1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/vnode.h> 34 #include <sys/vfs.h> 35 #include <sys/stat.h> 36 #include <sys/errno.h> 37 #include <sys/kmem.h> 38 #include <sys/user.h> 39 #include <sys/proc.h> 40 #include <sys/acct.h> 41 #include <sys/ipc_impl.h> 42 #include <sys/cmn_err.h> 43 #include <sys/debug.h> 44 #include <sys/policy.h> 45 #include <sys/kobj.h> 46 #include <sys/msg.h> 47 #include <sys/devpolicy.h> 48 #include <c2/audit.h> 49 #include <sys/varargs.h> 50 #include <sys/modctl.h> 51 #include <sys/disp.h> 52 #include <sys/zone.h> 53 #include <inet/optcom.h> 54 #include <sys/sdt.h> 55 #include <sys/vfs.h> 56 #include <sys/mntent.h> 57 #include <sys/contract_impl.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 68 /* 69 * This file contains the majority of the policy routines. 70 * Since the policy routines are defined by function and not 71 * by privilege, there is quite a bit of duplication of 72 * functions. 73 * 74 * The secpolicy functions must not make assumptions about 75 * locks held or not held as any lock can be held while they're 76 * being called. 77 * 78 * Credentials are read-only so no special precautions need to 79 * be taken while locking them. 80 * 81 * When a new policy check needs to be added to the system the 82 * following procedure should be followed: 83 * 84 * Pick an appropriate secpolicy_*() function 85 * -> done if one exists. 86 * Create a new secpolicy function, preferably with 87 * a descriptive name using the standard template. 88 * Pick an appropriate privilege for the policy. 89 * If no appropraite privilege exists, define new one 90 * (this should be done with extreme care; in most cases 91 * little is gained by adding another privilege) 92 * 93 * WHY ROOT IS STILL SPECIAL. 94 * 95 * In a number of the policy functions, there are still explicit 96 * checks for uid 0. The rationale behind these is that many root 97 * owned files/objects hold configuration information which can give full 98 * privileges to the user once written to. To prevent escalation 99 * of privilege by allowing just a single privilege to modify root owned 100 * objects, we've added these root specific checks where we considered 101 * them necessary: modifying root owned files, changing uids to 0, etc. 102 * 103 * PRIVILEGE ESCALATION AND ZONES. 104 * 105 * A number of operations potentially allow the caller to achieve 106 * privileges beyond the ones normally required to perform the operation. 107 * For example, if allowed to create a setuid 0 executable, a process can 108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 109 * restrictions on the ability to gain privileges beyond those available 110 * within the zone through file and process manipulation. Hence, such 111 * operations require that the caller have an effective set that includes 112 * all privileges available within the current zone, or all privileges 113 * if executing in the global zone. 114 * 115 * This is indicated in the priv_policy* policy checking functions 116 * through a combination of parameters. The "priv" parameter indicates 117 * the privilege that is required, and the "allzone" parameter indicates 118 * whether or not all privileges in the zone are required. In addition, 119 * priv can be set to PRIV_ALL to indicate that all privileges are 120 * required (regardless of zone). There are three scenarios of interest: 121 * (1) operation requires a specific privilege 122 * (2) operation requires a specific privilege, and requires all 123 * privileges available within the zone (or all privileges if in 124 * the global zone) 125 * (3) operation requires all privileges, regardless of zone 126 * 127 * For (1), priv should be set to the specific privilege, and allzone 128 * should be set to B_FALSE. 129 * For (2), priv should be set to the specific privilege, and allzone 130 * should be set to B_TRUE. 131 * For (3), priv should be set to PRIV_ALL, and allzone should be set 132 * to B_FALSE. 133 * 134 */ 135 136 /* 137 * The privileges are checked against the Effective set for 138 * ordinary processes and checked against the Limit set 139 * for euid 0 processes that haven't manipulated their privilege 140 * sets. 141 */ 142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 146 HAS_ALLPRIVS(cr) : \ 147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 148 149 /* 150 * Policy checking functions 151 * 152 * In future, these will migrate to several files when policy 153 * becomes more or less pluggable. 154 * 155 * For now, there's only one policy and this is it. 156 */ 157 158 /* 159 * Generic policy calls 160 * 161 * The "bottom" functions of policy control 162 */ 163 164 static char * 165 mprintf(const char *fmt, ...) 166 { 167 va_list args; 168 char *buf; 169 size_t len; 170 171 va_start(args, fmt); 172 len = vsnprintf(NULL, 0, fmt, args) + 1; 173 va_end(args); 174 175 buf = kmem_alloc(len, KM_NOSLEEP); 176 177 if (buf == NULL) 178 return (NULL); 179 180 va_start(args, fmt); 181 (void) vsnprintf(buf, len, fmt, args); 182 va_end(args); 183 184 return (buf); 185 } 186 187 /* 188 * priv_policy_errmsg() 189 * 190 * Generate an error message if privilege debugging is enabled system wide 191 * or for this particular process. 192 */ 193 194 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 195 #define FMTMSG " for \"%s\"" 196 #define FMTFUN " needed at %s+0x%lx" 197 198 /* The maximum size privilege format: the concatenation of the above */ 199 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 200 201 static void 202 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 203 { 204 struct proc *me; 205 pc_t stack[MAXPRIVSTACK]; 206 int depth; 207 int i; 208 char *sym; 209 ulong_t off; 210 const char *pname; 211 212 char *cmd; 213 char fmt[sizeof (FMTMAX)]; 214 215 if ((me = curproc) == &p0) 216 return; 217 218 /* Privileges must be defined */ 219 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 220 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 221 priv_getbynum(priv) != NULL); 222 223 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 224 priv = PRIV_ALL; 225 226 if (curthread->t_pre_sys) 227 ttolwp(curthread)->lwp_badpriv = (short)priv; 228 229 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 230 return; 231 232 (void) strcpy(fmt, FMTHDR); 233 234 if (me->p_user.u_comm[0]) 235 cmd = &me->p_user.u_comm[0]; 236 else 237 cmd = "priv_policy"; 238 239 if (msg != NULL && *msg != '\0') { 240 (void) strcat(fmt, FMTMSG); 241 } else { 242 (void) strcat(fmt, "%s"); 243 msg = ""; 244 } 245 246 sym = NULL; 247 248 depth = getpcstack(stack, MAXPRIVSTACK); 249 250 /* 251 * Try to find the first interesting function on the stack. 252 * priv_policy* that's us, so completely uninteresting. 253 * suser(), drv_priv(), secpolicy_* are also called from 254 * too many locations to convey useful information. 255 */ 256 for (i = 0; i < depth; i++) { 257 sym = kobj_getsymname((uintptr_t)stack[i], &off); 258 if (sym != NULL && 259 strstr(sym, "hasprocperm") == 0 && 260 strcmp("suser", sym) != 0 && 261 strcmp("ipcaccess", sym) != 0 && 262 strcmp("drv_priv", sym) != 0 && 263 strncmp("secpolicy_", sym, 10) != 0 && 264 strncmp("priv_policy", sym, 11) != 0) 265 break; 266 } 267 268 if (sym != NULL) 269 (void) strcat(fmt, FMTFUN); 270 271 (void) strcat(fmt, "\n"); 272 273 switch (priv) { 274 case PRIV_ALL: 275 pname = "ALL"; 276 break; 277 case PRIV_MULTIPLE: 278 pname = "MULTIPLE"; 279 break; 280 case PRIV_ALLZONE: 281 pname = "ZONE"; 282 break; 283 case PRIV_GLOBAL: 284 pname = "GLOBAL"; 285 break; 286 default: 287 pname = priv_getbynum(priv); 288 break; 289 } 290 291 if (CR_FLAGS(cr) & PRIV_DEBUG) { 292 /* Remember last message, just like lwp_badpriv. */ 293 if (curthread->t_pdmsg != NULL) { 294 kmem_free(curthread->t_pdmsg, 295 strlen(curthread->t_pdmsg) + 1); 296 } 297 298 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 299 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 300 301 curthread->t_post_sys = 1; 302 } else { 303 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 304 curthread->t_sysnum, msg, sym, off); 305 } 306 } 307 308 /* 309 * Audit failure, log error message. 310 */ 311 static void 312 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 313 { 314 315 if (audit_active) 316 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 317 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 318 319 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 320 curthread->t_pre_sys) { 321 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 322 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 323 } else { 324 ASSERT(!HAS_PRIVILEGE(cr, priv)); 325 priv_policy_errmsg(cr, priv, msg); 326 } 327 } 328 } 329 330 /* 331 * priv_policy() 332 * return 0 or error. 333 * See block comment above for a description of "priv" and "allzone" usage. 334 */ 335 int 336 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 337 const char *msg) 338 { 339 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 340 if ((allzone || priv == PRIV_ALL || 341 !PRIV_ISASSERT(priv_basic, priv)) && 342 !servicing_interrupt()) { 343 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 344 if (audit_active) 345 audit_priv(priv, 346 allzone ? ZONEPRIVS(cr) : NULL, 1); 347 } 348 err = 0; 349 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 350 } else if (!servicing_interrupt()) { 351 /* Failure audited in this procedure */ 352 priv_policy_err(cr, priv, allzone, msg); 353 } 354 355 return (err); 356 } 357 358 /* 359 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 360 */ 361 boolean_t 362 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 363 { 364 boolean_t res = HAS_PRIVILEGE(cr, priv) && 365 (!allzone || HAS_ALLZONEPRIVS(cr)); 366 367 /* Audit success only */ 368 if (res && audit_active && 369 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 370 !servicing_interrupt()) { 371 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 372 } 373 if (res) { 374 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 375 } else { 376 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 377 } 378 return (res); 379 } 380 381 /* 382 * Non-auditing variant of priv_policy_choice(). 383 */ 384 boolean_t 385 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 386 { 387 boolean_t res = HAS_PRIVILEGE(cr, priv) && 388 (!allzone || HAS_ALLZONEPRIVS(cr)); 389 390 if (res) { 391 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 392 } else { 393 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 394 } 395 return (res); 396 } 397 398 /* 399 * Check whether all privileges in the required set are present. 400 */ 401 static int 402 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 403 { 404 int priv; 405 int pfound = -1; 406 priv_set_t pset; 407 408 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 409 &CR_OEPRIV(cr))) { 410 return (0); 411 } 412 413 if (req == PRIV_FULLSET || priv_isfullset(req)) { 414 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 415 return (EACCES); 416 } 417 418 pset = CR_OEPRIV(cr); /* present privileges */ 419 priv_inverse(&pset); /* all non present privileges */ 420 priv_intersect(req, &pset); /* the actual missing privs */ 421 422 if (audit_active) 423 audit_priv(PRIV_NONE, &pset, 0); 424 /* 425 * Privilege debugging; special case "one privilege in set". 426 */ 427 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 428 for (priv = 0; priv < nprivs; priv++) { 429 if (priv_ismember(&pset, priv)) { 430 if (pfound != -1) { 431 /* Multiple missing privs */ 432 priv_policy_errmsg(cr, PRIV_MULTIPLE, 433 msg); 434 return (EACCES); 435 } 436 pfound = priv; 437 } 438 } 439 ASSERT(pfound != -1); 440 /* Just the one missing privilege */ 441 priv_policy_errmsg(cr, pfound, msg); 442 } 443 444 return (EACCES); 445 } 446 447 /* 448 * Called when an operation requires that the caller be in the 449 * global zone, regardless of privilege. 450 */ 451 static int 452 priv_policy_global(const cred_t *cr) 453 { 454 if (crgetzoneid(cr) == GLOBAL_ZONEID) 455 return (0); /* success */ 456 457 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 458 curthread->t_pre_sys) { 459 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 460 } 461 return (EPERM); 462 } 463 464 /* 465 * Changing process priority 466 */ 467 int 468 secpolicy_setpriority(const cred_t *cr) 469 { 470 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 471 } 472 473 /* 474 * Binding to a privileged port, port must be specified in host byte 475 * order. 476 */ 477 int 478 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 479 { 480 char *reason; 481 int priv; 482 483 switch (port) { 484 case 137: 485 case 138: 486 case 139: 487 case 445: 488 /* 489 * NBT and SMB ports, these are extra privileged ports, 490 * allow bind only if the SYS_SMB privilege is present. 491 */ 492 priv = PRIV_SYS_SMB; 493 reason = "NBT or SMB port"; 494 break; 495 496 case 2049: 497 case 4045: 498 /* 499 * NFS ports, these are extra privileged ports, allow bind 500 * only if the SYS_NFS privilege is present. 501 */ 502 priv = PRIV_SYS_NFS; 503 reason = "NFS port"; 504 break; 505 506 default: 507 priv = PRIV_NET_PRIVADDR; 508 reason = NULL; 509 break; 510 511 } 512 513 return (PRIV_POLICY(cr, priv, B_FALSE, EACCES, reason)); 514 } 515 516 /* 517 * Binding to a multilevel port on a trusted (labeled) system. 518 */ 519 int 520 secpolicy_net_bindmlp(const cred_t *cr) 521 { 522 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, 523 NULL)); 524 } 525 526 /* 527 * Allow a communication between a zone and an unlabeled host when their 528 * labels don't match. 529 */ 530 int 531 secpolicy_net_mac_aware(const cred_t *cr) 532 { 533 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, 534 NULL)); 535 } 536 537 /* 538 * Common routine which determines whether a given credential can 539 * act on a given mount. 540 * When called through mount, the parameter needoptcheck is a pointer 541 * to a boolean variable which will be set to either true or false, 542 * depending on whether the mount policy should change the mount options. 543 * In all other cases, needoptcheck should be a NULL pointer. 544 */ 545 static int 546 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 547 boolean_t *needoptcheck) 548 { 549 boolean_t allzone = B_FALSE; 550 boolean_t mounting = needoptcheck != NULL; 551 552 /* 553 * Short circuit the following cases: 554 * vfsp == NULL or mvp == NULL (pure privilege check) 555 * have all privileges - no further checks required 556 * and no mount options need to be set. 557 */ 558 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 559 if (mounting) 560 *needoptcheck = B_FALSE; 561 562 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 563 } 564 565 /* 566 * When operating on an existing mount (either we're not mounting 567 * or we're doing a remount and VFS_REMOUNT will be set), zones 568 * can operate only on mounts established by the zone itself. 569 */ 570 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 571 zoneid_t zoneid = crgetzoneid(cr); 572 573 if (zoneid != GLOBAL_ZONEID && 574 vfsp->vfs_zone->zone_id != zoneid) { 575 return (EPERM); 576 } 577 } 578 579 if (mounting) 580 *needoptcheck = B_TRUE; 581 582 /* 583 * Overlay mounts may hide important stuff; if you can't write to a 584 * mount point but would be able to mount on top of it, you can 585 * escalate your privileges. 586 * So we go about asking the same questions namefs does when it 587 * decides whether you can mount over a file or not but with the 588 * added restriction that you can only mount on top of a regular 589 * file or directory. 590 * If we have all the zone's privileges, we skip all other checks, 591 * or else we may actually get in trouble inside the automounter. 592 */ 593 if ((mvp->v_flag & VROOT) != 0 || 594 (mvp->v_type != VDIR && mvp->v_type != VREG) || 595 HAS_ALLZONEPRIVS(cr)) { 596 allzone = B_TRUE; 597 } else { 598 vattr_t va; 599 int err; 600 601 va.va_mask = AT_UID|AT_MODE; 602 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 603 if (err != 0) 604 return (err); 605 606 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 607 return (err); 608 609 if ((va.va_mode & VWRITE) == 0 && 610 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 611 return (EACCES); 612 } 613 } 614 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 615 } 616 617 void 618 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 619 { 620 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 621 622 /* 623 * check; if we don't have either "nosuid" or 624 * both "nosetuid" and "nodevices", then we add 625 * "nosuid"; this depends on how the current 626 * implementation works (it first checks nosuid). In a 627 * zone, a user with all zone privileges can mount with 628 * "setuid" but never with "devices". 629 */ 630 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 631 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 632 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 633 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 634 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 635 else 636 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 637 } 638 /* 639 * If we're not the local super user, we set the "restrict" 640 * option to indicate to automountd that this mount should 641 * be handled with care. 642 */ 643 if (!amsuper) 644 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 645 646 } 647 648 extern vnode_t *rootvp; 649 extern vfs_t *rootvfs; 650 651 int 652 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 653 { 654 boolean_t needoptchk; 655 int error; 656 657 /* 658 * If it's a remount, get the underlying mount point, 659 * except for the root where we use the rootvp. 660 */ 661 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 662 if (vfsp == rootvfs) 663 mvp = rootvp; 664 else 665 mvp = vfsp->vfs_vnodecovered; 666 } 667 668 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 669 670 if (error == 0 && needoptchk) { 671 secpolicy_fs_mount_clearopts(cr, vfsp); 672 } 673 674 return (error); 675 } 676 677 /* 678 * Does the policy computations for "ownership" of a mount; 679 * here ownership is defined as the ability to "mount" 680 * the filesystem originally. The rootvfs doesn't cover any 681 * vnodes; we attribute its ownership to the rootvp. 682 */ 683 static int 684 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 685 { 686 vnode_t *mvp; 687 688 if (vfsp == NULL) 689 mvp = NULL; 690 else if (vfsp == rootvfs) 691 mvp = rootvp; 692 else 693 mvp = vfsp->vfs_vnodecovered; 694 695 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 696 } 697 698 int 699 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 700 { 701 return (secpolicy_fs_owner(cr, vfsp)); 702 } 703 704 /* 705 * Quotas are a resource, but if one has the ability to mount a filesystem, he 706 * should be able to modify quotas on it. 707 */ 708 int 709 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 710 { 711 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 712 } 713 714 /* 715 * Exceeding minfree: also a per-mount resource constraint. 716 */ 717 int 718 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 719 { 720 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 721 } 722 723 int 724 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 725 { 726 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 727 } 728 729 /* ARGSUSED */ 730 int 731 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 732 { 733 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 734 } 735 736 /* 737 * Name: secpolicy_vnode_access() 738 * 739 * Parameters: Process credential 740 * vnode 741 * uid of owner of vnode 742 * permission bits not granted to the caller when examining 743 * file mode bits (i.e., when a process wants to open a 744 * mode 444 file for VREAD|VWRITE, this function should be 745 * called only with a VWRITE argument). 746 * 747 * Normal: Verifies that cred has the appropriate privileges to 748 * override the mode bits that were denied. 749 * 750 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 751 * not a directory. 752 * file_dac_read - if VREAD bit was denied. 753 * file_dac_search - if VEXEC bit was denied and vnode is 754 * a directory. 755 * file_dac_write - if VWRITE bit was denied. 756 * 757 * Root owned files are special cased to protect system 758 * configuration files and such. 759 * 760 * Output: EACCES - if privilege check fails. 761 */ 762 763 /* ARGSUSED */ 764 int 765 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 766 { 767 if ((mode & VREAD) && 768 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 769 return (EACCES); 770 771 if (mode & VWRITE) { 772 boolean_t allzone; 773 774 if (owner == 0 && cr->cr_uid != 0) 775 allzone = B_TRUE; 776 else 777 allzone = B_FALSE; 778 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 779 != 0) 780 return (EACCES); 781 } 782 783 if (mode & VEXEC) { 784 /* 785 * Directories use file_dac_search to override the execute bit. 786 */ 787 vtype_t vtype = vp->v_type; 788 789 if (vtype == VDIR) 790 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 791 EACCES, NULL)); 792 else 793 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 794 EACCES, NULL)); 795 } 796 return (0); 797 } 798 799 /* 800 * Name: secpolicy_vnode_setid_modify() 801 * 802 * Normal: verify that subject can set the file setid flags. 803 * 804 * Output: EPERM - if not privileged. 805 */ 806 807 static int 808 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 809 { 810 /* If changing to suid root, must have all zone privs */ 811 boolean_t allzone = B_TRUE; 812 813 if (owner != 0) { 814 if (owner == cr->cr_uid) 815 return (0); 816 allzone = B_FALSE; 817 } 818 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 819 } 820 821 /* 822 * Are we allowed to retain the set-uid/set-gid bits when 823 * changing ownership or when writing to a file? 824 * "issuid" should be true when set-uid; only in that case 825 * root ownership is checked (setgid is assumed). 826 */ 827 int 828 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 829 { 830 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 831 return (EPERM); 832 833 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 834 } 835 836 /* 837 * Name: secpolicy_vnode_setids_setgids() 838 * 839 * Normal: verify that subject can set the file setgid flag. 840 * 841 * Output: EPERM - if not privileged 842 */ 843 844 int 845 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 846 { 847 if (!groupmember(gid, cred)) 848 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 849 NULL)); 850 return (0); 851 } 852 853 /* 854 * Create a file with a group different than any of the groups allowed: 855 * the group of the directory the file is created in, the effective 856 * group or any of the supplementary groups. 857 */ 858 int 859 secpolicy_vnode_create_gid(const cred_t *cred) 860 { 861 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 862 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 863 NULL)); 864 else 865 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 866 NULL)); 867 } 868 869 /* 870 * Name: secpolicy_vnode_utime_modify() 871 * 872 * Normal: verify that subject can modify the utime on a file. 873 * 874 * Output: EPERM - if access denied. 875 */ 876 877 static int 878 secpolicy_vnode_utime_modify(const cred_t *cred) 879 { 880 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 881 "modify file times")); 882 } 883 884 885 /* 886 * Name: secpolicy_vnode_setdac() 887 * 888 * Normal: verify that subject can modify the mode of a file. 889 * allzone privilege needed when modifying root owned object. 890 * 891 * Output: EPERM - if access denied. 892 */ 893 894 int 895 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 896 { 897 if (owner == cred->cr_uid) 898 return (0); 899 900 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 901 } 902 /* 903 * Name: secpolicy_vnode_stky_modify() 904 * 905 * Normal: verify that subject can make a file a "sticky". 906 * 907 * Output: EPERM - if access denied. 908 */ 909 910 int 911 secpolicy_vnode_stky_modify(const cred_t *cred) 912 { 913 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 914 "set file sticky")); 915 } 916 917 /* 918 * Policy determines whether we can remove an entry from a directory, 919 * regardless of permission bits. 920 */ 921 int 922 secpolicy_vnode_remove(const cred_t *cr) 923 { 924 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 925 "sticky directory")); 926 } 927 928 int 929 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 930 { 931 boolean_t allzone = (owner == 0); 932 933 if (owner == cr->cr_uid) 934 return (0); 935 936 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 937 } 938 939 void 940 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 941 { 942 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 943 secpolicy_vnode_setid_retain(cr, 944 (vap->va_mode & S_ISUID) != 0 && 945 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 946 vap->va_mask |= AT_MODE; 947 vap->va_mode &= ~(S_ISUID|S_ISGID); 948 } 949 } 950 951 int 952 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 953 cred_t *cr) 954 { 955 int error; 956 957 if ((vap->va_mode & S_ISUID) != 0 && 958 (error = secpolicy_vnode_setid_modify(cr, 959 ovap->va_uid)) != 0) { 960 return (error); 961 } 962 963 /* 964 * Check privilege if attempting to set the 965 * sticky bit on a non-directory. 966 */ 967 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 968 secpolicy_vnode_stky_modify(cr) != 0) { 969 vap->va_mode &= ~S_ISVTX; 970 } 971 972 /* 973 * Check for privilege if attempting to set the 974 * group-id bit. 975 */ 976 if ((vap->va_mode & S_ISGID) != 0 && 977 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 978 vap->va_mode &= ~S_ISGID; 979 } 980 981 return (0); 982 } 983 984 #define ATTR_FLAG_PRIV(attr, value, cr) \ 985 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 986 B_FALSE, EPERM, NULL) 987 988 /* 989 * Check privileges for setting xvattr attributes 990 */ 991 int 992 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 993 { 994 xoptattr_t *xoap; 995 int error = 0; 996 997 if ((xoap = xva_getxoptattr(xvap)) == NULL) 998 return (EINVAL); 999 1000 /* 1001 * First process the DOS bits 1002 */ 1003 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1004 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1005 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1006 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1007 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1008 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1009 return (error); 1010 } 1011 1012 /* 1013 * Now handle special attributes 1014 */ 1015 1016 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1017 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1018 xoap->xoa_immutable, cr); 1019 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1020 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1021 xoap->xoa_nounlink, cr); 1022 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1023 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1024 xoap->xoa_appendonly, cr); 1025 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1026 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1027 xoap->xoa_nodump, cr); 1028 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1029 error = EPERM; 1030 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1031 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1032 xoap->xoa_av_quarantined, cr); 1033 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1034 error = EINVAL; 1035 } 1036 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1037 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1038 xoap->xoa_av_modified, cr); 1039 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1040 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1041 xoap->xoa_av_scanstamp, cr); 1042 if (error == 0 && vtype != VREG) 1043 error = EINVAL; 1044 } 1045 return (error); 1046 } 1047 1048 /* 1049 * This function checks the policy decisions surrounding the 1050 * vop setattr call. 1051 * 1052 * It should be called after sufficient locks have been established 1053 * on the underlying data structures. No concurrent modifications 1054 * should be allowed. 1055 * 1056 * The caller must pass in unlocked version of its vaccess function 1057 * this is required because vop_access function should lock the 1058 * node for reading. A three argument function should be defined 1059 * which accepts the following argument: 1060 * A pointer to the internal "node" type (inode *) 1061 * vnode access bits (VREAD|VWRITE|VEXEC) 1062 * a pointer to the credential 1063 * 1064 * This function makes the following policy decisions: 1065 * 1066 * - change permissions 1067 * - permission to change file mode if not owner 1068 * - permission to add sticky bit to non-directory 1069 * - permission to add set-gid bit 1070 * 1071 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1072 * 1073 * If the vap argument does not include AT_MODE, the mode will be copied from 1074 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1075 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1076 * is updated to the newly computed mode. 1077 */ 1078 1079 int 1080 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1081 const struct vattr *ovap, int flags, 1082 int unlocked_access(void *, int, cred_t *), 1083 void *node) 1084 { 1085 int mask = vap->va_mask; 1086 int error = 0; 1087 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1088 1089 if (mask & AT_SIZE) { 1090 if (vp->v_type == VDIR) { 1091 error = EISDIR; 1092 goto out; 1093 } 1094 1095 /* 1096 * If ATTR_NOACLCHECK is set in the flags, then we don't 1097 * perform the secondary unlocked_access() call since the 1098 * ACL (if any) is being checked there. 1099 */ 1100 if (skipaclchk == B_FALSE) { 1101 error = unlocked_access(node, VWRITE, cr); 1102 if (error) 1103 goto out; 1104 } 1105 } 1106 if (mask & AT_MODE) { 1107 /* 1108 * If not the owner of the file then check privilege 1109 * for two things: the privilege to set the mode at all 1110 * and, if we're setting setuid, we also need permissions 1111 * to add the set-uid bit, if we're not the owner. 1112 * In the specific case of creating a set-uid root 1113 * file, we need even more permissions. 1114 */ 1115 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1116 goto out; 1117 1118 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1119 ovap, cr)) != 0) 1120 goto out; 1121 } else 1122 vap->va_mode = ovap->va_mode; 1123 1124 if (mask & (AT_UID|AT_GID)) { 1125 boolean_t checkpriv = B_FALSE; 1126 int priv; 1127 boolean_t allzone = B_FALSE; 1128 1129 /* 1130 * Chowning files. 1131 * 1132 * If you are the file owner: 1133 * chown to other uid FILE_CHOWN_SELF 1134 * chown to gid (non-member) FILE_CHOWN_SELF 1135 * chown to gid (member) <none> 1136 * 1137 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1138 * acceptable but the first one is reported when debugging. 1139 * 1140 * If you are not the file owner: 1141 * chown from root PRIV_FILE_CHOWN + zone 1142 * chown from other to any PRIV_FILE_CHOWN 1143 * 1144 */ 1145 if (cr->cr_uid != ovap->va_uid) { 1146 checkpriv = B_TRUE; 1147 allzone = (ovap->va_uid == 0); 1148 priv = PRIV_FILE_CHOWN; 1149 } else { 1150 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1151 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1152 !groupmember(vap->va_gid, cr))) { 1153 checkpriv = B_TRUE; 1154 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1155 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1156 } 1157 } 1158 /* 1159 * If necessary, check privilege to see if update can be done. 1160 */ 1161 if (checkpriv && 1162 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1163 != 0) { 1164 goto out; 1165 } 1166 1167 /* 1168 * If the file has either the set UID or set GID bits 1169 * set and the caller can set the bits, then leave them. 1170 */ 1171 secpolicy_setid_clear(vap, cr); 1172 } 1173 if (mask & (AT_ATIME|AT_MTIME)) { 1174 /* 1175 * If not the file owner and not otherwise privileged, 1176 * always return an error when setting the 1177 * time other than the current (ATTR_UTIME flag set). 1178 * If setting the current time (ATTR_UTIME not set) then 1179 * unlocked_access will check permissions according to policy. 1180 */ 1181 if (cr->cr_uid != ovap->va_uid) { 1182 if (flags & ATTR_UTIME) 1183 error = secpolicy_vnode_utime_modify(cr); 1184 else if (skipaclchk == B_FALSE) { 1185 error = unlocked_access(node, VWRITE, cr); 1186 if (error == EACCES && 1187 secpolicy_vnode_utime_modify(cr) == 0) 1188 error = 0; 1189 } 1190 if (error) 1191 goto out; 1192 } 1193 } 1194 1195 /* 1196 * Check for optional attributes here by checking the following: 1197 */ 1198 if (mask & AT_XVATTR) 1199 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1200 vp->v_type); 1201 out: 1202 return (error); 1203 } 1204 1205 /* 1206 * Name: secpolicy_pcfs_modify_bootpartition() 1207 * 1208 * Normal: verify that subject can modify a pcfs boot partition. 1209 * 1210 * Output: EACCES - if privilege check failed. 1211 */ 1212 /*ARGSUSED*/ 1213 int 1214 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1215 { 1216 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1217 "modify pcfs boot partition")); 1218 } 1219 1220 /* 1221 * System V IPC routines 1222 */ 1223 int 1224 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1225 { 1226 if (crgetzoneid(cr) != ip->ipc_zoneid || 1227 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1228 boolean_t allzone = B_FALSE; 1229 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1230 allzone = B_TRUE; 1231 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1232 } 1233 return (0); 1234 } 1235 1236 int 1237 secpolicy_ipc_config(const cred_t *cr) 1238 { 1239 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1240 } 1241 1242 int 1243 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1244 { 1245 1246 boolean_t allzone = B_FALSE; 1247 1248 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1249 1250 if ((mode & MSG_R) && 1251 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1252 return (EACCES); 1253 1254 if (mode & MSG_W) { 1255 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1256 allzone = B_TRUE; 1257 1258 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1259 NULL)); 1260 } 1261 return (0); 1262 } 1263 1264 int 1265 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1266 { 1267 boolean_t allzone = B_FALSE; 1268 1269 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1270 1271 if ((mode & MSG_R) && 1272 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1273 return (EACCES); 1274 1275 if (mode & MSG_W) { 1276 if (cr->cr_uid != 0 && owner == 0) 1277 allzone = B_TRUE; 1278 1279 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1280 NULL)); 1281 } 1282 return (0); 1283 } 1284 1285 /* 1286 * Audit configuration. 1287 */ 1288 int 1289 secpolicy_audit_config(const cred_t *cr) 1290 { 1291 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1292 } 1293 1294 /* 1295 * Audit record generation. 1296 */ 1297 int 1298 secpolicy_audit_modify(const cred_t *cr) 1299 { 1300 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1301 } 1302 1303 /* 1304 * Get audit attributes. 1305 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1306 * "Least" of the two privileges on error. 1307 */ 1308 int 1309 secpolicy_audit_getattr(const cred_t *cr) 1310 { 1311 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1312 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1313 NULL)); 1314 } else { 1315 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1316 } 1317 } 1318 1319 1320 /* 1321 * Locking physical memory 1322 */ 1323 int 1324 secpolicy_lock_memory(const cred_t *cr) 1325 { 1326 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1327 } 1328 1329 /* 1330 * Accounting (both acct(2) and exacct). 1331 */ 1332 int 1333 secpolicy_acct(const cred_t *cr) 1334 { 1335 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1336 } 1337 1338 /* 1339 * Is this process privileged to change its uids at will? 1340 * Uid 0 is still considered "special" and having the SETID 1341 * privilege is not sufficient to get uid 0. 1342 * Files are owned by root, so the privilege would give 1343 * full access and euid 0 is still effective. 1344 * 1345 * If you have the privilege and euid 0 only then do you 1346 * get the powers of root wrt uid 0. 1347 * 1348 * For gid manipulations, this is should be called with an 1349 * uid of -1. 1350 * 1351 */ 1352 int 1353 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1354 { 1355 boolean_t allzone = B_FALSE; 1356 1357 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1358 cr->cr_ruid != 0) { 1359 allzone = B_TRUE; 1360 } 1361 1362 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1363 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1364 } 1365 1366 1367 /* 1368 * Acting on a different process: if the mode is for writing, 1369 * the restrictions are more severe. This is called after 1370 * we've verified that the uids do not match. 1371 */ 1372 int 1373 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1374 { 1375 boolean_t allzone = B_FALSE; 1376 1377 if ((mode & VWRITE) && scr->cr_uid != 0 && 1378 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1379 allzone = B_TRUE; 1380 1381 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1382 } 1383 1384 int 1385 secpolicy_proc_access(const cred_t *scr) 1386 { 1387 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1388 } 1389 1390 int 1391 secpolicy_proc_excl_open(const cred_t *scr) 1392 { 1393 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1394 } 1395 1396 int 1397 secpolicy_proc_zone(const cred_t *scr) 1398 { 1399 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1400 } 1401 1402 /* 1403 * Destroying the system 1404 */ 1405 1406 int 1407 secpolicy_kmdb(const cred_t *scr) 1408 { 1409 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1410 } 1411 1412 int 1413 secpolicy_error_inject(const cred_t *scr) 1414 { 1415 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1416 } 1417 1418 /* 1419 * Processor sets, cpu configuration, resource pools. 1420 */ 1421 int 1422 secpolicy_pset(const cred_t *cr) 1423 { 1424 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1425 } 1426 1427 int 1428 secpolicy_ponline(const cred_t *cr) 1429 { 1430 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1431 } 1432 1433 int 1434 secpolicy_pool(const cred_t *cr) 1435 { 1436 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1437 } 1438 1439 int 1440 secpolicy_blacklist(const cred_t *cr) 1441 { 1442 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1443 } 1444 1445 /* 1446 * Catch all system configuration. 1447 */ 1448 int 1449 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1450 { 1451 if (checkonly) { 1452 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1453 EPERM); 1454 } else { 1455 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1456 } 1457 } 1458 1459 /* 1460 * Zone administration (halt, reboot, etc.) from within zone. 1461 */ 1462 int 1463 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1464 { 1465 if (checkonly) { 1466 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1467 EPERM); 1468 } else { 1469 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1470 NULL)); 1471 } 1472 } 1473 1474 /* 1475 * Zone configuration (create, halt, enter). 1476 */ 1477 int 1478 secpolicy_zone_config(const cred_t *cr) 1479 { 1480 /* 1481 * Require all privileges to avoid possibility of privilege 1482 * escalation. 1483 */ 1484 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1485 } 1486 1487 /* 1488 * Various other system configuration calls 1489 */ 1490 int 1491 secpolicy_coreadm(const cred_t *cr) 1492 { 1493 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1494 } 1495 1496 int 1497 secpolicy_systeminfo(const cred_t *cr) 1498 { 1499 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1500 } 1501 1502 int 1503 secpolicy_dispadm(const cred_t *cr) 1504 { 1505 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1506 } 1507 1508 int 1509 secpolicy_settime(const cred_t *cr) 1510 { 1511 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1512 } 1513 1514 /* 1515 * For realtime users: high resolution clock. 1516 */ 1517 int 1518 secpolicy_clock_highres(const cred_t *cr) 1519 { 1520 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1521 NULL)); 1522 } 1523 1524 /* 1525 * drv_priv() is documented as callable from interrupt context, not that 1526 * anyone ever does, but still. No debugging or auditing can be done when 1527 * it is called from interrupt context. 1528 * returns 0 on succes, EPERM on failure. 1529 */ 1530 int 1531 drv_priv(cred_t *cr) 1532 { 1533 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1534 } 1535 1536 int 1537 secpolicy_sys_devices(const cred_t *cr) 1538 { 1539 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1540 } 1541 1542 int 1543 secpolicy_excl_open(const cred_t *cr) 1544 { 1545 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1546 } 1547 1548 int 1549 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1550 { 1551 /* zone.* rctls can only be set from the global zone */ 1552 if (is_zone_rctl && priv_policy_global(cr) != 0) 1553 return (EPERM); 1554 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1555 } 1556 1557 int 1558 secpolicy_resource(const cred_t *cr) 1559 { 1560 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1561 } 1562 1563 /* 1564 * Processes with a real uid of 0 escape any form of accounting, much 1565 * like before. 1566 */ 1567 int 1568 secpolicy_newproc(const cred_t *cr) 1569 { 1570 if (cr->cr_ruid == 0) 1571 return (0); 1572 1573 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1574 } 1575 1576 /* 1577 * Networking 1578 */ 1579 int 1580 secpolicy_net_rawaccess(const cred_t *cr) 1581 { 1582 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1583 } 1584 1585 /* 1586 * Need this privilege for accessing the ICMP device 1587 */ 1588 int 1589 secpolicy_net_icmpaccess(const cred_t *cr) 1590 { 1591 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1592 } 1593 1594 /* 1595 * There are a few rare cases where the kernel generates ioctls() from 1596 * interrupt context with a credential of kcred rather than NULL. 1597 * In those cases, we take the safe and cheap test. 1598 */ 1599 int 1600 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1601 { 1602 if (checkonly) { 1603 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1604 0 : EPERM); 1605 } else { 1606 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1607 NULL)); 1608 } 1609 } 1610 1611 1612 /* 1613 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1614 * 1615 * There are a few rare cases where the kernel generates ioctls() from 1616 * interrupt context with a credential of kcred rather than NULL. 1617 * In those cases, we take the safe and cheap test. 1618 */ 1619 int 1620 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1621 { 1622 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1623 return (secpolicy_net_config(cr, checkonly)); 1624 1625 if (checkonly) { 1626 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1627 0 : EPERM); 1628 } else { 1629 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1630 NULL)); 1631 } 1632 } 1633 1634 1635 /* 1636 * Map IP pseudo privileges to actual privileges. 1637 * So we don't need to recompile IP when we change the privileges. 1638 */ 1639 int 1640 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1641 { 1642 int priv = PRIV_ALL; 1643 1644 switch (netpriv) { 1645 case OP_CONFIG: 1646 priv = PRIV_SYS_IP_CONFIG; 1647 break; 1648 case OP_RAW: 1649 priv = PRIV_NET_RAWACCESS; 1650 break; 1651 case OP_PRIVPORT: 1652 priv = PRIV_NET_PRIVADDR; 1653 break; 1654 } 1655 ASSERT(priv != PRIV_ALL); 1656 if (checkonly) 1657 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1658 else 1659 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1660 } 1661 1662 /* 1663 * Map network pseudo privileges to actual privileges. 1664 * So we don't need to recompile IP when we change the privileges. 1665 */ 1666 int 1667 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1668 { 1669 int priv = PRIV_ALL; 1670 1671 switch (netpriv) { 1672 case OP_CONFIG: 1673 priv = PRIV_SYS_NET_CONFIG; 1674 break; 1675 case OP_RAW: 1676 priv = PRIV_NET_RAWACCESS; 1677 break; 1678 case OP_PRIVPORT: 1679 priv = PRIV_NET_PRIVADDR; 1680 break; 1681 } 1682 ASSERT(priv != PRIV_ALL); 1683 if (checkonly) 1684 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1685 else 1686 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1687 } 1688 1689 /* 1690 * Checks for operations that are either client-only or are used by 1691 * both clients and servers. 1692 */ 1693 int 1694 secpolicy_nfs(const cred_t *cr) 1695 { 1696 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1697 } 1698 1699 /* 1700 * Special case for opening rpcmod: have NFS privileges or network 1701 * config privileges. 1702 */ 1703 int 1704 secpolicy_rpcmod_open(const cred_t *cr) 1705 { 1706 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1707 return (secpolicy_nfs(cr)); 1708 else 1709 return (secpolicy_net_config(cr, NULL)); 1710 } 1711 1712 int 1713 secpolicy_chroot(const cred_t *cr) 1714 { 1715 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1716 } 1717 1718 int 1719 secpolicy_tasksys(const cred_t *cr) 1720 { 1721 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1722 } 1723 1724 /* 1725 * Basic privilege checks. 1726 */ 1727 int 1728 secpolicy_basic_exec(const cred_t *cr) 1729 { 1730 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1731 } 1732 1733 int 1734 secpolicy_basic_fork(const cred_t *cr) 1735 { 1736 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1737 } 1738 1739 int 1740 secpolicy_basic_proc(const cred_t *cr) 1741 { 1742 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1743 } 1744 1745 /* 1746 * Slightly complicated because we don't want to trigger the policy too 1747 * often. First we shortcircuit access to "self" (tp == sp) or if 1748 * we don't have the privilege but if we have permission 1749 * just return (0) and we don't flag the privilege as needed. 1750 * Else, we test for the privilege because we either have it or need it. 1751 */ 1752 int 1753 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1754 { 1755 if (tp == sp || 1756 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1757 return (0); 1758 } else { 1759 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1760 } 1761 } 1762 1763 int 1764 secpolicy_basic_link(const cred_t *cr) 1765 { 1766 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1767 } 1768 1769 /* 1770 * Additional device protection. 1771 * 1772 * Traditionally, a device has specific permissions on the node in 1773 * the filesystem which govern which devices can be opened by what 1774 * processes. In certain cases, it is desirable to add extra 1775 * restrictions, as writing to certain devices is identical to 1776 * having a complete run of the system. 1777 * 1778 * This mechanism is called the device policy. 1779 * 1780 * When a device is opened, its policy entry is looked up in the 1781 * policy cache and checked. 1782 */ 1783 int 1784 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1785 { 1786 devplcy_t *plcy; 1787 int err; 1788 struct snode *csp = VTOS(common_specvp(vp)); 1789 priv_set_t pset; 1790 1791 mutex_enter(&csp->s_lock); 1792 1793 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1794 plcy = devpolicy_find(vp); 1795 if (csp->s_plcy) 1796 dpfree(csp->s_plcy); 1797 csp->s_plcy = plcy; 1798 ASSERT(plcy != NULL); 1799 } else 1800 plcy = csp->s_plcy; 1801 1802 if (plcy == nullpolicy) { 1803 mutex_exit(&csp->s_lock); 1804 return (0); 1805 } 1806 1807 dphold(plcy); 1808 1809 mutex_exit(&csp->s_lock); 1810 1811 if (oflag & FWRITE) 1812 pset = plcy->dp_wrp; 1813 else 1814 pset = plcy->dp_rdp; 1815 /* 1816 * Special case: 1817 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1818 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1819 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1820 * in the required privilege set before doing the check. 1821 */ 1822 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1823 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1824 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1825 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1826 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1827 } 1828 1829 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1830 dpfree(plcy); 1831 1832 return (err); 1833 } 1834 1835 int 1836 secpolicy_modctl(const cred_t *cr, int cmd) 1837 { 1838 switch (cmd) { 1839 case MODINFO: 1840 case MODGETMAJBIND: 1841 case MODGETPATH: 1842 case MODGETPATHLEN: 1843 case MODGETNAME: 1844 case MODGETFBNAME: 1845 case MODGETDEVPOLICY: 1846 case MODGETDEVPOLICYBYNAME: 1847 case MODDEVT2INSTANCE: 1848 case MODSIZEOF_DEVID: 1849 case MODGETDEVID: 1850 case MODSIZEOF_MINORNAME: 1851 case MODGETMINORNAME: 1852 case MODGETDEVFSPATH_LEN: 1853 case MODGETDEVFSPATH: 1854 case MODGETDEVFSPATH_MI_LEN: 1855 case MODGETDEVFSPATH_MI: 1856 /* Unprivileged */ 1857 return (0); 1858 case MODLOAD: 1859 case MODSETDEVPOLICY: 1860 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1861 default: 1862 return (secpolicy_sys_config(cr, B_FALSE)); 1863 } 1864 } 1865 1866 int 1867 secpolicy_console(const cred_t *cr) 1868 { 1869 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1870 } 1871 1872 int 1873 secpolicy_power_mgmt(const cred_t *cr) 1874 { 1875 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1876 } 1877 1878 /* 1879 * Simulate terminal input; another escalation of privileges avenue. 1880 */ 1881 1882 int 1883 secpolicy_sti(const cred_t *cr) 1884 { 1885 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1886 } 1887 1888 boolean_t 1889 secpolicy_net_reply_equal(const cred_t *cr) 1890 { 1891 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1892 } 1893 1894 int 1895 secpolicy_swapctl(const cred_t *cr) 1896 { 1897 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1898 } 1899 1900 int 1901 secpolicy_cpc_cpu(const cred_t *cr) 1902 { 1903 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1904 } 1905 1906 /* 1907 * secpolicy_contract_identity 1908 * 1909 * Determine if the subject may set the process contract FMRI value 1910 */ 1911 int 1912 secpolicy_contract_identity(const cred_t *cr) 1913 { 1914 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 1915 } 1916 1917 /* 1918 * secpolicy_contract_observer 1919 * 1920 * Determine if the subject may observe a specific contract's events. 1921 */ 1922 int 1923 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1924 { 1925 if (contract_owned(ct, cr, B_FALSE)) 1926 return (0); 1927 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1928 } 1929 1930 /* 1931 * secpolicy_contract_observer_choice 1932 * 1933 * Determine if the subject may observe any contract's events. Just 1934 * tests privilege and audits on success. 1935 */ 1936 boolean_t 1937 secpolicy_contract_observer_choice(const cred_t *cr) 1938 { 1939 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1940 } 1941 1942 /* 1943 * secpolicy_contract_event 1944 * 1945 * Determine if the subject may request critical contract events or 1946 * reliable contract event delivery. 1947 */ 1948 int 1949 secpolicy_contract_event(const cred_t *cr) 1950 { 1951 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1952 } 1953 1954 /* 1955 * secpolicy_contract_event_choice 1956 * 1957 * Determine if the subject may retain contract events in its critical 1958 * set when a change in other terms would normally require a change in 1959 * the critical set. Just tests privilege and audits on success. 1960 */ 1961 boolean_t 1962 secpolicy_contract_event_choice(const cred_t *cr) 1963 { 1964 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1965 } 1966 1967 /* 1968 * secpolicy_gart_access 1969 * 1970 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 1971 * device. 1972 */ 1973 int 1974 secpolicy_gart_access(const cred_t *cr) 1975 { 1976 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 1977 } 1978 1979 /* 1980 * secpolicy_gart_map 1981 * 1982 * Determine if the subject has sufficient priveleges to map aperture range 1983 * through agpgart driver. 1984 */ 1985 int 1986 secpolicy_gart_map(const cred_t *cr) 1987 { 1988 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 1989 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 1990 NULL)); 1991 } else { 1992 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 1993 NULL)); 1994 } 1995 } 1996 1997 /* 1998 * secpolicy_zinject 1999 * 2000 * Determine if the subject can inject faults in the ZFS fault injection 2001 * framework. Requires all privileges. 2002 */ 2003 int 2004 secpolicy_zinject(const cred_t *cr) 2005 { 2006 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2007 } 2008 2009 /* 2010 * secpolicy_zfs 2011 * 2012 * Determine if the subject has permission to manipulate ZFS datasets 2013 * (not pools). Equivalent to the SYS_MOUNT privilege. 2014 */ 2015 int 2016 secpolicy_zfs(const cred_t *cr) 2017 { 2018 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2019 } 2020 2021 /* 2022 * secpolicy_idmap 2023 * 2024 * Determine if the calling process has permissions to register an SID 2025 * mapping daemon and allocate ephemeral IDs. 2026 */ 2027 int 2028 secpolicy_idmap(const cred_t *cr) 2029 { 2030 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2031 } 2032 2033 /* 2034 * secpolicy_ucode_update 2035 * 2036 * Determine if the subject has sufficient privilege to update microcode. 2037 */ 2038 int 2039 secpolicy_ucode_update(const cred_t *scr) 2040 { 2041 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2042 } 2043 2044 /* 2045 * secpolicy_sadopen 2046 * 2047 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2048 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2049 * In global zone, sys_config is required. 2050 * In exclusive-IP zones, sys_ip_config is required. 2051 * Note that sys_config is prohibited in non-global zones. 2052 */ 2053 int 2054 secpolicy_sadopen(const cred_t *credp) 2055 { 2056 priv_set_t pset; 2057 2058 priv_emptyset(&pset); 2059 2060 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2061 priv_addset(&pset, PRIV_SYS_CONFIG); 2062 else 2063 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2064 2065 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2066 } 2067 2068 /* 2069 * secpolicy_smb 2070 * 2071 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2072 * that it has permission to access the smbsrv kernel driver. 2073 * PRIV_POLICY checks the privilege and audits the check. 2074 * 2075 * Returns: 2076 * 0 Driver access is allowed. 2077 * EPERM Driver access is NOT permitted. 2078 */ 2079 int 2080 secpolicy_smb(const cred_t *cr) 2081 { 2082 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2083 } 2084 2085 /* 2086 * secpolicy_vscan 2087 * 2088 * Determine if cred_t has the necessary privileges to access a file 2089 * for virus scanning and update its extended system attributes. 2090 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2091 * PRIV_FILE_FLAG_SET - set extended system attributes 2092 * 2093 * PRIV_POLICY checks the privilege and audits the check. 2094 * 2095 * Returns: 2096 * 0 file access for virus scanning allowed. 2097 * EPERM file access for virus scanning is NOT permitted. 2098 */ 2099 int 2100 secpolicy_vscan(const cred_t *cr) 2101 { 2102 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2103 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2104 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2105 return (EPERM); 2106 } 2107 2108 return (0); 2109 } 2110 2111 /* 2112 * secpolicy_smbfs_login 2113 * 2114 * Determines if the caller can add and delete the smbfs login 2115 * password in the the nsmb kernel module for the CIFS client. 2116 * 2117 * Returns: 2118 * 0 access is allowed. 2119 * EPERM access is NOT allowed. 2120 */ 2121 int 2122 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2123 { 2124 uid_t cruid = crgetruid(cr); 2125 2126 if (cruid == uid) 2127 return (0); 2128 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2129 EPERM, NULL)); 2130 } 2131