17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5ea8dc4b6Seschrock * Common Development and Distribution License (the "License"). 6ea8dc4b6Seschrock * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22ae115bc7Smrj * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 277c478bd9Sstevel@tonic-gate 287c478bd9Sstevel@tonic-gate #include <sys/types.h> 297c478bd9Sstevel@tonic-gate #include <sys/sysmacros.h> 307c478bd9Sstevel@tonic-gate #include <sys/param.h> 317c478bd9Sstevel@tonic-gate #include <sys/systm.h> 327c478bd9Sstevel@tonic-gate #include <sys/cred_impl.h> 337c478bd9Sstevel@tonic-gate #include <sys/vnode.h> 347c478bd9Sstevel@tonic-gate #include <sys/vfs.h> 357c478bd9Sstevel@tonic-gate #include <sys/stat.h> 367c478bd9Sstevel@tonic-gate #include <sys/errno.h> 377c478bd9Sstevel@tonic-gate #include <sys/kmem.h> 387c478bd9Sstevel@tonic-gate #include <sys/user.h> 397c478bd9Sstevel@tonic-gate #include <sys/proc.h> 407c478bd9Sstevel@tonic-gate #include <sys/acct.h> 417c478bd9Sstevel@tonic-gate #include <sys/ipc_impl.h> 427c478bd9Sstevel@tonic-gate #include <sys/cmn_err.h> 437c478bd9Sstevel@tonic-gate #include <sys/debug.h> 447c478bd9Sstevel@tonic-gate #include <sys/policy.h> 457c478bd9Sstevel@tonic-gate #include <sys/kobj.h> 467c478bd9Sstevel@tonic-gate #include <sys/msg.h> 477c478bd9Sstevel@tonic-gate #include <sys/devpolicy.h> 487c478bd9Sstevel@tonic-gate #include <c2/audit.h> 497c478bd9Sstevel@tonic-gate #include <sys/varargs.h> 507c478bd9Sstevel@tonic-gate #include <sys/modctl.h> 517c478bd9Sstevel@tonic-gate #include <sys/disp.h> 527c478bd9Sstevel@tonic-gate #include <sys/zone.h> 537c478bd9Sstevel@tonic-gate #include <inet/optcom.h> 547c478bd9Sstevel@tonic-gate #include <sys/sdt.h> 557c478bd9Sstevel@tonic-gate #include <sys/vfs.h> 567c478bd9Sstevel@tonic-gate #include <sys/mntent.h> 577c478bd9Sstevel@tonic-gate #include <sys/contract_impl.h> 587c478bd9Sstevel@tonic-gate 597c478bd9Sstevel@tonic-gate /* 607c478bd9Sstevel@tonic-gate * There are two possible layers of privilege routines and two possible 617c478bd9Sstevel@tonic-gate * levels of secpolicy. Plus one other we may not be interested in, so 627c478bd9Sstevel@tonic-gate * we may need as many as 6 but no more. 637c478bd9Sstevel@tonic-gate */ 647c478bd9Sstevel@tonic-gate #define MAXPRIVSTACK 6 657c478bd9Sstevel@tonic-gate 667c478bd9Sstevel@tonic-gate int priv_debug = 0; 677c478bd9Sstevel@tonic-gate 687c478bd9Sstevel@tonic-gate /* 697c478bd9Sstevel@tonic-gate * This file contains the majority of the policy routines. 707c478bd9Sstevel@tonic-gate * Since the policy routines are defined by function and not 717c478bd9Sstevel@tonic-gate * by privilege, there is quite a bit of duplication of 727c478bd9Sstevel@tonic-gate * functions. 737c478bd9Sstevel@tonic-gate * 747c478bd9Sstevel@tonic-gate * The secpolicy functions must not make asssumptions about 757c478bd9Sstevel@tonic-gate * locks held or not held as any lock can be held while they're 767c478bd9Sstevel@tonic-gate * being called. 777c478bd9Sstevel@tonic-gate * 787c478bd9Sstevel@tonic-gate * Credentials are read-only so no special precautions need to 797c478bd9Sstevel@tonic-gate * be taken while locking them. 807c478bd9Sstevel@tonic-gate * 817c478bd9Sstevel@tonic-gate * When a new policy check needs to be added to the system the 827c478bd9Sstevel@tonic-gate * following procedure should be followed: 837c478bd9Sstevel@tonic-gate * 847c478bd9Sstevel@tonic-gate * Pick an appropriate secpolicy_*() function 857c478bd9Sstevel@tonic-gate * -> done if one exists. 867c478bd9Sstevel@tonic-gate * Create a new secpolicy function, preferably with 877c478bd9Sstevel@tonic-gate * a descriptive name using the standard template. 887c478bd9Sstevel@tonic-gate * Pick an appropriate privilege for the policy. 897c478bd9Sstevel@tonic-gate * If no appropraite privilege exists, define new one 907c478bd9Sstevel@tonic-gate * (this should be done with extreme care; in most cases 917c478bd9Sstevel@tonic-gate * little is gained by adding another privilege) 927c478bd9Sstevel@tonic-gate * 937c478bd9Sstevel@tonic-gate * WHY ROOT IS STILL SPECIAL. 947c478bd9Sstevel@tonic-gate * 957c478bd9Sstevel@tonic-gate * In a number of the policy functions, there are still explicit 967c478bd9Sstevel@tonic-gate * checks for uid 0. The rationale behind these is that many root 977c478bd9Sstevel@tonic-gate * owned files/objects hold configuration information which can give full 987c478bd9Sstevel@tonic-gate * privileges to the user once written to. To prevent escalation 997c478bd9Sstevel@tonic-gate * of privilege by allowing just a single privilege to modify root owned 1007c478bd9Sstevel@tonic-gate * objects, we've added these root specific checks where we considered 1017c478bd9Sstevel@tonic-gate * them necessary: modifying root owned files, changing uids to 0, etc. 1027c478bd9Sstevel@tonic-gate * 1037c478bd9Sstevel@tonic-gate * PRIVILEGE ESCALATION AND ZONES. 1047c478bd9Sstevel@tonic-gate * 1057c478bd9Sstevel@tonic-gate * A number of operations potentially allow the caller to achieve 1067c478bd9Sstevel@tonic-gate * privileges beyond the ones normally required to perform the operation. 1077c478bd9Sstevel@tonic-gate * For example, if allowed to create a setuid 0 executable, a process can 1087c478bd9Sstevel@tonic-gate * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 1097c478bd9Sstevel@tonic-gate * restrictions on the ability to gain privileges beyond those available 1107c478bd9Sstevel@tonic-gate * within the zone through file and process manipulation. Hence, such 1117c478bd9Sstevel@tonic-gate * operations require that the caller have an effective set that includes 1127c478bd9Sstevel@tonic-gate * all privileges available within the current zone, or all privileges 1137c478bd9Sstevel@tonic-gate * if executing in the global zone. 1147c478bd9Sstevel@tonic-gate * 1157c478bd9Sstevel@tonic-gate * This is indicated in the priv_policy* policy checking functions 1167c478bd9Sstevel@tonic-gate * through a combination of parameters. The "priv" parameter indicates 1177c478bd9Sstevel@tonic-gate * the privilege that is required, and the "allzone" parameter indicates 1187c478bd9Sstevel@tonic-gate * whether or not all privileges in the zone are required. In addition, 1197c478bd9Sstevel@tonic-gate * priv can be set to PRIV_ALL to indicate that all privileges are 1207c478bd9Sstevel@tonic-gate * required (regardless of zone). There are three scenarios of interest: 1217c478bd9Sstevel@tonic-gate * (1) operation requires a specific privilege 1227c478bd9Sstevel@tonic-gate * (2) operation requires a specific privilege, and requires all 1237c478bd9Sstevel@tonic-gate * privileges available within the zone (or all privileges if in 1247c478bd9Sstevel@tonic-gate * the global zone) 1257c478bd9Sstevel@tonic-gate * (3) operation requires all privileges, regardless of zone 1267c478bd9Sstevel@tonic-gate * 1277c478bd9Sstevel@tonic-gate * For (1), priv should be set to the specific privilege, and allzone 1287c478bd9Sstevel@tonic-gate * should be set to B_FALSE. 1297c478bd9Sstevel@tonic-gate * For (2), priv should be set to the specific privilege, and allzone 1307c478bd9Sstevel@tonic-gate * should be set to B_TRUE. 1317c478bd9Sstevel@tonic-gate * For (3), priv should be set to PRIV_ALL, and allzone should be set 1327c478bd9Sstevel@tonic-gate * to B_FALSE. 1337c478bd9Sstevel@tonic-gate * 1347c478bd9Sstevel@tonic-gate */ 1357c478bd9Sstevel@tonic-gate 1367c478bd9Sstevel@tonic-gate /* 1377c478bd9Sstevel@tonic-gate * The privileges are checked against the Effective set for 1387c478bd9Sstevel@tonic-gate * ordinary processes and checked against the Limit set 1397c478bd9Sstevel@tonic-gate * for euid 0 processes that haven't manipulated their privilege 1407c478bd9Sstevel@tonic-gate * sets. 1417c478bd9Sstevel@tonic-gate */ 1427c478bd9Sstevel@tonic-gate #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 1437c478bd9Sstevel@tonic-gate #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 1447c478bd9Sstevel@tonic-gate #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 1457c478bd9Sstevel@tonic-gate #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 1467c478bd9Sstevel@tonic-gate HAS_ALLPRIVS(cr) : \ 1477c478bd9Sstevel@tonic-gate PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 1487c478bd9Sstevel@tonic-gate 1497c478bd9Sstevel@tonic-gate /* 1507c478bd9Sstevel@tonic-gate * Policy checking functions 1517c478bd9Sstevel@tonic-gate * 1527c478bd9Sstevel@tonic-gate * In future, these will migrate to several files when policy 1537c478bd9Sstevel@tonic-gate * becomes more or less pluggable. 1547c478bd9Sstevel@tonic-gate * 1557c478bd9Sstevel@tonic-gate * For now, there's only one policy and this is it. 1567c478bd9Sstevel@tonic-gate */ 1577c478bd9Sstevel@tonic-gate 1587c478bd9Sstevel@tonic-gate /* 1597c478bd9Sstevel@tonic-gate * Generic policy calls 1607c478bd9Sstevel@tonic-gate * 1617c478bd9Sstevel@tonic-gate * The "bottom" functions of policy control 1627c478bd9Sstevel@tonic-gate */ 1637c478bd9Sstevel@tonic-gate 1647c478bd9Sstevel@tonic-gate static char * 1657c478bd9Sstevel@tonic-gate mprintf(const char *fmt, ...) 1667c478bd9Sstevel@tonic-gate { 1677c478bd9Sstevel@tonic-gate va_list args; 1687c478bd9Sstevel@tonic-gate char *buf; 1697c478bd9Sstevel@tonic-gate size_t len; 1707c478bd9Sstevel@tonic-gate 1717c478bd9Sstevel@tonic-gate va_start(args, fmt); 1727c478bd9Sstevel@tonic-gate len = vsnprintf(NULL, 0, fmt, args) + 1; 1737c478bd9Sstevel@tonic-gate va_end(args); 1747c478bd9Sstevel@tonic-gate 1757c478bd9Sstevel@tonic-gate buf = kmem_alloc(len, KM_NOSLEEP); 1767c478bd9Sstevel@tonic-gate 1777c478bd9Sstevel@tonic-gate if (buf == NULL) 1787c478bd9Sstevel@tonic-gate return (NULL); 1797c478bd9Sstevel@tonic-gate 1807c478bd9Sstevel@tonic-gate va_start(args, fmt); 1817c478bd9Sstevel@tonic-gate (void) vsnprintf(buf, len, fmt, args); 1827c478bd9Sstevel@tonic-gate va_end(args); 1837c478bd9Sstevel@tonic-gate 1847c478bd9Sstevel@tonic-gate return (buf); 1857c478bd9Sstevel@tonic-gate } 1867c478bd9Sstevel@tonic-gate 1877c478bd9Sstevel@tonic-gate /* 1887c478bd9Sstevel@tonic-gate * priv_policy_errmsg() 1897c478bd9Sstevel@tonic-gate * 1907c478bd9Sstevel@tonic-gate * Generate an error message if privilege debugging is enabled system wide 1917c478bd9Sstevel@tonic-gate * or for this particular process. 1927c478bd9Sstevel@tonic-gate */ 1937c478bd9Sstevel@tonic-gate 1947c478bd9Sstevel@tonic-gate #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 1957c478bd9Sstevel@tonic-gate #define FMTMSG " for \"%s\"" 1967c478bd9Sstevel@tonic-gate #define FMTFUN " needed at %s+0x%lx" 1977c478bd9Sstevel@tonic-gate 1987c478bd9Sstevel@tonic-gate /* The maximum size privilege format: the concatenation of the above */ 1997c478bd9Sstevel@tonic-gate #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 2007c478bd9Sstevel@tonic-gate 2017c478bd9Sstevel@tonic-gate static void 2027c478bd9Sstevel@tonic-gate priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 2037c478bd9Sstevel@tonic-gate { 2047c478bd9Sstevel@tonic-gate struct proc *me; 2057c478bd9Sstevel@tonic-gate pc_t stack[MAXPRIVSTACK]; 2067c478bd9Sstevel@tonic-gate int depth; 2077c478bd9Sstevel@tonic-gate int i; 2087c478bd9Sstevel@tonic-gate char *sym; 2097c478bd9Sstevel@tonic-gate ulong_t off; 2107c478bd9Sstevel@tonic-gate const char *pname; 2117c478bd9Sstevel@tonic-gate 2127c478bd9Sstevel@tonic-gate char *cmd; 2137c478bd9Sstevel@tonic-gate char fmt[sizeof (FMTMAX)]; 2147c478bd9Sstevel@tonic-gate 2157c478bd9Sstevel@tonic-gate if ((me = curproc) == &p0) 2167c478bd9Sstevel@tonic-gate return; 2177c478bd9Sstevel@tonic-gate 2187c478bd9Sstevel@tonic-gate /* Privileges must be defined */ 2197c478bd9Sstevel@tonic-gate ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 2207c478bd9Sstevel@tonic-gate priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 2217c478bd9Sstevel@tonic-gate priv_getbynum(priv) != NULL); 2227c478bd9Sstevel@tonic-gate 2237c478bd9Sstevel@tonic-gate if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 2247c478bd9Sstevel@tonic-gate priv = PRIV_ALL; 2257c478bd9Sstevel@tonic-gate 2267c478bd9Sstevel@tonic-gate if (curthread->t_pre_sys) 2277c478bd9Sstevel@tonic-gate ttolwp(curthread)->lwp_badpriv = (short)priv; 2287c478bd9Sstevel@tonic-gate 2297c478bd9Sstevel@tonic-gate if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 2307c478bd9Sstevel@tonic-gate return; 2317c478bd9Sstevel@tonic-gate 2327c478bd9Sstevel@tonic-gate (void) strcpy(fmt, FMTHDR); 2337c478bd9Sstevel@tonic-gate 2347c478bd9Sstevel@tonic-gate if (me->p_user.u_comm[0]) 2357c478bd9Sstevel@tonic-gate cmd = &me->p_user.u_comm[0]; 2367c478bd9Sstevel@tonic-gate else 2377c478bd9Sstevel@tonic-gate cmd = "priv_policy"; 2387c478bd9Sstevel@tonic-gate 2397c478bd9Sstevel@tonic-gate if (msg != NULL && *msg != '\0') { 2407c478bd9Sstevel@tonic-gate (void) strcat(fmt, FMTMSG); 2417c478bd9Sstevel@tonic-gate } else { 2427c478bd9Sstevel@tonic-gate (void) strcat(fmt, "%s"); 2437c478bd9Sstevel@tonic-gate msg = ""; 2447c478bd9Sstevel@tonic-gate } 2457c478bd9Sstevel@tonic-gate 2467c478bd9Sstevel@tonic-gate sym = NULL; 2477c478bd9Sstevel@tonic-gate 2487c478bd9Sstevel@tonic-gate depth = getpcstack(stack, MAXPRIVSTACK); 2497c478bd9Sstevel@tonic-gate 2507c478bd9Sstevel@tonic-gate /* 2517c478bd9Sstevel@tonic-gate * Try to find the first interesting function on the stack. 2527c478bd9Sstevel@tonic-gate * priv_policy* that's us, so completely uninteresting. 2537c478bd9Sstevel@tonic-gate * suser(), drv_priv(), secpolicy_* are also called from 2547c478bd9Sstevel@tonic-gate * too many locations to convey useful information. 2557c478bd9Sstevel@tonic-gate */ 2567c478bd9Sstevel@tonic-gate for (i = 0; i < depth; i++) { 2577c478bd9Sstevel@tonic-gate sym = kobj_getsymname((uintptr_t)stack[i], &off); 2587c478bd9Sstevel@tonic-gate if (sym != NULL && 2597c478bd9Sstevel@tonic-gate strstr(sym, "hasprocperm") == 0 && 2607c478bd9Sstevel@tonic-gate strcmp("suser", sym) != 0 && 2617c478bd9Sstevel@tonic-gate strcmp("ipcaccess", sym) != 0 && 2627c478bd9Sstevel@tonic-gate strcmp("drv_priv", sym) != 0 && 2637c478bd9Sstevel@tonic-gate strncmp("secpolicy_", sym, 10) != 0 && 2647c478bd9Sstevel@tonic-gate strncmp("priv_policy", sym, 11) != 0) 2657c478bd9Sstevel@tonic-gate break; 2667c478bd9Sstevel@tonic-gate } 2677c478bd9Sstevel@tonic-gate 2687c478bd9Sstevel@tonic-gate if (sym != NULL) 2697c478bd9Sstevel@tonic-gate (void) strcat(fmt, FMTFUN); 2707c478bd9Sstevel@tonic-gate 2717c478bd9Sstevel@tonic-gate (void) strcat(fmt, "\n"); 2727c478bd9Sstevel@tonic-gate 2737c478bd9Sstevel@tonic-gate switch (priv) { 2747c478bd9Sstevel@tonic-gate case PRIV_ALL: 2757c478bd9Sstevel@tonic-gate pname = "ALL"; 2767c478bd9Sstevel@tonic-gate break; 2777c478bd9Sstevel@tonic-gate case PRIV_MULTIPLE: 2787c478bd9Sstevel@tonic-gate pname = "MULTIPLE"; 2797c478bd9Sstevel@tonic-gate break; 2807c478bd9Sstevel@tonic-gate case PRIV_ALLZONE: 2817c478bd9Sstevel@tonic-gate pname = "ZONE"; 2827c478bd9Sstevel@tonic-gate break; 2837c478bd9Sstevel@tonic-gate case PRIV_GLOBAL: 2847c478bd9Sstevel@tonic-gate pname = "GLOBAL"; 2857c478bd9Sstevel@tonic-gate break; 2867c478bd9Sstevel@tonic-gate default: 2877c478bd9Sstevel@tonic-gate pname = priv_getbynum(priv); 2887c478bd9Sstevel@tonic-gate break; 2897c478bd9Sstevel@tonic-gate } 2907c478bd9Sstevel@tonic-gate 2917c478bd9Sstevel@tonic-gate if (CR_FLAGS(cr) & PRIV_DEBUG) { 2927c478bd9Sstevel@tonic-gate /* Remember last message, just like lwp_badpriv. */ 2937c478bd9Sstevel@tonic-gate if (curthread->t_pdmsg != NULL) { 2947c478bd9Sstevel@tonic-gate kmem_free(curthread->t_pdmsg, 2957c478bd9Sstevel@tonic-gate strlen(curthread->t_pdmsg) + 1); 2967c478bd9Sstevel@tonic-gate } 2977c478bd9Sstevel@tonic-gate 2987c478bd9Sstevel@tonic-gate curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 2997c478bd9Sstevel@tonic-gate cr->cr_uid, curthread->t_sysnum, msg, sym, off); 3007c478bd9Sstevel@tonic-gate 3017c478bd9Sstevel@tonic-gate curthread->t_post_sys = 1; 3027c478bd9Sstevel@tonic-gate } else { 3037c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 3047c478bd9Sstevel@tonic-gate curthread->t_sysnum, msg, sym, off); 3057c478bd9Sstevel@tonic-gate } 3067c478bd9Sstevel@tonic-gate } 3077c478bd9Sstevel@tonic-gate 3087c478bd9Sstevel@tonic-gate /* 3097c478bd9Sstevel@tonic-gate * Audit failure, log error message. 3107c478bd9Sstevel@tonic-gate */ 3117c478bd9Sstevel@tonic-gate static void 3127c478bd9Sstevel@tonic-gate priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 3137c478bd9Sstevel@tonic-gate { 3147c478bd9Sstevel@tonic-gate 3157c478bd9Sstevel@tonic-gate #ifdef C2_AUDIT 3167c478bd9Sstevel@tonic-gate if (audit_active) 3177c478bd9Sstevel@tonic-gate audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 3187c478bd9Sstevel@tonic-gate #endif 3197c478bd9Sstevel@tonic-gate DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 3207c478bd9Sstevel@tonic-gate 3217c478bd9Sstevel@tonic-gate if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 3227c478bd9Sstevel@tonic-gate curthread->t_pre_sys) { 3237c478bd9Sstevel@tonic-gate if (allzone && !HAS_ALLZONEPRIVS(cr)) { 3247c478bd9Sstevel@tonic-gate priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 3257c478bd9Sstevel@tonic-gate } else { 3267c478bd9Sstevel@tonic-gate ASSERT(!HAS_PRIVILEGE(cr, priv)); 3277c478bd9Sstevel@tonic-gate priv_policy_errmsg(cr, priv, msg); 3287c478bd9Sstevel@tonic-gate } 3297c478bd9Sstevel@tonic-gate } 3307c478bd9Sstevel@tonic-gate } 3317c478bd9Sstevel@tonic-gate 3327c478bd9Sstevel@tonic-gate /* 3337c478bd9Sstevel@tonic-gate * priv_policy() 3347c478bd9Sstevel@tonic-gate * return 0 or error. 3357c478bd9Sstevel@tonic-gate * See block comment above for a description of "priv" and "allzone" usage. 3367c478bd9Sstevel@tonic-gate */ 3377c478bd9Sstevel@tonic-gate int 3387c478bd9Sstevel@tonic-gate priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 3397c478bd9Sstevel@tonic-gate const char *msg) 3407c478bd9Sstevel@tonic-gate { 3417c478bd9Sstevel@tonic-gate if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 3427c478bd9Sstevel@tonic-gate if ((allzone || priv == PRIV_ALL || 3437c478bd9Sstevel@tonic-gate !PRIV_ISASSERT(priv_basic, priv)) && 3447c478bd9Sstevel@tonic-gate !servicing_interrupt()) { 345ae115bc7Smrj PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 3467c478bd9Sstevel@tonic-gate #ifdef C2_AUDIT 3477c478bd9Sstevel@tonic-gate if (audit_active) 3487c478bd9Sstevel@tonic-gate audit_priv(priv, 3497c478bd9Sstevel@tonic-gate allzone ? ZONEPRIVS(cr) : NULL, 1); 3507c478bd9Sstevel@tonic-gate #endif 3517c478bd9Sstevel@tonic-gate } 3527c478bd9Sstevel@tonic-gate err = 0; 3537c478bd9Sstevel@tonic-gate DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 3547c478bd9Sstevel@tonic-gate } else if (!servicing_interrupt()) { 3557c478bd9Sstevel@tonic-gate /* Failure audited in this procedure */ 3567c478bd9Sstevel@tonic-gate priv_policy_err(cr, priv, allzone, msg); 3577c478bd9Sstevel@tonic-gate } 3587c478bd9Sstevel@tonic-gate 3597c478bd9Sstevel@tonic-gate return (err); 3607c478bd9Sstevel@tonic-gate } 3617c478bd9Sstevel@tonic-gate 3627c478bd9Sstevel@tonic-gate /* 3637c478bd9Sstevel@tonic-gate * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 3647c478bd9Sstevel@tonic-gate */ 3657c478bd9Sstevel@tonic-gate boolean_t 3667c478bd9Sstevel@tonic-gate priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 3677c478bd9Sstevel@tonic-gate { 3687c478bd9Sstevel@tonic-gate boolean_t res = HAS_PRIVILEGE(cr, priv) && 3697c478bd9Sstevel@tonic-gate (!allzone || HAS_ALLZONEPRIVS(cr)); 3707c478bd9Sstevel@tonic-gate 3717c478bd9Sstevel@tonic-gate #ifdef C2_AUDIT 3727c478bd9Sstevel@tonic-gate /* Audit success only */ 3737c478bd9Sstevel@tonic-gate if (res && audit_active && 3747c478bd9Sstevel@tonic-gate (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 3757c478bd9Sstevel@tonic-gate !servicing_interrupt()) { 3767c478bd9Sstevel@tonic-gate audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 3777c478bd9Sstevel@tonic-gate } 3787c478bd9Sstevel@tonic-gate #endif 3797c478bd9Sstevel@tonic-gate if (res) { 3807c478bd9Sstevel@tonic-gate DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 3817c478bd9Sstevel@tonic-gate } else { 3827c478bd9Sstevel@tonic-gate DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 3837c478bd9Sstevel@tonic-gate } 3847c478bd9Sstevel@tonic-gate return (res); 3857c478bd9Sstevel@tonic-gate } 3867c478bd9Sstevel@tonic-gate 3877c478bd9Sstevel@tonic-gate /* 3887c478bd9Sstevel@tonic-gate * Non-auditing variant of priv_policy_choice(). 3897c478bd9Sstevel@tonic-gate */ 3907c478bd9Sstevel@tonic-gate boolean_t 3917c478bd9Sstevel@tonic-gate priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 3927c478bd9Sstevel@tonic-gate { 3937c478bd9Sstevel@tonic-gate boolean_t res = HAS_PRIVILEGE(cr, priv) && 3947c478bd9Sstevel@tonic-gate (!allzone || HAS_ALLZONEPRIVS(cr)); 3957c478bd9Sstevel@tonic-gate 3967c478bd9Sstevel@tonic-gate if (res) { 3977c478bd9Sstevel@tonic-gate DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 3987c478bd9Sstevel@tonic-gate } else { 3997c478bd9Sstevel@tonic-gate DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 4007c478bd9Sstevel@tonic-gate } 4017c478bd9Sstevel@tonic-gate return (res); 4027c478bd9Sstevel@tonic-gate } 4037c478bd9Sstevel@tonic-gate 4047c478bd9Sstevel@tonic-gate /* 4057c478bd9Sstevel@tonic-gate * Check whether all privileges in the required set are present. 4067c478bd9Sstevel@tonic-gate */ 4077c478bd9Sstevel@tonic-gate static int 4087c478bd9Sstevel@tonic-gate secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 4097c478bd9Sstevel@tonic-gate { 4107c478bd9Sstevel@tonic-gate int priv; 4117c478bd9Sstevel@tonic-gate int pfound = -1; 4127c478bd9Sstevel@tonic-gate priv_set_t pset; 4137c478bd9Sstevel@tonic-gate 4147c478bd9Sstevel@tonic-gate if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 4157c478bd9Sstevel@tonic-gate &CR_OEPRIV(cr))) { 4167c478bd9Sstevel@tonic-gate return (0); 4177c478bd9Sstevel@tonic-gate } 4187c478bd9Sstevel@tonic-gate 4197c478bd9Sstevel@tonic-gate if (req == PRIV_FULLSET || priv_isfullset(req)) { 4207c478bd9Sstevel@tonic-gate priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 4217c478bd9Sstevel@tonic-gate return (EACCES); 4227c478bd9Sstevel@tonic-gate } 4237c478bd9Sstevel@tonic-gate 4247c478bd9Sstevel@tonic-gate pset = CR_OEPRIV(cr); /* present privileges */ 4257c478bd9Sstevel@tonic-gate priv_inverse(&pset); /* all non present privileges */ 4267c478bd9Sstevel@tonic-gate priv_intersect(req, &pset); /* the actual missing privs */ 4277c478bd9Sstevel@tonic-gate 4287c478bd9Sstevel@tonic-gate #ifdef C2_AUDIT 4297c478bd9Sstevel@tonic-gate if (audit_active) 4307c478bd9Sstevel@tonic-gate audit_priv(PRIV_NONE, &pset, 0); 4317c478bd9Sstevel@tonic-gate #endif 4327c478bd9Sstevel@tonic-gate /* 4337c478bd9Sstevel@tonic-gate * Privilege debugging; special case "one privilege in set". 4347c478bd9Sstevel@tonic-gate */ 4357c478bd9Sstevel@tonic-gate if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 4367c478bd9Sstevel@tonic-gate for (priv = 0; priv < nprivs; priv++) { 4377c478bd9Sstevel@tonic-gate if (priv_ismember(&pset, priv)) { 4387c478bd9Sstevel@tonic-gate if (pfound != -1) { 4397c478bd9Sstevel@tonic-gate /* Multiple missing privs */ 4407c478bd9Sstevel@tonic-gate priv_policy_errmsg(cr, PRIV_MULTIPLE, 4417c478bd9Sstevel@tonic-gate msg); 4427c478bd9Sstevel@tonic-gate return (EACCES); 4437c478bd9Sstevel@tonic-gate } 4447c478bd9Sstevel@tonic-gate pfound = priv; 4457c478bd9Sstevel@tonic-gate } 4467c478bd9Sstevel@tonic-gate } 4477c478bd9Sstevel@tonic-gate ASSERT(pfound != -1); 4487c478bd9Sstevel@tonic-gate /* Just the one missing privilege */ 4497c478bd9Sstevel@tonic-gate priv_policy_errmsg(cr, pfound, msg); 4507c478bd9Sstevel@tonic-gate } 4517c478bd9Sstevel@tonic-gate 4527c478bd9Sstevel@tonic-gate return (EACCES); 4537c478bd9Sstevel@tonic-gate } 4547c478bd9Sstevel@tonic-gate 4557c478bd9Sstevel@tonic-gate /* 4567c478bd9Sstevel@tonic-gate * Called when an operation requires that the caller be in the 4577c478bd9Sstevel@tonic-gate * global zone, regardless of privilege. 4587c478bd9Sstevel@tonic-gate */ 4597c478bd9Sstevel@tonic-gate static int 4607c478bd9Sstevel@tonic-gate priv_policy_global(const cred_t *cr) 4617c478bd9Sstevel@tonic-gate { 4627c478bd9Sstevel@tonic-gate if (crgetzoneid(cr) == GLOBAL_ZONEID) 4637c478bd9Sstevel@tonic-gate return (0); /* success */ 4647c478bd9Sstevel@tonic-gate 4657c478bd9Sstevel@tonic-gate if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 4667c478bd9Sstevel@tonic-gate curthread->t_pre_sys) { 4677c478bd9Sstevel@tonic-gate priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 4687c478bd9Sstevel@tonic-gate } 4697c478bd9Sstevel@tonic-gate return (EPERM); 4707c478bd9Sstevel@tonic-gate } 4717c478bd9Sstevel@tonic-gate 4727c478bd9Sstevel@tonic-gate /* 4737c478bd9Sstevel@tonic-gate * Changing process priority 4747c478bd9Sstevel@tonic-gate */ 4757c478bd9Sstevel@tonic-gate int 4767c478bd9Sstevel@tonic-gate secpolicy_setpriority(const cred_t *cr) 4777c478bd9Sstevel@tonic-gate { 4787c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 4797c478bd9Sstevel@tonic-gate } 4807c478bd9Sstevel@tonic-gate 4817c478bd9Sstevel@tonic-gate /* 4827c478bd9Sstevel@tonic-gate * Binding to a privileged port, port must be specified in host byte 4837c478bd9Sstevel@tonic-gate * order. 4847c478bd9Sstevel@tonic-gate */ 4857c478bd9Sstevel@tonic-gate int 4867c478bd9Sstevel@tonic-gate secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 4877c478bd9Sstevel@tonic-gate { 4887c478bd9Sstevel@tonic-gate /* 4897c478bd9Sstevel@tonic-gate * NFS ports, these are extra privileged ports, allow bind 4907c478bd9Sstevel@tonic-gate * only if the SYS_NFS privilege is present. 4917c478bd9Sstevel@tonic-gate */ 4927c478bd9Sstevel@tonic-gate if (port == 2049 || port == 4045) 4937c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 4947c478bd9Sstevel@tonic-gate "NFS port")); 4957c478bd9Sstevel@tonic-gate else 4967c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 4977c478bd9Sstevel@tonic-gate NULL)); 4987c478bd9Sstevel@tonic-gate } 4997c478bd9Sstevel@tonic-gate 5007c478bd9Sstevel@tonic-gate /* 50145916cd2Sjpk * Binding to a multilevel port on a trusted (labeled) system. 50245916cd2Sjpk */ 50345916cd2Sjpk int 50445916cd2Sjpk secpolicy_net_bindmlp(const cred_t *cr) 50545916cd2Sjpk { 50645916cd2Sjpk return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, 50745916cd2Sjpk NULL)); 50845916cd2Sjpk } 50945916cd2Sjpk 51045916cd2Sjpk /* 51145916cd2Sjpk * Allow a communication between a zone and an unlabeled host when their 51245916cd2Sjpk * labels don't match. 51345916cd2Sjpk */ 51445916cd2Sjpk int 51545916cd2Sjpk secpolicy_net_mac_aware(const cred_t *cr) 51645916cd2Sjpk { 51745916cd2Sjpk return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, 51845916cd2Sjpk NULL)); 51945916cd2Sjpk } 52045916cd2Sjpk 52145916cd2Sjpk /* 5227c478bd9Sstevel@tonic-gate * Common routine which determines whether a given credential can 5237c478bd9Sstevel@tonic-gate * act on a given mount. 5247c478bd9Sstevel@tonic-gate * When called through mount, the parameter needoptcheck is a pointer 5257c478bd9Sstevel@tonic-gate * to a boolean variable which will be set to either true or false, 5267c478bd9Sstevel@tonic-gate * depending on whether the mount policy should change the mount options. 5277c478bd9Sstevel@tonic-gate * In all other cases, needoptcheck should be a NULL pointer. 5287c478bd9Sstevel@tonic-gate */ 5297c478bd9Sstevel@tonic-gate static int 5307c478bd9Sstevel@tonic-gate secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 5317c478bd9Sstevel@tonic-gate boolean_t *needoptcheck) 5327c478bd9Sstevel@tonic-gate { 5337c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 5347c478bd9Sstevel@tonic-gate boolean_t mounting = needoptcheck != NULL; 5357c478bd9Sstevel@tonic-gate 5367c478bd9Sstevel@tonic-gate /* 5377c478bd9Sstevel@tonic-gate * Short circuit the following cases: 5387c478bd9Sstevel@tonic-gate * vfsp == NULL or mvp == NULL (pure privilege check) 5397c478bd9Sstevel@tonic-gate * have all privileges - no further checks required 5407c478bd9Sstevel@tonic-gate * and no mount options need to be set. 5417c478bd9Sstevel@tonic-gate */ 5427c478bd9Sstevel@tonic-gate if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 5437c478bd9Sstevel@tonic-gate if (mounting) 5447c478bd9Sstevel@tonic-gate *needoptcheck = B_FALSE; 5457c478bd9Sstevel@tonic-gate 5467c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 5477c478bd9Sstevel@tonic-gate } 5487c478bd9Sstevel@tonic-gate 5497c478bd9Sstevel@tonic-gate /* 5507c478bd9Sstevel@tonic-gate * When operating on an existing mount (either we're not mounting 5517c478bd9Sstevel@tonic-gate * or we're doing a remount and VFS_REMOUNT will be set), zones 5527c478bd9Sstevel@tonic-gate * can operate only on mounts established by the zone itself. 5537c478bd9Sstevel@tonic-gate */ 5547c478bd9Sstevel@tonic-gate if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 5557c478bd9Sstevel@tonic-gate zoneid_t zoneid = crgetzoneid(cr); 5567c478bd9Sstevel@tonic-gate 5577c478bd9Sstevel@tonic-gate if (zoneid != GLOBAL_ZONEID && 5587c478bd9Sstevel@tonic-gate vfsp->vfs_zone->zone_id != zoneid) { 5597c478bd9Sstevel@tonic-gate return (EPERM); 5607c478bd9Sstevel@tonic-gate } 5617c478bd9Sstevel@tonic-gate } 5627c478bd9Sstevel@tonic-gate 5637c478bd9Sstevel@tonic-gate if (mounting) 5647c478bd9Sstevel@tonic-gate *needoptcheck = B_TRUE; 5657c478bd9Sstevel@tonic-gate 5667c478bd9Sstevel@tonic-gate /* 5677c478bd9Sstevel@tonic-gate * Overlay mounts may hide important stuff; if you can't write to a 5687c478bd9Sstevel@tonic-gate * mount point but would be able to mount on top of it, you can 5697c478bd9Sstevel@tonic-gate * escalate your privileges. 5707c478bd9Sstevel@tonic-gate * So we go about asking the same questions namefs does when it 5717c478bd9Sstevel@tonic-gate * decides whether you can mount over a file or not but with the 5727c478bd9Sstevel@tonic-gate * added restriction that you can only mount on top of a regular 5737c478bd9Sstevel@tonic-gate * file or directory. 5747c478bd9Sstevel@tonic-gate * If we have all the zone's privileges, we skip all other checks, 5757c478bd9Sstevel@tonic-gate * or else we may actually get in trouble inside the automounter. 5767c478bd9Sstevel@tonic-gate */ 5777c478bd9Sstevel@tonic-gate if ((mvp->v_flag & VROOT) != 0 || 5787c478bd9Sstevel@tonic-gate (mvp->v_type != VDIR && mvp->v_type != VREG) || 5797c478bd9Sstevel@tonic-gate HAS_ALLZONEPRIVS(cr)) { 5807c478bd9Sstevel@tonic-gate allzone = B_TRUE; 5817c478bd9Sstevel@tonic-gate } else { 5827c478bd9Sstevel@tonic-gate vattr_t va; 5837c478bd9Sstevel@tonic-gate int err; 5847c478bd9Sstevel@tonic-gate 5857c478bd9Sstevel@tonic-gate va.va_mask = AT_UID|AT_MODE; 5867c478bd9Sstevel@tonic-gate err = VOP_GETATTR(mvp, &va, 0, cr); 5877c478bd9Sstevel@tonic-gate if (err != 0) 5887c478bd9Sstevel@tonic-gate return (err); 5897c478bd9Sstevel@tonic-gate 5907c478bd9Sstevel@tonic-gate if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 5917c478bd9Sstevel@tonic-gate return (err); 5927c478bd9Sstevel@tonic-gate 5937c478bd9Sstevel@tonic-gate if ((va.va_mode & VWRITE) == 0 && 5947c478bd9Sstevel@tonic-gate secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 5957c478bd9Sstevel@tonic-gate return (EACCES); 5967c478bd9Sstevel@tonic-gate } 5977c478bd9Sstevel@tonic-gate } 5987c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 5997c478bd9Sstevel@tonic-gate } 6007c478bd9Sstevel@tonic-gate 601ecd6cf80Smarks void 602ecd6cf80Smarks secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 6037c478bd9Sstevel@tonic-gate { 6047c478bd9Sstevel@tonic-gate boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 6057c478bd9Sstevel@tonic-gate 6067c478bd9Sstevel@tonic-gate /* 607ecd6cf80Smarks * check; if we don't have either "nosuid" or 6087c478bd9Sstevel@tonic-gate * both "nosetuid" and "nodevices", then we add 6097c478bd9Sstevel@tonic-gate * "nosuid"; this depends on how the current 6107c478bd9Sstevel@tonic-gate * implementation works (it first checks nosuid). In a 6117c478bd9Sstevel@tonic-gate * zone, a user with all zone privileges can mount with 6127c478bd9Sstevel@tonic-gate * "setuid" but never with "devices". 6137c478bd9Sstevel@tonic-gate */ 6147c478bd9Sstevel@tonic-gate if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 6157c478bd9Sstevel@tonic-gate (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 6167c478bd9Sstevel@tonic-gate !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 6177c478bd9Sstevel@tonic-gate if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 6187c478bd9Sstevel@tonic-gate vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 6197c478bd9Sstevel@tonic-gate else 6207c478bd9Sstevel@tonic-gate vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 6217c478bd9Sstevel@tonic-gate } 6227c478bd9Sstevel@tonic-gate /* 6237c478bd9Sstevel@tonic-gate * If we're not the local super user, we set the "restrict" 6247c478bd9Sstevel@tonic-gate * option to indicate to automountd that this mount should 6257c478bd9Sstevel@tonic-gate * be handled with care. 6267c478bd9Sstevel@tonic-gate */ 6277c478bd9Sstevel@tonic-gate if (!amsuper) 6287c478bd9Sstevel@tonic-gate vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 6297c478bd9Sstevel@tonic-gate 6307c478bd9Sstevel@tonic-gate } 631ecd6cf80Smarks 632ecd6cf80Smarks extern vnode_t *rootvp; 633ecd6cf80Smarks extern vfs_t *rootvfs; 634ecd6cf80Smarks 635ecd6cf80Smarks int 636ecd6cf80Smarks secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 637ecd6cf80Smarks { 638ecd6cf80Smarks boolean_t needoptchk; 639ecd6cf80Smarks int error; 640ecd6cf80Smarks 641ecd6cf80Smarks /* 642ecd6cf80Smarks * If it's a remount, get the underlying mount point, 643ecd6cf80Smarks * except for the root where we use the rootvp. 644ecd6cf80Smarks */ 645ecd6cf80Smarks if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 646ecd6cf80Smarks if (vfsp == rootvfs) 647ecd6cf80Smarks mvp = rootvp; 648ecd6cf80Smarks else 649ecd6cf80Smarks mvp = vfsp->vfs_vnodecovered; 650ecd6cf80Smarks } 651ecd6cf80Smarks 652ecd6cf80Smarks error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 653ecd6cf80Smarks 654ecd6cf80Smarks if (error == 0 && needoptchk) { 655ecd6cf80Smarks secpolicy_fs_mount_clearopts(cr, vfsp); 656ecd6cf80Smarks } 657ecd6cf80Smarks 6587c478bd9Sstevel@tonic-gate return (error); 6597c478bd9Sstevel@tonic-gate } 6607c478bd9Sstevel@tonic-gate 6617c478bd9Sstevel@tonic-gate /* 6627c478bd9Sstevel@tonic-gate * Does the policy computations for "ownership" of a mount; 6637c478bd9Sstevel@tonic-gate * here ownership is defined as the ability to "mount" 6647c478bd9Sstevel@tonic-gate * the filesystem originally. The rootvfs doesn't cover any 6657c478bd9Sstevel@tonic-gate * vnodes; we attribute its ownership to the rootvp. 6667c478bd9Sstevel@tonic-gate */ 6677c478bd9Sstevel@tonic-gate static int 6687c478bd9Sstevel@tonic-gate secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 6697c478bd9Sstevel@tonic-gate { 6707c478bd9Sstevel@tonic-gate vnode_t *mvp; 6717c478bd9Sstevel@tonic-gate 6727c478bd9Sstevel@tonic-gate if (vfsp == NULL) 6737c478bd9Sstevel@tonic-gate mvp = NULL; 6747c478bd9Sstevel@tonic-gate else if (vfsp == rootvfs) 6757c478bd9Sstevel@tonic-gate mvp = rootvp; 6767c478bd9Sstevel@tonic-gate else 6777c478bd9Sstevel@tonic-gate mvp = vfsp->vfs_vnodecovered; 6787c478bd9Sstevel@tonic-gate 6797c478bd9Sstevel@tonic-gate return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 6807c478bd9Sstevel@tonic-gate } 6817c478bd9Sstevel@tonic-gate 6827c478bd9Sstevel@tonic-gate int 6837c478bd9Sstevel@tonic-gate secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 6847c478bd9Sstevel@tonic-gate { 6857c478bd9Sstevel@tonic-gate return (secpolicy_fs_owner(cr, vfsp)); 6867c478bd9Sstevel@tonic-gate } 6877c478bd9Sstevel@tonic-gate 6887c478bd9Sstevel@tonic-gate /* 6897c478bd9Sstevel@tonic-gate * Quotas are a resource, but if one has the ability to mount a filesystem, he 6907c478bd9Sstevel@tonic-gate * should be able to modify quotas on it. 6917c478bd9Sstevel@tonic-gate */ 6927c478bd9Sstevel@tonic-gate int 6937c478bd9Sstevel@tonic-gate secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 6947c478bd9Sstevel@tonic-gate { 6957c478bd9Sstevel@tonic-gate return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 6967c478bd9Sstevel@tonic-gate } 6977c478bd9Sstevel@tonic-gate 6987c478bd9Sstevel@tonic-gate /* 6997c478bd9Sstevel@tonic-gate * Exceeding minfree: also a per-mount resource constraint. 7007c478bd9Sstevel@tonic-gate */ 7017c478bd9Sstevel@tonic-gate int 7027c478bd9Sstevel@tonic-gate secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 7037c478bd9Sstevel@tonic-gate { 7047c478bd9Sstevel@tonic-gate return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 7057c478bd9Sstevel@tonic-gate } 7067c478bd9Sstevel@tonic-gate 7077c478bd9Sstevel@tonic-gate int 7087c478bd9Sstevel@tonic-gate secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 7097c478bd9Sstevel@tonic-gate { 7107c478bd9Sstevel@tonic-gate return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 7117c478bd9Sstevel@tonic-gate } 7127c478bd9Sstevel@tonic-gate 7137c478bd9Sstevel@tonic-gate /* ARGSUSED */ 7147c478bd9Sstevel@tonic-gate int 7157c478bd9Sstevel@tonic-gate secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 7167c478bd9Sstevel@tonic-gate { 7177c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 7187c478bd9Sstevel@tonic-gate } 7197c478bd9Sstevel@tonic-gate 7207c478bd9Sstevel@tonic-gate /* 7217c478bd9Sstevel@tonic-gate * Name: secpolicy_vnode_access() 7227c478bd9Sstevel@tonic-gate * 7237c478bd9Sstevel@tonic-gate * Parameters: Process credential 7247c478bd9Sstevel@tonic-gate * vnode 7257c478bd9Sstevel@tonic-gate * uid of owner of vnode 7267c478bd9Sstevel@tonic-gate * permission bits not granted to the caller when examining 7277c478bd9Sstevel@tonic-gate * file mode bits (i.e., when a process wants to open a 7287c478bd9Sstevel@tonic-gate * mode 444 file for VREAD|VWRITE, this function should be 7297c478bd9Sstevel@tonic-gate * called only with a VWRITE argument). 7307c478bd9Sstevel@tonic-gate * 7317c478bd9Sstevel@tonic-gate * Normal: Verifies that cred has the appropriate privileges to 7327c478bd9Sstevel@tonic-gate * override the mode bits that were denied. 7337c478bd9Sstevel@tonic-gate * 7347c478bd9Sstevel@tonic-gate * Override: file_dac_execute - if VEXEC bit was denied and vnode is 7357c478bd9Sstevel@tonic-gate * not a directory. 7367c478bd9Sstevel@tonic-gate * file_dac_read - if VREAD bit was denied. 7377c478bd9Sstevel@tonic-gate * file_dac_search - if VEXEC bit was denied and vnode is 7387c478bd9Sstevel@tonic-gate * a directory. 7397c478bd9Sstevel@tonic-gate * file_dac_write - if VWRITE bit was denied. 7407c478bd9Sstevel@tonic-gate * 7417c478bd9Sstevel@tonic-gate * Root owned files are special cased to protect system 7427c478bd9Sstevel@tonic-gate * configuration files and such. 7437c478bd9Sstevel@tonic-gate * 7447c478bd9Sstevel@tonic-gate * Output: EACCES - if privilege check fails. 7457c478bd9Sstevel@tonic-gate */ 7467c478bd9Sstevel@tonic-gate 7477c478bd9Sstevel@tonic-gate /* ARGSUSED */ 7487c478bd9Sstevel@tonic-gate int 7497c478bd9Sstevel@tonic-gate secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 7507c478bd9Sstevel@tonic-gate { 7517c478bd9Sstevel@tonic-gate if ((mode & VREAD) && 7527c478bd9Sstevel@tonic-gate PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 7537c478bd9Sstevel@tonic-gate return (EACCES); 7547c478bd9Sstevel@tonic-gate 7557c478bd9Sstevel@tonic-gate if (mode & VWRITE) { 7567c478bd9Sstevel@tonic-gate boolean_t allzone; 7577c478bd9Sstevel@tonic-gate 7587c478bd9Sstevel@tonic-gate if (owner == 0 && cr->cr_uid != 0) 7597c478bd9Sstevel@tonic-gate allzone = B_TRUE; 7607c478bd9Sstevel@tonic-gate else 7617c478bd9Sstevel@tonic-gate allzone = B_FALSE; 7627c478bd9Sstevel@tonic-gate if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 7637c478bd9Sstevel@tonic-gate != 0) 7647c478bd9Sstevel@tonic-gate return (EACCES); 7657c478bd9Sstevel@tonic-gate } 7667c478bd9Sstevel@tonic-gate 7677c478bd9Sstevel@tonic-gate if (mode & VEXEC) { 7687c478bd9Sstevel@tonic-gate /* 7697c478bd9Sstevel@tonic-gate * Directories use file_dac_search to override the execute bit. 7707c478bd9Sstevel@tonic-gate */ 7717c478bd9Sstevel@tonic-gate vtype_t vtype = vp->v_type; 7727c478bd9Sstevel@tonic-gate 7737c478bd9Sstevel@tonic-gate if (vtype == VDIR) 7747c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 7757c478bd9Sstevel@tonic-gate EACCES, NULL)); 7767c478bd9Sstevel@tonic-gate else 7777c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 7787c478bd9Sstevel@tonic-gate EACCES, NULL)); 7797c478bd9Sstevel@tonic-gate } 7807c478bd9Sstevel@tonic-gate return (0); 7817c478bd9Sstevel@tonic-gate } 7827c478bd9Sstevel@tonic-gate 7837c478bd9Sstevel@tonic-gate /* 7847c478bd9Sstevel@tonic-gate * Name: secpolicy_vnode_setid_modify() 7857c478bd9Sstevel@tonic-gate * 7867c478bd9Sstevel@tonic-gate * Normal: verify that subject can set the file setid flags. 7877c478bd9Sstevel@tonic-gate * 7887c478bd9Sstevel@tonic-gate * Output: EPERM - if not privileged. 7897c478bd9Sstevel@tonic-gate */ 7907c478bd9Sstevel@tonic-gate 7917c478bd9Sstevel@tonic-gate static int 7927c478bd9Sstevel@tonic-gate secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 7937c478bd9Sstevel@tonic-gate { 7947c478bd9Sstevel@tonic-gate /* If changing to suid root, must have all zone privs */ 7957c478bd9Sstevel@tonic-gate boolean_t allzone = B_TRUE; 7967c478bd9Sstevel@tonic-gate 7977c478bd9Sstevel@tonic-gate if (owner != 0) { 7987c478bd9Sstevel@tonic-gate if (owner == cr->cr_uid) 7997c478bd9Sstevel@tonic-gate return (0); 8007c478bd9Sstevel@tonic-gate allzone = B_FALSE; 8017c478bd9Sstevel@tonic-gate } 8027c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 8037c478bd9Sstevel@tonic-gate } 8047c478bd9Sstevel@tonic-gate 8057c478bd9Sstevel@tonic-gate /* 8067c478bd9Sstevel@tonic-gate * Are we allowed to retain the set-uid/set-gid bits when 8077c478bd9Sstevel@tonic-gate * changing ownership or when writing to a file? 8087c478bd9Sstevel@tonic-gate * "issuid" should be true when set-uid; only in that case 8097c478bd9Sstevel@tonic-gate * root ownership is checked (setgid is assumed). 8107c478bd9Sstevel@tonic-gate */ 8117c478bd9Sstevel@tonic-gate int 8127c478bd9Sstevel@tonic-gate secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 8137c478bd9Sstevel@tonic-gate { 8147c478bd9Sstevel@tonic-gate if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 8157c478bd9Sstevel@tonic-gate return (EPERM); 8167c478bd9Sstevel@tonic-gate 8177c478bd9Sstevel@tonic-gate return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 8187c478bd9Sstevel@tonic-gate } 8197c478bd9Sstevel@tonic-gate 8207c478bd9Sstevel@tonic-gate /* 8217c478bd9Sstevel@tonic-gate * Name: secpolicy_vnode_setids_setgids() 8227c478bd9Sstevel@tonic-gate * 8237c478bd9Sstevel@tonic-gate * Normal: verify that subject can set the file setgid flag. 8247c478bd9Sstevel@tonic-gate * 8257c478bd9Sstevel@tonic-gate * Output: EPERM - if not privileged 8267c478bd9Sstevel@tonic-gate */ 8277c478bd9Sstevel@tonic-gate 8287c478bd9Sstevel@tonic-gate int 8297c478bd9Sstevel@tonic-gate secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 8307c478bd9Sstevel@tonic-gate { 8317c478bd9Sstevel@tonic-gate if (!groupmember(gid, cred)) 8327c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 8337c478bd9Sstevel@tonic-gate NULL)); 8347c478bd9Sstevel@tonic-gate return (0); 8357c478bd9Sstevel@tonic-gate } 8367c478bd9Sstevel@tonic-gate 8377c478bd9Sstevel@tonic-gate /* 8387c478bd9Sstevel@tonic-gate * Create a file with a group different than any of the groups allowed: 8397c478bd9Sstevel@tonic-gate * the group of the directory the file is created in, the effective 8407c478bd9Sstevel@tonic-gate * group or any of the supplementary groups. 8417c478bd9Sstevel@tonic-gate */ 8427c478bd9Sstevel@tonic-gate int 8437c478bd9Sstevel@tonic-gate secpolicy_vnode_create_gid(const cred_t *cred) 8447c478bd9Sstevel@tonic-gate { 8457c478bd9Sstevel@tonic-gate if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 8467c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 8477c478bd9Sstevel@tonic-gate NULL)); 8487c478bd9Sstevel@tonic-gate else 8497c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 8507c478bd9Sstevel@tonic-gate NULL)); 8517c478bd9Sstevel@tonic-gate } 8527c478bd9Sstevel@tonic-gate 8537c478bd9Sstevel@tonic-gate /* 8547c478bd9Sstevel@tonic-gate * Name: secpolicy_vnode_utime_modify() 8557c478bd9Sstevel@tonic-gate * 8567c478bd9Sstevel@tonic-gate * Normal: verify that subject can modify the utime on a file. 8577c478bd9Sstevel@tonic-gate * 8587c478bd9Sstevel@tonic-gate * Output: EPERM - if access denied. 8597c478bd9Sstevel@tonic-gate */ 8607c478bd9Sstevel@tonic-gate 8617c478bd9Sstevel@tonic-gate static int 8627c478bd9Sstevel@tonic-gate secpolicy_vnode_utime_modify(const cred_t *cred) 8637c478bd9Sstevel@tonic-gate { 8647c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 8657c478bd9Sstevel@tonic-gate "modify file times")); 8667c478bd9Sstevel@tonic-gate } 8677c478bd9Sstevel@tonic-gate 8687c478bd9Sstevel@tonic-gate 8697c478bd9Sstevel@tonic-gate /* 8707c478bd9Sstevel@tonic-gate * Name: secpolicy_vnode_setdac() 8717c478bd9Sstevel@tonic-gate * 8727c478bd9Sstevel@tonic-gate * Normal: verify that subject can modify the mode of a file. 8737c478bd9Sstevel@tonic-gate * allzone privilege needed when modifying root owned object. 8747c478bd9Sstevel@tonic-gate * 8757c478bd9Sstevel@tonic-gate * Output: EPERM - if access denied. 8767c478bd9Sstevel@tonic-gate */ 8777c478bd9Sstevel@tonic-gate 8787c478bd9Sstevel@tonic-gate int 8797c478bd9Sstevel@tonic-gate secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 8807c478bd9Sstevel@tonic-gate { 8817c478bd9Sstevel@tonic-gate if (owner == cred->cr_uid) 8827c478bd9Sstevel@tonic-gate return (0); 8837c478bd9Sstevel@tonic-gate 8847c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 8857c478bd9Sstevel@tonic-gate } 8867c478bd9Sstevel@tonic-gate /* 8877c478bd9Sstevel@tonic-gate * Name: secpolicy_vnode_stky_modify() 8887c478bd9Sstevel@tonic-gate * 8897c478bd9Sstevel@tonic-gate * Normal: verify that subject can make a file a "sticky". 8907c478bd9Sstevel@tonic-gate * 8917c478bd9Sstevel@tonic-gate * Output: EPERM - if access denied. 8927c478bd9Sstevel@tonic-gate */ 8937c478bd9Sstevel@tonic-gate 8947c478bd9Sstevel@tonic-gate int 8957c478bd9Sstevel@tonic-gate secpolicy_vnode_stky_modify(const cred_t *cred) 8967c478bd9Sstevel@tonic-gate { 8977c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 8987c478bd9Sstevel@tonic-gate "set file sticky")); 8997c478bd9Sstevel@tonic-gate } 9007c478bd9Sstevel@tonic-gate 9017c478bd9Sstevel@tonic-gate /* 9027c478bd9Sstevel@tonic-gate * Policy determines whether we can remove an entry from a directory, 9037c478bd9Sstevel@tonic-gate * regardless of permission bits. 9047c478bd9Sstevel@tonic-gate */ 9057c478bd9Sstevel@tonic-gate int 9067c478bd9Sstevel@tonic-gate secpolicy_vnode_remove(const cred_t *cr) 9077c478bd9Sstevel@tonic-gate { 9087c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 9097c478bd9Sstevel@tonic-gate "sticky directory")); 9107c478bd9Sstevel@tonic-gate } 9117c478bd9Sstevel@tonic-gate 9127c478bd9Sstevel@tonic-gate int 9137c478bd9Sstevel@tonic-gate secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 9147c478bd9Sstevel@tonic-gate { 9157c478bd9Sstevel@tonic-gate boolean_t allzone = (owner == 0); 9167c478bd9Sstevel@tonic-gate 9177c478bd9Sstevel@tonic-gate if (owner == cr->cr_uid) 9187c478bd9Sstevel@tonic-gate return (0); 9197c478bd9Sstevel@tonic-gate 9207c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 9217c478bd9Sstevel@tonic-gate } 9227c478bd9Sstevel@tonic-gate 92313f9f30eSmarks void 92413f9f30eSmarks secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 92513f9f30eSmarks { 92613f9f30eSmarks if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 92713f9f30eSmarks secpolicy_vnode_setid_retain(cr, 92813f9f30eSmarks (vap->va_mode & S_ISUID) != 0 && 92913f9f30eSmarks (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 93013f9f30eSmarks vap->va_mask |= AT_MODE; 93113f9f30eSmarks vap->va_mode &= ~(S_ISUID|S_ISGID); 93213f9f30eSmarks } 93313f9f30eSmarks } 93413f9f30eSmarks 935f92daba9Smarks int 936f92daba9Smarks secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 937f92daba9Smarks cred_t *cr) 938f92daba9Smarks { 939f92daba9Smarks int error; 940f92daba9Smarks 941f92daba9Smarks if ((vap->va_mode & S_ISUID) != 0 && 942f92daba9Smarks (error = secpolicy_vnode_setid_modify(cr, 943f92daba9Smarks ovap->va_uid)) != 0) { 944f92daba9Smarks return (error); 945f92daba9Smarks } 946f92daba9Smarks 947f92daba9Smarks /* 948f92daba9Smarks * Check privilege if attempting to set the 949f92daba9Smarks * sticky bit on a non-directory. 950f92daba9Smarks */ 951f92daba9Smarks if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 952f92daba9Smarks secpolicy_vnode_stky_modify(cr) != 0) { 953f92daba9Smarks vap->va_mode &= ~S_ISVTX; 954f92daba9Smarks } 955f92daba9Smarks 956f92daba9Smarks /* 957f92daba9Smarks * Check for privilege if attempting to set the 958f92daba9Smarks * group-id bit. 959f92daba9Smarks */ 960f92daba9Smarks if ((vap->va_mode & S_ISGID) != 0 && 961f92daba9Smarks secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 962f92daba9Smarks vap->va_mode &= ~S_ISGID; 963f92daba9Smarks } 964f92daba9Smarks 965f92daba9Smarks return (0); 966f92daba9Smarks } 967f92daba9Smarks 9687c478bd9Sstevel@tonic-gate /* 9697c478bd9Sstevel@tonic-gate * This function checks the policy decisions surrounding the 9707c478bd9Sstevel@tonic-gate * vop setattr call. 9717c478bd9Sstevel@tonic-gate * 9727c478bd9Sstevel@tonic-gate * It should be called after sufficient locks have been established 9737c478bd9Sstevel@tonic-gate * on the underlying data structures. No concurrent modifications 9747c478bd9Sstevel@tonic-gate * should be allowed. 9757c478bd9Sstevel@tonic-gate * 9767c478bd9Sstevel@tonic-gate * The caller must pass in unlocked version of its vaccess function 9777c478bd9Sstevel@tonic-gate * this is required because vop_access function should lock the 9787c478bd9Sstevel@tonic-gate * node for reading. A three argument function should be defined 9797c478bd9Sstevel@tonic-gate * which accepts the following argument: 9807c478bd9Sstevel@tonic-gate * A pointer to the internal "node" type (inode *) 9817c478bd9Sstevel@tonic-gate * vnode access bits (VREAD|VWRITE|VEXEC) 9827c478bd9Sstevel@tonic-gate * a pointer to the credential 9837c478bd9Sstevel@tonic-gate * 9847c478bd9Sstevel@tonic-gate * This function makes the following policy decisions: 9857c478bd9Sstevel@tonic-gate * 9867c478bd9Sstevel@tonic-gate * - change permissions 9877c478bd9Sstevel@tonic-gate * - permission to change file mode if not owner 9887c478bd9Sstevel@tonic-gate * - permission to add sticky bit to non-directory 9897c478bd9Sstevel@tonic-gate * - permission to add set-gid bit 9907c478bd9Sstevel@tonic-gate * 9917c478bd9Sstevel@tonic-gate * The ovap argument should include AT_MODE|AT_UID|AT_GID. 9927c478bd9Sstevel@tonic-gate * 9937c478bd9Sstevel@tonic-gate * If the vap argument does not include AT_MODE, the mode will be copied from 9947c478bd9Sstevel@tonic-gate * ovap. In certain situations set-uid/set-gid bits need to be removed; 9957c478bd9Sstevel@tonic-gate * this is done by marking vap->va_mask to include AT_MODE and va_mode 9967c478bd9Sstevel@tonic-gate * is updated to the newly computed mode. 9977c478bd9Sstevel@tonic-gate */ 9987c478bd9Sstevel@tonic-gate 9997c478bd9Sstevel@tonic-gate int 10007c478bd9Sstevel@tonic-gate secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 10017c478bd9Sstevel@tonic-gate const struct vattr *ovap, int flags, 10027c478bd9Sstevel@tonic-gate int unlocked_access(void *, int, cred_t *), 10037c478bd9Sstevel@tonic-gate void *node) 10047c478bd9Sstevel@tonic-gate { 10057c478bd9Sstevel@tonic-gate int mask = vap->va_mask; 10067c478bd9Sstevel@tonic-gate int error = 0; 10077c478bd9Sstevel@tonic-gate 10087c478bd9Sstevel@tonic-gate if (mask & AT_SIZE) { 10097c478bd9Sstevel@tonic-gate if (vp->v_type == VDIR) { 10107c478bd9Sstevel@tonic-gate error = EISDIR; 10117c478bd9Sstevel@tonic-gate goto out; 10127c478bd9Sstevel@tonic-gate } 10137c478bd9Sstevel@tonic-gate error = unlocked_access(node, VWRITE, cr); 10147c478bd9Sstevel@tonic-gate if (error) 10157c478bd9Sstevel@tonic-gate goto out; 10167c478bd9Sstevel@tonic-gate } 10177c478bd9Sstevel@tonic-gate if (mask & AT_MODE) { 10187c478bd9Sstevel@tonic-gate /* 10197c478bd9Sstevel@tonic-gate * If not the owner of the file then check privilege 10207c478bd9Sstevel@tonic-gate * for two things: the privilege to set the mode at all 10217c478bd9Sstevel@tonic-gate * and, if we're setting setuid, we also need permissions 10227c478bd9Sstevel@tonic-gate * to add the set-uid bit, if we're not the owner. 10237c478bd9Sstevel@tonic-gate * In the specific case of creating a set-uid root 10247c478bd9Sstevel@tonic-gate * file, we need even more permissions. 10257c478bd9Sstevel@tonic-gate */ 10267c478bd9Sstevel@tonic-gate if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 10277c478bd9Sstevel@tonic-gate goto out; 10287c478bd9Sstevel@tonic-gate 1029f92daba9Smarks if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1030f92daba9Smarks ovap, cr)) != 0) 10317c478bd9Sstevel@tonic-gate goto out; 10327c478bd9Sstevel@tonic-gate } else 10337c478bd9Sstevel@tonic-gate vap->va_mode = ovap->va_mode; 10347c478bd9Sstevel@tonic-gate 10357c478bd9Sstevel@tonic-gate if (mask & (AT_UID|AT_GID)) { 10367c478bd9Sstevel@tonic-gate boolean_t checkpriv = B_FALSE; 10377c478bd9Sstevel@tonic-gate int priv; 10387c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 10397c478bd9Sstevel@tonic-gate 10407c478bd9Sstevel@tonic-gate /* 10417c478bd9Sstevel@tonic-gate * Chowning files. 10427c478bd9Sstevel@tonic-gate * 10437c478bd9Sstevel@tonic-gate * If you are the file owner: 10447c478bd9Sstevel@tonic-gate * chown to other uid FILE_CHOWN_SELF 10457c478bd9Sstevel@tonic-gate * chown to gid (non-member) FILE_CHOWN_SELF 10467c478bd9Sstevel@tonic-gate * chown to gid (member) <none> 10477c478bd9Sstevel@tonic-gate * 10487c478bd9Sstevel@tonic-gate * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 10497c478bd9Sstevel@tonic-gate * acceptable but the first one is reported when debugging. 10507c478bd9Sstevel@tonic-gate * 10517c478bd9Sstevel@tonic-gate * If you are not the file owner: 10527c478bd9Sstevel@tonic-gate * chown from root PRIV_FILE_CHOWN + zone 10537c478bd9Sstevel@tonic-gate * chown from other to any PRIV_FILE_CHOWN 10547c478bd9Sstevel@tonic-gate * 10557c478bd9Sstevel@tonic-gate */ 10567c478bd9Sstevel@tonic-gate if (cr->cr_uid != ovap->va_uid) { 10577c478bd9Sstevel@tonic-gate checkpriv = B_TRUE; 10587c478bd9Sstevel@tonic-gate allzone = (ovap->va_uid == 0); 10597c478bd9Sstevel@tonic-gate priv = PRIV_FILE_CHOWN; 10607c478bd9Sstevel@tonic-gate } else { 10617c478bd9Sstevel@tonic-gate if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 10627c478bd9Sstevel@tonic-gate ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 10637c478bd9Sstevel@tonic-gate !groupmember(vap->va_gid, cr))) { 10647c478bd9Sstevel@tonic-gate checkpriv = B_TRUE; 10657c478bd9Sstevel@tonic-gate priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 10667c478bd9Sstevel@tonic-gate PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 10677c478bd9Sstevel@tonic-gate } 10687c478bd9Sstevel@tonic-gate } 10697c478bd9Sstevel@tonic-gate /* 10707c478bd9Sstevel@tonic-gate * If necessary, check privilege to see if update can be done. 10717c478bd9Sstevel@tonic-gate */ 10727c478bd9Sstevel@tonic-gate if (checkpriv && 10737c478bd9Sstevel@tonic-gate (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 10747c478bd9Sstevel@tonic-gate != 0) { 10757c478bd9Sstevel@tonic-gate goto out; 10767c478bd9Sstevel@tonic-gate } 10777c478bd9Sstevel@tonic-gate 10787c478bd9Sstevel@tonic-gate /* 10797c478bd9Sstevel@tonic-gate * If the file has either the set UID or set GID bits 10807c478bd9Sstevel@tonic-gate * set and the caller can set the bits, then leave them. 10817c478bd9Sstevel@tonic-gate */ 108213f9f30eSmarks secpolicy_setid_clear(vap, cr); 10837c478bd9Sstevel@tonic-gate } 10847c478bd9Sstevel@tonic-gate if (mask & (AT_ATIME|AT_MTIME)) { 10857c478bd9Sstevel@tonic-gate /* 10867c478bd9Sstevel@tonic-gate * If not the file owner and not otherwise privileged, 10877c478bd9Sstevel@tonic-gate * always return an error when setting the 10887c478bd9Sstevel@tonic-gate * time other than the current (ATTR_UTIME flag set). 10897c478bd9Sstevel@tonic-gate * If setting the current time (ATTR_UTIME not set) then 10907c478bd9Sstevel@tonic-gate * unlocked_access will check permissions according to policy. 10917c478bd9Sstevel@tonic-gate */ 10927c478bd9Sstevel@tonic-gate if (cr->cr_uid != ovap->va_uid) { 10937c478bd9Sstevel@tonic-gate if (flags & ATTR_UTIME) 10947c478bd9Sstevel@tonic-gate error = secpolicy_vnode_utime_modify(cr); 10957c478bd9Sstevel@tonic-gate else { 10967c478bd9Sstevel@tonic-gate error = unlocked_access(node, VWRITE, cr); 10977c478bd9Sstevel@tonic-gate if (error == EACCES && 10987c478bd9Sstevel@tonic-gate secpolicy_vnode_utime_modify(cr) == 0) 10997c478bd9Sstevel@tonic-gate error = 0; 11007c478bd9Sstevel@tonic-gate } 11017c478bd9Sstevel@tonic-gate if (error) 11027c478bd9Sstevel@tonic-gate goto out; 11037c478bd9Sstevel@tonic-gate } 11047c478bd9Sstevel@tonic-gate } 11057c478bd9Sstevel@tonic-gate out: 11067c478bd9Sstevel@tonic-gate return (error); 11077c478bd9Sstevel@tonic-gate } 11087c478bd9Sstevel@tonic-gate 11097c478bd9Sstevel@tonic-gate /* 11107c478bd9Sstevel@tonic-gate * Name: secpolicy_pcfs_modify_bootpartition() 11117c478bd9Sstevel@tonic-gate * 11127c478bd9Sstevel@tonic-gate * Normal: verify that subject can modify a pcfs boot partition. 11137c478bd9Sstevel@tonic-gate * 11147c478bd9Sstevel@tonic-gate * Output: EACCES - if privilege check failed. 11157c478bd9Sstevel@tonic-gate */ 11167c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 11177c478bd9Sstevel@tonic-gate int 11187c478bd9Sstevel@tonic-gate secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 11197c478bd9Sstevel@tonic-gate { 11207c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 11217c478bd9Sstevel@tonic-gate "modify pcfs boot partition")); 11227c478bd9Sstevel@tonic-gate } 11237c478bd9Sstevel@tonic-gate 11247c478bd9Sstevel@tonic-gate /* 11257c478bd9Sstevel@tonic-gate * System V IPC routines 11267c478bd9Sstevel@tonic-gate */ 11277c478bd9Sstevel@tonic-gate int 11287c478bd9Sstevel@tonic-gate secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 11297c478bd9Sstevel@tonic-gate { 11307c478bd9Sstevel@tonic-gate if (crgetzoneid(cr) != ip->ipc_zoneid || 11317c478bd9Sstevel@tonic-gate (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 11327c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 11337c478bd9Sstevel@tonic-gate if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 11347c478bd9Sstevel@tonic-gate allzone = B_TRUE; 11357c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 11367c478bd9Sstevel@tonic-gate } 11377c478bd9Sstevel@tonic-gate return (0); 11387c478bd9Sstevel@tonic-gate } 11397c478bd9Sstevel@tonic-gate 11407c478bd9Sstevel@tonic-gate int 11417c478bd9Sstevel@tonic-gate secpolicy_ipc_config(const cred_t *cr) 11427c478bd9Sstevel@tonic-gate { 11437c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 11447c478bd9Sstevel@tonic-gate } 11457c478bd9Sstevel@tonic-gate 11467c478bd9Sstevel@tonic-gate int 11477c478bd9Sstevel@tonic-gate secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 11487c478bd9Sstevel@tonic-gate { 11497c478bd9Sstevel@tonic-gate 11507c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 11517c478bd9Sstevel@tonic-gate 11527c478bd9Sstevel@tonic-gate ASSERT((mode & (MSG_R|MSG_W)) != 0); 11537c478bd9Sstevel@tonic-gate 11547c478bd9Sstevel@tonic-gate if ((mode & MSG_R) && 11557c478bd9Sstevel@tonic-gate PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 11567c478bd9Sstevel@tonic-gate return (EACCES); 11577c478bd9Sstevel@tonic-gate 11587c478bd9Sstevel@tonic-gate if (mode & MSG_W) { 11597c478bd9Sstevel@tonic-gate if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 11607c478bd9Sstevel@tonic-gate allzone = B_TRUE; 11617c478bd9Sstevel@tonic-gate 11627c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 11637c478bd9Sstevel@tonic-gate NULL)); 11647c478bd9Sstevel@tonic-gate } 11657c478bd9Sstevel@tonic-gate return (0); 11667c478bd9Sstevel@tonic-gate } 11677c478bd9Sstevel@tonic-gate 11687c478bd9Sstevel@tonic-gate int 11697c478bd9Sstevel@tonic-gate secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 11707c478bd9Sstevel@tonic-gate { 11717c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 11727c478bd9Sstevel@tonic-gate 11737c478bd9Sstevel@tonic-gate ASSERT((mode & (MSG_R|MSG_W)) != 0); 11747c478bd9Sstevel@tonic-gate 11757c478bd9Sstevel@tonic-gate if ((mode & MSG_R) && 11767c478bd9Sstevel@tonic-gate PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 11777c478bd9Sstevel@tonic-gate return (EACCES); 11787c478bd9Sstevel@tonic-gate 11797c478bd9Sstevel@tonic-gate if (mode & MSG_W) { 11807c478bd9Sstevel@tonic-gate if (cr->cr_uid != 0 && owner == 0) 11817c478bd9Sstevel@tonic-gate allzone = B_TRUE; 11827c478bd9Sstevel@tonic-gate 11837c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 11847c478bd9Sstevel@tonic-gate NULL)); 11857c478bd9Sstevel@tonic-gate } 11867c478bd9Sstevel@tonic-gate return (0); 11877c478bd9Sstevel@tonic-gate } 11887c478bd9Sstevel@tonic-gate 11897c478bd9Sstevel@tonic-gate /* 11907c478bd9Sstevel@tonic-gate * Audit configuration. 11917c478bd9Sstevel@tonic-gate */ 11927c478bd9Sstevel@tonic-gate int 11937c478bd9Sstevel@tonic-gate secpolicy_audit_config(const cred_t *cr) 11947c478bd9Sstevel@tonic-gate { 11957c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 11967c478bd9Sstevel@tonic-gate } 11977c478bd9Sstevel@tonic-gate 11987c478bd9Sstevel@tonic-gate /* 11997c478bd9Sstevel@tonic-gate * Audit record generation. 12007c478bd9Sstevel@tonic-gate */ 12017c478bd9Sstevel@tonic-gate int 12027c478bd9Sstevel@tonic-gate secpolicy_audit_modify(const cred_t *cr) 12037c478bd9Sstevel@tonic-gate { 12047c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 12057c478bd9Sstevel@tonic-gate } 12067c478bd9Sstevel@tonic-gate 12077c478bd9Sstevel@tonic-gate /* 12087c478bd9Sstevel@tonic-gate * Get audit attributes. 12097c478bd9Sstevel@tonic-gate * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 12107c478bd9Sstevel@tonic-gate * "Least" of the two privileges on error. 12117c478bd9Sstevel@tonic-gate */ 12127c478bd9Sstevel@tonic-gate int 12137c478bd9Sstevel@tonic-gate secpolicy_audit_getattr(const cred_t *cr) 12147c478bd9Sstevel@tonic-gate { 12157c478bd9Sstevel@tonic-gate if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 12167c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 12177c478bd9Sstevel@tonic-gate NULL)); 12187c478bd9Sstevel@tonic-gate } else { 12197c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 12207c478bd9Sstevel@tonic-gate } 12217c478bd9Sstevel@tonic-gate } 12227c478bd9Sstevel@tonic-gate 12237c478bd9Sstevel@tonic-gate 12247c478bd9Sstevel@tonic-gate /* 12257c478bd9Sstevel@tonic-gate * Locking physical memory 12267c478bd9Sstevel@tonic-gate */ 12277c478bd9Sstevel@tonic-gate int 12287c478bd9Sstevel@tonic-gate secpolicy_lock_memory(const cred_t *cr) 12297c478bd9Sstevel@tonic-gate { 12307c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 12317c478bd9Sstevel@tonic-gate } 12327c478bd9Sstevel@tonic-gate 12337c478bd9Sstevel@tonic-gate /* 12347c478bd9Sstevel@tonic-gate * Accounting (both acct(2) and exacct). 12357c478bd9Sstevel@tonic-gate */ 12367c478bd9Sstevel@tonic-gate int 12377c478bd9Sstevel@tonic-gate secpolicy_acct(const cred_t *cr) 12387c478bd9Sstevel@tonic-gate { 12397c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 12407c478bd9Sstevel@tonic-gate } 12417c478bd9Sstevel@tonic-gate 12427c478bd9Sstevel@tonic-gate /* 12437c478bd9Sstevel@tonic-gate * Is this process privileged to change its uids at will? 12447c478bd9Sstevel@tonic-gate * Uid 0 is still considered "special" and having the SETID 12457c478bd9Sstevel@tonic-gate * privilege is not sufficient to get uid 0. 12467c478bd9Sstevel@tonic-gate * Files are owned by root, so the privilege would give 12477c478bd9Sstevel@tonic-gate * full access and euid 0 is still effective. 12487c478bd9Sstevel@tonic-gate * 12497c478bd9Sstevel@tonic-gate * If you have the privilege and euid 0 only then do you 12507c478bd9Sstevel@tonic-gate * get the powers of root wrt uid 0. 12517c478bd9Sstevel@tonic-gate * 12527c478bd9Sstevel@tonic-gate * For gid manipulations, this is should be called with an 12537c478bd9Sstevel@tonic-gate * uid of -1. 12547c478bd9Sstevel@tonic-gate * 12557c478bd9Sstevel@tonic-gate */ 12567c478bd9Sstevel@tonic-gate int 12577c478bd9Sstevel@tonic-gate secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 12587c478bd9Sstevel@tonic-gate { 12597c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 12607c478bd9Sstevel@tonic-gate 12617c478bd9Sstevel@tonic-gate if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 12627c478bd9Sstevel@tonic-gate cr->cr_ruid != 0) { 12637c478bd9Sstevel@tonic-gate allzone = B_TRUE; 12647c478bd9Sstevel@tonic-gate } 12657c478bd9Sstevel@tonic-gate 12667c478bd9Sstevel@tonic-gate return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 12677c478bd9Sstevel@tonic-gate PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 12687c478bd9Sstevel@tonic-gate } 12697c478bd9Sstevel@tonic-gate 12707c478bd9Sstevel@tonic-gate 12717c478bd9Sstevel@tonic-gate /* 12727c478bd9Sstevel@tonic-gate * Acting on a different process: if the mode is for writing, 12737c478bd9Sstevel@tonic-gate * the restrictions are more severe. This is called after 12747c478bd9Sstevel@tonic-gate * we've verified that the uids do not match. 12757c478bd9Sstevel@tonic-gate */ 12767c478bd9Sstevel@tonic-gate int 12777c478bd9Sstevel@tonic-gate secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 12787c478bd9Sstevel@tonic-gate { 12797c478bd9Sstevel@tonic-gate boolean_t allzone = B_FALSE; 12807c478bd9Sstevel@tonic-gate 12817c478bd9Sstevel@tonic-gate if ((mode & VWRITE) && scr->cr_uid != 0 && 12827c478bd9Sstevel@tonic-gate (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 12837c478bd9Sstevel@tonic-gate allzone = B_TRUE; 12847c478bd9Sstevel@tonic-gate 12857c478bd9Sstevel@tonic-gate return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 12867c478bd9Sstevel@tonic-gate } 12877c478bd9Sstevel@tonic-gate 12887c478bd9Sstevel@tonic-gate int 12897c478bd9Sstevel@tonic-gate secpolicy_proc_access(const cred_t *scr) 12907c478bd9Sstevel@tonic-gate { 12917c478bd9Sstevel@tonic-gate return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 12927c478bd9Sstevel@tonic-gate } 12937c478bd9Sstevel@tonic-gate 12947c478bd9Sstevel@tonic-gate int 12957c478bd9Sstevel@tonic-gate secpolicy_proc_excl_open(const cred_t *scr) 12967c478bd9Sstevel@tonic-gate { 12977c478bd9Sstevel@tonic-gate return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 12987c478bd9Sstevel@tonic-gate } 12997c478bd9Sstevel@tonic-gate 13007c478bd9Sstevel@tonic-gate int 13017c478bd9Sstevel@tonic-gate secpolicy_proc_zone(const cred_t *scr) 13027c478bd9Sstevel@tonic-gate { 13037c478bd9Sstevel@tonic-gate return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 13047c478bd9Sstevel@tonic-gate } 13057c478bd9Sstevel@tonic-gate 13067c478bd9Sstevel@tonic-gate /* 13077c478bd9Sstevel@tonic-gate * Destroying the system 13087c478bd9Sstevel@tonic-gate */ 13097c478bd9Sstevel@tonic-gate 13107c478bd9Sstevel@tonic-gate int 13117c478bd9Sstevel@tonic-gate secpolicy_kmdb(const cred_t *scr) 13127c478bd9Sstevel@tonic-gate { 13137c478bd9Sstevel@tonic-gate return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 13147c478bd9Sstevel@tonic-gate } 13157c478bd9Sstevel@tonic-gate 13167aec1d6eScindi int 13177aec1d6eScindi secpolicy_error_inject(const cred_t *scr) 13187aec1d6eScindi { 13197aec1d6eScindi return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 13207aec1d6eScindi } 13217aec1d6eScindi 13227c478bd9Sstevel@tonic-gate /* 13237c478bd9Sstevel@tonic-gate * Processor sets, cpu configuration, resource pools. 13247c478bd9Sstevel@tonic-gate */ 13257c478bd9Sstevel@tonic-gate int 13267c478bd9Sstevel@tonic-gate secpolicy_pset(const cred_t *cr) 13277c478bd9Sstevel@tonic-gate { 13287c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 13297c478bd9Sstevel@tonic-gate } 13307c478bd9Sstevel@tonic-gate 13317c478bd9Sstevel@tonic-gate int 13327c478bd9Sstevel@tonic-gate secpolicy_ponline(const cred_t *cr) 13337c478bd9Sstevel@tonic-gate { 13347c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 13357c478bd9Sstevel@tonic-gate } 13367c478bd9Sstevel@tonic-gate 13377c478bd9Sstevel@tonic-gate int 13387c478bd9Sstevel@tonic-gate secpolicy_pool(const cred_t *cr) 13397c478bd9Sstevel@tonic-gate { 13407c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 13417c478bd9Sstevel@tonic-gate } 13427c478bd9Sstevel@tonic-gate 13437c478bd9Sstevel@tonic-gate int 13447c478bd9Sstevel@tonic-gate secpolicy_blacklist(const cred_t *cr) 13457c478bd9Sstevel@tonic-gate { 13467c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 13477c478bd9Sstevel@tonic-gate } 13487c478bd9Sstevel@tonic-gate 13497c478bd9Sstevel@tonic-gate /* 13507c478bd9Sstevel@tonic-gate * Catch all system configuration. 13517c478bd9Sstevel@tonic-gate */ 13527c478bd9Sstevel@tonic-gate int 13537c478bd9Sstevel@tonic-gate secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 13547c478bd9Sstevel@tonic-gate { 13557c478bd9Sstevel@tonic-gate if (checkonly) { 13567c478bd9Sstevel@tonic-gate return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 13577c478bd9Sstevel@tonic-gate EPERM); 13587c478bd9Sstevel@tonic-gate } else { 13597c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 13607c478bd9Sstevel@tonic-gate } 13617c478bd9Sstevel@tonic-gate } 13627c478bd9Sstevel@tonic-gate 13637c478bd9Sstevel@tonic-gate /* 13647c478bd9Sstevel@tonic-gate * Zone administration (halt, reboot, etc.) from within zone. 13657c478bd9Sstevel@tonic-gate */ 13667c478bd9Sstevel@tonic-gate int 13677c478bd9Sstevel@tonic-gate secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 13687c478bd9Sstevel@tonic-gate { 13697c478bd9Sstevel@tonic-gate if (checkonly) { 13707c478bd9Sstevel@tonic-gate return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 13717c478bd9Sstevel@tonic-gate EPERM); 13727c478bd9Sstevel@tonic-gate } else { 13737c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 13747c478bd9Sstevel@tonic-gate NULL)); 13757c478bd9Sstevel@tonic-gate } 13767c478bd9Sstevel@tonic-gate } 13777c478bd9Sstevel@tonic-gate 13787c478bd9Sstevel@tonic-gate /* 13797c478bd9Sstevel@tonic-gate * Zone configuration (create, halt, enter). 13807c478bd9Sstevel@tonic-gate */ 13817c478bd9Sstevel@tonic-gate int 13827c478bd9Sstevel@tonic-gate secpolicy_zone_config(const cred_t *cr) 13837c478bd9Sstevel@tonic-gate { 13847c478bd9Sstevel@tonic-gate /* 13857c478bd9Sstevel@tonic-gate * Require all privileges to avoid possibility of privilege 13867c478bd9Sstevel@tonic-gate * escalation. 13877c478bd9Sstevel@tonic-gate */ 13887c478bd9Sstevel@tonic-gate return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 13897c478bd9Sstevel@tonic-gate } 13907c478bd9Sstevel@tonic-gate 13917c478bd9Sstevel@tonic-gate /* 13927c478bd9Sstevel@tonic-gate * Various other system configuration calls 13937c478bd9Sstevel@tonic-gate */ 13947c478bd9Sstevel@tonic-gate int 13957c478bd9Sstevel@tonic-gate secpolicy_coreadm(const cred_t *cr) 13967c478bd9Sstevel@tonic-gate { 13977c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 13987c478bd9Sstevel@tonic-gate } 13997c478bd9Sstevel@tonic-gate 14007c478bd9Sstevel@tonic-gate int 14017c478bd9Sstevel@tonic-gate secpolicy_systeminfo(const cred_t *cr) 14027c478bd9Sstevel@tonic-gate { 14037c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 14047c478bd9Sstevel@tonic-gate } 14057c478bd9Sstevel@tonic-gate 14067c478bd9Sstevel@tonic-gate int 14077c478bd9Sstevel@tonic-gate secpolicy_dispadm(const cred_t *cr) 14087c478bd9Sstevel@tonic-gate { 14097c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 14107c478bd9Sstevel@tonic-gate } 14117c478bd9Sstevel@tonic-gate 14127c478bd9Sstevel@tonic-gate int 14137c478bd9Sstevel@tonic-gate secpolicy_settime(const cred_t *cr) 14147c478bd9Sstevel@tonic-gate { 14157c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 14167c478bd9Sstevel@tonic-gate } 14177c478bd9Sstevel@tonic-gate 14187c478bd9Sstevel@tonic-gate /* 14197c478bd9Sstevel@tonic-gate * For realtime users: high resolution clock. 14207c478bd9Sstevel@tonic-gate */ 14217c478bd9Sstevel@tonic-gate int 14227c478bd9Sstevel@tonic-gate secpolicy_clock_highres(const cred_t *cr) 14237c478bd9Sstevel@tonic-gate { 14247c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 14257c478bd9Sstevel@tonic-gate NULL)); 14267c478bd9Sstevel@tonic-gate } 14277c478bd9Sstevel@tonic-gate 14287c478bd9Sstevel@tonic-gate /* 14297c478bd9Sstevel@tonic-gate * drv_priv() is documented as callable from interrupt context, not that 14307c478bd9Sstevel@tonic-gate * anyone ever does, but still. No debugging or auditing can be done when 14317c478bd9Sstevel@tonic-gate * it is called from interrupt context. 14327c478bd9Sstevel@tonic-gate * returns 0 on succes, EPERM on failure. 14337c478bd9Sstevel@tonic-gate */ 14347c478bd9Sstevel@tonic-gate int 14357c478bd9Sstevel@tonic-gate drv_priv(cred_t *cr) 14367c478bd9Sstevel@tonic-gate { 14377c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 14387c478bd9Sstevel@tonic-gate } 14397c478bd9Sstevel@tonic-gate 14407c478bd9Sstevel@tonic-gate int 14417c478bd9Sstevel@tonic-gate secpolicy_sys_devices(const cred_t *cr) 14427c478bd9Sstevel@tonic-gate { 14437c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 14447c478bd9Sstevel@tonic-gate } 14457c478bd9Sstevel@tonic-gate 14467c478bd9Sstevel@tonic-gate int 14477c478bd9Sstevel@tonic-gate secpolicy_excl_open(const cred_t *cr) 14487c478bd9Sstevel@tonic-gate { 14497c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 14507c478bd9Sstevel@tonic-gate } 14517c478bd9Sstevel@tonic-gate 14527c478bd9Sstevel@tonic-gate int 14537c478bd9Sstevel@tonic-gate secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 14547c478bd9Sstevel@tonic-gate { 14557c478bd9Sstevel@tonic-gate /* zone.* rctls can only be set from the global zone */ 14567c478bd9Sstevel@tonic-gate if (is_zone_rctl && priv_policy_global(cr) != 0) 14577c478bd9Sstevel@tonic-gate return (EPERM); 14587c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 14597c478bd9Sstevel@tonic-gate } 14607c478bd9Sstevel@tonic-gate 14617c478bd9Sstevel@tonic-gate int 14627c478bd9Sstevel@tonic-gate secpolicy_resource(const cred_t *cr) 14637c478bd9Sstevel@tonic-gate { 14647c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 14657c478bd9Sstevel@tonic-gate } 14667c478bd9Sstevel@tonic-gate 14677c478bd9Sstevel@tonic-gate /* 14687c478bd9Sstevel@tonic-gate * Processes with a real uid of 0 escape any form of accounting, much 14697c478bd9Sstevel@tonic-gate * like before. 14707c478bd9Sstevel@tonic-gate */ 14717c478bd9Sstevel@tonic-gate int 14727c478bd9Sstevel@tonic-gate secpolicy_newproc(const cred_t *cr) 14737c478bd9Sstevel@tonic-gate { 14747c478bd9Sstevel@tonic-gate if (cr->cr_ruid == 0) 14757c478bd9Sstevel@tonic-gate return (0); 14767c478bd9Sstevel@tonic-gate 14777c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 14787c478bd9Sstevel@tonic-gate } 14797c478bd9Sstevel@tonic-gate 14807c478bd9Sstevel@tonic-gate /* 14817c478bd9Sstevel@tonic-gate * Networking 14827c478bd9Sstevel@tonic-gate */ 14837c478bd9Sstevel@tonic-gate int 14847c478bd9Sstevel@tonic-gate secpolicy_net_rawaccess(const cred_t *cr) 14857c478bd9Sstevel@tonic-gate { 14867c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 14877c478bd9Sstevel@tonic-gate } 14887c478bd9Sstevel@tonic-gate 14897c478bd9Sstevel@tonic-gate /* 14907c478bd9Sstevel@tonic-gate * Need this privilege for accessing the ICMP device 14917c478bd9Sstevel@tonic-gate */ 14927c478bd9Sstevel@tonic-gate int 14937c478bd9Sstevel@tonic-gate secpolicy_net_icmpaccess(const cred_t *cr) 14947c478bd9Sstevel@tonic-gate { 14957c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 14967c478bd9Sstevel@tonic-gate } 14977c478bd9Sstevel@tonic-gate 14987c478bd9Sstevel@tonic-gate /* 14997c478bd9Sstevel@tonic-gate * There are a few rare cases where the kernel generates ioctls() from 15007c478bd9Sstevel@tonic-gate * interrupt context with a credential of kcred rather than NULL. 15017c478bd9Sstevel@tonic-gate * In those cases, we take the safe and cheap test. 15027c478bd9Sstevel@tonic-gate */ 15037c478bd9Sstevel@tonic-gate int 15047c478bd9Sstevel@tonic-gate secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 15057c478bd9Sstevel@tonic-gate { 15067c478bd9Sstevel@tonic-gate if (checkonly) { 15077c478bd9Sstevel@tonic-gate return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 15087c478bd9Sstevel@tonic-gate 0 : EPERM); 15097c478bd9Sstevel@tonic-gate } else { 15107c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 15117c478bd9Sstevel@tonic-gate NULL)); 15127c478bd9Sstevel@tonic-gate } 15137c478bd9Sstevel@tonic-gate } 15147c478bd9Sstevel@tonic-gate 15157c478bd9Sstevel@tonic-gate 15167c478bd9Sstevel@tonic-gate /* 1517*e6bdcbd5Sdh155122 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1518f4b3ec61Sdh155122 * 1519f4b3ec61Sdh155122 * There are a few rare cases where the kernel generates ioctls() from 1520f4b3ec61Sdh155122 * interrupt context with a credential of kcred rather than NULL. 1521f4b3ec61Sdh155122 * In those cases, we take the safe and cheap test. 1522f4b3ec61Sdh155122 */ 1523f4b3ec61Sdh155122 int 1524f4b3ec61Sdh155122 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1525f4b3ec61Sdh155122 { 1526f4b3ec61Sdh155122 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1527f4b3ec61Sdh155122 return (secpolicy_net_config(cr, checkonly)); 1528f4b3ec61Sdh155122 1529f4b3ec61Sdh155122 if (checkonly) { 1530f4b3ec61Sdh155122 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1531f4b3ec61Sdh155122 0 : EPERM); 1532f4b3ec61Sdh155122 } else { 1533f4b3ec61Sdh155122 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1534f4b3ec61Sdh155122 NULL)); 1535f4b3ec61Sdh155122 } 1536f4b3ec61Sdh155122 } 1537f4b3ec61Sdh155122 1538f4b3ec61Sdh155122 1539f4b3ec61Sdh155122 /* 1540f4b3ec61Sdh155122 * Map IP pseudo privileges to actual privileges. 1541f4b3ec61Sdh155122 * So we don't need to recompile IP when we change the privileges. 1542f4b3ec61Sdh155122 */ 1543f4b3ec61Sdh155122 int 1544f4b3ec61Sdh155122 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1545f4b3ec61Sdh155122 { 1546f4b3ec61Sdh155122 int priv = PRIV_ALL; 1547f4b3ec61Sdh155122 1548f4b3ec61Sdh155122 switch (netpriv) { 1549f4b3ec61Sdh155122 case OP_CONFIG: 1550f4b3ec61Sdh155122 priv = PRIV_SYS_IP_CONFIG; 1551f4b3ec61Sdh155122 break; 1552f4b3ec61Sdh155122 case OP_RAW: 1553f4b3ec61Sdh155122 priv = PRIV_NET_RAWACCESS; 1554f4b3ec61Sdh155122 break; 1555f4b3ec61Sdh155122 case OP_PRIVPORT: 1556f4b3ec61Sdh155122 priv = PRIV_NET_PRIVADDR; 1557f4b3ec61Sdh155122 break; 1558f4b3ec61Sdh155122 } 1559f4b3ec61Sdh155122 ASSERT(priv != PRIV_ALL); 1560f4b3ec61Sdh155122 if (checkonly) 1561f4b3ec61Sdh155122 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1562f4b3ec61Sdh155122 else 1563f4b3ec61Sdh155122 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1564f4b3ec61Sdh155122 } 1565f4b3ec61Sdh155122 1566f4b3ec61Sdh155122 /* 15677c478bd9Sstevel@tonic-gate * Map network pseudo privileges to actual privileges. 15687c478bd9Sstevel@tonic-gate * So we don't need to recompile IP when we change the privileges. 15697c478bd9Sstevel@tonic-gate */ 15707c478bd9Sstevel@tonic-gate int 15717c478bd9Sstevel@tonic-gate secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 15727c478bd9Sstevel@tonic-gate { 15737c478bd9Sstevel@tonic-gate int priv = PRIV_ALL; 15747c478bd9Sstevel@tonic-gate 15757c478bd9Sstevel@tonic-gate switch (netpriv) { 15767c478bd9Sstevel@tonic-gate case OP_CONFIG: 15777c478bd9Sstevel@tonic-gate priv = PRIV_SYS_NET_CONFIG; 15787c478bd9Sstevel@tonic-gate break; 15797c478bd9Sstevel@tonic-gate case OP_RAW: 15807c478bd9Sstevel@tonic-gate priv = PRIV_NET_RAWACCESS; 15817c478bd9Sstevel@tonic-gate break; 15827c478bd9Sstevel@tonic-gate case OP_PRIVPORT: 15837c478bd9Sstevel@tonic-gate priv = PRIV_NET_PRIVADDR; 15847c478bd9Sstevel@tonic-gate break; 15857c478bd9Sstevel@tonic-gate } 15867c478bd9Sstevel@tonic-gate ASSERT(priv != PRIV_ALL); 15877c478bd9Sstevel@tonic-gate if (checkonly) 15887c478bd9Sstevel@tonic-gate return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 15897c478bd9Sstevel@tonic-gate else 15907c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 15917c478bd9Sstevel@tonic-gate } 15927c478bd9Sstevel@tonic-gate 15937c478bd9Sstevel@tonic-gate /* 15947c478bd9Sstevel@tonic-gate * Checks for operations that are either client-only or are used by 15957c478bd9Sstevel@tonic-gate * both clients and servers. 15967c478bd9Sstevel@tonic-gate */ 15977c478bd9Sstevel@tonic-gate int 15987c478bd9Sstevel@tonic-gate secpolicy_nfs(const cred_t *cr) 15997c478bd9Sstevel@tonic-gate { 16007c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 16017c478bd9Sstevel@tonic-gate } 16027c478bd9Sstevel@tonic-gate 16037c478bd9Sstevel@tonic-gate /* 16047c478bd9Sstevel@tonic-gate * Special case for opening rpcmod: have NFS privileges or network 16057c478bd9Sstevel@tonic-gate * config privileges. 16067c478bd9Sstevel@tonic-gate */ 16077c478bd9Sstevel@tonic-gate int 16087c478bd9Sstevel@tonic-gate secpolicy_rpcmod_open(const cred_t *cr) 16097c478bd9Sstevel@tonic-gate { 16107c478bd9Sstevel@tonic-gate if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 16117c478bd9Sstevel@tonic-gate return (secpolicy_nfs(cr)); 16127c478bd9Sstevel@tonic-gate else 16137c478bd9Sstevel@tonic-gate return (secpolicy_net_config(cr, NULL)); 16147c478bd9Sstevel@tonic-gate } 16157c478bd9Sstevel@tonic-gate 16167c478bd9Sstevel@tonic-gate int 16177c478bd9Sstevel@tonic-gate secpolicy_chroot(const cred_t *cr) 16187c478bd9Sstevel@tonic-gate { 16197c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 16207c478bd9Sstevel@tonic-gate } 16217c478bd9Sstevel@tonic-gate 16227c478bd9Sstevel@tonic-gate int 16237c478bd9Sstevel@tonic-gate secpolicy_tasksys(const cred_t *cr) 16247c478bd9Sstevel@tonic-gate { 16257c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 16267c478bd9Sstevel@tonic-gate } 16277c478bd9Sstevel@tonic-gate 16287c478bd9Sstevel@tonic-gate /* 16297c478bd9Sstevel@tonic-gate * Basic privilege checks. 16307c478bd9Sstevel@tonic-gate */ 16317c478bd9Sstevel@tonic-gate int 16327c478bd9Sstevel@tonic-gate secpolicy_basic_exec(const cred_t *cr) 16337c478bd9Sstevel@tonic-gate { 16347c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 16357c478bd9Sstevel@tonic-gate } 16367c478bd9Sstevel@tonic-gate 16377c478bd9Sstevel@tonic-gate int 16387c478bd9Sstevel@tonic-gate secpolicy_basic_fork(const cred_t *cr) 16397c478bd9Sstevel@tonic-gate { 16407c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 16417c478bd9Sstevel@tonic-gate } 16427c478bd9Sstevel@tonic-gate 16437c478bd9Sstevel@tonic-gate int 16447c478bd9Sstevel@tonic-gate secpolicy_basic_proc(const cred_t *cr) 16457c478bd9Sstevel@tonic-gate { 16467c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 16477c478bd9Sstevel@tonic-gate } 16487c478bd9Sstevel@tonic-gate 16497c478bd9Sstevel@tonic-gate /* 16507c478bd9Sstevel@tonic-gate * Slightly complicated because we don't want to trigger the policy too 16517c478bd9Sstevel@tonic-gate * often. First we shortcircuit access to "self" (tp == sp) or if 16527c478bd9Sstevel@tonic-gate * we don't have the privilege but if we have permission 16537c478bd9Sstevel@tonic-gate * just return (0) and we don't flag the privilege as needed. 16547c478bd9Sstevel@tonic-gate * Else, we test for the privilege because we either have it or need it. 16557c478bd9Sstevel@tonic-gate */ 16567c478bd9Sstevel@tonic-gate int 16577c478bd9Sstevel@tonic-gate secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 16587c478bd9Sstevel@tonic-gate { 16597c478bd9Sstevel@tonic-gate if (tp == sp || 16607c478bd9Sstevel@tonic-gate !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 16617c478bd9Sstevel@tonic-gate return (0); 16627c478bd9Sstevel@tonic-gate } else { 16637c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 16647c478bd9Sstevel@tonic-gate } 16657c478bd9Sstevel@tonic-gate } 16667c478bd9Sstevel@tonic-gate 16677c478bd9Sstevel@tonic-gate int 16687c478bd9Sstevel@tonic-gate secpolicy_basic_link(const cred_t *cr) 16697c478bd9Sstevel@tonic-gate { 16707c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 16717c478bd9Sstevel@tonic-gate } 16727c478bd9Sstevel@tonic-gate 16737c478bd9Sstevel@tonic-gate /* 16747c478bd9Sstevel@tonic-gate * Additional device protection. 16757c478bd9Sstevel@tonic-gate * 16767c478bd9Sstevel@tonic-gate * Traditionally, a device has specific permissions on the node in 16777c478bd9Sstevel@tonic-gate * the filesystem which govern which devices can be opened by what 16787c478bd9Sstevel@tonic-gate * processes. In certain cases, it is desirable to add extra 16797c478bd9Sstevel@tonic-gate * restrictions, as writing to certain devices is identical to 16807c478bd9Sstevel@tonic-gate * having a complete run of the system. 16817c478bd9Sstevel@tonic-gate * 16827c478bd9Sstevel@tonic-gate * This mechanism is called the device policy. 16837c478bd9Sstevel@tonic-gate * 16847c478bd9Sstevel@tonic-gate * When a device is opened, its policy entry is looked up in the 16857c478bd9Sstevel@tonic-gate * policy cache and checked. 16867c478bd9Sstevel@tonic-gate */ 16877c478bd9Sstevel@tonic-gate int 16887c478bd9Sstevel@tonic-gate secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 16897c478bd9Sstevel@tonic-gate { 16907c478bd9Sstevel@tonic-gate devplcy_t *plcy; 16917c478bd9Sstevel@tonic-gate int err; 16927c478bd9Sstevel@tonic-gate struct snode *csp = VTOS(common_specvp(vp)); 1693*e6bdcbd5Sdh155122 priv_set_t pset; 16947c478bd9Sstevel@tonic-gate 16957c478bd9Sstevel@tonic-gate mutex_enter(&csp->s_lock); 16967c478bd9Sstevel@tonic-gate 16977c478bd9Sstevel@tonic-gate if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 16987c478bd9Sstevel@tonic-gate plcy = devpolicy_find(vp); 16997c478bd9Sstevel@tonic-gate if (csp->s_plcy) 17007c478bd9Sstevel@tonic-gate dpfree(csp->s_plcy); 17017c478bd9Sstevel@tonic-gate csp->s_plcy = plcy; 17027c478bd9Sstevel@tonic-gate ASSERT(plcy != NULL); 17037c478bd9Sstevel@tonic-gate } else 17047c478bd9Sstevel@tonic-gate plcy = csp->s_plcy; 17057c478bd9Sstevel@tonic-gate 17067c478bd9Sstevel@tonic-gate if (plcy == nullpolicy) { 17077c478bd9Sstevel@tonic-gate mutex_exit(&csp->s_lock); 17087c478bd9Sstevel@tonic-gate return (0); 17097c478bd9Sstevel@tonic-gate } 17107c478bd9Sstevel@tonic-gate 17117c478bd9Sstevel@tonic-gate dphold(plcy); 17127c478bd9Sstevel@tonic-gate 17137c478bd9Sstevel@tonic-gate mutex_exit(&csp->s_lock); 17147c478bd9Sstevel@tonic-gate 1715*e6bdcbd5Sdh155122 if (oflag & FWRITE) 1716*e6bdcbd5Sdh155122 pset = plcy->dp_wrp; 1717*e6bdcbd5Sdh155122 else 1718*e6bdcbd5Sdh155122 pset = plcy->dp_rdp; 1719*e6bdcbd5Sdh155122 /* 1720*e6bdcbd5Sdh155122 * Special case: 1721*e6bdcbd5Sdh155122 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1722*e6bdcbd5Sdh155122 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1723*e6bdcbd5Sdh155122 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1724*e6bdcbd5Sdh155122 * in the required privilege set before doing the check. 1725*e6bdcbd5Sdh155122 */ 1726*e6bdcbd5Sdh155122 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1727*e6bdcbd5Sdh155122 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1728*e6bdcbd5Sdh155122 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1729*e6bdcbd5Sdh155122 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1730*e6bdcbd5Sdh155122 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1731*e6bdcbd5Sdh155122 } 1732*e6bdcbd5Sdh155122 1733*e6bdcbd5Sdh155122 err = secpolicy_require_set(cr, &pset, "devpolicy"); 17347c478bd9Sstevel@tonic-gate dpfree(plcy); 17357c478bd9Sstevel@tonic-gate 17367c478bd9Sstevel@tonic-gate return (err); 17377c478bd9Sstevel@tonic-gate } 17387c478bd9Sstevel@tonic-gate 17397c478bd9Sstevel@tonic-gate int 17407c478bd9Sstevel@tonic-gate secpolicy_modctl(const cred_t *cr, int cmd) 17417c478bd9Sstevel@tonic-gate { 17427c478bd9Sstevel@tonic-gate switch (cmd) { 17437c478bd9Sstevel@tonic-gate case MODINFO: 1744a08731ecScth case MODGETMAJBIND: 17457c478bd9Sstevel@tonic-gate case MODGETPATH: 17467c478bd9Sstevel@tonic-gate case MODGETPATHLEN: 17477c478bd9Sstevel@tonic-gate case MODGETNAME: 1748a08731ecScth case MODGETFBNAME: 17497c478bd9Sstevel@tonic-gate case MODGETDEVPOLICY: 17507c478bd9Sstevel@tonic-gate case MODGETDEVPOLICYBYNAME: 1751a08731ecScth case MODDEVT2INSTANCE: 1752a08731ecScth case MODSIZEOF_DEVID: 1753a08731ecScth case MODGETDEVID: 1754a08731ecScth case MODSIZEOF_MINORNAME: 1755a08731ecScth case MODGETMINORNAME: 1756a08731ecScth case MODGETDEVFSPATH_LEN: 1757a08731ecScth case MODGETDEVFSPATH: 1758a08731ecScth case MODGETDEVFSPATH_MI_LEN: 1759a08731ecScth case MODGETDEVFSPATH_MI: 17607c478bd9Sstevel@tonic-gate /* Unprivileged */ 17617c478bd9Sstevel@tonic-gate return (0); 17627c478bd9Sstevel@tonic-gate case MODLOAD: 17637c478bd9Sstevel@tonic-gate case MODSETDEVPOLICY: 17647c478bd9Sstevel@tonic-gate return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 17657c478bd9Sstevel@tonic-gate default: 17667c478bd9Sstevel@tonic-gate return (secpolicy_sys_config(cr, B_FALSE)); 17677c478bd9Sstevel@tonic-gate } 17687c478bd9Sstevel@tonic-gate } 17697c478bd9Sstevel@tonic-gate 17707c478bd9Sstevel@tonic-gate int 17717c478bd9Sstevel@tonic-gate secpolicy_console(const cred_t *cr) 17727c478bd9Sstevel@tonic-gate { 17737c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 17747c478bd9Sstevel@tonic-gate } 17757c478bd9Sstevel@tonic-gate 17767c478bd9Sstevel@tonic-gate int 17777c478bd9Sstevel@tonic-gate secpolicy_power_mgmt(const cred_t *cr) 17787c478bd9Sstevel@tonic-gate { 17797c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 17807c478bd9Sstevel@tonic-gate } 17817c478bd9Sstevel@tonic-gate 17827c478bd9Sstevel@tonic-gate /* 17837c478bd9Sstevel@tonic-gate * Simulate terminal input; another escalation of privileges avenue. 17847c478bd9Sstevel@tonic-gate */ 17857c478bd9Sstevel@tonic-gate 17867c478bd9Sstevel@tonic-gate int 17877c478bd9Sstevel@tonic-gate secpolicy_sti(const cred_t *cr) 17887c478bd9Sstevel@tonic-gate { 17897c478bd9Sstevel@tonic-gate return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 17907c478bd9Sstevel@tonic-gate } 17917c478bd9Sstevel@tonic-gate 179245916cd2Sjpk boolean_t 179345916cd2Sjpk secpolicy_net_reply_equal(const cred_t *cr) 179445916cd2Sjpk { 179545916cd2Sjpk return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 179645916cd2Sjpk } 179745916cd2Sjpk 17987c478bd9Sstevel@tonic-gate int 17997c478bd9Sstevel@tonic-gate secpolicy_swapctl(const cred_t *cr) 18007c478bd9Sstevel@tonic-gate { 18017c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 18027c478bd9Sstevel@tonic-gate } 18037c478bd9Sstevel@tonic-gate 18047c478bd9Sstevel@tonic-gate int 18057c478bd9Sstevel@tonic-gate secpolicy_cpc_cpu(const cred_t *cr) 18067c478bd9Sstevel@tonic-gate { 18077c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 18087c478bd9Sstevel@tonic-gate } 18097c478bd9Sstevel@tonic-gate 18107c478bd9Sstevel@tonic-gate /* 18117c478bd9Sstevel@tonic-gate * secpolicy_contract_observer 18127c478bd9Sstevel@tonic-gate * 18137c478bd9Sstevel@tonic-gate * Determine if the subject may observe a specific contract's events. 18147c478bd9Sstevel@tonic-gate */ 18157c478bd9Sstevel@tonic-gate int 18167c478bd9Sstevel@tonic-gate secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 18177c478bd9Sstevel@tonic-gate { 18187c478bd9Sstevel@tonic-gate if (contract_owned(ct, cr, B_FALSE)) 18197c478bd9Sstevel@tonic-gate return (0); 18207c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 18217c478bd9Sstevel@tonic-gate } 18227c478bd9Sstevel@tonic-gate 18237c478bd9Sstevel@tonic-gate /* 18247c478bd9Sstevel@tonic-gate * secpolicy_contract_observer_choice 18257c478bd9Sstevel@tonic-gate * 18267c478bd9Sstevel@tonic-gate * Determine if the subject may observe any contract's events. Just 18277c478bd9Sstevel@tonic-gate * tests privilege and audits on success. 18287c478bd9Sstevel@tonic-gate */ 18297c478bd9Sstevel@tonic-gate boolean_t 18307c478bd9Sstevel@tonic-gate secpolicy_contract_observer_choice(const cred_t *cr) 18317c478bd9Sstevel@tonic-gate { 18327c478bd9Sstevel@tonic-gate return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 18337c478bd9Sstevel@tonic-gate } 18347c478bd9Sstevel@tonic-gate 18357c478bd9Sstevel@tonic-gate /* 18367c478bd9Sstevel@tonic-gate * secpolicy_contract_event 18377c478bd9Sstevel@tonic-gate * 18387c478bd9Sstevel@tonic-gate * Determine if the subject may request critical contract events or 18397c478bd9Sstevel@tonic-gate * reliable contract event delivery. 18407c478bd9Sstevel@tonic-gate */ 18417c478bd9Sstevel@tonic-gate int 18427c478bd9Sstevel@tonic-gate secpolicy_contract_event(const cred_t *cr) 18437c478bd9Sstevel@tonic-gate { 18447c478bd9Sstevel@tonic-gate return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 18457c478bd9Sstevel@tonic-gate } 18467c478bd9Sstevel@tonic-gate 18477c478bd9Sstevel@tonic-gate /* 18487c478bd9Sstevel@tonic-gate * secpolicy_contract_event_choice 18497c478bd9Sstevel@tonic-gate * 18507c478bd9Sstevel@tonic-gate * Determine if the subject may retain contract events in its critical 18517c478bd9Sstevel@tonic-gate * set when a change in other terms would normally require a change in 18527c478bd9Sstevel@tonic-gate * the critical set. Just tests privilege and audits on success. 18537c478bd9Sstevel@tonic-gate */ 18547c478bd9Sstevel@tonic-gate boolean_t 18557c478bd9Sstevel@tonic-gate secpolicy_contract_event_choice(const cred_t *cr) 18567c478bd9Sstevel@tonic-gate { 18577c478bd9Sstevel@tonic-gate return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 18587c478bd9Sstevel@tonic-gate } 18597c478bd9Sstevel@tonic-gate 18607c478bd9Sstevel@tonic-gate /* 1861ea8dc4b6Seschrock * secpolicy_gart_access 18627c478bd9Sstevel@tonic-gate * 1863ea8dc4b6Seschrock * Determine if the subject has sufficient priveleges to make ioctls to agpgart 1864ea8dc4b6Seschrock * device. 18657c478bd9Sstevel@tonic-gate */ 18667c478bd9Sstevel@tonic-gate int 18677c478bd9Sstevel@tonic-gate secpolicy_gart_access(const cred_t *cr) 18687c478bd9Sstevel@tonic-gate { 186926f24838Scasper return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 18707c478bd9Sstevel@tonic-gate } 18717c478bd9Sstevel@tonic-gate 18727c478bd9Sstevel@tonic-gate /* 1873ea8dc4b6Seschrock * secpolicy_gart_map 18747c478bd9Sstevel@tonic-gate * 1875ea8dc4b6Seschrock * Determine if the subject has sufficient priveleges to map aperture range 1876ea8dc4b6Seschrock * through agpgart driver. 18777c478bd9Sstevel@tonic-gate */ 18787c478bd9Sstevel@tonic-gate int 18797c478bd9Sstevel@tonic-gate secpolicy_gart_map(const cred_t *cr) 18807c478bd9Sstevel@tonic-gate { 188126f24838Scasper if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 188226f24838Scasper return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 188326f24838Scasper NULL)); 188426f24838Scasper } else { 188526f24838Scasper return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 188626f24838Scasper NULL)); 18877c478bd9Sstevel@tonic-gate } 18887c478bd9Sstevel@tonic-gate } 1889fa9e4066Sahrens 1890fa9e4066Sahrens /* 1891ea8dc4b6Seschrock * secpolicy_zinject 1892ea8dc4b6Seschrock * 1893ea8dc4b6Seschrock * Determine if the subject can inject faults in the ZFS fault injection 1894ea8dc4b6Seschrock * framework. Requires all privileges. 1895ea8dc4b6Seschrock */ 1896ea8dc4b6Seschrock int 1897ea8dc4b6Seschrock secpolicy_zinject(const cred_t *cr) 1898ea8dc4b6Seschrock { 1899ea8dc4b6Seschrock return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1900ea8dc4b6Seschrock } 1901ea8dc4b6Seschrock 1902ea8dc4b6Seschrock /* 1903fa9e4066Sahrens * secpolicy_zfs 1904fa9e4066Sahrens * 1905ea8dc4b6Seschrock * Determine if the subject has permission to manipulate ZFS datasets 1906ea8dc4b6Seschrock * (not pools). Equivalent to the SYS_MOUNT privilege. 1907fa9e4066Sahrens */ 1908fa9e4066Sahrens int 1909fa9e4066Sahrens secpolicy_zfs(const cred_t *cr) 1910fa9e4066Sahrens { 1911fa9e4066Sahrens return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1912fa9e4066Sahrens } 1913f48205beScasper 1914f48205beScasper /* 1915f48205beScasper * secpolicy_idmap 1916f48205beScasper * 1917f48205beScasper * Determine if the calling process has permissions to register an SID 1918f48205beScasper * mapping daemon and allocate ephemeral IDs. 1919f48205beScasper */ 1920f48205beScasper int 1921f48205beScasper secpolicy_idmap(const cred_t *cr) 1922f48205beScasper { 1923f48205beScasper return (PRIV_POLICY(cr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1924f48205beScasper } 19252449e17fSsherrym 19262449e17fSsherrym /* 19272449e17fSsherrym * secpolicy_ucode_update 19282449e17fSsherrym * 19292449e17fSsherrym * Determine if the subject has sufficient privilege to update microcode. 19302449e17fSsherrym */ 19312449e17fSsherrym int 19322449e17fSsherrym secpolicy_ucode_update(const cred_t *scr) 19332449e17fSsherrym { 19342449e17fSsherrym return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 19352449e17fSsherrym } 1936*e6bdcbd5Sdh155122 1937*e6bdcbd5Sdh155122 /* 1938*e6bdcbd5Sdh155122 * secpolicy_sadopen 1939*e6bdcbd5Sdh155122 * 1940*e6bdcbd5Sdh155122 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 1941*e6bdcbd5Sdh155122 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 1942*e6bdcbd5Sdh155122 * In global zone, sys_config is required. 1943*e6bdcbd5Sdh155122 * In exclusive-IP zones, sys_ip_config is required. 1944*e6bdcbd5Sdh155122 * Note that sys_config is prohibited in non-global zones. 1945*e6bdcbd5Sdh155122 */ 1946*e6bdcbd5Sdh155122 int 1947*e6bdcbd5Sdh155122 secpolicy_sadopen(const cred_t *credp) 1948*e6bdcbd5Sdh155122 { 1949*e6bdcbd5Sdh155122 priv_set_t pset; 1950*e6bdcbd5Sdh155122 1951*e6bdcbd5Sdh155122 priv_emptyset(&pset); 1952*e6bdcbd5Sdh155122 1953*e6bdcbd5Sdh155122 if (crgetzoneid(credp) == GLOBAL_ZONEID) 1954*e6bdcbd5Sdh155122 priv_addset(&pset, PRIV_SYS_CONFIG); 1955*e6bdcbd5Sdh155122 else 1956*e6bdcbd5Sdh155122 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 1957*e6bdcbd5Sdh155122 1958*e6bdcbd5Sdh155122 return (secpolicy_require_set(credp, &pset, "devpolicy")); 1959*e6bdcbd5Sdh155122 } 1960