1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/vnode.h> 34 #include <sys/vfs.h> 35 #include <sys/stat.h> 36 #include <sys/errno.h> 37 #include <sys/kmem.h> 38 #include <sys/user.h> 39 #include <sys/proc.h> 40 #include <sys/acct.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/cmn_err.h> 43 #include <sys/debug.h> 44 #include <sys/policy.h> 45 #include <sys/kobj.h> 46 #include <sys/msg.h> 47 #include <sys/devpolicy.h> 48 #include <c2/audit.h> 49 #include <sys/varargs.h> 50 #include <sys/modctl.h> 51 #include <sys/disp.h> 52 #include <sys/zone.h> 53 #include <inet/optcom.h> 54 #include <sys/sdt.h> 55 #include <sys/vfs.h> 56 #include <sys/mntent.h> 57 #include <sys/contract_impl.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make asssumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions 151 * 152 * In future, these will migrate to several files when policy 153 * becomes more or less pluggable. 154 * 155 * For now, there's only one policy and this is it. 156 */ 157 158 /* 159 * Generic policy calls 160 * 161 * The "bottom" functions of policy control 162 */ 163 164 static char * 165 mprintf(const char *fmt, ...) 166 { 167 va_list args; 168 char *buf; 169 size_t len; 170 171 va_start(args, fmt); 172 len = vsnprintf(NULL, 0, fmt, args) + 1; 173 va_end(args); 174 175 buf = kmem_alloc(len, KM_NOSLEEP); 176 177 if (buf == NULL) 178 return (NULL); 179 180 va_start(args, fmt); 181 (void) vsnprintf(buf, len, fmt, args); 182 va_end(args); 183 184 return (buf); 185 } 186 187 /* 188 * priv_policy_errmsg() 189 * 190 * Generate an error message if privilege debugging is enabled system wide 191 * or for this particular process. 192 */ 193 194 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 195 #define FMTMSG " for \"%s\"" 196 #define FMTFUN " needed at %s+0x%lx" 197 198 /* The maximum size privilege format: the concatenation of the above */ 199 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 200 201 static void 202 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 203 { 204 struct proc *me; 205 pc_t stack[MAXPRIVSTACK]; 206 int depth; 207 int i; 208 char *sym; 209 ulong_t off; 210 const char *pname; 211 212 char *cmd; 213 char fmt[sizeof (FMTMAX)]; 214 215 if ((me = curproc) == &p0) 216 return; 217 218 /* Privileges must be defined */ 219 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 220 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 221 priv_getbynum(priv) != NULL); 222 223 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 224 priv = PRIV_ALL; 225 226 if (curthread->t_pre_sys) 227 ttolwp(curthread)->lwp_badpriv = (short)priv; 228 229 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 230 return; 231 232 (void) strcpy(fmt, FMTHDR); 233 234 if (me->p_user.u_comm[0]) 235 cmd = &me->p_user.u_comm[0]; 236 else 237 cmd = "priv_policy"; 238 239 if (msg != NULL && *msg != '\0') { 240 (void) strcat(fmt, FMTMSG); 241 } else { 242 (void) strcat(fmt, "%s"); 243 msg = ""; 244 } 245 246 sym = NULL; 247 248 depth = getpcstack(stack, MAXPRIVSTACK); 249 250 /* 251 * Try to find the first interesting function on the stack. 252 * priv_policy* that's us, so completely uninteresting. 253 * suser(), drv_priv(), secpolicy_* are also called from 254 * too many locations to convey useful information. 255 */ 256 for (i = 0; i < depth; i++) { 257 sym = kobj_getsymname((uintptr_t)stack[i], &off); 258 if (sym != NULL && 259 strstr(sym, "hasprocperm") == 0 && 260 strcmp("suser", sym) != 0 && 261 strcmp("ipcaccess", sym) != 0 && 262 strcmp("drv_priv", sym) != 0 && 263 strncmp("secpolicy_", sym, 10) != 0 && 264 strncmp("priv_policy", sym, 11) != 0) 265 break; 266 } 267 268 if (sym != NULL) 269 (void) strcat(fmt, FMTFUN); 270 271 (void) strcat(fmt, "\n"); 272 273 switch (priv) { 274 case PRIV_ALL: 275 pname = "ALL"; 276 break; 277 case PRIV_MULTIPLE: 278 pname = "MULTIPLE"; 279 break; 280 case PRIV_ALLZONE: 281 pname = "ZONE"; 282 break; 283 case PRIV_GLOBAL: 284 pname = "GLOBAL"; 285 break; 286 default: 287 pname = priv_getbynum(priv); 288 break; 289 } 290 291 if (CR_FLAGS(cr) & PRIV_DEBUG) { 292 /* Remember last message, just like lwp_badpriv. */ 293 if (curthread->t_pdmsg != NULL) { 294 kmem_free(curthread->t_pdmsg, 295 strlen(curthread->t_pdmsg) + 1); 296 } 297 298 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 299 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 300 301 curthread->t_post_sys = 1; 302 } else { 303 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 304 curthread->t_sysnum, msg, sym, off); 305 } 306 } 307 308 /* 309 * Audit failure, log error message. 310 */ 311 static void 312 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 313 { 314 315 #ifdef C2_AUDIT 316 if (audit_active) 317 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 318 #endif 319 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 320 321 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 322 curthread->t_pre_sys) { 323 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 324 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 325 } else { 326 ASSERT(!HAS_PRIVILEGE(cr, priv)); 327 priv_policy_errmsg(cr, priv, msg); 328 } 329 } 330 } 331 332 /* 333 * priv_policy() 334 * return 0 or error. 335 * See block comment above for a description of "priv" and "allzone" usage. 336 */ 337 int 338 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 339 const char *msg) 340 { 341 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 342 if ((allzone || priv == PRIV_ALL || 343 !PRIV_ISASSERT(priv_basic, priv)) && 344 !servicing_interrupt()) { 345 u.u_acflag |= ASU; /* Needed for SVVS */ 346 #ifdef C2_AUDIT 347 if (audit_active) 348 audit_priv(priv, 349 allzone ? ZONEPRIVS(cr) : NULL, 1); 350 #endif 351 } 352 err = 0; 353 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 354 } else if (!servicing_interrupt()) { 355 /* Failure audited in this procedure */ 356 priv_policy_err(cr, priv, allzone, msg); 357 } 358 359 return (err); 360 } 361 362 /* 363 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 364 */ 365 boolean_t 366 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 367 { 368 boolean_t res = HAS_PRIVILEGE(cr, priv) && 369 (!allzone || HAS_ALLZONEPRIVS(cr)); 370 371 #ifdef C2_AUDIT 372 /* Audit success only */ 373 if (res && audit_active && 374 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 375 !servicing_interrupt()) { 376 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 377 } 378 #endif 379 if (res) { 380 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 381 } else { 382 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 383 } 384 return (res); 385 } 386 387 /* 388 * Non-auditing variant of priv_policy_choice(). 389 */ 390 boolean_t 391 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 392 { 393 boolean_t res = HAS_PRIVILEGE(cr, priv) && 394 (!allzone || HAS_ALLZONEPRIVS(cr)); 395 396 if (res) { 397 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 398 } else { 399 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 400 } 401 return (res); 402 } 403 404 /* 405 * Check whether all privileges in the required set are present. 406 */ 407 static int 408 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 409 { 410 int priv; 411 int pfound = -1; 412 priv_set_t pset; 413 414 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 415 &CR_OEPRIV(cr))) { 416 return (0); 417 } 418 419 if (req == PRIV_FULLSET || priv_isfullset(req)) { 420 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 421 return (EACCES); 422 } 423 424 pset = CR_OEPRIV(cr); /* present privileges */ 425 priv_inverse(&pset); /* all non present privileges */ 426 priv_intersect(req, &pset); /* the actual missing privs */ 427 428 #ifdef C2_AUDIT 429 if (audit_active) 430 audit_priv(PRIV_NONE, &pset, 0); 431 #endif 432 /* 433 * Privilege debugging; special case "one privilege in set". 434 */ 435 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 436 for (priv = 0; priv < nprivs; priv++) { 437 if (priv_ismember(&pset, priv)) { 438 if (pfound != -1) { 439 /* Multiple missing privs */ 440 priv_policy_errmsg(cr, PRIV_MULTIPLE, 441 msg); 442 return (EACCES); 443 } 444 pfound = priv; 445 } 446 } 447 ASSERT(pfound != -1); 448 /* Just the one missing privilege */ 449 priv_policy_errmsg(cr, pfound, msg); 450 } 451 452 return (EACCES); 453 } 454 455 /* 456 * Called when an operation requires that the caller be in the 457 * global zone, regardless of privilege. 458 */ 459 static int 460 priv_policy_global(const cred_t *cr) 461 { 462 if (crgetzoneid(cr) == GLOBAL_ZONEID) 463 return (0); /* success */ 464 465 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 466 curthread->t_pre_sys) { 467 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 468 } 469 return (EPERM); 470 } 471 472 /* 473 * Changing process priority 474 */ 475 int 476 secpolicy_setpriority(const cred_t *cr) 477 { 478 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 479 } 480 481 /* 482 * Binding to a privileged port, port must be specified in host byte 483 * order. 484 */ 485 int 486 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 487 { 488 /* 489 * NFS ports, these are extra privileged ports, allow bind 490 * only if the SYS_NFS privilege is present. 491 */ 492 if (port == 2049 || port == 4045) 493 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 494 "NFS port")); 495 else 496 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 497 NULL)); 498 } 499 500 /* 501 * Binding to a multilevel port on a trusted (labeled) system. 502 */ 503 int 504 secpolicy_net_bindmlp(const cred_t *cr) 505 { 506 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, 507 NULL)); 508 } 509 510 /* 511 * Allow a communication between a zone and an unlabeled host when their 512 * labels don't match. 513 */ 514 int 515 secpolicy_net_mac_aware(const cred_t *cr) 516 { 517 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, 518 NULL)); 519 } 520 521 /* 522 * Common routine which determines whether a given credential can 523 * act on a given mount. 524 * When called through mount, the parameter needoptcheck is a pointer 525 * to a boolean variable which will be set to either true or false, 526 * depending on whether the mount policy should change the mount options. 527 * In all other cases, needoptcheck should be a NULL pointer. 528 */ 529 static int 530 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 531 boolean_t *needoptcheck) 532 { 533 boolean_t allzone = B_FALSE; 534 boolean_t mounting = needoptcheck != NULL; 535 536 /* 537 * Short circuit the following cases: 538 * vfsp == NULL or mvp == NULL (pure privilege check) 539 * have all privileges - no further checks required 540 * and no mount options need to be set. 541 */ 542 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 543 if (mounting) 544 *needoptcheck = B_FALSE; 545 546 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 547 } 548 549 /* 550 * When operating on an existing mount (either we're not mounting 551 * or we're doing a remount and VFS_REMOUNT will be set), zones 552 * can operate only on mounts established by the zone itself. 553 */ 554 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 555 zoneid_t zoneid = crgetzoneid(cr); 556 557 if (zoneid != GLOBAL_ZONEID && 558 vfsp->vfs_zone->zone_id != zoneid) { 559 return (EPERM); 560 } 561 } 562 563 if (mounting) 564 *needoptcheck = B_TRUE; 565 566 /* 567 * Overlay mounts may hide important stuff; if you can't write to a 568 * mount point but would be able to mount on top of it, you can 569 * escalate your privileges. 570 * So we go about asking the same questions namefs does when it 571 * decides whether you can mount over a file or not but with the 572 * added restriction that you can only mount on top of a regular 573 * file or directory. 574 * If we have all the zone's privileges, we skip all other checks, 575 * or else we may actually get in trouble inside the automounter. 576 */ 577 if ((mvp->v_flag & VROOT) != 0 || 578 (mvp->v_type != VDIR && mvp->v_type != VREG) || 579 HAS_ALLZONEPRIVS(cr)) { 580 allzone = B_TRUE; 581 } else { 582 vattr_t va; 583 int err; 584 585 va.va_mask = AT_UID|AT_MODE; 586 err = VOP_GETATTR(mvp, &va, 0, cr); 587 if (err != 0) 588 return (err); 589 590 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 591 return (err); 592 593 if ((va.va_mode & VWRITE) == 0 && 594 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 595 return (EACCES); 596 } 597 } 598 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 599 } 600 601 extern vnode_t *rootvp; 602 extern vfs_t *rootvfs; 603 604 int 605 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 606 { 607 boolean_t needoptchk; 608 int error; 609 610 /* 611 * If it's a remount, get the underlying mount point, 612 * except for the root where we use the rootvp. 613 */ 614 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 615 if (vfsp == rootvfs) 616 mvp = rootvp; 617 else 618 mvp = vfsp->vfs_vnodecovered; 619 } 620 621 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 622 623 if (error == 0 && needoptchk) { 624 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 625 626 /* 627 * Third check; if we don't have either "nosuid" or 628 * both "nosetuid" and "nodevices", then we add 629 * "nosuid"; this depends on how the current 630 * implementation works (it first checks nosuid). In a 631 * zone, a user with all zone privileges can mount with 632 * "setuid" but never with "devices". 633 */ 634 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 635 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 636 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 637 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 638 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 639 else 640 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 641 } 642 /* 643 * If we're not the local super user, we set the "restrict" 644 * option to indicate to automountd that this mount should 645 * be handled with care. 646 */ 647 if (!amsuper) 648 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 649 650 } 651 return (error); 652 } 653 654 /* 655 * Does the policy computations for "ownership" of a mount; 656 * here ownership is defined as the ability to "mount" 657 * the filesystem originally. The rootvfs doesn't cover any 658 * vnodes; we attribute its ownership to the rootvp. 659 */ 660 static int 661 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 662 { 663 vnode_t *mvp; 664 665 if (vfsp == NULL) 666 mvp = NULL; 667 else if (vfsp == rootvfs) 668 mvp = rootvp; 669 else 670 mvp = vfsp->vfs_vnodecovered; 671 672 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 673 } 674 675 int 676 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 677 { 678 return (secpolicy_fs_owner(cr, vfsp)); 679 } 680 681 /* 682 * Quotas are a resource, but if one has the ability to mount a filesystem, he 683 * should be able to modify quotas on it. 684 */ 685 int 686 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 687 { 688 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 689 } 690 691 /* 692 * Exceeding minfree: also a per-mount resource constraint. 693 */ 694 int 695 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 696 { 697 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 698 } 699 700 int 701 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 702 { 703 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 704 } 705 706 /* ARGSUSED */ 707 int 708 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 709 { 710 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 711 } 712 713 /* 714 * Name: secpolicy_vnode_access() 715 * 716 * Parameters: Process credential 717 * vnode 718 * uid of owner of vnode 719 * permission bits not granted to the caller when examining 720 * file mode bits (i.e., when a process wants to open a 721 * mode 444 file for VREAD|VWRITE, this function should be 722 * called only with a VWRITE argument). 723 * 724 * Normal: Verifies that cred has the appropriate privileges to 725 * override the mode bits that were denied. 726 * 727 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 728 * not a directory. 729 * file_dac_read - if VREAD bit was denied. 730 * file_dac_search - if VEXEC bit was denied and vnode is 731 * a directory. 732 * file_dac_write - if VWRITE bit was denied. 733 * 734 * Root owned files are special cased to protect system 735 * configuration files and such. 736 * 737 * Output: EACCES - if privilege check fails. 738 */ 739 740 /* ARGSUSED */ 741 int 742 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 743 { 744 if ((mode & VREAD) && 745 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 746 return (EACCES); 747 748 if (mode & VWRITE) { 749 boolean_t allzone; 750 751 if (owner == 0 && cr->cr_uid != 0) 752 allzone = B_TRUE; 753 else 754 allzone = B_FALSE; 755 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 756 != 0) 757 return (EACCES); 758 } 759 760 if (mode & VEXEC) { 761 /* 762 * Directories use file_dac_search to override the execute bit. 763 */ 764 vtype_t vtype = vp->v_type; 765 766 if (vtype == VDIR) 767 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 768 EACCES, NULL)); 769 else 770 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 771 EACCES, NULL)); 772 } 773 return (0); 774 } 775 776 /* 777 * Name: secpolicy_vnode_setid_modify() 778 * 779 * Normal: verify that subject can set the file setid flags. 780 * 781 * Output: EPERM - if not privileged. 782 */ 783 784 static int 785 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 786 { 787 /* If changing to suid root, must have all zone privs */ 788 boolean_t allzone = B_TRUE; 789 790 if (owner != 0) { 791 if (owner == cr->cr_uid) 792 return (0); 793 allzone = B_FALSE; 794 } 795 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 796 } 797 798 /* 799 * Are we allowed to retain the set-uid/set-gid bits when 800 * changing ownership or when writing to a file? 801 * "issuid" should be true when set-uid; only in that case 802 * root ownership is checked (setgid is assumed). 803 */ 804 int 805 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 806 { 807 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 808 return (EPERM); 809 810 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 811 } 812 813 /* 814 * Name: secpolicy_vnode_setids_setgids() 815 * 816 * Normal: verify that subject can set the file setgid flag. 817 * 818 * Output: EPERM - if not privileged 819 */ 820 821 int 822 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 823 { 824 if (!groupmember(gid, cred)) 825 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 826 NULL)); 827 return (0); 828 } 829 830 /* 831 * Create a file with a group different than any of the groups allowed: 832 * the group of the directory the file is created in, the effective 833 * group or any of the supplementary groups. 834 */ 835 int 836 secpolicy_vnode_create_gid(const cred_t *cred) 837 { 838 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 839 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 840 NULL)); 841 else 842 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 843 NULL)); 844 } 845 846 /* 847 * Name: secpolicy_vnode_utime_modify() 848 * 849 * Normal: verify that subject can modify the utime on a file. 850 * 851 * Output: EPERM - if access denied. 852 */ 853 854 static int 855 secpolicy_vnode_utime_modify(const cred_t *cred) 856 { 857 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 858 "modify file times")); 859 } 860 861 862 /* 863 * Name: secpolicy_vnode_setdac() 864 * 865 * Normal: verify that subject can modify the mode of a file. 866 * allzone privilege needed when modifying root owned object. 867 * 868 * Output: EPERM - if access denied. 869 */ 870 871 int 872 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 873 { 874 if (owner == cred->cr_uid) 875 return (0); 876 877 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 878 } 879 /* 880 * Name: secpolicy_vnode_stky_modify() 881 * 882 * Normal: verify that subject can make a file a "sticky". 883 * 884 * Output: EPERM - if access denied. 885 */ 886 887 int 888 secpolicy_vnode_stky_modify(const cred_t *cred) 889 { 890 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 891 "set file sticky")); 892 } 893 894 /* 895 * Policy determines whether we can remove an entry from a directory, 896 * regardless of permission bits. 897 */ 898 int 899 secpolicy_vnode_remove(const cred_t *cr) 900 { 901 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 902 "sticky directory")); 903 } 904 905 int 906 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 907 { 908 boolean_t allzone = (owner == 0); 909 910 if (owner == cr->cr_uid) 911 return (0); 912 913 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 914 } 915 916 void 917 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 918 { 919 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 920 secpolicy_vnode_setid_retain(cr, 921 (vap->va_mode & S_ISUID) != 0 && 922 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 923 vap->va_mask |= AT_MODE; 924 vap->va_mode &= ~(S_ISUID|S_ISGID); 925 } 926 } 927 928 /* 929 * This function checks the policy decisions surrounding the 930 * vop setattr call. 931 * 932 * It should be called after sufficient locks have been established 933 * on the underlying data structures. No concurrent modifications 934 * should be allowed. 935 * 936 * The caller must pass in unlocked version of its vaccess function 937 * this is required because vop_access function should lock the 938 * node for reading. A three argument function should be defined 939 * which accepts the following argument: 940 * A pointer to the internal "node" type (inode *) 941 * vnode access bits (VREAD|VWRITE|VEXEC) 942 * a pointer to the credential 943 * 944 * This function makes the following policy decisions: 945 * 946 * - change permissions 947 * - permission to change file mode if not owner 948 * - permission to add sticky bit to non-directory 949 * - permission to add set-gid bit 950 * 951 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 952 * 953 * If the vap argument does not include AT_MODE, the mode will be copied from 954 * ovap. In certain situations set-uid/set-gid bits need to be removed; 955 * this is done by marking vap->va_mask to include AT_MODE and va_mode 956 * is updated to the newly computed mode. 957 */ 958 959 int 960 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 961 const struct vattr *ovap, int flags, 962 int unlocked_access(void *, int, cred_t *), 963 void *node) 964 { 965 int mask = vap->va_mask; 966 int error = 0; 967 968 if (mask & AT_SIZE) { 969 if (vp->v_type == VDIR) { 970 error = EISDIR; 971 goto out; 972 } 973 error = unlocked_access(node, VWRITE, cr); 974 if (error) 975 goto out; 976 } 977 if (mask & AT_MODE) { 978 /* 979 * If not the owner of the file then check privilege 980 * for two things: the privilege to set the mode at all 981 * and, if we're setting setuid, we also need permissions 982 * to add the set-uid bit, if we're not the owner. 983 * In the specific case of creating a set-uid root 984 * file, we need even more permissions. 985 */ 986 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 987 goto out; 988 989 if ((vap->va_mode & S_ISUID) != 0 && 990 (error = secpolicy_vnode_setid_modify(cr, 991 ovap->va_uid)) != 0) { 992 goto out; 993 } 994 995 /* 996 * Check privilege if attempting to set the 997 * sticky bit on a non-directory. 998 */ 999 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1000 secpolicy_vnode_stky_modify(cr) != 0) { 1001 vap->va_mode &= ~S_ISVTX; 1002 } 1003 1004 /* 1005 * Check for privilege if attempting to set the 1006 * group-id bit. 1007 */ 1008 if ((vap->va_mode & S_ISGID) != 0 && 1009 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1010 vap->va_mode &= ~S_ISGID; 1011 } 1012 1013 } else 1014 vap->va_mode = ovap->va_mode; 1015 1016 if (mask & (AT_UID|AT_GID)) { 1017 boolean_t checkpriv = B_FALSE; 1018 int priv; 1019 boolean_t allzone = B_FALSE; 1020 1021 /* 1022 * Chowning files. 1023 * 1024 * If you are the file owner: 1025 * chown to other uid FILE_CHOWN_SELF 1026 * chown to gid (non-member) FILE_CHOWN_SELF 1027 * chown to gid (member) <none> 1028 * 1029 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1030 * acceptable but the first one is reported when debugging. 1031 * 1032 * If you are not the file owner: 1033 * chown from root PRIV_FILE_CHOWN + zone 1034 * chown from other to any PRIV_FILE_CHOWN 1035 * 1036 */ 1037 if (cr->cr_uid != ovap->va_uid) { 1038 checkpriv = B_TRUE; 1039 allzone = (ovap->va_uid == 0); 1040 priv = PRIV_FILE_CHOWN; 1041 } else { 1042 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1043 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1044 !groupmember(vap->va_gid, cr))) { 1045 checkpriv = B_TRUE; 1046 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1047 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1048 } 1049 } 1050 /* 1051 * If necessary, check privilege to see if update can be done. 1052 */ 1053 if (checkpriv && 1054 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1055 != 0) { 1056 goto out; 1057 } 1058 1059 /* 1060 * If the file has either the set UID or set GID bits 1061 * set and the caller can set the bits, then leave them. 1062 */ 1063 secpolicy_setid_clear(vap, cr); 1064 } 1065 if (mask & (AT_ATIME|AT_MTIME)) { 1066 /* 1067 * If not the file owner and not otherwise privileged, 1068 * always return an error when setting the 1069 * time other than the current (ATTR_UTIME flag set). 1070 * If setting the current time (ATTR_UTIME not set) then 1071 * unlocked_access will check permissions according to policy. 1072 */ 1073 if (cr->cr_uid != ovap->va_uid) { 1074 if (flags & ATTR_UTIME) 1075 error = secpolicy_vnode_utime_modify(cr); 1076 else { 1077 error = unlocked_access(node, VWRITE, cr); 1078 if (error == EACCES && 1079 secpolicy_vnode_utime_modify(cr) == 0) 1080 error = 0; 1081 } 1082 if (error) 1083 goto out; 1084 } 1085 } 1086 out: 1087 return (error); 1088 } 1089 1090 /* 1091 * Name: secpolicy_pcfs_modify_bootpartition() 1092 * 1093 * Normal: verify that subject can modify a pcfs boot partition. 1094 * 1095 * Output: EACCES - if privilege check failed. 1096 */ 1097 /*ARGSUSED*/ 1098 int 1099 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1100 { 1101 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1102 "modify pcfs boot partition")); 1103 } 1104 1105 /* 1106 * System V IPC routines 1107 */ 1108 int 1109 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1110 { 1111 if (crgetzoneid(cr) != ip->ipc_zoneid || 1112 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1113 boolean_t allzone = B_FALSE; 1114 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1115 allzone = B_TRUE; 1116 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1117 } 1118 return (0); 1119 } 1120 1121 int 1122 secpolicy_ipc_config(const cred_t *cr) 1123 { 1124 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1125 } 1126 1127 int 1128 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1129 { 1130 1131 boolean_t allzone = B_FALSE; 1132 1133 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1134 1135 if ((mode & MSG_R) && 1136 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1137 return (EACCES); 1138 1139 if (mode & MSG_W) { 1140 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1141 allzone = B_TRUE; 1142 1143 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1144 NULL)); 1145 } 1146 return (0); 1147 } 1148 1149 int 1150 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1151 { 1152 boolean_t allzone = B_FALSE; 1153 1154 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1155 1156 if ((mode & MSG_R) && 1157 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1158 return (EACCES); 1159 1160 if (mode & MSG_W) { 1161 if (cr->cr_uid != 0 && owner == 0) 1162 allzone = B_TRUE; 1163 1164 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1165 NULL)); 1166 } 1167 return (0); 1168 } 1169 1170 /* 1171 * Audit configuration. 1172 */ 1173 int 1174 secpolicy_audit_config(const cred_t *cr) 1175 { 1176 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1177 } 1178 1179 /* 1180 * Audit record generation. 1181 */ 1182 int 1183 secpolicy_audit_modify(const cred_t *cr) 1184 { 1185 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1186 } 1187 1188 /* 1189 * Get audit attributes. 1190 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1191 * "Least" of the two privileges on error. 1192 */ 1193 int 1194 secpolicy_audit_getattr(const cred_t *cr) 1195 { 1196 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1197 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1198 NULL)); 1199 } else { 1200 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1201 } 1202 } 1203 1204 1205 /* 1206 * Locking physical memory 1207 */ 1208 int 1209 secpolicy_lock_memory(const cred_t *cr) 1210 { 1211 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1212 } 1213 1214 /* 1215 * Accounting (both acct(2) and exacct). 1216 */ 1217 int 1218 secpolicy_acct(const cred_t *cr) 1219 { 1220 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1221 } 1222 1223 /* 1224 * Is this process privileged to change its uids at will? 1225 * Uid 0 is still considered "special" and having the SETID 1226 * privilege is not sufficient to get uid 0. 1227 * Files are owned by root, so the privilege would give 1228 * full access and euid 0 is still effective. 1229 * 1230 * If you have the privilege and euid 0 only then do you 1231 * get the powers of root wrt uid 0. 1232 * 1233 * For gid manipulations, this is should be called with an 1234 * uid of -1. 1235 * 1236 */ 1237 int 1238 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1239 { 1240 boolean_t allzone = B_FALSE; 1241 1242 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1243 cr->cr_ruid != 0) { 1244 allzone = B_TRUE; 1245 } 1246 1247 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1248 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1249 } 1250 1251 1252 /* 1253 * Acting on a different process: if the mode is for writing, 1254 * the restrictions are more severe. This is called after 1255 * we've verified that the uids do not match. 1256 */ 1257 int 1258 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1259 { 1260 boolean_t allzone = B_FALSE; 1261 1262 if ((mode & VWRITE) && scr->cr_uid != 0 && 1263 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1264 allzone = B_TRUE; 1265 1266 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1267 } 1268 1269 int 1270 secpolicy_proc_access(const cred_t *scr) 1271 { 1272 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1273 } 1274 1275 int 1276 secpolicy_proc_excl_open(const cred_t *scr) 1277 { 1278 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1279 } 1280 1281 int 1282 secpolicy_proc_zone(const cred_t *scr) 1283 { 1284 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1285 } 1286 1287 /* 1288 * Destroying the system 1289 */ 1290 1291 int 1292 secpolicy_kmdb(const cred_t *scr) 1293 { 1294 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1295 } 1296 1297 int 1298 secpolicy_error_inject(const cred_t *scr) 1299 { 1300 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1301 } 1302 1303 /* 1304 * Processor sets, cpu configuration, resource pools. 1305 */ 1306 int 1307 secpolicy_pset(const cred_t *cr) 1308 { 1309 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1310 } 1311 1312 int 1313 secpolicy_ponline(const cred_t *cr) 1314 { 1315 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1316 } 1317 1318 int 1319 secpolicy_pool(const cred_t *cr) 1320 { 1321 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1322 } 1323 1324 int 1325 secpolicy_blacklist(const cred_t *cr) 1326 { 1327 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1328 } 1329 1330 /* 1331 * Catch all system configuration. 1332 */ 1333 int 1334 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1335 { 1336 if (checkonly) { 1337 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1338 EPERM); 1339 } else { 1340 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1341 } 1342 } 1343 1344 /* 1345 * Zone administration (halt, reboot, etc.) from within zone. 1346 */ 1347 int 1348 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1349 { 1350 if (checkonly) { 1351 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1352 EPERM); 1353 } else { 1354 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1355 NULL)); 1356 } 1357 } 1358 1359 /* 1360 * Zone configuration (create, halt, enter). 1361 */ 1362 int 1363 secpolicy_zone_config(const cred_t *cr) 1364 { 1365 /* 1366 * Require all privileges to avoid possibility of privilege 1367 * escalation. 1368 */ 1369 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1370 } 1371 1372 /* 1373 * Various other system configuration calls 1374 */ 1375 int 1376 secpolicy_coreadm(const cred_t *cr) 1377 { 1378 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1379 } 1380 1381 int 1382 secpolicy_systeminfo(const cred_t *cr) 1383 { 1384 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1385 } 1386 1387 int 1388 secpolicy_dispadm(const cred_t *cr) 1389 { 1390 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1391 } 1392 1393 int 1394 secpolicy_settime(const cred_t *cr) 1395 { 1396 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1397 } 1398 1399 /* 1400 * For realtime users: high resolution clock. 1401 */ 1402 int 1403 secpolicy_clock_highres(const cred_t *cr) 1404 { 1405 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1406 NULL)); 1407 } 1408 1409 /* 1410 * drv_priv() is documented as callable from interrupt context, not that 1411 * anyone ever does, but still. No debugging or auditing can be done when 1412 * it is called from interrupt context. 1413 * returns 0 on succes, EPERM on failure. 1414 */ 1415 int 1416 drv_priv(cred_t *cr) 1417 { 1418 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1419 } 1420 1421 int 1422 secpolicy_sys_devices(const cred_t *cr) 1423 { 1424 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1425 } 1426 1427 int 1428 secpolicy_excl_open(const cred_t *cr) 1429 { 1430 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1431 } 1432 1433 int 1434 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1435 { 1436 /* zone.* rctls can only be set from the global zone */ 1437 if (is_zone_rctl && priv_policy_global(cr) != 0) 1438 return (EPERM); 1439 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1440 } 1441 1442 int 1443 secpolicy_resource(const cred_t *cr) 1444 { 1445 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1446 } 1447 1448 /* 1449 * Processes with a real uid of 0 escape any form of accounting, much 1450 * like before. 1451 */ 1452 int 1453 secpolicy_newproc(const cred_t *cr) 1454 { 1455 if (cr->cr_ruid == 0) 1456 return (0); 1457 1458 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1459 } 1460 1461 /* 1462 * Networking 1463 */ 1464 int 1465 secpolicy_net_rawaccess(const cred_t *cr) 1466 { 1467 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1468 } 1469 1470 /* 1471 * Need this privilege for accessing the ICMP device 1472 */ 1473 int 1474 secpolicy_net_icmpaccess(const cred_t *cr) 1475 { 1476 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1477 } 1478 1479 /* 1480 * There are a few rare cases where the kernel generates ioctls() from 1481 * interrupt context with a credential of kcred rather than NULL. 1482 * In those cases, we take the safe and cheap test. 1483 */ 1484 int 1485 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1486 { 1487 if (checkonly) { 1488 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1489 0 : EPERM); 1490 } else { 1491 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1492 NULL)); 1493 } 1494 } 1495 1496 1497 /* 1498 * Map network pseudo privileges to actual privileges. 1499 * So we don't need to recompile IP when we change the privileges. 1500 */ 1501 int 1502 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1503 { 1504 int priv = PRIV_ALL; 1505 1506 switch (netpriv) { 1507 case OP_CONFIG: 1508 priv = PRIV_SYS_NET_CONFIG; 1509 break; 1510 case OP_RAW: 1511 priv = PRIV_NET_RAWACCESS; 1512 break; 1513 case OP_PRIVPORT: 1514 priv = PRIV_NET_PRIVADDR; 1515 break; 1516 } 1517 ASSERT(priv != PRIV_ALL); 1518 if (checkonly) 1519 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1520 else 1521 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1522 } 1523 1524 /* 1525 * Checks for operations that are either client-only or are used by 1526 * both clients and servers. 1527 */ 1528 int 1529 secpolicy_nfs(const cred_t *cr) 1530 { 1531 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1532 } 1533 1534 /* 1535 * Special case for opening rpcmod: have NFS privileges or network 1536 * config privileges. 1537 */ 1538 int 1539 secpolicy_rpcmod_open(const cred_t *cr) 1540 { 1541 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1542 return (secpolicy_nfs(cr)); 1543 else 1544 return (secpolicy_net_config(cr, NULL)); 1545 } 1546 1547 int 1548 secpolicy_chroot(const cred_t *cr) 1549 { 1550 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1551 } 1552 1553 int 1554 secpolicy_tasksys(const cred_t *cr) 1555 { 1556 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1557 } 1558 1559 /* 1560 * Basic privilege checks. 1561 */ 1562 int 1563 secpolicy_basic_exec(const cred_t *cr) 1564 { 1565 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1566 } 1567 1568 int 1569 secpolicy_basic_fork(const cred_t *cr) 1570 { 1571 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1572 } 1573 1574 int 1575 secpolicy_basic_proc(const cred_t *cr) 1576 { 1577 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1578 } 1579 1580 /* 1581 * Slightly complicated because we don't want to trigger the policy too 1582 * often. First we shortcircuit access to "self" (tp == sp) or if 1583 * we don't have the privilege but if we have permission 1584 * just return (0) and we don't flag the privilege as needed. 1585 * Else, we test for the privilege because we either have it or need it. 1586 */ 1587 int 1588 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1589 { 1590 if (tp == sp || 1591 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1592 return (0); 1593 } else { 1594 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1595 } 1596 } 1597 1598 int 1599 secpolicy_basic_link(const cred_t *cr) 1600 { 1601 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1602 } 1603 1604 /* 1605 * Additional device protection. 1606 * 1607 * Traditionally, a device has specific permissions on the node in 1608 * the filesystem which govern which devices can be opened by what 1609 * processes. In certain cases, it is desirable to add extra 1610 * restrictions, as writing to certain devices is identical to 1611 * having a complete run of the system. 1612 * 1613 * This mechanism is called the device policy. 1614 * 1615 * When a device is opened, its policy entry is looked up in the 1616 * policy cache and checked. 1617 */ 1618 int 1619 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1620 { 1621 devplcy_t *plcy; 1622 int err; 1623 struct snode *csp = VTOS(common_specvp(vp)); 1624 1625 mutex_enter(&csp->s_lock); 1626 1627 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1628 plcy = devpolicy_find(vp); 1629 if (csp->s_plcy) 1630 dpfree(csp->s_plcy); 1631 csp->s_plcy = plcy; 1632 ASSERT(plcy != NULL); 1633 } else 1634 plcy = csp->s_plcy; 1635 1636 if (plcy == nullpolicy) { 1637 mutex_exit(&csp->s_lock); 1638 return (0); 1639 } 1640 1641 dphold(plcy); 1642 1643 mutex_exit(&csp->s_lock); 1644 1645 err = secpolicy_require_set(cr, 1646 (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy"); 1647 dpfree(plcy); 1648 1649 return (err); 1650 } 1651 1652 int 1653 secpolicy_modctl(const cred_t *cr, int cmd) 1654 { 1655 switch (cmd) { 1656 case MODINFO: 1657 case MODGETPATH: 1658 case MODGETPATHLEN: 1659 case MODGETFBNAME: 1660 case MODGETNAME: 1661 case MODGETDEVPOLICY: 1662 case MODGETDEVPOLICYBYNAME: 1663 case MODGETMAJBIND: 1664 /* Unprivileged */ 1665 return (0); 1666 case MODLOAD: 1667 case MODSETDEVPOLICY: 1668 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1669 default: 1670 return (secpolicy_sys_config(cr, B_FALSE)); 1671 } 1672 } 1673 1674 int 1675 secpolicy_console(const cred_t *cr) 1676 { 1677 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1678 } 1679 1680 int 1681 secpolicy_power_mgmt(const cred_t *cr) 1682 { 1683 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1684 } 1685 1686 /* 1687 * Simulate terminal input; another escalation of privileges avenue. 1688 */ 1689 1690 int 1691 secpolicy_sti(const cred_t *cr) 1692 { 1693 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1694 } 1695 1696 boolean_t 1697 secpolicy_net_reply_equal(const cred_t *cr) 1698 { 1699 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1700 } 1701 1702 int 1703 secpolicy_swapctl(const cred_t *cr) 1704 { 1705 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1706 } 1707 1708 int 1709 secpolicy_cpc_cpu(const cred_t *cr) 1710 { 1711 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1712 } 1713 1714 /* 1715 * secpolicy_contract_observer 1716 * 1717 * Determine if the subject may observe a specific contract's events. 1718 */ 1719 int 1720 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1721 { 1722 if (contract_owned(ct, cr, B_FALSE)) 1723 return (0); 1724 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1725 } 1726 1727 /* 1728 * secpolicy_contract_observer_choice 1729 * 1730 * Determine if the subject may observe any contract's events. Just 1731 * tests privilege and audits on success. 1732 */ 1733 boolean_t 1734 secpolicy_contract_observer_choice(const cred_t *cr) 1735 { 1736 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1737 } 1738 1739 /* 1740 * secpolicy_contract_event 1741 * 1742 * Determine if the subject may request critical contract events or 1743 * reliable contract event delivery. 1744 */ 1745 int 1746 secpolicy_contract_event(const cred_t *cr) 1747 { 1748 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1749 } 1750 1751 /* 1752 * secpolicy_contract_event_choice 1753 * 1754 * Determine if the subject may retain contract events in its critical 1755 * set when a change in other terms would normally require a change in 1756 * the critical set. Just tests privilege and audits on success. 1757 */ 1758 boolean_t 1759 secpolicy_contract_event_choice(const cred_t *cr) 1760 { 1761 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1762 } 1763 1764 /* 1765 * secpolicy_gart_access 1766 * 1767 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 1768 * device. 1769 */ 1770 int 1771 secpolicy_gart_access(const cred_t *cr) 1772 { 1773 return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)); 1774 } 1775 1776 /* 1777 * secpolicy_gart_map 1778 * 1779 * Determine if the subject has sufficient priveleges to map aperture range 1780 * through agpgart driver. 1781 */ 1782 int 1783 secpolicy_gart_map(const cred_t *cr) 1784 { 1785 if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) { 1786 return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL)); 1787 } 1788 return (0); 1789 } 1790 1791 /* 1792 * secpolicy_zinject 1793 * 1794 * Determine if the subject can inject faults in the ZFS fault injection 1795 * framework. Requires all privileges. 1796 */ 1797 int 1798 secpolicy_zinject(const cred_t *cr) 1799 { 1800 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1801 } 1802 1803 /* 1804 * secpolicy_zfs 1805 * 1806 * Determine if the subject has permission to manipulate ZFS datasets 1807 * (not pools). Equivalent to the SYS_MOUNT privilege. 1808 */ 1809 int 1810 secpolicy_zfs(const cred_t *cr) 1811 { 1812 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1813 } 1814