xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision a07094369b21309434206d9b3601d162693466fc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/sysmacros.h>
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/cred_impl.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/stat.h>
37 #include <sys/errno.h>
38 #include <sys/kmem.h>
39 #include <sys/user.h>
40 #include <sys/proc.h>
41 #include <sys/acct.h>
42 #include <sys/ipc_impl.h>
43 #include <sys/syscall.h>
44 #include <sys/cmn_err.h>
45 #include <sys/debug.h>
46 #include <sys/policy.h>
47 #include <sys/kobj.h>
48 #include <sys/msg.h>
49 #include <sys/devpolicy.h>
50 #include <c2/audit.h>
51 #include <sys/varargs.h>
52 #include <sys/modctl.h>
53 #include <sys/disp.h>
54 #include <sys/zone.h>
55 #include <inet/common.h>
56 #include <inet/optcom.h>
57 #include <sys/sdt.h>
58 #include <sys/mount.h>
59 #include <sys/vfs.h>
60 #include <sys/mntent.h>
61 #include <sys/contract_impl.h>
62 
63 #include <sys/sunddi.h>
64 
65 /*
66  * There are two possible layers of privilege routines and two possible
67  * levels of secpolicy.  Plus one other we may not be interested in, so
68  * we may need as many as 6 but no more.
69  */
70 #define	MAXPRIVSTACK		6
71 
72 int priv_debug = 0;
73 
74 /*
75  * This file contains the majority of the policy routines.
76  * Since the policy routines are defined by function and not
77  * by privilege, there is quite a bit of duplication of
78  * functions.
79  *
80  * The secpolicy functions must not make asssumptions about
81  * locks held or not held as any lock can be held while they're
82  * being called.
83  *
84  * Credentials are read-only so no special precautions need to
85  * be taken while locking them.
86  *
87  * When a new policy check needs to be added to the system the
88  * following procedure should be followed:
89  *
90  *		Pick an appropriate secpolicy_*() function
91  *			-> done if one exists.
92  *		Create a new secpolicy function, preferably with
93  *		a descriptive name using the standard template.
94  *		Pick an appropriate privilege for the policy.
95  *		If no appropraite privilege exists, define new one
96  *		(this should be done with extreme care; in most cases
97  *		little is gained by adding another privilege)
98  *
99  * WHY ROOT IS STILL SPECIAL.
100  *
101  * In a number of the policy functions, there are still explicit
102  * checks for uid 0.  The rationale behind these is that many root
103  * owned files/objects hold configuration information which can give full
104  * privileges to the user once written to.  To prevent escalation
105  * of privilege by allowing just a single privilege to modify root owned
106  * objects, we've added these root specific checks where we considered
107  * them necessary: modifying root owned files, changing uids to 0, etc.
108  *
109  * PRIVILEGE ESCALATION AND ZONES.
110  *
111  * A number of operations potentially allow the caller to achieve
112  * privileges beyond the ones normally required to perform the operation.
113  * For example, if allowed to create a setuid 0 executable, a process can
114  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
115  * restrictions on the ability to gain privileges beyond those available
116  * within the zone through file and process manipulation.  Hence, such
117  * operations require that the caller have an effective set that includes
118  * all privileges available within the current zone, or all privileges
119  * if executing in the global zone.
120  *
121  * This is indicated in the priv_policy* policy checking functions
122  * through a combination of parameters.  The "priv" parameter indicates
123  * the privilege that is required, and the "allzone" parameter indicates
124  * whether or not all privileges in the zone are required.  In addition,
125  * priv can be set to PRIV_ALL to indicate that all privileges are
126  * required (regardless of zone).  There are three scenarios of interest:
127  * (1) operation requires a specific privilege
128  * (2) operation requires a specific privilege, and requires all
129  *     privileges available within the zone (or all privileges if in
130  *     the global zone)
131  * (3) operation requires all privileges, regardless of zone
132  *
133  * For (1), priv should be set to the specific privilege, and allzone
134  * should be set to B_FALSE.
135  * For (2), priv should be set to the specific privilege, and allzone
136  * should be set to B_TRUE.
137  * For (3), priv should be set to PRIV_ALL, and allzone should be set
138  * to B_FALSE.
139  *
140  */
141 
142 /*
143  * The privileges are checked against the Effective set for
144  * ordinary processes and checked against the Limit set
145  * for euid 0 processes that haven't manipulated their privilege
146  * sets.
147  */
148 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
149 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
150 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
151 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
152 					HAS_ALLPRIVS(cr) : \
153 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
154 
155 /*
156  * Policy checking functions
157  *
158  * In future, these will migrate to several files when policy
159  * becomes more or less pluggable.
160  *
161  * For now, there's only one policy and this is it.
162  */
163 
164 /*
165  * Generic policy calls
166  *
167  * The "bottom" functions of policy control
168  */
169 
170 static char *
171 mprintf(const char *fmt, ...)
172 {
173 	va_list args;
174 	char *buf;
175 	size_t len;
176 
177 	va_start(args, fmt);
178 	len = vsnprintf(NULL, 0, fmt, args) + 1;
179 	va_end(args);
180 
181 	buf = kmem_alloc(len, KM_NOSLEEP);
182 
183 	if (buf == NULL)
184 		return (NULL);
185 
186 	va_start(args, fmt);
187 	(void) vsnprintf(buf, len, fmt, args);
188 	va_end(args);
189 
190 	return (buf);
191 }
192 
193 /*
194  * priv_policy_errmsg()
195  *
196  * Generate an error message if privilege debugging is enabled system wide
197  * or for this particular process.
198  */
199 
200 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
201 #define	FMTMSG	" for \"%s\""
202 #define	FMTFUN	" needed at %s+0x%lx"
203 
204 /* The maximum size privilege format: the concatenation of the above */
205 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
206 
207 static void
208 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
209 {
210 	struct proc *me;
211 	pc_t stack[MAXPRIVSTACK];
212 	int depth;
213 	int i;
214 	char *sym;
215 	ulong_t off;
216 	const char *pname;
217 
218 	char *cmd;
219 	char fmt[sizeof (FMTMAX)];
220 
221 	if ((me = curproc) == &p0)
222 		return;
223 
224 	/* Privileges must be defined  */
225 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
226 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
227 	    priv_getbynum(priv) != NULL);
228 
229 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
230 		priv = PRIV_ALL;
231 
232 	if (curthread->t_pre_sys)
233 		ttolwp(curthread)->lwp_badpriv = (short)priv;
234 
235 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
236 		return;
237 
238 	(void) strcpy(fmt, FMTHDR);
239 
240 	if (me->p_user.u_comm[0])
241 		cmd = &me->p_user.u_comm[0];
242 	else
243 		cmd = "priv_policy";
244 
245 	if (msg != NULL && *msg != '\0') {
246 		(void) strcat(fmt, FMTMSG);
247 	} else {
248 		(void) strcat(fmt, "%s");
249 		msg = "";
250 	}
251 
252 	sym = NULL;
253 
254 	depth = getpcstack(stack, MAXPRIVSTACK);
255 
256 	/*
257 	 * Try to find the first interesting function on the stack.
258 	 * priv_policy* that's us, so completely uninteresting.
259 	 * suser(), drv_priv(), secpolicy_* are also called from
260 	 * too many locations to convey useful information.
261 	 */
262 	for (i = 0; i < depth; i++) {
263 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
264 		if (sym != NULL &&
265 		    strstr(sym, "hasprocperm") == 0 &&
266 		    strcmp("suser", sym) != 0 &&
267 		    strcmp("ipcaccess", sym) != 0 &&
268 		    strcmp("drv_priv", sym) != 0 &&
269 		    strncmp("secpolicy_", sym, 10) != 0 &&
270 		    strncmp("priv_policy", sym, 11) != 0)
271 			break;
272 	}
273 
274 	if (sym != NULL)
275 		(void) strcat(fmt, FMTFUN);
276 
277 	(void) strcat(fmt, "\n");
278 
279 	switch (priv) {
280 	case PRIV_ALL:
281 		pname = "ALL";
282 		break;
283 	case PRIV_MULTIPLE:
284 		pname = "MULTIPLE";
285 		break;
286 	case PRIV_ALLZONE:
287 		pname = "ZONE";
288 		break;
289 	case PRIV_GLOBAL:
290 		pname = "GLOBAL";
291 		break;
292 	default:
293 		pname = priv_getbynum(priv);
294 		break;
295 	}
296 
297 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
298 		/* Remember last message, just like lwp_badpriv. */
299 		if (curthread->t_pdmsg != NULL) {
300 			kmem_free(curthread->t_pdmsg,
301 			    strlen(curthread->t_pdmsg) + 1);
302 		}
303 
304 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
305 			    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
306 
307 		curthread->t_post_sys = 1;
308 	} else {
309 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
310 		    curthread->t_sysnum, msg, sym, off);
311 	}
312 }
313 
314 /*
315  * Audit failure, log error message.
316  */
317 static void
318 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
319 {
320 
321 #ifdef C2_AUDIT
322 	if (audit_active)
323 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
324 #endif
325 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
326 
327 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
328 	    curthread->t_pre_sys) {
329 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
330 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
331 		} else {
332 			ASSERT(!HAS_PRIVILEGE(cr, priv));
333 			priv_policy_errmsg(cr, priv, msg);
334 		}
335 	}
336 }
337 
338 /*
339  * priv_policy()
340  * return 0 or error.
341  * See block comment above for a description of "priv" and "allzone" usage.
342  */
343 int
344 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
345     const char *msg)
346 {
347 	if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) {
348 		if ((allzone || priv == PRIV_ALL ||
349 		    !PRIV_ISASSERT(priv_basic, priv)) &&
350 		    !servicing_interrupt()) {
351 			u.u_acflag |= ASU;		/* Needed for SVVS */
352 #ifdef C2_AUDIT
353 			if (audit_active)
354 				audit_priv(priv,
355 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
356 #endif
357 		}
358 		err = 0;
359 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
360 	} else if (!servicing_interrupt()) {
361 		/* Failure audited in this procedure */
362 		priv_policy_err(cr, priv, allzone, msg);
363 	}
364 
365 	return (err);
366 }
367 
368 /*
369  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
370  */
371 boolean_t
372 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
373 {
374 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
375 	    (!allzone || HAS_ALLZONEPRIVS(cr));
376 
377 #ifdef C2_AUDIT
378 	/* Audit success only */
379 	if (res && audit_active &&
380 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
381 	    !servicing_interrupt()) {
382 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
383 	}
384 #endif
385 	if (res) {
386 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
387 	} else {
388 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
389 	}
390 	return (res);
391 }
392 
393 /*
394  * Non-auditing variant of priv_policy_choice().
395  */
396 boolean_t
397 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
398 {
399 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
400 	    (!allzone || HAS_ALLZONEPRIVS(cr));
401 
402 	if (res) {
403 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
404 	} else {
405 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
406 	}
407 	return (res);
408 }
409 
410 /*
411  * Check whether all privileges in the required set are present.
412  */
413 static int
414 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
415 {
416 	int priv;
417 	int pfound = -1;
418 	priv_set_t pset;
419 
420 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
421 							    &CR_OEPRIV(cr))) {
422 		return (0);
423 	}
424 
425 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
426 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
427 		return (EACCES);
428 	}
429 
430 	pset = CR_OEPRIV(cr);		/* present privileges */
431 	priv_inverse(&pset);		/* all non present privileges */
432 	priv_intersect(req, &pset);	/* the actual missing privs */
433 
434 #ifdef C2_AUDIT
435 	if (audit_active)
436 		audit_priv(PRIV_NONE, &pset, 0);
437 #endif
438 	/*
439 	 * Privilege debugging; special case "one privilege in set".
440 	 */
441 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
442 		for (priv = 0; priv < nprivs; priv++) {
443 			if (priv_ismember(&pset, priv)) {
444 				if (pfound != -1) {
445 					/* Multiple missing privs */
446 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
447 								    msg);
448 					return (EACCES);
449 				}
450 				pfound = priv;
451 			}
452 		}
453 		ASSERT(pfound != -1);
454 		/* Just the one missing privilege */
455 		priv_policy_errmsg(cr, pfound, msg);
456 	}
457 
458 	return (EACCES);
459 }
460 
461 /*
462  * Called when an operation requires that the caller be in the
463  * global zone, regardless of privilege.
464  */
465 static int
466 priv_policy_global(const cred_t *cr)
467 {
468 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
469 		return (0);	/* success */
470 
471 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
472 	    curthread->t_pre_sys) {
473 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
474 	}
475 	return (EPERM);
476 }
477 
478 /*
479  * Changing process priority
480  */
481 int
482 secpolicy_setpriority(const cred_t *cr)
483 {
484 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
485 }
486 
487 /*
488  * Binding to a privileged port, port must be specified in host byte
489  * order.
490  */
491 int
492 secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
493 {
494 	/*
495 	 * NFS ports, these are extra privileged ports, allow bind
496 	 * only if the SYS_NFS privilege is present.
497 	 */
498 	if (port == 2049 || port == 4045)
499 		return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES,
500 		    "NFS port"));
501 	else
502 		return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES,
503 		    NULL));
504 }
505 
506 /*
507  * Common routine which determines whether a given credential can
508  * act on a given mount.
509  * When called through mount, the parameter needoptcheck is a pointer
510  * to a boolean variable which will be set to either true or false,
511  * depending on whether the mount policy should change the mount options.
512  * In all other cases, needoptcheck should be a NULL pointer.
513  */
514 static int
515 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
516     boolean_t *needoptcheck)
517 {
518 	boolean_t allzone = B_FALSE;
519 	boolean_t mounting = needoptcheck != NULL;
520 
521 	/*
522 	 * Short circuit the following cases:
523 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
524 	 *	have all privileges - no further checks required
525 	 *	and no mount options need to be set.
526 	 */
527 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
528 		if (mounting)
529 			*needoptcheck = B_FALSE;
530 
531 		return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
532 	}
533 
534 	/*
535 	 * When operating on an existing mount (either we're not mounting
536 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
537 	 * can operate only on mounts established by the zone itself.
538 	 */
539 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
540 		zoneid_t zoneid = crgetzoneid(cr);
541 
542 		if (zoneid != GLOBAL_ZONEID &&
543 		    vfsp->vfs_zone->zone_id != zoneid) {
544 			return (EPERM);
545 		}
546 	}
547 
548 	if (mounting)
549 		*needoptcheck = B_TRUE;
550 
551 	/*
552 	 * Overlay mounts may hide important stuff; if you can't write to a
553 	 * mount point but would be able to mount on top of it, you can
554 	 * escalate your privileges.
555 	 * So we go about asking the same questions namefs does when it
556 	 * decides whether you can mount over a file or not but with the
557 	 * added restriction that you can only mount on top of a regular
558 	 * file or directory.
559 	 * If we have all the zone's privileges, we skip all other checks,
560 	 * or else we may actually get in trouble inside the automounter.
561 	 */
562 	if ((mvp->v_flag & VROOT) != 0 ||
563 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
564 	    HAS_ALLZONEPRIVS(cr)) {
565 		allzone = B_TRUE;
566 	} else {
567 		vattr_t va;
568 		int err;
569 
570 		va.va_mask = AT_UID|AT_MODE;
571 		err = VOP_GETATTR(mvp, &va, 0, cr);
572 		if (err != 0)
573 			return (err);
574 
575 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
576 			return (err);
577 
578 		if ((va.va_mode & VWRITE) == 0 &&
579 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
580 			return (EACCES);
581 		}
582 	}
583 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
584 }
585 
586 extern vnode_t *rootvp;
587 extern vfs_t *rootvfs;
588 
589 int
590 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
591 {
592 	boolean_t needoptchk;
593 	int error;
594 
595 	/*
596 	 * If it's a remount, get the underlying mount point,
597 	 * except for the root where we use the rootvp.
598 	 */
599 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
600 		if (vfsp == rootvfs)
601 			mvp = rootvp;
602 		else
603 			mvp = vfsp->vfs_vnodecovered;
604 	}
605 
606 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
607 
608 	if (error == 0 && needoptchk) {
609 		boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
610 
611 		/*
612 		 * Third check; if we don't have either "nosuid" or
613 		 * both "nosetuid" and "nodevices", then we add
614 		 * "nosuid"; this depends on how the current
615 		 * implementation works (it first checks nosuid).  In a
616 		 * zone, a user with all zone privileges can mount with
617 		 * "setuid" but never with "devices".
618 		 */
619 		if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
620 		    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
621 		    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
622 			if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
623 				vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
624 			else
625 				vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
626 		}
627 		/*
628 		 * If we're not the local super user, we set the "restrict"
629 		 * option to indicate to automountd that this mount should
630 		 * be handled with care.
631 		 */
632 		if (!amsuper)
633 			vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
634 
635 	}
636 	return (error);
637 }
638 
639 /*
640  * Does the policy computations for "ownership" of a mount;
641  * here ownership is defined as the ability to "mount"
642  * the filesystem originally.  The rootvfs doesn't cover any
643  * vnodes; we attribute its ownership to the rootvp.
644  */
645 static int
646 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
647 {
648 	vnode_t *mvp;
649 
650 	if (vfsp == NULL)
651 		mvp = NULL;
652 	else if (vfsp == rootvfs)
653 		mvp = rootvp;
654 	else
655 		mvp = vfsp->vfs_vnodecovered;
656 
657 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
658 }
659 
660 int
661 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
662 {
663 	return (secpolicy_fs_owner(cr, vfsp));
664 }
665 
666 /*
667  * Quotas are a resource, but if one has the ability to mount a filesystem, he
668  * should be able to modify quotas on it.
669  */
670 int
671 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
672 {
673 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
674 }
675 
676 /*
677  * Exceeding minfree: also a per-mount resource constraint.
678  */
679 int
680 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
681 {
682 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
683 }
684 
685 int
686 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
687 {
688 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
689 }
690 
691 /* ARGSUSED */
692 int
693 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
694 {
695 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
696 }
697 
698 /*
699  * Name:        secpolicy_vnode_access()
700  *
701  * Parameters:  Process credential
702  *		vnode
703  *		uid of owner of vnode
704  *		permission bits not granted to the caller when examining
705  *		file mode bits (i.e., when a process wants to open a
706  *		mode 444 file for VREAD|VWRITE, this function should be
707  *		called only with a VWRITE argument).
708  *
709  * Normal:      Verifies that cred has the appropriate privileges to
710  *              override the mode bits that were denied.
711  *
712  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
713  *                      not a directory.
714  *              file_dac_read - if VREAD bit was denied.
715  *              file_dac_search - if VEXEC bit was denied and vnode is
716  *                      a directory.
717  *              file_dac_write - if VWRITE bit was denied.
718  *
719  *		Root owned files are special cased to protect system
720  *		configuration files and such.
721  *
722  * Output:      EACCES - if privilege check fails.
723  */
724 
725 /* ARGSUSED */
726 int
727 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
728 {
729 	if ((mode & VREAD) &&
730 	    PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0)
731 		return (EACCES);
732 
733 	if (mode & VWRITE) {
734 		boolean_t allzone;
735 
736 		if (owner == 0 && cr->cr_uid != 0)
737 			allzone = B_TRUE;
738 		else
739 			allzone = B_FALSE;
740 		if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL)
741 		    != 0)
742 			return (EACCES);
743 	}
744 
745 	if (mode & VEXEC) {
746 		/*
747 		 * Directories use file_dac_search to override the execute bit.
748 		 */
749 		vtype_t vtype = vp->v_type;
750 
751 		if (vtype == VDIR)
752 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE,
753 			    EACCES, NULL));
754 		else
755 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE,
756 			    EACCES, NULL));
757 	}
758 	return (0);
759 }
760 
761 /*
762  * Name:	secpolicy_vnode_setid_modify()
763  *
764  * Normal:	verify that subject can set the file setid flags.
765  *
766  * Output:	EPERM - if not privileged.
767  */
768 
769 static int
770 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
771 {
772 	/* If changing to suid root, must have all zone privs */
773 	boolean_t allzone = B_TRUE;
774 
775 	if (owner != 0) {
776 		if (owner == cr->cr_uid)
777 			return (0);
778 		allzone = B_FALSE;
779 	}
780 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
781 }
782 
783 /*
784  * Are we allowed to retain the set-uid/set-gid bits when
785  * changing ownership or when writing to a file?
786  * "issuid" should be true when set-uid; only in that case
787  * root ownership is checked (setgid is assumed).
788  */
789 int
790 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
791 {
792 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
793 		return (EPERM);
794 
795 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
796 }
797 
798 /*
799  * Name:	secpolicy_vnode_setids_setgids()
800  *
801  * Normal:	verify that subject can set the file setgid flag.
802  *
803  * Output:	EPERM - if not privileged
804  */
805 
806 int
807 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
808 {
809 	if (!groupmember(gid, cred))
810 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
811 		    NULL));
812 	return (0);
813 }
814 
815 /*
816  * Create a file with a group different than any of the groups allowed:
817  * the group of the directory the file is created in, the effective
818  * group or any of the supplementary groups.
819  */
820 int
821 secpolicy_vnode_create_gid(const cred_t *cred)
822 {
823 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
824 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
825 		    NULL));
826 	else
827 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
828 		    NULL));
829 }
830 
831 /*
832  * Name:	secpolicy_vnode_utime_modify()
833  *
834  * Normal:	verify that subject can modify the utime on a file.
835  *
836  * Output:	EPERM - if access denied.
837  */
838 
839 static int
840 secpolicy_vnode_utime_modify(const cred_t *cred)
841 {
842 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
843 	    "modify file times"));
844 }
845 
846 
847 /*
848  * Name:	secpolicy_vnode_setdac()
849  *
850  * Normal:	verify that subject can modify the mode of a file.
851  *		allzone privilege needed when modifying root owned object.
852  *
853  * Output:	EPERM - if access denied.
854  */
855 
856 int
857 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
858 {
859 	if (owner == cred->cr_uid)
860 		return (0);
861 
862 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
863 }
864 /*
865  * Name:	secpolicy_vnode_stky_modify()
866  *
867  * Normal:	verify that subject can make a file a "sticky".
868  *
869  * Output:	EPERM - if access denied.
870  */
871 
872 int
873 secpolicy_vnode_stky_modify(const cred_t *cred)
874 {
875 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
876 	    "set file sticky"));
877 }
878 
879 /*
880  * Policy determines whether we can remove an entry from a directory,
881  * regardless of permission bits.
882  */
883 int
884 secpolicy_vnode_remove(const cred_t *cr)
885 {
886 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
887 	    "sticky directory"));
888 }
889 
890 int
891 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
892 {
893 	boolean_t allzone = (owner == 0);
894 
895 	if (owner == cr->cr_uid)
896 		return (0);
897 
898 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
899 }
900 
901 void
902 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
903 {
904 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
905 	    secpolicy_vnode_setid_retain(cr,
906 	    (vap->va_mode & S_ISUID) != 0 &&
907 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
908 		vap->va_mask |= AT_MODE;
909 		vap->va_mode &= ~(S_ISUID|S_ISGID);
910 	}
911 }
912 
913 /*
914  * This function checks the policy decisions surrounding the
915  * vop setattr call.
916  *
917  * It should be called after sufficient locks have been established
918  * on the underlying data structures.  No concurrent modifications
919  * should be allowed.
920  *
921  * The caller must pass in unlocked version of its vaccess function
922  * this is required because vop_access function should lock the
923  * node for reading.  A three argument function should be defined
924  * which accepts the following argument:
925  * 	A pointer to the internal "node" type (inode *)
926  *	vnode access bits (VREAD|VWRITE|VEXEC)
927  *	a pointer to the credential
928  *
929  * This function makes the following policy decisions:
930  *
931  *		- change permissions
932  *			- permission to change file mode if not owner
933  *			- permission to add sticky bit to non-directory
934  *			- permission to add set-gid bit
935  *
936  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
937  *
938  * If the vap argument does not include AT_MODE, the mode will be copied from
939  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
940  * this is done by marking vap->va_mask to include AT_MODE and va_mode
941  * is updated to the newly computed mode.
942  */
943 
944 int
945 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
946 	const struct vattr *ovap, int flags,
947 	int unlocked_access(void *, int, cred_t *),
948 	void *node)
949 {
950 	int mask = vap->va_mask;
951 	int error = 0;
952 
953 	if (mask & AT_SIZE) {
954 		if (vp->v_type == VDIR) {
955 			error = EISDIR;
956 			goto out;
957 		}
958 		error = unlocked_access(node, VWRITE, cr);
959 		if (error)
960 			goto out;
961 	}
962 	if (mask & AT_MODE) {
963 		/*
964 		 * If not the owner of the file then check privilege
965 		 * for two things: the privilege to set the mode at all
966 		 * and, if we're setting setuid, we also need permissions
967 		 * to add the set-uid bit, if we're not the owner.
968 		 * In the specific case of creating a set-uid root
969 		 * file, we need even more permissions.
970 		 */
971 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
972 			goto out;
973 
974 		if ((vap->va_mode & S_ISUID) != 0 &&
975 		    (error = secpolicy_vnode_setid_modify(cr,
976 							ovap->va_uid)) != 0) {
977 			goto out;
978 		}
979 
980 		/*
981 		 * Check privilege if attempting to set the
982 		 * sticky bit on a non-directory.
983 		 */
984 		if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
985 		    secpolicy_vnode_stky_modify(cr) != 0) {
986 			vap->va_mode &= ~S_ISVTX;
987 		}
988 
989 		/*
990 		 * Check for privilege if attempting to set the
991 		 * group-id bit.
992 		 */
993 		if ((vap->va_mode & S_ISGID) != 0 &&
994 		    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
995 			vap->va_mode &= ~S_ISGID;
996 		}
997 
998 	} else
999 		vap->va_mode = ovap->va_mode;
1000 
1001 	if (mask & (AT_UID|AT_GID)) {
1002 		boolean_t checkpriv = B_FALSE;
1003 		int priv;
1004 		boolean_t allzone = B_FALSE;
1005 
1006 		/*
1007 		 * Chowning files.
1008 		 *
1009 		 * If you are the file owner:
1010 		 *	chown to other uid		FILE_CHOWN_SELF
1011 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1012 		 *	chown to gid (member) 		<none>
1013 		 *
1014 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1015 		 * acceptable but the first one is reported when debugging.
1016 		 *
1017 		 * If you are not the file owner:
1018 		 *	chown from root			PRIV_FILE_CHOWN + zone
1019 		 *	chown from other to any		PRIV_FILE_CHOWN
1020 		 *
1021 		 */
1022 		if (cr->cr_uid != ovap->va_uid) {
1023 			checkpriv = B_TRUE;
1024 			allzone = (ovap->va_uid == 0);
1025 			priv = PRIV_FILE_CHOWN;
1026 		} else {
1027 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1028 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1029 			    !groupmember(vap->va_gid, cr))) {
1030 				checkpriv = B_TRUE;
1031 				priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ?
1032 				    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1033 			}
1034 		}
1035 		/*
1036 		 * If necessary, check privilege to see if update can be done.
1037 		 */
1038 		if (checkpriv &&
1039 		    (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL))
1040 		    != 0) {
1041 			goto out;
1042 		}
1043 
1044 		/*
1045 		 * If the file has either the set UID or set GID bits
1046 		 * set and the caller can set the bits, then leave them.
1047 		 */
1048 		secpolicy_setid_clear(vap, cr);
1049 	}
1050 	if (mask & (AT_ATIME|AT_MTIME)) {
1051 		/*
1052 		 * If not the file owner and not otherwise privileged,
1053 		 * always return an error when setting the
1054 		 * time other than the current (ATTR_UTIME flag set).
1055 		 * If setting the current time (ATTR_UTIME not set) then
1056 		 * unlocked_access will check permissions according to policy.
1057 		 */
1058 		if (cr->cr_uid != ovap->va_uid) {
1059 			if (flags & ATTR_UTIME)
1060 				error = secpolicy_vnode_utime_modify(cr);
1061 			else {
1062 				error = unlocked_access(node, VWRITE, cr);
1063 				if (error == EACCES &&
1064 				    secpolicy_vnode_utime_modify(cr) == 0)
1065 					error = 0;
1066 			}
1067 			if (error)
1068 				goto out;
1069 		}
1070 	}
1071 out:
1072 	return (error);
1073 }
1074 
1075 /*
1076  * Name:	secpolicy_pcfs_modify_bootpartition()
1077  *
1078  * Normal:	verify that subject can modify a pcfs boot partition.
1079  *
1080  * Output:	EACCES - if privilege check failed.
1081  */
1082 /*ARGSUSED*/
1083 int
1084 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1085 {
1086 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1087 	    "modify pcfs boot partition"));
1088 }
1089 
1090 /*
1091  * System V IPC routines
1092  */
1093 int
1094 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1095 {
1096 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1097 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1098 		boolean_t allzone = B_FALSE;
1099 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1100 			allzone = B_TRUE;
1101 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1102 	}
1103 	return (0);
1104 }
1105 
1106 int
1107 secpolicy_ipc_config(const cred_t *cr)
1108 {
1109 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1110 }
1111 
1112 int
1113 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1114 {
1115 
1116 	boolean_t allzone = B_FALSE;
1117 
1118 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1119 
1120 	if ((mode & MSG_R) &&
1121 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1122 		return (EACCES);
1123 
1124 	if (mode & MSG_W) {
1125 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1126 			allzone = B_TRUE;
1127 
1128 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1129 		    NULL));
1130 	}
1131 	return (0);
1132 }
1133 
1134 int
1135 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1136 {
1137 	boolean_t allzone = B_FALSE;
1138 
1139 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1140 
1141 	if ((mode & MSG_R) &&
1142 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1143 		return (EACCES);
1144 
1145 	if (mode & MSG_W) {
1146 		if (cr->cr_uid != 0 && owner == 0)
1147 			allzone = B_TRUE;
1148 
1149 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1150 		    NULL));
1151 	}
1152 	return (0);
1153 }
1154 
1155 /*
1156  * Audit configuration.
1157  */
1158 int
1159 secpolicy_audit_config(const cred_t *cr)
1160 {
1161 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1162 }
1163 
1164 /*
1165  * Audit record generation.
1166  */
1167 int
1168 secpolicy_audit_modify(const cred_t *cr)
1169 {
1170 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1171 }
1172 
1173 /*
1174  * Get audit attributes.
1175  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1176  * "Least" of the two privileges on error.
1177  */
1178 int
1179 secpolicy_audit_getattr(const cred_t *cr)
1180 {
1181 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1182 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1183 		    NULL));
1184 	} else {
1185 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1186 	}
1187 }
1188 
1189 
1190 /*
1191  * Locking physical memory
1192  */
1193 int
1194 secpolicy_lock_memory(const cred_t *cr)
1195 {
1196 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1197 }
1198 
1199 /*
1200  * Accounting (both acct(2) and exacct).
1201  */
1202 int
1203 secpolicy_acct(const cred_t *cr)
1204 {
1205 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1206 }
1207 
1208 /*
1209  * Is this process privileged to change its uids at will?
1210  * Uid 0 is still considered "special" and having the SETID
1211  * privilege is not sufficient to get uid 0.
1212  * Files are owned by root, so the privilege would give
1213  * full access and euid 0 is still effective.
1214  *
1215  * If you have the privilege and euid 0 only then do you
1216  * get the powers of root wrt uid 0.
1217  *
1218  * For gid manipulations, this is should be called with an
1219  * uid of -1.
1220  *
1221  */
1222 int
1223 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1224 {
1225 	boolean_t allzone = B_FALSE;
1226 
1227 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1228 	    cr->cr_ruid != 0) {
1229 		allzone = B_TRUE;
1230 	}
1231 
1232 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1233 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1234 }
1235 
1236 
1237 /*
1238  * Acting on a different process: if the mode is for writing,
1239  * the restrictions are more severe.  This is called after
1240  * we've verified that the uids do not match.
1241  */
1242 int
1243 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1244 {
1245 	boolean_t allzone = B_FALSE;
1246 
1247 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1248 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1249 		allzone = B_TRUE;
1250 
1251 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1252 }
1253 
1254 int
1255 secpolicy_proc_access(const cred_t *scr)
1256 {
1257 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1258 }
1259 
1260 int
1261 secpolicy_proc_excl_open(const cred_t *scr)
1262 {
1263 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1264 }
1265 
1266 int
1267 secpolicy_proc_zone(const cred_t *scr)
1268 {
1269 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1270 }
1271 
1272 /*
1273  * Destroying the system
1274  */
1275 
1276 int
1277 secpolicy_kmdb(const cred_t *scr)
1278 {
1279 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1280 }
1281 
1282 int
1283 secpolicy_error_inject(const cred_t *scr)
1284 {
1285 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1286 }
1287 
1288 /*
1289  * Processor sets, cpu configuration, resource pools.
1290  */
1291 int
1292 secpolicy_pset(const cred_t *cr)
1293 {
1294 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1295 }
1296 
1297 int
1298 secpolicy_ponline(const cred_t *cr)
1299 {
1300 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1301 }
1302 
1303 int
1304 secpolicy_pool(const cred_t *cr)
1305 {
1306 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1307 }
1308 
1309 int
1310 secpolicy_blacklist(const cred_t *cr)
1311 {
1312 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1313 }
1314 
1315 /*
1316  * Catch all system configuration.
1317  */
1318 int
1319 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1320 {
1321 	if (checkonly) {
1322 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1323 		    EPERM);
1324 	} else {
1325 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1326 	}
1327 }
1328 
1329 /*
1330  * Zone administration (halt, reboot, etc.) from within zone.
1331  */
1332 int
1333 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1334 {
1335 	if (checkonly) {
1336 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1337 		    EPERM);
1338 	} else {
1339 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1340 		    NULL));
1341 	}
1342 }
1343 
1344 /*
1345  * Zone configuration (create, halt, enter).
1346  */
1347 int
1348 secpolicy_zone_config(const cred_t *cr)
1349 {
1350 	/*
1351 	 * Require all privileges to avoid possibility of privilege
1352 	 * escalation.
1353 	 */
1354 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1355 }
1356 
1357 /*
1358  * Various other system configuration calls
1359  */
1360 int
1361 secpolicy_coreadm(const cred_t *cr)
1362 {
1363 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1364 }
1365 
1366 int
1367 secpolicy_systeminfo(const cred_t *cr)
1368 {
1369 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1370 }
1371 
1372 int
1373 secpolicy_dispadm(const cred_t *cr)
1374 {
1375 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1376 }
1377 
1378 int
1379 secpolicy_settime(const cred_t *cr)
1380 {
1381 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1382 }
1383 
1384 /*
1385  * For realtime users: high resolution clock.
1386  */
1387 int
1388 secpolicy_clock_highres(const cred_t *cr)
1389 {
1390 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1391 	    NULL));
1392 }
1393 
1394 /*
1395  * drv_priv() is documented as callable from interrupt context, not that
1396  * anyone ever does, but still.  No debugging or auditing can be done when
1397  * it is called from interrupt context.
1398  * returns 0 on succes, EPERM on failure.
1399  */
1400 int
1401 drv_priv(cred_t *cr)
1402 {
1403 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1404 }
1405 
1406 int
1407 secpolicy_sys_devices(const cred_t *cr)
1408 {
1409 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1410 }
1411 
1412 int
1413 secpolicy_excl_open(const cred_t *cr)
1414 {
1415 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1416 }
1417 
1418 int
1419 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1420 {
1421 	/* zone.* rctls can only be set from the global zone */
1422 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1423 		return (EPERM);
1424 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1425 }
1426 
1427 int
1428 secpolicy_resource(const cred_t *cr)
1429 {
1430 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1431 }
1432 
1433 /*
1434  * Processes with a real uid of 0 escape any form of accounting, much
1435  * like before.
1436  */
1437 int
1438 secpolicy_newproc(const cred_t *cr)
1439 {
1440 	if (cr->cr_ruid == 0)
1441 		return (0);
1442 
1443 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1444 }
1445 
1446 /*
1447  * Networking
1448  */
1449 int
1450 secpolicy_net_rawaccess(const cred_t *cr)
1451 {
1452 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1453 }
1454 
1455 /*
1456  * Need this privilege for accessing the ICMP device
1457  */
1458 int
1459 secpolicy_net_icmpaccess(const cred_t *cr)
1460 {
1461 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1462 }
1463 
1464 /*
1465  * There are a few rare cases where the kernel generates ioctls() from
1466  * interrupt context with a credential of kcred rather than NULL.
1467  * In those cases, we take the safe and cheap test.
1468  */
1469 int
1470 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1471 {
1472 	if (checkonly) {
1473 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1474 		    0 : EPERM);
1475 	} else {
1476 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1477 		    NULL));
1478 	}
1479 }
1480 
1481 
1482 /*
1483  * Map network pseudo privileges to actual privileges.
1484  * So we don't need to recompile IP when we change the privileges.
1485  */
1486 int
1487 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1488 {
1489 	int priv = PRIV_ALL;
1490 
1491 	switch (netpriv) {
1492 	case OP_CONFIG:
1493 		priv = PRIV_SYS_NET_CONFIG;
1494 		break;
1495 	case OP_RAW:
1496 		priv = PRIV_NET_RAWACCESS;
1497 		break;
1498 	case OP_PRIVPORT:
1499 		priv = PRIV_NET_PRIVADDR;
1500 		break;
1501 	}
1502 	ASSERT(priv != PRIV_ALL);
1503 	if (checkonly)
1504 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1505 	else
1506 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1507 }
1508 
1509 /*
1510  * Checks for operations that are either client-only or are used by
1511  * both clients and servers.
1512  */
1513 int
1514 secpolicy_nfs(const cred_t *cr)
1515 {
1516 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1517 }
1518 
1519 /*
1520  * Special case for opening rpcmod: have NFS privileges or network
1521  * config privileges.
1522  */
1523 int
1524 secpolicy_rpcmod_open(const cred_t *cr)
1525 {
1526 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1527 		return (secpolicy_nfs(cr));
1528 	else
1529 		return (secpolicy_net_config(cr, NULL));
1530 }
1531 
1532 int
1533 secpolicy_chroot(const cred_t *cr)
1534 {
1535 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1536 }
1537 
1538 int
1539 secpolicy_tasksys(const cred_t *cr)
1540 {
1541 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1542 }
1543 
1544 /*
1545  * Basic privilege checks.
1546  */
1547 int
1548 secpolicy_basic_exec(const cred_t *cr)
1549 {
1550 	return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL));
1551 }
1552 
1553 int
1554 secpolicy_basic_fork(const cred_t *cr)
1555 {
1556 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1557 }
1558 
1559 int
1560 secpolicy_basic_proc(const cred_t *cr)
1561 {
1562 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1563 }
1564 
1565 /*
1566  * Slightly complicated because we don't want to trigger the policy too
1567  * often.  First we shortcircuit access to "self" (tp == sp) or if
1568  * we don't have the privilege but if we have permission
1569  * just return (0) and we don't flag the privilege as needed.
1570  * Else, we test for the privilege because we either have it or need it.
1571  */
1572 int
1573 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1574 {
1575 	if (tp == sp ||
1576 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1577 		return (0);
1578 	} else {
1579 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1580 	}
1581 }
1582 
1583 int
1584 secpolicy_basic_link(const cred_t *cr)
1585 {
1586 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1587 }
1588 
1589 /*
1590  * Additional device protection.
1591  *
1592  * Traditionally, a device has specific permissions on the node in
1593  * the filesystem which govern which devices can be opened by what
1594  * processes.  In certain cases, it is desirable to add extra
1595  * restrictions, as writing to certain devices is identical to
1596  * having a complete run of the system.
1597  *
1598  * This mechanism is called the device policy.
1599  *
1600  * When a device is opened, its policy entry is looked up in the
1601  * policy cache and checked.
1602  */
1603 int
1604 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1605 {
1606 	devplcy_t *plcy;
1607 	int err;
1608 	struct snode *csp = VTOS(common_specvp(vp));
1609 
1610 	mutex_enter(&csp->s_lock);
1611 
1612 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1613 		plcy = devpolicy_find(vp);
1614 		if (csp->s_plcy)
1615 			dpfree(csp->s_plcy);
1616 		csp->s_plcy = plcy;
1617 		ASSERT(plcy != NULL);
1618 	} else
1619 		plcy = csp->s_plcy;
1620 
1621 	if (plcy == nullpolicy) {
1622 		mutex_exit(&csp->s_lock);
1623 		return (0);
1624 	}
1625 
1626 	dphold(plcy);
1627 
1628 	mutex_exit(&csp->s_lock);
1629 
1630 	err = secpolicy_require_set(cr,
1631 	    (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy");
1632 	dpfree(plcy);
1633 
1634 	return (err);
1635 }
1636 
1637 int
1638 secpolicy_modctl(const cred_t *cr, int cmd)
1639 {
1640 	switch (cmd) {
1641 	case MODINFO:
1642 	case MODGETPATH:
1643 	case MODGETPATHLEN:
1644 	case MODGETFBNAME:
1645 	case MODGETNAME:
1646 	case MODGETDEVPOLICY:
1647 	case MODGETDEVPOLICYBYNAME:
1648 	case MODGETMAJBIND:
1649 		/* Unprivileged */
1650 		return (0);
1651 	case MODLOAD:
1652 	case MODSETDEVPOLICY:
1653 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1654 	default:
1655 		return (secpolicy_sys_config(cr, B_FALSE));
1656 	}
1657 }
1658 
1659 int
1660 secpolicy_console(const cred_t *cr)
1661 {
1662 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1663 }
1664 
1665 int
1666 secpolicy_power_mgmt(const cred_t *cr)
1667 {
1668 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1669 }
1670 
1671 /*
1672  * Simulate terminal input; another escalation of privileges avenue.
1673  */
1674 
1675 int
1676 secpolicy_sti(const cred_t *cr)
1677 {
1678 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1679 }
1680 
1681 int
1682 secpolicy_swapctl(const cred_t *cr)
1683 {
1684 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1685 }
1686 
1687 int
1688 secpolicy_cpc_cpu(const cred_t *cr)
1689 {
1690 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
1691 }
1692 
1693 /*
1694  * secpolicy_contract_observer
1695  *
1696  * Determine if the subject may observe a specific contract's events.
1697  */
1698 int
1699 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
1700 {
1701 	if (contract_owned(ct, cr, B_FALSE))
1702 		return (0);
1703 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
1704 }
1705 
1706 /*
1707  * secpolicy_contract_observer_choice
1708  *
1709  * Determine if the subject may observe any contract's events.  Just
1710  * tests privilege and audits on success.
1711  */
1712 boolean_t
1713 secpolicy_contract_observer_choice(const cred_t *cr)
1714 {
1715 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
1716 }
1717 
1718 /*
1719  * secpolicy_contract_event
1720  *
1721  * Determine if the subject may request critical contract events or
1722  * reliable contract event delivery.
1723  */
1724 int
1725 secpolicy_contract_event(const cred_t *cr)
1726 {
1727 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
1728 }
1729 
1730 /*
1731  * secpolicy_contract_event_choice
1732  *
1733  * Determine if the subject may retain contract events in its critical
1734  * set when a change in other terms would normally require a change in
1735  * the critical set.  Just tests privilege and audits on success.
1736  */
1737 boolean_t
1738 secpolicy_contract_event_choice(const cred_t *cr)
1739 {
1740 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
1741 }
1742 
1743 /*
1744  * Name:   secpolicy_gart_access
1745  *
1746  * Normal: Verify if the subject has sufficient priveleges to make ioctls
1747  *	   to agpgart device
1748  *
1749  * Output: EPERM - if not privileged
1750  *
1751  */
1752 int
1753 secpolicy_gart_access(const cred_t *cr)
1754 {
1755 	return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL));
1756 }
1757 
1758 /*
1759  * Name:   secpolicy_gart_map
1760  *
1761  * Normal: Verify if the subject has sufficient privelegs to map aperture
1762  *	   range through agpgart driver
1763  *
1764  * Output: EPERM - if not privileged
1765  *
1766  */
1767 int
1768 secpolicy_gart_map(const cred_t *cr)
1769 {
1770 	if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) {
1771 		return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL));
1772 	}
1773 	return (0);
1774 }
1775 
1776 /*
1777  * secpolicy_zfs
1778  *
1779  * Determine if the user has permission to manipulate ZFS datasets (not pools).
1780  * Equivalent to the SYS_MOUNT privilege.
1781  */
1782 int
1783 secpolicy_zfs(const cred_t *cr)
1784 {
1785 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
1786 }
1787