1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25INSERT COMMENT
26 */
27
28#pragma ident	"%Z%%M%	%I%	%E% SMI"
29
30#
31# Privileges can be added to this file at any location, not
32# necessarily at the end.  For patches, it is probably best to
33# add the new privilege at the end; for ordinary releases privileges
34# should be ordered alphabetically.
35#
36
37privilege PRIV_CONTRACT_EVENT
38
39	Allows a process to request critical events without limitation.
40	Allows a process to request reliable delivery of all events on
41	any event queue.
42
43privilege PRIV_CONTRACT_IDENTITY
44
45	Allows a process to set the service FMRI value of a process
46	contract template.
47
48privilege PRIV_CONTRACT_OBSERVER
49
50	Allows a process to observe contract events generated by
51	contracts created and owned by users other than the process's
52	effective user ID.
53	Allows a process to open contract event endpoints belonging to
54	contracts created and owned by users other than the process's
55	effective user ID.
56
57privilege PRIV_CPC_CPU
58
59	Allows a process to access per-CPU hardware performance counters.
60
61privilege PRIV_DTRACE_KERNEL
62
63	Allows DTrace kernel-level tracing.
64
65privilege PRIV_DTRACE_PROC
66
67	Allows DTrace process-level tracing.
68	Allows process-level tracing probes to be placed and enabled in
69	processes to which the user has permissions.
70
71privilege PRIV_DTRACE_USER
72
73	Allows DTrace user-level tracing.
74	Allows use of the syscall and profile DTrace providers to
75	examine processes to which the user has permissions.
76
77privilege PRIV_FILE_CHOWN
78
79	Allows a process to change a file's owner user ID.
80	Allows a process to change a file's group ID to one other than
81	the process' effective group ID or one of the process'
82	supplemental group IDs.
83
84privilege PRIV_FILE_CHOWN_SELF
85
86	Allows a process to give away its files; a process with this
87	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
88	in effect.
89
90privilege PRIV_FILE_DAC_EXECUTE
91
92	Allows a process to execute an executable file whose permission
93	bits or ACL do not allow the process execute permission.
94
95privilege PRIV_FILE_DAC_READ
96
97	Allows a process to read a file or directory whose permission
98	bits or ACL do not allow the process read permission.
99
100privilege PRIV_FILE_DAC_SEARCH
101
102	Allows a process to search a directory whose permission bits or
103	ACL do not allow the process search permission.
104
105privilege PRIV_FILE_DAC_WRITE
106
107	Allows a process to write a file or directory whose permission
108	bits or ACL do not allow the process write permission.
109	In order to write files owned by uid 0 in the absence of an
110	effective uid of 0 ALL privileges are required.
111
112privilege PRIV_FILE_DOWNGRADE_SL
113
114	Allows a process to set the sensitivity label of a file or
115	directory to a sensitivity label that does not dominate the
116	existing sensitivity label.
117	This privilege is interpreted only if the system is configured
118	with Trusted Extensions.
119
120basic privilege PRIV_FILE_LINK_ANY
121
122	Allows a process to create hardlinks to files owned by a uid
123	different from the process' effective uid.
124
125privilege PRIV_FILE_OWNER
126
127	Allows a process which is not the owner of a file or directory
128	to perform the following operations that are normally permitted
129	only for the file owner: modify that file's access and
130	modification times; remove or rename a file or directory whose
131	parent directory has the ``save text image after execution''
132	(sticky) bit set; mount a ``namefs'' upon a file; modify
133	permission bits or ACL except for the set-uid and set-gid
134	bits.
135
136privilege PRIV_FILE_SETID
137
138	Allows a process to change the ownership of a file or write to
139	a file without the set-user-ID and set-group-ID bits being
140	cleared.
141	Allows a process to set the set-group-ID bit on a file or
142	directory whose group is not the process' effective group or
143	one of the process' supplemental groups.
144	Allows a process to set the set-user-ID bit on a file with
145	different ownership in the presence of PRIV_FILE_OWNER.
146	Additional restrictions apply when creating or modifying a
147	set-uid 0 file.
148
149privilege PRIV_FILE_UPGRADE_SL
150
151	Allows a process to set the sensitivity label of a file or
152	directory to a sensitivity label that dominates the existing
153	sensitivity label.
154	This privilege is interpreted only if the system is configured
155	with Trusted Extensions.
156
157privilege PRIV_FILE_FLAG_SET
158
159	Allows a process to set immutable, nounlink or appendonly
160	file attributes.
161
162privilege PRIV_GRAPHICS_ACCESS
163
164	Allows a process to make privileged ioctls to graphics devices.
165	Typically only the X server process needs to have this privilege.
166	A process with this privilege is also allowed to perform
167	privileged graphics device mappings.
168
169privilege PRIV_GRAPHICS_MAP
170
171	Allows a process to perform privileged mappings through a
172	graphics device.
173
174privilege PRIV_IPC_DAC_READ
175
176	Allows a process to read a System V IPC
177	Message Queue, Semaphore Set, or Shared Memory Segment whose
178	permission bits do not allow the process read permission.
179	Allows a process to read remote shared memory whose
180	permission bits do not allow the process read permission.
181
182privilege PRIV_IPC_DAC_WRITE
183
184	Allows a process to write a System V IPC
185	Message Queue, Semaphore Set, or Shared Memory Segment whose
186	permission bits do not allow the process write permission.
187	Allows a process to write remote shared memory whose
188	permission bits do not allow the process write permission.
189	Additional restrictions apply if the owner of the object has uid 0
190	and the effective uid of the current process is not 0.
191
192privilege PRIV_IPC_OWNER
193
194	Allows a process which is not the owner of a System
195	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
196	remove, change ownership of, or change permission bits of the
197	Message Queue, Semaphore Set, or Shared Memory Segment.
198	Additional restrictions apply if the owner of the object has uid 0
199	and the effective uid of the current process is not 0.
200
201privilege PRIV_NET_BINDMLP
202
203	Allows a process to bind to a port that is configured as a
204	multi-level port (MLP) for the process's zone. This privilege
205	applies to both shared address and zone-specific address MLPs.
206	See tnzonecfg(4) from the Trusted Extensions manual pages for
207	information on configuring MLP ports.
208	This privilege is interpreted only if the system is configured
209	with Trusted Extensions.
210
211privilege PRIV_NET_ICMPACCESS
212
213	Allows a process to send and receive ICMP packets.
214
215privilege PRIV_NET_MAC_AWARE
216
217	Allows a process to set the NET_MAC_AWARE process flag by using
218	setpflags(2). This privilege also allows a process to set the
219	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
220	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
221	option both allow a local process to communicate with an
222	unlabeled peer if the local process' label dominates the
223	peer's default label, or if the local process runs in the
224	global zone.
225	This privilege is interpreted only if the system is configured
226	with Trusted Extensions.
227
228privilege PRIV_NET_PRIVADDR
229
230	Allows a process to bind to a privileged port
231	number. The privileged port numbers are 1-1023 (the traditional
232	UNIX privileged ports) as well as those ports marked as
233	"udp/tcp_extra_priv_ports" with the exception of the ports
234	reserved for use by NFS.
235
236privilege PRIV_NET_RAWACCESS
237
238	Allows a process to have direct access to the network layer.
239
240unsafe privilege PRIV_PROC_AUDIT
241
242	Allows a process to generate audit records.
243	Allows a process to get its own audit pre-selection information.
244
245privilege PRIV_PROC_CHROOT
246
247	Allows a process to change its root directory.
248
249privilege PRIV_PROC_CLOCK_HIGHRES
250
251	Allows a process to use high resolution timers.
252
253basic privilege PRIV_PROC_EXEC
254
255	Allows a process to call execve().
256
257basic privilege PRIV_PROC_FORK
258
259	Allows a process to call fork1()/forkall()/vfork().
260
261basic privilege PRIV_PROC_INFO
262
263	Allows a process to examine the status of processes other
264	than those it can send signals to.  Processes which cannot
265	be examined cannot be seen in /proc and appear not to exist.
266
267privilege PRIV_PROC_LOCK_MEMORY
268
269	Allows a process to lock pages in physical memory.
270
271privilege PRIV_PROC_OWNER
272
273	Allows a process to send signals to other processes, inspect
274	and modify the process state of other processes regardless of
275	ownership.  When modifying another process, additional
276	restrictions apply:  the effective privilege set of the
277	attaching process must be a superset of the target process'
278	effective, permitted and inheritable sets; the limit set must
279	be a superset of the target's limit set; if the target process
280	has any uid set to 0 all privilege must be asserted unless the
281	effective uid is 0.
282	Allows a process to bind arbitrary processes to CPUs.
283
284privilege PRIV_PROC_PRIOCNTL
285
286	Allows a process to elevate its priority above its current level.
287	Allows a process to change its scheduling class to any scheduling class,
288	including the RT class.
289
290basic privilege PRIV_PROC_SESSION
291
292	Allows a process to send signals or trace processes outside its
293	session.
294
295unsafe privilege PRIV_PROC_SETID
296
297	Allows a process to set its uids at will.
298	Assuming uid 0 requires all privileges to be asserted.
299
300privilege PRIV_PROC_TASKID
301
302	Allows a process to assign a new task ID to the calling process.
303
304privilege PRIV_PROC_ZONE
305
306	Allows a process to trace or send signals to processes in
307	other zones.
308
309privilege PRIV_SYS_ACCT
310
311	Allows a process to enable, disable and manage accounting through
312	acct(2), getacct(2), putacct(2) and wracct(2).
313
314privilege PRIV_SYS_ADMIN
315
316	Allows a process to perform system administration tasks such
317	as setting node and domain name and specifying nscd and coreadm
318	settings.
319
320privilege PRIV_SYS_AUDIT
321
322	Allows a process to start the (kernel) audit daemon.
323	Allows a process to view and set audit state (audit user ID,
324	audit terminal ID, audit sessions ID, audit pre-selection mask).
325	Allows a process to turn off and on auditing.
326	Allows a process to configure the audit parameters (cache and
327	queue sizes, event to class mappings, policy options).
328
329privilege PRIV_SYS_CONFIG
330
331	Allows a process to perform various system configuration tasks.
332	Allows a process to add and remove swap devices; when adding a swap
333	device, a process must also have sufficient privileges to read from
334	and write to the swap device.
335
336privilege PRIV_SYS_DEVICES
337
338	Allows a process to successfully call a kernel module that
339	calls the kernel drv_priv(9F) function to check for allowed
340	access.
341	Allows a process to open the real console device directly.
342	Allows a process to open devices that have been exclusively opened.
343
344privilege PRIV_SYS_IPC_CONFIG
345
346	Allows a process to increase the size of a System V IPC Message
347	Queue buffer.
348
349privilege PRIV_SYS_LINKDIR
350
351	Allows a process to unlink and link directories.
352
353privilege PRIV_SYS_MOUNT
354
355	Allows filesystem specific administrative procedures, such as
356	filesystem configuration ioctls, quota calls and creation/deletion
357	of snapshots.
358	Allows a process to mount and unmount filesystems which would
359	otherwise be restricted (i.e., most filesystems except
360	namefs).
361	A process performing a mount operation needs to have
362	appropriate access to the device being mounted (read-write for
363	"rw" mounts, read for "ro" mounts).
364	A process performing any of the aforementioned
365	filesystem operations needs to have read/write/owner
366	access to the mount point.
367	Only regular files and directories can serve as mount points
368	for processes which do not have all zone privileges asserted.
369	Unless a process has all zone privileges, the mount(2)
370	system call will force the "nosuid" and "restrict" options, the
371	latter only for autofs mountpoints.
372	Regardless of privileges, a process running in a non-global zone may
373	only control mounts performed from within said zone.
374	Outside the global zone, the "nodevices" option is always forced.
375
376privilege PRIV_SYS_IP_CONFIG
377
378	Allows a process to configure a system's network interfaces and routes.
379	Allows a process to configure network parameters using ndd.
380	Allows a process access to otherwise restricted information using ndd.
381	Allows a process to configure IPsec.
382	Allows a process to pop anchored STREAMS modules with matching zoneid.
383
384privilege PRIV_SYS_NET_CONFIG
385
386	Allows all that PRIV_SYS_IP_CONFIG allows.
387	Allows a process to push the rpcmod STREAMS module.
388	Allows a process to INSERT/REMOVE STREAMS modules on locations other
389	than the top of the module stack.
390
391privilege PRIV_SYS_NFS
392
393	Allows a process to perform Sun private NFS specific system calls.
394	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
395	and 4045 (lockd).
396
397privilege PRIV_SYS_RES_CONFIG
398
399	Allows a process to create and delete processor sets, assign
400	CPUs to processor sets and override the PSET_NOESCAPE property.
401	Allows a process to change the operational status of CPUs in
402	the system using p_online(2).
403	Allows a process to configure resource pools and to bind
404	processes to pools.
405
406unsafe privilege PRIV_SYS_RESOURCE
407
408	Allows a process to modify the resource limits specified
409	by setrlimit(2) and setrctl(2) without restriction.
410	Allows a process to exceed the per-user maximum number of
411	processes.
412	Allows a process to extend or create files on a filesystem that
413	has less than minfree space in reserve.
414
415privilege PRIV_SYS_SMB
416
417	Allows a process to access the Sun private SMB kernel module.
418	Allows a process to bind to ports reserved by NetBIOS and SMB:
419	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
420	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
421
422privilege PRIV_SYS_SUSER_COMPAT
423
424	Allows a process to successfully call a third party loadable module
425	that calls the kernel suser() function to check for allowed access.
426	This privilege exists only for third party loadable module
427	compatibility and is not used by Solaris proper.
428
429privilege PRIV_SYS_TIME
430
431	Allows a process to manipulate system time using any of the
432	appropriate system calls: stime, adjtime, ntp_adjtime and
433	the IA specific RTC calls.
434
435privilege PRIV_SYS_TRANS_LABEL
436
437	Allows a process to translate labels that are not dominated
438	by the process' sensitivity label to and from an external
439	string form.
440	This privilege is interpreted only if the system is configured
441	with Trusted Extensions.
442
443privilege PRIV_VIRT_MANAGE
444
445	Allows a process to manage virtualized environments such as
446	xVM(5).
447
448privilege PRIV_WIN_COLORMAP
449
450	Allows a process to override colormap restrictions.
451	Allows a process to install or remove colormaps.
452	Allows a process to retrieve colormap cell entries allocated
453	by other processes.
454	This privilege is interpreted only if the system is configured
455	with Trusted Extensions.
456
457privilege PRIV_WIN_CONFIG
458
459	Allows a process to configure or destroy resources that are
460	permanently retained by the X server.
461	Allows a process to use SetScreenSaver to set the screen
462	saver timeout value.
463	Allows a process to use ChangeHosts to modify the display
464	access control list.
465	Allows a process to use GrabServer.
466	Allows a process to use the SetCloseDownMode request which
467	may retain window, pixmap, colormap, property, cursor, font,
468	or graphic context resources.
469	This privilege is interpreted only if the system is configured
470	with Trusted Extensions.
471
472privilege PRIV_WIN_DAC_READ
473
474	Allows a process to read from a window resource that it does
475	not own (has a different user ID).
476	This privilege is interpreted only if the system is configured
477	with Trusted Extensions.
478
479privilege PRIV_WIN_DAC_WRITE
480
481	Allows a process to write to or create a window resource that
482	it does not own (has a different user ID). A newly created
483	window property is created with the window's user ID.
484	This privilege is interpreted only if the system is configured
485	with Trusted Extensions.
486
487privilege PRIV_WIN_DEVICES
488
489	Allows a process to perform operations on window input devices.
490	Allows a process to get and set keyboard and pointer controls.
491	Allows a process to modify pointer button and key mappings.
492	This privilege is interpreted only if the system is configured
493	with Trusted Extensions.
494
495privilege PRIV_WIN_DGA
496
497	Allows a process to use the direct graphics access (DGA) X protocol
498	extensions. Direct process access to the frame buffer is still
499	required. Thus the process must have MAC and DAC privileges that
500	allow access to the frame buffer, or the frame buffer must be
501	allocated to the process.
502	This privilege is interpreted only if the system is configured
503	with Trusted Extensions.
504
505privilege PRIV_WIN_DOWNGRADE_SL
506
507	Allows a process to set the sensitivity label of a window resource
508	to a sensitivity label that does not dominate the existing
509	sensitivity label.
510	This privilege is interpreted only if the system is configured
511	with Trusted Extensions.
512
513privilege PRIV_WIN_FONTPATH
514
515	Allows a process to set a font path.
516	This privilege is interpreted only if the system is configured
517	with Trusted Extensions.
518
519privilege PRIV_WIN_MAC_READ
520
521	Allows a process to read from a window resource whose sensitivity
522	label is not equal to the process sensitivity label.
523	This privilege is interpreted only if the system is configured
524	with Trusted Extensions.
525
526privilege PRIV_WIN_MAC_WRITE
527
528	Allows a process to create a window resource whose sensitivity
529	label is not equal to the process sensitivity label.
530	A newly created window property is created with the window's
531	sensitivity label.
532	This privilege is interpreted only if the system is configured
533	with Trusted Extensions.
534
535privilege PRIV_WIN_SELECTION
536
537	Allows a process to request inter-window data moves without the
538	intervention of the selection confirmer.
539	This privilege is interpreted only if the system is configured
540	with Trusted Extensions.
541
542privilege PRIV_WIN_UPGRADE_SL
543
544	Allows a process to set the sensitivity label of a window
545	resource to a sensitivity label that dominates the existing
546	sensitivity label.
547	This privilege is interpreted only if the system is configured
548	with Trusted Extensions.
549
550privilege PRIV_XVM_CONTROL
551
552	Allows a process access to the xVM(5) control devices for
553	managing guest domains and the hypervisor. This privilege is
554	used only if booted into xVM on x86 platforms.
555
556set PRIV_EFFECTIVE
557
558	Set of privileges currently in effect.
559
560set PRIV_INHERITABLE
561
562	Set of privileges that comes into effect on exec.
563
564set PRIV_PERMITTED
565
566	Set of privileges that can be put into the effective set without
567	restriction.
568
569set PRIV_LIMIT
570
571	Set of privileges that determines the absolute upper bound of
572	privileges this process and its offspring can obtain.
573