.\"-
.\" Copyright (c) 2006 nCircle Network Security, Inc.
.\" All rights reserved.
.\"
.\" This software was developed by Robert N. M. Watson for the TrustedBSD
.\" Project under contract to nCircle Network Security, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
.\" INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
.\" TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
.\" PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
.\" LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 19, 2018
.Dt PRIV 9
.Os
.Sh NAME
.Nm priv
.Nd kernel privilege checking API
.Sh SYNOPSIS
.In sys/priv.h
.Ft int
.Fn priv_check "struct thread *td" "int priv"
.Ft int
.Fn priv_check_cred "struct ucred *cred" "int priv"
.Sh DESCRIPTION
The
.Nm
interfaces check to see if specific system privileges are granted to the
passed thread,
.Fa td ,
or credential,
.Fa cred .
This interface replaces the now removed
.Xr suser 9
privilege checking interface.
Privileges typically represent rights in one of two categories: the right to
manage a particular component of the system, or an exemption to a specific
policy or access control list.
The caller identifies the desired privilege via the
.Fa priv
argument.
.Ss Privilege Policies
Privileges are typically granted based on one of two base system policies:
the superuser policy, which grants privilege based on the effective (or
sometimes real) UID having a value of 0, and the
.Xr jail 2
policy, which permits only certain privileges to be granted to processes in a
jail.
The set of available privileges may also be influenced by the TrustedBSD MAC
Framework, described in
.Xr mac 9 .
.Sh IMPLEMENTATION NOTES
When adding a new privilege check to a code path, first check the complete
list of current privileges in
.Pa sys/priv.h
to see if one already exists for the class of privilege required.
Only if there is not an exact match should a new privilege be added to the
privilege list.
As privilege numbers become encoded in the kernel module ABI, privilege
constants must not be changed, as any kernel modules depending on privileges
would then need to be recompiled.
When adding a new privilege, be certain to also determine whether it should
be listed in
.Fn prison_priv_check ,
which includes a complete list of privileges granted to the root user in
.Xr jail 2 .
.Pp
Certain catch-all privileges exist, such as
.Dv PRIV_DRIVER ,
intended to be used by device drivers, rather than adding a new
driver-specific privilege.
.Sh RETURN VALUES
Typically, 0 will be returned for success, and
.Er EPERM
will be returned on failure.
Most consumers of
.Nm
will wish to directly return the error code from a failed privilege check to
user space; a small number will wish to translate it to another error code
appropriate to a specific context.
.Pp
When designing new APIs, it is preferable to return explicit errors from a
call if privilege is not granted rather than changing the semantics of the
call but returning success.
For example, the behavior exhibited by
.Xr stat 2 ,
in which the generation field is optionally zeroed out when there is
insufficient privilege, is highly undesirable, as it results in frequent
privilege checks, and the caller is unable to tell if an access control
failure occurred.
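.Sh EXAMPLES
Added here as an example, not code from the FreeBSD kernel or from this manual page: a user-space C model of the two base policies described above (superuser and jail) and of the RETURN VALUES advice, contrasting a consumer that returns the explicit error with one that mimics the stat(2) generation-field behavior.
The struct ucred layout, prison_priv_check() allow-list and PRIV_* numeric values are constructed stand-ins; PRIV_VFS_GENERATION is an existing privilege name in sys/priv.h.

```c
/* Added example, not FreeBSD kernel code: a user-space model of priv(9).
 * struct ucred, prison_priv_check() and the PRIV_* numbers are stand-ins. */
#include <errno.h>

enum { PRIV_DRIVER = 1, PRIV_VFS_GENERATION = 2 };   /* constructed values */

struct ucred { unsigned cr_uid; int cr_jailed; };  /* simplified stand-in */

/* Jail policy: root in a jail only gets an explicit allow-list of
 * privileges (models prison_priv_check(); this list is constructed). */
static int prison_priv_check(const struct ucred *cred, int priv)
{
	switch (priv) {
	case PRIV_DRIVER:
		return (0);
	default:
		return (EPERM);
	}
}

/* Superuser policy (effective UID 0), then jail policy; 0 or EPERM. */
int priv_check_cred(const struct ucred *cred, int priv)
{
	if (cred->cr_uid != 0)
		return (EPERM);
	if (cred->cr_jailed)
		return (prison_priv_check(cred, priv));
	return (0);
}

/* Preferred design: the explicit error propagates to the caller. */
int get_generation_explicit(const struct ucred *cred, unsigned long gen,
    unsigned long *out)
{
	int error = priv_check_cred(cred, PRIV_VFS_GENERATION);
	if (error != 0)
		return (error);	/* caller learns that privilege was refused */
	*out = gen;
	return (0);
}

/* Discouraged stat(2)-style design: success, but the field is silently
 * zeroed, so a refusal is indistinguishable from a real generation of 0. */
int get_generation_silent(const struct ucred *cred, unsigned long gen,
    unsigned long *out)
{
	*out = priv_check_cred(cred, PRIV_VFS_GENERATION) == 0 ? gen : 0;
	return (0);
}
```

With an unprivileged credential, get_generation_explicit() returns EPERM while get_generation_silent() returns 0 with a zeroed field, which is exactly the ambiguity the RETURN VALUES section warns against.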
.Sh SEE ALSO
.Xr jail 2 ,
.Xr mac 9 ,
.Xr ucred 9
.Sh AUTHORS
The
.Nm
API and implementation were created by
.An Robert Watson
under contract to
nCircle Network Security, Inc.