search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cannot use crypto lofi on a block/character device
[unleashed.git] / kernel / os / policy.c
blob1588fcae31a3c473e8293ccc3cc0bfeeea19c640
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2016 Joyent, Inc.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
26
27 #include <sys/types.h>
28 #include <sys/sysmacros.h>
29 #include <sys/param.h>
30 #include <sys/systm.h>
31 #include <sys/cred_impl.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/stat.h>
35 #include <sys/errno.h>
36 #include <sys/kmem.h>
37 #include <sys/user.h>
38 #include <sys/proc.h>
39 #include <sys/acct.h>
40 #include <sys/ipc_impl.h>
41 #include <sys/cmn_err.h>
42 #include <sys/debug.h>
43 #include <sys/policy.h>
44 #include <sys/kobj.h>
45 #include <sys/msg.h>
46 #include <sys/devpolicy.h>
47 #include <c2/audit.h>
48 #include <sys/varargs.h>
49 #include <sys/klpd.h>
50 #include <sys/modctl.h>
51 #include <sys/disp.h>
52 #include <sys/zone.h>
53 #include <inet/optcom.h>
54 #include <sys/sdt.h>
55 #include <sys/vfs.h>
56 #include <sys/mntent.h>
57 #include <sys/contract_impl.h>
58 #include <sys/dld_ioc.h>
59
60 /*
61 * There are two possible layers of privilege routines and two possible
62 * levels of secpolicy. Plus one other we may not be interested in, so
63 * we may need as many as 6 but no more.
64 */
65 #define MAXPRIVSTACK 6
66
67 int priv_debug = 0;
68 int priv_basic_test = -1;
69
70 /*
71 * This file contains the majority of the policy routines.
72 * Since the policy routines are defined by function and not
73 * by privilege, there is quite a bit of duplication of
74 * functions.
75 *
76 * The secpolicy functions must not make assumptions about
77 * locks held or not held as any lock can be held while they're
78 * being called.
79 *
80 * Credentials are read-only so no special precautions need to
81 * be taken while locking them.
82 *
83 * When a new policy check needs to be added to the system the
84 * following procedure should be followed:
85 *
86 * Pick an appropriate secpolicy_*() function
87 * -> done if one exists.
88 * Create a new secpolicy function, preferably with
89 * a descriptive name using the standard template.
90 * Pick an appropriate privilege for the policy.
91 * If no appropraite privilege exists, define new one
92 * (this should be done with extreme care; in most cases
93 * little is gained by adding another privilege)
94 *
95 * WHY ROOT IS STILL SPECIAL.
96 *
97 * In a number of the policy functions, there are still explicit
98 * checks for uid 0. The rationale behind these is that many root
99 * owned files/objects hold configuration information which can give full
100 * privileges to the user once written to. To prevent escalation
101 * of privilege by allowing just a single privilege to modify root owned
102 * objects, we've added these root specific checks where we considered
103 * them necessary: modifying root owned files, changing uids to 0, etc.
104 *
105 * PRIVILEGE ESCALATION AND ZONES.
106 *
107 * A number of operations potentially allow the caller to achieve
108 * privileges beyond the ones normally required to perform the operation.
109 * For example, if allowed to create a setuid 0 executable, a process can
110 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
111 * restrictions on the ability to gain privileges beyond those available
112 * within the zone through file and process manipulation. Hence, such
113 * operations require that the caller have an effective set that includes
114 * all privileges available within the current zone, or all privileges
115 * if executing in the global zone.
116 *
117 * This is indicated in the priv_policy* policy checking functions
118 * through a combination of parameters. The "priv" parameter indicates
119 * the privilege that is required, and the "allzone" parameter indicates
120 * whether or not all privileges in the zone are required. In addition,
121 * priv can be set to PRIV_ALL to indicate that all privileges are
122 * required (regardless of zone). There are three scenarios of interest:
123 * (1) operation requires a specific privilege
124 * (2) operation requires a specific privilege, and requires all
125 * privileges available within the zone (or all privileges if in
126 * the global zone)
127 * (3) operation requires all privileges, regardless of zone
128 *
129 * For (1), priv should be set to the specific privilege, and allzone
130 * should be set to B_FALSE.
131 * For (2), priv should be set to the specific privilege, and allzone
132 * should be set to B_TRUE.
133 * For (3), priv should be set to PRIV_ALL, and allzone should be set
134 * to B_FALSE.
135 *
136 */
137
138 /*
139 * The privileges are checked against the Effective set for
140 * ordinary processes and checked against the Limit set
141 * for euid 0 processes that haven't manipulated their privilege
142 * sets.
143 */
144 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
145 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
146 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
147 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
148 HAS_ALLPRIVS(cr) : \
149 PRIV_ISMEMBER(&CR_OEPRIV(cr), pr))
150
151 #define FAST_BASIC_CHECK(cr, priv) \
152 if (PRIV_ISMEMBER(&CR_OEPRIV(cr), priv)) { \
153 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
154 return (0); \
155 }
156
157 /*
158 * Policy checking functions.
159 *
160 * All of the system's policy should be implemented here.
161 */
162
163 /*
164 * Private functions which take an additional va_list argument to
165 * implement an object specific policy override.
166 */
167 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
168 const char *, va_list);
169 static int priv_policy_va(const cred_t *, int, boolean_t, int,
170 const char *, ...);
171
172 /*
173 * Generic policy calls
174 *
175 * The "bottom" functions of policy control
176 */
177 static char *
178 mprintf(const char *fmt, ...)
179 {
180 va_list args;
181 char *buf;
182 size_t len;
183
184 va_start(args, fmt);
185 len = vsnprintf(NULL, 0, fmt, args) + 1;
186 va_end(args);
187
188 buf = kmem_alloc(len, KM_NOSLEEP);
189
190 if (buf == NULL)
191 return (NULL);
192
193 va_start(args, fmt);
194 (void) vsnprintf(buf, len, fmt, args);
195 va_end(args);
196
197 return (buf);
198 }
199
200 /*
201 * priv_policy_errmsg()
202 *
203 * Generate an error message if privilege debugging is enabled system wide
204 * or for this particular process.
205 */
206
207 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
208 #define FMTMSG " for \"%s\""
209 #define FMTFUN " needed at %s+0x%lx"
210
211 /* The maximum size privilege format: the concatenation of the above */
212 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
213
214 static void
215 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
216 {
217 struct proc *me;
218 pc_t stack[MAXPRIVSTACK];
219 int depth;
220 int i;
221 char *sym;
222 ulong_t off;
223 const char *pname;
224
225 char *cmd;
226 char fmt[sizeof (FMTMAX)];
227
228 if ((me = curproc) == &p0)
229 return;
230
231 /* Privileges must be defined */
232 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
233 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
234 priv_getbynum(priv) != NULL);
235
236 if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
237 priv = PRIV_ALL;
238
239 if (curthread->t_pre_sys)
240 ttolwp(curthread)->lwp_badpriv = (short)priv;
241
242 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
243 return;
244
245 (void) strcpy(fmt, FMTHDR);
246
247 if (me->p_user.u_comm[0])
248 cmd = &me->p_user.u_comm[0];
249 else
250 cmd = "priv_policy";
251
252 if (msg != NULL && *msg != '\0') {
253 (void) strcat(fmt, FMTMSG);
254 } else {
255 (void) strcat(fmt, "%s");
256 msg = "";
257 }
258
259 sym = NULL;
260
261 depth = getpcstack(stack, MAXPRIVSTACK);
262
263 /*
264 * Try to find the first interesting function on the stack.
265 * priv_policy* that's us, so completely uninteresting.
266 * suser(), drv_priv(), secpolicy_* are also called from
267 * too many locations to convey useful information.
268 */
269 for (i = 0; i < depth; i++) {
270 sym = kobj_getsymname((uintptr_t)stack[i], &off);
271 if (sym != NULL &&
272 strstr(sym, "hasprocperm") == 0 &&
273 strcmp("suser", sym) != 0 &&
274 strcmp("ipcaccess", sym) != 0 &&
275 strcmp("drv_priv", sym) != 0 &&
276 strncmp("secpolicy_", sym, 10) != 0 &&
277 strncmp("priv_policy", sym, 11) != 0)
278 break;
279 }
280
281 if (sym != NULL)
282 (void) strcat(fmt, FMTFUN);
283
284 (void) strcat(fmt, "\n");
285
286 switch (priv) {
287 case PRIV_ALL:
288 pname = "ALL";
289 break;
290 case PRIV_MULTIPLE:
291 pname = "MULTIPLE";
292 break;
293 case PRIV_ALLZONE:
294 pname = "ZONE";
295 break;
296 case PRIV_GLOBAL:
297 pname = "GLOBAL";
298 break;
299 default:
300 pname = priv_getbynum(priv);
301 break;
302 }
303
304 if (CR_FLAGS(cr) & PRIV_DEBUG) {
305 /* Remember last message, just like lwp_badpriv. */
306 if (curthread->t_pdmsg != NULL) {
307 kmem_free(curthread->t_pdmsg,
308 strlen(curthread->t_pdmsg) + 1);
309 }
310
311 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
312 cr->cr_uid, curthread->t_sysnum, msg, sym, off);
313
314 curthread->t_post_sys = 1;
315 }
316 if (priv_debug) {
317 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
318 curthread->t_sysnum, msg, sym, off);
319 }
320 }
321
322 /*
323 * Override the policy, if appropriate. Return 0 if the external
324 * policy engine approves.
325 */
326 static int
327 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
328 {
329 priv_set_t set;
330 int ret;
331
332 if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
333 return (-1);
334
335 if (priv == PRIV_ALL) {
336 priv_fillset(&set);
337 } else if (allzone) {
338 set = *ZONEPRIVS(cr);
339 } else {
340 priv_emptyset(&set);
341 priv_addset(&set, priv);
342 }
343 ret = klpd_call(cr, &set, ap);
344 return (ret);
345 }
346
347 static int
348 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
349 {
350 if (CR_FLAGS(cr) & PRIV_PFEXEC)
351 return (check_user_privs(cr, req));
352 if (CR_FLAGS(cr) & PRIV_XPOLICY) {
353 return (klpd_call(cr, req, ap));
354 }
355 return (-1);
356 }
357
358 static int
359 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
360 {
361 va_list ap;
362 int ret;
363
364 va_start(ap, req);
365 ret = priv_policy_override_set(cr, req, ap);
366 va_end(ap);
367 return (ret);
368 }
369
370 /*
371 * Audit failure, log error message.
372 */
373 static void
374 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
375 {
376
377 if (AU_AUDITING())
378 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
379 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
380
381 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
382 curthread->t_pre_sys) {
383 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
384 priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
385 } else {
386 ASSERT(!HAS_PRIVILEGE(cr, priv));
387 priv_policy_errmsg(cr, priv, msg);
388 }
389 }
390 }
391
392 /*
393 * priv_policy_ap()
394 * return 0 or error.
395 * See block comment above for a description of "priv" and "allzone" usage.
396 */
397 static int
398 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
399 const char *msg, va_list ap)
400 {
401 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
402 (!servicing_interrupt() &&
403 priv_policy_override(cr, priv, allzone, ap) == 0)) {
404 if ((allzone || priv == PRIV_ALL ||
405 !PRIV_ISMEMBER(priv_basic, priv)) &&
406 !servicing_interrupt()) {
407 PTOU(curproc)->u_acflag |= ASU;
408 if (AU_AUDITING())
409 audit_priv(priv,
410 allzone ? ZONEPRIVS(cr) : NULL, 1);
411 }
412 err = 0;
413 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
414 } else if (!servicing_interrupt()) {
415 /* Failure audited in this procedure */
416 priv_policy_err(cr, priv, allzone, msg);
417 }
418 return (err);
419 }
420
421 int
422 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
423 const char *msg, ...)
424 {
425 int ret;
426 va_list ap;
427
428 va_start(ap, msg);
429 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
430 va_end(ap);
431
432 return (ret);
433 }
434
435 int
436 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
437 const char *msg)
438 {
439 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
440 }
441
442 /*
443 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
444 */
445 boolean_t
446 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
447 {
448 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
449 (!allzone || HAS_ALLZONEPRIVS(cr));
450
451 /* Audit success only */
452 if (res && AU_AUDITING() &&
453 (allzone || priv == PRIV_ALL || !PRIV_ISMEMBER(priv_basic, priv)) &&
454 !servicing_interrupt()) {
455 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
456 }
457 if (res) {
458 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
459 } else {
460 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
461 }
462 return (res);
463 }
464
465 /*
466 * Non-auditing variant of priv_policy_choice().
467 */
468 boolean_t
469 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
470 {
471 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
472 (!allzone || HAS_ALLZONEPRIVS(cr));
473
474 if (res) {
475 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
476 } else {
477 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
478 }
479 return (res);
480 }
481
482 /*
483 * Check whether all privileges in the required set are present.
484 */
485 static int
486 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
487 const char *msg, ...)
488 {
489 int priv;
490 int pfound = -1;
491 priv_set_t pset;
492 va_list ap;
493 int ret;
494
495 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
496 &CR_OEPRIV(cr))) {
497 return (0);
498 }
499
500 va_start(ap, msg);
501 ret = priv_policy_override_set(cr, req, ap);
502 va_end(ap);
503 if (ret == 0)
504 return (0);
505
506 if (req == PRIV_FULLSET || priv_isfullset(req)) {
507 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
508 return (EACCES);
509 }
510
511 pset = CR_OEPRIV(cr); /* present privileges */
512 priv_inverse(&pset); /* all non present privileges */
513 priv_intersect(req, &pset); /* the actual missing privs */
514
515 if (AU_AUDITING())
516 audit_priv(PRIV_NONE, &pset, 0);
517 /*
518 * Privilege debugging; special case "one privilege in set".
519 */
520 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
521 for (priv = 0; priv < nprivs; priv++) {
522 if (priv_ismember(&pset, priv)) {
523 if (pfound != -1) {
524 /* Multiple missing privs */
525 priv_policy_errmsg(cr, PRIV_MULTIPLE,
526 msg);
527 return (EACCES);
528 }
529 pfound = priv;
530 }
531 }
532 ASSERT(pfound != -1);
533 /* Just the one missing privilege */
534 priv_policy_errmsg(cr, pfound, msg);
535 }
536
537 return (EACCES);
538 }
539
540 /*
541 * Called when an operation requires that the caller be in the
542 * global zone, regardless of privilege.
543 */
544 static int
545 priv_policy_global(const cred_t *cr)
546 {
547 if (crgetzoneid(cr) == GLOBAL_ZONEID)
548 return (0); /* success */
549
550 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
551 curthread->t_pre_sys) {
552 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
553 }
554 return (EPERM);
555 }
556
557 /*
558 * Raising process priority
559 */
560 int
561 secpolicy_raisepriority(const cred_t *cr)
562 {
563 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
564 return (0);
565 return (secpolicy_setpriority(cr));
566 }
567
568 /*
569 * Changing process priority or scheduling class
570 */
571 int
572 secpolicy_setpriority(const cred_t *cr)
573 {
574 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
575 }
576
577 /*
578 * Binding to a privileged port, port must be specified in host byte
579 * order.
580 * When adding a new privilege which allows binding to currently privileged
581 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
582 * to these ports because of backward compatibility.
583 */
584 int
585 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
586 {
587 char *reason;
588 int priv;
589
590 switch (port) {
591 case 137:
592 case 138:
593 case 139:
594 case 445:
595 /*
596 * NBT and SMB ports, these are normal privileged ports,
597 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
598 * is present.
599 * Try both, if neither is present return an error for
600 * priv SYS_SMB.
601 */
602 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
603 priv = PRIV_NET_PRIVADDR;
604 else
605 priv = PRIV_SYS_SMB;
606 reason = "NBT or SMB port";
607 break;
608
609 case 2049:
610 case 4045:
611 /*
612 * NFS ports, these are extra privileged ports, allow bind
613 * only if the SYS_NFS privilege is present.
614 */
615 priv = PRIV_SYS_NFS;
616 reason = "NFS port";
617 break;
618
619 default:
620 priv = PRIV_NET_PRIVADDR;
621 reason = NULL;
622 break;
623
624 }
625
626 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
627 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
628 }
629
630 /*
631 * Common routine which determines whether a given credential can
632 * act on a given mount.
633 * When called through mount, the parameter needoptcheck is a pointer
634 * to a boolean variable which will be set to either true or false,
635 * depending on whether the mount policy should change the mount options.
636 * In all other cases, needoptcheck should be a NULL pointer.
637 */
638 static int
639 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
640 boolean_t *needoptcheck)
641 {
642 boolean_t allzone = B_FALSE;
643 boolean_t mounting = needoptcheck != NULL;
644
645 /*
646 * Short circuit the following cases:
647 * vfsp == NULL or mvp == NULL (pure privilege check)
648 * have all privileges - no further checks required
649 * and no mount options need to be set.
650 */
651 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
652 if (mounting)
653 *needoptcheck = B_FALSE;
654
655 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
656 NULL, KLPDARG_VNODE, mvp, NULL, KLPDARG_NOMORE));
657 }
658
659 /*
660 * When operating on an existing mount (either we're not mounting
661 * or we're doing a remount and VFS_REMOUNT will be set), zones
662 * can operate only on mounts established by the zone itself.
663 */
664 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
665 zoneid_t zoneid = crgetzoneid(cr);
666
667 if (zoneid != GLOBAL_ZONEID &&
668 vfsp->vfs_zone->zone_id != zoneid) {
669 return (EPERM);
670 }
671 }
672
673 if (mounting)
674 *needoptcheck = B_TRUE;
675
676 /*
677 * Overlay mounts may hide important stuff; if you can't write to a
678 * mount point but would be able to mount on top of it, you can
679 * escalate your privileges.
680 * So we go about asking the same questions namefs does when it
681 * decides whether you can mount over a file or not but with the
682 * added restriction that you can only mount on top of a regular
683 * file or directory.
684 * If we have all the zone's privileges, we skip all other checks,
685 * or else we may actually get in trouble inside the automounter.
686 */
687 if ((mvp->v_flag & VROOT) != 0 ||
688 (mvp->v_type != VDIR && mvp->v_type != VREG) ||
689 HAS_ALLZONEPRIVS(cr)) {
690 allzone = B_TRUE;
691 } else {
692 vattr_t va;
693 int err;
694
695 va.va_mask = AT_UID|AT_MODE;
696 err = fop_getattr(mvp, &va, 0, cr, NULL);
697 if (err != 0)
698 return (err);
699
700 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
701 return (err);
702
703 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
704 VWRITE) != 0) {
705 return (EACCES);
706 }
707 }
708 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
709 NULL, KLPDARG_VNODE, mvp, NULL, KLPDARG_NOMORE));
710 }
711
712 void
713 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
714 {
715 boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
716
717 /*
718 * check; if we don't have either "nosuid" or
719 * both "nosetuid" and "nodevices", then we add
720 * "nosuid"; this depends on how the current
721 * implementation works (it first checks nosuid). In a
722 * zone, a user with all zone privileges can mount with
723 * "setuid" but never with "devices".
724 */
725 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
726 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
727 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
728 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
729 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
730 else
731 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
732 }
733 /*
734 * If we're not the local super user, we set the "restrict"
735 * option to indicate to automountd that this mount should
736 * be handled with care.
737 */
738 if (!amsuper)
739 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
740
741 }
742
743 int
744 secpolicy_fs_allowed_mount(const char *fsname)
745 {
746 struct vfssw *vswp;
747 const char *p;
748 size_t len;
749
750 ASSERT(fsname != NULL);
751 ASSERT(fsname[0] != '\0');
752
753 if (INGLOBALZONE(curproc))
754 return (0);
755
756 vswp = vfs_getvfssw(fsname);
757 if (vswp == NULL)
758 return (ENOENT);
759
760 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
761 vfs_unrefvfssw(vswp);
762 return (0);
763 }
764
765 vfs_unrefvfssw(vswp);
766
767 p = curzone->zone_fs_allowed;
768 len = strlen(fsname);
769
770 while (p != NULL && *p != '\0') {
771 if (strncmp(p, fsname, len) == 0) {
772 char c = *(p + len);
773 if (c == '\0' || c == ',')
774 return (0);
775 }
776
777 /* skip to beyond the next comma */
778 if ((p = strchr(p, ',')) != NULL)
779 p++;
780 }
781
782 return (EPERM);
783 }
784
785 extern vnode_t *rootvp;
786 extern vfs_t *rootvfs;
787
788 int
789 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
790 {
791 boolean_t needoptchk;
792 int error;
793
794 /*
795 * If it's a remount, get the underlying mount point,
796 * except for the root where we use the rootvp.
797 */
798 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
799 if (vfsp == rootvfs)
800 mvp = rootvp;
801 else
802 mvp = vfsp->vfs_vnodecovered;
803 }
804
805 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
806
807 if (error == 0 && needoptchk) {
808 secpolicy_fs_mount_clearopts(cr, vfsp);
809 }
810
811 return (error);
812 }
813
814 /*
815 * Does the policy computations for "ownership" of a mount;
816 * here ownership is defined as the ability to "mount"
817 * the filesystem originally. The rootvfs doesn't cover any
818 * vnodes; we attribute its ownership to the rootvp.
819 */
820 static int
821 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
822 {
823 vnode_t *mvp;
824
825 if (vfsp == NULL)
826 mvp = NULL;
827 else if (vfsp == rootvfs)
828 mvp = rootvp;
829 else
830 mvp = vfsp->vfs_vnodecovered;
831
832 return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
833 }
834
835 int
836 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
837 {
838 return (secpolicy_fs_owner(cr, vfsp));
839 }
840
841 /*
842 * Quotas are a resource, but if one has the ability to mount a filesystem,
843 * they should be able to modify quotas on it.
844 */
845 int
846 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
847 {
848 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
849 }
850
851 /*
852 * Exceeding minfree: also a per-mount resource constraint.
853 */
854 int
855 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
856 {
857 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
858 }
859
860 int
861 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
862 {
863 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
864 }
865
866 /* ARGSUSED */
867 int
868 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
869 {
870 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
871 }
872
873 /*
874 * Name: secpolicy_vnode_access()
875 *
876 * Parameters: Process credential
877 * vnode
878 * uid of owner of vnode
879 * permission bits not granted to the caller when examining
880 * file mode bits (i.e., when a process wants to open a
881 * mode 444 file for VREAD|VWRITE, this function should be
882 * called only with a VWRITE argument).
883 *
884 * Normal: Verifies that cred has the appropriate privileges to
885 * override the mode bits that were denied.
886 *
887 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
888 * not a directory.
889 * file_dac_read - if VREAD bit was denied.
890 * file_dac_search - if VEXEC bit was denied and vnode is
891 * a directory.
892 * file_dac_write - if VWRITE bit was denied.
893 *
894 * Root owned files are special cased to protect system
895 * configuration files and such.
896 *
897 * Output: EACCES - if privilege check fails.
898 */
899
900 int
901 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
902 {
903 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
904 EACCES, NULL, KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE) != 0) {
905 return (EACCES);
906 }
907
908 if (mode & VWRITE) {
909 boolean_t allzone;
910
911 if (owner == 0 && cr->cr_uid != 0)
912 allzone = B_TRUE;
913 else
914 allzone = B_FALSE;
915 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
916 NULL, KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE) != 0) {
917 return (EACCES);
918 }
919 }
920
921 if (mode & VEXEC) {
922 /*
923 * Directories use file_dac_search to override the execute bit.
924 */
925 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
926 PRIV_FILE_DAC_EXECUTE;
927
928 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
929 KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE));
930 }
931 return (0);
932 }
933
934 /*
935 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
936 * current mode of the file, not the missing bits.
937 */
938 int
939 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
940 mode_t curmode, mode_t wantmode)
941 {
942 mode_t mode;
943
944 /* Inline the basic privileges tests. */
945 if ((wantmode & VREAD) &&
946 !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
947 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
948 KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE) != 0) {
949 return (EACCES);
950 }
951
952 if ((wantmode & VWRITE) &&
953 !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
954 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
955 KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE) != 0) {
956 return (EACCES);
957 }
958
959 mode = ~curmode & wantmode;
960
961 if (mode == 0)
962 return (0);
963
964 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
965 EACCES, NULL, KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE) != 0) {
966 return (EACCES);
967 }
968
969 if (mode & VWRITE) {
970 boolean_t allzone;
971
972 if (owner == 0 && cr->cr_uid != 0)
973 allzone = B_TRUE;
974 else
975 allzone = B_FALSE;
976 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
977 NULL, KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE) != 0) {
978 return (EACCES);
979 }
980 }
981
982 if (mode & VEXEC) {
983 /*
984 * Directories use file_dac_search to override the execute bit.
985 */
986 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
987 PRIV_FILE_DAC_EXECUTE;
988
989 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
990 KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE));
991 }
992 return (0);
993 }
994
995 /*
996 * This is a special routine for ZFS; it is used to determine whether
997 * any of the privileges in effect allow any form of access to the
998 * file. There's no reason to audit this or any reason to record
999 * this. More work is needed to do the "KPLD" stuff.
1000 */
1001 int
1002 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1003 {
1004 static int privs[] = {
1005 PRIV_FILE_OWNER,
1006 PRIV_FILE_CHOWN,
1007 PRIV_FILE_DAC_READ,
1008 PRIV_FILE_DAC_WRITE,
1009 PRIV_FILE_DAC_EXECUTE,
1010 PRIV_FILE_DAC_SEARCH,
1011 };
1012 int i;
1013
1014 /* Same as secpolicy_vnode_setdac */
1015 if (owner == cr->cr_uid)
1016 return (0);
1017
1018 for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1019 boolean_t allzone = B_FALSE;
1020 int priv;
1021
1022 switch (priv = privs[i]) {
1023 case PRIV_FILE_DAC_EXECUTE:
1024 if (vp->v_type == VDIR)
1025 continue;
1026 break;
1027 case PRIV_FILE_DAC_SEARCH:
1028 if (vp->v_type != VDIR)
1029 continue;
1030 break;
1031 case PRIV_FILE_DAC_WRITE:
1032 case PRIV_FILE_OWNER:
1033 case PRIV_FILE_CHOWN:
1034 /* We know here that if owner == 0, that cr_uid != 0 */
1035 allzone = owner == 0;
1036 break;
1037 }
1038 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1039 return (0);
1040 }
1041 return (EPERM);
1042 }
1043
1044 /*
1045 * Name: secpolicy_vnode_setid_modify()
1046 *
1047 * Normal: verify that subject can set the file setid flags.
1048 *
1049 * Output: EPERM - if not privileged.
1050 */
1051
1052 static int
1053 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1054 {
1055 /* If changing to suid root, must have all zone privs */
1056 boolean_t allzone = B_TRUE;
1057
1058 if (owner != 0) {
1059 if (owner == cr->cr_uid)
1060 return (0);
1061 allzone = B_FALSE;
1062 }
1063 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1064 }
1065
1066 /*
1067 * Are we allowed to retain the set-uid/set-gid bits when
1068 * changing ownership or when writing to a file?
1069 * "issuid" should be true when set-uid; only in that case
1070 * root ownership is checked (setgid is assumed).
1071 */
1072 int
1073 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1074 {
1075 if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1076 return (EPERM);
1077
1078 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1079 }
1080
1081 /*
1082 * Name: secpolicy_vnode_setids_setgids()
1083 *
1084 * Normal: verify that subject can set the file setgid flag.
1085 *
1086 * Output: EPERM - if not privileged
1087 */
1088
1089 int
1090 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1091 {
1092 if (!groupmember(gid, cred))
1093 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1094 NULL));
1095 return (0);
1096 }
1097
1098 /*
1099 * Name: secpolicy_vnode_chown
1100 *
1101 * Normal: Determine if subject can chown owner of a file.
1102 *
1103 * Output: EPERM - if access denied
1104 */
1105
1106 int
1107 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1108 {
1109 boolean_t is_owner = (owner == crgetuid(cred));
1110 boolean_t allzone = B_FALSE;
1111 int priv;
1112
1113 if (!is_owner) {
1114 allzone = (owner == 0);
1115 priv = PRIV_FILE_CHOWN;
1116 } else {
1117 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1118 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1119 }
1120
1121 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1122 }
1123
1124 /*
1125 * Name: secpolicy_vnode_create_gid
1126 *
1127 * Normal: Determine if subject can change group ownership of a file.
1128 *
1129 * Output: EPERM - if access denied
1130 */
1131 int
1132 secpolicy_vnode_create_gid(const cred_t *cred)
1133 {
1134 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1135 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1136 NULL));
1137 else
1138 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1139 NULL));
1140 }
1141
1142 /*
1143 * Name: secpolicy_vnode_utime_modify()
1144 *
1145 * Normal: verify that subject can modify the utime on a file.
1146 *
1147 * Output: EPERM - if access denied.
1148 */
1149
1150 static int
1151 secpolicy_vnode_utime_modify(const cred_t *cred)
1152 {
1153 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1154 "modify file times"));
1155 }
1156
1157
1158 /*
1159 * Name: secpolicy_vnode_setdac()
1160 *
1161 * Normal: verify that subject can modify the mode of a file.
1162 * allzone privilege needed when modifying root owned object.
1163 *
1164 * Output: EPERM - if access denied.
1165 */
1166
1167 int
1168 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1169 {
1170 if (owner == cred->cr_uid)
1171 return (0);
1172
1173 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1174 }
1175 /*
1176 * Name: secpolicy_vnode_stky_modify()
1177 *
1178 * Normal: verify that subject can make a file a "sticky".
1179 *
1180 * Output: EPERM - if access denied.
1181 */
1182
1183 int
1184 secpolicy_vnode_stky_modify(const cred_t *cred)
1185 {
1186 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1187 "set file sticky"));
1188 }
1189
1190 /*
1191 * Policy determines whether we can remove an entry from a directory,
1192 * regardless of permission bits.
1193 */
1194 int
1195 secpolicy_vnode_remove(const cred_t *cr)
1196 {
1197 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1198 "sticky directory"));
1199 }
1200
1201 int
1202 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1203 {
1204 boolean_t allzone = (owner == 0);
1205
1206 if (owner == cr->cr_uid)
1207 return (0);
1208
1209 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1210 }
1211
1212 void
1213 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1214 {
1215 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1216 secpolicy_vnode_setid_retain(cr,
1217 (vap->va_mode & S_ISUID) != 0 &&
1218 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1219 vap->va_mask |= AT_MODE;
1220 vap->va_mode &= ~(S_ISUID|S_ISGID);
1221 }
1222 }
1223
1224 int
1225 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1226 cred_t *cr)
1227 {
1228 int error;
1229
1230 if ((vap->va_mode & S_ISUID) != 0 &&
1231 (error = secpolicy_vnode_setid_modify(cr,
1232 ovap->va_uid)) != 0) {
1233 return (error);
1234 }
1235
1236 /*
1237 * Check privilege if attempting to set the
1238 * sticky bit on a non-directory.
1239 */
1240 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1241 secpolicy_vnode_stky_modify(cr) != 0) {
1242 vap->va_mode &= ~S_ISVTX;
1243 }
1244
1245 /*
1246 * Check for privilege if attempting to set the
1247 * group-id bit.
1248 */
1249 if ((vap->va_mode & S_ISGID) != 0 &&
1250 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1251 vap->va_mode &= ~S_ISGID;
1252 }
1253
1254 return (0);
1255 }
1256
1257 #define ATTR_FLAG_PRIV(attr, value, cr) \
1258 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1259 B_FALSE, EPERM, NULL)
1260
1261 /*
1262 * Check privileges for setting xvattr attributes
1263 */
1264 int
1265 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1266 {
1267 xoptattr_t *xoap;
1268 int error = 0;
1269
1270 if ((xoap = xva_getxoptattr(xvap)) == NULL)
1271 return (EINVAL);
1272
1273 /*
1274 * First process the DOS bits
1275 */
1276 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1277 XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1278 XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1279 XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1280 XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1281 XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1282 XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1283 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1284 return (error);
1285 }
1286
1287 /*
1288 * Now handle special attributes
1289 */
1290
1291 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1292 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1293 xoap->xoa_immutable, cr);
1294 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1295 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1296 xoap->xoa_nounlink, cr);
1297 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1298 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1299 xoap->xoa_appendonly, cr);
1300 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1301 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1302 xoap->xoa_nodump, cr);
1303 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1304 error = EPERM;
1305 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1306 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1307 xoap->xoa_av_quarantined, cr);
1308 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1309 error = EINVAL;
1310 }
1311 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1312 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1313 xoap->xoa_av_modified, cr);
1314 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1315 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1316 xoap->xoa_av_scanstamp, cr);
1317 if (error == 0 && vtype != VREG)
1318 error = EINVAL;
1319 }
1320 return (error);
1321 }
1322
1323 /*
1324 * This function checks the policy decisions surrounding the
1325 * vop setattr call.
1326 *
1327 * It should be called after sufficient locks have been established
1328 * on the underlying data structures. No concurrent modifications
1329 * should be allowed.
1330 *
1331 * The caller must pass in unlocked version of its vaccess function
1332 * this is required because vop_access function should lock the
1333 * node for reading. A three argument function should be defined
1334 * which accepts the following argument:
1335 * A pointer to the internal "node" type (inode *)
1336 * vnode access bits (VREAD|VWRITE|VEXEC)
1337 * a pointer to the credential
1338 *
1339 * This function makes the following policy decisions:
1340 *
1341 * - change permissions
1342 * - permission to change file mode if not owner
1343 * - permission to add sticky bit to non-directory
1344 * - permission to add set-gid bit
1345 *
1346 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1347 *
1348 * If the vap argument does not include AT_MODE, the mode will be copied from
1349 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1350 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1351 * is updated to the newly computed mode.
1352 */
1353
1354 int
1355 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1356 const struct vattr *ovap, int flags,
1357 int unlocked_access(void *, int, cred_t *),
1358 void *node)
1359 {
1360 int mask = vap->va_mask;
1361 int error = 0;
1362 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1363
1364 if (mask & AT_SIZE) {
1365 if (vp->v_type == VDIR) {
1366 error = EISDIR;
1367 goto out;
1368 }
1369
1370 /*
1371 * If ATTR_NOACLCHECK is set in the flags, then we don't
1372 * perform the secondary unlocked_access() call since the
1373 * ACL (if any) is being checked there.
1374 */
1375 if (skipaclchk == B_FALSE) {
1376 error = unlocked_access(node, VWRITE, cr);
1377 if (error)
1378 goto out;
1379 }
1380 }
1381 if (mask & AT_MODE) {
1382 /*
1383 * If not the owner of the file then check privilege
1384 * for two things: the privilege to set the mode at all
1385 * and, if we're setting setuid, we also need permissions
1386 * to add the set-uid bit, if we're not the owner.
1387 * In the specific case of creating a set-uid root
1388 * file, we need even more permissions.
1389 */
1390 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1391 goto out;
1392
1393 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1394 ovap, cr)) != 0)
1395 goto out;
1396 } else
1397 vap->va_mode = ovap->va_mode;
1398
1399 if (mask & (AT_UID|AT_GID)) {
1400 boolean_t checkpriv = B_FALSE;
1401
1402 /*
1403 * Chowning files.
1404 *
1405 * If you are the file owner:
1406 * chown to other uid FILE_CHOWN_SELF
1407 * chown to gid (non-member) FILE_CHOWN_SELF
1408 * chown to gid (member) <none>
1409 *
1410 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1411 * acceptable but the first one is reported when debugging.
1412 *
1413 * If you are not the file owner:
1414 * chown from root PRIV_FILE_CHOWN + zone
1415 * chown from other to any PRIV_FILE_CHOWN
1416 *
1417 */
1418 if (cr->cr_uid != ovap->va_uid) {
1419 checkpriv = B_TRUE;
1420 } else {
1421 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1422 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1423 !groupmember(vap->va_gid, cr))) {
1424 checkpriv = B_TRUE;
1425 }
1426 }
1427 /*
1428 * If necessary, check privilege to see if update can be done.
1429 */
1430 if (checkpriv &&
1431 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1432 goto out;
1433 }
1434
1435 /*
1436 * If the file has either the set UID or set GID bits
1437 * set and the caller can set the bits, then leave them.
1438 */
1439 secpolicy_setid_clear(vap, cr);
1440 }
1441 if (mask & (AT_ATIME|AT_MTIME)) {
1442 /*
1443 * If not the file owner and not otherwise privileged,
1444 * always return an error when setting the
1445 * time other than the current (ATTR_UTIME flag set).
1446 * If setting the current time (ATTR_UTIME not set) then
1447 * unlocked_access will check permissions according to policy.
1448 */
1449 if (cr->cr_uid != ovap->va_uid) {
1450 if (flags & ATTR_UTIME)
1451 error = secpolicy_vnode_utime_modify(cr);
1452 else if (skipaclchk == B_FALSE) {
1453 error = unlocked_access(node, VWRITE, cr);
1454 if (error == EACCES &&
1455 secpolicy_vnode_utime_modify(cr) == 0)
1456 error = 0;
1457 }
1458 if (error)
1459 goto out;
1460 }
1461 }
1462
1463 /*
1464 * Check for optional attributes here by checking the following:
1465 */
1466 if (mask & AT_XVATTR)
1467 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1468 vp->v_type);
1469 out:
1470 return (error);
1471 }
1472
1473 /*
1474 * Name: secpolicy_pcfs_modify_bootpartition()
1475 *
1476 * Normal: verify that subject can modify a pcfs boot partition.
1477 *
1478 * Output: EACCES - if privilege check failed.
1479 */
1480 /*ARGSUSED*/
1481 int
1482 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1483 {
1484 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1485 "modify pcfs boot partition"));
1486 }
1487
1488 /*
1489 * System V IPC routines
1490 */
1491 int
1492 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1493 {
1494 if (crgetzoneid(cr) != ip->ipc_zoneid ||
1495 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1496 boolean_t allzone = B_FALSE;
1497 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1498 allzone = B_TRUE;
1499 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1500 }
1501 return (0);
1502 }
1503
1504 int
1505 secpolicy_ipc_config(const cred_t *cr)
1506 {
1507 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1508 }
1509
1510 int
1511 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1512 {
1513
1514 boolean_t allzone = B_FALSE;
1515
1516 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1517
1518 if ((mode & MSG_R) &&
1519 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1520 return (EACCES);
1521
1522 if (mode & MSG_W) {
1523 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1524 allzone = B_TRUE;
1525
1526 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1527 NULL));
1528 }
1529 return (0);
1530 }
1531
1532 int
1533 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1534 {
1535 boolean_t allzone = B_FALSE;
1536
1537 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1538
1539 if ((mode & MSG_R) &&
1540 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1541 return (EACCES);
1542
1543 if (mode & MSG_W) {
1544 if (cr->cr_uid != 0 && owner == 0)
1545 allzone = B_TRUE;
1546
1547 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1548 NULL));
1549 }
1550 return (0);
1551 }
1552
1553 /*
1554 * Audit configuration.
1555 */
1556 int
1557 secpolicy_audit_config(const cred_t *cr)
1558 {
1559 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1560 }
1561
1562 /*
1563 * Audit record generation.
1564 */
1565 int
1566 secpolicy_audit_modify(const cred_t *cr)
1567 {
1568 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1569 }
1570
1571 /*
1572 * Get audit attributes.
1573 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1574 * "Least" of the two privileges on error.
1575 */
1576 int
1577 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1578 {
1579 int priv;
1580
1581 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1582 priv = PRIV_SYS_AUDIT;
1583 else
1584 priv = PRIV_PROC_AUDIT;
1585
1586 if (checkonly)
1587 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1588 else
1589 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1590 }
1591
1592
1593 /*
1594 * Locking physical memory
1595 */
1596 int
1597 secpolicy_lock_memory(const cred_t *cr)
1598 {
1599 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1600 }
1601
1602 /*
1603 * Accounting (both acct(2) and exacct).
1604 */
1605 int
1606 secpolicy_acct(const cred_t *cr)
1607 {
1608 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1609 }
1610
1611 /*
1612 * Is this process privileged to change its uids at will?
1613 * Uid 0 is still considered "special" and having the SETID
1614 * privilege is not sufficient to get uid 0.
1615 * Files are owned by root, so the privilege would give
1616 * full access and euid 0 is still effective.
1617 *
1618 * If you have the privilege and euid 0 only then do you
1619 * get the powers of root wrt uid 0.
1620 *
1621 * For gid manipulations, this is should be called with an
1622 * uid of -1.
1623 *
1624 */
1625 int
1626 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1627 {
1628 boolean_t allzone = B_FALSE;
1629
1630 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1631 cr->cr_ruid != 0) {
1632 allzone = B_TRUE;
1633 }
1634
1635 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1636 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1637 }
1638
1639
1640 /*
1641 * Acting on a different process: if the mode is for writing,
1642 * the restrictions are more severe. This is called after
1643 * we've verified that the uids do not match.
1644 */
1645 int
1646 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1647 {
1648 boolean_t allzone = B_FALSE;
1649
1650 if ((mode & VWRITE) && scr->cr_uid != 0 &&
1651 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1652 allzone = B_TRUE;
1653
1654 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1655 }
1656
1657 int
1658 secpolicy_proc_access(const cred_t *scr)
1659 {
1660 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1661 }
1662
1663 int
1664 secpolicy_proc_excl_open(const cred_t *scr)
1665 {
1666 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1667 }
1668
1669 int
1670 secpolicy_proc_zone(const cred_t *scr)
1671 {
1672 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1673 }
1674
1675 /*
1676 * Destroying the system
1677 */
1678
1679 int
1680 secpolicy_kmdb(const cred_t *scr)
1681 {
1682 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1683 }
1684
1685 int
1686 secpolicy_error_inject(const cred_t *scr)
1687 {
1688 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1689 }
1690
1691 /*
1692 * Processor sets, cpu configuration, resource pools.
1693 */
1694 int
1695 secpolicy_pset(const cred_t *cr)
1696 {
1697 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1698 }
1699
1700 /* Process security flags */
1701 int
1702 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1703 {
1704 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1705 return (EPERM);
1706
1707 if (!prochasprocperm(tp, sp, cr))
1708 return (EPERM);
1709
1710 return (0);
1711 }
1712
1713 /*
1714 * Processor set binding.
1715 */
1716 int
1717 secpolicy_pbind(const cred_t *cr)
1718 {
1719 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1720 return (secpolicy_pset(cr));
1721 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1722 }
1723
1724 int
1725 secpolicy_ponline(const cred_t *cr)
1726 {
1727 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1728 }
1729
1730 int
1731 secpolicy_pool(const cred_t *cr)
1732 {
1733 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1734 }
1735
1736 int
1737 secpolicy_blacklist(const cred_t *cr)
1738 {
1739 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1740 }
1741
1742 /*
1743 * Catch all system configuration.
1744 */
1745 int
1746 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1747 {
1748 if (checkonly) {
1749 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1750 EPERM);
1751 } else {
1752 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1753 }
1754 }
1755
1756 /*
1757 * Zone administration (halt, reboot, etc.) from within zone.
1758 */
1759 int
1760 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1761 {
1762 if (checkonly) {
1763 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1764 EPERM);
1765 } else {
1766 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1767 NULL));
1768 }
1769 }
1770
1771 /*
1772 * Zone configuration (create, halt, enter).
1773 */
1774 int
1775 secpolicy_zone_config(const cred_t *cr)
1776 {
1777 /*
1778 * Require all privileges to avoid possibility of privilege
1779 * escalation.
1780 */
1781 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1782 }
1783
1784 /*
1785 * Various other system configuration calls
1786 */
1787 int
1788 secpolicy_coreadm(const cred_t *cr)
1789 {
1790 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1791 }
1792
1793 int
1794 secpolicy_systeminfo(const cred_t *cr)
1795 {
1796 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1797 }
1798
1799 int
1800 secpolicy_dispadm(const cred_t *cr)
1801 {
1802 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1803 }
1804
1805 int
1806 secpolicy_settime(const cred_t *cr)
1807 {
1808 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1809 }
1810
1811 /*
1812 * For realtime users: high resolution clock.
1813 */
1814 int
1815 secpolicy_clock_highres(const cred_t *cr)
1816 {
1817 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1818 NULL));
1819 }
1820
1821 /*
1822 * drv_priv() is documented as callable from interrupt context, not that
1823 * anyone ever does, but still. No debugging or auditing can be done when
1824 * it is called from interrupt context.
1825 * returns 0 on succes, EPERM on failure.
1826 */
1827 int
1828 drv_priv(cred_t *cr)
1829 {
1830 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1831 }
1832
1833 int
1834 secpolicy_sys_devices(const cred_t *cr)
1835 {
1836 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1837 }
1838
1839 int
1840 secpolicy_excl_open(const cred_t *cr)
1841 {
1842 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1843 }
1844
1845 int
1846 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1847 {
1848 /* zone.* rctls can only be set from the global zone */
1849 if (is_zone_rctl && priv_policy_global(cr) != 0)
1850 return (EPERM);
1851 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1852 }
1853
1854 int
1855 secpolicy_resource(const cred_t *cr)
1856 {
1857 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1858 }
1859
1860 int
1861 secpolicy_resource_anon_mem(const cred_t *cr)
1862 {
1863 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1864 }
1865
1866 /*
1867 * Processes with a real uid of 0 escape any form of accounting, much
1868 * like before.
1869 */
1870 int
1871 secpolicy_newproc(const cred_t *cr)
1872 {
1873 if (cr->cr_ruid == 0)
1874 return (0);
1875
1876 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1877 }
1878
1879 /*
1880 * Networking
1881 */
1882 int
1883 secpolicy_net_rawaccess(const cred_t *cr)
1884 {
1885 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1886 }
1887
1888 int
1889 secpolicy_net_observability(const cred_t *cr)
1890 {
1891 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1892 }
1893
1894 /*
1895 * Need this privilege for accessing the ICMP device
1896 */
1897 int
1898 secpolicy_net_icmpaccess(const cred_t *cr)
1899 {
1900 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1901 }
1902
1903 /*
1904 * There are a few rare cases where the kernel generates ioctls() from
1905 * interrupt context with a credential of kcred rather than NULL.
1906 * In those cases, we take the safe and cheap test.
1907 */
1908 int
1909 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1910 {
1911 if (checkonly) {
1912 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1913 0 : EPERM);
1914 } else {
1915 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1916 NULL));
1917 }
1918 }
1919
1920
1921 /*
1922 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1923 *
1924 * There are a few rare cases where the kernel generates ioctls() from
1925 * interrupt context with a credential of kcred rather than NULL.
1926 * In those cases, we take the safe and cheap test.
1927 */
1928 int
1929 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1930 {
1931 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1932 return (secpolicy_net_config(cr, checkonly));
1933
1934 if (checkonly) {
1935 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1936 0 : EPERM);
1937 } else {
1938 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1939 NULL));
1940 }
1941 }
1942
1943 /*
1944 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1945 */
1946 int
1947 secpolicy_dl_config(const cred_t *cr)
1948 {
1949 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1950 return (secpolicy_net_config(cr, B_FALSE));
1951 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1952 }
1953
1954 /*
1955 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1956 */
1957 int
1958 secpolicy_iptun_config(const cred_t *cr)
1959 {
1960 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1961 return (secpolicy_net_config(cr, B_FALSE));
1962 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1963 return (secpolicy_dl_config(cr));
1964 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1965 }
1966
1967 /*
1968 * Map IP pseudo privileges to actual privileges.
1969 * So we don't need to recompile IP when we change the privileges.
1970 */
1971 int
1972 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1973 {
1974 int priv = PRIV_ALL;
1975
1976 switch (netpriv) {
1977 case OP_CONFIG:
1978 priv = PRIV_SYS_IP_CONFIG;
1979 break;
1980 case OP_RAW:
1981 priv = PRIV_NET_RAWACCESS;
1982 break;
1983 case OP_PRIVPORT:
1984 priv = PRIV_NET_PRIVADDR;
1985 break;
1986 }
1987 ASSERT(priv != PRIV_ALL);
1988 if (checkonly)
1989 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1990 else
1991 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1992 }
1993
1994 /*
1995 * Map network pseudo privileges to actual privileges.
1996 * So we don't need to recompile IP when we change the privileges.
1997 */
1998 int
1999 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2000 {
2001 int priv = PRIV_ALL;
2002
2003 switch (netpriv) {
2004 case OP_CONFIG:
2005 priv = PRIV_SYS_NET_CONFIG;
2006 break;
2007 case OP_RAW:
2008 priv = PRIV_NET_RAWACCESS;
2009 break;
2010 case OP_PRIVPORT:
2011 priv = PRIV_NET_PRIVADDR;
2012 break;
2013 }
2014 ASSERT(priv != PRIV_ALL);
2015 if (checkonly)
2016 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2017 else
2018 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2019 }
2020
2021 /*
2022 * Checks for operations that are either client-only or are used by
2023 * both clients and servers.
2024 */
2025 int
2026 secpolicy_nfs(const cred_t *cr)
2027 {
2028 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2029 }
2030
2031 /*
2032 * Special case for opening rpcmod: have NFS privileges or network
2033 * config privileges.
2034 */
2035 int
2036 secpolicy_rpcmod_open(const cred_t *cr)
2037 {
2038 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2039 return (secpolicy_nfs(cr));
2040 else
2041 return (secpolicy_net_config(cr, B_FALSE));
2042 }
2043
2044 int
2045 secpolicy_chroot(const cred_t *cr)
2046 {
2047 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2048 }
2049
2050 int
2051 secpolicy_tasksys(const cred_t *cr)
2052 {
2053 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2054 }
2055
2056 int
2057 secpolicy_meminfo(const cred_t *cr)
2058 {
2059 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2060 }
2061
2062 int
2063 secpolicy_pfexec_register(const cred_t *cr)
2064 {
2065 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2066 }
2067
2068 /*
2069 * Basic privilege checks.
2070 */
2071 int
2072 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2073 {
2074 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2075
2076 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2077 KLPDARG_VNODE, vp, NULL, KLPDARG_NOMORE));
2078 }
2079
2080 int
2081 secpolicy_basic_fork(const cred_t *cr)
2082 {
2083 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2084
2085 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2086 }
2087
2088 int
2089 secpolicy_basic_proc(const cred_t *cr)
2090 {
2091 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2092
2093 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2094 }
2095
2096 /*
2097 * Slightly complicated because we don't want to trigger the policy too
2098 * often. First we shortcircuit access to "self" (tp == sp) or if
2099 * we don't have the privilege but if we have permission
2100 * just return (0) and we don't flag the privilege as needed.
2101 * Else, we test for the privilege because we either have it or need it.
2102 */
2103 int
2104 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2105 {
2106 if (tp == sp ||
2107 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2108 return (0);
2109 } else {
2110 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2111 }
2112 }
2113
2114 int
2115 secpolicy_basic_link(const cred_t *cr)
2116 {
2117 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2118
2119 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2120 }
2121
2122 int
2123 secpolicy_basic_net_access(const cred_t *cr)
2124 {
2125 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2126
2127 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2128 }
2129
2130 /* ARGSUSED */
2131 int
2132 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2133 {
2134 FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2135
2136 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2137 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2138 }
2139
2140 /* ARGSUSED */
2141 int
2142 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2143 {
2144 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2145
2146 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2147 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2148 }
2149
2150 /*
2151 * Additional device protection.
2152 *
2153 * Traditionally, a device has specific permissions on the node in
2154 * the filesystem which govern which devices can be opened by what
2155 * processes. In certain cases, it is desirable to add extra
2156 * restrictions, as writing to certain devices is identical to
2157 * having a complete run of the system.
2158 *
2159 * This mechanism is called the device policy.
2160 *
2161 * When a device is opened, its policy entry is looked up in the
2162 * policy cache and checked.
2163 */
2164 int
2165 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2166 {
2167 devplcy_t *plcy;
2168 int err;
2169 struct snode *csp = VTOS(common_specvp(vp));
2170 priv_set_t pset;
2171
2172 mutex_enter(&csp->s_lock);
2173
2174 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2175 plcy = devpolicy_find(vp);
2176 if (csp->s_plcy)
2177 dpfree(csp->s_plcy);
2178 csp->s_plcy = plcy;
2179 ASSERT(plcy != NULL);
2180 } else
2181 plcy = csp->s_plcy;
2182
2183 if (plcy == nullpolicy) {
2184 mutex_exit(&csp->s_lock);
2185 return (0);
2186 }
2187
2188 dphold(plcy);
2189
2190 mutex_exit(&csp->s_lock);
2191
2192 if (oflag & FWRITE)
2193 pset = plcy->dp_wrp;
2194 else
2195 pset = plcy->dp_rdp;
2196 /*
2197 * Special case:
2198 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2199 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2200 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2201 * in the required privilege set before doing the check.
2202 */
2203 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2204 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2205 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2206 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2207 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2208 }
2209
2210 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2211 dpfree(plcy);
2212
2213 return (err);
2214 }
2215
2216 int
2217 secpolicy_modctl(const cred_t *cr, int cmd)
2218 {
2219 switch (cmd) {
2220 case MODINFO:
2221 case MODGETMAJBIND:
2222 case MODGETPATH:
2223 case MODGETPATHLEN:
2224 case MODGETNAME:
2225 case MODGETFBNAME:
2226 case MODGETDEVPOLICY:
2227 case MODGETDEVPOLICYBYNAME:
2228 case MODDEVT2INSTANCE:
2229 case MODSIZEOF_DEVID:
2230 case MODGETDEVID:
2231 case MODSIZEOF_MINORNAME:
2232 case MODGETMINORNAME:
2233 case MODGETDEVFSPATH_LEN:
2234 case MODGETDEVFSPATH:
2235 case MODGETDEVFSPATH_MI_LEN:
2236 case MODGETDEVFSPATH_MI:
2237 /* Unprivileged */
2238 return (0);
2239 case MODLOAD:
2240 case MODSETDEVPOLICY:
2241 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2242 KLPDARG_NONE));
2243 default:
2244 return (secpolicy_sys_config(cr, B_FALSE));
2245 }
2246 }
2247
2248 int
2249 secpolicy_console(const cred_t *cr)
2250 {
2251 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2252 }
2253
2254 int
2255 secpolicy_power_mgmt(const cred_t *cr)
2256 {
2257 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2258 }
2259
2260 /*
2261 * Simulate terminal input; another escalation of privileges avenue.
2262 */
2263
2264 int
2265 secpolicy_sti(const cred_t *cr)
2266 {
2267 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2268 }
2269
2270 boolean_t
2271 secpolicy_net_reply_equal(const cred_t *cr)
2272 {
2273 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2274 }
2275
2276 int
2277 secpolicy_swapctl(const cred_t *cr)
2278 {
2279 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2280 }
2281
2282 int
2283 secpolicy_cpc_cpu(const cred_t *cr)
2284 {
2285 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2286 }
2287
2288 /*
2289 * secpolicy_contract_identity
2290 *
2291 * Determine if the subject may set the process contract FMRI value
2292 */
2293 int
2294 secpolicy_contract_identity(const cred_t *cr)
2295 {
2296 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2297 }
2298
2299 /*
2300 * secpolicy_contract_observer
2301 *
2302 * Determine if the subject may observe a specific contract's events.
2303 */
2304 int
2305 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2306 {
2307 if (contract_owned(ct, cr, B_FALSE))
2308 return (0);
2309 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2310 }
2311
2312 /*
2313 * secpolicy_contract_observer_choice
2314 *
2315 * Determine if the subject may observe any contract's events. Just
2316 * tests privilege and audits on success.
2317 */
2318 boolean_t
2319 secpolicy_contract_observer_choice(const cred_t *cr)
2320 {
2321 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2322 }
2323
2324 /*
2325 * secpolicy_contract_event
2326 *
2327 * Determine if the subject may request critical contract events or
2328 * reliable contract event delivery.
2329 */
2330 int
2331 secpolicy_contract_event(const cred_t *cr)
2332 {
2333 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2334 }
2335
2336 /*
2337 * secpolicy_contract_event_choice
2338 *
2339 * Determine if the subject may retain contract events in its critical
2340 * set when a change in other terms would normally require a change in
2341 * the critical set. Just tests privilege and audits on success.
2342 */
2343 boolean_t
2344 secpolicy_contract_event_choice(const cred_t *cr)
2345 {
2346 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2347 }
2348
2349 /*
2350 * secpolicy_gart_access
2351 *
2352 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2353 * device.
2354 */
2355 int
2356 secpolicy_gart_access(const cred_t *cr)
2357 {
2358 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2359 }
2360
2361 /*
2362 * secpolicy_gart_map
2363 *
2364 * Determine if the subject has sufficient priveleges to map aperture range
2365 * through agpgart driver.
2366 */
2367 int
2368 secpolicy_gart_map(const cred_t *cr)
2369 {
2370 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2371 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2372 NULL));
2373 } else {
2374 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2375 NULL));
2376 }
2377 }
2378
2379 /*
2380 * secpolicy_xhci
2381 *
2382 * Determine if the subject can observe and manipulate the xhci driver with a
2383 * dangerous blunt hammer. Requires all privileges.
2384 */
2385 int
2386 secpolicy_xhci(const cred_t *cr)
2387 {
2388 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2389 }
2390
2391 /*
2392 * secpolicy_zinject
2393 *
2394 * Determine if the subject can inject faults in the ZFS fault injection
2395 * framework. Requires all privileges.
2396 */
2397 int
2398 secpolicy_zinject(const cred_t *cr)
2399 {
2400 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2401 }
2402
2403 /*
2404 * secpolicy_zfs
2405 *
2406 * Determine if the subject has permission to manipulate ZFS datasets
2407 * (not pools). Equivalent to the SYS_MOUNT privilege.
2408 */
2409 int
2410 secpolicy_zfs(const cred_t *cr)
2411 {
2412 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2413 }
2414
2415 /*
2416 * secpolicy_idmap
2417 *
2418 * Determine if the calling process has permissions to register an SID
2419 * mapping daemon and allocate ephemeral IDs.
2420 */
2421 int
2422 secpolicy_idmap(const cred_t *cr)
2423 {
2424 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2425 }
2426
2427 /*
2428 * secpolicy_ucode_update
2429 *
2430 * Determine if the subject has sufficient privilege to update microcode.
2431 */
2432 int
2433 secpolicy_ucode_update(const cred_t *scr)
2434 {
2435 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2436 }
2437
2438 /*
2439 * secpolicy_sadopen
2440 *
2441 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2442 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2443 * In global zone, sys_config is required.
2444 * In exclusive-IP zones, sys_ip_config is required.
2445 * Note that sys_config is prohibited in non-global zones.
2446 */
2447 int
2448 secpolicy_sadopen(const cred_t *credp)
2449 {
2450 priv_set_t pset;
2451
2452 priv_emptyset(&pset);
2453
2454 if (crgetzoneid(credp) == GLOBAL_ZONEID)
2455 priv_addset(&pset, PRIV_SYS_CONFIG);
2456 else
2457 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2458
2459 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2460 }
2461
2462
2463 /*
2464 * Add privileges to a particular privilege set; this is called when the
2465 * current sets of privileges are not sufficient. I.e., we should always
2466 * call the policy override functions from here.
2467 * What we are allowed to have is in the Observed Permitted set; so
2468 * we compute the difference between that and the newset.
2469 */
2470 int
2471 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2472 {
2473 priv_set_t rqd;
2474
2475 rqd = CR_OPPRIV(cr);
2476
2477 priv_inverse(&rqd);
2478 priv_intersect(nset, &rqd);
2479
2480 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2481 }
2482
2483 /*
2484 * secpolicy_smb
2485 *
2486 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2487 * that it has permission to access the smbsrv kernel driver.
2488 * PRIV_POLICY checks the privilege and audits the check.
2489 *
2490 * Returns:
2491 * 0 Driver access is allowed.
2492 * EPERM Driver access is NOT permitted.
2493 */
2494 int
2495 secpolicy_smb(const cred_t *cr)
2496 {
2497 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2498 }
2499
2500 /*
2501 * secpolicy_vscan
2502 *
2503 * Determine if cred_t has the necessary privileges to access a file
2504 * for virus scanning and update its extended system attributes.
2505 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2506 * PRIV_FILE_FLAG_SET - set extended system attributes
2507 *
2508 * PRIV_POLICY checks the privilege and audits the check.
2509 *
2510 * Returns:
2511 * 0 file access for virus scanning allowed.
2512 * EPERM file access for virus scanning is NOT permitted.
2513 */
2514 int
2515 secpolicy_vscan(const cred_t *cr)
2516 {
2517 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2518 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2519 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2520 return (EPERM);
2521 }
2522
2523 return (0);
2524 }
2525
2526 /*
2527 * secpolicy_smbfs_login
2528 *
2529 * Determines if the caller can add and delete the smbfs login
2530 * password in the the nsmb kernel module for the CIFS client.
2531 *
2532 * Returns:
2533 * 0 access is allowed.
2534 * EPERM access is NOT allowed.
2535 */
2536 int
2537 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2538 {
2539 uid_t cruid = crgetruid(cr);
2540
2541 if (cruid == uid)
2542 return (0);
2543 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2544 EPERM, NULL));
2545 }
2546
2547 /*
2548 * secpolicy_xvm_control
2549 *
2550 * Determines if a caller can control the xVM hypervisor and/or running
2551 * domains (x86 specific).
2552 *
2553 * Returns:
2554 * 0 access is allowed.
2555 * EPERM access is NOT allowed.
2556 */
2557 int
2558 secpolicy_xvm_control(const cred_t *cr)
2559 {
2560 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2561 return (EPERM);
2562 return (0);
2563 }
2564
2565 /*
2566 * secpolicy_ppp_config
2567 *
2568 * Determine if the subject has sufficient privileges to configure PPP and
2569 * PPP-related devices.
2570 */
2571 int
2572 secpolicy_ppp_config(const cred_t *cr)
2573 {
2574 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2575 return (secpolicy_net_config(cr, B_FALSE));
2576 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2577 }
Unleashed OS