#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2015, Joyent, Inc. All rights reserved.
#
#
# Privilege name explanation file
# The format of entries is a privilege name starting at the
# beginning of a line directly followed by a new line followed
# by several lines of text starting with white space terminated
# by a line with a single newline or not starting with white space
#

contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.

contract_identity
	Allows a process to set the service FMRI value of a process
	contract template.

contract_observer
	Allows a process to observe contract events generated by
	contracts created and owned by users other than the process's
	effective user ID.
	Allows a process to open contract event endpoints belonging to
	contracts created and owned by users other than the process's
	effective user ID.

cpc_cpu
	Allows a process to access per-CPU hardware performance counters.

dtrace_kernel
	Allows DTrace kernel-level tracing.

dtrace_proc
	Allows DTrace process-level tracing.
	Allows process-level tracing probes to be placed and enabled in
	processes to which the user has permissions.

dtrace_user
	Allows DTrace user-level tracing.
	Allows use of the syscall and profile DTrace providers to
	examine processes to which the user has permissions.

file_chown
	Allows a process to change a file's owner user ID.
	Allows a process to change a file's group ID to one other than
	the process' effective group ID or one of the process'
	supplemental group IDs.

file_chown_self
	Allows a process to give away its files; a process with this
	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
	in effect.

file_dac_execute
	Allows a process to execute an executable file whose permission
	bits or ACL do not allow the process execute permission.

file_dac_read
	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.

file_dac_search
	Allows a process to search a directory whose permission bits or
	ACL do not allow the process search permission.

file_dac_write
	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

file_downgrade_sl
	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that does not dominate the
	existing sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

file_flag_set
	Allows a process to set immutable, nounlink or appendonly
	file attributes.

file_link_any
	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.

file_owner
	Allows a process which is not the owner of a file or directory
	to perform the following operations that are normally permitted
	only for the file owner: modify that file's access and
	modification times; remove or rename a file or directory whose
	parent directory has the ``save text image after execution''
	(sticky) bit set; mount a ``namefs'' upon a file; modify
	permission bits or ACL except for the set-uid and set-gid
	bits.

file_read
	Allows a process to read objects in the filesystem.

file_setid
	Allows a process to change the ownership of a file or write to
	a file without the set-user-ID and set-group-ID bits being
	cleared.
	Allows a process to set the set-group-ID bit on a file or
	directory whose group is not the process' effective group or
	one of the process' supplemental groups.
	Allows a process to set the set-user-ID bit on a file with
	different ownership in the presence of PRIV_FILE_OWNER.
	Additional restrictions apply when creating or modifying a
	set-uid 0 file.

file_upgrade_sl
	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

file_write
	Allows a process to modify objects in the filesystem.

graphics_access
	Allows a process to make privileged ioctls to graphics devices.
	Typically only the xserver process needs to have this privilege.
	A process with this privilege is also allowed to perform
	privileged graphics device mappings.

graphics_map
	Allows a process to perform privileged mappings through a
	graphics device.

ipc_dac_read
	Allows a process to read a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process read permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process read permission.

ipc_dac_write
	Allows a process to write a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process write permission.
	Allows a process to write remote shared memory whose
	permission bits do not allow the process write permission.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

ipc_owner
	Allows a process which is not the owner of a System
	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
	remove, change ownership of, or change permission bits of the
	Message Queue, Semaphore Set, or Shared Memory Segment.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

net_access
	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.

net_bindmlp
	Allows a process to bind to a port that is configured as a
	multi-level port (MLP) for the process's zone. This privilege
	applies to both shared address and zone-specific address MLPs.
	See tnzonecfg(4) from the Trusted Extensions manual pages for
	information on configuring MLP ports.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

net_icmpaccess
	Allows a process to send and receive ICMP packets.

net_mac_aware
	Allows a process to set the NET_MAC_AWARE process flag by using
	setpflags(2). This privilege also allows a process to set the
	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
	option both allow a local process to communicate with an
	unlabeled peer if the local process' label dominates the
	peer's default label, or if the local process runs in the
	global zone.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

net_mac_implicit
	Allows a process to set the SO_MAC_IMPLICIT option by using
	setsockopt(3SOCKET). This allows a privileged process to
	transmit implicitly-labeled packets to a peer.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

net_observability
	Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
	without requiring PRIV_NET_RAWACCESS.

net_privaddr
	Allows a process to bind to a privileged port
	number. The privileged port numbers are 1-1023 (the traditional
	UNIX privileged ports) as well as those ports marked as
	"udp/tcp_extra_priv_ports" with the exception of the ports
	reserved for use by NFS.

net_rawaccess
	Allows a process to have direct access to the network layer.

proc_audit
	Allows a process to generate audit records.
	Allows a process to get its own audit pre-selection information.

proc_chroot
	Allows a process to change its root directory.

proc_clock_highres
	Allows a process to use high resolution timers.

proc_exec
	Allows a process to call execve().

proc_fork
	Allows a process to call fork1()/forkall()/vfork().

proc_info
	Allows a process to examine the status of processes other
	than those it can send signals to. Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.

proc_lock_memory
	Allows a process to lock pages in physical memory.

proc_meminfo
	Allows a process to access physical memory information.

proc_owner
	Allows a process to send signals to other processes, and to inspect
	and modify the process state of other processes regardless of
	ownership. When modifying another process, additional
	restrictions apply: the effective privilege set of the
	attaching process must be a superset of the target process'
	effective, permitted and inheritable sets; the limit set must
	be a superset of the target's limit set; if the target process
	has any uid set to 0 all privileges must be asserted unless the
	effective uid is 0.
	Allows a process to bind arbitrary processes to CPUs.

proc_prioup
	Allows a process to elevate its priority above its current level.

proc_priocntl
	Allows all that PRIV_PROC_PRIOUP allows.
	Allows a process to change its scheduling class to any scheduling class,
	including the RT class.

proc_session
	Allows a process to send signals or trace processes outside its
	session.

proc_setid
	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

proc_taskid
	Allows a process to assign a new task ID to the calling process.

proc_zone
	Allows a process to trace or send signals to processes in
	other zones.

sys_acct
	Allows a process to enable, disable and manage accounting through
	acct(2), getacct(2), putacct(2) and wracct(2).

sys_admin
	Allows a process to perform system administration tasks such
	as setting node and domain name and specifying nscd and coreadm
	settings.

sys_audit
	Allows a process to start the (kernel) audit daemon.
	Allows a process to view and set audit state (audit user ID,
	audit terminal ID, audit session ID, audit pre-selection mask).
	Allows a process to turn off and on auditing.
	Allows a process to configure the audit parameters (cache and
	queue sizes, event to class mappings, policy options).

sys_config
	Allows a process to perform various system configuration tasks.
	Allows a process to add and remove swap devices; when adding a swap
	device, a process must also have sufficient privileges to read from
	and write to the swap device.

sys_devices
	Allows a process to successfully call a kernel module that
	calls the kernel drv_priv(9F) function to check for allowed
	access.
	Allows a process to open the real console device directly.
	Allows a process to open devices that have been exclusively opened.

sys_ipc_config
	Allows a process to increase the size of a System V IPC Message
	Queue buffer.

sys_linkdir
	Allows a process to unlink and link directories.

sys_mount
	Allows filesystem specific administrative procedures, such as
	filesystem configuration ioctls, quota calls and creation/deletion
	of snapshots.
	Allows a process to mount and unmount filesystems which would
	otherwise be restricted (i.e., most filesystems except
	namefs).
	A process performing a mount operation needs to have
	appropriate access to the device being mounted (read-write for
	"rw" mounts, read for "ro" mounts).
	A process performing any of the aforementioned
	filesystem operations needs to have read/write/owner
	access to the mount point.
	Only regular files and directories can serve as mount points
	for processes which do not have all zone privileges asserted.
	Unless a process has all zone privileges, the mount(2)
	system call will force the "nosuid" and "restrict" options, the
	latter only for autofs mountpoints.
	Regardless of privileges, a process running in a non-global zone may
	only control mounts performed from within said zone.
	Outside the global zone, the "nodevices" option is always forced.

sys_iptun_config
	Allows a process to configure IP tunnel links.

sys_dl_config
	Allows a process to configure all classes of datalinks, including
	configuration allowed by PRIV_SYS_IPTUN_CONFIG.

sys_ip_config
	Allows a process to configure a system's IP interfaces and routes.
	Allows a process to configure network parameters using ndd.
	Allows a process access to otherwise restricted information using ndd.
	Allows a process to configure IPsec.
	Allows a process to pop anchored STREAMs modules with matching zoneid.

sys_net_config
	Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
	PRIV_SYS_PPP_CONFIG allow.
	Allows a process to push the rpcmod STREAMs module.
	Allows a process to INSERT/REMOVE STREAMs modules on locations other
	than the top of the module stack.

sys_nfs
	Allows a process to perform Sun private NFS specific system calls.
	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
	and port 4045 (lockd).

sys_ppp_config
	Allows a process to create and destroy PPP (sppp) interfaces.
	Allows a process to configure PPP tunnels (sppptun).

sys_res_bind
	Allows a process to bind processes to processor sets.

sys_res_config
	Allows all that PRIV_SYS_RES_BIND allows.
	Allows a process to create and delete processor sets, assign
	CPUs to processor sets and override the PSET_NOESCAPE property.
	Allows a process to change the operational status of CPUs in
	the system using p_online(2).
	Allows a process to configure resource pools and to bind
	processes to pools.

sys_resource
	Allows a process to modify the resource limits specified
	by setrlimit(2) and setrctl(2) without restriction.
	Allows a process to exceed the per-user maximum number of
	processes.
	Allows a process to extend or create files on a filesystem that
	has less than minfree space in reserve.

sys_smb
	Allows a process to access the Sun private SMB kernel module.
	Allows a process to bind to ports reserved by NetBIOS and SMB:
	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

sys_suser_compat
	Allows a process to successfully call a third party loadable module
	that calls the kernel suser() function to check for allowed access.
	This privilege exists only for third party loadable module
	compatibility and is not used by Solaris proper.

sys_time
	Allows a process to manipulate system time using any of the
	appropriate system calls: stime, adjtime, ntp_adjtime and
	the IA specific RTC calls.

sys_trans_label
	Allows a process to translate labels that are not dominated
	by the process' sensitivity label to and from an external
	string form.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

virt_manage
	Allows a process to manage virtualized environments such as
	xVM(5).

win_colormap
	Allows a process to override colormap restrictions.
	Allows a process to install or remove colormaps.
	Allows a process to retrieve colormap cell entries allocated
	by other processes.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_config
	Allows a process to configure or destroy resources that are
	permanently retained by the X server.
	Allows a process to use SetScreenSaver to set the screen
	saver timeout value.
	Allows a process to use ChangeHosts to modify the display
	access control list.
	Allows a process to use GrabServer.
	Allows a process to use the SetCloseDownMode request which
	may retain window, pixmap, colormap, property, cursor, font,
	or graphic context resources.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_dac_read
	Allows a process to read from a window resource that it does
	not own (has a different user ID).
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_dac_write
	Allows a process to write to or create a window resource that
	it does not own (has a different user ID). A newly created
	window property is created with the window's user ID.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_devices
	Allows a process to perform operations on window input devices.
	Allows a process to get and set keyboard and pointer controls.
	Allows a process to modify pointer button and key mappings.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_dga
	Allows a process to use the direct graphics access (DGA) X protocol
	extensions. Direct process access to the frame buffer is still
	required. Thus the process must have MAC and DAC privileges that
	allow access to the frame buffer, or the frame buffer must be
	allocated to the process.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_downgrade_sl
	Allows a process to set the sensitivity label of a window resource
	to a sensitivity label that does not dominate the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_fontpath
	Allows a process to set a font path.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_mac_read
	Allows a process to read from a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_mac_write
	Allows a process to create a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	A newly created window property is created with the window's
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_selection
	Allows a process to request inter-window data moves without the
	intervention of the selection confirmer.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

win_upgrade_sl
	Allows a process to set the sensitivity label of a window
	resource to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

xvm_control
	Allows a process access to the xVM(5) control devices for
	managing guest domains and the hypervisor. This privilege is
	used only if booted into xVM on x86 platforms.

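The entry format described in the header (a privilege name at the start of a line, followed by whitespace-indented text, terminated by a blank line or the next name) is simple enough to check mechanically. The following Python parser is an added example and is not part of this file or of the illumos source. It reads the entries, rejects description text that is not preceded by a privilege name, and derives two facts that matter when auditing a process's privilege set: which privileges are interpreted only under Trusted Extensions, and which privileges are supersets of others (the entries phrased "Allows all that PRIV_X allows"). The SAMPLE string embedded in it is a constructed excerpt of this file; the function, class and regular-expression names are the example's own.

```python
"""Parser for the privilege explanation file format described in the file
header.  Added example, not part of the original file or of illumos: it
collects each entry's text and derives which privileges are interpreted
only under Trusted Extensions and which are supersets of other privileges
("Allows all that PRIV_X allows")."""
import re
from dataclasses import dataclass

# Constructed sample in the file's own format: three entries copied from
# the file, with the comment header shortened.  Description lines use tabs.
SAMPLE = """\
#
# Privilege name explanation file
#

file_dac_read
\tAllows a process to read a file or directory whose permission
\tbits or ACL do not allow the process read permission.

file_downgrade_sl
\tAllows a process to set the sensitivity label of a file or
\tdirectory to a sensitivity label that does not dominate the
\texisting sensitivity label.
\tThis privilege is interpreted only if the system is configured
\twith Trusted Extensions.

sys_net_config
\tAllows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
\tPRIV_SYS_PPP_CONFIG allow.
\tAllows a process to push the rpcmod STREAMs module.
"""

NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")
# Only "Allows all that PRIV_A, PRIV_B allow(s)." states a superset relation;
# other PRIV_* mentions ("in the presence of PRIV_FILE_OWNER") are conditions.
SUPERSET_RE = re.compile(r"Allows all that (.+?) allows?\.")
PRIV_TOKEN_RE = re.compile(r"PRIV_([A-Z0-9_]+)")
TX_MARKER = "interpreted only if the system is configured with Trusted Extensions"


@dataclass
class PrivEntry:
    name: str
    lines: list            # description lines, leading whitespace stripped

    @property
    def text(self) -> str:
        return " ".join(self.lines)

    @property
    def trusted_extensions_only(self) -> bool:
        return TX_MARKER in self.text

    @property
    def implies(self) -> list:
        found = []
        for m in SUPERSET_RE.finditer(self.text):
            found.extend(t.lower() for t in PRIV_TOKEN_RE.findall(m.group(1)))
        return found


def parse_priv_names(text: str) -> dict:
    """Parse into {name: PrivEntry}; raise ValueError on a format violation."""
    entries, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):   # blank line or comment ends an entry
            current = None
        elif line[0] in " \t":                 # description line needs an open entry
            if current is None:
                raise ValueError(f"line {lineno}: description text without a privilege name")
            current.lines.append(line.strip())
        else:                                  # a name at column 0 opens an entry
            if not NAME_RE.match(line):
                raise ValueError(f"line {lineno}: malformed privilege name {line!r}")
            if line in entries:
                raise ValueError(f"line {lineno}: duplicate privilege {line}")
            current = entries[line] = PrivEntry(line, [])
    return entries


def format_errors(text: str) -> list:
    """Non-raising variant for a lint step: [] when the text is well formed."""
    try:
        parse_priv_names(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def effective_privs(entries: dict, name: str) -> set:
    """Closure over the superset relation; undefined names are kept, not expanded."""
    result, todo = set(), [name]
    while todo:
        p = todo.pop()
        if p not in result:
            result.add(p)
            todo.extend(entries[p].implies if p in entries else [])
    return result
```

Only the "Allows all that ... allow(s)" wording is treated as an implication. Entries worded differently, such as sys_dl_config's "including configuration allowed by PRIV_SYS_IPTUN_CONFIG" or file_setid's "in the presence of PRIV_FILE_OWNER", are left to a human reader, so the closure computed by effective_privs should be read as a lower bound on what a privilege grants, not as complete.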