Mercurial Mercurial > upstream > illumos > illumos-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
PSARC/2010/181 PRIV_SYS_RES_BIND privilege
author<gerald.jelinek@sun.com>
Tue, 25 May 2010 16:50:45 -0600
changeset 12494 15439b11d535
parent 12493 89ce40422cea
child 12495 70fe32c3ce31
PSARC/2010/181 PRIV_SYS_RES_BIND privilege 6953849 need ability to bind to processor sets from within a zone
usr/src/uts/common/os/policy.c file | annotate | diff | comparison | revisions
usr/src/uts/common/os/priv_defs file | annotate | diff | comparison | revisions
usr/src/uts/common/sys/policy.h file | annotate | diff | comparison | revisions
usr/src/uts/common/syscall/pset.c file | annotate | diff | comparison | revisions 
--- a/usr/src/uts/common/os/policy.c	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/os/policy.c	Tue May 25 16:50:45 2010 -0600
@@ -1672,6 +1672,17 @@
 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
 }
 
+/*
+ * Processor set binding.
+ */
+int
+secpolicy_pbind(const cred_t *cr)
+{
+	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
+		return (secpolicy_pset(cr));
+	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
+}
+
 int
 secpolicy_ponline(const cred_t *cr)
 {
--- a/usr/src/uts/common/os/priv_defs	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/os/priv_defs	Tue May 25 16:50:45 2010 -0600
@@ -431,8 +431,13 @@
 	Allows a process to create and destroy PPP (sppp) interfaces.
 	Allows a process to configure PPP tunnels (sppptun).
 
+privilege PRIV_SYS_RES_BIND
+
+	Allows a process to bind processes to processor sets.
+
 privilege PRIV_SYS_RES_CONFIG
 
+	Allows all that PRIV_SYS_RES_BIND allows.
 	Allows a process to create and delete processor sets, assign
 	CPUs to processor sets and override the PSET_NOESCAPE property.
 	Allows a process to change the operational status of CPUs in
--- a/usr/src/uts/common/sys/policy.h	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/sys/policy.h	Tue May 25 16:50:45 2010 -0600
@@ -118,6 +118,7 @@
 boolean_t secpolicy_net_reply_equal(const cred_t *);
 int secpolicy_newproc(const cred_t *);
 int secpolicy_nfs(const cred_t *);
+int secpolicy_pbind(const cred_t *);
 int secpolicy_pcfs_modify_bootpartition(const cred_t *);
 int secpolicy_pfexec_register(const cred_t *);
 int secpolicy_ponline(const cred_t *);
--- a/usr/src/uts/common/syscall/pset.c	Tue May 25 14:25:21 2010 -0600
+++ b/usr/src/uts/common/syscall/pset.c	Tue May 25 16:50:45 2010 -0600
@@ -19,8 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 #include <sys/types.h>
@@ -283,7 +282,7 @@
 		 * PSET_NOESCAPE attribute.
 		 */
 		if ((tp->t_cpupart->cp_attr & PSET_NOESCAPE) &&
-		    secpolicy_pset(CRED()) != 0)
+		    secpolicy_pbind(CRED()) != 0)
 			return (EPERM);
 		if ((error = cpupart_bind_thread(tp, pset, 0,
 		    projbuf, zonebuf)) == 0)
@@ -561,7 +560,7 @@
 		if (cpupart_get_cpus(&pset, NULL, NULL) != 0) {
 			pool_unlock();
 			return (set_errno(EINVAL));
-		} else if (pset != PS_NONE && secpolicy_pset(CRED()) != 0) {
+		} else if (pset != PS_NONE && secpolicy_pbind(CRED()) != 0) {
 			pool_unlock();
 			return (set_errno(EPERM));
 		}
upstream/illumos/illumos-gate