/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
INSERT COMMENT
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#
# Privileges can be added to this file at any location, not
# necessarily at the end.  For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.

privilege PRIV_CONTRACT_OBSERVER

	Allows a process to observe contract events generated by
	contracts created and owned by users other than the process's
	effective user ID.
	Allows a process to open contract event endpoints belonging to
	contracts created and owned by users other than the process's
	effective user ID.

privilege PRIV_CPC_CPU

	Allows a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

	Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

	Allows DTrace process-level tracing.
	Allows process-level tracing probes to be placed and enabled in
	processes to which the user has permissions.

privilege PRIV_DTRACE_USER

	Allows DTrace user-level tracing.
	Allows use of the syscall and profile DTrace providers to
	examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

	Allows a process to change a file's owner user ID.
	Allows a process to change a file's group ID to one other than
	the process' effective group ID or one of the process'
	supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

	Allows a process to give away its files; a process with this
	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
	in effect.

privilege PRIV_FILE_DAC_EXECUTE

	Allows a process to execute an executable file whose permission
	bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

	Allows a process to search a directory whose permission bits or
	ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

privilege PRIV_FILE_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that does not dominate the
	existing sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

basic privilege PRIV_FILE_LINK_ANY

	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.

privilege PRIV_FILE_OWNER

	Allows a process which is not the owner of a file or directory
	to perform the following operations that are normally permitted
	only for the file owner: modify that file's access and
	modification times; remove or rename a file or directory whose
	parent directory has the ``save text image after execution''
	(sticky) bit set; mount a ``namefs'' upon a file; modify
	permission bits or ACL except for the set-uid and set-gid
	bits.

privilege PRIV_FILE_SETID

	Allows a process to change the ownership of a file or write to
	a file without the set-user-ID and set-group-ID bits being
	cleared.
	Allows a process to set the set-group-ID bit on a file or
	directory whose group is not the process' effective group or
	one of the process' supplemental groups.
	Allows a process to set the set-user-ID bit on a file with
	different ownership in the presence of PRIV_FILE_OWNER.
	Additional restrictions apply when creating or modifying a
	set-uid 0 file.

privilege PRIV_FILE_UPGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_FILE_FLAG_SET

	Allows a process to set immutable, nounlink or appendonly
	file attributes.

privilege PRIV_GRAPHICS_ACCESS

	Allows a process to make privileged ioctls to graphics devices.
	Typically only the X server process needs to have this privilege.
	A process with this privilege is also allowed to perform
	privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP

	Allows a process to perform privileged mappings through a
	graphics device.

privilege PRIV_IPC_DAC_READ

	Allows a process to read a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process read permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

	Allows a process to write a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process write permission.
	Allows a process to write remote shared memory whose
	permission bits do not allow the process write permission.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

	Allows a process which is not the owner of a System
	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
	remove, change ownership of, or change permission bits of the
	Message Queue, Semaphore Set, or Shared Memory Segment.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_NET_BINDMLP

	Allows a process to bind to a port that is configured as a
	multi-level port (MLP) for the process's zone.  This privilege
	applies to both shared address and zone-specific address MLPs.
	See tnzonecfg(4) from the Trusted Extensions manual pages for
	information on configuring MLP ports.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_ICMPACCESS

	Allows a process to send and receive ICMP packets.

privilege PRIV_NET_MAC_AWARE

	Allows a process to set the NET_MAC_AWARE process flag by using
	setpflags(2).  This privilege also allows a process to set the
	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
	option both allow a local process to communicate with an
	unlabeled peer if the local process' label dominates the
	peer's default label, or if the local process runs in the
	global zone.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_PRIVADDR

	Allows a process to bind to a privileged port
	number.  The privileged port numbers are 1-1023 (the traditional
	UNIX privileged ports) as well as those ports marked as
	"udp/tcp_extra_priv_ports" with the exception of the ports
	reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

	Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

	Allows a process to generate audit records.
	Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

	Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

	Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

	Allows a process to call execve().

basic privilege PRIV_PROC_FORK

	Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO

	Allows a process to examine the status of processes other
	than those it can send signals to.  Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

	Allows a process to lock pages in physical memory.

privilege PRIV_PROC_OWNER

	Allows a process to send signals to other processes and to
	inspect and modify the state of other processes regardless of
	ownership.  When modifying another process, additional
	restrictions apply: the effective privilege set of the
	attaching process must be a superset of the target process'
	effective, permitted and inheritable sets; the limit set must
	be a superset of the target's limit set; if the target process
	has any uid set to 0 all privileges must be asserted unless the
	effective uid is 0.
	Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOCNTL

	Allows a process to elevate its priority above its current level.
	Allows a process to change its scheduling class to any scheduling
	class, including the RT class.

basic privilege PRIV_PROC_SESSION

	Allows a process to send signals or trace processes outside its
	session.

unsafe privilege PRIV_PROC_SETID

	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

	Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

	Allows a process to trace or send signals to processes in
	other zones.

privilege PRIV_SYS_ACCT

	Allows a process to enable, disable and manage accounting through
	acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

	Allows a process to perform system administration tasks such
	as setting node and domain name and specifying nscd and coreadm
	settings.

privilege PRIV_SYS_AUDIT

	Allows a process to start the (kernel) audit daemon.
	Allows a process to view and set audit state (audit user ID,
	audit terminal ID, audit session ID, audit pre-selection mask).
	Allows a process to turn auditing off and on.
	Allows a process to configure the audit parameters (cache and
	queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

	Allows a process to perform various system configuration tasks.
	Allows a process to add and remove swap devices; when adding a swap
	device, a process must also have sufficient privileges to read from
	and write to the swap device.

privilege PRIV_SYS_DEVICES

	Allows a process to successfully call a kernel module that
	calls the kernel drv_priv(9F) function to check for allowed
	access.
	Allows a process to open the real console device directly.
	Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

	Allows a process to increase the size of a System V IPC Message
	Queue buffer.

privilege PRIV_SYS_LINKDIR

	Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

	Allows filesystem specific administrative procedures, such as
	filesystem configuration ioctls, quota calls and creation/deletion
	of snapshots.
	Allows a process to mount and unmount filesystems which would
	otherwise be restricted (i.e., most filesystems except
	namefs).
	A process performing a mount operation needs to have
	appropriate access to the device being mounted (read-write for
	"rw" mounts, read for "ro" mounts).
	A process performing any of the aforementioned
	filesystem operations needs to have read/write/owner
	access to the mount point.
	Only regular files and directories can serve as mount points
	for processes which do not have all zone privileges asserted.
	Unless a process has all zone privileges, the mount(2)
	system call will force the "nosuid" and "restrict" options, the
	latter only for autofs mountpoints.
	Regardless of privileges, a process running in a non-global zone may
	only control mounts performed from within said zone.
	Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_IP_CONFIG

	Allows a process to configure a system's network interfaces and routes.
	Allows a process to configure network parameters using ndd.
	Allows a process access to otherwise restricted information using ndd.
	Allows a process to configure IPsec.
	Allows a process to pop anchored STREAMS modules with matching zoneid.

privilege PRIV_SYS_NET_CONFIG

	Allows all that PRIV_SYS_IP_CONFIG allows.
	Allows a process to push the rpcmod STREAMS module.
	Allows a process to INSERT/REMOVE STREAMS modules on locations other
	than the top of the module stack.

privilege PRIV_SYS_NFS

	Allows a process to perform Sun private NFS specific system calls.
	Allows a process to bind to ports reserved by NFS: port 2049 (nfs)
	and port 4045 (lockd).

privilege PRIV_SYS_RES_CONFIG

	Allows a process to create and delete processor sets, assign
	CPUs to processor sets and override the PSET_NOESCAPE property.
	Allows a process to change the operational status of CPUs in
	the system using p_online(2).
	Allows a process to configure resource pools and to bind
	processes to pools.

unsafe privilege PRIV_SYS_RESOURCE

	Allows a process to modify the resource limits specified
	by setrlimit(2) and setrctl(2) without restriction.
	Allows a process to exceed the per-user maximum number of
	processes.
	Allows a process to extend or create files on a filesystem that
	has less than minfree space in reserve.

privilege PRIV_SYS_SMB

	Allows a process to access the Sun private SMB kernel module.
	Allows a process to bind to ports reserved by NetBIOS and SMB:
	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT

	Allows a process to successfully call a third party loadable module
	that calls the kernel suser() function to check for allowed access.
	This privilege exists only for third party loadable module
	compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

	Allows a process to manipulate system time using any of the
	appropriate system calls: stime, adjtime, ntp_adjtime and
	the IA specific RTC calls.

privilege PRIV_SYS_TRANS_LABEL

	Allows a process to translate labels that are not dominated
	by the process' sensitivity label to and from an external
	string form.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_COLORMAP

	Allows a process to override colormap restrictions.
	Allows a process to install or remove colormaps.
	Allows a process to retrieve colormap cell entries allocated
	by other processes.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_CONFIG

	Allows a process to configure or destroy resources that are
	permanently retained by the X server.
	Allows a process to use SetScreenSaver to set the screen
	saver timeout value.
	Allows a process to use ChangeHosts to modify the display
	access control list.
	Allows a process to use GrabServer.
	Allows a process to use the SetCloseDownMode request which
	may retain window, pixmap, colormap, property, cursor, font,
	or graphic context resources.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DAC_READ

	Allows a process to read from a window resource that it does
	not own (has a different user ID).
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DAC_WRITE

	Allows a process to write to or create a window resource that
	it does not own (has a different user ID).  A newly created
	window property is created with the window's user ID.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DEVICES

	Allows a process to perform operations on window input devices.
	Allows a process to get and set keyboard and pointer controls.
	Allows a process to modify pointer button and key mappings.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DGA

	Allows a process to use the direct graphics access (DGA) X protocol
	extensions.  Direct process access to the frame buffer is still
	required.  Thus the process must have MAC and DAC privileges that
	allow access to the frame buffer, or the frame buffer must be
	allocated to the process.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a window resource
	to a sensitivity label that does not dominate the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_FONTPATH

	Allows a process to set a font path.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_MAC_READ

	Allows a process to read from a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_MAC_WRITE

	Allows a process to create a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	A newly created window property is created with the window's
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_SELECTION

	Allows a process to request inter-window data moves without the
	intervention of the selection confirmer.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_UPGRADE_SL

	Allows a process to set the sensitivity label of a window
	resource to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

set PRIV_EFFECTIVE

	Set of privileges currently in effect.

set PRIV_INHERITABLE

	Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

	Set of privileges that can be put into the effective set without
	restriction.

set PRIV_LIMIT

	Set of privileges that determines the absolute upper bound of
	privileges this process and its offspring can obtain.
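The definition format used throughout this file (a `privilege` or `set` header, optionally flagged `basic` or `unsafe`, followed by an indented description) and the four process privilege sets it closes with are simple enough to work with directly. The following is an added example, not part of this file and not the Solaris privilege generator's own code: a parser for the format, a filter for the basic/unsafe/Trusted-Extensions-only entries, and a check of the containment relations that the set definitions imply (E drawn from P, P and I bounded by L). The header grammar, the non-setuid exec rule modelled in sets_after_exec(), and the sample text are assumptions or constructed input, as marked in the code.

```python
"""Parser for the priv_defs format plus a model of the process privilege sets.

Added example, not part of the original file or of the Solaris privilege
generator.  Assumed grammar: a header line at column 0 of the form

    [basic|unsafe] privilege PRIV_NAME
    set PRIV_NAME

followed by indented description lines; '#' lines and C comments are skipped.
The exec rule in sets_after_exec() is likewise an assumption, not quoted text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(?:(basic|unsafe)\s+)?(privilege|set)\s+(PRIV_[A-Z0-9_]+)\s*$")


@dataclass
class Entry:
    kind: str                      # "privilege" or "set"
    name: str
    flag: str | None               # "basic", "unsafe" or None
    description: list[str] = field(default_factory=list)

    @property
    def text(self) -> str:
        return " ".join(self.description)

    @property
    def trusted_extensions_only(self) -> bool:
        # The file marks such entries with this exact sentence fragment.
        return "configured with Trusted Extensions" in self.text


def parse_priv_defs(src: str) -> dict[str, Entry]:
    """Return entries keyed by name, in file order; reject duplicates."""
    entries: dict[str, Entry] = {}
    current: Entry | None = None
    in_c_comment = False
    for raw in src.splitlines():
        line = raw.rstrip()
        if in_c_comment:                          # inside the /* ... */ header
            in_c_comment = "*/" not in line
            continue
        if line.lstrip().startswith("/*"):
            in_c_comment = "*/" not in line
            continue
        if not line.strip() or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            flag, kind, name = m.groups()
            if name in entries:
                raise ValueError(f"duplicate definition of {name}")
            current = entries[name] = Entry(kind, name, flag)
        elif line[0] in " \t" and current is not None:
            current.description.append(line.strip())
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return entries


def by_flag(entries: dict[str, Entry], flag: str) -> list[str]:
    """Names of privileges carrying the given flag ("basic" or "unsafe")."""
    return [e.name for e in entries.values() if e.kind == "privilege" and e.flag == flag]


def check_sets(E: set, P: set, I: set, L: set) -> list[str]:
    """Invariants implied by the set definitions at the end of the file:
    E may only hold what P permits, and L bounds both P and I."""
    problems = []
    if not E <= P:
        problems.append(f"effective exceeds permitted: {sorted(E - P)}")
    if not P <= L:
        problems.append(f"permitted exceeds limit: {sorted(P - L)}")
    if not I <= L:
        problems.append(f"inheritable exceeds limit: {sorted(I - L)}")
    return problems


def sets_after_exec(I: set, L: set) -> dict[str, set]:
    """Plain (non-setuid) exec: the inheritable set comes into effect,
    clipped by the limit set, which is unchanged.
    Assumed rule: E' = P' = I' = I & L, L' = L."""
    new = I & L
    return {"E": set(new), "P": set(new), "I": set(new), "L": set(L)}


# Constructed sample in the file's own format (a few entries from above).
SAMPLE = """\
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
INSERT COMMENT
 */
#
# comment line
#

privilege PRIV_FILE_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that does not dominate the
	existing sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

basic privilege PRIV_PROC_FORK

	Allows a process to call fork1()/forkall()/vfork().

unsafe privilege PRIV_PROC_SETID

	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

set PRIV_EFFECTIVE

	Set of privileges currently in effect.

set PRIV_LIMIT

	Set of privileges that determines the absolute upper bound of
	privileges this process and its offspring can obtain.
"""

if __name__ == "__main__":
    defs = parse_priv_defs(SAMPLE)
    for e in defs.values():
        print(f"{e.kind:9} {e.name:24} flag={e.flag} TX-only={e.trusted_extensions_only}")
    print(check_sets({"PRIV_PROC_SETID"}, {"PRIV_PROC_FORK"}, set(), {"PRIV_PROC_FORK"}))
```

Run against the real file, by_flag(defs, "basic") yields the set a process keeps by default and by_flag(defs, "unsafe") the ones (PRIV_PROC_AUDIT, PRIV_PROC_SETID, PRIV_SYS_RESOURCE above) that should never be left in a service's limit set without a reason; check_sets() is the same containment test to apply to the E/P/I/L lines of a process before trusting that a privilege drop actually took hold.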