/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
INSERT COMMENT
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#
# Privileges can be added to this file at any location, not
# necessarily at the end.  For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.

privilege PRIV_CONTRACT_OBSERVER

	Allows a process to observe contract events generated by
	contracts created and owned by users other than the process's
	effective user ID.
	Allows a process to open contract event endpoints belonging to
	contracts created and owned by users other than the process's
	effective user ID.

privilege PRIV_CPC_CPU

	Allows a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

	Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

	Allows DTrace process-level tracing.
	Allows process-level tracing probes to be placed and enabled in
	processes to which the user has permissions.

privilege PRIV_DTRACE_USER

	Allows DTrace user-level tracing.
	Allows use of the syscall and profile DTrace providers to
	examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

	Allows a process to change a file's owner user ID.
	Allows a process to change a file's group ID to one other than
	the process' effective group ID or one of the process'
	supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

	Allows a process to give away its files; a process with this
	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
	in effect.

privilege PRIV_FILE_DAC_EXECUTE

	Allows a process to execute an executable file whose permission
	bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

	Allows a process to search a directory whose permission bits or
	ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0, ALL privileges are required.

basic privilege PRIV_FILE_LINK_ANY

	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.

privilege PRIV_FILE_OWNER

	Allows a process which is not the owner of a file or directory
	to perform the following operations that are normally permitted
	only for the file owner: modify that file's access and
	modification times; remove or rename a file or directory whose
	parent directory has the ``save text image after execution''
	(sticky) bit set; mount a ``namefs'' upon a file; modify
	permission bits or ACL except for the set-uid and set-gid
	bits.

privilege PRIV_FILE_SETID

	Allows a process to change the ownership of a file or write to
	a file without the set-user-ID and set-group-ID bits being
	cleared.
	Allows a process to set the set-group-ID bit on a file or
	directory whose group is not the process' effective group or
	one of the process' supplemental groups.
	Allows a process to set the set-user-ID bit on a file with
	different ownership in the presence of PRIV_FILE_OWNER.
	Additional restrictions apply when creating or modifying a
	set-uid 0 file.

privilege PRIV_GART_ACCESS

	Allows a process to make ioctls to the agpgart device, except
	that the AGPIOC_INFO ioctl needs no privilege.  Typically only
	the xserver process needs to have this privilege.  A process
	with this privilege is also allowed to map aperture ranges
	through the agpgart driver.

privilege PRIV_GART_MAP

	Allows a process to map aperture ranges through the agpgart
	driver.  This privilege does not allow the process to make agpgart
	ioctls other than AGPIOC_INFO.

privilege PRIV_IPC_DAC_READ

	Allows a process to read a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process read permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

	Allows a process to write a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process write permission.
	Allows a process to write remote shared memory whose
	permission bits do not allow the process write permission.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

	Allows a process which is not the owner of a System
	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
	remove, change ownership of, or change permission bits of the
	Message Queue, Semaphore Set, or Shared Memory Segment.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_NET_ICMPACCESS

	Allows a process to send and receive ICMP packets.

privilege PRIV_NET_PRIVADDR

	Allows a process to bind to a privileged port
	number.  The privileged port numbers are 1-1023 (the traditional
	UNIX privileged ports) as well as those ports marked as
	"udp/tcp_extra_priv_ports", with the exception of the ports
	reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

	Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

	Allows a process to generate audit records.
	Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

	Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

	Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

	Allows a process to call execve().

basic privilege PRIV_PROC_FORK

	Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO

	Allows a process to examine the status of processes other
	than those it can send signals to.  Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

	Allows a process to lock pages in physical memory.

privilege PRIV_PROC_OWNER

	Allows a process to send signals to other processes, and to inspect
	and modify the process state of other processes regardless of
	ownership.  When modifying another process, additional
	restrictions apply: the effective privilege set of the
	attaching process must be a superset of the target process'
	effective, permitted and inheritable sets; the limit set must
	be a superset of the target's limit set; if the target process
	has any uid set to 0, all privileges must be asserted unless the
	effective uid is 0.
	Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOCNTL

	Allows a process to elevate its priority above its current level.
	Allows a process to change its scheduling class to any scheduling class,
	including the RT class.

basic privilege PRIV_PROC_SESSION

	Allows a process to send signals to or trace processes outside its
	session.

unsafe privilege PRIV_PROC_SETID

	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

	Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

	Allows a process to trace or send signals to processes in
	other zones.

privilege PRIV_SYS_ACCT

	Allows a process to enable, disable and manage accounting through
	acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

	Allows a process to perform system administration tasks such
	as setting the node and domain name and specifying nscd and coreadm
	settings.

privilege PRIV_SYS_AUDIT

	Allows a process to start the (kernel) audit daemon.
	Allows a process to view and set audit state (audit user ID,
	audit terminal ID, audit session ID, audit pre-selection mask).
	Allows a process to turn auditing off and on.
	Allows a process to configure the audit parameters (cache and
	queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

	Allows a process to perform various system configuration tasks.
	Allows a process to add and remove swap devices; when adding a swap
	device, a process must also have sufficient privileges to read from
	and write to the swap device.

privilege PRIV_SYS_DEVICES

	Allows a process to successfully call a kernel module that
	calls the kernel drv_priv(9F) function to check for allowed
	access.
	Allows a process to open the real console device directly.
	Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

	Allows a process to increase the size of a System V IPC Message
	Queue buffer.

privilege PRIV_SYS_LINKDIR

	Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

	Allows filesystem specific administrative procedures, such as
	filesystem configuration ioctls, quota calls and creation/deletion
	of snapshots.
	Allows a process to mount and unmount filesystems which would
	otherwise be restricted (i.e., most filesystems except
	namefs).
	A process performing a mount operation needs to have
	appropriate access to the device being mounted (read-write for
	"rw" mounts, read for "ro" mounts).
	A process performing any of the aforementioned
	filesystem operations needs to have read/write/owner
	access to the mount point.
	Only regular files and directories can serve as mount points
	for processes which do not have all zone privileges asserted.
	Unless a process has all zone privileges, the mount(2)
	system call will force the "nosuid" and "restrict" options, the
	latter only for autofs mountpoints.
	Regardless of privileges, a process running in a non-global zone may
	only control mounts performed from within said zone.
	Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_NET_CONFIG

	Allows a process to configure a system's network interfaces and routes.
	Allows a process to configure network parameters using ndd.
	Allows a process access to otherwise restricted information using ndd.
	Allows a process to push the rpcmod STREAMS module.
	Allows a process to pop anchored STREAMS modules.
	Allows a process to INSERT/REMOVE STREAMS modules at locations other
	than the top of the module stack.
	Allows a process to configure IPsec.

privilege PRIV_SYS_NFS

	Allows a process to perform Sun private NFS specific system calls.
	Allows a process to bind to ports reserved by NFS: port 2049 (nfs)
	and port 4045 (lockd).

privilege PRIV_SYS_RES_CONFIG

	Allows a process to create and delete processor sets, assign
	CPUs to processor sets and override the PSET_NOESCAPE property.
	Allows a process to change the operational status of CPUs in
	the system using p_online(2).
	Allows a process to configure resource pools and to bind
	processes to pools.

unsafe privilege PRIV_SYS_RESOURCE

	Allows a process to modify the resource limits specified
	by setrlimit(2) and setrctl(2) without restriction.
	Allows a process to exceed the per-user maximum number of
	processes.
	Allows a process to extend or create files on a filesystem that
	has less than minfree space in reserve.

privilege PRIV_SYS_SUSER_COMPAT

	Allows a process to successfully call a third party loadable module
	that calls the kernel suser() function to check for allowed access.
	This privilege exists only for third party loadable module
	compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

	Allows a process to manipulate system time using any of the
	appropriate system calls: stime, adjtime, ntp_adjtime and
	the IA specific RTC calls.

set PRIV_EFFECTIVE

	Set of privileges currently in effect.

set PRIV_INHERITABLE

	Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

	Set of privileges that can be put into the effective set without
	restriction.

set PRIV_LIMIT

	Set of privileges that determines the absolute upper bound of
	privileges this process and its offspring can obtain.
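The four set definitions above and the PRIV_PROC_OWNER attach rule given earlier are easier to reason about when run as a small model. The C below is an added example for this page, not code from the Solaris source tree; it models sets as bitmasks and assumes the standard privileges(5) rules that this file only states implicitly: E may be raised only to a subset of P, P and L may only shrink, a change to L takes effect at the next exec, and a plain (non-set-id) exec sets E, P and I to I intersected with L. The five sample privileges, their bit positions and the `proc_t` layout are this example's own choices.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* A privilege set is a bitmask, one bit per privilege.  The bit positions
 * and the handful of privileges below are this example's own, not the
 * kernel's numbering. */
typedef uint32_t privset_t;

enum {
	PRIV_FILE_DAC_READ  = 1u << 0,
	PRIV_FILE_DAC_WRITE = 1u << 1,
	PRIV_NET_PRIVADDR   = 1u << 2,
	PRIV_PROC_OWNER     = 1u << 3,
	PRIV_SYS_MOUNT      = 1u << 4,
	PRIV_ALL            = (1u << 5) - 1	/* "all privileges asserted" */
};

typedef struct {
	privset_t e, p, i, l;	/* effective, permitted, inheritable, limit */
	uid_t ruid, euid, suid;	/* real, effective and saved user IDs */
} proc_t;

/* E may be set to any subset of P (the PRIV_PERMITTED rule). */
static bool
priv_set_effective(proc_t *pr, privset_t set)
{
	if ((set & ~pr->p) != 0)
		return (false);
	pr->e = set;
	return (true);
}

/* P can only shrink; a privilege dropped from P leaves E as well. */
static bool
priv_set_permitted(proc_t *pr, privset_t set)
{
	if ((set & ~pr->p) != 0)
		return (false);
	pr->p = set;
	pr->e &= set;
	return (true);
}

/* L can only shrink.  Assumed from privileges(5): the change applies at the
 * next exec, so the current E and P are left alone here. */
static bool
priv_set_limit(proc_t *pr, privset_t set)
{
	if ((set & ~pr->l) != 0)
		return (false);
	pr->l = set;
	return (true);
}

/* Plain exec (no set-id bits): E' = P' = I' = I & L, and L' = L. */
static void
priv_exec(proc_t *pr)
{
	privset_t next = pr->i & pr->l;
	pr->e = pr->p = pr->i = next;
}

static bool
has_uid0(const proc_t *pr)
{
	return (pr->ruid == 0 || pr->euid == 0 || pr->suid == 0);
}

/* The PRIV_PROC_OWNER restrictions for modifying another process: the
 * attacher's E must cover the target's E, P and I, its L must cover the
 * target's L, and a target with any uid 0 requires all privileges unless
 * the attacher's euid is 0.  Ownership-based access is not modelled. */
static bool
priv_can_modify(const proc_t *att, const proc_t *tgt)
{
	if ((att->e & PRIV_PROC_OWNER) == 0)
		return (false);
	if (((tgt->e | tgt->p | tgt->i) & ~att->e) != 0)
		return (false);
	if ((tgt->l & ~att->l) != 0)
		return (false);
	if (has_uid0(tgt) && att->euid != 0 && att->e != PRIV_ALL)
		return (false);
	return (true);
}

int
main(void)
{
	/* Constructed sample: a network daemon that keeps only what it needs. */
	proc_t d = { .e = 0, .p = PRIV_NET_PRIVADDR | PRIV_FILE_DAC_READ,
	    .i = PRIV_NET_PRIVADDR | PRIV_SYS_MOUNT, .l = PRIV_ALL,
	    .ruid = 1000, .euid = 1000, .suid = 1000 };

	printf("raise NET_PRIVADDR: %d\n", priv_set_effective(&d, PRIV_NET_PRIVADDR));
	printf("raise SYS_MOUNT:    %d\n", priv_set_effective(&d, PRIV_SYS_MOUNT));
	priv_set_limit(&d, PRIV_NET_PRIVADDR);	/* children can never mount */
	priv_exec(&d);
	printf("after exec E=%#x P=%#x I=%#x L=%#x\n", d.e, d.p, d.i, d.l);
	return (0);
}
```

The exec step is where the limit set earns its keep: PRIV_SYS_MOUNT is in the daemon's inheritable set, but because it was removed from L before the exec, the child comes up with E, P and I all equal to PRIV_NET_PRIVADDR and has no way to get mount back.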