authorCasper H.S. Dik <Casper.Dik@Sun.COM>2010-04-28 10:01:37 +0200
committerCasper H.S. Dik <Casper.Dik@Sun.COM>2010-04-28 10:01:37 +0200
commit134a1f4e3289b54e0f980e9cf05352e419a60bee (patch)
tree792d1e39f7d9299df1f67c1681a02daa1b734878 /usr/src/uts/common/inet
parent2e98bdabdfa935eb368c090f1cecbba5619c88ee (diff)
PSARC 2009/377 In-kernel pfexec implementation.
PSARC 2009/378 Basic File Privileges PSARC 2010/072 RBAC update: user attrs from profiles 4912090 pfzsh(1) should exist 4912093 pfbash(1) should exist 4912096 pftcsh(1) should exist 6440298 Expand the basic privilege set in order to restrict file access 6859862 Move pfexec into the kernel 6919171 cred_t sidesteps kmem_debug; we need to be able to detect bad hold/free when they occur 6923721 The new SYS_SMB privilege is not backward compatible 6937562 autofs doesn't remove its door when the zone shuts down 6937727 Zones stuck on deathrow; netstack_zone keeps a credential reference to the zone 6940159 Implement PSARC 2010/072
Diffstat (limited to 'usr/src/uts/common/inet')
-rw-r--r--usr/src/uts/common/inet/ip/icmp.c2
-rw-r--r--usr/src/uts/common/inet/ip/spdsock.c31
-rw-r--r--usr/src/uts/common/inet/spdsock.h4
3 files changed, 25 insertions, 12 deletions
diff --git a/usr/src/uts/common/inet/ip/icmp.c b/usr/src/uts/common/inet/ip/icmp.c
index fa4c7a8b57..b024baaf0c 100644
--- a/usr/src/uts/common/inet/ip/icmp.c
+++ b/usr/src/uts/common/inet/ip/icmp.c
@@ -38,7 +38,7 @@
#include <sys/xti_inet.h>
#include <sys/cmn_err.h>
#include <sys/kmem.h>
-#include <sys/cred_impl.h>
+#include <sys/cred.h>
#include <sys/policy.h>
#include <sys/priv.h>
#include <sys/ucred.h>
diff --git a/usr/src/uts/common/inet/ip/spdsock.c b/usr/src/uts/common/inet/ip/spdsock.c
index 4a9053cddf..37dc31875e 100644
--- a/usr/src/uts/common/inet/ip/spdsock.c
+++ b/usr/src/uts/common/inet/ip/spdsock.c
@@ -19,8 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <sys/param.h>
@@ -156,6 +155,7 @@ static void spdsock_wput(queue_t *, mblk_t *);
static void spdsock_wsrv(queue_t *);
static void spdsock_rsrv(queue_t *);
static void *spdsock_stack_init(netstackid_t stackid, netstack_t *ns);
+static void spdsock_stack_shutdown(netstackid_t stackid, void *arg);
static void spdsock_stack_fini(netstackid_t stackid, void *arg);
static void spdsock_loadcheck(void *);
static void spdsock_merge_algs(spd_stack_t *);
@@ -276,8 +276,8 @@ spdsock_ddi_init(void)
* destroyed in the kernel, so we can maintain the
* set of spd_stack_t's.
*/
- netstack_register(NS_SPDSOCK, spdsock_stack_init, NULL,
- spdsock_stack_fini);
+ netstack_register(NS_SPDSOCK, spdsock_stack_init,
+ spdsock_stack_shutdown, spdsock_stack_fini);
return (B_TRUE);
}
@@ -340,13 +340,28 @@ spdsock_ddi_destroy(void)
netstack_unregister(NS_SPDSOCK);
}
+/*
+ * Do pre-removal cleanup.
+ */
+/* ARGSUSED */
+static void
+spdsock_stack_shutdown(netstackid_t stackid, void *arg)
+{
+ spd_stack_t *spds = (spd_stack_t *)arg;
+
+ if (spds->spds_mp_algs != NULL) {
+ freemsg(spds->spds_mp_algs);
+ spds->spds_mp_algs = NULL;
+ }
+}
+
/* ARGSUSED */
static void
spdsock_stack_fini(netstackid_t stackid, void *arg)
{
spd_stack_t *spds = (spd_stack_t *)arg;
- freemsg(spds->spds_mp_algs);
+ ASSERT(spds->spds_mp_algs == NULL);
mutex_destroy(&spds->spds_param_lock);
mutex_destroy(&spds->spds_alg_lock);
nd_free(&spds->spds_g_nd);
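Review bot: spdsock_stack_shutdown() tests, frees and clears spds_mp_algs without holding spds_alg_lock, although spdsock_updatealg() and spdsock_update_pending_algs() in the later hunks only touch that field under the lock. If a client can still deliver an algorithm update while the stack is shutting down (nothing visible here rules that out), the unlocked free can race with the locked one. A message stored after shutdown is then caught only by the ASSERT in spdsock_stack_fini(), which does nothing on non-DEBUG kernels, so the mblk and anything it holds would leak. I would wrap the shutdown body in `mutex_enter(&spds->spds_alg_lock);` / `mutex_exit(&spds->spds_alg_lock);` and keep `freemsg(spds->spds_mp_algs);` after the ASSERT in fini as a fallback. spdsock_stack_fini() continues past the end of this hunk.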
@@ -2794,7 +2809,6 @@ spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
if (spds->spds_mp_algs != NULL)
freemsg(spds->spds_mp_algs);
spds->spds_mp_algs = mp;
- spds->spds_algs_pending = B_TRUE;
mutex_exit(&spds->spds_alg_lock);
if (auditing) {
cred_t *cr;
@@ -3152,9 +3166,10 @@ spdsock_update_pending_algs(netstack_t *ns)
spd_stack_t *spds = ns->netstack_spdsock;
mutex_enter(&spds->spds_alg_lock);
- if (spds->spds_algs_pending) {
+ if (spds->spds_mp_algs != NULL) {
(void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
- spds->spds_algs_pending = B_FALSE;
+ freemsg(spds->spds_mp_algs);
+ spds->spds_mp_algs = NULL;
}
mutex_exit(&spds->spds_alg_lock);
}
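Review bot: After `freemsg(spds->spds_mp_algs)` the spds_extv_algs[] array that was just passed to spdsock_do_updatealg() is left as it was; if its entries point into the freed message (how it is filled is not visible in this diff), they are now dangling and only the `spds_mp_algs != NULL` test keeps them from being read. Clearing them in the same critical section, `bzero(spds->spds_extv_algs, sizeof (spds->spds_extv_algs));`, would make a later misuse fail on NULL rather than touch freed memory; the same applies to the free in spdsock_stack_shutdown(). Since the spds_algs_pending flag is removed, a comment at the test such as `/* a non-NULL spds_mp_algs means an update is pending */` would record the new convention. The function's opening lines are outside the hunk.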
diff --git a/usr/src/uts/common/inet/spdsock.h b/usr/src/uts/common/inet/spdsock.h
index 64c63cdd71..7cc065d740 100644
--- a/usr/src/uts/common/inet/spdsock.h
+++ b/usr/src/uts/common/inet/spdsock.h
@@ -19,8 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#ifndef _INET_SPDSOCK_H
@@ -49,7 +48,6 @@ struct spd_stack {
*/
struct spd_ext *spds_extv_algs[SPD_EXT_MAX + 1];
mblk_t *spds_mp_algs;
- boolean_t spds_algs_pending;
struct ipsec_alginfo
*spds_algs[IPSEC_NALGTYPES][IPSEC_MAX_ALGS];
int spds_algs_exec_mode[IPSEC_NALGTYPES];