search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / uts / common / os / policy.c
blobd6821c83b05a03adfae36932bd21261856ea613c
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2016 Joyent, Inc.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
26
27 #include <sys/types.h>
28 #include <sys/sysmacros.h>
29 #include <sys/param.h>
30 #include <sys/systm.h>
31 #include <sys/cred_impl.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/stat.h>
35 #include <sys/errno.h>
36 #include <sys/kmem.h>
37 #include <sys/user.h>
38 #include <sys/proc.h>
39 #include <sys/acct.h>
40 #include <sys/ipc_impl.h>
41 #include <sys/cmn_err.h>
42 #include <sys/debug.h>
43 #include <sys/policy.h>
44 #include <sys/kobj.h>
45 #include <sys/msg.h>
46 #include <sys/devpolicy.h>
47 #include <c2/audit.h>
48 #include <sys/varargs.h>
49 #include <sys/klpd.h>
50 #include <sys/modctl.h>
51 #include <sys/disp.h>
52 #include <sys/zone.h>
53 #include <inet/optcom.h>
54 #include <sys/sdt.h>
55 #include <sys/vfs.h>
56 #include <sys/mntent.h>
57 #include <sys/contract_impl.h>
58 #include <sys/dld_ioc.h>
59
60 /*
61 * There are two possible layers of privilege routines and two possible
62 * levels of secpolicy. Plus one other we may not be interested in, so
63 * we may need as many as 6 but no more.
64 */
65 #define MAXPRIVSTACK 6
66
67 int priv_debug = 0;
68 int priv_basic_test = -1;
69
70 /*
71 * This file contains the majority of the policy routines.
72 * Since the policy routines are defined by function and not
73 * by privilege, there is quite a bit of duplication of
74 * functions.
75 *
76 * The secpolicy functions must not make assumptions about
77 * locks held or not held as any lock can be held while they're
78 * being called.
79 *
80 * Credentials are read-only so no special precautions need to
81 * be taken while locking them.
82 *
83 * When a new policy check needs to be added to the system the
84 * following procedure should be followed:
85 *
86 * Pick an appropriate secpolicy_*() function
87 * -> done if one exists.
88 * Create a new secpolicy function, preferably with
89 * a descriptive name using the standard template.
90 * Pick an appropriate privilege for the policy.
91 * If no appropraite privilege exists, define new one
92 * (this should be done with extreme care; in most cases
93 * little is gained by adding another privilege)
94 *
95 * WHY ROOT IS STILL SPECIAL.
96 *
97 * In a number of the policy functions, there are still explicit
98 * checks for uid 0. The rationale behind these is that many root
99 * owned files/objects hold configuration information which can give full
100 * privileges to the user once written to. To prevent escalation
101 * of privilege by allowing just a single privilege to modify root owned
102 * objects, we've added these root specific checks where we considered
103 * them necessary: modifying root owned files, changing uids to 0, etc.
104 *
105 * PRIVILEGE ESCALATION AND ZONES.
106 *
107 * A number of operations potentially allow the caller to achieve
108 * privileges beyond the ones normally required to perform the operation.
109 * For example, if allowed to create a setuid 0 executable, a process can
110 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
111 * restrictions on the ability to gain privileges beyond those available
112 * within the zone through file and process manipulation. Hence, such
113 * operations require that the caller have an effective set that includes
114 * all privileges available within the current zone, or all privileges
115 * if executing in the global zone.
116 *
117 * This is indicated in the priv_policy* policy checking functions
118 * through a combination of parameters. The "priv" parameter indicates
119 * the privilege that is required, and the "allzone" parameter indicates
120 * whether or not all privileges in the zone are required. In addition,
121 * priv can be set to PRIV_ALL to indicate that all privileges are
122 * required (regardless of zone). There are three scenarios of interest:
123 * (1) operation requires a specific privilege
124 * (2) operation requires a specific privilege, and requires all
125 * privileges available within the zone (or all privileges if in
126 * the global zone)
127 * (3) operation requires all privileges, regardless of zone
128 *
129 * For (1), priv should be set to the specific privilege, and allzone
130 * should be set to B_FALSE.
131 * For (2), priv should be set to the specific privilege, and allzone
132 * should be set to B_TRUE.
133 * For (3), priv should be set to PRIV_ALL, and allzone should be set
134 * to B_FALSE.
135 *
136 */
137
138 /*
139 * The privileges are checked against the Effective set for
140 * ordinary processes and checked against the Limit set
141 * for euid 0 processes that haven't manipulated their privilege
142 * sets.
143 */
144 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
145 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
146 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
147 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
148 HAS_ALLPRIVS(cr) : \
149 PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
150
151 #define FAST_BASIC_CHECK(cr, priv) \
152 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
153 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
154 return (0); \
155 }
156
157 /*
158 * Policy checking functions.
159 *
160 * All of the system's policy should be implemented here.
161 */
162
163 /*
164 * Private functions which take an additional va_list argument to
165 * implement an object specific policy override.
166 */
167 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
168 const char *, va_list);
169 static int priv_policy_va(const cred_t *, int, boolean_t, int,
170 const char *, ...);
171
172 /*
173 * Generic policy calls
174 *
175 * The "bottom" functions of policy control
176 */
177 static char *
178 mprintf(const char *fmt, ...)
179 {
180 va_list args;
181 char *buf;
182 size_t len;
183
184 va_start(args, fmt);
185 len = vsnprintf(NULL, 0, fmt, args) + 1;
186 va_end(args);
187
188 buf = kmem_alloc(len, KM_NOSLEEP);
189
190 if (buf == NULL)
191 return (NULL);
192
193 va_start(args, fmt);
194 (void) vsnprintf(buf, len, fmt, args);
195 va_end(args);
196
197 return (buf);
198 }
199
200 /*
201 * priv_policy_errmsg()
202 *
203 * Generate an error message if privilege debugging is enabled system wide
204 * or for this particular process.
205 */
206
207 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
208 #define FMTMSG " for \"%s\""
209 #define FMTFUN " needed at %s+0x%lx"
210
211 /* The maximum size privilege format: the concatenation of the above */
212 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
213
214 static void
215 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
216 {
217 struct proc *me;
218 pc_t stack[MAXPRIVSTACK];
219 int depth;
220 int i;
221 char *sym;
222 ulong_t off;
223 const char *pname;
224
225 char *cmd;
226 char fmt[sizeof (FMTMAX)];
227
228 if ((me = curproc) == &p0)
229 return;
230
231 /* Privileges must be defined */
232 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
233 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
234 priv_getbynum(priv) != NULL);
235
236 if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
237 priv = PRIV_ALL;
238
239 if (curthread->t_pre_sys)
240 ttolwp(curthread)->lwp_badpriv = (short)priv;
241
242 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
243 return;
244
245 (void) strcpy(fmt, FMTHDR);
246
247 if (me->p_user.u_comm[0])
248 cmd = &me->p_user.u_comm[0];
249 else
250 cmd = "priv_policy";
251
252 if (msg != NULL && *msg != '\0') {
253 (void) strcat(fmt, FMTMSG);
254 } else {
255 (void) strcat(fmt, "%s");
256 msg = "";
257 }
258
259 sym = NULL;
260
261 depth = getpcstack(stack, MAXPRIVSTACK);
262
263 /*
264 * Try to find the first interesting function on the stack.
265 * priv_policy* that's us, so completely uninteresting.
266 * suser(), drv_priv(), secpolicy_* are also called from
267 * too many locations to convey useful information.
268 */
269 for (i = 0; i < depth; i++) {
270 sym = kobj_getsymname((uintptr_t)stack[i], &off);
271 if (sym != NULL &&
272 strstr(sym, "hasprocperm") == 0 &&
273 strcmp("suser", sym) != 0 &&
274 strcmp("ipcaccess", sym) != 0 &&
275 strcmp("drv_priv", sym) != 0 &&
276 strncmp("secpolicy_", sym, 10) != 0 &&
277 strncmp("priv_policy", sym, 11) != 0)
278 break;
279 }
280
281 if (sym != NULL)
282 (void) strcat(fmt, FMTFUN);
283
284 (void) strcat(fmt, "\n");
285
286 switch (priv) {
287 case PRIV_ALL:
288 pname = "ALL";
289 break;
290 case PRIV_MULTIPLE:
291 pname = "MULTIPLE";
292 break;
293 case PRIV_ALLZONE:
294 pname = "ZONE";
295 break;
296 case PRIV_GLOBAL:
297 pname = "GLOBAL";
298 break;
299 default:
300 pname = priv_getbynum(priv);
301 break;
302 }
303
304 if (CR_FLAGS(cr) & PRIV_DEBUG) {
305 /* Remember last message, just like lwp_badpriv. */
306 if (curthread->t_pdmsg != NULL) {
307 kmem_free(curthread->t_pdmsg,
308 strlen(curthread->t_pdmsg) + 1);
309 }
310
311 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
312 cr->cr_uid, curthread->t_sysnum, msg, sym, off);
313
314 curthread->t_post_sys = 1;
315 }
316 if (priv_debug) {
317 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
318 curthread->t_sysnum, msg, sym, off);
319 }
320 }
321
322 /*
323 * Override the policy, if appropriate. Return 0 if the external
324 * policy engine approves.
325 */
326 static int
327 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
328 {
329 priv_set_t set;
330 int ret;
331
332 if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
333 return (-1);
334
335 if (priv == PRIV_ALL) {
336 priv_fillset(&set);
337 } else if (allzone) {
338 set = *ZONEPRIVS(cr);
339 } else {
340 priv_emptyset(&set);
341 priv_addset(&set, priv);
342 }
343 ret = klpd_call(cr, &set, ap);
344 return (ret);
345 }
346
347 static int
348 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
349 {
350 if (CR_FLAGS(cr) & PRIV_PFEXEC)
351 return (check_user_privs(cr, req));
352 if (CR_FLAGS(cr) & PRIV_XPOLICY) {
353 return (klpd_call(cr, req, ap));
354 }
355 return (-1);
356 }
357
358 static int
359 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
360 {
361 va_list ap;
362 int ret;
363
364 va_start(ap, req);
365 ret = priv_policy_override_set(cr, req, ap);
366 va_end(ap);
367 return (ret);
368 }
369
370 /*
371 * Audit failure, log error message.
372 */
373 static void
374 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
375 {
376
377 if (AU_AUDITING())
378 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
379 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
380
381 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
382 curthread->t_pre_sys) {
383 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
384 priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
385 } else {
386 ASSERT(!HAS_PRIVILEGE(cr, priv));
387 priv_policy_errmsg(cr, priv, msg);
388 }
389 }
390 }
391
392 /*
393 * priv_policy_ap()
394 * return 0 or error.
395 * See block comment above for a description of "priv" and "allzone" usage.
396 */
397 static int
398 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
399 const char *msg, va_list ap)
400 {
401 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
402 (!servicing_interrupt() &&
403 priv_policy_override(cr, priv, allzone, ap) == 0)) {
404 if ((allzone || priv == PRIV_ALL ||
405 !PRIV_ISASSERT(priv_basic, priv)) &&
406 !servicing_interrupt()) {
407 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
408 if (AU_AUDITING())
409 audit_priv(priv,
410 allzone ? ZONEPRIVS(cr) : NULL, 1);
411 }
412 err = 0;
413 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
414 } else if (!servicing_interrupt()) {
415 /* Failure audited in this procedure */
416 priv_policy_err(cr, priv, allzone, msg);
417 }
418 return (err);
419 }
420
421 int
422 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
423 const char *msg, ...)
424 {
425 int ret;
426 va_list ap;
427
428 va_start(ap, msg);
429 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
430 va_end(ap);
431
432 return (ret);
433 }
434
435 int
436 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
437 const char *msg)
438 {
439 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
440 }
441
442 /*
443 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
444 */
445 boolean_t
446 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
447 {
448 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
449 (!allzone || HAS_ALLZONEPRIVS(cr));
450
451 /* Audit success only */
452 if (res && AU_AUDITING() &&
453 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
454 !servicing_interrupt()) {
455 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
456 }
457 if (res) {
458 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
459 } else {
460 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
461 }
462 return (res);
463 }
464
465 /*
466 * Non-auditing variant of priv_policy_choice().
467 */
468 boolean_t
469 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
470 {
471 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
472 (!allzone || HAS_ALLZONEPRIVS(cr));
473
474 if (res) {
475 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
476 } else {
477 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
478 }
479 return (res);
480 }
481
482 /*
483 * Check whether all privileges in the required set are present.
484 */
485 static int
486 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
487 const char *msg, ...)
488 {
489 int priv;
490 int pfound = -1;
491 priv_set_t pset;
492 va_list ap;
493 int ret;
494
495 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
496 &CR_OEPRIV(cr))) {
497 return (0);
498 }
499
500 va_start(ap, msg);
501 ret = priv_policy_override_set(cr, req, ap);
502 va_end(ap);
503 if (ret == 0)
504 return (0);
505
506 if (req == PRIV_FULLSET || priv_isfullset(req)) {
507 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
508 return (EACCES);
509 }
510
511 pset = CR_OEPRIV(cr); /* present privileges */
512 priv_inverse(&pset); /* all non present privileges */
513 priv_intersect(req, &pset); /* the actual missing privs */
514
515 if (AU_AUDITING())
516 audit_priv(PRIV_NONE, &pset, 0);
517 /*
518 * Privilege debugging; special case "one privilege in set".
519 */
520 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
521 for (priv = 0; priv < nprivs; priv++) {
522 if (priv_ismember(&pset, priv)) {
523 if (pfound != -1) {
524 /* Multiple missing privs */
525 priv_policy_errmsg(cr, PRIV_MULTIPLE,
526 msg);
527 return (EACCES);
528 }
529 pfound = priv;
530 }
531 }
532 ASSERT(pfound != -1);
533 /* Just the one missing privilege */
534 priv_policy_errmsg(cr, pfound, msg);
535 }
536
537 return (EACCES);
538 }
539
540 /*
541 * Called when an operation requires that the caller be in the
542 * global zone, regardless of privilege.
543 */
544 static int
545 priv_policy_global(const cred_t *cr)
546 {
547 if (crgetzoneid(cr) == GLOBAL_ZONEID)
548 return (0); /* success */
549
550 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
551 curthread->t_pre_sys) {
552 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
553 }
554 return (EPERM);
555 }
556
557 /*
558 * Raising process priority
559 */
560 int
561 secpolicy_raisepriority(const cred_t *cr)
562 {
563 if (PRIV_POLICY(cr, PRIV_PROC_PRIOUP, B_FALSE, EPERM, NULL) == 0)
564 return (0);
565 return (secpolicy_setpriority(cr));
566 }
567
568 /*
569 * Changing process priority or scheduling class
570 */
571 int
572 secpolicy_setpriority(const cred_t *cr)
573 {
574 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
575 }
576
577 /*
578 * Binding to a privileged port, port must be specified in host byte
579 * order.
580 * When adding a new privilege which allows binding to currently privileged
581 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
582 * to these ports because of backward compatibility.
583 */
584 int
585 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
586 {
587 char *reason;
588 int priv;
589
590 switch (port) {
591 case 137:
592 case 138:
593 case 139:
594 case 445:
595 /*
596 * NBT and SMB ports, these are normal privileged ports,
597 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
598 * is present.
599 * Try both, if neither is present return an error for
600 * priv SYS_SMB.
601 */
602 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
603 priv = PRIV_NET_PRIVADDR;
604 else
605 priv = PRIV_SYS_SMB;
606 reason = "NBT or SMB port";
607 break;
608
609 case 2049:
610 case 4045:
611 /*
612 * NFS ports, these are extra privileged ports, allow bind
613 * only if the SYS_NFS privilege is present.
614 */
615 priv = PRIV_SYS_NFS;
616 reason = "NFS port";
617 break;
618
619 default:
620 priv = PRIV_NET_PRIVADDR;
621 reason = NULL;
622 break;
623
624 }
625
626 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
627 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
628 }
629
630 /*
631 * Binding to a multilevel port on a trusted (labeled) system.
632 */
633 int
634 secpolicy_net_bindmlp(const cred_t *cr)
635 {
636 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
637 }
638
639 /*
640 * Allow a communication between a zone and an unlabeled host when their
641 * labels don't match.
642 */
643 int
644 secpolicy_net_mac_aware(const cred_t *cr)
645 {
646 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
647 }
648
649 /*
650 * Allow a privileged process to transmit traffic without explicit labels
651 */
652 int
653 secpolicy_net_mac_implicit(const cred_t *cr)
654 {
655 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
656 }
657
658 /*
659 * Common routine which determines whether a given credential can
660 * act on a given mount.
661 * When called through mount, the parameter needoptcheck is a pointer
662 * to a boolean variable which will be set to either true or false,
663 * depending on whether the mount policy should change the mount options.
664 * In all other cases, needoptcheck should be a NULL pointer.
665 */
666 static int
667 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
668 boolean_t *needoptcheck)
669 {
670 boolean_t allzone = B_FALSE;
671 boolean_t mounting = needoptcheck != NULL;
672
673 /*
674 * Short circuit the following cases:
675 * vfsp == NULL or mvp == NULL (pure privilege check)
676 * have all privileges - no further checks required
677 * and no mount options need to be set.
678 */
679 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
680 if (mounting)
681 *needoptcheck = B_FALSE;
682
683 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
684 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
685 }
686
687 /*
688 * When operating on an existing mount (either we're not mounting
689 * or we're doing a remount and VFS_REMOUNT will be set), zones
690 * can operate only on mounts established by the zone itself.
691 */
692 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
693 zoneid_t zoneid = crgetzoneid(cr);
694
695 if (zoneid != GLOBAL_ZONEID &&
696 vfsp->vfs_zone->zone_id != zoneid) {
697 return (EPERM);
698 }
699 }
700
701 if (mounting)
702 *needoptcheck = B_TRUE;
703
704 /*
705 * Overlay mounts may hide important stuff; if you can't write to a
706 * mount point but would be able to mount on top of it, you can
707 * escalate your privileges.
708 * So we go about asking the same questions namefs does when it
709 * decides whether you can mount over a file or not but with the
710 * added restriction that you can only mount on top of a regular
711 * file or directory.
712 * If we have all the zone's privileges, we skip all other checks,
713 * or else we may actually get in trouble inside the automounter.
714 */
715 if ((mvp->v_flag & VROOT) != 0 ||
716 (mvp->v_type != VDIR && mvp->v_type != VREG) ||
717 HAS_ALLZONEPRIVS(cr)) {
718 allzone = B_TRUE;
719 } else {
720 vattr_t va;
721 int err;
722
723 va.va_mask = AT_UID|AT_MODE;
724 err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
725 if (err != 0)
726 return (err);
727
728 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
729 return (err);
730
731 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
732 VWRITE) != 0) {
733 return (EACCES);
734 }
735 }
736 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
737 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
738 }
739
740 void
741 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
742 {
743 boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
744
745 /*
746 * check; if we don't have either "nosuid" or
747 * both "nosetuid" and "nodevices", then we add
748 * "nosuid"; this depends on how the current
749 * implementation works (it first checks nosuid). In a
750 * zone, a user with all zone privileges can mount with
751 * "setuid" but never with "devices".
752 */
753 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
754 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
755 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
756 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
757 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
758 else
759 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
760 }
761 /*
762 * If we're not the local super user, we set the "restrict"
763 * option to indicate to automountd that this mount should
764 * be handled with care.
765 */
766 if (!amsuper)
767 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
768
769 }
770
771 int
772 secpolicy_fs_allowed_mount(const char *fsname)
773 {
774 struct vfssw *vswp;
775 const char *p;
776 size_t len;
777
778 ASSERT(fsname != NULL);
779 ASSERT(fsname[0] != '\0');
780
781 if (INGLOBALZONE(curproc))
782 return (0);
783
784 vswp = vfs_getvfssw(fsname);
785 if (vswp == NULL)
786 return (ENOENT);
787
788 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
789 vfs_unrefvfssw(vswp);
790 return (0);
791 }
792
793 vfs_unrefvfssw(vswp);
794
795 p = curzone->zone_fs_allowed;
796 len = strlen(fsname);
797
798 while (p != NULL && *p != '\0') {
799 if (strncmp(p, fsname, len) == 0) {
800 char c = *(p + len);
801 if (c == '\0' || c == ',')
802 return (0);
803 }
804
805 /* skip to beyond the next comma */
806 if ((p = strchr(p, ',')) != NULL)
807 p++;
808 }
809
810 return (EPERM);
811 }
812
813 extern vnode_t *rootvp;
814 extern vfs_t *rootvfs;
815
816 int
817 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
818 {
819 boolean_t needoptchk;
820 int error;
821
822 /*
823 * If it's a remount, get the underlying mount point,
824 * except for the root where we use the rootvp.
825 */
826 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
827 if (vfsp == rootvfs)
828 mvp = rootvp;
829 else
830 mvp = vfsp->vfs_vnodecovered;
831 }
832
833 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
834
835 if (error == 0 && needoptchk) {
836 secpolicy_fs_mount_clearopts(cr, vfsp);
837 }
838
839 return (error);
840 }
841
842 /*
843 * Does the policy computations for "ownership" of a mount;
844 * here ownership is defined as the ability to "mount"
845 * the filesystem originally. The rootvfs doesn't cover any
846 * vnodes; we attribute its ownership to the rootvp.
847 */
848 static int
849 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
850 {
851 vnode_t *mvp;
852
853 if (vfsp == NULL)
854 mvp = NULL;
855 else if (vfsp == rootvfs)
856 mvp = rootvp;
857 else
858 mvp = vfsp->vfs_vnodecovered;
859
860 return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
861 }
862
863 int
864 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
865 {
866 return (secpolicy_fs_owner(cr, vfsp));
867 }
868
869 /*
870 * Quotas are a resource, but if one has the ability to mount a filesystem,
871 * they should be able to modify quotas on it.
872 */
873 int
874 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
875 {
876 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
877 }
878
879 /*
880 * Exceeding minfree: also a per-mount resource constraint.
881 */
882 int
883 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
884 {
885 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
886 }
887
888 int
889 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
890 {
891 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
892 }
893
894 /* ARGSUSED */
895 int
896 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
897 {
898 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
899 }
900
901 /*
902 * Name: secpolicy_vnode_access()
903 *
904 * Parameters: Process credential
905 * vnode
906 * uid of owner of vnode
907 * permission bits not granted to the caller when examining
908 * file mode bits (i.e., when a process wants to open a
909 * mode 444 file for VREAD|VWRITE, this function should be
910 * called only with a VWRITE argument).
911 *
912 * Normal: Verifies that cred has the appropriate privileges to
913 * override the mode bits that were denied.
914 *
915 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
916 * not a directory.
917 * file_dac_read - if VREAD bit was denied.
918 * file_dac_search - if VEXEC bit was denied and vnode is
919 * a directory.
920 * file_dac_write - if VWRITE bit was denied.
921 *
922 * Root owned files are special cased to protect system
923 * configuration files and such.
924 *
925 * Output: EACCES - if privilege check fails.
926 */
927
928 int
929 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
930 {
931 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
932 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
933 KLPDARG_NOMORE) != 0) {
934 return (EACCES);
935 }
936
937 if (mode & VWRITE) {
938 boolean_t allzone;
939
940 if (owner == 0 && cr->cr_uid != 0)
941 allzone = B_TRUE;
942 else
943 allzone = B_FALSE;
944 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
945 NULL, KLPDARG_VNODE, vp, (char *)NULL,
946 KLPDARG_NOMORE) != 0) {
947 return (EACCES);
948 }
949 }
950
951 if (mode & VEXEC) {
952 /*
953 * Directories use file_dac_search to override the execute bit.
954 */
955 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
956 PRIV_FILE_DAC_EXECUTE;
957
958 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
959 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
960 }
961 return (0);
962 }
963
964 /*
965 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
966 * current mode of the file, not the missing bits.
967 */
968 int
969 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
970 mode_t curmode, mode_t wantmode)
971 {
972 mode_t mode;
973
974 /* Inline the basic privileges tests. */
975 if ((wantmode & VREAD) &&
976 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
977 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
978 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
979 return (EACCES);
980 }
981
982 if ((wantmode & VWRITE) &&
983 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
984 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
985 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
986 return (EACCES);
987 }
988
989 mode = ~curmode & wantmode;
990
991 if (mode == 0)
992 return (0);
993
994 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
995 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
996 KLPDARG_NOMORE) != 0) {
997 return (EACCES);
998 }
999
1000 if (mode & VWRITE) {
1001 boolean_t allzone;
1002
1003 if (owner == 0 && cr->cr_uid != 0)
1004 allzone = B_TRUE;
1005 else
1006 allzone = B_FALSE;
1007 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
1008 NULL, KLPDARG_VNODE, vp, (char *)NULL,
1009 KLPDARG_NOMORE) != 0) {
1010 return (EACCES);
1011 }
1012 }
1013
1014 if (mode & VEXEC) {
1015 /*
1016 * Directories use file_dac_search to override the execute bit.
1017 */
1018 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1019 PRIV_FILE_DAC_EXECUTE;
1020
1021 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1022 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1023 }
1024 return (0);
1025 }
1026
1027 /*
1028 * This is a special routine for ZFS; it is used to determine whether
1029 * any of the privileges in effect allow any form of access to the
1030 * file. There's no reason to audit this or any reason to record
1031 * this. More work is needed to do the "KPLD" stuff.
1032 */
1033 int
1034 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1035 {
1036 static int privs[] = {
1037 PRIV_FILE_OWNER,
1038 PRIV_FILE_CHOWN,
1039 PRIV_FILE_DAC_READ,
1040 PRIV_FILE_DAC_WRITE,
1041 PRIV_FILE_DAC_EXECUTE,
1042 PRIV_FILE_DAC_SEARCH,
1043 };
1044 int i;
1045
1046 /* Same as secpolicy_vnode_setdac */
1047 if (owner == cr->cr_uid)
1048 return (0);
1049
1050 for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1051 boolean_t allzone = B_FALSE;
1052 int priv;
1053
1054 switch (priv = privs[i]) {
1055 case PRIV_FILE_DAC_EXECUTE:
1056 if (vp->v_type == VDIR)
1057 continue;
1058 break;
1059 case PRIV_FILE_DAC_SEARCH:
1060 if (vp->v_type != VDIR)
1061 continue;
1062 break;
1063 case PRIV_FILE_DAC_WRITE:
1064 case PRIV_FILE_OWNER:
1065 case PRIV_FILE_CHOWN:
1066 /* We know here that if owner == 0, that cr_uid != 0 */
1067 allzone = owner == 0;
1068 break;
1069 }
1070 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1071 return (0);
1072 }
1073 return (EPERM);
1074 }
1075
1076 /*
1077 * Name: secpolicy_vnode_setid_modify()
1078 *
1079 * Normal: verify that subject can set the file setid flags.
1080 *
1081 * Output: EPERM - if not privileged.
1082 */
1083
1084 static int
1085 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1086 {
1087 /* If changing to suid root, must have all zone privs */
1088 boolean_t allzone = B_TRUE;
1089
1090 if (owner != 0) {
1091 if (owner == cr->cr_uid)
1092 return (0);
1093 allzone = B_FALSE;
1094 }
1095 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1096 }
1097
1098 /*
1099 * Are we allowed to retain the set-uid/set-gid bits when
1100 * changing ownership or when writing to a file?
1101 * "issuid" should be true when set-uid; only in that case
1102 * root ownership is checked (setgid is assumed).
1103 */
1104 int
1105 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1106 {
1107 if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1108 return (EPERM);
1109
1110 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1111 }
1112
1113 /*
1114 * Name: secpolicy_vnode_setids_setgids()
1115 *
1116 * Normal: verify that subject can set the file setgid flag.
1117 *
1118 * Output: EPERM - if not privileged
1119 */
1120
1121 int
1122 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1123 {
1124 if (!groupmember(gid, cred))
1125 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1126 NULL));
1127 return (0);
1128 }
1129
1130 /*
1131 * Name: secpolicy_vnode_chown
1132 *
1133 * Normal: Determine if subject can chown owner of a file.
1134 *
1135 * Output: EPERM - if access denied
1136 */
1137
1138 int
1139 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1140 {
1141 boolean_t is_owner = (owner == crgetuid(cred));
1142 boolean_t allzone = B_FALSE;
1143 int priv;
1144
1145 if (!is_owner) {
1146 allzone = (owner == 0);
1147 priv = PRIV_FILE_CHOWN;
1148 } else {
1149 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1150 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1151 }
1152
1153 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1154 }
1155
1156 /*
1157 * Name: secpolicy_vnode_create_gid
1158 *
1159 * Normal: Determine if subject can change group ownership of a file.
1160 *
1161 * Output: EPERM - if access denied
1162 */
1163 int
1164 secpolicy_vnode_create_gid(const cred_t *cred)
1165 {
1166 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1167 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1168 NULL));
1169 else
1170 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1171 NULL));
1172 }
1173
1174 /*
1175 * Name: secpolicy_vnode_utime_modify()
1176 *
1177 * Normal: verify that subject can modify the utime on a file.
1178 *
1179 * Output: EPERM - if access denied.
1180 */
1181
1182 static int
1183 secpolicy_vnode_utime_modify(const cred_t *cred)
1184 {
1185 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1186 "modify file times"));
1187 }
1188
1189
1190 /*
1191 * Name: secpolicy_vnode_setdac()
1192 *
1193 * Normal: verify that subject can modify the mode of a file.
1194 * allzone privilege needed when modifying root owned object.
1195 *
1196 * Output: EPERM - if access denied.
1197 */
1198
1199 int
1200 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1201 {
1202 if (owner == cred->cr_uid)
1203 return (0);
1204
1205 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1206 }
1207 /*
1208 * Name: secpolicy_vnode_stky_modify()
1209 *
1210 * Normal: verify that subject can make a file a "sticky".
1211 *
1212 * Output: EPERM - if access denied.
1213 */
1214
1215 int
1216 secpolicy_vnode_stky_modify(const cred_t *cred)
1217 {
1218 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1219 "set file sticky"));
1220 }
1221
1222 /*
1223 * Policy determines whether we can remove an entry from a directory,
1224 * regardless of permission bits.
1225 */
1226 int
1227 secpolicy_vnode_remove(const cred_t *cr)
1228 {
1229 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1230 "sticky directory"));
1231 }
1232
1233 int
1234 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1235 {
1236 boolean_t allzone = (owner == 0);
1237
1238 if (owner == cr->cr_uid)
1239 return (0);
1240
1241 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1242 }
1243
1244 void
1245 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1246 {
1247 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1248 secpolicy_vnode_setid_retain(cr,
1249 (vap->va_mode & S_ISUID) != 0 &&
1250 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1251 vap->va_mask |= AT_MODE;
1252 vap->va_mode &= ~(S_ISUID|S_ISGID);
1253 }
1254 }
1255
1256 int
1257 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1258 cred_t *cr)
1259 {
1260 int error;
1261
1262 if ((vap->va_mode & S_ISUID) != 0 &&
1263 (error = secpolicy_vnode_setid_modify(cr,
1264 ovap->va_uid)) != 0) {
1265 return (error);
1266 }
1267
1268 /*
1269 * Check privilege if attempting to set the
1270 * sticky bit on a non-directory.
1271 */
1272 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1273 secpolicy_vnode_stky_modify(cr) != 0) {
1274 vap->va_mode &= ~S_ISVTX;
1275 }
1276
1277 /*
1278 * Check for privilege if attempting to set the
1279 * group-id bit.
1280 */
1281 if ((vap->va_mode & S_ISGID) != 0 &&
1282 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1283 vap->va_mode &= ~S_ISGID;
1284 }
1285
1286 return (0);
1287 }
1288
1289 #define ATTR_FLAG_PRIV(attr, value, cr) \
1290 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1291 B_FALSE, EPERM, NULL)
1292
1293 /*
1294 * Check privileges for setting xvattr attributes
1295 */
1296 int
1297 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1298 {
1299 xoptattr_t *xoap;
1300 int error = 0;
1301
1302 if ((xoap = xva_getxoptattr(xvap)) == NULL)
1303 return (EINVAL);
1304
1305 /*
1306 * First process the DOS bits
1307 */
1308 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1309 XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1310 XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1311 XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1312 XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1313 XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1314 XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1315 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1316 return (error);
1317 }
1318
1319 /*
1320 * Now handle special attributes
1321 */
1322
1323 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1324 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1325 xoap->xoa_immutable, cr);
1326 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1327 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1328 xoap->xoa_nounlink, cr);
1329 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1330 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1331 xoap->xoa_appendonly, cr);
1332 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1333 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1334 xoap->xoa_nodump, cr);
1335 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1336 error = EPERM;
1337 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1338 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1339 xoap->xoa_av_quarantined, cr);
1340 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1341 error = EINVAL;
1342 }
1343 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1344 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1345 xoap->xoa_av_modified, cr);
1346 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1347 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1348 xoap->xoa_av_scanstamp, cr);
1349 if (error == 0 && vtype != VREG)
1350 error = EINVAL;
1351 }
1352 return (error);
1353 }
1354
1355 /*
1356 * This function checks the policy decisions surrounding the
1357 * vop setattr call.
1358 *
1359 * It should be called after sufficient locks have been established
1360 * on the underlying data structures. No concurrent modifications
1361 * should be allowed.
1362 *
1363 * The caller must pass in unlocked version of its vaccess function
1364 * this is required because vop_access function should lock the
1365 * node for reading. A three argument function should be defined
1366 * which accepts the following argument:
1367 * A pointer to the internal "node" type (inode *)
1368 * vnode access bits (VREAD|VWRITE|VEXEC)
1369 * a pointer to the credential
1370 *
1371 * This function makes the following policy decisions:
1372 *
1373 * - change permissions
1374 * - permission to change file mode if not owner
1375 * - permission to add sticky bit to non-directory
1376 * - permission to add set-gid bit
1377 *
1378 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1379 *
1380 * If the vap argument does not include AT_MODE, the mode will be copied from
1381 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1382 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1383 * is updated to the newly computed mode.
1384 */
1385
1386 int
1387 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1388 const struct vattr *ovap, int flags,
1389 int unlocked_access(void *, int, cred_t *),
1390 void *node)
1391 {
1392 int mask = vap->va_mask;
1393 int error = 0;
1394 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1395
1396 if (mask & AT_SIZE) {
1397 if (vp->v_type == VDIR) {
1398 error = EISDIR;
1399 goto out;
1400 }
1401
1402 /*
1403 * If ATTR_NOACLCHECK is set in the flags, then we don't
1404 * perform the secondary unlocked_access() call since the
1405 * ACL (if any) is being checked there.
1406 */
1407 if (skipaclchk == B_FALSE) {
1408 error = unlocked_access(node, VWRITE, cr);
1409 if (error)
1410 goto out;
1411 }
1412 }
1413 if (mask & AT_MODE) {
1414 /*
1415 * If not the owner of the file then check privilege
1416 * for two things: the privilege to set the mode at all
1417 * and, if we're setting setuid, we also need permissions
1418 * to add the set-uid bit, if we're not the owner.
1419 * In the specific case of creating a set-uid root
1420 * file, we need even more permissions.
1421 */
1422 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1423 goto out;
1424
1425 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1426 ovap, cr)) != 0)
1427 goto out;
1428 } else
1429 vap->va_mode = ovap->va_mode;
1430
1431 if (mask & (AT_UID|AT_GID)) {
1432 boolean_t checkpriv = B_FALSE;
1433
1434 /*
1435 * Chowning files.
1436 *
1437 * If you are the file owner:
1438 * chown to other uid FILE_CHOWN_SELF
1439 * chown to gid (non-member) FILE_CHOWN_SELF
1440 * chown to gid (member) <none>
1441 *
1442 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1443 * acceptable but the first one is reported when debugging.
1444 *
1445 * If you are not the file owner:
1446 * chown from root PRIV_FILE_CHOWN + zone
1447 * chown from other to any PRIV_FILE_CHOWN
1448 *
1449 */
1450 if (cr->cr_uid != ovap->va_uid) {
1451 checkpriv = B_TRUE;
1452 } else {
1453 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1454 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1455 !groupmember(vap->va_gid, cr))) {
1456 checkpriv = B_TRUE;
1457 }
1458 }
1459 /*
1460 * If necessary, check privilege to see if update can be done.
1461 */
1462 if (checkpriv &&
1463 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1464 goto out;
1465 }
1466
1467 /*
1468 * If the file has either the set UID or set GID bits
1469 * set and the caller can set the bits, then leave them.
1470 */
1471 secpolicy_setid_clear(vap, cr);
1472 }
1473 if (mask & (AT_ATIME|AT_MTIME)) {
1474 /*
1475 * If not the file owner and not otherwise privileged,
1476 * always return an error when setting the
1477 * time other than the current (ATTR_UTIME flag set).
1478 * If setting the current time (ATTR_UTIME not set) then
1479 * unlocked_access will check permissions according to policy.
1480 */
1481 if (cr->cr_uid != ovap->va_uid) {
1482 if (flags & ATTR_UTIME)
1483 error = secpolicy_vnode_utime_modify(cr);
1484 else if (skipaclchk == B_FALSE) {
1485 error = unlocked_access(node, VWRITE, cr);
1486 if (error == EACCES &&
1487 secpolicy_vnode_utime_modify(cr) == 0)
1488 error = 0;
1489 }
1490 if (error)
1491 goto out;
1492 }
1493 }
1494
1495 /*
1496 * Check for optional attributes here by checking the following:
1497 */
1498 if (mask & AT_XVATTR)
1499 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1500 vp->v_type);
1501 out:
1502 return (error);
1503 }
1504
1505 /*
1506 * Name: secpolicy_pcfs_modify_bootpartition()
1507 *
1508 * Normal: verify that subject can modify a pcfs boot partition.
1509 *
1510 * Output: EACCES - if privilege check failed.
1511 */
1512 /*ARGSUSED*/
1513 int
1514 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1515 {
1516 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1517 "modify pcfs boot partition"));
1518 }
1519
1520 /*
1521 * System V IPC routines
1522 */
1523 int
1524 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1525 {
1526 if (crgetzoneid(cr) != ip->ipc_zoneid ||
1527 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1528 boolean_t allzone = B_FALSE;
1529 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1530 allzone = B_TRUE;
1531 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1532 }
1533 return (0);
1534 }
1535
1536 int
1537 secpolicy_ipc_config(const cred_t *cr)
1538 {
1539 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1540 }
1541
1542 int
1543 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1544 {
1545
1546 boolean_t allzone = B_FALSE;
1547
1548 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1549
1550 if ((mode & MSG_R) &&
1551 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1552 return (EACCES);
1553
1554 if (mode & MSG_W) {
1555 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1556 allzone = B_TRUE;
1557
1558 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1559 NULL));
1560 }
1561 return (0);
1562 }
1563
1564 int
1565 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1566 {
1567 boolean_t allzone = B_FALSE;
1568
1569 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1570
1571 if ((mode & MSG_R) &&
1572 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1573 return (EACCES);
1574
1575 if (mode & MSG_W) {
1576 if (cr->cr_uid != 0 && owner == 0)
1577 allzone = B_TRUE;
1578
1579 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1580 NULL));
1581 }
1582 return (0);
1583 }
1584
1585 /*
1586 * Audit configuration.
1587 */
1588 int
1589 secpolicy_audit_config(const cred_t *cr)
1590 {
1591 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1592 }
1593
1594 /*
1595 * Audit record generation.
1596 */
1597 int
1598 secpolicy_audit_modify(const cred_t *cr)
1599 {
1600 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1601 }
1602
1603 /*
1604 * Get audit attributes.
1605 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1606 * "Least" of the two privileges on error.
1607 */
1608 int
1609 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1610 {
1611 int priv;
1612
1613 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1614 priv = PRIV_SYS_AUDIT;
1615 else
1616 priv = PRIV_PROC_AUDIT;
1617
1618 if (checkonly)
1619 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1620 else
1621 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1622 }
1623
1624
1625 /*
1626 * Locking physical memory
1627 */
1628 int
1629 secpolicy_lock_memory(const cred_t *cr)
1630 {
1631 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1632 }
1633
1634 /*
1635 * Accounting (both acct(2) and exacct).
1636 */
1637 int
1638 secpolicy_acct(const cred_t *cr)
1639 {
1640 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1641 }
1642
1643 /*
1644 * Is this process privileged to change its uids at will?
1645 * Uid 0 is still considered "special" and having the SETID
1646 * privilege is not sufficient to get uid 0.
1647 * Files are owned by root, so the privilege would give
1648 * full access and euid 0 is still effective.
1649 *
1650 * If you have the privilege and euid 0 only then do you
1651 * get the powers of root wrt uid 0.
1652 *
1653 * For gid manipulations, this is should be called with an
1654 * uid of -1.
1655 *
1656 */
1657 int
1658 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1659 {
1660 boolean_t allzone = B_FALSE;
1661
1662 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1663 cr->cr_ruid != 0) {
1664 allzone = B_TRUE;
1665 }
1666
1667 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1668 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1669 }
1670
1671
1672 /*
1673 * Acting on a different process: if the mode is for writing,
1674 * the restrictions are more severe. This is called after
1675 * we've verified that the uids do not match.
1676 */
1677 int
1678 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1679 {
1680 boolean_t allzone = B_FALSE;
1681
1682 if ((mode & VWRITE) && scr->cr_uid != 0 &&
1683 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1684 allzone = B_TRUE;
1685
1686 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1687 }
1688
1689 int
1690 secpolicy_proc_access(const cred_t *scr)
1691 {
1692 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1693 }
1694
1695 int
1696 secpolicy_proc_excl_open(const cred_t *scr)
1697 {
1698 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1699 }
1700
1701 int
1702 secpolicy_proc_zone(const cred_t *scr)
1703 {
1704 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1705 }
1706
1707 /*
1708 * Destroying the system
1709 */
1710
1711 int
1712 secpolicy_kmdb(const cred_t *scr)
1713 {
1714 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1715 }
1716
1717 int
1718 secpolicy_error_inject(const cred_t *scr)
1719 {
1720 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1721 }
1722
1723 /*
1724 * Processor sets, cpu configuration, resource pools.
1725 */
1726 int
1727 secpolicy_pset(const cred_t *cr)
1728 {
1729 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1730 }
1731
1732 /* Process security flags */
1733 int
1734 secpolicy_psecflags(const cred_t *cr, proc_t *tp, proc_t *sp)
1735 {
1736 if (PRIV_POLICY(cr, PRIV_PROC_SECFLAGS, B_FALSE, EPERM, NULL) != 0)
1737 return (EPERM);
1738
1739 if (!prochasprocperm(tp, sp, cr))
1740 return (EPERM);
1741
1742 return (0);
1743 }
1744
1745 /*
1746 * Processor set binding.
1747 */
1748 int
1749 secpolicy_pbind(const cred_t *cr)
1750 {
1751 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1752 return (secpolicy_pset(cr));
1753 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1754 }
1755
1756 int
1757 secpolicy_ponline(const cred_t *cr)
1758 {
1759 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1760 }
1761
1762 int
1763 secpolicy_pool(const cred_t *cr)
1764 {
1765 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1766 }
1767
1768 int
1769 secpolicy_blacklist(const cred_t *cr)
1770 {
1771 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1772 }
1773
1774 /*
1775 * Catch all system configuration.
1776 */
1777 int
1778 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1779 {
1780 if (checkonly) {
1781 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1782 EPERM);
1783 } else {
1784 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1785 }
1786 }
1787
1788 /*
1789 * Zone administration (halt, reboot, etc.) from within zone.
1790 */
1791 int
1792 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1793 {
1794 if (checkonly) {
1795 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1796 EPERM);
1797 } else {
1798 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1799 NULL));
1800 }
1801 }
1802
1803 /*
1804 * Zone configuration (create, halt, enter).
1805 */
1806 int
1807 secpolicy_zone_config(const cred_t *cr)
1808 {
1809 /*
1810 * Require all privileges to avoid possibility of privilege
1811 * escalation.
1812 */
1813 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1814 }
1815
1816 /*
1817 * Various other system configuration calls
1818 */
1819 int
1820 secpolicy_coreadm(const cred_t *cr)
1821 {
1822 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1823 }
1824
1825 int
1826 secpolicy_systeminfo(const cred_t *cr)
1827 {
1828 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1829 }
1830
1831 int
1832 secpolicy_dispadm(const cred_t *cr)
1833 {
1834 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1835 }
1836
1837 int
1838 secpolicy_settime(const cred_t *cr)
1839 {
1840 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1841 }
1842
1843 /*
1844 * For realtime users: high resolution clock.
1845 */
1846 int
1847 secpolicy_clock_highres(const cred_t *cr)
1848 {
1849 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1850 NULL));
1851 }
1852
1853 /*
1854 * drv_priv() is documented as callable from interrupt context, not that
1855 * anyone ever does, but still. No debugging or auditing can be done when
1856 * it is called from interrupt context.
1857 * returns 0 on succes, EPERM on failure.
1858 */
1859 int
1860 drv_priv(cred_t *cr)
1861 {
1862 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1863 }
1864
1865 int
1866 secpolicy_sys_devices(const cred_t *cr)
1867 {
1868 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1869 }
1870
1871 int
1872 secpolicy_excl_open(const cred_t *cr)
1873 {
1874 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1875 }
1876
1877 int
1878 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1879 {
1880 /* zone.* rctls can only be set from the global zone */
1881 if (is_zone_rctl && priv_policy_global(cr) != 0)
1882 return (EPERM);
1883 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1884 }
1885
1886 int
1887 secpolicy_resource(const cred_t *cr)
1888 {
1889 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1890 }
1891
1892 int
1893 secpolicy_resource_anon_mem(const cred_t *cr)
1894 {
1895 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1896 }
1897
1898 /*
1899 * Processes with a real uid of 0 escape any form of accounting, much
1900 * like before.
1901 */
1902 int
1903 secpolicy_newproc(const cred_t *cr)
1904 {
1905 if (cr->cr_ruid == 0)
1906 return (0);
1907
1908 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1909 }
1910
1911 /*
1912 * Networking
1913 */
1914 int
1915 secpolicy_net_rawaccess(const cred_t *cr)
1916 {
1917 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1918 }
1919
1920 int
1921 secpolicy_net_observability(const cred_t *cr)
1922 {
1923 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1924 }
1925
1926 /*
1927 * Need this privilege for accessing the ICMP device
1928 */
1929 int
1930 secpolicy_net_icmpaccess(const cred_t *cr)
1931 {
1932 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1933 }
1934
1935 /*
1936 * There are a few rare cases where the kernel generates ioctls() from
1937 * interrupt context with a credential of kcred rather than NULL.
1938 * In those cases, we take the safe and cheap test.
1939 */
1940 int
1941 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1942 {
1943 if (checkonly) {
1944 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1945 0 : EPERM);
1946 } else {
1947 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1948 NULL));
1949 }
1950 }
1951
1952
1953 /*
1954 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1955 *
1956 * There are a few rare cases where the kernel generates ioctls() from
1957 * interrupt context with a credential of kcred rather than NULL.
1958 * In those cases, we take the safe and cheap test.
1959 */
1960 int
1961 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1962 {
1963 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1964 return (secpolicy_net_config(cr, checkonly));
1965
1966 if (checkonly) {
1967 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1968 0 : EPERM);
1969 } else {
1970 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1971 NULL));
1972 }
1973 }
1974
1975 /*
1976 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1977 */
1978 int
1979 secpolicy_dl_config(const cred_t *cr)
1980 {
1981 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1982 return (secpolicy_net_config(cr, B_FALSE));
1983 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1984 }
1985
1986 /*
1987 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1988 */
1989 int
1990 secpolicy_iptun_config(const cred_t *cr)
1991 {
1992 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1993 return (secpolicy_net_config(cr, B_FALSE));
1994 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1995 return (secpolicy_dl_config(cr));
1996 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1997 }
1998
1999 /*
2000 * Map IP pseudo privileges to actual privileges.
2001 * So we don't need to recompile IP when we change the privileges.
2002 */
2003 int
2004 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
2005 {
2006 int priv = PRIV_ALL;
2007
2008 switch (netpriv) {
2009 case OP_CONFIG:
2010 priv = PRIV_SYS_IP_CONFIG;
2011 break;
2012 case OP_RAW:
2013 priv = PRIV_NET_RAWACCESS;
2014 break;
2015 case OP_PRIVPORT:
2016 priv = PRIV_NET_PRIVADDR;
2017 break;
2018 }
2019 ASSERT(priv != PRIV_ALL);
2020 if (checkonly)
2021 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2022 else
2023 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2024 }
2025
2026 /*
2027 * Map network pseudo privileges to actual privileges.
2028 * So we don't need to recompile IP when we change the privileges.
2029 */
2030 int
2031 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2032 {
2033 int priv = PRIV_ALL;
2034
2035 switch (netpriv) {
2036 case OP_CONFIG:
2037 priv = PRIV_SYS_NET_CONFIG;
2038 break;
2039 case OP_RAW:
2040 priv = PRIV_NET_RAWACCESS;
2041 break;
2042 case OP_PRIVPORT:
2043 priv = PRIV_NET_PRIVADDR;
2044 break;
2045 }
2046 ASSERT(priv != PRIV_ALL);
2047 if (checkonly)
2048 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2049 else
2050 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2051 }
2052
2053 /*
2054 * Checks for operations that are either client-only or are used by
2055 * both clients and servers.
2056 */
2057 int
2058 secpolicy_nfs(const cred_t *cr)
2059 {
2060 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2061 }
2062
2063 /*
2064 * Special case for opening rpcmod: have NFS privileges or network
2065 * config privileges.
2066 */
2067 int
2068 secpolicy_rpcmod_open(const cred_t *cr)
2069 {
2070 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2071 return (secpolicy_nfs(cr));
2072 else
2073 return (secpolicy_net_config(cr, NULL));
2074 }
2075
2076 int
2077 secpolicy_chroot(const cred_t *cr)
2078 {
2079 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2080 }
2081
2082 int
2083 secpolicy_tasksys(const cred_t *cr)
2084 {
2085 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2086 }
2087
2088 int
2089 secpolicy_meminfo(const cred_t *cr)
2090 {
2091 return (PRIV_POLICY(cr, PRIV_PROC_MEMINFO, B_FALSE, EPERM, NULL));
2092 }
2093
2094 int
2095 secpolicy_pfexec_register(const cred_t *cr)
2096 {
2097 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2098 }
2099
2100 /*
2101 * Basic privilege checks.
2102 */
2103 int
2104 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2105 {
2106 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2107
2108 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2109 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2110 }
2111
2112 int
2113 secpolicy_basic_fork(const cred_t *cr)
2114 {
2115 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2116
2117 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2118 }
2119
2120 int
2121 secpolicy_basic_proc(const cred_t *cr)
2122 {
2123 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2124
2125 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2126 }
2127
2128 /*
2129 * Slightly complicated because we don't want to trigger the policy too
2130 * often. First we shortcircuit access to "self" (tp == sp) or if
2131 * we don't have the privilege but if we have permission
2132 * just return (0) and we don't flag the privilege as needed.
2133 * Else, we test for the privilege because we either have it or need it.
2134 */
2135 int
2136 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2137 {
2138 if (tp == sp ||
2139 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2140 return (0);
2141 } else {
2142 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2143 }
2144 }
2145
2146 int
2147 secpolicy_basic_link(const cred_t *cr)
2148 {
2149 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2150
2151 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2152 }
2153
2154 int
2155 secpolicy_basic_net_access(const cred_t *cr)
2156 {
2157 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2158
2159 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2160 }
2161
2162 /* ARGSUSED */
2163 int
2164 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2165 {
2166 FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2167
2168 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2169 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2170 }
2171
2172 /* ARGSUSED */
2173 int
2174 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2175 {
2176 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2177
2178 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2179 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2180 }
2181
2182 /*
2183 * Additional device protection.
2184 *
2185 * Traditionally, a device has specific permissions on the node in
2186 * the filesystem which govern which devices can be opened by what
2187 * processes. In certain cases, it is desirable to add extra
2188 * restrictions, as writing to certain devices is identical to
2189 * having a complete run of the system.
2190 *
2191 * This mechanism is called the device policy.
2192 *
2193 * When a device is opened, its policy entry is looked up in the
2194 * policy cache and checked.
2195 */
2196 int
2197 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2198 {
2199 devplcy_t *plcy;
2200 int err;
2201 struct snode *csp = VTOS(common_specvp(vp));
2202 priv_set_t pset;
2203
2204 mutex_enter(&csp->s_lock);
2205
2206 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2207 plcy = devpolicy_find(vp);
2208 if (csp->s_plcy)
2209 dpfree(csp->s_plcy);
2210 csp->s_plcy = plcy;
2211 ASSERT(plcy != NULL);
2212 } else
2213 plcy = csp->s_plcy;
2214
2215 if (plcy == nullpolicy) {
2216 mutex_exit(&csp->s_lock);
2217 return (0);
2218 }
2219
2220 dphold(plcy);
2221
2222 mutex_exit(&csp->s_lock);
2223
2224 if (oflag & FWRITE)
2225 pset = plcy->dp_wrp;
2226 else
2227 pset = plcy->dp_rdp;
2228 /*
2229 * Special case:
2230 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2231 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2232 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2233 * in the required privilege set before doing the check.
2234 */
2235 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2236 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2237 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2238 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2239 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2240 }
2241
2242 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2243 dpfree(plcy);
2244
2245 return (err);
2246 }
2247
2248 int
2249 secpolicy_modctl(const cred_t *cr, int cmd)
2250 {
2251 switch (cmd) {
2252 case MODINFO:
2253 case MODGETMAJBIND:
2254 case MODGETPATH:
2255 case MODGETPATHLEN:
2256 case MODGETNAME:
2257 case MODGETFBNAME:
2258 case MODGETDEVPOLICY:
2259 case MODGETDEVPOLICYBYNAME:
2260 case MODDEVT2INSTANCE:
2261 case MODSIZEOF_DEVID:
2262 case MODGETDEVID:
2263 case MODSIZEOF_MINORNAME:
2264 case MODGETMINORNAME:
2265 case MODGETDEVFSPATH_LEN:
2266 case MODGETDEVFSPATH:
2267 case MODGETDEVFSPATH_MI_LEN:
2268 case MODGETDEVFSPATH_MI:
2269 /* Unprivileged */
2270 return (0);
2271 case MODLOAD:
2272 case MODSETDEVPOLICY:
2273 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2274 KLPDARG_NONE));
2275 default:
2276 return (secpolicy_sys_config(cr, B_FALSE));
2277 }
2278 }
2279
2280 int
2281 secpolicy_console(const cred_t *cr)
2282 {
2283 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2284 }
2285
2286 int
2287 secpolicy_power_mgmt(const cred_t *cr)
2288 {
2289 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2290 }
2291
2292 /*
2293 * Simulate terminal input; another escalation of privileges avenue.
2294 */
2295
2296 int
2297 secpolicy_sti(const cred_t *cr)
2298 {
2299 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2300 }
2301
2302 boolean_t
2303 secpolicy_net_reply_equal(const cred_t *cr)
2304 {
2305 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2306 }
2307
2308 int
2309 secpolicy_swapctl(const cred_t *cr)
2310 {
2311 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2312 }
2313
2314 int
2315 secpolicy_cpc_cpu(const cred_t *cr)
2316 {
2317 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2318 }
2319
2320 /*
2321 * secpolicy_contract_identity
2322 *
2323 * Determine if the subject may set the process contract FMRI value
2324 */
2325 int
2326 secpolicy_contract_identity(const cred_t *cr)
2327 {
2328 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2329 }
2330
2331 /*
2332 * secpolicy_contract_observer
2333 *
2334 * Determine if the subject may observe a specific contract's events.
2335 */
2336 int
2337 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2338 {
2339 if (contract_owned(ct, cr, B_FALSE))
2340 return (0);
2341 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2342 }
2343
2344 /*
2345 * secpolicy_contract_observer_choice
2346 *
2347 * Determine if the subject may observe any contract's events. Just
2348 * tests privilege and audits on success.
2349 */
2350 boolean_t
2351 secpolicy_contract_observer_choice(const cred_t *cr)
2352 {
2353 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2354 }
2355
2356 /*
2357 * secpolicy_contract_event
2358 *
2359 * Determine if the subject may request critical contract events or
2360 * reliable contract event delivery.
2361 */
2362 int
2363 secpolicy_contract_event(const cred_t *cr)
2364 {
2365 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2366 }
2367
2368 /*
2369 * secpolicy_contract_event_choice
2370 *
2371 * Determine if the subject may retain contract events in its critical
2372 * set when a change in other terms would normally require a change in
2373 * the critical set. Just tests privilege and audits on success.
2374 */
2375 boolean_t
2376 secpolicy_contract_event_choice(const cred_t *cr)
2377 {
2378 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2379 }
2380
2381 /*
2382 * secpolicy_gart_access
2383 *
2384 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2385 * device.
2386 */
2387 int
2388 secpolicy_gart_access(const cred_t *cr)
2389 {
2390 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2391 }
2392
2393 /*
2394 * secpolicy_gart_map
2395 *
2396 * Determine if the subject has sufficient priveleges to map aperture range
2397 * through agpgart driver.
2398 */
2399 int
2400 secpolicy_gart_map(const cred_t *cr)
2401 {
2402 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2403 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2404 NULL));
2405 } else {
2406 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2407 NULL));
2408 }
2409 }
2410
2411 /*
2412 * secpolicy_xhci
2413 *
2414 * Determine if the subject can observe and manipulate the xhci driver with a
2415 * dangerous blunt hammer. Requires all privileges.
2416 */
2417 int
2418 secpolicy_xhci(const cred_t *cr)
2419 {
2420 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2421 }
2422
2423 /*
2424 * secpolicy_zinject
2425 *
2426 * Determine if the subject can inject faults in the ZFS fault injection
2427 * framework. Requires all privileges.
2428 */
2429 int
2430 secpolicy_zinject(const cred_t *cr)
2431 {
2432 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2433 }
2434
2435 /*
2436 * secpolicy_zfs
2437 *
2438 * Determine if the subject has permission to manipulate ZFS datasets
2439 * (not pools). Equivalent to the SYS_MOUNT privilege.
2440 */
2441 int
2442 secpolicy_zfs(const cred_t *cr)
2443 {
2444 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2445 }
2446
2447 /*
2448 * secpolicy_idmap
2449 *
2450 * Determine if the calling process has permissions to register an SID
2451 * mapping daemon and allocate ephemeral IDs.
2452 */
2453 int
2454 secpolicy_idmap(const cred_t *cr)
2455 {
2456 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2457 }
2458
2459 /*
2460 * secpolicy_ucode_update
2461 *
2462 * Determine if the subject has sufficient privilege to update microcode.
2463 */
2464 int
2465 secpolicy_ucode_update(const cred_t *scr)
2466 {
2467 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2468 }
2469
2470 /*
2471 * secpolicy_sadopen
2472 *
2473 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2474 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2475 * In global zone, sys_config is required.
2476 * In exclusive-IP zones, sys_ip_config is required.
2477 * Note that sys_config is prohibited in non-global zones.
2478 */
2479 int
2480 secpolicy_sadopen(const cred_t *credp)
2481 {
2482 priv_set_t pset;
2483
2484 priv_emptyset(&pset);
2485
2486 if (crgetzoneid(credp) == GLOBAL_ZONEID)
2487 priv_addset(&pset, PRIV_SYS_CONFIG);
2488 else
2489 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2490
2491 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2492 }
2493
2494
2495 /*
2496 * Add privileges to a particular privilege set; this is called when the
2497 * current sets of privileges are not sufficient. I.e., we should always
2498 * call the policy override functions from here.
2499 * What we are allowed to have is in the Observed Permitted set; so
2500 * we compute the difference between that and the newset.
2501 */
2502 int
2503 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2504 {
2505 priv_set_t rqd;
2506
2507 rqd = CR_OPPRIV(cr);
2508
2509 priv_inverse(&rqd);
2510 priv_intersect(nset, &rqd);
2511
2512 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2513 }
2514
2515 /*
2516 * secpolicy_smb
2517 *
2518 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2519 * that it has permission to access the smbsrv kernel driver.
2520 * PRIV_POLICY checks the privilege and audits the check.
2521 *
2522 * Returns:
2523 * 0 Driver access is allowed.
2524 * EPERM Driver access is NOT permitted.
2525 */
2526 int
2527 secpolicy_smb(const cred_t *cr)
2528 {
2529 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2530 }
2531
2532 /*
2533 * secpolicy_vscan
2534 *
2535 * Determine if cred_t has the necessary privileges to access a file
2536 * for virus scanning and update its extended system attributes.
2537 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2538 * PRIV_FILE_FLAG_SET - set extended system attributes
2539 *
2540 * PRIV_POLICY checks the privilege and audits the check.
2541 *
2542 * Returns:
2543 * 0 file access for virus scanning allowed.
2544 * EPERM file access for virus scanning is NOT permitted.
2545 */
2546 int
2547 secpolicy_vscan(const cred_t *cr)
2548 {
2549 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2550 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2551 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2552 return (EPERM);
2553 }
2554
2555 return (0);
2556 }
2557
2558 /*
2559 * secpolicy_smbfs_login
2560 *
2561 * Determines if the caller can add and delete the smbfs login
2562 * password in the the nsmb kernel module for the CIFS client.
2563 *
2564 * Returns:
2565 * 0 access is allowed.
2566 * EPERM access is NOT allowed.
2567 */
2568 int
2569 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2570 {
2571 uid_t cruid = crgetruid(cr);
2572
2573 if (cruid == uid)
2574 return (0);
2575 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2576 EPERM, NULL));
2577 }
2578
2579 /*
2580 * secpolicy_xvm_control
2581 *
2582 * Determines if a caller can control the xVM hypervisor and/or running
2583 * domains (x86 specific).
2584 *
2585 * Returns:
2586 * 0 access is allowed.
2587 * EPERM access is NOT allowed.
2588 */
2589 int
2590 secpolicy_xvm_control(const cred_t *cr)
2591 {
2592 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2593 return (EPERM);
2594 return (0);
2595 }
2596
2597 /*
2598 * secpolicy_ppp_config
2599 *
2600 * Determine if the subject has sufficient privileges to configure PPP and
2601 * PPP-related devices.
2602 */
2603 int
2604 secpolicy_ppp_config(const cred_t *cr)
2605 {
2606 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2607 return (secpolicy_net_config(cr, B_FALSE));
2608 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2609 }
unleashed repo fork