xref: /titanic_44/usr/src/uts/common/os/policy.c (revision 0398691684c2596072212e4ca9d7033ad7ccfa54)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/cred_impl.h>
33 #include <sys/vnode.h>
34 #include <sys/vfs.h>
35 #include <sys/stat.h>
36 #include <sys/errno.h>
37 #include <sys/kmem.h>
38 #include <sys/user.h>
39 #include <sys/proc.h>
40 #include <sys/acct.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/cmn_err.h>
43 #include <sys/debug.h>
44 #include <sys/policy.h>
45 #include <sys/kobj.h>
46 #include <sys/msg.h>
47 #include <sys/devpolicy.h>
48 #include <c2/audit.h>
49 #include <sys/varargs.h>
50 #include <sys/modctl.h>
51 #include <sys/disp.h>
52 #include <sys/zone.h>
53 #include <inet/optcom.h>
54 #include <sys/sdt.h>
55 #include <sys/vfs.h>
56 #include <sys/mntent.h>
57 #include <sys/contract_impl.h>
58 
59 /*
60  * There are two possible layers of privilege routines and two possible
61  * levels of secpolicy.  Plus one other we may not be interested in, so
62  * we may need as many as 6 but no more.
63  */
64 #define	MAXPRIVSTACK		6
65 
66 int priv_debug = 0;
67 
68 /*
69  * This file contains the majority of the policy routines.
70  * Since the policy routines are defined by function and not
71  * by privilege, there is quite a bit of duplication of
72  * functions.
73  *
74  * The secpolicy functions must not make asssumptions about
75  * locks held or not held as any lock can be held while they're
76  * being called.
77  *
78  * Credentials are read-only so no special precautions need to
79  * be taken while locking them.
80  *
81  * When a new policy check needs to be added to the system the
82  * following procedure should be followed:
83  *
84  *		Pick an appropriate secpolicy_*() function
85  *			-> done if one exists.
86  *		Create a new secpolicy function, preferably with
87  *		a descriptive name using the standard template.
88  *		Pick an appropriate privilege for the policy.
89  *		If no appropraite privilege exists, define new one
90  *		(this should be done with extreme care; in most cases
91  *		little is gained by adding another privilege)
92  *
93  * WHY ROOT IS STILL SPECIAL.
94  *
95  * In a number of the policy functions, there are still explicit
96  * checks for uid 0.  The rationale behind these is that many root
97  * owned files/objects hold configuration information which can give full
98  * privileges to the user once written to.  To prevent escalation
99  * of privilege by allowing just a single privilege to modify root owned
100  * objects, we've added these root specific checks where we considered
101  * them necessary: modifying root owned files, changing uids to 0, etc.
102  *
103  * PRIVILEGE ESCALATION AND ZONES.
104  *
105  * A number of operations potentially allow the caller to achieve
106  * privileges beyond the ones normally required to perform the operation.
107  * For example, if allowed to create a setuid 0 executable, a process can
108  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
109  * restrictions on the ability to gain privileges beyond those available
110  * within the zone through file and process manipulation.  Hence, such
111  * operations require that the caller have an effective set that includes
112  * all privileges available within the current zone, or all privileges
113  * if executing in the global zone.
114  *
115  * This is indicated in the priv_policy* policy checking functions
116  * through a combination of parameters.  The "priv" parameter indicates
117  * the privilege that is required, and the "allzone" parameter indicates
118  * whether or not all privileges in the zone are required.  In addition,
119  * priv can be set to PRIV_ALL to indicate that all privileges are
120  * required (regardless of zone).  There are three scenarios of interest:
121  * (1) operation requires a specific privilege
122  * (2) operation requires a specific privilege, and requires all
123  *     privileges available within the zone (or all privileges if in
124  *     the global zone)
125  * (3) operation requires all privileges, regardless of zone
126  *
127  * For (1), priv should be set to the specific privilege, and allzone
128  * should be set to B_FALSE.
129  * For (2), priv should be set to the specific privilege, and allzone
130  * should be set to B_TRUE.
131  * For (3), priv should be set to PRIV_ALL, and allzone should be set
132  * to B_FALSE.
133  *
134  */
135 
136 /*
137  * The privileges are checked against the Effective set for
138  * ordinary processes and checked against the Limit set
139  * for euid 0 processes that haven't manipulated their privilege
140  * sets.
141  */
142 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
143 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
144 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
145 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
146 					HAS_ALLPRIVS(cr) : \
147 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
148 
149 /*
150  * Policy checking functions
151  *
152  * In future, these will migrate to several files when policy
153  * becomes more or less pluggable.
154  *
155  * For now, there's only one policy and this is it.
156  */
157 
158 /*
159  * Generic policy calls
160  *
161  * The "bottom" functions of policy control
162  */
163 
164 static char *
165 mprintf(const char *fmt, ...)
166 {
167 	va_list args;
168 	char *buf;
169 	size_t len;
170 
171 	va_start(args, fmt);
172 	len = vsnprintf(NULL, 0, fmt, args) + 1;
173 	va_end(args);
174 
175 	buf = kmem_alloc(len, KM_NOSLEEP);
176 
177 	if (buf == NULL)
178 		return (NULL);
179 
180 	va_start(args, fmt);
181 	(void) vsnprintf(buf, len, fmt, args);
182 	va_end(args);
183 
184 	return (buf);
185 }
186 
187 /*
188  * priv_policy_errmsg()
189  *
190  * Generate an error message if privilege debugging is enabled system wide
191  * or for this particular process.
192  */
193 
194 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
195 #define	FMTMSG	" for \"%s\""
196 #define	FMTFUN	" needed at %s+0x%lx"
197 
198 /* The maximum size privilege format: the concatenation of the above */
199 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
200 
201 static void
202 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
203 {
204 	struct proc *me;
205 	pc_t stack[MAXPRIVSTACK];
206 	int depth;
207 	int i;
208 	char *sym;
209 	ulong_t off;
210 	const char *pname;
211 
212 	char *cmd;
213 	char fmt[sizeof (FMTMAX)];
214 
215 	if ((me = curproc) == &p0)
216 		return;
217 
218 	/* Privileges must be defined  */
219 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
220 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
221 	    priv_getbynum(priv) != NULL);
222 
223 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
224 		priv = PRIV_ALL;
225 
226 	if (curthread->t_pre_sys)
227 		ttolwp(curthread)->lwp_badpriv = (short)priv;
228 
229 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
230 		return;
231 
232 	(void) strcpy(fmt, FMTHDR);
233 
234 	if (me->p_user.u_comm[0])
235 		cmd = &me->p_user.u_comm[0];
236 	else
237 		cmd = "priv_policy";
238 
239 	if (msg != NULL && *msg != '\0') {
240 		(void) strcat(fmt, FMTMSG);
241 	} else {
242 		(void) strcat(fmt, "%s");
243 		msg = "";
244 	}
245 
246 	sym = NULL;
247 
248 	depth = getpcstack(stack, MAXPRIVSTACK);
249 
250 	/*
251 	 * Try to find the first interesting function on the stack.
252 	 * priv_policy* that's us, so completely uninteresting.
253 	 * suser(), drv_priv(), secpolicy_* are also called from
254 	 * too many locations to convey useful information.
255 	 */
256 	for (i = 0; i < depth; i++) {
257 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
258 		if (sym != NULL &&
259 		    strstr(sym, "hasprocperm") == 0 &&
260 		    strcmp("suser", sym) != 0 &&
261 		    strcmp("ipcaccess", sym) != 0 &&
262 		    strcmp("drv_priv", sym) != 0 &&
263 		    strncmp("secpolicy_", sym, 10) != 0 &&
264 		    strncmp("priv_policy", sym, 11) != 0)
265 			break;
266 	}
267 
268 	if (sym != NULL)
269 		(void) strcat(fmt, FMTFUN);
270 
271 	(void) strcat(fmt, "\n");
272 
273 	switch (priv) {
274 	case PRIV_ALL:
275 		pname = "ALL";
276 		break;
277 	case PRIV_MULTIPLE:
278 		pname = "MULTIPLE";
279 		break;
280 	case PRIV_ALLZONE:
281 		pname = "ZONE";
282 		break;
283 	case PRIV_GLOBAL:
284 		pname = "GLOBAL";
285 		break;
286 	default:
287 		pname = priv_getbynum(priv);
288 		break;
289 	}
290 
291 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
292 		/* Remember last message, just like lwp_badpriv. */
293 		if (curthread->t_pdmsg != NULL) {
294 			kmem_free(curthread->t_pdmsg,
295 			    strlen(curthread->t_pdmsg) + 1);
296 		}
297 
298 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
299 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
300 
301 		curthread->t_post_sys = 1;
302 	} else {
303 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
304 		    curthread->t_sysnum, msg, sym, off);
305 	}
306 }
307 
308 /*
309  * Audit failure, log error message.
310  */
311 static void
312 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
313 {
314 
315 #ifdef C2_AUDIT
316 	if (audit_active)
317 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
318 #endif
319 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
320 
321 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
322 	    curthread->t_pre_sys) {
323 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
324 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
325 		} else {
326 			ASSERT(!HAS_PRIVILEGE(cr, priv));
327 			priv_policy_errmsg(cr, priv, msg);
328 		}
329 	}
330 }
331 
332 /*
333  * priv_policy()
334  * return 0 or error.
335  * See block comment above for a description of "priv" and "allzone" usage.
336  */
337 int
338 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
339     const char *msg)
340 {
341 	if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) {
342 		if ((allzone || priv == PRIV_ALL ||
343 		    !PRIV_ISASSERT(priv_basic, priv)) &&
344 		    !servicing_interrupt()) {
345 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
346 #ifdef C2_AUDIT
347 			if (audit_active)
348 				audit_priv(priv,
349 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
350 #endif
351 		}
352 		err = 0;
353 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
354 	} else if (!servicing_interrupt()) {
355 		/* Failure audited in this procedure */
356 		priv_policy_err(cr, priv, allzone, msg);
357 	}
358 
359 	return (err);
360 }
361 
362 /*
363  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
364  */
365 boolean_t
366 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
367 {
368 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
369 	    (!allzone || HAS_ALLZONEPRIVS(cr));
370 
371 #ifdef C2_AUDIT
372 	/* Audit success only */
373 	if (res && audit_active &&
374 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
375 	    !servicing_interrupt()) {
376 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
377 	}
378 #endif
379 	if (res) {
380 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
381 	} else {
382 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
383 	}
384 	return (res);
385 }
386 
387 /*
388  * Non-auditing variant of priv_policy_choice().
389  */
390 boolean_t
391 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
392 {
393 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
394 	    (!allzone || HAS_ALLZONEPRIVS(cr));
395 
396 	if (res) {
397 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
398 	} else {
399 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
400 	}
401 	return (res);
402 }
403 
404 /*
405  * Check whether all privileges in the required set are present.
406  */
407 static int
408 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
409 {
410 	int priv;
411 	int pfound = -1;
412 	priv_set_t pset;
413 
414 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
415 	    &CR_OEPRIV(cr))) {
416 		return (0);
417 	}
418 
419 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
420 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
421 		return (EACCES);
422 	}
423 
424 	pset = CR_OEPRIV(cr);		/* present privileges */
425 	priv_inverse(&pset);		/* all non present privileges */
426 	priv_intersect(req, &pset);	/* the actual missing privs */
427 
428 #ifdef C2_AUDIT
429 	if (audit_active)
430 		audit_priv(PRIV_NONE, &pset, 0);
431 #endif
432 	/*
433 	 * Privilege debugging; special case "one privilege in set".
434 	 */
435 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
436 		for (priv = 0; priv < nprivs; priv++) {
437 			if (priv_ismember(&pset, priv)) {
438 				if (pfound != -1) {
439 					/* Multiple missing privs */
440 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
441 					    msg);
442 					return (EACCES);
443 				}
444 				pfound = priv;
445 			}
446 		}
447 		ASSERT(pfound != -1);
448 		/* Just the one missing privilege */
449 		priv_policy_errmsg(cr, pfound, msg);
450 	}
451 
452 	return (EACCES);
453 }
454 
455 /*
456  * Called when an operation requires that the caller be in the
457  * global zone, regardless of privilege.
458  */
459 static int
460 priv_policy_global(const cred_t *cr)
461 {
462 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
463 		return (0);	/* success */
464 
465 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
466 	    curthread->t_pre_sys) {
467 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
468 	}
469 	return (EPERM);
470 }
471 
472 /*
473  * Changing process priority
474  */
475 int
476 secpolicy_setpriority(const cred_t *cr)
477 {
478 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
479 }
480 
481 /*
482  * Binding to a privileged port, port must be specified in host byte
483  * order.
484  */
485 int
486 secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
487 {
488 	/*
489 	 * NFS ports, these are extra privileged ports, allow bind
490 	 * only if the SYS_NFS privilege is present.
491 	 */
492 	if (port == 2049 || port == 4045)
493 		return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES,
494 		    "NFS port"));
495 	else
496 		return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES,
497 		    NULL));
498 }
499 
500 /*
501  * Binding to a multilevel port on a trusted (labeled) system.
502  */
503 int
504 secpolicy_net_bindmlp(const cred_t *cr)
505 {
506 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES,
507 	    NULL));
508 }
509 
510 /*
511  * Allow a communication between a zone and an unlabeled host when their
512  * labels don't match.
513  */
514 int
515 secpolicy_net_mac_aware(const cred_t *cr)
516 {
517 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES,
518 	    NULL));
519 }
520 
521 /*
522  * Common routine which determines whether a given credential can
523  * act on a given mount.
524  * When called through mount, the parameter needoptcheck is a pointer
525  * to a boolean variable which will be set to either true or false,
526  * depending on whether the mount policy should change the mount options.
527  * In all other cases, needoptcheck should be a NULL pointer.
528  */
529 static int
530 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
531     boolean_t *needoptcheck)
532 {
533 	boolean_t allzone = B_FALSE;
534 	boolean_t mounting = needoptcheck != NULL;
535 
536 	/*
537 	 * Short circuit the following cases:
538 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
539 	 *	have all privileges - no further checks required
540 	 *	and no mount options need to be set.
541 	 */
542 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
543 		if (mounting)
544 			*needoptcheck = B_FALSE;
545 
546 		return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
547 	}
548 
549 	/*
550 	 * When operating on an existing mount (either we're not mounting
551 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
552 	 * can operate only on mounts established by the zone itself.
553 	 */
554 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
555 		zoneid_t zoneid = crgetzoneid(cr);
556 
557 		if (zoneid != GLOBAL_ZONEID &&
558 		    vfsp->vfs_zone->zone_id != zoneid) {
559 			return (EPERM);
560 		}
561 	}
562 
563 	if (mounting)
564 		*needoptcheck = B_TRUE;
565 
566 	/*
567 	 * Overlay mounts may hide important stuff; if you can't write to a
568 	 * mount point but would be able to mount on top of it, you can
569 	 * escalate your privileges.
570 	 * So we go about asking the same questions namefs does when it
571 	 * decides whether you can mount over a file or not but with the
572 	 * added restriction that you can only mount on top of a regular
573 	 * file or directory.
574 	 * If we have all the zone's privileges, we skip all other checks,
575 	 * or else we may actually get in trouble inside the automounter.
576 	 */
577 	if ((mvp->v_flag & VROOT) != 0 ||
578 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
579 	    HAS_ALLZONEPRIVS(cr)) {
580 		allzone = B_TRUE;
581 	} else {
582 		vattr_t va;
583 		int err;
584 
585 		va.va_mask = AT_UID|AT_MODE;
586 		err = VOP_GETATTR(mvp, &va, 0, cr);
587 		if (err != 0)
588 			return (err);
589 
590 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
591 			return (err);
592 
593 		if ((va.va_mode & VWRITE) == 0 &&
594 		    secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) {
595 			return (EACCES);
596 		}
597 	}
598 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
599 }
600 
601 void
602 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
603 {
604 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
605 
606 	/*
607 	 * check; if we don't have either "nosuid" or
608 	 * both "nosetuid" and "nodevices", then we add
609 	 * "nosuid"; this depends on how the current
610 	 * implementation works (it first checks nosuid).  In a
611 	 * zone, a user with all zone privileges can mount with
612 	 * "setuid" but never with "devices".
613 	 */
614 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
615 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
616 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
617 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
618 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
619 		else
620 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
621 	}
622 	/*
623 	 * If we're not the local super user, we set the "restrict"
624 	 * option to indicate to automountd that this mount should
625 	 * be handled with care.
626 	 */
627 	if (!amsuper)
628 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
629 
630 }
631 
632 extern vnode_t *rootvp;
633 extern vfs_t *rootvfs;
634 
635 int
636 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
637 {
638 	boolean_t needoptchk;
639 	int error;
640 
641 	/*
642 	 * If it's a remount, get the underlying mount point,
643 	 * except for the root where we use the rootvp.
644 	 */
645 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
646 		if (vfsp == rootvfs)
647 			mvp = rootvp;
648 		else
649 			mvp = vfsp->vfs_vnodecovered;
650 	}
651 
652 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
653 
654 	if (error == 0 && needoptchk) {
655 		secpolicy_fs_mount_clearopts(cr, vfsp);
656 	}
657 
658 	return (error);
659 }
660 
661 /*
662  * Does the policy computations for "ownership" of a mount;
663  * here ownership is defined as the ability to "mount"
664  * the filesystem originally.  The rootvfs doesn't cover any
665  * vnodes; we attribute its ownership to the rootvp.
666  */
667 static int
668 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
669 {
670 	vnode_t *mvp;
671 
672 	if (vfsp == NULL)
673 		mvp = NULL;
674 	else if (vfsp == rootvfs)
675 		mvp = rootvp;
676 	else
677 		mvp = vfsp->vfs_vnodecovered;
678 
679 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
680 }
681 
682 int
683 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
684 {
685 	return (secpolicy_fs_owner(cr, vfsp));
686 }
687 
688 /*
689  * Quotas are a resource, but if one has the ability to mount a filesystem, he
690  * should be able to modify quotas on it.
691  */
692 int
693 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
694 {
695 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
696 }
697 
698 /*
699  * Exceeding minfree: also a per-mount resource constraint.
700  */
701 int
702 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
703 {
704 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
705 }
706 
707 int
708 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
709 {
710 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
711 }
712 
713 /* ARGSUSED */
714 int
715 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
716 {
717 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
718 }
719 
720 /*
721  * Name:        secpolicy_vnode_access()
722  *
723  * Parameters:  Process credential
724  *		vnode
725  *		uid of owner of vnode
726  *		permission bits not granted to the caller when examining
727  *		file mode bits (i.e., when a process wants to open a
728  *		mode 444 file for VREAD|VWRITE, this function should be
729  *		called only with a VWRITE argument).
730  *
731  * Normal:      Verifies that cred has the appropriate privileges to
732  *              override the mode bits that were denied.
733  *
734  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
735  *                      not a directory.
736  *              file_dac_read - if VREAD bit was denied.
737  *              file_dac_search - if VEXEC bit was denied and vnode is
738  *                      a directory.
739  *              file_dac_write - if VWRITE bit was denied.
740  *
741  *		Root owned files are special cased to protect system
742  *		configuration files and such.
743  *
744  * Output:      EACCES - if privilege check fails.
745  */
746 
747 /* ARGSUSED */
748 int
749 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
750 {
751 	if ((mode & VREAD) &&
752 	    PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0)
753 		return (EACCES);
754 
755 	if (mode & VWRITE) {
756 		boolean_t allzone;
757 
758 		if (owner == 0 && cr->cr_uid != 0)
759 			allzone = B_TRUE;
760 		else
761 			allzone = B_FALSE;
762 		if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL)
763 		    != 0)
764 			return (EACCES);
765 	}
766 
767 	if (mode & VEXEC) {
768 		/*
769 		 * Directories use file_dac_search to override the execute bit.
770 		 */
771 		vtype_t vtype = vp->v_type;
772 
773 		if (vtype == VDIR)
774 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE,
775 			    EACCES, NULL));
776 		else
777 			return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE,
778 			    EACCES, NULL));
779 	}
780 	return (0);
781 }
782 
783 /*
784  * Name:	secpolicy_vnode_setid_modify()
785  *
786  * Normal:	verify that subject can set the file setid flags.
787  *
788  * Output:	EPERM - if not privileged.
789  */
790 
791 static int
792 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
793 {
794 	/* If changing to suid root, must have all zone privs */
795 	boolean_t allzone = B_TRUE;
796 
797 	if (owner != 0) {
798 		if (owner == cr->cr_uid)
799 			return (0);
800 		allzone = B_FALSE;
801 	}
802 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
803 }
804 
805 /*
806  * Are we allowed to retain the set-uid/set-gid bits when
807  * changing ownership or when writing to a file?
808  * "issuid" should be true when set-uid; only in that case
809  * root ownership is checked (setgid is assumed).
810  */
811 int
812 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
813 {
814 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
815 		return (EPERM);
816 
817 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
818 }
819 
820 /*
821  * Name:	secpolicy_vnode_setids_setgids()
822  *
823  * Normal:	verify that subject can set the file setgid flag.
824  *
825  * Output:	EPERM - if not privileged
826  */
827 
828 int
829 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
830 {
831 	if (!groupmember(gid, cred))
832 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
833 		    NULL));
834 	return (0);
835 }
836 
837 /*
838  * Create a file with a group different than any of the groups allowed:
839  * the group of the directory the file is created in, the effective
840  * group or any of the supplementary groups.
841  */
842 int
843 secpolicy_vnode_create_gid(const cred_t *cred)
844 {
845 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
846 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
847 		    NULL));
848 	else
849 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
850 		    NULL));
851 }
852 
853 /*
854  * Name:	secpolicy_vnode_utime_modify()
855  *
856  * Normal:	verify that subject can modify the utime on a file.
857  *
858  * Output:	EPERM - if access denied.
859  */
860 
861 static int
862 secpolicy_vnode_utime_modify(const cred_t *cred)
863 {
864 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
865 	    "modify file times"));
866 }
867 
868 
869 /*
870  * Name:	secpolicy_vnode_setdac()
871  *
872  * Normal:	verify that subject can modify the mode of a file.
873  *		allzone privilege needed when modifying root owned object.
874  *
875  * Output:	EPERM - if access denied.
876  */
877 
878 int
879 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
880 {
881 	if (owner == cred->cr_uid)
882 		return (0);
883 
884 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
885 }
886 /*
887  * Name:	secpolicy_vnode_stky_modify()
888  *
889  * Normal:	verify that subject can make a file a "sticky".
890  *
891  * Output:	EPERM - if access denied.
892  */
893 
894 int
895 secpolicy_vnode_stky_modify(const cred_t *cred)
896 {
897 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
898 	    "set file sticky"));
899 }
900 
901 /*
902  * Policy determines whether we can remove an entry from a directory,
903  * regardless of permission bits.
904  */
905 int
906 secpolicy_vnode_remove(const cred_t *cr)
907 {
908 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
909 	    "sticky directory"));
910 }
911 
912 int
913 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
914 {
915 	boolean_t allzone = (owner == 0);
916 
917 	if (owner == cr->cr_uid)
918 		return (0);
919 
920 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
921 }
922 
923 void
924 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
925 {
926 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
927 	    secpolicy_vnode_setid_retain(cr,
928 	    (vap->va_mode & S_ISUID) != 0 &&
929 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
930 		vap->va_mask |= AT_MODE;
931 		vap->va_mode &= ~(S_ISUID|S_ISGID);
932 	}
933 }
934 
935 int
936 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
937     cred_t *cr)
938 {
939 	int error;
940 
941 	if ((vap->va_mode & S_ISUID) != 0 &&
942 	    (error = secpolicy_vnode_setid_modify(cr,
943 	    ovap->va_uid)) != 0) {
944 		return (error);
945 	}
946 
947 	/*
948 	 * Check privilege if attempting to set the
949 	 * sticky bit on a non-directory.
950 	 */
951 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
952 	    secpolicy_vnode_stky_modify(cr) != 0) {
953 		vap->va_mode &= ~S_ISVTX;
954 	}
955 
956 	/*
957 	 * Check for privilege if attempting to set the
958 	 * group-id bit.
959 	 */
960 	if ((vap->va_mode & S_ISGID) != 0 &&
961 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
962 		vap->va_mode &= ~S_ISGID;
963 	}
964 
965 	return (0);
966 }
967 
968 /*
969  * This function checks the policy decisions surrounding the
970  * vop setattr call.
971  *
972  * It should be called after sufficient locks have been established
973  * on the underlying data structures.  No concurrent modifications
974  * should be allowed.
975  *
976  * The caller must pass in unlocked version of its vaccess function
977  * this is required because vop_access function should lock the
978  * node for reading.  A three argument function should be defined
979  * which accepts the following argument:
980  * 	A pointer to the internal "node" type (inode *)
981  *	vnode access bits (VREAD|VWRITE|VEXEC)
982  *	a pointer to the credential
983  *
984  * This function makes the following policy decisions:
985  *
986  *		- change permissions
987  *			- permission to change file mode if not owner
988  *			- permission to add sticky bit to non-directory
989  *			- permission to add set-gid bit
990  *
991  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
992  *
993  * If the vap argument does not include AT_MODE, the mode will be copied from
994  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
995  * this is done by marking vap->va_mask to include AT_MODE and va_mode
996  * is updated to the newly computed mode.
997  */
998 
999 int
1000 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1001 	const struct vattr *ovap, int flags,
1002 	int unlocked_access(void *, int, cred_t *),
1003 	void *node)
1004 {
1005 	int mask = vap->va_mask;
1006 	int error = 0;
1007 
1008 	if (mask & AT_SIZE) {
1009 		if (vp->v_type == VDIR) {
1010 			error = EISDIR;
1011 			goto out;
1012 		}
1013 		error = unlocked_access(node, VWRITE, cr);
1014 		if (error)
1015 			goto out;
1016 	}
1017 	if (mask & AT_MODE) {
1018 		/*
1019 		 * If not the owner of the file then check privilege
1020 		 * for two things: the privilege to set the mode at all
1021 		 * and, if we're setting setuid, we also need permissions
1022 		 * to add the set-uid bit, if we're not the owner.
1023 		 * In the specific case of creating a set-uid root
1024 		 * file, we need even more permissions.
1025 		 */
1026 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1027 			goto out;
1028 
1029 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1030 		    ovap, cr)) != 0)
1031 			goto out;
1032 	} else
1033 		vap->va_mode = ovap->va_mode;
1034 
1035 	if (mask & (AT_UID|AT_GID)) {
1036 		boolean_t checkpriv = B_FALSE;
1037 		int priv;
1038 		boolean_t allzone = B_FALSE;
1039 
1040 		/*
1041 		 * Chowning files.
1042 		 *
1043 		 * If you are the file owner:
1044 		 *	chown to other uid		FILE_CHOWN_SELF
1045 		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1046 		 *	chown to gid (member) 		<none>
1047 		 *
1048 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1049 		 * acceptable but the first one is reported when debugging.
1050 		 *
1051 		 * If you are not the file owner:
1052 		 *	chown from root			PRIV_FILE_CHOWN + zone
1053 		 *	chown from other to any		PRIV_FILE_CHOWN
1054 		 *
1055 		 */
1056 		if (cr->cr_uid != ovap->va_uid) {
1057 			checkpriv = B_TRUE;
1058 			allzone = (ovap->va_uid == 0);
1059 			priv = PRIV_FILE_CHOWN;
1060 		} else {
1061 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1062 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1063 			    !groupmember(vap->va_gid, cr))) {
1064 				checkpriv = B_TRUE;
1065 				priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ?
1066 				    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1067 			}
1068 		}
1069 		/*
1070 		 * If necessary, check privilege to see if update can be done.
1071 		 */
1072 		if (checkpriv &&
1073 		    (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL))
1074 		    != 0) {
1075 			goto out;
1076 		}
1077 
1078 		/*
1079 		 * If the file has either the set UID or set GID bits
1080 		 * set and the caller can set the bits, then leave them.
1081 		 */
1082 		secpolicy_setid_clear(vap, cr);
1083 	}
1084 	if (mask & (AT_ATIME|AT_MTIME)) {
1085 		/*
1086 		 * If not the file owner and not otherwise privileged,
1087 		 * always return an error when setting the
1088 		 * time other than the current (ATTR_UTIME flag set).
1089 		 * If setting the current time (ATTR_UTIME not set) then
1090 		 * unlocked_access will check permissions according to policy.
1091 		 */
1092 		if (cr->cr_uid != ovap->va_uid) {
1093 			if (flags & ATTR_UTIME)
1094 				error = secpolicy_vnode_utime_modify(cr);
1095 			else {
1096 				error = unlocked_access(node, VWRITE, cr);
1097 				if (error == EACCES &&
1098 				    secpolicy_vnode_utime_modify(cr) == 0)
1099 					error = 0;
1100 			}
1101 			if (error)
1102 				goto out;
1103 		}
1104 	}
1105 out:
1106 	return (error);
1107 }
1108 
1109 /*
1110  * Name:	secpolicy_pcfs_modify_bootpartition()
1111  *
1112  * Normal:	verify that subject can modify a pcfs boot partition.
1113  *
1114  * Output:	EACCES - if privilege check failed.
1115  */
1116 /*ARGSUSED*/
1117 int
1118 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1119 {
1120 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1121 	    "modify pcfs boot partition"));
1122 }
1123 
1124 /*
1125  * System V IPC routines
1126  */
1127 int
1128 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1129 {
1130 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1131 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1132 		boolean_t allzone = B_FALSE;
1133 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1134 			allzone = B_TRUE;
1135 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1136 	}
1137 	return (0);
1138 }
1139 
1140 int
1141 secpolicy_ipc_config(const cred_t *cr)
1142 {
1143 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1144 }
1145 
1146 int
1147 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1148 {
1149 
1150 	boolean_t allzone = B_FALSE;
1151 
1152 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1153 
1154 	if ((mode & MSG_R) &&
1155 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1156 		return (EACCES);
1157 
1158 	if (mode & MSG_W) {
1159 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1160 			allzone = B_TRUE;
1161 
1162 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1163 		    NULL));
1164 	}
1165 	return (0);
1166 }
1167 
1168 int
1169 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1170 {
1171 	boolean_t allzone = B_FALSE;
1172 
1173 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1174 
1175 	if ((mode & MSG_R) &&
1176 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1177 		return (EACCES);
1178 
1179 	if (mode & MSG_W) {
1180 		if (cr->cr_uid != 0 && owner == 0)
1181 			allzone = B_TRUE;
1182 
1183 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1184 		    NULL));
1185 	}
1186 	return (0);
1187 }
1188 
1189 /*
1190  * Audit configuration.
1191  */
1192 int
1193 secpolicy_audit_config(const cred_t *cr)
1194 {
1195 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1196 }
1197 
1198 /*
1199  * Audit record generation.
1200  */
1201 int
1202 secpolicy_audit_modify(const cred_t *cr)
1203 {
1204 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1205 }
1206 
1207 /*
1208  * Get audit attributes.
1209  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1210  * "Least" of the two privileges on error.
1211  */
1212 int
1213 secpolicy_audit_getattr(const cred_t *cr)
1214 {
1215 	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) {
1216 		return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM,
1217 		    NULL));
1218 	} else {
1219 		return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1220 	}
1221 }
1222 
1223 
1224 /*
1225  * Locking physical memory
1226  */
1227 int
1228 secpolicy_lock_memory(const cred_t *cr)
1229 {
1230 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1231 }
1232 
1233 /*
1234  * Accounting (both acct(2) and exacct).
1235  */
1236 int
1237 secpolicy_acct(const cred_t *cr)
1238 {
1239 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1240 }
1241 
1242 /*
1243  * Is this process privileged to change its uids at will?
1244  * Uid 0 is still considered "special" and having the SETID
1245  * privilege is not sufficient to get uid 0.
1246  * Files are owned by root, so the privilege would give
1247  * full access and euid 0 is still effective.
1248  *
1249  * If you have the privilege and euid 0 only then do you
1250  * get the powers of root wrt uid 0.
1251  *
1252  * For gid manipulations, this is should be called with an
1253  * uid of -1.
1254  *
1255  */
1256 int
1257 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1258 {
1259 	boolean_t allzone = B_FALSE;
1260 
1261 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1262 	    cr->cr_ruid != 0) {
1263 		allzone = B_TRUE;
1264 	}
1265 
1266 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1267 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1268 }
1269 
1270 
1271 /*
1272  * Acting on a different process: if the mode is for writing,
1273  * the restrictions are more severe.  This is called after
1274  * we've verified that the uids do not match.
1275  */
1276 int
1277 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1278 {
1279 	boolean_t allzone = B_FALSE;
1280 
1281 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1282 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1283 		allzone = B_TRUE;
1284 
1285 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1286 }
1287 
1288 int
1289 secpolicy_proc_access(const cred_t *scr)
1290 {
1291 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1292 }
1293 
1294 int
1295 secpolicy_proc_excl_open(const cred_t *scr)
1296 {
1297 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1298 }
1299 
1300 int
1301 secpolicy_proc_zone(const cred_t *scr)
1302 {
1303 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1304 }
1305 
1306 /*
1307  * Destroying the system
1308  */
1309 
1310 int
1311 secpolicy_kmdb(const cred_t *scr)
1312 {
1313 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1314 }
1315 
1316 int
1317 secpolicy_error_inject(const cred_t *scr)
1318 {
1319 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1320 }
1321 
1322 /*
1323  * Processor sets, cpu configuration, resource pools.
1324  */
1325 int
1326 secpolicy_pset(const cred_t *cr)
1327 {
1328 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1329 }
1330 
1331 int
1332 secpolicy_ponline(const cred_t *cr)
1333 {
1334 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1335 }
1336 
1337 int
1338 secpolicy_pool(const cred_t *cr)
1339 {
1340 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1341 }
1342 
1343 int
1344 secpolicy_blacklist(const cred_t *cr)
1345 {
1346 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1347 }
1348 
1349 /*
1350  * Catch all system configuration.
1351  */
1352 int
1353 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1354 {
1355 	if (checkonly) {
1356 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1357 		    EPERM);
1358 	} else {
1359 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1360 	}
1361 }
1362 
1363 /*
1364  * Zone administration (halt, reboot, etc.) from within zone.
1365  */
1366 int
1367 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1368 {
1369 	if (checkonly) {
1370 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1371 		    EPERM);
1372 	} else {
1373 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1374 		    NULL));
1375 	}
1376 }
1377 
1378 /*
1379  * Zone configuration (create, halt, enter).
1380  */
1381 int
1382 secpolicy_zone_config(const cred_t *cr)
1383 {
1384 	/*
1385 	 * Require all privileges to avoid possibility of privilege
1386 	 * escalation.
1387 	 */
1388 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1389 }
1390 
1391 /*
1392  * Various other system configuration calls
1393  */
1394 int
1395 secpolicy_coreadm(const cred_t *cr)
1396 {
1397 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1398 }
1399 
1400 int
1401 secpolicy_systeminfo(const cred_t *cr)
1402 {
1403 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1404 }
1405 
1406 int
1407 secpolicy_dispadm(const cred_t *cr)
1408 {
1409 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1410 }
1411 
1412 int
1413 secpolicy_settime(const cred_t *cr)
1414 {
1415 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1416 }
1417 
1418 /*
1419  * For realtime users: high resolution clock.
1420  */
1421 int
1422 secpolicy_clock_highres(const cred_t *cr)
1423 {
1424 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1425 	    NULL));
1426 }
1427 
1428 /*
1429  * drv_priv() is documented as callable from interrupt context, not that
1430  * anyone ever does, but still.  No debugging or auditing can be done when
1431  * it is called from interrupt context.
1432  * returns 0 on succes, EPERM on failure.
1433  */
1434 int
1435 drv_priv(cred_t *cr)
1436 {
1437 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1438 }
1439 
1440 int
1441 secpolicy_sys_devices(const cred_t *cr)
1442 {
1443 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1444 }
1445 
1446 int
1447 secpolicy_excl_open(const cred_t *cr)
1448 {
1449 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1450 }
1451 
1452 int
1453 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1454 {
1455 	/* zone.* rctls can only be set from the global zone */
1456 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1457 		return (EPERM);
1458 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1459 }
1460 
1461 int
1462 secpolicy_resource(const cred_t *cr)
1463 {
1464 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1465 }
1466 
1467 /*
1468  * Processes with a real uid of 0 escape any form of accounting, much
1469  * like before.
1470  */
1471 int
1472 secpolicy_newproc(const cred_t *cr)
1473 {
1474 	if (cr->cr_ruid == 0)
1475 		return (0);
1476 
1477 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1478 }
1479 
1480 /*
1481  * Networking
1482  */
1483 int
1484 secpolicy_net_rawaccess(const cred_t *cr)
1485 {
1486 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1487 }
1488 
1489 /*
1490  * Need this privilege for accessing the ICMP device
1491  */
1492 int
1493 secpolicy_net_icmpaccess(const cred_t *cr)
1494 {
1495 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1496 }
1497 
1498 /*
1499  * There are a few rare cases where the kernel generates ioctls() from
1500  * interrupt context with a credential of kcred rather than NULL.
1501  * In those cases, we take the safe and cheap test.
1502  */
1503 int
1504 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1505 {
1506 	if (checkonly) {
1507 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1508 		    0 : EPERM);
1509 	} else {
1510 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1511 		    NULL));
1512 	}
1513 }
1514 
1515 
1516 /*
1517  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1518  *
1519  * There are a few rare cases where the kernel generates ioctls() from
1520  * interrupt context with a credential of kcred rather than NULL.
1521  * In those cases, we take the safe and cheap test.
1522  */
1523 int
1524 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1525 {
1526 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1527 		return (secpolicy_net_config(cr, checkonly));
1528 
1529 	if (checkonly) {
1530 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1531 		    0 : EPERM);
1532 	} else {
1533 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1534 		    NULL));
1535 	}
1536 }
1537 
1538 
1539 /*
1540  * Map IP pseudo privileges to actual privileges.
1541  * So we don't need to recompile IP when we change the privileges.
1542  */
1543 int
1544 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1545 {
1546 	int priv = PRIV_ALL;
1547 
1548 	switch (netpriv) {
1549 	case OP_CONFIG:
1550 		priv = PRIV_SYS_IP_CONFIG;
1551 		break;
1552 	case OP_RAW:
1553 		priv = PRIV_NET_RAWACCESS;
1554 		break;
1555 	case OP_PRIVPORT:
1556 		priv = PRIV_NET_PRIVADDR;
1557 		break;
1558 	}
1559 	ASSERT(priv != PRIV_ALL);
1560 	if (checkonly)
1561 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1562 	else
1563 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1564 }
1565 
1566 /*
1567  * Map network pseudo privileges to actual privileges.
1568  * So we don't need to recompile IP when we change the privileges.
1569  */
1570 int
1571 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
1572 {
1573 	int priv = PRIV_ALL;
1574 
1575 	switch (netpriv) {
1576 	case OP_CONFIG:
1577 		priv = PRIV_SYS_NET_CONFIG;
1578 		break;
1579 	case OP_RAW:
1580 		priv = PRIV_NET_RAWACCESS;
1581 		break;
1582 	case OP_PRIVPORT:
1583 		priv = PRIV_NET_PRIVADDR;
1584 		break;
1585 	}
1586 	ASSERT(priv != PRIV_ALL);
1587 	if (checkonly)
1588 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1589 	else
1590 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1591 }
1592 
1593 /*
1594  * Checks for operations that are either client-only or are used by
1595  * both clients and servers.
1596  */
1597 int
1598 secpolicy_nfs(const cred_t *cr)
1599 {
1600 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
1601 }
1602 
1603 /*
1604  * Special case for opening rpcmod: have NFS privileges or network
1605  * config privileges.
1606  */
1607 int
1608 secpolicy_rpcmod_open(const cred_t *cr)
1609 {
1610 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
1611 		return (secpolicy_nfs(cr));
1612 	else
1613 		return (secpolicy_net_config(cr, NULL));
1614 }
1615 
1616 int
1617 secpolicy_chroot(const cred_t *cr)
1618 {
1619 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
1620 }
1621 
1622 int
1623 secpolicy_tasksys(const cred_t *cr)
1624 {
1625 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
1626 }
1627 
1628 /*
1629  * Basic privilege checks.
1630  */
1631 int
1632 secpolicy_basic_exec(const cred_t *cr)
1633 {
1634 	return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL));
1635 }
1636 
1637 int
1638 secpolicy_basic_fork(const cred_t *cr)
1639 {
1640 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
1641 }
1642 
1643 int
1644 secpolicy_basic_proc(const cred_t *cr)
1645 {
1646 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
1647 }
1648 
1649 /*
1650  * Slightly complicated because we don't want to trigger the policy too
1651  * often.  First we shortcircuit access to "self" (tp == sp) or if
1652  * we don't have the privilege but if we have permission
1653  * just return (0) and we don't flag the privilege as needed.
1654  * Else, we test for the privilege because we either have it or need it.
1655  */
1656 int
1657 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
1658 {
1659 	if (tp == sp ||
1660 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
1661 		return (0);
1662 	} else {
1663 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
1664 	}
1665 }
1666 
1667 int
1668 secpolicy_basic_link(const cred_t *cr)
1669 {
1670 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
1671 }
1672 
1673 /*
1674  * Additional device protection.
1675  *
1676  * Traditionally, a device has specific permissions on the node in
1677  * the filesystem which govern which devices can be opened by what
1678  * processes.  In certain cases, it is desirable to add extra
1679  * restrictions, as writing to certain devices is identical to
1680  * having a complete run of the system.
1681  *
1682  * This mechanism is called the device policy.
1683  *
1684  * When a device is opened, its policy entry is looked up in the
1685  * policy cache and checked.
1686  */
1687 int
1688 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
1689 {
1690 	devplcy_t *plcy;
1691 	int err;
1692 	struct snode *csp = VTOS(common_specvp(vp));
1693 	priv_set_t pset;
1694 
1695 	mutex_enter(&csp->s_lock);
1696 
1697 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
1698 		plcy = devpolicy_find(vp);
1699 		if (csp->s_plcy)
1700 			dpfree(csp->s_plcy);
1701 		csp->s_plcy = plcy;
1702 		ASSERT(plcy != NULL);
1703 	} else
1704 		plcy = csp->s_plcy;
1705 
1706 	if (plcy == nullpolicy) {
1707 		mutex_exit(&csp->s_lock);
1708 		return (0);
1709 	}
1710 
1711 	dphold(plcy);
1712 
1713 	mutex_exit(&csp->s_lock);
1714 
1715 	if (oflag & FWRITE)
1716 		pset = plcy->dp_wrp;
1717 	else
1718 		pset = plcy->dp_rdp;
1719 	/*
1720 	 * Special case:
1721 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1722 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
1723 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
1724 	 * in the required privilege set before doing the check.
1725 	 */
1726 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
1727 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
1728 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
1729 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
1730 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
1731 	}
1732 
1733 	err = secpolicy_require_set(cr, &pset, "devpolicy");
1734 	dpfree(plcy);
1735 
1736 	return (err);
1737 }
1738 
1739 int
1740 secpolicy_modctl(const cred_t *cr, int cmd)
1741 {
1742 	switch (cmd) {
1743 	case MODINFO:
1744 	case MODGETMAJBIND:
1745 	case MODGETPATH:
1746 	case MODGETPATHLEN:
1747 	case MODGETNAME:
1748 	case MODGETFBNAME:
1749 	case MODGETDEVPOLICY:
1750 	case MODGETDEVPOLICYBYNAME:
1751 	case MODDEVT2INSTANCE:
1752 	case MODSIZEOF_DEVID:
1753 	case MODGETDEVID:
1754 	case MODSIZEOF_MINORNAME:
1755 	case MODGETMINORNAME:
1756 	case MODGETDEVFSPATH_LEN:
1757 	case MODGETDEVFSPATH:
1758 	case MODGETDEVFSPATH_MI_LEN:
1759 	case MODGETDEVFSPATH_MI:
1760 		/* Unprivileged */
1761 		return (0);
1762 	case MODLOAD:
1763 	case MODSETDEVPOLICY:
1764 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1765 	default:
1766 		return (secpolicy_sys_config(cr, B_FALSE));
1767 	}
1768 }
1769 
1770 int
1771 secpolicy_console(const cred_t *cr)
1772 {
1773 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1774 }
1775 
1776 int
1777 secpolicy_power_mgmt(const cred_t *cr)
1778 {
1779 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1780 }
1781 
1782 /*
1783  * Simulate terminal input; another escalation of privileges avenue.
1784  */
1785 
1786 int
1787 secpolicy_sti(const cred_t *cr)
1788 {
1789 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1790 }
1791 
1792 boolean_t
1793 secpolicy_net_reply_equal(const cred_t *cr)
1794 {
1795 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1796 }
1797 
1798 int
1799 secpolicy_swapctl(const cred_t *cr)
1800 {
1801 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1802 }
1803 
1804 int
1805 secpolicy_cpc_cpu(const cred_t *cr)
1806 {
1807 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
1808 }
1809 
1810 /*
1811  * secpolicy_contract_observer
1812  *
1813  * Determine if the subject may observe a specific contract's events.
1814  */
1815 int
1816 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
1817 {
1818 	if (contract_owned(ct, cr, B_FALSE))
1819 		return (0);
1820 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
1821 }
1822 
1823 /*
1824  * secpolicy_contract_observer_choice
1825  *
1826  * Determine if the subject may observe any contract's events.  Just
1827  * tests privilege and audits on success.
1828  */
1829 boolean_t
1830 secpolicy_contract_observer_choice(const cred_t *cr)
1831 {
1832 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
1833 }
1834 
1835 /*
1836  * secpolicy_contract_event
1837  *
1838  * Determine if the subject may request critical contract events or
1839  * reliable contract event delivery.
1840  */
1841 int
1842 secpolicy_contract_event(const cred_t *cr)
1843 {
1844 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
1845 }
1846 
1847 /*
1848  * secpolicy_contract_event_choice
1849  *
1850  * Determine if the subject may retain contract events in its critical
1851  * set when a change in other terms would normally require a change in
1852  * the critical set.  Just tests privilege and audits on success.
1853  */
1854 boolean_t
1855 secpolicy_contract_event_choice(const cred_t *cr)
1856 {
1857 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
1858 }
1859 
1860 /*
1861  * secpolicy_gart_access
1862  *
1863  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
1864  * device.
1865  */
1866 int
1867 secpolicy_gart_access(const cred_t *cr)
1868 {
1869 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
1870 }
1871 
1872 /*
1873  * secpolicy_gart_map
1874  *
1875  * Determine if the subject has sufficient priveleges to map aperture range
1876  * through agpgart driver.
1877  */
1878 int
1879 secpolicy_gart_map(const cred_t *cr)
1880 {
1881 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
1882 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
1883 		    NULL));
1884 	} else {
1885 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
1886 		    NULL));
1887 	}
1888 }
1889 
1890 /*
1891  * secpolicy_zinject
1892  *
1893  * Determine if the subject can inject faults in the ZFS fault injection
1894  * framework.  Requires all privileges.
1895  */
1896 int
1897 secpolicy_zinject(const cred_t *cr)
1898 {
1899 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL));
1900 }
1901 
1902 /*
1903  * secpolicy_zfs
1904  *
1905  * Determine if the subject has permission to manipulate ZFS datasets
1906  * (not pools).  Equivalent to the SYS_MOUNT privilege.
1907  */
1908 int
1909 secpolicy_zfs(const cred_t *cr)
1910 {
1911 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
1912 }
1913 
1914 /*
1915  * secpolicy_idmap
1916  *
1917  * Determine if the calling process has permissions to register an SID
1918  * mapping daemon and allocate ephemeral IDs.
1919  */
1920 int
1921 secpolicy_idmap(const cred_t *cr)
1922 {
1923 	return (PRIV_POLICY(cr, PRIV_ALL, B_FALSE, EPERM, NULL));
1924 }
1925 
1926 /*
1927  * secpolicy_ucode_update
1928  *
1929  * Determine if the subject has sufficient privilege to update microcode.
1930  */
1931 int
1932 secpolicy_ucode_update(const cred_t *scr)
1933 {
1934 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1935 }
1936 
1937 /*
1938  * secpolicy_sadopen
1939  *
1940  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
1941  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
1942  * In global zone, sys_config is required.
1943  * In exclusive-IP zones, sys_ip_config is required.
1944  * Note that sys_config is prohibited in non-global zones.
1945  */
1946 int
1947 secpolicy_sadopen(const cred_t *credp)
1948 {
1949 	priv_set_t pset;
1950 
1951 	priv_emptyset(&pset);
1952 
1953 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
1954 		priv_addset(&pset, PRIV_SYS_CONFIG);
1955 	else
1956 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
1957 
1958 	return (secpolicy_require_set(credp, &pset, "devpolicy"));
1959 }
1960