 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2015, Joyent, Inc. All rights reserved.
# Privileges can be added to this file at any location, not
# necessarily at the end. For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
privilege PRIV_CONTRACT_EVENT
        Allows a process to request critical events without limitation.
        Allows a process to request reliable delivery of all events on

privilege PRIV_CONTRACT_IDENTITY
        Allows a process to set the service FMRI value of a process

privilege PRIV_CONTRACT_OBSERVER
        Allows a process to observe contract events generated by
        contracts created and owned by users other than the process's
        Allows a process to open contract event endpoints belonging to
        contracts created and owned by users other than the process's

privilege PRIV_CPC_CPU
        Allows a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL
        Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC
        Allows DTrace process-level tracing.
        Allows process-level tracing probes to be placed and enabled in
        processes to which the user has permissions.

privilege PRIV_DTRACE_USER
        Allows DTrace user-level tracing.
        Allows use of the syscall and profile DTrace providers to
        examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN
        Allows a process to change a file's owner user ID.
        Allows a process to change a file's group ID to one other than
        the process' effective group ID or one of the process'
        supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF
        Allows a process to give away its files; a process with this
        privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not

privilege PRIV_FILE_DAC_EXECUTE
        Allows a process to execute an executable file whose permission
        bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ
        Allows a process to read a file or directory whose permission
        bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH
        Allows a process to search a directory whose permission bits or
        ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE
        Allows a process to write a file or directory whose permission
        bits or ACL do not allow the process write permission.
        In order to write files owned by uid 0 in the absence of an
        effective uid of 0, ALL privileges are required.

privilege PRIV_FILE_FLAG_SET
        Allows a process to set immutable, nounlink or appendonly
basic privilege PRIV_FILE_LINK_ANY
        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.

privilege PRIV_FILE_OWNER
        Allows a process which is not the owner of a file or directory
        to perform the following operations that are normally permitted
        only for the file owner: modify that file's access and
        modification times; remove or rename a file or directory whose
        parent directory has the ``save text image after execution''
        (sticky) bit set; mount a ``namefs'' upon a file; modify
        permission bits or ACL except for the set-uid and set-gid

basic privilege PRIV_FILE_READ
        Allows a process to read objects in the filesystem.

privilege PRIV_FILE_SETID
        Allows a process to change the ownership of a file or write to
        a file without the set-user-ID and set-group-ID bits being
        Allows a process to set the set-group-ID bit on a file or
        directory whose group is not the process' effective group or
        one of the process' supplemental groups.
        Allows a process to set the set-user-ID bit on a file with
        different ownership in the presence of PRIV_FILE_OWNER.
        Additional restrictions apply when creating or modifying a

basic privilege PRIV_FILE_WRITE
        Allows a process to modify objects in the filesystem.

privilege PRIV_GRAPHICS_ACCESS
        Allows a process to make privileged ioctls to graphics devices.
        Typically only the X server process needs to have this privilege.
        A process with this privilege is also allowed to perform
        privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP
        Allows a process to perform privileged mappings through a

privilege PRIV_IPC_DAC_READ
        Allows a process to read a System V IPC
        Message Queue, Semaphore Set, or Shared Memory Segment whose
        permission bits do not allow the process read permission.
        Allows a process to read remote shared memory whose
        permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE
        Allows a process to write a System V IPC
        Message Queue, Semaphore Set, or Shared Memory Segment whose
        permission bits do not allow the process write permission.
        Allows a process to read remote shared memory whose
        permission bits do not allow the process write permission.
        Additional restrictions apply if the owner of the object has uid 0
        and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER
        Allows a process which is not the owner of a System
        V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
        remove, change ownership of, or change permission bits of the
        Message Queue, Semaphore Set, or Shared Memory Segment.
        Additional restrictions apply if the owner of the object has uid 0
        and the effective uid of the current process is not 0.
basic privilege PRIV_NET_ACCESS
        Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.

privilege PRIV_NET_ICMPACCESS
        Allows a process to send and receive ICMP packets.

privilege PRIV_NET_OBSERVABILITY
        Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
        without requiring PRIV_NET_RAWACCESS.

privilege PRIV_NET_PRIVADDR
        Allows a process to bind to a privileged port
        number. The privileged port numbers are 1-1023 (the traditional
        UNIX privileged ports) as well as those ports marked as
        "udp/tcp_extra_priv_ports" with the exception of the ports
        reserved for use by NFS.

privilege PRIV_NET_RAWACCESS
        Allows a process to have direct access to the network layer.
unsafe privilege PRIV_PROC_AUDIT
        Allows a process to generate audit records.
        Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT
        Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES
        Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC
        Allows a process to call execve().

basic privilege PRIV_PROC_FORK
        Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO
        Allows a process to examine the status of processes other
        than those it can send signals to. Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY
        Allows a process to lock pages in physical memory.

privilege PRIV_PROC_MEMINFO
        Allows a process to access physical memory information.

privilege PRIV_PROC_OWNER
        Allows a process to send signals to other processes, and to inspect
        and modify the process state of other processes, regardless of
        ownership. When modifying another process, additional
        restrictions apply: the effective privilege set of the
        attaching process must be a superset of the target process'
        effective, permitted and inheritable sets; the limit set must
        be a superset of the target's limit set; if the target process
        has any uid set to 0, all privileges must be asserted unless the
        Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOUP
        Allows a process to elevate its priority above its current level.

privilege PRIV_PROC_PRIOCNTL
        Allows all that PRIV_PROC_PRIOUP allows.
        Allows a process to change its scheduling class to any scheduling class,
        including the RT class.

basic privilege PRIV_PROC_SECFLAGS
        Allows a process to manipulate the secflags of processes (subject,
        additionally, to the ability to signal that process).

basic privilege PRIV_PROC_SESSION
        Allows a process to send signals or trace processes outside its

unsafe privilege PRIV_PROC_SETID
        Allows a process to set its uids at will.
        Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID
        Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE
        Allows a process to trace or send signals to processes in
privilege PRIV_SYS_ACCT
        Allows a process to enable, disable and manage accounting through
        acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN
        Allows a process to perform system administration tasks such
        as setting node and domain name and specifying nscd and coreadm

privilege PRIV_SYS_AUDIT
        Allows a process to start the (kernel) audit daemon.
        Allows a process to view and set audit state (audit user ID,
        audit terminal ID, audit session ID, audit pre-selection mask).
        Allows a process to turn off and on auditing.
        Allows a process to configure the audit parameters (cache and
        queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG
        Allows a process to perform various system configuration tasks.
        Allows a process to add and remove swap devices; when adding a swap
        device, a process must also have sufficient privileges to read from
        and write to the swap device.

privilege PRIV_SYS_DEVICES
        Allows a process to successfully call a kernel module that
        calls the kernel drv_priv(9F) function to check for allowed
        Allows a process to open the real console device directly.
        Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG
        Allows a process to increase the size of a System V IPC Message

privilege PRIV_SYS_LINKDIR
        Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT
        Allows filesystem-specific administrative procedures, such as
        filesystem configuration ioctls, quota calls and creation/deletion
        Allows a process to mount and unmount filesystems which would
        otherwise be restricted (i.e., most filesystems except
        A process performing a mount operation needs to have
        appropriate access to the device being mounted (read-write for
        "rw" mounts, read for "ro" mounts).
        A process performing any of the aforementioned
        filesystem operations needs to have read/write/owner
        access to the mount point.
        Only regular files and directories can serve as mount points
        for processes which do not have all zone privileges asserted.
        Unless a process has all zone privileges, the mount(2)
        system call will force the "nosuid" and "restrict" options, the
        latter only for autofs mountpoints.
        Regardless of privileges, a process running in a non-global zone may
        only control mounts performed from within said zone.
        Outside the global zone, the "nodevices" option is always forced.
privilege PRIV_SYS_IPTUN_CONFIG
        Allows a process to configure IP tunnel links.

privilege PRIV_SYS_DL_CONFIG
        Allows a process to configure all classes of datalinks, including
        configuration allowed by PRIV_SYS_IPTUN_CONFIG.

privilege PRIV_SYS_IP_CONFIG
        Allows a process to configure a system's IP interfaces and routes.
        Allows a process to configure network parameters using ndd.
        Allows a process access to otherwise restricted information using ndd.
        Allows a process to configure IPsec.
        Allows a process to pop anchored STREAMS modules with matching zoneid.

privilege PRIV_SYS_NET_CONFIG
        Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
        PRIV_SYS_PPP_CONFIG allow.
        Allows a process to push the rpcmod STREAMS module.
        Allows a process to insert/remove STREAMS modules at locations other
        than the top of the module stack.

privilege PRIV_SYS_NFS
        Allows a process to perform Sun-private NFS-specific system calls.
        Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
        and 4045 (lockd).

privilege PRIV_SYS_PPP_CONFIG
        Allows a process to create and destroy PPP (sppp) interfaces.
        Allows a process to configure PPP tunnels (sppptun).

privilege PRIV_SYS_RES_BIND
        Allows a process to bind processes to processor sets.

privilege PRIV_SYS_RES_CONFIG
        Allows all that PRIV_SYS_RES_BIND allows.
        Allows a process to create and delete processor sets, assign
        CPUs to processor sets and override the PSET_NOESCAPE property.
        Allows a process to change the operational status of CPUs in
        the system using p_online(2).
        Allows a process to configure resource pools and to bind

unsafe privilege PRIV_SYS_RESOURCE
        Allows a process to modify the resource limits specified
        by setrlimit(2) and setrctl(2) without restriction.
        Allows a process to exceed the per-user maximum number of
        Allows a process to extend or create files on a filesystem that
        has less than minfree space in reserve.

privilege PRIV_SYS_SMB
        Allows a process to access the Sun-private SMB kernel module.
        Allows a process to bind to ports reserved by NetBIOS and SMB:
        ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
        Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT
        Allows a process to successfully call a third-party loadable module
        that calls the kernel suser() function to check for allowed access.
        This privilege exists only for third-party loadable module
        compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME
        Allows a process to manipulate system time using any of the
        appropriate system calls: stime, adjtime, ntp_adjtime and
        the IA-specific RTC calls.

privilege PRIV_VIRT_MANAGE
        Allows a process to manage virtualized environments such as

privilege PRIV_XVM_CONTROL
        Allows a process access to the xVM(5) control devices for
        managing guest domains and the hypervisor. This privilege is
        used only if booted into xVM on x86 platforms.
        Set of privileges currently in effect.

        Set of privileges that comes into effect on exec.

        Set of privileges that can be put into the effective set without

        Set of privileges that determines the absolute upper bound of
        privileges this process and its off-spring can obtain.
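The four privilege sets just described, together with the PRIV_PROC_OWNER rule above for modifying another process (the attacher's effective set must cover the target's effective, permitted and inheritable sets, its limit set must cover the target's limit set, and a target holding uid 0 requires every privilege to be asserted), can be checked as plain set algebra. The following is an added example, not code from priv_defs or from the illumos kernel: it models the sets as Python frozensets so the rules run on any host. The class and function names (`PrivSets`, `raise_effective`, `drop_limit`, `exec_transition`, `can_modify_process`), the sample privilege universe `ALL_PRIVS` and the exec rule E' = P' = I' = I ∩ L are assumptions of the model; the file's truncated "unless the ..." exception for uid 0 targets is not modelled.

```python
"""Model of the illumos privilege-set rules described in priv_defs.

Added example, not part of priv_defs or of the illumos kernel: the four
per-process sets (effective, inheritable, permitted, limit) and the
PRIV_PROC_OWNER rule for modifying another process are re-stated as
plain Python set operations so the rules can be exercised on any host.
"""
from dataclasses import dataclass, replace

# Constructed sample universe of privileges (illumos defines many more);
# the names are taken from the privilege entries in this file.
ALL_PRIVS = frozenset({
    "PRIV_PROC_EXEC", "PRIV_PROC_FORK", "PRIV_PROC_INFO", "PRIV_PROC_SESSION",
    "PRIV_FILE_READ", "PRIV_FILE_WRITE", "PRIV_FILE_LINK_ANY", "PRIV_NET_ACCESS",
    "PRIV_PROC_OWNER", "PRIV_NET_PRIVADDR", "PRIV_SYS_MOUNT", "PRIV_SYS_TIME",
})
# The privileges this file tags as "basic": what an ordinary process holds.
BASIC = frozenset({
    "PRIV_PROC_EXEC", "PRIV_PROC_FORK", "PRIV_PROC_INFO", "PRIV_PROC_SESSION",
    "PRIV_FILE_READ", "PRIV_FILE_WRITE", "PRIV_FILE_LINK_ANY", "PRIV_NET_ACCESS",
})


@dataclass(frozen=True)
class PrivSets:
    effective: frozenset    # privileges currently in effect
    permitted: frozenset    # can be put into E without restriction
    inheritable: frozenset  # comes into effect on exec
    limit: frozenset        # upper bound for this process and its offspring

    def __post_init__(self):
        # Invariants implied by the set descriptions: E <= P <= L and I <= L.
        if not (self.effective <= self.permitted <= self.limit
                and self.inheritable <= self.limit):
            raise ValueError("privilege sets violate E <= P <= L, I <= L")


def raise_effective(s, priv):
    """Put a privilege into E; only privileges already in P may be raised."""
    if priv not in s.permitted:
        raise PermissionError(f"{priv} is not in the permitted set")
    return replace(s, effective=s.effective | {priv})


def drop_limit(s, priv):
    """Remove a privilege from L. Because L bounds every other set, the
    privilege is removed from E, P and I as well; this cannot be undone."""
    keep = s.limit - {priv}
    return PrivSets(s.effective & keep, s.permitted & keep,
                    s.inheritable & keep, keep)


def exec_transition(s):
    """Sets of the new image after a non-set-id exec.
    Assumption (not spelled out in this file): the illumos rule
    E' = P' = I' = I & L, L' = L."""
    new_i = s.inheritable & s.limit
    return PrivSets(new_i, new_i, new_i, s.limit)


def can_modify_process(attacher, target, target_has_uid0):
    """PRIV_PROC_OWNER rule for modifying another process, as stated in
    this file: the attacher's E must cover the target's E, P and I; the
    attacher's L must cover the target's L; and a target with any uid 0
    requires every privilege to be asserted. The file's trailing
    'unless the ...' exception is truncated on this page and is not
    modelled. Only the privileged path is modelled, not same-owner access."""
    if "PRIV_PROC_OWNER" not in attacher.effective:
        return False
    needed = target.effective | target.permitted | target.inheritable
    if not attacher.effective >= needed:
        return False
    if not attacher.limit >= target.limit:
        return False
    if target_has_uid0 and attacher.effective != ALL_PRIVS:
        return False
    return True


if __name__ == "__main__":
    ordinary = PrivSets(BASIC, BASIC, BASIC, ALL_PRIVS)
    owner_e = BASIC | {"PRIV_PROC_OWNER"}
    debugger = PrivSets(owner_e, owner_e, BASIC, ALL_PRIVS)
    print("debugger -> ordinary:", can_modify_process(debugger, ordinary, False))
    print("debugger -> uid 0:   ", can_modify_process(debugger, ordinary, True))
    print("after exec:", sorted(exec_transition(debugger).effective))
```

Two points the model makes visible: a process that has removed a privilege from its limit set can no longer attach to a target whose limit set still contains it, even if it holds PRIV_PROC_OWNER; and because the `debugger` instance keeps PRIV_PROC_OWNER out of its inheritable set, the privilege does not survive an exec, which is the usual way to keep it from leaking into child programs.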