/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
INSERT COMMENT
 */

#pragma ident   "%Z%%M% %I%     %E% SMI"

#
# Privileges can be added to this file at any location, not
# necessarily at the end. For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

        Allows a process to request critical events without limitation.
        Allows a process to request reliable delivery of all events on
        any event queue.

privilege PRIV_CONTRACT_IDENTITY

        Allows a process to set the service FMRI value of a process
        contract template.

privilege PRIV_CONTRACT_OBSERVER

        Allows a process to observe contract events generated by
        contracts created and owned by users other than the process's
        effective user ID.
        Allows a process to open contract event endpoints belonging to
        contracts created and owned by users other than the process's
        effective user ID.

privilege PRIV_CPC_CPU

        Allows a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

        Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

        Allows DTrace process-level tracing.
        Allows process-level tracing probes to be placed and enabled in
        processes to which the user has permissions.

privilege PRIV_DTRACE_USER

        Allows DTrace user-level tracing.
        Allows use of the syscall and profile DTrace providers to
        examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

        Allows a process to change a file's owner user ID.
        Allows a process to change a file's group ID to one other than
        the process' effective group ID or one of the process'
        supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

        Allows a process to give away its files; a process with this
        privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
        in effect.

privilege PRIV_FILE_DAC_EXECUTE

        Allows a process to execute an executable file whose permission
        bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

        Allows a process to read a file or directory whose permission
        bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

        Allows a process to search a directory whose permission bits or
        ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

        Allows a process to write a file or directory whose permission
        bits or ACL do not allow the process write permission.
        In order to write files owned by uid 0 in the absence of an
        effective uid of 0, ALL privileges are required.

privilege PRIV_FILE_DOWNGRADE_SL

        Allows a process to set the sensitivity label of a file or
        directory to a sensitivity label that does not dominate the
        existing sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

basic privilege PRIV_FILE_LINK_ANY

        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.

privilege PRIV_FILE_OWNER

        Allows a process which is not the owner of a file or directory
        to perform the following operations that are normally permitted
        only for the file owner: modify that file's access and
        modification times; remove or rename a file or directory whose
        parent directory has the ``save text image after execution''
        (sticky) bit set; mount a ``namefs'' upon a file; modify
        permission bits or ACL except for the set-uid and set-gid
        bits.

privilege PRIV_FILE_SETID

        Allows a process to change the ownership of a file or write to
        a file without the set-user-ID and set-group-ID bits being
        cleared.
        Allows a process to set the set-group-ID bit on a file or
        directory whose group is not the process' effective group or
        one of the process' supplemental groups.
        Allows a process to set the set-user-ID bit on a file with
        different ownership in the presence of PRIV_FILE_OWNER.
        Additional restrictions apply when creating or modifying a
        set-uid 0 file.

privilege PRIV_FILE_UPGRADE_SL

        Allows a process to set the sensitivity label of a file or
        directory to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_FILE_FLAG_SET

        Allows a process to set immutable, nounlink or appendonly
        file attributes.

privilege PRIV_GRAPHICS_ACCESS

        Allows a process to make privileged ioctls to graphics devices.
        Typically only the X server process needs to have this privilege.
        A process with this privilege is also allowed to perform
        privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP

        Allows a process to perform privileged mappings through a
        graphics device.

privilege PRIV_IPC_DAC_READ

        Allows a process to read a System V IPC
        Message Queue, Semaphore Set, or Shared Memory Segment whose
        permission bits do not allow the process read permission.
        Allows a process to read remote shared memory whose
        permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

        Allows a process to write a System V IPC
        Message Queue, Semaphore Set, or Shared Memory Segment whose
        permission bits do not allow the process write permission.
        Allows a process to read remote shared memory whose
        permission bits do not allow the process write permission.
        Additional restrictions apply if the owner of the object has uid 0
        and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

        Allows a process which is not the owner of a System
        V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
        remove, change ownership of, or change permission bits of the
        Message Queue, Semaphore Set, or Shared Memory Segment.
        Additional restrictions apply if the owner of the object has uid 0
        and the effective uid of the current process is not 0.

privilege PRIV_NET_BINDMLP

        Allows a process to bind to a port that is configured as a
        multi-level port (MLP) for the process's zone. This privilege
        applies to both shared address and zone-specific address MLPs.
        See tnzonecfg(4) from the Trusted Extensions manual pages for
        information on configuring MLP ports.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_NET_ICMPACCESS

        Allows a process to send and receive ICMP packets.

privilege PRIV_NET_MAC_AWARE

        Allows a process to set the NET_MAC_AWARE process flag by using
        setpflags(2).
        This privilege also allows a process to set the
        SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
        The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
        option both allow a local process to communicate with an
        unlabeled peer if the local process' label dominates the
        peer's default label, or if the local process runs in the
        global zone.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_NET_PRIVADDR

        Allows a process to bind to a privileged port
        number. The privileged port numbers are 1-1023 (the traditional
        UNIX privileged ports) as well as those ports marked as
        "udp/tcp_extra_priv_ports" with the exception of the ports
        reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

        Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

        Allows a process to generate audit records.
        Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

        Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

        Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

        Allows a process to call execve().

basic privilege PRIV_PROC_FORK

        Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO

        Allows a process to examine the status of processes other
        than those it can send signals to. Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

        Allows a process to lock pages in physical memory.

privilege PRIV_PROC_OWNER

        Allows a process to send signals to other processes, and to
        inspect and modify the process state of other processes,
        regardless of ownership.
        When modifying another process, additional
        restrictions apply: the effective privilege set of the
        attaching process must be a superset of the target process'
        effective, permitted and inheritable sets; the limit set must
        be a superset of the target's limit set; if the target process
        has any uid set to 0, all privileges must be asserted unless the
        effective uid is 0.
        Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOCNTL

        Allows a process to elevate its priority above its current level.
        Allows a process to change its scheduling class to any scheduling class,
        including the RT class.

basic privilege PRIV_PROC_SESSION

        Allows a process to send signals or trace processes outside its
        session.

unsafe privilege PRIV_PROC_SETID

        Allows a process to set its uids at will.
        Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

        Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

        Allows a process to trace or send signals to processes in
        other zones.

privilege PRIV_SYS_ACCT

        Allows a process to enable, disable and manage accounting through
        acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

        Allows a process to perform system administration tasks such
        as setting node and domain name and specifying nscd and coreadm
        settings.

privilege PRIV_SYS_AUDIT

        Allows a process to start the (kernel) audit daemon.
        Allows a process to view and set audit state (audit user ID,
        audit terminal ID, audit session ID, audit pre-selection mask).
        Allows a process to turn off and on auditing.
        Allows a process to configure the audit parameters (cache and
        queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

        Allows a process to perform various system configuration tasks.
        Allows a process to add and remove swap devices; when adding a swap
        device, a process must also have sufficient privileges to read from
        and write to the swap device.

privilege PRIV_SYS_DEVICES

        Allows a process to successfully call a kernel module that
        calls the kernel drv_priv(9F) function to check for allowed
        access.
        Allows a process to open the real console device directly.
        Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

        Allows a process to increase the size of a System V IPC Message
        Queue buffer.

privilege PRIV_SYS_LINKDIR

        Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

        Allows filesystem specific administrative procedures, such as
        filesystem configuration ioctls, quota calls and creation/deletion
        of snapshots.
        Allows a process to mount and unmount filesystems which would
        otherwise be restricted (i.e., most filesystems except
        namefs).
        A process performing a mount operation needs to have
        appropriate access to the device being mounted (read-write for
        "rw" mounts, read for "ro" mounts).
        A process performing any of the aforementioned
        filesystem operations needs to have read/write/owner
        access to the mount point.
        Only regular files and directories can serve as mount points
        for processes which do not have all zone privileges asserted.
        Unless a process has all zone privileges, the mount(2)
        system call will force the "nosuid" and "restrict" options, the
        latter only for autofs mountpoints.
        Regardless of privileges, a process running in a non-global zone may
        only control mounts performed from within said zone.
        Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_IP_CONFIG

        Allows a process to configure a system's network interfaces and routes.
        Allows a process to configure network parameters using ndd.
        Allows a process access to otherwise restricted information using ndd.
        Allows a process to configure IPsec.
        Allows a process to pop anchored STREAMs modules with matching zoneid.

privilege PRIV_SYS_NET_CONFIG

        Allows all that PRIV_SYS_IP_CONFIG allows.
        Allows a process to push the rpcmod STREAMs module.
        Allows a process to INSERT/REMOVE STREAMs modules on locations other
        than the top of the module stack.

privilege PRIV_SYS_NFS

        Allows a process to perform Sun private NFS specific system calls.
        Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
        and port 4045 (lockd).

privilege PRIV_SYS_RES_CONFIG

        Allows a process to create and delete processor sets, assign
        CPUs to processor sets and override the PSET_NOESCAPE property.
        Allows a process to change the operational status of CPUs in
        the system using p_online(2).
        Allows a process to configure resource pools and to bind
        processes to pools.

unsafe privilege PRIV_SYS_RESOURCE

        Allows a process to modify the resource limits specified
        by setrlimit(2) and setrctl(2) without restriction.
        Allows a process to exceed the per-user maximum number of
        processes.
        Allows a process to extend or create files on a filesystem that
        has less than minfree space in reserve.

privilege PRIV_SYS_SMB

        Allows a process to access the Sun private SMB kernel module.
        Allows a process to bind to ports reserved by NetBIOS and SMB:
        ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
        Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT

        Allows a process to successfully call a third party loadable module
        that calls the kernel suser() function to check for allowed access.
        This privilege exists only for third party loadable module
        compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

        Allows a process to manipulate system time using any of the
        appropriate system calls: stime, adjtime, ntp_adjtime and
        the IA specific RTC calls.

privilege PRIV_SYS_TRANS_LABEL

        Allows a process to translate labels that are not dominated
        by the process' sensitivity label to and from an external
        string form.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_COLORMAP

        Allows a process to override colormap restrictions.
        Allows a process to install or remove colormaps.
        Allows a process to retrieve colormap cell entries allocated
        by other processes.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_CONFIG

        Allows a process to configure or destroy resources that are
        permanently retained by the X server.
        Allows a process to use SetScreenSaver to set the screen
        saver timeout value.
        Allows a process to use ChangeHosts to modify the display
        access control list.
        Allows a process to use GrabServer.
        Allows a process to use the SetCloseDownMode request which
        may retain window, pixmap, colormap, property, cursor, font,
        or graphic context resources.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DAC_READ

        Allows a process to read from a window resource that it does
        not own (has a different user ID).
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DAC_WRITE

        Allows a process to write to or create a window resource that
        it does not own (has a different user ID). A newly created
        window property is created with the window's user ID.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DEVICES

        Allows a process to perform operations on window input devices.
        Allows a process to get and set keyboard and pointer controls.
        Allows a process to modify pointer button and key mappings.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DGA

        Allows a process to use the direct graphics access (DGA) X protocol
        extensions. Direct process access to the frame buffer is still
        required. Thus the process must have MAC and DAC privileges that
        allow access to the frame buffer, or the frame buffer must be
        allocated to the process.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DOWNGRADE_SL

        Allows a process to set the sensitivity label of a window resource
        to a sensitivity label that does not dominate the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_FONTPATH

        Allows a process to set a font path.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_MAC_READ

        Allows a process to read from a window resource whose sensitivity
        label is not equal to the process sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_MAC_WRITE

        Allows a process to create a window resource whose sensitivity
        label is not equal to the process sensitivity label.
        A newly created window property is created with the window's
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_SELECTION

        Allows a process to request inter-window data moves without the
        intervention of the selection confirmer.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_UPGRADE_SL

        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

set PRIV_EFFECTIVE

        Set of privileges currently in effect.

set PRIV_INHERITABLE

        Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

        Set of privileges that can be put into the effective set without
        restriction.

set PRIV_LIMIT

        Set of privileges that determines the absolute upper bound of
        privileges this process and its offspring can obtain.
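The four set definitions above, and the attach rule spelled out under PRIV_PROC_OWNER earlier in this file, are easier to reason about with a small executable model. The C program below is an added example; it is not code from priv_defs or from the Solaris/illumos kernel. It represents E, P, I and L as bitmasks over a handful of hypothetical privilege bits (the bit values are invented for the example), implements the exec transition documented in privileges(5) (I' = I ∩ L, E' = P' = I', L' = L), which this file does not itself state and is therefore an assumption here, and implements the PRIV_PROC_OWNER superset check exactly as the text above describes it. It shows the subtle point behind "this process and its offspring": removing a privilege from L leaves the current process able to use it until the next exec, after which neither the child nor any of its descendants can get it back.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit assignments for a few of the privileges named in this
 * file. The real kernel works with named privileges, not fixed bit values. */
enum {
    PRIV_FILE_DAC_READ = 1u << 0,
    PRIV_PROC_FORK     = 1u << 1,
    PRIV_PROC_EXEC     = 1u << 2,
    PRIV_PROC_OWNER    = 1u << 3,
    PRIV_SYS_MOUNT     = 1u << 4,
    PRIV_ALL           = 0x1fu          /* every bit defined above */
};

/* The four sets from the end of the file, plus the two uid facts that the
 * PRIV_PROC_OWNER text depends on. */
typedef struct {
    uint32_t E, P, I, L;                /* effective, permitted, inheritable, limit */
    int euid;                           /* effective uid of this process */
    bool any_uid0;                      /* true if any of ruid/euid/suid is 0 */
} proc_privs;

/* Turn a privilege on in E. Only privileges already in P may be enabled
 * (PRIV_PERMITTED: "can be put into the effective set without restriction"). */
static bool priv_enable(proc_privs *p, uint32_t priv)
{
    if ((p->P & priv) != priv)
        return false;
    p->E |= priv;
    return true;
}

/* Remove a privilege from L. Assumption taken from privileges(5): this does
 * not touch E, P or I now; it bounds what the next exec can carry over. */
static void priv_drop_limit(proc_privs *p, uint32_t priv)
{
    p->L &= ~priv;
}

/* Exec transition, assumed from privileges(5): I' = I & L, E' = P' = I',
 * L' = L. This is what makes PRIV_LIMIT bound the process "and its offspring". */
static proc_privs priv_exec(const proc_privs *p)
{
    proc_privs child = *p;
    child.I = p->I & p->L;
    child.P = child.I;
    child.E = child.I;
    child.L = p->L;
    return child;
}

/* The PRIV_PROC_OWNER attach rule as stated in this file: the attacher's E
 * must cover the target's E, P and I; its L must cover the target's L; and a
 * target with any uid 0 requires all privileges unless the attacher's
 * effective uid is 0. Only the privileged path is modelled; the same-uid
 * case that needs no privilege is left out. */
static bool can_attach(const proc_privs *a, const proc_privs *t)
{
    if ((a->E & PRIV_PROC_OWNER) == 0)
        return false;                       /* the privilege itself must be in effect */
    if (((t->E | t->P | t->I) & ~a->E) != 0)
        return false;                       /* E must be a superset of target E, P, I */
    if ((t->L & ~a->L) != 0)
        return false;                       /* L must be a superset of target L */
    if (t->any_uid0 && a->euid != 0 && a->E != PRIV_ALL)
        return false;                       /* uid-0 target: all privileges unless euid 0 */
    return true;
}

int main(void)
{
    /* Constructed scenario: a fully privileged non-root process removes
     * PRIV_SYS_MOUNT from its limit set and then execs. */
    proc_privs parent = { PRIV_ALL, PRIV_ALL, PRIV_ALL, PRIV_ALL, 100, false };
    priv_drop_limit(&parent, PRIV_SYS_MOUNT);
    proc_privs child = priv_exec(&parent);
    printf("parent can still enable SYS_MOUNT before exec: %d\n",
           priv_enable(&parent, PRIV_SYS_MOUNT));
    printf("child can enable SYS_MOUNT after exec:         %d\n",
           priv_enable(&child, PRIV_SYS_MOUNT));
    return 0;
}
```

Build with `cc -std=c99 -Wall priv_model.c` (file name chosen for the example). The same bitmask shape is also a convenient way to write down, before shipping a service, which privileges its manifest should leave in L so that no helper it execs can ever regain them.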