1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2015, Joyent, Inc. All rights reserved.
  24  *
  25 INSERT COMMENT
  26  */
  27 
  28 #
  29 # Privileges can be added to this file at any location, not
  30 # necessarily at the end.  For patches, it is probably best to
  31 # add the new privilege at the end; for ordinary releases privileges
  32 # should be ordered alphabetically.
  33 #
  34 
  35 privilege PRIV_CONTRACT_EVENT
  36 
  37         Allows a process to request critical events without limitation.
  38         Allows a process to request reliable delivery of all events on
  39         any event queue.
  40 
  41 privilege PRIV_CONTRACT_IDENTITY
  42 
  43         Allows a process to set the service FMRI value of a process
  44         contract template.
  45 
  46 privilege PRIV_CONTRACT_OBSERVER
  47 
  48         Allows a process to observe contract events generated by
  49         contracts created and owned by users other than the process's
  50         effective user ID.
  51         Allows a process to open contract event endpoints belonging to
  52         contracts created and owned by users other than the process's
  53         effective user ID.
  54 
  55 privilege PRIV_CPC_CPU
  56 
  57         Allow a process to access per-CPU hardware performance counters.
  58 
  59 privilege PRIV_DTRACE_KERNEL
  60 
  61         Allows DTrace kernel-level tracing.
  62 
  63 privilege PRIV_DTRACE_PROC
  64 
  65         Allows DTrace process-level tracing.
  66         Allows process-level tracing probes to be placed and enabled in
  67         processes to which the user has permissions.
  68 
  69 privilege PRIV_DTRACE_USER
  70 
  71         Allows DTrace user-level tracing.
  72         Allows use of the syscall and profile DTrace providers to
  73         examine processes to which the user has permissions.
  74 
  75 privilege PRIV_FILE_CHOWN
  76 
  77         Allows a process to change a file's owner user ID.
  78         Allows a process to change a file's group ID to one other than
  79         the process' effective group ID or one of the process'
  80         supplemental group IDs.
  81 
  82 privilege PRIV_FILE_CHOWN_SELF
  83 
  84         Allows a process to give away its files; a process with this
  85         privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
  86         in effect.
  87 
  88 privilege PRIV_FILE_DAC_EXECUTE
  89 
  90         Allows a process to execute an executable file whose permission
  91         bits or ACL do not allow the process execute permission.
  92 
  93 privilege PRIV_FILE_DAC_READ
  94 
  95         Allows a process to read a file or directory whose permission
  96         bits or ACL do not allow the process read permission.
  97 
  98 privilege PRIV_FILE_DAC_SEARCH
  99 
 100         Allows a process to search a directory whose permission bits or
 101         ACL do not allow the process search permission.
 102 
 103 privilege PRIV_FILE_DAC_WRITE
 104 
 105         Allows a process to write a file or directory whose permission
 106         bits or ACL do not allow the process write permission.
 107         In order to write files owned by uid 0 in the absence of an
 108         effective uid of 0 ALL privileges are required.
 109 
 110 privilege PRIV_FILE_DOWNGRADE_SL
 111 
 112         Allows a process to set the sensitivity label of a file or
 113         directory to a sensitivity label that does not dominate the
 114         existing sensitivity label.
 115         This privilege is interpreted only if the system is configured
 116         with Trusted Extensions.
 117 
 118 privilege PRIV_FILE_FLAG_SET
 119 
 120         Allows a process to set immutable, nounlink or appendonly
 121         file attributes.
 122 
 123 basic privilege PRIV_FILE_LINK_ANY
 124 
 125         Allows a process to create hardlinks to files owned by a uid
 126         different from the process' effective uid.
 127 
 128 privilege PRIV_FILE_OWNER
 129 
 130         Allows a process which is not the owner of a file or directory
 131         to perform the following operations that are normally permitted
 132         only for the file owner: modify that file's access and
 133         modification times; remove or rename a file or directory whose
 134         parent directory has the ``save text image after execution''
 135         (sticky) bit set; mount a ``namefs'' upon a file; modify
 136         permission bits or ACL except for the set-uid and set-gid
 137         bits.
 138 
 139 basic privilege PRIV_FILE_READ
 140 
 141         Allows a process to read objects in the filesystem.
 142 
 143 privilege PRIV_FILE_SETID
 144 
 145         Allows a process to change the ownership of a file or write to
 146         a file without the set-user-ID and set-group-ID bits being
 147         cleared.
 148         Allows a process to set the set-group-ID bit on a file or
 149         directory whose group is not the process' effective group or
 150         one of the process' supplemental groups.
 151         Allows a process to set the set-user-ID bit on a file with
 152         different ownership in the presence of PRIV_FILE_OWNER.
 153         Additional restrictions apply when creating or modifying a
 154         set-uid 0 file.
 155 
 156 privilege PRIV_FILE_UPGRADE_SL
 157 
 158         Allows a process to set the sensitivity label of a file or
 159         directory to a sensitivity label that dominates the existing
 160         sensitivity label.
 161         This privilege is interpreted only if the system is configured
 162         with Trusted Extensions.
 163 
 164 basic privilege PRIV_FILE_WRITE
 165 
 166         Allows a process to modify objects in the filesystem.
 167 
 168 privilege PRIV_GRAPHICS_ACCESS
 169 
 170         Allows a process to make privileged ioctls to graphics devices.
 171         Typically only xserver process needs to have this privilege.
 172         A process with this privilege is also allowed to perform
 173         privileged graphics device mappings.
 174 
 175 privilege PRIV_GRAPHICS_MAP
 176 
 177         Allows a process to perform privileged mappings through a
 178         graphics device.
 179 
 180 privilege PRIV_IPC_DAC_READ
 181 
 182         Allows a process to read a System V IPC
 183         Message Queue, Semaphore Set, or Shared Memory Segment whose
 184         permission bits do not allow the process read permission.
 185         Allows a process to read remote shared memory whose
 186         permission bits do not allow the process read permission.
 187 
 188 privilege PRIV_IPC_DAC_WRITE
 189 
 190         Allows a process to write a System V IPC
 191         Message Queue, Semaphore Set, or Shared Memory Segment whose
 192         permission bits do not allow the process write permission.
 193         Allows a process to read remote shared memory whose
 194         permission bits do not allow the process write permission.
 195         Additional restrictions apply if the owner of the object has uid 0
 196         and the effective uid of the current process is not 0.
 197 
 198 privilege PRIV_IPC_OWNER
 199 
 200         Allows a process which is not the owner of a System
 201         V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
 202         remove, change ownership of, or change permission bits of the
 203         Message Queue, Semaphore Set, or Shared Memory Segment.
 204         Additional restrictions apply if the owner of the object has uid 0
 205         and the effective uid of the current process is not 0.
 206 
 207 basic privilege PRIV_NET_ACCESS
 208 
 209         Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
 210 
 211 privilege PRIV_NET_BINDMLP
 212 
 213         Allow a process to bind to a port that is configured as a
 214         multi-level port(MLP) for the process's zone. This privilege
 215         applies to both shared address and zone-specific address MLPs.
 216         See tnzonecfg(4) from the Trusted Extensions manual pages for
 217         information on configuring MLP ports.
 218         This privilege is interpreted only if the system is configured
 219         with Trusted Extensions.
 220 
 221 privilege PRIV_NET_ICMPACCESS
 222 
 223         Allows a process to send and receive ICMP packets.
 224 
 225 privilege PRIV_NET_MAC_AWARE
 226 
 227         Allows a process to set NET_MAC_AWARE process flag by using
 228         setpflags(2). This privilege also allows a process to set
 229         SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
 230         The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
 231         option both allow a local process to communicate with an
 232         unlabeled peer if the local process' label dominates the
 233         peer's default label, or if the local process runs in the
 234         global zone.
 235         This privilege is interpreted only if the system is configured
 236         with Trusted Extensions.
 237 
 238 privilege PRIV_NET_MAC_IMPLICIT
 239 
 240         Allows a process to set SO_MAC_IMPLICIT option by using 
 241         setsockopt(3SOCKET).  This allows a privileged process to 
 242         transmit implicitly-labeled packets to a peer.
 243         This privilege is interpreted only if the system is configured
 244         with Trusted Extensions.
 245 
 246 privilege PRIV_NET_OBSERVABILITY
 247 
 248         Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
 249         while not requiring them to need PRIV_NET_RAWACCESS.
 250 
 251 privilege PRIV_NET_PRIVADDR
 252 
 253         Allows a process to bind to a privileged port
 254         number. The privilege port numbers are 1-1023 (the traditional
 255         UNIX privileged ports) as well as those ports marked as
 256         "udp/tcp_extra_priv_ports" with the exception of the ports
 257         reserved for use by NFS.
 258 
 259 privilege PRIV_NET_RAWACCESS
 260 
 261         Allows a process to have direct access to the network layer.
 262 
 263 unsafe privilege PRIV_PROC_AUDIT
 264 
 265         Allows a process to generate audit records.
 266         Allows a process to get its own audit pre-selection information.
 267 
 268 privilege PRIV_PROC_CHROOT
 269 
 270         Allows a process to change its root directory.
 271 
 272 privilege PRIV_PROC_CLOCK_HIGHRES
 273 
 274         Allows a process to use high resolution timers.
 275 
 276 basic privilege PRIV_PROC_EXEC
 277 
 278         Allows a process to call execve().
 279 
 280 basic privilege PRIV_PROC_FORK
 281 
 282         Allows a process to call fork1()/forkall()/vfork()
 283 
 284 basic privilege PRIV_PROC_INFO
 285 
 286         Allows a process to examine the status of processes other
 287         than those it can send signals to.  Processes which cannot
 288         be examined cannot be seen in /proc and appear not to exist.
 289 
 290 privilege PRIV_PROC_LOCK_MEMORY
 291 
 292         Allows a process to lock pages in physical memory.
 293 
 294 privilege PRIV_PROC_MEMINFO
 295 
 296         Allows a process to access physical memory information.
 297 
 298 privilege PRIV_PROC_OWNER
 299 
 300         Allows a process to send signals to other processes, inspect
 301         and modify process state to other processes regardless of
 302         ownership.  When modifying another process, additional
 303         restrictions apply:  the effective privilege set of the
 304         attaching process must be a superset of the target process'
 305         effective, permitted and inheritable sets; the limit set must
 306         be a superset of the target's limit set; if the target process
 307         has any uid set to 0 all privilege must be asserted unless the
 308         effective uid is 0.
 309         Allows a process to bind arbitrary processes to CPUs.
 310 
 311 privilege PRIV_PROC_PRIOUP
 312 
 313         Allows a process to elevate its priority above its current level.
 314 
 315 privilege PRIV_PROC_PRIOCNTL
 316 
 317         Allows all that PRIV_PROC_PRIOUP allows.
 318         Allows a process to change its scheduling class to any scheduling class,
 319         including the RT class.
 320 
 321 basic privilege PRIV_PROC_SESSION
 322 
 323         Allows a process to send signals or trace processes outside its
 324         session.
 325 
 326 unsafe privilege PRIV_PROC_SETID
 327 
 328         Allows a process to set its uids at will.
 329         Assuming uid 0 requires all privileges to be asserted.
 330 
 331 privilege PRIV_PROC_TASKID
 332 
 333         Allows a process to assign a new task ID to the calling process.
 334 
 335 privilege PRIV_PROC_ZONE
 336 
 337         Allows a process to trace or send signals to processes in
 338         other zones.
 339 
 340 privilege PRIV_SYS_ACCT
 341 
 342         Allows a process to enable and disable and manage accounting through
 343         acct(2), getacct(2), putacct(2) and wracct(2).
 344 
 345 privilege PRIV_SYS_ADMIN
 346 
 347         Allows a process to perform system administration tasks such
 348         as setting node and domain name and specifying nscd and coreadm
 349         settings.
 350 
 351 privilege PRIV_SYS_AUDIT
 352 
 353         Allows a process to start the (kernel) audit daemon.
 354         Allows a process to view and set audit state (audit user ID,
 355         audit terminal ID, audit sessions ID, audit pre-selection mask).
 356         Allows a process to turn off and on auditing.
 357         Allows a process to configure the audit parameters (cache and
 358         queue sizes, event to class mappings, policy options).
 359 
 360 privilege PRIV_SYS_CONFIG
 361 
 362         Allows a process to perform various system configuration tasks.
 363         Allows a process to add and remove swap devices; when adding a swap
 364         device, a process must also have sufficient privileges to read from
 365         and write to the swap device.
 366 
 367 privilege PRIV_SYS_DEVICES
 368 
 369         Allows a process to successfully call a kernel module that
 370         calls the kernel drv_priv(9F) function to check for allowed
 371         access.
 372         Allows a process to open the real console device directly.
 373         Allows a process to open devices that have been exclusively opened.
 374 
 375 privilege PRIV_SYS_IPC_CONFIG
 376 
 377         Allows a process to increase the size of a System V IPC Message
 378         Queue buffer.
 379 
 380 privilege PRIV_SYS_LINKDIR
 381 
 382         Allows a process to unlink and link directories.
 383 
 384 privilege PRIV_SYS_MOUNT
 385 
 386         Allows filesystem specific administrative procedures, such as
 387         filesystem configuration ioctls, quota calls and creation/deletion
 388         of snapshots.
 389         Allows a process to mount and unmount filesystems which would
 390         otherwise be restricted (i.e., most filesystems except
 391         namefs).
 392         A process performing a mount operation needs to have
 393         appropriate access to the device being mounted (read-write for
 394         "rw" mounts, read for "ro" mounts).
 395         A process performing any of the aforementioned
 396         filesystem operations needs to have read/write/owner
 397         access to the mount point.
 398         Only regular files and directories can serve as mount points
 399         for processes which do not have all zone privileges asserted.
 400         Unless a process has all zone privileges, the mount(2)
 401         system call will force the "nosuid" and "restrict" options, the
 402         latter only for autofs mountpoints.
 403         Regardless of privileges, a process running in a non-global zone may
 404         only control mounts performed from within said zone.
 405         Outside the global zone, the "nodevices" option is always forced.
 406 
 407 privilege PRIV_SYS_IPTUN_CONFIG
 408 
 409         Allows a process to configure IP tunnel links.
 410 
 411 privilege PRIV_SYS_DL_CONFIG
 412 
 413         Allows a process to configure all classes of datalinks, including
 414         configuration allowed by PRIV_SYS_IPTUN_CONFIG.
 415 
 416 privilege PRIV_SYS_IP_CONFIG
 417 
 418         Allows a process to configure a system's IP interfaces and routes.
 419         Allows a process to configure network parameters using ndd.
 420         Allows a process access to otherwise restricted information using ndd.
 421         Allows a process to configure IPsec.
 422         Allows a process to pop anchored STREAMs modules with matching zoneid.
 423 
 424 privilege PRIV_SYS_NET_CONFIG
 425 
 426         Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
 427         PRIV_SYS_PPP_CONFIG allow.
 428         Allows a process to push the rpcmod STREAMs module.
 429         Allows a process to INSERT/REMOVE STREAMs modules on locations other
 430         than the top of the module stack.
 431 
 432 privilege PRIV_SYS_NFS
 433 
 434         Allows a process to perform Sun private NFS specific system calls.
 435         Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
 436         and port 4045 (lockd).
 437 
 438 privilege PRIV_SYS_PPP_CONFIG
 439 
 440         Allows a process to create and destroy PPP (sppp) interfaces.
 441         Allows a process to configure PPP tunnels (sppptun).
 442 
 443 privilege PRIV_SYS_RES_BIND
 444 
 445         Allows a process to bind processes to processor sets.
 446 
 447 privilege PRIV_SYS_RES_CONFIG
 448 
 449         Allows all that PRIV_SYS_RES_BIND allows.
 450         Allows a process to create and delete processor sets, assign
 451         CPUs to processor sets and override the PSET_NOESCAPE property.
 452         Allows a process to change the operational status of CPUs in
 453         the system using p_online(2).
 454         Allows a process to configure resource pools and to bind
 455         processes to pools
 456 
 457 unsafe privilege PRIV_SYS_RESOURCE
 458 
 459         Allows a process to modify the resource limits specified
 460         by setrlimit(2) and setrctl(2) without restriction.
 461         Allows a process to exceed the per-user maximum number of
 462         processes.
 463         Allows a process to extend or create files on a filesystem that
 464         has less than minfree space in reserve.
 465 
 466 privilege PRIV_SYS_SMB
 467 
 468         Allows a process to access the Sun private SMB kernel module.
 469         Allows a process to bind to ports reserved by NetBIOS and SMB:
 470         ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
 471         Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
 472 
 473 privilege PRIV_SYS_SUSER_COMPAT
 474 
 475         Allows a process to successfully call a third party loadable module
 476         that calls the kernel suser() function to check for allowed access.
 477         This privilege exists only for third party loadable module
 478         compatibility and is not used by Solaris proper.
 479 
 480 privilege PRIV_SYS_TIME
 481 
 482         Allows a process to manipulate system time using any of the
 483         appropriate system calls: stime, adjtime, ntp_adjtime and
 484         the IA specific RTC calls.
 485 
 486 privilege PRIV_SYS_TRANS_LABEL
 487 
 488         Allows a process to translate labels that are not dominated
 489         by the process' sensitivity label to and from an external
 490         string form.
 491         This privilege is interpreted only if the system is configured
 492         with Trusted Extensions.
 493 
 494 privilege PRIV_VIRT_MANAGE
 495 
 496         Allows a process to manage virtualized environments such as
 497         xVM(5).
 498 
 499 privilege PRIV_WIN_COLORMAP
 500 
 501         Allows a process to override colormap restrictions.
 502         Allows a process to install or remove colormaps.
 503         Allows a process to retrieve colormap cell entries allocated
 504         by other processes.
 505         This privilege is interpreted only if the system is configured
 506         with Trusted Extensions.
 507 
 508 privilege PRIV_WIN_CONFIG
 509 
 510         Allows a process to configure or destroy resources that are
 511         permanently retained by the X server.
 512         Allows a process to use SetScreenSaver to set the screen
 513         saver timeout value.
 514         Allows a process to use ChangeHosts to modify the display
 515         access control list.
 516         Allows a process to use GrabServer.
 517         Allows a process to use the SetCloseDownMode request which
 518         may retain window, pixmap, colormap, property, cursor, font,
 519         or graphic context resources.
 520         This privilege is interpreted only if the system is configured
 521         with Trusted Extensions.
 522 
 523 privilege PRIV_WIN_DAC_READ
 524 
 525         Allows a process to read from a window resource that it does
 526         not own (has a different user ID).
 527         This privilege is interpreted only if the system is configured
 528         with Trusted Extensions.
 529 
 530 privilege PRIV_WIN_DAC_WRITE
 531 
 532         Allows a process to write to or create a window resource that
 533         it does not own (has a different user ID). A newly created
 534         window property is created with the window's user ID.
 535         This privilege is interpreted only if the system is configured
 536         with Trusted Extensions.
 537 
 538 privilege PRIV_WIN_DEVICES
 539 
 540         Allows a process to perform operations on window input devices.
 541         Allows a process to get and set keyboard and pointer controls.
 542         Allows a process to modify pointer button and key mappings.
 543         This privilege is interpreted only if the system is configured
 544         with Trusted Extensions.
 545 
 546 privilege PRIV_WIN_DGA
 547 
 548         Allows a process to use the direct graphics access (DGA) X protocol
 549         extensions. Direct process access to the frame buffer is still
 550         required. Thus the process must have MAC and DAC privileges that
 551         allow access to the frame buffer, or the frame buffer must be
 552         allocated to the process.
 553         This privilege is interpreted only if the system is configured
 554         with Trusted Extensions.
 555 
 556 privilege PRIV_WIN_DOWNGRADE_SL
 557 
 558         Allows a process to set the sensitivity label of a window resource
 559         to a sensitivity label that does not dominate the existing
 560         sensitivity label.
 561         This privilege is interpreted only if the system is configured
 562         with Trusted Extensions.
 563 
 564 privilege PRIV_WIN_FONTPATH
 565 
 566         Allows a process to set a font path.
 567         This privilege is interpreted only if the system is configured
 568         with Trusted Extensions.
 569 
 570 privilege PRIV_WIN_MAC_READ
 571 
 572         Allows a process to read from a window resource whose sensitivity
 573         label is not equal to the process sensitivity label.
 574         This privilege is interpreted only if the system is configured
 575         with Trusted Extensions.
 576 
 577 privilege PRIV_WIN_MAC_WRITE
 578 
 579         Allows a process to create a window resource whose sensitivity
 580         label is not equal to the process sensitivity label.
 581         A newly created window property is created with the window's
 582         sensitivity label.
 583         This privilege is interpreted only if the system is configured
 584         with Trusted Extensions.
 585 
 586 privilege PRIV_WIN_SELECTION
 587 
 588         Allows a process to request inter-window data moves without the
 589         intervention of the selection confirmer.
 590         This privilege is interpreted only if the system is configured
 591         with Trusted Extensions.
 592 
 593 privilege PRIV_WIN_UPGRADE_SL
 594 
 595         Allows a process to set the sensitivity label of a window
 596         resource to a sensitivity label that dominates the existing
 597         sensitivity label.
 598         This privilege is interpreted only if the system is configured
 599         with Trusted Extensions.
 600 
 601 privilege PRIV_XVM_CONTROL
 602 
 603         Allows a process access to the xVM(5) control devices for
 604         managing guest domains and the hypervisor. This privilege is
 605         used only if booted into xVM on x86 platforms.
 606 
 607 set PRIV_EFFECTIVE
 608 
 609         Set of privileges currently in effect.
 610 
 611 set PRIV_INHERITABLE
 612 
 613         Set of privileges that comes into effect on exec.
 614 
 615 set PRIV_PERMITTED
 616 
 617         Set of privileges that can be put into the effective set without
 618         restriction.
 619 
 620 set PRIV_LIMIT
 621 
 622         Set of privileges that determines the absolute upper bound of
 623         privileges this process and its off-spring can obtain.