PSARC/2010/181 PRIV_SYS_RES_BIND privilege
6953849 need ability to bind to processor sets from within a zone
--- a/usr/src/uts/common/os/policy.c Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/os/policy.c Tue May 25 16:50:45 2010 -0600
@@ -1672,6 +1672,17 @@
return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
}
+/*
+ * Processor set binding.
+ */
+int
+secpolicy_pbind(const cred_t *cr)
+{
+ if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
+ return (secpolicy_pset(cr));
+ return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
+}
+
int
secpolicy_ponline(const cred_t *cr)
{
--- a/usr/src/uts/common/os/priv_defs Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/os/priv_defs Tue May 25 16:50:45 2010 -0600
@@ -431,8 +431,13 @@
Allows a process to create and destroy PPP (sppp) interfaces.
Allows a process to configure PPP tunnels (sppptun).
+privilege PRIV_SYS_RES_BIND
+
+ Allows a process to bind processes to processor sets.
+
privilege PRIV_SYS_RES_CONFIG
+ Allows all that PRIV_SYS_RES_BIND allows.
Allows a process to create and delete processor sets, assign
CPUs to processor sets and override the PSET_NOESCAPE property.
Allows a process to change the operational status of CPUs in
--- a/usr/src/uts/common/sys/policy.h Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/sys/policy.h Tue May 25 16:50:45 2010 -0600
@@ -118,6 +118,7 @@
boolean_t secpolicy_net_reply_equal(const cred_t *);
int secpolicy_newproc(const cred_t *);
int secpolicy_nfs(const cred_t *);
+int secpolicy_pbind(const cred_t *);
int secpolicy_pcfs_modify_bootpartition(const cred_t *);
int secpolicy_pfexec_register(const cred_t *);
int secpolicy_ponline(const cred_t *);
--- a/usr/src/uts/common/syscall/pset.c Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/syscall/pset.c Tue May 25 16:50:45 2010 -0600
@@ -19,8 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <sys/types.h>
@@ -283,7 +282,7 @@
* PSET_NOESCAPE attribute.
*/
if ((tp->t_cpupart->cp_attr & PSET_NOESCAPE) &&
- secpolicy_pset(CRED()) != 0)
+ secpolicy_pbind(CRED()) != 0)
return (EPERM);
if ((error = cpupart_bind_thread(tp, pset, 0,
projbuf, zonebuf)) == 0)
@@ -561,7 +560,7 @@
if (cpupart_get_cpus(&pset, NULL, NULL) != 0) {
pool_unlock();
return (set_errno(EINVAL));
- } else if (pset != PS_NONE && secpolicy_pset(CRED()) != 0) {
+ } else if (pset != PS_NONE && secpolicy_pbind(CRED()) != 0) {
pool_unlock();
return (set_errno(EPERM));
}