1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2016 Joyent, Inc. 24 * Copyright (c) 2016 by Delphix. All rights reserved. 25 * Copyright 2022 Oxide Computer Company 26 * Copyright 2023 RackTop Systems, Inc. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/cred_impl.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/stat.h> 37 #include <sys/errno.h> 38 #include <sys/kmem.h> 39 #include <sys/user.h> 40 #include <sys/proc.h> 41 #include <sys/acct.h> 42 #include <sys/ipc_impl.h> 43 #include <sys/cmn_err.h> 44 #include <sys/debug.h> 45 #include <sys/policy.h> 46 #include <sys/kobj.h> 47 #include <sys/msg.h> 48 #include <sys/devpolicy.h> 49 #include <c2/audit.h> 50 #include <sys/varargs.h> 51 #include <sys/klpd.h> 52 #include <sys/modctl.h> 53 #include <sys/disp.h> 54 #include <sys/zone.h> 55 #include <inet/optcom.h> 56 #include <sys/sdt.h> 57 #include <sys/vfs.h> 58 #include <sys/mntent.h> 59 #include <sys/contract_impl.h> 60 #include <sys/dld_ioc.h> 61 62 /* 63 * There are two possible layers of privilege routines and two possible 64 * levels of secpolicy. Plus one other we may not be interested in, so 65 * we may need as many as 6 but no more. 66 */ 67 #define MAXPRIVSTACK 6 68 69 int priv_debug = 0; 70 int priv_basic_test = -1; 71 72 /* 73 * Unlinking or creating new hard links to directories was historically allowed 74 * in some file systems; e.g., UFS allows root users to do it, at the cost of 75 * almost certain file system corruption that will require fsck to fix. 76 * 77 * Most modern operating systems and file systems (e.g., ZFS) do not allow this 78 * behaviour anymore, and we have elected to stamp it out entirely for 79 * compatibility and safety reasons. An attempt to unlink a directory will 80 * fail with EPERM, as described in the standard. During this transition, one 81 * can turn the behaviour back on, at their own risk, with this tuneable: 82 */ 83 int priv_allow_linkdir = 0; 84 85 /* 86 * This file contains the majority of the policy routines. 87 * Since the policy routines are defined by function and not 88 * by privilege, there is quite a bit of duplication of 89 * functions. 90 * 91 * The secpolicy functions must not make assumptions about 92 * locks held or not held as any lock can be held while they're 93 * being called. 94 * 95 * Credentials are read-only so no special precautions need to 96 * be taken while locking them. 97 * 98 * When a new policy check needs to be added to the system the 99 * following procedure should be followed: 100 * 101 * Pick an appropriate secpolicy_*() function 102 * -> done if one exists. 103 * Create a new secpolicy function, preferably with 104 * a descriptive name using the standard template. 105 * Pick an appropriate privilege for the policy. 106 * If no appropraite privilege exists, define new one 107 * (this should be done with extreme care; in most cases 108 * little is gained by adding another privilege) 109 * 110 * WHY ROOT IS STILL SPECIAL. 111 * 112 * In a number of the policy functions, there are still explicit 113 * checks for uid 0. The rationale behind these is that many root 114 * owned files/objects hold configuration information which can give full 115 * privileges to the user once written to. To prevent escalation 116 * of privilege by allowing just a single privilege to modify root owned 117 * objects, we've added these root specific checks where we considered 118 * them necessary: modifying root owned files, changing uids to 0, etc. 119 * 120 * PRIVILEGE ESCALATION AND ZONES. 121 * 122 * A number of operations potentially allow the caller to achieve 123 * privileges beyond the ones normally required to perform the operation. 124 * For example, if allowed to create a setuid 0 executable, a process can 125 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 126 * restrictions on the ability to gain privileges beyond those available 127 * within the zone through file and process manipulation. Hence, such 128 * operations require that the caller have an effective set that includes 129 * all privileges available within the current zone, or all privileges 130 * if executing in the global zone. 131 * 132 * This is indicated in the priv_policy* policy checking functions 133 * through a combination of parameters. The "priv" parameter indicates 134 * the privilege that is required, and the "allzone" parameter indicates 135 * whether or not all privileges in the zone are required. In addition, 136 * priv can be set to PRIV_ALL to indicate that all privileges are 137 * required (regardless of zone). There are three scenarios of interest: 138 * (1) operation requires a specific privilege 139 * (2) operation requires a specific privilege, and requires all 140 * privileges available within the zone (or all privileges if in 141 * the global zone) 142 * (3) operation requires all privileges, regardless of zone 143 * 144 * For (1), priv should be set to the specific privilege, and allzone 145 * should be set to B_FALSE. 146 * For (2), priv should be set to the specific privilege, and allzone 147 * should be set to B_TRUE. 148 * For (3), priv should be set to PRIV_ALL, and allzone should be set 149 * to B_FALSE. 150 * 151 */ 152 153 /* 154 * The privileges are checked against the Effective set for 155 * ordinary processes and checked against the Limit set 156 * for euid 0 processes that haven't manipulated their privilege 157 * sets. 158 */ 159 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 160 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 161 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 162 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 163 HAS_ALLPRIVS(cr) : \ 164 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 165 166 #define FAST_BASIC_CHECK(cr, priv) \ 167 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \ 168 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \ 169 return (0); \ 170 } 171 172 /* 173 * Policy checking functions. 174 * 175 * All of the system's policy should be implemented here. 176 */ 177 178 /* 179 * Private functions which take an additional va_list argument to 180 * implement an object specific policy override. 181 */ 182 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 183 const char *, va_list); 184 static int priv_policy_va(const cred_t *, int, boolean_t, int, 185 const char *, ...); 186 187 /* 188 * Generic policy calls 189 * 190 * The "bottom" functions of policy control 191 */ 192 static char * 193 mprintf(const char *fmt, ...) 194 { 195 va_list args; 196 char *buf; 197 size_t len; 198 199 va_start(args, fmt); 200 len = vsnprintf(NULL, 0, fmt, args) + 1; 201 va_end(args); 202 203 buf = kmem_alloc(len, KM_NOSLEEP); 204 205 if (buf == NULL) 206 return (NULL); 207 208 va_start(args, fmt); 209 (void) vsnprintf(buf, len, fmt, args); 210 va_end(args); 211 212 return (buf); 213 } 214 215 /* 216 * priv_policy_errmsg() 217 * 218 * Generate an error message if privilege debugging is enabled system wide 219 * or for this particular process. 220 */ 221 222 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 223 #define FMTMSG " for \"%s\"" 224 #define FMTFUN " needed at %s+0x%lx" 225 226 /* The maximum size privilege format: the concatenation of the above */ 227 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 228 229 static void 230 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 231 { 232 struct proc *me; 233 pc_t stack[MAXPRIVSTACK]; 234 int depth; 235 int i; 236 char *sym; 237 ulong_t off; 238 const char *pname; 239 240 char *cmd; 241 char fmt[sizeof (FMTMAX)]; 242 243 if ((me = curproc) == &p0) 244 return; 245 246 /* Privileges must be defined */ 247 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 248 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 249 priv_getbynum(priv) != NULL); 250 251 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 252 priv = PRIV_ALL; 253 254 if (curthread->t_pre_sys) 255 ttolwp(curthread)->lwp_badpriv = (short)priv; 256 257 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 258 return; 259 260 (void) strcpy(fmt, FMTHDR); 261 262 if (me->p_user.u_comm[0]) 263 cmd = &me->p_user.u_comm[0]; 264 else 265 cmd = "priv_policy"; 266 267 if (msg != NULL && *msg != '\0') { 268 (void) strcat(fmt, FMTMSG); 269 } else { 270 (void) strcat(fmt, "%s"); 271 msg = ""; 272 } 273 274 sym = NULL; 275 276 depth = getpcstack(stack, MAXPRIVSTACK); 277 278 /* 279 * Try to find the first interesting function on the stack. 280 * priv_policy* that's us, so completely uninteresting. 281 * suser(), drv_priv(), secpolicy_* are also called from 282 * too many locations to convey useful information. 283 */ 284 for (i = 0; i < depth; i++) { 285 sym = kobj_getsymname((uintptr_t)stack[i], &off); 286 if (sym != NULL && 287 strstr(sym, "hasprocperm") == 0 && 288 strcmp("suser", sym) != 0 && 289 strcmp("ipcaccess", sym) != 0 && 290 strcmp("drv_priv", sym) != 0 && 291 strncmp("secpolicy_", sym, 10) != 0 && 292 strncmp("priv_policy", sym, 11) != 0) 293 break; 294 } 295 296 if (sym != NULL) 297 (void) strcat(fmt, FMTFUN); 298 299 (void) strcat(fmt, "\n"); 300 301 switch (priv) { 302 case PRIV_ALL: 303 pname = "ALL"; 304 break; 305 case PRIV_MULTIPLE: 306 pname = "MULTIPLE"; 307 break; 308 case PRIV_ALLZONE: 309 pname = "ZONE"; 310 break; 311 case PRIV_GLOBAL: 312 pname = "GLOBAL"; 313 break; 314 default: 315 pname = priv_getbynum(priv); 316 break; 317 } 318 319 if (CR_FLAGS(cr) & PRIV_DEBUG) { 320 /* Remember last message, just like lwp_badpriv. */ 321 if (curthread->t_pdmsg != NULL) { 322 kmem_free(curthread->t_pdmsg, 323 strlen(curthread->t_pdmsg) + 1); 324 } 325 326 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 327 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 328 329 curthread->t_post_sys = 1; 330 } 331 if (priv_debug) { 332 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 333 curthread->t_sysnum, msg, sym, off); 334 } 335 } 336 337 /* 338 * Override the policy, if appropriate. Return 0 if the external 339 * policy engine approves. 340 */ 341 static int 342 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 343 { 344 priv_set_t set; 345 int ret; 346 347 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 348 return (-1); 349 350 if (priv == PRIV_ALL) { 351 priv_fillset(&set); 352 } else if (allzone) { 353 set = *ZONEPRIVS(cr); 354 } else { 355 priv_emptyset(&set); 356 priv_addset(&set, priv); 357 } 358 ret = klpd_call(cr, &set, ap); 359 return (ret); 360 } 361 362 static int 363 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) 364 { 365 if (CR_FLAGS(cr) & PRIV_PFEXEC) 366 return (check_user_privs(cr, req)); 367 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 368 return (klpd_call(cr, req, ap)); 369 } 370 return (-1); 371 } 372 373 static int 374 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) 375 { 376 va_list ap; 377 int ret; 378 379 va_start(ap, req); 380 ret = priv_policy_override_set(cr, req, ap); 381 va_end(ap); 382 return (ret); 383 } 384 385 /* 386 * Audit failure, log error message. 387 */ 388 static void 389 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 390 { 391 392 if (AU_AUDITING()) 393 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 394 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 395 396 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 397 curthread->t_pre_sys) { 398 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 399 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 400 } else { 401 ASSERT(!HAS_PRIVILEGE(cr, priv)); 402 priv_policy_errmsg(cr, priv, msg); 403 } 404 } 405 } 406 407 /* 408 * priv_policy_ap() 409 * return 0 or error. 410 * See block comment above for a description of "priv" and "allzone" usage. 411 */ 412 static int 413 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 414 const char *msg, va_list ap) 415 { 416 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 417 (!servicing_interrupt() && 418 priv_policy_override(cr, priv, allzone, ap) == 0)) { 419 if ((allzone || priv == PRIV_ALL || 420 !PRIV_ISASSERT(priv_basic, priv)) && 421 !servicing_interrupt()) { 422 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 423 if (AU_AUDITING()) 424 audit_priv(priv, 425 allzone ? ZONEPRIVS(cr) : NULL, 1); 426 } 427 err = 0; 428 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 429 } else if (!servicing_interrupt()) { 430 /* Failure audited in this procedure */ 431 priv_policy_err(cr, priv, allzone, msg); 432 } 433 return (err); 434 } 435 436 int 437 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 438 const char *msg, ...) 439 { 440 int ret; 441 va_list ap; 442 443 va_start(ap, msg); 444 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 445 va_end(ap); 446 447 return (ret); 448 } 449 450 int 451 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 452 const char *msg) 453 { 454 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); 455 } 456 457 /* 458 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 459 */ 460 boolean_t 461 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 462 { 463 boolean_t res = HAS_PRIVILEGE(cr, priv) && 464 (!allzone || HAS_ALLZONEPRIVS(cr)); 465 466 /* Audit success only */ 467 if (res && AU_AUDITING() && 468 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 469 !servicing_interrupt()) { 470 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 471 } 472 if (res) { 473 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 474 } else { 475 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 476 } 477 return (res); 478 } 479 480 /* 481 * Non-auditing variant of priv_policy_choice(). 482 */ 483 boolean_t 484 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 485 { 486 boolean_t res = HAS_PRIVILEGE(cr, priv) && 487 (!allzone || HAS_ALLZONEPRIVS(cr)); 488 489 if (res) { 490 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 491 } else { 492 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 493 } 494 return (res); 495 } 496 497 /* 498 * Check whether all privileges in the required set are present. 499 */ 500 static int 501 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, 502 const char *msg, ...) 503 { 504 int priv; 505 int pfound = -1; 506 priv_set_t pset; 507 va_list ap; 508 int ret; 509 510 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 511 &CR_OEPRIV(cr))) { 512 return (0); 513 } 514 515 va_start(ap, msg); 516 ret = priv_policy_override_set(cr, req, ap); 517 va_end(ap); 518 if (ret == 0) 519 return (0); 520 521 if (req == PRIV_FULLSET || priv_isfullset(req)) { 522 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 523 return (EACCES); 524 } 525 526 pset = CR_OEPRIV(cr); /* present privileges */ 527 priv_inverse(&pset); /* all non present privileges */ 528 priv_intersect(req, &pset); /* the actual missing privs */ 529 530 if (AU_AUDITING()) 531 audit_priv(PRIV_NONE, &pset, 0); 532 /* 533 * Privilege debugging; special case "one privilege in set". 534 */ 535 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 536 for (priv = 0; priv < nprivs; priv++) { 537 if (priv_ismember(&pset, priv)) { 538 if (pfound != -1) { 539 /* Multiple missing privs */ 540 priv_policy_errmsg(cr, PRIV_MULTIPLE, 541 msg); 542 return (EACCES); 543 } 544 pfound = priv; 545 } 546 } 547 ASSERT(pfound != -1); 548 /* Just the one missing privilege */ 549 priv_policy_errmsg(cr, pfound, msg); 550 } 551 552 return (EACCES); 553 } 554 555 /* 556 * Called when an operation requires that the caller be in the 557 * global zone, regardless of privilege. 558 */ 559 static int 560 priv_policy_global(const cred_t *cr) 561 { 562 if (crgetzoneid(cr) == GLOBAL_ZONEID) 563 return (0); /* success */ 564 565 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 566 curthread->t_pre_sys) { 567 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 568 } 569 return (EPERM); 570 } 571 572 /* 573 * Raising process priority 574 */ 575 int 576 secpolicy_raisepriority(const cred_t *cr) 577 { 578 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) 579 return (0); 580 return (secpolicy_setpriority(cr)); 581 } 582 583 /* 584 * Changing process priority or scheduling class 585 */ 586 int 587 secpolicy_setpriority(const cred_t *cr) 588 { 589 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 590 } 591 592 /* 593 * Binding to a privileged port, port must be specified in host byte 594 * order. 595 * When adding a new privilege which allows binding to currently privileged 596 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind 597 * to these ports because of backward compatibility. 598 */ 599 int 600 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 601 { 602 char *reason; 603 int priv; 604 605 switch (port) { 606 case 137: 607 case 138: 608 case 139: 609 case 445: 610 /* 611 * NBT and SMB ports, these are normal privileged ports, 612 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege 613 * is present. 614 * Try both, if neither is present return an error for 615 * priv SYS_SMB. 616 */ 617 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) 618 priv = PRIV_NET_PRIVADDR; 619 else 620 priv = PRIV_SYS_SMB; 621 reason = "NBT or SMB port"; 622 break; 623 624 case 2049: 625 case 4045: 626 /* 627 * NFS ports, these are extra privileged ports, allow bind 628 * only if the SYS_NFS privilege is present. 629 */ 630 priv = PRIV_SYS_NFS; 631 reason = "NFS port"; 632 break; 633 634 default: 635 priv = PRIV_NET_PRIVADDR; 636 reason = NULL; 637 break; 638 639 } 640 641 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 642 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 643 } 644 645 /* 646 * Binding to a multilevel port on a trusted (labeled) system. 647 */ 648 int 649 secpolicy_net_bindmlp(const cred_t *cr) 650 { 651 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 652 } 653 654 /* 655 * Allow a communication between a zone and an unlabeled host when their 656 * labels don't match. 657 */ 658 int 659 secpolicy_net_mac_aware(const cred_t *cr) 660 { 661 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 662 } 663 664 /* 665 * Allow a privileged process to transmit traffic without explicit labels 666 */ 667 int 668 secpolicy_net_mac_implicit(const cred_t *cr) 669 { 670 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 671 } 672 673 /* 674 * Common routine which determines whether a given credential can 675 * act on a given mount. 676 * When called through mount, the parameter needoptcheck is a pointer 677 * to a boolean variable which will be set to either true or false, 678 * depending on whether the mount policy should change the mount options. 679 * In all other cases, needoptcheck should be a NULL pointer. 680 */ 681 static int 682 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 683 boolean_t *needoptcheck) 684 { 685 boolean_t allzone = B_FALSE; 686 boolean_t mounting = needoptcheck != NULL; 687 688 /* 689 * Short circuit the following cases: 690 * vfsp == NULL or mvp == NULL (pure privilege check) 691 * have all privileges - no further checks required 692 * and no mount options need to be set. 693 */ 694 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 695 if (mounting) 696 *needoptcheck = B_FALSE; 697 698 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 699 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 700 } 701 702 /* 703 * When operating on an existing mount (either we're not mounting 704 * or we're doing a remount and VFS_REMOUNT will be set), zones 705 * can operate only on mounts established by the zone itself. 706 */ 707 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 708 zoneid_t zoneid = crgetzoneid(cr); 709 710 if (zoneid != GLOBAL_ZONEID && 711 vfsp->vfs_zone->zone_id != zoneid) { 712 return (EPERM); 713 } 714 } 715 716 if (mounting) 717 *needoptcheck = B_TRUE; 718 719 /* 720 * Overlay mounts may hide important stuff; if you can't write to a 721 * mount point but would be able to mount on top of it, you can 722 * escalate your privileges. 723 * So we go about asking the same questions namefs does when it 724 * decides whether you can mount over a file or not but with the 725 * added restriction that you can only mount on top of a regular 726 * file or directory. 727 * If we have all the zone's privileges, we skip all other checks, 728 * or else we may actually get in trouble inside the automounter. 729 */ 730 if ((mvp->v_flag & VROOT) != 0 || 731 (mvp->v_type != VDIR && mvp->v_type != VREG) || 732 HAS_ALLZONEPRIVS(cr)) { 733 allzone = B_TRUE; 734 } else { 735 vattr_t va; 736 int err; 737 738 va.va_mask = AT_UID|AT_MODE; 739 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 740 if (err != 0) 741 return (err); 742 743 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 744 return (err); 745 746 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, 747 VWRITE) != 0) { 748 return (EACCES); 749 } 750 } 751 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 752 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 753 } 754 755 void 756 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 757 { 758 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 759 760 /* 761 * check; if we don't have either "nosuid" or 762 * both "nosetuid" and "nodevices", then we add 763 * "nosuid"; this depends on how the current 764 * implementation works (it first checks nosuid). In a 765 * zone, a user with all zone privileges can mount with 766 * "setuid" but never with "devices". 767 */ 768 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 769 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 770 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 771 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 772 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 773 else 774 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 775 } 776 /* 777 * If we're not the local super user, we set the "restrict" 778 * option to indicate to automountd that this mount should 779 * be handled with care. 780 */ 781 if (!amsuper) 782 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 783 784 } 785 786 int 787 secpolicy_fs_allowed_mount(const char *fsname) 788 { 789 struct vfssw *vswp; 790 const char *p; 791 size_t len; 792 793 ASSERT(fsname != NULL); 794 ASSERT(fsname[0] != '\0'); 795 796 if (INGLOBALZONE(curproc)) 797 return (0); 798 799 vswp = vfs_getvfssw(fsname); 800 if (vswp == NULL) 801 return (ENOENT); 802 803 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) { 804 vfs_unrefvfssw(vswp); 805 return (0); 806 } 807 808 vfs_unrefvfssw(vswp); 809 810 p = curzone->zone_fs_allowed; 811 len = strlen(fsname); 812 813 while (p != NULL && *p != '\0') { 814 if (strncmp(p, fsname, len) == 0) { 815 char c = *(p + len); 816 if (c == '\0' || c == ',') 817 return (0); 818 } 819 820 /* skip to beyond the next comma */ 821 if ((p = strchr(p, ',')) != NULL) 822 p++; 823 } 824 825 return (EPERM); 826 } 827 828 extern vnode_t *rootvp; 829 extern vfs_t *rootvfs; 830 831 int 832 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 833 { 834 boolean_t needoptchk; 835 int error; 836 837 /* 838 * If it's a remount, get the underlying mount point, 839 * except for the root where we use the rootvp. 840 */ 841 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 842 if (vfsp == rootvfs) 843 mvp = rootvp; 844 else 845 mvp = vfsp->vfs_vnodecovered; 846 } 847 848 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 849 850 if (error == 0 && needoptchk) { 851 secpolicy_fs_mount_clearopts(cr, vfsp); 852 } 853 854 return (error); 855 } 856 857 /* 858 * Does the policy computations for "ownership" of a mount; 859 * here ownership is defined as the ability to "mount" 860 * the filesystem originally. The rootvfs doesn't cover any 861 * vnodes; we attribute its ownership to the rootvp. 862 */ 863 static int 864 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 865 { 866 vnode_t *mvp; 867 868 if (vfsp == NULL) 869 mvp = NULL; 870 else if (vfsp == rootvfs) 871 mvp = rootvp; 872 else 873 mvp = vfsp->vfs_vnodecovered; 874 875 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 876 } 877 878 int 879 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 880 { 881 return (secpolicy_fs_owner(cr, vfsp)); 882 } 883 884 /* 885 * Quotas are a resource, but if one has the ability to mount a filesystem, 886 * they should be able to modify quotas on it. 887 */ 888 int 889 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 890 { 891 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 892 } 893 894 /* 895 * Exceeding minfree: also a per-mount resource constraint. 896 */ 897 int 898 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 899 { 900 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 901 } 902 903 int 904 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 905 { 906 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 907 } 908 909 /* ARGSUSED */ 910 int 911 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 912 { 913 if (priv_allow_linkdir == 0) { 914 /* 915 * By default, this policy check will now always return EPERM 916 * unless overridden. 917 * 918 * We do so without triggering auditing or allowing privilege 919 * debugging for two reasons: first, we intend eventually to 920 * deprecate the PRIV_SYS_LINKDIR privilege entirely and remove 921 * the use of this policy check from the file systems; second, 922 * for privilege debugging in particular, because it would be 923 * confusing to report an unlink() failure as the result of a 924 * missing privilege when in fact we are simply no longer 925 * allowing the operation at all. 926 */ 927 return (EPERM); 928 } 929 930 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 931 } 932 933 /* 934 * Name: secpolicy_vnode_access() 935 * 936 * Parameters: Process credential 937 * vnode 938 * uid of owner of vnode 939 * permission bits not granted to the caller when examining 940 * file mode bits (i.e., when a process wants to open a 941 * mode 444 file for VREAD|VWRITE, this function should be 942 * called only with a VWRITE argument). 943 * 944 * Normal: Verifies that cred has the appropriate privileges to 945 * override the mode bits that were denied. 946 * 947 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 948 * not a directory. 949 * file_dac_read - if VREAD bit was denied. 950 * file_dac_search - if VEXEC bit was denied and vnode is 951 * a directory. 952 * file_dac_write - if VWRITE bit was denied. 953 * 954 * Root owned files are special cased to protect system 955 * configuration files and such. 956 * 957 * Output: EACCES - if privilege check fails. 958 */ 959 960 int 961 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 962 { 963 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 964 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 965 KLPDARG_NOMORE) != 0) { 966 return (EACCES); 967 } 968 969 if (mode & VWRITE) { 970 boolean_t allzone; 971 972 if (owner == 0 && cr->cr_uid != 0) 973 allzone = B_TRUE; 974 else 975 allzone = B_FALSE; 976 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 977 NULL, KLPDARG_VNODE, vp, (char *)NULL, 978 KLPDARG_NOMORE) != 0) { 979 return (EACCES); 980 } 981 } 982 983 if (mode & VEXEC) { 984 /* 985 * Directories use file_dac_search to override the execute bit. 986 */ 987 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 988 PRIV_FILE_DAC_EXECUTE; 989 990 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 991 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 992 } 993 return (0); 994 } 995 996 /* 997 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 998 * current mode of the file, not the missing bits. 999 */ 1000 int 1001 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, 1002 mode_t curmode, mode_t wantmode) 1003 { 1004 mode_t mode; 1005 1006 /* Inline the basic privileges tests. */ 1007 if ((wantmode & VREAD) && 1008 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && 1009 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 1010 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 1011 return (EACCES); 1012 } 1013 1014 if ((wantmode & VWRITE) && 1015 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && 1016 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 1017 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 1018 return (EACCES); 1019 } 1020 1021 mode = ~curmode & wantmode; 1022 1023 if (mode == 0) 1024 return (0); 1025 1026 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 1027 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 1028 KLPDARG_NOMORE) != 0) { 1029 return (EACCES); 1030 } 1031 1032 if (mode & VWRITE) { 1033 boolean_t allzone; 1034 1035 if (owner == 0 && cr->cr_uid != 0) 1036 allzone = B_TRUE; 1037 else 1038 allzone = B_FALSE; 1039 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 1040 NULL, KLPDARG_VNODE, vp, (char *)NULL, 1041 KLPDARG_NOMORE) != 0) { 1042 return (EACCES); 1043 } 1044 } 1045 1046 if (mode & VEXEC) { 1047 /* 1048 * Directories use file_dac_search to override the execute bit. 1049 */ 1050 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 1051 PRIV_FILE_DAC_EXECUTE; 1052 1053 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 1054 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1055 } 1056 return (0); 1057 } 1058 1059 /* 1060 * This is a special routine for ZFS; it is used to determine whether 1061 * any of the privileges in effect allow any form of access to the 1062 * file. There's no reason to audit this or any reason to record 1063 * this. More work is needed to do the "KPLD" stuff. 1064 */ 1065 int 1066 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) 1067 { 1068 static int privs[] = { 1069 PRIV_FILE_OWNER, 1070 PRIV_FILE_CHOWN, 1071 PRIV_FILE_DAC_READ, 1072 PRIV_FILE_DAC_WRITE, 1073 PRIV_FILE_DAC_EXECUTE, 1074 PRIV_FILE_DAC_SEARCH, 1075 }; 1076 int i; 1077 1078 /* Same as secpolicy_vnode_setdac */ 1079 if (owner == cr->cr_uid) 1080 return (0); 1081 1082 for (i = 0; i < sizeof (privs)/sizeof (int); i++) { 1083 boolean_t allzone = B_FALSE; 1084 int priv; 1085 1086 switch (priv = privs[i]) { 1087 case PRIV_FILE_DAC_EXECUTE: 1088 if (vp->v_type == VDIR) 1089 continue; 1090 break; 1091 case PRIV_FILE_DAC_SEARCH: 1092 if (vp->v_type != VDIR) 1093 continue; 1094 break; 1095 case PRIV_FILE_DAC_WRITE: 1096 case PRIV_FILE_OWNER: 1097 case PRIV_FILE_CHOWN: 1098 /* We know here that if owner == 0, that cr_uid != 0 */ 1099 allzone = owner == 0; 1100 break; 1101 } 1102 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) 1103 return (0); 1104 } 1105 return (EPERM); 1106 } 1107 1108 /* 1109 * Name: secpolicy_vnode_setid_modify() 1110 * 1111 * Normal: verify that subject can set the file setid flags. 1112 * 1113 * Output: EPERM - if not privileged. 1114 */ 1115 1116 static int 1117 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 1118 { 1119 /* If changing to suid root, must have all zone privs */ 1120 boolean_t allzone = B_TRUE; 1121 1122 if (owner != 0) { 1123 if (owner == cr->cr_uid) 1124 return (0); 1125 allzone = B_FALSE; 1126 } 1127 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 1128 } 1129 1130 /* 1131 * Are we allowed to retain the set-uid/set-gid bits when 1132 * changing ownership or when writing to a file? 1133 * "issuid" should be true when set-uid; only in that case 1134 * root ownership is checked (setgid is assumed). 1135 */ 1136 int 1137 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 1138 { 1139 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 1140 return (EPERM); 1141 1142 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 1143 } 1144 1145 /* 1146 * Name: secpolicy_vnode_setids_setgids() 1147 * 1148 * Normal: verify that subject can set the file setgid flag. 1149 * 1150 * Output: EPERM - if not privileged 1151 */ 1152 1153 int 1154 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 1155 { 1156 if (!groupmember(gid, cred)) 1157 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 1158 NULL)); 1159 return (0); 1160 } 1161 1162 /* 1163 * Name: secpolicy_vnode_chown 1164 * 1165 * Normal: Determine if subject can chown owner of a file. 1166 * 1167 * Output: EPERM - if access denied 1168 */ 1169 1170 int 1171 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 1172 { 1173 boolean_t is_owner = (owner == crgetuid(cred)); 1174 boolean_t allzone = B_FALSE; 1175 int priv; 1176 1177 if (!is_owner) { 1178 allzone = (owner == 0); 1179 priv = PRIV_FILE_CHOWN; 1180 } else { 1181 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 1182 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1183 } 1184 1185 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 1186 } 1187 1188 /* 1189 * Name: secpolicy_vnode_create_gid 1190 * 1191 * Normal: Determine if subject can change group ownership of a file. 1192 * 1193 * Output: EPERM - if access denied 1194 */ 1195 int 1196 secpolicy_vnode_create_gid(const cred_t *cred) 1197 { 1198 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 1199 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 1200 NULL)); 1201 else 1202 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 1203 NULL)); 1204 } 1205 1206 /* 1207 * Name: secpolicy_vnode_utime_modify() 1208 * 1209 * Normal: verify that subject can modify the utime on a file. 1210 * 1211 * Output: EPERM - if access denied. 1212 */ 1213 1214 static int 1215 secpolicy_vnode_utime_modify(const cred_t *cred) 1216 { 1217 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 1218 "modify file times")); 1219 } 1220 1221 1222 /* 1223 * Name: secpolicy_vnode_setdac() 1224 * 1225 * Normal: verify that subject can modify the mode of a file. 1226 * allzone privilege needed when modifying root owned object. 1227 * 1228 * Output: EPERM - if access denied. 1229 */ 1230 1231 int 1232 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1233 { 1234 boolean_t allzone = (owner == 0); 1235 1236 if (owner == cred->cr_uid) 1237 return (0); 1238 1239 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1240 } 1241 1242 /* 1243 * Name: secpolicy_vnode_setdac3() 1244 * 1245 * Normal: Variant of secpolicy_vnode_setdac() that conditionally 1246 * grants implicit rights to the owner of a file. 1247 * allzone privilege needed when modifying root owned object. 1248 * 1249 * Output: EPERM - if access denied. 1250 */ 1251 1252 int 1253 secpolicy_vnode_setdac3(const cred_t *cred, uid_t owner, 1254 boolean_t owner_implicit_rights) 1255 { 1256 boolean_t allzone = (owner == 0); 1257 1258 if (owner_implicit_rights && owner == cred->cr_uid) 1259 return (0); 1260 1261 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1262 } 1263 1264 /* 1265 * Name: secpolicy_vnode_stky_modify() 1266 * 1267 * Normal: verify that subject can make a file a "sticky". 1268 * 1269 * Output: EPERM - if access denied. 1270 */ 1271 1272 int 1273 secpolicy_vnode_stky_modify(const cred_t *cred) 1274 { 1275 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1276 "set file sticky")); 1277 } 1278 1279 /* 1280 * Policy determines whether we can remove an entry from a directory, 1281 * regardless of permission bits. 1282 */ 1283 int 1284 secpolicy_vnode_remove(const cred_t *cr) 1285 { 1286 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1287 "sticky directory")); 1288 } 1289 1290 int 1291 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1292 { 1293 boolean_t allzone = (owner == 0); 1294 1295 if (owner == cr->cr_uid) 1296 return (0); 1297 1298 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1299 } 1300 1301 void 1302 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1303 { 1304 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1305 secpolicy_vnode_setid_retain(cr, 1306 (vap->va_mode & S_ISUID) != 0 && 1307 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1308 vap->va_mask |= AT_MODE; 1309 vap->va_mode &= ~(S_ISUID|S_ISGID); 1310 } 1311 } 1312 1313 int 1314 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1315 cred_t *cr) 1316 { 1317 int error; 1318 1319 if ((vap->va_mode & S_ISUID) != 0 && 1320 (error = secpolicy_vnode_setid_modify(cr, 1321 ovap->va_uid)) != 0) { 1322 return (error); 1323 } 1324 1325 /* 1326 * Check privilege if attempting to set the 1327 * sticky bit on a non-directory. 1328 */ 1329 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1330 secpolicy_vnode_stky_modify(cr) != 0) { 1331 vap->va_mode &= ~S_ISVTX; 1332 } 1333 1334 /* 1335 * Check for privilege if attempting to set the 1336 * group-id bit. 1337 */ 1338 if ((vap->va_mode & S_ISGID) != 0 && 1339 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1340 vap->va_mode &= ~S_ISGID; 1341 } 1342 1343 return (0); 1344 } 1345 1346 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1347 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1348 B_FALSE, EPERM, NULL) 1349 1350 /* 1351 * Check privileges for setting xvattr attributes 1352 */ 1353 int 1354 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1355 { 1356 xoptattr_t *xoap; 1357 int error = 0; 1358 1359 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1360 return (EINVAL); 1361 1362 /* 1363 * First process the DOS bits 1364 */ 1365 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1366 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1367 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1368 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1369 XVA_ISSET_REQ(xvap, XAT_CREATETIME) || 1370 XVA_ISSET_REQ(xvap, XAT_OFFLINE) || 1371 XVA_ISSET_REQ(xvap, XAT_SPARSE)) { 1372 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1373 return (error); 1374 } 1375 1376 /* 1377 * Now handle special attributes 1378 */ 1379 1380 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1381 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1382 xoap->xoa_immutable, cr); 1383 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1384 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1385 xoap->xoa_nounlink, cr); 1386 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1387 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1388 xoap->xoa_appendonly, cr); 1389 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1390 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1391 xoap->xoa_nodump, cr); 1392 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1393 error = EPERM; 1394 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1395 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1396 xoap->xoa_av_quarantined, cr); 1397 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1398 error = EINVAL; 1399 } 1400 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1401 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1402 xoap->xoa_av_modified, cr); 1403 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1404 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1405 xoap->xoa_av_scanstamp, cr); 1406 if (error == 0 && vtype != VREG) 1407 error = EINVAL; 1408 } 1409 return (error); 1410 } 1411 1412 /* 1413 * This function checks the policy decisions surrounding the 1414 * vop setattr call. 1415 * 1416 * It should be called after sufficient locks have been established 1417 * on the underlying data structures. No concurrent modifications 1418 * should be allowed. 1419 * 1420 * The caller must pass in unlocked version of its vaccess function 1421 * this is required because vop_access function should lock the 1422 * node for reading. A three argument function should be defined 1423 * which accepts the following argument: 1424 * A pointer to the internal "node" type (inode *) 1425 * vnode access bits (VREAD|VWRITE|VEXEC) 1426 * a pointer to the credential 1427 * 1428 * This function makes the following policy decisions: 1429 * 1430 * - change permissions 1431 * - permission to change file mode if not owner 1432 * - permission to add sticky bit to non-directory 1433 * - permission to add set-gid bit 1434 * 1435 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1436 * 1437 * If the vap argument does not include AT_MODE, the mode will be copied from 1438 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1439 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1440 * is updated to the newly computed mode. 1441 */ 1442 1443 int 1444 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1445 const struct vattr *ovap, int flags, 1446 int unlocked_access(void *, int, cred_t *), 1447 void *node) 1448 { 1449 int mask = vap->va_mask; 1450 int error = 0; 1451 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1452 boolean_t implicit = (flags & ATTR_NOIMPLICIT) ? B_FALSE : B_TRUE; 1453 1454 if (mask & AT_SIZE) { 1455 if (vp->v_type == VDIR) { 1456 error = EISDIR; 1457 goto out; 1458 } 1459 1460 /* 1461 * If ATTR_NOACLCHECK is set in the flags, then we don't 1462 * perform the secondary unlocked_access() call since the 1463 * ACL (if any) is being checked there. 1464 */ 1465 if (skipaclchk == B_FALSE) { 1466 error = unlocked_access(node, VWRITE, cr); 1467 if (error) 1468 goto out; 1469 } 1470 } 1471 if (mask & AT_MODE) { 1472 /* 1473 * If not the owner of the file then check privilege 1474 * for two things: the privilege to set the mode at all 1475 * and, if we're setting setuid, we also need permissions 1476 * to add the set-uid bit, if we're not the owner. 1477 * In the specific case of creating a set-uid root 1478 * file, we need even more permissions. 1479 */ 1480 error = secpolicy_vnode_setdac3(cr, ovap->va_uid, implicit); 1481 if (error != 0) 1482 goto out; 1483 1484 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1485 ovap, cr)) != 0) 1486 goto out; 1487 } else 1488 vap->va_mode = ovap->va_mode; 1489 1490 if (mask & (AT_UID|AT_GID)) { 1491 boolean_t checkpriv = B_FALSE; 1492 1493 /* 1494 * Chowning files. 1495 * 1496 * If you are the file owner: 1497 * chown to other uid FILE_CHOWN_SELF 1498 * chown to gid (non-member) FILE_CHOWN_SELF 1499 * chown to gid (member) <none> 1500 * 1501 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1502 * acceptable but the first one is reported when debugging. 1503 * 1504 * If you are not the file owner: 1505 * chown from root PRIV_FILE_CHOWN + zone 1506 * chown from other to any PRIV_FILE_CHOWN 1507 * 1508 */ 1509 if (!implicit) { 1510 checkpriv = B_TRUE; 1511 } else if (cr->cr_uid != ovap->va_uid) { 1512 checkpriv = B_TRUE; 1513 } else { 1514 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1515 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1516 !groupmember(vap->va_gid, cr))) { 1517 checkpriv = B_TRUE; 1518 } 1519 } 1520 /* 1521 * If necessary, check privilege to see if update can be done. 1522 */ 1523 if (checkpriv && 1524 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1525 goto out; 1526 } 1527 1528 /* 1529 * If the file has either the set UID or set GID bits 1530 * set and the caller can set the bits, then leave them. 1531 */ 1532 secpolicy_setid_clear(vap, cr); 1533 } 1534 if (mask & (AT_ATIME|AT_MTIME)) { 1535 /* 1536 * If not the file owner and not otherwise privileged, 1537 * always return an error when setting the 1538 * time other than the current (ATTR_UTIME flag set). 1539 * If setting the current time (ATTR_UTIME not set) then 1540 * unlocked_access will check permissions according to policy. 1541 */ 1542 if (cr->cr_uid != ovap->va_uid) { 1543 if (flags & ATTR_UTIME) 1544 error = secpolicy_vnode_utime_modify(cr); 1545 else if (skipaclchk == B_FALSE) { 1546 error = unlocked_access(node, VWRITE, cr); 1547 if (error == EACCES && 1548 secpolicy_vnode_utime_modify(cr) == 0) 1549 error = 0; 1550 } 1551 if (error) 1552 goto out; 1553 } 1554 } 1555 1556 /* 1557 * Check for optional attributes here by checking the following: 1558 */ 1559 if (mask & AT_XVATTR) 1560 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1561 vp->v_type); 1562 out: 1563 return (error); 1564 } 1565 1566 /* 1567 * Name: secpolicy_pcfs_modify_bootpartition() 1568 * 1569 * Normal: verify that subject can modify a pcfs boot partition. 1570 * 1571 * Output: EACCES - if privilege check failed. 1572 */ 1573 /*ARGSUSED*/ 1574 int 1575 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1576 { 1577 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1578 "modify pcfs boot partition")); 1579 } 1580 1581 /* 1582 * System V IPC routines 1583 */ 1584 int 1585 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1586 { 1587 if (crgetzoneid(cr) != ip->ipc_zoneid || 1588 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1589 boolean_t allzone = B_FALSE; 1590 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1591 allzone = B_TRUE; 1592 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1593 } 1594 return (0); 1595 } 1596 1597 int 1598 secpolicy_ipc_config(const cred_t *cr) 1599 { 1600 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1601 } 1602 1603 int 1604 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1605 { 1606 1607 boolean_t allzone = B_FALSE; 1608 1609 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1610 1611 if ((mode & MSG_R) && 1612 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1613 return (EACCES); 1614 1615 if (mode & MSG_W) { 1616 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1617 allzone = B_TRUE; 1618 1619 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1620 NULL)); 1621 } 1622 return (0); 1623 } 1624 1625 int 1626 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1627 { 1628 boolean_t allzone = B_FALSE; 1629 1630 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1631 1632 if ((mode & MSG_R) && 1633 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1634 return (EACCES); 1635 1636 if (mode & MSG_W) { 1637 if (cr->cr_uid != 0 && owner == 0) 1638 allzone = B_TRUE; 1639 1640 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1641 NULL)); 1642 } 1643 return (0); 1644 } 1645 1646 /* 1647 * Audit configuration. 1648 */ 1649 int 1650 secpolicy_audit_config(const cred_t *cr) 1651 { 1652 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1653 } 1654 1655 /* 1656 * Audit record generation. 1657 */ 1658 int 1659 secpolicy_audit_modify(const cred_t *cr) 1660 { 1661 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1662 } 1663 1664 /* 1665 * Get audit attributes. 1666 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1667 * "Least" of the two privileges on error. 1668 */ 1669 int 1670 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) 1671 { 1672 int priv; 1673 1674 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) 1675 priv = PRIV_SYS_AUDIT; 1676 else 1677 priv = PRIV_PROC_AUDIT; 1678 1679 if (checkonly) 1680 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); 1681 else 1682 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1683 } 1684 1685 1686 /* 1687 * Locking physical memory 1688 */ 1689 int 1690 secpolicy_lock_memory(const cred_t *cr) 1691 { 1692 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1693 } 1694 1695 /* 1696 * Accounting (both acct(2) and exacct). 1697 */ 1698 int 1699 secpolicy_acct(const cred_t *cr) 1700 { 1701 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1702 } 1703 1704 /* 1705 * Is this process privileged to change its uids at will? 1706 * Uid 0 is still considered "special" and having the SETID 1707 * privilege is not sufficient to get uid 0. 1708 * Files are owned by root, so the privilege would give 1709 * full access and euid 0 is still effective. 1710 * 1711 * If you have the privilege and euid 0 only then do you 1712 * get the powers of root wrt uid 0. 1713 * 1714 * For gid manipulations, this is should be called with an 1715 * uid of -1. 1716 * 1717 */ 1718 int 1719 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1720 { 1721 boolean_t allzone = B_FALSE; 1722 1723 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1724 cr->cr_ruid != 0) { 1725 allzone = B_TRUE; 1726 } 1727 1728 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1729 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1730 } 1731 1732 1733 /* 1734 * Acting on a different process: if the mode is for writing, 1735 * the restrictions are more severe. This is called after 1736 * we've verified that the uids do not match. 1737 */ 1738 int 1739 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1740 { 1741 boolean_t allzone = B_FALSE; 1742 1743 if ((mode & VWRITE) && scr->cr_uid != 0 && 1744 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1745 allzone = B_TRUE; 1746 1747 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1748 } 1749 1750 int 1751 secpolicy_proc_access(const cred_t *scr) 1752 { 1753 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1754 } 1755 1756 int 1757 secpolicy_proc_excl_open(const cred_t *scr) 1758 { 1759 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1760 } 1761 1762 int 1763 secpolicy_proc_zone(const cred_t *scr) 1764 { 1765 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1766 } 1767 1768 /* 1769 * Destroying the system 1770 */ 1771 1772 int 1773 secpolicy_kmdb(const cred_t *scr) 1774 { 1775 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1776 } 1777 1778 int 1779 secpolicy_error_inject(const cred_t *scr) 1780 { 1781 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1782 } 1783 1784 /* 1785 * Processor sets, cpu configuration, resource pools. 1786 */ 1787 int 1788 secpolicy_pset(const cred_t *cr) 1789 { 1790 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1791 } 1792 1793 /* Process security flags */ 1794 int 1795 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp) 1796 { 1797 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0) 1798 return (EPERM); 1799 1800 if (!prochasprocperm(tp, sp, cr)) 1801 return (EPERM); 1802 1803 return (0); 1804 } 1805 1806 /* 1807 * Processor set binding. 1808 */ 1809 int 1810 secpolicy_pbind(const cred_t *cr) 1811 { 1812 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) 1813 return (secpolicy_pset(cr)); 1814 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); 1815 } 1816 1817 int 1818 secpolicy_ponline(const cred_t *cr) 1819 { 1820 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1821 } 1822 1823 int 1824 secpolicy_pool(const cred_t *cr) 1825 { 1826 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1827 } 1828 1829 int 1830 secpolicy_blacklist(const cred_t *cr) 1831 { 1832 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1833 } 1834 1835 /* 1836 * Catch all system configuration. 1837 */ 1838 int 1839 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1840 { 1841 if (checkonly) { 1842 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1843 EPERM); 1844 } else { 1845 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1846 } 1847 } 1848 1849 /* 1850 * Zone administration (halt, reboot, etc.) from within zone. 1851 */ 1852 int 1853 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1854 { 1855 if (checkonly) { 1856 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1857 EPERM); 1858 } else { 1859 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1860 NULL)); 1861 } 1862 } 1863 1864 /* 1865 * Zone configuration (create, halt, enter). 1866 */ 1867 int 1868 secpolicy_zone_config(const cred_t *cr) 1869 { 1870 /* 1871 * Require all privileges to avoid possibility of privilege 1872 * escalation. 1873 */ 1874 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 1875 } 1876 1877 /* 1878 * Various other system configuration calls 1879 */ 1880 int 1881 secpolicy_coreadm(const cred_t *cr) 1882 { 1883 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1884 } 1885 1886 int 1887 secpolicy_systeminfo(const cred_t *cr) 1888 { 1889 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1890 } 1891 1892 int 1893 secpolicy_dispadm(const cred_t *cr) 1894 { 1895 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1896 } 1897 1898 int 1899 secpolicy_settime(const cred_t *cr) 1900 { 1901 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1902 } 1903 1904 /* 1905 * For realtime users: high resolution clock. 1906 */ 1907 int 1908 secpolicy_clock_highres(const cred_t *cr) 1909 { 1910 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1911 NULL)); 1912 } 1913 1914 /* 1915 * drv_priv() is documented as callable from interrupt context, not that 1916 * anyone ever does, but still. No debugging or auditing can be done when 1917 * it is called from interrupt context. 1918 * returns 0 on succes, EPERM on failure. 1919 */ 1920 int 1921 drv_priv(cred_t *cr) 1922 { 1923 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1924 } 1925 1926 int 1927 secpolicy_sys_devices(const cred_t *cr) 1928 { 1929 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1930 } 1931 1932 int 1933 secpolicy_excl_open(const cred_t *cr) 1934 { 1935 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1936 } 1937 1938 int 1939 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1940 { 1941 /* zone.* rctls can only be set from the global zone */ 1942 if (is_zone_rctl && priv_policy_global(cr) != 0) 1943 return (EPERM); 1944 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1945 } 1946 1947 int 1948 secpolicy_resource(const cred_t *cr) 1949 { 1950 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1951 } 1952 1953 int 1954 secpolicy_resource_anon_mem(const cred_t *cr) 1955 { 1956 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1957 } 1958 1959 /* 1960 * Processes with a real uid of 0 escape any form of accounting, much 1961 * like before. 1962 */ 1963 int 1964 secpolicy_newproc(const cred_t *cr) 1965 { 1966 if (cr->cr_ruid == 0) 1967 return (0); 1968 1969 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1970 } 1971 1972 /* 1973 * Networking 1974 */ 1975 int 1976 secpolicy_net_rawaccess(const cred_t *cr) 1977 { 1978 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1979 } 1980 1981 int 1982 secpolicy_net_observability(const cred_t *cr) 1983 { 1984 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1985 } 1986 1987 /* 1988 * Need this privilege for accessing the ICMP device 1989 */ 1990 int 1991 secpolicy_net_icmpaccess(const cred_t *cr) 1992 { 1993 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1994 } 1995 1996 /* 1997 * There are a few rare cases where the kernel generates ioctls() from 1998 * interrupt context with a credential of kcred rather than NULL. 1999 * In those cases, we take the safe and cheap test. 2000 */ 2001 int 2002 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 2003 { 2004 if (checkonly) { 2005 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 2006 0 : EPERM); 2007 } else { 2008 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 2009 NULL)); 2010 } 2011 } 2012 2013 2014 /* 2015 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2016 * 2017 * There are a few rare cases where the kernel generates ioctls() from 2018 * interrupt context with a credential of kcred rather than NULL. 2019 * In those cases, we take the safe and cheap test. 2020 */ 2021 int 2022 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 2023 { 2024 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2025 return (secpolicy_net_config(cr, checkonly)); 2026 2027 if (checkonly) { 2028 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 2029 0 : EPERM); 2030 } else { 2031 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 2032 NULL)); 2033 } 2034 } 2035 2036 /* 2037 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 2038 */ 2039 int 2040 secpolicy_dl_config(const cred_t *cr) 2041 { 2042 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2043 return (secpolicy_net_config(cr, B_FALSE)); 2044 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 2045 } 2046 2047 /* 2048 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 2049 */ 2050 int 2051 secpolicy_iptun_config(const cred_t *cr) 2052 { 2053 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2054 return (secpolicy_net_config(cr, B_FALSE)); 2055 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 2056 return (secpolicy_dl_config(cr)); 2057 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 2058 } 2059 2060 /* 2061 * Map IP pseudo privileges to actual privileges. 2062 * So we don't need to recompile IP when we change the privileges. 2063 */ 2064 int 2065 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 2066 { 2067 int priv = PRIV_ALL; 2068 2069 switch (netpriv) { 2070 case OP_CONFIG: 2071 priv = PRIV_SYS_IP_CONFIG; 2072 break; 2073 case OP_RAW: 2074 priv = PRIV_NET_RAWACCESS; 2075 break; 2076 case OP_PRIVPORT: 2077 priv = PRIV_NET_PRIVADDR; 2078 break; 2079 } 2080 ASSERT(priv != PRIV_ALL); 2081 if (checkonly) 2082 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2083 else 2084 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2085 } 2086 2087 /* 2088 * Map network pseudo privileges to actual privileges. 2089 * So we don't need to recompile IP when we change the privileges. 2090 */ 2091 int 2092 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 2093 { 2094 int priv = PRIV_ALL; 2095 2096 switch (netpriv) { 2097 case OP_CONFIG: 2098 priv = PRIV_SYS_NET_CONFIG; 2099 break; 2100 case OP_RAW: 2101 priv = PRIV_NET_RAWACCESS; 2102 break; 2103 case OP_PRIVPORT: 2104 priv = PRIV_NET_PRIVADDR; 2105 break; 2106 } 2107 ASSERT(priv != PRIV_ALL); 2108 if (checkonly) 2109 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2110 else 2111 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2112 } 2113 2114 /* 2115 * Checks for operations that are either client-only or are used by 2116 * both clients and servers. 2117 */ 2118 int 2119 secpolicy_nfs(const cred_t *cr) 2120 { 2121 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 2122 } 2123 2124 /* 2125 * Special case for opening rpcmod: have NFS privileges or network 2126 * config privileges. 2127 */ 2128 int 2129 secpolicy_rpcmod_open(const cred_t *cr) 2130 { 2131 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 2132 return (secpolicy_nfs(cr)); 2133 else 2134 return (secpolicy_net_config(cr, B_FALSE)); 2135 } 2136 2137 int 2138 secpolicy_chroot(const cred_t *cr) 2139 { 2140 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 2141 } 2142 2143 int 2144 secpolicy_tasksys(const cred_t *cr) 2145 { 2146 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 2147 } 2148 2149 int 2150 secpolicy_meminfo(const cred_t *cr) 2151 { 2152 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL)); 2153 } 2154 2155 int 2156 secpolicy_pfexec_register(const cred_t *cr) 2157 { 2158 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); 2159 } 2160 2161 /* 2162 * Basic privilege checks. 2163 */ 2164 int 2165 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 2166 { 2167 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); 2168 2169 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 2170 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 2171 } 2172 2173 int 2174 secpolicy_basic_fork(const cred_t *cr) 2175 { 2176 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); 2177 2178 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 2179 } 2180 2181 int 2182 secpolicy_basic_proc(const cred_t *cr) 2183 { 2184 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); 2185 2186 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 2187 } 2188 2189 /* 2190 * Slightly complicated because we don't want to trigger the policy too 2191 * often. First we shortcircuit access to "self" (tp == sp) or if 2192 * we don't have the privilege but if we have permission 2193 * just return (0) and we don't flag the privilege as needed. 2194 * Else, we test for the privilege because we either have it or need it. 2195 */ 2196 int 2197 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 2198 { 2199 if (tp == sp || 2200 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 2201 return (0); 2202 } else { 2203 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 2204 } 2205 } 2206 2207 int 2208 secpolicy_basic_link(const cred_t *cr) 2209 { 2210 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); 2211 2212 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 2213 } 2214 2215 int 2216 secpolicy_basic_net_access(const cred_t *cr) 2217 { 2218 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); 2219 2220 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 2221 } 2222 2223 /* ARGSUSED */ 2224 int 2225 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) 2226 { 2227 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); 2228 2229 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 2230 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2231 } 2232 2233 /* ARGSUSED */ 2234 int 2235 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) 2236 { 2237 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); 2238 2239 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 2240 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2241 } 2242 2243 /* 2244 * Additional device protection. 2245 * 2246 * Traditionally, a device has specific permissions on the node in 2247 * the filesystem which govern which devices can be opened by what 2248 * processes. In certain cases, it is desirable to add extra 2249 * restrictions, as writing to certain devices is identical to 2250 * having a complete run of the system. 2251 * 2252 * This mechanism is called the device policy. 2253 * 2254 * When a device is opened, its policy entry is looked up in the 2255 * policy cache and checked. 2256 */ 2257 int 2258 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 2259 { 2260 devplcy_t *plcy; 2261 int err; 2262 struct snode *csp = VTOS(common_specvp(vp)); 2263 priv_set_t pset; 2264 2265 mutex_enter(&csp->s_lock); 2266 2267 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 2268 plcy = devpolicy_find(vp); 2269 if (csp->s_plcy) 2270 dpfree(csp->s_plcy); 2271 csp->s_plcy = plcy; 2272 ASSERT(plcy != NULL); 2273 } else 2274 plcy = csp->s_plcy; 2275 2276 if (plcy == nullpolicy) { 2277 mutex_exit(&csp->s_lock); 2278 return (0); 2279 } 2280 2281 dphold(plcy); 2282 2283 mutex_exit(&csp->s_lock); 2284 2285 if (oflag & FWRITE) 2286 pset = plcy->dp_wrp; 2287 else 2288 pset = plcy->dp_rdp; 2289 /* 2290 * Special case: 2291 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2292 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 2293 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 2294 * in the required privilege set before doing the check. 2295 */ 2296 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 2297 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 2298 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 2299 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 2300 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 2301 } 2302 2303 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); 2304 dpfree(plcy); 2305 2306 return (err); 2307 } 2308 2309 int 2310 secpolicy_modctl(const cred_t *cr, int cmd) 2311 { 2312 switch (cmd) { 2313 case MODINFO: 2314 case MODGETMAJBIND: 2315 case MODGETPATH: 2316 case MODGETPATHLEN: 2317 case MODGETNAME: 2318 case MODGETFBNAME: 2319 case MODGETDEVPOLICY: 2320 case MODGETDEVPOLICYBYNAME: 2321 case MODDEVT2INSTANCE: 2322 case MODSIZEOF_DEVID: 2323 case MODGETDEVID: 2324 case MODSIZEOF_MINORNAME: 2325 case MODGETMINORNAME: 2326 case MODGETDEVFSPATH_LEN: 2327 case MODGETDEVFSPATH: 2328 case MODGETDEVFSPATH_MI_LEN: 2329 case MODGETDEVFSPATH_MI: 2330 /* Unprivileged */ 2331 return (0); 2332 case MODLOAD: 2333 case MODSETDEVPOLICY: 2334 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, 2335 KLPDARG_NONE)); 2336 default: 2337 return (secpolicy_sys_config(cr, B_FALSE)); 2338 } 2339 } 2340 2341 int 2342 secpolicy_console(const cred_t *cr) 2343 { 2344 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2345 } 2346 2347 int 2348 secpolicy_power_mgmt(const cred_t *cr) 2349 { 2350 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2351 } 2352 2353 /* 2354 * Simulate terminal input; another escalation of privileges avenue. 2355 */ 2356 2357 int 2358 secpolicy_sti(const cred_t *cr) 2359 { 2360 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2361 } 2362 2363 boolean_t 2364 secpolicy_net_reply_equal(const cred_t *cr) 2365 { 2366 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2367 } 2368 2369 int 2370 secpolicy_swapctl(const cred_t *cr) 2371 { 2372 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2373 } 2374 2375 int 2376 secpolicy_cpc_cpu(const cred_t *cr) 2377 { 2378 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2379 } 2380 2381 /* 2382 * secpolicy_contract_identity 2383 * 2384 * Determine if the subject may set the process contract FMRI value 2385 */ 2386 int 2387 secpolicy_contract_identity(const cred_t *cr) 2388 { 2389 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2390 } 2391 2392 /* 2393 * secpolicy_contract_observer 2394 * 2395 * Determine if the subject may observe a specific contract's events. 2396 */ 2397 int 2398 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2399 { 2400 if (contract_owned(ct, cr, B_FALSE)) 2401 return (0); 2402 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2403 } 2404 2405 /* 2406 * secpolicy_contract_observer_choice 2407 * 2408 * Determine if the subject may observe any contract's events. Just 2409 * tests privilege and audits on success. 2410 */ 2411 boolean_t 2412 secpolicy_contract_observer_choice(const cred_t *cr) 2413 { 2414 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2415 } 2416 2417 /* 2418 * secpolicy_contract_event 2419 * 2420 * Determine if the subject may request critical contract events or 2421 * reliable contract event delivery. 2422 */ 2423 int 2424 secpolicy_contract_event(const cred_t *cr) 2425 { 2426 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2427 } 2428 2429 /* 2430 * secpolicy_contract_event_choice 2431 * 2432 * Determine if the subject may retain contract events in its critical 2433 * set when a change in other terms would normally require a change in 2434 * the critical set. Just tests privilege and audits on success. 2435 */ 2436 boolean_t 2437 secpolicy_contract_event_choice(const cred_t *cr) 2438 { 2439 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2440 } 2441 2442 /* 2443 * secpolicy_gart_access 2444 * 2445 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2446 * device. 2447 */ 2448 int 2449 secpolicy_gart_access(const cred_t *cr) 2450 { 2451 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2452 } 2453 2454 /* 2455 * secpolicy_gart_map 2456 * 2457 * Determine if the subject has sufficient priveleges to map aperture range 2458 * through agpgart driver. 2459 */ 2460 int 2461 secpolicy_gart_map(const cred_t *cr) 2462 { 2463 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2464 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2465 NULL)); 2466 } else { 2467 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2468 NULL)); 2469 } 2470 } 2471 2472 /* 2473 * secpolicy_hwmanip 2474 * 2475 * Determine if the subject can observe and manipulate a hardware device with a 2476 * dangerous blunt hammer, often suggests they can do something destructive. 2477 * Requires all privileges. 2478 */ 2479 int 2480 secpolicy_hwmanip(const cred_t *cr) 2481 { 2482 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2483 } 2484 2485 /* 2486 * secpolicy_zinject 2487 * 2488 * Determine if the subject can inject faults in the ZFS fault injection 2489 * framework. Requires all privileges. 2490 */ 2491 int 2492 secpolicy_zinject(const cred_t *cr) 2493 { 2494 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2495 } 2496 2497 /* 2498 * secpolicy_zfs 2499 * 2500 * Determine if the subject has permission to manipulate ZFS datasets 2501 * (not pools). Equivalent to the SYS_MOUNT privilege. 2502 */ 2503 int 2504 secpolicy_zfs(const cred_t *cr) 2505 { 2506 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2507 } 2508 2509 /* 2510 * secpolicy_idmap 2511 * 2512 * Determine if the calling process has permissions to register an SID 2513 * mapping daemon and allocate ephemeral IDs. 2514 */ 2515 int 2516 secpolicy_idmap(const cred_t *cr) 2517 { 2518 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2519 } 2520 2521 /* 2522 * secpolicy_ucode_update 2523 * 2524 * Determine if the subject has sufficient privilege to update microcode. 2525 */ 2526 int 2527 secpolicy_ucode_update(const cred_t *scr) 2528 { 2529 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2530 } 2531 2532 /* 2533 * secpolicy_sadopen 2534 * 2535 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2536 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2537 * In global zone, sys_config is required. 2538 * In exclusive-IP zones, sys_ip_config is required. 2539 * Note that sys_config is prohibited in non-global zones. 2540 */ 2541 int 2542 secpolicy_sadopen(const cred_t *credp) 2543 { 2544 priv_set_t pset; 2545 2546 priv_emptyset(&pset); 2547 2548 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2549 priv_addset(&pset, PRIV_SYS_CONFIG); 2550 else 2551 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2552 2553 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE)); 2554 } 2555 2556 2557 /* 2558 * Add privileges to a particular privilege set; this is called when the 2559 * current sets of privileges are not sufficient. I.e., we should always 2560 * call the policy override functions from here. 2561 * What we are allowed to have is in the Observed Permitted set; so 2562 * we compute the difference between that and the newset. 2563 */ 2564 int 2565 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2566 { 2567 priv_set_t rqd; 2568 2569 rqd = CR_OPPRIV(cr); 2570 2571 priv_inverse(&rqd); 2572 priv_intersect(nset, &rqd); 2573 2574 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); 2575 } 2576 2577 /* 2578 * secpolicy_smb 2579 * 2580 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2581 * that it has permission to access the smbsrv kernel driver. 2582 * PRIV_POLICY checks the privilege and audits the check. 2583 * 2584 * Returns: 2585 * 0 Driver access is allowed. 2586 * EPERM Driver access is NOT permitted. 2587 */ 2588 int 2589 secpolicy_smb(const cred_t *cr) 2590 { 2591 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2592 } 2593 2594 /* 2595 * secpolicy_vscan 2596 * 2597 * Determine if cred_t has the necessary privileges to access a file 2598 * for virus scanning and update its extended system attributes. 2599 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2600 * PRIV_FILE_FLAG_SET - set extended system attributes 2601 * 2602 * PRIV_POLICY checks the privilege and audits the check. 2603 * 2604 * Returns: 2605 * 0 file access for virus scanning allowed. 2606 * EPERM file access for virus scanning is NOT permitted. 2607 */ 2608 int 2609 secpolicy_vscan(const cred_t *cr) 2610 { 2611 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2612 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2613 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2614 return (EPERM); 2615 } 2616 2617 return (0); 2618 } 2619 2620 /* 2621 * secpolicy_smbfs_login 2622 * 2623 * Determines if the caller can add and delete the smbfs login 2624 * password in the the nsmb kernel module for the CIFS client. 2625 * 2626 * Returns: 2627 * 0 access is allowed. 2628 * EPERM access is NOT allowed. 2629 */ 2630 int 2631 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2632 { 2633 uid_t cruid = crgetruid(cr); 2634 2635 if (cruid == uid) 2636 return (0); 2637 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2638 EPERM, NULL)); 2639 } 2640 2641 /* 2642 * secpolicy_xvm_control 2643 * 2644 * Determines if a caller can control the xVM hypervisor and/or running 2645 * domains (x86 specific). 2646 * 2647 * Returns: 2648 * 0 access is allowed. 2649 * EPERM access is NOT allowed. 2650 */ 2651 int 2652 secpolicy_xvm_control(const cred_t *cr) 2653 { 2654 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2655 return (EPERM); 2656 return (0); 2657 } 2658 2659 /* 2660 * secpolicy_ppp_config 2661 * 2662 * Determine if the subject has sufficient privileges to configure PPP and 2663 * PPP-related devices. 2664 */ 2665 int 2666 secpolicy_ppp_config(const cred_t *cr) 2667 { 2668 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2669 return (secpolicy_net_config(cr, B_FALSE)); 2670 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2671 } 2672