# HG changeset patch
# User <gerald.jelinek@sun.com>
# Date 1274827845 21600
# Node ID 15439b11d535f030b6a1a7d88a8246b9ba270b41
# Parent  89ce40422cea6257e61fa997fa2726cbb63fe989
PSARC/2010/181 PRIV_SYS_RES_BIND privilege
6953849 need ability to bind to processor sets from within a zone

diff -r 89ce40422cea -r 15439b11d535 usr/src/uts/common/os/policy.c
--- a/usr/src/uts/common/os/policy.c	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/os/policy.c	Tue May 25 16:50:45 2010 -0600
@@ -1672,6 +1672,17 @@
 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
 }
 
+/*
+ * Processor set binding.
+ */
+int
+secpolicy_pbind(const cred_t *cr)
+{
+	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
+		return (secpolicy_pset(cr));
+	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
+}
+
 int
 secpolicy_ponline(const cred_t *cr)
 {
diff -r 89ce40422cea -r 15439b11d535 usr/src/uts/common/os/priv_defs
--- a/usr/src/uts/common/os/priv_defs	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/os/priv_defs	Tue May 25 16:50:45 2010 -0600
@@ -431,8 +431,13 @@
 	Allows a process to create and destroy PPP (sppp) interfaces.
 	Allows a process to configure PPP tunnels (sppptun).
 
+privilege PRIV_SYS_RES_BIND
+
+	Allows a process to bind processes to processor sets.
+
 privilege PRIV_SYS_RES_CONFIG
 
+	Allows all that PRIV_SYS_RES_BIND allows.
 	Allows a process to create and delete processor sets, assign
 	CPUs to processor sets and override the PSET_NOESCAPE property.
 	Allows a process to change the operational status of CPUs in
diff -r 89ce40422cea -r 15439b11d535 usr/src/uts/common/sys/policy.h
--- a/usr/src/uts/common/sys/policy.h	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/sys/policy.h	Tue May 25 16:50:45 2010 -0600
@@ -118,6 +118,7 @@
 boolean_t secpolicy_net_reply_equal(const cred_t *);
 int secpolicy_newproc(const cred_t *);
 int secpolicy_nfs(const cred_t *);
+int secpolicy_pbind(const cred_t *);
 int secpolicy_pcfs_modify_bootpartition(const cred_t *);
 int secpolicy_pfexec_register(const cred_t *);
 int secpolicy_ponline(const cred_t *);
diff -r 89ce40422cea -r 15439b11d535 usr/src/uts/common/syscall/pset.c
--- a/usr/src/uts/common/syscall/pset.c	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/syscall/pset.c	Tue May 25 16:50:45 2010 -0600
@@ -19,8 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 #include <sys/types.h>
@@ -283,7 +282,7 @@
 		 * PSET_NOESCAPE attribute.
 		 */
 		if ((tp->t_cpupart->cp_attr & PSET_NOESCAPE) &&
-		    secpolicy_pset(CRED()) != 0)
+		    secpolicy_pbind(CRED()) != 0)
 			return (EPERM);
 		if ((error = cpupart_bind_thread(tp, pset, 0,
 		    projbuf, zonebuf)) == 0)
@@ -561,7 +560,7 @@
 		if (cpupart_get_cpus(&pset, NULL, NULL) != 0) {
 			pool_unlock();
 			return (set_errno(EINVAL));
-		} else if (pset != PS_NONE && secpolicy_pset(CRED()) != 0) {
+		} else if (pset != PS_NONE && secpolicy_pbind(CRED()) != 0) {
 			pool_unlock();
 			return (set_errno(EPERM));
 		}