1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 58 /* 59 * There are two possible layers of privilege routines and two possible 60 * levels of secpolicy. Plus one other we may not be interested in, so 61 * we may need as many as 6 but no more. 62 */ 63 #define MAXPRIVSTACK 6 64 65 int priv_debug = 0; 66 67 /* 68 * This file contains the majority of the policy routines. 69 * Since the policy routines are defined by function and not 70 * by privilege, there is quite a bit of duplication of 71 * functions. 72 * 73 * The secpolicy functions must not make assumptions about 74 * locks held or not held as any lock can be held while they're 75 * being called. 76 * 77 * Credentials are read-only so no special precautions need to 78 * be taken while locking them. 79 * 80 * When a new policy check needs to be added to the system the 81 * following procedure should be followed: 82 * 83 * Pick an appropriate secpolicy_*() function 84 * -> done if one exists. 85 * Create a new secpolicy function, preferably with 86 * a descriptive name using the standard template. 87 * Pick an appropriate privilege for the policy. 88 * If no appropraite privilege exists, define new one 89 * (this should be done with extreme care; in most cases 90 * little is gained by adding another privilege) 91 * 92 * WHY ROOT IS STILL SPECIAL. 93 * 94 * In a number of the policy functions, there are still explicit 95 * checks for uid 0. The rationale behind these is that many root 96 * owned files/objects hold configuration information which can give full 97 * privileges to the user once written to. To prevent escalation 98 * of privilege by allowing just a single privilege to modify root owned 99 * objects, we've added these root specific checks where we considered 100 * them necessary: modifying root owned files, changing uids to 0, etc. 101 * 102 * PRIVILEGE ESCALATION AND ZONES. 103 * 104 * A number of operations potentially allow the caller to achieve 105 * privileges beyond the ones normally required to perform the operation. 106 * For example, if allowed to create a setuid 0 executable, a process can 107 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 108 * restrictions on the ability to gain privileges beyond those available 109 * within the zone through file and process manipulation. Hence, such 110 * operations require that the caller have an effective set that includes 111 * all privileges available within the current zone, or all privileges 112 * if executing in the global zone. 113 * 114 * This is indicated in the priv_policy* policy checking functions 115 * through a combination of parameters. The "priv" parameter indicates 116 * the privilege that is required, and the "allzone" parameter indicates 117 * whether or not all privileges in the zone are required. In addition, 118 * priv can be set to PRIV_ALL to indicate that all privileges are 119 * required (regardless of zone). There are three scenarios of interest: 120 * (1) operation requires a specific privilege 121 * (2) operation requires a specific privilege, and requires all 122 * privileges available within the zone (or all privileges if in 123 * the global zone) 124 * (3) operation requires all privileges, regardless of zone 125 * 126 * For (1), priv should be set to the specific privilege, and allzone 127 * should be set to B_FALSE. 128 * For (2), priv should be set to the specific privilege, and allzone 129 * should be set to B_TRUE. 130 * For (3), priv should be set to PRIV_ALL, and allzone should be set 131 * to B_FALSE. 132 * 133 */ 134 135 /* 136 * The privileges are checked against the Effective set for 137 * ordinary processes and checked against the Limit set 138 * for euid 0 processes that haven't manipulated their privilege 139 * sets. 140 */ 141 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 142 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 143 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 144 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 145 HAS_ALLPRIVS(cr) : \ 146 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 147 148 /* 149 * Policy checking functions. 150 * 151 * All of the system's policy should be implemented here. 152 */ 153 154 /* 155 * Private functions which take an additional va_list argument to 156 * implement an object specific policy override. 157 */ 158 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 159 const char *, va_list); 160 static int priv_policy_va(const cred_t *, int, boolean_t, int, 161 const char *, ...); 162 163 /* 164 * Generic policy calls 165 * 166 * The "bottom" functions of policy control 167 */ 168 static char * 169 mprintf(const char *fmt, ...) 170 { 171 va_list args; 172 char *buf; 173 size_t len; 174 175 va_start(args, fmt); 176 len = vsnprintf(NULL, 0, fmt, args) + 1; 177 va_end(args); 178 179 buf = kmem_alloc(len, KM_NOSLEEP); 180 181 if (buf == NULL) 182 return (NULL); 183 184 va_start(args, fmt); 185 (void) vsnprintf(buf, len, fmt, args); 186 va_end(args); 187 188 return (buf); 189 } 190 191 /* 192 * priv_policy_errmsg() 193 * 194 * Generate an error message if privilege debugging is enabled system wide 195 * or for this particular process. 196 */ 197 198 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 199 #define FMTMSG " for \"%s\"" 200 #define FMTFUN " needed at %s+0x%lx" 201 202 /* The maximum size privilege format: the concatenation of the above */ 203 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 204 205 static void 206 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 207 { 208 struct proc *me; 209 pc_t stack[MAXPRIVSTACK]; 210 int depth; 211 int i; 212 char *sym; 213 ulong_t off; 214 const char *pname; 215 216 char *cmd; 217 char fmt[sizeof (FMTMAX)]; 218 219 if ((me = curproc) == &p0) 220 return; 221 222 /* Privileges must be defined */ 223 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 224 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 225 priv_getbynum(priv) != NULL); 226 227 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 228 priv = PRIV_ALL; 229 230 if (curthread->t_pre_sys) 231 ttolwp(curthread)->lwp_badpriv = (short)priv; 232 233 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 234 return; 235 236 (void) strcpy(fmt, FMTHDR); 237 238 if (me->p_user.u_comm[0]) 239 cmd = &me->p_user.u_comm[0]; 240 else 241 cmd = "priv_policy"; 242 243 if (msg != NULL && *msg != '\0') { 244 (void) strcat(fmt, FMTMSG); 245 } else { 246 (void) strcat(fmt, "%s"); 247 msg = ""; 248 } 249 250 sym = NULL; 251 252 depth = getpcstack(stack, MAXPRIVSTACK); 253 254 /* 255 * Try to find the first interesting function on the stack. 256 * priv_policy* that's us, so completely uninteresting. 257 * suser(), drv_priv(), secpolicy_* are also called from 258 * too many locations to convey useful information. 259 */ 260 for (i = 0; i < depth; i++) { 261 sym = kobj_getsymname((uintptr_t)stack[i], &off); 262 if (sym != NULL && 263 strstr(sym, "hasprocperm") == 0 && 264 strcmp("suser", sym) != 0 && 265 strcmp("ipcaccess", sym) != 0 && 266 strcmp("drv_priv", sym) != 0 && 267 strncmp("secpolicy_", sym, 10) != 0 && 268 strncmp("priv_policy", sym, 11) != 0) 269 break; 270 } 271 272 if (sym != NULL) 273 (void) strcat(fmt, FMTFUN); 274 275 (void) strcat(fmt, "\n"); 276 277 switch (priv) { 278 case PRIV_ALL: 279 pname = "ALL"; 280 break; 281 case PRIV_MULTIPLE: 282 pname = "MULTIPLE"; 283 break; 284 case PRIV_ALLZONE: 285 pname = "ZONE"; 286 break; 287 case PRIV_GLOBAL: 288 pname = "GLOBAL"; 289 break; 290 default: 291 pname = priv_getbynum(priv); 292 break; 293 } 294 295 if (CR_FLAGS(cr) & PRIV_DEBUG) { 296 /* Remember last message, just like lwp_badpriv. */ 297 if (curthread->t_pdmsg != NULL) { 298 kmem_free(curthread->t_pdmsg, 299 strlen(curthread->t_pdmsg) + 1); 300 } 301 302 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 303 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 304 305 curthread->t_post_sys = 1; 306 } 307 if (priv_debug) { 308 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 309 curthread->t_sysnum, msg, sym, off); 310 } 311 } 312 313 /* 314 * Override the policy, if appropriate. Return 0 if the external 315 * policy engine approves. 316 */ 317 static int 318 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 319 { 320 priv_set_t set; 321 int ret; 322 323 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 324 return (-1); 325 326 if (priv == PRIV_ALL) { 327 priv_fillset(&set); 328 } else if (allzone) { 329 set = *ZONEPRIVS(cr); 330 } else { 331 priv_emptyset(&set); 332 priv_addset(&set, priv); 333 } 334 ret = klpd_call(cr, &set, ap); 335 return (ret); 336 } 337 338 static int 339 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...) 340 { 341 va_list ap; 342 343 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 344 va_start(ap, req); 345 return (klpd_call(cr, req, ap)); 346 } 347 return (-1); 348 } 349 350 /* 351 * Audit failure, log error message. 352 */ 353 static void 354 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 355 { 356 357 if (audit_active) 358 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 359 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 360 361 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 362 curthread->t_pre_sys) { 363 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 364 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 365 } else { 366 ASSERT(!HAS_PRIVILEGE(cr, priv)); 367 priv_policy_errmsg(cr, priv, msg); 368 } 369 } 370 } 371 372 /* 373 * priv_policy_ap() 374 * return 0 or error. 375 * See block comment above for a description of "priv" and "allzone" usage. 376 */ 377 static int 378 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 379 const char *msg, va_list ap) 380 { 381 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 382 (!servicing_interrupt() && 383 priv_policy_override(cr, priv, allzone, ap) == 0)) { 384 if ((allzone || priv == PRIV_ALL || 385 !PRIV_ISASSERT(priv_basic, priv)) && 386 !servicing_interrupt()) { 387 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 388 if (audit_active) 389 audit_priv(priv, 390 allzone ? ZONEPRIVS(cr) : NULL, 1); 391 } 392 err = 0; 393 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 394 } else if (!servicing_interrupt()) { 395 /* Failure audited in this procedure */ 396 priv_policy_err(cr, priv, allzone, msg); 397 } 398 return (err); 399 } 400 401 int 402 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 403 const char *msg, ...) 404 { 405 int ret; 406 va_list ap; 407 408 va_start(ap, msg); 409 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 410 va_end(ap); 411 412 return (ret); 413 } 414 415 int 416 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 417 const char *msg) 418 { 419 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE)); 420 } 421 422 /* 423 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 424 */ 425 boolean_t 426 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 427 { 428 boolean_t res = HAS_PRIVILEGE(cr, priv) && 429 (!allzone || HAS_ALLZONEPRIVS(cr)); 430 431 /* Audit success only */ 432 if (res && audit_active && 433 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 434 !servicing_interrupt()) { 435 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 436 } 437 if (res) { 438 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 439 } else { 440 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 441 } 442 return (res); 443 } 444 445 /* 446 * Non-auditing variant of priv_policy_choice(). 447 */ 448 boolean_t 449 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 450 { 451 boolean_t res = HAS_PRIVILEGE(cr, priv) && 452 (!allzone || HAS_ALLZONEPRIVS(cr)); 453 454 if (res) { 455 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 456 } else { 457 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 458 } 459 return (res); 460 } 461 462 /* 463 * Check whether all privileges in the required set are present. 464 */ 465 static int 466 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 467 { 468 int priv; 469 int pfound = -1; 470 priv_set_t pset; 471 472 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 473 &CR_OEPRIV(cr))) { 474 return (0); 475 } 476 477 if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0) 478 return (0); 479 480 if (req == PRIV_FULLSET || priv_isfullset(req)) { 481 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 482 return (EACCES); 483 } 484 485 pset = CR_OEPRIV(cr); /* present privileges */ 486 priv_inverse(&pset); /* all non present privileges */ 487 priv_intersect(req, &pset); /* the actual missing privs */ 488 489 if (audit_active) 490 audit_priv(PRIV_NONE, &pset, 0); 491 /* 492 * Privilege debugging; special case "one privilege in set". 493 */ 494 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 495 for (priv = 0; priv < nprivs; priv++) { 496 if (priv_ismember(&pset, priv)) { 497 if (pfound != -1) { 498 /* Multiple missing privs */ 499 priv_policy_errmsg(cr, PRIV_MULTIPLE, 500 msg); 501 return (EACCES); 502 } 503 pfound = priv; 504 } 505 } 506 ASSERT(pfound != -1); 507 /* Just the one missing privilege */ 508 priv_policy_errmsg(cr, pfound, msg); 509 } 510 511 return (EACCES); 512 } 513 514 /* 515 * Called when an operation requires that the caller be in the 516 * global zone, regardless of privilege. 517 */ 518 static int 519 priv_policy_global(const cred_t *cr) 520 { 521 if (crgetzoneid(cr) == GLOBAL_ZONEID) 522 return (0); /* success */ 523 524 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 525 curthread->t_pre_sys) { 526 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 527 } 528 return (EPERM); 529 } 530 531 /* 532 * Changing process priority 533 */ 534 int 535 secpolicy_setpriority(const cred_t *cr) 536 { 537 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 538 } 539 540 /* 541 * Binding to a privileged port, port must be specified in host byte 542 * order. 543 */ 544 int 545 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 546 { 547 char *reason; 548 int priv; 549 550 switch (port) { 551 case 137: 552 case 138: 553 case 139: 554 case 445: 555 /* 556 * NBT and SMB ports, these are extra privileged ports, 557 * allow bind only if the SYS_SMB privilege is present. 558 */ 559 priv = PRIV_SYS_SMB; 560 reason = "NBT or SMB port"; 561 break; 562 563 case 2049: 564 case 4045: 565 /* 566 * NFS ports, these are extra privileged ports, allow bind 567 * only if the SYS_NFS privilege is present. 568 */ 569 priv = PRIV_SYS_NFS; 570 reason = "NFS port"; 571 break; 572 573 default: 574 priv = PRIV_NET_PRIVADDR; 575 reason = NULL; 576 break; 577 578 } 579 580 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 581 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 582 } 583 584 /* 585 * Binding to a multilevel port on a trusted (labeled) system. 586 */ 587 int 588 secpolicy_net_bindmlp(const cred_t *cr) 589 { 590 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 591 } 592 593 /* 594 * Allow a communication between a zone and an unlabeled host when their 595 * labels don't match. 596 */ 597 int 598 secpolicy_net_mac_aware(const cred_t *cr) 599 { 600 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 601 } 602 603 /* 604 * Common routine which determines whether a given credential can 605 * act on a given mount. 606 * When called through mount, the parameter needoptcheck is a pointer 607 * to a boolean variable which will be set to either true or false, 608 * depending on whether the mount policy should change the mount options. 609 * In all other cases, needoptcheck should be a NULL pointer. 610 */ 611 static int 612 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 613 boolean_t *needoptcheck) 614 { 615 boolean_t allzone = B_FALSE; 616 boolean_t mounting = needoptcheck != NULL; 617 618 /* 619 * Short circuit the following cases: 620 * vfsp == NULL or mvp == NULL (pure privilege check) 621 * have all privileges - no further checks required 622 * and no mount options need to be set. 623 */ 624 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 625 if (mounting) 626 *needoptcheck = B_FALSE; 627 628 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 629 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 630 } 631 632 /* 633 * When operating on an existing mount (either we're not mounting 634 * or we're doing a remount and VFS_REMOUNT will be set), zones 635 * can operate only on mounts established by the zone itself. 636 */ 637 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 638 zoneid_t zoneid = crgetzoneid(cr); 639 640 if (zoneid != GLOBAL_ZONEID && 641 vfsp->vfs_zone->zone_id != zoneid) { 642 return (EPERM); 643 } 644 } 645 646 if (mounting) 647 *needoptcheck = B_TRUE; 648 649 /* 650 * Overlay mounts may hide important stuff; if you can't write to a 651 * mount point but would be able to mount on top of it, you can 652 * escalate your privileges. 653 * So we go about asking the same questions namefs does when it 654 * decides whether you can mount over a file or not but with the 655 * added restriction that you can only mount on top of a regular 656 * file or directory. 657 * If we have all the zone's privileges, we skip all other checks, 658 * or else we may actually get in trouble inside the automounter. 659 */ 660 if ((mvp->v_flag & VROOT) != 0 || 661 (mvp->v_type != VDIR && mvp->v_type != VREG) || 662 HAS_ALLZONEPRIVS(cr)) { 663 allzone = B_TRUE; 664 } else { 665 vattr_t va; 666 int err; 667 668 va.va_mask = AT_UID|AT_MODE; 669 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 670 if (err != 0) 671 return (err); 672 673 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 674 return (err); 675 676 if ((va.va_mode & VWRITE) == 0 && 677 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 678 return (EACCES); 679 } 680 } 681 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 682 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 683 } 684 685 void 686 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 687 { 688 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 689 690 /* 691 * check; if we don't have either "nosuid" or 692 * both "nosetuid" and "nodevices", then we add 693 * "nosuid"; this depends on how the current 694 * implementation works (it first checks nosuid). In a 695 * zone, a user with all zone privileges can mount with 696 * "setuid" but never with "devices". 697 */ 698 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 699 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 700 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 701 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 702 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 703 else 704 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 705 } 706 /* 707 * If we're not the local super user, we set the "restrict" 708 * option to indicate to automountd that this mount should 709 * be handled with care. 710 */ 711 if (!amsuper) 712 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 713 714 } 715 716 extern vnode_t *rootvp; 717 extern vfs_t *rootvfs; 718 719 int 720 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 721 { 722 boolean_t needoptchk; 723 int error; 724 725 /* 726 * If it's a remount, get the underlying mount point, 727 * except for the root where we use the rootvp. 728 */ 729 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 730 if (vfsp == rootvfs) 731 mvp = rootvp; 732 else 733 mvp = vfsp->vfs_vnodecovered; 734 } 735 736 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 737 738 if (error == 0 && needoptchk) { 739 secpolicy_fs_mount_clearopts(cr, vfsp); 740 } 741 742 return (error); 743 } 744 745 /* 746 * Does the policy computations for "ownership" of a mount; 747 * here ownership is defined as the ability to "mount" 748 * the filesystem originally. The rootvfs doesn't cover any 749 * vnodes; we attribute its ownership to the rootvp. 750 */ 751 static int 752 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 753 { 754 vnode_t *mvp; 755 756 if (vfsp == NULL) 757 mvp = NULL; 758 else if (vfsp == rootvfs) 759 mvp = rootvp; 760 else 761 mvp = vfsp->vfs_vnodecovered; 762 763 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 764 } 765 766 int 767 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 768 { 769 return (secpolicy_fs_owner(cr, vfsp)); 770 } 771 772 /* 773 * Quotas are a resource, but if one has the ability to mount a filesystem, he 774 * should be able to modify quotas on it. 775 */ 776 int 777 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 778 { 779 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 780 } 781 782 /* 783 * Exceeding minfree: also a per-mount resource constraint. 784 */ 785 int 786 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 787 { 788 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 789 } 790 791 int 792 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 793 { 794 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 795 } 796 797 /* ARGSUSED */ 798 int 799 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 800 { 801 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 802 } 803 804 /* 805 * Name: secpolicy_vnode_access() 806 * 807 * Parameters: Process credential 808 * vnode 809 * uid of owner of vnode 810 * permission bits not granted to the caller when examining 811 * file mode bits (i.e., when a process wants to open a 812 * mode 444 file for VREAD|VWRITE, this function should be 813 * called only with a VWRITE argument). 814 * 815 * Normal: Verifies that cred has the appropriate privileges to 816 * override the mode bits that were denied. 817 * 818 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 819 * not a directory. 820 * file_dac_read - if VREAD bit was denied. 821 * file_dac_search - if VEXEC bit was denied and vnode is 822 * a directory. 823 * file_dac_write - if VWRITE bit was denied. 824 * 825 * Root owned files are special cased to protect system 826 * configuration files and such. 827 * 828 * Output: EACCES - if privilege check fails. 829 */ 830 831 /* ARGSUSED */ 832 int 833 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 834 { 835 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 836 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 837 KLPDARG_NOMORE) != 0) { 838 return (EACCES); 839 } 840 841 if (mode & VWRITE) { 842 boolean_t allzone; 843 844 if (owner == 0 && cr->cr_uid != 0) 845 allzone = B_TRUE; 846 else 847 allzone = B_FALSE; 848 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 849 NULL, KLPDARG_VNODE, vp, (char *)NULL, 850 KLPDARG_NOMORE) != 0) { 851 return (EACCES); 852 } 853 } 854 855 if (mode & VEXEC) { 856 /* 857 * Directories use file_dac_search to override the execute bit. 858 */ 859 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 860 PRIV_FILE_DAC_EXECUTE; 861 862 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 863 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 864 } 865 return (0); 866 } 867 868 /* 869 * Name: secpolicy_vnode_setid_modify() 870 * 871 * Normal: verify that subject can set the file setid flags. 872 * 873 * Output: EPERM - if not privileged. 874 */ 875 876 static int 877 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 878 { 879 /* If changing to suid root, must have all zone privs */ 880 boolean_t allzone = B_TRUE; 881 882 if (owner != 0) { 883 if (owner == cr->cr_uid) 884 return (0); 885 allzone = B_FALSE; 886 } 887 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 888 } 889 890 /* 891 * Are we allowed to retain the set-uid/set-gid bits when 892 * changing ownership or when writing to a file? 893 * "issuid" should be true when set-uid; only in that case 894 * root ownership is checked (setgid is assumed). 895 */ 896 int 897 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 898 { 899 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 900 return (EPERM); 901 902 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 903 } 904 905 /* 906 * Name: secpolicy_vnode_setids_setgids() 907 * 908 * Normal: verify that subject can set the file setgid flag. 909 * 910 * Output: EPERM - if not privileged 911 */ 912 913 int 914 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 915 { 916 if (!groupmember(gid, cred)) 917 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 918 NULL)); 919 return (0); 920 } 921 922 /* 923 * Create a file with a group different than any of the groups allowed: 924 * the group of the directory the file is created in, the effective 925 * group or any of the supplementary groups. 926 */ 927 int 928 secpolicy_vnode_create_gid(const cred_t *cred) 929 { 930 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 931 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 932 NULL)); 933 else 934 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 935 NULL)); 936 } 937 938 /* 939 * Name: secpolicy_vnode_utime_modify() 940 * 941 * Normal: verify that subject can modify the utime on a file. 942 * 943 * Output: EPERM - if access denied. 944 */ 945 946 static int 947 secpolicy_vnode_utime_modify(const cred_t *cred) 948 { 949 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 950 "modify file times")); 951 } 952 953 954 /* 955 * Name: secpolicy_vnode_setdac() 956 * 957 * Normal: verify that subject can modify the mode of a file. 958 * allzone privilege needed when modifying root owned object. 959 * 960 * Output: EPERM - if access denied. 961 */ 962 963 int 964 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 965 { 966 if (owner == cred->cr_uid) 967 return (0); 968 969 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 970 } 971 /* 972 * Name: secpolicy_vnode_stky_modify() 973 * 974 * Normal: verify that subject can make a file a "sticky". 975 * 976 * Output: EPERM - if access denied. 977 */ 978 979 int 980 secpolicy_vnode_stky_modify(const cred_t *cred) 981 { 982 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 983 "set file sticky")); 984 } 985 986 /* 987 * Policy determines whether we can remove an entry from a directory, 988 * regardless of permission bits. 989 */ 990 int 991 secpolicy_vnode_remove(const cred_t *cr) 992 { 993 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 994 "sticky directory")); 995 } 996 997 int 998 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 999 { 1000 boolean_t allzone = (owner == 0); 1001 1002 if (owner == cr->cr_uid) 1003 return (0); 1004 1005 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1006 } 1007 1008 void 1009 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1010 { 1011 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1012 secpolicy_vnode_setid_retain(cr, 1013 (vap->va_mode & S_ISUID) != 0 && 1014 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1015 vap->va_mask |= AT_MODE; 1016 vap->va_mode &= ~(S_ISUID|S_ISGID); 1017 } 1018 } 1019 1020 int 1021 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1022 cred_t *cr) 1023 { 1024 int error; 1025 1026 if ((vap->va_mode & S_ISUID) != 0 && 1027 (error = secpolicy_vnode_setid_modify(cr, 1028 ovap->va_uid)) != 0) { 1029 return (error); 1030 } 1031 1032 /* 1033 * Check privilege if attempting to set the 1034 * sticky bit on a non-directory. 1035 */ 1036 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1037 secpolicy_vnode_stky_modify(cr) != 0) { 1038 vap->va_mode &= ~S_ISVTX; 1039 } 1040 1041 /* 1042 * Check for privilege if attempting to set the 1043 * group-id bit. 1044 */ 1045 if ((vap->va_mode & S_ISGID) != 0 && 1046 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1047 vap->va_mode &= ~S_ISGID; 1048 } 1049 1050 return (0); 1051 } 1052 1053 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1054 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1055 B_FALSE, EPERM, NULL) 1056 1057 /* 1058 * Check privileges for setting xvattr attributes 1059 */ 1060 int 1061 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1062 { 1063 xoptattr_t *xoap; 1064 int error = 0; 1065 1066 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1067 return (EINVAL); 1068 1069 /* 1070 * First process the DOS bits 1071 */ 1072 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1073 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1074 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1075 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1076 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1077 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1078 return (error); 1079 } 1080 1081 /* 1082 * Now handle special attributes 1083 */ 1084 1085 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1086 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1087 xoap->xoa_immutable, cr); 1088 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1089 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1090 xoap->xoa_nounlink, cr); 1091 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1092 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1093 xoap->xoa_appendonly, cr); 1094 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1095 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1096 xoap->xoa_nodump, cr); 1097 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1098 error = EPERM; 1099 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1100 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1101 xoap->xoa_av_quarantined, cr); 1102 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1103 error = EINVAL; 1104 } 1105 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1106 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1107 xoap->xoa_av_modified, cr); 1108 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1109 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1110 xoap->xoa_av_scanstamp, cr); 1111 if (error == 0 && vtype != VREG) 1112 error = EINVAL; 1113 } 1114 return (error); 1115 } 1116 1117 /* 1118 * This function checks the policy decisions surrounding the 1119 * vop setattr call. 1120 * 1121 * It should be called after sufficient locks have been established 1122 * on the underlying data structures. No concurrent modifications 1123 * should be allowed. 1124 * 1125 * The caller must pass in unlocked version of its vaccess function 1126 * this is required because vop_access function should lock the 1127 * node for reading. A three argument function should be defined 1128 * which accepts the following argument: 1129 * A pointer to the internal "node" type (inode *) 1130 * vnode access bits (VREAD|VWRITE|VEXEC) 1131 * a pointer to the credential 1132 * 1133 * This function makes the following policy decisions: 1134 * 1135 * - change permissions 1136 * - permission to change file mode if not owner 1137 * - permission to add sticky bit to non-directory 1138 * - permission to add set-gid bit 1139 * 1140 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1141 * 1142 * If the vap argument does not include AT_MODE, the mode will be copied from 1143 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1144 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1145 * is updated to the newly computed mode. 1146 */ 1147 1148 int 1149 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1150 const struct vattr *ovap, int flags, 1151 int unlocked_access(void *, int, cred_t *), 1152 void *node) 1153 { 1154 int mask = vap->va_mask; 1155 int error = 0; 1156 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1157 1158 if (mask & AT_SIZE) { 1159 if (vp->v_type == VDIR) { 1160 error = EISDIR; 1161 goto out; 1162 } 1163 1164 /* 1165 * If ATTR_NOACLCHECK is set in the flags, then we don't 1166 * perform the secondary unlocked_access() call since the 1167 * ACL (if any) is being checked there. 1168 */ 1169 if (skipaclchk == B_FALSE) { 1170 error = unlocked_access(node, VWRITE, cr); 1171 if (error) 1172 goto out; 1173 } 1174 } 1175 if (mask & AT_MODE) { 1176 /* 1177 * If not the owner of the file then check privilege 1178 * for two things: the privilege to set the mode at all 1179 * and, if we're setting setuid, we also need permissions 1180 * to add the set-uid bit, if we're not the owner. 1181 * In the specific case of creating a set-uid root 1182 * file, we need even more permissions. 1183 */ 1184 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1185 goto out; 1186 1187 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1188 ovap, cr)) != 0) 1189 goto out; 1190 } else 1191 vap->va_mode = ovap->va_mode; 1192 1193 if (mask & (AT_UID|AT_GID)) { 1194 boolean_t checkpriv = B_FALSE; 1195 int priv; 1196 boolean_t allzone = B_FALSE; 1197 1198 /* 1199 * Chowning files. 1200 * 1201 * If you are the file owner: 1202 * chown to other uid FILE_CHOWN_SELF 1203 * chown to gid (non-member) FILE_CHOWN_SELF 1204 * chown to gid (member) <none> 1205 * 1206 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1207 * acceptable but the first one is reported when debugging. 1208 * 1209 * If you are not the file owner: 1210 * chown from root PRIV_FILE_CHOWN + zone 1211 * chown from other to any PRIV_FILE_CHOWN 1212 * 1213 */ 1214 if (cr->cr_uid != ovap->va_uid) { 1215 checkpriv = B_TRUE; 1216 allzone = (ovap->va_uid == 0); 1217 priv = PRIV_FILE_CHOWN; 1218 } else { 1219 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1220 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1221 !groupmember(vap->va_gid, cr))) { 1222 checkpriv = B_TRUE; 1223 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1224 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1225 } 1226 } 1227 /* 1228 * If necessary, check privilege to see if update can be done. 1229 */ 1230 if (checkpriv && 1231 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1232 != 0) { 1233 goto out; 1234 } 1235 1236 /* 1237 * If the file has either the set UID or set GID bits 1238 * set and the caller can set the bits, then leave them. 1239 */ 1240 secpolicy_setid_clear(vap, cr); 1241 } 1242 if (mask & (AT_ATIME|AT_MTIME)) { 1243 /* 1244 * If not the file owner and not otherwise privileged, 1245 * always return an error when setting the 1246 * time other than the current (ATTR_UTIME flag set). 1247 * If setting the current time (ATTR_UTIME not set) then 1248 * unlocked_access will check permissions according to policy. 1249 */ 1250 if (cr->cr_uid != ovap->va_uid) { 1251 if (flags & ATTR_UTIME) 1252 error = secpolicy_vnode_utime_modify(cr); 1253 else if (skipaclchk == B_FALSE) { 1254 error = unlocked_access(node, VWRITE, cr); 1255 if (error == EACCES && 1256 secpolicy_vnode_utime_modify(cr) == 0) 1257 error = 0; 1258 } 1259 if (error) 1260 goto out; 1261 } 1262 } 1263 1264 /* 1265 * Check for optional attributes here by checking the following: 1266 */ 1267 if (mask & AT_XVATTR) 1268 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1269 vp->v_type); 1270 out: 1271 return (error); 1272 } 1273 1274 /* 1275 * Name: secpolicy_pcfs_modify_bootpartition() 1276 * 1277 * Normal: verify that subject can modify a pcfs boot partition. 1278 * 1279 * Output: EACCES - if privilege check failed. 1280 */ 1281 /*ARGSUSED*/ 1282 int 1283 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1284 { 1285 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1286 "modify pcfs boot partition")); 1287 } 1288 1289 /* 1290 * System V IPC routines 1291 */ 1292 int 1293 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1294 { 1295 if (crgetzoneid(cr) != ip->ipc_zoneid || 1296 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1297 boolean_t allzone = B_FALSE; 1298 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1299 allzone = B_TRUE; 1300 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1301 } 1302 return (0); 1303 } 1304 1305 int 1306 secpolicy_ipc_config(const cred_t *cr) 1307 { 1308 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1309 } 1310 1311 int 1312 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1313 { 1314 1315 boolean_t allzone = B_FALSE; 1316 1317 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1318 1319 if ((mode & MSG_R) && 1320 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1321 return (EACCES); 1322 1323 if (mode & MSG_W) { 1324 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1325 allzone = B_TRUE; 1326 1327 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1328 NULL)); 1329 } 1330 return (0); 1331 } 1332 1333 int 1334 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1335 { 1336 boolean_t allzone = B_FALSE; 1337 1338 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1339 1340 if ((mode & MSG_R) && 1341 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1342 return (EACCES); 1343 1344 if (mode & MSG_W) { 1345 if (cr->cr_uid != 0 && owner == 0) 1346 allzone = B_TRUE; 1347 1348 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1349 NULL)); 1350 } 1351 return (0); 1352 } 1353 1354 /* 1355 * Audit configuration. 1356 */ 1357 int 1358 secpolicy_audit_config(const cred_t *cr) 1359 { 1360 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1361 } 1362 1363 /* 1364 * Audit record generation. 1365 */ 1366 int 1367 secpolicy_audit_modify(const cred_t *cr) 1368 { 1369 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1370 } 1371 1372 /* 1373 * Get audit attributes. 1374 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1375 * "Least" of the two privileges on error. 1376 */ 1377 int 1378 secpolicy_audit_getattr(const cred_t *cr) 1379 { 1380 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1381 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1382 NULL)); 1383 } else { 1384 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1385 } 1386 } 1387 1388 1389 /* 1390 * Locking physical memory 1391 */ 1392 int 1393 secpolicy_lock_memory(const cred_t *cr) 1394 { 1395 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1396 } 1397 1398 /* 1399 * Accounting (both acct(2) and exacct). 1400 */ 1401 int 1402 secpolicy_acct(const cred_t *cr) 1403 { 1404 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1405 } 1406 1407 /* 1408 * Is this process privileged to change its uids at will? 1409 * Uid 0 is still considered "special" and having the SETID 1410 * privilege is not sufficient to get uid 0. 1411 * Files are owned by root, so the privilege would give 1412 * full access and euid 0 is still effective. 1413 * 1414 * If you have the privilege and euid 0 only then do you 1415 * get the powers of root wrt uid 0. 1416 * 1417 * For gid manipulations, this is should be called with an 1418 * uid of -1. 1419 * 1420 */ 1421 int 1422 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1423 { 1424 boolean_t allzone = B_FALSE; 1425 1426 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1427 cr->cr_ruid != 0) { 1428 allzone = B_TRUE; 1429 } 1430 1431 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1432 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1433 } 1434 1435 1436 /* 1437 * Acting on a different process: if the mode is for writing, 1438 * the restrictions are more severe. This is called after 1439 * we've verified that the uids do not match. 1440 */ 1441 int 1442 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1443 { 1444 boolean_t allzone = B_FALSE; 1445 1446 if ((mode & VWRITE) && scr->cr_uid != 0 && 1447 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1448 allzone = B_TRUE; 1449 1450 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1451 } 1452 1453 int 1454 secpolicy_proc_access(const cred_t *scr) 1455 { 1456 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1457 } 1458 1459 int 1460 secpolicy_proc_excl_open(const cred_t *scr) 1461 { 1462 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1463 } 1464 1465 int 1466 secpolicy_proc_zone(const cred_t *scr) 1467 { 1468 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1469 } 1470 1471 /* 1472 * Destroying the system 1473 */ 1474 1475 int 1476 secpolicy_kmdb(const cred_t *scr) 1477 { 1478 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1479 } 1480 1481 int 1482 secpolicy_error_inject(const cred_t *scr) 1483 { 1484 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1485 } 1486 1487 /* 1488 * Processor sets, cpu configuration, resource pools. 1489 */ 1490 int 1491 secpolicy_pset(const cred_t *cr) 1492 { 1493 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1494 } 1495 1496 int 1497 secpolicy_ponline(const cred_t *cr) 1498 { 1499 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1500 } 1501 1502 int 1503 secpolicy_pool(const cred_t *cr) 1504 { 1505 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1506 } 1507 1508 int 1509 secpolicy_blacklist(const cred_t *cr) 1510 { 1511 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1512 } 1513 1514 /* 1515 * Catch all system configuration. 1516 */ 1517 int 1518 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1519 { 1520 if (checkonly) { 1521 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1522 EPERM); 1523 } else { 1524 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1525 } 1526 } 1527 1528 /* 1529 * Zone administration (halt, reboot, etc.) from within zone. 1530 */ 1531 int 1532 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1533 { 1534 if (checkonly) { 1535 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1536 EPERM); 1537 } else { 1538 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1539 NULL)); 1540 } 1541 } 1542 1543 /* 1544 * Zone configuration (create, halt, enter). 1545 */ 1546 int 1547 secpolicy_zone_config(const cred_t *cr) 1548 { 1549 /* 1550 * Require all privileges to avoid possibility of privilege 1551 * escalation. 1552 */ 1553 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1554 } 1555 1556 /* 1557 * Various other system configuration calls 1558 */ 1559 int 1560 secpolicy_coreadm(const cred_t *cr) 1561 { 1562 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1563 } 1564 1565 int 1566 secpolicy_systeminfo(const cred_t *cr) 1567 { 1568 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1569 } 1570 1571 int 1572 secpolicy_dispadm(const cred_t *cr) 1573 { 1574 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1575 } 1576 1577 int 1578 secpolicy_settime(const cred_t *cr) 1579 { 1580 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1581 } 1582 1583 /* 1584 * For realtime users: high resolution clock. 1585 */ 1586 int 1587 secpolicy_clock_highres(const cred_t *cr) 1588 { 1589 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1590 NULL)); 1591 } 1592 1593 /* 1594 * drv_priv() is documented as callable from interrupt context, not that 1595 * anyone ever does, but still. No debugging or auditing can be done when 1596 * it is called from interrupt context. 1597 * returns 0 on succes, EPERM on failure. 1598 */ 1599 int 1600 drv_priv(cred_t *cr) 1601 { 1602 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1603 } 1604 1605 int 1606 secpolicy_sys_devices(const cred_t *cr) 1607 { 1608 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1609 } 1610 1611 int 1612 secpolicy_excl_open(const cred_t *cr) 1613 { 1614 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1615 } 1616 1617 int 1618 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1619 { 1620 /* zone.* rctls can only be set from the global zone */ 1621 if (is_zone_rctl && priv_policy_global(cr) != 0) 1622 return (EPERM); 1623 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1624 } 1625 1626 int 1627 secpolicy_resource(const cred_t *cr) 1628 { 1629 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1630 } 1631 1632 /* 1633 * Processes with a real uid of 0 escape any form of accounting, much 1634 * like before. 1635 */ 1636 int 1637 secpolicy_newproc(const cred_t *cr) 1638 { 1639 if (cr->cr_ruid == 0) 1640 return (0); 1641 1642 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1643 } 1644 1645 /* 1646 * Networking 1647 */ 1648 int 1649 secpolicy_net_rawaccess(const cred_t *cr) 1650 { 1651 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1652 } 1653 1654 /* 1655 * Need this privilege for accessing the ICMP device 1656 */ 1657 int 1658 secpolicy_net_icmpaccess(const cred_t *cr) 1659 { 1660 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1661 } 1662 1663 /* 1664 * There are a few rare cases where the kernel generates ioctls() from 1665 * interrupt context with a credential of kcred rather than NULL. 1666 * In those cases, we take the safe and cheap test. 1667 */ 1668 int 1669 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1670 { 1671 if (checkonly) { 1672 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1673 0 : EPERM); 1674 } else { 1675 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1676 NULL)); 1677 } 1678 } 1679 1680 1681 /* 1682 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1683 * 1684 * There are a few rare cases where the kernel generates ioctls() from 1685 * interrupt context with a credential of kcred rather than NULL. 1686 * In those cases, we take the safe and cheap test. 1687 */ 1688 int 1689 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1690 { 1691 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1692 return (secpolicy_net_config(cr, checkonly)); 1693 1694 if (checkonly) { 1695 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1696 0 : EPERM); 1697 } else { 1698 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1699 NULL)); 1700 } 1701 } 1702 1703 /* 1704 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1705 */ 1706 int 1707 secpolicy_dl_config(const cred_t *cr) 1708 { 1709 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1710 return (secpolicy_net_config(cr, B_FALSE)); 1711 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, 1712 NULL)); 1713 } 1714 1715 1716 /* 1717 * Map IP pseudo privileges to actual privileges. 1718 * So we don't need to recompile IP when we change the privileges. 1719 */ 1720 int 1721 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1722 { 1723 int priv = PRIV_ALL; 1724 1725 switch (netpriv) { 1726 case OP_CONFIG: 1727 priv = PRIV_SYS_IP_CONFIG; 1728 break; 1729 case OP_RAW: 1730 priv = PRIV_NET_RAWACCESS; 1731 break; 1732 case OP_PRIVPORT: 1733 priv = PRIV_NET_PRIVADDR; 1734 break; 1735 } 1736 ASSERT(priv != PRIV_ALL); 1737 if (checkonly) 1738 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1739 else 1740 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1741 } 1742 1743 /* 1744 * Map network pseudo privileges to actual privileges. 1745 * So we don't need to recompile IP when we change the privileges. 1746 */ 1747 int 1748 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1749 { 1750 int priv = PRIV_ALL; 1751 1752 switch (netpriv) { 1753 case OP_CONFIG: 1754 priv = PRIV_SYS_NET_CONFIG; 1755 break; 1756 case OP_RAW: 1757 priv = PRIV_NET_RAWACCESS; 1758 break; 1759 case OP_PRIVPORT: 1760 priv = PRIV_NET_PRIVADDR; 1761 break; 1762 } 1763 ASSERT(priv != PRIV_ALL); 1764 if (checkonly) 1765 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1766 else 1767 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1768 } 1769 1770 /* 1771 * Checks for operations that are either client-only or are used by 1772 * both clients and servers. 1773 */ 1774 int 1775 secpolicy_nfs(const cred_t *cr) 1776 { 1777 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1778 } 1779 1780 /* 1781 * Special case for opening rpcmod: have NFS privileges or network 1782 * config privileges. 1783 */ 1784 int 1785 secpolicy_rpcmod_open(const cred_t *cr) 1786 { 1787 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1788 return (secpolicy_nfs(cr)); 1789 else 1790 return (secpolicy_net_config(cr, NULL)); 1791 } 1792 1793 int 1794 secpolicy_chroot(const cred_t *cr) 1795 { 1796 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1797 } 1798 1799 int 1800 secpolicy_tasksys(const cred_t *cr) 1801 { 1802 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1803 } 1804 1805 /* 1806 * Basic privilege checks. 1807 */ 1808 int 1809 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 1810 { 1811 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 1812 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1813 } 1814 1815 int 1816 secpolicy_basic_fork(const cred_t *cr) 1817 { 1818 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1819 } 1820 1821 int 1822 secpolicy_basic_proc(const cred_t *cr) 1823 { 1824 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1825 } 1826 1827 /* 1828 * Slightly complicated because we don't want to trigger the policy too 1829 * often. First we shortcircuit access to "self" (tp == sp) or if 1830 * we don't have the privilege but if we have permission 1831 * just return (0) and we don't flag the privilege as needed. 1832 * Else, we test for the privilege because we either have it or need it. 1833 */ 1834 int 1835 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1836 { 1837 if (tp == sp || 1838 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1839 return (0); 1840 } else { 1841 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1842 } 1843 } 1844 1845 int 1846 secpolicy_basic_link(const cred_t *cr) 1847 { 1848 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1849 } 1850 1851 /* 1852 * Additional device protection. 1853 * 1854 * Traditionally, a device has specific permissions on the node in 1855 * the filesystem which govern which devices can be opened by what 1856 * processes. In certain cases, it is desirable to add extra 1857 * restrictions, as writing to certain devices is identical to 1858 * having a complete run of the system. 1859 * 1860 * This mechanism is called the device policy. 1861 * 1862 * When a device is opened, its policy entry is looked up in the 1863 * policy cache and checked. 1864 */ 1865 int 1866 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1867 { 1868 devplcy_t *plcy; 1869 int err; 1870 struct snode *csp = VTOS(common_specvp(vp)); 1871 priv_set_t pset; 1872 1873 mutex_enter(&csp->s_lock); 1874 1875 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1876 plcy = devpolicy_find(vp); 1877 if (csp->s_plcy) 1878 dpfree(csp->s_plcy); 1879 csp->s_plcy = plcy; 1880 ASSERT(plcy != NULL); 1881 } else 1882 plcy = csp->s_plcy; 1883 1884 if (plcy == nullpolicy) { 1885 mutex_exit(&csp->s_lock); 1886 return (0); 1887 } 1888 1889 dphold(plcy); 1890 1891 mutex_exit(&csp->s_lock); 1892 1893 if (oflag & FWRITE) 1894 pset = plcy->dp_wrp; 1895 else 1896 pset = plcy->dp_rdp; 1897 /* 1898 * Special case: 1899 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1900 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1901 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1902 * in the required privilege set before doing the check. 1903 */ 1904 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1905 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1906 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1907 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1908 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1909 } 1910 1911 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1912 dpfree(plcy); 1913 1914 return (err); 1915 } 1916 1917 int 1918 secpolicy_modctl(const cred_t *cr, int cmd) 1919 { 1920 switch (cmd) { 1921 case MODINFO: 1922 case MODGETMAJBIND: 1923 case MODGETPATH: 1924 case MODGETPATHLEN: 1925 case MODGETNAME: 1926 case MODGETFBNAME: 1927 case MODGETDEVPOLICY: 1928 case MODGETDEVPOLICYBYNAME: 1929 case MODDEVT2INSTANCE: 1930 case MODSIZEOF_DEVID: 1931 case MODGETDEVID: 1932 case MODSIZEOF_MINORNAME: 1933 case MODGETMINORNAME: 1934 case MODGETDEVFSPATH_LEN: 1935 case MODGETDEVFSPATH: 1936 case MODGETDEVFSPATH_MI_LEN: 1937 case MODGETDEVFSPATH_MI: 1938 /* Unprivileged */ 1939 return (0); 1940 case MODLOAD: 1941 case MODSETDEVPOLICY: 1942 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1943 default: 1944 return (secpolicy_sys_config(cr, B_FALSE)); 1945 } 1946 } 1947 1948 int 1949 secpolicy_console(const cred_t *cr) 1950 { 1951 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1952 } 1953 1954 int 1955 secpolicy_power_mgmt(const cred_t *cr) 1956 { 1957 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1958 } 1959 1960 /* 1961 * Simulate terminal input; another escalation of privileges avenue. 1962 */ 1963 1964 int 1965 secpolicy_sti(const cred_t *cr) 1966 { 1967 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1968 } 1969 1970 boolean_t 1971 secpolicy_net_reply_equal(const cred_t *cr) 1972 { 1973 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1974 } 1975 1976 int 1977 secpolicy_swapctl(const cred_t *cr) 1978 { 1979 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1980 } 1981 1982 int 1983 secpolicy_cpc_cpu(const cred_t *cr) 1984 { 1985 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1986 } 1987 1988 /* 1989 * secpolicy_contract_identity 1990 * 1991 * Determine if the subject may set the process contract FMRI value 1992 */ 1993 int 1994 secpolicy_contract_identity(const cred_t *cr) 1995 { 1996 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 1997 } 1998 1999 /* 2000 * secpolicy_contract_observer 2001 * 2002 * Determine if the subject may observe a specific contract's events. 2003 */ 2004 int 2005 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2006 { 2007 if (contract_owned(ct, cr, B_FALSE)) 2008 return (0); 2009 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2010 } 2011 2012 /* 2013 * secpolicy_contract_observer_choice 2014 * 2015 * Determine if the subject may observe any contract's events. Just 2016 * tests privilege and audits on success. 2017 */ 2018 boolean_t 2019 secpolicy_contract_observer_choice(const cred_t *cr) 2020 { 2021 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2022 } 2023 2024 /* 2025 * secpolicy_contract_event 2026 * 2027 * Determine if the subject may request critical contract events or 2028 * reliable contract event delivery. 2029 */ 2030 int 2031 secpolicy_contract_event(const cred_t *cr) 2032 { 2033 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2034 } 2035 2036 /* 2037 * secpolicy_contract_event_choice 2038 * 2039 * Determine if the subject may retain contract events in its critical 2040 * set when a change in other terms would normally require a change in 2041 * the critical set. Just tests privilege and audits on success. 2042 */ 2043 boolean_t 2044 secpolicy_contract_event_choice(const cred_t *cr) 2045 { 2046 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2047 } 2048 2049 /* 2050 * secpolicy_gart_access 2051 * 2052 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2053 * device. 2054 */ 2055 int 2056 secpolicy_gart_access(const cred_t *cr) 2057 { 2058 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2059 } 2060 2061 /* 2062 * secpolicy_gart_map 2063 * 2064 * Determine if the subject has sufficient priveleges to map aperture range 2065 * through agpgart driver. 2066 */ 2067 int 2068 secpolicy_gart_map(const cred_t *cr) 2069 { 2070 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2071 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2072 NULL)); 2073 } else { 2074 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2075 NULL)); 2076 } 2077 } 2078 2079 /* 2080 * secpolicy_zinject 2081 * 2082 * Determine if the subject can inject faults in the ZFS fault injection 2083 * framework. Requires all privileges. 2084 */ 2085 int 2086 secpolicy_zinject(const cred_t *cr) 2087 { 2088 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2089 } 2090 2091 /* 2092 * secpolicy_zfs 2093 * 2094 * Determine if the subject has permission to manipulate ZFS datasets 2095 * (not pools). Equivalent to the SYS_MOUNT privilege. 2096 */ 2097 int 2098 secpolicy_zfs(const cred_t *cr) 2099 { 2100 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2101 } 2102 2103 /* 2104 * secpolicy_idmap 2105 * 2106 * Determine if the calling process has permissions to register an SID 2107 * mapping daemon and allocate ephemeral IDs. 2108 */ 2109 int 2110 secpolicy_idmap(const cred_t *cr) 2111 { 2112 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2113 } 2114 2115 /* 2116 * secpolicy_ucode_update 2117 * 2118 * Determine if the subject has sufficient privilege to update microcode. 2119 */ 2120 int 2121 secpolicy_ucode_update(const cred_t *scr) 2122 { 2123 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2124 } 2125 2126 /* 2127 * secpolicy_sadopen 2128 * 2129 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2130 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2131 * In global zone, sys_config is required. 2132 * In exclusive-IP zones, sys_ip_config is required. 2133 * Note that sys_config is prohibited in non-global zones. 2134 */ 2135 int 2136 secpolicy_sadopen(const cred_t *credp) 2137 { 2138 priv_set_t pset; 2139 2140 priv_emptyset(&pset); 2141 2142 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2143 priv_addset(&pset, PRIV_SYS_CONFIG); 2144 else 2145 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2146 2147 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2148 } 2149 2150 2151 /* 2152 * Add privileges to a particular privilege set; this is called when the 2153 * current sets of privileges are not sufficient. I.e., we should always 2154 * call the policy override functions from here. 2155 * What we are allowed to have is in the Observed Permitted set; so 2156 * we compute the difference between that and the newset. 2157 */ 2158 int 2159 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2160 { 2161 priv_set_t rqd; 2162 2163 rqd = CR_OPPRIV(cr); 2164 2165 priv_inverse(&rqd); 2166 priv_intersect(nset, &rqd); 2167 2168 return (secpolicy_require_set(cr, &rqd, NULL)); 2169 } 2170 2171 /* 2172 * secpolicy_smb 2173 * 2174 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2175 * that it has permission to access the smbsrv kernel driver. 2176 * PRIV_POLICY checks the privilege and audits the check. 2177 * 2178 * Returns: 2179 * 0 Driver access is allowed. 2180 * EPERM Driver access is NOT permitted. 2181 */ 2182 int 2183 secpolicy_smb(const cred_t *cr) 2184 { 2185 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2186 } 2187 2188 /* 2189 * secpolicy_vscan 2190 * 2191 * Determine if cred_t has the necessary privileges to access a file 2192 * for virus scanning and update its extended system attributes. 2193 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2194 * PRIV_FILE_FLAG_SET - set extended system attributes 2195 * 2196 * PRIV_POLICY checks the privilege and audits the check. 2197 * 2198 * Returns: 2199 * 0 file access for virus scanning allowed. 2200 * EPERM file access for virus scanning is NOT permitted. 2201 */ 2202 int 2203 secpolicy_vscan(const cred_t *cr) 2204 { 2205 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2206 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2207 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2208 return (EPERM); 2209 } 2210 2211 return (0); 2212 } 2213 2214 /* 2215 * secpolicy_smbfs_login 2216 * 2217 * Determines if the caller can add and delete the smbfs login 2218 * password in the the nsmb kernel module for the CIFS client. 2219 * 2220 * Returns: 2221 * 0 access is allowed. 2222 * EPERM access is NOT allowed. 2223 */ 2224 int 2225 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2226 { 2227 uid_t cruid = crgetruid(cr); 2228 2229 if (cruid == uid) 2230 return (0); 2231 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2232 EPERM, NULL)); 2233 } 2234 2235 /* 2236 * secpolicy_xvm_control 2237 * 2238 * Determines if a caller can control the xVM hypervisor and/or running 2239 * domains (x86 specific). 2240 * 2241 * Returns: 2242 * 0 access is allowed. 2243 * EPERM access is NOT allowed. 2244 */ 2245 int 2246 secpolicy_xvm_control(const cred_t *cr) 2247 { 2248 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2249 return (EPERM); 2250 return (0); 2251 } 2252