xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision 1be2e5dfebda7cac010af97aae7a3a1b45649aed)
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25INSERT COMMENT
26 */
27
28#pragma ident	"%Z%%M%	%I%	%E% SMI"
29
30#
31# Privileges can be added to this file at any location, not
32# necessarily at the end.  For patches, it is probably best to
33# add the new privilege at the end; for ordinary releases privileges
34# should be ordered alphabetically.
35#
36
37privilege PRIV_CONTRACT_EVENT
38
39	Allows a process to request critical events without limitation.
40	Allows a process to request reliable delivery of all events on
41	any event queue.
42
43privilege PRIV_CONTRACT_OBSERVER
44
45	Allows a process to observe contract events generated by
46	contracts created and owned by users other than the process's
47	effective user ID.
48	Allows a process to open contract event endpoints belonging to
49	contracts created and owned by users other than the process's
50	effective user ID.
51
52privilege PRIV_CPC_CPU
53
54	Allow a process to access per-CPU hardware performance counters.
55
56privilege PRIV_DTRACE_KERNEL
57
58	Allows DTrace kernel-level tracing.
59
60privilege PRIV_DTRACE_PROC
61
62	Allows DTrace process-level tracing.
63	Allows process-level tracing probes to be placed and enabled in
64	processes to which the user has permissions.
65
66privilege PRIV_DTRACE_USER
67
68	Allows DTrace user-level tracing.
69	Allows use of the syscall and profile DTrace providers to
70	examine processes to which the user has permissions.
71
72privilege PRIV_FILE_CHOWN
73
74	Allows a process to change a file's owner user ID.
75	Allows a process to change a file's group ID to one other than
76	the process' effective group ID or one of the process'
77	supplemental group IDs.
78
79privilege PRIV_FILE_CHOWN_SELF
80
81	Allows a process to give away its files; a process with this
82	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
83	in effect.
84
85privilege PRIV_FILE_DAC_EXECUTE
86
87	Allows a process to execute an executable file whose permission
88	bits or ACL do not allow the process execute permission.
89
90privilege PRIV_FILE_DAC_READ
91
92	Allows a process to read a file or directory whose permission
93	bits or ACL do not allow the process read permission.
94
95privilege PRIV_FILE_DAC_SEARCH
96
97	Allows a process to search a directory whose permission bits or
98	ACL do not allow the process search permission.
99
100privilege PRIV_FILE_DAC_WRITE
101
102	Allows a process to write a file or directory whose permission
103	bits or ACL do not allow the process write permission.
104	In order to write files owned by uid 0 in the absence of an
105	effective uid of 0 ALL privileges are required.
106
107privilege PRIV_FILE_DOWNGRADE_SL
108
109	Allows a process to set the sensitivity label of a file or
110	directory to a sensitivity label that does not dominate the
111	existing sensitivity label.
112	This privilege is interpreted only if the system is configured
113	with Trusted Extensions.
114
115basic privilege PRIV_FILE_LINK_ANY
116
117	Allows a process to create hardlinks to files owned by a uid
118	different from the process' effective uid.
119
120privilege PRIV_FILE_OWNER
121
122	Allows a process which is not the owner of a file or directory
123	to perform the following operations that are normally permitted
124	only for the file owner: modify that file's access and
125	modification times; remove or rename a file or directory whose
126	parent directory has the ``save text image after execution''
127	(sticky) bit set; mount a ``namefs'' upon a file; modify
128	permission bits or ACL except for the set-uid and set-gid
129	bits.
130
131privilege PRIV_FILE_SETID
132
133	Allows a process to change the ownership of a file or write to
134	a file without the set-user-ID and set-group-ID bits being
135	cleared.
136	Allows a process to set the set-group-ID bit on a file or
137	directory whose group is not the process' effective group or
138	one of the process' supplemental groups.
139	Allows a process to set the set-user-ID bit on a file with
140	different ownership in the presence of PRIV_FILE_OWNER.
141	Additional restrictions apply when creating or modifying a
142	set-uid 0 file.
143
144privilege PRIV_FILE_UPGRADE_SL
145
146	Allows a process to set the sensitivity label of a file or
147	directory to a sensitivity label that dominates the existing
148	sensitivity label.
149	This privilege is interpreted only if the system is configured
150	with Trusted Extensions.
151
152privilege PRIV_FILE_FLAG_SET
153
154	Allows a process to set immutable, nounlink or appendonly
155	file attributes.
156
157privilege PRIV_GRAPHICS_ACCESS
158
159	Allows a process to make privileged ioctls to graphics devices.
160	Typically only xserver process needs to have this privilege.
161	A process with this privilege is also allowed to perform
162	privileged graphics device mappings.
163
164privilege PRIV_GRAPHICS_MAP
165
166	Allows a process to perform privileged mappings through a
167	graphics device.
168
169privilege PRIV_IPC_DAC_READ
170
171	Allows a process to read a System V IPC
172	Message Queue, Semaphore Set, or Shared Memory Segment whose
173	permission bits do not allow the process read permission.
174	Allows a process to read remote shared memory whose
175	permission bits do not allow the process read permission.
176
177privilege PRIV_IPC_DAC_WRITE
178
179	Allows a process to write a System V IPC
180	Message Queue, Semaphore Set, or Shared Memory Segment whose
181	permission bits do not allow the process write permission.
182	Allows a process to read remote shared memory whose
183	permission bits do not allow the process write permission.
184	Additional restrictions apply if the owner of the object has uid 0
185	and the effective uid of the current process is not 0.
186
187privilege PRIV_IPC_OWNER
188
189	Allows a process which is not the owner of a System
190	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
191	remove, change ownership of, or change permission bits of the
192	Message Queue, Semaphore Set, or Shared Memory Segment.
193	Additional restrictions apply if the owner of the object has uid 0
194	and the effective uid of the current process is not 0.
195
196privilege PRIV_NET_BINDMLP
197
198	Allow a process to bind to a port that is configured as a
199	multi-level port(MLP) for the process's zone. This privilege
200	applies to both shared address and zone-specific address MLPs.
201	See tnzonecfg(4) from the Trusted Extensions manual pages for
202	information on configuring MLP ports.
203	This privilege is interpreted only if the system is configured
204	with Trusted Extensions.
205
206privilege PRIV_NET_ICMPACCESS
207
208	Allows a process to send and receive ICMP packets.
209
210privilege PRIV_NET_MAC_AWARE
211
212	Allows a process to set NET_MAC_AWARE process flag by using
213	setpflags(2). This privilege also allows a process to set
214	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
215	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
216	option both allow a local process to communicate with an
217	unlabeled peer if the local process' label dominates the
218	peer's default label, or if the local process runs in the
219	global zone.
220	This privilege is interpreted only if the system is configured
221	with Trusted Extensions.
222
223privilege PRIV_NET_PRIVADDR
224
225	Allows a process to bind to a privileged port
226	number. The privilege port numbers are 1-1023 (the traditional
227	UNIX privileged ports) as well as those ports marked as
228	"udp/tcp_extra_priv_ports" with the exception of the ports
229	reserved for use by NFS.
230
231privilege PRIV_NET_RAWACCESS
232
233	Allows a process to have direct access to the network layer.
234
235unsafe privilege PRIV_PROC_AUDIT
236
237	Allows a process to generate audit records.
238	Allows a process to get its own audit pre-selection information.
239
240privilege PRIV_PROC_CHROOT
241
242	Allows a process to change its root directory.
243
244privilege PRIV_PROC_CLOCK_HIGHRES
245
246	Allows a process to use high resolution timers.
247
248basic privilege PRIV_PROC_EXEC
249
250	Allows a process to call execve().
251
252basic privilege PRIV_PROC_FORK
253
254	Allows a process to call fork1()/forkall()/vfork()
255
256basic privilege PRIV_PROC_INFO
257
258	Allows a process to examine the status of processes other
259	than those it can send signals to.  Processes which cannot
260	be examined cannot be seen in /proc and appear not to exist.
261
262privilege PRIV_PROC_LOCK_MEMORY
263
264	Allows a process to lock pages in physical memory.
265
266privilege PRIV_PROC_OWNER
267
268	Allows a process to send signals to other processes, inspect
269	and modify process state to other processes regardless of
270	ownership.  When modifying another process, additional
271	restrictions apply:  the effective privilege set of the
272	attaching process must be a superset of the target process'
273	effective, permitted and inheritable sets; the limit set must
274	be a superset of the target's limit set; if the target process
275	has any uid set to 0 all privilege must be asserted unless the
276	effective uid is 0.
277	Allows a process to bind arbitrary processes to CPUs.
278
279privilege PRIV_PROC_PRIOCNTL
280
281	Allows a process to elevate its priority above its current level.
282	Allows a process to change its scheduling class to any scheduling class,
283	including the RT class.
284
285basic privilege PRIV_PROC_SESSION
286
287	Allows a process to send signals or trace processes outside its
288	session.
289
290unsafe privilege PRIV_PROC_SETID
291
292	Allows a process to set its uids at will.
293	Assuming uid 0 requires all privileges to be asserted.
294
295privilege PRIV_PROC_TASKID
296
297	Allows a process to assign a new task ID to the calling process.
298
299privilege PRIV_PROC_ZONE
300
301	Allows a process to trace or send signals to processes in
302	other zones.
303
304privilege PRIV_SYS_ACCT
305
306	Allows a process to enable and disable and manage accounting through
307	acct(2), getacct(2), putacct(2) and wracct(2).
308
309privilege PRIV_SYS_ADMIN
310
311	Allows a process to perform system administration tasks such
312	as setting node and domain name and specifying nscd and coreadm
313	settings.
314
315privilege PRIV_SYS_AUDIT
316
317	Allows a process to start the (kernel) audit daemon.
318	Allows a process to view and set audit state (audit user ID,
319	audit terminal ID, audit sessions ID, audit pre-selection mask).
320	Allows a process to turn off and on auditing.
321	Allows a process to configure the audit parameters (cache and
322	queue sizes, event to class mappings, policy options).
323
324privilege PRIV_SYS_CONFIG
325
326	Allows a process to perform various system configuration tasks.
327	Allows a process to add and remove swap devices; when adding a swap
328	device, a process must also have sufficient privileges to read from
329	and write to the swap device.
330
331privilege PRIV_SYS_DEVICES
332
333	Allows a process to successfully call a kernel module that
334	calls the kernel drv_priv(9F) function to check for allowed
335	access.
336	Allows a process to open the real console device directly.
337	Allows a process to open devices that have been exclusively opened.
338
339privilege PRIV_SYS_IPC_CONFIG
340
341	Allows a process to increase the size of a System V IPC Message
342	Queue buffer.
343
344privilege PRIV_SYS_LINKDIR
345
346	Allows a process to unlink and link directories.
347
348privilege PRIV_SYS_MOUNT
349
350	Allows filesystem specific administrative procedures, such as
351	filesystem configuration ioctls, quota calls and creation/deletion
352	of snapshots.
353	Allows a process to mount and unmount filesystems which would
354	otherwise be restricted (i.e., most filesystems except
355	namefs).
356	A process performing a mount operation needs to have
357	appropriate access to the device being mounted (read-write for
358	"rw" mounts, read for "ro" mounts).
359	A process performing any of the aforementioned
360	filesystem operations needs to have read/write/owner
361	access to the mount point.
362	Only regular files and directories can serve as mount points
363	for processes which do not have all zone privileges asserted.
364	Unless a process has all zone privileges, the mount(2)
365	system call will force the "nosuid" and "restrict" options, the
366	latter only for autofs mountpoints.
367	Regardless of privileges, a process running in a non-global zone may
368	only control mounts performed from within said zone.
369	Outside the global zone, the "nodevices" option is always forced.
370
371privilege PRIV_SYS_IP_CONFIG
372
373	Allows a process to configure a system's network interfaces and routes.
374	Allows a process to configure network parameters using ndd.
375	Allows a process access to otherwise restricted information using ndd.
376	Allows a process to configure IPsec.
377	Allows a process to pop anchored STREAMs modules with matching zoneid.
378
379privilege PRIV_SYS_NET_CONFIG
380
381	Allows all that PRIV_SYS_IP_CONFIG allows.
382	Allows a process to push the rpcmod STREAMs module.
383	Allows a process to INSERT/REMOVE STREAMs modules on locations other
384	than the top of the module stack.
385
386privilege PRIV_SYS_NFS
387
388	Allows a process to perform Sun private NFS specific system calls.
389	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
390	and port 4045 (lockd).
391
392privilege PRIV_SYS_RES_CONFIG
393
394	Allows a process to create and delete processor sets, assign
395	CPUs to processor sets and override the PSET_NOESCAPE property.
396	Allows a process to change the operational status of CPUs in
397	the system using p_online(2).
398	Allows a process to configure resource pools and to bind
399	processes to pools
400
401unsafe privilege PRIV_SYS_RESOURCE
402
403	Allows a process to modify the resource limits specified
404	by setrlimit(2) and setrctl(2) without restriction.
405	Allows a process to exceed the per-user maximum number of
406	processes.
407	Allows a process to extend or create files on a filesystem that
408	has less than minfree space in reserve.
409
410privilege PRIV_SYS_SMB
411
412	Allows a process to access the Sun private SMB kernel module.
413	Allows a process to bind to ports reserved by NetBIOS and SMB:
414	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
415	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
416
417privilege PRIV_SYS_SUSER_COMPAT
418
419	Allows a process to successfully call a third party loadable module
420	that calls the kernel suser() function to check for allowed access.
421	This privilege exists only for third party loadable module
422	compatibility and is not used by Solaris proper.
423
424privilege PRIV_SYS_TIME
425
426	Allows a process to manipulate system time using any of the
427	appropriate system calls: stime, adjtime, ntp_adjtime and
428	the IA specific RTC calls.
429
430privilege PRIV_SYS_TRANS_LABEL
431
432	Allows a process to translate labels that are not dominated
433	by the process' sensitivity label to and from an external
434	string form.
435	This privilege is interpreted only if the system is configured
436	with Trusted Extensions.
437
438privilege PRIV_WIN_COLORMAP
439
440	Allows a process to override colormap restrictions.
441        Allows a process to install or remove colormaps.
442        Allows a process to retrieve colormap cell entries allocated
443	by other processes.
444	This privilege is interpreted only if the system is configured
445	with Trusted Extensions.
446
447privilege PRIV_WIN_CONFIG
448
449	Allows a process to configure or destroy resources that are
450	permanently retained by the X server.
451        Allows a process to use SetScreenSaver to set the screen
452	saver timeout value.
453        Allows a process to use ChangeHosts to modify the display
454	access control list.
455        Allows a process to use GrabServer.
456        Allows a process to use the SetCloseDownMode request which
457	may retain window, pixmap, colormap, property, cursor, font,
458	or graphic context resources.
459	This privilege is interpreted only if the system is configured
460	with Trusted Extensions.
461
462privilege PRIV_WIN_DAC_READ
463
464	Allows a process to read from a window resource that it does
465	not own (has a different user ID).
466	This privilege is interpreted only if the system is configured
467	with Trusted Extensions.
468
469privilege PRIV_WIN_DAC_WRITE
470
471	Allows a process to write to or create a window resource that
472	it does not own (has a different user ID). A newly created
473	window property is created with the window's user ID.
474	This privilege is interpreted only if the system is configured
475	with Trusted Extensions.
476
477privilege PRIV_WIN_DEVICES
478
479	Allows a process to perform operations on window input devices.
480        Allows a process to get and set keyboard and pointer controls.
481        Allows a process to modify pointer button and key mappings.
482	This privilege is interpreted only if the system is configured
483	with Trusted Extensions.
484
485privilege PRIV_WIN_DGA
486
487	Allows a process to use the direct graphics access (DGA) X protocol
488	extensions. Direct process access to the frame buffer is still
489	required. Thus the process must have MAC and DAC privileges that
490	allow access to the frame buffer, or the frame buffer must be
491        allocated to the process.
492	This privilege is interpreted only if the system is configured
493	with Trusted Extensions.
494
495privilege PRIV_WIN_DOWNGRADE_SL
496
497	Allows a process to set the sensitivity label of a window resource
498	to a sensitivity label that does not dominate the existing
499	sensitivity label.
500	This privilege is interpreted only if the system is configured
501	with Trusted Extensions.
502
503privilege PRIV_WIN_FONTPATH
504
505	Allows a process to set a font path.
506	This privilege is interpreted only if the system is configured
507	with Trusted Extensions.
508
509privilege PRIV_WIN_MAC_READ
510
511	Allows a process to read from a window resource whose sensitivity
512	label is not equal to the process sensitivity label.
513	This privilege is interpreted only if the system is configured
514	with Trusted Extensions.
515
516privilege PRIV_WIN_MAC_WRITE
517
518	Allows a process to create a window resource whose sensitivity
519	label is not equal to the process sensitivity label.
520	A newly created window property is created with the window's
521	sensitivity label.
522	This privilege is interpreted only if the system is configured
523	with Trusted Extensions.
524
525privilege PRIV_WIN_SELECTION
526
527	Allows a process to request inter-window data moves without the
528	intervention of the selection confirmer.
529	This privilege is interpreted only if the system is configured
530	with Trusted Extensions.
531
532privilege PRIV_WIN_UPGRADE_SL
533
534	Allows a process to set the sensitivity label of a window
535	resource to a sensitivity label that dominates the existing
536	sensitivity label.
537	This privilege is interpreted only if the system is configured
538	with Trusted Extensions.
539
540set PRIV_EFFECTIVE
541
542	Set of privileges currently in effect.
543
544set PRIV_INHERITABLE
545
546	Set of privileges that comes into effect on exec.
547
548set PRIV_PERMITTED
549
550	Set of privileges that can be put into the effective set without
551	restriction.
552
553set PRIV_LIMIT
554
555	Set of privileges that determines the absolute upper bound of
556	privileges this process and its off-spring can obtain.
557