xref: /illumos-gate/usr/src/uts/common/os/policy.c (revision ad8f9d95)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2016 Joyent, Inc.
24  * Copyright (c) 2016 by Delphix. All rights reserved.
25  * Copyright 2022 Oxide Computer Company
26  */
27 
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/cred_impl.h>
33 #include <sys/vnode.h>
34 #include <sys/vfs.h>
35 #include <sys/stat.h>
36 #include <sys/errno.h>
37 #include <sys/kmem.h>
38 #include <sys/user.h>
39 #include <sys/proc.h>
40 #include <sys/acct.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/cmn_err.h>
43 #include <sys/debug.h>
44 #include <sys/policy.h>
45 #include <sys/kobj.h>
46 #include <sys/msg.h>
47 #include <sys/devpolicy.h>
48 #include <c2/audit.h>
49 #include <sys/varargs.h>
50 #include <sys/klpd.h>
51 #include <sys/modctl.h>
52 #include <sys/disp.h>
53 #include <sys/zone.h>
54 #include <inet/optcom.h>
55 #include <sys/sdt.h>
56 #include <sys/vfs.h>
57 #include <sys/mntent.h>
58 #include <sys/contract_impl.h>
59 #include <sys/dld_ioc.h>
60 
61 /*
62  * There are two possible layers of privilege routines and two possible
63  * levels of secpolicy.  Plus one other we may not be interested in, so
64  * we may need as many as 6 but no more.
65  */
66 #define	MAXPRIVSTACK		6
67 
68 int priv_debug = 0;
69 int priv_basic_test = -1;
70 
71 /*
72  * Unlinking or creating new hard links to directories was historically allowed
73  * in some file systems; e.g., UFS allows root users to do it, at the cost of
74  * almost certain file system corruption that will require fsck to fix.
75  *
76  * Most modern operating systems and file systems (e.g., ZFS) do not allow this
77  * behaviour anymore, and we have elected to stamp it out entirely for
78  * compatibility and safety reasons.  An attempt to unlink a directory will
79  * fail with EPERM, as described in the standard.  During this transition, one
80  * can turn the behaviour back on, at their own risk, with this tuneable:
81  */
82 int priv_allow_linkdir = 0;
83 
84 /*
85  * This file contains the majority of the policy routines.
86  * Since the policy routines are defined by function and not
87  * by privilege, there is quite a bit of duplication of
88  * functions.
89  *
90  * The secpolicy functions must not make assumptions about
91  * locks held or not held as any lock can be held while they're
92  * being called.
93  *
94  * Credentials are read-only so no special precautions need to
95  * be taken while locking them.
96  *
97  * When a new policy check needs to be added to the system the
98  * following procedure should be followed:
99  *
100  *		Pick an appropriate secpolicy_*() function
101  *			-> done if one exists.
102  *		Create a new secpolicy function, preferably with
103  *		a descriptive name using the standard template.
104  *		Pick an appropriate privilege for the policy.
105  *		If no appropraite privilege exists, define new one
106  *		(this should be done with extreme care; in most cases
107  *		little is gained by adding another privilege)
108  *
109  * WHY ROOT IS STILL SPECIAL.
110  *
111  * In a number of the policy functions, there are still explicit
112  * checks for uid 0.  The rationale behind these is that many root
113  * owned files/objects hold configuration information which can give full
114  * privileges to the user once written to.  To prevent escalation
115  * of privilege by allowing just a single privilege to modify root owned
116  * objects, we've added these root specific checks where we considered
117  * them necessary: modifying root owned files, changing uids to 0, etc.
118  *
119  * PRIVILEGE ESCALATION AND ZONES.
120  *
121  * A number of operations potentially allow the caller to achieve
122  * privileges beyond the ones normally required to perform the operation.
123  * For example, if allowed to create a setuid 0 executable, a process can
124  * gain privileges beyond PRIV_FILE_SETID.  Zones, however, place
125  * restrictions on the ability to gain privileges beyond those available
126  * within the zone through file and process manipulation.  Hence, such
127  * operations require that the caller have an effective set that includes
128  * all privileges available within the current zone, or all privileges
129  * if executing in the global zone.
130  *
131  * This is indicated in the priv_policy* policy checking functions
132  * through a combination of parameters.  The "priv" parameter indicates
133  * the privilege that is required, and the "allzone" parameter indicates
134  * whether or not all privileges in the zone are required.  In addition,
135  * priv can be set to PRIV_ALL to indicate that all privileges are
136  * required (regardless of zone).  There are three scenarios of interest:
137  * (1) operation requires a specific privilege
138  * (2) operation requires a specific privilege, and requires all
139  *     privileges available within the zone (or all privileges if in
140  *     the global zone)
141  * (3) operation requires all privileges, regardless of zone
142  *
143  * For (1), priv should be set to the specific privilege, and allzone
144  * should be set to B_FALSE.
145  * For (2), priv should be set to the specific privilege, and allzone
146  * should be set to B_TRUE.
147  * For (3), priv should be set to PRIV_ALL, and allzone should be set
148  * to B_FALSE.
149  *
150  */
151 
152 /*
153  * The privileges are checked against the Effective set for
154  * ordinary processes and checked against the Limit set
155  * for euid 0 processes that haven't manipulated their privilege
156  * sets.
157  */
158 #define	HAS_ALLPRIVS(cr)	priv_isfullset(&CR_OEPRIV(cr))
159 #define	ZONEPRIVS(cr)		((cr)->cr_zone->zone_privset)
160 #define	HAS_ALLZONEPRIVS(cr)	priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
161 #define	HAS_PRIVILEGE(cr, pr)	((pr) == PRIV_ALL ? \
162 					HAS_ALLPRIVS(cr) : \
163 					PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
164 
165 #define	FAST_BASIC_CHECK(cr, priv)	\
166 	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
167 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
168 		return (0); \
169 	}
170 
171 /*
172  * Policy checking functions.
173  *
174  * All of the system's policy should be implemented here.
175  */
176 
177 /*
178  * Private functions which take an additional va_list argument to
179  * implement an object specific policy override.
180  */
181 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
182     const char *, va_list);
183 static int priv_policy_va(const cred_t *, int, boolean_t, int,
184     const char *, ...);
185 
186 /*
187  * Generic policy calls
188  *
189  * The "bottom" functions of policy control
190  */
191 static char *
mprintf(const char * fmt,...)192 mprintf(const char *fmt, ...)
193 {
194 	va_list args;
195 	char *buf;
196 	size_t len;
197 
198 	va_start(args, fmt);
199 	len = vsnprintf(NULL, 0, fmt, args) + 1;
200 	va_end(args);
201 
202 	buf = kmem_alloc(len, KM_NOSLEEP);
203 
204 	if (buf == NULL)
205 		return (NULL);
206 
207 	va_start(args, fmt);
208 	(void) vsnprintf(buf, len, fmt, args);
209 	va_end(args);
210 
211 	return (buf);
212 }
213 
214 /*
215  * priv_policy_errmsg()
216  *
217  * Generate an error message if privilege debugging is enabled system wide
218  * or for this particular process.
219  */
220 
221 #define	FMTHDR	"%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
222 #define	FMTMSG	" for \"%s\""
223 #define	FMTFUN	" needed at %s+0x%lx"
224 
225 /* The maximum size privilege format: the concatenation of the above */
226 #define	FMTMAX	FMTHDR FMTMSG FMTFUN "\n"
227 
228 static void
priv_policy_errmsg(const cred_t * cr,int priv,const char * msg)229 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
230 {
231 	struct proc *me;
232 	pc_t stack[MAXPRIVSTACK];
233 	int depth;
234 	int i;
235 	char *sym;
236 	ulong_t off;
237 	const char *pname;
238 
239 	char *cmd;
240 	char fmt[sizeof (FMTMAX)];
241 
242 	if ((me = curproc) == &p0)
243 		return;
244 
245 	/* Privileges must be defined  */
246 	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
247 	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
248 	    priv_getbynum(priv) != NULL);
249 
250 	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
251 		priv = PRIV_ALL;
252 
253 	if (curthread->t_pre_sys)
254 		ttolwp(curthread)->lwp_badpriv = (short)priv;
255 
256 	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
257 		return;
258 
259 	(void) strcpy(fmt, FMTHDR);
260 
261 	if (me->p_user.u_comm[0])
262 		cmd = &me->p_user.u_comm[0];
263 	else
264 		cmd = "priv_policy";
265 
266 	if (msg != NULL && *msg != '\0') {
267 		(void) strcat(fmt, FMTMSG);
268 	} else {
269 		(void) strcat(fmt, "%s");
270 		msg = "";
271 	}
272 
273 	sym = NULL;
274 
275 	depth = getpcstack(stack, MAXPRIVSTACK);
276 
277 	/*
278 	 * Try to find the first interesting function on the stack.
279 	 * priv_policy* that's us, so completely uninteresting.
280 	 * suser(), drv_priv(), secpolicy_* are also called from
281 	 * too many locations to convey useful information.
282 	 */
283 	for (i = 0; i < depth; i++) {
284 		sym = kobj_getsymname((uintptr_t)stack[i], &off);
285 		if (sym != NULL &&
286 		    strstr(sym, "hasprocperm") == 0 &&
287 		    strcmp("suser", sym) != 0 &&
288 		    strcmp("ipcaccess", sym) != 0 &&
289 		    strcmp("drv_priv", sym) != 0 &&
290 		    strncmp("secpolicy_", sym, 10) != 0 &&
291 		    strncmp("priv_policy", sym, 11) != 0)
292 			break;
293 	}
294 
295 	if (sym != NULL)
296 		(void) strcat(fmt, FMTFUN);
297 
298 	(void) strcat(fmt, "\n");
299 
300 	switch (priv) {
301 	case PRIV_ALL:
302 		pname = "ALL";
303 		break;
304 	case PRIV_MULTIPLE:
305 		pname = "MULTIPLE";
306 		break;
307 	case PRIV_ALLZONE:
308 		pname = "ZONE";
309 		break;
310 	case PRIV_GLOBAL:
311 		pname = "GLOBAL";
312 		break;
313 	default:
314 		pname = priv_getbynum(priv);
315 		break;
316 	}
317 
318 	if (CR_FLAGS(cr) & PRIV_DEBUG) {
319 		/* Remember last message, just like lwp_badpriv. */
320 		if (curthread->t_pdmsg != NULL) {
321 			kmem_free(curthread->t_pdmsg,
322 			    strlen(curthread->t_pdmsg) + 1);
323 		}
324 
325 		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
326 		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);
327 
328 		curthread->t_post_sys = 1;
329 	}
330 	if (priv_debug) {
331 		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
332 		    curthread->t_sysnum, msg, sym, off);
333 	}
334 }
335 
336 /*
337  * Override the policy, if appropriate.  Return 0 if the external
338  * policy engine approves.
339  */
340 static int
priv_policy_override(const cred_t * cr,int priv,boolean_t allzone,va_list ap)341 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
342 {
343 	priv_set_t set;
344 	int ret;
345 
346 	if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
347 		return (-1);
348 
349 	if (priv == PRIV_ALL) {
350 		priv_fillset(&set);
351 	} else if (allzone) {
352 		set = *ZONEPRIVS(cr);
353 	} else {
354 		priv_emptyset(&set);
355 		priv_addset(&set, priv);
356 	}
357 	ret = klpd_call(cr, &set, ap);
358 	return (ret);
359 }
360 
361 static int
priv_policy_override_set(const cred_t * cr,const priv_set_t * req,va_list ap)362 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
363 {
364 	if (CR_FLAGS(cr) & PRIV_PFEXEC)
365 		return (check_user_privs(cr, req));
366 	if (CR_FLAGS(cr) & PRIV_XPOLICY) {
367 		return (klpd_call(cr, req, ap));
368 	}
369 	return (-1);
370 }
371 
372 static int
priv_policy_override_set_va(const cred_t * cr,const priv_set_t * req,...)373 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
374 {
375 	va_list ap;
376 	int ret;
377 
378 	va_start(ap, req);
379 	ret = priv_policy_override_set(cr, req, ap);
380 	va_end(ap);
381 	return (ret);
382 }
383 
384 /*
385  * Audit failure, log error message.
386  */
387 static void
priv_policy_err(const cred_t * cr,int priv,boolean_t allzone,const char * msg)388 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
389 {
390 
391 	if (AU_AUDITING())
392 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
393 	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
394 
395 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
396 	    curthread->t_pre_sys) {
397 		if (allzone && !HAS_ALLZONEPRIVS(cr)) {
398 			priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
399 		} else {
400 			ASSERT(!HAS_PRIVILEGE(cr, priv));
401 			priv_policy_errmsg(cr, priv, msg);
402 		}
403 	}
404 }
405 
406 /*
407  * priv_policy_ap()
408  * return 0 or error.
409  * See block comment above for a description of "priv" and "allzone" usage.
410  */
411 static int
priv_policy_ap(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,va_list ap)412 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
413     const char *msg, va_list ap)
414 {
415 	if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
416 	    (!servicing_interrupt() &&
417 	    priv_policy_override(cr, priv, allzone, ap) == 0)) {
418 		if ((allzone || priv == PRIV_ALL ||
419 		    !PRIV_ISASSERT(priv_basic, priv)) &&
420 		    !servicing_interrupt()) {
421 			PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
422 			if (AU_AUDITING())
423 				audit_priv(priv,
424 				    allzone ? ZONEPRIVS(cr) : NULL, 1);
425 		}
426 		err = 0;
427 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
428 	} else if (!servicing_interrupt()) {
429 		/* Failure audited in this procedure */
430 		priv_policy_err(cr, priv, allzone, msg);
431 	}
432 	return (err);
433 }
434 
435 int
priv_policy_va(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,...)436 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
437     const char *msg, ...)
438 {
439 	int ret;
440 	va_list ap;
441 
442 	va_start(ap, msg);
443 	ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
444 	va_end(ap);
445 
446 	return (ret);
447 }
448 
449 int
priv_policy(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg)450 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
451     const char *msg)
452 {
453 	return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
454 }
455 
456 /*
457  * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
458  */
459 boolean_t
priv_policy_choice(const cred_t * cr,int priv,boolean_t allzone)460 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
461 {
462 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
463 	    (!allzone || HAS_ALLZONEPRIVS(cr));
464 
465 	/* Audit success only */
466 	if (res && AU_AUDITING() &&
467 	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
468 	    !servicing_interrupt()) {
469 		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
470 	}
471 	if (res) {
472 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
473 	} else {
474 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
475 	}
476 	return (res);
477 }
478 
479 /*
480  * Non-auditing variant of priv_policy_choice().
481  */
482 boolean_t
priv_policy_only(const cred_t * cr,int priv,boolean_t allzone)483 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
484 {
485 	boolean_t res = HAS_PRIVILEGE(cr, priv) &&
486 	    (!allzone || HAS_ALLZONEPRIVS(cr));
487 
488 	if (res) {
489 		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
490 	} else {
491 		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
492 	}
493 	return (res);
494 }
495 
496 /*
497  * Check whether all privileges in the required set are present.
498  */
499 static int
secpolicy_require_set(const cred_t * cr,const priv_set_t * req,const char * msg,...)500 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
501     const char *msg, ...)
502 {
503 	int priv;
504 	int pfound = -1;
505 	priv_set_t pset;
506 	va_list ap;
507 	int ret;
508 
509 	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
510 	    &CR_OEPRIV(cr))) {
511 		return (0);
512 	}
513 
514 	va_start(ap, msg);
515 	ret = priv_policy_override_set(cr, req, ap);
516 	va_end(ap);
517 	if (ret == 0)
518 		return (0);
519 
520 	if (req == PRIV_FULLSET || priv_isfullset(req)) {
521 		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
522 		return (EACCES);
523 	}
524 
525 	pset = CR_OEPRIV(cr);		/* present privileges */
526 	priv_inverse(&pset);		/* all non present privileges */
527 	priv_intersect(req, &pset);	/* the actual missing privs */
528 
529 	if (AU_AUDITING())
530 		audit_priv(PRIV_NONE, &pset, 0);
531 	/*
532 	 * Privilege debugging; special case "one privilege in set".
533 	 */
534 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
535 		for (priv = 0; priv < nprivs; priv++) {
536 			if (priv_ismember(&pset, priv)) {
537 				if (pfound != -1) {
538 					/* Multiple missing privs */
539 					priv_policy_errmsg(cr, PRIV_MULTIPLE,
540 					    msg);
541 					return (EACCES);
542 				}
543 				pfound = priv;
544 			}
545 		}
546 		ASSERT(pfound != -1);
547 		/* Just the one missing privilege */
548 		priv_policy_errmsg(cr, pfound, msg);
549 	}
550 
551 	return (EACCES);
552 }
553 
554 /*
555  * Called when an operation requires that the caller be in the
556  * global zone, regardless of privilege.
557  */
558 static int
priv_policy_global(const cred_t * cr)559 priv_policy_global(const cred_t *cr)
560 {
561 	if (crgetzoneid(cr) == GLOBAL_ZONEID)
562 		return (0);	/* success */
563 
564 	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
565 	    curthread->t_pre_sys) {
566 		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
567 	}
568 	return (EPERM);
569 }
570 
571 /*
572  * Raising process priority
573  */
574 int
secpolicy_raisepriority(const cred_t * cr)575 secpolicy_raisepriority(const cred_t *cr)
576 {
577 	if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
578 		return (0);
579 	return (secpolicy_setpriority(cr));
580 }
581 
582 /*
583  * Changing process priority or scheduling class
584  */
585 int
secpolicy_setpriority(const cred_t * cr)586 secpolicy_setpriority(const cred_t *cr)
587 {
588 	return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
589 }
590 
591 /*
592  * Binding to a privileged port, port must be specified in host byte
593  * order.
594  * When adding a new privilege which allows binding to currently privileged
595  * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
596  * to these ports because of backward compatibility.
597  */
598 int
secpolicy_net_privaddr(const cred_t * cr,in_port_t port,int proto)599 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
600 {
601 	char *reason;
602 	int priv;
603 
604 	switch (port) {
605 	case 137:
606 	case 138:
607 	case 139:
608 	case 445:
609 		/*
610 		 * NBT and SMB ports, these are normal privileged ports,
611 		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
612 		 * is present.
613 		 * Try both, if neither is present return an error for
614 		 * priv SYS_SMB.
615 		 */
616 		if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
617 			priv = PRIV_NET_PRIVADDR;
618 		else
619 			priv = PRIV_SYS_SMB;
620 		reason = "NBT or SMB port";
621 		break;
622 
623 	case 2049:
624 	case 4045:
625 		/*
626 		 * NFS ports, these are extra privileged ports, allow bind
627 		 * only if the SYS_NFS privilege is present.
628 		 */
629 		priv = PRIV_SYS_NFS;
630 		reason = "NFS port";
631 		break;
632 
633 	default:
634 		priv = PRIV_NET_PRIVADDR;
635 		reason = NULL;
636 		break;
637 
638 	}
639 
640 	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
641 	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
642 }
643 
644 /*
645  * Binding to a multilevel port on a trusted (labeled) system.
646  */
647 int
secpolicy_net_bindmlp(const cred_t * cr)648 secpolicy_net_bindmlp(const cred_t *cr)
649 {
650 	return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
651 }
652 
653 /*
654  * Allow a communication between a zone and an unlabeled host when their
655  * labels don't match.
656  */
657 int
secpolicy_net_mac_aware(const cred_t * cr)658 secpolicy_net_mac_aware(const cred_t *cr)
659 {
660 	return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
661 }
662 
663 /*
664  * Allow a privileged process to transmit traffic without explicit labels
665  */
666 int
secpolicy_net_mac_implicit(const cred_t * cr)667 secpolicy_net_mac_implicit(const cred_t *cr)
668 {
669 	return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
670 }
671 
672 /*
673  * Common routine which determines whether a given credential can
674  * act on a given mount.
675  * When called through mount, the parameter needoptcheck is a pointer
676  * to a boolean variable which will be set to either true or false,
677  * depending on whether the mount policy should change the mount options.
678  * In all other cases, needoptcheck should be a NULL pointer.
679  */
680 static int
secpolicy_fs_common(cred_t * cr,vnode_t * mvp,const vfs_t * vfsp,boolean_t * needoptcheck)681 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
682     boolean_t *needoptcheck)
683 {
684 	boolean_t allzone = B_FALSE;
685 	boolean_t mounting = needoptcheck != NULL;
686 
687 	/*
688 	 * Short circuit the following cases:
689 	 *	vfsp == NULL or mvp == NULL (pure privilege check)
690 	 *	have all privileges - no further checks required
691 	 *	and no mount options need to be set.
692 	 */
693 	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
694 		if (mounting)
695 			*needoptcheck = B_FALSE;
696 
697 		return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
698 		    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
699 	}
700 
701 	/*
702 	 * When operating on an existing mount (either we're not mounting
703 	 * or we're doing a remount and VFS_REMOUNT will be set), zones
704 	 * can operate only on mounts established by the zone itself.
705 	 */
706 	if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
707 		zoneid_t zoneid = crgetzoneid(cr);
708 
709 		if (zoneid != GLOBAL_ZONEID &&
710 		    vfsp->vfs_zone->zone_id != zoneid) {
711 			return (EPERM);
712 		}
713 	}
714 
715 	if (mounting)
716 		*needoptcheck = B_TRUE;
717 
718 	/*
719 	 * Overlay mounts may hide important stuff; if you can't write to a
720 	 * mount point but would be able to mount on top of it, you can
721 	 * escalate your privileges.
722 	 * So we go about asking the same questions namefs does when it
723 	 * decides whether you can mount over a file or not but with the
724 	 * added restriction that you can only mount on top of a regular
725 	 * file or directory.
726 	 * If we have all the zone's privileges, we skip all other checks,
727 	 * or else we may actually get in trouble inside the automounter.
728 	 */
729 	if ((mvp->v_flag & VROOT) != 0 ||
730 	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
731 	    HAS_ALLZONEPRIVS(cr)) {
732 		allzone = B_TRUE;
733 	} else {
734 		vattr_t va;
735 		int err;
736 
737 		va.va_mask = AT_UID|AT_MODE;
738 		err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
739 		if (err != 0)
740 			return (err);
741 
742 		if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
743 			return (err);
744 
745 		if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
746 		    VWRITE) != 0) {
747 			return (EACCES);
748 		}
749 	}
750 	return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
751 	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
752 }
753 
754 void
secpolicy_fs_mount_clearopts(cred_t * cr,struct vfs * vfsp)755 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
756 {
757 	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
758 
759 	/*
760 	 * check; if we don't have either "nosuid" or
761 	 * both "nosetuid" and "nodevices", then we add
762 	 * "nosuid"; this depends on how the current
763 	 * implementation works (it first checks nosuid).  In a
764 	 * zone, a user with all zone privileges can mount with
765 	 * "setuid" but never with "devices".
766 	 */
767 	if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
768 	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
769 	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
770 		if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
771 			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
772 		else
773 			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
774 	}
775 	/*
776 	 * If we're not the local super user, we set the "restrict"
777 	 * option to indicate to automountd that this mount should
778 	 * be handled with care.
779 	 */
780 	if (!amsuper)
781 		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
782 
783 }
784 
785 int
secpolicy_fs_allowed_mount(const char * fsname)786 secpolicy_fs_allowed_mount(const char *fsname)
787 {
788 	struct vfssw *vswp;
789 	const char *p;
790 	size_t len;
791 
792 	ASSERT(fsname != NULL);
793 	ASSERT(fsname[0] != '\0');
794 
795 	if (INGLOBALZONE(curproc))
796 		return (0);
797 
798 	vswp = vfs_getvfssw(fsname);
799 	if (vswp == NULL)
800 		return (ENOENT);
801 
802 	if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
803 		vfs_unrefvfssw(vswp);
804 		return (0);
805 	}
806 
807 	vfs_unrefvfssw(vswp);
808 
809 	p = curzone->zone_fs_allowed;
810 	len = strlen(fsname);
811 
812 	while (p != NULL && *p != '\0') {
813 		if (strncmp(p, fsname, len) == 0) {
814 			char c = *(p + len);
815 			if (c == '\0' || c == ',')
816 				return (0);
817 		}
818 
819 		/* skip to beyond the next comma */
820 		if ((p = strchr(p, ',')) != NULL)
821 			p++;
822 	}
823 
824 	return (EPERM);
825 }
826 
827 extern vnode_t *rootvp;
828 extern vfs_t *rootvfs;
829 
830 int
secpolicy_fs_mount(cred_t * cr,vnode_t * mvp,struct vfs * vfsp)831 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
832 {
833 	boolean_t needoptchk;
834 	int error;
835 
836 	/*
837 	 * If it's a remount, get the underlying mount point,
838 	 * except for the root where we use the rootvp.
839 	 */
840 	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
841 		if (vfsp == rootvfs)
842 			mvp = rootvp;
843 		else
844 			mvp = vfsp->vfs_vnodecovered;
845 	}
846 
847 	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
848 
849 	if (error == 0 && needoptchk) {
850 		secpolicy_fs_mount_clearopts(cr, vfsp);
851 	}
852 
853 	return (error);
854 }
855 
856 /*
857  * Does the policy computations for "ownership" of a mount;
858  * here ownership is defined as the ability to "mount"
859  * the filesystem originally.  The rootvfs doesn't cover any
860  * vnodes; we attribute its ownership to the rootvp.
861  */
862 static int
secpolicy_fs_owner(cred_t * cr,const struct vfs * vfsp)863 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
864 {
865 	vnode_t *mvp;
866 
867 	if (vfsp == NULL)
868 		mvp = NULL;
869 	else if (vfsp == rootvfs)
870 		mvp = rootvp;
871 	else
872 		mvp = vfsp->vfs_vnodecovered;
873 
874 	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
875 }
876 
877 int
secpolicy_fs_unmount(cred_t * cr,struct vfs * vfsp)878 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
879 {
880 	return (secpolicy_fs_owner(cr, vfsp));
881 }
882 
883 /*
884  * Quotas are a resource, but if one has the ability to mount a filesystem,
885  * they should be able to modify quotas on it.
886  */
887 int
secpolicy_fs_quota(const cred_t * cr,const vfs_t * vfsp)888 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
889 {
890 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
891 }
892 
893 /*
894  * Exceeding minfree: also a per-mount resource constraint.
895  */
896 int
secpolicy_fs_minfree(const cred_t * cr,const vfs_t * vfsp)897 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
898 {
899 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
900 }
901 
902 int
secpolicy_fs_config(const cred_t * cr,const vfs_t * vfsp)903 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
904 {
905 	return (secpolicy_fs_owner((cred_t *)cr, vfsp));
906 }
907 
908 /* ARGSUSED */
909 int
secpolicy_fs_linkdir(const cred_t * cr,const vfs_t * vfsp)910 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
911 {
912 	if (priv_allow_linkdir == 0) {
913 		/*
914 		 * By default, this policy check will now always return EPERM
915 		 * unless overridden.
916 		 *
917 		 * We do so without triggering auditing or allowing privilege
918 		 * debugging for two reasons: first, we intend eventually to
919 		 * deprecate the PRIV_SYS_LINKDIR privilege entirely and remove
920 		 * the use of this policy check from the file systems; second,
921 		 * for privilege debugging in particular, because it would be
922 		 * confusing to report an unlink() failure as the result of a
923 		 * missing privilege when in fact we are simply no longer
924 		 * allowing the operation at all.
925 		 */
926 		return (EPERM);
927 	}
928 
929 	return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
930 }
931 
932 /*
933  * Name:        secpolicy_vnode_access()
934  *
935  * Parameters:  Process credential
936  *		vnode
937  *		uid of owner of vnode
938  *		permission bits not granted to the caller when examining
939  *		file mode bits (i.e., when a process wants to open a
940  *		mode 444 file for VREAD|VWRITE, this function should be
941  *		called only with a VWRITE argument).
942  *
943  * Normal:      Verifies that cred has the appropriate privileges to
944  *              override the mode bits that were denied.
945  *
946  * Override:    file_dac_execute - if VEXEC bit was denied and vnode is
947  *                      not a directory.
948  *              file_dac_read - if VREAD bit was denied.
949  *              file_dac_search - if VEXEC bit was denied and vnode is
950  *                      a directory.
951  *              file_dac_write - if VWRITE bit was denied.
952  *
953  *		Root owned files are special cased to protect system
954  *		configuration files and such.
955  *
956  * Output:      EACCES - if privilege check fails.
957  */
958 
959 int
secpolicy_vnode_access(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t mode)960 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
961 {
962 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
963 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
964 	    KLPDARG_NOMORE) != 0) {
965 		return (EACCES);
966 	}
967 
968 	if (mode & VWRITE) {
969 		boolean_t allzone;
970 
971 		if (owner == 0 && cr->cr_uid != 0)
972 			allzone = B_TRUE;
973 		else
974 			allzone = B_FALSE;
975 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
976 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
977 		    KLPDARG_NOMORE) != 0) {
978 			return (EACCES);
979 		}
980 	}
981 
982 	if (mode & VEXEC) {
983 		/*
984 		 * Directories use file_dac_search to override the execute bit.
985 		 */
986 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
987 		    PRIV_FILE_DAC_EXECUTE;
988 
989 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
990 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
991 	}
992 	return (0);
993 }
994 
995 /*
996  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
997  * current mode of the file, not the missing bits.
998  */
999 int
secpolicy_vnode_access2(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t curmode,mode_t wantmode)1000 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
1001     mode_t curmode, mode_t wantmode)
1002 {
1003 	mode_t mode;
1004 
1005 	/* Inline the basic privileges tests. */
1006 	if ((wantmode & VREAD) &&
1007 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
1008 	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
1009 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
1010 		return (EACCES);
1011 	}
1012 
1013 	if ((wantmode & VWRITE) &&
1014 	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
1015 	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
1016 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
1017 		return (EACCES);
1018 	}
1019 
1020 	mode = ~curmode & wantmode;
1021 
1022 	if (mode == 0)
1023 		return (0);
1024 
1025 	if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
1026 	    EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
1027 	    KLPDARG_NOMORE) != 0) {
1028 		return (EACCES);
1029 	}
1030 
1031 	if (mode & VWRITE) {
1032 		boolean_t allzone;
1033 
1034 		if (owner == 0 && cr->cr_uid != 0)
1035 			allzone = B_TRUE;
1036 		else
1037 			allzone = B_FALSE;
1038 		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1039 		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
1040 		    KLPDARG_NOMORE) != 0) {
1041 			return (EACCES);
1042 		}
1043 	}
1044 
1045 	if (mode & VEXEC) {
1046 		/*
1047 		 * Directories use file_dac_search to override the execute bit.
1048 		 */
1049 		int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1050 		    PRIV_FILE_DAC_EXECUTE;
1051 
1052 		return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1053 		    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1054 	}
1055 	return (0);
1056 }
1057 
1058 /*
1059  * This is a special routine for ZFS; it is used to determine whether
1060  * any of the privileges in effect allow any form of access to the
1061  * file.  There's no reason to audit this or any reason to record
1062  * this.  More work is needed to do the "KPLD" stuff.
1063  */
1064 int
secpolicy_vnode_any_access(const cred_t * cr,vnode_t * vp,uid_t owner)1065 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1066 {
1067 	static int privs[] = {
1068 	    PRIV_FILE_OWNER,
1069 	    PRIV_FILE_CHOWN,
1070 	    PRIV_FILE_DAC_READ,
1071 	    PRIV_FILE_DAC_WRITE,
1072 	    PRIV_FILE_DAC_EXECUTE,
1073 	    PRIV_FILE_DAC_SEARCH,
1074 	};
1075 	int i;
1076 
1077 	/* Same as secpolicy_vnode_setdac */
1078 	if (owner == cr->cr_uid)
1079 		return (0);
1080 
1081 	for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1082 		boolean_t allzone = B_FALSE;
1083 		int priv;
1084 
1085 		switch (priv = privs[i]) {
1086 		case PRIV_FILE_DAC_EXECUTE:
1087 			if (vp->v_type == VDIR)
1088 				continue;
1089 			break;
1090 		case PRIV_FILE_DAC_SEARCH:
1091 			if (vp->v_type != VDIR)
1092 				continue;
1093 			break;
1094 		case PRIV_FILE_DAC_WRITE:
1095 		case PRIV_FILE_OWNER:
1096 		case PRIV_FILE_CHOWN:
1097 			/* We know here that if owner == 0, that cr_uid != 0 */
1098 			allzone = owner == 0;
1099 			break;
1100 		}
1101 		if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1102 			return (0);
1103 	}
1104 	return (EPERM);
1105 }
1106 
1107 /*
1108  * Name:	secpolicy_vnode_setid_modify()
1109  *
1110  * Normal:	verify that subject can set the file setid flags.
1111  *
1112  * Output:	EPERM - if not privileged.
1113  */
1114 
1115 static int
secpolicy_vnode_setid_modify(const cred_t * cr,uid_t owner)1116 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1117 {
1118 	/* If changing to suid root, must have all zone privs */
1119 	boolean_t allzone = B_TRUE;
1120 
1121 	if (owner != 0) {
1122 		if (owner == cr->cr_uid)
1123 			return (0);
1124 		allzone = B_FALSE;
1125 	}
1126 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1127 }
1128 
1129 /*
1130  * Are we allowed to retain the set-uid/set-gid bits when
1131  * changing ownership or when writing to a file?
1132  * "issuid" should be true when set-uid; only in that case
1133  * root ownership is checked (setgid is assumed).
1134  */
1135 int
secpolicy_vnode_setid_retain(const cred_t * cred,boolean_t issuidroot)1136 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1137 {
1138 	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1139 		return (EPERM);
1140 
1141 	return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1142 }
1143 
1144 /*
1145  * Name:	secpolicy_vnode_setids_setgids()
1146  *
1147  * Normal:	verify that subject can set the file setgid flag.
1148  *
1149  * Output:	EPERM - if not privileged
1150  */
1151 
1152 int
secpolicy_vnode_setids_setgids(const cred_t * cred,gid_t gid)1153 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1154 {
1155 	if (!groupmember(gid, cred))
1156 		return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1157 		    NULL));
1158 	return (0);
1159 }
1160 
1161 /*
1162  * Name:	secpolicy_vnode_chown
1163  *
1164  * Normal:	Determine if subject can chown owner of a file.
1165  *
1166  * Output:	EPERM - if access denied
1167  */
1168 
1169 int
secpolicy_vnode_chown(const cred_t * cred,uid_t owner)1170 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1171 {
1172 	boolean_t is_owner = (owner == crgetuid(cred));
1173 	boolean_t allzone = B_FALSE;
1174 	int priv;
1175 
1176 	if (!is_owner) {
1177 		allzone = (owner == 0);
1178 		priv = PRIV_FILE_CHOWN;
1179 	} else {
1180 		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1181 		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1182 	}
1183 
1184 	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1185 }
1186 
1187 /*
1188  * Name:	secpolicy_vnode_create_gid
1189  *
1190  * Normal:	Determine if subject can change group ownership of a file.
1191  *
1192  * Output:	EPERM - if access denied
1193  */
1194 int
secpolicy_vnode_create_gid(const cred_t * cred)1195 secpolicy_vnode_create_gid(const cred_t *cred)
1196 {
1197 	if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1198 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1199 		    NULL));
1200 	else
1201 		return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1202 		    NULL));
1203 }
1204 
1205 /*
1206  * Name:	secpolicy_vnode_utime_modify()
1207  *
1208  * Normal:	verify that subject can modify the utime on a file.
1209  *
1210  * Output:	EPERM - if access denied.
1211  */
1212 
1213 static int
secpolicy_vnode_utime_modify(const cred_t * cred)1214 secpolicy_vnode_utime_modify(const cred_t *cred)
1215 {
1216 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1217 	    "modify file times"));
1218 }
1219 
1220 
1221 /*
1222  * Name:	secpolicy_vnode_setdac()
1223  *
1224  * Normal:	verify that subject can modify the mode of a file.
1225  *		allzone privilege needed when modifying root owned object.
1226  *
1227  * Output:	EPERM - if access denied.
1228  */
1229 
1230 int
secpolicy_vnode_setdac(const cred_t * cred,uid_t owner)1231 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1232 {
1233 	if (owner == cred->cr_uid)
1234 		return (0);
1235 
1236 	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1237 }
1238 /*
1239  * Name:	secpolicy_vnode_stky_modify()
1240  *
1241  * Normal:	verify that subject can make a file a "sticky".
1242  *
1243  * Output:	EPERM - if access denied.
1244  */
1245 
1246 int
secpolicy_vnode_stky_modify(const cred_t * cred)1247 secpolicy_vnode_stky_modify(const cred_t *cred)
1248 {
1249 	return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1250 	    "set file sticky"));
1251 }
1252 
1253 /*
1254  * Policy determines whether we can remove an entry from a directory,
1255  * regardless of permission bits.
1256  */
1257 int
secpolicy_vnode_remove(const cred_t * cr)1258 secpolicy_vnode_remove(const cred_t *cr)
1259 {
1260 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1261 	    "sticky directory"));
1262 }
1263 
1264 int
secpolicy_vnode_owner(const cred_t * cr,uid_t owner)1265 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1266 {
1267 	boolean_t allzone = (owner == 0);
1268 
1269 	if (owner == cr->cr_uid)
1270 		return (0);
1271 
1272 	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1273 }
1274 
1275 void
secpolicy_setid_clear(vattr_t * vap,cred_t * cr)1276 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1277 {
1278 	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1279 	    secpolicy_vnode_setid_retain(cr,
1280 	    (vap->va_mode & S_ISUID) != 0 &&
1281 	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1282 		vap->va_mask |= AT_MODE;
1283 		vap->va_mode &= ~(S_ISUID|S_ISGID);
1284 	}
1285 }
1286 
1287 int
secpolicy_setid_setsticky_clear(vnode_t * vp,vattr_t * vap,const vattr_t * ovap,cred_t * cr)1288 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1289     cred_t *cr)
1290 {
1291 	int error;
1292 
1293 	if ((vap->va_mode & S_ISUID) != 0 &&
1294 	    (error = secpolicy_vnode_setid_modify(cr,
1295 	    ovap->va_uid)) != 0) {
1296 		return (error);
1297 	}
1298 
1299 	/*
1300 	 * Check privilege if attempting to set the
1301 	 * sticky bit on a non-directory.
1302 	 */
1303 	if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1304 	    secpolicy_vnode_stky_modify(cr) != 0) {
1305 		vap->va_mode &= ~S_ISVTX;
1306 	}
1307 
1308 	/*
1309 	 * Check for privilege if attempting to set the
1310 	 * group-id bit.
1311 	 */
1312 	if ((vap->va_mode & S_ISGID) != 0 &&
1313 	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1314 		vap->va_mode &= ~S_ISGID;
1315 	}
1316 
1317 	return (0);
1318 }
1319 
1320 #define	ATTR_FLAG_PRIV(attr, value, cr)	\
1321 	PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1322 	B_FALSE, EPERM, NULL)
1323 
1324 /*
1325  * Check privileges for setting xvattr attributes
1326  */
1327 int
secpolicy_xvattr(xvattr_t * xvap,uid_t owner,cred_t * cr,vtype_t vtype)1328 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1329 {
1330 	xoptattr_t *xoap;
1331 	int error = 0;
1332 
1333 	if ((xoap = xva_getxoptattr(xvap)) == NULL)
1334 		return (EINVAL);
1335 
1336 	/*
1337 	 * First process the DOS bits
1338 	 */
1339 	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1340 	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1341 	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1342 	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1343 	    XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1344 	    XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1345 	    XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1346 		if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1347 			return (error);
1348 	}
1349 
1350 	/*
1351 	 * Now handle special attributes
1352 	 */
1353 
1354 	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1355 		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1356 		    xoap->xoa_immutable, cr);
1357 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1358 		error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1359 		    xoap->xoa_nounlink, cr);
1360 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1361 		error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1362 		    xoap->xoa_appendonly, cr);
1363 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1364 		error = ATTR_FLAG_PRIV(XAT_NODUMP,
1365 		    xoap->xoa_nodump, cr);
1366 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1367 		error = EPERM;
1368 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1369 		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1370 		    xoap->xoa_av_quarantined, cr);
1371 		if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1372 			error = EINVAL;
1373 	}
1374 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1375 		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1376 		    xoap->xoa_av_modified, cr);
1377 	if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1378 		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1379 		    xoap->xoa_av_scanstamp, cr);
1380 		if (error == 0 && vtype != VREG)
1381 			error = EINVAL;
1382 	}
1383 	return (error);
1384 }
1385 
1386 /*
1387  * This function checks the policy decisions surrounding the
1388  * vop setattr call.
1389  *
1390  * It should be called after sufficient locks have been established
1391  * on the underlying data structures.  No concurrent modifications
1392  * should be allowed.
1393  *
1394  * The caller must pass in unlocked version of its vaccess function
1395  * this is required because vop_access function should lock the
1396  * node for reading.  A three argument function should be defined
1397  * which accepts the following argument:
1398  *	A pointer to the internal "node" type (inode *)
1399  *	vnode access bits (VREAD|VWRITE|VEXEC)
1400  *	a pointer to the credential
1401  *
1402  * This function makes the following policy decisions:
1403  *
1404  *		- change permissions
1405  *			- permission to change file mode if not owner
1406  *			- permission to add sticky bit to non-directory
1407  *			- permission to add set-gid bit
1408  *
1409  * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1410  *
1411  * If the vap argument does not include AT_MODE, the mode will be copied from
1412  * ovap.  In certain situations set-uid/set-gid bits need to be removed;
1413  * this is done by marking vap->va_mask to include AT_MODE and va_mode
1414  * is updated to the newly computed mode.
1415  */
1416 
1417 int
secpolicy_vnode_setattr(cred_t * cr,struct vnode * vp,struct vattr * vap,const struct vattr * ovap,int flags,int unlocked_access (void *,int,cred_t *),void * node)1418 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1419     const struct vattr *ovap, int flags,
1420     int unlocked_access(void *, int, cred_t *),
1421     void *node)
1422 {
1423 	int mask = vap->va_mask;
1424 	int error = 0;
1425 	boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1426 
1427 	if (mask & AT_SIZE) {
1428 		if (vp->v_type == VDIR) {
1429 			error = EISDIR;
1430 			goto out;
1431 		}
1432 
1433 		/*
1434 		 * If ATTR_NOACLCHECK is set in the flags, then we don't
1435 		 * perform the secondary unlocked_access() call since the
1436 		 * ACL (if any) is being checked there.
1437 		 */
1438 		if (skipaclchk == B_FALSE) {
1439 			error = unlocked_access(node, VWRITE, cr);
1440 			if (error)
1441 				goto out;
1442 		}
1443 	}
1444 	if (mask & AT_MODE) {
1445 		/*
1446 		 * If not the owner of the file then check privilege
1447 		 * for two things: the privilege to set the mode at all
1448 		 * and, if we're setting setuid, we also need permissions
1449 		 * to add the set-uid bit, if we're not the owner.
1450 		 * In the specific case of creating a set-uid root
1451 		 * file, we need even more permissions.
1452 		 */
1453 		if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1454 			goto out;
1455 
1456 		if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1457 		    ovap, cr)) != 0)
1458 			goto out;
1459 	} else
1460 		vap->va_mode = ovap->va_mode;
1461 
1462 	if (mask & (AT_UID|AT_GID)) {
1463 		boolean_t checkpriv = B_FALSE;
1464 
1465 		/*
1466 		 * Chowning files.
1467 		 *
1468 		 * If you are the file owner:
1469 		 *	chown to other uid		FILE_CHOWN_SELF
1470 		 *	chown to gid (non-member)	FILE_CHOWN_SELF
1471 		 *	chown to gid (member)		<none>
1472 		 *
1473 		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1474 		 * acceptable but the first one is reported when debugging.
1475 		 *
1476 		 * If you are not the file owner:
1477 		 *	chown from root			PRIV_FILE_CHOWN + zone
1478 		 *	chown from other to any		PRIV_FILE_CHOWN
1479 		 *
1480 		 */
1481 		if (cr->cr_uid != ovap->va_uid) {
1482 			checkpriv = B_TRUE;
1483 		} else {
1484 			if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1485 			    ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1486 			    !groupmember(vap->va_gid, cr))) {
1487 				checkpriv = B_TRUE;
1488 			}
1489 		}
1490 		/*
1491 		 * If necessary, check privilege to see if update can be done.
1492 		 */
1493 		if (checkpriv &&
1494 		    (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1495 			goto out;
1496 		}
1497 
1498 		/*
1499 		 * If the file has either the set UID or set GID bits
1500 		 * set and the caller can set the bits, then leave them.
1501 		 */
1502 		secpolicy_setid_clear(vap, cr);
1503 	}
1504 	if (mask & (AT_ATIME|AT_MTIME)) {
1505 		/*
1506 		 * If not the file owner and not otherwise privileged,
1507 		 * always return an error when setting the
1508 		 * time other than the current (ATTR_UTIME flag set).
1509 		 * If setting the current time (ATTR_UTIME not set) then
1510 		 * unlocked_access will check permissions according to policy.
1511 		 */
1512 		if (cr->cr_uid != ovap->va_uid) {
1513 			if (flags & ATTR_UTIME)
1514 				error = secpolicy_vnode_utime_modify(cr);
1515 			else if (skipaclchk == B_FALSE) {
1516 				error = unlocked_access(node, VWRITE, cr);
1517 				if (error == EACCES &&
1518 				    secpolicy_vnode_utime_modify(cr) == 0)
1519 					error = 0;
1520 			}
1521 			if (error)
1522 				goto out;
1523 		}
1524 	}
1525 
1526 	/*
1527 	 * Check for optional attributes here by checking the following:
1528 	 */
1529 	if (mask & AT_XVATTR)
1530 		error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1531 		    vp->v_type);
1532 out:
1533 	return (error);
1534 }
1535 
1536 /*
1537  * Name:	secpolicy_pcfs_modify_bootpartition()
1538  *
1539  * Normal:	verify that subject can modify a pcfs boot partition.
1540  *
1541  * Output:	EACCES - if privilege check failed.
1542  */
1543 /*ARGSUSED*/
1544 int
secpolicy_pcfs_modify_bootpartition(const cred_t * cred)1545 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1546 {
1547 	return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1548 	    "modify pcfs boot partition"));
1549 }
1550 
1551 /*
1552  * System V IPC routines
1553  */
1554 int
secpolicy_ipc_owner(const cred_t * cr,const struct kipc_perm * ip)1555 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1556 {
1557 	if (crgetzoneid(cr) != ip->ipc_zoneid ||
1558 	    (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1559 		boolean_t allzone = B_FALSE;
1560 		if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1561 			allzone = B_TRUE;
1562 		return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1563 	}
1564 	return (0);
1565 }
1566 
1567 int
secpolicy_ipc_config(const cred_t * cr)1568 secpolicy_ipc_config(const cred_t *cr)
1569 {
1570 	return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1571 }
1572 
1573 int
secpolicy_ipc_access(const cred_t * cr,const struct kipc_perm * ip,mode_t mode)1574 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1575 {
1576 
1577 	boolean_t allzone = B_FALSE;
1578 
1579 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1580 
1581 	if ((mode & MSG_R) &&
1582 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1583 		return (EACCES);
1584 
1585 	if (mode & MSG_W) {
1586 		if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1587 			allzone = B_TRUE;
1588 
1589 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1590 		    NULL));
1591 	}
1592 	return (0);
1593 }
1594 
1595 int
secpolicy_rsm_access(const cred_t * cr,uid_t owner,mode_t mode)1596 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1597 {
1598 	boolean_t allzone = B_FALSE;
1599 
1600 	ASSERT((mode & (MSG_R|MSG_W)) != 0);
1601 
1602 	if ((mode & MSG_R) &&
1603 	    PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1604 		return (EACCES);
1605 
1606 	if (mode & MSG_W) {
1607 		if (cr->cr_uid != 0 && owner == 0)
1608 			allzone = B_TRUE;
1609 
1610 		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1611 		    NULL));
1612 	}
1613 	return (0);
1614 }
1615 
1616 /*
1617  * Audit configuration.
1618  */
1619 int
secpolicy_audit_config(const cred_t * cr)1620 secpolicy_audit_config(const cred_t *cr)
1621 {
1622 	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1623 }
1624 
1625 /*
1626  * Audit record generation.
1627  */
1628 int
secpolicy_audit_modify(const cred_t * cr)1629 secpolicy_audit_modify(const cred_t *cr)
1630 {
1631 	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1632 }
1633 
1634 /*
1635  * Get audit attributes.
1636  * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1637  * "Least" of the two privileges on error.
1638  */
1639 int
secpolicy_audit_getattr(const cred_t * cr,boolean_t checkonly)1640 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1641 {
1642 	int priv;
1643 
1644 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1645 		priv = PRIV_SYS_AUDIT;
1646 	else
1647 		priv = PRIV_PROC_AUDIT;
1648 
1649 	if (checkonly)
1650 		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1651 	else
1652 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1653 }
1654 
1655 
1656 /*
1657  * Locking physical memory
1658  */
1659 int
secpolicy_lock_memory(const cred_t * cr)1660 secpolicy_lock_memory(const cred_t *cr)
1661 {
1662 	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1663 }
1664 
1665 /*
1666  * Accounting (both acct(2) and exacct).
1667  */
1668 int
secpolicy_acct(const cred_t * cr)1669 secpolicy_acct(const cred_t *cr)
1670 {
1671 	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1672 }
1673 
1674 /*
1675  * Is this process privileged to change its uids at will?
1676  * Uid 0 is still considered "special" and having the SETID
1677  * privilege is not sufficient to get uid 0.
1678  * Files are owned by root, so the privilege would give
1679  * full access and euid 0 is still effective.
1680  *
1681  * If you have the privilege and euid 0 only then do you
1682  * get the powers of root wrt uid 0.
1683  *
1684  * For gid manipulations, this is should be called with an
1685  * uid of -1.
1686  *
1687  */
1688 int
secpolicy_allow_setid(const cred_t * cr,uid_t newuid,boolean_t checkonly)1689 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1690 {
1691 	boolean_t allzone = B_FALSE;
1692 
1693 	if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1694 	    cr->cr_ruid != 0) {
1695 		allzone = B_TRUE;
1696 	}
1697 
1698 	return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1699 	    PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1700 }
1701 
1702 
1703 /*
1704  * Acting on a different process: if the mode is for writing,
1705  * the restrictions are more severe.  This is called after
1706  * we've verified that the uids do not match.
1707  */
1708 int
secpolicy_proc_owner(const cred_t * scr,const cred_t * tcr,int mode)1709 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1710 {
1711 	boolean_t allzone = B_FALSE;
1712 
1713 	if ((mode & VWRITE) && scr->cr_uid != 0 &&
1714 	    (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1715 		allzone = B_TRUE;
1716 
1717 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1718 }
1719 
1720 int
secpolicy_proc_access(const cred_t * scr)1721 secpolicy_proc_access(const cred_t *scr)
1722 {
1723 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1724 }
1725 
1726 int
secpolicy_proc_excl_open(const cred_t * scr)1727 secpolicy_proc_excl_open(const cred_t *scr)
1728 {
1729 	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1730 }
1731 
1732 int
secpolicy_proc_zone(const cred_t * scr)1733 secpolicy_proc_zone(const cred_t *scr)
1734 {
1735 	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1736 }
1737 
1738 /*
1739  * Destroying the system
1740  */
1741 
1742 int
secpolicy_kmdb(const cred_t * scr)1743 secpolicy_kmdb(const cred_t *scr)
1744 {
1745 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1746 }
1747 
1748 int
secpolicy_error_inject(const cred_t * scr)1749 secpolicy_error_inject(const cred_t *scr)
1750 {
1751 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1752 }
1753 
1754 /*
1755  * Processor sets, cpu configuration, resource pools.
1756  */
1757 int
secpolicy_pset(const cred_t * cr)1758 secpolicy_pset(const cred_t *cr)
1759 {
1760 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1761 }
1762 
1763 /* Process security flags */
1764 int
secpolicy_psecflags(const cred_t * cr,proc_t * tp,proc_t * sp)1765 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1766 {
1767 	if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1768 		return (EPERM);
1769 
1770 	if (!prochasprocperm(tp, sp, cr))
1771 		return (EPERM);
1772 
1773 	return (0);
1774 }
1775 
1776 /*
1777  * Processor set binding.
1778  */
1779 int
secpolicy_pbind(const cred_t * cr)1780 secpolicy_pbind(const cred_t *cr)
1781 {
1782 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1783 		return (secpolicy_pset(cr));
1784 	return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1785 }
1786 
1787 int
secpolicy_ponline(const cred_t * cr)1788 secpolicy_ponline(const cred_t *cr)
1789 {
1790 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1791 }
1792 
1793 int
secpolicy_pool(const cred_t * cr)1794 secpolicy_pool(const cred_t *cr)
1795 {
1796 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1797 }
1798 
1799 int
secpolicy_blacklist(const cred_t * cr)1800 secpolicy_blacklist(const cred_t *cr)
1801 {
1802 	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1803 }
1804 
1805 /*
1806  * Catch all system configuration.
1807  */
1808 int
secpolicy_sys_config(const cred_t * cr,boolean_t checkonly)1809 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1810 {
1811 	if (checkonly) {
1812 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1813 		    EPERM);
1814 	} else {
1815 		return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1816 	}
1817 }
1818 
1819 /*
1820  * Zone administration (halt, reboot, etc.) from within zone.
1821  */
1822 int
secpolicy_zone_admin(const cred_t * cr,boolean_t checkonly)1823 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1824 {
1825 	if (checkonly) {
1826 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1827 		    EPERM);
1828 	} else {
1829 		return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1830 		    NULL));
1831 	}
1832 }
1833 
1834 /*
1835  * Zone configuration (create, halt, enter).
1836  */
1837 int
secpolicy_zone_config(const cred_t * cr)1838 secpolicy_zone_config(const cred_t *cr)
1839 {
1840 	/*
1841 	 * Require all privileges to avoid possibility of privilege
1842 	 * escalation.
1843 	 */
1844 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1845 }
1846 
1847 /*
1848  * Various other system configuration calls
1849  */
1850 int
secpolicy_coreadm(const cred_t * cr)1851 secpolicy_coreadm(const cred_t *cr)
1852 {
1853 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1854 }
1855 
1856 int
secpolicy_systeminfo(const cred_t * cr)1857 secpolicy_systeminfo(const cred_t *cr)
1858 {
1859 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1860 }
1861 
1862 int
secpolicy_dispadm(const cred_t * cr)1863 secpolicy_dispadm(const cred_t *cr)
1864 {
1865 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1866 }
1867 
1868 int
secpolicy_settime(const cred_t * cr)1869 secpolicy_settime(const cred_t *cr)
1870 {
1871 	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1872 }
1873 
1874 /*
1875  * For realtime users: high resolution clock.
1876  */
1877 int
secpolicy_clock_highres(const cred_t * cr)1878 secpolicy_clock_highres(const cred_t *cr)
1879 {
1880 	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1881 	    NULL));
1882 }
1883 
1884 /*
1885  * drv_priv() is documented as callable from interrupt context, not that
1886  * anyone ever does, but still.  No debugging or auditing can be done when
1887  * it is called from interrupt context.
1888  * returns 0 on succes, EPERM on failure.
1889  */
1890 int
drv_priv(cred_t * cr)1891 drv_priv(cred_t *cr)
1892 {
1893 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1894 }
1895 
1896 int
secpolicy_sys_devices(const cred_t * cr)1897 secpolicy_sys_devices(const cred_t *cr)
1898 {
1899 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1900 }
1901 
1902 int
secpolicy_excl_open(const cred_t * cr)1903 secpolicy_excl_open(const cred_t *cr)
1904 {
1905 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1906 }
1907 
1908 int
secpolicy_rctlsys(const cred_t * cr,boolean_t is_zone_rctl)1909 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1910 {
1911 	/* zone.* rctls can only be set from the global zone */
1912 	if (is_zone_rctl && priv_policy_global(cr) != 0)
1913 		return (EPERM);
1914 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1915 }
1916 
1917 int
secpolicy_resource(const cred_t * cr)1918 secpolicy_resource(const cred_t *cr)
1919 {
1920 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1921 }
1922 
1923 int
secpolicy_resource_anon_mem(const cred_t * cr)1924 secpolicy_resource_anon_mem(const cred_t *cr)
1925 {
1926 	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1927 }
1928 
1929 /*
1930  * Processes with a real uid of 0 escape any form of accounting, much
1931  * like before.
1932  */
1933 int
secpolicy_newproc(const cred_t * cr)1934 secpolicy_newproc(const cred_t *cr)
1935 {
1936 	if (cr->cr_ruid == 0)
1937 		return (0);
1938 
1939 	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1940 }
1941 
1942 /*
1943  * Networking
1944  */
1945 int
secpolicy_net_rawaccess(const cred_t * cr)1946 secpolicy_net_rawaccess(const cred_t *cr)
1947 {
1948 	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1949 }
1950 
1951 int
secpolicy_net_observability(const cred_t * cr)1952 secpolicy_net_observability(const cred_t *cr)
1953 {
1954 	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1955 }
1956 
1957 /*
1958  * Need this privilege for accessing the ICMP device
1959  */
1960 int
secpolicy_net_icmpaccess(const cred_t * cr)1961 secpolicy_net_icmpaccess(const cred_t *cr)
1962 {
1963 	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1964 }
1965 
1966 /*
1967  * There are a few rare cases where the kernel generates ioctls() from
1968  * interrupt context with a credential of kcred rather than NULL.
1969  * In those cases, we take the safe and cheap test.
1970  */
1971 int
secpolicy_net_config(const cred_t * cr,boolean_t checkonly)1972 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1973 {
1974 	if (checkonly) {
1975 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1976 		    0 : EPERM);
1977 	} else {
1978 		return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1979 		    NULL));
1980 	}
1981 }
1982 
1983 
1984 /*
1985  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1986  *
1987  * There are a few rare cases where the kernel generates ioctls() from
1988  * interrupt context with a credential of kcred rather than NULL.
1989  * In those cases, we take the safe and cheap test.
1990  */
1991 int
secpolicy_ip_config(const cred_t * cr,boolean_t checkonly)1992 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1993 {
1994 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1995 		return (secpolicy_net_config(cr, checkonly));
1996 
1997 	if (checkonly) {
1998 		return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1999 		    0 : EPERM);
2000 	} else {
2001 		return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
2002 		    NULL));
2003 	}
2004 }
2005 
2006 /*
2007  * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
2008  */
2009 int
secpolicy_dl_config(const cred_t * cr)2010 secpolicy_dl_config(const cred_t *cr)
2011 {
2012 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2013 		return (secpolicy_net_config(cr, B_FALSE));
2014 	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
2015 }
2016 
2017 /*
2018  * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
2019  */
2020 int
secpolicy_iptun_config(const cred_t * cr)2021 secpolicy_iptun_config(const cred_t *cr)
2022 {
2023 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2024 		return (secpolicy_net_config(cr, B_FALSE));
2025 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
2026 		return (secpolicy_dl_config(cr));
2027 	return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
2028 }
2029 
2030 /*
2031  * Map IP pseudo privileges to actual privileges.
2032  * So we don't need to recompile IP when we change the privileges.
2033  */
2034 int
secpolicy_ip(const cred_t * cr,int netpriv,boolean_t checkonly)2035 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2036 {
2037 	int priv = PRIV_ALL;
2038 
2039 	switch (netpriv) {
2040 	case OP_CONFIG:
2041 		priv = PRIV_SYS_IP_CONFIG;
2042 		break;
2043 	case OP_RAW:
2044 		priv = PRIV_NET_RAWACCESS;
2045 		break;
2046 	case OP_PRIVPORT:
2047 		priv = PRIV_NET_PRIVADDR;
2048 		break;
2049 	}
2050 	ASSERT(priv != PRIV_ALL);
2051 	if (checkonly)
2052 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2053 	else
2054 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2055 }
2056 
2057 /*
2058  * Map network pseudo privileges to actual privileges.
2059  * So we don't need to recompile IP when we change the privileges.
2060  */
2061 int
secpolicy_net(const cred_t * cr,int netpriv,boolean_t checkonly)2062 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2063 {
2064 	int priv = PRIV_ALL;
2065 
2066 	switch (netpriv) {
2067 	case OP_CONFIG:
2068 		priv = PRIV_SYS_NET_CONFIG;
2069 		break;
2070 	case OP_RAW:
2071 		priv = PRIV_NET_RAWACCESS;
2072 		break;
2073 	case OP_PRIVPORT:
2074 		priv = PRIV_NET_PRIVADDR;
2075 		break;
2076 	}
2077 	ASSERT(priv != PRIV_ALL);
2078 	if (checkonly)
2079 		return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2080 	else
2081 		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2082 }
2083 
2084 /*
2085  * Checks for operations that are either client-only or are used by
2086  * both clients and servers.
2087  */
2088 int
secpolicy_nfs(const cred_t * cr)2089 secpolicy_nfs(const cred_t *cr)
2090 {
2091 	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2092 }
2093 
2094 /*
2095  * Special case for opening rpcmod: have NFS privileges or network
2096  * config privileges.
2097  */
2098 int
secpolicy_rpcmod_open(const cred_t * cr)2099 secpolicy_rpcmod_open(const cred_t *cr)
2100 {
2101 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2102 		return (secpolicy_nfs(cr));
2103 	else
2104 		return (secpolicy_net_config(cr, B_FALSE));
2105 }
2106 
2107 int
secpolicy_chroot(const cred_t * cr)2108 secpolicy_chroot(const cred_t *cr)
2109 {
2110 	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2111 }
2112 
2113 int
secpolicy_tasksys(const cred_t * cr)2114 secpolicy_tasksys(const cred_t *cr)
2115 {
2116 	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2117 }
2118 
2119 int
secpolicy_meminfo(const cred_t * cr)2120 secpolicy_meminfo(const cred_t *cr)
2121 {
2122 	return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2123 }
2124 
2125 int
secpolicy_pfexec_register(const cred_t * cr)2126 secpolicy_pfexec_register(const cred_t *cr)
2127 {
2128 	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2129 }
2130 
2131 /*
2132  * Basic privilege checks.
2133  */
2134 int
secpolicy_basic_exec(const cred_t * cr,vnode_t * vp)2135 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2136 {
2137 	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2138 
2139 	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2140 	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2141 }
2142 
2143 int
secpolicy_basic_fork(const cred_t * cr)2144 secpolicy_basic_fork(const cred_t *cr)
2145 {
2146 	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2147 
2148 	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2149 }
2150 
2151 int
secpolicy_basic_proc(const cred_t * cr)2152 secpolicy_basic_proc(const cred_t *cr)
2153 {
2154 	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2155 
2156 	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2157 }
2158 
2159 /*
2160  * Slightly complicated because we don't want to trigger the policy too
2161  * often.  First we shortcircuit access to "self" (tp == sp) or if
2162  * we don't have the privilege but if we have permission
2163  * just return (0) and we don't flag the privilege as needed.
2164  * Else, we test for the privilege because we either have it or need it.
2165  */
2166 int
secpolicy_basic_procinfo(const cred_t * cr,proc_t * tp,proc_t * sp)2167 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2168 {
2169 	if (tp == sp ||
2170 	    !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2171 		return (0);
2172 	} else {
2173 		return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2174 	}
2175 }
2176 
2177 int
secpolicy_basic_link(const cred_t * cr)2178 secpolicy_basic_link(const cred_t *cr)
2179 {
2180 	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2181 
2182 	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2183 }
2184 
2185 int
secpolicy_basic_net_access(const cred_t * cr)2186 secpolicy_basic_net_access(const cred_t *cr)
2187 {
2188 	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2189 
2190 	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2191 }
2192 
2193 /* ARGSUSED */
2194 int
secpolicy_basic_file_read(const cred_t * cr,vnode_t * vp,const char * pn)2195 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2196 {
2197 	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2198 
2199 	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2200 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2201 }
2202 
2203 /* ARGSUSED */
2204 int
secpolicy_basic_file_write(const cred_t * cr,vnode_t * vp,const char * pn)2205 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2206 {
2207 	FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2208 
2209 	return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2210 	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2211 }
2212 
2213 /*
2214  * Additional device protection.
2215  *
2216  * Traditionally, a device has specific permissions on the node in
2217  * the filesystem which govern which devices can be opened by what
2218  * processes.  In certain cases, it is desirable to add extra
2219  * restrictions, as writing to certain devices is identical to
2220  * having a complete run of the system.
2221  *
2222  * This mechanism is called the device policy.
2223  *
2224  * When a device is opened, its policy entry is looked up in the
2225  * policy cache and checked.
2226  */
2227 int
secpolicy_spec_open(const cred_t * cr,struct vnode * vp,int oflag)2228 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2229 {
2230 	devplcy_t *plcy;
2231 	int err;
2232 	struct snode *csp = VTOS(common_specvp(vp));
2233 	priv_set_t pset;
2234 
2235 	mutex_enter(&csp->s_lock);
2236 
2237 	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2238 		plcy = devpolicy_find(vp);
2239 		if (csp->s_plcy)
2240 			dpfree(csp->s_plcy);
2241 		csp->s_plcy = plcy;
2242 		ASSERT(plcy != NULL);
2243 	} else
2244 		plcy = csp->s_plcy;
2245 
2246 	if (plcy == nullpolicy) {
2247 		mutex_exit(&csp->s_lock);
2248 		return (0);
2249 	}
2250 
2251 	dphold(plcy);
2252 
2253 	mutex_exit(&csp->s_lock);
2254 
2255 	if (oflag & FWRITE)
2256 		pset = plcy->dp_wrp;
2257 	else
2258 		pset = plcy->dp_rdp;
2259 	/*
2260 	 * Special case:
2261 	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2262 	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2263 	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2264 	 * in the required privilege set before doing the check.
2265 	 */
2266 	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2267 	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2268 	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2269 		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2270 		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2271 	}
2272 
2273 	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2274 	dpfree(plcy);
2275 
2276 	return (err);
2277 }
2278 
2279 int
secpolicy_modctl(const cred_t * cr,int cmd)2280 secpolicy_modctl(const cred_t *cr, int cmd)
2281 {
2282 	switch (cmd) {
2283 	case MODINFO:
2284 	case MODGETMAJBIND:
2285 	case MODGETPATH:
2286 	case MODGETPATHLEN:
2287 	case MODGETNAME:
2288 	case MODGETFBNAME:
2289 	case MODGETDEVPOLICY:
2290 	case MODGETDEVPOLICYBYNAME:
2291 	case MODDEVT2INSTANCE:
2292 	case MODSIZEOF_DEVID:
2293 	case MODGETDEVID:
2294 	case MODSIZEOF_MINORNAME:
2295 	case MODGETMINORNAME:
2296 	case MODGETDEVFSPATH_LEN:
2297 	case MODGETDEVFSPATH:
2298 	case MODGETDEVFSPATH_MI_LEN:
2299 	case MODGETDEVFSPATH_MI:
2300 		/* Unprivileged */
2301 		return (0);
2302 	case MODLOAD:
2303 	case MODSETDEVPOLICY:
2304 		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2305 		    KLPDARG_NONE));
2306 	default:
2307 		return (secpolicy_sys_config(cr, B_FALSE));
2308 	}
2309 }
2310 
2311 int
secpolicy_console(const cred_t * cr)2312 secpolicy_console(const cred_t *cr)
2313 {
2314 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2315 }
2316 
2317 int
secpolicy_power_mgmt(const cred_t * cr)2318 secpolicy_power_mgmt(const cred_t *cr)
2319 {
2320 	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2321 }
2322 
2323 /*
2324  * Simulate terminal input; another escalation of privileges avenue.
2325  */
2326 
2327 int
secpolicy_sti(const cred_t * cr)2328 secpolicy_sti(const cred_t *cr)
2329 {
2330 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2331 }
2332 
2333 boolean_t
secpolicy_net_reply_equal(const cred_t * cr)2334 secpolicy_net_reply_equal(const cred_t *cr)
2335 {
2336 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2337 }
2338 
2339 int
secpolicy_swapctl(const cred_t * cr)2340 secpolicy_swapctl(const cred_t *cr)
2341 {
2342 	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2343 }
2344 
2345 int
secpolicy_cpc_cpu(const cred_t * cr)2346 secpolicy_cpc_cpu(const cred_t *cr)
2347 {
2348 	return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2349 }
2350 
2351 /*
2352  * secpolicy_contract_identity
2353  *
2354  * Determine if the subject may set the process contract FMRI value
2355  */
2356 int
secpolicy_contract_identity(const cred_t * cr)2357 secpolicy_contract_identity(const cred_t *cr)
2358 {
2359 	return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2360 }
2361 
2362 /*
2363  * secpolicy_contract_observer
2364  *
2365  * Determine if the subject may observe a specific contract's events.
2366  */
2367 int
secpolicy_contract_observer(const cred_t * cr,struct contract * ct)2368 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2369 {
2370 	if (contract_owned(ct, cr, B_FALSE))
2371 		return (0);
2372 	return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2373 }
2374 
2375 /*
2376  * secpolicy_contract_observer_choice
2377  *
2378  * Determine if the subject may observe any contract's events.  Just
2379  * tests privilege and audits on success.
2380  */
2381 boolean_t
secpolicy_contract_observer_choice(const cred_t * cr)2382 secpolicy_contract_observer_choice(const cred_t *cr)
2383 {
2384 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2385 }
2386 
2387 /*
2388  * secpolicy_contract_event
2389  *
2390  * Determine if the subject may request critical contract events or
2391  * reliable contract event delivery.
2392  */
2393 int
secpolicy_contract_event(const cred_t * cr)2394 secpolicy_contract_event(const cred_t *cr)
2395 {
2396 	return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2397 }
2398 
2399 /*
2400  * secpolicy_contract_event_choice
2401  *
2402  * Determine if the subject may retain contract events in its critical
2403  * set when a change in other terms would normally require a change in
2404  * the critical set.  Just tests privilege and audits on success.
2405  */
2406 boolean_t
secpolicy_contract_event_choice(const cred_t * cr)2407 secpolicy_contract_event_choice(const cred_t *cr)
2408 {
2409 	return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2410 }
2411 
2412 /*
2413  * secpolicy_gart_access
2414  *
2415  * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2416  * device.
2417  */
2418 int
secpolicy_gart_access(const cred_t * cr)2419 secpolicy_gart_access(const cred_t *cr)
2420 {
2421 	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2422 }
2423 
2424 /*
2425  * secpolicy_gart_map
2426  *
2427  * Determine if the subject has sufficient priveleges to map aperture range
2428  * through agpgart driver.
2429  */
2430 int
secpolicy_gart_map(const cred_t * cr)2431 secpolicy_gart_map(const cred_t *cr)
2432 {
2433 	if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2434 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2435 		    NULL));
2436 	} else {
2437 		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2438 		    NULL));
2439 	}
2440 }
2441 
2442 /*
2443  * secpolicy_hwmanip
2444  *
2445  * Determine if the subject can observe and manipulate a hardware device with a
2446  * dangerous blunt hammer, often suggests they can do something destructive.
2447  * Requires all privileges.
2448  */
2449 int
secpolicy_hwmanip(const cred_t * cr)2450 secpolicy_hwmanip(const cred_t *cr)
2451 {
2452 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2453 }
2454 
2455 /*
2456  * secpolicy_zinject
2457  *
2458  * Determine if the subject can inject faults in the ZFS fault injection
2459  * framework.  Requires all privileges.
2460  */
2461 int
secpolicy_zinject(const cred_t * cr)2462 secpolicy_zinject(const cred_t *cr)
2463 {
2464 	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2465 }
2466 
2467 /*
2468  * secpolicy_zfs
2469  *
2470  * Determine if the subject has permission to manipulate ZFS datasets
2471  * (not pools).  Equivalent to the SYS_MOUNT privilege.
2472  */
2473 int
secpolicy_zfs(const cred_t * cr)2474 secpolicy_zfs(const cred_t *cr)
2475 {
2476 	return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2477 }
2478 
2479 /*
2480  * secpolicy_idmap
2481  *
2482  * Determine if the calling process has permissions to register an SID
2483  * mapping daemon and allocate ephemeral IDs.
2484  */
2485 int
secpolicy_idmap(const cred_t * cr)2486 secpolicy_idmap(const cred_t *cr)
2487 {
2488 	return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2489 }
2490 
2491 /*
2492  * secpolicy_ucode_update
2493  *
2494  * Determine if the subject has sufficient privilege to update microcode.
2495  */
2496 int
secpolicy_ucode_update(const cred_t * scr)2497 secpolicy_ucode_update(const cred_t *scr)
2498 {
2499 	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2500 }
2501 
2502 /*
2503  * secpolicy_sadopen
2504  *
2505  * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2506  * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2507  * In global zone, sys_config is required.
2508  * In exclusive-IP zones, sys_ip_config is required.
2509  * Note that sys_config is prohibited in non-global zones.
2510  */
2511 int
secpolicy_sadopen(const cred_t * credp)2512 secpolicy_sadopen(const cred_t *credp)
2513 {
2514 	priv_set_t pset;
2515 
2516 	priv_emptyset(&pset);
2517 
2518 	if (crgetzoneid(credp) == GLOBAL_ZONEID)
2519 		priv_addset(&pset, PRIV_SYS_CONFIG);
2520 	else
2521 		priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2522 
2523 	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2524 }
2525 
2526 
2527 /*
2528  * Add privileges to a particular privilege set; this is called when the
2529  * current sets of privileges are not sufficient.  I.e., we should always
2530  * call the policy override functions from here.
2531  * What we are allowed to have is in the Observed Permitted set; so
2532  * we compute the difference between that and the newset.
2533  */
2534 int
secpolicy_require_privs(const cred_t * cr,const priv_set_t * nset)2535 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2536 {
2537 	priv_set_t rqd;
2538 
2539 	rqd = CR_OPPRIV(cr);
2540 
2541 	priv_inverse(&rqd);
2542 	priv_intersect(nset, &rqd);
2543 
2544 	return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2545 }
2546 
2547 /*
2548  * secpolicy_smb
2549  *
2550  * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2551  * that it has permission to access the smbsrv kernel driver.
2552  * PRIV_POLICY checks the privilege and audits the check.
2553  *
2554  * Returns:
2555  * 0       Driver access is allowed.
2556  * EPERM   Driver access is NOT permitted.
2557  */
2558 int
secpolicy_smb(const cred_t * cr)2559 secpolicy_smb(const cred_t *cr)
2560 {
2561 	return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2562 }
2563 
2564 /*
2565  * secpolicy_vscan
2566  *
2567  * Determine if cred_t has the necessary privileges to access a file
2568  * for virus scanning and update its extended system attributes.
2569  * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2570  * PRIV_FILE_FLAG_SET - set extended system attributes
2571  *
2572  * PRIV_POLICY checks the privilege and audits the check.
2573  *
2574  * Returns:
2575  * 0      file access for virus scanning allowed.
2576  * EPERM  file access for virus scanning is NOT permitted.
2577  */
2578 int
secpolicy_vscan(const cred_t * cr)2579 secpolicy_vscan(const cred_t *cr)
2580 {
2581 	if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2582 	    (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2583 	    (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2584 		return (EPERM);
2585 	}
2586 
2587 	return (0);
2588 }
2589 
2590 /*
2591  * secpolicy_smbfs_login
2592  *
2593  * Determines if the caller can add and delete the smbfs login
2594  * password in the the nsmb kernel module for the CIFS client.
2595  *
2596  * Returns:
2597  * 0       access is allowed.
2598  * EPERM   access is NOT allowed.
2599  */
2600 int
secpolicy_smbfs_login(const cred_t * cr,uid_t uid)2601 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2602 {
2603 	uid_t cruid = crgetruid(cr);
2604 
2605 	if (cruid == uid)
2606 		return (0);
2607 	return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2608 	    EPERM, NULL));
2609 }
2610 
2611 /*
2612  * secpolicy_xvm_control
2613  *
2614  * Determines if a caller can control the xVM hypervisor and/or running
2615  * domains (x86 specific).
2616  *
2617  * Returns:
2618  * 0       access is allowed.
2619  * EPERM   access is NOT allowed.
2620  */
2621 int
secpolicy_xvm_control(const cred_t * cr)2622 secpolicy_xvm_control(const cred_t *cr)
2623 {
2624 	if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2625 		return (EPERM);
2626 	return (0);
2627 }
2628 
2629 /*
2630  * secpolicy_ppp_config
2631  *
2632  * Determine if the subject has sufficient privileges to configure PPP and
2633  * PPP-related devices.
2634  */
2635 int
secpolicy_ppp_config(const cred_t * cr)2636 secpolicy_ppp_config(const cred_t *cr)
2637 {
2638 	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2639 		return (secpolicy_net_config(cr, B_FALSE));
2640 	return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2641 }
2642