1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/vnode.h> 34 #include <sys/vfs.h> 35 #include <sys/stat.h> 36 #include <sys/errno.h> 37 #include <sys/kmem.h> 38 #include <sys/user.h> 39 #include <sys/proc.h> 40 #include <sys/acct.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/cmn_err.h> 43 #include <sys/debug.h> 44 #include <sys/policy.h> 45 #include <sys/kobj.h> 46 #include <sys/msg.h> 47 #include <sys/devpolicy.h> 48 #include <c2/audit.h> 49 #include <sys/varargs.h> 50 #include <sys/modctl.h> 51 #include <sys/disp.h> 52 #include <sys/zone.h> 53 #include <inet/optcom.h> 54 #include <sys/sdt.h> 55 #include <sys/vfs.h> 56 #include <sys/mntent.h> 57 #include <sys/contract_impl.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make asssumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions 151 * 152 * In future, these will migrate to several files when policy 153 * becomes more or less pluggable. 154 * 155 * For now, there's only one policy and this is it. 156 */ 157 158 /* 159 * Generic policy calls 160 * 161 * The "bottom" functions of policy control 162 */ 163 164 static char * 165 mprintf(const char *fmt, ...) 166 { 167 va_list args; 168 char *buf; 169 size_t len; 170 171 va_start(args, fmt); 172 len = vsnprintf(NULL, 0, fmt, args) + 1; 173 va_end(args); 174 175 buf = kmem_alloc(len, KM_NOSLEEP); 176 177 if (buf == NULL) 178 return (NULL); 179 180 va_start(args, fmt); 181 (void) vsnprintf(buf, len, fmt, args); 182 va_end(args); 183 184 return (buf); 185 } 186 187 /* 188 * priv_policy_errmsg() 189 * 190 * Generate an error message if privilege debugging is enabled system wide 191 * or for this particular process. 192 */ 193 194 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 195 #define FMTMSG " for \"%s\"" 196 #define FMTFUN " needed at %s+0x%lx" 197 198 /* The maximum size privilege format: the concatenation of the above */ 199 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 200 201 static void 202 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 203 { 204 struct proc *me; 205 pc_t stack[MAXPRIVSTACK]; 206 int depth; 207 int i; 208 char *sym; 209 ulong_t off; 210 const char *pname; 211 212 char *cmd; 213 char fmt[sizeof (FMTMAX)]; 214 215 if ((me = curproc) == &p0) 216 return; 217 218 /* Privileges must be defined */ 219 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 220 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 221 priv_getbynum(priv) != NULL); 222 223 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 224 priv = PRIV_ALL; 225 226 if (curthread->t_pre_sys) 227 ttolwp(curthread)->lwp_badpriv = (short)priv; 228 229 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 230 return; 231 232 (void) strcpy(fmt, FMTHDR); 233 234 if (me->p_user.u_comm[0]) 235 cmd = &me->p_user.u_comm[0]; 236 else 237 cmd = "priv_policy"; 238 239 if (msg != NULL && *msg != '\0') { 240 (void) strcat(fmt, FMTMSG); 241 } else { 242 (void) strcat(fmt, "%s"); 243 msg = ""; 244 } 245 246 sym = NULL; 247 248 depth = getpcstack(stack, MAXPRIVSTACK); 249 250 /* 251 * Try to find the first interesting function on the stack. 252 * priv_policy* that's us, so completely uninteresting. 253 * suser(), drv_priv(), secpolicy_* are also called from 254 * too many locations to convey useful information. 255 */ 256 for (i = 0; i < depth; i++) { 257 sym = kobj_getsymname((uintptr_t)stack[i], &off); 258 if (sym != NULL && 259 strstr(sym, "hasprocperm") == 0 && 260 strcmp("suser", sym) != 0 && 261 strcmp("ipcaccess", sym) != 0 && 262 strcmp("drv_priv", sym) != 0 && 263 strncmp("secpolicy_", sym, 10) != 0 && 264 strncmp("priv_policy", sym, 11) != 0) 265 break; 266 } 267 268 if (sym != NULL) 269 (void) strcat(fmt, FMTFUN); 270 271 (void) strcat(fmt, "\n"); 272 273 switch (priv) { 274 case PRIV_ALL: 275 pname = "ALL"; 276 break; 277 case PRIV_MULTIPLE: 278 pname = "MULTIPLE"; 279 break; 280 case PRIV_ALLZONE: 281 pname = "ZONE"; 282 break; 283 case PRIV_GLOBAL: 284 pname = "GLOBAL"; 285 break; 286 default: 287 pname = priv_getbynum(priv); 288 break; 289 } 290 291 if (CR_FLAGS(cr) & PRIV_DEBUG) { 292 /* Remember last message, just like lwp_badpriv. */ 293 if (curthread->t_pdmsg != NULL) { 294 kmem_free(curthread->t_pdmsg, 295 strlen(curthread->t_pdmsg) + 1); 296 } 297 298 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 299 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 300 301 curthread->t_post_sys = 1; 302 } else { 303 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 304 curthread->t_sysnum, msg, sym, off); 305 } 306 } 307 308 /* 309 * Audit failure, log error message. 310 */ 311 static void 312 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 313 { 314 315 #ifdef C2_AUDIT 316 if (audit_active) 317 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 318 #endif 319 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 320 321 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 322 curthread->t_pre_sys) { 323 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 324 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 325 } else { 326 ASSERT(!HAS_PRIVILEGE(cr, priv)); 327 priv_policy_errmsg(cr, priv, msg); 328 } 329 } 330 } 331 332 /* 333 * priv_policy() 334 * return 0 or error. 335 * See block comment above for a description of "priv" and "allzone" usage. 336 */ 337 int 338 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 339 const char *msg) 340 { 341 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 342 if ((allzone || priv == PRIV_ALL || 343 !PRIV_ISASSERT(priv_basic, priv)) && 344 !servicing_interrupt()) { 345 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 346 #ifdef C2_AUDIT 347 if (audit_active) 348 audit_priv(priv, 349 allzone ? ZONEPRIVS(cr) : NULL, 1); 350 #endif 351 } 352 err = 0; 353 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 354 } else if (!servicing_interrupt()) { 355 /* Failure audited in this procedure */ 356 priv_policy_err(cr, priv, allzone, msg); 357 } 358 359 return (err); 360 } 361 362 /* 363 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 364 */ 365 boolean_t 366 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 367 { 368 boolean_t res = HAS_PRIVILEGE(cr, priv) && 369 (!allzone || HAS_ALLZONEPRIVS(cr)); 370 371 #ifdef C2_AUDIT 372 /* Audit success only */ 373 if (res && audit_active && 374 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 375 !servicing_interrupt()) { 376 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 377 } 378 #endif 379 if (res) { 380 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 381 } else { 382 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 383 } 384 return (res); 385 } 386 387 /* 388 * Non-auditing variant of priv_policy_choice(). 389 */ 390 boolean_t 391 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 392 { 393 boolean_t res = HAS_PRIVILEGE(cr, priv) && 394 (!allzone || HAS_ALLZONEPRIVS(cr)); 395 396 if (res) { 397 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 398 } else { 399 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 400 } 401 return (res); 402 } 403 404 /* 405 * Check whether all privileges in the required set are present. 406 */ 407 static int 408 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 409 { 410 int priv; 411 int pfound = -1; 412 priv_set_t pset; 413 414 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 415 &CR_OEPRIV(cr))) { 416 return (0); 417 } 418 419 if (req == PRIV_FULLSET || priv_isfullset(req)) { 420 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 421 return (EACCES); 422 } 423 424 pset = CR_OEPRIV(cr); /* present privileges */ 425 priv_inverse(&pset); /* all non present privileges */ 426 priv_intersect(req, &pset); /* the actual missing privs */ 427 428 #ifdef C2_AUDIT 429 if (audit_active) 430 audit_priv(PRIV_NONE, &pset, 0); 431 #endif 432 /* 433 * Privilege debugging; special case "one privilege in set". 434 */ 435 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 436 for (priv = 0; priv < nprivs; priv++) { 437 if (priv_ismember(&pset, priv)) { 438 if (pfound != -1) { 439 /* Multiple missing privs */ 440 priv_policy_errmsg(cr, PRIV_MULTIPLE, 441 msg); 442 return (EACCES); 443 } 444 pfound = priv; 445 } 446 } 447 ASSERT(pfound != -1); 448 /* Just the one missing privilege */ 449 priv_policy_errmsg(cr, pfound, msg); 450 } 451 452 return (EACCES); 453 } 454 455 /* 456 * Called when an operation requires that the caller be in the 457 * global zone, regardless of privilege. 458 */ 459 static int 460 priv_policy_global(const cred_t *cr) 461 { 462 if (crgetzoneid(cr) == GLOBAL_ZONEID) 463 return (0); /* success */ 464 465 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 466 curthread->t_pre_sys) { 467 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 468 } 469 return (EPERM); 470 } 471 472 /* 473 * Changing process priority 474 */ 475 int 476 secpolicy_setpriority(const cred_t *cr) 477 { 478 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 479 } 480 481 /* 482 * Binding to a privileged port, port must be specified in host byte 483 * order. 484 */ 485 int 486 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 487 { 488 /* 489 * NFS ports, these are extra privileged ports, allow bind 490 * only if the SYS_NFS privilege is present. 491 */ 492 if (port == 2049 || port == 4045) 493 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 494 "NFS port")); 495 else 496 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 497 NULL)); 498 } 499 500 /* 501 * Binding to a multilevel port on a trusted (labeled) system. 502 */ 503 int 504 secpolicy_net_bindmlp(const cred_t *cr) 505 { 506 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, 507 NULL)); 508 } 509 510 /* 511 * Allow a communication between a zone and an unlabeled host when their 512 * labels don't match. 513 */ 514 int 515 secpolicy_net_mac_aware(const cred_t *cr) 516 { 517 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, 518 NULL)); 519 } 520 521 /* 522 * Common routine which determines whether a given credential can 523 * act on a given mount. 524 * When called through mount, the parameter needoptcheck is a pointer 525 * to a boolean variable which will be set to either true or false, 526 * depending on whether the mount policy should change the mount options. 527 * In all other cases, needoptcheck should be a NULL pointer. 528 */ 529 static int 530 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 531 boolean_t *needoptcheck) 532 { 533 boolean_t allzone = B_FALSE; 534 boolean_t mounting = needoptcheck != NULL; 535 536 /* 537 * Short circuit the following cases: 538 * vfsp == NULL or mvp == NULL (pure privilege check) 539 * have all privileges - no further checks required 540 * and no mount options need to be set. 541 */ 542 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 543 if (mounting) 544 *needoptcheck = B_FALSE; 545 546 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 547 } 548 549 /* 550 * When operating on an existing mount (either we're not mounting 551 * or we're doing a remount and VFS_REMOUNT will be set), zones 552 * can operate only on mounts established by the zone itself. 553 */ 554 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 555 zoneid_t zoneid = crgetzoneid(cr); 556 557 if (zoneid != GLOBAL_ZONEID && 558 vfsp->vfs_zone->zone_id != zoneid) { 559 return (EPERM); 560 } 561 } 562 563 if (mounting) 564 *needoptcheck = B_TRUE; 565 566 /* 567 * Overlay mounts may hide important stuff; if you can't write to a 568 * mount point but would be able to mount on top of it, you can 569 * escalate your privileges. 570 * So we go about asking the same questions namefs does when it 571 * decides whether you can mount over a file or not but with the 572 * added restriction that you can only mount on top of a regular 573 * file or directory. 574 * If we have all the zone's privileges, we skip all other checks, 575 * or else we may actually get in trouble inside the automounter. 576 */ 577 if ((mvp->v_flag & VROOT) != 0 || 578 (mvp->v_type != VDIR && mvp->v_type != VREG) || 579 HAS_ALLZONEPRIVS(cr)) { 580 allzone = B_TRUE; 581 } else { 582 vattr_t va; 583 int err; 584 585 va.va_mask = AT_UID|AT_MODE; 586 err = VOP_GETATTR(mvp, &va, 0, cr); 587 if (err != 0) 588 return (err); 589 590 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 591 return (err); 592 593 if ((va.va_mode & VWRITE) == 0 && 594 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 595 return (EACCES); 596 } 597 } 598 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 599 } 600 601 void 602 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 603 { 604 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 605 606 /* 607 * check; if we don't have either "nosuid" or 608 * both "nosetuid" and "nodevices", then we add 609 * "nosuid"; this depends on how the current 610 * implementation works (it first checks nosuid). In a 611 * zone, a user with all zone privileges can mount with 612 * "setuid" but never with "devices". 613 */ 614 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 615 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 616 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 617 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 618 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 619 else 620 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 621 } 622 /* 623 * If we're not the local super user, we set the "restrict" 624 * option to indicate to automountd that this mount should 625 * be handled with care. 626 */ 627 if (!amsuper) 628 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 629 630 } 631 632 extern vnode_t *rootvp; 633 extern vfs_t *rootvfs; 634 635 int 636 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 637 { 638 boolean_t needoptchk; 639 int error; 640 641 /* 642 * If it's a remount, get the underlying mount point, 643 * except for the root where we use the rootvp. 644 */ 645 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 646 if (vfsp == rootvfs) 647 mvp = rootvp; 648 else 649 mvp = vfsp->vfs_vnodecovered; 650 } 651 652 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 653 654 if (error == 0 && needoptchk) { 655 secpolicy_fs_mount_clearopts(cr, vfsp); 656 } 657 658 return (error); 659 } 660 661 /* 662 * Does the policy computations for "ownership" of a mount; 663 * here ownership is defined as the ability to "mount" 664 * the filesystem originally. The rootvfs doesn't cover any 665 * vnodes; we attribute its ownership to the rootvp. 666 */ 667 static int 668 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 669 { 670 vnode_t *mvp; 671 672 if (vfsp == NULL) 673 mvp = NULL; 674 else if (vfsp == rootvfs) 675 mvp = rootvp; 676 else 677 mvp = vfsp->vfs_vnodecovered; 678 679 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 680 } 681 682 int 683 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 684 { 685 return (secpolicy_fs_owner(cr, vfsp)); 686 } 687 688 /* 689 * Quotas are a resource, but if one has the ability to mount a filesystem, he 690 * should be able to modify quotas on it. 691 */ 692 int 693 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 694 { 695 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 696 } 697 698 /* 699 * Exceeding minfree: also a per-mount resource constraint. 700 */ 701 int 702 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 703 { 704 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 705 } 706 707 int 708 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 709 { 710 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 711 } 712 713 /* ARGSUSED */ 714 int 715 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 716 { 717 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 718 } 719 720 /* 721 * Name: secpolicy_vnode_access() 722 * 723 * Parameters: Process credential 724 * vnode 725 * uid of owner of vnode 726 * permission bits not granted to the caller when examining 727 * file mode bits (i.e., when a process wants to open a 728 * mode 444 file for VREAD|VWRITE, this function should be 729 * called only with a VWRITE argument). 730 * 731 * Normal: Verifies that cred has the appropriate privileges to 732 * override the mode bits that were denied. 733 * 734 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 735 * not a directory. 736 * file_dac_read - if VREAD bit was denied. 737 * file_dac_search - if VEXEC bit was denied and vnode is 738 * a directory. 739 * file_dac_write - if VWRITE bit was denied. 740 * 741 * Root owned files are special cased to protect system 742 * configuration files and such. 743 * 744 * Output: EACCES - if privilege check fails. 745 */ 746 747 /* ARGSUSED */ 748 int 749 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 750 { 751 if ((mode & VREAD) && 752 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 753 return (EACCES); 754 755 if (mode & VWRITE) { 756 boolean_t allzone; 757 758 if (owner == 0 && cr->cr_uid != 0) 759 allzone = B_TRUE; 760 else 761 allzone = B_FALSE; 762 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 763 != 0) 764 return (EACCES); 765 } 766 767 if (mode & VEXEC) { 768 /* 769 * Directories use file_dac_search to override the execute bit. 770 */ 771 vtype_t vtype = vp->v_type; 772 773 if (vtype == VDIR) 774 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 775 EACCES, NULL)); 776 else 777 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 778 EACCES, NULL)); 779 } 780 return (0); 781 } 782 783 /* 784 * Name: secpolicy_vnode_setid_modify() 785 * 786 * Normal: verify that subject can set the file setid flags. 787 * 788 * Output: EPERM - if not privileged. 789 */ 790 791 static int 792 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 793 { 794 /* If changing to suid root, must have all zone privs */ 795 boolean_t allzone = B_TRUE; 796 797 if (owner != 0) { 798 if (owner == cr->cr_uid) 799 return (0); 800 allzone = B_FALSE; 801 } 802 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 803 } 804 805 /* 806 * Are we allowed to retain the set-uid/set-gid bits when 807 * changing ownership or when writing to a file? 808 * "issuid" should be true when set-uid; only in that case 809 * root ownership is checked (setgid is assumed). 810 */ 811 int 812 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 813 { 814 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 815 return (EPERM); 816 817 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 818 } 819 820 /* 821 * Name: secpolicy_vnode_setids_setgids() 822 * 823 * Normal: verify that subject can set the file setgid flag. 824 * 825 * Output: EPERM - if not privileged 826 */ 827 828 int 829 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 830 { 831 if (!groupmember(gid, cred)) 832 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 833 NULL)); 834 return (0); 835 } 836 837 /* 838 * Create a file with a group different than any of the groups allowed: 839 * the group of the directory the file is created in, the effective 840 * group or any of the supplementary groups. 841 */ 842 int 843 secpolicy_vnode_create_gid(const cred_t *cred) 844 { 845 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 846 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 847 NULL)); 848 else 849 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 850 NULL)); 851 } 852 853 /* 854 * Name: secpolicy_vnode_utime_modify() 855 * 856 * Normal: verify that subject can modify the utime on a file. 857 * 858 * Output: EPERM - if access denied. 859 */ 860 861 static int 862 secpolicy_vnode_utime_modify(const cred_t *cred) 863 { 864 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 865 "modify file times")); 866 } 867 868 869 /* 870 * Name: secpolicy_vnode_setdac() 871 * 872 * Normal: verify that subject can modify the mode of a file. 873 * allzone privilege needed when modifying root owned object. 874 * 875 * Output: EPERM - if access denied. 876 */ 877 878 int 879 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 880 { 881 if (owner == cred->cr_uid) 882 return (0); 883 884 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 885 } 886 /* 887 * Name: secpolicy_vnode_stky_modify() 888 * 889 * Normal: verify that subject can make a file a "sticky". 890 * 891 * Output: EPERM - if access denied. 892 */ 893 894 int 895 secpolicy_vnode_stky_modify(const cred_t *cred) 896 { 897 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 898 "set file sticky")); 899 } 900 901 /* 902 * Policy determines whether we can remove an entry from a directory, 903 * regardless of permission bits. 904 */ 905 int 906 secpolicy_vnode_remove(const cred_t *cr) 907 { 908 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 909 "sticky directory")); 910 } 911 912 int 913 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 914 { 915 boolean_t allzone = (owner == 0); 916 917 if (owner == cr->cr_uid) 918 return (0); 919 920 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 921 } 922 923 void 924 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 925 { 926 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 927 secpolicy_vnode_setid_retain(cr, 928 (vap->va_mode & S_ISUID) != 0 && 929 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 930 vap->va_mask |= AT_MODE; 931 vap->va_mode &= ~(S_ISUID|S_ISGID); 932 } 933 } 934 935 int 936 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 937 cred_t *cr) 938 { 939 int error; 940 941 if ((vap->va_mode & S_ISUID) != 0 && 942 (error = secpolicy_vnode_setid_modify(cr, 943 ovap->va_uid)) != 0) { 944 return (error); 945 } 946 947 /* 948 * Check privilege if attempting to set the 949 * sticky bit on a non-directory. 950 */ 951 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 952 secpolicy_vnode_stky_modify(cr) != 0) { 953 vap->va_mode &= ~S_ISVTX; 954 } 955 956 /* 957 * Check for privilege if attempting to set the 958 * group-id bit. 959 */ 960 if ((vap->va_mode & S_ISGID) != 0 && 961 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 962 vap->va_mode &= ~S_ISGID; 963 } 964 965 return (0); 966 } 967 968 /* 969 * This function checks the policy decisions surrounding the 970 * vop setattr call. 971 * 972 * It should be called after sufficient locks have been established 973 * on the underlying data structures. No concurrent modifications 974 * should be allowed. 975 * 976 * The caller must pass in unlocked version of its vaccess function 977 * this is required because vop_access function should lock the 978 * node for reading. A three argument function should be defined 979 * which accepts the following argument: 980 * A pointer to the internal "node" type (inode *) 981 * vnode access bits (VREAD|VWRITE|VEXEC) 982 * a pointer to the credential 983 * 984 * This function makes the following policy decisions: 985 * 986 * - change permissions 987 * - permission to change file mode if not owner 988 * - permission to add sticky bit to non-directory 989 * - permission to add set-gid bit 990 * 991 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 992 * 993 * If the vap argument does not include AT_MODE, the mode will be copied from 994 * ovap. In certain situations set-uid/set-gid bits need to be removed; 995 * this is done by marking vap->va_mask to include AT_MODE and va_mode 996 * is updated to the newly computed mode. 997 */ 998 999 int 1000 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1001 const struct vattr *ovap, int flags, 1002 int unlocked_access(void *, int, cred_t *), 1003 void *node) 1004 { 1005 int mask = vap->va_mask; 1006 int error = 0; 1007 1008 if (mask & AT_SIZE) { 1009 if (vp->v_type == VDIR) { 1010 error = EISDIR; 1011 goto out; 1012 } 1013 error = unlocked_access(node, VWRITE, cr); 1014 if (error) 1015 goto out; 1016 } 1017 if (mask & AT_MODE) { 1018 /* 1019 * If not the owner of the file then check privilege 1020 * for two things: the privilege to set the mode at all 1021 * and, if we're setting setuid, we also need permissions 1022 * to add the set-uid bit, if we're not the owner. 1023 * In the specific case of creating a set-uid root 1024 * file, we need even more permissions. 1025 */ 1026 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1027 goto out; 1028 1029 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1030 ovap, cr)) != 0) 1031 goto out; 1032 } else 1033 vap->va_mode = ovap->va_mode; 1034 1035 if (mask & (AT_UID|AT_GID)) { 1036 boolean_t checkpriv = B_FALSE; 1037 int priv; 1038 boolean_t allzone = B_FALSE; 1039 1040 /* 1041 * Chowning files. 1042 * 1043 * If you are the file owner: 1044 * chown to other uid FILE_CHOWN_SELF 1045 * chown to gid (non-member) FILE_CHOWN_SELF 1046 * chown to gid (member) <none> 1047 * 1048 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1049 * acceptable but the first one is reported when debugging. 1050 * 1051 * If you are not the file owner: 1052 * chown from root PRIV_FILE_CHOWN + zone 1053 * chown from other to any PRIV_FILE_CHOWN 1054 * 1055 */ 1056 if (cr->cr_uid != ovap->va_uid) { 1057 checkpriv = B_TRUE; 1058 allzone = (ovap->va_uid == 0); 1059 priv = PRIV_FILE_CHOWN; 1060 } else { 1061 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1062 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1063 !groupmember(vap->va_gid, cr))) { 1064 checkpriv = B_TRUE; 1065 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1066 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1067 } 1068 } 1069 /* 1070 * If necessary, check privilege to see if update can be done. 1071 */ 1072 if (checkpriv && 1073 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1074 != 0) { 1075 goto out; 1076 } 1077 1078 /* 1079 * If the file has either the set UID or set GID bits 1080 * set and the caller can set the bits, then leave them. 1081 */ 1082 secpolicy_setid_clear(vap, cr); 1083 } 1084 if (mask & (AT_ATIME|AT_MTIME)) { 1085 /* 1086 * If not the file owner and not otherwise privileged, 1087 * always return an error when setting the 1088 * time other than the current (ATTR_UTIME flag set). 1089 * If setting the current time (ATTR_UTIME not set) then 1090 * unlocked_access will check permissions according to policy. 1091 */ 1092 if (cr->cr_uid != ovap->va_uid) { 1093 if (flags & ATTR_UTIME) 1094 error = secpolicy_vnode_utime_modify(cr); 1095 else { 1096 error = unlocked_access(node, VWRITE, cr); 1097 if (error == EACCES && 1098 secpolicy_vnode_utime_modify(cr) == 0) 1099 error = 0; 1100 } 1101 if (error) 1102 goto out; 1103 } 1104 } 1105 out: 1106 return (error); 1107 } 1108 1109 /* 1110 * Name: secpolicy_pcfs_modify_bootpartition() 1111 * 1112 * Normal: verify that subject can modify a pcfs boot partition. 1113 * 1114 * Output: EACCES - if privilege check failed. 1115 */ 1116 /*ARGSUSED*/ 1117 int 1118 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1119 { 1120 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1121 "modify pcfs boot partition")); 1122 } 1123 1124 /* 1125 * System V IPC routines 1126 */ 1127 int 1128 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1129 { 1130 if (crgetzoneid(cr) != ip->ipc_zoneid || 1131 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1132 boolean_t allzone = B_FALSE; 1133 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1134 allzone = B_TRUE; 1135 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1136 } 1137 return (0); 1138 } 1139 1140 int 1141 secpolicy_ipc_config(const cred_t *cr) 1142 { 1143 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1144 } 1145 1146 int 1147 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1148 { 1149 1150 boolean_t allzone = B_FALSE; 1151 1152 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1153 1154 if ((mode & MSG_R) && 1155 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1156 return (EACCES); 1157 1158 if (mode & MSG_W) { 1159 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1160 allzone = B_TRUE; 1161 1162 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1163 NULL)); 1164 } 1165 return (0); 1166 } 1167 1168 int 1169 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1170 { 1171 boolean_t allzone = B_FALSE; 1172 1173 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1174 1175 if ((mode & MSG_R) && 1176 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1177 return (EACCES); 1178 1179 if (mode & MSG_W) { 1180 if (cr->cr_uid != 0 && owner == 0) 1181 allzone = B_TRUE; 1182 1183 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1184 NULL)); 1185 } 1186 return (0); 1187 } 1188 1189 /* 1190 * Audit configuration. 1191 */ 1192 int 1193 secpolicy_audit_config(const cred_t *cr) 1194 { 1195 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1196 } 1197 1198 /* 1199 * Audit record generation. 1200 */ 1201 int 1202 secpolicy_audit_modify(const cred_t *cr) 1203 { 1204 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1205 } 1206 1207 /* 1208 * Get audit attributes. 1209 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1210 * "Least" of the two privileges on error. 1211 */ 1212 int 1213 secpolicy_audit_getattr(const cred_t *cr) 1214 { 1215 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1216 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1217 NULL)); 1218 } else { 1219 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1220 } 1221 } 1222 1223 1224 /* 1225 * Locking physical memory 1226 */ 1227 int 1228 secpolicy_lock_memory(const cred_t *cr) 1229 { 1230 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1231 } 1232 1233 /* 1234 * Accounting (both acct(2) and exacct). 1235 */ 1236 int 1237 secpolicy_acct(const cred_t *cr) 1238 { 1239 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1240 } 1241 1242 /* 1243 * Is this process privileged to change its uids at will? 1244 * Uid 0 is still considered "special" and having the SETID 1245 * privilege is not sufficient to get uid 0. 1246 * Files are owned by root, so the privilege would give 1247 * full access and euid 0 is still effective. 1248 * 1249 * If you have the privilege and euid 0 only then do you 1250 * get the powers of root wrt uid 0. 1251 * 1252 * For gid manipulations, this is should be called with an 1253 * uid of -1. 1254 * 1255 */ 1256 int 1257 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1258 { 1259 boolean_t allzone = B_FALSE; 1260 1261 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1262 cr->cr_ruid != 0) { 1263 allzone = B_TRUE; 1264 } 1265 1266 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1267 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1268 } 1269 1270 1271 /* 1272 * Acting on a different process: if the mode is for writing, 1273 * the restrictions are more severe. This is called after 1274 * we've verified that the uids do not match. 1275 */ 1276 int 1277 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1278 { 1279 boolean_t allzone = B_FALSE; 1280 1281 if ((mode & VWRITE) && scr->cr_uid != 0 && 1282 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1283 allzone = B_TRUE; 1284 1285 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1286 } 1287 1288 int 1289 secpolicy_proc_access(const cred_t *scr) 1290 { 1291 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1292 } 1293 1294 int 1295 secpolicy_proc_excl_open(const cred_t *scr) 1296 { 1297 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1298 } 1299 1300 int 1301 secpolicy_proc_zone(const cred_t *scr) 1302 { 1303 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1304 } 1305 1306 /* 1307 * Destroying the system 1308 */ 1309 1310 int 1311 secpolicy_kmdb(const cred_t *scr) 1312 { 1313 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1314 } 1315 1316 int 1317 secpolicy_error_inject(const cred_t *scr) 1318 { 1319 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1320 } 1321 1322 /* 1323 * Processor sets, cpu configuration, resource pools. 1324 */ 1325 int 1326 secpolicy_pset(const cred_t *cr) 1327 { 1328 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1329 } 1330 1331 int 1332 secpolicy_ponline(const cred_t *cr) 1333 { 1334 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1335 } 1336 1337 int 1338 secpolicy_pool(const cred_t *cr) 1339 { 1340 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1341 } 1342 1343 int 1344 secpolicy_blacklist(const cred_t *cr) 1345 { 1346 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1347 } 1348 1349 /* 1350 * Catch all system configuration. 1351 */ 1352 int 1353 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1354 { 1355 if (checkonly) { 1356 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1357 EPERM); 1358 } else { 1359 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1360 } 1361 } 1362 1363 /* 1364 * Zone administration (halt, reboot, etc.) from within zone. 1365 */ 1366 int 1367 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1368 { 1369 if (checkonly) { 1370 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1371 EPERM); 1372 } else { 1373 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1374 NULL)); 1375 } 1376 } 1377 1378 /* 1379 * Zone configuration (create, halt, enter). 1380 */ 1381 int 1382 secpolicy_zone_config(const cred_t *cr) 1383 { 1384 /* 1385 * Require all privileges to avoid possibility of privilege 1386 * escalation. 1387 */ 1388 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1389 } 1390 1391 /* 1392 * Various other system configuration calls 1393 */ 1394 int 1395 secpolicy_coreadm(const cred_t *cr) 1396 { 1397 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1398 } 1399 1400 int 1401 secpolicy_systeminfo(const cred_t *cr) 1402 { 1403 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1404 } 1405 1406 int 1407 secpolicy_dispadm(const cred_t *cr) 1408 { 1409 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1410 } 1411 1412 int 1413 secpolicy_settime(const cred_t *cr) 1414 { 1415 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1416 } 1417 1418 /* 1419 * For realtime users: high resolution clock. 1420 */ 1421 int 1422 secpolicy_clock_highres(const cred_t *cr) 1423 { 1424 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1425 NULL)); 1426 } 1427 1428 /* 1429 * drv_priv() is documented as callable from interrupt context, not that 1430 * anyone ever does, but still. No debugging or auditing can be done when 1431 * it is called from interrupt context. 1432 * returns 0 on succes, EPERM on failure. 1433 */ 1434 int 1435 drv_priv(cred_t *cr) 1436 { 1437 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1438 } 1439 1440 int 1441 secpolicy_sys_devices(const cred_t *cr) 1442 { 1443 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1444 } 1445 1446 int 1447 secpolicy_excl_open(const cred_t *cr) 1448 { 1449 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1450 } 1451 1452 int 1453 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1454 { 1455 /* zone.* rctls can only be set from the global zone */ 1456 if (is_zone_rctl && priv_policy_global(cr) != 0) 1457 return (EPERM); 1458 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1459 } 1460 1461 int 1462 secpolicy_resource(const cred_t *cr) 1463 { 1464 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1465 } 1466 1467 /* 1468 * Processes with a real uid of 0 escape any form of accounting, much 1469 * like before. 1470 */ 1471 int 1472 secpolicy_newproc(const cred_t *cr) 1473 { 1474 if (cr->cr_ruid == 0) 1475 return (0); 1476 1477 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1478 } 1479 1480 /* 1481 * Networking 1482 */ 1483 int 1484 secpolicy_net_rawaccess(const cred_t *cr) 1485 { 1486 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1487 } 1488 1489 /* 1490 * Need this privilege for accessing the ICMP device 1491 */ 1492 int 1493 secpolicy_net_icmpaccess(const cred_t *cr) 1494 { 1495 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1496 } 1497 1498 /* 1499 * There are a few rare cases where the kernel generates ioctls() from 1500 * interrupt context with a credential of kcred rather than NULL. 1501 * In those cases, we take the safe and cheap test. 1502 */ 1503 int 1504 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1505 { 1506 if (checkonly) { 1507 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1508 0 : EPERM); 1509 } else { 1510 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1511 NULL)); 1512 } 1513 } 1514 1515 1516 /* 1517 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1518 * 1519 * There are a few rare cases where the kernel generates ioctls() from 1520 * interrupt context with a credential of kcred rather than NULL. 1521 * In those cases, we take the safe and cheap test. 1522 */ 1523 int 1524 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1525 { 1526 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1527 return (secpolicy_net_config(cr, checkonly)); 1528 1529 if (checkonly) { 1530 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1531 0 : EPERM); 1532 } else { 1533 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1534 NULL)); 1535 } 1536 } 1537 1538 1539 /* 1540 * Map IP pseudo privileges to actual privileges. 1541 * So we don't need to recompile IP when we change the privileges. 1542 */ 1543 int 1544 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1545 { 1546 int priv = PRIV_ALL; 1547 1548 switch (netpriv) { 1549 case OP_CONFIG: 1550 priv = PRIV_SYS_IP_CONFIG; 1551 break; 1552 case OP_RAW: 1553 priv = PRIV_NET_RAWACCESS; 1554 break; 1555 case OP_PRIVPORT: 1556 priv = PRIV_NET_PRIVADDR; 1557 break; 1558 } 1559 ASSERT(priv != PRIV_ALL); 1560 if (checkonly) 1561 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1562 else 1563 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1564 } 1565 1566 /* 1567 * Map network pseudo privileges to actual privileges. 1568 * So we don't need to recompile IP when we change the privileges. 1569 */ 1570 int 1571 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1572 { 1573 int priv = PRIV_ALL; 1574 1575 switch (netpriv) { 1576 case OP_CONFIG: 1577 priv = PRIV_SYS_NET_CONFIG; 1578 break; 1579 case OP_RAW: 1580 priv = PRIV_NET_RAWACCESS; 1581 break; 1582 case OP_PRIVPORT: 1583 priv = PRIV_NET_PRIVADDR; 1584 break; 1585 } 1586 ASSERT(priv != PRIV_ALL); 1587 if (checkonly) 1588 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1589 else 1590 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1591 } 1592 1593 /* 1594 * Checks for operations that are either client-only or are used by 1595 * both clients and servers. 1596 */ 1597 int 1598 secpolicy_nfs(const cred_t *cr) 1599 { 1600 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1601 } 1602 1603 /* 1604 * Special case for opening rpcmod: have NFS privileges or network 1605 * config privileges. 1606 */ 1607 int 1608 secpolicy_rpcmod_open(const cred_t *cr) 1609 { 1610 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1611 return (secpolicy_nfs(cr)); 1612 else 1613 return (secpolicy_net_config(cr, NULL)); 1614 } 1615 1616 int 1617 secpolicy_chroot(const cred_t *cr) 1618 { 1619 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1620 } 1621 1622 int 1623 secpolicy_tasksys(const cred_t *cr) 1624 { 1625 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1626 } 1627 1628 /* 1629 * Basic privilege checks. 1630 */ 1631 int 1632 secpolicy_basic_exec(const cred_t *cr) 1633 { 1634 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1635 } 1636 1637 int 1638 secpolicy_basic_fork(const cred_t *cr) 1639 { 1640 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1641 } 1642 1643 int 1644 secpolicy_basic_proc(const cred_t *cr) 1645 { 1646 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1647 } 1648 1649 /* 1650 * Slightly complicated because we don't want to trigger the policy too 1651 * often. First we shortcircuit access to "self" (tp == sp) or if 1652 * we don't have the privilege but if we have permission 1653 * just return (0) and we don't flag the privilege as needed. 1654 * Else, we test for the privilege because we either have it or need it. 1655 */ 1656 int 1657 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1658 { 1659 if (tp == sp || 1660 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1661 return (0); 1662 } else { 1663 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1664 } 1665 } 1666 1667 int 1668 secpolicy_basic_link(const cred_t *cr) 1669 { 1670 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1671 } 1672 1673 /* 1674 * Additional device protection. 1675 * 1676 * Traditionally, a device has specific permissions on the node in 1677 * the filesystem which govern which devices can be opened by what 1678 * processes. In certain cases, it is desirable to add extra 1679 * restrictions, as writing to certain devices is identical to 1680 * having a complete run of the system. 1681 * 1682 * This mechanism is called the device policy. 1683 * 1684 * When a device is opened, its policy entry is looked up in the 1685 * policy cache and checked. 1686 */ 1687 int 1688 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1689 { 1690 devplcy_t *plcy; 1691 int err; 1692 struct snode *csp = VTOS(common_specvp(vp)); 1693 priv_set_t pset; 1694 1695 mutex_enter(&csp->s_lock); 1696 1697 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1698 plcy = devpolicy_find(vp); 1699 if (csp->s_plcy) 1700 dpfree(csp->s_plcy); 1701 csp->s_plcy = plcy; 1702 ASSERT(plcy != NULL); 1703 } else 1704 plcy = csp->s_plcy; 1705 1706 if (plcy == nullpolicy) { 1707 mutex_exit(&csp->s_lock); 1708 return (0); 1709 } 1710 1711 dphold(plcy); 1712 1713 mutex_exit(&csp->s_lock); 1714 1715 if (oflag & FWRITE) 1716 pset = plcy->dp_wrp; 1717 else 1718 pset = plcy->dp_rdp; 1719 /* 1720 * Special case: 1721 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1722 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1723 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1724 * in the required privilege set before doing the check. 1725 */ 1726 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1727 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1728 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1729 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1730 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1731 } 1732 1733 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1734 dpfree(plcy); 1735 1736 return (err); 1737 } 1738 1739 int 1740 secpolicy_modctl(const cred_t *cr, int cmd) 1741 { 1742 switch (cmd) { 1743 case MODINFO: 1744 case MODGETMAJBIND: 1745 case MODGETPATH: 1746 case MODGETPATHLEN: 1747 case MODGETNAME: 1748 case MODGETFBNAME: 1749 case MODGETDEVPOLICY: 1750 case MODGETDEVPOLICYBYNAME: 1751 case MODDEVT2INSTANCE: 1752 case MODSIZEOF_DEVID: 1753 case MODGETDEVID: 1754 case MODSIZEOF_MINORNAME: 1755 case MODGETMINORNAME: 1756 case MODGETDEVFSPATH_LEN: 1757 case MODGETDEVFSPATH: 1758 case MODGETDEVFSPATH_MI_LEN: 1759 case MODGETDEVFSPATH_MI: 1760 /* Unprivileged */ 1761 return (0); 1762 case MODLOAD: 1763 case MODSETDEVPOLICY: 1764 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1765 default: 1766 return (secpolicy_sys_config(cr, B_FALSE)); 1767 } 1768 } 1769 1770 int 1771 secpolicy_console(const cred_t *cr) 1772 { 1773 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1774 } 1775 1776 int 1777 secpolicy_power_mgmt(const cred_t *cr) 1778 { 1779 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1780 } 1781 1782 /* 1783 * Simulate terminal input; another escalation of privileges avenue. 1784 */ 1785 1786 int 1787 secpolicy_sti(const cred_t *cr) 1788 { 1789 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1790 } 1791 1792 boolean_t 1793 secpolicy_net_reply_equal(const cred_t *cr) 1794 { 1795 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1796 } 1797 1798 int 1799 secpolicy_swapctl(const cred_t *cr) 1800 { 1801 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1802 } 1803 1804 int 1805 secpolicy_cpc_cpu(const cred_t *cr) 1806 { 1807 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1808 } 1809 1810 /* 1811 * secpolicy_contract_observer 1812 * 1813 * Determine if the subject may observe a specific contract's events. 1814 */ 1815 int 1816 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1817 { 1818 if (contract_owned(ct, cr, B_FALSE)) 1819 return (0); 1820 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1821 } 1822 1823 /* 1824 * secpolicy_contract_observer_choice 1825 * 1826 * Determine if the subject may observe any contract's events. Just 1827 * tests privilege and audits on success. 1828 */ 1829 boolean_t 1830 secpolicy_contract_observer_choice(const cred_t *cr) 1831 { 1832 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1833 } 1834 1835 /* 1836 * secpolicy_contract_event 1837 * 1838 * Determine if the subject may request critical contract events or 1839 * reliable contract event delivery. 1840 */ 1841 int 1842 secpolicy_contract_event(const cred_t *cr) 1843 { 1844 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1845 } 1846 1847 /* 1848 * secpolicy_contract_event_choice 1849 * 1850 * Determine if the subject may retain contract events in its critical 1851 * set when a change in other terms would normally require a change in 1852 * the critical set. Just tests privilege and audits on success. 1853 */ 1854 boolean_t 1855 secpolicy_contract_event_choice(const cred_t *cr) 1856 { 1857 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1858 } 1859 1860 /* 1861 * secpolicy_gart_access 1862 * 1863 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 1864 * device. 1865 */ 1866 int 1867 secpolicy_gart_access(const cred_t *cr) 1868 { 1869 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 1870 } 1871 1872 /* 1873 * secpolicy_gart_map 1874 * 1875 * Determine if the subject has sufficient priveleges to map aperture range 1876 * through agpgart driver. 1877 */ 1878 int 1879 secpolicy_gart_map(const cred_t *cr) 1880 { 1881 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 1882 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 1883 NULL)); 1884 } else { 1885 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 1886 NULL)); 1887 } 1888 } 1889 1890 /* 1891 * secpolicy_zinject 1892 * 1893 * Determine if the subject can inject faults in the ZFS fault injection 1894 * framework. Requires all privileges. 1895 */ 1896 int 1897 secpolicy_zinject(const cred_t *cr) 1898 { 1899 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1900 } 1901 1902 /* 1903 * secpolicy_zfs 1904 * 1905 * Determine if the subject has permission to manipulate ZFS datasets 1906 * (not pools). Equivalent to the SYS_MOUNT privilege. 1907 */ 1908 int 1909 secpolicy_zfs(const cred_t *cr) 1910 { 1911 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1912 } 1913 1914 /* 1915 * secpolicy_idmap 1916 * 1917 * Determine if the calling process has permissions to register an SID 1918 * mapping daemon and allocate ephemeral IDs. 1919 */ 1920 int 1921 secpolicy_idmap(const cred_t *cr) 1922 { 1923 return (PRIV_POLICY(cr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1924 } 1925 1926 /* 1927 * secpolicy_ucode_update 1928 * 1929 * Determine if the subject has sufficient privilege to update microcode. 1930 */ 1931 int 1932 secpolicy_ucode_update(const cred_t *scr) 1933 { 1934 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1935 } 1936 1937 /* 1938 * secpolicy_sadopen 1939 * 1940 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 1941 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 1942 * In global zone, sys_config is required. 1943 * In exclusive-IP zones, sys_ip_config is required. 1944 * Note that sys_config is prohibited in non-global zones. 1945 */ 1946 int 1947 secpolicy_sadopen(const cred_t *credp) 1948 { 1949 priv_set_t pset; 1950 1951 priv_emptyset(&pset); 1952 1953 if (crgetzoneid(credp) == GLOBAL_ZONEID) 1954 priv_addset(&pset, PRIV_SYS_CONFIG); 1955 else 1956 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 1957 1958 return (secpolicy_require_set(credp, &pset, "devpolicy")); 1959 } 1960