4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013, Joyent, Inc. All rights reserved.
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
34 #include <sys/errno.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
45 #include <sys/devpolicy.h>
47 #include <sys/varargs.h>
49 #include <sys/modctl.h>
52 #include <inet/optcom.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 #include <sys/dld_ioc.h>
60 * There are two possible layers of privilege routines and two possible
61 * levels of secpolicy. Plus one other we may not be interested in, so
62 * we may need as many as 6 but no more.
64 #define MAXPRIVSTACK 6
67 int priv_basic_test
= -1;
70 * This file contains the majority of the policy routines.
71 * Since the policy routines are defined by function and not
72 * by privilege, there is quite a bit of duplication of
75 * The secpolicy functions must not make assumptions about
76 * locks held or not held as any lock can be held while they're
79 * Credentials are read-only so no special precautions need to
80 * be taken while locking them.
82 * When a new policy check needs to be added to the system the
83 * following procedure should be followed:
85 * Pick an appropriate secpolicy_*() function
86 * -> done if one exists.
87 * Create a new secpolicy function, preferably with
88 * a descriptive name using the standard template.
89 * Pick an appropriate privilege for the policy.
90 * If no appropraite privilege exists, define new one
91 * (this should be done with extreme care; in most cases
92 * little is gained by adding another privilege)
94 * WHY ROOT IS STILL SPECIAL.
96 * In a number of the policy functions, there are still explicit
97 * checks for uid 0. The rationale behind these is that many root
98 * owned files/objects hold configuration information which can give full
99 * privileges to the user once written to. To prevent escalation
100 * of privilege by allowing just a single privilege to modify root owned
101 * objects, we've added these root specific checks where we considered
102 * them necessary: modifying root owned files, changing uids to 0, etc.
104 * PRIVILEGE ESCALATION AND ZONES.
106 * A number of operations potentially allow the caller to achieve
107 * privileges beyond the ones normally required to perform the operation.
108 * For example, if allowed to create a setuid 0 executable, a process can
109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
110 * restrictions on the ability to gain privileges beyond those available
111 * within the zone through file and process manipulation. Hence, such
112 * operations require that the caller have an effective set that includes
113 * all privileges available within the current zone, or all privileges
114 * if executing in the global zone.
116 * This is indicated in the priv_policy* policy checking functions
117 * through a combination of parameters. The "priv" parameter indicates
118 * the privilege that is required, and the "allzone" parameter indicates
119 * whether or not all privileges in the zone are required. In addition,
120 * priv can be set to PRIV_ALL to indicate that all privileges are
121 * required (regardless of zone). There are three scenarios of interest:
122 * (1) operation requires a specific privilege
123 * (2) operation requires a specific privilege, and requires all
124 * privileges available within the zone (or all privileges if in
126 * (3) operation requires all privileges, regardless of zone
128 * For (1), priv should be set to the specific privilege, and allzone
129 * should be set to B_FALSE.
130 * For (2), priv should be set to the specific privilege, and allzone
131 * should be set to B_TRUE.
132 * For (3), priv should be set to PRIV_ALL, and allzone should be set
138 * The privileges are checked against the Effective set for
139 * ordinary processes and checked against the Limit set
140 * for euid 0 processes that haven't manipulated their privilege
143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
148 PRIV_ISMEMBER(&CR_OEPRIV(cr), pr))
150 #define FAST_BASIC_CHECK(cr, priv) \
151 if (PRIV_ISMEMBER(&CR_OEPRIV(cr), priv)) { \
152 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
157 * Policy checking functions.
159 * All of the system's policy should be implemented here.
163 * Private functions which take an additional va_list argument to
164 * implement an object specific policy override.
166 static int priv_policy_ap(const cred_t
*, int, boolean_t
, int,
167 const char *, va_list);
168 static int priv_policy_va(const cred_t
*, int, boolean_t
, int,
172 * Generic policy calls
174 * The "bottom" functions of policy control
177 mprintf(const char *fmt
, ...)
184 len
= vsnprintf(NULL
, 0, fmt
, args
) + 1;
187 buf
= kmem_alloc(len
, KM_NOSLEEP
);
193 (void) vsnprintf(buf
, len
, fmt
, args
);
200 * priv_policy_errmsg()
202 * Generate an error message if privilege debugging is enabled system wide
203 * or for this particular process.
206 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
207 #define FMTMSG " for \"%s\""
208 #define FMTFUN " needed at %s+0x%lx"
210 /* The maximum size privilege format: the concatenation of the above */
211 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
214 priv_policy_errmsg(const cred_t
*cr
, int priv
, const char *msg
)
217 pc_t stack
[MAXPRIVSTACK
];
225 char fmt
[sizeof (FMTMAX
)];
227 if ((me
= curproc
) == &p0
)
230 /* Privileges must be defined */
231 ASSERT(priv
== PRIV_ALL
|| priv
== PRIV_MULTIPLE
||
232 priv
== PRIV_ALLZONE
|| priv
== PRIV_GLOBAL
||
233 priv_getbynum(priv
) != NULL
);
235 if (priv
== PRIV_ALLZONE
&& INGLOBALZONE(me
))
238 if (curthread
->t_pre_sys
)
239 ttolwp(curthread
)->lwp_badpriv
= (short)priv
;
241 if (priv_debug
== 0 && (CR_FLAGS(cr
) & PRIV_DEBUG
) == 0)
244 (void) strcpy(fmt
, FMTHDR
);
246 if (me
->p_user
.u_comm
[0])
247 cmd
= &me
->p_user
.u_comm
[0];
251 if (msg
!= NULL
&& *msg
!= '\0') {
252 (void) strcat(fmt
, FMTMSG
);
254 (void) strcat(fmt
, "%s");
260 depth
= getpcstack(stack
, MAXPRIVSTACK
);
263 * Try to find the first interesting function on the stack.
264 * priv_policy* that's us, so completely uninteresting.
265 * suser(), drv_priv(), secpolicy_* are also called from
266 * too many locations to convey useful information.
268 for (i
= 0; i
< depth
; i
++) {
269 sym
= kobj_getsymname((uintptr_t)stack
[i
], &off
);
271 strstr(sym
, "hasprocperm") == 0 &&
272 strcmp("suser", sym
) != 0 &&
273 strcmp("ipcaccess", sym
) != 0 &&
274 strcmp("drv_priv", sym
) != 0 &&
275 strncmp("secpolicy_", sym
, 10) != 0 &&
276 strncmp("priv_policy", sym
, 11) != 0)
281 (void) strcat(fmt
, FMTFUN
);
283 (void) strcat(fmt
, "\n");
299 pname
= priv_getbynum(priv
);
303 if (CR_FLAGS(cr
) & PRIV_DEBUG
) {
304 /* Remember last message, just like lwp_badpriv. */
305 if (curthread
->t_pdmsg
!= NULL
) {
306 kmem_free(curthread
->t_pdmsg
,
307 strlen(curthread
->t_pdmsg
) + 1);
310 curthread
->t_pdmsg
= mprintf(fmt
, cmd
, me
->p_pid
, pname
,
311 cr
->cr_uid
, curthread
->t_sysnum
, msg
, sym
, off
);
313 curthread
->t_post_sys
= 1;
316 cmn_err(CE_NOTE
, fmt
, cmd
, me
->p_pid
, pname
, cr
->cr_uid
,
317 curthread
->t_sysnum
, msg
, sym
, off
);
322 * Override the policy, if appropriate. Return 0 if the external
323 * policy engine approves.
326 priv_policy_override(const cred_t
*cr
, int priv
, boolean_t allzone
, va_list ap
)
331 if (!(CR_FLAGS(cr
) & PRIV_XPOLICY
))
334 if (priv
== PRIV_ALL
) {
336 } else if (allzone
) {
337 set
= *ZONEPRIVS(cr
);
340 priv_addset(&set
, priv
);
342 ret
= klpd_call(cr
, &set
, ap
);
347 priv_policy_override_set(const cred_t
*cr
, const priv_set_t
*req
, va_list ap
)
349 if (CR_FLAGS(cr
) & PRIV_PFEXEC
)
350 return (check_user_privs(cr
, req
));
351 if (CR_FLAGS(cr
) & PRIV_XPOLICY
) {
352 return (klpd_call(cr
, req
, ap
));
358 priv_policy_override_set_va(const cred_t
*cr
, const priv_set_t
*req
, ...)
364 ret
= priv_policy_override_set(cr
, req
, ap
);
370 * Audit failure, log error message.
373 priv_policy_err(const cred_t
*cr
, int priv
, boolean_t allzone
, const char *msg
)
377 audit_priv(priv
, allzone
? ZONEPRIVS(cr
) : NULL
, 0);
378 DTRACE_PROBE2(priv__err
, int, priv
, boolean_t
, allzone
);
380 if (priv_debug
|| (CR_FLAGS(cr
) & PRIV_DEBUG
) ||
381 curthread
->t_pre_sys
) {
382 if (allzone
&& !HAS_ALLZONEPRIVS(cr
)) {
383 priv_policy_errmsg(cr
, PRIV_ALLZONE
, msg
);
385 ASSERT(!HAS_PRIVILEGE(cr
, priv
));
386 priv_policy_errmsg(cr
, priv
, msg
);
394 * See block comment above for a description of "priv" and "allzone" usage.
397 priv_policy_ap(const cred_t
*cr
, int priv
, boolean_t allzone
, int err
,
398 const char *msg
, va_list ap
)
400 if ((HAS_PRIVILEGE(cr
, priv
) && (!allzone
|| HAS_ALLZONEPRIVS(cr
))) ||
401 (!servicing_interrupt() &&
402 priv_policy_override(cr
, priv
, allzone
, ap
) == 0)) {
403 if ((allzone
|| priv
== PRIV_ALL
||
404 !PRIV_ISMEMBER(priv_basic
, priv
)) &&
405 !servicing_interrupt()) {
406 PTOU(curproc
)->u_acflag
|= ASU
;
409 allzone
? ZONEPRIVS(cr
) : NULL
, 1);
412 DTRACE_PROBE2(priv__ok
, int, priv
, boolean_t
, allzone
);
413 } else if (!servicing_interrupt()) {
414 /* Failure audited in this procedure */
415 priv_policy_err(cr
, priv
, allzone
, msg
);
421 priv_policy_va(const cred_t
*cr
, int priv
, boolean_t allzone
, int err
,
422 const char *msg
, ...)
428 ret
= priv_policy_ap(cr
, priv
, allzone
, err
, msg
, ap
);
435 priv_policy(const cred_t
*cr
, int priv
, boolean_t allzone
, int err
,
438 return (priv_policy_va(cr
, priv
, allzone
, err
, msg
, KLPDARG_NONE
));
442 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
445 priv_policy_choice(const cred_t
*cr
, int priv
, boolean_t allzone
)
447 boolean_t res
= HAS_PRIVILEGE(cr
, priv
) &&
448 (!allzone
|| HAS_ALLZONEPRIVS(cr
));
450 /* Audit success only */
451 if (res
&& AU_AUDITING() &&
452 (allzone
|| priv
== PRIV_ALL
|| !PRIV_ISMEMBER(priv_basic
, priv
)) &&
453 !servicing_interrupt()) {
454 audit_priv(priv
, allzone
? ZONEPRIVS(cr
) : NULL
, 1);
457 DTRACE_PROBE2(priv__ok
, int, priv
, boolean_t
, allzone
);
459 DTRACE_PROBE2(priv__err
, int, priv
, boolean_t
, allzone
);
465 * Non-auditing variant of priv_policy_choice().
468 priv_policy_only(const cred_t
*cr
, int priv
, boolean_t allzone
)
470 boolean_t res
= HAS_PRIVILEGE(cr
, priv
) &&
471 (!allzone
|| HAS_ALLZONEPRIVS(cr
));
474 DTRACE_PROBE2(priv__ok
, int, priv
, boolean_t
, allzone
);
476 DTRACE_PROBE2(priv__err
, int, priv
, boolean_t
, allzone
);
482 * Check whether all privileges in the required set are present.
485 secpolicy_require_set(const cred_t
*cr
, const priv_set_t
*req
,
486 const char *msg
, ...)
494 if (req
== PRIV_FULLSET
? HAS_ALLPRIVS(cr
) : priv_issubset(req
,
500 ret
= priv_policy_override_set(cr
, req
, ap
);
505 if (req
== PRIV_FULLSET
|| priv_isfullset(req
)) {
506 priv_policy_err(cr
, PRIV_ALL
, B_FALSE
, msg
);
510 pset
= CR_OEPRIV(cr
); /* present privileges */
511 priv_inverse(&pset
); /* all non present privileges */
512 priv_intersect(req
, &pset
); /* the actual missing privs */
515 audit_priv(PRIV_NONE
, &pset
, 0);
517 * Privilege debugging; special case "one privilege in set".
519 if (priv_debug
|| (CR_FLAGS(cr
) & PRIV_DEBUG
) || curthread
->t_pre_sys
) {
520 for (priv
= 0; priv
< nprivs
; priv
++) {
521 if (priv_ismember(&pset
, priv
)) {
523 /* Multiple missing privs */
524 priv_policy_errmsg(cr
, PRIV_MULTIPLE
,
531 ASSERT(pfound
!= -1);
532 /* Just the one missing privilege */
533 priv_policy_errmsg(cr
, pfound
, msg
);
540 * Called when an operation requires that the caller be in the
541 * global zone, regardless of privilege.
544 priv_policy_global(const cred_t
*cr
)
546 if (crgetzoneid(cr
) == GLOBAL_ZONEID
)
547 return (0); /* success */
549 if (priv_debug
|| (CR_FLAGS(cr
) & PRIV_DEBUG
) ||
550 curthread
->t_pre_sys
) {
551 priv_policy_errmsg(cr
, PRIV_GLOBAL
, NULL
);
557 * Raising process priority
560 secpolicy_raisepriority(const cred_t
*cr
)
562 if (PRIV_POLICY(cr
, PRIV_PROC_PRIOUP
, B_FALSE
, EPERM
, NULL
) == 0)
564 return (secpolicy_setpriority(cr
));
568 * Changing process priority or scheduling class
571 secpolicy_setpriority(const cred_t
*cr
)
573 return (PRIV_POLICY(cr
, PRIV_PROC_PRIOCNTL
, B_FALSE
, EPERM
, NULL
));
577 * Binding to a privileged port, port must be specified in host byte
579 * When adding a new privilege which allows binding to currently privileged
580 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
581 * to these ports because of backward compatibility.
584 secpolicy_net_privaddr(const cred_t
*cr
, in_port_t port
, int proto
)
595 * NBT and SMB ports, these are normal privileged ports,
596 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
598 * Try both, if neither is present return an error for
601 if (PRIV_POLICY_ONLY(cr
, PRIV_NET_PRIVADDR
, B_FALSE
))
602 priv
= PRIV_NET_PRIVADDR
;
605 reason
= "NBT or SMB port";
611 * NFS ports, these are extra privileged ports, allow bind
612 * only if the SYS_NFS privilege is present.
619 priv
= PRIV_NET_PRIVADDR
;
625 return (priv_policy_va(cr
, priv
, B_FALSE
, EACCES
, reason
,
626 KLPDARG_PORT
, (int)proto
, (int)port
, KLPDARG_NOMORE
));
630 * Common routine which determines whether a given credential can
631 * act on a given mount.
632 * When called through mount, the parameter needoptcheck is a pointer
633 * to a boolean variable which will be set to either true or false,
634 * depending on whether the mount policy should change the mount options.
635 * In all other cases, needoptcheck should be a NULL pointer.
638 secpolicy_fs_common(cred_t
*cr
, vnode_t
*mvp
, const vfs_t
*vfsp
,
639 boolean_t
*needoptcheck
)
641 boolean_t allzone
= B_FALSE
;
642 boolean_t mounting
= needoptcheck
!= NULL
;
645 * Short circuit the following cases:
646 * vfsp == NULL or mvp == NULL (pure privilege check)
647 * have all privileges - no further checks required
648 * and no mount options need to be set.
650 if (vfsp
== NULL
|| mvp
== NULL
|| HAS_ALLPRIVS(cr
)) {
652 *needoptcheck
= B_FALSE
;
654 return (priv_policy_va(cr
, PRIV_SYS_MOUNT
, allzone
, EPERM
,
655 NULL
, KLPDARG_VNODE
, mvp
, (char *)NULL
, KLPDARG_NOMORE
));
659 * When operating on an existing mount (either we're not mounting
660 * or we're doing a remount and VFS_REMOUNT will be set), zones
661 * can operate only on mounts established by the zone itself.
663 if (!mounting
|| (vfsp
->vfs_flag
& VFS_REMOUNT
) != 0) {
664 zoneid_t zoneid
= crgetzoneid(cr
);
666 if (zoneid
!= GLOBAL_ZONEID
&&
667 vfsp
->vfs_zone
->zone_id
!= zoneid
) {
673 *needoptcheck
= B_TRUE
;
676 * Overlay mounts may hide important stuff; if you can't write to a
677 * mount point but would be able to mount on top of it, you can
678 * escalate your privileges.
679 * So we go about asking the same questions namefs does when it
680 * decides whether you can mount over a file or not but with the
681 * added restriction that you can only mount on top of a regular
683 * If we have all the zone's privileges, we skip all other checks,
684 * or else we may actually get in trouble inside the automounter.
686 if ((mvp
->v_flag
& VROOT
) != 0 ||
687 (mvp
->v_type
!= VDIR
&& mvp
->v_type
!= VREG
) ||
688 HAS_ALLZONEPRIVS(cr
)) {
694 va
.va_mask
= AT_UID
|AT_MODE
;
695 err
= VOP_GETATTR(mvp
, &va
, 0, cr
, NULL
);
699 if ((err
= secpolicy_vnode_owner(cr
, va
.va_uid
)) != 0)
702 if (secpolicy_vnode_access2(cr
, mvp
, va
.va_uid
, va
.va_mode
,
707 return (priv_policy_va(cr
, PRIV_SYS_MOUNT
, allzone
, EPERM
,
708 NULL
, KLPDARG_VNODE
, mvp
, (char *)NULL
, KLPDARG_NOMORE
));
712 secpolicy_fs_mount_clearopts(cred_t
*cr
, struct vfs
*vfsp
)
714 boolean_t amsuper
= HAS_ALLZONEPRIVS(cr
);
717 * check; if we don't have either "nosuid" or
718 * both "nosetuid" and "nodevices", then we add
719 * "nosuid"; this depends on how the current
720 * implementation works (it first checks nosuid). In a
721 * zone, a user with all zone privileges can mount with
722 * "setuid" but never with "devices".
724 if (!vfs_optionisset(vfsp
, MNTOPT_NOSUID
, NULL
) &&
725 (!vfs_optionisset(vfsp
, MNTOPT_NODEVICES
, NULL
) ||
726 !vfs_optionisset(vfsp
, MNTOPT_NOSETUID
, NULL
))) {
727 if (crgetzoneid(cr
) == GLOBAL_ZONEID
|| !amsuper
)
728 vfs_setmntopt(vfsp
, MNTOPT_NOSUID
, NULL
, 0);
730 vfs_setmntopt(vfsp
, MNTOPT_NODEVICES
, NULL
, 0);
733 * If we're not the local super user, we set the "restrict"
734 * option to indicate to automountd that this mount should
735 * be handled with care.
738 vfs_setmntopt(vfsp
, MNTOPT_RESTRICT
, NULL
, 0);
743 secpolicy_fs_allowed_mount(const char *fsname
)
749 ASSERT(fsname
!= NULL
);
750 ASSERT(fsname
[0] != '\0');
752 if (INGLOBALZONE(curproc
))
755 vswp
= vfs_getvfssw(fsname
);
759 if ((vswp
->vsw_flag
& VSW_ZMOUNT
) != 0) {
760 vfs_unrefvfssw(vswp
);
764 vfs_unrefvfssw(vswp
);
766 p
= curzone
->zone_fs_allowed
;
767 len
= strlen(fsname
);
769 while (p
!= NULL
&& *p
!= '\0') {
770 if (strncmp(p
, fsname
, len
) == 0) {
772 if (c
== '\0' || c
== ',')
776 /* skip to beyond the next comma */
777 if ((p
= strchr(p
, ',')) != NULL
)
784 extern vnode_t
*rootvp
;
785 extern vfs_t
*rootvfs
;
788 secpolicy_fs_mount(cred_t
*cr
, vnode_t
*mvp
, struct vfs
*vfsp
)
790 boolean_t needoptchk
;
794 * If it's a remount, get the underlying mount point,
795 * except for the root where we use the rootvp.
797 if ((vfsp
->vfs_flag
& VFS_REMOUNT
) != 0) {
801 mvp
= vfsp
->vfs_vnodecovered
;
804 error
= secpolicy_fs_common(cr
, mvp
, vfsp
, &needoptchk
);
806 if (error
== 0 && needoptchk
) {
807 secpolicy_fs_mount_clearopts(cr
, vfsp
);
814 * Does the policy computations for "ownership" of a mount;
815 * here ownership is defined as the ability to "mount"
816 * the filesystem originally. The rootvfs doesn't cover any
817 * vnodes; we attribute its ownership to the rootvp.
820 secpolicy_fs_owner(cred_t
*cr
, const struct vfs
*vfsp
)
826 else if (vfsp
== rootvfs
)
829 mvp
= vfsp
->vfs_vnodecovered
;
831 return (secpolicy_fs_common(cr
, mvp
, vfsp
, NULL
));
835 secpolicy_fs_unmount(cred_t
*cr
, struct vfs
*vfsp
)
837 return (secpolicy_fs_owner(cr
, vfsp
));
841 * Quotas are a resource, but if one has the ability to mount a filesystem, he
842 * should be able to modify quotas on it.
845 secpolicy_fs_quota(const cred_t
*cr
, const vfs_t
*vfsp
)
847 return (secpolicy_fs_owner((cred_t
*)cr
, vfsp
));
851 * Exceeding minfree: also a per-mount resource constraint.
854 secpolicy_fs_minfree(const cred_t
*cr
, const vfs_t
*vfsp
)
856 return (secpolicy_fs_owner((cred_t
*)cr
, vfsp
));
860 secpolicy_fs_config(const cred_t
*cr
, const vfs_t
*vfsp
)
862 return (secpolicy_fs_owner((cred_t
*)cr
, vfsp
));
867 secpolicy_fs_linkdir(const cred_t
*cr
, const vfs_t
*vfsp
)
869 return (PRIV_POLICY(cr
, PRIV_SYS_LINKDIR
, B_FALSE
, EPERM
, NULL
));
873 * Name: secpolicy_vnode_access()
875 * Parameters: Process credential
877 * uid of owner of vnode
878 * permission bits not granted to the caller when examining
879 * file mode bits (i.e., when a process wants to open a
880 * mode 444 file for VREAD|VWRITE, this function should be
881 * called only with a VWRITE argument).
883 * Normal: Verifies that cred has the appropriate privileges to
884 * override the mode bits that were denied.
886 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
888 * file_dac_read - if VREAD bit was denied.
889 * file_dac_search - if VEXEC bit was denied and vnode is
891 * file_dac_write - if VWRITE bit was denied.
893 * Root owned files are special cased to protect system
894 * configuration files and such.
896 * Output: EACCES - if privilege check fails.
900 secpolicy_vnode_access(const cred_t
*cr
, vnode_t
*vp
, uid_t owner
, mode_t mode
)
902 if ((mode
& VREAD
) && priv_policy_va(cr
, PRIV_FILE_DAC_READ
, B_FALSE
,
903 EACCES
, NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
904 KLPDARG_NOMORE
) != 0) {
911 if (owner
== 0 && cr
->cr_uid
!= 0)
915 if (priv_policy_va(cr
, PRIV_FILE_DAC_WRITE
, allzone
, EACCES
,
916 NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
917 KLPDARG_NOMORE
) != 0) {
924 * Directories use file_dac_search to override the execute bit.
926 int p
= vp
->v_type
== VDIR
? PRIV_FILE_DAC_SEARCH
:
927 PRIV_FILE_DAC_EXECUTE
;
929 return (priv_policy_va(cr
, p
, B_FALSE
, EACCES
, NULL
,
930 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
));
936 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
937 * current mode of the file, not the missing bits.
940 secpolicy_vnode_access2(const cred_t
*cr
, vnode_t
*vp
, uid_t owner
,
941 mode_t curmode
, mode_t wantmode
)
945 /* Inline the basic privileges tests. */
946 if ((wantmode
& VREAD
) &&
947 !PRIV_ISMEMBER(&CR_OEPRIV(cr
), PRIV_FILE_READ
) &&
948 priv_policy_va(cr
, PRIV_FILE_READ
, B_FALSE
, EACCES
, NULL
,
949 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
) != 0) {
953 if ((wantmode
& VWRITE
) &&
954 !PRIV_ISMEMBER(&CR_OEPRIV(cr
), PRIV_FILE_WRITE
) &&
955 priv_policy_va(cr
, PRIV_FILE_WRITE
, B_FALSE
, EACCES
, NULL
,
956 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
) != 0) {
960 mode
= ~curmode
& wantmode
;
965 if ((mode
& VREAD
) && priv_policy_va(cr
, PRIV_FILE_DAC_READ
, B_FALSE
,
966 EACCES
, NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
967 KLPDARG_NOMORE
) != 0) {
974 if (owner
== 0 && cr
->cr_uid
!= 0)
978 if (priv_policy_va(cr
, PRIV_FILE_DAC_WRITE
, allzone
, EACCES
,
979 NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
980 KLPDARG_NOMORE
) != 0) {
987 * Directories use file_dac_search to override the execute bit.
989 int p
= vp
->v_type
== VDIR
? PRIV_FILE_DAC_SEARCH
:
990 PRIV_FILE_DAC_EXECUTE
;
992 return (priv_policy_va(cr
, p
, B_FALSE
, EACCES
, NULL
,
993 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
));
999 * This is a special routine for ZFS; it is used to determine whether
1000 * any of the privileges in effect allow any form of access to the
1001 * file. There's no reason to audit this or any reason to record
1002 * this. More work is needed to do the "KPLD" stuff.
1005 secpolicy_vnode_any_access(const cred_t
*cr
, vnode_t
*vp
, uid_t owner
)
1007 static int privs
[] = {
1011 PRIV_FILE_DAC_WRITE
,
1012 PRIV_FILE_DAC_EXECUTE
,
1013 PRIV_FILE_DAC_SEARCH
,
1017 /* Same as secpolicy_vnode_setdac */
1018 if (owner
== cr
->cr_uid
)
1021 for (i
= 0; i
< sizeof (privs
)/sizeof (int); i
++) {
1022 boolean_t allzone
= B_FALSE
;
1025 switch (priv
= privs
[i
]) {
1026 case PRIV_FILE_DAC_EXECUTE
:
1027 if (vp
->v_type
== VDIR
)
1030 case PRIV_FILE_DAC_SEARCH
:
1031 if (vp
->v_type
!= VDIR
)
1034 case PRIV_FILE_DAC_WRITE
:
1035 case PRIV_FILE_OWNER
:
1036 case PRIV_FILE_CHOWN
:
1037 /* We know here that if owner == 0, that cr_uid != 0 */
1038 allzone
= owner
== 0;
1041 if (PRIV_POLICY_CHOICE(cr
, priv
, allzone
))
1048 * Name: secpolicy_vnode_setid_modify()
1050 * Normal: verify that subject can set the file setid flags.
1052 * Output: EPERM - if not privileged.
1056 secpolicy_vnode_setid_modify(const cred_t
*cr
, uid_t owner
)
1058 /* If changing to suid root, must have all zone privs */
1059 boolean_t allzone
= B_TRUE
;
1062 if (owner
== cr
->cr_uid
)
1066 return (PRIV_POLICY(cr
, PRIV_FILE_SETID
, allzone
, EPERM
, NULL
));
1070 * Are we allowed to retain the set-uid/set-gid bits when
1071 * changing ownership or when writing to a file?
1072 * "issuid" should be true when set-uid; only in that case
1073 * root ownership is checked (setgid is assumed).
1076 secpolicy_vnode_setid_retain(const cred_t
*cred
, boolean_t issuidroot
)
1078 if (issuidroot
&& !HAS_ALLZONEPRIVS(cred
))
1081 return (!PRIV_POLICY_CHOICE(cred
, PRIV_FILE_SETID
, B_FALSE
));
1085 * Name: secpolicy_vnode_setids_setgids()
1087 * Normal: verify that subject can set the file setgid flag.
1089 * Output: EPERM - if not privileged
1093 secpolicy_vnode_setids_setgids(const cred_t
*cred
, gid_t gid
)
1095 if (!groupmember(gid
, cred
))
1096 return (PRIV_POLICY(cred
, PRIV_FILE_SETID
, B_FALSE
, EPERM
,
1102 * Name: secpolicy_vnode_chown
1104 * Normal: Determine if subject can chown owner of a file.
1106 * Output: EPERM - if access denied
1110 secpolicy_vnode_chown(const cred_t
*cred
, uid_t owner
)
1112 boolean_t is_owner
= (owner
== crgetuid(cred
));
1113 boolean_t allzone
= B_FALSE
;
1117 allzone
= (owner
== 0);
1118 priv
= PRIV_FILE_CHOWN
;
1120 priv
= HAS_PRIVILEGE(cred
, PRIV_FILE_CHOWN
) ?
1121 PRIV_FILE_CHOWN
: PRIV_FILE_CHOWN_SELF
;
1124 return (PRIV_POLICY(cred
, priv
, allzone
, EPERM
, NULL
));
1128 * Name: secpolicy_vnode_create_gid
1130 * Normal: Determine if subject can change group ownership of a file.
1132 * Output: EPERM - if access denied
1135 secpolicy_vnode_create_gid(const cred_t
*cred
)
1137 if (HAS_PRIVILEGE(cred
, PRIV_FILE_CHOWN
))
1138 return (PRIV_POLICY(cred
, PRIV_FILE_CHOWN
, B_FALSE
, EPERM
,
1141 return (PRIV_POLICY(cred
, PRIV_FILE_CHOWN_SELF
, B_FALSE
, EPERM
,
1146 * Name: secpolicy_vnode_utime_modify()
1148 * Normal: verify that subject can modify the utime on a file.
1150 * Output: EPERM - if access denied.
1154 secpolicy_vnode_utime_modify(const cred_t
*cred
)
1156 return (PRIV_POLICY(cred
, PRIV_FILE_OWNER
, B_FALSE
, EPERM
,
1157 "modify file times"));
1162 * Name: secpolicy_vnode_setdac()
1164 * Normal: verify that subject can modify the mode of a file.
1165 * allzone privilege needed when modifying root owned object.
1167 * Output: EPERM - if access denied.
1171 secpolicy_vnode_setdac(const cred_t
*cred
, uid_t owner
)
1173 if (owner
== cred
->cr_uid
)
1176 return (PRIV_POLICY(cred
, PRIV_FILE_OWNER
, owner
== 0, EPERM
, NULL
));
1179 * Name: secpolicy_vnode_stky_modify()
1181 * Normal: verify that subject can make a file a "sticky".
1183 * Output: EPERM - if access denied.
1187 secpolicy_vnode_stky_modify(const cred_t
*cred
)
1189 return (PRIV_POLICY(cred
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
,
1190 "set file sticky"));
1194 * Policy determines whether we can remove an entry from a directory,
1195 * regardless of permission bits.
1198 secpolicy_vnode_remove(const cred_t
*cr
)
1200 return (PRIV_POLICY(cr
, PRIV_FILE_OWNER
, B_FALSE
, EACCES
,
1201 "sticky directory"));
1205 secpolicy_vnode_owner(const cred_t
*cr
, uid_t owner
)
1207 boolean_t allzone
= (owner
== 0);
1209 if (owner
== cr
->cr_uid
)
1212 return (PRIV_POLICY(cr
, PRIV_FILE_OWNER
, allzone
, EPERM
, NULL
));
1216 secpolicy_setid_clear(vattr_t
*vap
, cred_t
*cr
)
1218 if ((vap
->va_mode
& (S_ISUID
| S_ISGID
)) != 0 &&
1219 secpolicy_vnode_setid_retain(cr
,
1220 (vap
->va_mode
& S_ISUID
) != 0 &&
1221 (vap
->va_mask
& AT_UID
) != 0 && vap
->va_uid
== 0) != 0) {
1222 vap
->va_mask
|= AT_MODE
;
1223 vap
->va_mode
&= ~(S_ISUID
|S_ISGID
);
1228 secpolicy_setid_setsticky_clear(vnode_t
*vp
, vattr_t
*vap
, const vattr_t
*ovap
,
1233 if ((vap
->va_mode
& S_ISUID
) != 0 &&
1234 (error
= secpolicy_vnode_setid_modify(cr
,
1235 ovap
->va_uid
)) != 0) {
1240 * Check privilege if attempting to set the
1241 * sticky bit on a non-directory.
1243 if (vp
->v_type
!= VDIR
&& (vap
->va_mode
& S_ISVTX
) != 0 &&
1244 secpolicy_vnode_stky_modify(cr
) != 0) {
1245 vap
->va_mode
&= ~S_ISVTX
;
1249 * Check for privilege if attempting to set the
1252 if ((vap
->va_mode
& S_ISGID
) != 0 &&
1253 secpolicy_vnode_setids_setgids(cr
, ovap
->va_gid
) != 0) {
1254 vap
->va_mode
&= ~S_ISGID
;
1260 #define ATTR_FLAG_PRIV(attr, value, cr) \
1261 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1262 B_FALSE, EPERM, NULL)
1265 * Check privileges for setting xvattr attributes
1268 secpolicy_xvattr(xvattr_t
*xvap
, uid_t owner
, cred_t
*cr
, vtype_t vtype
)
1273 if ((xoap
= xva_getxoptattr(xvap
)) == NULL
)
1277 * First process the DOS bits
1279 if (XVA_ISSET_REQ(xvap
, XAT_ARCHIVE
) ||
1280 XVA_ISSET_REQ(xvap
, XAT_HIDDEN
) ||
1281 XVA_ISSET_REQ(xvap
, XAT_READONLY
) ||
1282 XVA_ISSET_REQ(xvap
, XAT_SYSTEM
) ||
1283 XVA_ISSET_REQ(xvap
, XAT_CREATETIME
) ||
1284 XVA_ISSET_REQ(xvap
, XAT_OFFLINE
) ||
1285 XVA_ISSET_REQ(xvap
, XAT_SPARSE
)) {
1286 if ((error
= secpolicy_vnode_owner(cr
, owner
)) != 0)
1291 * Now handle special attributes
1294 if (XVA_ISSET_REQ(xvap
, XAT_IMMUTABLE
))
1295 error
= ATTR_FLAG_PRIV(XAT_IMMUTABLE
,
1296 xoap
->xoa_immutable
, cr
);
1297 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_NOUNLINK
))
1298 error
= ATTR_FLAG_PRIV(XAT_NOUNLINK
,
1299 xoap
->xoa_nounlink
, cr
);
1300 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_APPENDONLY
))
1301 error
= ATTR_FLAG_PRIV(XAT_APPENDONLY
,
1302 xoap
->xoa_appendonly
, cr
);
1303 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_NODUMP
))
1304 error
= ATTR_FLAG_PRIV(XAT_NODUMP
,
1305 xoap
->xoa_nodump
, cr
);
1306 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_OPAQUE
))
1308 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_AV_QUARANTINED
)) {
1309 error
= ATTR_FLAG_PRIV(XAT_AV_QUARANTINED
,
1310 xoap
->xoa_av_quarantined
, cr
);
1311 if (error
== 0 && vtype
!= VREG
&& xoap
->xoa_av_quarantined
)
1314 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_AV_MODIFIED
))
1315 error
= ATTR_FLAG_PRIV(XAT_AV_MODIFIED
,
1316 xoap
->xoa_av_modified
, cr
);
1317 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_AV_SCANSTAMP
)) {
1318 error
= ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP
,
1319 xoap
->xoa_av_scanstamp
, cr
);
1320 if (error
== 0 && vtype
!= VREG
)
1327 * This function checks the policy decisions surrounding the
1330 * It should be called after sufficient locks have been established
1331 * on the underlying data structures. No concurrent modifications
1332 * should be allowed.
1334 * The caller must pass in unlocked version of its vaccess function
1335 * this is required because vop_access function should lock the
1336 * node for reading. A three argument function should be defined
1337 * which accepts the following argument:
1338 * A pointer to the internal "node" type (inode *)
1339 * vnode access bits (VREAD|VWRITE|VEXEC)
1340 * a pointer to the credential
1342 * This function makes the following policy decisions:
1344 * - change permissions
1345 * - permission to change file mode if not owner
1346 * - permission to add sticky bit to non-directory
1347 * - permission to add set-gid bit
1349 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1351 * If the vap argument does not include AT_MODE, the mode will be copied from
1352 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1353 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1354 * is updated to the newly computed mode.
1358 secpolicy_vnode_setattr(cred_t
*cr
, struct vnode
*vp
, struct vattr
*vap
,
1359 const struct vattr
*ovap
, int flags
,
1360 int unlocked_access(void *, int, cred_t
*),
1363 int mask
= vap
->va_mask
;
1365 boolean_t skipaclchk
= (flags
& ATTR_NOACLCHECK
) ? B_TRUE
: B_FALSE
;
1367 if (mask
& AT_SIZE
) {
1368 if (vp
->v_type
== VDIR
) {
1374 * If ATTR_NOACLCHECK is set in the flags, then we don't
1375 * perform the secondary unlocked_access() call since the
1376 * ACL (if any) is being checked there.
1378 if (skipaclchk
== B_FALSE
) {
1379 error
= unlocked_access(node
, VWRITE
, cr
);
1384 if (mask
& AT_MODE
) {
1386 * If not the owner of the file then check privilege
1387 * for two things: the privilege to set the mode at all
1388 * and, if we're setting setuid, we also need permissions
1389 * to add the set-uid bit, if we're not the owner.
1390 * In the specific case of creating a set-uid root
1391 * file, we need even more permissions.
1393 if ((error
= secpolicy_vnode_setdac(cr
, ovap
->va_uid
)) != 0)
1396 if ((error
= secpolicy_setid_setsticky_clear(vp
, vap
,
1400 vap
->va_mode
= ovap
->va_mode
;
1402 if (mask
& (AT_UID
|AT_GID
)) {
1403 boolean_t checkpriv
= B_FALSE
;
1408 * If you are the file owner:
1409 * chown to other uid FILE_CHOWN_SELF
1410 * chown to gid (non-member) FILE_CHOWN_SELF
1411 * chown to gid (member) <none>
1413 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1414 * acceptable but the first one is reported when debugging.
1416 * If you are not the file owner:
1417 * chown from root PRIV_FILE_CHOWN + zone
1418 * chown from other to any PRIV_FILE_CHOWN
1421 if (cr
->cr_uid
!= ovap
->va_uid
) {
1424 if (((mask
& AT_UID
) && vap
->va_uid
!= ovap
->va_uid
) ||
1425 ((mask
& AT_GID
) && vap
->va_gid
!= ovap
->va_gid
&&
1426 !groupmember(vap
->va_gid
, cr
))) {
1431 * If necessary, check privilege to see if update can be done.
1434 (error
= secpolicy_vnode_chown(cr
, ovap
->va_uid
)) != 0) {
1439 * If the file has either the set UID or set GID bits
1440 * set and the caller can set the bits, then leave them.
1442 secpolicy_setid_clear(vap
, cr
);
1444 if (mask
& (AT_ATIME
|AT_MTIME
)) {
1446 * If not the file owner and not otherwise privileged,
1447 * always return an error when setting the
1448 * time other than the current (ATTR_UTIME flag set).
1449 * If setting the current time (ATTR_UTIME not set) then
1450 * unlocked_access will check permissions according to policy.
1452 if (cr
->cr_uid
!= ovap
->va_uid
) {
1453 if (flags
& ATTR_UTIME
)
1454 error
= secpolicy_vnode_utime_modify(cr
);
1455 else if (skipaclchk
== B_FALSE
) {
1456 error
= unlocked_access(node
, VWRITE
, cr
);
1457 if (error
== EACCES
&&
1458 secpolicy_vnode_utime_modify(cr
) == 0)
1467 * Check for optional attributes here by checking the following:
1469 if (mask
& AT_XVATTR
)
1470 error
= secpolicy_xvattr((xvattr_t
*)vap
, ovap
->va_uid
, cr
,
1477 * Name: secpolicy_pcfs_modify_bootpartition()
1479 * Normal: verify that subject can modify a pcfs boot partition.
1481 * Output: EACCES - if privilege check failed.
1485 secpolicy_pcfs_modify_bootpartition(const cred_t
*cred
)
1487 return (PRIV_POLICY(cred
, PRIV_ALL
, B_FALSE
, EACCES
,
1488 "modify pcfs boot partition"));
1492 * System V IPC routines
1495 secpolicy_ipc_owner(const cred_t
*cr
, const struct kipc_perm
*ip
)
1497 if (crgetzoneid(cr
) != ip
->ipc_zoneid
||
1498 (cr
->cr_uid
!= ip
->ipc_uid
&& cr
->cr_uid
!= ip
->ipc_cuid
)) {
1499 boolean_t allzone
= B_FALSE
;
1500 if (ip
->ipc_uid
== 0 || ip
->ipc_cuid
== 0)
1502 return (PRIV_POLICY(cr
, PRIV_IPC_OWNER
, allzone
, EPERM
, NULL
));
1508 secpolicy_ipc_config(const cred_t
*cr
)
1510 return (PRIV_POLICY(cr
, PRIV_SYS_IPC_CONFIG
, B_FALSE
, EPERM
, NULL
));
1514 secpolicy_ipc_access(const cred_t
*cr
, const struct kipc_perm
*ip
, mode_t mode
)
1517 boolean_t allzone
= B_FALSE
;
1519 ASSERT((mode
& (MSG_R
|MSG_W
)) != 0);
1521 if ((mode
& MSG_R
) &&
1522 PRIV_POLICY(cr
, PRIV_IPC_DAC_READ
, allzone
, EACCES
, NULL
) != 0)
1526 if (cr
->cr_uid
!= 0 && (ip
->ipc_uid
== 0 || ip
->ipc_cuid
== 0))
1529 return (PRIV_POLICY(cr
, PRIV_IPC_DAC_WRITE
, allzone
, EACCES
,
1536 secpolicy_rsm_access(const cred_t
*cr
, uid_t owner
, mode_t mode
)
1538 boolean_t allzone
= B_FALSE
;
1540 ASSERT((mode
& (MSG_R
|MSG_W
)) != 0);
1542 if ((mode
& MSG_R
) &&
1543 PRIV_POLICY(cr
, PRIV_IPC_DAC_READ
, allzone
, EACCES
, NULL
) != 0)
1547 if (cr
->cr_uid
!= 0 && owner
== 0)
1550 return (PRIV_POLICY(cr
, PRIV_IPC_DAC_WRITE
, allzone
, EACCES
,
1557 * Audit configuration.
1560 secpolicy_audit_config(const cred_t
*cr
)
1562 return (PRIV_POLICY(cr
, PRIV_SYS_AUDIT
, B_FALSE
, EPERM
, NULL
));
1566 * Audit record generation.
1569 secpolicy_audit_modify(const cred_t
*cr
)
1571 return (PRIV_POLICY(cr
, PRIV_PROC_AUDIT
, B_FALSE
, EPERM
, NULL
));
1575 * Get audit attributes.
1576 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1577 * "Least" of the two privileges on error.
1580 secpolicy_audit_getattr(const cred_t
*cr
, boolean_t checkonly
)
1584 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_AUDIT
, B_FALSE
))
1585 priv
= PRIV_SYS_AUDIT
;
1587 priv
= PRIV_PROC_AUDIT
;
1590 return (!PRIV_POLICY_ONLY(cr
, priv
, B_FALSE
));
1592 return (PRIV_POLICY(cr
, priv
, B_FALSE
, EPERM
, NULL
));
1597 * Locking physical memory
1600 secpolicy_lock_memory(const cred_t
*cr
)
1602 return (PRIV_POLICY(cr
, PRIV_PROC_LOCK_MEMORY
, B_FALSE
, EPERM
, NULL
));
1606 * Accounting (both acct(2) and exacct).
1609 secpolicy_acct(const cred_t
*cr
)
1611 return (PRIV_POLICY(cr
, PRIV_SYS_ACCT
, B_FALSE
, EPERM
, NULL
));
1615 * Is this process privileged to change its uids at will?
1616 * Uid 0 is still considered "special" and having the SETID
1617 * privilege is not sufficient to get uid 0.
1618 * Files are owned by root, so the privilege would give
1619 * full access and euid 0 is still effective.
1621 * If you have the privilege and euid 0 only then do you
1622 * get the powers of root wrt uid 0.
1624 * For gid manipulations, this is should be called with an
1629 secpolicy_allow_setid(const cred_t
*cr
, uid_t newuid
, boolean_t checkonly
)
1631 boolean_t allzone
= B_FALSE
;
1633 if (newuid
== 0 && cr
->cr_uid
!= 0 && cr
->cr_suid
!= 0 &&
1638 return (checkonly
? !PRIV_POLICY_ONLY(cr
, PRIV_PROC_SETID
, allzone
) :
1639 PRIV_POLICY(cr
, PRIV_PROC_SETID
, allzone
, EPERM
, NULL
));
1644 * Acting on a different process: if the mode is for writing,
1645 * the restrictions are more severe. This is called after
1646 * we've verified that the uids do not match.
1649 secpolicy_proc_owner(const cred_t
*scr
, const cred_t
*tcr
, int mode
)
1651 boolean_t allzone
= B_FALSE
;
1653 if ((mode
& VWRITE
) && scr
->cr_uid
!= 0 &&
1654 (tcr
->cr_uid
== 0 || tcr
->cr_ruid
== 0 || tcr
->cr_suid
== 0))
1657 return (PRIV_POLICY(scr
, PRIV_PROC_OWNER
, allzone
, EPERM
, NULL
));
1661 secpolicy_proc_access(const cred_t
*scr
)
1663 return (PRIV_POLICY(scr
, PRIV_PROC_OWNER
, B_FALSE
, EACCES
, NULL
));
1667 secpolicy_proc_excl_open(const cred_t
*scr
)
1669 return (PRIV_POLICY(scr
, PRIV_PROC_OWNER
, B_FALSE
, EBUSY
, NULL
));
1673 secpolicy_proc_zone(const cred_t
*scr
)
1675 return (PRIV_POLICY(scr
, PRIV_PROC_ZONE
, B_FALSE
, EPERM
, NULL
));
1679 * Destroying the system
1683 secpolicy_kmdb(const cred_t
*scr
)
1685 return (PRIV_POLICY(scr
, PRIV_ALL
, B_FALSE
, EPERM
, NULL
));
1689 secpolicy_error_inject(const cred_t
*scr
)
1691 return (PRIV_POLICY(scr
, PRIV_ALL
, B_FALSE
, EPERM
, NULL
));
1695 * Processor sets, cpu configuration, resource pools.
1698 secpolicy_pset(const cred_t
*cr
)
1700 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1703 /* Process security flags */
1705 secpolicy_psecflags(const cred_t
*cr
, proc_t
*tp
, proc_t
*sp
)
1707 if (PRIV_POLICY(cr
, PRIV_PROC_SECFLAGS
, B_FALSE
, EPERM
, NULL
) != 0)
1710 if (!prochasprocperm(tp
, sp
, cr
))
1717 * Processor set binding.
1720 secpolicy_pbind(const cred_t
*cr
)
1722 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
))
1723 return (secpolicy_pset(cr
));
1724 return (PRIV_POLICY(cr
, PRIV_SYS_RES_BIND
, B_FALSE
, EPERM
, NULL
));
1728 secpolicy_ponline(const cred_t
*cr
)
1730 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1734 secpolicy_pool(const cred_t
*cr
)
1736 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1740 secpolicy_blacklist(const cred_t
*cr
)
1742 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1746 * Catch all system configuration.
1749 secpolicy_sys_config(const cred_t
*cr
, boolean_t checkonly
)
1752 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_CONFIG
, B_FALSE
) ? 0 :
1755 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
1760 * Zone administration (halt, reboot, etc.) from within zone.
1763 secpolicy_zone_admin(const cred_t
*cr
, boolean_t checkonly
)
1766 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_ADMIN
, B_FALSE
) ? 0 :
1769 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_FALSE
, EPERM
,
1775 * Zone configuration (create, halt, enter).
1778 secpolicy_zone_config(const cred_t
*cr
)
1781 * Require all privileges to avoid possibility of privilege
1784 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
, KLPDARG_NONE
));
1788 * Various other system configuration calls
1791 secpolicy_coreadm(const cred_t
*cr
)
1793 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_FALSE
, EPERM
, NULL
));
1797 secpolicy_systeminfo(const cred_t
*cr
)
1799 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_FALSE
, EPERM
, NULL
));
1803 secpolicy_dispadm(const cred_t
*cr
)
1805 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
1809 secpolicy_settime(const cred_t
*cr
)
1811 return (PRIV_POLICY(cr
, PRIV_SYS_TIME
, B_FALSE
, EPERM
, NULL
));
1815 * For realtime users: high resolution clock.
1818 secpolicy_clock_highres(const cred_t
*cr
)
1820 return (PRIV_POLICY(cr
, PRIV_PROC_CLOCK_HIGHRES
, B_FALSE
, EPERM
,
1825 * drv_priv() is documented as callable from interrupt context, not that
1826 * anyone ever does, but still. No debugging or auditing can be done when
1827 * it is called from interrupt context.
1828 * returns 0 on succes, EPERM on failure.
1831 drv_priv(cred_t
*cr
)
1833 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
1837 secpolicy_sys_devices(const cred_t
*cr
)
1839 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
1843 secpolicy_excl_open(const cred_t
*cr
)
1845 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EBUSY
, NULL
));
1849 secpolicy_rctlsys(const cred_t
*cr
, boolean_t is_zone_rctl
)
1851 /* zone.* rctls can only be set from the global zone */
1852 if (is_zone_rctl
&& priv_policy_global(cr
) != 0)
1854 return (PRIV_POLICY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
, EPERM
, NULL
));
1858 secpolicy_resource(const cred_t
*cr
)
1860 return (PRIV_POLICY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
, EPERM
, NULL
));
1864 secpolicy_resource_anon_mem(const cred_t
*cr
)
1866 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
));
1870 * Processes with a real uid of 0 escape any form of accounting, much
1874 secpolicy_newproc(const cred_t
*cr
)
1876 if (cr
->cr_ruid
== 0)
1879 return (PRIV_POLICY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
, EPERM
, NULL
));
1886 secpolicy_net_rawaccess(const cred_t
*cr
)
1888 return (PRIV_POLICY(cr
, PRIV_NET_RAWACCESS
, B_FALSE
, EACCES
, NULL
));
1892 secpolicy_net_observability(const cred_t
*cr
)
1894 return (PRIV_POLICY(cr
, PRIV_NET_OBSERVABILITY
, B_FALSE
, EACCES
, NULL
));
1898 * Need this privilege for accessing the ICMP device
1901 secpolicy_net_icmpaccess(const cred_t
*cr
)
1903 return (PRIV_POLICY(cr
, PRIV_NET_ICMPACCESS
, B_FALSE
, EACCES
, NULL
));
1907 * There are a few rare cases where the kernel generates ioctls() from
1908 * interrupt context with a credential of kcred rather than NULL.
1909 * In those cases, we take the safe and cheap test.
1912 secpolicy_net_config(const cred_t
*cr
, boolean_t checkonly
)
1915 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
) ?
1918 return (PRIV_POLICY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
, EPERM
,
1925 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1927 * There are a few rare cases where the kernel generates ioctls() from
1928 * interrupt context with a credential of kcred rather than NULL.
1929 * In those cases, we take the safe and cheap test.
1932 secpolicy_ip_config(const cred_t
*cr
, boolean_t checkonly
)
1934 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
1935 return (secpolicy_net_config(cr
, checkonly
));
1938 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_IP_CONFIG
, B_FALSE
) ?
1941 return (PRIV_POLICY(cr
, PRIV_SYS_IP_CONFIG
, B_FALSE
, EPERM
,
1947 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1950 secpolicy_dl_config(const cred_t
*cr
)
1952 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
1953 return (secpolicy_net_config(cr
, B_FALSE
));
1954 return (PRIV_POLICY(cr
, PRIV_SYS_DL_CONFIG
, B_FALSE
, EPERM
, NULL
));
1958 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1961 secpolicy_iptun_config(const cred_t
*cr
)
1963 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
1964 return (secpolicy_net_config(cr
, B_FALSE
));
1965 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_DL_CONFIG
, B_FALSE
))
1966 return (secpolicy_dl_config(cr
));
1967 return (PRIV_POLICY(cr
, PRIV_SYS_IPTUN_CONFIG
, B_FALSE
, EPERM
, NULL
));
1971 * Map IP pseudo privileges to actual privileges.
1972 * So we don't need to recompile IP when we change the privileges.
1975 secpolicy_ip(const cred_t
*cr
, int netpriv
, boolean_t checkonly
)
1977 int priv
= PRIV_ALL
;
1981 priv
= PRIV_SYS_IP_CONFIG
;
1984 priv
= PRIV_NET_RAWACCESS
;
1987 priv
= PRIV_NET_PRIVADDR
;
1990 ASSERT(priv
!= PRIV_ALL
);
1992 return (PRIV_POLICY_ONLY(cr
, priv
, B_FALSE
) ? 0 : EPERM
);
1994 return (PRIV_POLICY(cr
, priv
, B_FALSE
, EPERM
, NULL
));
1998 * Map network pseudo privileges to actual privileges.
1999 * So we don't need to recompile IP when we change the privileges.
2002 secpolicy_net(const cred_t
*cr
, int netpriv
, boolean_t checkonly
)
2004 int priv
= PRIV_ALL
;
2008 priv
= PRIV_SYS_NET_CONFIG
;
2011 priv
= PRIV_NET_RAWACCESS
;
2014 priv
= PRIV_NET_PRIVADDR
;
2017 ASSERT(priv
!= PRIV_ALL
);
2019 return (PRIV_POLICY_ONLY(cr
, priv
, B_FALSE
) ? 0 : EPERM
);
2021 return (PRIV_POLICY(cr
, priv
, B_FALSE
, EPERM
, NULL
));
2025 * Checks for operations that are either client-only or are used by
2026 * both clients and servers.
2029 secpolicy_nfs(const cred_t
*cr
)
2031 return (PRIV_POLICY(cr
, PRIV_SYS_NFS
, B_FALSE
, EPERM
, NULL
));
2035 * Special case for opening rpcmod: have NFS privileges or network
2036 * config privileges.
2039 secpolicy_rpcmod_open(const cred_t
*cr
)
2041 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NFS
, B_FALSE
))
2042 return (secpolicy_nfs(cr
));
2044 return (secpolicy_net_config(cr
, NULL
));
2048 secpolicy_chroot(const cred_t
*cr
)
2050 return (PRIV_POLICY(cr
, PRIV_PROC_CHROOT
, B_FALSE
, EPERM
, NULL
));
2054 secpolicy_tasksys(const cred_t
*cr
)
2056 return (PRIV_POLICY(cr
, PRIV_PROC_TASKID
, B_FALSE
, EPERM
, NULL
));
2060 secpolicy_meminfo(const cred_t
*cr
)
2062 return (PRIV_POLICY(cr
, PRIV_PROC_MEMINFO
, B_FALSE
, EPERM
, NULL
));
2066 secpolicy_pfexec_register(const cred_t
*cr
)
2068 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_TRUE
, EPERM
, NULL
));
2072 * Basic privilege checks.
2075 secpolicy_basic_exec(const cred_t
*cr
, vnode_t
*vp
)
2077 FAST_BASIC_CHECK(cr
, PRIV_PROC_EXEC
);
2079 return (priv_policy_va(cr
, PRIV_PROC_EXEC
, B_FALSE
, EPERM
, NULL
,
2080 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
));
2084 secpolicy_basic_fork(const cred_t
*cr
)
2086 FAST_BASIC_CHECK(cr
, PRIV_PROC_FORK
);
2088 return (PRIV_POLICY(cr
, PRIV_PROC_FORK
, B_FALSE
, EPERM
, NULL
));
2092 secpolicy_basic_proc(const cred_t
*cr
)
2094 FAST_BASIC_CHECK(cr
, PRIV_PROC_SESSION
);
2096 return (PRIV_POLICY(cr
, PRIV_PROC_SESSION
, B_FALSE
, EPERM
, NULL
));
2100 * Slightly complicated because we don't want to trigger the policy too
2101 * often. First we shortcircuit access to "self" (tp == sp) or if
2102 * we don't have the privilege but if we have permission
2103 * just return (0) and we don't flag the privilege as needed.
2104 * Else, we test for the privilege because we either have it or need it.
2107 secpolicy_basic_procinfo(const cred_t
*cr
, proc_t
*tp
, proc_t
*sp
)
2110 !HAS_PRIVILEGE(cr
, PRIV_PROC_INFO
) && prochasprocperm(tp
, sp
, cr
)) {
2113 return (PRIV_POLICY(cr
, PRIV_PROC_INFO
, B_FALSE
, EPERM
, NULL
));
2118 secpolicy_basic_link(const cred_t
*cr
)
2120 FAST_BASIC_CHECK(cr
, PRIV_FILE_LINK_ANY
);
2122 return (PRIV_POLICY(cr
, PRIV_FILE_LINK_ANY
, B_FALSE
, EPERM
, NULL
));
2126 secpolicy_basic_net_access(const cred_t
*cr
)
2128 FAST_BASIC_CHECK(cr
, PRIV_NET_ACCESS
);
2130 return (PRIV_POLICY(cr
, PRIV_NET_ACCESS
, B_FALSE
, EACCES
, NULL
));
2135 secpolicy_basic_file_read(const cred_t
*cr
, vnode_t
*vp
, const char *pn
)
2137 FAST_BASIC_CHECK(cr
, PRIV_FILE_READ
);
2139 return (priv_policy_va(cr
, PRIV_FILE_READ
, B_FALSE
, EACCES
, NULL
,
2140 KLPDARG_VNODE
, vp
, (char *)pn
, KLPDARG_NOMORE
));
2145 secpolicy_basic_file_write(const cred_t
*cr
, vnode_t
*vp
, const char *pn
)
2147 FAST_BASIC_CHECK(cr
, PRIV_FILE_WRITE
);
2149 return (priv_policy_va(cr
, PRIV_FILE_WRITE
, B_FALSE
, EACCES
, NULL
,
2150 KLPDARG_VNODE
, vp
, (char *)pn
, KLPDARG_NOMORE
));
2154 * Additional device protection.
2156 * Traditionally, a device has specific permissions on the node in
2157 * the filesystem which govern which devices can be opened by what
2158 * processes. In certain cases, it is desirable to add extra
2159 * restrictions, as writing to certain devices is identical to
2160 * having a complete run of the system.
2162 * This mechanism is called the device policy.
2164 * When a device is opened, its policy entry is looked up in the
2165 * policy cache and checked.
2168 secpolicy_spec_open(const cred_t
*cr
, struct vnode
*vp
, int oflag
)
2172 struct snode
*csp
= VTOS(common_specvp(vp
));
2175 mutex_enter(&csp
->s_lock
);
2177 if (csp
->s_plcy
== NULL
|| csp
->s_plcy
->dp_gen
!= devplcy_gen
) {
2178 plcy
= devpolicy_find(vp
);
2180 dpfree(csp
->s_plcy
);
2182 ASSERT(plcy
!= NULL
);
2186 if (plcy
== nullpolicy
) {
2187 mutex_exit(&csp
->s_lock
);
2193 mutex_exit(&csp
->s_lock
);
2196 pset
= plcy
->dp_wrp
;
2198 pset
= plcy
->dp_rdp
;
2201 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2202 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2203 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2204 * in the required privilege set before doing the check.
2206 if (priv_ismember(&pset
, PRIV_SYS_IP_CONFIG
) &&
2207 priv_ismember(&CR_OEPRIV(cr
), PRIV_SYS_NET_CONFIG
) &&
2208 !priv_ismember(&CR_OEPRIV(cr
), PRIV_SYS_IP_CONFIG
)) {
2209 priv_delset(&pset
, PRIV_SYS_IP_CONFIG
);
2210 priv_addset(&pset
, PRIV_SYS_NET_CONFIG
);
2213 err
= secpolicy_require_set(cr
, &pset
, "devpolicy", KLPDARG_NONE
);
2220 secpolicy_modctl(const cred_t
*cr
, int cmd
)
2229 case MODGETDEVPOLICY
:
2230 case MODGETDEVPOLICYBYNAME
:
2231 case MODDEVT2INSTANCE
:
2232 case MODSIZEOF_DEVID
:
2234 case MODSIZEOF_MINORNAME
:
2235 case MODGETMINORNAME
:
2236 case MODGETDEVFSPATH_LEN
:
2237 case MODGETDEVFSPATH
:
2238 case MODGETDEVFSPATH_MI_LEN
:
2239 case MODGETDEVFSPATH_MI
:
2243 case MODSETDEVPOLICY
:
2244 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
,
2247 return (secpolicy_sys_config(cr
, B_FALSE
));
2252 secpolicy_console(const cred_t
*cr
)
2254 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
2258 secpolicy_power_mgmt(const cred_t
*cr
)
2260 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
2264 * Simulate terminal input; another escalation of privileges avenue.
2268 secpolicy_sti(const cred_t
*cr
)
2270 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
, KLPDARG_NONE
));
2274 secpolicy_net_reply_equal(const cred_t
*cr
)
2276 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
2280 secpolicy_swapctl(const cred_t
*cr
)
2282 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
2286 secpolicy_cpc_cpu(const cred_t
*cr
)
2288 return (PRIV_POLICY(cr
, PRIV_CPC_CPU
, B_FALSE
, EACCES
, NULL
));
2292 * secpolicy_contract_identity
2294 * Determine if the subject may set the process contract FMRI value
2297 secpolicy_contract_identity(const cred_t
*cr
)
2299 return (PRIV_POLICY(cr
, PRIV_CONTRACT_IDENTITY
, B_FALSE
, EPERM
, NULL
));
2303 * secpolicy_contract_observer
2305 * Determine if the subject may observe a specific contract's events.
2308 secpolicy_contract_observer(const cred_t
*cr
, struct contract
*ct
)
2310 if (contract_owned(ct
, cr
, B_FALSE
))
2312 return (PRIV_POLICY(cr
, PRIV_CONTRACT_OBSERVER
, B_FALSE
, EPERM
, NULL
));
2316 * secpolicy_contract_observer_choice
2318 * Determine if the subject may observe any contract's events. Just
2319 * tests privilege and audits on success.
2322 secpolicy_contract_observer_choice(const cred_t
*cr
)
2324 return (PRIV_POLICY_CHOICE(cr
, PRIV_CONTRACT_OBSERVER
, B_FALSE
));
2328 * secpolicy_contract_event
2330 * Determine if the subject may request critical contract events or
2331 * reliable contract event delivery.
2334 secpolicy_contract_event(const cred_t
*cr
)
2336 return (PRIV_POLICY(cr
, PRIV_CONTRACT_EVENT
, B_FALSE
, EPERM
, NULL
));
2340 * secpolicy_contract_event_choice
2342 * Determine if the subject may retain contract events in its critical
2343 * set when a change in other terms would normally require a change in
2344 * the critical set. Just tests privilege and audits on success.
2347 secpolicy_contract_event_choice(const cred_t
*cr
)
2349 return (PRIV_POLICY_CHOICE(cr
, PRIV_CONTRACT_EVENT
, B_FALSE
));
2353 * secpolicy_gart_access
2355 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2359 secpolicy_gart_access(const cred_t
*cr
)
2361 return (PRIV_POLICY(cr
, PRIV_GRAPHICS_ACCESS
, B_FALSE
, EPERM
, NULL
));
2365 * secpolicy_gart_map
2367 * Determine if the subject has sufficient priveleges to map aperture range
2368 * through agpgart driver.
2371 secpolicy_gart_map(const cred_t
*cr
)
2373 if (PRIV_POLICY_ONLY(cr
, PRIV_GRAPHICS_ACCESS
, B_FALSE
)) {
2374 return (PRIV_POLICY(cr
, PRIV_GRAPHICS_ACCESS
, B_FALSE
, EPERM
,
2377 return (PRIV_POLICY(cr
, PRIV_GRAPHICS_MAP
, B_FALSE
, EPERM
,
2385 * Determine if the subject can inject faults in the ZFS fault injection
2386 * framework. Requires all privileges.
2389 secpolicy_zinject(const cred_t
*cr
)
2391 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
, KLPDARG_NONE
));
2397 * Determine if the subject has permission to manipulate ZFS datasets
2398 * (not pools). Equivalent to the SYS_MOUNT privilege.
2401 secpolicy_zfs(const cred_t
*cr
)
2403 return (PRIV_POLICY(cr
, PRIV_SYS_MOUNT
, B_FALSE
, EPERM
, NULL
));
2409 * Determine if the calling process has permissions to register an SID
2410 * mapping daemon and allocate ephemeral IDs.
2413 secpolicy_idmap(const cred_t
*cr
)
2415 return (PRIV_POLICY(cr
, PRIV_FILE_SETID
, B_TRUE
, EPERM
, NULL
));
2419 * secpolicy_ucode_update
2421 * Determine if the subject has sufficient privilege to update microcode.
2424 secpolicy_ucode_update(const cred_t
*scr
)
2426 return (PRIV_POLICY(scr
, PRIV_ALL
, B_FALSE
, EPERM
, NULL
));
2432 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2433 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2434 * In global zone, sys_config is required.
2435 * In exclusive-IP zones, sys_ip_config is required.
2436 * Note that sys_config is prohibited in non-global zones.
2439 secpolicy_sadopen(const cred_t
*credp
)
2443 priv_emptyset(&pset
);
2445 if (crgetzoneid(credp
) == GLOBAL_ZONEID
)
2446 priv_addset(&pset
, PRIV_SYS_CONFIG
);
2448 priv_addset(&pset
, PRIV_SYS_IP_CONFIG
);
2450 return (secpolicy_require_set(credp
, &pset
, "devpolicy", KLPDARG_NONE
));
2455 * Add privileges to a particular privilege set; this is called when the
2456 * current sets of privileges are not sufficient. I.e., we should always
2457 * call the policy override functions from here.
2458 * What we are allowed to have is in the Observed Permitted set; so
2459 * we compute the difference between that and the newset.
2462 secpolicy_require_privs(const cred_t
*cr
, const priv_set_t
*nset
)
2466 rqd
= CR_OPPRIV(cr
);
2469 priv_intersect(nset
, &rqd
);
2471 return (secpolicy_require_set(cr
, &rqd
, NULL
, KLPDARG_NONE
));
2477 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2478 * that it has permission to access the smbsrv kernel driver.
2479 * PRIV_POLICY checks the privilege and audits the check.
2482 * 0 Driver access is allowed.
2483 * EPERM Driver access is NOT permitted.
2486 secpolicy_smb(const cred_t
*cr
)
2488 return (PRIV_POLICY(cr
, PRIV_SYS_SMB
, B_FALSE
, EPERM
, NULL
));
2494 * Determine if cred_t has the necessary privileges to access a file
2495 * for virus scanning and update its extended system attributes.
2496 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2497 * PRIV_FILE_FLAG_SET - set extended system attributes
2499 * PRIV_POLICY checks the privilege and audits the check.
2502 * 0 file access for virus scanning allowed.
2503 * EPERM file access for virus scanning is NOT permitted.
2506 secpolicy_vscan(const cred_t
*cr
)
2508 if ((PRIV_POLICY(cr
, PRIV_FILE_DAC_SEARCH
, B_FALSE
, EPERM
, NULL
)) ||
2509 (PRIV_POLICY(cr
, PRIV_FILE_DAC_READ
, B_FALSE
, EPERM
, NULL
)) ||
2510 (PRIV_POLICY(cr
, PRIV_FILE_FLAG_SET
, B_FALSE
, EPERM
, NULL
))) {
2518 * secpolicy_smbfs_login
2520 * Determines if the caller can add and delete the smbfs login
2521 * password in the the nsmb kernel module for the CIFS client.
2524 * 0 access is allowed.
2525 * EPERM access is NOT allowed.
2528 secpolicy_smbfs_login(const cred_t
*cr
, uid_t uid
)
2530 uid_t cruid
= crgetruid(cr
);
2534 return (PRIV_POLICY(cr
, PRIV_PROC_OWNER
, B_FALSE
,
2539 * secpolicy_xvm_control
2541 * Determines if a caller can control the xVM hypervisor and/or running
2542 * domains (x86 specific).
2545 * 0 access is allowed.
2546 * EPERM access is NOT allowed.
2549 secpolicy_xvm_control(const cred_t
*cr
)
2551 if (PRIV_POLICY(cr
, PRIV_XVM_CONTROL
, B_FALSE
, EPERM
, NULL
))
2557 * secpolicy_ppp_config
2559 * Determine if the subject has sufficient privileges to configure PPP and
2560 * PPP-related devices.
2563 secpolicy_ppp_config(const cred_t
*cr
)
2565 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
2566 return (secpolicy_net_config(cr
, B_FALSE
));
2567 return (PRIV_POLICY(cr
, PRIV_SYS_PPP_CONFIG
, B_FALSE
, EPERM
, NULL
));