/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
INSERT COMMENT
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#
# Privileges can be added to this file at any location, not
# necessarily at the end. For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.

privilege PRIV_CONTRACT_IDENTITY

	Allows a process to set the service FMRI value of a process
	contract template.

privilege PRIV_CONTRACT_OBSERVER

	Allows a process to observe contract events generated by
	contracts created and owned by users other than the process's
	effective user ID.
	Allows a process to open contract event endpoints belonging to
	contracts created and owned by users other than the process's
	effective user ID.

privilege PRIV_CPC_CPU

	Allows a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

	Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

	Allows DTrace process-level tracing.
	Allows process-level tracing probes to be placed and enabled in
	processes to which the user has permissions.

privilege PRIV_DTRACE_USER

	Allows DTrace user-level tracing.
	Allows use of the syscall and profile DTrace providers to
	examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

	Allows a process to change a file's owner user ID.
	Allows a process to change a file's group ID to one other than
	the process' effective group ID or one of the process'
	supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

	Allows a process to give away its files; a process with this
	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
	in effect.

privilege PRIV_FILE_DAC_EXECUTE

	Allows a process to execute an executable file whose permission
	bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

	Allows a process to search a directory whose permission bits or
	ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

privilege PRIV_FILE_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that does not dominate the
	existing sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

basic privilege PRIV_FILE_LINK_ANY

	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.

privilege PRIV_FILE_OWNER

	Allows a process which is not the owner of a file or directory
	to perform the following operations that are normally permitted
	only for the file owner: modify that file's access and
	modification times; remove or rename a file or directory whose
	parent directory has the ``save text image after execution''
	(sticky) bit set; mount a ``namefs'' upon a file; modify
	permission bits or ACL except for the set-uid and set-gid
	bits.

privilege PRIV_FILE_SETID

	Allows a process to change the ownership of a file or write to
	a file without the set-user-ID and set-group-ID bits being
	cleared.
	Allows a process to set the set-group-ID bit on a file or
	directory whose group is not the process' effective group or
	one of the process' supplemental groups.
	Allows a process to set the set-user-ID bit on a file with
	different ownership in the presence of PRIV_FILE_OWNER.
	Additional restrictions apply when creating or modifying a
	set-uid 0 file.

privilege PRIV_FILE_UPGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_FILE_FLAG_SET

	Allows a process to set immutable, nounlink or appendonly
	file attributes.

privilege PRIV_GRAPHICS_ACCESS

	Allows a process to make privileged ioctls to graphics devices.
	Typically only the X server process needs to have this privilege.
	A process with this privilege is also allowed to perform
	privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP

	Allows a process to perform privileged mappings through a
	graphics device.

privilege PRIV_IPC_DAC_READ

	Allows a process to read a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process read permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

	Allows a process to write a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process write permission.
	Allows a process to write remote shared memory whose
	permission bits do not allow the process write permission.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

	Allows a process which is not the owner of a System
	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
	remove, change ownership of, or change permission bits of the
	Message Queue, Semaphore Set, or Shared Memory Segment.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_NET_BINDMLP

	Allows a process to bind to a port that is configured as a
	multi-level port (MLP) for the process's zone. This privilege
	applies to both shared address and zone-specific address MLPs.
	See tnzonecfg(4) from the Trusted Extensions manual pages for
	information on configuring MLP ports.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_ICMPACCESS

	Allows a process to send and receive ICMP packets.

privilege PRIV_NET_MAC_AWARE

	Allows a process to set the NET_MAC_AWARE process flag by using
	setpflags(2). This privilege also allows a process to set the
	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
	option both allow a local process to communicate with an
	unlabeled peer if the local process' label dominates the
	peer's default label, or if the local process runs in the
	global zone.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_PRIVADDR

	Allows a process to bind to a privileged port
	number. The privileged port numbers are 1-1023 (the traditional
	UNIX privileged ports) as well as those ports marked as
	"udp/tcp_extra_priv_ports" with the exception of the ports
	reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

	Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

	Allows a process to generate audit records.
	Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

	Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

	Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

	Allows a process to call execve().

basic privilege PRIV_PROC_FORK

	Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO

	Allows a process to examine the status of processes other
	than those it can send signals to. Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

	Allows a process to lock pages in physical memory.

privilege PRIV_PROC_OWNER

	Allows a process to send signals to other processes, and to
	inspect and modify the state of other processes, regardless of
	ownership. When modifying another process, additional
	restrictions apply: the effective privilege set of the
	attaching process must be a superset of the target process'
	effective, permitted and inheritable sets; the limit set must
	be a superset of the target's limit set; if the target process
	has any uid set to 0 all privileges must be asserted unless the
	effective uid is 0.
	Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOCNTL

	Allows a process to elevate its priority above its current level.
	Allows a process to change its scheduling class to any scheduling class,
	including the RT class.

basic privilege PRIV_PROC_SESSION

	Allows a process to send signals or trace processes outside its
	session.

unsafe privilege PRIV_PROC_SETID

	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

	Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

	Allows a process to trace or send signals to processes in
	other zones.

privilege PRIV_SYS_ACCT

	Allows a process to enable, disable and manage accounting through
	acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

	Allows a process to perform system administration tasks such
	as setting node and domain name and specifying nscd and coreadm
	settings.

privilege PRIV_SYS_AUDIT

	Allows a process to start the (kernel) audit daemon.
	Allows a process to view and set audit state (audit user ID,
	audit terminal ID, audit session ID, audit pre-selection mask).
	Allows a process to turn off and on auditing.
	Allows a process to configure the audit parameters (cache and
	queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

	Allows a process to perform various system configuration tasks.
	Allows a process to add and remove swap devices; when adding a swap
	device, a process must also have sufficient privileges to read from
	and write to the swap device.

privilege PRIV_SYS_DEVICES

	Allows a process to successfully call a kernel module that
	calls the kernel drv_priv(9F) function to check for allowed
	access.
	Allows a process to open the real console device directly.
	Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

	Allows a process to increase the size of a System V IPC Message
	Queue buffer.

privilege PRIV_SYS_LINKDIR

	Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

	Allows filesystem specific administrative procedures, such as
	filesystem configuration ioctls, quota calls and creation/deletion
	of snapshots.
	Allows a process to mount and unmount filesystems which would
	otherwise be restricted (i.e., most filesystems except
	namefs).
	A process performing a mount operation needs to have
	appropriate access to the device being mounted (read-write for
	"rw" mounts, read for "ro" mounts).
	A process performing any of the aforementioned
	filesystem operations needs to have read/write/owner
	access to the mount point.
	Only regular files and directories can serve as mount points
	for processes which do not have all zone privileges asserted.
	Unless a process has all zone privileges, the mount(2)
	system call will force the "nosuid" and "restrict" options, the
	latter only for autofs mountpoints.
	Regardless of privileges, a process running in a non-global zone may
	only control mounts performed from within said zone.
	Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_IP_CONFIG

	Allows a process to configure a system's network interfaces and routes.
	Allows a process to configure network parameters using ndd.
	Allows a process access to otherwise restricted information using ndd.
	Allows a process to configure IPsec.
	Allows a process to pop anchored STREAMs modules with matching zoneid.

privilege PRIV_SYS_NET_CONFIG

	Allows all that PRIV_SYS_IP_CONFIG allows.
	Allows a process to push the rpcmod STREAMs module.
	Allows a process to INSERT/REMOVE STREAMs modules on locations other
	than the top of the module stack.

privilege PRIV_SYS_NFS

	Allows a process to perform Sun private NFS specific system calls.
	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
	and port 4045 (lockd).

privilege PRIV_SYS_RES_CONFIG

	Allows a process to create and delete processor sets, assign
	CPUs to processor sets and override the PSET_NOESCAPE property.
	Allows a process to change the operational status of CPUs in
	the system using p_online(2).
	Allows a process to configure resource pools and to bind
	processes to pools.

unsafe privilege PRIV_SYS_RESOURCE

	Allows a process to modify the resource limits specified
	by setrlimit(2) and setrctl(2) without restriction.
	Allows a process to exceed the per-user maximum number of
	processes.
	Allows a process to extend or create files on a filesystem that
	has less than minfree space in reserve.

privilege PRIV_SYS_SMB

	Allows a process to access the Sun private SMB kernel module.
	Allows a process to bind to ports reserved by NetBIOS and SMB:
	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT

	Allows a process to successfully call a third party loadable module
	that calls the kernel suser() function to check for allowed access.
	This privilege exists only for third party loadable module
	compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

	Allows a process to manipulate system time using any of the
	appropriate system calls: stime, adjtime, ntp_adjtime and
	the IA specific RTC calls.

privilege PRIV_SYS_TRANS_LABEL

	Allows a process to translate labels that are not dominated
	by the process' sensitivity label to and from an external
	string form.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_VIRT_MANAGE

	Allows a process to manage virtualized environments such as
	xVM(5).

privilege PRIV_WIN_COLORMAP

	Allows a process to override colormap restrictions.
	Allows a process to install or remove colormaps.
	Allows a process to retrieve colormap cell entries allocated
	by other processes.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_CONFIG

	Allows a process to configure or destroy resources that are
	permanently retained by the X server.
	Allows a process to use SetScreenSaver to set the screen
	saver timeout value.
	Allows a process to use ChangeHosts to modify the display
	access control list.
	Allows a process to use GrabServer.
	Allows a process to use the SetCloseDownMode request which
	may retain window, pixmap, colormap, property, cursor, font,
	or graphic context resources.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DAC_READ

	Allows a process to read from a window resource that it does
	not own (has a different user ID).
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DAC_WRITE

	Allows a process to write to or create a window resource that
	it does not own (has a different user ID). A newly created
	window property is created with the window's user ID.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DEVICES

	Allows a process to perform operations on window input devices.
	Allows a process to get and set keyboard and pointer controls.
	Allows a process to modify pointer button and key mappings.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DGA

	Allows a process to use the direct graphics access (DGA) X protocol
	extensions. Direct process access to the frame buffer is still
	required. Thus the process must have MAC and DAC privileges that
	allow access to the frame buffer, or the frame buffer must be
	allocated to the process.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a window resource
	to a sensitivity label that does not dominate the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_FONTPATH

	Allows a process to set a font path.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_MAC_READ

	Allows a process to read from a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_MAC_WRITE

	Allows a process to create a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	A newly created window property is created with the window's
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_SELECTION

	Allows a process to request inter-window data moves without the
	intervention of the selection confirmer.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_UPGRADE_SL

	Allows a process to set the sensitivity label of a window
	resource to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_XVM_CONTROL

	Allows a process access to the xVM(5) control devices for
	managing guest domains and the hypervisor. This privilege is
	used only if booted into xVM on x86 platforms.

set PRIV_EFFECTIVE

	Set of privileges currently in effect.

set PRIV_INHERITABLE

	Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

	Set of privileges that can be put into the effective set without
	restriction.

set PRIV_LIMIT

	Set of privileges that determines the absolute upper bound of
	privileges this process and its offspring can obtain.
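The following is an added example and not code from priv_defs or from the Solaris kernel: a small user-space C model of the four privilege sets defined above (PRIV_EFFECTIVE, PRIV_INHERITABLE, PRIV_PERMITTED, PRIV_LIMIT) together with the attach rule this file states in prose under PRIV_PROC_OWNER. Privileges are bits in a mask and only a few of the names listed above are modelled. Where this file is silent the model follows the privileges(5)/setppriv(2) rules as the author of the example understands them: P and L can only shrink, I can gain only privileges present in P, and exec makes E = P = I with I bounded by L. The notion of "owning" a target process (all of its uids equal the caller's effective uid), the type privmask_t and the functions cred_* and daemon_lockdown are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

typedef uint64_t privmask_t;	/* one bit per modelled privilege */

enum {
	PRIV_PROC_FORK     = 1u << 0,
	PRIV_PROC_EXEC     = 1u << 1,
	PRIV_PROC_INFO     = 1u << 2,
	PRIV_PROC_SESSION  = 1u << 3,
	PRIV_FILE_LINK_ANY = 1u << 4,
	PRIV_FILE_DAC_READ = 1u << 5,
	PRIV_NET_PRIVADDR  = 1u << 6,
	PRIV_PROC_OWNER    = 1u << 7,
	PRIV_PROC_SETID    = 1u << 8,
	PRIV_ALL           = (1u << 9) - 1,	/* "all privileges" in this model */
	PRIV_BASIC         = PRIV_PROC_FORK | PRIV_PROC_EXEC | PRIV_PROC_INFO |
			     PRIV_PROC_SESSION | PRIV_FILE_LINK_ANY
};

struct cred {
	privmask_t e, p, i, l;		/* effective, permitted, inheritable, limit */
	uid_t uid, euid, suid;
};

static bool subset(privmask_t a, privmask_t b) { return (a & ~b) == 0; }

/* P can only shrink, and whatever leaves P leaves E with it. */
void cred_drop_permitted(struct cred *c, privmask_t drop)
{
	c->p &= ~drop;
	c->e &= ~drop;
}

/* I may drop anything but gain only privileges held in P; it stays within L. */
bool cred_set_inheritable(struct cred *c, privmask_t i)
{
	if (!subset(i, c->i | c->p) || !subset(i, c->l))
		return false;
	c->i = i;
	return true;
}

/* L can only shrink; it bounds I at once and E/P from the next exec on. */
bool cred_set_limit(struct cred *c, privmask_t l)
{
	if (!subset(l, c->l))
		return false;
	c->l = l;
	c->i &= l;
	return true;
}

/* exec: the new image runs with E = P = I, I having been bounded by L. */
void cred_exec(struct cred *c) { c->i &= c->l; c->e = c->p = c->i; }

/*
 * PRIV_PROC_OWNER rule as stated in this file: the controller's E must cover
 * the target's E, P and I, its L must cover the target's L, and a target with
 * any uid 0 needs all privileges asserted unless the controller's euid is 0.
 * Owning the target (all of its uids equal our euid, a model assumption) is
 * the one case in which PRIV_PROC_OWNER itself is not needed.
 */
bool cred_can_control(const struct cred *c, const struct cred *t)
{
	bool owns = t->uid == c->euid && t->euid == c->euid && t->suid == c->euid;

	if (!owns && !(c->e & PRIV_PROC_OWNER))
		return false;
	if (!subset(t->e | t->p | t->i, c->e) || !subset(t->l, c->l))
		return false;
	if ((t->uid == 0 || t->euid == 0 || t->suid == 0) &&
	    c->euid != 0 && c->e != PRIV_ALL)
		return false;
	return true;
}

/*
 * Worked case: a service needing only PRIV_NET_PRIVADDR keeps it plus the
 * basic set, drops the rest from P and removes fork/exec from L.  Returns
 * the E a child image would get: with I untouched the child regains all
 * that L still allows, so a real lockdown trims I as well as P.
 */
privmask_t daemon_lockdown(struct cred *c, bool trim_inheritable)
{
	privmask_t keep = PRIV_BASIC | PRIV_NET_PRIVADDR;
	struct cred child;

	cred_drop_permitted(c, PRIV_ALL & ~keep);
	if (trim_inheritable)
		(void) cred_set_inheritable(c, keep);
	(void) cred_set_limit(c, PRIV_ALL & ~(PRIV_PROC_FORK | PRIV_PROC_EXEC));
	child = *c;
	cred_exec(&child);
	return child.e;
}

int main(void)
{
	struct cred a = { PRIV_ALL, PRIV_ALL, PRIV_ALL, PRIV_ALL, 0, 0, 0 }, b = a;
	printf("child E: P trimmed only %#llx, I trimmed too %#llx\n",
	    (unsigned long long)daemon_lockdown(&a, false),
	    (unsigned long long)daemon_lockdown(&b, true));
	return 0;
}
```

The daemon_lockdown case is the point behind PRIV_INHERITABLE and PRIV_LIMIT: dropping privileges from P alone leaves I untouched, so the next exec hands the child everything L still allows, while trimming I as well (the effect of setting E, I and P together, as ppriv -s EIP= does) keeps the reduction across exec. The limit set is the only set that also constrains the process's descendants, which is why the fork/exec removal is applied to L.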