xref: /illumos-gate/usr/src/uts/common/os/priv_defs (revision fd6d41c5025e9fb45a115fc82d86e9983d1e9fd6)
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2015, Joyent, Inc. All rights reserved.
24 *
25INSERT COMMENT
26 */
27
28#
29# Privileges can be added to this file at any location, not
30# necessarily at the end.  For patches, it is probably best to
31# add the new privilege at the end; for ordinary releases privileges
32# should be ordered alphabetically.
33#
34
35privilege PRIV_CONTRACT_EVENT
36
37	Allows a process to request critical events without limitation.
38	Allows a process to request reliable delivery of all events on
39	any event queue.
40
41privilege PRIV_CONTRACT_IDENTITY
42
43	Allows a process to set the service FMRI value of a process
44	contract template.
45
46privilege PRIV_CONTRACT_OBSERVER
47
48	Allows a process to observe contract events generated by
49	contracts created and owned by users other than the process's
50	effective user ID.
51	Allows a process to open contract event endpoints belonging to
52	contracts created and owned by users other than the process's
53	effective user ID.
54
55privilege PRIV_CPC_CPU
56
57	Allow a process to access per-CPU hardware performance counters.
58
59privilege PRIV_DTRACE_KERNEL
60
61	Allows DTrace kernel-level tracing.
62
63privilege PRIV_DTRACE_PROC
64
65	Allows DTrace process-level tracing.
66	Allows process-level tracing probes to be placed and enabled in
67	processes to which the user has permissions.
68
69privilege PRIV_DTRACE_USER
70
71	Allows DTrace user-level tracing.
72	Allows use of the syscall and profile DTrace providers to
73	examine processes to which the user has permissions.
74
75privilege PRIV_FILE_CHOWN
76
77	Allows a process to change a file's owner user ID.
78	Allows a process to change a file's group ID to one other than
79	the process' effective group ID or one of the process'
80	supplemental group IDs.
81
82privilege PRIV_FILE_CHOWN_SELF
83
84	Allows a process to give away its files; a process with this
85	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
86	in effect.
87
88privilege PRIV_FILE_DAC_EXECUTE
89
90	Allows a process to execute an executable file whose permission
91	bits or ACL do not allow the process execute permission.
92
93privilege PRIV_FILE_DAC_READ
94
95	Allows a process to read a file or directory whose permission
96	bits or ACL do not allow the process read permission.
97
98privilege PRIV_FILE_DAC_SEARCH
99
100	Allows a process to search a directory whose permission bits or
101	ACL do not allow the process search permission.
102
103privilege PRIV_FILE_DAC_WRITE
104
105	Allows a process to write a file or directory whose permission
106	bits or ACL do not allow the process write permission.
107	In order to write files owned by uid 0 in the absence of an
108	effective uid of 0 ALL privileges are required.
109
110privilege PRIV_FILE_DOWNGRADE_SL
111
112	Allows a process to set the sensitivity label of a file or
113	directory to a sensitivity label that does not dominate the
114	existing sensitivity label.
115	This privilege is interpreted only if the system is configured
116	with Trusted Extensions.
117
118privilege PRIV_FILE_FLAG_SET
119
120	Allows a process to set immutable, nounlink or appendonly
121	file attributes.
122
123basic privilege PRIV_FILE_LINK_ANY
124
125	Allows a process to create hardlinks to files owned by a uid
126	different from the process' effective uid.
127
128privilege PRIV_FILE_OWNER
129
130	Allows a process which is not the owner of a file or directory
131	to perform the following operations that are normally permitted
132	only for the file owner: modify that file's access and
133	modification times; remove or rename a file or directory whose
134	parent directory has the ``save text image after execution''
135	(sticky) bit set; mount a ``namefs'' upon a file; modify
136	permission bits or ACL except for the set-uid and set-gid
137	bits.
138
139basic privilege PRIV_FILE_READ
140
141	Allows a process to read objects in the filesystem.
142
143privilege PRIV_FILE_SETID
144
145	Allows a process to change the ownership of a file or write to
146	a file without the set-user-ID and set-group-ID bits being
147	cleared.
148	Allows a process to set the set-group-ID bit on a file or
149	directory whose group is not the process' effective group or
150	one of the process' supplemental groups.
151	Allows a process to set the set-user-ID bit on a file with
152	different ownership in the presence of PRIV_FILE_OWNER.
153	Additional restrictions apply when creating or modifying a
154	set-uid 0 file.
155
156privilege PRIV_FILE_UPGRADE_SL
157
158	Allows a process to set the sensitivity label of a file or
159	directory to a sensitivity label that dominates the existing
160	sensitivity label.
161	This privilege is interpreted only if the system is configured
162	with Trusted Extensions.
163
164basic privilege PRIV_FILE_WRITE
165
166	Allows a process to modify objects in the filesystem.
167
168privilege PRIV_GRAPHICS_ACCESS
169
170	Allows a process to make privileged ioctls to graphics devices.
171	Typically only xserver process needs to have this privilege.
172	A process with this privilege is also allowed to perform
173	privileged graphics device mappings.
174
175privilege PRIV_GRAPHICS_MAP
176
177	Allows a process to perform privileged mappings through a
178	graphics device.
179
180privilege PRIV_IPC_DAC_READ
181
182	Allows a process to read a System V IPC
183	Message Queue, Semaphore Set, or Shared Memory Segment whose
184	permission bits do not allow the process read permission.
185	Allows a process to read remote shared memory whose
186	permission bits do not allow the process read permission.
187
188privilege PRIV_IPC_DAC_WRITE
189
190	Allows a process to write a System V IPC
191	Message Queue, Semaphore Set, or Shared Memory Segment whose
192	permission bits do not allow the process write permission.
193	Allows a process to read remote shared memory whose
194	permission bits do not allow the process write permission.
195	Additional restrictions apply if the owner of the object has uid 0
196	and the effective uid of the current process is not 0.
197
198privilege PRIV_IPC_OWNER
199
200	Allows a process which is not the owner of a System
201	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
202	remove, change ownership of, or change permission bits of the
203	Message Queue, Semaphore Set, or Shared Memory Segment.
204	Additional restrictions apply if the owner of the object has uid 0
205	and the effective uid of the current process is not 0.
206
207basic privilege PRIV_NET_ACCESS
208
209	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
210
211privilege PRIV_NET_BINDMLP
212
213	Allow a process to bind to a port that is configured as a
214	multi-level port(MLP) for the process's zone. This privilege
215	applies to both shared address and zone-specific address MLPs.
216	See tnzonecfg(4) from the Trusted Extensions manual pages for
217	information on configuring MLP ports.
218	This privilege is interpreted only if the system is configured
219	with Trusted Extensions.
220
221privilege PRIV_NET_ICMPACCESS
222
223	Allows a process to send and receive ICMP packets.
224
225privilege PRIV_NET_MAC_AWARE
226
227	Allows a process to set NET_MAC_AWARE process flag by using
228	setpflags(2). This privilege also allows a process to set
229	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
230	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
231	option both allow a local process to communicate with an
232	unlabeled peer if the local process' label dominates the
233	peer's default label, or if the local process runs in the
234	global zone.
235	This privilege is interpreted only if the system is configured
236	with Trusted Extensions.
237
238privilege PRIV_NET_MAC_IMPLICIT
239
240	Allows a process to set SO_MAC_IMPLICIT option by using
241	setsockopt(3SOCKET).  This allows a privileged process to
242	transmit implicitly-labeled packets to a peer.
243	This privilege is interpreted only if the system is configured
244	with Trusted Extensions.
245
246privilege PRIV_NET_OBSERVABILITY
247
248	Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
249	while not requiring them to need PRIV_NET_RAWACCESS.
250
251privilege PRIV_NET_PRIVADDR
252
253	Allows a process to bind to a privileged port
254	number. The privilege port numbers are 1-1023 (the traditional
255	UNIX privileged ports) as well as those ports marked as
256	"udp/tcp_extra_priv_ports" with the exception of the ports
257	reserved for use by NFS.
258
259privilege PRIV_NET_RAWACCESS
260
261	Allows a process to have direct access to the network layer.
262
263unsafe privilege PRIV_PROC_AUDIT
264
265	Allows a process to generate audit records.
266	Allows a process to get its own audit pre-selection information.
267
268privilege PRIV_PROC_CHROOT
269
270	Allows a process to change its root directory.
271
272privilege PRIV_PROC_CLOCK_HIGHRES
273
274	Allows a process to use high resolution timers.
275
276basic privilege PRIV_PROC_EXEC
277
278	Allows a process to call execve().
279
280basic privilege PRIV_PROC_FORK
281
282	Allows a process to call fork1()/forkall()/vfork()
283
284basic privilege PRIV_PROC_INFO
285
286	Allows a process to examine the status of processes other
287	than those it can send signals to.  Processes which cannot
288	be examined cannot be seen in /proc and appear not to exist.
289
290privilege PRIV_PROC_LOCK_MEMORY
291
292	Allows a process to lock pages in physical memory.
293
294privilege PRIV_PROC_MEMINFO
295
296	Allows a process to access physical memory information.
297
298privilege PRIV_PROC_OWNER
299
300	Allows a process to send signals to other processes, inspect
301	and modify process state to other processes regardless of
302	ownership.  When modifying another process, additional
303	restrictions apply:  the effective privilege set of the
304	attaching process must be a superset of the target process'
305	effective, permitted and inheritable sets; the limit set must
306	be a superset of the target's limit set; if the target process
307	has any uid set to 0 all privilege must be asserted unless the
308	effective uid is 0.
309	Allows a process to bind arbitrary processes to CPUs.
310
311privilege PRIV_PROC_PRIOUP
312
313	Allows a process to elevate its priority above its current level.
314
315privilege PRIV_PROC_PRIOCNTL
316
317	Allows all that PRIV_PROC_PRIOUP allows.
318	Allows a process to change its scheduling class to any scheduling class,
319	including the RT class.
320
321basic privilege PRIV_PROC_SECFLAGS
322
323	Allows a process to manipulate the secflags of processes (subject to,
324	additionally, the ability to signal that process)
325
326basic privilege PRIV_PROC_SESSION
327
328	Allows a process to send signals or trace processes outside its
329	session.
330
331unsafe privilege PRIV_PROC_SETID
332
333	Allows a process to set its uids at will.
334	Assuming uid 0 requires all privileges to be asserted.
335
336privilege PRIV_PROC_TASKID
337
338	Allows a process to assign a new task ID to the calling process.
339
340privilege PRIV_PROC_ZONE
341
342	Allows a process to trace or send signals to processes in
343	other zones.
344
345privilege PRIV_SYS_ACCT
346
347	Allows a process to enable and disable and manage accounting through
348	acct(2), getacct(2), putacct(2) and wracct(2).
349
350privilege PRIV_SYS_ADMIN
351
352	Allows a process to perform system administration tasks such
353	as setting node and domain name and specifying nscd and coreadm
354	settings.
355
356privilege PRIV_SYS_AUDIT
357
358	Allows a process to start the (kernel) audit daemon.
359	Allows a process to view and set audit state (audit user ID,
360	audit terminal ID, audit sessions ID, audit pre-selection mask).
361	Allows a process to turn off and on auditing.
362	Allows a process to configure the audit parameters (cache and
363	queue sizes, event to class mappings, policy options).
364
365privilege PRIV_SYS_CONFIG
366
367	Allows a process to perform various system configuration tasks.
368	Allows a process to add and remove swap devices; when adding a swap
369	device, a process must also have sufficient privileges to read from
370	and write to the swap device.
371
372privilege PRIV_SYS_DEVICES
373
374	Allows a process to successfully call a kernel module that
375	calls the kernel drv_priv(9F) function to check for allowed
376	access.
377	Allows a process to open the real console device directly.
378	Allows a process to open devices that have been exclusively opened.
379
380privilege PRIV_SYS_IPC_CONFIG
381
382	Allows a process to increase the size of a System V IPC Message
383	Queue buffer.
384
385privilege PRIV_SYS_LINKDIR
386
387	Allows a process to unlink and link directories.
388
389privilege PRIV_SYS_MOUNT
390
391	Allows filesystem specific administrative procedures, such as
392	filesystem configuration ioctls, quota calls and creation/deletion
393	of snapshots.
394	Allows a process to mount and unmount filesystems which would
395	otherwise be restricted (i.e., most filesystems except
396	namefs).
397	A process performing a mount operation needs to have
398	appropriate access to the device being mounted (read-write for
399	"rw" mounts, read for "ro" mounts).
400	A process performing any of the aforementioned
401	filesystem operations needs to have read/write/owner
402	access to the mount point.
403	Only regular files and directories can serve as mount points
404	for processes which do not have all zone privileges asserted.
405	Unless a process has all zone privileges, the mount(2)
406	system call will force the "nosuid" and "restrict" options, the
407	latter only for autofs mountpoints.
408	Regardless of privileges, a process running in a non-global zone may
409	only control mounts performed from within said zone.
410	Outside the global zone, the "nodevices" option is always forced.
411
412privilege PRIV_SYS_IPTUN_CONFIG
413
414	Allows a process to configure IP tunnel links.
415
416privilege PRIV_SYS_DL_CONFIG
417
418	Allows a process to configure all classes of datalinks, including
419	configuration allowed by PRIV_SYS_IPTUN_CONFIG.
420
421privilege PRIV_SYS_IP_CONFIG
422
423	Allows a process to configure a system's IP interfaces and routes.
424	Allows a process to configure network parameters using ndd.
425	Allows a process access to otherwise restricted information using ndd.
426	Allows a process to configure IPsec.
427	Allows a process to pop anchored STREAMs modules with matching zoneid.
428
429privilege PRIV_SYS_NET_CONFIG
430
431	Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
432	PRIV_SYS_PPP_CONFIG allow.
433	Allows a process to push the rpcmod STREAMs module.
434	Allows a process to INSERT/REMOVE STREAMs modules on locations other
435	than the top of the module stack.
436
437privilege PRIV_SYS_NFS
438
439	Allows a process to perform Sun private NFS specific system calls.
440	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
441	and port 4045 (lockd).
442
443privilege PRIV_SYS_PPP_CONFIG
444
445	Allows a process to create and destroy PPP (sppp) interfaces.
446	Allows a process to configure PPP tunnels (sppptun).
447
448privilege PRIV_SYS_RES_BIND
449
450	Allows a process to bind processes to processor sets.
451
452privilege PRIV_SYS_RES_CONFIG
453
454	Allows all that PRIV_SYS_RES_BIND allows.
455	Allows a process to create and delete processor sets, assign
456	CPUs to processor sets and override the PSET_NOESCAPE property.
457	Allows a process to change the operational status of CPUs in
458	the system using p_online(2).
459	Allows a process to configure resource pools and to bind
460	processes to pools
461
462unsafe privilege PRIV_SYS_RESOURCE
463
464	Allows a process to modify the resource limits specified
465	by setrlimit(2) and setrctl(2) without restriction.
466	Allows a process to exceed the per-user maximum number of
467	processes.
468	Allows a process to extend or create files on a filesystem that
469	has less than minfree space in reserve.
470
471privilege PRIV_SYS_SMB
472
473	Allows a process to access the Sun private SMB kernel module.
474	Allows a process to bind to ports reserved by NetBIOS and SMB:
475	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
476	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
477
478privilege PRIV_SYS_SUSER_COMPAT
479
480	Allows a process to successfully call a third party loadable module
481	that calls the kernel suser() function to check for allowed access.
482	This privilege exists only for third party loadable module
483	compatibility and is not used by Solaris proper.
484
485privilege PRIV_SYS_TIME
486
487	Allows a process to manipulate system time using any of the
488	appropriate system calls: stime, adjtime, ntp_adjtime and
489	the IA specific RTC calls.
490
491privilege PRIV_SYS_TRANS_LABEL
492
493	Allows a process to translate labels that are not dominated
494	by the process' sensitivity label to and from an external
495	string form.
496	This privilege is interpreted only if the system is configured
497	with Trusted Extensions.
498
499privilege PRIV_VIRT_MANAGE
500
501	Allows a process to manage virtualized environments such as
502	xVM(5).
503
504privilege PRIV_WIN_COLORMAP
505
506	Allows a process to override colormap restrictions.
507        Allows a process to install or remove colormaps.
508        Allows a process to retrieve colormap cell entries allocated
509	by other processes.
510	This privilege is interpreted only if the system is configured
511	with Trusted Extensions.
512
513privilege PRIV_WIN_CONFIG
514
515	Allows a process to configure or destroy resources that are
516	permanently retained by the X server.
517        Allows a process to use SetScreenSaver to set the screen
518	saver timeout value.
519        Allows a process to use ChangeHosts to modify the display
520	access control list.
521        Allows a process to use GrabServer.
522        Allows a process to use the SetCloseDownMode request which
523	may retain window, pixmap, colormap, property, cursor, font,
524	or graphic context resources.
525	This privilege is interpreted only if the system is configured
526	with Trusted Extensions.
527
528privilege PRIV_WIN_DAC_READ
529
530	Allows a process to read from a window resource that it does
531	not own (has a different user ID).
532	This privilege is interpreted only if the system is configured
533	with Trusted Extensions.
534
535privilege PRIV_WIN_DAC_WRITE
536
537	Allows a process to write to or create a window resource that
538	it does not own (has a different user ID). A newly created
539	window property is created with the window's user ID.
540	This privilege is interpreted only if the system is configured
541	with Trusted Extensions.
542
543privilege PRIV_WIN_DEVICES
544
545	Allows a process to perform operations on window input devices.
546        Allows a process to get and set keyboard and pointer controls.
547        Allows a process to modify pointer button and key mappings.
548	This privilege is interpreted only if the system is configured
549	with Trusted Extensions.
550
551privilege PRIV_WIN_DGA
552
553	Allows a process to use the direct graphics access (DGA) X protocol
554	extensions. Direct process access to the frame buffer is still
555	required. Thus the process must have MAC and DAC privileges that
556	allow access to the frame buffer, or the frame buffer must be
557        allocated to the process.
558	This privilege is interpreted only if the system is configured
559	with Trusted Extensions.
560
561privilege PRIV_WIN_DOWNGRADE_SL
562
563	Allows a process to set the sensitivity label of a window resource
564	to a sensitivity label that does not dominate the existing
565	sensitivity label.
566	This privilege is interpreted only if the system is configured
567	with Trusted Extensions.
568
569privilege PRIV_WIN_FONTPATH
570
571	Allows a process to set a font path.
572	This privilege is interpreted only if the system is configured
573	with Trusted Extensions.
574
575privilege PRIV_WIN_MAC_READ
576
577	Allows a process to read from a window resource whose sensitivity
578	label is not equal to the process sensitivity label.
579	This privilege is interpreted only if the system is configured
580	with Trusted Extensions.
581
582privilege PRIV_WIN_MAC_WRITE
583
584	Allows a process to create a window resource whose sensitivity
585	label is not equal to the process sensitivity label.
586	A newly created window property is created with the window's
587	sensitivity label.
588	This privilege is interpreted only if the system is configured
589	with Trusted Extensions.
590
591privilege PRIV_WIN_SELECTION
592
593	Allows a process to request inter-window data moves without the
594	intervention of the selection confirmer.
595	This privilege is interpreted only if the system is configured
596	with Trusted Extensions.
597
598privilege PRIV_WIN_UPGRADE_SL
599
600	Allows a process to set the sensitivity label of a window
601	resource to a sensitivity label that dominates the existing
602	sensitivity label.
603	This privilege is interpreted only if the system is configured
604	with Trusted Extensions.
605
606privilege PRIV_XVM_CONTROL
607
608	Allows a process access to the xVM(5) control devices for
609	managing guest domains and the hypervisor. This privilege is
610	used only if booted into xVM on x86 platforms.
611
612set PRIV_EFFECTIVE
613
614	Set of privileges currently in effect.
615
616set PRIV_INHERITABLE
617
618	Set of privileges that comes into effect on exec.
619
620set PRIV_PERMITTED
621
622	Set of privileges that can be put into the effective set without
623	restriction.
624
625set PRIV_LIMIT
626
627	Set of privileges that determines the absolute upper bound of
628	privileges this process and its off-spring can obtain.
629