1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 58 /* 59 * There are two possible layers of privilege routines and two possible 60 * levels of secpolicy. Plus one other we may not be interested in, so 61 * we may need as many as 6 but no more. 62 */ 63 #define MAXPRIVSTACK 6 64 65 int priv_debug = 0; 66 67 /* 68 * This file contains the majority of the policy routines. 69 * Since the policy routines are defined by function and not 70 * by privilege, there is quite a bit of duplication of 71 * functions. 72 * 73 * The secpolicy functions must not make assumptions about 74 * locks held or not held as any lock can be held while they're 75 * being called. 76 * 77 * Credentials are read-only so no special precautions need to 78 * be taken while locking them. 79 * 80 * When a new policy check needs to be added to the system the 81 * following procedure should be followed: 82 * 83 * Pick an appropriate secpolicy_*() function 84 * -> done if one exists. 85 * Create a new secpolicy function, preferably with 86 * a descriptive name using the standard template. 87 * Pick an appropriate privilege for the policy. 88 * If no appropraite privilege exists, define new one 89 * (this should be done with extreme care; in most cases 90 * little is gained by adding another privilege) 91 * 92 * WHY ROOT IS STILL SPECIAL. 93 * 94 * In a number of the policy functions, there are still explicit 95 * checks for uid 0. The rationale behind these is that many root 96 * owned files/objects hold configuration information which can give full 97 * privileges to the user once written to. To prevent escalation 98 * of privilege by allowing just a single privilege to modify root owned 99 * objects, we've added these root specific checks where we considered 100 * them necessary: modifying root owned files, changing uids to 0, etc. 101 * 102 * PRIVILEGE ESCALATION AND ZONES. 103 * 104 * A number of operations potentially allow the caller to achieve 105 * privileges beyond the ones normally required to perform the operation. 106 * For example, if allowed to create a setuid 0 executable, a process can 107 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 108 * restrictions on the ability to gain privileges beyond those available 109 * within the zone through file and process manipulation. Hence, such 110 * operations require that the caller have an effective set that includes 111 * all privileges available within the current zone, or all privileges 112 * if executing in the global zone. 113 * 114 * This is indicated in the priv_policy* policy checking functions 115 * through a combination of parameters. The "priv" parameter indicates 116 * the privilege that is required, and the "allzone" parameter indicates 117 * whether or not all privileges in the zone are required. In addition, 118 * priv can be set to PRIV_ALL to indicate that all privileges are 119 * required (regardless of zone). There are three scenarios of interest: 120 * (1) operation requires a specific privilege 121 * (2) operation requires a specific privilege, and requires all 122 * privileges available within the zone (or all privileges if in 123 * the global zone) 124 * (3) operation requires all privileges, regardless of zone 125 * 126 * For (1), priv should be set to the specific privilege, and allzone 127 * should be set to B_FALSE. 128 * For (2), priv should be set to the specific privilege, and allzone 129 * should be set to B_TRUE. 130 * For (3), priv should be set to PRIV_ALL, and allzone should be set 131 * to B_FALSE. 132 * 133 */ 134 135 /* 136 * The privileges are checked against the Effective set for 137 * ordinary processes and checked against the Limit set 138 * for euid 0 processes that haven't manipulated their privilege 139 * sets. 140 */ 141 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 142 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 143 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 144 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 145 HAS_ALLPRIVS(cr) : \ 146 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 147 148 /* 149 * Policy checking functions. 150 * 151 * All of the system's policy should be implemented here. 152 */ 153 154 /* 155 * Private functions which take an additional va_list argument to 156 * implement an object specific policy override. 157 */ 158 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 159 const char *, va_list); 160 static int priv_policy_va(const cred_t *, int, boolean_t, int, 161 const char *, ...); 162 163 /* 164 * Generic policy calls 165 * 166 * The "bottom" functions of policy control 167 */ 168 static char * 169 mprintf(const char *fmt, ...) 170 { 171 va_list args; 172 char *buf; 173 size_t len; 174 175 va_start(args, fmt); 176 len = vsnprintf(NULL, 0, fmt, args) + 1; 177 va_end(args); 178 179 buf = kmem_alloc(len, KM_NOSLEEP); 180 181 if (buf == NULL) 182 return (NULL); 183 184 va_start(args, fmt); 185 (void) vsnprintf(buf, len, fmt, args); 186 va_end(args); 187 188 return (buf); 189 } 190 191 /* 192 * priv_policy_errmsg() 193 * 194 * Generate an error message if privilege debugging is enabled system wide 195 * or for this particular process. 196 */ 197 198 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 199 #define FMTMSG " for \"%s\"" 200 #define FMTFUN " needed at %s+0x%lx" 201 202 /* The maximum size privilege format: the concatenation of the above */ 203 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 204 205 static void 206 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 207 { 208 struct proc *me; 209 pc_t stack[MAXPRIVSTACK]; 210 int depth; 211 int i; 212 char *sym; 213 ulong_t off; 214 const char *pname; 215 216 char *cmd; 217 char fmt[sizeof (FMTMAX)]; 218 219 if ((me = curproc) == &p0) 220 return; 221 222 /* Privileges must be defined */ 223 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 224 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 225 priv_getbynum(priv) != NULL); 226 227 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 228 priv = PRIV_ALL; 229 230 if (curthread->t_pre_sys) 231 ttolwp(curthread)->lwp_badpriv = (short)priv; 232 233 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 234 return; 235 236 (void) strcpy(fmt, FMTHDR); 237 238 if (me->p_user.u_comm[0]) 239 cmd = &me->p_user.u_comm[0]; 240 else 241 cmd = "priv_policy"; 242 243 if (msg != NULL && *msg != '\0') { 244 (void) strcat(fmt, FMTMSG); 245 } else { 246 (void) strcat(fmt, "%s"); 247 msg = ""; 248 } 249 250 sym = NULL; 251 252 depth = getpcstack(stack, MAXPRIVSTACK); 253 254 /* 255 * Try to find the first interesting function on the stack. 256 * priv_policy* that's us, so completely uninteresting. 257 * suser(), drv_priv(), secpolicy_* are also called from 258 * too many locations to convey useful information. 259 */ 260 for (i = 0; i < depth; i++) { 261 sym = kobj_getsymname((uintptr_t)stack[i], &off); 262 if (sym != NULL && 263 strstr(sym, "hasprocperm") == 0 && 264 strcmp("suser", sym) != 0 && 265 strcmp("ipcaccess", sym) != 0 && 266 strcmp("drv_priv", sym) != 0 && 267 strncmp("secpolicy_", sym, 10) != 0 && 268 strncmp("priv_policy", sym, 11) != 0) 269 break; 270 } 271 272 if (sym != NULL) 273 (void) strcat(fmt, FMTFUN); 274 275 (void) strcat(fmt, "\n"); 276 277 switch (priv) { 278 case PRIV_ALL: 279 pname = "ALL"; 280 break; 281 case PRIV_MULTIPLE: 282 pname = "MULTIPLE"; 283 break; 284 case PRIV_ALLZONE: 285 pname = "ZONE"; 286 break; 287 case PRIV_GLOBAL: 288 pname = "GLOBAL"; 289 break; 290 default: 291 pname = priv_getbynum(priv); 292 break; 293 } 294 295 if (CR_FLAGS(cr) & PRIV_DEBUG) { 296 /* Remember last message, just like lwp_badpriv. */ 297 if (curthread->t_pdmsg != NULL) { 298 kmem_free(curthread->t_pdmsg, 299 strlen(curthread->t_pdmsg) + 1); 300 } 301 302 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 303 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 304 305 curthread->t_post_sys = 1; 306 } 307 if (priv_debug) { 308 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 309 curthread->t_sysnum, msg, sym, off); 310 } 311 } 312 313 /* 314 * Override the policy, if appropriate. Return 0 if the external 315 * policy engine approves. 316 */ 317 static int 318 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 319 { 320 priv_set_t set; 321 int ret; 322 323 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 324 return (-1); 325 326 if (priv == PRIV_ALL) { 327 priv_fillset(&set); 328 } else if (allzone) { 329 set = *ZONEPRIVS(cr); 330 } else { 331 priv_emptyset(&set); 332 priv_addset(&set, priv); 333 } 334 ret = klpd_call(cr, &set, ap); 335 return (ret); 336 } 337 338 static int 339 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...) 340 { 341 va_list ap; 342 343 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 344 va_start(ap, req); 345 return (klpd_call(cr, req, ap)); 346 } 347 return (-1); 348 } 349 350 /* 351 * Audit failure, log error message. 352 */ 353 static void 354 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 355 { 356 357 if (audit_active) 358 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 359 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 360 361 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 362 curthread->t_pre_sys) { 363 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 364 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 365 } else { 366 ASSERT(!HAS_PRIVILEGE(cr, priv)); 367 priv_policy_errmsg(cr, priv, msg); 368 } 369 } 370 } 371 372 /* 373 * priv_policy_ap() 374 * return 0 or error. 375 * See block comment above for a description of "priv" and "allzone" usage. 376 */ 377 static int 378 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 379 const char *msg, va_list ap) 380 { 381 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 382 (!servicing_interrupt() && 383 priv_policy_override(cr, priv, allzone, ap) == 0)) { 384 if ((allzone || priv == PRIV_ALL || 385 !PRIV_ISASSERT(priv_basic, priv)) && 386 !servicing_interrupt()) { 387 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 388 if (audit_active) 389 audit_priv(priv, 390 allzone ? ZONEPRIVS(cr) : NULL, 1); 391 } 392 err = 0; 393 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 394 } else if (!servicing_interrupt()) { 395 /* Failure audited in this procedure */ 396 priv_policy_err(cr, priv, allzone, msg); 397 } 398 return (err); 399 } 400 401 int 402 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 403 const char *msg, ...) 404 { 405 int ret; 406 va_list ap; 407 408 va_start(ap, msg); 409 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 410 va_end(ap); 411 412 return (ret); 413 } 414 415 int 416 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 417 const char *msg) 418 { 419 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE)); 420 } 421 422 /* 423 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 424 */ 425 boolean_t 426 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 427 { 428 boolean_t res = HAS_PRIVILEGE(cr, priv) && 429 (!allzone || HAS_ALLZONEPRIVS(cr)); 430 431 /* Audit success only */ 432 if (res && audit_active && 433 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 434 !servicing_interrupt()) { 435 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 436 } 437 if (res) { 438 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 439 } else { 440 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 441 } 442 return (res); 443 } 444 445 /* 446 * Non-auditing variant of priv_policy_choice(). 447 */ 448 boolean_t 449 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 450 { 451 boolean_t res = HAS_PRIVILEGE(cr, priv) && 452 (!allzone || HAS_ALLZONEPRIVS(cr)); 453 454 if (res) { 455 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 456 } else { 457 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 458 } 459 return (res); 460 } 461 462 /* 463 * Check whether all privileges in the required set are present. 464 */ 465 static int 466 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 467 { 468 int priv; 469 int pfound = -1; 470 priv_set_t pset; 471 472 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 473 &CR_OEPRIV(cr))) { 474 return (0); 475 } 476 477 if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0) 478 return (0); 479 480 if (req == PRIV_FULLSET || priv_isfullset(req)) { 481 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 482 return (EACCES); 483 } 484 485 pset = CR_OEPRIV(cr); /* present privileges */ 486 priv_inverse(&pset); /* all non present privileges */ 487 priv_intersect(req, &pset); /* the actual missing privs */ 488 489 if (audit_active) 490 audit_priv(PRIV_NONE, &pset, 0); 491 /* 492 * Privilege debugging; special case "one privilege in set". 493 */ 494 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 495 for (priv = 0; priv < nprivs; priv++) { 496 if (priv_ismember(&pset, priv)) { 497 if (pfound != -1) { 498 /* Multiple missing privs */ 499 priv_policy_errmsg(cr, PRIV_MULTIPLE, 500 msg); 501 return (EACCES); 502 } 503 pfound = priv; 504 } 505 } 506 ASSERT(pfound != -1); 507 /* Just the one missing privilege */ 508 priv_policy_errmsg(cr, pfound, msg); 509 } 510 511 return (EACCES); 512 } 513 514 /* 515 * Called when an operation requires that the caller be in the 516 * global zone, regardless of privilege. 517 */ 518 static int 519 priv_policy_global(const cred_t *cr) 520 { 521 if (crgetzoneid(cr) == GLOBAL_ZONEID) 522 return (0); /* success */ 523 524 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 525 curthread->t_pre_sys) { 526 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 527 } 528 return (EPERM); 529 } 530 531 /* 532 * Changing process priority 533 */ 534 int 535 secpolicy_setpriority(const cred_t *cr) 536 { 537 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 538 } 539 540 /* 541 * Binding to a privileged port, port must be specified in host byte 542 * order. 543 */ 544 int 545 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 546 { 547 char *reason; 548 int priv; 549 550 switch (port) { 551 case 137: 552 case 138: 553 case 139: 554 case 445: 555 /* 556 * NBT and SMB ports, these are extra privileged ports, 557 * allow bind only if the SYS_SMB privilege is present. 558 */ 559 priv = PRIV_SYS_SMB; 560 reason = "NBT or SMB port"; 561 break; 562 563 case 2049: 564 case 4045: 565 /* 566 * NFS ports, these are extra privileged ports, allow bind 567 * only if the SYS_NFS privilege is present. 568 */ 569 priv = PRIV_SYS_NFS; 570 reason = "NFS port"; 571 break; 572 573 default: 574 priv = PRIV_NET_PRIVADDR; 575 reason = NULL; 576 break; 577 578 } 579 580 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 581 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 582 } 583 584 /* 585 * Binding to a multilevel port on a trusted (labeled) system. 586 */ 587 int 588 secpolicy_net_bindmlp(const cred_t *cr) 589 { 590 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 591 } 592 593 /* 594 * Allow a communication between a zone and an unlabeled host when their 595 * labels don't match. 596 */ 597 int 598 secpolicy_net_mac_aware(const cred_t *cr) 599 { 600 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 601 } 602 603 /* 604 * Common routine which determines whether a given credential can 605 * act on a given mount. 606 * When called through mount, the parameter needoptcheck is a pointer 607 * to a boolean variable which will be set to either true or false, 608 * depending on whether the mount policy should change the mount options. 609 * In all other cases, needoptcheck should be a NULL pointer. 610 */ 611 static int 612 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 613 boolean_t *needoptcheck) 614 { 615 boolean_t allzone = B_FALSE; 616 boolean_t mounting = needoptcheck != NULL; 617 618 /* 619 * Short circuit the following cases: 620 * vfsp == NULL or mvp == NULL (pure privilege check) 621 * have all privileges - no further checks required 622 * and no mount options need to be set. 623 */ 624 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 625 if (mounting) 626 *needoptcheck = B_FALSE; 627 628 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 629 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 630 } 631 632 /* 633 * When operating on an existing mount (either we're not mounting 634 * or we're doing a remount and VFS_REMOUNT will be set), zones 635 * can operate only on mounts established by the zone itself. 636 */ 637 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 638 zoneid_t zoneid = crgetzoneid(cr); 639 640 if (zoneid != GLOBAL_ZONEID && 641 vfsp->vfs_zone->zone_id != zoneid) { 642 return (EPERM); 643 } 644 } 645 646 if (mounting) 647 *needoptcheck = B_TRUE; 648 649 /* 650 * Overlay mounts may hide important stuff; if you can't write to a 651 * mount point but would be able to mount on top of it, you can 652 * escalate your privileges. 653 * So we go about asking the same questions namefs does when it 654 * decides whether you can mount over a file or not but with the 655 * added restriction that you can only mount on top of a regular 656 * file or directory. 657 * If we have all the zone's privileges, we skip all other checks, 658 * or else we may actually get in trouble inside the automounter. 659 */ 660 if ((mvp->v_flag & VROOT) != 0 || 661 (mvp->v_type != VDIR && mvp->v_type != VREG) || 662 HAS_ALLZONEPRIVS(cr)) { 663 allzone = B_TRUE; 664 } else { 665 vattr_t va; 666 int err; 667 668 va.va_mask = AT_UID|AT_MODE; 669 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 670 if (err != 0) 671 return (err); 672 673 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 674 return (err); 675 676 if ((va.va_mode & VWRITE) == 0 && 677 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 678 return (EACCES); 679 } 680 } 681 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 682 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 683 } 684 685 void 686 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 687 { 688 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 689 690 /* 691 * check; if we don't have either "nosuid" or 692 * both "nosetuid" and "nodevices", then we add 693 * "nosuid"; this depends on how the current 694 * implementation works (it first checks nosuid). In a 695 * zone, a user with all zone privileges can mount with 696 * "setuid" but never with "devices". 697 */ 698 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 699 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 700 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 701 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 702 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 703 else 704 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 705 } 706 /* 707 * If we're not the local super user, we set the "restrict" 708 * option to indicate to automountd that this mount should 709 * be handled with care. 710 */ 711 if (!amsuper) 712 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 713 714 } 715 716 extern vnode_t *rootvp; 717 extern vfs_t *rootvfs; 718 719 int 720 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 721 { 722 boolean_t needoptchk; 723 int error; 724 725 /* 726 * If it's a remount, get the underlying mount point, 727 * except for the root where we use the rootvp. 728 */ 729 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 730 if (vfsp == rootvfs) 731 mvp = rootvp; 732 else 733 mvp = vfsp->vfs_vnodecovered; 734 } 735 736 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 737 738 if (error == 0 && needoptchk) { 739 secpolicy_fs_mount_clearopts(cr, vfsp); 740 } 741 742 return (error); 743 } 744 745 /* 746 * Does the policy computations for "ownership" of a mount; 747 * here ownership is defined as the ability to "mount" 748 * the filesystem originally. The rootvfs doesn't cover any 749 * vnodes; we attribute its ownership to the rootvp. 750 */ 751 static int 752 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 753 { 754 vnode_t *mvp; 755 756 if (vfsp == NULL) 757 mvp = NULL; 758 else if (vfsp == rootvfs) 759 mvp = rootvp; 760 else 761 mvp = vfsp->vfs_vnodecovered; 762 763 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 764 } 765 766 int 767 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 768 { 769 return (secpolicy_fs_owner(cr, vfsp)); 770 } 771 772 /* 773 * Quotas are a resource, but if one has the ability to mount a filesystem, he 774 * should be able to modify quotas on it. 775 */ 776 int 777 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 778 { 779 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 780 } 781 782 /* 783 * Exceeding minfree: also a per-mount resource constraint. 784 */ 785 int 786 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 787 { 788 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 789 } 790 791 int 792 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 793 { 794 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 795 } 796 797 /* ARGSUSED */ 798 int 799 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 800 { 801 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 802 } 803 804 /* 805 * Name: secpolicy_vnode_access() 806 * 807 * Parameters: Process credential 808 * vnode 809 * uid of owner of vnode 810 * permission bits not granted to the caller when examining 811 * file mode bits (i.e., when a process wants to open a 812 * mode 444 file for VREAD|VWRITE, this function should be 813 * called only with a VWRITE argument). 814 * 815 * Normal: Verifies that cred has the appropriate privileges to 816 * override the mode bits that were denied. 817 * 818 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 819 * not a directory. 820 * file_dac_read - if VREAD bit was denied. 821 * file_dac_search - if VEXEC bit was denied and vnode is 822 * a directory. 823 * file_dac_write - if VWRITE bit was denied. 824 * 825 * Root owned files are special cased to protect system 826 * configuration files and such. 827 * 828 * Output: EACCES - if privilege check fails. 829 */ 830 831 /* ARGSUSED */ 832 int 833 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 834 { 835 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 836 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 837 KLPDARG_NOMORE) != 0) { 838 return (EACCES); 839 } 840 841 if (mode & VWRITE) { 842 boolean_t allzone; 843 844 if (owner == 0 && cr->cr_uid != 0) 845 allzone = B_TRUE; 846 else 847 allzone = B_FALSE; 848 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 849 NULL, KLPDARG_VNODE, vp, (char *)NULL, 850 KLPDARG_NOMORE) != 0) { 851 return (EACCES); 852 } 853 } 854 855 if (mode & VEXEC) { 856 /* 857 * Directories use file_dac_search to override the execute bit. 858 */ 859 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 860 PRIV_FILE_DAC_EXECUTE; 861 862 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 863 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 864 } 865 return (0); 866 } 867 868 /* 869 * Name: secpolicy_vnode_setid_modify() 870 * 871 * Normal: verify that subject can set the file setid flags. 872 * 873 * Output: EPERM - if not privileged. 874 */ 875 876 static int 877 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 878 { 879 /* If changing to suid root, must have all zone privs */ 880 boolean_t allzone = B_TRUE; 881 882 if (owner != 0) { 883 if (owner == cr->cr_uid) 884 return (0); 885 allzone = B_FALSE; 886 } 887 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 888 } 889 890 /* 891 * Are we allowed to retain the set-uid/set-gid bits when 892 * changing ownership or when writing to a file? 893 * "issuid" should be true when set-uid; only in that case 894 * root ownership is checked (setgid is assumed). 895 */ 896 int 897 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 898 { 899 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 900 return (EPERM); 901 902 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 903 } 904 905 /* 906 * Name: secpolicy_vnode_setids_setgids() 907 * 908 * Normal: verify that subject can set the file setgid flag. 909 * 910 * Output: EPERM - if not privileged 911 */ 912 913 int 914 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 915 { 916 if (!groupmember(gid, cred)) 917 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 918 NULL)); 919 return (0); 920 } 921 922 /* 923 * Name: secpolicy_vnode_chown 924 * 925 * Normal: Determine if subject can chown owner of a file. 926 * 927 * Output: EPERM - if access denied 928 */ 929 930 int 931 secpolicy_vnode_chown(const cred_t *cred, boolean_t check_self) 932 { 933 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 934 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 935 NULL)); 936 else if (check_self) 937 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 938 NULL)); 939 else 940 return (EPERM); 941 } 942 943 /* 944 * Name: secpolicy_vnode_create_gid 945 * 946 * Normal: Determine if subject can change group ownership of a file. 947 * 948 * Output: EPERM - if access denied 949 */ 950 int 951 secpolicy_vnode_create_gid(const cred_t *cred) 952 { 953 return (secpolicy_vnode_chown(cred, B_TRUE)); 954 } 955 956 /* 957 * Name: secpolicy_vnode_utime_modify() 958 * 959 * Normal: verify that subject can modify the utime on a file. 960 * 961 * Output: EPERM - if access denied. 962 */ 963 964 static int 965 secpolicy_vnode_utime_modify(const cred_t *cred) 966 { 967 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 968 "modify file times")); 969 } 970 971 972 /* 973 * Name: secpolicy_vnode_setdac() 974 * 975 * Normal: verify that subject can modify the mode of a file. 976 * allzone privilege needed when modifying root owned object. 977 * 978 * Output: EPERM - if access denied. 979 */ 980 981 int 982 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 983 { 984 if (owner == cred->cr_uid) 985 return (0); 986 987 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 988 } 989 /* 990 * Name: secpolicy_vnode_stky_modify() 991 * 992 * Normal: verify that subject can make a file a "sticky". 993 * 994 * Output: EPERM - if access denied. 995 */ 996 997 int 998 secpolicy_vnode_stky_modify(const cred_t *cred) 999 { 1000 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1001 "set file sticky")); 1002 } 1003 1004 /* 1005 * Policy determines whether we can remove an entry from a directory, 1006 * regardless of permission bits. 1007 */ 1008 int 1009 secpolicy_vnode_remove(const cred_t *cr) 1010 { 1011 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1012 "sticky directory")); 1013 } 1014 1015 int 1016 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1017 { 1018 boolean_t allzone = (owner == 0); 1019 1020 if (owner == cr->cr_uid) 1021 return (0); 1022 1023 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1024 } 1025 1026 void 1027 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1028 { 1029 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1030 secpolicy_vnode_setid_retain(cr, 1031 (vap->va_mode & S_ISUID) != 0 && 1032 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1033 vap->va_mask |= AT_MODE; 1034 vap->va_mode &= ~(S_ISUID|S_ISGID); 1035 } 1036 } 1037 1038 int 1039 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1040 cred_t *cr) 1041 { 1042 int error; 1043 1044 if ((vap->va_mode & S_ISUID) != 0 && 1045 (error = secpolicy_vnode_setid_modify(cr, 1046 ovap->va_uid)) != 0) { 1047 return (error); 1048 } 1049 1050 /* 1051 * Check privilege if attempting to set the 1052 * sticky bit on a non-directory. 1053 */ 1054 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1055 secpolicy_vnode_stky_modify(cr) != 0) { 1056 vap->va_mode &= ~S_ISVTX; 1057 } 1058 1059 /* 1060 * Check for privilege if attempting to set the 1061 * group-id bit. 1062 */ 1063 if ((vap->va_mode & S_ISGID) != 0 && 1064 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1065 vap->va_mode &= ~S_ISGID; 1066 } 1067 1068 return (0); 1069 } 1070 1071 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1072 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1073 B_FALSE, EPERM, NULL) 1074 1075 /* 1076 * Check privileges for setting xvattr attributes 1077 */ 1078 int 1079 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1080 { 1081 xoptattr_t *xoap; 1082 int error = 0; 1083 1084 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1085 return (EINVAL); 1086 1087 /* 1088 * First process the DOS bits 1089 */ 1090 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1091 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1092 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1093 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1094 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1095 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1096 return (error); 1097 } 1098 1099 /* 1100 * Now handle special attributes 1101 */ 1102 1103 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1104 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1105 xoap->xoa_immutable, cr); 1106 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1107 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1108 xoap->xoa_nounlink, cr); 1109 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1110 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1111 xoap->xoa_appendonly, cr); 1112 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1113 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1114 xoap->xoa_nodump, cr); 1115 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1116 error = EPERM; 1117 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1118 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1119 xoap->xoa_av_quarantined, cr); 1120 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1121 error = EINVAL; 1122 } 1123 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1124 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1125 xoap->xoa_av_modified, cr); 1126 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1127 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1128 xoap->xoa_av_scanstamp, cr); 1129 if (error == 0 && vtype != VREG) 1130 error = EINVAL; 1131 } 1132 return (error); 1133 } 1134 1135 /* 1136 * This function checks the policy decisions surrounding the 1137 * vop setattr call. 1138 * 1139 * It should be called after sufficient locks have been established 1140 * on the underlying data structures. No concurrent modifications 1141 * should be allowed. 1142 * 1143 * The caller must pass in unlocked version of its vaccess function 1144 * this is required because vop_access function should lock the 1145 * node for reading. A three argument function should be defined 1146 * which accepts the following argument: 1147 * A pointer to the internal "node" type (inode *) 1148 * vnode access bits (VREAD|VWRITE|VEXEC) 1149 * a pointer to the credential 1150 * 1151 * This function makes the following policy decisions: 1152 * 1153 * - change permissions 1154 * - permission to change file mode if not owner 1155 * - permission to add sticky bit to non-directory 1156 * - permission to add set-gid bit 1157 * 1158 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1159 * 1160 * If the vap argument does not include AT_MODE, the mode will be copied from 1161 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1162 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1163 * is updated to the newly computed mode. 1164 */ 1165 1166 int 1167 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1168 const struct vattr *ovap, int flags, 1169 int unlocked_access(void *, int, cred_t *), 1170 void *node) 1171 { 1172 int mask = vap->va_mask; 1173 int error = 0; 1174 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1175 1176 if (mask & AT_SIZE) { 1177 if (vp->v_type == VDIR) { 1178 error = EISDIR; 1179 goto out; 1180 } 1181 1182 /* 1183 * If ATTR_NOACLCHECK is set in the flags, then we don't 1184 * perform the secondary unlocked_access() call since the 1185 * ACL (if any) is being checked there. 1186 */ 1187 if (skipaclchk == B_FALSE) { 1188 error = unlocked_access(node, VWRITE, cr); 1189 if (error) 1190 goto out; 1191 } 1192 } 1193 if (mask & AT_MODE) { 1194 /* 1195 * If not the owner of the file then check privilege 1196 * for two things: the privilege to set the mode at all 1197 * and, if we're setting setuid, we also need permissions 1198 * to add the set-uid bit, if we're not the owner. 1199 * In the specific case of creating a set-uid root 1200 * file, we need even more permissions. 1201 */ 1202 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1203 goto out; 1204 1205 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1206 ovap, cr)) != 0) 1207 goto out; 1208 } else 1209 vap->va_mode = ovap->va_mode; 1210 1211 if (mask & (AT_UID|AT_GID)) { 1212 boolean_t checkpriv = B_FALSE; 1213 int priv; 1214 boolean_t allzone = B_FALSE; 1215 1216 /* 1217 * Chowning files. 1218 * 1219 * If you are the file owner: 1220 * chown to other uid FILE_CHOWN_SELF 1221 * chown to gid (non-member) FILE_CHOWN_SELF 1222 * chown to gid (member) <none> 1223 * 1224 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1225 * acceptable but the first one is reported when debugging. 1226 * 1227 * If you are not the file owner: 1228 * chown from root PRIV_FILE_CHOWN + zone 1229 * chown from other to any PRIV_FILE_CHOWN 1230 * 1231 */ 1232 if (cr->cr_uid != ovap->va_uid) { 1233 checkpriv = B_TRUE; 1234 allzone = (ovap->va_uid == 0); 1235 priv = PRIV_FILE_CHOWN; 1236 } else { 1237 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1238 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1239 !groupmember(vap->va_gid, cr))) { 1240 checkpriv = B_TRUE; 1241 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1242 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1243 } 1244 } 1245 /* 1246 * If necessary, check privilege to see if update can be done. 1247 */ 1248 if (checkpriv && 1249 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1250 != 0) { 1251 goto out; 1252 } 1253 1254 /* 1255 * If the file has either the set UID or set GID bits 1256 * set and the caller can set the bits, then leave them. 1257 */ 1258 secpolicy_setid_clear(vap, cr); 1259 } 1260 if (mask & (AT_ATIME|AT_MTIME)) { 1261 /* 1262 * If not the file owner and not otherwise privileged, 1263 * always return an error when setting the 1264 * time other than the current (ATTR_UTIME flag set). 1265 * If setting the current time (ATTR_UTIME not set) then 1266 * unlocked_access will check permissions according to policy. 1267 */ 1268 if (cr->cr_uid != ovap->va_uid) { 1269 if (flags & ATTR_UTIME) 1270 error = secpolicy_vnode_utime_modify(cr); 1271 else if (skipaclchk == B_FALSE) { 1272 error = unlocked_access(node, VWRITE, cr); 1273 if (error == EACCES && 1274 secpolicy_vnode_utime_modify(cr) == 0) 1275 error = 0; 1276 } 1277 if (error) 1278 goto out; 1279 } 1280 } 1281 1282 /* 1283 * Check for optional attributes here by checking the following: 1284 */ 1285 if (mask & AT_XVATTR) 1286 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1287 vp->v_type); 1288 out: 1289 return (error); 1290 } 1291 1292 /* 1293 * Name: secpolicy_pcfs_modify_bootpartition() 1294 * 1295 * Normal: verify that subject can modify a pcfs boot partition. 1296 * 1297 * Output: EACCES - if privilege check failed. 1298 */ 1299 /*ARGSUSED*/ 1300 int 1301 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1302 { 1303 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1304 "modify pcfs boot partition")); 1305 } 1306 1307 /* 1308 * System V IPC routines 1309 */ 1310 int 1311 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1312 { 1313 if (crgetzoneid(cr) != ip->ipc_zoneid || 1314 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1315 boolean_t allzone = B_FALSE; 1316 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1317 allzone = B_TRUE; 1318 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1319 } 1320 return (0); 1321 } 1322 1323 int 1324 secpolicy_ipc_config(const cred_t *cr) 1325 { 1326 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1327 } 1328 1329 int 1330 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1331 { 1332 1333 boolean_t allzone = B_FALSE; 1334 1335 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1336 1337 if ((mode & MSG_R) && 1338 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1339 return (EACCES); 1340 1341 if (mode & MSG_W) { 1342 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1343 allzone = B_TRUE; 1344 1345 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1346 NULL)); 1347 } 1348 return (0); 1349 } 1350 1351 int 1352 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1353 { 1354 boolean_t allzone = B_FALSE; 1355 1356 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1357 1358 if ((mode & MSG_R) && 1359 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1360 return (EACCES); 1361 1362 if (mode & MSG_W) { 1363 if (cr->cr_uid != 0 && owner == 0) 1364 allzone = B_TRUE; 1365 1366 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1367 NULL)); 1368 } 1369 return (0); 1370 } 1371 1372 /* 1373 * Audit configuration. 1374 */ 1375 int 1376 secpolicy_audit_config(const cred_t *cr) 1377 { 1378 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1379 } 1380 1381 /* 1382 * Audit record generation. 1383 */ 1384 int 1385 secpolicy_audit_modify(const cred_t *cr) 1386 { 1387 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1388 } 1389 1390 /* 1391 * Get audit attributes. 1392 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1393 * "Least" of the two privileges on error. 1394 */ 1395 int 1396 secpolicy_audit_getattr(const cred_t *cr) 1397 { 1398 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1399 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1400 NULL)); 1401 } else { 1402 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1403 } 1404 } 1405 1406 1407 /* 1408 * Locking physical memory 1409 */ 1410 int 1411 secpolicy_lock_memory(const cred_t *cr) 1412 { 1413 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1414 } 1415 1416 /* 1417 * Accounting (both acct(2) and exacct). 1418 */ 1419 int 1420 secpolicy_acct(const cred_t *cr) 1421 { 1422 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1423 } 1424 1425 /* 1426 * Is this process privileged to change its uids at will? 1427 * Uid 0 is still considered "special" and having the SETID 1428 * privilege is not sufficient to get uid 0. 1429 * Files are owned by root, so the privilege would give 1430 * full access and euid 0 is still effective. 1431 * 1432 * If you have the privilege and euid 0 only then do you 1433 * get the powers of root wrt uid 0. 1434 * 1435 * For gid manipulations, this is should be called with an 1436 * uid of -1. 1437 * 1438 */ 1439 int 1440 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1441 { 1442 boolean_t allzone = B_FALSE; 1443 1444 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1445 cr->cr_ruid != 0) { 1446 allzone = B_TRUE; 1447 } 1448 1449 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1450 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1451 } 1452 1453 1454 /* 1455 * Acting on a different process: if the mode is for writing, 1456 * the restrictions are more severe. This is called after 1457 * we've verified that the uids do not match. 1458 */ 1459 int 1460 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1461 { 1462 boolean_t allzone = B_FALSE; 1463 1464 if ((mode & VWRITE) && scr->cr_uid != 0 && 1465 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1466 allzone = B_TRUE; 1467 1468 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1469 } 1470 1471 int 1472 secpolicy_proc_access(const cred_t *scr) 1473 { 1474 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1475 } 1476 1477 int 1478 secpolicy_proc_excl_open(const cred_t *scr) 1479 { 1480 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1481 } 1482 1483 int 1484 secpolicy_proc_zone(const cred_t *scr) 1485 { 1486 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1487 } 1488 1489 /* 1490 * Destroying the system 1491 */ 1492 1493 int 1494 secpolicy_kmdb(const cred_t *scr) 1495 { 1496 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1497 } 1498 1499 int 1500 secpolicy_error_inject(const cred_t *scr) 1501 { 1502 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1503 } 1504 1505 /* 1506 * Processor sets, cpu configuration, resource pools. 1507 */ 1508 int 1509 secpolicy_pset(const cred_t *cr) 1510 { 1511 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1512 } 1513 1514 int 1515 secpolicy_ponline(const cred_t *cr) 1516 { 1517 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1518 } 1519 1520 int 1521 secpolicy_pool(const cred_t *cr) 1522 { 1523 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1524 } 1525 1526 int 1527 secpolicy_blacklist(const cred_t *cr) 1528 { 1529 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1530 } 1531 1532 /* 1533 * Catch all system configuration. 1534 */ 1535 int 1536 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1537 { 1538 if (checkonly) { 1539 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1540 EPERM); 1541 } else { 1542 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1543 } 1544 } 1545 1546 /* 1547 * Zone administration (halt, reboot, etc.) from within zone. 1548 */ 1549 int 1550 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1551 { 1552 if (checkonly) { 1553 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1554 EPERM); 1555 } else { 1556 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1557 NULL)); 1558 } 1559 } 1560 1561 /* 1562 * Zone configuration (create, halt, enter). 1563 */ 1564 int 1565 secpolicy_zone_config(const cred_t *cr) 1566 { 1567 /* 1568 * Require all privileges to avoid possibility of privilege 1569 * escalation. 1570 */ 1571 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1572 } 1573 1574 /* 1575 * Various other system configuration calls 1576 */ 1577 int 1578 secpolicy_coreadm(const cred_t *cr) 1579 { 1580 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1581 } 1582 1583 int 1584 secpolicy_systeminfo(const cred_t *cr) 1585 { 1586 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1587 } 1588 1589 int 1590 secpolicy_dispadm(const cred_t *cr) 1591 { 1592 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1593 } 1594 1595 int 1596 secpolicy_settime(const cred_t *cr) 1597 { 1598 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1599 } 1600 1601 /* 1602 * For realtime users: high resolution clock. 1603 */ 1604 int 1605 secpolicy_clock_highres(const cred_t *cr) 1606 { 1607 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1608 NULL)); 1609 } 1610 1611 /* 1612 * drv_priv() is documented as callable from interrupt context, not that 1613 * anyone ever does, but still. No debugging or auditing can be done when 1614 * it is called from interrupt context. 1615 * returns 0 on succes, EPERM on failure. 1616 */ 1617 int 1618 drv_priv(cred_t *cr) 1619 { 1620 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1621 } 1622 1623 int 1624 secpolicy_sys_devices(const cred_t *cr) 1625 { 1626 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1627 } 1628 1629 int 1630 secpolicy_excl_open(const cred_t *cr) 1631 { 1632 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1633 } 1634 1635 int 1636 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1637 { 1638 /* zone.* rctls can only be set from the global zone */ 1639 if (is_zone_rctl && priv_policy_global(cr) != 0) 1640 return (EPERM); 1641 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1642 } 1643 1644 int 1645 secpolicy_resource(const cred_t *cr) 1646 { 1647 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1648 } 1649 1650 /* 1651 * Processes with a real uid of 0 escape any form of accounting, much 1652 * like before. 1653 */ 1654 int 1655 secpolicy_newproc(const cred_t *cr) 1656 { 1657 if (cr->cr_ruid == 0) 1658 return (0); 1659 1660 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1661 } 1662 1663 /* 1664 * Networking 1665 */ 1666 int 1667 secpolicy_net_rawaccess(const cred_t *cr) 1668 { 1669 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1670 } 1671 1672 /* 1673 * Need this privilege for accessing the ICMP device 1674 */ 1675 int 1676 secpolicy_net_icmpaccess(const cred_t *cr) 1677 { 1678 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1679 } 1680 1681 /* 1682 * There are a few rare cases where the kernel generates ioctls() from 1683 * interrupt context with a credential of kcred rather than NULL. 1684 * In those cases, we take the safe and cheap test. 1685 */ 1686 int 1687 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1688 { 1689 if (checkonly) { 1690 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1691 0 : EPERM); 1692 } else { 1693 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1694 NULL)); 1695 } 1696 } 1697 1698 1699 /* 1700 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1701 * 1702 * There are a few rare cases where the kernel generates ioctls() from 1703 * interrupt context with a credential of kcred rather than NULL. 1704 * In those cases, we take the safe and cheap test. 1705 */ 1706 int 1707 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1708 { 1709 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1710 return (secpolicy_net_config(cr, checkonly)); 1711 1712 if (checkonly) { 1713 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1714 0 : EPERM); 1715 } else { 1716 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1717 NULL)); 1718 } 1719 } 1720 1721 /* 1722 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1723 */ 1724 int 1725 secpolicy_dl_config(const cred_t *cr) 1726 { 1727 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1728 return (secpolicy_net_config(cr, B_FALSE)); 1729 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, 1730 NULL)); 1731 } 1732 1733 1734 /* 1735 * Map IP pseudo privileges to actual privileges. 1736 * So we don't need to recompile IP when we change the privileges. 1737 */ 1738 int 1739 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1740 { 1741 int priv = PRIV_ALL; 1742 1743 switch (netpriv) { 1744 case OP_CONFIG: 1745 priv = PRIV_SYS_IP_CONFIG; 1746 break; 1747 case OP_RAW: 1748 priv = PRIV_NET_RAWACCESS; 1749 break; 1750 case OP_PRIVPORT: 1751 priv = PRIV_NET_PRIVADDR; 1752 break; 1753 } 1754 ASSERT(priv != PRIV_ALL); 1755 if (checkonly) 1756 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1757 else 1758 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1759 } 1760 1761 /* 1762 * Map network pseudo privileges to actual privileges. 1763 * So we don't need to recompile IP when we change the privileges. 1764 */ 1765 int 1766 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1767 { 1768 int priv = PRIV_ALL; 1769 1770 switch (netpriv) { 1771 case OP_CONFIG: 1772 priv = PRIV_SYS_NET_CONFIG; 1773 break; 1774 case OP_RAW: 1775 priv = PRIV_NET_RAWACCESS; 1776 break; 1777 case OP_PRIVPORT: 1778 priv = PRIV_NET_PRIVADDR; 1779 break; 1780 } 1781 ASSERT(priv != PRIV_ALL); 1782 if (checkonly) 1783 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1784 else 1785 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1786 } 1787 1788 /* 1789 * Checks for operations that are either client-only or are used by 1790 * both clients and servers. 1791 */ 1792 int 1793 secpolicy_nfs(const cred_t *cr) 1794 { 1795 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1796 } 1797 1798 /* 1799 * Special case for opening rpcmod: have NFS privileges or network 1800 * config privileges. 1801 */ 1802 int 1803 secpolicy_rpcmod_open(const cred_t *cr) 1804 { 1805 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1806 return (secpolicy_nfs(cr)); 1807 else 1808 return (secpolicy_net_config(cr, NULL)); 1809 } 1810 1811 int 1812 secpolicy_chroot(const cred_t *cr) 1813 { 1814 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1815 } 1816 1817 int 1818 secpolicy_tasksys(const cred_t *cr) 1819 { 1820 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1821 } 1822 1823 /* 1824 * Basic privilege checks. 1825 */ 1826 int 1827 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 1828 { 1829 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 1830 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1831 } 1832 1833 int 1834 secpolicy_basic_fork(const cred_t *cr) 1835 { 1836 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1837 } 1838 1839 int 1840 secpolicy_basic_proc(const cred_t *cr) 1841 { 1842 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1843 } 1844 1845 /* 1846 * Slightly complicated because we don't want to trigger the policy too 1847 * often. First we shortcircuit access to "self" (tp == sp) or if 1848 * we don't have the privilege but if we have permission 1849 * just return (0) and we don't flag the privilege as needed. 1850 * Else, we test for the privilege because we either have it or need it. 1851 */ 1852 int 1853 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1854 { 1855 if (tp == sp || 1856 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1857 return (0); 1858 } else { 1859 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1860 } 1861 } 1862 1863 int 1864 secpolicy_basic_link(const cred_t *cr) 1865 { 1866 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1867 } 1868 1869 /* 1870 * Additional device protection. 1871 * 1872 * Traditionally, a device has specific permissions on the node in 1873 * the filesystem which govern which devices can be opened by what 1874 * processes. In certain cases, it is desirable to add extra 1875 * restrictions, as writing to certain devices is identical to 1876 * having a complete run of the system. 1877 * 1878 * This mechanism is called the device policy. 1879 * 1880 * When a device is opened, its policy entry is looked up in the 1881 * policy cache and checked. 1882 */ 1883 int 1884 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1885 { 1886 devplcy_t *plcy; 1887 int err; 1888 struct snode *csp = VTOS(common_specvp(vp)); 1889 priv_set_t pset; 1890 1891 mutex_enter(&csp->s_lock); 1892 1893 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1894 plcy = devpolicy_find(vp); 1895 if (csp->s_plcy) 1896 dpfree(csp->s_plcy); 1897 csp->s_plcy = plcy; 1898 ASSERT(plcy != NULL); 1899 } else 1900 plcy = csp->s_plcy; 1901 1902 if (plcy == nullpolicy) { 1903 mutex_exit(&csp->s_lock); 1904 return (0); 1905 } 1906 1907 dphold(plcy); 1908 1909 mutex_exit(&csp->s_lock); 1910 1911 if (oflag & FWRITE) 1912 pset = plcy->dp_wrp; 1913 else 1914 pset = plcy->dp_rdp; 1915 /* 1916 * Special case: 1917 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1918 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1919 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1920 * in the required privilege set before doing the check. 1921 */ 1922 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1923 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1924 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1925 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1926 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1927 } 1928 1929 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1930 dpfree(plcy); 1931 1932 return (err); 1933 } 1934 1935 int 1936 secpolicy_modctl(const cred_t *cr, int cmd) 1937 { 1938 switch (cmd) { 1939 case MODINFO: 1940 case MODGETMAJBIND: 1941 case MODGETPATH: 1942 case MODGETPATHLEN: 1943 case MODGETNAME: 1944 case MODGETFBNAME: 1945 case MODGETDEVPOLICY: 1946 case MODGETDEVPOLICYBYNAME: 1947 case MODDEVT2INSTANCE: 1948 case MODSIZEOF_DEVID: 1949 case MODGETDEVID: 1950 case MODSIZEOF_MINORNAME: 1951 case MODGETMINORNAME: 1952 case MODGETDEVFSPATH_LEN: 1953 case MODGETDEVFSPATH: 1954 case MODGETDEVFSPATH_MI_LEN: 1955 case MODGETDEVFSPATH_MI: 1956 /* Unprivileged */ 1957 return (0); 1958 case MODLOAD: 1959 case MODSETDEVPOLICY: 1960 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1961 default: 1962 return (secpolicy_sys_config(cr, B_FALSE)); 1963 } 1964 } 1965 1966 int 1967 secpolicy_console(const cred_t *cr) 1968 { 1969 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1970 } 1971 1972 int 1973 secpolicy_power_mgmt(const cred_t *cr) 1974 { 1975 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1976 } 1977 1978 /* 1979 * Simulate terminal input; another escalation of privileges avenue. 1980 */ 1981 1982 int 1983 secpolicy_sti(const cred_t *cr) 1984 { 1985 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1986 } 1987 1988 boolean_t 1989 secpolicy_net_reply_equal(const cred_t *cr) 1990 { 1991 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1992 } 1993 1994 int 1995 secpolicy_swapctl(const cred_t *cr) 1996 { 1997 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1998 } 1999 2000 int 2001 secpolicy_cpc_cpu(const cred_t *cr) 2002 { 2003 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2004 } 2005 2006 /* 2007 * secpolicy_contract_identity 2008 * 2009 * Determine if the subject may set the process contract FMRI value 2010 */ 2011 int 2012 secpolicy_contract_identity(const cred_t *cr) 2013 { 2014 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2015 } 2016 2017 /* 2018 * secpolicy_contract_observer 2019 * 2020 * Determine if the subject may observe a specific contract's events. 2021 */ 2022 int 2023 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2024 { 2025 if (contract_owned(ct, cr, B_FALSE)) 2026 return (0); 2027 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2028 } 2029 2030 /* 2031 * secpolicy_contract_observer_choice 2032 * 2033 * Determine if the subject may observe any contract's events. Just 2034 * tests privilege and audits on success. 2035 */ 2036 boolean_t 2037 secpolicy_contract_observer_choice(const cred_t *cr) 2038 { 2039 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2040 } 2041 2042 /* 2043 * secpolicy_contract_event 2044 * 2045 * Determine if the subject may request critical contract events or 2046 * reliable contract event delivery. 2047 */ 2048 int 2049 secpolicy_contract_event(const cred_t *cr) 2050 { 2051 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2052 } 2053 2054 /* 2055 * secpolicy_contract_event_choice 2056 * 2057 * Determine if the subject may retain contract events in its critical 2058 * set when a change in other terms would normally require a change in 2059 * the critical set. Just tests privilege and audits on success. 2060 */ 2061 boolean_t 2062 secpolicy_contract_event_choice(const cred_t *cr) 2063 { 2064 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2065 } 2066 2067 /* 2068 * secpolicy_gart_access 2069 * 2070 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2071 * device. 2072 */ 2073 int 2074 secpolicy_gart_access(const cred_t *cr) 2075 { 2076 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2077 } 2078 2079 /* 2080 * secpolicy_gart_map 2081 * 2082 * Determine if the subject has sufficient priveleges to map aperture range 2083 * through agpgart driver. 2084 */ 2085 int 2086 secpolicy_gart_map(const cred_t *cr) 2087 { 2088 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2089 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2090 NULL)); 2091 } else { 2092 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2093 NULL)); 2094 } 2095 } 2096 2097 /* 2098 * secpolicy_zinject 2099 * 2100 * Determine if the subject can inject faults in the ZFS fault injection 2101 * framework. Requires all privileges. 2102 */ 2103 int 2104 secpolicy_zinject(const cred_t *cr) 2105 { 2106 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2107 } 2108 2109 /* 2110 * secpolicy_zfs 2111 * 2112 * Determine if the subject has permission to manipulate ZFS datasets 2113 * (not pools). Equivalent to the SYS_MOUNT privilege. 2114 */ 2115 int 2116 secpolicy_zfs(const cred_t *cr) 2117 { 2118 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2119 } 2120 2121 /* 2122 * secpolicy_idmap 2123 * 2124 * Determine if the calling process has permissions to register an SID 2125 * mapping daemon and allocate ephemeral IDs. 2126 */ 2127 int 2128 secpolicy_idmap(const cred_t *cr) 2129 { 2130 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2131 } 2132 2133 /* 2134 * secpolicy_ucode_update 2135 * 2136 * Determine if the subject has sufficient privilege to update microcode. 2137 */ 2138 int 2139 secpolicy_ucode_update(const cred_t *scr) 2140 { 2141 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2142 } 2143 2144 /* 2145 * secpolicy_sadopen 2146 * 2147 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2148 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2149 * In global zone, sys_config is required. 2150 * In exclusive-IP zones, sys_ip_config is required. 2151 * Note that sys_config is prohibited in non-global zones. 2152 */ 2153 int 2154 secpolicy_sadopen(const cred_t *credp) 2155 { 2156 priv_set_t pset; 2157 2158 priv_emptyset(&pset); 2159 2160 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2161 priv_addset(&pset, PRIV_SYS_CONFIG); 2162 else 2163 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2164 2165 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2166 } 2167 2168 2169 /* 2170 * Add privileges to a particular privilege set; this is called when the 2171 * current sets of privileges are not sufficient. I.e., we should always 2172 * call the policy override functions from here. 2173 * What we are allowed to have is in the Observed Permitted set; so 2174 * we compute the difference between that and the newset. 2175 */ 2176 int 2177 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2178 { 2179 priv_set_t rqd; 2180 2181 rqd = CR_OPPRIV(cr); 2182 2183 priv_inverse(&rqd); 2184 priv_intersect(nset, &rqd); 2185 2186 return (secpolicy_require_set(cr, &rqd, NULL)); 2187 } 2188 2189 /* 2190 * secpolicy_smb 2191 * 2192 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2193 * that it has permission to access the smbsrv kernel driver. 2194 * PRIV_POLICY checks the privilege and audits the check. 2195 * 2196 * Returns: 2197 * 0 Driver access is allowed. 2198 * EPERM Driver access is NOT permitted. 2199 */ 2200 int 2201 secpolicy_smb(const cred_t *cr) 2202 { 2203 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2204 } 2205 2206 /* 2207 * secpolicy_vscan 2208 * 2209 * Determine if cred_t has the necessary privileges to access a file 2210 * for virus scanning and update its extended system attributes. 2211 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2212 * PRIV_FILE_FLAG_SET - set extended system attributes 2213 * 2214 * PRIV_POLICY checks the privilege and audits the check. 2215 * 2216 * Returns: 2217 * 0 file access for virus scanning allowed. 2218 * EPERM file access for virus scanning is NOT permitted. 2219 */ 2220 int 2221 secpolicy_vscan(const cred_t *cr) 2222 { 2223 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2224 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2225 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2226 return (EPERM); 2227 } 2228 2229 return (0); 2230 } 2231 2232 /* 2233 * secpolicy_smbfs_login 2234 * 2235 * Determines if the caller can add and delete the smbfs login 2236 * password in the the nsmb kernel module for the CIFS client. 2237 * 2238 * Returns: 2239 * 0 access is allowed. 2240 * EPERM access is NOT allowed. 2241 */ 2242 int 2243 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2244 { 2245 uid_t cruid = crgetruid(cr); 2246 2247 if (cruid == uid) 2248 return (0); 2249 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2250 EPERM, NULL)); 2251 } 2252 2253 /* 2254 * secpolicy_xvm_control 2255 * 2256 * Determines if a caller can control the xVM hypervisor and/or running 2257 * domains (x86 specific). 2258 * 2259 * Returns: 2260 * 0 access is allowed. 2261 * EPERM access is NOT allowed. 2262 */ 2263 int 2264 secpolicy_xvm_control(const cred_t *cr) 2265 { 2266 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2267 return (EPERM); 2268 return (0); 2269 } 2270