1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2016 Joyent, Inc.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
26
27#include <sys/types.h>
28#include <sys/sysmacros.h>
29#include <sys/param.h>
30#include <sys/systm.h>
31#include <sys/cred_impl.h>
32#include <sys/vnode.h>
33#include <sys/vfs.h>
34#include <sys/stat.h>
35#include <sys/errno.h>
36#include <sys/kmem.h>
37#include <sys/user.h>
38#include <sys/proc.h>
39#include <sys/acct.h>
40#include <sys/ipc_impl.h>
41#include <sys/cmn_err.h>
42#include <sys/debug.h>
43#include <sys/policy.h>
44#include <sys/kobj.h>
45#include <sys/msg.h>
46#include <sys/devpolicy.h>
47#include <c2/audit.h>
48#include <sys/varargs.h>
49#include <sys/klpd.h>
50#include <sys/modctl.h>
51#include <sys/disp.h>
52#include <sys/zone.h>
53#include <inet/optcom.h>
54#include <sys/sdt.h>
55#include <sys/vfs.h>
56#include <sys/mntent.h>
57#include <sys/contract_impl.h>
58#include <sys/dld_ioc.h>
59
60/*
61 * There are two possible layers of privilege routines and two possible
62 * levels of secpolicy.  Plus one other we may not be interested in, so
63 * we may need as many as 6 but no more.
64 */
65#define	MAXPRIVSTACK		6
66
67int priv_debug = 0;
68int priv_basic_test = -1;
69
70/*
71 * This file contains the majority of the policy routines.
72 * Since the policy routines are defined by function and not
73 * by privilege, there is quite a bit of duplication of
74 * functions.
75 *
76 * The secpolicy functions must not make assumptions about
77 * locks held or not held as any lock can be held while they're
78 * being called.
79 *
80 * Credentials are read-only so no special precautions need to
81 * be taken while locking them.
82 *
83 * When a new policy check needs to be added to the system the
84 * following procedure should be followed:
85 *
86 *		Pick an appropriate secpolicy_*() function
87 *			-> done if one exists.
88 *		Create a new secpolicy function, preferably with
89 *		a descriptive name using the standard template.
90 *		Pick an appropriate privilege for the policy.
91 *		If no appropraite privilege exists, define new one
92 *		(this should be done with extreme care; in most cases
93 *		little is gained by adding another privilege)
94 *
95 * WHY ROOT IS STILL SPECIAL.
96 *
97 * In a number of the policy functions, there are still explicit
98 * checks for uid 0.  The rationale behind these is that many root
99 * owned files/objects hold configuration information which can give full
100 * privileges to the user once written to.  To prevent escalation
101 * of privilege by allowing just a single privilege to modify root owned
102 * objects, we've added these root specific checks where we considered
103 * them necessary: modifying root owned files, changing uids to 0, etc.
104 *
105 * PRIVILEGE ESCALATION AND ZONES.
106 *
107 * A number of operations potentially allow the caller to achieve
108 * privileges beyond the ones normally required to perform the operation.
109 * For example, if allowed to create a setuid 0 executable, a process can
110 * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
111 * restrictions on the ability to gain privileges beyond those available
112 * within the zone through file and process manipulation.  Hence, such
113 * operations require that the caller have an effective set that includes
114 * all privileges available within the current zone, or all privileges
115 * if executing in the global zone.
116 *
117 * This is indicated in the priv_policy* policy checking functions
118 * through a combination of parameters.  The "priv" parameter indicates
119 * the privilege that is required, and the "allzone" parameter indicates
120 * whether or not all privileges in the zone are required.  In addition,
121 * priv can be set to PRIV_ALL to indicate that all privileges are
122 * required (regardless of zone).  There are three scenarios of interest:
123 * (1) operation requires a specific privilege
124 * (2) operation requires a specific privilege, and requires all
125 *     privileges available within the zone (or all privileges if in
126 *     the global zone)
127 * (3) operation requires all privileges, regardless of zone
128 *
129 * For (1), priv should be set to the specific privilege, and allzone
130 * should be set to B_FALSE.
131 * For (2), priv should be set to the specific privilege, and allzone
132 * should be set to B_TRUE.
133 * For (3), priv should be set to PRIV_ALL, and allzone should be set
134 * to B_FALSE.
135 *
136 */
137
138/*
139 * The privileges are checked against the Effective set for
140 * ordinary processes and checked against the Limit set
141 * for euid 0 processes that haven't manipulated their privilege
142 * sets.
143 */
144#define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
145#define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
146#define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
147#define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
148					HAS_ALLPRIVS(cr) : \
149					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
150
151#define	FAST_BASIC_CHECK(cr, priv)	\
152	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
153		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
154		return (0); \
155	}
156
157/*
158 * Policy checking functions.
159 *
160 * All of the system's policy should be implemented here.
161 */
162
163/*
164 * Private functions which take an additional va_list argument to
165 * implement an object specific policy override.
166 */
167static int priv_policy_ap(const cred_t *, int, boolean_t, int,
168    const char *, va_list);
169static int priv_policy_va(const cred_t *, int, boolean_t, int,
170    const char *, ...);
171
172/*
173 * Generic policy calls
174 *
175 * The "bottom" functions of policy control
176 */
177static char *
178mprintf(const char *fmt, ...)
179{
180	va_list args;
181	char *buf;
182	size_t len;
183
184	va_start(args, fmt);
185	len = vsnprintf(NULL, 0, fmt, args) + 1;
186	va_end(args);
187
188	buf = kmem_alloc(len, KM_NOSLEEP);
189
190	if (buf == NULL)
191		return (NULL);
192
193	va_start(args, fmt);
194	(void) vsnprintf(buf, len, fmt, args);
195	va_end(args);
196
197	return (buf);
198}
199
200/*
201 * priv_policy_errmsg()
202 *
203 * Generate an error message if privilege debugging is enabled system wide
204 * or for this particular process.
205 */
206
207#define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
208#define	FMTMSG	" for \"%s\""
209#define	FMTFUN	" needed at %s+0x%lx"
210
211/* The maximum size privilege format: the concatenation of the above */
212#define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
213
214static void
215priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
216{
217	struct proc *me;
218	pc_t stack[MAXPRIVSTACK];
219	int depth;
220	int i;
221	char *sym;
222	ulong_t off;
223	const char *pname;
224
225	char *cmd;
226	char fmt[sizeof (FMTMAX)];
227
228	if ((me = curproc) == &p0)
229		return;
230
231	/* Privileges must be defined  */
232	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
233	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
234	    priv_getbynum(priv) != NULL);
235
236	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
237		priv = PRIV_ALL;
238
239	if (curthread->t_pre_sys)
240		ttolwp(curthread)->lwp_badpriv = (short)priv;
241
242	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
243		return;
244
245	(void) strcpy(fmt, FMTHDR);
246
247	if (me->p_user.u_comm[0])
248		cmd = &me->p_user.u_comm[0];
249	else
250		cmd = "priv_policy";
251
252	if (msg != NULL && *msg != '\0') {
253		(void) strcat(fmt, FMTMSG);
254	} else {
255		(void) strcat(fmt, "%s");
256		msg = "";
257	}
258
259	sym = NULL;
260
261	depth = getpcstack(stack, MAXPRIVSTACK);
262
263	/*
264	 * Try to find the first interesting function on the stack.
265	 * priv_policy* that's us, so completely uninteresting.
266	 * suser(), drv_priv(), secpolicy_* are also called from
267	 * too many locations to convey useful information.
268	 */
269	for (i = 0; i < depth; i++) {
270		sym = kobj_getsymname((uintptr_t)stack[i], &off);
271		if (sym != NULL &&
272		    strstr(sym, "hasprocperm") == 0 &&
273		    strcmp("suser", sym) != 0 &&
274		    strcmp("ipcaccess", sym) != 0 &&
275		    strcmp("drv_priv", sym) != 0 &&
276		    strncmp("secpolicy_", sym, 10) != 0 &&
277		    strncmp("priv_policy", sym, 11) != 0)
278			break;
279	}
280
281	if (sym != NULL)
282		(void) strcat(fmt, FMTFUN);
283
284	(void) strcat(fmt, "\n");
285
286	switch (priv) {
287	case PRIV_ALL:
288		pname = "ALL";
289		break;
290	case PRIV_MULTIPLE:
291		pname = "MULTIPLE";
292		break;
293	case PRIV_ALLZONE:
294		pname = "ZONE";
295		break;
296	case PRIV_GLOBAL:
297		pname = "GLOBAL";
298		break;
299	default:
300		pname = priv_getbynum(priv);
301		break;
302	}
303
304	if (CR_FLAGS(cr) & PRIV_DEBUG) {
305		/* Remember last message, just like lwp_badpriv. */
306		if (curthread->t_pdmsg != NULL) {
307			kmem_free(curthread->t_pdmsg,
308			    strlen(curthread->t_pdmsg) + 1);
309		}
310
311		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
312		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
313
314		curthread->t_post_sys = 1;
315	}
316	if (priv_debug) {
317		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
318		    curthread->t_sysnum, msg, sym, off);
319	}
320}
321
322/*
323 * Override the policy, if appropriate.  Return 0 if the external
324 * policy engine approves.
325 */
326static int
327priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
328{
329	priv_set_t set;
330	int ret;
331
332	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
333		return (-1);
334
335	if (priv == PRIV_ALL) {
336		priv_fillset(&set);
337	} else if (allzone) {
338		set = *ZONEPRIVS(cr);
339	} else {
340		priv_emptyset(&set);
341		priv_addset(&set, priv);
342	}
343	ret = klpd_call(cr, &set, ap);
344	return (ret);
345}
346
347static int
348priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
349{
350	if (CR_FLAGS(cr) & PRIV_PFEXEC)
351		return (check_user_privs(cr, req));
352	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
353		return (klpd_call(cr, req, ap));
354	}
355	return (-1);
356}
357
358static int
359priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
360{
361	va_list ap;
362	int ret;
363
364	va_start(ap, req);
365	ret = priv_policy_override_set(cr, req, ap);
366	va_end(ap);
367	return (ret);
368}
369
370/*
371 * Audit failure, log error message.
372 */
373static void
374priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
375{
376
377	if (AU_AUDITING())
378		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
379	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
380
381	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
382	    curthread->t_pre_sys) {
383		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
384			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
385		} else {
386			ASSERT(!HAS_PRIVILEGE(cr, priv));
387			priv_policy_errmsg(cr, priv, msg);
388		}
389	}
390}
391
392/*
393 * priv_policy_ap()
394 * return 0 or error.
395 * See block comment above for a description of "priv" and "allzone" usage.
396 */
397static int
398priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
399    const char *msg, va_list ap)
400{
401	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
402	    (!servicing_interrupt() &&
403	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
404		if ((allzone || priv == PRIV_ALL ||
405		    !PRIV_ISASSERT(priv_basic, priv)) &&
406		    !servicing_interrupt()) {
407			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
408			if (AU_AUDITING())
409				audit_priv(priv,
410				    allzone ? ZONEPRIVS(cr) : NULL, 1);
411		}
412		err = 0;
413		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
414	} else if (!servicing_interrupt()) {
415		/* Failure audited in this procedure */
416		priv_policy_err(cr, priv, allzone, msg);
417	}
418	return (err);
419}
420
421int
422priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
423    const char *msg, ...)
424{
425	int ret;
426	va_list ap;
427
428	va_start(ap, msg);
429	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
430	va_end(ap);
431
432	return (ret);
433}
434
435int
436priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
437    const char *msg)
438{
439	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
440}
441
442/*
443 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
444 */
445boolean_t
446priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
447{
448	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
449	    (!allzone || HAS_ALLZONEPRIVS(cr));
450
451	/* Audit success only */
452	if (res && AU_AUDITING() &&
453	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
454	    !servicing_interrupt()) {
455		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
456	}
457	if (res) {
458		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
459	} else {
460		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
461	}
462	return (res);
463}
464
465/*
466 * Non-auditing variant of priv_policy_choice().
467 */
468boolean_t
469priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
470{
471	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
472	    (!allzone || HAS_ALLZONEPRIVS(cr));
473
474	if (res) {
475		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
476	} else {
477		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
478	}
479	return (res);
480}
481
482/*
483 * Check whether all privileges in the required set are present.
484 */
485static int
486secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
487    const char *msg, ...)
488{
489	int priv;
490	int pfound = -1;
491	priv_set_t pset;
492	va_list ap;
493	int ret;
494
495	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
496	    &CR_OEPRIV(cr))) {
497		return (0);
498	}
499
500	va_start(ap, msg);
501	ret = priv_policy_override_set(cr, req, ap);
502	va_end(ap);
503	if (ret == 0)
504		return (0);
505
506	if (req == PRIV_FULLSET || priv_isfullset(req)) {
507		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
508		return (EACCES);
509	}
510
511	pset = CR_OEPRIV(cr);		/* present privileges */
512	priv_inverse(&pset);		/* all non present privileges */
513	priv_intersect(req, &pset);	/* the actual missing privs */
514
515	if (AU_AUDITING())
516		audit_priv(PRIV_NONE, &pset, 0);
517	/*
518	 * Privilege debugging; special case "one privilege in set".
519	 */
520	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
521		for (priv = 0; priv < nprivs; priv++) {
522			if (priv_ismember(&pset, priv)) {
523				if (pfound != -1) {
524					/* Multiple missing privs */
525					priv_policy_errmsg(cr, PRIV_MULTIPLE,
526					    msg);
527					return (EACCES);
528				}
529				pfound = priv;
530			}
531		}
532		ASSERT(pfound != -1);
533		/* Just the one missing privilege */
534		priv_policy_errmsg(cr, pfound, msg);
535	}
536
537	return (EACCES);
538}
539
540/*
541 * Called when an operation requires that the caller be in the
542 * global zone, regardless of privilege.
543 */
544static int
545priv_policy_global(const cred_t *cr)
546{
547	if (crgetzoneid(cr) == GLOBAL_ZONEID)
548		return (0);	/* success */
549
550	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
551	    curthread->t_pre_sys) {
552		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
553	}
554	return (EPERM);
555}
556
557/*
558 * Raising process priority
559 */
560int
561secpolicy_raisepriority(const cred_t *cr)
562{
563	if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
564		return (0);
565	return (secpolicy_setpriority(cr));
566}
567
568/*
569 * Changing process priority or scheduling class
570 */
571int
572secpolicy_setpriority(const cred_t *cr)
573{
574	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
575}
576
577/*
578 * Binding to a privileged port, port must be specified in host byte
579 * order.
580 * When adding a new privilege which allows binding to currently privileged
581 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
582 * to these ports because of backward compatibility.
583 */
584int
585secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
586{
587	char *reason;
588	int priv;
589
590	switch (port) {
591	case 137:
592	case 138:
593	case 139:
594	case 445:
595		/*
596		 * NBT and SMB ports, these are normal privileged ports,
597		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
598		 * is present.
599		 * Try both, if neither is present return an error for
600		 * priv SYS_SMB.
601		 */
602		if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
603			priv = PRIV_NET_PRIVADDR;
604		else
605			priv = PRIV_SYS_SMB;
606		reason = "NBT or SMB port";
607		break;
608
609	case 2049:
610	case 4045:
611		/*
612		 * NFS ports, these are extra privileged ports, allow bind
613		 * only if the SYS_NFS privilege is present.
614		 */
615		priv = PRIV_SYS_NFS;
616		reason = "NFS port";
617		break;
618
619	default:
620		priv = PRIV_NET_PRIVADDR;
621		reason = NULL;
622		break;
623
624	}
625
626	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
627	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
628}
629
630/*
631 * Binding to a multilevel port on a trusted (labeled) system.
632 */
633int
634secpolicy_net_bindmlp(const cred_t *cr)
635{
636	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
637}
638
639/*
640 * Allow a communication between a zone and an unlabeled host when their
641 * labels don't match.
642 */
643int
644secpolicy_net_mac_aware(const cred_t *cr)
645{
646	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
647}
648
649/*
650 * Allow a privileged process to transmit traffic without explicit labels
651 */
652int
653secpolicy_net_mac_implicit(const cred_t *cr)
654{
655	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
656}
657
658/*
659 * Common routine which determines whether a given credential can
660 * act on a given mount.
661 * When called through mount, the parameter needoptcheck is a pointer
662 * to a boolean variable which will be set to either true or false,
663 * depending on whether the mount policy should change the mount options.
664 * In all other cases, needoptcheck should be a NULL pointer.
665 */
666static int
667secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
668    boolean_t *needoptcheck)
669{
670	boolean_t allzone = B_FALSE;
671	boolean_t mounting = needoptcheck != NULL;
672
673	/*
674	 * Short circuit the following cases:
675	 *	vfsp == NULL or mvp == NULL (pure privilege check)
676	 *	have all privileges - no further checks required
677	 *	and no mount options need to be set.
678	 */
679	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
680		if (mounting)
681			*needoptcheck = B_FALSE;
682
683		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
684		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
685	}
686
687	/*
688	 * When operating on an existing mount (either we're not mounting
689	 * or we're doing a remount and VFS_REMOUNT will be set), zones
690	 * can operate only on mounts established by the zone itself.
691	 */
692	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
693		zoneid_t zoneid = crgetzoneid(cr);
694
695		if (zoneid != GLOBAL_ZONEID &&
696		    vfsp->vfs_zone->zone_id != zoneid) {
697			return (EPERM);
698		}
699	}
700
701	if (mounting)
702		*needoptcheck = B_TRUE;
703
704	/*
705	 * Overlay mounts may hide important stuff; if you can't write to a
706	 * mount point but would be able to mount on top of it, you can
707	 * escalate your privileges.
708	 * So we go about asking the same questions namefs does when it
709	 * decides whether you can mount over a file or not but with the
710	 * added restriction that you can only mount on top of a regular
711	 * file or directory.
712	 * If we have all the zone's privileges, we skip all other checks,
713	 * or else we may actually get in trouble inside the automounter.
714	 */
715	if ((mvp->v_flag & VROOT) != 0 ||
716	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
717	    HAS_ALLZONEPRIVS(cr)) {
718		allzone = B_TRUE;
719	} else {
720		vattr_t va;
721		int err;
722
723		va.va_mask = AT_UID|AT_MODE;
724		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
725		if (err != 0)
726			return (err);
727
728		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
729			return (err);
730
731		if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
732		    VWRITE) != 0) {
733			return (EACCES);
734		}
735	}
736	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
737	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
738}
739
740void
741secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
742{
743	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
744
745	/*
746	 * check; if we don't have either "nosuid" or
747	 * both "nosetuid" and "nodevices", then we add
748	 * "nosuid"; this depends on how the current
749	 * implementation works (it first checks nosuid).  In a
750	 * zone, a user with all zone privileges can mount with
751	 * "setuid" but never with "devices".
752	 */
753	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
754	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
755	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
756		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
757			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
758		else
759			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
760	}
761	/*
762	 * If we're not the local super user, we set the "restrict"
763	 * option to indicate to automountd that this mount should
764	 * be handled with care.
765	 */
766	if (!amsuper)
767		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
768
769}
770
771int
772secpolicy_fs_allowed_mount(const char *fsname)
773{
774	struct vfssw *vswp;
775	const char *p;
776	size_t len;
777
778	ASSERT(fsname != NULL);
779	ASSERT(fsname[0] != '\0');
780
781	if (INGLOBALZONE(curproc))
782		return (0);
783
784	vswp = vfs_getvfssw(fsname);
785	if (vswp == NULL)
786		return (ENOENT);
787
788	if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
789		vfs_unrefvfssw(vswp);
790		return (0);
791	}
792
793	vfs_unrefvfssw(vswp);
794
795	p = curzone->zone_fs_allowed;
796	len = strlen(fsname);
797
798	while (p != NULL && *p != '\0') {
799		if (strncmp(p, fsname, len) == 0) {
800			char c = *(p + len);
801			if (c == '\0' || c == ',')
802				return (0);
803		}
804
805		/* skip to beyond the next comma */
806		if ((p = strchr(p, ',')) != NULL)
807			p++;
808	}
809
810	return (EPERM);
811}
812
813extern vnode_t *rootvp;
814extern vfs_t *rootvfs;
815
816int
817secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
818{
819	boolean_t needoptchk;
820	int error;
821
822	/*
823	 * If it's a remount, get the underlying mount point,
824	 * except for the root where we use the rootvp.
825	 */
826	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
827		if (vfsp == rootvfs)
828			mvp = rootvp;
829		else
830			mvp = vfsp->vfs_vnodecovered;
831	}
832
833	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
834
835	if (error == 0 && needoptchk) {
836		secpolicy_fs_mount_clearopts(cr, vfsp);
837	}
838
839	return (error);
840}
841
842/*
843 * Does the policy computations for "ownership" of a mount;
844 * here ownership is defined as the ability to "mount"
845 * the filesystem originally.  The rootvfs doesn't cover any
846 * vnodes; we attribute its ownership to the rootvp.
847 */
848static int
849secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
850{
851	vnode_t *mvp;
852
853	if (vfsp == NULL)
854		mvp = NULL;
855	else if (vfsp == rootvfs)
856		mvp = rootvp;
857	else
858		mvp = vfsp->vfs_vnodecovered;
859
860	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
861}
862
863int
864secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
865{
866	return (secpolicy_fs_owner(cr, vfsp));
867}
868
869/*
870 * Quotas are a resource, but if one has the ability to mount a filesystem,
871 * they should be able to modify quotas on it.
872 */
873int
874secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
875{
876	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
877}
878
879/*
880 * Exceeding minfree: also a per-mount resource constraint.
881 */
882int
883secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
884{
885	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
886}
887
888int
889secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
890{
891	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
892}
893
894/* ARGSUSED */
895int
896secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
897{
898	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
899}
900
901/*
902 * Name:        secpolicy_vnode_access()
903 *
904 * Parameters:  Process credential
905 *		vnode
906 *		uid of owner of vnode
907 *		permission bits not granted to the caller when examining
908 *		file mode bits (i.e., when a process wants to open a
909 *		mode 444 file for VREAD|VWRITE, this function should be
910 *		called only with a VWRITE argument).
911 *
912 * Normal:      Verifies that cred has the appropriate privileges to
913 *              override the mode bits that were denied.
914 *
915 * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
916 *                      not a directory.
917 *              file_dac_read - if VREAD bit was denied.
918 *              file_dac_search - if VEXEC bit was denied and vnode is
919 *                      a directory.
920 *              file_dac_write - if VWRITE bit was denied.
921 *
922 *		Root owned files are special cased to protect system
923 *		configuration files and such.
924 *
925 * Output:      EACCES - if privilege check fails.
926 */
927
928int
929secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
930{
931	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
932	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
933	    KLPDARG_NOMORE) != 0) {
934		return (EACCES);
935	}
936
937	if (mode & VWRITE) {
938		boolean_t allzone;
939
940		if (owner == 0 && cr->cr_uid != 0)
941			allzone = B_TRUE;
942		else
943			allzone = B_FALSE;
944		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
945		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
946		    KLPDARG_NOMORE) != 0) {
947			return (EACCES);
948		}
949	}
950
951	if (mode & VEXEC) {
952		/*
953		 * Directories use file_dac_search to override the execute bit.
954		 */
955		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
956		    PRIV_FILE_DAC_EXECUTE;
957
958		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
959		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
960	}
961	return (0);
962}
963
964/*
965 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
966 * current mode of the file, not the missing bits.
967 */
968int
969secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
970    mode_t curmode, mode_t wantmode)
971{
972	mode_t mode;
973
974	/* Inline the basic privileges tests. */
975	if ((wantmode & VREAD) &&
976	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
977	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
978	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
979		return (EACCES);
980	}
981
982	if ((wantmode & VWRITE) &&
983	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
984	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
985	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
986		return (EACCES);
987	}
988
989	mode = ~curmode & wantmode;
990
991	if (mode == 0)
992		return (0);
993
994	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
995	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
996	    KLPDARG_NOMORE) != 0) {
997		return (EACCES);
998	}
999
1000	if (mode & VWRITE) {
1001		boolean_t allzone;
1002
1003		if (owner == 0 && cr->cr_uid != 0)
1004			allzone = B_TRUE;
1005		else
1006			allzone = B_FALSE;
1007		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1008		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
1009		    KLPDARG_NOMORE) != 0) {
1010			return (EACCES);
1011		}
1012	}
1013
1014	if (mode & VEXEC) {
1015		/*
1016		 * Directories use file_dac_search to override the execute bit.
1017		 */
1018		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1019		    PRIV_FILE_DAC_EXECUTE;
1020
1021		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1022		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1023	}
1024	return (0);
1025}
1026
1027/*
1028 * This is a special routine for ZFS; it is used to determine whether
1029 * any of the privileges in effect allow any form of access to the
1030 * file.  There's no reason to audit this or any reason to record
1031 * this.  More work is needed to do the "KPLD" stuff.
1032 */
1033int
1034secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1035{
1036	static int privs[] = {
1037	    PRIV_FILE_OWNER,
1038	    PRIV_FILE_CHOWN,
1039	    PRIV_FILE_DAC_READ,
1040	    PRIV_FILE_DAC_WRITE,
1041	    PRIV_FILE_DAC_EXECUTE,
1042	    PRIV_FILE_DAC_SEARCH,
1043	};
1044	int i;
1045
1046	/* Same as secpolicy_vnode_setdac */
1047	if (owner == cr->cr_uid)
1048		return (0);
1049
1050	for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1051		boolean_t allzone = B_FALSE;
1052		int priv;
1053
1054		switch (priv = privs[i]) {
1055		case PRIV_FILE_DAC_EXECUTE:
1056			if (vp->v_type == VDIR)
1057				continue;
1058			break;
1059		case PRIV_FILE_DAC_SEARCH:
1060			if (vp->v_type != VDIR)
1061				continue;
1062			break;
1063		case PRIV_FILE_DAC_WRITE:
1064		case PRIV_FILE_OWNER:
1065		case PRIV_FILE_CHOWN:
1066			/* We know here that if owner == 0, that cr_uid != 0 */
1067			allzone = owner == 0;
1068			break;
1069		}
1070		if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1071			return (0);
1072	}
1073	return (EPERM);
1074}
1075
1076/*
1077 * Name:	secpolicy_vnode_setid_modify()
1078 *
1079 * Normal:	verify that subject can set the file setid flags.
1080 *
1081 * Output:	EPERM - if not privileged.
1082 */
1083
1084static int
1085secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1086{
1087	/* If changing to suid root, must have all zone privs */
1088	boolean_t allzone = B_TRUE;
1089
1090	if (owner != 0) {
1091		if (owner == cr->cr_uid)
1092			return (0);
1093		allzone = B_FALSE;
1094	}
1095	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1096}
1097
1098/*
1099 * Are we allowed to retain the set-uid/set-gid bits when
1100 * changing ownership or when writing to a file?
1101 * "issuid" should be true when set-uid; only in that case
1102 * root ownership is checked (setgid is assumed).
1103 */
1104int
1105secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1106{
1107	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1108		return (EPERM);
1109
1110	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1111}
1112
1113/*
1114 * Name:	secpolicy_vnode_setids_setgids()
1115 *
1116 * Normal:	verify that subject can set the file setgid flag.
1117 *
1118 * Output:	EPERM - if not privileged
1119 */
1120
1121int
1122secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1123{
1124	if (!groupmember(gid, cred))
1125		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1126		    NULL));
1127	return (0);
1128}
1129
1130/*
1131 * Name:	secpolicy_vnode_chown
1132 *
1133 * Normal:	Determine if subject can chown owner of a file.
1134 *
1135 * Output:	EPERM - if access denied
1136 */
1137
1138int
1139secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1140{
1141	boolean_t is_owner = (owner == crgetuid(cred));
1142	boolean_t allzone = B_FALSE;
1143	int priv;
1144
1145	if (!is_owner) {
1146		allzone = (owner == 0);
1147		priv = PRIV_FILE_CHOWN;
1148	} else {
1149		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1150		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1151	}
1152
1153	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1154}
1155
1156/*
1157 * Name:	secpolicy_vnode_create_gid
1158 *
1159 * Normal:	Determine if subject can change group ownership of a file.
1160 *
1161 * Output:	EPERM - if access denied
1162 */
1163int
1164secpolicy_vnode_create_gid(const cred_t *cred)
1165{
1166	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1167		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1168		    NULL));
1169	else
1170		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1171		    NULL));
1172}
1173
1174/*
1175 * Name:	secpolicy_vnode_utime_modify()
1176 *
1177 * Normal:	verify that subject can modify the utime on a file.
1178 *
1179 * Output:	EPERM - if access denied.
1180 */
1181
1182static int
1183secpolicy_vnode_utime_modify(const cred_t *cred)
1184{
1185	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1186	    "modify file times"));
1187}
1188
1189
1190/*
1191 * Name:	secpolicy_vnode_setdac()
1192 *
1193 * Normal:	verify that subject can modify the mode of a file.
1194 *		allzone privilege needed when modifying root owned object.
1195 *
1196 * Output:	EPERM - if access denied.
1197 */
1198
1199int
1200secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1201{
1202	if (owner == cred->cr_uid)
1203		return (0);
1204
1205	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1206}
1207/*
1208 * Name:	secpolicy_vnode_stky_modify()
1209 *
1210 * Normal:	verify that subject can make a file a "sticky".
1211 *
1212 * Output:	EPERM - if access denied.
1213 */
1214
1215int
1216secpolicy_vnode_stky_modify(const cred_t *cred)
1217{
1218	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1219	    "set file sticky"));
1220}
1221
1222/*
1223 * Policy determines whether we can remove an entry from a directory,
1224 * regardless of permission bits.
1225 */
1226int
1227secpolicy_vnode_remove(const cred_t *cr)
1228{
1229	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1230	    "sticky directory"));
1231}
1232
1233int
1234secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1235{
1236	boolean_t allzone = (owner == 0);
1237
1238	if (owner == cr->cr_uid)
1239		return (0);
1240
1241	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1242}
1243
1244void
1245secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1246{
1247	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1248	    secpolicy_vnode_setid_retain(cr,
1249	    (vap->va_mode & S_ISUID) != 0 &&
1250	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1251		vap->va_mask |= AT_MODE;
1252		vap->va_mode &= ~(S_ISUID|S_ISGID);
1253	}
1254}
1255
1256int
1257secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1258    cred_t *cr)
1259{
1260	int error;
1261
1262	if ((vap->va_mode & S_ISUID) != 0 &&
1263	    (error = secpolicy_vnode_setid_modify(cr,
1264	    ovap->va_uid)) != 0) {
1265		return (error);
1266	}
1267
1268	/*
1269	 * Check privilege if attempting to set the
1270	 * sticky bit on a non-directory.
1271	 */
1272	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1273	    secpolicy_vnode_stky_modify(cr) != 0) {
1274		vap->va_mode &= ~S_ISVTX;
1275	}
1276
1277	/*
1278	 * Check for privilege if attempting to set the
1279	 * group-id bit.
1280	 */
1281	if ((vap->va_mode & S_ISGID) != 0 &&
1282	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1283		vap->va_mode &= ~S_ISGID;
1284	}
1285
1286	return (0);
1287}
1288
1289#define	ATTR_FLAG_PRIV(attr, value, cr)	\
1290	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1291	B_FALSE, EPERM, NULL)
1292
1293/*
1294 * Check privileges for setting xvattr attributes
1295 */
1296int
1297secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1298{
1299	xoptattr_t *xoap;
1300	int error = 0;
1301
1302	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1303		return (EINVAL);
1304
1305	/*
1306	 * First process the DOS bits
1307	 */
1308	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1309	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1310	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1311	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1312	    XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1313	    XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1314	    XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1315		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1316			return (error);
1317	}
1318
1319	/*
1320	 * Now handle special attributes
1321	 */
1322
1323	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1324		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1325		    xoap->xoa_immutable, cr);
1326	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1327		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1328		    xoap->xoa_nounlink, cr);
1329	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1330		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1331		    xoap->xoa_appendonly, cr);
1332	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1333		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1334		    xoap->xoa_nodump, cr);
1335	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1336		error = EPERM;
1337	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1338		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1339		    xoap->xoa_av_quarantined, cr);
1340		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1341			error = EINVAL;
1342	}
1343	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1344		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1345		    xoap->xoa_av_modified, cr);
1346	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1347		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1348		    xoap->xoa_av_scanstamp, cr);
1349		if (error == 0 && vtype != VREG)
1350			error = EINVAL;
1351	}
1352	return (error);
1353}
1354
1355/*
1356 * This function checks the policy decisions surrounding the
1357 * vop setattr call.
1358 *
1359 * It should be called after sufficient locks have been established
1360 * on the underlying data structures.  No concurrent modifications
1361 * should be allowed.
1362 *
1363 * The caller must pass in unlocked version of its vaccess function
1364 * this is required because vop_access function should lock the
1365 * node for reading.  A three argument function should be defined
1366 * which accepts the following argument:
1367 * 	A pointer to the internal "node" type (inode *)
1368 *	vnode access bits (VREAD|VWRITE|VEXEC)
1369 *	a pointer to the credential
1370 *
1371 * This function makes the following policy decisions:
1372 *
1373 *		- change permissions
1374 *			- permission to change file mode if not owner
1375 *			- permission to add sticky bit to non-directory
1376 *			- permission to add set-gid bit
1377 *
1378 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1379 *
1380 * If the vap argument does not include AT_MODE, the mode will be copied from
1381 * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1382 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1383 * is updated to the newly computed mode.
1384 */
1385
1386int
1387secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1388    const struct vattr *ovap, int flags,
1389    int unlocked_access(void *, int, cred_t *),
1390    void *node)
1391{
1392	int mask = vap->va_mask;
1393	int error = 0;
1394	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1395
1396	if (mask & AT_SIZE) {
1397		if (vp->v_type == VDIR) {
1398			error = EISDIR;
1399			goto out;
1400		}
1401
1402		/*
1403		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1404		 * perform the secondary unlocked_access() call since the
1405		 * ACL (if any) is being checked there.
1406		 */
1407		if (skipaclchk == B_FALSE) {
1408			error = unlocked_access(node, VWRITE, cr);
1409			if (error)
1410				goto out;
1411		}
1412	}
1413	if (mask & AT_MODE) {
1414		/*
1415		 * If not the owner of the file then check privilege
1416		 * for two things: the privilege to set the mode at all
1417		 * and, if we're setting setuid, we also need permissions
1418		 * to add the set-uid bit, if we're not the owner.
1419		 * In the specific case of creating a set-uid root
1420		 * file, we need even more permissions.
1421		 */
1422		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1423			goto out;
1424
1425		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1426		    ovap, cr)) != 0)
1427			goto out;
1428	} else
1429		vap->va_mode = ovap->va_mode;
1430
1431	if (mask & (AT_UID|AT_GID)) {
1432		boolean_t checkpriv = B_FALSE;
1433
1434		/*
1435		 * Chowning files.
1436		 *
1437		 * If you are the file owner:
1438		 *	chown to other uid		FILE_CHOWN_SELF
1439		 *	chown to gid (non-member) 	FILE_CHOWN_SELF
1440		 *	chown to gid (member) 		<none>
1441		 *
1442		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1443		 * acceptable but the first one is reported when debugging.
1444		 *
1445		 * If you are not the file owner:
1446		 *	chown from root			PRIV_FILE_CHOWN + zone
1447		 *	chown from other to any		PRIV_FILE_CHOWN
1448		 *
1449		 */
1450		if (cr->cr_uid != ovap->va_uid) {
1451			checkpriv = B_TRUE;
1452		} else {
1453			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1454			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1455			    !groupmember(vap->va_gid, cr))) {
1456				checkpriv = B_TRUE;
1457			}
1458		}
1459		/*
1460		 * If necessary, check privilege to see if update can be done.
1461		 */
1462		if (checkpriv &&
1463		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1464			goto out;
1465		}
1466
1467		/*
1468		 * If the file has either the set UID or set GID bits
1469		 * set and the caller can set the bits, then leave them.
1470		 */
1471		secpolicy_setid_clear(vap, cr);
1472	}
1473	if (mask & (AT_ATIME|AT_MTIME)) {
1474		/*
1475		 * If not the file owner and not otherwise privileged,
1476		 * always return an error when setting the
1477		 * time other than the current (ATTR_UTIME flag set).
1478		 * If setting the current time (ATTR_UTIME not set) then
1479		 * unlocked_access will check permissions according to policy.
1480		 */
1481		if (cr->cr_uid != ovap->va_uid) {
1482			if (flags & ATTR_UTIME)
1483				error = secpolicy_vnode_utime_modify(cr);
1484			else if (skipaclchk == B_FALSE) {
1485				error = unlocked_access(node, VWRITE, cr);
1486				if (error == EACCES &&
1487				    secpolicy_vnode_utime_modify(cr) == 0)
1488					error = 0;
1489			}
1490			if (error)
1491				goto out;
1492		}
1493	}
1494
1495	/*
1496	 * Check for optional attributes here by checking the following:
1497	 */
1498	if (mask & AT_XVATTR)
1499		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1500		    vp->v_type);
1501out:
1502	return (error);
1503}
1504
1505/*
1506 * Name:	secpolicy_pcfs_modify_bootpartition()
1507 *
1508 * Normal:	verify that subject can modify a pcfs boot partition.
1509 *
1510 * Output:	EACCES - if privilege check failed.
1511 */
1512/*ARGSUSED*/
1513int
1514secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1515{
1516	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1517	    "modify pcfs boot partition"));
1518}
1519
1520/*
1521 * System V IPC routines
1522 */
1523int
1524secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1525{
1526	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1527	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1528		boolean_t allzone = B_FALSE;
1529		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1530			allzone = B_TRUE;
1531		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1532	}
1533	return (0);
1534}
1535
1536int
1537secpolicy_ipc_config(const cred_t *cr)
1538{
1539	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1540}
1541
1542int
1543secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1544{
1545
1546	boolean_t allzone = B_FALSE;
1547
1548	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1549
1550	if ((mode & MSG_R) &&
1551	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1552		return (EACCES);
1553
1554	if (mode & MSG_W) {
1555		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1556			allzone = B_TRUE;
1557
1558		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1559		    NULL));
1560	}
1561	return (0);
1562}
1563
1564int
1565secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1566{
1567	boolean_t allzone = B_FALSE;
1568
1569	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1570
1571	if ((mode & MSG_R) &&
1572	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1573		return (EACCES);
1574
1575	if (mode & MSG_W) {
1576		if (cr->cr_uid != 0 && owner == 0)
1577			allzone = B_TRUE;
1578
1579		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1580		    NULL));
1581	}
1582	return (0);
1583}
1584
1585/*
1586 * Audit configuration.
1587 */
1588int
1589secpolicy_audit_config(const cred_t *cr)
1590{
1591	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1592}
1593
1594/*
1595 * Audit record generation.
1596 */
1597int
1598secpolicy_audit_modify(const cred_t *cr)
1599{
1600	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1601}
1602
1603/*
1604 * Get audit attributes.
1605 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1606 * "Least" of the two privileges on error.
1607 */
1608int
1609secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1610{
1611	int priv;
1612
1613	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1614		priv = PRIV_SYS_AUDIT;
1615	else
1616		priv = PRIV_PROC_AUDIT;
1617
1618	if (checkonly)
1619		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1620	else
1621		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1622}
1623
1624
1625/*
1626 * Locking physical memory
1627 */
1628int
1629secpolicy_lock_memory(const cred_t *cr)
1630{
1631	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1632}
1633
1634/*
1635 * Accounting (both acct(2) and exacct).
1636 */
1637int
1638secpolicy_acct(const cred_t *cr)
1639{
1640	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1641}
1642
1643/*
1644 * Is this process privileged to change its uids at will?
1645 * Uid 0 is still considered "special" and having the SETID
1646 * privilege is not sufficient to get uid 0.
1647 * Files are owned by root, so the privilege would give
1648 * full access and euid 0 is still effective.
1649 *
1650 * If you have the privilege and euid 0 only then do you
1651 * get the powers of root wrt uid 0.
1652 *
1653 * For gid manipulations, this is should be called with an
1654 * uid of -1.
1655 *
1656 */
1657int
1658secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1659{
1660	boolean_t allzone = B_FALSE;
1661
1662	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1663	    cr->cr_ruid != 0) {
1664		allzone = B_TRUE;
1665	}
1666
1667	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1668	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1669}
1670
1671
1672/*
1673 * Acting on a different process: if the mode is for writing,
1674 * the restrictions are more severe.  This is called after
1675 * we've verified that the uids do not match.
1676 */
1677int
1678secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1679{
1680	boolean_t allzone = B_FALSE;
1681
1682	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1683	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1684		allzone = B_TRUE;
1685
1686	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1687}
1688
1689int
1690secpolicy_proc_access(const cred_t *scr)
1691{
1692	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1693}
1694
1695int
1696secpolicy_proc_excl_open(const cred_t *scr)
1697{
1698	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1699}
1700
1701int
1702secpolicy_proc_zone(const cred_t *scr)
1703{
1704	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1705}
1706
1707/*
1708 * Destroying the system
1709 */
1710
1711int
1712secpolicy_kmdb(const cred_t *scr)
1713{
1714	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1715}
1716
1717int
1718secpolicy_error_inject(const cred_t *scr)
1719{
1720	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1721}
1722
1723/*
1724 * Processor sets, cpu configuration, resource pools.
1725 */
1726int
1727secpolicy_pset(const cred_t *cr)
1728{
1729	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1730}
1731
1732/* Process security flags */
1733int
1734secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1735{
1736	if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1737		return (EPERM);
1738
1739	if (!prochasprocperm(tp, sp, cr))
1740		return (EPERM);
1741
1742	return (0);
1743}
1744
1745/*
1746 * Processor set binding.
1747 */
1748int
1749secpolicy_pbind(const cred_t *cr)
1750{
1751	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1752		return (secpolicy_pset(cr));
1753	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1754}
1755
1756int
1757secpolicy_ponline(const cred_t *cr)
1758{
1759	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1760}
1761
1762int
1763secpolicy_pool(const cred_t *cr)
1764{
1765	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1766}
1767
1768int
1769secpolicy_blacklist(const cred_t *cr)
1770{
1771	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1772}
1773
1774/*
1775 * Catch all system configuration.
1776 */
1777int
1778secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1779{
1780	if (checkonly) {
1781		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1782		    EPERM);
1783	} else {
1784		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1785	}
1786}
1787
1788/*
1789 * Zone administration (halt, reboot, etc.) from within zone.
1790 */
1791int
1792secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1793{
1794	if (checkonly) {
1795		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1796		    EPERM);
1797	} else {
1798		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1799		    NULL));
1800	}
1801}
1802
1803/*
1804 * Zone configuration (create, halt, enter).
1805 */
1806int
1807secpolicy_zone_config(const cred_t *cr)
1808{
1809	/*
1810	 * Require all privileges to avoid possibility of privilege
1811	 * escalation.
1812	 */
1813	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1814}
1815
1816/*
1817 * Various other system configuration calls
1818 */
1819int
1820secpolicy_coreadm(const cred_t *cr)
1821{
1822	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1823}
1824
1825int
1826secpolicy_systeminfo(const cred_t *cr)
1827{
1828	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1829}
1830
1831int
1832secpolicy_dispadm(const cred_t *cr)
1833{
1834	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1835}
1836
1837int
1838secpolicy_settime(const cred_t *cr)
1839{
1840	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1841}
1842
1843/*
1844 * For realtime users: high resolution clock.
1845 */
1846int
1847secpolicy_clock_highres(const cred_t *cr)
1848{
1849	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1850	    NULL));
1851}
1852
1853/*
1854 * drv_priv() is documented as callable from interrupt context, not that
1855 * anyone ever does, but still.  No debugging or auditing can be done when
1856 * it is called from interrupt context.
1857 * returns 0 on succes, EPERM on failure.
1858 */
1859int
1860drv_priv(cred_t *cr)
1861{
1862	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1863}
1864
1865int
1866secpolicy_sys_devices(const cred_t *cr)
1867{
1868	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1869}
1870
1871int
1872secpolicy_excl_open(const cred_t *cr)
1873{
1874	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1875}
1876
1877int
1878secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1879{
1880	/* zone.* rctls can only be set from the global zone */
1881	if (is_zone_rctl && priv_policy_global(cr) != 0)
1882		return (EPERM);
1883	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1884}
1885
1886int
1887secpolicy_resource(const cred_t *cr)
1888{
1889	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1890}
1891
1892int
1893secpolicy_resource_anon_mem(const cred_t *cr)
1894{
1895	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1896}
1897
1898/*
1899 * Processes with a real uid of 0 escape any form of accounting, much
1900 * like before.
1901 */
1902int
1903secpolicy_newproc(const cred_t *cr)
1904{
1905	if (cr->cr_ruid == 0)
1906		return (0);
1907
1908	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1909}
1910
1911/*
1912 * Networking
1913 */
1914int
1915secpolicy_net_rawaccess(const cred_t *cr)
1916{
1917	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1918}
1919
1920int
1921secpolicy_net_observability(const cred_t *cr)
1922{
1923	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1924}
1925
1926/*
1927 * Need this privilege for accessing the ICMP device
1928 */
1929int
1930secpolicy_net_icmpaccess(const cred_t *cr)
1931{
1932	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1933}
1934
1935/*
1936 * There are a few rare cases where the kernel generates ioctls() from
1937 * interrupt context with a credential of kcred rather than NULL.
1938 * In those cases, we take the safe and cheap test.
1939 */
1940int
1941secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1942{
1943	if (checkonly) {
1944		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1945		    0 : EPERM);
1946	} else {
1947		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1948		    NULL));
1949	}
1950}
1951
1952
1953/*
1954 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1955 *
1956 * There are a few rare cases where the kernel generates ioctls() from
1957 * interrupt context with a credential of kcred rather than NULL.
1958 * In those cases, we take the safe and cheap test.
1959 */
1960int
1961secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1962{
1963	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1964		return (secpolicy_net_config(cr, checkonly));
1965
1966	if (checkonly) {
1967		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1968		    0 : EPERM);
1969	} else {
1970		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1971		    NULL));
1972	}
1973}
1974
1975/*
1976 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1977 */
1978int
1979secpolicy_dl_config(const cred_t *cr)
1980{
1981	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1982		return (secpolicy_net_config(cr, B_FALSE));
1983	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1984}
1985
1986/*
1987 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1988 */
1989int
1990secpolicy_iptun_config(const cred_t *cr)
1991{
1992	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1993		return (secpolicy_net_config(cr, B_FALSE));
1994	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1995		return (secpolicy_dl_config(cr));
1996	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1997}
1998
1999/*
2000 * Map IP pseudo privileges to actual privileges.
2001 * So we don't need to recompile IP when we change the privileges.
2002 */
2003int
2004secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2005{
2006	int priv = PRIV_ALL;
2007
2008	switch (netpriv) {
2009	case OP_CONFIG:
2010		priv = PRIV_SYS_IP_CONFIG;
2011		break;
2012	case OP_RAW:
2013		priv = PRIV_NET_RAWACCESS;
2014		break;
2015	case OP_PRIVPORT:
2016		priv = PRIV_NET_PRIVADDR;
2017		break;
2018	}
2019	ASSERT(priv != PRIV_ALL);
2020	if (checkonly)
2021		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2022	else
2023		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2024}
2025
2026/*
2027 * Map network pseudo privileges to actual privileges.
2028 * So we don't need to recompile IP when we change the privileges.
2029 */
2030int
2031secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2032{
2033	int priv = PRIV_ALL;
2034
2035	switch (netpriv) {
2036	case OP_CONFIG:
2037		priv = PRIV_SYS_NET_CONFIG;
2038		break;
2039	case OP_RAW:
2040		priv = PRIV_NET_RAWACCESS;
2041		break;
2042	case OP_PRIVPORT:
2043		priv = PRIV_NET_PRIVADDR;
2044		break;
2045	}
2046	ASSERT(priv != PRIV_ALL);
2047	if (checkonly)
2048		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2049	else
2050		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2051}
2052
2053/*
2054 * Checks for operations that are either client-only or are used by
2055 * both clients and servers.
2056 */
2057int
2058secpolicy_nfs(const cred_t *cr)
2059{
2060	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2061}
2062
2063/*
2064 * Special case for opening rpcmod: have NFS privileges or network
2065 * config privileges.
2066 */
2067int
2068secpolicy_rpcmod_open(const cred_t *cr)
2069{
2070	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2071		return (secpolicy_nfs(cr));
2072	else
2073		return (secpolicy_net_config(cr, B_FALSE));
2074}
2075
2076int
2077secpolicy_chroot(const cred_t *cr)
2078{
2079	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2080}
2081
2082int
2083secpolicy_tasksys(const cred_t *cr)
2084{
2085	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2086}
2087
2088int
2089secpolicy_meminfo(const cred_t *cr)
2090{
2091	return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2092}
2093
2094int
2095secpolicy_pfexec_register(const cred_t *cr)
2096{
2097	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2098}
2099
2100/*
2101 * Basic privilege checks.
2102 */
2103int
2104secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2105{
2106	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2107
2108	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2109	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2110}
2111
2112int
2113secpolicy_basic_fork(const cred_t *cr)
2114{
2115	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2116
2117	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2118}
2119
2120int
2121secpolicy_basic_proc(const cred_t *cr)
2122{
2123	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2124
2125	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2126}
2127
2128/*
2129 * Slightly complicated because we don't want to trigger the policy too
2130 * often.  First we shortcircuit access to "self" (tp == sp) or if
2131 * we don't have the privilege but if we have permission
2132 * just return (0) and we don't flag the privilege as needed.
2133 * Else, we test for the privilege because we either have it or need it.
2134 */
2135int
2136secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2137{
2138	if (tp == sp ||
2139	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2140		return (0);
2141	} else {
2142		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2143	}
2144}
2145
2146int
2147secpolicy_basic_link(const cred_t *cr)
2148{
2149	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2150
2151	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2152}
2153
2154int
2155secpolicy_basic_net_access(const cred_t *cr)
2156{
2157	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2158
2159	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2160}
2161
2162/* ARGSUSED */
2163int
2164secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2165{
2166	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2167
2168	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2169	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2170}
2171
2172/* ARGSUSED */
2173int
2174secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2175{
2176	FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2177
2178	return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2179	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2180}
2181
2182/*
2183 * Additional device protection.
2184 *
2185 * Traditionally, a device has specific permissions on the node in
2186 * the filesystem which govern which devices can be opened by what
2187 * processes.  In certain cases, it is desirable to add extra
2188 * restrictions, as writing to certain devices is identical to
2189 * having a complete run of the system.
2190 *
2191 * This mechanism is called the device policy.
2192 *
2193 * When a device is opened, its policy entry is looked up in the
2194 * policy cache and checked.
2195 */
2196int
2197secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2198{
2199	devplcy_t *plcy;
2200	int err;
2201	struct snode *csp = VTOS(common_specvp(vp));
2202	priv_set_t pset;
2203
2204	mutex_enter(&csp->s_lock);
2205
2206	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2207		plcy = devpolicy_find(vp);
2208		if (csp->s_plcy)
2209			dpfree(csp->s_plcy);
2210		csp->s_plcy = plcy;
2211		ASSERT(plcy != NULL);
2212	} else
2213		plcy = csp->s_plcy;
2214
2215	if (plcy == nullpolicy) {
2216		mutex_exit(&csp->s_lock);
2217		return (0);
2218	}
2219
2220	dphold(plcy);
2221
2222	mutex_exit(&csp->s_lock);
2223
2224	if (oflag & FWRITE)
2225		pset = plcy->dp_wrp;
2226	else
2227		pset = plcy->dp_rdp;
2228	/*
2229	 * Special case:
2230	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2231	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2232	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2233	 * in the required privilege set before doing the check.
2234	 */
2235	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2236	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2237	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2238		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2239		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2240	}
2241
2242	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2243	dpfree(plcy);
2244
2245	return (err);
2246}
2247
2248int
2249secpolicy_modctl(const cred_t *cr, int cmd)
2250{
2251	switch (cmd) {
2252	case MODINFO:
2253	case MODGETMAJBIND:
2254	case MODGETPATH:
2255	case MODGETPATHLEN:
2256	case MODGETNAME:
2257	case MODGETFBNAME:
2258	case MODGETDEVPOLICY:
2259	case MODGETDEVPOLICYBYNAME:
2260	case MODDEVT2INSTANCE:
2261	case MODSIZEOF_DEVID:
2262	case MODGETDEVID:
2263	case MODSIZEOF_MINORNAME:
2264	case MODGETMINORNAME:
2265	case MODGETDEVFSPATH_LEN:
2266	case MODGETDEVFSPATH:
2267	case MODGETDEVFSPATH_MI_LEN:
2268	case MODGETDEVFSPATH_MI:
2269		/* Unprivileged */
2270		return (0);
2271	case MODLOAD:
2272	case MODSETDEVPOLICY:
2273		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2274		    KLPDARG_NONE));
2275	default:
2276		return (secpolicy_sys_config(cr, B_FALSE));
2277	}
2278}
2279
2280int
2281secpolicy_console(const cred_t *cr)
2282{
2283	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2284}
2285
2286int
2287secpolicy_power_mgmt(const cred_t *cr)
2288{
2289	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2290}
2291
2292/*
2293 * Simulate terminal input; another escalation of privileges avenue.
2294 */
2295
2296int
2297secpolicy_sti(const cred_t *cr)
2298{
2299	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2300}
2301
2302boolean_t
2303secpolicy_net_reply_equal(const cred_t *cr)
2304{
2305	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2306}
2307
2308int
2309secpolicy_swapctl(const cred_t *cr)
2310{
2311	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2312}
2313
2314int
2315secpolicy_cpc_cpu(const cred_t *cr)
2316{
2317	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2318}
2319
2320/*
2321 * secpolicy_contract_identity
2322 *
2323 * Determine if the subject may set the process contract FMRI value
2324 */
2325int
2326secpolicy_contract_identity(const cred_t *cr)
2327{
2328	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2329}
2330
2331/*
2332 * secpolicy_contract_observer
2333 *
2334 * Determine if the subject may observe a specific contract's events.
2335 */
2336int
2337secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2338{
2339	if (contract_owned(ct, cr, B_FALSE))
2340		return (0);
2341	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2342}
2343
2344/*
2345 * secpolicy_contract_observer_choice
2346 *
2347 * Determine if the subject may observe any contract's events.  Just
2348 * tests privilege and audits on success.
2349 */
2350boolean_t
2351secpolicy_contract_observer_choice(const cred_t *cr)
2352{
2353	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2354}
2355
2356/*
2357 * secpolicy_contract_event
2358 *
2359 * Determine if the subject may request critical contract events or
2360 * reliable contract event delivery.
2361 */
2362int
2363secpolicy_contract_event(const cred_t *cr)
2364{
2365	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2366}
2367
2368/*
2369 * secpolicy_contract_event_choice
2370 *
2371 * Determine if the subject may retain contract events in its critical
2372 * set when a change in other terms would normally require a change in
2373 * the critical set.  Just tests privilege and audits on success.
2374 */
2375boolean_t
2376secpolicy_contract_event_choice(const cred_t *cr)
2377{
2378	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2379}
2380
2381/*
2382 * secpolicy_gart_access
2383 *
2384 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2385 * device.
2386 */
2387int
2388secpolicy_gart_access(const cred_t *cr)
2389{
2390	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2391}
2392
2393/*
2394 * secpolicy_gart_map
2395 *
2396 * Determine if the subject has sufficient priveleges to map aperture range
2397 * through agpgart driver.
2398 */
2399int
2400secpolicy_gart_map(const cred_t *cr)
2401{
2402	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2403		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2404		    NULL));
2405	} else {
2406		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2407		    NULL));
2408	}
2409}
2410
2411/*
2412 * secpolicy_xhci
2413 *
2414 * Determine if the subject can observe and manipulate the xhci driver with a
2415 * dangerous blunt hammer.  Requires all privileges.
2416 */
2417int
2418secpolicy_xhci(const cred_t *cr)
2419{
2420	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2421}
2422
2423/*
2424 * secpolicy_zinject
2425 *
2426 * Determine if the subject can inject faults in the ZFS fault injection
2427 * framework.  Requires all privileges.
2428 */
2429int
2430secpolicy_zinject(const cred_t *cr)
2431{
2432	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2433}
2434
2435/*
2436 * secpolicy_zfs
2437 *
2438 * Determine if the subject has permission to manipulate ZFS datasets
2439 * (not pools).  Equivalent to the SYS_MOUNT privilege.
2440 */
2441int
2442secpolicy_zfs(const cred_t *cr)
2443{
2444	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2445}
2446
2447/*
2448 * secpolicy_idmap
2449 *
2450 * Determine if the calling process has permissions to register an SID
2451 * mapping daemon and allocate ephemeral IDs.
2452 */
2453int
2454secpolicy_idmap(const cred_t *cr)
2455{
2456	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2457}
2458
2459/*
2460 * secpolicy_ucode_update
2461 *
2462 * Determine if the subject has sufficient privilege to update microcode.
2463 */
2464int
2465secpolicy_ucode_update(const cred_t *scr)
2466{
2467	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2468}
2469
2470/*
2471 * secpolicy_sadopen
2472 *
2473 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2474 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2475 * In global zone, sys_config is required.
2476 * In exclusive-IP zones, sys_ip_config is required.
2477 * Note that sys_config is prohibited in non-global zones.
2478 */
2479int
2480secpolicy_sadopen(const cred_t *credp)
2481{
2482	priv_set_t pset;
2483
2484	priv_emptyset(&pset);
2485
2486	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2487		priv_addset(&pset, PRIV_SYS_CONFIG);
2488	else
2489		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2490
2491	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2492}
2493
2494
2495/*
2496 * Add privileges to a particular privilege set; this is called when the
2497 * current sets of privileges are not sufficient.  I.e., we should always
2498 * call the policy override functions from here.
2499 * What we are allowed to have is in the Observed Permitted set; so
2500 * we compute the difference between that and the newset.
2501 */
2502int
2503secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2504{
2505	priv_set_t rqd;
2506
2507	rqd = CR_OPPRIV(cr);
2508
2509	priv_inverse(&rqd);
2510	priv_intersect(nset, &rqd);
2511
2512	return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2513}
2514
2515/*
2516 * secpolicy_smb
2517 *
2518 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2519 * that it has permission to access the smbsrv kernel driver.
2520 * PRIV_POLICY checks the privilege and audits the check.
2521 *
2522 * Returns:
2523 * 0       Driver access is allowed.
2524 * EPERM   Driver access is NOT permitted.
2525 */
2526int
2527secpolicy_smb(const cred_t *cr)
2528{
2529	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2530}
2531
2532/*
2533 * secpolicy_vscan
2534 *
2535 * Determine if cred_t has the necessary privileges to access a file
2536 * for virus scanning and update its extended system attributes.
2537 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2538 * PRIV_FILE_FLAG_SET - set extended system attributes
2539 *
2540 * PRIV_POLICY checks the privilege and audits the check.
2541 *
2542 * Returns:
2543 * 0      file access for virus scanning allowed.
2544 * EPERM  file access for virus scanning is NOT permitted.
2545 */
2546int
2547secpolicy_vscan(const cred_t *cr)
2548{
2549	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2550	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2551	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2552		return (EPERM);
2553	}
2554
2555	return (0);
2556}
2557
2558/*
2559 * secpolicy_smbfs_login
2560 *
2561 * Determines if the caller can add and delete the smbfs login
2562 * password in the the nsmb kernel module for the CIFS client.
2563 *
2564 * Returns:
2565 * 0       access is allowed.
2566 * EPERM   access is NOT allowed.
2567 */
2568int
2569secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2570{
2571	uid_t cruid = crgetruid(cr);
2572
2573	if (cruid == uid)
2574		return (0);
2575	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2576	    EPERM, NULL));
2577}
2578
2579/*
2580 * secpolicy_xvm_control
2581 *
2582 * Determines if a caller can control the xVM hypervisor and/or running
2583 * domains (x86 specific).
2584 *
2585 * Returns:
2586 * 0       access is allowed.
2587 * EPERM   access is NOT allowed.
2588 */
2589int
2590secpolicy_xvm_control(const cred_t *cr)
2591{
2592	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2593		return (EPERM);
2594	return (0);
2595}
2596
2597/*
2598 * secpolicy_ppp_config
2599 *
2600 * Determine if the subject has sufficient privileges to configure PPP and
2601 * PPP-related devices.
2602 */
2603int
2604secpolicy_ppp_config(const cred_t *cr)
2605{
2606	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2607		return (secpolicy_net_config(cr, B_FALSE));
2608	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2609}
2610