1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2013, Joyent, Inc. All rights reserved.
  24  */
  25 
  26 #include <sys/types.h>
  27 #include <sys/sysmacros.h>
  28 #include <sys/param.h>
  29 #include <sys/systm.h>
  30 #include <sys/cred_impl.h>
  31 #include <sys/vnode.h>
  32 #include <sys/vfs.h>
  33 #include <sys/stat.h>
  34 #include <sys/errno.h>
  35 #include <sys/kmem.h>
  36 #include <sys/user.h>
  37 #include <sys/proc.h>
  38 #include <sys/acct.h>
  39 #include <sys/ipc_impl.h>
  40 #include <sys/cmn_err.h>
  41 #include <sys/debug.h>
  42 #include <sys/policy.h>
  43 #include <sys/kobj.h>
  44 #include <sys/msg.h>
  45 #include <sys/devpolicy.h>
  46 #include <c2/audit.h>
  47 #include <sys/varargs.h>
  48 #include <sys/klpd.h>
  49 #include <sys/modctl.h>
  50 #include <sys/disp.h>
  51 #include <sys/zone.h>
  52 #include <inet/optcom.h>
  53 #include <sys/sdt.h>
  54 #include <sys/vfs.h>
  55 #include <sys/mntent.h>
  56 #include <sys/contract_impl.h>
  57 #include <sys/dld_ioc.h>
  58 
  59 /*
  60  * There are two possible layers of privilege routines and two possible
  61  * levels of secpolicy.  Plus one other we may not be interested in, so
  62  * we may need as many as 6 but no more.
  63  */
  64 #define MAXPRIVSTACK            6
  65 
  66 int priv_debug = 0;
  67 int priv_basic_test = -1;
  68 
  69 /*
  70  * This file contains the majority of the policy routines.
  71  * Since the policy routines are defined by function and not
  72  * by privilege, there is quite a bit of duplication of
  73  * functions.
  74  *
  75  * The secpolicy functions must not make assumptions about
  76  * locks held or not held as any lock can be held while they're
  77  * being called.
  78  *
  79  * Credentials are read-only so no special precautions need to
  80  * be taken while locking them.
  81  *
  82  * When a new policy check needs to be added to the system the
  83  * following procedure should be followed:
  84  *
  85  *              Pick an appropriate secpolicy_*() function
  86  *                      -> done if one exists.
  87  *              Create a new secpolicy function, preferably with
  88  *              a descriptive name using the standard template.
  89  *              Pick an appropriate privilege for the policy.
  90  *              If no appropraite privilege exists, define new one
  91  *              (this should be done with extreme care; in most cases
  92  *              little is gained by adding another privilege)
  93  *
  94  * WHY ROOT IS STILL SPECIAL.
  95  *
  96  * In a number of the policy functions, there are still explicit
  97  * checks for uid 0.  The rationale behind these is that many root
  98  * owned files/objects hold configuration information which can give full
  99  * privileges to the user once written to.  To prevent escalation
 100  * of privilege by allowing just a single privilege to modify root owned
 101  * objects, we've added these root specific checks where we considered
 102  * them necessary: modifying root owned files, changing uids to 0, etc.
 103  *
 104  * PRIVILEGE ESCALATION AND ZONES.
 105  *
 106  * A number of operations potentially allow the caller to achieve
 107  * privileges beyond the ones normally required to perform the operation.
 108  * For example, if allowed to create a setuid 0 executable, a process can
 109  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
 110  * restrictions on the ability to gain privileges beyond those available
 111  * within the zone through file and process manipulation.  Hence, such
 112  * operations require that the caller have an effective set that includes
 113  * all privileges available within the current zone, or all privileges
 114  * if executing in the global zone.
 115  *
 116  * This is indicated in the priv_policy* policy checking functions
 117  * through a combination of parameters.  The "priv" parameter indicates
 118  * the privilege that is required, and the "allzone" parameter indicates
 119  * whether or not all privileges in the zone are required.  In addition,
 120  * priv can be set to PRIV_ALL to indicate that all privileges are
 121  * required (regardless of zone).  There are three scenarios of interest:
 122  * (1) operation requires a specific privilege
 123  * (2) operation requires a specific privilege, and requires all
 124  *     privileges available within the zone (or all privileges if in
 125  *     the global zone)
 126  * (3) operation requires all privileges, regardless of zone
 127  *
 128  * For (1), priv should be set to the specific privilege, and allzone
 129  * should be set to B_FALSE.
 130  * For (2), priv should be set to the specific privilege, and allzone
 131  * should be set to B_TRUE.
 132  * For (3), priv should be set to PRIV_ALL, and allzone should be set
 133  * to B_FALSE.
 134  *
 135  */
 136 
 137 /*
 138  * The privileges are checked against the Effective set for
 139  * ordinary processes and checked against the Limit set
 140  * for euid 0 processes that haven't manipulated their privilege
 141  * sets.
 142  */
 143 #define HAS_ALLPRIVS(cr)        priv_isfullset(&CR_OEPRIV(cr))
 144 #define ZONEPRIVS(cr)           ((cr)->cr_zone->zone_privset)
 145 #define HAS_ALLZONEPRIVS(cr)    priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
 146 #define HAS_PRIVILEGE(cr, pr)   ((pr) == PRIV_ALL ? \
 147                                         HAS_ALLPRIVS(cr) : \
 148                                         PRIV_ISMEMBER(&CR_OEPRIV(cr), pr))
 149 
 150 #define FAST_BASIC_CHECK(cr, priv)      \
 151         if (PRIV_ISMEMBER(&CR_OEPRIV(cr), priv)) { \
 152                 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
 153                 return (0); \
 154         }
 155 
 156 /*
 157  * Policy checking functions.
 158  *
 159  * All of the system's policy should be implemented here.
 160  */
 161 
 162 /*
 163  * Private functions which take an additional va_list argument to
 164  * implement an object specific policy override.
 165  */
 166 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
 167     const char *, va_list);
 168 static int priv_policy_va(const cred_t *, int, boolean_t, int,
 169     const char *, ...);
 170 
 171 /*
 172  * Generic policy calls
 173  *
 174  * The "bottom" functions of policy control
 175  */
 176 static char *
 177 mprintf(const char *fmt, ...)
 178 {
 179         va_list args;
 180         char *buf;
 181         size_t len;
 182 
 183         va_start(args, fmt);
 184         len = vsnprintf(NULL, 0, fmt, args) + 1;
 185         va_end(args);
 186 
 187         buf = kmem_alloc(len, KM_NOSLEEP);
 188 
 189         if (buf == NULL)
 190                 return (NULL);
 191 
 192         va_start(args, fmt);
 193         (void) vsnprintf(buf, len, fmt, args);
 194         va_end(args);
 195 
 196         return (buf);
 197 }
 198 
 199 /*
 200  * priv_policy_errmsg()
 201  *
 202  * Generate an error message if privilege debugging is enabled system wide
 203  * or for this particular process.
 204  */
 205 
 206 #define FMTHDR  "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
 207 #define FMTMSG  " for \"%s\""
 208 #define FMTFUN  " needed at %s+0x%lx"
 209 
 210 /* The maximum size privilege format: the concatenation of the above */
 211 #define FMTMAX  FMTHDR FMTMSG FMTFUN "\n"
 212 
 213 static void
 214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
 215 {
 216         struct proc *me;
 217         pc_t stack[MAXPRIVSTACK];
 218         int depth;
 219         int i;
 220         char *sym;
 221         ulong_t off;
 222         const char *pname;
 223 
 224         char *cmd;
 225         char fmt[sizeof (FMTMAX)];
 226 
 227         if ((me = curproc) == &p0)
 228                 return;
 229 
 230         /* Privileges must be defined  */
 231         ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
 232             priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
 233             priv_getbynum(priv) != NULL);
 234 
 235         if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
 236                 priv = PRIV_ALL;
 237 
 238         if (curthread->t_pre_sys)
 239                 ttolwp(curthread)->lwp_badpriv = (short)priv;
 240 
 241         if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
 242                 return;
 243 
 244         (void) strcpy(fmt, FMTHDR);
 245 
 246         if (me->p_user.u_comm[0])
 247                 cmd = &me->p_user.u_comm[0];
 248         else
 249                 cmd = "priv_policy";
 250 
 251         if (msg != NULL && *msg != '\0') {
 252                 (void) strcat(fmt, FMTMSG);
 253         } else {
 254                 (void) strcat(fmt, "%s");
 255                 msg = "";
 256         }
 257 
 258         sym = NULL;
 259 
 260         depth = getpcstack(stack, MAXPRIVSTACK);
 261 
 262         /*
 263          * Try to find the first interesting function on the stack.
 264          * priv_policy* that's us, so completely uninteresting.
 265          * suser(), drv_priv(), secpolicy_* are also called from
 266          * too many locations to convey useful information.
 267          */
 268         for (i = 0; i < depth; i++) {
 269                 sym = kobj_getsymname((uintptr_t)stack[i], &off);
 270                 if (sym != NULL &&
 271                     strstr(sym, "hasprocperm") == 0 &&
 272                     strcmp("suser", sym) != 0 &&
 273                     strcmp("ipcaccess", sym) != 0 &&
 274                     strcmp("drv_priv", sym) != 0 &&
 275                     strncmp("secpolicy_", sym, 10) != 0 &&
 276                     strncmp("priv_policy", sym, 11) != 0)
 277                         break;
 278         }
 279 
 280         if (sym != NULL)
 281                 (void) strcat(fmt, FMTFUN);
 282 
 283         (void) strcat(fmt, "\n");
 284 
 285         switch (priv) {
 286         case PRIV_ALL:
 287                 pname = "ALL";
 288                 break;
 289         case PRIV_MULTIPLE:
 290                 pname = "MULTIPLE";
 291                 break;
 292         case PRIV_ALLZONE:
 293                 pname = "ZONE";
 294                 break;
 295         case PRIV_GLOBAL:
 296                 pname = "GLOBAL";
 297                 break;
 298         default:
 299                 pname = priv_getbynum(priv);
 300                 break;
 301         }
 302 
 303         if (CR_FLAGS(cr) & PRIV_DEBUG) {
 304                 /* Remember last message, just like lwp_badpriv. */
 305                 if (curthread->t_pdmsg != NULL) {
 306                         kmem_free(curthread->t_pdmsg,
 307                             strlen(curthread->t_pdmsg) + 1);
 308                 }
 309 
 310                 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
 311                     cr->cr_uid, curthread->t_sysnum, msg, sym, off);
 312 
 313                 curthread->t_post_sys = 1;
 314         }
 315         if (priv_debug) {
 316                 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
 317                     curthread->t_sysnum, msg, sym, off);
 318         }
 319 }
 320 
 321 /*
 322  * Override the policy, if appropriate.  Return 0 if the external
 323  * policy engine approves.
 324  */
 325 static int
 326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
 327 {
 328         priv_set_t set;
 329         int ret;
 330 
 331         if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
 332                 return (-1);
 333 
 334         if (priv == PRIV_ALL) {
 335                 priv_fillset(&set);
 336         } else if (allzone) {
 337                 set = *ZONEPRIVS(cr);
 338         } else {
 339                 priv_emptyset(&set);
 340                 priv_addset(&set, priv);
 341         }
 342         ret = klpd_call(cr, &set, ap);
 343         return (ret);
 344 }
 345 
 346 static int
 347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
 348 {
 349         if (CR_FLAGS(cr) & PRIV_PFEXEC)
 350                 return (check_user_privs(cr, req));
 351         if (CR_FLAGS(cr) & PRIV_XPOLICY) {
 352                 return (klpd_call(cr, req, ap));
 353         }
 354         return (-1);
 355 }
 356 
 357 static int
 358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
 359 {
 360         va_list ap;
 361         int ret;
 362 
 363         va_start(ap, req);
 364         ret = priv_policy_override_set(cr, req, ap);
 365         va_end(ap);
 366         return (ret);
 367 }
 368 
 369 /*
 370  * Audit failure, log error message.
 371  */
 372 static void
 373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
 374 {
 375 
 376         if (AU_AUDITING())
 377                 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
 378         DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
 379 
 380         if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
 381             curthread->t_pre_sys) {
 382                 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
 383                         priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
 384                 } else {
 385                         ASSERT(!HAS_PRIVILEGE(cr, priv));
 386                         priv_policy_errmsg(cr, priv, msg);
 387                 }
 388         }
 389 }
 390 
 391 /*
 392  * priv_policy_ap()
 393  * return 0 or error.
 394  * See block comment above for a description of "priv" and "allzone" usage.
 395  */
 396 static int
 397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
 398     const char *msg, va_list ap)
 399 {
 400         if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
 401             (!servicing_interrupt() &&
 402             priv_policy_override(cr, priv, allzone, ap) == 0)) {
 403                 if ((allzone || priv == PRIV_ALL ||
 404                     !PRIV_ISMEMBER(priv_basic, priv)) &&
 405                     !servicing_interrupt()) {
 406                         PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
 407                         if (AU_AUDITING())
 408                                 audit_priv(priv,
 409                                     allzone ? ZONEPRIVS(cr) : NULL, 1);
 410                 }
 411                 err = 0;
 412                 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
 413         } else if (!servicing_interrupt()) {
 414                 /* Failure audited in this procedure */
 415                 priv_policy_err(cr, priv, allzone, msg);
 416         }
 417         return (err);
 418 }
 419 
 420 int
 421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
 422     const char *msg, ...)
 423 {
 424         int ret;
 425         va_list ap;
 426 
 427         va_start(ap, msg);
 428         ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
 429         va_end(ap);
 430 
 431         return (ret);
 432 }
 433 
 434 int
 435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
 436     const char *msg)
 437 {
 438         return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
 439 }
 440 
 441 /*
 442  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
 443  */
 444 boolean_t
 445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
 446 {
 447         boolean_t res = HAS_PRIVILEGE(cr, priv) &&
 448             (!allzone || HAS_ALLZONEPRIVS(cr));
 449 
 450         /* Audit success only */
 451         if (res && AU_AUDITING() &&
 452             (allzone || priv == PRIV_ALL || !PRIV_ISMEMBER(priv_basic, priv)) &&
 453             !servicing_interrupt()) {
 454                 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
 455         }
 456         if (res) {
 457                 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
 458         } else {
 459                 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
 460         }
 461         return (res);
 462 }
 463 
 464 /*
 465  * Non-auditing variant of priv_policy_choice().
 466  */
 467 boolean_t
 468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
 469 {
 470         boolean_t res = HAS_PRIVILEGE(cr, priv) &&
 471             (!allzone || HAS_ALLZONEPRIVS(cr));
 472 
 473         if (res) {
 474                 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
 475         } else {
 476                 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
 477         }
 478         return (res);
 479 }
 480 
 481 /*
 482  * Check whether all privileges in the required set are present.
 483  */
 484 static int
 485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
 486     const char *msg, ...)
 487 {
 488         int priv;
 489         int pfound = -1;
 490         priv_set_t pset;
 491         va_list ap;
 492         int ret;
 493 
 494         if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
 495             &CR_OEPRIV(cr))) {
 496                 return (0);
 497         }
 498 
 499         va_start(ap, msg);
 500         ret = priv_policy_override_set(cr, req, ap);
 501         va_end(ap);
 502         if (ret == 0)
 503                 return (0);
 504 
 505         if (req == PRIV_FULLSET || priv_isfullset(req)) {
 506                 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
 507                 return (EACCES);
 508         }
 509 
 510         pset = CR_OEPRIV(cr);           /* present privileges */
 511         priv_inverse(&pset);                /* all non present privileges */
 512         priv_intersect(req, &pset); /* the actual missing privs */
 513 
 514         if (AU_AUDITING())
 515                 audit_priv(PRIV_NONE, &pset, 0);
 516         /*
 517          * Privilege debugging; special case "one privilege in set".
 518          */
 519         if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
 520                 for (priv = 0; priv < nprivs; priv++) {
 521                         if (priv_ismember(&pset, priv)) {
 522                                 if (pfound != -1) {
 523                                         /* Multiple missing privs */
 524                                         priv_policy_errmsg(cr, PRIV_MULTIPLE,
 525                                             msg);
 526                                         return (EACCES);
 527                                 }
 528                                 pfound = priv;
 529                         }
 530                 }
 531                 ASSERT(pfound != -1);
 532                 /* Just the one missing privilege */
 533                 priv_policy_errmsg(cr, pfound, msg);
 534         }
 535 
 536         return (EACCES);
 537 }
 538 
 539 /*
 540  * Called when an operation requires that the caller be in the
 541  * global zone, regardless of privilege.
 542  */
 543 static int
 544 priv_policy_global(const cred_t *cr)
 545 {
 546         if (crgetzoneid(cr) == GLOBAL_ZONEID)
 547                 return (0);     /* success */
 548 
 549         if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
 550             curthread->t_pre_sys) {
 551                 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
 552         }
 553         return (EPERM);
 554 }
 555 
 556 /*
 557  * Raising process priority
 558  */
 559 int
 560 secpolicy_raisepriority(const cred_t *cr)
 561 {
 562         if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
 563                 return (0);
 564         return (secpolicy_setpriority(cr));
 565 }
 566 
 567 /*
 568  * Changing process priority or scheduling class
 569  */
 570 int
 571 secpolicy_setpriority(const cred_t *cr)
 572 {
 573         return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
 574 }
 575 
 576 /*
 577  * Binding to a privileged port, port must be specified in host byte
 578  * order.
 579  * When adding a new privilege which allows binding to currently privileged
 580  * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
 581  * to these ports because of backward compatibility.
 582  */
 583 int
 584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
 585 {
 586         char *reason;
 587         int priv;
 588 
 589         switch (port) {
 590         case 137:
 591         case 138:
 592         case 139:
 593         case 445:
 594                 /*
 595                  * NBT and SMB ports, these are normal privileged ports,
 596                  * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
 597                  * is present.
 598                  * Try both, if neither is present return an error for
 599                  * priv SYS_SMB.
 600                  */
 601                 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
 602                         priv = PRIV_NET_PRIVADDR;
 603                 else
 604                         priv = PRIV_SYS_SMB;
 605                 reason = "NBT or SMB port";
 606                 break;
 607 
 608         case 2049:
 609         case 4045:
 610                 /*
 611                  * NFS ports, these are extra privileged ports, allow bind
 612                  * only if the SYS_NFS privilege is present.
 613                  */
 614                 priv = PRIV_SYS_NFS;
 615                 reason = "NFS port";
 616                 break;
 617 
 618         default:
 619                 priv = PRIV_NET_PRIVADDR;
 620                 reason = NULL;
 621                 break;
 622 
 623         }
 624 
 625         return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
 626             KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
 627 }
 628 
 629 /*
 630  * Binding to a multilevel port on a trusted (labeled) system.
 631  */
 632 int
 633 secpolicy_net_bindmlp(const cred_t *cr)
 634 {
 635         return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
 636 }
 637 
 638 /*
 639  * Allow a communication between a zone and an unlabeled host when their
 640  * labels don't match.
 641  */
 642 int
 643 secpolicy_net_mac_aware(const cred_t *cr)
 644 {
 645         return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
 646 }
 647 
 648 /*
 649  * Allow a privileged process to transmit traffic without explicit labels
 650  */
 651 int
 652 secpolicy_net_mac_implicit(const cred_t *cr)
 653 {
 654         return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
 655 }
 656 
 657 /*
 658  * Common routine which determines whether a given credential can
 659  * act on a given mount.
 660  * When called through mount, the parameter needoptcheck is a pointer
 661  * to a boolean variable which will be set to either true or false,
 662  * depending on whether the mount policy should change the mount options.
 663  * In all other cases, needoptcheck should be a NULL pointer.
 664  */
 665 static int
 666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
 667     boolean_t *needoptcheck)
 668 {
 669         boolean_t allzone = B_FALSE;
 670         boolean_t mounting = needoptcheck != NULL;
 671 
 672         /*
 673          * Short circuit the following cases:
 674          *      vfsp == NULL or mvp == NULL (pure privilege check)
 675          *      have all privileges - no further checks required
 676          *      and no mount options need to be set.
 677          */
 678         if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
 679                 if (mounting)
 680                         *needoptcheck = B_FALSE;
 681 
 682                 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
 683                     NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
 684         }
 685 
 686         /*
 687          * When operating on an existing mount (either we're not mounting
 688          * or we're doing a remount and VFS_REMOUNT will be set), zones
 689          * can operate only on mounts established by the zone itself.
 690          */
 691         if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
 692                 zoneid_t zoneid = crgetzoneid(cr);
 693 
 694                 if (zoneid != GLOBAL_ZONEID &&
 695                     vfsp->vfs_zone->zone_id != zoneid) {
 696                         return (EPERM);
 697                 }
 698         }
 699 
 700         if (mounting)
 701                 *needoptcheck = B_TRUE;
 702 
 703         /*
 704          * Overlay mounts may hide important stuff; if you can't write to a
 705          * mount point but would be able to mount on top of it, you can
 706          * escalate your privileges.
 707          * So we go about asking the same questions namefs does when it
 708          * decides whether you can mount over a file or not but with the
 709          * added restriction that you can only mount on top of a regular
 710          * file or directory.
 711          * If we have all the zone's privileges, we skip all other checks,
 712          * or else we may actually get in trouble inside the automounter.
 713          */
 714         if ((mvp->v_flag & VROOT) != 0 ||
 715             (mvp->v_type != VDIR && mvp->v_type != VREG) ||
 716             HAS_ALLZONEPRIVS(cr)) {
 717                 allzone = B_TRUE;
 718         } else {
 719                 vattr_t va;
 720                 int err;
 721 
 722                 va.va_mask = AT_UID|AT_MODE;
 723                 err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
 724                 if (err != 0)
 725                         return (err);
 726 
 727                 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
 728                         return (err);
 729 
 730                 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
 731                     VWRITE) != 0) {
 732                         return (EACCES);
 733                 }
 734         }
 735         return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
 736             NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
 737 }
 738 
 739 void
 740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
 741 {
 742         boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
 743 
 744         /*
 745          * check; if we don't have either "nosuid" or
 746          * both "nosetuid" and "nodevices", then we add
 747          * "nosuid"; this depends on how the current
 748          * implementation works (it first checks nosuid).  In a
 749          * zone, a user with all zone privileges can mount with
 750          * "setuid" but never with "devices".
 751          */
 752         if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
 753             (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
 754             !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
 755                 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
 756                         vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
 757                 else
 758                         vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
 759         }
 760         /*
 761          * If we're not the local super user, we set the "restrict"
 762          * option to indicate to automountd that this mount should
 763          * be handled with care.
 764          */
 765         if (!amsuper)
 766                 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
 767 
 768 }
 769 
 770 int
 771 secpolicy_fs_allowed_mount(const char *fsname)
 772 {
 773         struct vfssw *vswp;
 774         const char *p;
 775         size_t len;
 776 
 777         ASSERT(fsname != NULL);
 778         ASSERT(fsname[0] != '\0');
 779 
 780         if (INGLOBALZONE(curproc))
 781                 return (0);
 782 
 783         vswp = vfs_getvfssw(fsname);
 784         if (vswp == NULL)
 785                 return (ENOENT);
 786 
 787         if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
 788                 vfs_unrefvfssw(vswp);
 789                 return (0);
 790         }
 791 
 792         vfs_unrefvfssw(vswp);
 793 
 794         p = curzone->zone_fs_allowed;
 795         len = strlen(fsname);
 796 
 797         while (p != NULL && *p != '\0') {
 798                 if (strncmp(p, fsname, len) == 0) {
 799                         char c = *(p + len);
 800                         if (c == '\0' || c == ',')
 801                                 return (0);
 802                 }
 803 
 804                 /* skip to beyond the next comma */
 805                 if ((p = strchr(p, ',')) != NULL)
 806                         p++;
 807         }
 808 
 809         return (EPERM);
 810 }
 811 
 812 extern vnode_t *rootvp;
 813 extern vfs_t *rootvfs;
 814 
 815 int
 816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
 817 {
 818         boolean_t needoptchk;
 819         int error;
 820 
 821         /*
 822          * If it's a remount, get the underlying mount point,
 823          * except for the root where we use the rootvp.
 824          */
 825         if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
 826                 if (vfsp == rootvfs)
 827                         mvp = rootvp;
 828                 else
 829                         mvp = vfsp->vfs_vnodecovered;
 830         }
 831 
 832         error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
 833 
 834         if (error == 0 && needoptchk) {
 835                 secpolicy_fs_mount_clearopts(cr, vfsp);
 836         }
 837 
 838         return (error);
 839 }
 840 
 841 /*
 842  * Does the policy computations for "ownership" of a mount;
 843  * here ownership is defined as the ability to "mount"
 844  * the filesystem originally.  The rootvfs doesn't cover any
 845  * vnodes; we attribute its ownership to the rootvp.
 846  */
 847 static int
 848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
 849 {
 850         vnode_t *mvp;
 851 
 852         if (vfsp == NULL)
 853                 mvp = NULL;
 854         else if (vfsp == rootvfs)
 855                 mvp = rootvp;
 856         else
 857                 mvp = vfsp->vfs_vnodecovered;
 858 
 859         return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
 860 }
 861 
 862 int
 863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
 864 {
 865         return (secpolicy_fs_owner(cr, vfsp));
 866 }
 867 
 868 /*
 869  * Quotas are a resource, but if one has the ability to mount a filesystem, he
 870  * should be able to modify quotas on it.
 871  */
 872 int
 873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
 874 {
 875         return (secpolicy_fs_owner((cred_t *)cr, vfsp));
 876 }
 877 
 878 /*
 879  * Exceeding minfree: also a per-mount resource constraint.
 880  */
 881 int
 882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
 883 {
 884         return (secpolicy_fs_owner((cred_t *)cr, vfsp));
 885 }
 886 
 887 int
 888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
 889 {
 890         return (secpolicy_fs_owner((cred_t *)cr, vfsp));
 891 }
 892 
 893 /* ARGSUSED */
 894 int
 895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
 896 {
 897         return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
 898 }
 899 
 900 /*
 901  * Name:        secpolicy_vnode_access()
 902  *
 903  * Parameters:  Process credential
 904  *              vnode
 905  *              uid of owner of vnode
 906  *              permission bits not granted to the caller when examining
 907  *              file mode bits (i.e., when a process wants to open a
 908  *              mode 444 file for VREAD|VWRITE, this function should be
 909  *              called only with a VWRITE argument).
 910  *
 911  * Normal:      Verifies that cred has the appropriate privileges to
 912  *              override the mode bits that were denied.
 913  *
 914  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
 915  *                      not a directory.
 916  *              file_dac_read - if VREAD bit was denied.
 917  *              file_dac_search - if VEXEC bit was denied and vnode is
 918  *                      a directory.
 919  *              file_dac_write - if VWRITE bit was denied.
 920  *
 921  *              Root owned files are special cased to protect system
 922  *              configuration files and such.
 923  *
 924  * Output:      EACCES - if privilege check fails.
 925  */
 926 
 927 int
 928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
 929 {
 930         if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
 931             EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
 932             KLPDARG_NOMORE) != 0) {
 933                 return (EACCES);
 934         }
 935 
 936         if (mode & VWRITE) {
 937                 boolean_t allzone;
 938 
 939                 if (owner == 0 && cr->cr_uid != 0)
 940                         allzone = B_TRUE;
 941                 else
 942                         allzone = B_FALSE;
 943                 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
 944                     NULL, KLPDARG_VNODE, vp, (char *)NULL,
 945                     KLPDARG_NOMORE) != 0) {
 946                         return (EACCES);
 947                 }
 948         }
 949 
 950         if (mode & VEXEC) {
 951                 /*
 952                  * Directories use file_dac_search to override the execute bit.
 953                  */
 954                 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
 955                     PRIV_FILE_DAC_EXECUTE;
 956 
 957                 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
 958                     KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
 959         }
 960         return (0);
 961 }
 962 
 963 /*
 964  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 965  * current mode of the file, not the missing bits.
 966  */
 967 int
 968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
 969     mode_t curmode, mode_t wantmode)
 970 {
 971         mode_t mode;
 972 
 973         /* Inline the basic privileges tests. */
 974         if ((wantmode & VREAD) &&
 975             !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
 976             priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
 977             KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
 978                 return (EACCES);
 979         }
 980 
 981         if ((wantmode & VWRITE) &&
 982             !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
 983             priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
 984             KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
 985                 return (EACCES);
 986         }
 987 
 988         mode = ~curmode & wantmode;
 989 
 990         if (mode == 0)
 991                 return (0);
 992 
 993         if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
 994             EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
 995             KLPDARG_NOMORE) != 0) {
 996                 return (EACCES);
 997         }
 998 
 999         if (mode & VWRITE) {
1000                 boolean_t allzone;
1001 
1002                 if (owner == 0 && cr->cr_uid != 0)
1003                         allzone = B_TRUE;
1004                 else
1005                         allzone = B_FALSE;
1006                 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1007                     NULL, KLPDARG_VNODE, vp, (char *)NULL,
1008                     KLPDARG_NOMORE) != 0) {
1009                         return (EACCES);
1010                 }
1011         }
1012 
1013         if (mode & VEXEC) {
1014                 /*
1015                  * Directories use file_dac_search to override the execute bit.
1016                  */
1017                 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1018                     PRIV_FILE_DAC_EXECUTE;
1019 
1020                 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1021                     KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1022         }
1023         return (0);
1024 }
1025 
1026 /*
1027  * This is a special routine for ZFS; it is used to determine whether
1028  * any of the privileges in effect allow any form of access to the
1029  * file.  There's no reason to audit this or any reason to record
1030  * this.  More work is needed to do the "KPLD" stuff.
1031  */
1032 int
1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1034 {
1035         static int privs[] = {
1036             PRIV_FILE_OWNER,
1037             PRIV_FILE_CHOWN,
1038             PRIV_FILE_DAC_READ,
1039             PRIV_FILE_DAC_WRITE,
1040             PRIV_FILE_DAC_EXECUTE,
1041             PRIV_FILE_DAC_SEARCH,
1042         };
1043         int i;
1044 
1045         /* Same as secpolicy_vnode_setdac */
1046         if (owner == cr->cr_uid)
1047                 return (0);
1048 
1049         for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1050                 boolean_t allzone = B_FALSE;
1051                 int priv;
1052 
1053                 switch (priv = privs[i]) {
1054                 case PRIV_FILE_DAC_EXECUTE:
1055                         if (vp->v_type == VDIR)
1056                                 continue;
1057                         break;
1058                 case PRIV_FILE_DAC_SEARCH:
1059                         if (vp->v_type != VDIR)
1060                                 continue;
1061                         break;
1062                 case PRIV_FILE_DAC_WRITE:
1063                 case PRIV_FILE_OWNER:
1064                 case PRIV_FILE_CHOWN:
1065                         /* We know here that if owner == 0, that cr_uid != 0 */
1066                         allzone = owner == 0;
1067                         break;
1068                 }
1069                 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1070                         return (0);
1071         }
1072         return (EPERM);
1073 }
1074 
1075 /*
1076  * Name:        secpolicy_vnode_setid_modify()
1077  *
1078  * Normal:      verify that subject can set the file setid flags.
1079  *
1080  * Output:      EPERM - if not privileged.
1081  */
1082 
1083 static int
1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1085 {
1086         /* If changing to suid root, must have all zone privs */
1087         boolean_t allzone = B_TRUE;
1088 
1089         if (owner != 0) {
1090                 if (owner == cr->cr_uid)
1091                         return (0);
1092                 allzone = B_FALSE;
1093         }
1094         return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1095 }
1096 
1097 /*
1098  * Are we allowed to retain the set-uid/set-gid bits when
1099  * changing ownership or when writing to a file?
1100  * "issuid" should be true when set-uid; only in that case
1101  * root ownership is checked (setgid is assumed).
1102  */
1103 int
1104 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1105 {
1106         if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1107                 return (EPERM);
1108 
1109         return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1110 }
1111 
1112 /*
1113  * Name:        secpolicy_vnode_setids_setgids()
1114  *
1115  * Normal:      verify that subject can set the file setgid flag.
1116  *
1117  * Output:      EPERM - if not privileged
1118  */
1119 
1120 int
1121 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1122 {
1123         if (!groupmember(gid, cred))
1124                 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1125                     NULL));
1126         return (0);
1127 }
1128 
1129 /*
1130  * Name:        secpolicy_vnode_chown
1131  *
1132  * Normal:      Determine if subject can chown owner of a file.
1133  *
1134  * Output:      EPERM - if access denied
1135  */
1136 
1137 int
1138 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1139 {
1140         boolean_t is_owner = (owner == crgetuid(cred));
1141         boolean_t allzone = B_FALSE;
1142         int priv;
1143 
1144         if (!is_owner) {
1145                 allzone = (owner == 0);
1146                 priv = PRIV_FILE_CHOWN;
1147         } else {
1148                 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1149                     PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1150         }
1151 
1152         return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1153 }
1154 
1155 /*
1156  * Name:        secpolicy_vnode_create_gid
1157  *
1158  * Normal:      Determine if subject can change group ownership of a file.
1159  *
1160  * Output:      EPERM - if access denied
1161  */
1162 int
1163 secpolicy_vnode_create_gid(const cred_t *cred)
1164 {
1165         if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1166                 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1167                     NULL));
1168         else
1169                 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1170                     NULL));
1171 }
1172 
1173 /*
1174  * Name:        secpolicy_vnode_utime_modify()
1175  *
1176  * Normal:      verify that subject can modify the utime on a file.
1177  *
1178  * Output:      EPERM - if access denied.
1179  */
1180 
1181 static int
1182 secpolicy_vnode_utime_modify(const cred_t *cred)
1183 {
1184         return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1185             "modify file times"));
1186 }
1187 
1188 
1189 /*
1190  * Name:        secpolicy_vnode_setdac()
1191  *
1192  * Normal:      verify that subject can modify the mode of a file.
1193  *              allzone privilege needed when modifying root owned object.
1194  *
1195  * Output:      EPERM - if access denied.
1196  */
1197 
1198 int
1199 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1200 {
1201         if (owner == cred->cr_uid)
1202                 return (0);
1203 
1204         return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1205 }
1206 /*
1207  * Name:        secpolicy_vnode_stky_modify()
1208  *
1209  * Normal:      verify that subject can make a file a "sticky".
1210  *
1211  * Output:      EPERM - if access denied.
1212  */
1213 
1214 int
1215 secpolicy_vnode_stky_modify(const cred_t *cred)
1216 {
1217         return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1218             "set file sticky"));
1219 }
1220 
1221 /*
1222  * Policy determines whether we can remove an entry from a directory,
1223  * regardless of permission bits.
1224  */
1225 int
1226 secpolicy_vnode_remove(const cred_t *cr)
1227 {
1228         return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1229             "sticky directory"));
1230 }
1231 
1232 int
1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1234 {
1235         boolean_t allzone = (owner == 0);
1236 
1237         if (owner == cr->cr_uid)
1238                 return (0);
1239 
1240         return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1241 }
1242 
1243 void
1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1245 {
1246         if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1247             secpolicy_vnode_setid_retain(cr,
1248             (vap->va_mode & S_ISUID) != 0 &&
1249             (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1250                 vap->va_mask |= AT_MODE;
1251                 vap->va_mode &= ~(S_ISUID|S_ISGID);
1252         }
1253 }
1254 
1255 int
1256 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1257     cred_t *cr)
1258 {
1259         int error;
1260 
1261         if ((vap->va_mode & S_ISUID) != 0 &&
1262             (error = secpolicy_vnode_setid_modify(cr,
1263             ovap->va_uid)) != 0) {
1264                 return (error);
1265         }
1266 
1267         /*
1268          * Check privilege if attempting to set the
1269          * sticky bit on a non-directory.
1270          */
1271         if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1272             secpolicy_vnode_stky_modify(cr) != 0) {
1273                 vap->va_mode &= ~S_ISVTX;
1274         }
1275 
1276         /*
1277          * Check for privilege if attempting to set the
1278          * group-id bit.
1279          */
1280         if ((vap->va_mode & S_ISGID) != 0 &&
1281             secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1282                 vap->va_mode &= ~S_ISGID;
1283         }
1284 
1285         return (0);
1286 }
1287 
1288 #define ATTR_FLAG_PRIV(attr, value, cr) \
1289         PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1290         B_FALSE, EPERM, NULL)
1291 
1292 /*
1293  * Check privileges for setting xvattr attributes
1294  */
1295 int
1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1297 {
1298         xoptattr_t *xoap;
1299         int error = 0;
1300 
1301         if ((xoap = xva_getxoptattr(xvap)) == NULL)
1302                 return (EINVAL);
1303 
1304         /*
1305          * First process the DOS bits
1306          */
1307         if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1308             XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1309             XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1310             XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1311             XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1312             XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1313             XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1314                 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1315                         return (error);
1316         }
1317 
1318         /*
1319          * Now handle special attributes
1320          */
1321 
1322         if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1323                 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1324                     xoap->xoa_immutable, cr);
1325         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1326                 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1327                     xoap->xoa_nounlink, cr);
1328         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1329                 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1330                     xoap->xoa_appendonly, cr);
1331         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1332                 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1333                     xoap->xoa_nodump, cr);
1334         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1335                 error = EPERM;
1336         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1337                 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1338                     xoap->xoa_av_quarantined, cr);
1339                 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1340                         error = EINVAL;
1341         }
1342         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1343                 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1344                     xoap->xoa_av_modified, cr);
1345         if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1346                 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1347                     xoap->xoa_av_scanstamp, cr);
1348                 if (error == 0 && vtype != VREG)
1349                         error = EINVAL;
1350         }
1351         return (error);
1352 }
1353 
1354 /*
1355  * This function checks the policy decisions surrounding the
1356  * vop setattr call.
1357  *
1358  * It should be called after sufficient locks have been established
1359  * on the underlying data structures.  No concurrent modifications
1360  * should be allowed.
1361  *
1362  * The caller must pass in unlocked version of its vaccess function
1363  * this is required because vop_access function should lock the
1364  * node for reading.  A three argument function should be defined
1365  * which accepts the following argument:
1366  *      A pointer to the internal "node" type (inode *)
1367  *      vnode access bits (VREAD|VWRITE|VEXEC)
1368  *      a pointer to the credential
1369  *
1370  * This function makes the following policy decisions:
1371  *
1372  *              - change permissions
1373  *                      - permission to change file mode if not owner
1374  *                      - permission to add sticky bit to non-directory
1375  *                      - permission to add set-gid bit
1376  *
1377  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1378  *
1379  * If the vap argument does not include AT_MODE, the mode will be copied from
1380  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1381  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1382  * is updated to the newly computed mode.
1383  */
1384 
1385 int
1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1387     const struct vattr *ovap, int flags,
1388     int unlocked_access(void *, int, cred_t *),
1389     void *node)
1390 {
1391         int mask = vap->va_mask;
1392         int error = 0;
1393         boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1394 
1395         if (mask & AT_SIZE) {
1396                 if (vp->v_type == VDIR) {
1397                         error = EISDIR;
1398                         goto out;
1399                 }
1400 
1401                 /*
1402                  * If ATTR_NOACLCHECK is set in the flags, then we don't
1403                  * perform the secondary unlocked_access() call since the
1404                  * ACL (if any) is being checked there.
1405                  */
1406                 if (skipaclchk == B_FALSE) {
1407                         error = unlocked_access(node, VWRITE, cr);
1408                         if (error)
1409                                 goto out;
1410                 }
1411         }
1412         if (mask & AT_MODE) {
1413                 /*
1414                  * If not the owner of the file then check privilege
1415                  * for two things: the privilege to set the mode at all
1416                  * and, if we're setting setuid, we also need permissions
1417                  * to add the set-uid bit, if we're not the owner.
1418                  * In the specific case of creating a set-uid root
1419                  * file, we need even more permissions.
1420                  */
1421                 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1422                         goto out;
1423 
1424                 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1425                     ovap, cr)) != 0)
1426                         goto out;
1427         } else
1428                 vap->va_mode = ovap->va_mode;
1429 
1430         if (mask & (AT_UID|AT_GID)) {
1431                 boolean_t checkpriv = B_FALSE;
1432 
1433                 /*
1434                  * Chowning files.
1435                  *
1436                  * If you are the file owner:
1437                  *      chown to other uid              FILE_CHOWN_SELF
1438                  *      chown to gid (non-member)       FILE_CHOWN_SELF
1439                  *      chown to gid (member)           <none>
1440                  *
1441                  * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1442                  * acceptable but the first one is reported when debugging.
1443                  *
1444                  * If you are not the file owner:
1445                  *      chown from root                 PRIV_FILE_CHOWN + zone
1446                  *      chown from other to any         PRIV_FILE_CHOWN
1447                  *
1448                  */
1449                 if (cr->cr_uid != ovap->va_uid) {
1450                         checkpriv = B_TRUE;
1451                 } else {
1452                         if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1453                             ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1454                             !groupmember(vap->va_gid, cr))) {
1455                                 checkpriv = B_TRUE;
1456                         }
1457                 }
1458                 /*
1459                  * If necessary, check privilege to see if update can be done.
1460                  */
1461                 if (checkpriv &&
1462                     (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1463                         goto out;
1464                 }
1465 
1466                 /*
1467                  * If the file has either the set UID or set GID bits
1468                  * set and the caller can set the bits, then leave them.
1469                  */
1470                 secpolicy_setid_clear(vap, cr);
1471         }
1472         if (mask & (AT_ATIME|AT_MTIME)) {
1473                 /*
1474                  * If not the file owner and not otherwise privileged,
1475                  * always return an error when setting the
1476                  * time other than the current (ATTR_UTIME flag set).
1477                  * If setting the current time (ATTR_UTIME not set) then
1478                  * unlocked_access will check permissions according to policy.
1479                  */
1480                 if (cr->cr_uid != ovap->va_uid) {
1481                         if (flags & ATTR_UTIME)
1482                                 error = secpolicy_vnode_utime_modify(cr);
1483                         else if (skipaclchk == B_FALSE) {
1484                                 error = unlocked_access(node, VWRITE, cr);
1485                                 if (error == EACCES &&
1486                                     secpolicy_vnode_utime_modify(cr) == 0)
1487                                         error = 0;
1488                         }
1489                         if (error)
1490                                 goto out;
1491                 }
1492         }
1493 
1494         /*
1495          * Check for optional attributes here by checking the following:
1496          */
1497         if (mask & AT_XVATTR)
1498                 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1499                     vp->v_type);
1500 out:
1501         return (error);
1502 }
1503 
1504 /*
1505  * Name:        secpolicy_pcfs_modify_bootpartition()
1506  *
1507  * Normal:      verify that subject can modify a pcfs boot partition.
1508  *
1509  * Output:      EACCES - if privilege check failed.
1510  */
1511 /*ARGSUSED*/
1512 int
1513 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1514 {
1515         return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1516             "modify pcfs boot partition"));
1517 }
1518 
1519 /*
1520  * System V IPC routines
1521  */
1522 int
1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1524 {
1525         if (crgetzoneid(cr) != ip->ipc_zoneid ||
1526             (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1527                 boolean_t allzone = B_FALSE;
1528                 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1529                         allzone = B_TRUE;
1530                 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1531         }
1532         return (0);
1533 }
1534 
1535 int
1536 secpolicy_ipc_config(const cred_t *cr)
1537 {
1538         return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1539 }
1540 
1541 int
1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1543 {
1544 
1545         boolean_t allzone = B_FALSE;
1546 
1547         ASSERT((mode & (MSG_R|MSG_W)) != 0);
1548 
1549         if ((mode & MSG_R) &&
1550             PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1551                 return (EACCES);
1552 
1553         if (mode & MSG_W) {
1554                 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1555                         allzone = B_TRUE;
1556 
1557                 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1558                     NULL));
1559         }
1560         return (0);
1561 }
1562 
1563 int
1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1565 {
1566         boolean_t allzone = B_FALSE;
1567 
1568         ASSERT((mode & (MSG_R|MSG_W)) != 0);
1569 
1570         if ((mode & MSG_R) &&
1571             PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1572                 return (EACCES);
1573 
1574         if (mode & MSG_W) {
1575                 if (cr->cr_uid != 0 && owner == 0)
1576                         allzone = B_TRUE;
1577 
1578                 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1579                     NULL));
1580         }
1581         return (0);
1582 }
1583 
1584 /*
1585  * Audit configuration.
1586  */
1587 int
1588 secpolicy_audit_config(const cred_t *cr)
1589 {
1590         return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1591 }
1592 
1593 /*
1594  * Audit record generation.
1595  */
1596 int
1597 secpolicy_audit_modify(const cred_t *cr)
1598 {
1599         return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1600 }
1601 
1602 /*
1603  * Get audit attributes.
1604  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1605  * "Least" of the two privileges on error.
1606  */
1607 int
1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1609 {
1610         int priv;
1611 
1612         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1613                 priv = PRIV_SYS_AUDIT;
1614         else
1615                 priv = PRIV_PROC_AUDIT;
1616 
1617         if (checkonly)
1618                 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1619         else
1620                 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1621 }
1622 
1623 
1624 /*
1625  * Locking physical memory
1626  */
1627 int
1628 secpolicy_lock_memory(const cred_t *cr)
1629 {
1630         return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1631 }
1632 
1633 /*
1634  * Accounting (both acct(2) and exacct).
1635  */
1636 int
1637 secpolicy_acct(const cred_t *cr)
1638 {
1639         return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1640 }
1641 
1642 /*
1643  * Is this process privileged to change its uids at will?
1644  * Uid 0 is still considered "special" and having the SETID
1645  * privilege is not sufficient to get uid 0.
1646  * Files are owned by root, so the privilege would give
1647  * full access and euid 0 is still effective.
1648  *
1649  * If you have the privilege and euid 0 only then do you
1650  * get the powers of root wrt uid 0.
1651  *
1652  * For gid manipulations, this is should be called with an
1653  * uid of -1.
1654  *
1655  */
1656 int
1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1658 {
1659         boolean_t allzone = B_FALSE;
1660 
1661         if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1662             cr->cr_ruid != 0) {
1663                 allzone = B_TRUE;
1664         }
1665 
1666         return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1667             PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1668 }
1669 
1670 
1671 /*
1672  * Acting on a different process: if the mode is for writing,
1673  * the restrictions are more severe.  This is called after
1674  * we've verified that the uids do not match.
1675  */
1676 int
1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1678 {
1679         boolean_t allzone = B_FALSE;
1680 
1681         if ((mode & VWRITE) && scr->cr_uid != 0 &&
1682             (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1683                 allzone = B_TRUE;
1684 
1685         return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1686 }
1687 
1688 int
1689 secpolicy_proc_access(const cred_t *scr)
1690 {
1691         return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1692 }
1693 
1694 int
1695 secpolicy_proc_excl_open(const cred_t *scr)
1696 {
1697         return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1698 }
1699 
1700 int
1701 secpolicy_proc_zone(const cred_t *scr)
1702 {
1703         return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1704 }
1705 
1706 /*
1707  * Destroying the system
1708  */
1709 
1710 int
1711 secpolicy_kmdb(const cred_t *scr)
1712 {
1713         return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1714 }
1715 
1716 int
1717 secpolicy_error_inject(const cred_t *scr)
1718 {
1719         return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1720 }
1721 
1722 /*
1723  * Processor sets, cpu configuration, resource pools.
1724  */
1725 int
1726 secpolicy_pset(const cred_t *cr)
1727 {
1728         return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1729 }
1730 
1731 /* Process security flags */
1732 int
1733 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1734 {
1735         if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1736                 return (EPERM);
1737 
1738         if (!prochasprocperm(tp, sp, cr))
1739                 return (EPERM);
1740 
1741         return (0);
1742 }
1743 
1744 /*
1745  * Processor set binding.
1746  */
1747 int
1748 secpolicy_pbind(const cred_t *cr)
1749 {
1750         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1751                 return (secpolicy_pset(cr));
1752         return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1753 }
1754 
1755 int
1756 secpolicy_ponline(const cred_t *cr)
1757 {
1758         return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1759 }
1760 
1761 int
1762 secpolicy_pool(const cred_t *cr)
1763 {
1764         return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1765 }
1766 
1767 int
1768 secpolicy_blacklist(const cred_t *cr)
1769 {
1770         return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1771 }
1772 
1773 /*
1774  * Catch all system configuration.
1775  */
1776 int
1777 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1778 {
1779         if (checkonly) {
1780                 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1781                     EPERM);
1782         } else {
1783                 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1784         }
1785 }
1786 
1787 /*
1788  * Zone administration (halt, reboot, etc.) from within zone.
1789  */
1790 int
1791 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1792 {
1793         if (checkonly) {
1794                 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1795                     EPERM);
1796         } else {
1797                 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1798                     NULL));
1799         }
1800 }
1801 
1802 /*
1803  * Zone configuration (create, halt, enter).
1804  */
1805 int
1806 secpolicy_zone_config(const cred_t *cr)
1807 {
1808         /*
1809          * Require all privileges to avoid possibility of privilege
1810          * escalation.
1811          */
1812         return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1813 }
1814 
1815 /*
1816  * Various other system configuration calls
1817  */
1818 int
1819 secpolicy_coreadm(const cred_t *cr)
1820 {
1821         return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1822 }
1823 
1824 int
1825 secpolicy_systeminfo(const cred_t *cr)
1826 {
1827         return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1828 }
1829 
1830 int
1831 secpolicy_dispadm(const cred_t *cr)
1832 {
1833         return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1834 }
1835 
1836 int
1837 secpolicy_settime(const cred_t *cr)
1838 {
1839         return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1840 }
1841 
1842 /*
1843  * For realtime users: high resolution clock.
1844  */
1845 int
1846 secpolicy_clock_highres(const cred_t *cr)
1847 {
1848         return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1849             NULL));
1850 }
1851 
1852 /*
1853  * drv_priv() is documented as callable from interrupt context, not that
1854  * anyone ever does, but still.  No debugging or auditing can be done when
1855  * it is called from interrupt context.
1856  * returns 0 on succes, EPERM on failure.
1857  */
1858 int
1859 drv_priv(cred_t *cr)
1860 {
1861         return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1862 }
1863 
1864 int
1865 secpolicy_sys_devices(const cred_t *cr)
1866 {
1867         return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1868 }
1869 
1870 int
1871 secpolicy_excl_open(const cred_t *cr)
1872 {
1873         return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1874 }
1875 
1876 int
1877 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1878 {
1879         /* zone.* rctls can only be set from the global zone */
1880         if (is_zone_rctl && priv_policy_global(cr) != 0)
1881                 return (EPERM);
1882         return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1883 }
1884 
1885 int
1886 secpolicy_resource(const cred_t *cr)
1887 {
1888         return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1889 }
1890 
1891 int
1892 secpolicy_resource_anon_mem(const cred_t *cr)
1893 {
1894         return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1895 }
1896 
1897 /*
1898  * Processes with a real uid of 0 escape any form of accounting, much
1899  * like before.
1900  */
1901 int
1902 secpolicy_newproc(const cred_t *cr)
1903 {
1904         if (cr->cr_ruid == 0)
1905                 return (0);
1906 
1907         return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1908 }
1909 
1910 /*
1911  * Networking
1912  */
1913 int
1914 secpolicy_net_rawaccess(const cred_t *cr)
1915 {
1916         return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1917 }
1918 
1919 int
1920 secpolicy_net_observability(const cred_t *cr)
1921 {
1922         return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1923 }
1924 
1925 /*
1926  * Need this privilege for accessing the ICMP device
1927  */
1928 int
1929 secpolicy_net_icmpaccess(const cred_t *cr)
1930 {
1931         return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1932 }
1933 
1934 /*
1935  * There are a few rare cases where the kernel generates ioctls() from
1936  * interrupt context with a credential of kcred rather than NULL.
1937  * In those cases, we take the safe and cheap test.
1938  */
1939 int
1940 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1941 {
1942         if (checkonly) {
1943                 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1944                     0 : EPERM);
1945         } else {
1946                 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1947                     NULL));
1948         }
1949 }
1950 
1951 
1952 /*
1953  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1954  *
1955  * There are a few rare cases where the kernel generates ioctls() from
1956  * interrupt context with a credential of kcred rather than NULL.
1957  * In those cases, we take the safe and cheap test.
1958  */
1959 int
1960 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1961 {
1962         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1963                 return (secpolicy_net_config(cr, checkonly));
1964 
1965         if (checkonly) {
1966                 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1967                     0 : EPERM);
1968         } else {
1969                 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1970                     NULL));
1971         }
1972 }
1973 
1974 /*
1975  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1976  */
1977 int
1978 secpolicy_dl_config(const cred_t *cr)
1979 {
1980         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1981                 return (secpolicy_net_config(cr, B_FALSE));
1982         return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1983 }
1984 
1985 /*
1986  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1987  */
1988 int
1989 secpolicy_iptun_config(const cred_t *cr)
1990 {
1991         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1992                 return (secpolicy_net_config(cr, B_FALSE));
1993         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1994                 return (secpolicy_dl_config(cr));
1995         return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1996 }
1997 
1998 /*
1999  * Map IP pseudo privileges to actual privileges.
2000  * So we don't need to recompile IP when we change the privileges.
2001  */
2002 int
2003 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2004 {
2005         int priv = PRIV_ALL;
2006 
2007         switch (netpriv) {
2008         case OP_CONFIG:
2009                 priv = PRIV_SYS_IP_CONFIG;
2010                 break;
2011         case OP_RAW:
2012                 priv = PRIV_NET_RAWACCESS;
2013                 break;
2014         case OP_PRIVPORT:
2015                 priv = PRIV_NET_PRIVADDR;
2016                 break;
2017         }
2018         ASSERT(priv != PRIV_ALL);
2019         if (checkonly)
2020                 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2021         else
2022                 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2023 }
2024 
2025 /*
2026  * Map network pseudo privileges to actual privileges.
2027  * So we don't need to recompile IP when we change the privileges.
2028  */
2029 int
2030 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2031 {
2032         int priv = PRIV_ALL;
2033 
2034         switch (netpriv) {
2035         case OP_CONFIG:
2036                 priv = PRIV_SYS_NET_CONFIG;
2037                 break;
2038         case OP_RAW:
2039                 priv = PRIV_NET_RAWACCESS;
2040                 break;
2041         case OP_PRIVPORT:
2042                 priv = PRIV_NET_PRIVADDR;
2043                 break;
2044         }
2045         ASSERT(priv != PRIV_ALL);
2046         if (checkonly)
2047                 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2048         else
2049                 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2050 }
2051 
2052 /*
2053  * Checks for operations that are either client-only or are used by
2054  * both clients and servers.
2055  */
2056 int
2057 secpolicy_nfs(const cred_t *cr)
2058 {
2059         return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2060 }
2061 
2062 /*
2063  * Special case for opening rpcmod: have NFS privileges or network
2064  * config privileges.
2065  */
2066 int
2067 secpolicy_rpcmod_open(const cred_t *cr)
2068 {
2069         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2070                 return (secpolicy_nfs(cr));
2071         else
2072                 return (secpolicy_net_config(cr, NULL));
2073 }
2074 
2075 int
2076 secpolicy_chroot(const cred_t *cr)
2077 {
2078         return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2079 }
2080 
2081 int
2082 secpolicy_tasksys(const cred_t *cr)
2083 {
2084         return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2085 }
2086 
2087 int
2088 secpolicy_meminfo(const cred_t *cr)
2089 {
2090         return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2091 }
2092 
2093 int
2094 secpolicy_pfexec_register(const cred_t *cr)
2095 {
2096         return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2097 }
2098 
2099 /*
2100  * Basic privilege checks.
2101  */
2102 int
2103 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2104 {
2105         FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2106 
2107         return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2108             KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2109 }
2110 
2111 int
2112 secpolicy_basic_fork(const cred_t *cr)
2113 {
2114         FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2115 
2116         return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2117 }
2118 
2119 int
2120 secpolicy_basic_proc(const cred_t *cr)
2121 {
2122         FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2123 
2124         return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2125 }
2126 
2127 /*
2128  * Slightly complicated because we don't want to trigger the policy too
2129  * often.  First we shortcircuit access to "self" (tp == sp) or if
2130  * we don't have the privilege but if we have permission
2131  * just return (0) and we don't flag the privilege as needed.
2132  * Else, we test for the privilege because we either have it or need it.
2133  */
2134 int
2135 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2136 {
2137         if (tp == sp ||
2138             !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2139                 return (0);
2140         } else {
2141                 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2142         }
2143 }
2144 
2145 int
2146 secpolicy_basic_link(const cred_t *cr)
2147 {
2148         FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2149 
2150         return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2151 }
2152 
2153 int
2154 secpolicy_basic_net_access(const cred_t *cr)
2155 {
2156         FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2157 
2158         return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2159 }
2160 
2161 /* ARGSUSED */
2162 int
2163 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2164 {
2165         FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2166 
2167         return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2168             KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2169 }
2170 
2171 /* ARGSUSED */
2172 int
2173 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2174 {
2175         FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2176 
2177         return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2178             KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2179 }
2180 
2181 /*
2182  * Additional device protection.
2183  *
2184  * Traditionally, a device has specific permissions on the node in
2185  * the filesystem which govern which devices can be opened by what
2186  * processes.  In certain cases, it is desirable to add extra
2187  * restrictions, as writing to certain devices is identical to
2188  * having a complete run of the system.
2189  *
2190  * This mechanism is called the device policy.
2191  *
2192  * When a device is opened, its policy entry is looked up in the
2193  * policy cache and checked.
2194  */
2195 int
2196 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2197 {
2198         devplcy_t *plcy;
2199         int err;
2200         struct snode *csp = VTOS(common_specvp(vp));
2201         priv_set_t pset;
2202 
2203         mutex_enter(&csp->s_lock);
2204 
2205         if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2206                 plcy = devpolicy_find(vp);
2207                 if (csp->s_plcy)
2208                         dpfree(csp->s_plcy);
2209                 csp->s_plcy = plcy;
2210                 ASSERT(plcy != NULL);
2211         } else
2212                 plcy = csp->s_plcy;
2213 
2214         if (plcy == nullpolicy) {
2215                 mutex_exit(&csp->s_lock);
2216                 return (0);
2217         }
2218 
2219         dphold(plcy);
2220 
2221         mutex_exit(&csp->s_lock);
2222 
2223         if (oflag & FWRITE)
2224                 pset = plcy->dp_wrp;
2225         else
2226                 pset = plcy->dp_rdp;
2227         /*
2228          * Special case:
2229          * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2230          * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2231          * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2232          * in the required privilege set before doing the check.
2233          */
2234         if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2235             priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2236             !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2237                 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2238                 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2239         }
2240 
2241         err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2242         dpfree(plcy);
2243 
2244         return (err);
2245 }
2246 
2247 int
2248 secpolicy_modctl(const cred_t *cr, int cmd)
2249 {
2250         switch (cmd) {
2251         case MODINFO:
2252         case MODGETMAJBIND:
2253         case MODGETPATH:
2254         case MODGETPATHLEN:
2255         case MODGETNAME:
2256         case MODGETFBNAME:
2257         case MODGETDEVPOLICY:
2258         case MODGETDEVPOLICYBYNAME:
2259         case MODDEVT2INSTANCE:
2260         case MODSIZEOF_DEVID:
2261         case MODGETDEVID:
2262         case MODSIZEOF_MINORNAME:
2263         case MODGETMINORNAME:
2264         case MODGETDEVFSPATH_LEN:
2265         case MODGETDEVFSPATH:
2266         case MODGETDEVFSPATH_MI_LEN:
2267         case MODGETDEVFSPATH_MI:
2268                 /* Unprivileged */
2269                 return (0);
2270         case MODLOAD:
2271         case MODSETDEVPOLICY:
2272                 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2273                     KLPDARG_NONE));
2274         default:
2275                 return (secpolicy_sys_config(cr, B_FALSE));
2276         }
2277 }
2278 
2279 int
2280 secpolicy_console(const cred_t *cr)
2281 {
2282         return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2283 }
2284 
2285 int
2286 secpolicy_power_mgmt(const cred_t *cr)
2287 {
2288         return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2289 }
2290 
2291 /*
2292  * Simulate terminal input; another escalation of privileges avenue.
2293  */
2294 
2295 int
2296 secpolicy_sti(const cred_t *cr)
2297 {
2298         return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2299 }
2300 
2301 boolean_t
2302 secpolicy_net_reply_equal(const cred_t *cr)
2303 {
2304         return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2305 }
2306 
2307 int
2308 secpolicy_swapctl(const cred_t *cr)
2309 {
2310         return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2311 }
2312 
2313 int
2314 secpolicy_cpc_cpu(const cred_t *cr)
2315 {
2316         return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2317 }
2318 
2319 /*
2320  * secpolicy_contract_identity
2321  *
2322  * Determine if the subject may set the process contract FMRI value
2323  */
2324 int
2325 secpolicy_contract_identity(const cred_t *cr)
2326 {
2327         return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2328 }
2329 
2330 /*
2331  * secpolicy_contract_observer
2332  *
2333  * Determine if the subject may observe a specific contract's events.
2334  */
2335 int
2336 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2337 {
2338         if (contract_owned(ct, cr, B_FALSE))
2339                 return (0);
2340         return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2341 }
2342 
2343 /*
2344  * secpolicy_contract_observer_choice
2345  *
2346  * Determine if the subject may observe any contract's events.  Just
2347  * tests privilege and audits on success.
2348  */
2349 boolean_t
2350 secpolicy_contract_observer_choice(const cred_t *cr)
2351 {
2352         return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2353 }
2354 
2355 /*
2356  * secpolicy_contract_event
2357  *
2358  * Determine if the subject may request critical contract events or
2359  * reliable contract event delivery.
2360  */
2361 int
2362 secpolicy_contract_event(const cred_t *cr)
2363 {
2364         return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2365 }
2366 
2367 /*
2368  * secpolicy_contract_event_choice
2369  *
2370  * Determine if the subject may retain contract events in its critical
2371  * set when a change in other terms would normally require a change in
2372  * the critical set.  Just tests privilege and audits on success.
2373  */
2374 boolean_t
2375 secpolicy_contract_event_choice(const cred_t *cr)
2376 {
2377         return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2378 }
2379 
2380 /*
2381  * secpolicy_gart_access
2382  *
2383  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2384  * device.
2385  */
2386 int
2387 secpolicy_gart_access(const cred_t *cr)
2388 {
2389         return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2390 }
2391 
2392 /*
2393  * secpolicy_gart_map
2394  *
2395  * Determine if the subject has sufficient priveleges to map aperture range
2396  * through agpgart driver.
2397  */
2398 int
2399 secpolicy_gart_map(const cred_t *cr)
2400 {
2401         if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2402                 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2403                     NULL));
2404         } else {
2405                 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2406                     NULL));
2407         }
2408 }
2409 
2410 /*
2411  * secpolicy_zinject
2412  *
2413  * Determine if the subject can inject faults in the ZFS fault injection
2414  * framework.  Requires all privileges.
2415  */
2416 int
2417 secpolicy_zinject(const cred_t *cr)
2418 {
2419         return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2420 }
2421 
2422 /*
2423  * secpolicy_zfs
2424  *
2425  * Determine if the subject has permission to manipulate ZFS datasets
2426  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2427  */
2428 int
2429 secpolicy_zfs(const cred_t *cr)
2430 {
2431         return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2432 }
2433 
2434 /*
2435  * secpolicy_idmap
2436  *
2437  * Determine if the calling process has permissions to register an SID
2438  * mapping daemon and allocate ephemeral IDs.
2439  */
2440 int
2441 secpolicy_idmap(const cred_t *cr)
2442 {
2443         return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2444 }
2445 
2446 /*
2447  * secpolicy_ucode_update
2448  *
2449  * Determine if the subject has sufficient privilege to update microcode.
2450  */
2451 int
2452 secpolicy_ucode_update(const cred_t *scr)
2453 {
2454         return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2455 }
2456 
2457 /*
2458  * secpolicy_sadopen
2459  *
2460  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2461  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2462  * In global zone, sys_config is required.
2463  * In exclusive-IP zones, sys_ip_config is required.
2464  * Note that sys_config is prohibited in non-global zones.
2465  */
2466 int
2467 secpolicy_sadopen(const cred_t *credp)
2468 {
2469         priv_set_t pset;
2470 
2471         priv_emptyset(&pset);
2472 
2473         if (crgetzoneid(credp) == GLOBAL_ZONEID)
2474                 priv_addset(&pset, PRIV_SYS_CONFIG);
2475         else
2476                 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2477 
2478         return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2479 }
2480 
2481 
2482 /*
2483  * Add privileges to a particular privilege set; this is called when the
2484  * current sets of privileges are not sufficient.  I.e., we should always
2485  * call the policy override functions from here.
2486  * What we are allowed to have is in the Observed Permitted set; so
2487  * we compute the difference between that and the newset.
2488  */
2489 int
2490 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2491 {
2492         priv_set_t rqd;
2493 
2494         rqd = CR_OPPRIV(cr);
2495 
2496         priv_inverse(&rqd);
2497         priv_intersect(nset, &rqd);
2498 
2499         return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2500 }
2501 
2502 /*
2503  * secpolicy_smb
2504  *
2505  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2506  * that it has permission to access the smbsrv kernel driver.
2507  * PRIV_POLICY checks the privilege and audits the check.
2508  *
2509  * Returns:
2510  * 0       Driver access is allowed.
2511  * EPERM   Driver access is NOT permitted.
2512  */
2513 int
2514 secpolicy_smb(const cred_t *cr)
2515 {
2516         return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2517 }
2518 
2519 /*
2520  * secpolicy_vscan
2521  *
2522  * Determine if cred_t has the necessary privileges to access a file
2523  * for virus scanning and update its extended system attributes.
2524  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2525  * PRIV_FILE_FLAG_SET - set extended system attributes
2526  *
2527  * PRIV_POLICY checks the privilege and audits the check.
2528  *
2529  * Returns:
2530  * 0      file access for virus scanning allowed.
2531  * EPERM  file access for virus scanning is NOT permitted.
2532  */
2533 int
2534 secpolicy_vscan(const cred_t *cr)
2535 {
2536         if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2537             (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2538             (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2539                 return (EPERM);
2540         }
2541 
2542         return (0);
2543 }
2544 
2545 /*
2546  * secpolicy_smbfs_login
2547  *
2548  * Determines if the caller can add and delete the smbfs login
2549  * password in the the nsmb kernel module for the CIFS client.
2550  *
2551  * Returns:
2552  * 0       access is allowed.
2553  * EPERM   access is NOT allowed.
2554  */
2555 int
2556 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2557 {
2558         uid_t cruid = crgetruid(cr);
2559 
2560         if (cruid == uid)
2561                 return (0);
2562         return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2563             EPERM, NULL));
2564 }
2565 
2566 /*
2567  * secpolicy_xvm_control
2568  *
2569  * Determines if a caller can control the xVM hypervisor and/or running
2570  * domains (x86 specific).
2571  *
2572  * Returns:
2573  * 0       access is allowed.
2574  * EPERM   access is NOT allowed.
2575  */
2576 int
2577 secpolicy_xvm_control(const cred_t *cr)
2578 {
2579         if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2580                 return (EPERM);
2581         return (0);
2582 }
2583 
2584 /*
2585  * secpolicy_ppp_config
2586  *
2587  * Determine if the subject has sufficient privileges to configure PPP and
2588  * PPP-related devices.
2589  */
2590 int
2591 secpolicy_ppp_config(const cred_t *cr)
2592 {
2593         if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2594                 return (secpolicy_net_config(cr, B_FALSE));
2595         return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2596 }