author | dh155122 <none@none> | 2007-02-17 22:21:28 -0800 |
committer | dh155122 <none@none> | 2007-02-17 22:21:28 -0800 |
commit | bf1d7e28fd966a3f7e92b40aa301efdedc81ef7b (patch) | |
tree | f4fabae784f5f5d3e1c51aabf7c683b8f46a39f8 /usr/src | |
parent | bac8fa9cb4e49b18fc19e28fa7aeb18816da4f62 (diff) | |
download | illumos-gate-bf1d7e28fd966a3f7e92b40aa301efdedc81ef7b.tar.gz |
6516265 an exclusive zone with "limitpriv" other than "default" will panic the machine
6518710 sbd will not run with IP Instances putback to snv_57
Diffstat (limited to 'usr/src')
-rw-r--r-- | usr/src/cmd/zoneadmd/vplat.c | 31 | ||||
-rw-r--r-- | usr/src/head/libzonecfg.h | 2 | ||||
-rw-r--r-- | usr/src/lib/brand/lx/zone/config.xml | 3 | ||||
-rw-r--r-- | usr/src/lib/brand/native/zone/config.xml | 6 | ||||
-rw-r--r-- | usr/src/lib/brand/sn1/zone/config.xml | 6 | ||||
-rw-r--r-- | usr/src/lib/libbrand/common/libbrand.c | 19 | ||||
-rw-r--r-- | usr/src/lib/libbrand/common/libbrand.h | 8 | ||||
-rw-r--r-- | usr/src/lib/libbrand/dtd/brand.dtd.1 | 28 | ||||
-rw-r--r-- | usr/src/lib/libzonecfg/common/libzonecfg.c | 47 | ||||
-rw-r--r-- | usr/src/pkgdefs/SUNWhea/prototype_com | 1 | ||||
-rw-r--r-- | usr/src/pkgdefs/etc/exception_list_i386 | 1 | ||||
-rw-r--r-- | usr/src/pkgdefs/etc/exception_list_sparc | 1 |
12 files changed, 110 insertions, 43 deletions
diff --git a/usr/src/cmd/zoneadmd/vplat.c b/usr/src/cmd/zoneadmd/vplat.c
index e518516da2..2c588e8e6d 100644
--- a/usr/src/cmd/zoneadmd/vplat.c
+++ b/usr/src/cmd/zoneadmd/vplat.c
@@ -2809,7 +2809,25 @@ get_privset(zlog_t *zlogp, priv_set_t *privs, boolean_t mount_cmd)
}
if (mount_cmd) {
- if (zonecfg_default_privset(privs) == Z_OK)
+ zone_iptype_t iptype;
+ const char *curr_iptype;
+
+ if (zonecfg_get_iptype(handle, &iptype) != Z_OK) {
+ zerror(zlogp, B_TRUE, "unable to determine ip-type");
+ zonecfg_fini_handle(handle);
+ return (-1);
+ }
+
+ switch (iptype) {
+ case ZS_SHARED:
+ curr_iptype = "shared";
+ break;
+ case ZS_EXCLUSIVE:
+ curr_iptype = "exclusive";
+ break;
+ }
+
+ if (zonecfg_default_privset(privs, curr_iptype) == Z_OK)
return (0);
zerror(zlogp, B_FALSE,
"failed to determine the zone's default privilege set");
@@ -3920,17 +3938,6 @@ vplat_create(zlog_t *zlogp, boolean_t mount_cmd)
return (-1);
}
priv_emptyset(privs);
- if (iptype == ZS_EXCLUSIVE) {
- /*
- * add PRIV_NET_RAWACCESS and PRIV_SYS_IP_CONFIG
- */
- if (priv_addset(privs, PRIV_NET_RAWACCESS) != 0 ||
- priv_addset(privs, PRIV_SYS_IP_CONFIG) != 0) {
- zerror(zlogp, B_TRUE,
- "Failed to add networking privileges");
- goto error;
- }
- }
if (get_privset(zlogp, privs, mount_cmd) != 0)
goto error;
diff --git a/usr/src/head/libzonecfg.h b/usr/src/head/libzonecfg.h
index 8272817020..83b70bc8e5 100644
--- a/usr/src/head/libzonecfg.h
+++ b/usr/src/head/libzonecfg.h
@@ -470,7 +470,7 @@ extern int zonecfg_enddevperment(zone_dochandle_t);
/*
* Privilege-related functions.
*/
-extern int zonecfg_default_privset(priv_set_t *);
+extern int zonecfg_default_privset(priv_set_t *, const char *);
extern int zonecfg_get_privset(zone_dochandle_t, priv_set_t *, char **);
extern int zonecfg_get_limitpriv(zone_dochandle_t, char **);
diff --git a/usr/src/lib/brand/lx/zone/config.xml b/usr/src/lib/brand/lx/zone/config.xml
index 7eba9f6f18..0cdb522457 100644
--- a/usr/src/lib/brand/lx/zone/config.xml
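Review bot: The `switch (iptype)` added to get_privset has no `default:` arm, so for any value other than ZS_SHARED or ZS_EXCLUSIVE `curr_iptype` is read uninitialized by the zonecfg_default_privset call that follows, and libzonecfg.c's priv_lists_cb hands that pointer straight to strcmp; the switch added to zonecfg_get_privset in libzonecfg.c has the same gap. The new zonecfg_get_iptype failure path calls `zonecfg_fini_handle(handle)` before returning, but the `return (0)` after a successful zonecfg_default_privset does not, which looks like a handle leak unless the handle is owned elsewhere — get_privset begins outside the hunk, so I could not confirm. The rewrite below rejects unknown ip-types and releases the handle on the success path.
```c
		switch (iptype) {
		case ZS_SHARED:
			curr_iptype = "shared";
			break;
		case ZS_EXCLUSIVE:
			curr_iptype = "exclusive";
			break;
		default:
			zerror(zlogp, B_FALSE, "unknown ip-type");
			zonecfg_fini_handle(handle);
			return (-1);
		}

		if (zonecfg_default_privset(privs, curr_iptype) == Z_OK) {
			zonecfg_fini_handle(handle);
			return (0);
		}
		/* … unchanged: "failed to determine the zone's default privilege set" error path … */
```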
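Review bot: The new `const char *` parameter of zonecfg_default_privset is not documented in the header, yet libzonecfg.c's priv_lists_cb compares it with strcmp against the brand XML ip-type tokens, so a caller passing anything other than the exact token silently receives a privilege set with every ip-type-specific entry filtered out. A one-line comment above the prototype would pin the contract: `/* 2nd arg: the zone's ip-type as a brand ip-type token, "shared" or "exclusive" */`.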
+++ b/usr/src/lib/brand/lx/zone/config.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -79,6 +79,7 @@
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
diff --git a/usr/src/lib/brand/native/zone/config.xml b/usr/src/lib/brand/native/zone/config.xml
index 45ce096c13..ba8fa8c091 100644
--- a/usr/src/lib/brand/native/zone/config.xml
+++ b/usr/src/lib/brand/native/zone/config.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -62,6 +62,7 @@
<privilege set="default" name="net_icmpaccess" />
<privilege set="default" name="net_mac_aware" />
<privilege set="default" name="net_privaddr" />
+ <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
<privilege set="default" name="proc_chroot" />
<privilege set="default" name="sys_audit" />
<privilege set="default" name="proc_audit" />
@@ -71,6 +72,7 @@
<privilege set="default" name="proc_taskid" />
<privilege set="default" name="sys_acct" />
<privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
<privilege set="default" name="sys_mount" />
<privilege set="default" name="sys_nfs" />
<privilege set="default" name="sys_resource" />
@@ -79,6 +81,7 @@
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
@@ -86,5 +89,6 @@
<privilege set="required" name="proc_exec" />
<privilege set="required" name="proc_fork" />
+ <privilege set="required" name="sys_ip_config" ip-type="exclusive" />
<privilege set="required" name="sys_mount" />
</brand>
diff --git a/usr/src/lib/brand/sn1/zone/config.xml b/usr/src/lib/brand/sn1/zone/config.xml
index 15d39b9c35..344cecbfbc 100644
--- a/usr/src/lib/brand/sn1/zone/config.xml
+++ b/usr/src/lib/brand/sn1/zone/config.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -62,6 +62,7 @@
<privilege set="default" name="net_icmpaccess" />
<privilege set="default" name="net_mac_aware" />
<privilege set="default" name="net_privaddr" />
+ <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
<privilege set="default" name="proc_chroot" />
<privilege set="default" name="sys_audit" />
<privilege set="default" name="proc_audit" />
@@ -71,6 +72,7 @@
<privilege set="default" name="proc_taskid" />
<privilege set="default" name="sys_acct" />
<privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
<privilege set="default" name="sys_mount" />
<privilege set="default" name="sys_nfs" />
<privilege set="default" name="sys_resource" />
@@ -79,6 +81,7 @@
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
@@ -86,5 +89,6 @@
<privilege set="required" name="proc_exec" />
<privilege set="required" name="proc_fork" />
+ <privilege set="required" name="sys_ip_config" ip-type="exclusive" />
<privilege set="required" name="sys_mount" />
</brand>
diff --git a/usr/src/lib/libbrand/common/libbrand.c b/usr/src/lib/libbrand/common/libbrand.c
index 068d720247..ad17b6709a 100644
--- a/usr/src/lib/libbrand/common/libbrand.c
+++ b/usr/src/lib/libbrand/common/libbrand.c
@@ -577,12 +577,13 @@ brand_allow_exclusive_ip(brand_handle_t bh)
* specified callback for each. Returns 0 on success, or -1 on failure.
*/
int
-brand_config_iter_privilege(brand_handle_t bh, int (*func)(void *,
- const char *, const char *), void *data)
+brand_config_iter_privilege(brand_handle_t bh,
+ int (*func)(void *, priv_iter_t *), void *data)
{
struct brand_handle *bhp = (struct brand_handle *)bh;
xmlNodePtr node;
- xmlChar *name, *set;
+ xmlChar *name, *set, *iptype;
+ priv_iter_t priv_iter;
int ret;
if ((node = xmlDocGetRootElement(bhp->bh_config)) == NULL)
@@ -595,19 +596,27 @@ brand_config_iter_privilege(brand_handle_t bh, int (*func)(void *,
name = xmlGetProp(node, DTD_ATTR_NAME);
set = xmlGetProp(node, DTD_ATTR_SET);
+ iptype = xmlGetProp(node, DTD_ATTR_IPTYPE);
- if (name == NULL || set == NULL) {
+ if (name == NULL || set == NULL || iptype == NULL) {
if (name != NULL)
xmlFree(name);
if (set != NULL)
xmlFree(set);
+ if (iptype != NULL)
+ xmlFree(iptype);
return (-1);
}
- ret = func(data, (const char *)name, (const char *)set);
+ priv_iter.pi_name = (char *)name;
+ priv_iter.pi_set = (char *)set;
+ priv_iter.pi_iptype = (char *)iptype;
+
+ ret = func(data, &priv_iter);
xmlFree(name);
xmlFree(set);
+ xmlFree(iptype);
if (ret != 0)
return (-1);
diff --git a/usr/src/lib/libbrand/common/libbrand.h b/usr/src/lib/libbrand/common/libbrand.h
index 0254a9fa3e..cdb097edf1 100644
--- a/usr/src/lib/libbrand/common/libbrand.h
+++ b/usr/src/lib/libbrand/common/libbrand.h
@@ -37,6 +37,12 @@ extern "C" {
typedef struct __brand_handle *brand_handle_t;
+typedef struct priv_iter_s {
+ char *pi_name;
+ char *pi_set;
+ char *pi_iptype;
+} priv_iter_t;
+
extern brand_handle_t brand_open(const char *);
extern void brand_close(brand_handle_t);
@@ -62,7 +68,7 @@ extern int brand_get_verify_adm(brand_handle_t, const char *, const char *, char *, size_t, int, char **);
extern int brand_config_iter_privilege(brand_handle_t,
- int (*func)(void *, const char *, const char *), void *);
+ int (*func)(void *, priv_iter_t *), void *);
extern int brand_platform_iter_devices(brand_handle_t, const char *, int (*)(void *, const char *, const char *), void *, const char *);
diff --git a/usr/src/lib/libbrand/dtd/brand.dtd.1 b/usr/src/lib/libbrand/dtd/brand.dtd.1
index b03a2f23e8..efcb308651 100644
--- a/usr/src/lib/libbrand/dtd/brand.dtd.1
+++ b/usr/src/lib/libbrand/dtd/brand.dtd.1
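Review bot: `priv_iter.pi_name = (char *)name;` and the two assignments after it hand the callback writable pointers into libxml-owned strings, and priv_iter_t in libbrand.h declares all three fields as plain `char *`; the old signature passed them as `const char *`, and keeping that (`const char *pi_name;` etc. in the header, `(const char *)name` here) stops a callback from modifying or freeing buffers that this loop still releases with xmlFree. Separately, the new `iptype == NULL` test turns an absent ip-type attribute into an iteration failure, which is only correct if xmlGetProp reliably supplies the DTD default "all" declared in brand.dtd.1 — that depends on the config being parsed with the brand DTD attached, and how bh_config is parsed lies outside the hunk, so I would either confirm it or treat a missing ip-type as "all" right here instead of failing. brand_config_iter_privilege continues past the end of the hunk.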
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -206,22 +206,30 @@
privilege
Add a privilege to the default, prohibited, or required set for all
- zones of this brand. If a privilege is added to the default set all
- zones of this brand on the system will inherit this privilege unless
- the privilege is removed via limitpriv in zonecfg(1m). If a
- privilege is added to the prohibited set it can not be added to
- any zones via limitpriv in zonecfg(1m). If a privilege is added
- to the required set then all zones of this brand on the system
- will inherit this privilege and it can't be removed via limitpriv in
- zonecfg(1m).
+ zones of this brand with ip-type matched. If a privilege is added
+ to the default set all zones of this brand with ip-type matched on
+ the system will inherit this privilege unless the privilege is
+ removed via limitpriv in zonecfg(1m). If a privilege is added to
+ the prohibited set it can not be added to any zones with ip-type
+ matched via limitpriv in zonecfg(1m). If a privilege is added to
+ the required set then all zones of this brand with ip-type matched
+ on the system will inherit this privilege and it can't be removed via
+ limitpriv in zonecfg(1m).
Its attributes are
set The name of the set the privilege should go into.
name The name of the privilege.
+ ip-type Optional, indicates that adding of the privilege to the
+ set only applies to certain IP types. Can be "shared" or
+ "exclusive". If it is not specified, the default value
+ "all" will be used, which means it is applicable regardless
+ the IP type.
+
-->
<!ELEMENT privilege (#PCDATA) >
<!ATTLIST privilege set ( default | prohibited | required ) #REQUIRED
- name CDATA #REQUIRED >
+ name CDATA #REQUIRED
+ ip-type ( shared | exclusive ) "all" >
<!--
brand
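Review bot: `ip-type ( shared | exclusive ) "all"` declares a default that is not one of the enumerated tokens; XML 1.0's "Attribute Default Value Syntactically Correct" constraint requires an enumerated attribute's default to be one of the listed values, so a validating parser may reject the brand DTD, while priv_lists_cb in libzonecfg.c relies on receiving the literal "all". Adding the token makes the declaration self-consistent: `ip-type ( shared | exclusive | all ) "all" >`. The new comment text above it could then name all three values rather than saying the attribute "Can be "shared" or "exclusive"".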
diff --git a/usr/src/lib/libzonecfg/common/libzonecfg.c b/usr/src/lib/libzonecfg/common/libzonecfg.c
index cce47ce753..adc270c9b9 100644
--- a/usr/src/lib/libzonecfg/common/libzonecfg.c
+++ b/usr/src/lib/libzonecfg/common/libzonecfg.c
@@ -4592,30 +4592,42 @@ typedef struct priv_lists {
/* Privileges required for all non-global zones of a brand */
struct priv_node *pl_required;
+
+ /*
+ * ip-type of the zone these privileges lists apply to.
+ * It is used to pass ip-type to the callback function,
+ * priv_lists_cb, which has no way of getting the ip-type.
+ */
+ const char *pl_iptype;
} priv_lists_t;
static int
-priv_lists_cb(void *data, const char *name, const char *set)
+priv_lists_cb(void *data, priv_iter_t *priv_iter)
{
priv_lists_t *plp = (priv_lists_t *)data;
priv_node_t *pnp;
+ /* Skip this privilege if ip-type does not match */
+ if ((strcmp(priv_iter->pi_iptype, "all") != 0) &&
+ (strcmp(priv_iter->pi_iptype, plp->pl_iptype) != 0))
+ return (0);
+
/* Allocate a new priv list node. */
if ((pnp = malloc(sizeof (*pnp))) == NULL)
return (-1);
- if ((pnp->pn_priv = strdup(name)) == NULL) {
+ if ((pnp->pn_priv = strdup(priv_iter->pi_name)) == NULL) {
free(pnp);
return (-1);
}
/* Insert the new priv list node into the right list */
- if (strcmp(set, "default") == 0) {
+ if (strcmp(priv_iter->pi_set, "default") == 0) {
pnp->pn_next = plp->pl_default;
plp->pl_default = pnp;
- } else if (strcmp(set, "prohibited") == 0) {
+ } else if (strcmp(priv_iter->pi_set, "prohibited") == 0) {
pnp->pn_next = plp->pl_prohibited;
plp->pl_prohibited = pnp;
- } else if (strcmp(set, "required") == 0) {
+ } else if (strcmp(priv_iter->pi_set, "required") == 0) {
pnp->pn_next = plp->pl_required;
plp->pl_required = pnp;
} else {
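Review bot: The new skip test in priv_lists_cb passes `plp->pl_iptype` to strcmp without checking it, and priv_lists_create stores the caller's `curr_iptype` pointer unmodified, so any caller that hands NULL to the now-extended zonecfg_default_privset dereferences NULL as soon as a brand privilege carries an ip-type other than "all"; whether such a caller exists cannot be seen from here. Rejecting a NULL `curr_iptype` up front in priv_lists_create, before `plp->pl_iptype = curr_iptype;`, keeps the callback simple and turns the misuse into an ordinary error return. priv_lists_cb continues past the end of the hunk.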
@@ -4652,7 +4664,8 @@ priv_lists_destroy(priv_lists_t *plp)
}
static int
-priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp)
+priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp,
+ const char *curr_iptype)
{
priv_lists_t *plp;
brand_handle_t bh;
@@ -4673,6 +4686,8 @@ priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp)
return (Z_NOMEM);
}
+ plp->pl_iptype = curr_iptype;
+
/* construct the privilege lists */
if (brand_config_iter_privilege(bh, priv_lists_cb, plp) != 0) {
priv_lists_destroy(plp);
@@ -4707,12 +4722,12 @@ get_default_privset(priv_set_t *privs, priv_lists_t *plp)
}
int
-zonecfg_default_privset(priv_set_t *privs)
+zonecfg_default_privset(priv_set_t *privs, const char *curr_iptype)
{
priv_lists_t *plp;
int ret;
- if ((ret = priv_lists_create(NULL, &plp)) != Z_OK)
+ if ((ret = priv_lists_create(NULL, &plp, curr_iptype)) != Z_OK)
return (ret);
ret = get_default_privset(privs, plp);
priv_lists_destroy(plp);
@@ -4861,6 +4876,8 @@ zonecfg_get_privset(zone_dochandle_t handle, priv_set_t *privs,
priv_lists_t *plp;
char *cp, *limitpriv = NULL;
int err, limitlen;
+ zone_iptype_t iptype;
+ const char *curr_iptype;
/*
* Attempt to lookup the "limitpriv" property. If it does not
@@ -4870,7 +4887,19 @@ zonecfg_get_privset(zone_dochandle_t handle, priv_set_t *privs,
if ((err = zonecfg_get_limitpriv(handle, &limitpriv)) != Z_OK)
return (err);
- if ((err = priv_lists_create(handle, &plp)) != Z_OK)
+ if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK)
+ return (err);
+
+ switch (iptype) {
+ case ZS_SHARED:
+ curr_iptype = "shared";
+ break;
+ case ZS_EXCLUSIVE:
+ curr_iptype = "exclusive";
+ break;
+ }
+
+ if ((err = priv_lists_create(handle, &plp, curr_iptype)) != Z_OK)
return (err);
limitlen = strlen(limitpriv);
diff --git a/usr/src/pkgdefs/SUNWhea/prototype_com b/usr/src/pkgdefs/SUNWhea/prototype_com
index 0738021167..c0cbbb57a0 100644
--- a/usr/src/pkgdefs/SUNWhea/prototype_com
+++ b/usr/src/pkgdefs/SUNWhea/prototype_com
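Review bot: The `return (err);` added after the zonecfg_get_iptype call in zonecfg_get_privset leaves `limitpriv` behind: it was filled by the zonecfg_get_limitpriv call two lines earlier and is later used via `strlen(limitpriv)`, so if that lookup returns heap memory — which the `char *limitpriv = NULL` out-parameter pattern suggests but the hunk does not prove — the new early exit leaks it, exactly as the pre-existing priv_lists_create failure return already does. Freeing it on both exits, `free(limitpriv); return (err);`, or performing the ip-type lookup before the limitpriv lookup, closes the gap. The missing `default:` in this switch is noted on the vplat.c hunk; zonecfg_get_privset continues past the end of the hunk.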
@@ -145,6 +145,7 @@ f none usr/include/inet/ip_stack.h 644 root bin
f none usr/include/inet/ip6.h 644 root bin
f none usr/include/inet/ip6_asp.h 644 root bin
f none usr/include/inet/ipclassifier.h 644 root bin
+f none usr/include/inet/ipdrop.h 644 root bin
f none usr/include/inet/ipp_common.h 644 root bin
d none usr/include/inet/kssl 755 root bin
f none usr/include/inet/kssl/ksslapi.h 644 root bin
diff --git a/usr/src/pkgdefs/etc/exception_list_i386 b/usr/src/pkgdefs/etc/exception_list_i386
index 724028cff5..3dfa90859f 100644
--- a/usr/src/pkgdefs/etc/exception_list_i386
+++ b/usr/src/pkgdefs/etc/exception_list_i386
@@ -361,7 +361,6 @@ usr/include/inet/udp_impl.h i386
usr/include/inet/tcp_impl.h i386
usr/include/inet/ip_impl.h i386
usr/include/inet/ip_ndp.h i386
-usr/include/inet/ipdrop.h i386
usr/include/inet/tun.h i386
usr/include/protocols/ripngd.h i386
usr/include/libmail.h i386
diff --git a/usr/src/pkgdefs/etc/exception_list_sparc b/usr/src/pkgdefs/etc/exception_list_sparc
index 5b5a5ee80b..a67be839d5 100644
--- a/usr/src/pkgdefs/etc/exception_list_sparc
+++ b/usr/src/pkgdefs/etc/exception_list_sparc
@@ -350,7 +350,6 @@ usr/include/inet/udp_impl.h sparc
usr/include/inet/tcp_impl.h sparc
usr/include/inet/ip_impl.h sparc
usr/include/inet/ip_ndp.h sparc
-usr/include/inet/ipdrop.h sparc
usr/include/inet/tun.h sparc
usr/include/protocols/ripngd.h sparc
usr/include/libmail.h sparc