) {
2309 		zperror(gettext("failed to allocate privilege set"), B_FALSE);
2310 		return (Z_NOMEM);
2311 	}
2312 	err = zonecfg_get_privset(handle, privs, &privname);
2313 	switch (err) {
2314 	case Z_OK:
2315 		break;
2316 	case Z_PRIV_PROHIBITED:
2317 		(void) fprintf(stderr, gettext("privilege \"%s\" is not "
2318 		    "permitted within the zone's privilege set\n"), privname);
2319 		break;
2320 	case Z_PRIV_REQUIRED:
2321 		(void) fprintf(stderr, gettext("required privilege \"%s\" is "
2322 		    "missing from the zone's privilege set\n"), privname);
2323 		break;
2324 	case Z_PRIV_UNKNOWN:
2325 		(void) fprintf(stderr, gettext("unknown privilege \"%s\" "
2326 		    "specified in the zone's privilege set\n"), privname);
2327 		break;
2328 	default:
2329 		zperror(
2330 		    gettext("failed to determine the zone's privilege set"),
2331 		    B_TRUE);
2332 		break;
2333 	}
2334 	free(privname);
2335 	priv_freeset(privs);
2336 	return (err);
2337 }
2338 
2339 static void
2340 free_local_netifs(int if_cnt, struct net_if **if_list)
2341 {
2342 	int		i;
2343 
2344 	for (i = 0; i < if_cnt; i++) {
2345 		free(if_list[i]->name);
2346 		free(if_list[i]);
2347 	}
2348 	free(if_list);
2349 }
2350 
2351 /*
2352  * Get a list of the network interfaces, along with their address families,
2353  * that are plumbed in the global zone.  See if_tcp(7p) for a description
2354  * of the ioctls used here.
2355  */
2356 static int
2357 get_local_netifs(int *if_cnt, struct net_if ***if_list)
2358 {
2359 	int		s;
2360 	int		i;
2361 	int		res = Z_OK;
2362 	int		space_needed;
2363 	int		cnt = 0;
2364 	struct		lifnum if_num;
2365 	struct		lifconf if_conf;
2366 	struct		lifreq *if_reqp;
2367 	char		*if_buf;
2368 	struct net_if	**local_ifs = NULL;
2369 
2370 	*if_cnt = 0;
2371 	*if_list = NULL;
2372 
2373 	if ((s = socket(SOCKET_AF(AF_INET), SOCK_DGRAM, 0)) < 0)
2374 		return (Z_ERR);
2375 
2376 	/*
2377 	 * Come back here in the unlikely event that the number of interfaces
2378 	 * increases between the time we get the count and the time we do the
2379 	 * SIOCGLIFCONF ioctl.
2380 	 */
2381 retry:
2382 	/* Get the number of interfaces. */
2383 	if_num.lifn_family = AF_UNSPEC;
2384 	if_num.lifn_flags = LIFC_NOXMIT;
2385 	if (ioctl(s, SIOCGLIFNUM, &if_num) < 0) {
2386 		(void) close(s);
2387 		return (Z_ERR);
2388 	}
2389 
2390 	/* Get the interface configuration list. */
2391 	space_needed = if_num.lifn_count * sizeof (struct lifreq);
2392 	if ((if_buf = malloc(space_needed)) == NULL) {
2393 		(void) close(s);
2394 		return (Z_ERR);
2395 	}
2396 	if_conf.lifc_family = AF_UNSPEC;
2397 	if_conf.lifc_flags = LIFC_NOXMIT;
2398 	if_conf.lifc_len = space_needed;
2399 	if_conf.lifc_buf = if_buf;
2400 	if (ioctl(s, SIOCGLIFCONF, &if_conf) < 0) {
2401 		free(if_buf);
2402 		/*
2403 		 * SIOCGLIFCONF returns EINVAL if the buffer we passed in is
2404 		 * too small.  In this case go back and get the new if cnt.
2405 		 */
2406 		if (errno == EINVAL)
2407 			goto retry;
2408 
2409 		(void) close(s);
2410 		return (Z_ERR);
2411 	}
2412 	(void) close(s);
2413 
2414 	/* Get the name and address family for each interface. */
2415 	if_reqp = if_conf.lifc_req;
2416 	for (i = 0; i < (if_conf.lifc_len / sizeof (struct lifreq)); i++) {
2417 		struct net_if	**p;
2418 		struct lifreq	req;
2419 
2420 		if (strcmp(LOOPBACK_IF, if_reqp->lifr_name) == 0) {
2421 			if_reqp++;
2422 			continue;
2423 		}
2424 
2425 		if ((s = socket(SOCKET_AF(if_reqp->lifr_addr.ss_family),
2426 		    SOCK_DGRAM, 0)) == -1) {
2427 			res = Z_ERR;
2428 			break;
2429 		}
2430 
2431 		(void) strncpy(req.lifr_name, if_reqp->lifr_name,
2432 		    sizeof (req.lifr_name));
2433 		if (ioctl(s, SIOCGLIFADDR, &req) < 0) {
2434 			(void) close(s);
2435 			if_reqp++;
2436 			continue;
2437 		}
2438 
2439 		if ((p = (struct net_if **)realloc(local_ifs,
2440 		    sizeof (struct net_if *) * (cnt + 1))) == NULL) {
2441 			res = Z_ERR;
2442 			break;
2443 		}
2444 		local_ifs = p;
2445 
2446 		if ((local_ifs[cnt] = malloc(sizeof (struct net_if))) == NULL) {
2447 			res = Z_ERR;
2448 			break;
2449 		}
2450 
2451 		if ((local_ifs[cnt]->name = strdup(if_reqp->lifr_name))
2452 		    == NULL) {
2453 			free(local_ifs[cnt]);
2454 			res = Z_ERR;
2455 			break;
2456 		}
2457 		local_ifs[cnt]->af = req.lifr_addr.ss_family;
2458 		cnt++;
2459 
2460 		(void) close(s);
2461 		if_reqp++;
2462 	}
2463 
2464 	free(if_buf);
2465 
2466 	if (res != Z_OK) {
2467 		free_local_netifs(cnt, local_ifs);
2468 	} else {
2469 		*if_cnt = cnt;
2470 		*if_list = local_ifs;
2471 	}
2472 
2473 	return (res);
2474 }
2475 
2476 static char *
2477 af2str(int af)
2478 {
2479 	switch (af) {
2480 	case AF_INET:
2481 		return ("IPv4");
2482 	case AF_INET6:
2483 		return ("IPv6");
2484 	default:
2485 		return ("Unknown");
2486 	}
2487 }
2488 
2489 /*
2490  * Cross check the network interface name and address family with the
2491  * interfaces that are set up in the global zone so that we can print the
2492  * appropriate error message.
2493  */
2494 static void
2495 print_net_err(char *phys, char *addr, int af, char *msg)
2496 {
2497 	int		i;
2498 	int		local_if_cnt = 0;
2499 	struct net_if	**local_ifs = NULL;
2500 	boolean_t	found_if = B_FALSE;
2501 	boolean_t	found_af = B_FALSE;
2502 
2503 	if (get_local_netifs(&local_if_cnt, &local_ifs) != Z_OK) {
2504 		(void) fprintf(stderr,
2505 		    gettext("could not verify %s %s=%s %s=%s\n\t%s\n"),
2506 		    "net", "address", addr, "physical", phys, msg);
2507 		return;
2508 	}
2509 
2510 	for (i = 0; i < local_if_cnt; i++) {
2511 		if (strcmp(phys, local_ifs[i]->name) == 0) {
2512 			found_if = B_TRUE;
2513 			if (af == local_ifs[i]->af) {
2514 				found_af = B_TRUE;
2515 				break;
2516 			}
2517 		}
2518 	}
2519 
2520 	free_local_netifs(local_if_cnt, local_ifs);
2521 
2522 	if (!found_if) {
2523 		(void) fprintf(stderr,
2524 		    gettext("could not verify %s %s=%s\n\t"
2525 		    "network interface %s is not plumbed in the global zone\n"),
2526 		    "net", "physical", phys, phys);
2527 		return;
2528 	}
2529 
2530 	/*
2531 	 * Print this error if we were unable to find the address family
2532 	 * for this interface.  If the af variable is not initialized to
2533 	 * to something meaningful by the caller (not AF_UNSPEC) then we
2534 	 * also skip this message since it wouldn't be informative.
2535 	 */
2536 	if (!found_af && af != AF_UNSPEC) {
2537 		(void) fprintf(stderr,
2538 		    gettext("could not verify %s %s=%s %s=%s\n\tthe %s address "
2539 		    "family is not configured on this network interface in "
2540 		    "the\n\tglobal zone\n"),
2541 		    "net", "address", addr, "physical", phys, af2str(af));
2542 		return;
2543 	}
2544 
2545 	(void) fprintf(stderr,
2546 	    gettext("could not verify %s %s=%s %s=%s\n\t%s\n"),
2547 	    "net", "address", addr, "physical", phys, msg);
2548 }
2549 
2550 static int
2551 verify_handle(int cmd_num, zone_dochandle_t handle, char *argv[])
2552 {
2553 	struct zone_nwiftab nwiftab;
2554 	int return_code = Z_OK;
2555 	int err;
2556 	boolean_t in_alt_root;
2557 	zone_iptype_t iptype;
2558 	dlpi_handle_t dh;
2559 
2560 	in_alt_root = zonecfg_in_alt_root();
2561 	if (in_alt_root)
2562 		goto no_net;
2563 
2564 	if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK) {
2565 		errno = err;
2566 		zperror(cmd_to_str(cmd_num), B_TRUE);
2567 		zonecfg_fini_handle(handle);
2568 		return (Z_ERR);
2569 	}
2570 	if ((err = zonecfg_setnwifent(handle)) != Z_OK) {
2571 		errno = err;
2572 		zperror(cmd_to_str(cmd_num), B_TRUE);
2573 		zonecfg_fini_handle(handle);
2574 		return (Z_ERR);
2575 	}
2576 	while (zonecfg_getnwifent(handle, &nwiftab) == Z_OK) {
2577 		struct lifreq lifr;
2578 		sa_family_t af = AF_UNSPEC;
2579 		char dl_owner_zname[ZONENAME_MAX];
2580 		zoneid_t dl_owner_zid;
2581 		zoneid_t target_zid;
2582 		int res;
2583 
2584 		/* skip any loopback interfaces */
2585 		if (strcmp(nwiftab.zone_nwif_physical, "lo0") == 0)
2586 			continue;
2587 		switch (iptype) {
2588 		case ZS_SHARED:
2589 			if ((res = zonecfg_valid_net_address(
2590 			    nwiftab.zone_nwif_address, &lifr)) != Z_OK) {
2591 				print_net_err(nwiftab.zone_nwif_physical,
2592 				    nwiftab.zone_nwif_address, af,
2593 				    zonecfg_strerror(res));
2594 				return_code = Z_ERR;
2595 				continue;
2596 			}
2597 			af = lifr.lifr_addr.ss_family;
2598 			if (!zonecfg_ifname_exists(af,
2599 			    nwiftab.zone_nwif_physical)) {
2600 				/*
2601 				 * The interface failed to come up. We continue
2602 				 * on anyway for the sake of consistency: a
2603 				 * zone is not shut down if the interface fails
2604 				 * any time after boot, nor does the global zone
2605 				 * fail to boot if an interface fails.
2606 				 */
2607 				(void) fprintf(stderr,
2608 				    gettext("WARNING: skipping network "
2609 				    "interface '%s' which may not be "
2610 				    "present/plumbed in the global "
2611 				    "zone.\n"),
2612 				    nwiftab.zone_nwif_physical);
2613 			}
2614 			break;
2615 		case ZS_EXCLUSIVE:
2616 			/* Warning if it exists for either IPv4 or IPv6 */
2617 
2618 			if (zonecfg_ifname_exists(AF_INET,
2619 			    nwiftab.zone_nwif_physical) ||
2620 			    zonecfg_ifname_exists(AF_INET6,
2621 			    nwiftab.zone_nwif_physical)) {
2622 				(void) fprintf(stderr,
2623 				    gettext("WARNING: skipping network "
2624 				    "interface '%s' which is used in the "
2625 				    "global zone.\n"),
2626 				    nwiftab.zone_nwif_physical);
2627 				break;
2628 			}
2629 
2630 			/*
2631 			 * Verify that the physical interface can be opened.
2632 			 */
2633 			err = dlpi_open(nwiftab.zone_nwif_physical, &dh, 0);
2634 			if (err != DLPI_SUCCESS) {
2635 				(void) fprintf(stderr,
2636 				    gettext("WARNING: skipping network "
2637 				    "interface '%s' which cannot be opened: "
2638 				    "dlpi error (%s).\n"),
2639 				    nwiftab.zone_nwif_physical,
2640 				    dlpi_strerror(err));
2641 				break;
2642 			} else {
2643 				dlpi_close(dh);
2644 			}
2645 			/*
2646 			 * Verify whether the physical interface is already
2647 			 * used by a zone.
2648 			 */
2649 			dl_owner_zid = ALL_ZONES;
2650 			if (zone_check_datalink(&dl_owner_zid,
2651 			    nwiftab.zone_nwif_physical) != 0)
2652 				break;
2653 
2654 			/*
2655 			 * If the zone being verified is
2656 			 * running and owns the interface
2657 			 */
2658 			target_zid = getzoneidbyname(target_zone);
2659 			if (target_zid == dl_owner_zid)
2660 				break;
2661 
2662 			/* Zone id match failed, use name to check */
2663 			if (getzonenamebyid(dl_owner_zid, dl_owner_zname,
2664 			    ZONENAME_MAX) < 0) {
2665 				/* No name, show ID instead */
2666 				(void) snprintf(dl_owner_zname, ZONENAME_MAX,
2667 				    "<%d>", dl_owner_zid);
2668 			} else if (strcmp(dl_owner_zname, target_zone) == 0)
2669 				break;
2670 
2671 			/*
2672 			 * Note here we only report a warning that
2673 			 * the interface is already in use by another
2674 			 * running zone, and the verify process just
2675 			 * goes on, if the interface is still in use
2676 			 * when this zone really boots up, zoneadmd
2677 			 * will find it. If the name of the zone which
2678 			 * owns this interface cannot be determined,
2679 			 * then it is not possible to determine if there
2680 			 * is a conflict so just report it as a warning.
2681 			 */
2682 			(void) fprintf(stderr,
2683 			    gettext("WARNING: skipping network interface "
2684 			    "'%s' which is used by the non-global zone "
2685 			    "'%s'.\n"), nwiftab.zone_nwif_physical,
2686 			    dl_owner_zname);
2687 			break;
2688 		}
2689 	}
2690 	(void) zonecfg_endnwifent(handle);
2691 no_net:
2692 
2693 	/* verify that lofs has not been excluded from the kernel */
2694 	if (!(cmd_num == CMD_DETACH || cmd_num == CMD_ATTACH ||
2695 	    cmd_num == CMD_MOVE || cmd_num == CMD_CLONE) &&
2696 	    modctl(MODLOAD, 1, "fs/lofs", NULL) != 0) {
2697 		if (errno == ENXIO)
2698 			(void) fprintf(stderr, gettext("could not verify "
2699 			    "lofs(7FS): possibly excluded in /etc/system\n"));
2700 		else
2701 			(void) fprintf(stderr, gettext("could not verify "
2702 			    "lofs(7FS): %s\n"), strerror(errno));
2703 		return_code = Z_ERR;
2704 	}
2705 
2706 	if (verify_filesystems(handle) != Z_OK)
2707 		return_code = Z_ERR;
2708 	if (verify_ipd(handle) != Z_OK)
2709 		return_code = Z_ERR;
2710 	if (!in_alt_root && verify_rctls(handle) != Z_OK)
2711 		return_code = Z_ERR;
2712 	if (!in_alt_root && verify_pool(handle) != Z_OK)
2713 		return_code = Z_ERR;
2714 	if (!in_alt_root && verify_brand(handle, cmd_num, argv) != Z_OK)
2715 		return_code = Z_ERR;
2716 	if (!in_alt_root && verify_datasets(handle) != Z_OK)
2717 		return_code = Z_ERR;
2718 
2719 	/*
2720 	 * As the "mount" command is used for patching/upgrading of zones
2721 	 * or other maintenance processes, the zone's privilege set is not
2722 	 * checked in this case.  Instead, the default, safe set of
2723 	 * privileges will be used when this zone is created in the
2724 	 * kernel.
2725 	 */
2726 	if (!in_alt_root && cmd_num != CMD_MOUNT &&
2727 	    verify_limitpriv(handle) != Z_OK)
2728 		return_code = Z_ERR;
2729 
2730 	return (return_code);
2731 }
2732 
2733 static int
2734 verify_details(int cmd_num, char *argv[])
2735 {
2736 	zone_dochandle_t handle;
2737 	char zonepath[MAXPATHLEN], checkpath[MAXPATHLEN];
2738 	int return_code = Z_OK;
2739 	int err;
2740 
2741 	if ((handle = zonecfg_init_handle()) == NULL) {
2742 		zperror(cmd_to_str(cmd_num), B_TRUE);
2743 		return (Z_ERR);
2744 	}
2745 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
2746 		errno = err;
2747 		zperror(cmd_to_str(cmd_num), B_TRUE);
2748 		zonecfg_fini_handle(handle);
2749 		return (Z_ERR);
2750 	}
2751 	if ((err = zonecfg_get_zonepath(handle, zonepath, sizeof (zonepath))) !=
2752 	    Z_OK) {
2753 		errno = err;
2754 		zperror(cmd_to_str(cmd_num), B_TRUE);
2755 		zonecfg_fini_handle(handle);
2756 		return (Z_ERR);
2757 	}
2758 	/*
2759 	 * zonecfg_get_zonepath() gets its data from the XML repository.
2760 	 * Verify this against the index file, which is checked first by
2761 	 * zone_get_zonepath().  If they don't match, bail out.
2762 	 */
2763 	if ((err = zone_get_zonepath(target_zone, checkpath,
2764 	    sizeof (checkpath))) != Z_OK) {
2765 		errno = err;
2766 		zperror2(target_zone, gettext("could not get zone path"));
2767 		zonecfg_fini_handle(handle);
2768 		return (Z_ERR);
2769 	}
2770 	if (strcmp(zonepath, checkpath) != 0) {
2771 		/*
2772 		 * TRANSLATION_NOTE
2773 		 * XML and zonepath are literals that should not be translated.
2774 		 */
2775 		(void) fprintf(stderr, gettext("The XML repository has "
2776 		    "zonepath '%s',\nbut the index file has zonepath '%s'.\n"
2777 		    "These must match, so fix the incorrect entry.\n"),
2778 		    zonepath, checkpath);
2779 		zonecfg_fini_handle(handle);
2780 		return (Z_ERR);
2781 	}
2782 	if (validate_zonepath(zonepath, cmd_num) != Z_OK) {
2783 		(void) fprintf(stderr, gettext("could not verify zonepath %s "
2784 		    "because of the above errors.\n"), zonepath);
2785 		return_code = Z_ERR;
2786 	}
2787 
2788 	if (verify_handle(cmd_num, handle, argv) != Z_OK)
2789 		return_code = Z_ERR;
2790 
2791 	zonecfg_fini_handle(handle);
2792 	if (return_code == Z_ERR)
2793 		(void) fprintf(stderr,
2794 		    gettext("%s: zone %s failed to verify\n"),
2795 		    execname, target_zone);
2796 	return (return_code);
2797 }
2798 
2799 static int
2800 verify_func(int argc, char *argv[])
2801 {
2802 	int arg;
2803 
2804 	optind = 0;
2805 	if ((arg = getopt(argc, argv, "?")) != EOF) {
2806 		switch (arg) {
2807 		case '?':
2808 			sub_usage(SHELP_VERIFY, CMD_VERIFY);
2809 			return (optopt == '?' ? Z_OK : Z_USAGE);
2810 		default:
2811 			sub_usage(SHELP_VERIFY, CMD_VERIFY);
2812 			return (Z_USAGE);
2813 		}
2814 	}
2815 	if (argc > optind) {
2816 		sub_usage(SHELP_VERIFY, CMD_VERIFY);
2817 		return (Z_USAGE);
2818 	}
2819 	if (sanity_check(target_zone, CMD_VERIFY, B_FALSE, B_FALSE, B_FALSE)
2820 	    != Z_OK)
2821 		return (Z_ERR);
2822 	return (verify_details(CMD_VERIFY, argv));
2823 }
2824 
2825 static int
2826 addoptions(char *buf, char *argv[], size_t len)
2827 {
2828 	int i = 0;
2829 
2830 	if (buf[0] == '\0')
2831 		return (Z_OK);
2832 
2833 	while (argv[i] != NULL) {
2834 		if (strlcat(buf, " ", len) >= len ||
2835 		    strlcat(buf, argv[i++], len) >= len) {
2836 			zerror("Command line too long");
2837 			return (Z_ERR);
2838 		}
2839 	}
2840 
2841 	return (Z_OK);
2842 }
2843 
2844 static int
2845 addopt(char *buf, int opt, char *optarg, size_t bufsize)
2846 {
2847 	char optstring[4];
2848 
2849 	if (opt > 0)
2850 		(void) sprintf(optstring, " -%c", opt);
2851 	else
2852 		(void) strcpy(optstring, " ");
2853 
2854 	if ((strlcat(buf, optstring, bufsize) > bufsize))
2855 		return (Z_ERR);
2856 
2857 	if ((optarg != NULL) && (strlcat(buf, optarg, bufsize) > bufsize))
2858 		return (Z_ERR);
2859 
2860 	return (Z_OK);
2861 }
2862 
2863 /* ARGSUSED */
2864 static int
2865 install_func(int argc, char *argv[])
2866 {
2867 	char cmdbuf[MAXPATHLEN];
2868 	char postcmdbuf[MAXPATHLEN];
2869 	int lockfd;
2870 	int arg, err, subproc_err;
2871 	char zonepath[MAXPATHLEN];
2872 	brand_handle_t bh = NULL;
2873 	int status;
2874 	boolean_t nodataset = B_FALSE;
2875 	boolean_t do_postinstall = B_FALSE;
2876 	boolean_t brand_help = B_FALSE;
2877 	char opts[128];
2878 
2879 	if (target_zone == NULL) {
2880 		sub_usage(SHELP_INSTALL, CMD_INSTALL);
2881 		return (Z_USAGE);
2882 	}
2883 
2884 	if (zonecfg_in_alt_root()) {
2885 		zerror(gettext("cannot install zone in alternate root"));
2886 		return (Z_ERR);
2887 	}
2888 
2889 	if ((err = zone_get_zonepath(target_zone, zonepath,
2890 	    sizeof (zonepath))) != Z_OK) {
2891 		errno = err;
2892 		zperror2(target_zone, gettext("could not get zone path"));
2893 		return (Z_ERR);
2894 	}
2895 
2896 	/* Fetch the install command from the brand configuration.  */
2897 	if ((bh = brand_open(target_brand)) == NULL) {
2898 		zerror(gettext("missing or invalid brand"));
2899 		return (Z_ERR);
2900 	}
2901 
2902 	if (get_hook(bh, cmdbuf, sizeof (cmdbuf), brand_get_install,
2903 	    target_zone, zonepath) != Z_OK) {
2904 		zerror("invalid brand configuration: missing install resource");
2905 		brand_close(bh);
2906 		return (Z_ERR);
2907 	}
2908 
2909 	if (get_hook(bh, postcmdbuf, sizeof (postcmdbuf), brand_get_postinstall,
2910 	    target_zone, zonepath) != Z_OK) {
2911 		zerror("invalid brand configuration: missing postinstall "
2912 		    "resource");
2913 		brand_close(bh);
2914 		return (Z_ERR);
2915 	}
2916 
2917 	if (postcmdbuf[0] != '\0')
2918 		do_postinstall = B_TRUE;
2919 
2920 	(void) strcpy(opts, "?x:");
2921 	/*
2922 	 * Fetch the list of recognized command-line options from
2923 	 * the brand configuration file.
2924 	 */
2925 	if (brand_get_installopts(bh, opts + strlen(opts),
2926 	    sizeof (opts) - strlen(opts)) != 0) {
2927 		zerror("invalid brand configuration: missing "
2928 		    "install options resource");
2929 		brand_close(bh);
2930 		return (Z_ERR);
2931 	}
2932 
2933 	brand_close(bh);
2934 
2935 	if (cmdbuf[0] == '\0') {
2936 		zerror("Missing brand install command");
2937 		return (Z_ERR);
2938 	}
2939 
2940 	/* Check the argv string for args we handle internally */
2941 	optind = 0;
2942 	opterr = 0;
2943 	while ((arg = getopt(argc, argv, opts)) != EOF) {
2944 		switch (arg) {
2945 		case '?':
2946 			if (optopt == '?') {
2947 				sub_usage(SHELP_INSTALL, CMD_INSTALL);
2948 				brand_help = B_TRUE;
2949 			}
2950 			/* Ignore unknown options - may be brand specific. */
2951 			break;
2952 		case 'x':
2953 			/* Handle this option internally, don't pass to brand */
2954 			if (strcmp(optarg, "nodataset") == 0) {
2955 				/* Handle this option internally */
2956 				nodataset = B_TRUE;
2957 			}
2958 			continue;
2959 		default:
2960 			/* Ignore unknown options - may be brand specific. */
2961 			break;
2962 		}
2963 
2964 		/*
2965 		 * Append the option to the command line passed to the
2966 		 * brand-specific install and postinstall routines.
2967 		 */
2968 		if (addopt(cmdbuf, optopt, optarg, sizeof (cmdbuf)) != Z_OK) {
2969 			zerror("Install command line too long");
2970 			return (Z_ERR);
2971 		}
2972 		if (addopt(postcmdbuf, optopt, optarg, sizeof (postcmdbuf))
2973 		    != Z_OK) {
2974 			zerror("Post-Install command line too long");
2975 			return (Z_ERR);
2976 		}
2977 	}
2978 
2979 	for (; optind < argc; optind++) {
2980 		if (addopt(cmdbuf, 0, argv[optind], sizeof (cmdbuf)) != Z_OK) {
2981 			zerror("Install command line too long");
2982 			return (Z_ERR);
2983 		}
2984 
2985 		if (addopt(postcmdbuf, 0, argv[optind], sizeof (postcmdbuf))
2986 		    != Z_OK) {
2987 			zerror("Post-Install command line too long");
2988 			return (Z_ERR);
2989 		}
2990 	}
2991 
2992 	if (!brand_help) {
2993 		if (sanity_check(target_zone, CMD_INSTALL, B_FALSE, B_TRUE,
2994 		    B_FALSE) != Z_OK)
2995 			return (Z_ERR);
2996 		if (verify_details(CMD_INSTALL, argv) != Z_OK)
2997 			return (Z_ERR);
2998 
2999 		if (zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
3000 			zerror(gettext("another %s may have an operation in "
3001 			    "progress."), "zoneadm");
3002 			return (Z_ERR);
3003 		}
3004 		err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE);
3005 		if (err != Z_OK) {
3006 			errno = err;
3007 			zperror2(target_zone, gettext("could not set state"));
3008 			goto done;
3009 		}
3010 
3011 		if (!nodataset)
3012 			create_zfs_zonepath(zonepath);
3013 	}
3014 
3015 	status = do_subproc_interactive(cmdbuf);
3016 	if ((subproc_err =
3017 	    subproc_status(gettext("brand-specific installation"), status,
3018 	    B_FALSE)) != ZONE_SUBPROC_OK) {
3019 		if (subproc_err == ZONE_SUBPROC_USAGE && !brand_help) {
3020 			sub_usage(SHELP_INSTALL, CMD_INSTALL);
3021 			zonecfg_release_lock_file(target_zone, lockfd);
3022 			return (Z_ERR);
3023 		}
3024 		err = Z_ERR;
3025 		goto done;
3026 	}
3027 
3028 	if (brand_help)
3029 		return (Z_OK);
3030 
3031 	if ((err = zone_set_state(target_zone, ZONE_STATE_INSTALLED)) != Z_OK) {
3032 		errno = err;
3033 		zperror2(target_zone, gettext("could not set state"));
3034 		goto done;
3035 	}
3036 
3037 	if (do_postinstall) {
3038 		status = do_subproc(postcmdbuf);
3039 
3040 		if ((subproc_err =
3041 		    subproc_status(gettext("brand-specific post-install"),
3042 		    status, B_FALSE)) != ZONE_SUBPROC_OK) {
3043 			err = Z_ERR;
3044 			(void) zone_set_state(target_zone,
3045 			    ZONE_STATE_INCOMPLETE);
3046 		}
3047 	}
3048 
3049 done:
3050 	/*
3051 	 * If the install script exited with ZONE_SUBPROC_NOTCOMPLETE, try to
3052 	 * clean up the zone and leave the zone in the CONFIGURED state so that
3053 	 * another install can be attempted without requiring an uninstall
3054 	 * first.
3055 	 */
3056 	if (subproc_err == ZONE_SUBPROC_NOTCOMPLETE) {
3057 		if ((err = cleanup_zonepath(zonepath, B_FALSE)) != Z_OK) {
3058 			errno = err;
3059 			zperror2(target_zone,
3060 			    gettext("cleaning up zonepath failed"));
3061 		} else if ((err = zone_set_state(target_zone,
3062 		    ZONE_STATE_CONFIGURED)) != Z_OK) {
3063 			errno = err;
3064 			zperror2(target_zone, gettext("could not set state"));
3065 		}
3066 	}
3067 
3068 	if (!brand_help)
3069 		zonecfg_release_lock_file(target_zone, lockfd);
3070 	return ((err == Z_OK) ? Z_OK : Z_ERR);
3071 }
3072 
3073 /*
3074  * Check that the inherited pkg dirs are the same for the clone and its source.
3075  * The easiest way to do that is check that the list of ipds is the same
3076  * by matching each one against the other.  This algorithm should be fine since
3077  * the list of ipds should not be that long.
3078  */
3079 static int
3080 valid_ipd_clone(zone_dochandle_t s_handle, char *source_zone,
3081 	zone_dochandle_t t_handle, char *target_zone)
3082 {
3083 	int err;
3084 	int res = Z_OK;
3085 	int s_cnt = 0;
3086 	int t_cnt = 0;
3087 	struct zone_fstab s_fstab;
3088 	struct zone_fstab t_fstab;
3089 
3090 	/*
3091 	 * First check the source of the clone against the target.
3092 	 */
3093 	if ((err = zonecfg_setipdent(s_handle)) != Z_OK) {
3094 		errno = err;
3095 		zperror2(source_zone, gettext("could not enumerate "
3096 		    "inherit-pkg-dirs"));
3097 		return (Z_ERR);
3098 	}
3099 
3100 	while (zonecfg_getipdent(s_handle, &s_fstab) == Z_OK) {
3101 		boolean_t match = B_FALSE;
3102 
3103 		s_cnt++;
3104 
3105 		if ((err = zonecfg_setipdent(t_handle)) != Z_OK) {
3106 			errno = err;
3107 			zperror2(target_zone, gettext("could not enumerate "
3108 			    "inherit-pkg-dirs"));
3109 			(void) zonecfg_endipdent(s_handle);
3110 			return (Z_ERR);
3111 		}
3112 
3113 		while (zonecfg_getipdent(t_handle, &t_fstab) == Z_OK) {
3114 			if (strcmp(s_fstab.zone_fs_dir, t_fstab.zone_fs_dir)
3115 			    == 0) {
3116 				match = B_TRUE;
3117 				break;
3118 			}
3119 		}
3120 		(void) zonecfg_endipdent(t_handle);
3121 
3122 		if (!match) {
3123 			(void) fprintf(stderr, gettext("inherit-pkg-dir "
3124 			    "'%s' is not configured in zone %s.\n"),
3125 			    s_fstab.zone_fs_dir, target_zone);
3126 			res = Z_ERR;
3127 		}
3128 	}
3129 
3130 	(void) zonecfg_endipdent(s_handle);
3131 
3132 	/* skip the next check if we already have errors */
3133 	if (res == Z_ERR)
3134 		return (res);
3135 
3136 	/*
3137 	 * Now check the number of ipds in the target so we can verify
3138 	 * that the source is not a subset of the target.
3139 	 */
3140 	if ((err = zonecfg_setipdent(t_handle)) != Z_OK) {
3141 		errno = err;
3142 		zperror2(target_zone, gettext("could not enumerate "
3143 		    "inherit-pkg-dirs"));
3144 		return (Z_ERR);
3145 	}
3146 
3147 	while (zonecfg_getipdent(t_handle, &t_fstab) == Z_OK)
3148 		t_cnt++;
3149 
3150 	(void) zonecfg_endipdent(t_handle);
3151 
3152 	if (t_cnt != s_cnt) {
3153 		(void) fprintf(stderr, gettext("Zone %s is configured "
3154 		    "with inherit-pkg-dirs that are not configured in zone "
3155 		    "%s.\n"), target_zone, source_zone);
3156 		res = Z_ERR;
3157 	}
3158 
3159 	return (res);
3160 }
3161 
3162 static void
3163 warn_dev_match(zone_dochandle_t s_handle, char *source_zone,
3164 	zone_dochandle_t t_handle, char *target_zone)
3165 {
3166 	int err;
3167 	struct zone_devtab s_devtab;
3168 	struct zone_devtab t_devtab;
3169 
3170 	if ((err = zonecfg_setdevent(t_handle)) != Z_OK) {
3171 		errno = err;
3172 		zperror2(target_zone, gettext("could not enumerate devices"));
3173 		return;
3174 	}
3175 
3176 	while (zonecfg_getdevent(t_handle, &t_devtab) == Z_OK) {
3177 		if ((err = zonecfg_setdevent(s_handle)) != Z_OK) {
3178 			errno = err;
3179 			zperror2(source_zone,
3180 			    gettext("could not enumerate devices"));
3181 			(void) zonecfg_enddevent(t_handle);
3182 			return;
3183 		}
3184 
3185 		while (zonecfg_getdevent(s_handle, &s_devtab) == Z_OK) {
3186 			/*
3187 			 * Use fnmatch to catch the case where wildcards
3188 			 * were used in one zone and the other has an
3189 			 * explicit entry (e.g. /dev/dsk/c0t0d0s6 vs.
3190 			 * /dev/\*dsk/c0t0d0s6).
3191 			 */
3192 			if (fnmatch(t_devtab.zone_dev_match,
3193 			    s_devtab.zone_dev_match, FNM_PATHNAME) == 0 ||
3194 			    fnmatch(s_devtab.zone_dev_match,
3195 			    t_devtab.zone_dev_match, FNM_PATHNAME) == 0) {
3196 				(void) fprintf(stderr,
3197 				    gettext("WARNING: device '%s' "
3198 				    "is configured in both zones.\n"),
3199 				    t_devtab.zone_dev_match);
3200 				break;
3201 			}
3202 		}
3203 		(void) zonecfg_enddevent(s_handle);
3204 	}
3205 
3206 	(void) zonecfg_enddevent(t_handle);
3207 }
3208 
3209 /*
3210  * Check if the specified mount option (opt) is contained within the
3211  * options string.
3212  */
3213 static boolean_t
3214 opt_match(char *opt, char *options)
3215 {
3216 	char *p;
3217 	char *lastp;
3218 
3219 	if ((p = strtok_r(options, ",", &lastp)) != NULL) {
3220 		if (strcmp(p, opt) == 0)
3221 			return (B_TRUE);
3222 		while ((p = strtok_r(NULL, ",", &lastp)) != NULL) {
3223 			if (strcmp(p, opt) == 0)
3224 				return (B_TRUE);
3225 		}
3226 	}
3227 
3228 	return (B_FALSE);
3229 }
3230 
3231 #define	RW_LOFS	"WARNING: read-write lofs file system on '%s' is configured " \
3232 	"in both zones.\n"
3233 
3234 static void
3235 print_fs_warnings(struct zone_fstab *s_fstab, struct zone_fstab *t_fstab)
3236 {
3237 	/*
3238 	 * It is ok to have shared lofs mounted fs but we want to warn if
3239 	 * either is rw since this will effect the other zone.
3240 	 */
3241 	if (strcmp(t_fstab->zone_fs_type, "lofs") == 0) {
3242 		zone_fsopt_t *optp;
3243 
3244 		/* The default is rw so no options means rw */
3245 		if (t_fstab->zone_fs_options == NULL ||
3246 		    s_fstab->zone_fs_options == NULL) {
3247 			(void) fprintf(stderr, gettext(RW_LOFS),
3248 			    t_fstab->zone_fs_special);
3249 			return;
3250 		}
3251 
3252 		for (optp = s_fstab->zone_fs_options; optp != NULL;
3253 		    optp = optp->zone_fsopt_next) {
3254 			if (opt_match("rw", optp->zone_fsopt_opt)) {
3255 				(void) fprintf(stderr, gettext(RW_LOFS),
3256 				    s_fstab->zone_fs_special);
3257 				return;
3258 			}
3259 		}
3260 
3261 		for (optp = t_fstab->zone_fs_options; optp != NULL;
3262 		    optp = optp->zone_fsopt_next) {
3263 			if (opt_match("rw", optp->zone_fsopt_opt)) {
3264 				(void) fprintf(stderr, gettext(RW_LOFS),
3265 				    t_fstab->zone_fs_special);
3266 				return;
3267 			}
3268 		}
3269 
3270 		return;
3271 	}
3272 
3273 	/*
3274 	 * TRANSLATION_NOTE
3275 	 * The first variable is the file system type and the second is
3276 	 * the file system special device.  For example,
3277 	 * WARNING: ufs file system on '/dev/dsk/c0t0d0s0' ...
3278 	 */
3279 	(void) fprintf(stderr, gettext("WARNING: %s file system on '%s' "
3280 	    "is configured in both zones.\n"), t_fstab->zone_fs_type,
3281 	    t_fstab->zone_fs_special);
3282 }
3283 
3284 static void
3285 warn_fs_match(zone_dochandle_t s_handle, char *source_zone,
3286 	zone_dochandle_t t_handle, char *target_zone)
3287 {
3288 	int err;
3289 	struct zone_fstab s_fstab;
3290 	struct zone_fstab t_fstab;
3291 
3292 	if ((err = zonecfg_setfsent(t_handle)) != Z_OK) {
3293 		errno = err;
3294 		zperror2(target_zone,
3295 		    gettext("could not enumerate file systems"));
3296 		return;
3297 	}
3298 
3299 	while (zonecfg_getfsent(t_handle, &t_fstab) == Z_OK) {
3300 		if ((err = zonecfg_setfsent(s_handle)) != Z_OK) {
3301 			errno = err;
3302 			zperror2(source_zone,
3303 			    gettext("could not enumerate file systems"));
3304 			(void) zonecfg_endfsent(t_handle);
3305 			return;
3306 		}
3307 
3308 		while (zonecfg_getfsent(s_handle, &s_fstab) == Z_OK) {
3309 			if (strcmp(t_fstab.zone_fs_special,
3310 			    s_fstab.zone_fs_special) == 0) {
3311 				print_fs_warnings(&s_fstab, &t_fstab);
3312 				break;
3313 			}
3314 		}
3315 		(void) zonecfg_endfsent(s_handle);
3316 	}
3317 
3318 	(void) zonecfg_endfsent(t_handle);
3319 }
3320 
3321 /*
3322  * We don't catch the case where you used the same IP address but
3323  * it is not an exact string match.  For example, 192.9.0.128 vs. 192.09.0.128.
3324  * However, we're not going to worry about that but we will check for
3325  * a possible netmask on one of the addresses (e.g. 10.0.0.1 and 10.0.0.1/24)
3326  * and handle that case as a match.
3327  */
3328 static void
3329 warn_ip_match(zone_dochandle_t s_handle, char *source_zone,
3330 	zone_dochandle_t t_handle, char *target_zone)
3331 {
3332 	int err;
3333 	struct zone_nwiftab s_nwiftab;
3334 	struct zone_nwiftab t_nwiftab;
3335 
3336 	if ((err = zonecfg_setnwifent(t_handle)) != Z_OK) {
3337 		errno = err;
3338 		zperror2(target_zone,
3339 		    gettext("could not enumerate network interfaces"));
3340 		return;
3341 	}
3342 
3343 	while (zonecfg_getnwifent(t_handle, &t_nwiftab) == Z_OK) {
3344 		char *p;
3345 
3346 		/* remove an (optional) netmask from the address */
3347 		if ((p = strchr(t_nwiftab.zone_nwif_address, '/')) != NULL)
3348 			*p = '\0';
3349 
3350 		if ((err = zonecfg_setnwifent(s_handle)) != Z_OK) {
3351 			errno = err;
3352 			zperror2(source_zone,
3353 			    gettext("could not enumerate network interfaces"));
3354 			(void) zonecfg_endnwifent(t_handle);
3355 			return;
3356 		}
3357 
3358 		while (zonecfg_getnwifent(s_handle, &s_nwiftab) == Z_OK) {
3359 			/* remove an (optional) netmask from the address */
3360 			if ((p = strchr(s_nwiftab.zone_nwif_address, '/'))
3361 			    != NULL)
3362 				*p = '\0';
3363 
3364 			/* For exclusive-IP zones, address is not specified. */
3365 			if (strlen(s_nwiftab.zone_nwif_address) == 0)
3366 				continue;
3367 
3368 			if (strcmp(t_nwiftab.zone_nwif_address,
3369 			    s_nwiftab.zone_nwif_address) == 0) {
3370 				(void) fprintf(stderr,
3371 				    gettext("WARNING: network address '%s' "
3372 				    "is configured in both zones.\n"),
3373 				    t_nwiftab.zone_nwif_address);
3374 				break;
3375 			}
3376 		}
3377 		(void) zonecfg_endnwifent(s_handle);
3378 	}
3379 
3380 	(void) zonecfg_endnwifent(t_handle);
3381 }
3382 
3383 static void
3384 warn_dataset_match(zone_dochandle_t s_handle, char *source,
3385 	zone_dochandle_t t_handle, char *target)
3386 {
3387 	int err;
3388 	struct zone_dstab s_dstab;
3389 	struct zone_dstab t_dstab;
3390 
3391 	if ((err = zonecfg_setdsent(t_handle)) != Z_OK) {
3392 		errno = err;
3393 		zperror2(target, gettext("could not enumerate datasets"));
3394 		return;
3395 	}
3396 
3397 	while (zonecfg_getdsent(t_handle, &t_dstab) == Z_OK) {
3398 		if ((err = zonecfg_setdsent(s_handle)) != Z_OK) {
3399 			errno = err;
3400 			zperror2(source,
3401 			    gettext("could not enumerate datasets"));
3402 			(void) zonecfg_enddsent(t_handle);
3403 			return;
3404 		}
3405 
3406 		while (zonecfg_getdsent(s_handle, &s_dstab) == Z_OK) {
3407 			if (strcmp(t_dstab.zone_dataset_name,
3408 			    s_dstab.zone_dataset_name) == 0) {
3409 				target_zone = source;
3410 				zerror(gettext("WARNING: dataset '%s' "
3411 				    "is configured in both zones.\n"),
3412 				    t_dstab.zone_dataset_name);
3413 				break;
3414 			}
3415 		}
3416 		(void) zonecfg_enddsent(s_handle);
3417 	}
3418 
3419 	(void) zonecfg_enddsent(t_handle);
3420 }
3421 
3422 /*
3423  * Check that the clone and its source have the same brand type.
3424  */
3425 static int
3426 valid_brand_clone(char *source_zone, char *target_zone)
3427 {
3428 	brand_handle_t bh;
3429 	char source_brand[MAXNAMELEN];
3430 
3431 	if ((zone_get_brand(source_zone, source_brand,
3432 	    sizeof (source_brand))) != Z_OK) {
3433 		(void) fprintf(stderr, "%s: zone '%s': %s\n",
3434 		    execname, source_zone, gettext("missing or invalid brand"));
3435 		return (Z_ERR);
3436 	}
3437 
3438 	if (strcmp(source_brand, target_brand) != NULL) {
3439 		(void) fprintf(stderr,
3440 		    gettext("%s: Zones '%s' and '%s' have different brand "
3441 		    "types.\n"), execname, source_zone, target_zone);
3442 		return (Z_ERR);
3443 	}
3444 
3445 	if ((bh = brand_open(target_brand)) == NULL) {
3446 		zerror(gettext("missing or invalid brand"));
3447 		return (Z_ERR);
3448 	}
3449 	brand_close(bh);
3450 	return (Z_OK);
3451 }
3452 
3453 static int
3454 validate_clone(char *source_zone, char *target_zone)
3455 {
3456 	int err = Z_OK;
3457 	zone_dochandle_t s_handle;
3458 	zone_dochandle_t t_handle;
3459 
3460 	if ((t_handle = zonecfg_init_handle()) == NULL) {
3461 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3462 		return (Z_ERR);
3463 	}
3464 	if ((err = zonecfg_get_handle(target_zone, t_handle)) != Z_OK) {
3465 		errno = err;
3466 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3467 		zonecfg_fini_handle(t_handle);
3468 		return (Z_ERR);
3469 	}
3470 
3471 	if ((s_handle = zonecfg_init_handle()) == NULL) {
3472 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3473 		zonecfg_fini_handle(t_handle);
3474 		return (Z_ERR);
3475 	}
3476 	if ((err = zonecfg_get_handle(source_zone, s_handle)) != Z_OK) {
3477 		errno = err;
3478 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3479 		goto done;
3480 	}
3481 
3482 	/* verify new zone has same brand type */
3483 	err = valid_brand_clone(source_zone, target_zone);
3484 	if (err != Z_OK)
3485 		goto done;
3486 
3487 	/* verify new zone has same inherit-pkg-dirs */
3488 	err = valid_ipd_clone(s_handle, source_zone, t_handle, target_zone);
3489 
3490 	/* warn about imported fs's which are the same */
3491 	warn_fs_match(s_handle, source_zone, t_handle, target_zone);
3492 
3493 	/* warn about imported IP addresses which are the same */
3494 	warn_ip_match(s_handle, source_zone, t_handle, target_zone);
3495 
3496 	/* warn about imported devices which are the same */
3497 	warn_dev_match(s_handle, source_zone, t_handle, target_zone);
3498 
3499 	/* warn about imported datasets which are the same */
3500 	warn_dataset_match(s_handle, source_zone, t_handle, target_zone);
3501 
3502 done:
3503 	zonecfg_fini_handle(t_handle);
3504 	zonecfg_fini_handle(s_handle);
3505 
3506 	return ((err == Z_OK) ? Z_OK : Z_ERR);
3507 }
3508 
3509 static int
3510 copy_zone(char *src, char *dst)
3511 {
3512 	boolean_t out_null = B_FALSE;
3513 	int status;
3514 	char *outfile;
3515 	char cmdbuf[MAXPATHLEN * 2 + 128];
3516 
3517 	if ((outfile = tempnam("/var/log", "zone")) == NULL) {
3518 		outfile = "/dev/null";
3519 		out_null = B_TRUE;
3520 	}
3521 
3522 	/*
3523 	 * Use find to get the list of files to copy.  We need to skip
3524 	 * files of type "socket" since cpio can't handle those but that
3525 	 * should be ok since the app will recreate the socket when it runs.
3526 	 * We also need to filter out anything under the .zfs subdir.  Since
3527 	 * find is running depth-first, we need the extra egrep to filter .zfs.
3528 	 */
3529 	(void) snprintf(cmdbuf, sizeof (cmdbuf),
3530 	    "cd %s && /usr/bin/find . -type s -prune -o -depth -print | "
3531 	    "/usr/bin/egrep -v '^\\./\\.zfs$|^\\./\\.zfs/' | "
3532 	    "/usr/bin/cpio -pdmuP@ %s > %s 2>&1",
3533 	    src, dst, outfile);
3534 
3535 	status = do_subproc(cmdbuf);
3536 
3537 	if (subproc_status("copy", status, B_TRUE) != ZONE_SUBPROC_OK) {
3538 		if (!out_null)
3539 			(void) fprintf(stderr, gettext("\nThe copy failed.\n"
3540 			    "More information can be found in %s\n"), outfile);
3541 		return (Z_ERR);
3542 	}
3543 
3544 	if (!out_null)
3545 		(void) unlink(outfile);
3546 
3547 	return (Z_OK);
3548 }
3549 
3550 /* ARGSUSED */
3551 static int
3552 zfm_print(const char *p, void *r) {
3553 	zerror("  %s\n", p);
3554 	return (0);
3555 }
3556 
3557 int
3558 clone_copy(char *source_zonepath, char *zonepath)
3559 {
3560 	int err;
3561 
3562 	/* Don't clone the zone if anything is still mounted there */
3563 	if (zonecfg_find_mounts(source_zonepath, NULL, NULL)) {
3564 		zerror(gettext("These file systems are mounted on "
3565 		    "subdirectories of %s.\n"), source_zonepath);
3566 		(void) zonecfg_find_mounts(source_zonepath, zfm_print, NULL);
3567 		return (Z_ERR);
3568 	}
3569 
3570 	/*
3571 	 * Attempt to create a ZFS fs for the zonepath.  As usual, we don't
3572 	 * care if this works or not since we always have the default behavior
3573 	 * of a simple directory for the zonepath.
3574 	 */
3575 	create_zfs_zonepath(zonepath);
3576 
3577 	(void) printf(gettext("Copying %s..."), source_zonepath);
3578 	(void) fflush(stdout);
3579 
3580 	err = copy_zone(source_zonepath, zonepath);
3581 
3582 	(void) printf("\n");
3583 
3584 	return (err);
3585 }
3586 
3587 static int
3588 clone_func(int argc, char *argv[])
3589 {
3590 	char *source_zone = NULL;
3591 	int lockfd;
3592 	int err, arg;
3593 	char zonepath[MAXPATHLEN];
3594 	char source_zonepath[MAXPATHLEN];
3595 	zone_state_t state;
3596 	zone_entry_t *zent;
3597 	char *method = NULL;
3598 	char *snapshot = NULL;
3599 	char cmdbuf[MAXPATHLEN];
3600 	char postcmdbuf[MAXPATHLEN];
3601 	char presnapbuf[MAXPATHLEN];
3602 	char postsnapbuf[MAXPATHLEN];
3603 	char validsnapbuf[MAXPATHLEN];
3604 	brand_handle_t bh = NULL;
3605 	int status;
3606 	boolean_t brand_help = B_FALSE;
3607 
3608 	if (zonecfg_in_alt_root()) {
3609 		zerror(gettext("cannot clone zone in alternate root"));
3610 		return (Z_ERR);
3611 	}
3612 
3613 	/* Check the argv string for args we handle internally */
3614 	optind = 0;
3615 	opterr = 0;
3616 	while ((arg = getopt(argc, argv, "?m:s:")) != EOF) {
3617 		switch (arg) {
3618 		case '?':
3619 			if (optopt == '?') {
3620 				sub_usage(SHELP_CLONE, CMD_CLONE);
3621 				brand_help = B_TRUE;
3622 			}
3623 			/* Ignore unknown options - may be brand specific. */
3624 			break;
3625 		case 'm':
3626 			method = optarg;
3627 			break;
3628 		case 's':
3629 			snapshot = optarg;
3630 			break;
3631 		default:
3632 			/* Ignore unknown options - may be brand specific. */
3633 			break;
3634 		}
3635 	}
3636 
3637 	if (argc != (optind + 1)) {
3638 		sub_usage(SHELP_CLONE, CMD_CLONE);
3639 		return (Z_USAGE);
3640 	}
3641 
3642 	source_zone = argv[optind];
3643 
3644 	if (!brand_help) {
3645 		if (sanity_check(target_zone, CMD_CLONE, B_FALSE, B_TRUE,
3646 		    B_FALSE) != Z_OK)
3647 			return (Z_ERR);
3648 		if (verify_details(CMD_CLONE, argv) != Z_OK)
3649 			return (Z_ERR);
3650 
3651 		/*
3652 		 * We also need to do some extra validation on the source zone.
3653 		 */
3654 		if (strcmp(source_zone, GLOBAL_ZONENAME) == 0) {
3655 			zerror(gettext("%s operation is invalid for the "
3656 			    "global zone."), cmd_to_str(CMD_CLONE));
3657 			return (Z_ERR);
3658 		}
3659 
3660 		if (strncmp(source_zone, "SUNW", 4) == 0) {
3661 			zerror(gettext("%s operation is invalid for zones "
3662 			    "starting with SUNW."), cmd_to_str(CMD_CLONE));
3663 			return (Z_ERR);
3664 		}
3665 
3666 		zent = lookup_running_zone(source_zone);
3667 		if (zent != NULL) {
3668 			/* check whether the zone is ready or running */
3669 			if ((err = zone_get_state(zent->zname,
3670 			    &zent->zstate_num)) != Z_OK) {
3671 				errno = err;
3672 				zperror2(zent->zname, gettext("could not get "
3673 				    "state"));
3674 				/* can't tell, so hedge */
3675 				zent->zstate_str = "ready/running";
3676 			} else {
3677 				zent->zstate_str =
3678 				    zone_state_str(zent->zstate_num);
3679 			}
3680 			zerror(gettext("%s operation is invalid for %s zones."),
3681 			    cmd_to_str(CMD_CLONE), zent->zstate_str);
3682 			return (Z_ERR);
3683 		}
3684 
3685 		if ((err = zone_get_state(source_zone, &state)) != Z_OK) {
3686 			errno = err;
3687 			zperror2(source_zone, gettext("could not get state"));
3688 			return (Z_ERR);
3689 		}
3690 		if (state != ZONE_STATE_INSTALLED) {
3691 			(void) fprintf(stderr,
3692 			    gettext("%s: zone %s is %s; %s is required.\n"),
3693 			    execname, source_zone, zone_state_str(state),
3694 			    zone_state_str(ZONE_STATE_INSTALLED));
3695 			return (Z_ERR);
3696 		}
3697 
3698 		/*
3699 		 * The source zone checks out ok, continue with the clone.
3700 		 */
3701 
3702 		if (validate_clone(source_zone, target_zone) != Z_OK)
3703 			return (Z_ERR);
3704 
3705 		if (zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
3706 			zerror(gettext("another %s may have an operation in "
3707 			    "progress."), "zoneadm");
3708 			return (Z_ERR);
3709 		}
3710 	}
3711 
3712 	if ((err = zone_get_zonepath(source_zone, source_zonepath,
3713 	    sizeof (source_zonepath))) != Z_OK) {
3714 		errno = err;
3715 		zperror2(source_zone, gettext("could not get zone path"));
3716 		goto done;
3717 	}
3718 
3719 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
3720 	    != Z_OK) {
3721 		errno = err;
3722 		zperror2(target_zone, gettext("could not get zone path"));
3723 		goto done;
3724 	}
3725 
3726 	/*
3727 	 * Fetch the clone and postclone hooks from the brand configuration.
3728 	 */
3729 	if ((bh = brand_open(target_brand)) == NULL) {
3730 		zerror(gettext("missing or invalid brand"));
3731 		err = Z_ERR;
3732 		goto done;
3733 	}
3734 
3735 	if (get_hook(bh, cmdbuf, sizeof (cmdbuf), brand_get_clone, target_zone,
3736 	    zonepath) != Z_OK) {
3737 		zerror("invalid brand configuration: missing clone resource");
3738 		brand_close(bh);
3739 		err = Z_ERR;
3740 		goto done;
3741 	}
3742 
3743 	if (get_hook(bh, postcmdbuf, sizeof (postcmdbuf), brand_get_postclone,
3744 	    target_zone, zonepath) != Z_OK) {
3745 		zerror("invalid brand configuration: missing postclone "
3746 		    "resource");
3747 		brand_close(bh);
3748 		err = Z_ERR;
3749 		goto done;
3750 	}
3751 
3752 	if (get_hook(bh, presnapbuf, sizeof (presnapbuf), brand_get_presnap,
3753 	    source_zone, source_zonepath) != Z_OK) {
3754 		zerror("invalid brand configuration: missing presnap "
3755 		    "resource");
3756 		brand_close(bh);
3757 		err = Z_ERR;
3758 		goto done;
3759 	}
3760 
3761 	if (get_hook(bh, postsnapbuf, sizeof (postsnapbuf), brand_get_postsnap,
3762 	    source_zone, source_zonepath) != Z_OK) {
3763 		zerror("invalid brand configuration: missing postsnap "
3764 		    "resource");
3765 		brand_close(bh);
3766 		err = Z_ERR;
3767 		goto done;
3768 	}
3769 
3770 	if (get_hook(bh, validsnapbuf, sizeof (validsnapbuf),
3771 	    brand_get_validatesnap, target_zone, zonepath) != Z_OK) {
3772 		zerror("invalid brand configuration: missing validatesnap "
3773 		    "resource");
3774 		brand_close(bh);
3775 		err = Z_ERR;
3776 		goto done;
3777 	}
3778 	brand_close(bh);
3779 
3780 	/* Append all options to clone hook. */
3781 	if (addoptions(cmdbuf, argv, sizeof (cmdbuf)) != Z_OK) {
3782 		err = Z_ERR;
3783 		goto done;
3784 	}
3785 
3786 	/* Append all options to postclone hook. */
3787 	if (addoptions(postcmdbuf, argv, sizeof (postcmdbuf)) != Z_OK) {
3788 		err = Z_ERR;
3789 		goto done;
3790 	}
3791 
3792 	if (!brand_help) {
3793 		if ((err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE))
3794 		    != Z_OK) {
3795 			errno = err;
3796 			zperror2(target_zone, gettext("could not set state"));
3797 			goto done;
3798 		}
3799 	}
3800 
3801 	/*
3802 	 * The clone hook is optional.  If it exists, use the hook for
3803 	 * cloning, otherwise use the built-in clone support
3804 	 */
3805 	if (cmdbuf[0] != '\0') {
3806 		/* Run the clone hook */
3807 		status = do_subproc_interactive(cmdbuf);
3808 		if ((status = subproc_status(gettext("brand-specific clone"),
3809 		    status, B_FALSE)) != ZONE_SUBPROC_OK) {
3810 			if (status == ZONE_SUBPROC_USAGE && !brand_help)
3811 				sub_usage(SHELP_CLONE, CMD_CLONE);
3812 			err = Z_ERR;
3813 			goto done;
3814 		}
3815 
3816 		if (brand_help)
3817 			return (Z_OK);
3818 
3819 	} else {
3820 		/* If just help, we're done since there is no brand help. */
3821 		if (brand_help)
3822 			return (Z_OK);
3823 
3824 		/* Run the built-in clone support. */
3825 
3826 		/* The only explicit built-in method is "copy". */
3827 		if (method != NULL && strcmp(method, "copy") != 0) {
3828 			sub_usage(SHELP_CLONE, CMD_CLONE);
3829 			err = Z_USAGE;
3830 			goto done;
3831 		}
3832 
3833 		if (snapshot != NULL) {
3834 			err = clone_snapshot_zfs(snapshot, zonepath,
3835 			    validsnapbuf);
3836 		} else {
3837 			/*
3838 			 * We always copy the clone unless the source is ZFS
3839 			 * and a ZFS clone worked.  We fallback to copying if
3840 			 * the ZFS clone fails for some reason.
3841 			 */
3842 			err = Z_ERR;
3843 			if (method == NULL && is_zonepath_zfs(source_zonepath))
3844 				err = clone_zfs(source_zonepath, zonepath,
3845 				    presnapbuf, postsnapbuf);
3846 
3847 			if (err != Z_OK)
3848 				err = clone_copy(source_zonepath, zonepath);
3849 		}
3850 	}
3851 
3852 	if (err == Z_OK && postcmdbuf[0] != '\0') {
3853 		status = do_subproc(postcmdbuf);
3854 		if ((err = subproc_status("postclone", status, B_FALSE))
3855 		    != ZONE_SUBPROC_OK) {
3856 			zerror(gettext("post-clone configuration failed."));
3857 			err = Z_ERR;
3858 		}
3859 	}
3860 
3861 done:
3862 	/*
3863 	 * If everything went well, we mark the zone as installed.
3864 	 */
3865 	if (err == Z_OK) {
3866 		err = zone_set_state(target_zone, ZONE_STATE_INSTALLED);
3867 		if (err != Z_OK) {
3868 			errno = err;
3869 			zperror2(target_zone, gettext("could not set state"));
3870 		}
3871 	}
3872 	if (!brand_help)
3873 		zonecfg_release_lock_file(target_zone, lockfd);
3874 	return ((err == Z_OK) ? Z_OK : Z_ERR);
3875 }
3876 
3877 /*
3878  * Used when removing a zonepath after uninstalling or cleaning up after
3879  * the move subcommand.  This handles a zonepath that has non-standard
3880  * contents so that we will only cleanup the stuff we know about and leave
3881  * any user data alone.
3882  *
3883  * If the "all" parameter is true then we should remove the whole zonepath
3884  * even if it has non-standard files/directories in it.  This can be used when
3885  * we need to cleanup after moving the zonepath across file systems.
3886  *
3887  * We "exec" the RMCOMMAND so that the returned status is that of RMCOMMAND
3888  * and not the shell.
3889  */
3890 static int
3891 cleanup_zonepath(char *zonepath, boolean_t all)
3892 {
3893 	int		status;
3894 	int		i;
3895 	boolean_t	non_std = B_FALSE;
3896 	struct dirent	*dp;
3897 	DIR		*dirp;
3898 			/*
3899 			 * The SUNWattached.xml file is expected since it might
3900 			 * exist if the zone was force-attached after a
3901 			 * migration.
3902 			 */
3903 	char		*std_entries[] = {"dev", "lu", "root",
3904 			    "SUNWattached.xml", NULL};
3905 			/* (MAXPATHLEN * 3) is for the 3 std_entries dirs */
3906 	char		cmdbuf[sizeof (RMCOMMAND) + (MAXPATHLEN * 3) + 64];
3907 
3908 	/*
3909 	 * We shouldn't need these checks but lets be paranoid since we
3910 	 * could blow away the whole system here if we got the wrong zonepath.
3911 	 */
3912 	if (*zonepath == NULL || strcmp(zonepath, "/") == 0) {
3913 		(void) fprintf(stderr, "invalid zonepath '%s'\n", zonepath);
3914 		return (Z_INVAL);
3915 	}
3916 
3917 	/*
3918 	 * If the dirpath is already gone (maybe it was manually removed) then
3919 	 * we just return Z_OK so that the cleanup is successful.
3920 	 */
3921 	if ((dirp = opendir(zonepath)) == NULL)
3922 		return (Z_OK);
3923 
3924 	/*
3925 	 * Look through the zonepath directory to see if there are any
3926 	 * non-standard files/dirs.  Also skip .zfs since that might be
3927 	 * there but we'll handle ZFS file systems as a special case.
3928 	 */
3929 	while ((dp = readdir(dirp)) != NULL) {
3930 		if (strcmp(dp->d_name, ".") == 0 ||
3931 		    strcmp(dp->d_name, "..") == 0 ||
3932 		    strcmp(dp->d_name, ".zfs") == 0)
3933 			continue;
3934 
3935 		for (i = 0; std_entries[i] != NULL; i++)
3936 			if (strcmp(dp->d_name, std_entries[i]) == 0)
3937 				break;
3938 
3939 		if (std_entries[i] == NULL)
3940 			non_std = B_TRUE;
3941 	}
3942 	(void) closedir(dirp);
3943 
3944 	if (!all && non_std) {
3945 		/*
3946 		 * There are extra, non-standard directories/files in the
3947 		 * zonepath so we don't want to remove the zonepath.  We
3948 		 * just want to remove the standard directories and leave
3949 		 * the user data alone.
3950 		 */
3951 		(void) snprintf(cmdbuf, sizeof (cmdbuf), "exec " RMCOMMAND);
3952 
3953 		for (i = 0; std_entries[i] != NULL; i++) {
3954 			char tmpbuf[MAXPATHLEN];
3955 
3956 			if (snprintf(tmpbuf, sizeof (tmpbuf), " %s/%s",
3957 			    zonepath, std_entries[i]) >= sizeof (tmpbuf) ||
3958 			    strlcat(cmdbuf, tmpbuf, sizeof (cmdbuf)) >=
3959 			    sizeof (cmdbuf)) {
3960 				(void) fprintf(stderr,
3961 				    gettext("path is too long\n"));
3962 				return (Z_INVAL);
3963 			}
3964 		}
3965 
3966 		status = do_subproc(cmdbuf);
3967 
3968 		(void) fprintf(stderr, gettext("WARNING: Unable to completely "
3969 		    "remove %s\nbecause it contains additional user data.  "
3970 		    "Only the standard directory\nentries have been "
3971 		    "removed.\n"),
3972 		    zonepath);
3973 
3974 		return ((subproc_status(RMCOMMAND, status, B_TRUE) ==
3975 		    ZONE_SUBPROC_OK) ? Z_OK : Z_ERR);
3976 	}
3977 
3978 	/*
3979 	 * There is nothing unexpected in the zonepath, try to get rid of the
3980 	 * whole zonepath directory.
3981 	 *
3982 	 * If the zonepath is its own zfs file system, try to destroy the
3983 	 * file system.  If that fails for some reason (e.g. it has clones)
3984 	 * then we'll just remove the contents of the zonepath.
3985 	 */
3986 	if (is_zonepath_zfs(zonepath)) {
3987 		if (destroy_zfs(zonepath) == Z_OK)
3988 			return (Z_OK);
3989 		(void) snprintf(cmdbuf, sizeof (cmdbuf), "exec " RMCOMMAND
3990 		    " %s/*", zonepath);
3991 		status = do_subproc(cmdbuf);
3992 		return ((subproc_status(RMCOMMAND, status, B_TRUE) ==
3993 		    ZONE_SUBPROC_OK) ? Z_OK : Z_ERR);
3994 	}
3995 
3996 	(void) snprintf(cmdbuf, sizeof (cmdbuf), "exec " RMCOMMAND " %s",
3997 	    zonepath);
3998 	status = do_subproc(cmdbuf);
3999 
4000 	return ((subproc_status(RMCOMMAND, status, B_TRUE) == ZONE_SUBPROC_OK)
4001 	    ? Z_OK : Z_ERR);
4002 }
4003 
4004 static int
4005 move_func(int argc, char *argv[])
4006 {
4007 	char *new_zonepath = NULL;
4008 	int lockfd;
4009 	int err, arg;
4010 	char zonepath[MAXPATHLEN];
4011 	zone_dochandle_t handle;
4012 	boolean_t fast;
4013 	boolean_t is_zfs = B_FALSE;
4014 	struct dirent *dp;
4015 	DIR *dirp;
4016 	boolean_t empty = B_TRUE;
4017 	boolean_t revert;
4018 	struct stat zonepath_buf;
4019 	struct stat new_zonepath_buf;
4020 
4021 	if (zonecfg_in_alt_root()) {
4022 		zerror(gettext("cannot move zone in alternate root"));
4023 		return (Z_ERR);
4024 	}
4025 
4026 	optind = 0;
4027 	if ((arg = getopt(argc, argv, "?")) != EOF) {
4028 		switch (arg) {
4029 		case '?':
4030 			sub_usage(SHELP_MOVE, CMD_MOVE);
4031 			return (optopt == '?' ? Z_OK : Z_USAGE);
4032 		default:
4033 			sub_usage(SHELP_MOVE, CMD_MOVE);
4034 			return (Z_USAGE);
4035 		}
4036 	}
4037 	if (argc != (optind + 1)) {
4038 		sub_usage(SHELP_MOVE, CMD_MOVE);
4039 		return (Z_USAGE);
4040 	}
4041 	new_zonepath = argv[optind];
4042 	if (sanity_check(target_zone, CMD_MOVE, B_FALSE, B_TRUE, B_FALSE)
4043 	    != Z_OK)
4044 		return (Z_ERR);
4045 	if (verify_details(CMD_MOVE, argv) != Z_OK)
4046 		return (Z_ERR);
4047 
4048 	/*
4049 	 * Check out the new zonepath.  This has the side effect of creating
4050 	 * a directory for the new zonepath.  We depend on this later when we
4051 	 * stat to see if we are doing a cross file system move or not.
4052 	 */
4053 	if (validate_zonepath(new_zonepath, CMD_MOVE) != Z_OK)
4054 		return (Z_ERR);
4055 
4056 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
4057 	    != Z_OK) {
4058 		errno = err;
4059 		zperror2(target_zone, gettext("could not get zone path"));
4060 		return (Z_ERR);
4061 	}
4062 
4063 	if (stat(zonepath, &zonepath_buf) == -1) {
4064 		zperror(gettext("could not stat zone path"), B_FALSE);
4065 		return (Z_ERR);
4066 	}
4067 
4068 	if (stat(new_zonepath, &new_zonepath_buf) == -1) {
4069 		zperror(gettext("could not stat new zone path"), B_FALSE);
4070 		return (Z_ERR);
4071 	}
4072 
4073 	/*
4074 	 * Check if the destination directory is empty.
4075 	 */
4076 	if ((dirp = opendir(new_zonepath)) == NULL) {
4077 		zperror(gettext("could not open new zone path"), B_FALSE);
4078 		return (Z_ERR);
4079 	}
4080 	while ((dp = readdir(dirp)) != (struct dirent *)0) {
4081 		if (strcmp(dp->d_name, ".") == 0 ||
4082 		    strcmp(dp->d_name, "..") == 0)
4083 			continue;
4084 		empty = B_FALSE;
4085 		break;
4086 	}
4087 	(void) closedir(dirp);
4088 
4089 	/* Error if there is anything in the destination directory. */
4090 	if (!empty) {
4091 		(void) fprintf(stderr, gettext("could not move zone to %s: "
4092 		    "directory not empty\n"), new_zonepath);
4093 		return (Z_ERR);
4094 	}
4095 
4096 	/* Don't move the zone if anything is still mounted there */
4097 	if (zonecfg_find_mounts(zonepath, NULL, NULL)) {
4098 		zerror(gettext("These file systems are mounted on "
4099 		    "subdirectories of %s.\n"), zonepath);
4100 		(void) zonecfg_find_mounts(zonepath, zfm_print, NULL);
4101 		return (Z_ERR);
4102 	}
4103 
4104 	/*
4105 	 * Check if we are moving in the same file system and can do a fast
4106 	 * move or if we are crossing file systems and have to copy the data.
4107 	 */
4108 	fast = (zonepath_buf.st_dev == new_zonepath_buf.st_dev);
4109 
4110 	if ((handle = zonecfg_init_handle()) == NULL) {
4111 		zperror(cmd_to_str(CMD_MOVE), B_TRUE);
4112 		return (Z_ERR);
4113 	}
4114 
4115 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
4116 		errno = err;
4117 		zperror(cmd_to_str(CMD_MOVE), B_TRUE);
4118 		zonecfg_fini_handle(handle);
4119 		return (Z_ERR);
4120 	}
4121 
4122 	if (zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
4123 		zerror(gettext("another %s may have an operation in progress."),
4124 		    "zoneadm");
4125 		zonecfg_fini_handle(handle);
4126 		return (Z_ERR);
4127 	}
4128 
4129 	/*
4130 	 * We're making some file system changes now so we have to clean up
4131 	 * the file system before we are done.  This will either clean up the
4132 	 * new zonepath if the zonecfg update failed or it will clean up the
4133 	 * old zonepath if everything is ok.
4134 	 */
4135 	revert = B_TRUE;
4136 
4137 	if (is_zonepath_zfs(zonepath) &&
4138 	    move_zfs(zonepath, new_zonepath) != Z_ERR) {
4139 		is_zfs = B_TRUE;
4140 
4141 	} else if (fast) {
4142 		/* same file system, use rename for a quick move */
4143 
4144 		/*
4145 		 * Remove the new_zonepath directory that got created above
4146 		 * during the validation.  It gets in the way of the rename.
4147 		 */
4148 		if (rmdir(new_zonepath) != 0) {
4149 			zperror(gettext("could not rmdir new zone path"),
4150 			    B_FALSE);
4151 			zonecfg_fini_handle(handle);
4152 			zonecfg_release_lock_file(target_zone, lockfd);
4153 			return (Z_ERR);
4154 		}
4155 
4156 		if (rename(zonepath, new_zonepath) != 0) {
4157 			/*
4158 			 * If this fails we don't need to do all of the
4159 			 * cleanup that happens for the rest of the code
4160 			 * so just return from this error.
4161 			 */
4162 			zperror(gettext("could not move zone"), B_FALSE);
4163 			zonecfg_fini_handle(handle);
4164 			zonecfg_release_lock_file(target_zone, lockfd);
4165 			return (Z_ERR);
4166 		}
4167 
4168 	} else {
4169 		/*
4170 		 * Attempt to create a ZFS fs for the new zonepath.  As usual,
4171 		 * we don't care if this works or not since we always have the
4172 		 * default behavior of a simple directory for the zonepath.
4173 		 */
4174 		create_zfs_zonepath(new_zonepath);
4175 
4176 		(void) printf(gettext(
4177 		    "Moving across file systems; copying zonepath %s..."),
4178 		    zonepath);
4179 		(void) fflush(stdout);
4180 
4181 		err = copy_zone(zonepath, new_zonepath);
4182 
4183 		(void) printf("\n");
4184 		if (err != Z_OK)
4185 			goto done;
4186 	}
4187 
4188 	if ((err = zonecfg_set_zonepath(handle, new_zonepath)) != Z_OK) {
4189 		errno = err;
4190 		zperror(gettext("could not set new zonepath"), B_TRUE);
4191 		goto done;
4192 	}
4193 
4194 	if ((err = zonecfg_save(handle)) != Z_OK) {
4195 		errno = err;
4196 		zperror(gettext("zonecfg save failed"), B_TRUE);
4197 		goto done;
4198 	}
4199 
4200 	revert = B_FALSE;
4201 
4202 done:
4203 	zonecfg_fini_handle(handle);
4204 	zonecfg_release_lock_file(target_zone, lockfd);
4205 
4206 	/*
4207 	 * Clean up the file system based on how things went.  We either
4208 	 * clean up the new zonepath if the operation failed for some reason
4209 	 * or we clean up the old zonepath if everything is ok.
4210 	 */
4211 	if (revert) {
4212 		/* The zonecfg update failed, cleanup the new zonepath. */
4213 		if (is_zfs) {
4214 			if (move_zfs(new_zonepath, zonepath) == Z_ERR) {
4215 				(void) fprintf(stderr, gettext("could not "
4216 				    "restore zonepath, the zfs mountpoint is "
4217 				    "set as:\n%s\n"), new_zonepath);
4218 				/*
4219 				 * err is already != Z_OK since we're reverting
4220 				 */
4221 			}
4222 
4223 		} else if (fast) {
4224 			if (rename(new_zonepath, zonepath) != 0) {
4225 				zperror(gettext("could not restore zonepath"),
4226 				    B_FALSE);
4227 				/*
4228 				 * err is already != Z_OK since we're reverting
4229 				 */
4230 			}
4231 		} else {
4232 			(void) printf(gettext("Cleaning up zonepath %s..."),
4233 			    new_zonepath);
4234 			(void) fflush(stdout);
4235 			err = cleanup_zonepath(new_zonepath, B_TRUE);
4236 			(void) printf("\n");
4237 
4238 			if (err != Z_OK) {
4239 				errno = err;
4240 				zperror(gettext("could not remove new "
4241 				    "zonepath"), B_TRUE);
4242 			} else {
4243 				/*
4244 				 * Because we're reverting we know the mainline
4245 				 * code failed but we just reused the err
4246 				 * variable so we reset it back to Z_ERR.
4247 				 */
4248 				err = Z_ERR;
4249 			}
4250 		}
4251 
4252 	} else {
4253 		/* The move was successful, cleanup the old zonepath. */
4254 		if (!is_zfs && !fast) {
4255 			(void) printf(
4256 			    gettext("Cleaning up zonepath %s..."), zonepath);
4257 			(void) fflush(stdout);
4258 			err = cleanup_zonepath(zonepath, B_TRUE);
4259 			(void) printf("\n");
4260 
4261 			if (err != Z_OK) {
4262 				errno = err;
4263 				zperror(gettext("could not remove zonepath"),
4264 				    B_TRUE);
4265 			}
4266 		}
4267 	}
4268 
4269 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4270 }
4271 
4272 /* ARGSUSED */
4273 static int
4274 detach_func(int argc, char *argv[])
4275 {
4276 	int lockfd = -1;
4277 	int err, arg;
4278 	char zonepath[MAXPATHLEN];
4279 	char cmdbuf[MAXPATHLEN];
4280 	char precmdbuf[MAXPATHLEN];
4281 	boolean_t execute = B_TRUE;
4282 	boolean_t brand_help = B_FALSE;
4283 	brand_handle_t bh = NULL;
4284 	int status;
4285 
4286 	if (zonecfg_in_alt_root()) {
4287 		zerror(gettext("cannot detach zone in alternate root"));
4288 		return (Z_ERR);
4289 	}
4290 
4291 	/* Check the argv string for args we handle internally */
4292 	optind = 0;
4293 	opterr = 0;
4294 	while ((arg = getopt(argc, argv, "?n")) != EOF) {
4295 		switch (arg) {
4296 		case '?':
4297 			if (optopt == '?') {
4298 				sub_usage(SHELP_DETACH, CMD_DETACH);
4299 				brand_help = B_TRUE;
4300 			}
4301 			/* Ignore unknown options - may be brand specific. */
4302 			break;
4303 		case 'n':
4304 			execute = B_FALSE;
4305 			break;
4306 		default:
4307 			/* Ignore unknown options - may be brand specific. */
4308 			break;
4309 		}
4310 	}
4311 
4312 	if (brand_help)
4313 		execute = B_FALSE;
4314 
4315 	if (execute) {
4316 		if (sanity_check(target_zone, CMD_DETACH, B_FALSE, B_TRUE,
4317 		    B_FALSE) != Z_OK)
4318 			return (Z_ERR);
4319 		if (verify_details(CMD_DETACH, argv) != Z_OK)
4320 			return (Z_ERR);
4321 	} else {
4322 		/*
4323 		 * We want a dry-run to work for a non-privileged user so we
4324 		 * only do minimal validation.
4325 		 */
4326 		if (target_zone == NULL) {
4327 			zerror(gettext("no zone specified"));
4328 			return (Z_ERR);
4329 		}
4330 
4331 		if (strcmp(target_zone, GLOBAL_ZONENAME) == 0) {
4332 			zerror(gettext("%s operation is invalid for the "
4333 			    "global zone."), cmd_to_str(CMD_DETACH));
4334 			return (Z_ERR);
4335 		}
4336 	}
4337 
4338 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
4339 	    != Z_OK) {
4340 		errno = err;
4341 		zperror2(target_zone, gettext("could not get zone path"));
4342 		return (Z_ERR);
4343 	}
4344 
4345 	/* Fetch the detach and predetach hooks from the brand configuration. */
4346 	if ((bh = brand_open(target_brand)) == NULL) {
4347 		zerror(gettext("missing or invalid brand"));
4348 		return (Z_ERR);
4349 	}
4350 
4351 	if (get_hook(bh, cmdbuf, sizeof (cmdbuf), brand_get_detach, target_zone,
4352 	    zonepath) != Z_OK) {
4353 		zerror("invalid brand configuration: missing detach resource");
4354 		brand_close(bh);
4355 		return (Z_ERR);
4356 	}
4357 
4358 	if (get_hook(bh, precmdbuf, sizeof (precmdbuf), brand_get_predetach,
4359 	    target_zone, zonepath) != Z_OK) {
4360 		zerror("invalid brand configuration: missing predetach "
4361 		    "resource");
4362 		brand_close(bh);
4363 		return (Z_ERR);
4364 	}
4365 	brand_close(bh);
4366 
4367 	/* Append all options to predetach hook. */
4368 	if (addoptions(precmdbuf, argv, sizeof (precmdbuf)) != Z_OK)
4369 		return (Z_ERR);
4370 
4371 	/* Append all options to detach hook. */
4372 	if (addoptions(cmdbuf, argv, sizeof (cmdbuf)) != Z_OK)
4373 		return (Z_ERR);
4374 
4375 	if (execute && zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
4376 		zerror(gettext("another %s may have an operation in progress."),
4377 		    "zoneadm");
4378 		return (Z_ERR);
4379 	}
4380 
4381 	/* If we have a brand predetach hook, run it. */
4382 	if (!brand_help && precmdbuf[0] != '\0') {
4383 		status = do_subproc(precmdbuf);
4384 		if (subproc_status(gettext("brand-specific predetach"),
4385 		    status, B_FALSE) != ZONE_SUBPROC_OK) {
4386 
4387 			if (execute) {
4388 				assert(lockfd >= 0);
4389 				zonecfg_release_lock_file(target_zone, lockfd);
4390 				lockfd = -1;
4391 			}
4392 
4393 			assert(lockfd == -1);
4394 			return (Z_ERR);
4395 		}
4396 	}
4397 
4398 	if (cmdbuf[0] != '\0') {
4399 		/* Run the detach hook */
4400 		status = do_subproc_interactive(cmdbuf);
4401 		if ((status = subproc_status(gettext("brand-specific detach"),
4402 		    status, B_FALSE)) != ZONE_SUBPROC_OK) {
4403 			if (status == ZONE_SUBPROC_USAGE && !brand_help)
4404 				sub_usage(SHELP_DETACH, CMD_DETACH);
4405 
4406 			if (execute) {
4407 				assert(lockfd >= 0);
4408 				zonecfg_release_lock_file(target_zone, lockfd);
4409 				lockfd = -1;
4410 			}
4411 
4412 			assert(lockfd == -1);
4413 			return (Z_ERR);
4414 		}
4415 
4416 	} else {
4417 		zone_dochandle_t handle;
4418 
4419 		/* If just help, we're done since there is no brand help. */
4420 		if (brand_help) {
4421 			assert(lockfd == -1);
4422 			return (Z_OK);
4423 		}
4424 
4425 		/*
4426 		 * Run the built-in detach support.  Just generate a simple
4427 		 * zone definition XML file and detach.
4428 		 */
4429 
4430 		/* Don't detach the zone if anything is still mounted there */
4431 		if (execute && zonecfg_find_mounts(zonepath, NULL, NULL)) {
4432 			(void) fprintf(stderr, gettext("These file systems are "
4433 			    "mounted on subdirectories of %s.\n"), zonepath);
4434 			(void) zonecfg_find_mounts(zonepath, zfm_print, NULL);
4435 			err = ZONE_SUBPROC_NOTCOMPLETE;
4436 			goto done;
4437 		}
4438 
4439 		if ((handle = zonecfg_init_handle()) == NULL) {
4440 			zperror(cmd_to_str(CMD_DETACH), B_TRUE);
4441 			err = ZONE_SUBPROC_NOTCOMPLETE;
4442 			goto done;
4443 		}
4444 
4445 		if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
4446 			errno = err;
4447 			zperror(cmd_to_str(CMD_DETACH), B_TRUE);
4448 
4449 		} else if ((err = zonecfg_detach_save(handle,
4450 		    (execute ? 0 : ZONE_DRY_RUN))) != Z_OK) {
4451 			errno = err;
4452 			zperror(gettext("saving the detach manifest failed"),
4453 			    B_TRUE);
4454 		}
4455 
4456 		zonecfg_fini_handle(handle);
4457 		if (err != Z_OK)
4458 			goto done;
4459 	}
4460 
4461 	/*
4462 	 * Set the zone state back to configured unless we are running with the
4463 	 * no-execute option.
4464 	 */
4465 	if (execute && (err = zone_set_state(target_zone,
4466 	    ZONE_STATE_CONFIGURED)) != Z_OK) {
4467 		errno = err;
4468 		zperror(gettext("could not reset state"), B_TRUE);
4469 	}
4470 
4471 done:
4472 	if (execute) {
4473 		assert(lockfd >= 0);
4474 		zonecfg_release_lock_file(target_zone, lockfd);
4475 		lockfd = -1;
4476 	}
4477 
4478 	assert(lockfd == -1);
4479 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4480 }
4481 
4482 /*
4483  * Determine the brand when doing a dry-run attach.  The zone does not have to
4484  * exist, so we have to read the incoming manifest to determine the zone's
4485  * brand.
4486  *
4487  * Because the manifest has to be processed twice; once to determine the brand
4488  * and once to do the brand-specific attach logic, we always read it into a tmp
4489  * file.  This handles the manifest coming from stdin or a regular file.  The
4490  * tmpname parameter returns the name of the temporary file that the manifest
4491  * was read into.
4492  */
4493 static int
4494 dryrun_get_brand(char *manifest_path, char *tmpname, int size)
4495 {
4496 	int fd;
4497 	int err;
4498 	int res = Z_OK;
4499 	zone_dochandle_t local_handle;
4500 	zone_dochandle_t rem_handle = NULL;
4501 	int len;
4502 	int ofd;
4503 	char buf[512];
4504 
4505 	if (strcmp(manifest_path, "-") == 0) {
4506 		fd = STDIN_FILENO;
4507 	} else {
4508 		if ((fd = open(manifest_path, O_RDONLY)) < 0) {
4509 			if (getcwd(buf, sizeof (buf)) == NULL)
4510 				(void) strlcpy(buf, "/", sizeof (buf));
4511 			zerror(gettext("could not open manifest path %s%s: %s"),
4512 			    (*manifest_path == '/' ? "" : buf), manifest_path,
4513 			    strerror(errno));
4514 			return (Z_ERR);
4515 		}
4516 	}
4517 
4518 	(void) snprintf(tmpname, size, "/var/run/zone.%d", getpid());
4519 
4520 	if ((ofd = open(tmpname, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
4521 		zperror(gettext("could not save manifest"), B_FALSE);
4522 		(void) close(fd);
4523 		return (Z_ERR);
4524 	}
4525 
4526 	while ((len = read(fd, buf, sizeof (buf))) > 0) {
4527 		if (write(ofd, buf, len) == -1) {
4528 			zperror(gettext("could not save manifest"), B_FALSE);
4529 			(void) close(ofd);
4530 			(void) close(fd);
4531 			return (Z_ERR);
4532 		}
4533 	}
4534 
4535 	if (close(ofd) != 0) {
4536 		zperror(gettext("could not save manifest"), B_FALSE);
4537 		(void) close(fd);
4538 		return (Z_ERR);
4539 	}
4540 
4541 	(void) close(fd);
4542 
4543 	if ((fd = open(tmpname, O_RDONLY)) < 0) {
4544 		zperror(gettext("could not open manifest path"), B_FALSE);
4545 		return (Z_ERR);
4546 	}
4547 
4548 	if ((local_handle = zonecfg_init_handle()) == NULL) {
4549 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4550 		res = Z_ERR;
4551 		goto done;
4552 	}
4553 
4554 	if ((rem_handle = zonecfg_init_handle()) == NULL) {
4555 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4556 		res = Z_ERR;
4557 		goto done;
4558 	}
4559 
4560 	if ((err = zonecfg_attach_manifest(fd, local_handle, rem_handle))
4561 	    != Z_OK) {
4562 		res = Z_ERR;
4563 
4564 		if (err == Z_INVALID_DOCUMENT) {
4565 			struct stat st;
4566 			char buf[6];
4567 
4568 			if (strcmp(manifest_path, "-") == 0) {
4569 				zerror(gettext("Input is not a valid XML "
4570 				    "file"));
4571 				goto done;
4572 			}
4573 
4574 			if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
4575 				zerror(gettext("%s is not an XML file"),
4576 				    manifest_path);
4577 				goto done;
4578 			}
4579 
4580 			bzero(buf, sizeof (buf));
4581 			(void) lseek(fd, 0L, SEEK_SET);
4582 			if (read(fd, buf, sizeof (buf) - 1) < 0 ||
4583 			    strncmp(buf, "<?xml", 5) != 0)
4584 				zerror(gettext("%s is not an XML file"),
4585 				    manifest_path);
4586 			else
4587 				zerror(gettext("Cannot attach to an earlier "
4588 				    "release of the operating system"));
4589 		} else {
4590 			zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4591 		}
4592 		goto done;
4593 	}
4594 
4595 	/* Retrieve remote handle brand type. */
4596 	if (zonecfg_get_brand(rem_handle, target_brand, sizeof (target_brand))
4597 	    != Z_OK) {
4598 		zerror(gettext("missing or invalid brand"));
4599 		exit(Z_ERR);
4600 	}
4601 
4602 done:
4603 	zonecfg_fini_handle(local_handle);
4604 	zonecfg_fini_handle(rem_handle);
4605 	(void) close(fd);
4606 
4607 	return ((res == Z_OK) ? Z_OK : Z_ERR);
4608 }
4609 
4610 /* ARGSUSED */
4611 static int
4612 attach_func(int argc, char *argv[])
4613 {
4614 	int lockfd = -1;
4615 	int err, arg;
4616 	boolean_t force = B_FALSE;
4617 	zone_dochandle_t handle;
4618 	char zonepath[MAXPATHLEN];
4619 	char cmdbuf[MAXPATHLEN];
4620 	char postcmdbuf[MAXPATHLEN];
4621 	boolean_t execute = B_TRUE;
4622 	boolean_t brand_help = B_FALSE;
4623 	char *manifest_path;
4624 	char tmpmanifest[80];
4625 	int manifest_pos;
4626 	brand_handle_t bh = NULL;
4627 	int status;
4628 
4629 	if (zonecfg_in_alt_root()) {
4630 		zerror(gettext("cannot attach zone in alternate root"));
4631 		return (Z_ERR);
4632 	}
4633 
4634 	/* Check the argv string for args we handle internally */
4635 	optind = 0;
4636 	opterr = 0;
4637 	while ((arg = getopt(argc, argv, "?Fn:")) != EOF) {
4638 		switch (arg) {
4639 		case '?':
4640 			if (optopt == '?') {
4641 				sub_usage(SHELP_ATTACH, CMD_ATTACH);
4642 				brand_help = B_TRUE;
4643 			}
4644 			/* Ignore unknown options - may be brand specific. */
4645 			break;
4646 		case 'F':
4647 			force = B_TRUE;
4648 			break;
4649 		case 'n':
4650 			execute = B_FALSE;
4651 			manifest_path = optarg;
4652 			manifest_pos = optind - 1;
4653 			break;
4654 		default:
4655 			/* Ignore unknown options - may be brand specific. */
4656 			break;
4657 		}
4658 	}
4659 
4660 	if (brand_help) {
4661 		force = B_FALSE;
4662 		execute = B_TRUE;
4663 	}
4664 
4665 	/* dry-run and force flags are mutually exclusive */
4666 	if (!execute && force) {
4667 		zerror(gettext("-F and -n flags are mutually exclusive"));
4668 		return (Z_ERR);
4669 	}
4670 
4671 	/*
4672 	 * If the no-execute option was specified, we don't do validation and
4673 	 * need to figure out the brand, since there is no zone required to be
4674 	 * configured for this option.
4675 	 */
4676 	if (execute) {
4677 		if (!brand_help) {
4678 			if (sanity_check(target_zone, CMD_ATTACH, B_FALSE,
4679 			    B_TRUE, B_FALSE) != Z_OK)
4680 				return (Z_ERR);
4681 			if (verify_details(CMD_ATTACH, argv) != Z_OK)
4682 				return (Z_ERR);
4683 		}
4684 
4685 		if ((err = zone_get_zonepath(target_zone, zonepath,
4686 		    sizeof (zonepath))) != Z_OK) {
4687 			errno = err;
4688 			zperror2(target_zone,
4689 			    gettext("could not get zone path"));
4690 			return (Z_ERR);
4691 		}
4692 	} else {
4693 		if (dryrun_get_brand(manifest_path, tmpmanifest,
4694 		    sizeof (tmpmanifest)) != Z_OK)
4695 			return (Z_ERR);
4696 
4697 		argv[manifest_pos] = tmpmanifest;
4698 		target_zone = "-";
4699 		(void) strlcpy(zonepath, "-", sizeof (zonepath));
4700 
4701 		/* Run the brand's verify_adm hook. */
4702 		if (verify_brand(NULL, CMD_ATTACH, argv) != Z_OK)
4703 			return (Z_ERR);
4704 	}
4705 
4706 	/*
4707 	 * Fetch the attach and postattach hooks from the brand configuration.
4708 	 */
4709 	if ((bh = brand_open(target_brand)) == NULL) {
4710 		zerror(gettext("missing or invalid brand"));
4711 		return (Z_ERR);
4712 	}
4713 
4714 	if (get_hook(bh, cmdbuf, sizeof (cmdbuf), brand_get_attach, target_zone,
4715 	    zonepath) != Z_OK) {
4716 		zerror("invalid brand configuration: missing attach resource");
4717 		brand_close(bh);
4718 		return (Z_ERR);
4719 	}
4720 
4721 	if (get_hook(bh, postcmdbuf, sizeof (postcmdbuf), brand_get_postattach,
4722 	    target_zone, zonepath) != Z_OK) {
4723 		zerror("invalid brand configuration: missing postattach "
4724 		    "resource");
4725 		brand_close(bh);
4726 		return (Z_ERR);
4727 	}
4728 	brand_close(bh);
4729 
4730 	/* Append all options to attach hook. */
4731 	if (addoptions(cmdbuf, argv, sizeof (cmdbuf)) != Z_OK)
4732 		return (Z_ERR);
4733 
4734 	/* Append all options to postattach hook. */
4735 	if (addoptions(postcmdbuf, argv, sizeof (postcmdbuf)) != Z_OK)
4736 		return (Z_ERR);
4737 
4738 	if (execute && !brand_help) {
4739 		if (zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
4740 			zerror(gettext("another %s may have an operation in "
4741 			    "progress."), "zoneadm");
4742 			return (Z_ERR);
4743 		}
4744 	}
4745 
4746 	if (!force) {
4747 		/*
4748 		 * Not a force-attach, so we need to actually do the work.
4749 		 */
4750 		if (cmdbuf[0] != '\0') {
4751 			/* Run the attach hook */
4752 			status = do_subproc_interactive(cmdbuf);
4753 			if ((status = subproc_status(gettext("brand-specific "
4754 			    "attach"), status, B_FALSE)) != ZONE_SUBPROC_OK) {
4755 				if (status == ZONE_SUBPROC_USAGE && !brand_help)
4756 					sub_usage(SHELP_ATTACH, CMD_ATTACH);
4757 
4758 				if (execute && !brand_help) {
4759 					assert(lockfd >= 0);
4760 					zonecfg_release_lock_file(target_zone,
4761 					    lockfd);
4762 					lockfd = -1;
4763 				}
4764 
4765 				assert(lockfd == -1);
4766 				return (Z_ERR);
4767 			}
4768 		}
4769 
4770 		/*
4771 		 * Else run the built-in attach support.
4772 		 * This is a no-op since there is nothing to validate.
4773 		 */
4774 
4775 		/* If dry-run or help, then we're done. */
4776 		if (!execute || brand_help) {
4777 			if (!execute)
4778 				(void) unlink(tmpmanifest);
4779 			assert(lockfd == -1);
4780 			return (Z_OK);
4781 		}
4782 	}
4783 
4784 	if ((handle = zonecfg_init_handle()) == NULL) {
4785 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4786 		err = Z_ERR;
4787 	} else if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
4788 		errno = err;
4789 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4790 		zonecfg_fini_handle(handle);
4791 	} else {
4792 		zonecfg_rm_detached(handle, force);
4793 		zonecfg_fini_handle(handle);
4794 	}
4795 
4796 	if (err == Z_OK &&
4797 	    (err = zone_set_state(target_zone, ZONE_STATE_INSTALLED)) != Z_OK) {
4798 		errno = err;
4799 		zperror(gettext("could not reset state"), B_TRUE);
4800 	}
4801 
4802 	assert(lockfd >= 0);
4803 	zonecfg_release_lock_file(target_zone, lockfd);
4804 	lockfd = -1;
4805 
4806 	/* If we have a brand postattach hook, run it. */
4807 	if (err == Z_OK && !force && postcmdbuf[0] != '\0') {
4808 		status = do_subproc(postcmdbuf);
4809 		if (subproc_status(gettext("brand-specific postattach"),
4810 		    status, B_FALSE) != ZONE_SUBPROC_OK) {
4811 			if ((err = zone_set_state(target_zone,
4812 			    ZONE_STATE_CONFIGURED)) != Z_OK) {
4813 				errno = err;
4814 				zperror(gettext("could not reset state"),
4815 				    B_TRUE);
4816 			}
4817 		}
4818 	}
4819 
4820 	assert(lockfd == -1);
4821 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4822 }
4823 
4824 /*
4825  * On input, TRUE => yes, FALSE => no.
4826  * On return, TRUE => 1, FALSE => 0, could not ask => -1.
4827  */
4828 
4829 static int
4830 ask_yesno(boolean_t default_answer, const char *question)
4831 {
4832 	char line[64];	/* should be large enough to answer yes or no */
4833 
4834 	if (!isatty(STDIN_FILENO))
4835 		return (-1);
4836 	for (;;) {
4837 		(void) printf("%s (%s)? ", question,
4838 		    default_answer ? "[y]/n" : "y/[n]");
4839 		if (fgets(line, sizeof (line), stdin) == NULL ||
4840 		    line[0] == '\n')
4841 			return (default_answer ? 1 : 0);
4842 		if (tolower(line[0]) == 'y')
4843 			return (1);
4844 		if (tolower(line[0]) == 'n')
4845 			return (0);
4846 	}
4847 }
4848 
4849 /* ARGSUSED */
4850 static int
4851 uninstall_func(int argc, char *argv[])
4852 {
4853 	char line[ZONENAME_MAX + 128];	/* Enough for "Are you sure ..." */
4854 	char rootpath[MAXPATHLEN], zonepath[MAXPATHLEN];
4855 	char cmdbuf[MAXPATHLEN];
4856 	char precmdbuf[MAXPATHLEN];
4857 	boolean_t force = B_FALSE;
4858 	int lockfd, answer;
4859 	int err, arg;
4860 	boolean_t brand_help = B_FALSE;
4861 	brand_handle_t bh = NULL;
4862 	int status;
4863 
4864 	if (zonecfg_in_alt_root()) {
4865 		zerror(gettext("cannot uninstall zone in alternate root"));
4866 		return (Z_ERR);
4867 	}
4868 
4869 	/* Check the argv string for args we handle internally */
4870 	optind = 0;
4871 	opterr = 0;
4872 	while ((arg = getopt(argc, argv, "?F")) != EOF) {
4873 		switch (arg) {
4874 		case '?':
4875 			if (optopt == '?') {
4876 				sub_usage(SHELP_UNINSTALL, CMD_UNINSTALL);
4877 				brand_help = B_TRUE;
4878 			}
4879 			/* Ignore unknown options - may be brand specific. */
4880 			break;
4881 		case 'F':
4882 			force = B_TRUE;
4883 			break;
4884 		default:
4885 			/* Ignore unknown options - may be brand specific. */
4886 			break;
4887 		}
4888 	}
4889 
4890 	if (!brand_help) {
4891 		if (sanity_check(target_zone, CMD_UNINSTALL, B_FALSE, B_TRUE,
4892 		    B_FALSE) != Z_OK)
4893 			return (Z_ERR);
4894 
4895 		/*
4896 		 * Invoke brand-specific handler.
4897 		 */
4898 		if (invoke_brand_handler(CMD_UNINSTALL, argv) != Z_OK)
4899 			return (Z_ERR);
4900 
4901 		if (!force) {
4902 			(void) snprintf(line, sizeof (line),
4903 			    gettext("Are you sure you want to %s zone %s"),
4904 			    cmd_to_str(CMD_UNINSTALL), target_zone);
4905 			if ((answer = ask_yesno(B_FALSE, line)) == 0) {
4906 				return (Z_OK);
4907 			} else if (answer == -1) {
4908 				zerror(gettext("Input not from terminal and -F "
4909 				    "not specified: %s not done."),
4910 				    cmd_to_str(CMD_UNINSTALL));
4911 				return (Z_ERR);
4912 			}
4913 		}
4914 	}
4915 
4916 	if ((err = zone_get_zonepath(target_zone, zonepath,
4917 	    sizeof (zonepath))) != Z_OK) {
4918 		errno = err;
4919 		zperror2(target_zone, gettext("could not get zone path"));
4920 		return (Z_ERR);
4921 	}
4922 
4923 	/*
4924 	 * Fetch the uninstall and preuninstall hooks from the brand
4925 	 * configuration.
4926 	 */
4927 	if ((bh = brand_open(target_brand)) == NULL) {
4928 		zerror(gettext("missing or invalid brand"));
4929 		return (Z_ERR);
4930 	}
4931 
4932 	if (get_hook(bh, cmdbuf, sizeof (cmdbuf), brand_get_uninstall,
4933 	    target_zone, zonepath) != Z_OK) {
4934 		zerror("invalid brand configuration: missing uninstall "
4935 		    "resource");
4936 		brand_close(bh);
4937 		return (Z_ERR);
4938 	}
4939 
4940 	if (get_hook(bh, precmdbuf, sizeof (precmdbuf), brand_get_preuninstall,
4941 	    target_zone, zonepath) != Z_OK) {
4942 		zerror("invalid brand configuration: missing preuninstall "
4943 		    "resource");
4944 		brand_close(bh);
4945 		return (Z_ERR);
4946 	}
4947 	brand_close(bh);
4948 
4949 	/* Append all options to preuninstall hook. */
4950 	if (addoptions(precmdbuf, argv, sizeof (precmdbuf)) != Z_OK)
4951 		return (Z_ERR);
4952 
4953 	/* Append all options to uninstall hook. */
4954 	if (addoptions(cmdbuf, argv, sizeof (cmdbuf)) != Z_OK)
4955 		return (Z_ERR);
4956 
4957 	if (!brand_help) {
4958 		if ((err = zone_get_rootpath(target_zone, rootpath,
4959 		    sizeof (rootpath))) != Z_OK) {
4960 			errno = err;
4961 			zperror2(target_zone, gettext("could not get root "
4962 			    "path"));
4963 			return (Z_ERR);
4964 		}
4965 
4966 		/*
4967 		 * If there seems to be a zoneadmd running for this zone, call
4968 		 * it to tell it that an uninstall is happening; if all goes
4969 		 * well it will then shut itself down.
4970 		 */
4971 		if (zonecfg_ping_zoneadmd(target_zone) == Z_OK) {
4972 			zone_cmd_arg_t zarg;
4973 			zarg.cmd = Z_NOTE_UNINSTALLING;
4974 			/* we don't care too much if this fails, just plow on */
4975 			(void) zonecfg_call_zoneadmd(target_zone, &zarg, locale,
4976 			    B_TRUE);
4977 		}
4978 
4979 		if (zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
4980 			zerror(gettext("another %s may have an operation in "
4981 			    "progress."), "zoneadm");
4982 			return (Z_ERR);
4983 		}
4984 
4985 		/* Don't uninstall the zone if anything is mounted there */
4986 		err = zonecfg_find_mounts(rootpath, NULL, NULL);
4987 		if (err) {
4988 			zerror(gettext("These file systems are mounted on "
4989 			    "subdirectories of %s.\n"), rootpath);
4990 			(void) zonecfg_find_mounts(rootpath, zfm_print, NULL);
4991 			zonecfg_release_lock_file(target_zone, lockfd);
4992 			return (Z_ERR);
4993 		}
4994 	}
4995 
4996 	/* If we have a brand preuninstall hook, run it. */
4997 	if (!brand_help && precmdbuf[0] != '\0') {
4998 		status = do_subproc(cmdbuf);
4999 		if (subproc_status(gettext("brand-specific preuninstall"),
5000 		    status, B_FALSE) != ZONE_SUBPROC_OK) {
5001 			zonecfg_release_lock_file(target_zone, lockfd);
5002 			return (Z_ERR);
5003 		}
5004 	}
5005 
5006 	if (!brand_help) {
5007 		err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE);
5008 		if (err != Z_OK) {
5009 			errno = err;
5010 			zperror2(target_zone, gettext("could not set state"));
5011 			goto bad;
5012 		}
5013 	}
5014 
5015 	/*
5016 	 * If there is a brand uninstall hook, use it, otherwise use the
5017 	 * built-in uninstall code.
5018 	 */
5019 	if (cmdbuf[0] != '\0') {
5020 		/* Run the uninstall hook */
5021 		status = do_subproc_interactive(cmdbuf);
5022 		if ((status = subproc_status(gettext("brand-specific "
5023 		    "uninstall"), status, B_FALSE)) != ZONE_SUBPROC_OK) {
5024 			if (status == ZONE_SUBPROC_USAGE && !brand_help)
5025 				sub_usage(SHELP_UNINSTALL, CMD_UNINSTALL);
5026 			if (!brand_help)
5027 				zonecfg_release_lock_file(target_zone, lockfd);
5028 			return (Z_ERR);
5029 		}
5030 
5031 		if (brand_help)
5032 			return (Z_OK);
5033 	} else {
5034 		/* If just help, we're done since there is no brand help. */
5035 		if (brand_help)
5036 			return (Z_OK);
5037 
5038 		/* Run the built-in uninstall support. */
5039 		if ((err = cleanup_zonepath(zonepath, B_FALSE)) != Z_OK) {
5040 			errno = err;
5041 			zperror2(target_zone, gettext("cleaning up zonepath "
5042 			    "failed"));
5043 			goto bad;
5044 		}
5045 	}
5046 
5047 	err = zone_set_state(target_zone, ZONE_STATE_CONFIGURED);
5048 	if (err != Z_OK) {
5049 		errno = err;
5050 		zperror2(target_zone, gettext("could not reset state"));
5051 	}
5052 bad:
5053 	zonecfg_release_lock_file(target_zone, lockfd);
5054 	return (err);
5055 }
5056 
5057 /* ARGSUSED */
5058 static int
5059 mount_func(int argc, char *argv[])
5060 {
5061 	zone_cmd_arg_t zarg;
5062 	boolean_t force = B_FALSE;
5063 	int arg;
5064 
5065 	/*
5066 	 * The only supported subargument to the "mount" subcommand is
5067 	 * "-f", which forces us to mount a zone in the INCOMPLETE state.
5068 	 */
5069 	optind = 0;
5070 	if ((arg = getopt(argc, argv, "f")) != EOF) {
5071 		switch (arg) {
5072 		case 'f':
5073 			force = B_TRUE;
5074 			break;
5075 		default:
5076 			return (Z_USAGE);
5077 		}
5078 	}
5079 	if (argc > optind)
5080 		return (Z_USAGE);
5081 
5082 	if (sanity_check(target_zone, CMD_MOUNT, B_FALSE, B_FALSE, force)
5083 	    != Z_OK)
5084 		return (Z_ERR);
5085 	if (verify_details(CMD_MOUNT, argv) != Z_OK)
5086 		return (Z_ERR);
5087 
5088 	zarg.cmd = force ? Z_FORCEMOUNT : Z_MOUNT;
5089 	zarg.bootbuf[0] = '\0';
5090 	if (zonecfg_call_zoneadmd(target_zone, &zarg, locale, B_TRUE) != 0) {
5091 		zerror(gettext("call to %s failed"), "zoneadmd");
5092 		return (Z_ERR);
5093 	}
5094 	return (Z_OK);
5095 }
5096 
5097 /* ARGSUSED */
5098 static int
5099 unmount_func(int argc, char *argv[])
5100 {
5101 	zone_cmd_arg_t zarg;
5102 
5103 	if (argc > 0)
5104 		return (Z_USAGE);
5105 	if (sanity_check(target_zone, CMD_UNMOUNT, B_FALSE, B_FALSE, B_FALSE)
5106 	    != Z_OK)
5107 		return (Z_ERR);
5108 
5109 	zarg.cmd = Z_UNMOUNT;
5110 	if (zonecfg_call_zoneadmd(target_zone, &zarg, locale, B_TRUE) != 0) {
5111 		zerror(gettext("call to %s failed"), "zoneadmd");
5112 		return (Z_ERR);
5113 	}
5114 	return (Z_OK);
5115 }
5116 
5117 static int
5118 mark_func(int argc, char *argv[])
5119 {
5120 	int err, lockfd;
5121 
5122 	if (argc != 1 || strcmp(argv[0], "incomplete") != 0)
5123 		return (Z_USAGE);
5124 	if (sanity_check(target_zone, CMD_MARK, B_FALSE, B_FALSE, B_FALSE)
5125 	    != Z_OK)
5126 		return (Z_ERR);
5127 
5128 	/*
5129 	 * Invoke brand-specific handler.
5130 	 */
5131 	if (invoke_brand_handler(CMD_MARK, argv) != Z_OK)
5132 		return (Z_ERR);
5133 
5134 	if (zonecfg_grab_lock_file(target_zone, &lockfd) != Z_OK) {
5135 		zerror(gettext("another %s may have an operation in progress."),
5136 		    "zoneadm");
5137 		return (Z_ERR);
5138 	}
5139 
5140 	err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE);
5141 	if (err != Z_OK) {
5142 		errno = err;
5143 		zperror2(target_zone, gettext("could not set state"));
5144 	}
5145 	zonecfg_release_lock_file(target_zone, lockfd);
5146 
5147 	return (err);
5148 }
5149 
5150 /*
5151  * Check what scheduling class we're running under and print a warning if
5152  * we're not using FSS.
5153  */
5154 static int
5155 check_sched_fss(zone_dochandle_t handle)
5156 {
5157 	char class_name[PC_CLNMSZ];
5158 
5159 	if (zonecfg_get_dflt_sched_class(handle, class_name,
5160 	    sizeof (class_name)) != Z_OK) {
5161 		zerror(gettext("WARNING: unable to determine the zone's "
5162 		    "scheduling class"));
5163 	} else if (strcmp("FSS", class_name) != 0) {
5164 		zerror(gettext("WARNING: The zone.cpu-shares rctl is set but\n"
5165 		    "FSS is not the default scheduling class for this zone.  "
5166 		    "FSS will be\nused for processes in the zone but to get "
5167 		    "the full benefit of FSS,\nit should be the default "
5168 		    "scheduling class.  See dispadmin(1M) for\nmore details."));
5169 		return (Z_SYSTEM);
5170 	}
5171 
5172 	return (Z_OK);
5173 }
5174 
5175 static int
5176 check_cpu_shares_sched(zone_dochandle_t handle)
5177 {
5178 	int err;
5179 	int res = Z_OK;
5180 	struct zone_rctltab rctl;
5181 
5182 	if ((err = zonecfg_setrctlent(handle)) != Z_OK) {
5183 		errno = err;
5184 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5185 		return (err);
5186 	}
5187 
5188 	while (zonecfg_getrctlent(handle, &rctl) == Z_OK) {
5189 		if (strcmp(rctl.zone_rctl_name, "zone.cpu-shares") == 0) {
5190 			if (check_sched_fss(handle) != Z_OK)
5191 				res = Z_SYSTEM;
5192 			break;
5193 		}
5194 	}
5195 
5196 	(void) zonecfg_endrctlent(handle);
5197 
5198 	return (res);
5199 }
5200 
5201 /*
5202  * Check if there is a mix of processes running in different pools within the
5203  * zone.  This is currently only going to be called for the global zone from
5204  * apply_func but that could be generalized in the future.
5205  */
5206 static boolean_t
5207 mixed_pools(zoneid_t zoneid)
5208 {
5209 	DIR *dirp;
5210 	dirent_t *dent;
5211 	boolean_t mixed = B_FALSE;
5212 	boolean_t poolid_set = B_FALSE;
5213 	poolid_t last_poolid = 0;
5214 
5215 	if ((dirp = opendir("/proc")) == NULL) {
5216 		zerror(gettext("could not open /proc"));
5217 		return (B_FALSE);
5218 	}
5219 
5220 	while ((dent = readdir(dirp)) != NULL) {
5221 		int procfd;
5222 		psinfo_t ps;
5223 		char procpath[MAXPATHLEN];
5224 
5225 		if (dent->d_name[0] == '.')
5226 			continue;
5227 
5228 		(void) snprintf(procpath, sizeof (procpath), "/proc/%s/psinfo",
5229 		    dent->d_name);
5230 
5231 		if ((procfd = open(procpath, O_RDONLY)) == -1)
5232 			continue;
5233 
5234 		if (read(procfd, &ps, sizeof (ps)) == sizeof (psinfo_t)) {
5235 			/* skip processes in other zones and system processes */
5236 			if (zoneid != ps.pr_zoneid || ps.pr_flag & SSYS) {
5237 				(void) close(procfd);
5238 				continue;
5239 			}
5240 
5241 			if (poolid_set) {
5242 				if (ps.pr_poolid != last_poolid)
5243 					mixed = B_TRUE;
5244 			} else {
5245 				last_poolid = ps.pr_poolid;
5246 				poolid_set = B_TRUE;
5247 			}
5248 		}
5249 
5250 		(void) close(procfd);
5251 
5252 		if (mixed)
5253 			break;
5254 	}
5255 
5256 	(void) closedir(dirp);
5257 
5258 	return (mixed);
5259 }
5260 
5261 /*
5262  * Check if a persistent or temporary pool is configured for the zone.
5263  * This is currently only going to be called for the global zone from
5264  * apply_func but that could be generalized in the future.
5265  */
5266 static boolean_t
5267 pool_configured(zone_dochandle_t handle)
5268 {
5269 	int err1, err2;
5270 	struct zone_psettab pset_tab;
5271 	char poolname[MAXPATHLEN];
5272 
5273 	err1 = zonecfg_lookup_pset(handle, &pset_tab);
5274 	err2 = zonecfg_get_pool(handle, poolname, sizeof (poolname));
5275 
5276 	if (err1 == Z_NO_ENTRY &&
5277 	    (err2 == Z_NO_ENTRY || (err2 == Z_OK && strlen(poolname) == 0)))
5278 		return (B_FALSE);
5279 
5280 	return (B_TRUE);
5281 }
5282 
5283 /*
5284  * This is an undocumented interface which is currently only used to apply
5285  * the global zone resource management settings when the system boots.
5286  * This function does not yet properly handle updating a running system so
5287  * any projects running in the zone would be trashed if this function
5288  * were to run after the zone had booted.  It also does not reset any
5289  * rctl settings that were removed from zonecfg.  There is still work to be
5290  * done before we can properly support dynamically updating the resource
5291  * management settings for a running zone (global or non-global).  Thus, this
5292  * functionality is undocumented for now.
5293  */
5294 /* ARGSUSED */
5295 static int
5296 apply_func(int argc, char *argv[])
5297 {
5298 	int err;
5299 	int res = Z_OK;
5300 	priv_set_t *privset;
5301 	zoneid_t zoneid;
5302 	zone_dochandle_t handle;
5303 	struct zone_mcaptab mcap;
5304 	char pool_err[128];
5305 
5306 	zoneid = getzoneid();
5307 
5308 	if (zonecfg_in_alt_root() || zoneid != GLOBAL_ZONEID ||
5309 	    target_zone == NULL || strcmp(target_zone, GLOBAL_ZONENAME) != 0)
5310 		return (usage(B_FALSE));
5311 
5312 	if ((privset = priv_allocset()) == NULL) {
5313 		zerror(gettext("%s failed"), "priv_allocset");
5314 		return (Z_ERR);
5315 	}
5316 
5317 	if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
5318 		zerror(gettext("%s failed"), "getppriv");
5319 		priv_freeset(privset);
5320 		return (Z_ERR);
5321 	}
5322 
5323 	if (priv_isfullset(privset) == B_FALSE) {
5324 		(void) usage(B_FALSE);
5325 		priv_freeset(privset);
5326 		return (Z_ERR);
5327 	}
5328 	priv_freeset(privset);
5329 
5330 	if ((handle = zonecfg_init_handle()) == NULL) {
5331 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5332 		return (Z_ERR);
5333 	}
5334 
5335 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
5336 		errno = err;
5337 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5338 		zonecfg_fini_handle(handle);
5339 		return (Z_ERR);
5340 	}
5341 
5342 	/* specific error msgs are printed within apply_rctls */
5343 	if ((err = zonecfg_apply_rctls(target_zone, handle)) != Z_OK) {
5344 		errno = err;
5345 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5346 		res = Z_ERR;
5347 	}
5348 
5349 	if ((err = check_cpu_shares_sched(handle)) != Z_OK)
5350 		res = Z_ERR;
5351 
5352 	if (pool_configured(handle)) {
5353 		if (mixed_pools(zoneid)) {
5354 			zerror(gettext("Zone is using multiple resource "
5355 			    "pools.  The pool\nconfiguration cannot be "
5356 			    "applied without rebooting."));
5357 			res = Z_ERR;
5358 		} else {
5359 
5360 			/*
5361 			 * The next two blocks of code attempt to set up
5362 			 * temporary pools as well as persistent pools.  In
5363 			 * both cases we call the functions unconditionally.
5364 			 * Within each funtion the code will check if the zone
5365 			 * is actually configured for a temporary pool or
5366 			 * persistent pool and just return if there is nothing
5367 			 * to do.
5368 			 */
5369 			if ((err = zonecfg_bind_tmp_pool(handle, zoneid,
5370 			    pool_err, sizeof (pool_err))) != Z_OK) {
5371 				if (err == Z_POOL || err == Z_POOL_CREATE ||
5372 				    err == Z_POOL_BIND)
5373 					zerror("%s: %s", zonecfg_strerror(err),
5374 					    pool_err);
5375 				else
5376 					zerror(gettext("could not bind zone to "
5377 					    "temporary pool: %s"),
5378 					    zonecfg_strerror(err));
5379 				res = Z_ERR;
5380 			}
5381 
5382 			if ((err = zonecfg_bind_pool(handle, zoneid, pool_err,
5383 			    sizeof (pool_err))) != Z_OK) {
5384 				if (err == Z_POOL || err == Z_POOL_BIND)
5385 					zerror("%s: %s", zonecfg_strerror(err),
5386 					    pool_err);
5387 				else
5388 					zerror("%s", zonecfg_strerror(err));
5389 			}
5390 		}
5391 	}
5392 
5393 	/*
5394 	 * If a memory cap is configured, set the cap in the kernel using
5395 	 * zone_setattr() and make sure the rcapd SMF service is enabled.
5396 	 */
5397 	if (zonecfg_getmcapent(handle, &mcap) == Z_OK) {
5398 		uint64_t num;
5399 		char smf_err[128];
5400 
5401 		num = (uint64_t)strtoll(mcap.zone_physmem_cap, NULL, 10);
5402 		if (zone_setattr(zoneid, ZONE_ATTR_PHYS_MCAP, &num, 0) == -1) {
5403 			zerror(gettext("could not set zone memory cap"));
5404 			res = Z_ERR;
5405 		}
5406 
5407 		if (zonecfg_enable_rcapd(smf_err, sizeof (smf_err)) != Z_OK) {
5408 			zerror(gettext("enabling system/rcap service failed: "
5409 			    "%s"), smf_err);
5410 			res = Z_ERR;
5411 		}
5412 	}
5413 
5414 	zonecfg_fini_handle(handle);
5415 
5416 	return (res);
5417 }
5418 
5419 static int
5420 help_func(int argc, char *argv[])
5421 {
5422 	int arg, cmd_num;
5423 
5424 	if (argc == 0) {
5425 		(void) usage(B_TRUE);
5426 		return (Z_OK);
5427 	}
5428 	optind = 0;
5429 	if ((arg = getopt(argc, argv, "?")) != EOF) {
5430 		switch (arg) {
5431 		case '?':
5432 			sub_usage(SHELP_HELP, CMD_HELP);
5433 			return (optopt == '?' ? Z_OK : Z_USAGE);
5434 		default:
5435 			sub_usage(SHELP_HELP, CMD_HELP);
5436 			return (Z_USAGE);
5437 		}
5438 	}
5439 	while (optind < argc) {
5440 		/* Private commands have NULL short_usage; omit them */
5441 		if ((cmd_num = cmd_match(argv[optind])) < 0 ||
5442 		    cmdtab[cmd_num].short_usage == NULL) {
5443 			sub_usage(SHELP_HELP, CMD_HELP);
5444 			return (Z_USAGE);
5445 		}
5446 		sub_usage(cmdtab[cmd_num].short_usage, cmd_num);
5447 		optind++;
5448 	}
5449 	return (Z_OK);
5450 }
5451 
5452 /*
5453  * Returns: CMD_MIN thru CMD_MAX on success, -1 on error
5454  */
5455 
5456 static int
5457 cmd_match(char *cmd)
5458 {
5459 	int i;
5460 
5461 	for (i = CMD_MIN; i <= CMD_MAX; i++) {
5462 		/* return only if there is an exact match */
5463 		if (strcmp(cmd, cmdtab[i].cmd_name) == 0)
5464 			return (cmdtab[i].cmd_num);
5465 	}
5466 	return (-1);
5467 }
5468 
5469 static int
5470 parse_and_run(int argc, char *argv[])
5471 {
5472 	int i = cmd_match(argv[0]);
5473 
5474 	if (i < 0)
5475 		return (usage(B_FALSE));
5476 	return (cmdtab[i].handler(argc - 1, &(argv[1])));
5477 }
5478 
5479 static char *
5480 get_execbasename(char *execfullname)
5481 {
5482 	char *last_slash, *execbasename;
5483 
5484 	/* guard against '/' at end of command invocation */
5485 	for (;;) {
5486 		last_slash = strrchr(execfullname, '/');
5487 		if (last_slash == NULL) {
5488 			execbasename = execfullname;
5489 			break;
5490 		} else {
5491 			execbasename = last_slash + 1;
5492 			if (*execbasename == '\0') {
5493 				*last_slash = '\0';
5494 				continue;
5495 			}
5496 			break;
5497 		}
5498 	}
5499 	return (execbasename);
5500 }
5501 
5502 int
5503 main(int argc, char **argv)
5504 {
5505 	int arg;
5506 	zoneid_t zid;
5507 	struct stat st;
5508 	char *zone_lock_env;
5509 	int err;
5510 
5511 	if ((locale = setlocale(LC_ALL, "")) == NULL)
5512 		locale = "C";
5513 	(void) textdomain(TEXT_DOMAIN);
5514 	setbuf(stdout, NULL);
5515 	(void) sigset(SIGHUP, SIG_IGN);
5516 	execname = get_execbasename(argv[0]);
5517 	target_zone = NULL;
5518 	if (chdir("/") != 0) {
5519 		zerror(gettext("could not change directory to /."));
5520 		exit(Z_ERR);
5521 	}
5522 
5523 	if (init_zfs() != Z_OK)
5524 		exit(Z_ERR);
5525 
5526 	while ((arg = getopt(argc, argv, "?u:z:R:")) != EOF) {
5527 		switch (arg) {
5528 		case '?':
5529 			return (usage(B_TRUE));
5530 		case 'u':
5531 			target_uuid = optarg;
5532 			break;
5533 		case 'z':
5534 			target_zone = optarg;
5535 			break;
5536 		case 'R':	/* private option for admin/install use */
5537 			if (*optarg != '/') {
5538 				zerror(gettext("root path must be absolute."));
5539 				exit(Z_ERR);
5540 			}
5541 			if (stat(optarg, &st) == -1 || !S_ISDIR(st.st_mode)) {
5542 				zerror(
5543 				    gettext("root path must be a directory."));
5544 				exit(Z_ERR);
5545 			}
5546 			zonecfg_set_root(optarg);
5547 			break;
5548 		default:
5549 			return (usage(B_FALSE));
5550 		}
5551 	}
5552 
5553 	if (optind >= argc)
5554 		return (usage(B_FALSE));
5555 
5556 	if (target_uuid != NULL && *target_uuid != '\0') {
5557 		uuid_t uuid;
5558 		static char newtarget[ZONENAME_MAX];
5559 
5560 		if (uuid_parse(target_uuid, uuid) == -1) {
5561 			zerror(gettext("illegal UUID value specified"));
5562 			exit(Z_ERR);
5563 		}
5564 		if (zonecfg_get_name_by_uuid(uuid, newtarget,
5565 		    sizeof (newtarget)) == Z_OK)
5566 			target_zone = newtarget;
5567 	}
5568 
5569 	if (target_zone != NULL && zone_get_id(target_zone, &zid) != 0) {
5570 		errno = Z_NO_ZONE;
5571 		zperror(target_zone, B_TRUE);
5572 		exit(Z_ERR);
5573 	}
5574 
5575 	/*
5576 	 * See if we have inherited the right to manipulate this zone from
5577 	 * a zoneadm instance in our ancestry.  If so, set zone_lock_cnt to
5578 	 * indicate it.  If not, make that explicit in our environment.
5579 	 */
5580 	zonecfg_init_lock_file(target_zone, &zone_lock_env);
5581 	if (zone_lock_env != NULL)
5582 		zoneadm_is_nested = B_TRUE;
5583 
5584 	/*
5585 	 * If we are going to be operating on a single zone, retrieve its
5586 	 * brand type and determine whether it is native or not.
5587 	 */
5588 	if ((target_zone != NULL) &&
5589 	    (strcmp(target_zone, GLOBAL_ZONENAME) != 0)) {
5590 		if (zone_get_brand(target_zone, target_brand,
5591 		    sizeof (target_brand)) != Z_OK) {
5592 			zerror(gettext("missing or invalid brand"));
5593 			exit(Z_ERR);
5594 		}
5595 		is_native_zone = (strcmp(target_brand, NATIVE_BRAND_NAME) == 0);
5596 	}
5597 
5598 	err = parse_and_run(argc - optind, &argv[optind]);
5599 
5600 	return (err);
5601 }
5602