Print this page
OS-3926 lxbrand in-kernel fchownat(2), fchown(2), lchown(2), chown(2) and 16-bit ID counterparts
OS-3920 lxbrand use native *at(2) system calls for LX emulation
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/policy.c
+++ new/usr/src/uts/common/os/policy.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
|
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 - * Copyright 2013, Joyent, Inc. All rights reserved.
23 + * Copyright 2015 Joyent, Inc.
24 24 */
25 25
26 26 #include <sys/types.h>
27 27 #include <sys/sysmacros.h>
28 28 #include <sys/param.h>
29 29 #include <sys/systm.h>
30 30 #include <sys/cred_impl.h>
31 31 #include <sys/vnode.h>
32 32 #include <sys/vfs.h>
33 33 #include <sys/stat.h>
34 34 #include <sys/errno.h>
35 35 #include <sys/kmem.h>
36 36 #include <sys/user.h>
37 37 #include <sys/proc.h>
38 38 #include <sys/acct.h>
39 39 #include <sys/ipc_impl.h>
40 40 #include <sys/cmn_err.h>
41 41 #include <sys/debug.h>
42 42 #include <sys/policy.h>
43 43 #include <sys/kobj.h>
44 44 #include <sys/msg.h>
45 45 #include <sys/devpolicy.h>
46 46 #include <c2/audit.h>
47 47 #include <sys/varargs.h>
|
↓ open down ↓ |
14 lines elided |
↑ open up ↑ |
48 48 #include <sys/klpd.h>
49 49 #include <sys/modctl.h>
50 50 #include <sys/disp.h>
51 51 #include <sys/zone.h>
52 52 #include <inet/optcom.h>
53 53 #include <sys/sdt.h>
54 54 #include <sys/vfs.h>
55 55 #include <sys/mntent.h>
56 56 #include <sys/contract_impl.h>
57 57 #include <sys/dld_ioc.h>
58 +#include <sys/brand.h>
58 59
59 60 /*
60 61 * There are two possible layers of privilege routines and two possible
61 62 * levels of secpolicy. Plus one other we may not be interested in, so
62 63 * we may need as many as 6 but no more.
63 64 */
64 65 #define MAXPRIVSTACK 6
65 66
66 67 int priv_debug = 0;
67 68 int priv_basic_test = -1;
68 69
69 70 /*
70 71 * This file contains the majority of the policy routines.
71 72 * Since the policy routines are defined by function and not
72 73 * by privilege, there is quite a bit of duplication of
73 74 * functions.
74 75 *
75 76 * The secpolicy functions must not make assumptions about
76 77 * locks held or not held as any lock can be held while they're
77 78 * being called.
78 79 *
79 80 * Credentials are read-only so no special precautions need to
80 81 * be taken while locking them.
81 82 *
82 83 * When a new policy check needs to be added to the system the
83 84 * following procedure should be followed:
84 85 *
85 86 * Pick an appropriate secpolicy_*() function
86 87 * -> done if one exists.
87 88 * Create a new secpolicy function, preferably with
88 89 * a descriptive name using the standard template.
89 90 * Pick an appropriate privilege for the policy.
90 91 * If no appropraite privilege exists, define new one
91 92 * (this should be done with extreme care; in most cases
92 93 * little is gained by adding another privilege)
93 94 *
94 95 * WHY ROOT IS STILL SPECIAL.
95 96 *
96 97 * In a number of the policy functions, there are still explicit
97 98 * checks for uid 0. The rationale behind these is that many root
98 99 * owned files/objects hold configuration information which can give full
99 100 * privileges to the user once written to. To prevent escalation
100 101 * of privilege by allowing just a single privilege to modify root owned
101 102 * objects, we've added these root specific checks where we considered
102 103 * them necessary: modifying root owned files, changing uids to 0, etc.
103 104 *
104 105 * PRIVILEGE ESCALATION AND ZONES.
105 106 *
106 107 * A number of operations potentially allow the caller to achieve
107 108 * privileges beyond the ones normally required to perform the operation.
108 109 * For example, if allowed to create a setuid 0 executable, a process can
109 110 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
110 111 * restrictions on the ability to gain privileges beyond those available
111 112 * within the zone through file and process manipulation. Hence, such
112 113 * operations require that the caller have an effective set that includes
113 114 * all privileges available within the current zone, or all privileges
114 115 * if executing in the global zone.
115 116 *
116 117 * This is indicated in the priv_policy* policy checking functions
117 118 * through a combination of parameters. The "priv" parameter indicates
118 119 * the privilege that is required, and the "allzone" parameter indicates
119 120 * whether or not all privileges in the zone are required. In addition,
120 121 * priv can be set to PRIV_ALL to indicate that all privileges are
121 122 * required (regardless of zone). There are three scenarios of interest:
122 123 * (1) operation requires a specific privilege
123 124 * (2) operation requires a specific privilege, and requires all
124 125 * privileges available within the zone (or all privileges if in
125 126 * the global zone)
126 127 * (3) operation requires all privileges, regardless of zone
127 128 *
128 129 * For (1), priv should be set to the specific privilege, and allzone
129 130 * should be set to B_FALSE.
130 131 * For (2), priv should be set to the specific privilege, and allzone
131 132 * should be set to B_TRUE.
132 133 * For (3), priv should be set to PRIV_ALL, and allzone should be set
133 134 * to B_FALSE.
134 135 *
135 136 */
136 137
137 138 /*
138 139 * The privileges are checked against the Effective set for
139 140 * ordinary processes and checked against the Limit set
140 141 * for euid 0 processes that haven't manipulated their privilege
141 142 * sets.
142 143 */
143 144 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
144 145 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
145 146 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
146 147 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
147 148 HAS_ALLPRIVS(cr) : \
148 149 PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
149 150
150 151 #define FAST_BASIC_CHECK(cr, priv) \
151 152 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
152 153 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
153 154 return (0); \
154 155 }
155 156
156 157 /*
157 158 * Policy checking functions.
158 159 *
159 160 * All of the system's policy should be implemented here.
160 161 */
161 162
162 163 /*
163 164 * Private functions which take an additional va_list argument to
164 165 * implement an object specific policy override.
165 166 */
166 167 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
167 168 const char *, va_list);
168 169 static int priv_policy_va(const cred_t *, int, boolean_t, int,
169 170 const char *, ...);
170 171
171 172 /*
172 173 * Generic policy calls
173 174 *
174 175 * The "bottom" functions of policy control
175 176 */
176 177 static char *
177 178 mprintf(const char *fmt, ...)
178 179 {
179 180 va_list args;
180 181 char *buf;
181 182 size_t len;
182 183
183 184 va_start(args, fmt);
184 185 len = vsnprintf(NULL, 0, fmt, args) + 1;
185 186 va_end(args);
186 187
187 188 buf = kmem_alloc(len, KM_NOSLEEP);
188 189
189 190 if (buf == NULL)
190 191 return (NULL);
191 192
192 193 va_start(args, fmt);
193 194 (void) vsnprintf(buf, len, fmt, args);
194 195 va_end(args);
195 196
196 197 return (buf);
197 198 }
198 199
199 200 /*
200 201 * priv_policy_errmsg()
201 202 *
202 203 * Generate an error message if privilege debugging is enabled system wide
203 204 * or for this particular process.
204 205 */
205 206
206 207 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
207 208 #define FMTMSG " for \"%s\""
208 209 #define FMTFUN " needed at %s+0x%lx"
209 210
210 211 /* The maximum size privilege format: the concatenation of the above */
211 212 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
212 213
213 214 static void
214 215 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
215 216 {
216 217 struct proc *me;
217 218 pc_t stack[MAXPRIVSTACK];
218 219 int depth;
219 220 int i;
220 221 char *sym;
221 222 ulong_t off;
222 223 const char *pname;
223 224
224 225 char *cmd;
225 226 char fmt[sizeof (FMTMAX)];
226 227
227 228 if ((me = curproc) == &p0)
228 229 return;
229 230
230 231 /* Privileges must be defined */
231 232 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
232 233 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
233 234 priv_getbynum(priv) != NULL);
234 235
235 236 if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
236 237 priv = PRIV_ALL;
237 238
238 239 if (curthread->t_pre_sys)
239 240 ttolwp(curthread)->lwp_badpriv = (short)priv;
240 241
241 242 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
242 243 return;
243 244
244 245 (void) strcpy(fmt, FMTHDR);
245 246
246 247 if (me->p_user.u_comm[0])
247 248 cmd = &me->p_user.u_comm[0];
248 249 else
249 250 cmd = "priv_policy";
250 251
251 252 if (msg != NULL && *msg != '\0') {
252 253 (void) strcat(fmt, FMTMSG);
253 254 } else {
254 255 (void) strcat(fmt, "%s");
255 256 msg = "";
256 257 }
257 258
258 259 sym = NULL;
259 260
260 261 depth = getpcstack(stack, MAXPRIVSTACK);
261 262
262 263 /*
263 264 * Try to find the first interesting function on the stack.
264 265 * priv_policy* that's us, so completely uninteresting.
265 266 * suser(), drv_priv(), secpolicy_* are also called from
266 267 * too many locations to convey useful information.
267 268 */
268 269 for (i = 0; i < depth; i++) {
269 270 sym = kobj_getsymname((uintptr_t)stack[i], &off);
270 271 if (sym != NULL &&
271 272 strstr(sym, "hasprocperm") == 0 &&
272 273 strcmp("suser", sym) != 0 &&
273 274 strcmp("ipcaccess", sym) != 0 &&
274 275 strcmp("drv_priv", sym) != 0 &&
275 276 strncmp("secpolicy_", sym, 10) != 0 &&
276 277 strncmp("priv_policy", sym, 11) != 0)
277 278 break;
278 279 }
279 280
280 281 if (sym != NULL)
281 282 (void) strcat(fmt, FMTFUN);
282 283
283 284 (void) strcat(fmt, "\n");
284 285
285 286 switch (priv) {
286 287 case PRIV_ALL:
287 288 pname = "ALL";
288 289 break;
289 290 case PRIV_MULTIPLE:
290 291 pname = "MULTIPLE";
291 292 break;
292 293 case PRIV_ALLZONE:
293 294 pname = "ZONE";
294 295 break;
295 296 case PRIV_GLOBAL:
296 297 pname = "GLOBAL";
297 298 break;
298 299 default:
299 300 pname = priv_getbynum(priv);
300 301 break;
301 302 }
302 303
303 304 if (CR_FLAGS(cr) & PRIV_DEBUG) {
304 305 /* Remember last message, just like lwp_badpriv. */
305 306 if (curthread->t_pdmsg != NULL) {
306 307 kmem_free(curthread->t_pdmsg,
307 308 strlen(curthread->t_pdmsg) + 1);
308 309 }
309 310
310 311 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
311 312 cr->cr_uid, curthread->t_sysnum, msg, sym, off);
312 313
313 314 curthread->t_post_sys = 1;
314 315 }
315 316 if (priv_debug) {
316 317 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
317 318 curthread->t_sysnum, msg, sym, off);
318 319 }
319 320 }
320 321
321 322 /*
322 323 * Override the policy, if appropriate. Return 0 if the external
323 324 * policy engine approves.
324 325 */
325 326 static int
326 327 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
327 328 {
328 329 priv_set_t set;
329 330 int ret;
330 331
331 332 if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
332 333 return (-1);
333 334
334 335 if (priv == PRIV_ALL) {
335 336 priv_fillset(&set);
336 337 } else if (allzone) {
337 338 set = *ZONEPRIVS(cr);
338 339 } else {
339 340 priv_emptyset(&set);
340 341 priv_addset(&set, priv);
341 342 }
342 343 ret = klpd_call(cr, &set, ap);
343 344 return (ret);
344 345 }
345 346
346 347 static int
347 348 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
348 349 {
349 350 if (CR_FLAGS(cr) & PRIV_PFEXEC)
350 351 return (check_user_privs(cr, req));
351 352 if (CR_FLAGS(cr) & PRIV_XPOLICY) {
352 353 return (klpd_call(cr, req, ap));
353 354 }
354 355 return (-1);
355 356 }
356 357
357 358 static int
358 359 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
359 360 {
360 361 va_list ap;
361 362 int ret;
362 363
363 364 va_start(ap, req);
364 365 ret = priv_policy_override_set(cr, req, ap);
365 366 va_end(ap);
366 367 return (ret);
367 368 }
368 369
369 370 /*
370 371 * Audit failure, log error message.
371 372 */
372 373 static void
373 374 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
374 375 {
375 376
376 377 if (AU_AUDITING())
377 378 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
378 379 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
379 380
380 381 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
381 382 curthread->t_pre_sys) {
382 383 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
383 384 priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
384 385 } else {
385 386 ASSERT(!HAS_PRIVILEGE(cr, priv));
386 387 priv_policy_errmsg(cr, priv, msg);
387 388 }
388 389 }
389 390 }
390 391
391 392 /*
392 393 * priv_policy_ap()
393 394 * return 0 or error.
394 395 * See block comment above for a description of "priv" and "allzone" usage.
395 396 */
396 397 static int
397 398 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
398 399 const char *msg, va_list ap)
399 400 {
400 401 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
401 402 (!servicing_interrupt() &&
402 403 priv_policy_override(cr, priv, allzone, ap) == 0)) {
403 404 if ((allzone || priv == PRIV_ALL ||
404 405 !PRIV_ISASSERT(priv_basic, priv)) &&
405 406 !servicing_interrupt()) {
406 407 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
407 408 if (AU_AUDITING())
408 409 audit_priv(priv,
409 410 allzone ? ZONEPRIVS(cr) : NULL, 1);
410 411 }
411 412 err = 0;
412 413 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
413 414 } else if (!servicing_interrupt()) {
414 415 /* Failure audited in this procedure */
415 416 priv_policy_err(cr, priv, allzone, msg);
416 417 }
417 418 return (err);
418 419 }
419 420
420 421 int
421 422 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
422 423 const char *msg, ...)
423 424 {
424 425 int ret;
425 426 va_list ap;
426 427
427 428 va_start(ap, msg);
428 429 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
429 430 va_end(ap);
430 431
431 432 return (ret);
432 433 }
433 434
434 435 int
435 436 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
436 437 const char *msg)
437 438 {
438 439 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
439 440 }
440 441
441 442 /*
442 443 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
443 444 */
444 445 boolean_t
445 446 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
446 447 {
447 448 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
448 449 (!allzone || HAS_ALLZONEPRIVS(cr));
449 450
450 451 /* Audit success only */
451 452 if (res && AU_AUDITING() &&
452 453 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
453 454 !servicing_interrupt()) {
454 455 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
455 456 }
456 457 if (res) {
457 458 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
458 459 } else {
459 460 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
460 461 }
461 462 return (res);
462 463 }
463 464
464 465 /*
465 466 * Non-auditing variant of priv_policy_choice().
466 467 */
467 468 boolean_t
468 469 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
469 470 {
470 471 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
471 472 (!allzone || HAS_ALLZONEPRIVS(cr));
472 473
473 474 if (res) {
474 475 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
475 476 } else {
476 477 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
477 478 }
478 479 return (res);
479 480 }
480 481
481 482 /*
482 483 * Check whether all privileges in the required set are present.
483 484 */
484 485 static int
485 486 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
486 487 const char *msg, ...)
487 488 {
488 489 int priv;
489 490 int pfound = -1;
490 491 priv_set_t pset;
491 492 va_list ap;
492 493 int ret;
493 494
494 495 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
495 496 &CR_OEPRIV(cr))) {
496 497 return (0);
497 498 }
498 499
499 500 va_start(ap, msg);
500 501 ret = priv_policy_override_set(cr, req, ap);
501 502 va_end(ap);
502 503 if (ret == 0)
503 504 return (0);
504 505
505 506 if (req == PRIV_FULLSET || priv_isfullset(req)) {
506 507 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
507 508 return (EACCES);
508 509 }
509 510
510 511 pset = CR_OEPRIV(cr); /* present privileges */
511 512 priv_inverse(&pset); /* all non present privileges */
512 513 priv_intersect(req, &pset); /* the actual missing privs */
513 514
514 515 if (AU_AUDITING())
515 516 audit_priv(PRIV_NONE, &pset, 0);
516 517 /*
517 518 * Privilege debugging; special case "one privilege in set".
518 519 */
519 520 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
520 521 for (priv = 0; priv < nprivs; priv++) {
521 522 if (priv_ismember(&pset, priv)) {
522 523 if (pfound != -1) {
523 524 /* Multiple missing privs */
524 525 priv_policy_errmsg(cr, PRIV_MULTIPLE,
525 526 msg);
526 527 return (EACCES);
527 528 }
528 529 pfound = priv;
529 530 }
530 531 }
531 532 ASSERT(pfound != -1);
532 533 /* Just the one missing privilege */
533 534 priv_policy_errmsg(cr, pfound, msg);
534 535 }
535 536
536 537 return (EACCES);
537 538 }
538 539
539 540 /*
540 541 * Called when an operation requires that the caller be in the
541 542 * global zone, regardless of privilege.
542 543 */
543 544 static int
544 545 priv_policy_global(const cred_t *cr)
545 546 {
546 547 if (crgetzoneid(cr) == GLOBAL_ZONEID)
547 548 return (0); /* success */
548 549
549 550 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
550 551 curthread->t_pre_sys) {
551 552 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
552 553 }
553 554 return (EPERM);
554 555 }
555 556
556 557 /*
557 558 * Raising process priority
558 559 */
559 560 int
560 561 secpolicy_raisepriority(const cred_t *cr)
561 562 {
562 563 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
563 564 return (0);
564 565 return (secpolicy_setpriority(cr));
565 566 }
566 567
567 568 /*
568 569 * Changing process priority or scheduling class
569 570 */
570 571 int
571 572 secpolicy_setpriority(const cred_t *cr)
572 573 {
573 574 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
574 575 }
575 576
576 577 /*
577 578 * Binding to a privileged port, port must be specified in host byte
578 579 * order.
579 580 * When adding a new privilege which allows binding to currently privileged
580 581 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
581 582 * to these ports because of backward compatibility.
582 583 */
583 584 int
584 585 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
585 586 {
586 587 char *reason;
587 588 int priv;
588 589
589 590 switch (port) {
590 591 case 137:
591 592 case 138:
592 593 case 139:
593 594 case 445:
594 595 /*
595 596 * NBT and SMB ports, these are normal privileged ports,
596 597 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
597 598 * is present.
598 599 * Try both, if neither is present return an error for
599 600 * priv SYS_SMB.
600 601 */
601 602 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
602 603 priv = PRIV_NET_PRIVADDR;
603 604 else
604 605 priv = PRIV_SYS_SMB;
605 606 reason = "NBT or SMB port";
606 607 break;
607 608
608 609 case 2049:
609 610 case 4045:
610 611 /*
611 612 * NFS ports, these are extra privileged ports, allow bind
612 613 * only if the SYS_NFS privilege is present.
613 614 */
614 615 priv = PRIV_SYS_NFS;
615 616 reason = "NFS port";
616 617 break;
617 618
618 619 default:
619 620 priv = PRIV_NET_PRIVADDR;
620 621 reason = NULL;
621 622 break;
622 623
623 624 }
624 625
625 626 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
626 627 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
627 628 }
628 629
629 630 /*
630 631 * Binding to a multilevel port on a trusted (labeled) system.
631 632 */
632 633 int
633 634 secpolicy_net_bindmlp(const cred_t *cr)
634 635 {
635 636 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
636 637 }
637 638
638 639 /*
639 640 * Allow a communication between a zone and an unlabeled host when their
640 641 * labels don't match.
641 642 */
642 643 int
643 644 secpolicy_net_mac_aware(const cred_t *cr)
644 645 {
645 646 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
646 647 }
647 648
648 649 /*
649 650 * Allow a privileged process to transmit traffic without explicit labels
650 651 */
651 652 int
652 653 secpolicy_net_mac_implicit(const cred_t *cr)
653 654 {
654 655 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
655 656 }
656 657
657 658 /*
658 659 * Common routine which determines whether a given credential can
659 660 * act on a given mount.
660 661 * When called through mount, the parameter needoptcheck is a pointer
661 662 * to a boolean variable which will be set to either true or false,
662 663 * depending on whether the mount policy should change the mount options.
663 664 * In all other cases, needoptcheck should be a NULL pointer.
664 665 */
665 666 static int
666 667 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
667 668 boolean_t *needoptcheck)
668 669 {
669 670 boolean_t allzone = B_FALSE;
670 671 boolean_t mounting = needoptcheck != NULL;
671 672
672 673 /*
673 674 * Short circuit the following cases:
674 675 * vfsp == NULL or mvp == NULL (pure privilege check)
675 676 * have all privileges - no further checks required
676 677 * and no mount options need to be set.
677 678 */
678 679 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
679 680 if (mounting)
680 681 *needoptcheck = B_FALSE;
681 682
682 683 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
683 684 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
684 685 }
685 686
686 687 /*
687 688 * When operating on an existing mount (either we're not mounting
688 689 * or we're doing a remount and VFS_REMOUNT will be set), zones
689 690 * can operate only on mounts established by the zone itself.
690 691 */
691 692 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
692 693 zoneid_t zoneid = crgetzoneid(cr);
693 694
694 695 if (zoneid != GLOBAL_ZONEID &&
695 696 vfsp->vfs_zone->zone_id != zoneid) {
696 697 return (EPERM);
697 698 }
698 699 }
699 700
700 701 if (mounting)
701 702 *needoptcheck = B_TRUE;
702 703
703 704 /*
704 705 * Overlay mounts may hide important stuff; if you can't write to a
705 706 * mount point but would be able to mount on top of it, you can
706 707 * escalate your privileges.
707 708 * So we go about asking the same questions namefs does when it
708 709 * decides whether you can mount over a file or not but with the
709 710 * added restriction that you can only mount on top of a regular
710 711 * file or directory.
711 712 * If we have all the zone's privileges, we skip all other checks,
712 713 * or else we may actually get in trouble inside the automounter.
713 714 */
714 715 if ((mvp->v_flag & VROOT) != 0 ||
715 716 (mvp->v_type != VDIR && mvp->v_type != VREG) ||
716 717 HAS_ALLZONEPRIVS(cr)) {
717 718 allzone = B_TRUE;
718 719 } else {
719 720 vattr_t va;
720 721 int err;
721 722
722 723 va.va_mask = AT_UID|AT_MODE;
723 724 err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
724 725 if (err != 0)
725 726 return (err);
726 727
727 728 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
728 729 return (err);
729 730
730 731 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
731 732 VWRITE) != 0) {
732 733 return (EACCES);
733 734 }
734 735 }
735 736 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
736 737 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
737 738 }
738 739
739 740 void
740 741 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
741 742 {
742 743 boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
743 744
744 745 /*
745 746 * check; if we don't have either "nosuid" or
746 747 * both "nosetuid" and "nodevices", then we add
747 748 * "nosuid"; this depends on how the current
748 749 * implementation works (it first checks nosuid). In a
749 750 * zone, a user with all zone privileges can mount with
750 751 * "setuid" but never with "devices".
751 752 */
752 753 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
753 754 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
754 755 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
755 756 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
756 757 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
757 758 else
758 759 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
759 760 }
760 761 /*
761 762 * If we're not the local super user, we set the "restrict"
762 763 * option to indicate to automountd that this mount should
763 764 * be handled with care.
764 765 */
765 766 if (!amsuper)
766 767 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
767 768
768 769 }
769 770
770 771 int
771 772 secpolicy_fs_allowed_mount(const char *fsname)
772 773 {
773 774 struct vfssw *vswp;
774 775 const char *p;
775 776 size_t len;
776 777
777 778 ASSERT(fsname != NULL);
778 779 ASSERT(fsname[0] != '\0');
779 780
780 781 if (INGLOBALZONE(curproc))
781 782 return (0);
782 783
783 784 vswp = vfs_getvfssw(fsname);
784 785 if (vswp == NULL)
785 786 return (ENOENT);
786 787
787 788 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
788 789 vfs_unrefvfssw(vswp);
789 790 return (0);
790 791 }
791 792
792 793 vfs_unrefvfssw(vswp);
793 794
794 795 p = curzone->zone_fs_allowed;
795 796 len = strlen(fsname);
796 797
797 798 while (p != NULL && *p != '\0') {
798 799 if (strncmp(p, fsname, len) == 0) {
799 800 char c = *(p + len);
800 801 if (c == '\0' || c == ',')
801 802 return (0);
802 803 }
803 804
804 805 /* skip to beyond the next comma */
805 806 if ((p = strchr(p, ',')) != NULL)
806 807 p++;
807 808 }
808 809
809 810 return (EPERM);
810 811 }
811 812
812 813 extern vnode_t *rootvp;
813 814 extern vfs_t *rootvfs;
814 815
815 816 int
816 817 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
817 818 {
818 819 boolean_t needoptchk;
819 820 int error;
820 821
821 822 /*
822 823 * If it's a remount, get the underlying mount point,
823 824 * except for the root where we use the rootvp.
824 825 */
825 826 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
826 827 if (vfsp == rootvfs)
827 828 mvp = rootvp;
828 829 else
829 830 mvp = vfsp->vfs_vnodecovered;
830 831 }
831 832
832 833 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
833 834
834 835 if (error == 0 && needoptchk) {
835 836 secpolicy_fs_mount_clearopts(cr, vfsp);
836 837 }
837 838
838 839 return (error);
839 840 }
840 841
841 842 /*
842 843 * Does the policy computations for "ownership" of a mount;
843 844 * here ownership is defined as the ability to "mount"
844 845 * the filesystem originally. The rootvfs doesn't cover any
845 846 * vnodes; we attribute its ownership to the rootvp.
846 847 */
847 848 static int
848 849 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
849 850 {
850 851 vnode_t *mvp;
851 852
852 853 if (vfsp == NULL)
853 854 mvp = NULL;
854 855 else if (vfsp == rootvfs)
855 856 mvp = rootvp;
856 857 else
857 858 mvp = vfsp->vfs_vnodecovered;
858 859
859 860 return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
860 861 }
861 862
862 863 int
863 864 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
864 865 {
865 866 return (secpolicy_fs_owner(cr, vfsp));
866 867 }
867 868
868 869 /*
869 870 * Quotas are a resource, but if one has the ability to mount a filesystem, he
870 871 * should be able to modify quotas on it.
871 872 */
872 873 int
873 874 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
874 875 {
875 876 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
876 877 }
877 878
878 879 /*
879 880 * Exceeding minfree: also a per-mount resource constraint.
880 881 */
881 882 int
882 883 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
883 884 {
884 885 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
885 886 }
886 887
887 888 int
888 889 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
889 890 {
890 891 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
891 892 }
892 893
893 894 /* ARGSUSED */
894 895 int
895 896 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
896 897 {
897 898 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
898 899 }
899 900
900 901 /*
901 902 * Name: secpolicy_vnode_access()
902 903 *
903 904 * Parameters: Process credential
904 905 * vnode
905 906 * uid of owner of vnode
906 907 * permission bits not granted to the caller when examining
907 908 * file mode bits (i.e., when a process wants to open a
908 909 * mode 444 file for VREAD|VWRITE, this function should be
909 910 * called only with a VWRITE argument).
910 911 *
911 912 * Normal: Verifies that cred has the appropriate privileges to
912 913 * override the mode bits that were denied.
913 914 *
914 915 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
915 916 * not a directory.
916 917 * file_dac_read - if VREAD bit was denied.
917 918 * file_dac_search - if VEXEC bit was denied and vnode is
918 919 * a directory.
919 920 * file_dac_write - if VWRITE bit was denied.
920 921 *
921 922 * Root owned files are special cased to protect system
922 923 * configuration files and such.
923 924 *
924 925 * Output: EACCES - if privilege check fails.
925 926 */
926 927
927 928 int
928 929 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
929 930 {
930 931 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
931 932 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
932 933 KLPDARG_NOMORE) != 0) {
933 934 return (EACCES);
934 935 }
935 936
936 937 if (mode & VWRITE) {
937 938 boolean_t allzone;
938 939
939 940 if (owner == 0 && cr->cr_uid != 0)
940 941 allzone = B_TRUE;
941 942 else
942 943 allzone = B_FALSE;
943 944 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
944 945 NULL, KLPDARG_VNODE, vp, (char *)NULL,
945 946 KLPDARG_NOMORE) != 0) {
946 947 return (EACCES);
947 948 }
948 949 }
949 950
950 951 if (mode & VEXEC) {
951 952 /*
952 953 * Directories use file_dac_search to override the execute bit.
953 954 */
954 955 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
955 956 PRIV_FILE_DAC_EXECUTE;
956 957
957 958 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
958 959 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
959 960 }
960 961 return (0);
961 962 }
962 963
963 964 /*
964 965 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
965 966 * current mode of the file, not the missing bits.
966 967 */
967 968 int
968 969 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
969 970 mode_t curmode, mode_t wantmode)
970 971 {
971 972 mode_t mode;
972 973
973 974 /* Inline the basic privileges tests. */
974 975 if ((wantmode & VREAD) &&
975 976 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
976 977 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
977 978 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
978 979 return (EACCES);
979 980 }
980 981
981 982 if ((wantmode & VWRITE) &&
982 983 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
983 984 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
984 985 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
985 986 return (EACCES);
986 987 }
987 988
988 989 mode = ~curmode & wantmode;
989 990
990 991 if (mode == 0)
991 992 return (0);
992 993
993 994 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
994 995 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
995 996 KLPDARG_NOMORE) != 0) {
996 997 return (EACCES);
997 998 }
998 999
999 1000 if (mode & VWRITE) {
1000 1001 boolean_t allzone;
1001 1002
1002 1003 if (owner == 0 && cr->cr_uid != 0)
1003 1004 allzone = B_TRUE;
1004 1005 else
1005 1006 allzone = B_FALSE;
1006 1007 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1007 1008 NULL, KLPDARG_VNODE, vp, (char *)NULL,
1008 1009 KLPDARG_NOMORE) != 0) {
1009 1010 return (EACCES);
1010 1011 }
1011 1012 }
1012 1013
1013 1014 if (mode & VEXEC) {
1014 1015 /*
1015 1016 * Directories use file_dac_search to override the execute bit.
1016 1017 */
1017 1018 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1018 1019 PRIV_FILE_DAC_EXECUTE;
1019 1020
1020 1021 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1021 1022 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1022 1023 }
1023 1024 return (0);
1024 1025 }
1025 1026
1026 1027 /*
1027 1028 * This is a special routine for ZFS; it is used to determine whether
1028 1029 * any of the privileges in effect allow any form of access to the
1029 1030 * file. There's no reason to audit this or any reason to record
1030 1031 * this. More work is needed to do the "KPLD" stuff.
1031 1032 */
1032 1033 int
1033 1034 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1034 1035 {
1035 1036 static int privs[] = {
1036 1037 PRIV_FILE_OWNER,
1037 1038 PRIV_FILE_CHOWN,
1038 1039 PRIV_FILE_DAC_READ,
1039 1040 PRIV_FILE_DAC_WRITE,
1040 1041 PRIV_FILE_DAC_EXECUTE,
1041 1042 PRIV_FILE_DAC_SEARCH,
1042 1043 };
1043 1044 int i;
1044 1045
1045 1046 /* Same as secpolicy_vnode_setdac */
1046 1047 if (owner == cr->cr_uid)
1047 1048 return (0);
1048 1049
1049 1050 for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1050 1051 boolean_t allzone = B_FALSE;
1051 1052 int priv;
1052 1053
1053 1054 switch (priv = privs[i]) {
1054 1055 case PRIV_FILE_DAC_EXECUTE:
1055 1056 if (vp->v_type == VDIR)
1056 1057 continue;
1057 1058 break;
1058 1059 case PRIV_FILE_DAC_SEARCH:
1059 1060 if (vp->v_type != VDIR)
1060 1061 continue;
1061 1062 break;
1062 1063 case PRIV_FILE_DAC_WRITE:
1063 1064 case PRIV_FILE_OWNER:
1064 1065 case PRIV_FILE_CHOWN:
1065 1066 /* We know here that if owner == 0, that cr_uid != 0 */
1066 1067 allzone = owner == 0;
1067 1068 break;
1068 1069 }
1069 1070 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1070 1071 return (0);
1071 1072 }
1072 1073 return (EPERM);
1073 1074 }
1074 1075
1075 1076 /*
1076 1077 * Name: secpolicy_vnode_setid_modify()
1077 1078 *
1078 1079 * Normal: verify that subject can set the file setid flags.
1079 1080 *
1080 1081 * Output: EPERM - if not privileged.
1081 1082 */
1082 1083
1083 1084 static int
1084 1085 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1085 1086 {
1086 1087 /* If changing to suid root, must have all zone privs */
1087 1088 boolean_t allzone = B_TRUE;
1088 1089
1089 1090 if (owner != 0) {
1090 1091 if (owner == cr->cr_uid)
1091 1092 return (0);
1092 1093 allzone = B_FALSE;
1093 1094 }
1094 1095 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1095 1096 }
1096 1097
1097 1098 /*
1098 1099 * Are we allowed to retain the set-uid/set-gid bits when
1099 1100 * changing ownership or when writing to a file?
1100 1101 * "issuid" should be true when set-uid; only in that case
1101 1102 * root ownership is checked (setgid is assumed).
1102 1103 */
1103 1104 int
1104 1105 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1105 1106 {
1106 1107 if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1107 1108 return (EPERM);
1108 1109
1109 1110 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1110 1111 }
1111 1112
1112 1113 /*
1113 1114 * Name: secpolicy_vnode_setids_setgids()
1114 1115 *
1115 1116 * Normal: verify that subject can set the file setgid flag.
1116 1117 *
1117 1118 * Output: EPERM - if not privileged
1118 1119 */
1119 1120
1120 1121 int
1121 1122 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1122 1123 {
1123 1124 if (!groupmember(gid, cred))
1124 1125 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1125 1126 NULL));
1126 1127 return (0);
1127 1128 }
1128 1129
1129 1130 /*
1130 1131 * Name: secpolicy_vnode_chown
1131 1132 *
1132 1133 * Normal: Determine if subject can chown owner of a file.
1133 1134 *
1134 1135 * Output: EPERM - if access denied
1135 1136 */
1136 1137
1137 1138 int
1138 1139 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1139 1140 {
1140 1141 boolean_t is_owner = (owner == crgetuid(cred));
1141 1142 boolean_t allzone = B_FALSE;
1142 1143 int priv;
1143 1144
1144 1145 if (!is_owner) {
1145 1146 allzone = (owner == 0);
1146 1147 priv = PRIV_FILE_CHOWN;
1147 1148 } else {
1148 1149 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1149 1150 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1150 1151 }
1151 1152
1152 1153 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1153 1154 }
1154 1155
1155 1156 /*
1156 1157 * Name: secpolicy_vnode_create_gid
1157 1158 *
1158 1159 * Normal: Determine if subject can change group ownership of a file.
1159 1160 *
1160 1161 * Output: EPERM - if access denied
1161 1162 */
1162 1163 int
1163 1164 secpolicy_vnode_create_gid(const cred_t *cred)
1164 1165 {
1165 1166 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1166 1167 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1167 1168 NULL));
1168 1169 else
1169 1170 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1170 1171 NULL));
1171 1172 }
1172 1173
1173 1174 /*
1174 1175 * Name: secpolicy_vnode_utime_modify()
1175 1176 *
1176 1177 * Normal: verify that subject can modify the utime on a file.
1177 1178 *
1178 1179 * Output: EPERM - if access denied.
1179 1180 */
1180 1181
1181 1182 static int
1182 1183 secpolicy_vnode_utime_modify(const cred_t *cred)
1183 1184 {
1184 1185 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1185 1186 "modify file times"));
1186 1187 }
1187 1188
1188 1189
1189 1190 /*
1190 1191 * Name: secpolicy_vnode_setdac()
1191 1192 *
1192 1193 * Normal: verify that subject can modify the mode of a file.
1193 1194 * allzone privilege needed when modifying root owned object.
1194 1195 *
1195 1196 * Output: EPERM - if access denied.
1196 1197 */
1197 1198
1198 1199 int
1199 1200 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1200 1201 {
1201 1202 if (owner == cred->cr_uid)
1202 1203 return (0);
1203 1204
1204 1205 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1205 1206 }
1206 1207 /*
1207 1208 * Name: secpolicy_vnode_stky_modify()
1208 1209 *
1209 1210 * Normal: verify that subject can make a file a "sticky".
1210 1211 *
1211 1212 * Output: EPERM - if access denied.
1212 1213 */
1213 1214
1214 1215 int
1215 1216 secpolicy_vnode_stky_modify(const cred_t *cred)
1216 1217 {
1217 1218 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1218 1219 "set file sticky"));
1219 1220 }
1220 1221
1221 1222 /*
1222 1223 * Policy determines whether we can remove an entry from a directory,
1223 1224 * regardless of permission bits.
1224 1225 */
1225 1226 int
1226 1227 secpolicy_vnode_remove(const cred_t *cr)
1227 1228 {
1228 1229 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1229 1230 "sticky directory"));
1230 1231 }
1231 1232
1232 1233 int
1233 1234 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1234 1235 {
1235 1236 boolean_t allzone = (owner == 0);
|
↓ open down ↓ |
1168 lines elided |
↑ open up ↑ |
1236 1237
1237 1238 if (owner == cr->cr_uid)
1238 1239 return (0);
1239 1240
1240 1241 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1241 1242 }
1242 1243
1243 1244 void
1244 1245 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1245 1246 {
1247 + proc_t *p = curproc;
1248 +
1249 + /*
1250 + * Allow the brand to override this behaviour.
1251 + */
1252 + if (PROC_IS_BRANDED(p) && BROP(p)->b_setid_clear != NULL) {
1253 + /*
1254 + * This brand hook will return 0 if handling is complete, or
1255 + * some other value if the brand would like us to fall back to
1256 + * the usual behaviour.
1257 + */
1258 + if (BROP(p)->b_setid_clear(vap, cr) == 0) {
1259 + return;
1260 + }
1261 + }
1262 +
1246 1263 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1247 1264 secpolicy_vnode_setid_retain(cr,
1248 1265 (vap->va_mode & S_ISUID) != 0 &&
1249 1266 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1250 1267 vap->va_mask |= AT_MODE;
1251 1268 vap->va_mode &= ~(S_ISUID|S_ISGID);
1252 1269 }
1253 1270 }
1254 1271
1255 1272 int
1256 1273 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1257 1274 cred_t *cr)
1258 1275 {
1259 1276 int error;
1260 1277
1261 1278 if ((vap->va_mode & S_ISUID) != 0 &&
1262 1279 (error = secpolicy_vnode_setid_modify(cr,
1263 1280 ovap->va_uid)) != 0) {
1264 1281 return (error);
1265 1282 }
1266 1283
1267 1284 /*
1268 1285 * Check privilege if attempting to set the
1269 1286 * sticky bit on a non-directory.
1270 1287 */
1271 1288 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1272 1289 secpolicy_vnode_stky_modify(cr) != 0) {
1273 1290 vap->va_mode &= ~S_ISVTX;
1274 1291 }
1275 1292
1276 1293 /*
1277 1294 * Check for privilege if attempting to set the
1278 1295 * group-id bit.
1279 1296 */
1280 1297 if ((vap->va_mode & S_ISGID) != 0 &&
1281 1298 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1282 1299 vap->va_mode &= ~S_ISGID;
1283 1300 }
1284 1301
1285 1302 return (0);
1286 1303 }
1287 1304
1288 1305 #define ATTR_FLAG_PRIV(attr, value, cr) \
1289 1306 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1290 1307 B_FALSE, EPERM, NULL)
1291 1308
1292 1309 /*
1293 1310 * Check privileges for setting xvattr attributes
1294 1311 */
1295 1312 int
1296 1313 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1297 1314 {
1298 1315 xoptattr_t *xoap;
1299 1316 int error = 0;
1300 1317
1301 1318 if ((xoap = xva_getxoptattr(xvap)) == NULL)
1302 1319 return (EINVAL);
1303 1320
1304 1321 /*
1305 1322 * First process the DOS bits
1306 1323 */
1307 1324 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1308 1325 XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1309 1326 XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1310 1327 XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1311 1328 XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1312 1329 XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1313 1330 XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1314 1331 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1315 1332 return (error);
1316 1333 }
1317 1334
1318 1335 /*
1319 1336 * Now handle special attributes
1320 1337 */
1321 1338
1322 1339 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1323 1340 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1324 1341 xoap->xoa_immutable, cr);
1325 1342 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1326 1343 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1327 1344 xoap->xoa_nounlink, cr);
1328 1345 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1329 1346 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1330 1347 xoap->xoa_appendonly, cr);
1331 1348 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1332 1349 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1333 1350 xoap->xoa_nodump, cr);
1334 1351 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1335 1352 error = EPERM;
1336 1353 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1337 1354 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1338 1355 xoap->xoa_av_quarantined, cr);
1339 1356 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1340 1357 error = EINVAL;
1341 1358 }
1342 1359 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1343 1360 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1344 1361 xoap->xoa_av_modified, cr);
1345 1362 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1346 1363 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1347 1364 xoap->xoa_av_scanstamp, cr);
1348 1365 if (error == 0 && vtype != VREG)
1349 1366 error = EINVAL;
1350 1367 }
1351 1368 return (error);
1352 1369 }
1353 1370
1354 1371 /*
1355 1372 * This function checks the policy decisions surrounding the
1356 1373 * vop setattr call.
1357 1374 *
1358 1375 * It should be called after sufficient locks have been established
1359 1376 * on the underlying data structures. No concurrent modifications
1360 1377 * should be allowed.
1361 1378 *
1362 1379 * The caller must pass in unlocked version of its vaccess function
1363 1380 * this is required because vop_access function should lock the
1364 1381 * node for reading. A three argument function should be defined
1365 1382 * which accepts the following argument:
1366 1383 * A pointer to the internal "node" type (inode *)
1367 1384 * vnode access bits (VREAD|VWRITE|VEXEC)
1368 1385 * a pointer to the credential
1369 1386 *
1370 1387 * This function makes the following policy decisions:
1371 1388 *
1372 1389 * - change permissions
1373 1390 * - permission to change file mode if not owner
1374 1391 * - permission to add sticky bit to non-directory
1375 1392 * - permission to add set-gid bit
1376 1393 *
1377 1394 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1378 1395 *
1379 1396 * If the vap argument does not include AT_MODE, the mode will be copied from
1380 1397 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1381 1398 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1382 1399 * is updated to the newly computed mode.
1383 1400 */
1384 1401
1385 1402 int
1386 1403 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1387 1404 const struct vattr *ovap, int flags,
1388 1405 int unlocked_access(void *, int, cred_t *),
1389 1406 void *node)
1390 1407 {
1391 1408 int mask = vap->va_mask;
1392 1409 int error = 0;
1393 1410 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1394 1411
1395 1412 if (mask & AT_SIZE) {
1396 1413 if (vp->v_type == VDIR) {
1397 1414 error = EISDIR;
1398 1415 goto out;
1399 1416 }
1400 1417
1401 1418 /*
1402 1419 * If ATTR_NOACLCHECK is set in the flags, then we don't
1403 1420 * perform the secondary unlocked_access() call since the
1404 1421 * ACL (if any) is being checked there.
1405 1422 */
1406 1423 if (skipaclchk == B_FALSE) {
1407 1424 error = unlocked_access(node, VWRITE, cr);
1408 1425 if (error)
1409 1426 goto out;
1410 1427 }
1411 1428 }
1412 1429 if (mask & AT_MODE) {
1413 1430 /*
1414 1431 * If not the owner of the file then check privilege
1415 1432 * for two things: the privilege to set the mode at all
1416 1433 * and, if we're setting setuid, we also need permissions
1417 1434 * to add the set-uid bit, if we're not the owner.
1418 1435 * In the specific case of creating a set-uid root
1419 1436 * file, we need even more permissions.
1420 1437 */
1421 1438 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1422 1439 goto out;
1423 1440
1424 1441 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1425 1442 ovap, cr)) != 0)
1426 1443 goto out;
1427 1444 } else
1428 1445 vap->va_mode = ovap->va_mode;
1429 1446
1430 1447 if (mask & (AT_UID|AT_GID)) {
1431 1448 boolean_t checkpriv = B_FALSE;
1432 1449
1433 1450 /*
1434 1451 * Chowning files.
1435 1452 *
1436 1453 * If you are the file owner:
1437 1454 * chown to other uid FILE_CHOWN_SELF
1438 1455 * chown to gid (non-member) FILE_CHOWN_SELF
1439 1456 * chown to gid (member) <none>
1440 1457 *
1441 1458 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1442 1459 * acceptable but the first one is reported when debugging.
1443 1460 *
1444 1461 * If you are not the file owner:
1445 1462 * chown from root PRIV_FILE_CHOWN + zone
1446 1463 * chown from other to any PRIV_FILE_CHOWN
1447 1464 *
1448 1465 */
1449 1466 if (cr->cr_uid != ovap->va_uid) {
1450 1467 checkpriv = B_TRUE;
1451 1468 } else {
1452 1469 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1453 1470 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1454 1471 !groupmember(vap->va_gid, cr))) {
1455 1472 checkpriv = B_TRUE;
1456 1473 }
1457 1474 }
1458 1475 /*
1459 1476 * If necessary, check privilege to see if update can be done.
1460 1477 */
1461 1478 if (checkpriv &&
1462 1479 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1463 1480 goto out;
1464 1481 }
1465 1482
1466 1483 /*
1467 1484 * If the file has either the set UID or set GID bits
1468 1485 * set and the caller can set the bits, then leave them.
1469 1486 */
1470 1487 secpolicy_setid_clear(vap, cr);
1471 1488 }
1472 1489 if (mask & (AT_ATIME|AT_MTIME)) {
1473 1490 /*
1474 1491 * If not the file owner and not otherwise privileged,
1475 1492 * always return an error when setting the
1476 1493 * time other than the current (ATTR_UTIME flag set).
1477 1494 * If setting the current time (ATTR_UTIME not set) then
1478 1495 * unlocked_access will check permissions according to policy.
1479 1496 */
1480 1497 if (cr->cr_uid != ovap->va_uid) {
1481 1498 if (flags & ATTR_UTIME)
1482 1499 error = secpolicy_vnode_utime_modify(cr);
1483 1500 else if (skipaclchk == B_FALSE) {
1484 1501 error = unlocked_access(node, VWRITE, cr);
1485 1502 if (error == EACCES &&
1486 1503 secpolicy_vnode_utime_modify(cr) == 0)
1487 1504 error = 0;
1488 1505 }
1489 1506 if (error)
1490 1507 goto out;
1491 1508 }
1492 1509 }
1493 1510
1494 1511 /*
1495 1512 * Check for optional attributes here by checking the following:
1496 1513 */
1497 1514 if (mask & AT_XVATTR)
1498 1515 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1499 1516 vp->v_type);
1500 1517 out:
1501 1518 return (error);
1502 1519 }
1503 1520
1504 1521 /*
1505 1522 * Name: secpolicy_pcfs_modify_bootpartition()
1506 1523 *
1507 1524 * Normal: verify that subject can modify a pcfs boot partition.
1508 1525 *
1509 1526 * Output: EACCES - if privilege check failed.
1510 1527 */
1511 1528 /*ARGSUSED*/
1512 1529 int
1513 1530 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1514 1531 {
1515 1532 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1516 1533 "modify pcfs boot partition"));
1517 1534 }
1518 1535
1519 1536 /*
1520 1537 * System V IPC routines
1521 1538 */
1522 1539 int
1523 1540 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1524 1541 {
1525 1542 if (crgetzoneid(cr) != ip->ipc_zoneid ||
1526 1543 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1527 1544 boolean_t allzone = B_FALSE;
1528 1545 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1529 1546 allzone = B_TRUE;
1530 1547 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1531 1548 }
1532 1549 return (0);
1533 1550 }
1534 1551
1535 1552 int
1536 1553 secpolicy_ipc_config(const cred_t *cr)
1537 1554 {
1538 1555 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1539 1556 }
1540 1557
1541 1558 int
1542 1559 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1543 1560 {
1544 1561
1545 1562 boolean_t allzone = B_FALSE;
1546 1563
1547 1564 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1548 1565
1549 1566 if ((mode & MSG_R) &&
1550 1567 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1551 1568 return (EACCES);
1552 1569
1553 1570 if (mode & MSG_W) {
1554 1571 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1555 1572 allzone = B_TRUE;
1556 1573
1557 1574 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1558 1575 NULL));
1559 1576 }
1560 1577 return (0);
1561 1578 }
1562 1579
1563 1580 int
1564 1581 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1565 1582 {
1566 1583 boolean_t allzone = B_FALSE;
1567 1584
1568 1585 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1569 1586
1570 1587 if ((mode & MSG_R) &&
1571 1588 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1572 1589 return (EACCES);
1573 1590
1574 1591 if (mode & MSG_W) {
1575 1592 if (cr->cr_uid != 0 && owner == 0)
1576 1593 allzone = B_TRUE;
1577 1594
1578 1595 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1579 1596 NULL));
1580 1597 }
1581 1598 return (0);
1582 1599 }
1583 1600
1584 1601 /*
1585 1602 * Audit configuration.
1586 1603 */
1587 1604 int
1588 1605 secpolicy_audit_config(const cred_t *cr)
1589 1606 {
1590 1607 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1591 1608 }
1592 1609
1593 1610 /*
1594 1611 * Audit record generation.
1595 1612 */
1596 1613 int
1597 1614 secpolicy_audit_modify(const cred_t *cr)
1598 1615 {
1599 1616 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1600 1617 }
1601 1618
1602 1619 /*
1603 1620 * Get audit attributes.
1604 1621 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1605 1622 * "Least" of the two privileges on error.
1606 1623 */
1607 1624 int
1608 1625 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1609 1626 {
1610 1627 int priv;
1611 1628
1612 1629 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1613 1630 priv = PRIV_SYS_AUDIT;
1614 1631 else
1615 1632 priv = PRIV_PROC_AUDIT;
1616 1633
1617 1634 if (checkonly)
1618 1635 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1619 1636 else
1620 1637 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1621 1638 }
1622 1639
1623 1640
1624 1641 /*
1625 1642 * Locking physical memory
1626 1643 */
1627 1644 int
1628 1645 secpolicy_lock_memory(const cred_t *cr)
1629 1646 {
1630 1647 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1631 1648 }
1632 1649
1633 1650 /*
1634 1651 * Accounting (both acct(2) and exacct).
1635 1652 */
1636 1653 int
1637 1654 secpolicy_acct(const cred_t *cr)
1638 1655 {
1639 1656 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1640 1657 }
1641 1658
1642 1659 /*
1643 1660 * Is this process privileged to change its uids at will?
1644 1661 * Uid 0 is still considered "special" and having the SETID
1645 1662 * privilege is not sufficient to get uid 0.
1646 1663 * Files are owned by root, so the privilege would give
1647 1664 * full access and euid 0 is still effective.
1648 1665 *
1649 1666 * If you have the privilege and euid 0 only then do you
1650 1667 * get the powers of root wrt uid 0.
1651 1668 *
1652 1669 * For gid manipulations, this is should be called with an
1653 1670 * uid of -1.
1654 1671 *
1655 1672 */
1656 1673 int
1657 1674 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1658 1675 {
1659 1676 boolean_t allzone = B_FALSE;
1660 1677
1661 1678 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1662 1679 cr->cr_ruid != 0) {
1663 1680 allzone = B_TRUE;
1664 1681 }
1665 1682
1666 1683 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1667 1684 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1668 1685 }
1669 1686
1670 1687
1671 1688 /*
1672 1689 * Acting on a different process: if the mode is for writing,
1673 1690 * the restrictions are more severe. This is called after
1674 1691 * we've verified that the uids do not match.
1675 1692 */
1676 1693 int
1677 1694 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1678 1695 {
1679 1696 boolean_t allzone = B_FALSE;
1680 1697
1681 1698 if ((mode & VWRITE) && scr->cr_uid != 0 &&
1682 1699 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1683 1700 allzone = B_TRUE;
1684 1701
1685 1702 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1686 1703 }
1687 1704
1688 1705 int
1689 1706 secpolicy_proc_access(const cred_t *scr)
1690 1707 {
1691 1708 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1692 1709 }
1693 1710
1694 1711 int
1695 1712 secpolicy_proc_excl_open(const cred_t *scr)
1696 1713 {
1697 1714 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1698 1715 }
1699 1716
1700 1717 int
1701 1718 secpolicy_proc_zone(const cred_t *scr)
1702 1719 {
1703 1720 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1704 1721 }
1705 1722
1706 1723 /*
1707 1724 * Destroying the system
1708 1725 */
1709 1726
1710 1727 int
1711 1728 secpolicy_kmdb(const cred_t *scr)
1712 1729 {
1713 1730 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1714 1731 }
1715 1732
1716 1733 int
1717 1734 secpolicy_error_inject(const cred_t *scr)
1718 1735 {
1719 1736 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1720 1737 }
1721 1738
1722 1739 /*
1723 1740 * Processor sets, cpu configuration, resource pools.
1724 1741 */
1725 1742 int
1726 1743 secpolicy_pset(const cred_t *cr)
1727 1744 {
1728 1745 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1729 1746 }
1730 1747
1731 1748 /*
1732 1749 * Processor set binding.
1733 1750 */
1734 1751 int
1735 1752 secpolicy_pbind(const cred_t *cr)
1736 1753 {
1737 1754 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1738 1755 return (secpolicy_pset(cr));
1739 1756 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1740 1757 }
1741 1758
1742 1759 int
1743 1760 secpolicy_ponline(const cred_t *cr)
1744 1761 {
1745 1762 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1746 1763 }
1747 1764
1748 1765 int
1749 1766 secpolicy_pool(const cred_t *cr)
1750 1767 {
1751 1768 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1752 1769 }
1753 1770
1754 1771 int
1755 1772 secpolicy_blacklist(const cred_t *cr)
1756 1773 {
1757 1774 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1758 1775 }
1759 1776
1760 1777 /*
1761 1778 * Catch all system configuration.
1762 1779 */
1763 1780 int
1764 1781 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1765 1782 {
1766 1783 if (checkonly) {
1767 1784 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1768 1785 EPERM);
1769 1786 } else {
1770 1787 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1771 1788 }
1772 1789 }
1773 1790
1774 1791 /*
1775 1792 * Zone administration (halt, reboot, etc.) from within zone.
1776 1793 */
1777 1794 int
1778 1795 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1779 1796 {
1780 1797 if (checkonly) {
1781 1798 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1782 1799 EPERM);
1783 1800 } else {
1784 1801 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1785 1802 NULL));
1786 1803 }
1787 1804 }
1788 1805
1789 1806 /*
1790 1807 * Zone configuration (create, halt, enter).
1791 1808 */
1792 1809 int
1793 1810 secpolicy_zone_config(const cred_t *cr)
1794 1811 {
1795 1812 /*
1796 1813 * Require all privileges to avoid possibility of privilege
1797 1814 * escalation.
1798 1815 */
1799 1816 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1800 1817 }
1801 1818
1802 1819 /*
1803 1820 * Various other system configuration calls
1804 1821 */
1805 1822 int
1806 1823 secpolicy_coreadm(const cred_t *cr)
1807 1824 {
1808 1825 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1809 1826 }
1810 1827
1811 1828 int
1812 1829 secpolicy_systeminfo(const cred_t *cr)
1813 1830 {
1814 1831 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1815 1832 }
1816 1833
1817 1834 int
1818 1835 secpolicy_dispadm(const cred_t *cr)
1819 1836 {
1820 1837 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1821 1838 }
1822 1839
1823 1840 int
1824 1841 secpolicy_settime(const cred_t *cr)
1825 1842 {
1826 1843 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1827 1844 }
1828 1845
1829 1846 /*
1830 1847 * For realtime users: high resolution clock.
1831 1848 */
1832 1849 int
1833 1850 secpolicy_clock_highres(const cred_t *cr)
1834 1851 {
1835 1852 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1836 1853 NULL));
1837 1854 }
1838 1855
1839 1856 /*
1840 1857 * drv_priv() is documented as callable from interrupt context, not that
1841 1858 * anyone ever does, but still. No debugging or auditing can be done when
1842 1859 * it is called from interrupt context.
1843 1860 * returns 0 on succes, EPERM on failure.
1844 1861 */
1845 1862 int
1846 1863 drv_priv(cred_t *cr)
1847 1864 {
1848 1865 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1849 1866 }
1850 1867
1851 1868 int
1852 1869 secpolicy_sys_devices(const cred_t *cr)
1853 1870 {
1854 1871 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1855 1872 }
1856 1873
1857 1874 int
1858 1875 secpolicy_excl_open(const cred_t *cr)
1859 1876 {
1860 1877 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1861 1878 }
1862 1879
1863 1880 int
1864 1881 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1865 1882 {
1866 1883 /* zone.* rctls can only be set from the global zone */
1867 1884 if (is_zone_rctl && priv_policy_global(cr) != 0)
1868 1885 return (EPERM);
1869 1886 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1870 1887 }
1871 1888
1872 1889 int
1873 1890 secpolicy_resource(const cred_t *cr)
1874 1891 {
1875 1892 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1876 1893 }
1877 1894
1878 1895 int
1879 1896 secpolicy_resource_anon_mem(const cred_t *cr)
1880 1897 {
1881 1898 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1882 1899 }
1883 1900
1884 1901 /*
1885 1902 * Processes with a real uid of 0 escape any form of accounting, much
1886 1903 * like before.
1887 1904 */
1888 1905 int
1889 1906 secpolicy_newproc(const cred_t *cr)
1890 1907 {
1891 1908 if (cr->cr_ruid == 0)
1892 1909 return (0);
1893 1910
1894 1911 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1895 1912 }
1896 1913
1897 1914 /*
1898 1915 * Networking
1899 1916 */
1900 1917 int
1901 1918 secpolicy_net_rawaccess(const cred_t *cr)
1902 1919 {
1903 1920 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1904 1921 }
1905 1922
1906 1923 int
1907 1924 secpolicy_net_observability(const cred_t *cr)
1908 1925 {
1909 1926 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1910 1927 }
1911 1928
1912 1929 /*
1913 1930 * Need this privilege for accessing the ICMP device
1914 1931 */
1915 1932 int
1916 1933 secpolicy_net_icmpaccess(const cred_t *cr)
1917 1934 {
1918 1935 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1919 1936 }
1920 1937
1921 1938 /*
1922 1939 * There are a few rare cases where the kernel generates ioctls() from
1923 1940 * interrupt context with a credential of kcred rather than NULL.
1924 1941 * In those cases, we take the safe and cheap test.
1925 1942 */
1926 1943 int
1927 1944 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1928 1945 {
1929 1946 if (checkonly) {
1930 1947 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1931 1948 0 : EPERM);
1932 1949 } else {
1933 1950 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1934 1951 NULL));
1935 1952 }
1936 1953 }
1937 1954
1938 1955
1939 1956 /*
1940 1957 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1941 1958 *
1942 1959 * There are a few rare cases where the kernel generates ioctls() from
1943 1960 * interrupt context with a credential of kcred rather than NULL.
1944 1961 * In those cases, we take the safe and cheap test.
1945 1962 */
1946 1963 int
1947 1964 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1948 1965 {
1949 1966 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1950 1967 return (secpolicy_net_config(cr, checkonly));
1951 1968
1952 1969 if (checkonly) {
1953 1970 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1954 1971 0 : EPERM);
1955 1972 } else {
1956 1973 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1957 1974 NULL));
1958 1975 }
1959 1976 }
1960 1977
1961 1978 /*
1962 1979 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1963 1980 */
1964 1981 int
1965 1982 secpolicy_dl_config(const cred_t *cr)
1966 1983 {
1967 1984 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1968 1985 return (secpolicy_net_config(cr, B_FALSE));
1969 1986 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1970 1987 }
1971 1988
1972 1989 /*
1973 1990 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1974 1991 */
1975 1992 int
1976 1993 secpolicy_iptun_config(const cred_t *cr)
1977 1994 {
1978 1995 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1979 1996 return (secpolicy_net_config(cr, B_FALSE));
1980 1997 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1981 1998 return (secpolicy_dl_config(cr));
1982 1999 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1983 2000 }
1984 2001
1985 2002 /*
1986 2003 * Map IP pseudo privileges to actual privileges.
1987 2004 * So we don't need to recompile IP when we change the privileges.
1988 2005 */
1989 2006 int
1990 2007 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1991 2008 {
1992 2009 int priv = PRIV_ALL;
1993 2010
1994 2011 switch (netpriv) {
1995 2012 case OP_CONFIG:
1996 2013 priv = PRIV_SYS_IP_CONFIG;
1997 2014 break;
1998 2015 case OP_RAW:
1999 2016 priv = PRIV_NET_RAWACCESS;
2000 2017 break;
2001 2018 case OP_PRIVPORT:
2002 2019 priv = PRIV_NET_PRIVADDR;
2003 2020 break;
2004 2021 }
2005 2022 ASSERT(priv != PRIV_ALL);
2006 2023 if (checkonly)
2007 2024 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2008 2025 else
2009 2026 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2010 2027 }
2011 2028
2012 2029 /*
2013 2030 * Map network pseudo privileges to actual privileges.
2014 2031 * So we don't need to recompile IP when we change the privileges.
2015 2032 */
2016 2033 int
2017 2034 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2018 2035 {
2019 2036 int priv = PRIV_ALL;
2020 2037
2021 2038 switch (netpriv) {
2022 2039 case OP_CONFIG:
2023 2040 priv = PRIV_SYS_NET_CONFIG;
2024 2041 break;
2025 2042 case OP_RAW:
2026 2043 priv = PRIV_NET_RAWACCESS;
2027 2044 break;
2028 2045 case OP_PRIVPORT:
2029 2046 priv = PRIV_NET_PRIVADDR;
2030 2047 break;
2031 2048 }
2032 2049 ASSERT(priv != PRIV_ALL);
2033 2050 if (checkonly)
2034 2051 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2035 2052 else
2036 2053 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2037 2054 }
2038 2055
2039 2056 /*
2040 2057 * Checks for operations that are either client-only or are used by
2041 2058 * both clients and servers.
2042 2059 */
2043 2060 int
2044 2061 secpolicy_nfs(const cred_t *cr)
2045 2062 {
2046 2063 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2047 2064 }
2048 2065
2049 2066 /*
2050 2067 * Special case for opening rpcmod: have NFS privileges or network
2051 2068 * config privileges.
2052 2069 */
2053 2070 int
2054 2071 secpolicy_rpcmod_open(const cred_t *cr)
2055 2072 {
2056 2073 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2057 2074 return (secpolicy_nfs(cr));
2058 2075 else
2059 2076 return (secpolicy_net_config(cr, NULL));
2060 2077 }
2061 2078
2062 2079 int
2063 2080 secpolicy_chroot(const cred_t *cr)
2064 2081 {
2065 2082 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2066 2083 }
2067 2084
2068 2085 int
2069 2086 secpolicy_tasksys(const cred_t *cr)
2070 2087 {
2071 2088 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2072 2089 }
2073 2090
2074 2091 int
2075 2092 secpolicy_meminfo(const cred_t *cr)
2076 2093 {
2077 2094 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2078 2095 }
2079 2096
2080 2097 int
2081 2098 secpolicy_pfexec_register(const cred_t *cr)
2082 2099 {
2083 2100 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2084 2101 }
2085 2102
2086 2103 /*
2087 2104 * Basic privilege checks.
2088 2105 */
2089 2106 int
2090 2107 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2091 2108 {
2092 2109 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2093 2110
2094 2111 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2095 2112 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2096 2113 }
2097 2114
2098 2115 int
2099 2116 secpolicy_basic_fork(const cred_t *cr)
2100 2117 {
2101 2118 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2102 2119
2103 2120 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2104 2121 }
2105 2122
2106 2123 int
2107 2124 secpolicy_basic_proc(const cred_t *cr)
2108 2125 {
2109 2126 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2110 2127
2111 2128 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2112 2129 }
2113 2130
2114 2131 /*
2115 2132 * Slightly complicated because we don't want to trigger the policy too
2116 2133 * often. First we shortcircuit access to "self" (tp == sp) or if
2117 2134 * we don't have the privilege but if we have permission
2118 2135 * just return (0) and we don't flag the privilege as needed.
2119 2136 * Else, we test for the privilege because we either have it or need it.
2120 2137 */
2121 2138 int
2122 2139 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2123 2140 {
2124 2141 if (tp == sp ||
2125 2142 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2126 2143 return (0);
2127 2144 } else {
2128 2145 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2129 2146 }
2130 2147 }
2131 2148
2132 2149 int
2133 2150 secpolicy_basic_link(const cred_t *cr)
2134 2151 {
2135 2152 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2136 2153
2137 2154 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2138 2155 }
2139 2156
2140 2157 int
2141 2158 secpolicy_basic_net_access(const cred_t *cr)
2142 2159 {
2143 2160 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2144 2161
2145 2162 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2146 2163 }
2147 2164
2148 2165 /* ARGSUSED */
2149 2166 int
2150 2167 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2151 2168 {
2152 2169 FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2153 2170
2154 2171 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2155 2172 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2156 2173 }
2157 2174
2158 2175 /* ARGSUSED */
2159 2176 int
2160 2177 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2161 2178 {
2162 2179 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2163 2180
2164 2181 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2165 2182 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2166 2183 }
2167 2184
2168 2185 /*
2169 2186 * Additional device protection.
2170 2187 *
2171 2188 * Traditionally, a device has specific permissions on the node in
2172 2189 * the filesystem which govern which devices can be opened by what
2173 2190 * processes. In certain cases, it is desirable to add extra
2174 2191 * restrictions, as writing to certain devices is identical to
2175 2192 * having a complete run of the system.
2176 2193 *
2177 2194 * This mechanism is called the device policy.
2178 2195 *
2179 2196 * When a device is opened, its policy entry is looked up in the
2180 2197 * policy cache and checked.
2181 2198 */
2182 2199 int
2183 2200 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2184 2201 {
2185 2202 devplcy_t *plcy;
2186 2203 int err;
2187 2204 struct snode *csp = VTOS(common_specvp(vp));
2188 2205 priv_set_t pset;
2189 2206
2190 2207 mutex_enter(&csp->s_lock);
2191 2208
2192 2209 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2193 2210 plcy = devpolicy_find(vp);
2194 2211 if (csp->s_plcy)
2195 2212 dpfree(csp->s_plcy);
2196 2213 csp->s_plcy = plcy;
2197 2214 ASSERT(plcy != NULL);
2198 2215 } else
2199 2216 plcy = csp->s_plcy;
2200 2217
2201 2218 if (plcy == nullpolicy) {
2202 2219 mutex_exit(&csp->s_lock);
2203 2220 return (0);
2204 2221 }
2205 2222
2206 2223 dphold(plcy);
2207 2224
2208 2225 mutex_exit(&csp->s_lock);
2209 2226
2210 2227 if (oflag & FWRITE)
2211 2228 pset = plcy->dp_wrp;
2212 2229 else
2213 2230 pset = plcy->dp_rdp;
2214 2231 /*
2215 2232 * Special case:
2216 2233 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2217 2234 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2218 2235 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2219 2236 * in the required privilege set before doing the check.
2220 2237 */
2221 2238 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2222 2239 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2223 2240 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2224 2241 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2225 2242 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2226 2243 }
2227 2244
2228 2245 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2229 2246 dpfree(plcy);
2230 2247
2231 2248 return (err);
2232 2249 }
2233 2250
2234 2251 int
2235 2252 secpolicy_modctl(const cred_t *cr, int cmd)
2236 2253 {
2237 2254 switch (cmd) {
2238 2255 case MODINFO:
2239 2256 case MODGETMAJBIND:
2240 2257 case MODGETPATH:
2241 2258 case MODGETPATHLEN:
2242 2259 case MODGETNAME:
2243 2260 case MODGETFBNAME:
2244 2261 case MODGETDEVPOLICY:
2245 2262 case MODGETDEVPOLICYBYNAME:
2246 2263 case MODDEVT2INSTANCE:
2247 2264 case MODSIZEOF_DEVID:
2248 2265 case MODGETDEVID:
2249 2266 case MODSIZEOF_MINORNAME:
2250 2267 case MODGETMINORNAME:
2251 2268 case MODGETDEVFSPATH_LEN:
2252 2269 case MODGETDEVFSPATH:
2253 2270 case MODGETDEVFSPATH_MI_LEN:
2254 2271 case MODGETDEVFSPATH_MI:
2255 2272 /* Unprivileged */
2256 2273 return (0);
2257 2274 case MODLOAD:
2258 2275 case MODSETDEVPOLICY:
2259 2276 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2260 2277 KLPDARG_NONE));
2261 2278 default:
2262 2279 return (secpolicy_sys_config(cr, B_FALSE));
2263 2280 }
2264 2281 }
2265 2282
2266 2283 int
2267 2284 secpolicy_console(const cred_t *cr)
2268 2285 {
2269 2286 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2270 2287 }
2271 2288
2272 2289 int
2273 2290 secpolicy_power_mgmt(const cred_t *cr)
2274 2291 {
2275 2292 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2276 2293 }
2277 2294
2278 2295 /*
2279 2296 * Simulate terminal input; another escalation of privileges avenue.
2280 2297 */
2281 2298
2282 2299 int
2283 2300 secpolicy_sti(const cred_t *cr)
2284 2301 {
2285 2302 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2286 2303 }
2287 2304
2288 2305 boolean_t
2289 2306 secpolicy_net_reply_equal(const cred_t *cr)
2290 2307 {
2291 2308 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2292 2309 }
2293 2310
2294 2311 int
2295 2312 secpolicy_swapctl(const cred_t *cr)
2296 2313 {
2297 2314 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2298 2315 }
2299 2316
2300 2317 int
2301 2318 secpolicy_cpc_cpu(const cred_t *cr)
2302 2319 {
2303 2320 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2304 2321 }
2305 2322
2306 2323 /*
2307 2324 * secpolicy_contract_identity
2308 2325 *
2309 2326 * Determine if the subject may set the process contract FMRI value
2310 2327 */
2311 2328 int
2312 2329 secpolicy_contract_identity(const cred_t *cr)
2313 2330 {
2314 2331 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2315 2332 }
2316 2333
2317 2334 /*
2318 2335 * secpolicy_contract_observer
2319 2336 *
2320 2337 * Determine if the subject may observe a specific contract's events.
2321 2338 */
2322 2339 int
2323 2340 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2324 2341 {
2325 2342 if (contract_owned(ct, cr, B_FALSE))
2326 2343 return (0);
2327 2344 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2328 2345 }
2329 2346
2330 2347 /*
2331 2348 * secpolicy_contract_observer_choice
2332 2349 *
2333 2350 * Determine if the subject may observe any contract's events. Just
2334 2351 * tests privilege and audits on success.
2335 2352 */
2336 2353 boolean_t
2337 2354 secpolicy_contract_observer_choice(const cred_t *cr)
2338 2355 {
2339 2356 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2340 2357 }
2341 2358
2342 2359 /*
2343 2360 * secpolicy_contract_event
2344 2361 *
2345 2362 * Determine if the subject may request critical contract events or
2346 2363 * reliable contract event delivery.
2347 2364 */
2348 2365 int
2349 2366 secpolicy_contract_event(const cred_t *cr)
2350 2367 {
2351 2368 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2352 2369 }
2353 2370
2354 2371 /*
2355 2372 * secpolicy_contract_event_choice
2356 2373 *
2357 2374 * Determine if the subject may retain contract events in its critical
2358 2375 * set when a change in other terms would normally require a change in
2359 2376 * the critical set. Just tests privilege and audits on success.
2360 2377 */
2361 2378 boolean_t
2362 2379 secpolicy_contract_event_choice(const cred_t *cr)
2363 2380 {
2364 2381 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2365 2382 }
2366 2383
2367 2384 /*
2368 2385 * secpolicy_gart_access
2369 2386 *
2370 2387 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2371 2388 * device.
2372 2389 */
2373 2390 int
2374 2391 secpolicy_gart_access(const cred_t *cr)
2375 2392 {
2376 2393 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2377 2394 }
2378 2395
2379 2396 /*
2380 2397 * secpolicy_gart_map
2381 2398 *
2382 2399 * Determine if the subject has sufficient priveleges to map aperture range
2383 2400 * through agpgart driver.
2384 2401 */
2385 2402 int
2386 2403 secpolicy_gart_map(const cred_t *cr)
2387 2404 {
2388 2405 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2389 2406 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2390 2407 NULL));
2391 2408 } else {
2392 2409 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2393 2410 NULL));
2394 2411 }
2395 2412 }
2396 2413
2397 2414 /*
2398 2415 * secpolicy_zinject
2399 2416 *
2400 2417 * Determine if the subject can inject faults in the ZFS fault injection
2401 2418 * framework. Requires all privileges.
2402 2419 */
2403 2420 int
2404 2421 secpolicy_zinject(const cred_t *cr)
2405 2422 {
2406 2423 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2407 2424 }
2408 2425
2409 2426 /*
2410 2427 * secpolicy_zfs
2411 2428 *
2412 2429 * Determine if the subject has permission to manipulate ZFS datasets
2413 2430 * (not pools). Equivalent to the SYS_MOUNT privilege.
2414 2431 */
2415 2432 int
2416 2433 secpolicy_zfs(const cred_t *cr)
2417 2434 {
2418 2435 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2419 2436 }
2420 2437
2421 2438 /*
2422 2439 * secpolicy_idmap
2423 2440 *
2424 2441 * Determine if the calling process has permissions to register an SID
2425 2442 * mapping daemon and allocate ephemeral IDs.
2426 2443 */
2427 2444 int
2428 2445 secpolicy_idmap(const cred_t *cr)
2429 2446 {
2430 2447 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2431 2448 }
2432 2449
2433 2450 /*
2434 2451 * secpolicy_ucode_update
2435 2452 *
2436 2453 * Determine if the subject has sufficient privilege to update microcode.
2437 2454 */
2438 2455 int
2439 2456 secpolicy_ucode_update(const cred_t *scr)
2440 2457 {
2441 2458 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2442 2459 }
2443 2460
2444 2461 /*
2445 2462 * secpolicy_sadopen
2446 2463 *
2447 2464 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2448 2465 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2449 2466 * In global zone, sys_config is required.
2450 2467 * In exclusive-IP zones, sys_ip_config is required.
2451 2468 * Note that sys_config is prohibited in non-global zones.
2452 2469 */
2453 2470 int
2454 2471 secpolicy_sadopen(const cred_t *credp)
2455 2472 {
2456 2473 priv_set_t pset;
2457 2474
2458 2475 priv_emptyset(&pset);
2459 2476
2460 2477 if (crgetzoneid(credp) == GLOBAL_ZONEID)
2461 2478 priv_addset(&pset, PRIV_SYS_CONFIG);
2462 2479 else
2463 2480 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2464 2481
2465 2482 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2466 2483 }
2467 2484
2468 2485
2469 2486 /*
2470 2487 * Add privileges to a particular privilege set; this is called when the
2471 2488 * current sets of privileges are not sufficient. I.e., we should always
2472 2489 * call the policy override functions from here.
2473 2490 * What we are allowed to have is in the Observed Permitted set; so
2474 2491 * we compute the difference between that and the newset.
2475 2492 */
2476 2493 int
2477 2494 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2478 2495 {
2479 2496 priv_set_t rqd;
2480 2497
2481 2498 rqd = CR_OPPRIV(cr);
2482 2499
2483 2500 priv_inverse(&rqd);
2484 2501 priv_intersect(nset, &rqd);
2485 2502
2486 2503 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2487 2504 }
2488 2505
2489 2506 /*
2490 2507 * secpolicy_smb
2491 2508 *
2492 2509 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2493 2510 * that it has permission to access the smbsrv kernel driver.
2494 2511 * PRIV_POLICY checks the privilege and audits the check.
2495 2512 *
2496 2513 * Returns:
2497 2514 * 0 Driver access is allowed.
2498 2515 * EPERM Driver access is NOT permitted.
2499 2516 */
2500 2517 int
2501 2518 secpolicy_smb(const cred_t *cr)
2502 2519 {
2503 2520 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2504 2521 }
2505 2522
2506 2523 /*
2507 2524 * secpolicy_vscan
2508 2525 *
2509 2526 * Determine if cred_t has the necessary privileges to access a file
2510 2527 * for virus scanning and update its extended system attributes.
2511 2528 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2512 2529 * PRIV_FILE_FLAG_SET - set extended system attributes
2513 2530 *
2514 2531 * PRIV_POLICY checks the privilege and audits the check.
2515 2532 *
2516 2533 * Returns:
2517 2534 * 0 file access for virus scanning allowed.
2518 2535 * EPERM file access for virus scanning is NOT permitted.
2519 2536 */
2520 2537 int
2521 2538 secpolicy_vscan(const cred_t *cr)
2522 2539 {
2523 2540 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2524 2541 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2525 2542 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2526 2543 return (EPERM);
2527 2544 }
2528 2545
2529 2546 return (0);
2530 2547 }
2531 2548
2532 2549 /*
2533 2550 * secpolicy_smbfs_login
2534 2551 *
2535 2552 * Determines if the caller can add and delete the smbfs login
2536 2553 * password in the the nsmb kernel module for the CIFS client.
2537 2554 *
2538 2555 * Returns:
2539 2556 * 0 access is allowed.
2540 2557 * EPERM access is NOT allowed.
2541 2558 */
2542 2559 int
2543 2560 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2544 2561 {
2545 2562 uid_t cruid = crgetruid(cr);
2546 2563
2547 2564 if (cruid == uid)
2548 2565 return (0);
2549 2566 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2550 2567 EPERM, NULL));
2551 2568 }
2552 2569
2553 2570 /*
2554 2571 * secpolicy_xvm_control
2555 2572 *
2556 2573 * Determines if a caller can control the xVM hypervisor and/or running
2557 2574 * domains (x86 specific).
2558 2575 *
2559 2576 * Returns:
2560 2577 * 0 access is allowed.
2561 2578 * EPERM access is NOT allowed.
2562 2579 */
2563 2580 int
2564 2581 secpolicy_xvm_control(const cred_t *cr)
2565 2582 {
2566 2583 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2567 2584 return (EPERM);
2568 2585 return (0);
2569 2586 }
2570 2587
2571 2588 /*
2572 2589 * secpolicy_ppp_config
2573 2590 *
2574 2591 * Determine if the subject has sufficient privileges to configure PPP and
2575 2592 * PPP-related devices.
2576 2593 */
2577 2594 int
2578 2595 secpolicy_ppp_config(const cred_t *cr)
2579 2596 {
2580 2597 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2581 2598 return (secpolicy_net_config(cr, B_FALSE));
2582 2599 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2583 2600 }
|
↓ open down ↓ |
1328 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX