1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25INSERT COMMENT
26 */
27
28#
29# Privileges can be added to this file at any location, not
30# necessarily at the end.  For patches, it is probably best to
31# add the new privilege at the end; for ordinary releases privileges
32# should be ordered alphabetically.
33#
34
35privilege PRIV_CONTRACT_EVENT
36
37	Allows a process to request critical events without limitation.
38	Allows a process to request reliable delivery of all events on
39	any event queue.
40
41privilege PRIV_CONTRACT_IDENTITY
42
43	Allows a process to set the service FMRI value of a process
44	contract template.
45
46privilege PRIV_CONTRACT_OBSERVER
47
48	Allows a process to observe contract events generated by
49	contracts created and owned by users other than the process's
50	effective user ID.
51	Allows a process to open contract event endpoints belonging to
52	contracts created and owned by users other than the process's
53	effective user ID.
54
55privilege PRIV_CPC_CPU
56
57	Allows a process to access per-CPU hardware performance counters.
58
59privilege PRIV_DTRACE_KERNEL
60
61	Allows DTrace kernel-level tracing.
62
63privilege PRIV_DTRACE_PROC
64
65	Allows DTrace process-level tracing.
66	Allows process-level tracing probes to be placed and enabled in
67	processes to which the user has permissions.
68
69privilege PRIV_DTRACE_USER
70
71	Allows DTrace user-level tracing.
72	Allows use of the syscall and profile DTrace providers to
73	examine processes to which the user has permissions.
74
75privilege PRIV_FILE_CHOWN
76
77	Allows a process to change a file's owner user ID.
78	Allows a process to change a file's group ID to one other than
79	the process' effective group ID or one of the process'
80	supplemental group IDs.
81
82privilege PRIV_FILE_CHOWN_SELF
83
84	Allows a process to give away its files; a process with this
85	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
86	in effect.
87
88privilege PRIV_FILE_DAC_EXECUTE
89
90	Allows a process to execute an executable file whose permission
91	bits or ACL do not allow the process execute permission.
92
93privilege PRIV_FILE_DAC_READ
94
95	Allows a process to read a file or directory whose permission
96	bits or ACL do not allow the process read permission.
97
98privilege PRIV_FILE_DAC_SEARCH
99
100	Allows a process to search a directory whose permission bits or
101	ACL do not allow the process search permission.
102
103privilege PRIV_FILE_DAC_WRITE
104
105	Allows a process to write a file or directory whose permission
106	bits or ACL do not allow the process write permission.
107	In order to write files owned by uid 0 when the process's effective
108	uid is not 0, ALL privileges are required.
109
110privilege PRIV_FILE_DOWNGRADE_SL
111
112	Allows a process to set the sensitivity label of a file or
113	directory to a sensitivity label that does not dominate the
114	existing sensitivity label.
115	This privilege is interpreted only if the system is configured
116	with Trusted Extensions.
117
118basic privilege PRIV_FILE_LINK_ANY
119
120	Allows a process to create hardlinks to files owned by a uid
121	different from the process' effective uid.
122
123privilege PRIV_FILE_OWNER
124
125	Allows a process which is not the owner of a file or directory
126	to perform the following operations that are normally permitted
127	only for the file owner: modify that file's access and
128	modification times; remove or rename a file or directory whose
129	parent directory has the ``save text image after execution''
130	(sticky) bit set; mount a ``namefs'' upon a file; modify
131	permission bits or ACL except for the set-uid and set-gid
132	bits.
133
134privilege PRIV_FILE_SETID
135
136	Allows a process to change the ownership of a file or write to
137	a file without the set-user-ID and set-group-ID bits being
138	cleared.
139	Allows a process to set the set-group-ID bit on a file or
140	directory whose group is not the process' effective group or
141	one of the process' supplemental groups.
142	Allows a process to set the set-user-ID bit on a file with
143	different ownership in the presence of PRIV_FILE_OWNER.
144	Additional restrictions apply when creating or modifying a
145	set-uid 0 file.
146
147privilege PRIV_FILE_UPGRADE_SL
148
149	Allows a process to set the sensitivity label of a file or
150	directory to a sensitivity label that dominates the existing
151	sensitivity label.
152	This privilege is interpreted only if the system is configured
153	with Trusted Extensions.
154
155privilege PRIV_FILE_FLAG_SET
156
157	Allows a process to set immutable, nounlink or appendonly
158	file attributes.
159
160privilege PRIV_GRAPHICS_ACCESS
161
162	Allows a process to make privileged ioctls to graphics devices.
163	Typically only the X server process needs to have this privilege.
164	A process with this privilege is also allowed to perform
165	privileged graphics device mappings.
166
167privilege PRIV_GRAPHICS_MAP
168
169	Allows a process to perform privileged mappings through a
170	graphics device.
171
172privilege PRIV_IPC_DAC_READ
173
174	Allows a process to read a System V IPC
175	Message Queue, Semaphore Set, or Shared Memory Segment whose
176	permission bits do not allow the process read permission.
177	Allows a process to read remote shared memory whose
178	permission bits do not allow the process read permission.
179
180privilege PRIV_IPC_DAC_WRITE
181
182	Allows a process to write a System V IPC
183	Message Queue, Semaphore Set, or Shared Memory Segment whose
184	permission bits do not allow the process write permission.
185	Allows a process to write remote shared memory whose
186	permission bits do not allow the process write permission.
187	Additional restrictions apply if the owner of the object has uid 0
188	and the effective uid of the current process is not 0.
189
190privilege PRIV_IPC_OWNER
191
192	Allows a process which is not the owner of a System
193	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
194	remove, change ownership of, or change permission bits of the
195	Message Queue, Semaphore Set, or Shared Memory Segment.
196	Additional restrictions apply if the owner of the object has uid 0
197	and the effective uid of the current process is not 0.
198
199privilege PRIV_NET_BINDMLP
200
201	Allows a process to bind to a port that is configured as a
202	multi-level port (MLP) for the process's zone. This privilege
203	applies to both shared address and zone-specific address MLPs.
204	See tnzonecfg(4) from the Trusted Extensions manual pages for
205	information on configuring MLP ports.
206	This privilege is interpreted only if the system is configured
207	with Trusted Extensions.
208
209privilege PRIV_NET_ICMPACCESS
210
211	Allows a process to send and receive ICMP packets.
212
213privilege PRIV_NET_MAC_AWARE
214
215	Allows a process to set NET_MAC_AWARE process flag by using
216	setpflags(2). This privilege also allows a process to set
217	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
218	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
219	option both allow a local process to communicate with an
220	unlabeled peer if the local process' label dominates the
221	peer's default label, or if the local process runs in the
222	global zone.
223	This privilege is interpreted only if the system is configured
224	with Trusted Extensions.
225
226privilege PRIV_NET_OBSERVABILITY
227
228	Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
229	without requiring PRIV_NET_RAWACCESS.
230
231privilege PRIV_NET_PRIVADDR
232
233	Allows a process to bind to a privileged port
234	number. The privileged port numbers are 1-1023 (the traditional
235	UNIX privileged ports) as well as those ports marked as
236	"udp/tcp_extra_priv_ports", with the exception of the ports
237	reserved for use by NFS.
238
239privilege PRIV_NET_RAWACCESS
240
241	Allows a process to have direct access to the network layer.
242
243unsafe privilege PRIV_PROC_AUDIT
244
245	Allows a process to generate audit records.
246	Allows a process to get its own audit pre-selection information.
247
248privilege PRIV_PROC_CHROOT
249
250	Allows a process to change its root directory.
251
252privilege PRIV_PROC_CLOCK_HIGHRES
253
254	Allows a process to use high resolution timers.
255
256basic privilege PRIV_PROC_EXEC
257
258	Allows a process to call execve().
259
260basic privilege PRIV_PROC_FORK
261
262	Allows a process to call fork1()/forkall()/vfork().
263
264basic privilege PRIV_PROC_INFO
265
266	Allows a process to examine the status of processes other
267	than those it can send signals to.  Processes which cannot
268	be examined cannot be seen in /proc and appear not to exist.
269
270privilege PRIV_PROC_LOCK_MEMORY
271
272	Allows a process to lock pages in physical memory.
273
274privilege PRIV_PROC_OWNER
275
276	Allows a process to send signals to other processes, and to inspect
277	and modify the process state of other processes, regardless of
278	ownership.  When modifying another process, additional
279	restrictions apply:  the effective privilege set of the
280	attaching process must be a superset of the target process'
281	effective, permitted and inheritable sets; the limit set must
282	be a superset of the target's limit set; if the target process
283	has any uid set to 0, all privileges must be asserted unless the
284	effective uid is 0.
285	Allows a process to bind arbitrary processes to CPUs.
286
287privilege PRIV_PROC_PRIOCNTL
288
289	Allows a process to elevate its priority above its current level.
290	Allows a process to change its scheduling class to any scheduling class,
291	including the RT class.
292
293basic privilege PRIV_PROC_SESSION
294
295	Allows a process to send signals or trace processes outside its
296	session.
297
298unsafe privilege PRIV_PROC_SETID
299
300	Allows a process to set its uids at will.
301	Assuming uid 0 requires all privileges to be asserted.
302
303privilege PRIV_PROC_TASKID
304
305	Allows a process to assign a new task ID to the calling process.
306
307privilege PRIV_PROC_ZONE
308
309	Allows a process to trace or send signals to processes in
310	other zones.
311
312privilege PRIV_SYS_ACCT
313
314	Allows a process to enable, disable and manage accounting through
315	acct(2), getacct(2), putacct(2) and wracct(2).
316
317privilege PRIV_SYS_ADMIN
318
319	Allows a process to perform system administration tasks such
320	as setting node and domain name and specifying nscd and coreadm
321	settings.
322
323privilege PRIV_SYS_AUDIT
324
325	Allows a process to start the (kernel) audit daemon.
326	Allows a process to view and set audit state (audit user ID,
327	audit terminal ID, audit session ID, audit pre-selection mask).
328	Allows a process to turn off and on auditing.
329	Allows a process to configure the audit parameters (cache and
330	queue sizes, event to class mappings, policy options).
331
332privilege PRIV_SYS_CONFIG
333
334	Allows a process to perform various system configuration tasks.
335	Allows a process to add and remove swap devices; when adding a swap
336	device, a process must also have sufficient privileges to read from
337	and write to the swap device.
338
339privilege PRIV_SYS_DEVICES
340
341	Allows a process to successfully call a kernel module that
342	calls the kernel drv_priv(9F) function to check for allowed
343	access.
344	Allows a process to open the real console device directly.
345	Allows a process to open devices that have been exclusively opened.
346
347privilege PRIV_SYS_IPC_CONFIG
348
349	Allows a process to increase the size of a System V IPC Message
350	Queue buffer.
351
352privilege PRIV_SYS_LINKDIR
353
354	Allows a process to unlink and link directories.
355
356privilege PRIV_SYS_MOUNT
357
358	Allows filesystem specific administrative procedures, such as
359	filesystem configuration ioctls, quota calls and creation/deletion
360	of snapshots.
361	Allows a process to mount and unmount filesystems which would
362	otherwise be restricted (i.e., most filesystems except
363	namefs).
364	A process performing a mount operation needs to have
365	appropriate access to the device being mounted (read-write for
366	"rw" mounts, read for "ro" mounts).
367	A process performing any of the aforementioned
368	filesystem operations needs to have read/write/owner
369	access to the mount point.
370	Only regular files and directories can serve as mount points
371	for processes which do not have all zone privileges asserted.
372	Unless a process has all zone privileges, the mount(2)
373	system call will force the "nosuid" and "restrict" options, the
374	latter only for autofs mountpoints.
375	Regardless of privileges, a process running in a non-global zone may
376	only control mounts performed from within said zone.
377	Outside the global zone, the "nodevices" option is always forced.
378
379privilege PRIV_SYS_IPTUN_CONFIG
380
381	Allows a process to configure IP tunnel links.
382
383privilege PRIV_SYS_DL_CONFIG
384
385	Allows a process to configure all classes of datalinks, including
386	configuration allowed by PRIV_SYS_IPTUN_CONFIG.
387
388privilege PRIV_SYS_IP_CONFIG
389
390	Allows a process to configure a system's IP interfaces and routes.
391	Allows a process to configure network parameters using ndd.
392	Allows a process access to otherwise restricted information using ndd.
393	Allows a process to configure IPsec.
394	Allows a process to pop anchored STREAMS modules with matching zoneid.
395
396privilege PRIV_SYS_NET_CONFIG
397
398	Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
399	PRIV_SYS_PPP_CONFIG allow.
400	Allows a process to push the rpcmod STREAMS module.
401	Allows a process to INSERT/REMOVE STREAMS modules at locations other
402	than the top of the module stack.
403
404privilege PRIV_SYS_NFS
405
406	Allows a process to perform Sun-private, NFS-specific system calls.
407	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
408	and port 4045 (lockd).
409
410privilege PRIV_SYS_PPP_CONFIG
411
412	Allows a process to create and destroy PPP (sppp) interfaces.
413	Allows a process to configure PPP tunnels (sppptun).
414
415privilege PRIV_SYS_RES_CONFIG
416
417	Allows a process to create and delete processor sets, assign
418	CPUs to processor sets and override the PSET_NOESCAPE property.
419	Allows a process to change the operational status of CPUs in
420	the system using p_online(2).
421	Allows a process to configure resource pools and to bind
422	processes to pools.
423
424unsafe privilege PRIV_SYS_RESOURCE
425
426	Allows a process to modify the resource limits specified
427	by setrlimit(2) and setrctl(2) without restriction.
428	Allows a process to exceed the per-user maximum number of
429	processes.
430	Allows a process to extend or create files on a filesystem that
431	has less than minfree space in reserve.
432
433privilege PRIV_SYS_SMB
434
435	Allows a process to access the Sun private SMB kernel module.
436	Allows a process to bind to ports reserved by NetBIOS and SMB:
437	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
438	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
439
440privilege PRIV_SYS_SUSER_COMPAT
441
442	Allows a process to successfully call a third-party loadable module
443	that calls the kernel suser() function to check for allowed access.
444	This privilege exists only for third-party loadable module
445	compatibility and is not used by Solaris proper.
446
447privilege PRIV_SYS_TIME
448
449	Allows a process to manipulate system time using any of the
450	appropriate system calls: stime, adjtime, ntp_adjtime and
451	the IA-specific RTC calls.
452
453privilege PRIV_SYS_TRANS_LABEL
454
455	Allows a process to translate labels that are not dominated
456	by the process' sensitivity label to and from an external
457	string form.
458	This privilege is interpreted only if the system is configured
459	with Trusted Extensions.
460
461privilege PRIV_VIRT_MANAGE
462
463	Allows a process to manage virtualized environments such as
464	xVM(5).
465
466privilege PRIV_WIN_COLORMAP
467
468	Allows a process to override colormap restrictions.
469	Allows a process to install or remove colormaps.
470	Allows a process to retrieve colormap cell entries allocated
471	by other processes.
472	This privilege is interpreted only if the system is configured
473	with Trusted Extensions.
474
475privilege PRIV_WIN_CONFIG
476
477	Allows a process to configure or destroy resources that are
478	permanently retained by the X server.
479        Allows a process to use SetScreenSaver to set the screen
480	saver timeout value.
481        Allows a process to use ChangeHosts to modify the display
482	access control list.
483        Allows a process to use GrabServer.
484        Allows a process to use the SetCloseDownMode request which
485	may retain window, pixmap, colormap, property, cursor, font,
486	or graphic context resources.
487	This privilege is interpreted only if the system is configured
488	with Trusted Extensions.
489
490privilege PRIV_WIN_DAC_READ
491
492	Allows a process to read from a window resource that it does
493	not own (has a different user ID).
494	This privilege is interpreted only if the system is configured
495	with Trusted Extensions.
496
497privilege PRIV_WIN_DAC_WRITE
498
499	Allows a process to write to or create a window resource that
500	it does not own (has a different user ID). A newly created
501	window property is created with the window's user ID.
502	This privilege is interpreted only if the system is configured
503	with Trusted Extensions.
504
505privilege PRIV_WIN_DEVICES
506
507	Allows a process to perform operations on window input devices.
508        Allows a process to get and set keyboard and pointer controls.
509        Allows a process to modify pointer button and key mappings.
510	This privilege is interpreted only if the system is configured
511	with Trusted Extensions.
512
513privilege PRIV_WIN_DGA
514
515	Allows a process to use the direct graphics access (DGA) X protocol
516	extensions. Direct process access to the frame buffer is still
517	required. Thus the process must have MAC and DAC privileges that
518	allow access to the frame buffer, or the frame buffer must be
519        allocated to the process.
520	This privilege is interpreted only if the system is configured
521	with Trusted Extensions.
522
523privilege PRIV_WIN_DOWNGRADE_SL
524
525	Allows a process to set the sensitivity label of a window resource
526	to a sensitivity label that does not dominate the existing
527	sensitivity label.
528	This privilege is interpreted only if the system is configured
529	with Trusted Extensions.
530
531privilege PRIV_WIN_FONTPATH
532
533	Allows a process to set a font path.
534	This privilege is interpreted only if the system is configured
535	with Trusted Extensions.
536
537privilege PRIV_WIN_MAC_READ
538
539	Allows a process to read from a window resource whose sensitivity
540	label is not equal to the process sensitivity label.
541	This privilege is interpreted only if the system is configured
542	with Trusted Extensions.
543
544privilege PRIV_WIN_MAC_WRITE
545
546	Allows a process to create a window resource whose sensitivity
547	label is not equal to the process sensitivity label.
548	A newly created window property is created with the window's
549	sensitivity label.
550	This privilege is interpreted only if the system is configured
551	with Trusted Extensions.
552
553privilege PRIV_WIN_SELECTION
554
555	Allows a process to request inter-window data moves without the
556	intervention of the selection confirmer.
557	This privilege is interpreted only if the system is configured
558	with Trusted Extensions.
559
560privilege PRIV_WIN_UPGRADE_SL
561
562	Allows a process to set the sensitivity label of a window
563	resource to a sensitivity label that dominates the existing
564	sensitivity label.
565	This privilege is interpreted only if the system is configured
566	with Trusted Extensions.
567
568privilege PRIV_XVM_CONTROL
569
570	Allows a process access to the xVM(5) control devices for
571	managing guest domains and the hypervisor. This privilege is
572	used only if booted into xVM on x86 platforms.
573
574set PRIV_EFFECTIVE
575
576	Set of privileges currently in effect.
577
578set PRIV_INHERITABLE
579
580	Set of privileges that comes into effect on exec.
581
582set PRIV_PERMITTED
583
584	Set of privileges that can be put into the effective set without
585	restriction.
586
587set PRIV_LIMIT
588
589	Set of privileges that determines the absolute upper bound of
590	privileges this process and its off-spring can obtain.
591