1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/types.h> 26 #include <sys/sysmacros.h> 27 #include <sys/param.h> 28 #include <sys/systm.h> 29 #include <sys/cred_impl.h> 30 #include <sys/vnode.h> 31 #include <sys/vfs.h> 32 #include <sys/stat.h> 33 #include <sys/errno.h> 34 #include <sys/kmem.h> 35 #include <sys/user.h> 36 #include <sys/proc.h> 37 #include <sys/acct.h> 38 #include <sys/ipc_impl.h> 39 #include <sys/cmn_err.h> 40 #include <sys/debug.h> 41 #include <sys/policy.h> 42 #include <sys/kobj.h> 43 #include <sys/msg.h> 44 #include <sys/devpolicy.h> 45 #include <c2/audit.h> 46 #include <sys/varargs.h> 47 #include <sys/klpd.h> 48 #include <sys/modctl.h> 49 #include <sys/disp.h> 50 #include <sys/zone.h> 51 #include <inet/optcom.h> 52 #include <sys/sdt.h> 53 #include <sys/vfs.h> 54 #include <sys/mntent.h> 55 #include <sys/contract_impl.h> 56 #include <sys/dld_ioc.h> 57 58 /* 59 * There are two possible layers of privilege routines and two possible 60 * levels of secpolicy. Plus one other we may not be interested in, so 61 * we may need as many as 6 but no more. 62 */ 63 #define MAXPRIVSTACK 6 64 65 int priv_debug = 0; 66 int priv_basic_test = -1; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make assumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 #define FAST_BASIC_CHECK(cr, priv) \ 150 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \ 151 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \ 152 return (0); \ 153 } 154 155 /* 156 * Policy checking functions. 157 * 158 * All of the system's policy should be implemented here. 159 */ 160 161 /* 162 * Private functions which take an additional va_list argument to 163 * implement an object specific policy override. 164 */ 165 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 166 const char *, va_list); 167 static int priv_policy_va(const cred_t *, int, boolean_t, int, 168 const char *, ...); 169 170 /* 171 * Generic policy calls 172 * 173 * The "bottom" functions of policy control 174 */ 175 static char * 176 mprintf(const char *fmt, ...) 177 { 178 va_list args; 179 char *buf; 180 size_t len; 181 182 va_start(args, fmt); 183 len = vsnprintf(NULL, 0, fmt, args) + 1; 184 va_end(args); 185 186 buf = kmem_alloc(len, KM_NOSLEEP); 187 188 if (buf == NULL) 189 return (NULL); 190 191 va_start(args, fmt); 192 (void) vsnprintf(buf, len, fmt, args); 193 va_end(args); 194 195 return (buf); 196 } 197 198 /* 199 * priv_policy_errmsg() 200 * 201 * Generate an error message if privilege debugging is enabled system wide 202 * or for this particular process. 203 */ 204 205 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 206 #define FMTMSG " for \"%s\"" 207 #define FMTFUN " needed at %s+0x%lx" 208 209 /* The maximum size privilege format: the concatenation of the above */ 210 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 211 212 static void 213 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 214 { 215 struct proc *me; 216 pc_t stack[MAXPRIVSTACK]; 217 int depth; 218 int i; 219 char *sym; 220 ulong_t off; 221 const char *pname; 222 223 char *cmd; 224 char fmt[sizeof (FMTMAX)]; 225 226 if ((me = curproc) == &p0) 227 return; 228 229 /* Privileges must be defined */ 230 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 231 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 232 priv_getbynum(priv) != NULL); 233 234 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 235 priv = PRIV_ALL; 236 237 if (curthread->t_pre_sys) 238 ttolwp(curthread)->lwp_badpriv = (short)priv; 239 240 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 241 return; 242 243 (void) strcpy(fmt, FMTHDR); 244 245 if (me->p_user.u_comm[0]) 246 cmd = &me->p_user.u_comm[0]; 247 else 248 cmd = "priv_policy"; 249 250 if (msg != NULL && *msg != '\0') { 251 (void) strcat(fmt, FMTMSG); 252 } else { 253 (void) strcat(fmt, "%s"); 254 msg = ""; 255 } 256 257 sym = NULL; 258 259 depth = getpcstack(stack, MAXPRIVSTACK); 260 261 /* 262 * Try to find the first interesting function on the stack. 263 * priv_policy* that's us, so completely uninteresting. 264 * suser(), drv_priv(), secpolicy_* are also called from 265 * too many locations to convey useful information. 266 */ 267 for (i = 0; i < depth; i++) { 268 sym = kobj_getsymname((uintptr_t)stack[i], &off); 269 if (sym != NULL && 270 strstr(sym, "hasprocperm") == 0 && 271 strcmp("suser", sym) != 0 && 272 strcmp("ipcaccess", sym) != 0 && 273 strcmp("drv_priv", sym) != 0 && 274 strncmp("secpolicy_", sym, 10) != 0 && 275 strncmp("priv_policy", sym, 11) != 0) 276 break; 277 } 278 279 if (sym != NULL) 280 (void) strcat(fmt, FMTFUN); 281 282 (void) strcat(fmt, "\n"); 283 284 switch (priv) { 285 case PRIV_ALL: 286 pname = "ALL"; 287 break; 288 case PRIV_MULTIPLE: 289 pname = "MULTIPLE"; 290 break; 291 case PRIV_ALLZONE: 292 pname = "ZONE"; 293 break; 294 case PRIV_GLOBAL: 295 pname = "GLOBAL"; 296 break; 297 default: 298 pname = priv_getbynum(priv); 299 break; 300 } 301 302 if (CR_FLAGS(cr) & PRIV_DEBUG) { 303 /* Remember last message, just like lwp_badpriv. */ 304 if (curthread->t_pdmsg != NULL) { 305 kmem_free(curthread->t_pdmsg, 306 strlen(curthread->t_pdmsg) + 1); 307 } 308 309 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 310 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 311 312 curthread->t_post_sys = 1; 313 } 314 if (priv_debug) { 315 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 316 curthread->t_sysnum, msg, sym, off); 317 } 318 } 319 320 /* 321 * Override the policy, if appropriate. Return 0 if the external 322 * policy engine approves. 323 */ 324 static int 325 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 326 { 327 priv_set_t set; 328 int ret; 329 330 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 331 return (-1); 332 333 if (priv == PRIV_ALL) { 334 priv_fillset(&set); 335 } else if (allzone) { 336 set = *ZONEPRIVS(cr); 337 } else { 338 priv_emptyset(&set); 339 priv_addset(&set, priv); 340 } 341 ret = klpd_call(cr, &set, ap); 342 return (ret); 343 } 344 345 static int 346 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) 347 { 348 if (CR_FLAGS(cr) & PRIV_PFEXEC) 349 return (check_user_privs(cr, req)); 350 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 351 return (klpd_call(cr, req, ap)); 352 } 353 return (-1); 354 } 355 356 static int 357 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) 358 { 359 va_list ap; 360 int ret; 361 362 va_start(ap, req); 363 ret = priv_policy_override_set(cr, req, ap); 364 va_end(ap); 365 return (ret); 366 } 367 368 /* 369 * Audit failure, log error message. 370 */ 371 static void 372 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 373 { 374 375 if (AU_AUDITING()) 376 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 377 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 378 379 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 380 curthread->t_pre_sys) { 381 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 382 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 383 } else { 384 ASSERT(!HAS_PRIVILEGE(cr, priv)); 385 priv_policy_errmsg(cr, priv, msg); 386 } 387 } 388 } 389 390 /* 391 * priv_policy_ap() 392 * return 0 or error. 393 * See block comment above for a description of "priv" and "allzone" usage. 394 */ 395 static int 396 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 397 const char *msg, va_list ap) 398 { 399 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 400 (!servicing_interrupt() && 401 priv_policy_override(cr, priv, allzone, ap) == 0)) { 402 if ((allzone || priv == PRIV_ALL || 403 !PRIV_ISASSERT(priv_basic, priv)) && 404 !servicing_interrupt()) { 405 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 406 if (AU_AUDITING()) 407 audit_priv(priv, 408 allzone ? ZONEPRIVS(cr) : NULL, 1); 409 } 410 err = 0; 411 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 412 } else if (!servicing_interrupt()) { 413 /* Failure audited in this procedure */ 414 priv_policy_err(cr, priv, allzone, msg); 415 } 416 return (err); 417 } 418 419 int 420 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 421 const char *msg, ...) 422 { 423 int ret; 424 va_list ap; 425 426 va_start(ap, msg); 427 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 428 va_end(ap); 429 430 return (ret); 431 } 432 433 int 434 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 435 const char *msg) 436 { 437 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); 438 } 439 440 /* 441 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 442 */ 443 boolean_t 444 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 445 { 446 boolean_t res = HAS_PRIVILEGE(cr, priv) && 447 (!allzone || HAS_ALLZONEPRIVS(cr)); 448 449 /* Audit success only */ 450 if (res && AU_AUDITING() && 451 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 452 !servicing_interrupt()) { 453 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 454 } 455 if (res) { 456 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 457 } else { 458 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 459 } 460 return (res); 461 } 462 463 /* 464 * Non-auditing variant of priv_policy_choice(). 465 */ 466 boolean_t 467 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 468 { 469 boolean_t res = HAS_PRIVILEGE(cr, priv) && 470 (!allzone || HAS_ALLZONEPRIVS(cr)); 471 472 if (res) { 473 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 474 } else { 475 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 476 } 477 return (res); 478 } 479 480 /* 481 * Check whether all privileges in the required set are present. 482 */ 483 static int 484 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, 485 const char *msg, ...) 486 { 487 int priv; 488 int pfound = -1; 489 priv_set_t pset; 490 va_list ap; 491 int ret; 492 493 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 494 &CR_OEPRIV(cr))) { 495 return (0); 496 } 497 498 va_start(ap, msg); 499 ret = priv_policy_override_set(cr, req, ap); 500 va_end(ap); 501 if (ret == 0) 502 return (0); 503 504 if (req == PRIV_FULLSET || priv_isfullset(req)) { 505 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 506 return (EACCES); 507 } 508 509 pset = CR_OEPRIV(cr); /* present privileges */ 510 priv_inverse(&pset); /* all non present privileges */ 511 priv_intersect(req, &pset); /* the actual missing privs */ 512 513 if (AU_AUDITING()) 514 audit_priv(PRIV_NONE, &pset, 0); 515 /* 516 * Privilege debugging; special case "one privilege in set". 517 */ 518 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 519 for (priv = 0; priv < nprivs; priv++) { 520 if (priv_ismember(&pset, priv)) { 521 if (pfound != -1) { 522 /* Multiple missing privs */ 523 priv_policy_errmsg(cr, PRIV_MULTIPLE, 524 msg); 525 return (EACCES); 526 } 527 pfound = priv; 528 } 529 } 530 ASSERT(pfound != -1); 531 /* Just the one missing privilege */ 532 priv_policy_errmsg(cr, pfound, msg); 533 } 534 535 return (EACCES); 536 } 537 538 /* 539 * Called when an operation requires that the caller be in the 540 * global zone, regardless of privilege. 541 */ 542 static int 543 priv_policy_global(const cred_t *cr) 544 { 545 if (crgetzoneid(cr) == GLOBAL_ZONEID) 546 return (0); /* success */ 547 548 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 549 curthread->t_pre_sys) { 550 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 551 } 552 return (EPERM); 553 } 554 555 /* 556 * Changing process priority 557 */ 558 int 559 secpolicy_setpriority(const cred_t *cr) 560 { 561 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 562 } 563 564 /* 565 * Binding to a privileged port, port must be specified in host byte 566 * order. 567 * When adding a new privilege which allows binding to currently privileged 568 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind 569 * to these ports because of backward compatibility. 570 */ 571 int 572 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 573 { 574 char *reason; 575 int priv; 576 577 switch (port) { 578 case 137: 579 case 138: 580 case 139: 581 case 445: 582 /* 583 * NBT and SMB ports, these are normal privileged ports, 584 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege 585 * is present. 586 * Try both, if neither is present return an error for 587 * priv SYS_SMB. 588 */ 589 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) 590 priv = PRIV_NET_PRIVADDR; 591 else 592 priv = PRIV_SYS_SMB; 593 reason = "NBT or SMB port"; 594 break; 595 596 case 2049: 597 case 4045: 598 /* 599 * NFS ports, these are extra privileged ports, allow bind 600 * only if the SYS_NFS privilege is present. 601 */ 602 priv = PRIV_SYS_NFS; 603 reason = "NFS port"; 604 break; 605 606 default: 607 priv = PRIV_NET_PRIVADDR; 608 reason = NULL; 609 break; 610 611 } 612 613 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 614 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 615 } 616 617 /* 618 * Binding to a multilevel port on a trusted (labeled) system. 619 */ 620 int 621 secpolicy_net_bindmlp(const cred_t *cr) 622 { 623 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 624 } 625 626 /* 627 * Allow a communication between a zone and an unlabeled host when their 628 * labels don't match. 629 */ 630 int 631 secpolicy_net_mac_aware(const cred_t *cr) 632 { 633 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 634 } 635 636 /* 637 * Allow a privileged process to transmit traffic without explicit labels 638 */ 639 int 640 secpolicy_net_mac_implicit(const cred_t *cr) 641 { 642 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 643 } 644 645 /* 646 * Common routine which determines whether a given credential can 647 * act on a given mount. 648 * When called through mount, the parameter needoptcheck is a pointer 649 * to a boolean variable which will be set to either true or false, 650 * depending on whether the mount policy should change the mount options. 651 * In all other cases, needoptcheck should be a NULL pointer. 652 */ 653 static int 654 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 655 boolean_t *needoptcheck) 656 { 657 boolean_t allzone = B_FALSE; 658 boolean_t mounting = needoptcheck != NULL; 659 660 /* 661 * Short circuit the following cases: 662 * vfsp == NULL or mvp == NULL (pure privilege check) 663 * have all privileges - no further checks required 664 * and no mount options need to be set. 665 */ 666 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 667 if (mounting) 668 *needoptcheck = B_FALSE; 669 670 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 671 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 672 } 673 674 /* 675 * When operating on an existing mount (either we're not mounting 676 * or we're doing a remount and VFS_REMOUNT will be set), zones 677 * can operate only on mounts established by the zone itself. 678 */ 679 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 680 zoneid_t zoneid = crgetzoneid(cr); 681 682 if (zoneid != GLOBAL_ZONEID && 683 vfsp->vfs_zone->zone_id != zoneid) { 684 return (EPERM); 685 } 686 } 687 688 if (mounting) 689 *needoptcheck = B_TRUE; 690 691 /* 692 * Overlay mounts may hide important stuff; if you can't write to a 693 * mount point but would be able to mount on top of it, you can 694 * escalate your privileges. 695 * So we go about asking the same questions namefs does when it 696 * decides whether you can mount over a file or not but with the 697 * added restriction that you can only mount on top of a regular 698 * file or directory. 699 * If we have all the zone's privileges, we skip all other checks, 700 * or else we may actually get in trouble inside the automounter. 701 */ 702 if ((mvp->v_flag & VROOT) != 0 || 703 (mvp->v_type != VDIR && mvp->v_type != VREG) || 704 HAS_ALLZONEPRIVS(cr)) { 705 allzone = B_TRUE; 706 } else { 707 vattr_t va; 708 int err; 709 710 va.va_mask = AT_UID|AT_MODE; 711 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 712 if (err != 0) 713 return (err); 714 715 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 716 return (err); 717 718 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, 719 VWRITE) != 0) { 720 return (EACCES); 721 } 722 } 723 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 724 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 725 } 726 727 void 728 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 729 { 730 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 731 732 /* 733 * check; if we don't have either "nosuid" or 734 * both "nosetuid" and "nodevices", then we add 735 * "nosuid"; this depends on how the current 736 * implementation works (it first checks nosuid). In a 737 * zone, a user with all zone privileges can mount with 738 * "setuid" but never with "devices". 739 */ 740 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 741 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 742 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 743 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 744 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 745 else 746 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 747 } 748 /* 749 * If we're not the local super user, we set the "restrict" 750 * option to indicate to automountd that this mount should 751 * be handled with care. 752 */ 753 if (!amsuper) 754 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 755 756 } 757 758 int 759 secpolicy_fs_allowed_mount(const char *fsname) 760 { 761 struct vfssw *vswp; 762 const char *p; 763 size_t len; 764 765 ASSERT(fsname != NULL); 766 ASSERT(fsname[0] != '\0'); 767 768 if (INGLOBALZONE(curproc)) 769 return (0); 770 771 vswp = vfs_getvfssw(fsname); 772 if (vswp == NULL) 773 return (ENOENT); 774 775 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) { 776 vfs_unrefvfssw(vswp); 777 return (0); 778 } 779 780 vfs_unrefvfssw(vswp); 781 782 p = curzone->zone_fs_allowed; 783 len = strlen(fsname); 784 785 while (p != NULL && *p != '\0') { 786 if (strncmp(p, fsname, len) == 0) { 787 char c = *(p + len); 788 if (c == '\0' || c == ',') 789 return (0); 790 } 791 792 /* skip to beyond the next comma */ 793 if ((p = strchr(p, ',')) != NULL) 794 p++; 795 } 796 797 return (EPERM); 798 } 799 800 extern vnode_t *rootvp; 801 extern vfs_t *rootvfs; 802 803 int 804 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 805 { 806 boolean_t needoptchk; 807 int error; 808 809 /* 810 * If it's a remount, get the underlying mount point, 811 * except for the root where we use the rootvp. 812 */ 813 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 814 if (vfsp == rootvfs) 815 mvp = rootvp; 816 else 817 mvp = vfsp->vfs_vnodecovered; 818 } 819 820 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 821 822 if (error == 0 && needoptchk) { 823 secpolicy_fs_mount_clearopts(cr, vfsp); 824 } 825 826 return (error); 827 } 828 829 /* 830 * Does the policy computations for "ownership" of a mount; 831 * here ownership is defined as the ability to "mount" 832 * the filesystem originally. The rootvfs doesn't cover any 833 * vnodes; we attribute its ownership to the rootvp. 834 */ 835 static int 836 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 837 { 838 vnode_t *mvp; 839 840 if (vfsp == NULL) 841 mvp = NULL; 842 else if (vfsp == rootvfs) 843 mvp = rootvp; 844 else 845 mvp = vfsp->vfs_vnodecovered; 846 847 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 848 } 849 850 int 851 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 852 { 853 return (secpolicy_fs_owner(cr, vfsp)); 854 } 855 856 /* 857 * Quotas are a resource, but if one has the ability to mount a filesystem, he 858 * should be able to modify quotas on it. 859 */ 860 int 861 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 862 { 863 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 864 } 865 866 /* 867 * Exceeding minfree: also a per-mount resource constraint. 868 */ 869 int 870 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 871 { 872 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 873 } 874 875 int 876 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 877 { 878 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 879 } 880 881 /* ARGSUSED */ 882 int 883 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 884 { 885 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 886 } 887 888 /* 889 * Name: secpolicy_vnode_access() 890 * 891 * Parameters: Process credential 892 * vnode 893 * uid of owner of vnode 894 * permission bits not granted to the caller when examining 895 * file mode bits (i.e., when a process wants to open a 896 * mode 444 file for VREAD|VWRITE, this function should be 897 * called only with a VWRITE argument). 898 * 899 * Normal: Verifies that cred has the appropriate privileges to 900 * override the mode bits that were denied. 901 * 902 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 903 * not a directory. 904 * file_dac_read - if VREAD bit was denied. 905 * file_dac_search - if VEXEC bit was denied and vnode is 906 * a directory. 907 * file_dac_write - if VWRITE bit was denied. 908 * 909 * Root owned files are special cased to protect system 910 * configuration files and such. 911 * 912 * Output: EACCES - if privilege check fails. 913 */ 914 915 int 916 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 917 { 918 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 919 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 920 KLPDARG_NOMORE) != 0) { 921 return (EACCES); 922 } 923 924 if (mode & VWRITE) { 925 boolean_t allzone; 926 927 if (owner == 0 && cr->cr_uid != 0) 928 allzone = B_TRUE; 929 else 930 allzone = B_FALSE; 931 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 932 NULL, KLPDARG_VNODE, vp, (char *)NULL, 933 KLPDARG_NOMORE) != 0) { 934 return (EACCES); 935 } 936 } 937 938 if (mode & VEXEC) { 939 /* 940 * Directories use file_dac_search to override the execute bit. 941 */ 942 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 943 PRIV_FILE_DAC_EXECUTE; 944 945 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 946 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 947 } 948 return (0); 949 } 950 951 /* 952 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 953 * current mode of the file, not the missing bits. 954 */ 955 int 956 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, 957 mode_t curmode, mode_t wantmode) 958 { 959 mode_t mode; 960 961 /* Inline the basic privileges tests. */ 962 if ((wantmode & VREAD) && 963 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && 964 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 965 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 966 return (EACCES); 967 } 968 969 if ((wantmode & VWRITE) && 970 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && 971 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 972 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 973 return (EACCES); 974 } 975 976 mode = ~curmode & wantmode; 977 978 if (mode == 0) 979 return (0); 980 981 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 982 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 983 KLPDARG_NOMORE) != 0) { 984 return (EACCES); 985 } 986 987 if (mode & VWRITE) { 988 boolean_t allzone; 989 990 if (owner == 0 && cr->cr_uid != 0) 991 allzone = B_TRUE; 992 else 993 allzone = B_FALSE; 994 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 995 NULL, KLPDARG_VNODE, vp, (char *)NULL, 996 KLPDARG_NOMORE) != 0) { 997 return (EACCES); 998 } 999 } 1000 1001 if (mode & VEXEC) { 1002 /* 1003 * Directories use file_dac_search to override the execute bit. 1004 */ 1005 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 1006 PRIV_FILE_DAC_EXECUTE; 1007 1008 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 1009 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1010 } 1011 return (0); 1012 } 1013 1014 /* 1015 * This is a special routine for ZFS; it is used to determine whether 1016 * any of the privileges in effect allow any form of access to the 1017 * file. There's no reason to audit this or any reason to record 1018 * this. More work is needed to do the "KPLD" stuff. 1019 */ 1020 int 1021 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) 1022 { 1023 static int privs[] = { 1024 PRIV_FILE_OWNER, 1025 PRIV_FILE_CHOWN, 1026 PRIV_FILE_DAC_READ, 1027 PRIV_FILE_DAC_WRITE, 1028 PRIV_FILE_DAC_EXECUTE, 1029 PRIV_FILE_DAC_SEARCH, 1030 }; 1031 int i; 1032 1033 /* Same as secpolicy_vnode_setdac */ 1034 if (owner == cr->cr_uid) 1035 return (0); 1036 1037 for (i = 0; i < sizeof (privs)/sizeof (int); i++) { 1038 boolean_t allzone = B_FALSE; 1039 int priv; 1040 1041 switch (priv = privs[i]) { 1042 case PRIV_FILE_DAC_EXECUTE: 1043 if (vp->v_type == VDIR) 1044 continue; 1045 break; 1046 case PRIV_FILE_DAC_SEARCH: 1047 if (vp->v_type != VDIR) 1048 continue; 1049 break; 1050 case PRIV_FILE_DAC_WRITE: 1051 case PRIV_FILE_OWNER: 1052 case PRIV_FILE_CHOWN: 1053 /* We know here that if owner == 0, that cr_uid != 0 */ 1054 allzone = owner == 0; 1055 break; 1056 } 1057 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) 1058 return (0); 1059 } 1060 return (EPERM); 1061 } 1062 1063 /* 1064 * Name: secpolicy_vnode_setid_modify() 1065 * 1066 * Normal: verify that subject can set the file setid flags. 1067 * 1068 * Output: EPERM - if not privileged. 1069 */ 1070 1071 static int 1072 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 1073 { 1074 /* If changing to suid root, must have all zone privs */ 1075 boolean_t allzone = B_TRUE; 1076 1077 if (owner != 0) { 1078 if (owner == cr->cr_uid) 1079 return (0); 1080 allzone = B_FALSE; 1081 } 1082 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 1083 } 1084 1085 /* 1086 * Are we allowed to retain the set-uid/set-gid bits when 1087 * changing ownership or when writing to a file? 1088 * "issuid" should be true when set-uid; only in that case 1089 * root ownership is checked (setgid is assumed). 1090 */ 1091 int 1092 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 1093 { 1094 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 1095 return (EPERM); 1096 1097 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 1098 } 1099 1100 /* 1101 * Name: secpolicy_vnode_setids_setgids() 1102 * 1103 * Normal: verify that subject can set the file setgid flag. 1104 * 1105 * Output: EPERM - if not privileged 1106 */ 1107 1108 int 1109 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 1110 { 1111 if (!groupmember(gid, cred)) 1112 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 1113 NULL)); 1114 return (0); 1115 } 1116 1117 /* 1118 * Name: secpolicy_vnode_chown 1119 * 1120 * Normal: Determine if subject can chown owner of a file. 1121 * 1122 * Output: EPERM - if access denied 1123 */ 1124 1125 int 1126 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 1127 { 1128 boolean_t is_owner = (owner == crgetuid(cred)); 1129 boolean_t allzone = B_FALSE; 1130 int priv; 1131 1132 if (!is_owner) { 1133 allzone = (owner == 0); 1134 priv = PRIV_FILE_CHOWN; 1135 } else { 1136 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 1137 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1138 } 1139 1140 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 1141 } 1142 1143 /* 1144 * Name: secpolicy_vnode_create_gid 1145 * 1146 * Normal: Determine if subject can change group ownership of a file. 1147 * 1148 * Output: EPERM - if access denied 1149 */ 1150 int 1151 secpolicy_vnode_create_gid(const cred_t *cred) 1152 { 1153 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 1154 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 1155 NULL)); 1156 else 1157 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 1158 NULL)); 1159 } 1160 1161 /* 1162 * Name: secpolicy_vnode_utime_modify() 1163 * 1164 * Normal: verify that subject can modify the utime on a file. 1165 * 1166 * Output: EPERM - if access denied. 1167 */ 1168 1169 static int 1170 secpolicy_vnode_utime_modify(const cred_t *cred) 1171 { 1172 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 1173 "modify file times")); 1174 } 1175 1176 1177 /* 1178 * Name: secpolicy_vnode_setdac() 1179 * 1180 * Normal: verify that subject can modify the mode of a file. 1181 * allzone privilege needed when modifying root owned object. 1182 * 1183 * Output: EPERM - if access denied. 1184 */ 1185 1186 int 1187 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1188 { 1189 if (owner == cred->cr_uid) 1190 return (0); 1191 1192 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1193 } 1194 /* 1195 * Name: secpolicy_vnode_stky_modify() 1196 * 1197 * Normal: verify that subject can make a file a "sticky". 1198 * 1199 * Output: EPERM - if access denied. 1200 */ 1201 1202 int 1203 secpolicy_vnode_stky_modify(const cred_t *cred) 1204 { 1205 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1206 "set file sticky")); 1207 } 1208 1209 /* 1210 * Policy determines whether we can remove an entry from a directory, 1211 * regardless of permission bits. 1212 */ 1213 int 1214 secpolicy_vnode_remove(const cred_t *cr) 1215 { 1216 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1217 "sticky directory")); 1218 } 1219 1220 int 1221 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1222 { 1223 boolean_t allzone = (owner == 0); 1224 1225 if (owner == cr->cr_uid) 1226 return (0); 1227 1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1229 } 1230 1231 void 1232 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1233 { 1234 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1235 secpolicy_vnode_setid_retain(cr, 1236 (vap->va_mode & S_ISUID) != 0 && 1237 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1238 vap->va_mask |= AT_MODE; 1239 vap->va_mode &= ~(S_ISUID|S_ISGID); 1240 } 1241 } 1242 1243 int 1244 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1245 cred_t *cr) 1246 { 1247 int error; 1248 1249 if ((vap->va_mode & S_ISUID) != 0 && 1250 (error = secpolicy_vnode_setid_modify(cr, 1251 ovap->va_uid)) != 0) { 1252 return (error); 1253 } 1254 1255 /* 1256 * Check privilege if attempting to set the 1257 * sticky bit on a non-directory. 1258 */ 1259 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1260 secpolicy_vnode_stky_modify(cr) != 0) { 1261 vap->va_mode &= ~S_ISVTX; 1262 } 1263 1264 /* 1265 * Check for privilege if attempting to set the 1266 * group-id bit. 1267 */ 1268 if ((vap->va_mode & S_ISGID) != 0 && 1269 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1270 vap->va_mode &= ~S_ISGID; 1271 } 1272 1273 return (0); 1274 } 1275 1276 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1277 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1278 B_FALSE, EPERM, NULL) 1279 1280 /* 1281 * Check privileges for setting xvattr attributes 1282 */ 1283 int 1284 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1285 { 1286 xoptattr_t *xoap; 1287 int error = 0; 1288 1289 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1290 return (EINVAL); 1291 1292 /* 1293 * First process the DOS bits 1294 */ 1295 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1296 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1297 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1298 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1299 XVA_ISSET_REQ(xvap, XAT_CREATETIME) || 1300 XVA_ISSET_REQ(xvap, XAT_OFFLINE) || 1301 XVA_ISSET_REQ(xvap, XAT_SPARSE)) { 1302 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1303 return (error); 1304 } 1305 1306 /* 1307 * Now handle special attributes 1308 */ 1309 1310 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1311 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1312 xoap->xoa_immutable, cr); 1313 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1314 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1315 xoap->xoa_nounlink, cr); 1316 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1317 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1318 xoap->xoa_appendonly, cr); 1319 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1320 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1321 xoap->xoa_nodump, cr); 1322 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1323 error = EPERM; 1324 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1325 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1326 xoap->xoa_av_quarantined, cr); 1327 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1328 error = EINVAL; 1329 } 1330 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1331 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1332 xoap->xoa_av_modified, cr); 1333 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1334 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1335 xoap->xoa_av_scanstamp, cr); 1336 if (error == 0 && vtype != VREG) 1337 error = EINVAL; 1338 } 1339 return (error); 1340 } 1341 1342 /* 1343 * This function checks the policy decisions surrounding the 1344 * vop setattr call. 1345 * 1346 * It should be called after sufficient locks have been established 1347 * on the underlying data structures. No concurrent modifications 1348 * should be allowed. 1349 * 1350 * The caller must pass in unlocked version of its vaccess function 1351 * this is required because vop_access function should lock the 1352 * node for reading. A three argument function should be defined 1353 * which accepts the following argument: 1354 * A pointer to the internal "node" type (inode *) 1355 * vnode access bits (VREAD|VWRITE|VEXEC) 1356 * a pointer to the credential 1357 * 1358 * This function makes the following policy decisions: 1359 * 1360 * - change permissions 1361 * - permission to change file mode if not owner 1362 * - permission to add sticky bit to non-directory 1363 * - permission to add set-gid bit 1364 * 1365 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1366 * 1367 * If the vap argument does not include AT_MODE, the mode will be copied from 1368 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1369 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1370 * is updated to the newly computed mode. 1371 */ 1372 1373 int 1374 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1375 const struct vattr *ovap, int flags, 1376 int unlocked_access(void *, int, cred_t *), 1377 void *node) 1378 { 1379 int mask = vap->va_mask; 1380 int error = 0; 1381 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1382 1383 if (mask & AT_SIZE) { 1384 if (vp->v_type == VDIR) { 1385 error = EISDIR; 1386 goto out; 1387 } 1388 1389 /* 1390 * If ATTR_NOACLCHECK is set in the flags, then we don't 1391 * perform the secondary unlocked_access() call since the 1392 * ACL (if any) is being checked there. 1393 */ 1394 if (skipaclchk == B_FALSE) { 1395 error = unlocked_access(node, VWRITE, cr); 1396 if (error) 1397 goto out; 1398 } 1399 } 1400 if (mask & AT_MODE) { 1401 /* 1402 * If not the owner of the file then check privilege 1403 * for two things: the privilege to set the mode at all 1404 * and, if we're setting setuid, we also need permissions 1405 * to add the set-uid bit, if we're not the owner. 1406 * In the specific case of creating a set-uid root 1407 * file, we need even more permissions. 1408 */ 1409 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1410 goto out; 1411 1412 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1413 ovap, cr)) != 0) 1414 goto out; 1415 } else 1416 vap->va_mode = ovap->va_mode; 1417 1418 if (mask & (AT_UID|AT_GID)) { 1419 boolean_t checkpriv = B_FALSE; 1420 1421 /* 1422 * Chowning files. 1423 * 1424 * If you are the file owner: 1425 * chown to other uid FILE_CHOWN_SELF 1426 * chown to gid (non-member) FILE_CHOWN_SELF 1427 * chown to gid (member) <none> 1428 * 1429 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1430 * acceptable but the first one is reported when debugging. 1431 * 1432 * If you are not the file owner: 1433 * chown from root PRIV_FILE_CHOWN + zone 1434 * chown from other to any PRIV_FILE_CHOWN 1435 * 1436 */ 1437 if (cr->cr_uid != ovap->va_uid) { 1438 checkpriv = B_TRUE; 1439 } else { 1440 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1441 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1442 !groupmember(vap->va_gid, cr))) { 1443 checkpriv = B_TRUE; 1444 } 1445 } 1446 /* 1447 * If necessary, check privilege to see if update can be done. 1448 */ 1449 if (checkpriv && 1450 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1451 goto out; 1452 } 1453 1454 /* 1455 * If the file has either the set UID or set GID bits 1456 * set and the caller can set the bits, then leave them. 1457 */ 1458 secpolicy_setid_clear(vap, cr); 1459 } 1460 if (mask & (AT_ATIME|AT_MTIME)) { 1461 /* 1462 * If not the file owner and not otherwise privileged, 1463 * always return an error when setting the 1464 * time other than the current (ATTR_UTIME flag set). 1465 * If setting the current time (ATTR_UTIME not set) then 1466 * unlocked_access will check permissions according to policy. 1467 */ 1468 if (cr->cr_uid != ovap->va_uid) { 1469 if (flags & ATTR_UTIME) 1470 error = secpolicy_vnode_utime_modify(cr); 1471 else if (skipaclchk == B_FALSE) { 1472 error = unlocked_access(node, VWRITE, cr); 1473 if (error == EACCES && 1474 secpolicy_vnode_utime_modify(cr) == 0) 1475 error = 0; 1476 } 1477 if (error) 1478 goto out; 1479 } 1480 } 1481 1482 /* 1483 * Check for optional attributes here by checking the following: 1484 */ 1485 if (mask & AT_XVATTR) 1486 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1487 vp->v_type); 1488 out: 1489 return (error); 1490 } 1491 1492 /* 1493 * Name: secpolicy_pcfs_modify_bootpartition() 1494 * 1495 * Normal: verify that subject can modify a pcfs boot partition. 1496 * 1497 * Output: EACCES - if privilege check failed. 1498 */ 1499 /*ARGSUSED*/ 1500 int 1501 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1502 { 1503 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1504 "modify pcfs boot partition")); 1505 } 1506 1507 /* 1508 * System V IPC routines 1509 */ 1510 int 1511 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1512 { 1513 if (crgetzoneid(cr) != ip->ipc_zoneid || 1514 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1515 boolean_t allzone = B_FALSE; 1516 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1517 allzone = B_TRUE; 1518 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1519 } 1520 return (0); 1521 } 1522 1523 int 1524 secpolicy_ipc_config(const cred_t *cr) 1525 { 1526 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1527 } 1528 1529 int 1530 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1531 { 1532 1533 boolean_t allzone = B_FALSE; 1534 1535 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1536 1537 if ((mode & MSG_R) && 1538 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1539 return (EACCES); 1540 1541 if (mode & MSG_W) { 1542 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1543 allzone = B_TRUE; 1544 1545 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1546 NULL)); 1547 } 1548 return (0); 1549 } 1550 1551 int 1552 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1553 { 1554 boolean_t allzone = B_FALSE; 1555 1556 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1557 1558 if ((mode & MSG_R) && 1559 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1560 return (EACCES); 1561 1562 if (mode & MSG_W) { 1563 if (cr->cr_uid != 0 && owner == 0) 1564 allzone = B_TRUE; 1565 1566 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1567 NULL)); 1568 } 1569 return (0); 1570 } 1571 1572 /* 1573 * Audit configuration. 1574 */ 1575 int 1576 secpolicy_audit_config(const cred_t *cr) 1577 { 1578 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1579 } 1580 1581 /* 1582 * Audit record generation. 1583 */ 1584 int 1585 secpolicy_audit_modify(const cred_t *cr) 1586 { 1587 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1588 } 1589 1590 /* 1591 * Get audit attributes. 1592 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1593 * "Least" of the two privileges on error. 1594 */ 1595 int 1596 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) 1597 { 1598 int priv; 1599 1600 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) 1601 priv = PRIV_SYS_AUDIT; 1602 else 1603 priv = PRIV_PROC_AUDIT; 1604 1605 if (checkonly) 1606 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); 1607 else 1608 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1609 } 1610 1611 1612 /* 1613 * Locking physical memory 1614 */ 1615 int 1616 secpolicy_lock_memory(const cred_t *cr) 1617 { 1618 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1619 } 1620 1621 /* 1622 * Accounting (both acct(2) and exacct). 1623 */ 1624 int 1625 secpolicy_acct(const cred_t *cr) 1626 { 1627 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1628 } 1629 1630 /* 1631 * Is this process privileged to change its uids at will? 1632 * Uid 0 is still considered "special" and having the SETID 1633 * privilege is not sufficient to get uid 0. 1634 * Files are owned by root, so the privilege would give 1635 * full access and euid 0 is still effective. 1636 * 1637 * If you have the privilege and euid 0 only then do you 1638 * get the powers of root wrt uid 0. 1639 * 1640 * For gid manipulations, this is should be called with an 1641 * uid of -1. 1642 * 1643 */ 1644 int 1645 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1646 { 1647 boolean_t allzone = B_FALSE; 1648 1649 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1650 cr->cr_ruid != 0) { 1651 allzone = B_TRUE; 1652 } 1653 1654 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1655 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1656 } 1657 1658 1659 /* 1660 * Acting on a different process: if the mode is for writing, 1661 * the restrictions are more severe. This is called after 1662 * we've verified that the uids do not match. 1663 */ 1664 int 1665 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1666 { 1667 boolean_t allzone = B_FALSE; 1668 1669 if ((mode & VWRITE) && scr->cr_uid != 0 && 1670 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1671 allzone = B_TRUE; 1672 1673 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1674 } 1675 1676 int 1677 secpolicy_proc_access(const cred_t *scr) 1678 { 1679 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1680 } 1681 1682 int 1683 secpolicy_proc_excl_open(const cred_t *scr) 1684 { 1685 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1686 } 1687 1688 int 1689 secpolicy_proc_zone(const cred_t *scr) 1690 { 1691 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1692 } 1693 1694 /* 1695 * Destroying the system 1696 */ 1697 1698 int 1699 secpolicy_kmdb(const cred_t *scr) 1700 { 1701 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1702 } 1703 1704 int 1705 secpolicy_error_inject(const cred_t *scr) 1706 { 1707 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1708 } 1709 1710 /* 1711 * Processor sets, cpu configuration, resource pools. 1712 */ 1713 int 1714 secpolicy_pset(const cred_t *cr) 1715 { 1716 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1717 } 1718 1719 /* 1720 * Processor set binding. 1721 */ 1722 int 1723 secpolicy_pbind(const cred_t *cr) 1724 { 1725 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) 1726 return (secpolicy_pset(cr)); 1727 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); 1728 } 1729 1730 int 1731 secpolicy_ponline(const cred_t *cr) 1732 { 1733 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1734 } 1735 1736 int 1737 secpolicy_pool(const cred_t *cr) 1738 { 1739 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1740 } 1741 1742 int 1743 secpolicy_blacklist(const cred_t *cr) 1744 { 1745 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1746 } 1747 1748 /* 1749 * Catch all system configuration. 1750 */ 1751 int 1752 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1753 { 1754 if (checkonly) { 1755 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1756 EPERM); 1757 } else { 1758 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1759 } 1760 } 1761 1762 /* 1763 * Zone administration (halt, reboot, etc.) from within zone. 1764 */ 1765 int 1766 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1767 { 1768 if (checkonly) { 1769 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1770 EPERM); 1771 } else { 1772 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1773 NULL)); 1774 } 1775 } 1776 1777 /* 1778 * Zone configuration (create, halt, enter). 1779 */ 1780 int 1781 secpolicy_zone_config(const cred_t *cr) 1782 { 1783 /* 1784 * Require all privileges to avoid possibility of privilege 1785 * escalation. 1786 */ 1787 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 1788 } 1789 1790 /* 1791 * Various other system configuration calls 1792 */ 1793 int 1794 secpolicy_coreadm(const cred_t *cr) 1795 { 1796 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1797 } 1798 1799 int 1800 secpolicy_systeminfo(const cred_t *cr) 1801 { 1802 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1803 } 1804 1805 int 1806 secpolicy_dispadm(const cred_t *cr) 1807 { 1808 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1809 } 1810 1811 int 1812 secpolicy_settime(const cred_t *cr) 1813 { 1814 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1815 } 1816 1817 /* 1818 * For realtime users: high resolution clock. 1819 */ 1820 int 1821 secpolicy_clock_highres(const cred_t *cr) 1822 { 1823 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1824 NULL)); 1825 } 1826 1827 /* 1828 * drv_priv() is documented as callable from interrupt context, not that 1829 * anyone ever does, but still. No debugging or auditing can be done when 1830 * it is called from interrupt context. 1831 * returns 0 on succes, EPERM on failure. 1832 */ 1833 int 1834 drv_priv(cred_t *cr) 1835 { 1836 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1837 } 1838 1839 int 1840 secpolicy_sys_devices(const cred_t *cr) 1841 { 1842 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1843 } 1844 1845 int 1846 secpolicy_excl_open(const cred_t *cr) 1847 { 1848 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1849 } 1850 1851 int 1852 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1853 { 1854 /* zone.* rctls can only be set from the global zone */ 1855 if (is_zone_rctl && priv_policy_global(cr) != 0) 1856 return (EPERM); 1857 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1858 } 1859 1860 int 1861 secpolicy_resource(const cred_t *cr) 1862 { 1863 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1864 } 1865 1866 int 1867 secpolicy_resource_anon_mem(const cred_t *cr) 1868 { 1869 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1870 } 1871 1872 /* 1873 * Processes with a real uid of 0 escape any form of accounting, much 1874 * like before. 1875 */ 1876 int 1877 secpolicy_newproc(const cred_t *cr) 1878 { 1879 if (cr->cr_ruid == 0) 1880 return (0); 1881 1882 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1883 } 1884 1885 /* 1886 * Networking 1887 */ 1888 int 1889 secpolicy_net_rawaccess(const cred_t *cr) 1890 { 1891 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1892 } 1893 1894 int 1895 secpolicy_net_observability(const cred_t *cr) 1896 { 1897 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1898 } 1899 1900 /* 1901 * Need this privilege for accessing the ICMP device 1902 */ 1903 int 1904 secpolicy_net_icmpaccess(const cred_t *cr) 1905 { 1906 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1907 } 1908 1909 /* 1910 * There are a few rare cases where the kernel generates ioctls() from 1911 * interrupt context with a credential of kcred rather than NULL. 1912 * In those cases, we take the safe and cheap test. 1913 */ 1914 int 1915 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1916 { 1917 if (checkonly) { 1918 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1919 0 : EPERM); 1920 } else { 1921 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1922 NULL)); 1923 } 1924 } 1925 1926 1927 /* 1928 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1929 * 1930 * There are a few rare cases where the kernel generates ioctls() from 1931 * interrupt context with a credential of kcred rather than NULL. 1932 * In those cases, we take the safe and cheap test. 1933 */ 1934 int 1935 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1936 { 1937 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1938 return (secpolicy_net_config(cr, checkonly)); 1939 1940 if (checkonly) { 1941 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1942 0 : EPERM); 1943 } else { 1944 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1945 NULL)); 1946 } 1947 } 1948 1949 /* 1950 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1951 */ 1952 int 1953 secpolicy_dl_config(const cred_t *cr) 1954 { 1955 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1956 return (secpolicy_net_config(cr, B_FALSE)); 1957 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 1958 } 1959 1960 /* 1961 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 1962 */ 1963 int 1964 secpolicy_iptun_config(const cred_t *cr) 1965 { 1966 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1967 return (secpolicy_net_config(cr, B_FALSE)); 1968 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 1969 return (secpolicy_dl_config(cr)); 1970 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 1971 } 1972 1973 /* 1974 * Map IP pseudo privileges to actual privileges. 1975 * So we don't need to recompile IP when we change the privileges. 1976 */ 1977 int 1978 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1979 { 1980 int priv = PRIV_ALL; 1981 1982 switch (netpriv) { 1983 case OP_CONFIG: 1984 priv = PRIV_SYS_IP_CONFIG; 1985 break; 1986 case OP_RAW: 1987 priv = PRIV_NET_RAWACCESS; 1988 break; 1989 case OP_PRIVPORT: 1990 priv = PRIV_NET_PRIVADDR; 1991 break; 1992 } 1993 ASSERT(priv != PRIV_ALL); 1994 if (checkonly) 1995 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1996 else 1997 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1998 } 1999 2000 /* 2001 * Map network pseudo privileges to actual privileges. 2002 * So we don't need to recompile IP when we change the privileges. 2003 */ 2004 int 2005 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 2006 { 2007 int priv = PRIV_ALL; 2008 2009 switch (netpriv) { 2010 case OP_CONFIG: 2011 priv = PRIV_SYS_NET_CONFIG; 2012 break; 2013 case OP_RAW: 2014 priv = PRIV_NET_RAWACCESS; 2015 break; 2016 case OP_PRIVPORT: 2017 priv = PRIV_NET_PRIVADDR; 2018 break; 2019 } 2020 ASSERT(priv != PRIV_ALL); 2021 if (checkonly) 2022 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2023 else 2024 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2025 } 2026 2027 /* 2028 * Checks for operations that are either client-only or are used by 2029 * both clients and servers. 2030 */ 2031 int 2032 secpolicy_nfs(const cred_t *cr) 2033 { 2034 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 2035 } 2036 2037 /* 2038 * Special case for opening rpcmod: have NFS privileges or network 2039 * config privileges. 2040 */ 2041 int 2042 secpolicy_rpcmod_open(const cred_t *cr) 2043 { 2044 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 2045 return (secpolicy_nfs(cr)); 2046 else 2047 return (secpolicy_net_config(cr, NULL)); 2048 } 2049 2050 int 2051 secpolicy_chroot(const cred_t *cr) 2052 { 2053 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 2054 } 2055 2056 int 2057 secpolicy_tasksys(const cred_t *cr) 2058 { 2059 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 2060 } 2061 2062 int 2063 secpolicy_pfexec_register(const cred_t *cr) 2064 { 2065 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); 2066 } 2067 2068 /* 2069 * Basic privilege checks. 2070 */ 2071 int 2072 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 2073 { 2074 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); 2075 2076 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 2077 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 2078 } 2079 2080 int 2081 secpolicy_basic_fork(const cred_t *cr) 2082 { 2083 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); 2084 2085 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 2086 } 2087 2088 int 2089 secpolicy_basic_proc(const cred_t *cr) 2090 { 2091 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); 2092 2093 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 2094 } 2095 2096 /* 2097 * Slightly complicated because we don't want to trigger the policy too 2098 * often. First we shortcircuit access to "self" (tp == sp) or if 2099 * we don't have the privilege but if we have permission 2100 * just return (0) and we don't flag the privilege as needed. 2101 * Else, we test for the privilege because we either have it or need it. 2102 */ 2103 int 2104 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 2105 { 2106 if (tp == sp || 2107 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 2108 return (0); 2109 } else { 2110 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 2111 } 2112 } 2113 2114 int 2115 secpolicy_basic_link(const cred_t *cr) 2116 { 2117 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); 2118 2119 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 2120 } 2121 2122 int 2123 secpolicy_basic_net_access(const cred_t *cr) 2124 { 2125 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); 2126 2127 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 2128 } 2129 2130 /* ARGSUSED */ 2131 int 2132 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) 2133 { 2134 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); 2135 2136 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 2137 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2138 } 2139 2140 /* ARGSUSED */ 2141 int 2142 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) 2143 { 2144 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); 2145 2146 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 2147 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2148 } 2149 2150 /* 2151 * Additional device protection. 2152 * 2153 * Traditionally, a device has specific permissions on the node in 2154 * the filesystem which govern which devices can be opened by what 2155 * processes. In certain cases, it is desirable to add extra 2156 * restrictions, as writing to certain devices is identical to 2157 * having a complete run of the system. 2158 * 2159 * This mechanism is called the device policy. 2160 * 2161 * When a device is opened, its policy entry is looked up in the 2162 * policy cache and checked. 2163 */ 2164 int 2165 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 2166 { 2167 devplcy_t *plcy; 2168 int err; 2169 struct snode *csp = VTOS(common_specvp(vp)); 2170 priv_set_t pset; 2171 2172 mutex_enter(&csp->s_lock); 2173 2174 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 2175 plcy = devpolicy_find(vp); 2176 if (csp->s_plcy) 2177 dpfree(csp->s_plcy); 2178 csp->s_plcy = plcy; 2179 ASSERT(plcy != NULL); 2180 } else 2181 plcy = csp->s_plcy; 2182 2183 if (plcy == nullpolicy) { 2184 mutex_exit(&csp->s_lock); 2185 return (0); 2186 } 2187 2188 dphold(plcy); 2189 2190 mutex_exit(&csp->s_lock); 2191 2192 if (oflag & FWRITE) 2193 pset = plcy->dp_wrp; 2194 else 2195 pset = plcy->dp_rdp; 2196 /* 2197 * Special case: 2198 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2199 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 2200 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 2201 * in the required privilege set before doing the check. 2202 */ 2203 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 2204 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 2205 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 2206 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 2207 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 2208 } 2209 2210 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); 2211 dpfree(plcy); 2212 2213 return (err); 2214 } 2215 2216 int 2217 secpolicy_modctl(const cred_t *cr, int cmd) 2218 { 2219 switch (cmd) { 2220 case MODINFO: 2221 case MODGETMAJBIND: 2222 case MODGETPATH: 2223 case MODGETPATHLEN: 2224 case MODGETNAME: 2225 case MODGETFBNAME: 2226 case MODGETDEVPOLICY: 2227 case MODGETDEVPOLICYBYNAME: 2228 case MODDEVT2INSTANCE: 2229 case MODSIZEOF_DEVID: 2230 case MODGETDEVID: 2231 case MODSIZEOF_MINORNAME: 2232 case MODGETMINORNAME: 2233 case MODGETDEVFSPATH_LEN: 2234 case MODGETDEVFSPATH: 2235 case MODGETDEVFSPATH_MI_LEN: 2236 case MODGETDEVFSPATH_MI: 2237 /* Unprivileged */ 2238 return (0); 2239 case MODLOAD: 2240 case MODSETDEVPOLICY: 2241 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, 2242 KLPDARG_NONE)); 2243 default: 2244 return (secpolicy_sys_config(cr, B_FALSE)); 2245 } 2246 } 2247 2248 int 2249 secpolicy_console(const cred_t *cr) 2250 { 2251 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2252 } 2253 2254 int 2255 secpolicy_power_mgmt(const cred_t *cr) 2256 { 2257 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2258 } 2259 2260 /* 2261 * Simulate terminal input; another escalation of privileges avenue. 2262 */ 2263 2264 int 2265 secpolicy_sti(const cred_t *cr) 2266 { 2267 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2268 } 2269 2270 boolean_t 2271 secpolicy_net_reply_equal(const cred_t *cr) 2272 { 2273 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2274 } 2275 2276 int 2277 secpolicy_swapctl(const cred_t *cr) 2278 { 2279 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2280 } 2281 2282 int 2283 secpolicy_cpc_cpu(const cred_t *cr) 2284 { 2285 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2286 } 2287 2288 /* 2289 * secpolicy_contract_identity 2290 * 2291 * Determine if the subject may set the process contract FMRI value 2292 */ 2293 int 2294 secpolicy_contract_identity(const cred_t *cr) 2295 { 2296 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2297 } 2298 2299 /* 2300 * secpolicy_contract_observer 2301 * 2302 * Determine if the subject may observe a specific contract's events. 2303 */ 2304 int 2305 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2306 { 2307 if (contract_owned(ct, cr, B_FALSE)) 2308 return (0); 2309 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2310 } 2311 2312 /* 2313 * secpolicy_contract_observer_choice 2314 * 2315 * Determine if the subject may observe any contract's events. Just 2316 * tests privilege and audits on success. 2317 */ 2318 boolean_t 2319 secpolicy_contract_observer_choice(const cred_t *cr) 2320 { 2321 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2322 } 2323 2324 /* 2325 * secpolicy_contract_event 2326 * 2327 * Determine if the subject may request critical contract events or 2328 * reliable contract event delivery. 2329 */ 2330 int 2331 secpolicy_contract_event(const cred_t *cr) 2332 { 2333 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2334 } 2335 2336 /* 2337 * secpolicy_contract_event_choice 2338 * 2339 * Determine if the subject may retain contract events in its critical 2340 * set when a change in other terms would normally require a change in 2341 * the critical set. Just tests privilege and audits on success. 2342 */ 2343 boolean_t 2344 secpolicy_contract_event_choice(const cred_t *cr) 2345 { 2346 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2347 } 2348 2349 /* 2350 * secpolicy_gart_access 2351 * 2352 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2353 * device. 2354 */ 2355 int 2356 secpolicy_gart_access(const cred_t *cr) 2357 { 2358 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2359 } 2360 2361 /* 2362 * secpolicy_gart_map 2363 * 2364 * Determine if the subject has sufficient priveleges to map aperture range 2365 * through agpgart driver. 2366 */ 2367 int 2368 secpolicy_gart_map(const cred_t *cr) 2369 { 2370 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2371 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2372 NULL)); 2373 } else { 2374 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2375 NULL)); 2376 } 2377 } 2378 2379 /* 2380 * secpolicy_zinject 2381 * 2382 * Determine if the subject can inject faults in the ZFS fault injection 2383 * framework. Requires all privileges. 2384 */ 2385 int 2386 secpolicy_zinject(const cred_t *cr) 2387 { 2388 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2389 } 2390 2391 /* 2392 * secpolicy_zfs 2393 * 2394 * Determine if the subject has permission to manipulate ZFS datasets 2395 * (not pools). Equivalent to the SYS_MOUNT privilege. 2396 */ 2397 int 2398 secpolicy_zfs(const cred_t *cr) 2399 { 2400 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2401 } 2402 2403 /* 2404 * secpolicy_idmap 2405 * 2406 * Determine if the calling process has permissions to register an SID 2407 * mapping daemon and allocate ephemeral IDs. 2408 */ 2409 int 2410 secpolicy_idmap(const cred_t *cr) 2411 { 2412 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2413 } 2414 2415 /* 2416 * secpolicy_ucode_update 2417 * 2418 * Determine if the subject has sufficient privilege to update microcode. 2419 */ 2420 int 2421 secpolicy_ucode_update(const cred_t *scr) 2422 { 2423 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2424 } 2425 2426 /* 2427 * secpolicy_sadopen 2428 * 2429 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2430 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2431 * In global zone, sys_config is required. 2432 * In exclusive-IP zones, sys_ip_config is required. 2433 * Note that sys_config is prohibited in non-global zones. 2434 */ 2435 int 2436 secpolicy_sadopen(const cred_t *credp) 2437 { 2438 priv_set_t pset; 2439 2440 priv_emptyset(&pset); 2441 2442 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2443 priv_addset(&pset, PRIV_SYS_CONFIG); 2444 else 2445 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2446 2447 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE)); 2448 } 2449 2450 2451 /* 2452 * Add privileges to a particular privilege set; this is called when the 2453 * current sets of privileges are not sufficient. I.e., we should always 2454 * call the policy override functions from here. 2455 * What we are allowed to have is in the Observed Permitted set; so 2456 * we compute the difference between that and the newset. 2457 */ 2458 int 2459 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2460 { 2461 priv_set_t rqd; 2462 2463 rqd = CR_OPPRIV(cr); 2464 2465 priv_inverse(&rqd); 2466 priv_intersect(nset, &rqd); 2467 2468 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); 2469 } 2470 2471 /* 2472 * secpolicy_smb 2473 * 2474 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2475 * that it has permission to access the smbsrv kernel driver. 2476 * PRIV_POLICY checks the privilege and audits the check. 2477 * 2478 * Returns: 2479 * 0 Driver access is allowed. 2480 * EPERM Driver access is NOT permitted. 2481 */ 2482 int 2483 secpolicy_smb(const cred_t *cr) 2484 { 2485 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2486 } 2487 2488 /* 2489 * secpolicy_vscan 2490 * 2491 * Determine if cred_t has the necessary privileges to access a file 2492 * for virus scanning and update its extended system attributes. 2493 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2494 * PRIV_FILE_FLAG_SET - set extended system attributes 2495 * 2496 * PRIV_POLICY checks the privilege and audits the check. 2497 * 2498 * Returns: 2499 * 0 file access for virus scanning allowed. 2500 * EPERM file access for virus scanning is NOT permitted. 2501 */ 2502 int 2503 secpolicy_vscan(const cred_t *cr) 2504 { 2505 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2506 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2507 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2508 return (EPERM); 2509 } 2510 2511 return (0); 2512 } 2513 2514 /* 2515 * secpolicy_smbfs_login 2516 * 2517 * Determines if the caller can add and delete the smbfs login 2518 * password in the the nsmb kernel module for the CIFS client. 2519 * 2520 * Returns: 2521 * 0 access is allowed. 2522 * EPERM access is NOT allowed. 2523 */ 2524 int 2525 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2526 { 2527 uid_t cruid = crgetruid(cr); 2528 2529 if (cruid == uid) 2530 return (0); 2531 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2532 EPERM, NULL)); 2533 } 2534 2535 /* 2536 * secpolicy_xvm_control 2537 * 2538 * Determines if a caller can control the xVM hypervisor and/or running 2539 * domains (x86 specific). 2540 * 2541 * Returns: 2542 * 0 access is allowed. 2543 * EPERM access is NOT allowed. 2544 */ 2545 int 2546 secpolicy_xvm_control(const cred_t *cr) 2547 { 2548 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2549 return (EPERM); 2550 return (0); 2551 } 2552 2553 /* 2554 * secpolicy_ppp_config 2555 * 2556 * Determine if the subject has sufficient privileges to configure PPP and 2557 * PPP-related devices. 2558 */ 2559 int 2560 secpolicy_ppp_config(const cred_t *cr) 2561 { 2562 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2563 return (secpolicy_net_config(cr, B_FALSE)); 2564 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2565 } 2566