1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013, Joyent, Inc. All rights reserved.
24 */
25
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/stat.h>
34 #include <sys/errno.h>
35 #include <sys/kmem.h>
36 #include <sys/user.h>
37 #include <sys/proc.h>
38 #include <sys/acct.h>
39 #include <sys/ipc_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/debug.h>
42 #include <sys/policy.h>
43 #include <sys/kobj.h>
44 #include <sys/msg.h>
45 #include <sys/devpolicy.h>
46 #include <c2/audit.h>
47 #include <sys/varargs.h>
48 #include <sys/klpd.h>
49 #include <sys/modctl.h>
50 #include <sys/disp.h>
51 #include <sys/zone.h>
52 #include <inet/optcom.h>
53 #include <sys/sdt.h>
54 #include <sys/vfs.h>
55 #include <sys/mntent.h>
56 #include <sys/contract_impl.h>
57 #include <sys/dld_ioc.h>
58
59 /*
60 * There are two possible layers of privilege routines and two possible
61 * levels of secpolicy. Plus one other we may not be interested in, so
62 * we may need as many as 6 but no more.
63 */
64 #define MAXPRIVSTACK 6
65
66 int priv_debug = 0;
67 int priv_basic_test = -1;
68
69 /*
70 * This file contains the majority of the policy routines.
71 * Since the policy routines are defined by function and not
72 * by privilege, there is quite a bit of duplication of
73 * functions.
74 *
75 * The secpolicy functions must not make assumptions about
76 * locks held or not held as any lock can be held while they're
77 * being called.
78 *
79 * Credentials are read-only so no special precautions need to
80 * be taken while locking them.
81 *
82 * When a new policy check needs to be added to the system the
83 * following procedure should be followed:
84 *
85 * Pick an appropriate secpolicy_*() function
86 * -> done if one exists.
87 * Create a new secpolicy function, preferably with
88 * a descriptive name using the standard template.
89 * Pick an appropriate privilege for the policy.
90 * If no appropraite privilege exists, define new one
91 * (this should be done with extreme care; in most cases
92 * little is gained by adding another privilege)
93 *
94 * WHY ROOT IS STILL SPECIAL.
95 *
96 * In a number of the policy functions, there are still explicit
97 * checks for uid 0. The rationale behind these is that many root
98 * owned files/objects hold configuration information which can give full
99 * privileges to the user once written to. To prevent escalation
100 * of privilege by allowing just a single privilege to modify root owned
101 * objects, we've added these root specific checks where we considered
102 * them necessary: modifying root owned files, changing uids to 0, etc.
103 *
104 * PRIVILEGE ESCALATION AND ZONES.
105 *
106 * A number of operations potentially allow the caller to achieve
107 * privileges beyond the ones normally required to perform the operation.
108 * For example, if allowed to create a setuid 0 executable, a process can
109 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
110 * restrictions on the ability to gain privileges beyond those available
111 * within the zone through file and process manipulation. Hence, such
112 * operations require that the caller have an effective set that includes
113 * all privileges available within the current zone, or all privileges
114 * if executing in the global zone.
115 *
116 * This is indicated in the priv_policy* policy checking functions
117 * through a combination of parameters. The "priv" parameter indicates
118 * the privilege that is required, and the "allzone" parameter indicates
119 * whether or not all privileges in the zone are required. In addition,
120 * priv can be set to PRIV_ALL to indicate that all privileges are
121 * required (regardless of zone). There are three scenarios of interest:
122 * (1) operation requires a specific privilege
123 * (2) operation requires a specific privilege, and requires all
124 * privileges available within the zone (or all privileges if in
125 * the global zone)
126 * (3) operation requires all privileges, regardless of zone
127 *
128 * For (1), priv should be set to the specific privilege, and allzone
129 * should be set to B_FALSE.
130 * For (2), priv should be set to the specific privilege, and allzone
131 * should be set to B_TRUE.
132 * For (3), priv should be set to PRIV_ALL, and allzone should be set
133 * to B_FALSE.
134 *
135 */
136
137 /*
138 * The privileges are checked against the Effective set for
139 * ordinary processes and checked against the Limit set
140 * for euid 0 processes that haven't manipulated their privilege
141 * sets.
142 */
143 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
144 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
145 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
147 HAS_ALLPRIVS(cr) : \
148 PRIV_ISMEMBER(&CR_OEPRIV(cr), pr))
149
150 #define FAST_BASIC_CHECK(cr, priv) \
151 if (PRIV_ISMEMBER(&CR_OEPRIV(cr), priv)) { \
152 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
153 return (0); \
154 }
155
156 /*
157 * Policy checking functions.
158 *
159 * All of the system's policy should be implemented here.
160 */
161
162 /*
163 * Private functions which take an additional va_list argument to
164 * implement an object specific policy override.
165 */
166 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
167 const char *, va_list);
168 static int priv_policy_va(const cred_t *, int, boolean_t, int,
169 const char *, ...);
170
171 /*
172 * Generic policy calls
173 *
174 * The "bottom" functions of policy control
175 */
176 static char *
177 mprintf(const char *fmt, ...)
178 {
179 va_list args;
180 char *buf;
181 size_t len;
182
183 va_start(args, fmt);
184 len = vsnprintf(NULL, 0, fmt, args) + 1;
185 va_end(args);
186
187 buf = kmem_alloc(len, KM_NOSLEEP);
188
189 if (buf == NULL)
190 return (NULL);
191
192 va_start(args, fmt);
193 (void) vsnprintf(buf, len, fmt, args);
194 va_end(args);
195
196 return (buf);
197 }
198
199 /*
200 * priv_policy_errmsg()
201 *
202 * Generate an error message if privilege debugging is enabled system wide
203 * or for this particular process.
204 */
205
206 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
207 #define FMTMSG " for \"%s\""
208 #define FMTFUN " needed at %s+0x%lx"
209
210 /* The maximum size privilege format: the concatenation of the above */
211 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
212
213 static void
214 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
215 {
216 struct proc *me;
217 pc_t stack[MAXPRIVSTACK];
218 int depth;
219 int i;
220 char *sym;
221 ulong_t off;
222 const char *pname;
223
224 char *cmd;
225 char fmt[sizeof (FMTMAX)];
226
227 if ((me = curproc) == &p0)
228 return;
229
230 /* Privileges must be defined */
231 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
232 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
233 priv_getbynum(priv) != NULL);
234
235 if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
236 priv = PRIV_ALL;
237
238 if (curthread->t_pre_sys)
239 ttolwp(curthread)->lwp_badpriv = (short)priv;
240
241 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
242 return;
243
244 (void) strcpy(fmt, FMTHDR);
245
246 if (me->p_user.u_comm[0])
247 cmd = &me->p_user.u_comm[0];
248 else
249 cmd = "priv_policy";
250
251 if (msg != NULL && *msg != '\0') {
252 (void) strcat(fmt, FMTMSG);
253 } else {
254 (void) strcat(fmt, "%s");
255 msg = "";
256 }
257
258 sym = NULL;
259
260 depth = getpcstack(stack, MAXPRIVSTACK);
261
262 /*
263 * Try to find the first interesting function on the stack.
264 * priv_policy* that's us, so completely uninteresting.
265 * suser(), drv_priv(), secpolicy_* are also called from
266 * too many locations to convey useful information.
267 */
268 for (i = 0; i < depth; i++) {
269 sym = kobj_getsymname((uintptr_t)stack[i], &off);
270 if (sym != NULL &&
271 strstr(sym, "hasprocperm") == 0 &&
272 strcmp("suser", sym) != 0 &&
273 strcmp("ipcaccess", sym) != 0 &&
274 strcmp("drv_priv", sym) != 0 &&
275 strncmp("secpolicy_", sym, 10) != 0 &&
276 strncmp("priv_policy", sym, 11) != 0)
277 break;
278 }
279
280 if (sym != NULL)
281 (void) strcat(fmt, FMTFUN);
282
283 (void) strcat(fmt, "\n");
284
285 switch (priv) {
286 case PRIV_ALL:
287 pname = "ALL";
288 break;
289 case PRIV_MULTIPLE:
290 pname = "MULTIPLE";
291 break;
292 case PRIV_ALLZONE:
293 pname = "ZONE";
294 break;
295 case PRIV_GLOBAL:
296 pname = "GLOBAL";
297 break;
298 default:
299 pname = priv_getbynum(priv);
300 break;
301 }
302
303 if (CR_FLAGS(cr) & PRIV_DEBUG) {
304 /* Remember last message, just like lwp_badpriv. */
305 if (curthread->t_pdmsg != NULL) {
306 kmem_free(curthread->t_pdmsg,
307 strlen(curthread->t_pdmsg) + 1);
308 }
309
310 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
311 cr->cr_uid, curthread->t_sysnum, msg, sym, off);
312
313 curthread->t_post_sys = 1;
314 }
315 if (priv_debug) {
316 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
317 curthread->t_sysnum, msg, sym, off);
318 }
319 }
320
321 /*
322 * Override the policy, if appropriate. Return 0 if the external
323 * policy engine approves.
324 */
325 static int
326 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
327 {
328 priv_set_t set;
329 int ret;
330
331 if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
332 return (-1);
333
334 if (priv == PRIV_ALL) {
335 priv_fillset(&set);
336 } else if (allzone) {
337 set = *ZONEPRIVS(cr);
338 } else {
339 priv_emptyset(&set);
340 priv_addset(&set, priv);
341 }
342 ret = klpd_call(cr, &set, ap);
343 return (ret);
344 }
345
346 static int
347 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
348 {
349 if (CR_FLAGS(cr) & PRIV_PFEXEC)
350 return (check_user_privs(cr, req));
351 if (CR_FLAGS(cr) & PRIV_XPOLICY) {
352 return (klpd_call(cr, req, ap));
353 }
354 return (-1);
355 }
356
357 static int
358 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
359 {
360 va_list ap;
361 int ret;
362
363 va_start(ap, req);
364 ret = priv_policy_override_set(cr, req, ap);
365 va_end(ap);
366 return (ret);
367 }
368
369 /*
370 * Audit failure, log error message.
371 */
372 static void
373 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
374 {
375
376 if (AU_AUDITING())
377 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
378 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
379
380 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
381 curthread->t_pre_sys) {
382 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
383 priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
384 } else {
385 ASSERT(!HAS_PRIVILEGE(cr, priv));
386 priv_policy_errmsg(cr, priv, msg);
387 }
388 }
389 }
390
391 /*
392 * priv_policy_ap()
393 * return 0 or error.
394 * See block comment above for a description of "priv" and "allzone" usage.
395 */
396 static int
397 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
398 const char *msg, va_list ap)
399 {
400 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
401 (!servicing_interrupt() &&
402 priv_policy_override(cr, priv, allzone, ap) == 0)) {
403 if ((allzone || priv == PRIV_ALL ||
404 !PRIV_ISMEMBER(priv_basic, priv)) &&
405 !servicing_interrupt()) {
406 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
407 if (AU_AUDITING())
408 audit_priv(priv,
409 allzone ? ZONEPRIVS(cr) : NULL, 1);
410 }
411 err = 0;
412 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
413 } else if (!servicing_interrupt()) {
414 /* Failure audited in this procedure */
415 priv_policy_err(cr, priv, allzone, msg);
416 }
417 return (err);
418 }
419
420 int
421 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
422 const char *msg, ...)
423 {
424 int ret;
425 va_list ap;
426
427 va_start(ap, msg);
428 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
429 va_end(ap);
430
431 return (ret);
432 }
433
434 int
435 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
436 const char *msg)
437 {
438 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
439 }
440
441 /*
442 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
443 */
444 boolean_t
445 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
446 {
447 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
448 (!allzone || HAS_ALLZONEPRIVS(cr));
449
450 /* Audit success only */
451 if (res && AU_AUDITING() &&
452 (allzone || priv == PRIV_ALL || !PRIV_ISMEMBER(priv_basic, priv)) &&
453 !servicing_interrupt()) {
454 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
455 }
456 if (res) {
457 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
458 } else {
459 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
460 }
461 return (res);
462 }
463
464 /*
465 * Non-auditing variant of priv_policy_choice().
466 */
467 boolean_t
468 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
469 {
470 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
471 (!allzone || HAS_ALLZONEPRIVS(cr));
472
473 if (res) {
474 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
475 } else {
476 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
477 }
478 return (res);
479 }
480
481 /*
482 * Check whether all privileges in the required set are present.
483 */
484 static int
485 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
486 const char *msg, ...)
487 {
488 int priv;
489 int pfound = -1;
490 priv_set_t pset;
491 va_list ap;
492 int ret;
493
494 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
495 &CR_OEPRIV(cr))) {
496 return (0);
497 }
498
499 va_start(ap, msg);
500 ret = priv_policy_override_set(cr, req, ap);
501 va_end(ap);
502 if (ret == 0)
503 return (0);
504
505 if (req == PRIV_FULLSET || priv_isfullset(req)) {
506 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
507 return (EACCES);
508 }
509
510 pset = CR_OEPRIV(cr); /* present privileges */
511 priv_inverse(&pset); /* all non present privileges */
512 priv_intersect(req, &pset); /* the actual missing privs */
513
514 if (AU_AUDITING())
515 audit_priv(PRIV_NONE, &pset, 0);
516 /*
517 * Privilege debugging; special case "one privilege in set".
518 */
519 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
520 for (priv = 0; priv < nprivs; priv++) {
521 if (priv_ismember(&pset, priv)) {
522 if (pfound != -1) {
523 /* Multiple missing privs */
524 priv_policy_errmsg(cr, PRIV_MULTIPLE,
525 msg);
526 return (EACCES);
527 }
528 pfound = priv;
529 }
530 }
531 ASSERT(pfound != -1);
532 /* Just the one missing privilege */
533 priv_policy_errmsg(cr, pfound, msg);
534 }
535
536 return (EACCES);
537 }
538
539 /*
540 * Called when an operation requires that the caller be in the
541 * global zone, regardless of privilege.
542 */
543 static int
544 priv_policy_global(const cred_t *cr)
545 {
546 if (crgetzoneid(cr) == GLOBAL_ZONEID)
547 return (0); /* success */
548
549 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
550 curthread->t_pre_sys) {
551 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
552 }
553 return (EPERM);
554 }
555
556 /*
557 * Raising process priority
558 */
559 int
560 secpolicy_raisepriority(const cred_t *cr)
561 {
562 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
563 return (0);
564 return (secpolicy_setpriority(cr));
565 }
566
567 /*
568 * Changing process priority or scheduling class
569 */
570 int
571 secpolicy_setpriority(const cred_t *cr)
572 {
573 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
574 }
575
576 /*
577 * Binding to a privileged port, port must be specified in host byte
578 * order.
579 * When adding a new privilege which allows binding to currently privileged
580 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
581 * to these ports because of backward compatibility.
582 */
583 int
584 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
585 {
586 char *reason;
587 int priv;
588
589 switch (port) {
590 case 137:
591 case 138:
592 case 139:
593 case 445:
594 /*
595 * NBT and SMB ports, these are normal privileged ports,
596 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
597 * is present.
598 * Try both, if neither is present return an error for
599 * priv SYS_SMB.
600 */
601 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
602 priv = PRIV_NET_PRIVADDR;
603 else
604 priv = PRIV_SYS_SMB;
605 reason = "NBT or SMB port";
606 break;
607
608 case 2049:
609 case 4045:
610 /*
611 * NFS ports, these are extra privileged ports, allow bind
612 * only if the SYS_NFS privilege is present.
613 */
614 priv = PRIV_SYS_NFS;
615 reason = "NFS port";
616 break;
617
618 default:
619 priv = PRIV_NET_PRIVADDR;
620 reason = NULL;
621 break;
622
623 }
624
625 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
626 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
627 }
628
629 /*
630 * Binding to a multilevel port on a trusted (labeled) system.
631 */
632 int
633 secpolicy_net_bindmlp(const cred_t *cr)
634 {
635 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
636 }
637
638 /*
639 * Allow a communication between a zone and an unlabeled host when their
640 * labels don't match.
641 */
642 int
643 secpolicy_net_mac_aware(const cred_t *cr)
644 {
645 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
646 }
647
648 /*
649 * Allow a privileged process to transmit traffic without explicit labels
650 */
651 int
652 secpolicy_net_mac_implicit(const cred_t *cr)
653 {
654 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
655 }
656
657 /*
658 * Common routine which determines whether a given credential can
659 * act on a given mount.
660 * When called through mount, the parameter needoptcheck is a pointer
661 * to a boolean variable which will be set to either true or false,
662 * depending on whether the mount policy should change the mount options.
663 * In all other cases, needoptcheck should be a NULL pointer.
664 */
665 static int
666 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
667 boolean_t *needoptcheck)
668 {
669 boolean_t allzone = B_FALSE;
670 boolean_t mounting = needoptcheck != NULL;
671
672 /*
673 * Short circuit the following cases:
674 * vfsp == NULL or mvp == NULL (pure privilege check)
675 * have all privileges - no further checks required
676 * and no mount options need to be set.
677 */
678 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
679 if (mounting)
680 *needoptcheck = B_FALSE;
681
682 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
683 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
684 }
685
686 /*
687 * When operating on an existing mount (either we're not mounting
688 * or we're doing a remount and VFS_REMOUNT will be set), zones
689 * can operate only on mounts established by the zone itself.
690 */
691 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
692 zoneid_t zoneid = crgetzoneid(cr);
693
694 if (zoneid != GLOBAL_ZONEID &&
695 vfsp->vfs_zone->zone_id != zoneid) {
696 return (EPERM);
697 }
698 }
699
700 if (mounting)
701 *needoptcheck = B_TRUE;
702
703 /*
704 * Overlay mounts may hide important stuff; if you can't write to a
705 * mount point but would be able to mount on top of it, you can
706 * escalate your privileges.
707 * So we go about asking the same questions namefs does when it
708 * decides whether you can mount over a file or not but with the
709 * added restriction that you can only mount on top of a regular
710 * file or directory.
711 * If we have all the zone's privileges, we skip all other checks,
712 * or else we may actually get in trouble inside the automounter.
713 */
714 if ((mvp->v_flag & VROOT) != 0 ||
715 (mvp->v_type != VDIR && mvp->v_type != VREG) ||
716 HAS_ALLZONEPRIVS(cr)) {
717 allzone = B_TRUE;
718 } else {
719 vattr_t va;
720 int err;
721
722 va.va_mask = AT_UID|AT_MODE;
723 err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
724 if (err != 0)
725 return (err);
726
727 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
728 return (err);
729
730 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
731 VWRITE) != 0) {
732 return (EACCES);
733 }
734 }
735 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
736 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
737 }
738
739 void
740 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
741 {
742 boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
743
744 /*
745 * check; if we don't have either "nosuid" or
746 * both "nosetuid" and "nodevices", then we add
747 * "nosuid"; this depends on how the current
748 * implementation works (it first checks nosuid). In a
749 * zone, a user with all zone privileges can mount with
750 * "setuid" but never with "devices".
751 */
752 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
753 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
754 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
755 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
756 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
757 else
758 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
759 }
760 /*
761 * If we're not the local super user, we set the "restrict"
762 * option to indicate to automountd that this mount should
763 * be handled with care.
764 */
765 if (!amsuper)
766 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
767
768 }
769
770 int
771 secpolicy_fs_allowed_mount(const char *fsname)
772 {
773 struct vfssw *vswp;
774 const char *p;
775 size_t len;
776
777 ASSERT(fsname != NULL);
778 ASSERT(fsname[0] != '\0');
779
780 if (INGLOBALZONE(curproc))
781 return (0);
782
783 vswp = vfs_getvfssw(fsname);
784 if (vswp == NULL)
785 return (ENOENT);
786
787 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
788 vfs_unrefvfssw(vswp);
789 return (0);
790 }
791
792 vfs_unrefvfssw(vswp);
793
794 p = curzone->zone_fs_allowed;
795 len = strlen(fsname);
796
797 while (p != NULL && *p != '\0') {
798 if (strncmp(p, fsname, len) == 0) {
799 char c = *(p + len);
800 if (c == '\0' || c == ',')
801 return (0);
802 }
803
804 /* skip to beyond the next comma */
805 if ((p = strchr(p, ',')) != NULL)
806 p++;
807 }
808
809 return (EPERM);
810 }
811
812 extern vnode_t *rootvp;
813 extern vfs_t *rootvfs;
814
815 int
816 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
817 {
818 boolean_t needoptchk;
819 int error;
820
821 /*
822 * If it's a remount, get the underlying mount point,
823 * except for the root where we use the rootvp.
824 */
825 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
826 if (vfsp == rootvfs)
827 mvp = rootvp;
828 else
829 mvp = vfsp->vfs_vnodecovered;
830 }
831
832 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
833
834 if (error == 0 && needoptchk) {
835 secpolicy_fs_mount_clearopts(cr, vfsp);
836 }
837
838 return (error);
839 }
840
841 /*
842 * Does the policy computations for "ownership" of a mount;
843 * here ownership is defined as the ability to "mount"
844 * the filesystem originally. The rootvfs doesn't cover any
845 * vnodes; we attribute its ownership to the rootvp.
846 */
847 static int
848 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
849 {
850 vnode_t *mvp;
851
852 if (vfsp == NULL)
853 mvp = NULL;
854 else if (vfsp == rootvfs)
855 mvp = rootvp;
856 else
857 mvp = vfsp->vfs_vnodecovered;
858
859 return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
860 }
861
862 int
863 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
864 {
865 return (secpolicy_fs_owner(cr, vfsp));
866 }
867
868 /*
869 * Quotas are a resource, but if one has the ability to mount a filesystem, he
870 * should be able to modify quotas on it.
871 */
872 int
873 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
874 {
875 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
876 }
877
878 /*
879 * Exceeding minfree: also a per-mount resource constraint.
880 */
881 int
882 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
883 {
884 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
885 }
886
887 int
888 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
889 {
890 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
891 }
892
893 /* ARGSUSED */
894 int
895 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
896 {
897 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
898 }
899
900 /*
901 * Name: secpolicy_vnode_access()
902 *
903 * Parameters: Process credential
904 * vnode
905 * uid of owner of vnode
906 * permission bits not granted to the caller when examining
907 * file mode bits (i.e., when a process wants to open a
908 * mode 444 file for VREAD|VWRITE, this function should be
909 * called only with a VWRITE argument).
910 *
911 * Normal: Verifies that cred has the appropriate privileges to
912 * override the mode bits that were denied.
913 *
914 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
915 * not a directory.
916 * file_dac_read - if VREAD bit was denied.
917 * file_dac_search - if VEXEC bit was denied and vnode is
918 * a directory.
919 * file_dac_write - if VWRITE bit was denied.
920 *
921 * Root owned files are special cased to protect system
922 * configuration files and such.
923 *
924 * Output: EACCES - if privilege check fails.
925 */
926
927 int
928 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
929 {
930 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
931 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
932 KLPDARG_NOMORE) != 0) {
933 return (EACCES);
934 }
935
936 if (mode & VWRITE) {
937 boolean_t allzone;
938
939 if (owner == 0 && cr->cr_uid != 0)
940 allzone = B_TRUE;
941 else
942 allzone = B_FALSE;
943 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
944 NULL, KLPDARG_VNODE, vp, (char *)NULL,
945 KLPDARG_NOMORE) != 0) {
946 return (EACCES);
947 }
948 }
949
950 if (mode & VEXEC) {
951 /*
952 * Directories use file_dac_search to override the execute bit.
953 */
954 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
955 PRIV_FILE_DAC_EXECUTE;
956
957 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
958 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
959 }
960 return (0);
961 }
962
963 /*
964 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
965 * current mode of the file, not the missing bits.
966 */
967 int
968 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
969 mode_t curmode, mode_t wantmode)
970 {
971 mode_t mode;
972
973 /* Inline the basic privileges tests. */
974 if ((wantmode & VREAD) &&
975 !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
976 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
977 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
978 return (EACCES);
979 }
980
981 if ((wantmode & VWRITE) &&
982 !PRIV_ISMEMBER(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
983 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
984 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
985 return (EACCES);
986 }
987
988 mode = ~curmode & wantmode;
989
990 if (mode == 0)
991 return (0);
992
993 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
994 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
995 KLPDARG_NOMORE) != 0) {
996 return (EACCES);
997 }
998
999 if (mode & VWRITE) {
1000 boolean_t allzone;
1001
1002 if (owner == 0 && cr->cr_uid != 0)
1003 allzone = B_TRUE;
1004 else
1005 allzone = B_FALSE;
1006 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1007 NULL, KLPDARG_VNODE, vp, (char *)NULL,
1008 KLPDARG_NOMORE) != 0) {
1009 return (EACCES);
1010 }
1011 }
1012
1013 if (mode & VEXEC) {
1014 /*
1015 * Directories use file_dac_search to override the execute bit.
1016 */
1017 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1018 PRIV_FILE_DAC_EXECUTE;
1019
1020 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1021 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1022 }
1023 return (0);
1024 }
1025
1026 /*
1027 * This is a special routine for ZFS; it is used to determine whether
1028 * any of the privileges in effect allow any form of access to the
1029 * file. There's no reason to audit this or any reason to record
1030 * this. More work is needed to do the "KPLD" stuff.
1031 */
1032 int
1033 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1034 {
1035 static int privs[] = {
1036 PRIV_FILE_OWNER,
1037 PRIV_FILE_CHOWN,
1038 PRIV_FILE_DAC_READ,
1039 PRIV_FILE_DAC_WRITE,
1040 PRIV_FILE_DAC_EXECUTE,
1041 PRIV_FILE_DAC_SEARCH,
1042 };
1043 int i;
1044
1045 /* Same as secpolicy_vnode_setdac */
1046 if (owner == cr->cr_uid)
1047 return (0);
1048
1049 for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1050 boolean_t allzone = B_FALSE;
1051 int priv;
1052
1053 switch (priv = privs[i]) {
1054 case PRIV_FILE_DAC_EXECUTE:
1055 if (vp->v_type == VDIR)
1056 continue;
1057 break;
1058 case PRIV_FILE_DAC_SEARCH:
1059 if (vp->v_type != VDIR)
1060 continue;
1061 break;
1062 case PRIV_FILE_DAC_WRITE:
1063 case PRIV_FILE_OWNER:
1064 case PRIV_FILE_CHOWN:
1065 /* We know here that if owner == 0, that cr_uid != 0 */
1066 allzone = owner == 0;
1067 break;
1068 }
1069 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1070 return (0);
1071 }
1072 return (EPERM);
1073 }
1074
1075 /*
1076 * Name: secpolicy_vnode_setid_modify()
1077 *
1078 * Normal: verify that subject can set the file setid flags.
1079 *
1080 * Output: EPERM - if not privileged.
1081 */
1082
1083 static int
1084 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1085 {
1086 /* If changing to suid root, must have all zone privs */
1087 boolean_t allzone = B_TRUE;
1088
1089 if (owner != 0) {
1090 if (owner == cr->cr_uid)
1091 return (0);
1092 allzone = B_FALSE;
1093 }
1094 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1095 }
1096
1097 /*
1098 * Are we allowed to retain the set-uid/set-gid bits when
1099 * changing ownership or when writing to a file?
1100 * "issuid" should be true when set-uid; only in that case
1101 * root ownership is checked (setgid is assumed).
1102 */
1103 int
1104 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1105 {
1106 if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1107 return (EPERM);
1108
1109 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1110 }
1111
1112 /*
1113 * Name: secpolicy_vnode_setids_setgids()
1114 *
1115 * Normal: verify that subject can set the file setgid flag.
1116 *
1117 * Output: EPERM - if not privileged
1118 */
1119
1120 int
1121 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1122 {
1123 if (!groupmember(gid, cred))
1124 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1125 NULL));
1126 return (0);
1127 }
1128
1129 /*
1130 * Name: secpolicy_vnode_chown
1131 *
1132 * Normal: Determine if subject can chown owner of a file.
1133 *
1134 * Output: EPERM - if access denied
1135 */
1136
1137 int
1138 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1139 {
1140 boolean_t is_owner = (owner == crgetuid(cred));
1141 boolean_t allzone = B_FALSE;
1142 int priv;
1143
1144 if (!is_owner) {
1145 allzone = (owner == 0);
1146 priv = PRIV_FILE_CHOWN;
1147 } else {
1148 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1149 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1150 }
1151
1152 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1153 }
1154
1155 /*
1156 * Name: secpolicy_vnode_create_gid
1157 *
1158 * Normal: Determine if subject can change group ownership of a file.
1159 *
1160 * Output: EPERM - if access denied
1161 */
1162 int
1163 secpolicy_vnode_create_gid(const cred_t *cred)
1164 {
1165 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1166 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1167 NULL));
1168 else
1169 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1170 NULL));
1171 }
1172
1173 /*
1174 * Name: secpolicy_vnode_utime_modify()
1175 *
1176 * Normal: verify that subject can modify the utime on a file.
1177 *
1178 * Output: EPERM - if access denied.
1179 */
1180
1181 static int
1182 secpolicy_vnode_utime_modify(const cred_t *cred)
1183 {
1184 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1185 "modify file times"));
1186 }
1187
1188
1189 /*
1190 * Name: secpolicy_vnode_setdac()
1191 *
1192 * Normal: verify that subject can modify the mode of a file.
1193 * allzone privilege needed when modifying root owned object.
1194 *
1195 * Output: EPERM - if access denied.
1196 */
1197
1198 int
1199 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1200 {
1201 if (owner == cred->cr_uid)
1202 return (0);
1203
1204 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1205 }
1206 /*
1207 * Name: secpolicy_vnode_stky_modify()
1208 *
1209 * Normal: verify that subject can make a file a "sticky".
1210 *
1211 * Output: EPERM - if access denied.
1212 */
1213
1214 int
1215 secpolicy_vnode_stky_modify(const cred_t *cred)
1216 {
1217 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1218 "set file sticky"));
1219 }
1220
1221 /*
1222 * Policy determines whether we can remove an entry from a directory,
1223 * regardless of permission bits.
1224 */
1225 int
1226 secpolicy_vnode_remove(const cred_t *cr)
1227 {
1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1229 "sticky directory"));
1230 }
1231
1232 int
1233 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1234 {
1235 boolean_t allzone = (owner == 0);
1236
1237 if (owner == cr->cr_uid)
1238 return (0);
1239
1240 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1241 }
1242
1243 void
1244 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1245 {
1246 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1247 secpolicy_vnode_setid_retain(cr,
1248 (vap->va_mode & S_ISUID) != 0 &&
1249 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1250 vap->va_mask |= AT_MODE;
1251 vap->va_mode &= ~(S_ISUID|S_ISGID);
1252 }
1253 }
1254
1255 int
1256 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1257 cred_t *cr)
1258 {
1259 int error;
1260
1261 if ((vap->va_mode & S_ISUID) != 0 &&
1262 (error = secpolicy_vnode_setid_modify(cr,
1263 ovap->va_uid)) != 0) {
1264 return (error);
1265 }
1266
1267 /*
1268 * Check privilege if attempting to set the
1269 * sticky bit on a non-directory.
1270 */
1271 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1272 secpolicy_vnode_stky_modify(cr) != 0) {
1273 vap->va_mode &= ~S_ISVTX;
1274 }
1275
1276 /*
1277 * Check for privilege if attempting to set the
1278 * group-id bit.
1279 */
1280 if ((vap->va_mode & S_ISGID) != 0 &&
1281 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1282 vap->va_mode &= ~S_ISGID;
1283 }
1284
1285 return (0);
1286 }
1287
1288 #define ATTR_FLAG_PRIV(attr, value, cr) \
1289 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1290 B_FALSE, EPERM, NULL)
1291
1292 /*
1293 * Check privileges for setting xvattr attributes
1294 */
1295 int
1296 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1297 {
1298 xoptattr_t *xoap;
1299 int error = 0;
1300
1301 if ((xoap = xva_getxoptattr(xvap)) == NULL)
1302 return (EINVAL);
1303
1304 /*
1305 * First process the DOS bits
1306 */
1307 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1308 XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1309 XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1310 XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1311 XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1312 XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1313 XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1314 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1315 return (error);
1316 }
1317
1318 /*
1319 * Now handle special attributes
1320 */
1321
1322 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1323 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1324 xoap->xoa_immutable, cr);
1325 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1326 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1327 xoap->xoa_nounlink, cr);
1328 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1329 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1330 xoap->xoa_appendonly, cr);
1331 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1332 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1333 xoap->xoa_nodump, cr);
1334 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1335 error = EPERM;
1336 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1337 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1338 xoap->xoa_av_quarantined, cr);
1339 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1340 error = EINVAL;
1341 }
1342 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1343 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1344 xoap->xoa_av_modified, cr);
1345 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1346 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1347 xoap->xoa_av_scanstamp, cr);
1348 if (error == 0 && vtype != VREG)
1349 error = EINVAL;
1350 }
1351 return (error);
1352 }
1353
1354 /*
1355 * This function checks the policy decisions surrounding the
1356 * vop setattr call.
1357 *
1358 * It should be called after sufficient locks have been established
1359 * on the underlying data structures. No concurrent modifications
1360 * should be allowed.
1361 *
1362 * The caller must pass in unlocked version of its vaccess function
1363 * this is required because vop_access function should lock the
1364 * node for reading. A three argument function should be defined
1365 * which accepts the following argument:
1366 * A pointer to the internal "node" type (inode *)
1367 * vnode access bits (VREAD|VWRITE|VEXEC)
1368 * a pointer to the credential
1369 *
1370 * This function makes the following policy decisions:
1371 *
1372 * - change permissions
1373 * - permission to change file mode if not owner
1374 * - permission to add sticky bit to non-directory
1375 * - permission to add set-gid bit
1376 *
1377 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1378 *
1379 * If the vap argument does not include AT_MODE, the mode will be copied from
1380 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1381 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1382 * is updated to the newly computed mode.
1383 */
1384
1385 int
1386 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1387 const struct vattr *ovap, int flags,
1388 int unlocked_access(void *, int, cred_t *),
1389 void *node)
1390 {
1391 int mask = vap->va_mask;
1392 int error = 0;
1393 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1394
1395 if (mask & AT_SIZE) {
1396 if (vp->v_type == VDIR) {
1397 error = EISDIR;
1398 goto out;
1399 }
1400
1401 /*
1402 * If ATTR_NOACLCHECK is set in the flags, then we don't
1403 * perform the secondary unlocked_access() call since the
1404 * ACL (if any) is being checked there.
1405 */
1406 if (skipaclchk == B_FALSE) {
1407 error = unlocked_access(node, VWRITE, cr);
1408 if (error)
1409 goto out;
1410 }
1411 }
1412 if (mask & AT_MODE) {
1413 /*
1414 * If not the owner of the file then check privilege
1415 * for two things: the privilege to set the mode at all
1416 * and, if we're setting setuid, we also need permissions
1417 * to add the set-uid bit, if we're not the owner.
1418 * In the specific case of creating a set-uid root
1419 * file, we need even more permissions.
1420 */
1421 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1422 goto out;
1423
1424 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1425 ovap, cr)) != 0)
1426 goto out;
1427 } else
1428 vap->va_mode = ovap->va_mode;
1429
1430 if (mask & (AT_UID|AT_GID)) {
1431 boolean_t checkpriv = B_FALSE;
1432
1433 /*
1434 * Chowning files.
1435 *
1436 * If you are the file owner:
1437 * chown to other uid FILE_CHOWN_SELF
1438 * chown to gid (non-member) FILE_CHOWN_SELF
1439 * chown to gid (member) <none>
1440 *
1441 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1442 * acceptable but the first one is reported when debugging.
1443 *
1444 * If you are not the file owner:
1445 * chown from root PRIV_FILE_CHOWN + zone
1446 * chown from other to any PRIV_FILE_CHOWN
1447 *
1448 */
1449 if (cr->cr_uid != ovap->va_uid) {
1450 checkpriv = B_TRUE;
1451 } else {
1452 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1453 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1454 !groupmember(vap->va_gid, cr))) {
1455 checkpriv = B_TRUE;
1456 }
1457 }
1458 /*
1459 * If necessary, check privilege to see if update can be done.
1460 */
1461 if (checkpriv &&
1462 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1463 goto out;
1464 }
1465
1466 /*
1467 * If the file has either the set UID or set GID bits
1468 * set and the caller can set the bits, then leave them.
1469 */
1470 secpolicy_setid_clear(vap, cr);
1471 }
1472 if (mask & (AT_ATIME|AT_MTIME)) {
1473 /*
1474 * If not the file owner and not otherwise privileged,
1475 * always return an error when setting the
1476 * time other than the current (ATTR_UTIME flag set).
1477 * If setting the current time (ATTR_UTIME not set) then
1478 * unlocked_access will check permissions according to policy.
1479 */
1480 if (cr->cr_uid != ovap->va_uid) {
1481 if (flags & ATTR_UTIME)
1482 error = secpolicy_vnode_utime_modify(cr);
1483 else if (skipaclchk == B_FALSE) {
1484 error = unlocked_access(node, VWRITE, cr);
1485 if (error == EACCES &&
1486 secpolicy_vnode_utime_modify(cr) == 0)
1487 error = 0;
1488 }
1489 if (error)
1490 goto out;
1491 }
1492 }
1493
1494 /*
1495 * Check for optional attributes here by checking the following:
1496 */
1497 if (mask & AT_XVATTR)
1498 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1499 vp->v_type);
1500 out:
1501 return (error);
1502 }
1503
1504 /*
1505 * Name: secpolicy_pcfs_modify_bootpartition()
1506 *
1507 * Normal: verify that subject can modify a pcfs boot partition.
1508 *
1509 * Output: EACCES - if privilege check failed.
1510 */
1511 /*ARGSUSED*/
1512 int
1513 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1514 {
1515 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1516 "modify pcfs boot partition"));
1517 }
1518
1519 /*
1520 * System V IPC routines
1521 */
1522 int
1523 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1524 {
1525 if (crgetzoneid(cr) != ip->ipc_zoneid ||
1526 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1527 boolean_t allzone = B_FALSE;
1528 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1529 allzone = B_TRUE;
1530 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1531 }
1532 return (0);
1533 }
1534
1535 int
1536 secpolicy_ipc_config(const cred_t *cr)
1537 {
1538 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1539 }
1540
1541 int
1542 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1543 {
1544
1545 boolean_t allzone = B_FALSE;
1546
1547 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1548
1549 if ((mode & MSG_R) &&
1550 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1551 return (EACCES);
1552
1553 if (mode & MSG_W) {
1554 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1555 allzone = B_TRUE;
1556
1557 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1558 NULL));
1559 }
1560 return (0);
1561 }
1562
1563 int
1564 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1565 {
1566 boolean_t allzone = B_FALSE;
1567
1568 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1569
1570 if ((mode & MSG_R) &&
1571 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1572 return (EACCES);
1573
1574 if (mode & MSG_W) {
1575 if (cr->cr_uid != 0 && owner == 0)
1576 allzone = B_TRUE;
1577
1578 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1579 NULL));
1580 }
1581 return (0);
1582 }
1583
1584 /*
1585 * Audit configuration.
1586 */
1587 int
1588 secpolicy_audit_config(const cred_t *cr)
1589 {
1590 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1591 }
1592
1593 /*
1594 * Audit record generation.
1595 */
1596 int
1597 secpolicy_audit_modify(const cred_t *cr)
1598 {
1599 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1600 }
1601
1602 /*
1603 * Get audit attributes.
1604 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1605 * "Least" of the two privileges on error.
1606 */
1607 int
1608 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1609 {
1610 int priv;
1611
1612 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1613 priv = PRIV_SYS_AUDIT;
1614 else
1615 priv = PRIV_PROC_AUDIT;
1616
1617 if (checkonly)
1618 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1619 else
1620 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1621 }
1622
1623
1624 /*
1625 * Locking physical memory
1626 */
1627 int
1628 secpolicy_lock_memory(const cred_t *cr)
1629 {
1630 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1631 }
1632
1633 /*
1634 * Accounting (both acct(2) and exacct).
1635 */
1636 int
1637 secpolicy_acct(const cred_t *cr)
1638 {
1639 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1640 }
1641
1642 /*
1643 * Is this process privileged to change its uids at will?
1644 * Uid 0 is still considered "special" and having the SETID
1645 * privilege is not sufficient to get uid 0.
1646 * Files are owned by root, so the privilege would give
1647 * full access and euid 0 is still effective.
1648 *
1649 * If you have the privilege and euid 0 only then do you
1650 * get the powers of root wrt uid 0.
1651 *
1652 * For gid manipulations, this is should be called with an
1653 * uid of -1.
1654 *
1655 */
1656 int
1657 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1658 {
1659 boolean_t allzone = B_FALSE;
1660
1661 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1662 cr->cr_ruid != 0) {
1663 allzone = B_TRUE;
1664 }
1665
1666 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1667 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1668 }
1669
1670
1671 /*
1672 * Acting on a different process: if the mode is for writing,
1673 * the restrictions are more severe. This is called after
1674 * we've verified that the uids do not match.
1675 */
1676 int
1677 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1678 {
1679 boolean_t allzone = B_FALSE;
1680
1681 if ((mode & VWRITE) && scr->cr_uid != 0 &&
1682 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1683 allzone = B_TRUE;
1684
1685 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1686 }
1687
1688 int
1689 secpolicy_proc_access(const cred_t *scr)
1690 {
1691 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1692 }
1693
1694 int
1695 secpolicy_proc_excl_open(const cred_t *scr)
1696 {
1697 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1698 }
1699
1700 int
1701 secpolicy_proc_zone(const cred_t *scr)
1702 {
1703 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1704 }
1705
1706 /*
1707 * Destroying the system
1708 */
1709
1710 int
1711 secpolicy_kmdb(const cred_t *scr)
1712 {
1713 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1714 }
1715
1716 int
1717 secpolicy_error_inject(const cred_t *scr)
1718 {
1719 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1720 }
1721
1722 /*
1723 * Processor sets, cpu configuration, resource pools.
1724 */
1725 int
1726 secpolicy_pset(const cred_t *cr)
1727 {
1728 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1729 }
1730
1731 /* Process security flags */
1732 int
1733 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1734 {
1735 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1736 return (EPERM);
1737
1738 if (!prochasprocperm(tp, sp, cr))
1739 return (EPERM);
1740
1741 return (0);
1742 }
1743
1744 /*
1745 * Processor set binding.
1746 */
1747 int
1748 secpolicy_pbind(const cred_t *cr)
1749 {
1750 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1751 return (secpolicy_pset(cr));
1752 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1753 }
1754
1755 int
1756 secpolicy_ponline(const cred_t *cr)
1757 {
1758 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1759 }
1760
1761 int
1762 secpolicy_pool(const cred_t *cr)
1763 {
1764 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1765 }
1766
1767 int
1768 secpolicy_blacklist(const cred_t *cr)
1769 {
1770 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1771 }
1772
1773 /*
1774 * Catch all system configuration.
1775 */
1776 int
1777 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1778 {
1779 if (checkonly) {
1780 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1781 EPERM);
1782 } else {
1783 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1784 }
1785 }
1786
1787 /*
1788 * Zone administration (halt, reboot, etc.) from within zone.
1789 */
1790 int
1791 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1792 {
1793 if (checkonly) {
1794 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1795 EPERM);
1796 } else {
1797 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1798 NULL));
1799 }
1800 }
1801
1802 /*
1803 * Zone configuration (create, halt, enter).
1804 */
1805 int
1806 secpolicy_zone_config(const cred_t *cr)
1807 {
1808 /*
1809 * Require all privileges to avoid possibility of privilege
1810 * escalation.
1811 */
1812 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1813 }
1814
1815 /*
1816 * Various other system configuration calls
1817 */
1818 int
1819 secpolicy_coreadm(const cred_t *cr)
1820 {
1821 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1822 }
1823
1824 int
1825 secpolicy_systeminfo(const cred_t *cr)
1826 {
1827 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1828 }
1829
1830 int
1831 secpolicy_dispadm(const cred_t *cr)
1832 {
1833 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1834 }
1835
1836 int
1837 secpolicy_settime(const cred_t *cr)
1838 {
1839 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1840 }
1841
1842 /*
1843 * For realtime users: high resolution clock.
1844 */
1845 int
1846 secpolicy_clock_highres(const cred_t *cr)
1847 {
1848 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1849 NULL));
1850 }
1851
1852 /*
1853 * drv_priv() is documented as callable from interrupt context, not that
1854 * anyone ever does, but still. No debugging or auditing can be done when
1855 * it is called from interrupt context.
1856 * returns 0 on succes, EPERM on failure.
1857 */
1858 int
1859 drv_priv(cred_t *cr)
1860 {
1861 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1862 }
1863
1864 int
1865 secpolicy_sys_devices(const cred_t *cr)
1866 {
1867 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1868 }
1869
1870 int
1871 secpolicy_excl_open(const cred_t *cr)
1872 {
1873 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1874 }
1875
1876 int
1877 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1878 {
1879 /* zone.* rctls can only be set from the global zone */
1880 if (is_zone_rctl && priv_policy_global(cr) != 0)
1881 return (EPERM);
1882 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1883 }
1884
1885 int
1886 secpolicy_resource(const cred_t *cr)
1887 {
1888 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1889 }
1890
1891 int
1892 secpolicy_resource_anon_mem(const cred_t *cr)
1893 {
1894 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1895 }
1896
1897 /*
1898 * Processes with a real uid of 0 escape any form of accounting, much
1899 * like before.
1900 */
1901 int
1902 secpolicy_newproc(const cred_t *cr)
1903 {
1904 if (cr->cr_ruid == 0)
1905 return (0);
1906
1907 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1908 }
1909
1910 /*
1911 * Networking
1912 */
1913 int
1914 secpolicy_net_rawaccess(const cred_t *cr)
1915 {
1916 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1917 }
1918
1919 int
1920 secpolicy_net_observability(const cred_t *cr)
1921 {
1922 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1923 }
1924
1925 /*
1926 * Need this privilege for accessing the ICMP device
1927 */
1928 int
1929 secpolicy_net_icmpaccess(const cred_t *cr)
1930 {
1931 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1932 }
1933
1934 /*
1935 * There are a few rare cases where the kernel generates ioctls() from
1936 * interrupt context with a credential of kcred rather than NULL.
1937 * In those cases, we take the safe and cheap test.
1938 */
1939 int
1940 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1941 {
1942 if (checkonly) {
1943 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1944 0 : EPERM);
1945 } else {
1946 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1947 NULL));
1948 }
1949 }
1950
1951
1952 /*
1953 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1954 *
1955 * There are a few rare cases where the kernel generates ioctls() from
1956 * interrupt context with a credential of kcred rather than NULL.
1957 * In those cases, we take the safe and cheap test.
1958 */
1959 int
1960 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1961 {
1962 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1963 return (secpolicy_net_config(cr, checkonly));
1964
1965 if (checkonly) {
1966 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1967 0 : EPERM);
1968 } else {
1969 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1970 NULL));
1971 }
1972 }
1973
1974 /*
1975 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1976 */
1977 int
1978 secpolicy_dl_config(const cred_t *cr)
1979 {
1980 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1981 return (secpolicy_net_config(cr, B_FALSE));
1982 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1983 }
1984
1985 /*
1986 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1987 */
1988 int
1989 secpolicy_iptun_config(const cred_t *cr)
1990 {
1991 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1992 return (secpolicy_net_config(cr, B_FALSE));
1993 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1994 return (secpolicy_dl_config(cr));
1995 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1996 }
1997
1998 /*
1999 * Map IP pseudo privileges to actual privileges.
2000 * So we don't need to recompile IP when we change the privileges.
2001 */
2002 int
2003 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2004 {
2005 int priv = PRIV_ALL;
2006
2007 switch (netpriv) {
2008 case OP_CONFIG:
2009 priv = PRIV_SYS_IP_CONFIG;
2010 break;
2011 case OP_RAW:
2012 priv = PRIV_NET_RAWACCESS;
2013 break;
2014 case OP_PRIVPORT:
2015 priv = PRIV_NET_PRIVADDR;
2016 break;
2017 }
2018 ASSERT(priv != PRIV_ALL);
2019 if (checkonly)
2020 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2021 else
2022 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2023 }
2024
2025 /*
2026 * Map network pseudo privileges to actual privileges.
2027 * So we don't need to recompile IP when we change the privileges.
2028 */
2029 int
2030 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2031 {
2032 int priv = PRIV_ALL;
2033
2034 switch (netpriv) {
2035 case OP_CONFIG:
2036 priv = PRIV_SYS_NET_CONFIG;
2037 break;
2038 case OP_RAW:
2039 priv = PRIV_NET_RAWACCESS;
2040 break;
2041 case OP_PRIVPORT:
2042 priv = PRIV_NET_PRIVADDR;
2043 break;
2044 }
2045 ASSERT(priv != PRIV_ALL);
2046 if (checkonly)
2047 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2048 else
2049 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2050 }
2051
2052 /*
2053 * Checks for operations that are either client-only or are used by
2054 * both clients and servers.
2055 */
2056 int
2057 secpolicy_nfs(const cred_t *cr)
2058 {
2059 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2060 }
2061
2062 /*
2063 * Special case for opening rpcmod: have NFS privileges or network
2064 * config privileges.
2065 */
2066 int
2067 secpolicy_rpcmod_open(const cred_t *cr)
2068 {
2069 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2070 return (secpolicy_nfs(cr));
2071 else
2072 return (secpolicy_net_config(cr, NULL));
2073 }
2074
2075 int
2076 secpolicy_chroot(const cred_t *cr)
2077 {
2078 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2079 }
2080
2081 int
2082 secpolicy_tasksys(const cred_t *cr)
2083 {
2084 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2085 }
2086
2087 int
2088 secpolicy_meminfo(const cred_t *cr)
2089 {
2090 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2091 }
2092
2093 int
2094 secpolicy_pfexec_register(const cred_t *cr)
2095 {
2096 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2097 }
2098
2099 /*
2100 * Basic privilege checks.
2101 */
2102 int
2103 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2104 {
2105 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2106
2107 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2108 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2109 }
2110
2111 int
2112 secpolicy_basic_fork(const cred_t *cr)
2113 {
2114 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2115
2116 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2117 }
2118
2119 int
2120 secpolicy_basic_proc(const cred_t *cr)
2121 {
2122 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2123
2124 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2125 }
2126
2127 /*
2128 * Slightly complicated because we don't want to trigger the policy too
2129 * often. First we shortcircuit access to "self" (tp == sp) or if
2130 * we don't have the privilege but if we have permission
2131 * just return (0) and we don't flag the privilege as needed.
2132 * Else, we test for the privilege because we either have it or need it.
2133 */
2134 int
2135 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2136 {
2137 if (tp == sp ||
2138 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2139 return (0);
2140 } else {
2141 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2142 }
2143 }
2144
2145 int
2146 secpolicy_basic_link(const cred_t *cr)
2147 {
2148 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2149
2150 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2151 }
2152
2153 int
2154 secpolicy_basic_net_access(const cred_t *cr)
2155 {
2156 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2157
2158 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2159 }
2160
2161 /* ARGSUSED */
2162 int
2163 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2164 {
2165 FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2166
2167 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2168 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2169 }
2170
2171 /* ARGSUSED */
2172 int
2173 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2174 {
2175 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2176
2177 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2178 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2179 }
2180
2181 /*
2182 * Additional device protection.
2183 *
2184 * Traditionally, a device has specific permissions on the node in
2185 * the filesystem which govern which devices can be opened by what
2186 * processes. In certain cases, it is desirable to add extra
2187 * restrictions, as writing to certain devices is identical to
2188 * having a complete run of the system.
2189 *
2190 * This mechanism is called the device policy.
2191 *
2192 * When a device is opened, its policy entry is looked up in the
2193 * policy cache and checked.
2194 */
2195 int
2196 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2197 {
2198 devplcy_t *plcy;
2199 int err;
2200 struct snode *csp = VTOS(common_specvp(vp));
2201 priv_set_t pset;
2202
2203 mutex_enter(&csp->s_lock);
2204
2205 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2206 plcy = devpolicy_find(vp);
2207 if (csp->s_plcy)
2208 dpfree(csp->s_plcy);
2209 csp->s_plcy = plcy;
2210 ASSERT(plcy != NULL);
2211 } else
2212 plcy = csp->s_plcy;
2213
2214 if (plcy == nullpolicy) {
2215 mutex_exit(&csp->s_lock);
2216 return (0);
2217 }
2218
2219 dphold(plcy);
2220
2221 mutex_exit(&csp->s_lock);
2222
2223 if (oflag & FWRITE)
2224 pset = plcy->dp_wrp;
2225 else
2226 pset = plcy->dp_rdp;
2227 /*
2228 * Special case:
2229 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2230 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2231 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2232 * in the required privilege set before doing the check.
2233 */
2234 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2235 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2236 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2237 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2238 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2239 }
2240
2241 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2242 dpfree(plcy);
2243
2244 return (err);
2245 }
2246
2247 int
2248 secpolicy_modctl(const cred_t *cr, int cmd)
2249 {
2250 switch (cmd) {
2251 case MODINFO:
2252 case MODGETMAJBIND:
2253 case MODGETPATH:
2254 case MODGETPATHLEN:
2255 case MODGETNAME:
2256 case MODGETFBNAME:
2257 case MODGETDEVPOLICY:
2258 case MODGETDEVPOLICYBYNAME:
2259 case MODDEVT2INSTANCE:
2260 case MODSIZEOF_DEVID:
2261 case MODGETDEVID:
2262 case MODSIZEOF_MINORNAME:
2263 case MODGETMINORNAME:
2264 case MODGETDEVFSPATH_LEN:
2265 case MODGETDEVFSPATH:
2266 case MODGETDEVFSPATH_MI_LEN:
2267 case MODGETDEVFSPATH_MI:
2268 /* Unprivileged */
2269 return (0);
2270 case MODLOAD:
2271 case MODSETDEVPOLICY:
2272 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2273 KLPDARG_NONE));
2274 default:
2275 return (secpolicy_sys_config(cr, B_FALSE));
2276 }
2277 }
2278
2279 int
2280 secpolicy_console(const cred_t *cr)
2281 {
2282 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2283 }
2284
2285 int
2286 secpolicy_power_mgmt(const cred_t *cr)
2287 {
2288 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2289 }
2290
2291 /*
2292 * Simulate terminal input; another escalation of privileges avenue.
2293 */
2294
2295 int
2296 secpolicy_sti(const cred_t *cr)
2297 {
2298 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2299 }
2300
2301 boolean_t
2302 secpolicy_net_reply_equal(const cred_t *cr)
2303 {
2304 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2305 }
2306
2307 int
2308 secpolicy_swapctl(const cred_t *cr)
2309 {
2310 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2311 }
2312
2313 int
2314 secpolicy_cpc_cpu(const cred_t *cr)
2315 {
2316 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2317 }
2318
2319 /*
2320 * secpolicy_contract_identity
2321 *
2322 * Determine if the subject may set the process contract FMRI value
2323 */
2324 int
2325 secpolicy_contract_identity(const cred_t *cr)
2326 {
2327 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2328 }
2329
2330 /*
2331 * secpolicy_contract_observer
2332 *
2333 * Determine if the subject may observe a specific contract's events.
2334 */
2335 int
2336 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2337 {
2338 if (contract_owned(ct, cr, B_FALSE))
2339 return (0);
2340 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2341 }
2342
2343 /*
2344 * secpolicy_contract_observer_choice
2345 *
2346 * Determine if the subject may observe any contract's events. Just
2347 * tests privilege and audits on success.
2348 */
2349 boolean_t
2350 secpolicy_contract_observer_choice(const cred_t *cr)
2351 {
2352 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2353 }
2354
2355 /*
2356 * secpolicy_contract_event
2357 *
2358 * Determine if the subject may request critical contract events or
2359 * reliable contract event delivery.
2360 */
2361 int
2362 secpolicy_contract_event(const cred_t *cr)
2363 {
2364 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2365 }
2366
2367 /*
2368 * secpolicy_contract_event_choice
2369 *
2370 * Determine if the subject may retain contract events in its critical
2371 * set when a change in other terms would normally require a change in
2372 * the critical set. Just tests privilege and audits on success.
2373 */
2374 boolean_t
2375 secpolicy_contract_event_choice(const cred_t *cr)
2376 {
2377 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2378 }
2379
2380 /*
2381 * secpolicy_gart_access
2382 *
2383 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2384 * device.
2385 */
2386 int
2387 secpolicy_gart_access(const cred_t *cr)
2388 {
2389 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2390 }
2391
2392 /*
2393 * secpolicy_gart_map
2394 *
2395 * Determine if the subject has sufficient priveleges to map aperture range
2396 * through agpgart driver.
2397 */
2398 int
2399 secpolicy_gart_map(const cred_t *cr)
2400 {
2401 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2402 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2403 NULL));
2404 } else {
2405 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2406 NULL));
2407 }
2408 }
2409
2410 /*
2411 * secpolicy_zinject
2412 *
2413 * Determine if the subject can inject faults in the ZFS fault injection
2414 * framework. Requires all privileges.
2415 */
2416 int
2417 secpolicy_zinject(const cred_t *cr)
2418 {
2419 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2420 }
2421
2422 /*
2423 * secpolicy_zfs
2424 *
2425 * Determine if the subject has permission to manipulate ZFS datasets
2426 * (not pools). Equivalent to the SYS_MOUNT privilege.
2427 */
2428 int
2429 secpolicy_zfs(const cred_t *cr)
2430 {
2431 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2432 }
2433
2434 /*
2435 * secpolicy_idmap
2436 *
2437 * Determine if the calling process has permissions to register an SID
2438 * mapping daemon and allocate ephemeral IDs.
2439 */
2440 int
2441 secpolicy_idmap(const cred_t *cr)
2442 {
2443 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2444 }
2445
2446 /*
2447 * secpolicy_ucode_update
2448 *
2449 * Determine if the subject has sufficient privilege to update microcode.
2450 */
2451 int
2452 secpolicy_ucode_update(const cred_t *scr)
2453 {
2454 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2455 }
2456
2457 /*
2458 * secpolicy_sadopen
2459 *
2460 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2461 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2462 * In global zone, sys_config is required.
2463 * In exclusive-IP zones, sys_ip_config is required.
2464 * Note that sys_config is prohibited in non-global zones.
2465 */
2466 int
2467 secpolicy_sadopen(const cred_t *credp)
2468 {
2469 priv_set_t pset;
2470
2471 priv_emptyset(&pset);
2472
2473 if (crgetzoneid(credp) == GLOBAL_ZONEID)
2474 priv_addset(&pset, PRIV_SYS_CONFIG);
2475 else
2476 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2477
2478 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2479 }
2480
2481
2482 /*
2483 * Add privileges to a particular privilege set; this is called when the
2484 * current sets of privileges are not sufficient. I.e., we should always
2485 * call the policy override functions from here.
2486 * What we are allowed to have is in the Observed Permitted set; so
2487 * we compute the difference between that and the newset.
2488 */
2489 int
2490 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2491 {
2492 priv_set_t rqd;
2493
2494 rqd = CR_OPPRIV(cr);
2495
2496 priv_inverse(&rqd);
2497 priv_intersect(nset, &rqd);
2498
2499 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2500 }
2501
2502 /*
2503 * secpolicy_smb
2504 *
2505 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2506 * that it has permission to access the smbsrv kernel driver.
2507 * PRIV_POLICY checks the privilege and audits the check.
2508 *
2509 * Returns:
2510 * 0 Driver access is allowed.
2511 * EPERM Driver access is NOT permitted.
2512 */
2513 int
2514 secpolicy_smb(const cred_t *cr)
2515 {
2516 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2517 }
2518
2519 /*
2520 * secpolicy_vscan
2521 *
2522 * Determine if cred_t has the necessary privileges to access a file
2523 * for virus scanning and update its extended system attributes.
2524 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2525 * PRIV_FILE_FLAG_SET - set extended system attributes
2526 *
2527 * PRIV_POLICY checks the privilege and audits the check.
2528 *
2529 * Returns:
2530 * 0 file access for virus scanning allowed.
2531 * EPERM file access for virus scanning is NOT permitted.
2532 */
2533 int
2534 secpolicy_vscan(const cred_t *cr)
2535 {
2536 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2537 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2538 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2539 return (EPERM);
2540 }
2541
2542 return (0);
2543 }
2544
2545 /*
2546 * secpolicy_smbfs_login
2547 *
2548 * Determines if the caller can add and delete the smbfs login
2549 * password in the the nsmb kernel module for the CIFS client.
2550 *
2551 * Returns:
2552 * 0 access is allowed.
2553 * EPERM access is NOT allowed.
2554 */
2555 int
2556 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2557 {
2558 uid_t cruid = crgetruid(cr);
2559
2560 if (cruid == uid)
2561 return (0);
2562 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2563 EPERM, NULL));
2564 }
2565
2566 /*
2567 * secpolicy_xvm_control
2568 *
2569 * Determines if a caller can control the xVM hypervisor and/or running
2570 * domains (x86 specific).
2571 *
2572 * Returns:
2573 * 0 access is allowed.
2574 * EPERM access is NOT allowed.
2575 */
2576 int
2577 secpolicy_xvm_control(const cred_t *cr)
2578 {
2579 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2580 return (EPERM);
2581 return (0);
2582 }
2583
2584 /*
2585 * secpolicy_ppp_config
2586 *
2587 * Determine if the subject has sufficient privileges to configure PPP and
2588 * PPP-related devices.
2589 */
2590 int
2591 secpolicy_ppp_config(const cred_t *cr)
2592 {
2593 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2594 return (secpolicy_net_config(cr, B_FALSE));
2595 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2596 }