xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision e4f5a11d4a234623168c1558fcdf4341e11769e1)
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 *
24INSERT COMMENT
25 */
26
27#
28# Privileges can be added to this file at any location, not
29# necessarily at the end.  For patches, it is probably best to
30# add the new privilege at the end; for ordinary releases privileges
31# should be ordered alphabetically.
32#
33
34privilege PRIV_CONTRACT_EVENT
35
36	Allows a process to request critical events without limitation.
37	Allows a process to request reliable delivery of all events on
38	any event queue.
39
40privilege PRIV_CONTRACT_IDENTITY
41
42	Allows a process to set the service FMRI value of a process
43	contract template.
44
45privilege PRIV_CONTRACT_OBSERVER
46
47	Allows a process to observe contract events generated by
48	contracts created and owned by users other than the process's
49	effective user ID.
50	Allows a process to open contract event endpoints belonging to
51	contracts created and owned by users other than the process's
52	effective user ID.
53
54privilege PRIV_CPC_CPU
55
56	Allow a process to access per-CPU hardware performance counters.
57
58privilege PRIV_DTRACE_KERNEL
59
60	Allows DTrace kernel-level tracing.
61
62privilege PRIV_DTRACE_PROC
63
64	Allows DTrace process-level tracing.
65	Allows process-level tracing probes to be placed and enabled in
66	processes to which the user has permissions.
67
68privilege PRIV_DTRACE_USER
69
70	Allows DTrace user-level tracing.
71	Allows use of the syscall and profile DTrace providers to
72	examine processes to which the user has permissions.
73
74privilege PRIV_FILE_CHOWN
75
76	Allows a process to change a file's owner user ID.
77	Allows a process to change a file's group ID to one other than
78	the process' effective group ID or one of the process'
79	supplemental group IDs.
80
81privilege PRIV_FILE_CHOWN_SELF
82
83	Allows a process to give away its files; a process with this
84	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
85	in effect.
86
87privilege PRIV_FILE_DAC_EXECUTE
88
89	Allows a process to execute an executable file whose permission
90	bits or ACL do not allow the process execute permission.
91
92privilege PRIV_FILE_DAC_READ
93
94	Allows a process to read a file or directory whose permission
95	bits or ACL do not allow the process read permission.
96
97privilege PRIV_FILE_DAC_SEARCH
98
99	Allows a process to search a directory whose permission bits or
100	ACL do not allow the process search permission.
101
102privilege PRIV_FILE_DAC_WRITE
103
104	Allows a process to write a file or directory whose permission
105	bits or ACL do not allow the process write permission.
106	In order to write files owned by uid 0 in the absence of an
107	effective uid of 0 ALL privileges are required.
108
109privilege PRIV_FILE_DOWNGRADE_SL
110
111	Allows a process to set the sensitivity label of a file or
112	directory to a sensitivity label that does not dominate the
113	existing sensitivity label.
114	This privilege is interpreted only if the system is configured
115	with Trusted Extensions.
116
117privilege PRIV_FILE_FLAG_SET
118
119	Allows a process to set immutable, nounlink or appendonly
120	file attributes.
121
122basic privilege PRIV_FILE_LINK_ANY
123
124	Allows a process to create hardlinks to files owned by a uid
125	different from the process' effective uid.
126
127privilege PRIV_FILE_OWNER
128
129	Allows a process which is not the owner of a file or directory
130	to perform the following operations that are normally permitted
131	only for the file owner: modify that file's access and
132	modification times; remove or rename a file or directory whose
133	parent directory has the ``save text image after execution''
134	(sticky) bit set; mount a ``namefs'' upon a file; modify
135	permission bits or ACL except for the set-uid and set-gid
136	bits.
137
138basic privilege PRIV_FILE_READ
139
140	Allows a process to read objects in the filesystem.
141
142privilege PRIV_FILE_SETID
143
144	Allows a process to change the ownership of a file or write to
145	a file without the set-user-ID and set-group-ID bits being
146	cleared.
147	Allows a process to set the set-group-ID bit on a file or
148	directory whose group is not the process' effective group or
149	one of the process' supplemental groups.
150	Allows a process to set the set-user-ID bit on a file with
151	different ownership in the presence of PRIV_FILE_OWNER.
152	Additional restrictions apply when creating or modifying a
153	set-uid 0 file.
154
155privilege PRIV_FILE_UPGRADE_SL
156
157	Allows a process to set the sensitivity label of a file or
158	directory to a sensitivity label that dominates the existing
159	sensitivity label.
160	This privilege is interpreted only if the system is configured
161	with Trusted Extensions.
162
163basic privilege PRIV_FILE_WRITE
164
165	Allows a process to modify objects in the filesystem.
166
167privilege PRIV_GRAPHICS_ACCESS
168
169	Allows a process to make privileged ioctls to graphics devices.
170	Typically only xserver process needs to have this privilege.
171	A process with this privilege is also allowed to perform
172	privileged graphics device mappings.
173
174privilege PRIV_GRAPHICS_MAP
175
176	Allows a process to perform privileged mappings through a
177	graphics device.
178
179privilege PRIV_IPC_DAC_READ
180
181	Allows a process to read a System V IPC
182	Message Queue, Semaphore Set, or Shared Memory Segment whose
183	permission bits do not allow the process read permission.
184	Allows a process to read remote shared memory whose
185	permission bits do not allow the process read permission.
186
187privilege PRIV_IPC_DAC_WRITE
188
189	Allows a process to write a System V IPC
190	Message Queue, Semaphore Set, or Shared Memory Segment whose
191	permission bits do not allow the process write permission.
192	Allows a process to read remote shared memory whose
193	permission bits do not allow the process write permission.
194	Additional restrictions apply if the owner of the object has uid 0
195	and the effective uid of the current process is not 0.
196
197privilege PRIV_IPC_OWNER
198
199	Allows a process which is not the owner of a System
200	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
201	remove, change ownership of, or change permission bits of the
202	Message Queue, Semaphore Set, or Shared Memory Segment.
203	Additional restrictions apply if the owner of the object has uid 0
204	and the effective uid of the current process is not 0.
205
206basic privilege PRIV_NET_ACCESS
207
208	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
209
210privilege PRIV_NET_BINDMLP
211
212	Allow a process to bind to a port that is configured as a
213	multi-level port(MLP) for the process's zone. This privilege
214	applies to both shared address and zone-specific address MLPs.
215	See tnzonecfg(4) from the Trusted Extensions manual pages for
216	information on configuring MLP ports.
217	This privilege is interpreted only if the system is configured
218	with Trusted Extensions.
219
220privilege PRIV_NET_ICMPACCESS
221
222	Allows a process to send and receive ICMP packets.
223
224privilege PRIV_NET_MAC_AWARE
225
226	Allows a process to set NET_MAC_AWARE process flag by using
227	setpflags(2). This privilege also allows a process to set
228	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
229	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
230	option both allow a local process to communicate with an
231	unlabeled peer if the local process' label dominates the
232	peer's default label, or if the local process runs in the
233	global zone.
234	This privilege is interpreted only if the system is configured
235	with Trusted Extensions.
236
237privilege PRIV_NET_MAC_IMPLICIT
238
239	Allows a process to set SO_MAC_IMPLICIT option by using
240	setsockopt(3SOCKET).  This allows a privileged process to
241	transmit implicitly-labeled packets to a peer.
242	This privilege is interpreted only if the system is configured
243	with Trusted Extensions.
244
245privilege PRIV_NET_OBSERVABILITY
246
247	Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
248	while not requiring them to need PRIV_NET_RAWACCESS.
249
250privilege PRIV_NET_PRIVADDR
251
252	Allows a process to bind to a privileged port
253	number. The privilege port numbers are 1-1023 (the traditional
254	UNIX privileged ports) as well as those ports marked as
255	"udp/tcp_extra_priv_ports" with the exception of the ports
256	reserved for use by NFS.
257
258privilege PRIV_NET_RAWACCESS
259
260	Allows a process to have direct access to the network layer.
261
262unsafe privilege PRIV_PROC_AUDIT
263
264	Allows a process to generate audit records.
265	Allows a process to get its own audit pre-selection information.
266
267privilege PRIV_PROC_CHROOT
268
269	Allows a process to change its root directory.
270
271privilege PRIV_PROC_CLOCK_HIGHRES
272
273	Allows a process to use high resolution timers.
274
275basic privilege PRIV_PROC_EXEC
276
277	Allows a process to call execve().
278
279basic privilege PRIV_PROC_FORK
280
281	Allows a process to call fork1()/forkall()/vfork()
282
283basic privilege PRIV_PROC_INFO
284
285	Allows a process to examine the status of processes other
286	than those it can send signals to.  Processes which cannot
287	be examined cannot be seen in /proc and appear not to exist.
288
289privilege PRIV_PROC_LOCK_MEMORY
290
291	Allows a process to lock pages in physical memory.
292
293privilege PRIV_PROC_OWNER
294
295	Allows a process to send signals to other processes, inspect
296	and modify process state to other processes regardless of
297	ownership.  When modifying another process, additional
298	restrictions apply:  the effective privilege set of the
299	attaching process must be a superset of the target process'
300	effective, permitted and inheritable sets; the limit set must
301	be a superset of the target's limit set; if the target process
302	has any uid set to 0 all privilege must be asserted unless the
303	effective uid is 0.
304	Allows a process to bind arbitrary processes to CPUs.
305
306privilege PRIV_PROC_PRIOCNTL
307
308	Allows a process to elevate its priority above its current level.
309	Allows a process to change its scheduling class to any scheduling class,
310	including the RT class.
311
312basic privilege PRIV_PROC_SESSION
313
314	Allows a process to send signals or trace processes outside its
315	session.
316
317unsafe privilege PRIV_PROC_SETID
318
319	Allows a process to set its uids at will.
320	Assuming uid 0 requires all privileges to be asserted.
321
322privilege PRIV_PROC_TASKID
323
324	Allows a process to assign a new task ID to the calling process.
325
326privilege PRIV_PROC_ZONE
327
328	Allows a process to trace or send signals to processes in
329	other zones.
330
331privilege PRIV_SYS_ACCT
332
333	Allows a process to enable and disable and manage accounting through
334	acct(2), getacct(2), putacct(2) and wracct(2).
335
336privilege PRIV_SYS_ADMIN
337
338	Allows a process to perform system administration tasks such
339	as setting node and domain name and specifying nscd and coreadm
340	settings.
341
342privilege PRIV_SYS_AUDIT
343
344	Allows a process to start the (kernel) audit daemon.
345	Allows a process to view and set audit state (audit user ID,
346	audit terminal ID, audit sessions ID, audit pre-selection mask).
347	Allows a process to turn off and on auditing.
348	Allows a process to configure the audit parameters (cache and
349	queue sizes, event to class mappings, policy options).
350
351privilege PRIV_SYS_CONFIG
352
353	Allows a process to perform various system configuration tasks.
354	Allows a process to add and remove swap devices; when adding a swap
355	device, a process must also have sufficient privileges to read from
356	and write to the swap device.
357
358privilege PRIV_SYS_DEVICES
359
360	Allows a process to successfully call a kernel module that
361	calls the kernel drv_priv(9F) function to check for allowed
362	access.
363	Allows a process to open the real console device directly.
364	Allows a process to open devices that have been exclusively opened.
365
366privilege PRIV_SYS_IPC_CONFIG
367
368	Allows a process to increase the size of a System V IPC Message
369	Queue buffer.
370
371privilege PRIV_SYS_LINKDIR
372
373	Allows a process to unlink and link directories.
374
375privilege PRIV_SYS_MOUNT
376
377	Allows filesystem specific administrative procedures, such as
378	filesystem configuration ioctls, quota calls and creation/deletion
379	of snapshots.
380	Allows a process to mount and unmount filesystems which would
381	otherwise be restricted (i.e., most filesystems except
382	namefs).
383	A process performing a mount operation needs to have
384	appropriate access to the device being mounted (read-write for
385	"rw" mounts, read for "ro" mounts).
386	A process performing any of the aforementioned
387	filesystem operations needs to have read/write/owner
388	access to the mount point.
389	Only regular files and directories can serve as mount points
390	for processes which do not have all zone privileges asserted.
391	Unless a process has all zone privileges, the mount(2)
392	system call will force the "nosuid" and "restrict" options, the
393	latter only for autofs mountpoints.
394	Regardless of privileges, a process running in a non-global zone may
395	only control mounts performed from within said zone.
396	Outside the global zone, the "nodevices" option is always forced.
397
398privilege PRIV_SYS_IPTUN_CONFIG
399
400	Allows a process to configure IP tunnel links.
401
402privilege PRIV_SYS_DL_CONFIG
403
404	Allows a process to configure all classes of datalinks, including
405	configuration allowed by PRIV_SYS_IPTUN_CONFIG.
406
407privilege PRIV_SYS_IP_CONFIG
408
409	Allows a process to configure a system's IP interfaces and routes.
410	Allows a process to configure network parameters using ndd.
411	Allows a process access to otherwise restricted information using ndd.
412	Allows a process to configure IPsec.
413	Allows a process to pop anchored STREAMs modules with matching zoneid.
414
415privilege PRIV_SYS_NET_CONFIG
416
417	Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
418	PRIV_SYS_PPP_CONFIG allow.
419	Allows a process to push the rpcmod STREAMs module.
420	Allows a process to INSERT/REMOVE STREAMs modules on locations other
421	than the top of the module stack.
422
423privilege PRIV_SYS_NFS
424
425	Allows a process to perform Sun private NFS specific system calls.
426	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
427	and port 4045 (lockd).
428
429privilege PRIV_SYS_PPP_CONFIG
430
431	Allows a process to create and destroy PPP (sppp) interfaces.
432	Allows a process to configure PPP tunnels (sppptun).
433
434privilege PRIV_SYS_RES_BIND
435
436	Allows a process to bind processes to processor sets.
437
438privilege PRIV_SYS_RES_CONFIG
439
440	Allows all that PRIV_SYS_RES_BIND allows.
441	Allows a process to create and delete processor sets, assign
442	CPUs to processor sets and override the PSET_NOESCAPE property.
443	Allows a process to change the operational status of CPUs in
444	the system using p_online(2).
445	Allows a process to configure resource pools and to bind
446	processes to pools
447
448unsafe privilege PRIV_SYS_RESOURCE
449
450	Allows a process to modify the resource limits specified
451	by setrlimit(2) and setrctl(2) without restriction.
452	Allows a process to exceed the per-user maximum number of
453	processes.
454	Allows a process to extend or create files on a filesystem that
455	has less than minfree space in reserve.
456
457privilege PRIV_SYS_SMB
458
459	Allows a process to access the Sun private SMB kernel module.
460	Allows a process to bind to ports reserved by NetBIOS and SMB:
461	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
462	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
463
464privilege PRIV_SYS_SUSER_COMPAT
465
466	Allows a process to successfully call a third party loadable module
467	that calls the kernel suser() function to check for allowed access.
468	This privilege exists only for third party loadable module
469	compatibility and is not used by Solaris proper.
470
471privilege PRIV_SYS_TIME
472
473	Allows a process to manipulate system time using any of the
474	appropriate system calls: stime, adjtime, ntp_adjtime and
475	the IA specific RTC calls.
476
477privilege PRIV_SYS_TRANS_LABEL
478
479	Allows a process to translate labels that are not dominated
480	by the process' sensitivity label to and from an external
481	string form.
482	This privilege is interpreted only if the system is configured
483	with Trusted Extensions.
484
485privilege PRIV_VIRT_MANAGE
486
487	Allows a process to manage virtualized environments such as
488	xVM(5).
489
490privilege PRIV_WIN_COLORMAP
491
492	Allows a process to override colormap restrictions.
493        Allows a process to install or remove colormaps.
494        Allows a process to retrieve colormap cell entries allocated
495	by other processes.
496	This privilege is interpreted only if the system is configured
497	with Trusted Extensions.
498
499privilege PRIV_WIN_CONFIG
500
501	Allows a process to configure or destroy resources that are
502	permanently retained by the X server.
503        Allows a process to use SetScreenSaver to set the screen
504	saver timeout value.
505        Allows a process to use ChangeHosts to modify the display
506	access control list.
507        Allows a process to use GrabServer.
508        Allows a process to use the SetCloseDownMode request which
509	may retain window, pixmap, colormap, property, cursor, font,
510	or graphic context resources.
511	This privilege is interpreted only if the system is configured
512	with Trusted Extensions.
513
514privilege PRIV_WIN_DAC_READ
515
516	Allows a process to read from a window resource that it does
517	not own (has a different user ID).
518	This privilege is interpreted only if the system is configured
519	with Trusted Extensions.
520
521privilege PRIV_WIN_DAC_WRITE
522
523	Allows a process to write to or create a window resource that
524	it does not own (has a different user ID). A newly created
525	window property is created with the window's user ID.
526	This privilege is interpreted only if the system is configured
527	with Trusted Extensions.
528
529privilege PRIV_WIN_DEVICES
530
531	Allows a process to perform operations on window input devices.
532        Allows a process to get and set keyboard and pointer controls.
533        Allows a process to modify pointer button and key mappings.
534	This privilege is interpreted only if the system is configured
535	with Trusted Extensions.
536
537privilege PRIV_WIN_DGA
538
539	Allows a process to use the direct graphics access (DGA) X protocol
540	extensions. Direct process access to the frame buffer is still
541	required. Thus the process must have MAC and DAC privileges that
542	allow access to the frame buffer, or the frame buffer must be
543        allocated to the process.
544	This privilege is interpreted only if the system is configured
545	with Trusted Extensions.
546
547privilege PRIV_WIN_DOWNGRADE_SL
548
549	Allows a process to set the sensitivity label of a window resource
550	to a sensitivity label that does not dominate the existing
551	sensitivity label.
552	This privilege is interpreted only if the system is configured
553	with Trusted Extensions.
554
555privilege PRIV_WIN_FONTPATH
556
557	Allows a process to set a font path.
558	This privilege is interpreted only if the system is configured
559	with Trusted Extensions.
560
561privilege PRIV_WIN_MAC_READ
562
563	Allows a process to read from a window resource whose sensitivity
564	label is not equal to the process sensitivity label.
565	This privilege is interpreted only if the system is configured
566	with Trusted Extensions.
567
568privilege PRIV_WIN_MAC_WRITE
569
570	Allows a process to create a window resource whose sensitivity
571	label is not equal to the process sensitivity label.
572	A newly created window property is created with the window's
573	sensitivity label.
574	This privilege is interpreted only if the system is configured
575	with Trusted Extensions.
576
577privilege PRIV_WIN_SELECTION
578
579	Allows a process to request inter-window data moves without the
580	intervention of the selection confirmer.
581	This privilege is interpreted only if the system is configured
582	with Trusted Extensions.
583
584privilege PRIV_WIN_UPGRADE_SL
585
586	Allows a process to set the sensitivity label of a window
587	resource to a sensitivity label that dominates the existing
588	sensitivity label.
589	This privilege is interpreted only if the system is configured
590	with Trusted Extensions.
591
592privilege PRIV_XVM_CONTROL
593
594	Allows a process access to the xVM(5) control devices for
595	managing guest domains and the hypervisor. This privilege is
596	used only if booted into xVM on x86 platforms.
597
598set PRIV_EFFECTIVE
599
600	Set of privileges currently in effect.
601
602set PRIV_INHERITABLE
603
604	Set of privileges that comes into effect on exec.
605
606set PRIV_PERMITTED
607
608	Set of privileges that can be put into the effective set without
609	restriction.
610
611set PRIV_LIMIT
612
613	Set of privileges that determines the absolute upper bound of
614	privileges this process and its off-spring can obtain.
615