1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/vnode.h> 34 #include <sys/vfs.h> 35 #include <sys/stat.h> 36 #include <sys/errno.h> 37 #include <sys/kmem.h> 38 #include <sys/user.h> 39 #include <sys/proc.h> 40 #include <sys/acct.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/cmn_err.h> 43 #include <sys/debug.h> 44 #include <sys/policy.h> 45 #include <sys/kobj.h> 46 #include <sys/msg.h> 47 #include <sys/devpolicy.h> 48 #include <c2/audit.h> 49 #include <sys/varargs.h> 50 #include <sys/modctl.h> 51 #include <sys/disp.h> 52 #include <sys/zone.h> 53 #include <inet/optcom.h> 54 #include <sys/sdt.h> 55 #include <sys/vfs.h> 56 #include <sys/mntent.h> 57 #include <sys/contract_impl.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make asssumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions 151 * 152 * In future, these will migrate to several files when policy 153 * becomes more or less pluggable. 154 * 155 * For now, there's only one policy and this is it. 156 */ 157 158 /* 159 * Generic policy calls 160 * 161 * The "bottom" functions of policy control 162 */ 163 164 static char * 165 mprintf(const char *fmt, ...) 166 { 167 va_list args; 168 char *buf; 169 size_t len; 170 171 va_start(args, fmt); 172 len = vsnprintf(NULL, 0, fmt, args) + 1; 173 va_end(args); 174 175 buf = kmem_alloc(len, KM_NOSLEEP); 176 177 if (buf == NULL) 178 return (NULL); 179 180 va_start(args, fmt); 181 (void) vsnprintf(buf, len, fmt, args); 182 va_end(args); 183 184 return (buf); 185 } 186 187 /* 188 * priv_policy_errmsg() 189 * 190 * Generate an error message if privilege debugging is enabled system wide 191 * or for this particular process. 192 */ 193 194 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 195 #define FMTMSG " for \"%s\"" 196 #define FMTFUN " needed at %s+0x%lx" 197 198 /* The maximum size privilege format: the concatenation of the above */ 199 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 200 201 static void 202 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 203 { 204 struct proc *me; 205 pc_t stack[MAXPRIVSTACK]; 206 int depth; 207 int i; 208 char *sym; 209 ulong_t off; 210 const char *pname; 211 212 char *cmd; 213 char fmt[sizeof (FMTMAX)]; 214 215 if ((me = curproc) == &p0) 216 return; 217 218 /* Privileges must be defined */ 219 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 220 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 221 priv_getbynum(priv) != NULL); 222 223 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 224 priv = PRIV_ALL; 225 226 if (curthread->t_pre_sys) 227 ttolwp(curthread)->lwp_badpriv = (short)priv; 228 229 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 230 return; 231 232 (void) strcpy(fmt, FMTHDR); 233 234 if (me->p_user.u_comm[0]) 235 cmd = &me->p_user.u_comm[0]; 236 else 237 cmd = "priv_policy"; 238 239 if (msg != NULL && *msg != '\0') { 240 (void) strcat(fmt, FMTMSG); 241 } else { 242 (void) strcat(fmt, "%s"); 243 msg = ""; 244 } 245 246 sym = NULL; 247 248 depth = getpcstack(stack, MAXPRIVSTACK); 249 250 /* 251 * Try to find the first interesting function on the stack. 252 * priv_policy* that's us, so completely uninteresting. 253 * suser(), drv_priv(), secpolicy_* are also called from 254 * too many locations to convey useful information. 255 */ 256 for (i = 0; i < depth; i++) { 257 sym = kobj_getsymname((uintptr_t)stack[i], &off); 258 if (sym != NULL && 259 strstr(sym, "hasprocperm") == 0 && 260 strcmp("suser", sym) != 0 && 261 strcmp("ipcaccess", sym) != 0 && 262 strcmp("drv_priv", sym) != 0 && 263 strncmp("secpolicy_", sym, 10) != 0 && 264 strncmp("priv_policy", sym, 11) != 0) 265 break; 266 } 267 268 if (sym != NULL) 269 (void) strcat(fmt, FMTFUN); 270 271 (void) strcat(fmt, "\n"); 272 273 switch (priv) { 274 case PRIV_ALL: 275 pname = "ALL"; 276 break; 277 case PRIV_MULTIPLE: 278 pname = "MULTIPLE"; 279 break; 280 case PRIV_ALLZONE: 281 pname = "ZONE"; 282 break; 283 case PRIV_GLOBAL: 284 pname = "GLOBAL"; 285 break; 286 default: 287 pname = priv_getbynum(priv); 288 break; 289 } 290 291 if (CR_FLAGS(cr) & PRIV_DEBUG) { 292 /* Remember last message, just like lwp_badpriv. */ 293 if (curthread->t_pdmsg != NULL) { 294 kmem_free(curthread->t_pdmsg, 295 strlen(curthread->t_pdmsg) + 1); 296 } 297 298 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 299 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 300 301 curthread->t_post_sys = 1; 302 } else { 303 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 304 curthread->t_sysnum, msg, sym, off); 305 } 306 } 307 308 /* 309 * Audit failure, log error message. 310 */ 311 static void 312 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 313 { 314 315 #ifdef C2_AUDIT 316 if (audit_active) 317 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 318 #endif 319 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 320 321 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 322 curthread->t_pre_sys) { 323 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 324 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 325 } else { 326 ASSERT(!HAS_PRIVILEGE(cr, priv)); 327 priv_policy_errmsg(cr, priv, msg); 328 } 329 } 330 } 331 332 /* 333 * priv_policy() 334 * return 0 or error. 335 * See block comment above for a description of "priv" and "allzone" usage. 336 */ 337 int 338 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 339 const char *msg) 340 { 341 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 342 if ((allzone || priv == PRIV_ALL || 343 !PRIV_ISASSERT(priv_basic, priv)) && 344 !servicing_interrupt()) { 345 u.u_acflag |= ASU; /* Needed for SVVS */ 346 #ifdef C2_AUDIT 347 if (audit_active) 348 audit_priv(priv, 349 allzone ? ZONEPRIVS(cr) : NULL, 1); 350 #endif 351 } 352 err = 0; 353 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 354 } else if (!servicing_interrupt()) { 355 /* Failure audited in this procedure */ 356 priv_policy_err(cr, priv, allzone, msg); 357 } 358 359 return (err); 360 } 361 362 /* 363 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 364 */ 365 boolean_t 366 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 367 { 368 boolean_t res = HAS_PRIVILEGE(cr, priv) && 369 (!allzone || HAS_ALLZONEPRIVS(cr)); 370 371 #ifdef C2_AUDIT 372 /* Audit success only */ 373 if (res && audit_active && 374 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 375 !servicing_interrupt()) { 376 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 377 } 378 #endif 379 if (res) { 380 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 381 } else { 382 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 383 } 384 return (res); 385 } 386 387 /* 388 * Non-auditing variant of priv_policy_choice(). 389 */ 390 boolean_t 391 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 392 { 393 boolean_t res = HAS_PRIVILEGE(cr, priv) && 394 (!allzone || HAS_ALLZONEPRIVS(cr)); 395 396 if (res) { 397 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 398 } else { 399 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 400 } 401 return (res); 402 } 403 404 /* 405 * Check whether all privileges in the required set are present. 406 */ 407 static int 408 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 409 { 410 int priv; 411 int pfound = -1; 412 priv_set_t pset; 413 414 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 415 &CR_OEPRIV(cr))) { 416 return (0); 417 } 418 419 if (req == PRIV_FULLSET || priv_isfullset(req)) { 420 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 421 return (EACCES); 422 } 423 424 pset = CR_OEPRIV(cr); /* present privileges */ 425 priv_inverse(&pset); /* all non present privileges */ 426 priv_intersect(req, &pset); /* the actual missing privs */ 427 428 #ifdef C2_AUDIT 429 if (audit_active) 430 audit_priv(PRIV_NONE, &pset, 0); 431 #endif 432 /* 433 * Privilege debugging; special case "one privilege in set". 434 */ 435 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 436 for (priv = 0; priv < nprivs; priv++) { 437 if (priv_ismember(&pset, priv)) { 438 if (pfound != -1) { 439 /* Multiple missing privs */ 440 priv_policy_errmsg(cr, PRIV_MULTIPLE, 441 msg); 442 return (EACCES); 443 } 444 pfound = priv; 445 } 446 } 447 ASSERT(pfound != -1); 448 /* Just the one missing privilege */ 449 priv_policy_errmsg(cr, pfound, msg); 450 } 451 452 return (EACCES); 453 } 454 455 /* 456 * Called when an operation requires that the caller be in the 457 * global zone, regardless of privilege. 458 */ 459 static int 460 priv_policy_global(const cred_t *cr) 461 { 462 if (crgetzoneid(cr) == GLOBAL_ZONEID) 463 return (0); /* success */ 464 465 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 466 curthread->t_pre_sys) { 467 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 468 } 469 return (EPERM); 470 } 471 472 /* 473 * Changing process priority 474 */ 475 int 476 secpolicy_setpriority(const cred_t *cr) 477 { 478 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 479 } 480 481 /* 482 * Binding to a privileged port, port must be specified in host byte 483 * order. 484 */ 485 int 486 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 487 { 488 /* 489 * NFS ports, these are extra privileged ports, allow bind 490 * only if the SYS_NFS privilege is present. 491 */ 492 if (port == 2049 || port == 4045) 493 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 494 "NFS port")); 495 else 496 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 497 NULL)); 498 } 499 500 /* 501 * Binding to a multilevel port on a trusted (labeled) system. 502 */ 503 int 504 secpolicy_net_bindmlp(const cred_t *cr) 505 { 506 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, 507 NULL)); 508 } 509 510 /* 511 * Allow a communication between a zone and an unlabeled host when their 512 * labels don't match. 513 */ 514 int 515 secpolicy_net_mac_aware(const cred_t *cr) 516 { 517 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, 518 NULL)); 519 } 520 521 /* 522 * Common routine which determines whether a given credential can 523 * act on a given mount. 524 * When called through mount, the parameter needoptcheck is a pointer 525 * to a boolean variable which will be set to either true or false, 526 * depending on whether the mount policy should change the mount options. 527 * In all other cases, needoptcheck should be a NULL pointer. 528 */ 529 static int 530 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 531 boolean_t *needoptcheck) 532 { 533 boolean_t allzone = B_FALSE; 534 boolean_t mounting = needoptcheck != NULL; 535 536 /* 537 * Short circuit the following cases: 538 * vfsp == NULL or mvp == NULL (pure privilege check) 539 * have all privileges - no further checks required 540 * and no mount options need to be set. 541 */ 542 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 543 if (mounting) 544 *needoptcheck = B_FALSE; 545 546 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 547 } 548 549 /* 550 * When operating on an existing mount (either we're not mounting 551 * or we're doing a remount and VFS_REMOUNT will be set), zones 552 * can operate only on mounts established by the zone itself. 553 */ 554 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 555 zoneid_t zoneid = crgetzoneid(cr); 556 557 if (zoneid != GLOBAL_ZONEID && 558 vfsp->vfs_zone->zone_id != zoneid) { 559 return (EPERM); 560 } 561 } 562 563 if (mounting) 564 *needoptcheck = B_TRUE; 565 566 /* 567 * Overlay mounts may hide important stuff; if you can't write to a 568 * mount point but would be able to mount on top of it, you can 569 * escalate your privileges. 570 * So we go about asking the same questions namefs does when it 571 * decides whether you can mount over a file or not but with the 572 * added restriction that you can only mount on top of a regular 573 * file or directory. 574 * If we have all the zone's privileges, we skip all other checks, 575 * or else we may actually get in trouble inside the automounter. 576 */ 577 if ((mvp->v_flag & VROOT) != 0 || 578 (mvp->v_type != VDIR && mvp->v_type != VREG) || 579 HAS_ALLZONEPRIVS(cr)) { 580 allzone = B_TRUE; 581 } else { 582 vattr_t va; 583 int err; 584 585 va.va_mask = AT_UID|AT_MODE; 586 err = VOP_GETATTR(mvp, &va, 0, cr); 587 if (err != 0) 588 return (err); 589 590 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 591 return (err); 592 593 if ((va.va_mode & VWRITE) == 0 && 594 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 595 return (EACCES); 596 } 597 } 598 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 599 } 600 601 extern vnode_t *rootvp; 602 extern vfs_t *rootvfs; 603 604 int 605 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 606 { 607 boolean_t needoptchk; 608 int error; 609 610 /* 611 * If it's a remount, get the underlying mount point, 612 * except for the root where we use the rootvp. 613 */ 614 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 615 if (vfsp == rootvfs) 616 mvp = rootvp; 617 else 618 mvp = vfsp->vfs_vnodecovered; 619 } 620 621 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 622 623 if (error == 0 && needoptchk) { 624 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 625 626 /* 627 * Third check; if we don't have either "nosuid" or 628 * both "nosetuid" and "nodevices", then we add 629 * "nosuid"; this depends on how the current 630 * implementation works (it first checks nosuid). In a 631 * zone, a user with all zone privileges can mount with 632 * "setuid" but never with "devices". 633 */ 634 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 635 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 636 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 637 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 638 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 639 else 640 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 641 } 642 /* 643 * If we're not the local super user, we set the "restrict" 644 * option to indicate to automountd that this mount should 645 * be handled with care. 646 */ 647 if (!amsuper) 648 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 649 650 } 651 return (error); 652 } 653 654 /* 655 * Does the policy computations for "ownership" of a mount; 656 * here ownership is defined as the ability to "mount" 657 * the filesystem originally. The rootvfs doesn't cover any 658 * vnodes; we attribute its ownership to the rootvp. 659 */ 660 static int 661 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 662 { 663 vnode_t *mvp; 664 665 if (vfsp == NULL) 666 mvp = NULL; 667 else if (vfsp == rootvfs) 668 mvp = rootvp; 669 else 670 mvp = vfsp->vfs_vnodecovered; 671 672 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 673 } 674 675 int 676 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 677 { 678 return (secpolicy_fs_owner(cr, vfsp)); 679 } 680 681 /* 682 * Quotas are a resource, but if one has the ability to mount a filesystem, he 683 * should be able to modify quotas on it. 684 */ 685 int 686 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 687 { 688 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 689 } 690 691 /* 692 * Exceeding minfree: also a per-mount resource constraint. 693 */ 694 int 695 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 696 { 697 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 698 } 699 700 int 701 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 702 { 703 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 704 } 705 706 /* ARGSUSED */ 707 int 708 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 709 { 710 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 711 } 712 713 /* 714 * Name: secpolicy_vnode_access() 715 * 716 * Parameters: Process credential 717 * vnode 718 * uid of owner of vnode 719 * permission bits not granted to the caller when examining 720 * file mode bits (i.e., when a process wants to open a 721 * mode 444 file for VREAD|VWRITE, this function should be 722 * called only with a VWRITE argument). 723 * 724 * Normal: Verifies that cred has the appropriate privileges to 725 * override the mode bits that were denied. 726 * 727 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 728 * not a directory. 729 * file_dac_read - if VREAD bit was denied. 730 * file_dac_search - if VEXEC bit was denied and vnode is 731 * a directory. 732 * file_dac_write - if VWRITE bit was denied. 733 * 734 * Root owned files are special cased to protect system 735 * configuration files and such. 736 * 737 * Output: EACCES - if privilege check fails. 738 */ 739 740 /* ARGSUSED */ 741 int 742 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 743 { 744 if ((mode & VREAD) && 745 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 746 return (EACCES); 747 748 if (mode & VWRITE) { 749 boolean_t allzone; 750 751 if (owner == 0 && cr->cr_uid != 0) 752 allzone = B_TRUE; 753 else 754 allzone = B_FALSE; 755 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 756 != 0) 757 return (EACCES); 758 } 759 760 if (mode & VEXEC) { 761 /* 762 * Directories use file_dac_search to override the execute bit. 763 */ 764 vtype_t vtype = vp->v_type; 765 766 if (vtype == VDIR) 767 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 768 EACCES, NULL)); 769 else 770 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 771 EACCES, NULL)); 772 } 773 return (0); 774 } 775 776 /* 777 * Name: secpolicy_vnode_setid_modify() 778 * 779 * Normal: verify that subject can set the file setid flags. 780 * 781 * Output: EPERM - if not privileged. 782 */ 783 784 static int 785 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 786 { 787 /* If changing to suid root, must have all zone privs */ 788 boolean_t allzone = B_TRUE; 789 790 if (owner != 0) { 791 if (owner == cr->cr_uid) 792 return (0); 793 allzone = B_FALSE; 794 } 795 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 796 } 797 798 /* 799 * Are we allowed to retain the set-uid/set-gid bits when 800 * changing ownership or when writing to a file? 801 * "issuid" should be true when set-uid; only in that case 802 * root ownership is checked (setgid is assumed). 803 */ 804 int 805 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 806 { 807 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 808 return (EPERM); 809 810 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 811 } 812 813 /* 814 * Name: secpolicy_vnode_setids_setgids() 815 * 816 * Normal: verify that subject can set the file setgid flag. 817 * 818 * Output: EPERM - if not privileged 819 */ 820 821 int 822 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 823 { 824 if (!groupmember(gid, cred)) 825 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 826 NULL)); 827 return (0); 828 } 829 830 /* 831 * Create a file with a group different than any of the groups allowed: 832 * the group of the directory the file is created in, the effective 833 * group or any of the supplementary groups. 834 */ 835 int 836 secpolicy_vnode_create_gid(const cred_t *cred) 837 { 838 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 839 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 840 NULL)); 841 else 842 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 843 NULL)); 844 } 845 846 /* 847 * Name: secpolicy_vnode_utime_modify() 848 * 849 * Normal: verify that subject can modify the utime on a file. 850 * 851 * Output: EPERM - if access denied. 852 */ 853 854 static int 855 secpolicy_vnode_utime_modify(const cred_t *cred) 856 { 857 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 858 "modify file times")); 859 } 860 861 862 /* 863 * Name: secpolicy_vnode_setdac() 864 * 865 * Normal: verify that subject can modify the mode of a file. 866 * allzone privilege needed when modifying root owned object. 867 * 868 * Output: EPERM - if access denied. 869 */ 870 871 int 872 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 873 { 874 if (owner == cred->cr_uid) 875 return (0); 876 877 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 878 } 879 /* 880 * Name: secpolicy_vnode_stky_modify() 881 * 882 * Normal: verify that subject can make a file a "sticky". 883 * 884 * Output: EPERM - if access denied. 885 */ 886 887 int 888 secpolicy_vnode_stky_modify(const cred_t *cred) 889 { 890 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 891 "set file sticky")); 892 } 893 894 /* 895 * Policy determines whether we can remove an entry from a directory, 896 * regardless of permission bits. 897 */ 898 int 899 secpolicy_vnode_remove(const cred_t *cr) 900 { 901 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 902 "sticky directory")); 903 } 904 905 int 906 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 907 { 908 boolean_t allzone = (owner == 0); 909 910 if (owner == cr->cr_uid) 911 return (0); 912 913 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 914 } 915 916 void 917 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 918 { 919 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 920 secpolicy_vnode_setid_retain(cr, 921 (vap->va_mode & S_ISUID) != 0 && 922 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 923 vap->va_mask |= AT_MODE; 924 vap->va_mode &= ~(S_ISUID|S_ISGID); 925 } 926 } 927 928 int 929 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 930 cred_t *cr) 931 { 932 int error; 933 934 if ((vap->va_mode & S_ISUID) != 0 && 935 (error = secpolicy_vnode_setid_modify(cr, 936 ovap->va_uid)) != 0) { 937 return (error); 938 } 939 940 /* 941 * Check privilege if attempting to set the 942 * sticky bit on a non-directory. 943 */ 944 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 945 secpolicy_vnode_stky_modify(cr) != 0) { 946 vap->va_mode &= ~S_ISVTX; 947 } 948 949 /* 950 * Check for privilege if attempting to set the 951 * group-id bit. 952 */ 953 if ((vap->va_mode & S_ISGID) != 0 && 954 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 955 vap->va_mode &= ~S_ISGID; 956 } 957 958 return (0); 959 } 960 961 /* 962 * This function checks the policy decisions surrounding the 963 * vop setattr call. 964 * 965 * It should be called after sufficient locks have been established 966 * on the underlying data structures. No concurrent modifications 967 * should be allowed. 968 * 969 * The caller must pass in unlocked version of its vaccess function 970 * this is required because vop_access function should lock the 971 * node for reading. A three argument function should be defined 972 * which accepts the following argument: 973 * A pointer to the internal "node" type (inode *) 974 * vnode access bits (VREAD|VWRITE|VEXEC) 975 * a pointer to the credential 976 * 977 * This function makes the following policy decisions: 978 * 979 * - change permissions 980 * - permission to change file mode if not owner 981 * - permission to add sticky bit to non-directory 982 * - permission to add set-gid bit 983 * 984 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 985 * 986 * If the vap argument does not include AT_MODE, the mode will be copied from 987 * ovap. In certain situations set-uid/set-gid bits need to be removed; 988 * this is done by marking vap->va_mask to include AT_MODE and va_mode 989 * is updated to the newly computed mode. 990 */ 991 992 int 993 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 994 const struct vattr *ovap, int flags, 995 int unlocked_access(void *, int, cred_t *), 996 void *node) 997 { 998 int mask = vap->va_mask; 999 int error = 0; 1000 1001 if (mask & AT_SIZE) { 1002 if (vp->v_type == VDIR) { 1003 error = EISDIR; 1004 goto out; 1005 } 1006 error = unlocked_access(node, VWRITE, cr); 1007 if (error) 1008 goto out; 1009 } 1010 if (mask & AT_MODE) { 1011 /* 1012 * If not the owner of the file then check privilege 1013 * for two things: the privilege to set the mode at all 1014 * and, if we're setting setuid, we also need permissions 1015 * to add the set-uid bit, if we're not the owner. 1016 * In the specific case of creating a set-uid root 1017 * file, we need even more permissions. 1018 */ 1019 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1020 goto out; 1021 1022 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1023 ovap, cr)) != 0) 1024 goto out; 1025 } else 1026 vap->va_mode = ovap->va_mode; 1027 1028 if (mask & (AT_UID|AT_GID)) { 1029 boolean_t checkpriv = B_FALSE; 1030 int priv; 1031 boolean_t allzone = B_FALSE; 1032 1033 /* 1034 * Chowning files. 1035 * 1036 * If you are the file owner: 1037 * chown to other uid FILE_CHOWN_SELF 1038 * chown to gid (non-member) FILE_CHOWN_SELF 1039 * chown to gid (member) <none> 1040 * 1041 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1042 * acceptable but the first one is reported when debugging. 1043 * 1044 * If you are not the file owner: 1045 * chown from root PRIV_FILE_CHOWN + zone 1046 * chown from other to any PRIV_FILE_CHOWN 1047 * 1048 */ 1049 if (cr->cr_uid != ovap->va_uid) { 1050 checkpriv = B_TRUE; 1051 allzone = (ovap->va_uid == 0); 1052 priv = PRIV_FILE_CHOWN; 1053 } else { 1054 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1055 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1056 !groupmember(vap->va_gid, cr))) { 1057 checkpriv = B_TRUE; 1058 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1059 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1060 } 1061 } 1062 /* 1063 * If necessary, check privilege to see if update can be done. 1064 */ 1065 if (checkpriv && 1066 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1067 != 0) { 1068 goto out; 1069 } 1070 1071 /* 1072 * If the file has either the set UID or set GID bits 1073 * set and the caller can set the bits, then leave them. 1074 */ 1075 secpolicy_setid_clear(vap, cr); 1076 } 1077 if (mask & (AT_ATIME|AT_MTIME)) { 1078 /* 1079 * If not the file owner and not otherwise privileged, 1080 * always return an error when setting the 1081 * time other than the current (ATTR_UTIME flag set). 1082 * If setting the current time (ATTR_UTIME not set) then 1083 * unlocked_access will check permissions according to policy. 1084 */ 1085 if (cr->cr_uid != ovap->va_uid) { 1086 if (flags & ATTR_UTIME) 1087 error = secpolicy_vnode_utime_modify(cr); 1088 else { 1089 error = unlocked_access(node, VWRITE, cr); 1090 if (error == EACCES && 1091 secpolicy_vnode_utime_modify(cr) == 0) 1092 error = 0; 1093 } 1094 if (error) 1095 goto out; 1096 } 1097 } 1098 out: 1099 return (error); 1100 } 1101 1102 /* 1103 * Name: secpolicy_pcfs_modify_bootpartition() 1104 * 1105 * Normal: verify that subject can modify a pcfs boot partition. 1106 * 1107 * Output: EACCES - if privilege check failed. 1108 */ 1109 /*ARGSUSED*/ 1110 int 1111 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1112 { 1113 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1114 "modify pcfs boot partition")); 1115 } 1116 1117 /* 1118 * System V IPC routines 1119 */ 1120 int 1121 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1122 { 1123 if (crgetzoneid(cr) != ip->ipc_zoneid || 1124 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1125 boolean_t allzone = B_FALSE; 1126 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1127 allzone = B_TRUE; 1128 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1129 } 1130 return (0); 1131 } 1132 1133 int 1134 secpolicy_ipc_config(const cred_t *cr) 1135 { 1136 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1137 } 1138 1139 int 1140 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1141 { 1142 1143 boolean_t allzone = B_FALSE; 1144 1145 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1146 1147 if ((mode & MSG_R) && 1148 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1149 return (EACCES); 1150 1151 if (mode & MSG_W) { 1152 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1153 allzone = B_TRUE; 1154 1155 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1156 NULL)); 1157 } 1158 return (0); 1159 } 1160 1161 int 1162 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1163 { 1164 boolean_t allzone = B_FALSE; 1165 1166 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1167 1168 if ((mode & MSG_R) && 1169 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1170 return (EACCES); 1171 1172 if (mode & MSG_W) { 1173 if (cr->cr_uid != 0 && owner == 0) 1174 allzone = B_TRUE; 1175 1176 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1177 NULL)); 1178 } 1179 return (0); 1180 } 1181 1182 /* 1183 * Audit configuration. 1184 */ 1185 int 1186 secpolicy_audit_config(const cred_t *cr) 1187 { 1188 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1189 } 1190 1191 /* 1192 * Audit record generation. 1193 */ 1194 int 1195 secpolicy_audit_modify(const cred_t *cr) 1196 { 1197 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1198 } 1199 1200 /* 1201 * Get audit attributes. 1202 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1203 * "Least" of the two privileges on error. 1204 */ 1205 int 1206 secpolicy_audit_getattr(const cred_t *cr) 1207 { 1208 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1209 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1210 NULL)); 1211 } else { 1212 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1213 } 1214 } 1215 1216 1217 /* 1218 * Locking physical memory 1219 */ 1220 int 1221 secpolicy_lock_memory(const cred_t *cr) 1222 { 1223 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1224 } 1225 1226 /* 1227 * Accounting (both acct(2) and exacct). 1228 */ 1229 int 1230 secpolicy_acct(const cred_t *cr) 1231 { 1232 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1233 } 1234 1235 /* 1236 * Is this process privileged to change its uids at will? 1237 * Uid 0 is still considered "special" and having the SETID 1238 * privilege is not sufficient to get uid 0. 1239 * Files are owned by root, so the privilege would give 1240 * full access and euid 0 is still effective. 1241 * 1242 * If you have the privilege and euid 0 only then do you 1243 * get the powers of root wrt uid 0. 1244 * 1245 * For gid manipulations, this is should be called with an 1246 * uid of -1. 1247 * 1248 */ 1249 int 1250 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1251 { 1252 boolean_t allzone = B_FALSE; 1253 1254 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1255 cr->cr_ruid != 0) { 1256 allzone = B_TRUE; 1257 } 1258 1259 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1260 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1261 } 1262 1263 1264 /* 1265 * Acting on a different process: if the mode is for writing, 1266 * the restrictions are more severe. This is called after 1267 * we've verified that the uids do not match. 1268 */ 1269 int 1270 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1271 { 1272 boolean_t allzone = B_FALSE; 1273 1274 if ((mode & VWRITE) && scr->cr_uid != 0 && 1275 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1276 allzone = B_TRUE; 1277 1278 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1279 } 1280 1281 int 1282 secpolicy_proc_access(const cred_t *scr) 1283 { 1284 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1285 } 1286 1287 int 1288 secpolicy_proc_excl_open(const cred_t *scr) 1289 { 1290 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1291 } 1292 1293 int 1294 secpolicy_proc_zone(const cred_t *scr) 1295 { 1296 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1297 } 1298 1299 /* 1300 * Destroying the system 1301 */ 1302 1303 int 1304 secpolicy_kmdb(const cred_t *scr) 1305 { 1306 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1307 } 1308 1309 int 1310 secpolicy_error_inject(const cred_t *scr) 1311 { 1312 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1313 } 1314 1315 /* 1316 * Processor sets, cpu configuration, resource pools. 1317 */ 1318 int 1319 secpolicy_pset(const cred_t *cr) 1320 { 1321 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1322 } 1323 1324 int 1325 secpolicy_ponline(const cred_t *cr) 1326 { 1327 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1328 } 1329 1330 int 1331 secpolicy_pool(const cred_t *cr) 1332 { 1333 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1334 } 1335 1336 int 1337 secpolicy_blacklist(const cred_t *cr) 1338 { 1339 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1340 } 1341 1342 /* 1343 * Catch all system configuration. 1344 */ 1345 int 1346 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1347 { 1348 if (checkonly) { 1349 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1350 EPERM); 1351 } else { 1352 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1353 } 1354 } 1355 1356 /* 1357 * Zone administration (halt, reboot, etc.) from within zone. 1358 */ 1359 int 1360 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1361 { 1362 if (checkonly) { 1363 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1364 EPERM); 1365 } else { 1366 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1367 NULL)); 1368 } 1369 } 1370 1371 /* 1372 * Zone configuration (create, halt, enter). 1373 */ 1374 int 1375 secpolicy_zone_config(const cred_t *cr) 1376 { 1377 /* 1378 * Require all privileges to avoid possibility of privilege 1379 * escalation. 1380 */ 1381 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1382 } 1383 1384 /* 1385 * Various other system configuration calls 1386 */ 1387 int 1388 secpolicy_coreadm(const cred_t *cr) 1389 { 1390 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1391 } 1392 1393 int 1394 secpolicy_systeminfo(const cred_t *cr) 1395 { 1396 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1397 } 1398 1399 int 1400 secpolicy_dispadm(const cred_t *cr) 1401 { 1402 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1403 } 1404 1405 int 1406 secpolicy_settime(const cred_t *cr) 1407 { 1408 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1409 } 1410 1411 /* 1412 * For realtime users: high resolution clock. 1413 */ 1414 int 1415 secpolicy_clock_highres(const cred_t *cr) 1416 { 1417 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1418 NULL)); 1419 } 1420 1421 /* 1422 * drv_priv() is documented as callable from interrupt context, not that 1423 * anyone ever does, but still. No debugging or auditing can be done when 1424 * it is called from interrupt context. 1425 * returns 0 on succes, EPERM on failure. 1426 */ 1427 int 1428 drv_priv(cred_t *cr) 1429 { 1430 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1431 } 1432 1433 int 1434 secpolicy_sys_devices(const cred_t *cr) 1435 { 1436 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1437 } 1438 1439 int 1440 secpolicy_excl_open(const cred_t *cr) 1441 { 1442 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1443 } 1444 1445 int 1446 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1447 { 1448 /* zone.* rctls can only be set from the global zone */ 1449 if (is_zone_rctl && priv_policy_global(cr) != 0) 1450 return (EPERM); 1451 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1452 } 1453 1454 int 1455 secpolicy_resource(const cred_t *cr) 1456 { 1457 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1458 } 1459 1460 /* 1461 * Processes with a real uid of 0 escape any form of accounting, much 1462 * like before. 1463 */ 1464 int 1465 secpolicy_newproc(const cred_t *cr) 1466 { 1467 if (cr->cr_ruid == 0) 1468 return (0); 1469 1470 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1471 } 1472 1473 /* 1474 * Networking 1475 */ 1476 int 1477 secpolicy_net_rawaccess(const cred_t *cr) 1478 { 1479 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1480 } 1481 1482 /* 1483 * Need this privilege for accessing the ICMP device 1484 */ 1485 int 1486 secpolicy_net_icmpaccess(const cred_t *cr) 1487 { 1488 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1489 } 1490 1491 /* 1492 * There are a few rare cases where the kernel generates ioctls() from 1493 * interrupt context with a credential of kcred rather than NULL. 1494 * In those cases, we take the safe and cheap test. 1495 */ 1496 int 1497 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1498 { 1499 if (checkonly) { 1500 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1501 0 : EPERM); 1502 } else { 1503 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1504 NULL)); 1505 } 1506 } 1507 1508 1509 /* 1510 * Map network pseudo privileges to actual privileges. 1511 * So we don't need to recompile IP when we change the privileges. 1512 */ 1513 int 1514 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1515 { 1516 int priv = PRIV_ALL; 1517 1518 switch (netpriv) { 1519 case OP_CONFIG: 1520 priv = PRIV_SYS_NET_CONFIG; 1521 break; 1522 case OP_RAW: 1523 priv = PRIV_NET_RAWACCESS; 1524 break; 1525 case OP_PRIVPORT: 1526 priv = PRIV_NET_PRIVADDR; 1527 break; 1528 } 1529 ASSERT(priv != PRIV_ALL); 1530 if (checkonly) 1531 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1532 else 1533 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1534 } 1535 1536 /* 1537 * Checks for operations that are either client-only or are used by 1538 * both clients and servers. 1539 */ 1540 int 1541 secpolicy_nfs(const cred_t *cr) 1542 { 1543 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1544 } 1545 1546 /* 1547 * Special case for opening rpcmod: have NFS privileges or network 1548 * config privileges. 1549 */ 1550 int 1551 secpolicy_rpcmod_open(const cred_t *cr) 1552 { 1553 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1554 return (secpolicy_nfs(cr)); 1555 else 1556 return (secpolicy_net_config(cr, NULL)); 1557 } 1558 1559 int 1560 secpolicy_chroot(const cred_t *cr) 1561 { 1562 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1563 } 1564 1565 int 1566 secpolicy_tasksys(const cred_t *cr) 1567 { 1568 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1569 } 1570 1571 /* 1572 * Basic privilege checks. 1573 */ 1574 int 1575 secpolicy_basic_exec(const cred_t *cr) 1576 { 1577 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1578 } 1579 1580 int 1581 secpolicy_basic_fork(const cred_t *cr) 1582 { 1583 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1584 } 1585 1586 int 1587 secpolicy_basic_proc(const cred_t *cr) 1588 { 1589 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1590 } 1591 1592 /* 1593 * Slightly complicated because we don't want to trigger the policy too 1594 * often. First we shortcircuit access to "self" (tp == sp) or if 1595 * we don't have the privilege but if we have permission 1596 * just return (0) and we don't flag the privilege as needed. 1597 * Else, we test for the privilege because we either have it or need it. 1598 */ 1599 int 1600 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1601 { 1602 if (tp == sp || 1603 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1604 return (0); 1605 } else { 1606 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1607 } 1608 } 1609 1610 int 1611 secpolicy_basic_link(const cred_t *cr) 1612 { 1613 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1614 } 1615 1616 /* 1617 * Additional device protection. 1618 * 1619 * Traditionally, a device has specific permissions on the node in 1620 * the filesystem which govern which devices can be opened by what 1621 * processes. In certain cases, it is desirable to add extra 1622 * restrictions, as writing to certain devices is identical to 1623 * having a complete run of the system. 1624 * 1625 * This mechanism is called the device policy. 1626 * 1627 * When a device is opened, its policy entry is looked up in the 1628 * policy cache and checked. 1629 */ 1630 int 1631 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1632 { 1633 devplcy_t *plcy; 1634 int err; 1635 struct snode *csp = VTOS(common_specvp(vp)); 1636 1637 mutex_enter(&csp->s_lock); 1638 1639 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1640 plcy = devpolicy_find(vp); 1641 if (csp->s_plcy) 1642 dpfree(csp->s_plcy); 1643 csp->s_plcy = plcy; 1644 ASSERT(plcy != NULL); 1645 } else 1646 plcy = csp->s_plcy; 1647 1648 if (plcy == nullpolicy) { 1649 mutex_exit(&csp->s_lock); 1650 return (0); 1651 } 1652 1653 dphold(plcy); 1654 1655 mutex_exit(&csp->s_lock); 1656 1657 err = secpolicy_require_set(cr, 1658 (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy"); 1659 dpfree(plcy); 1660 1661 return (err); 1662 } 1663 1664 int 1665 secpolicy_modctl(const cred_t *cr, int cmd) 1666 { 1667 switch (cmd) { 1668 case MODINFO: 1669 case MODGETMAJBIND: 1670 case MODGETPATH: 1671 case MODGETPATHLEN: 1672 case MODGETNAME: 1673 case MODGETFBNAME: 1674 case MODGETDEVPOLICY: 1675 case MODGETDEVPOLICYBYNAME: 1676 case MODDEVT2INSTANCE: 1677 case MODSIZEOF_DEVID: 1678 case MODGETDEVID: 1679 case MODSIZEOF_MINORNAME: 1680 case MODGETMINORNAME: 1681 case MODGETDEVFSPATH_LEN: 1682 case MODGETDEVFSPATH: 1683 case MODGETDEVFSPATH_MI_LEN: 1684 case MODGETDEVFSPATH_MI: 1685 /* Unprivileged */ 1686 return (0); 1687 case MODLOAD: 1688 case MODSETDEVPOLICY: 1689 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1690 default: 1691 return (secpolicy_sys_config(cr, B_FALSE)); 1692 } 1693 } 1694 1695 int 1696 secpolicy_console(const cred_t *cr) 1697 { 1698 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1699 } 1700 1701 int 1702 secpolicy_power_mgmt(const cred_t *cr) 1703 { 1704 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1705 } 1706 1707 /* 1708 * Simulate terminal input; another escalation of privileges avenue. 1709 */ 1710 1711 int 1712 secpolicy_sti(const cred_t *cr) 1713 { 1714 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1715 } 1716 1717 boolean_t 1718 secpolicy_net_reply_equal(const cred_t *cr) 1719 { 1720 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1721 } 1722 1723 int 1724 secpolicy_swapctl(const cred_t *cr) 1725 { 1726 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1727 } 1728 1729 int 1730 secpolicy_cpc_cpu(const cred_t *cr) 1731 { 1732 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1733 } 1734 1735 /* 1736 * secpolicy_contract_observer 1737 * 1738 * Determine if the subject may observe a specific contract's events. 1739 */ 1740 int 1741 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1742 { 1743 if (contract_owned(ct, cr, B_FALSE)) 1744 return (0); 1745 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1746 } 1747 1748 /* 1749 * secpolicy_contract_observer_choice 1750 * 1751 * Determine if the subject may observe any contract's events. Just 1752 * tests privilege and audits on success. 1753 */ 1754 boolean_t 1755 secpolicy_contract_observer_choice(const cred_t *cr) 1756 { 1757 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1758 } 1759 1760 /* 1761 * secpolicy_contract_event 1762 * 1763 * Determine if the subject may request critical contract events or 1764 * reliable contract event delivery. 1765 */ 1766 int 1767 secpolicy_contract_event(const cred_t *cr) 1768 { 1769 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1770 } 1771 1772 /* 1773 * secpolicy_contract_event_choice 1774 * 1775 * Determine if the subject may retain contract events in its critical 1776 * set when a change in other terms would normally require a change in 1777 * the critical set. Just tests privilege and audits on success. 1778 */ 1779 boolean_t 1780 secpolicy_contract_event_choice(const cred_t *cr) 1781 { 1782 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1783 } 1784 1785 /* 1786 * secpolicy_gart_access 1787 * 1788 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 1789 * device. 1790 */ 1791 int 1792 secpolicy_gart_access(const cred_t *cr) 1793 { 1794 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 1795 } 1796 1797 /* 1798 * secpolicy_gart_map 1799 * 1800 * Determine if the subject has sufficient priveleges to map aperture range 1801 * through agpgart driver. 1802 */ 1803 int 1804 secpolicy_gart_map(const cred_t *cr) 1805 { 1806 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 1807 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 1808 NULL)); 1809 } else { 1810 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 1811 NULL)); 1812 } 1813 } 1814 1815 /* 1816 * secpolicy_zinject 1817 * 1818 * Determine if the subject can inject faults in the ZFS fault injection 1819 * framework. Requires all privileges. 1820 */ 1821 int 1822 secpolicy_zinject(const cred_t *cr) 1823 { 1824 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1825 } 1826 1827 /* 1828 * secpolicy_zfs 1829 * 1830 * Determine if the subject has permission to manipulate ZFS datasets 1831 * (not pools). Equivalent to the SYS_MOUNT privilege. 1832 */ 1833 int 1834 secpolicy_zfs(const cred_t *cr) 1835 { 1836 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1837 } 1838