1.\"- 2.\" Copyright (c) 2006 nCircle Network Security, Inc. 3.\" All rights reserved. 4.\" 5.\" This software was developed by Robert N. M. Watson for the TrustedBSD 6.\" Project under contract to nCircle Network Security, Inc. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY, 21.\" INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 23.\" TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 24.\" PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 25.\" LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 26.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28.\" 29.\" $FreeBSD$ 30.\" 31.Dd December 19, 2018 32.Dt PRIV 9 33.Os 34.Sh NAME 35.Nm priv 36.Nd kernel privilege checking API 37.Sh SYNOPSIS 38.In sys/priv.h 39.Ft int 40.Fn priv_check "struct thread *td" "int priv" 41.Ft int 42.Fn priv_check_cred "struct ucred *cred" "int priv" 43.Sh DESCRIPTION 44The 45.Nm 46interfaces check to see if specific system privileges are granted to the 47passed thread, 48.Fa td , 49or credential, 50.Fa cred . 51This interface replaces the now removed 52.Xr suser 9 53privilege checking interface. 54Privileges typically represent rights in one of two categories: the right to 55manage a particular component of the system, or an exemption to a specific 56policy or access control list. 57The caller identifies the desired privilege via the 58.Fa priv 59argument. 60.Ss Privilege Policies 61Privileges are typically granted based on one of two base system policies: 62the superuser policy, which grants privilege based on the effective (or 63sometimes real) UID having a value of 0, and the 64.Xr jail 2 65policy, which permits only certain privileges to be granted to processes in a 66jail. 67The set of available privileges may also be influenced by the TrustedBSD MAC 68Framework, described in 69.Xr mac 9 . 70.Sh IMPLEMENTATION NOTES 71When adding a new privilege check to a code path, first check the complete 72list of current privileges in 73.Pa sys/priv.h 74to see if one already exists for the class of privilege required. 75Only if there is not an exact match should a new privilege be added to the 76privilege list. 77As privilege numbers becomes encoded in the kernel module ABI, privilege 78constants must not be changed as any kernel modules depending on privileges 79will then need to be recompiled. 80When adding a new privilege, be certain to also determine whether it should 81be listed in 82.Fn prison_priv_check , 83which includes a complete list of privileges granted to the root user in 84.Xr jail 2 . 85.Pp 86Certain catch-all privileges exist, such as 87.Dv PRIV_DRIVER , 88intended to be used by device drivers, rather than adding a new 89driver-specific privilege. 90.Sh RETURN VALUES 91Typically, 0 will be returned for success, and 92.Er EPERM 93will be returned on failure. 94Most consumers of 95.Nm 96will wish to directly return the error code from a failed privilege check to 97user space; a small number will wish to translate it to another error code 98appropriate to a specific context. 99.Pp 100When designing new APIs, it is preferable to return explicit errors from a 101call if privilege is not granted rather than changing the semantics of the 102call but returning success. 103For example, the behavior exhibited by 104.Xr stat 2 , 105in which the generation field is optionally zero'd out when there is 106insufficient privilege is highly undesirable, as it results in frequent 107privilege checks, and the caller is unable to tell if an access control 108failure occurred. 109.Sh SEE ALSO 110.Xr jail 2 , 111.Xr mac 9 , 112.Xr ucred 9 113.Sh AUTHORS 114The 115.Nm 116API and implementation were created by 117.An Robert Watson 118under contract to 119nCircle Network Security, Inc. 120