xref: /titanic_51/usr/src/uts/common/os/policy.c (revision 68c47f65208790c466e5e484f2293d3baed71c6a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/stat.h>
34 #include <sys/errno.h>
35 #include <sys/kmem.h>
36 #include <sys/user.h>
37 #include <sys/proc.h>
38 #include <sys/acct.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
43 #include <sys/kobj.h>
44 #include <sys/msg.h>
45 #include <sys/devpolicy.h>
46 #include <c2/audit.h>
47 #include <sys/varargs.h>
48 #include <sys/klpd.h>
49 #include <sys/modctl.h>
50 #include <sys/disp.h>
51 #include <sys/zone.h>
52 #include <inet/optcom.h>
53 #include <sys/sdt.h>
54 #include <sys/vfs.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 #include <sys/dld_ioc.h>
58 
59 /*
60  * There are two possible layers of privilege routines and two possible
61  * levels of secpolicy.  Plus one other we may not be interested in, so
62  * we may need as many as 6 but no more.
63  */
64 #define	MAXPRIVSTACK		6
65 
66 int priv_debug = 0;
67 int priv_basic_test = -1;
68 
69 /*
70  * This file contains the majority of the policy routines.
71  * Since the policy routines are defined by function and not
72  * by privilege, there is quite a bit of duplication of
73  * functions.
74  *
75  * The secpolicy functions must not make assumptions about
76  * locks held or not held as any lock can be held while they're
77  * being called.
78  *
79  * Credentials are read-only so no special precautions need to
80  * be taken while locking them.
81  *
82  * When a new policy check needs to be added to the system the
83  * following procedure should be followed:
84  *
85  *		Pick an appropriate secpolicy_*() function
86  *			-> done if one exists.
87  *		Create a new secpolicy function, preferably with
88  *		a descriptive name using the standard template.
89  *		Pick an appropriate privilege for the policy.
90  *		If no appropraite privilege exists, define new one
91  *		(this should be done with extreme care; in most cases
92  *		little is gained by adding another privilege)
93  *
94  * WHY ROOT IS STILL SPECIAL.
95  *
96  * In a number of the policy functions, there are still explicit
97  * checks for uid 0.  The rationale behind these is that many root
98  * owned files/objects hold configuration information which can give full
99  * privileges to the user once written to.  To prevent escalation
100  * of privilege by allowing just a single privilege to modify root owned
101  * objects, we've added these root specific checks where we considered
102  * them necessary: modifying root owned files, changing uids to 0, etc.
103  *
104  * PRIVILEGE ESCALATION AND ZONES.
105  *
106  * A number of operations potentially allow the caller to achieve
107  * privileges beyond the ones normally required to perform the operation.
108  * For example, if allowed to create a setuid 0 executable, a process can
109  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
110  * restrictions on the ability to gain privileges beyond those available
111  * within the zone through file and process manipulation.  Hence, such
112  * operations require that the caller have an effective set that includes
113  * all privileges available within the current zone, or all privileges
114  * if executing in the global zone.
115  *
116  * This is indicated in the priv_policy* policy checking functions
117  * through a combination of parameters.  The "priv" parameter indicates
118  * the privilege that is required, and the "allzone" parameter indicates
119  * whether or not all privileges in the zone are required.  In addition,
120  * priv can be set to PRIV_ALL to indicate that all privileges are
121  * required (regardless of zone).  There are three scenarios of interest:
122  * (1) operation requires a specific privilege
123  * (2) operation requires a specific privilege, and requires all
124  *     privileges available within the zone (or all privileges if in
125  *     the global zone)
126  * (3) operation requires all privileges, regardless of zone
127  *
128  * For (1), priv should be set to the specific privilege, and allzone
129  * should be set to B_FALSE.
130  * For (2), priv should be set to the specific privilege, and allzone
131  * should be set to B_TRUE.
132  * For (3), priv should be set to PRIV_ALL, and allzone should be set
133  * to B_FALSE.
134  *
135  */
136 
137 /*
138  * The privileges are checked against the Effective set for
139  * ordinary processes and checked against the Limit set
140  * for euid 0 processes that haven't manipulated their privilege
141  * sets.
142  */
143 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
144 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
145 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
147 					HAS_ALLPRIVS(cr) : \
148 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
149 
150 /*
151  * Policy checking functions.
152  *
153  * All of the system's policy should be implemented here.
154  */
155 
156 /*
157  * Private functions which take an additional va_list argument to
158  * implement an object specific policy override.
159  */
160 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
161     const char *, va_list);
162 static int priv_policy_va(const cred_t *, int, boolean_t, int,
163     const char *, ...);
164 
165 /*
166  * Generic policy calls
167  *
168  * The "bottom" functions of policy control
169  */
170 static char *
171 mprintf(const char *fmt, ...)
172 {
173 	va_list args;
174 	char *buf;
175 	size_t len;
176 
177 	va_start(args, fmt);
178 	len = vsnprintf(NULL, 0, fmt, args) + 1;
179 	va_end(args);
180 
181 	buf = kmem_alloc(len, KM_NOSLEEP);
182 
183 	if (buf == NULL)
184 		return (NULL);
185 
186 	va_start(args, fmt);
187 	(void) vsnprintf(buf, len, fmt, args);
188 	va_end(args);
189 
190 	return (buf);
191 }
192 
193 /*
194  * priv_policy_errmsg()
195  *
196  * Generate an error message if privilege debugging is enabled system wide
197  * or for this particular process.
198  */
199 
200 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
201 #define	FMTMSG	" for \"%s\""
202 #define	FMTFUN	" needed at %s+0x%lx"
203 
204 /* The maximum size privilege format: the concatenation of the above */
205 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
206 
207 static void
208 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
209 {
210 	struct proc *me;
211 	pc_t stack[MAXPRIVSTACK];
212 	int depth;
213 	int i;
214 	char *sym;
215 	ulong_t off;
216 	const char *pname;
217 
218 	char *cmd;
219 	char fmt[sizeof (FMTMAX)];
220 
221 	if ((me = curproc) == &p0)
222 		return;
223 
224 	/* Privileges must be defined  */
225 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
226 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
227 	    priv_getbynum(priv) != NULL);
228 
229 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
230 		priv = PRIV_ALL;
231 
232 	if (curthread->t_pre_sys)
233 		ttolwp(curthread)->lwp_badpriv = (short)priv;
234 
235 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
236 		return;
237 
238 	(void) strcpy(fmt, FMTHDR);
239 
240 	if (me->p_user.u_comm[0])
241 		cmd = &me->p_user.u_comm[0];
242 	else
243 		cmd = "priv_policy";
244 
245 	if (msg != NULL && *msg != '\0') {
246 		(void) strcat(fmt, FMTMSG);
247 	} else {
248 		(void) strcat(fmt, "%s");
249 		msg = "";
250 	}
251 
252 	sym = NULL;
253 
254 	depth = getpcstack(stack, MAXPRIVSTACK);
255 
256 	/*
257 	 * Try to find the first interesting function on the stack.
258 	 * priv_policy* that's us, so completely uninteresting.
259 	 * suser(), drv_priv(), secpolicy_* are also called from
260 	 * too many locations to convey useful information.
261 	 */
262 	for (i = 0; i < depth; i++) {
263 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
264 		if (sym != NULL &&
265 		    strstr(sym, "hasprocperm") == 0 &&
266 		    strcmp("suser", sym) != 0 &&
267 		    strcmp("ipcaccess", sym) != 0 &&
268 		    strcmp("drv_priv", sym) != 0 &&
269 		    strncmp("secpolicy_", sym, 10) != 0 &&
270 		    strncmp("priv_policy", sym, 11) != 0)
271 			break;
272 	}
273 
274 	if (sym != NULL)
275 		(void) strcat(fmt, FMTFUN);
276 
277 	(void) strcat(fmt, "\n");
278 
279 	switch (priv) {
280 	case PRIV_ALL:
281 		pname = "ALL";
282 		break;
283 	case PRIV_MULTIPLE:
284 		pname = "MULTIPLE";
285 		break;
286 	case PRIV_ALLZONE:
287 		pname = "ZONE";
288 		break;
289 	case PRIV_GLOBAL:
290 		pname = "GLOBAL";
291 		break;
292 	default:
293 		pname = priv_getbynum(priv);
294 		break;
295 	}
296 
297 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
298 		/* Remember last message, just like lwp_badpriv. */
299 		if (curthread->t_pdmsg != NULL) {
300 			kmem_free(curthread->t_pdmsg,
301 			    strlen(curthread->t_pdmsg) + 1);
302 		}
303 
304 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
305 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
306 
307 		curthread->t_post_sys = 1;
308 	}
309 	if (priv_debug) {
310 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
311 		    curthread->t_sysnum, msg, sym, off);
312 	}
313 }
314 
315 /*
316  * Override the policy, if appropriate.  Return 0 if the external
317  * policy engine approves.
318  */
319 static int
320 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
321 {
322 	priv_set_t set;
323 	int ret;
324 
325 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
326 		return (-1);
327 
328 	if (priv == PRIV_ALL) {
329 		priv_fillset(&set);
330 	} else if (allzone) {
331 		set = *ZONEPRIVS(cr);
332 	} else {
333 		priv_emptyset(&set);
334 		priv_addset(&set, priv);
335 	}
336 	ret = klpd_call(cr, &set, ap);
337 	return (ret);
338 }
339 
340 static int
341 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...)
342 {
343 	va_list ap;
344 
345 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
346 		va_start(ap, req);
347 		return (klpd_call(cr, req, ap));
348 	}
349 	return (-1);
350 }
351 
352 /*
353  * Audit failure, log error message.
354  */
355 static void
356 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
357 {
358 
359 	if (AU_AUDITING())
360 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
361 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
362 
363 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
364 	    curthread->t_pre_sys) {
365 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
366 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
367 		} else {
368 			ASSERT(!HAS_PRIVILEGE(cr, priv));
369 			priv_policy_errmsg(cr, priv, msg);
370 		}
371 	}
372 }
373 
374 /*
375  * priv_policy_ap()
376  * return 0 or error.
377  * See block comment above for a description of "priv" and "allzone" usage.
378  */
379 static int
380 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
381     const char *msg, va_list ap)
382 {
383 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
384 	    (!servicing_interrupt() &&
385 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
386 		if ((allzone || priv == PRIV_ALL ||
387 		    !PRIV_ISASSERT(priv_basic, priv)) &&
388 		    !servicing_interrupt()) {
389 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
390 			if (AU_AUDITING())
391 				audit_priv(priv,
392 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
393 		}
394 		err = 0;
395 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
396 	} else if (!servicing_interrupt()) {
397 		/* Failure audited in this procedure */
398 		priv_policy_err(cr, priv, allzone, msg);
399 	}
400 	return (err);
401 }
402 
403 int
404 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
405     const char *msg, ...)
406 {
407 	int ret;
408 	va_list ap;
409 
410 	va_start(ap, msg);
411 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
412 	va_end(ap);
413 
414 	return (ret);
415 }
416 
417 int
418 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
419     const char *msg)
420 {
421 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE));
422 }
423 
424 /*
425  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
426  */
427 boolean_t
428 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
429 {
430 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
431 	    (!allzone || HAS_ALLZONEPRIVS(cr));
432 
433 	/* Audit success only */
434 	if (res && AU_AUDITING() &&
435 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
436 	    !servicing_interrupt()) {
437 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
438 	}
439 	if (res) {
440 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
441 	} else {
442 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
443 	}
444 	return (res);
445 }
446 
447 /*
448  * Non-auditing variant of priv_policy_choice().
449  */
450 boolean_t
451 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
452 {
453 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
454 	    (!allzone || HAS_ALLZONEPRIVS(cr));
455 
456 	if (res) {
457 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
458 	} else {
459 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
460 	}
461 	return (res);
462 }
463 
464 /*
465  * Check whether all privileges in the required set are present.
466  */
467 static int
468 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
469 {
470 	int priv;
471 	int pfound = -1;
472 	priv_set_t pset;
473 
474 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
475 	    &CR_OEPRIV(cr))) {
476 		return (0);
477 	}
478 
479 	if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0)
480 		return (0);
481 
482 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
483 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
484 		return (EACCES);
485 	}
486 
487 	pset = CR_OEPRIV(cr);		/* present privileges */
488 	priv_inverse(&pset);		/* all non present privileges */
489 	priv_intersect(req, &pset);	/* the actual missing privs */
490 
491 	if (AU_AUDITING())
492 		audit_priv(PRIV_NONE, &pset, 0);
493 	/*
494 	 * Privilege debugging; special case "one privilege in set".
495 	 */
496 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
497 		for (priv = 0; priv < nprivs; priv++) {
498 			if (priv_ismember(&pset, priv)) {
499 				if (pfound != -1) {
500 					/* Multiple missing privs */
501 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
502 					    msg);
503 					return (EACCES);
504 				}
505 				pfound = priv;
506 			}
507 		}
508 		ASSERT(pfound != -1);
509 		/* Just the one missing privilege */
510 		priv_policy_errmsg(cr, pfound, msg);
511 	}
512 
513 	return (EACCES);
514 }
515 
516 /*
517  * Called when an operation requires that the caller be in the
518  * global zone, regardless of privilege.
519  */
520 static int
521 priv_policy_global(const cred_t *cr)
522 {
523 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
524 		return (0);	/* success */
525 
526 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
527 	    curthread->t_pre_sys) {
528 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
529 	}
530 	return (EPERM);
531 }
532 
533 /*
534  * Changing process priority
535  */
536 int
537 secpolicy_setpriority(const cred_t *cr)
538 {
539 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
540 }
541 
542 /*
543  * Binding to a privileged port, port must be specified in host byte
544  * order.
545  */
546 int
547 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
548 {
549 	char *reason;
550 	int priv;
551 
552 	switch (port) {
553 	case 137:
554 	case 138:
555 	case 139:
556 	case 445:
557 		/*
558 		 * NBT and SMB ports, these are extra privileged ports,
559 		 * allow bind only if the SYS_SMB privilege is present.
560 		 */
561 		priv = PRIV_SYS_SMB;
562 		reason = "NBT or SMB port";
563 		break;
564 
565 	case 2049:
566 	case 4045:
567 		/*
568 		 * NFS ports, these are extra privileged ports, allow bind
569 		 * only if the SYS_NFS privilege is present.
570 		 */
571 		priv = PRIV_SYS_NFS;
572 		reason = "NFS port";
573 		break;
574 
575 	default:
576 		priv = PRIV_NET_PRIVADDR;
577 		reason = NULL;
578 		break;
579 
580 	}
581 
582 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
583 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
584 }
585 
586 /*
587  * Binding to a multilevel port on a trusted (labeled) system.
588  */
589 int
590 secpolicy_net_bindmlp(const cred_t *cr)
591 {
592 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
593 }
594 
595 /*
596  * Allow a communication between a zone and an unlabeled host when their
597  * labels don't match.
598  */
599 int
600 secpolicy_net_mac_aware(const cred_t *cr)
601 {
602 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
603 }
604 
605 /*
606  * Allow a privileged process to transmit traffic without explicit labels
607  */
608 int
609 secpolicy_net_mac_implicit(const cred_t *cr)
610 {
611 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
612 }
613 
614 /*
615  * Common routine which determines whether a given credential can
616  * act on a given mount.
617  * When called through mount, the parameter needoptcheck is a pointer
618  * to a boolean variable which will be set to either true or false,
619  * depending on whether the mount policy should change the mount options.
620  * In all other cases, needoptcheck should be a NULL pointer.
621  */
622 static int
623 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
624     boolean_t *needoptcheck)
625 {
626 	boolean_t allzone = B_FALSE;
627 	boolean_t mounting = needoptcheck != NULL;
628 
629 	/*
630 	 * Short circuit the following cases:
631 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
632 	 *	have all privileges - no further checks required
633 	 *	and no mount options need to be set.
634 	 */
635 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
636 		if (mounting)
637 			*needoptcheck = B_FALSE;
638 
639 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
640 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
641 	}
642 
643 	/*
644 	 * When operating on an existing mount (either we're not mounting
645 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
646 	 * can operate only on mounts established by the zone itself.
647 	 */
648 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
649 		zoneid_t zoneid = crgetzoneid(cr);
650 
651 		if (zoneid != GLOBAL_ZONEID &&
652 		    vfsp->vfs_zone->zone_id != zoneid) {
653 			return (EPERM);
654 		}
655 	}
656 
657 	if (mounting)
658 		*needoptcheck = B_TRUE;
659 
660 	/*
661 	 * Overlay mounts may hide important stuff; if you can't write to a
662 	 * mount point but would be able to mount on top of it, you can
663 	 * escalate your privileges.
664 	 * So we go about asking the same questions namefs does when it
665 	 * decides whether you can mount over a file or not but with the
666 	 * added restriction that you can only mount on top of a regular
667 	 * file or directory.
668 	 * If we have all the zone's privileges, we skip all other checks,
669 	 * or else we may actually get in trouble inside the automounter.
670 	 */
671 	if ((mvp->v_flag & VROOT) != 0 ||
672 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
673 	    HAS_ALLZONEPRIVS(cr)) {
674 		allzone = B_TRUE;
675 	} else {
676 		vattr_t va;
677 		int err;
678 
679 		va.va_mask = AT_UID|AT_MODE;
680 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
681 		if (err != 0)
682 			return (err);
683 
684 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
685 			return (err);
686 
687 		if ((va.va_mode & VWRITE) == 0 &&
688 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
689 			return (EACCES);
690 		}
691 	}
692 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
693 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
694 }
695 
696 void
697 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
698 {
699 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
700 
701 	/*
702 	 * check; if we don't have either "nosuid" or
703 	 * both "nosetuid" and "nodevices", then we add
704 	 * "nosuid"; this depends on how the current
705 	 * implementation works (it first checks nosuid).  In a
706 	 * zone, a user with all zone privileges can mount with
707 	 * "setuid" but never with "devices".
708 	 */
709 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
710 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
711 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
712 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
713 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
714 		else
715 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
716 	}
717 	/*
718 	 * If we're not the local super user, we set the "restrict"
719 	 * option to indicate to automountd that this mount should
720 	 * be handled with care.
721 	 */
722 	if (!amsuper)
723 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
724 
725 }
726 
727 extern vnode_t *rootvp;
728 extern vfs_t *rootvfs;
729 
730 int
731 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
732 {
733 	boolean_t needoptchk;
734 	int error;
735 
736 	/*
737 	 * If it's a remount, get the underlying mount point,
738 	 * except for the root where we use the rootvp.
739 	 */
740 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
741 		if (vfsp == rootvfs)
742 			mvp = rootvp;
743 		else
744 			mvp = vfsp->vfs_vnodecovered;
745 	}
746 
747 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
748 
749 	if (error == 0 && needoptchk) {
750 		secpolicy_fs_mount_clearopts(cr, vfsp);
751 	}
752 
753 	return (error);
754 }
755 
756 /*
757  * Does the policy computations for "ownership" of a mount;
758  * here ownership is defined as the ability to "mount"
759  * the filesystem originally.  The rootvfs doesn't cover any
760  * vnodes; we attribute its ownership to the rootvp.
761  */
762 static int
763 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
764 {
765 	vnode_t *mvp;
766 
767 	if (vfsp == NULL)
768 		mvp = NULL;
769 	else if (vfsp == rootvfs)
770 		mvp = rootvp;
771 	else
772 		mvp = vfsp->vfs_vnodecovered;
773 
774 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
775 }
776 
777 int
778 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
779 {
780 	return (secpolicy_fs_owner(cr, vfsp));
781 }
782 
783 /*
784  * Quotas are a resource, but if one has the ability to mount a filesystem, he
785  * should be able to modify quotas on it.
786  */
787 int
788 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
789 {
790 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
791 }
792 
793 /*
794  * Exceeding minfree: also a per-mount resource constraint.
795  */
796 int
797 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
798 {
799 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
800 }
801 
802 int
803 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
804 {
805 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
806 }
807 
808 /* ARGSUSED */
809 int
810 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
811 {
812 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
813 }
814 
815 /*
816  * Name:        secpolicy_vnode_access()
817  *
818  * Parameters:  Process credential
819  *		vnode
820  *		uid of owner of vnode
821  *		permission bits not granted to the caller when examining
822  *		file mode bits (i.e., when a process wants to open a
823  *		mode 444 file for VREAD|VWRITE, this function should be
824  *		called only with a VWRITE argument).
825  *
826  * Normal:      Verifies that cred has the appropriate privileges to
827  *              override the mode bits that were denied.
828  *
829  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
830  *                      not a directory.
831  *              file_dac_read - if VREAD bit was denied.
832  *              file_dac_search - if VEXEC bit was denied and vnode is
833  *                      a directory.
834  *              file_dac_write - if VWRITE bit was denied.
835  *
836  *		Root owned files are special cased to protect system
837  *		configuration files and such.
838  *
839  * Output:      EACCES - if privilege check fails.
840  */
841 
842 /* ARGSUSED */
843 int
844 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
845 {
846 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
847 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
848 	    KLPDARG_NOMORE) != 0) {
849 		return (EACCES);
850 	}
851 
852 	if (mode & VWRITE) {
853 		boolean_t allzone;
854 
855 		if (owner == 0 && cr->cr_uid != 0)
856 			allzone = B_TRUE;
857 		else
858 			allzone = B_FALSE;
859 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
860 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
861 		    KLPDARG_NOMORE) != 0) {
862 			return (EACCES);
863 		}
864 	}
865 
866 	if (mode & VEXEC) {
867 		/*
868 		 * Directories use file_dac_search to override the execute bit.
869 		 */
870 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
871 		    PRIV_FILE_DAC_EXECUTE;
872 
873 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
874 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
875 	}
876 	return (0);
877 }
878 
879 /*
880  * Name:	secpolicy_vnode_setid_modify()
881  *
882  * Normal:	verify that subject can set the file setid flags.
883  *
884  * Output:	EPERM - if not privileged.
885  */
886 
887 static int
888 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
889 {
890 	/* If changing to suid root, must have all zone privs */
891 	boolean_t allzone = B_TRUE;
892 
893 	if (owner != 0) {
894 		if (owner == cr->cr_uid)
895 			return (0);
896 		allzone = B_FALSE;
897 	}
898 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
899 }
900 
901 /*
902  * Are we allowed to retain the set-uid/set-gid bits when
903  * changing ownership or when writing to a file?
904  * "issuid" should be true when set-uid; only in that case
905  * root ownership is checked (setgid is assumed).
906  */
907 int
908 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
909 {
910 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
911 		return (EPERM);
912 
913 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
914 }
915 
916 /*
917  * Name:	secpolicy_vnode_setids_setgids()
918  *
919  * Normal:	verify that subject can set the file setgid flag.
920  *
921  * Output:	EPERM - if not privileged
922  */
923 
924 int
925 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
926 {
927 	if (!groupmember(gid, cred))
928 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
929 		    NULL));
930 	return (0);
931 }
932 
933 /*
934  * Name:	secpolicy_vnode_chown
935  *
936  * Normal:	Determine if subject can chown owner of a file.
937  *
938  * Output:	EPERM - if access denied
939  */
940 
941 int
942 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
943 {
944 	boolean_t is_owner = (owner == crgetuid(cred));
945 	boolean_t allzone = B_FALSE;
946 	int priv;
947 
948 	if (!is_owner) {
949 		allzone = (owner == 0);
950 		priv = PRIV_FILE_CHOWN;
951 	} else {
952 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
953 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
954 	}
955 
956 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
957 }
958 
959 /*
960  * Name:	secpolicy_vnode_create_gid
961  *
962  * Normal:	Determine if subject can change group ownership of a file.
963  *
964  * Output:	EPERM - if access denied
965  */
966 int
967 secpolicy_vnode_create_gid(const cred_t *cred)
968 {
969 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
970 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
971 		    NULL));
972 	else
973 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
974 		    NULL));
975 }
976 
977 /*
978  * Name:	secpolicy_vnode_utime_modify()
979  *
980  * Normal:	verify that subject can modify the utime on a file.
981  *
982  * Output:	EPERM - if access denied.
983  */
984 
985 static int
986 secpolicy_vnode_utime_modify(const cred_t *cred)
987 {
988 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
989 	    "modify file times"));
990 }
991 
992 
993 /*
994  * Name:	secpolicy_vnode_setdac()
995  *
996  * Normal:	verify that subject can modify the mode of a file.
997  *		allzone privilege needed when modifying root owned object.
998  *
999  * Output:	EPERM - if access denied.
1000  */
1001 
1002 int
1003 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1004 {
1005 	if (owner == cred->cr_uid)
1006 		return (0);
1007 
1008 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1009 }
1010 /*
1011  * Name:	secpolicy_vnode_stky_modify()
1012  *
1013  * Normal:	verify that subject can make a file a "sticky".
1014  *
1015  * Output:	EPERM - if access denied.
1016  */
1017 
1018 int
1019 secpolicy_vnode_stky_modify(const cred_t *cred)
1020 {
1021 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1022 	    "set file sticky"));
1023 }
1024 
1025 /*
1026  * Policy determines whether we can remove an entry from a directory,
1027  * regardless of permission bits.
1028  */
1029 int
1030 secpolicy_vnode_remove(const cred_t *cr)
1031 {
1032 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1033 	    "sticky directory"));
1034 }
1035 
1036 int
1037 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1038 {
1039 	boolean_t allzone = (owner == 0);
1040 
1041 	if (owner == cr->cr_uid)
1042 		return (0);
1043 
1044 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1045 }
1046 
1047 void
1048 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1049 {
1050 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1051 	    secpolicy_vnode_setid_retain(cr,
1052 	    (vap->va_mode & S_ISUID) != 0 &&
1053 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1054 		vap->va_mask |= AT_MODE;
1055 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1056 	}
1057 }
1058 
1059 int
1060 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1061     cred_t *cr)
1062 {
1063 	int error;
1064 
1065 	if ((vap->va_mode & S_ISUID) != 0 &&
1066 	    (error = secpolicy_vnode_setid_modify(cr,
1067 	    ovap->va_uid)) != 0) {
1068 		return (error);
1069 	}
1070 
1071 	/*
1072 	 * Check privilege if attempting to set the
1073 	 * sticky bit on a non-directory.
1074 	 */
1075 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1076 	    secpolicy_vnode_stky_modify(cr) != 0) {
1077 		vap->va_mode &= ~S_ISVTX;
1078 	}
1079 
1080 	/*
1081 	 * Check for privilege if attempting to set the
1082 	 * group-id bit.
1083 	 */
1084 	if ((vap->va_mode & S_ISGID) != 0 &&
1085 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1086 		vap->va_mode &= ~S_ISGID;
1087 	}
1088 
1089 	return (0);
1090 }
1091 
1092 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1093 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1094 	B_FALSE, EPERM, NULL)
1095 
1096 /*
1097  * Check privileges for setting xvattr attributes
1098  */
1099 int
1100 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1101 {
1102 	xoptattr_t *xoap;
1103 	int error = 0;
1104 
1105 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1106 		return (EINVAL);
1107 
1108 	/*
1109 	 * First process the DOS bits
1110 	 */
1111 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1112 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1113 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1114 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1115 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME)) {
1116 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1117 			return (error);
1118 	}
1119 
1120 	/*
1121 	 * Now handle special attributes
1122 	 */
1123 
1124 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1125 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1126 		    xoap->xoa_immutable, cr);
1127 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1128 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1129 		    xoap->xoa_nounlink, cr);
1130 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1131 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1132 		    xoap->xoa_appendonly, cr);
1133 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1134 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1135 		    xoap->xoa_nodump, cr);
1136 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1137 		error = EPERM;
1138 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1139 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1140 		    xoap->xoa_av_quarantined, cr);
1141 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1142 			error = EINVAL;
1143 	}
1144 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1145 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1146 		    xoap->xoa_av_modified, cr);
1147 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1148 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1149 		    xoap->xoa_av_scanstamp, cr);
1150 		if (error == 0 && vtype != VREG)
1151 			error = EINVAL;
1152 	}
1153 	return (error);
1154 }
1155 
1156 /*
1157  * This function checks the policy decisions surrounding the
1158  * vop setattr call.
1159  *
1160  * It should be called after sufficient locks have been established
1161  * on the underlying data structures.  No concurrent modifications
1162  * should be allowed.
1163  *
1164  * The caller must pass in unlocked version of its vaccess function
1165  * this is required because vop_access function should lock the
1166  * node for reading.  A three argument function should be defined
1167  * which accepts the following argument:
1168  * 	A pointer to the internal "node" type (inode *)
1169  *	vnode access bits (VREAD|VWRITE|VEXEC)
1170  *	a pointer to the credential
1171  *
1172  * This function makes the following policy decisions:
1173  *
1174  *		- change permissions
1175  *			- permission to change file mode if not owner
1176  *			- permission to add sticky bit to non-directory
1177  *			- permission to add set-gid bit
1178  *
1179  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1180  *
1181  * If the vap argument does not include AT_MODE, the mode will be copied from
1182  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1183  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1184  * is updated to the newly computed mode.
1185  */
1186 
1187 int
1188 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1189 	const struct vattr *ovap, int flags,
1190 	int unlocked_access(void *, int, cred_t *),
1191 	void *node)
1192 {
1193 	int mask = vap->va_mask;
1194 	int error = 0;
1195 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1196 
1197 	if (mask & AT_SIZE) {
1198 		if (vp->v_type == VDIR) {
1199 			error = EISDIR;
1200 			goto out;
1201 		}
1202 
1203 		/*
1204 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1205 		 * perform the secondary unlocked_access() call since the
1206 		 * ACL (if any) is being checked there.
1207 		 */
1208 		if (skipaclchk == B_FALSE) {
1209 			error = unlocked_access(node, VWRITE, cr);
1210 			if (error)
1211 				goto out;
1212 		}
1213 	}
1214 	if (mask & AT_MODE) {
1215 		/*
1216 		 * If not the owner of the file then check privilege
1217 		 * for two things: the privilege to set the mode at all
1218 		 * and, if we're setting setuid, we also need permissions
1219 		 * to add the set-uid bit, if we're not the owner.
1220 		 * In the specific case of creating a set-uid root
1221 		 * file, we need even more permissions.
1222 		 */
1223 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1224 			goto out;
1225 
1226 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1227 		    ovap, cr)) != 0)
1228 			goto out;
1229 	} else
1230 		vap->va_mode = ovap->va_mode;
1231 
1232 	if (mask & (AT_UID|AT_GID)) {
1233 		boolean_t checkpriv = B_FALSE;
1234 
1235 		/*
1236 		 * Chowning files.
1237 		 *
1238 		 * If you are the file owner:
1239 		 *	chown to other uid		FILE_CHOWN_SELF
1240 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1241 		 *	chown to gid (member) 		<none>
1242 		 *
1243 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1244 		 * acceptable but the first one is reported when debugging.
1245 		 *
1246 		 * If you are not the file owner:
1247 		 *	chown from root			PRIV_FILE_CHOWN + zone
1248 		 *	chown from other to any		PRIV_FILE_CHOWN
1249 		 *
1250 		 */
1251 		if (cr->cr_uid != ovap->va_uid) {
1252 			checkpriv = B_TRUE;
1253 		} else {
1254 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1255 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1256 			    !groupmember(vap->va_gid, cr))) {
1257 				checkpriv = B_TRUE;
1258 			}
1259 		}
1260 		/*
1261 		 * If necessary, check privilege to see if update can be done.
1262 		 */
1263 		if (checkpriv &&
1264 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1265 			goto out;
1266 		}
1267 
1268 		/*
1269 		 * If the file has either the set UID or set GID bits
1270 		 * set and the caller can set the bits, then leave them.
1271 		 */
1272 		secpolicy_setid_clear(vap, cr);
1273 	}
1274 	if (mask & (AT_ATIME|AT_MTIME)) {
1275 		/*
1276 		 * If not the file owner and not otherwise privileged,
1277 		 * always return an error when setting the
1278 		 * time other than the current (ATTR_UTIME flag set).
1279 		 * If setting the current time (ATTR_UTIME not set) then
1280 		 * unlocked_access will check permissions according to policy.
1281 		 */
1282 		if (cr->cr_uid != ovap->va_uid) {
1283 			if (flags & ATTR_UTIME)
1284 				error = secpolicy_vnode_utime_modify(cr);
1285 			else if (skipaclchk == B_FALSE) {
1286 				error = unlocked_access(node, VWRITE, cr);
1287 				if (error == EACCES &&
1288 				    secpolicy_vnode_utime_modify(cr) == 0)
1289 					error = 0;
1290 			}
1291 			if (error)
1292 				goto out;
1293 		}
1294 	}
1295 
1296 	/*
1297 	 * Check for optional attributes here by checking the following:
1298 	 */
1299 	if (mask & AT_XVATTR)
1300 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1301 		    vp->v_type);
1302 out:
1303 	return (error);
1304 }
1305 
1306 /*
1307  * Name:	secpolicy_pcfs_modify_bootpartition()
1308  *
1309  * Normal:	verify that subject can modify a pcfs boot partition.
1310  *
1311  * Output:	EACCES - if privilege check failed.
1312  */
1313 /*ARGSUSED*/
1314 int
1315 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1316 {
1317 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1318 	    "modify pcfs boot partition"));
1319 }
1320 
1321 /*
1322  * System V IPC routines
1323  */
1324 int
1325 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1326 {
1327 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1328 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1329 		boolean_t allzone = B_FALSE;
1330 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1331 			allzone = B_TRUE;
1332 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1333 	}
1334 	return (0);
1335 }
1336 
1337 int
1338 secpolicy_ipc_config(const cred_t *cr)
1339 {
1340 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1341 }
1342 
1343 int
1344 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1345 {
1346 
1347 	boolean_t allzone = B_FALSE;
1348 
1349 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1350 
1351 	if ((mode & MSG_R) &&
1352 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1353 		return (EACCES);
1354 
1355 	if (mode & MSG_W) {
1356 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1357 			allzone = B_TRUE;
1358 
1359 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1360 		    NULL));
1361 	}
1362 	return (0);
1363 }
1364 
1365 int
1366 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1367 {
1368 	boolean_t allzone = B_FALSE;
1369 
1370 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1371 
1372 	if ((mode & MSG_R) &&
1373 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1374 		return (EACCES);
1375 
1376 	if (mode & MSG_W) {
1377 		if (cr->cr_uid != 0 && owner == 0)
1378 			allzone = B_TRUE;
1379 
1380 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1381 		    NULL));
1382 	}
1383 	return (0);
1384 }
1385 
1386 /*
1387  * Audit configuration.
1388  */
1389 int
1390 secpolicy_audit_config(const cred_t *cr)
1391 {
1392 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1393 }
1394 
1395 /*
1396  * Audit record generation.
1397  */
1398 int
1399 secpolicy_audit_modify(const cred_t *cr)
1400 {
1401 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1402 }
1403 
1404 /*
1405  * Get audit attributes.
1406  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1407  * "Least" of the two privileges on error.
1408  */
1409 int
1410 secpolicy_audit_getattr(const cred_t *cr)
1411 {
1412 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1413 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1414 		    NULL));
1415 	} else {
1416 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1417 	}
1418 }
1419 
1420 
1421 /*
1422  * Locking physical memory
1423  */
1424 int
1425 secpolicy_lock_memory(const cred_t *cr)
1426 {
1427 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1428 }
1429 
1430 /*
1431  * Accounting (both acct(2) and exacct).
1432  */
1433 int
1434 secpolicy_acct(const cred_t *cr)
1435 {
1436 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1437 }
1438 
1439 /*
1440  * Is this process privileged to change its uids at will?
1441  * Uid 0 is still considered "special" and having the SETID
1442  * privilege is not sufficient to get uid 0.
1443  * Files are owned by root, so the privilege would give
1444  * full access and euid 0 is still effective.
1445  *
1446  * If you have the privilege and euid 0 only then do you
1447  * get the powers of root wrt uid 0.
1448  *
1449  * For gid manipulations, this is should be called with an
1450  * uid of -1.
1451  *
1452  */
1453 int
1454 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1455 {
1456 	boolean_t allzone = B_FALSE;
1457 
1458 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1459 	    cr->cr_ruid != 0) {
1460 		allzone = B_TRUE;
1461 	}
1462 
1463 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1464 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1465 }
1466 
1467 
1468 /*
1469  * Acting on a different process: if the mode is for writing,
1470  * the restrictions are more severe.  This is called after
1471  * we've verified that the uids do not match.
1472  */
1473 int
1474 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1475 {
1476 	boolean_t allzone = B_FALSE;
1477 
1478 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1479 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1480 		allzone = B_TRUE;
1481 
1482 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1483 }
1484 
1485 int
1486 secpolicy_proc_access(const cred_t *scr)
1487 {
1488 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1489 }
1490 
1491 int
1492 secpolicy_proc_excl_open(const cred_t *scr)
1493 {
1494 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1495 }
1496 
1497 int
1498 secpolicy_proc_zone(const cred_t *scr)
1499 {
1500 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1501 }
1502 
1503 /*
1504  * Destroying the system
1505  */
1506 
1507 int
1508 secpolicy_kmdb(const cred_t *scr)
1509 {
1510 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1511 }
1512 
1513 int
1514 secpolicy_error_inject(const cred_t *scr)
1515 {
1516 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1517 }
1518 
1519 /*
1520  * Processor sets, cpu configuration, resource pools.
1521  */
1522 int
1523 secpolicy_pset(const cred_t *cr)
1524 {
1525 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1526 }
1527 
1528 int
1529 secpolicy_ponline(const cred_t *cr)
1530 {
1531 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1532 }
1533 
1534 int
1535 secpolicy_pool(const cred_t *cr)
1536 {
1537 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1538 }
1539 
1540 int
1541 secpolicy_blacklist(const cred_t *cr)
1542 {
1543 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1544 }
1545 
1546 /*
1547  * Catch all system configuration.
1548  */
1549 int
1550 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1551 {
1552 	if (checkonly) {
1553 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1554 		    EPERM);
1555 	} else {
1556 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1557 	}
1558 }
1559 
1560 /*
1561  * Zone administration (halt, reboot, etc.) from within zone.
1562  */
1563 int
1564 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1565 {
1566 	if (checkonly) {
1567 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1568 		    EPERM);
1569 	} else {
1570 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1571 		    NULL));
1572 	}
1573 }
1574 
1575 /*
1576  * Zone configuration (create, halt, enter).
1577  */
1578 int
1579 secpolicy_zone_config(const cred_t *cr)
1580 {
1581 	/*
1582 	 * Require all privileges to avoid possibility of privilege
1583 	 * escalation.
1584 	 */
1585 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1586 }
1587 
1588 /*
1589  * Various other system configuration calls
1590  */
1591 int
1592 secpolicy_coreadm(const cred_t *cr)
1593 {
1594 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1595 }
1596 
1597 int
1598 secpolicy_systeminfo(const cred_t *cr)
1599 {
1600 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1601 }
1602 
1603 int
1604 secpolicy_dispadm(const cred_t *cr)
1605 {
1606 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1607 }
1608 
1609 int
1610 secpolicy_settime(const cred_t *cr)
1611 {
1612 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1613 }
1614 
1615 /*
1616  * For realtime users: high resolution clock.
1617  */
1618 int
1619 secpolicy_clock_highres(const cred_t *cr)
1620 {
1621 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1622 	    NULL));
1623 }
1624 
1625 /*
1626  * drv_priv() is documented as callable from interrupt context, not that
1627  * anyone ever does, but still.  No debugging or auditing can be done when
1628  * it is called from interrupt context.
1629  * returns 0 on succes, EPERM on failure.
1630  */
1631 int
1632 drv_priv(cred_t *cr)
1633 {
1634 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1635 }
1636 
1637 int
1638 secpolicy_sys_devices(const cred_t *cr)
1639 {
1640 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1641 }
1642 
1643 int
1644 secpolicy_excl_open(const cred_t *cr)
1645 {
1646 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1647 }
1648 
1649 int
1650 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1651 {
1652 	/* zone.* rctls can only be set from the global zone */
1653 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1654 		return (EPERM);
1655 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1656 }
1657 
1658 int
1659 secpolicy_resource(const cred_t *cr)
1660 {
1661 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1662 }
1663 
1664 int
1665 secpolicy_resource_anon_mem(const cred_t *cr)
1666 {
1667 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1668 }
1669 
1670 /*
1671  * Processes with a real uid of 0 escape any form of accounting, much
1672  * like before.
1673  */
1674 int
1675 secpolicy_newproc(const cred_t *cr)
1676 {
1677 	if (cr->cr_ruid == 0)
1678 		return (0);
1679 
1680 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1681 }
1682 
1683 /*
1684  * Networking
1685  */
1686 int
1687 secpolicy_net_rawaccess(const cred_t *cr)
1688 {
1689 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1690 }
1691 
1692 int
1693 secpolicy_net_observability(const cred_t *cr)
1694 {
1695 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1696 }
1697 
1698 /*
1699  * Need this privilege for accessing the ICMP device
1700  */
1701 int
1702 secpolicy_net_icmpaccess(const cred_t *cr)
1703 {
1704 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1705 }
1706 
1707 /*
1708  * There are a few rare cases where the kernel generates ioctls() from
1709  * interrupt context with a credential of kcred rather than NULL.
1710  * In those cases, we take the safe and cheap test.
1711  */
1712 int
1713 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1714 {
1715 	if (checkonly) {
1716 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1717 		    0 : EPERM);
1718 	} else {
1719 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1720 		    NULL));
1721 	}
1722 }
1723 
1724 
1725 /*
1726  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1727  *
1728  * There are a few rare cases where the kernel generates ioctls() from
1729  * interrupt context with a credential of kcred rather than NULL.
1730  * In those cases, we take the safe and cheap test.
1731  */
1732 int
1733 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1734 {
1735 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1736 		return (secpolicy_net_config(cr, checkonly));
1737 
1738 	if (checkonly) {
1739 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1740 		    0 : EPERM);
1741 	} else {
1742 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1743 		    NULL));
1744 	}
1745 }
1746 
1747 /*
1748  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1749  */
1750 int
1751 secpolicy_dl_config(const cred_t *cr)
1752 {
1753 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1754 		return (secpolicy_net_config(cr, B_FALSE));
1755 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1756 }
1757 
1758 /*
1759  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1760  */
1761 int
1762 secpolicy_iptun_config(const cred_t *cr)
1763 {
1764 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1765 		return (secpolicy_net_config(cr, B_FALSE));
1766 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1767 		return (secpolicy_dl_config(cr));
1768 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1769 }
1770 
1771 /*
1772  * Map IP pseudo privileges to actual privileges.
1773  * So we don't need to recompile IP when we change the privileges.
1774  */
1775 int
1776 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1777 {
1778 	int priv = PRIV_ALL;
1779 
1780 	switch (netpriv) {
1781 	case OP_CONFIG:
1782 		priv = PRIV_SYS_IP_CONFIG;
1783 		break;
1784 	case OP_RAW:
1785 		priv = PRIV_NET_RAWACCESS;
1786 		break;
1787 	case OP_PRIVPORT:
1788 		priv = PRIV_NET_PRIVADDR;
1789 		break;
1790 	}
1791 	ASSERT(priv != PRIV_ALL);
1792 	if (checkonly)
1793 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1794 	else
1795 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1796 }
1797 
1798 /*
1799  * Map network pseudo privileges to actual privileges.
1800  * So we don't need to recompile IP when we change the privileges.
1801  */
1802 int
1803 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1804 {
1805 	int priv = PRIV_ALL;
1806 
1807 	switch (netpriv) {
1808 	case OP_CONFIG:
1809 		priv = PRIV_SYS_NET_CONFIG;
1810 		break;
1811 	case OP_RAW:
1812 		priv = PRIV_NET_RAWACCESS;
1813 		break;
1814 	case OP_PRIVPORT:
1815 		priv = PRIV_NET_PRIVADDR;
1816 		break;
1817 	}
1818 	ASSERT(priv != PRIV_ALL);
1819 	if (checkonly)
1820 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1821 	else
1822 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1823 }
1824 
1825 /*
1826  * Checks for operations that are either client-only or are used by
1827  * both clients and servers.
1828  */
1829 int
1830 secpolicy_nfs(const cred_t *cr)
1831 {
1832 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1833 }
1834 
1835 /*
1836  * Special case for opening rpcmod: have NFS privileges or network
1837  * config privileges.
1838  */
1839 int
1840 secpolicy_rpcmod_open(const cred_t *cr)
1841 {
1842 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1843 		return (secpolicy_nfs(cr));
1844 	else
1845 		return (secpolicy_net_config(cr, NULL));
1846 }
1847 
1848 int
1849 secpolicy_chroot(const cred_t *cr)
1850 {
1851 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1852 }
1853 
1854 int
1855 secpolicy_tasksys(const cred_t *cr)
1856 {
1857 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1858 }
1859 
1860 /*
1861  * Basic privilege checks.
1862  */
1863 int
1864 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
1865 {
1866 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
1867 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1868 }
1869 
1870 int
1871 secpolicy_basic_fork(const cred_t *cr)
1872 {
1873 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1874 }
1875 
1876 int
1877 secpolicy_basic_proc(const cred_t *cr)
1878 {
1879 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1880 }
1881 
1882 /*
1883  * Slightly complicated because we don't want to trigger the policy too
1884  * often.  First we shortcircuit access to "self" (tp == sp) or if
1885  * we don't have the privilege but if we have permission
1886  * just return (0) and we don't flag the privilege as needed.
1887  * Else, we test for the privilege because we either have it or need it.
1888  */
1889 int
1890 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1891 {
1892 	if (tp == sp ||
1893 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1894 		return (0);
1895 	} else {
1896 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1897 	}
1898 }
1899 
1900 int
1901 secpolicy_basic_link(const cred_t *cr)
1902 {
1903 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1904 }
1905 
1906 int
1907 secpolicy_basic_net_access(const cred_t *cr)
1908 {
1909 	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
1910 }
1911 
1912 /*
1913  * Additional device protection.
1914  *
1915  * Traditionally, a device has specific permissions on the node in
1916  * the filesystem which govern which devices can be opened by what
1917  * processes.  In certain cases, it is desirable to add extra
1918  * restrictions, as writing to certain devices is identical to
1919  * having a complete run of the system.
1920  *
1921  * This mechanism is called the device policy.
1922  *
1923  * When a device is opened, its policy entry is looked up in the
1924  * policy cache and checked.
1925  */
1926 int
1927 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1928 {
1929 	devplcy_t *plcy;
1930 	int err;
1931 	struct snode *csp = VTOS(common_specvp(vp));
1932 	priv_set_t pset;
1933 
1934 	mutex_enter(&csp->s_lock);
1935 
1936 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1937 		plcy = devpolicy_find(vp);
1938 		if (csp->s_plcy)
1939 			dpfree(csp->s_plcy);
1940 		csp->s_plcy = plcy;
1941 		ASSERT(plcy != NULL);
1942 	} else
1943 		plcy = csp->s_plcy;
1944 
1945 	if (plcy == nullpolicy) {
1946 		mutex_exit(&csp->s_lock);
1947 		return (0);
1948 	}
1949 
1950 	dphold(plcy);
1951 
1952 	mutex_exit(&csp->s_lock);
1953 
1954 	if (oflag & FWRITE)
1955 		pset = plcy->dp_wrp;
1956 	else
1957 		pset = plcy->dp_rdp;
1958 	/*
1959 	 * Special case:
1960 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1961 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
1962 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
1963 	 * in the required privilege set before doing the check.
1964 	 */
1965 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
1966 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
1967 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
1968 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
1969 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
1970 	}
1971 
1972 	err = secpolicy_require_set(cr, &pset, "devpolicy");
1973 	dpfree(plcy);
1974 
1975 	return (err);
1976 }
1977 
1978 int
1979 secpolicy_modctl(const cred_t *cr, int cmd)
1980 {
1981 	switch (cmd) {
1982 	case MODINFO:
1983 	case MODGETMAJBIND:
1984 	case MODGETPATH:
1985 	case MODGETPATHLEN:
1986 	case MODGETNAME:
1987 	case MODGETFBNAME:
1988 	case MODGETDEVPOLICY:
1989 	case MODGETDEVPOLICYBYNAME:
1990 	case MODDEVT2INSTANCE:
1991 	case MODSIZEOF_DEVID:
1992 	case MODGETDEVID:
1993 	case MODSIZEOF_MINORNAME:
1994 	case MODGETMINORNAME:
1995 	case MODGETDEVFSPATH_LEN:
1996 	case MODGETDEVFSPATH:
1997 	case MODGETDEVFSPATH_MI_LEN:
1998 	case MODGETDEVFSPATH_MI:
1999 		/* Unprivileged */
2000 		return (0);
2001 	case MODLOAD:
2002 	case MODSETDEVPOLICY:
2003 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2004 	default:
2005 		return (secpolicy_sys_config(cr, B_FALSE));
2006 	}
2007 }
2008 
2009 int
2010 secpolicy_console(const cred_t *cr)
2011 {
2012 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2013 }
2014 
2015 int
2016 secpolicy_power_mgmt(const cred_t *cr)
2017 {
2018 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2019 }
2020 
2021 /*
2022  * Simulate terminal input; another escalation of privileges avenue.
2023  */
2024 
2025 int
2026 secpolicy_sti(const cred_t *cr)
2027 {
2028 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2029 }
2030 
2031 boolean_t
2032 secpolicy_net_reply_equal(const cred_t *cr)
2033 {
2034 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2035 }
2036 
2037 int
2038 secpolicy_swapctl(const cred_t *cr)
2039 {
2040 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2041 }
2042 
2043 int
2044 secpolicy_cpc_cpu(const cred_t *cr)
2045 {
2046 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2047 }
2048 
2049 /*
2050  * secpolicy_contract_identity
2051  *
2052  * Determine if the subject may set the process contract FMRI value
2053  */
2054 int
2055 secpolicy_contract_identity(const cred_t *cr)
2056 {
2057 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2058 }
2059 
2060 /*
2061  * secpolicy_contract_observer
2062  *
2063  * Determine if the subject may observe a specific contract's events.
2064  */
2065 int
2066 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2067 {
2068 	if (contract_owned(ct, cr, B_FALSE))
2069 		return (0);
2070 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2071 }
2072 
2073 /*
2074  * secpolicy_contract_observer_choice
2075  *
2076  * Determine if the subject may observe any contract's events.  Just
2077  * tests privilege and audits on success.
2078  */
2079 boolean_t
2080 secpolicy_contract_observer_choice(const cred_t *cr)
2081 {
2082 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2083 }
2084 
2085 /*
2086  * secpolicy_contract_event
2087  *
2088  * Determine if the subject may request critical contract events or
2089  * reliable contract event delivery.
2090  */
2091 int
2092 secpolicy_contract_event(const cred_t *cr)
2093 {
2094 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2095 }
2096 
2097 /*
2098  * secpolicy_contract_event_choice
2099  *
2100  * Determine if the subject may retain contract events in its critical
2101  * set when a change in other terms would normally require a change in
2102  * the critical set.  Just tests privilege and audits on success.
2103  */
2104 boolean_t
2105 secpolicy_contract_event_choice(const cred_t *cr)
2106 {
2107 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2108 }
2109 
2110 /*
2111  * secpolicy_gart_access
2112  *
2113  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2114  * device.
2115  */
2116 int
2117 secpolicy_gart_access(const cred_t *cr)
2118 {
2119 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2120 }
2121 
2122 /*
2123  * secpolicy_gart_map
2124  *
2125  * Determine if the subject has sufficient priveleges to map aperture range
2126  * through agpgart driver.
2127  */
2128 int
2129 secpolicy_gart_map(const cred_t *cr)
2130 {
2131 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2132 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2133 		    NULL));
2134 	} else {
2135 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2136 		    NULL));
2137 	}
2138 }
2139 
2140 /*
2141  * secpolicy_zinject
2142  *
2143  * Determine if the subject can inject faults in the ZFS fault injection
2144  * framework.  Requires all privileges.
2145  */
2146 int
2147 secpolicy_zinject(const cred_t *cr)
2148 {
2149 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
2150 }
2151 
2152 /*
2153  * secpolicy_zfs
2154  *
2155  * Determine if the subject has permission to manipulate ZFS datasets
2156  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2157  */
2158 int
2159 secpolicy_zfs(const cred_t *cr)
2160 {
2161 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2162 }
2163 
2164 /*
2165  * secpolicy_idmap
2166  *
2167  * Determine if the calling process has permissions to register an SID
2168  * mapping daemon and allocate ephemeral IDs.
2169  */
2170 int
2171 secpolicy_idmap(const cred_t *cr)
2172 {
2173 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2174 }
2175 
2176 /*
2177  * secpolicy_ucode_update
2178  *
2179  * Determine if the subject has sufficient privilege to update microcode.
2180  */
2181 int
2182 secpolicy_ucode_update(const cred_t *scr)
2183 {
2184 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2185 }
2186 
2187 /*
2188  * secpolicy_sadopen
2189  *
2190  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2191  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2192  * In global zone, sys_config is required.
2193  * In exclusive-IP zones, sys_ip_config is required.
2194  * Note that sys_config is prohibited in non-global zones.
2195  */
2196 int
2197 secpolicy_sadopen(const cred_t *credp)
2198 {
2199 	priv_set_t pset;
2200 
2201 	priv_emptyset(&pset);
2202 
2203 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2204 		priv_addset(&pset, PRIV_SYS_CONFIG);
2205 	else
2206 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2207 
2208 	return (secpolicy_require_set(credp, &pset, "devpolicy"));
2209 }
2210 
2211 
2212 /*
2213  * Add privileges to a particular privilege set; this is called when the
2214  * current sets of privileges are not sufficient.  I.e., we should always
2215  * call the policy override functions from here.
2216  * What we are allowed to have is in the Observed Permitted set; so
2217  * we compute the difference between that and the newset.
2218  */
2219 int
2220 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2221 {
2222 	priv_set_t rqd;
2223 
2224 	rqd = CR_OPPRIV(cr);
2225 
2226 	priv_inverse(&rqd);
2227 	priv_intersect(nset, &rqd);
2228 
2229 	return (secpolicy_require_set(cr, &rqd, NULL));
2230 }
2231 
2232 /*
2233  * secpolicy_smb
2234  *
2235  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2236  * that it has permission to access the smbsrv kernel driver.
2237  * PRIV_POLICY checks the privilege and audits the check.
2238  *
2239  * Returns:
2240  * 0       Driver access is allowed.
2241  * EPERM   Driver access is NOT permitted.
2242  */
2243 int
2244 secpolicy_smb(const cred_t *cr)
2245 {
2246 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2247 }
2248 
2249 /*
2250  * secpolicy_vscan
2251  *
2252  * Determine if cred_t has the necessary privileges to access a file
2253  * for virus scanning and update its extended system attributes.
2254  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2255  * PRIV_FILE_FLAG_SET - set extended system attributes
2256  *
2257  * PRIV_POLICY checks the privilege and audits the check.
2258  *
2259  * Returns:
2260  * 0      file access for virus scanning allowed.
2261  * EPERM  file access for virus scanning is NOT permitted.
2262  */
2263 int
2264 secpolicy_vscan(const cred_t *cr)
2265 {
2266 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2267 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2268 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2269 		return (EPERM);
2270 	}
2271 
2272 	return (0);
2273 }
2274 
2275 /*
2276  * secpolicy_smbfs_login
2277  *
2278  * Determines if the caller can add and delete the smbfs login
2279  * password in the the nsmb kernel module for the CIFS client.
2280  *
2281  * Returns:
2282  * 0       access is allowed.
2283  * EPERM   access is NOT allowed.
2284  */
2285 int
2286 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2287 {
2288 	uid_t cruid = crgetruid(cr);
2289 
2290 	if (cruid == uid)
2291 		return (0);
2292 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2293 	    EPERM, NULL));
2294 }
2295 
2296 /*
2297  * secpolicy_xvm_control
2298  *
2299  * Determines if a caller can control the xVM hypervisor and/or running
2300  * domains (x86 specific).
2301  *
2302  * Returns:
2303  * 0       access is allowed.
2304  * EPERM   access is NOT allowed.
2305  */
2306 int
2307 secpolicy_xvm_control(const cred_t *cr)
2308 {
2309 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2310 		return (EPERM);
2311 	return (0);
2312 }
2313 
2314 /*
2315  * secpolicy_ppp_config
2316  *
2317  * Determine if the subject has sufficient privileges to configure PPP and
2318  * PPP-related devices.
2319  */
2320 int
2321 secpolicy_ppp_config(const cred_t *cr)
2322 {
2323 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2324 		return (secpolicy_net_config(cr, B_FALSE));
2325 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2326 }
2327