Print this page
smf: switch to a tri-state for process-security properties true=on,false=off,nil=default

Split Close
Expand all
Collapse all
          --- old/usr/src/lib/librestart/common/librestart.c
          +++ new/usr/src/lib/librestart/common/librestart.c
↓ open down ↓ 3163 lines elided ↑ open up ↑
3164 3164                  }
3165 3165          }
3166 3166  
3167 3167  
3168 3168          if (scf_default_secflags(h, &cip->def_secflags) != 0) {
3169 3169                  err = mc_error_create(err, EINVAL, "couldn't fetch "
3170 3170                      "default security-flags");
3171 3171                  goto out;
3172 3172          }
3173 3173  
3174      -        if (strcmp(cip->vbuf, ":default") == 0) {
3175      -                if (secflags_parse(&cip->def_secflags.psf_inherit, "default",
3176      -                    &cip->secflag_delta) != 0) {
3177      -                        err = mc_error_create(err, EINVAL, "couldn't parse "
3178      -                            "security flags: %s", cip->vbuf);
3179      -                        goto out;
3180      -                }
3181      -        } else {
3182      -                if (secflags_parse(&cip->def_secflags.psf_inherit, cip->vbuf,
     3174 +        if (strcmp(cip->vbuf, ":default") != 0) {
     3175 +                if (secflags_parse(NULL, cip->vbuf,
3183 3176                      &cip->secflag_delta) != 0) {
3184 3177                          err = mc_error_create(err, EINVAL, "couldn't parse "
3185 3178                              "security flags: %s", cip->vbuf);
3186 3179                          goto out;
3187 3180                  }
3188 3181          }
3189 3182  
3190 3183          /* get (optional) corefile pattern */
3191 3184          if ((methpg != NULL && scf_pg_get_property(methpg,
3192 3185              SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS) ||
↓ open down ↓ 233 lines elided ↑ open up ↑
3426 3419                  cip->uid = 0;
3427 3420                  cip->gid = 0;
3428 3421                  cip->euid = (uid_t)-1;
3429 3422                  cip->egid = (gid_t)-1;
3430 3423  
3431 3424                  if (scf_default_secflags(h, &cip->def_secflags) != 0) {
3432 3425                          err = mc_error_create(err, EINVAL, "couldn't fetch "
3433 3426                              "default security-flags");
3434 3427                          goto out;
3435 3428                  }
3436      -
3437      -                if (secflags_parse(&cip->def_secflags.psf_inherit, "default",
3438      -                    &cip->secflag_delta) != 0) {
3439      -                        err = mc_error_create(err, EINVAL, "couldn't parse "
3440      -                            "security flags: %s", cip->vbuf);
3441      -                        goto out;
3442      -                }
3443 3429          }
3444 3430  
3445 3431          *mcpp = cip;
3446 3432  
3447 3433  out:
3448 3434          (void) scf_value_destroy(val);
3449 3435          scf_property_destroy(prop);
3450 3436          scf_pg_destroy(instpg);
3451 3437          scf_pg_destroy(methpg);
3452 3438  
↓ open down ↓ 52 lines elided ↑ open up ↑
3505 3491   *   EBADF - the configuration for the pool is invalid (pool_set_binding)
3506 3492   *   -1 - core_set_process_path() failed (core_set_process_path)
3507 3493   *        a resource control assignment failed (setproject)
3508 3494   *        a system error occurred during pool_set_binding (pool_set_binding)
3509 3495   */
3510 3496  int
3511 3497  restarter_set_method_context(struct method_context *cip, const char **fp)
3512 3498  {
3513 3499          pid_t mypid = -1;
3514 3500          int r, ret;
3515      -        secflagdelta_t delta = {0};
3516 3501  
3517 3502          cip->pwbuf = NULL;
3518 3503          *fp = NULL;
3519 3504  
3520 3505          if (cip->gid != (gid_t)-1) {
3521 3506                  if (setregid(cip->gid,
3522 3507                      cip->egid != (gid_t)-1 ? cip->egid : cip->gid) != 0) {
3523 3508                          *fp = "setregid";
3524 3509  
3525 3510                          ret = errno;
↓ open down ↓ 76 lines elided ↑ open up ↑
3602 3587  
3603 3588                  if (core_set_process_path(cip->corefile_pattern,
3604 3589                      strlen(cip->corefile_pattern) + 1, mypid) != 0) {
3605 3590                          *fp = "core_set_process_path";
3606 3591                          ret = -1;
3607 3592                          goto out;
3608 3593                  }
3609 3594          }
3610 3595  
3611 3596  
3612      -        delta.psd_ass_active = B_TRUE;
3613      -        secflags_copy(&delta.psd_assign, &cip->def_secflags.psf_inherit);
3614 3597          if (psecflags(P_PID, P_MYID, PSF_INHERIT,
3615      -            &delta) != 0) {
3616      -                *fp = "psecflags (inherit defaults)";
     3598 +            &cip->def_secflags.ss_default) != 0) {
     3599 +                *fp = "psecflags (default inherit)";
3617 3600                  ret = errno;
3618 3601                  goto out;
3619 3602          }
3620 3603  
3621      -        if (psecflags(P_PID, P_MYID, PSF_INHERIT,
3622      -            &cip->secflag_delta) != 0) {
3623      -                *fp = "psecflags (inherit)";
     3604 +        if (psecflags(P_PID, P_MYID, PSF_LOWER,
     3605 +            &cip->def_secflags.ss_lower) != 0) {
     3606 +                *fp = "psecflags (default lower)";
3624 3607                  ret = errno;
3625 3608                  goto out;
3626 3609          }
3627 3610  
3628      -        secflags_copy(&delta.psd_assign, &cip->def_secflags.psf_lower);
3629      -        if (psecflags(P_PID, P_MYID, PSF_LOWER,
3630      -            &delta) != 0) {
3631      -                *fp = "psecflags (lower)";
     3611 +        if (psecflags(P_PID, P_MYID, PSF_UPPER,
     3612 +            &cip->def_secflags.ss_upper) != 0) {
     3613 +                *fp = "psecflags (default upper)";
3632 3614                  ret = errno;
3633 3615                  goto out;
3634 3616          }
3635 3617  
3636      -        secflags_copy(&delta.psd_assign, &cip->def_secflags.psf_upper);
3637      -        if (psecflags(P_PID, P_MYID, PSF_UPPER,
3638      -            &delta) != 0) {
3639      -                *fp = "psecflags (upper)";
     3618 +        if (psecflags(P_PID, P_MYID, PSF_INHERIT,
     3619 +            &cip->secflag_delta) != 0) {
     3620 +                *fp = "psecflags (from manifest)";
3640 3621                  ret = errno;
3641 3622                  goto out;
3642 3623          }
3643 3624  
3644 3625          if (restarter_rm_libs_loadable()) {
3645 3626                  if (cip->project == NULL) {
3646 3627                          if (settaskid(getprojid(), TASK_NORMAL) == -1) {
3647 3628                                  switch (errno) {
3648 3629                                  case EACCES:
3649 3630                                  case EPERM:
↓ open down ↓ 506 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX