xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision 047043c2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2016 Joyent, Inc.
24  * Copyright (c) 2016 by Delphix. All rights reserved.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/sysmacros.h>
29 #include <sys/param.h>
30 #include <sys/systm.h>
31 #include <sys/cred_impl.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/stat.h>
35 #include <sys/errno.h>
36 #include <sys/kmem.h>
37 #include <sys/user.h>
38 #include <sys/proc.h>
39 #include <sys/acct.h>
40 #include <sys/ipc_impl.h>
41 #include <sys/cmn_err.h>
42 #include <sys/debug.h>
43 #include <sys/policy.h>
44 #include <sys/kobj.h>
45 #include <sys/msg.h>
46 #include <sys/devpolicy.h>
47 #include <c2/audit.h>
48 #include <sys/varargs.h>
49 #include <sys/klpd.h>
50 #include <sys/modctl.h>
51 #include <sys/disp.h>
52 #include <sys/zone.h>
53 #include <inet/optcom.h>
54 #include <sys/sdt.h>
55 #include <sys/vfs.h>
56 #include <sys/mntent.h>
57 #include <sys/contract_impl.h>
58 #include <sys/dld_ioc.h>
59 
60 /*
61  * There are two possible layers of privilege routines and two possible
62  * levels of secpolicy.  Plus one other we may not be interested in, so
63  * we may need as many as 6 but no more.
64  */
65 #define	MAXPRIVSTACK		6
66 
67 int priv_debug = 0;
68 int priv_basic_test = -1;
69 
70 /*
71  * This file contains the majority of the policy routines.
72  * Since the policy routines are defined by function and not
73  * by privilege, there is quite a bit of duplication of
74  * functions.
75  *
76  * The secpolicy functions must not make assumptions about
77  * locks held or not held as any lock can be held while they're
78  * being called.
79  *
80  * Credentials are read-only so no special precautions need to
81  * be taken while locking them.
82  *
83  * When a new policy check needs to be added to the system the
84  * following procedure should be followed:
85  *
86  *		Pick an appropriate secpolicy_*() function
87  *			-> done if one exists.
88  *		Create a new secpolicy function, preferably with
89  *		a descriptive name using the standard template.
90  *		Pick an appropriate privilege for the policy.
91  *		If no appropraite privilege exists, define new one
92  *		(this should be done with extreme care; in most cases
93  *		little is gained by adding another privilege)
94  *
95  * WHY ROOT IS STILL SPECIAL.
96  *
97  * In a number of the policy functions, there are still explicit
98  * checks for uid 0.  The rationale behind these is that many root
99  * owned files/objects hold configuration information which can give full
100  * privileges to the user once written to.  To prevent escalation
101  * of privilege by allowing just a single privilege to modify root owned
102  * objects, we've added these root specific checks where we considered
103  * them necessary: modifying root owned files, changing uids to 0, etc.
104  *
105  * PRIVILEGE ESCALATION AND ZONES.
106  *
107  * A number of operations potentially allow the caller to achieve
108  * privileges beyond the ones normally required to perform the operation.
109  * For example, if allowed to create a setuid 0 executable, a process can
110  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
111  * restrictions on the ability to gain privileges beyond those available
112  * within the zone through file and process manipulation.  Hence, such
113  * operations require that the caller have an effective set that includes
114  * all privileges available within the current zone, or all privileges
115  * if executing in the global zone.
116  *
117  * This is indicated in the priv_policy* policy checking functions
118  * through a combination of parameters.  The "priv" parameter indicates
119  * the privilege that is required, and the "allzone" parameter indicates
120  * whether or not all privileges in the zone are required.  In addition,
121  * priv can be set to PRIV_ALL to indicate that all privileges are
122  * required (regardless of zone).  There are three scenarios of interest:
123  * (1) operation requires a specific privilege
124  * (2) operation requires a specific privilege, and requires all
125  *     privileges available within the zone (or all privileges if in
126  *     the global zone)
127  * (3) operation requires all privileges, regardless of zone
128  *
129  * For (1), priv should be set to the specific privilege, and allzone
130  * should be set to B_FALSE.
131  * For (2), priv should be set to the specific privilege, and allzone
132  * should be set to B_TRUE.
133  * For (3), priv should be set to PRIV_ALL, and allzone should be set
134  * to B_FALSE.
135  *
136  */
137 
138 /*
139  * The privileges are checked against the Effective set for
140  * ordinary processes and checked against the Limit set
141  * for euid 0 processes that haven't manipulated their privilege
142  * sets.
143  */
144 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
145 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
146 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
147 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
148 					HAS_ALLPRIVS(cr) : \
149 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
150 
151 #define	FAST_BASIC_CHECK(cr, priv)	\
152 	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
153 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
154 		return (0); \
155 	}
156 
157 /*
158  * Policy checking functions.
159  *
160  * All of the system's policy should be implemented here.
161  */
162 
163 /*
164  * Private functions which take an additional va_list argument to
165  * implement an object specific policy override.
166  */
167 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
168     const char *, va_list);
169 static int priv_policy_va(const cred_t *, int, boolean_t, int,
170     const char *, ...);
171 
172 /*
173  * Generic policy calls
174  *
175  * The "bottom" functions of policy control
176  */
177 static char *
mprintf(const char * fmt,...)178 mprintf(const char *fmt, ...)
179 {
180 	va_list args;
181 	char *buf;
182 	size_t len;
183 
184 	va_start(args, fmt);
185 	len = vsnprintf(NULL, 0, fmt, args) + 1;
186 	va_end(args);
187 
188 	buf = kmem_alloc(len, KM_NOSLEEP);
189 
190 	if (buf == NULL)
191 		return (NULL);
192 
193 	va_start(args, fmt);
194 	(void) vsnprintf(buf, len, fmt, args);
195 	va_end(args);
196 
197 	return (buf);
198 }
199 
200 /*
201  * priv_policy_errmsg()
202  *
203  * Generate an error message if privilege debugging is enabled system wide
204  * or for this particular process.
205  */
206 
207 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
208 #define	FMTMSG	" for \"%s\""
209 #define	FMTFUN	" needed at %s+0x%lx"
210 
211 /* The maximum size privilege format: the concatenation of the above */
212 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
213 
214 static void
priv_policy_errmsg(const cred_t * cr,int priv,const char * msg)215 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
216 {
217 	struct proc *me;
218 	pc_t stack[MAXPRIVSTACK];
219 	int depth;
220 	int i;
221 	char *sym;
222 	ulong_t off;
223 	const char *pname;
224 
225 	char *cmd;
226 	char fmt[sizeof (FMTMAX)];
227 
228 	if ((me = curproc) == &p0)
229 		return;
230 
231 	/* Privileges must be defined  */
232 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
233 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
234 	    priv_getbynum(priv) != NULL);
235 
236 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
237 		priv = PRIV_ALL;
238 
239 	if (curthread->t_pre_sys)
240 		ttolwp(curthread)->lwp_badpriv = (short)priv;
241 
242 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
243 		return;
244 
245 	(void) strcpy(fmt, FMTHDR);
246 
247 	if (me->p_user.u_comm[0])
248 		cmd = &me->p_user.u_comm[0];
249 	else
250 		cmd = "priv_policy";
251 
252 	if (msg != NULL && *msg != '\0') {
253 		(void) strcat(fmt, FMTMSG);
254 	} else {
255 		(void) strcat(fmt, "%s");
256 		msg = "";
257 	}
258 
259 	sym = NULL;
260 
261 	depth = getpcstack(stack, MAXPRIVSTACK);
262 
263 	/*
264 	 * Try to find the first interesting function on the stack.
265 	 * priv_policy* that's us, so completely uninteresting.
266 	 * suser(), drv_priv(), secpolicy_* are also called from
267 	 * too many locations to convey useful information.
268 	 */
269 	for (i = 0; i < depth; i++) {
270 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
271 		if (sym != NULL &&
272 		    strstr(sym, "hasprocperm") == 0 &&
273 		    strcmp("suser", sym) != 0 &&
274 		    strcmp("ipcaccess", sym) != 0 &&
275 		    strcmp("drv_priv", sym) != 0 &&
276 		    strncmp("secpolicy_", sym, 10) != 0 &&
277 		    strncmp("priv_policy", sym, 11) != 0)
278 			break;
279 	}
280 
281 	if (sym != NULL)
282 		(void) strcat(fmt, FMTFUN);
283 
284 	(void) strcat(fmt, "\n");
285 
286 	switch (priv) {
287 	case PRIV_ALL:
288 		pname = "ALL";
289 		break;
290 	case PRIV_MULTIPLE:
291 		pname = "MULTIPLE";
292 		break;
293 	case PRIV_ALLZONE:
294 		pname = "ZONE";
295 		break;
296 	case PRIV_GLOBAL:
297 		pname = "GLOBAL";
298 		break;
299 	default:
300 		pname = priv_getbynum(priv);
301 		break;
302 	}
303 
304 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
305 		/* Remember last message, just like lwp_badpriv. */
306 		if (curthread->t_pdmsg != NULL) {
307 			kmem_free(curthread->t_pdmsg,
308 			    strlen(curthread->t_pdmsg) + 1);
309 		}
310 
311 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
312 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
313 
314 		curthread->t_post_sys = 1;
315 	}
316 	if (priv_debug) {
317 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
318 		    curthread->t_sysnum, msg, sym, off);
319 	}
320 }
321 
322 /*
323  * Override the policy, if appropriate.  Return 0 if the external
324  * policy engine approves.
325  */
326 static int
priv_policy_override(const cred_t * cr,int priv,boolean_t allzone,va_list ap)327 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
328 {
329 	priv_set_t set;
330 	int ret;
331 
332 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
333 		return (-1);
334 
335 	if (priv == PRIV_ALL) {
336 		priv_fillset(&set);
337 	} else if (allzone) {
338 		set = *ZONEPRIVS(cr);
339 	} else {
340 		priv_emptyset(&set);
341 		priv_addset(&set, priv);
342 	}
343 	ret = klpd_call(cr, &set, ap);
344 	return (ret);
345 }
346 
347 static int
priv_policy_override_set(const cred_t * cr,const priv_set_t * req,va_list ap)348 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
349 {
350 	if (CR_FLAGS(cr) & PRIV_PFEXEC)
351 		return (check_user_privs(cr, req));
352 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
353 		return (klpd_call(cr, req, ap));
354 	}
355 	return (-1);
356 }
357 
358 static int
priv_policy_override_set_va(const cred_t * cr,const priv_set_t * req,...)359 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
360 {
361 	va_list ap;
362 	int ret;
363 
364 	va_start(ap, req);
365 	ret = priv_policy_override_set(cr, req, ap);
366 	va_end(ap);
367 	return (ret);
368 }
369 
370 /*
371  * Audit failure, log error message.
372  */
373 static void
priv_policy_err(const cred_t * cr,int priv,boolean_t allzone,const char * msg)374 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
375 {
376 
377 	if (AU_AUDITING())
378 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
379 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
380 
381 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
382 	    curthread->t_pre_sys) {
383 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
384 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
385 		} else {
386 			ASSERT(!HAS_PRIVILEGE(cr, priv));
387 			priv_policy_errmsg(cr, priv, msg);
388 		}
389 	}
390 }
391 
392 /*
393  * priv_policy_ap()
394  * return 0 or error.
395  * See block comment above for a description of "priv" and "allzone" usage.
396  */
397 static int
priv_policy_ap(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,va_list ap)398 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
399     const char *msg, va_list ap)
400 {
401 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
402 	    (!servicing_interrupt() &&
403 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
404 		if ((allzone || priv == PRIV_ALL ||
405 		    !PRIV_ISASSERT(priv_basic, priv)) &&
406 		    !servicing_interrupt()) {
407 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
408 			if (AU_AUDITING())
409 				audit_priv(priv,
410 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
411 		}
412 		err = 0;
413 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
414 	} else if (!servicing_interrupt()) {
415 		/* Failure audited in this procedure */
416 		priv_policy_err(cr, priv, allzone, msg);
417 	}
418 	return (err);
419 }
420 
421 int
priv_policy_va(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,...)422 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
423     const char *msg, ...)
424 {
425 	int ret;
426 	va_list ap;
427 
428 	va_start(ap, msg);
429 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
430 	va_end(ap);
431 
432 	return (ret);
433 }
434 
435 int
priv_policy(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg)436 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
437     const char *msg)
438 {
439 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
440 }
441 
442 /*
443  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
444  */
445 boolean_t
priv_policy_choice(const cred_t * cr,int priv,boolean_t allzone)446 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
447 {
448 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
449 	    (!allzone || HAS_ALLZONEPRIVS(cr));
450 
451 	/* Audit success only */
452 	if (res && AU_AUDITING() &&
453 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
454 	    !servicing_interrupt()) {
455 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
456 	}
457 	if (res) {
458 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
459 	} else {
460 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
461 	}
462 	return (res);
463 }
464 
465 /*
466  * Non-auditing variant of priv_policy_choice().
467  */
468 boolean_t
priv_policy_only(const cred_t * cr,int priv,boolean_t allzone)469 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
470 {
471 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
472 	    (!allzone || HAS_ALLZONEPRIVS(cr));
473 
474 	if (res) {
475 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
476 	} else {
477 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
478 	}
479 	return (res);
480 }
481 
482 /*
483  * Check whether all privileges in the required set are present.
484  */
485 static int
secpolicy_require_set(const cred_t * cr,const priv_set_t * req,const char * msg,...)486 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
487     const char *msg, ...)
488 {
489 	int priv;
490 	int pfound = -1;
491 	priv_set_t pset;
492 	va_list ap;
493 	int ret;
494 
495 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
496 	    &CR_OEPRIV(cr))) {
497 		return (0);
498 	}
499 
500 	va_start(ap, msg);
501 	ret = priv_policy_override_set(cr, req, ap);
502 	va_end(ap);
503 	if (ret == 0)
504 		return (0);
505 
506 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
507 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
508 		return (EACCES);
509 	}
510 
511 	pset = CR_OEPRIV(cr);		/* present privileges */
512 	priv_inverse(&pset);		/* all non present privileges */
513 	priv_intersect(req, &pset);	/* the actual missing privs */
514 
515 	if (AU_AUDITING())
516 		audit_priv(PRIV_NONE, &pset, 0);
517 	/*
518 	 * Privilege debugging; special case "one privilege in set".
519 	 */
520 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
521 		for (priv = 0; priv < nprivs; priv++) {
522 			if (priv_ismember(&pset, priv)) {
523 				if (pfound != -1) {
524 					/* Multiple missing privs */
525 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
526 					    msg);
527 					return (EACCES);
528 				}
529 				pfound = priv;
530 			}
531 		}
532 		ASSERT(pfound != -1);
533 		/* Just the one missing privilege */
534 		priv_policy_errmsg(cr, pfound, msg);
535 	}
536 
537 	return (EACCES);
538 }
539 
540 /*
541  * Called when an operation requires that the caller be in the
542  * global zone, regardless of privilege.
543  */
544 static int
priv_policy_global(const cred_t * cr)545 priv_policy_global(const cred_t *cr)
546 {
547 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
548 		return (0);	/* success */
549 
550 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
551 	    curthread->t_pre_sys) {
552 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
553 	}
554 	return (EPERM);
555 }
556 
557 /*
558  * Raising process priority
559  */
560 int
secpolicy_raisepriority(const cred_t * cr)561 secpolicy_raisepriority(const cred_t *cr)
562 {
563 	if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
564 		return (0);
565 	return (secpolicy_setpriority(cr));
566 }
567 
568 /*
569  * Changing process priority or scheduling class
570  */
571 int
secpolicy_setpriority(const cred_t * cr)572 secpolicy_setpriority(const cred_t *cr)
573 {
574 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
575 }
576 
577 /*
578  * Binding to a privileged port, port must be specified in host byte
579  * order.
580  * When adding a new privilege which allows binding to currently privileged
581  * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
582  * to these ports because of backward compatibility.
583  */
584 int
secpolicy_net_privaddr(const cred_t * cr,in_port_t port,int proto)585 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
586 {
587 	char *reason;
588 	int priv;
589 
590 	switch (port) {
591 	case 137:
592 	case 138:
593 	case 139:
594 	case 445:
595 		/*
596 		 * NBT and SMB ports, these are normal privileged ports,
597 		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
598 		 * is present.
599 		 * Try both, if neither is present return an error for
600 		 * priv SYS_SMB.
601 		 */
602 		if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
603 			priv = PRIV_NET_PRIVADDR;
604 		else
605 			priv = PRIV_SYS_SMB;
606 		reason = "NBT or SMB port";
607 		break;
608 
609 	case 2049:
610 	case 4045:
611 		/*
612 		 * NFS ports, these are extra privileged ports, allow bind
613 		 * only if the SYS_NFS privilege is present.
614 		 */
615 		priv = PRIV_SYS_NFS;
616 		reason = "NFS port";
617 		break;
618 
619 	default:
620 		priv = PRIV_NET_PRIVADDR;
621 		reason = NULL;
622 		break;
623 
624 	}
625 
626 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
627 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
628 }
629 
630 /*
631  * Binding to a multilevel port on a trusted (labeled) system.
632  */
633 int
secpolicy_net_bindmlp(const cred_t * cr)634 secpolicy_net_bindmlp(const cred_t *cr)
635 {
636 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
637 }
638 
639 /*
640  * Allow a communication between a zone and an unlabeled host when their
641  * labels don't match.
642  */
643 int
secpolicy_net_mac_aware(const cred_t * cr)644 secpolicy_net_mac_aware(const cred_t *cr)
645 {
646 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
647 }
648 
649 /*
650  * Allow a privileged process to transmit traffic without explicit labels
651  */
652 int
secpolicy_net_mac_implicit(const cred_t * cr)653 secpolicy_net_mac_implicit(const cred_t *cr)
654 {
655 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
656 }
657 
658 /*
659  * Common routine which determines whether a given credential can
660  * act on a given mount.
661  * When called through mount, the parameter needoptcheck is a pointer
662  * to a boolean variable which will be set to either true or false,
663  * depending on whether the mount policy should change the mount options.
664  * In all other cases, needoptcheck should be a NULL pointer.
665  */
666 static int
secpolicy_fs_common(cred_t * cr,vnode_t * mvp,const vfs_t * vfsp,boolean_t * needoptcheck)667 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
668     boolean_t *needoptcheck)
669 {
670 	boolean_t allzone = B_FALSE;
671 	boolean_t mounting = needoptcheck != NULL;
672 
673 	/*
674 	 * Short circuit the following cases:
675 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
676 	 *	have all privileges - no further checks required
677 	 *	and no mount options need to be set.
678 	 */
679 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
680 		if (mounting)
681 			*needoptcheck = B_FALSE;
682 
683 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
684 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
685 	}
686 
687 	/*
688 	 * When operating on an existing mount (either we're not mounting
689 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
690 	 * can operate only on mounts established by the zone itself.
691 	 */
692 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
693 		zoneid_t zoneid = crgetzoneid(cr);
694 
695 		if (zoneid != GLOBAL_ZONEID &&
696 		    vfsp->vfs_zone->zone_id != zoneid) {
697 			return (EPERM);
698 		}
699 	}
700 
701 	if (mounting)
702 		*needoptcheck = B_TRUE;
703 
704 	/*
705 	 * Overlay mounts may hide important stuff; if you can't write to a
706 	 * mount point but would be able to mount on top of it, you can
707 	 * escalate your privileges.
708 	 * So we go about asking the same questions namefs does when it
709 	 * decides whether you can mount over a file or not but with the
710 	 * added restriction that you can only mount on top of a regular
711 	 * file or directory.
712 	 * If we have all the zone's privileges, we skip all other checks,
713 	 * or else we may actually get in trouble inside the automounter.
714 	 */
715 	if ((mvp->v_flag & VROOT) != 0 ||
716 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
717 	    HAS_ALLZONEPRIVS(cr)) {
718 		allzone = B_TRUE;
719 	} else {
720 		vattr_t va;
721 		int err;
722 
723 		va.va_mask = AT_UID|AT_MODE;
724 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
725 		if (err != 0)
726 			return (err);
727 
728 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
729 			return (err);
730 
731 		if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
732 		    VWRITE) != 0) {
733 			return (EACCES);
734 		}
735 	}
736 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
737 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
738 }
739 
740 void
secpolicy_fs_mount_clearopts(cred_t * cr,struct vfs * vfsp)741 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
742 {
743 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
744 
745 	/*
746 	 * check; if we don't have either "nosuid" or
747 	 * both "nosetuid" and "nodevices", then we add
748 	 * "nosuid"; this depends on how the current
749 	 * implementation works (it first checks nosuid).  In a
750 	 * zone, a user with all zone privileges can mount with
751 	 * "setuid" but never with "devices".
752 	 */
753 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
754 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
755 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
756 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
757 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
758 		else
759 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
760 	}
761 	/*
762 	 * If we're not the local super user, we set the "restrict"
763 	 * option to indicate to automountd that this mount should
764 	 * be handled with care.
765 	 */
766 	if (!amsuper)
767 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
768 
769 }
770 
771 int
secpolicy_fs_allowed_mount(const char * fsname)772 secpolicy_fs_allowed_mount(const char *fsname)
773 {
774 	struct vfssw *vswp;
775 	const char *p;
776 	size_t len;
777 
778 	ASSERT(fsname != NULL);
779 	ASSERT(fsname[0] != '\0');
780 
781 	if (INGLOBALZONE(curproc))
782 		return (0);
783 
784 	vswp = vfs_getvfssw(fsname);
785 	if (vswp == NULL)
786 		return (ENOENT);
787 
788 	if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
789 		vfs_unrefvfssw(vswp);
790 		return (0);
791 	}
792 
793 	vfs_unrefvfssw(vswp);
794 
795 	p = curzone->zone_fs_allowed;
796 	len = strlen(fsname);
797 
798 	while (p != NULL && *p != '\0') {
799 		if (strncmp(p, fsname, len) == 0) {
800 			char c = *(p + len);
801 			if (c == '\0' || c == ',')
802 				return (0);
803 		}
804 
805 		/* skip to beyond the next comma */
806 		if ((p = strchr(p, ',')) != NULL)
807 			p++;
808 	}
809 
810 	return (EPERM);
811 }
812 
813 extern vnode_t *rootvp;
814 extern vfs_t *rootvfs;
815 
816 int
secpolicy_fs_mount(cred_t * cr,vnode_t * mvp,struct vfs * vfsp)817 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
818 {
819 	boolean_t needoptchk;
820 	int error;
821 
822 	/*
823 	 * If it's a remount, get the underlying mount point,
824 	 * except for the root where we use the rootvp.
825 	 */
826 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
827 		if (vfsp == rootvfs)
828 			mvp = rootvp;
829 		else
830 			mvp = vfsp->vfs_vnodecovered;
831 	}
832 
833 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
834 
835 	if (error == 0 && needoptchk) {
836 		secpolicy_fs_mount_clearopts(cr, vfsp);
837 	}
838 
839 	return (error);
840 }
841 
842 /*
843  * Does the policy computations for "ownership" of a mount;
844  * here ownership is defined as the ability to "mount"
845  * the filesystem originally.  The rootvfs doesn't cover any
846  * vnodes; we attribute its ownership to the rootvp.
847  */
848 static int
secpolicy_fs_owner(cred_t * cr,const struct vfs * vfsp)849 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
850 {
851 	vnode_t *mvp;
852 
853 	if (vfsp == NULL)
854 		mvp = NULL;
855 	else if (vfsp == rootvfs)
856 		mvp = rootvp;
857 	else
858 		mvp = vfsp->vfs_vnodecovered;
859 
860 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
861 }
862 
863 int
secpolicy_fs_unmount(cred_t * cr,struct vfs * vfsp)864 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
865 {
866 	return (secpolicy_fs_owner(cr, vfsp));
867 }
868 
869 /*
870  * Quotas are a resource, but if one has the ability to mount a filesystem,
871  * they should be able to modify quotas on it.
872  */
873 int
secpolicy_fs_quota(const cred_t * cr,const vfs_t * vfsp)874 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
875 {
876 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
877 }
878 
879 /*
880  * Exceeding minfree: also a per-mount resource constraint.
881  */
882 int
secpolicy_fs_minfree(const cred_t * cr,const vfs_t * vfsp)883 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
884 {
885 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
886 }
887 
888 int
secpolicy_fs_config(const cred_t * cr,const vfs_t * vfsp)889 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
890 {
891 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
892 }
893 
894 /* ARGSUSED */
895 int
secpolicy_fs_linkdir(const cred_t * cr,const vfs_t * vfsp)896 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
897 {
898 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
899 }
900 
901 /*
902  * Name:        secpolicy_vnode_access()
903  *
904  * Parameters:  Process credential
905  *		vnode
906  *		uid of owner of vnode
907  *		permission bits not granted to the caller when examining
908  *		file mode bits (i.e., when a process wants to open a
909  *		mode 444 file for VREAD|VWRITE, this function should be
910  *		called only with a VWRITE argument).
911  *
912  * Normal:      Verifies that cred has the appropriate privileges to
913  *              override the mode bits that were denied.
914  *
915  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
916  *                      not a directory.
917  *              file_dac_read - if VREAD bit was denied.
918  *              file_dac_search - if VEXEC bit was denied and vnode is
919  *                      a directory.
920  *              file_dac_write - if VWRITE bit was denied.
921  *
922  *		Root owned files are special cased to protect system
923  *		configuration files and such.
924  *
925  * Output:      EACCES - if privilege check fails.
926  */
927 
928 int
secpolicy_vnode_access(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t mode)929 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
930 {
931 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
932 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
933 	    KLPDARG_NOMORE) != 0) {
934 		return (EACCES);
935 	}
936 
937 	if (mode & VWRITE) {
938 		boolean_t allzone;
939 
940 		if (owner == 0 && cr->cr_uid != 0)
941 			allzone = B_TRUE;
942 		else
943 			allzone = B_FALSE;
944 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
945 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
946 		    KLPDARG_NOMORE) != 0) {
947 			return (EACCES);
948 		}
949 	}
950 
951 	if (mode & VEXEC) {
952 		/*
953 		 * Directories use file_dac_search to override the execute bit.
954 		 */
955 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
956 		    PRIV_FILE_DAC_EXECUTE;
957 
958 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
959 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
960 	}
961 	return (0);
962 }
963 
964 /*
965  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
966  * current mode of the file, not the missing bits.
967  */
968 int
secpolicy_vnode_access2(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t curmode,mode_t wantmode)969 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
970     mode_t curmode, mode_t wantmode)
971 {
972 	mode_t mode;
973 
974 	/* Inline the basic privileges tests. */
975 	if ((wantmode & VREAD) &&
976 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
977 	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
978 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
979 		return (EACCES);
980 	}
981 
982 	if ((wantmode & VWRITE) &&
983 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
984 	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
985 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
986 		return (EACCES);
987 	}
988 
989 	mode = ~curmode & wantmode;
990 
991 	if (mode == 0)
992 		return (0);
993 
994 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
995 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
996 	    KLPDARG_NOMORE) != 0) {
997 		return (EACCES);
998 	}
999 
1000 	if (mode & VWRITE) {
1001 		boolean_t allzone;
1002 
1003 		if (owner == 0 && cr->cr_uid != 0)
1004 			allzone = B_TRUE;
1005 		else
1006 			allzone = B_FALSE;
1007 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1008 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
1009 		    KLPDARG_NOMORE) != 0) {
1010 			return (EACCES);
1011 		}
1012 	}
1013 
1014 	if (mode & VEXEC) {
1015 		/*
1016 		 * Directories use file_dac_search to override the execute bit.
1017 		 */
1018 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1019 		    PRIV_FILE_DAC_EXECUTE;
1020 
1021 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1022 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1023 	}
1024 	return (0);
1025 }
1026 
1027 /*
1028  * This is a special routine for ZFS; it is used to determine whether
1029  * any of the privileges in effect allow any form of access to the
1030  * file.  There's no reason to audit this or any reason to record
1031  * this.  More work is needed to do the "KPLD" stuff.
1032  */
1033 int
secpolicy_vnode_any_access(const cred_t * cr,vnode_t * vp,uid_t owner)1034 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1035 {
1036 	static int privs[] = {
1037 	    PRIV_FILE_OWNER,
1038 	    PRIV_FILE_CHOWN,
1039 	    PRIV_FILE_DAC_READ,
1040 	    PRIV_FILE_DAC_WRITE,
1041 	    PRIV_FILE_DAC_EXECUTE,
1042 	    PRIV_FILE_DAC_SEARCH,
1043 	};
1044 	int i;
1045 
1046 	/* Same as secpolicy_vnode_setdac */
1047 	if (owner == cr->cr_uid)
1048 		return (0);
1049 
1050 	for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1051 		boolean_t allzone = B_FALSE;
1052 		int priv;
1053 
1054 		switch (priv = privs[i]) {
1055 		case PRIV_FILE_DAC_EXECUTE:
1056 			if (vp->v_type == VDIR)
1057 				continue;
1058 			break;
1059 		case PRIV_FILE_DAC_SEARCH:
1060 			if (vp->v_type != VDIR)
1061 				continue;
1062 			break;
1063 		case PRIV_FILE_DAC_WRITE:
1064 		case PRIV_FILE_OWNER:
1065 		case PRIV_FILE_CHOWN:
1066 			/* We know here that if owner == 0, that cr_uid != 0 */
1067 			allzone = owner == 0;
1068 			break;
1069 		}
1070 		if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1071 			return (0);
1072 	}
1073 	return (EPERM);
1074 }
1075 
1076 /*
1077  * Name:	secpolicy_vnode_setid_modify()
1078  *
1079  * Normal:	verify that subject can set the file setid flags.
1080  *
1081  * Output:	EPERM - if not privileged.
1082  */
1083 
1084 static int
secpolicy_vnode_setid_modify(const cred_t * cr,uid_t owner)1085 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1086 {
1087 	/* If changing to suid root, must have all zone privs */
1088 	boolean_t allzone = B_TRUE;
1089 
1090 	if (owner != 0) {
1091 		if (owner == cr->cr_uid)
1092 			return (0);
1093 		allzone = B_FALSE;
1094 	}
1095 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1096 }
1097 
1098 /*
1099  * Are we allowed to retain the set-uid/set-gid bits when
1100  * changing ownership or when writing to a file?
1101  * "issuid" should be true when set-uid; only in that case
1102  * root ownership is checked (setgid is assumed).
1103  */
1104 int
secpolicy_vnode_setid_retain(const cred_t * cred,boolean_t issuidroot)1105 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1106 {
1107 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1108 		return (EPERM);
1109 
1110 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1111 }
1112 
1113 /*
1114  * Name:	secpolicy_vnode_setids_setgids()
1115  *
1116  * Normal:	verify that subject can set the file setgid flag.
1117  *
1118  * Output:	EPERM - if not privileged
1119  */
1120 
1121 int
secpolicy_vnode_setids_setgids(const cred_t * cred,gid_t gid)1122 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1123 {
1124 	if (!groupmember(gid, cred))
1125 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1126 		    NULL));
1127 	return (0);
1128 }
1129 
1130 /*
1131  * Name:	secpolicy_vnode_chown
1132  *
1133  * Normal:	Determine if subject can chown owner of a file.
1134  *
1135  * Output:	EPERM - if access denied
1136  */
1137 
1138 int
secpolicy_vnode_chown(const cred_t * cred,uid_t owner)1139 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1140 {
1141 	boolean_t is_owner = (owner == crgetuid(cred));
1142 	boolean_t allzone = B_FALSE;
1143 	int priv;
1144 
1145 	if (!is_owner) {
1146 		allzone = (owner == 0);
1147 		priv = PRIV_FILE_CHOWN;
1148 	} else {
1149 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1150 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1151 	}
1152 
1153 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1154 }
1155 
1156 /*
1157  * Name:	secpolicy_vnode_create_gid
1158  *
1159  * Normal:	Determine if subject can change group ownership of a file.
1160  *
1161  * Output:	EPERM - if access denied
1162  */
1163 int
secpolicy_vnode_create_gid(const cred_t * cred)1164 secpolicy_vnode_create_gid(const cred_t *cred)
1165 {
1166 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1167 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1168 		    NULL));
1169 	else
1170 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1171 		    NULL));
1172 }
1173 
1174 /*
1175  * Name:	secpolicy_vnode_utime_modify()
1176  *
1177  * Normal:	verify that subject can modify the utime on a file.
1178  *
1179  * Output:	EPERM - if access denied.
1180  */
1181 
1182 static int
secpolicy_vnode_utime_modify(const cred_t * cred)1183 secpolicy_vnode_utime_modify(const cred_t *cred)
1184 {
1185 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1186 	    "modify file times"));
1187 }
1188 
1189 
1190 /*
1191  * Name:	secpolicy_vnode_setdac()
1192  *
1193  * Normal:	verify that subject can modify the mode of a file.
1194  *		allzone privilege needed when modifying root owned object.
1195  *
1196  * Output:	EPERM - if access denied.
1197  */
1198 
1199 int
secpolicy_vnode_setdac(const cred_t * cred,uid_t owner)1200 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1201 {
1202 	if (owner == cred->cr_uid)
1203 		return (0);
1204 
1205 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1206 }
1207 /*
1208  * Name:	secpolicy_vnode_stky_modify()
1209  *
1210  * Normal:	verify that subject can make a file a "sticky".
1211  *
1212  * Output:	EPERM - if access denied.
1213  */
1214 
1215 int
secpolicy_vnode_stky_modify(const cred_t * cred)1216 secpolicy_vnode_stky_modify(const cred_t *cred)
1217 {
1218 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1219 	    "set file sticky"));
1220 }
1221 
1222 /*
1223  * Policy determines whether we can remove an entry from a directory,
1224  * regardless of permission bits.
1225  */
1226 int
secpolicy_vnode_remove(const cred_t * cr)1227 secpolicy_vnode_remove(const cred_t *cr)
1228 {
1229 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1230 	    "sticky directory"));
1231 }
1232 
1233 int
secpolicy_vnode_owner(const cred_t * cr,uid_t owner)1234 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1235 {
1236 	boolean_t allzone = (owner == 0);
1237 
1238 	if (owner == cr->cr_uid)
1239 		return (0);
1240 
1241 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1242 }
1243 
1244 void
secpolicy_setid_clear(vattr_t * vap,cred_t * cr)1245 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1246 {
1247 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1248 	    secpolicy_vnode_setid_retain(cr,
1249 	    (vap->va_mode & S_ISUID) != 0 &&
1250 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1251 		vap->va_mask |= AT_MODE;
1252 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1253 	}
1254 }
1255 
1256 int
secpolicy_setid_setsticky_clear(vnode_t * vp,vattr_t * vap,const vattr_t * ovap,cred_t * cr)1257 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1258     cred_t *cr)
1259 {
1260 	int error;
1261 
1262 	if ((vap->va_mode & S_ISUID) != 0 &&
1263 	    (error = secpolicy_vnode_setid_modify(cr,
1264 	    ovap->va_uid)) != 0) {
1265 		return (error);
1266 	}
1267 
1268 	/*
1269 	 * Check privilege if attempting to set the
1270 	 * sticky bit on a non-directory.
1271 	 */
1272 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1273 	    secpolicy_vnode_stky_modify(cr) != 0) {
1274 		vap->va_mode &= ~S_ISVTX;
1275 	}
1276 
1277 	/*
1278 	 * Check for privilege if attempting to set the
1279 	 * group-id bit.
1280 	 */
1281 	if ((vap->va_mode & S_ISGID) != 0 &&
1282 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1283 		vap->va_mode &= ~S_ISGID;
1284 	}
1285 
1286 	return (0);
1287 }
1288 
1289 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1290 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1291 	B_FALSE, EPERM, NULL)
1292 
1293 /*
1294  * Check privileges for setting xvattr attributes
1295  */
1296 int
secpolicy_xvattr(xvattr_t * xvap,uid_t owner,cred_t * cr,vtype_t vtype)1297 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1298 {
1299 	xoptattr_t *xoap;
1300 	int error = 0;
1301 
1302 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1303 		return (EINVAL);
1304 
1305 	/*
1306 	 * First process the DOS bits
1307 	 */
1308 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1309 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1310 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1311 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1312 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1313 	    XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1314 	    XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1315 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1316 			return (error);
1317 	}
1318 
1319 	/*
1320 	 * Now handle special attributes
1321 	 */
1322 
1323 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1324 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1325 		    xoap->xoa_immutable, cr);
1326 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1327 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1328 		    xoap->xoa_nounlink, cr);
1329 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1330 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1331 		    xoap->xoa_appendonly, cr);
1332 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1333 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1334 		    xoap->xoa_nodump, cr);
1335 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1336 		error = EPERM;
1337 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1338 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1339 		    xoap->xoa_av_quarantined, cr);
1340 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1341 			error = EINVAL;
1342 	}
1343 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1344 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1345 		    xoap->xoa_av_modified, cr);
1346 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1347 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1348 		    xoap->xoa_av_scanstamp, cr);
1349 		if (error == 0 && vtype != VREG)
1350 			error = EINVAL;
1351 	}
1352 	return (error);
1353 }
1354 
1355 /*
1356  * This function checks the policy decisions surrounding the
1357  * vop setattr call.
1358  *
1359  * It should be called after sufficient locks have been established
1360  * on the underlying data structures.  No concurrent modifications
1361  * should be allowed.
1362  *
1363  * The caller must pass in unlocked version of its vaccess function
1364  * this is required because vop_access function should lock the
1365  * node for reading.  A three argument function should be defined
1366  * which accepts the following argument:
1367  *	A pointer to the internal "node" type (inode *)
1368  *	vnode access bits (VREAD|VWRITE|VEXEC)
1369  *	a pointer to the credential
1370  *
1371  * This function makes the following policy decisions:
1372  *
1373  *		- change permissions
1374  *			- permission to change file mode if not owner
1375  *			- permission to add sticky bit to non-directory
1376  *			- permission to add set-gid bit
1377  *
1378  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1379  *
1380  * If the vap argument does not include AT_MODE, the mode will be copied from
1381  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1382  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1383  * is updated to the newly computed mode.
1384  */
1385 
1386 int
secpolicy_vnode_setattr(cred_t * cr,struct vnode * vp,struct vattr * vap,const struct vattr * ovap,int flags,int unlocked_access (void *,int,cred_t *),void * node)1387 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1388     const struct vattr *ovap, int flags,
1389     int unlocked_access(void *, int, cred_t *),
1390     void *node)
1391 {
1392 	int mask = vap->va_mask;
1393 	int error = 0;
1394 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1395 
1396 	if (mask & AT_SIZE) {
1397 		if (vp->v_type == VDIR) {
1398 			error = EISDIR;
1399 			goto out;
1400 		}
1401 
1402 		/*
1403 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1404 		 * perform the secondary unlocked_access() call since the
1405 		 * ACL (if any) is being checked there.
1406 		 */
1407 		if (skipaclchk == B_FALSE) {
1408 			error = unlocked_access(node, VWRITE, cr);
1409 			if (error)
1410 				goto out;
1411 		}
1412 	}
1413 	if (mask & AT_MODE) {
1414 		/*
1415 		 * If not the owner of the file then check privilege
1416 		 * for two things: the privilege to set the mode at all
1417 		 * and, if we're setting setuid, we also need permissions
1418 		 * to add the set-uid bit, if we're not the owner.
1419 		 * In the specific case of creating a set-uid root
1420 		 * file, we need even more permissions.
1421 		 */
1422 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1423 			goto out;
1424 
1425 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1426 		    ovap, cr)) != 0)
1427 			goto out;
1428 	} else
1429 		vap->va_mode = ovap->va_mode;
1430 
1431 	if (mask & (AT_UID|AT_GID)) {
1432 		boolean_t checkpriv = B_FALSE;
1433 
1434 		/*
1435 		 * Chowning files.
1436 		 *
1437 		 * If you are the file owner:
1438 		 *	chown to other uid		FILE_CHOWN_SELF
1439 		 *	chown to gid (non-member)	FILE_CHOWN_SELF
1440 		 *	chown to gid (member)		<none>
1441 		 *
1442 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1443 		 * acceptable but the first one is reported when debugging.
1444 		 *
1445 		 * If you are not the file owner:
1446 		 *	chown from root			PRIV_FILE_CHOWN + zone
1447 		 *	chown from other to any		PRIV_FILE_CHOWN
1448 		 *
1449 		 */
1450 		if (cr->cr_uid != ovap->va_uid) {
1451 			checkpriv = B_TRUE;
1452 		} else {
1453 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1454 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1455 			    !groupmember(vap->va_gid, cr))) {
1456 				checkpriv = B_TRUE;
1457 			}
1458 		}
1459 		/*
1460 		 * If necessary, check privilege to see if update can be done.
1461 		 */
1462 		if (checkpriv &&
1463 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1464 			goto out;
1465 		}
1466 
1467 		/*
1468 		 * If the file has either the set UID or set GID bits
1469 		 * set and the caller can set the bits, then leave them.
1470 		 */
1471 		secpolicy_setid_clear(vap, cr);
1472 	}
1473 	if (mask & (AT_ATIME|AT_MTIME)) {
1474 		/*
1475 		 * If not the file owner and not otherwise privileged,
1476 		 * always return an error when setting the
1477 		 * time other than the current (ATTR_UTIME flag set).
1478 		 * If setting the current time (ATTR_UTIME not set) then
1479 		 * unlocked_access will check permissions according to policy.
1480 		 */
1481 		if (cr->cr_uid != ovap->va_uid) {
1482 			if (flags & ATTR_UTIME)
1483 				error = secpolicy_vnode_utime_modify(cr);
1484 			else if (skipaclchk == B_FALSE) {
1485 				error = unlocked_access(node, VWRITE, cr);
1486 				if (error == EACCES &&
1487 				    secpolicy_vnode_utime_modify(cr) == 0)
1488 					error = 0;
1489 			}
1490 			if (error)
1491 				goto out;
1492 		}
1493 	}
1494 
1495 	/*
1496 	 * Check for optional attributes here by checking the following:
1497 	 */
1498 	if (mask & AT_XVATTR)
1499 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1500 		    vp->v_type);
1501 out:
1502 	return (error);
1503 }
1504 
1505 /*
1506  * Name:	secpolicy_pcfs_modify_bootpartition()
1507  *
1508  * Normal:	verify that subject can modify a pcfs boot partition.
1509  *
1510  * Output:	EACCES - if privilege check failed.
1511  */
1512 /*ARGSUSED*/
1513 int
secpolicy_pcfs_modify_bootpartition(const cred_t * cred)1514 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1515 {
1516 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1517 	    "modify pcfs boot partition"));
1518 }
1519 
1520 /*
1521  * System V IPC routines
1522  */
1523 int
secpolicy_ipc_owner(const cred_t * cr,const struct kipc_perm * ip)1524 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1525 {
1526 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1527 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1528 		boolean_t allzone = B_FALSE;
1529 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1530 			allzone = B_TRUE;
1531 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1532 	}
1533 	return (0);
1534 }
1535 
1536 int
secpolicy_ipc_config(const cred_t * cr)1537 secpolicy_ipc_config(const cred_t *cr)
1538 {
1539 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1540 }
1541 
1542 int
secpolicy_ipc_access(const cred_t * cr,const struct kipc_perm * ip,mode_t mode)1543 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1544 {
1545 
1546 	boolean_t allzone = B_FALSE;
1547 
1548 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1549 
1550 	if ((mode & MSG_R) &&
1551 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1552 		return (EACCES);
1553 
1554 	if (mode & MSG_W) {
1555 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1556 			allzone = B_TRUE;
1557 
1558 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1559 		    NULL));
1560 	}
1561 	return (0);
1562 }
1563 
1564 int
secpolicy_rsm_access(const cred_t * cr,uid_t owner,mode_t mode)1565 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1566 {
1567 	boolean_t allzone = B_FALSE;
1568 
1569 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1570 
1571 	if ((mode & MSG_R) &&
1572 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1573 		return (EACCES);
1574 
1575 	if (mode & MSG_W) {
1576 		if (cr->cr_uid != 0 && owner == 0)
1577 			allzone = B_TRUE;
1578 
1579 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1580 		    NULL));
1581 	}
1582 	return (0);
1583 }
1584 
1585 /*
1586  * Audit configuration.
1587  */
1588 int
secpolicy_audit_config(const cred_t * cr)1589 secpolicy_audit_config(const cred_t *cr)
1590 {
1591 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1592 }
1593 
1594 /*
1595  * Audit record generation.
1596  */
1597 int
secpolicy_audit_modify(const cred_t * cr)1598 secpolicy_audit_modify(const cred_t *cr)
1599 {
1600 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1601 }
1602 
1603 /*
1604  * Get audit attributes.
1605  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1606  * "Least" of the two privileges on error.
1607  */
1608 int
secpolicy_audit_getattr(const cred_t * cr,boolean_t checkonly)1609 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1610 {
1611 	int priv;
1612 
1613 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1614 		priv = PRIV_SYS_AUDIT;
1615 	else
1616 		priv = PRIV_PROC_AUDIT;
1617 
1618 	if (checkonly)
1619 		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1620 	else
1621 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1622 }
1623 
1624 
1625 /*
1626  * Locking physical memory
1627  */
1628 int
secpolicy_lock_memory(const cred_t * cr)1629 secpolicy_lock_memory(const cred_t *cr)
1630 {
1631 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1632 }
1633 
1634 /*
1635  * Accounting (both acct(2) and exacct).
1636  */
1637 int
secpolicy_acct(const cred_t * cr)1638 secpolicy_acct(const cred_t *cr)
1639 {
1640 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1641 }
1642 
1643 /*
1644  * Is this process privileged to change its uids at will?
1645  * Uid 0 is still considered "special" and having the SETID
1646  * privilege is not sufficient to get uid 0.
1647  * Files are owned by root, so the privilege would give
1648  * full access and euid 0 is still effective.
1649  *
1650  * If you have the privilege and euid 0 only then do you
1651  * get the powers of root wrt uid 0.
1652  *
1653  * For gid manipulations, this is should be called with an
1654  * uid of -1.
1655  *
1656  */
1657 int
secpolicy_allow_setid(const cred_t * cr,uid_t newuid,boolean_t checkonly)1658 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1659 {
1660 	boolean_t allzone = B_FALSE;
1661 
1662 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1663 	    cr->cr_ruid != 0) {
1664 		allzone = B_TRUE;
1665 	}
1666 
1667 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1668 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1669 }
1670 
1671 
1672 /*
1673  * Acting on a different process: if the mode is for writing,
1674  * the restrictions are more severe.  This is called after
1675  * we've verified that the uids do not match.
1676  */
1677 int
secpolicy_proc_owner(const cred_t * scr,const cred_t * tcr,int mode)1678 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1679 {
1680 	boolean_t allzone = B_FALSE;
1681 
1682 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1683 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1684 		allzone = B_TRUE;
1685 
1686 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1687 }
1688 
1689 int
secpolicy_proc_access(const cred_t * scr)1690 secpolicy_proc_access(const cred_t *scr)
1691 {
1692 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1693 }
1694 
1695 int
secpolicy_proc_excl_open(const cred_t * scr)1696 secpolicy_proc_excl_open(const cred_t *scr)
1697 {
1698 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1699 }
1700 
1701 int
secpolicy_proc_zone(const cred_t * scr)1702 secpolicy_proc_zone(const cred_t *scr)
1703 {
1704 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1705 }
1706 
1707 /*
1708  * Destroying the system
1709  */
1710 
1711 int
secpolicy_kmdb(const cred_t * scr)1712 secpolicy_kmdb(const cred_t *scr)
1713 {
1714 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1715 }
1716 
1717 int
secpolicy_error_inject(const cred_t * scr)1718 secpolicy_error_inject(const cred_t *scr)
1719 {
1720 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1721 }
1722 
1723 /*
1724  * Processor sets, cpu configuration, resource pools.
1725  */
1726 int
secpolicy_pset(const cred_t * cr)1727 secpolicy_pset(const cred_t *cr)
1728 {
1729 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1730 }
1731 
1732 /* Process security flags */
1733 int
secpolicy_psecflags(const cred_t * cr,proc_t * tp,proc_t * sp)1734 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1735 {
1736 	if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1737 		return (EPERM);
1738 
1739 	if (!prochasprocperm(tp, sp, cr))
1740 		return (EPERM);
1741 
1742 	return (0);
1743 }
1744 
1745 /*
1746  * Processor set binding.
1747  */
1748 int
secpolicy_pbind(const cred_t * cr)1749 secpolicy_pbind(const cred_t *cr)
1750 {
1751 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1752 		return (secpolicy_pset(cr));
1753 	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1754 }
1755 
1756 int
secpolicy_ponline(const cred_t * cr)1757 secpolicy_ponline(const cred_t *cr)
1758 {
1759 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1760 }
1761 
1762 int
secpolicy_pool(const cred_t * cr)1763 secpolicy_pool(const cred_t *cr)
1764 {
1765 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1766 }
1767 
1768 int
secpolicy_blacklist(const cred_t * cr)1769 secpolicy_blacklist(const cred_t *cr)
1770 {
1771 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1772 }
1773 
1774 /*
1775  * Catch all system configuration.
1776  */
1777 int
secpolicy_sys_config(const cred_t * cr,boolean_t checkonly)1778 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1779 {
1780 	if (checkonly) {
1781 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1782 		    EPERM);
1783 	} else {
1784 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1785 	}
1786 }
1787 
1788 /*
1789  * Zone administration (halt, reboot, etc.) from within zone.
1790  */
1791 int
secpolicy_zone_admin(const cred_t * cr,boolean_t checkonly)1792 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1793 {
1794 	if (checkonly) {
1795 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1796 		    EPERM);
1797 	} else {
1798 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1799 		    NULL));
1800 	}
1801 }
1802 
1803 /*
1804  * Zone configuration (create, halt, enter).
1805  */
1806 int
secpolicy_zone_config(const cred_t * cr)1807 secpolicy_zone_config(const cred_t *cr)
1808 {
1809 	/*
1810 	 * Require all privileges to avoid possibility of privilege
1811 	 * escalation.
1812 	 */
1813 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1814 }
1815 
1816 /*
1817  * Various other system configuration calls
1818  */
1819 int
secpolicy_coreadm(const cred_t * cr)1820 secpolicy_coreadm(const cred_t *cr)
1821 {
1822 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1823 }
1824 
1825 int
secpolicy_systeminfo(const cred_t * cr)1826 secpolicy_systeminfo(const cred_t *cr)
1827 {
1828 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1829 }
1830 
1831 int
secpolicy_dispadm(const cred_t * cr)1832 secpolicy_dispadm(const cred_t *cr)
1833 {
1834 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1835 }
1836 
1837 int
secpolicy_settime(const cred_t * cr)1838 secpolicy_settime(const cred_t *cr)
1839 {
1840 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1841 }
1842 
1843 /*
1844  * For realtime users: high resolution clock.
1845  */
1846 int
secpolicy_clock_highres(const cred_t * cr)1847 secpolicy_clock_highres(const cred_t *cr)
1848 {
1849 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1850 	    NULL));
1851 }
1852 
1853 /*
1854  * drv_priv() is documented as callable from interrupt context, not that
1855  * anyone ever does, but still.  No debugging or auditing can be done when
1856  * it is called from interrupt context.
1857  * returns 0 on succes, EPERM on failure.
1858  */
1859 int
drv_priv(cred_t * cr)1860 drv_priv(cred_t *cr)
1861 {
1862 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1863 }
1864 
1865 int
secpolicy_sys_devices(const cred_t * cr)1866 secpolicy_sys_devices(const cred_t *cr)
1867 {
1868 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1869 }
1870 
1871 int
secpolicy_excl_open(const cred_t * cr)1872 secpolicy_excl_open(const cred_t *cr)
1873 {
1874 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1875 }
1876 
1877 int
secpolicy_rctlsys(const cred_t * cr,boolean_t is_zone_rctl)1878 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1879 {
1880 	/* zone.* rctls can only be set from the global zone */
1881 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1882 		return (EPERM);
1883 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1884 }
1885 
1886 int
secpolicy_resource(const cred_t * cr)1887 secpolicy_resource(const cred_t *cr)
1888 {
1889 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1890 }
1891 
1892 int
secpolicy_resource_anon_mem(const cred_t * cr)1893 secpolicy_resource_anon_mem(const cred_t *cr)
1894 {
1895 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1896 }
1897 
1898 /*
1899  * Processes with a real uid of 0 escape any form of accounting, much
1900  * like before.
1901  */
1902 int
secpolicy_newproc(const cred_t * cr)1903 secpolicy_newproc(const cred_t *cr)
1904 {
1905 	if (cr->cr_ruid == 0)
1906 		return (0);
1907 
1908 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1909 }
1910 
1911 /*
1912  * Networking
1913  */
1914 int
secpolicy_net_rawaccess(const cred_t * cr)1915 secpolicy_net_rawaccess(const cred_t *cr)
1916 {
1917 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1918 }
1919 
1920 int
secpolicy_net_observability(const cred_t * cr)1921 secpolicy_net_observability(const cred_t *cr)
1922 {
1923 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1924 }
1925 
1926 /*
1927  * Need this privilege for accessing the ICMP device
1928  */
1929 int
secpolicy_net_icmpaccess(const cred_t * cr)1930 secpolicy_net_icmpaccess(const cred_t *cr)
1931 {
1932 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1933 }
1934 
1935 /*
1936  * There are a few rare cases where the kernel generates ioctls() from
1937  * interrupt context with a credential of kcred rather than NULL.
1938  * In those cases, we take the safe and cheap test.
1939  */
1940 int
secpolicy_net_config(const cred_t * cr,boolean_t checkonly)1941 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1942 {
1943 	if (checkonly) {
1944 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1945 		    0 : EPERM);
1946 	} else {
1947 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1948 		    NULL));
1949 	}
1950 }
1951 
1952 
1953 /*
1954  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1955  *
1956  * There are a few rare cases where the kernel generates ioctls() from
1957  * interrupt context with a credential of kcred rather than NULL.
1958  * In those cases, we take the safe and cheap test.
1959  */
1960 int
secpolicy_ip_config(const cred_t * cr,boolean_t checkonly)1961 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1962 {
1963 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1964 		return (secpolicy_net_config(cr, checkonly));
1965 
1966 	if (checkonly) {
1967 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1968 		    0 : EPERM);
1969 	} else {
1970 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1971 		    NULL));
1972 	}
1973 }
1974 
1975 /*
1976  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1977  */
1978 int
secpolicy_dl_config(const cred_t * cr)1979 secpolicy_dl_config(const cred_t *cr)
1980 {
1981 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1982 		return (secpolicy_net_config(cr, B_FALSE));
1983 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1984 }
1985 
1986 /*
1987  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1988  */
1989 int
secpolicy_iptun_config(const cred_t * cr)1990 secpolicy_iptun_config(const cred_t *cr)
1991 {
1992 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1993 		return (secpolicy_net_config(cr, B_FALSE));
1994 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1995 		return (secpolicy_dl_config(cr));
1996 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1997 }
1998 
1999 /*
2000  * Map IP pseudo privileges to actual privileges.
2001  * So we don't need to recompile IP when we change the privileges.
2002  */
2003 int
secpolicy_ip(const cred_t * cr,int netpriv,boolean_t checkonly)2004 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2005 {
2006 	int priv = PRIV_ALL;
2007 
2008 	switch (netpriv) {
2009 	case OP_CONFIG:
2010 		priv = PRIV_SYS_IP_CONFIG;
2011 		break;
2012 	case OP_RAW:
2013 		priv = PRIV_NET_RAWACCESS;
2014 		break;
2015 	case OP_PRIVPORT:
2016 		priv = PRIV_NET_PRIVADDR;
2017 		break;
2018 	}
2019 	ASSERT(priv != PRIV_ALL);
2020 	if (checkonly)
2021 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2022 	else
2023 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2024 }
2025 
2026 /*
2027  * Map network pseudo privileges to actual privileges.
2028  * So we don't need to recompile IP when we change the privileges.
2029  */
2030 int
secpolicy_net(const cred_t * cr,int netpriv,boolean_t checkonly)2031 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2032 {
2033 	int priv = PRIV_ALL;
2034 
2035 	switch (netpriv) {
2036 	case OP_CONFIG:
2037 		priv = PRIV_SYS_NET_CONFIG;
2038 		break;
2039 	case OP_RAW:
2040 		priv = PRIV_NET_RAWACCESS;
2041 		break;
2042 	case OP_PRIVPORT:
2043 		priv = PRIV_NET_PRIVADDR;
2044 		break;
2045 	}
2046 	ASSERT(priv != PRIV_ALL);
2047 	if (checkonly)
2048 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2049 	else
2050 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2051 }
2052 
2053 /*
2054  * Checks for operations that are either client-only or are used by
2055  * both clients and servers.
2056  */
2057 int
secpolicy_nfs(const cred_t * cr)2058 secpolicy_nfs(const cred_t *cr)
2059 {
2060 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2061 }
2062 
2063 /*
2064  * Special case for opening rpcmod: have NFS privileges or network
2065  * config privileges.
2066  */
2067 int
secpolicy_rpcmod_open(const cred_t * cr)2068 secpolicy_rpcmod_open(const cred_t *cr)
2069 {
2070 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2071 		return (secpolicy_nfs(cr));
2072 	else
2073 		return (secpolicy_net_config(cr, B_FALSE));
2074 }
2075 
2076 int
secpolicy_chroot(const cred_t * cr)2077 secpolicy_chroot(const cred_t *cr)
2078 {
2079 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2080 }
2081 
2082 int
secpolicy_tasksys(const cred_t * cr)2083 secpolicy_tasksys(const cred_t *cr)
2084 {
2085 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2086 }
2087 
2088 int
secpolicy_meminfo(const cred_t * cr)2089 secpolicy_meminfo(const cred_t *cr)
2090 {
2091 	return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2092 }
2093 
2094 int
secpolicy_pfexec_register(const cred_t * cr)2095 secpolicy_pfexec_register(const cred_t *cr)
2096 {
2097 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2098 }
2099 
2100 /*
2101  * Basic privilege checks.
2102  */
2103 int
secpolicy_basic_exec(const cred_t * cr,vnode_t * vp)2104 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2105 {
2106 	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2107 
2108 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2109 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2110 }
2111 
2112 int
secpolicy_basic_fork(const cred_t * cr)2113 secpolicy_basic_fork(const cred_t *cr)
2114 {
2115 	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2116 
2117 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2118 }
2119 
2120 int
secpolicy_basic_proc(const cred_t * cr)2121 secpolicy_basic_proc(const cred_t *cr)
2122 {
2123 	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2124 
2125 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2126 }
2127 
2128 /*
2129  * Slightly complicated because we don't want to trigger the policy too
2130  * often.  First we shortcircuit access to "self" (tp == sp) or if
2131  * we don't have the privilege but if we have permission
2132  * just return (0) and we don't flag the privilege as needed.
2133  * Else, we test for the privilege because we either have it or need it.
2134  */
2135 int
secpolicy_basic_procinfo(const cred_t * cr,proc_t * tp,proc_t * sp)2136 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2137 {
2138 	if (tp == sp ||
2139 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2140 		return (0);
2141 	} else {
2142 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2143 	}
2144 }
2145 
2146 int
secpolicy_basic_link(const cred_t * cr)2147 secpolicy_basic_link(const cred_t *cr)
2148 {
2149 	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2150 
2151 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2152 }
2153 
2154 int
secpolicy_basic_net_access(const cred_t * cr)2155 secpolicy_basic_net_access(const cred_t *cr)
2156 {
2157 	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2158 
2159 	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2160 }
2161 
2162 /* ARGSUSED */
2163 int
secpolicy_basic_file_read(const cred_t * cr,vnode_t * vp,const char * pn)2164 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2165 {
2166 	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2167 
2168 	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2169 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2170 }
2171 
2172 /* ARGSUSED */
2173 int
secpolicy_basic_file_write(const cred_t * cr,vnode_t * vp,const char * pn)2174 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2175 {
2176 	FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2177 
2178 	return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2179 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2180 }
2181 
2182 /*
2183  * Additional device protection.
2184  *
2185  * Traditionally, a device has specific permissions on the node in
2186  * the filesystem which govern which devices can be opened by what
2187  * processes.  In certain cases, it is desirable to add extra
2188  * restrictions, as writing to certain devices is identical to
2189  * having a complete run of the system.
2190  *
2191  * This mechanism is called the device policy.
2192  *
2193  * When a device is opened, its policy entry is looked up in the
2194  * policy cache and checked.
2195  */
2196 int
secpolicy_spec_open(const cred_t * cr,struct vnode * vp,int oflag)2197 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2198 {
2199 	devplcy_t *plcy;
2200 	int err;
2201 	struct snode *csp = VTOS(common_specvp(vp));
2202 	priv_set_t pset;
2203 
2204 	mutex_enter(&csp->s_lock);
2205 
2206 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2207 		plcy = devpolicy_find(vp);
2208 		if (csp->s_plcy)
2209 			dpfree(csp->s_plcy);
2210 		csp->s_plcy = plcy;
2211 		ASSERT(plcy != NULL);
2212 	} else
2213 		plcy = csp->s_plcy;
2214 
2215 	if (plcy == nullpolicy) {
2216 		mutex_exit(&csp->s_lock);
2217 		return (0);
2218 	}
2219 
2220 	dphold(plcy);
2221 
2222 	mutex_exit(&csp->s_lock);
2223 
2224 	if (oflag & FWRITE)
2225 		pset = plcy->dp_wrp;
2226 	else
2227 		pset = plcy->dp_rdp;
2228 	/*
2229 	 * Special case:
2230 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2231 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2232 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2233 	 * in the required privilege set before doing the check.
2234 	 */
2235 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2236 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2237 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2238 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2239 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2240 	}
2241 
2242 	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2243 	dpfree(plcy);
2244 
2245 	return (err);
2246 }
2247 
2248 int
secpolicy_modctl(const cred_t * cr,int cmd)2249 secpolicy_modctl(const cred_t *cr, int cmd)
2250 {
2251 	switch (cmd) {
2252 	case MODINFO:
2253 	case MODGETMAJBIND:
2254 	case MODGETPATH:
2255 	case MODGETPATHLEN:
2256 	case MODGETNAME:
2257 	case MODGETFBNAME:
2258 	case MODGETDEVPOLICY:
2259 	case MODGETDEVPOLICYBYNAME:
2260 	case MODDEVT2INSTANCE:
2261 	case MODSIZEOF_DEVID:
2262 	case MODGETDEVID:
2263 	case MODSIZEOF_MINORNAME:
2264 	case MODGETMINORNAME:
2265 	case MODGETDEVFSPATH_LEN:
2266 	case MODGETDEVFSPATH:
2267 	case MODGETDEVFSPATH_MI_LEN:
2268 	case MODGETDEVFSPATH_MI:
2269 		/* Unprivileged */
2270 		return (0);
2271 	case MODLOAD:
2272 	case MODSETDEVPOLICY:
2273 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2274 		    KLPDARG_NONE));
2275 	default:
2276 		return (secpolicy_sys_config(cr, B_FALSE));
2277 	}
2278 }
2279 
2280 int
secpolicy_console(const cred_t * cr)2281 secpolicy_console(const cred_t *cr)
2282 {
2283 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2284 }
2285 
2286 int
secpolicy_power_mgmt(const cred_t * cr)2287 secpolicy_power_mgmt(const cred_t *cr)
2288 {
2289 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2290 }
2291 
2292 /*
2293  * Simulate terminal input; another escalation of privileges avenue.
2294  */
2295 
2296 int
secpolicy_sti(const cred_t * cr)2297 secpolicy_sti(const cred_t *cr)
2298 {
2299 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2300 }
2301 
2302 boolean_t
secpolicy_net_reply_equal(const cred_t * cr)2303 secpolicy_net_reply_equal(const cred_t *cr)
2304 {
2305 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2306 }
2307 
2308 int
secpolicy_swapctl(const cred_t * cr)2309 secpolicy_swapctl(const cred_t *cr)
2310 {
2311 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2312 }
2313 
2314 int
secpolicy_cpc_cpu(const cred_t * cr)2315 secpolicy_cpc_cpu(const cred_t *cr)
2316 {
2317 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2318 }
2319 
2320 /*
2321  * secpolicy_contract_identity
2322  *
2323  * Determine if the subject may set the process contract FMRI value
2324  */
2325 int
secpolicy_contract_identity(const cred_t * cr)2326 secpolicy_contract_identity(const cred_t *cr)
2327 {
2328 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2329 }
2330 
2331 /*
2332  * secpolicy_contract_observer
2333  *
2334  * Determine if the subject may observe a specific contract's events.
2335  */
2336 int
secpolicy_contract_observer(const cred_t * cr,struct contract * ct)2337 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2338 {
2339 	if (contract_owned(ct, cr, B_FALSE))
2340 		return (0);
2341 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2342 }
2343 
2344 /*
2345  * secpolicy_contract_observer_choice
2346  *
2347  * Determine if the subject may observe any contract's events.  Just
2348  * tests privilege and audits on success.
2349  */
2350 boolean_t
secpolicy_contract_observer_choice(const cred_t * cr)2351 secpolicy_contract_observer_choice(const cred_t *cr)
2352 {
2353 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2354 }
2355 
2356 /*
2357  * secpolicy_contract_event
2358  *
2359  * Determine if the subject may request critical contract events or
2360  * reliable contract event delivery.
2361  */
2362 int
secpolicy_contract_event(const cred_t * cr)2363 secpolicy_contract_event(const cred_t *cr)
2364 {
2365 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2366 }
2367 
2368 /*
2369  * secpolicy_contract_event_choice
2370  *
2371  * Determine if the subject may retain contract events in its critical
2372  * set when a change in other terms would normally require a change in
2373  * the critical set.  Just tests privilege and audits on success.
2374  */
2375 boolean_t
secpolicy_contract_event_choice(const cred_t * cr)2376 secpolicy_contract_event_choice(const cred_t *cr)
2377 {
2378 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2379 }
2380 
2381 /*
2382  * secpolicy_gart_access
2383  *
2384  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2385  * device.
2386  */
2387 int
secpolicy_gart_access(const cred_t * cr)2388 secpolicy_gart_access(const cred_t *cr)
2389 {
2390 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2391 }
2392 
2393 /*
2394  * secpolicy_gart_map
2395  *
2396  * Determine if the subject has sufficient priveleges to map aperture range
2397  * through agpgart driver.
2398  */
2399 int
secpolicy_gart_map(const cred_t * cr)2400 secpolicy_gart_map(const cred_t *cr)
2401 {
2402 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2403 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2404 		    NULL));
2405 	} else {
2406 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2407 		    NULL));
2408 	}
2409 }
2410 
2411 /*
2412  * secpolicy_hwmanip
2413  *
2414  * Determine if the subject can observe and manipulate a hardware device with a
2415  * dangerous blunt hammer, often suggests they can do something destructive.
2416  * Requires all privileges.
2417  */
2418 int
secpolicy_hwmanip(const cred_t * cr)2419 secpolicy_hwmanip(const cred_t *cr)
2420 {
2421 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2422 }
2423 
2424 /*
2425  * secpolicy_zinject
2426  *
2427  * Determine if the subject can inject faults in the ZFS fault injection
2428  * framework.  Requires all privileges.
2429  */
2430 int
secpolicy_zinject(const cred_t * cr)2431 secpolicy_zinject(const cred_t *cr)
2432 {
2433 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2434 }
2435 
2436 /*
2437  * secpolicy_zfs
2438  *
2439  * Determine if the subject has permission to manipulate ZFS datasets
2440  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2441  */
2442 int
secpolicy_zfs(const cred_t * cr)2443 secpolicy_zfs(const cred_t *cr)
2444 {
2445 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2446 }
2447 
2448 /*
2449  * secpolicy_idmap
2450  *
2451  * Determine if the calling process has permissions to register an SID
2452  * mapping daemon and allocate ephemeral IDs.
2453  */
2454 int
secpolicy_idmap(const cred_t * cr)2455 secpolicy_idmap(const cred_t *cr)
2456 {
2457 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2458 }
2459 
2460 /*
2461  * secpolicy_ucode_update
2462  *
2463  * Determine if the subject has sufficient privilege to update microcode.
2464  */
2465 int
secpolicy_ucode_update(const cred_t * scr)2466 secpolicy_ucode_update(const cred_t *scr)
2467 {
2468 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2469 }
2470 
2471 /*
2472  * secpolicy_sadopen
2473  *
2474  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2475  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2476  * In global zone, sys_config is required.
2477  * In exclusive-IP zones, sys_ip_config is required.
2478  * Note that sys_config is prohibited in non-global zones.
2479  */
2480 int
secpolicy_sadopen(const cred_t * credp)2481 secpolicy_sadopen(const cred_t *credp)
2482 {
2483 	priv_set_t pset;
2484 
2485 	priv_emptyset(&pset);
2486 
2487 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2488 		priv_addset(&pset, PRIV_SYS_CONFIG);
2489 	else
2490 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2491 
2492 	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2493 }
2494 
2495 
2496 /*
2497  * Add privileges to a particular privilege set; this is called when the
2498  * current sets of privileges are not sufficient.  I.e., we should always
2499  * call the policy override functions from here.
2500  * What we are allowed to have is in the Observed Permitted set; so
2501  * we compute the difference between that and the newset.
2502  */
2503 int
secpolicy_require_privs(const cred_t * cr,const priv_set_t * nset)2504 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2505 {
2506 	priv_set_t rqd;
2507 
2508 	rqd = CR_OPPRIV(cr);
2509 
2510 	priv_inverse(&rqd);
2511 	priv_intersect(nset, &rqd);
2512 
2513 	return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2514 }
2515 
2516 /*
2517  * secpolicy_smb
2518  *
2519  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2520  * that it has permission to access the smbsrv kernel driver.
2521  * PRIV_POLICY checks the privilege and audits the check.
2522  *
2523  * Returns:
2524  * 0       Driver access is allowed.
2525  * EPERM   Driver access is NOT permitted.
2526  */
2527 int
secpolicy_smb(const cred_t * cr)2528 secpolicy_smb(const cred_t *cr)
2529 {
2530 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2531 }
2532 
2533 /*
2534  * secpolicy_vscan
2535  *
2536  * Determine if cred_t has the necessary privileges to access a file
2537  * for virus scanning and update its extended system attributes.
2538  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2539  * PRIV_FILE_FLAG_SET - set extended system attributes
2540  *
2541  * PRIV_POLICY checks the privilege and audits the check.
2542  *
2543  * Returns:
2544  * 0      file access for virus scanning allowed.
2545  * EPERM  file access for virus scanning is NOT permitted.
2546  */
2547 int
secpolicy_vscan(const cred_t * cr)2548 secpolicy_vscan(const cred_t *cr)
2549 {
2550 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2551 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2552 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2553 		return (EPERM);
2554 	}
2555 
2556 	return (0);
2557 }
2558 
2559 /*
2560  * secpolicy_smbfs_login
2561  *
2562  * Determines if the caller can add and delete the smbfs login
2563  * password in the the nsmb kernel module for the CIFS client.
2564  *
2565  * Returns:
2566  * 0       access is allowed.
2567  * EPERM   access is NOT allowed.
2568  */
2569 int
secpolicy_smbfs_login(const cred_t * cr,uid_t uid)2570 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2571 {
2572 	uid_t cruid = crgetruid(cr);
2573 
2574 	if (cruid == uid)
2575 		return (0);
2576 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2577 	    EPERM, NULL));
2578 }
2579 
2580 /*
2581  * secpolicy_xvm_control
2582  *
2583  * Determines if a caller can control the xVM hypervisor and/or running
2584  * domains (x86 specific).
2585  *
2586  * Returns:
2587  * 0       access is allowed.
2588  * EPERM   access is NOT allowed.
2589  */
2590 int
secpolicy_xvm_control(const cred_t * cr)2591 secpolicy_xvm_control(const cred_t *cr)
2592 {
2593 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2594 		return (EPERM);
2595 	return (0);
2596 }
2597 
2598 /*
2599  * secpolicy_ppp_config
2600  *
2601  * Determine if the subject has sufficient privileges to configure PPP and
2602  * PPP-related devices.
2603  */
2604 int
secpolicy_ppp_config(const cred_t * cr)2605 secpolicy_ppp_config(const cred_t *cr)
2606 {
2607 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2608 		return (secpolicy_net_config(cr, B_FALSE));
2609 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2610 }
2611