4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013, Joyent, Inc. All rights reserved.
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
34 #include <sys/errno.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
45 #include <sys/devpolicy.h>
47 #include <sys/varargs.h>
49 #include <sys/modctl.h>
52 #include <inet/optcom.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 #include <sys/dld_ioc.h>
60 * There are two possible layers of privilege routines and two possible
61 * levels of secpolicy. Plus one other we may not be interested in, so
62 * we may need as many as 6 but no more.
64 #define MAXPRIVSTACK 6
67 int priv_basic_test
= -1;
70 * This file contains the majority of the policy routines.
71 * Since the policy routines are defined by function and not
72 * by privilege, there is quite a bit of duplication of
75 * The secpolicy functions must not make assumptions about
76 * locks held or not held as any lock can be held while they're
79 * Credentials are read-only so no special precautions need to
80 * be taken while locking them.
82 * When a new policy check needs to be added to the system the
83 * following procedure should be followed:
85 * Pick an appropriate secpolicy_*() function
86 * -> done if one exists.
87 * Create a new secpolicy function, preferably with
88 * a descriptive name using the standard template.
89 * Pick an appropriate privilege for the policy.
90 * If no appropraite privilege exists, define new one
91 * (this should be done with extreme care; in most cases
92 * little is gained by adding another privilege)
94 * WHY ROOT IS STILL SPECIAL.
96 * In a number of the policy functions, there are still explicit
97 * checks for uid 0. The rationale behind these is that many root
98 * owned files/objects hold configuration information which can give full
99 * privileges to the user once written to. To prevent escalation
100 * of privilege by allowing just a single privilege to modify root owned
101 * objects, we've added these root specific checks where we considered
102 * them necessary: modifying root owned files, changing uids to 0, etc.
104 * PRIVILEGE ESCALATION AND ZONES.
106 * A number of operations potentially allow the caller to achieve
107 * privileges beyond the ones normally required to perform the operation.
108 * For example, if allowed to create a setuid 0 executable, a process can
109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
110 * restrictions on the ability to gain privileges beyond those available
111 * within the zone through file and process manipulation. Hence, such
112 * operations require that the caller have an effective set that includes
113 * all privileges available within the current zone, or all privileges
114 * if executing in the global zone.
116 * This is indicated in the priv_policy* policy checking functions
117 * through a combination of parameters. The "priv" parameter indicates
118 * the privilege that is required, and the "allzone" parameter indicates
119 * whether or not all privileges in the zone are required. In addition,
120 * priv can be set to PRIV_ALL to indicate that all privileges are
121 * required (regardless of zone). There are three scenarios of interest:
122 * (1) operation requires a specific privilege
123 * (2) operation requires a specific privilege, and requires all
124 * privileges available within the zone (or all privileges if in
126 * (3) operation requires all privileges, regardless of zone
128 * For (1), priv should be set to the specific privilege, and allzone
129 * should be set to B_FALSE.
130 * For (2), priv should be set to the specific privilege, and allzone
131 * should be set to B_TRUE.
132 * For (3), priv should be set to PRIV_ALL, and allzone should be set
138 * The privileges are checked against the Effective set for
139 * ordinary processes and checked against the Limit set
140 * for euid 0 processes that haven't manipulated their privilege
143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
148 PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
150 #define FAST_BASIC_CHECK(cr, priv) \
151 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
152 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
157 * Policy checking functions.
159 * All of the system's policy should be implemented here.
163 * Private functions which take an additional va_list argument to
164 * implement an object specific policy override.
166 static int priv_policy_ap(const cred_t
*, int, boolean_t
, int,
167 const char *, va_list);
168 static int priv_policy_va(const cred_t
*, int, boolean_t
, int,
172 * Generic policy calls
174 * The "bottom" functions of policy control
177 mprintf(const char *fmt
, ...)
184 len
= vsnprintf(NULL
, 0, fmt
, args
) + 1;
187 buf
= kmem_alloc(len
, KM_NOSLEEP
);
193 (void) vsnprintf(buf
, len
, fmt
, args
);
200 * priv_policy_errmsg()
202 * Generate an error message if privilege debugging is enabled system wide
203 * or for this particular process.
206 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
207 #define FMTMSG " for \"%s\""
208 #define FMTFUN " needed at %s+0x%lx"
210 /* The maximum size privilege format: the concatenation of the above */
211 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
214 priv_policy_errmsg(const cred_t
*cr
, int priv
, const char *msg
)
217 pc_t stack
[MAXPRIVSTACK
];
225 char fmt
[sizeof (FMTMAX
)];
227 if ((me
= curproc
) == &p0
)
230 /* Privileges must be defined */
231 ASSERT(priv
== PRIV_ALL
|| priv
== PRIV_MULTIPLE
||
232 priv
== PRIV_ALLZONE
|| priv
== PRIV_GLOBAL
||
233 priv_getbynum(priv
) != NULL
);
235 if (priv
== PRIV_ALLZONE
&& INGLOBALZONE(me
))
238 if (curthread
->t_pre_sys
)
239 ttolwp(curthread
)->lwp_badpriv
= (short)priv
;
241 if (priv_debug
== 0 && (CR_FLAGS(cr
) & PRIV_DEBUG
) == 0)
244 (void) strcpy(fmt
, FMTHDR
);
246 if (me
->p_user
.u_comm
[0])
247 cmd
= &me
->p_user
.u_comm
[0];
251 if (msg
!= NULL
&& *msg
!= '\0') {
252 (void) strcat(fmt
, FMTMSG
);
254 (void) strcat(fmt
, "%s");
260 depth
= getpcstack(stack
, MAXPRIVSTACK
);
263 * Try to find the first interesting function on the stack.
264 * priv_policy* that's us, so completely uninteresting.
265 * suser(), drv_priv(), secpolicy_* are also called from
266 * too many locations to convey useful information.
268 for (i
= 0; i
< depth
; i
++) {
269 sym
= kobj_getsymname((uintptr_t)stack
[i
], &off
);
271 strstr(sym
, "hasprocperm") == 0 &&
272 strcmp("suser", sym
) != 0 &&
273 strcmp("ipcaccess", sym
) != 0 &&
274 strcmp("drv_priv", sym
) != 0 &&
275 strncmp("secpolicy_", sym
, 10) != 0 &&
276 strncmp("priv_policy", sym
, 11) != 0)
281 (void) strcat(fmt
, FMTFUN
);
283 (void) strcat(fmt
, "\n");
299 pname
= priv_getbynum(priv
);
303 if (CR_FLAGS(cr
) & PRIV_DEBUG
) {
304 /* Remember last message, just like lwp_badpriv. */
305 if (curthread
->t_pdmsg
!= NULL
) {
306 kmem_free(curthread
->t_pdmsg
,
307 strlen(curthread
->t_pdmsg
) + 1);
310 curthread
->t_pdmsg
= mprintf(fmt
, cmd
, me
->p_pid
, pname
,
311 cr
->cr_uid
, curthread
->t_sysnum
, msg
, sym
, off
);
313 curthread
->t_post_sys
= 1;
316 cmn_err(CE_NOTE
, fmt
, cmd
, me
->p_pid
, pname
, cr
->cr_uid
,
317 curthread
->t_sysnum
, msg
, sym
, off
);
322 * Override the policy, if appropriate. Return 0 if the external
323 * policy engine approves.
326 priv_policy_override(const cred_t
*cr
, int priv
, boolean_t allzone
, va_list ap
)
331 if (!(CR_FLAGS(cr
) & PRIV_XPOLICY
))
334 if (priv
== PRIV_ALL
) {
336 } else if (allzone
) {
337 set
= *ZONEPRIVS(cr
);
340 priv_addset(&set
, priv
);
342 ret
= klpd_call(cr
, &set
, ap
);
347 priv_policy_override_set(const cred_t
*cr
, const priv_set_t
*req
, va_list ap
)
349 if (CR_FLAGS(cr
) & PRIV_PFEXEC
)
350 return (check_user_privs(cr
, req
));
351 if (CR_FLAGS(cr
) & PRIV_XPOLICY
) {
352 return (klpd_call(cr
, req
, ap
));
358 priv_policy_override_set_va(const cred_t
*cr
, const priv_set_t
*req
, ...)
364 ret
= priv_policy_override_set(cr
, req
, ap
);
370 * Audit failure, log error message.
373 priv_policy_err(const cred_t
*cr
, int priv
, boolean_t allzone
, const char *msg
)
377 audit_priv(priv
, allzone
? ZONEPRIVS(cr
) : NULL
, 0);
378 DTRACE_PROBE2(priv__err
, int, priv
, boolean_t
, allzone
);
380 if (priv_debug
|| (CR_FLAGS(cr
) & PRIV_DEBUG
) ||
381 curthread
->t_pre_sys
) {
382 if (allzone
&& !HAS_ALLZONEPRIVS(cr
)) {
383 priv_policy_errmsg(cr
, PRIV_ALLZONE
, msg
);
385 ASSERT(!HAS_PRIVILEGE(cr
, priv
));
386 priv_policy_errmsg(cr
, priv
, msg
);
394 * See block comment above for a description of "priv" and "allzone" usage.
397 priv_policy_ap(const cred_t
*cr
, int priv
, boolean_t allzone
, int err
,
398 const char *msg
, va_list ap
)
400 if ((HAS_PRIVILEGE(cr
, priv
) && (!allzone
|| HAS_ALLZONEPRIVS(cr
))) ||
401 (!servicing_interrupt() &&
402 priv_policy_override(cr
, priv
, allzone
, ap
) == 0)) {
403 if ((allzone
|| priv
== PRIV_ALL
||
404 !PRIV_ISASSERT(priv_basic
, priv
)) &&
405 !servicing_interrupt()) {
406 PTOU(curproc
)->u_acflag
|= ASU
; /* Needed for SVVS */
409 allzone
? ZONEPRIVS(cr
) : NULL
, 1);
412 DTRACE_PROBE2(priv__ok
, int, priv
, boolean_t
, allzone
);
413 } else if (!servicing_interrupt()) {
414 /* Failure audited in this procedure */
415 priv_policy_err(cr
, priv
, allzone
, msg
);
421 priv_policy_va(const cred_t
*cr
, int priv
, boolean_t allzone
, int err
,
422 const char *msg
, ...)
428 ret
= priv_policy_ap(cr
, priv
, allzone
, err
, msg
, ap
);
435 priv_policy(const cred_t
*cr
, int priv
, boolean_t allzone
, int err
,
438 return (priv_policy_va(cr
, priv
, allzone
, err
, msg
, KLPDARG_NONE
));
442 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
445 priv_policy_choice(const cred_t
*cr
, int priv
, boolean_t allzone
)
447 boolean_t res
= HAS_PRIVILEGE(cr
, priv
) &&
448 (!allzone
|| HAS_ALLZONEPRIVS(cr
));
450 /* Audit success only */
451 if (res
&& AU_AUDITING() &&
452 (allzone
|| priv
== PRIV_ALL
|| !PRIV_ISASSERT(priv_basic
, priv
)) &&
453 !servicing_interrupt()) {
454 audit_priv(priv
, allzone
? ZONEPRIVS(cr
) : NULL
, 1);
457 DTRACE_PROBE2(priv__ok
, int, priv
, boolean_t
, allzone
);
459 DTRACE_PROBE2(priv__err
, int, priv
, boolean_t
, allzone
);
465 * Non-auditing variant of priv_policy_choice().
468 priv_policy_only(const cred_t
*cr
, int priv
, boolean_t allzone
)
470 boolean_t res
= HAS_PRIVILEGE(cr
, priv
) &&
471 (!allzone
|| HAS_ALLZONEPRIVS(cr
));
474 DTRACE_PROBE2(priv__ok
, int, priv
, boolean_t
, allzone
);
476 DTRACE_PROBE2(priv__err
, int, priv
, boolean_t
, allzone
);
482 * Check whether all privileges in the required set are present.
485 secpolicy_require_set(const cred_t
*cr
, const priv_set_t
*req
,
486 const char *msg
, ...)
494 if (req
== PRIV_FULLSET
? HAS_ALLPRIVS(cr
) : priv_issubset(req
,
500 ret
= priv_policy_override_set(cr
, req
, ap
);
505 if (req
== PRIV_FULLSET
|| priv_isfullset(req
)) {
506 priv_policy_err(cr
, PRIV_ALL
, B_FALSE
, msg
);
510 pset
= CR_OEPRIV(cr
); /* present privileges */
511 priv_inverse(&pset
); /* all non present privileges */
512 priv_intersect(req
, &pset
); /* the actual missing privs */
515 audit_priv(PRIV_NONE
, &pset
, 0);
517 * Privilege debugging; special case "one privilege in set".
519 if (priv_debug
|| (CR_FLAGS(cr
) & PRIV_DEBUG
) || curthread
->t_pre_sys
) {
520 for (priv
= 0; priv
< nprivs
; priv
++) {
521 if (priv_ismember(&pset
, priv
)) {
523 /* Multiple missing privs */
524 priv_policy_errmsg(cr
, PRIV_MULTIPLE
,
531 ASSERT(pfound
!= -1);
532 /* Just the one missing privilege */
533 priv_policy_errmsg(cr
, pfound
, msg
);
540 * Called when an operation requires that the caller be in the
541 * global zone, regardless of privilege.
544 priv_policy_global(const cred_t
*cr
)
546 if (crgetzoneid(cr
) == GLOBAL_ZONEID
)
547 return (0); /* success */
549 if (priv_debug
|| (CR_FLAGS(cr
) & PRIV_DEBUG
) ||
550 curthread
->t_pre_sys
) {
551 priv_policy_errmsg(cr
, PRIV_GLOBAL
, NULL
);
557 * Raising process priority
560 secpolicy_raisepriority(const cred_t
*cr
)
562 if (PRIV_POLICY(cr
, PRIV_PROC_PRIOUP
, B_FALSE
, EPERM
, NULL
) == 0)
564 return (secpolicy_setpriority(cr
));
568 * Changing process priority or scheduling class
571 secpolicy_setpriority(const cred_t
*cr
)
573 return (PRIV_POLICY(cr
, PRIV_PROC_PRIOCNTL
, B_FALSE
, EPERM
, NULL
));
577 * Binding to a privileged port, port must be specified in host byte
579 * When adding a new privilege which allows binding to currently privileged
580 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
581 * to these ports because of backward compatibility.
584 secpolicy_net_privaddr(const cred_t
*cr
, in_port_t port
, int proto
)
595 * NBT and SMB ports, these are normal privileged ports,
596 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
598 * Try both, if neither is present return an error for
601 if (PRIV_POLICY_ONLY(cr
, PRIV_NET_PRIVADDR
, B_FALSE
))
602 priv
= PRIV_NET_PRIVADDR
;
605 reason
= "NBT or SMB port";
611 * NFS ports, these are extra privileged ports, allow bind
612 * only if the SYS_NFS privilege is present.
619 priv
= PRIV_NET_PRIVADDR
;
625 return (priv_policy_va(cr
, priv
, B_FALSE
, EACCES
, reason
,
626 KLPDARG_PORT
, (int)proto
, (int)port
, KLPDARG_NOMORE
));
630 * Binding to a multilevel port on a trusted (labeled) system.
633 secpolicy_net_bindmlp(const cred_t
*cr
)
635 return (PRIV_POLICY(cr
, PRIV_NET_BINDMLP
, B_FALSE
, EACCES
, NULL
));
639 * Allow a communication between a zone and an unlabeled host when their
640 * labels don't match.
643 secpolicy_net_mac_aware(const cred_t
*cr
)
645 return (PRIV_POLICY(cr
, PRIV_NET_MAC_AWARE
, B_FALSE
, EACCES
, NULL
));
649 * Allow a privileged process to transmit traffic without explicit labels
652 secpolicy_net_mac_implicit(const cred_t
*cr
)
654 return (PRIV_POLICY(cr
, PRIV_NET_MAC_IMPLICIT
, B_FALSE
, EACCES
, NULL
));
658 * Common routine which determines whether a given credential can
659 * act on a given mount.
660 * When called through mount, the parameter needoptcheck is a pointer
661 * to a boolean variable which will be set to either true or false,
662 * depending on whether the mount policy should change the mount options.
663 * In all other cases, needoptcheck should be a NULL pointer.
666 secpolicy_fs_common(cred_t
*cr
, vnode_t
*mvp
, const vfs_t
*vfsp
,
667 boolean_t
*needoptcheck
)
669 boolean_t allzone
= B_FALSE
;
670 boolean_t mounting
= needoptcheck
!= NULL
;
673 * Short circuit the following cases:
674 * vfsp == NULL or mvp == NULL (pure privilege check)
675 * have all privileges - no further checks required
676 * and no mount options need to be set.
678 if (vfsp
== NULL
|| mvp
== NULL
|| HAS_ALLPRIVS(cr
)) {
680 *needoptcheck
= B_FALSE
;
682 return (priv_policy_va(cr
, PRIV_SYS_MOUNT
, allzone
, EPERM
,
683 NULL
, KLPDARG_VNODE
, mvp
, (char *)NULL
, KLPDARG_NOMORE
));
687 * When operating on an existing mount (either we're not mounting
688 * or we're doing a remount and VFS_REMOUNT will be set), zones
689 * can operate only on mounts established by the zone itself.
691 if (!mounting
|| (vfsp
->vfs_flag
& VFS_REMOUNT
) != 0) {
692 zoneid_t zoneid
= crgetzoneid(cr
);
694 if (zoneid
!= GLOBAL_ZONEID
&&
695 vfsp
->vfs_zone
->zone_id
!= zoneid
) {
701 *needoptcheck
= B_TRUE
;
704 * Overlay mounts may hide important stuff; if you can't write to a
705 * mount point but would be able to mount on top of it, you can
706 * escalate your privileges.
707 * So we go about asking the same questions namefs does when it
708 * decides whether you can mount over a file or not but with the
709 * added restriction that you can only mount on top of a regular
711 * If we have all the zone's privileges, we skip all other checks,
712 * or else we may actually get in trouble inside the automounter.
714 if ((mvp
->v_flag
& VROOT
) != 0 ||
715 (mvp
->v_type
!= VDIR
&& mvp
->v_type
!= VREG
) ||
716 HAS_ALLZONEPRIVS(cr
)) {
722 va
.va_mask
= AT_UID
|AT_MODE
;
723 err
= VOP_GETATTR(mvp
, &va
, 0, cr
, NULL
);
727 if ((err
= secpolicy_vnode_owner(cr
, va
.va_uid
)) != 0)
730 if (secpolicy_vnode_access2(cr
, mvp
, va
.va_uid
, va
.va_mode
,
735 return (priv_policy_va(cr
, PRIV_SYS_MOUNT
, allzone
, EPERM
,
736 NULL
, KLPDARG_VNODE
, mvp
, (char *)NULL
, KLPDARG_NOMORE
));
740 secpolicy_fs_mount_clearopts(cred_t
*cr
, struct vfs
*vfsp
)
742 boolean_t amsuper
= HAS_ALLZONEPRIVS(cr
);
745 * check; if we don't have either "nosuid" or
746 * both "nosetuid" and "nodevices", then we add
747 * "nosuid"; this depends on how the current
748 * implementation works (it first checks nosuid). In a
749 * zone, a user with all zone privileges can mount with
750 * "setuid" but never with "devices".
752 if (!vfs_optionisset(vfsp
, MNTOPT_NOSUID
, NULL
) &&
753 (!vfs_optionisset(vfsp
, MNTOPT_NODEVICES
, NULL
) ||
754 !vfs_optionisset(vfsp
, MNTOPT_NOSETUID
, NULL
))) {
755 if (crgetzoneid(cr
) == GLOBAL_ZONEID
|| !amsuper
)
756 vfs_setmntopt(vfsp
, MNTOPT_NOSUID
, NULL
, 0);
758 vfs_setmntopt(vfsp
, MNTOPT_NODEVICES
, NULL
, 0);
761 * If we're not the local super user, we set the "restrict"
762 * option to indicate to automountd that this mount should
763 * be handled with care.
766 vfs_setmntopt(vfsp
, MNTOPT_RESTRICT
, NULL
, 0);
771 secpolicy_fs_allowed_mount(const char *fsname
)
777 ASSERT(fsname
!= NULL
);
778 ASSERT(fsname
[0] != '\0');
780 if (INGLOBALZONE(curproc
))
783 vswp
= vfs_getvfssw(fsname
);
787 if ((vswp
->vsw_flag
& VSW_ZMOUNT
) != 0) {
788 vfs_unrefvfssw(vswp
);
792 vfs_unrefvfssw(vswp
);
794 p
= curzone
->zone_fs_allowed
;
795 len
= strlen(fsname
);
797 while (p
!= NULL
&& *p
!= '\0') {
798 if (strncmp(p
, fsname
, len
) == 0) {
800 if (c
== '\0' || c
== ',')
804 /* skip to beyond the next comma */
805 if ((p
= strchr(p
, ',')) != NULL
)
812 extern vnode_t
*rootvp
;
813 extern vfs_t
*rootvfs
;
816 secpolicy_fs_mount(cred_t
*cr
, vnode_t
*mvp
, struct vfs
*vfsp
)
818 boolean_t needoptchk
;
822 * If it's a remount, get the underlying mount point,
823 * except for the root where we use the rootvp.
825 if ((vfsp
->vfs_flag
& VFS_REMOUNT
) != 0) {
829 mvp
= vfsp
->vfs_vnodecovered
;
832 error
= secpolicy_fs_common(cr
, mvp
, vfsp
, &needoptchk
);
834 if (error
== 0 && needoptchk
) {
835 secpolicy_fs_mount_clearopts(cr
, vfsp
);
842 * Does the policy computations for "ownership" of a mount;
843 * here ownership is defined as the ability to "mount"
844 * the filesystem originally. The rootvfs doesn't cover any
845 * vnodes; we attribute its ownership to the rootvp.
848 secpolicy_fs_owner(cred_t
*cr
, const struct vfs
*vfsp
)
854 else if (vfsp
== rootvfs
)
857 mvp
= vfsp
->vfs_vnodecovered
;
859 return (secpolicy_fs_common(cr
, mvp
, vfsp
, NULL
));
863 secpolicy_fs_unmount(cred_t
*cr
, struct vfs
*vfsp
)
865 return (secpolicy_fs_owner(cr
, vfsp
));
869 * Quotas are a resource, but if one has the ability to mount a filesystem, he
870 * should be able to modify quotas on it.
873 secpolicy_fs_quota(const cred_t
*cr
, const vfs_t
*vfsp
)
875 return (secpolicy_fs_owner((cred_t
*)cr
, vfsp
));
879 * Exceeding minfree: also a per-mount resource constraint.
882 secpolicy_fs_minfree(const cred_t
*cr
, const vfs_t
*vfsp
)
884 return (secpolicy_fs_owner((cred_t
*)cr
, vfsp
));
888 secpolicy_fs_config(const cred_t
*cr
, const vfs_t
*vfsp
)
890 return (secpolicy_fs_owner((cred_t
*)cr
, vfsp
));
895 secpolicy_fs_linkdir(const cred_t
*cr
, const vfs_t
*vfsp
)
897 return (PRIV_POLICY(cr
, PRIV_SYS_LINKDIR
, B_FALSE
, EPERM
, NULL
));
901 * Name: secpolicy_vnode_access()
903 * Parameters: Process credential
905 * uid of owner of vnode
906 * permission bits not granted to the caller when examining
907 * file mode bits (i.e., when a process wants to open a
908 * mode 444 file for VREAD|VWRITE, this function should be
909 * called only with a VWRITE argument).
911 * Normal: Verifies that cred has the appropriate privileges to
912 * override the mode bits that were denied.
914 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
916 * file_dac_read - if VREAD bit was denied.
917 * file_dac_search - if VEXEC bit was denied and vnode is
919 * file_dac_write - if VWRITE bit was denied.
921 * Root owned files are special cased to protect system
922 * configuration files and such.
924 * Output: EACCES - if privilege check fails.
928 secpolicy_vnode_access(const cred_t
*cr
, vnode_t
*vp
, uid_t owner
, mode_t mode
)
930 if ((mode
& VREAD
) && priv_policy_va(cr
, PRIV_FILE_DAC_READ
, B_FALSE
,
931 EACCES
, NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
932 KLPDARG_NOMORE
) != 0) {
939 if (owner
== 0 && cr
->cr_uid
!= 0)
943 if (priv_policy_va(cr
, PRIV_FILE_DAC_WRITE
, allzone
, EACCES
,
944 NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
945 KLPDARG_NOMORE
) != 0) {
952 * Directories use file_dac_search to override the execute bit.
954 int p
= vp
->v_type
== VDIR
? PRIV_FILE_DAC_SEARCH
:
955 PRIV_FILE_DAC_EXECUTE
;
957 return (priv_policy_va(cr
, p
, B_FALSE
, EACCES
, NULL
,
958 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
));
964 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
965 * current mode of the file, not the missing bits.
968 secpolicy_vnode_access2(const cred_t
*cr
, vnode_t
*vp
, uid_t owner
,
969 mode_t curmode
, mode_t wantmode
)
973 /* Inline the basic privileges tests. */
974 if ((wantmode
& VREAD
) &&
975 !PRIV_ISASSERT(&CR_OEPRIV(cr
), PRIV_FILE_READ
) &&
976 priv_policy_va(cr
, PRIV_FILE_READ
, B_FALSE
, EACCES
, NULL
,
977 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
) != 0) {
981 if ((wantmode
& VWRITE
) &&
982 !PRIV_ISASSERT(&CR_OEPRIV(cr
), PRIV_FILE_WRITE
) &&
983 priv_policy_va(cr
, PRIV_FILE_WRITE
, B_FALSE
, EACCES
, NULL
,
984 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
) != 0) {
988 mode
= ~curmode
& wantmode
;
993 if ((mode
& VREAD
) && priv_policy_va(cr
, PRIV_FILE_DAC_READ
, B_FALSE
,
994 EACCES
, NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
995 KLPDARG_NOMORE
) != 0) {
1002 if (owner
== 0 && cr
->cr_uid
!= 0)
1006 if (priv_policy_va(cr
, PRIV_FILE_DAC_WRITE
, allzone
, EACCES
,
1007 NULL
, KLPDARG_VNODE
, vp
, (char *)NULL
,
1008 KLPDARG_NOMORE
) != 0) {
1015 * Directories use file_dac_search to override the execute bit.
1017 int p
= vp
->v_type
== VDIR
? PRIV_FILE_DAC_SEARCH
:
1018 PRIV_FILE_DAC_EXECUTE
;
1020 return (priv_policy_va(cr
, p
, B_FALSE
, EACCES
, NULL
,
1021 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
));
1027 * This is a special routine for ZFS; it is used to determine whether
1028 * any of the privileges in effect allow any form of access to the
1029 * file. There's no reason to audit this or any reason to record
1030 * this. More work is needed to do the "KPLD" stuff.
1033 secpolicy_vnode_any_access(const cred_t
*cr
, vnode_t
*vp
, uid_t owner
)
1035 static int privs
[] = {
1039 PRIV_FILE_DAC_WRITE
,
1040 PRIV_FILE_DAC_EXECUTE
,
1041 PRIV_FILE_DAC_SEARCH
,
1045 /* Same as secpolicy_vnode_setdac */
1046 if (owner
== cr
->cr_uid
)
1049 for (i
= 0; i
< sizeof (privs
)/sizeof (int); i
++) {
1050 boolean_t allzone
= B_FALSE
;
1053 switch (priv
= privs
[i
]) {
1054 case PRIV_FILE_DAC_EXECUTE
:
1055 if (vp
->v_type
== VDIR
)
1058 case PRIV_FILE_DAC_SEARCH
:
1059 if (vp
->v_type
!= VDIR
)
1062 case PRIV_FILE_DAC_WRITE
:
1063 case PRIV_FILE_OWNER
:
1064 case PRIV_FILE_CHOWN
:
1065 /* We know here that if owner == 0, that cr_uid != 0 */
1066 allzone
= owner
== 0;
1069 if (PRIV_POLICY_CHOICE(cr
, priv
, allzone
))
1076 * Name: secpolicy_vnode_setid_modify()
1078 * Normal: verify that subject can set the file setid flags.
1080 * Output: EPERM - if not privileged.
1084 secpolicy_vnode_setid_modify(const cred_t
*cr
, uid_t owner
)
1086 /* If changing to suid root, must have all zone privs */
1087 boolean_t allzone
= B_TRUE
;
1090 if (owner
== cr
->cr_uid
)
1094 return (PRIV_POLICY(cr
, PRIV_FILE_SETID
, allzone
, EPERM
, NULL
));
1098 * Are we allowed to retain the set-uid/set-gid bits when
1099 * changing ownership or when writing to a file?
1100 * "issuid" should be true when set-uid; only in that case
1101 * root ownership is checked (setgid is assumed).
1104 secpolicy_vnode_setid_retain(const cred_t
*cred
, boolean_t issuidroot
)
1106 if (issuidroot
&& !HAS_ALLZONEPRIVS(cred
))
1109 return (!PRIV_POLICY_CHOICE(cred
, PRIV_FILE_SETID
, B_FALSE
));
1113 * Name: secpolicy_vnode_setids_setgids()
1115 * Normal: verify that subject can set the file setgid flag.
1117 * Output: EPERM - if not privileged
1121 secpolicy_vnode_setids_setgids(const cred_t
*cred
, gid_t gid
)
1123 if (!groupmember(gid
, cred
))
1124 return (PRIV_POLICY(cred
, PRIV_FILE_SETID
, B_FALSE
, EPERM
,
1130 * Name: secpolicy_vnode_chown
1132 * Normal: Determine if subject can chown owner of a file.
1134 * Output: EPERM - if access denied
1138 secpolicy_vnode_chown(const cred_t
*cred
, uid_t owner
)
1140 boolean_t is_owner
= (owner
== crgetuid(cred
));
1141 boolean_t allzone
= B_FALSE
;
1145 allzone
= (owner
== 0);
1146 priv
= PRIV_FILE_CHOWN
;
1148 priv
= HAS_PRIVILEGE(cred
, PRIV_FILE_CHOWN
) ?
1149 PRIV_FILE_CHOWN
: PRIV_FILE_CHOWN_SELF
;
1152 return (PRIV_POLICY(cred
, priv
, allzone
, EPERM
, NULL
));
1156 * Name: secpolicy_vnode_create_gid
1158 * Normal: Determine if subject can change group ownership of a file.
1160 * Output: EPERM - if access denied
1163 secpolicy_vnode_create_gid(const cred_t
*cred
)
1165 if (HAS_PRIVILEGE(cred
, PRIV_FILE_CHOWN
))
1166 return (PRIV_POLICY(cred
, PRIV_FILE_CHOWN
, B_FALSE
, EPERM
,
1169 return (PRIV_POLICY(cred
, PRIV_FILE_CHOWN_SELF
, B_FALSE
, EPERM
,
1174 * Name: secpolicy_vnode_utime_modify()
1176 * Normal: verify that subject can modify the utime on a file.
1178 * Output: EPERM - if access denied.
1182 secpolicy_vnode_utime_modify(const cred_t
*cred
)
1184 return (PRIV_POLICY(cred
, PRIV_FILE_OWNER
, B_FALSE
, EPERM
,
1185 "modify file times"));
1190 * Name: secpolicy_vnode_setdac()
1192 * Normal: verify that subject can modify the mode of a file.
1193 * allzone privilege needed when modifying root owned object.
1195 * Output: EPERM - if access denied.
1199 secpolicy_vnode_setdac(const cred_t
*cred
, uid_t owner
)
1201 if (owner
== cred
->cr_uid
)
1204 return (PRIV_POLICY(cred
, PRIV_FILE_OWNER
, owner
== 0, EPERM
, NULL
));
1207 * Name: secpolicy_vnode_stky_modify()
1209 * Normal: verify that subject can make a file a "sticky".
1211 * Output: EPERM - if access denied.
1215 secpolicy_vnode_stky_modify(const cred_t
*cred
)
1217 return (PRIV_POLICY(cred
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
,
1218 "set file sticky"));
1222 * Policy determines whether we can remove an entry from a directory,
1223 * regardless of permission bits.
1226 secpolicy_vnode_remove(const cred_t
*cr
)
1228 return (PRIV_POLICY(cr
, PRIV_FILE_OWNER
, B_FALSE
, EACCES
,
1229 "sticky directory"));
1233 secpolicy_vnode_owner(const cred_t
*cr
, uid_t owner
)
1235 boolean_t allzone
= (owner
== 0);
1237 if (owner
== cr
->cr_uid
)
1240 return (PRIV_POLICY(cr
, PRIV_FILE_OWNER
, allzone
, EPERM
, NULL
));
1244 secpolicy_setid_clear(vattr_t
*vap
, cred_t
*cr
)
1246 if ((vap
->va_mode
& (S_ISUID
| S_ISGID
)) != 0 &&
1247 secpolicy_vnode_setid_retain(cr
,
1248 (vap
->va_mode
& S_ISUID
) != 0 &&
1249 (vap
->va_mask
& AT_UID
) != 0 && vap
->va_uid
== 0) != 0) {
1250 vap
->va_mask
|= AT_MODE
;
1251 vap
->va_mode
&= ~(S_ISUID
|S_ISGID
);
1256 secpolicy_setid_setsticky_clear(vnode_t
*vp
, vattr_t
*vap
, const vattr_t
*ovap
,
1261 if ((vap
->va_mode
& S_ISUID
) != 0 &&
1262 (error
= secpolicy_vnode_setid_modify(cr
,
1263 ovap
->va_uid
)) != 0) {
1268 * Check privilege if attempting to set the
1269 * sticky bit on a non-directory.
1271 if (vp
->v_type
!= VDIR
&& (vap
->va_mode
& S_ISVTX
) != 0 &&
1272 secpolicy_vnode_stky_modify(cr
) != 0) {
1273 vap
->va_mode
&= ~S_ISVTX
;
1277 * Check for privilege if attempting to set the
1280 if ((vap
->va_mode
& S_ISGID
) != 0 &&
1281 secpolicy_vnode_setids_setgids(cr
, ovap
->va_gid
) != 0) {
1282 vap
->va_mode
&= ~S_ISGID
;
1288 #define ATTR_FLAG_PRIV(attr, value, cr) \
1289 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1290 B_FALSE, EPERM, NULL)
1293 * Check privileges for setting xvattr attributes
1296 secpolicy_xvattr(xvattr_t
*xvap
, uid_t owner
, cred_t
*cr
, vtype_t vtype
)
1301 if ((xoap
= xva_getxoptattr(xvap
)) == NULL
)
1305 * First process the DOS bits
1307 if (XVA_ISSET_REQ(xvap
, XAT_ARCHIVE
) ||
1308 XVA_ISSET_REQ(xvap
, XAT_HIDDEN
) ||
1309 XVA_ISSET_REQ(xvap
, XAT_READONLY
) ||
1310 XVA_ISSET_REQ(xvap
, XAT_SYSTEM
) ||
1311 XVA_ISSET_REQ(xvap
, XAT_CREATETIME
) ||
1312 XVA_ISSET_REQ(xvap
, XAT_OFFLINE
) ||
1313 XVA_ISSET_REQ(xvap
, XAT_SPARSE
)) {
1314 if ((error
= secpolicy_vnode_owner(cr
, owner
)) != 0)
1319 * Now handle special attributes
1322 if (XVA_ISSET_REQ(xvap
, XAT_IMMUTABLE
))
1323 error
= ATTR_FLAG_PRIV(XAT_IMMUTABLE
,
1324 xoap
->xoa_immutable
, cr
);
1325 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_NOUNLINK
))
1326 error
= ATTR_FLAG_PRIV(XAT_NOUNLINK
,
1327 xoap
->xoa_nounlink
, cr
);
1328 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_APPENDONLY
))
1329 error
= ATTR_FLAG_PRIV(XAT_APPENDONLY
,
1330 xoap
->xoa_appendonly
, cr
);
1331 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_NODUMP
))
1332 error
= ATTR_FLAG_PRIV(XAT_NODUMP
,
1333 xoap
->xoa_nodump
, cr
);
1334 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_OPAQUE
))
1336 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_AV_QUARANTINED
)) {
1337 error
= ATTR_FLAG_PRIV(XAT_AV_QUARANTINED
,
1338 xoap
->xoa_av_quarantined
, cr
);
1339 if (error
== 0 && vtype
!= VREG
&& xoap
->xoa_av_quarantined
)
1342 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_AV_MODIFIED
))
1343 error
= ATTR_FLAG_PRIV(XAT_AV_MODIFIED
,
1344 xoap
->xoa_av_modified
, cr
);
1345 if (error
== 0 && XVA_ISSET_REQ(xvap
, XAT_AV_SCANSTAMP
)) {
1346 error
= ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP
,
1347 xoap
->xoa_av_scanstamp
, cr
);
1348 if (error
== 0 && vtype
!= VREG
)
1355 * This function checks the policy decisions surrounding the
1358 * It should be called after sufficient locks have been established
1359 * on the underlying data structures. No concurrent modifications
1360 * should be allowed.
1362 * The caller must pass in unlocked version of its vaccess function
1363 * this is required because vop_access function should lock the
1364 * node for reading. A three argument function should be defined
1365 * which accepts the following argument:
1366 * A pointer to the internal "node" type (inode *)
1367 * vnode access bits (VREAD|VWRITE|VEXEC)
1368 * a pointer to the credential
1370 * This function makes the following policy decisions:
1372 * - change permissions
1373 * - permission to change file mode if not owner
1374 * - permission to add sticky bit to non-directory
1375 * - permission to add set-gid bit
1377 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1379 * If the vap argument does not include AT_MODE, the mode will be copied from
1380 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1381 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1382 * is updated to the newly computed mode.
1386 secpolicy_vnode_setattr(cred_t
*cr
, struct vnode
*vp
, struct vattr
*vap
,
1387 const struct vattr
*ovap
, int flags
,
1388 int unlocked_access(void *, int, cred_t
*),
1391 int mask
= vap
->va_mask
;
1393 boolean_t skipaclchk
= (flags
& ATTR_NOACLCHECK
) ? B_TRUE
: B_FALSE
;
1395 if (mask
& AT_SIZE
) {
1396 if (vp
->v_type
== VDIR
) {
1402 * If ATTR_NOACLCHECK is set in the flags, then we don't
1403 * perform the secondary unlocked_access() call since the
1404 * ACL (if any) is being checked there.
1406 if (skipaclchk
== B_FALSE
) {
1407 error
= unlocked_access(node
, VWRITE
, cr
);
1412 if (mask
& AT_MODE
) {
1414 * If not the owner of the file then check privilege
1415 * for two things: the privilege to set the mode at all
1416 * and, if we're setting setuid, we also need permissions
1417 * to add the set-uid bit, if we're not the owner.
1418 * In the specific case of creating a set-uid root
1419 * file, we need even more permissions.
1421 if ((error
= secpolicy_vnode_setdac(cr
, ovap
->va_uid
)) != 0)
1424 if ((error
= secpolicy_setid_setsticky_clear(vp
, vap
,
1428 vap
->va_mode
= ovap
->va_mode
;
1430 if (mask
& (AT_UID
|AT_GID
)) {
1431 boolean_t checkpriv
= B_FALSE
;
1436 * If you are the file owner:
1437 * chown to other uid FILE_CHOWN_SELF
1438 * chown to gid (non-member) FILE_CHOWN_SELF
1439 * chown to gid (member) <none>
1441 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1442 * acceptable but the first one is reported when debugging.
1444 * If you are not the file owner:
1445 * chown from root PRIV_FILE_CHOWN + zone
1446 * chown from other to any PRIV_FILE_CHOWN
1449 if (cr
->cr_uid
!= ovap
->va_uid
) {
1452 if (((mask
& AT_UID
) && vap
->va_uid
!= ovap
->va_uid
) ||
1453 ((mask
& AT_GID
) && vap
->va_gid
!= ovap
->va_gid
&&
1454 !groupmember(vap
->va_gid
, cr
))) {
1459 * If necessary, check privilege to see if update can be done.
1462 (error
= secpolicy_vnode_chown(cr
, ovap
->va_uid
)) != 0) {
1467 * If the file has either the set UID or set GID bits
1468 * set and the caller can set the bits, then leave them.
1470 secpolicy_setid_clear(vap
, cr
);
1472 if (mask
& (AT_ATIME
|AT_MTIME
)) {
1474 * If not the file owner and not otherwise privileged,
1475 * always return an error when setting the
1476 * time other than the current (ATTR_UTIME flag set).
1477 * If setting the current time (ATTR_UTIME not set) then
1478 * unlocked_access will check permissions according to policy.
1480 if (cr
->cr_uid
!= ovap
->va_uid
) {
1481 if (flags
& ATTR_UTIME
)
1482 error
= secpolicy_vnode_utime_modify(cr
);
1483 else if (skipaclchk
== B_FALSE
) {
1484 error
= unlocked_access(node
, VWRITE
, cr
);
1485 if (error
== EACCES
&&
1486 secpolicy_vnode_utime_modify(cr
) == 0)
1495 * Check for optional attributes here by checking the following:
1497 if (mask
& AT_XVATTR
)
1498 error
= secpolicy_xvattr((xvattr_t
*)vap
, ovap
->va_uid
, cr
,
1505 * Name: secpolicy_pcfs_modify_bootpartition()
1507 * Normal: verify that subject can modify a pcfs boot partition.
1509 * Output: EACCES - if privilege check failed.
1513 secpolicy_pcfs_modify_bootpartition(const cred_t
*cred
)
1515 return (PRIV_POLICY(cred
, PRIV_ALL
, B_FALSE
, EACCES
,
1516 "modify pcfs boot partition"));
1520 * System V IPC routines
1523 secpolicy_ipc_owner(const cred_t
*cr
, const struct kipc_perm
*ip
)
1525 if (crgetzoneid(cr
) != ip
->ipc_zoneid
||
1526 (cr
->cr_uid
!= ip
->ipc_uid
&& cr
->cr_uid
!= ip
->ipc_cuid
)) {
1527 boolean_t allzone
= B_FALSE
;
1528 if (ip
->ipc_uid
== 0 || ip
->ipc_cuid
== 0)
1530 return (PRIV_POLICY(cr
, PRIV_IPC_OWNER
, allzone
, EPERM
, NULL
));
1536 secpolicy_ipc_config(const cred_t
*cr
)
1538 return (PRIV_POLICY(cr
, PRIV_SYS_IPC_CONFIG
, B_FALSE
, EPERM
, NULL
));
1542 secpolicy_ipc_access(const cred_t
*cr
, const struct kipc_perm
*ip
, mode_t mode
)
1545 boolean_t allzone
= B_FALSE
;
1547 ASSERT((mode
& (MSG_R
|MSG_W
)) != 0);
1549 if ((mode
& MSG_R
) &&
1550 PRIV_POLICY(cr
, PRIV_IPC_DAC_READ
, allzone
, EACCES
, NULL
) != 0)
1554 if (cr
->cr_uid
!= 0 && (ip
->ipc_uid
== 0 || ip
->ipc_cuid
== 0))
1557 return (PRIV_POLICY(cr
, PRIV_IPC_DAC_WRITE
, allzone
, EACCES
,
1564 secpolicy_rsm_access(const cred_t
*cr
, uid_t owner
, mode_t mode
)
1566 boolean_t allzone
= B_FALSE
;
1568 ASSERT((mode
& (MSG_R
|MSG_W
)) != 0);
1570 if ((mode
& MSG_R
) &&
1571 PRIV_POLICY(cr
, PRIV_IPC_DAC_READ
, allzone
, EACCES
, NULL
) != 0)
1575 if (cr
->cr_uid
!= 0 && owner
== 0)
1578 return (PRIV_POLICY(cr
, PRIV_IPC_DAC_WRITE
, allzone
, EACCES
,
1585 * Audit configuration.
1588 secpolicy_audit_config(const cred_t
*cr
)
1590 return (PRIV_POLICY(cr
, PRIV_SYS_AUDIT
, B_FALSE
, EPERM
, NULL
));
1594 * Audit record generation.
1597 secpolicy_audit_modify(const cred_t
*cr
)
1599 return (PRIV_POLICY(cr
, PRIV_PROC_AUDIT
, B_FALSE
, EPERM
, NULL
));
1603 * Get audit attributes.
1604 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1605 * "Least" of the two privileges on error.
1608 secpolicy_audit_getattr(const cred_t
*cr
, boolean_t checkonly
)
1612 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_AUDIT
, B_FALSE
))
1613 priv
= PRIV_SYS_AUDIT
;
1615 priv
= PRIV_PROC_AUDIT
;
1618 return (!PRIV_POLICY_ONLY(cr
, priv
, B_FALSE
));
1620 return (PRIV_POLICY(cr
, priv
, B_FALSE
, EPERM
, NULL
));
1625 * Locking physical memory
1628 secpolicy_lock_memory(const cred_t
*cr
)
1630 return (PRIV_POLICY(cr
, PRIV_PROC_LOCK_MEMORY
, B_FALSE
, EPERM
, NULL
));
1634 * Accounting (both acct(2) and exacct).
1637 secpolicy_acct(const cred_t
*cr
)
1639 return (PRIV_POLICY(cr
, PRIV_SYS_ACCT
, B_FALSE
, EPERM
, NULL
));
1643 * Is this process privileged to change its uids at will?
1644 * Uid 0 is still considered "special" and having the SETID
1645 * privilege is not sufficient to get uid 0.
1646 * Files are owned by root, so the privilege would give
1647 * full access and euid 0 is still effective.
1649 * If you have the privilege and euid 0 only then do you
1650 * get the powers of root wrt uid 0.
1652 * For gid manipulations, this is should be called with an
1657 secpolicy_allow_setid(const cred_t
*cr
, uid_t newuid
, boolean_t checkonly
)
1659 boolean_t allzone
= B_FALSE
;
1661 if (newuid
== 0 && cr
->cr_uid
!= 0 && cr
->cr_suid
!= 0 &&
1666 return (checkonly
? !PRIV_POLICY_ONLY(cr
, PRIV_PROC_SETID
, allzone
) :
1667 PRIV_POLICY(cr
, PRIV_PROC_SETID
, allzone
, EPERM
, NULL
));
1672 * Acting on a different process: if the mode is for writing,
1673 * the restrictions are more severe. This is called after
1674 * we've verified that the uids do not match.
1677 secpolicy_proc_owner(const cred_t
*scr
, const cred_t
*tcr
, int mode
)
1679 boolean_t allzone
= B_FALSE
;
1681 if ((mode
& VWRITE
) && scr
->cr_uid
!= 0 &&
1682 (tcr
->cr_uid
== 0 || tcr
->cr_ruid
== 0 || tcr
->cr_suid
== 0))
1685 return (PRIV_POLICY(scr
, PRIV_PROC_OWNER
, allzone
, EPERM
, NULL
));
1689 secpolicy_proc_access(const cred_t
*scr
)
1691 return (PRIV_POLICY(scr
, PRIV_PROC_OWNER
, B_FALSE
, EACCES
, NULL
));
1695 secpolicy_proc_excl_open(const cred_t
*scr
)
1697 return (PRIV_POLICY(scr
, PRIV_PROC_OWNER
, B_FALSE
, EBUSY
, NULL
));
1701 secpolicy_proc_zone(const cred_t
*scr
)
1703 return (PRIV_POLICY(scr
, PRIV_PROC_ZONE
, B_FALSE
, EPERM
, NULL
));
1707 * Destroying the system
1711 secpolicy_kmdb(const cred_t
*scr
)
1713 return (PRIV_POLICY(scr
, PRIV_ALL
, B_FALSE
, EPERM
, NULL
));
1717 secpolicy_error_inject(const cred_t
*scr
)
1719 return (PRIV_POLICY(scr
, PRIV_ALL
, B_FALSE
, EPERM
, NULL
));
1723 * Processor sets, cpu configuration, resource pools.
1726 secpolicy_pset(const cred_t
*cr
)
1728 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1732 * Processor set binding.
1735 secpolicy_pbind(const cred_t
*cr
)
1737 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
))
1738 return (secpolicy_pset(cr
));
1739 return (PRIV_POLICY(cr
, PRIV_SYS_RES_BIND
, B_FALSE
, EPERM
, NULL
));
1743 secpolicy_ponline(const cred_t
*cr
)
1745 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1749 secpolicy_pool(const cred_t
*cr
)
1751 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1755 secpolicy_blacklist(const cred_t
*cr
)
1757 return (PRIV_POLICY(cr
, PRIV_SYS_RES_CONFIG
, B_FALSE
, EPERM
, NULL
));
1761 * Catch all system configuration.
1764 secpolicy_sys_config(const cred_t
*cr
, boolean_t checkonly
)
1767 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_CONFIG
, B_FALSE
) ? 0 :
1770 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
1775 * Zone administration (halt, reboot, etc.) from within zone.
1778 secpolicy_zone_admin(const cred_t
*cr
, boolean_t checkonly
)
1781 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_ADMIN
, B_FALSE
) ? 0 :
1784 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_FALSE
, EPERM
,
1790 * Zone configuration (create, halt, enter).
1793 secpolicy_zone_config(const cred_t
*cr
)
1796 * Require all privileges to avoid possibility of privilege
1799 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
, KLPDARG_NONE
));
1803 * Various other system configuration calls
1806 secpolicy_coreadm(const cred_t
*cr
)
1808 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_FALSE
, EPERM
, NULL
));
1812 secpolicy_systeminfo(const cred_t
*cr
)
1814 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_FALSE
, EPERM
, NULL
));
1818 secpolicy_dispadm(const cred_t
*cr
)
1820 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
1824 secpolicy_settime(const cred_t
*cr
)
1826 return (PRIV_POLICY(cr
, PRIV_SYS_TIME
, B_FALSE
, EPERM
, NULL
));
1830 * For realtime users: high resolution clock.
1833 secpolicy_clock_highres(const cred_t
*cr
)
1835 return (PRIV_POLICY(cr
, PRIV_PROC_CLOCK_HIGHRES
, B_FALSE
, EPERM
,
1840 * drv_priv() is documented as callable from interrupt context, not that
1841 * anyone ever does, but still. No debugging or auditing can be done when
1842 * it is called from interrupt context.
1843 * returns 0 on succes, EPERM on failure.
1846 drv_priv(cred_t
*cr
)
1848 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
1852 secpolicy_sys_devices(const cred_t
*cr
)
1854 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
1858 secpolicy_excl_open(const cred_t
*cr
)
1860 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EBUSY
, NULL
));
1864 secpolicy_rctlsys(const cred_t
*cr
, boolean_t is_zone_rctl
)
1866 /* zone.* rctls can only be set from the global zone */
1867 if (is_zone_rctl
&& priv_policy_global(cr
) != 0)
1869 return (PRIV_POLICY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
, EPERM
, NULL
));
1873 secpolicy_resource(const cred_t
*cr
)
1875 return (PRIV_POLICY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
, EPERM
, NULL
));
1879 secpolicy_resource_anon_mem(const cred_t
*cr
)
1881 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
));
1885 * Processes with a real uid of 0 escape any form of accounting, much
1889 secpolicy_newproc(const cred_t
*cr
)
1891 if (cr
->cr_ruid
== 0)
1894 return (PRIV_POLICY(cr
, PRIV_SYS_RESOURCE
, B_FALSE
, EPERM
, NULL
));
1901 secpolicy_net_rawaccess(const cred_t
*cr
)
1903 return (PRIV_POLICY(cr
, PRIV_NET_RAWACCESS
, B_FALSE
, EACCES
, NULL
));
1907 secpolicy_net_observability(const cred_t
*cr
)
1909 return (PRIV_POLICY(cr
, PRIV_NET_OBSERVABILITY
, B_FALSE
, EACCES
, NULL
));
1913 * Need this privilege for accessing the ICMP device
1916 secpolicy_net_icmpaccess(const cred_t
*cr
)
1918 return (PRIV_POLICY(cr
, PRIV_NET_ICMPACCESS
, B_FALSE
, EACCES
, NULL
));
1922 * There are a few rare cases where the kernel generates ioctls() from
1923 * interrupt context with a credential of kcred rather than NULL.
1924 * In those cases, we take the safe and cheap test.
1927 secpolicy_net_config(const cred_t
*cr
, boolean_t checkonly
)
1930 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
) ?
1933 return (PRIV_POLICY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
, EPERM
,
1940 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1942 * There are a few rare cases where the kernel generates ioctls() from
1943 * interrupt context with a credential of kcred rather than NULL.
1944 * In those cases, we take the safe and cheap test.
1947 secpolicy_ip_config(const cred_t
*cr
, boolean_t checkonly
)
1949 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
1950 return (secpolicy_net_config(cr
, checkonly
));
1953 return (PRIV_POLICY_ONLY(cr
, PRIV_SYS_IP_CONFIG
, B_FALSE
) ?
1956 return (PRIV_POLICY(cr
, PRIV_SYS_IP_CONFIG
, B_FALSE
, EPERM
,
1962 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1965 secpolicy_dl_config(const cred_t
*cr
)
1967 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
1968 return (secpolicy_net_config(cr
, B_FALSE
));
1969 return (PRIV_POLICY(cr
, PRIV_SYS_DL_CONFIG
, B_FALSE
, EPERM
, NULL
));
1973 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1976 secpolicy_iptun_config(const cred_t
*cr
)
1978 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
1979 return (secpolicy_net_config(cr
, B_FALSE
));
1980 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_DL_CONFIG
, B_FALSE
))
1981 return (secpolicy_dl_config(cr
));
1982 return (PRIV_POLICY(cr
, PRIV_SYS_IPTUN_CONFIG
, B_FALSE
, EPERM
, NULL
));
1986 * Map IP pseudo privileges to actual privileges.
1987 * So we don't need to recompile IP when we change the privileges.
1990 secpolicy_ip(const cred_t
*cr
, int netpriv
, boolean_t checkonly
)
1992 int priv
= PRIV_ALL
;
1996 priv
= PRIV_SYS_IP_CONFIG
;
1999 priv
= PRIV_NET_RAWACCESS
;
2002 priv
= PRIV_NET_PRIVADDR
;
2005 ASSERT(priv
!= PRIV_ALL
);
2007 return (PRIV_POLICY_ONLY(cr
, priv
, B_FALSE
) ? 0 : EPERM
);
2009 return (PRIV_POLICY(cr
, priv
, B_FALSE
, EPERM
, NULL
));
2013 * Map network pseudo privileges to actual privileges.
2014 * So we don't need to recompile IP when we change the privileges.
2017 secpolicy_net(const cred_t
*cr
, int netpriv
, boolean_t checkonly
)
2019 int priv
= PRIV_ALL
;
2023 priv
= PRIV_SYS_NET_CONFIG
;
2026 priv
= PRIV_NET_RAWACCESS
;
2029 priv
= PRIV_NET_PRIVADDR
;
2032 ASSERT(priv
!= PRIV_ALL
);
2034 return (PRIV_POLICY_ONLY(cr
, priv
, B_FALSE
) ? 0 : EPERM
);
2036 return (PRIV_POLICY(cr
, priv
, B_FALSE
, EPERM
, NULL
));
2040 * Checks for operations that are either client-only or are used by
2041 * both clients and servers.
2044 secpolicy_nfs(const cred_t
*cr
)
2046 return (PRIV_POLICY(cr
, PRIV_SYS_NFS
, B_FALSE
, EPERM
, NULL
));
2050 * Special case for opening rpcmod: have NFS privileges or network
2051 * config privileges.
2054 secpolicy_rpcmod_open(const cred_t
*cr
)
2056 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NFS
, B_FALSE
))
2057 return (secpolicy_nfs(cr
));
2059 return (secpolicy_net_config(cr
, NULL
));
2063 secpolicy_chroot(const cred_t
*cr
)
2065 return (PRIV_POLICY(cr
, PRIV_PROC_CHROOT
, B_FALSE
, EPERM
, NULL
));
2069 secpolicy_tasksys(const cred_t
*cr
)
2071 return (PRIV_POLICY(cr
, PRIV_PROC_TASKID
, B_FALSE
, EPERM
, NULL
));
2075 secpolicy_meminfo(const cred_t
*cr
)
2077 return (PRIV_POLICY(cr
, PRIV_PROC_MEMINFO
, B_FALSE
, EPERM
, NULL
));
2081 secpolicy_pfexec_register(const cred_t
*cr
)
2083 return (PRIV_POLICY(cr
, PRIV_SYS_ADMIN
, B_TRUE
, EPERM
, NULL
));
2087 * Basic privilege checks.
2090 secpolicy_basic_exec(const cred_t
*cr
, vnode_t
*vp
)
2092 FAST_BASIC_CHECK(cr
, PRIV_PROC_EXEC
);
2094 return (priv_policy_va(cr
, PRIV_PROC_EXEC
, B_FALSE
, EPERM
, NULL
,
2095 KLPDARG_VNODE
, vp
, (char *)NULL
, KLPDARG_NOMORE
));
2099 secpolicy_basic_fork(const cred_t
*cr
)
2101 FAST_BASIC_CHECK(cr
, PRIV_PROC_FORK
);
2103 return (PRIV_POLICY(cr
, PRIV_PROC_FORK
, B_FALSE
, EPERM
, NULL
));
2107 secpolicy_basic_proc(const cred_t
*cr
)
2109 FAST_BASIC_CHECK(cr
, PRIV_PROC_SESSION
);
2111 return (PRIV_POLICY(cr
, PRIV_PROC_SESSION
, B_FALSE
, EPERM
, NULL
));
2115 * Slightly complicated because we don't want to trigger the policy too
2116 * often. First we shortcircuit access to "self" (tp == sp) or if
2117 * we don't have the privilege but if we have permission
2118 * just return (0) and we don't flag the privilege as needed.
2119 * Else, we test for the privilege because we either have it or need it.
2122 secpolicy_basic_procinfo(const cred_t
*cr
, proc_t
*tp
, proc_t
*sp
)
2125 !HAS_PRIVILEGE(cr
, PRIV_PROC_INFO
) && prochasprocperm(tp
, sp
, cr
)) {
2128 return (PRIV_POLICY(cr
, PRIV_PROC_INFO
, B_FALSE
, EPERM
, NULL
));
2133 secpolicy_basic_link(const cred_t
*cr
)
2135 FAST_BASIC_CHECK(cr
, PRIV_FILE_LINK_ANY
);
2137 return (PRIV_POLICY(cr
, PRIV_FILE_LINK_ANY
, B_FALSE
, EPERM
, NULL
));
2141 secpolicy_basic_net_access(const cred_t
*cr
)
2143 FAST_BASIC_CHECK(cr
, PRIV_NET_ACCESS
);
2145 return (PRIV_POLICY(cr
, PRIV_NET_ACCESS
, B_FALSE
, EACCES
, NULL
));
2150 secpolicy_basic_file_read(const cred_t
*cr
, vnode_t
*vp
, const char *pn
)
2152 FAST_BASIC_CHECK(cr
, PRIV_FILE_READ
);
2154 return (priv_policy_va(cr
, PRIV_FILE_READ
, B_FALSE
, EACCES
, NULL
,
2155 KLPDARG_VNODE
, vp
, (char *)pn
, KLPDARG_NOMORE
));
2160 secpolicy_basic_file_write(const cred_t
*cr
, vnode_t
*vp
, const char *pn
)
2162 FAST_BASIC_CHECK(cr
, PRIV_FILE_WRITE
);
2164 return (priv_policy_va(cr
, PRIV_FILE_WRITE
, B_FALSE
, EACCES
, NULL
,
2165 KLPDARG_VNODE
, vp
, (char *)pn
, KLPDARG_NOMORE
));
2169 * Additional device protection.
2171 * Traditionally, a device has specific permissions on the node in
2172 * the filesystem which govern which devices can be opened by what
2173 * processes. In certain cases, it is desirable to add extra
2174 * restrictions, as writing to certain devices is identical to
2175 * having a complete run of the system.
2177 * This mechanism is called the device policy.
2179 * When a device is opened, its policy entry is looked up in the
2180 * policy cache and checked.
2183 secpolicy_spec_open(const cred_t
*cr
, struct vnode
*vp
, int oflag
)
2187 struct snode
*csp
= VTOS(common_specvp(vp
));
2190 mutex_enter(&csp
->s_lock
);
2192 if (csp
->s_plcy
== NULL
|| csp
->s_plcy
->dp_gen
!= devplcy_gen
) {
2193 plcy
= devpolicy_find(vp
);
2195 dpfree(csp
->s_plcy
);
2197 ASSERT(plcy
!= NULL
);
2201 if (plcy
== nullpolicy
) {
2202 mutex_exit(&csp
->s_lock
);
2208 mutex_exit(&csp
->s_lock
);
2211 pset
= plcy
->dp_wrp
;
2213 pset
= plcy
->dp_rdp
;
2216 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2217 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2218 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2219 * in the required privilege set before doing the check.
2221 if (priv_ismember(&pset
, PRIV_SYS_IP_CONFIG
) &&
2222 priv_ismember(&CR_OEPRIV(cr
), PRIV_SYS_NET_CONFIG
) &&
2223 !priv_ismember(&CR_OEPRIV(cr
), PRIV_SYS_IP_CONFIG
)) {
2224 priv_delset(&pset
, PRIV_SYS_IP_CONFIG
);
2225 priv_addset(&pset
, PRIV_SYS_NET_CONFIG
);
2228 err
= secpolicy_require_set(cr
, &pset
, "devpolicy", KLPDARG_NONE
);
2235 secpolicy_modctl(const cred_t
*cr
, int cmd
)
2244 case MODGETDEVPOLICY
:
2245 case MODGETDEVPOLICYBYNAME
:
2246 case MODDEVT2INSTANCE
:
2247 case MODSIZEOF_DEVID
:
2249 case MODSIZEOF_MINORNAME
:
2250 case MODGETMINORNAME
:
2251 case MODGETDEVFSPATH_LEN
:
2252 case MODGETDEVFSPATH
:
2253 case MODGETDEVFSPATH_MI_LEN
:
2254 case MODGETDEVFSPATH_MI
:
2258 case MODSETDEVPOLICY
:
2259 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
,
2262 return (secpolicy_sys_config(cr
, B_FALSE
));
2267 secpolicy_console(const cred_t
*cr
)
2269 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
2273 secpolicy_power_mgmt(const cred_t
*cr
)
2275 return (PRIV_POLICY(cr
, PRIV_SYS_DEVICES
, B_FALSE
, EPERM
, NULL
));
2279 * Simulate terminal input; another escalation of privileges avenue.
2283 secpolicy_sti(const cred_t
*cr
)
2285 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
, KLPDARG_NONE
));
2289 secpolicy_net_reply_equal(const cred_t
*cr
)
2291 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
2295 secpolicy_swapctl(const cred_t
*cr
)
2297 return (PRIV_POLICY(cr
, PRIV_SYS_CONFIG
, B_FALSE
, EPERM
, NULL
));
2301 secpolicy_cpc_cpu(const cred_t
*cr
)
2303 return (PRIV_POLICY(cr
, PRIV_CPC_CPU
, B_FALSE
, EACCES
, NULL
));
2307 * secpolicy_contract_identity
2309 * Determine if the subject may set the process contract FMRI value
2312 secpolicy_contract_identity(const cred_t
*cr
)
2314 return (PRIV_POLICY(cr
, PRIV_CONTRACT_IDENTITY
, B_FALSE
, EPERM
, NULL
));
2318 * secpolicy_contract_observer
2320 * Determine if the subject may observe a specific contract's events.
2323 secpolicy_contract_observer(const cred_t
*cr
, struct contract
*ct
)
2325 if (contract_owned(ct
, cr
, B_FALSE
))
2327 return (PRIV_POLICY(cr
, PRIV_CONTRACT_OBSERVER
, B_FALSE
, EPERM
, NULL
));
2331 * secpolicy_contract_observer_choice
2333 * Determine if the subject may observe any contract's events. Just
2334 * tests privilege and audits on success.
2337 secpolicy_contract_observer_choice(const cred_t
*cr
)
2339 return (PRIV_POLICY_CHOICE(cr
, PRIV_CONTRACT_OBSERVER
, B_FALSE
));
2343 * secpolicy_contract_event
2345 * Determine if the subject may request critical contract events or
2346 * reliable contract event delivery.
2349 secpolicy_contract_event(const cred_t
*cr
)
2351 return (PRIV_POLICY(cr
, PRIV_CONTRACT_EVENT
, B_FALSE
, EPERM
, NULL
));
2355 * secpolicy_contract_event_choice
2357 * Determine if the subject may retain contract events in its critical
2358 * set when a change in other terms would normally require a change in
2359 * the critical set. Just tests privilege and audits on success.
2362 secpolicy_contract_event_choice(const cred_t
*cr
)
2364 return (PRIV_POLICY_CHOICE(cr
, PRIV_CONTRACT_EVENT
, B_FALSE
));
2368 * secpolicy_gart_access
2370 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2374 secpolicy_gart_access(const cred_t
*cr
)
2376 return (PRIV_POLICY(cr
, PRIV_GRAPHICS_ACCESS
, B_FALSE
, EPERM
, NULL
));
2380 * secpolicy_gart_map
2382 * Determine if the subject has sufficient priveleges to map aperture range
2383 * through agpgart driver.
2386 secpolicy_gart_map(const cred_t
*cr
)
2388 if (PRIV_POLICY_ONLY(cr
, PRIV_GRAPHICS_ACCESS
, B_FALSE
)) {
2389 return (PRIV_POLICY(cr
, PRIV_GRAPHICS_ACCESS
, B_FALSE
, EPERM
,
2392 return (PRIV_POLICY(cr
, PRIV_GRAPHICS_MAP
, B_FALSE
, EPERM
,
2400 * Determine if the subject can inject faults in the ZFS fault injection
2401 * framework. Requires all privileges.
2404 secpolicy_zinject(const cred_t
*cr
)
2406 return (secpolicy_require_set(cr
, PRIV_FULLSET
, NULL
, KLPDARG_NONE
));
2412 * Determine if the subject has permission to manipulate ZFS datasets
2413 * (not pools). Equivalent to the SYS_MOUNT privilege.
2416 secpolicy_zfs(const cred_t
*cr
)
2418 return (PRIV_POLICY(cr
, PRIV_SYS_MOUNT
, B_FALSE
, EPERM
, NULL
));
2424 * Determine if the calling process has permissions to register an SID
2425 * mapping daemon and allocate ephemeral IDs.
2428 secpolicy_idmap(const cred_t
*cr
)
2430 return (PRIV_POLICY(cr
, PRIV_FILE_SETID
, B_TRUE
, EPERM
, NULL
));
2434 * secpolicy_ucode_update
2436 * Determine if the subject has sufficient privilege to update microcode.
2439 secpolicy_ucode_update(const cred_t
*scr
)
2441 return (PRIV_POLICY(scr
, PRIV_ALL
, B_FALSE
, EPERM
, NULL
));
2447 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2448 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2449 * In global zone, sys_config is required.
2450 * In exclusive-IP zones, sys_ip_config is required.
2451 * Note that sys_config is prohibited in non-global zones.
2454 secpolicy_sadopen(const cred_t
*credp
)
2458 priv_emptyset(&pset
);
2460 if (crgetzoneid(credp
) == GLOBAL_ZONEID
)
2461 priv_addset(&pset
, PRIV_SYS_CONFIG
);
2463 priv_addset(&pset
, PRIV_SYS_IP_CONFIG
);
2465 return (secpolicy_require_set(credp
, &pset
, "devpolicy", KLPDARG_NONE
));
2470 * Add privileges to a particular privilege set; this is called when the
2471 * current sets of privileges are not sufficient. I.e., we should always
2472 * call the policy override functions from here.
2473 * What we are allowed to have is in the Observed Permitted set; so
2474 * we compute the difference between that and the newset.
2477 secpolicy_require_privs(const cred_t
*cr
, const priv_set_t
*nset
)
2481 rqd
= CR_OPPRIV(cr
);
2484 priv_intersect(nset
, &rqd
);
2486 return (secpolicy_require_set(cr
, &rqd
, NULL
, KLPDARG_NONE
));
2492 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2493 * that it has permission to access the smbsrv kernel driver.
2494 * PRIV_POLICY checks the privilege and audits the check.
2497 * 0 Driver access is allowed.
2498 * EPERM Driver access is NOT permitted.
2501 secpolicy_smb(const cred_t
*cr
)
2503 return (PRIV_POLICY(cr
, PRIV_SYS_SMB
, B_FALSE
, EPERM
, NULL
));
2509 * Determine if cred_t has the necessary privileges to access a file
2510 * for virus scanning and update its extended system attributes.
2511 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2512 * PRIV_FILE_FLAG_SET - set extended system attributes
2514 * PRIV_POLICY checks the privilege and audits the check.
2517 * 0 file access for virus scanning allowed.
2518 * EPERM file access for virus scanning is NOT permitted.
2521 secpolicy_vscan(const cred_t
*cr
)
2523 if ((PRIV_POLICY(cr
, PRIV_FILE_DAC_SEARCH
, B_FALSE
, EPERM
, NULL
)) ||
2524 (PRIV_POLICY(cr
, PRIV_FILE_DAC_READ
, B_FALSE
, EPERM
, NULL
)) ||
2525 (PRIV_POLICY(cr
, PRIV_FILE_FLAG_SET
, B_FALSE
, EPERM
, NULL
))) {
2533 * secpolicy_smbfs_login
2535 * Determines if the caller can add and delete the smbfs login
2536 * password in the the nsmb kernel module for the CIFS client.
2539 * 0 access is allowed.
2540 * EPERM access is NOT allowed.
2543 secpolicy_smbfs_login(const cred_t
*cr
, uid_t uid
)
2545 uid_t cruid
= crgetruid(cr
);
2549 return (PRIV_POLICY(cr
, PRIV_PROC_OWNER
, B_FALSE
,
2554 * secpolicy_xvm_control
2556 * Determines if a caller can control the xVM hypervisor and/or running
2557 * domains (x86 specific).
2560 * 0 access is allowed.
2561 * EPERM access is NOT allowed.
2564 secpolicy_xvm_control(const cred_t
*cr
)
2566 if (PRIV_POLICY(cr
, PRIV_XVM_CONTROL
, B_FALSE
, EPERM
, NULL
))
2572 * secpolicy_ppp_config
2574 * Determine if the subject has sufficient privileges to configure PPP and
2575 * PPP-related devices.
2578 secpolicy_ppp_config(const cred_t
*cr
)
2580 if (PRIV_POLICY_ONLY(cr
, PRIV_SYS_NET_CONFIG
, B_FALSE
))
2581 return (secpolicy_net_config(cr
, B_FALSE
));
2582 return (PRIV_POLICY(cr
, PRIV_SYS_PPP_CONFIG
, B_FALSE
, EPERM
, NULL
));