1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2016 Joyent, Inc. 24 * Copyright (c) 2016 by Delphix. All rights reserved. 25 * Copyright 2022 Oxide Computer Company 26 */ 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/vnode.h> 34 #include <sys/vfs.h> 35 #include <sys/stat.h> 36 #include <sys/errno.h> 37 #include <sys/kmem.h> 38 #include <sys/user.h> 39 #include <sys/proc.h> 40 #include <sys/acct.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/cmn_err.h> 43 #include <sys/debug.h> 44 #include <sys/policy.h> 45 #include <sys/kobj.h> 46 #include <sys/msg.h> 47 #include <sys/devpolicy.h> 48 #include <c2/audit.h> 49 #include <sys/varargs.h> 50 #include <sys/klpd.h> 51 #include <sys/modctl.h> 52 #include <sys/disp.h> 53 #include <sys/zone.h> 54 #include <inet/optcom.h> 55 #include <sys/sdt.h> 56 #include <sys/vfs.h> 57 #include <sys/mntent.h> 58 #include <sys/contract_impl.h> 59 #include <sys/dld_ioc.h> 60 61 /* 62 * There are two possible layers of privilege routines and two possible 63 * levels of secpolicy. Plus one other we may not be interested in, so 64 * we may need as many as 6 but no more. 65 */ 66 #define MAXPRIVSTACK 6 67 68 int priv_debug = 0; 69 int priv_basic_test = -1; 70 71 /* 72 * Unlinking or creating new hard links to directories was historically allowed 73 * in some file systems; e.g., UFS allows root users to do it, at the cost of 74 * almost certain file system corruption that will require fsck to fix. 75 * 76 * Most modern operating systems and file systems (e.g., ZFS) do not allow this 77 * behaviour anymore, and we have elected to stamp it out entirely for 78 * compatibility and safety reasons. An attempt to unlink a directory will 79 * fail with EPERM, as described in the standard. During this transition, one 80 * can turn the behaviour back on, at their own risk, with this tuneable: 81 */ 82 int priv_allow_linkdir = 0; 83 84 /* 85 * This file contains the majority of the policy routines. 86 * Since the policy routines are defined by function and not 87 * by privilege, there is quite a bit of duplication of 88 * functions. 89 * 90 * The secpolicy functions must not make assumptions about 91 * locks held or not held as any lock can be held while they're 92 * being called. 93 * 94 * Credentials are read-only so no special precautions need to 95 * be taken while locking them. 96 * 97 * When a new policy check needs to be added to the system the 98 * following procedure should be followed: 99 * 100 * Pick an appropriate secpolicy_*() function 101 * -> done if one exists. 102 * Create a new secpolicy function, preferably with 103 * a descriptive name using the standard template. 104 * Pick an appropriate privilege for the policy. 105 * If no appropraite privilege exists, define new one 106 * (this should be done with extreme care; in most cases 107 * little is gained by adding another privilege) 108 * 109 * WHY ROOT IS STILL SPECIAL. 110 * 111 * In a number of the policy functions, there are still explicit 112 * checks for uid 0. The rationale behind these is that many root 113 * owned files/objects hold configuration information which can give full 114 * privileges to the user once written to. To prevent escalation 115 * of privilege by allowing just a single privilege to modify root owned 116 * objects, we've added these root specific checks where we considered 117 * them necessary: modifying root owned files, changing uids to 0, etc. 118 * 119 * PRIVILEGE ESCALATION AND ZONES. 120 * 121 * A number of operations potentially allow the caller to achieve 122 * privileges beyond the ones normally required to perform the operation. 123 * For example, if allowed to create a setuid 0 executable, a process can 124 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 125 * restrictions on the ability to gain privileges beyond those available 126 * within the zone through file and process manipulation. Hence, such 127 * operations require that the caller have an effective set that includes 128 * all privileges available within the current zone, or all privileges 129 * if executing in the global zone. 130 * 131 * This is indicated in the priv_policy* policy checking functions 132 * through a combination of parameters. The "priv" parameter indicates 133 * the privilege that is required, and the "allzone" parameter indicates 134 * whether or not all privileges in the zone are required. In addition, 135 * priv can be set to PRIV_ALL to indicate that all privileges are 136 * required (regardless of zone). There are three scenarios of interest: 137 * (1) operation requires a specific privilege 138 * (2) operation requires a specific privilege, and requires all 139 * privileges available within the zone (or all privileges if in 140 * the global zone) 141 * (3) operation requires all privileges, regardless of zone 142 * 143 * For (1), priv should be set to the specific privilege, and allzone 144 * should be set to B_FALSE. 145 * For (2), priv should be set to the specific privilege, and allzone 146 * should be set to B_TRUE. 147 * For (3), priv should be set to PRIV_ALL, and allzone should be set 148 * to B_FALSE. 149 * 150 */ 151 152 /* 153 * The privileges are checked against the Effective set for 154 * ordinary processes and checked against the Limit set 155 * for euid 0 processes that haven't manipulated their privilege 156 * sets. 157 */ 158 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 159 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 160 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 161 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 162 HAS_ALLPRIVS(cr) : \ 163 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 164 165 #define FAST_BASIC_CHECK(cr, priv) \ 166 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \ 167 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \ 168 return (0); \ 169 } 170 171 /* 172 * Policy checking functions. 173 * 174 * All of the system's policy should be implemented here. 175 */ 176 177 /* 178 * Private functions which take an additional va_list argument to 179 * implement an object specific policy override. 180 */ 181 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 182 const char *, va_list); 183 static int priv_policy_va(const cred_t *, int, boolean_t, int, 184 const char *, ...); 185 186 /* 187 * Generic policy calls 188 * 189 * The "bottom" functions of policy control 190 */ 191 static char * 192 mprintf(const char *fmt, ...) 193 { 194 va_list args; 195 char *buf; 196 size_t len; 197 198 va_start(args, fmt); 199 len = vsnprintf(NULL, 0, fmt, args) + 1; 200 va_end(args); 201 202 buf = kmem_alloc(len, KM_NOSLEEP); 203 204 if (buf == NULL) 205 return (NULL); 206 207 va_start(args, fmt); 208 (void) vsnprintf(buf, len, fmt, args); 209 va_end(args); 210 211 return (buf); 212 } 213 214 /* 215 * priv_policy_errmsg() 216 * 217 * Generate an error message if privilege debugging is enabled system wide 218 * or for this particular process. 219 */ 220 221 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 222 #define FMTMSG " for \"%s\"" 223 #define FMTFUN " needed at %s+0x%lx" 224 225 /* The maximum size privilege format: the concatenation of the above */ 226 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 227 228 static void 229 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 230 { 231 struct proc *me; 232 pc_t stack[MAXPRIVSTACK]; 233 int depth; 234 int i; 235 char *sym; 236 ulong_t off; 237 const char *pname; 238 239 char *cmd; 240 char fmt[sizeof (FMTMAX)]; 241 242 if ((me = curproc) == &p0) 243 return; 244 245 /* Privileges must be defined */ 246 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 247 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 248 priv_getbynum(priv) != NULL); 249 250 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 251 priv = PRIV_ALL; 252 253 if (curthread->t_pre_sys) 254 ttolwp(curthread)->lwp_badpriv = (short)priv; 255 256 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 257 return; 258 259 (void) strcpy(fmt, FMTHDR); 260 261 if (me->p_user.u_comm[0]) 262 cmd = &me->p_user.u_comm[0]; 263 else 264 cmd = "priv_policy"; 265 266 if (msg != NULL && *msg != '\0') { 267 (void) strcat(fmt, FMTMSG); 268 } else { 269 (void) strcat(fmt, "%s"); 270 msg = ""; 271 } 272 273 sym = NULL; 274 275 depth = getpcstack(stack, MAXPRIVSTACK); 276 277 /* 278 * Try to find the first interesting function on the stack. 279 * priv_policy* that's us, so completely uninteresting. 280 * suser(), drv_priv(), secpolicy_* are also called from 281 * too many locations to convey useful information. 282 */ 283 for (i = 0; i < depth; i++) { 284 sym = kobj_getsymname((uintptr_t)stack[i], &off); 285 if (sym != NULL && 286 strstr(sym, "hasprocperm") == 0 && 287 strcmp("suser", sym) != 0 && 288 strcmp("ipcaccess", sym) != 0 && 289 strcmp("drv_priv", sym) != 0 && 290 strncmp("secpolicy_", sym, 10) != 0 && 291 strncmp("priv_policy", sym, 11) != 0) 292 break; 293 } 294 295 if (sym != NULL) 296 (void) strcat(fmt, FMTFUN); 297 298 (void) strcat(fmt, "\n"); 299 300 switch (priv) { 301 case PRIV_ALL: 302 pname = "ALL"; 303 break; 304 case PRIV_MULTIPLE: 305 pname = "MULTIPLE"; 306 break; 307 case PRIV_ALLZONE: 308 pname = "ZONE"; 309 break; 310 case PRIV_GLOBAL: 311 pname = "GLOBAL"; 312 break; 313 default: 314 pname = priv_getbynum(priv); 315 break; 316 } 317 318 if (CR_FLAGS(cr) & PRIV_DEBUG) { 319 /* Remember last message, just like lwp_badpriv. */ 320 if (curthread->t_pdmsg != NULL) { 321 kmem_free(curthread->t_pdmsg, 322 strlen(curthread->t_pdmsg) + 1); 323 } 324 325 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 326 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 327 328 curthread->t_post_sys = 1; 329 } 330 if (priv_debug) { 331 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 332 curthread->t_sysnum, msg, sym, off); 333 } 334 } 335 336 /* 337 * Override the policy, if appropriate. Return 0 if the external 338 * policy engine approves. 339 */ 340 static int 341 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 342 { 343 priv_set_t set; 344 int ret; 345 346 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 347 return (-1); 348 349 if (priv == PRIV_ALL) { 350 priv_fillset(&set); 351 } else if (allzone) { 352 set = *ZONEPRIVS(cr); 353 } else { 354 priv_emptyset(&set); 355 priv_addset(&set, priv); 356 } 357 ret = klpd_call(cr, &set, ap); 358 return (ret); 359 } 360 361 static int 362 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) 363 { 364 if (CR_FLAGS(cr) & PRIV_PFEXEC) 365 return (check_user_privs(cr, req)); 366 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 367 return (klpd_call(cr, req, ap)); 368 } 369 return (-1); 370 } 371 372 static int 373 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) 374 { 375 va_list ap; 376 int ret; 377 378 va_start(ap, req); 379 ret = priv_policy_override_set(cr, req, ap); 380 va_end(ap); 381 return (ret); 382 } 383 384 /* 385 * Audit failure, log error message. 386 */ 387 static void 388 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 389 { 390 391 if (AU_AUDITING()) 392 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 393 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 394 395 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 396 curthread->t_pre_sys) { 397 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 398 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 399 } else { 400 ASSERT(!HAS_PRIVILEGE(cr, priv)); 401 priv_policy_errmsg(cr, priv, msg); 402 } 403 } 404 } 405 406 /* 407 * priv_policy_ap() 408 * return 0 or error. 409 * See block comment above for a description of "priv" and "allzone" usage. 410 */ 411 static int 412 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 413 const char *msg, va_list ap) 414 { 415 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 416 (!servicing_interrupt() && 417 priv_policy_override(cr, priv, allzone, ap) == 0)) { 418 if ((allzone || priv == PRIV_ALL || 419 !PRIV_ISASSERT(priv_basic, priv)) && 420 !servicing_interrupt()) { 421 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 422 if (AU_AUDITING()) 423 audit_priv(priv, 424 allzone ? ZONEPRIVS(cr) : NULL, 1); 425 } 426 err = 0; 427 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 428 } else if (!servicing_interrupt()) { 429 /* Failure audited in this procedure */ 430 priv_policy_err(cr, priv, allzone, msg); 431 } 432 return (err); 433 } 434 435 int 436 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 437 const char *msg, ...) 438 { 439 int ret; 440 va_list ap; 441 442 va_start(ap, msg); 443 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 444 va_end(ap); 445 446 return (ret); 447 } 448 449 int 450 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 451 const char *msg) 452 { 453 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); 454 } 455 456 /* 457 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 458 */ 459 boolean_t 460 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 461 { 462 boolean_t res = HAS_PRIVILEGE(cr, priv) && 463 (!allzone || HAS_ALLZONEPRIVS(cr)); 464 465 /* Audit success only */ 466 if (res && AU_AUDITING() && 467 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 468 !servicing_interrupt()) { 469 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 470 } 471 if (res) { 472 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 473 } else { 474 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 475 } 476 return (res); 477 } 478 479 /* 480 * Non-auditing variant of priv_policy_choice(). 481 */ 482 boolean_t 483 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 484 { 485 boolean_t res = HAS_PRIVILEGE(cr, priv) && 486 (!allzone || HAS_ALLZONEPRIVS(cr)); 487 488 if (res) { 489 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 490 } else { 491 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 492 } 493 return (res); 494 } 495 496 /* 497 * Check whether all privileges in the required set are present. 498 */ 499 static int 500 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, 501 const char *msg, ...) 502 { 503 int priv; 504 int pfound = -1; 505 priv_set_t pset; 506 va_list ap; 507 int ret; 508 509 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 510 &CR_OEPRIV(cr))) { 511 return (0); 512 } 513 514 va_start(ap, msg); 515 ret = priv_policy_override_set(cr, req, ap); 516 va_end(ap); 517 if (ret == 0) 518 return (0); 519 520 if (req == PRIV_FULLSET || priv_isfullset(req)) { 521 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 522 return (EACCES); 523 } 524 525 pset = CR_OEPRIV(cr); /* present privileges */ 526 priv_inverse(&pset); /* all non present privileges */ 527 priv_intersect(req, &pset); /* the actual missing privs */ 528 529 if (AU_AUDITING()) 530 audit_priv(PRIV_NONE, &pset, 0); 531 /* 532 * Privilege debugging; special case "one privilege in set". 533 */ 534 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 535 for (priv = 0; priv < nprivs; priv++) { 536 if (priv_ismember(&pset, priv)) { 537 if (pfound != -1) { 538 /* Multiple missing privs */ 539 priv_policy_errmsg(cr, PRIV_MULTIPLE, 540 msg); 541 return (EACCES); 542 } 543 pfound = priv; 544 } 545 } 546 ASSERT(pfound != -1); 547 /* Just the one missing privilege */ 548 priv_policy_errmsg(cr, pfound, msg); 549 } 550 551 return (EACCES); 552 } 553 554 /* 555 * Called when an operation requires that the caller be in the 556 * global zone, regardless of privilege. 557 */ 558 static int 559 priv_policy_global(const cred_t *cr) 560 { 561 if (crgetzoneid(cr) == GLOBAL_ZONEID) 562 return (0); /* success */ 563 564 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 565 curthread->t_pre_sys) { 566 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 567 } 568 return (EPERM); 569 } 570 571 /* 572 * Raising process priority 573 */ 574 int 575 secpolicy_raisepriority(const cred_t *cr) 576 { 577 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) 578 return (0); 579 return (secpolicy_setpriority(cr)); 580 } 581 582 /* 583 * Changing process priority or scheduling class 584 */ 585 int 586 secpolicy_setpriority(const cred_t *cr) 587 { 588 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 589 } 590 591 /* 592 * Binding to a privileged port, port must be specified in host byte 593 * order. 594 * When adding a new privilege which allows binding to currently privileged 595 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind 596 * to these ports because of backward compatibility. 597 */ 598 int 599 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 600 { 601 char *reason; 602 int priv; 603 604 switch (port) { 605 case 137: 606 case 138: 607 case 139: 608 case 445: 609 /* 610 * NBT and SMB ports, these are normal privileged ports, 611 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege 612 * is present. 613 * Try both, if neither is present return an error for 614 * priv SYS_SMB. 615 */ 616 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) 617 priv = PRIV_NET_PRIVADDR; 618 else 619 priv = PRIV_SYS_SMB; 620 reason = "NBT or SMB port"; 621 break; 622 623 case 2049: 624 case 4045: 625 /* 626 * NFS ports, these are extra privileged ports, allow bind 627 * only if the SYS_NFS privilege is present. 628 */ 629 priv = PRIV_SYS_NFS; 630 reason = "NFS port"; 631 break; 632 633 default: 634 priv = PRIV_NET_PRIVADDR; 635 reason = NULL; 636 break; 637 638 } 639 640 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 641 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 642 } 643 644 /* 645 * Binding to a multilevel port on a trusted (labeled) system. 646 */ 647 int 648 secpolicy_net_bindmlp(const cred_t *cr) 649 { 650 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 651 } 652 653 /* 654 * Allow a communication between a zone and an unlabeled host when their 655 * labels don't match. 656 */ 657 int 658 secpolicy_net_mac_aware(const cred_t *cr) 659 { 660 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 661 } 662 663 /* 664 * Allow a privileged process to transmit traffic without explicit labels 665 */ 666 int 667 secpolicy_net_mac_implicit(const cred_t *cr) 668 { 669 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 670 } 671 672 /* 673 * Common routine which determines whether a given credential can 674 * act on a given mount. 675 * When called through mount, the parameter needoptcheck is a pointer 676 * to a boolean variable which will be set to either true or false, 677 * depending on whether the mount policy should change the mount options. 678 * In all other cases, needoptcheck should be a NULL pointer. 679 */ 680 static int 681 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 682 boolean_t *needoptcheck) 683 { 684 boolean_t allzone = B_FALSE; 685 boolean_t mounting = needoptcheck != NULL; 686 687 /* 688 * Short circuit the following cases: 689 * vfsp == NULL or mvp == NULL (pure privilege check) 690 * have all privileges - no further checks required 691 * and no mount options need to be set. 692 */ 693 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 694 if (mounting) 695 *needoptcheck = B_FALSE; 696 697 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 698 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 699 } 700 701 /* 702 * When operating on an existing mount (either we're not mounting 703 * or we're doing a remount and VFS_REMOUNT will be set), zones 704 * can operate only on mounts established by the zone itself. 705 */ 706 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 707 zoneid_t zoneid = crgetzoneid(cr); 708 709 if (zoneid != GLOBAL_ZONEID && 710 vfsp->vfs_zone->zone_id != zoneid) { 711 return (EPERM); 712 } 713 } 714 715 if (mounting) 716 *needoptcheck = B_TRUE; 717 718 /* 719 * Overlay mounts may hide important stuff; if you can't write to a 720 * mount point but would be able to mount on top of it, you can 721 * escalate your privileges. 722 * So we go about asking the same questions namefs does when it 723 * decides whether you can mount over a file or not but with the 724 * added restriction that you can only mount on top of a regular 725 * file or directory. 726 * If we have all the zone's privileges, we skip all other checks, 727 * or else we may actually get in trouble inside the automounter. 728 */ 729 if ((mvp->v_flag & VROOT) != 0 || 730 (mvp->v_type != VDIR && mvp->v_type != VREG) || 731 HAS_ALLZONEPRIVS(cr)) { 732 allzone = B_TRUE; 733 } else { 734 vattr_t va; 735 int err; 736 737 va.va_mask = AT_UID|AT_MODE; 738 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 739 if (err != 0) 740 return (err); 741 742 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 743 return (err); 744 745 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, 746 VWRITE) != 0) { 747 return (EACCES); 748 } 749 } 750 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 751 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 752 } 753 754 void 755 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 756 { 757 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 758 759 /* 760 * check; if we don't have either "nosuid" or 761 * both "nosetuid" and "nodevices", then we add 762 * "nosuid"; this depends on how the current 763 * implementation works (it first checks nosuid). In a 764 * zone, a user with all zone privileges can mount with 765 * "setuid" but never with "devices". 766 */ 767 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 768 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 769 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 770 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 771 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 772 else 773 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 774 } 775 /* 776 * If we're not the local super user, we set the "restrict" 777 * option to indicate to automountd that this mount should 778 * be handled with care. 779 */ 780 if (!amsuper) 781 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 782 783 } 784 785 int 786 secpolicy_fs_allowed_mount(const char *fsname) 787 { 788 struct vfssw *vswp; 789 const char *p; 790 size_t len; 791 792 ASSERT(fsname != NULL); 793 ASSERT(fsname[0] != '\0'); 794 795 if (INGLOBALZONE(curproc)) 796 return (0); 797 798 vswp = vfs_getvfssw(fsname); 799 if (vswp == NULL) 800 return (ENOENT); 801 802 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) { 803 vfs_unrefvfssw(vswp); 804 return (0); 805 } 806 807 vfs_unrefvfssw(vswp); 808 809 p = curzone->zone_fs_allowed; 810 len = strlen(fsname); 811 812 while (p != NULL && *p != '\0') { 813 if (strncmp(p, fsname, len) == 0) { 814 char c = *(p + len); 815 if (c == '\0' || c == ',') 816 return (0); 817 } 818 819 /* skip to beyond the next comma */ 820 if ((p = strchr(p, ',')) != NULL) 821 p++; 822 } 823 824 return (EPERM); 825 } 826 827 extern vnode_t *rootvp; 828 extern vfs_t *rootvfs; 829 830 int 831 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 832 { 833 boolean_t needoptchk; 834 int error; 835 836 /* 837 * If it's a remount, get the underlying mount point, 838 * except for the root where we use the rootvp. 839 */ 840 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 841 if (vfsp == rootvfs) 842 mvp = rootvp; 843 else 844 mvp = vfsp->vfs_vnodecovered; 845 } 846 847 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 848 849 if (error == 0 && needoptchk) { 850 secpolicy_fs_mount_clearopts(cr, vfsp); 851 } 852 853 return (error); 854 } 855 856 /* 857 * Does the policy computations for "ownership" of a mount; 858 * here ownership is defined as the ability to "mount" 859 * the filesystem originally. The rootvfs doesn't cover any 860 * vnodes; we attribute its ownership to the rootvp. 861 */ 862 static int 863 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 864 { 865 vnode_t *mvp; 866 867 if (vfsp == NULL) 868 mvp = NULL; 869 else if (vfsp == rootvfs) 870 mvp = rootvp; 871 else 872 mvp = vfsp->vfs_vnodecovered; 873 874 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 875 } 876 877 int 878 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 879 { 880 return (secpolicy_fs_owner(cr, vfsp)); 881 } 882 883 /* 884 * Quotas are a resource, but if one has the ability to mount a filesystem, 885 * they should be able to modify quotas on it. 886 */ 887 int 888 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 889 { 890 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 891 } 892 893 /* 894 * Exceeding minfree: also a per-mount resource constraint. 895 */ 896 int 897 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 898 { 899 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 900 } 901 902 int 903 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 904 { 905 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 906 } 907 908 /* ARGSUSED */ 909 int 910 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 911 { 912 if (priv_allow_linkdir == 0) { 913 /* 914 * By default, this policy check will now always return EPERM 915 * unless overridden. 916 * 917 * We do so without triggering auditing or allowing privilege 918 * debugging for two reasons: first, we intend eventually to 919 * deprecate the PRIV_SYS_LINKDIR privilege entirely and remove 920 * the use of this policy check from the file systems; second, 921 * for privilege debugging in particular, because it would be 922 * confusing to report an unlink() failure as the result of a 923 * missing privilege when in fact we are simply no longer 924 * allowing the operation at all. 925 */ 926 return (EPERM); 927 } 928 929 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 930 } 931 932 /* 933 * Name: secpolicy_vnode_access() 934 * 935 * Parameters: Process credential 936 * vnode 937 * uid of owner of vnode 938 * permission bits not granted to the caller when examining 939 * file mode bits (i.e., when a process wants to open a 940 * mode 444 file for VREAD|VWRITE, this function should be 941 * called only with a VWRITE argument). 942 * 943 * Normal: Verifies that cred has the appropriate privileges to 944 * override the mode bits that were denied. 945 * 946 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 947 * not a directory. 948 * file_dac_read - if VREAD bit was denied. 949 * file_dac_search - if VEXEC bit was denied and vnode is 950 * a directory. 951 * file_dac_write - if VWRITE bit was denied. 952 * 953 * Root owned files are special cased to protect system 954 * configuration files and such. 955 * 956 * Output: EACCES - if privilege check fails. 957 */ 958 959 int 960 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 961 { 962 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 963 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 964 KLPDARG_NOMORE) != 0) { 965 return (EACCES); 966 } 967 968 if (mode & VWRITE) { 969 boolean_t allzone; 970 971 if (owner == 0 && cr->cr_uid != 0) 972 allzone = B_TRUE; 973 else 974 allzone = B_FALSE; 975 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 976 NULL, KLPDARG_VNODE, vp, (char *)NULL, 977 KLPDARG_NOMORE) != 0) { 978 return (EACCES); 979 } 980 } 981 982 if (mode & VEXEC) { 983 /* 984 * Directories use file_dac_search to override the execute bit. 985 */ 986 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 987 PRIV_FILE_DAC_EXECUTE; 988 989 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 990 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 991 } 992 return (0); 993 } 994 995 /* 996 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 997 * current mode of the file, not the missing bits. 998 */ 999 int 1000 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, 1001 mode_t curmode, mode_t wantmode) 1002 { 1003 mode_t mode; 1004 1005 /* Inline the basic privileges tests. */ 1006 if ((wantmode & VREAD) && 1007 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && 1008 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 1009 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 1010 return (EACCES); 1011 } 1012 1013 if ((wantmode & VWRITE) && 1014 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && 1015 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 1016 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 1017 return (EACCES); 1018 } 1019 1020 mode = ~curmode & wantmode; 1021 1022 if (mode == 0) 1023 return (0); 1024 1025 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 1026 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 1027 KLPDARG_NOMORE) != 0) { 1028 return (EACCES); 1029 } 1030 1031 if (mode & VWRITE) { 1032 boolean_t allzone; 1033 1034 if (owner == 0 && cr->cr_uid != 0) 1035 allzone = B_TRUE; 1036 else 1037 allzone = B_FALSE; 1038 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 1039 NULL, KLPDARG_VNODE, vp, (char *)NULL, 1040 KLPDARG_NOMORE) != 0) { 1041 return (EACCES); 1042 } 1043 } 1044 1045 if (mode & VEXEC) { 1046 /* 1047 * Directories use file_dac_search to override the execute bit. 1048 */ 1049 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 1050 PRIV_FILE_DAC_EXECUTE; 1051 1052 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 1053 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1054 } 1055 return (0); 1056 } 1057 1058 /* 1059 * This is a special routine for ZFS; it is used to determine whether 1060 * any of the privileges in effect allow any form of access to the 1061 * file. There's no reason to audit this or any reason to record 1062 * this. More work is needed to do the "KPLD" stuff. 1063 */ 1064 int 1065 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) 1066 { 1067 static int privs[] = { 1068 PRIV_FILE_OWNER, 1069 PRIV_FILE_CHOWN, 1070 PRIV_FILE_DAC_READ, 1071 PRIV_FILE_DAC_WRITE, 1072 PRIV_FILE_DAC_EXECUTE, 1073 PRIV_FILE_DAC_SEARCH, 1074 }; 1075 int i; 1076 1077 /* Same as secpolicy_vnode_setdac */ 1078 if (owner == cr->cr_uid) 1079 return (0); 1080 1081 for (i = 0; i < sizeof (privs)/sizeof (int); i++) { 1082 boolean_t allzone = B_FALSE; 1083 int priv; 1084 1085 switch (priv = privs[i]) { 1086 case PRIV_FILE_DAC_EXECUTE: 1087 if (vp->v_type == VDIR) 1088 continue; 1089 break; 1090 case PRIV_FILE_DAC_SEARCH: 1091 if (vp->v_type != VDIR) 1092 continue; 1093 break; 1094 case PRIV_FILE_DAC_WRITE: 1095 case PRIV_FILE_OWNER: 1096 case PRIV_FILE_CHOWN: 1097 /* We know here that if owner == 0, that cr_uid != 0 */ 1098 allzone = owner == 0; 1099 break; 1100 } 1101 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) 1102 return (0); 1103 } 1104 return (EPERM); 1105 } 1106 1107 /* 1108 * Name: secpolicy_vnode_setid_modify() 1109 * 1110 * Normal: verify that subject can set the file setid flags. 1111 * 1112 * Output: EPERM - if not privileged. 1113 */ 1114 1115 static int 1116 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 1117 { 1118 /* If changing to suid root, must have all zone privs */ 1119 boolean_t allzone = B_TRUE; 1120 1121 if (owner != 0) { 1122 if (owner == cr->cr_uid) 1123 return (0); 1124 allzone = B_FALSE; 1125 } 1126 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 1127 } 1128 1129 /* 1130 * Are we allowed to retain the set-uid/set-gid bits when 1131 * changing ownership or when writing to a file? 1132 * "issuid" should be true when set-uid; only in that case 1133 * root ownership is checked (setgid is assumed). 1134 */ 1135 int 1136 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 1137 { 1138 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 1139 return (EPERM); 1140 1141 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 1142 } 1143 1144 /* 1145 * Name: secpolicy_vnode_setids_setgids() 1146 * 1147 * Normal: verify that subject can set the file setgid flag. 1148 * 1149 * Output: EPERM - if not privileged 1150 */ 1151 1152 int 1153 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 1154 { 1155 if (!groupmember(gid, cred)) 1156 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 1157 NULL)); 1158 return (0); 1159 } 1160 1161 /* 1162 * Name: secpolicy_vnode_chown 1163 * 1164 * Normal: Determine if subject can chown owner of a file. 1165 * 1166 * Output: EPERM - if access denied 1167 */ 1168 1169 int 1170 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 1171 { 1172 boolean_t is_owner = (owner == crgetuid(cred)); 1173 boolean_t allzone = B_FALSE; 1174 int priv; 1175 1176 if (!is_owner) { 1177 allzone = (owner == 0); 1178 priv = PRIV_FILE_CHOWN; 1179 } else { 1180 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 1181 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1182 } 1183 1184 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 1185 } 1186 1187 /* 1188 * Name: secpolicy_vnode_create_gid 1189 * 1190 * Normal: Determine if subject can change group ownership of a file. 1191 * 1192 * Output: EPERM - if access denied 1193 */ 1194 int 1195 secpolicy_vnode_create_gid(const cred_t *cred) 1196 { 1197 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 1198 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 1199 NULL)); 1200 else 1201 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 1202 NULL)); 1203 } 1204 1205 /* 1206 * Name: secpolicy_vnode_utime_modify() 1207 * 1208 * Normal: verify that subject can modify the utime on a file. 1209 * 1210 * Output: EPERM - if access denied. 1211 */ 1212 1213 static int 1214 secpolicy_vnode_utime_modify(const cred_t *cred) 1215 { 1216 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 1217 "modify file times")); 1218 } 1219 1220 1221 /* 1222 * Name: secpolicy_vnode_setdac() 1223 * 1224 * Normal: verify that subject can modify the mode of a file. 1225 * allzone privilege needed when modifying root owned object. 1226 * 1227 * Output: EPERM - if access denied. 1228 */ 1229 1230 int 1231 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1232 { 1233 if (owner == cred->cr_uid) 1234 return (0); 1235 1236 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1237 } 1238 /* 1239 * Name: secpolicy_vnode_stky_modify() 1240 * 1241 * Normal: verify that subject can make a file a "sticky". 1242 * 1243 * Output: EPERM - if access denied. 1244 */ 1245 1246 int 1247 secpolicy_vnode_stky_modify(const cred_t *cred) 1248 { 1249 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1250 "set file sticky")); 1251 } 1252 1253 /* 1254 * Policy determines whether we can remove an entry from a directory, 1255 * regardless of permission bits. 1256 */ 1257 int 1258 secpolicy_vnode_remove(const cred_t *cr) 1259 { 1260 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1261 "sticky directory")); 1262 } 1263 1264 int 1265 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1266 { 1267 boolean_t allzone = (owner == 0); 1268 1269 if (owner == cr->cr_uid) 1270 return (0); 1271 1272 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1273 } 1274 1275 void 1276 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1277 { 1278 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1279 secpolicy_vnode_setid_retain(cr, 1280 (vap->va_mode & S_ISUID) != 0 && 1281 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1282 vap->va_mask |= AT_MODE; 1283 vap->va_mode &= ~(S_ISUID|S_ISGID); 1284 } 1285 } 1286 1287 int 1288 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1289 cred_t *cr) 1290 { 1291 int error; 1292 1293 if ((vap->va_mode & S_ISUID) != 0 && 1294 (error = secpolicy_vnode_setid_modify(cr, 1295 ovap->va_uid)) != 0) { 1296 return (error); 1297 } 1298 1299 /* 1300 * Check privilege if attempting to set the 1301 * sticky bit on a non-directory. 1302 */ 1303 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1304 secpolicy_vnode_stky_modify(cr) != 0) { 1305 vap->va_mode &= ~S_ISVTX; 1306 } 1307 1308 /* 1309 * Check for privilege if attempting to set the 1310 * group-id bit. 1311 */ 1312 if ((vap->va_mode & S_ISGID) != 0 && 1313 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1314 vap->va_mode &= ~S_ISGID; 1315 } 1316 1317 return (0); 1318 } 1319 1320 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1321 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1322 B_FALSE, EPERM, NULL) 1323 1324 /* 1325 * Check privileges for setting xvattr attributes 1326 */ 1327 int 1328 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1329 { 1330 xoptattr_t *xoap; 1331 int error = 0; 1332 1333 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1334 return (EINVAL); 1335 1336 /* 1337 * First process the DOS bits 1338 */ 1339 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1340 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1341 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1342 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1343 XVA_ISSET_REQ(xvap, XAT_CREATETIME) || 1344 XVA_ISSET_REQ(xvap, XAT_OFFLINE) || 1345 XVA_ISSET_REQ(xvap, XAT_SPARSE)) { 1346 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1347 return (error); 1348 } 1349 1350 /* 1351 * Now handle special attributes 1352 */ 1353 1354 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1355 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1356 xoap->xoa_immutable, cr); 1357 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1358 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1359 xoap->xoa_nounlink, cr); 1360 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1361 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1362 xoap->xoa_appendonly, cr); 1363 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1364 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1365 xoap->xoa_nodump, cr); 1366 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1367 error = EPERM; 1368 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1369 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1370 xoap->xoa_av_quarantined, cr); 1371 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1372 error = EINVAL; 1373 } 1374 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1375 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1376 xoap->xoa_av_modified, cr); 1377 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1378 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1379 xoap->xoa_av_scanstamp, cr); 1380 if (error == 0 && vtype != VREG) 1381 error = EINVAL; 1382 } 1383 return (error); 1384 } 1385 1386 /* 1387 * This function checks the policy decisions surrounding the 1388 * vop setattr call. 1389 * 1390 * It should be called after sufficient locks have been established 1391 * on the underlying data structures. No concurrent modifications 1392 * should be allowed. 1393 * 1394 * The caller must pass in unlocked version of its vaccess function 1395 * this is required because vop_access function should lock the 1396 * node for reading. A three argument function should be defined 1397 * which accepts the following argument: 1398 * A pointer to the internal "node" type (inode *) 1399 * vnode access bits (VREAD|VWRITE|VEXEC) 1400 * a pointer to the credential 1401 * 1402 * This function makes the following policy decisions: 1403 * 1404 * - change permissions 1405 * - permission to change file mode if not owner 1406 * - permission to add sticky bit to non-directory 1407 * - permission to add set-gid bit 1408 * 1409 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1410 * 1411 * If the vap argument does not include AT_MODE, the mode will be copied from 1412 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1413 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1414 * is updated to the newly computed mode. 1415 */ 1416 1417 int 1418 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1419 const struct vattr *ovap, int flags, 1420 int unlocked_access(void *, int, cred_t *), 1421 void *node) 1422 { 1423 int mask = vap->va_mask; 1424 int error = 0; 1425 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1426 1427 if (mask & AT_SIZE) { 1428 if (vp->v_type == VDIR) { 1429 error = EISDIR; 1430 goto out; 1431 } 1432 1433 /* 1434 * If ATTR_NOACLCHECK is set in the flags, then we don't 1435 * perform the secondary unlocked_access() call since the 1436 * ACL (if any) is being checked there. 1437 */ 1438 if (skipaclchk == B_FALSE) { 1439 error = unlocked_access(node, VWRITE, cr); 1440 if (error) 1441 goto out; 1442 } 1443 } 1444 if (mask & AT_MODE) { 1445 /* 1446 * If not the owner of the file then check privilege 1447 * for two things: the privilege to set the mode at all 1448 * and, if we're setting setuid, we also need permissions 1449 * to add the set-uid bit, if we're not the owner. 1450 * In the specific case of creating a set-uid root 1451 * file, we need even more permissions. 1452 */ 1453 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1454 goto out; 1455 1456 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1457 ovap, cr)) != 0) 1458 goto out; 1459 } else 1460 vap->va_mode = ovap->va_mode; 1461 1462 if (mask & (AT_UID|AT_GID)) { 1463 boolean_t checkpriv = B_FALSE; 1464 1465 /* 1466 * Chowning files. 1467 * 1468 * If you are the file owner: 1469 * chown to other uid FILE_CHOWN_SELF 1470 * chown to gid (non-member) FILE_CHOWN_SELF 1471 * chown to gid (member) <none> 1472 * 1473 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1474 * acceptable but the first one is reported when debugging. 1475 * 1476 * If you are not the file owner: 1477 * chown from root PRIV_FILE_CHOWN + zone 1478 * chown from other to any PRIV_FILE_CHOWN 1479 * 1480 */ 1481 if (cr->cr_uid != ovap->va_uid) { 1482 checkpriv = B_TRUE; 1483 } else { 1484 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1485 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1486 !groupmember(vap->va_gid, cr))) { 1487 checkpriv = B_TRUE; 1488 } 1489 } 1490 /* 1491 * If necessary, check privilege to see if update can be done. 1492 */ 1493 if (checkpriv && 1494 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1495 goto out; 1496 } 1497 1498 /* 1499 * If the file has either the set UID or set GID bits 1500 * set and the caller can set the bits, then leave them. 1501 */ 1502 secpolicy_setid_clear(vap, cr); 1503 } 1504 if (mask & (AT_ATIME|AT_MTIME)) { 1505 /* 1506 * If not the file owner and not otherwise privileged, 1507 * always return an error when setting the 1508 * time other than the current (ATTR_UTIME flag set). 1509 * If setting the current time (ATTR_UTIME not set) then 1510 * unlocked_access will check permissions according to policy. 1511 */ 1512 if (cr->cr_uid != ovap->va_uid) { 1513 if (flags & ATTR_UTIME) 1514 error = secpolicy_vnode_utime_modify(cr); 1515 else if (skipaclchk == B_FALSE) { 1516 error = unlocked_access(node, VWRITE, cr); 1517 if (error == EACCES && 1518 secpolicy_vnode_utime_modify(cr) == 0) 1519 error = 0; 1520 } 1521 if (error) 1522 goto out; 1523 } 1524 } 1525 1526 /* 1527 * Check for optional attributes here by checking the following: 1528 */ 1529 if (mask & AT_XVATTR) 1530 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1531 vp->v_type); 1532 out: 1533 return (error); 1534 } 1535 1536 /* 1537 * Name: secpolicy_pcfs_modify_bootpartition() 1538 * 1539 * Normal: verify that subject can modify a pcfs boot partition. 1540 * 1541 * Output: EACCES - if privilege check failed. 1542 */ 1543 /*ARGSUSED*/ 1544 int 1545 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1546 { 1547 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1548 "modify pcfs boot partition")); 1549 } 1550 1551 /* 1552 * System V IPC routines 1553 */ 1554 int 1555 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1556 { 1557 if (crgetzoneid(cr) != ip->ipc_zoneid || 1558 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1559 boolean_t allzone = B_FALSE; 1560 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1561 allzone = B_TRUE; 1562 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1563 } 1564 return (0); 1565 } 1566 1567 int 1568 secpolicy_ipc_config(const cred_t *cr) 1569 { 1570 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1571 } 1572 1573 int 1574 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1575 { 1576 1577 boolean_t allzone = B_FALSE; 1578 1579 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1580 1581 if ((mode & MSG_R) && 1582 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1583 return (EACCES); 1584 1585 if (mode & MSG_W) { 1586 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1587 allzone = B_TRUE; 1588 1589 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1590 NULL)); 1591 } 1592 return (0); 1593 } 1594 1595 int 1596 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1597 { 1598 boolean_t allzone = B_FALSE; 1599 1600 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1601 1602 if ((mode & MSG_R) && 1603 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1604 return (EACCES); 1605 1606 if (mode & MSG_W) { 1607 if (cr->cr_uid != 0 && owner == 0) 1608 allzone = B_TRUE; 1609 1610 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1611 NULL)); 1612 } 1613 return (0); 1614 } 1615 1616 /* 1617 * Audit configuration. 1618 */ 1619 int 1620 secpolicy_audit_config(const cred_t *cr) 1621 { 1622 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1623 } 1624 1625 /* 1626 * Audit record generation. 1627 */ 1628 int 1629 secpolicy_audit_modify(const cred_t *cr) 1630 { 1631 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1632 } 1633 1634 /* 1635 * Get audit attributes. 1636 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1637 * "Least" of the two privileges on error. 1638 */ 1639 int 1640 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) 1641 { 1642 int priv; 1643 1644 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) 1645 priv = PRIV_SYS_AUDIT; 1646 else 1647 priv = PRIV_PROC_AUDIT; 1648 1649 if (checkonly) 1650 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); 1651 else 1652 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1653 } 1654 1655 1656 /* 1657 * Locking physical memory 1658 */ 1659 int 1660 secpolicy_lock_memory(const cred_t *cr) 1661 { 1662 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1663 } 1664 1665 /* 1666 * Accounting (both acct(2) and exacct). 1667 */ 1668 int 1669 secpolicy_acct(const cred_t *cr) 1670 { 1671 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1672 } 1673 1674 /* 1675 * Is this process privileged to change its uids at will? 1676 * Uid 0 is still considered "special" and having the SETID 1677 * privilege is not sufficient to get uid 0. 1678 * Files are owned by root, so the privilege would give 1679 * full access and euid 0 is still effective. 1680 * 1681 * If you have the privilege and euid 0 only then do you 1682 * get the powers of root wrt uid 0. 1683 * 1684 * For gid manipulations, this is should be called with an 1685 * uid of -1. 1686 * 1687 */ 1688 int 1689 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1690 { 1691 boolean_t allzone = B_FALSE; 1692 1693 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1694 cr->cr_ruid != 0) { 1695 allzone = B_TRUE; 1696 } 1697 1698 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1699 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1700 } 1701 1702 1703 /* 1704 * Acting on a different process: if the mode is for writing, 1705 * the restrictions are more severe. This is called after 1706 * we've verified that the uids do not match. 1707 */ 1708 int 1709 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1710 { 1711 boolean_t allzone = B_FALSE; 1712 1713 if ((mode & VWRITE) && scr->cr_uid != 0 && 1714 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1715 allzone = B_TRUE; 1716 1717 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1718 } 1719 1720 int 1721 secpolicy_proc_access(const cred_t *scr) 1722 { 1723 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1724 } 1725 1726 int 1727 secpolicy_proc_excl_open(const cred_t *scr) 1728 { 1729 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1730 } 1731 1732 int 1733 secpolicy_proc_zone(const cred_t *scr) 1734 { 1735 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1736 } 1737 1738 /* 1739 * Destroying the system 1740 */ 1741 1742 int 1743 secpolicy_kmdb(const cred_t *scr) 1744 { 1745 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1746 } 1747 1748 int 1749 secpolicy_error_inject(const cred_t *scr) 1750 { 1751 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1752 } 1753 1754 /* 1755 * Processor sets, cpu configuration, resource pools. 1756 */ 1757 int 1758 secpolicy_pset(const cred_t *cr) 1759 { 1760 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1761 } 1762 1763 /* Process security flags */ 1764 int 1765 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp) 1766 { 1767 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0) 1768 return (EPERM); 1769 1770 if (!prochasprocperm(tp, sp, cr)) 1771 return (EPERM); 1772 1773 return (0); 1774 } 1775 1776 /* 1777 * Processor set binding. 1778 */ 1779 int 1780 secpolicy_pbind(const cred_t *cr) 1781 { 1782 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) 1783 return (secpolicy_pset(cr)); 1784 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); 1785 } 1786 1787 int 1788 secpolicy_ponline(const cred_t *cr) 1789 { 1790 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1791 } 1792 1793 int 1794 secpolicy_pool(const cred_t *cr) 1795 { 1796 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1797 } 1798 1799 int 1800 secpolicy_blacklist(const cred_t *cr) 1801 { 1802 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1803 } 1804 1805 /* 1806 * Catch all system configuration. 1807 */ 1808 int 1809 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1810 { 1811 if (checkonly) { 1812 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1813 EPERM); 1814 } else { 1815 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1816 } 1817 } 1818 1819 /* 1820 * Zone administration (halt, reboot, etc.) from within zone. 1821 */ 1822 int 1823 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1824 { 1825 if (checkonly) { 1826 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1827 EPERM); 1828 } else { 1829 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1830 NULL)); 1831 } 1832 } 1833 1834 /* 1835 * Zone configuration (create, halt, enter). 1836 */ 1837 int 1838 secpolicy_zone_config(const cred_t *cr) 1839 { 1840 /* 1841 * Require all privileges to avoid possibility of privilege 1842 * escalation. 1843 */ 1844 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 1845 } 1846 1847 /* 1848 * Various other system configuration calls 1849 */ 1850 int 1851 secpolicy_coreadm(const cred_t *cr) 1852 { 1853 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1854 } 1855 1856 int 1857 secpolicy_systeminfo(const cred_t *cr) 1858 { 1859 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1860 } 1861 1862 int 1863 secpolicy_dispadm(const cred_t *cr) 1864 { 1865 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1866 } 1867 1868 int 1869 secpolicy_settime(const cred_t *cr) 1870 { 1871 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1872 } 1873 1874 /* 1875 * For realtime users: high resolution clock. 1876 */ 1877 int 1878 secpolicy_clock_highres(const cred_t *cr) 1879 { 1880 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1881 NULL)); 1882 } 1883 1884 /* 1885 * drv_priv() is documented as callable from interrupt context, not that 1886 * anyone ever does, but still. No debugging or auditing can be done when 1887 * it is called from interrupt context. 1888 * returns 0 on succes, EPERM on failure. 1889 */ 1890 int 1891 drv_priv(cred_t *cr) 1892 { 1893 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1894 } 1895 1896 int 1897 secpolicy_sys_devices(const cred_t *cr) 1898 { 1899 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1900 } 1901 1902 int 1903 secpolicy_excl_open(const cred_t *cr) 1904 { 1905 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1906 } 1907 1908 int 1909 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1910 { 1911 /* zone.* rctls can only be set from the global zone */ 1912 if (is_zone_rctl && priv_policy_global(cr) != 0) 1913 return (EPERM); 1914 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1915 } 1916 1917 int 1918 secpolicy_resource(const cred_t *cr) 1919 { 1920 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1921 } 1922 1923 int 1924 secpolicy_resource_anon_mem(const cred_t *cr) 1925 { 1926 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1927 } 1928 1929 /* 1930 * Processes with a real uid of 0 escape any form of accounting, much 1931 * like before. 1932 */ 1933 int 1934 secpolicy_newproc(const cred_t *cr) 1935 { 1936 if (cr->cr_ruid == 0) 1937 return (0); 1938 1939 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1940 } 1941 1942 /* 1943 * Networking 1944 */ 1945 int 1946 secpolicy_net_rawaccess(const cred_t *cr) 1947 { 1948 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1949 } 1950 1951 int 1952 secpolicy_net_observability(const cred_t *cr) 1953 { 1954 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1955 } 1956 1957 /* 1958 * Need this privilege for accessing the ICMP device 1959 */ 1960 int 1961 secpolicy_net_icmpaccess(const cred_t *cr) 1962 { 1963 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1964 } 1965 1966 /* 1967 * There are a few rare cases where the kernel generates ioctls() from 1968 * interrupt context with a credential of kcred rather than NULL. 1969 * In those cases, we take the safe and cheap test. 1970 */ 1971 int 1972 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1973 { 1974 if (checkonly) { 1975 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1976 0 : EPERM); 1977 } else { 1978 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1979 NULL)); 1980 } 1981 } 1982 1983 1984 /* 1985 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1986 * 1987 * There are a few rare cases where the kernel generates ioctls() from 1988 * interrupt context with a credential of kcred rather than NULL. 1989 * In those cases, we take the safe and cheap test. 1990 */ 1991 int 1992 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1993 { 1994 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1995 return (secpolicy_net_config(cr, checkonly)); 1996 1997 if (checkonly) { 1998 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1999 0 : EPERM); 2000 } else { 2001 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 2002 NULL)); 2003 } 2004 } 2005 2006 /* 2007 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 2008 */ 2009 int 2010 secpolicy_dl_config(const cred_t *cr) 2011 { 2012 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2013 return (secpolicy_net_config(cr, B_FALSE)); 2014 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 2015 } 2016 2017 /* 2018 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 2019 */ 2020 int 2021 secpolicy_iptun_config(const cred_t *cr) 2022 { 2023 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2024 return (secpolicy_net_config(cr, B_FALSE)); 2025 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 2026 return (secpolicy_dl_config(cr)); 2027 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 2028 } 2029 2030 /* 2031 * Map IP pseudo privileges to actual privileges. 2032 * So we don't need to recompile IP when we change the privileges. 2033 */ 2034 int 2035 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 2036 { 2037 int priv = PRIV_ALL; 2038 2039 switch (netpriv) { 2040 case OP_CONFIG: 2041 priv = PRIV_SYS_IP_CONFIG; 2042 break; 2043 case OP_RAW: 2044 priv = PRIV_NET_RAWACCESS; 2045 break; 2046 case OP_PRIVPORT: 2047 priv = PRIV_NET_PRIVADDR; 2048 break; 2049 } 2050 ASSERT(priv != PRIV_ALL); 2051 if (checkonly) 2052 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2053 else 2054 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2055 } 2056 2057 /* 2058 * Map network pseudo privileges to actual privileges. 2059 * So we don't need to recompile IP when we change the privileges. 2060 */ 2061 int 2062 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 2063 { 2064 int priv = PRIV_ALL; 2065 2066 switch (netpriv) { 2067 case OP_CONFIG: 2068 priv = PRIV_SYS_NET_CONFIG; 2069 break; 2070 case OP_RAW: 2071 priv = PRIV_NET_RAWACCESS; 2072 break; 2073 case OP_PRIVPORT: 2074 priv = PRIV_NET_PRIVADDR; 2075 break; 2076 } 2077 ASSERT(priv != PRIV_ALL); 2078 if (checkonly) 2079 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2080 else 2081 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2082 } 2083 2084 /* 2085 * Checks for operations that are either client-only or are used by 2086 * both clients and servers. 2087 */ 2088 int 2089 secpolicy_nfs(const cred_t *cr) 2090 { 2091 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 2092 } 2093 2094 /* 2095 * Special case for opening rpcmod: have NFS privileges or network 2096 * config privileges. 2097 */ 2098 int 2099 secpolicy_rpcmod_open(const cred_t *cr) 2100 { 2101 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 2102 return (secpolicy_nfs(cr)); 2103 else 2104 return (secpolicy_net_config(cr, B_FALSE)); 2105 } 2106 2107 int 2108 secpolicy_chroot(const cred_t *cr) 2109 { 2110 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 2111 } 2112 2113 int 2114 secpolicy_tasksys(const cred_t *cr) 2115 { 2116 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 2117 } 2118 2119 int 2120 secpolicy_meminfo(const cred_t *cr) 2121 { 2122 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL)); 2123 } 2124 2125 int 2126 secpolicy_pfexec_register(const cred_t *cr) 2127 { 2128 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); 2129 } 2130 2131 /* 2132 * Basic privilege checks. 2133 */ 2134 int 2135 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 2136 { 2137 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); 2138 2139 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 2140 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 2141 } 2142 2143 int 2144 secpolicy_basic_fork(const cred_t *cr) 2145 { 2146 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); 2147 2148 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 2149 } 2150 2151 int 2152 secpolicy_basic_proc(const cred_t *cr) 2153 { 2154 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); 2155 2156 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 2157 } 2158 2159 /* 2160 * Slightly complicated because we don't want to trigger the policy too 2161 * often. First we shortcircuit access to "self" (tp == sp) or if 2162 * we don't have the privilege but if we have permission 2163 * just return (0) and we don't flag the privilege as needed. 2164 * Else, we test for the privilege because we either have it or need it. 2165 */ 2166 int 2167 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 2168 { 2169 if (tp == sp || 2170 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 2171 return (0); 2172 } else { 2173 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 2174 } 2175 } 2176 2177 int 2178 secpolicy_basic_link(const cred_t *cr) 2179 { 2180 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); 2181 2182 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 2183 } 2184 2185 int 2186 secpolicy_basic_net_access(const cred_t *cr) 2187 { 2188 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); 2189 2190 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 2191 } 2192 2193 /* ARGSUSED */ 2194 int 2195 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) 2196 { 2197 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); 2198 2199 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 2200 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2201 } 2202 2203 /* ARGSUSED */ 2204 int 2205 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) 2206 { 2207 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); 2208 2209 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 2210 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2211 } 2212 2213 /* 2214 * Additional device protection. 2215 * 2216 * Traditionally, a device has specific permissions on the node in 2217 * the filesystem which govern which devices can be opened by what 2218 * processes. In certain cases, it is desirable to add extra 2219 * restrictions, as writing to certain devices is identical to 2220 * having a complete run of the system. 2221 * 2222 * This mechanism is called the device policy. 2223 * 2224 * When a device is opened, its policy entry is looked up in the 2225 * policy cache and checked. 2226 */ 2227 int 2228 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 2229 { 2230 devplcy_t *plcy; 2231 int err; 2232 struct snode *csp = VTOS(common_specvp(vp)); 2233 priv_set_t pset; 2234 2235 mutex_enter(&csp->s_lock); 2236 2237 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 2238 plcy = devpolicy_find(vp); 2239 if (csp->s_plcy) 2240 dpfree(csp->s_plcy); 2241 csp->s_plcy = plcy; 2242 ASSERT(plcy != NULL); 2243 } else 2244 plcy = csp->s_plcy; 2245 2246 if (plcy == nullpolicy) { 2247 mutex_exit(&csp->s_lock); 2248 return (0); 2249 } 2250 2251 dphold(plcy); 2252 2253 mutex_exit(&csp->s_lock); 2254 2255 if (oflag & FWRITE) 2256 pset = plcy->dp_wrp; 2257 else 2258 pset = plcy->dp_rdp; 2259 /* 2260 * Special case: 2261 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2262 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 2263 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 2264 * in the required privilege set before doing the check. 2265 */ 2266 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 2267 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 2268 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 2269 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 2270 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 2271 } 2272 2273 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); 2274 dpfree(plcy); 2275 2276 return (err); 2277 } 2278 2279 int 2280 secpolicy_modctl(const cred_t *cr, int cmd) 2281 { 2282 switch (cmd) { 2283 case MODINFO: 2284 case MODGETMAJBIND: 2285 case MODGETPATH: 2286 case MODGETPATHLEN: 2287 case MODGETNAME: 2288 case MODGETFBNAME: 2289 case MODGETDEVPOLICY: 2290 case MODGETDEVPOLICYBYNAME: 2291 case MODDEVT2INSTANCE: 2292 case MODSIZEOF_DEVID: 2293 case MODGETDEVID: 2294 case MODSIZEOF_MINORNAME: 2295 case MODGETMINORNAME: 2296 case MODGETDEVFSPATH_LEN: 2297 case MODGETDEVFSPATH: 2298 case MODGETDEVFSPATH_MI_LEN: 2299 case MODGETDEVFSPATH_MI: 2300 /* Unprivileged */ 2301 return (0); 2302 case MODLOAD: 2303 case MODSETDEVPOLICY: 2304 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, 2305 KLPDARG_NONE)); 2306 default: 2307 return (secpolicy_sys_config(cr, B_FALSE)); 2308 } 2309 } 2310 2311 int 2312 secpolicy_console(const cred_t *cr) 2313 { 2314 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2315 } 2316 2317 int 2318 secpolicy_power_mgmt(const cred_t *cr) 2319 { 2320 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2321 } 2322 2323 /* 2324 * Simulate terminal input; another escalation of privileges avenue. 2325 */ 2326 2327 int 2328 secpolicy_sti(const cred_t *cr) 2329 { 2330 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2331 } 2332 2333 boolean_t 2334 secpolicy_net_reply_equal(const cred_t *cr) 2335 { 2336 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2337 } 2338 2339 int 2340 secpolicy_swapctl(const cred_t *cr) 2341 { 2342 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2343 } 2344 2345 int 2346 secpolicy_cpc_cpu(const cred_t *cr) 2347 { 2348 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2349 } 2350 2351 /* 2352 * secpolicy_contract_identity 2353 * 2354 * Determine if the subject may set the process contract FMRI value 2355 */ 2356 int 2357 secpolicy_contract_identity(const cred_t *cr) 2358 { 2359 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2360 } 2361 2362 /* 2363 * secpolicy_contract_observer 2364 * 2365 * Determine if the subject may observe a specific contract's events. 2366 */ 2367 int 2368 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2369 { 2370 if (contract_owned(ct, cr, B_FALSE)) 2371 return (0); 2372 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2373 } 2374 2375 /* 2376 * secpolicy_contract_observer_choice 2377 * 2378 * Determine if the subject may observe any contract's events. Just 2379 * tests privilege and audits on success. 2380 */ 2381 boolean_t 2382 secpolicy_contract_observer_choice(const cred_t *cr) 2383 { 2384 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2385 } 2386 2387 /* 2388 * secpolicy_contract_event 2389 * 2390 * Determine if the subject may request critical contract events or 2391 * reliable contract event delivery. 2392 */ 2393 int 2394 secpolicy_contract_event(const cred_t *cr) 2395 { 2396 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2397 } 2398 2399 /* 2400 * secpolicy_contract_event_choice 2401 * 2402 * Determine if the subject may retain contract events in its critical 2403 * set when a change in other terms would normally require a change in 2404 * the critical set. Just tests privilege and audits on success. 2405 */ 2406 boolean_t 2407 secpolicy_contract_event_choice(const cred_t *cr) 2408 { 2409 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2410 } 2411 2412 /* 2413 * secpolicy_gart_access 2414 * 2415 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2416 * device. 2417 */ 2418 int 2419 secpolicy_gart_access(const cred_t *cr) 2420 { 2421 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2422 } 2423 2424 /* 2425 * secpolicy_gart_map 2426 * 2427 * Determine if the subject has sufficient priveleges to map aperture range 2428 * through agpgart driver. 2429 */ 2430 int 2431 secpolicy_gart_map(const cred_t *cr) 2432 { 2433 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2434 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2435 NULL)); 2436 } else { 2437 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2438 NULL)); 2439 } 2440 } 2441 2442 /* 2443 * secpolicy_hwmanip 2444 * 2445 * Determine if the subject can observe and manipulate a hardware device with a 2446 * dangerous blunt hammer, often suggests they can do something destructive. 2447 * Requires all privileges. 2448 */ 2449 int 2450 secpolicy_hwmanip(const cred_t *cr) 2451 { 2452 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2453 } 2454 2455 /* 2456 * secpolicy_zinject 2457 * 2458 * Determine if the subject can inject faults in the ZFS fault injection 2459 * framework. Requires all privileges. 2460 */ 2461 int 2462 secpolicy_zinject(const cred_t *cr) 2463 { 2464 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2465 } 2466 2467 /* 2468 * secpolicy_zfs 2469 * 2470 * Determine if the subject has permission to manipulate ZFS datasets 2471 * (not pools). Equivalent to the SYS_MOUNT privilege. 2472 */ 2473 int 2474 secpolicy_zfs(const cred_t *cr) 2475 { 2476 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2477 } 2478 2479 /* 2480 * secpolicy_idmap 2481 * 2482 * Determine if the calling process has permissions to register an SID 2483 * mapping daemon and allocate ephemeral IDs. 2484 */ 2485 int 2486 secpolicy_idmap(const cred_t *cr) 2487 { 2488 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2489 } 2490 2491 /* 2492 * secpolicy_ucode_update 2493 * 2494 * Determine if the subject has sufficient privilege to update microcode. 2495 */ 2496 int 2497 secpolicy_ucode_update(const cred_t *scr) 2498 { 2499 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2500 } 2501 2502 /* 2503 * secpolicy_sadopen 2504 * 2505 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2506 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2507 * In global zone, sys_config is required. 2508 * In exclusive-IP zones, sys_ip_config is required. 2509 * Note that sys_config is prohibited in non-global zones. 2510 */ 2511 int 2512 secpolicy_sadopen(const cred_t *credp) 2513 { 2514 priv_set_t pset; 2515 2516 priv_emptyset(&pset); 2517 2518 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2519 priv_addset(&pset, PRIV_SYS_CONFIG); 2520 else 2521 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2522 2523 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE)); 2524 } 2525 2526 2527 /* 2528 * Add privileges to a particular privilege set; this is called when the 2529 * current sets of privileges are not sufficient. I.e., we should always 2530 * call the policy override functions from here. 2531 * What we are allowed to have is in the Observed Permitted set; so 2532 * we compute the difference between that and the newset. 2533 */ 2534 int 2535 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2536 { 2537 priv_set_t rqd; 2538 2539 rqd = CR_OPPRIV(cr); 2540 2541 priv_inverse(&rqd); 2542 priv_intersect(nset, &rqd); 2543 2544 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); 2545 } 2546 2547 /* 2548 * secpolicy_smb 2549 * 2550 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2551 * that it has permission to access the smbsrv kernel driver. 2552 * PRIV_POLICY checks the privilege and audits the check. 2553 * 2554 * Returns: 2555 * 0 Driver access is allowed. 2556 * EPERM Driver access is NOT permitted. 2557 */ 2558 int 2559 secpolicy_smb(const cred_t *cr) 2560 { 2561 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2562 } 2563 2564 /* 2565 * secpolicy_vscan 2566 * 2567 * Determine if cred_t has the necessary privileges to access a file 2568 * for virus scanning and update its extended system attributes. 2569 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2570 * PRIV_FILE_FLAG_SET - set extended system attributes 2571 * 2572 * PRIV_POLICY checks the privilege and audits the check. 2573 * 2574 * Returns: 2575 * 0 file access for virus scanning allowed. 2576 * EPERM file access for virus scanning is NOT permitted. 2577 */ 2578 int 2579 secpolicy_vscan(const cred_t *cr) 2580 { 2581 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2582 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2583 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2584 return (EPERM); 2585 } 2586 2587 return (0); 2588 } 2589 2590 /* 2591 * secpolicy_smbfs_login 2592 * 2593 * Determines if the caller can add and delete the smbfs login 2594 * password in the the nsmb kernel module for the CIFS client. 2595 * 2596 * Returns: 2597 * 0 access is allowed. 2598 * EPERM access is NOT allowed. 2599 */ 2600 int 2601 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2602 { 2603 uid_t cruid = crgetruid(cr); 2604 2605 if (cruid == uid) 2606 return (0); 2607 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2608 EPERM, NULL)); 2609 } 2610 2611 /* 2612 * secpolicy_xvm_control 2613 * 2614 * Determines if a caller can control the xVM hypervisor and/or running 2615 * domains (x86 specific). 2616 * 2617 * Returns: 2618 * 0 access is allowed. 2619 * EPERM access is NOT allowed. 2620 */ 2621 int 2622 secpolicy_xvm_control(const cred_t *cr) 2623 { 2624 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2625 return (EPERM); 2626 return (0); 2627 } 2628 2629 /* 2630 * secpolicy_ppp_config 2631 * 2632 * Determine if the subject has sufficient privileges to configure PPP and 2633 * PPP-related devices. 2634 */ 2635 int 2636 secpolicy_ppp_config(const cred_t *cr) 2637 { 2638 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2639 return (secpolicy_net_config(cr, B_FALSE)); 2640 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2641 } 2642