1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2016 Joyent, Inc. 24 * Copyright (c) 2016 by Delphix. All rights reserved. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/sysmacros.h> 29 #include <sys/param.h> 30 #include <sys/systm.h> 31 #include <sys/cred_impl.h> 32 #include <sys/vnode.h> 33 #include <sys/vfs.h> 34 #include <sys/stat.h> 35 #include <sys/errno.h> 36 #include <sys/kmem.h> 37 #include <sys/user.h> 38 #include <sys/proc.h> 39 #include <sys/acct.h> 40 #include <sys/ipc_impl.h> 41 #include <sys/cmn_err.h> 42 #include <sys/debug.h> 43 #include <sys/policy.h> 44 #include <sys/kobj.h> 45 #include <sys/msg.h> 46 #include <sys/devpolicy.h> 47 #include <c2/audit.h> 48 #include <sys/varargs.h> 49 #include <sys/klpd.h> 50 #include <sys/modctl.h> 51 #include <sys/disp.h> 52 #include <sys/zone.h> 53 #include <inet/optcom.h> 54 #include <sys/sdt.h> 55 #include <sys/vfs.h> 56 #include <sys/mntent.h> 57 #include <sys/contract_impl.h> 58 #include <sys/dld_ioc.h> 59 60 /* 61 * There are two possible layers of privilege routines and two possible 62 * levels of secpolicy. Plus one other we may not be interested in, so 63 * we may need as many as 6 but no more. 64 */ 65 #define MAXPRIVSTACK 6 66 67 int priv_debug = 0; 68 int priv_basic_test = -1; 69 70 /* 71 * This file contains the majority of the policy routines. 72 * Since the policy routines are defined by function and not 73 * by privilege, there is quite a bit of duplication of 74 * functions. 75 * 76 * The secpolicy functions must not make assumptions about 77 * locks held or not held as any lock can be held while they're 78 * being called. 79 * 80 * Credentials are read-only so no special precautions need to 81 * be taken while locking them. 82 * 83 * When a new policy check needs to be added to the system the 84 * following procedure should be followed: 85 * 86 * Pick an appropriate secpolicy_*() function 87 * -> done if one exists. 88 * Create a new secpolicy function, preferably with 89 * a descriptive name using the standard template. 90 * Pick an appropriate privilege for the policy. 91 * If no appropraite privilege exists, define new one 92 * (this should be done with extreme care; in most cases 93 * little is gained by adding another privilege) 94 * 95 * WHY ROOT IS STILL SPECIAL. 96 * 97 * In a number of the policy functions, there are still explicit 98 * checks for uid 0. The rationale behind these is that many root 99 * owned files/objects hold configuration information which can give full 100 * privileges to the user once written to. To prevent escalation 101 * of privilege by allowing just a single privilege to modify root owned 102 * objects, we've added these root specific checks where we considered 103 * them necessary: modifying root owned files, changing uids to 0, etc. 104 * 105 * PRIVILEGE ESCALATION AND ZONES. 106 * 107 * A number of operations potentially allow the caller to achieve 108 * privileges beyond the ones normally required to perform the operation. 109 * For example, if allowed to create a setuid 0 executable, a process can 110 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 111 * restrictions on the ability to gain privileges beyond those available 112 * within the zone through file and process manipulation. Hence, such 113 * operations require that the caller have an effective set that includes 114 * all privileges available within the current zone, or all privileges 115 * if executing in the global zone. 116 * 117 * This is indicated in the priv_policy* policy checking functions 118 * through a combination of parameters. The "priv" parameter indicates 119 * the privilege that is required, and the "allzone" parameter indicates 120 * whether or not all privileges in the zone are required. In addition, 121 * priv can be set to PRIV_ALL to indicate that all privileges are 122 * required (regardless of zone). There are three scenarios of interest: 123 * (1) operation requires a specific privilege 124 * (2) operation requires a specific privilege, and requires all 125 * privileges available within the zone (or all privileges if in 126 * the global zone) 127 * (3) operation requires all privileges, regardless of zone 128 * 129 * For (1), priv should be set to the specific privilege, and allzone 130 * should be set to B_FALSE. 131 * For (2), priv should be set to the specific privilege, and allzone 132 * should be set to B_TRUE. 133 * For (3), priv should be set to PRIV_ALL, and allzone should be set 134 * to B_FALSE. 135 * 136 */ 137 138 /* 139 * The privileges are checked against the Effective set for 140 * ordinary processes and checked against the Limit set 141 * for euid 0 processes that haven't manipulated their privilege 142 * sets. 143 */ 144 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 145 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 146 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 147 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 148 HAS_ALLPRIVS(cr) : \ 149 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 150 151 #define FAST_BASIC_CHECK(cr, priv) \ 152 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \ 153 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \ 154 return (0); \ 155 } 156 157 /* 158 * Policy checking functions. 159 * 160 * All of the system's policy should be implemented here. 161 */ 162 163 /* 164 * Private functions which take an additional va_list argument to 165 * implement an object specific policy override. 166 */ 167 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 168 const char *, va_list); 169 static int priv_policy_va(const cred_t *, int, boolean_t, int, 170 const char *, ...); 171 172 /* 173 * Generic policy calls 174 * 175 * The "bottom" functions of policy control 176 */ 177 static char * 178 mprintf(const char *fmt, ...) 179 { 180 va_list args; 181 char *buf; 182 size_t len; 183 184 va_start(args, fmt); 185 len = vsnprintf(NULL, 0, fmt, args) + 1; 186 va_end(args); 187 188 buf = kmem_alloc(len, KM_NOSLEEP); 189 190 if (buf == NULL) 191 return (NULL); 192 193 va_start(args, fmt); 194 (void) vsnprintf(buf, len, fmt, args); 195 va_end(args); 196 197 return (buf); 198 } 199 200 /* 201 * priv_policy_errmsg() 202 * 203 * Generate an error message if privilege debugging is enabled system wide 204 * or for this particular process. 205 */ 206 207 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 208 #define FMTMSG " for \"%s\"" 209 #define FMTFUN " needed at %s+0x%lx" 210 211 /* The maximum size privilege format: the concatenation of the above */ 212 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 213 214 static void 215 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 216 { 217 struct proc *me; 218 pc_t stack[MAXPRIVSTACK]; 219 int depth; 220 int i; 221 char *sym; 222 ulong_t off; 223 const char *pname; 224 225 char *cmd; 226 char fmt[sizeof (FMTMAX)]; 227 228 if ((me = curproc) == &p0) 229 return; 230 231 /* Privileges must be defined */ 232 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 233 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 234 priv_getbynum(priv) != NULL); 235 236 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 237 priv = PRIV_ALL; 238 239 if (curthread->t_pre_sys) 240 ttolwp(curthread)->lwp_badpriv = (short)priv; 241 242 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 243 return; 244 245 (void) strcpy(fmt, FMTHDR); 246 247 if (me->p_user.u_comm[0]) 248 cmd = &me->p_user.u_comm[0]; 249 else 250 cmd = "priv_policy"; 251 252 if (msg != NULL && *msg != '\0') { 253 (void) strcat(fmt, FMTMSG); 254 } else { 255 (void) strcat(fmt, "%s"); 256 msg = ""; 257 } 258 259 sym = NULL; 260 261 depth = getpcstack(stack, MAXPRIVSTACK); 262 263 /* 264 * Try to find the first interesting function on the stack. 265 * priv_policy* that's us, so completely uninteresting. 266 * suser(), drv_priv(), secpolicy_* are also called from 267 * too many locations to convey useful information. 268 */ 269 for (i = 0; i < depth; i++) { 270 sym = kobj_getsymname((uintptr_t)stack[i], &off); 271 if (sym != NULL && 272 strstr(sym, "hasprocperm") == 0 && 273 strcmp("suser", sym) != 0 && 274 strcmp("ipcaccess", sym) != 0 && 275 strcmp("drv_priv", sym) != 0 && 276 strncmp("secpolicy_", sym, 10) != 0 && 277 strncmp("priv_policy", sym, 11) != 0) 278 break; 279 } 280 281 if (sym != NULL) 282 (void) strcat(fmt, FMTFUN); 283 284 (void) strcat(fmt, "\n"); 285 286 switch (priv) { 287 case PRIV_ALL: 288 pname = "ALL"; 289 break; 290 case PRIV_MULTIPLE: 291 pname = "MULTIPLE"; 292 break; 293 case PRIV_ALLZONE: 294 pname = "ZONE"; 295 break; 296 case PRIV_GLOBAL: 297 pname = "GLOBAL"; 298 break; 299 default: 300 pname = priv_getbynum(priv); 301 break; 302 } 303 304 if (CR_FLAGS(cr) & PRIV_DEBUG) { 305 /* Remember last message, just like lwp_badpriv. */ 306 if (curthread->t_pdmsg != NULL) { 307 kmem_free(curthread->t_pdmsg, 308 strlen(curthread->t_pdmsg) + 1); 309 } 310 311 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 312 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 313 314 curthread->t_post_sys = 1; 315 } 316 if (priv_debug) { 317 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 318 curthread->t_sysnum, msg, sym, off); 319 } 320 } 321 322 /* 323 * Override the policy, if appropriate. Return 0 if the external 324 * policy engine approves. 325 */ 326 static int 327 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 328 { 329 priv_set_t set; 330 int ret; 331 332 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 333 return (-1); 334 335 if (priv == PRIV_ALL) { 336 priv_fillset(&set); 337 } else if (allzone) { 338 set = *ZONEPRIVS(cr); 339 } else { 340 priv_emptyset(&set); 341 priv_addset(&set, priv); 342 } 343 ret = klpd_call(cr, &set, ap); 344 return (ret); 345 } 346 347 static int 348 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) 349 { 350 if (CR_FLAGS(cr) & PRIV_PFEXEC) 351 return (check_user_privs(cr, req)); 352 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 353 return (klpd_call(cr, req, ap)); 354 } 355 return (-1); 356 } 357 358 static int 359 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) 360 { 361 va_list ap; 362 int ret; 363 364 va_start(ap, req); 365 ret = priv_policy_override_set(cr, req, ap); 366 va_end(ap); 367 return (ret); 368 } 369 370 /* 371 * Audit failure, log error message. 372 */ 373 static void 374 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 375 { 376 377 if (AU_AUDITING()) 378 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 379 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 380 381 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 382 curthread->t_pre_sys) { 383 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 384 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 385 } else { 386 ASSERT(!HAS_PRIVILEGE(cr, priv)); 387 priv_policy_errmsg(cr, priv, msg); 388 } 389 } 390 } 391 392 /* 393 * priv_policy_ap() 394 * return 0 or error. 395 * See block comment above for a description of "priv" and "allzone" usage. 396 */ 397 static int 398 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 399 const char *msg, va_list ap) 400 { 401 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 402 (!servicing_interrupt() && 403 priv_policy_override(cr, priv, allzone, ap) == 0)) { 404 if ((allzone || priv == PRIV_ALL || 405 !PRIV_ISASSERT(priv_basic, priv)) && 406 !servicing_interrupt()) { 407 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 408 if (AU_AUDITING()) 409 audit_priv(priv, 410 allzone ? ZONEPRIVS(cr) : NULL, 1); 411 } 412 err = 0; 413 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 414 } else if (!servicing_interrupt()) { 415 /* Failure audited in this procedure */ 416 priv_policy_err(cr, priv, allzone, msg); 417 } 418 return (err); 419 } 420 421 int 422 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 423 const char *msg, ...) 424 { 425 int ret; 426 va_list ap; 427 428 va_start(ap, msg); 429 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 430 va_end(ap); 431 432 return (ret); 433 } 434 435 int 436 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 437 const char *msg) 438 { 439 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); 440 } 441 442 /* 443 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 444 */ 445 boolean_t 446 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 447 { 448 boolean_t res = HAS_PRIVILEGE(cr, priv) && 449 (!allzone || HAS_ALLZONEPRIVS(cr)); 450 451 /* Audit success only */ 452 if (res && AU_AUDITING() && 453 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 454 !servicing_interrupt()) { 455 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 456 } 457 if (res) { 458 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 459 } else { 460 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 461 } 462 return (res); 463 } 464 465 /* 466 * Non-auditing variant of priv_policy_choice(). 467 */ 468 boolean_t 469 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 470 { 471 boolean_t res = HAS_PRIVILEGE(cr, priv) && 472 (!allzone || HAS_ALLZONEPRIVS(cr)); 473 474 if (res) { 475 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 476 } else { 477 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 478 } 479 return (res); 480 } 481 482 /* 483 * Check whether all privileges in the required set are present. 484 */ 485 static int 486 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, 487 const char *msg, ...) 488 { 489 int priv; 490 int pfound = -1; 491 priv_set_t pset; 492 va_list ap; 493 int ret; 494 495 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 496 &CR_OEPRIV(cr))) { 497 return (0); 498 } 499 500 va_start(ap, msg); 501 ret = priv_policy_override_set(cr, req, ap); 502 va_end(ap); 503 if (ret == 0) 504 return (0); 505 506 if (req == PRIV_FULLSET || priv_isfullset(req)) { 507 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 508 return (EACCES); 509 } 510 511 pset = CR_OEPRIV(cr); /* present privileges */ 512 priv_inverse(&pset); /* all non present privileges */ 513 priv_intersect(req, &pset); /* the actual missing privs */ 514 515 if (AU_AUDITING()) 516 audit_priv(PRIV_NONE, &pset, 0); 517 /* 518 * Privilege debugging; special case "one privilege in set". 519 */ 520 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 521 for (priv = 0; priv < nprivs; priv++) { 522 if (priv_ismember(&pset, priv)) { 523 if (pfound != -1) { 524 /* Multiple missing privs */ 525 priv_policy_errmsg(cr, PRIV_MULTIPLE, 526 msg); 527 return (EACCES); 528 } 529 pfound = priv; 530 } 531 } 532 ASSERT(pfound != -1); 533 /* Just the one missing privilege */ 534 priv_policy_errmsg(cr, pfound, msg); 535 } 536 537 return (EACCES); 538 } 539 540 /* 541 * Called when an operation requires that the caller be in the 542 * global zone, regardless of privilege. 543 */ 544 static int 545 priv_policy_global(const cred_t *cr) 546 { 547 if (crgetzoneid(cr) == GLOBAL_ZONEID) 548 return (0); /* success */ 549 550 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 551 curthread->t_pre_sys) { 552 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 553 } 554 return (EPERM); 555 } 556 557 /* 558 * Raising process priority 559 */ 560 int 561 secpolicy_raisepriority(const cred_t *cr) 562 { 563 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) 564 return (0); 565 return (secpolicy_setpriority(cr)); 566 } 567 568 /* 569 * Changing process priority or scheduling class 570 */ 571 int 572 secpolicy_setpriority(const cred_t *cr) 573 { 574 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 575 } 576 577 /* 578 * Binding to a privileged port, port must be specified in host byte 579 * order. 580 * When adding a new privilege which allows binding to currently privileged 581 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind 582 * to these ports because of backward compatibility. 583 */ 584 int 585 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 586 { 587 char *reason; 588 int priv; 589 590 switch (port) { 591 case 137: 592 case 138: 593 case 139: 594 case 445: 595 /* 596 * NBT and SMB ports, these are normal privileged ports, 597 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege 598 * is present. 599 * Try both, if neither is present return an error for 600 * priv SYS_SMB. 601 */ 602 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) 603 priv = PRIV_NET_PRIVADDR; 604 else 605 priv = PRIV_SYS_SMB; 606 reason = "NBT or SMB port"; 607 break; 608 609 case 2049: 610 case 4045: 611 /* 612 * NFS ports, these are extra privileged ports, allow bind 613 * only if the SYS_NFS privilege is present. 614 */ 615 priv = PRIV_SYS_NFS; 616 reason = "NFS port"; 617 break; 618 619 default: 620 priv = PRIV_NET_PRIVADDR; 621 reason = NULL; 622 break; 623 624 } 625 626 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 627 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 628 } 629 630 /* 631 * Binding to a multilevel port on a trusted (labeled) system. 632 */ 633 int 634 secpolicy_net_bindmlp(const cred_t *cr) 635 { 636 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 637 } 638 639 /* 640 * Allow a communication between a zone and an unlabeled host when their 641 * labels don't match. 642 */ 643 int 644 secpolicy_net_mac_aware(const cred_t *cr) 645 { 646 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 647 } 648 649 /* 650 * Allow a privileged process to transmit traffic without explicit labels 651 */ 652 int 653 secpolicy_net_mac_implicit(const cred_t *cr) 654 { 655 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 656 } 657 658 /* 659 * Common routine which determines whether a given credential can 660 * act on a given mount. 661 * When called through mount, the parameter needoptcheck is a pointer 662 * to a boolean variable which will be set to either true or false, 663 * depending on whether the mount policy should change the mount options. 664 * In all other cases, needoptcheck should be a NULL pointer. 665 */ 666 static int 667 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 668 boolean_t *needoptcheck) 669 { 670 boolean_t allzone = B_FALSE; 671 boolean_t mounting = needoptcheck != NULL; 672 673 /* 674 * Short circuit the following cases: 675 * vfsp == NULL or mvp == NULL (pure privilege check) 676 * have all privileges - no further checks required 677 * and no mount options need to be set. 678 */ 679 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 680 if (mounting) 681 *needoptcheck = B_FALSE; 682 683 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 684 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 685 } 686 687 /* 688 * When operating on an existing mount (either we're not mounting 689 * or we're doing a remount and VFS_REMOUNT will be set), zones 690 * can operate only on mounts established by the zone itself. 691 */ 692 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 693 zoneid_t zoneid = crgetzoneid(cr); 694 695 if (zoneid != GLOBAL_ZONEID && 696 vfsp->vfs_zone->zone_id != zoneid) { 697 return (EPERM); 698 } 699 } 700 701 if (mounting) 702 *needoptcheck = B_TRUE; 703 704 /* 705 * Overlay mounts may hide important stuff; if you can't write to a 706 * mount point but would be able to mount on top of it, you can 707 * escalate your privileges. 708 * So we go about asking the same questions namefs does when it 709 * decides whether you can mount over a file or not but with the 710 * added restriction that you can only mount on top of a regular 711 * file or directory. 712 * If we have all the zone's privileges, we skip all other checks, 713 * or else we may actually get in trouble inside the automounter. 714 */ 715 if ((mvp->v_flag & VROOT) != 0 || 716 (mvp->v_type != VDIR && mvp->v_type != VREG) || 717 HAS_ALLZONEPRIVS(cr)) { 718 allzone = B_TRUE; 719 } else { 720 vattr_t va; 721 int err; 722 723 va.va_mask = AT_UID|AT_MODE; 724 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 725 if (err != 0) 726 return (err); 727 728 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 729 return (err); 730 731 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, 732 VWRITE) != 0) { 733 return (EACCES); 734 } 735 } 736 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 737 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 738 } 739 740 void 741 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 742 { 743 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 744 745 /* 746 * check; if we don't have either "nosuid" or 747 * both "nosetuid" and "nodevices", then we add 748 * "nosuid"; this depends on how the current 749 * implementation works (it first checks nosuid). In a 750 * zone, a user with all zone privileges can mount with 751 * "setuid" but never with "devices". 752 */ 753 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 754 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 755 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 756 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 757 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 758 else 759 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 760 } 761 /* 762 * If we're not the local super user, we set the "restrict" 763 * option to indicate to automountd that this mount should 764 * be handled with care. 765 */ 766 if (!amsuper) 767 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 768 769 } 770 771 int 772 secpolicy_fs_allowed_mount(const char *fsname) 773 { 774 struct vfssw *vswp; 775 const char *p; 776 size_t len; 777 778 ASSERT(fsname != NULL); 779 ASSERT(fsname[0] != '\0'); 780 781 if (INGLOBALZONE(curproc)) 782 return (0); 783 784 vswp = vfs_getvfssw(fsname); 785 if (vswp == NULL) 786 return (ENOENT); 787 788 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) { 789 vfs_unrefvfssw(vswp); 790 return (0); 791 } 792 793 vfs_unrefvfssw(vswp); 794 795 p = curzone->zone_fs_allowed; 796 len = strlen(fsname); 797 798 while (p != NULL && *p != '\0') { 799 if (strncmp(p, fsname, len) == 0) { 800 char c = *(p + len); 801 if (c == '\0' || c == ',') 802 return (0); 803 } 804 805 /* skip to beyond the next comma */ 806 if ((p = strchr(p, ',')) != NULL) 807 p++; 808 } 809 810 return (EPERM); 811 } 812 813 extern vnode_t *rootvp; 814 extern vfs_t *rootvfs; 815 816 int 817 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 818 { 819 boolean_t needoptchk; 820 int error; 821 822 /* 823 * If it's a remount, get the underlying mount point, 824 * except for the root where we use the rootvp. 825 */ 826 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 827 if (vfsp == rootvfs) 828 mvp = rootvp; 829 else 830 mvp = vfsp->vfs_vnodecovered; 831 } 832 833 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 834 835 if (error == 0 && needoptchk) { 836 secpolicy_fs_mount_clearopts(cr, vfsp); 837 } 838 839 return (error); 840 } 841 842 /* 843 * Does the policy computations for "ownership" of a mount; 844 * here ownership is defined as the ability to "mount" 845 * the filesystem originally. The rootvfs doesn't cover any 846 * vnodes; we attribute its ownership to the rootvp. 847 */ 848 static int 849 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 850 { 851 vnode_t *mvp; 852 853 if (vfsp == NULL) 854 mvp = NULL; 855 else if (vfsp == rootvfs) 856 mvp = rootvp; 857 else 858 mvp = vfsp->vfs_vnodecovered; 859 860 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 861 } 862 863 int 864 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 865 { 866 return (secpolicy_fs_owner(cr, vfsp)); 867 } 868 869 /* 870 * Quotas are a resource, but if one has the ability to mount a filesystem, 871 * they should be able to modify quotas on it. 872 */ 873 int 874 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 875 { 876 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 877 } 878 879 /* 880 * Exceeding minfree: also a per-mount resource constraint. 881 */ 882 int 883 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 884 { 885 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 886 } 887 888 int 889 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 890 { 891 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 892 } 893 894 /* ARGSUSED */ 895 int 896 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 897 { 898 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 899 } 900 901 /* 902 * Name: secpolicy_vnode_access() 903 * 904 * Parameters: Process credential 905 * vnode 906 * uid of owner of vnode 907 * permission bits not granted to the caller when examining 908 * file mode bits (i.e., when a process wants to open a 909 * mode 444 file for VREAD|VWRITE, this function should be 910 * called only with a VWRITE argument). 911 * 912 * Normal: Verifies that cred has the appropriate privileges to 913 * override the mode bits that were denied. 914 * 915 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 916 * not a directory. 917 * file_dac_read - if VREAD bit was denied. 918 * file_dac_search - if VEXEC bit was denied and vnode is 919 * a directory. 920 * file_dac_write - if VWRITE bit was denied. 921 * 922 * Root owned files are special cased to protect system 923 * configuration files and such. 924 * 925 * Output: EACCES - if privilege check fails. 926 */ 927 928 int 929 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 930 { 931 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 932 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 933 KLPDARG_NOMORE) != 0) { 934 return (EACCES); 935 } 936 937 if (mode & VWRITE) { 938 boolean_t allzone; 939 940 if (owner == 0 && cr->cr_uid != 0) 941 allzone = B_TRUE; 942 else 943 allzone = B_FALSE; 944 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 945 NULL, KLPDARG_VNODE, vp, (char *)NULL, 946 KLPDARG_NOMORE) != 0) { 947 return (EACCES); 948 } 949 } 950 951 if (mode & VEXEC) { 952 /* 953 * Directories use file_dac_search to override the execute bit. 954 */ 955 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 956 PRIV_FILE_DAC_EXECUTE; 957 958 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 959 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 960 } 961 return (0); 962 } 963 964 /* 965 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 966 * current mode of the file, not the missing bits. 967 */ 968 int 969 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, 970 mode_t curmode, mode_t wantmode) 971 { 972 mode_t mode; 973 974 /* Inline the basic privileges tests. */ 975 if ((wantmode & VREAD) && 976 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && 977 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 978 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 979 return (EACCES); 980 } 981 982 if ((wantmode & VWRITE) && 983 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && 984 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 985 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 986 return (EACCES); 987 } 988 989 mode = ~curmode & wantmode; 990 991 if (mode == 0) 992 return (0); 993 994 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 995 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 996 KLPDARG_NOMORE) != 0) { 997 return (EACCES); 998 } 999 1000 if (mode & VWRITE) { 1001 boolean_t allzone; 1002 1003 if (owner == 0 && cr->cr_uid != 0) 1004 allzone = B_TRUE; 1005 else 1006 allzone = B_FALSE; 1007 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 1008 NULL, KLPDARG_VNODE, vp, (char *)NULL, 1009 KLPDARG_NOMORE) != 0) { 1010 return (EACCES); 1011 } 1012 } 1013 1014 if (mode & VEXEC) { 1015 /* 1016 * Directories use file_dac_search to override the execute bit. 1017 */ 1018 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 1019 PRIV_FILE_DAC_EXECUTE; 1020 1021 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 1022 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1023 } 1024 return (0); 1025 } 1026 1027 /* 1028 * This is a special routine for ZFS; it is used to determine whether 1029 * any of the privileges in effect allow any form of access to the 1030 * file. There's no reason to audit this or any reason to record 1031 * this. More work is needed to do the "KPLD" stuff. 1032 */ 1033 int 1034 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) 1035 { 1036 static int privs[] = { 1037 PRIV_FILE_OWNER, 1038 PRIV_FILE_CHOWN, 1039 PRIV_FILE_DAC_READ, 1040 PRIV_FILE_DAC_WRITE, 1041 PRIV_FILE_DAC_EXECUTE, 1042 PRIV_FILE_DAC_SEARCH, 1043 }; 1044 int i; 1045 1046 /* Same as secpolicy_vnode_setdac */ 1047 if (owner == cr->cr_uid) 1048 return (0); 1049 1050 for (i = 0; i < sizeof (privs)/sizeof (int); i++) { 1051 boolean_t allzone = B_FALSE; 1052 int priv; 1053 1054 switch (priv = privs[i]) { 1055 case PRIV_FILE_DAC_EXECUTE: 1056 if (vp->v_type == VDIR) 1057 continue; 1058 break; 1059 case PRIV_FILE_DAC_SEARCH: 1060 if (vp->v_type != VDIR) 1061 continue; 1062 break; 1063 case PRIV_FILE_DAC_WRITE: 1064 case PRIV_FILE_OWNER: 1065 case PRIV_FILE_CHOWN: 1066 /* We know here that if owner == 0, that cr_uid != 0 */ 1067 allzone = owner == 0; 1068 break; 1069 } 1070 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) 1071 return (0); 1072 } 1073 return (EPERM); 1074 } 1075 1076 /* 1077 * Name: secpolicy_vnode_setid_modify() 1078 * 1079 * Normal: verify that subject can set the file setid flags. 1080 * 1081 * Output: EPERM - if not privileged. 1082 */ 1083 1084 static int 1085 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 1086 { 1087 /* If changing to suid root, must have all zone privs */ 1088 boolean_t allzone = B_TRUE; 1089 1090 if (owner != 0) { 1091 if (owner == cr->cr_uid) 1092 return (0); 1093 allzone = B_FALSE; 1094 } 1095 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 1096 } 1097 1098 /* 1099 * Are we allowed to retain the set-uid/set-gid bits when 1100 * changing ownership or when writing to a file? 1101 * "issuid" should be true when set-uid; only in that case 1102 * root ownership is checked (setgid is assumed). 1103 */ 1104 int 1105 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 1106 { 1107 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 1108 return (EPERM); 1109 1110 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 1111 } 1112 1113 /* 1114 * Name: secpolicy_vnode_setids_setgids() 1115 * 1116 * Normal: verify that subject can set the file setgid flag. 1117 * 1118 * Output: EPERM - if not privileged 1119 */ 1120 1121 int 1122 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 1123 { 1124 if (!groupmember(gid, cred)) 1125 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 1126 NULL)); 1127 return (0); 1128 } 1129 1130 /* 1131 * Name: secpolicy_vnode_chown 1132 * 1133 * Normal: Determine if subject can chown owner of a file. 1134 * 1135 * Output: EPERM - if access denied 1136 */ 1137 1138 int 1139 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 1140 { 1141 boolean_t is_owner = (owner == crgetuid(cred)); 1142 boolean_t allzone = B_FALSE; 1143 int priv; 1144 1145 if (!is_owner) { 1146 allzone = (owner == 0); 1147 priv = PRIV_FILE_CHOWN; 1148 } else { 1149 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 1150 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1151 } 1152 1153 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 1154 } 1155 1156 /* 1157 * Name: secpolicy_vnode_create_gid 1158 * 1159 * Normal: Determine if subject can change group ownership of a file. 1160 * 1161 * Output: EPERM - if access denied 1162 */ 1163 int 1164 secpolicy_vnode_create_gid(const cred_t *cred) 1165 { 1166 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 1167 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 1168 NULL)); 1169 else 1170 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 1171 NULL)); 1172 } 1173 1174 /* 1175 * Name: secpolicy_vnode_utime_modify() 1176 * 1177 * Normal: verify that subject can modify the utime on a file. 1178 * 1179 * Output: EPERM - if access denied. 1180 */ 1181 1182 static int 1183 secpolicy_vnode_utime_modify(const cred_t *cred) 1184 { 1185 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 1186 "modify file times")); 1187 } 1188 1189 1190 /* 1191 * Name: secpolicy_vnode_setdac() 1192 * 1193 * Normal: verify that subject can modify the mode of a file. 1194 * allzone privilege needed when modifying root owned object. 1195 * 1196 * Output: EPERM - if access denied. 1197 */ 1198 1199 int 1200 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1201 { 1202 if (owner == cred->cr_uid) 1203 return (0); 1204 1205 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1206 } 1207 /* 1208 * Name: secpolicy_vnode_stky_modify() 1209 * 1210 * Normal: verify that subject can make a file a "sticky". 1211 * 1212 * Output: EPERM - if access denied. 1213 */ 1214 1215 int 1216 secpolicy_vnode_stky_modify(const cred_t *cred) 1217 { 1218 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1219 "set file sticky")); 1220 } 1221 1222 /* 1223 * Policy determines whether we can remove an entry from a directory, 1224 * regardless of permission bits. 1225 */ 1226 int 1227 secpolicy_vnode_remove(const cred_t *cr) 1228 { 1229 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1230 "sticky directory")); 1231 } 1232 1233 int 1234 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1235 { 1236 boolean_t allzone = (owner == 0); 1237 1238 if (owner == cr->cr_uid) 1239 return (0); 1240 1241 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1242 } 1243 1244 void 1245 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1246 { 1247 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1248 secpolicy_vnode_setid_retain(cr, 1249 (vap->va_mode & S_ISUID) != 0 && 1250 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1251 vap->va_mask |= AT_MODE; 1252 vap->va_mode &= ~(S_ISUID|S_ISGID); 1253 } 1254 } 1255 1256 int 1257 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1258 cred_t *cr) 1259 { 1260 int error; 1261 1262 if ((vap->va_mode & S_ISUID) != 0 && 1263 (error = secpolicy_vnode_setid_modify(cr, 1264 ovap->va_uid)) != 0) { 1265 return (error); 1266 } 1267 1268 /* 1269 * Check privilege if attempting to set the 1270 * sticky bit on a non-directory. 1271 */ 1272 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1273 secpolicy_vnode_stky_modify(cr) != 0) { 1274 vap->va_mode &= ~S_ISVTX; 1275 } 1276 1277 /* 1278 * Check for privilege if attempting to set the 1279 * group-id bit. 1280 */ 1281 if ((vap->va_mode & S_ISGID) != 0 && 1282 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1283 vap->va_mode &= ~S_ISGID; 1284 } 1285 1286 return (0); 1287 } 1288 1289 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1290 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1291 B_FALSE, EPERM, NULL) 1292 1293 /* 1294 * Check privileges for setting xvattr attributes 1295 */ 1296 int 1297 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1298 { 1299 xoptattr_t *xoap; 1300 int error = 0; 1301 1302 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1303 return (EINVAL); 1304 1305 /* 1306 * First process the DOS bits 1307 */ 1308 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1309 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1310 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1311 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1312 XVA_ISSET_REQ(xvap, XAT_CREATETIME) || 1313 XVA_ISSET_REQ(xvap, XAT_OFFLINE) || 1314 XVA_ISSET_REQ(xvap, XAT_SPARSE)) { 1315 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1316 return (error); 1317 } 1318 1319 /* 1320 * Now handle special attributes 1321 */ 1322 1323 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1324 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1325 xoap->xoa_immutable, cr); 1326 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1327 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1328 xoap->xoa_nounlink, cr); 1329 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1330 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1331 xoap->xoa_appendonly, cr); 1332 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1333 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1334 xoap->xoa_nodump, cr); 1335 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1336 error = EPERM; 1337 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1338 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1339 xoap->xoa_av_quarantined, cr); 1340 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1341 error = EINVAL; 1342 } 1343 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1344 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1345 xoap->xoa_av_modified, cr); 1346 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1347 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1348 xoap->xoa_av_scanstamp, cr); 1349 if (error == 0 && vtype != VREG) 1350 error = EINVAL; 1351 } 1352 return (error); 1353 } 1354 1355 /* 1356 * This function checks the policy decisions surrounding the 1357 * vop setattr call. 1358 * 1359 * It should be called after sufficient locks have been established 1360 * on the underlying data structures. No concurrent modifications 1361 * should be allowed. 1362 * 1363 * The caller must pass in unlocked version of its vaccess function 1364 * this is required because vop_access function should lock the 1365 * node for reading. A three argument function should be defined 1366 * which accepts the following argument: 1367 * A pointer to the internal "node" type (inode *) 1368 * vnode access bits (VREAD|VWRITE|VEXEC) 1369 * a pointer to the credential 1370 * 1371 * This function makes the following policy decisions: 1372 * 1373 * - change permissions 1374 * - permission to change file mode if not owner 1375 * - permission to add sticky bit to non-directory 1376 * - permission to add set-gid bit 1377 * 1378 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1379 * 1380 * If the vap argument does not include AT_MODE, the mode will be copied from 1381 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1382 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1383 * is updated to the newly computed mode. 1384 */ 1385 1386 int 1387 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1388 const struct vattr *ovap, int flags, 1389 int unlocked_access(void *, int, cred_t *), 1390 void *node) 1391 { 1392 int mask = vap->va_mask; 1393 int error = 0; 1394 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1395 1396 if (mask & AT_SIZE) { 1397 if (vp->v_type == VDIR) { 1398 error = EISDIR; 1399 goto out; 1400 } 1401 1402 /* 1403 * If ATTR_NOACLCHECK is set in the flags, then we don't 1404 * perform the secondary unlocked_access() call since the 1405 * ACL (if any) is being checked there. 1406 */ 1407 if (skipaclchk == B_FALSE) { 1408 error = unlocked_access(node, VWRITE, cr); 1409 if (error) 1410 goto out; 1411 } 1412 } 1413 if (mask & AT_MODE) { 1414 /* 1415 * If not the owner of the file then check privilege 1416 * for two things: the privilege to set the mode at all 1417 * and, if we're setting setuid, we also need permissions 1418 * to add the set-uid bit, if we're not the owner. 1419 * In the specific case of creating a set-uid root 1420 * file, we need even more permissions. 1421 */ 1422 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1423 goto out; 1424 1425 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1426 ovap, cr)) != 0) 1427 goto out; 1428 } else 1429 vap->va_mode = ovap->va_mode; 1430 1431 if (mask & (AT_UID|AT_GID)) { 1432 boolean_t checkpriv = B_FALSE; 1433 1434 /* 1435 * Chowning files. 1436 * 1437 * If you are the file owner: 1438 * chown to other uid FILE_CHOWN_SELF 1439 * chown to gid (non-member) FILE_CHOWN_SELF 1440 * chown to gid (member) <none> 1441 * 1442 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1443 * acceptable but the first one is reported when debugging. 1444 * 1445 * If you are not the file owner: 1446 * chown from root PRIV_FILE_CHOWN + zone 1447 * chown from other to any PRIV_FILE_CHOWN 1448 * 1449 */ 1450 if (cr->cr_uid != ovap->va_uid) { 1451 checkpriv = B_TRUE; 1452 } else { 1453 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1454 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1455 !groupmember(vap->va_gid, cr))) { 1456 checkpriv = B_TRUE; 1457 } 1458 } 1459 /* 1460 * If necessary, check privilege to see if update can be done. 1461 */ 1462 if (checkpriv && 1463 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1464 goto out; 1465 } 1466 1467 /* 1468 * If the file has either the set UID or set GID bits 1469 * set and the caller can set the bits, then leave them. 1470 */ 1471 secpolicy_setid_clear(vap, cr); 1472 } 1473 if (mask & (AT_ATIME|AT_MTIME)) { 1474 /* 1475 * If not the file owner and not otherwise privileged, 1476 * always return an error when setting the 1477 * time other than the current (ATTR_UTIME flag set). 1478 * If setting the current time (ATTR_UTIME not set) then 1479 * unlocked_access will check permissions according to policy. 1480 */ 1481 if (cr->cr_uid != ovap->va_uid) { 1482 if (flags & ATTR_UTIME) 1483 error = secpolicy_vnode_utime_modify(cr); 1484 else if (skipaclchk == B_FALSE) { 1485 error = unlocked_access(node, VWRITE, cr); 1486 if (error == EACCES && 1487 secpolicy_vnode_utime_modify(cr) == 0) 1488 error = 0; 1489 } 1490 if (error) 1491 goto out; 1492 } 1493 } 1494 1495 /* 1496 * Check for optional attributes here by checking the following: 1497 */ 1498 if (mask & AT_XVATTR) 1499 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1500 vp->v_type); 1501 out: 1502 return (error); 1503 } 1504 1505 /* 1506 * Name: secpolicy_pcfs_modify_bootpartition() 1507 * 1508 * Normal: verify that subject can modify a pcfs boot partition. 1509 * 1510 * Output: EACCES - if privilege check failed. 1511 */ 1512 /*ARGSUSED*/ 1513 int 1514 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1515 { 1516 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1517 "modify pcfs boot partition")); 1518 } 1519 1520 /* 1521 * System V IPC routines 1522 */ 1523 int 1524 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1525 { 1526 if (crgetzoneid(cr) != ip->ipc_zoneid || 1527 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1528 boolean_t allzone = B_FALSE; 1529 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1530 allzone = B_TRUE; 1531 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1532 } 1533 return (0); 1534 } 1535 1536 int 1537 secpolicy_ipc_config(const cred_t *cr) 1538 { 1539 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1540 } 1541 1542 int 1543 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1544 { 1545 1546 boolean_t allzone = B_FALSE; 1547 1548 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1549 1550 if ((mode & MSG_R) && 1551 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1552 return (EACCES); 1553 1554 if (mode & MSG_W) { 1555 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1556 allzone = B_TRUE; 1557 1558 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1559 NULL)); 1560 } 1561 return (0); 1562 } 1563 1564 int 1565 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1566 { 1567 boolean_t allzone = B_FALSE; 1568 1569 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1570 1571 if ((mode & MSG_R) && 1572 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1573 return (EACCES); 1574 1575 if (mode & MSG_W) { 1576 if (cr->cr_uid != 0 && owner == 0) 1577 allzone = B_TRUE; 1578 1579 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1580 NULL)); 1581 } 1582 return (0); 1583 } 1584 1585 /* 1586 * Audit configuration. 1587 */ 1588 int 1589 secpolicy_audit_config(const cred_t *cr) 1590 { 1591 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1592 } 1593 1594 /* 1595 * Audit record generation. 1596 */ 1597 int 1598 secpolicy_audit_modify(const cred_t *cr) 1599 { 1600 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1601 } 1602 1603 /* 1604 * Get audit attributes. 1605 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1606 * "Least" of the two privileges on error. 1607 */ 1608 int 1609 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) 1610 { 1611 int priv; 1612 1613 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) 1614 priv = PRIV_SYS_AUDIT; 1615 else 1616 priv = PRIV_PROC_AUDIT; 1617 1618 if (checkonly) 1619 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); 1620 else 1621 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1622 } 1623 1624 1625 /* 1626 * Locking physical memory 1627 */ 1628 int 1629 secpolicy_lock_memory(const cred_t *cr) 1630 { 1631 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1632 } 1633 1634 /* 1635 * Accounting (both acct(2) and exacct). 1636 */ 1637 int 1638 secpolicy_acct(const cred_t *cr) 1639 { 1640 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1641 } 1642 1643 /* 1644 * Is this process privileged to change its uids at will? 1645 * Uid 0 is still considered "special" and having the SETID 1646 * privilege is not sufficient to get uid 0. 1647 * Files are owned by root, so the privilege would give 1648 * full access and euid 0 is still effective. 1649 * 1650 * If you have the privilege and euid 0 only then do you 1651 * get the powers of root wrt uid 0. 1652 * 1653 * For gid manipulations, this is should be called with an 1654 * uid of -1. 1655 * 1656 */ 1657 int 1658 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1659 { 1660 boolean_t allzone = B_FALSE; 1661 1662 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1663 cr->cr_ruid != 0) { 1664 allzone = B_TRUE; 1665 } 1666 1667 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1668 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1669 } 1670 1671 1672 /* 1673 * Acting on a different process: if the mode is for writing, 1674 * the restrictions are more severe. This is called after 1675 * we've verified that the uids do not match. 1676 */ 1677 int 1678 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1679 { 1680 boolean_t allzone = B_FALSE; 1681 1682 if ((mode & VWRITE) && scr->cr_uid != 0 && 1683 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1684 allzone = B_TRUE; 1685 1686 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1687 } 1688 1689 int 1690 secpolicy_proc_access(const cred_t *scr) 1691 { 1692 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1693 } 1694 1695 int 1696 secpolicy_proc_excl_open(const cred_t *scr) 1697 { 1698 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1699 } 1700 1701 int 1702 secpolicy_proc_zone(const cred_t *scr) 1703 { 1704 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1705 } 1706 1707 /* 1708 * Destroying the system 1709 */ 1710 1711 int 1712 secpolicy_kmdb(const cred_t *scr) 1713 { 1714 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1715 } 1716 1717 int 1718 secpolicy_error_inject(const cred_t *scr) 1719 { 1720 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1721 } 1722 1723 /* 1724 * Processor sets, cpu configuration, resource pools. 1725 */ 1726 int 1727 secpolicy_pset(const cred_t *cr) 1728 { 1729 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1730 } 1731 1732 /* Process security flags */ 1733 int 1734 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp) 1735 { 1736 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0) 1737 return (EPERM); 1738 1739 if (!prochasprocperm(tp, sp, cr)) 1740 return (EPERM); 1741 1742 return (0); 1743 } 1744 1745 /* 1746 * Processor set binding. 1747 */ 1748 int 1749 secpolicy_pbind(const cred_t *cr) 1750 { 1751 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) 1752 return (secpolicy_pset(cr)); 1753 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); 1754 } 1755 1756 int 1757 secpolicy_ponline(const cred_t *cr) 1758 { 1759 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1760 } 1761 1762 int 1763 secpolicy_pool(const cred_t *cr) 1764 { 1765 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1766 } 1767 1768 int 1769 secpolicy_blacklist(const cred_t *cr) 1770 { 1771 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1772 } 1773 1774 /* 1775 * Catch all system configuration. 1776 */ 1777 int 1778 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1779 { 1780 if (checkonly) { 1781 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1782 EPERM); 1783 } else { 1784 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1785 } 1786 } 1787 1788 /* 1789 * Zone administration (halt, reboot, etc.) from within zone. 1790 */ 1791 int 1792 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1793 { 1794 if (checkonly) { 1795 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1796 EPERM); 1797 } else { 1798 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1799 NULL)); 1800 } 1801 } 1802 1803 /* 1804 * Zone configuration (create, halt, enter). 1805 */ 1806 int 1807 secpolicy_zone_config(const cred_t *cr) 1808 { 1809 /* 1810 * Require all privileges to avoid possibility of privilege 1811 * escalation. 1812 */ 1813 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 1814 } 1815 1816 /* 1817 * Various other system configuration calls 1818 */ 1819 int 1820 secpolicy_coreadm(const cred_t *cr) 1821 { 1822 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1823 } 1824 1825 int 1826 secpolicy_systeminfo(const cred_t *cr) 1827 { 1828 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1829 } 1830 1831 int 1832 secpolicy_dispadm(const cred_t *cr) 1833 { 1834 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1835 } 1836 1837 int 1838 secpolicy_settime(const cred_t *cr) 1839 { 1840 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1841 } 1842 1843 /* 1844 * For realtime users: high resolution clock. 1845 */ 1846 int 1847 secpolicy_clock_highres(const cred_t *cr) 1848 { 1849 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1850 NULL)); 1851 } 1852 1853 /* 1854 * drv_priv() is documented as callable from interrupt context, not that 1855 * anyone ever does, but still. No debugging or auditing can be done when 1856 * it is called from interrupt context. 1857 * returns 0 on succes, EPERM on failure. 1858 */ 1859 int 1860 drv_priv(cred_t *cr) 1861 { 1862 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1863 } 1864 1865 int 1866 secpolicy_sys_devices(const cred_t *cr) 1867 { 1868 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1869 } 1870 1871 int 1872 secpolicy_excl_open(const cred_t *cr) 1873 { 1874 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1875 } 1876 1877 int 1878 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1879 { 1880 /* zone.* rctls can only be set from the global zone */ 1881 if (is_zone_rctl && priv_policy_global(cr) != 0) 1882 return (EPERM); 1883 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1884 } 1885 1886 int 1887 secpolicy_resource(const cred_t *cr) 1888 { 1889 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1890 } 1891 1892 int 1893 secpolicy_resource_anon_mem(const cred_t *cr) 1894 { 1895 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1896 } 1897 1898 /* 1899 * Processes with a real uid of 0 escape any form of accounting, much 1900 * like before. 1901 */ 1902 int 1903 secpolicy_newproc(const cred_t *cr) 1904 { 1905 if (cr->cr_ruid == 0) 1906 return (0); 1907 1908 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1909 } 1910 1911 /* 1912 * Networking 1913 */ 1914 int 1915 secpolicy_net_rawaccess(const cred_t *cr) 1916 { 1917 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1918 } 1919 1920 int 1921 secpolicy_net_observability(const cred_t *cr) 1922 { 1923 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1924 } 1925 1926 /* 1927 * Need this privilege for accessing the ICMP device 1928 */ 1929 int 1930 secpolicy_net_icmpaccess(const cred_t *cr) 1931 { 1932 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1933 } 1934 1935 /* 1936 * There are a few rare cases where the kernel generates ioctls() from 1937 * interrupt context with a credential of kcred rather than NULL. 1938 * In those cases, we take the safe and cheap test. 1939 */ 1940 int 1941 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1942 { 1943 if (checkonly) { 1944 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1945 0 : EPERM); 1946 } else { 1947 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1948 NULL)); 1949 } 1950 } 1951 1952 1953 /* 1954 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1955 * 1956 * There are a few rare cases where the kernel generates ioctls() from 1957 * interrupt context with a credential of kcred rather than NULL. 1958 * In those cases, we take the safe and cheap test. 1959 */ 1960 int 1961 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1962 { 1963 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1964 return (secpolicy_net_config(cr, checkonly)); 1965 1966 if (checkonly) { 1967 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1968 0 : EPERM); 1969 } else { 1970 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1971 NULL)); 1972 } 1973 } 1974 1975 /* 1976 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1977 */ 1978 int 1979 secpolicy_dl_config(const cred_t *cr) 1980 { 1981 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1982 return (secpolicy_net_config(cr, B_FALSE)); 1983 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 1984 } 1985 1986 /* 1987 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 1988 */ 1989 int 1990 secpolicy_iptun_config(const cred_t *cr) 1991 { 1992 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1993 return (secpolicy_net_config(cr, B_FALSE)); 1994 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 1995 return (secpolicy_dl_config(cr)); 1996 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 1997 } 1998 1999 /* 2000 * Map IP pseudo privileges to actual privileges. 2001 * So we don't need to recompile IP when we change the privileges. 2002 */ 2003 int 2004 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 2005 { 2006 int priv = PRIV_ALL; 2007 2008 switch (netpriv) { 2009 case OP_CONFIG: 2010 priv = PRIV_SYS_IP_CONFIG; 2011 break; 2012 case OP_RAW: 2013 priv = PRIV_NET_RAWACCESS; 2014 break; 2015 case OP_PRIVPORT: 2016 priv = PRIV_NET_PRIVADDR; 2017 break; 2018 } 2019 ASSERT(priv != PRIV_ALL); 2020 if (checkonly) 2021 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2022 else 2023 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2024 } 2025 2026 /* 2027 * Map network pseudo privileges to actual privileges. 2028 * So we don't need to recompile IP when we change the privileges. 2029 */ 2030 int 2031 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 2032 { 2033 int priv = PRIV_ALL; 2034 2035 switch (netpriv) { 2036 case OP_CONFIG: 2037 priv = PRIV_SYS_NET_CONFIG; 2038 break; 2039 case OP_RAW: 2040 priv = PRIV_NET_RAWACCESS; 2041 break; 2042 case OP_PRIVPORT: 2043 priv = PRIV_NET_PRIVADDR; 2044 break; 2045 } 2046 ASSERT(priv != PRIV_ALL); 2047 if (checkonly) 2048 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2049 else 2050 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2051 } 2052 2053 /* 2054 * Checks for operations that are either client-only or are used by 2055 * both clients and servers. 2056 */ 2057 int 2058 secpolicy_nfs(const cred_t *cr) 2059 { 2060 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 2061 } 2062 2063 /* 2064 * Special case for opening rpcmod: have NFS privileges or network 2065 * config privileges. 2066 */ 2067 int 2068 secpolicy_rpcmod_open(const cred_t *cr) 2069 { 2070 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 2071 return (secpolicy_nfs(cr)); 2072 else 2073 return (secpolicy_net_config(cr, B_FALSE)); 2074 } 2075 2076 int 2077 secpolicy_chroot(const cred_t *cr) 2078 { 2079 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 2080 } 2081 2082 int 2083 secpolicy_tasksys(const cred_t *cr) 2084 { 2085 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 2086 } 2087 2088 int 2089 secpolicy_meminfo(const cred_t *cr) 2090 { 2091 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL)); 2092 } 2093 2094 int 2095 secpolicy_pfexec_register(const cred_t *cr) 2096 { 2097 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); 2098 } 2099 2100 /* 2101 * Basic privilege checks. 2102 */ 2103 int 2104 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 2105 { 2106 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); 2107 2108 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 2109 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 2110 } 2111 2112 int 2113 secpolicy_basic_fork(const cred_t *cr) 2114 { 2115 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); 2116 2117 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 2118 } 2119 2120 int 2121 secpolicy_basic_proc(const cred_t *cr) 2122 { 2123 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); 2124 2125 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 2126 } 2127 2128 /* 2129 * Slightly complicated because we don't want to trigger the policy too 2130 * often. First we shortcircuit access to "self" (tp == sp) or if 2131 * we don't have the privilege but if we have permission 2132 * just return (0) and we don't flag the privilege as needed. 2133 * Else, we test for the privilege because we either have it or need it. 2134 */ 2135 int 2136 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 2137 { 2138 if (tp == sp || 2139 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 2140 return (0); 2141 } else { 2142 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 2143 } 2144 } 2145 2146 int 2147 secpolicy_basic_link(const cred_t *cr) 2148 { 2149 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); 2150 2151 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 2152 } 2153 2154 int 2155 secpolicy_basic_net_access(const cred_t *cr) 2156 { 2157 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); 2158 2159 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 2160 } 2161 2162 /* ARGSUSED */ 2163 int 2164 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) 2165 { 2166 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); 2167 2168 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 2169 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2170 } 2171 2172 /* ARGSUSED */ 2173 int 2174 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) 2175 { 2176 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); 2177 2178 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 2179 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2180 } 2181 2182 /* 2183 * Additional device protection. 2184 * 2185 * Traditionally, a device has specific permissions on the node in 2186 * the filesystem which govern which devices can be opened by what 2187 * processes. In certain cases, it is desirable to add extra 2188 * restrictions, as writing to certain devices is identical to 2189 * having a complete run of the system. 2190 * 2191 * This mechanism is called the device policy. 2192 * 2193 * When a device is opened, its policy entry is looked up in the 2194 * policy cache and checked. 2195 */ 2196 int 2197 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 2198 { 2199 devplcy_t *plcy; 2200 int err; 2201 struct snode *csp = VTOS(common_specvp(vp)); 2202 priv_set_t pset; 2203 2204 mutex_enter(&csp->s_lock); 2205 2206 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 2207 plcy = devpolicy_find(vp); 2208 if (csp->s_plcy) 2209 dpfree(csp->s_plcy); 2210 csp->s_plcy = plcy; 2211 ASSERT(plcy != NULL); 2212 } else 2213 plcy = csp->s_plcy; 2214 2215 if (plcy == nullpolicy) { 2216 mutex_exit(&csp->s_lock); 2217 return (0); 2218 } 2219 2220 dphold(plcy); 2221 2222 mutex_exit(&csp->s_lock); 2223 2224 if (oflag & FWRITE) 2225 pset = plcy->dp_wrp; 2226 else 2227 pset = plcy->dp_rdp; 2228 /* 2229 * Special case: 2230 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2231 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 2232 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 2233 * in the required privilege set before doing the check. 2234 */ 2235 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 2236 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 2237 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 2238 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 2239 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 2240 } 2241 2242 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); 2243 dpfree(plcy); 2244 2245 return (err); 2246 } 2247 2248 int 2249 secpolicy_modctl(const cred_t *cr, int cmd) 2250 { 2251 switch (cmd) { 2252 case MODINFO: 2253 case MODGETMAJBIND: 2254 case MODGETPATH: 2255 case MODGETPATHLEN: 2256 case MODGETNAME: 2257 case MODGETFBNAME: 2258 case MODGETDEVPOLICY: 2259 case MODGETDEVPOLICYBYNAME: 2260 case MODDEVT2INSTANCE: 2261 case MODSIZEOF_DEVID: 2262 case MODGETDEVID: 2263 case MODSIZEOF_MINORNAME: 2264 case MODGETMINORNAME: 2265 case MODGETDEVFSPATH_LEN: 2266 case MODGETDEVFSPATH: 2267 case MODGETDEVFSPATH_MI_LEN: 2268 case MODGETDEVFSPATH_MI: 2269 /* Unprivileged */ 2270 return (0); 2271 case MODLOAD: 2272 case MODSETDEVPOLICY: 2273 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, 2274 KLPDARG_NONE)); 2275 default: 2276 return (secpolicy_sys_config(cr, B_FALSE)); 2277 } 2278 } 2279 2280 int 2281 secpolicy_console(const cred_t *cr) 2282 { 2283 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2284 } 2285 2286 int 2287 secpolicy_power_mgmt(const cred_t *cr) 2288 { 2289 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2290 } 2291 2292 /* 2293 * Simulate terminal input; another escalation of privileges avenue. 2294 */ 2295 2296 int 2297 secpolicy_sti(const cred_t *cr) 2298 { 2299 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2300 } 2301 2302 boolean_t 2303 secpolicy_net_reply_equal(const cred_t *cr) 2304 { 2305 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2306 } 2307 2308 int 2309 secpolicy_swapctl(const cred_t *cr) 2310 { 2311 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2312 } 2313 2314 int 2315 secpolicy_cpc_cpu(const cred_t *cr) 2316 { 2317 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2318 } 2319 2320 /* 2321 * secpolicy_contract_identity 2322 * 2323 * Determine if the subject may set the process contract FMRI value 2324 */ 2325 int 2326 secpolicy_contract_identity(const cred_t *cr) 2327 { 2328 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2329 } 2330 2331 /* 2332 * secpolicy_contract_observer 2333 * 2334 * Determine if the subject may observe a specific contract's events. 2335 */ 2336 int 2337 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2338 { 2339 if (contract_owned(ct, cr, B_FALSE)) 2340 return (0); 2341 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2342 } 2343 2344 /* 2345 * secpolicy_contract_observer_choice 2346 * 2347 * Determine if the subject may observe any contract's events. Just 2348 * tests privilege and audits on success. 2349 */ 2350 boolean_t 2351 secpolicy_contract_observer_choice(const cred_t *cr) 2352 { 2353 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2354 } 2355 2356 /* 2357 * secpolicy_contract_event 2358 * 2359 * Determine if the subject may request critical contract events or 2360 * reliable contract event delivery. 2361 */ 2362 int 2363 secpolicy_contract_event(const cred_t *cr) 2364 { 2365 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2366 } 2367 2368 /* 2369 * secpolicy_contract_event_choice 2370 * 2371 * Determine if the subject may retain contract events in its critical 2372 * set when a change in other terms would normally require a change in 2373 * the critical set. Just tests privilege and audits on success. 2374 */ 2375 boolean_t 2376 secpolicy_contract_event_choice(const cred_t *cr) 2377 { 2378 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2379 } 2380 2381 /* 2382 * secpolicy_gart_access 2383 * 2384 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2385 * device. 2386 */ 2387 int 2388 secpolicy_gart_access(const cred_t *cr) 2389 { 2390 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2391 } 2392 2393 /* 2394 * secpolicy_gart_map 2395 * 2396 * Determine if the subject has sufficient priveleges to map aperture range 2397 * through agpgart driver. 2398 */ 2399 int 2400 secpolicy_gart_map(const cred_t *cr) 2401 { 2402 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2403 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2404 NULL)); 2405 } else { 2406 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2407 NULL)); 2408 } 2409 } 2410 2411 /* 2412 * secpolicy_hwmanip 2413 * 2414 * Determine if the subject can observe and manipulate a hardware device with a 2415 * dangerous blunt hammer, often suggests they can do something destructive. 2416 * Requires all privileges. 2417 */ 2418 int 2419 secpolicy_hwmanip(const cred_t *cr) 2420 { 2421 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2422 } 2423 2424 /* 2425 * secpolicy_zinject 2426 * 2427 * Determine if the subject can inject faults in the ZFS fault injection 2428 * framework. Requires all privileges. 2429 */ 2430 int 2431 secpolicy_zinject(const cred_t *cr) 2432 { 2433 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2434 } 2435 2436 /* 2437 * secpolicy_zfs 2438 * 2439 * Determine if the subject has permission to manipulate ZFS datasets 2440 * (not pools). Equivalent to the SYS_MOUNT privilege. 2441 */ 2442 int 2443 secpolicy_zfs(const cred_t *cr) 2444 { 2445 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2446 } 2447 2448 /* 2449 * secpolicy_idmap 2450 * 2451 * Determine if the calling process has permissions to register an SID 2452 * mapping daemon and allocate ephemeral IDs. 2453 */ 2454 int 2455 secpolicy_idmap(const cred_t *cr) 2456 { 2457 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2458 } 2459 2460 /* 2461 * secpolicy_ucode_update 2462 * 2463 * Determine if the subject has sufficient privilege to update microcode. 2464 */ 2465 int 2466 secpolicy_ucode_update(const cred_t *scr) 2467 { 2468 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2469 } 2470 2471 /* 2472 * secpolicy_sadopen 2473 * 2474 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2475 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2476 * In global zone, sys_config is required. 2477 * In exclusive-IP zones, sys_ip_config is required. 2478 * Note that sys_config is prohibited in non-global zones. 2479 */ 2480 int 2481 secpolicy_sadopen(const cred_t *credp) 2482 { 2483 priv_set_t pset; 2484 2485 priv_emptyset(&pset); 2486 2487 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2488 priv_addset(&pset, PRIV_SYS_CONFIG); 2489 else 2490 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2491 2492 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE)); 2493 } 2494 2495 2496 /* 2497 * Add privileges to a particular privilege set; this is called when the 2498 * current sets of privileges are not sufficient. I.e., we should always 2499 * call the policy override functions from here. 2500 * What we are allowed to have is in the Observed Permitted set; so 2501 * we compute the difference between that and the newset. 2502 */ 2503 int 2504 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2505 { 2506 priv_set_t rqd; 2507 2508 rqd = CR_OPPRIV(cr); 2509 2510 priv_inverse(&rqd); 2511 priv_intersect(nset, &rqd); 2512 2513 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); 2514 } 2515 2516 /* 2517 * secpolicy_smb 2518 * 2519 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2520 * that it has permission to access the smbsrv kernel driver. 2521 * PRIV_POLICY checks the privilege and audits the check. 2522 * 2523 * Returns: 2524 * 0 Driver access is allowed. 2525 * EPERM Driver access is NOT permitted. 2526 */ 2527 int 2528 secpolicy_smb(const cred_t *cr) 2529 { 2530 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2531 } 2532 2533 /* 2534 * secpolicy_vscan 2535 * 2536 * Determine if cred_t has the necessary privileges to access a file 2537 * for virus scanning and update its extended system attributes. 2538 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2539 * PRIV_FILE_FLAG_SET - set extended system attributes 2540 * 2541 * PRIV_POLICY checks the privilege and audits the check. 2542 * 2543 * Returns: 2544 * 0 file access for virus scanning allowed. 2545 * EPERM file access for virus scanning is NOT permitted. 2546 */ 2547 int 2548 secpolicy_vscan(const cred_t *cr) 2549 { 2550 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2551 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2552 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2553 return (EPERM); 2554 } 2555 2556 return (0); 2557 } 2558 2559 /* 2560 * secpolicy_smbfs_login 2561 * 2562 * Determines if the caller can add and delete the smbfs login 2563 * password in the the nsmb kernel module for the CIFS client. 2564 * 2565 * Returns: 2566 * 0 access is allowed. 2567 * EPERM access is NOT allowed. 2568 */ 2569 int 2570 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2571 { 2572 uid_t cruid = crgetruid(cr); 2573 2574 if (cruid == uid) 2575 return (0); 2576 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2577 EPERM, NULL)); 2578 } 2579 2580 /* 2581 * secpolicy_xvm_control 2582 * 2583 * Determines if a caller can control the xVM hypervisor and/or running 2584 * domains (x86 specific). 2585 * 2586 * Returns: 2587 * 0 access is allowed. 2588 * EPERM access is NOT allowed. 2589 */ 2590 int 2591 secpolicy_xvm_control(const cred_t *cr) 2592 { 2593 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2594 return (EPERM); 2595 return (0); 2596 } 2597 2598 /* 2599 * secpolicy_ppp_config 2600 * 2601 * Determine if the subject has sufficient privileges to configure PPP and 2602 * PPP-related devices. 2603 */ 2604 int 2605 secpolicy_ppp_config(const cred_t *cr) 2606 { 2607 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2608 return (secpolicy_net_config(cr, B_FALSE)); 2609 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2610 } 2611