xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision ac88567a7a5bb7f01cf22cf366bc9d6203e24d7a)
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25INSERT COMMENT
26 */
27
28#
29# Privileges can be added to this file at any location, not
30# necessarily at the end.  For patches, it is probably best to
31# add the new privilege at the end; for ordinary releases privileges
32# should be ordered alphabetically.
33#
34
35privilege PRIV_CONTRACT_EVENT
36
37	Allows a process to request critical events without limitation.
38	Allows a process to request reliable delivery of all events on
39	any event queue.
40
41privilege PRIV_CONTRACT_IDENTITY
42
43	Allows a process to set the service FMRI value of a process
44	contract template.
45
46privilege PRIV_CONTRACT_OBSERVER
47
48	Allows a process to observe contract events generated by
49	contracts created and owned by users other than the process's
50	effective user ID.
51	Allows a process to open contract event endpoints belonging to
52	contracts created and owned by users other than the process's
53	effective user ID.
54
55privilege PRIV_CPC_CPU
56
57	Allow a process to access per-CPU hardware performance counters.
58
59privilege PRIV_DTRACE_KERNEL
60
61	Allows DTrace kernel-level tracing.
62
63privilege PRIV_DTRACE_PROC
64
65	Allows DTrace process-level tracing.
66	Allows process-level tracing probes to be placed and enabled in
67	processes to which the user has permissions.
68
69privilege PRIV_DTRACE_USER
70
71	Allows DTrace user-level tracing.
72	Allows use of the syscall and profile DTrace providers to
73	examine processes to which the user has permissions.
74
75privilege PRIV_FILE_CHOWN
76
77	Allows a process to change a file's owner user ID.
78	Allows a process to change a file's group ID to one other than
79	the process' effective group ID or one of the process'
80	supplemental group IDs.
81
82privilege PRIV_FILE_CHOWN_SELF
83
84	Allows a process to give away its files; a process with this
85	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
86	in effect.
87
88privilege PRIV_FILE_DAC_EXECUTE
89
90	Allows a process to execute an executable file whose permission
91	bits or ACL do not allow the process execute permission.
92
93privilege PRIV_FILE_DAC_READ
94
95	Allows a process to read a file or directory whose permission
96	bits or ACL do not allow the process read permission.
97
98privilege PRIV_FILE_DAC_SEARCH
99
100	Allows a process to search a directory whose permission bits or
101	ACL do not allow the process search permission.
102
103privilege PRIV_FILE_DAC_WRITE
104
105	Allows a process to write a file or directory whose permission
106	bits or ACL do not allow the process write permission.
107	In order to write files owned by uid 0 in the absence of an
108	effective uid of 0 ALL privileges are required.
109
110privilege PRIV_FILE_DOWNGRADE_SL
111
112	Allows a process to set the sensitivity label of a file or
113	directory to a sensitivity label that does not dominate the
114	existing sensitivity label.
115	This privilege is interpreted only if the system is configured
116	with Trusted Extensions.
117
118privilege PRIV_FILE_FLAG_SET
119
120	Allows a process to set immutable, nounlink or appendonly
121	file attributes.
122
123basic privilege PRIV_FILE_LINK_ANY
124
125	Allows a process to create hardlinks to files owned by a uid
126	different from the process' effective uid.
127
128privilege PRIV_FILE_OWNER
129
130	Allows a process which is not the owner of a file or directory
131	to perform the following operations that are normally permitted
132	only for the file owner: modify that file's access and
133	modification times; remove or rename a file or directory whose
134	parent directory has the ``save text image after execution''
135	(sticky) bit set; mount a ``namefs'' upon a file; modify
136	permission bits or ACL except for the set-uid and set-gid
137	bits.
138
139privilege PRIV_FILE_SETID
140
141	Allows a process to change the ownership of a file or write to
142	a file without the set-user-ID and set-group-ID bits being
143	cleared.
144	Allows a process to set the set-group-ID bit on a file or
145	directory whose group is not the process' effective group or
146	one of the process' supplemental groups.
147	Allows a process to set the set-user-ID bit on a file with
148	different ownership in the presence of PRIV_FILE_OWNER.
149	Additional restrictions apply when creating or modifying a
150	set-uid 0 file.
151
152privilege PRIV_FILE_UPGRADE_SL
153
154	Allows a process to set the sensitivity label of a file or
155	directory to a sensitivity label that dominates the existing
156	sensitivity label.
157	This privilege is interpreted only if the system is configured
158	with Trusted Extensions.
159
160privilege PRIV_GRAPHICS_ACCESS
161
162	Allows a process to make privileged ioctls to graphics devices.
163	Typically only xserver process needs to have this privilege.
164	A process with this privilege is also allowed to perform
165	privileged graphics device mappings.
166
167privilege PRIV_GRAPHICS_MAP
168
169	Allows a process to perform privileged mappings through a
170	graphics device.
171
172privilege PRIV_IPC_DAC_READ
173
174	Allows a process to read a System V IPC
175	Message Queue, Semaphore Set, or Shared Memory Segment whose
176	permission bits do not allow the process read permission.
177	Allows a process to read remote shared memory whose
178	permission bits do not allow the process read permission.
179
180privilege PRIV_IPC_DAC_WRITE
181
182	Allows a process to write a System V IPC
183	Message Queue, Semaphore Set, or Shared Memory Segment whose
184	permission bits do not allow the process write permission.
185	Allows a process to read remote shared memory whose
186	permission bits do not allow the process write permission.
187	Additional restrictions apply if the owner of the object has uid 0
188	and the effective uid of the current process is not 0.
189
190privilege PRIV_IPC_OWNER
191
192	Allows a process which is not the owner of a System
193	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
194	remove, change ownership of, or change permission bits of the
195	Message Queue, Semaphore Set, or Shared Memory Segment.
196	Additional restrictions apply if the owner of the object has uid 0
197	and the effective uid of the current process is not 0.
198
199basic privilege PRIV_NET_ACCESS
200
201	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
202
203privilege PRIV_NET_BINDMLP
204
205	Allow a process to bind to a port that is configured as a
206	multi-level port(MLP) for the process's zone. This privilege
207	applies to both shared address and zone-specific address MLPs.
208	See tnzonecfg(4) from the Trusted Extensions manual pages for
209	information on configuring MLP ports.
210	This privilege is interpreted only if the system is configured
211	with Trusted Extensions.
212
213privilege PRIV_NET_ICMPACCESS
214
215	Allows a process to send and receive ICMP packets.
216
217privilege PRIV_NET_MAC_AWARE
218
219	Allows a process to set NET_MAC_AWARE process flag by using
220	setpflags(2). This privilege also allows a process to set
221	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
222	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
223	option both allow a local process to communicate with an
224	unlabeled peer if the local process' label dominates the
225	peer's default label, or if the local process runs in the
226	global zone.
227	This privilege is interpreted only if the system is configured
228	with Trusted Extensions.
229
230privilege PRIV_NET_MAC_IMPLICIT
231
232	Allows a process to set SO_MAC_IMPLICIT option by using
233	setsockopt(3SOCKET).  This allows a privileged process to
234	transmit implicitly-labeled packets to a peer.
235	This privilege is interpreted only if the system is configured
236	with Trusted Extensions.
237
238privilege PRIV_NET_OBSERVABILITY
239
240	Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
241	while not requiring them to need PRIV_NET_RAWACCESS.
242
243privilege PRIV_NET_PRIVADDR
244
245	Allows a process to bind to a privileged port
246	number. The privilege port numbers are 1-1023 (the traditional
247	UNIX privileged ports) as well as those ports marked as
248	"udp/tcp_extra_priv_ports" with the exception of the ports
249	reserved for use by NFS.
250
251privilege PRIV_NET_RAWACCESS
252
253	Allows a process to have direct access to the network layer.
254
255unsafe privilege PRIV_PROC_AUDIT
256
257	Allows a process to generate audit records.
258	Allows a process to get its own audit pre-selection information.
259
260privilege PRIV_PROC_CHROOT
261
262	Allows a process to change its root directory.
263
264privilege PRIV_PROC_CLOCK_HIGHRES
265
266	Allows a process to use high resolution timers.
267
268basic privilege PRIV_PROC_EXEC
269
270	Allows a process to call execve().
271
272basic privilege PRIV_PROC_FORK
273
274	Allows a process to call fork1()/forkall()/vfork()
275
276basic privilege PRIV_PROC_INFO
277
278	Allows a process to examine the status of processes other
279	than those it can send signals to.  Processes which cannot
280	be examined cannot be seen in /proc and appear not to exist.
281
282privilege PRIV_PROC_LOCK_MEMORY
283
284	Allows a process to lock pages in physical memory.
285
286privilege PRIV_PROC_OWNER
287
288	Allows a process to send signals to other processes, inspect
289	and modify process state to other processes regardless of
290	ownership.  When modifying another process, additional
291	restrictions apply:  the effective privilege set of the
292	attaching process must be a superset of the target process'
293	effective, permitted and inheritable sets; the limit set must
294	be a superset of the target's limit set; if the target process
295	has any uid set to 0 all privilege must be asserted unless the
296	effective uid is 0.
297	Allows a process to bind arbitrary processes to CPUs.
298
299privilege PRIV_PROC_PRIOCNTL
300
301	Allows a process to elevate its priority above its current level.
302	Allows a process to change its scheduling class to any scheduling class,
303	including the RT class.
304
305basic privilege PRIV_PROC_SESSION
306
307	Allows a process to send signals or trace processes outside its
308	session.
309
310unsafe privilege PRIV_PROC_SETID
311
312	Allows a process to set its uids at will.
313	Assuming uid 0 requires all privileges to be asserted.
314
315privilege PRIV_PROC_TASKID
316
317	Allows a process to assign a new task ID to the calling process.
318
319privilege PRIV_PROC_ZONE
320
321	Allows a process to trace or send signals to processes in
322	other zones.
323
324privilege PRIV_SYS_ACCT
325
326	Allows a process to enable and disable and manage accounting through
327	acct(2), getacct(2), putacct(2) and wracct(2).
328
329privilege PRIV_SYS_ADMIN
330
331	Allows a process to perform system administration tasks such
332	as setting node and domain name and specifying nscd and coreadm
333	settings.
334
335privilege PRIV_SYS_AUDIT
336
337	Allows a process to start the (kernel) audit daemon.
338	Allows a process to view and set audit state (audit user ID,
339	audit terminal ID, audit sessions ID, audit pre-selection mask).
340	Allows a process to turn off and on auditing.
341	Allows a process to configure the audit parameters (cache and
342	queue sizes, event to class mappings, policy options).
343
344privilege PRIV_SYS_CONFIG
345
346	Allows a process to perform various system configuration tasks.
347	Allows a process to add and remove swap devices; when adding a swap
348	device, a process must also have sufficient privileges to read from
349	and write to the swap device.
350
351privilege PRIV_SYS_DEVICES
352
353	Allows a process to successfully call a kernel module that
354	calls the kernel drv_priv(9F) function to check for allowed
355	access.
356	Allows a process to open the real console device directly.
357	Allows a process to open devices that have been exclusively opened.
358
359privilege PRIV_SYS_IPC_CONFIG
360
361	Allows a process to increase the size of a System V IPC Message
362	Queue buffer.
363
364privilege PRIV_SYS_LINKDIR
365
366	Allows a process to unlink and link directories.
367
368privilege PRIV_SYS_MOUNT
369
370	Allows filesystem specific administrative procedures, such as
371	filesystem configuration ioctls, quota calls and creation/deletion
372	of snapshots.
373	Allows a process to mount and unmount filesystems which would
374	otherwise be restricted (i.e., most filesystems except
375	namefs).
376	A process performing a mount operation needs to have
377	appropriate access to the device being mounted (read-write for
378	"rw" mounts, read for "ro" mounts).
379	A process performing any of the aforementioned
380	filesystem operations needs to have read/write/owner
381	access to the mount point.
382	Only regular files and directories can serve as mount points
383	for processes which do not have all zone privileges asserted.
384	Unless a process has all zone privileges, the mount(2)
385	system call will force the "nosuid" and "restrict" options, the
386	latter only for autofs mountpoints.
387	Regardless of privileges, a process running in a non-global zone may
388	only control mounts performed from within said zone.
389	Outside the global zone, the "nodevices" option is always forced.
390
391privilege PRIV_SYS_IPTUN_CONFIG
392
393	Allows a process to configure IP tunnel links.
394
395privilege PRIV_SYS_DL_CONFIG
396
397	Allows a process to configure all classes of datalinks, including
398	configuration allowed by PRIV_SYS_IPTUN_CONFIG.
399
400privilege PRIV_SYS_IP_CONFIG
401
402	Allows a process to configure a system's IP interfaces and routes.
403	Allows a process to configure network parameters using ndd.
404	Allows a process access to otherwise restricted information using ndd.
405	Allows a process to configure IPsec.
406	Allows a process to pop anchored STREAMs modules with matching zoneid.
407
408privilege PRIV_SYS_NET_CONFIG
409
410	Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
411	PRIV_SYS_PPP_CONFIG allow.
412	Allows a process to push the rpcmod STREAMs module.
413	Allows a process to INSERT/REMOVE STREAMs modules on locations other
414	than the top of the module stack.
415
416privilege PRIV_SYS_NFS
417
418	Allows a process to perform Sun private NFS specific system calls.
419	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
420	and port 4045 (lockd).
421
422privilege PRIV_SYS_PPP_CONFIG
423
424	Allows a process to create and destroy PPP (sppp) interfaces.
425	Allows a process to configure PPP tunnels (sppptun).
426
427privilege PRIV_SYS_RES_CONFIG
428
429	Allows a process to create and delete processor sets, assign
430	CPUs to processor sets and override the PSET_NOESCAPE property.
431	Allows a process to change the operational status of CPUs in
432	the system using p_online(2).
433	Allows a process to configure resource pools and to bind
434	processes to pools
435
436unsafe privilege PRIV_SYS_RESOURCE
437
438	Allows a process to modify the resource limits specified
439	by setrlimit(2) and setrctl(2) without restriction.
440	Allows a process to exceed the per-user maximum number of
441	processes.
442	Allows a process to extend or create files on a filesystem that
443	has less than minfree space in reserve.
444
445privilege PRIV_SYS_SMB
446
447	Allows a process to access the Sun private SMB kernel module.
448	Allows a process to bind to ports reserved by NetBIOS and SMB:
449	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
450	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
451
452privilege PRIV_SYS_SUSER_COMPAT
453
454	Allows a process to successfully call a third party loadable module
455	that calls the kernel suser() function to check for allowed access.
456	This privilege exists only for third party loadable module
457	compatibility and is not used by Solaris proper.
458
459privilege PRIV_SYS_TIME
460
461	Allows a process to manipulate system time using any of the
462	appropriate system calls: stime, adjtime, ntp_adjtime and
463	the IA specific RTC calls.
464
465privilege PRIV_SYS_TRANS_LABEL
466
467	Allows a process to translate labels that are not dominated
468	by the process' sensitivity label to and from an external
469	string form.
470	This privilege is interpreted only if the system is configured
471	with Trusted Extensions.
472
473privilege PRIV_VIRT_MANAGE
474
475	Allows a process to manage virtualized environments such as
476	xVM(5).
477
478privilege PRIV_WIN_COLORMAP
479
480	Allows a process to override colormap restrictions.
481        Allows a process to install or remove colormaps.
482        Allows a process to retrieve colormap cell entries allocated
483	by other processes.
484	This privilege is interpreted only if the system is configured
485	with Trusted Extensions.
486
487privilege PRIV_WIN_CONFIG
488
489	Allows a process to configure or destroy resources that are
490	permanently retained by the X server.
491        Allows a process to use SetScreenSaver to set the screen
492	saver timeout value.
493        Allows a process to use ChangeHosts to modify the display
494	access control list.
495        Allows a process to use GrabServer.
496        Allows a process to use the SetCloseDownMode request which
497	may retain window, pixmap, colormap, property, cursor, font,
498	or graphic context resources.
499	This privilege is interpreted only if the system is configured
500	with Trusted Extensions.
501
502privilege PRIV_WIN_DAC_READ
503
504	Allows a process to read from a window resource that it does
505	not own (has a different user ID).
506	This privilege is interpreted only if the system is configured
507	with Trusted Extensions.
508
509privilege PRIV_WIN_DAC_WRITE
510
511	Allows a process to write to or create a window resource that
512	it does not own (has a different user ID). A newly created
513	window property is created with the window's user ID.
514	This privilege is interpreted only if the system is configured
515	with Trusted Extensions.
516
517privilege PRIV_WIN_DEVICES
518
519	Allows a process to perform operations on window input devices.
520        Allows a process to get and set keyboard and pointer controls.
521        Allows a process to modify pointer button and key mappings.
522	This privilege is interpreted only if the system is configured
523	with Trusted Extensions.
524
525privilege PRIV_WIN_DGA
526
527	Allows a process to use the direct graphics access (DGA) X protocol
528	extensions. Direct process access to the frame buffer is still
529	required. Thus the process must have MAC and DAC privileges that
530	allow access to the frame buffer, or the frame buffer must be
531        allocated to the process.
532	This privilege is interpreted only if the system is configured
533	with Trusted Extensions.
534
535privilege PRIV_WIN_DOWNGRADE_SL
536
537	Allows a process to set the sensitivity label of a window resource
538	to a sensitivity label that does not dominate the existing
539	sensitivity label.
540	This privilege is interpreted only if the system is configured
541	with Trusted Extensions.
542
543privilege PRIV_WIN_FONTPATH
544
545	Allows a process to set a font path.
546	This privilege is interpreted only if the system is configured
547	with Trusted Extensions.
548
549privilege PRIV_WIN_MAC_READ
550
551	Allows a process to read from a window resource whose sensitivity
552	label is not equal to the process sensitivity label.
553	This privilege is interpreted only if the system is configured
554	with Trusted Extensions.
555
556privilege PRIV_WIN_MAC_WRITE
557
558	Allows a process to create a window resource whose sensitivity
559	label is not equal to the process sensitivity label.
560	A newly created window property is created with the window's
561	sensitivity label.
562	This privilege is interpreted only if the system is configured
563	with Trusted Extensions.
564
565privilege PRIV_WIN_SELECTION
566
567	Allows a process to request inter-window data moves without the
568	intervention of the selection confirmer.
569	This privilege is interpreted only if the system is configured
570	with Trusted Extensions.
571
572privilege PRIV_WIN_UPGRADE_SL
573
574	Allows a process to set the sensitivity label of a window
575	resource to a sensitivity label that dominates the existing
576	sensitivity label.
577	This privilege is interpreted only if the system is configured
578	with Trusted Extensions.
579
580privilege PRIV_XVM_CONTROL
581
582	Allows a process access to the xVM(5) control devices for
583	managing guest domains and the hypervisor. This privilege is
584	used only if booted into xVM on x86 platforms.
585
586set PRIV_EFFECTIVE
587
588	Set of privileges currently in effect.
589
590set PRIV_INHERITABLE
591
592	Set of privileges that comes into effect on exec.
593
594set PRIV_PERMITTED
595
596	Set of privileges that can be put into the effective set without
597	restriction.
598
599set PRIV_LIMIT
600
601	Set of privileges that determines the absolute upper bound of
602	privileges this process and its off-spring can obtain.
603