1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2013, Joyent, Inc. All rights reserved. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 #include <sys/dld_ioc.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 int priv_basic_test = -1; 68 69 /* 70 * This file contains the majority of the policy routines. 71 * Since the policy routines are defined by function and not 72 * by privilege, there is quite a bit of duplication of 73 * functions. 74 * 75 * The secpolicy functions must not make assumptions about 76 * locks held or not held as any lock can be held while they're 77 * being called. 78 * 79 * Credentials are read-only so no special precautions need to 80 * be taken while locking them. 81 * 82 * When a new policy check needs to be added to the system the 83 * following procedure should be followed: 84 * 85 * Pick an appropriate secpolicy_*() function 86 * -> done if one exists. 87 * Create a new secpolicy function, preferably with 88 * a descriptive name using the standard template. 89 * Pick an appropriate privilege for the policy. 90 * If no appropraite privilege exists, define new one 91 * (this should be done with extreme care; in most cases 92 * little is gained by adding another privilege) 93 * 94 * WHY ROOT IS STILL SPECIAL. 95 * 96 * In a number of the policy functions, there are still explicit 97 * checks for uid 0. The rationale behind these is that many root 98 * owned files/objects hold configuration information which can give full 99 * privileges to the user once written to. To prevent escalation 100 * of privilege by allowing just a single privilege to modify root owned 101 * objects, we've added these root specific checks where we considered 102 * them necessary: modifying root owned files, changing uids to 0, etc. 103 * 104 * PRIVILEGE ESCALATION AND ZONES. 105 * 106 * A number of operations potentially allow the caller to achieve 107 * privileges beyond the ones normally required to perform the operation. 108 * For example, if allowed to create a setuid 0 executable, a process can 109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 110 * restrictions on the ability to gain privileges beyond those available 111 * within the zone through file and process manipulation. Hence, such 112 * operations require that the caller have an effective set that includes 113 * all privileges available within the current zone, or all privileges 114 * if executing in the global zone. 115 * 116 * This is indicated in the priv_policy* policy checking functions 117 * through a combination of parameters. The "priv" parameter indicates 118 * the privilege that is required, and the "allzone" parameter indicates 119 * whether or not all privileges in the zone are required. In addition, 120 * priv can be set to PRIV_ALL to indicate that all privileges are 121 * required (regardless of zone). There are three scenarios of interest: 122 * (1) operation requires a specific privilege 123 * (2) operation requires a specific privilege, and requires all 124 * privileges available within the zone (or all privileges if in 125 * the global zone) 126 * (3) operation requires all privileges, regardless of zone 127 * 128 * For (1), priv should be set to the specific privilege, and allzone 129 * should be set to B_FALSE. 130 * For (2), priv should be set to the specific privilege, and allzone 131 * should be set to B_TRUE. 132 * For (3), priv should be set to PRIV_ALL, and allzone should be set 133 * to B_FALSE. 134 * 135 */ 136 137 /* 138 * The privileges are checked against the Effective set for 139 * ordinary processes and checked against the Limit set 140 * for euid 0 processes that haven't manipulated their privilege 141 * sets. 142 */ 143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 147 HAS_ALLPRIVS(cr) : \ 148 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 149 150 #define FAST_BASIC_CHECK(cr, priv) \ 151 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \ 152 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \ 153 return (0); \ 154 } 155 156 /* 157 * Policy checking functions. 158 * 159 * All of the system's policy should be implemented here. 160 */ 161 162 /* 163 * Private functions which take an additional va_list argument to 164 * implement an object specific policy override. 165 */ 166 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 167 const char *, va_list); 168 static int priv_policy_va(const cred_t *, int, boolean_t, int, 169 const char *, ...); 170 171 /* 172 * Generic policy calls 173 * 174 * The "bottom" functions of policy control 175 */ 176 static char * 177 mprintf(const char *fmt, ...) 178 { 179 va_list args; 180 char *buf; 181 size_t len; 182 183 va_start(args, fmt); 184 len = vsnprintf(NULL, 0, fmt, args) + 1; 185 va_end(args); 186 187 buf = kmem_alloc(len, KM_NOSLEEP); 188 189 if (buf == NULL) 190 return (NULL); 191 192 va_start(args, fmt); 193 (void) vsnprintf(buf, len, fmt, args); 194 va_end(args); 195 196 return (buf); 197 } 198 199 /* 200 * priv_policy_errmsg() 201 * 202 * Generate an error message if privilege debugging is enabled system wide 203 * or for this particular process. 204 */ 205 206 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 207 #define FMTMSG " for \"%s\"" 208 #define FMTFUN " needed at %s+0x%lx" 209 210 /* The maximum size privilege format: the concatenation of the above */ 211 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 212 213 static void 214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 215 { 216 struct proc *me; 217 pc_t stack[MAXPRIVSTACK]; 218 int depth; 219 int i; 220 char *sym; 221 ulong_t off; 222 const char *pname; 223 224 char *cmd; 225 char fmt[sizeof (FMTMAX)]; 226 227 if ((me = curproc) == &p0) 228 return; 229 230 /* Privileges must be defined */ 231 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 232 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 233 priv_getbynum(priv) != NULL); 234 235 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 236 priv = PRIV_ALL; 237 238 if (curthread->t_pre_sys) 239 ttolwp(curthread)->lwp_badpriv = (short)priv; 240 241 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 242 return; 243 244 (void) strcpy(fmt, FMTHDR); 245 246 if (me->p_user.u_comm[0]) 247 cmd = &me->p_user.u_comm[0]; 248 else 249 cmd = "priv_policy"; 250 251 if (msg != NULL && *msg != '\0') { 252 (void) strcat(fmt, FMTMSG); 253 } else { 254 (void) strcat(fmt, "%s"); 255 msg = ""; 256 } 257 258 sym = NULL; 259 260 depth = getpcstack(stack, MAXPRIVSTACK); 261 262 /* 263 * Try to find the first interesting function on the stack. 264 * priv_policy* that's us, so completely uninteresting. 265 * suser(), drv_priv(), secpolicy_* are also called from 266 * too many locations to convey useful information. 267 */ 268 for (i = 0; i < depth; i++) { 269 sym = kobj_getsymname((uintptr_t)stack[i], &off); 270 if (sym != NULL && 271 strstr(sym, "hasprocperm") == 0 && 272 strcmp("suser", sym) != 0 && 273 strcmp("ipcaccess", sym) != 0 && 274 strcmp("drv_priv", sym) != 0 && 275 strncmp("secpolicy_", sym, 10) != 0 && 276 strncmp("priv_policy", sym, 11) != 0) 277 break; 278 } 279 280 if (sym != NULL) 281 (void) strcat(fmt, FMTFUN); 282 283 (void) strcat(fmt, "\n"); 284 285 switch (priv) { 286 case PRIV_ALL: 287 pname = "ALL"; 288 break; 289 case PRIV_MULTIPLE: 290 pname = "MULTIPLE"; 291 break; 292 case PRIV_ALLZONE: 293 pname = "ZONE"; 294 break; 295 case PRIV_GLOBAL: 296 pname = "GLOBAL"; 297 break; 298 default: 299 pname = priv_getbynum(priv); 300 break; 301 } 302 303 if (CR_FLAGS(cr) & PRIV_DEBUG) { 304 /* Remember last message, just like lwp_badpriv. */ 305 if (curthread->t_pdmsg != NULL) { 306 kmem_free(curthread->t_pdmsg, 307 strlen(curthread->t_pdmsg) + 1); 308 } 309 310 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 311 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 312 313 curthread->t_post_sys = 1; 314 } 315 if (priv_debug) { 316 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 317 curthread->t_sysnum, msg, sym, off); 318 } 319 } 320 321 /* 322 * Override the policy, if appropriate. Return 0 if the external 323 * policy engine approves. 324 */ 325 static int 326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 327 { 328 priv_set_t set; 329 int ret; 330 331 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 332 return (-1); 333 334 if (priv == PRIV_ALL) { 335 priv_fillset(&set); 336 } else if (allzone) { 337 set = *ZONEPRIVS(cr); 338 } else { 339 priv_emptyset(&set); 340 priv_addset(&set, priv); 341 } 342 ret = klpd_call(cr, &set, ap); 343 return (ret); 344 } 345 346 static int 347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) 348 { 349 if (CR_FLAGS(cr) & PRIV_PFEXEC) 350 return (check_user_privs(cr, req)); 351 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 352 return (klpd_call(cr, req, ap)); 353 } 354 return (-1); 355 } 356 357 static int 358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) 359 { 360 va_list ap; 361 int ret; 362 363 va_start(ap, req); 364 ret = priv_policy_override_set(cr, req, ap); 365 va_end(ap); 366 return (ret); 367 } 368 369 /* 370 * Audit failure, log error message. 371 */ 372 static void 373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 374 { 375 376 if (AU_AUDITING()) 377 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 378 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 379 380 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 381 curthread->t_pre_sys) { 382 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 383 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 384 } else { 385 ASSERT(!HAS_PRIVILEGE(cr, priv)); 386 priv_policy_errmsg(cr, priv, msg); 387 } 388 } 389 } 390 391 /* 392 * priv_policy_ap() 393 * return 0 or error. 394 * See block comment above for a description of "priv" and "allzone" usage. 395 */ 396 static int 397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 398 const char *msg, va_list ap) 399 { 400 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 401 (!servicing_interrupt() && 402 priv_policy_override(cr, priv, allzone, ap) == 0)) { 403 if ((allzone || priv == PRIV_ALL || 404 !PRIV_ISASSERT(priv_basic, priv)) && 405 !servicing_interrupt()) { 406 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 407 if (AU_AUDITING()) 408 audit_priv(priv, 409 allzone ? ZONEPRIVS(cr) : NULL, 1); 410 } 411 err = 0; 412 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 413 } else if (!servicing_interrupt()) { 414 /* Failure audited in this procedure */ 415 priv_policy_err(cr, priv, allzone, msg); 416 } 417 return (err); 418 } 419 420 int 421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 422 const char *msg, ...) 423 { 424 int ret; 425 va_list ap; 426 427 va_start(ap, msg); 428 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 429 va_end(ap); 430 431 return (ret); 432 } 433 434 int 435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 436 const char *msg) 437 { 438 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); 439 } 440 441 /* 442 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 443 */ 444 boolean_t 445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 446 { 447 boolean_t res = HAS_PRIVILEGE(cr, priv) && 448 (!allzone || HAS_ALLZONEPRIVS(cr)); 449 450 /* Audit success only */ 451 if (res && AU_AUDITING() && 452 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 453 !servicing_interrupt()) { 454 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 455 } 456 if (res) { 457 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 458 } else { 459 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 460 } 461 return (res); 462 } 463 464 /* 465 * Non-auditing variant of priv_policy_choice(). 466 */ 467 boolean_t 468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 469 { 470 boolean_t res = HAS_PRIVILEGE(cr, priv) && 471 (!allzone || HAS_ALLZONEPRIVS(cr)); 472 473 if (res) { 474 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 475 } else { 476 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 477 } 478 return (res); 479 } 480 481 /* 482 * Check whether all privileges in the required set are present. 483 */ 484 static int 485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, 486 const char *msg, ...) 487 { 488 int priv; 489 int pfound = -1; 490 priv_set_t pset; 491 va_list ap; 492 int ret; 493 494 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 495 &CR_OEPRIV(cr))) { 496 return (0); 497 } 498 499 va_start(ap, msg); 500 ret = priv_policy_override_set(cr, req, ap); 501 va_end(ap); 502 if (ret == 0) 503 return (0); 504 505 if (req == PRIV_FULLSET || priv_isfullset(req)) { 506 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 507 return (EACCES); 508 } 509 510 pset = CR_OEPRIV(cr); /* present privileges */ 511 priv_inverse(&pset); /* all non present privileges */ 512 priv_intersect(req, &pset); /* the actual missing privs */ 513 514 if (AU_AUDITING()) 515 audit_priv(PRIV_NONE, &pset, 0); 516 /* 517 * Privilege debugging; special case "one privilege in set". 518 */ 519 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 520 for (priv = 0; priv < nprivs; priv++) { 521 if (priv_ismember(&pset, priv)) { 522 if (pfound != -1) { 523 /* Multiple missing privs */ 524 priv_policy_errmsg(cr, PRIV_MULTIPLE, 525 msg); 526 return (EACCES); 527 } 528 pfound = priv; 529 } 530 } 531 ASSERT(pfound != -1); 532 /* Just the one missing privilege */ 533 priv_policy_errmsg(cr, pfound, msg); 534 } 535 536 return (EACCES); 537 } 538 539 /* 540 * Called when an operation requires that the caller be in the 541 * global zone, regardless of privilege. 542 */ 543 static int 544 priv_policy_global(const cred_t *cr) 545 { 546 if (crgetzoneid(cr) == GLOBAL_ZONEID) 547 return (0); /* success */ 548 549 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 550 curthread->t_pre_sys) { 551 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 552 } 553 return (EPERM); 554 } 555 556 /* 557 * Raising process priority 558 */ 559 int 560 secpolicy_raisepriority(const cred_t *cr) 561 { 562 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) 563 return (0); 564 return (secpolicy_setpriority(cr)); 565 } 566 567 /* 568 * Changing process priority or scheduling class 569 */ 570 int 571 secpolicy_setpriority(const cred_t *cr) 572 { 573 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 574 } 575 576 /* 577 * Binding to a privileged port, port must be specified in host byte 578 * order. 579 * When adding a new privilege which allows binding to currently privileged 580 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind 581 * to these ports because of backward compatibility. 582 */ 583 int 584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 585 { 586 char *reason; 587 int priv; 588 589 switch (port) { 590 case 137: 591 case 138: 592 case 139: 593 case 445: 594 /* 595 * NBT and SMB ports, these are normal privileged ports, 596 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege 597 * is present. 598 * Try both, if neither is present return an error for 599 * priv SYS_SMB. 600 */ 601 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) 602 priv = PRIV_NET_PRIVADDR; 603 else 604 priv = PRIV_SYS_SMB; 605 reason = "NBT or SMB port"; 606 break; 607 608 case 2049: 609 case 4045: 610 /* 611 * NFS ports, these are extra privileged ports, allow bind 612 * only if the SYS_NFS privilege is present. 613 */ 614 priv = PRIV_SYS_NFS; 615 reason = "NFS port"; 616 break; 617 618 default: 619 priv = PRIV_NET_PRIVADDR; 620 reason = NULL; 621 break; 622 623 } 624 625 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 626 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 627 } 628 629 /* 630 * Binding to a multilevel port on a trusted (labeled) system. 631 */ 632 int 633 secpolicy_net_bindmlp(const cred_t *cr) 634 { 635 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 636 } 637 638 /* 639 * Allow a communication between a zone and an unlabeled host when their 640 * labels don't match. 641 */ 642 int 643 secpolicy_net_mac_aware(const cred_t *cr) 644 { 645 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 646 } 647 648 /* 649 * Allow a privileged process to transmit traffic without explicit labels 650 */ 651 int 652 secpolicy_net_mac_implicit(const cred_t *cr) 653 { 654 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 655 } 656 657 /* 658 * Common routine which determines whether a given credential can 659 * act on a given mount. 660 * When called through mount, the parameter needoptcheck is a pointer 661 * to a boolean variable which will be set to either true or false, 662 * depending on whether the mount policy should change the mount options. 663 * In all other cases, needoptcheck should be a NULL pointer. 664 */ 665 static int 666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 667 boolean_t *needoptcheck) 668 { 669 boolean_t allzone = B_FALSE; 670 boolean_t mounting = needoptcheck != NULL; 671 672 /* 673 * Short circuit the following cases: 674 * vfsp == NULL or mvp == NULL (pure privilege check) 675 * have all privileges - no further checks required 676 * and no mount options need to be set. 677 */ 678 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 679 if (mounting) 680 *needoptcheck = B_FALSE; 681 682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 683 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 684 } 685 686 /* 687 * When operating on an existing mount (either we're not mounting 688 * or we're doing a remount and VFS_REMOUNT will be set), zones 689 * can operate only on mounts established by the zone itself. 690 */ 691 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 692 zoneid_t zoneid = crgetzoneid(cr); 693 694 if (zoneid != GLOBAL_ZONEID && 695 vfsp->vfs_zone->zone_id != zoneid) { 696 return (EPERM); 697 } 698 } 699 700 if (mounting) 701 *needoptcheck = B_TRUE; 702 703 /* 704 * Overlay mounts may hide important stuff; if you can't write to a 705 * mount point but would be able to mount on top of it, you can 706 * escalate your privileges. 707 * So we go about asking the same questions namefs does when it 708 * decides whether you can mount over a file or not but with the 709 * added restriction that you can only mount on top of a regular 710 * file or directory. 711 * If we have all the zone's privileges, we skip all other checks, 712 * or else we may actually get in trouble inside the automounter. 713 */ 714 if ((mvp->v_flag & VROOT) != 0 || 715 (mvp->v_type != VDIR && mvp->v_type != VREG) || 716 HAS_ALLZONEPRIVS(cr)) { 717 allzone = B_TRUE; 718 } else { 719 vattr_t va; 720 int err; 721 722 va.va_mask = AT_UID|AT_MODE; 723 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 724 if (err != 0) 725 return (err); 726 727 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 728 return (err); 729 730 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, 731 VWRITE) != 0) { 732 return (EACCES); 733 } 734 } 735 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 736 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 737 } 738 739 void 740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 741 { 742 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 743 744 /* 745 * check; if we don't have either "nosuid" or 746 * both "nosetuid" and "nodevices", then we add 747 * "nosuid"; this depends on how the current 748 * implementation works (it first checks nosuid). In a 749 * zone, a user with all zone privileges can mount with 750 * "setuid" but never with "devices". 751 */ 752 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 753 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 754 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 755 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 756 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 757 else 758 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 759 } 760 /* 761 * If we're not the local super user, we set the "restrict" 762 * option to indicate to automountd that this mount should 763 * be handled with care. 764 */ 765 if (!amsuper) 766 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 767 768 } 769 770 int 771 secpolicy_fs_allowed_mount(const char *fsname) 772 { 773 struct vfssw *vswp; 774 const char *p; 775 size_t len; 776 777 ASSERT(fsname != NULL); 778 ASSERT(fsname[0] != '\0'); 779 780 if (INGLOBALZONE(curproc)) 781 return (0); 782 783 vswp = vfs_getvfssw(fsname); 784 if (vswp == NULL) 785 return (ENOENT); 786 787 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) { 788 vfs_unrefvfssw(vswp); 789 return (0); 790 } 791 792 vfs_unrefvfssw(vswp); 793 794 p = curzone->zone_fs_allowed; 795 len = strlen(fsname); 796 797 while (p != NULL && *p != '\0') { 798 if (strncmp(p, fsname, len) == 0) { 799 char c = *(p + len); 800 if (c == '\0' || c == ',') 801 return (0); 802 } 803 804 /* skip to beyond the next comma */ 805 if ((p = strchr(p, ',')) != NULL) 806 p++; 807 } 808 809 return (EPERM); 810 } 811 812 extern vnode_t *rootvp; 813 extern vfs_t *rootvfs; 814 815 int 816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 817 { 818 boolean_t needoptchk; 819 int error; 820 821 /* 822 * If it's a remount, get the underlying mount point, 823 * except for the root where we use the rootvp. 824 */ 825 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 826 if (vfsp == rootvfs) 827 mvp = rootvp; 828 else 829 mvp = vfsp->vfs_vnodecovered; 830 } 831 832 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 833 834 if (error == 0 && needoptchk) { 835 secpolicy_fs_mount_clearopts(cr, vfsp); 836 } 837 838 return (error); 839 } 840 841 /* 842 * Does the policy computations for "ownership" of a mount; 843 * here ownership is defined as the ability to "mount" 844 * the filesystem originally. The rootvfs doesn't cover any 845 * vnodes; we attribute its ownership to the rootvp. 846 */ 847 static int 848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 849 { 850 vnode_t *mvp; 851 852 if (vfsp == NULL) 853 mvp = NULL; 854 else if (vfsp == rootvfs) 855 mvp = rootvp; 856 else 857 mvp = vfsp->vfs_vnodecovered; 858 859 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 860 } 861 862 int 863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 864 { 865 return (secpolicy_fs_owner(cr, vfsp)); 866 } 867 868 /* 869 * Quotas are a resource, but if one has the ability to mount a filesystem, he 870 * should be able to modify quotas on it. 871 */ 872 int 873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 874 { 875 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 876 } 877 878 /* 879 * Exceeding minfree: also a per-mount resource constraint. 880 */ 881 int 882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 883 { 884 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 885 } 886 887 int 888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 889 { 890 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 891 } 892 893 /* ARGSUSED */ 894 int 895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 896 { 897 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 898 } 899 900 /* 901 * Name: secpolicy_vnode_access() 902 * 903 * Parameters: Process credential 904 * vnode 905 * uid of owner of vnode 906 * permission bits not granted to the caller when examining 907 * file mode bits (i.e., when a process wants to open a 908 * mode 444 file for VREAD|VWRITE, this function should be 909 * called only with a VWRITE argument). 910 * 911 * Normal: Verifies that cred has the appropriate privileges to 912 * override the mode bits that were denied. 913 * 914 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 915 * not a directory. 916 * file_dac_read - if VREAD bit was denied. 917 * file_dac_search - if VEXEC bit was denied and vnode is 918 * a directory. 919 * file_dac_write - if VWRITE bit was denied. 920 * 921 * Root owned files are special cased to protect system 922 * configuration files and such. 923 * 924 * Output: EACCES - if privilege check fails. 925 */ 926 927 int 928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 929 { 930 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 931 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 932 KLPDARG_NOMORE) != 0) { 933 return (EACCES); 934 } 935 936 if (mode & VWRITE) { 937 boolean_t allzone; 938 939 if (owner == 0 && cr->cr_uid != 0) 940 allzone = B_TRUE; 941 else 942 allzone = B_FALSE; 943 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 944 NULL, KLPDARG_VNODE, vp, (char *)NULL, 945 KLPDARG_NOMORE) != 0) { 946 return (EACCES); 947 } 948 } 949 950 if (mode & VEXEC) { 951 /* 952 * Directories use file_dac_search to override the execute bit. 953 */ 954 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 955 PRIV_FILE_DAC_EXECUTE; 956 957 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 958 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 959 } 960 return (0); 961 } 962 963 /* 964 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 965 * current mode of the file, not the missing bits. 966 */ 967 int 968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, 969 mode_t curmode, mode_t wantmode) 970 { 971 mode_t mode; 972 973 /* Inline the basic privileges tests. */ 974 if ((wantmode & VREAD) && 975 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) && 976 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 977 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 978 return (EACCES); 979 } 980 981 if ((wantmode & VWRITE) && 982 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && 983 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 984 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 985 return (EACCES); 986 } 987 988 mode = ~curmode & wantmode; 989 990 if (mode == 0) 991 return (0); 992 993 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 994 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 995 KLPDARG_NOMORE) != 0) { 996 return (EACCES); 997 } 998 999 if (mode & VWRITE) { 1000 boolean_t allzone; 1001 1002 if (owner == 0 && cr->cr_uid != 0) 1003 allzone = B_TRUE; 1004 else 1005 allzone = B_FALSE; 1006 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 1007 NULL, KLPDARG_VNODE, vp, (char *)NULL, 1008 KLPDARG_NOMORE) != 0) { 1009 return (EACCES); 1010 } 1011 } 1012 1013 if (mode & VEXEC) { 1014 /* 1015 * Directories use file_dac_search to override the execute bit. 1016 */ 1017 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 1018 PRIV_FILE_DAC_EXECUTE; 1019 1020 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 1021 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1022 } 1023 return (0); 1024 } 1025 1026 /* 1027 * This is a special routine for ZFS; it is used to determine whether 1028 * any of the privileges in effect allow any form of access to the 1029 * file. There's no reason to audit this or any reason to record 1030 * this. More work is needed to do the "KPLD" stuff. 1031 */ 1032 int 1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) 1034 { 1035 static int privs[] = { 1036 PRIV_FILE_OWNER, 1037 PRIV_FILE_CHOWN, 1038 PRIV_FILE_DAC_READ, 1039 PRIV_FILE_DAC_WRITE, 1040 PRIV_FILE_DAC_EXECUTE, 1041 PRIV_FILE_DAC_SEARCH, 1042 }; 1043 int i; 1044 1045 /* Same as secpolicy_vnode_setdac */ 1046 if (owner == cr->cr_uid) 1047 return (0); 1048 1049 for (i = 0; i < sizeof (privs)/sizeof (int); i++) { 1050 boolean_t allzone = B_FALSE; 1051 int priv; 1052 1053 switch (priv = privs[i]) { 1054 case PRIV_FILE_DAC_EXECUTE: 1055 if (vp->v_type == VDIR) 1056 continue; 1057 break; 1058 case PRIV_FILE_DAC_SEARCH: 1059 if (vp->v_type != VDIR) 1060 continue; 1061 break; 1062 case PRIV_FILE_DAC_WRITE: 1063 case PRIV_FILE_OWNER: 1064 case PRIV_FILE_CHOWN: 1065 /* We know here that if owner == 0, that cr_uid != 0 */ 1066 allzone = owner == 0; 1067 break; 1068 } 1069 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) 1070 return (0); 1071 } 1072 return (EPERM); 1073 } 1074 1075 /* 1076 * Name: secpolicy_vnode_setid_modify() 1077 * 1078 * Normal: verify that subject can set the file setid flags. 1079 * 1080 * Output: EPERM - if not privileged. 1081 */ 1082 1083 static int 1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 1085 { 1086 /* If changing to suid root, must have all zone privs */ 1087 boolean_t allzone = B_TRUE; 1088 1089 if (owner != 0) { 1090 if (owner == cr->cr_uid) 1091 return (0); 1092 allzone = B_FALSE; 1093 } 1094 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 1095 } 1096 1097 /* 1098 * Are we allowed to retain the set-uid/set-gid bits when 1099 * changing ownership or when writing to a file? 1100 * "issuid" should be true when set-uid; only in that case 1101 * root ownership is checked (setgid is assumed). 1102 */ 1103 int 1104 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 1105 { 1106 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 1107 return (EPERM); 1108 1109 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 1110 } 1111 1112 /* 1113 * Name: secpolicy_vnode_setids_setgids() 1114 * 1115 * Normal: verify that subject can set the file setgid flag. 1116 * 1117 * Output: EPERM - if not privileged 1118 */ 1119 1120 int 1121 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 1122 { 1123 if (!groupmember(gid, cred)) 1124 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 1125 NULL)); 1126 return (0); 1127 } 1128 1129 /* 1130 * Name: secpolicy_vnode_chown 1131 * 1132 * Normal: Determine if subject can chown owner of a file. 1133 * 1134 * Output: EPERM - if access denied 1135 */ 1136 1137 int 1138 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 1139 { 1140 boolean_t is_owner = (owner == crgetuid(cred)); 1141 boolean_t allzone = B_FALSE; 1142 int priv; 1143 1144 if (!is_owner) { 1145 allzone = (owner == 0); 1146 priv = PRIV_FILE_CHOWN; 1147 } else { 1148 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 1149 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1150 } 1151 1152 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 1153 } 1154 1155 /* 1156 * Name: secpolicy_vnode_create_gid 1157 * 1158 * Normal: Determine if subject can change group ownership of a file. 1159 * 1160 * Output: EPERM - if access denied 1161 */ 1162 int 1163 secpolicy_vnode_create_gid(const cred_t *cred) 1164 { 1165 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 1166 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 1167 NULL)); 1168 else 1169 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 1170 NULL)); 1171 } 1172 1173 /* 1174 * Name: secpolicy_vnode_utime_modify() 1175 * 1176 * Normal: verify that subject can modify the utime on a file. 1177 * 1178 * Output: EPERM - if access denied. 1179 */ 1180 1181 static int 1182 secpolicy_vnode_utime_modify(const cred_t *cred) 1183 { 1184 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 1185 "modify file times")); 1186 } 1187 1188 1189 /* 1190 * Name: secpolicy_vnode_setdac() 1191 * 1192 * Normal: verify that subject can modify the mode of a file. 1193 * allzone privilege needed when modifying root owned object. 1194 * 1195 * Output: EPERM - if access denied. 1196 */ 1197 1198 int 1199 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1200 { 1201 if (owner == cred->cr_uid) 1202 return (0); 1203 1204 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1205 } 1206 /* 1207 * Name: secpolicy_vnode_stky_modify() 1208 * 1209 * Normal: verify that subject can make a file a "sticky". 1210 * 1211 * Output: EPERM - if access denied. 1212 */ 1213 1214 int 1215 secpolicy_vnode_stky_modify(const cred_t *cred) 1216 { 1217 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1218 "set file sticky")); 1219 } 1220 1221 /* 1222 * Policy determines whether we can remove an entry from a directory, 1223 * regardless of permission bits. 1224 */ 1225 int 1226 secpolicy_vnode_remove(const cred_t *cr) 1227 { 1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1229 "sticky directory")); 1230 } 1231 1232 int 1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1234 { 1235 boolean_t allzone = (owner == 0); 1236 1237 if (owner == cr->cr_uid) 1238 return (0); 1239 1240 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1241 } 1242 1243 void 1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1245 { 1246 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1247 secpolicy_vnode_setid_retain(cr, 1248 (vap->va_mode & S_ISUID) != 0 && 1249 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1250 vap->va_mask |= AT_MODE; 1251 vap->va_mode &= ~(S_ISUID|S_ISGID); 1252 } 1253 } 1254 1255 int 1256 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1257 cred_t *cr) 1258 { 1259 int error; 1260 1261 if ((vap->va_mode & S_ISUID) != 0 && 1262 (error = secpolicy_vnode_setid_modify(cr, 1263 ovap->va_uid)) != 0) { 1264 return (error); 1265 } 1266 1267 /* 1268 * Check privilege if attempting to set the 1269 * sticky bit on a non-directory. 1270 */ 1271 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1272 secpolicy_vnode_stky_modify(cr) != 0) { 1273 vap->va_mode &= ~S_ISVTX; 1274 } 1275 1276 /* 1277 * Check for privilege if attempting to set the 1278 * group-id bit. 1279 */ 1280 if ((vap->va_mode & S_ISGID) != 0 && 1281 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1282 vap->va_mode &= ~S_ISGID; 1283 } 1284 1285 return (0); 1286 } 1287 1288 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1289 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1290 B_FALSE, EPERM, NULL) 1291 1292 /* 1293 * Check privileges for setting xvattr attributes 1294 */ 1295 int 1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1297 { 1298 xoptattr_t *xoap; 1299 int error = 0; 1300 1301 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1302 return (EINVAL); 1303 1304 /* 1305 * First process the DOS bits 1306 */ 1307 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1308 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1309 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1310 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1311 XVA_ISSET_REQ(xvap, XAT_CREATETIME) || 1312 XVA_ISSET_REQ(xvap, XAT_OFFLINE) || 1313 XVA_ISSET_REQ(xvap, XAT_SPARSE)) { 1314 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1315 return (error); 1316 } 1317 1318 /* 1319 * Now handle special attributes 1320 */ 1321 1322 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1323 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1324 xoap->xoa_immutable, cr); 1325 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1326 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1327 xoap->xoa_nounlink, cr); 1328 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1329 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1330 xoap->xoa_appendonly, cr); 1331 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1332 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1333 xoap->xoa_nodump, cr); 1334 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1335 error = EPERM; 1336 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1337 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1338 xoap->xoa_av_quarantined, cr); 1339 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1340 error = EINVAL; 1341 } 1342 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1343 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1344 xoap->xoa_av_modified, cr); 1345 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1346 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1347 xoap->xoa_av_scanstamp, cr); 1348 if (error == 0 && vtype != VREG) 1349 error = EINVAL; 1350 } 1351 return (error); 1352 } 1353 1354 /* 1355 * This function checks the policy decisions surrounding the 1356 * vop setattr call. 1357 * 1358 * It should be called after sufficient locks have been established 1359 * on the underlying data structures. No concurrent modifications 1360 * should be allowed. 1361 * 1362 * The caller must pass in unlocked version of its vaccess function 1363 * this is required because vop_access function should lock the 1364 * node for reading. A three argument function should be defined 1365 * which accepts the following argument: 1366 * A pointer to the internal "node" type (inode *) 1367 * vnode access bits (VREAD|VWRITE|VEXEC) 1368 * a pointer to the credential 1369 * 1370 * This function makes the following policy decisions: 1371 * 1372 * - change permissions 1373 * - permission to change file mode if not owner 1374 * - permission to add sticky bit to non-directory 1375 * - permission to add set-gid bit 1376 * 1377 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1378 * 1379 * If the vap argument does not include AT_MODE, the mode will be copied from 1380 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1381 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1382 * is updated to the newly computed mode. 1383 */ 1384 1385 int 1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1387 const struct vattr *ovap, int flags, 1388 int unlocked_access(void *, int, cred_t *), 1389 void *node) 1390 { 1391 int mask = vap->va_mask; 1392 int error = 0; 1393 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1394 1395 if (mask & AT_SIZE) { 1396 if (vp->v_type == VDIR) { 1397 error = EISDIR; 1398 goto out; 1399 } 1400 1401 /* 1402 * If ATTR_NOACLCHECK is set in the flags, then we don't 1403 * perform the secondary unlocked_access() call since the 1404 * ACL (if any) is being checked there. 1405 */ 1406 if (skipaclchk == B_FALSE) { 1407 error = unlocked_access(node, VWRITE, cr); 1408 if (error) 1409 goto out; 1410 } 1411 } 1412 if (mask & AT_MODE) { 1413 /* 1414 * If not the owner of the file then check privilege 1415 * for two things: the privilege to set the mode at all 1416 * and, if we're setting setuid, we also need permissions 1417 * to add the set-uid bit, if we're not the owner. 1418 * In the specific case of creating a set-uid root 1419 * file, we need even more permissions. 1420 */ 1421 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1422 goto out; 1423 1424 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1425 ovap, cr)) != 0) 1426 goto out; 1427 } else 1428 vap->va_mode = ovap->va_mode; 1429 1430 if (mask & (AT_UID|AT_GID)) { 1431 boolean_t checkpriv = B_FALSE; 1432 1433 /* 1434 * Chowning files. 1435 * 1436 * If you are the file owner: 1437 * chown to other uid FILE_CHOWN_SELF 1438 * chown to gid (non-member) FILE_CHOWN_SELF 1439 * chown to gid (member) <none> 1440 * 1441 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1442 * acceptable but the first one is reported when debugging. 1443 * 1444 * If you are not the file owner: 1445 * chown from root PRIV_FILE_CHOWN + zone 1446 * chown from other to any PRIV_FILE_CHOWN 1447 * 1448 */ 1449 if (cr->cr_uid != ovap->va_uid) { 1450 checkpriv = B_TRUE; 1451 } else { 1452 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1453 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1454 !groupmember(vap->va_gid, cr))) { 1455 checkpriv = B_TRUE; 1456 } 1457 } 1458 /* 1459 * If necessary, check privilege to see if update can be done. 1460 */ 1461 if (checkpriv && 1462 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1463 goto out; 1464 } 1465 1466 /* 1467 * If the file has either the set UID or set GID bits 1468 * set and the caller can set the bits, then leave them. 1469 */ 1470 secpolicy_setid_clear(vap, cr); 1471 } 1472 if (mask & (AT_ATIME|AT_MTIME)) { 1473 /* 1474 * If not the file owner and not otherwise privileged, 1475 * always return an error when setting the 1476 * time other than the current (ATTR_UTIME flag set). 1477 * If setting the current time (ATTR_UTIME not set) then 1478 * unlocked_access will check permissions according to policy. 1479 */ 1480 if (cr->cr_uid != ovap->va_uid) { 1481 if (flags & ATTR_UTIME) 1482 error = secpolicy_vnode_utime_modify(cr); 1483 else if (skipaclchk == B_FALSE) { 1484 error = unlocked_access(node, VWRITE, cr); 1485 if (error == EACCES && 1486 secpolicy_vnode_utime_modify(cr) == 0) 1487 error = 0; 1488 } 1489 if (error) 1490 goto out; 1491 } 1492 } 1493 1494 /* 1495 * Check for optional attributes here by checking the following: 1496 */ 1497 if (mask & AT_XVATTR) 1498 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1499 vp->v_type); 1500 out: 1501 return (error); 1502 } 1503 1504 /* 1505 * Name: secpolicy_pcfs_modify_bootpartition() 1506 * 1507 * Normal: verify that subject can modify a pcfs boot partition. 1508 * 1509 * Output: EACCES - if privilege check failed. 1510 */ 1511 /*ARGSUSED*/ 1512 int 1513 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1514 { 1515 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1516 "modify pcfs boot partition")); 1517 } 1518 1519 /* 1520 * System V IPC routines 1521 */ 1522 int 1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1524 { 1525 if (crgetzoneid(cr) != ip->ipc_zoneid || 1526 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1527 boolean_t allzone = B_FALSE; 1528 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1529 allzone = B_TRUE; 1530 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1531 } 1532 return (0); 1533 } 1534 1535 int 1536 secpolicy_ipc_config(const cred_t *cr) 1537 { 1538 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1539 } 1540 1541 int 1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1543 { 1544 1545 boolean_t allzone = B_FALSE; 1546 1547 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1548 1549 if ((mode & MSG_R) && 1550 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1551 return (EACCES); 1552 1553 if (mode & MSG_W) { 1554 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1555 allzone = B_TRUE; 1556 1557 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1558 NULL)); 1559 } 1560 return (0); 1561 } 1562 1563 int 1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1565 { 1566 boolean_t allzone = B_FALSE; 1567 1568 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1569 1570 if ((mode & MSG_R) && 1571 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1572 return (EACCES); 1573 1574 if (mode & MSG_W) { 1575 if (cr->cr_uid != 0 && owner == 0) 1576 allzone = B_TRUE; 1577 1578 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1579 NULL)); 1580 } 1581 return (0); 1582 } 1583 1584 /* 1585 * Audit configuration. 1586 */ 1587 int 1588 secpolicy_audit_config(const cred_t *cr) 1589 { 1590 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1591 } 1592 1593 /* 1594 * Audit record generation. 1595 */ 1596 int 1597 secpolicy_audit_modify(const cred_t *cr) 1598 { 1599 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1600 } 1601 1602 /* 1603 * Get audit attributes. 1604 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1605 * "Least" of the two privileges on error. 1606 */ 1607 int 1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) 1609 { 1610 int priv; 1611 1612 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) 1613 priv = PRIV_SYS_AUDIT; 1614 else 1615 priv = PRIV_PROC_AUDIT; 1616 1617 if (checkonly) 1618 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); 1619 else 1620 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1621 } 1622 1623 1624 /* 1625 * Locking physical memory 1626 */ 1627 int 1628 secpolicy_lock_memory(const cred_t *cr) 1629 { 1630 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1631 } 1632 1633 /* 1634 * Accounting (both acct(2) and exacct). 1635 */ 1636 int 1637 secpolicy_acct(const cred_t *cr) 1638 { 1639 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1640 } 1641 1642 /* 1643 * Is this process privileged to change its uids at will? 1644 * Uid 0 is still considered "special" and having the SETID 1645 * privilege is not sufficient to get uid 0. 1646 * Files are owned by root, so the privilege would give 1647 * full access and euid 0 is still effective. 1648 * 1649 * If you have the privilege and euid 0 only then do you 1650 * get the powers of root wrt uid 0. 1651 * 1652 * For gid manipulations, this is should be called with an 1653 * uid of -1. 1654 * 1655 */ 1656 int 1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1658 { 1659 boolean_t allzone = B_FALSE; 1660 1661 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1662 cr->cr_ruid != 0) { 1663 allzone = B_TRUE; 1664 } 1665 1666 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1667 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1668 } 1669 1670 1671 /* 1672 * Acting on a different process: if the mode is for writing, 1673 * the restrictions are more severe. This is called after 1674 * we've verified that the uids do not match. 1675 */ 1676 int 1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1678 { 1679 boolean_t allzone = B_FALSE; 1680 1681 if ((mode & VWRITE) && scr->cr_uid != 0 && 1682 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1683 allzone = B_TRUE; 1684 1685 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1686 } 1687 1688 int 1689 secpolicy_proc_access(const cred_t *scr) 1690 { 1691 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1692 } 1693 1694 int 1695 secpolicy_proc_excl_open(const cred_t *scr) 1696 { 1697 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1698 } 1699 1700 int 1701 secpolicy_proc_zone(const cred_t *scr) 1702 { 1703 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1704 } 1705 1706 /* 1707 * Destroying the system 1708 */ 1709 1710 int 1711 secpolicy_kmdb(const cred_t *scr) 1712 { 1713 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1714 } 1715 1716 int 1717 secpolicy_error_inject(const cred_t *scr) 1718 { 1719 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1720 } 1721 1722 /* 1723 * Processor sets, cpu configuration, resource pools. 1724 */ 1725 int 1726 secpolicy_pset(const cred_t *cr) 1727 { 1728 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1729 } 1730 1731 /* Process security flags */ 1732 int 1733 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp) 1734 { 1735 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0) 1736 return (EPERM); 1737 1738 if (!prochasprocperm(tp, sp, cr)) 1739 return (EPERM); 1740 1741 return (0); 1742 } 1743 1744 /* 1745 * Processor set binding. 1746 */ 1747 int 1748 secpolicy_pbind(const cred_t *cr) 1749 { 1750 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) 1751 return (secpolicy_pset(cr)); 1752 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); 1753 } 1754 1755 int 1756 secpolicy_ponline(const cred_t *cr) 1757 { 1758 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1759 } 1760 1761 int 1762 secpolicy_pool(const cred_t *cr) 1763 { 1764 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1765 } 1766 1767 int 1768 secpolicy_blacklist(const cred_t *cr) 1769 { 1770 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1771 } 1772 1773 /* 1774 * Catch all system configuration. 1775 */ 1776 int 1777 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1778 { 1779 if (checkonly) { 1780 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1781 EPERM); 1782 } else { 1783 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1784 } 1785 } 1786 1787 /* 1788 * Zone administration (halt, reboot, etc.) from within zone. 1789 */ 1790 int 1791 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1792 { 1793 if (checkonly) { 1794 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1795 EPERM); 1796 } else { 1797 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1798 NULL)); 1799 } 1800 } 1801 1802 /* 1803 * Zone configuration (create, halt, enter). 1804 */ 1805 int 1806 secpolicy_zone_config(const cred_t *cr) 1807 { 1808 /* 1809 * Require all privileges to avoid possibility of privilege 1810 * escalation. 1811 */ 1812 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 1813 } 1814 1815 /* 1816 * Various other system configuration calls 1817 */ 1818 int 1819 secpolicy_coreadm(const cred_t *cr) 1820 { 1821 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1822 } 1823 1824 int 1825 secpolicy_systeminfo(const cred_t *cr) 1826 { 1827 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1828 } 1829 1830 int 1831 secpolicy_dispadm(const cred_t *cr) 1832 { 1833 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1834 } 1835 1836 int 1837 secpolicy_settime(const cred_t *cr) 1838 { 1839 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1840 } 1841 1842 /* 1843 * For realtime users: high resolution clock. 1844 */ 1845 int 1846 secpolicy_clock_highres(const cred_t *cr) 1847 { 1848 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1849 NULL)); 1850 } 1851 1852 /* 1853 * drv_priv() is documented as callable from interrupt context, not that 1854 * anyone ever does, but still. No debugging or auditing can be done when 1855 * it is called from interrupt context. 1856 * returns 0 on succes, EPERM on failure. 1857 */ 1858 int 1859 drv_priv(cred_t *cr) 1860 { 1861 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1862 } 1863 1864 int 1865 secpolicy_sys_devices(const cred_t *cr) 1866 { 1867 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1868 } 1869 1870 int 1871 secpolicy_excl_open(const cred_t *cr) 1872 { 1873 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1874 } 1875 1876 int 1877 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1878 { 1879 /* zone.* rctls can only be set from the global zone */ 1880 if (is_zone_rctl && priv_policy_global(cr) != 0) 1881 return (EPERM); 1882 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1883 } 1884 1885 int 1886 secpolicy_resource(const cred_t *cr) 1887 { 1888 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1889 } 1890 1891 int 1892 secpolicy_resource_anon_mem(const cred_t *cr) 1893 { 1894 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1895 } 1896 1897 /* 1898 * Processes with a real uid of 0 escape any form of accounting, much 1899 * like before. 1900 */ 1901 int 1902 secpolicy_newproc(const cred_t *cr) 1903 { 1904 if (cr->cr_ruid == 0) 1905 return (0); 1906 1907 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1908 } 1909 1910 /* 1911 * Networking 1912 */ 1913 int 1914 secpolicy_net_rawaccess(const cred_t *cr) 1915 { 1916 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1917 } 1918 1919 int 1920 secpolicy_net_observability(const cred_t *cr) 1921 { 1922 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1923 } 1924 1925 /* 1926 * Need this privilege for accessing the ICMP device 1927 */ 1928 int 1929 secpolicy_net_icmpaccess(const cred_t *cr) 1930 { 1931 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1932 } 1933 1934 /* 1935 * There are a few rare cases where the kernel generates ioctls() from 1936 * interrupt context with a credential of kcred rather than NULL. 1937 * In those cases, we take the safe and cheap test. 1938 */ 1939 int 1940 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1941 { 1942 if (checkonly) { 1943 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1944 0 : EPERM); 1945 } else { 1946 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1947 NULL)); 1948 } 1949 } 1950 1951 1952 /* 1953 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1954 * 1955 * There are a few rare cases where the kernel generates ioctls() from 1956 * interrupt context with a credential of kcred rather than NULL. 1957 * In those cases, we take the safe and cheap test. 1958 */ 1959 int 1960 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1961 { 1962 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1963 return (secpolicy_net_config(cr, checkonly)); 1964 1965 if (checkonly) { 1966 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1967 0 : EPERM); 1968 } else { 1969 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1970 NULL)); 1971 } 1972 } 1973 1974 /* 1975 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1976 */ 1977 int 1978 secpolicy_dl_config(const cred_t *cr) 1979 { 1980 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1981 return (secpolicy_net_config(cr, B_FALSE)); 1982 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 1983 } 1984 1985 /* 1986 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 1987 */ 1988 int 1989 secpolicy_iptun_config(const cred_t *cr) 1990 { 1991 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1992 return (secpolicy_net_config(cr, B_FALSE)); 1993 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 1994 return (secpolicy_dl_config(cr)); 1995 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 1996 } 1997 1998 /* 1999 * Map IP pseudo privileges to actual privileges. 2000 * So we don't need to recompile IP when we change the privileges. 2001 */ 2002 int 2003 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 2004 { 2005 int priv = PRIV_ALL; 2006 2007 switch (netpriv) { 2008 case OP_CONFIG: 2009 priv = PRIV_SYS_IP_CONFIG; 2010 break; 2011 case OP_RAW: 2012 priv = PRIV_NET_RAWACCESS; 2013 break; 2014 case OP_PRIVPORT: 2015 priv = PRIV_NET_PRIVADDR; 2016 break; 2017 } 2018 ASSERT(priv != PRIV_ALL); 2019 if (checkonly) 2020 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2021 else 2022 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2023 } 2024 2025 /* 2026 * Map network pseudo privileges to actual privileges. 2027 * So we don't need to recompile IP when we change the privileges. 2028 */ 2029 int 2030 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 2031 { 2032 int priv = PRIV_ALL; 2033 2034 switch (netpriv) { 2035 case OP_CONFIG: 2036 priv = PRIV_SYS_NET_CONFIG; 2037 break; 2038 case OP_RAW: 2039 priv = PRIV_NET_RAWACCESS; 2040 break; 2041 case OP_PRIVPORT: 2042 priv = PRIV_NET_PRIVADDR; 2043 break; 2044 } 2045 ASSERT(priv != PRIV_ALL); 2046 if (checkonly) 2047 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2048 else 2049 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2050 } 2051 2052 /* 2053 * Checks for operations that are either client-only or are used by 2054 * both clients and servers. 2055 */ 2056 int 2057 secpolicy_nfs(const cred_t *cr) 2058 { 2059 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 2060 } 2061 2062 /* 2063 * Special case for opening rpcmod: have NFS privileges or network 2064 * config privileges. 2065 */ 2066 int 2067 secpolicy_rpcmod_open(const cred_t *cr) 2068 { 2069 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 2070 return (secpolicy_nfs(cr)); 2071 else 2072 return (secpolicy_net_config(cr, NULL)); 2073 } 2074 2075 int 2076 secpolicy_chroot(const cred_t *cr) 2077 { 2078 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 2079 } 2080 2081 int 2082 secpolicy_tasksys(const cred_t *cr) 2083 { 2084 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 2085 } 2086 2087 int 2088 secpolicy_meminfo(const cred_t *cr) 2089 { 2090 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL)); 2091 } 2092 2093 int 2094 secpolicy_pfexec_register(const cred_t *cr) 2095 { 2096 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); 2097 } 2098 2099 /* 2100 * Basic privilege checks. 2101 */ 2102 int 2103 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 2104 { 2105 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); 2106 2107 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 2108 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 2109 } 2110 2111 int 2112 secpolicy_basic_fork(const cred_t *cr) 2113 { 2114 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); 2115 2116 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 2117 } 2118 2119 int 2120 secpolicy_basic_proc(const cred_t *cr) 2121 { 2122 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); 2123 2124 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 2125 } 2126 2127 /* 2128 * Slightly complicated because we don't want to trigger the policy too 2129 * often. First we shortcircuit access to "self" (tp == sp) or if 2130 * we don't have the privilege but if we have permission 2131 * just return (0) and we don't flag the privilege as needed. 2132 * Else, we test for the privilege because we either have it or need it. 2133 */ 2134 int 2135 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 2136 { 2137 if (tp == sp || 2138 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 2139 return (0); 2140 } else { 2141 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 2142 } 2143 } 2144 2145 int 2146 secpolicy_basic_link(const cred_t *cr) 2147 { 2148 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); 2149 2150 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 2151 } 2152 2153 int 2154 secpolicy_basic_net_access(const cred_t *cr) 2155 { 2156 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); 2157 2158 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 2159 } 2160 2161 /* ARGSUSED */ 2162 int 2163 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) 2164 { 2165 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); 2166 2167 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 2168 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2169 } 2170 2171 /* ARGSUSED */ 2172 int 2173 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) 2174 { 2175 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); 2176 2177 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 2178 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2179 } 2180 2181 /* 2182 * Additional device protection. 2183 * 2184 * Traditionally, a device has specific permissions on the node in 2185 * the filesystem which govern which devices can be opened by what 2186 * processes. In certain cases, it is desirable to add extra 2187 * restrictions, as writing to certain devices is identical to 2188 * having a complete run of the system. 2189 * 2190 * This mechanism is called the device policy. 2191 * 2192 * When a device is opened, its policy entry is looked up in the 2193 * policy cache and checked. 2194 */ 2195 int 2196 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 2197 { 2198 devplcy_t *plcy; 2199 int err; 2200 struct snode *csp = VTOS(common_specvp(vp)); 2201 priv_set_t pset; 2202 2203 mutex_enter(&csp->s_lock); 2204 2205 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 2206 plcy = devpolicy_find(vp); 2207 if (csp->s_plcy) 2208 dpfree(csp->s_plcy); 2209 csp->s_plcy = plcy; 2210 ASSERT(plcy != NULL); 2211 } else 2212 plcy = csp->s_plcy; 2213 2214 if (plcy == nullpolicy) { 2215 mutex_exit(&csp->s_lock); 2216 return (0); 2217 } 2218 2219 dphold(plcy); 2220 2221 mutex_exit(&csp->s_lock); 2222 2223 if (oflag & FWRITE) 2224 pset = plcy->dp_wrp; 2225 else 2226 pset = plcy->dp_rdp; 2227 /* 2228 * Special case: 2229 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2230 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 2231 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 2232 * in the required privilege set before doing the check. 2233 */ 2234 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 2235 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 2236 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 2237 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 2238 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 2239 } 2240 2241 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); 2242 dpfree(plcy); 2243 2244 return (err); 2245 } 2246 2247 int 2248 secpolicy_modctl(const cred_t *cr, int cmd) 2249 { 2250 switch (cmd) { 2251 case MODINFO: 2252 case MODGETMAJBIND: 2253 case MODGETPATH: 2254 case MODGETPATHLEN: 2255 case MODGETNAME: 2256 case MODGETFBNAME: 2257 case MODGETDEVPOLICY: 2258 case MODGETDEVPOLICYBYNAME: 2259 case MODDEVT2INSTANCE: 2260 case MODSIZEOF_DEVID: 2261 case MODGETDEVID: 2262 case MODSIZEOF_MINORNAME: 2263 case MODGETMINORNAME: 2264 case MODGETDEVFSPATH_LEN: 2265 case MODGETDEVFSPATH: 2266 case MODGETDEVFSPATH_MI_LEN: 2267 case MODGETDEVFSPATH_MI: 2268 /* Unprivileged */ 2269 return (0); 2270 case MODLOAD: 2271 case MODSETDEVPOLICY: 2272 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, 2273 KLPDARG_NONE)); 2274 default: 2275 return (secpolicy_sys_config(cr, B_FALSE)); 2276 } 2277 } 2278 2279 int 2280 secpolicy_console(const cred_t *cr) 2281 { 2282 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2283 } 2284 2285 int 2286 secpolicy_power_mgmt(const cred_t *cr) 2287 { 2288 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2289 } 2290 2291 /* 2292 * Simulate terminal input; another escalation of privileges avenue. 2293 */ 2294 2295 int 2296 secpolicy_sti(const cred_t *cr) 2297 { 2298 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2299 } 2300 2301 boolean_t 2302 secpolicy_net_reply_equal(const cred_t *cr) 2303 { 2304 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2305 } 2306 2307 int 2308 secpolicy_swapctl(const cred_t *cr) 2309 { 2310 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2311 } 2312 2313 int 2314 secpolicy_cpc_cpu(const cred_t *cr) 2315 { 2316 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2317 } 2318 2319 /* 2320 * secpolicy_contract_identity 2321 * 2322 * Determine if the subject may set the process contract FMRI value 2323 */ 2324 int 2325 secpolicy_contract_identity(const cred_t *cr) 2326 { 2327 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2328 } 2329 2330 /* 2331 * secpolicy_contract_observer 2332 * 2333 * Determine if the subject may observe a specific contract's events. 2334 */ 2335 int 2336 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2337 { 2338 if (contract_owned(ct, cr, B_FALSE)) 2339 return (0); 2340 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2341 } 2342 2343 /* 2344 * secpolicy_contract_observer_choice 2345 * 2346 * Determine if the subject may observe any contract's events. Just 2347 * tests privilege and audits on success. 2348 */ 2349 boolean_t 2350 secpolicy_contract_observer_choice(const cred_t *cr) 2351 { 2352 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2353 } 2354 2355 /* 2356 * secpolicy_contract_event 2357 * 2358 * Determine if the subject may request critical contract events or 2359 * reliable contract event delivery. 2360 */ 2361 int 2362 secpolicy_contract_event(const cred_t *cr) 2363 { 2364 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2365 } 2366 2367 /* 2368 * secpolicy_contract_event_choice 2369 * 2370 * Determine if the subject may retain contract events in its critical 2371 * set when a change in other terms would normally require a change in 2372 * the critical set. Just tests privilege and audits on success. 2373 */ 2374 boolean_t 2375 secpolicy_contract_event_choice(const cred_t *cr) 2376 { 2377 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2378 } 2379 2380 /* 2381 * secpolicy_gart_access 2382 * 2383 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2384 * device. 2385 */ 2386 int 2387 secpolicy_gart_access(const cred_t *cr) 2388 { 2389 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2390 } 2391 2392 /* 2393 * secpolicy_gart_map 2394 * 2395 * Determine if the subject has sufficient priveleges to map aperture range 2396 * through agpgart driver. 2397 */ 2398 int 2399 secpolicy_gart_map(const cred_t *cr) 2400 { 2401 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2402 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2403 NULL)); 2404 } else { 2405 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2406 NULL)); 2407 } 2408 } 2409 2410 /* 2411 * secpolicy_zinject 2412 * 2413 * Determine if the subject can inject faults in the ZFS fault injection 2414 * framework. Requires all privileges. 2415 */ 2416 int 2417 secpolicy_zinject(const cred_t *cr) 2418 { 2419 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2420 } 2421 2422 /* 2423 * secpolicy_zfs 2424 * 2425 * Determine if the subject has permission to manipulate ZFS datasets 2426 * (not pools). Equivalent to the SYS_MOUNT privilege. 2427 */ 2428 int 2429 secpolicy_zfs(const cred_t *cr) 2430 { 2431 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2432 } 2433 2434 /* 2435 * secpolicy_idmap 2436 * 2437 * Determine if the calling process has permissions to register an SID 2438 * mapping daemon and allocate ephemeral IDs. 2439 */ 2440 int 2441 secpolicy_idmap(const cred_t *cr) 2442 { 2443 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2444 } 2445 2446 /* 2447 * secpolicy_ucode_update 2448 * 2449 * Determine if the subject has sufficient privilege to update microcode. 2450 */ 2451 int 2452 secpolicy_ucode_update(const cred_t *scr) 2453 { 2454 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2455 } 2456 2457 /* 2458 * secpolicy_sadopen 2459 * 2460 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2461 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2462 * In global zone, sys_config is required. 2463 * In exclusive-IP zones, sys_ip_config is required. 2464 * Note that sys_config is prohibited in non-global zones. 2465 */ 2466 int 2467 secpolicy_sadopen(const cred_t *credp) 2468 { 2469 priv_set_t pset; 2470 2471 priv_emptyset(&pset); 2472 2473 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2474 priv_addset(&pset, PRIV_SYS_CONFIG); 2475 else 2476 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2477 2478 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE)); 2479 } 2480 2481 2482 /* 2483 * Add privileges to a particular privilege set; this is called when the 2484 * current sets of privileges are not sufficient. I.e., we should always 2485 * call the policy override functions from here. 2486 * What we are allowed to have is in the Observed Permitted set; so 2487 * we compute the difference between that and the newset. 2488 */ 2489 int 2490 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2491 { 2492 priv_set_t rqd; 2493 2494 rqd = CR_OPPRIV(cr); 2495 2496 priv_inverse(&rqd); 2497 priv_intersect(nset, &rqd); 2498 2499 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); 2500 } 2501 2502 /* 2503 * secpolicy_smb 2504 * 2505 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2506 * that it has permission to access the smbsrv kernel driver. 2507 * PRIV_POLICY checks the privilege and audits the check. 2508 * 2509 * Returns: 2510 * 0 Driver access is allowed. 2511 * EPERM Driver access is NOT permitted. 2512 */ 2513 int 2514 secpolicy_smb(const cred_t *cr) 2515 { 2516 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2517 } 2518 2519 /* 2520 * secpolicy_vscan 2521 * 2522 * Determine if cred_t has the necessary privileges to access a file 2523 * for virus scanning and update its extended system attributes. 2524 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2525 * PRIV_FILE_FLAG_SET - set extended system attributes 2526 * 2527 * PRIV_POLICY checks the privilege and audits the check. 2528 * 2529 * Returns: 2530 * 0 file access for virus scanning allowed. 2531 * EPERM file access for virus scanning is NOT permitted. 2532 */ 2533 int 2534 secpolicy_vscan(const cred_t *cr) 2535 { 2536 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2537 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2538 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2539 return (EPERM); 2540 } 2541 2542 return (0); 2543 } 2544 2545 /* 2546 * secpolicy_smbfs_login 2547 * 2548 * Determines if the caller can add and delete the smbfs login 2549 * password in the the nsmb kernel module for the CIFS client. 2550 * 2551 * Returns: 2552 * 0 access is allowed. 2553 * EPERM access is NOT allowed. 2554 */ 2555 int 2556 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2557 { 2558 uid_t cruid = crgetruid(cr); 2559 2560 if (cruid == uid) 2561 return (0); 2562 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2563 EPERM, NULL)); 2564 } 2565 2566 /* 2567 * secpolicy_xvm_control 2568 * 2569 * Determines if a caller can control the xVM hypervisor and/or running 2570 * domains (x86 specific). 2571 * 2572 * Returns: 2573 * 0 access is allowed. 2574 * EPERM access is NOT allowed. 2575 */ 2576 int 2577 secpolicy_xvm_control(const cred_t *cr) 2578 { 2579 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2580 return (EPERM); 2581 return (0); 2582 } 2583 2584 /* 2585 * secpolicy_ppp_config 2586 * 2587 * Determine if the subject has sufficient privileges to configure PPP and 2588 * PPP-related devices. 2589 */ 2590 int 2591 secpolicy_ppp_config(const cred_t *cr) 2592 { 2593 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2594 return (secpolicy_net_config(cr, B_FALSE)); 2595 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2596 } 2597