4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2015, Joyent, Inc. All rights reserved.
24 * Copyright 2023 RackTop Systems, Inc.
30 #include <sys/types.h>
32 #include <sys/vnode.h>
33 #include <sys/fs/snode.h>
43 typedef uint16_t in_port_t
;
47 * Policy routines; in case we check privileges in-line.
51 * audits success & failure
52 * returns 0 on success, error on failure
55 * determines extend of operation
57 * returns a boolean_t indicating success (B_TRUE) or failure.
60 * when auditing is in appropriate (interrupt context)
61 * to determine context of operation
62 * returns a boolean_t indicating success (B_TRUE) or failure.
65 int priv_policy(const cred_t
*, int, boolean_t
, int, const char *);
66 boolean_t
priv_policy_only(const cred_t
*, int, boolean_t
);
67 boolean_t
priv_policy_choice(const cred_t
*, int, boolean_t
);
74 int secpolicy_acct(const cred_t
*);
75 int secpolicy_require_privs(const cred_t
*, const struct priv_set
*);
76 int secpolicy_allow_setid(const cred_t
*, uid_t
, boolean_t
);
77 int secpolicy_audit_config(const cred_t
*);
78 int secpolicy_audit_getattr(const cred_t
*, boolean_t
);
79 int secpolicy_audit_modify(const cred_t
*);
80 int secpolicy_blacklist(const cred_t
*);
81 int secpolicy_chroot(const cred_t
*);
82 int secpolicy_clock_highres(const cred_t
*);
83 int secpolicy_console(const cred_t
*);
84 int secpolicy_contract_identity(const cred_t
*);
85 int secpolicy_contract_observer(const cred_t
*, struct contract
*);
86 boolean_t
secpolicy_contract_observer_choice(const cred_t
*);
87 int secpolicy_contract_event(const cred_t
*);
88 boolean_t
secpolicy_contract_event_choice(const cred_t
*);
89 int secpolicy_coreadm(const cred_t
*);
90 int secpolicy_cpc_cpu(const cred_t
*);
91 int secpolicy_dispadm(const cred_t
*);
92 int secpolicy_error_inject(const cred_t
*);
93 int secpolicy_excl_open(const cred_t
*);
94 int secpolicy_fs_allowed_mount(const char *);
95 int secpolicy_fs_config(const cred_t
*, const struct vfs
*);
96 int secpolicy_fs_linkdir(const cred_t
*, const struct vfs
*);
97 int secpolicy_fs_minfree(const cred_t
*, const struct vfs
*);
98 int secpolicy_fs_mount(cred_t
*, vnode_t
*, struct vfs
*);
99 int secpolicy_fs_quota(const cred_t
*, const struct vfs
*);
100 int secpolicy_fs_unmount(cred_t
*, struct vfs
*);
101 int secpolicy_idmap(const cred_t
*);
102 int secpolicy_ip(const cred_t
*, int, boolean_t
);
103 int secpolicy_ip_config(const cred_t
*, boolean_t
);
104 int secpolicy_dl_config(const cred_t
*);
105 int secpolicy_iptun_config(const cred_t
*);
106 int secpolicy_ipc_access(const cred_t
*, const struct kipc_perm
*, mode_t
);
107 int secpolicy_ipc_config(const cred_t
*);
108 int secpolicy_ipc_owner(const cred_t
*, const struct kipc_perm
*);
109 int secpolicy_kmdb(const cred_t
*);
110 int secpolicy_lock_memory(const cred_t
*);
111 int secpolicy_meminfo(const cred_t
*);
112 int secpolicy_modctl(const cred_t
*, int);
113 int secpolicy_net(const cred_t
*, int, boolean_t
);
114 int secpolicy_net_bindmlp(const cred_t
*);
115 int secpolicy_net_config(const cred_t
*, boolean_t
);
116 int secpolicy_net_icmpaccess(const cred_t
*);
117 int secpolicy_net_mac_aware(const cred_t
*);
118 int secpolicy_net_mac_implicit(const cred_t
*);
119 int secpolicy_net_observability(const cred_t
*);
120 int secpolicy_net_privaddr(const cred_t
*, in_port_t
, int proto
);
121 int secpolicy_net_rawaccess(const cred_t
*);
122 boolean_t
secpolicy_net_reply_equal(const cred_t
*);
123 int secpolicy_newproc(const cred_t
*);
124 int secpolicy_nfs(const cred_t
*);
125 int secpolicy_pbind(const cred_t
*);
126 int secpolicy_pcfs_modify_bootpartition(const cred_t
*);
127 int secpolicy_pfexec_register(const cred_t
*);
128 int secpolicy_ponline(const cred_t
*);
129 int secpolicy_pool(const cred_t
*);
130 int secpolicy_power_mgmt(const cred_t
*);
131 int secpolicy_ppp_config(const cred_t
*);
132 int secpolicy_proc_access(const cred_t
*);
133 int secpolicy_proc_excl_open(const cred_t
*);
134 int secpolicy_proc_owner(const cred_t
*, const cred_t
*, int);
135 int secpolicy_proc_zone(const cred_t
*);
136 int secpolicy_psecflags(const cred_t
*, struct proc
*, struct proc
*);
137 int secpolicy_pset(const cred_t
*);
138 int secpolicy_rctlsys(const cred_t
*, boolean_t
);
139 int secpolicy_resource(const cred_t
*);
140 int secpolicy_resource_anon_mem(const cred_t
*);
141 int secpolicy_rpcmod_open(const cred_t
*);
142 int secpolicy_rsm_access(const cred_t
*, uid_t
, mode_t
);
143 int secpolicy_raisepriority(const cred_t
*);
144 int secpolicy_setpriority(const cred_t
*);
145 int secpolicy_settime(const cred_t
*);
146 int secpolicy_smb(const cred_t
*);
147 int secpolicy_smbfs_login(const cred_t
*, uid_t
);
148 int secpolicy_spec_open(const cred_t
*, struct vnode
*, int);
149 int secpolicy_sti(const cred_t
*);
150 int secpolicy_swapctl(const cred_t
*);
151 int secpolicy_sys_config(const cred_t
*, boolean_t
);
152 int secpolicy_zone_admin(const cred_t
*, boolean_t
);
153 int secpolicy_zone_config(const cred_t
*);
154 int secpolicy_sys_devices(const cred_t
*);
155 int secpolicy_systeminfo(const cred_t
*);
156 int secpolicy_tasksys(const cred_t
*);
157 int secpolicy_vnode_access(const cred_t
*, vnode_t
*, uid_t
, mode_t
);
158 int secpolicy_vnode_access2(const cred_t
*, vnode_t
*, uid_t
, mode_t
, mode_t
);
159 int secpolicy_vnode_any_access(const cred_t
*, vnode_t
*, uid_t
);
160 int secpolicy_vnode_chown(const cred_t
*, uid_t
);
161 int secpolicy_vnode_create_gid(const cred_t
*);
162 int secpolicy_vnode_owner(const cred_t
*, uid_t
);
163 int secpolicy_vnode_remove(const cred_t
*);
164 int secpolicy_vnode_setdac(const cred_t
*, uid_t
);
165 int secpolicy_vnode_setdac3(const cred_t
*, uid_t
, boolean_t
);
166 int secpolicy_vnode_setid_retain(const cred_t
*, boolean_t
);
167 int secpolicy_vnode_setids_setgids(const cred_t
*, gid_t
);
168 int secpolicy_vnode_stky_modify(const cred_t
*);
169 int secpolicy_vscan(const cred_t
*);
170 int secpolicy_hwmanip(const cred_t
*);
171 int secpolicy_zinject(const cred_t
*);
172 int secpolicy_zfs(const cred_t
*);
173 int secpolicy_ucode_update(const cred_t
*);
174 int secpolicy_sadopen(const cred_t
*);
175 void secpolicy_setid_clear(vattr_t
*, cred_t
*);
176 void secpolicy_fs_mount_clearopts(cred_t
*, struct vfs
*);
177 int secpolicy_setid_setsticky_clear(vnode_t
*, vattr_t
*,
178 const vattr_t
*, cred_t
*);
179 int secpolicy_xvattr(xvattr_t
*, uid_t
, cred_t
*, vtype_t
);
180 int secpolicy_xvm_control(const cred_t
*);
182 int secpolicy_basic_exec(const cred_t
*, vnode_t
*);
183 int secpolicy_basic_fork(const cred_t
*);
184 int secpolicy_basic_link(const cred_t
*);
185 int secpolicy_basic_file_read(const cred_t
*, vnode_t
*, const char *);
186 int secpolicy_basic_file_write(const cred_t
*, vnode_t
*, const char *);
187 int secpolicy_basic_net_access(const cred_t
*);
188 int secpolicy_basic_proc(const cred_t
*);
189 int secpolicy_basic_procinfo(const cred_t
*, struct proc
*, struct proc
*);
191 int secpolicy_gart_access(const cred_t
*);
192 int secpolicy_gart_map(const cred_t
*);
194 * This function to be called from xxfs_setattr().
195 * Must be called with the node's attributes read-write locked.
197 * cred_t * - acting credentials
198 * struct vnode * - vnode we're operating on
199 * struct vattr *va - new attributes, va_mask may be
200 * changed on return from a call
201 * struct vattr *oldva - old attributes, need include owner
203 * int flags - setattr flags
204 * int iaccess(void *node, int mode, cred_t *cr)
205 * - non-locking internal access function
207 * w/ VREAD|VWRITE|VEXEC, not fs
208 * internal mode encoding.
210 * void *node - internal node (inode, tmpnode) to
211 * pass as arg to iaccess
213 int secpolicy_vnode_setattr(cred_t
*, struct vnode
*, struct vattr
*,
214 const struct vattr
*, int, int (void *, int, cred_t
*), void *);
217 * Test privilege. Audit success or failure, allow privilege debugging.
218 * Returns 0 for success, err for failure.
220 #define PRIV_POLICY(cred, priv, all, err, reason) \
221 priv_policy((cred), (priv), (all), (err), (reason))
224 * Test privilege. Audit success only, no privilege debugging.
225 * Returns 1 for success, and 0 for failure.
227 #define PRIV_POLICY_CHOICE(cred, priv, all) \
228 priv_policy_choice((cred), (priv), (all))
231 * Test privilege. No priv_debugging, no auditing.
232 * Returns 1 for success, and 0 for failure.
235 #define PRIV_POLICY_ONLY(cred, priv, all) \
236 priv_policy_only((cred), (priv), (all))
245 #endif /* _SYS_POLICY_H */