xref: /titanic_51/usr/src/cmd/zoneadm/zoneadm.c (revision 72bdce51192b13a20009855f749004480874291b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * zoneadm is a command interpreter for zone administration.  It is all in
31  * C (i.e., no lex/yacc), and all the argument passing is argc/argv based.
32  * main() calls parse_and_run() which calls cmd_match(), then invokes the
33  * appropriate command's handler function.  The rest of the program is the
34  * handler functions and their helper functions.
35  *
36  * Some of the helper functions are used largely to simplify I18N: reducing
37  * the need for translation notes.  This is particularly true of many of
38  * the zerror() calls: doing e.g. zerror(gettext("%s failed"), "foo") rather
39  * than zerror(gettext("foo failed")) with a translation note indicating
40  * that "foo" need not be translated.
41  */
42 
43 #include <stdio.h>
44 #include <errno.h>
45 #include <unistd.h>
46 #include <signal.h>
47 #include <stdarg.h>
48 #include <ctype.h>
49 #include <stdlib.h>
50 #include <string.h>
51 #include <wait.h>
52 #include <zone.h>
53 #include <priv.h>
54 #include <locale.h>
55 #include <libintl.h>
56 #include <libzonecfg.h>
57 #include <bsm/adt.h>
58 #include <sys/brand.h>
59 #include <sys/param.h>
60 #include <sys/types.h>
61 #include <sys/stat.h>
62 #include <sys/statvfs.h>
63 #include <assert.h>
64 #include <sys/sockio.h>
65 #include <sys/mntent.h>
66 #include <limits.h>
67 #include <dirent.h>
68 #include <uuid/uuid.h>
69 
70 #include <fcntl.h>
71 #include <door.h>
72 #include <macros.h>
73 #include <libgen.h>
74 #include <fnmatch.h>
75 #include <sys/modctl.h>
76 #include <libbrand.h>
77 #include <libscf.h>
78 #include <procfs.h>
79 
80 #include <pool.h>
81 #include <sys/pool.h>
82 #include <sys/priocntl.h>
83 #include <sys/fsspriocntl.h>
84 
85 #include "zoneadm.h"
86 
87 #define	MAXARGS	8
88 
89 /* Reflects kernel zone entries */
90 typedef struct zone_entry {
91 	zoneid_t	zid;
92 	char		zname[ZONENAME_MAX];
93 	char		*zstate_str;
94 	zone_state_t	zstate_num;
95 	char		zbrand[MAXNAMELEN];
96 	char		zroot[MAXPATHLEN];
97 	char		zuuid[UUID_PRINTABLE_STRING_LENGTH];
98 	zone_iptype_t	ziptype;
99 } zone_entry_t;
100 
101 static zone_entry_t *zents;
102 static size_t nzents;
103 static boolean_t is_native_zone = B_TRUE;
104 
105 #define	LOOPBACK_IF	"lo0"
106 #define	SOCKET_AF(af)	(((af) == AF_UNSPEC) ? AF_INET : (af))
107 
108 struct net_if {
109 	char	*name;
110 	int	af;
111 };
112 
113 /* 0755 is the default directory mode. */
114 #define	DEFAULT_DIR_MODE \
115 	(S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)
116 
117 struct cmd {
118 	uint_t	cmd_num;				/* command number */
119 	char	*cmd_name;				/* command name */
120 	char	*short_usage;				/* short form help */
121 	int	(*handler)(int argc, char *argv[]);	/* function to call */
122 
123 };
124 
125 #define	SHELP_HELP	"help"
126 #define	SHELP_BOOT	"boot [-- boot_arguments]"
127 #define	SHELP_HALT	"halt"
128 #define	SHELP_READY	"ready"
129 #define	SHELP_REBOOT	"reboot [-- boot_arguments]"
130 #define	SHELP_LIST	"list [-cipv]"
131 #define	SHELP_VERIFY	"verify"
132 #define	SHELP_INSTALL	"install [-x nodataset] [brand-specific args]"
133 #define	SHELP_UNINSTALL	"uninstall [-F]"
134 #define	SHELP_CLONE	"clone [-m method] [-s <ZFS snapshot>] zonename"
135 #define	SHELP_MOVE	"move zonepath"
136 #define	SHELP_DETACH	"detach [-n]"
137 #define	SHELP_ATTACH	"attach [-F] [-n <path>]"
138 #define	SHELP_MARK	"mark incomplete"
139 
140 #define	EXEC_PREFIX	"exec "
141 #define	EXEC_LEN	(strlen(EXEC_PREFIX))
142 #define	RMCOMMAND	"/usr/bin/rm -rf"
143 
144 static int cleanup_zonepath(char *, boolean_t);
145 
146 extern int ifname_open(char *);
147 
148 static int help_func(int argc, char *argv[]);
149 static int ready_func(int argc, char *argv[]);
150 static int boot_func(int argc, char *argv[]);
151 static int halt_func(int argc, char *argv[]);
152 static int reboot_func(int argc, char *argv[]);
153 static int list_func(int argc, char *argv[]);
154 static int verify_func(int argc, char *argv[]);
155 static int install_func(int argc, char *argv[]);
156 static int uninstall_func(int argc, char *argv[]);
157 static int mount_func(int argc, char *argv[]);
158 static int unmount_func(int argc, char *argv[]);
159 static int clone_func(int argc, char *argv[]);
160 static int move_func(int argc, char *argv[]);
161 static int detach_func(int argc, char *argv[]);
162 static int attach_func(int argc, char *argv[]);
163 static int mark_func(int argc, char *argv[]);
164 static int apply_func(int argc, char *argv[]);
165 static int sanity_check(char *zone, int cmd_num, boolean_t running,
166     boolean_t unsafe_when_running, boolean_t force);
167 static int cmd_match(char *cmd);
168 static int verify_details(int, char *argv[]);
169 static int verify_brand(zone_dochandle_t, int, char *argv[]);
170 static int invoke_brand_handler(int, char *argv[]);
171 
172 static struct cmd cmdtab[] = {
173 	{ CMD_HELP,		"help",		SHELP_HELP,	help_func },
174 	{ CMD_BOOT,		"boot",		SHELP_BOOT,	boot_func },
175 	{ CMD_HALT,		"halt",		SHELP_HALT,	halt_func },
176 	{ CMD_READY,		"ready",	SHELP_READY,	ready_func },
177 	{ CMD_REBOOT,		"reboot",	SHELP_REBOOT,	reboot_func },
178 	{ CMD_LIST,		"list",		SHELP_LIST,	list_func },
179 	{ CMD_VERIFY,		"verify",	SHELP_VERIFY,	verify_func },
180 	{ CMD_INSTALL,		"install",	SHELP_INSTALL,	install_func },
181 	{ CMD_UNINSTALL,	"uninstall",	SHELP_UNINSTALL,
182 	    uninstall_func },
183 	/* mount and unmount are private commands for admin/install */
184 	{ CMD_MOUNT,		"mount",	NULL,		mount_func },
185 	{ CMD_UNMOUNT,		"unmount",	NULL,		unmount_func },
186 	{ CMD_CLONE,		"clone",	SHELP_CLONE,	clone_func },
187 	{ CMD_MOVE,		"move",		SHELP_MOVE,	move_func },
188 	{ CMD_DETACH,		"detach",	SHELP_DETACH,	detach_func },
189 	{ CMD_ATTACH,		"attach",	SHELP_ATTACH,	attach_func },
190 	{ CMD_MARK,		"mark",		SHELP_MARK,	mark_func },
191 	{ CMD_APPLY,		"apply",	NULL,		apply_func }
192 };
193 
194 /* global variables */
195 
196 /* set early in main(), never modified thereafter, used all over the place */
197 static char *execname;
198 static char target_brand[MAXNAMELEN];
199 static char *locale;
200 char *target_zone;
201 static char *target_uuid;
202 
203 /* used in do_subproc() and signal handler */
204 static volatile boolean_t child_killed;
205 static int do_subproc_cnt = 0;
206 
207 /*
208  * Used to indicate whether this zoneadm instance has another zoneadm
209  * instance in its ancestry.
210  */
211 static boolean_t zoneadm_is_nested = B_FALSE;
212 
213 /* used to track nested zone-lock operations */
214 static int zone_lock_cnt = 0;
215 
216 /* used to communicate lock status to children */
217 #define	LOCK_ENV_VAR	"_ZONEADM_LOCK_HELD"
218 static char zoneadm_lock_held[] = LOCK_ENV_VAR"=1";
219 static char zoneadm_lock_not_held[] = LOCK_ENV_VAR"=0";
220 
221 char *
222 cmd_to_str(int cmd_num)
223 {
224 	assert(cmd_num >= CMD_MIN && cmd_num <= CMD_MAX);
225 	return (cmdtab[cmd_num].cmd_name);
226 }
227 
228 /* This is a separate function because of gettext() wrapping. */
229 static char *
230 long_help(int cmd_num)
231 {
232 	assert(cmd_num >= CMD_MIN && cmd_num <= CMD_MAX);
233 	switch (cmd_num) {
234 	case CMD_HELP:
235 		return (gettext("Print usage message."));
236 	case CMD_BOOT:
237 		return (gettext("Activates (boots) specified zone.  See "
238 		    "zoneadm(1m) for valid boot\n\targuments."));
239 	case CMD_HALT:
240 		return (gettext("Halts specified zone, bypassing shutdown "
241 		    "scripts and removing runtime\n\tresources of the zone."));
242 	case CMD_READY:
243 		return (gettext("Prepares a zone for running applications but "
244 		    "does not start any user\n\tprocesses in the zone."));
245 	case CMD_REBOOT:
246 		return (gettext("Restarts the zone (equivalent to a halt / "
247 		    "boot sequence).\n\tFails if the zone is not active.  "
248 		    "See zoneadm(1m) for valid boot\n\targuments."));
249 	case CMD_LIST:
250 		return (gettext("Lists the current zones, or a "
251 		    "specific zone if indicated.  By default,\n\tall "
252 		    "running zones are listed, though this can be "
253 		    "expanded to all\n\tinstalled zones with the -i "
254 		    "option or all configured zones with the\n\t-c "
255 		    "option.  When used with the general -z <zone> and/or -u "
256 		    "<uuid-match>\n\toptions, lists only the specified "
257 		    "matching zone, but lists it\n\tregardless of its state, "
258 		    "and the -i and -c options are disallowed.  The\n\t-v "
259 		    "option can be used to display verbose information: zone "
260 		    "name, id,\n\tcurrent state, root directory and options.  "
261 		    "The -p option can be used\n\tto request machine-parsable "
262 		    "output.  The -v and -p options are mutually\n\texclusive."
263 		    "  If neither -v nor -p is used, just the zone name is "
264 		    "listed."));
265 	case CMD_VERIFY:
266 		return (gettext("Check to make sure the configuration "
267 		    "can safely be instantiated\n\ton the machine: "
268 		    "physical network interfaces exist, etc."));
269 	case CMD_INSTALL:
270 		return (gettext("Install the configuration on to the system.  "
271 		    "The -x nodataset option\n\tcan be used to prevent the "
272 		    "creation of a new ZFS file system for the\n\tzone "
273 		    "(assuming the zonepath is within a ZFS file system).\n\t"
274 		    "All other arguments are passed to the brand installation "
275 		    "function;\n\tsee brand(4) for more information."));
276 	case CMD_UNINSTALL:
277 		return (gettext("Uninstall the configuration from the system.  "
278 		    "The -F flag can be used\n\tto force the action."));
279 	case CMD_CLONE:
280 		return (gettext("Clone the installation of another zone.  "
281 		    "The -m option can be used to\n\tspecify 'copy' which "
282 		    "forces a copy of the source zone.  The -s option\n\t"
283 		    "can be used to specify the name of a ZFS snapshot "
284 		    "that was taken from\n\ta previous clone command.  The "
285 		    "snapshot will be used as the source\n\tinstead of "
286 		    "creating a new ZFS snapshot."));
287 	case CMD_MOVE:
288 		return (gettext("Move the zone to a new zonepath."));
289 	case CMD_DETACH:
290 		return (gettext("Detach the zone from the system. The zone "
291 		    "state is changed to\n\t'configured' (but the files under "
292 		    "the zonepath are untouched).\n\tThe zone can subsequently "
293 		    "be attached, or can be moved to another\n\tsystem and "
294 		    "attached there.  The -n option can be used to specify\n\t"
295 		    "'no-execute' mode.  When -n is used, the information "
296 		    "needed to attach\n\tthe zone is sent to standard output "
297 		    "but the zone is not actually\n\tdetached."));
298 	case CMD_ATTACH:
299 		return (gettext("Attach the zone to the system.  The zone "
300 		    "state must be 'configured'\n\tprior to attach; upon "
301 		    "successful completion, the zone state will be\n\t"
302 		    "'installed'.  The system software on the current "
303 		    "system must be\n\tcompatible with the software on the "
304 		    "zone's original system.\n\tSpecify -F to force the attach "
305 		    "and skip software compatibility tests.\n\tThe -n option "
306 		    "can be used to specify 'no-execute' mode.  When -n is\n\t"
307 		    "used, the information needed to attach the zone is read "
308 		    "from the\n\tspecified path and the configuration is only "
309 		    "validated.  The path can\n\tbe '-' to specify standard "
310 		    "input."));
311 	case CMD_MARK:
312 		return (gettext("Set the state of the zone.  This can be used "
313 		    "to force the zone\n\tstate to 'incomplete' "
314 		    "administratively if some activity has rendered\n\tthe "
315 		    "zone permanently unusable.  The only valid state that "
316 		    "may be\n\tspecified is 'incomplete'."));
317 	default:
318 		return ("");
319 	}
320 	/* NOTREACHED */
321 	return (NULL);
322 }
323 
324 /*
325  * Called with explicit B_TRUE when help is explicitly requested, B_FALSE for
326  * unexpected errors.
327  */
328 
329 static int
330 usage(boolean_t explicit)
331 {
332 	int i;
333 	FILE *fd = explicit ? stdout : stderr;
334 
335 	(void) fprintf(fd, "%s:\t%s help\n", gettext("usage"), execname);
336 	(void) fprintf(fd, "\t%s [-z <zone>] [-u <uuid-match>] list\n",
337 	    execname);
338 	(void) fprintf(fd, "\t%s {-z <zone>|-u <uuid-match>} <%s>\n", execname,
339 	    gettext("subcommand"));
340 	(void) fprintf(fd, "\n%s:\n\n", gettext("Subcommands"));
341 	for (i = CMD_MIN; i <= CMD_MAX; i++) {
342 		if (cmdtab[i].short_usage == NULL)
343 			continue;
344 		(void) fprintf(fd, "%s\n", cmdtab[i].short_usage);
345 		if (explicit)
346 			(void) fprintf(fd, "\t%s\n\n", long_help(i));
347 	}
348 	if (!explicit)
349 		(void) fputs("\n", fd);
350 	return (Z_USAGE);
351 }
352 
353 static void
354 sub_usage(char *short_usage, int cmd_num)
355 {
356 	(void) fprintf(stderr, "%s:\t%s\n", gettext("usage"), short_usage);
357 	(void) fprintf(stderr, "\t%s\n", long_help(cmd_num));
358 }
359 
360 /*
361  * zperror() is like perror(3c) except that this also prints the executable
362  * name at the start of the message, and takes a boolean indicating whether
363  * to call libc'c strerror() or that from libzonecfg.
364  */
365 
366 void
367 zperror(const char *str, boolean_t zonecfg_error)
368 {
369 	(void) fprintf(stderr, "%s: %s: %s\n", execname, str,
370 	    zonecfg_error ? zonecfg_strerror(errno) : strerror(errno));
371 }
372 
373 /*
374  * zperror2() is very similar to zperror() above, except it also prints a
375  * supplied zone name after the executable.
376  *
377  * All current consumers of this function want libzonecfg's strerror() rather
378  * than libc's; if this ever changes, this function can be made more generic
379  * like zperror() above.
380  */
381 
382 void
383 zperror2(const char *zone, const char *str)
384 {
385 	(void) fprintf(stderr, "%s: %s: %s: %s\n", execname, zone, str,
386 	    zonecfg_strerror(errno));
387 }
388 
389 /* PRINTFLIKE1 */
390 void
391 zerror(const char *fmt, ...)
392 {
393 	va_list alist;
394 
395 	va_start(alist, fmt);
396 	(void) fprintf(stderr, "%s: ", execname);
397 	if (target_zone != NULL)
398 		(void) fprintf(stderr, "zone '%s': ", target_zone);
399 	(void) vfprintf(stderr, fmt, alist);
400 	(void) fprintf(stderr, "\n");
401 	va_end(alist);
402 }
403 
404 static void *
405 safe_calloc(size_t nelem, size_t elsize)
406 {
407 	void *r = calloc(nelem, elsize);
408 
409 	if (r == NULL) {
410 		zerror(gettext("failed to allocate %lu bytes: %s"),
411 		    (ulong_t)nelem * elsize, strerror(errno));
412 		exit(Z_ERR);
413 	}
414 	return (r);
415 }
416 
417 static void
418 zone_print(zone_entry_t *zent, boolean_t verbose, boolean_t parsable)
419 {
420 	static boolean_t firsttime = B_TRUE;
421 	char *ip_type_str;
422 
423 	if (zent->ziptype == ZS_EXCLUSIVE)
424 		ip_type_str = "excl";
425 	else
426 		ip_type_str = "shared";
427 
428 	assert(!(verbose && parsable));
429 	if (firsttime && verbose) {
430 		firsttime = B_FALSE;
431 		(void) printf("%*s %-16s %-10s %-30s %-8s %-6s\n",
432 		    ZONEID_WIDTH, "ID", "NAME", "STATUS", "PATH", "BRAND",
433 		    "IP");
434 	}
435 	if (!verbose) {
436 		char *cp, *clim;
437 
438 		if (!parsable) {
439 			(void) printf("%s\n", zent->zname);
440 			return;
441 		}
442 		if (zent->zid == ZONE_ID_UNDEFINED)
443 			(void) printf("-");
444 		else
445 			(void) printf("%lu", zent->zid);
446 		(void) printf(":%s:%s:", zent->zname, zent->zstate_str);
447 		cp = zent->zroot;
448 		while ((clim = strchr(cp, ':')) != NULL) {
449 			(void) printf("%.*s\\:", clim - cp, cp);
450 			cp = clim + 1;
451 		}
452 		(void) printf("%s:%s:%s:%s\n", cp, zent->zuuid, zent->zbrand,
453 		    ip_type_str);
454 		return;
455 	}
456 	if (zent->zstate_str != NULL) {
457 		if (zent->zid == ZONE_ID_UNDEFINED)
458 			(void) printf("%*s", ZONEID_WIDTH, "-");
459 		else
460 			(void) printf("%*lu", ZONEID_WIDTH, zent->zid);
461 		(void) printf(" %-16s %-10s %-30s %-8s %-6s\n", zent->zname,
462 		    zent->zstate_str, zent->zroot, zent->zbrand, ip_type_str);
463 	}
464 }
465 
466 static int
467 lookup_zone_info(const char *zone_name, zoneid_t zid, zone_entry_t *zent)
468 {
469 	char root[MAXPATHLEN], *cp;
470 	int err;
471 	uuid_t uuid;
472 
473 	(void) strlcpy(zent->zname, zone_name, sizeof (zent->zname));
474 	(void) strlcpy(zent->zroot, "???", sizeof (zent->zroot));
475 	(void) strlcpy(zent->zbrand, "???", sizeof (zent->zbrand));
476 	zent->zstate_str = "???";
477 
478 	zent->zid = zid;
479 
480 	if (zonecfg_get_uuid(zone_name, uuid) == Z_OK &&
481 	    !uuid_is_null(uuid))
482 		uuid_unparse(uuid, zent->zuuid);
483 	else
484 		zent->zuuid[0] = '\0';
485 
486 	/*
487 	 * For labeled zones which query the zone path of lower-level
488 	 * zones, the path needs to be adjusted to drop the final
489 	 * "/root" component. This adjusted path is then useful
490 	 * for reading down any exported directories from the
491 	 * lower-level zone.
492 	 */
493 	if (is_system_labeled() && zent->zid != ZONE_ID_UNDEFINED) {
494 		if (zone_getattr(zent->zid, ZONE_ATTR_ROOT, zent->zroot,
495 		    sizeof (zent->zroot)) == -1) {
496 			zperror2(zent->zname,
497 			    gettext("could not get zone path."));
498 			return (Z_ERR);
499 		}
500 		cp = zent->zroot + strlen(zent->zroot) - 5;
501 		if (cp > zent->zroot && strcmp(cp, "/root") == 0)
502 			*cp = 0;
503 	} else {
504 		if ((err = zone_get_zonepath(zent->zname, root,
505 		    sizeof (root))) != Z_OK) {
506 			errno = err;
507 			zperror2(zent->zname,
508 			    gettext("could not get zone path."));
509 			return (Z_ERR);
510 		}
511 		(void) strlcpy(zent->zroot, root, sizeof (zent->zroot));
512 	}
513 
514 	if ((err = zone_get_state(zent->zname, &zent->zstate_num)) != Z_OK) {
515 		errno = err;
516 		zperror2(zent->zname, gettext("could not get state"));
517 		return (Z_ERR);
518 	}
519 	zent->zstate_str = zone_state_str(zent->zstate_num);
520 
521 	/*
522 	 * A zone's brand is only available in the .xml file describing it,
523 	 * which is only visible to the global zone.  This causes
524 	 * zone_get_brand() to fail when called from within a non-global
525 	 * zone.  Fortunately we only do this on labeled systems, where we
526 	 * know all zones are native.
527 	 */
528 	if (getzoneid() != GLOBAL_ZONEID) {
529 		assert(is_system_labeled() != 0);
530 		(void) strlcpy(zent->zbrand, NATIVE_BRAND_NAME,
531 		    sizeof (zent->zbrand));
532 	} else if (zone_get_brand(zent->zname, zent->zbrand,
533 	    sizeof (zent->zbrand)) != Z_OK) {
534 		zperror2(zent->zname, gettext("could not get brand name"));
535 		return (Z_ERR);
536 	}
537 
538 	/*
539 	 * Get ip type of the zone.
540 	 * Note for global zone, ZS_SHARED is set always.
541 	 */
542 	if (zid == GLOBAL_ZONEID) {
543 		zent->ziptype = ZS_SHARED;
544 	} else {
545 
546 		if (zent->zstate_num == ZONE_STATE_RUNNING) {
547 			ushort_t flags;
548 
549 			if (zone_getattr(zid, ZONE_ATTR_FLAGS, &flags,
550 			    sizeof (flags)) < 0) {
551 				zperror2(zent->zname,
552 				    gettext("could not get zone flags"));
553 				return (Z_ERR);
554 			}
555 			if (flags & ZF_NET_EXCL)
556 				zent->ziptype = ZS_EXCLUSIVE;
557 			else
558 				zent->ziptype = ZS_SHARED;
559 		} else {
560 			zone_dochandle_t handle;
561 
562 			if ((handle = zonecfg_init_handle()) == NULL) {
563 				zperror2(zent->zname,
564 				    gettext("could not init handle"));
565 				return (Z_ERR);
566 			}
567 			if ((err = zonecfg_get_handle(zent->zname, handle))
568 			    != Z_OK) {
569 				zperror2(zent->zname,
570 				    gettext("could not get handle"));
571 				zonecfg_fini_handle(handle);
572 				return (Z_ERR);
573 			}
574 
575 			if ((err = zonecfg_get_iptype(handle, &zent->ziptype))
576 			    != Z_OK) {
577 				zperror2(zent->zname,
578 				    gettext("could not get ip-type"));
579 				zonecfg_fini_handle(handle);
580 				return (Z_ERR);
581 			}
582 			zonecfg_fini_handle(handle);
583 		}
584 	}
585 
586 	return (Z_OK);
587 }
588 
589 /*
590  * fetch_zents() calls zone_list(2) to find out how many zones are running
591  * (which is stored in the global nzents), then calls zone_list(2) again
592  * to fetch the list of running zones (stored in the global zents).  This
593  * function may be called multiple times, so if zents is already set, we
594  * return immediately to save work.
595  */
596 
597 static int
598 fetch_zents(void)
599 {
600 	zoneid_t *zids = NULL;
601 	uint_t nzents_saved;
602 	int i, retv;
603 	FILE *fp;
604 	boolean_t inaltroot;
605 	zone_entry_t *zentp;
606 
607 	if (nzents > 0)
608 		return (Z_OK);
609 
610 	if (zone_list(NULL, &nzents) != 0) {
611 		zperror(gettext("failed to get zoneid list"), B_FALSE);
612 		return (Z_ERR);
613 	}
614 
615 again:
616 	if (nzents == 0)
617 		return (Z_OK);
618 
619 	zids = safe_calloc(nzents, sizeof (zoneid_t));
620 	nzents_saved = nzents;
621 
622 	if (zone_list(zids, &nzents) != 0) {
623 		zperror(gettext("failed to get zone list"), B_FALSE);
624 		free(zids);
625 		return (Z_ERR);
626 	}
627 	if (nzents != nzents_saved) {
628 		/* list changed, try again */
629 		free(zids);
630 		goto again;
631 	}
632 
633 	zents = safe_calloc(nzents, sizeof (zone_entry_t));
634 
635 	inaltroot = zonecfg_in_alt_root();
636 	if (inaltroot)
637 		fp = zonecfg_open_scratch("", B_FALSE);
638 	else
639 		fp = NULL;
640 	zentp = zents;
641 	retv = Z_OK;
642 	for (i = 0; i < nzents; i++) {
643 		char name[ZONENAME_MAX];
644 		char altname[ZONENAME_MAX];
645 
646 		if (getzonenamebyid(zids[i], name, sizeof (name)) < 0) {
647 			zperror(gettext("failed to get zone name"), B_FALSE);
648 			retv = Z_ERR;
649 			continue;
650 		}
651 		if (zonecfg_is_scratch(name)) {
652 			/* Ignore scratch zones by default */
653 			if (!inaltroot)
654 				continue;
655 			if (fp == NULL ||
656 			    zonecfg_reverse_scratch(fp, name, altname,
657 			    sizeof (altname), NULL, 0) == -1) {
658 				zerror(gettext("could not resolve scratch "
659 				    "zone %s"), name);
660 				retv = Z_ERR;
661 				continue;
662 			}
663 			(void) strcpy(name, altname);
664 		} else {
665 			/* Ignore non-scratch when in an alternate root */
666 			if (inaltroot && strcmp(name, GLOBAL_ZONENAME) != 0)
667 				continue;
668 		}
669 		if (lookup_zone_info(name, zids[i], zentp) != Z_OK) {
670 			zerror(gettext("failed to get zone data"));
671 			retv = Z_ERR;
672 			continue;
673 		}
674 		zentp++;
675 	}
676 	nzents = zentp - zents;
677 	if (fp != NULL)
678 		zonecfg_close_scratch(fp);
679 
680 	free(zids);
681 	return (retv);
682 }
683 
684 static int
685 zone_print_list(zone_state_t min_state, boolean_t verbose, boolean_t parsable)
686 {
687 	int i;
688 	zone_entry_t zent;
689 	FILE *cookie;
690 	char *name;
691 
692 	/*
693 	 * First get the list of running zones from the kernel and print them.
694 	 * If that is all we need, then return.
695 	 */
696 	if ((i = fetch_zents()) != Z_OK) {
697 		/*
698 		 * No need for error messages; fetch_zents() has already taken
699 		 * care of this.
700 		 */
701 		return (i);
702 	}
703 	for (i = 0; i < nzents; i++)
704 		zone_print(&zents[i], verbose, parsable);
705 	if (min_state >= ZONE_STATE_RUNNING)
706 		return (Z_OK);
707 	/*
708 	 * Next, get the full list of zones from the configuration, skipping
709 	 * any we have already printed.
710 	 */
711 	cookie = setzoneent();
712 	while ((name = getzoneent(cookie)) != NULL) {
713 		for (i = 0; i < nzents; i++) {
714 			if (strcmp(zents[i].zname, name) == 0)
715 				break;
716 		}
717 		if (i < nzents) {
718 			free(name);
719 			continue;
720 		}
721 		if (lookup_zone_info(name, ZONE_ID_UNDEFINED, &zent) != Z_OK) {
722 			free(name);
723 			continue;
724 		}
725 		free(name);
726 		if (zent.zstate_num >= min_state)
727 			zone_print(&zent, verbose, parsable);
728 	}
729 	endzoneent(cookie);
730 	return (Z_OK);
731 }
732 
733 static zone_entry_t *
734 lookup_running_zone(char *str)
735 {
736 	zoneid_t zoneid;
737 	char *cp;
738 	int i;
739 
740 	if (fetch_zents() != Z_OK)
741 		return (NULL);
742 
743 	for (i = 0; i < nzents; i++) {
744 		if (strcmp(str, zents[i].zname) == 0)
745 			return (&zents[i]);
746 	}
747 	errno = 0;
748 	zoneid = strtol(str, &cp, 0);
749 	if (zoneid < MIN_ZONEID || zoneid > MAX_ZONEID ||
750 	    errno != 0 || *cp != '\0')
751 		return (NULL);
752 	for (i = 0; i < nzents; i++) {
753 		if (zoneid == zents[i].zid)
754 			return (&zents[i]);
755 	}
756 	return (NULL);
757 }
758 
759 /*
760  * Check a bit in a mode_t: if on is B_TRUE, that bit should be on; if
761  * B_FALSE, it should be off.  Return B_TRUE if the mode is bad (incorrect).
762  */
763 static boolean_t
764 bad_mode_bit(mode_t mode, mode_t bit, boolean_t on, char *file)
765 {
766 	char *str;
767 
768 	assert(bit == S_IRUSR || bit == S_IWUSR || bit == S_IXUSR ||
769 	    bit == S_IRGRP || bit == S_IWGRP || bit == S_IXGRP ||
770 	    bit == S_IROTH || bit == S_IWOTH || bit == S_IXOTH);
771 	/*
772 	 * TRANSLATION_NOTE
773 	 * The strings below will be used as part of a larger message,
774 	 * either:
775 	 * (file name) must be (owner|group|world) (read|writ|execut)able
776 	 * or
777 	 * (file name) must not be (owner|group|world) (read|writ|execut)able
778 	 */
779 	switch (bit) {
780 	case S_IRUSR:
781 		str = gettext("owner readable");
782 		break;
783 	case S_IWUSR:
784 		str = gettext("owner writable");
785 		break;
786 	case S_IXUSR:
787 		str = gettext("owner executable");
788 		break;
789 	case S_IRGRP:
790 		str = gettext("group readable");
791 		break;
792 	case S_IWGRP:
793 		str = gettext("group writable");
794 		break;
795 	case S_IXGRP:
796 		str = gettext("group executable");
797 		break;
798 	case S_IROTH:
799 		str = gettext("world readable");
800 		break;
801 	case S_IWOTH:
802 		str = gettext("world writable");
803 		break;
804 	case S_IXOTH:
805 		str = gettext("world executable");
806 		break;
807 	}
808 	if ((mode & bit) == (on ? 0 : bit)) {
809 		/*
810 		 * TRANSLATION_NOTE
811 		 * The first parameter below is a file name; the second
812 		 * is one of the "(owner|group|world) (read|writ|execut)able"
813 		 * strings from above.
814 		 */
815 		/*
816 		 * The code below could be simplified but not in a way
817 		 * that would easily translate to non-English locales.
818 		 */
819 		if (on) {
820 			(void) fprintf(stderr, gettext("%s must be %s.\n"),
821 			    file, str);
822 		} else {
823 			(void) fprintf(stderr, gettext("%s must not be %s.\n"),
824 			    file, str);
825 		}
826 		return (B_TRUE);
827 	}
828 	return (B_FALSE);
829 }
830 
831 /*
832  * We want to make sure that no zone has its zone path as a child node
833  * (in the directory sense) of any other.  We do that by comparing this
834  * zone's path to the path of all other (non-global) zones.  The comparison
835  * in each case is simple: add '/' to the end of the path, then do a
836  * strncmp() of the two paths, using the length of the shorter one.
837  */
838 
839 static int
840 crosscheck_zonepaths(char *path)
841 {
842 	char rpath[MAXPATHLEN];		/* resolved path */
843 	char path_copy[MAXPATHLEN];	/* copy of original path */
844 	char rpath_copy[MAXPATHLEN];	/* copy of original rpath */
845 	struct zoneent *ze;
846 	int res, err;
847 	FILE *cookie;
848 
849 	cookie = setzoneent();
850 	while ((ze = getzoneent_private(cookie)) != NULL) {
851 		/* Skip zones which are not installed. */
852 		if (ze->zone_state < ZONE_STATE_INSTALLED) {
853 			free(ze);
854 			continue;
855 		}
856 		/* Skip the global zone and the current target zone. */
857 		if (strcmp(ze->zone_name, GLOBAL_ZONENAME) == 0 ||
858 		    strcmp(ze->zone_name, target_zone) == 0) {
859 			free(ze);
860 			continue;
861 		}
862 		if (strlen(ze->zone_path) == 0) {
863 			/* old index file without path, fall back */
864 			if ((err = zone_get_zonepath(ze->zone_name,
865 			    ze->zone_path, sizeof (ze->zone_path))) != Z_OK) {
866 				errno = err;
867 				zperror2(ze->zone_name,
868 				    gettext("could not get zone path"));
869 				free(ze);
870 				continue;
871 			}
872 		}
873 		(void) snprintf(path_copy, sizeof (path_copy), "%s%s",
874 		    zonecfg_get_root(), ze->zone_path);
875 		res = resolvepath(path_copy, rpath, sizeof (rpath));
876 		if (res == -1) {
877 			if (errno != ENOENT) {
878 				zperror(path_copy, B_FALSE);
879 				free(ze);
880 				return (Z_ERR);
881 			}
882 			(void) printf(gettext("WARNING: zone %s is installed, "
883 			    "but its %s %s does not exist.\n"), ze->zone_name,
884 			    "zonepath", path_copy);
885 			free(ze);
886 			continue;
887 		}
888 		rpath[res] = '\0';
889 		(void) snprintf(path_copy, sizeof (path_copy), "%s/", path);
890 		(void) snprintf(rpath_copy, sizeof (rpath_copy), "%s/", rpath);
891 		if (strncmp(path_copy, rpath_copy,
892 		    min(strlen(path_copy), strlen(rpath_copy))) == 0) {
893 			/*
894 			 * TRANSLATION_NOTE
895 			 * zonepath is a literal that should not be translated.
896 			 */
897 			(void) fprintf(stderr, gettext("%s zonepath (%s) and "
898 			    "%s zonepath (%s) overlap.\n"),
899 			    target_zone, path, ze->zone_name, rpath);
900 			free(ze);
901 			return (Z_ERR);
902 		}
903 		free(ze);
904 	}
905 	endzoneent(cookie);
906 	return (Z_OK);
907 }
908 
909 static int
910 validate_zonepath(char *path, int cmd_num)
911 {
912 	int res;			/* result of last library/system call */
913 	boolean_t err = B_FALSE;	/* have we run into an error? */
914 	struct stat stbuf;
915 	struct statvfs64 vfsbuf;
916 	char rpath[MAXPATHLEN];		/* resolved path */
917 	char ppath[MAXPATHLEN];		/* parent path */
918 	char rppath[MAXPATHLEN];	/* resolved parent path */
919 	char rootpath[MAXPATHLEN];	/* root path */
920 	zone_state_t state;
921 
922 	if (path[0] != '/') {
923 		(void) fprintf(stderr,
924 		    gettext("%s is not an absolute path.\n"), path);
925 		return (Z_ERR);
926 	}
927 	if ((res = resolvepath(path, rpath, sizeof (rpath))) == -1) {
928 		if ((errno != ENOENT) ||
929 		    (cmd_num != CMD_VERIFY && cmd_num != CMD_INSTALL &&
930 		    cmd_num != CMD_CLONE && cmd_num != CMD_MOVE)) {
931 			zperror(path, B_FALSE);
932 			return (Z_ERR);
933 		}
934 		if (cmd_num == CMD_VERIFY) {
935 			/*
936 			 * TRANSLATION_NOTE
937 			 * zoneadm is a literal that should not be translated.
938 			 */
939 			(void) fprintf(stderr, gettext("WARNING: %s does not "
940 			    "exist, so it could not be verified.\nWhen "
941 			    "'zoneadm %s' is run, '%s' will try to create\n%s, "
942 			    "and '%s' will be tried again,\nbut the '%s' may "
943 			    "fail if:\nthe parent directory of %s is group- or "
944 			    "other-writable\nor\n%s overlaps with any other "
945 			    "installed zones.\n"), path,
946 			    cmd_to_str(CMD_INSTALL), cmd_to_str(CMD_INSTALL),
947 			    path, cmd_to_str(CMD_VERIFY),
948 			    cmd_to_str(CMD_VERIFY), path, path);
949 			return (Z_OK);
950 		}
951 		/*
952 		 * The zonepath is supposed to be mode 700 but its
953 		 * parent(s) 755.  So use 755 on the mkdirp() then
954 		 * chmod() the zonepath itself to 700.
955 		 */
956 		if (mkdirp(path, DEFAULT_DIR_MODE) < 0) {
957 			zperror(path, B_FALSE);
958 			return (Z_ERR);
959 		}
960 		/*
961 		 * If the chmod() fails, report the error, but might
962 		 * as well continue the verify procedure.
963 		 */
964 		if (chmod(path, S_IRWXU) != 0)
965 			zperror(path, B_FALSE);
966 		/*
967 		 * Since the mkdir() succeeded, we should not have to
968 		 * worry about a subsequent ENOENT, thus this should
969 		 * only recurse once.
970 		 */
971 		return (validate_zonepath(path, cmd_num));
972 	}
973 	rpath[res] = '\0';
974 	if (strcmp(path, rpath) != 0) {
975 		errno = Z_RESOLVED_PATH;
976 		zperror(path, B_TRUE);
977 		return (Z_ERR);
978 	}
979 	if ((res = stat(rpath, &stbuf)) != 0) {
980 		zperror(rpath, B_FALSE);
981 		return (Z_ERR);
982 	}
983 	if (!S_ISDIR(stbuf.st_mode)) {
984 		(void) fprintf(stderr, gettext("%s is not a directory.\n"),
985 		    rpath);
986 		return (Z_ERR);
987 	}
988 	if (strcmp(stbuf.st_fstype, MNTTYPE_TMPFS) == 0) {
989 		(void) printf(gettext("WARNING: %s is on a temporary "
990 		    "file system.\n"), rpath);
991 	}
992 	if (crosscheck_zonepaths(rpath) != Z_OK)
993 		return (Z_ERR);
994 	/*
995 	 * Try to collect and report as many minor errors as possible
996 	 * before returning, so the user can learn everything that needs
997 	 * to be fixed up front.
998 	 */
999 	if (stbuf.st_uid != 0) {
1000 		(void) fprintf(stderr, gettext("%s is not owned by root.\n"),
1001 		    rpath);
1002 		err = B_TRUE;
1003 	}
1004 	err |= bad_mode_bit(stbuf.st_mode, S_IRUSR, B_TRUE, rpath);
1005 	err |= bad_mode_bit(stbuf.st_mode, S_IWUSR, B_TRUE, rpath);
1006 	err |= bad_mode_bit(stbuf.st_mode, S_IXUSR, B_TRUE, rpath);
1007 	err |= bad_mode_bit(stbuf.st_mode, S_IRGRP, B_FALSE, rpath);
1008 	err |= bad_mode_bit(stbuf.st_mode, S_IWGRP, B_FALSE, rpath);
1009 	err |= bad_mode_bit(stbuf.st_mode, S_IXGRP, B_FALSE, rpath);
1010 	err |= bad_mode_bit(stbuf.st_mode, S_IROTH, B_FALSE, rpath);
1011 	err |= bad_mode_bit(stbuf.st_mode, S_IWOTH, B_FALSE, rpath);
1012 	err |= bad_mode_bit(stbuf.st_mode, S_IXOTH, B_FALSE, rpath);
1013 
1014 	(void) snprintf(ppath, sizeof (ppath), "%s/..", path);
1015 	if ((res = resolvepath(ppath, rppath, sizeof (rppath))) == -1) {
1016 		zperror(ppath, B_FALSE);
1017 		return (Z_ERR);
1018 	}
1019 	rppath[res] = '\0';
1020 	if ((res = stat(rppath, &stbuf)) != 0) {
1021 		zperror(rppath, B_FALSE);
1022 		return (Z_ERR);
1023 	}
1024 	/* theoretically impossible */
1025 	if (!S_ISDIR(stbuf.st_mode)) {
1026 		(void) fprintf(stderr, gettext("%s is not a directory.\n"),
1027 		    rppath);
1028 		return (Z_ERR);
1029 	}
1030 	if (stbuf.st_uid != 0) {
1031 		(void) fprintf(stderr, gettext("%s is not owned by root.\n"),
1032 		    rppath);
1033 		err = B_TRUE;
1034 	}
1035 	err |= bad_mode_bit(stbuf.st_mode, S_IRUSR, B_TRUE, rppath);
1036 	err |= bad_mode_bit(stbuf.st_mode, S_IWUSR, B_TRUE, rppath);
1037 	err |= bad_mode_bit(stbuf.st_mode, S_IXUSR, B_TRUE, rppath);
1038 	err |= bad_mode_bit(stbuf.st_mode, S_IWGRP, B_FALSE, rppath);
1039 	err |= bad_mode_bit(stbuf.st_mode, S_IWOTH, B_FALSE, rppath);
1040 	if (strcmp(rpath, rppath) == 0) {
1041 		(void) fprintf(stderr, gettext("%s is its own parent.\n"),
1042 		    rppath);
1043 		err = B_TRUE;
1044 	}
1045 
1046 	if (statvfs64(rpath, &vfsbuf) != 0) {
1047 		zperror(rpath, B_FALSE);
1048 		return (Z_ERR);
1049 	}
1050 	if (strcmp(vfsbuf.f_basetype, MNTTYPE_NFS) == 0) {
1051 		/*
1052 		 * TRANSLATION_NOTE
1053 		 * Zonepath and NFS are literals that should not be translated.
1054 		 */
1055 		(void) fprintf(stderr, gettext("Zonepath %s is on an NFS "
1056 		    "mounted file system.\n"
1057 		    "\tA local file system must be used.\n"), rpath);
1058 		return (Z_ERR);
1059 	}
1060 	if (vfsbuf.f_flag & ST_NOSUID) {
1061 		/*
1062 		 * TRANSLATION_NOTE
1063 		 * Zonepath and nosuid are literals that should not be
1064 		 * translated.
1065 		 */
1066 		(void) fprintf(stderr, gettext("Zonepath %s is on a nosuid "
1067 		    "file system.\n"), rpath);
1068 		return (Z_ERR);
1069 	}
1070 
1071 	if ((res = zone_get_state(target_zone, &state)) != Z_OK) {
1072 		errno = res;
1073 		zperror2(target_zone, gettext("could not get state"));
1074 		return (Z_ERR);
1075 	}
1076 	/*
1077 	 * The existence of the root path is only bad in the configured state,
1078 	 * as it is *supposed* to be there at the installed and later states.
1079 	 * However, the root path is expected to be there if the zone is
1080 	 * detached.
1081 	 * State/command mismatches are caught earlier in verify_details().
1082 	 */
1083 	if (state == ZONE_STATE_CONFIGURED && cmd_num != CMD_ATTACH) {
1084 		if (snprintf(rootpath, sizeof (rootpath), "%s/root", rpath) >=
1085 		    sizeof (rootpath)) {
1086 			/*
1087 			 * TRANSLATION_NOTE
1088 			 * Zonepath is a literal that should not be translated.
1089 			 */
1090 			(void) fprintf(stderr,
1091 			    gettext("Zonepath %s is too long.\n"), rpath);
1092 			return (Z_ERR);
1093 		}
1094 		if ((res = stat(rootpath, &stbuf)) == 0) {
1095 			if (zonecfg_detached(rpath))
1096 				(void) fprintf(stderr,
1097 				    gettext("Cannot %s detached "
1098 				    "zone.\nUse attach or remove %s "
1099 				    "directory.\n"), cmd_to_str(cmd_num),
1100 				    rpath);
1101 			else
1102 				(void) fprintf(stderr,
1103 				    gettext("Rootpath %s exists; "
1104 				    "remove or move aside prior to %s.\n"),
1105 				    rootpath, cmd_to_str(cmd_num));
1106 			return (Z_ERR);
1107 		}
1108 	}
1109 
1110 	return (err ? Z_ERR : Z_OK);
1111 }
1112 
1113 /*
1114  * The following two routines implement a simple locking mechanism to
1115  * ensure that only one instance of zoneadm at a time is able to manipulate
1116  * a given zone.  The lock is built on top of an fcntl(2) lock of
1117  * [<altroot>]/var/run/zones/<zonename>.zoneadm.lock.  If a zoneadm instance
1118  * can grab that lock, it is allowed to manipulate the zone.
1119  *
1120  * Since zoneadm may call external applications which in turn invoke
1121  * zoneadm again, we introduce the notion of "lock inheritance".  Any
1122  * instance of zoneadm that has another instance in its ancestry is assumed
1123  * to be acting on behalf of the original zoneadm, and is thus allowed to
1124  * manipulate its zone.
1125  *
1126  * This inheritance is implemented via the _ZONEADM_LOCK_HELD environment
1127  * variable.  When zoneadm is granted a lock on its zone, this environment
1128  * variable is set to 1.  When it releases the lock, the variable is set to
1129  * 0.  Since a child process inherits its parent's environment, checking
1130  * the state of this variable indicates whether or not any ancestor owns
1131  * the lock.
1132  */
1133 static void
1134 release_lock_file(int lockfd)
1135 {
1136 	/*
1137 	 * If we are cleaning up from a failed attempt to lock the zone for
1138 	 * the first time, we might have a zone_lock_cnt of 0.  In that
1139 	 * error case, we don't want to do anything but close the lock
1140 	 * file.
1141 	 */
1142 	assert(zone_lock_cnt >= 0);
1143 	if (zone_lock_cnt > 0) {
1144 		assert(getenv(LOCK_ENV_VAR) != NULL);
1145 		assert(atoi(getenv(LOCK_ENV_VAR)) == 1);
1146 		if (--zone_lock_cnt > 0) {
1147 			assert(lockfd == -1);
1148 			return;
1149 		}
1150 		if (putenv(zoneadm_lock_not_held) != 0) {
1151 			zperror(target_zone, B_TRUE);
1152 			exit(Z_ERR);
1153 		}
1154 	}
1155 	assert(lockfd >= 0);
1156 	(void) close(lockfd);
1157 }
1158 
1159 static int
1160 grab_lock_file(const char *zone_name, int *lockfd)
1161 {
1162 	char pathbuf[PATH_MAX];
1163 	struct flock flock;
1164 
1165 	/*
1166 	 * If we already have the lock, we can skip this expensive song
1167 	 * and dance.
1168 	 */
1169 	if (zone_lock_cnt > 0) {
1170 		zone_lock_cnt++;
1171 		*lockfd = -1;
1172 		return (Z_OK);
1173 	}
1174 	assert(getenv(LOCK_ENV_VAR) != NULL);
1175 	assert(atoi(getenv(LOCK_ENV_VAR)) == 0);
1176 
1177 	if (snprintf(pathbuf, sizeof (pathbuf), "%s%s", zonecfg_get_root(),
1178 	    ZONES_TMPDIR) >= sizeof (pathbuf)) {
1179 		zerror(gettext("alternate root path is too long"));
1180 		return (Z_ERR);
1181 	}
1182 	if (mkdir(pathbuf, S_IRWXU) < 0 && errno != EEXIST) {
1183 		zerror(gettext("could not mkdir %s: %s"), pathbuf,
1184 		    strerror(errno));
1185 		return (Z_ERR);
1186 	}
1187 	(void) chmod(pathbuf, S_IRWXU);
1188 
1189 	/*
1190 	 * One of these lock files is created for each zone (when needed).
1191 	 * The lock files are not cleaned up (except on system reboot),
1192 	 * but since there is only one per zone, there is no resource
1193 	 * starvation issue.
1194 	 */
1195 	if (snprintf(pathbuf, sizeof (pathbuf), "%s%s/%s.zoneadm.lock",
1196 	    zonecfg_get_root(), ZONES_TMPDIR, zone_name) >= sizeof (pathbuf)) {
1197 		zerror(gettext("alternate root path is too long"));
1198 		return (Z_ERR);
1199 	}
1200 	if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1201 		zerror(gettext("could not open %s: %s"), pathbuf,
1202 		    strerror(errno));
1203 		return (Z_ERR);
1204 	}
1205 	/*
1206 	 * Lock the file to synchronize with other zoneadmds
1207 	 */
1208 	flock.l_type = F_WRLCK;
1209 	flock.l_whence = SEEK_SET;
1210 	flock.l_start = (off_t)0;
1211 	flock.l_len = (off_t)0;
1212 	if ((fcntl(*lockfd, F_SETLKW, &flock) < 0) ||
1213 	    (putenv(zoneadm_lock_held) != 0)) {
1214 		zerror(gettext("unable to lock %s: %s"), pathbuf,
1215 		    strerror(errno));
1216 		release_lock_file(*lockfd);
1217 		return (Z_ERR);
1218 	}
1219 	zone_lock_cnt = 1;
1220 	return (Z_OK);
1221 }
1222 
1223 static boolean_t
1224 get_doorname(const char *zone_name, char *buffer)
1225 {
1226 	return (snprintf(buffer, PATH_MAX, "%s" ZONE_DOOR_PATH,
1227 	    zonecfg_get_root(), zone_name) < PATH_MAX);
1228 }
1229 
1230 /*
1231  * system daemons are not audited.  For the global zone, this occurs
1232  * "naturally" since init is started with the default audit
1233  * characteristics.  Since zoneadmd is a system daemon and it starts
1234  * init for a zone, it is necessary to clear out the audit
1235  * characteristics inherited from whomever started zoneadmd.  This is
1236  * indicated by the audit id, which is set from the ruid parameter of
1237  * adt_set_user(), below.
1238  */
1239 
1240 static void
1241 prepare_audit_context()
1242 {
1243 	adt_session_data_t	*ah;
1244 	char			*failure = gettext("audit failure: %s");
1245 
1246 	if (adt_start_session(&ah, NULL, 0)) {
1247 		zerror(failure, strerror(errno));
1248 		return;
1249 	}
1250 	if (adt_set_user(ah, ADT_NO_AUDIT, ADT_NO_AUDIT,
1251 	    ADT_NO_AUDIT, ADT_NO_AUDIT, NULL, ADT_NEW)) {
1252 		zerror(failure, strerror(errno));
1253 		(void) adt_end_session(ah);
1254 		return;
1255 	}
1256 	if (adt_set_proc(ah))
1257 		zerror(failure, strerror(errno));
1258 
1259 	(void) adt_end_session(ah);
1260 }
1261 
1262 static int
1263 start_zoneadmd(const char *zone_name)
1264 {
1265 	char doorpath[PATH_MAX];
1266 	pid_t child_pid;
1267 	int error = Z_ERR;
1268 	int doorfd, lockfd;
1269 	struct door_info info;
1270 
1271 	if (!get_doorname(zone_name, doorpath))
1272 		return (Z_ERR);
1273 
1274 	if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1275 		return (Z_ERR);
1276 
1277 	/*
1278 	 * Now that we have the lock, re-confirm that the daemon is
1279 	 * *not* up and working fine.  If it is still down, we have a green
1280 	 * light to start it.
1281 	 */
1282 	if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1283 		if (errno != ENOENT) {
1284 			zperror(doorpath, B_FALSE);
1285 			goto out;
1286 		}
1287 	} else {
1288 		if (door_info(doorfd, &info) == 0 &&
1289 		    ((info.di_attributes & DOOR_REVOKED) == 0)) {
1290 			error = Z_OK;
1291 			(void) close(doorfd);
1292 			goto out;
1293 		}
1294 		(void) close(doorfd);
1295 	}
1296 
1297 	if ((child_pid = fork()) == -1) {
1298 		zperror(gettext("could not fork"), B_FALSE);
1299 		goto out;
1300 	} else if (child_pid == 0) {
1301 		const char *argv[6], **ap;
1302 
1303 		/* child process */
1304 		prepare_audit_context();
1305 
1306 		ap = argv;
1307 		*ap++ = "zoneadmd";
1308 		*ap++ = "-z";
1309 		*ap++ = zone_name;
1310 		if (zonecfg_in_alt_root()) {
1311 			*ap++ = "-R";
1312 			*ap++ = zonecfg_get_root();
1313 		}
1314 		*ap = NULL;
1315 
1316 		(void) execv("/usr/lib/zones/zoneadmd", (char * const *)argv);
1317 		/*
1318 		 * TRANSLATION_NOTE
1319 		 * zoneadmd is a literal that should not be translated.
1320 		 */
1321 		zperror(gettext("could not exec zoneadmd"), B_FALSE);
1322 		_exit(Z_ERR);
1323 	} else {
1324 		/* parent process */
1325 		pid_t retval;
1326 		int pstatus = 0;
1327 
1328 		do {
1329 			retval = waitpid(child_pid, &pstatus, 0);
1330 		} while (retval != child_pid);
1331 		if (WIFSIGNALED(pstatus) || (WIFEXITED(pstatus) &&
1332 		    WEXITSTATUS(pstatus) != 0)) {
1333 			zerror(gettext("could not start %s"), "zoneadmd");
1334 			goto out;
1335 		}
1336 	}
1337 	error = Z_OK;
1338 out:
1339 	release_lock_file(lockfd);
1340 	return (error);
1341 }
1342 
1343 static int
1344 ping_zoneadmd(const char *zone_name)
1345 {
1346 	char doorpath[PATH_MAX];
1347 	int doorfd;
1348 	struct door_info info;
1349 
1350 	if (!get_doorname(zone_name, doorpath))
1351 		return (Z_ERR);
1352 
1353 	if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1354 		return (Z_ERR);
1355 	}
1356 	if (door_info(doorfd, &info) == 0 &&
1357 	    ((info.di_attributes & DOOR_REVOKED) == 0)) {
1358 		(void) close(doorfd);
1359 		return (Z_OK);
1360 	}
1361 	(void) close(doorfd);
1362 	return (Z_ERR);
1363 }
1364 
1365 static int
1366 call_zoneadmd(const char *zone_name, zone_cmd_arg_t *arg)
1367 {
1368 	char doorpath[PATH_MAX];
1369 	int doorfd, result;
1370 	door_arg_t darg;
1371 
1372 	zoneid_t zoneid;
1373 	uint64_t uniqid = 0;
1374 
1375 	zone_cmd_rval_t *rvalp;
1376 	size_t rlen;
1377 	char *cp, *errbuf;
1378 
1379 	rlen = getpagesize();
1380 	if ((rvalp = malloc(rlen)) == NULL) {
1381 		zerror(gettext("failed to allocate %lu bytes: %s"), rlen,
1382 		    strerror(errno));
1383 		return (-1);
1384 	}
1385 
1386 	if ((zoneid = getzoneidbyname(zone_name)) != ZONE_ID_UNDEFINED) {
1387 		(void) zone_getattr(zoneid, ZONE_ATTR_UNIQID, &uniqid,
1388 		    sizeof (uniqid));
1389 	}
1390 	arg->uniqid = uniqid;
1391 	(void) strlcpy(arg->locale, locale, sizeof (arg->locale));
1392 	if (!get_doorname(zone_name, doorpath)) {
1393 		zerror(gettext("alternate root path is too long"));
1394 		free(rvalp);
1395 		return (-1);
1396 	}
1397 
1398 	/*
1399 	 * Loop trying to start zoneadmd; if something goes seriously
1400 	 * wrong we break out and fail.
1401 	 */
1402 	for (;;) {
1403 		if (start_zoneadmd(zone_name) != Z_OK)
1404 			break;
1405 
1406 		if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1407 			zperror(gettext("failed to open zone door"), B_FALSE);
1408 			break;
1409 		}
1410 
1411 		darg.data_ptr = (char *)arg;
1412 		darg.data_size = sizeof (*arg);
1413 		darg.desc_ptr = NULL;
1414 		darg.desc_num = 0;
1415 		darg.rbuf = (char *)rvalp;
1416 		darg.rsize = rlen;
1417 		if (door_call(doorfd, &darg) != 0) {
1418 			(void) close(doorfd);
1419 			/*
1420 			 * We'll get EBADF if the door has been revoked.
1421 			 */
1422 			if (errno != EBADF) {
1423 				zperror(gettext("door_call failed"), B_FALSE);
1424 				break;
1425 			}
1426 			continue;	/* take another lap */
1427 		}
1428 		(void) close(doorfd);
1429 
1430 		if (darg.data_size == 0) {
1431 			/* Door server is going away; kick it again. */
1432 			continue;
1433 		}
1434 
1435 		errbuf = rvalp->errbuf;
1436 		while (*errbuf != '\0') {
1437 			/*
1438 			 * Remove any newlines since zerror()
1439 			 * will append one automatically.
1440 			 */
1441 			cp = strchr(errbuf, '\n');
1442 			if (cp != NULL)
1443 				*cp = '\0';
1444 			zerror("%s", errbuf);
1445 			if (cp == NULL)
1446 				break;
1447 			errbuf = cp + 1;
1448 		}
1449 		result = rvalp->rval == 0 ? 0 : -1;
1450 		free(rvalp);
1451 		return (result);
1452 	}
1453 
1454 	free(rvalp);
1455 	return (-1);
1456 }
1457 
1458 static int
1459 invoke_brand_handler(int cmd_num, char *argv[])
1460 {
1461 	zone_dochandle_t handle;
1462 	int err;
1463 
1464 	if ((handle = zonecfg_init_handle()) == NULL) {
1465 		zperror(cmd_to_str(cmd_num), B_TRUE);
1466 		return (Z_ERR);
1467 	}
1468 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
1469 		errno = err;
1470 		zperror(cmd_to_str(cmd_num), B_TRUE);
1471 		zonecfg_fini_handle(handle);
1472 		return (Z_ERR);
1473 	}
1474 	if (verify_brand(handle, cmd_num, argv) != Z_OK) {
1475 		zonecfg_fini_handle(handle);
1476 		return (Z_ERR);
1477 	}
1478 	zonecfg_fini_handle(handle);
1479 	return (Z_OK);
1480 }
1481 
1482 static int
1483 ready_func(int argc, char *argv[])
1484 {
1485 	zone_cmd_arg_t zarg;
1486 	int arg;
1487 
1488 	if (zonecfg_in_alt_root()) {
1489 		zerror(gettext("cannot ready zone in alternate root"));
1490 		return (Z_ERR);
1491 	}
1492 
1493 	optind = 0;
1494 	if ((arg = getopt(argc, argv, "?")) != EOF) {
1495 		switch (arg) {
1496 		case '?':
1497 			sub_usage(SHELP_READY, CMD_READY);
1498 			return (optopt == '?' ? Z_OK : Z_USAGE);
1499 		default:
1500 			sub_usage(SHELP_READY, CMD_READY);
1501 			return (Z_USAGE);
1502 		}
1503 	}
1504 	if (argc > optind) {
1505 		sub_usage(SHELP_READY, CMD_READY);
1506 		return (Z_USAGE);
1507 	}
1508 	if (sanity_check(target_zone, CMD_READY, B_FALSE, B_FALSE, B_FALSE)
1509 	    != Z_OK)
1510 		return (Z_ERR);
1511 	if (verify_details(CMD_READY, argv) != Z_OK)
1512 		return (Z_ERR);
1513 
1514 	zarg.cmd = Z_READY;
1515 	if (call_zoneadmd(target_zone, &zarg) != 0) {
1516 		zerror(gettext("call to %s failed"), "zoneadmd");
1517 		return (Z_ERR);
1518 	}
1519 	return (Z_OK);
1520 }
1521 
1522 static int
1523 boot_func(int argc, char *argv[])
1524 {
1525 	zone_cmd_arg_t zarg;
1526 	boolean_t force = B_FALSE;
1527 	int arg;
1528 
1529 	if (zonecfg_in_alt_root()) {
1530 		zerror(gettext("cannot boot zone in alternate root"));
1531 		return (Z_ERR);
1532 	}
1533 
1534 	zarg.bootbuf[0] = '\0';
1535 
1536 	/*
1537 	 * The following getopt processes arguments to zone boot; that
1538 	 * is to say, the [here] portion of the argument string:
1539 	 *
1540 	 *	zoneadm -z myzone boot [here] -- -v -m verbose
1541 	 *
1542 	 * Where [here] can either be nothing, -? (in which case we bail
1543 	 * and print usage), -f (a private option to indicate that the
1544 	 * boot operation should be 'forced'), or -s.  Support for -s is
1545 	 * vestigal and obsolete, but is retained because it was a
1546 	 * documented interface and there are known consumers including
1547 	 * admin/install; the proper way to specify boot arguments like -s
1548 	 * is:
1549 	 *
1550 	 *	zoneadm -z myzone boot -- -s -v -m verbose.
1551 	 */
1552 	optind = 0;
1553 	while ((arg = getopt(argc, argv, "?fs")) != EOF) {
1554 		switch (arg) {
1555 		case '?':
1556 			sub_usage(SHELP_BOOT, CMD_BOOT);
1557 			return (optopt == '?' ? Z_OK : Z_USAGE);
1558 		case 's':
1559 			(void) strlcpy(zarg.bootbuf, "-s",
1560 			    sizeof (zarg.bootbuf));
1561 			break;
1562 		case 'f':
1563 			force = B_TRUE;
1564 			break;
1565 		default:
1566 			sub_usage(SHELP_BOOT, CMD_BOOT);
1567 			return (Z_USAGE);
1568 		}
1569 	}
1570 
1571 	for (; optind < argc; optind++) {
1572 		if (strlcat(zarg.bootbuf, argv[optind],
1573 		    sizeof (zarg.bootbuf)) >= sizeof (zarg.bootbuf)) {
1574 			zerror(gettext("Boot argument list too long"));
1575 			return (Z_ERR);
1576 		}
1577 		if (optind < argc - 1)
1578 			if (strlcat(zarg.bootbuf, " ", sizeof (zarg.bootbuf)) >=
1579 			    sizeof (zarg.bootbuf)) {
1580 				zerror(gettext("Boot argument list too long"));
1581 				return (Z_ERR);
1582 			}
1583 	}
1584 	if (sanity_check(target_zone, CMD_BOOT, B_FALSE, B_FALSE, force)
1585 	    != Z_OK)
1586 		return (Z_ERR);
1587 	if (verify_details(CMD_BOOT, argv) != Z_OK)
1588 		return (Z_ERR);
1589 	zarg.cmd = force ? Z_FORCEBOOT : Z_BOOT;
1590 	if (call_zoneadmd(target_zone, &zarg) != 0) {
1591 		zerror(gettext("call to %s failed"), "zoneadmd");
1592 		return (Z_ERR);
1593 	}
1594 
1595 	return (Z_OK);
1596 }
1597 
1598 static void
1599 fake_up_local_zone(zoneid_t zid, zone_entry_t *zeptr)
1600 {
1601 	ssize_t result;
1602 	uuid_t uuid;
1603 	FILE *fp;
1604 	ushort_t flags;
1605 
1606 	(void) memset(zeptr, 0, sizeof (*zeptr));
1607 
1608 	zeptr->zid = zid;
1609 
1610 	/*
1611 	 * Since we're looking up our own (non-global) zone name,
1612 	 * we can be assured that it will succeed.
1613 	 */
1614 	result = getzonenamebyid(zid, zeptr->zname, sizeof (zeptr->zname));
1615 	assert(result >= 0);
1616 	if (zonecfg_is_scratch(zeptr->zname) &&
1617 	    (fp = zonecfg_open_scratch("", B_FALSE)) != NULL) {
1618 		(void) zonecfg_reverse_scratch(fp, zeptr->zname, zeptr->zname,
1619 		    sizeof (zeptr->zname), NULL, 0);
1620 		zonecfg_close_scratch(fp);
1621 	}
1622 
1623 	if (is_system_labeled()) {
1624 		(void) zone_getattr(zid, ZONE_ATTR_ROOT, zeptr->zroot,
1625 		    sizeof (zeptr->zroot));
1626 		(void) strlcpy(zeptr->zbrand, NATIVE_BRAND_NAME,
1627 			    sizeof (zeptr->zbrand));
1628 	} else {
1629 		(void) strlcpy(zeptr->zroot, "/", sizeof (zeptr->zroot));
1630 		(void) zone_getattr(zid, ZONE_ATTR_BRAND, zeptr->zbrand,
1631 		    sizeof (zeptr->zbrand));
1632 	}
1633 
1634 	zeptr->zstate_str = "running";
1635 	if (zonecfg_get_uuid(zeptr->zname, uuid) == Z_OK &&
1636 	    !uuid_is_null(uuid))
1637 		uuid_unparse(uuid, zeptr->zuuid);
1638 
1639 	if (zone_getattr(zid, ZONE_ATTR_FLAGS, &flags, sizeof (flags)) < 0) {
1640 		zperror2(zeptr->zname, gettext("could not get zone flags"));
1641 		exit(Z_ERR);
1642 	}
1643 	if (flags & ZF_NET_EXCL)
1644 		zeptr->ziptype = ZS_EXCLUSIVE;
1645 	else
1646 		zeptr->ziptype = ZS_SHARED;
1647 }
1648 
1649 static int
1650 list_func(int argc, char *argv[])
1651 {
1652 	zone_entry_t *zentp, zent;
1653 	int arg, retv;
1654 	boolean_t output = B_FALSE, verbose = B_FALSE, parsable = B_FALSE;
1655 	zone_state_t min_state = ZONE_STATE_RUNNING;
1656 	zoneid_t zone_id = getzoneid();
1657 
1658 	if (target_zone == NULL) {
1659 		/* all zones: default view to running but allow override */
1660 		optind = 0;
1661 		while ((arg = getopt(argc, argv, "?cipv")) != EOF) {
1662 			switch (arg) {
1663 			case '?':
1664 				sub_usage(SHELP_LIST, CMD_LIST);
1665 				return (optopt == '?' ? Z_OK : Z_USAGE);
1666 				/*
1667 				 * The 'i' and 'c' options are not mutually
1668 				 * exclusive so if 'c' is given, then min_state
1669 				 * is set to 0 (ZONE_STATE_CONFIGURED) which is
1670 				 * the lowest possible state.  If 'i' is given,
1671 				 * then min_state is set to be the lowest state
1672 				 * so far.
1673 				 */
1674 			case 'c':
1675 				min_state = ZONE_STATE_CONFIGURED;
1676 				break;
1677 			case 'i':
1678 				min_state = min(ZONE_STATE_INSTALLED,
1679 				    min_state);
1680 
1681 				break;
1682 			case 'p':
1683 				parsable = B_TRUE;
1684 				break;
1685 			case 'v':
1686 				verbose = B_TRUE;
1687 				break;
1688 			default:
1689 				sub_usage(SHELP_LIST, CMD_LIST);
1690 				return (Z_USAGE);
1691 			}
1692 		}
1693 		if (parsable && verbose) {
1694 			zerror(gettext("%s -p and -v are mutually exclusive."),
1695 			    cmd_to_str(CMD_LIST));
1696 			return (Z_ERR);
1697 		}
1698 		if (zone_id == GLOBAL_ZONEID || is_system_labeled()) {
1699 			retv = zone_print_list(min_state, verbose, parsable);
1700 		} else {
1701 			fake_up_local_zone(zone_id, &zent);
1702 			retv = Z_OK;
1703 			zone_print(&zent, verbose, parsable);
1704 		}
1705 		return (retv);
1706 	}
1707 
1708 	/*
1709 	 * Specific target zone: disallow -i/-c suboptions.
1710 	 */
1711 	optind = 0;
1712 	while ((arg = getopt(argc, argv, "?pv")) != EOF) {
1713 		switch (arg) {
1714 		case '?':
1715 			sub_usage(SHELP_LIST, CMD_LIST);
1716 			return (optopt == '?' ? Z_OK : Z_USAGE);
1717 		case 'p':
1718 			parsable = B_TRUE;
1719 			break;
1720 		case 'v':
1721 			verbose = B_TRUE;
1722 			break;
1723 		default:
1724 			sub_usage(SHELP_LIST, CMD_LIST);
1725 			return (Z_USAGE);
1726 		}
1727 	}
1728 	if (parsable && verbose) {
1729 		zerror(gettext("%s -p and -v are mutually exclusive."),
1730 		    cmd_to_str(CMD_LIST));
1731 		return (Z_ERR);
1732 	}
1733 	if (argc > optind) {
1734 		sub_usage(SHELP_LIST, CMD_LIST);
1735 		return (Z_USAGE);
1736 	}
1737 	if (zone_id != GLOBAL_ZONEID) {
1738 		fake_up_local_zone(zone_id, &zent);
1739 		/*
1740 		 * main() will issue a Z_NO_ZONE error if it cannot get an
1741 		 * id for target_zone, which in a non-global zone should
1742 		 * happen for any zone name except `zonename`.  Thus we
1743 		 * assert() that here but don't otherwise check.
1744 		 */
1745 		assert(strcmp(zent.zname, target_zone) == 0);
1746 		zone_print(&zent, verbose, parsable);
1747 		output = B_TRUE;
1748 	} else if ((zentp = lookup_running_zone(target_zone)) != NULL) {
1749 		zone_print(zentp, verbose, parsable);
1750 		output = B_TRUE;
1751 	} else if (lookup_zone_info(target_zone, ZONE_ID_UNDEFINED,
1752 	    &zent) == Z_OK) {
1753 		zone_print(&zent, verbose, parsable);
1754 		output = B_TRUE;
1755 	}
1756 
1757 	/*
1758 	 * Invoke brand-specific handler. Note that we do this
1759 	 * only if we're in the global zone, and target_zone is specified.
1760 	 */
1761 	if (zone_id == GLOBAL_ZONEID && target_zone != NULL)
1762 		if (invoke_brand_handler(CMD_LIST, argv) != Z_OK)
1763 			return (Z_ERR);
1764 
1765 	return (output ? Z_OK : Z_ERR);
1766 }
1767 
1768 static void
1769 sigterm(int sig)
1770 {
1771 	/*
1772 	 * Ignore SIG{INT,TERM}, so we don't end up in an infinite loop,
1773 	 * then propagate the signal to our process group.
1774 	 */
1775 	assert(sig == SIGINT || sig == SIGTERM);
1776 	(void) sigset(SIGINT, SIG_IGN);
1777 	(void) sigset(SIGTERM, SIG_IGN);
1778 	(void) kill(0, sig);
1779 	child_killed = B_TRUE;
1780 }
1781 
1782 static int
1783 do_subproc(char *cmdbuf)
1784 {
1785 	char inbuf[1024];	/* arbitrary large amount */
1786 	FILE *file;
1787 
1788 	do_subproc_cnt++;
1789 	child_killed = B_FALSE;
1790 	/*
1791 	 * We use popen(3c) to launch child processes for [un]install;
1792 	 * this library call does not return a PID, so we have to kill
1793 	 * the whole process group.  To avoid killing our parent, we
1794 	 * become a process group leader here.  But doing so can wreak
1795 	 * havoc with reading from stdin when launched by a non-job-control
1796 	 * shell, so we close stdin and reopen it as /dev/null first.
1797 	 */
1798 	(void) close(STDIN_FILENO);
1799 	(void) openat(STDIN_FILENO, "/dev/null", O_RDONLY);
1800 	if (!zoneadm_is_nested)
1801 		(void) setpgid(0, 0);
1802 	(void) sigset(SIGINT, sigterm);
1803 	(void) sigset(SIGTERM, sigterm);
1804 	file = popen(cmdbuf, "r");
1805 	for (;;) {
1806 		if (child_killed || fgets(inbuf, sizeof (inbuf), file) == NULL)
1807 			break;
1808 		(void) fputs(inbuf, stdout);
1809 	}
1810 	(void) sigset(SIGINT, SIG_DFL);
1811 	(void) sigset(SIGTERM, SIG_DFL);
1812 	return (pclose(file));
1813 }
1814 
1815 static int
1816 do_subproc_interactive(char *cmdbuf)
1817 {
1818 	void (*saveint)(int);
1819 	void (*saveterm)(int);
1820 	void (*savequit)(int);
1821 	void (*savehup)(int);
1822 	int pid, child, status;
1823 
1824 	/*
1825 	 * do_subproc() links stdin to /dev/null, which would break any
1826 	 * interactive subprocess we try to launch here.  Similarly, we
1827 	 * can't have been launched as a subprocess ourselves.
1828 	 */
1829 	assert(do_subproc_cnt == 0 && !zoneadm_is_nested);
1830 
1831 	if ((child = vfork()) == 0) {
1832 		(void) execl("/bin/sh", "sh", "-c", cmdbuf, (char *)NULL);
1833 	}
1834 
1835 	if (child == -1)
1836 		return (-1);
1837 
1838 	saveint = sigset(SIGINT, SIG_IGN);
1839 	saveterm = sigset(SIGTERM, SIG_IGN);
1840 	savequit = sigset(SIGQUIT, SIG_IGN);
1841 	savehup = sigset(SIGHUP, SIG_IGN);
1842 
1843 	while ((pid = waitpid(child, &status, 0)) != child && pid != -1)
1844 		;
1845 
1846 	(void) sigset(SIGINT, saveint);
1847 	(void) sigset(SIGTERM, saveterm);
1848 	(void) sigset(SIGQUIT, savequit);
1849 	(void) sigset(SIGHUP, savehup);
1850 
1851 	return (pid == -1 ? -1 : status);
1852 }
1853 
1854 static int
1855 subproc_status(const char *cmd, int status, boolean_t verbose_failure)
1856 {
1857 	if (WIFEXITED(status)) {
1858 		int exit_code = WEXITSTATUS(status);
1859 
1860 		if ((verbose_failure) && (exit_code != ZONE_SUBPROC_OK))
1861 			zerror(gettext("'%s' failed with exit code %d."), cmd,
1862 			    exit_code);
1863 
1864 		return (exit_code);
1865 	} else if (WIFSIGNALED(status)) {
1866 		int signal = WTERMSIG(status);
1867 		char sigstr[SIG2STR_MAX];
1868 
1869 		if (sig2str(signal, sigstr) == 0) {
1870 			zerror(gettext("'%s' terminated by signal SIG%s."), cmd,
1871 			    sigstr);
1872 		} else {
1873 			zerror(gettext("'%s' terminated by an unknown signal."),
1874 			    cmd);
1875 		}
1876 	} else {
1877 		zerror(gettext("'%s' failed for unknown reasons."), cmd);
1878 	}
1879 
1880 	/*
1881 	 * Assume a subprocess that died due to a signal or an unknown error
1882 	 * should be considered an exit code of ZONE_SUBPROC_FATAL, as the
1883 	 * user will likely need to do some manual cleanup.
1884 	 */
1885 	return (ZONE_SUBPROC_FATAL);
1886 }
1887 
1888 /*
1889  * Various sanity checks; make sure:
1890  * 1. We're in the global zone.
1891  * 2. The calling user has sufficient privilege.
1892  * 3. The target zone is neither the global zone nor anything starting with
1893  *    "SUNW".
1894  * 4a. If we're looking for a 'not running' (i.e., configured or installed)
1895  *     zone, the name service knows about it.
1896  * 4b. For some operations which expect a zone not to be running, that it is
1897  *     not already running (or ready).
1898  */
1899 static int
1900 sanity_check(char *zone, int cmd_num, boolean_t running,
1901     boolean_t unsafe_when_running, boolean_t force)
1902 {
1903 	zone_entry_t *zent;
1904 	priv_set_t *privset;
1905 	zone_state_t state, min_state;
1906 	char kernzone[ZONENAME_MAX];
1907 	FILE *fp;
1908 
1909 	if (getzoneid() != GLOBAL_ZONEID) {
1910 		switch (cmd_num) {
1911 		case CMD_HALT:
1912 			zerror(gettext("use %s to %s this zone."), "halt(1M)",
1913 			    cmd_to_str(cmd_num));
1914 			break;
1915 		case CMD_REBOOT:
1916 			zerror(gettext("use %s to %s this zone."),
1917 			    "reboot(1M)", cmd_to_str(cmd_num));
1918 			break;
1919 		default:
1920 			zerror(gettext("must be in the global zone to %s a "
1921 			    "zone."), cmd_to_str(cmd_num));
1922 			break;
1923 		}
1924 		return (Z_ERR);
1925 	}
1926 
1927 	if ((privset = priv_allocset()) == NULL) {
1928 		zerror(gettext("%s failed"), "priv_allocset");
1929 		return (Z_ERR);
1930 	}
1931 
1932 	if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1933 		zerror(gettext("%s failed"), "getppriv");
1934 		priv_freeset(privset);
1935 		return (Z_ERR);
1936 	}
1937 
1938 	if (priv_isfullset(privset) == B_FALSE) {
1939 		zerror(gettext("only a privileged user may %s a zone."),
1940 		    cmd_to_str(cmd_num));
1941 		priv_freeset(privset);
1942 		return (Z_ERR);
1943 	}
1944 	priv_freeset(privset);
1945 
1946 	if (zone == NULL) {
1947 		zerror(gettext("no zone specified"));
1948 		return (Z_ERR);
1949 	}
1950 
1951 	if (strcmp(zone, GLOBAL_ZONENAME) == 0) {
1952 		zerror(gettext("%s operation is invalid for the global zone."),
1953 		    cmd_to_str(cmd_num));
1954 		return (Z_ERR);
1955 	}
1956 
1957 	if (strncmp(zone, "SUNW", 4) == 0) {
1958 		zerror(gettext("%s operation is invalid for zones starting "
1959 		    "with SUNW."), cmd_to_str(cmd_num));
1960 		return (Z_ERR);
1961 	}
1962 
1963 	if (!is_native_zone && cmd_num == CMD_MOUNT) {
1964 		zerror(gettext("%s operation is invalid for branded zones."),
1965 		    cmd_to_str(cmd_num));
1966 			return (Z_ERR);
1967 	}
1968 
1969 	if (!zonecfg_in_alt_root()) {
1970 		zent = lookup_running_zone(zone);
1971 	} else if ((fp = zonecfg_open_scratch("", B_FALSE)) == NULL) {
1972 		zent = NULL;
1973 	} else {
1974 		if (zonecfg_find_scratch(fp, zone, zonecfg_get_root(),
1975 		    kernzone, sizeof (kernzone)) == 0)
1976 			zent = lookup_running_zone(kernzone);
1977 		else
1978 			zent = NULL;
1979 		zonecfg_close_scratch(fp);
1980 	}
1981 
1982 	/*
1983 	 * Look up from the kernel for 'running' zones.
1984 	 */
1985 	if (running && !force) {
1986 		if (zent == NULL) {
1987 			zerror(gettext("not running"));
1988 			return (Z_ERR);
1989 		}
1990 	} else {
1991 		int err;
1992 
1993 		if (unsafe_when_running && zent != NULL) {
1994 			/* check whether the zone is ready or running */
1995 			if ((err = zone_get_state(zent->zname,
1996 			    &zent->zstate_num)) != Z_OK) {
1997 				errno = err;
1998 				zperror2(zent->zname,
1999 				    gettext("could not get state"));
2000 				/* can't tell, so hedge */
2001 				zent->zstate_str = "ready/running";
2002 			} else {
2003 				zent->zstate_str =
2004 				    zone_state_str(zent->zstate_num);
2005 			}
2006 			zerror(gettext("%s operation is invalid for %s zones."),
2007 			    cmd_to_str(cmd_num), zent->zstate_str);
2008 			return (Z_ERR);
2009 		}
2010 		if ((err = zone_get_state(zone, &state)) != Z_OK) {
2011 			errno = err;
2012 			zperror2(zone, gettext("could not get state"));
2013 			return (Z_ERR);
2014 		}
2015 		switch (cmd_num) {
2016 		case CMD_UNINSTALL:
2017 			if (state == ZONE_STATE_CONFIGURED) {
2018 				zerror(gettext("is already in state '%s'."),
2019 				    zone_state_str(ZONE_STATE_CONFIGURED));
2020 				return (Z_ERR);
2021 			}
2022 			break;
2023 		case CMD_ATTACH:
2024 		case CMD_CLONE:
2025 		case CMD_INSTALL:
2026 			if (state == ZONE_STATE_INSTALLED) {
2027 				zerror(gettext("is already %s."),
2028 				    zone_state_str(ZONE_STATE_INSTALLED));
2029 				return (Z_ERR);
2030 			} else if (state == ZONE_STATE_INCOMPLETE) {
2031 				zerror(gettext("zone is %s; %s required."),
2032 				    zone_state_str(ZONE_STATE_INCOMPLETE),
2033 				    cmd_to_str(CMD_UNINSTALL));
2034 				return (Z_ERR);
2035 			}
2036 			break;
2037 		case CMD_DETACH:
2038 		case CMD_MOVE:
2039 		case CMD_READY:
2040 		case CMD_BOOT:
2041 		case CMD_MOUNT:
2042 		case CMD_MARK:
2043 			if ((cmd_num == CMD_BOOT || cmd_num == CMD_MOUNT) &&
2044 			    force)
2045 				min_state = ZONE_STATE_INCOMPLETE;
2046 			else
2047 				min_state = ZONE_STATE_INSTALLED;
2048 
2049 			if (force && cmd_num == CMD_BOOT && is_native_zone) {
2050 				zerror(gettext("Only branded zones may be "
2051 				    "force-booted."));
2052 				return (Z_ERR);
2053 			}
2054 
2055 			if (state < min_state) {
2056 				zerror(gettext("must be %s before %s."),
2057 				    zone_state_str(min_state),
2058 				    cmd_to_str(cmd_num));
2059 				return (Z_ERR);
2060 			}
2061 			break;
2062 		case CMD_VERIFY:
2063 			if (state == ZONE_STATE_INCOMPLETE) {
2064 				zerror(gettext("zone is %s; %s required."),
2065 				    zone_state_str(ZONE_STATE_INCOMPLETE),
2066 				    cmd_to_str(CMD_UNINSTALL));
2067 				return (Z_ERR);
2068 			}
2069 			break;
2070 		case CMD_UNMOUNT:
2071 			if (state != ZONE_STATE_MOUNTED) {
2072 				zerror(gettext("must be %s before %s."),
2073 				    zone_state_str(ZONE_STATE_MOUNTED),
2074 				    cmd_to_str(cmd_num));
2075 				return (Z_ERR);
2076 			}
2077 			break;
2078 		}
2079 	}
2080 	return (Z_OK);
2081 }
2082 
2083 static int
2084 halt_func(int argc, char *argv[])
2085 {
2086 	zone_cmd_arg_t zarg;
2087 	int arg;
2088 
2089 	if (zonecfg_in_alt_root()) {
2090 		zerror(gettext("cannot halt zone in alternate root"));
2091 		return (Z_ERR);
2092 	}
2093 
2094 	optind = 0;
2095 	if ((arg = getopt(argc, argv, "?")) != EOF) {
2096 		switch (arg) {
2097 		case '?':
2098 			sub_usage(SHELP_HALT, CMD_HALT);
2099 			return (optopt == '?' ? Z_OK : Z_USAGE);
2100 		default:
2101 			sub_usage(SHELP_HALT, CMD_HALT);
2102 			return (Z_USAGE);
2103 		}
2104 	}
2105 	if (argc > optind) {
2106 		sub_usage(SHELP_HALT, CMD_HALT);
2107 		return (Z_USAGE);
2108 	}
2109 	/*
2110 	 * zoneadmd should be the one to decide whether or not to proceed,
2111 	 * so even though it seems that the fourth parameter below should
2112 	 * perhaps be B_TRUE, it really shouldn't be.
2113 	 */
2114 	if (sanity_check(target_zone, CMD_HALT, B_FALSE, B_FALSE, B_FALSE)
2115 	    != Z_OK)
2116 		return (Z_ERR);
2117 
2118 	/*
2119 	 * Invoke brand-specific handler.
2120 	 */
2121 	if (invoke_brand_handler(CMD_HALT, argv) != Z_OK)
2122 		return (Z_ERR);
2123 
2124 	zarg.cmd = Z_HALT;
2125 	return ((call_zoneadmd(target_zone, &zarg) == 0) ? Z_OK : Z_ERR);
2126 }
2127 
2128 static int
2129 reboot_func(int argc, char *argv[])
2130 {
2131 	zone_cmd_arg_t zarg;
2132 	int arg;
2133 
2134 	if (zonecfg_in_alt_root()) {
2135 		zerror(gettext("cannot reboot zone in alternate root"));
2136 		return (Z_ERR);
2137 	}
2138 
2139 	optind = 0;
2140 	if ((arg = getopt(argc, argv, "?")) != EOF) {
2141 		switch (arg) {
2142 		case '?':
2143 			sub_usage(SHELP_REBOOT, CMD_REBOOT);
2144 			return (optopt == '?' ? Z_OK : Z_USAGE);
2145 		default:
2146 			sub_usage(SHELP_REBOOT, CMD_REBOOT);
2147 			return (Z_USAGE);
2148 		}
2149 	}
2150 
2151 	zarg.bootbuf[0] = '\0';
2152 	for (; optind < argc; optind++) {
2153 		if (strlcat(zarg.bootbuf, argv[optind],
2154 		    sizeof (zarg.bootbuf)) >= sizeof (zarg.bootbuf)) {
2155 			zerror(gettext("Boot argument list too long"));
2156 			return (Z_ERR);
2157 		}
2158 		if (optind < argc - 1)
2159 			if (strlcat(zarg.bootbuf, " ", sizeof (zarg.bootbuf)) >=
2160 			    sizeof (zarg.bootbuf)) {
2161 				zerror(gettext("Boot argument list too long"));
2162 				return (Z_ERR);
2163 			}
2164 	}
2165 
2166 
2167 	/*
2168 	 * zoneadmd should be the one to decide whether or not to proceed,
2169 	 * so even though it seems that the fourth parameter below should
2170 	 * perhaps be B_TRUE, it really shouldn't be.
2171 	 */
2172 	if (sanity_check(target_zone, CMD_REBOOT, B_TRUE, B_FALSE, B_FALSE)
2173 	    != Z_OK)
2174 		return (Z_ERR);
2175 	if (verify_details(CMD_REBOOT, argv) != Z_OK)
2176 		return (Z_ERR);
2177 
2178 	zarg.cmd = Z_REBOOT;
2179 	return ((call_zoneadmd(target_zone, &zarg) == 0) ? Z_OK : Z_ERR);
2180 }
2181 
2182 static int
2183 verify_brand(zone_dochandle_t handle, int cmd_num, char *argv[])
2184 {
2185 	char cmdbuf[MAXPATHLEN];
2186 	int err;
2187 	char zonepath[MAXPATHLEN];
2188 	brand_handle_t bh = NULL;
2189 	int status, i;
2190 
2191 	/*
2192 	 * Fetch the verify command from the brand configuration.
2193 	 * "exec" the command so that the returned status is that of
2194 	 * the command and not the shell.
2195 	 */
2196 	if ((err = zonecfg_get_zonepath(handle, zonepath, sizeof (zonepath))) !=
2197 	    Z_OK) {
2198 		errno = err;
2199 		zperror(cmd_to_str(cmd_num), B_TRUE);
2200 		return (Z_ERR);
2201 	}
2202 	if ((bh = brand_open(target_brand)) == NULL) {
2203 		zerror(gettext("missing or invalid brand"));
2204 		return (Z_ERR);
2205 	}
2206 
2207 	/*
2208 	 * If the brand has its own verification routine, execute it now.
2209 	 * The verification routine validates the intended zoneadm
2210 	 * operation for the specific brand. The zoneadm subcommand and
2211 	 * all its arguments are passed to the routine.
2212 	 */
2213 	(void) strcpy(cmdbuf, EXEC_PREFIX);
2214 	err = brand_get_verify_adm(bh, target_zone, zonepath,
2215 	    cmdbuf + EXEC_LEN, sizeof (cmdbuf) - EXEC_LEN, 0, NULL);
2216 	brand_close(bh);
2217 	if (err != 0)
2218 		return (Z_BRAND_ERROR);
2219 	if (strlen(cmdbuf) <= EXEC_LEN)
2220 		return (Z_OK);
2221 
2222 	if (strlcat(cmdbuf, cmd_to_str(cmd_num),
2223 	    sizeof (cmdbuf)) >= sizeof (cmdbuf))
2224 		return (Z_ERR);
2225 
2226 	/* Build the argv string */
2227 	i = 0;
2228 	while (argv[i] != NULL) {
2229 		if ((strlcat(cmdbuf, " ",
2230 		    sizeof (cmdbuf)) >= sizeof (cmdbuf)) ||
2231 		    (strlcat(cmdbuf, argv[i++],
2232 		    sizeof (cmdbuf)) >= sizeof (cmdbuf)))
2233 			return (Z_ERR);
2234 	}
2235 
2236 	status = do_subproc_interactive(cmdbuf);
2237 	err = subproc_status(gettext("brand-specific verification"),
2238 	    status, B_FALSE);
2239 
2240 	return ((err == ZONE_SUBPROC_OK) ? Z_OK : Z_BRAND_ERROR);
2241 }
2242 
2243 static int
2244 verify_rctls(zone_dochandle_t handle)
2245 {
2246 	struct zone_rctltab rctltab;
2247 	size_t rbs = rctlblk_size();
2248 	rctlblk_t *rctlblk;
2249 	int error = Z_INVAL;
2250 
2251 	if ((rctlblk = malloc(rbs)) == NULL) {
2252 		zerror(gettext("failed to allocate %lu bytes: %s"), rbs,
2253 		    strerror(errno));
2254 		return (Z_NOMEM);
2255 	}
2256 
2257 	if (zonecfg_setrctlent(handle) != Z_OK) {
2258 		zerror(gettext("zonecfg_setrctlent failed"));
2259 		free(rctlblk);
2260 		return (error);
2261 	}
2262 
2263 	rctltab.zone_rctl_valptr = NULL;
2264 	while (zonecfg_getrctlent(handle, &rctltab) == Z_OK) {
2265 		struct zone_rctlvaltab *rctlval;
2266 		const char *name = rctltab.zone_rctl_name;
2267 
2268 		if (!zonecfg_is_rctl(name)) {
2269 			zerror(gettext("WARNING: Ignoring unrecognized rctl "
2270 			    "'%s'."),  name);
2271 			zonecfg_free_rctl_value_list(rctltab.zone_rctl_valptr);
2272 			rctltab.zone_rctl_valptr = NULL;
2273 			continue;
2274 		}
2275 
2276 		for (rctlval = rctltab.zone_rctl_valptr; rctlval != NULL;
2277 		    rctlval = rctlval->zone_rctlval_next) {
2278 			if (zonecfg_construct_rctlblk(rctlval, rctlblk)
2279 			    != Z_OK) {
2280 				zerror(gettext("invalid rctl value: "
2281 				    "(priv=%s,limit=%s,action%s)"),
2282 				    rctlval->zone_rctlval_priv,
2283 				    rctlval->zone_rctlval_limit,
2284 				    rctlval->zone_rctlval_action);
2285 				goto out;
2286 			}
2287 			if (!zonecfg_valid_rctl(name, rctlblk)) {
2288 				zerror(gettext("(priv=%s,limit=%s,action=%s) "
2289 				    "is not a valid value for rctl '%s'"),
2290 				    rctlval->zone_rctlval_priv,
2291 				    rctlval->zone_rctlval_limit,
2292 				    rctlval->zone_rctlval_action,
2293 				    name);
2294 				goto out;
2295 			}
2296 		}
2297 		zonecfg_free_rctl_value_list(rctltab.zone_rctl_valptr);
2298 	}
2299 	rctltab.zone_rctl_valptr = NULL;
2300 	error = Z_OK;
2301 out:
2302 	zonecfg_free_rctl_value_list(rctltab.zone_rctl_valptr);
2303 	(void) zonecfg_endrctlent(handle);
2304 	free(rctlblk);
2305 	return (error);
2306 }
2307 
2308 static int
2309 verify_pool(zone_dochandle_t handle)
2310 {
2311 	char poolname[MAXPATHLEN];
2312 	pool_conf_t *poolconf;
2313 	pool_t *pool;
2314 	int status;
2315 	int error;
2316 
2317 	/*
2318 	 * This ends up being very similar to the check done in zoneadmd.
2319 	 */
2320 	error = zonecfg_get_pool(handle, poolname, sizeof (poolname));
2321 	if (error == Z_NO_ENTRY || (error == Z_OK && strlen(poolname) == 0)) {
2322 		/*
2323 		 * No pool specified.
2324 		 */
2325 		return (0);
2326 	}
2327 	if (error != Z_OK) {
2328 		zperror(gettext("Unable to retrieve pool name from "
2329 		    "configuration"), B_TRUE);
2330 		return (error);
2331 	}
2332 	/*
2333 	 * Don't do anything if pools aren't enabled.
2334 	 */
2335 	if (pool_get_status(&status) != PO_SUCCESS || status != POOL_ENABLED) {
2336 		zerror(gettext("WARNING: pools facility not active; "
2337 		    "zone will not be bound to pool '%s'."), poolname);
2338 		return (Z_OK);
2339 	}
2340 	/*
2341 	 * Try to provide a sane error message if the requested pool doesn't
2342 	 * exist.  It isn't clear that pools-related failures should
2343 	 * necessarily translate to a failure to verify the zone configuration,
2344 	 * hence they are not considered errors.
2345 	 */
2346 	if ((poolconf = pool_conf_alloc()) == NULL) {
2347 		zerror(gettext("WARNING: pool_conf_alloc failed; "
2348 		    "using default pool"));
2349 		return (Z_OK);
2350 	}
2351 	if (pool_conf_open(poolconf, pool_dynamic_location(), PO_RDONLY) !=
2352 	    PO_SUCCESS) {
2353 		zerror(gettext("WARNING: pool_conf_open failed; "
2354 		    "using default pool"));
2355 		pool_conf_free(poolconf);
2356 		return (Z_OK);
2357 	}
2358 	pool = pool_get_pool(poolconf, poolname);
2359 	(void) pool_conf_close(poolconf);
2360 	pool_conf_free(poolconf);
2361 	if (pool == NULL) {
2362 		zerror(gettext("WARNING: pool '%s' not found. "
2363 		    "using default pool"), poolname);
2364 	}
2365 
2366 	return (Z_OK);
2367 }
2368 
2369 static int
2370 verify_ipd(zone_dochandle_t handle)
2371 {
2372 	int return_code = Z_OK;
2373 	struct zone_fstab fstab;
2374 	struct stat st;
2375 	char specdir[MAXPATHLEN];
2376 
2377 	if (zonecfg_setipdent(handle) != Z_OK) {
2378 		/*
2379 		 * TRANSLATION_NOTE
2380 		 * inherit-pkg-dirs is a literal that should not be translated.
2381 		 */
2382 		(void) fprintf(stderr, gettext("could not verify "
2383 		    "inherit-pkg-dirs: unable to enumerate mounts\n"));
2384 		return (Z_ERR);
2385 	}
2386 	while (zonecfg_getipdent(handle, &fstab) == Z_OK) {
2387 		/*
2388 		 * Verify fs_dir exists.
2389 		 */
2390 		(void) snprintf(specdir, sizeof (specdir), "%s%s",
2391 		    zonecfg_get_root(), fstab.zone_fs_dir);
2392 		if (stat(specdir, &st) != 0) {
2393 			/*
2394 			 * TRANSLATION_NOTE
2395 			 * inherit-pkg-dir is a literal that should not be
2396 			 * translated.
2397 			 */
2398 			(void) fprintf(stderr, gettext("could not verify "
2399 			    "inherit-pkg-dir %s: %s\n"),
2400 			    fstab.zone_fs_dir, strerror(errno));
2401 			return_code = Z_ERR;
2402 		}
2403 		if (strcmp(st.st_fstype, MNTTYPE_NFS) == 0) {
2404 			/*
2405 			 * TRANSLATION_NOTE
2406 			 * inherit-pkg-dir and NFS are literals that should
2407 			 * not be translated.
2408 			 */
2409 			(void) fprintf(stderr, gettext("cannot verify "
2410 			    "inherit-pkg-dir %s: NFS mounted file system.\n"
2411 			    "\tA local file system must be used.\n"),
2412 			    fstab.zone_fs_dir);
2413 			return_code = Z_ERR;
2414 		}
2415 	}
2416 	(void) zonecfg_endipdent(handle);
2417 
2418 	return (return_code);
2419 }
2420 
2421 /*
2422  * Verify that the special device/file system exists and is valid.
2423  */
2424 static int
2425 verify_fs_special(struct zone_fstab *fstab)
2426 {
2427 	struct stat st;
2428 
2429 	/*
2430 	 * This validation is really intended for standard zone administration.
2431 	 * If we are in a mini-root or some other upgrade situation where
2432 	 * we are using the scratch zone, just by-pass this.
2433 	 */
2434 	if (zonecfg_in_alt_root())
2435 		return (Z_OK);
2436 
2437 	if (strcmp(fstab->zone_fs_type, MNTTYPE_ZFS) == 0)
2438 		return (verify_fs_zfs(fstab));
2439 
2440 	if (stat(fstab->zone_fs_special, &st) != 0) {
2441 		(void) fprintf(stderr, gettext("could not verify fs "
2442 		    "%s: could not access %s: %s\n"), fstab->zone_fs_dir,
2443 		    fstab->zone_fs_special, strerror(errno));
2444 		return (Z_ERR);
2445 	}
2446 
2447 	if (strcmp(st.st_fstype, MNTTYPE_NFS) == 0) {
2448 		/*
2449 		 * TRANSLATION_NOTE
2450 		 * fs and NFS are literals that should
2451 		 * not be translated.
2452 		 */
2453 		(void) fprintf(stderr, gettext("cannot verify "
2454 		    "fs %s: NFS mounted file system.\n"
2455 		    "\tA local file system must be used.\n"),
2456 		    fstab->zone_fs_special);
2457 		return (Z_ERR);
2458 	}
2459 
2460 	return (Z_OK);
2461 }
2462 
2463 static int
2464 verify_filesystems(zone_dochandle_t handle)
2465 {
2466 	int return_code = Z_OK;
2467 	struct zone_fstab fstab;
2468 	char cmdbuf[MAXPATHLEN];
2469 	struct stat st;
2470 
2471 	/*
2472 	 * No need to verify inherit-pkg-dir fs types, as their type is
2473 	 * implicitly lofs, which is known.  Therefore, the types are only
2474 	 * verified for regular file systems below.
2475 	 *
2476 	 * Since the actual mount point is not known until the dependent mounts
2477 	 * are performed, we don't attempt any path validation here: that will
2478 	 * happen later when zoneadmd actually does the mounts.
2479 	 */
2480 	if (zonecfg_setfsent(handle) != Z_OK) {
2481 		(void) fprintf(stderr, gettext("could not verify file systems: "
2482 		    "unable to enumerate mounts\n"));
2483 		return (Z_ERR);
2484 	}
2485 	while (zonecfg_getfsent(handle, &fstab) == Z_OK) {
2486 		if (!zonecfg_valid_fs_type(fstab.zone_fs_type)) {
2487 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2488 			    "type %s is not allowed.\n"), fstab.zone_fs_dir,
2489 			    fstab.zone_fs_type);
2490 			return_code = Z_ERR;
2491 			goto next_fs;
2492 		}
2493 		/*
2494 		 * Verify /usr/lib/fs/<fstype>/mount exists.
2495 		 */
2496 		if (snprintf(cmdbuf, sizeof (cmdbuf), "/usr/lib/fs/%s/mount",
2497 		    fstab.zone_fs_type) > sizeof (cmdbuf)) {
2498 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2499 			    "type %s is too long.\n"), fstab.zone_fs_dir,
2500 			    fstab.zone_fs_type);
2501 			return_code = Z_ERR;
2502 			goto next_fs;
2503 		}
2504 		if (stat(cmdbuf, &st) != 0) {
2505 			(void) fprintf(stderr, gettext("could not verify fs "
2506 			    "%s: could not access %s: %s\n"), fstab.zone_fs_dir,
2507 			    cmdbuf, strerror(errno));
2508 			return_code = Z_ERR;
2509 			goto next_fs;
2510 		}
2511 		if (!S_ISREG(st.st_mode)) {
2512 			(void) fprintf(stderr, gettext("could not verify fs "
2513 			    "%s: %s is not a regular file\n"),
2514 			    fstab.zone_fs_dir, cmdbuf);
2515 			return_code = Z_ERR;
2516 			goto next_fs;
2517 		}
2518 		/*
2519 		 * Verify /usr/lib/fs/<fstype>/fsck exists iff zone_fs_raw is
2520 		 * set.
2521 		 */
2522 		if (snprintf(cmdbuf, sizeof (cmdbuf), "/usr/lib/fs/%s/fsck",
2523 		    fstab.zone_fs_type) > sizeof (cmdbuf)) {
2524 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2525 			    "type %s is too long.\n"), fstab.zone_fs_dir,
2526 			    fstab.zone_fs_type);
2527 			return_code = Z_ERR;
2528 			goto next_fs;
2529 		}
2530 		if (fstab.zone_fs_raw[0] == '\0' && stat(cmdbuf, &st) == 0) {
2531 			(void) fprintf(stderr, gettext("could not verify fs "
2532 			    "%s: must specify 'raw' device for %s "
2533 			    "file systems\n"),
2534 			    fstab.zone_fs_dir, fstab.zone_fs_type);
2535 			return_code = Z_ERR;
2536 			goto next_fs;
2537 		}
2538 		if (fstab.zone_fs_raw[0] != '\0' &&
2539 		    (stat(cmdbuf, &st) != 0 || !S_ISREG(st.st_mode))) {
2540 			(void) fprintf(stderr, gettext("cannot verify fs %s: "
2541 			    "'raw' device specified but "
2542 			    "no fsck executable exists for %s\n"),
2543 			    fstab.zone_fs_dir, fstab.zone_fs_type);
2544 			return_code = Z_ERR;
2545 			goto next_fs;
2546 		}
2547 
2548 		/* Verify fs_special. */
2549 		if ((return_code = verify_fs_special(&fstab)) != Z_OK)
2550 			goto next_fs;
2551 
2552 		/* Verify fs_raw. */
2553 		if (fstab.zone_fs_raw[0] != '\0' &&
2554 		    stat(fstab.zone_fs_raw, &st) != 0) {
2555 			/*
2556 			 * TRANSLATION_NOTE
2557 			 * fs is a literal that should not be translated.
2558 			 */
2559 			(void) fprintf(stderr, gettext("could not verify fs "
2560 			    "%s: could not access %s: %s\n"), fstab.zone_fs_dir,
2561 			    fstab.zone_fs_raw, strerror(errno));
2562 			return_code = Z_ERR;
2563 			goto next_fs;
2564 		}
2565 next_fs:
2566 		zonecfg_free_fs_option_list(fstab.zone_fs_options);
2567 	}
2568 	(void) zonecfg_endfsent(handle);
2569 
2570 	return (return_code);
2571 }
2572 
2573 static int
2574 verify_limitpriv(zone_dochandle_t handle)
2575 {
2576 	char *privname = NULL;
2577 	int err;
2578 	priv_set_t *privs;
2579 
2580 	if ((privs = priv_allocset()) == NULL) {
2581 		zperror(gettext("failed to allocate privilege set"), B_FALSE);
2582 		return (Z_NOMEM);
2583 	}
2584 	err = zonecfg_get_privset(handle, privs, &privname);
2585 	switch (err) {
2586 	case Z_OK:
2587 		break;
2588 	case Z_PRIV_PROHIBITED:
2589 		(void) fprintf(stderr, gettext("privilege \"%s\" is not "
2590 		    "permitted within the zone's privilege set\n"), privname);
2591 		break;
2592 	case Z_PRIV_REQUIRED:
2593 		(void) fprintf(stderr, gettext("required privilege \"%s\" is "
2594 		    "missing from the zone's privilege set\n"), privname);
2595 		break;
2596 	case Z_PRIV_UNKNOWN:
2597 		(void) fprintf(stderr, gettext("unknown privilege \"%s\" "
2598 		    "specified in the zone's privilege set\n"), privname);
2599 		break;
2600 	default:
2601 		zperror(
2602 		    gettext("failed to determine the zone's privilege set"),
2603 		    B_TRUE);
2604 		break;
2605 	}
2606 	free(privname);
2607 	priv_freeset(privs);
2608 	return (err);
2609 }
2610 
2611 static void
2612 free_local_netifs(int if_cnt, struct net_if **if_list)
2613 {
2614 	int		i;
2615 
2616 	for (i = 0; i < if_cnt; i++) {
2617 		free(if_list[i]->name);
2618 		free(if_list[i]);
2619 	}
2620 	free(if_list);
2621 }
2622 
2623 /*
2624  * Get a list of the network interfaces, along with their address families,
2625  * that are plumbed in the global zone.  See if_tcp(7p) for a description
2626  * of the ioctls used here.
2627  */
2628 static int
2629 get_local_netifs(int *if_cnt, struct net_if ***if_list)
2630 {
2631 	int		s;
2632 	int		i;
2633 	int		res = Z_OK;
2634 	int		space_needed;
2635 	int		cnt = 0;
2636 	struct		lifnum if_num;
2637 	struct		lifconf if_conf;
2638 	struct		lifreq *if_reqp;
2639 	char		*if_buf;
2640 	struct net_if	**local_ifs = NULL;
2641 
2642 	*if_cnt = 0;
2643 	*if_list = NULL;
2644 
2645 	if ((s = socket(SOCKET_AF(AF_INET), SOCK_DGRAM, 0)) < 0)
2646 		return (Z_ERR);
2647 
2648 	/*
2649 	 * Come back here in the unlikely event that the number of interfaces
2650 	 * increases between the time we get the count and the time we do the
2651 	 * SIOCGLIFCONF ioctl.
2652 	 */
2653 retry:
2654 	/* Get the number of interfaces. */
2655 	if_num.lifn_family = AF_UNSPEC;
2656 	if_num.lifn_flags = LIFC_NOXMIT;
2657 	if (ioctl(s, SIOCGLIFNUM, &if_num) < 0) {
2658 		(void) close(s);
2659 		return (Z_ERR);
2660 	}
2661 
2662 	/* Get the interface configuration list. */
2663 	space_needed = if_num.lifn_count * sizeof (struct lifreq);
2664 	if ((if_buf = malloc(space_needed)) == NULL) {
2665 		(void) close(s);
2666 		return (Z_ERR);
2667 	}
2668 	if_conf.lifc_family = AF_UNSPEC;
2669 	if_conf.lifc_flags = LIFC_NOXMIT;
2670 	if_conf.lifc_len = space_needed;
2671 	if_conf.lifc_buf = if_buf;
2672 	if (ioctl(s, SIOCGLIFCONF, &if_conf) < 0) {
2673 		free(if_buf);
2674 		/*
2675 		 * SIOCGLIFCONF returns EINVAL if the buffer we passed in is
2676 		 * too small.  In this case go back and get the new if cnt.
2677 		 */
2678 		if (errno == EINVAL)
2679 			goto retry;
2680 
2681 		(void) close(s);
2682 		return (Z_ERR);
2683 	}
2684 	(void) close(s);
2685 
2686 	/* Get the name and address family for each interface. */
2687 	if_reqp = if_conf.lifc_req;
2688 	for (i = 0; i < (if_conf.lifc_len / sizeof (struct lifreq)); i++) {
2689 		struct net_if	**p;
2690 		struct lifreq	req;
2691 
2692 		if (strcmp(LOOPBACK_IF, if_reqp->lifr_name) == 0) {
2693 			if_reqp++;
2694 			continue;
2695 		}
2696 
2697 		if ((s = socket(SOCKET_AF(if_reqp->lifr_addr.ss_family),
2698 		    SOCK_DGRAM, 0)) == -1) {
2699 			res = Z_ERR;
2700 			break;
2701 		}
2702 
2703 		(void) strncpy(req.lifr_name, if_reqp->lifr_name,
2704 		    sizeof (req.lifr_name));
2705 		if (ioctl(s, SIOCGLIFADDR, &req) < 0) {
2706 			(void) close(s);
2707 			if_reqp++;
2708 			continue;
2709 		}
2710 
2711 		if ((p = (struct net_if **)realloc(local_ifs,
2712 		    sizeof (struct net_if *) * (cnt + 1))) == NULL) {
2713 			res = Z_ERR;
2714 			break;
2715 		}
2716 		local_ifs = p;
2717 
2718 		if ((local_ifs[cnt] = malloc(sizeof (struct net_if))) == NULL) {
2719 			res = Z_ERR;
2720 			break;
2721 		}
2722 
2723 		if ((local_ifs[cnt]->name = strdup(if_reqp->lifr_name))
2724 		    == NULL) {
2725 			free(local_ifs[cnt]);
2726 			res = Z_ERR;
2727 			break;
2728 		}
2729 		local_ifs[cnt]->af = req.lifr_addr.ss_family;
2730 		cnt++;
2731 
2732 		(void) close(s);
2733 		if_reqp++;
2734 	}
2735 
2736 	free(if_buf);
2737 
2738 	if (res != Z_OK) {
2739 		free_local_netifs(cnt, local_ifs);
2740 	} else {
2741 		*if_cnt = cnt;
2742 		*if_list = local_ifs;
2743 	}
2744 
2745 	return (res);
2746 }
2747 
2748 static char *
2749 af2str(int af)
2750 {
2751 	switch (af) {
2752 	case AF_INET:
2753 		return ("IPv4");
2754 	case AF_INET6:
2755 		return ("IPv6");
2756 	default:
2757 		return ("Unknown");
2758 	}
2759 }
2760 
2761 /*
2762  * Cross check the network interface name and address family with the
2763  * interfaces that are set up in the global zone so that we can print the
2764  * appropriate error message.
2765  */
2766 static void
2767 print_net_err(char *phys, char *addr, int af, char *msg)
2768 {
2769 	int		i;
2770 	int		local_if_cnt = 0;
2771 	struct net_if	**local_ifs = NULL;
2772 	boolean_t	found_if = B_FALSE;
2773 	boolean_t	found_af = B_FALSE;
2774 
2775 	if (get_local_netifs(&local_if_cnt, &local_ifs) != Z_OK) {
2776 		(void) fprintf(stderr,
2777 		    gettext("could not verify %s %s=%s %s=%s\n\t%s\n"),
2778 		    "net", "address", addr, "physical", phys, msg);
2779 		return;
2780 	}
2781 
2782 	for (i = 0; i < local_if_cnt; i++) {
2783 		if (strcmp(phys, local_ifs[i]->name) == 0) {
2784 			found_if = B_TRUE;
2785 			if (af == local_ifs[i]->af) {
2786 				found_af = B_TRUE;
2787 				break;
2788 			}
2789 		}
2790 	}
2791 
2792 	free_local_netifs(local_if_cnt, local_ifs);
2793 
2794 	if (!found_if) {
2795 		(void) fprintf(stderr,
2796 		    gettext("could not verify %s %s=%s\n\t"
2797 		    "network interface %s is not plumbed in the global zone\n"),
2798 		    "net", "physical", phys, phys);
2799 		return;
2800 	}
2801 
2802 	/*
2803 	 * Print this error if we were unable to find the address family
2804 	 * for this interface.  If the af variable is not initialized to
2805 	 * to something meaningful by the caller (not AF_UNSPEC) then we
2806 	 * also skip this message since it wouldn't be informative.
2807 	 */
2808 	if (!found_af && af != AF_UNSPEC) {
2809 		(void) fprintf(stderr,
2810 		    gettext("could not verify %s %s=%s %s=%s\n\tthe %s address "
2811 		    "family is not configured on this network interface in "
2812 		    "the\n\tglobal zone\n"),
2813 		    "net", "address", addr, "physical", phys, af2str(af));
2814 		return;
2815 	}
2816 
2817 	(void) fprintf(stderr,
2818 	    gettext("could not verify %s %s=%s %s=%s\n\t%s\n"),
2819 	    "net", "address", addr, "physical", phys, msg);
2820 }
2821 
2822 static int
2823 verify_handle(int cmd_num, zone_dochandle_t handle, char *argv[])
2824 {
2825 	struct zone_nwiftab nwiftab;
2826 	int return_code = Z_OK;
2827 	int err;
2828 	boolean_t in_alt_root;
2829 	zone_iptype_t iptype;
2830 	int fd;
2831 
2832 	in_alt_root = zonecfg_in_alt_root();
2833 	if (in_alt_root)
2834 		goto no_net;
2835 
2836 	if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK) {
2837 		errno = err;
2838 		zperror(cmd_to_str(cmd_num), B_TRUE);
2839 		zonecfg_fini_handle(handle);
2840 		return (Z_ERR);
2841 	}
2842 	if ((err = zonecfg_setnwifent(handle)) != Z_OK) {
2843 		errno = err;
2844 		zperror(cmd_to_str(cmd_num), B_TRUE);
2845 		zonecfg_fini_handle(handle);
2846 		return (Z_ERR);
2847 	}
2848 	while (zonecfg_getnwifent(handle, &nwiftab) == Z_OK) {
2849 		struct lifreq lifr;
2850 		sa_family_t af = AF_UNSPEC;
2851 		char dl_owner_zname[ZONENAME_MAX];
2852 		zoneid_t dl_owner_zid;
2853 		zoneid_t target_zid;
2854 		int res;
2855 
2856 		/* skip any loopback interfaces */
2857 		if (strcmp(nwiftab.zone_nwif_physical, "lo0") == 0)
2858 			continue;
2859 		switch (iptype) {
2860 		case ZS_SHARED:
2861 			if ((res = zonecfg_valid_net_address(
2862 			    nwiftab.zone_nwif_address, &lifr)) != Z_OK) {
2863 				print_net_err(nwiftab.zone_nwif_physical,
2864 				    nwiftab.zone_nwif_address, af,
2865 				    zonecfg_strerror(res));
2866 			    return_code = Z_ERR;
2867 			    continue;
2868 			}
2869 			af = lifr.lifr_addr.ss_family;
2870 			if (!zonecfg_ifname_exists(af,
2871 			    nwiftab.zone_nwif_physical)) {
2872 				/*
2873 				 * The interface failed to come up. We continue
2874 				 * on anyway for the sake of consistency: a
2875 				 * zone is not shut down if the interface fails
2876 				 * any time after boot, nor does the global zone
2877 				 * fail to boot if an interface fails.
2878 				 */
2879 				(void) fprintf(stderr,
2880 				    gettext("WARNING: skipping network "
2881 					"interface '%s' which may not be "
2882 					"present/plumbed in the global "
2883 					"zone.\n"),
2884 				    nwiftab.zone_nwif_physical);
2885 			}
2886 			break;
2887 		case ZS_EXCLUSIVE:
2888 			/* Warning if it exists for either IPv4 or IPv6 */
2889 
2890 			if (zonecfg_ifname_exists(AF_INET,
2891 			    nwiftab.zone_nwif_physical) ||
2892 			    zonecfg_ifname_exists(AF_INET6,
2893 			    nwiftab.zone_nwif_physical)) {
2894 				(void) fprintf(stderr,
2895 				    gettext("WARNING: skipping network "
2896 				    "interface '%s' which is used in the "
2897 				    "global zone.\n"),
2898 				    nwiftab.zone_nwif_physical);
2899 				break;
2900 			}
2901 			/*
2902 			 * Verify that the physical interface can
2903 			 * be opened
2904 			 */
2905 			fd = ifname_open(nwiftab.zone_nwif_physical);
2906 			if (fd == -1) {
2907 				(void) fprintf(stderr,
2908 				    gettext("WARNING: skipping network "
2909 				    "interface '%s' which cannot be opened.\n"),
2910 				    nwiftab.zone_nwif_physical);
2911 				break;
2912 			} else {
2913 				(void) close(fd);
2914 			}
2915 			/*
2916 			 * Verify whether the physical interface is already
2917 			 * used by a zone.
2918 			 */
2919 			dl_owner_zid = ALL_ZONES;
2920 			if (zone_check_datalink(&dl_owner_zid,
2921 			    nwiftab.zone_nwif_physical) != 0)
2922 				break;
2923 
2924 			/*
2925 			 * If the zone being verified is
2926 			 * running and owns the interface
2927 			 */
2928 			target_zid = getzoneidbyname(target_zone);
2929 			if (target_zid == dl_owner_zid)
2930 				break;
2931 
2932 			/* Zone id match failed, use name to check */
2933 			if (getzonenamebyid(dl_owner_zid, dl_owner_zname,
2934 			    ZONENAME_MAX) < 0) {
2935 				/* No name, show ID instead */
2936 				(void) snprintf(dl_owner_zname, ZONENAME_MAX,
2937 				    "<%d>", dl_owner_zid);
2938 			} else if (strcmp(dl_owner_zname, target_zone) == 0)
2939 				break;
2940 
2941 			/*
2942 			 * Note here we only report a warning that
2943 			 * the interface is already in use by another
2944 			 * running zone, and the verify process just
2945 			 * goes on, if the interface is still in use
2946 			 * when this zone really boots up, zoneadmd
2947 			 * will find it. If the name of the zone which
2948 			 * owns this interface cannot be determined,
2949 			 * then it is not possible to determine if there
2950 			 * is a conflict so just report it as a warning.
2951 			 */
2952 			(void) fprintf(stderr,
2953 			    gettext("WARNING: skipping network interface "
2954 			    "'%s' which is used by the non-global zone "
2955 			    "'%s'.\n"), nwiftab.zone_nwif_physical,
2956 			    dl_owner_zname);
2957 			break;
2958 		}
2959 	}
2960 	(void) zonecfg_endnwifent(handle);
2961 no_net:
2962 
2963 	/* verify that lofs has not been excluded from the kernel */
2964 	if (!(cmd_num == CMD_DETACH || cmd_num == CMD_ATTACH ||
2965 	    cmd_num == CMD_MOVE || cmd_num == CMD_CLONE) &&
2966 	    modctl(MODLOAD, 1, "fs/lofs", NULL) != 0) {
2967 		if (errno == ENXIO)
2968 			(void) fprintf(stderr, gettext("could not verify "
2969 			    "lofs(7FS): possibly excluded in /etc/system\n"));
2970 		else
2971 			(void) fprintf(stderr, gettext("could not verify "
2972 			    "lofs(7FS): %s\n"), strerror(errno));
2973 		return_code = Z_ERR;
2974 	}
2975 
2976 	if (verify_filesystems(handle) != Z_OK)
2977 		return_code = Z_ERR;
2978 	if (verify_ipd(handle) != Z_OK)
2979 		return_code = Z_ERR;
2980 	if (!in_alt_root && verify_rctls(handle) != Z_OK)
2981 		return_code = Z_ERR;
2982 	if (!in_alt_root && verify_pool(handle) != Z_OK)
2983 		return_code = Z_ERR;
2984 	if (!in_alt_root && verify_brand(handle, cmd_num, argv) != Z_OK)
2985 		return_code = Z_ERR;
2986 	if (!in_alt_root && verify_datasets(handle) != Z_OK)
2987 		return_code = Z_ERR;
2988 
2989 	/*
2990 	 * As the "mount" command is used for patching/upgrading of zones
2991 	 * or other maintenance processes, the zone's privilege set is not
2992 	 * checked in this case.  Instead, the default, safe set of
2993 	 * privileges will be used when this zone is created in the
2994 	 * kernel.
2995 	 */
2996 	if (!in_alt_root && cmd_num != CMD_MOUNT &&
2997 	    verify_limitpriv(handle) != Z_OK)
2998 		return_code = Z_ERR;
2999 
3000 	return (return_code);
3001 }
3002 
3003 static int
3004 verify_details(int cmd_num, char *argv[])
3005 {
3006 	zone_dochandle_t handle;
3007 	char zonepath[MAXPATHLEN], checkpath[MAXPATHLEN];
3008 	int return_code = Z_OK;
3009 	int err;
3010 
3011 	if ((handle = zonecfg_init_handle()) == NULL) {
3012 		zperror(cmd_to_str(cmd_num), B_TRUE);
3013 		return (Z_ERR);
3014 	}
3015 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
3016 		errno = err;
3017 		zperror(cmd_to_str(cmd_num), B_TRUE);
3018 		zonecfg_fini_handle(handle);
3019 		return (Z_ERR);
3020 	}
3021 	if ((err = zonecfg_get_zonepath(handle, zonepath, sizeof (zonepath))) !=
3022 	    Z_OK) {
3023 		errno = err;
3024 		zperror(cmd_to_str(cmd_num), B_TRUE);
3025 		zonecfg_fini_handle(handle);
3026 		return (Z_ERR);
3027 	}
3028 	/*
3029 	 * zonecfg_get_zonepath() gets its data from the XML repository.
3030 	 * Verify this against the index file, which is checked first by
3031 	 * zone_get_zonepath().  If they don't match, bail out.
3032 	 */
3033 	if ((err = zone_get_zonepath(target_zone, checkpath,
3034 	    sizeof (checkpath))) != Z_OK) {
3035 		errno = err;
3036 		zperror2(target_zone, gettext("could not get zone path"));
3037 		return (Z_ERR);
3038 	}
3039 	if (strcmp(zonepath, checkpath) != 0) {
3040 		/*
3041 		 * TRANSLATION_NOTE
3042 		 * XML and zonepath are literals that should not be translated.
3043 		 */
3044 		(void) fprintf(stderr, gettext("The XML repository has "
3045 		    "zonepath '%s',\nbut the index file has zonepath '%s'.\n"
3046 		    "These must match, so fix the incorrect entry.\n"),
3047 		    zonepath, checkpath);
3048 		return (Z_ERR);
3049 	}
3050 	if (validate_zonepath(zonepath, cmd_num) != Z_OK) {
3051 		(void) fprintf(stderr, gettext("could not verify zonepath %s "
3052 		    "because of the above errors.\n"), zonepath);
3053 		return_code = Z_ERR;
3054 	}
3055 
3056 	if (verify_handle(cmd_num, handle, argv) != Z_OK)
3057 		return_code = Z_ERR;
3058 
3059 	zonecfg_fini_handle(handle);
3060 	if (return_code == Z_ERR)
3061 		(void) fprintf(stderr,
3062 		    gettext("%s: zone %s failed to verify\n"),
3063 		    execname, target_zone);
3064 	return (return_code);
3065 }
3066 
3067 static int
3068 verify_func(int argc, char *argv[])
3069 {
3070 	int arg;
3071 
3072 	optind = 0;
3073 	if ((arg = getopt(argc, argv, "?")) != EOF) {
3074 		switch (arg) {
3075 		case '?':
3076 			sub_usage(SHELP_VERIFY, CMD_VERIFY);
3077 			return (optopt == '?' ? Z_OK : Z_USAGE);
3078 		default:
3079 			sub_usage(SHELP_VERIFY, CMD_VERIFY);
3080 			return (Z_USAGE);
3081 		}
3082 	}
3083 	if (argc > optind) {
3084 		sub_usage(SHELP_VERIFY, CMD_VERIFY);
3085 		return (Z_USAGE);
3086 	}
3087 	if (sanity_check(target_zone, CMD_VERIFY, B_FALSE, B_FALSE, B_FALSE)
3088 	    != Z_OK)
3089 		return (Z_ERR);
3090 	return (verify_details(CMD_VERIFY, argv));
3091 }
3092 
3093 static int
3094 addopt(char *buf, int opt, char *optarg, size_t bufsize)
3095 {
3096 	char optstring[4];
3097 
3098 	if (opt > 0)
3099 		(void) sprintf(optstring, " -%c", opt);
3100 	else
3101 		(void) strcpy(optstring, " ");
3102 
3103 	if ((strlcat(buf, optstring, bufsize) > bufsize))
3104 		return (Z_ERR);
3105 	if ((optarg != NULL) && (strlcat(buf, optarg, bufsize) > bufsize))
3106 		return (Z_ERR);
3107 	return (Z_OK);
3108 }
3109 
3110 static int
3111 install_func(int argc, char *argv[])
3112 {
3113 	char cmdbuf[MAXPATHLEN];
3114 	int lockfd;
3115 	int arg, err, subproc_err;
3116 	char zonepath[MAXPATHLEN];
3117 	brand_handle_t bh = NULL;
3118 	int status;
3119 	boolean_t nodataset = B_FALSE;
3120 	char opts[128];
3121 
3122 	if (target_zone == NULL) {
3123 		sub_usage(SHELP_INSTALL, CMD_INSTALL);
3124 		return (Z_USAGE);
3125 	}
3126 
3127 	if (zonecfg_in_alt_root()) {
3128 		zerror(gettext("cannot install zone in alternate root"));
3129 		return (Z_ERR);
3130 	}
3131 
3132 	if ((err = zone_get_zonepath(target_zone, zonepath,
3133 	    sizeof (zonepath))) != Z_OK) {
3134 		errno = err;
3135 		zperror2(target_zone, gettext("could not get zone path"));
3136 		return (Z_ERR);
3137 	}
3138 
3139 	/* Fetch the install command from the brand configuration.  */
3140 	if ((bh = brand_open(target_brand)) == NULL) {
3141 		zerror(gettext("missing or invalid brand"));
3142 		return (Z_ERR);
3143 	}
3144 
3145 	(void) strcpy(cmdbuf, EXEC_PREFIX);
3146 	if (brand_get_install(bh, target_zone, zonepath, cmdbuf + EXEC_LEN,
3147 	    sizeof (cmdbuf) - EXEC_LEN, 0, NULL) != 0) {
3148 		zerror("invalid brand configuration: missing install resource");
3149 		brand_close(bh);
3150 		return (Z_ERR);
3151 	}
3152 
3153 	(void) strcpy(opts, "?x:");
3154 	if (!is_native_zone) {
3155 		/*
3156 		 * Fetch the list of recognized command-line options from
3157 		 * the brand configuration file.
3158 		 */
3159 		if (brand_get_installopts(bh, opts + strlen(opts),
3160 		    sizeof (opts) - strlen(opts)) != 0) {
3161 			zerror("invalid brand configuration: missing "
3162 			    "install options resource");
3163 			brand_close(bh);
3164 			return (Z_ERR);
3165 		}
3166 	}
3167 	brand_close(bh);
3168 
3169 	optind = 0;
3170 	while ((arg = getopt(argc, argv, opts)) != EOF) {
3171 		switch (arg) {
3172 		case '?':
3173 			sub_usage(SHELP_INSTALL, CMD_INSTALL);
3174 			return (optopt == '?' ? Z_OK : Z_USAGE);
3175 		case 'x':
3176 			if (strcmp(optarg, "nodataset") != 0) {
3177 				sub_usage(SHELP_INSTALL, CMD_INSTALL);
3178 				return (Z_USAGE);
3179 			}
3180 			nodataset = B_TRUE;
3181 			break;
3182 		default:
3183 			if (is_native_zone) {
3184 				sub_usage(SHELP_INSTALL, CMD_INSTALL);
3185 				return (Z_USAGE);
3186 			}
3187 
3188 			/*
3189 			 * This option isn't for zoneadm, so append it to
3190 			 * the command line passed to the brand-specific
3191 			 * install routine.
3192 			 */
3193 			if (addopt(cmdbuf, optopt, optarg,
3194 			    sizeof (cmdbuf)) != Z_OK) {
3195 				zerror("Install command line too long");
3196 				return (Z_ERR);
3197 			}
3198 			break;
3199 		}
3200 	}
3201 
3202 	if (!is_native_zone) {
3203 		for (; optind < argc; optind++) {
3204 			if (addopt(cmdbuf, 0, argv[optind],
3205 			    sizeof (cmdbuf)) != Z_OK) {
3206 				zerror("Install command line too long");
3207 				return (Z_ERR);
3208 			}
3209 		}
3210 	}
3211 
3212 	if (sanity_check(target_zone, CMD_INSTALL, B_FALSE, B_TRUE, B_FALSE)
3213 	    != Z_OK)
3214 		return (Z_ERR);
3215 	if (verify_details(CMD_INSTALL, argv) != Z_OK)
3216 		return (Z_ERR);
3217 
3218 	if (grab_lock_file(target_zone, &lockfd) != Z_OK) {
3219 		zerror(gettext("another %s may have an operation in progress."),
3220 		    "zoneadm");
3221 		return (Z_ERR);
3222 	}
3223 	err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE);
3224 	if (err != Z_OK) {
3225 		errno = err;
3226 		zperror2(target_zone, gettext("could not set state"));
3227 		goto done;
3228 	}
3229 
3230 	if (!nodataset)
3231 		create_zfs_zonepath(zonepath);
3232 
3233 	/*
3234 	 * According to the Application Packaging Developer's Guide, a
3235 	 * "checkinstall" script when included in a package is executed as
3236 	 * the user "install", if such a user exists, or by the user
3237 	 * "nobody".  In order to support this dubious behavior, the path
3238 	 * to the zone being constructed is opened up during the life of
3239 	 * the command laying down the zone's root file system.  Once this
3240 	 * has completed, regardless of whether it was successful, the
3241 	 * path to the zone is again restricted.
3242 	 */
3243 	if (chmod(zonepath, DEFAULT_DIR_MODE) != 0) {
3244 		zperror(zonepath, B_FALSE);
3245 		err = Z_ERR;
3246 		goto done;
3247 	}
3248 
3249 	if (is_native_zone)
3250 		status = do_subproc(cmdbuf);
3251 	else
3252 		status = do_subproc_interactive(cmdbuf);
3253 
3254 	if (chmod(zonepath, S_IRWXU) != 0) {
3255 		zperror(zonepath, B_FALSE);
3256 		err = Z_ERR;
3257 		goto done;
3258 	}
3259 	if ((subproc_err =
3260 	    subproc_status(gettext("brand-specific installation"), status,
3261 	    B_FALSE)) != ZONE_SUBPROC_OK) {
3262 		err = Z_ERR;
3263 		goto done;
3264 	}
3265 
3266 	if ((err = zone_set_state(target_zone, ZONE_STATE_INSTALLED)) != Z_OK) {
3267 		errno = err;
3268 		zperror2(target_zone, gettext("could not set state"));
3269 		goto done;
3270 	}
3271 
3272 done:
3273 	/*
3274 	 * If the install script exited with ZONE_SUBPROC_USAGE or
3275 	 * ZONE_SUBPROC_NOTCOMPLETE, try to clean up the zone and leave the
3276 	 * zone in the CONFIGURED state so that another install can be
3277 	 * attempted without requiring an uninstall first.
3278 	 */
3279 	if ((subproc_err == ZONE_SUBPROC_USAGE) ||
3280 	    (subproc_err == ZONE_SUBPROC_NOTCOMPLETE)) {
3281 		if ((err = cleanup_zonepath(zonepath, B_FALSE)) != Z_OK) {
3282 			errno = err;
3283 			zperror2(target_zone,
3284 			    gettext("cleaning up zonepath failed"));
3285 		} else if ((err = zone_set_state(target_zone,
3286 		    ZONE_STATE_CONFIGURED)) != Z_OK) {
3287 			errno = err;
3288 			zperror2(target_zone, gettext("could not set state"));
3289 		}
3290 	}
3291 
3292 	release_lock_file(lockfd);
3293 	return ((err == Z_OK) ? Z_OK : Z_ERR);
3294 }
3295 
3296 /*
3297  * Check that the inherited pkg dirs are the same for the clone and its source.
3298  * The easiest way to do that is check that the list of ipds is the same
3299  * by matching each one against the other.  This algorithm should be fine since
3300  * the list of ipds should not be that long.
3301  */
3302 static int
3303 valid_ipd_clone(zone_dochandle_t s_handle, char *source_zone,
3304 	zone_dochandle_t t_handle, char *target_zone)
3305 {
3306 	int err;
3307 	int res = Z_OK;
3308 	int s_cnt = 0;
3309 	int t_cnt = 0;
3310 	struct zone_fstab s_fstab;
3311 	struct zone_fstab t_fstab;
3312 
3313 	/*
3314 	 * First check the source of the clone against the target.
3315 	 */
3316 	if ((err = zonecfg_setipdent(s_handle)) != Z_OK) {
3317 		errno = err;
3318 		zperror2(source_zone, gettext("could not enumerate "
3319 		    "inherit-pkg-dirs"));
3320 		return (Z_ERR);
3321 	}
3322 
3323 	while (zonecfg_getipdent(s_handle, &s_fstab) == Z_OK) {
3324 		boolean_t match = B_FALSE;
3325 
3326 		s_cnt++;
3327 
3328 		if ((err = zonecfg_setipdent(t_handle)) != Z_OK) {
3329 			errno = err;
3330 			zperror2(target_zone, gettext("could not enumerate "
3331 			    "inherit-pkg-dirs"));
3332 			(void) zonecfg_endipdent(s_handle);
3333 			return (Z_ERR);
3334 		}
3335 
3336 		while (zonecfg_getipdent(t_handle, &t_fstab) == Z_OK) {
3337 			if (strcmp(s_fstab.zone_fs_dir, t_fstab.zone_fs_dir)
3338 			    == 0) {
3339 				match = B_TRUE;
3340 				break;
3341 			}
3342 		}
3343 		(void) zonecfg_endipdent(t_handle);
3344 
3345 		if (!match) {
3346 			(void) fprintf(stderr, gettext("inherit-pkg-dir "
3347 			    "'%s' is not configured in zone %s.\n"),
3348 			    s_fstab.zone_fs_dir, target_zone);
3349 			res = Z_ERR;
3350 		}
3351 	}
3352 
3353 	(void) zonecfg_endipdent(s_handle);
3354 
3355 	/* skip the next check if we already have errors */
3356 	if (res == Z_ERR)
3357 		return (res);
3358 
3359 	/*
3360 	 * Now check the number of ipds in the target so we can verify
3361 	 * that the source is not a subset of the target.
3362 	 */
3363 	if ((err = zonecfg_setipdent(t_handle)) != Z_OK) {
3364 		errno = err;
3365 		zperror2(target_zone, gettext("could not enumerate "
3366 		    "inherit-pkg-dirs"));
3367 		return (Z_ERR);
3368 	}
3369 
3370 	while (zonecfg_getipdent(t_handle, &t_fstab) == Z_OK)
3371 		t_cnt++;
3372 
3373 	(void) zonecfg_endipdent(t_handle);
3374 
3375 	if (t_cnt != s_cnt) {
3376 		(void) fprintf(stderr, gettext("Zone %s is configured "
3377 		    "with inherit-pkg-dirs that are not configured in zone "
3378 		    "%s.\n"), target_zone, source_zone);
3379 		res = Z_ERR;
3380 	}
3381 
3382 	return (res);
3383 }
3384 
3385 static void
3386 warn_dev_match(zone_dochandle_t s_handle, char *source_zone,
3387 	zone_dochandle_t t_handle, char *target_zone)
3388 {
3389 	int err;
3390 	struct zone_devtab s_devtab;
3391 	struct zone_devtab t_devtab;
3392 
3393 	if ((err = zonecfg_setdevent(t_handle)) != Z_OK) {
3394 		errno = err;
3395 		zperror2(target_zone, gettext("could not enumerate devices"));
3396 		return;
3397 	}
3398 
3399 	while (zonecfg_getdevent(t_handle, &t_devtab) == Z_OK) {
3400 		if ((err = zonecfg_setdevent(s_handle)) != Z_OK) {
3401 			errno = err;
3402 			zperror2(source_zone,
3403 			    gettext("could not enumerate devices"));
3404 			(void) zonecfg_enddevent(t_handle);
3405 			return;
3406 		}
3407 
3408 		while (zonecfg_getdevent(s_handle, &s_devtab) == Z_OK) {
3409 			/*
3410 			 * Use fnmatch to catch the case where wildcards
3411 			 * were used in one zone and the other has an
3412 			 * explicit entry (e.g. /dev/dsk/c0t0d0s6 vs.
3413 			 * /dev/\*dsk/c0t0d0s6).
3414 			 */
3415 			if (fnmatch(t_devtab.zone_dev_match,
3416 			    s_devtab.zone_dev_match, FNM_PATHNAME) == 0 ||
3417 			    fnmatch(s_devtab.zone_dev_match,
3418 			    t_devtab.zone_dev_match, FNM_PATHNAME) == 0) {
3419 				(void) fprintf(stderr,
3420 				    gettext("WARNING: device '%s' "
3421 				    "is configured in both zones.\n"),
3422 				    t_devtab.zone_dev_match);
3423 				break;
3424 			}
3425 		}
3426 		(void) zonecfg_enddevent(s_handle);
3427 	}
3428 
3429 	(void) zonecfg_enddevent(t_handle);
3430 }
3431 
3432 /*
3433  * Check if the specified mount option (opt) is contained within the
3434  * options string.
3435  */
3436 static boolean_t
3437 opt_match(char *opt, char *options)
3438 {
3439 	char *p;
3440 	char *lastp;
3441 
3442 	if ((p = strtok_r(options, ",", &lastp)) != NULL) {
3443 		if (strcmp(p, opt) == 0)
3444 			return (B_TRUE);
3445 		while ((p = strtok_r(NULL, ",", &lastp)) != NULL) {
3446 			if (strcmp(p, opt) == 0)
3447 				return (B_TRUE);
3448 		}
3449 	}
3450 
3451 	return (B_FALSE);
3452 }
3453 
3454 #define	RW_LOFS	"WARNING: read-write lofs file system on '%s' is configured " \
3455 	"in both zones.\n"
3456 
3457 static void
3458 print_fs_warnings(struct zone_fstab *s_fstab, struct zone_fstab *t_fstab)
3459 {
3460 	/*
3461 	 * It is ok to have shared lofs mounted fs but we want to warn if
3462 	 * either is rw since this will effect the other zone.
3463 	 */
3464 	if (strcmp(t_fstab->zone_fs_type, "lofs") == 0) {
3465 		zone_fsopt_t *optp;
3466 
3467 		/* The default is rw so no options means rw */
3468 		if (t_fstab->zone_fs_options == NULL ||
3469 		    s_fstab->zone_fs_options == NULL) {
3470 			(void) fprintf(stderr, gettext(RW_LOFS),
3471 			    t_fstab->zone_fs_special);
3472 			return;
3473 		}
3474 
3475 		for (optp = s_fstab->zone_fs_options; optp != NULL;
3476 		    optp = optp->zone_fsopt_next) {
3477 			if (opt_match("rw", optp->zone_fsopt_opt)) {
3478 				(void) fprintf(stderr, gettext(RW_LOFS),
3479 				    s_fstab->zone_fs_special);
3480 				return;
3481 			}
3482 		}
3483 
3484 		for (optp = t_fstab->zone_fs_options; optp != NULL;
3485 		    optp = optp->zone_fsopt_next) {
3486 			if (opt_match("rw", optp->zone_fsopt_opt)) {
3487 				(void) fprintf(stderr, gettext(RW_LOFS),
3488 				    t_fstab->zone_fs_special);
3489 				return;
3490 			}
3491 		}
3492 
3493 		return;
3494 	}
3495 
3496 	/*
3497 	 * TRANSLATION_NOTE
3498 	 * The first variable is the file system type and the second is
3499 	 * the file system special device.  For example,
3500 	 * WARNING: ufs file system on '/dev/dsk/c0t0d0s0' ...
3501 	 */
3502 	(void) fprintf(stderr, gettext("WARNING: %s file system on '%s' "
3503 	    "is configured in both zones.\n"), t_fstab->zone_fs_type,
3504 	    t_fstab->zone_fs_special);
3505 }
3506 
3507 static void
3508 warn_fs_match(zone_dochandle_t s_handle, char *source_zone,
3509 	zone_dochandle_t t_handle, char *target_zone)
3510 {
3511 	int err;
3512 	struct zone_fstab s_fstab;
3513 	struct zone_fstab t_fstab;
3514 
3515 	if ((err = zonecfg_setfsent(t_handle)) != Z_OK) {
3516 		errno = err;
3517 		zperror2(target_zone,
3518 		    gettext("could not enumerate file systems"));
3519 		return;
3520 	}
3521 
3522 	while (zonecfg_getfsent(t_handle, &t_fstab) == Z_OK) {
3523 		if ((err = zonecfg_setfsent(s_handle)) != Z_OK) {
3524 			errno = err;
3525 			zperror2(source_zone,
3526 			    gettext("could not enumerate file systems"));
3527 			(void) zonecfg_endfsent(t_handle);
3528 			return;
3529 		}
3530 
3531 		while (zonecfg_getfsent(s_handle, &s_fstab) == Z_OK) {
3532 			if (strcmp(t_fstab.zone_fs_special,
3533 			    s_fstab.zone_fs_special) == 0) {
3534 				print_fs_warnings(&s_fstab, &t_fstab);
3535 				break;
3536 			}
3537 		}
3538 		(void) zonecfg_endfsent(s_handle);
3539 	}
3540 
3541 	(void) zonecfg_endfsent(t_handle);
3542 }
3543 
3544 /*
3545  * We don't catch the case where you used the same IP address but
3546  * it is not an exact string match.  For example, 192.9.0.128 vs. 192.09.0.128.
3547  * However, we're not going to worry about that but we will check for
3548  * a possible netmask on one of the addresses (e.g. 10.0.0.1 and 10.0.0.1/24)
3549  * and handle that case as a match.
3550  */
3551 static void
3552 warn_ip_match(zone_dochandle_t s_handle, char *source_zone,
3553 	zone_dochandle_t t_handle, char *target_zone)
3554 {
3555 	int err;
3556 	struct zone_nwiftab s_nwiftab;
3557 	struct zone_nwiftab t_nwiftab;
3558 
3559 	if ((err = zonecfg_setnwifent(t_handle)) != Z_OK) {
3560 		errno = err;
3561 		zperror2(target_zone,
3562 		    gettext("could not enumerate network interfaces"));
3563 		return;
3564 	}
3565 
3566 	while (zonecfg_getnwifent(t_handle, &t_nwiftab) == Z_OK) {
3567 		char *p;
3568 
3569 		/* remove an (optional) netmask from the address */
3570 		if ((p = strchr(t_nwiftab.zone_nwif_address, '/')) != NULL)
3571 			*p = '\0';
3572 
3573 		if ((err = zonecfg_setnwifent(s_handle)) != Z_OK) {
3574 			errno = err;
3575 			zperror2(source_zone,
3576 			    gettext("could not enumerate network interfaces"));
3577 			(void) zonecfg_endnwifent(t_handle);
3578 			return;
3579 		}
3580 
3581 		while (zonecfg_getnwifent(s_handle, &s_nwiftab) == Z_OK) {
3582 			/* remove an (optional) netmask from the address */
3583 			if ((p = strchr(s_nwiftab.zone_nwif_address, '/'))
3584 			    != NULL)
3585 				*p = '\0';
3586 
3587 			/* For exclusive-IP zones, address is not specified. */
3588 			if (strlen(s_nwiftab.zone_nwif_address) == 0)
3589 				continue;
3590 
3591 			if (strcmp(t_nwiftab.zone_nwif_address,
3592 			    s_nwiftab.zone_nwif_address) == 0) {
3593 				(void) fprintf(stderr,
3594 				    gettext("WARNING: network address '%s' "
3595 				    "is configured in both zones.\n"),
3596 				    t_nwiftab.zone_nwif_address);
3597 				break;
3598 			}
3599 		}
3600 		(void) zonecfg_endnwifent(s_handle);
3601 	}
3602 
3603 	(void) zonecfg_endnwifent(t_handle);
3604 }
3605 
3606 static void
3607 warn_dataset_match(zone_dochandle_t s_handle, char *source,
3608 	zone_dochandle_t t_handle, char *target)
3609 {
3610 	int err;
3611 	struct zone_dstab s_dstab;
3612 	struct zone_dstab t_dstab;
3613 
3614 	if ((err = zonecfg_setdsent(t_handle)) != Z_OK) {
3615 		errno = err;
3616 		zperror2(target, gettext("could not enumerate datasets"));
3617 		return;
3618 	}
3619 
3620 	while (zonecfg_getdsent(t_handle, &t_dstab) == Z_OK) {
3621 		if ((err = zonecfg_setdsent(s_handle)) != Z_OK) {
3622 			errno = err;
3623 			zperror2(source,
3624 			    gettext("could not enumerate datasets"));
3625 			(void) zonecfg_enddsent(t_handle);
3626 			return;
3627 		}
3628 
3629 		while (zonecfg_getdsent(s_handle, &s_dstab) == Z_OK) {
3630 			if (strcmp(t_dstab.zone_dataset_name,
3631 			    s_dstab.zone_dataset_name) == 0) {
3632 				target_zone = source;
3633 				zerror(gettext("WARNING: dataset '%s' "
3634 				    "is configured in both zones.\n"),
3635 				    t_dstab.zone_dataset_name);
3636 				break;
3637 			}
3638 		}
3639 		(void) zonecfg_enddsent(s_handle);
3640 	}
3641 
3642 	(void) zonecfg_enddsent(t_handle);
3643 }
3644 
3645 /*
3646  * Check that the clone and its source have the same brand type.
3647  */
3648 static int
3649 valid_brand_clone(char *source_zone, char *target_zone)
3650 {
3651 	brand_handle_t bh;
3652 	char source_brand[MAXNAMELEN];
3653 
3654 	if ((zone_get_brand(source_zone, source_brand,
3655 	    sizeof (source_brand))) != Z_OK) {
3656 		(void) fprintf(stderr, "%s: zone '%s': %s\n",
3657 		    execname, source_zone, gettext("missing or invalid brand"));
3658 		return (Z_ERR);
3659 	}
3660 
3661 	if (strcmp(source_brand, target_brand) != NULL) {
3662 		(void) fprintf(stderr,
3663 		    gettext("%s: Zones '%s' and '%s' have different brand "
3664 		    "types.\n"), execname, source_zone, target_zone);
3665 		return (Z_ERR);
3666 	}
3667 
3668 	if ((bh = brand_open(target_brand)) == NULL) {
3669 		zerror(gettext("missing or invalid brand"));
3670 		return (Z_ERR);
3671 	}
3672 	brand_close(bh);
3673 	return (Z_OK);
3674 }
3675 
3676 static int
3677 validate_clone(char *source_zone, char *target_zone)
3678 {
3679 	int err = Z_OK;
3680 	zone_dochandle_t s_handle;
3681 	zone_dochandle_t t_handle;
3682 
3683 	if ((t_handle = zonecfg_init_handle()) == NULL) {
3684 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3685 		return (Z_ERR);
3686 	}
3687 	if ((err = zonecfg_get_handle(target_zone, t_handle)) != Z_OK) {
3688 		errno = err;
3689 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3690 		zonecfg_fini_handle(t_handle);
3691 		return (Z_ERR);
3692 	}
3693 
3694 	if ((s_handle = zonecfg_init_handle()) == NULL) {
3695 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3696 		zonecfg_fini_handle(t_handle);
3697 		return (Z_ERR);
3698 	}
3699 	if ((err = zonecfg_get_handle(source_zone, s_handle)) != Z_OK) {
3700 		errno = err;
3701 		zperror(cmd_to_str(CMD_CLONE), B_TRUE);
3702 		goto done;
3703 	}
3704 
3705 	/* verify new zone has same brand type */
3706 	err = valid_brand_clone(source_zone, target_zone);
3707 	if (err != Z_OK)
3708 		goto done;
3709 
3710 	/* verify new zone has same inherit-pkg-dirs */
3711 	err = valid_ipd_clone(s_handle, source_zone, t_handle, target_zone);
3712 
3713 	/* warn about imported fs's which are the same */
3714 	warn_fs_match(s_handle, source_zone, t_handle, target_zone);
3715 
3716 	/* warn about imported IP addresses which are the same */
3717 	warn_ip_match(s_handle, source_zone, t_handle, target_zone);
3718 
3719 	/* warn about imported devices which are the same */
3720 	warn_dev_match(s_handle, source_zone, t_handle, target_zone);
3721 
3722 	/* warn about imported datasets which are the same */
3723 	warn_dataset_match(s_handle, source_zone, t_handle, target_zone);
3724 
3725 done:
3726 	zonecfg_fini_handle(t_handle);
3727 	zonecfg_fini_handle(s_handle);
3728 
3729 	return ((err == Z_OK) ? Z_OK : Z_ERR);
3730 }
3731 
3732 static int
3733 copy_zone(char *src, char *dst)
3734 {
3735 	boolean_t out_null = B_FALSE;
3736 	int status;
3737 	char *outfile;
3738 	char cmdbuf[MAXPATHLEN * 2 + 128];
3739 
3740 	if ((outfile = tempnam("/var/log", "zone")) == NULL) {
3741 		outfile = "/dev/null";
3742 		out_null = B_TRUE;
3743 	}
3744 
3745 	/*
3746 	 * Use find to get the list of files to copy.  We need to skip
3747 	 * files of type "socket" since cpio can't handle those but that
3748 	 * should be ok since the app will recreate the socket when it runs.
3749 	 * We also need to filter out anything under the .zfs subdir.  Since
3750 	 * find is running depth-first, we need the extra egrep to filter .zfs.
3751 	 */
3752 	(void) snprintf(cmdbuf, sizeof (cmdbuf),
3753 	    "cd %s && /usr/bin/find . -type s -prune -o -depth -print | "
3754 	    "/usr/bin/egrep -v '^\\./\\.zfs$|^\\./\\.zfs/' | "
3755 	    "/usr/bin/cpio -pdmuP@ %s > %s 2>&1",
3756 	    src, dst, outfile);
3757 
3758 	status = do_subproc(cmdbuf);
3759 
3760 	if (subproc_status("copy", status, B_TRUE) != ZONE_SUBPROC_OK) {
3761 		if (!out_null)
3762 			(void) fprintf(stderr, gettext("\nThe copy failed.\n"
3763 			    "More information can be found in %s\n"), outfile);
3764 		return (Z_ERR);
3765 	}
3766 
3767 	if (!out_null)
3768 		(void) unlink(outfile);
3769 
3770 	return (Z_OK);
3771 }
3772 
3773 static int
3774 zone_postclone(char *zonepath)
3775 {
3776 	char cmdbuf[MAXPATHLEN];
3777 	int status;
3778 	brand_handle_t bh;
3779 	int err = Z_OK;
3780 
3781 	/*
3782 	 * Fetch the post-clone command, if any, from the brand
3783 	 * configuration.
3784 	 */
3785 	if ((bh = brand_open(target_brand)) == NULL) {
3786 		zerror(gettext("missing or invalid brand"));
3787 		return (Z_ERR);
3788 	}
3789 	(void) strcpy(cmdbuf, EXEC_PREFIX);
3790 	err = brand_get_postclone(bh, target_zone, zonepath, cmdbuf + EXEC_LEN,
3791 	    sizeof (cmdbuf) - EXEC_LEN, 0, NULL);
3792 	brand_close(bh);
3793 
3794 	if (err == 0 && strlen(cmdbuf) > EXEC_LEN) {
3795 		status = do_subproc(cmdbuf);
3796 		if ((err = subproc_status("postclone", status, B_FALSE))
3797 		    != ZONE_SUBPROC_OK) {
3798 			zerror(gettext("post-clone configuration failed."));
3799 			err = Z_ERR;
3800 		}
3801 	}
3802 
3803 	return (err);
3804 }
3805 
3806 /* ARGSUSED */
3807 static int
3808 zfm_print(const char *p, void *r) {
3809 	zerror("  %s\n", p);
3810 	return (0);
3811 }
3812 
3813 int
3814 clone_copy(char *source_zonepath, char *zonepath)
3815 {
3816 	int err;
3817 
3818 	/* Don't clone the zone if anything is still mounted there */
3819 	if (zonecfg_find_mounts(source_zonepath, NULL, NULL)) {
3820 		zerror(gettext("These file systems are mounted on "
3821 		    "subdirectories of %s.\n"), source_zonepath);
3822 		(void) zonecfg_find_mounts(source_zonepath, zfm_print, NULL);
3823 		return (Z_ERR);
3824 	}
3825 
3826 	/*
3827 	 * Attempt to create a ZFS fs for the zonepath.  As usual, we don't
3828 	 * care if this works or not since we always have the default behavior
3829 	 * of a simple directory for the zonepath.
3830 	 */
3831 	create_zfs_zonepath(zonepath);
3832 
3833 	(void) printf(gettext("Copying %s..."), source_zonepath);
3834 	(void) fflush(stdout);
3835 
3836 	err = copy_zone(source_zonepath, zonepath);
3837 
3838 	(void) printf("\n");
3839 
3840 	return (err);
3841 }
3842 
3843 static int
3844 clone_func(int argc, char *argv[])
3845 {
3846 	char *source_zone = NULL;
3847 	int lockfd;
3848 	int err, arg;
3849 	char zonepath[MAXPATHLEN];
3850 	char source_zonepath[MAXPATHLEN];
3851 	zone_state_t state;
3852 	zone_entry_t *zent;
3853 	char *method = NULL;
3854 	char *snapshot = NULL;
3855 
3856 	if (zonecfg_in_alt_root()) {
3857 		zerror(gettext("cannot clone zone in alternate root"));
3858 		return (Z_ERR);
3859 	}
3860 
3861 	optind = 0;
3862 	if ((arg = getopt(argc, argv, "?m:s:")) != EOF) {
3863 		switch (arg) {
3864 		case '?':
3865 			sub_usage(SHELP_CLONE, CMD_CLONE);
3866 			return (optopt == '?' ? Z_OK : Z_USAGE);
3867 		case 'm':
3868 			method = optarg;
3869 			break;
3870 		case 's':
3871 			snapshot = optarg;
3872 			break;
3873 		default:
3874 			sub_usage(SHELP_CLONE, CMD_CLONE);
3875 			return (Z_USAGE);
3876 		}
3877 	}
3878 	if (argc != (optind + 1) ||
3879 	    (method != NULL && strcmp(method, "copy") != 0)) {
3880 		sub_usage(SHELP_CLONE, CMD_CLONE);
3881 		return (Z_USAGE);
3882 	}
3883 	source_zone = argv[optind];
3884 	if (sanity_check(target_zone, CMD_CLONE, B_FALSE, B_TRUE, B_FALSE)
3885 	    != Z_OK)
3886 		return (Z_ERR);
3887 	if (verify_details(CMD_CLONE, argv) != Z_OK)
3888 		return (Z_ERR);
3889 
3890 	/*
3891 	 * We also need to do some extra validation on the source zone.
3892 	 */
3893 	if (strcmp(source_zone, GLOBAL_ZONENAME) == 0) {
3894 		zerror(gettext("%s operation is invalid for the global zone."),
3895 		    cmd_to_str(CMD_CLONE));
3896 		return (Z_ERR);
3897 	}
3898 
3899 	if (strncmp(source_zone, "SUNW", 4) == 0) {
3900 		zerror(gettext("%s operation is invalid for zones starting "
3901 		    "with SUNW."), cmd_to_str(CMD_CLONE));
3902 		return (Z_ERR);
3903 	}
3904 
3905 	zent = lookup_running_zone(source_zone);
3906 	if (zent != NULL) {
3907 		/* check whether the zone is ready or running */
3908 		if ((err = zone_get_state(zent->zname, &zent->zstate_num))
3909 		    != Z_OK) {
3910 			errno = err;
3911 			zperror2(zent->zname, gettext("could not get state"));
3912 			/* can't tell, so hedge */
3913 			zent->zstate_str = "ready/running";
3914 		} else {
3915 			zent->zstate_str = zone_state_str(zent->zstate_num);
3916 		}
3917 		zerror(gettext("%s operation is invalid for %s zones."),
3918 		    cmd_to_str(CMD_CLONE), zent->zstate_str);
3919 		return (Z_ERR);
3920 	}
3921 
3922 	if ((err = zone_get_state(source_zone, &state)) != Z_OK) {
3923 		errno = err;
3924 		zperror2(source_zone, gettext("could not get state"));
3925 		return (Z_ERR);
3926 	}
3927 	if (state != ZONE_STATE_INSTALLED) {
3928 		(void) fprintf(stderr,
3929 		    gettext("%s: zone %s is %s; %s is required.\n"),
3930 		    execname, source_zone, zone_state_str(state),
3931 		    zone_state_str(ZONE_STATE_INSTALLED));
3932 		return (Z_ERR);
3933 	}
3934 
3935 	/*
3936 	 * The source zone checks out ok, continue with the clone.
3937 	 */
3938 
3939 	if (validate_clone(source_zone, target_zone) != Z_OK)
3940 		return (Z_ERR);
3941 
3942 	if (grab_lock_file(target_zone, &lockfd) != Z_OK) {
3943 		zerror(gettext("another %s may have an operation in progress."),
3944 		    "zoneadm");
3945 		return (Z_ERR);
3946 	}
3947 
3948 	if ((err = zone_get_zonepath(source_zone, source_zonepath,
3949 	    sizeof (source_zonepath))) != Z_OK) {
3950 		errno = err;
3951 		zperror2(source_zone, gettext("could not get zone path"));
3952 		goto done;
3953 	}
3954 
3955 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
3956 	    != Z_OK) {
3957 		errno = err;
3958 		zperror2(target_zone, gettext("could not get zone path"));
3959 		goto done;
3960 	}
3961 
3962 	if ((err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE))
3963 	    != Z_OK) {
3964 		errno = err;
3965 		zperror2(target_zone, gettext("could not set state"));
3966 		goto done;
3967 	}
3968 
3969 	if (snapshot != NULL) {
3970 		err = clone_snapshot_zfs(snapshot, zonepath);
3971 	} else {
3972 		/*
3973 		 * We always copy the clone unless the source is ZFS and a
3974 		 * ZFS clone worked.  We fallback to copying if the ZFS clone
3975 		 * fails for some reason.
3976 		 */
3977 		err = Z_ERR;
3978 		if (method == NULL && is_zonepath_zfs(source_zonepath))
3979 			err = clone_zfs(source_zone, source_zonepath, zonepath);
3980 
3981 		if (err != Z_OK)
3982 			err = clone_copy(source_zonepath, zonepath);
3983 	}
3984 
3985 	/*
3986 	 * Trusted Extensions requires that cloned zones use the same sysid
3987 	 * configuration, so it is not appropriate to perform any
3988 	 * post-clone reconfiguration.
3989 	 */
3990 	if ((err == Z_OK) && !is_system_labeled())
3991 		err = zone_postclone(zonepath);
3992 
3993 done:
3994 	/*
3995 	 * If everything went well, we mark the zone as installed.
3996 	 */
3997 	if (err == Z_OK) {
3998 		err = zone_set_state(target_zone, ZONE_STATE_INSTALLED);
3999 		if (err != Z_OK) {
4000 			errno = err;
4001 			zperror2(target_zone, gettext("could not set state"));
4002 		}
4003 	}
4004 	release_lock_file(lockfd);
4005 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4006 }
4007 
4008 /*
4009  * Used when removing a zonepath after uninstalling or cleaning up after
4010  * the move subcommand.  This handles a zonepath that has non-standard
4011  * contents so that we will only cleanup the stuff we know about and leave
4012  * any user data alone.
4013  *
4014  * If the "all" parameter is true then we should remove the whole zonepath
4015  * even if it has non-standard files/directories in it.  This can be used when
4016  * we need to cleanup after moving the zonepath across file systems.
4017  *
4018  * We "exec" the RMCOMMAND so that the returned status is that of RMCOMMAND
4019  * and not the shell.
4020  */
4021 static int
4022 cleanup_zonepath(char *zonepath, boolean_t all)
4023 {
4024 	int		status;
4025 	int		i;
4026 	boolean_t	non_std = B_FALSE;
4027 	struct dirent	*dp;
4028 	DIR		*dirp;
4029 	char		*std_entries[] = {"dev", "lu", "root", NULL};
4030 			/* (MAXPATHLEN * 3) is for the 3 std_entries dirs */
4031 	char		cmdbuf[sizeof (RMCOMMAND) + (MAXPATHLEN * 3) + 64];
4032 
4033 	/*
4034 	 * We shouldn't need these checks but lets be paranoid since we
4035 	 * could blow away the whole system here if we got the wrong zonepath.
4036 	 */
4037 	if (*zonepath == NULL || strcmp(zonepath, "/") == 0) {
4038 		(void) fprintf(stderr, "invalid zonepath '%s'\n", zonepath);
4039 		return (Z_INVAL);
4040 	}
4041 
4042 	/*
4043 	 * If the dirpath is already gone (maybe it was manually removed) then
4044 	 * we just return Z_OK so that the cleanup is successful.
4045 	 */
4046 	if ((dirp = opendir(zonepath)) == NULL)
4047 		return (Z_OK);
4048 
4049 	/*
4050 	 * Look through the zonepath directory to see if there are any
4051 	 * non-standard files/dirs.  Also skip .zfs since that might be
4052 	 * there but we'll handle ZFS file systems as a special case.
4053 	 */
4054 	while ((dp = readdir(dirp)) != NULL) {
4055 		if (strcmp(dp->d_name, ".") == 0 ||
4056 		    strcmp(dp->d_name, "..") == 0 ||
4057 		    strcmp(dp->d_name, ".zfs") == 0)
4058 			continue;
4059 
4060 		for (i = 0; std_entries[i] != NULL; i++)
4061 			if (strcmp(dp->d_name, std_entries[i]) == 0)
4062 				break;
4063 
4064 		if (std_entries[i] == NULL)
4065 			non_std = B_TRUE;
4066 	}
4067 	(void) closedir(dirp);
4068 
4069 	if (!all && non_std) {
4070 		/*
4071 		 * There are extra, non-standard directories/files in the
4072 		 * zonepath so we don't want to remove the zonepath.  We
4073 		 * just want to remove the standard directories and leave
4074 		 * the user data alone.
4075 		 */
4076 		(void) snprintf(cmdbuf, sizeof (cmdbuf), "exec " RMCOMMAND);
4077 
4078 		for (i = 0; std_entries[i] != NULL; i++) {
4079 			char tmpbuf[MAXPATHLEN];
4080 
4081 			if (snprintf(tmpbuf, sizeof (tmpbuf), " %s/%s",
4082 			    zonepath, std_entries[i]) >= sizeof (tmpbuf) ||
4083 			    strlcat(cmdbuf, tmpbuf, sizeof (cmdbuf)) >=
4084 			    sizeof (cmdbuf)) {
4085 				(void) fprintf(stderr,
4086 				    gettext("path is too long\n"));
4087 				return (Z_INVAL);
4088 			}
4089 		}
4090 
4091 		status = do_subproc(cmdbuf);
4092 
4093 		(void) fprintf(stderr, gettext("WARNING: Unable to completely "
4094 		    "remove %s\nbecause it contains additional user data.  "
4095 		    "Only the standard directory\nentries have been "
4096 		    "removed.\n"),
4097 		    zonepath);
4098 
4099 		return ((subproc_status(RMCOMMAND, status, B_TRUE) ==
4100 		    ZONE_SUBPROC_OK) ? Z_OK : Z_ERR);
4101 	}
4102 
4103 	/*
4104 	 * There is nothing unexpected in the zonepath, try to get rid of the
4105 	 * whole zonepath directory.
4106 	 *
4107 	 * If the zonepath is its own zfs file system, try to destroy the
4108 	 * file system.  If that fails for some reason (e.g. it has clones)
4109 	 * then we'll just remove the contents of the zonepath.
4110 	 */
4111 	if (is_zonepath_zfs(zonepath)) {
4112 		if (destroy_zfs(zonepath) == Z_OK)
4113 			return (Z_OK);
4114 		(void) snprintf(cmdbuf, sizeof (cmdbuf), "exec " RMCOMMAND
4115 		    " %s/*", zonepath);
4116 		status = do_subproc(cmdbuf);
4117 		return ((subproc_status(RMCOMMAND, status, B_TRUE) ==
4118 		    ZONE_SUBPROC_OK) ? Z_OK : Z_ERR);
4119 	}
4120 
4121 	(void) snprintf(cmdbuf, sizeof (cmdbuf), "exec " RMCOMMAND " %s",
4122 	    zonepath);
4123 	status = do_subproc(cmdbuf);
4124 
4125 	return ((subproc_status(RMCOMMAND, status, B_TRUE) == ZONE_SUBPROC_OK)
4126 	    ? Z_OK : Z_ERR);
4127 }
4128 
4129 static int
4130 move_func(int argc, char *argv[])
4131 {
4132 	char *new_zonepath = NULL;
4133 	int lockfd;
4134 	int err, arg;
4135 	char zonepath[MAXPATHLEN];
4136 	zone_dochandle_t handle;
4137 	boolean_t fast;
4138 	boolean_t is_zfs = B_FALSE;
4139 	struct dirent *dp;
4140 	DIR *dirp;
4141 	boolean_t empty = B_TRUE;
4142 	boolean_t revert;
4143 	struct stat zonepath_buf;
4144 	struct stat new_zonepath_buf;
4145 
4146 	if (zonecfg_in_alt_root()) {
4147 		zerror(gettext("cannot move zone in alternate root"));
4148 		return (Z_ERR);
4149 	}
4150 
4151 	optind = 0;
4152 	if ((arg = getopt(argc, argv, "?")) != EOF) {
4153 		switch (arg) {
4154 		case '?':
4155 			sub_usage(SHELP_MOVE, CMD_MOVE);
4156 			return (optopt == '?' ? Z_OK : Z_USAGE);
4157 		default:
4158 			sub_usage(SHELP_MOVE, CMD_MOVE);
4159 			return (Z_USAGE);
4160 		}
4161 	}
4162 	if (argc != (optind + 1)) {
4163 		sub_usage(SHELP_MOVE, CMD_MOVE);
4164 		return (Z_USAGE);
4165 	}
4166 	new_zonepath = argv[optind];
4167 	if (sanity_check(target_zone, CMD_MOVE, B_FALSE, B_TRUE, B_FALSE)
4168 	    != Z_OK)
4169 		return (Z_ERR);
4170 	if (verify_details(CMD_MOVE, argv) != Z_OK)
4171 		return (Z_ERR);
4172 
4173 	/*
4174 	 * Check out the new zonepath.  This has the side effect of creating
4175 	 * a directory for the new zonepath.  We depend on this later when we
4176 	 * stat to see if we are doing a cross file system move or not.
4177 	 */
4178 	if (validate_zonepath(new_zonepath, CMD_MOVE) != Z_OK)
4179 		return (Z_ERR);
4180 
4181 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
4182 	    != Z_OK) {
4183 		errno = err;
4184 		zperror2(target_zone, gettext("could not get zone path"));
4185 		return (Z_ERR);
4186 	}
4187 
4188 	if (stat(zonepath, &zonepath_buf) == -1) {
4189 		zperror(gettext("could not stat zone path"), B_FALSE);
4190 		return (Z_ERR);
4191 	}
4192 
4193 	if (stat(new_zonepath, &new_zonepath_buf) == -1) {
4194 		zperror(gettext("could not stat new zone path"), B_FALSE);
4195 		return (Z_ERR);
4196 	}
4197 
4198 	/*
4199 	 * Check if the destination directory is empty.
4200 	 */
4201 	if ((dirp = opendir(new_zonepath)) == NULL) {
4202 		zperror(gettext("could not open new zone path"), B_FALSE);
4203 		return (Z_ERR);
4204 	}
4205 	while ((dp = readdir(dirp)) != (struct dirent *)0) {
4206 		if (strcmp(dp->d_name, ".") == 0 ||
4207 		    strcmp(dp->d_name, "..") == 0)
4208 			continue;
4209 		empty = B_FALSE;
4210 		break;
4211 	}
4212 	(void) closedir(dirp);
4213 
4214 	/* Error if there is anything in the destination directory. */
4215 	if (!empty) {
4216 		(void) fprintf(stderr, gettext("could not move zone to %s: "
4217 		    "directory not empty\n"), new_zonepath);
4218 		return (Z_ERR);
4219 	}
4220 
4221 	/* Don't move the zone if anything is still mounted there */
4222 	if (zonecfg_find_mounts(zonepath, NULL, NULL)) {
4223 		zerror(gettext("These file systems are mounted on "
4224 		    "subdirectories of %s.\n"), zonepath);
4225 		(void) zonecfg_find_mounts(zonepath, zfm_print, NULL);
4226 		return (Z_ERR);
4227 	}
4228 
4229 	/*
4230 	 * Check if we are moving in the same file system and can do a fast
4231 	 * move or if we are crossing file systems and have to copy the data.
4232 	 */
4233 	fast = (zonepath_buf.st_dev == new_zonepath_buf.st_dev);
4234 
4235 	if ((handle = zonecfg_init_handle()) == NULL) {
4236 		zperror(cmd_to_str(CMD_MOVE), B_TRUE);
4237 		return (Z_ERR);
4238 	}
4239 
4240 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
4241 		errno = err;
4242 		zperror(cmd_to_str(CMD_MOVE), B_TRUE);
4243 		zonecfg_fini_handle(handle);
4244 		return (Z_ERR);
4245 	}
4246 
4247 	if (grab_lock_file(target_zone, &lockfd) != Z_OK) {
4248 		zerror(gettext("another %s may have an operation in progress."),
4249 		    "zoneadm");
4250 		zonecfg_fini_handle(handle);
4251 		return (Z_ERR);
4252 	}
4253 
4254 	/*
4255 	 * We're making some file system changes now so we have to clean up
4256 	 * the file system before we are done.  This will either clean up the
4257 	 * new zonepath if the zonecfg update failed or it will clean up the
4258 	 * old zonepath if everything is ok.
4259 	 */
4260 	revert = B_TRUE;
4261 
4262 	if (is_zonepath_zfs(zonepath) &&
4263 	    move_zfs(zonepath, new_zonepath) != Z_ERR) {
4264 		is_zfs = B_TRUE;
4265 
4266 	} else if (fast) {
4267 		/* same file system, use rename for a quick move */
4268 
4269 		/*
4270 		 * Remove the new_zonepath directory that got created above
4271 		 * during the validation.  It gets in the way of the rename.
4272 		 */
4273 		if (rmdir(new_zonepath) != 0) {
4274 			zperror(gettext("could not rmdir new zone path"),
4275 			    B_FALSE);
4276 			zonecfg_fini_handle(handle);
4277 			release_lock_file(lockfd);
4278 			return (Z_ERR);
4279 		}
4280 
4281 		if (rename(zonepath, new_zonepath) != 0) {
4282 			/*
4283 			 * If this fails we don't need to do all of the
4284 			 * cleanup that happens for the rest of the code
4285 			 * so just return from this error.
4286 			 */
4287 			zperror(gettext("could not move zone"), B_FALSE);
4288 			zonecfg_fini_handle(handle);
4289 			release_lock_file(lockfd);
4290 			return (Z_ERR);
4291 		}
4292 
4293 	} else {
4294 		/*
4295 		 * Attempt to create a ZFS fs for the new zonepath.  As usual,
4296 		 * we don't care if this works or not since we always have the
4297 		 * default behavior of a simple directory for the zonepath.
4298 		 */
4299 		create_zfs_zonepath(new_zonepath);
4300 
4301 		(void) printf(gettext(
4302 		    "Moving across file systems; copying zonepath %s..."),
4303 		    zonepath);
4304 		(void) fflush(stdout);
4305 
4306 		err = copy_zone(zonepath, new_zonepath);
4307 
4308 		(void) printf("\n");
4309 		if (err != Z_OK)
4310 			goto done;
4311 	}
4312 
4313 	if ((err = zonecfg_set_zonepath(handle, new_zonepath)) != Z_OK) {
4314 		errno = err;
4315 		zperror(gettext("could not set new zonepath"), B_TRUE);
4316 		goto done;
4317 	}
4318 
4319 	if ((err = zonecfg_save(handle)) != Z_OK) {
4320 		errno = err;
4321 		zperror(gettext("zonecfg save failed"), B_TRUE);
4322 		goto done;
4323 	}
4324 
4325 	revert = B_FALSE;
4326 
4327 done:
4328 	zonecfg_fini_handle(handle);
4329 	release_lock_file(lockfd);
4330 
4331 	/*
4332 	 * Clean up the file system based on how things went.  We either
4333 	 * clean up the new zonepath if the operation failed for some reason
4334 	 * or we clean up the old zonepath if everything is ok.
4335 	 */
4336 	if (revert) {
4337 		/* The zonecfg update failed, cleanup the new zonepath. */
4338 		if (is_zfs) {
4339 			if (move_zfs(new_zonepath, zonepath) == Z_ERR) {
4340 				(void) fprintf(stderr, gettext("could not "
4341 				    "restore zonepath, the zfs mountpoint is "
4342 				    "set as:\n%s\n"), new_zonepath);
4343 				/*
4344 				 * err is already != Z_OK since we're reverting
4345 				 */
4346 			}
4347 
4348 		} else if (fast) {
4349 			if (rename(new_zonepath, zonepath) != 0) {
4350 				zperror(gettext("could not restore zonepath"),
4351 				    B_FALSE);
4352 				/*
4353 				 * err is already != Z_OK since we're reverting
4354 				 */
4355 			}
4356 		} else {
4357 			(void) printf(gettext("Cleaning up zonepath %s..."),
4358 			    new_zonepath);
4359 			(void) fflush(stdout);
4360 			err = cleanup_zonepath(new_zonepath, B_TRUE);
4361 			(void) printf("\n");
4362 
4363 			if (err != Z_OK) {
4364 				errno = err;
4365 				zperror(gettext("could not remove new "
4366 				    "zonepath"), B_TRUE);
4367 			} else {
4368 				/*
4369 				 * Because we're reverting we know the mainline
4370 				 * code failed but we just reused the err
4371 				 * variable so we reset it back to Z_ERR.
4372 				 */
4373 				err = Z_ERR;
4374 			}
4375 		}
4376 
4377 	} else {
4378 		/* The move was successful, cleanup the old zonepath. */
4379 		if (!is_zfs && !fast) {
4380 			(void) printf(
4381 			    gettext("Cleaning up zonepath %s..."), zonepath);
4382 			(void) fflush(stdout);
4383 			err = cleanup_zonepath(zonepath, B_TRUE);
4384 			(void) printf("\n");
4385 
4386 			if (err != Z_OK) {
4387 				errno = err;
4388 				zperror(gettext("could not remove zonepath"),
4389 				    B_TRUE);
4390 			}
4391 		}
4392 	}
4393 
4394 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4395 }
4396 
4397 static int
4398 detach_func(int argc, char *argv[])
4399 {
4400 	int lockfd;
4401 	int err, arg;
4402 	char zonepath[MAXPATHLEN];
4403 	zone_dochandle_t handle;
4404 	boolean_t execute = B_TRUE;
4405 
4406 	if (zonecfg_in_alt_root()) {
4407 		zerror(gettext("cannot detach zone in alternate root"));
4408 		return (Z_ERR);
4409 	}
4410 
4411 	optind = 0;
4412 	if ((arg = getopt(argc, argv, "?n")) != EOF) {
4413 		switch (arg) {
4414 		case '?':
4415 			sub_usage(SHELP_DETACH, CMD_DETACH);
4416 			return (optopt == '?' ? Z_OK : Z_USAGE);
4417 		case 'n':
4418 			execute = B_FALSE;
4419 			break;
4420 		default:
4421 			sub_usage(SHELP_DETACH, CMD_DETACH);
4422 			return (Z_USAGE);
4423 		}
4424 	}
4425 
4426 	if (execute) {
4427 		if (sanity_check(target_zone, CMD_DETACH, B_FALSE, B_TRUE,
4428 		    B_FALSE) != Z_OK)
4429 			return (Z_ERR);
4430 		if (verify_details(CMD_DETACH, argv) != Z_OK)
4431 			return (Z_ERR);
4432 	} else {
4433 		/*
4434 		 * We want a dry-run to work for a non-privileged user so we
4435 		 * only do minimal validation.
4436 		 */
4437 		if (getzoneid() != GLOBAL_ZONEID) {
4438 			zerror(gettext("must be in the global zone to %s a "
4439 			    "zone."), cmd_to_str(CMD_DETACH));
4440 			return (Z_ERR);
4441 		}
4442 
4443 		if (target_zone == NULL) {
4444 			zerror(gettext("no zone specified"));
4445 			return (Z_ERR);
4446 		}
4447 
4448 		if (strcmp(target_zone, GLOBAL_ZONENAME) == 0) {
4449 			zerror(gettext("%s operation is invalid for the "
4450 			    "global zone."), cmd_to_str(CMD_DETACH));
4451 			return (Z_ERR);
4452 		}
4453 	}
4454 
4455 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
4456 	    != Z_OK) {
4457 		errno = err;
4458 		zperror2(target_zone, gettext("could not get zone path"));
4459 		return (Z_ERR);
4460 	}
4461 
4462 	/* Don't detach the zone if anything is still mounted there */
4463 	if (execute && zonecfg_find_mounts(zonepath, NULL, NULL)) {
4464 		zerror(gettext("These file systems are mounted on "
4465 		    "subdirectories of %s.\n"), zonepath);
4466 		(void) zonecfg_find_mounts(zonepath, zfm_print, NULL);
4467 		return (Z_ERR);
4468 	}
4469 
4470 	if ((handle = zonecfg_init_handle()) == NULL) {
4471 		zperror(cmd_to_str(CMD_DETACH), B_TRUE);
4472 		return (Z_ERR);
4473 	}
4474 
4475 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
4476 		errno = err;
4477 		zperror(cmd_to_str(CMD_DETACH), B_TRUE);
4478 		zonecfg_fini_handle(handle);
4479 		return (Z_ERR);
4480 	}
4481 
4482 	if (execute && grab_lock_file(target_zone, &lockfd) != Z_OK) {
4483 		zerror(gettext("another %s may have an operation in progress."),
4484 		    "zoneadm");
4485 		zonecfg_fini_handle(handle);
4486 		return (Z_ERR);
4487 	}
4488 
4489 	if ((err = zonecfg_get_detach_info(handle, B_TRUE)) != Z_OK) {
4490 		errno = err;
4491 		zperror(gettext("getting the detach information failed"),
4492 		    B_TRUE);
4493 		goto done;
4494 	}
4495 
4496 	if ((err = zonecfg_detach_save(handle, (execute ? 0 : ZONE_DRY_RUN)))
4497 	    != Z_OK) {
4498 		errno = err;
4499 		zperror(gettext("saving the detach manifest failed"), B_TRUE);
4500 		goto done;
4501 	}
4502 
4503 	/*
4504 	 * Set the zone state back to configured unless we are running with the
4505 	 * no-execute option.
4506 	 */
4507 	if (execute && (err = zone_set_state(target_zone,
4508 	    ZONE_STATE_CONFIGURED)) != Z_OK) {
4509 		errno = err;
4510 		zperror(gettext("could not reset state"), B_TRUE);
4511 	}
4512 
4513 done:
4514 	zonecfg_fini_handle(handle);
4515 	if (execute)
4516 		release_lock_file(lockfd);
4517 
4518 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4519 }
4520 
4521 /*
4522  * During attach we go through and fix up the /dev entries for the zone
4523  * we are attaching.  In order to regenerate /dev with the correct devices,
4524  * the old /dev will be removed, the zone readied (which generates a new
4525  * /dev) then halted, then we use the info from the manifest to update
4526  * the modes, owners, etc. on the new /dev.
4527  */
4528 static int
4529 dev_fix(zone_dochandle_t handle)
4530 {
4531 	int			res;
4532 	int			err;
4533 	int			status;
4534 	struct zone_devpermtab	devtab;
4535 	zone_cmd_arg_t		zarg;
4536 	char			devpath[MAXPATHLEN];
4537 				/* 6: "exec " and " " */
4538 	char			cmdbuf[sizeof (RMCOMMAND) + MAXPATHLEN + 6];
4539 
4540 	if ((res = zonecfg_get_zonepath(handle, devpath, sizeof (devpath)))
4541 	    != Z_OK)
4542 		return (res);
4543 
4544 	if (strlcat(devpath, "/dev", sizeof (devpath)) >= sizeof (devpath))
4545 		return (Z_TOO_BIG);
4546 
4547 	/*
4548 	 * "exec" the command so that the returned status is that of
4549 	 * RMCOMMAND and not the shell.
4550 	 */
4551 	(void) snprintf(cmdbuf, sizeof (cmdbuf), EXEC_PREFIX RMCOMMAND " %s",
4552 	    devpath);
4553 	status = do_subproc(cmdbuf);
4554 	if ((err = subproc_status(RMCOMMAND, status, B_TRUE)) !=
4555 	    ZONE_SUBPROC_OK) {
4556 		(void) fprintf(stderr,
4557 		    gettext("could not remove existing /dev\n"));
4558 		return (Z_ERR);
4559 	}
4560 
4561 	/* In order to ready the zone, it must be in the installed state */
4562 	if ((err = zone_set_state(target_zone, ZONE_STATE_INSTALLED)) != Z_OK) {
4563 		errno = err;
4564 		zperror(gettext("could not reset state"), B_TRUE);
4565 		return (Z_ERR);
4566 	}
4567 
4568 	/* We have to ready the zone to regen the dev tree */
4569 	zarg.cmd = Z_READY;
4570 	if (call_zoneadmd(target_zone, &zarg) != 0) {
4571 		zerror(gettext("call to %s failed"), "zoneadmd");
4572 		/* attempt to restore zone to configured state */
4573 		(void) zone_set_state(target_zone, ZONE_STATE_CONFIGURED);
4574 		return (Z_ERR);
4575 	}
4576 
4577 	zarg.cmd = Z_HALT;
4578 	if (call_zoneadmd(target_zone, &zarg) != 0) {
4579 		zerror(gettext("call to %s failed"), "zoneadmd");
4580 		/* attempt to restore zone to configured state */
4581 		(void) zone_set_state(target_zone, ZONE_STATE_CONFIGURED);
4582 		return (Z_ERR);
4583 	}
4584 
4585 	/* attempt to restore zone to configured state */
4586 	(void) zone_set_state(target_zone, ZONE_STATE_CONFIGURED);
4587 
4588 	if (zonecfg_setdevperment(handle) != Z_OK) {
4589 		(void) fprintf(stderr,
4590 		    gettext("unable to enumerate device entries\n"));
4591 		return (Z_ERR);
4592 	}
4593 
4594 	while (zonecfg_getdevperment(handle, &devtab) == Z_OK) {
4595 		int err;
4596 
4597 		if ((err = zonecfg_devperms_apply(handle,
4598 		    devtab.zone_devperm_name, devtab.zone_devperm_uid,
4599 		    devtab.zone_devperm_gid, devtab.zone_devperm_mode,
4600 		    devtab.zone_devperm_acl)) != Z_OK && err != Z_INVAL)
4601 			(void) fprintf(stderr, gettext("error updating device "
4602 			    "%s: %s\n"), devtab.zone_devperm_name,
4603 			    zonecfg_strerror(err));
4604 
4605 		free(devtab.zone_devperm_acl);
4606 	}
4607 
4608 	(void) zonecfg_enddevperment(handle);
4609 
4610 	return (Z_OK);
4611 }
4612 
4613 /*
4614  * Validate attaching a zone but don't actually do the work.  The zone
4615  * does not have to exist, so there is some complexity getting a new zone
4616  * configuration set up so that we can perform the validation.  This is
4617  * handled within zonecfg_attach_manifest() which returns two handles; one
4618  * for the the full configuration to validate (rem_handle) and the other
4619  * (local_handle) containing only the zone configuration derived from the
4620  * manifest.
4621  */
4622 static int
4623 dryrun_attach(char *manifest_path, char *argv[])
4624 {
4625 	int fd;
4626 	int err;
4627 	int res;
4628 	zone_dochandle_t local_handle;
4629 	zone_dochandle_t rem_handle = NULL;
4630 
4631 	if (strcmp(manifest_path, "-") == 0) {
4632 		fd = 0;
4633 	} else if ((fd = open(manifest_path, O_RDONLY)) < 0) {
4634 		zperror(gettext("could not open manifest path"), B_FALSE);
4635 		return (Z_ERR);
4636 	}
4637 
4638 	if ((local_handle = zonecfg_init_handle()) == NULL) {
4639 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4640 		res = Z_ERR;
4641 		goto done;
4642 	}
4643 
4644 	if ((rem_handle = zonecfg_init_handle()) == NULL) {
4645 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4646 		res = Z_ERR;
4647 		goto done;
4648 	}
4649 
4650 	if ((err = zonecfg_attach_manifest(fd, local_handle, rem_handle))
4651 	    != Z_OK) {
4652 		if (err == Z_INVALID_DOCUMENT)
4653 			zerror(gettext("Cannot attach to an earlier release "
4654 			    "of the operating system"));
4655 		else
4656 			zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4657 		res = Z_ERR;
4658 		goto done;
4659 	}
4660 
4661 	/*
4662 	 * Retrieve remote handle brand type and determine whether it is
4663 	 * native or not.
4664 	 */
4665 	if (zonecfg_get_brand(rem_handle, target_brand, sizeof (target_brand))
4666 	    != Z_OK) {
4667 		zerror(gettext("missing or invalid brand"));
4668 		exit(Z_ERR);
4669 	}
4670 	is_native_zone = (strcmp(target_brand, NATIVE_BRAND_NAME) == 0);
4671 
4672 	res = verify_handle(CMD_ATTACH, local_handle, argv);
4673 
4674 	/* Get the detach information for the locally defined zone. */
4675 	if ((err = zonecfg_get_detach_info(local_handle, B_FALSE)) != Z_OK) {
4676 		errno = err;
4677 		zperror(gettext("getting the attach information failed"),
4678 		    B_TRUE);
4679 		res = Z_ERR;
4680 	} else {
4681 		/* sw_cmp prints error msgs as necessary */
4682 		if (sw_cmp(local_handle, rem_handle, SW_CMP_NONE) != Z_OK)
4683 			res = Z_ERR;
4684 	}
4685 
4686 done:
4687 	if (strcmp(manifest_path, "-") != 0)
4688 		(void) close(fd);
4689 
4690 	zonecfg_fini_handle(local_handle);
4691 	zonecfg_fini_handle(rem_handle);
4692 
4693 	return ((res == Z_OK) ? Z_OK : Z_ERR);
4694 }
4695 
4696 static int
4697 attach_func(int argc, char *argv[])
4698 {
4699 	int lockfd;
4700 	int err, arg;
4701 	boolean_t force = B_FALSE;
4702 	zone_dochandle_t handle;
4703 	zone_dochandle_t athandle = NULL;
4704 	char zonepath[MAXPATHLEN];
4705 	char brand[MAXNAMELEN], atbrand[MAXNAMELEN];
4706 	boolean_t execute = B_TRUE;
4707 	char *manifest_path;
4708 
4709 	if (zonecfg_in_alt_root()) {
4710 		zerror(gettext("cannot attach zone in alternate root"));
4711 		return (Z_ERR);
4712 	}
4713 
4714 	optind = 0;
4715 	if ((arg = getopt(argc, argv, "?Fn:")) != EOF) {
4716 		switch (arg) {
4717 		case '?':
4718 			sub_usage(SHELP_ATTACH, CMD_ATTACH);
4719 			return (optopt == '?' ? Z_OK : Z_USAGE);
4720 		case 'F':
4721 			force = B_TRUE;
4722 			break;
4723 		case 'n':
4724 			execute = B_FALSE;
4725 			manifest_path = optarg;
4726 			break;
4727 		default:
4728 			sub_usage(SHELP_ATTACH, CMD_ATTACH);
4729 			return (Z_USAGE);
4730 		}
4731 	}
4732 
4733 	/*
4734 	 * If the no-execute option was specified, we need to branch down
4735 	 * a completely different path since there is no zone required to be
4736 	 * configured for this option.
4737 	 */
4738 	if (!execute)
4739 		return (dryrun_attach(manifest_path, argv));
4740 
4741 	if (sanity_check(target_zone, CMD_ATTACH, B_FALSE, B_TRUE, B_FALSE)
4742 	    != Z_OK)
4743 		return (Z_ERR);
4744 	if (verify_details(CMD_ATTACH, argv) != Z_OK)
4745 		return (Z_ERR);
4746 
4747 	if ((err = zone_get_zonepath(target_zone, zonepath, sizeof (zonepath)))
4748 	    != Z_OK) {
4749 		errno = err;
4750 		zperror2(target_zone, gettext("could not get zone path"));
4751 		return (Z_ERR);
4752 	}
4753 
4754 	if ((handle = zonecfg_init_handle()) == NULL) {
4755 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4756 		return (Z_ERR);
4757 	}
4758 
4759 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
4760 		errno = err;
4761 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4762 		zonecfg_fini_handle(handle);
4763 		return (Z_ERR);
4764 	}
4765 
4766 	if (grab_lock_file(target_zone, &lockfd) != Z_OK) {
4767 		zerror(gettext("another %s may have an operation in progress."),
4768 		    "zoneadm");
4769 		zonecfg_fini_handle(handle);
4770 		return (Z_ERR);
4771 	}
4772 
4773 	if (force)
4774 		goto forced;
4775 
4776 	if ((athandle = zonecfg_init_handle()) == NULL) {
4777 		zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4778 		goto done;
4779 	}
4780 
4781 	if ((err = zonecfg_get_attach_handle(zonepath, target_zone, B_TRUE,
4782 	    athandle)) != Z_OK) {
4783 		if (err == Z_NO_ZONE)
4784 			zerror(gettext("Not a detached zone"));
4785 		else if (err == Z_INVALID_DOCUMENT)
4786 			zerror(gettext("Cannot attach to an earlier release "
4787 			    "of the operating system"));
4788 		else
4789 			zperror(cmd_to_str(CMD_ATTACH), B_TRUE);
4790 		goto done;
4791 	}
4792 
4793 	/* Get the detach information for the locally defined zone. */
4794 	if ((err = zonecfg_get_detach_info(handle, B_FALSE)) != Z_OK) {
4795 		errno = err;
4796 		zperror(gettext("getting the attach information failed"),
4797 		    B_TRUE);
4798 		goto done;
4799 	}
4800 
4801 	/*
4802 	 * Ensure that the detached and locally defined zones are both of
4803 	 * the same brand.
4804 	 */
4805 	if ((zonecfg_get_brand(handle, brand, sizeof (brand)) != 0) ||
4806 	    (zonecfg_get_brand(athandle, atbrand, sizeof (atbrand)) != 0)) {
4807 		err = Z_ERR;
4808 		zerror(gettext("missing or invalid brand"));
4809 		goto done;
4810 	}
4811 
4812 	if (strcmp(atbrand, brand) != NULL) {
4813 		err = Z_ERR;
4814 		zerror(gettext("Trying to attach a '%s' zone to a '%s' "
4815 		    "configuration."), atbrand, brand);
4816 		goto done;
4817 	}
4818 
4819 	/* sw_cmp prints error msgs as necessary */
4820 	if ((err = sw_cmp(handle, athandle, SW_CMP_NONE)) != Z_OK)
4821 		goto done;
4822 
4823 	if ((err = dev_fix(athandle)) != Z_OK)
4824 		goto done;
4825 
4826 forced:
4827 
4828 	zonecfg_rm_detached(handle, force);
4829 
4830 	if ((err = zone_set_state(target_zone, ZONE_STATE_INSTALLED)) != Z_OK) {
4831 		errno = err;
4832 		zperror(gettext("could not reset state"), B_TRUE);
4833 	}
4834 
4835 done:
4836 	zonecfg_fini_handle(handle);
4837 	release_lock_file(lockfd);
4838 	if (athandle != NULL)
4839 		zonecfg_fini_handle(athandle);
4840 
4841 	return ((err == Z_OK) ? Z_OK : Z_ERR);
4842 }
4843 
4844 /*
4845  * On input, TRUE => yes, FALSE => no.
4846  * On return, TRUE => 1, FALSE => 0, could not ask => -1.
4847  */
4848 
4849 static int
4850 ask_yesno(boolean_t default_answer, const char *question)
4851 {
4852 	char line[64];	/* should be large enough to answer yes or no */
4853 
4854 	if (!isatty(STDIN_FILENO))
4855 		return (-1);
4856 	for (;;) {
4857 		(void) printf("%s (%s)? ", question,
4858 		    default_answer ? "[y]/n" : "y/[n]");
4859 		if (fgets(line, sizeof (line), stdin) == NULL ||
4860 		    line[0] == '\n')
4861 			return (default_answer ? 1 : 0);
4862 		if (tolower(line[0]) == 'y')
4863 			return (1);
4864 		if (tolower(line[0]) == 'n')
4865 			return (0);
4866 	}
4867 }
4868 
4869 static int
4870 uninstall_func(int argc, char *argv[])
4871 {
4872 	char line[ZONENAME_MAX + 128];	/* Enough for "Are you sure ..." */
4873 	char rootpath[MAXPATHLEN], zonepath[MAXPATHLEN];
4874 	boolean_t force = B_FALSE;
4875 	int lockfd, answer;
4876 	int err, arg;
4877 
4878 	if (zonecfg_in_alt_root()) {
4879 		zerror(gettext("cannot uninstall zone in alternate root"));
4880 		return (Z_ERR);
4881 	}
4882 
4883 	optind = 0;
4884 	while ((arg = getopt(argc, argv, "?F")) != EOF) {
4885 		switch (arg) {
4886 		case '?':
4887 			sub_usage(SHELP_UNINSTALL, CMD_UNINSTALL);
4888 			return (optopt == '?' ? Z_OK : Z_USAGE);
4889 		case 'F':
4890 			force = B_TRUE;
4891 			break;
4892 		default:
4893 			sub_usage(SHELP_UNINSTALL, CMD_UNINSTALL);
4894 			return (Z_USAGE);
4895 		}
4896 	}
4897 	if (argc > optind) {
4898 		sub_usage(SHELP_UNINSTALL, CMD_UNINSTALL);
4899 		return (Z_USAGE);
4900 	}
4901 
4902 	if (sanity_check(target_zone, CMD_UNINSTALL, B_FALSE, B_TRUE, B_FALSE)
4903 	    != Z_OK)
4904 		return (Z_ERR);
4905 
4906 	/*
4907 	 * Invoke brand-specific handler.
4908 	 */
4909 	if (invoke_brand_handler(CMD_UNINSTALL, argv) != Z_OK)
4910 		return (Z_ERR);
4911 
4912 	if (!force) {
4913 		(void) snprintf(line, sizeof (line),
4914 		    gettext("Are you sure you want to %s zone %s"),
4915 		    cmd_to_str(CMD_UNINSTALL), target_zone);
4916 		if ((answer = ask_yesno(B_FALSE, line)) == 0) {
4917 			return (Z_OK);
4918 		} else if (answer == -1) {
4919 			zerror(gettext("Input not from terminal and -F "
4920 			    "not specified: %s not done."),
4921 			    cmd_to_str(CMD_UNINSTALL));
4922 			return (Z_ERR);
4923 		}
4924 	}
4925 
4926 	if ((err = zone_get_zonepath(target_zone, zonepath,
4927 	    sizeof (zonepath))) != Z_OK) {
4928 		errno = err;
4929 		zperror2(target_zone, gettext("could not get zone path"));
4930 		return (Z_ERR);
4931 	}
4932 	if ((err = zone_get_rootpath(target_zone, rootpath,
4933 	    sizeof (rootpath))) != Z_OK) {
4934 		errno = err;
4935 		zperror2(target_zone, gettext("could not get root path"));
4936 		return (Z_ERR);
4937 	}
4938 
4939 	/*
4940 	 * If there seems to be a zoneadmd running for this zone, call it
4941 	 * to tell it that an uninstall is happening; if all goes well it
4942 	 * will then shut itself down.
4943 	 */
4944 	if (ping_zoneadmd(target_zone) == Z_OK) {
4945 		zone_cmd_arg_t zarg;
4946 		zarg.cmd = Z_NOTE_UNINSTALLING;
4947 		/* we don't care too much if this fails... just plow on */
4948 		(void) call_zoneadmd(target_zone, &zarg);
4949 	}
4950 
4951 	if (grab_lock_file(target_zone, &lockfd) != Z_OK) {
4952 		zerror(gettext("another %s may have an operation in progress."),
4953 		    "zoneadm");
4954 		return (Z_ERR);
4955 	}
4956 
4957 	/* Don't uninstall the zone if anything is mounted there */
4958 	err = zonecfg_find_mounts(rootpath, NULL, NULL);
4959 	if (err) {
4960 		zerror(gettext("These file systems are mounted on "
4961 		    "subdirectories of %s.\n"), rootpath);
4962 		(void) zonecfg_find_mounts(rootpath, zfm_print, NULL);
4963 		return (Z_ERR);
4964 	}
4965 
4966 	err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE);
4967 	if (err != Z_OK) {
4968 		errno = err;
4969 		zperror2(target_zone, gettext("could not set state"));
4970 		goto bad;
4971 	}
4972 
4973 	if ((err = cleanup_zonepath(zonepath, B_FALSE)) != Z_OK) {
4974 		errno = err;
4975 		zperror2(target_zone, gettext("cleaning up zonepath failed"));
4976 		goto bad;
4977 	}
4978 
4979 	err = zone_set_state(target_zone, ZONE_STATE_CONFIGURED);
4980 	if (err != Z_OK) {
4981 		errno = err;
4982 		zperror2(target_zone, gettext("could not reset state"));
4983 	}
4984 bad:
4985 	release_lock_file(lockfd);
4986 	return (err);
4987 }
4988 
4989 /* ARGSUSED */
4990 static int
4991 mount_func(int argc, char *argv[])
4992 {
4993 	zone_cmd_arg_t zarg;
4994 	boolean_t force = B_FALSE;
4995 	int arg;
4996 
4997 	/*
4998 	 * The only supported subargument to the "mount" subcommand is
4999 	 * "-f", which forces us to mount a zone in the INCOMPLETE state.
5000 	 */
5001 	optind = 0;
5002 	if ((arg = getopt(argc, argv, "f")) != EOF) {
5003 		switch (arg) {
5004 		case 'f':
5005 			force = B_TRUE;
5006 			break;
5007 		default:
5008 			return (Z_USAGE);
5009 		}
5010 	}
5011 	if (argc > optind)
5012 		return (Z_USAGE);
5013 
5014 	if (sanity_check(target_zone, CMD_MOUNT, B_FALSE, B_FALSE, force)
5015 	    != Z_OK)
5016 		return (Z_ERR);
5017 	if (verify_details(CMD_MOUNT, argv) != Z_OK)
5018 		return (Z_ERR);
5019 
5020 	zarg.cmd = force ? Z_FORCEMOUNT : Z_MOUNT;
5021 	if (call_zoneadmd(target_zone, &zarg) != 0) {
5022 		zerror(gettext("call to %s failed"), "zoneadmd");
5023 		return (Z_ERR);
5024 	}
5025 	return (Z_OK);
5026 }
5027 
5028 /* ARGSUSED */
5029 static int
5030 unmount_func(int argc, char *argv[])
5031 {
5032 	zone_cmd_arg_t zarg;
5033 
5034 	if (argc > 0)
5035 		return (Z_USAGE);
5036 	if (sanity_check(target_zone, CMD_UNMOUNT, B_FALSE, B_FALSE, B_FALSE)
5037 	    != Z_OK)
5038 		return (Z_ERR);
5039 
5040 	zarg.cmd = Z_UNMOUNT;
5041 	if (call_zoneadmd(target_zone, &zarg) != 0) {
5042 		zerror(gettext("call to %s failed"), "zoneadmd");
5043 		return (Z_ERR);
5044 	}
5045 	return (Z_OK);
5046 }
5047 
5048 static int
5049 mark_func(int argc, char *argv[])
5050 {
5051 	int err, lockfd;
5052 
5053 	if (argc != 1 || strcmp(argv[0], "incomplete") != 0)
5054 		return (Z_USAGE);
5055 	if (sanity_check(target_zone, CMD_MARK, B_FALSE, B_FALSE, B_FALSE)
5056 	    != Z_OK)
5057 		return (Z_ERR);
5058 
5059 	/*
5060 	 * Invoke brand-specific handler.
5061 	 */
5062 	if (invoke_brand_handler(CMD_MARK, argv) != Z_OK)
5063 		return (Z_ERR);
5064 
5065 	if (grab_lock_file(target_zone, &lockfd) != Z_OK) {
5066 		zerror(gettext("another %s may have an operation in progress."),
5067 		    "zoneadm");
5068 		return (Z_ERR);
5069 	}
5070 
5071 	err = zone_set_state(target_zone, ZONE_STATE_INCOMPLETE);
5072 	if (err != Z_OK) {
5073 		errno = err;
5074 		zperror2(target_zone, gettext("could not set state"));
5075 	}
5076 	release_lock_file(lockfd);
5077 
5078 	return (err);
5079 }
5080 
5081 /*
5082  * Check what scheduling class we're running under and print a warning if
5083  * we're not using FSS.
5084  */
5085 static int
5086 check_sched_fss(zone_dochandle_t handle)
5087 {
5088 	char class_name[PC_CLNMSZ];
5089 
5090 	if (zonecfg_get_dflt_sched_class(handle, class_name,
5091 	    sizeof (class_name)) != Z_OK) {
5092 		zerror(gettext("WARNING: unable to determine the zone's "
5093 		    "scheduling class"));
5094 	} else if (strcmp("FSS", class_name) != 0) {
5095 		zerror(gettext("WARNING: The zone.cpu-shares rctl is set but\n"
5096 		    "FSS is not the default scheduling class for this zone.  "
5097 		    "FSS will be\nused for processes in the zone but to get "
5098 		    "the full benefit of FSS,\nit should be the default "
5099 		    "scheduling class.  See dispadmin(1M) for\nmore details."));
5100 		return (Z_SYSTEM);
5101 	}
5102 
5103 	return (Z_OK);
5104 }
5105 
5106 static int
5107 check_cpu_shares_sched(zone_dochandle_t handle)
5108 {
5109 	int err;
5110 	int res = Z_OK;
5111 	struct zone_rctltab rctl;
5112 
5113 	if ((err = zonecfg_setrctlent(handle)) != Z_OK) {
5114 		errno = err;
5115 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5116 		return (err);
5117 	}
5118 
5119 	while (zonecfg_getrctlent(handle, &rctl) == Z_OK) {
5120 		if (strcmp(rctl.zone_rctl_name, "zone.cpu-shares") == 0) {
5121 			if (check_sched_fss(handle) != Z_OK)
5122 				res = Z_SYSTEM;
5123 			break;
5124 		}
5125 	}
5126 
5127 	(void) zonecfg_endrctlent(handle);
5128 
5129 	return (res);
5130 }
5131 
5132 /*
5133  * Check if there is a mix of processes running in different pools within the
5134  * zone.  This is currently only going to be called for the global zone from
5135  * apply_func but that could be generalized in the future.
5136  */
5137 static boolean_t
5138 mixed_pools(zoneid_t zoneid)
5139 {
5140 	DIR *dirp;
5141 	dirent_t *dent;
5142 	boolean_t mixed = B_FALSE;
5143 	boolean_t poolid_set = B_FALSE;
5144 	poolid_t last_poolid = 0;
5145 
5146 	if ((dirp = opendir("/proc")) == NULL) {
5147 		zerror(gettext("could not open /proc"));
5148 		return (B_FALSE);
5149 	}
5150 
5151 	while ((dent = readdir(dirp)) != NULL) {
5152 		int procfd;
5153 		psinfo_t ps;
5154 		char procpath[MAXPATHLEN];
5155 
5156 		if (dent->d_name[0] == '.')
5157 			continue;
5158 
5159 		(void) snprintf(procpath, sizeof (procpath), "/proc/%s/psinfo",
5160 		    dent->d_name);
5161 
5162 		if ((procfd = open(procpath, O_RDONLY)) == -1)
5163 			continue;
5164 
5165 		if (read(procfd, &ps, sizeof (ps)) == sizeof (psinfo_t)) {
5166 			/* skip processes in other zones and system processes */
5167 			if (zoneid != ps.pr_zoneid || ps.pr_flag & SSYS) {
5168 				(void) close(procfd);
5169 				continue;
5170 			}
5171 
5172 			if (poolid_set) {
5173 				if (ps.pr_poolid != last_poolid)
5174 					mixed = B_TRUE;
5175 			} else {
5176 				last_poolid = ps.pr_poolid;
5177 				poolid_set = B_TRUE;
5178 			}
5179 		}
5180 
5181 		(void) close(procfd);
5182 
5183 		if (mixed)
5184 			break;
5185 	}
5186 
5187 	(void) closedir(dirp);
5188 
5189 	return (mixed);
5190 }
5191 
5192 /*
5193  * Check if a persistent or temporary pool is configured for the zone.
5194  * This is currently only going to be called for the global zone from
5195  * apply_func but that could be generalized in the future.
5196  */
5197 static boolean_t
5198 pool_configured(zone_dochandle_t handle)
5199 {
5200 	int err1, err2;
5201 	struct zone_psettab pset_tab;
5202 	char poolname[MAXPATHLEN];
5203 
5204 	err1 = zonecfg_lookup_pset(handle, &pset_tab);
5205 	err2 = zonecfg_get_pool(handle, poolname, sizeof (poolname));
5206 
5207 	if (err1 == Z_NO_ENTRY &&
5208 	    (err2 == Z_NO_ENTRY || (err2 == Z_OK && strlen(poolname) == 0)))
5209 		return (B_FALSE);
5210 
5211 	return (B_TRUE);
5212 }
5213 
5214 /*
5215  * This is an undocumented interface which is currently only used to apply
5216  * the global zone resource management settings when the system boots.
5217  * This function does not yet properly handle updating a running system so
5218  * any projects running in the zone would be trashed if this function
5219  * were to run after the zone had booted.  It also does not reset any
5220  * rctl settings that were removed from zonecfg.  There is still work to be
5221  * done before we can properly support dynamically updating the resource
5222  * management settings for a running zone (global or non-global).  Thus, this
5223  * functionality is undocumented for now.
5224  */
5225 /* ARGSUSED */
5226 static int
5227 apply_func(int argc, char *argv[])
5228 {
5229 	int err;
5230 	int res = Z_OK;
5231 	priv_set_t *privset;
5232 	zoneid_t zoneid;
5233 	zone_dochandle_t handle;
5234 	struct zone_mcaptab mcap;
5235 	char pool_err[128];
5236 
5237 	zoneid = getzoneid();
5238 
5239 	if (zonecfg_in_alt_root() || zoneid != GLOBAL_ZONEID ||
5240 	    target_zone == NULL || strcmp(target_zone, GLOBAL_ZONENAME) != 0)
5241 		return (usage(B_FALSE));
5242 
5243 	if ((privset = priv_allocset()) == NULL) {
5244 		zerror(gettext("%s failed"), "priv_allocset");
5245 		return (Z_ERR);
5246 	}
5247 
5248 	if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
5249 		zerror(gettext("%s failed"), "getppriv");
5250 		priv_freeset(privset);
5251 		return (Z_ERR);
5252 	}
5253 
5254 	if (priv_isfullset(privset) == B_FALSE) {
5255 		(void) usage(B_FALSE);
5256 		priv_freeset(privset);
5257 		return (Z_ERR);
5258 	}
5259 	priv_freeset(privset);
5260 
5261 	if ((handle = zonecfg_init_handle()) == NULL) {
5262 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5263 		return (Z_ERR);
5264 	}
5265 
5266 	if ((err = zonecfg_get_handle(target_zone, handle)) != Z_OK) {
5267 		errno = err;
5268 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5269 		zonecfg_fini_handle(handle);
5270 		return (Z_ERR);
5271 	}
5272 
5273 	/* specific error msgs are printed within apply_rctls */
5274 	if ((err = zonecfg_apply_rctls(target_zone, handle)) != Z_OK) {
5275 		errno = err;
5276 		zperror(cmd_to_str(CMD_APPLY), B_TRUE);
5277 		res = Z_ERR;
5278 	}
5279 
5280 	if ((err = check_cpu_shares_sched(handle)) != Z_OK)
5281 		res = Z_ERR;
5282 
5283 	if (pool_configured(handle)) {
5284 		if (mixed_pools(zoneid)) {
5285 			zerror(gettext("Zone is using multiple resource "
5286 			    "pools.  The pool\nconfiguration cannot be "
5287 			    "applied without rebooting."));
5288 			res = Z_ERR;
5289 		} else {
5290 
5291 			/*
5292 			 * The next two blocks of code attempt to set up
5293 			 * temporary pools as well as persistent pools.  In
5294 			 * both cases we call the functions unconditionally.
5295 			 * Within each funtion the code will check if the zone
5296 			 * is actually configured for a temporary pool or
5297 			 * persistent pool and just return if there is nothing
5298 			 * to do.
5299 			 */
5300 			if ((err = zonecfg_bind_tmp_pool(handle, zoneid,
5301 			    pool_err, sizeof (pool_err))) != Z_OK) {
5302 				if (err == Z_POOL || err == Z_POOL_CREATE ||
5303 				    err == Z_POOL_BIND)
5304 					zerror("%s: %s", zonecfg_strerror(err),
5305 					    pool_err);
5306 				else
5307 					zerror(gettext("could not bind zone to "
5308 					    "temporary pool: %s"),
5309 					    zonecfg_strerror(err));
5310 				res = Z_ERR;
5311 			}
5312 
5313 			if ((err = zonecfg_bind_pool(handle, zoneid, pool_err,
5314 			    sizeof (pool_err))) != Z_OK) {
5315 				if (err == Z_POOL || err == Z_POOL_BIND)
5316 					zerror("%s: %s", zonecfg_strerror(err),
5317 					    pool_err);
5318 				else
5319 					zerror("%s", zonecfg_strerror(err));
5320 			}
5321 		}
5322 	}
5323 
5324 	/*
5325 	 * If a memory cap is configured, set the cap in the kernel using
5326 	 * zone_setattr() and make sure the rcapd SMF service is enabled.
5327 	 */
5328 	if (zonecfg_getmcapent(handle, &mcap) == Z_OK) {
5329 		uint64_t num;
5330 		char smf_err[128];
5331 
5332 		num = (uint64_t)strtoll(mcap.zone_physmem_cap, NULL, 10);
5333 		if (zone_setattr(zoneid, ZONE_ATTR_PHYS_MCAP, &num, 0) == -1) {
5334 			zerror(gettext("could not set zone memory cap"));
5335 			res = Z_ERR;
5336 		}
5337 
5338 		if (zonecfg_enable_rcapd(smf_err, sizeof (smf_err)) != Z_OK) {
5339 			zerror(gettext("enabling system/rcap service failed: "
5340 			    "%s"), smf_err);
5341 			res = Z_ERR;
5342 		}
5343 	}
5344 
5345 	zonecfg_fini_handle(handle);
5346 
5347 	return (res);
5348 }
5349 
5350 static int
5351 help_func(int argc, char *argv[])
5352 {
5353 	int arg, cmd_num;
5354 
5355 	if (argc == 0) {
5356 		(void) usage(B_TRUE);
5357 		return (Z_OK);
5358 	}
5359 	optind = 0;
5360 	if ((arg = getopt(argc, argv, "?")) != EOF) {
5361 		switch (arg) {
5362 		case '?':
5363 			sub_usage(SHELP_HELP, CMD_HELP);
5364 			return (optopt == '?' ? Z_OK : Z_USAGE);
5365 		default:
5366 			sub_usage(SHELP_HELP, CMD_HELP);
5367 			return (Z_USAGE);
5368 		}
5369 	}
5370 	while (optind < argc) {
5371 		/* Private commands have NULL short_usage; omit them */
5372 		if ((cmd_num = cmd_match(argv[optind])) < 0 ||
5373 		    cmdtab[cmd_num].short_usage == NULL) {
5374 			sub_usage(SHELP_HELP, CMD_HELP);
5375 			return (Z_USAGE);
5376 		}
5377 		sub_usage(cmdtab[cmd_num].short_usage, cmd_num);
5378 		optind++;
5379 	}
5380 	return (Z_OK);
5381 }
5382 
5383 /*
5384  * Returns: CMD_MIN thru CMD_MAX on success, -1 on error
5385  */
5386 
5387 static int
5388 cmd_match(char *cmd)
5389 {
5390 	int i;
5391 
5392 	for (i = CMD_MIN; i <= CMD_MAX; i++) {
5393 		/* return only if there is an exact match */
5394 		if (strcmp(cmd, cmdtab[i].cmd_name) == 0)
5395 			return (cmdtab[i].cmd_num);
5396 	}
5397 	return (-1);
5398 }
5399 
5400 static int
5401 parse_and_run(int argc, char *argv[])
5402 {
5403 	int i = cmd_match(argv[0]);
5404 
5405 	if (i < 0)
5406 		return (usage(B_FALSE));
5407 	return (cmdtab[i].handler(argc - 1, &(argv[1])));
5408 }
5409 
5410 static char *
5411 get_execbasename(char *execfullname)
5412 {
5413 	char *last_slash, *execbasename;
5414 
5415 	/* guard against '/' at end of command invocation */
5416 	for (;;) {
5417 		last_slash = strrchr(execfullname, '/');
5418 		if (last_slash == NULL) {
5419 			execbasename = execfullname;
5420 			break;
5421 		} else {
5422 			execbasename = last_slash + 1;
5423 			if (*execbasename == '\0') {
5424 				*last_slash = '\0';
5425 				continue;
5426 			}
5427 			break;
5428 		}
5429 	}
5430 	return (execbasename);
5431 }
5432 
5433 int
5434 main(int argc, char **argv)
5435 {
5436 	int arg;
5437 	zoneid_t zid;
5438 	struct stat st;
5439 	char *zone_lock_env;
5440 	int err;
5441 
5442 	if ((locale = setlocale(LC_ALL, "")) == NULL)
5443 		locale = "C";
5444 	(void) textdomain(TEXT_DOMAIN);
5445 	setbuf(stdout, NULL);
5446 	(void) sigset(SIGHUP, SIG_IGN);
5447 	execname = get_execbasename(argv[0]);
5448 	target_zone = NULL;
5449 	if (chdir("/") != 0) {
5450 		zerror(gettext("could not change directory to /."));
5451 		exit(Z_ERR);
5452 	}
5453 
5454 	if (init_zfs() != Z_OK)
5455 		exit(Z_ERR);
5456 
5457 	while ((arg = getopt(argc, argv, "?u:z:R:")) != EOF) {
5458 		switch (arg) {
5459 		case '?':
5460 			return (usage(B_TRUE));
5461 		case 'u':
5462 			target_uuid = optarg;
5463 			break;
5464 		case 'z':
5465 			target_zone = optarg;
5466 			break;
5467 		case 'R':	/* private option for admin/install use */
5468 			if (*optarg != '/') {
5469 				zerror(gettext("root path must be absolute."));
5470 				exit(Z_ERR);
5471 			}
5472 			if (stat(optarg, &st) == -1 || !S_ISDIR(st.st_mode)) {
5473 				zerror(
5474 				    gettext("root path must be a directory."));
5475 				exit(Z_ERR);
5476 			}
5477 			zonecfg_set_root(optarg);
5478 			break;
5479 		default:
5480 			return (usage(B_FALSE));
5481 		}
5482 	}
5483 
5484 	if (optind >= argc)
5485 		return (usage(B_FALSE));
5486 
5487 	if (target_uuid != NULL && *target_uuid != '\0') {
5488 		uuid_t uuid;
5489 		static char newtarget[ZONENAME_MAX];
5490 
5491 		if (uuid_parse(target_uuid, uuid) == -1) {
5492 			zerror(gettext("illegal UUID value specified"));
5493 			exit(Z_ERR);
5494 		}
5495 		if (zonecfg_get_name_by_uuid(uuid, newtarget,
5496 		    sizeof (newtarget)) == Z_OK)
5497 			target_zone = newtarget;
5498 	}
5499 
5500 	if (target_zone != NULL && zone_get_id(target_zone, &zid) != 0) {
5501 		errno = Z_NO_ZONE;
5502 		zperror(target_zone, B_TRUE);
5503 		exit(Z_ERR);
5504 	}
5505 
5506 	/*
5507 	 * See if we have inherited the right to manipulate this zone from
5508 	 * a zoneadm instance in our ancestry.  If so, set zone_lock_cnt to
5509 	 * indicate it.  If not, make that explicit in our environment.
5510 	 */
5511 	zone_lock_env = getenv(LOCK_ENV_VAR);
5512 	if (zone_lock_env == NULL) {
5513 		if (putenv(zoneadm_lock_not_held) != 0) {
5514 			zperror(target_zone, B_TRUE);
5515 			exit(Z_ERR);
5516 		}
5517 	} else {
5518 		zoneadm_is_nested = B_TRUE;
5519 		if (atoi(zone_lock_env) == 1)
5520 			zone_lock_cnt = 1;
5521 	}
5522 
5523 	/*
5524 	 * If we are going to be operating on a single zone, retrieve its
5525 	 * brand type and determine whether it is native or not.
5526 	 */
5527 	if ((target_zone != NULL) &&
5528 	    (strcmp(target_zone, GLOBAL_ZONENAME) != NULL)) {
5529 		if (zone_get_brand(target_zone, target_brand,
5530 		    sizeof (target_brand)) != Z_OK) {
5531 			zerror(gettext("missing or invalid brand"));
5532 			exit(Z_ERR);
5533 		}
5534 		is_native_zone = (strcmp(target_brand, NATIVE_BRAND_NAME) == 0);
5535 	}
5536 
5537 	err = parse_and_run(argc - optind, &argv[optind]);
5538 
5539 	return (err);
5540 }
5541