1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/cred_impl.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/stat.h> 37 #include <sys/errno.h> 38 #include <sys/kmem.h> 39 #include <sys/user.h> 40 #include <sys/proc.h> 41 #include <sys/acct.h> 42 #include <sys/ipc_impl.h> 43 #include <sys/syscall.h> 44 #include <sys/cmn_err.h> 45 #include <sys/debug.h> 46 #include <sys/policy.h> 47 #include <sys/kobj.h> 48 #include <sys/msg.h> 49 #include <sys/devpolicy.h> 50 #include <c2/audit.h> 51 #include <sys/varargs.h> 52 #include <sys/modctl.h> 53 #include <sys/disp.h> 54 #include <sys/zone.h> 55 #include <inet/common.h> 56 #include <inet/optcom.h> 57 #include <sys/sdt.h> 58 #include <sys/mount.h> 59 #include <sys/vfs.h> 60 #include <sys/mntent.h> 61 #include <sys/contract_impl.h> 62 63 #include <sys/sunddi.h> 64 65 /* 66 * There are two possible layers of privilege routines and two possible 67 * levels of secpolicy. Plus one other we may not be interested in, so 68 * we may need as many as 6 but no more. 69 */ 70 #define MAXPRIVSTACK 6 71 72 int priv_debug = 0; 73 74 /* 75 * This file contains the majority of the policy routines. 76 * Since the policy routines are defined by function and not 77 * by privilege, there is quite a bit of duplication of 78 * functions. 79 * 80 * The secpolicy functions must not make asssumptions about 81 * locks held or not held as any lock can be held while they're 82 * being called. 83 * 84 * Credentials are read-only so no special precautions need to 85 * be taken while locking them. 86 * 87 * When a new policy check needs to be added to the system the 88 * following procedure should be followed: 89 * 90 * Pick an appropriate secpolicy_*() function 91 * -> done if one exists. 92 * Create a new secpolicy function, preferably with 93 * a descriptive name using the standard template. 94 * Pick an appropriate privilege for the policy. 95 * If no appropraite privilege exists, define new one 96 * (this should be done with extreme care; in most cases 97 * little is gained by adding another privilege) 98 * 99 * WHY ROOT IS STILL SPECIAL. 100 * 101 * In a number of the policy functions, there are still explicit 102 * checks for uid 0. The rationale behind these is that many root 103 * owned files/objects hold configuration information which can give full 104 * privileges to the user once written to. To prevent escalation 105 * of privilege by allowing just a single privilege to modify root owned 106 * objects, we've added these root specific checks where we considered 107 * them necessary: modifying root owned files, changing uids to 0, etc. 108 * 109 * PRIVILEGE ESCALATION AND ZONES. 110 * 111 * A number of operations potentially allow the caller to achieve 112 * privileges beyond the ones normally required to perform the operation. 113 * For example, if allowed to create a setuid 0 executable, a process can 114 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 115 * restrictions on the ability to gain privileges beyond those available 116 * within the zone through file and process manipulation. Hence, such 117 * operations require that the caller have an effective set that includes 118 * all privileges available within the current zone, or all privileges 119 * if executing in the global zone. 120 * 121 * This is indicated in the priv_policy* policy checking functions 122 * through a combination of parameters. The "priv" parameter indicates 123 * the privilege that is required, and the "allzone" parameter indicates 124 * whether or not all privileges in the zone are required. In addition, 125 * priv can be set to PRIV_ALL to indicate that all privileges are 126 * required (regardless of zone). There are three scenarios of interest: 127 * (1) operation requires a specific privilege 128 * (2) operation requires a specific privilege, and requires all 129 * privileges available within the zone (or all privileges if in 130 * the global zone) 131 * (3) operation requires all privileges, regardless of zone 132 * 133 * For (1), priv should be set to the specific privilege, and allzone 134 * should be set to B_FALSE. 135 * For (2), priv should be set to the specific privilege, and allzone 136 * should be set to B_TRUE. 137 * For (3), priv should be set to PRIV_ALL, and allzone should be set 138 * to B_FALSE. 139 * 140 */ 141 142 /* 143 * The privileges are checked against the Effective set for 144 * ordinary processes and checked against the Limit set 145 * for euid 0 processes that haven't manipulated their privilege 146 * sets. 147 */ 148 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 149 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 150 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 151 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 152 HAS_ALLPRIVS(cr) : \ 153 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 154 155 /* 156 * Policy checking functions 157 * 158 * In future, these will migrate to several files when policy 159 * becomes more or less pluggable. 160 * 161 * For now, there's only one policy and this is it. 162 */ 163 164 /* 165 * Generic policy calls 166 * 167 * The "bottom" functions of policy control 168 */ 169 170 static char * 171 mprintf(const char *fmt, ...) 172 { 173 va_list args; 174 char *buf; 175 size_t len; 176 177 va_start(args, fmt); 178 len = vsnprintf(NULL, 0, fmt, args) + 1; 179 va_end(args); 180 181 buf = kmem_alloc(len, KM_NOSLEEP); 182 183 if (buf == NULL) 184 return (NULL); 185 186 va_start(args, fmt); 187 (void) vsnprintf(buf, len, fmt, args); 188 va_end(args); 189 190 return (buf); 191 } 192 193 /* 194 * priv_policy_errmsg() 195 * 196 * Generate an error message if privilege debugging is enabled system wide 197 * or for this particular process. 198 */ 199 200 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 201 #define FMTMSG " for \"%s\"" 202 #define FMTFUN " needed at %s+0x%lx" 203 204 /* The maximum size privilege format: the concatenation of the above */ 205 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 206 207 static void 208 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 209 { 210 struct proc *me; 211 pc_t stack[MAXPRIVSTACK]; 212 int depth; 213 int i; 214 char *sym; 215 ulong_t off; 216 const char *pname; 217 218 char *cmd; 219 char fmt[sizeof (FMTMAX)]; 220 221 if ((me = curproc) == &p0) 222 return; 223 224 /* Privileges must be defined */ 225 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 226 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 227 priv_getbynum(priv) != NULL); 228 229 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 230 priv = PRIV_ALL; 231 232 if (curthread->t_pre_sys) 233 ttolwp(curthread)->lwp_badpriv = (short)priv; 234 235 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 236 return; 237 238 (void) strcpy(fmt, FMTHDR); 239 240 if (me->p_user.u_comm[0]) 241 cmd = &me->p_user.u_comm[0]; 242 else 243 cmd = "priv_policy"; 244 245 if (msg != NULL && *msg != '\0') { 246 (void) strcat(fmt, FMTMSG); 247 } else { 248 (void) strcat(fmt, "%s"); 249 msg = ""; 250 } 251 252 sym = NULL; 253 254 depth = getpcstack(stack, MAXPRIVSTACK); 255 256 /* 257 * Try to find the first interesting function on the stack. 258 * priv_policy* that's us, so completely uninteresting. 259 * suser(), drv_priv(), secpolicy_* are also called from 260 * too many locations to convey useful information. 261 */ 262 for (i = 0; i < depth; i++) { 263 sym = kobj_getsymname((uintptr_t)stack[i], &off); 264 if (sym != NULL && 265 strstr(sym, "hasprocperm") == 0 && 266 strcmp("suser", sym) != 0 && 267 strcmp("ipcaccess", sym) != 0 && 268 strcmp("drv_priv", sym) != 0 && 269 strncmp("secpolicy_", sym, 10) != 0 && 270 strncmp("priv_policy", sym, 11) != 0) 271 break; 272 } 273 274 if (sym != NULL) 275 (void) strcat(fmt, FMTFUN); 276 277 (void) strcat(fmt, "\n"); 278 279 switch (priv) { 280 case PRIV_ALL: 281 pname = "ALL"; 282 break; 283 case PRIV_MULTIPLE: 284 pname = "MULTIPLE"; 285 break; 286 case PRIV_ALLZONE: 287 pname = "ZONE"; 288 break; 289 case PRIV_GLOBAL: 290 pname = "GLOBAL"; 291 break; 292 default: 293 pname = priv_getbynum(priv); 294 break; 295 } 296 297 if (CR_FLAGS(cr) & PRIV_DEBUG) { 298 /* Remember last message, just like lwp_badpriv. */ 299 if (curthread->t_pdmsg != NULL) { 300 kmem_free(curthread->t_pdmsg, 301 strlen(curthread->t_pdmsg) + 1); 302 } 303 304 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 305 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 306 307 curthread->t_post_sys = 1; 308 } else { 309 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 310 curthread->t_sysnum, msg, sym, off); 311 } 312 } 313 314 /* 315 * Audit failure, log error message. 316 */ 317 static void 318 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 319 { 320 321 #ifdef C2_AUDIT 322 if (audit_active) 323 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 324 #endif 325 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 326 327 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 328 curthread->t_pre_sys) { 329 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 330 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 331 } else { 332 ASSERT(!HAS_PRIVILEGE(cr, priv)); 333 priv_policy_errmsg(cr, priv, msg); 334 } 335 } 336 } 337 338 /* 339 * priv_policy() 340 * return 0 or error. 341 * See block comment above for a description of "priv" and "allzone" usage. 342 */ 343 int 344 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 345 const char *msg) 346 { 347 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 348 if ((allzone || priv == PRIV_ALL || 349 !PRIV_ISASSERT(priv_basic, priv)) && 350 !servicing_interrupt()) { 351 u.u_acflag |= ASU; /* Needed for SVVS */ 352 #ifdef C2_AUDIT 353 if (audit_active) 354 audit_priv(priv, 355 allzone ? ZONEPRIVS(cr) : NULL, 1); 356 #endif 357 } 358 err = 0; 359 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 360 } else if (!servicing_interrupt()) { 361 /* Failure audited in this procedure */ 362 priv_policy_err(cr, priv, allzone, msg); 363 } 364 365 return (err); 366 } 367 368 /* 369 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 370 */ 371 boolean_t 372 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 373 { 374 boolean_t res = HAS_PRIVILEGE(cr, priv) && 375 (!allzone || HAS_ALLZONEPRIVS(cr)); 376 377 #ifdef C2_AUDIT 378 /* Audit success only */ 379 if (res && audit_active && 380 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 381 !servicing_interrupt()) { 382 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 383 } 384 #endif 385 if (res) { 386 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 387 } else { 388 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 389 } 390 return (res); 391 } 392 393 /* 394 * Non-auditing variant of priv_policy_choice(). 395 */ 396 boolean_t 397 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 398 { 399 boolean_t res = HAS_PRIVILEGE(cr, priv) && 400 (!allzone || HAS_ALLZONEPRIVS(cr)); 401 402 if (res) { 403 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 404 } else { 405 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 406 } 407 return (res); 408 } 409 410 /* 411 * Check whether all privileges in the required set are present. 412 */ 413 static int 414 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 415 { 416 int priv; 417 int pfound = -1; 418 priv_set_t pset; 419 420 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 421 &CR_OEPRIV(cr))) { 422 return (0); 423 } 424 425 if (req == PRIV_FULLSET || priv_isfullset(req)) { 426 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 427 return (EACCES); 428 } 429 430 pset = CR_OEPRIV(cr); /* present privileges */ 431 priv_inverse(&pset); /* all non present privileges */ 432 priv_intersect(req, &pset); /* the actual missing privs */ 433 434 #ifdef C2_AUDIT 435 if (audit_active) 436 audit_priv(PRIV_NONE, &pset, 0); 437 #endif 438 /* 439 * Privilege debugging; special case "one privilege in set". 440 */ 441 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 442 for (priv = 0; priv < nprivs; priv++) { 443 if (priv_ismember(&pset, priv)) { 444 if (pfound != -1) { 445 /* Multiple missing privs */ 446 priv_policy_errmsg(cr, PRIV_MULTIPLE, 447 msg); 448 return (EACCES); 449 } 450 pfound = priv; 451 } 452 } 453 ASSERT(pfound != -1); 454 /* Just the one missing privilege */ 455 priv_policy_errmsg(cr, pfound, msg); 456 } 457 458 return (EACCES); 459 } 460 461 /* 462 * Called when an operation requires that the caller be in the 463 * global zone, regardless of privilege. 464 */ 465 static int 466 priv_policy_global(const cred_t *cr) 467 { 468 if (crgetzoneid(cr) == GLOBAL_ZONEID) 469 return (0); /* success */ 470 471 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 472 curthread->t_pre_sys) { 473 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 474 } 475 return (EPERM); 476 } 477 478 /* 479 * Changing process priority 480 */ 481 int 482 secpolicy_setpriority(const cred_t *cr) 483 { 484 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 485 } 486 487 /* 488 * Binding to a privileged port, port must be specified in host byte 489 * order. 490 */ 491 int 492 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 493 { 494 /* 495 * NFS ports, these are extra privileged ports, allow bind 496 * only if the SYS_NFS privilege is present. 497 */ 498 if (port == 2049 || port == 4045) 499 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 500 "NFS port")); 501 else 502 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 503 NULL)); 504 } 505 506 /* 507 * Common routine which determines whether a given credential can 508 * act on a given mount. 509 * When called through mount, the parameter needoptcheck is a pointer 510 * to a boolean variable which will be set to either true or false, 511 * depending on whether the mount policy should change the mount options. 512 * In all other cases, needoptcheck should be a NULL pointer. 513 */ 514 static int 515 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 516 boolean_t *needoptcheck) 517 { 518 boolean_t allzone = B_FALSE; 519 boolean_t mounting = needoptcheck != NULL; 520 521 /* 522 * Short circuit the following cases: 523 * vfsp == NULL or mvp == NULL (pure privilege check) 524 * have all privileges - no further checks required 525 * and no mount options need to be set. 526 */ 527 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 528 if (mounting) 529 *needoptcheck = B_FALSE; 530 531 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 532 } 533 534 /* 535 * When operating on an existing mount (either we're not mounting 536 * or we're doing a remount and VFS_REMOUNT will be set), zones 537 * can operate only on mounts established by the zone itself. 538 * When remounting, we're interested in the covered vnode and 539 * not the directory vnode which was passed in. 540 */ 541 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 542 zoneid_t zoneid = crgetzoneid(cr); 543 544 if (zoneid != GLOBAL_ZONEID && 545 vfsp->vfs_zone->zone_id != zoneid) { 546 return (EPERM); 547 } 548 /* 549 * If it's a remount, get the underlying mount point. 550 * This check should really be (vfsp->vfs_flag & VFS_REMOUNT) 551 * but we cannot depend on the VFS_REMOUNT flag being set 552 * correctly if we're not in a mount system call. 553 * But if we get here and we're mounting we're guaranteed 554 * that VFS_REMOUNT is set by the logic above. 555 */ 556 if (mounting) 557 mvp = vfsp->vfs_vnodecovered; 558 } 559 560 if (mounting) 561 *needoptcheck = B_TRUE; 562 563 /* 564 * Overlay mounts may hide important stuff; if you can't write to a 565 * mount point but would be able to mount on top of it, you can 566 * escalate your privileges. 567 * So we go about asking the same questions namefs does when it 568 * decides whether you can mount over a file or not but with the 569 * added restriction that you can only mount on top of a regular 570 * file or directory. 571 * If we have all the zone's privileges, we skip all other checks, 572 * or else we may actually get in trouble inside the automounter. 573 */ 574 if ((mvp->v_flag & VROOT) != 0 || 575 (mvp->v_type != VDIR && mvp->v_type != VREG) || 576 HAS_ALLZONEPRIVS(cr)) { 577 allzone = B_TRUE; 578 } else { 579 vattr_t va; 580 int err; 581 582 va.va_mask = AT_UID|AT_MODE; 583 err = VOP_GETATTR(mvp, &va, 0, cr); 584 if (err != 0) 585 return (err); 586 587 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 588 return (err); 589 590 if ((va.va_mode & VWRITE) == 0 && 591 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 592 return (EACCES); 593 } 594 } 595 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 596 } 597 598 int 599 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 600 { 601 boolean_t needoptchk; 602 int error; 603 604 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 605 606 if (error == 0 && needoptchk) { 607 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 608 609 /* 610 * Third check; if we don't have either "nosuid" or 611 * both "nosetuid" and "nodevices", then we add 612 * "nosuid"; this depends on how the current 613 * implementation works (it first checks nosuid). In a 614 * zone, a user with all zone privileges can mount with 615 * "setuid" but never with "devices". 616 */ 617 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 618 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 619 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 620 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 621 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 622 else 623 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 624 } 625 /* 626 * If we're not the local super user, we set the "restrict" 627 * option to indicate to automountd that this mount should 628 * be handled with care. 629 */ 630 if (!amsuper) 631 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 632 633 } 634 return (error); 635 } 636 637 /* 638 * Does the policy computations for "ownership" of a mount; 639 * here ownership is defined as the ability to "mount" 640 * the filesystem originally. The rootvfs doesn't cover any 641 * vnodes; we attribute its ownership to the rootvp. 642 */ 643 static int 644 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 645 { 646 vnode_t *mvp; 647 648 extern vnode_t *rootvp; 649 extern vfs_t *rootvfs; 650 651 if (vfsp == NULL) 652 mvp = NULL; 653 else if (vfsp == rootvfs) 654 mvp = rootvp; 655 else 656 mvp = vfsp->vfs_vnodecovered; 657 658 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 659 } 660 661 int 662 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 663 { 664 return (secpolicy_fs_owner(cr, vfsp)); 665 } 666 667 /* 668 * Quotas are a resource, but if one has the ability to mount a filesystem, he 669 * should be able to modify quotas on it. 670 */ 671 int 672 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 673 { 674 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 675 } 676 677 /* 678 * Exceeding minfree: also a per-mount resource constraint. 679 */ 680 int 681 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 682 { 683 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 684 } 685 686 int 687 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 688 { 689 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 690 } 691 692 /* ARGSUSED */ 693 int 694 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 695 { 696 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 697 } 698 699 /* 700 * Name: secpolicy_vnode_access() 701 * 702 * Parameters: Process credential 703 * vnode 704 * uid of owner of vnode 705 * permission bits not granted to the caller when examining 706 * file mode bits (i.e., when a process wants to open a 707 * mode 444 file for VREAD|VWRITE, this function should be 708 * called only with a VWRITE argument). 709 * 710 * Normal: Verifies that cred has the appropriate privileges to 711 * override the mode bits that were denied. 712 * 713 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 714 * not a directory. 715 * file_dac_read - if VREAD bit was denied. 716 * file_dac_search - if VEXEC bit was denied and vnode is 717 * a directory. 718 * file_dac_write - if VWRITE bit was denied. 719 * 720 * Root owned files are special cased to protect system 721 * configuration files and such. 722 * 723 * Output: EACCES - if privilege check fails. 724 */ 725 726 /* ARGSUSED */ 727 int 728 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 729 { 730 if ((mode & VREAD) && 731 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 732 return (EACCES); 733 734 if (mode & VWRITE) { 735 boolean_t allzone; 736 737 if (owner == 0 && cr->cr_uid != 0) 738 allzone = B_TRUE; 739 else 740 allzone = B_FALSE; 741 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 742 != 0) 743 return (EACCES); 744 } 745 746 if (mode & VEXEC) { 747 /* 748 * Directories use file_dac_search to override the execute bit. 749 */ 750 vtype_t vtype = vp->v_type; 751 752 if (vtype == VDIR) 753 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 754 EACCES, NULL)); 755 else 756 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 757 EACCES, NULL)); 758 } 759 return (0); 760 } 761 762 /* 763 * Name: secpolicy_vnode_setid_modify() 764 * 765 * Normal: verify that subject can set the file setid flags. 766 * 767 * Output: EPERM - if not privileged. 768 */ 769 770 static int 771 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 772 { 773 /* If changing to suid root, must have all zone privs */ 774 boolean_t allzone = B_TRUE; 775 776 if (owner != 0) { 777 if (owner == cr->cr_uid) 778 return (0); 779 allzone = B_FALSE; 780 } 781 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 782 } 783 784 /* 785 * Are we allowed to retain the set-uid/set-gid bits when 786 * changing ownership or when writing to a file? 787 * "issuid" should be true when set-uid; only in that case 788 * root ownership is checked (setgid is assumed). 789 */ 790 int 791 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 792 { 793 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 794 return (EPERM); 795 796 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 797 } 798 799 /* 800 * Name: secpolicy_vnode_setids_setgids() 801 * 802 * Normal: verify that subject can set the file setgid flag. 803 * 804 * Output: EPERM - if not privileged 805 */ 806 807 int 808 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 809 { 810 if (!groupmember(gid, cred)) 811 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 812 NULL)); 813 return (0); 814 } 815 816 /* 817 * Create a file with a group different than any of the groups allowed: 818 * the group of the directory the file is created in, the effective 819 * group or any of the supplementary groups. 820 */ 821 int 822 secpolicy_vnode_create_gid(const cred_t *cred) 823 { 824 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 825 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 826 NULL)); 827 else 828 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 829 NULL)); 830 } 831 832 /* 833 * Name: secpolicy_vnode_utime_modify() 834 * 835 * Normal: verify that subject can modify the utime on a file. 836 * 837 * Output: EPERM - if access denied. 838 */ 839 840 static int 841 secpolicy_vnode_utime_modify(const cred_t *cred) 842 { 843 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 844 "modify file times")); 845 } 846 847 848 /* 849 * Name: secpolicy_vnode_setdac() 850 * 851 * Normal: verify that subject can modify the mode of a file. 852 * allzone privilege needed when modifying root owned object. 853 * 854 * Output: EPERM - if access denied. 855 */ 856 857 int 858 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 859 { 860 if (owner == cred->cr_uid) 861 return (0); 862 863 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 864 } 865 /* 866 * Name: secpolicy_vnode_stky_modify() 867 * 868 * Normal: verify that subject can make a file a "sticky". 869 * 870 * Output: EPERM - if access denied. 871 */ 872 873 int 874 secpolicy_vnode_stky_modify(const cred_t *cred) 875 { 876 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 877 "set file sticky")); 878 } 879 880 /* 881 * Policy determines whether we can remove an entry from a directory, 882 * regardless of permission bits. 883 */ 884 int 885 secpolicy_vnode_remove(const cred_t *cr) 886 { 887 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 888 "sticky directory")); 889 } 890 891 int 892 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 893 { 894 boolean_t allzone = (owner == 0); 895 896 if (owner == cr->cr_uid) 897 return (0); 898 899 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 900 } 901 902 /* 903 * This function checks the policy decisions surrounding the 904 * vop setattr call. 905 * 906 * It should be called after sufficient locks have been established 907 * on the underlying data structures. No concurrent modifications 908 * should be allowed. 909 * 910 * The caller must pass in unlocked version of its vaccess function 911 * this is required because vop_access function should lock the 912 * node for reading. A three argument function should be defined 913 * which accepts the following argument: 914 * A pointer to the internal "node" type (inode *) 915 * vnode access bits (VREAD|VWRITE|VEXEC) 916 * a pointer to the credential 917 * 918 * This function makes the following policy decisions: 919 * 920 * - change permissions 921 * - permission to change file mode if not owner 922 * - permission to add sticky bit to non-directory 923 * - permission to add set-gid bit 924 * 925 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 926 * 927 * If the vap argument does not include AT_MODE, the mode will be copied from 928 * ovap. In certain situations set-uid/set-gid bits need to be removed; 929 * this is done by marking vap->va_mask to include AT_MODE and va_mode 930 * is updated to the newly computed mode. 931 */ 932 933 int 934 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 935 const struct vattr *ovap, int flags, 936 int unlocked_access(void *, int, cred_t *), 937 void *node) 938 { 939 int mask = vap->va_mask; 940 int error = 0; 941 942 if (mask & AT_SIZE) { 943 if (vp->v_type == VDIR) { 944 error = EISDIR; 945 goto out; 946 } 947 error = unlocked_access(node, VWRITE, cr); 948 if (error) 949 goto out; 950 } 951 if (mask & AT_MODE) { 952 /* 953 * If not the owner of the file then check privilege 954 * for two things: the privilege to set the mode at all 955 * and, if we're setting setuid, we also need permissions 956 * to add the set-uid bit, if we're not the owner. 957 * In the specific case of creating a set-uid root 958 * file, we need even more permissions. 959 */ 960 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 961 goto out; 962 963 if ((vap->va_mode & S_ISUID) != 0 && 964 (error = secpolicy_vnode_setid_modify(cr, 965 ovap->va_uid)) != 0) { 966 goto out; 967 } 968 969 /* 970 * Check privilege if attempting to set the 971 * sticky bit on a non-directory. 972 */ 973 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 974 secpolicy_vnode_stky_modify(cr) != 0) { 975 vap->va_mode &= ~S_ISVTX; 976 } 977 978 /* 979 * Check for privilege if attempting to set the 980 * group-id bit. 981 */ 982 if ((vap->va_mode & S_ISGID) != 0 && 983 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 984 vap->va_mode &= ~S_ISGID; 985 } 986 987 } else 988 vap->va_mode = ovap->va_mode; 989 990 if (mask & (AT_UID|AT_GID)) { 991 boolean_t checkpriv = B_FALSE; 992 int priv; 993 boolean_t allzone = B_FALSE; 994 995 /* 996 * Chowning files. 997 * 998 * If you are the file owner: 999 * chown to other uid FILE_CHOWN_SELF 1000 * chown to gid (non-member) FILE_CHOWN_SELF 1001 * chown to gid (member) <none> 1002 * 1003 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1004 * acceptable but the first one is reported when debugging. 1005 * 1006 * If you are not the file owner: 1007 * chown from root PRIV_FILE_CHOWN + zone 1008 * chown from other to any PRIV_FILE_CHOWN 1009 * 1010 */ 1011 if (cr->cr_uid != ovap->va_uid) { 1012 checkpriv = B_TRUE; 1013 allzone = (ovap->va_uid == 0); 1014 priv = PRIV_FILE_CHOWN; 1015 } else { 1016 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1017 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1018 !groupmember(vap->va_gid, cr))) { 1019 checkpriv = B_TRUE; 1020 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1021 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1022 } 1023 } 1024 /* 1025 * If necessary, check privilege to see if update can be done. 1026 */ 1027 if (checkpriv && 1028 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1029 != 0) { 1030 goto out; 1031 } 1032 1033 /* 1034 * If the file has either the set UID or set GID bits 1035 * set and the caller can set the bits, then leave them. 1036 */ 1037 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1038 secpolicy_vnode_setid_retain(cr, 1039 (vap->va_mode & S_ISUID) != 0 && 1040 (mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1041 /* Copied from ovap above if AT_MODE not specified */ 1042 vap->va_mask |= AT_MODE; 1043 vap->va_mode &= ~(S_ISUID|S_ISGID); 1044 } 1045 } 1046 if (mask & (AT_ATIME|AT_MTIME)) { 1047 /* 1048 * If not the file owner and not otherwise privileged, 1049 * always return an error when setting the 1050 * time other than the current (ATTR_UTIME flag set). 1051 * If setting the current time (ATTR_UTIME not set) then 1052 * unlocked_access will check permissions according to policy. 1053 */ 1054 if (cr->cr_uid != ovap->va_uid) { 1055 if (flags & ATTR_UTIME) 1056 error = secpolicy_vnode_utime_modify(cr); 1057 else { 1058 error = unlocked_access(node, VWRITE, cr); 1059 if (error == EACCES && 1060 secpolicy_vnode_utime_modify(cr) == 0) 1061 error = 0; 1062 } 1063 if (error) 1064 goto out; 1065 } 1066 } 1067 out: 1068 return (error); 1069 } 1070 1071 /* 1072 * Name: secpolicy_pcfs_modify_bootpartition() 1073 * 1074 * Normal: verify that subject can modify a pcfs boot partition. 1075 * 1076 * Output: EACCES - if privilege check failed. 1077 */ 1078 /*ARGSUSED*/ 1079 int 1080 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1081 { 1082 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1083 "modify pcfs boot partition")); 1084 } 1085 1086 /* 1087 * System V IPC routines 1088 */ 1089 int 1090 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1091 { 1092 if (crgetzoneid(cr) != ip->ipc_zoneid || 1093 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1094 boolean_t allzone = B_FALSE; 1095 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1096 allzone = B_TRUE; 1097 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1098 } 1099 return (0); 1100 } 1101 1102 int 1103 secpolicy_ipc_config(const cred_t *cr) 1104 { 1105 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1106 } 1107 1108 int 1109 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1110 { 1111 1112 boolean_t allzone = B_FALSE; 1113 1114 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1115 1116 if ((mode & MSG_R) && 1117 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1118 return (EACCES); 1119 1120 if (mode & MSG_W) { 1121 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1122 allzone = B_TRUE; 1123 1124 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1125 NULL)); 1126 } 1127 return (0); 1128 } 1129 1130 int 1131 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1132 { 1133 boolean_t allzone = B_FALSE; 1134 1135 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1136 1137 if ((mode & MSG_R) && 1138 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1139 return (EACCES); 1140 1141 if (mode & MSG_W) { 1142 if (cr->cr_uid != 0 && owner == 0) 1143 allzone = B_TRUE; 1144 1145 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1146 NULL)); 1147 } 1148 return (0); 1149 } 1150 1151 /* 1152 * Audit configuration. 1153 */ 1154 int 1155 secpolicy_audit_config(const cred_t *cr) 1156 { 1157 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1158 } 1159 1160 /* 1161 * Audit record generation. 1162 */ 1163 int 1164 secpolicy_audit_modify(const cred_t *cr) 1165 { 1166 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1167 } 1168 1169 /* 1170 * Get audit attributes. 1171 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1172 * "Least" of the two privileges on error. 1173 */ 1174 int 1175 secpolicy_audit_getattr(const cred_t *cr) 1176 { 1177 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1178 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1179 NULL)); 1180 } else { 1181 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1182 } 1183 } 1184 1185 1186 /* 1187 * Locking physical memory 1188 */ 1189 int 1190 secpolicy_lock_memory(const cred_t *cr) 1191 { 1192 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1193 } 1194 1195 /* 1196 * Accounting (both acct(2) and exacct). 1197 */ 1198 int 1199 secpolicy_acct(const cred_t *cr) 1200 { 1201 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1202 } 1203 1204 /* 1205 * Is this process privileged to change its uids at will? 1206 * Uid 0 is still considered "special" and having the SETID 1207 * privilege is not sufficient to get uid 0. 1208 * Files are owned by root, so the privilege would give 1209 * full access and euid 0 is still effective. 1210 * 1211 * If you have the privilege and euid 0 only then do you 1212 * get the powers of root wrt uid 0. 1213 * 1214 * For gid manipulations, this is should be called with an 1215 * uid of -1. 1216 * 1217 */ 1218 int 1219 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1220 { 1221 boolean_t allzone = B_FALSE; 1222 1223 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1224 cr->cr_ruid != 0) { 1225 allzone = B_TRUE; 1226 } 1227 1228 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1229 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1230 } 1231 1232 1233 /* 1234 * Acting on a different process: if the mode is for writing, 1235 * the restrictions are more severe. This is called after 1236 * we've verified that the uids do not match. 1237 */ 1238 int 1239 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1240 { 1241 boolean_t allzone = B_FALSE; 1242 1243 if ((mode & VWRITE) && scr->cr_uid != 0 && 1244 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1245 allzone = B_TRUE; 1246 1247 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1248 } 1249 1250 int 1251 secpolicy_proc_access(const cred_t *scr) 1252 { 1253 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1254 } 1255 1256 int 1257 secpolicy_proc_excl_open(const cred_t *scr) 1258 { 1259 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1260 } 1261 1262 int 1263 secpolicy_proc_zone(const cred_t *scr) 1264 { 1265 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1266 } 1267 1268 /* 1269 * Destroying the system 1270 */ 1271 1272 int 1273 secpolicy_kmdb(const cred_t *scr) 1274 { 1275 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1276 } 1277 1278 /* 1279 * Processor sets, cpu configuration, resource pools. 1280 */ 1281 int 1282 secpolicy_pset(const cred_t *cr) 1283 { 1284 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1285 } 1286 1287 int 1288 secpolicy_ponline(const cred_t *cr) 1289 { 1290 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1291 } 1292 1293 int 1294 secpolicy_pool(const cred_t *cr) 1295 { 1296 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1297 } 1298 1299 int 1300 secpolicy_blacklist(const cred_t *cr) 1301 { 1302 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1303 } 1304 1305 /* 1306 * Catch all system configuration. 1307 */ 1308 int 1309 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1310 { 1311 if (checkonly) { 1312 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1313 EPERM); 1314 } else { 1315 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1316 } 1317 } 1318 1319 /* 1320 * Zone administration (halt, reboot, etc.) from within zone. 1321 */ 1322 int 1323 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1324 { 1325 if (checkonly) { 1326 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1327 EPERM); 1328 } else { 1329 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1330 NULL)); 1331 } 1332 } 1333 1334 /* 1335 * Zone configuration (create, halt, enter). 1336 */ 1337 int 1338 secpolicy_zone_config(const cred_t *cr) 1339 { 1340 /* 1341 * Require all privileges to avoid possibility of privilege 1342 * escalation. 1343 */ 1344 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1345 } 1346 1347 /* 1348 * Various other system configuration calls 1349 */ 1350 int 1351 secpolicy_coreadm(const cred_t *cr) 1352 { 1353 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1354 } 1355 1356 int 1357 secpolicy_systeminfo(const cred_t *cr) 1358 { 1359 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1360 } 1361 1362 int 1363 secpolicy_dispadm(const cred_t *cr) 1364 { 1365 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1366 } 1367 1368 int 1369 secpolicy_settime(const cred_t *cr) 1370 { 1371 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1372 } 1373 1374 /* 1375 * For realtime users: high resolution clock. 1376 */ 1377 int 1378 secpolicy_clock_highres(const cred_t *cr) 1379 { 1380 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1381 NULL)); 1382 } 1383 1384 /* 1385 * drv_priv() is documented as callable from interrupt context, not that 1386 * anyone ever does, but still. No debugging or auditing can be done when 1387 * it is called from interrupt context. 1388 * returns 0 on succes, EPERM on failure. 1389 */ 1390 int 1391 drv_priv(cred_t *cr) 1392 { 1393 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1394 } 1395 1396 int 1397 secpolicy_sys_devices(const cred_t *cr) 1398 { 1399 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1400 } 1401 1402 int 1403 secpolicy_excl_open(const cred_t *cr) 1404 { 1405 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1406 } 1407 1408 int 1409 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1410 { 1411 /* zone.* rctls can only be set from the global zone */ 1412 if (is_zone_rctl && priv_policy_global(cr) != 0) 1413 return (EPERM); 1414 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1415 } 1416 1417 int 1418 secpolicy_resource(const cred_t *cr) 1419 { 1420 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1421 } 1422 1423 /* 1424 * Processes with a real uid of 0 escape any form of accounting, much 1425 * like before. 1426 */ 1427 int 1428 secpolicy_newproc(const cred_t *cr) 1429 { 1430 if (cr->cr_ruid == 0) 1431 return (0); 1432 1433 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1434 } 1435 1436 /* 1437 * Networking 1438 */ 1439 int 1440 secpolicy_net_rawaccess(const cred_t *cr) 1441 { 1442 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1443 } 1444 1445 /* 1446 * Need this privilege for accessing the ICMP device 1447 */ 1448 int 1449 secpolicy_net_icmpaccess(const cred_t *cr) 1450 { 1451 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1452 } 1453 1454 /* 1455 * There are a few rare cases where the kernel generates ioctls() from 1456 * interrupt context with a credential of kcred rather than NULL. 1457 * In those cases, we take the safe and cheap test. 1458 */ 1459 int 1460 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1461 { 1462 if (checkonly) { 1463 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1464 0 : EPERM); 1465 } else { 1466 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1467 NULL)); 1468 } 1469 } 1470 1471 1472 /* 1473 * Map network pseudo privileges to actual privileges. 1474 * So we don't need to recompile IP when we change the privileges. 1475 */ 1476 int 1477 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1478 { 1479 int priv = PRIV_ALL; 1480 1481 switch (netpriv) { 1482 case OP_CONFIG: 1483 priv = PRIV_SYS_NET_CONFIG; 1484 break; 1485 case OP_RAW: 1486 priv = PRIV_NET_RAWACCESS; 1487 break; 1488 case OP_PRIVPORT: 1489 priv = PRIV_NET_PRIVADDR; 1490 break; 1491 } 1492 ASSERT(priv != PRIV_ALL); 1493 if (checkonly) 1494 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1495 else 1496 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1497 } 1498 1499 /* 1500 * Checks for operations that are either client-only or are used by 1501 * both clients and servers. 1502 */ 1503 int 1504 secpolicy_nfs(const cred_t *cr) 1505 { 1506 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1507 } 1508 1509 /* 1510 * Special case for opening rpcmod: have NFS privileges or network 1511 * config privileges. 1512 */ 1513 int 1514 secpolicy_rpcmod_open(const cred_t *cr) 1515 { 1516 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1517 return (secpolicy_nfs(cr)); 1518 else 1519 return (secpolicy_net_config(cr, NULL)); 1520 } 1521 1522 int 1523 secpolicy_chroot(const cred_t *cr) 1524 { 1525 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1526 } 1527 1528 int 1529 secpolicy_tasksys(const cred_t *cr) 1530 { 1531 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1532 } 1533 1534 /* 1535 * Basic privilege checks. 1536 */ 1537 int 1538 secpolicy_basic_exec(const cred_t *cr) 1539 { 1540 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1541 } 1542 1543 int 1544 secpolicy_basic_fork(const cred_t *cr) 1545 { 1546 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1547 } 1548 1549 int 1550 secpolicy_basic_proc(const cred_t *cr) 1551 { 1552 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1553 } 1554 1555 /* 1556 * Slightly complicated because we don't want to trigger the policy too 1557 * often. First we shortcircuit access to "self" (tp == sp) or if 1558 * we don't have the privilege but if we have permission 1559 * just return (0) and we don't flag the privilege as needed. 1560 * Else, we test for the privilege because we either have it or need it. 1561 */ 1562 int 1563 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1564 { 1565 if (tp == sp || 1566 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1567 return (0); 1568 } else { 1569 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1570 } 1571 } 1572 1573 int 1574 secpolicy_basic_link(const cred_t *cr) 1575 { 1576 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1577 } 1578 1579 /* 1580 * Additional device protection. 1581 * 1582 * Traditionally, a device has specific permissions on the node in 1583 * the filesystem which govern which devices can be opened by what 1584 * processes. In certain cases, it is desirable to add extra 1585 * restrictions, as writing to certain devices is identical to 1586 * having a complete run of the system. 1587 * 1588 * This mechanism is called the device policy. 1589 * 1590 * When a device is opened, its policy entry is looked up in the 1591 * policy cache and checked. 1592 */ 1593 int 1594 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1595 { 1596 devplcy_t *plcy; 1597 int err; 1598 struct snode *csp = VTOS(common_specvp(vp)); 1599 1600 mutex_enter(&csp->s_lock); 1601 1602 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1603 plcy = devpolicy_find(vp); 1604 if (csp->s_plcy) 1605 dpfree(csp->s_plcy); 1606 csp->s_plcy = plcy; 1607 ASSERT(plcy != NULL); 1608 } else 1609 plcy = csp->s_plcy; 1610 1611 if (plcy == nullpolicy) { 1612 mutex_exit(&csp->s_lock); 1613 return (0); 1614 } 1615 1616 dphold(plcy); 1617 1618 mutex_exit(&csp->s_lock); 1619 1620 err = secpolicy_require_set(cr, 1621 (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy"); 1622 dpfree(plcy); 1623 1624 return (err); 1625 } 1626 1627 int 1628 secpolicy_modctl(const cred_t *cr, int cmd) 1629 { 1630 switch (cmd) { 1631 case MODINFO: 1632 case MODGETPATH: 1633 case MODGETPATHLEN: 1634 case MODGETFBNAME: 1635 case MODGETNAME: 1636 case MODGETDEVPOLICY: 1637 case MODGETDEVPOLICYBYNAME: 1638 case MODGETMAJBIND: 1639 /* Unprivileged */ 1640 return (0); 1641 case MODLOAD: 1642 case MODSETDEVPOLICY: 1643 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1644 default: 1645 return (secpolicy_sys_config(cr, B_FALSE)); 1646 } 1647 } 1648 1649 int 1650 secpolicy_console(const cred_t *cr) 1651 { 1652 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1653 } 1654 1655 int 1656 secpolicy_power_mgmt(const cred_t *cr) 1657 { 1658 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1659 } 1660 1661 /* 1662 * Simulate terminal input; another escalation of privileges avenue. 1663 */ 1664 1665 int 1666 secpolicy_sti(const cred_t *cr) 1667 { 1668 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1669 } 1670 1671 int 1672 secpolicy_swapctl(const cred_t *cr) 1673 { 1674 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1675 } 1676 1677 int 1678 secpolicy_cpc_cpu(const cred_t *cr) 1679 { 1680 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1681 } 1682 1683 /* 1684 * secpolicy_contract_observer 1685 * 1686 * Determine if the subject may observe a specific contract's events. 1687 */ 1688 int 1689 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1690 { 1691 if (contract_owned(ct, cr, B_FALSE)) 1692 return (0); 1693 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1694 } 1695 1696 /* 1697 * secpolicy_contract_observer_choice 1698 * 1699 * Determine if the subject may observe any contract's events. Just 1700 * tests privilege and audits on success. 1701 */ 1702 boolean_t 1703 secpolicy_contract_observer_choice(const cred_t *cr) 1704 { 1705 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1706 } 1707 1708 /* 1709 * secpolicy_contract_event 1710 * 1711 * Determine if the subject may request critical contract events or 1712 * reliable contract event delivery. 1713 */ 1714 int 1715 secpolicy_contract_event(const cred_t *cr) 1716 { 1717 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1718 } 1719 1720 /* 1721 * secpolicy_contract_event_choice 1722 * 1723 * Determine if the subject may retain contract events in its critical 1724 * set when a change in other terms would normally require a change in 1725 * the critical set. Just tests privilege and audits on success. 1726 */ 1727 boolean_t 1728 secpolicy_contract_event_choice(const cred_t *cr) 1729 { 1730 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1731 } 1732 1733 /* 1734 * Name: secpolicy_gart_access 1735 * 1736 * Normal: Verify if the subject has sufficient priveleges to make ioctls 1737 * to agpgart device 1738 * 1739 * Output: EPERM - if not privileged 1740 * 1741 */ 1742 int 1743 secpolicy_gart_access(const cred_t *cr) 1744 { 1745 return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)); 1746 } 1747 1748 /* 1749 * Name: secpolicy_gart_map 1750 * 1751 * Normal: Verify if the subject has sufficient privelegs to map aperture 1752 * range through agpgart driver 1753 * 1754 * Output: EPERM - if not privileged 1755 * 1756 */ 1757 int 1758 secpolicy_gart_map(const cred_t *cr) 1759 { 1760 if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) { 1761 return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL)); 1762 } 1763 return (0); 1764 } 1765