1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 #include <sys/dld_ioc.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make assumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions. 151 * 152 * All of the system's policy should be implemented here. 153 */ 154 155 /* 156 * Private functions which take an additional va_list argument to 157 * implement an object specific policy override. 158 */ 159 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 160 const char *, va_list); 161 static int priv_policy_va(const cred_t *, int, boolean_t, int, 162 const char *, ...); 163 164 /* 165 * Generic policy calls 166 * 167 * The "bottom" functions of policy control 168 */ 169 static char * 170 mprintf(const char *fmt, ...) 171 { 172 va_list args; 173 char *buf; 174 size_t len; 175 176 va_start(args, fmt); 177 len = vsnprintf(NULL, 0, fmt, args) + 1; 178 va_end(args); 179 180 buf = kmem_alloc(len, KM_NOSLEEP); 181 182 if (buf == NULL) 183 return (NULL); 184 185 va_start(args, fmt); 186 (void) vsnprintf(buf, len, fmt, args); 187 va_end(args); 188 189 return (buf); 190 } 191 192 /* 193 * priv_policy_errmsg() 194 * 195 * Generate an error message if privilege debugging is enabled system wide 196 * or for this particular process. 197 */ 198 199 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 200 #define FMTMSG " for \"%s\"" 201 #define FMTFUN " needed at %s+0x%lx" 202 203 /* The maximum size privilege format: the concatenation of the above */ 204 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 205 206 static void 207 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 208 { 209 struct proc *me; 210 pc_t stack[MAXPRIVSTACK]; 211 int depth; 212 int i; 213 char *sym; 214 ulong_t off; 215 const char *pname; 216 217 char *cmd; 218 char fmt[sizeof (FMTMAX)]; 219 220 if ((me = curproc) == &p0) 221 return; 222 223 /* Privileges must be defined */ 224 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 225 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 226 priv_getbynum(priv) != NULL); 227 228 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 229 priv = PRIV_ALL; 230 231 if (curthread->t_pre_sys) 232 ttolwp(curthread)->lwp_badpriv = (short)priv; 233 234 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 235 return; 236 237 (void) strcpy(fmt, FMTHDR); 238 239 if (me->p_user.u_comm[0]) 240 cmd = &me->p_user.u_comm[0]; 241 else 242 cmd = "priv_policy"; 243 244 if (msg != NULL && *msg != '\0') { 245 (void) strcat(fmt, FMTMSG); 246 } else { 247 (void) strcat(fmt, "%s"); 248 msg = ""; 249 } 250 251 sym = NULL; 252 253 depth = getpcstack(stack, MAXPRIVSTACK); 254 255 /* 256 * Try to find the first interesting function on the stack. 257 * priv_policy* that's us, so completely uninteresting. 258 * suser(), drv_priv(), secpolicy_* are also called from 259 * too many locations to convey useful information. 260 */ 261 for (i = 0; i < depth; i++) { 262 sym = kobj_getsymname((uintptr_t)stack[i], &off); 263 if (sym != NULL && 264 strstr(sym, "hasprocperm") == 0 && 265 strcmp("suser", sym) != 0 && 266 strcmp("ipcaccess", sym) != 0 && 267 strcmp("drv_priv", sym) != 0 && 268 strncmp("secpolicy_", sym, 10) != 0 && 269 strncmp("priv_policy", sym, 11) != 0) 270 break; 271 } 272 273 if (sym != NULL) 274 (void) strcat(fmt, FMTFUN); 275 276 (void) strcat(fmt, "\n"); 277 278 switch (priv) { 279 case PRIV_ALL: 280 pname = "ALL"; 281 break; 282 case PRIV_MULTIPLE: 283 pname = "MULTIPLE"; 284 break; 285 case PRIV_ALLZONE: 286 pname = "ZONE"; 287 break; 288 case PRIV_GLOBAL: 289 pname = "GLOBAL"; 290 break; 291 default: 292 pname = priv_getbynum(priv); 293 break; 294 } 295 296 if (CR_FLAGS(cr) & PRIV_DEBUG) { 297 /* Remember last message, just like lwp_badpriv. */ 298 if (curthread->t_pdmsg != NULL) { 299 kmem_free(curthread->t_pdmsg, 300 strlen(curthread->t_pdmsg) + 1); 301 } 302 303 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 304 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 305 306 curthread->t_post_sys = 1; 307 } 308 if (priv_debug) { 309 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 310 curthread->t_sysnum, msg, sym, off); 311 } 312 } 313 314 /* 315 * Override the policy, if appropriate. Return 0 if the external 316 * policy engine approves. 317 */ 318 static int 319 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 320 { 321 priv_set_t set; 322 int ret; 323 324 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 325 return (-1); 326 327 if (priv == PRIV_ALL) { 328 priv_fillset(&set); 329 } else if (allzone) { 330 set = *ZONEPRIVS(cr); 331 } else { 332 priv_emptyset(&set); 333 priv_addset(&set, priv); 334 } 335 ret = klpd_call(cr, &set, ap); 336 return (ret); 337 } 338 339 static int 340 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...) 341 { 342 va_list ap; 343 344 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 345 va_start(ap, req); 346 return (klpd_call(cr, req, ap)); 347 } 348 return (-1); 349 } 350 351 /* 352 * Audit failure, log error message. 353 */ 354 static void 355 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 356 { 357 358 if (audit_active) 359 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 360 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 361 362 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 363 curthread->t_pre_sys) { 364 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 365 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 366 } else { 367 ASSERT(!HAS_PRIVILEGE(cr, priv)); 368 priv_policy_errmsg(cr, priv, msg); 369 } 370 } 371 } 372 373 /* 374 * priv_policy_ap() 375 * return 0 or error. 376 * See block comment above for a description of "priv" and "allzone" usage. 377 */ 378 static int 379 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 380 const char *msg, va_list ap) 381 { 382 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 383 (!servicing_interrupt() && 384 priv_policy_override(cr, priv, allzone, ap) == 0)) { 385 if ((allzone || priv == PRIV_ALL || 386 !PRIV_ISASSERT(priv_basic, priv)) && 387 !servicing_interrupt()) { 388 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 389 if (audit_active) 390 audit_priv(priv, 391 allzone ? ZONEPRIVS(cr) : NULL, 1); 392 } 393 err = 0; 394 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 395 } else if (!servicing_interrupt()) { 396 /* Failure audited in this procedure */ 397 priv_policy_err(cr, priv, allzone, msg); 398 } 399 return (err); 400 } 401 402 int 403 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 404 const char *msg, ...) 405 { 406 int ret; 407 va_list ap; 408 409 va_start(ap, msg); 410 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 411 va_end(ap); 412 413 return (ret); 414 } 415 416 int 417 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 418 const char *msg) 419 { 420 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE)); 421 } 422 423 /* 424 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 425 */ 426 boolean_t 427 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 428 { 429 boolean_t res = HAS_PRIVILEGE(cr, priv) && 430 (!allzone || HAS_ALLZONEPRIVS(cr)); 431 432 /* Audit success only */ 433 if (res && audit_active && 434 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 435 !servicing_interrupt()) { 436 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 437 } 438 if (res) { 439 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 440 } else { 441 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 442 } 443 return (res); 444 } 445 446 /* 447 * Non-auditing variant of priv_policy_choice(). 448 */ 449 boolean_t 450 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 451 { 452 boolean_t res = HAS_PRIVILEGE(cr, priv) && 453 (!allzone || HAS_ALLZONEPRIVS(cr)); 454 455 if (res) { 456 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 457 } else { 458 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 459 } 460 return (res); 461 } 462 463 /* 464 * Check whether all privileges in the required set are present. 465 */ 466 static int 467 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 468 { 469 int priv; 470 int pfound = -1; 471 priv_set_t pset; 472 473 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 474 &CR_OEPRIV(cr))) { 475 return (0); 476 } 477 478 if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0) 479 return (0); 480 481 if (req == PRIV_FULLSET || priv_isfullset(req)) { 482 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 483 return (EACCES); 484 } 485 486 pset = CR_OEPRIV(cr); /* present privileges */ 487 priv_inverse(&pset); /* all non present privileges */ 488 priv_intersect(req, &pset); /* the actual missing privs */ 489 490 if (audit_active) 491 audit_priv(PRIV_NONE, &pset, 0); 492 /* 493 * Privilege debugging; special case "one privilege in set". 494 */ 495 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 496 for (priv = 0; priv < nprivs; priv++) { 497 if (priv_ismember(&pset, priv)) { 498 if (pfound != -1) { 499 /* Multiple missing privs */ 500 priv_policy_errmsg(cr, PRIV_MULTIPLE, 501 msg); 502 return (EACCES); 503 } 504 pfound = priv; 505 } 506 } 507 ASSERT(pfound != -1); 508 /* Just the one missing privilege */ 509 priv_policy_errmsg(cr, pfound, msg); 510 } 511 512 return (EACCES); 513 } 514 515 /* 516 * Called when an operation requires that the caller be in the 517 * global zone, regardless of privilege. 518 */ 519 static int 520 priv_policy_global(const cred_t *cr) 521 { 522 if (crgetzoneid(cr) == GLOBAL_ZONEID) 523 return (0); /* success */ 524 525 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 526 curthread->t_pre_sys) { 527 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 528 } 529 return (EPERM); 530 } 531 532 /* 533 * Changing process priority 534 */ 535 int 536 secpolicy_setpriority(const cred_t *cr) 537 { 538 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 539 } 540 541 /* 542 * Binding to a privileged port, port must be specified in host byte 543 * order. 544 */ 545 int 546 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 547 { 548 char *reason; 549 int priv; 550 551 switch (port) { 552 case 137: 553 case 138: 554 case 139: 555 case 445: 556 /* 557 * NBT and SMB ports, these are extra privileged ports, 558 * allow bind only if the SYS_SMB privilege is present. 559 */ 560 priv = PRIV_SYS_SMB; 561 reason = "NBT or SMB port"; 562 break; 563 564 case 2049: 565 case 4045: 566 /* 567 * NFS ports, these are extra privileged ports, allow bind 568 * only if the SYS_NFS privilege is present. 569 */ 570 priv = PRIV_SYS_NFS; 571 reason = "NFS port"; 572 break; 573 574 default: 575 priv = PRIV_NET_PRIVADDR; 576 reason = NULL; 577 break; 578 579 } 580 581 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 582 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 583 } 584 585 /* 586 * Binding to a multilevel port on a trusted (labeled) system. 587 */ 588 int 589 secpolicy_net_bindmlp(const cred_t *cr) 590 { 591 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 592 } 593 594 /* 595 * Allow a communication between a zone and an unlabeled host when their 596 * labels don't match. 597 */ 598 int 599 secpolicy_net_mac_aware(const cred_t *cr) 600 { 601 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 602 } 603 604 /* 605 * Allow a privileged process to transmit traffic without explicit labels 606 */ 607 int 608 secpolicy_net_mac_implicit(const cred_t *cr) 609 { 610 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 611 } 612 613 /* 614 * Common routine which determines whether a given credential can 615 * act on a given mount. 616 * When called through mount, the parameter needoptcheck is a pointer 617 * to a boolean variable which will be set to either true or false, 618 * depending on whether the mount policy should change the mount options. 619 * In all other cases, needoptcheck should be a NULL pointer. 620 */ 621 static int 622 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 623 boolean_t *needoptcheck) 624 { 625 boolean_t allzone = B_FALSE; 626 boolean_t mounting = needoptcheck != NULL; 627 628 /* 629 * Short circuit the following cases: 630 * vfsp == NULL or mvp == NULL (pure privilege check) 631 * have all privileges - no further checks required 632 * and no mount options need to be set. 633 */ 634 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 635 if (mounting) 636 *needoptcheck = B_FALSE; 637 638 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 639 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 640 } 641 642 /* 643 * When operating on an existing mount (either we're not mounting 644 * or we're doing a remount and VFS_REMOUNT will be set), zones 645 * can operate only on mounts established by the zone itself. 646 */ 647 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 648 zoneid_t zoneid = crgetzoneid(cr); 649 650 if (zoneid != GLOBAL_ZONEID && 651 vfsp->vfs_zone->zone_id != zoneid) { 652 return (EPERM); 653 } 654 } 655 656 if (mounting) 657 *needoptcheck = B_TRUE; 658 659 /* 660 * Overlay mounts may hide important stuff; if you can't write to a 661 * mount point but would be able to mount on top of it, you can 662 * escalate your privileges. 663 * So we go about asking the same questions namefs does when it 664 * decides whether you can mount over a file or not but with the 665 * added restriction that you can only mount on top of a regular 666 * file or directory. 667 * If we have all the zone's privileges, we skip all other checks, 668 * or else we may actually get in trouble inside the automounter. 669 */ 670 if ((mvp->v_flag & VROOT) != 0 || 671 (mvp->v_type != VDIR && mvp->v_type != VREG) || 672 HAS_ALLZONEPRIVS(cr)) { 673 allzone = B_TRUE; 674 } else { 675 vattr_t va; 676 int err; 677 678 va.va_mask = AT_UID|AT_MODE; 679 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 680 if (err != 0) 681 return (err); 682 683 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 684 return (err); 685 686 if ((va.va_mode & VWRITE) == 0 && 687 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 688 return (EACCES); 689 } 690 } 691 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 692 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 693 } 694 695 void 696 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 697 { 698 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 699 700 /* 701 * check; if we don't have either "nosuid" or 702 * both "nosetuid" and "nodevices", then we add 703 * "nosuid"; this depends on how the current 704 * implementation works (it first checks nosuid). In a 705 * zone, a user with all zone privileges can mount with 706 * "setuid" but never with "devices". 707 */ 708 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 709 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 710 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 711 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 712 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 713 else 714 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 715 } 716 /* 717 * If we're not the local super user, we set the "restrict" 718 * option to indicate to automountd that this mount should 719 * be handled with care. 720 */ 721 if (!amsuper) 722 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 723 724 } 725 726 extern vnode_t *rootvp; 727 extern vfs_t *rootvfs; 728 729 int 730 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 731 { 732 boolean_t needoptchk; 733 int error; 734 735 /* 736 * If it's a remount, get the underlying mount point, 737 * except for the root where we use the rootvp. 738 */ 739 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 740 if (vfsp == rootvfs) 741 mvp = rootvp; 742 else 743 mvp = vfsp->vfs_vnodecovered; 744 } 745 746 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 747 748 if (error == 0 && needoptchk) { 749 secpolicy_fs_mount_clearopts(cr, vfsp); 750 } 751 752 return (error); 753 } 754 755 /* 756 * Does the policy computations for "ownership" of a mount; 757 * here ownership is defined as the ability to "mount" 758 * the filesystem originally. The rootvfs doesn't cover any 759 * vnodes; we attribute its ownership to the rootvp. 760 */ 761 static int 762 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 763 { 764 vnode_t *mvp; 765 766 if (vfsp == NULL) 767 mvp = NULL; 768 else if (vfsp == rootvfs) 769 mvp = rootvp; 770 else 771 mvp = vfsp->vfs_vnodecovered; 772 773 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 774 } 775 776 int 777 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 778 { 779 return (secpolicy_fs_owner(cr, vfsp)); 780 } 781 782 /* 783 * Quotas are a resource, but if one has the ability to mount a filesystem, he 784 * should be able to modify quotas on it. 785 */ 786 int 787 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 788 { 789 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 790 } 791 792 /* 793 * Exceeding minfree: also a per-mount resource constraint. 794 */ 795 int 796 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 797 { 798 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 799 } 800 801 int 802 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 803 { 804 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 805 } 806 807 /* ARGSUSED */ 808 int 809 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 810 { 811 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 812 } 813 814 /* 815 * Name: secpolicy_vnode_access() 816 * 817 * Parameters: Process credential 818 * vnode 819 * uid of owner of vnode 820 * permission bits not granted to the caller when examining 821 * file mode bits (i.e., when a process wants to open a 822 * mode 444 file for VREAD|VWRITE, this function should be 823 * called only with a VWRITE argument). 824 * 825 * Normal: Verifies that cred has the appropriate privileges to 826 * override the mode bits that were denied. 827 * 828 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 829 * not a directory. 830 * file_dac_read - if VREAD bit was denied. 831 * file_dac_search - if VEXEC bit was denied and vnode is 832 * a directory. 833 * file_dac_write - if VWRITE bit was denied. 834 * 835 * Root owned files are special cased to protect system 836 * configuration files and such. 837 * 838 * Output: EACCES - if privilege check fails. 839 */ 840 841 /* ARGSUSED */ 842 int 843 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 844 { 845 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 846 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 847 KLPDARG_NOMORE) != 0) { 848 return (EACCES); 849 } 850 851 if (mode & VWRITE) { 852 boolean_t allzone; 853 854 if (owner == 0 && cr->cr_uid != 0) 855 allzone = B_TRUE; 856 else 857 allzone = B_FALSE; 858 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 859 NULL, KLPDARG_VNODE, vp, (char *)NULL, 860 KLPDARG_NOMORE) != 0) { 861 return (EACCES); 862 } 863 } 864 865 if (mode & VEXEC) { 866 /* 867 * Directories use file_dac_search to override the execute bit. 868 */ 869 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 870 PRIV_FILE_DAC_EXECUTE; 871 872 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 873 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 874 } 875 return (0); 876 } 877 878 /* 879 * Name: secpolicy_vnode_setid_modify() 880 * 881 * Normal: verify that subject can set the file setid flags. 882 * 883 * Output: EPERM - if not privileged. 884 */ 885 886 static int 887 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 888 { 889 /* If changing to suid root, must have all zone privs */ 890 boolean_t allzone = B_TRUE; 891 892 if (owner != 0) { 893 if (owner == cr->cr_uid) 894 return (0); 895 allzone = B_FALSE; 896 } 897 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 898 } 899 900 /* 901 * Are we allowed to retain the set-uid/set-gid bits when 902 * changing ownership or when writing to a file? 903 * "issuid" should be true when set-uid; only in that case 904 * root ownership is checked (setgid is assumed). 905 */ 906 int 907 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 908 { 909 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 910 return (EPERM); 911 912 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 913 } 914 915 /* 916 * Name: secpolicy_vnode_setids_setgids() 917 * 918 * Normal: verify that subject can set the file setgid flag. 919 * 920 * Output: EPERM - if not privileged 921 */ 922 923 int 924 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 925 { 926 if (!groupmember(gid, cred)) 927 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 928 NULL)); 929 return (0); 930 } 931 932 /* 933 * Name: secpolicy_vnode_chown 934 * 935 * Normal: Determine if subject can chown owner of a file. 936 * 937 * Output: EPERM - if access denied 938 */ 939 940 int 941 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 942 { 943 boolean_t is_owner = (owner == crgetuid(cred)); 944 boolean_t allzone = B_FALSE; 945 int priv; 946 947 if (!is_owner) { 948 allzone = (owner == 0); 949 priv = PRIV_FILE_CHOWN; 950 } else { 951 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 952 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 953 } 954 955 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 956 } 957 958 /* 959 * Name: secpolicy_vnode_create_gid 960 * 961 * Normal: Determine if subject can change group ownership of a file. 962 * 963 * Output: EPERM - if access denied 964 */ 965 int 966 secpolicy_vnode_create_gid(const cred_t *cred) 967 { 968 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 969 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 970 NULL)); 971 else 972 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 973 NULL)); 974 } 975 976 /* 977 * Name: secpolicy_vnode_utime_modify() 978 * 979 * Normal: verify that subject can modify the utime on a file. 980 * 981 * Output: EPERM - if access denied. 982 */ 983 984 static int 985 secpolicy_vnode_utime_modify(const cred_t *cred) 986 { 987 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 988 "modify file times")); 989 } 990 991 992 /* 993 * Name: secpolicy_vnode_setdac() 994 * 995 * Normal: verify that subject can modify the mode of a file. 996 * allzone privilege needed when modifying root owned object. 997 * 998 * Output: EPERM - if access denied. 999 */ 1000 1001 int 1002 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1003 { 1004 if (owner == cred->cr_uid) 1005 return (0); 1006 1007 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1008 } 1009 /* 1010 * Name: secpolicy_vnode_stky_modify() 1011 * 1012 * Normal: verify that subject can make a file a "sticky". 1013 * 1014 * Output: EPERM - if access denied. 1015 */ 1016 1017 int 1018 secpolicy_vnode_stky_modify(const cred_t *cred) 1019 { 1020 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1021 "set file sticky")); 1022 } 1023 1024 /* 1025 * Policy determines whether we can remove an entry from a directory, 1026 * regardless of permission bits. 1027 */ 1028 int 1029 secpolicy_vnode_remove(const cred_t *cr) 1030 { 1031 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1032 "sticky directory")); 1033 } 1034 1035 int 1036 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1037 { 1038 boolean_t allzone = (owner == 0); 1039 1040 if (owner == cr->cr_uid) 1041 return (0); 1042 1043 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1044 } 1045 1046 void 1047 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1048 { 1049 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1050 secpolicy_vnode_setid_retain(cr, 1051 (vap->va_mode & S_ISUID) != 0 && 1052 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1053 vap->va_mask |= AT_MODE; 1054 vap->va_mode &= ~(S_ISUID|S_ISGID); 1055 } 1056 } 1057 1058 int 1059 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1060 cred_t *cr) 1061 { 1062 int error; 1063 1064 if ((vap->va_mode & S_ISUID) != 0 && 1065 (error = secpolicy_vnode_setid_modify(cr, 1066 ovap->va_uid)) != 0) { 1067 return (error); 1068 } 1069 1070 /* 1071 * Check privilege if attempting to set the 1072 * sticky bit on a non-directory. 1073 */ 1074 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1075 secpolicy_vnode_stky_modify(cr) != 0) { 1076 vap->va_mode &= ~S_ISVTX; 1077 } 1078 1079 /* 1080 * Check for privilege if attempting to set the 1081 * group-id bit. 1082 */ 1083 if ((vap->va_mode & S_ISGID) != 0 && 1084 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1085 vap->va_mode &= ~S_ISGID; 1086 } 1087 1088 return (0); 1089 } 1090 1091 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1092 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1093 B_FALSE, EPERM, NULL) 1094 1095 /* 1096 * Check privileges for setting xvattr attributes 1097 */ 1098 int 1099 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1100 { 1101 xoptattr_t *xoap; 1102 int error = 0; 1103 1104 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1105 return (EINVAL); 1106 1107 /* 1108 * First process the DOS bits 1109 */ 1110 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1111 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1112 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1113 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1114 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1115 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1116 return (error); 1117 } 1118 1119 /* 1120 * Now handle special attributes 1121 */ 1122 1123 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1124 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1125 xoap->xoa_immutable, cr); 1126 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1127 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1128 xoap->xoa_nounlink, cr); 1129 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1130 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1131 xoap->xoa_appendonly, cr); 1132 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1133 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1134 xoap->xoa_nodump, cr); 1135 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1136 error = EPERM; 1137 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1138 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1139 xoap->xoa_av_quarantined, cr); 1140 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1141 error = EINVAL; 1142 } 1143 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1144 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1145 xoap->xoa_av_modified, cr); 1146 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1147 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1148 xoap->xoa_av_scanstamp, cr); 1149 if (error == 0 && vtype != VREG) 1150 error = EINVAL; 1151 } 1152 return (error); 1153 } 1154 1155 /* 1156 * This function checks the policy decisions surrounding the 1157 * vop setattr call. 1158 * 1159 * It should be called after sufficient locks have been established 1160 * on the underlying data structures. No concurrent modifications 1161 * should be allowed. 1162 * 1163 * The caller must pass in unlocked version of its vaccess function 1164 * this is required because vop_access function should lock the 1165 * node for reading. A three argument function should be defined 1166 * which accepts the following argument: 1167 * A pointer to the internal "node" type (inode *) 1168 * vnode access bits (VREAD|VWRITE|VEXEC) 1169 * a pointer to the credential 1170 * 1171 * This function makes the following policy decisions: 1172 * 1173 * - change permissions 1174 * - permission to change file mode if not owner 1175 * - permission to add sticky bit to non-directory 1176 * - permission to add set-gid bit 1177 * 1178 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1179 * 1180 * If the vap argument does not include AT_MODE, the mode will be copied from 1181 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1182 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1183 * is updated to the newly computed mode. 1184 */ 1185 1186 int 1187 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1188 const struct vattr *ovap, int flags, 1189 int unlocked_access(void *, int, cred_t *), 1190 void *node) 1191 { 1192 int mask = vap->va_mask; 1193 int error = 0; 1194 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1195 1196 if (mask & AT_SIZE) { 1197 if (vp->v_type == VDIR) { 1198 error = EISDIR; 1199 goto out; 1200 } 1201 1202 /* 1203 * If ATTR_NOACLCHECK is set in the flags, then we don't 1204 * perform the secondary unlocked_access() call since the 1205 * ACL (if any) is being checked there. 1206 */ 1207 if (skipaclchk == B_FALSE) { 1208 error = unlocked_access(node, VWRITE, cr); 1209 if (error) 1210 goto out; 1211 } 1212 } 1213 if (mask & AT_MODE) { 1214 /* 1215 * If not the owner of the file then check privilege 1216 * for two things: the privilege to set the mode at all 1217 * and, if we're setting setuid, we also need permissions 1218 * to add the set-uid bit, if we're not the owner. 1219 * In the specific case of creating a set-uid root 1220 * file, we need even more permissions. 1221 */ 1222 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1223 goto out; 1224 1225 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1226 ovap, cr)) != 0) 1227 goto out; 1228 } else 1229 vap->va_mode = ovap->va_mode; 1230 1231 if (mask & (AT_UID|AT_GID)) { 1232 boolean_t checkpriv = B_FALSE; 1233 1234 /* 1235 * Chowning files. 1236 * 1237 * If you are the file owner: 1238 * chown to other uid FILE_CHOWN_SELF 1239 * chown to gid (non-member) FILE_CHOWN_SELF 1240 * chown to gid (member) <none> 1241 * 1242 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1243 * acceptable but the first one is reported when debugging. 1244 * 1245 * If you are not the file owner: 1246 * chown from root PRIV_FILE_CHOWN + zone 1247 * chown from other to any PRIV_FILE_CHOWN 1248 * 1249 */ 1250 if (cr->cr_uid != ovap->va_uid) { 1251 checkpriv = B_TRUE; 1252 } else { 1253 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1254 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1255 !groupmember(vap->va_gid, cr))) { 1256 checkpriv = B_TRUE; 1257 } 1258 } 1259 /* 1260 * If necessary, check privilege to see if update can be done. 1261 */ 1262 if (checkpriv && 1263 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1264 goto out; 1265 } 1266 1267 /* 1268 * If the file has either the set UID or set GID bits 1269 * set and the caller can set the bits, then leave them. 1270 */ 1271 secpolicy_setid_clear(vap, cr); 1272 } 1273 if (mask & (AT_ATIME|AT_MTIME)) { 1274 /* 1275 * If not the file owner and not otherwise privileged, 1276 * always return an error when setting the 1277 * time other than the current (ATTR_UTIME flag set). 1278 * If setting the current time (ATTR_UTIME not set) then 1279 * unlocked_access will check permissions according to policy. 1280 */ 1281 if (cr->cr_uid != ovap->va_uid) { 1282 if (flags & ATTR_UTIME) 1283 error = secpolicy_vnode_utime_modify(cr); 1284 else if (skipaclchk == B_FALSE) { 1285 error = unlocked_access(node, VWRITE, cr); 1286 if (error == EACCES && 1287 secpolicy_vnode_utime_modify(cr) == 0) 1288 error = 0; 1289 } 1290 if (error) 1291 goto out; 1292 } 1293 } 1294 1295 /* 1296 * Check for optional attributes here by checking the following: 1297 */ 1298 if (mask & AT_XVATTR) 1299 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1300 vp->v_type); 1301 out: 1302 return (error); 1303 } 1304 1305 /* 1306 * Name: secpolicy_pcfs_modify_bootpartition() 1307 * 1308 * Normal: verify that subject can modify a pcfs boot partition. 1309 * 1310 * Output: EACCES - if privilege check failed. 1311 */ 1312 /*ARGSUSED*/ 1313 int 1314 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1315 { 1316 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1317 "modify pcfs boot partition")); 1318 } 1319 1320 /* 1321 * System V IPC routines 1322 */ 1323 int 1324 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1325 { 1326 if (crgetzoneid(cr) != ip->ipc_zoneid || 1327 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1328 boolean_t allzone = B_FALSE; 1329 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1330 allzone = B_TRUE; 1331 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1332 } 1333 return (0); 1334 } 1335 1336 int 1337 secpolicy_ipc_config(const cred_t *cr) 1338 { 1339 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1340 } 1341 1342 int 1343 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1344 { 1345 1346 boolean_t allzone = B_FALSE; 1347 1348 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1349 1350 if ((mode & MSG_R) && 1351 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1352 return (EACCES); 1353 1354 if (mode & MSG_W) { 1355 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1356 allzone = B_TRUE; 1357 1358 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1359 NULL)); 1360 } 1361 return (0); 1362 } 1363 1364 int 1365 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1366 { 1367 boolean_t allzone = B_FALSE; 1368 1369 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1370 1371 if ((mode & MSG_R) && 1372 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1373 return (EACCES); 1374 1375 if (mode & MSG_W) { 1376 if (cr->cr_uid != 0 && owner == 0) 1377 allzone = B_TRUE; 1378 1379 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1380 NULL)); 1381 } 1382 return (0); 1383 } 1384 1385 /* 1386 * Audit configuration. 1387 */ 1388 int 1389 secpolicy_audit_config(const cred_t *cr) 1390 { 1391 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1392 } 1393 1394 /* 1395 * Audit record generation. 1396 */ 1397 int 1398 secpolicy_audit_modify(const cred_t *cr) 1399 { 1400 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1401 } 1402 1403 /* 1404 * Get audit attributes. 1405 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1406 * "Least" of the two privileges on error. 1407 */ 1408 int 1409 secpolicy_audit_getattr(const cred_t *cr) 1410 { 1411 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1412 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1413 NULL)); 1414 } else { 1415 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1416 } 1417 } 1418 1419 1420 /* 1421 * Locking physical memory 1422 */ 1423 int 1424 secpolicy_lock_memory(const cred_t *cr) 1425 { 1426 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1427 } 1428 1429 /* 1430 * Accounting (both acct(2) and exacct). 1431 */ 1432 int 1433 secpolicy_acct(const cred_t *cr) 1434 { 1435 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1436 } 1437 1438 /* 1439 * Is this process privileged to change its uids at will? 1440 * Uid 0 is still considered "special" and having the SETID 1441 * privilege is not sufficient to get uid 0. 1442 * Files are owned by root, so the privilege would give 1443 * full access and euid 0 is still effective. 1444 * 1445 * If you have the privilege and euid 0 only then do you 1446 * get the powers of root wrt uid 0. 1447 * 1448 * For gid manipulations, this is should be called with an 1449 * uid of -1. 1450 * 1451 */ 1452 int 1453 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1454 { 1455 boolean_t allzone = B_FALSE; 1456 1457 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1458 cr->cr_ruid != 0) { 1459 allzone = B_TRUE; 1460 } 1461 1462 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1463 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1464 } 1465 1466 1467 /* 1468 * Acting on a different process: if the mode is for writing, 1469 * the restrictions are more severe. This is called after 1470 * we've verified that the uids do not match. 1471 */ 1472 int 1473 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1474 { 1475 boolean_t allzone = B_FALSE; 1476 1477 if ((mode & VWRITE) && scr->cr_uid != 0 && 1478 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1479 allzone = B_TRUE; 1480 1481 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1482 } 1483 1484 int 1485 secpolicy_proc_access(const cred_t *scr) 1486 { 1487 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1488 } 1489 1490 int 1491 secpolicy_proc_excl_open(const cred_t *scr) 1492 { 1493 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1494 } 1495 1496 int 1497 secpolicy_proc_zone(const cred_t *scr) 1498 { 1499 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1500 } 1501 1502 /* 1503 * Destroying the system 1504 */ 1505 1506 int 1507 secpolicy_kmdb(const cred_t *scr) 1508 { 1509 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1510 } 1511 1512 int 1513 secpolicy_error_inject(const cred_t *scr) 1514 { 1515 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1516 } 1517 1518 /* 1519 * Processor sets, cpu configuration, resource pools. 1520 */ 1521 int 1522 secpolicy_pset(const cred_t *cr) 1523 { 1524 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1525 } 1526 1527 int 1528 secpolicy_ponline(const cred_t *cr) 1529 { 1530 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1531 } 1532 1533 int 1534 secpolicy_pool(const cred_t *cr) 1535 { 1536 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1537 } 1538 1539 int 1540 secpolicy_blacklist(const cred_t *cr) 1541 { 1542 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1543 } 1544 1545 /* 1546 * Catch all system configuration. 1547 */ 1548 int 1549 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1550 { 1551 if (checkonly) { 1552 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1553 EPERM); 1554 } else { 1555 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1556 } 1557 } 1558 1559 /* 1560 * Zone administration (halt, reboot, etc.) from within zone. 1561 */ 1562 int 1563 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1564 { 1565 if (checkonly) { 1566 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1567 EPERM); 1568 } else { 1569 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1570 NULL)); 1571 } 1572 } 1573 1574 /* 1575 * Zone configuration (create, halt, enter). 1576 */ 1577 int 1578 secpolicy_zone_config(const cred_t *cr) 1579 { 1580 /* 1581 * Require all privileges to avoid possibility of privilege 1582 * escalation. 1583 */ 1584 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1585 } 1586 1587 /* 1588 * Various other system configuration calls 1589 */ 1590 int 1591 secpolicy_coreadm(const cred_t *cr) 1592 { 1593 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1594 } 1595 1596 int 1597 secpolicy_systeminfo(const cred_t *cr) 1598 { 1599 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1600 } 1601 1602 int 1603 secpolicy_dispadm(const cred_t *cr) 1604 { 1605 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1606 } 1607 1608 int 1609 secpolicy_settime(const cred_t *cr) 1610 { 1611 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1612 } 1613 1614 /* 1615 * For realtime users: high resolution clock. 1616 */ 1617 int 1618 secpolicy_clock_highres(const cred_t *cr) 1619 { 1620 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1621 NULL)); 1622 } 1623 1624 /* 1625 * drv_priv() is documented as callable from interrupt context, not that 1626 * anyone ever does, but still. No debugging or auditing can be done when 1627 * it is called from interrupt context. 1628 * returns 0 on succes, EPERM on failure. 1629 */ 1630 int 1631 drv_priv(cred_t *cr) 1632 { 1633 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1634 } 1635 1636 int 1637 secpolicy_sys_devices(const cred_t *cr) 1638 { 1639 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1640 } 1641 1642 int 1643 secpolicy_excl_open(const cred_t *cr) 1644 { 1645 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1646 } 1647 1648 int 1649 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1650 { 1651 /* zone.* rctls can only be set from the global zone */ 1652 if (is_zone_rctl && priv_policy_global(cr) != 0) 1653 return (EPERM); 1654 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1655 } 1656 1657 int 1658 secpolicy_resource(const cred_t *cr) 1659 { 1660 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1661 } 1662 1663 int 1664 secpolicy_resource_anon_mem(const cred_t *cr) 1665 { 1666 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1667 } 1668 1669 /* 1670 * Processes with a real uid of 0 escape any form of accounting, much 1671 * like before. 1672 */ 1673 int 1674 secpolicy_newproc(const cred_t *cr) 1675 { 1676 if (cr->cr_ruid == 0) 1677 return (0); 1678 1679 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1680 } 1681 1682 /* 1683 * Networking 1684 */ 1685 int 1686 secpolicy_net_rawaccess(const cred_t *cr) 1687 { 1688 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1689 } 1690 1691 int 1692 secpolicy_net_observability(const cred_t *cr) 1693 { 1694 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1695 } 1696 1697 /* 1698 * Need this privilege for accessing the ICMP device 1699 */ 1700 int 1701 secpolicy_net_icmpaccess(const cred_t *cr) 1702 { 1703 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1704 } 1705 1706 /* 1707 * There are a few rare cases where the kernel generates ioctls() from 1708 * interrupt context with a credential of kcred rather than NULL. 1709 * In those cases, we take the safe and cheap test. 1710 */ 1711 int 1712 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1713 { 1714 if (checkonly) { 1715 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1716 0 : EPERM); 1717 } else { 1718 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1719 NULL)); 1720 } 1721 } 1722 1723 1724 /* 1725 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1726 * 1727 * There are a few rare cases where the kernel generates ioctls() from 1728 * interrupt context with a credential of kcred rather than NULL. 1729 * In those cases, we take the safe and cheap test. 1730 */ 1731 int 1732 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1733 { 1734 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1735 return (secpolicy_net_config(cr, checkonly)); 1736 1737 if (checkonly) { 1738 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1739 0 : EPERM); 1740 } else { 1741 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1742 NULL)); 1743 } 1744 } 1745 1746 /* 1747 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1748 */ 1749 int 1750 secpolicy_dl_config(const cred_t *cr) 1751 { 1752 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1753 return (secpolicy_net_config(cr, B_FALSE)); 1754 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 1755 } 1756 1757 /* 1758 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 1759 */ 1760 int 1761 secpolicy_iptun_config(const cred_t *cr) 1762 { 1763 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1764 return (secpolicy_net_config(cr, B_FALSE)); 1765 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 1766 return (secpolicy_dl_config(cr)); 1767 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 1768 } 1769 1770 /* 1771 * Map IP pseudo privileges to actual privileges. 1772 * So we don't need to recompile IP when we change the privileges. 1773 */ 1774 int 1775 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1776 { 1777 int priv = PRIV_ALL; 1778 1779 switch (netpriv) { 1780 case OP_CONFIG: 1781 priv = PRIV_SYS_IP_CONFIG; 1782 break; 1783 case OP_RAW: 1784 priv = PRIV_NET_RAWACCESS; 1785 break; 1786 case OP_PRIVPORT: 1787 priv = PRIV_NET_PRIVADDR; 1788 break; 1789 } 1790 ASSERT(priv != PRIV_ALL); 1791 if (checkonly) 1792 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1793 else 1794 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1795 } 1796 1797 /* 1798 * Map network pseudo privileges to actual privileges. 1799 * So we don't need to recompile IP when we change the privileges. 1800 */ 1801 int 1802 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1803 { 1804 int priv = PRIV_ALL; 1805 1806 switch (netpriv) { 1807 case OP_CONFIG: 1808 priv = PRIV_SYS_NET_CONFIG; 1809 break; 1810 case OP_RAW: 1811 priv = PRIV_NET_RAWACCESS; 1812 break; 1813 case OP_PRIVPORT: 1814 priv = PRIV_NET_PRIVADDR; 1815 break; 1816 } 1817 ASSERT(priv != PRIV_ALL); 1818 if (checkonly) 1819 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1820 else 1821 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1822 } 1823 1824 /* 1825 * Checks for operations that are either client-only or are used by 1826 * both clients and servers. 1827 */ 1828 int 1829 secpolicy_nfs(const cred_t *cr) 1830 { 1831 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1832 } 1833 1834 /* 1835 * Special case for opening rpcmod: have NFS privileges or network 1836 * config privileges. 1837 */ 1838 int 1839 secpolicy_rpcmod_open(const cred_t *cr) 1840 { 1841 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1842 return (secpolicy_nfs(cr)); 1843 else 1844 return (secpolicy_net_config(cr, NULL)); 1845 } 1846 1847 int 1848 secpolicy_chroot(const cred_t *cr) 1849 { 1850 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1851 } 1852 1853 int 1854 secpolicy_tasksys(const cred_t *cr) 1855 { 1856 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1857 } 1858 1859 /* 1860 * Basic privilege checks. 1861 */ 1862 int 1863 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 1864 { 1865 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 1866 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1867 } 1868 1869 int 1870 secpolicy_basic_fork(const cred_t *cr) 1871 { 1872 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1873 } 1874 1875 int 1876 secpolicy_basic_proc(const cred_t *cr) 1877 { 1878 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1879 } 1880 1881 /* 1882 * Slightly complicated because we don't want to trigger the policy too 1883 * often. First we shortcircuit access to "self" (tp == sp) or if 1884 * we don't have the privilege but if we have permission 1885 * just return (0) and we don't flag the privilege as needed. 1886 * Else, we test for the privilege because we either have it or need it. 1887 */ 1888 int 1889 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1890 { 1891 if (tp == sp || 1892 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1893 return (0); 1894 } else { 1895 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1896 } 1897 } 1898 1899 int 1900 secpolicy_basic_link(const cred_t *cr) 1901 { 1902 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1903 } 1904 1905 /* 1906 * Additional device protection. 1907 * 1908 * Traditionally, a device has specific permissions on the node in 1909 * the filesystem which govern which devices can be opened by what 1910 * processes. In certain cases, it is desirable to add extra 1911 * restrictions, as writing to certain devices is identical to 1912 * having a complete run of the system. 1913 * 1914 * This mechanism is called the device policy. 1915 * 1916 * When a device is opened, its policy entry is looked up in the 1917 * policy cache and checked. 1918 */ 1919 int 1920 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1921 { 1922 devplcy_t *plcy; 1923 int err; 1924 struct snode *csp = VTOS(common_specvp(vp)); 1925 priv_set_t pset; 1926 1927 mutex_enter(&csp->s_lock); 1928 1929 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1930 plcy = devpolicy_find(vp); 1931 if (csp->s_plcy) 1932 dpfree(csp->s_plcy); 1933 csp->s_plcy = plcy; 1934 ASSERT(plcy != NULL); 1935 } else 1936 plcy = csp->s_plcy; 1937 1938 if (plcy == nullpolicy) { 1939 mutex_exit(&csp->s_lock); 1940 return (0); 1941 } 1942 1943 dphold(plcy); 1944 1945 mutex_exit(&csp->s_lock); 1946 1947 if (oflag & FWRITE) 1948 pset = plcy->dp_wrp; 1949 else 1950 pset = plcy->dp_rdp; 1951 /* 1952 * Special case: 1953 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1954 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1955 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1956 * in the required privilege set before doing the check. 1957 */ 1958 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1959 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1960 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1961 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1962 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1963 } 1964 1965 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1966 dpfree(plcy); 1967 1968 return (err); 1969 } 1970 1971 int 1972 secpolicy_modctl(const cred_t *cr, int cmd) 1973 { 1974 switch (cmd) { 1975 case MODINFO: 1976 case MODGETMAJBIND: 1977 case MODGETPATH: 1978 case MODGETPATHLEN: 1979 case MODGETNAME: 1980 case MODGETFBNAME: 1981 case MODGETDEVPOLICY: 1982 case MODGETDEVPOLICYBYNAME: 1983 case MODDEVT2INSTANCE: 1984 case MODSIZEOF_DEVID: 1985 case MODGETDEVID: 1986 case MODSIZEOF_MINORNAME: 1987 case MODGETMINORNAME: 1988 case MODGETDEVFSPATH_LEN: 1989 case MODGETDEVFSPATH: 1990 case MODGETDEVFSPATH_MI_LEN: 1991 case MODGETDEVFSPATH_MI: 1992 /* Unprivileged */ 1993 return (0); 1994 case MODLOAD: 1995 case MODSETDEVPOLICY: 1996 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1997 default: 1998 return (secpolicy_sys_config(cr, B_FALSE)); 1999 } 2000 } 2001 2002 int 2003 secpolicy_console(const cred_t *cr) 2004 { 2005 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2006 } 2007 2008 int 2009 secpolicy_power_mgmt(const cred_t *cr) 2010 { 2011 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2012 } 2013 2014 /* 2015 * Simulate terminal input; another escalation of privileges avenue. 2016 */ 2017 2018 int 2019 secpolicy_sti(const cred_t *cr) 2020 { 2021 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2022 } 2023 2024 boolean_t 2025 secpolicy_net_reply_equal(const cred_t *cr) 2026 { 2027 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2028 } 2029 2030 int 2031 secpolicy_swapctl(const cred_t *cr) 2032 { 2033 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2034 } 2035 2036 int 2037 secpolicy_cpc_cpu(const cred_t *cr) 2038 { 2039 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2040 } 2041 2042 /* 2043 * secpolicy_contract_identity 2044 * 2045 * Determine if the subject may set the process contract FMRI value 2046 */ 2047 int 2048 secpolicy_contract_identity(const cred_t *cr) 2049 { 2050 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2051 } 2052 2053 /* 2054 * secpolicy_contract_observer 2055 * 2056 * Determine if the subject may observe a specific contract's events. 2057 */ 2058 int 2059 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2060 { 2061 if (contract_owned(ct, cr, B_FALSE)) 2062 return (0); 2063 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2064 } 2065 2066 /* 2067 * secpolicy_contract_observer_choice 2068 * 2069 * Determine if the subject may observe any contract's events. Just 2070 * tests privilege and audits on success. 2071 */ 2072 boolean_t 2073 secpolicy_contract_observer_choice(const cred_t *cr) 2074 { 2075 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2076 } 2077 2078 /* 2079 * secpolicy_contract_event 2080 * 2081 * Determine if the subject may request critical contract events or 2082 * reliable contract event delivery. 2083 */ 2084 int 2085 secpolicy_contract_event(const cred_t *cr) 2086 { 2087 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2088 } 2089 2090 /* 2091 * secpolicy_contract_event_choice 2092 * 2093 * Determine if the subject may retain contract events in its critical 2094 * set when a change in other terms would normally require a change in 2095 * the critical set. Just tests privilege and audits on success. 2096 */ 2097 boolean_t 2098 secpolicy_contract_event_choice(const cred_t *cr) 2099 { 2100 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2101 } 2102 2103 /* 2104 * secpolicy_gart_access 2105 * 2106 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2107 * device. 2108 */ 2109 int 2110 secpolicy_gart_access(const cred_t *cr) 2111 { 2112 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2113 } 2114 2115 /* 2116 * secpolicy_gart_map 2117 * 2118 * Determine if the subject has sufficient priveleges to map aperture range 2119 * through agpgart driver. 2120 */ 2121 int 2122 secpolicy_gart_map(const cred_t *cr) 2123 { 2124 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2125 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2126 NULL)); 2127 } else { 2128 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2129 NULL)); 2130 } 2131 } 2132 2133 /* 2134 * secpolicy_zinject 2135 * 2136 * Determine if the subject can inject faults in the ZFS fault injection 2137 * framework. Requires all privileges. 2138 */ 2139 int 2140 secpolicy_zinject(const cred_t *cr) 2141 { 2142 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2143 } 2144 2145 /* 2146 * secpolicy_zfs 2147 * 2148 * Determine if the subject has permission to manipulate ZFS datasets 2149 * (not pools). Equivalent to the SYS_MOUNT privilege. 2150 */ 2151 int 2152 secpolicy_zfs(const cred_t *cr) 2153 { 2154 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2155 } 2156 2157 /* 2158 * secpolicy_idmap 2159 * 2160 * Determine if the calling process has permissions to register an SID 2161 * mapping daemon and allocate ephemeral IDs. 2162 */ 2163 int 2164 secpolicy_idmap(const cred_t *cr) 2165 { 2166 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2167 } 2168 2169 /* 2170 * secpolicy_ucode_update 2171 * 2172 * Determine if the subject has sufficient privilege to update microcode. 2173 */ 2174 int 2175 secpolicy_ucode_update(const cred_t *scr) 2176 { 2177 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2178 } 2179 2180 /* 2181 * secpolicy_sadopen 2182 * 2183 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2184 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2185 * In global zone, sys_config is required. 2186 * In exclusive-IP zones, sys_ip_config is required. 2187 * Note that sys_config is prohibited in non-global zones. 2188 */ 2189 int 2190 secpolicy_sadopen(const cred_t *credp) 2191 { 2192 priv_set_t pset; 2193 2194 priv_emptyset(&pset); 2195 2196 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2197 priv_addset(&pset, PRIV_SYS_CONFIG); 2198 else 2199 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2200 2201 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2202 } 2203 2204 2205 /* 2206 * Add privileges to a particular privilege set; this is called when the 2207 * current sets of privileges are not sufficient. I.e., we should always 2208 * call the policy override functions from here. 2209 * What we are allowed to have is in the Observed Permitted set; so 2210 * we compute the difference between that and the newset. 2211 */ 2212 int 2213 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2214 { 2215 priv_set_t rqd; 2216 2217 rqd = CR_OPPRIV(cr); 2218 2219 priv_inverse(&rqd); 2220 priv_intersect(nset, &rqd); 2221 2222 return (secpolicy_require_set(cr, &rqd, NULL)); 2223 } 2224 2225 /* 2226 * secpolicy_smb 2227 * 2228 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2229 * that it has permission to access the smbsrv kernel driver. 2230 * PRIV_POLICY checks the privilege and audits the check. 2231 * 2232 * Returns: 2233 * 0 Driver access is allowed. 2234 * EPERM Driver access is NOT permitted. 2235 */ 2236 int 2237 secpolicy_smb(const cred_t *cr) 2238 { 2239 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2240 } 2241 2242 /* 2243 * secpolicy_vscan 2244 * 2245 * Determine if cred_t has the necessary privileges to access a file 2246 * for virus scanning and update its extended system attributes. 2247 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2248 * PRIV_FILE_FLAG_SET - set extended system attributes 2249 * 2250 * PRIV_POLICY checks the privilege and audits the check. 2251 * 2252 * Returns: 2253 * 0 file access for virus scanning allowed. 2254 * EPERM file access for virus scanning is NOT permitted. 2255 */ 2256 int 2257 secpolicy_vscan(const cred_t *cr) 2258 { 2259 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2260 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2261 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2262 return (EPERM); 2263 } 2264 2265 return (0); 2266 } 2267 2268 /* 2269 * secpolicy_smbfs_login 2270 * 2271 * Determines if the caller can add and delete the smbfs login 2272 * password in the the nsmb kernel module for the CIFS client. 2273 * 2274 * Returns: 2275 * 0 access is allowed. 2276 * EPERM access is NOT allowed. 2277 */ 2278 int 2279 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2280 { 2281 uid_t cruid = crgetruid(cr); 2282 2283 if (cruid == uid) 2284 return (0); 2285 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2286 EPERM, NULL)); 2287 } 2288 2289 /* 2290 * secpolicy_xvm_control 2291 * 2292 * Determines if a caller can control the xVM hypervisor and/or running 2293 * domains (x86 specific). 2294 * 2295 * Returns: 2296 * 0 access is allowed. 2297 * EPERM access is NOT allowed. 2298 */ 2299 int 2300 secpolicy_xvm_control(const cred_t *cr) 2301 { 2302 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2303 return (EPERM); 2304 return (0); 2305 } 2306 2307 /* 2308 * secpolicy_ppp_config 2309 * 2310 * Determine if the subject has sufficient privileges to configure PPP and 2311 * PPP-related devices. 2312 */ 2313 int 2314 secpolicy_ppp_config(const cred_t *cr) 2315 { 2316 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2317 return (secpolicy_net_config(cr, B_FALSE)); 2318 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2319 } 2320