17c478bdstevel@tonic-gate/*
27c478bdstevel@tonic-gate * CDDL HEADER START
37c478bdstevel@tonic-gate *
47c478bdstevel@tonic-gate * The contents of this file are subject to the terms of the
5d3e55dcgww * Common Development and Distribution License (the "License").
6d3e55dcgww * You may not use this file except in compliance with the License.
77c478bdstevel@tonic-gate *
87c478bdstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bdstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bdstevel@tonic-gate * See the License for the specific language governing permissions
117c478bdstevel@tonic-gate * and limitations under the License.
127c478bdstevel@tonic-gate *
137c478bdstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bdstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bdstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bdstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bdstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bdstevel@tonic-gate *
197c478bdstevel@tonic-gate * CDDL HEADER END
207c478bdstevel@tonic-gate */
217c478bdstevel@tonic-gate/*
22005d3feMarek Pospisil * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
237c478bdstevel@tonic-gate * Use is subject to license terms.
247c478bdstevel@tonic-gate */
257c478bdstevel@tonic-gate
267c478bdstevel@tonic-gate/*
277c478bdstevel@tonic-gate * Device policy implementation.
287c478bdstevel@tonic-gate *
297c478bdstevel@tonic-gate * Maintains the device policy table and defines the lookup functions.
307c478bdstevel@tonic-gate *
317c478bdstevel@tonic-gate * The table contains one entry for each major device number; each
327c478bdstevel@tonic-gate * major bucket has a list of minor number specific entries.  First
337c478bdstevel@tonic-gate * match gets it.  Not even simple minor names are expanded as that
347c478bdstevel@tonic-gate * would cause the device to be loaded.  Non-wildcard entries are expanded
357c478bdstevel@tonic-gate * on first match. Wildcard entries are matched each open but the actual
367c478bdstevel@tonic-gate * policy is cached with the common snode, so the matching code will
377c478bdstevel@tonic-gate * probably be called infrequently.  The trivial wildcard ``*'' does
387c478bdstevel@tonic-gate * not cause expensive string expansions and matches.
397c478bdstevel@tonic-gate *
407c478bdstevel@tonic-gate * When the policy is updated, the the generation count is increased;
417c478bdstevel@tonic-gate * whenever a cached policy is used, the generation count is compared;
427c478bdstevel@tonic-gate * if there's no match, the device policy is refreshed.
437c478bdstevel@tonic-gate *
447c478bdstevel@tonic-gate * The special policy "nullpolicy" is used to mean "no checking beyond DAC
457c478bdstevel@tonic-gate * needed".  It too will change when the policy is rev'ed to make sure
467c478bdstevel@tonic-gate * that devices with nullpolicy are also refreshed.
477c478bdstevel@tonic-gate *
487c478bdstevel@tonic-gate * The special policy "dfltpolicy" is used for those devices with no
497c478bdstevel@tonic-gate * matching policy.  On boot, it is "all privileges required".
507c478bdstevel@tonic-gate * This restriction on boot functions as a fail-safe; if no device policy
517c478bdstevel@tonic-gate * is loaded a "no restriction policy" would lead to security problems that
527c478bdstevel@tonic-gate * are not immediately noticable.
537c478bdstevel@tonic-gate */
547c478bdstevel@tonic-gate
557c478bdstevel@tonic-gate#include <sys/priv_impl.h>
567c478bdstevel@tonic-gate#include <sys/policy.h>
577c478bdstevel@tonic-gate#include <sys/atomic.h>
587c478bdstevel@tonic-gate#include <sys/autoconf.h>
597c478bdstevel@tonic-gate#include <sys/sysmacros.h>
607c478bdstevel@tonic-gate#include <sys/systm.h>
617c478bdstevel@tonic-gate#include <sys/vnode.h>
627c478bdstevel@tonic-gate#include <sys/devpolicy.h>
637c478bdstevel@tonic-gate#include <sys/priv.h>
647c478bdstevel@tonic-gate#include <sys/kmem.h>
657c478bdstevel@tonic-gate#include <sys/ksynch.h>
667c478bdstevel@tonic-gate#include <sys/errno.h>
677c478bdstevel@tonic-gate#include <sys/sunddi.h>
687c478bdstevel@tonic-gate#include <c2/audit.h>
697c478bdstevel@tonic-gate#include <sys/fs/dv_node.h>
707c478bdstevel@tonic-gate
717c478bdstevel@tonic-gate/*
727c478bdstevel@tonic-gate * Internal data structures definitions.
737c478bdstevel@tonic-gate */
747c478bdstevel@tonic-gate
757c478bdstevel@tonic-gatetypedef struct devplcyent devplcyent_t;
767c478bdstevel@tonic-gate
777c478bdstevel@tonic-gate/*
787c478bdstevel@tonic-gate * The device policy entry; if there is an expression string, the
797c478bdstevel@tonic-gate * minor numbers are not relevant.  This is indicated by dpe_len > 0.
807c478bdstevel@tonic-gate */
817c478bdstevel@tonic-gatestruct devplcyent {
827c478bdstevel@tonic-gate	devplcyent_t	*dpe_next;	/* next entry in this list */
837c478bdstevel@tonic-gate	devplcy_t	*dpe_plcy;	/* policy for this entry */
847c478bdstevel@tonic-gate	char		*dpe_expr;	/* expression matching minor mode */
857c478bdstevel@tonic-gate	int		dpe_len;	/* size of allocated mem for expr */
867c478bdstevel@tonic-gate	uint32_t	dpe_flags;	/* flags */
877c478bdstevel@tonic-gate	minor_t		dpe_lomin;	/* expanded: low minor number */
887c478bdstevel@tonic-gate	minor_t		dpe_himin;	/* expanded: high minor number */
897c478bdstevel@tonic-gate	vtype_t		dpe_spec;	/* expanded: VBLK or VCHR */
907c478bdstevel@tonic-gate};
917c478bdstevel@tonic-gate
927c478bdstevel@tonic-gate#define	DPE_WILDC	0x01		/* Expression has wildcard */
937c478bdstevel@tonic-gate#define	DPE_ALLMINOR	0x02		/* Matches all minor numbers */
947c478bdstevel@tonic-gate#define	DPE_EXPANDED	0x04		/* Minor numbers expanded */
957c478bdstevel@tonic-gate
967c478bdstevel@tonic-gatetypedef struct tableent {
977c478bdstevel@tonic-gate	devplcyent_t	*t_ent;		/* list of policies by minor */
987c478bdstevel@tonic-gate	major_t		t_major;	/* device major number */
997c478bdstevel@tonic-gate} tableent_t;
1007c478bdstevel@tonic-gate
1017c478bdstevel@tonic-gate/*
1027c478bdstevel@tonic-gate * The data store.
1037c478bdstevel@tonic-gate */
1047c478bdstevel@tonic-gate
1057c478bdstevel@tonic-gatestatic int ntabent;		/* # of major numbers */
1067c478bdstevel@tonic-gatestatic int totitems;		/* Number of entries in all buckets + dflt */
1077c478bdstevel@tonic-gatestatic tableent_t *devpolicy;	/* The device policy itself */
1087c478bdstevel@tonic-gate
1097c478bdstevel@tonic-gatestatic krwlock_t policyrw;	/* protects the table */
1107c478bdstevel@tonic-gatestatic kmutex_t policymutex;	/* allows only one concurrent devpolicy_load */
1117c478bdstevel@tonic-gate
1127c478bdstevel@tonic-gatedevplcy_t *nullpolicy;		/* public because it's used for shortcuts */
1137c478bdstevel@tonic-gatestatic devplcy_t *dfltpolicy;
1147c478bdstevel@tonic-gatestatic devplcy_t *netpolicy;
1157c478bdstevel@tonic-gate
1167c478bdstevel@tonic-gate/*
1177c478bdstevel@tonic-gate * Device policy generation count; only device policies matching the
1187c478bdstevel@tonic-gate * generation count are still valid.
1197c478bdstevel@tonic-gate */
1207c478bdstevel@tonic-gatevolatile uint32_t devplcy_gen;
1217c478bdstevel@tonic-gate
1227c478bdstevel@tonic-gate/*
1237c478bdstevel@tonic-gate * Tunable: maximum number of device policy entries to load in
1247c478bdstevel@tonic-gate * a system call.  (Protects KM_SLEEP call)
1257c478bdstevel@tonic-gate */
1267c478bdstevel@tonic-gateint maxdevpolicy = MAXDEVPOLICY;
1277c478bdstevel@tonic-gate
1287c478bdstevel@tonic-gate/*
1297c478bdstevel@tonic-gate * Initialize the device policy code
1307c478bdstevel@tonic-gate */
1317c478bdstevel@tonic-gatevoid
1327c478bdstevel@tonic-gatedevpolicy_init(void)
1337c478bdstevel@tonic-gate{
1347c478bdstevel@tonic-gate	rw_init(&policyrw, NULL, RW_DRIVER, NULL);
1357c478bdstevel@tonic-gate	mutex_init(&policymutex, NULL, MUTEX_DRIVER, NULL);
1367c478bdstevel@tonic-gate
1377c478bdstevel@tonic-gate	/* The mutex is held here in order to satisfy the ASSERT in dpget() */
1387c478bdstevel@tonic-gate	mutex_enter(&policymutex);
1397c478bdstevel@tonic-gate
1407c478bdstevel@tonic-gate	nullpolicy = dpget();
1417c478bdstevel@tonic-gate	dfltpolicy = dpget();
1427c478bdstevel@tonic-gate	netpolicy = dpget();
1437c478bdstevel@tonic-gate
1447c478bdstevel@tonic-gate	/*
1457c478bdstevel@tonic-gate	 * Initially, we refuse access to all devices except
1467c478bdstevel@tonic-gate	 * to processes with all privileges.
1477c478bdstevel@tonic-gate	 */
1487c478bdstevel@tonic-gate	priv_fillset(&dfltpolicy->dp_rdp);
1497c478bdstevel@tonic-gate	priv_fillset(&dfltpolicy->dp_wrp);
1507c478bdstevel@tonic-gate
1517c478bdstevel@tonic-gate	totitems = 1;
1527c478bdstevel@tonic-gate
1537c478bdstevel@tonic-gate	devplcy_gen++;
1547c478bdstevel@tonic-gate	mutex_exit(&policymutex);
1557c478bdstevel@tonic-gate
1567c478bdstevel@tonic-gate	/* initialize default network privilege */
1577c478bdstevel@tonic-gate	priv_emptyset(&netpolicy->dp_rdp);
1587c478bdstevel@tonic-gate	priv_emptyset(&netpolicy->dp_wrp);
1597c478bdstevel@tonic-gate	priv_addset(&netpolicy->dp_rdp, PRIV_NET_RAWACCESS);
1607c478bdstevel@tonic-gate	priv_addset(&netpolicy->dp_wrp, PRIV_NET_RAWACCESS);
1617c478bdstevel@tonic-gate}
1627c478bdstevel@tonic-gate
1637c478bdstevel@tonic-gate/*
1647c478bdstevel@tonic-gate * Devpolicy reference counting/allocation routines.
1657c478bdstevel@tonic-gate * cf. crget()/crhold()/crfree().
1667c478bdstevel@tonic-gate */
1677c478bdstevel@tonic-gatedevplcy_t *
1687c478bdstevel@tonic-gatedpget(void)
1697c478bdstevel@tonic-gate{
1707c478bdstevel@tonic-gate	devplcy_t *dp = kmem_zalloc(sizeof (*dp), KM_SLEEP);
1717c478bdstevel@tonic-gate
1727c478bdstevel@tonic-gate	ASSERT(MUTEX_HELD(&policymutex));
1737c478bdstevel@tonic-gate
1747c478bdstevel@tonic-gate	dp->dp_ref = 1;
1757c478bdstevel@tonic-gate	/* New ones belong to the next generation */
1767c478bdstevel@tonic-gate	dp->dp_gen = devplcy_gen + 1;
1777c478bdstevel@tonic-gate	return (dp);
1787c478bdstevel@tonic-gate}
1797c478bdstevel@tonic-gate
1807c478bdstevel@tonic-gatevoid
1817c478bdstevel@tonic-gatedphold(devplcy_t *dp)
1827c478bdstevel@tonic-gate{
1837c478bdstevel@tonic-gate	ASSERT(dp->dp_ref != 0xdeadbeef && dp->dp_ref != 0);
1841a5e258Josef 'Jeff' Sipek	atomic_inc_32(&dp->dp_ref);
1857c478bdstevel@tonic-gate}
1867c478bdstevel@tonic-gate
1877c478bdstevel@tonic-gatevoid
1887c478bdstevel@tonic-gatedpfree(devplcy_t *dp)
1897c478bdstevel@tonic-gate{
1907c478bdstevel@tonic-gate	ASSERT(dp->dp_ref != 0xdeadbeef && dp->dp_ref != 0);
1911a5e258Josef 'Jeff' Sipek	if (atomic_dec_32_nv(&dp->dp_ref) == 0)
1927c478bdstevel@tonic-gate		kmem_free(dp, sizeof (*dp));
1937c478bdstevel@tonic-gate}
1947c478bdstevel@tonic-gate
1957c478bdstevel@tonic-gate/*
1967c478bdstevel@tonic-gate * Find the policy that matches this device.
1977c478bdstevel@tonic-gate */
1987c478bdstevel@tonic-gatestatic devplcy_t *
1997c478bdstevel@tonic-gatematch_policy(devplcyent_t *de, dev_t dev, vtype_t spec)
2007c478bdstevel@tonic-gate{
2017c478bdstevel@tonic-gate	char *mname = NULL;
2027c478bdstevel@tonic-gate	minor_t min = getminor(dev);
2037c478bdstevel@tonic-gate
2047c478bdstevel@tonic-gate	for (; de != NULL; de = de->dpe_next) {
2057c478bdstevel@tonic-gate		if (de->dpe_flags & DPE_ALLMINOR)
2067c478bdstevel@tonic-gate			break;
2077c478bdstevel@tonic-gate
2087c478bdstevel@tonic-gate		if (de->dpe_flags & DPE_EXPANDED) {
2097c478bdstevel@tonic-gate			if (min >= de->dpe_lomin && min <= de->dpe_himin &&
2107c478bdstevel@tonic-gate			    spec == de->dpe_spec) {
2117c478bdstevel@tonic-gate				break;
2127c478bdstevel@tonic-gate			} else {
2137c478bdstevel@tonic-gate				continue;
2147c478bdstevel@tonic-gate			}
2157c478bdstevel@tonic-gate		}
2167c478bdstevel@tonic-gate
2177c478bdstevel@tonic-gate		/*
2187c478bdstevel@tonic-gate		 * We now need the minor name to match string or
2197c478bdstevel@tonic-gate		 * simle regexp.  Could we use csp->s_dip and not
2207c478bdstevel@tonic-gate		 * allocate a string here?
2217c478bdstevel@tonic-gate		 */
2227c478bdstevel@tonic-gate		if (mname == NULL &&
2237c478bdstevel@tonic-gate		    ddi_lyr_get_minor_name(dev, spec, &mname) != DDI_SUCCESS)
2247c478bdstevel@tonic-gate			/* mname can be set after the function fails */
2257c478bdstevel@tonic-gate			return (dfltpolicy);
2267c478bdstevel@tonic-gate
2277c478bdstevel@tonic-gate		/* Simple wildcard, with only one ``*'' */
2287c478bdstevel@tonic-gate		if (de->dpe_flags & DPE_WILDC) {
2297c478bdstevel@tonic-gate			int plen = de->dpe_len - 1;
2307c478bdstevel@tonic-gate			int slen = strlen(mname);
2317c478bdstevel@tonic-gate			char *pp = de->dpe_expr;
2327c478bdstevel@tonic-gate			char *sp = mname;
2337c478bdstevel@tonic-gate
2347c478bdstevel@tonic-gate			/* string must be at least as long as pattern w/o '*' */
2357c478bdstevel@tonic-gate			if (slen < plen - 1)
2367c478bdstevel@tonic-gate				continue;
2377c478bdstevel@tonic-gate
2387c478bdstevel@tonic-gate			/* skip prefix */
2397c478bdstevel@tonic-gate			while (*pp == *sp && *pp != '\0') {
2407c478bdstevel@tonic-gate				pp++;
2417c478bdstevel@tonic-gate				sp++;
2427c478bdstevel@tonic-gate			}
2437c478bdstevel@tonic-gate			/* matched single '*' */
2447c478bdstevel@tonic-gate			if (*pp == '\0')
2457c478bdstevel@tonic-gate				if (*sp == '\0')
2467c478bdstevel@tonic-gate					break;
2477c478bdstevel@tonic-gate				else
2487c478bdstevel@tonic-gate					continue;
2497c478bdstevel@tonic-gate			if (*pp != '*')
2507c478bdstevel@tonic-gate				continue;
2517c478bdstevel@tonic-gate
2527c478bdstevel@tonic-gate			pp++;
2537c478bdstevel@tonic-gate			/*
2547c478bdstevel@tonic-gate			 * skip characters matched by '*': difference of
2557c478bdstevel@tonic-gate			 * length of s and length of pattern sans '*'
2567c478bdstevel@tonic-gate			 */
2577c478bdstevel@tonic-gate			sp += slen - (plen - 1);
2587c478bdstevel@tonic-gate			if (strcmp(pp, sp) == 0) 	/* match! */
2597c478bdstevel@tonic-gate				break;
2607c478bdstevel@tonic-gate
2617c478bdstevel@tonic-gate		} else if (strcmp(de->dpe_expr, mname) == 0) {
2627c478bdstevel@tonic-gate			/* Store minor number, if no contention */
2637c478bdstevel@tonic-gate			if (rw_tryupgrade(&policyrw)) {
2647c478bdstevel@tonic-gate				de->dpe_lomin = de->dpe_himin = min;
2657c478bdstevel@tonic-gate				de->dpe_spec = spec;
2667c478bdstevel@tonic-gate				de->dpe_flags |= DPE_EXPANDED;
2677c478bdstevel@tonic-gate			}
2687c478bdstevel@tonic-gate			break;
2697c478bdstevel@tonic-gate		}
2707c478bdstevel@tonic-gate
2717c478bdstevel@tonic-gate	}
2727c478bdstevel@tonic-gate
2737c478bdstevel@tonic-gate	if (mname != NULL)
2747c478bdstevel@tonic-gate		kmem_free(mname, strlen(mname) + 1);
2757c478bdstevel@tonic-gate
2767c478bdstevel@tonic-gate	return (de != NULL ? de->dpe_plcy : dfltpolicy);
2777c478bdstevel@tonic-gate}
2787c478bdstevel@tonic-gate
2797c478bdstevel@tonic-gatestatic int
2807c478bdstevel@tonic-gatedevpolicyent_bymajor(major_t maj)
2817c478bdstevel@tonic-gate{
2827c478bdstevel@tonic-gate	int lo, hi;
2837c478bdstevel@tonic-gate
2847c478bdstevel@tonic-gate	ASSERT(RW_LOCK_HELD(&policyrw));
2857c478bdstevel@tonic-gate
2867c478bdstevel@tonic-gate	lo = 0;
2877c478bdstevel@tonic-gate	hi = ntabent - 1;
2887c478bdstevel@tonic-gate
2897c478bdstevel@tonic-gate	/* Binary search for major number */
2907c478bdstevel@tonic-gate	while (lo <= hi) {
2917c478bdstevel@tonic-gate		int mid = (lo + hi) / 2;
2927c478bdstevel@tonic-gate
2937c478bdstevel@tonic-gate		if (devpolicy[mid].t_major == maj)
2947c478bdstevel@tonic-gate			return (mid);
2957c478bdstevel@tonic-gate		else if (maj < devpolicy[mid].t_major)
2967c478bdstevel@tonic-gate			hi = mid - 1;
2977c478bdstevel@tonic-gate		else
2987c478bdstevel@tonic-gate			lo = mid + 1;
2997c478bdstevel@tonic-gate	}
3007c478bdstevel@tonic-gate	return (-1);
3017c478bdstevel@tonic-gate}
3027c478bdstevel@tonic-gate
3037c478bdstevel@tonic-gate/*
3047c478bdstevel@tonic-gate * Returns held device policy for the specific device node.
3057c478bdstevel@tonic-gate * Note devfs_devpolicy returns with a hold on the policy.
3067c478bdstevel@tonic-gate */
3077c478bdstevel@tonic-gatedevplcy_t *
3087c478bdstevel@tonic-gatedevpolicy_find(vnode_t *vp)
3097c478bdstevel@tonic-gate{
3107c478bdstevel@tonic-gate	dev_t dev = vp->v_rdev;
3117c478bdstevel@tonic-gate	vtype_t spec = vp->v_type;
3127c478bdstevel@tonic-gate	major_t maj = getmajor(dev);
3137c478bdstevel@tonic-gate	int i;
3147c478bdstevel@tonic-gate	devplcy_t *res;
3157c478bdstevel@tonic-gate
3167c478bdstevel@tonic-gate	if (maj == clone_major)
3177c478bdstevel@tonic-gate		maj = getminor(dev);
3187c478bdstevel@tonic-gate
3197c478bdstevel@tonic-gate	rw_enter(&policyrw, RW_READER);
3207c478bdstevel@tonic-gate
3217c478bdstevel@tonic-gate	i = devpolicyent_bymajor(maj);
3227c478bdstevel@tonic-gate
3237c478bdstevel@tonic-gate	if (i != -1) {
3247c478bdstevel@tonic-gate		res = match_policy(devpolicy[i].t_ent, dev, spec);
3257c478bdstevel@tonic-gate		dphold(res);
3267c478bdstevel@tonic-gate	} else if (devfs_devpolicy(vp, &res) != 0) {
3277c478bdstevel@tonic-gate		res = NETWORK_DRV(maj) ? netpolicy : dfltpolicy;
3287c478bdstevel@tonic-gate		dphold(res);
3297c478bdstevel@tonic-gate	}
3307c478bdstevel@tonic-gate
3317c478bdstevel@tonic-gate	rw_exit(&policyrw);
3327c478bdstevel@tonic-gate
3337c478bdstevel@tonic-gate	return (res);
3347c478bdstevel@tonic-gate}
3357c478bdstevel@tonic-gate
3367c478bdstevel@tonic-gatestatic devplcyent_t *
3377c478bdstevel@tonic-gateparse_policy(devplcysys_t *ds, devplcy_t *nullp, devplcy_t *defp)
3387c478bdstevel@tonic-gate{
3397c478bdstevel@tonic-gate	devplcyent_t *de = kmem_zalloc(sizeof (*de), KM_SLEEP);
3407c478bdstevel@tonic-gate	devplcy_t *np;
3417c478bdstevel@tonic-gate
3427c478bdstevel@tonic-gate	if (priv_isemptyset(&ds->dps_rdp) && priv_isemptyset(&ds->dps_wrp))
3437c478bdstevel@tonic-gate		dphold(np = nullp);
3447c478bdstevel@tonic-gate	else if (defp != nullp &&
345d3e55dcgww	    priv_isequalset(&ds->dps_rdp, &defp->dp_rdp) &&
346d3e55dcgww	    priv_isequalset(&ds->dps_wrp, &defp->dp_wrp))
3477c478bdstevel@tonic-gate		dphold(np = defp);
3487c478bdstevel@tonic-gate	else {
3497c478bdstevel@tonic-gate		np = dpget();
3507c478bdstevel@tonic-gate		np->dp_rdp = ds->dps_rdp;
3517c478bdstevel@tonic-gate		np->dp_wrp = ds->dps_wrp;
3527c478bdstevel@tonic-gate	}
3537c478bdstevel@tonic-gate
3547c478bdstevel@tonic-gate	if (ds->dps_minornm[0] != '\0') {
3557c478bdstevel@tonic-gate		de->dpe_len = strlen(ds->dps_minornm) + 1;
3567c478bdstevel@tonic-gate
3577c478bdstevel@tonic-gate		if (strchr(ds->dps_minornm, '*') != NULL) {
3587c478bdstevel@tonic-gate			if (de->dpe_len == 2) {		/* "*\0" */
3597c478bdstevel@tonic-gate				de->dpe_flags = DPE_ALLMINOR;
3607c478bdstevel@tonic-gate				de->dpe_len = 0;
3617c478bdstevel@tonic-gate			} else
3627c478bdstevel@tonic-gate				de->dpe_flags = DPE_WILDC;
3637c478bdstevel@tonic-gate		}
3647c478bdstevel@tonic-gate		if (de->dpe_len != 0) {
3657c478bdstevel@tonic-gate			de->dpe_expr = kmem_alloc(de->dpe_len, KM_SLEEP);
3667c478bdstevel@tonic-gate			(void) strcpy(de->dpe_expr, ds->dps_minornm);
3677c478bdstevel@tonic-gate		}
3687c478bdstevel@tonic-gate	} else {
3697c478bdstevel@tonic-gate		de->dpe_lomin = ds->dps_lomin;
3707c478bdstevel@tonic-gate		de->dpe_himin = ds->dps_himin;
3717c478bdstevel@tonic-gate		de->dpe_flags = DPE_EXPANDED;
3727c478bdstevel@tonic-gate		de->dpe_spec = ds->dps_isblock ? VBLK : VCHR;
3737c478bdstevel@tonic-gate	}
3747c478bdstevel@tonic-gate	de->dpe_plcy = np;
3757c478bdstevel@tonic-gate
3767c478bdstevel@tonic-gate	ASSERT((de->dpe_flags & (DPE_ALLMINOR|DPE_EXPANDED)) ||
377d3e55dcgww	    de->dpe_expr != NULL);
3787c478bdstevel@tonic-gate
3797c478bdstevel@tonic-gate	return (de);
3807c478bdstevel@tonic-gate}
3817c478bdstevel@tonic-gate
3827c478bdstevel@tonic-gatestatic void
3837c478bdstevel@tonic-gatefreechain(devplcyent_t *de)
3847c478bdstevel@tonic-gate{
3857c478bdstevel@tonic-gate	devplcyent_t *dn;
3867c478bdstevel@tonic-gate
3877c478bdstevel@tonic-gate	do {
3887c478bdstevel@tonic-gate		dn = de->dpe_next;
3897c478bdstevel@tonic-gate		dpfree(de->dpe_plcy);
3907c478bdstevel@tonic-gate		if (de->dpe_len != 0)
3917c478bdstevel@tonic-gate			kmem_free(de->dpe_expr, de->dpe_len);
3927c478bdstevel@tonic-gate		kmem_free(de, sizeof (*de));
3937c478bdstevel@tonic-gate		de = dn;
3947c478bdstevel@tonic-gate	} while (de != NULL);
3957c478bdstevel@tonic-gate}
3967c478bdstevel@tonic-gate
3977c478bdstevel@tonic-gate/*
3987c478bdstevel@tonic-gate * Load the device policy.
3997c478bdstevel@tonic-gate * The device policy currently makes nu distinction between the
4007c478bdstevel@tonic-gate * block and characters devices; that is generally not a problem
4017c478bdstevel@tonic-gate * as the names of those devices cannot clash.
4027c478bdstevel@tonic-gate */
4037c478bdstevel@tonic-gateint
4047c478bdstevel@tonic-gatedevpolicy_load(int nitems, size_t sz, devplcysys_t *uitmp)
4057c478bdstevel@tonic-gate{
4067c478bdstevel@tonic-gate	int i, j;
4077c478bdstevel@tonic-gate	int nmaj = 0;
4087c478bdstevel@tonic-gate	major_t lastmajor;
4097c478bdstevel@tonic-gate	devplcysys_t *items;
4107c478bdstevel@tonic-gate	size_t mem;
4117c478bdstevel@tonic-gate	major_t curmaj;
4127c478bdstevel@tonic-gate	devplcyent_t **last, *de;
4137c478bdstevel@tonic-gate
4147c478bdstevel@tonic-gate	tableent_t *newpolicy, *oldpolicy;
4157c478bdstevel@tonic-gate	devplcy_t *newnull, *newdflt, *oldnull, *olddflt;
4167c478bdstevel@tonic-gate	int oldcnt;
4177c478bdstevel@tonic-gate	int lastlen;
4187c478bdstevel@tonic-gate	int lastwild;
4197c478bdstevel@tonic-gate
420c6f039cToomas Soome	/* gcc 9 can't figure out that the "i == 1" test protects all */
4217c478bdstevel@tonic-gate	lastlen = 0;
4227c478bdstevel@tonic-gate	lastwild = 0;
4237c478bdstevel@tonic-gate	lastmajor = 0;
424c6f039cToomas Soome	newpolicy = NULL;
425c6f039cToomas Soome
4267c478bdstevel@tonic-gate	/*
4277c478bdstevel@tonic-gate	 * The application must agree with the kernel on the size of each
4287c478bdstevel@tonic-gate	 * item; it must not exceed the maximum number and must be
4297c478bdstevel@tonic-gate	 * at least 1 item in size.
4307c478bdstevel@tonic-gate	 */
4317c478bdstevel@tonic-gate	if (sz != sizeof (devplcysys_t) || nitems > maxdevpolicy || nitems < 1)
4327c478bdstevel@tonic-gate		return (EINVAL);
4337c478bdstevel@tonic-gate
4347c478bdstevel@tonic-gate	mem = nitems * sz;
4357c478bdstevel@tonic-gate
4367c478bdstevel@tonic-gate	items = kmem_alloc(mem, KM_SLEEP);
4377c478bdstevel@tonic-gate
4387c478bdstevel@tonic-gate	if (copyin(uitmp, items, mem)) {
4397c478bdstevel@tonic-gate		kmem_free(items, mem);
4407c478bdstevel@tonic-gate		return (EFAULT);
4417c478bdstevel@tonic-gate	}
4427c478bdstevel@tonic-gate
4437c478bdstevel@tonic-gate	/* Check for default policy, it must exist and be sorted first */
4447c478bdstevel@tonic-gate	if (items[0].dps_maj != DEVPOLICY_DFLT_MAJ) {
4457c478bdstevel@tonic-gate		kmem_free(items, mem);
4467c478bdstevel@tonic-gate		return (EINVAL);
4477c478bdstevel@tonic-gate	}
4487c478bdstevel@tonic-gate
4497c478bdstevel@tonic-gate	/*
4507c478bdstevel@tonic-gate	 * Application must deliver entries sorted.
4517c478bdstevel@tonic-gate	 * Sorted meaning here:
4527c478bdstevel@tonic-gate	 *	In major number order
4537c478bdstevel@tonic-gate	 *	For each major number, we first need to have the explicit
4547c478bdstevel@tonic-gate	 *	entries, then the wild card entries, longest first.
4557c478bdstevel@tonic-gate	 */
4567c478bdstevel@tonic-gate	for (i = 1; i < nitems; i++) {
4577c478bdstevel@tonic-gate		int len, wild;
4587c478bdstevel@tonic-gate		char *tmp;
4597c478bdstevel@tonic-gate
4607c478bdstevel@tonic-gate		curmaj = items[i].dps_maj;
4617c478bdstevel@tonic-gate		len = strlen(items[i].dps_minornm);
4627c478bdstevel@tonic-gate		wild = len > 0 &&
463d3e55dcgww		    (tmp = strchr(items[i].dps_minornm, '*')) != NULL;
4647c478bdstevel@tonic-gate
4657c478bdstevel@tonic-gate		/* Another default major, string too long or too many ``*'' */
4667c478bdstevel@tonic-gate		if (curmaj == DEVPOLICY_DFLT_MAJ ||
4677c478bdstevel@tonic-gate		    len >= sizeof (items[i].dps_minornm) ||
4687c478bdstevel@tonic-gate		    wild && strchr(tmp + 1, '*') != NULL) {
4697c478bdstevel@tonic-gate			kmem_free(items, mem);
4707c478bdstevel@tonic-gate			return (EINVAL);
4717c478bdstevel@tonic-gate		}
4727c478bdstevel@tonic-gate		if (i == 1 || lastmajor < curmaj) {
4737c478bdstevel@tonic-gate			lastmajor = curmaj;
4747c478bdstevel@tonic-gate			nmaj++;
4757c478bdstevel@tonic-gate		} else if (lastmajor > curmaj || lastwild > wild ||
476d3e55dcgww		    lastwild && lastlen < len) {
4777c478bdstevel@tonic-gate			kmem_free(items, mem);
4787c478bdstevel@tonic-gate			return (EINVAL);
4797c478bdstevel@tonic-gate		}
4807c478bdstevel@tonic-gate		lastlen = len;
4817c478bdstevel@tonic-gate		lastwild = wild;
4827c478bdstevel@tonic-gate	}
4837c478bdstevel@tonic-gate
484005d3feMarek Pospisil	if (AU_AUDITING())
4857c478bdstevel@tonic-gate		audit_devpolicy(nitems, items);
4867c478bdstevel@tonic-gate
4877c478bdstevel@tonic-gate	/*
4887c478bdstevel@tonic-gate	 * Parse the policy.  We create an array for all major numbers
4897c478bdstevel@tonic-gate	 * and in each major number bucket we'll have a linked list of
4907c478bdstevel@tonic-gate	 * entries.  Each item may contain either a lo,hi minor pair
4917c478bdstevel@tonic-gate	 * or a string/wild card matching a minor node.
4927c478bdstevel@tonic-gate	 */
4937c478bdstevel@tonic-gate	if (nmaj > 0)
4947c478bdstevel@tonic-gate		newpolicy = kmem_zalloc(nmaj * sizeof (tableent_t), KM_SLEEP);
4957c478bdstevel@tonic-gate
4967c478bdstevel@tonic-gate	/*
4977c478bdstevel@tonic-gate	 * We want to lock out concurrent updates but we don't want to
4987c478bdstevel@tonic-gate	 * lock out device opens while we still need to allocate memory.
4997c478bdstevel@tonic-gate	 * As soon as we allocate new devplcy_t's we commit to the next
5007c478bdstevel@tonic-gate	 * generation number, so we must lock out other updates from here.
5017c478bdstevel@tonic-gate	 */
5027c478bdstevel@tonic-gate	mutex_enter(&policymutex);
5037c478bdstevel@tonic-gate
5047c478bdstevel@tonic-gate	/* New default and NULL policy */
5057c478bdstevel@tonic-gate	newnull = dpget();
5067c478bdstevel@tonic-gate
5077c478bdstevel@tonic-gate	if (priv_isemptyset(&items[0].dps_rdp) &&
5087c478bdstevel@tonic-gate	    priv_isemptyset(&items[0].dps_wrp)) {
5097c478bdstevel@tonic-gate		newdflt = newnull;
5107c478bdstevel@tonic-gate		dphold(newdflt);
5117c478bdstevel@tonic-gate	} else {
5127c478bdstevel@tonic-gate		newdflt = dpget();
5137c478bdstevel@tonic-gate		newdflt->dp_rdp = items[0].dps_rdp;
5147c478bdstevel@tonic-gate		newdflt->dp_wrp = items[0].dps_wrp;
5157c478bdstevel@tonic-gate	}
5167c478bdstevel@tonic-gate
5177c478bdstevel@tonic-gate	j = -1;
5187c478bdstevel@tonic-gate
5197c478bdstevel@tonic-gate	/* Userland made sure sorting was ok */
5207c478bdstevel@tonic-gate	for (i = 1; i < nitems; i++) {
5217c478bdstevel@tonic-gate		de = parse_policy(&items[i], newnull, newdflt);
5227c478bdstevel@tonic-gate
5237c478bdstevel@tonic-gate		if (j == -1 || curmaj != items[i].dps_maj) {
5247c478bdstevel@tonic-gate			j++;
5257c478bdstevel@tonic-gate			newpolicy[j].t_major = curmaj = items[i].dps_maj;
5267c478bdstevel@tonic-gate			last = &newpolicy[j].t_ent;
5277c478bdstevel@tonic-gate		}
5287c478bdstevel@tonic-gate		*last = de;
5297c478bdstevel@tonic-gate		last = &de->dpe_next;
5307c478bdstevel@tonic-gate	}
5317c478bdstevel@tonic-gate
5327c478bdstevel@tonic-gate	/* Done parsing, throw away input */
5337c478bdstevel@tonic-gate	kmem_free(items, mem);
5347c478bdstevel@tonic-gate
5357c478bdstevel@tonic-gate	/* Lock out all devpolicy_find()s */
5367c478bdstevel@tonic-gate	rw_enter(&policyrw, RW_WRITER);
5377c478bdstevel@tonic-gate
5387c478bdstevel@tonic-gate	/* Install the new global data */
5397c478bdstevel@tonic-gate	oldnull = nullpolicy;
5407c478bdstevel@tonic-gate	nullpolicy = newnull;
5417c478bdstevel@tonic-gate
5427c478bdstevel@tonic-gate	olddflt = dfltpolicy;
5437c478bdstevel@tonic-gate	dfltpolicy = newdflt;
5447c478bdstevel@tonic-gate
5457c478bdstevel@tonic-gate	oldcnt = ntabent;
5467c478bdstevel@tonic-gate	ntabent = nmaj;
5477c478bdstevel@tonic-gate
5487c478bdstevel@tonic-gate	totitems = nitems;
5497c478bdstevel@tonic-gate
5507c478bdstevel@tonic-gate	oldpolicy = devpolicy;
5517c478bdstevel@tonic-gate	devpolicy = newpolicy;
5527c478bdstevel@tonic-gate
5537c478bdstevel@tonic-gate	/* Force all calls by devpolicy_find() */
5547c478bdstevel@tonic-gate	devplcy_gen++;
5557c478bdstevel@tonic-gate
5567c478bdstevel@tonic-gate	/* Reenable policy finds */
5577c478bdstevel@tonic-gate	rw_exit(&policyrw);
5587c478bdstevel@tonic-gate	mutex_exit(&policymutex);
5597c478bdstevel@tonic-gate
5607c478bdstevel@tonic-gate	/* Free old stuff */
5617c478bdstevel@tonic-gate	if (oldcnt != 0) {
5627c478bdstevel@tonic-gate		for (i = 0; i < oldcnt; i++)
5637c478bdstevel@tonic-gate			freechain(oldpolicy[i].t_ent);
5647c478bdstevel@tonic-gate		kmem_free(oldpolicy, oldcnt * sizeof (*oldpolicy));
5657c478bdstevel@tonic-gate	}
5667c478bdstevel@tonic-gate
5677c478bdstevel@tonic-gate	dpfree(oldnull);
5687c478bdstevel@tonic-gate	dpfree(olddflt);
5697c478bdstevel@tonic-gate
5707c478bdstevel@tonic-gate	return (0);
5717c478bdstevel@tonic-gate}
5727c478bdstevel@tonic-gate
5737c478bdstevel@tonic-gate/*
5747c478bdstevel@tonic-gate * Get device policy: argument one is a pointer to an integer holding
5757c478bdstevel@tonic-gate * the number of items allocated for the 3rd argument; the size argument
5767c478bdstevel@tonic-gate * is a revision check between kernel and userland.
5777c478bdstevel@tonic-gate */
5787c478bdstevel@tonic-gateint
5797c478bdstevel@tonic-gatedevpolicy_get(int *nitemp, size_t sz, devplcysys_t *uitmp)
5807c478bdstevel@tonic-gate{
5817c478bdstevel@tonic-gate	int i;
5827c478bdstevel@tonic-gate	devplcyent_t *de;
5837c478bdstevel@tonic-gate	devplcysys_t *itmp;
5847c478bdstevel@tonic-gate	int ind;
5857c478bdstevel@tonic-gate	int nitems;
5867c478bdstevel@tonic-gate	int err = 0;
5877c478bdstevel@tonic-gate	size_t alloced;
5887c478bdstevel@tonic-gate
5897c478bdstevel@tonic-gate	if (sz != sizeof (devplcysys_t))
5907c478bdstevel@tonic-gate		return (EINVAL);
5917c478bdstevel@tonic-gate
5927c478bdstevel@tonic-gate	if (copyin(nitemp, &nitems, sizeof (nitems)))
5937c478bdstevel@tonic-gate		return (EFAULT);
5947c478bdstevel@tonic-gate
5957c478bdstevel@tonic-gate	rw_enter(&policyrw, RW_READER);
5967c478bdstevel@tonic-gate
5977c478bdstevel@tonic-gate	if (copyout(&totitems, nitemp, sizeof (totitems)))
5987c478bdstevel@tonic-gate		err = EFAULT;
5997c478bdstevel@tonic-gate	else if (nitems < totitems)
6007c478bdstevel@tonic-gate		err = ENOMEM;
6017c478bdstevel@tonic-gate
6027c478bdstevel@tonic-gate	if (err != 0) {
6037c478bdstevel@tonic-gate		rw_exit(&policyrw);
6047c478bdstevel@tonic-gate		return (err);
6057c478bdstevel@tonic-gate	}
6067c478bdstevel@tonic-gate
6077c478bdstevel@tonic-gate	alloced = totitems * sizeof (devplcysys_t);
6087c478bdstevel@tonic-gate	itmp = kmem_zalloc(alloced, KM_SLEEP);
6097c478bdstevel@tonic-gate
6107c478bdstevel@tonic-gate	itmp[0].dps_rdp = dfltpolicy->dp_rdp;
6117c478bdstevel@tonic-gate	itmp[0].dps_wrp = dfltpolicy->dp_wrp;
6127c478bdstevel@tonic-gate	itmp[0].dps_maj = DEVPOLICY_DFLT_MAJ;
6137c478bdstevel@tonic-gate
6147c478bdstevel@tonic-gate	ind = 1;
6157c478bdstevel@tonic-gate
6167c478bdstevel@tonic-gate	for (i = 0; i < ntabent; i++) {
6177c478bdstevel@tonic-gate		for (de = devpolicy[i].t_ent; de != NULL; de = de->dpe_next) {
6187c478bdstevel@tonic-gate			itmp[ind].dps_maj = devpolicy[i].t_major;
6197c478bdstevel@tonic-gate			itmp[ind].dps_rdp = de->dpe_plcy->dp_rdp;
6207c478bdstevel@tonic-gate			itmp[ind].dps_wrp = de->dpe_plcy->dp_wrp;
6217c478bdstevel@tonic-gate			if (de->dpe_len)
6227c478bdstevel@tonic-gate				(void) strcpy(itmp[ind].dps_minornm,
623d3e55dcgww				    de->dpe_expr);
6247c478bdstevel@tonic-gate			else if (de->dpe_flags & DPE_ALLMINOR)
6257c478bdstevel@tonic-gate				(void) strcpy(itmp[ind].dps_minornm, "*");
6267c478bdstevel@tonic-gate			else {
6277c478bdstevel@tonic-gate				itmp[ind].dps_lomin = de->dpe_lomin;
6287c478bdstevel@tonic-gate				itmp[ind].dps_himin = de->dpe_himin;
6297c478bdstevel@tonic-gate				itmp[ind].dps_isblock = de->dpe_spec == VBLK;
6307c478bdstevel@tonic-gate			}
6317c478bdstevel@tonic-gate			ind++;
6327c478bdstevel@tonic-gate		}
6337c478bdstevel@tonic-gate	}
6347c478bdstevel@tonic-gate
6357c478bdstevel@tonic-gate	rw_exit(&policyrw);
6367c478bdstevel@tonic-gate
6377c478bdstevel@tonic-gate	if (copyout(itmp, uitmp, alloced))
6387c478bdstevel@tonic-gate		err = EFAULT;
6397c478bdstevel@tonic-gate
6407c478bdstevel@tonic-gate	kmem_free(itmp, alloced);
6417c478bdstevel@tonic-gate	return (err);
6427c478bdstevel@tonic-gate}
6437c478bdstevel@tonic-gate
6447c478bdstevel@tonic-gate/*
6457c478bdstevel@tonic-gate * Get device policy by device name.
6467c478bdstevel@tonic-gate * This is the implementation of MODGETDEVPOLICYBYNAME
6477c478bdstevel@tonic-gate */
6487c478bdstevel@tonic-gateint
6497c478bdstevel@tonic-gatedevpolicy_getbyname(size_t sz, devplcysys_t *uitmp, char *devname)
6507c478bdstevel@tonic-gate{
6517c478bdstevel@tonic-gate	devplcysys_t itm;
6527c478bdstevel@tonic-gate	devplcy_t *plcy;
6537c478bdstevel@tonic-gate	vtype_t spec;
6547c478bdstevel@tonic-gate	vnode_t *vp;
6557c478bdstevel@tonic-gate
6567c478bdstevel@tonic-gate	if (sz != sizeof (devplcysys_t))
6577c478bdstevel@tonic-gate		return (EINVAL);
6587c478bdstevel@tonic-gate
6597c478bdstevel@tonic-gate	if (lookupname(devname, UIO_USERSPACE, FOLLOW,
6607c478bdstevel@tonic-gate	    NULLVPP, &vp) != 0)
6617c478bdstevel@tonic-gate		return (EINVAL);
6627c478bdstevel@tonic-gate
6637c478bdstevel@tonic-gate	spec = vp->v_type;
6647c478bdstevel@tonic-gate	if (spec != VBLK && spec != VCHR) {
6657c478bdstevel@tonic-gate		VN_RELE(vp);
6667c478bdstevel@tonic-gate		return (EINVAL);
6677c478bdstevel@tonic-gate	}
6687c478bdstevel@tonic-gate
6697c478bdstevel@tonic-gate	plcy = devpolicy_find(vp);
6707c478bdstevel@tonic-gate	VN_RELE(vp);
6717c478bdstevel@tonic-gate
6727c478bdstevel@tonic-gate	bzero(&itm, sizeof (itm));
6737c478bdstevel@tonic-gate
6747c478bdstevel@tonic-gate	/* These are the only values of interest */
6757c478bdstevel@tonic-gate	itm.dps_rdp = plcy->dp_rdp;
6767c478bdstevel@tonic-gate	itm.dps_wrp = plcy->dp_wrp;
6777c478bdstevel@tonic-gate
6787c478bdstevel@tonic-gate	dpfree(plcy);
6797c478bdstevel@tonic-gate
6807c478bdstevel@tonic-gate	if (copyout(&itm, uitmp, sz))
6817c478bdstevel@tonic-gate		return (EFAULT);
6827c478bdstevel@tonic-gate	else
6837c478bdstevel@tonic-gate		return (0);
6847c478bdstevel@tonic-gate}
6857c478bdstevel@tonic-gate
6867c478bdstevel@tonic-gatestatic void
6877c478bdstevel@tonic-gatepriv_str_to_set(const char *priv_name, priv_set_t *priv_set)
6887c478bdstevel@tonic-gate{
6897c478bdstevel@tonic-gate	if (priv_name == NULL || strcmp(priv_name, "none") == 0) {
6907c478bdstevel@tonic-gate		priv_emptyset(priv_set);
6917c478bdstevel@tonic-gate	} else if (strcmp(priv_name, "all") == 0) {
6927c478bdstevel@tonic-gate		priv_fillset(priv_set);
6937c478bdstevel@tonic-gate	} else {
6947c478bdstevel@tonic-gate		int priv;
6957c478bdstevel@tonic-gate		priv = priv_getbyname(priv_name, PRIV_ALLOC);
6967c478bdstevel@tonic-gate		if (priv < 0) {
6977c478bdstevel@tonic-gate			cmn_err(CE_WARN, "fail to allocate privilege: %s",
6987c478bdstevel@tonic-gate			    priv_name);
6997c478bdstevel@tonic-gate			return;
7007c478bdstevel@tonic-gate		}
7017c478bdstevel@tonic-gate		priv_emptyset(priv_set);
7027c478bdstevel@tonic-gate		priv_addset(priv_set, priv);
7037c478bdstevel@tonic-gate	}
7047c478bdstevel@tonic-gate}
7057c478bdstevel@tonic-gate
7067c478bdstevel@tonic-gate/*
7077c478bdstevel@tonic-gate * Return device privileges by privilege name
7087c478bdstevel@tonic-gate * Called by ddi_create_priv_minor_node()
7097c478bdstevel@tonic-gate */
7107c478bdstevel@tonic-gatedevplcy_t *
7117c478bdstevel@tonic-gatedevpolicy_priv_by_name(const char *read_priv, const char *write_priv)
7127c478bdstevel@tonic-gate{
7137c478bdstevel@tonic-gate	devplcy_t *dp;
7147c478bdstevel@tonic-gate	mutex_enter(&policymutex);
7157c478bdstevel@tonic-gate	dp = dpget();
7167c478bdstevel@tonic-gate	mutex_exit(&policymutex);
7177c478bdstevel@tonic-gate	priv_str_to_set(read_priv, &dp->dp_rdp);
7187c478bdstevel@tonic-gate	priv_str_to_set(write_priv, &dp->dp_wrp);
7197c478bdstevel@tonic-gate
7207c478bdstevel@tonic-gate	return (dp);
7217c478bdstevel@tonic-gate}
722