/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2013, Joyent, Inc. All rights reserved.
 *
INSERT COMMENT
 */

#
# Privileges can be added to this file at any location, not
# necessarily at the end. For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.

privilege PRIV_CONTRACT_IDENTITY

	Allows a process to set the service FMRI value of a process
	contract template.

privilege PRIV_CONTRACT_OBSERVER

	Allows a process to observe contract events generated by
	contracts created and owned by users other than the process's
	effective user ID.
	Allows a process to open contract event endpoints belonging to
	contracts created and owned by users other than the process's
	effective user ID.

privilege PRIV_CPC_CPU

	Allows a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

	Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

	Allows DTrace process-level tracing.
	Allows process-level tracing probes to be placed and enabled in
	processes to which the user has permissions.

privilege PRIV_DTRACE_USER

	Allows DTrace user-level tracing.
	Allows use of the syscall and profile DTrace providers to
	examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

	Allows a process to change a file's owner user ID.
	Allows a process to change a file's group ID to one other than
	the process' effective group ID or one of the process'
	supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

	Allows a process to give away its files; a process with this
	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
	in effect.

privilege PRIV_FILE_DAC_EXECUTE

	Allows a process to execute an executable file whose permission
	bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

	Allows a process to search a directory whose permission bits or
	ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0, ALL privileges are required.

privilege PRIV_FILE_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that does not dominate the
	existing sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_FILE_FLAG_SET

	Allows a process to set immutable, nounlink or appendonly
	file attributes.

basic privilege PRIV_FILE_LINK_ANY

	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.

privilege PRIV_FILE_OWNER

	Allows a process which is not the owner of a file or directory
	to perform the following operations that are normally permitted
	only for the file owner: modify that file's access and
	modification times; remove or rename a file or directory whose
	parent directory has the ``save text image after execution''
	(sticky) bit set; mount a ``namefs'' upon a file; modify
	permission bits or ACL except for the set-uid and set-gid
	bits.

basic privilege PRIV_FILE_READ

	Allows a process to read objects in the filesystem.

privilege PRIV_FILE_SETID

	Allows a process to change the ownership of a file or write to
	a file without the set-user-ID and set-group-ID bits being
	cleared.
	Allows a process to set the set-group-ID bit on a file or
	directory whose group is not the process' effective group or
	one of the process' supplemental groups.
	Allows a process to set the set-user-ID bit on a file with
	different ownership in the presence of PRIV_FILE_OWNER.
	Additional restrictions apply when creating or modifying a
	set-uid 0 file.

privilege PRIV_FILE_UPGRADE_SL

	Allows a process to set the sensitivity label of a file or
	directory to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

basic privilege PRIV_FILE_WRITE

	Allows a process to modify objects in the filesystem.

privilege PRIV_GRAPHICS_ACCESS

	Allows a process to make privileged ioctls to graphics devices.
	Typically only the xserver process needs to have this privilege.
	A process with this privilege is also allowed to perform
	privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP

	Allows a process to perform privileged mappings through a
	graphics device.

privilege PRIV_IPC_DAC_READ

	Allows a process to read a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process read permission.
	Allows a process to read remote shared memory whose
	permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

	Allows a process to write a System V IPC
	Message Queue, Semaphore Set, or Shared Memory Segment whose
	permission bits do not allow the process write permission.
	Allows a process to write remote shared memory whose
	permission bits do not allow the process write permission.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

	Allows a process which is not the owner of a System
	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
	remove, change ownership of, or change permission bits of the
	Message Queue, Semaphore Set, or Shared Memory Segment.
	Additional restrictions apply if the owner of the object has uid 0
	and the effective uid of the current process is not 0.

basic privilege PRIV_NET_ACCESS

	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.

privilege PRIV_NET_BINDMLP

	Allows a process to bind to a port that is configured as a
	multi-level port (MLP) for the process's zone. This privilege
	applies to both shared address and zone-specific address MLPs.
	See tnzonecfg(4) from the Trusted Extensions manual pages for
	information on configuring MLP ports.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_ICMPACCESS

	Allows a process to send and receive ICMP packets.

privilege PRIV_NET_MAC_AWARE

	Allows a process to set the NET_MAC_AWARE process flag by using
	setpflags(2). This privilege also allows a process to set the
	SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
	The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
	option both allow a local process to communicate with an
	unlabeled peer if the local process' label dominates the
	peer's default label, or if the local process runs in the
	global zone.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_MAC_IMPLICIT

	Allows a process to set the SO_MAC_IMPLICIT option by using
	setsockopt(3SOCKET). This allows a privileged process to
	transmit implicitly-labeled packets to a peer.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_NET_OBSERVABILITY

	Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
	without requiring PRIV_NET_RAWACCESS.

privilege PRIV_NET_PRIVADDR

	Allows a process to bind to a privileged port
	number. The privileged port numbers are 1-1023 (the traditional
	UNIX privileged ports) as well as those ports marked as
	"udp/tcp_extra_priv_ports" with the exception of the ports
	reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

	Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

	Allows a process to generate audit records.
	Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

	Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

	Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

	Allows a process to call execve().

basic privilege PRIV_PROC_FORK

	Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO

	Allows a process to examine the status of processes other
	than those it can send signals to. Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

	Allows a process to lock pages in physical memory.

privilege PRIV_PROC_OWNER

	Allows a process to send signals to other processes, and to
	inspect and modify the process state of other processes,
	regardless of ownership. When modifying another process,
	additional restrictions apply: the effective privilege set of
	the attaching process must be a superset of the target process'
	effective, permitted and inheritable sets; the limit set must
	be a superset of the target's limit set; if the target process
	has any uid set to 0, all privileges must be asserted unless the
	effective uid is 0.
	Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOUP

	Allows a process to elevate its priority above its current level.

privilege PRIV_PROC_PRIOCNTL

	Allows all that PRIV_PROC_PRIOUP allows.
	Allows a process to change its scheduling class to any scheduling class,
	including the RT class.

basic privilege PRIV_PROC_SESSION

	Allows a process to send signals or trace processes outside its
	session.

unsafe privilege PRIV_PROC_SETID

	Allows a process to set its uids at will.
	Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

	Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

	Allows a process to trace or send signals to processes in
	other zones.

privilege PRIV_SYS_ACCT

	Allows a process to enable, disable and manage accounting through
	acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

	Allows a process to perform system administration tasks such
	as setting node and domain name and specifying nscd and coreadm
	settings.

privilege PRIV_SYS_AUDIT

	Allows a process to start the (kernel) audit daemon.
	Allows a process to view and set audit state (audit user ID,
	audit terminal ID, audit session ID, audit pre-selection mask).
	Allows a process to turn off and on auditing.
	Allows a process to configure the audit parameters (cache and
	queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

	Allows a process to perform various system configuration tasks.
	Allows a process to add and remove swap devices; when adding a swap
	device, a process must also have sufficient privileges to read from
	and write to the swap device.

privilege PRIV_SYS_DEVICES

	Allows a process to successfully call a kernel module that
	calls the kernel drv_priv(9F) function to check for allowed
	access.
	Allows a process to open the real console device directly.
	Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

	Allows a process to increase the size of a System V IPC Message
	Queue buffer.

privilege PRIV_SYS_LINKDIR

	Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

	Allows filesystem specific administrative procedures, such as
	filesystem configuration ioctls, quota calls and creation/deletion
	of snapshots.
	Allows a process to mount and unmount filesystems which would
	otherwise be restricted (i.e., most filesystems except
	namefs).
	A process performing a mount operation needs to have
	appropriate access to the device being mounted (read-write for
	"rw" mounts, read for "ro" mounts).
	A process performing any of the aforementioned
	filesystem operations needs to have read/write/owner
	access to the mount point.
	Only regular files and directories can serve as mount points
	for processes which do not have all zone privileges asserted.
	Unless a process has all zone privileges, the mount(2)
	system call will force the "nosuid" and "restrict" options, the
	latter only for autofs mountpoints.
	Regardless of privileges, a process running in a non-global zone may
	only control mounts performed from within said zone.
	Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_IPTUN_CONFIG

	Allows a process to configure IP tunnel links.

privilege PRIV_SYS_DL_CONFIG

	Allows a process to configure all classes of datalinks, including
	configuration allowed by PRIV_SYS_IPTUN_CONFIG.

privilege PRIV_SYS_IP_CONFIG

	Allows a process to configure a system's IP interfaces and routes.
	Allows a process to configure network parameters using ndd.
	Allows a process access to otherwise restricted information using ndd.
	Allows a process to configure IPsec.
	Allows a process to pop anchored STREAMs modules with matching zoneid.

privilege PRIV_SYS_NET_CONFIG

	Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
	PRIV_SYS_PPP_CONFIG allow.
	Allows a process to push the rpcmod STREAMs module.
	Allows a process to INSERT/REMOVE STREAMs modules on locations other
	than the top of the module stack.

privilege PRIV_SYS_NFS

	Allows a process to perform Sun private NFS specific system calls.
	Allows a process to bind to ports reserved by NFS: port 2049 (nfs)
	and port 4045 (lockd).

privilege PRIV_SYS_PPP_CONFIG

	Allows a process to create and destroy PPP (sppp) interfaces.
	Allows a process to configure PPP tunnels (sppptun).

privilege PRIV_SYS_RES_BIND

	Allows a process to bind processes to processor sets.

privilege PRIV_SYS_RES_CONFIG

	Allows all that PRIV_SYS_RES_BIND allows.
	Allows a process to create and delete processor sets, assign
	CPUs to processor sets and override the PSET_NOESCAPE property.
	Allows a process to change the operational status of CPUs in
	the system using p_online(2).
	Allows a process to configure resource pools and to bind
	processes to pools.

unsafe privilege PRIV_SYS_RESOURCE

	Allows a process to modify the resource limits specified
	by setrlimit(2) and setrctl(2) without restriction.
	Allows a process to exceed the per-user maximum number of
	processes.
	Allows a process to extend or create files on a filesystem that
	has less than minfree space in reserve.

privilege PRIV_SYS_SMB

	Allows a process to access the Sun private SMB kernel module.
	Allows a process to bind to ports reserved by NetBIOS and SMB:
	ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
	Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT

	Allows a process to successfully call a third party loadable module
	that calls the kernel suser() function to check for allowed access.
	This privilege exists only for third party loadable module
	compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

	Allows a process to manipulate system time using any of the
	appropriate system calls: stime, adjtime, ntp_adjtime and
	the IA specific RTC calls.

privilege PRIV_SYS_TRANS_LABEL

	Allows a process to translate labels that are not dominated
	by the process' sensitivity label to and from an external
	string form.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_VIRT_MANAGE

	Allows a process to manage virtualized environments such as
	xVM(5).

privilege PRIV_WIN_COLORMAP

	Allows a process to override colormap restrictions.
	Allows a process to install or remove colormaps.
	Allows a process to retrieve colormap cell entries allocated
	by other processes.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_CONFIG

	Allows a process to configure or destroy resources that are
	permanently retained by the X server.
	Allows a process to use SetScreenSaver to set the screen
	saver timeout value.
	Allows a process to use ChangeHosts to modify the display
	access control list.
	Allows a process to use GrabServer.
	Allows a process to use the SetCloseDownMode request which
	may retain window, pixmap, colormap, property, cursor, font,
	or graphic context resources.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DAC_READ

	Allows a process to read from a window resource that it does
	not own (has a different user ID).
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DAC_WRITE

	Allows a process to write to or create a window resource that
	it does not own (has a different user ID). A newly created
	window property is created with the window's user ID.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DEVICES

	Allows a process to perform operations on window input devices.
	Allows a process to get and set keyboard and pointer controls.
	Allows a process to modify pointer button and key mappings.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DGA

	Allows a process to use the direct graphics access (DGA) X protocol
	extensions. Direct process access to the frame buffer is still
	required. Thus the process must have MAC and DAC privileges that
	allow access to the frame buffer, or the frame buffer must be
	allocated to the process.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_DOWNGRADE_SL

	Allows a process to set the sensitivity label of a window resource
	to a sensitivity label that does not dominate the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_FONTPATH

	Allows a process to set a font path.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_MAC_READ

	Allows a process to read from a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_MAC_WRITE

	Allows a process to create a window resource whose sensitivity
	label is not equal to the process sensitivity label.
	A newly created window property is created with the window's
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_SELECTION

	Allows a process to request inter-window data moves without the
	intervention of the selection confirmer.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_WIN_UPGRADE_SL

	Allows a process to set the sensitivity label of a window
	resource to a sensitivity label that dominates the existing
	sensitivity label.
	This privilege is interpreted only if the system is configured
	with Trusted Extensions.

privilege PRIV_XVM_CONTROL

	Allows a process access to the xVM(5) control devices for
	managing guest domains and the hypervisor. This privilege is
	used only if booted into xVM on x86 platforms.

set PRIV_EFFECTIVE

	Set of privileges currently in effect.

set PRIV_INHERITABLE

	Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

	Set of privileges that can be put into the effective set without
	restriction.

set PRIV_LIMIT

	Set of privileges that determines the absolute upper bound of
	privileges this process and its offspring can obtain.
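The four "set" entries and the PRIV_PROC_OWNER attach restrictions above are easier to reason about as set algebra. The following is an added C model, not code from priv_defs or from the illumos/Solaris sources: privilege sets are bitsets with constructed bit positions, `proc_t` and the omission of the saved uid are modelling simplifications, and the exec transition (E' = P' = I' = I ∩ L, L unchanged) is the documented Solaris behaviour the "set" entries describe only in outline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A few privileges named in priv_defs, given constructed bit positions for this model. */
enum {
    PRIV_PROC_FORK    = 1u << 0,
    PRIV_PROC_EXEC    = 1u << 1,
    PRIV_FILE_READ    = 1u << 2,
    PRIV_FILE_WRITE   = 1u << 3,
    PRIV_PROC_OWNER   = 1u << 4,
    PRIV_PROC_SETID   = 1u << 5,
    PRIV_NET_PRIVADDR = 1u << 6,
    PRIV_ALL          = (1u << 7) - 1   /* every privilege known to this model */
};
typedef uint32_t priv_set_t;

/* The four per-process sets from the "set" entries, plus the uids the
 * PRIV_PROC_OWNER rule inspects (the saved uid is left out of the model). */
typedef struct {
    priv_set_t E, I, P, L;   /* effective, inheritable, permitted, limit */
    unsigned uid, euid;
} proc_t;

static bool subset(priv_set_t a, priv_set_t b) { return (a & ~b) == 0; }

/* PRIV_PERMITTED: only privileges already in P may be put into the effective set. */
static bool set_effective(proc_t *p, priv_set_t want) {
    if (!subset(want, p->P)) return false;
    p->E = want;
    return true;
}

/* PRIV_INHERITABLE / PRIV_LIMIT: on exec the inheritable set, clipped by the
 * limit set, becomes the new effective, permitted and inheritable sets;
 * the limit set itself is unchanged, so it bounds every descendant. */
static void do_exec(proc_t *p) {
    priv_set_t inherited = p->I & p->L;
    p->E = p->P = p->I = inherited;
}

/* PRIV_PROC_OWNER restrictions for modifying a process one does not own:
 * the attaching E must cover the target's E, P and I; the attaching L must
 * cover the target's L; a uid-0 target needs all privileges unless euid is 0. */
static bool can_attach(const proc_t *att, const proc_t *tgt) {
    if (!(att->E & PRIV_PROC_OWNER)) return false;
    if (!subset(tgt->E | tgt->P | tgt->I, att->E)) return false;
    if (!subset(tgt->L, att->L)) return false;
    if ((tgt->uid == 0 || tgt->euid == 0) && att->euid != 0 && att->E != PRIV_ALL)
        return false;
    return true;
}

int main(void) {
    priv_set_t basic = PRIV_PROC_FORK | PRIV_PROC_EXEC | PRIV_FILE_READ | PRIV_FILE_WRITE;
    /* Constructed: a daemon whose limit set was narrowed to basic before exec. */
    proc_t daemon = { basic, basic | PRIV_NET_PRIVADDR, basic, basic, 1001, 1001 };
    do_exec(&daemon);   /* PRIV_NET_PRIVADDR is dropped because it is not in L */
    printf("after exec: E=%#x P=%#x I=%#x L=%#x\n", daemon.E, daemon.P, daemon.I, daemon.L);
    /* Constructed: a debugger running as uid 100 holding PRIV_PROC_OWNER. */
    proc_t dbg = { basic | PRIV_PROC_OWNER, basic, PRIV_ALL, PRIV_ALL, 100, 100 };
    printf("attach to daemon: %s\n", can_attach(&dbg, &daemon) ? "allowed" : "denied");
    return 0;
}
```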