1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 #include <sys/dld_ioc.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make assumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions. 151 * 152 * All of the system's policy should be implemented here. 153 */ 154 155 /* 156 * Private functions which take an additional va_list argument to 157 * implement an object specific policy override. 158 */ 159 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 160 const char *, va_list); 161 static int priv_policy_va(const cred_t *, int, boolean_t, int, 162 const char *, ...); 163 164 /* 165 * Generic policy calls 166 * 167 * The "bottom" functions of policy control 168 */ 169 static char * 170 mprintf(const char *fmt, ...) 171 { 172 va_list args; 173 char *buf; 174 size_t len; 175 176 va_start(args, fmt); 177 len = vsnprintf(NULL, 0, fmt, args) + 1; 178 va_end(args); 179 180 buf = kmem_alloc(len, KM_NOSLEEP); 181 182 if (buf == NULL) 183 return (NULL); 184 185 va_start(args, fmt); 186 (void) vsnprintf(buf, len, fmt, args); 187 va_end(args); 188 189 return (buf); 190 } 191 192 /* 193 * priv_policy_errmsg() 194 * 195 * Generate an error message if privilege debugging is enabled system wide 196 * or for this particular process. 197 */ 198 199 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 200 #define FMTMSG " for \"%s\"" 201 #define FMTFUN " needed at %s+0x%lx" 202 203 /* The maximum size privilege format: the concatenation of the above */ 204 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 205 206 static void 207 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 208 { 209 struct proc *me; 210 pc_t stack[MAXPRIVSTACK]; 211 int depth; 212 int i; 213 char *sym; 214 ulong_t off; 215 const char *pname; 216 217 char *cmd; 218 char fmt[sizeof (FMTMAX)]; 219 220 if ((me = curproc) == &p0) 221 return; 222 223 /* Privileges must be defined */ 224 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 225 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 226 priv_getbynum(priv) != NULL); 227 228 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 229 priv = PRIV_ALL; 230 231 if (curthread->t_pre_sys) 232 ttolwp(curthread)->lwp_badpriv = (short)priv; 233 234 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 235 return; 236 237 (void) strcpy(fmt, FMTHDR); 238 239 if (me->p_user.u_comm[0]) 240 cmd = &me->p_user.u_comm[0]; 241 else 242 cmd = "priv_policy"; 243 244 if (msg != NULL && *msg != '\0') { 245 (void) strcat(fmt, FMTMSG); 246 } else { 247 (void) strcat(fmt, "%s"); 248 msg = ""; 249 } 250 251 sym = NULL; 252 253 depth = getpcstack(stack, MAXPRIVSTACK); 254 255 /* 256 * Try to find the first interesting function on the stack. 257 * priv_policy* that's us, so completely uninteresting. 258 * suser(), drv_priv(), secpolicy_* are also called from 259 * too many locations to convey useful information. 260 */ 261 for (i = 0; i < depth; i++) { 262 sym = kobj_getsymname((uintptr_t)stack[i], &off); 263 if (sym != NULL && 264 strstr(sym, "hasprocperm") == 0 && 265 strcmp("suser", sym) != 0 && 266 strcmp("ipcaccess", sym) != 0 && 267 strcmp("drv_priv", sym) != 0 && 268 strncmp("secpolicy_", sym, 10) != 0 && 269 strncmp("priv_policy", sym, 11) != 0) 270 break; 271 } 272 273 if (sym != NULL) 274 (void) strcat(fmt, FMTFUN); 275 276 (void) strcat(fmt, "\n"); 277 278 switch (priv) { 279 case PRIV_ALL: 280 pname = "ALL"; 281 break; 282 case PRIV_MULTIPLE: 283 pname = "MULTIPLE"; 284 break; 285 case PRIV_ALLZONE: 286 pname = "ZONE"; 287 break; 288 case PRIV_GLOBAL: 289 pname = "GLOBAL"; 290 break; 291 default: 292 pname = priv_getbynum(priv); 293 break; 294 } 295 296 if (CR_FLAGS(cr) & PRIV_DEBUG) { 297 /* Remember last message, just like lwp_badpriv. */ 298 if (curthread->t_pdmsg != NULL) { 299 kmem_free(curthread->t_pdmsg, 300 strlen(curthread->t_pdmsg) + 1); 301 } 302 303 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 304 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 305 306 curthread->t_post_sys = 1; 307 } 308 if (priv_debug) { 309 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 310 curthread->t_sysnum, msg, sym, off); 311 } 312 } 313 314 /* 315 * Override the policy, if appropriate. Return 0 if the external 316 * policy engine approves. 317 */ 318 static int 319 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 320 { 321 priv_set_t set; 322 int ret; 323 324 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 325 return (-1); 326 327 if (priv == PRIV_ALL) { 328 priv_fillset(&set); 329 } else if (allzone) { 330 set = *ZONEPRIVS(cr); 331 } else { 332 priv_emptyset(&set); 333 priv_addset(&set, priv); 334 } 335 ret = klpd_call(cr, &set, ap); 336 return (ret); 337 } 338 339 static int 340 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...) 341 { 342 va_list ap; 343 344 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 345 va_start(ap, req); 346 return (klpd_call(cr, req, ap)); 347 } 348 return (-1); 349 } 350 351 /* 352 * Audit failure, log error message. 353 */ 354 static void 355 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 356 { 357 358 if (audit_active) 359 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 360 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 361 362 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 363 curthread->t_pre_sys) { 364 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 365 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 366 } else { 367 ASSERT(!HAS_PRIVILEGE(cr, priv)); 368 priv_policy_errmsg(cr, priv, msg); 369 } 370 } 371 } 372 373 /* 374 * priv_policy_ap() 375 * return 0 or error. 376 * See block comment above for a description of "priv" and "allzone" usage. 377 */ 378 static int 379 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 380 const char *msg, va_list ap) 381 { 382 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 383 (!servicing_interrupt() && 384 priv_policy_override(cr, priv, allzone, ap) == 0)) { 385 if ((allzone || priv == PRIV_ALL || 386 !PRIV_ISASSERT(priv_basic, priv)) && 387 !servicing_interrupt()) { 388 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 389 if (audit_active) 390 audit_priv(priv, 391 allzone ? ZONEPRIVS(cr) : NULL, 1); 392 } 393 err = 0; 394 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 395 } else if (!servicing_interrupt()) { 396 /* Failure audited in this procedure */ 397 priv_policy_err(cr, priv, allzone, msg); 398 } 399 return (err); 400 } 401 402 int 403 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 404 const char *msg, ...) 405 { 406 int ret; 407 va_list ap; 408 409 va_start(ap, msg); 410 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 411 va_end(ap); 412 413 return (ret); 414 } 415 416 int 417 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 418 const char *msg) 419 { 420 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE)); 421 } 422 423 /* 424 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 425 */ 426 boolean_t 427 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 428 { 429 boolean_t res = HAS_PRIVILEGE(cr, priv) && 430 (!allzone || HAS_ALLZONEPRIVS(cr)); 431 432 /* Audit success only */ 433 if (res && audit_active && 434 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 435 !servicing_interrupt()) { 436 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 437 } 438 if (res) { 439 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 440 } else { 441 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 442 } 443 return (res); 444 } 445 446 /* 447 * Non-auditing variant of priv_policy_choice(). 448 */ 449 boolean_t 450 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 451 { 452 boolean_t res = HAS_PRIVILEGE(cr, priv) && 453 (!allzone || HAS_ALLZONEPRIVS(cr)); 454 455 if (res) { 456 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 457 } else { 458 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 459 } 460 return (res); 461 } 462 463 /* 464 * Check whether all privileges in the required set are present. 465 */ 466 static int 467 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 468 { 469 int priv; 470 int pfound = -1; 471 priv_set_t pset; 472 473 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 474 &CR_OEPRIV(cr))) { 475 return (0); 476 } 477 478 if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0) 479 return (0); 480 481 if (req == PRIV_FULLSET || priv_isfullset(req)) { 482 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 483 return (EACCES); 484 } 485 486 pset = CR_OEPRIV(cr); /* present privileges */ 487 priv_inverse(&pset); /* all non present privileges */ 488 priv_intersect(req, &pset); /* the actual missing privs */ 489 490 if (audit_active) 491 audit_priv(PRIV_NONE, &pset, 0); 492 /* 493 * Privilege debugging; special case "one privilege in set". 494 */ 495 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 496 for (priv = 0; priv < nprivs; priv++) { 497 if (priv_ismember(&pset, priv)) { 498 if (pfound != -1) { 499 /* Multiple missing privs */ 500 priv_policy_errmsg(cr, PRIV_MULTIPLE, 501 msg); 502 return (EACCES); 503 } 504 pfound = priv; 505 } 506 } 507 ASSERT(pfound != -1); 508 /* Just the one missing privilege */ 509 priv_policy_errmsg(cr, pfound, msg); 510 } 511 512 return (EACCES); 513 } 514 515 /* 516 * Called when an operation requires that the caller be in the 517 * global zone, regardless of privilege. 518 */ 519 static int 520 priv_policy_global(const cred_t *cr) 521 { 522 if (crgetzoneid(cr) == GLOBAL_ZONEID) 523 return (0); /* success */ 524 525 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 526 curthread->t_pre_sys) { 527 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 528 } 529 return (EPERM); 530 } 531 532 /* 533 * Changing process priority 534 */ 535 int 536 secpolicy_setpriority(const cred_t *cr) 537 { 538 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 539 } 540 541 /* 542 * Binding to a privileged port, port must be specified in host byte 543 * order. 544 */ 545 int 546 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 547 { 548 char *reason; 549 int priv; 550 551 switch (port) { 552 case 137: 553 case 138: 554 case 139: 555 case 445: 556 /* 557 * NBT and SMB ports, these are extra privileged ports, 558 * allow bind only if the SYS_SMB privilege is present. 559 */ 560 priv = PRIV_SYS_SMB; 561 reason = "NBT or SMB port"; 562 break; 563 564 case 2049: 565 case 4045: 566 /* 567 * NFS ports, these are extra privileged ports, allow bind 568 * only if the SYS_NFS privilege is present. 569 */ 570 priv = PRIV_SYS_NFS; 571 reason = "NFS port"; 572 break; 573 574 default: 575 priv = PRIV_NET_PRIVADDR; 576 reason = NULL; 577 break; 578 579 } 580 581 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 582 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 583 } 584 585 /* 586 * Binding to a multilevel port on a trusted (labeled) system. 587 */ 588 int 589 secpolicy_net_bindmlp(const cred_t *cr) 590 { 591 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 592 } 593 594 /* 595 * Allow a communication between a zone and an unlabeled host when their 596 * labels don't match. 597 */ 598 int 599 secpolicy_net_mac_aware(const cred_t *cr) 600 { 601 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 602 } 603 604 /* 605 * Common routine which determines whether a given credential can 606 * act on a given mount. 607 * When called through mount, the parameter needoptcheck is a pointer 608 * to a boolean variable which will be set to either true or false, 609 * depending on whether the mount policy should change the mount options. 610 * In all other cases, needoptcheck should be a NULL pointer. 611 */ 612 static int 613 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 614 boolean_t *needoptcheck) 615 { 616 boolean_t allzone = B_FALSE; 617 boolean_t mounting = needoptcheck != NULL; 618 619 /* 620 * Short circuit the following cases: 621 * vfsp == NULL or mvp == NULL (pure privilege check) 622 * have all privileges - no further checks required 623 * and no mount options need to be set. 624 */ 625 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 626 if (mounting) 627 *needoptcheck = B_FALSE; 628 629 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 630 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 631 } 632 633 /* 634 * When operating on an existing mount (either we're not mounting 635 * or we're doing a remount and VFS_REMOUNT will be set), zones 636 * can operate only on mounts established by the zone itself. 637 */ 638 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 639 zoneid_t zoneid = crgetzoneid(cr); 640 641 if (zoneid != GLOBAL_ZONEID && 642 vfsp->vfs_zone->zone_id != zoneid) { 643 return (EPERM); 644 } 645 } 646 647 if (mounting) 648 *needoptcheck = B_TRUE; 649 650 /* 651 * Overlay mounts may hide important stuff; if you can't write to a 652 * mount point but would be able to mount on top of it, you can 653 * escalate your privileges. 654 * So we go about asking the same questions namefs does when it 655 * decides whether you can mount over a file or not but with the 656 * added restriction that you can only mount on top of a regular 657 * file or directory. 658 * If we have all the zone's privileges, we skip all other checks, 659 * or else we may actually get in trouble inside the automounter. 660 */ 661 if ((mvp->v_flag & VROOT) != 0 || 662 (mvp->v_type != VDIR && mvp->v_type != VREG) || 663 HAS_ALLZONEPRIVS(cr)) { 664 allzone = B_TRUE; 665 } else { 666 vattr_t va; 667 int err; 668 669 va.va_mask = AT_UID|AT_MODE; 670 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 671 if (err != 0) 672 return (err); 673 674 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 675 return (err); 676 677 if ((va.va_mode & VWRITE) == 0 && 678 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 679 return (EACCES); 680 } 681 } 682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 683 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 684 } 685 686 void 687 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 688 { 689 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 690 691 /* 692 * check; if we don't have either "nosuid" or 693 * both "nosetuid" and "nodevices", then we add 694 * "nosuid"; this depends on how the current 695 * implementation works (it first checks nosuid). In a 696 * zone, a user with all zone privileges can mount with 697 * "setuid" but never with "devices". 698 */ 699 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 700 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 701 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 702 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 703 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 704 else 705 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 706 } 707 /* 708 * If we're not the local super user, we set the "restrict" 709 * option to indicate to automountd that this mount should 710 * be handled with care. 711 */ 712 if (!amsuper) 713 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 714 715 } 716 717 extern vnode_t *rootvp; 718 extern vfs_t *rootvfs; 719 720 int 721 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 722 { 723 boolean_t needoptchk; 724 int error; 725 726 /* 727 * If it's a remount, get the underlying mount point, 728 * except for the root where we use the rootvp. 729 */ 730 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 731 if (vfsp == rootvfs) 732 mvp = rootvp; 733 else 734 mvp = vfsp->vfs_vnodecovered; 735 } 736 737 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 738 739 if (error == 0 && needoptchk) { 740 secpolicy_fs_mount_clearopts(cr, vfsp); 741 } 742 743 return (error); 744 } 745 746 /* 747 * Does the policy computations for "ownership" of a mount; 748 * here ownership is defined as the ability to "mount" 749 * the filesystem originally. The rootvfs doesn't cover any 750 * vnodes; we attribute its ownership to the rootvp. 751 */ 752 static int 753 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 754 { 755 vnode_t *mvp; 756 757 if (vfsp == NULL) 758 mvp = NULL; 759 else if (vfsp == rootvfs) 760 mvp = rootvp; 761 else 762 mvp = vfsp->vfs_vnodecovered; 763 764 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 765 } 766 767 int 768 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 769 { 770 return (secpolicy_fs_owner(cr, vfsp)); 771 } 772 773 /* 774 * Quotas are a resource, but if one has the ability to mount a filesystem, he 775 * should be able to modify quotas on it. 776 */ 777 int 778 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 779 { 780 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 781 } 782 783 /* 784 * Exceeding minfree: also a per-mount resource constraint. 785 */ 786 int 787 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 788 { 789 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 790 } 791 792 int 793 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 794 { 795 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 796 } 797 798 /* ARGSUSED */ 799 int 800 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 801 { 802 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 803 } 804 805 /* 806 * Name: secpolicy_vnode_access() 807 * 808 * Parameters: Process credential 809 * vnode 810 * uid of owner of vnode 811 * permission bits not granted to the caller when examining 812 * file mode bits (i.e., when a process wants to open a 813 * mode 444 file for VREAD|VWRITE, this function should be 814 * called only with a VWRITE argument). 815 * 816 * Normal: Verifies that cred has the appropriate privileges to 817 * override the mode bits that were denied. 818 * 819 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 820 * not a directory. 821 * file_dac_read - if VREAD bit was denied. 822 * file_dac_search - if VEXEC bit was denied and vnode is 823 * a directory. 824 * file_dac_write - if VWRITE bit was denied. 825 * 826 * Root owned files are special cased to protect system 827 * configuration files and such. 828 * 829 * Output: EACCES - if privilege check fails. 830 */ 831 832 /* ARGSUSED */ 833 int 834 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 835 { 836 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 837 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 838 KLPDARG_NOMORE) != 0) { 839 return (EACCES); 840 } 841 842 if (mode & VWRITE) { 843 boolean_t allzone; 844 845 if (owner == 0 && cr->cr_uid != 0) 846 allzone = B_TRUE; 847 else 848 allzone = B_FALSE; 849 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 850 NULL, KLPDARG_VNODE, vp, (char *)NULL, 851 KLPDARG_NOMORE) != 0) { 852 return (EACCES); 853 } 854 } 855 856 if (mode & VEXEC) { 857 /* 858 * Directories use file_dac_search to override the execute bit. 859 */ 860 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 861 PRIV_FILE_DAC_EXECUTE; 862 863 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 864 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 865 } 866 return (0); 867 } 868 869 /* 870 * Name: secpolicy_vnode_setid_modify() 871 * 872 * Normal: verify that subject can set the file setid flags. 873 * 874 * Output: EPERM - if not privileged. 875 */ 876 877 static int 878 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 879 { 880 /* If changing to suid root, must have all zone privs */ 881 boolean_t allzone = B_TRUE; 882 883 if (owner != 0) { 884 if (owner == cr->cr_uid) 885 return (0); 886 allzone = B_FALSE; 887 } 888 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 889 } 890 891 /* 892 * Are we allowed to retain the set-uid/set-gid bits when 893 * changing ownership or when writing to a file? 894 * "issuid" should be true when set-uid; only in that case 895 * root ownership is checked (setgid is assumed). 896 */ 897 int 898 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 899 { 900 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 901 return (EPERM); 902 903 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 904 } 905 906 /* 907 * Name: secpolicy_vnode_setids_setgids() 908 * 909 * Normal: verify that subject can set the file setgid flag. 910 * 911 * Output: EPERM - if not privileged 912 */ 913 914 int 915 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 916 { 917 if (!groupmember(gid, cred)) 918 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 919 NULL)); 920 return (0); 921 } 922 923 /* 924 * Name: secpolicy_vnode_chown 925 * 926 * Normal: Determine if subject can chown owner of a file. 927 * 928 * Output: EPERM - if access denied 929 */ 930 931 int 932 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 933 { 934 boolean_t is_owner = (owner == crgetuid(cred)); 935 boolean_t allzone = B_FALSE; 936 int priv; 937 938 if (!is_owner) { 939 allzone = (owner == 0); 940 priv = PRIV_FILE_CHOWN; 941 } else { 942 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 943 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 944 } 945 946 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 947 } 948 949 /* 950 * Name: secpolicy_vnode_create_gid 951 * 952 * Normal: Determine if subject can change group ownership of a file. 953 * 954 * Output: EPERM - if access denied 955 */ 956 int 957 secpolicy_vnode_create_gid(const cred_t *cred) 958 { 959 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 960 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 961 NULL)); 962 else 963 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 964 NULL)); 965 } 966 967 /* 968 * Name: secpolicy_vnode_utime_modify() 969 * 970 * Normal: verify that subject can modify the utime on a file. 971 * 972 * Output: EPERM - if access denied. 973 */ 974 975 static int 976 secpolicy_vnode_utime_modify(const cred_t *cred) 977 { 978 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 979 "modify file times")); 980 } 981 982 983 /* 984 * Name: secpolicy_vnode_setdac() 985 * 986 * Normal: verify that subject can modify the mode of a file. 987 * allzone privilege needed when modifying root owned object. 988 * 989 * Output: EPERM - if access denied. 990 */ 991 992 int 993 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 994 { 995 if (owner == cred->cr_uid) 996 return (0); 997 998 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 999 } 1000 /* 1001 * Name: secpolicy_vnode_stky_modify() 1002 * 1003 * Normal: verify that subject can make a file a "sticky". 1004 * 1005 * Output: EPERM - if access denied. 1006 */ 1007 1008 int 1009 secpolicy_vnode_stky_modify(const cred_t *cred) 1010 { 1011 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1012 "set file sticky")); 1013 } 1014 1015 /* 1016 * Policy determines whether we can remove an entry from a directory, 1017 * regardless of permission bits. 1018 */ 1019 int 1020 secpolicy_vnode_remove(const cred_t *cr) 1021 { 1022 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1023 "sticky directory")); 1024 } 1025 1026 int 1027 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1028 { 1029 boolean_t allzone = (owner == 0); 1030 1031 if (owner == cr->cr_uid) 1032 return (0); 1033 1034 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1035 } 1036 1037 void 1038 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1039 { 1040 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1041 secpolicy_vnode_setid_retain(cr, 1042 (vap->va_mode & S_ISUID) != 0 && 1043 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1044 vap->va_mask |= AT_MODE; 1045 vap->va_mode &= ~(S_ISUID|S_ISGID); 1046 } 1047 } 1048 1049 int 1050 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1051 cred_t *cr) 1052 { 1053 int error; 1054 1055 if ((vap->va_mode & S_ISUID) != 0 && 1056 (error = secpolicy_vnode_setid_modify(cr, 1057 ovap->va_uid)) != 0) { 1058 return (error); 1059 } 1060 1061 /* 1062 * Check privilege if attempting to set the 1063 * sticky bit on a non-directory. 1064 */ 1065 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1066 secpolicy_vnode_stky_modify(cr) != 0) { 1067 vap->va_mode &= ~S_ISVTX; 1068 } 1069 1070 /* 1071 * Check for privilege if attempting to set the 1072 * group-id bit. 1073 */ 1074 if ((vap->va_mode & S_ISGID) != 0 && 1075 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1076 vap->va_mode &= ~S_ISGID; 1077 } 1078 1079 return (0); 1080 } 1081 1082 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1083 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1084 B_FALSE, EPERM, NULL) 1085 1086 /* 1087 * Check privileges for setting xvattr attributes 1088 */ 1089 int 1090 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1091 { 1092 xoptattr_t *xoap; 1093 int error = 0; 1094 1095 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1096 return (EINVAL); 1097 1098 /* 1099 * First process the DOS bits 1100 */ 1101 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1102 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1103 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1104 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1105 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1106 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1107 return (error); 1108 } 1109 1110 /* 1111 * Now handle special attributes 1112 */ 1113 1114 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1115 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1116 xoap->xoa_immutable, cr); 1117 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1118 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1119 xoap->xoa_nounlink, cr); 1120 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1121 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1122 xoap->xoa_appendonly, cr); 1123 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1124 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1125 xoap->xoa_nodump, cr); 1126 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1127 error = EPERM; 1128 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1129 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1130 xoap->xoa_av_quarantined, cr); 1131 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1132 error = EINVAL; 1133 } 1134 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1135 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1136 xoap->xoa_av_modified, cr); 1137 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1138 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1139 xoap->xoa_av_scanstamp, cr); 1140 if (error == 0 && vtype != VREG) 1141 error = EINVAL; 1142 } 1143 return (error); 1144 } 1145 1146 /* 1147 * This function checks the policy decisions surrounding the 1148 * vop setattr call. 1149 * 1150 * It should be called after sufficient locks have been established 1151 * on the underlying data structures. No concurrent modifications 1152 * should be allowed. 1153 * 1154 * The caller must pass in unlocked version of its vaccess function 1155 * this is required because vop_access function should lock the 1156 * node for reading. A three argument function should be defined 1157 * which accepts the following argument: 1158 * A pointer to the internal "node" type (inode *) 1159 * vnode access bits (VREAD|VWRITE|VEXEC) 1160 * a pointer to the credential 1161 * 1162 * This function makes the following policy decisions: 1163 * 1164 * - change permissions 1165 * - permission to change file mode if not owner 1166 * - permission to add sticky bit to non-directory 1167 * - permission to add set-gid bit 1168 * 1169 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1170 * 1171 * If the vap argument does not include AT_MODE, the mode will be copied from 1172 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1173 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1174 * is updated to the newly computed mode. 1175 */ 1176 1177 int 1178 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1179 const struct vattr *ovap, int flags, 1180 int unlocked_access(void *, int, cred_t *), 1181 void *node) 1182 { 1183 int mask = vap->va_mask; 1184 int error = 0; 1185 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1186 1187 if (mask & AT_SIZE) { 1188 if (vp->v_type == VDIR) { 1189 error = EISDIR; 1190 goto out; 1191 } 1192 1193 /* 1194 * If ATTR_NOACLCHECK is set in the flags, then we don't 1195 * perform the secondary unlocked_access() call since the 1196 * ACL (if any) is being checked there. 1197 */ 1198 if (skipaclchk == B_FALSE) { 1199 error = unlocked_access(node, VWRITE, cr); 1200 if (error) 1201 goto out; 1202 } 1203 } 1204 if (mask & AT_MODE) { 1205 /* 1206 * If not the owner of the file then check privilege 1207 * for two things: the privilege to set the mode at all 1208 * and, if we're setting setuid, we also need permissions 1209 * to add the set-uid bit, if we're not the owner. 1210 * In the specific case of creating a set-uid root 1211 * file, we need even more permissions. 1212 */ 1213 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1214 goto out; 1215 1216 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1217 ovap, cr)) != 0) 1218 goto out; 1219 } else 1220 vap->va_mode = ovap->va_mode; 1221 1222 if (mask & (AT_UID|AT_GID)) { 1223 boolean_t checkpriv = B_FALSE; 1224 1225 /* 1226 * Chowning files. 1227 * 1228 * If you are the file owner: 1229 * chown to other uid FILE_CHOWN_SELF 1230 * chown to gid (non-member) FILE_CHOWN_SELF 1231 * chown to gid (member) <none> 1232 * 1233 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1234 * acceptable but the first one is reported when debugging. 1235 * 1236 * If you are not the file owner: 1237 * chown from root PRIV_FILE_CHOWN + zone 1238 * chown from other to any PRIV_FILE_CHOWN 1239 * 1240 */ 1241 if (cr->cr_uid != ovap->va_uid) { 1242 checkpriv = B_TRUE; 1243 } else { 1244 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1245 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1246 !groupmember(vap->va_gid, cr))) { 1247 checkpriv = B_TRUE; 1248 } 1249 } 1250 /* 1251 * If necessary, check privilege to see if update can be done. 1252 */ 1253 if (checkpriv && 1254 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1255 goto out; 1256 } 1257 1258 /* 1259 * If the file has either the set UID or set GID bits 1260 * set and the caller can set the bits, then leave them. 1261 */ 1262 secpolicy_setid_clear(vap, cr); 1263 } 1264 if (mask & (AT_ATIME|AT_MTIME)) { 1265 /* 1266 * If not the file owner and not otherwise privileged, 1267 * always return an error when setting the 1268 * time other than the current (ATTR_UTIME flag set). 1269 * If setting the current time (ATTR_UTIME not set) then 1270 * unlocked_access will check permissions according to policy. 1271 */ 1272 if (cr->cr_uid != ovap->va_uid) { 1273 if (flags & ATTR_UTIME) 1274 error = secpolicy_vnode_utime_modify(cr); 1275 else if (skipaclchk == B_FALSE) { 1276 error = unlocked_access(node, VWRITE, cr); 1277 if (error == EACCES && 1278 secpolicy_vnode_utime_modify(cr) == 0) 1279 error = 0; 1280 } 1281 if (error) 1282 goto out; 1283 } 1284 } 1285 1286 /* 1287 * Check for optional attributes here by checking the following: 1288 */ 1289 if (mask & AT_XVATTR) 1290 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1291 vp->v_type); 1292 out: 1293 return (error); 1294 } 1295 1296 /* 1297 * Name: secpolicy_pcfs_modify_bootpartition() 1298 * 1299 * Normal: verify that subject can modify a pcfs boot partition. 1300 * 1301 * Output: EACCES - if privilege check failed. 1302 */ 1303 /*ARGSUSED*/ 1304 int 1305 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1306 { 1307 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1308 "modify pcfs boot partition")); 1309 } 1310 1311 /* 1312 * System V IPC routines 1313 */ 1314 int 1315 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1316 { 1317 if (crgetzoneid(cr) != ip->ipc_zoneid || 1318 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1319 boolean_t allzone = B_FALSE; 1320 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1321 allzone = B_TRUE; 1322 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1323 } 1324 return (0); 1325 } 1326 1327 int 1328 secpolicy_ipc_config(const cred_t *cr) 1329 { 1330 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1331 } 1332 1333 int 1334 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1335 { 1336 1337 boolean_t allzone = B_FALSE; 1338 1339 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1340 1341 if ((mode & MSG_R) && 1342 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1343 return (EACCES); 1344 1345 if (mode & MSG_W) { 1346 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1347 allzone = B_TRUE; 1348 1349 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1350 NULL)); 1351 } 1352 return (0); 1353 } 1354 1355 int 1356 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1357 { 1358 boolean_t allzone = B_FALSE; 1359 1360 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1361 1362 if ((mode & MSG_R) && 1363 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1364 return (EACCES); 1365 1366 if (mode & MSG_W) { 1367 if (cr->cr_uid != 0 && owner == 0) 1368 allzone = B_TRUE; 1369 1370 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1371 NULL)); 1372 } 1373 return (0); 1374 } 1375 1376 /* 1377 * Audit configuration. 1378 */ 1379 int 1380 secpolicy_audit_config(const cred_t *cr) 1381 { 1382 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1383 } 1384 1385 /* 1386 * Audit record generation. 1387 */ 1388 int 1389 secpolicy_audit_modify(const cred_t *cr) 1390 { 1391 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1392 } 1393 1394 /* 1395 * Get audit attributes. 1396 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1397 * "Least" of the two privileges on error. 1398 */ 1399 int 1400 secpolicy_audit_getattr(const cred_t *cr) 1401 { 1402 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1403 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1404 NULL)); 1405 } else { 1406 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1407 } 1408 } 1409 1410 1411 /* 1412 * Locking physical memory 1413 */ 1414 int 1415 secpolicy_lock_memory(const cred_t *cr) 1416 { 1417 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1418 } 1419 1420 /* 1421 * Accounting (both acct(2) and exacct). 1422 */ 1423 int 1424 secpolicy_acct(const cred_t *cr) 1425 { 1426 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1427 } 1428 1429 /* 1430 * Is this process privileged to change its uids at will? 1431 * Uid 0 is still considered "special" and having the SETID 1432 * privilege is not sufficient to get uid 0. 1433 * Files are owned by root, so the privilege would give 1434 * full access and euid 0 is still effective. 1435 * 1436 * If you have the privilege and euid 0 only then do you 1437 * get the powers of root wrt uid 0. 1438 * 1439 * For gid manipulations, this is should be called with an 1440 * uid of -1. 1441 * 1442 */ 1443 int 1444 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1445 { 1446 boolean_t allzone = B_FALSE; 1447 1448 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1449 cr->cr_ruid != 0) { 1450 allzone = B_TRUE; 1451 } 1452 1453 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1454 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1455 } 1456 1457 1458 /* 1459 * Acting on a different process: if the mode is for writing, 1460 * the restrictions are more severe. This is called after 1461 * we've verified that the uids do not match. 1462 */ 1463 int 1464 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1465 { 1466 boolean_t allzone = B_FALSE; 1467 1468 if ((mode & VWRITE) && scr->cr_uid != 0 && 1469 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1470 allzone = B_TRUE; 1471 1472 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1473 } 1474 1475 int 1476 secpolicy_proc_access(const cred_t *scr) 1477 { 1478 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1479 } 1480 1481 int 1482 secpolicy_proc_excl_open(const cred_t *scr) 1483 { 1484 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1485 } 1486 1487 int 1488 secpolicy_proc_zone(const cred_t *scr) 1489 { 1490 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1491 } 1492 1493 /* 1494 * Destroying the system 1495 */ 1496 1497 int 1498 secpolicy_kmdb(const cred_t *scr) 1499 { 1500 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1501 } 1502 1503 int 1504 secpolicy_error_inject(const cred_t *scr) 1505 { 1506 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1507 } 1508 1509 /* 1510 * Processor sets, cpu configuration, resource pools. 1511 */ 1512 int 1513 secpolicy_pset(const cred_t *cr) 1514 { 1515 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1516 } 1517 1518 int 1519 secpolicy_ponline(const cred_t *cr) 1520 { 1521 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1522 } 1523 1524 int 1525 secpolicy_pool(const cred_t *cr) 1526 { 1527 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1528 } 1529 1530 int 1531 secpolicy_blacklist(const cred_t *cr) 1532 { 1533 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1534 } 1535 1536 /* 1537 * Catch all system configuration. 1538 */ 1539 int 1540 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1541 { 1542 if (checkonly) { 1543 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1544 EPERM); 1545 } else { 1546 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1547 } 1548 } 1549 1550 /* 1551 * Zone administration (halt, reboot, etc.) from within zone. 1552 */ 1553 int 1554 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1555 { 1556 if (checkonly) { 1557 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1558 EPERM); 1559 } else { 1560 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1561 NULL)); 1562 } 1563 } 1564 1565 /* 1566 * Zone configuration (create, halt, enter). 1567 */ 1568 int 1569 secpolicy_zone_config(const cred_t *cr) 1570 { 1571 /* 1572 * Require all privileges to avoid possibility of privilege 1573 * escalation. 1574 */ 1575 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1576 } 1577 1578 /* 1579 * Various other system configuration calls 1580 */ 1581 int 1582 secpolicy_coreadm(const cred_t *cr) 1583 { 1584 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1585 } 1586 1587 int 1588 secpolicy_systeminfo(const cred_t *cr) 1589 { 1590 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1591 } 1592 1593 int 1594 secpolicy_dispadm(const cred_t *cr) 1595 { 1596 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1597 } 1598 1599 int 1600 secpolicy_settime(const cred_t *cr) 1601 { 1602 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1603 } 1604 1605 /* 1606 * For realtime users: high resolution clock. 1607 */ 1608 int 1609 secpolicy_clock_highres(const cred_t *cr) 1610 { 1611 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1612 NULL)); 1613 } 1614 1615 /* 1616 * drv_priv() is documented as callable from interrupt context, not that 1617 * anyone ever does, but still. No debugging or auditing can be done when 1618 * it is called from interrupt context. 1619 * returns 0 on succes, EPERM on failure. 1620 */ 1621 int 1622 drv_priv(cred_t *cr) 1623 { 1624 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1625 } 1626 1627 int 1628 secpolicy_sys_devices(const cred_t *cr) 1629 { 1630 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1631 } 1632 1633 int 1634 secpolicy_excl_open(const cred_t *cr) 1635 { 1636 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1637 } 1638 1639 int 1640 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1641 { 1642 /* zone.* rctls can only be set from the global zone */ 1643 if (is_zone_rctl && priv_policy_global(cr) != 0) 1644 return (EPERM); 1645 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1646 } 1647 1648 int 1649 secpolicy_resource(const cred_t *cr) 1650 { 1651 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1652 } 1653 1654 int 1655 secpolicy_resource_anon_mem(const cred_t *cr) 1656 { 1657 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1658 } 1659 1660 /* 1661 * Processes with a real uid of 0 escape any form of accounting, much 1662 * like before. 1663 */ 1664 int 1665 secpolicy_newproc(const cred_t *cr) 1666 { 1667 if (cr->cr_ruid == 0) 1668 return (0); 1669 1670 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1671 } 1672 1673 /* 1674 * Networking 1675 */ 1676 int 1677 secpolicy_net_rawaccess(const cred_t *cr) 1678 { 1679 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1680 } 1681 1682 /* 1683 * Need this privilege for accessing the ICMP device 1684 */ 1685 int 1686 secpolicy_net_icmpaccess(const cred_t *cr) 1687 { 1688 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1689 } 1690 1691 /* 1692 * There are a few rare cases where the kernel generates ioctls() from 1693 * interrupt context with a credential of kcred rather than NULL. 1694 * In those cases, we take the safe and cheap test. 1695 */ 1696 int 1697 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1698 { 1699 if (checkonly) { 1700 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1701 0 : EPERM); 1702 } else { 1703 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1704 NULL)); 1705 } 1706 } 1707 1708 1709 /* 1710 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1711 * 1712 * There are a few rare cases where the kernel generates ioctls() from 1713 * interrupt context with a credential of kcred rather than NULL. 1714 * In those cases, we take the safe and cheap test. 1715 */ 1716 int 1717 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1718 { 1719 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1720 return (secpolicy_net_config(cr, checkonly)); 1721 1722 if (checkonly) { 1723 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1724 0 : EPERM); 1725 } else { 1726 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1727 NULL)); 1728 } 1729 } 1730 1731 /* 1732 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1733 */ 1734 int 1735 secpolicy_dl_config(const cred_t *cr) 1736 { 1737 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1738 return (secpolicy_net_config(cr, B_FALSE)); 1739 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, 1740 NULL)); 1741 } 1742 1743 1744 /* 1745 * Map IP pseudo privileges to actual privileges. 1746 * So we don't need to recompile IP when we change the privileges. 1747 */ 1748 int 1749 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1750 { 1751 int priv = PRIV_ALL; 1752 1753 switch (netpriv) { 1754 case OP_CONFIG: 1755 priv = PRIV_SYS_IP_CONFIG; 1756 break; 1757 case OP_RAW: 1758 priv = PRIV_NET_RAWACCESS; 1759 break; 1760 case OP_PRIVPORT: 1761 priv = PRIV_NET_PRIVADDR; 1762 break; 1763 } 1764 ASSERT(priv != PRIV_ALL); 1765 if (checkonly) 1766 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1767 else 1768 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1769 } 1770 1771 /* 1772 * Map network pseudo privileges to actual privileges. 1773 * So we don't need to recompile IP when we change the privileges. 1774 */ 1775 int 1776 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1777 { 1778 int priv = PRIV_ALL; 1779 1780 switch (netpriv) { 1781 case OP_CONFIG: 1782 priv = PRIV_SYS_NET_CONFIG; 1783 break; 1784 case OP_RAW: 1785 priv = PRIV_NET_RAWACCESS; 1786 break; 1787 case OP_PRIVPORT: 1788 priv = PRIV_NET_PRIVADDR; 1789 break; 1790 } 1791 ASSERT(priv != PRIV_ALL); 1792 if (checkonly) 1793 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1794 else 1795 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1796 } 1797 1798 /* 1799 * Checks for operations that are either client-only or are used by 1800 * both clients and servers. 1801 */ 1802 int 1803 secpolicy_nfs(const cred_t *cr) 1804 { 1805 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1806 } 1807 1808 /* 1809 * Special case for opening rpcmod: have NFS privileges or network 1810 * config privileges. 1811 */ 1812 int 1813 secpolicy_rpcmod_open(const cred_t *cr) 1814 { 1815 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1816 return (secpolicy_nfs(cr)); 1817 else 1818 return (secpolicy_net_config(cr, NULL)); 1819 } 1820 1821 int 1822 secpolicy_chroot(const cred_t *cr) 1823 { 1824 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1825 } 1826 1827 int 1828 secpolicy_tasksys(const cred_t *cr) 1829 { 1830 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1831 } 1832 1833 /* 1834 * Basic privilege checks. 1835 */ 1836 int 1837 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 1838 { 1839 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 1840 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1841 } 1842 1843 int 1844 secpolicy_basic_fork(const cred_t *cr) 1845 { 1846 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1847 } 1848 1849 int 1850 secpolicy_basic_proc(const cred_t *cr) 1851 { 1852 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1853 } 1854 1855 /* 1856 * Slightly complicated because we don't want to trigger the policy too 1857 * often. First we shortcircuit access to "self" (tp == sp) or if 1858 * we don't have the privilege but if we have permission 1859 * just return (0) and we don't flag the privilege as needed. 1860 * Else, we test for the privilege because we either have it or need it. 1861 */ 1862 int 1863 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1864 { 1865 if (tp == sp || 1866 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1867 return (0); 1868 } else { 1869 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1870 } 1871 } 1872 1873 int 1874 secpolicy_basic_link(const cred_t *cr) 1875 { 1876 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1877 } 1878 1879 /* 1880 * Additional device protection. 1881 * 1882 * Traditionally, a device has specific permissions on the node in 1883 * the filesystem which govern which devices can be opened by what 1884 * processes. In certain cases, it is desirable to add extra 1885 * restrictions, as writing to certain devices is identical to 1886 * having a complete run of the system. 1887 * 1888 * This mechanism is called the device policy. 1889 * 1890 * When a device is opened, its policy entry is looked up in the 1891 * policy cache and checked. 1892 */ 1893 int 1894 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1895 { 1896 devplcy_t *plcy; 1897 int err; 1898 struct snode *csp = VTOS(common_specvp(vp)); 1899 priv_set_t pset; 1900 1901 mutex_enter(&csp->s_lock); 1902 1903 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1904 plcy = devpolicy_find(vp); 1905 if (csp->s_plcy) 1906 dpfree(csp->s_plcy); 1907 csp->s_plcy = plcy; 1908 ASSERT(plcy != NULL); 1909 } else 1910 plcy = csp->s_plcy; 1911 1912 if (plcy == nullpolicy) { 1913 mutex_exit(&csp->s_lock); 1914 return (0); 1915 } 1916 1917 dphold(plcy); 1918 1919 mutex_exit(&csp->s_lock); 1920 1921 if (oflag & FWRITE) 1922 pset = plcy->dp_wrp; 1923 else 1924 pset = plcy->dp_rdp; 1925 /* 1926 * Special case: 1927 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1928 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1929 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1930 * in the required privilege set before doing the check. 1931 */ 1932 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1933 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1934 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1935 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1936 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1937 } 1938 1939 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1940 dpfree(plcy); 1941 1942 return (err); 1943 } 1944 1945 int 1946 secpolicy_modctl(const cred_t *cr, int cmd) 1947 { 1948 switch (cmd) { 1949 case MODINFO: 1950 case MODGETMAJBIND: 1951 case MODGETPATH: 1952 case MODGETPATHLEN: 1953 case MODGETNAME: 1954 case MODGETFBNAME: 1955 case MODGETDEVPOLICY: 1956 case MODGETDEVPOLICYBYNAME: 1957 case MODDEVT2INSTANCE: 1958 case MODSIZEOF_DEVID: 1959 case MODGETDEVID: 1960 case MODSIZEOF_MINORNAME: 1961 case MODGETMINORNAME: 1962 case MODGETDEVFSPATH_LEN: 1963 case MODGETDEVFSPATH: 1964 case MODGETDEVFSPATH_MI_LEN: 1965 case MODGETDEVFSPATH_MI: 1966 /* Unprivileged */ 1967 return (0); 1968 case MODLOAD: 1969 case MODSETDEVPOLICY: 1970 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1971 default: 1972 return (secpolicy_sys_config(cr, B_FALSE)); 1973 } 1974 } 1975 1976 int 1977 secpolicy_console(const cred_t *cr) 1978 { 1979 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1980 } 1981 1982 int 1983 secpolicy_power_mgmt(const cred_t *cr) 1984 { 1985 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1986 } 1987 1988 /* 1989 * Simulate terminal input; another escalation of privileges avenue. 1990 */ 1991 1992 int 1993 secpolicy_sti(const cred_t *cr) 1994 { 1995 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1996 } 1997 1998 boolean_t 1999 secpolicy_net_reply_equal(const cred_t *cr) 2000 { 2001 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2002 } 2003 2004 int 2005 secpolicy_swapctl(const cred_t *cr) 2006 { 2007 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2008 } 2009 2010 int 2011 secpolicy_cpc_cpu(const cred_t *cr) 2012 { 2013 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2014 } 2015 2016 /* 2017 * secpolicy_contract_identity 2018 * 2019 * Determine if the subject may set the process contract FMRI value 2020 */ 2021 int 2022 secpolicy_contract_identity(const cred_t *cr) 2023 { 2024 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2025 } 2026 2027 /* 2028 * secpolicy_contract_observer 2029 * 2030 * Determine if the subject may observe a specific contract's events. 2031 */ 2032 int 2033 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2034 { 2035 if (contract_owned(ct, cr, B_FALSE)) 2036 return (0); 2037 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2038 } 2039 2040 /* 2041 * secpolicy_contract_observer_choice 2042 * 2043 * Determine if the subject may observe any contract's events. Just 2044 * tests privilege and audits on success. 2045 */ 2046 boolean_t 2047 secpolicy_contract_observer_choice(const cred_t *cr) 2048 { 2049 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2050 } 2051 2052 /* 2053 * secpolicy_contract_event 2054 * 2055 * Determine if the subject may request critical contract events or 2056 * reliable contract event delivery. 2057 */ 2058 int 2059 secpolicy_contract_event(const cred_t *cr) 2060 { 2061 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2062 } 2063 2064 /* 2065 * secpolicy_contract_event_choice 2066 * 2067 * Determine if the subject may retain contract events in its critical 2068 * set when a change in other terms would normally require a change in 2069 * the critical set. Just tests privilege and audits on success. 2070 */ 2071 boolean_t 2072 secpolicy_contract_event_choice(const cred_t *cr) 2073 { 2074 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2075 } 2076 2077 /* 2078 * secpolicy_gart_access 2079 * 2080 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2081 * device. 2082 */ 2083 int 2084 secpolicy_gart_access(const cred_t *cr) 2085 { 2086 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2087 } 2088 2089 /* 2090 * secpolicy_gart_map 2091 * 2092 * Determine if the subject has sufficient priveleges to map aperture range 2093 * through agpgart driver. 2094 */ 2095 int 2096 secpolicy_gart_map(const cred_t *cr) 2097 { 2098 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2099 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2100 NULL)); 2101 } else { 2102 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2103 NULL)); 2104 } 2105 } 2106 2107 /* 2108 * secpolicy_zinject 2109 * 2110 * Determine if the subject can inject faults in the ZFS fault injection 2111 * framework. Requires all privileges. 2112 */ 2113 int 2114 secpolicy_zinject(const cred_t *cr) 2115 { 2116 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2117 } 2118 2119 /* 2120 * secpolicy_zfs 2121 * 2122 * Determine if the subject has permission to manipulate ZFS datasets 2123 * (not pools). Equivalent to the SYS_MOUNT privilege. 2124 */ 2125 int 2126 secpolicy_zfs(const cred_t *cr) 2127 { 2128 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2129 } 2130 2131 /* 2132 * secpolicy_idmap 2133 * 2134 * Determine if the calling process has permissions to register an SID 2135 * mapping daemon and allocate ephemeral IDs. 2136 */ 2137 int 2138 secpolicy_idmap(const cred_t *cr) 2139 { 2140 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2141 } 2142 2143 /* 2144 * secpolicy_ucode_update 2145 * 2146 * Determine if the subject has sufficient privilege to update microcode. 2147 */ 2148 int 2149 secpolicy_ucode_update(const cred_t *scr) 2150 { 2151 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2152 } 2153 2154 /* 2155 * secpolicy_sadopen 2156 * 2157 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2158 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2159 * In global zone, sys_config is required. 2160 * In exclusive-IP zones, sys_ip_config is required. 2161 * Note that sys_config is prohibited in non-global zones. 2162 */ 2163 int 2164 secpolicy_sadopen(const cred_t *credp) 2165 { 2166 priv_set_t pset; 2167 2168 priv_emptyset(&pset); 2169 2170 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2171 priv_addset(&pset, PRIV_SYS_CONFIG); 2172 else 2173 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2174 2175 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2176 } 2177 2178 2179 /* 2180 * Add privileges to a particular privilege set; this is called when the 2181 * current sets of privileges are not sufficient. I.e., we should always 2182 * call the policy override functions from here. 2183 * What we are allowed to have is in the Observed Permitted set; so 2184 * we compute the difference between that and the newset. 2185 */ 2186 int 2187 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2188 { 2189 priv_set_t rqd; 2190 2191 rqd = CR_OPPRIV(cr); 2192 2193 priv_inverse(&rqd); 2194 priv_intersect(nset, &rqd); 2195 2196 return (secpolicy_require_set(cr, &rqd, NULL)); 2197 } 2198 2199 /* 2200 * secpolicy_smb 2201 * 2202 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2203 * that it has permission to access the smbsrv kernel driver. 2204 * PRIV_POLICY checks the privilege and audits the check. 2205 * 2206 * Returns: 2207 * 0 Driver access is allowed. 2208 * EPERM Driver access is NOT permitted. 2209 */ 2210 int 2211 secpolicy_smb(const cred_t *cr) 2212 { 2213 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2214 } 2215 2216 /* 2217 * secpolicy_vscan 2218 * 2219 * Determine if cred_t has the necessary privileges to access a file 2220 * for virus scanning and update its extended system attributes. 2221 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2222 * PRIV_FILE_FLAG_SET - set extended system attributes 2223 * 2224 * PRIV_POLICY checks the privilege and audits the check. 2225 * 2226 * Returns: 2227 * 0 file access for virus scanning allowed. 2228 * EPERM file access for virus scanning is NOT permitted. 2229 */ 2230 int 2231 secpolicy_vscan(const cred_t *cr) 2232 { 2233 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2234 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2235 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2236 return (EPERM); 2237 } 2238 2239 return (0); 2240 } 2241 2242 /* 2243 * secpolicy_smbfs_login 2244 * 2245 * Determines if the caller can add and delete the smbfs login 2246 * password in the the nsmb kernel module for the CIFS client. 2247 * 2248 * Returns: 2249 * 0 access is allowed. 2250 * EPERM access is NOT allowed. 2251 */ 2252 int 2253 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2254 { 2255 uid_t cruid = crgetruid(cr); 2256 2257 if (cruid == uid) 2258 return (0); 2259 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2260 EPERM, NULL)); 2261 } 2262 2263 /* 2264 * secpolicy_xvm_control 2265 * 2266 * Determines if a caller can control the xVM hypervisor and/or running 2267 * domains (x86 specific). 2268 * 2269 * Returns: 2270 * 0 access is allowed. 2271 * EPERM access is NOT allowed. 2272 */ 2273 int 2274 secpolicy_xvm_control(const cred_t *cr) 2275 { 2276 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2277 return (EPERM); 2278 return (0); 2279 } 2280 2281 /* 2282 * secpolicy_dld_ioctl 2283 * 2284 * Determine if the subject has permission to use certain dld ioctls. 2285 * Each ioctl should require a limited number of privileges. A large 2286 * number indicates a poor design. 2287 */ 2288 int 2289 secpolicy_dld_ioctl(const cred_t *cr, const char *dld_priv, const char *msg) 2290 { 2291 int rv; 2292 2293 if ((rv = priv_getbyname(dld_priv, 0)) >= 0) { 2294 return (PRIV_POLICY(cr, rv, B_FALSE, EPERM, msg)); 2295 } 2296 /* priv_getbyname() returns -ve errno */ 2297 return (-rv); 2298 2299 } 2300 2301 /* 2302 * secpolicy_ppp_config 2303 * 2304 * Determine if the subject has sufficient privileges to configure PPP and 2305 * PPP-related devices. 2306 */ 2307 int 2308 secpolicy_ppp_config(const cred_t *cr) 2309 { 2310 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2311 return (secpolicy_net_config(cr, B_FALSE)); 2312 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2313 } 2314