1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or https://opensource.org/licenses/CDDL-1.0.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2013, Joyent, Inc. All rights reserved.
25 * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
26 *
27 * For Linux the vast majority of this enforcement is already handled via
28 * the standard Linux VFS permission checks. However certain administrative
29 * commands which bypass the standard mechanisms may need to make use of
30 * this functionality.
31 */
32
33 #include <sys/policy.h>
34 #include <linux/security.h>
35 #include <linux/vfs_compat.h>
36
37 /*
38 * The passed credentials cannot be directly verified because Linux only
39 * provides and interface to check the *current* process credentials. In
40 * order to handle this the capable() test is only run when the passed
41 * credentials match the current process credentials or the kcred. In
42 * all other cases this function must fail and return the passed err.
43 */
44 static int
priv_policy_ns(const cred_t * cr,int capability,int err,struct user_namespace * ns)45 priv_policy_ns(const cred_t *cr, int capability, int err,
46 struct user_namespace *ns)
47 {
48 if (cr != CRED() && (cr != kcred))
49 return (err);
50
51 #if defined(CONFIG_USER_NS)
52 if (!(ns ? ns_capable(ns, capability) : capable(capability)))
53 #else
54 if (!capable(capability))
55 #endif
56 return (err);
57
58 return (0);
59 }
60
61 static int
priv_policy(const cred_t * cr,int capability,int err)62 priv_policy(const cred_t *cr, int capability, int err)
63 {
64 return (priv_policy_ns(cr, capability, err, cr->user_ns));
65 }
66
67 static int
priv_policy_user(const cred_t * cr,int capability,int err)68 priv_policy_user(const cred_t *cr, int capability, int err)
69 {
70 /*
71 * All priv_policy_user checks are preceded by kuid/kgid_has_mapping()
72 * checks. If we cannot do them, we shouldn't be using ns_capable()
73 * since we don't know whether the affected files are valid in our
74 * namespace.
75 */
76 #if defined(CONFIG_USER_NS)
77 return (priv_policy_ns(cr, capability, err, cr->user_ns));
78 #else
79 return (priv_policy_ns(cr, capability, err, NULL));
80 #endif
81 }
82
83 /*
84 * Checks for operations that are either client-only or are used by
85 * both clients and servers.
86 */
87 int
secpolicy_nfs(const cred_t * cr)88 secpolicy_nfs(const cred_t *cr)
89 {
90 return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
91 }
92
93 /*
94 * Catch all system configuration.
95 */
96 int
secpolicy_sys_config(const cred_t * cr,boolean_t checkonly)97 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
98 {
99 return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
100 }
101
102 /*
103 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
104 * current mode of the file, not the missing bits.
105 *
106 * Enforced in the Linux VFS.
107 */
108 int
secpolicy_vnode_access2(const cred_t * cr,struct inode * ip,uid_t owner,mode_t curmode,mode_t wantmode)109 secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
110 mode_t curmode, mode_t wantmode)
111 {
112 return (0);
113 }
114
115 /*
116 * This is a special routine for ZFS; it is used to determine whether
117 * any of the privileges in effect allow any form of access to the
118 * file. There's no reason to audit this or any reason to record
119 * this. More work is needed to do the "KPLD" stuff.
120 */
121 int
secpolicy_vnode_any_access(const cred_t * cr,struct inode * ip,uid_t owner)122 secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
123 {
124 if (crgetuid(cr) == owner)
125 return (0);
126
127 if (zpl_inode_owner_or_capable(zfs_init_idmap, ip))
128 return (0);
129
130 #if defined(CONFIG_USER_NS)
131 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
132 return (EPERM);
133 #endif
134
135 if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0)
136 return (0);
137
138 if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0)
139 return (0);
140
141 return (EPERM);
142 }
143
144 /*
145 * Determine if subject can chown owner of a file.
146 */
147 int
secpolicy_vnode_chown(const cred_t * cr,uid_t owner)148 secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
149 {
150 if (crgetuid(cr) == owner)
151 return (0);
152
153 #if defined(CONFIG_USER_NS)
154 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
155 return (EPERM);
156 #endif
157
158 return (priv_policy_user(cr, CAP_FOWNER, EPERM));
159 }
160
161 /*
162 * Determine if subject can change group ownership of a file.
163 */
164 int
secpolicy_vnode_create_gid(const cred_t * cr)165 secpolicy_vnode_create_gid(const cred_t *cr)
166 {
167 return (priv_policy(cr, CAP_SETGID, EPERM));
168 }
169
170 /*
171 * Policy determines whether we can remove an entry from a directory,
172 * regardless of permission bits.
173 */
174 int
secpolicy_vnode_remove(const cred_t * cr)175 secpolicy_vnode_remove(const cred_t *cr)
176 {
177 return (priv_policy(cr, CAP_FOWNER, EPERM));
178 }
179
180 /*
181 * Determine that subject can modify the mode of a file. allzone privilege
182 * needed when modifying root owned object.
183 */
184 int
secpolicy_vnode_setdac(const cred_t * cr,uid_t owner)185 secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
186 {
187 if (crgetuid(cr) == owner)
188 return (0);
189
190 #if defined(CONFIG_USER_NS)
191 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
192 return (EPERM);
193 #endif
194
195 return (priv_policy_user(cr, CAP_FOWNER, EPERM));
196 }
197
198 /*
199 * Are we allowed to retain the set-uid/set-gid bits when
200 * changing ownership or when writing to a file?
201 * "issuid" should be true when set-uid; only in that case
202 * root ownership is checked (setgid is assumed).
203 *
204 * Enforced in the Linux VFS.
205 */
206 int
secpolicy_vnode_setid_retain(struct znode * zp __maybe_unused,const cred_t * cr,boolean_t issuidroot)207 secpolicy_vnode_setid_retain(struct znode *zp __maybe_unused, const cred_t *cr,
208 boolean_t issuidroot)
209 {
210 return (priv_policy_user(cr, CAP_FSETID, EPERM));
211 }
212
213 /*
214 * Determine that subject can set the file setgid flag.
215 */
216 int
secpolicy_vnode_setids_setgids(const cred_t * cr,gid_t gid,zidmap_t * mnt_ns,struct user_namespace * fs_ns)217 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid, zidmap_t *mnt_ns,
218 struct user_namespace *fs_ns)
219 {
220 gid = zfs_gid_to_vfsgid(mnt_ns, fs_ns, gid);
221 #if defined(CONFIG_USER_NS)
222 if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
223 return (EPERM);
224 #endif
225 if (crgetgid(cr) != gid && !groupmember(gid, cr))
226 return (priv_policy_user(cr, CAP_FSETID, EPERM));
227
228 return (0);
229 }
230
231 /*
232 * Determine if the subject can inject faults in the ZFS fault injection
233 * framework. Requires all privileges.
234 */
235 int
secpolicy_zinject(const cred_t * cr)236 secpolicy_zinject(const cred_t *cr)
237 {
238 return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
239 }
240
241 /*
242 * Determine if the subject has permission to manipulate ZFS datasets
243 * (not pools). Equivalent to the SYS_MOUNT privilege.
244 */
245 int
secpolicy_zfs(const cred_t * cr)246 secpolicy_zfs(const cred_t *cr)
247 {
248 return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
249 }
250
251 /*
252 * Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
253 * the current process. Takes both cred_t and proc_t so that this can work
254 * easily on all platforms.
255 */
256 int
secpolicy_zfs_proc(const cred_t * cr,proc_t * proc)257 secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
258 {
259 if (!has_capability(proc, CAP_SYS_ADMIN))
260 return (EACCES);
261 return (0);
262 }
263
264 void
secpolicy_setid_clear(vattr_t * vap,cred_t * cr)265 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
266 {
267 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
268 secpolicy_vnode_setid_retain(NULL, cr,
269 (vap->va_mode & S_ISUID) != 0 &&
270 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
271 vap->va_mask |= AT_MODE;
272 vap->va_mode &= ~(S_ISUID|S_ISGID);
273 }
274 }
275
276 /*
277 * Determine that subject can set the file setid flags.
278 */
279 static int
secpolicy_vnode_setid_modify(const cred_t * cr,uid_t owner,zidmap_t * mnt_ns,struct user_namespace * fs_ns)280 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner, zidmap_t *mnt_ns,
281 struct user_namespace *fs_ns)
282 {
283 owner = zfs_uid_to_vfsuid(mnt_ns, fs_ns, owner);
284
285 if (crgetuid(cr) == owner)
286 return (0);
287
288 #if defined(CONFIG_USER_NS)
289 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
290 return (EPERM);
291 #endif
292
293 return (priv_policy_user(cr, CAP_FSETID, EPERM));
294 }
295
296 /*
297 * Determine that subject can make a file a "sticky".
298 *
299 * Enforced in the Linux VFS.
300 */
301 static int
secpolicy_vnode_stky_modify(const cred_t * cr)302 secpolicy_vnode_stky_modify(const cred_t *cr)
303 {
304 return (0);
305 }
306
307 int
secpolicy_setid_setsticky_clear(struct inode * ip,vattr_t * vap,const vattr_t * ovap,cred_t * cr,zidmap_t * mnt_ns,struct user_namespace * fs_ns)308 secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
309 const vattr_t *ovap, cred_t *cr, zidmap_t *mnt_ns,
310 struct user_namespace *fs_ns)
311 {
312 int error;
313
314 if ((vap->va_mode & S_ISUID) != 0 &&
315 (error = secpolicy_vnode_setid_modify(cr,
316 ovap->va_uid, mnt_ns, fs_ns)) != 0) {
317 return (error);
318 }
319
320 /*
321 * Check privilege if attempting to set the
322 * sticky bit on a non-directory.
323 */
324 if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
325 secpolicy_vnode_stky_modify(cr) != 0) {
326 vap->va_mode &= ~S_ISVTX;
327 }
328
329 /*
330 * Check for privilege if attempting to set the
331 * group-id bit.
332 */
333 if ((vap->va_mode & S_ISGID) != 0 &&
334 secpolicy_vnode_setids_setgids(cr, ovap->va_gid,
335 mnt_ns, fs_ns) != 0) {
336 vap->va_mode &= ~S_ISGID;
337 }
338
339 return (0);
340 }
341
342 /*
343 * Check privileges for setting xvattr attributes
344 */
345 int
secpolicy_xvattr(xvattr_t * xvap,uid_t owner,cred_t * cr,mode_t type)346 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, mode_t type)
347 {
348 return (secpolicy_vnode_chown(cr, owner));
349 }
350
351 /*
352 * Check privileges for setattr attributes.
353 *
354 * Enforced in the Linux VFS.
355 */
356 int
secpolicy_vnode_setattr(cred_t * cr,struct inode * ip,struct vattr * vap,const struct vattr * ovap,int flags,int unlocked_access (void *,int,cred_t *),void * node)357 secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
358 const struct vattr *ovap, int flags,
359 int unlocked_access(void *, int, cred_t *), void *node)
360 {
361 return (0);
362 }
363
364 /*
365 * Check privileges for links.
366 *
367 * Enforced in the Linux VFS.
368 */
369 int
secpolicy_basic_link(const cred_t * cr)370 secpolicy_basic_link(const cred_t *cr)
371 {
372 return (0);
373 }
374