1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2015, Joyent, Inc. All rights reserved.
  24  *
  25 INSERT COMMENT
  26  */
  27 
  28 #
  29 # Privileges can be added to this file at any location, not
  30 # necessarily at the end.  For patches, it is probably best to
  31 # add the new privilege at the end; for ordinary releases privileges
  32 # should be ordered alphabetically.
  33 #
  34 
  35 privilege PRIV_CONTRACT_EVENT
  36 
  37         Allows a process to request critical events without limitation.
  38         Allows a process to request reliable delivery of all events on
  39         any event queue.
  40 
  41 privilege PRIV_CONTRACT_IDENTITY
  42 
  43         Allows a process to set the service FMRI value of a process
  44         contract template.
  45 
  46 privilege PRIV_CONTRACT_OBSERVER
  47 
  48         Allows a process to observe contract events generated by
  49         contracts created and owned by users other than the process's
  50         effective user ID.
  51         Allows a process to open contract event endpoints belonging to
  52         contracts created and owned by users other than the process's
  53         effective user ID.
  54 
  55 privilege PRIV_CPC_CPU
  56 
  57         Allow a process to access per-CPU hardware performance counters.
  58 
  59 privilege PRIV_DTRACE_KERNEL
  60 
  61         Allows DTrace kernel-level tracing.
  62 
  63 privilege PRIV_DTRACE_PROC
  64 
  65         Allows DTrace process-level tracing.
  66         Allows process-level tracing probes to be placed and enabled in
  67         processes to which the user has permissions.
  68 
  69 privilege PRIV_DTRACE_USER
  70 
  71         Allows DTrace user-level tracing.
  72         Allows use of the syscall and profile DTrace providers to
  73         examine processes to which the user has permissions.
  74 
  75 privilege PRIV_FILE_CHOWN
  76 
  77         Allows a process to change a file's owner user ID.
  78         Allows a process to change a file's group ID to one other than
  79         the process' effective group ID or one of the process'
  80         supplemental group IDs.
  81 
  82 privilege PRIV_FILE_CHOWN_SELF
  83 
  84         Allows a process to give away its files; a process with this
  85         privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
  86         in effect.
  87 
  88 privilege PRIV_FILE_DAC_EXECUTE
  89 
  90         Allows a process to execute an executable file whose permission
  91         bits or ACL do not allow the process execute permission.
  92 
  93 privilege PRIV_FILE_DAC_READ
  94 
  95         Allows a process to read a file or directory whose permission
  96         bits or ACL do not allow the process read permission.
  97 
  98 privilege PRIV_FILE_DAC_SEARCH
  99 
 100         Allows a process to search a directory whose permission bits or
 101         ACL do not allow the process search permission.
 102 
 103 privilege PRIV_FILE_DAC_WRITE
 104 
 105         Allows a process to write a file or directory whose permission
 106         bits or ACL do not allow the process write permission.
 107         In order to write files owned by uid 0 in the absence of an
 108         effective uid of 0 ALL privileges are required.
 109 
 110 privilege PRIV_FILE_DOWNGRADE_SL
 111 
 112         Allows a process to set the sensitivity label of a file or
 113         directory to a sensitivity label that does not dominate the
 114         existing sensitivity label.
 115         This privilege is interpreted only if the system is configured
 116         with Trusted Extensions.
 117 
 118 privilege PRIV_FILE_FLAG_SET
 119 
 120         Allows a process to set immutable, nounlink or appendonly
 121         file attributes.
 122 
 123 basic privilege PRIV_FILE_LINK_ANY
 124 
 125         Allows a process to create hardlinks to files owned by a uid
 126         different from the process' effective uid.
 127 
 128 privilege PRIV_FILE_OWNER
 129 
 130         Allows a process which is not the owner of a file or directory
 131         to perform the following operations that are normally permitted
 132         only for the file owner: modify that file's access and
 133         modification times; remove or rename a file or directory whose
 134         parent directory has the ``save text image after execution''
 135         (sticky) bit set; mount a ``namefs'' upon a file; modify
 136         permission bits or ACL except for the set-uid and set-gid
 137         bits.
 138 
 139 basic privilege PRIV_FILE_READ
 140 
 141         Allows a process to read objects in the filesystem.
 142 
 143 privilege PRIV_FILE_SETID
 144 
 145         Allows a process to change the ownership of a file or write to
 146         a file without the set-user-ID and set-group-ID bits being
 147         cleared.
 148         Allows a process to set the set-group-ID bit on a file or
 149         directory whose group is not the process' effective group or
 150         one of the process' supplemental groups.
 151         Allows a process to set the set-user-ID bit on a file with
 152         different ownership in the presence of PRIV_FILE_OWNER.
 153         Additional restrictions apply when creating or modifying a
 154         set-uid 0 file.
 155 
 156 privilege PRIV_FILE_UPGRADE_SL
 157 
 158         Allows a process to set the sensitivity label of a file or
 159         directory to a sensitivity label that dominates the existing
 160         sensitivity label.
 161         This privilege is interpreted only if the system is configured
 162         with Trusted Extensions.
 163 
 164 basic privilege PRIV_FILE_WRITE
 165 
 166         Allows a process to modify objects in the filesystem.
 167 
 168 privilege PRIV_GRAPHICS_ACCESS
 169 
 170         Allows a process to make privileged ioctls to graphics devices.
 171         Typically only xserver process needs to have this privilege.
 172         A process with this privilege is also allowed to perform
 173         privileged graphics device mappings.
 174 
 175 privilege PRIV_GRAPHICS_MAP
 176 
 177         Allows a process to perform privileged mappings through a
 178         graphics device.
 179 
 180 privilege PRIV_IPC_DAC_READ
 181 
 182         Allows a process to read a System V IPC
 183         Message Queue, Semaphore Set, or Shared Memory Segment whose
 184         permission bits do not allow the process read permission.
 185         Allows a process to read remote shared memory whose
 186         permission bits do not allow the process read permission.
 187 
 188 privilege PRIV_IPC_DAC_WRITE
 189 
 190         Allows a process to write a System V IPC
 191         Message Queue, Semaphore Set, or Shared Memory Segment whose
 192         permission bits do not allow the process write permission.
 193         Allows a process to read remote shared memory whose
 194         permission bits do not allow the process write permission.
 195         Additional restrictions apply if the owner of the object has uid 0
 196         and the effective uid of the current process is not 0.
 197 
 198 privilege PRIV_IPC_OWNER
 199 
 200         Allows a process which is not the owner of a System
 201         V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
 202         remove, change ownership of, or change permission bits of the
 203         Message Queue, Semaphore Set, or Shared Memory Segment.
 204         Additional restrictions apply if the owner of the object has uid 0
 205         and the effective uid of the current process is not 0.
 206 
 207 basic privilege PRIV_NET_ACCESS
 208 
 209         Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
 210 
 211 privilege PRIV_NET_BINDMLP
 212 
 213         Allow a process to bind to a port that is configured as a
 214         multi-level port(MLP) for the process's zone. This privilege
 215         applies to both shared address and zone-specific address MLPs.
 216         See tnzonecfg(4) from the Trusted Extensions manual pages for
 217         information on configuring MLP ports.
 218         This privilege is interpreted only if the system is configured
 219         with Trusted Extensions.
 220 
 221 privilege PRIV_NET_ICMPACCESS
 222 
 223         Allows a process to send and receive ICMP packets.
 224 
 225 privilege PRIV_NET_MAC_AWARE
 226 
 227         Allows a process to set NET_MAC_AWARE process flag by using
 228         setpflags(2). This privilege also allows a process to set
 229         SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
 230         The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
 231         option both allow a local process to communicate with an
 232         unlabeled peer if the local process' label dominates the
 233         peer's default label, or if the local process runs in the
 234         global zone.
 235         This privilege is interpreted only if the system is configured
 236         with Trusted Extensions.
 237 
 238 privilege PRIV_NET_MAC_IMPLICIT
 239 
 240         Allows a process to set SO_MAC_IMPLICIT option by using 
 241         setsockopt(3SOCKET).  This allows a privileged process to 
 242         transmit implicitly-labeled packets to a peer.
 243         This privilege is interpreted only if the system is configured
 244         with Trusted Extensions.
 245 
 246 privilege PRIV_NET_OBSERVABILITY
 247 
 248         Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
 249         while not requiring them to need PRIV_NET_RAWACCESS.
 250 
 251 privilege PRIV_NET_PRIVADDR
 252 
 253         Allows a process to bind to a privileged port
 254         number. The privilege port numbers are 1-1023 (the traditional
 255         UNIX privileged ports) as well as those ports marked as
 256         "udp/tcp_extra_priv_ports" with the exception of the ports
 257         reserved for use by NFS.
 258 
 259 privilege PRIV_NET_RAWACCESS
 260 
 261         Allows a process to have direct access to the network layer.
 262 
 263 unsafe privilege PRIV_PROC_AUDIT
 264 
 265         Allows a process to generate audit records.
 266         Allows a process to get its own audit pre-selection information.
 267 
 268 privilege PRIV_PROC_CHROOT
 269 
 270         Allows a process to change its root directory.
 271 
 272 privilege PRIV_PROC_CLOCK_HIGHRES
 273 
 274         Allows a process to use high resolution timers.
 275 
 276 basic privilege PRIV_PROC_EXEC
 277 
 278         Allows a process to call execve().
 279 
 280 basic privilege PRIV_PROC_FORK
 281 
 282         Allows a process to call fork1()/forkall()/vfork()
 283 
 284 basic privilege PRIV_PROC_INFO
 285 
 286         Allows a process to examine the status of processes other
 287         than those it can send signals to.  Processes which cannot
 288         be examined cannot be seen in /proc and appear not to exist.
 289 
 290 privilege PRIV_PROC_LOCK_MEMORY
 291 
 292         Allows a process to lock pages in physical memory.
 293 
 294 privilege PRIV_PROC_MEMINFO
 295 
 296         Allows a process to access physical memory information.
 297 
 298 privilege PRIV_PROC_OWNER
 299 
 300         Allows a process to send signals to other processes, inspect
 301         and modify process state to other processes regardless of
 302         ownership.  When modifying another process, additional
 303         restrictions apply:  the effective privilege set of the
 304         attaching process must be a superset of the target process'
 305         effective, permitted and inheritable sets; the limit set must
 306         be a superset of the target's limit set; if the target process
 307         has any uid set to 0 all privilege must be asserted unless the
 308         effective uid is 0.
 309         Allows a process to bind arbitrary processes to CPUs.
 310 
 311 # XXX: This is made default merely for test purposes.  DO NOT LEAVE HERE
 312 default privilege PRIV_PROC_PRIOUP
 313 
 314         Allows a process to elevate its priority above its current level.
 315 
 316 privilege PRIV_PROC_PRIOCNTL
 317 
 318         Allows all that PRIV_PROC_PRIOUP allows.
 319         Allows a process to change its scheduling class to any scheduling class,
 320         including the RT class.
 321 
 322 basic privilege PRIV_PROC_SESSION
 323 
 324         Allows a process to send signals or trace processes outside its
 325         session.
 326 
 327 unsafe privilege PRIV_PROC_SETID
 328 
 329         Allows a process to set its uids at will.
 330         Assuming uid 0 requires all privileges to be asserted.
 331 
 332 privilege PRIV_PROC_TASKID
 333 
 334         Allows a process to assign a new task ID to the calling process.
 335 
 336 privilege PRIV_PROC_ZONE
 337 
 338         Allows a process to trace or send signals to processes in
 339         other zones.
 340 
 341 privilege PRIV_SYS_ACCT
 342 
 343         Allows a process to enable and disable and manage accounting through
 344         acct(2), getacct(2), putacct(2) and wracct(2).
 345 
 346 privilege PRIV_SYS_ADMIN
 347 
 348         Allows a process to perform system administration tasks such
 349         as setting node and domain name and specifying nscd and coreadm
 350         settings.
 351 
 352 privilege PRIV_SYS_AUDIT
 353 
 354         Allows a process to start the (kernel) audit daemon.
 355         Allows a process to view and set audit state (audit user ID,
 356         audit terminal ID, audit sessions ID, audit pre-selection mask).
 357         Allows a process to turn off and on auditing.
 358         Allows a process to configure the audit parameters (cache and
 359         queue sizes, event to class mappings, policy options).
 360 
 361 privilege PRIV_SYS_CONFIG
 362 
 363         Allows a process to perform various system configuration tasks.
 364         Allows a process to add and remove swap devices; when adding a swap
 365         device, a process must also have sufficient privileges to read from
 366         and write to the swap device.
 367 
 368 privilege PRIV_SYS_DEVICES
 369 
 370         Allows a process to successfully call a kernel module that
 371         calls the kernel drv_priv(9F) function to check for allowed
 372         access.
 373         Allows a process to open the real console device directly.
 374         Allows a process to open devices that have been exclusively opened.
 375 
 376 privilege PRIV_SYS_IPC_CONFIG
 377 
 378         Allows a process to increase the size of a System V IPC Message
 379         Queue buffer.
 380 
 381 privilege PRIV_SYS_LINKDIR
 382 
 383         Allows a process to unlink and link directories.
 384 
 385 privilege PRIV_SYS_MOUNT
 386 
 387         Allows filesystem specific administrative procedures, such as
 388         filesystem configuration ioctls, quota calls and creation/deletion
 389         of snapshots.
 390         Allows a process to mount and unmount filesystems which would
 391         otherwise be restricted (i.e., most filesystems except
 392         namefs).
 393         A process performing a mount operation needs to have
 394         appropriate access to the device being mounted (read-write for
 395         "rw" mounts, read for "ro" mounts).
 396         A process performing any of the aforementioned
 397         filesystem operations needs to have read/write/owner
 398         access to the mount point.
 399         Only regular files and directories can serve as mount points
 400         for processes which do not have all zone privileges asserted.
 401         Unless a process has all zone privileges, the mount(2)
 402         system call will force the "nosuid" and "restrict" options, the
 403         latter only for autofs mountpoints.
 404         Regardless of privileges, a process running in a non-global zone may
 405         only control mounts performed from within said zone.
 406         Outside the global zone, the "nodevices" option is always forced.
 407 
 408 privilege PRIV_SYS_IPTUN_CONFIG
 409 
 410         Allows a process to configure IP tunnel links.
 411 
 412 privilege PRIV_SYS_DL_CONFIG
 413 
 414         Allows a process to configure all classes of datalinks, including
 415         configuration allowed by PRIV_SYS_IPTUN_CONFIG.
 416 
 417 privilege PRIV_SYS_IP_CONFIG
 418 
 419         Allows a process to configure a system's IP interfaces and routes.
 420         Allows a process to configure network parameters using ndd.
 421         Allows a process access to otherwise restricted information using ndd.
 422         Allows a process to configure IPsec.
 423         Allows a process to pop anchored STREAMs modules with matching zoneid.
 424 
 425 privilege PRIV_SYS_NET_CONFIG
 426 
 427         Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
 428         PRIV_SYS_PPP_CONFIG allow.
 429         Allows a process to push the rpcmod STREAMs module.
 430         Allows a process to INSERT/REMOVE STREAMs modules on locations other
 431         than the top of the module stack.
 432 
 433 privilege PRIV_SYS_NFS
 434 
 435         Allows a process to perform Sun private NFS specific system calls.
 436         Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
 437         and port 4045 (lockd).
 438 
 439 privilege PRIV_SYS_PPP_CONFIG
 440 
 441         Allows a process to create and destroy PPP (sppp) interfaces.
 442         Allows a process to configure PPP tunnels (sppptun).
 443 
 444 privilege PRIV_SYS_RES_BIND
 445 
 446         Allows a process to bind processes to processor sets.
 447 
 448 privilege PRIV_SYS_RES_CONFIG
 449 
 450         Allows all that PRIV_SYS_RES_BIND allows.
 451         Allows a process to create and delete processor sets, assign
 452         CPUs to processor sets and override the PSET_NOESCAPE property.
 453         Allows a process to change the operational status of CPUs in
 454         the system using p_online(2).
 455         Allows a process to configure resource pools and to bind
 456         processes to pools
 457 
 458 unsafe privilege PRIV_SYS_RESOURCE
 459 
 460         Allows a process to modify the resource limits specified
 461         by setrlimit(2) and setrctl(2) without restriction.
 462         Allows a process to exceed the per-user maximum number of
 463         processes.
 464         Allows a process to extend or create files on a filesystem that
 465         has less than minfree space in reserve.
 466 
 467 privilege PRIV_SYS_SMB
 468 
 469         Allows a process to access the Sun private SMB kernel module.
 470         Allows a process to bind to ports reserved by NetBIOS and SMB:
 471         ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
 472         Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
 473 
 474 privilege PRIV_SYS_SUSER_COMPAT
 475 
 476         Allows a process to successfully call a third party loadable module
 477         that calls the kernel suser() function to check for allowed access.
 478         This privilege exists only for third party loadable module
 479         compatibility and is not used by Solaris proper.
 480 
 481 privilege PRIV_SYS_TIME
 482 
 483         Allows a process to manipulate system time using any of the
 484         appropriate system calls: stime, adjtime, ntp_adjtime and
 485         the IA specific RTC calls.
 486 
 487 privilege PRIV_SYS_TRANS_LABEL
 488 
 489         Allows a process to translate labels that are not dominated
 490         by the process' sensitivity label to and from an external
 491         string form.
 492         This privilege is interpreted only if the system is configured
 493         with Trusted Extensions.
 494 
 495 privilege PRIV_VIRT_MANAGE
 496 
 497         Allows a process to manage virtualized environments such as
 498         xVM(5).
 499 
 500 privilege PRIV_WIN_COLORMAP
 501 
 502         Allows a process to override colormap restrictions.
 503         Allows a process to install or remove colormaps.
 504         Allows a process to retrieve colormap cell entries allocated
 505         by other processes.
 506         This privilege is interpreted only if the system is configured
 507         with Trusted Extensions.
 508 
 509 privilege PRIV_WIN_CONFIG
 510 
 511         Allows a process to configure or destroy resources that are
 512         permanently retained by the X server.
 513         Allows a process to use SetScreenSaver to set the screen
 514         saver timeout value.
 515         Allows a process to use ChangeHosts to modify the display
 516         access control list.
 517         Allows a process to use GrabServer.
 518         Allows a process to use the SetCloseDownMode request which
 519         may retain window, pixmap, colormap, property, cursor, font,
 520         or graphic context resources.
 521         This privilege is interpreted only if the system is configured
 522         with Trusted Extensions.
 523 
 524 privilege PRIV_WIN_DAC_READ
 525 
 526         Allows a process to read from a window resource that it does
 527         not own (has a different user ID).
 528         This privilege is interpreted only if the system is configured
 529         with Trusted Extensions.
 530 
 531 privilege PRIV_WIN_DAC_WRITE
 532 
 533         Allows a process to write to or create a window resource that
 534         it does not own (has a different user ID). A newly created
 535         window property is created with the window's user ID.
 536         This privilege is interpreted only if the system is configured
 537         with Trusted Extensions.
 538 
 539 privilege PRIV_WIN_DEVICES
 540 
 541         Allows a process to perform operations on window input devices.
 542         Allows a process to get and set keyboard and pointer controls.
 543         Allows a process to modify pointer button and key mappings.
 544         This privilege is interpreted only if the system is configured
 545         with Trusted Extensions.
 546 
 547 privilege PRIV_WIN_DGA
 548 
 549         Allows a process to use the direct graphics access (DGA) X protocol
 550         extensions. Direct process access to the frame buffer is still
 551         required. Thus the process must have MAC and DAC privileges that
 552         allow access to the frame buffer, or the frame buffer must be
 553         allocated to the process.
 554         This privilege is interpreted only if the system is configured
 555         with Trusted Extensions.
 556 
 557 privilege PRIV_WIN_DOWNGRADE_SL
 558 
 559         Allows a process to set the sensitivity label of a window resource
 560         to a sensitivity label that does not dominate the existing
 561         sensitivity label.
 562         This privilege is interpreted only if the system is configured
 563         with Trusted Extensions.
 564 
 565 privilege PRIV_WIN_FONTPATH
 566 
 567         Allows a process to set a font path.
 568         This privilege is interpreted only if the system is configured
 569         with Trusted Extensions.
 570 
 571 privilege PRIV_WIN_MAC_READ
 572 
 573         Allows a process to read from a window resource whose sensitivity
 574         label is not equal to the process sensitivity label.
 575         This privilege is interpreted only if the system is configured
 576         with Trusted Extensions.
 577 
 578 privilege PRIV_WIN_MAC_WRITE
 579 
 580         Allows a process to create a window resource whose sensitivity
 581         label is not equal to the process sensitivity label.
 582         A newly created window property is created with the window's
 583         sensitivity label.
 584         This privilege is interpreted only if the system is configured
 585         with Trusted Extensions.
 586 
 587 privilege PRIV_WIN_SELECTION
 588 
 589         Allows a process to request inter-window data moves without the
 590         intervention of the selection confirmer.
 591         This privilege is interpreted only if the system is configured
 592         with Trusted Extensions.
 593 
 594 privilege PRIV_WIN_UPGRADE_SL
 595 
 596         Allows a process to set the sensitivity label of a window
 597         resource to a sensitivity label that dominates the existing
 598         sensitivity label.
 599         This privilege is interpreted only if the system is configured
 600         with Trusted Extensions.
 601 
 602 privilege PRIV_XVM_CONTROL
 603 
 604         Allows a process access to the xVM(5) control devices for
 605         managing guest domains and the hypervisor. This privilege is
 606         used only if booted into xVM on x86 platforms.
 607 
 608 set PRIV_EFFECTIVE
 609 
 610         Set of privileges currently in effect.
 611 
 612 set PRIV_INHERITABLE
 613 
 614         Set of privileges that comes into effect on exec.
 615 
 616 set PRIV_PERMITTED
 617 
 618         Set of privileges that can be put into the effective set without
 619         restriction.
 620 
 621 set PRIV_LIMIT
 622 
 623         Set of privileges that determines the absolute upper bound of
 624         privileges this process and its off-spring can obtain.