/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2015, Joyent, Inc. All rights reserved.
 *
INSERT COMMENT
 */

#
# Privileges can be added to this file at any location, not
# necessarily at the end. For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#
34
privilege PRIV_CONTRACT_EVENT

Allows a process to request critical events without limitation.
Allows a process to request reliable delivery of all events on
any event queue.

privilege PRIV_CONTRACT_IDENTITY

Allows a process to set the service FMRI value of a process
contract template.

privilege PRIV_CONTRACT_OBSERVER

Allows a process to observe contract events generated by
contracts created and owned by users other than the process's
effective user ID.
Allows a process to open contract event endpoints belonging to
contracts created and owned by users other than the process's
effective user ID.

privilege PRIV_CPC_CPU

Allows a process to access per-CPU hardware performance counters.
58
privilege PRIV_DTRACE_KERNEL

Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

Allows DTrace process-level tracing.
Allows process-level tracing probes to be placed and enabled in
processes to which the user has permissions.

privilege PRIV_DTRACE_USER

Allows DTrace user-level tracing.
Allows use of the syscall and profile DTrace providers to
examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

Allows a process to change a file's owner user ID.
Allows a process to change a file's group ID to one other than
the process' effective group ID or one of the process'
supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

Allows a process to give away its files; a process with this
privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
in effect.

privilege PRIV_FILE_DAC_EXECUTE

Allows a process to execute an executable file whose permission
bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

Allows a process to read a file or directory whose permission
bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

Allows a process to search a directory whose permission bits or
ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

Allows a process to write a file or directory whose permission
bits or ACL do not allow the process write permission.
In order to write files owned by uid 0 in the absence of an
effective uid of 0, ALL privileges are required.
109
privilege PRIV_FILE_DOWNGRADE_SL

Allows a process to set the sensitivity label of a file or
directory to a sensitivity label that does not dominate the
existing sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_FILE_FLAG_SET

Allows a process to set immutable, nounlink or appendonly
file attributes.

basic privilege PRIV_FILE_LINK_ANY

Allows a process to create hardlinks to files owned by a uid
different from the process' effective uid.

privilege PRIV_FILE_OWNER

Allows a process which is not the owner of a file or directory
to perform the following operations that are normally permitted
only for the file owner: modify that file's access and
modification times; remove or rename a file or directory whose
parent directory has the "save text image after execution"
(sticky) bit set; mount a "namefs" upon a file; modify
permission bits or ACL except for the set-uid and set-gid
bits.

basic privilege PRIV_FILE_READ

Allows a process to read objects in the filesystem.

privilege PRIV_FILE_SETID

Allows a process to change the ownership of a file or write to
a file without the set-user-ID and set-group-ID bits being
cleared.
Allows a process to set the set-group-ID bit on a file or
directory whose group is not the process' effective group or
one of the process' supplemental groups.
Allows a process to set the set-user-ID bit on a file with
different ownership in the presence of PRIV_FILE_OWNER.
Additional restrictions apply when creating or modifying a
set-uid 0 file.

privilege PRIV_FILE_UPGRADE_SL

Allows a process to set the sensitivity label of a file or
directory to a sensitivity label that dominates the existing
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

basic privilege PRIV_FILE_WRITE

Allows a process to modify objects in the filesystem.
167
privilege PRIV_GRAPHICS_ACCESS

Allows a process to make privileged ioctls to graphics devices.
Typically only the X server process needs to have this privilege.
A process with this privilege is also allowed to perform
privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP

Allows a process to perform privileged mappings through a
graphics device.

privilege PRIV_IPC_DAC_READ

Allows a process to read a System V IPC
Message Queue, Semaphore Set, or Shared Memory Segment whose
permission bits do not allow the process read permission.
Allows a process to read remote shared memory whose
permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

Allows a process to write a System V IPC
Message Queue, Semaphore Set, or Shared Memory Segment whose
permission bits do not allow the process write permission.
Allows a process to write remote shared memory whose
permission bits do not allow the process write permission.
Additional restrictions apply if the owner of the object has uid 0
and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

Allows a process which is not the owner of a System
V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
remove, change ownership of, or change permission bits of the
Message Queue, Semaphore Set, or Shared Memory Segment.
Additional restrictions apply if the owner of the object has uid 0
and the effective uid of the current process is not 0.
206
basic privilege PRIV_NET_ACCESS

Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.

privilege PRIV_NET_BINDMLP

Allows a process to bind to a port that is configured as a
multi-level port (MLP) for the process's zone. This privilege
applies to both shared address and zone-specific address MLPs.
See tnzonecfg(4) from the Trusted Extensions manual pages for
information on configuring MLP ports.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_NET_ICMPACCESS

Allows a process to send and receive ICMP packets.

privilege PRIV_NET_MAC_AWARE

Allows a process to set the NET_MAC_AWARE process flag by using
setpflags(2). This privilege also allows a process to set the
SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
option both allow a local process to communicate with an
unlabeled peer if the local process' label dominates the
peer's default label, or if the local process runs in the
global zone.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_NET_MAC_IMPLICIT

Allows a process to set the SO_MAC_IMPLICIT option by using
setsockopt(3SOCKET). This allows a privileged process to
transmit implicitly-labeled packets to a peer.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_NET_OBSERVABILITY

Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
without requiring PRIV_NET_RAWACCESS.

privilege PRIV_NET_PRIVADDR

Allows a process to bind to a privileged port
number. The privileged port numbers are 1-1023 (the traditional
UNIX privileged ports) as well as those ports marked as
"udp/tcp_extra_priv_ports" with the exception of the ports
reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

Allows a process to have direct access to the network layer.
262
unsafe privilege PRIV_PROC_AUDIT

Allows a process to generate audit records.
Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

Allows a process to call execve().

basic privilege PRIV_PROC_FORK

Allows a process to call fork1()/forkall()/vfork().

basic privilege PRIV_PROC_INFO

Allows a process to examine the status of processes other
than those it can send signals to. Processes which cannot
be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

Allows a process to lock pages in physical memory.

privilege PRIV_PROC_MEMINFO

Allows a process to access physical memory information.

privilege PRIV_PROC_OWNER

Allows a process to send signals to other processes, and to inspect
and modify the process state of other processes, regardless of
ownership. When modifying another process, additional
restrictions apply: the effective privilege set of the
attaching process must be a superset of the target process'
effective, permitted and inheritable sets; the limit set must
be a superset of the target's limit set; if the target process
has any uid set to 0, all privileges must be asserted unless the
effective uid is 0.
Allows a process to bind arbitrary processes to CPUs.
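
The attach rules above, as an added example that is not code from priv_defs or illumos: a constructed C model in which each privilege set is one 64-bit mask (the kernel uses priv_set_t) with a few named bits, and proc_owner_check applies the three restrictions to a caller modifying a process it does not own. creds_t, the named bits, the result codes and the demo scenarios are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not illumos code: one 64-bit mask per privilege set
 * (the kernel uses priv_set_t); only the bits this example needs are named. */
typedef uint64_t privmask_t;

#define PRIV_PROC_OWNER   (1ULL << 0)
#define PRIV_NET_PRIVADDR (1ULL << 1)
#define PRIV_SYS_ADMIN    (1ULL << 2)
/* "all privileges" in this toy model: the union of every bit defined above */
#define PRIV_FULL (PRIV_PROC_OWNER | PRIV_NET_PRIVADDR | PRIV_SYS_ADMIN)

typedef struct {
    privmask_t e, p, i, l;     /* effective, permitted, inheritable, limit */
    uint32_t ruid, euid, suid; /* real, effective and saved uid */
} creds_t;

enum owner_result {
    ATTACH_OK = 0,
    ATTACH_NO_PROC_OWNER,   /* attacher has no PRIV_PROC_OWNER in its E set */
    ATTACH_SETS_NOT_SUPER,  /* attacher E is not a superset of target E|P|I */
    ATTACH_LIMIT_NOT_SUPER, /* attacher L is not a superset of target L */
    ATTACH_TARGET_UID0      /* target has a uid 0; attacher neither euid 0 nor fully privileged */
};

static bool superset(privmask_t a, privmask_t b) { return (a & b) == b; }

/* PRIV_PROC_OWNER rules for modifying a process the caller does not own. */
enum owner_result proc_owner_check(const creds_t *att, const creds_t *tgt)
{
    if (!(att->e & PRIV_PROC_OWNER))
        return ATTACH_NO_PROC_OWNER;
    if (!superset(att->e, tgt->e | tgt->p | tgt->i))
        return ATTACH_SETS_NOT_SUPER;
    if (!superset(att->l, tgt->l))
        return ATTACH_LIMIT_NOT_SUPER;
    bool tgt_uid0 = tgt->ruid == 0 || tgt->euid == 0 || tgt->suid == 0;
    if (tgt_uid0 && att->euid != 0 && att->e != PRIV_FULL)
        return ATTACH_TARGET_UID0;
    return ATTACH_OK;
}

/* Constructed scenarios: a uid-200 debugger holding PRIV_PROC_OWNER attaches
 * to a uid-100 daemon that holds only PRIV_NET_PRIVADDR. */
enum owner_result demo(int scenario)
{
    creds_t att = { .e = PRIV_PROC_OWNER | PRIV_NET_PRIVADDR,
                    .p = PRIV_PROC_OWNER | PRIV_NET_PRIVADDR, .i = 0,
                    .l = PRIV_FULL, .ruid = 200, .euid = 200, .suid = 200 };
    creds_t tgt = { .e = PRIV_NET_PRIVADDR, .p = PRIV_NET_PRIVADDR, .i = 0,
                    .l = PRIV_FULL, .ruid = 100, .euid = 100, .suid = 100 };
    switch (scenario) {
    case 1: tgt.euid = 0; break;                /* target runs with euid 0 */
    case 2: att.l = att.p; break;               /* attacher's limit set was reduced */
    case 3: tgt.p |= PRIV_SYS_ADMIN; break;     /* target holds a privilege the attacher lacks */
    case 4: tgt.euid = 0; att.euid = 0; break;  /* euid-0 attacher may modify a uid-0 target */
    default: break;
    }
    return proc_owner_check(&att, &tgt);
}

int main(void)
{
    for (int s = 0; s <= 4; s++)
        printf("scenario %d -> %d\n", s, demo(s));
    return 0;
}
```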
310
privilege PRIV_PROC_PRIOUP

Allows a process to elevate its priority above its current level.

privilege PRIV_PROC_PRIOCNTL

Allows all that PRIV_PROC_PRIOUP allows.
Allows a process to change its scheduling class to any scheduling class,
including the RT class.

basic privilege PRIV_PROC_SECFLAGS

Allows a process to manipulate the secflags of processes (subject,
additionally, to the ability to signal that process).

basic privilege PRIV_PROC_SESSION

Allows a process to send signals or trace processes outside its
session.

unsafe privilege PRIV_PROC_SETID

Allows a process to set its uids at will.
Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

Allows a process to trace or send signals to processes in
other zones.
344
privilege PRIV_SYS_ACCT

Allows a process to enable, disable and manage accounting through
acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

Allows a process to perform system administration tasks such
as setting node and domain name and specifying nscd and coreadm
settings.

privilege PRIV_SYS_AUDIT

Allows a process to start the (kernel) audit daemon.
Allows a process to view and set audit state (audit user ID,
audit terminal ID, audit session ID, audit pre-selection mask).
Allows a process to turn auditing off and on.
Allows a process to configure the audit parameters (cache and
queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

Allows a process to perform various system configuration tasks.
Allows a process to add and remove swap devices; when adding a swap
device, a process must also have sufficient privileges to read from
and write to the swap device.

privilege PRIV_SYS_DEVICES

Allows a process to successfully call a kernel module that
calls the kernel drv_priv(9F) function to check for allowed
access.
Allows a process to open the real console device directly.
Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

Allows a process to increase the size of a System V IPC Message
Queue buffer.

privilege PRIV_SYS_LINKDIR

Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

Allows filesystem-specific administrative procedures, such as
filesystem configuration ioctls, quota calls and creation/deletion
of snapshots.
Allows a process to mount and unmount filesystems which would
otherwise be restricted (i.e., most filesystems except
namefs).
A process performing a mount operation needs to have
appropriate access to the device being mounted (read-write for
"rw" mounts, read for "ro" mounts).
A process performing any of the aforementioned
filesystem operations needs to have read/write/owner
access to the mount point.
Only regular files and directories can serve as mount points
for processes which do not have all zone privileges asserted.
Unless a process has all zone privileges, the mount(2)
system call will force the "nosuid" and "restrict" options, the
latter only for autofs mountpoints.
Regardless of privileges, a process running in a non-global zone may
only control mounts performed from within said zone.
Outside the global zone, the "nodevices" option is always forced.
411
privilege PRIV_SYS_IPTUN_CONFIG

Allows a process to configure IP tunnel links.

privilege PRIV_SYS_DL_CONFIG

Allows a process to configure all classes of datalinks, including
configuration allowed by PRIV_SYS_IPTUN_CONFIG.

privilege PRIV_SYS_IP_CONFIG

Allows a process to configure a system's IP interfaces and routes.
Allows a process to configure network parameters using ndd.
Allows a process access to otherwise restricted information using ndd.
Allows a process to configure IPsec.
Allows a process to pop anchored STREAMS modules with a matching zoneid.

privilege PRIV_SYS_NET_CONFIG

Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
PRIV_SYS_PPP_CONFIG allow.
Allows a process to push the rpcmod STREAMS module.
Allows a process to INSERT/REMOVE STREAMS modules at locations other
than the top of the module stack.

privilege PRIV_SYS_NFS

Allows a process to perform Sun-private NFS-specific system calls.
Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
and 4045 (lockd).

privilege PRIV_SYS_PPP_CONFIG

Allows a process to create and destroy PPP (sppp) interfaces.
Allows a process to configure PPP tunnels (sppptun).

privilege PRIV_SYS_RES_BIND

Allows a process to bind processes to processor sets.

privilege PRIV_SYS_RES_CONFIG

Allows all that PRIV_SYS_RES_BIND allows.
Allows a process to create and delete processor sets, assign
CPUs to processor sets and override the PSET_NOESCAPE property.
Allows a process to change the operational status of CPUs in
the system using p_online(2).
Allows a process to configure resource pools and to bind
processes to pools.
461
unsafe privilege PRIV_SYS_RESOURCE

Allows a process to modify the resource limits specified
by setrlimit(2) and setrctl(2) without restriction.
Allows a process to exceed the per-user maximum number of
processes.
Allows a process to extend or create files on a filesystem that
has less than minfree space in reserve.

privilege PRIV_SYS_SMB

Allows a process to access the Sun-private SMB kernel module.
Allows a process to bind to ports reserved by NetBIOS and SMB:
ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT

Allows a process to successfully call a third-party loadable module
that calls the kernel suser() function to check for allowed access.
This privilege exists only for third-party loadable module
compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

Allows a process to manipulate system time using any of the
appropriate system calls: stime, adjtime, ntp_adjtime and
the IA-specific RTC calls.

privilege PRIV_SYS_TRANS_LABEL

Allows a process to translate labels that are not dominated
by the process' sensitivity label to and from an external
string form.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_VIRT_MANAGE

Allows a process to manage virtualized environments such as
xVM(5).
503
privilege PRIV_WIN_COLORMAP

Allows a process to override colormap restrictions.
Allows a process to install or remove colormaps.
Allows a process to retrieve colormap cell entries allocated
by other processes.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_CONFIG

Allows a process to configure or destroy resources that are
permanently retained by the X server.
Allows a process to use SetScreenSaver to set the screen
saver timeout value.
Allows a process to use ChangeHosts to modify the display
access control list.
Allows a process to use GrabServer.
Allows a process to use the SetCloseDownMode request which
may retain window, pixmap, colormap, property, cursor, font,
or graphic context resources.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_DAC_READ

Allows a process to read from a window resource that it does
not own (has a different user ID).
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_DAC_WRITE

Allows a process to write to or create a window resource that
it does not own (has a different user ID). A newly created
window property is created with the window's user ID.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_DEVICES

Allows a process to perform operations on window input devices.
Allows a process to get and set keyboard and pointer controls.
Allows a process to modify pointer button and key mappings.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_DGA

Allows a process to use the direct graphics access (DGA) X protocol
extensions. Direct process access to the frame buffer is still
required. Thus the process must have MAC and DAC privileges that
allow access to the frame buffer, or the frame buffer must be
allocated to the process.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_DOWNGRADE_SL

Allows a process to set the sensitivity label of a window resource
to a sensitivity label that does not dominate the existing
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_FONTPATH

Allows a process to set a font path.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_MAC_READ

Allows a process to read from a window resource whose sensitivity
label is not equal to the process sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_MAC_WRITE

Allows a process to create a window resource whose sensitivity
label is not equal to the process sensitivity label.
A newly created window property is created with the window's
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_SELECTION

Allows a process to request inter-window data moves without the
intervention of the selection confirmer.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_WIN_UPGRADE_SL

Allows a process to set the sensitivity label of a window
resource to a sensitivity label that dominates the existing
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.

privilege PRIV_XVM_CONTROL

Allows a process access to the xVM(5) control devices for
managing guest domains and the hypervisor. This privilege is
used only if booted into xVM on x86 platforms.
611
set PRIV_EFFECTIVE

Set of privileges currently in effect.

set PRIV_INHERITABLE

Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

Set of privileges that can be put into the effective set without
restriction.

set PRIV_LIMIT

Set of privileges that determines the absolute upper bound of
privileges this process and its offspring can obtain.
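
As an added example, not code from the illumos tree: a C parser for the format this file uses (an optional basic or unsafe modifier, the privilege or set keyword and a name on one line, then a description paragraph), run over a constructed excerpt of the entries above so that, for instance, the basic and unsafe subsets can be listed. parse_privdefs, privdef_t, the buffer sizes and the sample text are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    char kind[12];     /* "privilege" or "set" */
    char name[48];     /* e.g. PRIV_FILE_READ */
    int basic, unsafe; /* optional modifier written before the keyword */
    char desc[256];    /* description paragraph, lines joined with spaces */
} privdef_t;

/* Constructed excerpt in the priv_defs format, abridged from the entries above. */
static const char *sample =
    "#\n# comment lines are ignored\n#\n\n"
    "basic privilege PRIV_FILE_READ\n\n"
    "Allows a process to read objects in the filesystem.\n\n"
    "unsafe privilege PRIV_PROC_SETID\n\n"
    "Allows a process to set its uids at will.\n"
    "Assuming uid 0 requires all privileges to be asserted.\n\n"
    "set PRIV_LIMIT\n\n"
    "Set of privileges that determines the absolute upper bound of\n"
    "privileges this process and its offspring can obtain.\n";

/*
 * Parse priv_defs text into out[]. Keywords count at column 0 only; '#' lines
 * and text before the first definition (the license header) are skipped.
 * Returns the number of definitions found, or -1 if out[] overflows.
 */
int parse_privdefs(const char *text, privdef_t *out, int max)
{
    int n = 0;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (line[0] == '#' || line[0] == '\0') continue;
        const char *w = line; int basic = 0, unsafe = 0;
        if (strncmp(w, "basic ", 6) == 0) { basic = 1; w += 6; }
        else if (strncmp(w, "unsafe ", 7) == 0) { unsafe = 1; w += 7; }
        if (strncmp(w, "privilege ", 10) == 0 || strncmp(w, "set ", 4) == 0) {
            if (n == max) return -1;
            privdef_t *d = &out[n++];
            memset(d, 0, sizeof *d); d->basic = basic; d->unsafe = unsafe;
            const char *sp = strchr(w, ' ');
            snprintf(d->kind, sizeof d->kind, "%.*s", (int)(sp - w), w);
            snprintf(d->name, sizeof d->name, "%s", sp + 1);
        } else if (n > 0) {               /* description line of the last definition */
            privdef_t *d = &out[n - 1];
            size_t used = strlen(d->desc);
            snprintf(d->desc + used, sizeof d->desc - used, "%s%s", used ? " " : "", line);
        }
    }
    return n;
}

privdef_t defs[32];

/* Parse the embedded sample into defs[]; returns its definition count (3). */
int sample_count(void) { return parse_privdefs(sample, defs, 32); }

int main(void)
{
    for (int k = 0, n = sample_count(); k < n; k++)
        printf("%s %s basic=%d unsafe=%d: %s\n", defs[k].kind, defs[k].name,
               defs[k].basic, defs[k].unsafe, defs[k].desc);
    return 0;
}
```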