xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision 7c478bd95313f5f23a4c958a745db2134aa03244)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
INSERT COMMENT
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#
# Privileges can be added to this file at any location, not
# necessarily at the end.  For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.

privilege PRIV_CONTRACT_OBSERVER

	Allows a process to observe contract events generated by
	contracts created and owned by users other than the process's
	effective user ID.
	Allows a process to open contract event endpoints belonging to
	contracts created and owned by users other than the process's
	effective user ID.

privilege PRIV_CPC_CPU

	Allow a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

	Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

	Allows DTrace process-level tracing.
	Allows process-level tracing probes to be placed and enabled in
	processes to which the user has permissions.

privilege PRIV_DTRACE_USER

	Allows DTrace user-level tracing.
	Allows use of the syscall and profile DTrace providers to
	examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

	Allows a process to change a file's owner user ID.
	Allows a process to change a file's group ID to one other than
	the process' effective group ID or one of the process'
	supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

	Allows a process to give away its files; a process with this
	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
	in effect.

privilege PRIV_FILE_DAC_EXECUTE

	Allows a process to execute an executable file whose permission
	bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

	Allows a process to search a directory whose permission bits or
	ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

basic privilege PRIV_FILE_LINK_ANY

	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.

privilege PRIV_FILE_OWNER

	Allows a process which is not the owner of a file or directory
	to perform the following operations that are normally permitted
	only for the file owner: modify that file's access and
	modification times; remove or rename a file or directory whose
	parent directory has the ``save text image after execution''
	(sticky) bit set; mount a ``namefs'' upon a file; modify
	permission bits or ACL except for the set-uid and set-gid
	bits.

privilege PRIV_FILE_SETID

	Allows a process to change the ownership of a file or write to
	a file without the set-user-ID and set-group-ID bits being
	cleared.
	Allows a process to set the set-group-ID bit on a file or
	directory whose group is not the process' effective group or
	one of the process' supplemental groups.
	Allows a process to set the set-user-ID bit on a file with
	different ownership in the presence of PRIV_FILE_OWNER.
	Additional restrictions apply when creating or modifying a
	set-uid 0 file.

privilege PRIV_GART_ACCESS

	Allows a process to make ioctls to agpgart device except
	that AGPIOC_INFO ioctl needs no privilege. Typically only
	xserver process needs to have this privilege. And a process
	with this privilege is also allowed to map aperture ranges
	through agpgart driver.

privilege PRIV_GART_MAP

	Allows a process to map aperture ranges through  agpgart
	driver. This privilege won't allow the process to do agpgart
	ioctls other than AGPIOC_INFO.

privilege PRIV_IPC_DAC_READ

	Allows a process to read a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process read permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

	Allows a process to write a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process write permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process write permission.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

	Allows a process which is not the owner of a System
	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
	remove, change ownership of, or change permission bits of the
	Message Queue, Semaphore Set, or Shared Memory Segment.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_NET_ICMPACCESS

	Allows a process to send and receive ICMP packets.

privilege PRIV_NET_PRIVADDR

	Allows a process to bind to a privileged port
	number. The privilege port numbers are 1-1023 (the traditional
	UNIX privileged ports) as well as those ports marked as
	"udp/tcp_extra_priv_ports" with the exception of the ports
	reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

	Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

	Allows a process to generate audit records.
	Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

	Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

	Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

	Allows a process to call execve().

basic privilege PRIV_PROC_FORK

	Allows a process to call fork1()/forkall()/vfork()

basic privilege PRIV_PROC_INFO

	Allows a process to examine the status of processes other
	than those it can send signals to.  Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

	Allows a process to lock pages in physical memory.

privilege PRIV_PROC_OWNER

	Allows a process to send signals to other processes, inspect
	and modify process state to other processes regardless of
	ownership.  When modifying another process, additional
	restrictions apply:  the effective privilege set of the
	attaching process must be a superset of the target process'
	effective, permitted and inheritable sets; the limit set must
	be a superset of the target's limit set; if the target process
	has any uid set to 0 all privilege must be asserted unless the
	effective uid is 0.
	Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOCNTL

	Allows a process to elevate its priority above its current level.
	Allows a process to change its scheduling class to any scheduling class,
	including the RT class.

basic privilege PRIV_PROC_SESSION

	Allows a process to send signals or trace processes outside its
	session.

unsafe privilege PRIV_PROC_SETID

	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

	Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

	Allows a process to trace or send signals to processes in
	other zones.

privilege PRIV_SYS_ACCT

	Allows a process to enable and disable and manage accounting through
	acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

	Allows a process to perform system administration tasks such
	as setting node and domain name and specifying nscd and coreadm
	settings.

privilege PRIV_SYS_AUDIT

	Allows a process to start the (kernel) audit daemon.
	Allows a process to view and set audit state (audit user ID,
	audit terminal ID, audit sessions ID, audit pre-selection mask).
	Allows a process to turn off and on auditing.
	Allows a process to configure the audit parameters (cache and
	queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

	Allows a process to perform various system configuration tasks.
	Allows a process to add and remove swap devices; when adding a swap
	device, a process must also have sufficient privileges to read from
	and write to the swap device.

privilege PRIV_SYS_DEVICES

	Allows a process to successfully call a kernel module that
	calls the kernel drv_priv(9F) function to check for allowed
	access.
	Allows a process to open the real console device directly.
	Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

	Allows a process to increase the size of a System V IPC Message
	Queue buffer.

privilege PRIV_SYS_LINKDIR

	Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

	Allows filesystem specific administrative procedures, such as
	filesystem configuration ioctls, quota calls and creation/deletion
	of snapshots.
	Allows a process to mount and unmount filesystems which would
	otherwise be restricted (i.e., most filesystems except
	namefs).
	A process performing a mount operation needs to have
	appropriate access to the device being mounted (read-write for
	"rw" mounts, read for "ro" mounts).
	A process performing any of the aforementioned
	filesystem operations needs to have read/write/owner
	access to the mount point.
	Only regular files and directories can serve as mount points
	for processes which do not have all zone privileges asserted.
	Unless a process has all zone privileges, the mount(2)
	system call will force the "nosuid" and "restrict" options, the
	latter only for autofs mountpoints.
	Regardless of privileges, a process running in a non-global zone may
	only control mounts performed from within said zone.
	Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_NET_CONFIG

	Allows a process to configure a system's network interfaces and routes.
	Allows a process to configure network parameters using ndd.
	Allows a process access to otherwise restricted information using ndd.
	Allows a process to push the rpcmod STREAMs module.
	Allows a process to pop anchored STREAMs modules.
	Allows a process to INSERT/REMOVE STREAMs modules on locations other
	than the top of the module stack.
	Allows a process to configure IPsec.

privilege PRIV_SYS_NFS

	Allows a process to perform Sun private NFS specific system calls.
	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
	and port 4045 (lockd).

privilege PRIV_SYS_RES_CONFIG

	Allows a process to create and delete processor sets, assign
	CPUs to processor sets and override the PSET_NOESCAPE property.
	Allows a process to change the operational status of CPUs in
	the system using p_online(2).
	Allows a process to configure resource pools and to bind
	processes to pools

unsafe privilege PRIV_SYS_RESOURCE

	Allows a process to modify the resource limits specified
	by setrlimit(2) and setrctl(2) without restriction.
	Allows a process to exceed the per-user maximum number of
	processes.
	Allows a process to extend or create files on a filesystem that
	has less than minfree space in reserve.

privilege PRIV_SYS_SUSER_COMPAT

	Allows a process to successfully call a third party loadable module
	that calls the kernel suser() function to check for allowed access.
	This privilege exists only for third party loadable module
	compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

	Allows a process to manipulate system time using any of the
	appropriate system calls: stime, adjtime, ntp_adjtime and
	the IA specific RTC calls.
set PRIV_EFFECTIVE

	Set of privileges currently in effect.

set PRIV_INHERITABLE

	Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

	Set of privileges that can be put into the effective set without
	restriction.

set PRIV_LIMIT

	Set of privileges that determines the absolute upper bound of
	privileges this process and its off-spring can obtain.