1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2015, Joyent, Inc. All rights reserved.
  24  *
  25 INSERT COMMENT
  26  */
  27 
  28 #
  29 # Privileges can be added to this file at any location, not
  30 # necessarily at the end.  For patches, it is probably best to
  31 # add the new privilege at the end; for ordinary releases privileges
  32 # should be ordered alphabetically.
  33 #
  34 
  35 privilege PRIV_CONTRACT_EVENT
  36 
  37         Allows a process to request critical events without limitation.
  38         Allows a process to request reliable delivery of all events on
  39         any event queue.
  40 
  41 privilege PRIV_CONTRACT_IDENTITY
  42 
  43         Allows a process to set the service FMRI value of a process
  44         contract template.
  45 
  46 privilege PRIV_CONTRACT_OBSERVER
  47 
  48         Allows a process to observe contract events generated by
  49         contracts created and owned by users other than the process's
  50         effective user ID.
  51         Allows a process to open contract event endpoints belonging to
  52         contracts created and owned by users other than the process's
  53         effective user ID.
  54 
  55 privilege PRIV_CPC_CPU
  56 
  57         Allow a process to access per-CPU hardware performance counters.
  58 
  59 privilege PRIV_DTRACE_KERNEL
  60 
  61         Allows DTrace kernel-level tracing.
  62 
  63 privilege PRIV_DTRACE_PROC
  64 
  65         Allows DTrace process-level tracing.
  66         Allows process-level tracing probes to be placed and enabled in
  67         processes to which the user has permissions.
  68 
  69 privilege PRIV_DTRACE_USER
  70 
  71         Allows DTrace user-level tracing.
  72         Allows use of the syscall and profile DTrace providers to
  73         examine processes to which the user has permissions.
  74 
  75 privilege PRIV_FILE_CHOWN
  76 
  77         Allows a process to change a file's owner user ID.
  78         Allows a process to change a file's group ID to one other than
  79         the process' effective group ID or one of the process'
  80         supplemental group IDs.
  81 
  82 privilege PRIV_FILE_CHOWN_SELF
  83 
  84         Allows a process to give away its files; a process with this
  85         privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
  86         in effect.
  87 
  88 privilege PRIV_FILE_DAC_EXECUTE
  89 
  90         Allows a process to execute an executable file whose permission
  91         bits or ACL do not allow the process execute permission.
  92 
  93 privilege PRIV_FILE_DAC_READ
  94 
  95         Allows a process to read a file or directory whose permission
  96         bits or ACL do not allow the process read permission.
  97 
  98 privilege PRIV_FILE_DAC_SEARCH
  99 
 100         Allows a process to search a directory whose permission bits or
 101         ACL do not allow the process search permission.
 102 
 103 privilege PRIV_FILE_DAC_WRITE
 104 
 105         Allows a process to write a file or directory whose permission
 106         bits or ACL do not allow the process write permission.
 107         In order to write files owned by uid 0 in the absence of an
 108         effective uid of 0 ALL privileges are required.
 109 
 110 privilege PRIV_FILE_DOWNGRADE_SL
 111 
 112         Allows a process to set the sensitivity label of a file or
 113         directory to a sensitivity label that does not dominate the
 114         existing sensitivity label.
 115         This privilege is interpreted only if the system is configured
 116         with Trusted Extensions.
 117 
 118 privilege PRIV_FILE_FLAG_SET
 119 
 120         Allows a process to set immutable, nounlink or appendonly
 121         file attributes.
 122 
 123 basic privilege PRIV_FILE_LINK_ANY
 124 
 125         Allows a process to create hardlinks to files owned by a uid
 126         different from the process' effective uid.
 127 
 128 privilege PRIV_FILE_OWNER
 129 
 130         Allows a process which is not the owner of a file or directory
 131         to perform the following operations that are normally permitted
 132         only for the file owner: modify that file's access and
 133         modification times; remove or rename a file or directory whose
 134         parent directory has the ``save text image after execution''
 135         (sticky) bit set; mount a ``namefs'' upon a file; modify
 136         permission bits or ACL except for the set-uid and set-gid
 137         bits.
 138 
 139 basic privilege PRIV_FILE_READ
 140 
 141         Allows a process to read objects in the filesystem.
 142 
 143 privilege PRIV_FILE_SETID
 144 
 145         Allows a process to change the ownership of a file or write to
 146         a file without the set-user-ID and set-group-ID bits being
 147         cleared.
 148         Allows a process to set the set-group-ID bit on a file or
 149         directory whose group is not the process' effective group or
 150         one of the process' supplemental groups.
 151         Allows a process to set the set-user-ID bit on a file with
 152         different ownership in the presence of PRIV_FILE_OWNER.
 153         Additional restrictions apply when creating or modifying a
 154         set-uid 0 file.
 155 
 156 privilege PRIV_FILE_UPGRADE_SL
 157 
 158         Allows a process to set the sensitivity label of a file or
 159         directory to a sensitivity label that dominates the existing
 160         sensitivity label.
 161         This privilege is interpreted only if the system is configured
 162         with Trusted Extensions.
 163 
 164 basic privilege PRIV_FILE_WRITE
 165 
 166         Allows a process to modify objects in the filesystem.
 167 
 168 privilege PRIV_GRAPHICS_ACCESS
 169 
 170         Allows a process to make privileged ioctls to graphics devices.
 171         Typically only xserver process needs to have this privilege.
 172         A process with this privilege is also allowed to perform
 173         privileged graphics device mappings.
 174 
 175 privilege PRIV_GRAPHICS_MAP
 176 
 177         Allows a process to perform privileged mappings through a
 178         graphics device.
 179 
 180 privilege PRIV_IPC_DAC_READ
 181 
 182         Allows a process to read a System V IPC
 183         Message Queue, Semaphore Set, or Shared Memory Segment whose
 184         permission bits do not allow the process read permission.
 185         Allows a process to read remote shared memory whose
 186         permission bits do not allow the process read permission.
 187 
 188 privilege PRIV_IPC_DAC_WRITE
 189 
 190         Allows a process to write a System V IPC
 191         Message Queue, Semaphore Set, or Shared Memory Segment whose
 192         permission bits do not allow the process write permission.
 193         Allows a process to read remote shared memory whose
 194         permission bits do not allow the process write permission.
 195         Additional restrictions apply if the owner of the object has uid 0
 196         and the effective uid of the current process is not 0.
 197 
 198 privilege PRIV_IPC_OWNER
 199 
 200         Allows a process which is not the owner of a System
 201         V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
 202         remove, change ownership of, or change permission bits of the
 203         Message Queue, Semaphore Set, or Shared Memory Segment.
 204         Additional restrictions apply if the owner of the object has uid 0
 205         and the effective uid of the current process is not 0.
 206 
 207 basic privilege PRIV_NET_ACCESS
 208 
 209         Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
 210 
 211 privilege PRIV_NET_BINDMLP
 212 
 213         Allow a process to bind to a port that is configured as a
 214         multi-level port(MLP) for the process's zone. This privilege
 215         applies to both shared address and zone-specific address MLPs.
 216         See tnzonecfg(4) from the Trusted Extensions manual pages for
 217         information on configuring MLP ports.
 218         This privilege is interpreted only if the system is configured
 219         with Trusted Extensions.
 220 
 221 privilege PRIV_NET_ICMPACCESS
 222 
 223         Allows a process to send and receive ICMP packets.
 224 
 225 privilege PRIV_NET_MAC_AWARE
 226 
 227         Allows a process to set NET_MAC_AWARE process flag by using
 228         setpflags(2). This privilege also allows a process to set
 229         SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
 230         The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
 231         option both allow a local process to communicate with an
 232         unlabeled peer if the local process' label dominates the
 233         peer's default label, or if the local process runs in the
 234         global zone.
 235         This privilege is interpreted only if the system is configured
 236         with Trusted Extensions.
 237 
 238 privilege PRIV_NET_MAC_IMPLICIT
 239 
 240         Allows a process to set SO_MAC_IMPLICIT option by using 
 241         setsockopt(3SOCKET).  This allows a privileged process to 
 242         transmit implicitly-labeled packets to a peer.
 243         This privilege is interpreted only if the system is configured
 244         with Trusted Extensions.
 245 
 246 privilege PRIV_NET_OBSERVABILITY
 247 
 248         Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
 249         while not requiring them to need PRIV_NET_RAWACCESS.
 250 
 251 privilege PRIV_NET_PRIVADDR
 252 
 253         Allows a process to bind to a privileged port
 254         number. The privilege port numbers are 1-1023 (the traditional
 255         UNIX privileged ports) as well as those ports marked as
 256         "udp/tcp_extra_priv_ports" with the exception of the ports
 257         reserved for use by NFS.
 258 
 259 privilege PRIV_NET_RAWACCESS
 260 
 261         Allows a process to have direct access to the network layer.
 262 
 263 unsafe privilege PRIV_PROC_AUDIT
 264 
 265         Allows a process to generate audit records.
 266         Allows a process to get its own audit pre-selection information.
 267 
 268 privilege PRIV_PROC_CHROOT
 269 
 270         Allows a process to change its root directory.
 271 
 272 privilege PRIV_PROC_CLOCK_HIGHRES
 273 
 274         Allows a process to use high resolution timers.
 275 
 276 basic privilege PRIV_PROC_EXEC
 277 
 278         Allows a process to call execve().
 279 
 280 basic privilege PRIV_PROC_FORK
 281 
 282         Allows a process to call fork1()/forkall()/vfork()
 283 
 284 basic privilege PRIV_PROC_INFO
 285 
 286         Allows a process to examine the status of processes other
 287         than those it can send signals to.  Processes which cannot
 288         be examined cannot be seen in /proc and appear not to exist.
 289 
 290 privilege PRIV_PROC_LOCK_MEMORY
 291 
 292         Allows a process to lock pages in physical memory.
 293 
 294 privilege PRIV_PROC_MEMINFO
 295 
 296         Allows a process to access physical memory information.
 297 
 298 privilege PRIV_PROC_OWNER
 299 
 300         Allows a process to send signals to other processes, inspect
 301         and modify process state to other processes regardless of
 302         ownership.  When modifying another process, additional
 303         restrictions apply:  the effective privilege set of the
 304         attaching process must be a superset of the target process'
 305         effective, permitted and inheritable sets; the limit set must
 306         be a superset of the target's limit set; if the target process
 307         has any uid set to 0 all privilege must be asserted unless the
 308         effective uid is 0.
 309         Allows a process to bind arbitrary processes to CPUs.
 310 
 311 privilege PRIV_PROC_PRIOUP
 312 
 313         Allows a process to elevate its priority above its current level.
 314 
 315 privilege PRIV_PROC_PRIOCNTL
 316 
 317         Allows all that PRIV_PROC_PRIOUP allows.
 318         Allows a process to change its scheduling class to any scheduling class,
 319         including the RT class.
 320 
 321 basic privilege PRIV_PROC_SECFLAGS
 322 
 323         Allows a process to manipulate the secflags of processes (subject to,
 324         additionally, the ability to signal that process)
 325 
 326 basic privilege PRIV_PROC_SESSION
 327 
 328         Allows a process to send signals or trace processes outside its
 329         session.
 330 
 331 unsafe privilege PRIV_PROC_SETID
 332 
 333         Allows a process to set its uids at will.
 334         Assuming uid 0 requires all privileges to be asserted.
 335 
 336 privilege PRIV_PROC_TASKID
 337 
 338         Allows a process to assign a new task ID to the calling process.
 339 
 340 privilege PRIV_PROC_ZONE
 341 
 342         Allows a process to trace or send signals to processes in
 343         other zones.
 344 
 345 privilege PRIV_SYS_ACCT
 346 
 347         Allows a process to enable and disable and manage accounting through
 348         acct(2), getacct(2), putacct(2) and wracct(2).
 349 
 350 privilege PRIV_SYS_ADMIN
 351 
 352         Allows a process to perform system administration tasks such
 353         as setting node and domain name and specifying nscd and coreadm
 354         settings.
 355 
 356 privilege PRIV_SYS_AUDIT
 357 
 358         Allows a process to start the (kernel) audit daemon.
 359         Allows a process to view and set audit state (audit user ID,
 360         audit terminal ID, audit sessions ID, audit pre-selection mask).
 361         Allows a process to turn off and on auditing.
 362         Allows a process to configure the audit parameters (cache and
 363         queue sizes, event to class mappings, policy options).
 364 
 365 privilege PRIV_SYS_CONFIG
 366 
 367         Allows a process to perform various system configuration tasks.
 368         Allows a process to add and remove swap devices; when adding a swap
 369         device, a process must also have sufficient privileges to read from
 370         and write to the swap device.
 371 
 372 privilege PRIV_SYS_DEVICES
 373 
 374         Allows a process to successfully call a kernel module that
 375         calls the kernel drv_priv(9F) function to check for allowed
 376         access.
 377         Allows a process to open the real console device directly.
 378         Allows a process to open devices that have been exclusively opened.
 379 
 380 privilege PRIV_SYS_IPC_CONFIG
 381 
 382         Allows a process to increase the size of a System V IPC Message
 383         Queue buffer.
 384 
 385 privilege PRIV_SYS_LINKDIR
 386 
 387         Allows a process to unlink and link directories.
 388 
 389 privilege PRIV_SYS_MOUNT
 390 
 391         Allows filesystem specific administrative procedures, such as
 392         filesystem configuration ioctls, quota calls and creation/deletion
 393         of snapshots.
 394         Allows a process to mount and unmount filesystems which would
 395         otherwise be restricted (i.e., most filesystems except
 396         namefs).
 397         A process performing a mount operation needs to have
 398         appropriate access to the device being mounted (read-write for
 399         "rw" mounts, read for "ro" mounts).
 400         A process performing any of the aforementioned
 401         filesystem operations needs to have read/write/owner
 402         access to the mount point.
 403         Only regular files and directories can serve as mount points
 404         for processes which do not have all zone privileges asserted.
 405         Unless a process has all zone privileges, the mount(2)
 406         system call will force the "nosuid" and "restrict" options, the
 407         latter only for autofs mountpoints.
 408         Regardless of privileges, a process running in a non-global zone may
 409         only control mounts performed from within said zone.
 410         Outside the global zone, the "nodevices" option is always forced.
 411 
 412 privilege PRIV_SYS_IPTUN_CONFIG
 413 
 414         Allows a process to configure IP tunnel links.
 415 
 416 privilege PRIV_SYS_DL_CONFIG
 417 
 418         Allows a process to configure all classes of datalinks, including
 419         configuration allowed by PRIV_SYS_IPTUN_CONFIG.
 420 
 421 privilege PRIV_SYS_IP_CONFIG
 422 
 423         Allows a process to configure a system's IP interfaces and routes.
 424         Allows a process to configure network parameters using ndd.
 425         Allows a process access to otherwise restricted information using ndd.
 426         Allows a process to configure IPsec.
 427         Allows a process to pop anchored STREAMs modules with matching zoneid.
 428 
 429 privilege PRIV_SYS_NET_CONFIG
 430 
 431         Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
 432         PRIV_SYS_PPP_CONFIG allow.
 433         Allows a process to push the rpcmod STREAMs module.
 434         Allows a process to INSERT/REMOVE STREAMs modules on locations other
 435         than the top of the module stack.
 436 
 437 privilege PRIV_SYS_NFS
 438 
 439         Allows a process to perform Sun private NFS specific system calls.
 440         Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
 441         and port 4045 (lockd).
 442 
 443 privilege PRIV_SYS_PPP_CONFIG
 444 
 445         Allows a process to create and destroy PPP (sppp) interfaces.
 446         Allows a process to configure PPP tunnels (sppptun).
 447 
 448 privilege PRIV_SYS_RES_BIND
 449 
 450         Allows a process to bind processes to processor sets.
 451 
 452 privilege PRIV_SYS_RES_CONFIG
 453 
 454         Allows all that PRIV_SYS_RES_BIND allows.
 455         Allows a process to create and delete processor sets, assign
 456         CPUs to processor sets and override the PSET_NOESCAPE property.
 457         Allows a process to change the operational status of CPUs in
 458         the system using p_online(2).
 459         Allows a process to configure resource pools and to bind
 460         processes to pools
 461 
 462 unsafe privilege PRIV_SYS_RESOURCE
 463 
 464         Allows a process to modify the resource limits specified
 465         by setrlimit(2) and setrctl(2) without restriction.
 466         Allows a process to exceed the per-user maximum number of
 467         processes.
 468         Allows a process to extend or create files on a filesystem that
 469         has less than minfree space in reserve.
 470 
 471 privilege PRIV_SYS_SMB
 472 
 473         Allows a process to access the Sun private SMB kernel module.
 474         Allows a process to bind to ports reserved by NetBIOS and SMB:
 475         ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
 476         Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
 477 
 478 privilege PRIV_SYS_SUSER_COMPAT
 479 
 480         Allows a process to successfully call a third party loadable module
 481         that calls the kernel suser() function to check for allowed access.
 482         This privilege exists only for third party loadable module
 483         compatibility and is not used by Solaris proper.
 484 
 485 privilege PRIV_SYS_TIME
 486 
 487         Allows a process to manipulate system time using any of the
 488         appropriate system calls: stime, adjtime, ntp_adjtime and
 489         the IA specific RTC calls.
 490 
 491 privilege PRIV_SYS_TRANS_LABEL
 492 
 493         Allows a process to translate labels that are not dominated
 494         by the process' sensitivity label to and from an external
 495         string form.
 496         This privilege is interpreted only if the system is configured
 497         with Trusted Extensions.
 498 
 499 privilege PRIV_VIRT_MANAGE
 500 
 501         Allows a process to manage virtualized environments such as
 502         xVM(5).
 503 
 504 privilege PRIV_WIN_COLORMAP
 505 
 506         Allows a process to override colormap restrictions.
 507         Allows a process to install or remove colormaps.
 508         Allows a process to retrieve colormap cell entries allocated
 509         by other processes.
 510         This privilege is interpreted only if the system is configured
 511         with Trusted Extensions.
 512 
 513 privilege PRIV_WIN_CONFIG
 514 
 515         Allows a process to configure or destroy resources that are
 516         permanently retained by the X server.
 517         Allows a process to use SetScreenSaver to set the screen
 518         saver timeout value.
 519         Allows a process to use ChangeHosts to modify the display
 520         access control list.
 521         Allows a process to use GrabServer.
 522         Allows a process to use the SetCloseDownMode request which
 523         may retain window, pixmap, colormap, property, cursor, font,
 524         or graphic context resources.
 525         This privilege is interpreted only if the system is configured
 526         with Trusted Extensions.
 527 
 528 privilege PRIV_WIN_DAC_READ
 529 
 530         Allows a process to read from a window resource that it does
 531         not own (has a different user ID).
 532         This privilege is interpreted only if the system is configured
 533         with Trusted Extensions.
 534 
 535 privilege PRIV_WIN_DAC_WRITE
 536 
 537         Allows a process to write to or create a window resource that
 538         it does not own (has a different user ID). A newly created
 539         window property is created with the window's user ID.
 540         This privilege is interpreted only if the system is configured
 541         with Trusted Extensions.
 542 
 543 privilege PRIV_WIN_DEVICES
 544 
 545         Allows a process to perform operations on window input devices.
 546         Allows a process to get and set keyboard and pointer controls.
 547         Allows a process to modify pointer button and key mappings.
 548         This privilege is interpreted only if the system is configured
 549         with Trusted Extensions.
 550 
 551 privilege PRIV_WIN_DGA
 552 
 553         Allows a process to use the direct graphics access (DGA) X protocol
 554         extensions. Direct process access to the frame buffer is still
 555         required. Thus the process must have MAC and DAC privileges that
 556         allow access to the frame buffer, or the frame buffer must be
 557         allocated to the process.
 558         This privilege is interpreted only if the system is configured
 559         with Trusted Extensions.
 560 
 561 privilege PRIV_WIN_DOWNGRADE_SL
 562 
 563         Allows a process to set the sensitivity label of a window resource
 564         to a sensitivity label that does not dominate the existing
 565         sensitivity label.
 566         This privilege is interpreted only if the system is configured
 567         with Trusted Extensions.
 568 
 569 privilege PRIV_WIN_FONTPATH
 570 
 571         Allows a process to set a font path.
 572         This privilege is interpreted only if the system is configured
 573         with Trusted Extensions.
 574 
 575 privilege PRIV_WIN_MAC_READ
 576 
 577         Allows a process to read from a window resource whose sensitivity
 578         label is not equal to the process sensitivity label.
 579         This privilege is interpreted only if the system is configured
 580         with Trusted Extensions.
 581 
 582 privilege PRIV_WIN_MAC_WRITE
 583 
 584         Allows a process to create a window resource whose sensitivity
 585         label is not equal to the process sensitivity label.
 586         A newly created window property is created with the window's
 587         sensitivity label.
 588         This privilege is interpreted only if the system is configured
 589         with Trusted Extensions.
 590 
 591 privilege PRIV_WIN_SELECTION
 592 
 593         Allows a process to request inter-window data moves without the
 594         intervention of the selection confirmer.
 595         This privilege is interpreted only if the system is configured
 596         with Trusted Extensions.
 597 
 598 privilege PRIV_WIN_UPGRADE_SL
 599 
 600         Allows a process to set the sensitivity label of a window
 601         resource to a sensitivity label that dominates the existing
 602         sensitivity label.
 603         This privilege is interpreted only if the system is configured
 604         with Trusted Extensions.
 605 
 606 privilege PRIV_XVM_CONTROL
 607 
 608         Allows a process access to the xVM(5) control devices for
 609         managing guest domains and the hypervisor. This privilege is
 610         used only if booted into xVM on x86 platforms.
 611 
 612 set PRIV_EFFECTIVE
 613 
 614         Set of privileges currently in effect.
 615 
 616 set PRIV_INHERITABLE
 617 
 618         Set of privileges that comes into effect on exec.
 619 
 620 set PRIV_PERMITTED
 621 
 622         Set of privileges that can be put into the effective set without
 623         restriction.
 624 
 625 set PRIV_LIMIT
 626 
 627         Set of privileges that determines the absolute upper bound of
 628         privileges this process and its off-spring can obtain.