1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/vnode.h> 34 #include <sys/vfs.h> 35 #include <sys/stat.h> 36 #include <sys/errno.h> 37 #include <sys/kmem.h> 38 #include <sys/user.h> 39 #include <sys/proc.h> 40 #include <sys/acct.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/syscall.h> 43 #include <sys/cmn_err.h> 44 #include <sys/debug.h> 45 #include <sys/policy.h> 46 #include <sys/kobj.h> 47 #include <sys/msg.h> 48 #include <sys/devpolicy.h> 49 #include <c2/audit.h> 50 #include <sys/varargs.h> 51 #include <sys/modctl.h> 52 #include <sys/disp.h> 53 #include <sys/zone.h> 54 #include <inet/common.h> 55 #include <inet/optcom.h> 56 #include <sys/sdt.h> 57 #include <sys/mount.h> 58 #include <sys/vfs.h> 59 #include <sys/mntent.h> 60 #include <sys/contract_impl.h> 61 62 #include <sys/sunddi.h> 63 64 /* 65 * There are two possible layers of privilege routines and two possible 66 * levels of secpolicy. Plus one other we may not be interested in, so 67 * we may need as many as 6 but no more. 68 */ 69 #define MAXPRIVSTACK 6 70 71 int priv_debug = 0; 72 73 /* 74 * This file contains the majority of the policy routines. 75 * Since the policy routines are defined by function and not 76 * by privilege, there is quite a bit of duplication of 77 * functions. 78 * 79 * The secpolicy functions must not make asssumptions about 80 * locks held or not held as any lock can be held while they're 81 * being called. 82 * 83 * Credentials are read-only so no special precautions need to 84 * be taken while locking them. 85 * 86 * When a new policy check needs to be added to the system the 87 * following procedure should be followed: 88 * 89 * Pick an appropriate secpolicy_*() function 90 * -> done if one exists. 91 * Create a new secpolicy function, preferably with 92 * a descriptive name using the standard template. 93 * Pick an appropriate privilege for the policy. 94 * If no appropraite privilege exists, define new one 95 * (this should be done with extreme care; in most cases 96 * little is gained by adding another privilege) 97 * 98 * WHY ROOT IS STILL SPECIAL. 99 * 100 * In a number of the policy functions, there are still explicit 101 * checks for uid 0. The rationale behind these is that many root 102 * owned files/objects hold configuration information which can give full 103 * privileges to the user once written to. To prevent escalation 104 * of privilege by allowing just a single privilege to modify root owned 105 * objects, we've added these root specific checks where we considered 106 * them necessary: modifying root owned files, changing uids to 0, etc. 107 * 108 * PRIVILEGE ESCALATION AND ZONES. 109 * 110 * A number of operations potentially allow the caller to achieve 111 * privileges beyond the ones normally required to perform the operation. 112 * For example, if allowed to create a setuid 0 executable, a process can 113 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 114 * restrictions on the ability to gain privileges beyond those available 115 * within the zone through file and process manipulation. Hence, such 116 * operations require that the caller have an effective set that includes 117 * all privileges available within the current zone, or all privileges 118 * if executing in the global zone. 119 * 120 * This is indicated in the priv_policy* policy checking functions 121 * through a combination of parameters. The "priv" parameter indicates 122 * the privilege that is required, and the "allzone" parameter indicates 123 * whether or not all privileges in the zone are required. In addition, 124 * priv can be set to PRIV_ALL to indicate that all privileges are 125 * required (regardless of zone). There are three scenarios of interest: 126 * (1) operation requires a specific privilege 127 * (2) operation requires a specific privilege, and requires all 128 * privileges available within the zone (or all privileges if in 129 * the global zone) 130 * (3) operation requires all privileges, regardless of zone 131 * 132 * For (1), priv should be set to the specific privilege, and allzone 133 * should be set to B_FALSE. 134 * For (2), priv should be set to the specific privilege, and allzone 135 * should be set to B_TRUE. 136 * For (3), priv should be set to PRIV_ALL, and allzone should be set 137 * to B_FALSE. 138 * 139 */ 140 141 /* 142 * The privileges are checked against the Effective set for 143 * ordinary processes and checked against the Limit set 144 * for euid 0 processes that haven't manipulated their privilege 145 * sets. 146 */ 147 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 148 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 149 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 150 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 151 HAS_ALLPRIVS(cr) : \ 152 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 153 154 /* 155 * Policy checking functions 156 * 157 * In future, these will migrate to several files when policy 158 * becomes more or less pluggable. 159 * 160 * For now, there's only one policy and this is it. 161 */ 162 163 /* 164 * Generic policy calls 165 * 166 * The "bottom" functions of policy control 167 */ 168 169 static char * 170 mprintf(const char *fmt, ...) 171 { 172 va_list args; 173 char *buf; 174 size_t len; 175 176 va_start(args, fmt); 177 len = vsnprintf(NULL, 0, fmt, args) + 1; 178 va_end(args); 179 180 buf = kmem_alloc(len, KM_NOSLEEP); 181 182 if (buf == NULL) 183 return (NULL); 184 185 va_start(args, fmt); 186 (void) vsnprintf(buf, len, fmt, args); 187 va_end(args); 188 189 return (buf); 190 } 191 192 /* 193 * priv_policy_errmsg() 194 * 195 * Generate an error message if privilege debugging is enabled system wide 196 * or for this particular process. 197 */ 198 199 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 200 #define FMTMSG " for \"%s\"" 201 #define FMTFUN " needed at %s+0x%lx" 202 203 /* The maximum size privilege format: the concatenation of the above */ 204 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 205 206 static void 207 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 208 { 209 struct proc *me; 210 pc_t stack[MAXPRIVSTACK]; 211 int depth; 212 int i; 213 char *sym; 214 ulong_t off; 215 const char *pname; 216 217 char *cmd; 218 char fmt[sizeof (FMTMAX)]; 219 220 if ((me = curproc) == &p0) 221 return; 222 223 /* Privileges must be defined */ 224 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 225 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 226 priv_getbynum(priv) != NULL); 227 228 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 229 priv = PRIV_ALL; 230 231 if (curthread->t_pre_sys) 232 ttolwp(curthread)->lwp_badpriv = (short)priv; 233 234 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 235 return; 236 237 (void) strcpy(fmt, FMTHDR); 238 239 if (me->p_user.u_comm[0]) 240 cmd = &me->p_user.u_comm[0]; 241 else 242 cmd = "priv_policy"; 243 244 if (msg != NULL && *msg != '\0') { 245 (void) strcat(fmt, FMTMSG); 246 } else { 247 (void) strcat(fmt, "%s"); 248 msg = ""; 249 } 250 251 sym = NULL; 252 253 depth = getpcstack(stack, MAXPRIVSTACK); 254 255 /* 256 * Try to find the first interesting function on the stack. 257 * priv_policy* that's us, so completely uninteresting. 258 * suser(), drv_priv(), secpolicy_* are also called from 259 * too many locations to convey useful information. 260 */ 261 for (i = 0; i < depth; i++) { 262 sym = kobj_getsymname((uintptr_t)stack[i], &off); 263 if (sym != NULL && 264 strstr(sym, "hasprocperm") == 0 && 265 strcmp("suser", sym) != 0 && 266 strcmp("ipcaccess", sym) != 0 && 267 strcmp("drv_priv", sym) != 0 && 268 strncmp("secpolicy_", sym, 10) != 0 && 269 strncmp("priv_policy", sym, 11) != 0) 270 break; 271 } 272 273 if (sym != NULL) 274 (void) strcat(fmt, FMTFUN); 275 276 (void) strcat(fmt, "\n"); 277 278 switch (priv) { 279 case PRIV_ALL: 280 pname = "ALL"; 281 break; 282 case PRIV_MULTIPLE: 283 pname = "MULTIPLE"; 284 break; 285 case PRIV_ALLZONE: 286 pname = "ZONE"; 287 break; 288 case PRIV_GLOBAL: 289 pname = "GLOBAL"; 290 break; 291 default: 292 pname = priv_getbynum(priv); 293 break; 294 } 295 296 if (CR_FLAGS(cr) & PRIV_DEBUG) { 297 /* Remember last message, just like lwp_badpriv. */ 298 if (curthread->t_pdmsg != NULL) { 299 kmem_free(curthread->t_pdmsg, 300 strlen(curthread->t_pdmsg) + 1); 301 } 302 303 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 304 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 305 306 curthread->t_post_sys = 1; 307 } else { 308 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 309 curthread->t_sysnum, msg, sym, off); 310 } 311 } 312 313 /* 314 * Audit failure, log error message. 315 */ 316 static void 317 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 318 { 319 320 #ifdef C2_AUDIT 321 if (audit_active) 322 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 323 #endif 324 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 325 326 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 327 curthread->t_pre_sys) { 328 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 329 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 330 } else { 331 ASSERT(!HAS_PRIVILEGE(cr, priv)); 332 priv_policy_errmsg(cr, priv, msg); 333 } 334 } 335 } 336 337 /* 338 * priv_policy() 339 * return 0 or error. 340 * See block comment above for a description of "priv" and "allzone" usage. 341 */ 342 int 343 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 344 const char *msg) 345 { 346 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 347 if ((allzone || priv == PRIV_ALL || 348 !PRIV_ISASSERT(priv_basic, priv)) && 349 !servicing_interrupt()) { 350 u.u_acflag |= ASU; /* Needed for SVVS */ 351 #ifdef C2_AUDIT 352 if (audit_active) 353 audit_priv(priv, 354 allzone ? ZONEPRIVS(cr) : NULL, 1); 355 #endif 356 } 357 err = 0; 358 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 359 } else if (!servicing_interrupt()) { 360 /* Failure audited in this procedure */ 361 priv_policy_err(cr, priv, allzone, msg); 362 } 363 364 return (err); 365 } 366 367 /* 368 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 369 */ 370 boolean_t 371 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 372 { 373 boolean_t res = HAS_PRIVILEGE(cr, priv) && 374 (!allzone || HAS_ALLZONEPRIVS(cr)); 375 376 #ifdef C2_AUDIT 377 /* Audit success only */ 378 if (res && audit_active && 379 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 380 !servicing_interrupt()) { 381 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 382 } 383 #endif 384 if (res) { 385 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 386 } else { 387 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 388 } 389 return (res); 390 } 391 392 /* 393 * Non-auditing variant of priv_policy_choice(). 394 */ 395 boolean_t 396 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 397 { 398 boolean_t res = HAS_PRIVILEGE(cr, priv) && 399 (!allzone || HAS_ALLZONEPRIVS(cr)); 400 401 if (res) { 402 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 403 } else { 404 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 405 } 406 return (res); 407 } 408 409 /* 410 * Check whether all privileges in the required set are present. 411 */ 412 static int 413 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 414 { 415 int priv; 416 int pfound = -1; 417 priv_set_t pset; 418 419 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 420 &CR_OEPRIV(cr))) { 421 return (0); 422 } 423 424 if (req == PRIV_FULLSET || priv_isfullset(req)) { 425 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 426 return (EACCES); 427 } 428 429 pset = CR_OEPRIV(cr); /* present privileges */ 430 priv_inverse(&pset); /* all non present privileges */ 431 priv_intersect(req, &pset); /* the actual missing privs */ 432 433 #ifdef C2_AUDIT 434 if (audit_active) 435 audit_priv(PRIV_NONE, &pset, 0); 436 #endif 437 /* 438 * Privilege debugging; special case "one privilege in set". 439 */ 440 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 441 for (priv = 0; priv < nprivs; priv++) { 442 if (priv_ismember(&pset, priv)) { 443 if (pfound != -1) { 444 /* Multiple missing privs */ 445 priv_policy_errmsg(cr, PRIV_MULTIPLE, 446 msg); 447 return (EACCES); 448 } 449 pfound = priv; 450 } 451 } 452 ASSERT(pfound != -1); 453 /* Just the one missing privilege */ 454 priv_policy_errmsg(cr, pfound, msg); 455 } 456 457 return (EACCES); 458 } 459 460 /* 461 * Called when an operation requires that the caller be in the 462 * global zone, regardless of privilege. 463 */ 464 static int 465 priv_policy_global(const cred_t *cr) 466 { 467 if (crgetzoneid(cr) == GLOBAL_ZONEID) 468 return (0); /* success */ 469 470 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 471 curthread->t_pre_sys) { 472 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 473 } 474 return (EPERM); 475 } 476 477 /* 478 * Changing process priority 479 */ 480 int 481 secpolicy_setpriority(const cred_t *cr) 482 { 483 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 484 } 485 486 /* 487 * Binding to a privileged port, port must be specified in host byte 488 * order. 489 */ 490 int 491 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 492 { 493 /* 494 * NFS ports, these are extra privileged ports, allow bind 495 * only if the SYS_NFS privilege is present. 496 */ 497 if (port == 2049 || port == 4045) 498 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 499 "NFS port")); 500 else 501 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 502 NULL)); 503 } 504 505 /* 506 * Common routine which determines whether a given credential can 507 * act on a given mount. 508 * When called through mount, the parameter needoptcheck is a pointer 509 * to a boolean variable which will be set to either true or false, 510 * depending on whether the mount policy should change the mount options. 511 * In all other cases, needoptcheck should be a NULL pointer. 512 */ 513 static int 514 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 515 boolean_t *needoptcheck) 516 { 517 boolean_t allzone = B_FALSE; 518 boolean_t mounting = needoptcheck != NULL; 519 520 /* 521 * Short circuit the following cases: 522 * vfsp == NULL or mvp == NULL (pure privilege check) 523 * have all privileges - no further checks required 524 * and no mount options need to be set. 525 */ 526 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 527 if (mounting) 528 *needoptcheck = B_FALSE; 529 530 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 531 } 532 533 /* 534 * When operating on an existing mount (either we're not mounting 535 * or we're doing a remount and VFS_REMOUNT will be set), zones 536 * can operate only on mounts established by the zone itself. 537 */ 538 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 539 zoneid_t zoneid = crgetzoneid(cr); 540 541 if (zoneid != GLOBAL_ZONEID && 542 vfsp->vfs_zone->zone_id != zoneid) { 543 return (EPERM); 544 } 545 } 546 547 if (mounting) 548 *needoptcheck = B_TRUE; 549 550 /* 551 * Overlay mounts may hide important stuff; if you can't write to a 552 * mount point but would be able to mount on top of it, you can 553 * escalate your privileges. 554 * So we go about asking the same questions namefs does when it 555 * decides whether you can mount over a file or not but with the 556 * added restriction that you can only mount on top of a regular 557 * file or directory. 558 * If we have all the zone's privileges, we skip all other checks, 559 * or else we may actually get in trouble inside the automounter. 560 */ 561 if ((mvp->v_flag & VROOT) != 0 || 562 (mvp->v_type != VDIR && mvp->v_type != VREG) || 563 HAS_ALLZONEPRIVS(cr)) { 564 allzone = B_TRUE; 565 } else { 566 vattr_t va; 567 int err; 568 569 va.va_mask = AT_UID|AT_MODE; 570 err = VOP_GETATTR(mvp, &va, 0, cr); 571 if (err != 0) 572 return (err); 573 574 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 575 return (err); 576 577 if ((va.va_mode & VWRITE) == 0 && 578 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 579 return (EACCES); 580 } 581 } 582 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 583 } 584 585 extern vnode_t *rootvp; 586 extern vfs_t *rootvfs; 587 588 int 589 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 590 { 591 boolean_t needoptchk; 592 int error; 593 594 /* 595 * If it's a remount, get the underlying mount point, 596 * except for the root where we use the rootvp. 597 */ 598 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 599 if (vfsp == rootvfs) 600 mvp = rootvp; 601 else 602 mvp = vfsp->vfs_vnodecovered; 603 } 604 605 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 606 607 if (error == 0 && needoptchk) { 608 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 609 610 /* 611 * Third check; if we don't have either "nosuid" or 612 * both "nosetuid" and "nodevices", then we add 613 * "nosuid"; this depends on how the current 614 * implementation works (it first checks nosuid). In a 615 * zone, a user with all zone privileges can mount with 616 * "setuid" but never with "devices". 617 */ 618 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 619 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 620 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 621 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 622 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 623 else 624 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 625 } 626 /* 627 * If we're not the local super user, we set the "restrict" 628 * option to indicate to automountd that this mount should 629 * be handled with care. 630 */ 631 if (!amsuper) 632 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 633 634 } 635 return (error); 636 } 637 638 /* 639 * Does the policy computations for "ownership" of a mount; 640 * here ownership is defined as the ability to "mount" 641 * the filesystem originally. The rootvfs doesn't cover any 642 * vnodes; we attribute its ownership to the rootvp. 643 */ 644 static int 645 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 646 { 647 vnode_t *mvp; 648 649 if (vfsp == NULL) 650 mvp = NULL; 651 else if (vfsp == rootvfs) 652 mvp = rootvp; 653 else 654 mvp = vfsp->vfs_vnodecovered; 655 656 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 657 } 658 659 int 660 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 661 { 662 return (secpolicy_fs_owner(cr, vfsp)); 663 } 664 665 /* 666 * Quotas are a resource, but if one has the ability to mount a filesystem, he 667 * should be able to modify quotas on it. 668 */ 669 int 670 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 671 { 672 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 673 } 674 675 /* 676 * Exceeding minfree: also a per-mount resource constraint. 677 */ 678 int 679 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 680 { 681 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 682 } 683 684 int 685 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 686 { 687 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 688 } 689 690 /* ARGSUSED */ 691 int 692 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 693 { 694 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 695 } 696 697 /* 698 * Name: secpolicy_vnode_access() 699 * 700 * Parameters: Process credential 701 * vnode 702 * uid of owner of vnode 703 * permission bits not granted to the caller when examining 704 * file mode bits (i.e., when a process wants to open a 705 * mode 444 file for VREAD|VWRITE, this function should be 706 * called only with a VWRITE argument). 707 * 708 * Normal: Verifies that cred has the appropriate privileges to 709 * override the mode bits that were denied. 710 * 711 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 712 * not a directory. 713 * file_dac_read - if VREAD bit was denied. 714 * file_dac_search - if VEXEC bit was denied and vnode is 715 * a directory. 716 * file_dac_write - if VWRITE bit was denied. 717 * 718 * Root owned files are special cased to protect system 719 * configuration files and such. 720 * 721 * Output: EACCES - if privilege check fails. 722 */ 723 724 /* ARGSUSED */ 725 int 726 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 727 { 728 if ((mode & VREAD) && 729 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 730 return (EACCES); 731 732 if (mode & VWRITE) { 733 boolean_t allzone; 734 735 if (owner == 0 && cr->cr_uid != 0) 736 allzone = B_TRUE; 737 else 738 allzone = B_FALSE; 739 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 740 != 0) 741 return (EACCES); 742 } 743 744 if (mode & VEXEC) { 745 /* 746 * Directories use file_dac_search to override the execute bit. 747 */ 748 vtype_t vtype = vp->v_type; 749 750 if (vtype == VDIR) 751 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 752 EACCES, NULL)); 753 else 754 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 755 EACCES, NULL)); 756 } 757 return (0); 758 } 759 760 /* 761 * Name: secpolicy_vnode_setid_modify() 762 * 763 * Normal: verify that subject can set the file setid flags. 764 * 765 * Output: EPERM - if not privileged. 766 */ 767 768 static int 769 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 770 { 771 /* If changing to suid root, must have all zone privs */ 772 boolean_t allzone = B_TRUE; 773 774 if (owner != 0) { 775 if (owner == cr->cr_uid) 776 return (0); 777 allzone = B_FALSE; 778 } 779 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 780 } 781 782 /* 783 * Are we allowed to retain the set-uid/set-gid bits when 784 * changing ownership or when writing to a file? 785 * "issuid" should be true when set-uid; only in that case 786 * root ownership is checked (setgid is assumed). 787 */ 788 int 789 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 790 { 791 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 792 return (EPERM); 793 794 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 795 } 796 797 /* 798 * Name: secpolicy_vnode_setids_setgids() 799 * 800 * Normal: verify that subject can set the file setgid flag. 801 * 802 * Output: EPERM - if not privileged 803 */ 804 805 int 806 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 807 { 808 if (!groupmember(gid, cred)) 809 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 810 NULL)); 811 return (0); 812 } 813 814 /* 815 * Create a file with a group different than any of the groups allowed: 816 * the group of the directory the file is created in, the effective 817 * group or any of the supplementary groups. 818 */ 819 int 820 secpolicy_vnode_create_gid(const cred_t *cred) 821 { 822 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 823 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 824 NULL)); 825 else 826 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 827 NULL)); 828 } 829 830 /* 831 * Name: secpolicy_vnode_utime_modify() 832 * 833 * Normal: verify that subject can modify the utime on a file. 834 * 835 * Output: EPERM - if access denied. 836 */ 837 838 static int 839 secpolicy_vnode_utime_modify(const cred_t *cred) 840 { 841 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 842 "modify file times")); 843 } 844 845 846 /* 847 * Name: secpolicy_vnode_setdac() 848 * 849 * Normal: verify that subject can modify the mode of a file. 850 * allzone privilege needed when modifying root owned object. 851 * 852 * Output: EPERM - if access denied. 853 */ 854 855 int 856 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 857 { 858 if (owner == cred->cr_uid) 859 return (0); 860 861 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 862 } 863 /* 864 * Name: secpolicy_vnode_stky_modify() 865 * 866 * Normal: verify that subject can make a file a "sticky". 867 * 868 * Output: EPERM - if access denied. 869 */ 870 871 int 872 secpolicy_vnode_stky_modify(const cred_t *cred) 873 { 874 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 875 "set file sticky")); 876 } 877 878 /* 879 * Policy determines whether we can remove an entry from a directory, 880 * regardless of permission bits. 881 */ 882 int 883 secpolicy_vnode_remove(const cred_t *cr) 884 { 885 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 886 "sticky directory")); 887 } 888 889 int 890 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 891 { 892 boolean_t allzone = (owner == 0); 893 894 if (owner == cr->cr_uid) 895 return (0); 896 897 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 898 } 899 900 void 901 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 902 { 903 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 904 secpolicy_vnode_setid_retain(cr, 905 (vap->va_mode & S_ISUID) != 0 && 906 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 907 vap->va_mask |= AT_MODE; 908 vap->va_mode &= ~(S_ISUID|S_ISGID); 909 } 910 } 911 912 /* 913 * This function checks the policy decisions surrounding the 914 * vop setattr call. 915 * 916 * It should be called after sufficient locks have been established 917 * on the underlying data structures. No concurrent modifications 918 * should be allowed. 919 * 920 * The caller must pass in unlocked version of its vaccess function 921 * this is required because vop_access function should lock the 922 * node for reading. A three argument function should be defined 923 * which accepts the following argument: 924 * A pointer to the internal "node" type (inode *) 925 * vnode access bits (VREAD|VWRITE|VEXEC) 926 * a pointer to the credential 927 * 928 * This function makes the following policy decisions: 929 * 930 * - change permissions 931 * - permission to change file mode if not owner 932 * - permission to add sticky bit to non-directory 933 * - permission to add set-gid bit 934 * 935 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 936 * 937 * If the vap argument does not include AT_MODE, the mode will be copied from 938 * ovap. In certain situations set-uid/set-gid bits need to be removed; 939 * this is done by marking vap->va_mask to include AT_MODE and va_mode 940 * is updated to the newly computed mode. 941 */ 942 943 int 944 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 945 const struct vattr *ovap, int flags, 946 int unlocked_access(void *, int, cred_t *), 947 void *node) 948 { 949 int mask = vap->va_mask; 950 int error = 0; 951 952 if (mask & AT_SIZE) { 953 if (vp->v_type == VDIR) { 954 error = EISDIR; 955 goto out; 956 } 957 error = unlocked_access(node, VWRITE, cr); 958 if (error) 959 goto out; 960 } 961 if (mask & AT_MODE) { 962 /* 963 * If not the owner of the file then check privilege 964 * for two things: the privilege to set the mode at all 965 * and, if we're setting setuid, we also need permissions 966 * to add the set-uid bit, if we're not the owner. 967 * In the specific case of creating a set-uid root 968 * file, we need even more permissions. 969 */ 970 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 971 goto out; 972 973 if ((vap->va_mode & S_ISUID) != 0 && 974 (error = secpolicy_vnode_setid_modify(cr, 975 ovap->va_uid)) != 0) { 976 goto out; 977 } 978 979 /* 980 * Check privilege if attempting to set the 981 * sticky bit on a non-directory. 982 */ 983 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 984 secpolicy_vnode_stky_modify(cr) != 0) { 985 vap->va_mode &= ~S_ISVTX; 986 } 987 988 /* 989 * Check for privilege if attempting to set the 990 * group-id bit. 991 */ 992 if ((vap->va_mode & S_ISGID) != 0 && 993 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 994 vap->va_mode &= ~S_ISGID; 995 } 996 997 } else 998 vap->va_mode = ovap->va_mode; 999 1000 if (mask & (AT_UID|AT_GID)) { 1001 boolean_t checkpriv = B_FALSE; 1002 int priv; 1003 boolean_t allzone = B_FALSE; 1004 1005 /* 1006 * Chowning files. 1007 * 1008 * If you are the file owner: 1009 * chown to other uid FILE_CHOWN_SELF 1010 * chown to gid (non-member) FILE_CHOWN_SELF 1011 * chown to gid (member) <none> 1012 * 1013 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1014 * acceptable but the first one is reported when debugging. 1015 * 1016 * If you are not the file owner: 1017 * chown from root PRIV_FILE_CHOWN + zone 1018 * chown from other to any PRIV_FILE_CHOWN 1019 * 1020 */ 1021 if (cr->cr_uid != ovap->va_uid) { 1022 checkpriv = B_TRUE; 1023 allzone = (ovap->va_uid == 0); 1024 priv = PRIV_FILE_CHOWN; 1025 } else { 1026 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1027 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1028 !groupmember(vap->va_gid, cr))) { 1029 checkpriv = B_TRUE; 1030 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1031 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1032 } 1033 } 1034 /* 1035 * If necessary, check privilege to see if update can be done. 1036 */ 1037 if (checkpriv && 1038 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1039 != 0) { 1040 goto out; 1041 } 1042 1043 /* 1044 * If the file has either the set UID or set GID bits 1045 * set and the caller can set the bits, then leave them. 1046 */ 1047 secpolicy_setid_clear(vap, cr); 1048 } 1049 if (mask & (AT_ATIME|AT_MTIME)) { 1050 /* 1051 * If not the file owner and not otherwise privileged, 1052 * always return an error when setting the 1053 * time other than the current (ATTR_UTIME flag set). 1054 * If setting the current time (ATTR_UTIME not set) then 1055 * unlocked_access will check permissions according to policy. 1056 */ 1057 if (cr->cr_uid != ovap->va_uid) { 1058 if (flags & ATTR_UTIME) 1059 error = secpolicy_vnode_utime_modify(cr); 1060 else { 1061 error = unlocked_access(node, VWRITE, cr); 1062 if (error == EACCES && 1063 secpolicy_vnode_utime_modify(cr) == 0) 1064 error = 0; 1065 } 1066 if (error) 1067 goto out; 1068 } 1069 } 1070 out: 1071 return (error); 1072 } 1073 1074 /* 1075 * Name: secpolicy_pcfs_modify_bootpartition() 1076 * 1077 * Normal: verify that subject can modify a pcfs boot partition. 1078 * 1079 * Output: EACCES - if privilege check failed. 1080 */ 1081 /*ARGSUSED*/ 1082 int 1083 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1084 { 1085 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1086 "modify pcfs boot partition")); 1087 } 1088 1089 /* 1090 * System V IPC routines 1091 */ 1092 int 1093 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1094 { 1095 if (crgetzoneid(cr) != ip->ipc_zoneid || 1096 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1097 boolean_t allzone = B_FALSE; 1098 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1099 allzone = B_TRUE; 1100 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1101 } 1102 return (0); 1103 } 1104 1105 int 1106 secpolicy_ipc_config(const cred_t *cr) 1107 { 1108 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1109 } 1110 1111 int 1112 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1113 { 1114 1115 boolean_t allzone = B_FALSE; 1116 1117 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1118 1119 if ((mode & MSG_R) && 1120 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1121 return (EACCES); 1122 1123 if (mode & MSG_W) { 1124 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1125 allzone = B_TRUE; 1126 1127 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1128 NULL)); 1129 } 1130 return (0); 1131 } 1132 1133 int 1134 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1135 { 1136 boolean_t allzone = B_FALSE; 1137 1138 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1139 1140 if ((mode & MSG_R) && 1141 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1142 return (EACCES); 1143 1144 if (mode & MSG_W) { 1145 if (cr->cr_uid != 0 && owner == 0) 1146 allzone = B_TRUE; 1147 1148 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1149 NULL)); 1150 } 1151 return (0); 1152 } 1153 1154 /* 1155 * Audit configuration. 1156 */ 1157 int 1158 secpolicy_audit_config(const cred_t *cr) 1159 { 1160 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1161 } 1162 1163 /* 1164 * Audit record generation. 1165 */ 1166 int 1167 secpolicy_audit_modify(const cred_t *cr) 1168 { 1169 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1170 } 1171 1172 /* 1173 * Get audit attributes. 1174 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1175 * "Least" of the two privileges on error. 1176 */ 1177 int 1178 secpolicy_audit_getattr(const cred_t *cr) 1179 { 1180 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1181 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1182 NULL)); 1183 } else { 1184 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1185 } 1186 } 1187 1188 1189 /* 1190 * Locking physical memory 1191 */ 1192 int 1193 secpolicy_lock_memory(const cred_t *cr) 1194 { 1195 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1196 } 1197 1198 /* 1199 * Accounting (both acct(2) and exacct). 1200 */ 1201 int 1202 secpolicy_acct(const cred_t *cr) 1203 { 1204 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1205 } 1206 1207 /* 1208 * Is this process privileged to change its uids at will? 1209 * Uid 0 is still considered "special" and having the SETID 1210 * privilege is not sufficient to get uid 0. 1211 * Files are owned by root, so the privilege would give 1212 * full access and euid 0 is still effective. 1213 * 1214 * If you have the privilege and euid 0 only then do you 1215 * get the powers of root wrt uid 0. 1216 * 1217 * For gid manipulations, this is should be called with an 1218 * uid of -1. 1219 * 1220 */ 1221 int 1222 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1223 { 1224 boolean_t allzone = B_FALSE; 1225 1226 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1227 cr->cr_ruid != 0) { 1228 allzone = B_TRUE; 1229 } 1230 1231 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1232 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1233 } 1234 1235 1236 /* 1237 * Acting on a different process: if the mode is for writing, 1238 * the restrictions are more severe. This is called after 1239 * we've verified that the uids do not match. 1240 */ 1241 int 1242 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1243 { 1244 boolean_t allzone = B_FALSE; 1245 1246 if ((mode & VWRITE) && scr->cr_uid != 0 && 1247 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1248 allzone = B_TRUE; 1249 1250 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1251 } 1252 1253 int 1254 secpolicy_proc_access(const cred_t *scr) 1255 { 1256 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1257 } 1258 1259 int 1260 secpolicy_proc_excl_open(const cred_t *scr) 1261 { 1262 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1263 } 1264 1265 int 1266 secpolicy_proc_zone(const cred_t *scr) 1267 { 1268 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1269 } 1270 1271 /* 1272 * Destroying the system 1273 */ 1274 1275 int 1276 secpolicy_kmdb(const cred_t *scr) 1277 { 1278 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1279 } 1280 1281 int 1282 secpolicy_error_inject(const cred_t *scr) 1283 { 1284 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1285 } 1286 1287 /* 1288 * Processor sets, cpu configuration, resource pools. 1289 */ 1290 int 1291 secpolicy_pset(const cred_t *cr) 1292 { 1293 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1294 } 1295 1296 int 1297 secpolicy_ponline(const cred_t *cr) 1298 { 1299 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1300 } 1301 1302 int 1303 secpolicy_pool(const cred_t *cr) 1304 { 1305 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1306 } 1307 1308 int 1309 secpolicy_blacklist(const cred_t *cr) 1310 { 1311 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1312 } 1313 1314 /* 1315 * Catch all system configuration. 1316 */ 1317 int 1318 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1319 { 1320 if (checkonly) { 1321 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1322 EPERM); 1323 } else { 1324 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1325 } 1326 } 1327 1328 /* 1329 * Zone administration (halt, reboot, etc.) from within zone. 1330 */ 1331 int 1332 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1333 { 1334 if (checkonly) { 1335 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1336 EPERM); 1337 } else { 1338 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1339 NULL)); 1340 } 1341 } 1342 1343 /* 1344 * Zone configuration (create, halt, enter). 1345 */ 1346 int 1347 secpolicy_zone_config(const cred_t *cr) 1348 { 1349 /* 1350 * Require all privileges to avoid possibility of privilege 1351 * escalation. 1352 */ 1353 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1354 } 1355 1356 /* 1357 * Various other system configuration calls 1358 */ 1359 int 1360 secpolicy_coreadm(const cred_t *cr) 1361 { 1362 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1363 } 1364 1365 int 1366 secpolicy_systeminfo(const cred_t *cr) 1367 { 1368 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1369 } 1370 1371 int 1372 secpolicy_dispadm(const cred_t *cr) 1373 { 1374 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1375 } 1376 1377 int 1378 secpolicy_settime(const cred_t *cr) 1379 { 1380 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1381 } 1382 1383 /* 1384 * For realtime users: high resolution clock. 1385 */ 1386 int 1387 secpolicy_clock_highres(const cred_t *cr) 1388 { 1389 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1390 NULL)); 1391 } 1392 1393 /* 1394 * drv_priv() is documented as callable from interrupt context, not that 1395 * anyone ever does, but still. No debugging or auditing can be done when 1396 * it is called from interrupt context. 1397 * returns 0 on succes, EPERM on failure. 1398 */ 1399 int 1400 drv_priv(cred_t *cr) 1401 { 1402 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1403 } 1404 1405 int 1406 secpolicy_sys_devices(const cred_t *cr) 1407 { 1408 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1409 } 1410 1411 int 1412 secpolicy_excl_open(const cred_t *cr) 1413 { 1414 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1415 } 1416 1417 int 1418 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1419 { 1420 /* zone.* rctls can only be set from the global zone */ 1421 if (is_zone_rctl && priv_policy_global(cr) != 0) 1422 return (EPERM); 1423 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1424 } 1425 1426 int 1427 secpolicy_resource(const cred_t *cr) 1428 { 1429 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1430 } 1431 1432 /* 1433 * Processes with a real uid of 0 escape any form of accounting, much 1434 * like before. 1435 */ 1436 int 1437 secpolicy_newproc(const cred_t *cr) 1438 { 1439 if (cr->cr_ruid == 0) 1440 return (0); 1441 1442 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1443 } 1444 1445 /* 1446 * Networking 1447 */ 1448 int 1449 secpolicy_net_rawaccess(const cred_t *cr) 1450 { 1451 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1452 } 1453 1454 /* 1455 * Need this privilege for accessing the ICMP device 1456 */ 1457 int 1458 secpolicy_net_icmpaccess(const cred_t *cr) 1459 { 1460 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1461 } 1462 1463 /* 1464 * There are a few rare cases where the kernel generates ioctls() from 1465 * interrupt context with a credential of kcred rather than NULL. 1466 * In those cases, we take the safe and cheap test. 1467 */ 1468 int 1469 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1470 { 1471 if (checkonly) { 1472 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1473 0 : EPERM); 1474 } else { 1475 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1476 NULL)); 1477 } 1478 } 1479 1480 1481 /* 1482 * Map network pseudo privileges to actual privileges. 1483 * So we don't need to recompile IP when we change the privileges. 1484 */ 1485 int 1486 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1487 { 1488 int priv = PRIV_ALL; 1489 1490 switch (netpriv) { 1491 case OP_CONFIG: 1492 priv = PRIV_SYS_NET_CONFIG; 1493 break; 1494 case OP_RAW: 1495 priv = PRIV_NET_RAWACCESS; 1496 break; 1497 case OP_PRIVPORT: 1498 priv = PRIV_NET_PRIVADDR; 1499 break; 1500 } 1501 ASSERT(priv != PRIV_ALL); 1502 if (checkonly) 1503 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1504 else 1505 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1506 } 1507 1508 /* 1509 * Checks for operations that are either client-only or are used by 1510 * both clients and servers. 1511 */ 1512 int 1513 secpolicy_nfs(const cred_t *cr) 1514 { 1515 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1516 } 1517 1518 /* 1519 * Special case for opening rpcmod: have NFS privileges or network 1520 * config privileges. 1521 */ 1522 int 1523 secpolicy_rpcmod_open(const cred_t *cr) 1524 { 1525 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1526 return (secpolicy_nfs(cr)); 1527 else 1528 return (secpolicy_net_config(cr, NULL)); 1529 } 1530 1531 int 1532 secpolicy_chroot(const cred_t *cr) 1533 { 1534 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1535 } 1536 1537 int 1538 secpolicy_tasksys(const cred_t *cr) 1539 { 1540 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1541 } 1542 1543 /* 1544 * Basic privilege checks. 1545 */ 1546 int 1547 secpolicy_basic_exec(const cred_t *cr) 1548 { 1549 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1550 } 1551 1552 int 1553 secpolicy_basic_fork(const cred_t *cr) 1554 { 1555 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1556 } 1557 1558 int 1559 secpolicy_basic_proc(const cred_t *cr) 1560 { 1561 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1562 } 1563 1564 /* 1565 * Slightly complicated because we don't want to trigger the policy too 1566 * often. First we shortcircuit access to "self" (tp == sp) or if 1567 * we don't have the privilege but if we have permission 1568 * just return (0) and we don't flag the privilege as needed. 1569 * Else, we test for the privilege because we either have it or need it. 1570 */ 1571 int 1572 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1573 { 1574 if (tp == sp || 1575 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1576 return (0); 1577 } else { 1578 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1579 } 1580 } 1581 1582 int 1583 secpolicy_basic_link(const cred_t *cr) 1584 { 1585 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1586 } 1587 1588 /* 1589 * Additional device protection. 1590 * 1591 * Traditionally, a device has specific permissions on the node in 1592 * the filesystem which govern which devices can be opened by what 1593 * processes. In certain cases, it is desirable to add extra 1594 * restrictions, as writing to certain devices is identical to 1595 * having a complete run of the system. 1596 * 1597 * This mechanism is called the device policy. 1598 * 1599 * When a device is opened, its policy entry is looked up in the 1600 * policy cache and checked. 1601 */ 1602 int 1603 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1604 { 1605 devplcy_t *plcy; 1606 int err; 1607 struct snode *csp = VTOS(common_specvp(vp)); 1608 1609 mutex_enter(&csp->s_lock); 1610 1611 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1612 plcy = devpolicy_find(vp); 1613 if (csp->s_plcy) 1614 dpfree(csp->s_plcy); 1615 csp->s_plcy = plcy; 1616 ASSERT(plcy != NULL); 1617 } else 1618 plcy = csp->s_plcy; 1619 1620 if (plcy == nullpolicy) { 1621 mutex_exit(&csp->s_lock); 1622 return (0); 1623 } 1624 1625 dphold(plcy); 1626 1627 mutex_exit(&csp->s_lock); 1628 1629 err = secpolicy_require_set(cr, 1630 (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy"); 1631 dpfree(plcy); 1632 1633 return (err); 1634 } 1635 1636 int 1637 secpolicy_modctl(const cred_t *cr, int cmd) 1638 { 1639 switch (cmd) { 1640 case MODINFO: 1641 case MODGETPATH: 1642 case MODGETPATHLEN: 1643 case MODGETFBNAME: 1644 case MODGETNAME: 1645 case MODGETDEVPOLICY: 1646 case MODGETDEVPOLICYBYNAME: 1647 case MODGETMAJBIND: 1648 /* Unprivileged */ 1649 return (0); 1650 case MODLOAD: 1651 case MODSETDEVPOLICY: 1652 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1653 default: 1654 return (secpolicy_sys_config(cr, B_FALSE)); 1655 } 1656 } 1657 1658 int 1659 secpolicy_console(const cred_t *cr) 1660 { 1661 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1662 } 1663 1664 int 1665 secpolicy_power_mgmt(const cred_t *cr) 1666 { 1667 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1668 } 1669 1670 /* 1671 * Simulate terminal input; another escalation of privileges avenue. 1672 */ 1673 1674 int 1675 secpolicy_sti(const cred_t *cr) 1676 { 1677 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1678 } 1679 1680 int 1681 secpolicy_swapctl(const cred_t *cr) 1682 { 1683 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1684 } 1685 1686 int 1687 secpolicy_cpc_cpu(const cred_t *cr) 1688 { 1689 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1690 } 1691 1692 /* 1693 * secpolicy_contract_observer 1694 * 1695 * Determine if the subject may observe a specific contract's events. 1696 */ 1697 int 1698 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1699 { 1700 if (contract_owned(ct, cr, B_FALSE)) 1701 return (0); 1702 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1703 } 1704 1705 /* 1706 * secpolicy_contract_observer_choice 1707 * 1708 * Determine if the subject may observe any contract's events. Just 1709 * tests privilege and audits on success. 1710 */ 1711 boolean_t 1712 secpolicy_contract_observer_choice(const cred_t *cr) 1713 { 1714 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1715 } 1716 1717 /* 1718 * secpolicy_contract_event 1719 * 1720 * Determine if the subject may request critical contract events or 1721 * reliable contract event delivery. 1722 */ 1723 int 1724 secpolicy_contract_event(const cred_t *cr) 1725 { 1726 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1727 } 1728 1729 /* 1730 * secpolicy_contract_event_choice 1731 * 1732 * Determine if the subject may retain contract events in its critical 1733 * set when a change in other terms would normally require a change in 1734 * the critical set. Just tests privilege and audits on success. 1735 */ 1736 boolean_t 1737 secpolicy_contract_event_choice(const cred_t *cr) 1738 { 1739 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1740 } 1741 1742 /* 1743 * secpolicy_gart_access 1744 * 1745 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 1746 * device. 1747 */ 1748 int 1749 secpolicy_gart_access(const cred_t *cr) 1750 { 1751 return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)); 1752 } 1753 1754 /* 1755 * secpolicy_gart_map 1756 * 1757 * Determine if the subject has sufficient priveleges to map aperture range 1758 * through agpgart driver. 1759 */ 1760 int 1761 secpolicy_gart_map(const cred_t *cr) 1762 { 1763 if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) { 1764 return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL)); 1765 } 1766 return (0); 1767 } 1768 1769 /* 1770 * secpolicy_zinject 1771 * 1772 * Determine if the subject can inject faults in the ZFS fault injection 1773 * framework. Requires all privileges. 1774 */ 1775 int 1776 secpolicy_zinject(const cred_t *cr) 1777 { 1778 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1779 } 1780 1781 /* 1782 * secpolicy_zfs 1783 * 1784 * Determine if the subject has permission to manipulate ZFS datasets 1785 * (not pools). Equivalent to the SYS_MOUNT privilege. 1786 */ 1787 int 1788 secpolicy_zfs(const cred_t *cr) 1789 { 1790 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1791 } 1792