6 files changed, 248 insertions, 22 deletions

diff --git a/usr/src/man/man9f/Makefile b/usr/src/man/man9f/Makefile
index dec8aa99d7..4b4dd80396 100644
--- a/usr/src/man/man9f/Makefile
+++ b/usr/src/man/man9f/Makefile
@@ -13,7 +13,7 @@
 # Copyright 2017, Richard Lowe
 # Copyright 2014 Garrett D'Amore <garrett@damore>
 # Copyright 2019 Joyent, Inc.
-# Copyright 2016 Nexenta Systems, Inc.
+# Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
 # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
 #
 
@@ -70,6 +70,7 @@ MANFILES=	ASSERT.9f				\
 		copyin.9f				\
 		copymsg.9f				\
 		copyout.9f				\
+		credentials.9f				\
 		csx_AccessConfigurationRegister.9f	\
 		csx_CS_DDI_Info.9f			\
 		csx_ConvertSize.9f			\
@@ -556,6 +557,7 @@ MANFILES=	ASSERT.9f				\
 
 MANLINKS=	AVL_NEXT.9f					\
 		AVL_PREV.9f					\
+		CRED.9f						\
 		SIZEOF_PTR.9f					\
 		SIZEOF_STRUCT.9f				\
 		STRUCT_BUF.9f					\
@@ -690,6 +692,9 @@ MANLINKS=	AVL_NEXT.9f					\
 		avl_remove.9f					\
 		avl_swap.9f					\
 		bcanputnext.9f					\
+		crdup.9f					\
+		crfree.9f					\
+		crget.9f					\
 		crgetgid.9f					\
 		crgetgroups.9f					\
 		crgetngroups.9f					\
@@ -699,6 +704,7 @@ MANLINKS=	AVL_NEXT.9f					\
 		crgetsuid.9f					\
 		crgetuid.9f					\
 		crgetzoneid.9f					\
+		crhold.9f					\
 		csx_Get16.9f					\
 		csx_Get32.9f					\
 		csx_Get64.9f					\
@@ -969,6 +975,7 @@ MANLINKS=	AVL_NEXT.9f					\
 		inl.9f						\
 		intro.9f					\
 		inw.9f						\
+		kcred.9f					\
 		kmem_cache_alloc.9f				\
 		kmem_cache_destroy.9f				\
 		kmem_cache_free.9f				\
@@ -1310,7 +1317,8 @@ MANLINKS=	AVL_NEXT.9f					\
 		vsprintf.9f					\
 		vzcmn_err.9f					\
 		wr.9f						\
-		zcmn_err.9f
+		zcmn_err.9f					\
+		zone_kcred.9f
 
 assert.9f				:= LINKSRC = ASSERT.9f
 
@@ -1483,6 +1491,14 @@ cv_timedwait_sig.9f			:= LINKSRC = condvar.9f
 cv_wait.9f				:= LINKSRC = condvar.9f
 cv_wait_sig.9f				:= LINKSRC = condvar.9f
 
+CRED.9f					:= LINKSRC = credentials.9f
+crdup.9f				:= LINKSRC = credentials.9f
+crfree.9f				:= LINKSRC = credentials.9f
+crget.9f				:= LINKSRC = credentials.9f
+crhold.9f				:= LINKSRC = credentials.9f
+kcred.9f				:= LINKSRC = credentials.9f
+zone_kcred.9f				:= LINKSRC = credentials.9f
+
 csx_Get16.9f				:= LINKSRC = csx_Get8.9f
 csx_Get32.9f				:= LINKSRC = csx_Get8.9f
 csx_Get64.9f				:= LINKSRC = csx_Get8.9f
diff --git a/usr/src/man/man9f/credentials.9f b/usr/src/man/man9f/credentials.9f
new file mode 100644
index 0000000000..89d2138c95
--- /dev/null
+++ b/usr/src/man/man9f/credentials.9f
@@ -0,0 +1,201 @@
+.\"
+.\" This file and its contents are supplied under the terms of the
+.\" Common Development and Distribution License ("CDDL"), version 1.0.
+.\" You may only use this file in accordance with the terms of version
+.\" 1.0 of the CDDL.
+.\"
+.\" A full copy of the text of the CDDL should have accompanied this
+.\" source.  A copy of the CDDL is also available via the Internet at
+.\" http://www.illumos.org/license/CDDL.
+.\"
+.\"
+.\" Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
+.\"
+.Dd Aug 21, 2020
+.Dt CREDENTIALS 9F
+.Os
+.Sh NAME
+.Nm credentials ,
+.Nm CRED ,
+.Nm crdup ,
+.Nm crfree ,
+.Nm crget ,
+.Nm crhold ,
+.Nm kcred ,
+.Nm zone_kcred
+.Nd Functions for obtaining credentials in the kernel
+.Sh SYNOPSIS
+.In sys/cred.h
+.Ft "cred_t *"
+.Fo CRED
+.Fc
+.Ft "cred_t *"
+.Fo crdup
+.Fa "cred_t *cr"
+.Fc
+.Ft "void"
+.Fo crfree
+.Fa "cred_t *cr"
+.Fc
+.Ft "cred_t *"
+.Fo crget
+.Fc
+.Ft "void"
+.Fo crhold
+.Fa "cred_t *cr"
+.Fc
+.Ft "cred_t *"
+.Fo zone_kcred
+.Fc
+.Vt cred_t *kcred
+.Sh INTERFACE LEVEL
+.Sy Volatile -
+This interface is still evolving in illumos.
+API and ABI stability is not guaranteed.
+.Sh PARAMETERS
+.Bl -tag -width Fa
+.It Fa cr
+pointer to the user credential structure.
+.El
+.Sh DESCRIPTION
+Some kernel interfaces require a credential as an argument.
+This page documents the credentials available in the system,
+as well as interfaces for creating new credentials.
+.Pp
+Most users do not need to create new credentials.
+Instead, users should generally use the credentials of the executing context.
+.Pp
+This interface is primarily intended for services that must perform operations
+on behalf of multiple remotely authenticated users, whose authentication context
+is unrelated to the context of the executing thread or process.
+Drivers MUST NOT create new credentials.
+Drivers should use the provided credential.
+.Pp
+For functions that do not return new credentials,
+if the credentials will be used outside of their context
+(i.e. if the output of zone_kcred() is referenced outside of the zone),
+then one should use
+.Fn crdup
+or
+.Fn crhold
+to ensure that the credentials remain valid.
+.Ss Fn CRED
+The
+.Fn CRED
+function returns the credential of the calling thread.
+Its contents depend on the calling context (user, kernel, interrupt).
+.Ss Fn crdup
+.Fn crdup
+returns a newly-allocated copy of
+.Fa cr
+with reference count of 1.
+It sleeps until the allocation succeeds.
+.Ss Fn crfree
+.Fn crfree
+releases a reference to
+.Fa cr .
+If this is the last reference, the credential is destroyed.
+.Ss Fn crhold
+.Fn crhold
+takes a reference to
+.Fa cr .
+.Ss Va kcred
+.Va kcred
+is the root credential of the global zone.
+Its UIDs and GIDs are all 0.
+It has the following privilege sets by default:
+.Bd -literal -offset indent
+E: basic,proc_secflags
+I: basic,proc_secflags
+P: basic,proc_secflags
+L: all
+.Ed
+.Pp
+.Dv NET_MAC_AWARE
+is set in the credential's flags.
+It is not marked privilege-aware.
+.Pp
+.Va kcred
+will never be freed by the system.
+.Ss Fn zone_kcred
+The
+.Fn zone_kcred
+function returns the root credential of the zone to which the calling thread belongs.
+This cred is derived from the global kcred, minus any privileges denied to the zone.
+.Ss Fn crget
+The
+.Fn crget
+function returns a copy of
+.Fn zone_kcred
+suitable for modification by the caller.
+This is useful for obtaining a default,
+well-initialized credential in the appropriate zone context,
+that is free of privileges or limitations of the originating thread.
+It must be freed with
+.Fn crfree .
+It sleeps until the allocation succeeds.
+.Ss Considerations
+.Va kcred
+and
+.Fn zone_kcred
+are not privilege-aware, and have all IDs set to 0.
+This causes their Limit set to be used in place of the Effective and Permitted sets,
+which significantly expands their privileges.
+.Pp
+If the output of
+.Fn crget
+is not later marked as privilege aware, and its UID is not set to a non-zero value,
+then its Limit set will be used in place of its Effective and Permitted sets,
+significantly expanding its privileges.
+Callers should either mark the credential as privilege-aware,
+reduce the Limit set appropriately,
+or ensure that they intend for zero-uid users to have expanded privileges.
+.Pp
+.Va kcred ,
+.Fn zone_kcred ,
+and
+.Fn CRED
+are not suitable for modfication by the caller.
+Callers must use
+.Fn crdup
+to create a copy of these credentials that are suitable for modification.
+.Pp
+Callers of
+.Fn zone_kcred
+and
+.Fn crget
+must take care to ensure that the calling thread is
+executing in the context of the appropriate zone.
+If the thread is performing work on behalf of a different zone,
+or if one is uncertain of the zone context of the calling thread,
+then one should find the appropriate zone by other means, and reference
+.Em zone->zone_kcred
+explicitly.
+.Sh CONTEXT
+These functions can be called from
+.Sy user
+and
+.Sy kernel
+contexts.
+.Sh RETURN VALUES
+.Fn zone_kcred
+and
+.Fn CRED
+return a pointer to a
+.Vt cred_t
+that should not be modified.
+.Pp
+.Fn crget
+and
+.Fn crdup
+return a pointer to a newly allocated
+.Vt cred_t .
+.Pp
+.Fn zone_kcred ,
+.Fn CRED ,
+.Fn crdup ,
+and
+.Fn crget
+can never fail, and always return a valid credential.
+.Sh SEE ALSO
+.Xr ddi_cred 9f
diff --git a/usr/src/pkg/manifests/system-kernel.man9f.inc b/usr/src/pkg/manifests/system-kernel.man9f.inc
index 5b3dc6d94e..78107ef373 100644
--- a/usr/src/pkg/manifests/system-kernel.man9f.inc
+++ b/usr/src/pkg/manifests/system-kernel.man9f.inc
@@ -12,7 +12,7 @@
 #
 # Copyright 2017, Richard Lowe
 # Copyright 2014 Garrett D'Amore <garrett@damore.org>
-# Copyright 2016 Nexenta Systems, Inc.
+# Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
 # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
 # Copyright 2019 Joyent, Inc.
 #
@@ -66,6 +66,7 @@ file path=usr/share/man/man9f/copyb.9f
 file path=usr/share/man/man9f/copyin.9f
 file path=usr/share/man/man9f/copymsg.9f
 file path=usr/share/man/man9f/copyout.9f
+file path=usr/share/man/man9f/credentials.9f
 file path=usr/share/man/man9f/csx_AccessConfigurationRegister.9f
 file path=usr/share/man/man9f/csx_CS_DDI_Info.9f
 file path=usr/share/man/man9f/csx_ConvertSize.9f
@@ -513,6 +514,7 @@ file path=usr/share/man/man9f/vmem_create.9f
 file path=usr/share/man/man9f/vmem_walk.9f
 link path=usr/share/man/man9f/AVL_NEXT.9f target=avl.9f
 link path=usr/share/man/man9f/AVL_PREV.9f target=avl.9f
+link path=usr/share/man/man9f/CRED.9f target=credentials.9f
 link path=usr/share/man/man9f/SIZEOF_PTR.9f target=STRUCT_DECL.9f
 link path=usr/share/man/man9f/SIZEOF_STRUCT.9f target=STRUCT_DECL.9f
 link path=usr/share/man/man9f/STRUCT_BUF.9f target=STRUCT_DECL.9f
@@ -647,6 +649,9 @@ link path=usr/share/man/man9f/avl_numnodes.9f target=avl.9f
 link path=usr/share/man/man9f/avl_remove.9f target=avl.9f
 link path=usr/share/man/man9f/avl_swap.9f target=avl.9f
 link path=usr/share/man/man9f/bcanputnext.9f target=canputnext.9f
+link path=usr/share/man/man9f/crdup.9f target=credentials.9f
+link path=usr/share/man/man9f/crfree.9f target=credentials.9f
+link path=usr/share/man/man9f/crget.9f target=credentials.9f
 link path=usr/share/man/man9f/crgetgid.9f target=ddi_cred.9f
 link path=usr/share/man/man9f/crgetgroups.9f target=ddi_cred.9f
 link path=usr/share/man/man9f/crgetngroups.9f target=ddi_cred.9f
@@ -656,6 +661,7 @@ link path=usr/share/man/man9f/crgetsgid.9f target=ddi_cred.9f
 link path=usr/share/man/man9f/crgetsuid.9f target=ddi_cred.9f
 link path=usr/share/man/man9f/crgetuid.9f target=ddi_cred.9f
 link path=usr/share/man/man9f/crgetzoneid.9f target=ddi_cred.9f
+link path=usr/share/man/man9f/crhold.9f target=credentials.9f
 link path=usr/share/man/man9f/csx_Get16.9f target=csx_Get8.9f
 link path=usr/share/man/man9f/csx_Get32.9f target=csx_Get8.9f
 link path=usr/share/man/man9f/csx_Get64.9f target=csx_Get8.9f
@@ -969,6 +975,7 @@ link path=usr/share/man/man9f/id_space_extend.9f target=id_space.9f
 link path=usr/share/man/man9f/inl.9f target=inb.9f
 link path=usr/share/man/man9f/intro.9f target=Intro.9f
 link path=usr/share/man/man9f/inw.9f target=inb.9f
+link path=usr/share/man/man9f/kcred.9f target=credentials.9f
 link path=usr/share/man/man9f/kmem_cache_alloc.9f target=kmem_cache_create.9f
 link path=usr/share/man/man9f/kmem_cache_destroy.9f \
     target=kmem_cache_create.9f
@@ -1402,3 +1409,4 @@ link path=usr/share/man/man9f/vsprintf.9f target=sprintf.9f
 link path=usr/share/man/man9f/vzcmn_err.9f target=cmn_err.9f
 link path=usr/share/man/man9f/wr.9f target=WR.9f
 link path=usr/share/man/man9f/zcmn_err.9f target=cmn_err.9f
+link path=usr/share/man/man9f/zone_kcred.9f target=credentials.9f
diff --git a/usr/src/uts/common/fs/smbsrv/smb_idmap.c b/usr/src/uts/common/fs/smbsrv/smb_idmap.c
index b9bfa991c4..e6c04193b0 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_idmap.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_idmap.c
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -83,12 +83,12 @@ smb_idmap_getsid(uid_t id, int idtype, smb_sid_t **sid)
 
 	switch (idtype) {
 	case SMB_IDMAP_USER:
-		sim.sim_stat = kidmap_getsidbyuid(global_zone, id,
+		sim.sim_stat = kidmap_getsidbyuid(curzone, id,
 		    (const char **)&sim.sim_domsid, &sim.sim_rid);
 		break;
 
 	case SMB_IDMAP_GROUP:
-		sim.sim_stat = kidmap_getsidbygid(global_zone, id,
+		sim.sim_stat = kidmap_getsidbygid(curzone, id,
 		    (const char **)&sim.sim_domsid, &sim.sim_rid);
 		break;
 
@@ -150,17 +150,17 @@ smb_idmap_getid(smb_sid_t *sid, uid_t *id, int *idtype)
 
 	switch (*idtype) {
 	case SMB_IDMAP_USER:
-		sim.sim_stat = kidmap_getuidbysid(global_zone, sim.sim_domsid,
+		sim.sim_stat = kidmap_getuidbysid(curzone, sim.sim_domsid,
 		    sim.sim_rid, sim.sim_id);
 		break;
 
 	case SMB_IDMAP_GROUP:
-		sim.sim_stat = kidmap_getgidbysid(global_zone, sim.sim_domsid,
+		sim.sim_stat = kidmap_getgidbysid(curzone, sim.sim_domsid,
 		    sim.sim_rid, sim.sim_id);
 		break;
 
 	case SMB_IDMAP_UNKNOWN:
-		sim.sim_stat = kidmap_getpidbysid(global_zone, sim.sim_domsid,
+		sim.sim_stat = kidmap_getpidbysid(curzone, sim.sim_domsid,
 		    sim.sim_rid, sim.sim_id, &sim.sim_idtype);
 		break;
 
@@ -186,7 +186,7 @@ smb_idmap_batch_create(smb_idmap_batch_t *sib, uint16_t nmap, int flags)
 
 	bzero(sib, sizeof (smb_idmap_batch_t));
 
-	sib->sib_idmaph = kidmap_get_create(global_zone);
+	sib->sib_idmaph = kidmap_get_create(curzone);
 
 	sib->sib_flags = flags;
 	sib->sib_nmap = nmap;
diff --git a/usr/src/uts/common/os/cred.c b/usr/src/uts/common/os/cred.c
index 25727d54c5..3e1df330b7 100644
--- a/usr/src/uts/common/os/cred.c
+++ b/usr/src/uts/common/os/cred.c
@@ -20,13 +20,14 @@
  */
 /*
  * Copyright (c) 2013, Ira Cooper.  All rights reserved.
+ * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
  */
 /*
  * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
-/*	  All Rights Reserved  	*/
+/*	  All Rights Reserved	*/
 
 /*
  * University Copyright- Copyright (c) 1982, 1986, 1988
@@ -288,7 +289,7 @@ crget(void)
 {
 	cred_t *cr = kmem_cache_alloc(cred_cache, KM_SLEEP);
 
-	bcopy(kcred, cr, crsize);
+	bcopy(zone_kcred(), cr, crsize);
 	cr->cr_ref = 1;
 	zone_cred_hold(cr->cr_zone);
 	if (cr->cr_label)
@@ -377,7 +378,7 @@ crfree(cred_t *cr)
 /*
  * Copy a cred structure to a new one and free the old one.
  *	The new cred will have two references.  One for the calling process,
- * 	and one for the thread.
+ *	and one for the thread.
  */
 cred_t *
 crcopy(cred_t *cr)
@@ -404,7 +405,7 @@ crcopy(cred_t *cr)
 /*
  * Copy a cred structure to a new one and free the old one.
  *	The new cred will have two references.  One for the calling process,
- * 	and one for the thread.
+ *	and one for the thread.
  * This variation on crcopy uses a pre-allocated structure for the
  * "new" cred.
  */
diff --git a/usr/src/uts/sun4u/chicago/io/fpc/fpc-impl-4u.c b/usr/src/uts/sun4u/chicago/io/fpc/fpc-impl-4u.c
index aa96f19079..a8ceea0344 100644
--- a/usr/src/uts/sun4u/chicago/io/fpc/fpc-impl-4u.c
+++ b/usr/src/uts/sun4u/chicago/io/fpc/fpc-impl-4u.c
@@ -24,6 +24,10 @@
  * Use is subject to license terms.
  */
 
+/*
+ * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
+ */
+
 #include <sys/file.h>
 #include <sys/sunndi.h>
 #include <sys/sunddi.h>
@@ -101,7 +105,6 @@ static uint64_t counter_reg_offsets[] = {
 
 static ldi_ident_t ldi_identifier;
 static boolean_t ldi_identifier_valid = B_FALSE;
-static cred_t *credentials = NULL;
 
 /* Called by _init to determine if it is OK to install driver. */
 int
@@ -116,7 +119,6 @@ fpc_platform_module_init(dev_info_t *dip)
 {
 	int status;
 
-	credentials = crget();
 	status = ldi_ident_from_dip(dip, &ldi_identifier);
 	if (status == 0)
 		ldi_identifier_valid = B_TRUE;
@@ -211,8 +213,6 @@ fpc_platform_module_fini(dev_info_t *dip)
 {
 	if (ldi_identifier_valid)
 		ldi_ident_release(ldi_identifier);
-	if (credentials)
-		crfree(credentials);
 }
 
 fire_perfreg_handle_t
@@ -226,7 +226,7 @@ fpc_get_perfreg_handle(int devnum)
 	if ((handle_impl->devspec =
 	    fpc_get_platform_data_by_number(devnum)) != NULL) {
 		rval = ldi_open_by_name(handle_impl->devspec->nodename,
-		    OPEN_FLAGS, credentials, &handle_impl->devhandle,
+		    OPEN_FLAGS, kcred, &handle_impl->devhandle,
 		    ldi_identifier);
 	}
 
@@ -243,7 +243,7 @@ fpc_free_counter_handle(fire_perfreg_handle_t handle)
 {
 	fire_counter_handle_impl_t *handle_impl =
 	    (fire_counter_handle_impl_t *)handle;
-	(void) ldi_close(handle_impl->devhandle, OPEN_FLAGS, credentials);
+	(void) ldi_close(handle_impl->devhandle, OPEN_FLAGS, kcred);
 	kmem_free(handle_impl, sizeof (fire_counter_handle_impl_t));
 	return (SUCCESS);
 }
@@ -281,7 +281,7 @@ fpc_event_io(fire_perfreg_handle_t handle, fire_perfcnt_t group,
 
 	/* Read original value. */
 	if (((rval = ldi_ioctl(handle_impl->devhandle, cmd, (intptr_t)&prg,
-	    FKIOCTL, credentials, &ioctl_rval)) == SUCCESS) && (!is_write)) {
+	    FKIOCTL, kcred, &ioctl_rval)) == SUCCESS) && (!is_write)) {
 		*reg_data = prg.data;
 	}
 
@@ -322,7 +322,7 @@ fpc_counter_io(fire_perfreg_handle_t handle, fire_perfcnt_t group,
 	prg.data = *value;
 
 	if (((rval = ldi_ioctl(handle_impl->devhandle, command, (intptr_t)&prg,
-	    FKIOCTL, credentials, &ioctl_rval)) == SUCCESS) && (!is_write)) {
+	    FKIOCTL, kcred, &ioctl_rval)) == SUCCESS) && (!is_write)) {
 		*value = prg.data;
 	}