xref: /titanic_52/usr/src/uts/common/os/policy.c (revision 4656d4747c8743290bfbe910c64cd75eb4e4af8d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/types.h>
26 #include <sys/sysmacros.h>
27 #include <sys/param.h>
28 #include <sys/systm.h>
29 #include <sys/cred_impl.h>
30 #include <sys/vnode.h>
31 #include <sys/vfs.h>
32 #include <sys/stat.h>
33 #include <sys/errno.h>
34 #include <sys/kmem.h>
35 #include <sys/user.h>
36 #include <sys/proc.h>
37 #include <sys/acct.h>
38 #include <sys/ipc_impl.h>
39 #include <sys/cmn_err.h>
40 #include <sys/debug.h>
41 #include <sys/policy.h>
42 #include <sys/kobj.h>
43 #include <sys/msg.h>
44 #include <sys/devpolicy.h>
45 #include <c2/audit.h>
46 #include <sys/varargs.h>
47 #include <sys/klpd.h>
48 #include <sys/modctl.h>
49 #include <sys/disp.h>
50 #include <sys/zone.h>
51 #include <inet/optcom.h>
52 #include <sys/sdt.h>
53 #include <sys/vfs.h>
54 #include <sys/mntent.h>
55 #include <sys/contract_impl.h>
56 #include <sys/dld_ioc.h>
57 
58 /*
59  * There are two possible layers of privilege routines and two possible
60  * levels of secpolicy.  Plus one other we may not be interested in, so
61  * we may need as many as 6 but no more.
62  */
63 #define	MAXPRIVSTACK		6
64 
65 int priv_debug = 0;
66 int priv_basic_test = -1;
67 
68 /*
69  * This file contains the majority of the policy routines.
70  * Since the policy routines are defined by function and not
71  * by privilege, there is quite a bit of duplication of
72  * functions.
73  *
74  * The secpolicy functions must not make assumptions about
75  * locks held or not held as any lock can be held while they're
76  * being called.
77  *
78  * Credentials are read-only so no special precautions need to
79  * be taken while locking them.
80  *
81  * When a new policy check needs to be added to the system the
82  * following procedure should be followed:
83  *
84  *		Pick an appropriate secpolicy_*() function
85  *			-> done if one exists.
86  *		Create a new secpolicy function, preferably with
87  *		a descriptive name using the standard template.
88  *		Pick an appropriate privilege for the policy.
89  *		If no appropraite privilege exists, define new one
90  *		(this should be done with extreme care; in most cases
91  *		little is gained by adding another privilege)
92  *
93  * WHY ROOT IS STILL SPECIAL.
94  *
95  * In a number of the policy functions, there are still explicit
96  * checks for uid 0.  The rationale behind these is that many root
97  * owned files/objects hold configuration information which can give full
98  * privileges to the user once written to.  To prevent escalation
99  * of privilege by allowing just a single privilege to modify root owned
100  * objects, we've added these root specific checks where we considered
101  * them necessary: modifying root owned files, changing uids to 0, etc.
102  *
103  * PRIVILEGE ESCALATION AND ZONES.
104  *
105  * A number of operations potentially allow the caller to achieve
106  * privileges beyond the ones normally required to perform the operation.
107  * For example, if allowed to create a setuid 0 executable, a process can
108  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
109  * restrictions on the ability to gain privileges beyond those available
110  * within the zone through file and process manipulation.  Hence, such
111  * operations require that the caller have an effective set that includes
112  * all privileges available within the current zone, or all privileges
113  * if executing in the global zone.
114  *
115  * This is indicated in the priv_policy* policy checking functions
116  * through a combination of parameters.  The "priv" parameter indicates
117  * the privilege that is required, and the "allzone" parameter indicates
118  * whether or not all privileges in the zone are required.  In addition,
119  * priv can be set to PRIV_ALL to indicate that all privileges are
120  * required (regardless of zone).  There are three scenarios of interest:
121  * (1) operation requires a specific privilege
122  * (2) operation requires a specific privilege, and requires all
123  *     privileges available within the zone (or all privileges if in
124  *     the global zone)
125  * (3) operation requires all privileges, regardless of zone
126  *
127  * For (1), priv should be set to the specific privilege, and allzone
128  * should be set to B_FALSE.
129  * For (2), priv should be set to the specific privilege, and allzone
130  * should be set to B_TRUE.
131  * For (3), priv should be set to PRIV_ALL, and allzone should be set
132  * to B_FALSE.
133  *
134  */
135 
136 /*
137  * The privileges are checked against the Effective set for
138  * ordinary processes and checked against the Limit set
139  * for euid 0 processes that haven't manipulated their privilege
140  * sets.
141  */
142 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
143 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
144 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
145 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
146 					HAS_ALLPRIVS(cr) : \
147 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
148 
149 #define	FAST_BASIC_CHECK(cr, priv)	\
150 	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
151 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
152 		return (0); \
153 	}
154 
155 /*
156  * Policy checking functions.
157  *
158  * All of the system's policy should be implemented here.
159  */
160 
161 /*
162  * Private functions which take an additional va_list argument to
163  * implement an object specific policy override.
164  */
165 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
166     const char *, va_list);
167 static int priv_policy_va(const cred_t *, int, boolean_t, int,
168     const char *, ...);
169 
170 /*
171  * Generic policy calls
172  *
173  * The "bottom" functions of policy control
174  */
175 static char *
176 mprintf(const char *fmt, ...)
177 {
178 	va_list args;
179 	char *buf;
180 	size_t len;
181 
182 	va_start(args, fmt);
183 	len = vsnprintf(NULL, 0, fmt, args) + 1;
184 	va_end(args);
185 
186 	buf = kmem_alloc(len, KM_NOSLEEP);
187 
188 	if (buf == NULL)
189 		return (NULL);
190 
191 	va_start(args, fmt);
192 	(void) vsnprintf(buf, len, fmt, args);
193 	va_end(args);
194 
195 	return (buf);
196 }
197 
198 /*
199  * priv_policy_errmsg()
200  *
201  * Generate an error message if privilege debugging is enabled system wide
202  * or for this particular process.
203  */
204 
205 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
206 #define	FMTMSG	" for \"%s\""
207 #define	FMTFUN	" needed at %s+0x%lx"
208 
209 /* The maximum size privilege format: the concatenation of the above */
210 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
211 
212 static void
213 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
214 {
215 	struct proc *me;
216 	pc_t stack[MAXPRIVSTACK];
217 	int depth;
218 	int i;
219 	char *sym;
220 	ulong_t off;
221 	const char *pname;
222 
223 	char *cmd;
224 	char fmt[sizeof (FMTMAX)];
225 
226 	if ((me = curproc) == &p0)
227 		return;
228 
229 	/* Privileges must be defined  */
230 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
231 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
232 	    priv_getbynum(priv) != NULL);
233 
234 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
235 		priv = PRIV_ALL;
236 
237 	if (curthread->t_pre_sys)
238 		ttolwp(curthread)->lwp_badpriv = (short)priv;
239 
240 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
241 		return;
242 
243 	(void) strcpy(fmt, FMTHDR);
244 
245 	if (me->p_user.u_comm[0])
246 		cmd = &me->p_user.u_comm[0];
247 	else
248 		cmd = "priv_policy";
249 
250 	if (msg != NULL && *msg != '\0') {
251 		(void) strcat(fmt, FMTMSG);
252 	} else {
253 		(void) strcat(fmt, "%s");
254 		msg = "";
255 	}
256 
257 	sym = NULL;
258 
259 	depth = getpcstack(stack, MAXPRIVSTACK);
260 
261 	/*
262 	 * Try to find the first interesting function on the stack.
263 	 * priv_policy* that's us, so completely uninteresting.
264 	 * suser(), drv_priv(), secpolicy_* are also called from
265 	 * too many locations to convey useful information.
266 	 */
267 	for (i = 0; i < depth; i++) {
268 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
269 		if (sym != NULL &&
270 		    strstr(sym, "hasprocperm") == 0 &&
271 		    strcmp("suser", sym) != 0 &&
272 		    strcmp("ipcaccess", sym) != 0 &&
273 		    strcmp("drv_priv", sym) != 0 &&
274 		    strncmp("secpolicy_", sym, 10) != 0 &&
275 		    strncmp("priv_policy", sym, 11) != 0)
276 			break;
277 	}
278 
279 	if (sym != NULL)
280 		(void) strcat(fmt, FMTFUN);
281 
282 	(void) strcat(fmt, "\n");
283 
284 	switch (priv) {
285 	case PRIV_ALL:
286 		pname = "ALL";
287 		break;
288 	case PRIV_MULTIPLE:
289 		pname = "MULTIPLE";
290 		break;
291 	case PRIV_ALLZONE:
292 		pname = "ZONE";
293 		break;
294 	case PRIV_GLOBAL:
295 		pname = "GLOBAL";
296 		break;
297 	default:
298 		pname = priv_getbynum(priv);
299 		break;
300 	}
301 
302 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
303 		/* Remember last message, just like lwp_badpriv. */
304 		if (curthread->t_pdmsg != NULL) {
305 			kmem_free(curthread->t_pdmsg,
306 			    strlen(curthread->t_pdmsg) + 1);
307 		}
308 
309 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
310 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
311 
312 		curthread->t_post_sys = 1;
313 	}
314 	if (priv_debug) {
315 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
316 		    curthread->t_sysnum, msg, sym, off);
317 	}
318 }
319 
320 /*
321  * Override the policy, if appropriate.  Return 0 if the external
322  * policy engine approves.
323  */
324 static int
325 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
326 {
327 	priv_set_t set;
328 	int ret;
329 
330 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
331 		return (-1);
332 
333 	if (priv == PRIV_ALL) {
334 		priv_fillset(&set);
335 	} else if (allzone) {
336 		set = *ZONEPRIVS(cr);
337 	} else {
338 		priv_emptyset(&set);
339 		priv_addset(&set, priv);
340 	}
341 	ret = klpd_call(cr, &set, ap);
342 	return (ret);
343 }
344 
345 static int
346 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
347 {
348 	if (CR_FLAGS(cr) & PRIV_PFEXEC)
349 		return (check_user_privs(cr, req));
350 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
351 		return (klpd_call(cr, req, ap));
352 	}
353 	return (-1);
354 }
355 
356 static int
357 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
358 {
359 	va_list ap;
360 	int ret;
361 
362 	va_start(ap, req);
363 	ret = priv_policy_override_set(cr, req, ap);
364 	va_end(ap);
365 	return (ret);
366 }
367 
368 /*
369  * Audit failure, log error message.
370  */
371 static void
372 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
373 {
374 
375 	if (AU_AUDITING())
376 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
377 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
378 
379 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
380 	    curthread->t_pre_sys) {
381 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
382 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
383 		} else {
384 			ASSERT(!HAS_PRIVILEGE(cr, priv));
385 			priv_policy_errmsg(cr, priv, msg);
386 		}
387 	}
388 }
389 
390 /*
391  * priv_policy_ap()
392  * return 0 or error.
393  * See block comment above for a description of "priv" and "allzone" usage.
394  */
395 static int
396 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
397     const char *msg, va_list ap)
398 {
399 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
400 	    (!servicing_interrupt() &&
401 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
402 		if ((allzone || priv == PRIV_ALL ||
403 		    !PRIV_ISASSERT(priv_basic, priv)) &&
404 		    !servicing_interrupt()) {
405 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
406 			if (AU_AUDITING())
407 				audit_priv(priv,
408 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
409 		}
410 		err = 0;
411 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
412 	} else if (!servicing_interrupt()) {
413 		/* Failure audited in this procedure */
414 		priv_policy_err(cr, priv, allzone, msg);
415 	}
416 	return (err);
417 }
418 
419 int
420 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
421     const char *msg, ...)
422 {
423 	int ret;
424 	va_list ap;
425 
426 	va_start(ap, msg);
427 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
428 	va_end(ap);
429 
430 	return (ret);
431 }
432 
433 int
434 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
435     const char *msg)
436 {
437 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
438 }
439 
440 /*
441  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
442  */
443 boolean_t
444 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
445 {
446 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
447 	    (!allzone || HAS_ALLZONEPRIVS(cr));
448 
449 	/* Audit success only */
450 	if (res && AU_AUDITING() &&
451 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
452 	    !servicing_interrupt()) {
453 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
454 	}
455 	if (res) {
456 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
457 	} else {
458 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
459 	}
460 	return (res);
461 }
462 
463 /*
464  * Non-auditing variant of priv_policy_choice().
465  */
466 boolean_t
467 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
468 {
469 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
470 	    (!allzone || HAS_ALLZONEPRIVS(cr));
471 
472 	if (res) {
473 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
474 	} else {
475 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
476 	}
477 	return (res);
478 }
479 
480 /*
481  * Check whether all privileges in the required set are present.
482  */
483 static int
484 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
485     const char *msg, ...)
486 {
487 	int priv;
488 	int pfound = -1;
489 	priv_set_t pset;
490 	va_list ap;
491 	int ret;
492 
493 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
494 	    &CR_OEPRIV(cr))) {
495 		return (0);
496 	}
497 
498 	va_start(ap, msg);
499 	ret = priv_policy_override_set(cr, req, ap);
500 	va_end(ap);
501 	if (ret == 0)
502 		return (0);
503 
504 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
505 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
506 		return (EACCES);
507 	}
508 
509 	pset = CR_OEPRIV(cr);		/* present privileges */
510 	priv_inverse(&pset);		/* all non present privileges */
511 	priv_intersect(req, &pset);	/* the actual missing privs */
512 
513 	if (AU_AUDITING())
514 		audit_priv(PRIV_NONE, &pset, 0);
515 	/*
516 	 * Privilege debugging; special case "one privilege in set".
517 	 */
518 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
519 		for (priv = 0; priv < nprivs; priv++) {
520 			if (priv_ismember(&pset, priv)) {
521 				if (pfound != -1) {
522 					/* Multiple missing privs */
523 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
524 					    msg);
525 					return (EACCES);
526 				}
527 				pfound = priv;
528 			}
529 		}
530 		ASSERT(pfound != -1);
531 		/* Just the one missing privilege */
532 		priv_policy_errmsg(cr, pfound, msg);
533 	}
534 
535 	return (EACCES);
536 }
537 
538 /*
539  * Called when an operation requires that the caller be in the
540  * global zone, regardless of privilege.
541  */
542 static int
543 priv_policy_global(const cred_t *cr)
544 {
545 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
546 		return (0);	/* success */
547 
548 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
549 	    curthread->t_pre_sys) {
550 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
551 	}
552 	return (EPERM);
553 }
554 
555 /*
556  * Changing process priority
557  */
558 int
559 secpolicy_setpriority(const cred_t *cr)
560 {
561 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
562 }
563 
564 /*
565  * Binding to a privileged port, port must be specified in host byte
566  * order.
567  * When adding a new privilege which allows binding to currently privileged
568  * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
569  * to these ports because of backward compatibility.
570  */
571 int
572 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
573 {
574 	char *reason;
575 	int priv;
576 
577 	switch (port) {
578 	case 137:
579 	case 138:
580 	case 139:
581 	case 445:
582 		/*
583 		 * NBT and SMB ports, these are normal privileged ports,
584 		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
585 		 * is present.
586 		 * Try both, if neither is present return an error for
587 		 * priv SYS_SMB.
588 		 */
589 		if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
590 			priv = PRIV_NET_PRIVADDR;
591 		else
592 			priv = PRIV_SYS_SMB;
593 		reason = "NBT or SMB port";
594 		break;
595 
596 	case 2049:
597 	case 4045:
598 		/*
599 		 * NFS ports, these are extra privileged ports, allow bind
600 		 * only if the SYS_NFS privilege is present.
601 		 */
602 		priv = PRIV_SYS_NFS;
603 		reason = "NFS port";
604 		break;
605 
606 	default:
607 		priv = PRIV_NET_PRIVADDR;
608 		reason = NULL;
609 		break;
610 
611 	}
612 
613 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
614 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
615 }
616 
617 /*
618  * Binding to a multilevel port on a trusted (labeled) system.
619  */
620 int
621 secpolicy_net_bindmlp(const cred_t *cr)
622 {
623 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
624 }
625 
626 /*
627  * Allow a communication between a zone and an unlabeled host when their
628  * labels don't match.
629  */
630 int
631 secpolicy_net_mac_aware(const cred_t *cr)
632 {
633 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
634 }
635 
636 /*
637  * Allow a privileged process to transmit traffic without explicit labels
638  */
639 int
640 secpolicy_net_mac_implicit(const cred_t *cr)
641 {
642 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
643 }
644 
645 /*
646  * Common routine which determines whether a given credential can
647  * act on a given mount.
648  * When called through mount, the parameter needoptcheck is a pointer
649  * to a boolean variable which will be set to either true or false,
650  * depending on whether the mount policy should change the mount options.
651  * In all other cases, needoptcheck should be a NULL pointer.
652  */
653 static int
654 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
655     boolean_t *needoptcheck)
656 {
657 	boolean_t allzone = B_FALSE;
658 	boolean_t mounting = needoptcheck != NULL;
659 
660 	/*
661 	 * Short circuit the following cases:
662 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
663 	 *	have all privileges - no further checks required
664 	 *	and no mount options need to be set.
665 	 */
666 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
667 		if (mounting)
668 			*needoptcheck = B_FALSE;
669 
670 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
671 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
672 	}
673 
674 	/*
675 	 * When operating on an existing mount (either we're not mounting
676 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
677 	 * can operate only on mounts established by the zone itself.
678 	 */
679 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
680 		zoneid_t zoneid = crgetzoneid(cr);
681 
682 		if (zoneid != GLOBAL_ZONEID &&
683 		    vfsp->vfs_zone->zone_id != zoneid) {
684 			return (EPERM);
685 		}
686 	}
687 
688 	if (mounting)
689 		*needoptcheck = B_TRUE;
690 
691 	/*
692 	 * Overlay mounts may hide important stuff; if you can't write to a
693 	 * mount point but would be able to mount on top of it, you can
694 	 * escalate your privileges.
695 	 * So we go about asking the same questions namefs does when it
696 	 * decides whether you can mount over a file or not but with the
697 	 * added restriction that you can only mount on top of a regular
698 	 * file or directory.
699 	 * If we have all the zone's privileges, we skip all other checks,
700 	 * or else we may actually get in trouble inside the automounter.
701 	 */
702 	if ((mvp->v_flag & VROOT) != 0 ||
703 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
704 	    HAS_ALLZONEPRIVS(cr)) {
705 		allzone = B_TRUE;
706 	} else {
707 		vattr_t va;
708 		int err;
709 
710 		va.va_mask = AT_UID|AT_MODE;
711 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
712 		if (err != 0)
713 			return (err);
714 
715 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
716 			return (err);
717 
718 		if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
719 		    VWRITE) != 0) {
720 			return (EACCES);
721 		}
722 	}
723 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
724 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
725 }
726 
727 void
728 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
729 {
730 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
731 
732 	/*
733 	 * check; if we don't have either "nosuid" or
734 	 * both "nosetuid" and "nodevices", then we add
735 	 * "nosuid"; this depends on how the current
736 	 * implementation works (it first checks nosuid).  In a
737 	 * zone, a user with all zone privileges can mount with
738 	 * "setuid" but never with "devices".
739 	 */
740 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
741 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
742 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
743 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
744 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
745 		else
746 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
747 	}
748 	/*
749 	 * If we're not the local super user, we set the "restrict"
750 	 * option to indicate to automountd that this mount should
751 	 * be handled with care.
752 	 */
753 	if (!amsuper)
754 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
755 
756 }
757 
758 int
759 secpolicy_fs_allowed_mount(const char *fsname)
760 {
761 	struct vfssw *vswp;
762 	const char *p;
763 	size_t len;
764 
765 	ASSERT(fsname != NULL);
766 	ASSERT(fsname[0] != '\0');
767 
768 	if (INGLOBALZONE(curproc))
769 		return (0);
770 
771 	vswp = vfs_getvfssw(fsname);
772 	if (vswp == NULL)
773 		return (ENOENT);
774 
775 	if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
776 		vfs_unrefvfssw(vswp);
777 		return (0);
778 	}
779 
780 	vfs_unrefvfssw(vswp);
781 
782 	p = curzone->zone_fs_allowed;
783 	len = strlen(fsname);
784 
785 	while (p != NULL && *p != '\0') {
786 		if (strncmp(p, fsname, len) == 0) {
787 			char c = *(p + len);
788 			if (c == '\0' || c == ',')
789 				return (0);
790 		}
791 
792 		/* skip to beyond the next comma */
793 		if ((p = strchr(p, ',')) != NULL)
794 			p++;
795 	}
796 
797 	return (EPERM);
798 }
799 
800 extern vnode_t *rootvp;
801 extern vfs_t *rootvfs;
802 
803 int
804 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
805 {
806 	boolean_t needoptchk;
807 	int error;
808 
809 	/*
810 	 * If it's a remount, get the underlying mount point,
811 	 * except for the root where we use the rootvp.
812 	 */
813 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
814 		if (vfsp == rootvfs)
815 			mvp = rootvp;
816 		else
817 			mvp = vfsp->vfs_vnodecovered;
818 	}
819 
820 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
821 
822 	if (error == 0 && needoptchk) {
823 		secpolicy_fs_mount_clearopts(cr, vfsp);
824 	}
825 
826 	return (error);
827 }
828 
829 /*
830  * Does the policy computations for "ownership" of a mount;
831  * here ownership is defined as the ability to "mount"
832  * the filesystem originally.  The rootvfs doesn't cover any
833  * vnodes; we attribute its ownership to the rootvp.
834  */
835 static int
836 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
837 {
838 	vnode_t *mvp;
839 
840 	if (vfsp == NULL)
841 		mvp = NULL;
842 	else if (vfsp == rootvfs)
843 		mvp = rootvp;
844 	else
845 		mvp = vfsp->vfs_vnodecovered;
846 
847 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
848 }
849 
850 int
851 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
852 {
853 	return (secpolicy_fs_owner(cr, vfsp));
854 }
855 
856 /*
857  * Quotas are a resource, but if one has the ability to mount a filesystem, he
858  * should be able to modify quotas on it.
859  */
860 int
861 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
862 {
863 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
864 }
865 
866 /*
867  * Exceeding minfree: also a per-mount resource constraint.
868  */
869 int
870 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
871 {
872 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
873 }
874 
875 int
876 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
877 {
878 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
879 }
880 
881 /* ARGSUSED */
882 int
883 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
884 {
885 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
886 }
887 
888 /*
889  * Name:        secpolicy_vnode_access()
890  *
891  * Parameters:  Process credential
892  *		vnode
893  *		uid of owner of vnode
894  *		permission bits not granted to the caller when examining
895  *		file mode bits (i.e., when a process wants to open a
896  *		mode 444 file for VREAD|VWRITE, this function should be
897  *		called only with a VWRITE argument).
898  *
899  * Normal:      Verifies that cred has the appropriate privileges to
900  *              override the mode bits that were denied.
901  *
902  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
903  *                      not a directory.
904  *              file_dac_read - if VREAD bit was denied.
905  *              file_dac_search - if VEXEC bit was denied and vnode is
906  *                      a directory.
907  *              file_dac_write - if VWRITE bit was denied.
908  *
909  *		Root owned files are special cased to protect system
910  *		configuration files and such.
911  *
912  * Output:      EACCES - if privilege check fails.
913  */
914 
915 int
916 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
917 {
918 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
919 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
920 	    KLPDARG_NOMORE) != 0) {
921 		return (EACCES);
922 	}
923 
924 	if (mode & VWRITE) {
925 		boolean_t allzone;
926 
927 		if (owner == 0 && cr->cr_uid != 0)
928 			allzone = B_TRUE;
929 		else
930 			allzone = B_FALSE;
931 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
932 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
933 		    KLPDARG_NOMORE) != 0) {
934 			return (EACCES);
935 		}
936 	}
937 
938 	if (mode & VEXEC) {
939 		/*
940 		 * Directories use file_dac_search to override the execute bit.
941 		 */
942 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
943 		    PRIV_FILE_DAC_EXECUTE;
944 
945 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
946 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
947 	}
948 	return (0);
949 }
950 
951 /*
952  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
953  * current mode of the file, not the missing bits.
954  */
955 int
956 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
957     mode_t curmode, mode_t wantmode)
958 {
959 	mode_t mode;
960 
961 	/* Inline the basic privileges tests. */
962 	if ((wantmode & VREAD) &&
963 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
964 	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
965 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
966 		return (EACCES);
967 	}
968 
969 	if ((wantmode & VWRITE) &&
970 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
971 	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
972 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
973 		return (EACCES);
974 	}
975 
976 	mode = ~curmode & wantmode;
977 
978 	if (mode == 0)
979 		return (0);
980 
981 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
982 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
983 	    KLPDARG_NOMORE) != 0) {
984 		return (EACCES);
985 	}
986 
987 	if (mode & VWRITE) {
988 		boolean_t allzone;
989 
990 		if (owner == 0 && cr->cr_uid != 0)
991 			allzone = B_TRUE;
992 		else
993 			allzone = B_FALSE;
994 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
995 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
996 		    KLPDARG_NOMORE) != 0) {
997 			return (EACCES);
998 		}
999 	}
1000 
1001 	if (mode & VEXEC) {
1002 		/*
1003 		 * Directories use file_dac_search to override the execute bit.
1004 		 */
1005 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1006 		    PRIV_FILE_DAC_EXECUTE;
1007 
1008 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1009 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1010 	}
1011 	return (0);
1012 }
1013 
1014 /*
1015  * This is a special routine for ZFS; it is used to determine whether
1016  * any of the privileges in effect allow any form of access to the
1017  * file.  There's no reason to audit this or any reason to record
1018  * this.  More work is needed to do the "KPLD" stuff.
1019  */
1020 int
1021 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1022 {
1023 	static int privs[] = {
1024 	    PRIV_FILE_OWNER,
1025 	    PRIV_FILE_CHOWN,
1026 	    PRIV_FILE_DAC_READ,
1027 	    PRIV_FILE_DAC_WRITE,
1028 	    PRIV_FILE_DAC_EXECUTE,
1029 	    PRIV_FILE_DAC_SEARCH,
1030 	};
1031 	int i;
1032 
1033 	/* Same as secpolicy_vnode_setdac */
1034 	if (owner == cr->cr_uid)
1035 		return (0);
1036 
1037 	for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1038 		boolean_t allzone = B_FALSE;
1039 		int priv;
1040 
1041 		switch (priv = privs[i]) {
1042 		case PRIV_FILE_DAC_EXECUTE:
1043 			if (vp->v_type == VDIR)
1044 				continue;
1045 			break;
1046 		case PRIV_FILE_DAC_SEARCH:
1047 			if (vp->v_type != VDIR)
1048 				continue;
1049 			break;
1050 		case PRIV_FILE_DAC_WRITE:
1051 		case PRIV_FILE_OWNER:
1052 		case PRIV_FILE_CHOWN:
1053 			/* We know here that if owner == 0, that cr_uid != 0 */
1054 			allzone = owner == 0;
1055 			break;
1056 		}
1057 		if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1058 			return (0);
1059 	}
1060 	return (EPERM);
1061 }
1062 
1063 /*
1064  * Name:	secpolicy_vnode_setid_modify()
1065  *
1066  * Normal:	verify that subject can set the file setid flags.
1067  *
1068  * Output:	EPERM - if not privileged.
1069  */
1070 
1071 static int
1072 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1073 {
1074 	/* If changing to suid root, must have all zone privs */
1075 	boolean_t allzone = B_TRUE;
1076 
1077 	if (owner != 0) {
1078 		if (owner == cr->cr_uid)
1079 			return (0);
1080 		allzone = B_FALSE;
1081 	}
1082 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1083 }
1084 
1085 /*
1086  * Are we allowed to retain the set-uid/set-gid bits when
1087  * changing ownership or when writing to a file?
1088  * "issuid" should be true when set-uid; only in that case
1089  * root ownership is checked (setgid is assumed).
1090  */
1091 int
1092 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1093 {
1094 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1095 		return (EPERM);
1096 
1097 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1098 }
1099 
1100 /*
1101  * Name:	secpolicy_vnode_setids_setgids()
1102  *
1103  * Normal:	verify that subject can set the file setgid flag.
1104  *
1105  * Output:	EPERM - if not privileged
1106  */
1107 
1108 int
1109 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1110 {
1111 	if (!groupmember(gid, cred))
1112 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1113 		    NULL));
1114 	return (0);
1115 }
1116 
1117 /*
1118  * Name:	secpolicy_vnode_chown
1119  *
1120  * Normal:	Determine if subject can chown owner of a file.
1121  *
1122  * Output:	EPERM - if access denied
1123  */
1124 
1125 int
1126 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1127 {
1128 	boolean_t is_owner = (owner == crgetuid(cred));
1129 	boolean_t allzone = B_FALSE;
1130 	int priv;
1131 
1132 	if (!is_owner) {
1133 		allzone = (owner == 0);
1134 		priv = PRIV_FILE_CHOWN;
1135 	} else {
1136 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1137 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1138 	}
1139 
1140 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1141 }
1142 
1143 /*
1144  * Name:	secpolicy_vnode_create_gid
1145  *
1146  * Normal:	Determine if subject can change group ownership of a file.
1147  *
1148  * Output:	EPERM - if access denied
1149  */
1150 int
1151 secpolicy_vnode_create_gid(const cred_t *cred)
1152 {
1153 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1154 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1155 		    NULL));
1156 	else
1157 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1158 		    NULL));
1159 }
1160 
1161 /*
1162  * Name:	secpolicy_vnode_utime_modify()
1163  *
1164  * Normal:	verify that subject can modify the utime on a file.
1165  *
1166  * Output:	EPERM - if access denied.
1167  */
1168 
1169 static int
1170 secpolicy_vnode_utime_modify(const cred_t *cred)
1171 {
1172 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1173 	    "modify file times"));
1174 }
1175 
1176 
1177 /*
1178  * Name:	secpolicy_vnode_setdac()
1179  *
1180  * Normal:	verify that subject can modify the mode of a file.
1181  *		allzone privilege needed when modifying root owned object.
1182  *
1183  * Output:	EPERM - if access denied.
1184  */
1185 
1186 int
1187 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1188 {
1189 	if (owner == cred->cr_uid)
1190 		return (0);
1191 
1192 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1193 }
1194 /*
1195  * Name:	secpolicy_vnode_stky_modify()
1196  *
1197  * Normal:	verify that subject can make a file a "sticky".
1198  *
1199  * Output:	EPERM - if access denied.
1200  */
1201 
1202 int
1203 secpolicy_vnode_stky_modify(const cred_t *cred)
1204 {
1205 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1206 	    "set file sticky"));
1207 }
1208 
1209 /*
1210  * Policy determines whether we can remove an entry from a directory,
1211  * regardless of permission bits.
1212  */
1213 int
1214 secpolicy_vnode_remove(const cred_t *cr)
1215 {
1216 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1217 	    "sticky directory"));
1218 }
1219 
1220 int
1221 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1222 {
1223 	boolean_t allzone = (owner == 0);
1224 
1225 	if (owner == cr->cr_uid)
1226 		return (0);
1227 
1228 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1229 }
1230 
1231 void
1232 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1233 {
1234 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1235 	    secpolicy_vnode_setid_retain(cr,
1236 	    (vap->va_mode & S_ISUID) != 0 &&
1237 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1238 		vap->va_mask |= AT_MODE;
1239 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1240 	}
1241 }
1242 
1243 int
1244 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1245     cred_t *cr)
1246 {
1247 	int error;
1248 
1249 	if ((vap->va_mode & S_ISUID) != 0 &&
1250 	    (error = secpolicy_vnode_setid_modify(cr,
1251 	    ovap->va_uid)) != 0) {
1252 		return (error);
1253 	}
1254 
1255 	/*
1256 	 * Check privilege if attempting to set the
1257 	 * sticky bit on a non-directory.
1258 	 */
1259 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1260 	    secpolicy_vnode_stky_modify(cr) != 0) {
1261 		vap->va_mode &= ~S_ISVTX;
1262 	}
1263 
1264 	/*
1265 	 * Check for privilege if attempting to set the
1266 	 * group-id bit.
1267 	 */
1268 	if ((vap->va_mode & S_ISGID) != 0 &&
1269 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1270 		vap->va_mode &= ~S_ISGID;
1271 	}
1272 
1273 	return (0);
1274 }
1275 
1276 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1277 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1278 	B_FALSE, EPERM, NULL)
1279 
1280 /*
1281  * Check privileges for setting xvattr attributes
1282  */
1283 int
1284 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1285 {
1286 	xoptattr_t *xoap;
1287 	int error = 0;
1288 
1289 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1290 		return (EINVAL);
1291 
1292 	/*
1293 	 * First process the DOS bits
1294 	 */
1295 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1296 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1297 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1298 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1299 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1300 	    XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1301 	    XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1302 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1303 			return (error);
1304 	}
1305 
1306 	/*
1307 	 * Now handle special attributes
1308 	 */
1309 
1310 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1311 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1312 		    xoap->xoa_immutable, cr);
1313 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1314 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1315 		    xoap->xoa_nounlink, cr);
1316 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1317 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1318 		    xoap->xoa_appendonly, cr);
1319 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1320 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1321 		    xoap->xoa_nodump, cr);
1322 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1323 		error = EPERM;
1324 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1325 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1326 		    xoap->xoa_av_quarantined, cr);
1327 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1328 			error = EINVAL;
1329 	}
1330 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1331 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1332 		    xoap->xoa_av_modified, cr);
1333 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1334 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1335 		    xoap->xoa_av_scanstamp, cr);
1336 		if (error == 0 && vtype != VREG)
1337 			error = EINVAL;
1338 	}
1339 	return (error);
1340 }
1341 
1342 /*
1343  * This function checks the policy decisions surrounding the
1344  * vop setattr call.
1345  *
1346  * It should be called after sufficient locks have been established
1347  * on the underlying data structures.  No concurrent modifications
1348  * should be allowed.
1349  *
1350  * The caller must pass in unlocked version of its vaccess function
1351  * this is required because vop_access function should lock the
1352  * node for reading.  A three argument function should be defined
1353  * which accepts the following argument:
1354  * 	A pointer to the internal "node" type (inode *)
1355  *	vnode access bits (VREAD|VWRITE|VEXEC)
1356  *	a pointer to the credential
1357  *
1358  * This function makes the following policy decisions:
1359  *
1360  *		- change permissions
1361  *			- permission to change file mode if not owner
1362  *			- permission to add sticky bit to non-directory
1363  *			- permission to add set-gid bit
1364  *
1365  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1366  *
1367  * If the vap argument does not include AT_MODE, the mode will be copied from
1368  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1369  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1370  * is updated to the newly computed mode.
1371  */
1372 
1373 int
1374 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1375 	const struct vattr *ovap, int flags,
1376 	int unlocked_access(void *, int, cred_t *),
1377 	void *node)
1378 {
1379 	int mask = vap->va_mask;
1380 	int error = 0;
1381 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1382 
1383 	if (mask & AT_SIZE) {
1384 		if (vp->v_type == VDIR) {
1385 			error = EISDIR;
1386 			goto out;
1387 		}
1388 
1389 		/*
1390 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1391 		 * perform the secondary unlocked_access() call since the
1392 		 * ACL (if any) is being checked there.
1393 		 */
1394 		if (skipaclchk == B_FALSE) {
1395 			error = unlocked_access(node, VWRITE, cr);
1396 			if (error)
1397 				goto out;
1398 		}
1399 	}
1400 	if (mask & AT_MODE) {
1401 		/*
1402 		 * If not the owner of the file then check privilege
1403 		 * for two things: the privilege to set the mode at all
1404 		 * and, if we're setting setuid, we also need permissions
1405 		 * to add the set-uid bit, if we're not the owner.
1406 		 * In the specific case of creating a set-uid root
1407 		 * file, we need even more permissions.
1408 		 */
1409 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1410 			goto out;
1411 
1412 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1413 		    ovap, cr)) != 0)
1414 			goto out;
1415 	} else
1416 		vap->va_mode = ovap->va_mode;
1417 
1418 	if (mask & (AT_UID|AT_GID)) {
1419 		boolean_t checkpriv = B_FALSE;
1420 
1421 		/*
1422 		 * Chowning files.
1423 		 *
1424 		 * If you are the file owner:
1425 		 *	chown to other uid		FILE_CHOWN_SELF
1426 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1427 		 *	chown to gid (member) 		<none>
1428 		 *
1429 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1430 		 * acceptable but the first one is reported when debugging.
1431 		 *
1432 		 * If you are not the file owner:
1433 		 *	chown from root			PRIV_FILE_CHOWN + zone
1434 		 *	chown from other to any		PRIV_FILE_CHOWN
1435 		 *
1436 		 */
1437 		if (cr->cr_uid != ovap->va_uid) {
1438 			checkpriv = B_TRUE;
1439 		} else {
1440 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1441 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1442 			    !groupmember(vap->va_gid, cr))) {
1443 				checkpriv = B_TRUE;
1444 			}
1445 		}
1446 		/*
1447 		 * If necessary, check privilege to see if update can be done.
1448 		 */
1449 		if (checkpriv &&
1450 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1451 			goto out;
1452 		}
1453 
1454 		/*
1455 		 * If the file has either the set UID or set GID bits
1456 		 * set and the caller can set the bits, then leave them.
1457 		 */
1458 		secpolicy_setid_clear(vap, cr);
1459 	}
1460 	if (mask & (AT_ATIME|AT_MTIME)) {
1461 		/*
1462 		 * If not the file owner and not otherwise privileged,
1463 		 * always return an error when setting the
1464 		 * time other than the current (ATTR_UTIME flag set).
1465 		 * If setting the current time (ATTR_UTIME not set) then
1466 		 * unlocked_access will check permissions according to policy.
1467 		 */
1468 		if (cr->cr_uid != ovap->va_uid) {
1469 			if (flags & ATTR_UTIME)
1470 				error = secpolicy_vnode_utime_modify(cr);
1471 			else if (skipaclchk == B_FALSE) {
1472 				error = unlocked_access(node, VWRITE, cr);
1473 				if (error == EACCES &&
1474 				    secpolicy_vnode_utime_modify(cr) == 0)
1475 					error = 0;
1476 			}
1477 			if (error)
1478 				goto out;
1479 		}
1480 	}
1481 
1482 	/*
1483 	 * Check for optional attributes here by checking the following:
1484 	 */
1485 	if (mask & AT_XVATTR)
1486 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1487 		    vp->v_type);
1488 out:
1489 	return (error);
1490 }
1491 
1492 /*
1493  * Name:	secpolicy_pcfs_modify_bootpartition()
1494  *
1495  * Normal:	verify that subject can modify a pcfs boot partition.
1496  *
1497  * Output:	EACCES - if privilege check failed.
1498  */
1499 /*ARGSUSED*/
1500 int
1501 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1502 {
1503 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1504 	    "modify pcfs boot partition"));
1505 }
1506 
1507 /*
1508  * System V IPC routines
1509  */
1510 int
1511 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1512 {
1513 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1514 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1515 		boolean_t allzone = B_FALSE;
1516 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1517 			allzone = B_TRUE;
1518 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1519 	}
1520 	return (0);
1521 }
1522 
1523 int
1524 secpolicy_ipc_config(const cred_t *cr)
1525 {
1526 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1527 }
1528 
1529 int
1530 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1531 {
1532 
1533 	boolean_t allzone = B_FALSE;
1534 
1535 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1536 
1537 	if ((mode & MSG_R) &&
1538 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1539 		return (EACCES);
1540 
1541 	if (mode & MSG_W) {
1542 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1543 			allzone = B_TRUE;
1544 
1545 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1546 		    NULL));
1547 	}
1548 	return (0);
1549 }
1550 
1551 int
1552 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1553 {
1554 	boolean_t allzone = B_FALSE;
1555 
1556 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1557 
1558 	if ((mode & MSG_R) &&
1559 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1560 		return (EACCES);
1561 
1562 	if (mode & MSG_W) {
1563 		if (cr->cr_uid != 0 && owner == 0)
1564 			allzone = B_TRUE;
1565 
1566 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1567 		    NULL));
1568 	}
1569 	return (0);
1570 }
1571 
1572 /*
1573  * Audit configuration.
1574  */
1575 int
1576 secpolicy_audit_config(const cred_t *cr)
1577 {
1578 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1579 }
1580 
1581 /*
1582  * Audit record generation.
1583  */
1584 int
1585 secpolicy_audit_modify(const cred_t *cr)
1586 {
1587 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1588 }
1589 
1590 /*
1591  * Get audit attributes.
1592  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1593  * "Least" of the two privileges on error.
1594  */
1595 int
1596 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1597 {
1598 	int priv;
1599 
1600 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1601 		priv = PRIV_SYS_AUDIT;
1602 	else
1603 		priv = PRIV_PROC_AUDIT;
1604 
1605 	if (checkonly)
1606 		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1607 	else
1608 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1609 }
1610 
1611 
1612 /*
1613  * Locking physical memory
1614  */
1615 int
1616 secpolicy_lock_memory(const cred_t *cr)
1617 {
1618 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1619 }
1620 
1621 /*
1622  * Accounting (both acct(2) and exacct).
1623  */
1624 int
1625 secpolicy_acct(const cred_t *cr)
1626 {
1627 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1628 }
1629 
1630 /*
1631  * Is this process privileged to change its uids at will?
1632  * Uid 0 is still considered "special" and having the SETID
1633  * privilege is not sufficient to get uid 0.
1634  * Files are owned by root, so the privilege would give
1635  * full access and euid 0 is still effective.
1636  *
1637  * If you have the privilege and euid 0 only then do you
1638  * get the powers of root wrt uid 0.
1639  *
1640  * For gid manipulations, this is should be called with an
1641  * uid of -1.
1642  *
1643  */
1644 int
1645 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1646 {
1647 	boolean_t allzone = B_FALSE;
1648 
1649 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1650 	    cr->cr_ruid != 0) {
1651 		allzone = B_TRUE;
1652 	}
1653 
1654 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1655 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1656 }
1657 
1658 
1659 /*
1660  * Acting on a different process: if the mode is for writing,
1661  * the restrictions are more severe.  This is called after
1662  * we've verified that the uids do not match.
1663  */
1664 int
1665 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1666 {
1667 	boolean_t allzone = B_FALSE;
1668 
1669 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1670 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1671 		allzone = B_TRUE;
1672 
1673 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1674 }
1675 
1676 int
1677 secpolicy_proc_access(const cred_t *scr)
1678 {
1679 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1680 }
1681 
1682 int
1683 secpolicy_proc_excl_open(const cred_t *scr)
1684 {
1685 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1686 }
1687 
1688 int
1689 secpolicy_proc_zone(const cred_t *scr)
1690 {
1691 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1692 }
1693 
1694 /*
1695  * Destroying the system
1696  */
1697 
1698 int
1699 secpolicy_kmdb(const cred_t *scr)
1700 {
1701 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1702 }
1703 
1704 int
1705 secpolicy_error_inject(const cred_t *scr)
1706 {
1707 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1708 }
1709 
1710 /*
1711  * Processor sets, cpu configuration, resource pools.
1712  */
1713 int
1714 secpolicy_pset(const cred_t *cr)
1715 {
1716 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1717 }
1718 
1719 /*
1720  * Processor set binding.
1721  */
1722 int
1723 secpolicy_pbind(const cred_t *cr)
1724 {
1725 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1726 		return (secpolicy_pset(cr));
1727 	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1728 }
1729 
1730 int
1731 secpolicy_ponline(const cred_t *cr)
1732 {
1733 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1734 }
1735 
1736 int
1737 secpolicy_pool(const cred_t *cr)
1738 {
1739 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1740 }
1741 
1742 int
1743 secpolicy_blacklist(const cred_t *cr)
1744 {
1745 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1746 }
1747 
1748 /*
1749  * Catch all system configuration.
1750  */
1751 int
1752 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1753 {
1754 	if (checkonly) {
1755 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1756 		    EPERM);
1757 	} else {
1758 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1759 	}
1760 }
1761 
1762 /*
1763  * Zone administration (halt, reboot, etc.) from within zone.
1764  */
1765 int
1766 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1767 {
1768 	if (checkonly) {
1769 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1770 		    EPERM);
1771 	} else {
1772 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1773 		    NULL));
1774 	}
1775 }
1776 
1777 /*
1778  * Zone configuration (create, halt, enter).
1779  */
1780 int
1781 secpolicy_zone_config(const cred_t *cr)
1782 {
1783 	/*
1784 	 * Require all privileges to avoid possibility of privilege
1785 	 * escalation.
1786 	 */
1787 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1788 }
1789 
1790 /*
1791  * Various other system configuration calls
1792  */
1793 int
1794 secpolicy_coreadm(const cred_t *cr)
1795 {
1796 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1797 }
1798 
1799 int
1800 secpolicy_systeminfo(const cred_t *cr)
1801 {
1802 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1803 }
1804 
1805 int
1806 secpolicy_dispadm(const cred_t *cr)
1807 {
1808 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1809 }
1810 
1811 int
1812 secpolicy_settime(const cred_t *cr)
1813 {
1814 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1815 }
1816 
1817 /*
1818  * For realtime users: high resolution clock.
1819  */
1820 int
1821 secpolicy_clock_highres(const cred_t *cr)
1822 {
1823 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1824 	    NULL));
1825 }
1826 
1827 /*
1828  * drv_priv() is documented as callable from interrupt context, not that
1829  * anyone ever does, but still.  No debugging or auditing can be done when
1830  * it is called from interrupt context.
1831  * returns 0 on succes, EPERM on failure.
1832  */
1833 int
1834 drv_priv(cred_t *cr)
1835 {
1836 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1837 }
1838 
1839 int
1840 secpolicy_sys_devices(const cred_t *cr)
1841 {
1842 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1843 }
1844 
1845 int
1846 secpolicy_excl_open(const cred_t *cr)
1847 {
1848 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1849 }
1850 
1851 int
1852 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1853 {
1854 	/* zone.* rctls can only be set from the global zone */
1855 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1856 		return (EPERM);
1857 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1858 }
1859 
1860 int
1861 secpolicy_resource(const cred_t *cr)
1862 {
1863 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1864 }
1865 
1866 int
1867 secpolicy_resource_anon_mem(const cred_t *cr)
1868 {
1869 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1870 }
1871 
1872 /*
1873  * Processes with a real uid of 0 escape any form of accounting, much
1874  * like before.
1875  */
1876 int
1877 secpolicy_newproc(const cred_t *cr)
1878 {
1879 	if (cr->cr_ruid == 0)
1880 		return (0);
1881 
1882 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1883 }
1884 
1885 /*
1886  * Networking
1887  */
1888 int
1889 secpolicy_net_rawaccess(const cred_t *cr)
1890 {
1891 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1892 }
1893 
1894 int
1895 secpolicy_net_observability(const cred_t *cr)
1896 {
1897 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1898 }
1899 
1900 /*
1901  * Need this privilege for accessing the ICMP device
1902  */
1903 int
1904 secpolicy_net_icmpaccess(const cred_t *cr)
1905 {
1906 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1907 }
1908 
1909 /*
1910  * There are a few rare cases where the kernel generates ioctls() from
1911  * interrupt context with a credential of kcred rather than NULL.
1912  * In those cases, we take the safe and cheap test.
1913  */
1914 int
1915 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1916 {
1917 	if (checkonly) {
1918 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1919 		    0 : EPERM);
1920 	} else {
1921 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1922 		    NULL));
1923 	}
1924 }
1925 
1926 
1927 /*
1928  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1929  *
1930  * There are a few rare cases where the kernel generates ioctls() from
1931  * interrupt context with a credential of kcred rather than NULL.
1932  * In those cases, we take the safe and cheap test.
1933  */
1934 int
1935 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1936 {
1937 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1938 		return (secpolicy_net_config(cr, checkonly));
1939 
1940 	if (checkonly) {
1941 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1942 		    0 : EPERM);
1943 	} else {
1944 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1945 		    NULL));
1946 	}
1947 }
1948 
1949 /*
1950  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1951  */
1952 int
1953 secpolicy_dl_config(const cred_t *cr)
1954 {
1955 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1956 		return (secpolicy_net_config(cr, B_FALSE));
1957 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1958 }
1959 
1960 /*
1961  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1962  */
1963 int
1964 secpolicy_iptun_config(const cred_t *cr)
1965 {
1966 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1967 		return (secpolicy_net_config(cr, B_FALSE));
1968 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1969 		return (secpolicy_dl_config(cr));
1970 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1971 }
1972 
1973 /*
1974  * Map IP pseudo privileges to actual privileges.
1975  * So we don't need to recompile IP when we change the privileges.
1976  */
1977 int
1978 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1979 {
1980 	int priv = PRIV_ALL;
1981 
1982 	switch (netpriv) {
1983 	case OP_CONFIG:
1984 		priv = PRIV_SYS_IP_CONFIG;
1985 		break;
1986 	case OP_RAW:
1987 		priv = PRIV_NET_RAWACCESS;
1988 		break;
1989 	case OP_PRIVPORT:
1990 		priv = PRIV_NET_PRIVADDR;
1991 		break;
1992 	}
1993 	ASSERT(priv != PRIV_ALL);
1994 	if (checkonly)
1995 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1996 	else
1997 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1998 }
1999 
2000 /*
2001  * Map network pseudo privileges to actual privileges.
2002  * So we don't need to recompile IP when we change the privileges.
2003  */
2004 int
2005 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2006 {
2007 	int priv = PRIV_ALL;
2008 
2009 	switch (netpriv) {
2010 	case OP_CONFIG:
2011 		priv = PRIV_SYS_NET_CONFIG;
2012 		break;
2013 	case OP_RAW:
2014 		priv = PRIV_NET_RAWACCESS;
2015 		break;
2016 	case OP_PRIVPORT:
2017 		priv = PRIV_NET_PRIVADDR;
2018 		break;
2019 	}
2020 	ASSERT(priv != PRIV_ALL);
2021 	if (checkonly)
2022 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2023 	else
2024 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2025 }
2026 
2027 /*
2028  * Checks for operations that are either client-only or are used by
2029  * both clients and servers.
2030  */
2031 int
2032 secpolicy_nfs(const cred_t *cr)
2033 {
2034 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2035 }
2036 
2037 /*
2038  * Special case for opening rpcmod: have NFS privileges or network
2039  * config privileges.
2040  */
2041 int
2042 secpolicy_rpcmod_open(const cred_t *cr)
2043 {
2044 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2045 		return (secpolicy_nfs(cr));
2046 	else
2047 		return (secpolicy_net_config(cr, NULL));
2048 }
2049 
2050 int
2051 secpolicy_chroot(const cred_t *cr)
2052 {
2053 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2054 }
2055 
2056 int
2057 secpolicy_tasksys(const cred_t *cr)
2058 {
2059 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2060 }
2061 
2062 int
2063 secpolicy_pfexec_register(const cred_t *cr)
2064 {
2065 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2066 }
2067 
2068 /*
2069  * Basic privilege checks.
2070  */
2071 int
2072 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2073 {
2074 	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2075 
2076 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2077 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2078 }
2079 
2080 int
2081 secpolicy_basic_fork(const cred_t *cr)
2082 {
2083 	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2084 
2085 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2086 }
2087 
2088 int
2089 secpolicy_basic_proc(const cred_t *cr)
2090 {
2091 	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2092 
2093 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2094 }
2095 
2096 /*
2097  * Slightly complicated because we don't want to trigger the policy too
2098  * often.  First we shortcircuit access to "self" (tp == sp) or if
2099  * we don't have the privilege but if we have permission
2100  * just return (0) and we don't flag the privilege as needed.
2101  * Else, we test for the privilege because we either have it or need it.
2102  */
2103 int
2104 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2105 {
2106 	if (tp == sp ||
2107 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2108 		return (0);
2109 	} else {
2110 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2111 	}
2112 }
2113 
2114 int
2115 secpolicy_basic_link(const cred_t *cr)
2116 {
2117 	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2118 
2119 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2120 }
2121 
2122 int
2123 secpolicy_basic_net_access(const cred_t *cr)
2124 {
2125 	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2126 
2127 	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2128 }
2129 
2130 /* ARGSUSED */
2131 int
2132 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2133 {
2134 	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2135 
2136 	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2137 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2138 }
2139 
2140 /* ARGSUSED */
2141 int
2142 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2143 {
2144 	FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2145 
2146 	return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2147 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2148 }
2149 
2150 /*
2151  * Additional device protection.
2152  *
2153  * Traditionally, a device has specific permissions on the node in
2154  * the filesystem which govern which devices can be opened by what
2155  * processes.  In certain cases, it is desirable to add extra
2156  * restrictions, as writing to certain devices is identical to
2157  * having a complete run of the system.
2158  *
2159  * This mechanism is called the device policy.
2160  *
2161  * When a device is opened, its policy entry is looked up in the
2162  * policy cache and checked.
2163  */
2164 int
2165 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2166 {
2167 	devplcy_t *plcy;
2168 	int err;
2169 	struct snode *csp = VTOS(common_specvp(vp));
2170 	priv_set_t pset;
2171 
2172 	mutex_enter(&csp->s_lock);
2173 
2174 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2175 		plcy = devpolicy_find(vp);
2176 		if (csp->s_plcy)
2177 			dpfree(csp->s_plcy);
2178 		csp->s_plcy = plcy;
2179 		ASSERT(plcy != NULL);
2180 	} else
2181 		plcy = csp->s_plcy;
2182 
2183 	if (plcy == nullpolicy) {
2184 		mutex_exit(&csp->s_lock);
2185 		return (0);
2186 	}
2187 
2188 	dphold(plcy);
2189 
2190 	mutex_exit(&csp->s_lock);
2191 
2192 	if (oflag & FWRITE)
2193 		pset = plcy->dp_wrp;
2194 	else
2195 		pset = plcy->dp_rdp;
2196 	/*
2197 	 * Special case:
2198 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2199 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2200 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2201 	 * in the required privilege set before doing the check.
2202 	 */
2203 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2204 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2205 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2206 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2207 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2208 	}
2209 
2210 	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2211 	dpfree(plcy);
2212 
2213 	return (err);
2214 }
2215 
2216 int
2217 secpolicy_modctl(const cred_t *cr, int cmd)
2218 {
2219 	switch (cmd) {
2220 	case MODINFO:
2221 	case MODGETMAJBIND:
2222 	case MODGETPATH:
2223 	case MODGETPATHLEN:
2224 	case MODGETNAME:
2225 	case MODGETFBNAME:
2226 	case MODGETDEVPOLICY:
2227 	case MODGETDEVPOLICYBYNAME:
2228 	case MODDEVT2INSTANCE:
2229 	case MODSIZEOF_DEVID:
2230 	case MODGETDEVID:
2231 	case MODSIZEOF_MINORNAME:
2232 	case MODGETMINORNAME:
2233 	case MODGETDEVFSPATH_LEN:
2234 	case MODGETDEVFSPATH:
2235 	case MODGETDEVFSPATH_MI_LEN:
2236 	case MODGETDEVFSPATH_MI:
2237 		/* Unprivileged */
2238 		return (0);
2239 	case MODLOAD:
2240 	case MODSETDEVPOLICY:
2241 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2242 		    KLPDARG_NONE));
2243 	default:
2244 		return (secpolicy_sys_config(cr, B_FALSE));
2245 	}
2246 }
2247 
2248 int
2249 secpolicy_console(const cred_t *cr)
2250 {
2251 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2252 }
2253 
2254 int
2255 secpolicy_power_mgmt(const cred_t *cr)
2256 {
2257 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2258 }
2259 
2260 /*
2261  * Simulate terminal input; another escalation of privileges avenue.
2262  */
2263 
2264 int
2265 secpolicy_sti(const cred_t *cr)
2266 {
2267 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2268 }
2269 
2270 boolean_t
2271 secpolicy_net_reply_equal(const cred_t *cr)
2272 {
2273 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2274 }
2275 
2276 int
2277 secpolicy_swapctl(const cred_t *cr)
2278 {
2279 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2280 }
2281 
2282 int
2283 secpolicy_cpc_cpu(const cred_t *cr)
2284 {
2285 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2286 }
2287 
2288 /*
2289  * secpolicy_contract_identity
2290  *
2291  * Determine if the subject may set the process contract FMRI value
2292  */
2293 int
2294 secpolicy_contract_identity(const cred_t *cr)
2295 {
2296 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2297 }
2298 
2299 /*
2300  * secpolicy_contract_observer
2301  *
2302  * Determine if the subject may observe a specific contract's events.
2303  */
2304 int
2305 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2306 {
2307 	if (contract_owned(ct, cr, B_FALSE))
2308 		return (0);
2309 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2310 }
2311 
2312 /*
2313  * secpolicy_contract_observer_choice
2314  *
2315  * Determine if the subject may observe any contract's events.  Just
2316  * tests privilege and audits on success.
2317  */
2318 boolean_t
2319 secpolicy_contract_observer_choice(const cred_t *cr)
2320 {
2321 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2322 }
2323 
2324 /*
2325  * secpolicy_contract_event
2326  *
2327  * Determine if the subject may request critical contract events or
2328  * reliable contract event delivery.
2329  */
2330 int
2331 secpolicy_contract_event(const cred_t *cr)
2332 {
2333 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2334 }
2335 
2336 /*
2337  * secpolicy_contract_event_choice
2338  *
2339  * Determine if the subject may retain contract events in its critical
2340  * set when a change in other terms would normally require a change in
2341  * the critical set.  Just tests privilege and audits on success.
2342  */
2343 boolean_t
2344 secpolicy_contract_event_choice(const cred_t *cr)
2345 {
2346 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2347 }
2348 
2349 /*
2350  * secpolicy_gart_access
2351  *
2352  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2353  * device.
2354  */
2355 int
2356 secpolicy_gart_access(const cred_t *cr)
2357 {
2358 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2359 }
2360 
2361 /*
2362  * secpolicy_gart_map
2363  *
2364  * Determine if the subject has sufficient priveleges to map aperture range
2365  * through agpgart driver.
2366  */
2367 int
2368 secpolicy_gart_map(const cred_t *cr)
2369 {
2370 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2371 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2372 		    NULL));
2373 	} else {
2374 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2375 		    NULL));
2376 	}
2377 }
2378 
2379 /*
2380  * secpolicy_zinject
2381  *
2382  * Determine if the subject can inject faults in the ZFS fault injection
2383  * framework.  Requires all privileges.
2384  */
2385 int
2386 secpolicy_zinject(const cred_t *cr)
2387 {
2388 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2389 }
2390 
2391 /*
2392  * secpolicy_zfs
2393  *
2394  * Determine if the subject has permission to manipulate ZFS datasets
2395  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2396  */
2397 int
2398 secpolicy_zfs(const cred_t *cr)
2399 {
2400 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2401 }
2402 
2403 /*
2404  * secpolicy_idmap
2405  *
2406  * Determine if the calling process has permissions to register an SID
2407  * mapping daemon and allocate ephemeral IDs.
2408  */
2409 int
2410 secpolicy_idmap(const cred_t *cr)
2411 {
2412 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2413 }
2414 
2415 /*
2416  * secpolicy_ucode_update
2417  *
2418  * Determine if the subject has sufficient privilege to update microcode.
2419  */
2420 int
2421 secpolicy_ucode_update(const cred_t *scr)
2422 {
2423 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2424 }
2425 
2426 /*
2427  * secpolicy_sadopen
2428  *
2429  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2430  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2431  * In global zone, sys_config is required.
2432  * In exclusive-IP zones, sys_ip_config is required.
2433  * Note that sys_config is prohibited in non-global zones.
2434  */
2435 int
2436 secpolicy_sadopen(const cred_t *credp)
2437 {
2438 	priv_set_t pset;
2439 
2440 	priv_emptyset(&pset);
2441 
2442 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2443 		priv_addset(&pset, PRIV_SYS_CONFIG);
2444 	else
2445 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2446 
2447 	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2448 }
2449 
2450 
2451 /*
2452  * Add privileges to a particular privilege set; this is called when the
2453  * current sets of privileges are not sufficient.  I.e., we should always
2454  * call the policy override functions from here.
2455  * What we are allowed to have is in the Observed Permitted set; so
2456  * we compute the difference between that and the newset.
2457  */
2458 int
2459 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2460 {
2461 	priv_set_t rqd;
2462 
2463 	rqd = CR_OPPRIV(cr);
2464 
2465 	priv_inverse(&rqd);
2466 	priv_intersect(nset, &rqd);
2467 
2468 	return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2469 }
2470 
2471 /*
2472  * secpolicy_smb
2473  *
2474  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2475  * that it has permission to access the smbsrv kernel driver.
2476  * PRIV_POLICY checks the privilege and audits the check.
2477  *
2478  * Returns:
2479  * 0       Driver access is allowed.
2480  * EPERM   Driver access is NOT permitted.
2481  */
2482 int
2483 secpolicy_smb(const cred_t *cr)
2484 {
2485 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2486 }
2487 
2488 /*
2489  * secpolicy_vscan
2490  *
2491  * Determine if cred_t has the necessary privileges to access a file
2492  * for virus scanning and update its extended system attributes.
2493  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2494  * PRIV_FILE_FLAG_SET - set extended system attributes
2495  *
2496  * PRIV_POLICY checks the privilege and audits the check.
2497  *
2498  * Returns:
2499  * 0      file access for virus scanning allowed.
2500  * EPERM  file access for virus scanning is NOT permitted.
2501  */
2502 int
2503 secpolicy_vscan(const cred_t *cr)
2504 {
2505 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2506 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2507 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2508 		return (EPERM);
2509 	}
2510 
2511 	return (0);
2512 }
2513 
2514 /*
2515  * secpolicy_smbfs_login
2516  *
2517  * Determines if the caller can add and delete the smbfs login
2518  * password in the the nsmb kernel module for the CIFS client.
2519  *
2520  * Returns:
2521  * 0       access is allowed.
2522  * EPERM   access is NOT allowed.
2523  */
2524 int
2525 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2526 {
2527 	uid_t cruid = crgetruid(cr);
2528 
2529 	if (cruid == uid)
2530 		return (0);
2531 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2532 	    EPERM, NULL));
2533 }
2534 
2535 /*
2536  * secpolicy_xvm_control
2537  *
2538  * Determines if a caller can control the xVM hypervisor and/or running
2539  * domains (x86 specific).
2540  *
2541  * Returns:
2542  * 0       access is allowed.
2543  * EPERM   access is NOT allowed.
2544  */
2545 int
2546 secpolicy_xvm_control(const cred_t *cr)
2547 {
2548 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2549 		return (EPERM);
2550 	return (0);
2551 }
2552 
2553 /*
2554  * secpolicy_ppp_config
2555  *
2556  * Determine if the subject has sufficient privileges to configure PPP and
2557  * PPP-related devices.
2558  */
2559 int
2560 secpolicy_ppp_config(const cred_t *cr)
2561 {
2562 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2563 		return (secpolicy_net_config(cr, B_FALSE));
2564 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2565 }
2566