1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or https://opensource.org/licenses/CDDL-1.0. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright 2013, Joyent, Inc. All rights reserved. 25 * Copyright (C) 2016 Lawrence Livermore National Security, LLC. 26 * 27 * For Linux the vast majority of this enforcement is already handled via 28 * the standard Linux VFS permission checks. However certain administrative 29 * commands which bypass the standard mechanisms may need to make use of 30 * this functionality. 31 */ 32 33 #include <sys/policy.h> 34 #include <linux/security.h> 35 #include <linux/vfs_compat.h> 36 37 /* 38 * The passed credentials cannot be directly verified because Linux only 39 * provides and interface to check the *current* process credentials. In 40 * order to handle this the capable() test is only run when the passed 41 * credentials match the current process credentials or the kcred. In 42 * all other cases this function must fail and return the passed err. 43 */ 44 static int 45 priv_policy_ns(const cred_t *cr, int capability, int err, 46 struct user_namespace *ns) 47 { 48 if (cr != CRED() && (cr != kcred)) 49 return (err); 50 51 #if defined(CONFIG_USER_NS) 52 if (!(ns ? ns_capable(ns, capability) : capable(capability))) 53 #else 54 if (!capable(capability)) 55 #endif 56 return (err); 57 58 return (0); 59 } 60 61 static int 62 priv_policy(const cred_t *cr, int capability, int err) 63 { 64 return (priv_policy_ns(cr, capability, err, cr->user_ns)); 65 } 66 67 static int 68 priv_policy_user(const cred_t *cr, int capability, int err) 69 { 70 /* 71 * All priv_policy_user checks are preceded by kuid/kgid_has_mapping() 72 * checks. If we cannot do them, we shouldn't be using ns_capable() 73 * since we don't know whether the affected files are valid in our 74 * namespace. 75 */ 76 #if defined(CONFIG_USER_NS) 77 return (priv_policy_ns(cr, capability, err, cr->user_ns)); 78 #else 79 return (priv_policy_ns(cr, capability, err, NULL)); 80 #endif 81 } 82 83 /* 84 * Checks for operations that are either client-only or are used by 85 * both clients and servers. 86 */ 87 int 88 secpolicy_nfs(const cred_t *cr) 89 { 90 return (priv_policy(cr, CAP_SYS_ADMIN, EPERM)); 91 } 92 93 /* 94 * Catch all system configuration. 95 */ 96 int 97 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 98 { 99 return (priv_policy(cr, CAP_SYS_ADMIN, EPERM)); 100 } 101 102 /* 103 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 104 * current mode of the file, not the missing bits. 105 * 106 * Enforced in the Linux VFS. 107 */ 108 int 109 secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner, 110 mode_t curmode, mode_t wantmode) 111 { 112 return (0); 113 } 114 115 /* 116 * This is a special routine for ZFS; it is used to determine whether 117 * any of the privileges in effect allow any form of access to the 118 * file. There's no reason to audit this or any reason to record 119 * this. More work is needed to do the "KPLD" stuff. 120 */ 121 int 122 secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner) 123 { 124 if (crgetuid(cr) == owner) 125 return (0); 126 127 if (zpl_inode_owner_or_capable(zfs_init_idmap, ip)) 128 return (0); 129 130 #if defined(CONFIG_USER_NS) 131 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner))) 132 return (EPERM); 133 #endif 134 135 if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0) 136 return (0); 137 138 if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0) 139 return (0); 140 141 return (EPERM); 142 } 143 144 /* 145 * Determine if subject can chown owner of a file. 146 */ 147 int 148 secpolicy_vnode_chown(const cred_t *cr, uid_t owner) 149 { 150 if (crgetuid(cr) == owner) 151 return (0); 152 153 #if defined(CONFIG_USER_NS) 154 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner))) 155 return (EPERM); 156 #endif 157 158 return (priv_policy_user(cr, CAP_FOWNER, EPERM)); 159 } 160 161 /* 162 * Determine if subject can change group ownership of a file. 163 */ 164 int 165 secpolicy_vnode_create_gid(const cred_t *cr) 166 { 167 return (priv_policy(cr, CAP_SETGID, EPERM)); 168 } 169 170 /* 171 * Policy determines whether we can remove an entry from a directory, 172 * regardless of permission bits. 173 */ 174 int 175 secpolicy_vnode_remove(const cred_t *cr) 176 { 177 return (priv_policy(cr, CAP_FOWNER, EPERM)); 178 } 179 180 /* 181 * Determine that subject can modify the mode of a file. allzone privilege 182 * needed when modifying root owned object. 183 */ 184 int 185 secpolicy_vnode_setdac(const cred_t *cr, uid_t owner) 186 { 187 if (crgetuid(cr) == owner) 188 return (0); 189 190 #if defined(CONFIG_USER_NS) 191 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner))) 192 return (EPERM); 193 #endif 194 195 return (priv_policy_user(cr, CAP_FOWNER, EPERM)); 196 } 197 198 /* 199 * Are we allowed to retain the set-uid/set-gid bits when 200 * changing ownership or when writing to a file? 201 * "issuid" should be true when set-uid; only in that case 202 * root ownership is checked (setgid is assumed). 203 * 204 * Enforced in the Linux VFS. 205 */ 206 int 207 secpolicy_vnode_setid_retain(struct znode *zp __maybe_unused, const cred_t *cr, 208 boolean_t issuidroot) 209 { 210 return (priv_policy_user(cr, CAP_FSETID, EPERM)); 211 } 212 213 /* 214 * Determine that subject can set the file setgid flag. 215 */ 216 int 217 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid, zidmap_t *mnt_ns, 218 struct user_namespace *fs_ns) 219 { 220 gid = zfs_gid_to_vfsgid(mnt_ns, fs_ns, gid); 221 #if defined(CONFIG_USER_NS) 222 if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid))) 223 return (EPERM); 224 #endif 225 if (crgetgid(cr) != gid && !groupmember(gid, cr)) 226 return (priv_policy_user(cr, CAP_FSETID, EPERM)); 227 228 return (0); 229 } 230 231 /* 232 * Determine if the subject can inject faults in the ZFS fault injection 233 * framework. Requires all privileges. 234 */ 235 int 236 secpolicy_zinject(const cred_t *cr) 237 { 238 return (priv_policy(cr, CAP_SYS_ADMIN, EACCES)); 239 } 240 241 /* 242 * Determine if the subject has permission to manipulate ZFS datasets 243 * (not pools). Equivalent to the SYS_MOUNT privilege. 244 */ 245 int 246 secpolicy_zfs(const cred_t *cr) 247 { 248 return (priv_policy(cr, CAP_SYS_ADMIN, EACCES)); 249 } 250 251 /* 252 * Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of 253 * the current process. Takes both cred_t and proc_t so that this can work 254 * easily on all platforms. 255 * 256 * The has_capability() function was first exported in the 4.10 Linux kernel 257 * then backported to some LTS kernels. Prior to this change there was no 258 * mechanism to perform this check therefore EACCES is returned when the 259 * functionality is not present in the kernel. 260 */ 261 int 262 secpolicy_zfs_proc(const cred_t *cr, proc_t *proc) 263 { 264 #if defined(HAVE_HAS_CAPABILITY) 265 if (!has_capability(proc, CAP_SYS_ADMIN)) 266 return (EACCES); 267 return (0); 268 #else 269 return (EACCES); 270 #endif 271 } 272 273 void 274 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 275 { 276 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 277 secpolicy_vnode_setid_retain(NULL, cr, 278 (vap->va_mode & S_ISUID) != 0 && 279 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 280 vap->va_mask |= AT_MODE; 281 vap->va_mode &= ~(S_ISUID|S_ISGID); 282 } 283 } 284 285 /* 286 * Determine that subject can set the file setid flags. 287 */ 288 static int 289 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner, zidmap_t *mnt_ns, 290 struct user_namespace *fs_ns) 291 { 292 owner = zfs_uid_to_vfsuid(mnt_ns, fs_ns, owner); 293 294 if (crgetuid(cr) == owner) 295 return (0); 296 297 #if defined(CONFIG_USER_NS) 298 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner))) 299 return (EPERM); 300 #endif 301 302 return (priv_policy_user(cr, CAP_FSETID, EPERM)); 303 } 304 305 /* 306 * Determine that subject can make a file a "sticky". 307 * 308 * Enforced in the Linux VFS. 309 */ 310 static int 311 secpolicy_vnode_stky_modify(const cred_t *cr) 312 { 313 return (0); 314 } 315 316 int 317 secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap, 318 const vattr_t *ovap, cred_t *cr, zidmap_t *mnt_ns, 319 struct user_namespace *fs_ns) 320 { 321 int error; 322 323 if ((vap->va_mode & S_ISUID) != 0 && 324 (error = secpolicy_vnode_setid_modify(cr, 325 ovap->va_uid, mnt_ns, fs_ns)) != 0) { 326 return (error); 327 } 328 329 /* 330 * Check privilege if attempting to set the 331 * sticky bit on a non-directory. 332 */ 333 if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 && 334 secpolicy_vnode_stky_modify(cr) != 0) { 335 vap->va_mode &= ~S_ISVTX; 336 } 337 338 /* 339 * Check for privilege if attempting to set the 340 * group-id bit. 341 */ 342 if ((vap->va_mode & S_ISGID) != 0 && 343 secpolicy_vnode_setids_setgids(cr, ovap->va_gid, 344 mnt_ns, fs_ns) != 0) { 345 vap->va_mode &= ~S_ISGID; 346 } 347 348 return (0); 349 } 350 351 /* 352 * Check privileges for setting xvattr attributes 353 */ 354 int 355 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, mode_t type) 356 { 357 return (secpolicy_vnode_chown(cr, owner)); 358 } 359 360 /* 361 * Check privileges for setattr attributes. 362 * 363 * Enforced in the Linux VFS. 364 */ 365 int 366 secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap, 367 const struct vattr *ovap, int flags, 368 int unlocked_access(void *, int, cred_t *), void *node) 369 { 370 return (0); 371 } 372 373 /* 374 * Check privileges for links. 375 * 376 * Enforced in the Linux VFS. 377 */ 378 int 379 secpolicy_basic_link(const cred_t *cr) 380 { 381 return (0); 382 } 383