1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/cred_impl.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/stat.h> 37 #include <sys/errno.h> 38 #include <sys/kmem.h> 39 #include <sys/user.h> 40 #include <sys/proc.h> 41 #include <sys/acct.h> 42 #include <sys/ipc_impl.h> 43 #include <sys/syscall.h> 44 #include <sys/cmn_err.h> 45 #include <sys/debug.h> 46 #include <sys/policy.h> 47 #include <sys/kobj.h> 48 #include <sys/msg.h> 49 #include <sys/devpolicy.h> 50 #include <c2/audit.h> 51 #include <sys/varargs.h> 52 #include <sys/modctl.h> 53 #include <sys/disp.h> 54 #include <sys/zone.h> 55 #include <inet/common.h> 56 #include <inet/optcom.h> 57 #include <sys/sdt.h> 58 #include <sys/mount.h> 59 #include <sys/vfs.h> 60 #include <sys/mntent.h> 61 #include <sys/contract_impl.h> 62 63 #include <sys/sunddi.h> 64 65 /* 66 * There are two possible layers of privilege routines and two possible 67 * levels of secpolicy. Plus one other we may not be interested in, so 68 * we may need as many as 6 but no more. 69 */ 70 #define MAXPRIVSTACK 6 71 72 int priv_debug = 0; 73 74 /* 75 * This file contains the majority of the policy routines. 76 * Since the policy routines are defined by function and not 77 * by privilege, there is quite a bit of duplication of 78 * functions. 79 * 80 * The secpolicy functions must not make asssumptions about 81 * locks held or not held as any lock can be held while they're 82 * being called. 83 * 84 * Credentials are read-only so no special precautions need to 85 * be taken while locking them. 86 * 87 * When a new policy check needs to be added to the system the 88 * following procedure should be followed: 89 * 90 * Pick an appropriate secpolicy_*() function 91 * -> done if one exists. 92 * Create a new secpolicy function, preferably with 93 * a descriptive name using the standard template. 94 * Pick an appropriate privilege for the policy. 95 * If no appropraite privilege exists, define new one 96 * (this should be done with extreme care; in most cases 97 * little is gained by adding another privilege) 98 * 99 * WHY ROOT IS STILL SPECIAL. 100 * 101 * In a number of the policy functions, there are still explicit 102 * checks for uid 0. The rationale behind these is that many root 103 * owned files/objects hold configuration information which can give full 104 * privileges to the user once written to. To prevent escalation 105 * of privilege by allowing just a single privilege to modify root owned 106 * objects, we've added these root specific checks where we considered 107 * them necessary: modifying root owned files, changing uids to 0, etc. 108 * 109 * PRIVILEGE ESCALATION AND ZONES. 110 * 111 * A number of operations potentially allow the caller to achieve 112 * privileges beyond the ones normally required to perform the operation. 113 * For example, if allowed to create a setuid 0 executable, a process can 114 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 115 * restrictions on the ability to gain privileges beyond those available 116 * within the zone through file and process manipulation. Hence, such 117 * operations require that the caller have an effective set that includes 118 * all privileges available within the current zone, or all privileges 119 * if executing in the global zone. 120 * 121 * This is indicated in the priv_policy* policy checking functions 122 * through a combination of parameters. The "priv" parameter indicates 123 * the privilege that is required, and the "allzone" parameter indicates 124 * whether or not all privileges in the zone are required. In addition, 125 * priv can be set to PRIV_ALL to indicate that all privileges are 126 * required (regardless of zone). There are three scenarios of interest: 127 * (1) operation requires a specific privilege 128 * (2) operation requires a specific privilege, and requires all 129 * privileges available within the zone (or all privileges if in 130 * the global zone) 131 * (3) operation requires all privileges, regardless of zone 132 * 133 * For (1), priv should be set to the specific privilege, and allzone 134 * should be set to B_FALSE. 135 * For (2), priv should be set to the specific privilege, and allzone 136 * should be set to B_TRUE. 137 * For (3), priv should be set to PRIV_ALL, and allzone should be set 138 * to B_FALSE. 139 * 140 */ 141 142 /* 143 * The privileges are checked against the Effective set for 144 * ordinary processes and checked against the Limit set 145 * for euid 0 processes that haven't manipulated their privilege 146 * sets. 147 */ 148 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 149 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 150 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 151 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 152 HAS_ALLPRIVS(cr) : \ 153 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 154 155 /* 156 * Policy checking functions 157 * 158 * In future, these will migrate to several files when policy 159 * becomes more or less pluggable. 160 * 161 * For now, there's only one policy and this is it. 162 */ 163 164 /* 165 * Generic policy calls 166 * 167 * The "bottom" functions of policy control 168 */ 169 170 static char * 171 mprintf(const char *fmt, ...) 172 { 173 va_list args; 174 char *buf; 175 size_t len; 176 177 va_start(args, fmt); 178 len = vsnprintf(NULL, 0, fmt, args) + 1; 179 va_end(args); 180 181 buf = kmem_alloc(len, KM_NOSLEEP); 182 183 if (buf == NULL) 184 return (NULL); 185 186 va_start(args, fmt); 187 (void) vsnprintf(buf, len, fmt, args); 188 va_end(args); 189 190 return (buf); 191 } 192 193 /* 194 * priv_policy_errmsg() 195 * 196 * Generate an error message if privilege debugging is enabled system wide 197 * or for this particular process. 198 */ 199 200 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 201 #define FMTMSG " for \"%s\"" 202 #define FMTFUN " needed at %s+0x%lx" 203 204 /* The maximum size privilege format: the concatenation of the above */ 205 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 206 207 static void 208 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 209 { 210 struct proc *me; 211 pc_t stack[MAXPRIVSTACK]; 212 int depth; 213 int i; 214 char *sym; 215 ulong_t off; 216 const char *pname; 217 218 char *cmd; 219 char fmt[sizeof (FMTMAX)]; 220 221 if ((me = curproc) == &p0) 222 return; 223 224 /* Privileges must be defined */ 225 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 226 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 227 priv_getbynum(priv) != NULL); 228 229 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 230 priv = PRIV_ALL; 231 232 if (curthread->t_pre_sys) 233 ttolwp(curthread)->lwp_badpriv = (short)priv; 234 235 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 236 return; 237 238 (void) strcpy(fmt, FMTHDR); 239 240 if (me->p_user.u_comm[0]) 241 cmd = &me->p_user.u_comm[0]; 242 else 243 cmd = "priv_policy"; 244 245 if (msg != NULL && *msg != '\0') { 246 (void) strcat(fmt, FMTMSG); 247 } else { 248 (void) strcat(fmt, "%s"); 249 msg = ""; 250 } 251 252 sym = NULL; 253 254 depth = getpcstack(stack, MAXPRIVSTACK); 255 256 /* 257 * Try to find the first interesting function on the stack. 258 * priv_policy* that's us, so completely uninteresting. 259 * suser(), drv_priv(), secpolicy_* are also called from 260 * too many locations to convey useful information. 261 */ 262 for (i = 0; i < depth; i++) { 263 sym = kobj_getsymname((uintptr_t)stack[i], &off); 264 if (sym != NULL && 265 strstr(sym, "hasprocperm") == 0 && 266 strcmp("suser", sym) != 0 && 267 strcmp("ipcaccess", sym) != 0 && 268 strcmp("drv_priv", sym) != 0 && 269 strncmp("secpolicy_", sym, 10) != 0 && 270 strncmp("priv_policy", sym, 11) != 0) 271 break; 272 } 273 274 if (sym != NULL) 275 (void) strcat(fmt, FMTFUN); 276 277 (void) strcat(fmt, "\n"); 278 279 switch (priv) { 280 case PRIV_ALL: 281 pname = "ALL"; 282 break; 283 case PRIV_MULTIPLE: 284 pname = "MULTIPLE"; 285 break; 286 case PRIV_ALLZONE: 287 pname = "ZONE"; 288 break; 289 case PRIV_GLOBAL: 290 pname = "GLOBAL"; 291 break; 292 default: 293 pname = priv_getbynum(priv); 294 break; 295 } 296 297 if (CR_FLAGS(cr) & PRIV_DEBUG) { 298 /* Remember last message, just like lwp_badpriv. */ 299 if (curthread->t_pdmsg != NULL) { 300 kmem_free(curthread->t_pdmsg, 301 strlen(curthread->t_pdmsg) + 1); 302 } 303 304 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 305 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 306 307 curthread->t_post_sys = 1; 308 } else { 309 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 310 curthread->t_sysnum, msg, sym, off); 311 } 312 } 313 314 /* 315 * Audit failure, log error message. 316 */ 317 static void 318 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 319 { 320 321 #ifdef C2_AUDIT 322 if (audit_active) 323 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 324 #endif 325 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 326 327 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 328 curthread->t_pre_sys) { 329 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 330 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 331 } else { 332 ASSERT(!HAS_PRIVILEGE(cr, priv)); 333 priv_policy_errmsg(cr, priv, msg); 334 } 335 } 336 } 337 338 /* 339 * priv_policy() 340 * return 0 or error. 341 * See block comment above for a description of "priv" and "allzone" usage. 342 */ 343 int 344 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 345 const char *msg) 346 { 347 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 348 if ((allzone || priv == PRIV_ALL || 349 !PRIV_ISASSERT(priv_basic, priv)) && 350 !servicing_interrupt()) { 351 u.u_acflag |= ASU; /* Needed for SVVS */ 352 #ifdef C2_AUDIT 353 if (audit_active) 354 audit_priv(priv, 355 allzone ? ZONEPRIVS(cr) : NULL, 1); 356 #endif 357 } 358 err = 0; 359 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 360 } else if (!servicing_interrupt()) { 361 /* Failure audited in this procedure */ 362 priv_policy_err(cr, priv, allzone, msg); 363 } 364 365 return (err); 366 } 367 368 /* 369 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 370 */ 371 boolean_t 372 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 373 { 374 boolean_t res = HAS_PRIVILEGE(cr, priv) && 375 (!allzone || HAS_ALLZONEPRIVS(cr)); 376 377 #ifdef C2_AUDIT 378 /* Audit success only */ 379 if (res && audit_active && 380 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 381 !servicing_interrupt()) { 382 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 383 } 384 #endif 385 if (res) { 386 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 387 } else { 388 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 389 } 390 return (res); 391 } 392 393 /* 394 * Non-auditing variant of priv_policy_choice(). 395 */ 396 boolean_t 397 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 398 { 399 boolean_t res = HAS_PRIVILEGE(cr, priv) && 400 (!allzone || HAS_ALLZONEPRIVS(cr)); 401 402 if (res) { 403 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 404 } else { 405 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 406 } 407 return (res); 408 } 409 410 /* 411 * Check whether all privileges in the required set are present. 412 */ 413 static int 414 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 415 { 416 int priv; 417 int pfound = -1; 418 priv_set_t pset; 419 420 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 421 &CR_OEPRIV(cr))) { 422 return (0); 423 } 424 425 if (req == PRIV_FULLSET || priv_isfullset(req)) { 426 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 427 return (EACCES); 428 } 429 430 pset = CR_OEPRIV(cr); /* present privileges */ 431 priv_inverse(&pset); /* all non present privileges */ 432 priv_intersect(req, &pset); /* the actual missing privs */ 433 434 #ifdef C2_AUDIT 435 if (audit_active) 436 audit_priv(PRIV_NONE, &pset, 0); 437 #endif 438 /* 439 * Privilege debugging; special case "one privilege in set". 440 */ 441 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 442 for (priv = 0; priv < nprivs; priv++) { 443 if (priv_ismember(&pset, priv)) { 444 if (pfound != -1) { 445 /* Multiple missing privs */ 446 priv_policy_errmsg(cr, PRIV_MULTIPLE, 447 msg); 448 return (EACCES); 449 } 450 pfound = priv; 451 } 452 } 453 ASSERT(pfound != -1); 454 /* Just the one missing privilege */ 455 priv_policy_errmsg(cr, pfound, msg); 456 } 457 458 return (EACCES); 459 } 460 461 /* 462 * Called when an operation requires that the caller be in the 463 * global zone, regardless of privilege. 464 */ 465 static int 466 priv_policy_global(const cred_t *cr) 467 { 468 if (crgetzoneid(cr) == GLOBAL_ZONEID) 469 return (0); /* success */ 470 471 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 472 curthread->t_pre_sys) { 473 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 474 } 475 return (EPERM); 476 } 477 478 /* 479 * Changing process priority 480 */ 481 int 482 secpolicy_setpriority(const cred_t *cr) 483 { 484 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 485 } 486 487 /* 488 * Binding to a privileged port, port must be specified in host byte 489 * order. 490 */ 491 int 492 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 493 { 494 /* 495 * NFS ports, these are extra privileged ports, allow bind 496 * only if the SYS_NFS privilege is present. 497 */ 498 if (port == 2049 || port == 4045) 499 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 500 "NFS port")); 501 else 502 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 503 NULL)); 504 } 505 506 /* 507 * Common routine which determines whether a given credential can 508 * act on a given mount. 509 * When called through mount, the parameter needoptcheck is a pointer 510 * to a boolean variable which will be set to either true or false, 511 * depending on whether the mount policy should change the mount options. 512 * In all other cases, needoptcheck should be a NULL pointer. 513 */ 514 static int 515 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 516 boolean_t *needoptcheck) 517 { 518 boolean_t allzone = B_FALSE; 519 boolean_t mounting = needoptcheck != NULL; 520 521 /* 522 * Short circuit the following cases: 523 * vfsp == NULL or mvp == NULL (pure privilege check) 524 * have all privileges - no further checks required 525 * and no mount options need to be set. 526 */ 527 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 528 if (mounting) 529 *needoptcheck = B_FALSE; 530 531 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 532 } 533 534 /* 535 * When operating on an existing mount (either we're not mounting 536 * or we're doing a remount and VFS_REMOUNT will be set), zones 537 * can operate only on mounts established by the zone itself. 538 */ 539 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 540 zoneid_t zoneid = crgetzoneid(cr); 541 542 if (zoneid != GLOBAL_ZONEID && 543 vfsp->vfs_zone->zone_id != zoneid) { 544 return (EPERM); 545 } 546 } 547 548 if (mounting) 549 *needoptcheck = B_TRUE; 550 551 /* 552 * Overlay mounts may hide important stuff; if you can't write to a 553 * mount point but would be able to mount on top of it, you can 554 * escalate your privileges. 555 * So we go about asking the same questions namefs does when it 556 * decides whether you can mount over a file or not but with the 557 * added restriction that you can only mount on top of a regular 558 * file or directory. 559 * If we have all the zone's privileges, we skip all other checks, 560 * or else we may actually get in trouble inside the automounter. 561 */ 562 if ((mvp->v_flag & VROOT) != 0 || 563 (mvp->v_type != VDIR && mvp->v_type != VREG) || 564 HAS_ALLZONEPRIVS(cr)) { 565 allzone = B_TRUE; 566 } else { 567 vattr_t va; 568 int err; 569 570 va.va_mask = AT_UID|AT_MODE; 571 err = VOP_GETATTR(mvp, &va, 0, cr); 572 if (err != 0) 573 return (err); 574 575 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 576 return (err); 577 578 if ((va.va_mode & VWRITE) == 0 && 579 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 580 return (EACCES); 581 } 582 } 583 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 584 } 585 586 extern vnode_t *rootvp; 587 extern vfs_t *rootvfs; 588 589 int 590 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 591 { 592 boolean_t needoptchk; 593 int error; 594 595 /* 596 * If it's a remount, get the underlying mount point, 597 * except for the root where we use the rootvp. 598 */ 599 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 600 if (vfsp == rootvfs) 601 mvp = rootvp; 602 else 603 mvp = vfsp->vfs_vnodecovered; 604 } 605 606 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 607 608 if (error == 0 && needoptchk) { 609 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 610 611 /* 612 * Third check; if we don't have either "nosuid" or 613 * both "nosetuid" and "nodevices", then we add 614 * "nosuid"; this depends on how the current 615 * implementation works (it first checks nosuid). In a 616 * zone, a user with all zone privileges can mount with 617 * "setuid" but never with "devices". 618 */ 619 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 620 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 621 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 622 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 623 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 624 else 625 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 626 } 627 /* 628 * If we're not the local super user, we set the "restrict" 629 * option to indicate to automountd that this mount should 630 * be handled with care. 631 */ 632 if (!amsuper) 633 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 634 635 } 636 return (error); 637 } 638 639 /* 640 * Does the policy computations for "ownership" of a mount; 641 * here ownership is defined as the ability to "mount" 642 * the filesystem originally. The rootvfs doesn't cover any 643 * vnodes; we attribute its ownership to the rootvp. 644 */ 645 static int 646 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 647 { 648 vnode_t *mvp; 649 650 if (vfsp == NULL) 651 mvp = NULL; 652 else if (vfsp == rootvfs) 653 mvp = rootvp; 654 else 655 mvp = vfsp->vfs_vnodecovered; 656 657 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 658 } 659 660 int 661 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 662 { 663 return (secpolicy_fs_owner(cr, vfsp)); 664 } 665 666 /* 667 * Quotas are a resource, but if one has the ability to mount a filesystem, he 668 * should be able to modify quotas on it. 669 */ 670 int 671 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 672 { 673 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 674 } 675 676 /* 677 * Exceeding minfree: also a per-mount resource constraint. 678 */ 679 int 680 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 681 { 682 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 683 } 684 685 int 686 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 687 { 688 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 689 } 690 691 /* ARGSUSED */ 692 int 693 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 694 { 695 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 696 } 697 698 /* 699 * Name: secpolicy_vnode_access() 700 * 701 * Parameters: Process credential 702 * vnode 703 * uid of owner of vnode 704 * permission bits not granted to the caller when examining 705 * file mode bits (i.e., when a process wants to open a 706 * mode 444 file for VREAD|VWRITE, this function should be 707 * called only with a VWRITE argument). 708 * 709 * Normal: Verifies that cred has the appropriate privileges to 710 * override the mode bits that were denied. 711 * 712 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 713 * not a directory. 714 * file_dac_read - if VREAD bit was denied. 715 * file_dac_search - if VEXEC bit was denied and vnode is 716 * a directory. 717 * file_dac_write - if VWRITE bit was denied. 718 * 719 * Root owned files are special cased to protect system 720 * configuration files and such. 721 * 722 * Output: EACCES - if privilege check fails. 723 */ 724 725 /* ARGSUSED */ 726 int 727 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 728 { 729 if ((mode & VREAD) && 730 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 731 return (EACCES); 732 733 if (mode & VWRITE) { 734 boolean_t allzone; 735 736 if (owner == 0 && cr->cr_uid != 0) 737 allzone = B_TRUE; 738 else 739 allzone = B_FALSE; 740 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 741 != 0) 742 return (EACCES); 743 } 744 745 if (mode & VEXEC) { 746 /* 747 * Directories use file_dac_search to override the execute bit. 748 */ 749 vtype_t vtype = vp->v_type; 750 751 if (vtype == VDIR) 752 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 753 EACCES, NULL)); 754 else 755 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 756 EACCES, NULL)); 757 } 758 return (0); 759 } 760 761 /* 762 * Name: secpolicy_vnode_setid_modify() 763 * 764 * Normal: verify that subject can set the file setid flags. 765 * 766 * Output: EPERM - if not privileged. 767 */ 768 769 static int 770 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 771 { 772 /* If changing to suid root, must have all zone privs */ 773 boolean_t allzone = B_TRUE; 774 775 if (owner != 0) { 776 if (owner == cr->cr_uid) 777 return (0); 778 allzone = B_FALSE; 779 } 780 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 781 } 782 783 /* 784 * Are we allowed to retain the set-uid/set-gid bits when 785 * changing ownership or when writing to a file? 786 * "issuid" should be true when set-uid; only in that case 787 * root ownership is checked (setgid is assumed). 788 */ 789 int 790 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 791 { 792 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 793 return (EPERM); 794 795 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 796 } 797 798 /* 799 * Name: secpolicy_vnode_setids_setgids() 800 * 801 * Normal: verify that subject can set the file setgid flag. 802 * 803 * Output: EPERM - if not privileged 804 */ 805 806 int 807 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 808 { 809 if (!groupmember(gid, cred)) 810 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 811 NULL)); 812 return (0); 813 } 814 815 /* 816 * Create a file with a group different than any of the groups allowed: 817 * the group of the directory the file is created in, the effective 818 * group or any of the supplementary groups. 819 */ 820 int 821 secpolicy_vnode_create_gid(const cred_t *cred) 822 { 823 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 824 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 825 NULL)); 826 else 827 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 828 NULL)); 829 } 830 831 /* 832 * Name: secpolicy_vnode_utime_modify() 833 * 834 * Normal: verify that subject can modify the utime on a file. 835 * 836 * Output: EPERM - if access denied. 837 */ 838 839 static int 840 secpolicy_vnode_utime_modify(const cred_t *cred) 841 { 842 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 843 "modify file times")); 844 } 845 846 847 /* 848 * Name: secpolicy_vnode_setdac() 849 * 850 * Normal: verify that subject can modify the mode of a file. 851 * allzone privilege needed when modifying root owned object. 852 * 853 * Output: EPERM - if access denied. 854 */ 855 856 int 857 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 858 { 859 if (owner == cred->cr_uid) 860 return (0); 861 862 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 863 } 864 /* 865 * Name: secpolicy_vnode_stky_modify() 866 * 867 * Normal: verify that subject can make a file a "sticky". 868 * 869 * Output: EPERM - if access denied. 870 */ 871 872 int 873 secpolicy_vnode_stky_modify(const cred_t *cred) 874 { 875 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 876 "set file sticky")); 877 } 878 879 /* 880 * Policy determines whether we can remove an entry from a directory, 881 * regardless of permission bits. 882 */ 883 int 884 secpolicy_vnode_remove(const cred_t *cr) 885 { 886 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 887 "sticky directory")); 888 } 889 890 int 891 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 892 { 893 boolean_t allzone = (owner == 0); 894 895 if (owner == cr->cr_uid) 896 return (0); 897 898 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 899 } 900 901 void 902 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 903 { 904 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 905 secpolicy_vnode_setid_retain(cr, 906 (vap->va_mode & S_ISUID) != 0 && 907 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 908 vap->va_mask |= AT_MODE; 909 vap->va_mode &= ~(S_ISUID|S_ISGID); 910 } 911 } 912 913 /* 914 * This function checks the policy decisions surrounding the 915 * vop setattr call. 916 * 917 * It should be called after sufficient locks have been established 918 * on the underlying data structures. No concurrent modifications 919 * should be allowed. 920 * 921 * The caller must pass in unlocked version of its vaccess function 922 * this is required because vop_access function should lock the 923 * node for reading. A three argument function should be defined 924 * which accepts the following argument: 925 * A pointer to the internal "node" type (inode *) 926 * vnode access bits (VREAD|VWRITE|VEXEC) 927 * a pointer to the credential 928 * 929 * This function makes the following policy decisions: 930 * 931 * - change permissions 932 * - permission to change file mode if not owner 933 * - permission to add sticky bit to non-directory 934 * - permission to add set-gid bit 935 * 936 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 937 * 938 * If the vap argument does not include AT_MODE, the mode will be copied from 939 * ovap. In certain situations set-uid/set-gid bits need to be removed; 940 * this is done by marking vap->va_mask to include AT_MODE and va_mode 941 * is updated to the newly computed mode. 942 */ 943 944 int 945 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 946 const struct vattr *ovap, int flags, 947 int unlocked_access(void *, int, cred_t *), 948 void *node) 949 { 950 int mask = vap->va_mask; 951 int error = 0; 952 953 if (mask & AT_SIZE) { 954 if (vp->v_type == VDIR) { 955 error = EISDIR; 956 goto out; 957 } 958 error = unlocked_access(node, VWRITE, cr); 959 if (error) 960 goto out; 961 } 962 if (mask & AT_MODE) { 963 /* 964 * If not the owner of the file then check privilege 965 * for two things: the privilege to set the mode at all 966 * and, if we're setting setuid, we also need permissions 967 * to add the set-uid bit, if we're not the owner. 968 * In the specific case of creating a set-uid root 969 * file, we need even more permissions. 970 */ 971 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 972 goto out; 973 974 if ((vap->va_mode & S_ISUID) != 0 && 975 (error = secpolicy_vnode_setid_modify(cr, 976 ovap->va_uid)) != 0) { 977 goto out; 978 } 979 980 /* 981 * Check privilege if attempting to set the 982 * sticky bit on a non-directory. 983 */ 984 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 985 secpolicy_vnode_stky_modify(cr) != 0) { 986 vap->va_mode &= ~S_ISVTX; 987 } 988 989 /* 990 * Check for privilege if attempting to set the 991 * group-id bit. 992 */ 993 if ((vap->va_mode & S_ISGID) != 0 && 994 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 995 vap->va_mode &= ~S_ISGID; 996 } 997 998 } else 999 vap->va_mode = ovap->va_mode; 1000 1001 if (mask & (AT_UID|AT_GID)) { 1002 boolean_t checkpriv = B_FALSE; 1003 int priv; 1004 boolean_t allzone = B_FALSE; 1005 1006 /* 1007 * Chowning files. 1008 * 1009 * If you are the file owner: 1010 * chown to other uid FILE_CHOWN_SELF 1011 * chown to gid (non-member) FILE_CHOWN_SELF 1012 * chown to gid (member) <none> 1013 * 1014 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1015 * acceptable but the first one is reported when debugging. 1016 * 1017 * If you are not the file owner: 1018 * chown from root PRIV_FILE_CHOWN + zone 1019 * chown from other to any PRIV_FILE_CHOWN 1020 * 1021 */ 1022 if (cr->cr_uid != ovap->va_uid) { 1023 checkpriv = B_TRUE; 1024 allzone = (ovap->va_uid == 0); 1025 priv = PRIV_FILE_CHOWN; 1026 } else { 1027 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1028 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1029 !groupmember(vap->va_gid, cr))) { 1030 checkpriv = B_TRUE; 1031 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1032 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1033 } 1034 } 1035 /* 1036 * If necessary, check privilege to see if update can be done. 1037 */ 1038 if (checkpriv && 1039 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1040 != 0) { 1041 goto out; 1042 } 1043 1044 /* 1045 * If the file has either the set UID or set GID bits 1046 * set and the caller can set the bits, then leave them. 1047 */ 1048 secpolicy_setid_clear(vap, cr); 1049 } 1050 if (mask & (AT_ATIME|AT_MTIME)) { 1051 /* 1052 * If not the file owner and not otherwise privileged, 1053 * always return an error when setting the 1054 * time other than the current (ATTR_UTIME flag set). 1055 * If setting the current time (ATTR_UTIME not set) then 1056 * unlocked_access will check permissions according to policy. 1057 */ 1058 if (cr->cr_uid != ovap->va_uid) { 1059 if (flags & ATTR_UTIME) 1060 error = secpolicy_vnode_utime_modify(cr); 1061 else { 1062 error = unlocked_access(node, VWRITE, cr); 1063 if (error == EACCES && 1064 secpolicy_vnode_utime_modify(cr) == 0) 1065 error = 0; 1066 } 1067 if (error) 1068 goto out; 1069 } 1070 } 1071 out: 1072 return (error); 1073 } 1074 1075 /* 1076 * Name: secpolicy_pcfs_modify_bootpartition() 1077 * 1078 * Normal: verify that subject can modify a pcfs boot partition. 1079 * 1080 * Output: EACCES - if privilege check failed. 1081 */ 1082 /*ARGSUSED*/ 1083 int 1084 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1085 { 1086 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1087 "modify pcfs boot partition")); 1088 } 1089 1090 /* 1091 * System V IPC routines 1092 */ 1093 int 1094 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1095 { 1096 if (crgetzoneid(cr) != ip->ipc_zoneid || 1097 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1098 boolean_t allzone = B_FALSE; 1099 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1100 allzone = B_TRUE; 1101 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1102 } 1103 return (0); 1104 } 1105 1106 int 1107 secpolicy_ipc_config(const cred_t *cr) 1108 { 1109 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1110 } 1111 1112 int 1113 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1114 { 1115 1116 boolean_t allzone = B_FALSE; 1117 1118 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1119 1120 if ((mode & MSG_R) && 1121 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1122 return (EACCES); 1123 1124 if (mode & MSG_W) { 1125 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1126 allzone = B_TRUE; 1127 1128 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1129 NULL)); 1130 } 1131 return (0); 1132 } 1133 1134 int 1135 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1136 { 1137 boolean_t allzone = B_FALSE; 1138 1139 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1140 1141 if ((mode & MSG_R) && 1142 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1143 return (EACCES); 1144 1145 if (mode & MSG_W) { 1146 if (cr->cr_uid != 0 && owner == 0) 1147 allzone = B_TRUE; 1148 1149 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1150 NULL)); 1151 } 1152 return (0); 1153 } 1154 1155 /* 1156 * Audit configuration. 1157 */ 1158 int 1159 secpolicy_audit_config(const cred_t *cr) 1160 { 1161 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1162 } 1163 1164 /* 1165 * Audit record generation. 1166 */ 1167 int 1168 secpolicy_audit_modify(const cred_t *cr) 1169 { 1170 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1171 } 1172 1173 /* 1174 * Get audit attributes. 1175 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1176 * "Least" of the two privileges on error. 1177 */ 1178 int 1179 secpolicy_audit_getattr(const cred_t *cr) 1180 { 1181 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1182 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1183 NULL)); 1184 } else { 1185 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1186 } 1187 } 1188 1189 1190 /* 1191 * Locking physical memory 1192 */ 1193 int 1194 secpolicy_lock_memory(const cred_t *cr) 1195 { 1196 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1197 } 1198 1199 /* 1200 * Accounting (both acct(2) and exacct). 1201 */ 1202 int 1203 secpolicy_acct(const cred_t *cr) 1204 { 1205 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1206 } 1207 1208 /* 1209 * Is this process privileged to change its uids at will? 1210 * Uid 0 is still considered "special" and having the SETID 1211 * privilege is not sufficient to get uid 0. 1212 * Files are owned by root, so the privilege would give 1213 * full access and euid 0 is still effective. 1214 * 1215 * If you have the privilege and euid 0 only then do you 1216 * get the powers of root wrt uid 0. 1217 * 1218 * For gid manipulations, this is should be called with an 1219 * uid of -1. 1220 * 1221 */ 1222 int 1223 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1224 { 1225 boolean_t allzone = B_FALSE; 1226 1227 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1228 cr->cr_ruid != 0) { 1229 allzone = B_TRUE; 1230 } 1231 1232 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1233 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1234 } 1235 1236 1237 /* 1238 * Acting on a different process: if the mode is for writing, 1239 * the restrictions are more severe. This is called after 1240 * we've verified that the uids do not match. 1241 */ 1242 int 1243 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1244 { 1245 boolean_t allzone = B_FALSE; 1246 1247 if ((mode & VWRITE) && scr->cr_uid != 0 && 1248 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1249 allzone = B_TRUE; 1250 1251 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1252 } 1253 1254 int 1255 secpolicy_proc_access(const cred_t *scr) 1256 { 1257 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1258 } 1259 1260 int 1261 secpolicy_proc_excl_open(const cred_t *scr) 1262 { 1263 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1264 } 1265 1266 int 1267 secpolicy_proc_zone(const cred_t *scr) 1268 { 1269 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1270 } 1271 1272 /* 1273 * Destroying the system 1274 */ 1275 1276 int 1277 secpolicy_kmdb(const cred_t *scr) 1278 { 1279 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1280 } 1281 1282 int 1283 secpolicy_error_inject(const cred_t *scr) 1284 { 1285 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1286 } 1287 1288 /* 1289 * Processor sets, cpu configuration, resource pools. 1290 */ 1291 int 1292 secpolicy_pset(const cred_t *cr) 1293 { 1294 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1295 } 1296 1297 int 1298 secpolicy_ponline(const cred_t *cr) 1299 { 1300 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1301 } 1302 1303 int 1304 secpolicy_pool(const cred_t *cr) 1305 { 1306 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1307 } 1308 1309 int 1310 secpolicy_blacklist(const cred_t *cr) 1311 { 1312 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1313 } 1314 1315 /* 1316 * Catch all system configuration. 1317 */ 1318 int 1319 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1320 { 1321 if (checkonly) { 1322 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1323 EPERM); 1324 } else { 1325 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1326 } 1327 } 1328 1329 /* 1330 * Zone administration (halt, reboot, etc.) from within zone. 1331 */ 1332 int 1333 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1334 { 1335 if (checkonly) { 1336 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1337 EPERM); 1338 } else { 1339 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1340 NULL)); 1341 } 1342 } 1343 1344 /* 1345 * Zone configuration (create, halt, enter). 1346 */ 1347 int 1348 secpolicy_zone_config(const cred_t *cr) 1349 { 1350 /* 1351 * Require all privileges to avoid possibility of privilege 1352 * escalation. 1353 */ 1354 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1355 } 1356 1357 /* 1358 * Various other system configuration calls 1359 */ 1360 int 1361 secpolicy_coreadm(const cred_t *cr) 1362 { 1363 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1364 } 1365 1366 int 1367 secpolicy_systeminfo(const cred_t *cr) 1368 { 1369 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1370 } 1371 1372 int 1373 secpolicy_dispadm(const cred_t *cr) 1374 { 1375 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1376 } 1377 1378 int 1379 secpolicy_settime(const cred_t *cr) 1380 { 1381 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1382 } 1383 1384 /* 1385 * For realtime users: high resolution clock. 1386 */ 1387 int 1388 secpolicy_clock_highres(const cred_t *cr) 1389 { 1390 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1391 NULL)); 1392 } 1393 1394 /* 1395 * drv_priv() is documented as callable from interrupt context, not that 1396 * anyone ever does, but still. No debugging or auditing can be done when 1397 * it is called from interrupt context. 1398 * returns 0 on succes, EPERM on failure. 1399 */ 1400 int 1401 drv_priv(cred_t *cr) 1402 { 1403 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1404 } 1405 1406 int 1407 secpolicy_sys_devices(const cred_t *cr) 1408 { 1409 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1410 } 1411 1412 int 1413 secpolicy_excl_open(const cred_t *cr) 1414 { 1415 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1416 } 1417 1418 int 1419 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1420 { 1421 /* zone.* rctls can only be set from the global zone */ 1422 if (is_zone_rctl && priv_policy_global(cr) != 0) 1423 return (EPERM); 1424 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1425 } 1426 1427 int 1428 secpolicy_resource(const cred_t *cr) 1429 { 1430 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1431 } 1432 1433 /* 1434 * Processes with a real uid of 0 escape any form of accounting, much 1435 * like before. 1436 */ 1437 int 1438 secpolicy_newproc(const cred_t *cr) 1439 { 1440 if (cr->cr_ruid == 0) 1441 return (0); 1442 1443 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1444 } 1445 1446 /* 1447 * Networking 1448 */ 1449 int 1450 secpolicy_net_rawaccess(const cred_t *cr) 1451 { 1452 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1453 } 1454 1455 /* 1456 * Need this privilege for accessing the ICMP device 1457 */ 1458 int 1459 secpolicy_net_icmpaccess(const cred_t *cr) 1460 { 1461 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1462 } 1463 1464 /* 1465 * There are a few rare cases where the kernel generates ioctls() from 1466 * interrupt context with a credential of kcred rather than NULL. 1467 * In those cases, we take the safe and cheap test. 1468 */ 1469 int 1470 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1471 { 1472 if (checkonly) { 1473 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1474 0 : EPERM); 1475 } else { 1476 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1477 NULL)); 1478 } 1479 } 1480 1481 1482 /* 1483 * Map network pseudo privileges to actual privileges. 1484 * So we don't need to recompile IP when we change the privileges. 1485 */ 1486 int 1487 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1488 { 1489 int priv = PRIV_ALL; 1490 1491 switch (netpriv) { 1492 case OP_CONFIG: 1493 priv = PRIV_SYS_NET_CONFIG; 1494 break; 1495 case OP_RAW: 1496 priv = PRIV_NET_RAWACCESS; 1497 break; 1498 case OP_PRIVPORT: 1499 priv = PRIV_NET_PRIVADDR; 1500 break; 1501 } 1502 ASSERT(priv != PRIV_ALL); 1503 if (checkonly) 1504 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1505 else 1506 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1507 } 1508 1509 /* 1510 * Checks for operations that are either client-only or are used by 1511 * both clients and servers. 1512 */ 1513 int 1514 secpolicy_nfs(const cred_t *cr) 1515 { 1516 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1517 } 1518 1519 /* 1520 * Special case for opening rpcmod: have NFS privileges or network 1521 * config privileges. 1522 */ 1523 int 1524 secpolicy_rpcmod_open(const cred_t *cr) 1525 { 1526 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1527 return (secpolicy_nfs(cr)); 1528 else 1529 return (secpolicy_net_config(cr, NULL)); 1530 } 1531 1532 int 1533 secpolicy_chroot(const cred_t *cr) 1534 { 1535 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1536 } 1537 1538 int 1539 secpolicy_tasksys(const cred_t *cr) 1540 { 1541 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1542 } 1543 1544 /* 1545 * Basic privilege checks. 1546 */ 1547 int 1548 secpolicy_basic_exec(const cred_t *cr) 1549 { 1550 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1551 } 1552 1553 int 1554 secpolicy_basic_fork(const cred_t *cr) 1555 { 1556 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1557 } 1558 1559 int 1560 secpolicy_basic_proc(const cred_t *cr) 1561 { 1562 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1563 } 1564 1565 /* 1566 * Slightly complicated because we don't want to trigger the policy too 1567 * often. First we shortcircuit access to "self" (tp == sp) or if 1568 * we don't have the privilege but if we have permission 1569 * just return (0) and we don't flag the privilege as needed. 1570 * Else, we test for the privilege because we either have it or need it. 1571 */ 1572 int 1573 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1574 { 1575 if (tp == sp || 1576 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1577 return (0); 1578 } else { 1579 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1580 } 1581 } 1582 1583 int 1584 secpolicy_basic_link(const cred_t *cr) 1585 { 1586 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1587 } 1588 1589 /* 1590 * Additional device protection. 1591 * 1592 * Traditionally, a device has specific permissions on the node in 1593 * the filesystem which govern which devices can be opened by what 1594 * processes. In certain cases, it is desirable to add extra 1595 * restrictions, as writing to certain devices is identical to 1596 * having a complete run of the system. 1597 * 1598 * This mechanism is called the device policy. 1599 * 1600 * When a device is opened, its policy entry is looked up in the 1601 * policy cache and checked. 1602 */ 1603 int 1604 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1605 { 1606 devplcy_t *plcy; 1607 int err; 1608 struct snode *csp = VTOS(common_specvp(vp)); 1609 1610 mutex_enter(&csp->s_lock); 1611 1612 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1613 plcy = devpolicy_find(vp); 1614 if (csp->s_plcy) 1615 dpfree(csp->s_plcy); 1616 csp->s_plcy = plcy; 1617 ASSERT(plcy != NULL); 1618 } else 1619 plcy = csp->s_plcy; 1620 1621 if (plcy == nullpolicy) { 1622 mutex_exit(&csp->s_lock); 1623 return (0); 1624 } 1625 1626 dphold(plcy); 1627 1628 mutex_exit(&csp->s_lock); 1629 1630 err = secpolicy_require_set(cr, 1631 (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy"); 1632 dpfree(plcy); 1633 1634 return (err); 1635 } 1636 1637 int 1638 secpolicy_modctl(const cred_t *cr, int cmd) 1639 { 1640 switch (cmd) { 1641 case MODINFO: 1642 case MODGETPATH: 1643 case MODGETPATHLEN: 1644 case MODGETFBNAME: 1645 case MODGETNAME: 1646 case MODGETDEVPOLICY: 1647 case MODGETDEVPOLICYBYNAME: 1648 case MODGETMAJBIND: 1649 /* Unprivileged */ 1650 return (0); 1651 case MODLOAD: 1652 case MODSETDEVPOLICY: 1653 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1654 default: 1655 return (secpolicy_sys_config(cr, B_FALSE)); 1656 } 1657 } 1658 1659 int 1660 secpolicy_console(const cred_t *cr) 1661 { 1662 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1663 } 1664 1665 int 1666 secpolicy_power_mgmt(const cred_t *cr) 1667 { 1668 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1669 } 1670 1671 /* 1672 * Simulate terminal input; another escalation of privileges avenue. 1673 */ 1674 1675 int 1676 secpolicy_sti(const cred_t *cr) 1677 { 1678 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1679 } 1680 1681 int 1682 secpolicy_swapctl(const cred_t *cr) 1683 { 1684 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1685 } 1686 1687 int 1688 secpolicy_cpc_cpu(const cred_t *cr) 1689 { 1690 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1691 } 1692 1693 /* 1694 * secpolicy_contract_observer 1695 * 1696 * Determine if the subject may observe a specific contract's events. 1697 */ 1698 int 1699 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1700 { 1701 if (contract_owned(ct, cr, B_FALSE)) 1702 return (0); 1703 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1704 } 1705 1706 /* 1707 * secpolicy_contract_observer_choice 1708 * 1709 * Determine if the subject may observe any contract's events. Just 1710 * tests privilege and audits on success. 1711 */ 1712 boolean_t 1713 secpolicy_contract_observer_choice(const cred_t *cr) 1714 { 1715 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1716 } 1717 1718 /* 1719 * secpolicy_contract_event 1720 * 1721 * Determine if the subject may request critical contract events or 1722 * reliable contract event delivery. 1723 */ 1724 int 1725 secpolicy_contract_event(const cred_t *cr) 1726 { 1727 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1728 } 1729 1730 /* 1731 * secpolicy_contract_event_choice 1732 * 1733 * Determine if the subject may retain contract events in its critical 1734 * set when a change in other terms would normally require a change in 1735 * the critical set. Just tests privilege and audits on success. 1736 */ 1737 boolean_t 1738 secpolicy_contract_event_choice(const cred_t *cr) 1739 { 1740 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1741 } 1742 1743 /* 1744 * Name: secpolicy_gart_access 1745 * 1746 * Normal: Verify if the subject has sufficient priveleges to make ioctls 1747 * to agpgart device 1748 * 1749 * Output: EPERM - if not privileged 1750 * 1751 */ 1752 int 1753 secpolicy_gart_access(const cred_t *cr) 1754 { 1755 return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)); 1756 } 1757 1758 /* 1759 * Name: secpolicy_gart_map 1760 * 1761 * Normal: Verify if the subject has sufficient privelegs to map aperture 1762 * range through agpgart driver 1763 * 1764 * Output: EPERM - if not privileged 1765 * 1766 */ 1767 int 1768 secpolicy_gart_map(const cred_t *cr) 1769 { 1770 if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) { 1771 return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL)); 1772 } 1773 return (0); 1774 } 1775 1776 /* 1777 * secpolicy_zfs 1778 * 1779 * Determine if the user has permission to manipulate ZFS datasets (not pools). 1780 * Equivalent to the SYS_MOUNT privilege. 1781 */ 1782 int 1783 secpolicy_zfs(const cred_t *cr) 1784 { 1785 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1786 } 1787