Print this page
uts: give privilege macros more sensible names
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/policy.c
+++ new/usr/src/uts/common/os/policy.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright 2013, Joyent, Inc. All rights reserved.
24 24 */
25 25
26 26 #include <sys/types.h>
27 27 #include <sys/sysmacros.h>
28 28 #include <sys/param.h>
29 29 #include <sys/systm.h>
30 30 #include <sys/cred_impl.h>
31 31 #include <sys/vnode.h>
32 32 #include <sys/vfs.h>
33 33 #include <sys/stat.h>
34 34 #include <sys/errno.h>
35 35 #include <sys/kmem.h>
36 36 #include <sys/user.h>
37 37 #include <sys/proc.h>
38 38 #include <sys/acct.h>
39 39 #include <sys/ipc_impl.h>
40 40 #include <sys/cmn_err.h>
41 41 #include <sys/debug.h>
42 42 #include <sys/policy.h>
43 43 #include <sys/kobj.h>
44 44 #include <sys/msg.h>
45 45 #include <sys/devpolicy.h>
46 46 #include <c2/audit.h>
47 47 #include <sys/varargs.h>
48 48 #include <sys/klpd.h>
49 49 #include <sys/modctl.h>
50 50 #include <sys/disp.h>
51 51 #include <sys/zone.h>
52 52 #include <inet/optcom.h>
53 53 #include <sys/sdt.h>
54 54 #include <sys/vfs.h>
55 55 #include <sys/mntent.h>
56 56 #include <sys/contract_impl.h>
57 57 #include <sys/dld_ioc.h>
58 58
59 59 /*
60 60 * There are two possible layers of privilege routines and two possible
61 61 * levels of secpolicy. Plus one other we may not be interested in, so
62 62 * we may need as many as 6 but no more.
63 63 */
64 64 #define MAXPRIVSTACK 6
65 65
66 66 int priv_debug = 0;
67 67 int priv_basic_test = -1;
68 68
69 69 /*
70 70 * This file contains the majority of the policy routines.
71 71 * Since the policy routines are defined by function and not
72 72 * by privilege, there is quite a bit of duplication of
73 73 * functions.
74 74 *
75 75 * The secpolicy functions must not make assumptions about
76 76 * locks held or not held as any lock can be held while they're
77 77 * being called.
78 78 *
79 79 * Credentials are read-only so no special precautions need to
80 80 * be taken while locking them.
81 81 *
82 82 * When a new policy check needs to be added to the system the
83 83 * following procedure should be followed:
84 84 *
85 85 * Pick an appropriate secpolicy_*() function
86 86 * -> done if one exists.
87 87 * Create a new secpolicy function, preferably with
88 88 * a descriptive name using the standard template.
89 89 * Pick an appropriate privilege for the policy.
90 90 * If no appropraite privilege exists, define new one
91 91 * (this should be done with extreme care; in most cases
92 92 * little is gained by adding another privilege)
93 93 *
94 94 * WHY ROOT IS STILL SPECIAL.
95 95 *
96 96 * In a number of the policy functions, there are still explicit
97 97 * checks for uid 0. The rationale behind these is that many root
98 98 * owned files/objects hold configuration information which can give full
99 99 * privileges to the user once written to. To prevent escalation
100 100 * of privilege by allowing just a single privilege to modify root owned
101 101 * objects, we've added these root specific checks where we considered
102 102 * them necessary: modifying root owned files, changing uids to 0, etc.
103 103 *
104 104 * PRIVILEGE ESCALATION AND ZONES.
105 105 *
106 106 * A number of operations potentially allow the caller to achieve
107 107 * privileges beyond the ones normally required to perform the operation.
108 108 * For example, if allowed to create a setuid 0 executable, a process can
109 109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
110 110 * restrictions on the ability to gain privileges beyond those available
111 111 * within the zone through file and process manipulation. Hence, such
112 112 * operations require that the caller have an effective set that includes
113 113 * all privileges available within the current zone, or all privileges
114 114 * if executing in the global zone.
115 115 *
116 116 * This is indicated in the priv_policy* policy checking functions
117 117 * through a combination of parameters. The "priv" parameter indicates
118 118 * the privilege that is required, and the "allzone" parameter indicates
119 119 * whether or not all privileges in the zone are required. In addition,
120 120 * priv can be set to PRIV_ALL to indicate that all privileges are
121 121 * required (regardless of zone). There are three scenarios of interest:
122 122 * (1) operation requires a specific privilege
123 123 * (2) operation requires a specific privilege, and requires all
124 124 * privileges available within the zone (or all privileges if in
125 125 * the global zone)
126 126 * (3) operation requires all privileges, regardless of zone
127 127 *
128 128 * For (1), priv should be set to the specific privilege, and allzone
129 129 * should be set to B_FALSE.
130 130 * For (2), priv should be set to the specific privilege, and allzone
131 131 * should be set to B_TRUE.
132 132 * For (3), priv should be set to PRIV_ALL, and allzone should be set
133 133 * to B_FALSE.
134 134 *
135 135 */
136 136
137 137 /*
|
↓ open down ↓ |
137 lines elided |
↑ open up ↑ |
138 138 * The privileges are checked against the Effective set for
139 139 * ordinary processes and checked against the Limit set
140 140 * for euid 0 processes that haven't manipulated their privilege
141 141 * sets.
142 142 */
143 143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
144 144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
145 145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
147 147 HAS_ALLPRIVS(cr) : \
148 - PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
148 + PRIV_ISMEMBER(&CR_OEPRIV(cr), pr))
149 149
150 150 #define FAST_BASIC_CHECK(cr, priv) \
151 - if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
151 + if (PRIV_ISMEMBER(&CR_OEPRIV(cr), priv)) { \
152 152 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
153 153 return (0); \
154 154 }
155 155
156 156 /*
157 157 * Policy checking functions.
158 158 *
159 159 * All of the system's policy should be implemented here.
160 160 */
161 161
162 162 /*
163 163 * Private functions which take an additional va_list argument to
164 164 * implement an object specific policy override.
165 165 */
166 166 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
167 167 const char *, va_list);
168 168 static int priv_policy_va(const cred_t *, int, boolean_t, int,
169 169 const char *, ...);
170 170
171 171 /*
172 172 * Generic policy calls
173 173 *
174 174 * The "bottom" functions of policy control
175 175 */
176 176 static char *
177 177 mprintf(const char *fmt, ...)
178 178 {
179 179 va_list args;
180 180 char *buf;
181 181 size_t len;
182 182
183 183 va_start(args, fmt);
184 184 len = vsnprintf(NULL, 0, fmt, args) + 1;
185 185 va_end(args);
186 186
187 187 buf = kmem_alloc(len, KM_NOSLEEP);
188 188
189 189 if (buf == NULL)
190 190 return (NULL);
191 191
192 192 va_start(args, fmt);
193 193 (void) vsnprintf(buf, len, fmt, args);
194 194 va_end(args);
195 195
196 196 return (buf);
197 197 }
198 198
199 199 /*
200 200 * priv_policy_errmsg()
201 201 *
202 202 * Generate an error message if privilege debugging is enabled system wide
203 203 * or for this particular process.
204 204 */
205 205
206 206 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
207 207 #define FMTMSG " for \"%s\""
208 208 #define FMTFUN " needed at %s+0x%lx"
209 209
210 210 /* The maximum size privilege format: the concatenation of the above */
211 211 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
212 212
213 213 static void
214 214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
215 215 {
216 216 struct proc *me;
217 217 pc_t stack[MAXPRIVSTACK];
218 218 int depth;
219 219 int i;
220 220 char *sym;
221 221 ulong_t off;
222 222 const char *pname;
223 223
224 224 char *cmd;
225 225 char fmt[sizeof (FMTMAX)];
226 226
227 227 if ((me = curproc) == &p0)
228 228 return;
229 229
230 230 /* Privileges must be defined */
231 231 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
232 232 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
233 233 priv_getbynum(priv) != NULL);
234 234
235 235 if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
236 236 priv = PRIV_ALL;
237 237
238 238 if (curthread->t_pre_sys)
239 239 ttolwp(curthread)->lwp_badpriv = (short)priv;
240 240
241 241 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
242 242 return;
243 243
244 244 (void) strcpy(fmt, FMTHDR);
245 245
246 246 if (me->p_user.u_comm[0])
247 247 cmd = &me->p_user.u_comm[0];
248 248 else
249 249 cmd = "priv_policy";
250 250
251 251 if (msg != NULL && *msg != '\0') {
252 252 (void) strcat(fmt, FMTMSG);
253 253 } else {
254 254 (void) strcat(fmt, "%s");
255 255 msg = "";
256 256 }
257 257
258 258 sym = NULL;
259 259
260 260 depth = getpcstack(stack, MAXPRIVSTACK);
261 261
262 262 /*
263 263 * Try to find the first interesting function on the stack.
264 264 * priv_policy* that's us, so completely uninteresting.
265 265 * suser(), drv_priv(), secpolicy_* are also called from
266 266 * too many locations to convey useful information.
267 267 */
268 268 for (i = 0; i < depth; i++) {
269 269 sym = kobj_getsymname((uintptr_t)stack[i], &off);
270 270 if (sym != NULL &&
271 271 strstr(sym, "hasprocperm") == 0 &&
272 272 strcmp("suser", sym) != 0 &&
273 273 strcmp("ipcaccess", sym) != 0 &&
274 274 strcmp("drv_priv", sym) != 0 &&
275 275 strncmp("secpolicy_", sym, 10) != 0 &&
276 276 strncmp("priv_policy", sym, 11) != 0)
277 277 break;
278 278 }
279 279
280 280 if (sym != NULL)
281 281 (void) strcat(fmt, FMTFUN);
282 282
283 283 (void) strcat(fmt, "\n");
284 284
285 285 switch (priv) {
286 286 case PRIV_ALL:
287 287 pname = "ALL";
288 288 break;
289 289 case PRIV_MULTIPLE:
290 290 pname = "MULTIPLE";
291 291 break;
292 292 case PRIV_ALLZONE:
293 293 pname = "ZONE";
294 294 break;
295 295 case PRIV_GLOBAL:
296 296 pname = "GLOBAL";
297 297 break;
298 298 default:
299 299 pname = priv_getbynum(priv);
300 300 break;
301 301 }
302 302
303 303 if (CR_FLAGS(cr) & PRIV_DEBUG) {
304 304 /* Remember last message, just like lwp_badpriv. */
305 305 if (curthread->t_pdmsg != NULL) {
306 306 kmem_free(curthread->t_pdmsg,
307 307 strlen(curthread->t_pdmsg) + 1);
308 308 }
309 309
310 310 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
311 311 cr->cr_uid, curthread->t_sysnum, msg, sym, off);
312 312
313 313 curthread->t_post_sys = 1;
314 314 }
315 315 if (priv_debug) {
316 316 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
317 317 curthread->t_sysnum, msg, sym, off);
318 318 }
319 319 }
320 320
321 321 /*
322 322 * Override the policy, if appropriate. Return 0 if the external
323 323 * policy engine approves.
324 324 */
325 325 static int
326 326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
327 327 {
328 328 priv_set_t set;
329 329 int ret;
330 330
331 331 if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
332 332 return (-1);
333 333
334 334 if (priv == PRIV_ALL) {
335 335 priv_fillset(&set);
336 336 } else if (allzone) {
337 337 set = *ZONEPRIVS(cr);
338 338 } else {
339 339 priv_emptyset(&set);
340 340 priv_addset(&set, priv);
341 341 }
342 342 ret = klpd_call(cr, &set, ap);
343 343 return (ret);
344 344 }
345 345
346 346 static int
347 347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
348 348 {
349 349 if (CR_FLAGS(cr) & PRIV_PFEXEC)
350 350 return (check_user_privs(cr, req));
351 351 if (CR_FLAGS(cr) & PRIV_XPOLICY) {
352 352 return (klpd_call(cr, req, ap));
353 353 }
354 354 return (-1);
355 355 }
356 356
357 357 static int
358 358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
359 359 {
360 360 va_list ap;
361 361 int ret;
362 362
363 363 va_start(ap, req);
364 364 ret = priv_policy_override_set(cr, req, ap);
365 365 va_end(ap);
366 366 return (ret);
367 367 }
368 368
369 369 /*
370 370 * Audit failure, log error message.
371 371 */
372 372 static void
373 373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
374 374 {
375 375
376 376 if (AU_AUDITING())
377 377 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
378 378 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
379 379
380 380 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
381 381 curthread->t_pre_sys) {
382 382 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
383 383 priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
384 384 } else {
385 385 ASSERT(!HAS_PRIVILEGE(cr, priv));
386 386 priv_policy_errmsg(cr, priv, msg);
387 387 }
388 388 }
389 389 }
390 390
391 391 /*
392 392 * priv_policy_ap()
393 393 * return 0 or error.
|
↓ open down ↓ |
232 lines elided |
↑ open up ↑ |
394 394 * See block comment above for a description of "priv" and "allzone" usage.
395 395 */
396 396 static int
397 397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
398 398 const char *msg, va_list ap)
399 399 {
400 400 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
401 401 (!servicing_interrupt() &&
402 402 priv_policy_override(cr, priv, allzone, ap) == 0)) {
403 403 if ((allzone || priv == PRIV_ALL ||
404 - !PRIV_ISASSERT(priv_basic, priv)) &&
404 + !PRIV_ISMEMBER(priv_basic, priv)) &&
405 405 !servicing_interrupt()) {
406 406 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
407 407 if (AU_AUDITING())
408 408 audit_priv(priv,
409 409 allzone ? ZONEPRIVS(cr) : NULL, 1);
410 410 }
411 411 err = 0;
412 412 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
413 413 } else if (!servicing_interrupt()) {
414 414 /* Failure audited in this procedure */
415 415 priv_policy_err(cr, priv, allzone, msg);
416 416 }
417 417 return (err);
418 418 }
419 419
420 420 int
421 421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
422 422 const char *msg, ...)
423 423 {
424 424 int ret;
425 425 va_list ap;
426 426
427 427 va_start(ap, msg);
428 428 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
429 429 va_end(ap);
430 430
431 431 return (ret);
432 432 }
433 433
434 434 int
435 435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
436 436 const char *msg)
437 437 {
438 438 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
439 439 }
440 440
441 441 /*
|
↓ open down ↓ |
27 lines elided |
↑ open up ↑ |
442 442 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
443 443 */
444 444 boolean_t
445 445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
446 446 {
447 447 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
448 448 (!allzone || HAS_ALLZONEPRIVS(cr));
449 449
450 450 /* Audit success only */
451 451 if (res && AU_AUDITING() &&
452 - (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
452 + (allzone || priv == PRIV_ALL || !PRIV_ISMEMBER(priv_basic, priv)) &&
453 453 !servicing_interrupt()) {
454 454 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
455 455 }
456 456 if (res) {
457 457 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
458 458 } else {
459 459 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
460 460 }
461 461 return (res);
462 462 }
463 463
464 464 /*
465 465 * Non-auditing variant of priv_policy_choice().
466 466 */
467 467 boolean_t
468 468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
469 469 {
470 470 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
471 471 (!allzone || HAS_ALLZONEPRIVS(cr));
472 472
473 473 if (res) {
474 474 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
475 475 } else {
476 476 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
477 477 }
478 478 return (res);
479 479 }
480 480
481 481 /*
482 482 * Check whether all privileges in the required set are present.
483 483 */
484 484 static int
485 485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
486 486 const char *msg, ...)
487 487 {
488 488 int priv;
489 489 int pfound = -1;
490 490 priv_set_t pset;
491 491 va_list ap;
492 492 int ret;
493 493
494 494 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
495 495 &CR_OEPRIV(cr))) {
496 496 return (0);
497 497 }
498 498
499 499 va_start(ap, msg);
500 500 ret = priv_policy_override_set(cr, req, ap);
501 501 va_end(ap);
502 502 if (ret == 0)
503 503 return (0);
504 504
505 505 if (req == PRIV_FULLSET || priv_isfullset(req)) {
506 506 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
507 507 return (EACCES);
508 508 }
509 509
510 510 pset = CR_OEPRIV(cr); /* present privileges */
511 511 priv_inverse(&pset); /* all non present privileges */
512 512 priv_intersect(req, &pset); /* the actual missing privs */
513 513
514 514 if (AU_AUDITING())
515 515 audit_priv(PRIV_NONE, &pset, 0);
516 516 /*
517 517 * Privilege debugging; special case "one privilege in set".
518 518 */
519 519 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
520 520 for (priv = 0; priv < nprivs; priv++) {
521 521 if (priv_ismember(&pset, priv)) {
522 522 if (pfound != -1) {
523 523 /* Multiple missing privs */
524 524 priv_policy_errmsg(cr, PRIV_MULTIPLE,
525 525 msg);
526 526 return (EACCES);
527 527 }
528 528 pfound = priv;
529 529 }
530 530 }
531 531 ASSERT(pfound != -1);
532 532 /* Just the one missing privilege */
533 533 priv_policy_errmsg(cr, pfound, msg);
534 534 }
535 535
536 536 return (EACCES);
537 537 }
538 538
539 539 /*
540 540 * Called when an operation requires that the caller be in the
541 541 * global zone, regardless of privilege.
542 542 */
543 543 static int
544 544 priv_policy_global(const cred_t *cr)
545 545 {
546 546 if (crgetzoneid(cr) == GLOBAL_ZONEID)
547 547 return (0); /* success */
548 548
549 549 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
550 550 curthread->t_pre_sys) {
551 551 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
552 552 }
553 553 return (EPERM);
554 554 }
555 555
556 556 /*
557 557 * Raising process priority
558 558 */
559 559 int
560 560 secpolicy_raisepriority(const cred_t *cr)
561 561 {
562 562 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
563 563 return (0);
564 564 return (secpolicy_setpriority(cr));
565 565 }
566 566
567 567 /*
568 568 * Changing process priority or scheduling class
569 569 */
570 570 int
571 571 secpolicy_setpriority(const cred_t *cr)
572 572 {
573 573 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
574 574 }
575 575
576 576 /*
577 577 * Binding to a privileged port, port must be specified in host byte
578 578 * order.
579 579 * When adding a new privilege which allows binding to currently privileged
580 580 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
581 581 * to these ports because of backward compatibility.
582 582 */
583 583 int
584 584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
585 585 {
586 586 char *reason;
587 587 int priv;
588 588
589 589 switch (port) {
590 590 case 137:
591 591 case 138:
592 592 case 139:
593 593 case 445:
594 594 /*
595 595 * NBT and SMB ports, these are normal privileged ports,
596 596 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
597 597 * is present.
598 598 * Try both, if neither is present return an error for
599 599 * priv SYS_SMB.
600 600 */
601 601 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
602 602 priv = PRIV_NET_PRIVADDR;
603 603 else
604 604 priv = PRIV_SYS_SMB;
605 605 reason = "NBT or SMB port";
606 606 break;
607 607
608 608 case 2049:
609 609 case 4045:
610 610 /*
611 611 * NFS ports, these are extra privileged ports, allow bind
612 612 * only if the SYS_NFS privilege is present.
613 613 */
614 614 priv = PRIV_SYS_NFS;
615 615 reason = "NFS port";
616 616 break;
617 617
618 618 default:
619 619 priv = PRIV_NET_PRIVADDR;
620 620 reason = NULL;
621 621 break;
622 622
623 623 }
624 624
625 625 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
626 626 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
627 627 }
628 628
629 629 /*
630 630 * Binding to a multilevel port on a trusted (labeled) system.
631 631 */
632 632 int
633 633 secpolicy_net_bindmlp(const cred_t *cr)
634 634 {
635 635 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
636 636 }
637 637
638 638 /*
639 639 * Allow a communication between a zone and an unlabeled host when their
640 640 * labels don't match.
641 641 */
642 642 int
643 643 secpolicy_net_mac_aware(const cred_t *cr)
644 644 {
645 645 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
646 646 }
647 647
648 648 /*
649 649 * Allow a privileged process to transmit traffic without explicit labels
650 650 */
651 651 int
652 652 secpolicy_net_mac_implicit(const cred_t *cr)
653 653 {
654 654 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
655 655 }
656 656
657 657 /*
658 658 * Common routine which determines whether a given credential can
659 659 * act on a given mount.
660 660 * When called through mount, the parameter needoptcheck is a pointer
661 661 * to a boolean variable which will be set to either true or false,
662 662 * depending on whether the mount policy should change the mount options.
663 663 * In all other cases, needoptcheck should be a NULL pointer.
664 664 */
665 665 static int
666 666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
667 667 boolean_t *needoptcheck)
668 668 {
669 669 boolean_t allzone = B_FALSE;
670 670 boolean_t mounting = needoptcheck != NULL;
671 671
672 672 /*
673 673 * Short circuit the following cases:
674 674 * vfsp == NULL or mvp == NULL (pure privilege check)
675 675 * have all privileges - no further checks required
676 676 * and no mount options need to be set.
677 677 */
678 678 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
679 679 if (mounting)
680 680 *needoptcheck = B_FALSE;
681 681
682 682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
683 683 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
684 684 }
685 685
686 686 /*
687 687 * When operating on an existing mount (either we're not mounting
688 688 * or we're doing a remount and VFS_REMOUNT will be set), zones
689 689 * can operate only on mounts established by the zone itself.
690 690 */
691 691 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
692 692 zoneid_t zoneid = crgetzoneid(cr);
693 693
694 694 if (zoneid != GLOBAL_ZONEID &&
695 695 vfsp->vfs_zone->zone_id != zoneid) {
696 696 return (EPERM);
697 697 }
698 698 }
699 699
700 700 if (mounting)
701 701 *needoptcheck = B_TRUE;
702 702
703 703 /*
704 704 * Overlay mounts may hide important stuff; if you can't write to a
705 705 * mount point but would be able to mount on top of it, you can
706 706 * escalate your privileges.
707 707 * So we go about asking the same questions namefs does when it
708 708 * decides whether you can mount over a file or not but with the
709 709 * added restriction that you can only mount on top of a regular
710 710 * file or directory.
711 711 * If we have all the zone's privileges, we skip all other checks,
712 712 * or else we may actually get in trouble inside the automounter.
713 713 */
714 714 if ((mvp->v_flag & VROOT) != 0 ||
715 715 (mvp->v_type != VDIR && mvp->v_type != VREG) ||
716 716 HAS_ALLZONEPRIVS(cr)) {
717 717 allzone = B_TRUE;
718 718 } else {
719 719 vattr_t va;
720 720 int err;
721 721
722 722 va.va_mask = AT_UID|AT_MODE;
723 723 err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
724 724 if (err != 0)
725 725 return (err);
726 726
727 727 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
728 728 return (err);
729 729
730 730 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
731 731 VWRITE) != 0) {
732 732 return (EACCES);
733 733 }
734 734 }
735 735 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
736 736 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
737 737 }
738 738
739 739 void
740 740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
741 741 {
742 742 boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
743 743
744 744 /*
745 745 * check; if we don't have either "nosuid" or
746 746 * both "nosetuid" and "nodevices", then we add
747 747 * "nosuid"; this depends on how the current
748 748 * implementation works (it first checks nosuid). In a
749 749 * zone, a user with all zone privileges can mount with
750 750 * "setuid" but never with "devices".
751 751 */
752 752 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
753 753 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
754 754 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
755 755 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
756 756 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
757 757 else
758 758 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
759 759 }
760 760 /*
761 761 * If we're not the local super user, we set the "restrict"
762 762 * option to indicate to automountd that this mount should
763 763 * be handled with care.
764 764 */
765 765 if (!amsuper)
766 766 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
767 767
768 768 }
769 769
770 770 int
771 771 secpolicy_fs_allowed_mount(const char *fsname)
772 772 {
773 773 struct vfssw *vswp;
774 774 const char *p;
775 775 size_t len;
776 776
777 777 ASSERT(fsname != NULL);
778 778 ASSERT(fsname[0] != '\0');
779 779
780 780 if (INGLOBALZONE(curproc))
781 781 return (0);
782 782
783 783 vswp = vfs_getvfssw(fsname);
784 784 if (vswp == NULL)
785 785 return (ENOENT);
786 786
787 787 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
788 788 vfs_unrefvfssw(vswp);
789 789 return (0);
790 790 }
791 791
792 792 vfs_unrefvfssw(vswp);
793 793
794 794 p = curzone->zone_fs_allowed;
795 795 len = strlen(fsname);
796 796
797 797 while (p != NULL && *p != '\0') {
798 798 if (strncmp(p, fsname, len) == 0) {
799 799 char c = *(p + len);
800 800 if (c == '\0' || c == ',')
801 801 return (0);
802 802 }
803 803
804 804 /* skip to beyond the next comma */
805 805 if ((p = strchr(p, ',')) != NULL)
806 806 p++;
807 807 }
808 808
809 809 return (EPERM);
810 810 }
811 811
812 812 extern vnode_t *rootvp;
813 813 extern vfs_t *rootvfs;
814 814
815 815 int
816 816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
817 817 {
818 818 boolean_t needoptchk;
819 819 int error;
820 820
821 821 /*
822 822 * If it's a remount, get the underlying mount point,
823 823 * except for the root where we use the rootvp.
824 824 */
825 825 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
826 826 if (vfsp == rootvfs)
827 827 mvp = rootvp;
828 828 else
829 829 mvp = vfsp->vfs_vnodecovered;
830 830 }
831 831
832 832 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
833 833
834 834 if (error == 0 && needoptchk) {
835 835 secpolicy_fs_mount_clearopts(cr, vfsp);
836 836 }
837 837
838 838 return (error);
839 839 }
840 840
841 841 /*
842 842 * Does the policy computations for "ownership" of a mount;
843 843 * here ownership is defined as the ability to "mount"
844 844 * the filesystem originally. The rootvfs doesn't cover any
845 845 * vnodes; we attribute its ownership to the rootvp.
846 846 */
847 847 static int
848 848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
849 849 {
850 850 vnode_t *mvp;
851 851
852 852 if (vfsp == NULL)
853 853 mvp = NULL;
854 854 else if (vfsp == rootvfs)
855 855 mvp = rootvp;
856 856 else
857 857 mvp = vfsp->vfs_vnodecovered;
858 858
859 859 return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
860 860 }
861 861
862 862 int
863 863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
864 864 {
865 865 return (secpolicy_fs_owner(cr, vfsp));
866 866 }
867 867
868 868 /*
869 869 * Quotas are a resource, but if one has the ability to mount a filesystem, he
870 870 * should be able to modify quotas on it.
871 871 */
872 872 int
873 873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
874 874 {
875 875 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
876 876 }
877 877
878 878 /*
879 879 * Exceeding minfree: also a per-mount resource constraint.
880 880 */
881 881 int
882 882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
883 883 {
884 884 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
885 885 }
886 886
887 887 int
888 888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
889 889 {
890 890 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
891 891 }
892 892
893 893 /* ARGSUSED */
894 894 int
895 895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
896 896 {
897 897 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
898 898 }
899 899
900 900 /*
901 901 * Name: secpolicy_vnode_access()
902 902 *
903 903 * Parameters: Process credential
904 904 * vnode
905 905 * uid of owner of vnode
906 906 * permission bits not granted to the caller when examining
907 907 * file mode bits (i.e., when a process wants to open a
908 908 * mode 444 file for VREAD|VWRITE, this function should be
909 909 * called only with a VWRITE argument).
910 910 *
911 911 * Normal: Verifies that cred has the appropriate privileges to
912 912 * override the mode bits that were denied.
913 913 *
914 914 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
915 915 * not a directory.
916 916 * file_dac_read - if VREAD bit was denied.
917 917 * file_dac_search - if VEXEC bit was denied and vnode is
918 918 * a directory.
919 919 * file_dac_write - if VWRITE bit was denied.
920 920 *
921 921 * Root owned files are special cased to protect system
922 922 * configuration files and such.
923 923 *
924 924 * Output: EACCES - if privilege check fails.
925 925 */
926 926
927 927 int
928 928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
929 929 {
930 930 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
931 931 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
932 932 KLPDARG_NOMORE) != 0) {
933 933 return (EACCES);
934 934 }
935 935
936 936 if (mode & VWRITE) {
937 937 boolean_t allzone;
938 938
939 939 if (owner == 0 && cr->cr_uid != 0)
940 940 allzone = B_TRUE;
941 941 else
942 942 allzone = B_FALSE;
943 943 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
944 944 NULL, KLPDARG_VNODE, vp, (char *)NULL,
945 945 KLPDARG_NOMORE) != 0) {
946 946 return (EACCES);
947 947 }
948 948 }
949 949
950 950 if (mode & VEXEC) {
951 951 /*
952 952 * Directories use file_dac_search to override the execute bit.
953 953 */
954 954 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
955 955 PRIV_FILE_DAC_EXECUTE;
956 956
957 957 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
958 958 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
959 959 }
960 960 return (0);
961 961 }
962 962
963 963 /*
964 964 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
|
↓ open down ↓ |
502 lines elided |
↑ open up ↑ |
965 965 * current mode of the file, not the missing bits.
966 966 */
967 967 int
968 968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
969 969 mode_t curmode, mode_t wantmode)
970 970 {
971 971 mode_t mode;
972 972
973 973 /* Inline the basic privileges tests. */
974 974 if ((wantmode & VREAD) &&
975 - !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
975 + !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
976 976 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
977 977 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
978 978 return (EACCES);
979 979 }
980 980
981 981 if ((wantmode & VWRITE) &&
982 - !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
982 + !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
983 983 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
984 984 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
985 985 return (EACCES);
986 986 }
987 987
988 988 mode = ~curmode & wantmode;
989 989
990 990 if (mode == 0)
991 991 return (0);
992 992
993 993 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
994 994 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
995 995 KLPDARG_NOMORE) != 0) {
996 996 return (EACCES);
997 997 }
998 998
999 999 if (mode & VWRITE) {
1000 1000 boolean_t allzone;
1001 1001
1002 1002 if (owner == 0 && cr->cr_uid != 0)
1003 1003 allzone = B_TRUE;
1004 1004 else
1005 1005 allzone = B_FALSE;
1006 1006 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1007 1007 NULL, KLPDARG_VNODE, vp, (char *)NULL,
1008 1008 KLPDARG_NOMORE) != 0) {
1009 1009 return (EACCES);
1010 1010 }
1011 1011 }
1012 1012
1013 1013 if (mode & VEXEC) {
1014 1014 /*
1015 1015 * Directories use file_dac_search to override the execute bit.
1016 1016 */
1017 1017 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1018 1018 PRIV_FILE_DAC_EXECUTE;
1019 1019
1020 1020 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1021 1021 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1022 1022 }
1023 1023 return (0);
1024 1024 }
1025 1025
1026 1026 /*
1027 1027 * This is a special routine for ZFS; it is used to determine whether
1028 1028 * any of the privileges in effect allow any form of access to the
1029 1029 * file. There's no reason to audit this or any reason to record
1030 1030 * this. More work is needed to do the "KPLD" stuff.
1031 1031 */
1032 1032 int
1033 1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1034 1034 {
1035 1035 static int privs[] = {
1036 1036 PRIV_FILE_OWNER,
1037 1037 PRIV_FILE_CHOWN,
1038 1038 PRIV_FILE_DAC_READ,
1039 1039 PRIV_FILE_DAC_WRITE,
1040 1040 PRIV_FILE_DAC_EXECUTE,
1041 1041 PRIV_FILE_DAC_SEARCH,
1042 1042 };
1043 1043 int i;
1044 1044
1045 1045 /* Same as secpolicy_vnode_setdac */
1046 1046 if (owner == cr->cr_uid)
1047 1047 return (0);
1048 1048
1049 1049 for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1050 1050 boolean_t allzone = B_FALSE;
1051 1051 int priv;
1052 1052
1053 1053 switch (priv = privs[i]) {
1054 1054 case PRIV_FILE_DAC_EXECUTE:
1055 1055 if (vp->v_type == VDIR)
1056 1056 continue;
1057 1057 break;
1058 1058 case PRIV_FILE_DAC_SEARCH:
1059 1059 if (vp->v_type != VDIR)
1060 1060 continue;
1061 1061 break;
1062 1062 case PRIV_FILE_DAC_WRITE:
1063 1063 case PRIV_FILE_OWNER:
1064 1064 case PRIV_FILE_CHOWN:
1065 1065 /* We know here that if owner == 0, that cr_uid != 0 */
1066 1066 allzone = owner == 0;
1067 1067 break;
1068 1068 }
1069 1069 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1070 1070 return (0);
1071 1071 }
1072 1072 return (EPERM);
1073 1073 }
1074 1074
1075 1075 /*
1076 1076 * Name: secpolicy_vnode_setid_modify()
1077 1077 *
1078 1078 * Normal: verify that subject can set the file setid flags.
1079 1079 *
1080 1080 * Output: EPERM - if not privileged.
1081 1081 */
1082 1082
1083 1083 static int
1084 1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1085 1085 {
1086 1086 /* If changing to suid root, must have all zone privs */
1087 1087 boolean_t allzone = B_TRUE;
1088 1088
1089 1089 if (owner != 0) {
1090 1090 if (owner == cr->cr_uid)
1091 1091 return (0);
1092 1092 allzone = B_FALSE;
1093 1093 }
1094 1094 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1095 1095 }
1096 1096
1097 1097 /*
1098 1098 * Are we allowed to retain the set-uid/set-gid bits when
1099 1099 * changing ownership or when writing to a file?
1100 1100 * "issuid" should be true when set-uid; only in that case
1101 1101 * root ownership is checked (setgid is assumed).
1102 1102 */
1103 1103 int
1104 1104 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1105 1105 {
1106 1106 if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1107 1107 return (EPERM);
1108 1108
1109 1109 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1110 1110 }
1111 1111
1112 1112 /*
1113 1113 * Name: secpolicy_vnode_setids_setgids()
1114 1114 *
1115 1115 * Normal: verify that subject can set the file setgid flag.
1116 1116 *
1117 1117 * Output: EPERM - if not privileged
1118 1118 */
1119 1119
1120 1120 int
1121 1121 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1122 1122 {
1123 1123 if (!groupmember(gid, cred))
1124 1124 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1125 1125 NULL));
1126 1126 return (0);
1127 1127 }
1128 1128
1129 1129 /*
1130 1130 * Name: secpolicy_vnode_chown
1131 1131 *
1132 1132 * Normal: Determine if subject can chown owner of a file.
1133 1133 *
1134 1134 * Output: EPERM - if access denied
1135 1135 */
1136 1136
1137 1137 int
1138 1138 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1139 1139 {
1140 1140 boolean_t is_owner = (owner == crgetuid(cred));
1141 1141 boolean_t allzone = B_FALSE;
1142 1142 int priv;
1143 1143
1144 1144 if (!is_owner) {
1145 1145 allzone = (owner == 0);
1146 1146 priv = PRIV_FILE_CHOWN;
1147 1147 } else {
1148 1148 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1149 1149 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1150 1150 }
1151 1151
1152 1152 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1153 1153 }
1154 1154
1155 1155 /*
1156 1156 * Name: secpolicy_vnode_create_gid
1157 1157 *
1158 1158 * Normal: Determine if subject can change group ownership of a file.
1159 1159 *
1160 1160 * Output: EPERM - if access denied
1161 1161 */
1162 1162 int
1163 1163 secpolicy_vnode_create_gid(const cred_t *cred)
1164 1164 {
1165 1165 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1166 1166 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1167 1167 NULL));
1168 1168 else
1169 1169 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1170 1170 NULL));
1171 1171 }
1172 1172
1173 1173 /*
1174 1174 * Name: secpolicy_vnode_utime_modify()
1175 1175 *
1176 1176 * Normal: verify that subject can modify the utime on a file.
1177 1177 *
1178 1178 * Output: EPERM - if access denied.
1179 1179 */
1180 1180
1181 1181 static int
1182 1182 secpolicy_vnode_utime_modify(const cred_t *cred)
1183 1183 {
1184 1184 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1185 1185 "modify file times"));
1186 1186 }
1187 1187
1188 1188
1189 1189 /*
1190 1190 * Name: secpolicy_vnode_setdac()
1191 1191 *
1192 1192 * Normal: verify that subject can modify the mode of a file.
1193 1193 * allzone privilege needed when modifying root owned object.
1194 1194 *
1195 1195 * Output: EPERM - if access denied.
1196 1196 */
1197 1197
1198 1198 int
1199 1199 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1200 1200 {
1201 1201 if (owner == cred->cr_uid)
1202 1202 return (0);
1203 1203
1204 1204 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1205 1205 }
1206 1206 /*
1207 1207 * Name: secpolicy_vnode_stky_modify()
1208 1208 *
1209 1209 * Normal: verify that subject can make a file a "sticky".
1210 1210 *
1211 1211 * Output: EPERM - if access denied.
1212 1212 */
1213 1213
1214 1214 int
1215 1215 secpolicy_vnode_stky_modify(const cred_t *cred)
1216 1216 {
1217 1217 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1218 1218 "set file sticky"));
1219 1219 }
1220 1220
1221 1221 /*
1222 1222 * Policy determines whether we can remove an entry from a directory,
1223 1223 * regardless of permission bits.
1224 1224 */
1225 1225 int
1226 1226 secpolicy_vnode_remove(const cred_t *cr)
1227 1227 {
1228 1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1229 1229 "sticky directory"));
1230 1230 }
1231 1231
1232 1232 int
1233 1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1234 1234 {
1235 1235 boolean_t allzone = (owner == 0);
1236 1236
1237 1237 if (owner == cr->cr_uid)
1238 1238 return (0);
1239 1239
1240 1240 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1241 1241 }
1242 1242
1243 1243 void
1244 1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1245 1245 {
1246 1246 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1247 1247 secpolicy_vnode_setid_retain(cr,
1248 1248 (vap->va_mode & S_ISUID) != 0 &&
1249 1249 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1250 1250 vap->va_mask |= AT_MODE;
1251 1251 vap->va_mode &= ~(S_ISUID|S_ISGID);
1252 1252 }
1253 1253 }
1254 1254
1255 1255 int
1256 1256 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1257 1257 cred_t *cr)
1258 1258 {
1259 1259 int error;
1260 1260
1261 1261 if ((vap->va_mode & S_ISUID) != 0 &&
1262 1262 (error = secpolicy_vnode_setid_modify(cr,
1263 1263 ovap->va_uid)) != 0) {
1264 1264 return (error);
1265 1265 }
1266 1266
1267 1267 /*
1268 1268 * Check privilege if attempting to set the
1269 1269 * sticky bit on a non-directory.
1270 1270 */
1271 1271 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1272 1272 secpolicy_vnode_stky_modify(cr) != 0) {
1273 1273 vap->va_mode &= ~S_ISVTX;
1274 1274 }
1275 1275
1276 1276 /*
1277 1277 * Check for privilege if attempting to set the
1278 1278 * group-id bit.
1279 1279 */
1280 1280 if ((vap->va_mode & S_ISGID) != 0 &&
1281 1281 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1282 1282 vap->va_mode &= ~S_ISGID;
1283 1283 }
1284 1284
1285 1285 return (0);
1286 1286 }
1287 1287
1288 1288 #define ATTR_FLAG_PRIV(attr, value, cr) \
1289 1289 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1290 1290 B_FALSE, EPERM, NULL)
1291 1291
1292 1292 /*
1293 1293 * Check privileges for setting xvattr attributes
1294 1294 */
1295 1295 int
1296 1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1297 1297 {
1298 1298 xoptattr_t *xoap;
1299 1299 int error = 0;
1300 1300
1301 1301 if ((xoap = xva_getxoptattr(xvap)) == NULL)
1302 1302 return (EINVAL);
1303 1303
1304 1304 /*
1305 1305 * First process the DOS bits
1306 1306 */
1307 1307 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1308 1308 XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1309 1309 XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1310 1310 XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1311 1311 XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1312 1312 XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1313 1313 XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1314 1314 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1315 1315 return (error);
1316 1316 }
1317 1317
1318 1318 /*
1319 1319 * Now handle special attributes
1320 1320 */
1321 1321
1322 1322 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1323 1323 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1324 1324 xoap->xoa_immutable, cr);
1325 1325 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1326 1326 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1327 1327 xoap->xoa_nounlink, cr);
1328 1328 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1329 1329 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1330 1330 xoap->xoa_appendonly, cr);
1331 1331 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1332 1332 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1333 1333 xoap->xoa_nodump, cr);
1334 1334 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1335 1335 error = EPERM;
1336 1336 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1337 1337 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1338 1338 xoap->xoa_av_quarantined, cr);
1339 1339 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1340 1340 error = EINVAL;
1341 1341 }
1342 1342 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1343 1343 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1344 1344 xoap->xoa_av_modified, cr);
1345 1345 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1346 1346 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1347 1347 xoap->xoa_av_scanstamp, cr);
1348 1348 if (error == 0 && vtype != VREG)
1349 1349 error = EINVAL;
1350 1350 }
1351 1351 return (error);
1352 1352 }
1353 1353
1354 1354 /*
1355 1355 * This function checks the policy decisions surrounding the
1356 1356 * vop setattr call.
1357 1357 *
1358 1358 * It should be called after sufficient locks have been established
1359 1359 * on the underlying data structures. No concurrent modifications
1360 1360 * should be allowed.
1361 1361 *
1362 1362 * The caller must pass in unlocked version of its vaccess function
1363 1363 * this is required because vop_access function should lock the
1364 1364 * node for reading. A three argument function should be defined
1365 1365 * which accepts the following argument:
1366 1366 * A pointer to the internal "node" type (inode *)
1367 1367 * vnode access bits (VREAD|VWRITE|VEXEC)
1368 1368 * a pointer to the credential
1369 1369 *
1370 1370 * This function makes the following policy decisions:
1371 1371 *
1372 1372 * - change permissions
1373 1373 * - permission to change file mode if not owner
1374 1374 * - permission to add sticky bit to non-directory
1375 1375 * - permission to add set-gid bit
1376 1376 *
1377 1377 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1378 1378 *
1379 1379 * If the vap argument does not include AT_MODE, the mode will be copied from
1380 1380 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1381 1381 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1382 1382 * is updated to the newly computed mode.
1383 1383 */
1384 1384
1385 1385 int
1386 1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1387 1387 const struct vattr *ovap, int flags,
1388 1388 int unlocked_access(void *, int, cred_t *),
1389 1389 void *node)
1390 1390 {
1391 1391 int mask = vap->va_mask;
1392 1392 int error = 0;
1393 1393 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1394 1394
1395 1395 if (mask & AT_SIZE) {
1396 1396 if (vp->v_type == VDIR) {
1397 1397 error = EISDIR;
1398 1398 goto out;
1399 1399 }
1400 1400
1401 1401 /*
1402 1402 * If ATTR_NOACLCHECK is set in the flags, then we don't
1403 1403 * perform the secondary unlocked_access() call since the
1404 1404 * ACL (if any) is being checked there.
1405 1405 */
1406 1406 if (skipaclchk == B_FALSE) {
1407 1407 error = unlocked_access(node, VWRITE, cr);
1408 1408 if (error)
1409 1409 goto out;
1410 1410 }
1411 1411 }
1412 1412 if (mask & AT_MODE) {
1413 1413 /*
1414 1414 * If not the owner of the file then check privilege
1415 1415 * for two things: the privilege to set the mode at all
1416 1416 * and, if we're setting setuid, we also need permissions
1417 1417 * to add the set-uid bit, if we're not the owner.
1418 1418 * In the specific case of creating a set-uid root
1419 1419 * file, we need even more permissions.
1420 1420 */
1421 1421 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1422 1422 goto out;
1423 1423
1424 1424 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1425 1425 ovap, cr)) != 0)
1426 1426 goto out;
1427 1427 } else
1428 1428 vap->va_mode = ovap->va_mode;
1429 1429
1430 1430 if (mask & (AT_UID|AT_GID)) {
1431 1431 boolean_t checkpriv = B_FALSE;
1432 1432
1433 1433 /*
1434 1434 * Chowning files.
1435 1435 *
1436 1436 * If you are the file owner:
1437 1437 * chown to other uid FILE_CHOWN_SELF
1438 1438 * chown to gid (non-member) FILE_CHOWN_SELF
1439 1439 * chown to gid (member) <none>
1440 1440 *
1441 1441 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1442 1442 * acceptable but the first one is reported when debugging.
1443 1443 *
1444 1444 * If you are not the file owner:
1445 1445 * chown from root PRIV_FILE_CHOWN + zone
1446 1446 * chown from other to any PRIV_FILE_CHOWN
1447 1447 *
1448 1448 */
1449 1449 if (cr->cr_uid != ovap->va_uid) {
1450 1450 checkpriv = B_TRUE;
1451 1451 } else {
1452 1452 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1453 1453 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1454 1454 !groupmember(vap->va_gid, cr))) {
1455 1455 checkpriv = B_TRUE;
1456 1456 }
1457 1457 }
1458 1458 /*
1459 1459 * If necessary, check privilege to see if update can be done.
1460 1460 */
1461 1461 if (checkpriv &&
1462 1462 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1463 1463 goto out;
1464 1464 }
1465 1465
1466 1466 /*
1467 1467 * If the file has either the set UID or set GID bits
1468 1468 * set and the caller can set the bits, then leave them.
1469 1469 */
1470 1470 secpolicy_setid_clear(vap, cr);
1471 1471 }
1472 1472 if (mask & (AT_ATIME|AT_MTIME)) {
1473 1473 /*
1474 1474 * If not the file owner and not otherwise privileged,
1475 1475 * always return an error when setting the
1476 1476 * time other than the current (ATTR_UTIME flag set).
1477 1477 * If setting the current time (ATTR_UTIME not set) then
1478 1478 * unlocked_access will check permissions according to policy.
1479 1479 */
1480 1480 if (cr->cr_uid != ovap->va_uid) {
1481 1481 if (flags & ATTR_UTIME)
1482 1482 error = secpolicy_vnode_utime_modify(cr);
1483 1483 else if (skipaclchk == B_FALSE) {
1484 1484 error = unlocked_access(node, VWRITE, cr);
1485 1485 if (error == EACCES &&
1486 1486 secpolicy_vnode_utime_modify(cr) == 0)
1487 1487 error = 0;
1488 1488 }
1489 1489 if (error)
1490 1490 goto out;
1491 1491 }
1492 1492 }
1493 1493
1494 1494 /*
1495 1495 * Check for optional attributes here by checking the following:
1496 1496 */
1497 1497 if (mask & AT_XVATTR)
1498 1498 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1499 1499 vp->v_type);
1500 1500 out:
1501 1501 return (error);
1502 1502 }
1503 1503
1504 1504 /*
1505 1505 * Name: secpolicy_pcfs_modify_bootpartition()
1506 1506 *
1507 1507 * Normal: verify that subject can modify a pcfs boot partition.
1508 1508 *
1509 1509 * Output: EACCES - if privilege check failed.
1510 1510 */
1511 1511 /*ARGSUSED*/
1512 1512 int
1513 1513 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1514 1514 {
1515 1515 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1516 1516 "modify pcfs boot partition"));
1517 1517 }
1518 1518
1519 1519 /*
1520 1520 * System V IPC routines
1521 1521 */
1522 1522 int
1523 1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1524 1524 {
1525 1525 if (crgetzoneid(cr) != ip->ipc_zoneid ||
1526 1526 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1527 1527 boolean_t allzone = B_FALSE;
1528 1528 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1529 1529 allzone = B_TRUE;
1530 1530 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1531 1531 }
1532 1532 return (0);
1533 1533 }
1534 1534
1535 1535 int
1536 1536 secpolicy_ipc_config(const cred_t *cr)
1537 1537 {
1538 1538 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1539 1539 }
1540 1540
1541 1541 int
1542 1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1543 1543 {
1544 1544
1545 1545 boolean_t allzone = B_FALSE;
1546 1546
1547 1547 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1548 1548
1549 1549 if ((mode & MSG_R) &&
1550 1550 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1551 1551 return (EACCES);
1552 1552
1553 1553 if (mode & MSG_W) {
1554 1554 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1555 1555 allzone = B_TRUE;
1556 1556
1557 1557 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1558 1558 NULL));
1559 1559 }
1560 1560 return (0);
1561 1561 }
1562 1562
1563 1563 int
1564 1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1565 1565 {
1566 1566 boolean_t allzone = B_FALSE;
1567 1567
1568 1568 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1569 1569
1570 1570 if ((mode & MSG_R) &&
1571 1571 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1572 1572 return (EACCES);
1573 1573
1574 1574 if (mode & MSG_W) {
1575 1575 if (cr->cr_uid != 0 && owner == 0)
1576 1576 allzone = B_TRUE;
1577 1577
1578 1578 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1579 1579 NULL));
1580 1580 }
1581 1581 return (0);
1582 1582 }
1583 1583
1584 1584 /*
1585 1585 * Audit configuration.
1586 1586 */
1587 1587 int
1588 1588 secpolicy_audit_config(const cred_t *cr)
1589 1589 {
1590 1590 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1591 1591 }
1592 1592
1593 1593 /*
1594 1594 * Audit record generation.
1595 1595 */
1596 1596 int
1597 1597 secpolicy_audit_modify(const cred_t *cr)
1598 1598 {
1599 1599 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1600 1600 }
1601 1601
1602 1602 /*
1603 1603 * Get audit attributes.
1604 1604 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1605 1605 * "Least" of the two privileges on error.
1606 1606 */
1607 1607 int
1608 1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1609 1609 {
1610 1610 int priv;
1611 1611
1612 1612 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1613 1613 priv = PRIV_SYS_AUDIT;
1614 1614 else
1615 1615 priv = PRIV_PROC_AUDIT;
1616 1616
1617 1617 if (checkonly)
1618 1618 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1619 1619 else
1620 1620 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1621 1621 }
1622 1622
1623 1623
1624 1624 /*
1625 1625 * Locking physical memory
1626 1626 */
1627 1627 int
1628 1628 secpolicy_lock_memory(const cred_t *cr)
1629 1629 {
1630 1630 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1631 1631 }
1632 1632
1633 1633 /*
1634 1634 * Accounting (both acct(2) and exacct).
1635 1635 */
1636 1636 int
1637 1637 secpolicy_acct(const cred_t *cr)
1638 1638 {
1639 1639 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1640 1640 }
1641 1641
1642 1642 /*
1643 1643 * Is this process privileged to change its uids at will?
1644 1644 * Uid 0 is still considered "special" and having the SETID
1645 1645 * privilege is not sufficient to get uid 0.
1646 1646 * Files are owned by root, so the privilege would give
1647 1647 * full access and euid 0 is still effective.
1648 1648 *
1649 1649 * If you have the privilege and euid 0 only then do you
1650 1650 * get the powers of root wrt uid 0.
1651 1651 *
1652 1652 * For gid manipulations, this is should be called with an
1653 1653 * uid of -1.
1654 1654 *
1655 1655 */
1656 1656 int
1657 1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1658 1658 {
1659 1659 boolean_t allzone = B_FALSE;
1660 1660
1661 1661 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1662 1662 cr->cr_ruid != 0) {
1663 1663 allzone = B_TRUE;
1664 1664 }
1665 1665
1666 1666 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1667 1667 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1668 1668 }
1669 1669
1670 1670
1671 1671 /*
1672 1672 * Acting on a different process: if the mode is for writing,
1673 1673 * the restrictions are more severe. This is called after
1674 1674 * we've verified that the uids do not match.
1675 1675 */
1676 1676 int
1677 1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1678 1678 {
1679 1679 boolean_t allzone = B_FALSE;
1680 1680
1681 1681 if ((mode & VWRITE) && scr->cr_uid != 0 &&
1682 1682 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1683 1683 allzone = B_TRUE;
1684 1684
1685 1685 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1686 1686 }
1687 1687
1688 1688 int
1689 1689 secpolicy_proc_access(const cred_t *scr)
1690 1690 {
1691 1691 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1692 1692 }
1693 1693
1694 1694 int
1695 1695 secpolicy_proc_excl_open(const cred_t *scr)
1696 1696 {
1697 1697 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1698 1698 }
1699 1699
1700 1700 int
1701 1701 secpolicy_proc_zone(const cred_t *scr)
1702 1702 {
1703 1703 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1704 1704 }
1705 1705
1706 1706 /*
1707 1707 * Destroying the system
1708 1708 */
1709 1709
1710 1710 int
1711 1711 secpolicy_kmdb(const cred_t *scr)
1712 1712 {
1713 1713 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1714 1714 }
1715 1715
1716 1716 int
1717 1717 secpolicy_error_inject(const cred_t *scr)
1718 1718 {
1719 1719 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1720 1720 }
1721 1721
1722 1722 /*
1723 1723 * Processor sets, cpu configuration, resource pools.
1724 1724 */
1725 1725 int
1726 1726 secpolicy_pset(const cred_t *cr)
1727 1727 {
1728 1728 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1729 1729 }
1730 1730
1731 1731 /*
1732 1732 * Processor set binding.
1733 1733 */
1734 1734 int
1735 1735 secpolicy_pbind(const cred_t *cr)
1736 1736 {
1737 1737 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1738 1738 return (secpolicy_pset(cr));
1739 1739 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1740 1740 }
1741 1741
1742 1742 int
1743 1743 secpolicy_ponline(const cred_t *cr)
1744 1744 {
1745 1745 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1746 1746 }
1747 1747
1748 1748 int
1749 1749 secpolicy_pool(const cred_t *cr)
1750 1750 {
1751 1751 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1752 1752 }
1753 1753
1754 1754 int
1755 1755 secpolicy_blacklist(const cred_t *cr)
1756 1756 {
1757 1757 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1758 1758 }
1759 1759
1760 1760 /*
1761 1761 * Catch all system configuration.
1762 1762 */
1763 1763 int
1764 1764 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1765 1765 {
1766 1766 if (checkonly) {
1767 1767 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1768 1768 EPERM);
1769 1769 } else {
1770 1770 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1771 1771 }
1772 1772 }
1773 1773
1774 1774 /*
1775 1775 * Zone administration (halt, reboot, etc.) from within zone.
1776 1776 */
1777 1777 int
1778 1778 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1779 1779 {
1780 1780 if (checkonly) {
1781 1781 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1782 1782 EPERM);
1783 1783 } else {
1784 1784 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1785 1785 NULL));
1786 1786 }
1787 1787 }
1788 1788
1789 1789 /*
1790 1790 * Zone configuration (create, halt, enter).
1791 1791 */
1792 1792 int
1793 1793 secpolicy_zone_config(const cred_t *cr)
1794 1794 {
1795 1795 /*
1796 1796 * Require all privileges to avoid possibility of privilege
1797 1797 * escalation.
1798 1798 */
1799 1799 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1800 1800 }
1801 1801
1802 1802 /*
1803 1803 * Various other system configuration calls
1804 1804 */
1805 1805 int
1806 1806 secpolicy_coreadm(const cred_t *cr)
1807 1807 {
1808 1808 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1809 1809 }
1810 1810
1811 1811 int
1812 1812 secpolicy_systeminfo(const cred_t *cr)
1813 1813 {
1814 1814 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1815 1815 }
1816 1816
1817 1817 int
1818 1818 secpolicy_dispadm(const cred_t *cr)
1819 1819 {
1820 1820 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1821 1821 }
1822 1822
1823 1823 int
1824 1824 secpolicy_settime(const cred_t *cr)
1825 1825 {
1826 1826 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1827 1827 }
1828 1828
1829 1829 /*
1830 1830 * For realtime users: high resolution clock.
1831 1831 */
1832 1832 int
1833 1833 secpolicy_clock_highres(const cred_t *cr)
1834 1834 {
1835 1835 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1836 1836 NULL));
1837 1837 }
1838 1838
1839 1839 /*
1840 1840 * drv_priv() is documented as callable from interrupt context, not that
1841 1841 * anyone ever does, but still. No debugging or auditing can be done when
1842 1842 * it is called from interrupt context.
1843 1843 * returns 0 on succes, EPERM on failure.
1844 1844 */
1845 1845 int
1846 1846 drv_priv(cred_t *cr)
1847 1847 {
1848 1848 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1849 1849 }
1850 1850
1851 1851 int
1852 1852 secpolicy_sys_devices(const cred_t *cr)
1853 1853 {
1854 1854 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1855 1855 }
1856 1856
1857 1857 int
1858 1858 secpolicy_excl_open(const cred_t *cr)
1859 1859 {
1860 1860 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1861 1861 }
1862 1862
1863 1863 int
1864 1864 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1865 1865 {
1866 1866 /* zone.* rctls can only be set from the global zone */
1867 1867 if (is_zone_rctl && priv_policy_global(cr) != 0)
1868 1868 return (EPERM);
1869 1869 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1870 1870 }
1871 1871
1872 1872 int
1873 1873 secpolicy_resource(const cred_t *cr)
1874 1874 {
1875 1875 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1876 1876 }
1877 1877
1878 1878 int
1879 1879 secpolicy_resource_anon_mem(const cred_t *cr)
1880 1880 {
1881 1881 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1882 1882 }
1883 1883
1884 1884 /*
1885 1885 * Processes with a real uid of 0 escape any form of accounting, much
1886 1886 * like before.
1887 1887 */
1888 1888 int
1889 1889 secpolicy_newproc(const cred_t *cr)
1890 1890 {
1891 1891 if (cr->cr_ruid == 0)
1892 1892 return (0);
1893 1893
1894 1894 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1895 1895 }
1896 1896
1897 1897 /*
1898 1898 * Networking
1899 1899 */
1900 1900 int
1901 1901 secpolicy_net_rawaccess(const cred_t *cr)
1902 1902 {
1903 1903 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1904 1904 }
1905 1905
1906 1906 int
1907 1907 secpolicy_net_observability(const cred_t *cr)
1908 1908 {
1909 1909 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1910 1910 }
1911 1911
1912 1912 /*
1913 1913 * Need this privilege for accessing the ICMP device
1914 1914 */
1915 1915 int
1916 1916 secpolicy_net_icmpaccess(const cred_t *cr)
1917 1917 {
1918 1918 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1919 1919 }
1920 1920
1921 1921 /*
1922 1922 * There are a few rare cases where the kernel generates ioctls() from
1923 1923 * interrupt context with a credential of kcred rather than NULL.
1924 1924 * In those cases, we take the safe and cheap test.
1925 1925 */
1926 1926 int
1927 1927 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1928 1928 {
1929 1929 if (checkonly) {
1930 1930 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1931 1931 0 : EPERM);
1932 1932 } else {
1933 1933 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1934 1934 NULL));
1935 1935 }
1936 1936 }
1937 1937
1938 1938
1939 1939 /*
1940 1940 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1941 1941 *
1942 1942 * There are a few rare cases where the kernel generates ioctls() from
1943 1943 * interrupt context with a credential of kcred rather than NULL.
1944 1944 * In those cases, we take the safe and cheap test.
1945 1945 */
1946 1946 int
1947 1947 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1948 1948 {
1949 1949 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1950 1950 return (secpolicy_net_config(cr, checkonly));
1951 1951
1952 1952 if (checkonly) {
1953 1953 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1954 1954 0 : EPERM);
1955 1955 } else {
1956 1956 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1957 1957 NULL));
1958 1958 }
1959 1959 }
1960 1960
1961 1961 /*
1962 1962 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1963 1963 */
1964 1964 int
1965 1965 secpolicy_dl_config(const cred_t *cr)
1966 1966 {
1967 1967 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1968 1968 return (secpolicy_net_config(cr, B_FALSE));
1969 1969 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1970 1970 }
1971 1971
1972 1972 /*
1973 1973 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1974 1974 */
1975 1975 int
1976 1976 secpolicy_iptun_config(const cred_t *cr)
1977 1977 {
1978 1978 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1979 1979 return (secpolicy_net_config(cr, B_FALSE));
1980 1980 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1981 1981 return (secpolicy_dl_config(cr));
1982 1982 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1983 1983 }
1984 1984
1985 1985 /*
1986 1986 * Map IP pseudo privileges to actual privileges.
1987 1987 * So we don't need to recompile IP when we change the privileges.
1988 1988 */
1989 1989 int
1990 1990 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1991 1991 {
1992 1992 int priv = PRIV_ALL;
1993 1993
1994 1994 switch (netpriv) {
1995 1995 case OP_CONFIG:
1996 1996 priv = PRIV_SYS_IP_CONFIG;
1997 1997 break;
1998 1998 case OP_RAW:
1999 1999 priv = PRIV_NET_RAWACCESS;
2000 2000 break;
2001 2001 case OP_PRIVPORT:
2002 2002 priv = PRIV_NET_PRIVADDR;
2003 2003 break;
2004 2004 }
2005 2005 ASSERT(priv != PRIV_ALL);
2006 2006 if (checkonly)
2007 2007 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2008 2008 else
2009 2009 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2010 2010 }
2011 2011
2012 2012 /*
2013 2013 * Map network pseudo privileges to actual privileges.
2014 2014 * So we don't need to recompile IP when we change the privileges.
2015 2015 */
2016 2016 int
2017 2017 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2018 2018 {
2019 2019 int priv = PRIV_ALL;
2020 2020
2021 2021 switch (netpriv) {
2022 2022 case OP_CONFIG:
2023 2023 priv = PRIV_SYS_NET_CONFIG;
2024 2024 break;
2025 2025 case OP_RAW:
2026 2026 priv = PRIV_NET_RAWACCESS;
2027 2027 break;
2028 2028 case OP_PRIVPORT:
2029 2029 priv = PRIV_NET_PRIVADDR;
2030 2030 break;
2031 2031 }
2032 2032 ASSERT(priv != PRIV_ALL);
2033 2033 if (checkonly)
2034 2034 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2035 2035 else
2036 2036 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2037 2037 }
2038 2038
2039 2039 /*
2040 2040 * Checks for operations that are either client-only or are used by
2041 2041 * both clients and servers.
2042 2042 */
2043 2043 int
2044 2044 secpolicy_nfs(const cred_t *cr)
2045 2045 {
2046 2046 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2047 2047 }
2048 2048
2049 2049 /*
2050 2050 * Special case for opening rpcmod: have NFS privileges or network
2051 2051 * config privileges.
2052 2052 */
2053 2053 int
2054 2054 secpolicy_rpcmod_open(const cred_t *cr)
2055 2055 {
2056 2056 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2057 2057 return (secpolicy_nfs(cr));
2058 2058 else
2059 2059 return (secpolicy_net_config(cr, NULL));
2060 2060 }
2061 2061
2062 2062 int
2063 2063 secpolicy_chroot(const cred_t *cr)
2064 2064 {
2065 2065 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2066 2066 }
2067 2067
2068 2068 int
2069 2069 secpolicy_tasksys(const cred_t *cr)
2070 2070 {
2071 2071 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2072 2072 }
2073 2073
2074 2074 int
2075 2075 secpolicy_meminfo(const cred_t *cr)
2076 2076 {
2077 2077 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2078 2078 }
2079 2079
2080 2080 int
2081 2081 secpolicy_pfexec_register(const cred_t *cr)
2082 2082 {
2083 2083 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2084 2084 }
2085 2085
2086 2086 /*
2087 2087 * Basic privilege checks.
2088 2088 */
2089 2089 int
2090 2090 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2091 2091 {
2092 2092 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2093 2093
2094 2094 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2095 2095 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2096 2096 }
2097 2097
2098 2098 int
2099 2099 secpolicy_basic_fork(const cred_t *cr)
2100 2100 {
2101 2101 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2102 2102
2103 2103 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2104 2104 }
2105 2105
2106 2106 int
2107 2107 secpolicy_basic_proc(const cred_t *cr)
2108 2108 {
2109 2109 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2110 2110
2111 2111 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2112 2112 }
2113 2113
2114 2114 /*
2115 2115 * Slightly complicated because we don't want to trigger the policy too
2116 2116 * often. First we shortcircuit access to "self" (tp == sp) or if
2117 2117 * we don't have the privilege but if we have permission
2118 2118 * just return (0) and we don't flag the privilege as needed.
2119 2119 * Else, we test for the privilege because we either have it or need it.
2120 2120 */
2121 2121 int
2122 2122 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2123 2123 {
2124 2124 if (tp == sp ||
2125 2125 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2126 2126 return (0);
2127 2127 } else {
2128 2128 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2129 2129 }
2130 2130 }
2131 2131
2132 2132 int
2133 2133 secpolicy_basic_link(const cred_t *cr)
2134 2134 {
2135 2135 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2136 2136
2137 2137 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2138 2138 }
2139 2139
2140 2140 int
2141 2141 secpolicy_basic_net_access(const cred_t *cr)
2142 2142 {
2143 2143 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2144 2144
2145 2145 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2146 2146 }
2147 2147
2148 2148 /* ARGSUSED */
2149 2149 int
2150 2150 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2151 2151 {
2152 2152 FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2153 2153
2154 2154 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2155 2155 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2156 2156 }
2157 2157
2158 2158 /* ARGSUSED */
2159 2159 int
2160 2160 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2161 2161 {
2162 2162 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2163 2163
2164 2164 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2165 2165 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2166 2166 }
2167 2167
2168 2168 /*
2169 2169 * Additional device protection.
2170 2170 *
2171 2171 * Traditionally, a device has specific permissions on the node in
2172 2172 * the filesystem which govern which devices can be opened by what
2173 2173 * processes. In certain cases, it is desirable to add extra
2174 2174 * restrictions, as writing to certain devices is identical to
2175 2175 * having a complete run of the system.
2176 2176 *
2177 2177 * This mechanism is called the device policy.
2178 2178 *
2179 2179 * When a device is opened, its policy entry is looked up in the
2180 2180 * policy cache and checked.
2181 2181 */
2182 2182 int
2183 2183 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2184 2184 {
2185 2185 devplcy_t *plcy;
2186 2186 int err;
2187 2187 struct snode *csp = VTOS(common_specvp(vp));
2188 2188 priv_set_t pset;
2189 2189
2190 2190 mutex_enter(&csp->s_lock);
2191 2191
2192 2192 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2193 2193 plcy = devpolicy_find(vp);
2194 2194 if (csp->s_plcy)
2195 2195 dpfree(csp->s_plcy);
2196 2196 csp->s_plcy = plcy;
2197 2197 ASSERT(plcy != NULL);
2198 2198 } else
2199 2199 plcy = csp->s_plcy;
2200 2200
2201 2201 if (plcy == nullpolicy) {
2202 2202 mutex_exit(&csp->s_lock);
2203 2203 return (0);
2204 2204 }
2205 2205
2206 2206 dphold(plcy);
2207 2207
2208 2208 mutex_exit(&csp->s_lock);
2209 2209
2210 2210 if (oflag & FWRITE)
2211 2211 pset = plcy->dp_wrp;
2212 2212 else
2213 2213 pset = plcy->dp_rdp;
2214 2214 /*
2215 2215 * Special case:
2216 2216 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2217 2217 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2218 2218 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2219 2219 * in the required privilege set before doing the check.
2220 2220 */
2221 2221 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2222 2222 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2223 2223 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2224 2224 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2225 2225 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2226 2226 }
2227 2227
2228 2228 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2229 2229 dpfree(plcy);
2230 2230
2231 2231 return (err);
2232 2232 }
2233 2233
2234 2234 int
2235 2235 secpolicy_modctl(const cred_t *cr, int cmd)
2236 2236 {
2237 2237 switch (cmd) {
2238 2238 case MODINFO:
2239 2239 case MODGETMAJBIND:
2240 2240 case MODGETPATH:
2241 2241 case MODGETPATHLEN:
2242 2242 case MODGETNAME:
2243 2243 case MODGETFBNAME:
2244 2244 case MODGETDEVPOLICY:
2245 2245 case MODGETDEVPOLICYBYNAME:
2246 2246 case MODDEVT2INSTANCE:
2247 2247 case MODSIZEOF_DEVID:
2248 2248 case MODGETDEVID:
2249 2249 case MODSIZEOF_MINORNAME:
2250 2250 case MODGETMINORNAME:
2251 2251 case MODGETDEVFSPATH_LEN:
2252 2252 case MODGETDEVFSPATH:
2253 2253 case MODGETDEVFSPATH_MI_LEN:
2254 2254 case MODGETDEVFSPATH_MI:
2255 2255 /* Unprivileged */
2256 2256 return (0);
2257 2257 case MODLOAD:
2258 2258 case MODSETDEVPOLICY:
2259 2259 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2260 2260 KLPDARG_NONE));
2261 2261 default:
2262 2262 return (secpolicy_sys_config(cr, B_FALSE));
2263 2263 }
2264 2264 }
2265 2265
2266 2266 int
2267 2267 secpolicy_console(const cred_t *cr)
2268 2268 {
2269 2269 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2270 2270 }
2271 2271
2272 2272 int
2273 2273 secpolicy_power_mgmt(const cred_t *cr)
2274 2274 {
2275 2275 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2276 2276 }
2277 2277
2278 2278 /*
2279 2279 * Simulate terminal input; another escalation of privileges avenue.
2280 2280 */
2281 2281
2282 2282 int
2283 2283 secpolicy_sti(const cred_t *cr)
2284 2284 {
2285 2285 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2286 2286 }
2287 2287
2288 2288 boolean_t
2289 2289 secpolicy_net_reply_equal(const cred_t *cr)
2290 2290 {
2291 2291 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2292 2292 }
2293 2293
2294 2294 int
2295 2295 secpolicy_swapctl(const cred_t *cr)
2296 2296 {
2297 2297 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2298 2298 }
2299 2299
2300 2300 int
2301 2301 secpolicy_cpc_cpu(const cred_t *cr)
2302 2302 {
2303 2303 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2304 2304 }
2305 2305
2306 2306 /*
2307 2307 * secpolicy_contract_identity
2308 2308 *
2309 2309 * Determine if the subject may set the process contract FMRI value
2310 2310 */
2311 2311 int
2312 2312 secpolicy_contract_identity(const cred_t *cr)
2313 2313 {
2314 2314 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2315 2315 }
2316 2316
2317 2317 /*
2318 2318 * secpolicy_contract_observer
2319 2319 *
2320 2320 * Determine if the subject may observe a specific contract's events.
2321 2321 */
2322 2322 int
2323 2323 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2324 2324 {
2325 2325 if (contract_owned(ct, cr, B_FALSE))
2326 2326 return (0);
2327 2327 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2328 2328 }
2329 2329
2330 2330 /*
2331 2331 * secpolicy_contract_observer_choice
2332 2332 *
2333 2333 * Determine if the subject may observe any contract's events. Just
2334 2334 * tests privilege and audits on success.
2335 2335 */
2336 2336 boolean_t
2337 2337 secpolicy_contract_observer_choice(const cred_t *cr)
2338 2338 {
2339 2339 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2340 2340 }
2341 2341
2342 2342 /*
2343 2343 * secpolicy_contract_event
2344 2344 *
2345 2345 * Determine if the subject may request critical contract events or
2346 2346 * reliable contract event delivery.
2347 2347 */
2348 2348 int
2349 2349 secpolicy_contract_event(const cred_t *cr)
2350 2350 {
2351 2351 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2352 2352 }
2353 2353
2354 2354 /*
2355 2355 * secpolicy_contract_event_choice
2356 2356 *
2357 2357 * Determine if the subject may retain contract events in its critical
2358 2358 * set when a change in other terms would normally require a change in
2359 2359 * the critical set. Just tests privilege and audits on success.
2360 2360 */
2361 2361 boolean_t
2362 2362 secpolicy_contract_event_choice(const cred_t *cr)
2363 2363 {
2364 2364 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2365 2365 }
2366 2366
2367 2367 /*
2368 2368 * secpolicy_gart_access
2369 2369 *
2370 2370 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2371 2371 * device.
2372 2372 */
2373 2373 int
2374 2374 secpolicy_gart_access(const cred_t *cr)
2375 2375 {
2376 2376 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2377 2377 }
2378 2378
2379 2379 /*
2380 2380 * secpolicy_gart_map
2381 2381 *
2382 2382 * Determine if the subject has sufficient priveleges to map aperture range
2383 2383 * through agpgart driver.
2384 2384 */
2385 2385 int
2386 2386 secpolicy_gart_map(const cred_t *cr)
2387 2387 {
2388 2388 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2389 2389 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2390 2390 NULL));
2391 2391 } else {
2392 2392 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2393 2393 NULL));
2394 2394 }
2395 2395 }
2396 2396
2397 2397 /*
2398 2398 * secpolicy_zinject
2399 2399 *
2400 2400 * Determine if the subject can inject faults in the ZFS fault injection
2401 2401 * framework. Requires all privileges.
2402 2402 */
2403 2403 int
2404 2404 secpolicy_zinject(const cred_t *cr)
2405 2405 {
2406 2406 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2407 2407 }
2408 2408
2409 2409 /*
2410 2410 * secpolicy_zfs
2411 2411 *
2412 2412 * Determine if the subject has permission to manipulate ZFS datasets
2413 2413 * (not pools). Equivalent to the SYS_MOUNT privilege.
2414 2414 */
2415 2415 int
2416 2416 secpolicy_zfs(const cred_t *cr)
2417 2417 {
2418 2418 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2419 2419 }
2420 2420
2421 2421 /*
2422 2422 * secpolicy_idmap
2423 2423 *
2424 2424 * Determine if the calling process has permissions to register an SID
2425 2425 * mapping daemon and allocate ephemeral IDs.
2426 2426 */
2427 2427 int
2428 2428 secpolicy_idmap(const cred_t *cr)
2429 2429 {
2430 2430 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2431 2431 }
2432 2432
2433 2433 /*
2434 2434 * secpolicy_ucode_update
2435 2435 *
2436 2436 * Determine if the subject has sufficient privilege to update microcode.
2437 2437 */
2438 2438 int
2439 2439 secpolicy_ucode_update(const cred_t *scr)
2440 2440 {
2441 2441 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2442 2442 }
2443 2443
2444 2444 /*
2445 2445 * secpolicy_sadopen
2446 2446 *
2447 2447 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2448 2448 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2449 2449 * In global zone, sys_config is required.
2450 2450 * In exclusive-IP zones, sys_ip_config is required.
2451 2451 * Note that sys_config is prohibited in non-global zones.
2452 2452 */
2453 2453 int
2454 2454 secpolicy_sadopen(const cred_t *credp)
2455 2455 {
2456 2456 priv_set_t pset;
2457 2457
2458 2458 priv_emptyset(&pset);
2459 2459
2460 2460 if (crgetzoneid(credp) == GLOBAL_ZONEID)
2461 2461 priv_addset(&pset, PRIV_SYS_CONFIG);
2462 2462 else
2463 2463 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2464 2464
2465 2465 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2466 2466 }
2467 2467
2468 2468
2469 2469 /*
2470 2470 * Add privileges to a particular privilege set; this is called when the
2471 2471 * current sets of privileges are not sufficient. I.e., we should always
2472 2472 * call the policy override functions from here.
2473 2473 * What we are allowed to have is in the Observed Permitted set; so
2474 2474 * we compute the difference between that and the newset.
2475 2475 */
2476 2476 int
2477 2477 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2478 2478 {
2479 2479 priv_set_t rqd;
2480 2480
2481 2481 rqd = CR_OPPRIV(cr);
2482 2482
2483 2483 priv_inverse(&rqd);
2484 2484 priv_intersect(nset, &rqd);
2485 2485
2486 2486 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2487 2487 }
2488 2488
2489 2489 /*
2490 2490 * secpolicy_smb
2491 2491 *
2492 2492 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2493 2493 * that it has permission to access the smbsrv kernel driver.
2494 2494 * PRIV_POLICY checks the privilege and audits the check.
2495 2495 *
2496 2496 * Returns:
2497 2497 * 0 Driver access is allowed.
2498 2498 * EPERM Driver access is NOT permitted.
2499 2499 */
2500 2500 int
2501 2501 secpolicy_smb(const cred_t *cr)
2502 2502 {
2503 2503 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2504 2504 }
2505 2505
2506 2506 /*
2507 2507 * secpolicy_vscan
2508 2508 *
2509 2509 * Determine if cred_t has the necessary privileges to access a file
2510 2510 * for virus scanning and update its extended system attributes.
2511 2511 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2512 2512 * PRIV_FILE_FLAG_SET - set extended system attributes
2513 2513 *
2514 2514 * PRIV_POLICY checks the privilege and audits the check.
2515 2515 *
2516 2516 * Returns:
2517 2517 * 0 file access for virus scanning allowed.
2518 2518 * EPERM file access for virus scanning is NOT permitted.
2519 2519 */
2520 2520 int
2521 2521 secpolicy_vscan(const cred_t *cr)
2522 2522 {
2523 2523 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2524 2524 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2525 2525 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2526 2526 return (EPERM);
2527 2527 }
2528 2528
2529 2529 return (0);
2530 2530 }
2531 2531
2532 2532 /*
2533 2533 * secpolicy_smbfs_login
2534 2534 *
2535 2535 * Determines if the caller can add and delete the smbfs login
2536 2536 * password in the the nsmb kernel module for the CIFS client.
2537 2537 *
2538 2538 * Returns:
2539 2539 * 0 access is allowed.
2540 2540 * EPERM access is NOT allowed.
2541 2541 */
2542 2542 int
2543 2543 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2544 2544 {
2545 2545 uid_t cruid = crgetruid(cr);
2546 2546
2547 2547 if (cruid == uid)
2548 2548 return (0);
2549 2549 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2550 2550 EPERM, NULL));
2551 2551 }
2552 2552
2553 2553 /*
2554 2554 * secpolicy_xvm_control
2555 2555 *
2556 2556 * Determines if a caller can control the xVM hypervisor and/or running
2557 2557 * domains (x86 specific).
2558 2558 *
2559 2559 * Returns:
2560 2560 * 0 access is allowed.
2561 2561 * EPERM access is NOT allowed.
2562 2562 */
2563 2563 int
2564 2564 secpolicy_xvm_control(const cred_t *cr)
2565 2565 {
2566 2566 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2567 2567 return (EPERM);
2568 2568 return (0);
2569 2569 }
2570 2570
2571 2571 /*
2572 2572 * secpolicy_ppp_config
2573 2573 *
2574 2574 * Determine if the subject has sufficient privileges to configure PPP and
2575 2575 * PPP-related devices.
2576 2576 */
2577 2577 int
2578 2578 secpolicy_ppp_config(const cred_t *cr)
2579 2579 {
2580 2580 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2581 2581 return (secpolicy_net_config(cr, B_FALSE));
2582 2582 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2583 2583 }
|
↓ open down ↓ |
1591 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX