xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision c863ec5ced24601bff789e9045054a5b515268ac)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/cred_impl.h>
33 #include <sys/vnode.h>
34 #include <sys/vfs.h>
35 #include <sys/stat.h>
36 #include <sys/errno.h>
37 #include <sys/kmem.h>
38 #include <sys/user.h>
39 #include <sys/proc.h>
40 #include <sys/acct.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/syscall.h>
43 #include <sys/cmn_err.h>
44 #include <sys/debug.h>
45 #include <sys/policy.h>
46 #include <sys/kobj.h>
47 #include <sys/msg.h>
48 #include <sys/devpolicy.h>
49 #include <c2/audit.h>
50 #include <sys/varargs.h>
51 #include <sys/modctl.h>
52 #include <sys/disp.h>
53 #include <sys/zone.h>
54 #include <inet/common.h>
55 #include <inet/optcom.h>
56 #include <sys/sdt.h>
57 #include <sys/mount.h>
58 #include <sys/vfs.h>
59 #include <sys/mntent.h>
60 #include <sys/contract_impl.h>
61 
62 #include <sys/sunddi.h>
63 
64 /*
65  * There are two possible layers of privilege routines and two possible
66  * levels of secpolicy.  Plus one other we may not be interested in, so
67  * we may need as many as 6 but no more.
68  */
69 #define	MAXPRIVSTACK		6
70 
71 int priv_debug = 0;
72 
73 /*
74  * This file contains the majority of the policy routines.
75  * Since the policy routines are defined by function and not
76  * by privilege, there is quite a bit of duplication of
77  * functions.
78  *
79  * The secpolicy functions must not make asssumptions about
80  * locks held or not held as any lock can be held while they're
81  * being called.
82  *
83  * Credentials are read-only so no special precautions need to
84  * be taken while locking them.
85  *
86  * When a new policy check needs to be added to the system the
87  * following procedure should be followed:
88  *
89  *		Pick an appropriate secpolicy_*() function
90  *			-> done if one exists.
91  *		Create a new secpolicy function, preferably with
92  *		a descriptive name using the standard template.
93  *		Pick an appropriate privilege for the policy.
94  *		If no appropraite privilege exists, define new one
95  *		(this should be done with extreme care; in most cases
96  *		little is gained by adding another privilege)
97  *
98  * WHY ROOT IS STILL SPECIAL.
99  *
100  * In a number of the policy functions, there are still explicit
101  * checks for uid 0.  The rationale behind these is that many root
102  * owned files/objects hold configuration information which can give full
103  * privileges to the user once written to.  To prevent escalation
104  * of privilege by allowing just a single privilege to modify root owned
105  * objects, we've added these root specific checks where we considered
106  * them necessary: modifying root owned files, changing uids to 0, etc.
107  *
108  * PRIVILEGE ESCALATION AND ZONES.
109  *
110  * A number of operations potentially allow the caller to achieve
111  * privileges beyond the ones normally required to perform the operation.
112  * For example, if allowed to create a setuid 0 executable, a process can
113  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
114  * restrictions on the ability to gain privileges beyond those available
115  * within the zone through file and process manipulation.  Hence, such
116  * operations require that the caller have an effective set that includes
117  * all privileges available within the current zone, or all privileges
118  * if executing in the global zone.
119  *
120  * This is indicated in the priv_policy* policy checking functions
121  * through a combination of parameters.  The "priv" parameter indicates
122  * the privilege that is required, and the "allzone" parameter indicates
123  * whether or not all privileges in the zone are required.  In addition,
124  * priv can be set to PRIV_ALL to indicate that all privileges are
125  * required (regardless of zone).  There are three scenarios of interest:
126  * (1) operation requires a specific privilege
127  * (2) operation requires a specific privilege, and requires all
128  *     privileges available within the zone (or all privileges if in
129  *     the global zone)
130  * (3) operation requires all privileges, regardless of zone
131  *
132  * For (1), priv should be set to the specific privilege, and allzone
133  * should be set to B_FALSE.
134  * For (2), priv should be set to the specific privilege, and allzone
135  * should be set to B_TRUE.
136  * For (3), priv should be set to PRIV_ALL, and allzone should be set
137  * to B_FALSE.
138  *
139  */
140 
141 /*
142  * The privileges are checked against the Effective set for
143  * ordinary processes and checked against the Limit set
144  * for euid 0 processes that haven't manipulated their privilege
145  * sets.
146  */
147 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
148 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
149 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
150 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
151 					HAS_ALLPRIVS(cr) : \
152 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
153 
154 /*
155  * Policy checking functions
156  *
157  * In future, these will migrate to several files when policy
158  * becomes more or less pluggable.
159  *
160  * For now, there's only one policy and this is it.
161  */
162 
163 /*
164  * Generic policy calls
165  *
166  * The "bottom" functions of policy control
167  */
168 
169 static char *
170 mprintf(const char *fmt, ...)
171 {
172 	va_list args;
173 	char *buf;
174 	size_t len;
175 
176 	va_start(args, fmt);
177 	len = vsnprintf(NULL, 0, fmt, args) + 1;
178 	va_end(args);
179 
180 	buf = kmem_alloc(len, KM_NOSLEEP);
181 
182 	if (buf == NULL)
183 		return (NULL);
184 
185 	va_start(args, fmt);
186 	(void) vsnprintf(buf, len, fmt, args);
187 	va_end(args);
188 
189 	return (buf);
190 }
191 
192 /*
193  * priv_policy_errmsg()
194  *
195  * Generate an error message if privilege debugging is enabled system wide
196  * or for this particular process.
197  */
198 
199 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
200 #define	FMTMSG	" for \"%s\""
201 #define	FMTFUN	" needed at %s+0x%lx"
202 
203 /* The maximum size privilege format: the concatenation of the above */
204 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
205 
206 static void
207 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
208 {
209 	struct proc *me;
210 	pc_t stack[MAXPRIVSTACK];
211 	int depth;
212 	int i;
213 	char *sym;
214 	ulong_t off;
215 	const char *pname;
216 
217 	char *cmd;
218 	char fmt[sizeof (FMTMAX)];
219 
220 	if ((me = curproc) == &p0)
221 		return;
222 
223 	/* Privileges must be defined  */
224 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
225 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
226 	    priv_getbynum(priv) != NULL);
227 
228 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
229 		priv = PRIV_ALL;
230 
231 	if (curthread->t_pre_sys)
232 		ttolwp(curthread)->lwp_badpriv = (short)priv;
233 
234 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
235 		return;
236 
237 	(void) strcpy(fmt, FMTHDR);
238 
239 	if (me->p_user.u_comm[0])
240 		cmd = &me->p_user.u_comm[0];
241 	else
242 		cmd = "priv_policy";
243 
244 	if (msg != NULL && *msg != '\0') {
245 		(void) strcat(fmt, FMTMSG);
246 	} else {
247 		(void) strcat(fmt, "%s");
248 		msg = "";
249 	}
250 
251 	sym = NULL;
252 
253 	depth = getpcstack(stack, MAXPRIVSTACK);
254 
255 	/*
256 	 * Try to find the first interesting function on the stack.
257 	 * priv_policy* that's us, so completely uninteresting.
258 	 * suser(), drv_priv(), secpolicy_* are also called from
259 	 * too many locations to convey useful information.
260 	 */
261 	for (i = 0; i < depth; i++) {
262 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
263 		if (sym != NULL &&
264 		    strstr(sym, "hasprocperm") == 0 &&
265 		    strcmp("suser", sym) != 0 &&
266 		    strcmp("ipcaccess", sym) != 0 &&
267 		    strcmp("drv_priv", sym) != 0 &&
268 		    strncmp("secpolicy_", sym, 10) != 0 &&
269 		    strncmp("priv_policy", sym, 11) != 0)
270 			break;
271 	}
272 
273 	if (sym != NULL)
274 		(void) strcat(fmt, FMTFUN);
275 
276 	(void) strcat(fmt, "\n");
277 
278 	switch (priv) {
279 	case PRIV_ALL:
280 		pname = "ALL";
281 		break;
282 	case PRIV_MULTIPLE:
283 		pname = "MULTIPLE";
284 		break;
285 	case PRIV_ALLZONE:
286 		pname = "ZONE";
287 		break;
288 	case PRIV_GLOBAL:
289 		pname = "GLOBAL";
290 		break;
291 	default:
292 		pname = priv_getbynum(priv);
293 		break;
294 	}
295 
296 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
297 		/* Remember last message, just like lwp_badpriv. */
298 		if (curthread->t_pdmsg != NULL) {
299 			kmem_free(curthread->t_pdmsg,
300 			    strlen(curthread->t_pdmsg) + 1);
301 		}
302 
303 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
304 			    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
305 
306 		curthread->t_post_sys = 1;
307 	} else {
308 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
309 		    curthread->t_sysnum, msg, sym, off);
310 	}
311 }
312 
313 /*
314  * Audit failure, log error message.
315  */
316 static void
317 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
318 {
319 
320 #ifdef C2_AUDIT
321 	if (audit_active)
322 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
323 #endif
324 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
325 
326 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
327 	    curthread->t_pre_sys) {
328 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
329 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
330 		} else {
331 			ASSERT(!HAS_PRIVILEGE(cr, priv));
332 			priv_policy_errmsg(cr, priv, msg);
333 		}
334 	}
335 }
336 
337 /*
338  * priv_policy()
339  * return 0 or error.
340  * See block comment above for a description of "priv" and "allzone" usage.
341  */
342 int
343 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
344     const char *msg)
345 {
346 	if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) {
347 		if ((allzone || priv == PRIV_ALL ||
348 		    !PRIV_ISASSERT(priv_basic, priv)) &&
349 		    !servicing_interrupt()) {
350 			u.u_acflag |= ASU;		/* Needed for SVVS */
351 #ifdef C2_AUDIT
352 			if (audit_active)
353 				audit_priv(priv,
354 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
355 #endif
356 		}
357 		err = 0;
358 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
359 	} else if (!servicing_interrupt()) {
360 		/* Failure audited in this procedure */
361 		priv_policy_err(cr, priv, allzone, msg);
362 	}
363 
364 	return (err);
365 }
366 
367 /*
368  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
369  */
370 boolean_t
371 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
372 {
373 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
374 	    (!allzone || HAS_ALLZONEPRIVS(cr));
375 
376 #ifdef C2_AUDIT
377 	/* Audit success only */
378 	if (res && audit_active &&
379 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
380 	    !servicing_interrupt()) {
381 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
382 	}
383 #endif
384 	if (res) {
385 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
386 	} else {
387 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
388 	}
389 	return (res);
390 }
391 
392 /*
393  * Non-auditing variant of priv_policy_choice().
394  */
395 boolean_t
396 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
397 {
398 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
399 	    (!allzone || HAS_ALLZONEPRIVS(cr));
400 
401 	if (res) {
402 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
403 	} else {
404 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
405 	}
406 	return (res);
407 }
408 
409 /*
410  * Check whether all privileges in the required set are present.
411  */
412 static int
413 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
414 {
415 	int priv;
416 	int pfound = -1;
417 	priv_set_t pset;
418 
419 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
420 							    &CR_OEPRIV(cr))) {
421 		return (0);
422 	}
423 
424 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
425 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
426 		return (EACCES);
427 	}
428 
429 	pset = CR_OEPRIV(cr);		/* present privileges */
430 	priv_inverse(&pset);		/* all non present privileges */
431 	priv_intersect(req, &pset);	/* the actual missing privs */
432 
433 #ifdef C2_AUDIT
434 	if (audit_active)
435 		audit_priv(PRIV_NONE, &pset, 0);
436 #endif
437 	/*
438 	 * Privilege debugging; special case "one privilege in set".
439 	 */
440 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
441 		for (priv = 0; priv < nprivs; priv++) {
442 			if (priv_ismember(&pset, priv)) {
443 				if (pfound != -1) {
444 					/* Multiple missing privs */
445 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
446 								    msg);
447 					return (EACCES);
448 				}
449 				pfound = priv;
450 			}
451 		}
452 		ASSERT(pfound != -1);
453 		/* Just the one missing privilege */
454 		priv_policy_errmsg(cr, pfound, msg);
455 	}
456 
457 	return (EACCES);
458 }
459 
460 /*
461  * Called when an operation requires that the caller be in the
462  * global zone, regardless of privilege.
463  */
464 static int
465 priv_policy_global(const cred_t *cr)
466 {
467 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
468 		return (0);	/* success */
469 
470 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
471 	    curthread->t_pre_sys) {
472 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
473 	}
474 	return (EPERM);
475 }
476 
477 /*
478  * Changing process priority
479  */
480 int
481 secpolicy_setpriority(const cred_t *cr)
482 {
483 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
484 }
485 
486 /*
487  * Binding to a privileged port, port must be specified in host byte
488  * order.
489  */
490 int
491 secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
492 {
493 	/*
494 	 * NFS ports, these are extra privileged ports, allow bind
495 	 * only if the SYS_NFS privilege is present.
496 	 */
497 	if (port == 2049 || port == 4045)
498 		return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES,
499 		    "NFS port"));
500 	else
501 		return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES,
502 		    NULL));
503 }
504 
505 /*
506  * Common routine which determines whether a given credential can
507  * act on a given mount.
508  * When called through mount, the parameter needoptcheck is a pointer
509  * to a boolean variable which will be set to either true or false,
510  * depending on whether the mount policy should change the mount options.
511  * In all other cases, needoptcheck should be a NULL pointer.
512  */
513 static int
514 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
515     boolean_t *needoptcheck)
516 {
517 	boolean_t allzone = B_FALSE;
518 	boolean_t mounting = needoptcheck != NULL;
519 
520 	/*
521 	 * Short circuit the following cases:
522 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
523 	 *	have all privileges - no further checks required
524 	 *	and no mount options need to be set.
525 	 */
526 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
527 		if (mounting)
528 			*needoptcheck = B_FALSE;
529 
530 		return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
531 	}
532 
533 	/*
534 	 * When operating on an existing mount (either we're not mounting
535 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
536 	 * can operate only on mounts established by the zone itself.
537 	 */
538 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
539 		zoneid_t zoneid = crgetzoneid(cr);
540 
541 		if (zoneid != GLOBAL_ZONEID &&
542 		    vfsp->vfs_zone->zone_id != zoneid) {
543 			return (EPERM);
544 		}
545 	}
546 
547 	if (mounting)
548 		*needoptcheck = B_TRUE;
549 
550 	/*
551 	 * Overlay mounts may hide important stuff; if you can't write to a
552 	 * mount point but would be able to mount on top of it, you can
553 	 * escalate your privileges.
554 	 * So we go about asking the same questions namefs does when it
555 	 * decides whether you can mount over a file or not but with the
556 	 * added restriction that you can only mount on top of a regular
557 	 * file or directory.
558 	 * If we have all the zone's privileges, we skip all other checks,
559 	 * or else we may actually get in trouble inside the automounter.
560 	 */
561 	if ((mvp->v_flag & VROOT) != 0 ||
562 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
563 	    HAS_ALLZONEPRIVS(cr)) {
564 		allzone = B_TRUE;
565 	} else {
566 		vattr_t va;
567 		int err;
568 
569 		va.va_mask = AT_UID|AT_MODE;
570 		err = VOP_GETATTR(mvp, &va, 0, cr);
571 		if (err != 0)
572 			return (err);
573 
574 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
575 			return (err);
576 
577 		if ((va.va_mode & VWRITE) == 0 &&
578 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
579 			return (EACCES);
580 		}
581 	}
582 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
583 }
584 
585 extern vnode_t *rootvp;
586 extern vfs_t *rootvfs;
587 
588 int
589 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
590 {
591 	boolean_t needoptchk;
592 	int error;
593 
594 	/*
595 	 * If it's a remount, get the underlying mount point,
596 	 * except for the root where we use the rootvp.
597 	 */
598 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
599 		if (vfsp == rootvfs)
600 			mvp = rootvp;
601 		else
602 			mvp = vfsp->vfs_vnodecovered;
603 	}
604 
605 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
606 
607 	if (error == 0 && needoptchk) {
608 		boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
609 
610 		/*
611 		 * Third check; if we don't have either "nosuid" or
612 		 * both "nosetuid" and "nodevices", then we add
613 		 * "nosuid"; this depends on how the current
614 		 * implementation works (it first checks nosuid).  In a
615 		 * zone, a user with all zone privileges can mount with
616 		 * "setuid" but never with "devices".
617 		 */
618 		if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
619 		    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
620 		    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
621 			if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
622 				vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
623 			else
624 				vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
625 		}
626 		/*
627 		 * If we're not the local super user, we set the "restrict"
628 		 * option to indicate to automountd that this mount should
629 		 * be handled with care.
630 		 */
631 		if (!amsuper)
632 			vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
633 
634 	}
635 	return (error);
636 }
637 
638 /*
639  * Does the policy computations for "ownership" of a mount;
640  * here ownership is defined as the ability to "mount"
641  * the filesystem originally.  The rootvfs doesn't cover any
642  * vnodes; we attribute its ownership to the rootvp.
643  */
644 static int
645 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
646 {
647 	vnode_t *mvp;
648 
649 	if (vfsp == NULL)
650 		mvp = NULL;
651 	else if (vfsp == rootvfs)
652 		mvp = rootvp;
653 	else
654 		mvp = vfsp->vfs_vnodecovered;
655 
656 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
657 }
658 
659 int
660 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
661 {
662 	return (secpolicy_fs_owner(cr, vfsp));
663 }
664 
665 /*
666  * Quotas are a resource, but if one has the ability to mount a filesystem, he
667  * should be able to modify quotas on it.
668  */
669 int
670 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
671 {
672 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
673 }
674 
675 /*
676  * Exceeding minfree: also a per-mount resource constraint.
677  */
678 int
679 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
680 {
681 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
682 }
683 
684 int
685 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
686 {
687 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
688 }
689 
690 /* ARGSUSED */
691 int
692 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
693 {
694 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
695 }
696 
697 /*
698  * Name:        secpolicy_vnode_access()
699  *
700  * Parameters:  Process credential
701  *		vnode
702  *		uid of owner of vnode
703  *		permission bits not granted to the caller when examining
704  *		file mode bits (i.e., when a process wants to open a
705  *		mode 444 file for VREAD|VWRITE, this function should be
706  *		called only with a VWRITE argument).
707  *
708  * Normal:      Verifies that cred has the appropriate privileges to
709  *              override the mode bits that were denied.
710  *
711  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
712  *                      not a directory.
713  *              file_dac_read - if VREAD bit was denied.
714  *              file_dac_search - if VEXEC bit was denied and vnode is
715  *                      a directory.
716  *              file_dac_write - if VWRITE bit was denied.
717  *
718  *		Root owned files are special cased to protect system
719  *		configuration files and such.
720  *
721  * Output:      EACCES - if privilege check fails.
722  */
723 
724 /* ARGSUSED */
725 int
726 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
727 {
728 	if ((mode & VREAD) &&
729 	    PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0)
730 		return (EACCES);
731 
732 	if (mode & VWRITE) {
733 		boolean_t allzone;
734 
735 		if (owner == 0 && cr->cr_uid != 0)
736 			allzone = B_TRUE;
737 		else
738 			allzone = B_FALSE;
739 		if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL)
740 		    != 0)
741 			return (EACCES);
742 	}
743 
744 	if (mode & VEXEC) {
745 		/*
746 		 * Directories use file_dac_search to override the execute bit.
747 		 */
748 		vtype_t vtype = vp->v_type;
749 
750 		if (vtype == VDIR)
751 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE,
752 			    EACCES, NULL));
753 		else
754 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE,
755 			    EACCES, NULL));
756 	}
757 	return (0);
758 }
759 
760 /*
761  * Name:	secpolicy_vnode_setid_modify()
762  *
763  * Normal:	verify that subject can set the file setid flags.
764  *
765  * Output:	EPERM - if not privileged.
766  */
767 
768 static int
769 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
770 {
771 	/* If changing to suid root, must have all zone privs */
772 	boolean_t allzone = B_TRUE;
773 
774 	if (owner != 0) {
775 		if (owner == cr->cr_uid)
776 			return (0);
777 		allzone = B_FALSE;
778 	}
779 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
780 }
781 
782 /*
783  * Are we allowed to retain the set-uid/set-gid bits when
784  * changing ownership or when writing to a file?
785  * "issuid" should be true when set-uid; only in that case
786  * root ownership is checked (setgid is assumed).
787  */
788 int
789 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
790 {
791 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
792 		return (EPERM);
793 
794 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
795 }
796 
797 /*
798  * Name:	secpolicy_vnode_setids_setgids()
799  *
800  * Normal:	verify that subject can set the file setgid flag.
801  *
802  * Output:	EPERM - if not privileged
803  */
804 
805 int
806 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
807 {
808 	if (!groupmember(gid, cred))
809 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
810 		    NULL));
811 	return (0);
812 }
813 
814 /*
815  * Create a file with a group different than any of the groups allowed:
816  * the group of the directory the file is created in, the effective
817  * group or any of the supplementary groups.
818  */
819 int
820 secpolicy_vnode_create_gid(const cred_t *cred)
821 {
822 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
823 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
824 		    NULL));
825 	else
826 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
827 		    NULL));
828 }
829 
830 /*
831  * Name:	secpolicy_vnode_utime_modify()
832  *
833  * Normal:	verify that subject can modify the utime on a file.
834  *
835  * Output:	EPERM - if access denied.
836  */
837 
838 static int
839 secpolicy_vnode_utime_modify(const cred_t *cred)
840 {
841 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
842 	    "modify file times"));
843 }
844 
845 
846 /*
847  * Name:	secpolicy_vnode_setdac()
848  *
849  * Normal:	verify that subject can modify the mode of a file.
850  *		allzone privilege needed when modifying root owned object.
851  *
852  * Output:	EPERM - if access denied.
853  */
854 
855 int
856 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
857 {
858 	if (owner == cred->cr_uid)
859 		return (0);
860 
861 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
862 }
863 /*
864  * Name:	secpolicy_vnode_stky_modify()
865  *
866  * Normal:	verify that subject can make a file a "sticky".
867  *
868  * Output:	EPERM - if access denied.
869  */
870 
871 int
872 secpolicy_vnode_stky_modify(const cred_t *cred)
873 {
874 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
875 	    "set file sticky"));
876 }
877 
878 /*
879  * Policy determines whether we can remove an entry from a directory,
880  * regardless of permission bits.
881  */
882 int
883 secpolicy_vnode_remove(const cred_t *cr)
884 {
885 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
886 	    "sticky directory"));
887 }
888 
889 int
890 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
891 {
892 	boolean_t allzone = (owner == 0);
893 
894 	if (owner == cr->cr_uid)
895 		return (0);
896 
897 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
898 }
899 
900 void
901 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
902 {
903 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
904 	    secpolicy_vnode_setid_retain(cr,
905 	    (vap->va_mode & S_ISUID) != 0 &&
906 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
907 		vap->va_mask |= AT_MODE;
908 		vap->va_mode &= ~(S_ISUID|S_ISGID);
909 	}
910 }
911 
912 /*
913  * This function checks the policy decisions surrounding the
914  * vop setattr call.
915  *
916  * It should be called after sufficient locks have been established
917  * on the underlying data structures.  No concurrent modifications
918  * should be allowed.
919  *
920  * The caller must pass in unlocked version of its vaccess function
921  * this is required because vop_access function should lock the
922  * node for reading.  A three argument function should be defined
923  * which accepts the following argument:
924  * 	A pointer to the internal "node" type (inode *)
925  *	vnode access bits (VREAD|VWRITE|VEXEC)
926  *	a pointer to the credential
927  *
928  * This function makes the following policy decisions:
929  *
930  *		- change permissions
931  *			- permission to change file mode if not owner
932  *			- permission to add sticky bit to non-directory
933  *			- permission to add set-gid bit
934  *
935  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
936  *
937  * If the vap argument does not include AT_MODE, the mode will be copied from
938  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
939  * this is done by marking vap->va_mask to include AT_MODE and va_mode
940  * is updated to the newly computed mode.
941  */
942 
943 int
944 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
945 	const struct vattr *ovap, int flags,
946 	int unlocked_access(void *, int, cred_t *),
947 	void *node)
948 {
949 	int mask = vap->va_mask;
950 	int error = 0;
951 
952 	if (mask & AT_SIZE) {
953 		if (vp->v_type == VDIR) {
954 			error = EISDIR;
955 			goto out;
956 		}
957 		error = unlocked_access(node, VWRITE, cr);
958 		if (error)
959 			goto out;
960 	}
961 	if (mask & AT_MODE) {
962 		/*
963 		 * If not the owner of the file then check privilege
964 		 * for two things: the privilege to set the mode at all
965 		 * and, if we're setting setuid, we also need permissions
966 		 * to add the set-uid bit, if we're not the owner.
967 		 * In the specific case of creating a set-uid root
968 		 * file, we need even more permissions.
969 		 */
970 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
971 			goto out;
972 
973 		if ((vap->va_mode & S_ISUID) != 0 &&
974 		    (error = secpolicy_vnode_setid_modify(cr,
975 							ovap->va_uid)) != 0) {
976 			goto out;
977 		}
978 
979 		/*
980 		 * Check privilege if attempting to set the
981 		 * sticky bit on a non-directory.
982 		 */
983 		if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
984 		    secpolicy_vnode_stky_modify(cr) != 0) {
985 			vap->va_mode &= ~S_ISVTX;
986 		}
987 
988 		/*
989 		 * Check for privilege if attempting to set the
990 		 * group-id bit.
991 		 */
992 		if ((vap->va_mode & S_ISGID) != 0 &&
993 		    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
994 			vap->va_mode &= ~S_ISGID;
995 		}
996 
997 	} else
998 		vap->va_mode = ovap->va_mode;
999 
1000 	if (mask & (AT_UID|AT_GID)) {
1001 		boolean_t checkpriv = B_FALSE;
1002 		int priv;
1003 		boolean_t allzone = B_FALSE;
1004 
1005 		/*
1006 		 * Chowning files.
1007 		 *
1008 		 * If you are the file owner:
1009 		 *	chown to other uid		FILE_CHOWN_SELF
1010 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1011 		 *	chown to gid (member) 		<none>
1012 		 *
1013 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1014 		 * acceptable but the first one is reported when debugging.
1015 		 *
1016 		 * If you are not the file owner:
1017 		 *	chown from root			PRIV_FILE_CHOWN + zone
1018 		 *	chown from other to any		PRIV_FILE_CHOWN
1019 		 *
1020 		 */
1021 		if (cr->cr_uid != ovap->va_uid) {
1022 			checkpriv = B_TRUE;
1023 			allzone = (ovap->va_uid == 0);
1024 			priv = PRIV_FILE_CHOWN;
1025 		} else {
1026 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1027 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1028 			    !groupmember(vap->va_gid, cr))) {
1029 				checkpriv = B_TRUE;
1030 				priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ?
1031 				    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1032 			}
1033 		}
1034 		/*
1035 		 * If necessary, check privilege to see if update can be done.
1036 		 */
1037 		if (checkpriv &&
1038 		    (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL))
1039 		    != 0) {
1040 			goto out;
1041 		}
1042 
1043 		/*
1044 		 * If the file has either the set UID or set GID bits
1045 		 * set and the caller can set the bits, then leave them.
1046 		 */
1047 		secpolicy_setid_clear(vap, cr);
1048 	}
1049 	if (mask & (AT_ATIME|AT_MTIME)) {
1050 		/*
1051 		 * If not the file owner and not otherwise privileged,
1052 		 * always return an error when setting the
1053 		 * time other than the current (ATTR_UTIME flag set).
1054 		 * If setting the current time (ATTR_UTIME not set) then
1055 		 * unlocked_access will check permissions according to policy.
1056 		 */
1057 		if (cr->cr_uid != ovap->va_uid) {
1058 			if (flags & ATTR_UTIME)
1059 				error = secpolicy_vnode_utime_modify(cr);
1060 			else {
1061 				error = unlocked_access(node, VWRITE, cr);
1062 				if (error == EACCES &&
1063 				    secpolicy_vnode_utime_modify(cr) == 0)
1064 					error = 0;
1065 			}
1066 			if (error)
1067 				goto out;
1068 		}
1069 	}
1070 out:
1071 	return (error);
1072 }
1073 
1074 /*
1075  * Name:	secpolicy_pcfs_modify_bootpartition()
1076  *
1077  * Normal:	verify that subject can modify a pcfs boot partition.
1078  *
1079  * Output:	EACCES - if privilege check failed.
1080  */
1081 /*ARGSUSED*/
1082 int
1083 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1084 {
1085 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1086 	    "modify pcfs boot partition"));
1087 }
1088 
1089 /*
1090  * System V IPC routines
1091  */
1092 int
1093 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1094 {
1095 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1096 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1097 		boolean_t allzone = B_FALSE;
1098 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1099 			allzone = B_TRUE;
1100 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1101 	}
1102 	return (0);
1103 }
1104 
1105 int
1106 secpolicy_ipc_config(const cred_t *cr)
1107 {
1108 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1109 }
1110 
1111 int
1112 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1113 {
1114 
1115 	boolean_t allzone = B_FALSE;
1116 
1117 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1118 
1119 	if ((mode & MSG_R) &&
1120 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1121 		return (EACCES);
1122 
1123 	if (mode & MSG_W) {
1124 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1125 			allzone = B_TRUE;
1126 
1127 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1128 		    NULL));
1129 	}
1130 	return (0);
1131 }
1132 
1133 int
1134 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1135 {
1136 	boolean_t allzone = B_FALSE;
1137 
1138 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1139 
1140 	if ((mode & MSG_R) &&
1141 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1142 		return (EACCES);
1143 
1144 	if (mode & MSG_W) {
1145 		if (cr->cr_uid != 0 && owner == 0)
1146 			allzone = B_TRUE;
1147 
1148 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1149 		    NULL));
1150 	}
1151 	return (0);
1152 }
1153 
1154 /*
1155  * Audit configuration.
1156  */
1157 int
1158 secpolicy_audit_config(const cred_t *cr)
1159 {
1160 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1161 }
1162 
1163 /*
1164  * Audit record generation.
1165  */
1166 int
1167 secpolicy_audit_modify(const cred_t *cr)
1168 {
1169 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1170 }
1171 
1172 /*
1173  * Get audit attributes.
1174  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1175  * "Least" of the two privileges on error.
1176  */
1177 int
1178 secpolicy_audit_getattr(const cred_t *cr)
1179 {
1180 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1181 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1182 		    NULL));
1183 	} else {
1184 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1185 	}
1186 }
1187 
1188 
1189 /*
1190  * Locking physical memory
1191  */
1192 int
1193 secpolicy_lock_memory(const cred_t *cr)
1194 {
1195 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1196 }
1197 
1198 /*
1199  * Accounting (both acct(2) and exacct).
1200  */
1201 int
1202 secpolicy_acct(const cred_t *cr)
1203 {
1204 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1205 }
1206 
1207 /*
1208  * Is this process privileged to change its uids at will?
1209  * Uid 0 is still considered "special" and having the SETID
1210  * privilege is not sufficient to get uid 0.
1211  * Files are owned by root, so the privilege would give
1212  * full access and euid 0 is still effective.
1213  *
1214  * If you have the privilege and euid 0 only then do you
1215  * get the powers of root wrt uid 0.
1216  *
1217  * For gid manipulations, this is should be called with an
1218  * uid of -1.
1219  *
1220  */
1221 int
1222 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1223 {
1224 	boolean_t allzone = B_FALSE;
1225 
1226 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1227 	    cr->cr_ruid != 0) {
1228 		allzone = B_TRUE;
1229 	}
1230 
1231 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1232 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1233 }
1234 
1235 
1236 /*
1237  * Acting on a different process: if the mode is for writing,
1238  * the restrictions are more severe.  This is called after
1239  * we've verified that the uids do not match.
1240  */
1241 int
1242 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1243 {
1244 	boolean_t allzone = B_FALSE;
1245 
1246 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1247 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1248 		allzone = B_TRUE;
1249 
1250 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1251 }
1252 
1253 int
1254 secpolicy_proc_access(const cred_t *scr)
1255 {
1256 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1257 }
1258 
1259 int
1260 secpolicy_proc_excl_open(const cred_t *scr)
1261 {
1262 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1263 }
1264 
1265 int
1266 secpolicy_proc_zone(const cred_t *scr)
1267 {
1268 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1269 }
1270 
1271 /*
1272  * Destroying the system
1273  */
1274 
1275 int
1276 secpolicy_kmdb(const cred_t *scr)
1277 {
1278 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1279 }
1280 
1281 int
1282 secpolicy_error_inject(const cred_t *scr)
1283 {
1284 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1285 }
1286 
1287 /*
1288  * Processor sets, cpu configuration, resource pools.
1289  */
1290 int
1291 secpolicy_pset(const cred_t *cr)
1292 {
1293 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1294 }
1295 
1296 int
1297 secpolicy_ponline(const cred_t *cr)
1298 {
1299 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1300 }
1301 
1302 int
1303 secpolicy_pool(const cred_t *cr)
1304 {
1305 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1306 }
1307 
1308 int
1309 secpolicy_blacklist(const cred_t *cr)
1310 {
1311 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1312 }
1313 
1314 /*
1315  * Catch all system configuration.
1316  */
1317 int
1318 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1319 {
1320 	if (checkonly) {
1321 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1322 		    EPERM);
1323 	} else {
1324 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1325 	}
1326 }
1327 
1328 /*
1329  * Zone administration (halt, reboot, etc.) from within zone.
1330  */
1331 int
1332 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1333 {
1334 	if (checkonly) {
1335 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1336 		    EPERM);
1337 	} else {
1338 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1339 		    NULL));
1340 	}
1341 }
1342 
1343 /*
1344  * Zone configuration (create, halt, enter).
1345  */
1346 int
1347 secpolicy_zone_config(const cred_t *cr)
1348 {
1349 	/*
1350 	 * Require all privileges to avoid possibility of privilege
1351 	 * escalation.
1352 	 */
1353 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1354 }
1355 
1356 /*
1357  * Various other system configuration calls
1358  */
1359 int
1360 secpolicy_coreadm(const cred_t *cr)
1361 {
1362 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1363 }
1364 
1365 int
1366 secpolicy_systeminfo(const cred_t *cr)
1367 {
1368 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1369 }
1370 
1371 int
1372 secpolicy_dispadm(const cred_t *cr)
1373 {
1374 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1375 }
1376 
1377 int
1378 secpolicy_settime(const cred_t *cr)
1379 {
1380 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1381 }
1382 
1383 /*
1384  * For realtime users: high resolution clock.
1385  */
1386 int
1387 secpolicy_clock_highres(const cred_t *cr)
1388 {
1389 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1390 	    NULL));
1391 }
1392 
1393 /*
1394  * drv_priv() is documented as callable from interrupt context, not that
1395  * anyone ever does, but still.  No debugging or auditing can be done when
1396  * it is called from interrupt context.
1397  * returns 0 on succes, EPERM on failure.
1398  */
1399 int
1400 drv_priv(cred_t *cr)
1401 {
1402 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1403 }
1404 
1405 int
1406 secpolicy_sys_devices(const cred_t *cr)
1407 {
1408 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1409 }
1410 
1411 int
1412 secpolicy_excl_open(const cred_t *cr)
1413 {
1414 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1415 }
1416 
1417 int
1418 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1419 {
1420 	/* zone.* rctls can only be set from the global zone */
1421 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1422 		return (EPERM);
1423 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1424 }
1425 
1426 int
1427 secpolicy_resource(const cred_t *cr)
1428 {
1429 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1430 }
1431 
1432 /*
1433  * Processes with a real uid of 0 escape any form of accounting, much
1434  * like before.
1435  */
1436 int
1437 secpolicy_newproc(const cred_t *cr)
1438 {
1439 	if (cr->cr_ruid == 0)
1440 		return (0);
1441 
1442 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1443 }
1444 
1445 /*
1446  * Networking
1447  */
1448 int
1449 secpolicy_net_rawaccess(const cred_t *cr)
1450 {
1451 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1452 }
1453 
1454 /*
1455  * Need this privilege for accessing the ICMP device
1456  */
1457 int
1458 secpolicy_net_icmpaccess(const cred_t *cr)
1459 {
1460 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1461 }
1462 
1463 /*
1464  * There are a few rare cases where the kernel generates ioctls() from
1465  * interrupt context with a credential of kcred rather than NULL.
1466  * In those cases, we take the safe and cheap test.
1467  */
1468 int
1469 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1470 {
1471 	if (checkonly) {
1472 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1473 		    0 : EPERM);
1474 	} else {
1475 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1476 		    NULL));
1477 	}
1478 }
1479 
1480 
1481 /*
1482  * Map network pseudo privileges to actual privileges.
1483  * So we don't need to recompile IP when we change the privileges.
1484  */
1485 int
1486 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1487 {
1488 	int priv = PRIV_ALL;
1489 
1490 	switch (netpriv) {
1491 	case OP_CONFIG:
1492 		priv = PRIV_SYS_NET_CONFIG;
1493 		break;
1494 	case OP_RAW:
1495 		priv = PRIV_NET_RAWACCESS;
1496 		break;
1497 	case OP_PRIVPORT:
1498 		priv = PRIV_NET_PRIVADDR;
1499 		break;
1500 	}
1501 	ASSERT(priv != PRIV_ALL);
1502 	if (checkonly)
1503 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1504 	else
1505 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1506 }
1507 
1508 /*
1509  * Checks for operations that are either client-only or are used by
1510  * both clients and servers.
1511  */
1512 int
1513 secpolicy_nfs(const cred_t *cr)
1514 {
1515 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1516 }
1517 
1518 /*
1519  * Special case for opening rpcmod: have NFS privileges or network
1520  * config privileges.
1521  */
1522 int
1523 secpolicy_rpcmod_open(const cred_t *cr)
1524 {
1525 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1526 		return (secpolicy_nfs(cr));
1527 	else
1528 		return (secpolicy_net_config(cr, NULL));
1529 }
1530 
1531 int
1532 secpolicy_chroot(const cred_t *cr)
1533 {
1534 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1535 }
1536 
1537 int
1538 secpolicy_tasksys(const cred_t *cr)
1539 {
1540 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1541 }
1542 
1543 /*
1544  * Basic privilege checks.
1545  */
1546 int
1547 secpolicy_basic_exec(const cred_t *cr)
1548 {
1549 	return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL));
1550 }
1551 
1552 int
1553 secpolicy_basic_fork(const cred_t *cr)
1554 {
1555 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1556 }
1557 
1558 int
1559 secpolicy_basic_proc(const cred_t *cr)
1560 {
1561 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1562 }
1563 
1564 /*
1565  * Slightly complicated because we don't want to trigger the policy too
1566  * often.  First we shortcircuit access to "self" (tp == sp) or if
1567  * we don't have the privilege but if we have permission
1568  * just return (0) and we don't flag the privilege as needed.
1569  * Else, we test for the privilege because we either have it or need it.
1570  */
1571 int
1572 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1573 {
1574 	if (tp == sp ||
1575 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1576 		return (0);
1577 	} else {
1578 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1579 	}
1580 }
1581 
1582 int
1583 secpolicy_basic_link(const cred_t *cr)
1584 {
1585 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1586 }
1587 
1588 /*
1589  * Additional device protection.
1590  *
1591  * Traditionally, a device has specific permissions on the node in
1592  * the filesystem which govern which devices can be opened by what
1593  * processes.  In certain cases, it is desirable to add extra
1594  * restrictions, as writing to certain devices is identical to
1595  * having a complete run of the system.
1596  *
1597  * This mechanism is called the device policy.
1598  *
1599  * When a device is opened, its policy entry is looked up in the
1600  * policy cache and checked.
1601  */
1602 int
1603 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1604 {
1605 	devplcy_t *plcy;
1606 	int err;
1607 	struct snode *csp = VTOS(common_specvp(vp));
1608 
1609 	mutex_enter(&csp->s_lock);
1610 
1611 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1612 		plcy = devpolicy_find(vp);
1613 		if (csp->s_plcy)
1614 			dpfree(csp->s_plcy);
1615 		csp->s_plcy = plcy;
1616 		ASSERT(plcy != NULL);
1617 	} else
1618 		plcy = csp->s_plcy;
1619 
1620 	if (plcy == nullpolicy) {
1621 		mutex_exit(&csp->s_lock);
1622 		return (0);
1623 	}
1624 
1625 	dphold(plcy);
1626 
1627 	mutex_exit(&csp->s_lock);
1628 
1629 	err = secpolicy_require_set(cr,
1630 	    (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy");
1631 	dpfree(plcy);
1632 
1633 	return (err);
1634 }
1635 
1636 int
1637 secpolicy_modctl(const cred_t *cr, int cmd)
1638 {
1639 	switch (cmd) {
1640 	case MODINFO:
1641 	case MODGETPATH:
1642 	case MODGETPATHLEN:
1643 	case MODGETFBNAME:
1644 	case MODGETNAME:
1645 	case MODGETDEVPOLICY:
1646 	case MODGETDEVPOLICYBYNAME:
1647 	case MODGETMAJBIND:
1648 		/* Unprivileged */
1649 		return (0);
1650 	case MODLOAD:
1651 	case MODSETDEVPOLICY:
1652 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1653 	default:
1654 		return (secpolicy_sys_config(cr, B_FALSE));
1655 	}
1656 }
1657 
1658 int
1659 secpolicy_console(const cred_t *cr)
1660 {
1661 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1662 }
1663 
1664 int
1665 secpolicy_power_mgmt(const cred_t *cr)
1666 {
1667 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1668 }
1669 
1670 /*
1671  * Simulate terminal input; another escalation of privileges avenue.
1672  */
1673 
1674 int
1675 secpolicy_sti(const cred_t *cr)
1676 {
1677 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1678 }
1679 
1680 int
1681 secpolicy_swapctl(const cred_t *cr)
1682 {
1683 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1684 }
1685 
1686 int
1687 secpolicy_cpc_cpu(const cred_t *cr)
1688 {
1689 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
1690 }
1691 
1692 /*
1693  * secpolicy_contract_observer
1694  *
1695  * Determine if the subject may observe a specific contract's events.
1696  */
1697 int
1698 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
1699 {
1700 	if (contract_owned(ct, cr, B_FALSE))
1701 		return (0);
1702 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
1703 }
1704 
1705 /*
1706  * secpolicy_contract_observer_choice
1707  *
1708  * Determine if the subject may observe any contract's events.  Just
1709  * tests privilege and audits on success.
1710  */
1711 boolean_t
1712 secpolicy_contract_observer_choice(const cred_t *cr)
1713 {
1714 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
1715 }
1716 
1717 /*
1718  * secpolicy_contract_event
1719  *
1720  * Determine if the subject may request critical contract events or
1721  * reliable contract event delivery.
1722  */
1723 int
1724 secpolicy_contract_event(const cred_t *cr)
1725 {
1726 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
1727 }
1728 
1729 /*
1730  * secpolicy_contract_event_choice
1731  *
1732  * Determine if the subject may retain contract events in its critical
1733  * set when a change in other terms would normally require a change in
1734  * the critical set.  Just tests privilege and audits on success.
1735  */
1736 boolean_t
1737 secpolicy_contract_event_choice(const cred_t *cr)
1738 {
1739 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
1740 }
1741 
1742 /*
1743  * secpolicy_gart_access
1744  *
1745  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
1746  * device.
1747  */
1748 int
1749 secpolicy_gart_access(const cred_t *cr)
1750 {
1751 	return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL));
1752 }
1753 
1754 /*
1755  * secpolicy_gart_map
1756  *
1757  * Determine if the subject has sufficient priveleges to map aperture range
1758  * through agpgart driver.
1759  */
1760 int
1761 secpolicy_gart_map(const cred_t *cr)
1762 {
1763 	if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) {
1764 		return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL));
1765 	}
1766 	return (0);
1767 }
1768 
1769 /*
1770  * secpolicy_zinject
1771  *
1772  * Determine if the subject can inject faults in the ZFS fault injection
1773  * framework.  Requires all privileges.
1774  */
1775 int
1776 secpolicy_zinject(const cred_t *cr)
1777 {
1778 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1779 }
1780 
1781 /*
1782  * secpolicy_zfs
1783  *
1784  * Determine if the subject has permission to manipulate ZFS datasets
1785  * (not pools).  Equivalent to the SYS_MOUNT privilege.
1786  */
1787 int
1788 secpolicy_zfs(const cred_t *cr)
1789 {
1790 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
1791 }
1792