1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 #include <sys/dld_ioc.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 int priv_basic_test = -1; 68 69 /* 70 * This file contains the majority of the policy routines. 71 * Since the policy routines are defined by function and not 72 * by privilege, there is quite a bit of duplication of 73 * functions. 74 * 75 * The secpolicy functions must not make assumptions about 76 * locks held or not held as any lock can be held while they're 77 * being called. 78 * 79 * Credentials are read-only so no special precautions need to 80 * be taken while locking them. 81 * 82 * When a new policy check needs to be added to the system the 83 * following procedure should be followed: 84 * 85 * Pick an appropriate secpolicy_*() function 86 * -> done if one exists. 87 * Create a new secpolicy function, preferably with 88 * a descriptive name using the standard template. 89 * Pick an appropriate privilege for the policy. 90 * If no appropraite privilege exists, define new one 91 * (this should be done with extreme care; in most cases 92 * little is gained by adding another privilege) 93 * 94 * WHY ROOT IS STILL SPECIAL. 95 * 96 * In a number of the policy functions, there are still explicit 97 * checks for uid 0. The rationale behind these is that many root 98 * owned files/objects hold configuration information which can give full 99 * privileges to the user once written to. To prevent escalation 100 * of privilege by allowing just a single privilege to modify root owned 101 * objects, we've added these root specific checks where we considered 102 * them necessary: modifying root owned files, changing uids to 0, etc. 103 * 104 * PRIVILEGE ESCALATION AND ZONES. 105 * 106 * A number of operations potentially allow the caller to achieve 107 * privileges beyond the ones normally required to perform the operation. 108 * For example, if allowed to create a setuid 0 executable, a process can 109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 110 * restrictions on the ability to gain privileges beyond those available 111 * within the zone through file and process manipulation. Hence, such 112 * operations require that the caller have an effective set that includes 113 * all privileges available within the current zone, or all privileges 114 * if executing in the global zone. 115 * 116 * This is indicated in the priv_policy* policy checking functions 117 * through a combination of parameters. The "priv" parameter indicates 118 * the privilege that is required, and the "allzone" parameter indicates 119 * whether or not all privileges in the zone are required. In addition, 120 * priv can be set to PRIV_ALL to indicate that all privileges are 121 * required (regardless of zone). There are three scenarios of interest: 122 * (1) operation requires a specific privilege 123 * (2) operation requires a specific privilege, and requires all 124 * privileges available within the zone (or all privileges if in 125 * the global zone) 126 * (3) operation requires all privileges, regardless of zone 127 * 128 * For (1), priv should be set to the specific privilege, and allzone 129 * should be set to B_FALSE. 130 * For (2), priv should be set to the specific privilege, and allzone 131 * should be set to B_TRUE. 132 * For (3), priv should be set to PRIV_ALL, and allzone should be set 133 * to B_FALSE. 134 * 135 */ 136 137 /* 138 * The privileges are checked against the Effective set for 139 * ordinary processes and checked against the Limit set 140 * for euid 0 processes that haven't manipulated their privilege 141 * sets. 142 */ 143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 147 HAS_ALLPRIVS(cr) : \ 148 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 149 150 /* 151 * Policy checking functions. 152 * 153 * All of the system's policy should be implemented here. 154 */ 155 156 /* 157 * Private functions which take an additional va_list argument to 158 * implement an object specific policy override. 159 */ 160 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 161 const char *, va_list); 162 static int priv_policy_va(const cred_t *, int, boolean_t, int, 163 const char *, ...); 164 165 /* 166 * Generic policy calls 167 * 168 * The "bottom" functions of policy control 169 */ 170 static char * 171 mprintf(const char *fmt, ...) 172 { 173 va_list args; 174 char *buf; 175 size_t len; 176 177 va_start(args, fmt); 178 len = vsnprintf(NULL, 0, fmt, args) + 1; 179 va_end(args); 180 181 buf = kmem_alloc(len, KM_NOSLEEP); 182 183 if (buf == NULL) 184 return (NULL); 185 186 va_start(args, fmt); 187 (void) vsnprintf(buf, len, fmt, args); 188 va_end(args); 189 190 return (buf); 191 } 192 193 /* 194 * priv_policy_errmsg() 195 * 196 * Generate an error message if privilege debugging is enabled system wide 197 * or for this particular process. 198 */ 199 200 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 201 #define FMTMSG " for \"%s\"" 202 #define FMTFUN " needed at %s+0x%lx" 203 204 /* The maximum size privilege format: the concatenation of the above */ 205 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 206 207 static void 208 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 209 { 210 struct proc *me; 211 pc_t stack[MAXPRIVSTACK]; 212 int depth; 213 int i; 214 char *sym; 215 ulong_t off; 216 const char *pname; 217 218 char *cmd; 219 char fmt[sizeof (FMTMAX)]; 220 221 if ((me = curproc) == &p0) 222 return; 223 224 /* Privileges must be defined */ 225 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 226 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 227 priv_getbynum(priv) != NULL); 228 229 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 230 priv = PRIV_ALL; 231 232 if (curthread->t_pre_sys) 233 ttolwp(curthread)->lwp_badpriv = (short)priv; 234 235 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 236 return; 237 238 (void) strcpy(fmt, FMTHDR); 239 240 if (me->p_user.u_comm[0]) 241 cmd = &me->p_user.u_comm[0]; 242 else 243 cmd = "priv_policy"; 244 245 if (msg != NULL && *msg != '\0') { 246 (void) strcat(fmt, FMTMSG); 247 } else { 248 (void) strcat(fmt, "%s"); 249 msg = ""; 250 } 251 252 sym = NULL; 253 254 depth = getpcstack(stack, MAXPRIVSTACK); 255 256 /* 257 * Try to find the first interesting function on the stack. 258 * priv_policy* that's us, so completely uninteresting. 259 * suser(), drv_priv(), secpolicy_* are also called from 260 * too many locations to convey useful information. 261 */ 262 for (i = 0; i < depth; i++) { 263 sym = kobj_getsymname((uintptr_t)stack[i], &off); 264 if (sym != NULL && 265 strstr(sym, "hasprocperm") == 0 && 266 strcmp("suser", sym) != 0 && 267 strcmp("ipcaccess", sym) != 0 && 268 strcmp("drv_priv", sym) != 0 && 269 strncmp("secpolicy_", sym, 10) != 0 && 270 strncmp("priv_policy", sym, 11) != 0) 271 break; 272 } 273 274 if (sym != NULL) 275 (void) strcat(fmt, FMTFUN); 276 277 (void) strcat(fmt, "\n"); 278 279 switch (priv) { 280 case PRIV_ALL: 281 pname = "ALL"; 282 break; 283 case PRIV_MULTIPLE: 284 pname = "MULTIPLE"; 285 break; 286 case PRIV_ALLZONE: 287 pname = "ZONE"; 288 break; 289 case PRIV_GLOBAL: 290 pname = "GLOBAL"; 291 break; 292 default: 293 pname = priv_getbynum(priv); 294 break; 295 } 296 297 if (CR_FLAGS(cr) & PRIV_DEBUG) { 298 /* Remember last message, just like lwp_badpriv. */ 299 if (curthread->t_pdmsg != NULL) { 300 kmem_free(curthread->t_pdmsg, 301 strlen(curthread->t_pdmsg) + 1); 302 } 303 304 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 305 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 306 307 curthread->t_post_sys = 1; 308 } 309 if (priv_debug) { 310 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 311 curthread->t_sysnum, msg, sym, off); 312 } 313 } 314 315 /* 316 * Override the policy, if appropriate. Return 0 if the external 317 * policy engine approves. 318 */ 319 static int 320 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 321 { 322 priv_set_t set; 323 int ret; 324 325 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 326 return (-1); 327 328 if (priv == PRIV_ALL) { 329 priv_fillset(&set); 330 } else if (allzone) { 331 set = *ZONEPRIVS(cr); 332 } else { 333 priv_emptyset(&set); 334 priv_addset(&set, priv); 335 } 336 ret = klpd_call(cr, &set, ap); 337 return (ret); 338 } 339 340 static int 341 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...) 342 { 343 va_list ap; 344 345 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 346 va_start(ap, req); 347 return (klpd_call(cr, req, ap)); 348 } 349 return (-1); 350 } 351 352 /* 353 * Audit failure, log error message. 354 */ 355 static void 356 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 357 { 358 359 if (audit_active) 360 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 361 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 362 363 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 364 curthread->t_pre_sys) { 365 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 366 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 367 } else { 368 ASSERT(!HAS_PRIVILEGE(cr, priv)); 369 priv_policy_errmsg(cr, priv, msg); 370 } 371 } 372 } 373 374 /* 375 * priv_policy_ap() 376 * return 0 or error. 377 * See block comment above for a description of "priv" and "allzone" usage. 378 */ 379 static int 380 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 381 const char *msg, va_list ap) 382 { 383 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 384 (!servicing_interrupt() && 385 priv_policy_override(cr, priv, allzone, ap) == 0)) { 386 if ((allzone || priv == PRIV_ALL || 387 !PRIV_ISASSERT(priv_basic, priv)) && 388 !servicing_interrupt()) { 389 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 390 if (audit_active) 391 audit_priv(priv, 392 allzone ? ZONEPRIVS(cr) : NULL, 1); 393 } 394 err = 0; 395 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 396 } else if (!servicing_interrupt()) { 397 /* Failure audited in this procedure */ 398 priv_policy_err(cr, priv, allzone, msg); 399 } 400 return (err); 401 } 402 403 int 404 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 405 const char *msg, ...) 406 { 407 int ret; 408 va_list ap; 409 410 va_start(ap, msg); 411 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 412 va_end(ap); 413 414 return (ret); 415 } 416 417 int 418 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 419 const char *msg) 420 { 421 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE)); 422 } 423 424 /* 425 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 426 */ 427 boolean_t 428 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 429 { 430 boolean_t res = HAS_PRIVILEGE(cr, priv) && 431 (!allzone || HAS_ALLZONEPRIVS(cr)); 432 433 /* Audit success only */ 434 if (res && audit_active && 435 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 436 !servicing_interrupt()) { 437 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 438 } 439 if (res) { 440 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 441 } else { 442 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 443 } 444 return (res); 445 } 446 447 /* 448 * Non-auditing variant of priv_policy_choice(). 449 */ 450 boolean_t 451 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 452 { 453 boolean_t res = HAS_PRIVILEGE(cr, priv) && 454 (!allzone || HAS_ALLZONEPRIVS(cr)); 455 456 if (res) { 457 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 458 } else { 459 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 460 } 461 return (res); 462 } 463 464 /* 465 * Check whether all privileges in the required set are present. 466 */ 467 static int 468 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 469 { 470 int priv; 471 int pfound = -1; 472 priv_set_t pset; 473 474 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 475 &CR_OEPRIV(cr))) { 476 return (0); 477 } 478 479 if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0) 480 return (0); 481 482 if (req == PRIV_FULLSET || priv_isfullset(req)) { 483 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 484 return (EACCES); 485 } 486 487 pset = CR_OEPRIV(cr); /* present privileges */ 488 priv_inverse(&pset); /* all non present privileges */ 489 priv_intersect(req, &pset); /* the actual missing privs */ 490 491 if (audit_active) 492 audit_priv(PRIV_NONE, &pset, 0); 493 /* 494 * Privilege debugging; special case "one privilege in set". 495 */ 496 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 497 for (priv = 0; priv < nprivs; priv++) { 498 if (priv_ismember(&pset, priv)) { 499 if (pfound != -1) { 500 /* Multiple missing privs */ 501 priv_policy_errmsg(cr, PRIV_MULTIPLE, 502 msg); 503 return (EACCES); 504 } 505 pfound = priv; 506 } 507 } 508 ASSERT(pfound != -1); 509 /* Just the one missing privilege */ 510 priv_policy_errmsg(cr, pfound, msg); 511 } 512 513 return (EACCES); 514 } 515 516 /* 517 * Called when an operation requires that the caller be in the 518 * global zone, regardless of privilege. 519 */ 520 static int 521 priv_policy_global(const cred_t *cr) 522 { 523 if (crgetzoneid(cr) == GLOBAL_ZONEID) 524 return (0); /* success */ 525 526 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 527 curthread->t_pre_sys) { 528 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 529 } 530 return (EPERM); 531 } 532 533 /* 534 * Changing process priority 535 */ 536 int 537 secpolicy_setpriority(const cred_t *cr) 538 { 539 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 540 } 541 542 /* 543 * Binding to a privileged port, port must be specified in host byte 544 * order. 545 */ 546 int 547 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 548 { 549 char *reason; 550 int priv; 551 552 switch (port) { 553 case 137: 554 case 138: 555 case 139: 556 case 445: 557 /* 558 * NBT and SMB ports, these are extra privileged ports, 559 * allow bind only if the SYS_SMB privilege is present. 560 */ 561 priv = PRIV_SYS_SMB; 562 reason = "NBT or SMB port"; 563 break; 564 565 case 2049: 566 case 4045: 567 /* 568 * NFS ports, these are extra privileged ports, allow bind 569 * only if the SYS_NFS privilege is present. 570 */ 571 priv = PRIV_SYS_NFS; 572 reason = "NFS port"; 573 break; 574 575 default: 576 priv = PRIV_NET_PRIVADDR; 577 reason = NULL; 578 break; 579 580 } 581 582 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 583 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 584 } 585 586 /* 587 * Binding to a multilevel port on a trusted (labeled) system. 588 */ 589 int 590 secpolicy_net_bindmlp(const cred_t *cr) 591 { 592 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 593 } 594 595 /* 596 * Allow a communication between a zone and an unlabeled host when their 597 * labels don't match. 598 */ 599 int 600 secpolicy_net_mac_aware(const cred_t *cr) 601 { 602 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 603 } 604 605 /* 606 * Allow a privileged process to transmit traffic without explicit labels 607 */ 608 int 609 secpolicy_net_mac_implicit(const cred_t *cr) 610 { 611 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 612 } 613 614 /* 615 * Common routine which determines whether a given credential can 616 * act on a given mount. 617 * When called through mount, the parameter needoptcheck is a pointer 618 * to a boolean variable which will be set to either true or false, 619 * depending on whether the mount policy should change the mount options. 620 * In all other cases, needoptcheck should be a NULL pointer. 621 */ 622 static int 623 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 624 boolean_t *needoptcheck) 625 { 626 boolean_t allzone = B_FALSE; 627 boolean_t mounting = needoptcheck != NULL; 628 629 /* 630 * Short circuit the following cases: 631 * vfsp == NULL or mvp == NULL (pure privilege check) 632 * have all privileges - no further checks required 633 * and no mount options need to be set. 634 */ 635 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 636 if (mounting) 637 *needoptcheck = B_FALSE; 638 639 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 640 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 641 } 642 643 /* 644 * When operating on an existing mount (either we're not mounting 645 * or we're doing a remount and VFS_REMOUNT will be set), zones 646 * can operate only on mounts established by the zone itself. 647 */ 648 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 649 zoneid_t zoneid = crgetzoneid(cr); 650 651 if (zoneid != GLOBAL_ZONEID && 652 vfsp->vfs_zone->zone_id != zoneid) { 653 return (EPERM); 654 } 655 } 656 657 if (mounting) 658 *needoptcheck = B_TRUE; 659 660 /* 661 * Overlay mounts may hide important stuff; if you can't write to a 662 * mount point but would be able to mount on top of it, you can 663 * escalate your privileges. 664 * So we go about asking the same questions namefs does when it 665 * decides whether you can mount over a file or not but with the 666 * added restriction that you can only mount on top of a regular 667 * file or directory. 668 * If we have all the zone's privileges, we skip all other checks, 669 * or else we may actually get in trouble inside the automounter. 670 */ 671 if ((mvp->v_flag & VROOT) != 0 || 672 (mvp->v_type != VDIR && mvp->v_type != VREG) || 673 HAS_ALLZONEPRIVS(cr)) { 674 allzone = B_TRUE; 675 } else { 676 vattr_t va; 677 int err; 678 679 va.va_mask = AT_UID|AT_MODE; 680 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 681 if (err != 0) 682 return (err); 683 684 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 685 return (err); 686 687 if ((va.va_mode & VWRITE) == 0 && 688 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 689 return (EACCES); 690 } 691 } 692 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 693 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 694 } 695 696 void 697 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 698 { 699 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 700 701 /* 702 * check; if we don't have either "nosuid" or 703 * both "nosetuid" and "nodevices", then we add 704 * "nosuid"; this depends on how the current 705 * implementation works (it first checks nosuid). In a 706 * zone, a user with all zone privileges can mount with 707 * "setuid" but never with "devices". 708 */ 709 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 710 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 711 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 712 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 713 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 714 else 715 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 716 } 717 /* 718 * If we're not the local super user, we set the "restrict" 719 * option to indicate to automountd that this mount should 720 * be handled with care. 721 */ 722 if (!amsuper) 723 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 724 725 } 726 727 extern vnode_t *rootvp; 728 extern vfs_t *rootvfs; 729 730 int 731 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 732 { 733 boolean_t needoptchk; 734 int error; 735 736 /* 737 * If it's a remount, get the underlying mount point, 738 * except for the root where we use the rootvp. 739 */ 740 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 741 if (vfsp == rootvfs) 742 mvp = rootvp; 743 else 744 mvp = vfsp->vfs_vnodecovered; 745 } 746 747 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 748 749 if (error == 0 && needoptchk) { 750 secpolicy_fs_mount_clearopts(cr, vfsp); 751 } 752 753 return (error); 754 } 755 756 /* 757 * Does the policy computations for "ownership" of a mount; 758 * here ownership is defined as the ability to "mount" 759 * the filesystem originally. The rootvfs doesn't cover any 760 * vnodes; we attribute its ownership to the rootvp. 761 */ 762 static int 763 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 764 { 765 vnode_t *mvp; 766 767 if (vfsp == NULL) 768 mvp = NULL; 769 else if (vfsp == rootvfs) 770 mvp = rootvp; 771 else 772 mvp = vfsp->vfs_vnodecovered; 773 774 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 775 } 776 777 int 778 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 779 { 780 return (secpolicy_fs_owner(cr, vfsp)); 781 } 782 783 /* 784 * Quotas are a resource, but if one has the ability to mount a filesystem, he 785 * should be able to modify quotas on it. 786 */ 787 int 788 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 789 { 790 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 791 } 792 793 /* 794 * Exceeding minfree: also a per-mount resource constraint. 795 */ 796 int 797 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 798 { 799 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 800 } 801 802 int 803 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 804 { 805 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 806 } 807 808 /* ARGSUSED */ 809 int 810 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 811 { 812 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 813 } 814 815 /* 816 * Name: secpolicy_vnode_access() 817 * 818 * Parameters: Process credential 819 * vnode 820 * uid of owner of vnode 821 * permission bits not granted to the caller when examining 822 * file mode bits (i.e., when a process wants to open a 823 * mode 444 file for VREAD|VWRITE, this function should be 824 * called only with a VWRITE argument). 825 * 826 * Normal: Verifies that cred has the appropriate privileges to 827 * override the mode bits that were denied. 828 * 829 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 830 * not a directory. 831 * file_dac_read - if VREAD bit was denied. 832 * file_dac_search - if VEXEC bit was denied and vnode is 833 * a directory. 834 * file_dac_write - if VWRITE bit was denied. 835 * 836 * Root owned files are special cased to protect system 837 * configuration files and such. 838 * 839 * Output: EACCES - if privilege check fails. 840 */ 841 842 /* ARGSUSED */ 843 int 844 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 845 { 846 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 847 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 848 KLPDARG_NOMORE) != 0) { 849 return (EACCES); 850 } 851 852 if (mode & VWRITE) { 853 boolean_t allzone; 854 855 if (owner == 0 && cr->cr_uid != 0) 856 allzone = B_TRUE; 857 else 858 allzone = B_FALSE; 859 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 860 NULL, KLPDARG_VNODE, vp, (char *)NULL, 861 KLPDARG_NOMORE) != 0) { 862 return (EACCES); 863 } 864 } 865 866 if (mode & VEXEC) { 867 /* 868 * Directories use file_dac_search to override the execute bit. 869 */ 870 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 871 PRIV_FILE_DAC_EXECUTE; 872 873 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 874 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 875 } 876 return (0); 877 } 878 879 /* 880 * Name: secpolicy_vnode_setid_modify() 881 * 882 * Normal: verify that subject can set the file setid flags. 883 * 884 * Output: EPERM - if not privileged. 885 */ 886 887 static int 888 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 889 { 890 /* If changing to suid root, must have all zone privs */ 891 boolean_t allzone = B_TRUE; 892 893 if (owner != 0) { 894 if (owner == cr->cr_uid) 895 return (0); 896 allzone = B_FALSE; 897 } 898 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 899 } 900 901 /* 902 * Are we allowed to retain the set-uid/set-gid bits when 903 * changing ownership or when writing to a file? 904 * "issuid" should be true when set-uid; only in that case 905 * root ownership is checked (setgid is assumed). 906 */ 907 int 908 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 909 { 910 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 911 return (EPERM); 912 913 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 914 } 915 916 /* 917 * Name: secpolicy_vnode_setids_setgids() 918 * 919 * Normal: verify that subject can set the file setgid flag. 920 * 921 * Output: EPERM - if not privileged 922 */ 923 924 int 925 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 926 { 927 if (!groupmember(gid, cred)) 928 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 929 NULL)); 930 return (0); 931 } 932 933 /* 934 * Name: secpolicy_vnode_chown 935 * 936 * Normal: Determine if subject can chown owner of a file. 937 * 938 * Output: EPERM - if access denied 939 */ 940 941 int 942 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 943 { 944 boolean_t is_owner = (owner == crgetuid(cred)); 945 boolean_t allzone = B_FALSE; 946 int priv; 947 948 if (!is_owner) { 949 allzone = (owner == 0); 950 priv = PRIV_FILE_CHOWN; 951 } else { 952 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 953 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 954 } 955 956 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 957 } 958 959 /* 960 * Name: secpolicy_vnode_create_gid 961 * 962 * Normal: Determine if subject can change group ownership of a file. 963 * 964 * Output: EPERM - if access denied 965 */ 966 int 967 secpolicy_vnode_create_gid(const cred_t *cred) 968 { 969 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 970 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 971 NULL)); 972 else 973 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 974 NULL)); 975 } 976 977 /* 978 * Name: secpolicy_vnode_utime_modify() 979 * 980 * Normal: verify that subject can modify the utime on a file. 981 * 982 * Output: EPERM - if access denied. 983 */ 984 985 static int 986 secpolicy_vnode_utime_modify(const cred_t *cred) 987 { 988 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 989 "modify file times")); 990 } 991 992 993 /* 994 * Name: secpolicy_vnode_setdac() 995 * 996 * Normal: verify that subject can modify the mode of a file. 997 * allzone privilege needed when modifying root owned object. 998 * 999 * Output: EPERM - if access denied. 1000 */ 1001 1002 int 1003 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1004 { 1005 if (owner == cred->cr_uid) 1006 return (0); 1007 1008 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1009 } 1010 /* 1011 * Name: secpolicy_vnode_stky_modify() 1012 * 1013 * Normal: verify that subject can make a file a "sticky". 1014 * 1015 * Output: EPERM - if access denied. 1016 */ 1017 1018 int 1019 secpolicy_vnode_stky_modify(const cred_t *cred) 1020 { 1021 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1022 "set file sticky")); 1023 } 1024 1025 /* 1026 * Policy determines whether we can remove an entry from a directory, 1027 * regardless of permission bits. 1028 */ 1029 int 1030 secpolicy_vnode_remove(const cred_t *cr) 1031 { 1032 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1033 "sticky directory")); 1034 } 1035 1036 int 1037 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1038 { 1039 boolean_t allzone = (owner == 0); 1040 1041 if (owner == cr->cr_uid) 1042 return (0); 1043 1044 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1045 } 1046 1047 void 1048 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1049 { 1050 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1051 secpolicy_vnode_setid_retain(cr, 1052 (vap->va_mode & S_ISUID) != 0 && 1053 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1054 vap->va_mask |= AT_MODE; 1055 vap->va_mode &= ~(S_ISUID|S_ISGID); 1056 } 1057 } 1058 1059 int 1060 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1061 cred_t *cr) 1062 { 1063 int error; 1064 1065 if ((vap->va_mode & S_ISUID) != 0 && 1066 (error = secpolicy_vnode_setid_modify(cr, 1067 ovap->va_uid)) != 0) { 1068 return (error); 1069 } 1070 1071 /* 1072 * Check privilege if attempting to set the 1073 * sticky bit on a non-directory. 1074 */ 1075 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1076 secpolicy_vnode_stky_modify(cr) != 0) { 1077 vap->va_mode &= ~S_ISVTX; 1078 } 1079 1080 /* 1081 * Check for privilege if attempting to set the 1082 * group-id bit. 1083 */ 1084 if ((vap->va_mode & S_ISGID) != 0 && 1085 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1086 vap->va_mode &= ~S_ISGID; 1087 } 1088 1089 return (0); 1090 } 1091 1092 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1093 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1094 B_FALSE, EPERM, NULL) 1095 1096 /* 1097 * Check privileges for setting xvattr attributes 1098 */ 1099 int 1100 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1101 { 1102 xoptattr_t *xoap; 1103 int error = 0; 1104 1105 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1106 return (EINVAL); 1107 1108 /* 1109 * First process the DOS bits 1110 */ 1111 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1112 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1113 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1114 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1115 XVA_ISSET_REQ(xvap, XAT_CREATETIME)) { 1116 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1117 return (error); 1118 } 1119 1120 /* 1121 * Now handle special attributes 1122 */ 1123 1124 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1125 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1126 xoap->xoa_immutable, cr); 1127 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1128 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1129 xoap->xoa_nounlink, cr); 1130 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1131 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1132 xoap->xoa_appendonly, cr); 1133 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1134 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1135 xoap->xoa_nodump, cr); 1136 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1137 error = EPERM; 1138 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1139 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1140 xoap->xoa_av_quarantined, cr); 1141 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1142 error = EINVAL; 1143 } 1144 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1145 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1146 xoap->xoa_av_modified, cr); 1147 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1148 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1149 xoap->xoa_av_scanstamp, cr); 1150 if (error == 0 && vtype != VREG) 1151 error = EINVAL; 1152 } 1153 return (error); 1154 } 1155 1156 /* 1157 * This function checks the policy decisions surrounding the 1158 * vop setattr call. 1159 * 1160 * It should be called after sufficient locks have been established 1161 * on the underlying data structures. No concurrent modifications 1162 * should be allowed. 1163 * 1164 * The caller must pass in unlocked version of its vaccess function 1165 * this is required because vop_access function should lock the 1166 * node for reading. A three argument function should be defined 1167 * which accepts the following argument: 1168 * A pointer to the internal "node" type (inode *) 1169 * vnode access bits (VREAD|VWRITE|VEXEC) 1170 * a pointer to the credential 1171 * 1172 * This function makes the following policy decisions: 1173 * 1174 * - change permissions 1175 * - permission to change file mode if not owner 1176 * - permission to add sticky bit to non-directory 1177 * - permission to add set-gid bit 1178 * 1179 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1180 * 1181 * If the vap argument does not include AT_MODE, the mode will be copied from 1182 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1183 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1184 * is updated to the newly computed mode. 1185 */ 1186 1187 int 1188 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1189 const struct vattr *ovap, int flags, 1190 int unlocked_access(void *, int, cred_t *), 1191 void *node) 1192 { 1193 int mask = vap->va_mask; 1194 int error = 0; 1195 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1196 1197 if (mask & AT_SIZE) { 1198 if (vp->v_type == VDIR) { 1199 error = EISDIR; 1200 goto out; 1201 } 1202 1203 /* 1204 * If ATTR_NOACLCHECK is set in the flags, then we don't 1205 * perform the secondary unlocked_access() call since the 1206 * ACL (if any) is being checked there. 1207 */ 1208 if (skipaclchk == B_FALSE) { 1209 error = unlocked_access(node, VWRITE, cr); 1210 if (error) 1211 goto out; 1212 } 1213 } 1214 if (mask & AT_MODE) { 1215 /* 1216 * If not the owner of the file then check privilege 1217 * for two things: the privilege to set the mode at all 1218 * and, if we're setting setuid, we also need permissions 1219 * to add the set-uid bit, if we're not the owner. 1220 * In the specific case of creating a set-uid root 1221 * file, we need even more permissions. 1222 */ 1223 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1224 goto out; 1225 1226 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1227 ovap, cr)) != 0) 1228 goto out; 1229 } else 1230 vap->va_mode = ovap->va_mode; 1231 1232 if (mask & (AT_UID|AT_GID)) { 1233 boolean_t checkpriv = B_FALSE; 1234 1235 /* 1236 * Chowning files. 1237 * 1238 * If you are the file owner: 1239 * chown to other uid FILE_CHOWN_SELF 1240 * chown to gid (non-member) FILE_CHOWN_SELF 1241 * chown to gid (member) <none> 1242 * 1243 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1244 * acceptable but the first one is reported when debugging. 1245 * 1246 * If you are not the file owner: 1247 * chown from root PRIV_FILE_CHOWN + zone 1248 * chown from other to any PRIV_FILE_CHOWN 1249 * 1250 */ 1251 if (cr->cr_uid != ovap->va_uid) { 1252 checkpriv = B_TRUE; 1253 } else { 1254 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1255 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1256 !groupmember(vap->va_gid, cr))) { 1257 checkpriv = B_TRUE; 1258 } 1259 } 1260 /* 1261 * If necessary, check privilege to see if update can be done. 1262 */ 1263 if (checkpriv && 1264 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1265 goto out; 1266 } 1267 1268 /* 1269 * If the file has either the set UID or set GID bits 1270 * set and the caller can set the bits, then leave them. 1271 */ 1272 secpolicy_setid_clear(vap, cr); 1273 } 1274 if (mask & (AT_ATIME|AT_MTIME)) { 1275 /* 1276 * If not the file owner and not otherwise privileged, 1277 * always return an error when setting the 1278 * time other than the current (ATTR_UTIME flag set). 1279 * If setting the current time (ATTR_UTIME not set) then 1280 * unlocked_access will check permissions according to policy. 1281 */ 1282 if (cr->cr_uid != ovap->va_uid) { 1283 if (flags & ATTR_UTIME) 1284 error = secpolicy_vnode_utime_modify(cr); 1285 else if (skipaclchk == B_FALSE) { 1286 error = unlocked_access(node, VWRITE, cr); 1287 if (error == EACCES && 1288 secpolicy_vnode_utime_modify(cr) == 0) 1289 error = 0; 1290 } 1291 if (error) 1292 goto out; 1293 } 1294 } 1295 1296 /* 1297 * Check for optional attributes here by checking the following: 1298 */ 1299 if (mask & AT_XVATTR) 1300 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1301 vp->v_type); 1302 out: 1303 return (error); 1304 } 1305 1306 /* 1307 * Name: secpolicy_pcfs_modify_bootpartition() 1308 * 1309 * Normal: verify that subject can modify a pcfs boot partition. 1310 * 1311 * Output: EACCES - if privilege check failed. 1312 */ 1313 /*ARGSUSED*/ 1314 int 1315 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1316 { 1317 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1318 "modify pcfs boot partition")); 1319 } 1320 1321 /* 1322 * System V IPC routines 1323 */ 1324 int 1325 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1326 { 1327 if (crgetzoneid(cr) != ip->ipc_zoneid || 1328 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1329 boolean_t allzone = B_FALSE; 1330 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1331 allzone = B_TRUE; 1332 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1333 } 1334 return (0); 1335 } 1336 1337 int 1338 secpolicy_ipc_config(const cred_t *cr) 1339 { 1340 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1341 } 1342 1343 int 1344 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1345 { 1346 1347 boolean_t allzone = B_FALSE; 1348 1349 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1350 1351 if ((mode & MSG_R) && 1352 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1353 return (EACCES); 1354 1355 if (mode & MSG_W) { 1356 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1357 allzone = B_TRUE; 1358 1359 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1360 NULL)); 1361 } 1362 return (0); 1363 } 1364 1365 int 1366 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1367 { 1368 boolean_t allzone = B_FALSE; 1369 1370 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1371 1372 if ((mode & MSG_R) && 1373 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1374 return (EACCES); 1375 1376 if (mode & MSG_W) { 1377 if (cr->cr_uid != 0 && owner == 0) 1378 allzone = B_TRUE; 1379 1380 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1381 NULL)); 1382 } 1383 return (0); 1384 } 1385 1386 /* 1387 * Audit configuration. 1388 */ 1389 int 1390 secpolicy_audit_config(const cred_t *cr) 1391 { 1392 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1393 } 1394 1395 /* 1396 * Audit record generation. 1397 */ 1398 int 1399 secpolicy_audit_modify(const cred_t *cr) 1400 { 1401 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1402 } 1403 1404 /* 1405 * Get audit attributes. 1406 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1407 * "Least" of the two privileges on error. 1408 */ 1409 int 1410 secpolicy_audit_getattr(const cred_t *cr) 1411 { 1412 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1413 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1414 NULL)); 1415 } else { 1416 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1417 } 1418 } 1419 1420 1421 /* 1422 * Locking physical memory 1423 */ 1424 int 1425 secpolicy_lock_memory(const cred_t *cr) 1426 { 1427 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1428 } 1429 1430 /* 1431 * Accounting (both acct(2) and exacct). 1432 */ 1433 int 1434 secpolicy_acct(const cred_t *cr) 1435 { 1436 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1437 } 1438 1439 /* 1440 * Is this process privileged to change its uids at will? 1441 * Uid 0 is still considered "special" and having the SETID 1442 * privilege is not sufficient to get uid 0. 1443 * Files are owned by root, so the privilege would give 1444 * full access and euid 0 is still effective. 1445 * 1446 * If you have the privilege and euid 0 only then do you 1447 * get the powers of root wrt uid 0. 1448 * 1449 * For gid manipulations, this is should be called with an 1450 * uid of -1. 1451 * 1452 */ 1453 int 1454 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1455 { 1456 boolean_t allzone = B_FALSE; 1457 1458 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1459 cr->cr_ruid != 0) { 1460 allzone = B_TRUE; 1461 } 1462 1463 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1464 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1465 } 1466 1467 1468 /* 1469 * Acting on a different process: if the mode is for writing, 1470 * the restrictions are more severe. This is called after 1471 * we've verified that the uids do not match. 1472 */ 1473 int 1474 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1475 { 1476 boolean_t allzone = B_FALSE; 1477 1478 if ((mode & VWRITE) && scr->cr_uid != 0 && 1479 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1480 allzone = B_TRUE; 1481 1482 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1483 } 1484 1485 int 1486 secpolicy_proc_access(const cred_t *scr) 1487 { 1488 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1489 } 1490 1491 int 1492 secpolicy_proc_excl_open(const cred_t *scr) 1493 { 1494 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1495 } 1496 1497 int 1498 secpolicy_proc_zone(const cred_t *scr) 1499 { 1500 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1501 } 1502 1503 /* 1504 * Destroying the system 1505 */ 1506 1507 int 1508 secpolicy_kmdb(const cred_t *scr) 1509 { 1510 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1511 } 1512 1513 int 1514 secpolicy_error_inject(const cred_t *scr) 1515 { 1516 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1517 } 1518 1519 /* 1520 * Processor sets, cpu configuration, resource pools. 1521 */ 1522 int 1523 secpolicy_pset(const cred_t *cr) 1524 { 1525 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1526 } 1527 1528 int 1529 secpolicy_ponline(const cred_t *cr) 1530 { 1531 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1532 } 1533 1534 int 1535 secpolicy_pool(const cred_t *cr) 1536 { 1537 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1538 } 1539 1540 int 1541 secpolicy_blacklist(const cred_t *cr) 1542 { 1543 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1544 } 1545 1546 /* 1547 * Catch all system configuration. 1548 */ 1549 int 1550 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1551 { 1552 if (checkonly) { 1553 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1554 EPERM); 1555 } else { 1556 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1557 } 1558 } 1559 1560 /* 1561 * Zone administration (halt, reboot, etc.) from within zone. 1562 */ 1563 int 1564 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1565 { 1566 if (checkonly) { 1567 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1568 EPERM); 1569 } else { 1570 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1571 NULL)); 1572 } 1573 } 1574 1575 /* 1576 * Zone configuration (create, halt, enter). 1577 */ 1578 int 1579 secpolicy_zone_config(const cred_t *cr) 1580 { 1581 /* 1582 * Require all privileges to avoid possibility of privilege 1583 * escalation. 1584 */ 1585 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1586 } 1587 1588 /* 1589 * Various other system configuration calls 1590 */ 1591 int 1592 secpolicy_coreadm(const cred_t *cr) 1593 { 1594 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1595 } 1596 1597 int 1598 secpolicy_systeminfo(const cred_t *cr) 1599 { 1600 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1601 } 1602 1603 int 1604 secpolicy_dispadm(const cred_t *cr) 1605 { 1606 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1607 } 1608 1609 int 1610 secpolicy_settime(const cred_t *cr) 1611 { 1612 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1613 } 1614 1615 /* 1616 * For realtime users: high resolution clock. 1617 */ 1618 int 1619 secpolicy_clock_highres(const cred_t *cr) 1620 { 1621 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1622 NULL)); 1623 } 1624 1625 /* 1626 * drv_priv() is documented as callable from interrupt context, not that 1627 * anyone ever does, but still. No debugging or auditing can be done when 1628 * it is called from interrupt context. 1629 * returns 0 on succes, EPERM on failure. 1630 */ 1631 int 1632 drv_priv(cred_t *cr) 1633 { 1634 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1635 } 1636 1637 int 1638 secpolicy_sys_devices(const cred_t *cr) 1639 { 1640 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1641 } 1642 1643 int 1644 secpolicy_excl_open(const cred_t *cr) 1645 { 1646 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1647 } 1648 1649 int 1650 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1651 { 1652 /* zone.* rctls can only be set from the global zone */ 1653 if (is_zone_rctl && priv_policy_global(cr) != 0) 1654 return (EPERM); 1655 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1656 } 1657 1658 int 1659 secpolicy_resource(const cred_t *cr) 1660 { 1661 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1662 } 1663 1664 int 1665 secpolicy_resource_anon_mem(const cred_t *cr) 1666 { 1667 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1668 } 1669 1670 /* 1671 * Processes with a real uid of 0 escape any form of accounting, much 1672 * like before. 1673 */ 1674 int 1675 secpolicy_newproc(const cred_t *cr) 1676 { 1677 if (cr->cr_ruid == 0) 1678 return (0); 1679 1680 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1681 } 1682 1683 /* 1684 * Networking 1685 */ 1686 int 1687 secpolicy_net_rawaccess(const cred_t *cr) 1688 { 1689 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1690 } 1691 1692 int 1693 secpolicy_net_observability(const cred_t *cr) 1694 { 1695 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1696 } 1697 1698 /* 1699 * Need this privilege for accessing the ICMP device 1700 */ 1701 int 1702 secpolicy_net_icmpaccess(const cred_t *cr) 1703 { 1704 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1705 } 1706 1707 /* 1708 * There are a few rare cases where the kernel generates ioctls() from 1709 * interrupt context with a credential of kcred rather than NULL. 1710 * In those cases, we take the safe and cheap test. 1711 */ 1712 int 1713 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1714 { 1715 if (checkonly) { 1716 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1717 0 : EPERM); 1718 } else { 1719 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1720 NULL)); 1721 } 1722 } 1723 1724 1725 /* 1726 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1727 * 1728 * There are a few rare cases where the kernel generates ioctls() from 1729 * interrupt context with a credential of kcred rather than NULL. 1730 * In those cases, we take the safe and cheap test. 1731 */ 1732 int 1733 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1734 { 1735 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1736 return (secpolicy_net_config(cr, checkonly)); 1737 1738 if (checkonly) { 1739 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1740 0 : EPERM); 1741 } else { 1742 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1743 NULL)); 1744 } 1745 } 1746 1747 /* 1748 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1749 */ 1750 int 1751 secpolicy_dl_config(const cred_t *cr) 1752 { 1753 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1754 return (secpolicy_net_config(cr, B_FALSE)); 1755 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 1756 } 1757 1758 /* 1759 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 1760 */ 1761 int 1762 secpolicy_iptun_config(const cred_t *cr) 1763 { 1764 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1765 return (secpolicy_net_config(cr, B_FALSE)); 1766 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 1767 return (secpolicy_dl_config(cr)); 1768 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 1769 } 1770 1771 /* 1772 * Map IP pseudo privileges to actual privileges. 1773 * So we don't need to recompile IP when we change the privileges. 1774 */ 1775 int 1776 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1777 { 1778 int priv = PRIV_ALL; 1779 1780 switch (netpriv) { 1781 case OP_CONFIG: 1782 priv = PRIV_SYS_IP_CONFIG; 1783 break; 1784 case OP_RAW: 1785 priv = PRIV_NET_RAWACCESS; 1786 break; 1787 case OP_PRIVPORT: 1788 priv = PRIV_NET_PRIVADDR; 1789 break; 1790 } 1791 ASSERT(priv != PRIV_ALL); 1792 if (checkonly) 1793 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1794 else 1795 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1796 } 1797 1798 /* 1799 * Map network pseudo privileges to actual privileges. 1800 * So we don't need to recompile IP when we change the privileges. 1801 */ 1802 int 1803 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1804 { 1805 int priv = PRIV_ALL; 1806 1807 switch (netpriv) { 1808 case OP_CONFIG: 1809 priv = PRIV_SYS_NET_CONFIG; 1810 break; 1811 case OP_RAW: 1812 priv = PRIV_NET_RAWACCESS; 1813 break; 1814 case OP_PRIVPORT: 1815 priv = PRIV_NET_PRIVADDR; 1816 break; 1817 } 1818 ASSERT(priv != PRIV_ALL); 1819 if (checkonly) 1820 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1821 else 1822 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1823 } 1824 1825 /* 1826 * Checks for operations that are either client-only or are used by 1827 * both clients and servers. 1828 */ 1829 int 1830 secpolicy_nfs(const cred_t *cr) 1831 { 1832 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1833 } 1834 1835 /* 1836 * Special case for opening rpcmod: have NFS privileges or network 1837 * config privileges. 1838 */ 1839 int 1840 secpolicy_rpcmod_open(const cred_t *cr) 1841 { 1842 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1843 return (secpolicy_nfs(cr)); 1844 else 1845 return (secpolicy_net_config(cr, NULL)); 1846 } 1847 1848 int 1849 secpolicy_chroot(const cred_t *cr) 1850 { 1851 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1852 } 1853 1854 int 1855 secpolicy_tasksys(const cred_t *cr) 1856 { 1857 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1858 } 1859 1860 /* 1861 * Basic privilege checks. 1862 */ 1863 int 1864 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 1865 { 1866 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 1867 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1868 } 1869 1870 int 1871 secpolicy_basic_fork(const cred_t *cr) 1872 { 1873 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1874 } 1875 1876 int 1877 secpolicy_basic_proc(const cred_t *cr) 1878 { 1879 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1880 } 1881 1882 /* 1883 * Slightly complicated because we don't want to trigger the policy too 1884 * often. First we shortcircuit access to "self" (tp == sp) or if 1885 * we don't have the privilege but if we have permission 1886 * just return (0) and we don't flag the privilege as needed. 1887 * Else, we test for the privilege because we either have it or need it. 1888 */ 1889 int 1890 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1891 { 1892 if (tp == sp || 1893 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1894 return (0); 1895 } else { 1896 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1897 } 1898 } 1899 1900 int 1901 secpolicy_basic_link(const cred_t *cr) 1902 { 1903 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1904 } 1905 1906 int 1907 secpolicy_basic_net_access(const cred_t *cr) 1908 { 1909 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 1910 } 1911 1912 /* 1913 * Additional device protection. 1914 * 1915 * Traditionally, a device has specific permissions on the node in 1916 * the filesystem which govern which devices can be opened by what 1917 * processes. In certain cases, it is desirable to add extra 1918 * restrictions, as writing to certain devices is identical to 1919 * having a complete run of the system. 1920 * 1921 * This mechanism is called the device policy. 1922 * 1923 * When a device is opened, its policy entry is looked up in the 1924 * policy cache and checked. 1925 */ 1926 int 1927 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1928 { 1929 devplcy_t *plcy; 1930 int err; 1931 struct snode *csp = VTOS(common_specvp(vp)); 1932 priv_set_t pset; 1933 1934 mutex_enter(&csp->s_lock); 1935 1936 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1937 plcy = devpolicy_find(vp); 1938 if (csp->s_plcy) 1939 dpfree(csp->s_plcy); 1940 csp->s_plcy = plcy; 1941 ASSERT(plcy != NULL); 1942 } else 1943 plcy = csp->s_plcy; 1944 1945 if (plcy == nullpolicy) { 1946 mutex_exit(&csp->s_lock); 1947 return (0); 1948 } 1949 1950 dphold(plcy); 1951 1952 mutex_exit(&csp->s_lock); 1953 1954 if (oflag & FWRITE) 1955 pset = plcy->dp_wrp; 1956 else 1957 pset = plcy->dp_rdp; 1958 /* 1959 * Special case: 1960 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1961 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 1962 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 1963 * in the required privilege set before doing the check. 1964 */ 1965 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 1966 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 1967 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 1968 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 1969 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 1970 } 1971 1972 err = secpolicy_require_set(cr, &pset, "devpolicy"); 1973 dpfree(plcy); 1974 1975 return (err); 1976 } 1977 1978 int 1979 secpolicy_modctl(const cred_t *cr, int cmd) 1980 { 1981 switch (cmd) { 1982 case MODINFO: 1983 case MODGETMAJBIND: 1984 case MODGETPATH: 1985 case MODGETPATHLEN: 1986 case MODGETNAME: 1987 case MODGETFBNAME: 1988 case MODGETDEVPOLICY: 1989 case MODGETDEVPOLICYBYNAME: 1990 case MODDEVT2INSTANCE: 1991 case MODSIZEOF_DEVID: 1992 case MODGETDEVID: 1993 case MODSIZEOF_MINORNAME: 1994 case MODGETMINORNAME: 1995 case MODGETDEVFSPATH_LEN: 1996 case MODGETDEVFSPATH: 1997 case MODGETDEVFSPATH_MI_LEN: 1998 case MODGETDEVFSPATH_MI: 1999 /* Unprivileged */ 2000 return (0); 2001 case MODLOAD: 2002 case MODSETDEVPOLICY: 2003 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2004 default: 2005 return (secpolicy_sys_config(cr, B_FALSE)); 2006 } 2007 } 2008 2009 int 2010 secpolicy_console(const cred_t *cr) 2011 { 2012 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2013 } 2014 2015 int 2016 secpolicy_power_mgmt(const cred_t *cr) 2017 { 2018 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2019 } 2020 2021 /* 2022 * Simulate terminal input; another escalation of privileges avenue. 2023 */ 2024 2025 int 2026 secpolicy_sti(const cred_t *cr) 2027 { 2028 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2029 } 2030 2031 boolean_t 2032 secpolicy_net_reply_equal(const cred_t *cr) 2033 { 2034 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2035 } 2036 2037 int 2038 secpolicy_swapctl(const cred_t *cr) 2039 { 2040 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2041 } 2042 2043 int 2044 secpolicy_cpc_cpu(const cred_t *cr) 2045 { 2046 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2047 } 2048 2049 /* 2050 * secpolicy_contract_identity 2051 * 2052 * Determine if the subject may set the process contract FMRI value 2053 */ 2054 int 2055 secpolicy_contract_identity(const cred_t *cr) 2056 { 2057 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2058 } 2059 2060 /* 2061 * secpolicy_contract_observer 2062 * 2063 * Determine if the subject may observe a specific contract's events. 2064 */ 2065 int 2066 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2067 { 2068 if (contract_owned(ct, cr, B_FALSE)) 2069 return (0); 2070 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2071 } 2072 2073 /* 2074 * secpolicy_contract_observer_choice 2075 * 2076 * Determine if the subject may observe any contract's events. Just 2077 * tests privilege and audits on success. 2078 */ 2079 boolean_t 2080 secpolicy_contract_observer_choice(const cred_t *cr) 2081 { 2082 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2083 } 2084 2085 /* 2086 * secpolicy_contract_event 2087 * 2088 * Determine if the subject may request critical contract events or 2089 * reliable contract event delivery. 2090 */ 2091 int 2092 secpolicy_contract_event(const cred_t *cr) 2093 { 2094 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2095 } 2096 2097 /* 2098 * secpolicy_contract_event_choice 2099 * 2100 * Determine if the subject may retain contract events in its critical 2101 * set when a change in other terms would normally require a change in 2102 * the critical set. Just tests privilege and audits on success. 2103 */ 2104 boolean_t 2105 secpolicy_contract_event_choice(const cred_t *cr) 2106 { 2107 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2108 } 2109 2110 /* 2111 * secpolicy_gart_access 2112 * 2113 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2114 * device. 2115 */ 2116 int 2117 secpolicy_gart_access(const cred_t *cr) 2118 { 2119 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2120 } 2121 2122 /* 2123 * secpolicy_gart_map 2124 * 2125 * Determine if the subject has sufficient priveleges to map aperture range 2126 * through agpgart driver. 2127 */ 2128 int 2129 secpolicy_gart_map(const cred_t *cr) 2130 { 2131 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2132 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2133 NULL)); 2134 } else { 2135 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2136 NULL)); 2137 } 2138 } 2139 2140 /* 2141 * secpolicy_zinject 2142 * 2143 * Determine if the subject can inject faults in the ZFS fault injection 2144 * framework. Requires all privileges. 2145 */ 2146 int 2147 secpolicy_zinject(const cred_t *cr) 2148 { 2149 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 2150 } 2151 2152 /* 2153 * secpolicy_zfs 2154 * 2155 * Determine if the subject has permission to manipulate ZFS datasets 2156 * (not pools). Equivalent to the SYS_MOUNT privilege. 2157 */ 2158 int 2159 secpolicy_zfs(const cred_t *cr) 2160 { 2161 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2162 } 2163 2164 /* 2165 * secpolicy_idmap 2166 * 2167 * Determine if the calling process has permissions to register an SID 2168 * mapping daemon and allocate ephemeral IDs. 2169 */ 2170 int 2171 secpolicy_idmap(const cred_t *cr) 2172 { 2173 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2174 } 2175 2176 /* 2177 * secpolicy_ucode_update 2178 * 2179 * Determine if the subject has sufficient privilege to update microcode. 2180 */ 2181 int 2182 secpolicy_ucode_update(const cred_t *scr) 2183 { 2184 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2185 } 2186 2187 /* 2188 * secpolicy_sadopen 2189 * 2190 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2191 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2192 * In global zone, sys_config is required. 2193 * In exclusive-IP zones, sys_ip_config is required. 2194 * Note that sys_config is prohibited in non-global zones. 2195 */ 2196 int 2197 secpolicy_sadopen(const cred_t *credp) 2198 { 2199 priv_set_t pset; 2200 2201 priv_emptyset(&pset); 2202 2203 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2204 priv_addset(&pset, PRIV_SYS_CONFIG); 2205 else 2206 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2207 2208 return (secpolicy_require_set(credp, &pset, "devpolicy")); 2209 } 2210 2211 2212 /* 2213 * Add privileges to a particular privilege set; this is called when the 2214 * current sets of privileges are not sufficient. I.e., we should always 2215 * call the policy override functions from here. 2216 * What we are allowed to have is in the Observed Permitted set; so 2217 * we compute the difference between that and the newset. 2218 */ 2219 int 2220 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2221 { 2222 priv_set_t rqd; 2223 2224 rqd = CR_OPPRIV(cr); 2225 2226 priv_inverse(&rqd); 2227 priv_intersect(nset, &rqd); 2228 2229 return (secpolicy_require_set(cr, &rqd, NULL)); 2230 } 2231 2232 /* 2233 * secpolicy_smb 2234 * 2235 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2236 * that it has permission to access the smbsrv kernel driver. 2237 * PRIV_POLICY checks the privilege and audits the check. 2238 * 2239 * Returns: 2240 * 0 Driver access is allowed. 2241 * EPERM Driver access is NOT permitted. 2242 */ 2243 int 2244 secpolicy_smb(const cred_t *cr) 2245 { 2246 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2247 } 2248 2249 /* 2250 * secpolicy_vscan 2251 * 2252 * Determine if cred_t has the necessary privileges to access a file 2253 * for virus scanning and update its extended system attributes. 2254 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2255 * PRIV_FILE_FLAG_SET - set extended system attributes 2256 * 2257 * PRIV_POLICY checks the privilege and audits the check. 2258 * 2259 * Returns: 2260 * 0 file access for virus scanning allowed. 2261 * EPERM file access for virus scanning is NOT permitted. 2262 */ 2263 int 2264 secpolicy_vscan(const cred_t *cr) 2265 { 2266 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2267 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2268 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2269 return (EPERM); 2270 } 2271 2272 return (0); 2273 } 2274 2275 /* 2276 * secpolicy_smbfs_login 2277 * 2278 * Determines if the caller can add and delete the smbfs login 2279 * password in the the nsmb kernel module for the CIFS client. 2280 * 2281 * Returns: 2282 * 0 access is allowed. 2283 * EPERM access is NOT allowed. 2284 */ 2285 int 2286 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2287 { 2288 uid_t cruid = crgetruid(cr); 2289 2290 if (cruid == uid) 2291 return (0); 2292 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2293 EPERM, NULL)); 2294 } 2295 2296 /* 2297 * secpolicy_xvm_control 2298 * 2299 * Determines if a caller can control the xVM hypervisor and/or running 2300 * domains (x86 specific). 2301 * 2302 * Returns: 2303 * 0 access is allowed. 2304 * EPERM access is NOT allowed. 2305 */ 2306 int 2307 secpolicy_xvm_control(const cred_t *cr) 2308 { 2309 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2310 return (EPERM); 2311 return (0); 2312 } 2313 2314 /* 2315 * secpolicy_ppp_config 2316 * 2317 * Determine if the subject has sufficient privileges to configure PPP and 2318 * PPP-related devices. 2319 */ 2320 int 2321 secpolicy_ppp_config(const cred_t *cr) 2322 { 2323 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2324 return (secpolicy_net_config(cr, B_FALSE)); 2325 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2326 } 2327