xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision 80ab886d233f514d54c2a6bdeb9fdfd951bd6881) 
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25INSERT COMMENT
26 */
27
28#pragma ident	"%Z%%M%	%I%	%E% SMI"
29
30#
31# Privileges can be added to this file at any location, not
32# necessarily at the end.  For patches, it is probably best to
33# add the new privilege at the end; for ordinary releases privileges
34# should be ordered alphabetically.
35#
36
37privilege PRIV_CONTRACT_EVENT
38
39	Allows a process to request critical events without limitation.
40	Allows a process to request reliable delivery of all events on
41	any event queue.
42
43privilege PRIV_CONTRACT_OBSERVER
44
45	Allows a process to observe contract events generated by
46	contracts created and owned by users other than the process's
47	effective user ID.
48	Allows a process to open contract event endpoints belonging to
49	contracts created and owned by users other than the process's
50	effective user ID.
51
52privilege PRIV_CPC_CPU
53
54	Allow a process to access per-CPU hardware performance counters.
55
56privilege PRIV_DTRACE_KERNEL
57
58	Allows DTrace kernel-level tracing.
59
60privilege PRIV_DTRACE_PROC
61
62	Allows DTrace process-level tracing.
63	Allows process-level tracing probes to be placed and enabled in
64	processes to which the user has permissions.
65
66privilege PRIV_DTRACE_USER
67
68	Allows DTrace user-level tracing.
69	Allows use of the syscall and profile DTrace providers to
70	examine processes to which the user has permissions.
71
72privilege PRIV_FILE_CHOWN
73
74	Allows a process to change a file's owner user ID.
75	Allows a process to change a file's group ID to one other than
76	the process' effective group ID or one of the process'
77	supplemental group IDs.
78
79privilege PRIV_FILE_CHOWN_SELF
80
81	Allows a process to give away its files; a process with this
82	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
83	in effect.
84
85privilege PRIV_FILE_DAC_EXECUTE
86
87	Allows a process to execute an executable file whose permission
88	bits or ACL do not allow the process execute permission.
89
90privilege PRIV_FILE_DAC_READ
91
92	Allows a process to read a file or directory whose permission
93	bits or ACL do not allow the process read permission.
94
95privilege PRIV_FILE_DAC_SEARCH
96
97	Allows a process to search a directory whose permission bits or
98	ACL do not allow the process search permission.
99
100privilege PRIV_FILE_DAC_WRITE
101
102	Allows a process to write a file or directory whose permission
103	bits or ACL do not allow the process write permission.
104	In order to write files owned by uid 0 in the absence of an
105	effective uid of 0 ALL privileges are required.
106
107privilege PRIV_FILE_DOWNGRADE_SL
108
109	Allows a process to set the sensitivity label of a file or
110	directory to a sensitivity label that does not dominate the
111	existing sensitivity label.
112	This privilege is interpreted only if the system is configured
113	with Trusted Extensions.
114
115basic privilege PRIV_FILE_LINK_ANY
116
117	Allows a process to create hardlinks to files owned by a uid
118	different from the process' effective uid.
119
120privilege PRIV_FILE_OWNER
121
122	Allows a process which is not the owner of a file or directory
123	to perform the following operations that are normally permitted
124	only for the file owner: modify that file's access and
125	modification times; remove or rename a file or directory whose
126	parent directory has the ``save text image after execution''
127	(sticky) bit set; mount a ``namefs'' upon a file; modify
128	permission bits or ACL except for the set-uid and set-gid
129	bits.
130
131privilege PRIV_FILE_SETID
132
133	Allows a process to change the ownership of a file or write to
134	a file without the set-user-ID and set-group-ID bits being
135	cleared.
136	Allows a process to set the set-group-ID bit on a file or
137	directory whose group is not the process' effective group or
138	one of the process' supplemental groups.
139	Allows a process to set the set-user-ID bit on a file with
140	different ownership in the presence of PRIV_FILE_OWNER.
141	Additional restrictions apply when creating or modifying a
142	set-uid 0 file.
143
144privilege PRIV_FILE_UPGRADE_SL
145
146	Allows a process to set the sensitivity label of a file or
147	directory to a sensitivity label that dominates the existing
148	sensitivity label.
149	This privilege is interpreted only if the system is configured
150	with Trusted Extensions.
151
152privilege PRIV_GART_ACCESS
153
154	Allows a process to make ioctls to agpgart device except
155	that AGPIOC_INFO ioctl needs no privilege. Typically only
156	xserver process needs to have this privilege. And a process
157	with this privilege is also allowed to map aperture ranges
158	through agpgart driver.
159
160privilege PRIV_GART_MAP
161
162	Allows a process to map aperture ranges through  agpgart
163	driver. This privilege won't allow the process to do agpgart
164	ioctls other than AGPIOC_INFO.
165
166privilege PRIV_IPC_DAC_READ
167
168	Allows a process to read a System V IPC
169	Message Queue, Semaphore Set, or Shared Memory Segment whose
170	permission bits do not allow the process read permission.
171	Allows a process to read remote shared memory whose
172	permission bits do not allow the process read permission.
173
174privilege PRIV_IPC_DAC_WRITE
175
176	Allows a process to write a System V IPC
177	Message Queue, Semaphore Set, or Shared Memory Segment whose
178	permission bits do not allow the process write permission.
179	Allows a process to read remote shared memory whose
180	permission bits do not allow the process write permission.
181	Additional restrictions apply if the owner of the object has uid 0
182	and the effective uid of the current process is not 0.
183
184privilege PRIV_IPC_OWNER
185
186	Allows a process which is not the owner of a System
187	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
188	remove, change ownership of, or change permission bits of the
189	Message Queue, Semaphore Set, or Shared Memory Segment.
190	Additional restrictions apply if the owner of the object has uid 0
191	and the effective uid of the current process is not 0.
192
193privilege PRIV_NET_BINDMLP
194
195	Allow a process to bind to a port that is configured as a
196	multi-level port(MLP) for the process's zone. This privilege
197	applies to both shared address and zone-specific address MLPs.
198	See tnzonecfg(4) from the Trusted Extensions manual pages for
199	information on configuring MLP ports.
200	This privilege is interpreted only if the system is configured
201	with Trusted Extensions.
202
203privilege PRIV_NET_ICMPACCESS
204
205	Allows a process to send and receive ICMP packets.
206
207privilege PRIV_NET_MAC_AWARE
208
209	Allows a process to set NET_MAC_AWARE process flag by using
210	setpflags(2). This privilege also allows a process to set
211	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
212	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
213	option both allow a local process to communicate with an
214	unlabeled peer if the local process' label dominates the
215	peer's default label, or if the local process runs in the
216	global zone.
217	This privilege is interpreted only if the system is configured
218	with Trusted Extensions.
219
220privilege PRIV_NET_PRIVADDR
221
222	Allows a process to bind to a privileged port
223	number. The privilege port numbers are 1-1023 (the traditional
224	UNIX privileged ports) as well as those ports marked as
225	"udp/tcp_extra_priv_ports" with the exception of the ports
226	reserved for use by NFS.
227
228privilege PRIV_NET_RAWACCESS
229
230	Allows a process to have direct access to the network layer.
231
232unsafe privilege PRIV_PROC_AUDIT
233
234	Allows a process to generate audit records.
235	Allows a process to get its own audit pre-selection information.
236
237privilege PRIV_PROC_CHROOT
238
239	Allows a process to change its root directory.
240
241privilege PRIV_PROC_CLOCK_HIGHRES
242
243	Allows a process to use high resolution timers.
244
245basic privilege PRIV_PROC_EXEC
246
247	Allows a process to call execve().
248
249basic privilege PRIV_PROC_FORK
250
251	Allows a process to call fork1()/forkall()/vfork()
252
253basic privilege PRIV_PROC_INFO
254
255	Allows a process to examine the status of processes other
256	than those it can send signals to.  Processes which cannot
257	be examined cannot be seen in /proc and appear not to exist.
258
259privilege PRIV_PROC_LOCK_MEMORY
260
261	Allows a process to lock pages in physical memory.
262
263privilege PRIV_PROC_OWNER
264
265	Allows a process to send signals to other processes, inspect
266	and modify process state to other processes regardless of
267	ownership.  When modifying another process, additional
268	restrictions apply:  the effective privilege set of the
269	attaching process must be a superset of the target process'
270	effective, permitted and inheritable sets; the limit set must
271	be a superset of the target's limit set; if the target process
272	has any uid set to 0 all privilege must be asserted unless the
273	effective uid is 0.
274	Allows a process to bind arbitrary processes to CPUs.
275
276privilege PRIV_PROC_PRIOCNTL
277
278	Allows a process to elevate its priority above its current level.
279	Allows a process to change its scheduling class to any scheduling class,
280	including the RT class.
281
282basic privilege PRIV_PROC_SESSION
283
284	Allows a process to send signals or trace processes outside its
285	session.
286
287unsafe privilege PRIV_PROC_SETID
288
289	Allows a process to set its uids at will.
290	Assuming uid 0 requires all privileges to be asserted.
291
292privilege PRIV_PROC_TASKID
293
294	Allows a process to assign a new task ID to the calling process.
295
296privilege PRIV_PROC_ZONE
297
298	Allows a process to trace or send signals to processes in
299	other zones.
300
301privilege PRIV_SYS_ACCT
302
303	Allows a process to enable and disable and manage accounting through
304	acct(2), getacct(2), putacct(2) and wracct(2).
305
306privilege PRIV_SYS_ADMIN
307
308	Allows a process to perform system administration tasks such
309	as setting node and domain name and specifying nscd and coreadm
310	settings.
311
312privilege PRIV_SYS_AUDIT
313
314	Allows a process to start the (kernel) audit daemon.
315	Allows a process to view and set audit state (audit user ID,
316	audit terminal ID, audit sessions ID, audit pre-selection mask).
317	Allows a process to turn off and on auditing.
318	Allows a process to configure the audit parameters (cache and
319	queue sizes, event to class mappings, policy options).
320
321privilege PRIV_SYS_CONFIG
322
323	Allows a process to perform various system configuration tasks.
324	Allows a process to add and remove swap devices; when adding a swap
325	device, a process must also have sufficient privileges to read from
326	and write to the swap device.
327
328privilege PRIV_SYS_DEVICES
329
330	Allows a process to successfully call a kernel module that
331	calls the kernel drv_priv(9F) function to check for allowed
332	access.
333	Allows a process to open the real console device directly.
334	Allows a process to open devices that have been exclusively opened.
335
336privilege PRIV_SYS_IPC_CONFIG
337
338	Allows a process to increase the size of a System V IPC Message
339	Queue buffer.
340
341privilege PRIV_SYS_LINKDIR
342
343	Allows a process to unlink and link directories.
344
345privilege PRIV_SYS_MOUNT
346
347	Allows filesystem specific administrative procedures, such as
348	filesystem configuration ioctls, quota calls and creation/deletion
349	of snapshots.
350	Allows a process to mount and unmount filesystems which would
351	otherwise be restricted (i.e., most filesystems except
352	namefs).
353	A process performing a mount operation needs to have
354	appropriate access to the device being mounted (read-write for
355	"rw" mounts, read for "ro" mounts).
356	A process performing any of the aforementioned
357	filesystem operations needs to have read/write/owner
358	access to the mount point.
359	Only regular files and directories can serve as mount points
360	for processes which do not have all zone privileges asserted.
361	Unless a process has all zone privileges, the mount(2)
362	system call will force the "nosuid" and "restrict" options, the
363	latter only for autofs mountpoints.
364	Regardless of privileges, a process running in a non-global zone may
365	only control mounts performed from within said zone.
366	Outside the global zone, the "nodevices" option is always forced.
367
368privilege PRIV_SYS_NET_CONFIG
369
370	Allows a process to configure a system's network interfaces and routes.
371	Allows a process to configure network parameters using ndd.
372	Allows a process access to otherwise restricted information using ndd.
373	Allows a process to push the rpcmod STREAMs module.
374	Allows a process to pop anchored STREAMs modules.
375	Allows a process to INSERT/REMOVE STREAMs modules on locations other
376	than the top of the module stack.
377	Allows a process to configure IPsec.
378
379privilege PRIV_SYS_NFS
380
381	Allows a process to perform Sun private NFS specific system calls.
382	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
383	and port 4045 (lockd).
384
385privilege PRIV_SYS_RES_CONFIG
386
387	Allows a process to create and delete processor sets, assign
388	CPUs to processor sets and override the PSET_NOESCAPE property.
389	Allows a process to change the operational status of CPUs in
390	the system using p_online(2).
391	Allows a process to configure resource pools and to bind
392	processes to pools
393
394unsafe privilege PRIV_SYS_RESOURCE
395
396	Allows a process to modify the resource limits specified
397	by setrlimit(2) and setrctl(2) without restriction.
398	Allows a process to exceed the per-user maximum number of
399	processes.
400	Allows a process to extend or create files on a filesystem that
401	has less than minfree space in reserve.
402
403privilege PRIV_SYS_SUSER_COMPAT
404
405	Allows a process to successfully call a third party loadable module
406	that calls the kernel suser() function to check for allowed access.
407	This privilege exists only for third party loadable module
408	compatibility and is not used by Solaris proper.
409
410privilege PRIV_SYS_TIME
411
412	Allows a process to manipulate system time using any of the
413	appropriate system calls: stime, adjtime, ntp_adjtime and
414	the IA specific RTC calls.
415
416privilege PRIV_SYS_TRANS_LABEL
417
418	Allows a process to translate labels that are not dominated
419	by the process' sensitivity label to and from an external
420	string form.
421	This privilege is interpreted only if the system is configured
422	with Trusted Extensions.
423
424privilege PRIV_WIN_COLORMAP
425
426	Allows a process to override colormap restrictions.
427        Allows a process to install or remove colormaps.
428        Allows a process to retrieve colormap cell entries allocated
429	by other processes.
430	This privilege is interpreted only if the system is configured
431	with Trusted Extensions.
432
433privilege PRIV_WIN_CONFIG
434
435	Allows a process to configure or destroy resources that are
436	permanently retained by the X server.
437        Allows a process to use SetScreenSaver to set the screen
438	saver timeout value.
439        Allows a process to use ChangeHosts to modify the display
440	access control list.
441        Allows a process to use GrabServer.
442        Allows a process to use the SetCloseDownMode request which
443	may retain window, pixmap, colormap, property, cursor, font,
444	or graphic context resources.
445	This privilege is interpreted only if the system is configured
446	with Trusted Extensions.
447
448privilege PRIV_WIN_DAC_READ
449
450	Allows a process to read from a window resource that it does
451	not own (has a different user ID).
452	This privilege is interpreted only if the system is configured
453	with Trusted Extensions.
454
455privilege PRIV_WIN_DAC_WRITE
456
457	Allows a process to write to or create a window resource that
458	it does not own (has a different user ID). A newly created
459	window property is created with the window's user ID.
460	This privilege is interpreted only if the system is configured
461	with Trusted Extensions.
462
463privilege PRIV_WIN_DEVICES
464
465	Allows a process to perform operations on window input devices.
466        Allows a process to get and set keyboard and pointer controls.
467        Allows a process to modify pointer button and key mappings.
468	This privilege is interpreted only if the system is configured
469	with Trusted Extensions.
470
471privilege PRIV_WIN_DGA
472
473	Allows a process to use the direct graphics access (DGA) X protocol
474	extensions. Direct process access to the frame buffer is still
475	required. Thus the process must have MAC and DAC privileges that
476	allow access to the frame buffer, or the frame buffer must be
477        allocated to the process.
478	This privilege is interpreted only if the system is configured
479	with Trusted Extensions.
480
481privilege PRIV_WIN_DOWNGRADE_SL
482
483	Allows a process to set the sensitivity label of a window resource
484	to a sensitivity label that does not dominate the existing
485	sensitivity label.
486	This privilege is interpreted only if the system is configured
487	with Trusted Extensions.
488
489privilege PRIV_WIN_FONTPATH
490
491	Allows a process to set a font path.
492	This privilege is interpreted only if the system is configured
493	with Trusted Extensions.
494
495privilege PRIV_WIN_MAC_READ
496
497	Allows a process to read from a window resource whose sensitivity
498	label is not equal to the process sensitivity label.
499	This privilege is interpreted only if the system is configured
500	with Trusted Extensions.
501
502privilege PRIV_WIN_MAC_WRITE
503
504	Allows a process to create a window resource whose sensitivity
505	label is not equal to the process sensitivity label.
506	A newly created window property is created with the window's
507	sensitivity label.
508	This privilege is interpreted only if the system is configured
509	with Trusted Extensions.
510
511privilege PRIV_WIN_SELECTION
512
513	Allows a process to request inter-window data moves without the
514	intervention of the selection confirmer.
515	This privilege is interpreted only if the system is configured
516	with Trusted Extensions.
517
518privilege PRIV_WIN_UPGRADE_SL
519
520	Allows a process to set the sensitivity label of a window
521	resource to a sensitivity label that dominates the existing
522	sensitivity label.
523	This privilege is interpreted only if the system is configured
524	with Trusted Extensions.
525
526set PRIV_EFFECTIVE
527
528	Set of privileges currently in effect.
529
530set PRIV_INHERITABLE
531
532	Set of privileges that comes into effect on exec.
533
534set PRIV_PERMITTED
535
536	Set of privileges that can be put into the effective set without
537	restriction.
538
539set PRIV_LIMIT
540
541	Set of privileges that determines the absolute upper bound of
542	privileges this process and its off-spring can obtain.
543