xref: /freebsd/share/man/man9/priv.9 (revision 401ab69cff8fa2320a9f8ea4baa114a6da6c952b)
1.\"-
2.\" Copyright (c) 2006 nCircle Network Security, Inc.
3.\" All rights reserved.
4.\"
5.\" This software was developed by Robert N. M. Watson for the TrustedBSD
6.\" Project under contract to nCircle Network Security, Inc.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
21.\" INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
23.\" TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
24.\" PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
25.\" LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
26.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28.\"
29.Dd December 19, 2018
30.Dt PRIV 9
31.Os
32.Sh NAME
33.Nm priv
34.Nd kernel privilege checking API
35.Sh SYNOPSIS
36.In sys/priv.h
37.Ft int
38.Fn priv_check "struct thread *td" "int priv"
39.Ft int
40.Fn priv_check_cred "struct ucred *cred" "int priv"
41.Sh DESCRIPTION
42The
43.Nm
44interfaces check to see if specific system privileges are granted to the
45passed thread,
46.Fa td ,
47or credential,
48.Fa cred .
49This interface replaces the now removed
50.Xr suser 9
51privilege checking interface.
52Privileges typically represent rights in one of two categories: the right to
53manage a particular component of the system, or an exemption to a specific
54policy or access control list.
55The caller identifies the desired privilege via the
56.Fa priv
57argument.
58.Ss Privilege Policies
59Privileges are typically granted based on one of two base system policies:
60the superuser policy, which grants privilege based on the effective (or
61sometimes real) UID having a value of 0, and the
62.Xr jail 2
63policy, which permits only certain privileges to be granted to processes in a
64jail.
65The set of available privileges may also be influenced by the TrustedBSD MAC
66Framework, described in
67.Xr mac 9 .
68.Sh IMPLEMENTATION NOTES
69When adding a new privilege check to a code path, first check the complete
70list of current privileges in
71.Pa sys/priv.h
72to see if one already exists for the class of privilege required.
73Only if there is not an exact match should a new privilege be added to the
74privilege list.
75As privilege numbers becomes encoded in the kernel module ABI, privilege
76constants must not be changed as any kernel modules depending on privileges
77will then need to be recompiled.
78When adding a new privilege, be certain to also determine whether it should
79be listed in
80.Fn prison_priv_check ,
81which includes a complete list of privileges granted to the root user in
82.Xr jail 2 .
83.Pp
84Certain catch-all privileges exist, such as
85.Dv PRIV_DRIVER ,
86intended to be used by device drivers, rather than adding a new
87driver-specific privilege.
88.Sh RETURN VALUES
89Typically, 0 will be returned for success, and
90.Er EPERM
91will be returned on failure.
92Most consumers of
93.Nm
94will wish to directly return the error code from a failed privilege check to
95user space; a small number will wish to translate it to another error code
96appropriate to a specific context.
97.Pp
98When designing new APIs, it is preferable to return explicit errors from a
99call if privilege is not granted rather than changing the semantics of the
100call but returning success.
101For example, the behavior exhibited by
102.Xr stat 2 ,
103in which the generation field is optionally zero'd out when there is
104insufficient privilege is highly undesirable, as it results in frequent
105privilege checks, and the caller is unable to tell if an access control
106failure occurred.
107.Sh SEE ALSO
108.Xr jail 2 ,
109.Xr mac 9 ,
110.Xr ucred 9
111.Sh AUTHORS
112The
113.Nm
114API and implementation were created by
115.An Robert Watson
116under contract to
117nCircle Network Security, Inc.
118