1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2013, Joyent, Inc. All rights reserved. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/sysmacros.h> 28 #include <sys/param.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/vnode.h> 32 #include <sys/vfs.h> 33 #include <sys/stat.h> 34 #include <sys/errno.h> 35 #include <sys/kmem.h> 36 #include <sys/user.h> 37 #include <sys/proc.h> 38 #include <sys/acct.h> 39 #include <sys/ipc_impl.h> 40 #include <sys/cmn_err.h> 41 #include <sys/debug.h> 42 #include <sys/policy.h> 43 #include <sys/kobj.h> 44 #include <sys/msg.h> 45 #include <sys/devpolicy.h> 46 #include <c2/audit.h> 47 #include <sys/varargs.h> 48 #include <sys/klpd.h> 49 #include <sys/modctl.h> 50 #include <sys/disp.h> 51 #include <sys/zone.h> 52 #include <inet/optcom.h> 53 #include <sys/sdt.h> 54 #include <sys/vfs.h> 55 #include <sys/mntent.h> 56 #include <sys/contract_impl.h> 57 #include <sys/dld_ioc.h> 58 59 /* 60 * There are two possible layers of privilege routines and two possible 61 * levels of secpolicy. Plus one other we may not be interested in, so 62 * we may need as many as 6 but no more. 63 */ 64 #define MAXPRIVSTACK 6 65 66 int priv_debug = 0; 67 int priv_basic_test = -1; 68 69 /* 70 * This file contains the majority of the policy routines. 71 * Since the policy routines are defined by function and not 72 * by privilege, there is quite a bit of duplication of 73 * functions. 74 * 75 * The secpolicy functions must not make assumptions about 76 * locks held or not held as any lock can be held while they're 77 * being called. 78 * 79 * Credentials are read-only so no special precautions need to 80 * be taken while locking them. 81 * 82 * When a new policy check needs to be added to the system the 83 * following procedure should be followed: 84 * 85 * Pick an appropriate secpolicy_*() function 86 * -> done if one exists. 87 * Create a new secpolicy function, preferably with 88 * a descriptive name using the standard template. 89 * Pick an appropriate privilege for the policy. 90 * If no appropraite privilege exists, define new one 91 * (this should be done with extreme care; in most cases 92 * little is gained by adding another privilege) 93 * 94 * WHY ROOT IS STILL SPECIAL. 95 * 96 * In a number of the policy functions, there are still explicit 97 * checks for uid 0. The rationale behind these is that many root 98 * owned files/objects hold configuration information which can give full 99 * privileges to the user once written to. To prevent escalation 100 * of privilege by allowing just a single privilege to modify root owned 101 * objects, we've added these root specific checks where we considered 102 * them necessary: modifying root owned files, changing uids to 0, etc. 103 * 104 * PRIVILEGE ESCALATION AND ZONES. 105 * 106 * A number of operations potentially allow the caller to achieve 107 * privileges beyond the ones normally required to perform the operation. 108 * For example, if allowed to create a setuid 0 executable, a process can 109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 110 * restrictions on the ability to gain privileges beyond those available 111 * within the zone through file and process manipulation. Hence, such 112 * operations require that the caller have an effective set that includes 113 * all privileges available within the current zone, or all privileges 114 * if executing in the global zone. 115 * 116 * This is indicated in the priv_policy* policy checking functions 117 * through a combination of parameters. The "priv" parameter indicates 118 * the privilege that is required, and the "allzone" parameter indicates 119 * whether or not all privileges in the zone are required. In addition, 120 * priv can be set to PRIV_ALL to indicate that all privileges are 121 * required (regardless of zone). There are three scenarios of interest: 122 * (1) operation requires a specific privilege 123 * (2) operation requires a specific privilege, and requires all 124 * privileges available within the zone (or all privileges if in 125 * the global zone) 126 * (3) operation requires all privileges, regardless of zone 127 * 128 * For (1), priv should be set to the specific privilege, and allzone 129 * should be set to B_FALSE. 130 * For (2), priv should be set to the specific privilege, and allzone 131 * should be set to B_TRUE. 132 * For (3), priv should be set to PRIV_ALL, and allzone should be set 133 * to B_FALSE. 134 * 135 */ 136 137 /* 138 * The privileges are checked against the Effective set for 139 * ordinary processes and checked against the Limit set 140 * for euid 0 processes that haven't manipulated their privilege 141 * sets. 142 */ 143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 147 HAS_ALLPRIVS(cr) : \ 148 PRIV_ISMEMBER(&CR_OEPRIV(cr), pr)) 149 150 #define FAST_BASIC_CHECK(cr, priv) \ 151 if (PRIV_ISMEMBER(&CR_OEPRIV(cr), priv)) { \ 152 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \ 153 return (0); \ 154 } 155 156 /* 157 * Policy checking functions. 158 * 159 * All of the system's policy should be implemented here. 160 */ 161 162 /* 163 * Private functions which take an additional va_list argument to 164 * implement an object specific policy override. 165 */ 166 static int priv_policy_ap(const cred_t *, int, boolean_t, int, 167 const char *, va_list); 168 static int priv_policy_va(const cred_t *, int, boolean_t, int, 169 const char *, ...); 170 171 /* 172 * Generic policy calls 173 * 174 * The "bottom" functions of policy control 175 */ 176 static char * 177 mprintf(const char *fmt, ...) 178 { 179 va_list args; 180 char *buf; 181 size_t len; 182 183 va_start(args, fmt); 184 len = vsnprintf(NULL, 0, fmt, args) + 1; 185 va_end(args); 186 187 buf = kmem_alloc(len, KM_NOSLEEP); 188 189 if (buf == NULL) 190 return (NULL); 191 192 va_start(args, fmt); 193 (void) vsnprintf(buf, len, fmt, args); 194 va_end(args); 195 196 return (buf); 197 } 198 199 /* 200 * priv_policy_errmsg() 201 * 202 * Generate an error message if privilege debugging is enabled system wide 203 * or for this particular process. 204 */ 205 206 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 207 #define FMTMSG " for \"%s\"" 208 #define FMTFUN " needed at %s+0x%lx" 209 210 /* The maximum size privilege format: the concatenation of the above */ 211 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 212 213 static void 214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 215 { 216 struct proc *me; 217 pc_t stack[MAXPRIVSTACK]; 218 int depth; 219 int i; 220 char *sym; 221 ulong_t off; 222 const char *pname; 223 224 char *cmd; 225 char fmt[sizeof (FMTMAX)]; 226 227 if ((me = curproc) == &p0) 228 return; 229 230 /* Privileges must be defined */ 231 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 232 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 233 priv_getbynum(priv) != NULL); 234 235 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 236 priv = PRIV_ALL; 237 238 if (curthread->t_pre_sys) 239 ttolwp(curthread)->lwp_badpriv = (short)priv; 240 241 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 242 return; 243 244 (void) strcpy(fmt, FMTHDR); 245 246 if (me->p_user.u_comm[0]) 247 cmd = &me->p_user.u_comm[0]; 248 else 249 cmd = "priv_policy"; 250 251 if (msg != NULL && *msg != '\0') { 252 (void) strcat(fmt, FMTMSG); 253 } else { 254 (void) strcat(fmt, "%s"); 255 msg = ""; 256 } 257 258 sym = NULL; 259 260 depth = getpcstack(stack, MAXPRIVSTACK); 261 262 /* 263 * Try to find the first interesting function on the stack. 264 * priv_policy* that's us, so completely uninteresting. 265 * suser(), drv_priv(), secpolicy_* are also called from 266 * too many locations to convey useful information. 267 */ 268 for (i = 0; i < depth; i++) { 269 sym = kobj_getsymname((uintptr_t)stack[i], &off); 270 if (sym != NULL && 271 strstr(sym, "hasprocperm") == 0 && 272 strcmp("suser", sym) != 0 && 273 strcmp("ipcaccess", sym) != 0 && 274 strcmp("drv_priv", sym) != 0 && 275 strncmp("secpolicy_", sym, 10) != 0 && 276 strncmp("priv_policy", sym, 11) != 0) 277 break; 278 } 279 280 if (sym != NULL) 281 (void) strcat(fmt, FMTFUN); 282 283 (void) strcat(fmt, "\n"); 284 285 switch (priv) { 286 case PRIV_ALL: 287 pname = "ALL"; 288 break; 289 case PRIV_MULTIPLE: 290 pname = "MULTIPLE"; 291 break; 292 case PRIV_ALLZONE: 293 pname = "ZONE"; 294 break; 295 case PRIV_GLOBAL: 296 pname = "GLOBAL"; 297 break; 298 default: 299 pname = priv_getbynum(priv); 300 break; 301 } 302 303 if (CR_FLAGS(cr) & PRIV_DEBUG) { 304 /* Remember last message, just like lwp_badpriv. */ 305 if (curthread->t_pdmsg != NULL) { 306 kmem_free(curthread->t_pdmsg, 307 strlen(curthread->t_pdmsg) + 1); 308 } 309 310 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 311 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 312 313 curthread->t_post_sys = 1; 314 } 315 if (priv_debug) { 316 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 317 curthread->t_sysnum, msg, sym, off); 318 } 319 } 320 321 /* 322 * Override the policy, if appropriate. Return 0 if the external 323 * policy engine approves. 324 */ 325 static int 326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap) 327 { 328 priv_set_t set; 329 int ret; 330 331 if (!(CR_FLAGS(cr) & PRIV_XPOLICY)) 332 return (-1); 333 334 if (priv == PRIV_ALL) { 335 priv_fillset(&set); 336 } else if (allzone) { 337 set = *ZONEPRIVS(cr); 338 } else { 339 priv_emptyset(&set); 340 priv_addset(&set, priv); 341 } 342 ret = klpd_call(cr, &set, ap); 343 return (ret); 344 } 345 346 static int 347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap) 348 { 349 if (CR_FLAGS(cr) & PRIV_PFEXEC) 350 return (check_user_privs(cr, req)); 351 if (CR_FLAGS(cr) & PRIV_XPOLICY) { 352 return (klpd_call(cr, req, ap)); 353 } 354 return (-1); 355 } 356 357 static int 358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...) 359 { 360 va_list ap; 361 int ret; 362 363 va_start(ap, req); 364 ret = priv_policy_override_set(cr, req, ap); 365 va_end(ap); 366 return (ret); 367 } 368 369 /* 370 * Audit failure, log error message. 371 */ 372 static void 373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 374 { 375 376 if (AU_AUDITING()) 377 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 378 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 379 380 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 381 curthread->t_pre_sys) { 382 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 383 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 384 } else { 385 ASSERT(!HAS_PRIVILEGE(cr, priv)); 386 priv_policy_errmsg(cr, priv, msg); 387 } 388 } 389 } 390 391 /* 392 * priv_policy_ap() 393 * return 0 or error. 394 * See block comment above for a description of "priv" and "allzone" usage. 395 */ 396 static int 397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err, 398 const char *msg, va_list ap) 399 { 400 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) || 401 (!servicing_interrupt() && 402 priv_policy_override(cr, priv, allzone, ap) == 0)) { 403 if ((allzone || priv == PRIV_ALL || 404 !PRIV_ISMEMBER(priv_basic, priv)) && 405 !servicing_interrupt()) { 406 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */ 407 if (AU_AUDITING()) 408 audit_priv(priv, 409 allzone ? ZONEPRIVS(cr) : NULL, 1); 410 } 411 err = 0; 412 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 413 } else if (!servicing_interrupt()) { 414 /* Failure audited in this procedure */ 415 priv_policy_err(cr, priv, allzone, msg); 416 } 417 return (err); 418 } 419 420 int 421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err, 422 const char *msg, ...) 423 { 424 int ret; 425 va_list ap; 426 427 va_start(ap, msg); 428 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap); 429 va_end(ap); 430 431 return (ret); 432 } 433 434 int 435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 436 const char *msg) 437 { 438 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE)); 439 } 440 441 /* 442 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 443 */ 444 boolean_t 445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 446 { 447 boolean_t res = HAS_PRIVILEGE(cr, priv) && 448 (!allzone || HAS_ALLZONEPRIVS(cr)); 449 450 /* Audit success only */ 451 if (res && AU_AUDITING() && 452 (allzone || priv == PRIV_ALL || !PRIV_ISMEMBER(priv_basic, priv)) && 453 !servicing_interrupt()) { 454 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 455 } 456 if (res) { 457 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 458 } else { 459 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 460 } 461 return (res); 462 } 463 464 /* 465 * Non-auditing variant of priv_policy_choice(). 466 */ 467 boolean_t 468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 469 { 470 boolean_t res = HAS_PRIVILEGE(cr, priv) && 471 (!allzone || HAS_ALLZONEPRIVS(cr)); 472 473 if (res) { 474 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 475 } else { 476 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 477 } 478 return (res); 479 } 480 481 /* 482 * Check whether all privileges in the required set are present. 483 */ 484 static int 485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, 486 const char *msg, ...) 487 { 488 int priv; 489 int pfound = -1; 490 priv_set_t pset; 491 va_list ap; 492 int ret; 493 494 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 495 &CR_OEPRIV(cr))) { 496 return (0); 497 } 498 499 va_start(ap, msg); 500 ret = priv_policy_override_set(cr, req, ap); 501 va_end(ap); 502 if (ret == 0) 503 return (0); 504 505 if (req == PRIV_FULLSET || priv_isfullset(req)) { 506 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 507 return (EACCES); 508 } 509 510 pset = CR_OEPRIV(cr); /* present privileges */ 511 priv_inverse(&pset); /* all non present privileges */ 512 priv_intersect(req, &pset); /* the actual missing privs */ 513 514 if (AU_AUDITING()) 515 audit_priv(PRIV_NONE, &pset, 0); 516 /* 517 * Privilege debugging; special case "one privilege in set". 518 */ 519 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 520 for (priv = 0; priv < nprivs; priv++) { 521 if (priv_ismember(&pset, priv)) { 522 if (pfound != -1) { 523 /* Multiple missing privs */ 524 priv_policy_errmsg(cr, PRIV_MULTIPLE, 525 msg); 526 return (EACCES); 527 } 528 pfound = priv; 529 } 530 } 531 ASSERT(pfound != -1); 532 /* Just the one missing privilege */ 533 priv_policy_errmsg(cr, pfound, msg); 534 } 535 536 return (EACCES); 537 } 538 539 /* 540 * Called when an operation requires that the caller be in the 541 * global zone, regardless of privilege. 542 */ 543 static int 544 priv_policy_global(const cred_t *cr) 545 { 546 if (crgetzoneid(cr) == GLOBAL_ZONEID) 547 return (0); /* success */ 548 549 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 550 curthread->t_pre_sys) { 551 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 552 } 553 return (EPERM); 554 } 555 556 /* 557 * Raising process priority 558 */ 559 int 560 secpolicy_raisepriority(const cred_t *cr) 561 { 562 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0) 563 return (0); 564 return (secpolicy_setpriority(cr)); 565 } 566 567 /* 568 * Changing process priority or scheduling class 569 */ 570 int 571 secpolicy_setpriority(const cred_t *cr) 572 { 573 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 574 } 575 576 /* 577 * Binding to a privileged port, port must be specified in host byte 578 * order. 579 * When adding a new privilege which allows binding to currently privileged 580 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind 581 * to these ports because of backward compatibility. 582 */ 583 int 584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto) 585 { 586 char *reason; 587 int priv; 588 589 switch (port) { 590 case 137: 591 case 138: 592 case 139: 593 case 445: 594 /* 595 * NBT and SMB ports, these are normal privileged ports, 596 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege 597 * is present. 598 * Try both, if neither is present return an error for 599 * priv SYS_SMB. 600 */ 601 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE)) 602 priv = PRIV_NET_PRIVADDR; 603 else 604 priv = PRIV_SYS_SMB; 605 reason = "NBT or SMB port"; 606 break; 607 608 case 2049: 609 case 4045: 610 /* 611 * NFS ports, these are extra privileged ports, allow bind 612 * only if the SYS_NFS privilege is present. 613 */ 614 priv = PRIV_SYS_NFS; 615 reason = "NFS port"; 616 break; 617 618 default: 619 priv = PRIV_NET_PRIVADDR; 620 reason = NULL; 621 break; 622 623 } 624 625 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason, 626 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE)); 627 } 628 629 /* 630 * Binding to a multilevel port on a trusted (labeled) system. 631 */ 632 int 633 secpolicy_net_bindmlp(const cred_t *cr) 634 { 635 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL)); 636 } 637 638 /* 639 * Allow a communication between a zone and an unlabeled host when their 640 * labels don't match. 641 */ 642 int 643 secpolicy_net_mac_aware(const cred_t *cr) 644 { 645 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL)); 646 } 647 648 /* 649 * Allow a privileged process to transmit traffic without explicit labels 650 */ 651 int 652 secpolicy_net_mac_implicit(const cred_t *cr) 653 { 654 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL)); 655 } 656 657 /* 658 * Common routine which determines whether a given credential can 659 * act on a given mount. 660 * When called through mount, the parameter needoptcheck is a pointer 661 * to a boolean variable which will be set to either true or false, 662 * depending on whether the mount policy should change the mount options. 663 * In all other cases, needoptcheck should be a NULL pointer. 664 */ 665 static int 666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 667 boolean_t *needoptcheck) 668 { 669 boolean_t allzone = B_FALSE; 670 boolean_t mounting = needoptcheck != NULL; 671 672 /* 673 * Short circuit the following cases: 674 * vfsp == NULL or mvp == NULL (pure privilege check) 675 * have all privileges - no further checks required 676 * and no mount options need to be set. 677 */ 678 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 679 if (mounting) 680 *needoptcheck = B_FALSE; 681 682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 683 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 684 } 685 686 /* 687 * When operating on an existing mount (either we're not mounting 688 * or we're doing a remount and VFS_REMOUNT will be set), zones 689 * can operate only on mounts established by the zone itself. 690 */ 691 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 692 zoneid_t zoneid = crgetzoneid(cr); 693 694 if (zoneid != GLOBAL_ZONEID && 695 vfsp->vfs_zone->zone_id != zoneid) { 696 return (EPERM); 697 } 698 } 699 700 if (mounting) 701 *needoptcheck = B_TRUE; 702 703 /* 704 * Overlay mounts may hide important stuff; if you can't write to a 705 * mount point but would be able to mount on top of it, you can 706 * escalate your privileges. 707 * So we go about asking the same questions namefs does when it 708 * decides whether you can mount over a file or not but with the 709 * added restriction that you can only mount on top of a regular 710 * file or directory. 711 * If we have all the zone's privileges, we skip all other checks, 712 * or else we may actually get in trouble inside the automounter. 713 */ 714 if ((mvp->v_flag & VROOT) != 0 || 715 (mvp->v_type != VDIR && mvp->v_type != VREG) || 716 HAS_ALLZONEPRIVS(cr)) { 717 allzone = B_TRUE; 718 } else { 719 vattr_t va; 720 int err; 721 722 va.va_mask = AT_UID|AT_MODE; 723 err = VOP_GETATTR(mvp, &va, 0, cr, NULL); 724 if (err != 0) 725 return (err); 726 727 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 728 return (err); 729 730 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode, 731 VWRITE) != 0) { 732 return (EACCES); 733 } 734 } 735 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM, 736 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE)); 737 } 738 739 void 740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp) 741 { 742 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 743 744 /* 745 * check; if we don't have either "nosuid" or 746 * both "nosetuid" and "nodevices", then we add 747 * "nosuid"; this depends on how the current 748 * implementation works (it first checks nosuid). In a 749 * zone, a user with all zone privileges can mount with 750 * "setuid" but never with "devices". 751 */ 752 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 753 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 754 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 755 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 756 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 757 else 758 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 759 } 760 /* 761 * If we're not the local super user, we set the "restrict" 762 * option to indicate to automountd that this mount should 763 * be handled with care. 764 */ 765 if (!amsuper) 766 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 767 768 } 769 770 int 771 secpolicy_fs_allowed_mount(const char *fsname) 772 { 773 struct vfssw *vswp; 774 const char *p; 775 size_t len; 776 777 ASSERT(fsname != NULL); 778 ASSERT(fsname[0] != '\0'); 779 780 if (INGLOBALZONE(curproc)) 781 return (0); 782 783 vswp = vfs_getvfssw(fsname); 784 if (vswp == NULL) 785 return (ENOENT); 786 787 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) { 788 vfs_unrefvfssw(vswp); 789 return (0); 790 } 791 792 vfs_unrefvfssw(vswp); 793 794 p = curzone->zone_fs_allowed; 795 len = strlen(fsname); 796 797 while (p != NULL && *p != '\0') { 798 if (strncmp(p, fsname, len) == 0) { 799 char c = *(p + len); 800 if (c == '\0' || c == ',') 801 return (0); 802 } 803 804 /* skip to beyond the next comma */ 805 if ((p = strchr(p, ',')) != NULL) 806 p++; 807 } 808 809 return (EPERM); 810 } 811 812 extern vnode_t *rootvp; 813 extern vfs_t *rootvfs; 814 815 int 816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 817 { 818 boolean_t needoptchk; 819 int error; 820 821 /* 822 * If it's a remount, get the underlying mount point, 823 * except for the root where we use the rootvp. 824 */ 825 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 826 if (vfsp == rootvfs) 827 mvp = rootvp; 828 else 829 mvp = vfsp->vfs_vnodecovered; 830 } 831 832 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 833 834 if (error == 0 && needoptchk) { 835 secpolicy_fs_mount_clearopts(cr, vfsp); 836 } 837 838 return (error); 839 } 840 841 /* 842 * Does the policy computations for "ownership" of a mount; 843 * here ownership is defined as the ability to "mount" 844 * the filesystem originally. The rootvfs doesn't cover any 845 * vnodes; we attribute its ownership to the rootvp. 846 */ 847 static int 848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 849 { 850 vnode_t *mvp; 851 852 if (vfsp == NULL) 853 mvp = NULL; 854 else if (vfsp == rootvfs) 855 mvp = rootvp; 856 else 857 mvp = vfsp->vfs_vnodecovered; 858 859 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 860 } 861 862 int 863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 864 { 865 return (secpolicy_fs_owner(cr, vfsp)); 866 } 867 868 /* 869 * Quotas are a resource, but if one has the ability to mount a filesystem, he 870 * should be able to modify quotas on it. 871 */ 872 int 873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 874 { 875 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 876 } 877 878 /* 879 * Exceeding minfree: also a per-mount resource constraint. 880 */ 881 int 882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 883 { 884 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 885 } 886 887 int 888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 889 { 890 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 891 } 892 893 /* ARGSUSED */ 894 int 895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 896 { 897 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 898 } 899 900 /* 901 * Name: secpolicy_vnode_access() 902 * 903 * Parameters: Process credential 904 * vnode 905 * uid of owner of vnode 906 * permission bits not granted to the caller when examining 907 * file mode bits (i.e., when a process wants to open a 908 * mode 444 file for VREAD|VWRITE, this function should be 909 * called only with a VWRITE argument). 910 * 911 * Normal: Verifies that cred has the appropriate privileges to 912 * override the mode bits that were denied. 913 * 914 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 915 * not a directory. 916 * file_dac_read - if VREAD bit was denied. 917 * file_dac_search - if VEXEC bit was denied and vnode is 918 * a directory. 919 * file_dac_write - if VWRITE bit was denied. 920 * 921 * Root owned files are special cased to protect system 922 * configuration files and such. 923 * 924 * Output: EACCES - if privilege check fails. 925 */ 926 927 int 928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 929 { 930 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 931 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 932 KLPDARG_NOMORE) != 0) { 933 return (EACCES); 934 } 935 936 if (mode & VWRITE) { 937 boolean_t allzone; 938 939 if (owner == 0 && cr->cr_uid != 0) 940 allzone = B_TRUE; 941 else 942 allzone = B_FALSE; 943 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 944 NULL, KLPDARG_VNODE, vp, (char *)NULL, 945 KLPDARG_NOMORE) != 0) { 946 return (EACCES); 947 } 948 } 949 950 if (mode & VEXEC) { 951 /* 952 * Directories use file_dac_search to override the execute bit. 953 */ 954 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 955 PRIV_FILE_DAC_EXECUTE; 956 957 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 958 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 959 } 960 return (0); 961 } 962 963 /* 964 * Like secpolicy_vnode_access() but we get the actual wanted mode and the 965 * current mode of the file, not the missing bits. 966 */ 967 int 968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner, 969 mode_t curmode, mode_t wantmode) 970 { 971 mode_t mode; 972 973 /* Inline the basic privileges tests. */ 974 if ((wantmode & VREAD) && 975 !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_READ) && 976 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 977 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 978 return (EACCES); 979 } 980 981 if ((wantmode & VWRITE) && 982 !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_WRITE) && 983 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 984 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) { 985 return (EACCES); 986 } 987 988 mode = ~curmode & wantmode; 989 990 if (mode == 0) 991 return (0); 992 993 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, 994 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL, 995 KLPDARG_NOMORE) != 0) { 996 return (EACCES); 997 } 998 999 if (mode & VWRITE) { 1000 boolean_t allzone; 1001 1002 if (owner == 0 && cr->cr_uid != 0) 1003 allzone = B_TRUE; 1004 else 1005 allzone = B_FALSE; 1006 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, 1007 NULL, KLPDARG_VNODE, vp, (char *)NULL, 1008 KLPDARG_NOMORE) != 0) { 1009 return (EACCES); 1010 } 1011 } 1012 1013 if (mode & VEXEC) { 1014 /* 1015 * Directories use file_dac_search to override the execute bit. 1016 */ 1017 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH : 1018 PRIV_FILE_DAC_EXECUTE; 1019 1020 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL, 1021 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 1022 } 1023 return (0); 1024 } 1025 1026 /* 1027 * This is a special routine for ZFS; it is used to determine whether 1028 * any of the privileges in effect allow any form of access to the 1029 * file. There's no reason to audit this or any reason to record 1030 * this. More work is needed to do the "KPLD" stuff. 1031 */ 1032 int 1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) 1034 { 1035 static int privs[] = { 1036 PRIV_FILE_OWNER, 1037 PRIV_FILE_CHOWN, 1038 PRIV_FILE_DAC_READ, 1039 PRIV_FILE_DAC_WRITE, 1040 PRIV_FILE_DAC_EXECUTE, 1041 PRIV_FILE_DAC_SEARCH, 1042 }; 1043 int i; 1044 1045 /* Same as secpolicy_vnode_setdac */ 1046 if (owner == cr->cr_uid) 1047 return (0); 1048 1049 for (i = 0; i < sizeof (privs)/sizeof (int); i++) { 1050 boolean_t allzone = B_FALSE; 1051 int priv; 1052 1053 switch (priv = privs[i]) { 1054 case PRIV_FILE_DAC_EXECUTE: 1055 if (vp->v_type == VDIR) 1056 continue; 1057 break; 1058 case PRIV_FILE_DAC_SEARCH: 1059 if (vp->v_type != VDIR) 1060 continue; 1061 break; 1062 case PRIV_FILE_DAC_WRITE: 1063 case PRIV_FILE_OWNER: 1064 case PRIV_FILE_CHOWN: 1065 /* We know here that if owner == 0, that cr_uid != 0 */ 1066 allzone = owner == 0; 1067 break; 1068 } 1069 if (PRIV_POLICY_CHOICE(cr, priv, allzone)) 1070 return (0); 1071 } 1072 return (EPERM); 1073 } 1074 1075 /* 1076 * Name: secpolicy_vnode_setid_modify() 1077 * 1078 * Normal: verify that subject can set the file setid flags. 1079 * 1080 * Output: EPERM - if not privileged. 1081 */ 1082 1083 static int 1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 1085 { 1086 /* If changing to suid root, must have all zone privs */ 1087 boolean_t allzone = B_TRUE; 1088 1089 if (owner != 0) { 1090 if (owner == cr->cr_uid) 1091 return (0); 1092 allzone = B_FALSE; 1093 } 1094 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 1095 } 1096 1097 /* 1098 * Are we allowed to retain the set-uid/set-gid bits when 1099 * changing ownership or when writing to a file? 1100 * "issuid" should be true when set-uid; only in that case 1101 * root ownership is checked (setgid is assumed). 1102 */ 1103 int 1104 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 1105 { 1106 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 1107 return (EPERM); 1108 1109 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 1110 } 1111 1112 /* 1113 * Name: secpolicy_vnode_setids_setgids() 1114 * 1115 * Normal: verify that subject can set the file setgid flag. 1116 * 1117 * Output: EPERM - if not privileged 1118 */ 1119 1120 int 1121 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 1122 { 1123 if (!groupmember(gid, cred)) 1124 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 1125 NULL)); 1126 return (0); 1127 } 1128 1129 /* 1130 * Name: secpolicy_vnode_chown 1131 * 1132 * Normal: Determine if subject can chown owner of a file. 1133 * 1134 * Output: EPERM - if access denied 1135 */ 1136 1137 int 1138 secpolicy_vnode_chown(const cred_t *cred, uid_t owner) 1139 { 1140 boolean_t is_owner = (owner == crgetuid(cred)); 1141 boolean_t allzone = B_FALSE; 1142 int priv; 1143 1144 if (!is_owner) { 1145 allzone = (owner == 0); 1146 priv = PRIV_FILE_CHOWN; 1147 } else { 1148 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ? 1149 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1150 } 1151 1152 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL)); 1153 } 1154 1155 /* 1156 * Name: secpolicy_vnode_create_gid 1157 * 1158 * Normal: Determine if subject can change group ownership of a file. 1159 * 1160 * Output: EPERM - if access denied 1161 */ 1162 int 1163 secpolicy_vnode_create_gid(const cred_t *cred) 1164 { 1165 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 1166 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 1167 NULL)); 1168 else 1169 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 1170 NULL)); 1171 } 1172 1173 /* 1174 * Name: secpolicy_vnode_utime_modify() 1175 * 1176 * Normal: verify that subject can modify the utime on a file. 1177 * 1178 * Output: EPERM - if access denied. 1179 */ 1180 1181 static int 1182 secpolicy_vnode_utime_modify(const cred_t *cred) 1183 { 1184 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 1185 "modify file times")); 1186 } 1187 1188 1189 /* 1190 * Name: secpolicy_vnode_setdac() 1191 * 1192 * Normal: verify that subject can modify the mode of a file. 1193 * allzone privilege needed when modifying root owned object. 1194 * 1195 * Output: EPERM - if access denied. 1196 */ 1197 1198 int 1199 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 1200 { 1201 if (owner == cred->cr_uid) 1202 return (0); 1203 1204 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 1205 } 1206 /* 1207 * Name: secpolicy_vnode_stky_modify() 1208 * 1209 * Normal: verify that subject can make a file a "sticky". 1210 * 1211 * Output: EPERM - if access denied. 1212 */ 1213 1214 int 1215 secpolicy_vnode_stky_modify(const cred_t *cred) 1216 { 1217 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 1218 "set file sticky")); 1219 } 1220 1221 /* 1222 * Policy determines whether we can remove an entry from a directory, 1223 * regardless of permission bits. 1224 */ 1225 int 1226 secpolicy_vnode_remove(const cred_t *cr) 1227 { 1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 1229 "sticky directory")); 1230 } 1231 1232 int 1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 1234 { 1235 boolean_t allzone = (owner == 0); 1236 1237 if (owner == cr->cr_uid) 1238 return (0); 1239 1240 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 1241 } 1242 1243 void 1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr) 1245 { 1246 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1247 secpolicy_vnode_setid_retain(cr, 1248 (vap->va_mode & S_ISUID) != 0 && 1249 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1250 vap->va_mask |= AT_MODE; 1251 vap->va_mode &= ~(S_ISUID|S_ISGID); 1252 } 1253 } 1254 1255 int 1256 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap, 1257 cred_t *cr) 1258 { 1259 int error; 1260 1261 if ((vap->va_mode & S_ISUID) != 0 && 1262 (error = secpolicy_vnode_setid_modify(cr, 1263 ovap->va_uid)) != 0) { 1264 return (error); 1265 } 1266 1267 /* 1268 * Check privilege if attempting to set the 1269 * sticky bit on a non-directory. 1270 */ 1271 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 1272 secpolicy_vnode_stky_modify(cr) != 0) { 1273 vap->va_mode &= ~S_ISVTX; 1274 } 1275 1276 /* 1277 * Check for privilege if attempting to set the 1278 * group-id bit. 1279 */ 1280 if ((vap->va_mode & S_ISGID) != 0 && 1281 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 1282 vap->va_mode &= ~S_ISGID; 1283 } 1284 1285 return (0); 1286 } 1287 1288 #define ATTR_FLAG_PRIV(attr, value, cr) \ 1289 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \ 1290 B_FALSE, EPERM, NULL) 1291 1292 /* 1293 * Check privileges for setting xvattr attributes 1294 */ 1295 int 1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype) 1297 { 1298 xoptattr_t *xoap; 1299 int error = 0; 1300 1301 if ((xoap = xva_getxoptattr(xvap)) == NULL) 1302 return (EINVAL); 1303 1304 /* 1305 * First process the DOS bits 1306 */ 1307 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) || 1308 XVA_ISSET_REQ(xvap, XAT_HIDDEN) || 1309 XVA_ISSET_REQ(xvap, XAT_READONLY) || 1310 XVA_ISSET_REQ(xvap, XAT_SYSTEM) || 1311 XVA_ISSET_REQ(xvap, XAT_CREATETIME) || 1312 XVA_ISSET_REQ(xvap, XAT_OFFLINE) || 1313 XVA_ISSET_REQ(xvap, XAT_SPARSE)) { 1314 if ((error = secpolicy_vnode_owner(cr, owner)) != 0) 1315 return (error); 1316 } 1317 1318 /* 1319 * Now handle special attributes 1320 */ 1321 1322 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) 1323 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, 1324 xoap->xoa_immutable, cr); 1325 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) 1326 error = ATTR_FLAG_PRIV(XAT_NOUNLINK, 1327 xoap->xoa_nounlink, cr); 1328 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) 1329 error = ATTR_FLAG_PRIV(XAT_APPENDONLY, 1330 xoap->xoa_appendonly, cr); 1331 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP)) 1332 error = ATTR_FLAG_PRIV(XAT_NODUMP, 1333 xoap->xoa_nodump, cr); 1334 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE)) 1335 error = EPERM; 1336 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) { 1337 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED, 1338 xoap->xoa_av_quarantined, cr); 1339 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined) 1340 error = EINVAL; 1341 } 1342 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) 1343 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, 1344 xoap->xoa_av_modified, cr); 1345 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) { 1346 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP, 1347 xoap->xoa_av_scanstamp, cr); 1348 if (error == 0 && vtype != VREG) 1349 error = EINVAL; 1350 } 1351 return (error); 1352 } 1353 1354 /* 1355 * This function checks the policy decisions surrounding the 1356 * vop setattr call. 1357 * 1358 * It should be called after sufficient locks have been established 1359 * on the underlying data structures. No concurrent modifications 1360 * should be allowed. 1361 * 1362 * The caller must pass in unlocked version of its vaccess function 1363 * this is required because vop_access function should lock the 1364 * node for reading. A three argument function should be defined 1365 * which accepts the following argument: 1366 * A pointer to the internal "node" type (inode *) 1367 * vnode access bits (VREAD|VWRITE|VEXEC) 1368 * a pointer to the credential 1369 * 1370 * This function makes the following policy decisions: 1371 * 1372 * - change permissions 1373 * - permission to change file mode if not owner 1374 * - permission to add sticky bit to non-directory 1375 * - permission to add set-gid bit 1376 * 1377 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 1378 * 1379 * If the vap argument does not include AT_MODE, the mode will be copied from 1380 * ovap. In certain situations set-uid/set-gid bits need to be removed; 1381 * this is done by marking vap->va_mask to include AT_MODE and va_mode 1382 * is updated to the newly computed mode. 1383 */ 1384 1385 int 1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 1387 const struct vattr *ovap, int flags, 1388 int unlocked_access(void *, int, cred_t *), 1389 void *node) 1390 { 1391 int mask = vap->va_mask; 1392 int error = 0; 1393 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE; 1394 1395 if (mask & AT_SIZE) { 1396 if (vp->v_type == VDIR) { 1397 error = EISDIR; 1398 goto out; 1399 } 1400 1401 /* 1402 * If ATTR_NOACLCHECK is set in the flags, then we don't 1403 * perform the secondary unlocked_access() call since the 1404 * ACL (if any) is being checked there. 1405 */ 1406 if (skipaclchk == B_FALSE) { 1407 error = unlocked_access(node, VWRITE, cr); 1408 if (error) 1409 goto out; 1410 } 1411 } 1412 if (mask & AT_MODE) { 1413 /* 1414 * If not the owner of the file then check privilege 1415 * for two things: the privilege to set the mode at all 1416 * and, if we're setting setuid, we also need permissions 1417 * to add the set-uid bit, if we're not the owner. 1418 * In the specific case of creating a set-uid root 1419 * file, we need even more permissions. 1420 */ 1421 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 1422 goto out; 1423 1424 if ((error = secpolicy_setid_setsticky_clear(vp, vap, 1425 ovap, cr)) != 0) 1426 goto out; 1427 } else 1428 vap->va_mode = ovap->va_mode; 1429 1430 if (mask & (AT_UID|AT_GID)) { 1431 boolean_t checkpriv = B_FALSE; 1432 1433 /* 1434 * Chowning files. 1435 * 1436 * If you are the file owner: 1437 * chown to other uid FILE_CHOWN_SELF 1438 * chown to gid (non-member) FILE_CHOWN_SELF 1439 * chown to gid (member) <none> 1440 * 1441 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1442 * acceptable but the first one is reported when debugging. 1443 * 1444 * If you are not the file owner: 1445 * chown from root PRIV_FILE_CHOWN + zone 1446 * chown from other to any PRIV_FILE_CHOWN 1447 * 1448 */ 1449 if (cr->cr_uid != ovap->va_uid) { 1450 checkpriv = B_TRUE; 1451 } else { 1452 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1453 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1454 !groupmember(vap->va_gid, cr))) { 1455 checkpriv = B_TRUE; 1456 } 1457 } 1458 /* 1459 * If necessary, check privilege to see if update can be done. 1460 */ 1461 if (checkpriv && 1462 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) { 1463 goto out; 1464 } 1465 1466 /* 1467 * If the file has either the set UID or set GID bits 1468 * set and the caller can set the bits, then leave them. 1469 */ 1470 secpolicy_setid_clear(vap, cr); 1471 } 1472 if (mask & (AT_ATIME|AT_MTIME)) { 1473 /* 1474 * If not the file owner and not otherwise privileged, 1475 * always return an error when setting the 1476 * time other than the current (ATTR_UTIME flag set). 1477 * If setting the current time (ATTR_UTIME not set) then 1478 * unlocked_access will check permissions according to policy. 1479 */ 1480 if (cr->cr_uid != ovap->va_uid) { 1481 if (flags & ATTR_UTIME) 1482 error = secpolicy_vnode_utime_modify(cr); 1483 else if (skipaclchk == B_FALSE) { 1484 error = unlocked_access(node, VWRITE, cr); 1485 if (error == EACCES && 1486 secpolicy_vnode_utime_modify(cr) == 0) 1487 error = 0; 1488 } 1489 if (error) 1490 goto out; 1491 } 1492 } 1493 1494 /* 1495 * Check for optional attributes here by checking the following: 1496 */ 1497 if (mask & AT_XVATTR) 1498 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr, 1499 vp->v_type); 1500 out: 1501 return (error); 1502 } 1503 1504 /* 1505 * Name: secpolicy_pcfs_modify_bootpartition() 1506 * 1507 * Normal: verify that subject can modify a pcfs boot partition. 1508 * 1509 * Output: EACCES - if privilege check failed. 1510 */ 1511 /*ARGSUSED*/ 1512 int 1513 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1514 { 1515 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1516 "modify pcfs boot partition")); 1517 } 1518 1519 /* 1520 * System V IPC routines 1521 */ 1522 int 1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1524 { 1525 if (crgetzoneid(cr) != ip->ipc_zoneid || 1526 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1527 boolean_t allzone = B_FALSE; 1528 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1529 allzone = B_TRUE; 1530 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1531 } 1532 return (0); 1533 } 1534 1535 int 1536 secpolicy_ipc_config(const cred_t *cr) 1537 { 1538 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1539 } 1540 1541 int 1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1543 { 1544 1545 boolean_t allzone = B_FALSE; 1546 1547 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1548 1549 if ((mode & MSG_R) && 1550 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1551 return (EACCES); 1552 1553 if (mode & MSG_W) { 1554 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1555 allzone = B_TRUE; 1556 1557 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1558 NULL)); 1559 } 1560 return (0); 1561 } 1562 1563 int 1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1565 { 1566 boolean_t allzone = B_FALSE; 1567 1568 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1569 1570 if ((mode & MSG_R) && 1571 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1572 return (EACCES); 1573 1574 if (mode & MSG_W) { 1575 if (cr->cr_uid != 0 && owner == 0) 1576 allzone = B_TRUE; 1577 1578 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1579 NULL)); 1580 } 1581 return (0); 1582 } 1583 1584 /* 1585 * Audit configuration. 1586 */ 1587 int 1588 secpolicy_audit_config(const cred_t *cr) 1589 { 1590 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1591 } 1592 1593 /* 1594 * Audit record generation. 1595 */ 1596 int 1597 secpolicy_audit_modify(const cred_t *cr) 1598 { 1599 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1600 } 1601 1602 /* 1603 * Get audit attributes. 1604 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1605 * "Least" of the two privileges on error. 1606 */ 1607 int 1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly) 1609 { 1610 int priv; 1611 1612 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) 1613 priv = PRIV_SYS_AUDIT; 1614 else 1615 priv = PRIV_PROC_AUDIT; 1616 1617 if (checkonly) 1618 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE)); 1619 else 1620 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1621 } 1622 1623 1624 /* 1625 * Locking physical memory 1626 */ 1627 int 1628 secpolicy_lock_memory(const cred_t *cr) 1629 { 1630 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1631 } 1632 1633 /* 1634 * Accounting (both acct(2) and exacct). 1635 */ 1636 int 1637 secpolicy_acct(const cred_t *cr) 1638 { 1639 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1640 } 1641 1642 /* 1643 * Is this process privileged to change its uids at will? 1644 * Uid 0 is still considered "special" and having the SETID 1645 * privilege is not sufficient to get uid 0. 1646 * Files are owned by root, so the privilege would give 1647 * full access and euid 0 is still effective. 1648 * 1649 * If you have the privilege and euid 0 only then do you 1650 * get the powers of root wrt uid 0. 1651 * 1652 * For gid manipulations, this is should be called with an 1653 * uid of -1. 1654 * 1655 */ 1656 int 1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1658 { 1659 boolean_t allzone = B_FALSE; 1660 1661 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1662 cr->cr_ruid != 0) { 1663 allzone = B_TRUE; 1664 } 1665 1666 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1667 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1668 } 1669 1670 1671 /* 1672 * Acting on a different process: if the mode is for writing, 1673 * the restrictions are more severe. This is called after 1674 * we've verified that the uids do not match. 1675 */ 1676 int 1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1678 { 1679 boolean_t allzone = B_FALSE; 1680 1681 if ((mode & VWRITE) && scr->cr_uid != 0 && 1682 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1683 allzone = B_TRUE; 1684 1685 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1686 } 1687 1688 int 1689 secpolicy_proc_access(const cred_t *scr) 1690 { 1691 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1692 } 1693 1694 int 1695 secpolicy_proc_excl_open(const cred_t *scr) 1696 { 1697 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1698 } 1699 1700 int 1701 secpolicy_proc_zone(const cred_t *scr) 1702 { 1703 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1704 } 1705 1706 /* 1707 * Destroying the system 1708 */ 1709 1710 int 1711 secpolicy_kmdb(const cred_t *scr) 1712 { 1713 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1714 } 1715 1716 int 1717 secpolicy_error_inject(const cred_t *scr) 1718 { 1719 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1720 } 1721 1722 /* 1723 * Processor sets, cpu configuration, resource pools. 1724 */ 1725 int 1726 secpolicy_pset(const cred_t *cr) 1727 { 1728 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1729 } 1730 1731 /* 1732 * Processor set binding. 1733 */ 1734 int 1735 secpolicy_pbind(const cred_t *cr) 1736 { 1737 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE)) 1738 return (secpolicy_pset(cr)); 1739 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL)); 1740 } 1741 1742 int 1743 secpolicy_ponline(const cred_t *cr) 1744 { 1745 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1746 } 1747 1748 int 1749 secpolicy_pool(const cred_t *cr) 1750 { 1751 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1752 } 1753 1754 int 1755 secpolicy_blacklist(const cred_t *cr) 1756 { 1757 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1758 } 1759 1760 /* 1761 * Catch all system configuration. 1762 */ 1763 int 1764 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1765 { 1766 if (checkonly) { 1767 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1768 EPERM); 1769 } else { 1770 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1771 } 1772 } 1773 1774 /* 1775 * Zone administration (halt, reboot, etc.) from within zone. 1776 */ 1777 int 1778 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1779 { 1780 if (checkonly) { 1781 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1782 EPERM); 1783 } else { 1784 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1785 NULL)); 1786 } 1787 } 1788 1789 /* 1790 * Zone configuration (create, halt, enter). 1791 */ 1792 int 1793 secpolicy_zone_config(const cred_t *cr) 1794 { 1795 /* 1796 * Require all privileges to avoid possibility of privilege 1797 * escalation. 1798 */ 1799 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 1800 } 1801 1802 /* 1803 * Various other system configuration calls 1804 */ 1805 int 1806 secpolicy_coreadm(const cred_t *cr) 1807 { 1808 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1809 } 1810 1811 int 1812 secpolicy_systeminfo(const cred_t *cr) 1813 { 1814 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1815 } 1816 1817 int 1818 secpolicy_dispadm(const cred_t *cr) 1819 { 1820 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1821 } 1822 1823 int 1824 secpolicy_settime(const cred_t *cr) 1825 { 1826 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1827 } 1828 1829 /* 1830 * For realtime users: high resolution clock. 1831 */ 1832 int 1833 secpolicy_clock_highres(const cred_t *cr) 1834 { 1835 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1836 NULL)); 1837 } 1838 1839 /* 1840 * drv_priv() is documented as callable from interrupt context, not that 1841 * anyone ever does, but still. No debugging or auditing can be done when 1842 * it is called from interrupt context. 1843 * returns 0 on succes, EPERM on failure. 1844 */ 1845 int 1846 drv_priv(cred_t *cr) 1847 { 1848 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1849 } 1850 1851 int 1852 secpolicy_sys_devices(const cred_t *cr) 1853 { 1854 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1855 } 1856 1857 int 1858 secpolicy_excl_open(const cred_t *cr) 1859 { 1860 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1861 } 1862 1863 int 1864 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1865 { 1866 /* zone.* rctls can only be set from the global zone */ 1867 if (is_zone_rctl && priv_policy_global(cr) != 0) 1868 return (EPERM); 1869 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1870 } 1871 1872 int 1873 secpolicy_resource(const cred_t *cr) 1874 { 1875 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1876 } 1877 1878 int 1879 secpolicy_resource_anon_mem(const cred_t *cr) 1880 { 1881 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE)); 1882 } 1883 1884 /* 1885 * Processes with a real uid of 0 escape any form of accounting, much 1886 * like before. 1887 */ 1888 int 1889 secpolicy_newproc(const cred_t *cr) 1890 { 1891 if (cr->cr_ruid == 0) 1892 return (0); 1893 1894 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1895 } 1896 1897 /* 1898 * Networking 1899 */ 1900 int 1901 secpolicy_net_rawaccess(const cred_t *cr) 1902 { 1903 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1904 } 1905 1906 int 1907 secpolicy_net_observability(const cred_t *cr) 1908 { 1909 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL)); 1910 } 1911 1912 /* 1913 * Need this privilege for accessing the ICMP device 1914 */ 1915 int 1916 secpolicy_net_icmpaccess(const cred_t *cr) 1917 { 1918 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1919 } 1920 1921 /* 1922 * There are a few rare cases where the kernel generates ioctls() from 1923 * interrupt context with a credential of kcred rather than NULL. 1924 * In those cases, we take the safe and cheap test. 1925 */ 1926 int 1927 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1928 { 1929 if (checkonly) { 1930 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1931 0 : EPERM); 1932 } else { 1933 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1934 NULL)); 1935 } 1936 } 1937 1938 1939 /* 1940 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 1941 * 1942 * There are a few rare cases where the kernel generates ioctls() from 1943 * interrupt context with a credential of kcred rather than NULL. 1944 * In those cases, we take the safe and cheap test. 1945 */ 1946 int 1947 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly) 1948 { 1949 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1950 return (secpolicy_net_config(cr, checkonly)); 1951 1952 if (checkonly) { 1953 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ? 1954 0 : EPERM); 1955 } else { 1956 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM, 1957 NULL)); 1958 } 1959 } 1960 1961 /* 1962 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. 1963 */ 1964 int 1965 secpolicy_dl_config(const cred_t *cr) 1966 { 1967 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1968 return (secpolicy_net_config(cr, B_FALSE)); 1969 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL)); 1970 } 1971 1972 /* 1973 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. 1974 */ 1975 int 1976 secpolicy_iptun_config(const cred_t *cr) 1977 { 1978 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 1979 return (secpolicy_net_config(cr, B_FALSE)); 1980 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE)) 1981 return (secpolicy_dl_config(cr)); 1982 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL)); 1983 } 1984 1985 /* 1986 * Map IP pseudo privileges to actual privileges. 1987 * So we don't need to recompile IP when we change the privileges. 1988 */ 1989 int 1990 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly) 1991 { 1992 int priv = PRIV_ALL; 1993 1994 switch (netpriv) { 1995 case OP_CONFIG: 1996 priv = PRIV_SYS_IP_CONFIG; 1997 break; 1998 case OP_RAW: 1999 priv = PRIV_NET_RAWACCESS; 2000 break; 2001 case OP_PRIVPORT: 2002 priv = PRIV_NET_PRIVADDR; 2003 break; 2004 } 2005 ASSERT(priv != PRIV_ALL); 2006 if (checkonly) 2007 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2008 else 2009 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2010 } 2011 2012 /* 2013 * Map network pseudo privileges to actual privileges. 2014 * So we don't need to recompile IP when we change the privileges. 2015 */ 2016 int 2017 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 2018 { 2019 int priv = PRIV_ALL; 2020 2021 switch (netpriv) { 2022 case OP_CONFIG: 2023 priv = PRIV_SYS_NET_CONFIG; 2024 break; 2025 case OP_RAW: 2026 priv = PRIV_NET_RAWACCESS; 2027 break; 2028 case OP_PRIVPORT: 2029 priv = PRIV_NET_PRIVADDR; 2030 break; 2031 } 2032 ASSERT(priv != PRIV_ALL); 2033 if (checkonly) 2034 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 2035 else 2036 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 2037 } 2038 2039 /* 2040 * Checks for operations that are either client-only or are used by 2041 * both clients and servers. 2042 */ 2043 int 2044 secpolicy_nfs(const cred_t *cr) 2045 { 2046 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 2047 } 2048 2049 /* 2050 * Special case for opening rpcmod: have NFS privileges or network 2051 * config privileges. 2052 */ 2053 int 2054 secpolicy_rpcmod_open(const cred_t *cr) 2055 { 2056 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 2057 return (secpolicy_nfs(cr)); 2058 else 2059 return (secpolicy_net_config(cr, NULL)); 2060 } 2061 2062 int 2063 secpolicy_chroot(const cred_t *cr) 2064 { 2065 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 2066 } 2067 2068 int 2069 secpolicy_tasksys(const cred_t *cr) 2070 { 2071 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 2072 } 2073 2074 int 2075 secpolicy_meminfo(const cred_t *cr) 2076 { 2077 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL)); 2078 } 2079 2080 int 2081 secpolicy_pfexec_register(const cred_t *cr) 2082 { 2083 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL)); 2084 } 2085 2086 /* 2087 * Basic privilege checks. 2088 */ 2089 int 2090 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp) 2091 { 2092 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC); 2093 2094 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL, 2095 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE)); 2096 } 2097 2098 int 2099 secpolicy_basic_fork(const cred_t *cr) 2100 { 2101 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK); 2102 2103 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 2104 } 2105 2106 int 2107 secpolicy_basic_proc(const cred_t *cr) 2108 { 2109 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION); 2110 2111 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 2112 } 2113 2114 /* 2115 * Slightly complicated because we don't want to trigger the policy too 2116 * often. First we shortcircuit access to "self" (tp == sp) or if 2117 * we don't have the privilege but if we have permission 2118 * just return (0) and we don't flag the privilege as needed. 2119 * Else, we test for the privilege because we either have it or need it. 2120 */ 2121 int 2122 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 2123 { 2124 if (tp == sp || 2125 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 2126 return (0); 2127 } else { 2128 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 2129 } 2130 } 2131 2132 int 2133 secpolicy_basic_link(const cred_t *cr) 2134 { 2135 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY); 2136 2137 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 2138 } 2139 2140 int 2141 secpolicy_basic_net_access(const cred_t *cr) 2142 { 2143 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS); 2144 2145 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL)); 2146 } 2147 2148 /* ARGSUSED */ 2149 int 2150 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn) 2151 { 2152 FAST_BASIC_CHECK(cr, PRIV_FILE_READ); 2153 2154 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL, 2155 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2156 } 2157 2158 /* ARGSUSED */ 2159 int 2160 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) 2161 { 2162 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); 2163 2164 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, 2165 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); 2166 } 2167 2168 /* 2169 * Additional device protection. 2170 * 2171 * Traditionally, a device has specific permissions on the node in 2172 * the filesystem which govern which devices can be opened by what 2173 * processes. In certain cases, it is desirable to add extra 2174 * restrictions, as writing to certain devices is identical to 2175 * having a complete run of the system. 2176 * 2177 * This mechanism is called the device policy. 2178 * 2179 * When a device is opened, its policy entry is looked up in the 2180 * policy cache and checked. 2181 */ 2182 int 2183 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 2184 { 2185 devplcy_t *plcy; 2186 int err; 2187 struct snode *csp = VTOS(common_specvp(vp)); 2188 priv_set_t pset; 2189 2190 mutex_enter(&csp->s_lock); 2191 2192 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 2193 plcy = devpolicy_find(vp); 2194 if (csp->s_plcy) 2195 dpfree(csp->s_plcy); 2196 csp->s_plcy = plcy; 2197 ASSERT(plcy != NULL); 2198 } else 2199 plcy = csp->s_plcy; 2200 2201 if (plcy == nullpolicy) { 2202 mutex_exit(&csp->s_lock); 2203 return (0); 2204 } 2205 2206 dphold(plcy); 2207 2208 mutex_exit(&csp->s_lock); 2209 2210 if (oflag & FWRITE) 2211 pset = plcy->dp_wrp; 2212 else 2213 pset = plcy->dp_rdp; 2214 /* 2215 * Special case: 2216 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. 2217 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is 2218 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG 2219 * in the required privilege set before doing the check. 2220 */ 2221 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) && 2222 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) && 2223 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) { 2224 priv_delset(&pset, PRIV_SYS_IP_CONFIG); 2225 priv_addset(&pset, PRIV_SYS_NET_CONFIG); 2226 } 2227 2228 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE); 2229 dpfree(plcy); 2230 2231 return (err); 2232 } 2233 2234 int 2235 secpolicy_modctl(const cred_t *cr, int cmd) 2236 { 2237 switch (cmd) { 2238 case MODINFO: 2239 case MODGETMAJBIND: 2240 case MODGETPATH: 2241 case MODGETPATHLEN: 2242 case MODGETNAME: 2243 case MODGETFBNAME: 2244 case MODGETDEVPOLICY: 2245 case MODGETDEVPOLICYBYNAME: 2246 case MODDEVT2INSTANCE: 2247 case MODSIZEOF_DEVID: 2248 case MODGETDEVID: 2249 case MODSIZEOF_MINORNAME: 2250 case MODGETMINORNAME: 2251 case MODGETDEVFSPATH_LEN: 2252 case MODGETDEVFSPATH: 2253 case MODGETDEVFSPATH_MI_LEN: 2254 case MODGETDEVFSPATH_MI: 2255 /* Unprivileged */ 2256 return (0); 2257 case MODLOAD: 2258 case MODSETDEVPOLICY: 2259 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, 2260 KLPDARG_NONE)); 2261 default: 2262 return (secpolicy_sys_config(cr, B_FALSE)); 2263 } 2264 } 2265 2266 int 2267 secpolicy_console(const cred_t *cr) 2268 { 2269 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2270 } 2271 2272 int 2273 secpolicy_power_mgmt(const cred_t *cr) 2274 { 2275 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 2276 } 2277 2278 /* 2279 * Simulate terminal input; another escalation of privileges avenue. 2280 */ 2281 2282 int 2283 secpolicy_sti(const cred_t *cr) 2284 { 2285 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2286 } 2287 2288 boolean_t 2289 secpolicy_net_reply_equal(const cred_t *cr) 2290 { 2291 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2292 } 2293 2294 int 2295 secpolicy_swapctl(const cred_t *cr) 2296 { 2297 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 2298 } 2299 2300 int 2301 secpolicy_cpc_cpu(const cred_t *cr) 2302 { 2303 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 2304 } 2305 2306 /* 2307 * secpolicy_contract_identity 2308 * 2309 * Determine if the subject may set the process contract FMRI value 2310 */ 2311 int 2312 secpolicy_contract_identity(const cred_t *cr) 2313 { 2314 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL)); 2315 } 2316 2317 /* 2318 * secpolicy_contract_observer 2319 * 2320 * Determine if the subject may observe a specific contract's events. 2321 */ 2322 int 2323 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 2324 { 2325 if (contract_owned(ct, cr, B_FALSE)) 2326 return (0); 2327 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 2328 } 2329 2330 /* 2331 * secpolicy_contract_observer_choice 2332 * 2333 * Determine if the subject may observe any contract's events. Just 2334 * tests privilege and audits on success. 2335 */ 2336 boolean_t 2337 secpolicy_contract_observer_choice(const cred_t *cr) 2338 { 2339 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 2340 } 2341 2342 /* 2343 * secpolicy_contract_event 2344 * 2345 * Determine if the subject may request critical contract events or 2346 * reliable contract event delivery. 2347 */ 2348 int 2349 secpolicy_contract_event(const cred_t *cr) 2350 { 2351 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 2352 } 2353 2354 /* 2355 * secpolicy_contract_event_choice 2356 * 2357 * Determine if the subject may retain contract events in its critical 2358 * set when a change in other terms would normally require a change in 2359 * the critical set. Just tests privilege and audits on success. 2360 */ 2361 boolean_t 2362 secpolicy_contract_event_choice(const cred_t *cr) 2363 { 2364 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 2365 } 2366 2367 /* 2368 * secpolicy_gart_access 2369 * 2370 * Determine if the subject has sufficient priveleges to make ioctls to agpgart 2371 * device. 2372 */ 2373 int 2374 secpolicy_gart_access(const cred_t *cr) 2375 { 2376 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL)); 2377 } 2378 2379 /* 2380 * secpolicy_gart_map 2381 * 2382 * Determine if the subject has sufficient priveleges to map aperture range 2383 * through agpgart driver. 2384 */ 2385 int 2386 secpolicy_gart_map(const cred_t *cr) 2387 { 2388 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) { 2389 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, 2390 NULL)); 2391 } else { 2392 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM, 2393 NULL)); 2394 } 2395 } 2396 2397 /* 2398 * secpolicy_zinject 2399 * 2400 * Determine if the subject can inject faults in the ZFS fault injection 2401 * framework. Requires all privileges. 2402 */ 2403 int 2404 secpolicy_zinject(const cred_t *cr) 2405 { 2406 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE)); 2407 } 2408 2409 /* 2410 * secpolicy_zfs 2411 * 2412 * Determine if the subject has permission to manipulate ZFS datasets 2413 * (not pools). Equivalent to the SYS_MOUNT privilege. 2414 */ 2415 int 2416 secpolicy_zfs(const cred_t *cr) 2417 { 2418 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 2419 } 2420 2421 /* 2422 * secpolicy_idmap 2423 * 2424 * Determine if the calling process has permissions to register an SID 2425 * mapping daemon and allocate ephemeral IDs. 2426 */ 2427 int 2428 secpolicy_idmap(const cred_t *cr) 2429 { 2430 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL)); 2431 } 2432 2433 /* 2434 * secpolicy_ucode_update 2435 * 2436 * Determine if the subject has sufficient privilege to update microcode. 2437 */ 2438 int 2439 secpolicy_ucode_update(const cred_t *scr) 2440 { 2441 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 2442 } 2443 2444 /* 2445 * secpolicy_sadopen 2446 * 2447 * Determine if the subject has sufficient privilege to access /dev/sad/admin. 2448 * /dev/sad/admin appear in global zone and exclusive-IP zones only. 2449 * In global zone, sys_config is required. 2450 * In exclusive-IP zones, sys_ip_config is required. 2451 * Note that sys_config is prohibited in non-global zones. 2452 */ 2453 int 2454 secpolicy_sadopen(const cred_t *credp) 2455 { 2456 priv_set_t pset; 2457 2458 priv_emptyset(&pset); 2459 2460 if (crgetzoneid(credp) == GLOBAL_ZONEID) 2461 priv_addset(&pset, PRIV_SYS_CONFIG); 2462 else 2463 priv_addset(&pset, PRIV_SYS_IP_CONFIG); 2464 2465 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE)); 2466 } 2467 2468 2469 /* 2470 * Add privileges to a particular privilege set; this is called when the 2471 * current sets of privileges are not sufficient. I.e., we should always 2472 * call the policy override functions from here. 2473 * What we are allowed to have is in the Observed Permitted set; so 2474 * we compute the difference between that and the newset. 2475 */ 2476 int 2477 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset) 2478 { 2479 priv_set_t rqd; 2480 2481 rqd = CR_OPPRIV(cr); 2482 2483 priv_inverse(&rqd); 2484 priv_intersect(nset, &rqd); 2485 2486 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE)); 2487 } 2488 2489 /* 2490 * secpolicy_smb 2491 * 2492 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating 2493 * that it has permission to access the smbsrv kernel driver. 2494 * PRIV_POLICY checks the privilege and audits the check. 2495 * 2496 * Returns: 2497 * 0 Driver access is allowed. 2498 * EPERM Driver access is NOT permitted. 2499 */ 2500 int 2501 secpolicy_smb(const cred_t *cr) 2502 { 2503 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL)); 2504 } 2505 2506 /* 2507 * secpolicy_vscan 2508 * 2509 * Determine if cred_t has the necessary privileges to access a file 2510 * for virus scanning and update its extended system attributes. 2511 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access 2512 * PRIV_FILE_FLAG_SET - set extended system attributes 2513 * 2514 * PRIV_POLICY checks the privilege and audits the check. 2515 * 2516 * Returns: 2517 * 0 file access for virus scanning allowed. 2518 * EPERM file access for virus scanning is NOT permitted. 2519 */ 2520 int 2521 secpolicy_vscan(const cred_t *cr) 2522 { 2523 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) || 2524 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) || 2525 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) { 2526 return (EPERM); 2527 } 2528 2529 return (0); 2530 } 2531 2532 /* 2533 * secpolicy_smbfs_login 2534 * 2535 * Determines if the caller can add and delete the smbfs login 2536 * password in the the nsmb kernel module for the CIFS client. 2537 * 2538 * Returns: 2539 * 0 access is allowed. 2540 * EPERM access is NOT allowed. 2541 */ 2542 int 2543 secpolicy_smbfs_login(const cred_t *cr, uid_t uid) 2544 { 2545 uid_t cruid = crgetruid(cr); 2546 2547 if (cruid == uid) 2548 return (0); 2549 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE, 2550 EPERM, NULL)); 2551 } 2552 2553 /* 2554 * secpolicy_xvm_control 2555 * 2556 * Determines if a caller can control the xVM hypervisor and/or running 2557 * domains (x86 specific). 2558 * 2559 * Returns: 2560 * 0 access is allowed. 2561 * EPERM access is NOT allowed. 2562 */ 2563 int 2564 secpolicy_xvm_control(const cred_t *cr) 2565 { 2566 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL)) 2567 return (EPERM); 2568 return (0); 2569 } 2570 2571 /* 2572 * secpolicy_ppp_config 2573 * 2574 * Determine if the subject has sufficient privileges to configure PPP and 2575 * PPP-related devices. 2576 */ 2577 int 2578 secpolicy_ppp_config(const cred_t *cr) 2579 { 2580 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE)) 2581 return (secpolicy_net_config(cr, B_FALSE)); 2582 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL)); 2583 }