PSARC/2007/218 caller_context_t in all VOPs

PSARC/2007/227 VFS Feature Registration and ACL on Create
PSARC/2007/244 ZFS Case-insensitive support
PSARC/2007/315 Extensible Attribute Interfaces
PSARC/2007/394 ls(1) new command line options '-/' and '-%': CIFS system attributes support
PSARC/2007/403 Modified Access Checks for CIFS
PSARC/2007/410 Add system attribute support to chmod(1)
PSARC/2007/432 CIFS system attributes support for cp(1), pack(1), unpack(1), compress(1) and uncompress(1)
PSARC/2007/444 Rescind SETTABLE Attribute
PSARC/2007/459 CIFS system attributes support for cpio(1), pax(1), tar(1)
PSARC/2007/546 Update utilities to match CIFS system attributes changes.
PSARC/2007/560 ZFS sharesmb property
4890717 want append-only files
6417428 Case-insensitive file system name lookup to support CIFS
6417435 DOS attributes and additional timestamps to support for CIFS
6417442 File system quarantined and modified attributes to support an integrated Anti-Virus service
6417453 FS boolean property for rejecting/allowing invalid UTF-8 sequences in file names
6473733 RFE: Need support for open-deny modes
6473755 RFE:  Need ability to reconcile oplock and delegation conflicts
6494624 sharemgr needs to support CIFS shares better
6546705 All vnode operations need to pass caller_context_t
6546706 Need VOP_SETATTR/VOP_GETATTR to support new, optional attributes
6546893 Solaris system attribute support
6550962 ZFS ACL inheritance needs to be enhanced to support Automatic Inheritance
6553589 RFE: VFS Feature Registration facility
6553770 RFE: ZFS support for ACL-on-CREATE (PSARC 2007/227)
6565581 ls(1) should support file system attributes proposed in PSARC/2007/315
6566784 NTFS streams are not copied along with the files.
6576205 cp(1), pack(1) and compress(1) should support file system attributes proposed in PSARC/2007/315
6578875 RFE: kernel interfaces for nbmand need improvement
6578883 RFE: VOP_SHRLOCK needs additional access types
6578885 chmod(1) should support file system attributes proposed in PSARC/2007/315
6578886 RFE: disallow nbmand state to change on remount
6583349 ACL parser needs to support audit/alarm ACE types
6590347 tar(1) should support filesystem attributes proposed in PSARC/2007/315
6597357 *tar* xv@ doesn't show the hidden directory even though it is restored
6597360 *tar* should re-init xattr info if openat() fails during extraction of and extended attribute
6597368 *tar* cannot restore hard linked extended attributes
6597374 *tar* doesn't display "x " when hard linked attributes are restored
6597375 *tar* extended attribute header off by one
6614861 *cpio* incorrectly archives extended system attributes with -@
6614896 *pax* incorrectly archives extended system attributes with -@
6615225 *tar* incorrectly archives extended system attributes with -@
6617183 CIFS Service - PSARC 2006/715

1 files changed, 41 insertions, 12 deletions

diff --git a/usr/src/uts/common/os/cred.c b/usr/src/uts/common/os/cred.c
index 349c4f3c12..c6a1f1fabb 100644
--- a/usr/src/uts/common/os/cred.c
+++ b/usr/src/uts/common/os/cred.c
@@ -56,11 +56,13 @@
 #include <sys/prsystm.h>
 #include <sys/modctl.h>
 #include <sys/avl.h>
+#include <sys/door.h>
 #include <c2/audit.h>
 #include <sys/zone.h>
 #include <sys/tsol/label.h>
 #include <sys/sid.h>
 #include <sys/idmap.h>
+#include <sys/varargs.h>
 
 typedef struct ephidmap_data {
 	uid_t		min_uid, last_uid;
@@ -1028,8 +1030,8 @@ eph_gid_alloc(int flags, gid_t *start, int count)
 }
 
 /*
- * If the credential contains any ephemeral IDs, map the credential
- * to nobody.
+ * If the credential user SID or group SID is mapped to an ephemeral
+ * ID, map the credential to nobody.
  */
 cred_t *
 crgetmapped(const cred_t *cr)
@@ -1042,15 +1044,11 @@ crgetmapped(const cred_t *cr)
 		return (NULL);
 
 	if (cr->cr_ksid != NULL) {
-		int i;
-
-		for (i = 0; i < KSID_COUNT; i++)
-			if (cr->cr_ksid->kr_sidx[i].ks_id > MAXUID)
-				return (ephemeral_data.nobody);
-		if (cr->cr_ksid->kr_sidlist != NULL &&
-		    cr->cr_ksid->kr_sidlist->ksl_neid > 0) {
-				return (ephemeral_data.nobody);
-		}
+		if (cr->cr_ksid->kr_sidx[KSID_USER].ks_id > MAXUID)
+			return (ephemeral_data.nobody);
+
+		if (cr->cr_ksid->kr_sidx[KSID_GROUP].ks_id > MAXUID)
+			return (ephemeral_data.nobody);
 	}
 
 	return ((cred_t *)cr);
@@ -1088,7 +1086,38 @@ crgetsid(const cred_t *cr, int i)
 ksidlist_t *
 crgetsidlist(const cred_t *cr)
 {
-	if (cr->cr_ksid != NULL && cr->cr_ksid->kr_sidlist != NULL)
+	if (cr->cr_ksid != NULL)
 		return (cr->cr_ksid->kr_sidlist);
 	return (NULL);
 }
+
+/*
+ * Interface to set the effective and permitted privileges for
+ * a credential; this interface does no security checks and is
+ * intended for kernel (file)servers creating credentials with
+ * specific privileges.
+ */
+int
+crsetpriv(cred_t *cr, ...)
+{
+	va_list ap;
+	const char *privnm;
+
+	ASSERT(cr->cr_ref <= 2);
+
+	priv_set_PA(cr);
+
+	va_start(ap, cr);
+
+	while ((privnm = va_arg(ap, const char *)) != NULL) {
+		int priv = priv_getbyname(privnm, 0);
+		if (priv < 0)
+			return (-1);
+
+		priv_addset(&CR_PPRIV(cr), priv);
+		priv_addset(&CR_EPRIV(cr), priv);
+	}
+	priv_adjust_PA(cr);
+	va_end(ap);
+	return (0);
+}