xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision 932cf989e70cd9d0418891b72e973f56f41c28b1)
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25INSERT COMMENT
26 */
27
28#pragma ident	"%Z%%M%	%I%	%E% SMI"
29
30#
31# Privileges can be added to this file at any location, not
32# necessarily at the end.  For patches, it is probably best to
33# add the new privilege at the end; for ordinary releases privileges
34# should be ordered alphabetically.
35#
36
37privilege PRIV_CONTRACT_EVENT
38
39	Allows a process to request critical events without limitation.
40	Allows a process to request reliable delivery of all events on
41	any event queue.
42
43privilege PRIV_CONTRACT_IDENTITY
44	Allows a process to set the service FMRI value of a process
45	contract template.
46
47privilege PRIV_CONTRACT_OBSERVER
48
49	Allows a process to observe contract events generated by
50	contracts created and owned by users other than the process's
51	effective user ID.
52	Allows a process to open contract event endpoints belonging to
53	contracts created and owned by users other than the process's
54	effective user ID.
55
56privilege PRIV_CPC_CPU
57
58	Allows a process to access per-CPU hardware performance counters.
59
60privilege PRIV_DTRACE_KERNEL
61
62	Allows DTrace kernel-level tracing.
63
64privilege PRIV_DTRACE_PROC
65
66	Allows DTrace process-level tracing.
67	Allows process-level tracing probes to be placed and enabled in
68	processes to which the user has permissions.
69
70privilege PRIV_DTRACE_USER
71
72	Allows DTrace user-level tracing.
73	Allows use of the syscall and profile DTrace providers to
74	examine processes to which the user has permissions.
75
76privilege PRIV_FILE_CHOWN
77
78	Allows a process to change a file's owner user ID.
79	Allows a process to change a file's group ID to one other than
80	the process' effective group ID or one of the process'
81	supplemental group IDs.
82
83privilege PRIV_FILE_CHOWN_SELF
84
85	Allows a process to give away its files; a process with this
86	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
87	in effect.
88
89privilege PRIV_FILE_DAC_EXECUTE
90
91	Allows a process to execute an executable file whose permission
92	bits or ACL do not allow the process execute permission.
93
94privilege PRIV_FILE_DAC_READ
95
96	Allows a process to read a file or directory whose permission
97	bits or ACL do not allow the process read permission.
98
99privilege PRIV_FILE_DAC_SEARCH
100
101	Allows a process to search a directory whose permission bits or
102	ACL do not allow the process search permission.
103
104privilege PRIV_FILE_DAC_WRITE
105
106	Allows a process to write a file or directory whose permission
107	bits or ACL do not allow the process write permission.
108	In order to write files owned by uid 0 in the absence of an
109	effective uid of 0 ALL privileges are required.
110
111privilege PRIV_FILE_DOWNGRADE_SL
112
113	Allows a process to set the sensitivity label of a file or
114	directory to a sensitivity label that does not dominate the
115	existing sensitivity label.
116	This privilege is interpreted only if the system is configured
117	with Trusted Extensions.
118
119basic privilege PRIV_FILE_LINK_ANY
120
121	Allows a process to create hardlinks to files owned by a uid
122	different from the process' effective uid.
123
124privilege PRIV_FILE_OWNER
125
126	Allows a process which is not the owner of a file or directory
127	to perform the following operations that are normally permitted
128	only for the file owner: modify that file's access and
129	modification times; remove or rename a file or directory whose
130	parent directory has the ``save text image after execution''
131	(sticky) bit set; mount a ``namefs'' upon a file; modify
132	permission bits or ACL except for the set-uid and set-gid
133	bits.
134
135privilege PRIV_FILE_SETID
136
137	Allows a process to change the ownership of a file or write to
138	a file without the set-user-ID and set-group-ID bits being
139	cleared.
140	Allows a process to set the set-group-ID bit on a file or
141	directory whose group is not the process' effective group or
142	one of the process' supplemental groups.
143	Allows a process to set the set-user-ID bit on a file with
144	different ownership in the presence of PRIV_FILE_OWNER.
145	Additional restrictions apply when creating or modifying a
146	set-uid 0 file.
147
148privilege PRIV_FILE_UPGRADE_SL
149
150	Allows a process to set the sensitivity label of a file or
151	directory to a sensitivity label that dominates the existing
152	sensitivity label.
153	This privilege is interpreted only if the system is configured
154	with Trusted Extensions.
155
156privilege PRIV_FILE_FLAG_SET
157
158	Allows a process to set immutable, nounlink or appendonly
159	file attributes.
160
161privilege PRIV_GRAPHICS_ACCESS
162
163	Allows a process to make privileged ioctls to graphics devices.
164	Typically only the X server process needs to have this privilege.
165	A process with this privilege is also allowed to perform
166	privileged graphics device mappings.
167
168privilege PRIV_GRAPHICS_MAP
169
170	Allows a process to perform privileged mappings through a
171	graphics device.
172
173privilege PRIV_IPC_DAC_READ
174
175	Allows a process to read a System V IPC
176	Message Queue, Semaphore Set, or Shared Memory Segment whose
177	permission bits do not allow the process read permission.
178	Allows a process to read remote shared memory whose
179	permission bits do not allow the process read permission.
180
181privilege PRIV_IPC_DAC_WRITE
182
183	Allows a process to write a System V IPC
184	Message Queue, Semaphore Set, or Shared Memory Segment whose
185	permission bits do not allow the process write permission.
186	Allows a process to read remote shared memory whose
187	permission bits do not allow the process write permission.
188	Additional restrictions apply if the owner of the object has uid 0
189	and the effective uid of the current process is not 0.
190
191privilege PRIV_IPC_OWNER
192
193	Allows a process which is not the owner of a System
194	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
195	remove, change ownership of, or change permission bits of the
196	Message Queue, Semaphore Set, or Shared Memory Segment.
197	Additional restrictions apply if the owner of the object has uid 0
198	and the effective uid of the current process is not 0.
199
200privilege PRIV_NET_BINDMLP
201
202	Allows a process to bind to a port that is configured as a
203	multi-level port (MLP) for the process's zone. This privilege
204	applies to both shared address and zone-specific address MLPs.
205	See tnzonecfg(4) from the Trusted Extensions manual pages for
206	information on configuring MLP ports.
207	This privilege is interpreted only if the system is configured
208	with Trusted Extensions.
209
210privilege PRIV_NET_ICMPACCESS
211
212	Allows a process to send and receive ICMP packets.
213
214privilege PRIV_NET_MAC_AWARE
215
216	Allows a process to set the NET_MAC_AWARE process flag by using
217	setpflags(2). This privilege also allows a process to set the
218	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
219	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
220	option both allow a local process to communicate with an
221	unlabeled peer if the local process' label dominates the
222	peer's default label, or if the local process runs in the
223	global zone.
224	This privilege is interpreted only if the system is configured
225	with Trusted Extensions.
226
227privilege PRIV_NET_PRIVADDR
228
229	Allows a process to bind to a privileged port
230	number. The privileged port numbers are 1-1023 (the traditional
231	UNIX privileged ports) as well as those ports marked as
232	"udp/tcp_extra_priv_ports" with the exception of the ports
233	reserved for use by NFS.
234
235privilege PRIV_NET_RAWACCESS
236
237	Allows a process to have direct access to the network layer.
238
239unsafe privilege PRIV_PROC_AUDIT
240
241	Allows a process to generate audit records.
242	Allows a process to get its own audit pre-selection information.
243
244privilege PRIV_PROC_CHROOT
245
246	Allows a process to change its root directory.
247
248privilege PRIV_PROC_CLOCK_HIGHRES
249
250	Allows a process to use high resolution timers.
251
252basic privilege PRIV_PROC_EXEC
253
254	Allows a process to call execve().
255
256basic privilege PRIV_PROC_FORK
257
258	Allows a process to call fork1()/forkall()/vfork().
259
260basic privilege PRIV_PROC_INFO
261
262	Allows a process to examine the status of processes other
263	than those it can send signals to.  Processes which cannot
264	be examined cannot be seen in /proc and appear not to exist.
265
266privilege PRIV_PROC_LOCK_MEMORY
267
268	Allows a process to lock pages in physical memory.
269
270privilege PRIV_PROC_OWNER
271
272	Allows a process to send signals to other processes, and to inspect
273	and modify the process state of other processes, regardless of
274	ownership.  When modifying another process, additional
275	restrictions apply:  the effective privilege set of the
276	attaching process must be a superset of the target process'
277	effective, permitted and inheritable sets; the limit set must
278	be a superset of the target's limit set; if the target process
279	has any uid set to 0 all privileges must be asserted unless the
280	effective uid is 0.
281	Allows a process to bind arbitrary processes to CPUs.
282
283privilege PRIV_PROC_PRIOCNTL
284
285	Allows a process to elevate its priority above its current level.
286	Allows a process to change its scheduling class to any scheduling class,
287	including the RT class.
288
289basic privilege PRIV_PROC_SESSION
290
291	Allows a process to send signals or trace processes outside its
292	session.
293
294unsafe privilege PRIV_PROC_SETID
295
296	Allows a process to set its uids at will.
297	Assuming uid 0 requires all privileges to be asserted.
298
299privilege PRIV_PROC_TASKID
300
301	Allows a process to assign a new task ID to the calling process.
302
303privilege PRIV_PROC_ZONE
304
305	Allows a process to trace or send signals to processes in
306	other zones.
307
308privilege PRIV_SYS_ACCT
309
310	Allows a process to enable, disable and manage accounting through
311	acct(2), getacct(2), putacct(2) and wracct(2).
312
313privilege PRIV_SYS_ADMIN
314
315	Allows a process to perform system administration tasks such
316	as setting node and domain name and specifying nscd and coreadm
317	settings.
318
319privilege PRIV_SYS_AUDIT
320
321	Allows a process to start the (kernel) audit daemon.
322	Allows a process to view and set audit state (audit user ID,
323	audit terminal ID, audit session ID, audit pre-selection mask).
324	Allows a process to turn off and on auditing.
325	Allows a process to configure the audit parameters (cache and
326	queue sizes, event to class mappings, policy options).
327
328privilege PRIV_SYS_CONFIG
329
330	Allows a process to perform various system configuration tasks.
331	Allows a process to add and remove swap devices; when adding a swap
332	device, a process must also have sufficient privileges to read from
333	and write to the swap device.
334
335privilege PRIV_SYS_DEVICES
336
337	Allows a process to successfully call a kernel module that
338	calls the kernel drv_priv(9F) function to check for allowed
339	access.
340	Allows a process to open the real console device directly.
341	Allows a process to open devices that have been exclusively opened.
342
343privilege PRIV_SYS_IPC_CONFIG
344
345	Allows a process to increase the size of a System V IPC Message
346	Queue buffer.
347
348privilege PRIV_SYS_LINKDIR
349
350	Allows a process to unlink and link directories.
351
352privilege PRIV_SYS_MOUNT
353
354	Allows filesystem specific administrative procedures, such as
355	filesystem configuration ioctls, quota calls and creation/deletion
356	of snapshots.
357	Allows a process to mount and unmount filesystems which would
358	otherwise be restricted (i.e., most filesystems except
359	namefs).
360	A process performing a mount operation needs to have
361	appropriate access to the device being mounted (read-write for
362	"rw" mounts, read for "ro" mounts).
363	A process performing any of the aforementioned
364	filesystem operations needs to have read/write/owner
365	access to the mount point.
366	Only regular files and directories can serve as mount points
367	for processes which do not have all zone privileges asserted.
368	Unless a process has all zone privileges, the mount(2)
369	system call will force the "nosuid" and "restrict" options, the
370	latter only for autofs mountpoints.
371	Regardless of privileges, a process running in a non-global zone may
372	only control mounts performed from within said zone.
373	Outside the global zone, the "nodevices" option is always forced.
374
375privilege PRIV_SYS_IP_CONFIG
376
377	Allows a process to configure a system's network interfaces and routes.
378	Allows a process to configure network parameters using ndd.
379	Allows a process access to otherwise restricted information using ndd.
380	Allows a process to configure IPsec.
381	Allows a process to pop anchored STREAMs modules with matching zoneid.
382
383privilege PRIV_SYS_NET_CONFIG
384
385	Allows all that PRIV_SYS_IP_CONFIG allows.
386	Allows a process to push the rpcmod STREAMs module.
387	Allows a process to INSERT/REMOVE STREAMs modules on locations other
388	than the top of the module stack.
389
390privilege PRIV_SYS_NFS
391
392	Allows a process to perform Sun private NFS specific system calls.
393	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
394	and port 4045 (lockd).
395
396privilege PRIV_SYS_RES_CONFIG
397
398	Allows a process to create and delete processor sets, assign
399	CPUs to processor sets and override the PSET_NOESCAPE property.
400	Allows a process to change the operational status of CPUs in
401	the system using p_online(2).
402	Allows a process to configure resource pools and to bind
403	processes to pools.
404
405unsafe privilege PRIV_SYS_RESOURCE
406
407	Allows a process to modify the resource limits specified
408	by setrlimit(2) and setrctl(2) without restriction.
409	Allows a process to exceed the per-user maximum number of
410	processes.
411	Allows a process to extend or create files on a filesystem that
412	has less than minfree space in reserve.
413
414privilege PRIV_SYS_SMB
415
416	Allows a process to access the Sun private SMB kernel module.
417	Allows a process to bind to ports reserved by NetBIOS and SMB:
418	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
419	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
420
421privilege PRIV_SYS_SUSER_COMPAT
422
423	Allows a process to successfully call a third party loadable module
424	that calls the kernel suser() function to check for allowed access.
425	This privilege exists only for third party loadable module
426	compatibility and is not used by Solaris proper.
427
428privilege PRIV_SYS_TIME
429
430	Allows a process to manipulate system time using any of the
431	appropriate system calls: stime, adjtime, ntp_adjtime and
432	the IA specific RTC calls.
433
434privilege PRIV_SYS_TRANS_LABEL
435
436	Allows a process to translate labels that are not dominated
437	by the process' sensitivity label to and from an external
438	string form.
439	This privilege is interpreted only if the system is configured
440	with Trusted Extensions.
441
442privilege PRIV_WIN_COLORMAP
443
444	Allows a process to override colormap restrictions.
445        Allows a process to install or remove colormaps.
446        Allows a process to retrieve colormap cell entries allocated
447	by other processes.
448	This privilege is interpreted only if the system is configured
449	with Trusted Extensions.
450
451privilege PRIV_WIN_CONFIG
452
453	Allows a process to configure or destroy resources that are
454	permanently retained by the X server.
455        Allows a process to use SetScreenSaver to set the screen
456	saver timeout value.
457        Allows a process to use ChangeHosts to modify the display
458	access control list.
459        Allows a process to use GrabServer.
460        Allows a process to use the SetCloseDownMode request which
461	may retain window, pixmap, colormap, property, cursor, font,
462	or graphic context resources.
463	This privilege is interpreted only if the system is configured
464	with Trusted Extensions.
465
466privilege PRIV_WIN_DAC_READ
467
468	Allows a process to read from a window resource that it does
469	not own (has a different user ID).
470	This privilege is interpreted only if the system is configured
471	with Trusted Extensions.
472
473privilege PRIV_WIN_DAC_WRITE
474
475	Allows a process to write to or create a window resource that
476	it does not own (has a different user ID). A newly created
477	window property is created with the window's user ID.
478	This privilege is interpreted only if the system is configured
479	with Trusted Extensions.
480
481privilege PRIV_WIN_DEVICES
482
483	Allows a process to perform operations on window input devices.
484        Allows a process to get and set keyboard and pointer controls.
485        Allows a process to modify pointer button and key mappings.
486	This privilege is interpreted only if the system is configured
487	with Trusted Extensions.
488
489privilege PRIV_WIN_DGA
490
491	Allows a process to use the direct graphics access (DGA) X protocol
492	extensions. Direct process access to the frame buffer is still
493	required. Thus the process must have MAC and DAC privileges that
494	allow access to the frame buffer, or the frame buffer must be
495        allocated to the process.
496	This privilege is interpreted only if the system is configured
497	with Trusted Extensions.
498
499privilege PRIV_WIN_DOWNGRADE_SL
500
501	Allows a process to set the sensitivity label of a window resource
502	to a sensitivity label that does not dominate the existing
503	sensitivity label.
504	This privilege is interpreted only if the system is configured
505	with Trusted Extensions.
506
507privilege PRIV_WIN_FONTPATH
508
509	Allows a process to set a font path.
510	This privilege is interpreted only if the system is configured
511	with Trusted Extensions.
512
513privilege PRIV_WIN_MAC_READ
514
515	Allows a process to read from a window resource whose sensitivity
516	label is not equal to the process sensitivity label.
517	This privilege is interpreted only if the system is configured
518	with Trusted Extensions.
519
520privilege PRIV_WIN_MAC_WRITE
521
522	Allows a process to create a window resource whose sensitivity
523	label is not equal to the process sensitivity label.
524	A newly created window property is created with the window's
525	sensitivity label.
526	This privilege is interpreted only if the system is configured
527	with Trusted Extensions.
528
529privilege PRIV_WIN_SELECTION
530
531	Allows a process to request inter-window data moves without the
532	intervention of the selection confirmer.
533	This privilege is interpreted only if the system is configured
534	with Trusted Extensions.
535
536privilege PRIV_WIN_UPGRADE_SL
537
538	Allows a process to set the sensitivity label of a window
539	resource to a sensitivity label that dominates the existing
540	sensitivity label.
541	This privilege is interpreted only if the system is configured
542	with Trusted Extensions.
543
544set PRIV_EFFECTIVE
545
546	Set of privileges currently in effect.
547
548set PRIV_INHERITABLE
549
550	Set of privileges that comes into effect on exec.
551
552set PRIV_PERMITTED
553
554	Set of privileges that can be put into the effective set without
555	restriction.
556
557set PRIV_LIMIT
558
559	Set of privileges that determines the absolute upper bound of
560	privileges this process and its offspring can obtain.
561