xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision 70561057)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2016 Joyent, Inc.
24  * Copyright (c) 2016 by Delphix. All rights reserved.
25  * Copyright 2022 Oxide Computer Company
26  * Copyright 2023 RackTop Systems, Inc.
27  */
28 
29 #include <sys/types.h>
30 #include <sys/sysmacros.h>
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/cred_impl.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/stat.h>
37 #include <sys/errno.h>
38 #include <sys/kmem.h>
39 #include <sys/user.h>
40 #include <sys/proc.h>
41 #include <sys/acct.h>
42 #include <sys/ipc_impl.h>
43 #include <sys/cmn_err.h>
44 #include <sys/debug.h>
45 #include <sys/policy.h>
46 #include <sys/kobj.h>
47 #include <sys/msg.h>
48 #include <sys/devpolicy.h>
49 #include <c2/audit.h>
50 #include <sys/varargs.h>
51 #include <sys/klpd.h>
52 #include <sys/modctl.h>
53 #include <sys/disp.h>
54 #include <sys/zone.h>
55 #include <inet/optcom.h>
56 #include <sys/sdt.h>
57 #include <sys/vfs.h>
58 #include <sys/mntent.h>
59 #include <sys/contract_impl.h>
60 #include <sys/dld_ioc.h>
61 
62 /*
63  * There are two possible layers of privilege routines and two possible
64  * levels of secpolicy.  Plus one other we may not be interested in, so
65  * we may need as many as 6 but no more.
66  */
67 #define	MAXPRIVSTACK		6
68 
69 int priv_debug = 0;
70 int priv_basic_test = -1;
71 
72 /*
73  * Unlinking or creating new hard links to directories was historically allowed
74  * in some file systems; e.g., UFS allows root users to do it, at the cost of
75  * almost certain file system corruption that will require fsck to fix.
76  *
77  * Most modern operating systems and file systems (e.g., ZFS) do not allow this
78  * behaviour anymore, and we have elected to stamp it out entirely for
79  * compatibility and safety reasons.  An attempt to unlink a directory will
80  * fail with EPERM, as described in the standard.  During this transition, one
81  * can turn the behaviour back on, at their own risk, with this tuneable:
82  */
83 int priv_allow_linkdir = 0;
84 
85 /*
86  * This file contains the majority of the policy routines.
87  * Since the policy routines are defined by function and not
88  * by privilege, there is quite a bit of duplication of
89  * functions.
90  *
91  * The secpolicy functions must not make assumptions about
92  * locks held or not held as any lock can be held while they're
93  * being called.
94  *
95  * Credentials are read-only so no special precautions need to
96  * be taken while locking them.
97  *
98  * When a new policy check needs to be added to the system the
99  * following procedure should be followed:
100  *
101  *		Pick an appropriate secpolicy_*() function
102  *			-> done if one exists.
103  *		Create a new secpolicy function, preferably with
104  *		a descriptive name using the standard template.
105  *		Pick an appropriate privilege for the policy.
106  *		If no appropraite privilege exists, define new one
107  *		(this should be done with extreme care; in most cases
108  *		little is gained by adding another privilege)
109  *
110  * WHY ROOT IS STILL SPECIAL.
111  *
112  * In a number of the policy functions, there are still explicit
113  * checks for uid 0.  The rationale behind these is that many root
114  * owned files/objects hold configuration information which can give full
115  * privileges to the user once written to.  To prevent escalation
116  * of privilege by allowing just a single privilege to modify root owned
117  * objects, we've added these root specific checks where we considered
118  * them necessary: modifying root owned files, changing uids to 0, etc.
119  *
120  * PRIVILEGE ESCALATION AND ZONES.
121  *
122  * A number of operations potentially allow the caller to achieve
123  * privileges beyond the ones normally required to perform the operation.
124  * For example, if allowed to create a setuid 0 executable, a process can
125  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
126  * restrictions on the ability to gain privileges beyond those available
127  * within the zone through file and process manipulation.  Hence, such
128  * operations require that the caller have an effective set that includes
129  * all privileges available within the current zone, or all privileges
130  * if executing in the global zone.
131  *
132  * This is indicated in the priv_policy* policy checking functions
133  * through a combination of parameters.  The "priv" parameter indicates
134  * the privilege that is required, and the "allzone" parameter indicates
135  * whether or not all privileges in the zone are required.  In addition,
136  * priv can be set to PRIV_ALL to indicate that all privileges are
137  * required (regardless of zone).  There are three scenarios of interest:
138  * (1) operation requires a specific privilege
139  * (2) operation requires a specific privilege, and requires all
140  *     privileges available within the zone (or all privileges if in
141  *     the global zone)
142  * (3) operation requires all privileges, regardless of zone
143  *
144  * For (1), priv should be set to the specific privilege, and allzone
145  * should be set to B_FALSE.
146  * For (2), priv should be set to the specific privilege, and allzone
147  * should be set to B_TRUE.
148  * For (3), priv should be set to PRIV_ALL, and allzone should be set
149  * to B_FALSE.
150  *
151  */
152 
153 /*
154  * The privileges are checked against the Effective set for
155  * ordinary processes and checked against the Limit set
156  * for euid 0 processes that haven't manipulated their privilege
157  * sets.
158  */
159 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
160 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
161 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
162 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
163 					HAS_ALLPRIVS(cr) : \
164 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
165 
166 #define	FAST_BASIC_CHECK(cr, priv)	\
167 	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
168 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
169 		return (0); \
170 	}
171 
172 /*
173  * Policy checking functions.
174  *
175  * All of the system's policy should be implemented here.
176  */
177 
178 /*
179  * Private functions which take an additional va_list argument to
180  * implement an object specific policy override.
181  */
182 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
183     const char *, va_list);
184 static int priv_policy_va(const cred_t *, int, boolean_t, int,
185     const char *, ...);
186 
187 /*
188  * Generic policy calls
189  *
190  * The "bottom" functions of policy control
191  */
192 static char *
mprintf(const char * fmt,...)193 mprintf(const char *fmt, ...)
194 {
195 	va_list args;
196 	char *buf;
197 	size_t len;
198 
199 	va_start(args, fmt);
200 	len = vsnprintf(NULL, 0, fmt, args) + 1;
201 	va_end(args);
202 
203 	buf = kmem_alloc(len, KM_NOSLEEP);
204 
205 	if (buf == NULL)
206 		return (NULL);
207 
208 	va_start(args, fmt);
209 	(void) vsnprintf(buf, len, fmt, args);
210 	va_end(args);
211 
212 	return (buf);
213 }
214 
215 /*
216  * priv_policy_errmsg()
217  *
218  * Generate an error message if privilege debugging is enabled system wide
219  * or for this particular process.
220  */
221 
222 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
223 #define	FMTMSG	" for \"%s\""
224 #define	FMTFUN	" needed at %s+0x%lx"
225 
226 /* The maximum size privilege format: the concatenation of the above */
227 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
228 
229 static void
priv_policy_errmsg(const cred_t * cr,int priv,const char * msg)230 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
231 {
232 	struct proc *me;
233 	pc_t stack[MAXPRIVSTACK];
234 	int depth;
235 	int i;
236 	char *sym;
237 	ulong_t off;
238 	const char *pname;
239 
240 	char *cmd;
241 	char fmt[sizeof (FMTMAX)];
242 
243 	if ((me = curproc) == &p0)
244 		return;
245 
246 	/* Privileges must be defined  */
247 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
248 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
249 	    priv_getbynum(priv) != NULL);
250 
251 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
252 		priv = PRIV_ALL;
253 
254 	if (curthread->t_pre_sys)
255 		ttolwp(curthread)->lwp_badpriv = (short)priv;
256 
257 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
258 		return;
259 
260 	(void) strcpy(fmt, FMTHDR);
261 
262 	if (me->p_user.u_comm[0])
263 		cmd = &me->p_user.u_comm[0];
264 	else
265 		cmd = "priv_policy";
266 
267 	if (msg != NULL && *msg != '\0') {
268 		(void) strcat(fmt, FMTMSG);
269 	} else {
270 		(void) strcat(fmt, "%s");
271 		msg = "";
272 	}
273 
274 	sym = NULL;
275 
276 	depth = getpcstack(stack, MAXPRIVSTACK);
277 
278 	/*
279 	 * Try to find the first interesting function on the stack.
280 	 * priv_policy* that's us, so completely uninteresting.
281 	 * suser(), drv_priv(), secpolicy_* are also called from
282 	 * too many locations to convey useful information.
283 	 */
284 	for (i = 0; i < depth; i++) {
285 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
286 		if (sym != NULL &&
287 		    strstr(sym, "hasprocperm") == 0 &&
288 		    strcmp("suser", sym) != 0 &&
289 		    strcmp("ipcaccess", sym) != 0 &&
290 		    strcmp("drv_priv", sym) != 0 &&
291 		    strncmp("secpolicy_", sym, 10) != 0 &&
292 		    strncmp("priv_policy", sym, 11) != 0)
293 			break;
294 	}
295 
296 	if (sym != NULL)
297 		(void) strcat(fmt, FMTFUN);
298 
299 	(void) strcat(fmt, "\n");
300 
301 	switch (priv) {
302 	case PRIV_ALL:
303 		pname = "ALL";
304 		break;
305 	case PRIV_MULTIPLE:
306 		pname = "MULTIPLE";
307 		break;
308 	case PRIV_ALLZONE:
309 		pname = "ZONE";
310 		break;
311 	case PRIV_GLOBAL:
312 		pname = "GLOBAL";
313 		break;
314 	default:
315 		pname = priv_getbynum(priv);
316 		break;
317 	}
318 
319 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
320 		/* Remember last message, just like lwp_badpriv. */
321 		if (curthread->t_pdmsg != NULL) {
322 			kmem_free(curthread->t_pdmsg,
323 			    strlen(curthread->t_pdmsg) + 1);
324 		}
325 
326 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
327 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
328 
329 		curthread->t_post_sys = 1;
330 	}
331 	if (priv_debug) {
332 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
333 		    curthread->t_sysnum, msg, sym, off);
334 	}
335 }
336 
337 /*
338  * Override the policy, if appropriate.  Return 0 if the external
339  * policy engine approves.
340  */
341 static int
priv_policy_override(const cred_t * cr,int priv,boolean_t allzone,va_list ap)342 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
343 {
344 	priv_set_t set;
345 	int ret;
346 
347 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
348 		return (-1);
349 
350 	if (priv == PRIV_ALL) {
351 		priv_fillset(&set);
352 	} else if (allzone) {
353 		set = *ZONEPRIVS(cr);
354 	} else {
355 		priv_emptyset(&set);
356 		priv_addset(&set, priv);
357 	}
358 	ret = klpd_call(cr, &set, ap);
359 	return (ret);
360 }
361 
362 static int
priv_policy_override_set(const cred_t * cr,const priv_set_t * req,va_list ap)363 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
364 {
365 	if (CR_FLAGS(cr) & PRIV_PFEXEC)
366 		return (check_user_privs(cr, req));
367 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
368 		return (klpd_call(cr, req, ap));
369 	}
370 	return (-1);
371 }
372 
373 static int
priv_policy_override_set_va(const cred_t * cr,const priv_set_t * req,...)374 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
375 {
376 	va_list ap;
377 	int ret;
378 
379 	va_start(ap, req);
380 	ret = priv_policy_override_set(cr, req, ap);
381 	va_end(ap);
382 	return (ret);
383 }
384 
385 /*
386  * Audit failure, log error message.
387  */
388 static void
priv_policy_err(const cred_t * cr,int priv,boolean_t allzone,const char * msg)389 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
390 {
391 
392 	if (AU_AUDITING())
393 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
394 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
395 
396 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
397 	    curthread->t_pre_sys) {
398 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
399 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
400 		} else {
401 			ASSERT(!HAS_PRIVILEGE(cr, priv));
402 			priv_policy_errmsg(cr, priv, msg);
403 		}
404 	}
405 }
406 
407 /*
408  * priv_policy_ap()
409  * return 0 or error.
410  * See block comment above for a description of "priv" and "allzone" usage.
411  */
412 static int
priv_policy_ap(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,va_list ap)413 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
414     const char *msg, va_list ap)
415 {
416 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
417 	    (!servicing_interrupt() &&
418 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
419 		if ((allzone || priv == PRIV_ALL ||
420 		    !PRIV_ISASSERT(priv_basic, priv)) &&
421 		    !servicing_interrupt()) {
422 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
423 			if (AU_AUDITING())
424 				audit_priv(priv,
425 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
426 		}
427 		err = 0;
428 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
429 	} else if (!servicing_interrupt()) {
430 		/* Failure audited in this procedure */
431 		priv_policy_err(cr, priv, allzone, msg);
432 	}
433 	return (err);
434 }
435 
436 int
priv_policy_va(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,...)437 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
438     const char *msg, ...)
439 {
440 	int ret;
441 	va_list ap;
442 
443 	va_start(ap, msg);
444 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
445 	va_end(ap);
446 
447 	return (ret);
448 }
449 
450 int
priv_policy(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg)451 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
452     const char *msg)
453 {
454 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
455 }
456 
457 /*
458  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
459  */
460 boolean_t
priv_policy_choice(const cred_t * cr,int priv,boolean_t allzone)461 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
462 {
463 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
464 	    (!allzone || HAS_ALLZONEPRIVS(cr));
465 
466 	/* Audit success only */
467 	if (res && AU_AUDITING() &&
468 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
469 	    !servicing_interrupt()) {
470 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
471 	}
472 	if (res) {
473 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
474 	} else {
475 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
476 	}
477 	return (res);
478 }
479 
480 /*
481  * Non-auditing variant of priv_policy_choice().
482  */
483 boolean_t
priv_policy_only(const cred_t * cr,int priv,boolean_t allzone)484 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
485 {
486 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
487 	    (!allzone || HAS_ALLZONEPRIVS(cr));
488 
489 	if (res) {
490 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
491 	} else {
492 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
493 	}
494 	return (res);
495 }
496 
497 /*
498  * Check whether all privileges in the required set are present.
499  */
500 static int
secpolicy_require_set(const cred_t * cr,const priv_set_t * req,const char * msg,...)501 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
502     const char *msg, ...)
503 {
504 	int priv;
505 	int pfound = -1;
506 	priv_set_t pset;
507 	va_list ap;
508 	int ret;
509 
510 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
511 	    &CR_OEPRIV(cr))) {
512 		return (0);
513 	}
514 
515 	va_start(ap, msg);
516 	ret = priv_policy_override_set(cr, req, ap);
517 	va_end(ap);
518 	if (ret == 0)
519 		return (0);
520 
521 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
522 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
523 		return (EACCES);
524 	}
525 
526 	pset = CR_OEPRIV(cr);		/* present privileges */
527 	priv_inverse(&pset);		/* all non present privileges */
528 	priv_intersect(req, &pset);	/* the actual missing privs */
529 
530 	if (AU_AUDITING())
531 		audit_priv(PRIV_NONE, &pset, 0);
532 	/*
533 	 * Privilege debugging; special case "one privilege in set".
534 	 */
535 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
536 		for (priv = 0; priv < nprivs; priv++) {
537 			if (priv_ismember(&pset, priv)) {
538 				if (pfound != -1) {
539 					/* Multiple missing privs */
540 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
541 					    msg);
542 					return (EACCES);
543 				}
544 				pfound = priv;
545 			}
546 		}
547 		ASSERT(pfound != -1);
548 		/* Just the one missing privilege */
549 		priv_policy_errmsg(cr, pfound, msg);
550 	}
551 
552 	return (EACCES);
553 }
554 
555 /*
556  * Called when an operation requires that the caller be in the
557  * global zone, regardless of privilege.
558  */
559 static int
priv_policy_global(const cred_t * cr)560 priv_policy_global(const cred_t *cr)
561 {
562 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
563 		return (0);	/* success */
564 
565 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
566 	    curthread->t_pre_sys) {
567 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
568 	}
569 	return (EPERM);
570 }
571 
572 /*
573  * Raising process priority
574  */
575 int
secpolicy_raisepriority(const cred_t * cr)576 secpolicy_raisepriority(const cred_t *cr)
577 {
578 	if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
579 		return (0);
580 	return (secpolicy_setpriority(cr));
581 }
582 
583 /*
584  * Changing process priority or scheduling class
585  */
586 int
secpolicy_setpriority(const cred_t * cr)587 secpolicy_setpriority(const cred_t *cr)
588 {
589 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
590 }
591 
592 /*
593  * Binding to a privileged port, port must be specified in host byte
594  * order.
595  * When adding a new privilege which allows binding to currently privileged
596  * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
597  * to these ports because of backward compatibility.
598  */
599 int
secpolicy_net_privaddr(const cred_t * cr,in_port_t port,int proto)600 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
601 {
602 	char *reason;
603 	int priv;
604 
605 	switch (port) {
606 	case 137:
607 	case 138:
608 	case 139:
609 	case 445:
610 		/*
611 		 * NBT and SMB ports, these are normal privileged ports,
612 		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
613 		 * is present.
614 		 * Try both, if neither is present return an error for
615 		 * priv SYS_SMB.
616 		 */
617 		if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
618 			priv = PRIV_NET_PRIVADDR;
619 		else
620 			priv = PRIV_SYS_SMB;
621 		reason = "NBT or SMB port";
622 		break;
623 
624 	case 2049:
625 	case 4045:
626 		/*
627 		 * NFS ports, these are extra privileged ports, allow bind
628 		 * only if the SYS_NFS privilege is present.
629 		 */
630 		priv = PRIV_SYS_NFS;
631 		reason = "NFS port";
632 		break;
633 
634 	default:
635 		priv = PRIV_NET_PRIVADDR;
636 		reason = NULL;
637 		break;
638 
639 	}
640 
641 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
642 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
643 }
644 
645 /*
646  * Binding to a multilevel port on a trusted (labeled) system.
647  */
648 int
secpolicy_net_bindmlp(const cred_t * cr)649 secpolicy_net_bindmlp(const cred_t *cr)
650 {
651 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
652 }
653 
654 /*
655  * Allow a communication between a zone and an unlabeled host when their
656  * labels don't match.
657  */
658 int
secpolicy_net_mac_aware(const cred_t * cr)659 secpolicy_net_mac_aware(const cred_t *cr)
660 {
661 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
662 }
663 
664 /*
665  * Allow a privileged process to transmit traffic without explicit labels
666  */
667 int
secpolicy_net_mac_implicit(const cred_t * cr)668 secpolicy_net_mac_implicit(const cred_t *cr)
669 {
670 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
671 }
672 
673 /*
674  * Common routine which determines whether a given credential can
675  * act on a given mount.
676  * When called through mount, the parameter needoptcheck is a pointer
677  * to a boolean variable which will be set to either true or false,
678  * depending on whether the mount policy should change the mount options.
679  * In all other cases, needoptcheck should be a NULL pointer.
680  */
681 static int
secpolicy_fs_common(cred_t * cr,vnode_t * mvp,const vfs_t * vfsp,boolean_t * needoptcheck)682 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
683     boolean_t *needoptcheck)
684 {
685 	boolean_t allzone = B_FALSE;
686 	boolean_t mounting = needoptcheck != NULL;
687 
688 	/*
689 	 * Short circuit the following cases:
690 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
691 	 *	have all privileges - no further checks required
692 	 *	and no mount options need to be set.
693 	 */
694 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
695 		if (mounting)
696 			*needoptcheck = B_FALSE;
697 
698 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
699 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
700 	}
701 
702 	/*
703 	 * When operating on an existing mount (either we're not mounting
704 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
705 	 * can operate only on mounts established by the zone itself.
706 	 */
707 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
708 		zoneid_t zoneid = crgetzoneid(cr);
709 
710 		if (zoneid != GLOBAL_ZONEID &&
711 		    vfsp->vfs_zone->zone_id != zoneid) {
712 			return (EPERM);
713 		}
714 	}
715 
716 	if (mounting)
717 		*needoptcheck = B_TRUE;
718 
719 	/*
720 	 * Overlay mounts may hide important stuff; if you can't write to a
721 	 * mount point but would be able to mount on top of it, you can
722 	 * escalate your privileges.
723 	 * So we go about asking the same questions namefs does when it
724 	 * decides whether you can mount over a file or not but with the
725 	 * added restriction that you can only mount on top of a regular
726 	 * file or directory.
727 	 * If we have all the zone's privileges, we skip all other checks,
728 	 * or else we may actually get in trouble inside the automounter.
729 	 */
730 	if ((mvp->v_flag & VROOT) != 0 ||
731 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
732 	    HAS_ALLZONEPRIVS(cr)) {
733 		allzone = B_TRUE;
734 	} else {
735 		vattr_t va;
736 		int err;
737 
738 		va.va_mask = AT_UID|AT_MODE;
739 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
740 		if (err != 0)
741 			return (err);
742 
743 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
744 			return (err);
745 
746 		if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
747 		    VWRITE) != 0) {
748 			return (EACCES);
749 		}
750 	}
751 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
752 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
753 }
754 
755 void
secpolicy_fs_mount_clearopts(cred_t * cr,struct vfs * vfsp)756 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
757 {
758 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
759 
760 	/*
761 	 * check; if we don't have either "nosuid" or
762 	 * both "nosetuid" and "nodevices", then we add
763 	 * "nosuid"; this depends on how the current
764 	 * implementation works (it first checks nosuid).  In a
765 	 * zone, a user with all zone privileges can mount with
766 	 * "setuid" but never with "devices".
767 	 */
768 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
769 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
770 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
771 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
772 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
773 		else
774 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
775 	}
776 	/*
777 	 * If we're not the local super user, we set the "restrict"
778 	 * option to indicate to automountd that this mount should
779 	 * be handled with care.
780 	 */
781 	if (!amsuper)
782 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
783 
784 }
785 
786 int
secpolicy_fs_allowed_mount(const char * fsname)787 secpolicy_fs_allowed_mount(const char *fsname)
788 {
789 	struct vfssw *vswp;
790 	const char *p;
791 	size_t len;
792 
793 	ASSERT(fsname != NULL);
794 	ASSERT(fsname[0] != '\0');
795 
796 	if (INGLOBALZONE(curproc))
797 		return (0);
798 
799 	vswp = vfs_getvfssw(fsname);
800 	if (vswp == NULL)
801 		return (ENOENT);
802 
803 	if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
804 		vfs_unrefvfssw(vswp);
805 		return (0);
806 	}
807 
808 	vfs_unrefvfssw(vswp);
809 
810 	p = curzone->zone_fs_allowed;
811 	len = strlen(fsname);
812 
813 	while (p != NULL && *p != '\0') {
814 		if (strncmp(p, fsname, len) == 0) {
815 			char c = *(p + len);
816 			if (c == '\0' || c == ',')
817 				return (0);
818 		}
819 
820 		/* skip to beyond the next comma */
821 		if ((p = strchr(p, ',')) != NULL)
822 			p++;
823 	}
824 
825 	return (EPERM);
826 }
827 
828 extern vnode_t *rootvp;
829 extern vfs_t *rootvfs;
830 
831 int
secpolicy_fs_mount(cred_t * cr,vnode_t * mvp,struct vfs * vfsp)832 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
833 {
834 	boolean_t needoptchk;
835 	int error;
836 
837 	/*
838 	 * If it's a remount, get the underlying mount point,
839 	 * except for the root where we use the rootvp.
840 	 */
841 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
842 		if (vfsp == rootvfs)
843 			mvp = rootvp;
844 		else
845 			mvp = vfsp->vfs_vnodecovered;
846 	}
847 
848 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
849 
850 	if (error == 0 && needoptchk) {
851 		secpolicy_fs_mount_clearopts(cr, vfsp);
852 	}
853 
854 	return (error);
855 }
856 
857 /*
858  * Does the policy computations for "ownership" of a mount;
859  * here ownership is defined as the ability to "mount"
860  * the filesystem originally.  The rootvfs doesn't cover any
861  * vnodes; we attribute its ownership to the rootvp.
862  */
863 static int
secpolicy_fs_owner(cred_t * cr,const struct vfs * vfsp)864 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
865 {
866 	vnode_t *mvp;
867 
868 	if (vfsp == NULL)
869 		mvp = NULL;
870 	else if (vfsp == rootvfs)
871 		mvp = rootvp;
872 	else
873 		mvp = vfsp->vfs_vnodecovered;
874 
875 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
876 }
877 
878 int
secpolicy_fs_unmount(cred_t * cr,struct vfs * vfsp)879 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
880 {
881 	return (secpolicy_fs_owner(cr, vfsp));
882 }
883 
884 /*
885  * Quotas are a resource, but if one has the ability to mount a filesystem,
886  * they should be able to modify quotas on it.
887  */
888 int
secpolicy_fs_quota(const cred_t * cr,const vfs_t * vfsp)889 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
890 {
891 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
892 }
893 
894 /*
895  * Exceeding minfree: also a per-mount resource constraint.
896  */
897 int
secpolicy_fs_minfree(const cred_t * cr,const vfs_t * vfsp)898 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
899 {
900 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
901 }
902 
903 int
secpolicy_fs_config(const cred_t * cr,const vfs_t * vfsp)904 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
905 {
906 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
907 }
908 
909 /* ARGSUSED */
910 int
secpolicy_fs_linkdir(const cred_t * cr,const vfs_t * vfsp)911 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
912 {
913 	if (priv_allow_linkdir == 0) {
914 		/*
915 		 * By default, this policy check will now always return EPERM
916 		 * unless overridden.
917 		 *
918 		 * We do so without triggering auditing or allowing privilege
919 		 * debugging for two reasons: first, we intend eventually to
920 		 * deprecate the PRIV_SYS_LINKDIR privilege entirely and remove
921 		 * the use of this policy check from the file systems; second,
922 		 * for privilege debugging in particular, because it would be
923 		 * confusing to report an unlink() failure as the result of a
924 		 * missing privilege when in fact we are simply no longer
925 		 * allowing the operation at all.
926 		 */
927 		return (EPERM);
928 	}
929 
930 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
931 }
932 
933 /*
934  * Name:        secpolicy_vnode_access()
935  *
936  * Parameters:  Process credential
937  *		vnode
938  *		uid of owner of vnode
939  *		permission bits not granted to the caller when examining
940  *		file mode bits (i.e., when a process wants to open a
941  *		mode 444 file for VREAD|VWRITE, this function should be
942  *		called only with a VWRITE argument).
943  *
944  * Normal:      Verifies that cred has the appropriate privileges to
945  *              override the mode bits that were denied.
946  *
947  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
948  *                      not a directory.
949  *              file_dac_read - if VREAD bit was denied.
950  *              file_dac_search - if VEXEC bit was denied and vnode is
951  *                      a directory.
952  *              file_dac_write - if VWRITE bit was denied.
953  *
954  *		Root owned files are special cased to protect system
955  *		configuration files and such.
956  *
957  * Output:      EACCES - if privilege check fails.
958  */
959 
960 int
secpolicy_vnode_access(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t mode)961 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
962 {
963 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
964 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
965 	    KLPDARG_NOMORE) != 0) {
966 		return (EACCES);
967 	}
968 
969 	if (mode & VWRITE) {
970 		boolean_t allzone;
971 
972 		if (owner == 0 && cr->cr_uid != 0)
973 			allzone = B_TRUE;
974 		else
975 			allzone = B_FALSE;
976 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
977 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
978 		    KLPDARG_NOMORE) != 0) {
979 			return (EACCES);
980 		}
981 	}
982 
983 	if (mode & VEXEC) {
984 		/*
985 		 * Directories use file_dac_search to override the execute bit.
986 		 */
987 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
988 		    PRIV_FILE_DAC_EXECUTE;
989 
990 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
991 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
992 	}
993 	return (0);
994 }
995 
996 /*
997  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
998  * current mode of the file, not the missing bits.
999  */
1000 int
secpolicy_vnode_access2(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t curmode,mode_t wantmode)1001 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
1002     mode_t curmode, mode_t wantmode)
1003 {
1004 	mode_t mode;
1005 
1006 	/* Inline the basic privileges tests. */
1007 	if ((wantmode & VREAD) &&
1008 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
1009 	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
1010 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
1011 		return (EACCES);
1012 	}
1013 
1014 	if ((wantmode & VWRITE) &&
1015 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
1016 	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
1017 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
1018 		return (EACCES);
1019 	}
1020 
1021 	mode = ~curmode & wantmode;
1022 
1023 	if (mode == 0)
1024 		return (0);
1025 
1026 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
1027 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
1028 	    KLPDARG_NOMORE) != 0) {
1029 		return (EACCES);
1030 	}
1031 
1032 	if (mode & VWRITE) {
1033 		boolean_t allzone;
1034 
1035 		if (owner == 0 && cr->cr_uid != 0)
1036 			allzone = B_TRUE;
1037 		else
1038 			allzone = B_FALSE;
1039 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1040 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
1041 		    KLPDARG_NOMORE) != 0) {
1042 			return (EACCES);
1043 		}
1044 	}
1045 
1046 	if (mode & VEXEC) {
1047 		/*
1048 		 * Directories use file_dac_search to override the execute bit.
1049 		 */
1050 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1051 		    PRIV_FILE_DAC_EXECUTE;
1052 
1053 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1054 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1055 	}
1056 	return (0);
1057 }
1058 
1059 /*
1060  * This is a special routine for ZFS; it is used to determine whether
1061  * any of the privileges in effect allow any form of access to the
1062  * file.  There's no reason to audit this or any reason to record
1063  * this.  More work is needed to do the "KPLD" stuff.
1064  */
1065 int
secpolicy_vnode_any_access(const cred_t * cr,vnode_t * vp,uid_t owner)1066 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1067 {
1068 	static int privs[] = {
1069 	    PRIV_FILE_OWNER,
1070 	    PRIV_FILE_CHOWN,
1071 	    PRIV_FILE_DAC_READ,
1072 	    PRIV_FILE_DAC_WRITE,
1073 	    PRIV_FILE_DAC_EXECUTE,
1074 	    PRIV_FILE_DAC_SEARCH,
1075 	};
1076 	int i;
1077 
1078 	/* Same as secpolicy_vnode_setdac */
1079 	if (owner == cr->cr_uid)
1080 		return (0);
1081 
1082 	for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1083 		boolean_t allzone = B_FALSE;
1084 		int priv;
1085 
1086 		switch (priv = privs[i]) {
1087 		case PRIV_FILE_DAC_EXECUTE:
1088 			if (vp->v_type == VDIR)
1089 				continue;
1090 			break;
1091 		case PRIV_FILE_DAC_SEARCH:
1092 			if (vp->v_type != VDIR)
1093 				continue;
1094 			break;
1095 		case PRIV_FILE_DAC_WRITE:
1096 		case PRIV_FILE_OWNER:
1097 		case PRIV_FILE_CHOWN:
1098 			/* We know here that if owner == 0, that cr_uid != 0 */
1099 			allzone = owner == 0;
1100 			break;
1101 		}
1102 		if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1103 			return (0);
1104 	}
1105 	return (EPERM);
1106 }
1107 
1108 /*
1109  * Name:	secpolicy_vnode_setid_modify()
1110  *
1111  * Normal:	verify that subject can set the file setid flags.
1112  *
1113  * Output:	EPERM - if not privileged.
1114  */
1115 
1116 static int
secpolicy_vnode_setid_modify(const cred_t * cr,uid_t owner)1117 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1118 {
1119 	/* If changing to suid root, must have all zone privs */
1120 	boolean_t allzone = B_TRUE;
1121 
1122 	if (owner != 0) {
1123 		if (owner == cr->cr_uid)
1124 			return (0);
1125 		allzone = B_FALSE;
1126 	}
1127 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1128 }
1129 
1130 /*
1131  * Are we allowed to retain the set-uid/set-gid bits when
1132  * changing ownership or when writing to a file?
1133  * "issuid" should be true when set-uid; only in that case
1134  * root ownership is checked (setgid is assumed).
1135  */
1136 int
secpolicy_vnode_setid_retain(const cred_t * cred,boolean_t issuidroot)1137 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1138 {
1139 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1140 		return (EPERM);
1141 
1142 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1143 }
1144 
1145 /*
1146  * Name:	secpolicy_vnode_setids_setgids()
1147  *
1148  * Normal:	verify that subject can set the file setgid flag.
1149  *
1150  * Output:	EPERM - if not privileged
1151  */
1152 
1153 int
secpolicy_vnode_setids_setgids(const cred_t * cred,gid_t gid)1154 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1155 {
1156 	if (!groupmember(gid, cred))
1157 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1158 		    NULL));
1159 	return (0);
1160 }
1161 
1162 /*
1163  * Name:	secpolicy_vnode_chown
1164  *
1165  * Normal:	Determine if subject can chown owner of a file.
1166  *
1167  * Output:	EPERM - if access denied
1168  */
1169 
1170 int
secpolicy_vnode_chown(const cred_t * cred,uid_t owner)1171 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1172 {
1173 	boolean_t is_owner = (owner == crgetuid(cred));
1174 	boolean_t allzone = B_FALSE;
1175 	int priv;
1176 
1177 	if (!is_owner) {
1178 		allzone = (owner == 0);
1179 		priv = PRIV_FILE_CHOWN;
1180 	} else {
1181 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1182 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1183 	}
1184 
1185 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1186 }
1187 
1188 /*
1189  * Name:	secpolicy_vnode_create_gid
1190  *
1191  * Normal:	Determine if subject can change group ownership of a file.
1192  *
1193  * Output:	EPERM - if access denied
1194  */
1195 int
secpolicy_vnode_create_gid(const cred_t * cred)1196 secpolicy_vnode_create_gid(const cred_t *cred)
1197 {
1198 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1199 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1200 		    NULL));
1201 	else
1202 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1203 		    NULL));
1204 }
1205 
1206 /*
1207  * Name:	secpolicy_vnode_utime_modify()
1208  *
1209  * Normal:	verify that subject can modify the utime on a file.
1210  *
1211  * Output:	EPERM - if access denied.
1212  */
1213 
1214 static int
secpolicy_vnode_utime_modify(const cred_t * cred)1215 secpolicy_vnode_utime_modify(const cred_t *cred)
1216 {
1217 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1218 	    "modify file times"));
1219 }
1220 
1221 
1222 /*
1223  * Name:	secpolicy_vnode_setdac()
1224  *
1225  * Normal:	verify that subject can modify the mode of a file.
1226  *		allzone privilege needed when modifying root owned object.
1227  *
1228  * Output:	EPERM - if access denied.
1229  */
1230 
1231 int
secpolicy_vnode_setdac(const cred_t * cred,uid_t owner)1232 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1233 {
1234 	boolean_t allzone = (owner == 0);
1235 
1236 	if (owner == cred->cr_uid)
1237 		return (0);
1238 
1239 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1240 }
1241 
1242 /*
1243  * Name:	secpolicy_vnode_setdac3()
1244  *
1245  * Normal:	Variant of secpolicy_vnode_setdac() that conditionally
1246  *		grants implicit rights to the owner of a file.
1247  *		allzone privilege needed when modifying root owned object.
1248  *
1249  * Output:	EPERM - if access denied.
1250  */
1251 
1252 int
secpolicy_vnode_setdac3(const cred_t * cred,uid_t owner,boolean_t owner_implicit_rights)1253 secpolicy_vnode_setdac3(const cred_t *cred, uid_t owner,
1254     boolean_t owner_implicit_rights)
1255 {
1256 	boolean_t allzone = (owner == 0);
1257 
1258 	if (owner_implicit_rights && owner == cred->cr_uid)
1259 		return (0);
1260 
1261 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1262 }
1263 
1264 /*
1265  * Name:	secpolicy_vnode_stky_modify()
1266  *
1267  * Normal:	verify that subject can make a file a "sticky".
1268  *
1269  * Output:	EPERM - if access denied.
1270  */
1271 
1272 int
secpolicy_vnode_stky_modify(const cred_t * cred)1273 secpolicy_vnode_stky_modify(const cred_t *cred)
1274 {
1275 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1276 	    "set file sticky"));
1277 }
1278 
1279 /*
1280  * Policy determines whether we can remove an entry from a directory,
1281  * regardless of permission bits.
1282  */
1283 int
secpolicy_vnode_remove(const cred_t * cr)1284 secpolicy_vnode_remove(const cred_t *cr)
1285 {
1286 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1287 	    "sticky directory"));
1288 }
1289 
1290 int
secpolicy_vnode_owner(const cred_t * cr,uid_t owner)1291 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1292 {
1293 	boolean_t allzone = (owner == 0);
1294 
1295 	if (owner == cr->cr_uid)
1296 		return (0);
1297 
1298 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1299 }
1300 
1301 void
secpolicy_setid_clear(vattr_t * vap,cred_t * cr)1302 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1303 {
1304 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1305 	    secpolicy_vnode_setid_retain(cr,
1306 	    (vap->va_mode & S_ISUID) != 0 &&
1307 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1308 		vap->va_mask |= AT_MODE;
1309 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1310 	}
1311 }
1312 
1313 int
secpolicy_setid_setsticky_clear(vnode_t * vp,vattr_t * vap,const vattr_t * ovap,cred_t * cr)1314 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1315     cred_t *cr)
1316 {
1317 	int error;
1318 
1319 	if ((vap->va_mode & S_ISUID) != 0 &&
1320 	    (error = secpolicy_vnode_setid_modify(cr,
1321 	    ovap->va_uid)) != 0) {
1322 		return (error);
1323 	}
1324 
1325 	/*
1326 	 * Check privilege if attempting to set the
1327 	 * sticky bit on a non-directory.
1328 	 */
1329 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1330 	    secpolicy_vnode_stky_modify(cr) != 0) {
1331 		vap->va_mode &= ~S_ISVTX;
1332 	}
1333 
1334 	/*
1335 	 * Check for privilege if attempting to set the
1336 	 * group-id bit.
1337 	 */
1338 	if ((vap->va_mode & S_ISGID) != 0 &&
1339 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1340 		vap->va_mode &= ~S_ISGID;
1341 	}
1342 
1343 	return (0);
1344 }
1345 
1346 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1347 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1348 	B_FALSE, EPERM, NULL)
1349 
1350 /*
1351  * Check privileges for setting xvattr attributes
1352  */
1353 int
secpolicy_xvattr(xvattr_t * xvap,uid_t owner,cred_t * cr,vtype_t vtype)1354 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1355 {
1356 	xoptattr_t *xoap;
1357 	int error = 0;
1358 
1359 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1360 		return (EINVAL);
1361 
1362 	/*
1363 	 * First process the DOS bits
1364 	 */
1365 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1366 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1367 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1368 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1369 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1370 	    XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1371 	    XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1372 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1373 			return (error);
1374 	}
1375 
1376 	/*
1377 	 * Now handle special attributes
1378 	 */
1379 
1380 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1381 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1382 		    xoap->xoa_immutable, cr);
1383 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1384 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1385 		    xoap->xoa_nounlink, cr);
1386 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1387 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1388 		    xoap->xoa_appendonly, cr);
1389 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1390 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1391 		    xoap->xoa_nodump, cr);
1392 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1393 		error = EPERM;
1394 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1395 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1396 		    xoap->xoa_av_quarantined, cr);
1397 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1398 			error = EINVAL;
1399 	}
1400 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1401 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1402 		    xoap->xoa_av_modified, cr);
1403 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1404 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1405 		    xoap->xoa_av_scanstamp, cr);
1406 		if (error == 0 && vtype != VREG)
1407 			error = EINVAL;
1408 	}
1409 	return (error);
1410 }
1411 
1412 /*
1413  * This function checks the policy decisions surrounding the
1414  * vop setattr call.
1415  *
1416  * It should be called after sufficient locks have been established
1417  * on the underlying data structures.  No concurrent modifications
1418  * should be allowed.
1419  *
1420  * The caller must pass in unlocked version of its vaccess function
1421  * this is required because vop_access function should lock the
1422  * node for reading.  A three argument function should be defined
1423  * which accepts the following argument:
1424  *	A pointer to the internal "node" type (inode *)
1425  *	vnode access bits (VREAD|VWRITE|VEXEC)
1426  *	a pointer to the credential
1427  *
1428  * This function makes the following policy decisions:
1429  *
1430  *		- change permissions
1431  *			- permission to change file mode if not owner
1432  *			- permission to add sticky bit to non-directory
1433  *			- permission to add set-gid bit
1434  *
1435  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1436  *
1437  * If the vap argument does not include AT_MODE, the mode will be copied from
1438  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1439  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1440  * is updated to the newly computed mode.
1441  */
1442 
1443 int
secpolicy_vnode_setattr(cred_t * cr,struct vnode * vp,struct vattr * vap,const struct vattr * ovap,int flags,int unlocked_access (void *,int,cred_t *),void * node)1444 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1445     const struct vattr *ovap, int flags,
1446     int unlocked_access(void *, int, cred_t *),
1447     void *node)
1448 {
1449 	int mask = vap->va_mask;
1450 	int error = 0;
1451 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1452 	boolean_t implicit = (flags & ATTR_NOIMPLICIT) ? B_FALSE : B_TRUE;
1453 
1454 	if (mask & AT_SIZE) {
1455 		if (vp->v_type == VDIR) {
1456 			error = EISDIR;
1457 			goto out;
1458 		}
1459 
1460 		/*
1461 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1462 		 * perform the secondary unlocked_access() call since the
1463 		 * ACL (if any) is being checked there.
1464 		 */
1465 		if (skipaclchk == B_FALSE) {
1466 			error = unlocked_access(node, VWRITE, cr);
1467 			if (error)
1468 				goto out;
1469 		}
1470 	}
1471 	if (mask & AT_MODE) {
1472 		/*
1473 		 * If not the owner of the file then check privilege
1474 		 * for two things: the privilege to set the mode at all
1475 		 * and, if we're setting setuid, we also need permissions
1476 		 * to add the set-uid bit, if we're not the owner.
1477 		 * In the specific case of creating a set-uid root
1478 		 * file, we need even more permissions.
1479 		 */
1480 		error = secpolicy_vnode_setdac3(cr, ovap->va_uid, implicit);
1481 		if (error != 0)
1482 			goto out;
1483 
1484 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1485 		    ovap, cr)) != 0)
1486 			goto out;
1487 	} else
1488 		vap->va_mode = ovap->va_mode;
1489 
1490 	if (mask & (AT_UID|AT_GID)) {
1491 		boolean_t checkpriv = B_FALSE;
1492 
1493 		/*
1494 		 * Chowning files.
1495 		 *
1496 		 * If you are the file owner:
1497 		 *	chown to other uid		FILE_CHOWN_SELF
1498 		 *	chown to gid (non-member)	FILE_CHOWN_SELF
1499 		 *	chown to gid (member)		<none>
1500 		 *
1501 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1502 		 * acceptable but the first one is reported when debugging.
1503 		 *
1504 		 * If you are not the file owner:
1505 		 *	chown from root			PRIV_FILE_CHOWN + zone
1506 		 *	chown from other to any		PRIV_FILE_CHOWN
1507 		 *
1508 		 */
1509 		if (!implicit) {
1510 			checkpriv = B_TRUE;
1511 		} else if (cr->cr_uid != ovap->va_uid) {
1512 			checkpriv = B_TRUE;
1513 		} else {
1514 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1515 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1516 			    !groupmember(vap->va_gid, cr))) {
1517 				checkpriv = B_TRUE;
1518 			}
1519 		}
1520 		/*
1521 		 * If necessary, check privilege to see if update can be done.
1522 		 */
1523 		if (checkpriv &&
1524 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1525 			goto out;
1526 		}
1527 
1528 		/*
1529 		 * If the file has either the set UID or set GID bits
1530 		 * set and the caller can set the bits, then leave them.
1531 		 */
1532 		secpolicy_setid_clear(vap, cr);
1533 	}
1534 	if (mask & (AT_ATIME|AT_MTIME)) {
1535 		/*
1536 		 * If not the file owner and not otherwise privileged,
1537 		 * always return an error when setting the
1538 		 * time other than the current (ATTR_UTIME flag set).
1539 		 * If setting the current time (ATTR_UTIME not set) then
1540 		 * unlocked_access will check permissions according to policy.
1541 		 */
1542 		if (cr->cr_uid != ovap->va_uid) {
1543 			if (flags & ATTR_UTIME)
1544 				error = secpolicy_vnode_utime_modify(cr);
1545 			else if (skipaclchk == B_FALSE) {
1546 				error = unlocked_access(node, VWRITE, cr);
1547 				if (error == EACCES &&
1548 				    secpolicy_vnode_utime_modify(cr) == 0)
1549 					error = 0;
1550 			}
1551 			if (error)
1552 				goto out;
1553 		}
1554 	}
1555 
1556 	/*
1557 	 * Check for optional attributes here by checking the following:
1558 	 */
1559 	if (mask & AT_XVATTR)
1560 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1561 		    vp->v_type);
1562 out:
1563 	return (error);
1564 }
1565 
1566 /*
1567  * Name:	secpolicy_pcfs_modify_bootpartition()
1568  *
1569  * Normal:	verify that subject can modify a pcfs boot partition.
1570  *
1571  * Output:	EACCES - if privilege check failed.
1572  */
1573 /*ARGSUSED*/
1574 int
secpolicy_pcfs_modify_bootpartition(const cred_t * cred)1575 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1576 {
1577 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1578 	    "modify pcfs boot partition"));
1579 }
1580 
1581 /*
1582  * System V IPC routines
1583  */
1584 int
secpolicy_ipc_owner(const cred_t * cr,const struct kipc_perm * ip)1585 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1586 {
1587 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1588 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1589 		boolean_t allzone = B_FALSE;
1590 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1591 			allzone = B_TRUE;
1592 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1593 	}
1594 	return (0);
1595 }
1596 
1597 int
secpolicy_ipc_config(const cred_t * cr)1598 secpolicy_ipc_config(const cred_t *cr)
1599 {
1600 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1601 }
1602 
1603 int
secpolicy_ipc_access(const cred_t * cr,const struct kipc_perm * ip,mode_t mode)1604 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1605 {
1606 
1607 	boolean_t allzone = B_FALSE;
1608 
1609 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1610 
1611 	if ((mode & MSG_R) &&
1612 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1613 		return (EACCES);
1614 
1615 	if (mode & MSG_W) {
1616 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1617 			allzone = B_TRUE;
1618 
1619 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1620 		    NULL));
1621 	}
1622 	return (0);
1623 }
1624 
1625 int
secpolicy_rsm_access(const cred_t * cr,uid_t owner,mode_t mode)1626 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1627 {
1628 	boolean_t allzone = B_FALSE;
1629 
1630 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1631 
1632 	if ((mode & MSG_R) &&
1633 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1634 		return (EACCES);
1635 
1636 	if (mode & MSG_W) {
1637 		if (cr->cr_uid != 0 && owner == 0)
1638 			allzone = B_TRUE;
1639 
1640 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1641 		    NULL));
1642 	}
1643 	return (0);
1644 }
1645 
1646 /*
1647  * Audit configuration.
1648  */
1649 int
secpolicy_audit_config(const cred_t * cr)1650 secpolicy_audit_config(const cred_t *cr)
1651 {
1652 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1653 }
1654 
1655 /*
1656  * Audit record generation.
1657  */
1658 int
secpolicy_audit_modify(const cred_t * cr)1659 secpolicy_audit_modify(const cred_t *cr)
1660 {
1661 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1662 }
1663 
1664 /*
1665  * Get audit attributes.
1666  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1667  * "Least" of the two privileges on error.
1668  */
1669 int
secpolicy_audit_getattr(const cred_t * cr,boolean_t checkonly)1670 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1671 {
1672 	int priv;
1673 
1674 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1675 		priv = PRIV_SYS_AUDIT;
1676 	else
1677 		priv = PRIV_PROC_AUDIT;
1678 
1679 	if (checkonly)
1680 		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1681 	else
1682 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1683 }
1684 
1685 
1686 /*
1687  * Locking physical memory
1688  */
1689 int
secpolicy_lock_memory(const cred_t * cr)1690 secpolicy_lock_memory(const cred_t *cr)
1691 {
1692 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1693 }
1694 
1695 /*
1696  * Accounting (both acct(2) and exacct).
1697  */
1698 int
secpolicy_acct(const cred_t * cr)1699 secpolicy_acct(const cred_t *cr)
1700 {
1701 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1702 }
1703 
1704 /*
1705  * Is this process privileged to change its uids at will?
1706  * Uid 0 is still considered "special" and having the SETID
1707  * privilege is not sufficient to get uid 0.
1708  * Files are owned by root, so the privilege would give
1709  * full access and euid 0 is still effective.
1710  *
1711  * If you have the privilege and euid 0 only then do you
1712  * get the powers of root wrt uid 0.
1713  *
1714  * For gid manipulations, this is should be called with an
1715  * uid of -1.
1716  *
1717  */
1718 int
secpolicy_allow_setid(const cred_t * cr,uid_t newuid,boolean_t checkonly)1719 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1720 {
1721 	boolean_t allzone = B_FALSE;
1722 
1723 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1724 	    cr->cr_ruid != 0) {
1725 		allzone = B_TRUE;
1726 	}
1727 
1728 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1729 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1730 }
1731 
1732 
1733 /*
1734  * Acting on a different process: if the mode is for writing,
1735  * the restrictions are more severe.  This is called after
1736  * we've verified that the uids do not match.
1737  */
1738 int
secpolicy_proc_owner(const cred_t * scr,const cred_t * tcr,int mode)1739 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1740 {
1741 	boolean_t allzone = B_FALSE;
1742 
1743 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1744 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1745 		allzone = B_TRUE;
1746 
1747 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1748 }
1749 
1750 int
secpolicy_proc_access(const cred_t * scr)1751 secpolicy_proc_access(const cred_t *scr)
1752 {
1753 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1754 }
1755 
1756 int
secpolicy_proc_excl_open(const cred_t * scr)1757 secpolicy_proc_excl_open(const cred_t *scr)
1758 {
1759 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1760 }
1761 
1762 int
secpolicy_proc_zone(const cred_t * scr)1763 secpolicy_proc_zone(const cred_t *scr)
1764 {
1765 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1766 }
1767 
1768 /*
1769  * Destroying the system
1770  */
1771 
1772 int
secpolicy_kmdb(const cred_t * scr)1773 secpolicy_kmdb(const cred_t *scr)
1774 {
1775 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1776 }
1777 
1778 int
secpolicy_error_inject(const cred_t * scr)1779 secpolicy_error_inject(const cred_t *scr)
1780 {
1781 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1782 }
1783 
1784 /*
1785  * Processor sets, cpu configuration, resource pools.
1786  */
1787 int
secpolicy_pset(const cred_t * cr)1788 secpolicy_pset(const cred_t *cr)
1789 {
1790 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1791 }
1792 
1793 /* Process security flags */
1794 int
secpolicy_psecflags(const cred_t * cr,proc_t * tp,proc_t * sp)1795 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1796 {
1797 	if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1798 		return (EPERM);
1799 
1800 	if (!prochasprocperm(tp, sp, cr))
1801 		return (EPERM);
1802 
1803 	return (0);
1804 }
1805 
1806 /*
1807  * Processor set binding.
1808  */
1809 int
secpolicy_pbind(const cred_t * cr)1810 secpolicy_pbind(const cred_t *cr)
1811 {
1812 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1813 		return (secpolicy_pset(cr));
1814 	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1815 }
1816 
1817 int
secpolicy_ponline(const cred_t * cr)1818 secpolicy_ponline(const cred_t *cr)
1819 {
1820 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1821 }
1822 
1823 int
secpolicy_pool(const cred_t * cr)1824 secpolicy_pool(const cred_t *cr)
1825 {
1826 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1827 }
1828 
1829 int
secpolicy_blacklist(const cred_t * cr)1830 secpolicy_blacklist(const cred_t *cr)
1831 {
1832 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1833 }
1834 
1835 /*
1836  * Catch all system configuration.
1837  */
1838 int
secpolicy_sys_config(const cred_t * cr,boolean_t checkonly)1839 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1840 {
1841 	if (checkonly) {
1842 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1843 		    EPERM);
1844 	} else {
1845 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1846 	}
1847 }
1848 
1849 /*
1850  * Zone administration (halt, reboot, etc.) from within zone.
1851  */
1852 int
secpolicy_zone_admin(const cred_t * cr,boolean_t checkonly)1853 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1854 {
1855 	if (checkonly) {
1856 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1857 		    EPERM);
1858 	} else {
1859 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1860 		    NULL));
1861 	}
1862 }
1863 
1864 /*
1865  * Zone configuration (create, halt, enter).
1866  */
1867 int
secpolicy_zone_config(const cred_t * cr)1868 secpolicy_zone_config(const cred_t *cr)
1869 {
1870 	/*
1871 	 * Require all privileges to avoid possibility of privilege
1872 	 * escalation.
1873 	 */
1874 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1875 }
1876 
1877 /*
1878  * Various other system configuration calls
1879  */
1880 int
secpolicy_coreadm(const cred_t * cr)1881 secpolicy_coreadm(const cred_t *cr)
1882 {
1883 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1884 }
1885 
1886 int
secpolicy_systeminfo(const cred_t * cr)1887 secpolicy_systeminfo(const cred_t *cr)
1888 {
1889 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1890 }
1891 
1892 int
secpolicy_dispadm(const cred_t * cr)1893 secpolicy_dispadm(const cred_t *cr)
1894 {
1895 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1896 }
1897 
1898 int
secpolicy_settime(const cred_t * cr)1899 secpolicy_settime(const cred_t *cr)
1900 {
1901 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1902 }
1903 
1904 /*
1905  * For realtime users: high resolution clock.
1906  */
1907 int
secpolicy_clock_highres(const cred_t * cr)1908 secpolicy_clock_highres(const cred_t *cr)
1909 {
1910 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1911 	    NULL));
1912 }
1913 
1914 /*
1915  * drv_priv() is documented as callable from interrupt context, not that
1916  * anyone ever does, but still.  No debugging or auditing can be done when
1917  * it is called from interrupt context.
1918  * returns 0 on succes, EPERM on failure.
1919  */
1920 int
drv_priv(cred_t * cr)1921 drv_priv(cred_t *cr)
1922 {
1923 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1924 }
1925 
1926 int
secpolicy_sys_devices(const cred_t * cr)1927 secpolicy_sys_devices(const cred_t *cr)
1928 {
1929 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1930 }
1931 
1932 int
secpolicy_excl_open(const cred_t * cr)1933 secpolicy_excl_open(const cred_t *cr)
1934 {
1935 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1936 }
1937 
1938 int
secpolicy_rctlsys(const cred_t * cr,boolean_t is_zone_rctl)1939 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1940 {
1941 	/* zone.* rctls can only be set from the global zone */
1942 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1943 		return (EPERM);
1944 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1945 }
1946 
1947 int
secpolicy_resource(const cred_t * cr)1948 secpolicy_resource(const cred_t *cr)
1949 {
1950 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1951 }
1952 
1953 int
secpolicy_resource_anon_mem(const cred_t * cr)1954 secpolicy_resource_anon_mem(const cred_t *cr)
1955 {
1956 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1957 }
1958 
1959 /*
1960  * Processes with a real uid of 0 escape any form of accounting, much
1961  * like before.
1962  */
1963 int
secpolicy_newproc(const cred_t * cr)1964 secpolicy_newproc(const cred_t *cr)
1965 {
1966 	if (cr->cr_ruid == 0)
1967 		return (0);
1968 
1969 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1970 }
1971 
1972 /*
1973  * Networking
1974  */
1975 int
secpolicy_net_rawaccess(const cred_t * cr)1976 secpolicy_net_rawaccess(const cred_t *cr)
1977 {
1978 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1979 }
1980 
1981 int
secpolicy_net_observability(const cred_t * cr)1982 secpolicy_net_observability(const cred_t *cr)
1983 {
1984 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1985 }
1986 
1987 /*
1988  * Need this privilege for accessing the ICMP device
1989  */
1990 int
secpolicy_net_icmpaccess(const cred_t * cr)1991 secpolicy_net_icmpaccess(const cred_t *cr)
1992 {
1993 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1994 }
1995 
1996 /*
1997  * There are a few rare cases where the kernel generates ioctls() from
1998  * interrupt context with a credential of kcred rather than NULL.
1999  * In those cases, we take the safe and cheap test.
2000  */
2001 int
secpolicy_net_config(const cred_t * cr,boolean_t checkonly)2002 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
2003 {
2004 	if (checkonly) {
2005 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
2006 		    0 : EPERM);
2007 	} else {
2008 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
2009 		    NULL));
2010 	}
2011 }
2012 
2013 
2014 /*
2015  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2016  *
2017  * There are a few rare cases where the kernel generates ioctls() from
2018  * interrupt context with a credential of kcred rather than NULL.
2019  * In those cases, we take the safe and cheap test.
2020  */
2021 int
secpolicy_ip_config(const cred_t * cr,boolean_t checkonly)2022 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
2023 {
2024 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2025 		return (secpolicy_net_config(cr, checkonly));
2026 
2027 	if (checkonly) {
2028 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
2029 		    0 : EPERM);
2030 	} else {
2031 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
2032 		    NULL));
2033 	}
2034 }
2035 
2036 /*
2037  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
2038  */
2039 int
secpolicy_dl_config(const cred_t * cr)2040 secpolicy_dl_config(const cred_t *cr)
2041 {
2042 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2043 		return (secpolicy_net_config(cr, B_FALSE));
2044 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
2045 }
2046 
2047 /*
2048  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
2049  */
2050 int
secpolicy_iptun_config(const cred_t * cr)2051 secpolicy_iptun_config(const cred_t *cr)
2052 {
2053 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2054 		return (secpolicy_net_config(cr, B_FALSE));
2055 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
2056 		return (secpolicy_dl_config(cr));
2057 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
2058 }
2059 
2060 /*
2061  * Map IP pseudo privileges to actual privileges.
2062  * So we don't need to recompile IP when we change the privileges.
2063  */
2064 int
secpolicy_ip(const cred_t * cr,int netpriv,boolean_t checkonly)2065 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2066 {
2067 	int priv = PRIV_ALL;
2068 
2069 	switch (netpriv) {
2070 	case OP_CONFIG:
2071 		priv = PRIV_SYS_IP_CONFIG;
2072 		break;
2073 	case OP_RAW:
2074 		priv = PRIV_NET_RAWACCESS;
2075 		break;
2076 	case OP_PRIVPORT:
2077 		priv = PRIV_NET_PRIVADDR;
2078 		break;
2079 	}
2080 	ASSERT(priv != PRIV_ALL);
2081 	if (checkonly)
2082 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2083 	else
2084 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2085 }
2086 
2087 /*
2088  * Map network pseudo privileges to actual privileges.
2089  * So we don't need to recompile IP when we change the privileges.
2090  */
2091 int
secpolicy_net(const cred_t * cr,int netpriv,boolean_t checkonly)2092 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2093 {
2094 	int priv = PRIV_ALL;
2095 
2096 	switch (netpriv) {
2097 	case OP_CONFIG:
2098 		priv = PRIV_SYS_NET_CONFIG;
2099 		break;
2100 	case OP_RAW:
2101 		priv = PRIV_NET_RAWACCESS;
2102 		break;
2103 	case OP_PRIVPORT:
2104 		priv = PRIV_NET_PRIVADDR;
2105 		break;
2106 	}
2107 	ASSERT(priv != PRIV_ALL);
2108 	if (checkonly)
2109 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2110 	else
2111 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2112 }
2113 
2114 /*
2115  * Checks for operations that are either client-only or are used by
2116  * both clients and servers.
2117  */
2118 int
secpolicy_nfs(const cred_t * cr)2119 secpolicy_nfs(const cred_t *cr)
2120 {
2121 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2122 }
2123 
2124 /*
2125  * Special case for opening rpcmod: have NFS privileges or network
2126  * config privileges.
2127  */
2128 int
secpolicy_rpcmod_open(const cred_t * cr)2129 secpolicy_rpcmod_open(const cred_t *cr)
2130 {
2131 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2132 		return (secpolicy_nfs(cr));
2133 	else
2134 		return (secpolicy_net_config(cr, B_FALSE));
2135 }
2136 
2137 int
secpolicy_chroot(const cred_t * cr)2138 secpolicy_chroot(const cred_t *cr)
2139 {
2140 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2141 }
2142 
2143 int
secpolicy_tasksys(const cred_t * cr)2144 secpolicy_tasksys(const cred_t *cr)
2145 {
2146 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2147 }
2148 
2149 int
secpolicy_meminfo(const cred_t * cr)2150 secpolicy_meminfo(const cred_t *cr)
2151 {
2152 	return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2153 }
2154 
2155 int
secpolicy_pfexec_register(const cred_t * cr)2156 secpolicy_pfexec_register(const cred_t *cr)
2157 {
2158 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2159 }
2160 
2161 /*
2162  * Basic privilege checks.
2163  */
2164 int
secpolicy_basic_exec(const cred_t * cr,vnode_t * vp)2165 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2166 {
2167 	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2168 
2169 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2170 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2171 }
2172 
2173 int
secpolicy_basic_fork(const cred_t * cr)2174 secpolicy_basic_fork(const cred_t *cr)
2175 {
2176 	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2177 
2178 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2179 }
2180 
2181 int
secpolicy_basic_proc(const cred_t * cr)2182 secpolicy_basic_proc(const cred_t *cr)
2183 {
2184 	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2185 
2186 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2187 }
2188 
2189 /*
2190  * Slightly complicated because we don't want to trigger the policy too
2191  * often.  First we shortcircuit access to "self" (tp == sp) or if
2192  * we don't have the privilege but if we have permission
2193  * just return (0) and we don't flag the privilege as needed.
2194  * Else, we test for the privilege because we either have it or need it.
2195  */
2196 int
secpolicy_basic_procinfo(const cred_t * cr,proc_t * tp,proc_t * sp)2197 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2198 {
2199 	if (tp == sp ||
2200 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2201 		return (0);
2202 	} else {
2203 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2204 	}
2205 }
2206 
2207 int
secpolicy_basic_link(const cred_t * cr)2208 secpolicy_basic_link(const cred_t *cr)
2209 {
2210 	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2211 
2212 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2213 }
2214 
2215 int
secpolicy_basic_net_access(const cred_t * cr)2216 secpolicy_basic_net_access(const cred_t *cr)
2217 {
2218 	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2219 
2220 	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2221 }
2222 
2223 /* ARGSUSED */
2224 int
secpolicy_basic_file_read(const cred_t * cr,vnode_t * vp,const char * pn)2225 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2226 {
2227 	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2228 
2229 	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2230 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2231 }
2232 
2233 /* ARGSUSED */
2234 int
secpolicy_basic_file_write(const cred_t * cr,vnode_t * vp,const char * pn)2235 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2236 {
2237 	FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2238 
2239 	return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2240 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2241 }
2242 
2243 /*
2244  * Additional device protection.
2245  *
2246  * Traditionally, a device has specific permissions on the node in
2247  * the filesystem which govern which devices can be opened by what
2248  * processes.  In certain cases, it is desirable to add extra
2249  * restrictions, as writing to certain devices is identical to
2250  * having a complete run of the system.
2251  *
2252  * This mechanism is called the device policy.
2253  *
2254  * When a device is opened, its policy entry is looked up in the
2255  * policy cache and checked.
2256  */
2257 int
secpolicy_spec_open(const cred_t * cr,struct vnode * vp,int oflag)2258 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2259 {
2260 	devplcy_t *plcy;
2261 	int err;
2262 	struct snode *csp = VTOS(common_specvp(vp));
2263 	priv_set_t pset;
2264 
2265 	mutex_enter(&csp->s_lock);
2266 
2267 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2268 		plcy = devpolicy_find(vp);
2269 		if (csp->s_plcy)
2270 			dpfree(csp->s_plcy);
2271 		csp->s_plcy = plcy;
2272 		ASSERT(plcy != NULL);
2273 	} else
2274 		plcy = csp->s_plcy;
2275 
2276 	if (plcy == nullpolicy) {
2277 		mutex_exit(&csp->s_lock);
2278 		return (0);
2279 	}
2280 
2281 	dphold(plcy);
2282 
2283 	mutex_exit(&csp->s_lock);
2284 
2285 	if (oflag & FWRITE)
2286 		pset = plcy->dp_wrp;
2287 	else
2288 		pset = plcy->dp_rdp;
2289 	/*
2290 	 * Special case:
2291 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2292 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2293 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2294 	 * in the required privilege set before doing the check.
2295 	 */
2296 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2297 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2298 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2299 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2300 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2301 	}
2302 
2303 	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2304 	dpfree(plcy);
2305 
2306 	return (err);
2307 }
2308 
2309 int
secpolicy_modctl(const cred_t * cr,int cmd)2310 secpolicy_modctl(const cred_t *cr, int cmd)
2311 {
2312 	switch (cmd) {
2313 	case MODINFO:
2314 	case MODGETMAJBIND:
2315 	case MODGETPATH:
2316 	case MODGETPATHLEN:
2317 	case MODGETNAME:
2318 	case MODGETFBNAME:
2319 	case MODGETDEVPOLICY:
2320 	case MODGETDEVPOLICYBYNAME:
2321 	case MODDEVT2INSTANCE:
2322 	case MODSIZEOF_DEVID:
2323 	case MODGETDEVID:
2324 	case MODSIZEOF_MINORNAME:
2325 	case MODGETMINORNAME:
2326 	case MODGETDEVFSPATH_LEN:
2327 	case MODGETDEVFSPATH:
2328 	case MODGETDEVFSPATH_MI_LEN:
2329 	case MODGETDEVFSPATH_MI:
2330 		/* Unprivileged */
2331 		return (0);
2332 	case MODLOAD:
2333 	case MODSETDEVPOLICY:
2334 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2335 		    KLPDARG_NONE));
2336 	default:
2337 		return (secpolicy_sys_config(cr, B_FALSE));
2338 	}
2339 }
2340 
2341 int
secpolicy_console(const cred_t * cr)2342 secpolicy_console(const cred_t *cr)
2343 {
2344 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2345 }
2346 
2347 int
secpolicy_power_mgmt(const cred_t * cr)2348 secpolicy_power_mgmt(const cred_t *cr)
2349 {
2350 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2351 }
2352 
2353 /*
2354  * Simulate terminal input; another escalation of privileges avenue.
2355  */
2356 
2357 int
secpolicy_sti(const cred_t * cr)2358 secpolicy_sti(const cred_t *cr)
2359 {
2360 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2361 }
2362 
2363 boolean_t
secpolicy_net_reply_equal(const cred_t * cr)2364 secpolicy_net_reply_equal(const cred_t *cr)
2365 {
2366 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2367 }
2368 
2369 int
secpolicy_swapctl(const cred_t * cr)2370 secpolicy_swapctl(const cred_t *cr)
2371 {
2372 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2373 }
2374 
2375 int
secpolicy_cpc_cpu(const cred_t * cr)2376 secpolicy_cpc_cpu(const cred_t *cr)
2377 {
2378 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2379 }
2380 
2381 /*
2382  * secpolicy_contract_identity
2383  *
2384  * Determine if the subject may set the process contract FMRI value
2385  */
2386 int
secpolicy_contract_identity(const cred_t * cr)2387 secpolicy_contract_identity(const cred_t *cr)
2388 {
2389 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2390 }
2391 
2392 /*
2393  * secpolicy_contract_observer
2394  *
2395  * Determine if the subject may observe a specific contract's events.
2396  */
2397 int
secpolicy_contract_observer(const cred_t * cr,struct contract * ct)2398 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2399 {
2400 	if (contract_owned(ct, cr, B_FALSE))
2401 		return (0);
2402 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2403 }
2404 
2405 /*
2406  * secpolicy_contract_observer_choice
2407  *
2408  * Determine if the subject may observe any contract's events.  Just
2409  * tests privilege and audits on success.
2410  */
2411 boolean_t
secpolicy_contract_observer_choice(const cred_t * cr)2412 secpolicy_contract_observer_choice(const cred_t *cr)
2413 {
2414 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2415 }
2416 
2417 /*
2418  * secpolicy_contract_event
2419  *
2420  * Determine if the subject may request critical contract events or
2421  * reliable contract event delivery.
2422  */
2423 int
secpolicy_contract_event(const cred_t * cr)2424 secpolicy_contract_event(const cred_t *cr)
2425 {
2426 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2427 }
2428 
2429 /*
2430  * secpolicy_contract_event_choice
2431  *
2432  * Determine if the subject may retain contract events in its critical
2433  * set when a change in other terms would normally require a change in
2434  * the critical set.  Just tests privilege and audits on success.
2435  */
2436 boolean_t
secpolicy_contract_event_choice(const cred_t * cr)2437 secpolicy_contract_event_choice(const cred_t *cr)
2438 {
2439 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2440 }
2441 
2442 /*
2443  * secpolicy_gart_access
2444  *
2445  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2446  * device.
2447  */
2448 int
secpolicy_gart_access(const cred_t * cr)2449 secpolicy_gart_access(const cred_t *cr)
2450 {
2451 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2452 }
2453 
2454 /*
2455  * secpolicy_gart_map
2456  *
2457  * Determine if the subject has sufficient priveleges to map aperture range
2458  * through agpgart driver.
2459  */
2460 int
secpolicy_gart_map(const cred_t * cr)2461 secpolicy_gart_map(const cred_t *cr)
2462 {
2463 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2464 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2465 		    NULL));
2466 	} else {
2467 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2468 		    NULL));
2469 	}
2470 }
2471 
2472 /*
2473  * secpolicy_hwmanip
2474  *
2475  * Determine if the subject can observe and manipulate a hardware device with a
2476  * dangerous blunt hammer, often suggests they can do something destructive.
2477  * Requires all privileges.
2478  */
2479 int
secpolicy_hwmanip(const cred_t * cr)2480 secpolicy_hwmanip(const cred_t *cr)
2481 {
2482 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2483 }
2484 
2485 /*
2486  * secpolicy_zinject
2487  *
2488  * Determine if the subject can inject faults in the ZFS fault injection
2489  * framework.  Requires all privileges.
2490  */
2491 int
secpolicy_zinject(const cred_t * cr)2492 secpolicy_zinject(const cred_t *cr)
2493 {
2494 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2495 }
2496 
2497 /*
2498  * secpolicy_zfs
2499  *
2500  * Determine if the subject has permission to manipulate ZFS datasets
2501  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2502  */
2503 int
secpolicy_zfs(const cred_t * cr)2504 secpolicy_zfs(const cred_t *cr)
2505 {
2506 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2507 }
2508 
2509 /*
2510  * secpolicy_idmap
2511  *
2512  * Determine if the calling process has permissions to register an SID
2513  * mapping daemon and allocate ephemeral IDs.
2514  */
2515 int
secpolicy_idmap(const cred_t * cr)2516 secpolicy_idmap(const cred_t *cr)
2517 {
2518 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2519 }
2520 
2521 /*
2522  * secpolicy_ucode_update
2523  *
2524  * Determine if the subject has sufficient privilege to update microcode.
2525  */
2526 int
secpolicy_ucode_update(const cred_t * scr)2527 secpolicy_ucode_update(const cred_t *scr)
2528 {
2529 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2530 }
2531 
2532 /*
2533  * secpolicy_sadopen
2534  *
2535  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2536  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2537  * In global zone, sys_config is required.
2538  * In exclusive-IP zones, sys_ip_config is required.
2539  * Note that sys_config is prohibited in non-global zones.
2540  */
2541 int
secpolicy_sadopen(const cred_t * credp)2542 secpolicy_sadopen(const cred_t *credp)
2543 {
2544 	priv_set_t pset;
2545 
2546 	priv_emptyset(&pset);
2547 
2548 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2549 		priv_addset(&pset, PRIV_SYS_CONFIG);
2550 	else
2551 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2552 
2553 	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2554 }
2555 
2556 
2557 /*
2558  * Add privileges to a particular privilege set; this is called when the
2559  * current sets of privileges are not sufficient.  I.e., we should always
2560  * call the policy override functions from here.
2561  * What we are allowed to have is in the Observed Permitted set; so
2562  * we compute the difference between that and the newset.
2563  */
2564 int
secpolicy_require_privs(const cred_t * cr,const priv_set_t * nset)2565 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2566 {
2567 	priv_set_t rqd;
2568 
2569 	rqd = CR_OPPRIV(cr);
2570 
2571 	priv_inverse(&rqd);
2572 	priv_intersect(nset, &rqd);
2573 
2574 	return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2575 }
2576 
2577 /*
2578  * secpolicy_smb
2579  *
2580  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2581  * that it has permission to access the smbsrv kernel driver.
2582  * PRIV_POLICY checks the privilege and audits the check.
2583  *
2584  * Returns:
2585  * 0       Driver access is allowed.
2586  * EPERM   Driver access is NOT permitted.
2587  */
2588 int
secpolicy_smb(const cred_t * cr)2589 secpolicy_smb(const cred_t *cr)
2590 {
2591 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2592 }
2593 
2594 /*
2595  * secpolicy_vscan
2596  *
2597  * Determine if cred_t has the necessary privileges to access a file
2598  * for virus scanning and update its extended system attributes.
2599  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2600  * PRIV_FILE_FLAG_SET - set extended system attributes
2601  *
2602  * PRIV_POLICY checks the privilege and audits the check.
2603  *
2604  * Returns:
2605  * 0      file access for virus scanning allowed.
2606  * EPERM  file access for virus scanning is NOT permitted.
2607  */
2608 int
secpolicy_vscan(const cred_t * cr)2609 secpolicy_vscan(const cred_t *cr)
2610 {
2611 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2612 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2613 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2614 		return (EPERM);
2615 	}
2616 
2617 	return (0);
2618 }
2619 
2620 /*
2621  * secpolicy_smbfs_login
2622  *
2623  * Determines if the caller can add and delete the smbfs login
2624  * password in the the nsmb kernel module for the CIFS client.
2625  *
2626  * Returns:
2627  * 0       access is allowed.
2628  * EPERM   access is NOT allowed.
2629  */
2630 int
secpolicy_smbfs_login(const cred_t * cr,uid_t uid)2631 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2632 {
2633 	uid_t cruid = crgetruid(cr);
2634 
2635 	if (cruid == uid)
2636 		return (0);
2637 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2638 	    EPERM, NULL));
2639 }
2640 
2641 /*
2642  * secpolicy_xvm_control
2643  *
2644  * Determines if a caller can control the xVM hypervisor and/or running
2645  * domains (x86 specific).
2646  *
2647  * Returns:
2648  * 0       access is allowed.
2649  * EPERM   access is NOT allowed.
2650  */
2651 int
secpolicy_xvm_control(const cred_t * cr)2652 secpolicy_xvm_control(const cred_t *cr)
2653 {
2654 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2655 		return (EPERM);
2656 	return (0);
2657 }
2658 
2659 /*
2660  * secpolicy_ppp_config
2661  *
2662  * Determine if the subject has sufficient privileges to configure PPP and
2663  * PPP-related devices.
2664  */
2665 int
secpolicy_ppp_config(const cred_t * cr)2666 secpolicy_ppp_config(const cred_t *cr)
2667 {
2668 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2669 		return (secpolicy_net_config(cr, B_FALSE));
2670 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2671 }
2672