changeset 3673:5bba3401c7f4
6516265 an exclusive zone with "limitpriv" other than "default" will panic the machine
6518710 sbd will not run with IP Instances putback to snv_57
author | dh155122 |
---|---|
date | Sat, 17 Feb 2007 22:21:28 -0800 |
parents | c5a5c46b417f |
children | e0608a068bd6 |
files | usr/src/cmd/zoneadmd/vplat.c usr/src/head/libzonecfg.h usr/src/lib/brand/lx/zone/config.xml usr/src/lib/brand/native/zone/config.xml usr/src/lib/brand/sn1/zone/config.xml usr/src/lib/libbrand/common/libbrand.c usr/src/lib/libbrand/common/libbrand.h usr/src/lib/libbrand/dtd/brand.dtd.1 usr/src/lib/libzonecfg/common/libzonecfg.c usr/src/pkgdefs/SUNWhea/prototype_com usr/src/pkgdefs/etc/exception_list_i386 usr/src/pkgdefs/etc/exception_list_sparc |
diffstat | 12 files changed, 110 insertions(+), 43 deletions(-) [+] |
--- a/usr/src/cmd/zoneadmd/vplat.c Fri Feb 16 22:50:16 2007 -0800 +++ b/usr/src/cmd/zoneadmd/vplat.c Sat Feb 17 22:21:28 2007 -0800 @@ -2809,7 +2809,25 @@ } if (mount_cmd) { - if (zonecfg_default_privset(privs) == Z_OK) + zone_iptype_t iptype; + const char *curr_iptype; + + if (zonecfg_get_iptype(handle, &iptype) != Z_OK) { + zerror(zlogp, B_TRUE, "unable to determine ip-type"); + zonecfg_fini_handle(handle); + return (-1); + } + + switch (iptype) { + case ZS_SHARED: + curr_iptype = "shared"; + break; + case ZS_EXCLUSIVE: + curr_iptype = "exclusive"; + break; + } + + if (zonecfg_default_privset(privs, curr_iptype) == Z_OK) return (0); zerror(zlogp, B_FALSE, "failed to determine the zone's default privilege set"); @@ -3920,17 +3938,6 @@ return (-1); } priv_emptyset(privs); - if (iptype == ZS_EXCLUSIVE) { - /* - * add PRIV_NET_RAWACCESS and PRIV_SYS_IP_CONFIG - */ - if (priv_addset(privs, PRIV_NET_RAWACCESS) != 0 || - priv_addset(privs, PRIV_SYS_IP_CONFIG) != 0) { - zerror(zlogp, B_TRUE, - "Failed to add networking privileges"); - goto error; - } - } if (get_privset(zlogp, privs, mount_cmd) != 0) goto error;
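Review bot: The new `switch (iptype)` in the mount_cmd path has no `default:` case, so `curr_iptype` is left indeterminate and handed to zonecfg_default_privset() should zonecfg_get_iptype() ever return a zone_iptype_t value other than ZS_SHARED or ZS_EXCLUSIVE; libzonecfg then passes that pointer to strcmp() in priv_lists_cb(). Adding `default: zerror(zlogp, B_FALSE, "unsupported ip-type"); zonecfg_fini_handle(handle); return (-1);` (or initializing `curr_iptype = NULL` and rejecting it before the call) closes the hole with the same cleanup the hunk already uses for the zonecfg_get_iptype() failure. The identical switch added to zonecfg_get_privset() in libzonecfg.c has the same gap and would return `Z_INVAL` there. The enclosing function starts and ends outside this hunk.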
--- a/usr/src/head/libzonecfg.h	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/head/libzonecfg.h	Sat Feb 17 22:21:28 2007 -0800
@@ -470,7 +470,7 @@
 /*
  * Privilege-related functions.
  */
-extern int zonecfg_default_privset(priv_set_t *);
+extern int zonecfg_default_privset(priv_set_t *, const char *);
 extern int zonecfg_get_privset(zone_dochandle_t, priv_set_t *, char **);
 extern int zonecfg_get_limitpriv(zone_dochandle_t, char **);
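Review bot: The new `const char *` parameter of zonecfg_default_privset() is undocumented in the header, and because it is a string rather than the zone_iptype_t that zonecfg_get_iptype() already produces, both callers in this changeset (vplat.c and zonecfg_get_privset() in libzonecfg.c) carry their own copy of the same enum-to-string switch. Taking zone_iptype_t here, or at least stating the accepted values, would remove that duplication; at minimum a comment such as `/* curr_iptype is "shared" or "exclusive"; matched against the brand's privilege ip-type attribute */` belongs next to the prototype.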
--- a/usr/src/lib/brand/lx/zone/config.xml	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/lib/brand/lx/zone/config.xml	Sat Feb 17 22:21:28 2007 -0800
@@ -20,7 +20,7 @@
 CDDL HEADER END
 
-Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
 
 ident "%Z%%M% %I% %E% SMI"
@@ -79,6 +79,7 @@
 <privilege set="prohibited" name="proc_zone" />
 <privilege set="prohibited" name="sys_config" />
 <privilege set="prohibited" name="sys_devices" />
+<privilege set="prohibited" name="sys_ip_config" />
 <privilege set="prohibited" name="sys_linkdir" />
 <privilege set="prohibited" name="sys_net_config" />
 <privilege set="prohibited" name="sys_res_config" />
--- a/usr/src/lib/brand/native/zone/config.xml	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/lib/brand/native/zone/config.xml	Sat Feb 17 22:21:28 2007 -0800
@@ -20,7 +20,7 @@
 CDDL HEADER END
 
-Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
 
 ident "%Z%%M% %I% %E% SMI"
@@ -62,6 +62,7 @@
 <privilege set="default" name="net_icmpaccess" />
 <privilege set="default" name="net_mac_aware" />
 <privilege set="default" name="net_privaddr" />
+<privilege set="default" name="net_rawaccess" ip-type="exclusive" />
 <privilege set="default" name="proc_chroot" />
 <privilege set="default" name="sys_audit" />
 <privilege set="default" name="proc_audit" />
@@ -71,6 +72,7 @@
 <privilege set="default" name="proc_taskid" />
 <privilege set="default" name="sys_acct" />
 <privilege set="default" name="sys_admin" />
+<privilege set="default" name="sys_ip_config" ip-type="exclusive" />
 <privilege set="default" name="sys_mount" />
 <privilege set="default" name="sys_nfs" />
 <privilege set="default" name="sys_resource" />
@@ -79,6 +81,7 @@
 <privilege set="prohibited" name="proc_zone" />
 <privilege set="prohibited" name="sys_config" />
 <privilege set="prohibited" name="sys_devices" />
+<privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
 <privilege set="prohibited" name="sys_linkdir" />
 <privilege set="prohibited" name="sys_net_config" />
 <privilege set="prohibited" name="sys_res_config" />
@@ -86,5 +89,6 @@
 <privilege set="required" name="proc_exec" />
 <privilege set="required" name="proc_fork" />
+<privilege set="required" name="sys_ip_config" ip-type="exclusive" />
 <privilege set="required" name="sys_mount" />
 </brand>
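Review bot: Nothing in config.xml records that the four ip-type qualified entries replace the PRIV_NET_RAWACCESS/PRIV_SYS_IP_CONFIG additions this changeset removes from zoneadmd's vplat.c, nor that the three sys_ip_config lines (default and required for exclusive, prohibited for shared) are one policy; a brand author reading this file later has no cue that they belong together or why sys_ip_config must never reach a shared-IP zone. An XML comment above the first qualified entry, e.g. `<!-- ip-type qualified entries: exclusive-IP zones get net_rawaccess and sys_ip_config by default (sys_ip_config required); shared-IP zones may never be given sys_ip_config via limitpriv -->`, would make the policy explicit. The sn1 config.xml below carries the identical entries and the same comment applies there.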
--- a/usr/src/lib/brand/sn1/zone/config.xml	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/lib/brand/sn1/zone/config.xml	Sat Feb 17 22:21:28 2007 -0800
@@ -20,7 +20,7 @@
 CDDL HEADER END
 
-Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
 
 ident "%Z%%M% %I% %E% SMI"
@@ -62,6 +62,7 @@
 <privilege set="default" name="net_icmpaccess" />
 <privilege set="default" name="net_mac_aware" />
 <privilege set="default" name="net_privaddr" />
+<privilege set="default" name="net_rawaccess" ip-type="exclusive" />
 <privilege set="default" name="proc_chroot" />
 <privilege set="default" name="sys_audit" />
 <privilege set="default" name="proc_audit" />
@@ -71,6 +72,7 @@
 <privilege set="default" name="proc_taskid" />
 <privilege set="default" name="sys_acct" />
 <privilege set="default" name="sys_admin" />
+<privilege set="default" name="sys_ip_config" ip-type="exclusive" />
 <privilege set="default" name="sys_mount" />
 <privilege set="default" name="sys_nfs" />
 <privilege set="default" name="sys_resource" />
@@ -79,6 +81,7 @@
 <privilege set="prohibited" name="proc_zone" />
 <privilege set="prohibited" name="sys_config" />
 <privilege set="prohibited" name="sys_devices" />
+<privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
 <privilege set="prohibited" name="sys_linkdir" />
 <privilege set="prohibited" name="sys_net_config" />
 <privilege set="prohibited" name="sys_res_config" />
@@ -86,5 +89,6 @@
 <privilege set="required" name="proc_exec" />
 <privilege set="required" name="proc_fork" />
+<privilege set="required" name="sys_ip_config" ip-type="exclusive" />
 <privilege set="required" name="sys_mount" />
 </brand>
--- a/usr/src/lib/libbrand/common/libbrand.c Fri Feb 16 22:50:16 2007 -0800 +++ b/usr/src/lib/libbrand/common/libbrand.c Sat Feb 17 22:21:28 2007 -0800 @@ -577,12 +577,13 @@ * specified callback for each. Returns 0 on success, or -1 on failure. */ int -brand_config_iter_privilege(brand_handle_t bh, int (*func)(void *, - const char *, const char *), void *data) +brand_config_iter_privilege(brand_handle_t bh, + int (*func)(void *, priv_iter_t *), void *data) { struct brand_handle *bhp = (struct brand_handle *)bh; xmlNodePtr node; - xmlChar *name, *set; + xmlChar *name, *set, *iptype; + priv_iter_t priv_iter; int ret; if ((node = xmlDocGetRootElement(bhp->bh_config)) == NULL) @@ -595,19 +596,27 @@ name = xmlGetProp(node, DTD_ATTR_NAME); set = xmlGetProp(node, DTD_ATTR_SET); + iptype = xmlGetProp(node, DTD_ATTR_IPTYPE); - if (name == NULL || set == NULL) { + if (name == NULL || set == NULL || iptype == NULL) { if (name != NULL) xmlFree(name); if (set != NULL) xmlFree(set); + if (iptype != NULL) + xmlFree(iptype); return (-1); } - ret = func(data, (const char *)name, (const char *)set); + priv_iter.pi_name = (char *)name; + priv_iter.pi_set = (char *)set; + priv_iter.pi_iptype = (char *)iptype; + + ret = func(data, &priv_iter); xmlFree(name); xmlFree(set); + xmlFree(iptype); if (ret != 0) return (-1);
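Review bot: The widened `if (name == NULL || set == NULL || iptype == NULL)` makes brand_config_iter_privilege() fail the entire iteration for any privilege element without an explicit ip-type attribute, and almost every entry in the brand config files omits it; this only works if the brand document was parsed with DTD attribute defaults applied (libxml2's XML_PARSE_DTDATTR, or validation) so that the DTD's "all" default is materialized, and the parse call is not in this hunk, so I could not confirm it. Treating an absent attribute as "all" in code, e.g. `if (iptype == NULL) iptype = xmlStrdup((const xmlChar *)"all");` placed before the NULL check (the existing check then also covers allocation failure), makes the iterator independent of parser options; failing that, a comment stating the dependency on DTD defaults belongs next to the xmlGetProp call. The remainder of the loop (node advance and return) is outside this hunk.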
--- a/usr/src/lib/libbrand/common/libbrand.h Fri Feb 16 22:50:16 2007 -0800 +++ b/usr/src/lib/libbrand/common/libbrand.h Sat Feb 17 22:21:28 2007 -0800 @@ -37,6 +37,12 @@ typedef struct __brand_handle *brand_handle_t; +typedef struct priv_iter_s { + char *pi_name; + char *pi_set; + char *pi_iptype; +} priv_iter_t; + extern brand_handle_t brand_open(const char *); extern void brand_close(brand_handle_t); @@ -62,7 +68,7 @@ char *, size_t, int, char **); extern int brand_config_iter_privilege(brand_handle_t, - int (*func)(void *, const char *, const char *), void *); + int (*func)(void *, priv_iter_t *), void *); extern int brand_platform_iter_devices(brand_handle_t, const char *, int (*)(void *, const char *, const char *), void *, const char *);
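Review bot: priv_iter_t hands the callback three bare `char *` members, but libbrand.c frees all three with xmlFree() as soon as the callback returns and the strings are xmlChar buffers the callback has no business modifying; neither the ownership nor the lifetime is written anywhere, and the non-const type invites a callback to retain or edit them. Declaring the members `const char *` (the libbrand.c casts would change to match) and adding a comment on the struct, `/* Strings are owned by libbrand and valid only for the duration of the callback; copy, never retain or modify. */`, would document the contract the implementation already enforces.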
--- a/usr/src/lib/libbrand/dtd/brand.dtd.1	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/lib/libbrand/dtd/brand.dtd.1	Sat Feb 17 22:21:28 2007 -0800
@@ -20,7 +20,7 @@
 CDDL HEADER END
 
-Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
 
 ident "%Z%%M% %I% %E% SMI"
@@ -206,22 +206,30 @@ privilege Add a privilege to the default, prohibited, or required set for all - zones of this brand. If a privilege is added to the default set all - zones of this brand on the system will inherit this privilege unless - the privilege is removed via limitpriv in zonecfg(1m). If a - privilege is added to the prohibited set it can not be added to - any zones via limitpriv in zonecfg(1m). If a privilege is added - to the required set then all zones of this brand on the system - will inherit this privilege and it can't be removed via limitpriv in - zonecfg(1m). + zones of this brand with ip-type matched. If a privilege is added + to the default set all zones of this brand with ip-type matched on + the system will inherit this privilege unless the privilege is + removed via limitpriv in zonecfg(1m). If a privilege is added to + the prohibited set it can not be added to any zones with ip-type + matched via limitpriv in zonecfg(1m). If a privilege is added to + the required set then all zones of this brand with ip-type matched + on the system will inherit this privilege and it can't be removed via + limitpriv in zonecfg(1m). Its attributes are set The name of the set the privilege should go into. name The name of the privilege. + ip-type Optional, indicates that adding of the privilege to the + set only applies to certain IP types. Can be "shared" or + "exclusive". If it is not specified, the default value + "all" will be used, which means it is applicable regardless + the IP type. + --> <!ELEMENT privilege (#PCDATA) > <!ATTLIST privilege set ( default | prohibited | required ) #REQUIRED - name CDATA #REQUIRED > + name CDATA #REQUIRED + ip-type ( shared | exclusive ) "all" > <!-- brand
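Review bot: The new `ip-type ( shared | exclusive ) "all"` declaration gives an enumerated attribute a default that is not one of its enumerated tokens, which breaks the XML 1.0 validity constraint "Attribute Default Legal"; a validating parser or DTD checker will report the DTD as invalid, even though a non-validating parse that merely applies defaults will still hand the string "all" to libzonecfg's `strcmp(priv_iter->pi_iptype, "all")`. Declaring `ip-type ( shared | exclusive | all ) "all"` keeps the code path unchanged and makes the DTD valid; the prose above would then also list "all" as an accepted explicit value rather than only as the implicit default.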
--- a/usr/src/lib/libzonecfg/common/libzonecfg.c Fri Feb 16 22:50:16 2007 -0800 +++ b/usr/src/lib/libzonecfg/common/libzonecfg.c Sat Feb 17 22:21:28 2007 -0800 @@ -4592,30 +4592,42 @@ /* Privileges required for all non-global zones of a brand */ struct priv_node *pl_required; + + /* + * ip-type of the zone these privileges lists apply to. + * It is used to pass ip-type to the callback function, + * priv_lists_cb, which has no way of getting the ip-type. + */ + const char *pl_iptype; } priv_lists_t; static int -priv_lists_cb(void *data, const char *name, const char *set) +priv_lists_cb(void *data, priv_iter_t *priv_iter) { priv_lists_t *plp = (priv_lists_t *)data; priv_node_t *pnp; + /* Skip this privilege if ip-type does not match */ + if ((strcmp(priv_iter->pi_iptype, "all") != 0) && + (strcmp(priv_iter->pi_iptype, plp->pl_iptype) != 0)) + return (0); + /* Allocate a new priv list node. */ if ((pnp = malloc(sizeof (*pnp))) == NULL) return (-1); - if ((pnp->pn_priv = strdup(name)) == NULL) { + if ((pnp->pn_priv = strdup(priv_iter->pi_name)) == NULL) { free(pnp); return (-1); } /* Insert the new priv list node into the right list */ - if (strcmp(set, "default") == 0) { + if (strcmp(priv_iter->pi_set, "default") == 0) { pnp->pn_next = plp->pl_default; plp->pl_default = pnp; - } else if (strcmp(set, "prohibited") == 0) { + } else if (strcmp(priv_iter->pi_set, "prohibited") == 0) { pnp->pn_next = plp->pl_prohibited; plp->pl_prohibited = pnp; - } else if (strcmp(set, "required") == 0) { + } else if (strcmp(priv_iter->pi_set, "required") == 0) { pnp->pn_next = plp->pl_required; plp->pl_required = pnp; } else { @@ -4652,7 +4664,8 @@ } static int -priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp) +priv_lists_create(zone_dochandle_t handle, priv_lists_t **plpp, + const char *curr_iptype) { priv_lists_t *plp; brand_handle_t bh; 
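Review bot: priv_lists_cb() passes `plp->pl_iptype` to strcmp() for every brand entry whose ip-type is not "all", but nothing checks that priv_lists_create() was given a non-NULL `curr_iptype`; a caller of zonecfg_default_privset() passing NULL ends in strcmp(…, NULL), which is undefined behavior, rather than a clean error. A guard at the top of priv_lists_create(), `if (curr_iptype == NULL) return (Z_INVAL);`, keeps the failure inside libzonecfg's error-code convention before the callback can run. The body of priv_lists_create() past its declarations is outside this hunk.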
@@ -4673,6 +4686,8 @@ return (Z_NOMEM); } + plp->pl_iptype = curr_iptype; + /* construct the privilege lists */ if (brand_config_iter_privilege(bh, priv_lists_cb, plp) != 0) { priv_lists_destroy(plp); @@ -4707,12 +4722,12 @@ } int -zonecfg_default_privset(priv_set_t *privs) +zonecfg_default_privset(priv_set_t *privs, const char *curr_iptype) { priv_lists_t *plp; int ret; - if ((ret = priv_lists_create(NULL, &plp)) != Z_OK) + if ((ret = priv_lists_create(NULL, &plp, curr_iptype)) != Z_OK) return (ret); ret = get_default_privset(privs, plp); priv_lists_destroy(plp); @@ -4861,6 +4876,8 @@ priv_lists_t *plp; char *cp, *limitpriv = NULL; int err, limitlen; + zone_iptype_t iptype; + const char *curr_iptype; /* * Attempt to lookup the "limitpriv" property. If it does not @@ -4870,7 +4887,19 @@ if ((err = zonecfg_get_limitpriv(handle, &limitpriv)) != Z_OK) return (err); - if ((err = priv_lists_create(handle, &plp)) != Z_OK) + if ((err = zonecfg_get_iptype(handle, &iptype)) != Z_OK) + return (err); + + switch (iptype) { + case ZS_SHARED: + curr_iptype = "shared"; + break; + case ZS_EXCLUSIVE: + curr_iptype = "exclusive"; + break; + } + + if ((err = priv_lists_create(handle, &plp, curr_iptype)) != Z_OK) return (err); limitlen = strlen(limitpriv);
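Review bot: The new early return after zonecfg_get_iptype() in zonecfg_get_privset() leaves `limitpriv` unreleased; zonecfg_get_limitpriv() has just filled it and the code that follows (`limitlen = strlen(limitpriv);`) treats it as a string this function owns, so if it is a heap copy — the matching free is outside the hunk and I could not confirm it — the new path leaks it, exactly as the pre-existing priv_lists_create() failure return already does. Changing the new return to `free(limitpriv); return (err);`, and the priv_lists_create() one to match, closes both paths. The rest of zonecfg_get_privset() is outside this hunk.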
--- a/usr/src/pkgdefs/SUNWhea/prototype_com	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/pkgdefs/SUNWhea/prototype_com	Sat Feb 17 22:21:28 2007 -0800
@@ -145,6 +145,7 @@
 f none usr/include/inet/ip6.h 644 root bin
 f none usr/include/inet/ip6_asp.h 644 root bin
 f none usr/include/inet/ipclassifier.h 644 root bin
+f none usr/include/inet/ipdrop.h 644 root bin
 f none usr/include/inet/ipp_common.h 644 root bin
 d none usr/include/inet/kssl 755 root bin
 f none usr/include/inet/kssl/ksslapi.h 644 root bin
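Review bot: Delivering usr/include/inet/ipdrop.h in SUNWhea turns a header that both exception lists explicitly kept out of the shipped product into part of the installed interface surface, and nothing in the prototype entry or the commit description says which consumer needs it or whether its contents are meant to be stable; the 6518710 synopsis (sbd with IP Instances) is the only hint. A sentence in the description naming the consumer would let the next person judge whether the header can return to the exception lists once that consumer no longer needs it.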
--- a/usr/src/pkgdefs/etc/exception_list_i386	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/pkgdefs/etc/exception_list_i386	Sat Feb 17 22:21:28 2007 -0800
@@ -361,7 +361,6 @@
 usr/include/inet/tcp_impl.h i386
 usr/include/inet/ip_impl.h i386
 usr/include/inet/ip_ndp.h i386
-usr/include/inet/ipdrop.h i386
 usr/include/inet/tun.h i386
 usr/include/protocols/ripngd.h i386
 usr/include/libmail.h i386
--- a/usr/src/pkgdefs/etc/exception_list_sparc	Fri Feb 16 22:50:16 2007 -0800
+++ b/usr/src/pkgdefs/etc/exception_list_sparc	Sat Feb 17 22:21:28 2007 -0800
@@ -350,7 +350,6 @@
 usr/include/inet/tcp_impl.h sparc
 usr/include/inet/ip_impl.h sparc
 usr/include/inet/ip_ndp.h sparc
-usr/include/inet/ipdrop.h sparc
 usr/include/inet/tun.h sparc
 usr/include/protocols/ripngd.h sparc
 usr/include/libmail.h sparc