1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 #include <sys/dld_ioc.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make assumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions. 151 * 152 * All of the system's policy should be implemented here. 153 */ 154 155 /* 156 * Private functions which take an additional va_list argument to 157 * implement an object specific policy override. 158 */ 159 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 160 const char *, va_list); 161 static int priv_policy_va(const cred_t *, int, boolean_t, int, 162 const char *, ...); 163 164 /* 165 * Generic policy calls 166 * 167 * The "bottom" functions of policy control 168 */ 169 static char * 170 mprintf(const char *fmt, ...) 171 { 172 va_list args; 173 char *buf; 174 size_t len; 175 176 va_start(args, fmt); 177 len = vsnprintf(NULL, 0, fmt, args) + 1; 178 va_end(args); 179 180 buf = kmem_alloc(len, KM_NOSLEEP); 181 182 if (buf == NULL) 183 return (NULL); 184 185 va_start(args, fmt); 186 (void) vsnprintf(buf, len, fmt, args); 187 va_end(args); 188 189 return (buf); 190 } 191 192 /* 193 * priv_policy_errmsg() 194 * 195 * Generate an error message if privilege debugging is enabled system wide 196 * or for this particular process. 197 */ 198 199 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 200 #define FMTMSG " for \"%s\"" 201 #define FMTFUN " needed at %s+0x%lx" 202 203 /* The maximum size privilege format: the concatenation of the above */ 204 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 205 206 static void 207 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 208 { 209 struct proc *me; 210 pc_t stack[MAXPRIVSTACK]; 211 int depth; 212 int i; 213 char *sym; 214 ulong_t off; 215 const char *pname; 216 217 char *cmd; 218 char fmt[sizeof (FMTMAX)]; 219 220 if ((me = curproc) == &p0) 221 return; 222 223 /* Privileges must be defined */ 224 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 225 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 226 priv_getbynum(priv) != NULL); 227 228 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 229 priv = PRIV_ALL; 230 231 if (curthread->t_pre_sys) 232 ttolwp(curthread)->lwp_badpriv = (short)priv; 233 234 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 235 return; 236 237 (void) strcpy(fmt, FMTHDR); 238 239 if (me->p_user.u_comm[0]) 240 cmd = &me->p_user.u_comm[0]; 241 else 242 cmd = "priv_policy"; 243 244 if (msg != NULL && *msg != '\0') { 245 (void) strcat(fmt, FMTMSG); 246 } else { 247 (void) strcat(fmt, "%s"); 248 msg = ""; 249 } 250 251 sym = NULL; 252 253 depth = getpcstack(stack, MAXPRIVSTACK); 254 255 /* 256 * Try to find the first interesting function on the stack. 257 * priv_policy* that's us, so completely uninteresting. 258 * suser(), drv_priv(), secpolicy_* are also called from 259 * too many locations to convey useful information. 260 */ 261 for (i = 0; i < depth; i++) { 262 sym = kobj_getsymname((uintptr_t)stack[i], &off); 263 if (sym != NULL && 264 strstr(sym, "hasprocperm") == 0 && 265 strcmp("suser", sym) != 0 && 266 strcmp("ipcaccess", sym) != 0 && 267 strcmp("drv_priv", sym) != 0 && 268 strncmp("secpolicy_", sym, 10) != 0 && 269 strncmp("priv_policy", sym, 11) != 0) 270 break; 271 } 272 273 if (sym != NULL) 274 (void) strcat(fmt, FMTFUN); 275 276 (void) strcat(fmt, "\n"); 277 278 switch (priv) { 279 case PRIV_ALL: 280 pname = "ALL"; 281 break; 282 case PRIV_MULTIPLE: 283 pname = "MULTIPLE"; 284 break; 285 case PRIV_ALLZONE: 286 pname = "ZONE"; 287 break; 288 case PRIV_GLOBAL: 289 pname = "GLOBAL"; 290 break; 291 default: 292 pname = priv_getbynum(priv); 293 break; 294 } 295 296 if (CR_FLAGS(cr) & PRIV_DEBUG) { 297 /* Remember last message, just like lwp_badpriv. */ 298 if (curthread->t_pdmsg != NULL) { 299 kmem_free(curthread->t_pdmsg, 300 strlen(curthread->t_pdmsg) + 1); 301 } 302 303 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 304 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 305 306 curthread->t_post_sys = 1; 307 } 308 if (priv_debug) { 309 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 310 curthread->t_sysnum, msg, sym, off); 311 } 312 } 313 314 /* 315 * Override the policy, if appropriate. Return 0 if the external 316 * policy engine approves. 317 */ 318 static int 319 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 320 { 321 priv_set_t set; 322 int ret; 323 324 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 325 return (-1); 326 327 if (priv == PRIV_ALL) { 328 priv_fillset(&set); 329 } else if (allzone) { 330 set = *ZONEPRIVS(cr); 331 } else { 332 priv_emptyset(&set); 333 priv_addset(&set, priv); 334 } 335 ret = klpd_call(cr, &set, ap); 336 return (ret); 337 } 338 339 static int 340 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...) 341 { 342 va_list ap; 343 344 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 345 va_start(ap, req); 346 return (klpd_call(cr, req, ap)); 347 } 348 return (-1); 349 } 350 351 /* 352 * Audit failure, log error message. 353 */ 354 static void 355 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 356 { 357 358 if (audit_active) 359 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 360 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 361 362 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 363 curthread->t_pre_sys) { 364 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 365 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 366 } else { 367 ASSERT(!HAS_PRIVILEGE(cr, priv)); 368 priv_policy_errmsg(cr, priv, msg); 369 } 370 } 371 } 372 373 /* 374 * priv_policy_ap() 375 * return 0 or error. 376 * See block comment above for a description of "priv" and "allzone" usage. 377 */ 378 static int 379 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 380 const char *msg, va_list ap) 381 { 382 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 383 (!servicing_interrupt() && 384 priv_policy_override(cr, priv, allzone, ap) == 0)) { 385 if ((allzone || priv == PRIV_ALL || 386 !PRIV_ISASSERT(priv_basic, priv)) && 387 !servicing_interrupt()) { 388 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 389 if (audit_active) 390 audit_priv(priv, 391 allzone ? ZONEPRIVS(cr) : NULL, 1); 392 } 393 err = 0; 394 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 395 } else if (!servicing_interrupt()) { 396 /* Failure audited in this procedure */ 397 priv_policy_err(cr, priv, allzone, msg); 398 } 399 return (err); 400 } 401 402 int 403 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 404 const char *msg, ...) 405 { 406 int ret; 407 va_list ap; 408 409 va_start(ap, msg); 410 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 411 va_end(ap); 412 413 return (ret); 414 } 415 416 int 417 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 418 const char *msg) 419 { 420 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE)); 421 } 422 423 /* 424 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 425 */ 426 boolean_t 427 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 428 { 429 boolean_t res = HAS_PRIVILEGE(cr, priv) && 430 (!allzone || HAS_ALLZONEPRIVS(cr)); 431 432 /* Audit success only */ 433 if (res && audit_active && 434 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 435 !servicing_interrupt()) { 436 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 437 } 438 if (res) { 439 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 440 } else { 441 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 442 } 443 return (res); 444 } 445 446 /* 447 * Non-auditing variant of priv_policy_choice(). 448 */ 449 boolean_t 450 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 451 { 452 boolean_t res = HAS_PRIVILEGE(cr, priv) && 453 (!allzone || HAS_ALLZONEPRIVS(cr)); 454 455 if (res) { 456 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 457 } else { 458 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 459 } 460 return (res); 461 } 462 463 /* 464 * Check whether all privileges in the required set are present. 465 */ 466 static int 467 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 468 { 469 int priv; 470 int pfound = -1; 471 priv_set_t pset; 472 473 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 474 &CR_OEPRIV(cr))) { 475 return (0); 476 } 477 478 if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0) 479 return (0); 480 481 if (req == PRIV_FULLSET || priv_isfullset(req)) { 482 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 483 return (EACCES); 484 } 485 486 pset = CR_OEPRIV(cr); /* present privileges */ 487 priv_inverse(&pset); /* all non present privileges */ 488 priv_intersect(req, &pset); /* the actual missing privs */ 489 490 if (audit_active) 491 audit_priv(PRIV_NONE, &pset, 0); 492 /* 493 * Privilege debugging; special case "one privilege in set". 494 */ 495 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 496 for (priv = 0; priv < nprivs; priv++) { 497 if (priv_ismember(&pset, priv)) { 498 if (pfound != -1) { 499 /* Multiple missing privs */ 500 priv_policy_errmsg(cr, PRIV_MULTIPLE, 501 msg); 502 return (EACCES); 503 } 504 pfound = priv; 505 } 506 } 507 ASSERT(pfound != -1); 508 /* Just the one missing privilege */ 509 priv_policy_errmsg(cr, pfound, msg); 510 } 511 512 return (EACCES); 513 } 514 515 /* 516 * Called when an operation requires that the caller be in the 517 * global zone, regardless of privilege. 518 */ 519 static int 520 priv_policy_global(const cred_t *cr) 521 { 522 if (crgetzoneid(cr) == GLOBAL_ZONEID) 523 return (0); /* success */ 524 525 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 526 curthread->t_pre_sys) { 527 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 528 } 529 return (EPERM); 530 } 531 532 /* 533 * Changing process priority 534 */ 535 int 536 secpolicy_setpriority(const cred_t *cr) 537 { 538 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 539 } 540 541 /* 542 * Binding to a privileged port, port must be specified in host byte 543 * order. 544 */ 545 int 546 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 547 { 548 char *reason; 549 int priv; 550 551 switch (port) { 552 case 137: 553 case 138: 554 case 139: 555 case 445: 556 /* 557 * NBT and SMB ports, these are extra privileged ports, 558 * allow bind only if the SYS_SMB privilege is present. 559 */ 560 priv = PRIV_SYS_SMB; 561 reason = "NBT or SMB port"; 562 break; 563 564 case 2049: 565 case 4045: 566 /* 567 * NFS ports, these are extra privileged ports, allow bind 568 * only if the SYS_NFS privilege is present. 569 */ 570 priv = PRIV_SYS_NFS; 571 reason = "NFS port"; 572 break; 573 574 default: 575 priv = PRIV_NET_PRIVADDR; 576 reason = NULL; 577 break; 578 579 } 580 581 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 582 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 583 } 584 585 /* 586 * Binding to a multilevel port on a trusted (labeled) system. 587 */ 588 int 589 secpolicy_net_bindmlp(const cred_t *cr) 590 { 591 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 592 } 593 594 /* 595 * Allow a communication between a zone and an unlabeled host when their 596 * labels don't match. 597 */ 598 int 599 secpolicy_net_mac_aware(const cred_t *cr) 600 { 601 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 602 } 603 604 /* 605 * Common routine which determines whether a given credential can 606 * act on a given mount. 607 * When called through mount, the parameter needoptcheck is a pointer 608 * to a boolean variable which will be set to either true or false, 609 * depending on whether the mount policy should change the mount options. 610 * In all other cases, needoptcheck should be a NULL pointer. 611 */ 612 static int 613 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 614 boolean_t *needoptcheck) 615 { 616 boolean_t allzone = B_FALSE; 617 boolean_t mounting = needoptcheck != NULL; 618 619 /* 620 * Short circuit the following cases: 621 * vfsp == NULL or mvp == NULL (pure privilege check) 622 * have all privileges - no further checks required 623 * and no mount options need to be set. 624 */ 625 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 626 if (mounting) 627 *needoptcheck = B_FALSE; 628 629 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 630 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 631 } 632 633 /* 634 * When operating on an existing mount (either we're not mounting 635 * or we're doing a remount and VFS_REMOUNT will be set), zones 636 * can operate only on mounts established by the zone itself. 637 */ 638 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 639 zoneid_t zoneid = crgetzoneid(cr); 640 641 if (zoneid != GLOBAL_ZONEID && 642 vfsp->vfs_zone->zone_id != zoneid) { 643 return (EPERM); 644 } 645 } 646 647 if (mounting) 648 *needoptcheck = B_TRUE; 649 650 /* 651 * Overlay mounts may hide important stuff; if you can't write to a 652 * mount point but would be able to mount on top of it, you can 653 * escalate your privileges. 654 * So we go about asking the same questions namefs does when it 655 * decides whether you can mount over a file or not but with the 656 * added restriction that you can only mount on top of a regular 657 * file or directory. 658 * If we have all the zone's privileges, we skip all other checks, 659 * or else we may actually get in trouble inside the automounter. 660 */ 661 if ((mvp->v_flag & VROOT) != 0 || 662 (mvp->v_type != VDIR && mvp->v_type != VREG) || 663 HAS_ALLZONEPRIVS(cr)) { 664 allzone = B_TRUE; 665 } else { 666 vattr_t va; 667 int err; 668 669 va.va_mask = AT_UID|AT_MODE; 670 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 671 if (err != 0) 672 return (err); 673 674 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 675 return (err); 676 677 if ((va.va_mode & VWRITE) == 0 && 678 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 679 return (EACCES); 680 } 681 } 682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 683 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 684 } 685 686 void 687 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 688 { 689 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 690 691 /* 692 * check; if we don't have either "nosuid" or 693 * both "nosetuid" and "nodevices", then we add 694 * "nosuid"; this depends on how the current 695 * implementation works (it first checks nosuid). In a 696 * zone, a user with all zone privileges can mount with 697 * "setuid" but never with "devices". 698 */ 699 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 700 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 701 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 702 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 703 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 704 else 705 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 706 } 707 /* 708 * If we're not the local super user, we set the "restrict" 709 * option to indicate to automountd that this mount should 710 * be handled with care. 711 */ 712 if (!amsuper) 713 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 714 715 } 716 717 extern vnode_t *rootvp; 718 extern vfs_t *rootvfs; 719 720 int 721 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 722 { 723 boolean_t needoptchk; 724 int error; 725 726 /* 727 * If it's a remount, get the underlying mount point, 728 * except for the root where we use the rootvp. 729 */ 730 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 731 if (vfsp == rootvfs) 732 mvp = rootvp; 733 else 734 mvp = vfsp->vfs_vnodecovered; 735 } 736 737 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 738 739 if (error == 0 && needoptchk) { 740 secpolicy_fs_mount_clearopts(cr, vfsp); 741 } 742 743 return (error); 744 } 745 746 /* 747 * Does the policy computations for "ownership" of a mount; 748 * here ownership is defined as the ability to "mount" 749 * the filesystem originally. The rootvfs doesn't cover any 750 * vnodes; we attribute its ownership to the rootvp. 751 */ 752 static int 753 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 754 { 755 vnode_t *mvp; 756 757 if (vfsp == NULL) 758 mvp = NULL; 759 else if (vfsp == rootvfs) 760 mvp = rootvp; 761 else 762 mvp = vfsp->vfs_vnodecovered; 763 764 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 765 } 766 767 int 768 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 769 { 770 return (secpolicy_fs_owner(cr, vfsp)); 771 } 772 773 /* 774 * Quotas are a resource, but if one has the ability to mount a filesystem, he 775 * should be able to modify quotas on it. 776 */ 777 int 778 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 779 { 780 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 781 } 782 783 /* 784 * Exceeding minfree: also a per-mount resource constraint. 785 */ 786 int 787 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 788 { 789 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 790 } 791 792 int 793 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 794 { 795 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 796 } 797 798 /* ARGSUSED */ 799 int 800 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 801 { 802 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 803 } 804 805 /* 806 * Name: secpolicy_vnode_access() 807 * 808 * Parameters: Process credential 809 * vnode 810 * uid of owner of vnode 811 * permission bits not granted to the caller when examining 812 * file mode bits (i.e., when a process wants to open a 813 * mode 444 file for VREAD|VWRITE, this function should be 814 * called only with a VWRITE argument). 815 * 816 * Normal: Verifies that cred has the appropriate privileges to 817 * override the mode bits that were denied. 818 * 819 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 820 * not a directory. 821 * file_dac_read - if VREAD bit was denied. 822 * file_dac_search - if VEXEC bit was denied and vnode is 823 * a directory. 824 * file_dac_write - if VWRITE bit was denied. 825 * 826 * Root owned files are special cased to protect system 827 * configuration files and such. 828 * 829 * Output: EACCES - if privilege check fails. 830 */ 831 832 /* ARGSUSED */ 833 int 834 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 835 { 836 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 837 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 838 KLPDARG_NOMORE) != 0) { 839 return (EACCES); 840 } 841 842 if (mode & VWRITE) { 843 boolean_t allzone; 844 845 if (owner == 0 && cr->cr_uid != 0) 846 allzone = B_TRUE; 847 else 848 allzone = B_FALSE; 849 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 850 NULL, KLPDARG_VNODE, vp, (char *)NULL, 851 KLPDARG_NOMORE) != 0) { 852 return (EACCES); 853 } 854 } 855 856 if (mode & VEXEC) { 857 /* 858 * Directories use file_dac_search to override the execute bit. 859 */ 860 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 861 PRIV_FILE_DAC_EXECUTE; 862 863 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 864 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 865 } 866 return (0); 867 } 868 869 /* 870 * Name: secpolicy_vnode_setid_modify() 871 * 872 * Normal: verify that subject can set the file setid flags. 873 * 874 * Output: EPERM - if not privileged. 875 */ 876 877 static int 878 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 879 { 880 /* If changing to suid root, must have all zone privs */ 881 boolean_t allzone = B_TRUE; 882 883 if (owner != 0) { 884 if (owner == cr->cr_uid) 885 return (0); 886 allzone = B_FALSE; 887 } 888 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 889 } 890 891 /* 892 * Are we allowed to retain the set-uid/set-gid bits when 893 * changing ownership or when writing to a file? 894 * "issuid" should be true when set-uid; only in that case 895 * root ownership is checked (setgid is assumed). 896 */ 897 int 898 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 899 { 900 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 901 return (EPERM); 902 903 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 904 } 905 906 /* 907 * Name: secpolicy_vnode_setids_setgids() 908 * 909 * Normal: verify that subject can set the file setgid flag. 910 * 911 * Output: EPERM - if not privileged 912 */ 913 914 int 915 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 916 { 917 if (!groupmember(gid, cred)) 918 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 919 NULL)); 920 return (0); 921 } 922 923 /* 924 * Name: secpolicy_vnode_chown 925 * 926 * Normal: Determine if subject can chown owner of a file. 927 * 928 * Output: EPERM - if access denied 929 */ 930 931 int 932 secpolicy_vnode_chown(const cred_t *cred, boolean_t check_self) 933 { 934 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 935 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 936 NULL)); 937 else if (check_self) 938 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 939 NULL)); 940 else 941 return (EPERM); 942 } 943 944 /* 945 * Name: secpolicy_vnode_create_gid 946 * 947 * Normal: Determine if subject can change group ownership of a file. 948 * 949 * Output: EPERM - if access denied 950 */ 951 int 952 secpolicy_vnode_create_gid(const cred_t *cred) 953 { 954 return (secpolicy_vnode_chown(cred, B_TRUE)); 955 } 956 957 /* 958 * Name: secpolicy_vnode_utime_modify() 959 * 960 * Normal: verify that subject can modify the utime on a file. 961 * 962 * Output: EPERM - if access denied. 963 */ 964 965 static int 966 secpolicy_vnode_utime_modify(const cred_t *cred) 967 { 968 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 969 "modify file times")); 970 } 971 972 973 /* 974 * Name: secpolicy_vnode_setdac() 975 * 976 * Normal: verify that subject can modify the mode of a file. 977 * allzone privilege needed when modifying root owned object. 978 * 979 * Output: EPERM - if access denied. 980 */ 981 982 int 983 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 984 { 985 if (owner == cred->cr_uid) 986 return (0); 987 988 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 989 } 990 /* 991 * Name: secpolicy_vnode_stky_modify() 992 * 993 * Normal: verify that subject can make a file a "sticky". 994 * 995 * Output: EPERM - if access denied. 996 */ 997 998 int 999 secpolicy_vnode_stky_modify(const cred_t *cred) 1000 { 1001 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1002 "set file sticky")); 1003 } 1004 1005 /* 1006 * Policy determines whether we can remove an entry from a directory, 1007 * regardless of permission bits. 1008 */ 1009 int 1010 secpolicy_vnode_remove(const cred_t *cr) 1011 { 1012 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1013 "sticky directory")); 1014 } 1015 1016 int 1017 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1018 { 1019 boolean_t allzone = (owner == 0); 1020 1021 if (owner == cr->cr_uid) 1022 return (0); 1023 1024 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1025 } 1026 1027 void 1028 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1029 { 1030 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1031 secpolicy_vnode_setid_retain(cr, 1032 (vap->va_mode & S_ISUID) != 0 && 1033 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1034 vap->va_mask |= AT_MODE; 1035 vap->va_mode &= ~(S_ISUID|S_ISGID); 1036 } 1037 } 1038 1039 int 1040 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1041 cred_t *cr) 1042 { 1043 int error; 1044 1045 if ((vap->va_mode & S_ISUID) != 0 && 1046 (error = secpolicy_vnode_setid_modify(cr, 1047 ovap->va_uid)) != 0) { 1048 return (error); 1049 } 1050 1051 /* 1052 * Check privilege if attempting to set the 1053 * sticky bit on a non-directory. 1054 */ 1055 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1056 secpolicy_vnode_stky_modify(cr) != 0) { 1057 vap->va_mode &= ~S_ISVTX; 1058 } 1059 1060 /* 1061 * Check for privilege if attempting to set the 1062 * group-id bit. 1063 */ 1064 if ((vap->va_mode & S_ISGID) != 0 && 1065 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1066 vap->va_mode &= ~S_ISGID; 1067 } 1068 1069 return (0); 1070 } 1071 1072 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1073 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1074 B_FALSE, EPERM, NULL) 1075 1076 /* 1077 * Check privileges for setting xvattr attributes 1078 */ 1079 int 1080 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1081 { 1082 xoptattr_t *xoap; 1083 int error = 0; 1084 1085 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1086 return (EINVAL); 1087 1088 /* 1089 * First process the DOS bits 1090 */ 1091 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1092 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1093 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1094 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1095 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1096 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1097 return (error); 1098 } 1099 1100 /* 1101 * Now handle special attributes 1102 */ 1103 1104 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1105 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1106 xoap->xoa_immutable, cr); 1107 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1108 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1109 xoap->xoa_nounlink, cr); 1110 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1111 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1112 xoap->xoa_appendonly, cr); 1113 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1114 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1115 xoap->xoa_nodump, cr); 1116 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1117 error = EPERM; 1118 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1119 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1120 xoap->xoa_av_quarantined, cr); 1121 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1122 error = EINVAL; 1123 } 1124 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1125 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1126 xoap->xoa_av_modified, cr); 1127 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1128 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1129 xoap->xoa_av_scanstamp, cr); 1130 if (error == 0 && vtype != VREG) 1131 error = EINVAL; 1132 } 1133 return (error); 1134 } 1135 1136 /* 1137 * This function checks the policy decisions surrounding the 1138 * vop setattr call. 1139 * 1140 * It should be called after sufficient locks have been established 1141 * on the underlying data structures. No concurrent modifications 1142 * should be allowed. 1143 * 1144 * The caller must pass in unlocked version of its vaccess function 1145 * this is required because vop_access function should lock the 1146 * node for reading. A three argument function should be defined 1147 * which accepts the following argument: 1148 * A pointer to the internal "node" type (inode *) 1149 * vnode access bits (VREAD|VWRITE|VEXEC) 1150 * a pointer to the credential 1151 * 1152 * This function makes the following policy decisions: 1153 * 1154 * - change permissions 1155 * - permission to change file mode if not owner 1156 * - permission to add sticky bit to non-directory 1157 * - permission to add set-gid bit 1158 * 1159 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1160 * 1161 * If the vap argument does not include AT_MODE, the mode will be copied from 1162 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1163 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1164 * is updated to the newly computed mode. 1165 */ 1166 1167 int 1168 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1169 const struct vattr *ovap, int flags, 1170 int unlocked_access(void *, int, cred_t *), 1171 void *node) 1172 { 1173 int mask = vap->va_mask; 1174 int error = 0; 1175 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1176 1177 if (mask & AT_SIZE) { 1178 if (vp->v_type == VDIR) { 1179 error = EISDIR; 1180 goto out; 1181 } 1182 1183 /* 1184 * If ATTR_NOACLCHECK is set in the flags, then we don't 1185 * perform the secondary unlocked_access() call since the 1186 * ACL (if any) is being checked there. 1187 */ 1188 if (skipaclchk == B_FALSE) { 1189 error = unlocked_access(node, VWRITE, cr); 1190 if (error) 1191 goto out; 1192 } 1193 } 1194 if (mask & AT_MODE) { 1195 /* 1196 * If not the owner of the file then check privilege 1197 * for two things: the privilege to set the mode at all 1198 * and, if we're setting setuid, we also need permissions 1199 * to add the set-uid bit, if we're not the owner. 1200 * In the specific case of creating a set-uid root 1201 * file, we need even more permissions. 1202 */ 1203 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1204 goto out; 1205 1206 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1207 ovap, cr)) != 0) 1208 goto out; 1209 } else 1210 vap->va_mode = ovap->va_mode; 1211 1212 if (mask & (AT_UID|AT_GID)) { 1213 boolean_t checkpriv = B_FALSE; 1214 int priv; 1215 boolean_t allzone = B_FALSE; 1216 1217 /* 1218 * Chowning files. 1219 * 1220 * If you are the file owner: 1221 * chown to other uid FILE_CHOWN_SELF 1222 * chown to gid (non-member) FILE_CHOWN_SELF 1223 * chown to gid (member) <none> 1224 * 1225 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1226 * acceptable but the first one is reported when debugging. 1227 * 1228 * If you are not the file owner: 1229 * chown from root PRIV_FILE_CHOWN + zone 1230 * chown from other to any PRIV_FILE_CHOWN 1231 * 1232 */ 1233 if (cr->cr_uid != ovap->va_uid) { 1234 checkpriv = B_TRUE; 1235 allzone = (ovap->va_uid == 0); 1236 priv = PRIV_FILE_CHOWN; 1237 } else { 1238 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1239 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1240 !groupmember(vap->va_gid, cr))) { 1241 checkpriv = B_TRUE; 1242 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1243 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1244 } 1245 } 1246 /* 1247 * If necessary, check privilege to see if update can be done. 1248 */ 1249 if (checkpriv && 1250 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1251 != 0) { 1252 goto out; 1253 } 1254 1255 /* 1256 * If the file has either the set UID or set GID bits 1257 * set and the caller can set the bits, then leave them. 1258 */ 1259 secpolicy_setid_clear(vap, cr); 1260 } 1261 if (mask & (AT_ATIME|AT_MTIME)) { 1262 /* 1263 * If not the file owner and not otherwise privileged, 1264 * always return an error when setting the 1265 * time other than the current (ATTR_UTIME flag set). 1266 * If setting the current time (ATTR_UTIME not set) then 1267 * unlocked_access will check permissions according to policy. 1268 */ 1269 if (cr->cr_uid != ovap->va_uid) { 1270 if (flags & ATTR_UTIME) 1271 error = secpolicy_vnode_utime_modify(cr); 1272 else if (skipaclchk == B_FALSE) { 1273 error = unlocked_access(node, VWRITE, cr); 1274 if (error == EACCES && 1275 secpolicy_vnode_utime_modify(cr) == 0) 1276 error = 0; 1277 } 1278 if (error) 1279 goto out; 1280 } 1281 } 1282 1283 /* 1284 * Check for optional attributes here by checking the following: 1285 */ 1286 if (mask & AT_XVATTR) 1287 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1288 vp->v_type); 1289 out: 1290 return (error); 1291 } 1292 1293 /* 1294 * Name: secpolicy_pcfs_modify_bootpartition() 1295 * 1296 * Normal: verify that subject can modify a pcfs boot partition. 1297 * 1298 * Output: EACCES - if privilege check failed. 1299 */ 1300 /*ARGSUSED*/ 1301 int 1302 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1303 { 1304 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1305 "modify pcfs boot partition")); 1306 } 1307 1308 /* 1309 * System V IPC routines 1310 */ 1311 int 1312 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1313 { 1314 if (crgetzoneid(cr) != ip->ipc_zoneid || 1315 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1316 boolean_t allzone = B_FALSE; 1317 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1318 allzone = B_TRUE; 1319 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1320 } 1321 return (0); 1322 } 1323 1324 int 1325 secpolicy_ipc_config(const cred_t *cr) 1326 { 1327 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1328 } 1329 1330 int 1331 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1332 { 1333 1334 boolean_t allzone = B_FALSE; 1335 1336 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1337 1338 if ((mode & MSG_R) && 1339 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1340 return (EACCES); 1341 1342 if (mode & MSG_W) { 1343 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1344 allzone = B_TRUE; 1345 1346 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1347 NULL)); 1348 } 1349 return (0); 1350 } 1351 1352 int 1353 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1354 { 1355 boolean_t allzone = B_FALSE; 1356 1357 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1358 1359 if ((mode & MSG_R) && 1360 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1361 return (EACCES); 1362 1363 if (mode & MSG_W) { 1364 if (cr->cr_uid != 0 && owner == 0) 1365 allzone = B_TRUE; 1366 1367 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1368 NULL)); 1369 } 1370 return (0); 1371 } 1372 1373 /* 1374 * Audit configuration. 1375 */ 1376 int 1377 secpolicy_audit_config(const cred_t *cr) 1378 { 1379 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1380 } 1381 1382 /* 1383 * Audit record generation. 1384 */ 1385 int 1386 secpolicy_audit_modify(const cred_t *cr) 1387 { 1388 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1389 } 1390 1391 /* 1392 * Get audit attributes. 1393 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1394 * "Least" of the two privileges on error. 1395 */ 1396 int 1397 secpolicy_audit_getattr(const cred_t *cr) 1398 { 1399 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1400 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1401 NULL)); 1402 } else { 1403 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1404 } 1405 } 1406 1407 1408 /* 1409 * Locking physical memory 1410 */ 1411 int 1412 secpolicy_lock_memory(const cred_t *cr) 1413 { 1414 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1415 } 1416 1417 /* 1418 * Accounting (both acct(2) and exacct). 1419 */ 1420 int 1421 secpolicy_acct(const cred_t *cr) 1422 { 1423 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1424 } 1425 1426 /* 1427 * Is this process privileged to change its uids at will? 1428 * Uid 0 is still considered "special" and having the SETID 1429 * privilege is not sufficient to get uid 0. 1430 * Files are owned by root, so the privilege would give 1431 * full access and euid 0 is still effective. 1432 * 1433 * If you have the privilege and euid 0 only then do you 1434 * get the powers of root wrt uid 0. 1435 * 1436 * For gid manipulations, this is should be called with an 1437 * uid of -1. 1438 * 1439 */ 1440 int 1441 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1442 { 1443 boolean_t allzone = B_FALSE; 1444 1445 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1446 cr->cr_ruid != 0) { 1447 allzone = B_TRUE; 1448 } 1449 1450 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1451 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1452 } 1453 1454 1455 /* 1456 * Acting on a different process: if the mode is for writing, 1457 * the restrictions are more severe. This is called after 1458 * we've verified that the uids do not match. 1459 */ 1460 int 1461 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1462 { 1463 boolean_t allzone = B_FALSE; 1464 1465 if ((mode & VWRITE) && scr->cr_uid != 0 && 1466 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1467 allzone = B_TRUE; 1468 1469 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1470 } 1471 1472 int 1473 secpolicy_proc_access(const cred_t *scr) 1474 { 1475 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1476 } 1477 1478 int 1479 secpolicy_proc_excl_open(const cred_t *scr) 1480 { 1481 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1482 } 1483 1484 int 1485 secpolicy_proc_zone(const cred_t *scr) 1486 { 1487 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1488 } 1489 1490 /* 1491 * Destroying the system 1492 */ 1493 1494 int 1495 secpolicy_kmdb(const cred_t *scr) 1496 { 1497 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1498 } 1499 1500 int 1501 secpolicy_error_inject(const cred_t *scr) 1502 { 1503 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1504 } 1505 1506 /* 1507 * Processor sets, cpu configuration, resource pools. 1508 */ 1509 int 1510 secpolicy_pset(const cred_t *cr) 1511 { 1512 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1513 } 1514 1515 int 1516 secpolicy_ponline(const cred_t *cr) 1517 { 1518 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1519 } 1520 1521 int 1522 secpolicy_pool(const cred_t *cr) 1523 { 1524 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1525 } 1526 1527 int 1528 secpolicy_blacklist(const cred_t *cr) 1529 { 1530 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1531 } 1532 1533 /* 1534 * Catch all system configuration. 1535 */ 1536 int 1537 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1538 { 1539 if (checkonly) { 1540 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1541 EPERM); 1542 } else { 1543 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1544 } 1545 } 1546 1547 /* 1548 * Zone administration (halt, reboot, etc.) from within zone. 1549 */ 1550 int 1551 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1552 { 1553 if (checkonly) { 1554 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1555 EPERM); 1556 } else { 1557 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1558 NULL)); 1559 } 1560 } 1561 1562 /* 1563 * Zone configuration (create, halt, enter). 1564 */ 1565 int 1566 secpolicy_zone_config(const cred_t *cr) 1567 { 1568 /* 1569 * Require all privileges to avoid possibility of privilege 1570 * escalation. 1571 */ 1572 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1573 } 1574 1575 /* 1576 * Various other system configuration calls 1577 */ 1578 int 1579 secpolicy_coreadm(const cred_t *cr) 1580 { 1581 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1582 } 1583 1584 int 1585 secpolicy_systeminfo(const cred_t *cr) 1586 { 1587 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1588 } 1589 1590 int 1591 secpolicy_dispadm(const cred_t *cr) 1592 { 1593 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1594 } 1595 1596 int 1597 secpolicy_settime(const cred_t *cr) 1598 { 1599 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1600 } 1601 1602 /* 1603 * For realtime users: high resolution clock. 1604 */ 1605 int 1606 secpolicy_clock_highres(const cred_t *cr) 1607 { 1608 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1609 NULL)); 1610 } 1611 1612 /* 1613 * drv_priv() is documented as callable from interrupt context, not that 1614 * anyone ever does, but still. No debugging or auditing can be done when 1615 * it is called from interrupt context. 1616 * returns 0 on succes, EPERM on failure. 1617 */ 1618 int 1619 drv_priv(cred_t *cr) 1620 { 1621 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1622 } 1623 1624 int 1625 secpolicy_sys_devices(const cred_t *cr) 1626 { 1627 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1628 } 1629 1630 int 1631 secpolicy_excl_open(const cred_t *cr) 1632 { 1633 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1634 } 1635 1636 int 1637 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1638 { 1639 /* zone.* rctls can only be set from the global zone */ 1640 if (is_zone_rctl && priv_policy_global(cr) != 0) 1641 return (EPERM); 1642 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1643 } 1644 1645 int 1646 secpolicy_resource(const cred_t *cr) 1647 { 1648 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1649 } 1650 1651 /* 1652 * Processes with a real uid of 0 escape any form of accounting, much 1653 * like before. 1654 */ 1655 int 1656 secpolicy_newproc(const cred_t *cr) 1657 { 1658 if (cr->cr_ruid == 0) 1659 return (0); 1660 1661 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1662 } 1663 1664 /* 1665 * Networking 1666 */ 1667 int 1668 secpolicy_net_rawaccess(const cred_t *cr) 1669 { 1670 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1671 } 1672 1673 /* 1674 * Need this privilege for accessing the ICMP device 1675 */ 1676 int 1677 secpolicy_net_icmpaccess(const cred_t *cr) 1678 { 1679 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1680 } 1681 1682 /* 1683 * There are a few rare cases where the kernel generates ioctls() from 1684 * interrupt context with a credential of kcred rather than NULL. 1685 * In those cases, we take the safe and cheap test. 1686 */ 1687 int 1688 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1689 { 1690 if (checkonly) { 1691 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1692 0 : EPERM); 1693 } else { 1694 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1695 NULL)); 1696 } 1697 } 1698 1699 1700 /* 1701 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1702 * 1703 * There are a few rare cases where the kernel generates ioctls() from 1704 * interrupt context with a credential of kcred rather than NULL. 1705 * In those cases, we take the safe and cheap test. 1706 */ 1707 int 1708 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1709 { 1710 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1711 return (secpolicy_net_config(cr, checkonly)); 1712 1713 if (checkonly) { 1714 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1715 0 : EPERM); 1716 } else { 1717 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1718 NULL)); 1719 } 1720 } 1721 1722 /* 1723 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1724 */ 1725 int 1726 secpolicy_dl_config(const cred_t *cr) 1727 { 1728 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1729 return (secpolicy_net_config(cr, B_FALSE)); 1730 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, 1731 NULL)); 1732 } 1733 1734 1735 /* 1736 * Map IP pseudo privileges to actual privileges. 1737 * So we don't need to recompile IP when we change the privileges. 1738 */ 1739 int 1740 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1741 { 1742 int priv = PRIV_ALL; 1743 1744 switch (netpriv) { 1745 case OP_CONFIG: 1746 priv = PRIV_SYS_IP_CONFIG; 1747 break; 1748 case OP_RAW: 1749 priv = PRIV_NET_RAWACCESS; 1750 break; 1751 case OP_PRIVPORT: 1752 priv = PRIV_NET_PRIVADDR; 1753 break; 1754 } 1755 ASSERT(priv != PRIV_ALL); 1756 if (checkonly) 1757 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1758 else 1759 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1760 } 1761 1762 /* 1763 * Map network pseudo privileges to actual privileges. 1764 * So we don't need to recompile IP when we change the privileges. 1765 */ 1766 int 1767 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1768 { 1769 int priv = PRIV_ALL; 1770 1771 switch (netpriv) { 1772 case OP_CONFIG: 1773 priv = PRIV_SYS_NET_CONFIG; 1774 break; 1775 case OP_RAW: 1776 priv = PRIV_NET_RAWACCESS; 1777 break; 1778 case OP_PRIVPORT: 1779 priv = PRIV_NET_PRIVADDR; 1780 break; 1781 } 1782 ASSERT(priv != PRIV_ALL); 1783 if (checkonly) 1784 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1785 else 1786 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1787 } 1788 1789 /* 1790 * Checks for operations that are either client-only or are used by 1791 * both clients and servers. 1792 */ 1793 int 1794 secpolicy_nfs(const cred_t *cr) 1795 { 1796 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1797 } 1798 1799 /* 1800 * Special case for opening rpcmod: have NFS privileges or network 1801 * config privileges. 1802 */ 1803 int 1804 secpolicy_rpcmod_open(const cred_t *cr) 1805 { 1806 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1807 return (secpolicy_nfs(cr)); 1808 else 1809 return (secpolicy_net_config(cr, NULL)); 1810 } 1811 1812 int 1813 secpolicy_chroot(const cred_t *cr) 1814 { 1815 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1816 } 1817 1818 int 1819 secpolicy_tasksys(const cred_t *cr) 1820 { 1821 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1822 } 1823 1824 /* 1825 * Basic privilege checks. 1826 */ 1827 int 1828 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 1829 { 1830 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 1831 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1832 } 1833 1834 int 1835 secpolicy_basic_fork(const cred_t *cr) 1836 { 1837 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1838 } 1839 1840 int 1841 secpolicy_basic_proc(const cred_t *cr) 1842 { 1843 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1844 } 1845 1846 /* 1847 * Slightly complicated because we don't want to trigger the policy too 1848 * often. First we shortcircuit access to "self" (tp == sp) or if 1849 * we don't have the privilege but if we have permission 1850 * just return (0) and we don't flag the privilege as needed. 1851 * Else, we test for the privilege because we either have it or need it. 1852 */ 1853 int 1854 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1855 { 1856 if (tp == sp || 1857 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1858 return (0); 1859 } else { 1860 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1861 } 1862 } 1863 1864 int 1865 secpolicy_basic_link(const cred_t *cr) 1866 { 1867 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1868 } 1869 1870 /* 1871 * Additional device protection. 1872 * 1873 * Traditionally, a device has specific permissions on the node in 1874 * the filesystem which govern which devices can be opened by what 1875 * processes. In certain cases, it is desirable to add extra 1876 * restrictions, as writing to certain devices is identical to 1877 * having a complete run of the system. 1878 * 1879 * This mechanism is called the device policy. 1880 * 1881 * When a device is opened, its policy entry is looked up in the 1882 * policy cache and checked. 1883 */ 1884 int 1885 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1886 { 1887 devplcy_t *plcy; 1888 int err; 1889 struct snode *csp = VTOS(common_specvp(vp)); 1890 priv_set_t pset; 1891 1892 mutex_enter(&csp->s_lock); 1893 1894 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1895 plcy = devpolicy_find(vp); 1896 if (csp->s_plcy) 1897 dpfree(csp->s_plcy); 1898 csp->s_plcy = plcy; 1899 ASSERT(plcy != NULL); 1900 } else 1901 plcy = csp->s_plcy; 1902 1903 if (plcy == nullpolicy) { 1904 mutex_exit(&csp->s_lock); 1905 return (0); 1906 } 1907 1908 dphold(plcy); 1909 1910 mutex_exit(&csp->s_lock); 1911 1912 if (oflag & FWRITE) 1913 pset = plcy->dp_wrp; 1914 else 1915 pset = plcy->dp_rdp; 1916 /* 1917 * Special case: 1918 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1919 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1920 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1921 * in the required privilege set before doing the check. 1922 */ 1923 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1924 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1925 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1926 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1927 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1928 } 1929 1930 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1931 dpfree(plcy); 1932 1933 return (err); 1934 } 1935 1936 int 1937 secpolicy_modctl(const cred_t *cr, int cmd) 1938 { 1939 switch (cmd) { 1940 case MODINFO: 1941 case MODGETMAJBIND: 1942 case MODGETPATH: 1943 case MODGETPATHLEN: 1944 case MODGETNAME: 1945 case MODGETFBNAME: 1946 case MODGETDEVPOLICY: 1947 case MODGETDEVPOLICYBYNAME: 1948 case MODDEVT2INSTANCE: 1949 case MODSIZEOF_DEVID: 1950 case MODGETDEVID: 1951 case MODSIZEOF_MINORNAME: 1952 case MODGETMINORNAME: 1953 case MODGETDEVFSPATH_LEN: 1954 case MODGETDEVFSPATH: 1955 case MODGETDEVFSPATH_MI_LEN: 1956 case MODGETDEVFSPATH_MI: 1957 /* Unprivileged */ 1958 return (0); 1959 case MODLOAD: 1960 case MODSETDEVPOLICY: 1961 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1962 default: 1963 return (secpolicy_sys_config(cr, B_FALSE)); 1964 } 1965 } 1966 1967 int 1968 secpolicy_console(const cred_t *cr) 1969 { 1970 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1971 } 1972 1973 int 1974 secpolicy_power_mgmt(const cred_t *cr) 1975 { 1976 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1977 } 1978 1979 /* 1980 * Simulate terminal input; another escalation of privileges avenue. 1981 */ 1982 1983 int 1984 secpolicy_sti(const cred_t *cr) 1985 { 1986 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1987 } 1988 1989 boolean_t 1990 secpolicy_net_reply_equal(const cred_t *cr) 1991 { 1992 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1993 } 1994 1995 int 1996 secpolicy_swapctl(const cred_t *cr) 1997 { 1998 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1999 } 2000 2001 int 2002 secpolicy_cpc_cpu(const cred_t *cr) 2003 { 2004 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2005 } 2006 2007 /* 2008 * secpolicy_contract_identity 2009 * 2010 * Determine if the subject may set the process contract FMRI value 2011 */ 2012 int 2013 secpolicy_contract_identity(const cred_t *cr) 2014 { 2015 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2016 } 2017 2018 /* 2019 * secpolicy_contract_observer 2020 * 2021 * Determine if the subject may observe a specific contract's events. 2022 */ 2023 int 2024 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2025 { 2026 if (contract_owned(ct, cr, B_FALSE)) 2027 return (0); 2028 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2029 } 2030 2031 /* 2032 * secpolicy_contract_observer_choice 2033 * 2034 * Determine if the subject may observe any contract's events. Just 2035 * tests privilege and audits on success. 2036 */ 2037 boolean_t 2038 secpolicy_contract_observer_choice(const cred_t *cr) 2039 { 2040 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2041 } 2042 2043 /* 2044 * secpolicy_contract_event 2045 * 2046 * Determine if the subject may request critical contract events or 2047 * reliable contract event delivery. 2048 */ 2049 int 2050 secpolicy_contract_event(const cred_t *cr) 2051 { 2052 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2053 } 2054 2055 /* 2056 * secpolicy_contract_event_choice 2057 * 2058 * Determine if the subject may retain contract events in its critical 2059 * set when a change in other terms would normally require a change in 2060 * the critical set. Just tests privilege and audits on success. 2061 */ 2062 boolean_t 2063 secpolicy_contract_event_choice(const cred_t *cr) 2064 { 2065 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2066 } 2067 2068 /* 2069 * secpolicy_gart_access 2070 * 2071 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2072 * device. 2073 */ 2074 int 2075 secpolicy_gart_access(const cred_t *cr) 2076 { 2077 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2078 } 2079 2080 /* 2081 * secpolicy_gart_map 2082 * 2083 * Determine if the subject has sufficient priveleges to map aperture range 2084 * through agpgart driver. 2085 */ 2086 int 2087 secpolicy_gart_map(const cred_t *cr) 2088 { 2089 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2090 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2091 NULL)); 2092 } else { 2093 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2094 NULL)); 2095 } 2096 } 2097 2098 /* 2099 * secpolicy_zinject 2100 * 2101 * Determine if the subject can inject faults in the ZFS fault injection 2102 * framework. Requires all privileges. 2103 */ 2104 int 2105 secpolicy_zinject(const cred_t *cr) 2106 { 2107 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2108 } 2109 2110 /* 2111 * secpolicy_zfs 2112 * 2113 * Determine if the subject has permission to manipulate ZFS datasets 2114 * (not pools). Equivalent to the SYS_MOUNT privilege. 2115 */ 2116 int 2117 secpolicy_zfs(const cred_t *cr) 2118 { 2119 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2120 } 2121 2122 /* 2123 * secpolicy_idmap 2124 * 2125 * Determine if the calling process has permissions to register an SID 2126 * mapping daemon and allocate ephemeral IDs. 2127 */ 2128 int 2129 secpolicy_idmap(const cred_t *cr) 2130 { 2131 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2132 } 2133 2134 /* 2135 * secpolicy_ucode_update 2136 * 2137 * Determine if the subject has sufficient privilege to update microcode. 2138 */ 2139 int 2140 secpolicy_ucode_update(const cred_t *scr) 2141 { 2142 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2143 } 2144 2145 /* 2146 * secpolicy_sadopen 2147 * 2148 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2149 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2150 * In global zone, sys_config is required. 2151 * In exclusive-IP zones, sys_ip_config is required. 2152 * Note that sys_config is prohibited in non-global zones. 2153 */ 2154 int 2155 secpolicy_sadopen(const cred_t *credp) 2156 { 2157 priv_set_t pset; 2158 2159 priv_emptyset(&pset); 2160 2161 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2162 priv_addset(&pset, PRIV_SYS_CONFIG); 2163 else 2164 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2165 2166 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2167 } 2168 2169 2170 /* 2171 * Add privileges to a particular privilege set; this is called when the 2172 * current sets of privileges are not sufficient. I.e., we should always 2173 * call the policy override functions from here. 2174 * What we are allowed to have is in the Observed Permitted set; so 2175 * we compute the difference between that and the newset. 2176 */ 2177 int 2178 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2179 { 2180 priv_set_t rqd; 2181 2182 rqd = CR_OPPRIV(cr); 2183 2184 priv_inverse(&rqd); 2185 priv_intersect(nset, &rqd); 2186 2187 return (secpolicy_require_set(cr, &rqd, NULL)); 2188 } 2189 2190 /* 2191 * secpolicy_smb 2192 * 2193 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2194 * that it has permission to access the smbsrv kernel driver. 2195 * PRIV_POLICY checks the privilege and audits the check. 2196 * 2197 * Returns: 2198 * 0 Driver access is allowed. 2199 * EPERM Driver access is NOT permitted. 2200 */ 2201 int 2202 secpolicy_smb(const cred_t *cr) 2203 { 2204 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2205 } 2206 2207 /* 2208 * secpolicy_vscan 2209 * 2210 * Determine if cred_t has the necessary privileges to access a file 2211 * for virus scanning and update its extended system attributes. 2212 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2213 * PRIV_FILE_FLAG_SET - set extended system attributes 2214 * 2215 * PRIV_POLICY checks the privilege and audits the check. 2216 * 2217 * Returns: 2218 * 0 file access for virus scanning allowed. 2219 * EPERM file access for virus scanning is NOT permitted. 2220 */ 2221 int 2222 secpolicy_vscan(const cred_t *cr) 2223 { 2224 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2225 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2226 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2227 return (EPERM); 2228 } 2229 2230 return (0); 2231 } 2232 2233 /* 2234 * secpolicy_smbfs_login 2235 * 2236 * Determines if the caller can add and delete the smbfs login 2237 * password in the the nsmb kernel module for the CIFS client. 2238 * 2239 * Returns: 2240 * 0 access is allowed. 2241 * EPERM access is NOT allowed. 2242 */ 2243 int 2244 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2245 { 2246 uid_t cruid = crgetruid(cr); 2247 2248 if (cruid == uid) 2249 return (0); 2250 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2251 EPERM, NULL)); 2252 } 2253 2254 /* 2255 * secpolicy_xvm_control 2256 * 2257 * Determines if a caller can control the xVM hypervisor and/or running 2258 * domains (x86 specific). 2259 * 2260 * Returns: 2261 * 0 access is allowed. 2262 * EPERM access is NOT allowed. 2263 */ 2264 int 2265 secpolicy_xvm_control(const cred_t *cr) 2266 { 2267 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2268 return (EPERM); 2269 return (0); 2270 } 2271 2272 /* 2273 * secpolicy_dld_ioctl 2274 * 2275 * Determine if the subject has permission to use certain dld ioctls. 2276 * Each ioctl should require a limited number of privileges. A large 2277 * number indicates a poor design. 2278 */ 2279 int 2280 secpolicy_dld_ioctl(const cred_t *cr, const char *dld_priv, const char *msg) 2281 { 2282 int rv; 2283 2284 if ((rv = priv_getbyname(dld_priv, 0)) >= 0) { 2285 return (PRIV_POLICY(cr, rv, B_FALSE, EPERM, msg)); 2286 } 2287 /* priv_getbyname() returns -ve errno */ 2288 return (-rv); 2289 2290 } 2291