authordh155122 <none@none>2007-02-17 22:21:28 -0800
committerdh155122 <none@none>2007-02-17 22:21:28 -0800
commitbf1d7e28fd966a3f7e92b40aa301efdedc81ef7b (patch)
treef4fabae784f5f5d3e1c51aabf7c683b8f46a39f8 /usr/src
parentbac8fa9cb4e49b18fc19e28fa7aeb18816da4f62 (diff)
downloadillumos-gate-bf1d7e28fd966a3f7e92b40aa301efdedc81ef7b.tar.gz
6516265 an exclusive zone with "limitpriv" other than "default" will panic the machine
6518710 sbd will not run with IP Instances putback to snv_57
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/zoneadmd/vplat.c31
-rw-r--r--usr/src/head/libzonecfg.h2
-rw-r--r--usr/src/lib/brand/lx/zone/config.xml3
-rw-r--r--usr/src/lib/brand/native/zone/config.xml6
-rw-r--r--usr/src/lib/brand/sn1/zone/config.xml6
-rw-r--r--usr/src/lib/libbrand/common/libbrand.c19
-rw-r--r--usr/src/lib/libbrand/common/libbrand.h8
-rw-r--r--usr/src/lib/libbrand/dtd/brand.dtd.128
-rw-r--r--usr/src/lib/libzonecfg/common/libzonecfg.c47
-rw-r--r--usr/src/pkgdefs/SUNWhea/prototype_com1
-rw-r--r--usr/src/pkgdefs/etc/exception_list_i3861
-rw-r--r--usr/src/pkgdefs/etc/exception_list_sparc1
12 files changed, 110 insertions, 43 deletions
diff --git a/usr/src/cmd/zoneadmd/vplat.c b/usr/src/cmd/zoneadmd/vplat.c
index e518516da2..2c588e8e6d 100644
--- a/usr/src/cmd/zoneadmd/vplat.c
+++ b/usr/src/cmd/zoneadmd/vplat.c
@@ -2809,7 +2809,25 @@ get_privset(zlog_t *zlogp, priv_set_t *privs, boolean_t mount_cmd)
}
if (mount_cmd) {
- if (zonecfg_default_privset(privs) == Z_OK)
+ zone_iptype_t iptype;
+ const char *curr_iptype;
+
+ if (zonecfg_get_iptype(handle, &iptype) != Z_OK) {
+ zerror(zlogp, B_TRUE, "unable to determine ip-type");
+ zonecfg_fini_handle(handle);
+ return (-1);
+ }
+
+ switch (iptype) {
+ case ZS_SHARED:
+ curr_iptype = "shared";
+ break;
+ case ZS_EXCLUSIVE:
+ curr_iptype = "exclusive";
+ break;
+ }
+
+ if (zonecfg_default_privset(privs, curr_iptype) == Z_OK)
return (0);
zerror(zlogp, B_FALSE,
"failed to determine the zone's default privilege set");
@@ -3920,17 +3938,6 @@ vplat_create(zlog_t *zlogp, boolean_t mount_cmd)
return (-1);
}
priv_emptyset(privs);
- if (iptype == ZS_EXCLUSIVE) {
- /*
- * add PRIV_NET_RAWACCESS and PRIV_SYS_IP_CONFIG
- */
- if (priv_addset(privs, PRIV_NET_RAWACCESS) != 0 ||
- priv_addset(privs, PRIV_SYS_IP_CONFIG) != 0) {
- zerror(zlogp, B_TRUE,
- "Failed to add networking privileges");
- goto error;
- }
- }
if (get_privset(zlogp, privs, mount_cmd) != 0)
goto error;
diff --git a/usr/src/head/libzonecfg.h b/usr/src/head/libzonecfg.h
index 8272817020..83b70bc8e5 100644
--- a/usr/src/head/libzonecfg.h
+++ b/usr/src/head/libzonecfg.h
@@ -470,7 +470,7 @@ extern int zonecfg_enddevperment(zone_dochandle_t);
/*
* Privilege-related functions.
*/
-extern int zonecfg_default_privset(priv_set_t *);
+extern int zonecfg_default_privset(priv_set_t *, const char *);
extern int zonecfg_get_privset(zone_dochandle_t, priv_set_t *,
char **);
extern int zonecfg_get_limitpriv(zone_dochandle_t, char **);
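Review bot: The new second parameter of `zonecfg_default_privset()` is undocumented, and this header is where callers learn its contract: in this change the string is matched with `strcmp()` against the brand's `ip-type` attribute, so it must be exactly "shared" or "exclusive", and NULL is not accepted. Suggest a comment above the prototype, e.g. `/* curr_iptype: "shared" or "exclusive"; selects which brand privilege entries apply */`, since the prototype alone does not convey that a free-form string is not valid input.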
diff --git a/usr/src/lib/brand/lx/zone/config.xml b/usr/src/lib/brand/lx/zone/config.xml
index 7eba9f6f18..0cdb522457 100644
--- a/usr/src/lib/brand/lx/zone/config.xml
+++ b/usr/src/lib/brand/lx/zone/config.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -79,6 +79,7 @@
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
diff --git a/usr/src/lib/brand/native/zone/config.xml b/usr/src/lib/brand/native/zone/config.xml
index 45ce096c13..ba8fa8c091 100644
--- a/usr/src/lib/brand/native/zone/config.xml
+++ b/usr/src/lib/brand/native/zone/config.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -62,6 +62,7 @@
<privilege set="default" name="net_icmpaccess" />
<privilege set="default" name="net_mac_aware" />
<privilege set="default" name="net_privaddr" />
+ <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
<privilege set="default" name="proc_chroot" />
<privilege set="default" name="sys_audit" />
<privilege set="default" name="proc_audit" />
@@ -71,6 +72,7 @@
<privilege set="default" name="proc_taskid" />
<privilege set="default" name="sys_acct" />
<privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
<privilege set="default" name="sys_mount" />
<privilege set="default" name="sys_nfs" />
<privilege set="default" name="sys_resource" />
@@ -79,6 +81,7 @@
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
@@ -86,5 +89,6 @@
<privilege set="required" name="proc_exec" />
<privilege set="required" name="proc_fork" />
+ <privilege set="required" name="sys_ip_config" ip-type="exclusive" />
<privilege set="required" name="sys_mount" />
</brand>
diff --git a/usr/src/lib/brand/sn1/zone/config.xml b/usr/src/lib/brand/sn1/zone/config.xml
index 15d39b9c35..344cecbfbc 100644
--- a/usr/src/lib/brand/sn1/zone/config.xml
+++ b/usr/src/lib/brand/sn1/zone/config.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -62,6 +62,7 @@
<privilege set="default" name="net_icmpaccess" />
<privilege set="default" name="net_mac_aware" />
<privilege set="default" name="net_privaddr" />
+ <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
<privilege set="default" name="proc_chroot" />
<privilege set="default" name="sys_audit" />
<privilege set="default" name="proc_audit" />
@@ -71,6 +72,7 @@
<privilege set="default" name="proc_taskid" />
<privilege set="default" name="sys_acct" />
<privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
<privilege set="default" name="sys_mount" />
<privilege set="default" name="sys_nfs" />
<privilege set="default" name="sys_resource" />
@@ -79,6 +81,7 @@
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
@@ -86,5 +89,6 @@
<privilege set="required" name="proc_exec" />
<privilege set="required" name="proc_fork" />
+ <privilege set="required" name="sys_ip_config" ip-type="exclusive" />
<privilege set="required" name="sys_mount" />
</brand>
diff --git a/usr/src/lib/libbrand/common/libbrand.c b/usr/src/lib/libbrand/common/libbrand.c
index 068d720247..ad17b6709a 100644
--- a/usr/src/lib/libbrand/common/libbrand.c
+++ b/usr/src/lib/libbrand/common/libbrand.c
@@ -577,12 +577,13 @@ brand_allow_exclusive_ip(brand_handle_t bh)
* specified callback for each. Returns 0 on success, or -1 on failure.
*/
int
-brand_config_iter_privilege(brand_handle_t bh, int (*func)(void *,
- const char *, const char *), void *data)
+brand_config_iter_privilege(brand_handle_t bh,
+ int (*func)(void *, priv_iter_t *), void *data)
{
struct brand_handle *bhp = (struct brand_handle *)bh;
xmlNodePtr node;
- xmlChar *name, *set;
+ xmlChar *name, *set, *iptype;
+ priv_iter_t priv_iter;
int ret;
if ((node = xmlDocGetRootElement(bhp->bh_config)) == NULL)
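Review bot: The function comment above the signature (it begins before this hunk) still describes the callback as receiving name and set strings; it should describe the new `priv_iter_t *` argument and in particular that the strings it points to are `xmlGetProp()` results freed as soon as the callback returns, so the callback must copy anything it keeps. Suggest adding to that comment: `The priv_iter_t passed to func is valid only for the duration of the call; copy any field you retain.` `brand_config_iter_privilege()` continues beyond this hunk.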
@@ -595,19 +596,27 @@ brand_config_iter_privilege(brand_handle_t bh, int (*func)(void *,
name = xmlGetProp(node, DTD_ATTR_NAME);
set = xmlGetProp(node, DTD_ATTR_SET);
+ iptype = xmlGetProp(node, DTD_ATTR_IPTYPE);
- if (name == NULL || set == NULL) {
+ if (name == NULL || set == NULL || iptype == NULL) {
if (name != NULL)
xmlFree(name);
if (set != NULL)
xmlFree(set);
+ if (iptype != NULL)
+ xmlFree(iptype);
return (-1);
}
- ret = func(data, (const char *)name, (const char *)set);
+ priv_iter.pi_name = (char *)name;
+ priv_iter.pi_set = (char *)set;
+ priv_iter.pi_iptype = (char *)iptype;
+
+ ret = func(data, &priv_iter);
xmlFree(name);
xmlFree(set);
+ xmlFree(iptype);
if (ret != 0)
return (-1);
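Review bot: Treating a missing `ip-type` as an error in the `iptype == NULL` test makes the whole iteration, and with it zone privilege setup, fail for every `<privilege>` element that relies on the DTD default "all", unless libxml2 supplies that default through `xmlGetProp()`, which it does only when the DTD is attached to the parsed document; whether libbrand parses the config that way is not visible here. Safer is to implement the documented default in code: drop `iptype == NULL` from the condition, set `priv_iter.pi_iptype = (iptype != NULL) ? (char *)iptype : "all";`, and release it with `if (iptype != NULL) xmlFree(iptype);`. That keeps the C behaviour matching the DTD text, which says an unspecified ip-type means "all".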
diff --git a/usr/src/lib/libbrand/common/libbrand.h b/usr/src/lib/libbrand/common/libbrand.h
index 0254a9fa3e..cdb097edf1 100644
--- a/usr/src/lib/libbrand/common/libbrand.h
+++ b/usr/src/lib/libbrand/common/libbrand.h
@@ -37,6 +37,12 @@ extern "C" {
typedef struct __brand_handle *brand_handle_t;
+typedef struct priv_iter_s {
+ char *pi_name;
+ char *pi_set;
+ char *pi_iptype;
+} priv_iter_t;
+
extern brand_handle_t brand_open(const char *);
extern void brand_close(brand_handle_t);
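Review bot: The three `priv_iter_t` fields are declared `char *` but are filled from `xmlGetProp()` buffers that the iterator frees right after the callback returns, so a consumer that writes through them is modifying libxml2-owned memory and one that stores them is keeping dangling pointers. Declare them `const char *pi_name; const char *pi_set; const char *pi_iptype;` and add a lifetime comment on the struct, e.g. `/* strings valid only during the callback; copy to retain */`. The only consumer in this change, `priv_lists_cb`, already `strdup()`s the name, so the change is interface hardening rather than a fix to current behaviour.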
@@ -62,7 +68,7 @@ extern int brand_get_verify_adm(brand_handle_t, const char *, const char *,
char *, size_t, int, char **);
extern int brand_config_iter_privilege(brand_handle_t,
- int (*func)(void *, const char *, const char *), void *);
+ int (*func)(void *, priv_iter_t *), void *);
extern int brand_platform_iter_devices(brand_handle_t, const char *,
int (*)(void *, const char *, const char *), void *, const char *);
diff --git a/usr/src/lib/libbrand/dtd/brand.dtd.1 b/usr/src/lib/libbrand/dtd/brand.dtd.1
index b03a2f23e8..efcb308651 100644
--- a/usr/src/lib/libbrand/dtd/brand.dtd.1
+++ b/usr/src/lib/libbrand/dtd/brand.dtd.1
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -206,22 +206,30 @@
privilege
Add a privilege to the default, prohibited, or required set for all
- zones of this brand. If a privilege is added to the default set all
- zones of this brand on the system will inherit this privilege unless
- the privilege is removed via limitpriv in zonecfg(1m). If a
- privilege is added to the prohibited set it can not be added to
- any zones via limitpriv in zonecfg(1m). If a privilege is added
- to the required set then all zones of this brand on the system
- will inherit this privilege and it can't be removed via limitpriv in
- zonecfg(1m).
+ zones of this brand with ip-type matched. If a privilege is added
+ to the default set all zones of this brand with ip-type matched on
+ the system will inherit this privilege unless the privilege is
+ removed via limitpriv in zonecfg(1m). If a privilege is added to
+ the prohibited set it can not be added to any zones with ip-type
+ matched via limitpriv in zonecfg(1m). If a privilege is added to
+ the required set then all zones of this brand with ip-type matched
+ on the system will inherit this privilege and it can't be removed via
+ limitpriv in zonecfg(1m).
Its attributes are
set The name of the set the privilege should go into.
name The name of the privilege.
+ ip-type Optional, indicates that adding of the privilege to the
+ set only applies to certain IP types. Can be "shared" or
+ "exclusive". If it is not specified, the default value
+ "all" will be used, which means it is applicable regardless
+ the IP type.
+
-->
<!ELEMENT privilege (#PCDATA) >
<!ATTLIST privilege set ( default | prohibited | required ) #REQUIRED
- name CDATA #REQUIRED >
+ name CDATA #REQUIRED
+ ip-type ( shared | exclusive ) "all" >
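Review bot: The declaration `ip-type ( shared | exclusive ) "all"` gives an enumerated attribute a default value that is not one of its enumerated tokens, which violates the XML validity constraint "Attribute Default Value Syntactically Correct"; validating parsers, libxml2 included, report this as a DTD error, and the prose above says the value can be "shared" or "exclusive" while also promising a default of "all". Either list the default, `ip-type ( shared | exclusive | all ) "all" >`, or make the attribute `#IMPLIED` and have libbrand treat absence as "all". In either case the prose should name every accepted value, since `brand_config_iter_privilege()` in this same change compares the attribute text literally.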
<!--
brand
diff --git a/usr/src/lib/libzonecfg/common/libzonecfg.c b/usr/src/lib/libzonecfg/common/libzonecfg.c
index cce47ce753..adc270c9b9 100644
--- a/usr/src/lib/libzonecfg/common/libzonecfg.c
+++ b/usr/src/lib/libzonecfg/common/libzonecfg.c
@@ -4592,30 +4592,42 @@ typedef struct priv_lists {
/* Privileges required for all non-global zones of a brand */
struct priv_node *pl_required;
+
+ /*
+ * ip-type of the zone these privileges lists apply to.
+ * It is used to pass ip-type to the callback function,
+ * priv_lists_cb, which has no way of getting the ip-type.
+ */
+ const char *pl_iptype;
} priv_lists_t;
static int
-priv_lists_cb(void *data, const char *name, const char *set)
+priv_lists_cb(void *data, priv_iter_t *priv_iter)
{
priv_lists_t *plp = (priv_lists_t *)data;
priv_node_t *pnp;
+ /* Skip this privilege if ip-type does not match */
+ if ((strcmp(priv_iter->pi_iptype, "all") != 0) &&
+ (strcmp(priv_iter->pi_iptype, plp->pl_iptype) != 0))
+ return (0);
+
/* Allocate a new priv list node. */
if ((pnp = malloc(sizeof (*pnp))) == NULL)
return (-1);
- if ((pnp->pn_priv = strdup(name)) == NULL) {
+ if ((pnp->pn_priv = strdup(priv_iter->pi_name)) == NULL) {
free(pnp);
return (-1);
}
/* Insert the new priv list node into the right list */
- if (strcmp(set, "default") == 0) {
+ if (strcmp(priv_iter->pi_set, "default") == 0) {
pnp->pn_next = plp->pl_default;
plp->pl_default = pnp;
- } else if (strcmp(set, "prohibited") == 0) {
+ } else if (strcmp(priv_iter->pi_set, "prohibited") == 0) {
pnp->pn_next = plp->pl_prohibited;
plp->pl_prohibited = pnp;
- } else if (strcmp(set, "required") == 0) {
+ } else if (strcmp(priv_iter->pi_set, "required") == 0) {
pnp->pn_next = plp->pl_required;
plp->pl_required = pnp;
} else {
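Review bot: `pl_iptype` stores the caller's pointer without copying it, and the new comment explains what the field is for but not who owns it; since `priv_lists_cb` dereferences it through `strcmp()` for every privilege, a NULL or already-freed value is undefined behaviour rather than a reported error. Suggest extending the comment: `Borrowed, not copied: the caller must keep the string alive for the lifetime of the list, and it must not be NULL.` The callers in this change pass string literals, so this is a contract note rather than a present defect.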
@@ -4652,7 +4664,8 @@ priv_lists_destroy(priv_lists_t *plp)
}
static int
-priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp)
+priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp,
+ const char *curr_iptype)
{
priv_lists_t *plp;
brand_handle_t bh;
@@ -4673,6 +4686,8 @@ priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp)
return (Z_NOMEM);
}
+ plp->pl_iptype = curr_iptype;
+
/* construct the privilege lists */
if (brand_config_iter_privilege(bh, priv_lists_cb, plp) != 0) {
priv_lists_destroy(plp);
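Review bot: `plp->pl_iptype = curr_iptype;` accepts any pointer, including NULL or a string that is neither "shared" nor "exclusive", and `priv_lists_cb` then `strcmp()`s it: NULL crashes, and an unknown string silently produces a list containing only the "all" entries, which for an exclusive zone drops the `sys_ip_config` the brand marks required. Reject bad input before it is stored, ideally at function entry before the brand handle is opened (that part of `priv_lists_create()` is outside the hunk): `if (curr_iptype == NULL || (strcmp(curr_iptype, "shared") != 0 && strcmp(curr_iptype, "exclusive") != 0)) return (Z_INVAL);`. `zonecfg_default_privset()` is a public entry point that passes its argument straight through, so this is the one place a check covers both callers.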
@@ -4707,12 +4722,12 @@ get_default_privset(priv_set_t *privs, priv_lists_t *plp)
}
int
-zonecfg_default_privset(priv_set_t *privs)
+zonecfg_default_privset(priv_set_t *privs, const char *curr_iptype)
{
priv_lists_t *plp;
int ret;
- if ((ret = priv_lists_create(NULL, &plp)) != Z_OK)
+ if ((ret = priv_lists_create(NULL, &plp, curr_iptype)) != Z_OK)
return (ret);
ret = get_default_privset(privs, plp);
priv_lists_destroy(plp);
@@ -4861,6 +4876,8 @@ zonecfg_get_privset(zone_dochandle_t handle, priv_set_t *privs,
priv_lists_t *plp;
char *cp, *limitpriv = NULL;
int err, limitlen;
+ zone_iptype_t iptype;
+ const char *curr_iptype;
/*
* Attempt to lookup the "limitpriv" property. If it does not
@@ -4870,7 +4887,19 @@ zonecfg_get_privset(zone_dochandle_t handle, priv_set_t *privs,
if ((err = zonecfg_get_limitpriv(handle, &limitpriv)) != Z_OK)
return (err);
- if ((err = priv_lists_create(handle, &plp)) != Z_OK)
+ if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK)
+ return (err);
+
+ switch (iptype) {
+ case ZS_SHARED:
+ curr_iptype = "shared";
+ break;
+ case ZS_EXCLUSIVE:
+ curr_iptype = "exclusive";
+ break;
+ }
+
+ if ((err = priv_lists_create(handle, &plp, curr_iptype)) != Z_OK)
return (err);
limitlen = strlen(limitpriv);
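Review bot: The new `switch (iptype)` has no `default` arm and `curr_iptype` has no initializer, so an unexpected `zone_iptype_t` value reaches `priv_lists_create()` with an indeterminate pointer that `priv_lists_cb` passes to `strcmp()`. Add `default: return (Z_INVAL);` (or whichever code the file uses for bad configuration) so the failure is reported instead of undefined. Note also that `limitpriv` was obtained from `zonecfg_get_limitpriv()` a few lines earlier; if that call hands out allocated storage, the new early return on `zonecfg_get_iptype()` failure leaks it, as the pre-existing `priv_lists_create()` failure return already does, so both paths should free it. `zonecfg_get_privset()` continues beyond this hunk.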
diff --git a/usr/src/pkgdefs/SUNWhea/prototype_com b/usr/src/pkgdefs/SUNWhea/prototype_com
index 0738021167..c0cbbb57a0 100644
--- a/usr/src/pkgdefs/SUNWhea/prototype_com
+++ b/usr/src/pkgdefs/SUNWhea/prototype_com
@@ -145,6 +145,7 @@ f none usr/include/inet/ip_stack.h 644 root bin
f none usr/include/inet/ip6.h 644 root bin
f none usr/include/inet/ip6_asp.h 644 root bin
f none usr/include/inet/ipclassifier.h 644 root bin
+f none usr/include/inet/ipdrop.h 644 root bin
f none usr/include/inet/ipp_common.h 644 root bin
d none usr/include/inet/kssl 755 root bin
f none usr/include/inet/kssl/ksslapi.h 644 root bin
diff --git a/usr/src/pkgdefs/etc/exception_list_i386 b/usr/src/pkgdefs/etc/exception_list_i386
index 724028cff5..3dfa90859f 100644
--- a/usr/src/pkgdefs/etc/exception_list_i386
+++ b/usr/src/pkgdefs/etc/exception_list_i386
@@ -361,7 +361,6 @@ usr/include/inet/udp_impl.h i386
usr/include/inet/tcp_impl.h i386
usr/include/inet/ip_impl.h i386
usr/include/inet/ip_ndp.h i386
-usr/include/inet/ipdrop.h i386
usr/include/inet/tun.h i386
usr/include/protocols/ripngd.h i386
usr/include/libmail.h i386
diff --git a/usr/src/pkgdefs/etc/exception_list_sparc b/usr/src/pkgdefs/etc/exception_list_sparc
index 5b5a5ee80b..a67be839d5 100644
--- a/usr/src/pkgdefs/etc/exception_list_sparc
+++ b/usr/src/pkgdefs/etc/exception_list_sparc
@@ -350,7 +350,6 @@ usr/include/inet/udp_impl.h sparc
usr/include/inet/tcp_impl.h sparc
usr/include/inet/ip_impl.h sparc
usr/include/inet/ip_ndp.h sparc
-usr/include/inet/ipdrop.h sparc
usr/include/inet/tun.h sparc
usr/include/protocols/ripngd.h sparc
usr/include/libmail.h sparc