8322 nl: misleading-indentation

[unleashed/tickless.git] / usr / src / uts / common / os / priv_defs

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2015, Joyent, Inc. All rights reserved.
 *
INSERT COMMENT
 */

#
# Privileges can be added to this file at any location, not
# necessarily at the end.  For patches, it is probably best to
# add the new privilege at the end; for ordinary releases privileges
# should be ordered alphabetically.
#

privilege PRIV_CONTRACT_EVENT

        Allows a process to request critical events without limitation.
        Allows a process to request reliable delivery of all events on
        any event queue.

privilege PRIV_CONTRACT_IDENTITY

        Allows a process to set the service FMRI value of a process
        contract template.

privilege PRIV_CONTRACT_OBSERVER

        Allows a process to observe contract events generated by
        contracts created and owned by users other than the process's
        effective user ID.
        Allows a process to open contract event endpoints belonging to
        contracts created and owned by users other than the process's
        effective user ID.

privilege PRIV_CPC_CPU

        Allow a process to access per-CPU hardware performance counters.

privilege PRIV_DTRACE_KERNEL

        Allows DTrace kernel-level tracing.

privilege PRIV_DTRACE_PROC

        Allows DTrace process-level tracing.
        Allows process-level tracing probes to be placed and enabled in
        processes to which the user has permissions.

privilege PRIV_DTRACE_USER

        Allows DTrace user-level tracing.
        Allows use of the syscall and profile DTrace providers to
        examine processes to which the user has permissions.

privilege PRIV_FILE_CHOWN

        Allows a process to change a file's owner user ID.
        Allows a process to change a file's group ID to one other than
        the process' effective group ID or one of the process'
        supplemental group IDs.

privilege PRIV_FILE_CHOWN_SELF

        Allows a process to give away its files; a process with this
        privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
        in effect.

privilege PRIV_FILE_DAC_EXECUTE

        Allows a process to execute an executable file whose permission
        bits or ACL do not allow the process execute permission.

privilege PRIV_FILE_DAC_READ

        Allows a process to read a file or directory whose permission
        bits or ACL do not allow the process read permission.

privilege PRIV_FILE_DAC_SEARCH

        Allows a process to search a directory whose permission bits or
        ACL do not allow the process search permission.

privilege PRIV_FILE_DAC_WRITE

        Allows a process to write a file or directory whose permission
        bits or ACL do not allow the process write permission.
        In order to write files owned by uid 0 in the absence of an
        effective uid of 0 ALL privileges are required.

privilege PRIV_FILE_DOWNGRADE_SL

        Allows a process to set the sensitivity label of a file or
        directory to a sensitivity label that does not dominate the
        existing sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_FILE_FLAG_SET

        Allows a process to set immutable, nounlink or appendonly
        file attributes.

basic privilege PRIV_FILE_LINK_ANY

        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.

privilege PRIV_FILE_OWNER

        Allows a process which is not the owner of a file or directory
        to perform the following operations that are normally permitted
        only for the file owner: modify that file's access and
        modification times; remove or rename a file or directory whose
        parent directory has the ``save text image after execution''
        (sticky) bit set; mount a ``namefs'' upon a file; modify
        permission bits or ACL except for the set-uid and set-gid
        bits.

basic privilege PRIV_FILE_READ

        Allows a process to read objects in the filesystem.

privilege PRIV_FILE_SETID

        Allows a process to change the ownership of a file or write to
        a file without the set-user-ID and set-group-ID bits being
        cleared.
        Allows a process to set the set-group-ID bit on a file or
        directory whose group is not the process' effective group or
        one of the process' supplemental groups.
        Allows a process to set the set-user-ID bit on a file with
        different ownership in the presence of PRIV_FILE_OWNER.
        Additional restrictions apply when creating or modifying a
        set-uid 0 file.

privilege PRIV_FILE_UPGRADE_SL

        Allows a process to set the sensitivity label of a file or
        directory to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

basic privilege PRIV_FILE_WRITE

        Allows a process to modify objects in the filesystem.

privilege PRIV_GRAPHICS_ACCESS

        Allows a process to make privileged ioctls to graphics devices.
        Typically only xserver process needs to have this privilege.
        A process with this privilege is also allowed to perform
        privileged graphics device mappings.

privilege PRIV_GRAPHICS_MAP

        Allows a process to perform privileged mappings through a
        graphics device.

privilege PRIV_IPC_DAC_READ

        Allows a process to read a System V IPC
        Message Queue, Semaphore Set, or Shared Memory Segment whose
        permission bits do not allow the process read permission.
        Allows a process to read remote shared memory whose
        permission bits do not allow the process read permission.

privilege PRIV_IPC_DAC_WRITE

        Allows a process to write a System V IPC
        Message Queue, Semaphore Set, or Shared Memory Segment whose
        permission bits do not allow the process write permission.
        Allows a process to read remote shared memory whose
        permission bits do not allow the process write permission.
        Additional restrictions apply if the owner of the object has uid 0
        and the effective uid of the current process is not 0.

privilege PRIV_IPC_OWNER

        Allows a process which is not the owner of a System
        V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
        remove, change ownership of, or change permission bits of the
        Message Queue, Semaphore Set, or Shared Memory Segment.
        Additional restrictions apply if the owner of the object has uid 0
        and the effective uid of the current process is not 0.

basic privilege PRIV_NET_ACCESS

        Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.

privilege PRIV_NET_BINDMLP

        Allow a process to bind to a port that is configured as a
        multi-level port(MLP) for the process's zone. This privilege
        applies to both shared address and zone-specific address MLPs.
        See tnzonecfg(4) from the Trusted Extensions manual pages for
        information on configuring MLP ports.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_NET_ICMPACCESS

        Allows a process to send and receive ICMP packets.

privilege PRIV_NET_MAC_AWARE

        Allows a process to set NET_MAC_AWARE process flag by using
        setpflags(2). This privilege also allows a process to set
        SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
        The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
        option both allow a local process to communicate with an
        unlabeled peer if the local process' label dominates the
        peer's default label, or if the local process runs in the
        global zone.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_NET_MAC_IMPLICIT

        Allows a process to set SO_MAC_IMPLICIT option by using 
        setsockopt(3SOCKET).  This allows a privileged process to 
        transmit implicitly-labeled packets to a peer.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_NET_OBSERVABILITY

        Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
        while not requiring them to need PRIV_NET_RAWACCESS.

privilege PRIV_NET_PRIVADDR

        Allows a process to bind to a privileged port
        number. The privilege port numbers are 1-1023 (the traditional
        UNIX privileged ports) as well as those ports marked as
        "udp/tcp_extra_priv_ports" with the exception of the ports
        reserved for use by NFS.

privilege PRIV_NET_RAWACCESS

        Allows a process to have direct access to the network layer.

unsafe privilege PRIV_PROC_AUDIT

        Allows a process to generate audit records.
        Allows a process to get its own audit pre-selection information.

privilege PRIV_PROC_CHROOT

        Allows a process to change its root directory.

privilege PRIV_PROC_CLOCK_HIGHRES

        Allows a process to use high resolution timers.

basic privilege PRIV_PROC_EXEC

        Allows a process to call execve().

basic privilege PRIV_PROC_FORK

        Allows a process to call fork1()/forkall()/vfork()

basic privilege PRIV_PROC_INFO

        Allows a process to examine the status of processes other
        than those it can send signals to.  Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.

privilege PRIV_PROC_LOCK_MEMORY

        Allows a process to lock pages in physical memory.

privilege PRIV_PROC_MEMINFO

        Allows a process to access physical memory information.

privilege PRIV_PROC_OWNER

        Allows a process to send signals to other processes, inspect
        and modify process state to other processes regardless of
        ownership.  When modifying another process, additional
        restrictions apply:  the effective privilege set of the
        attaching process must be a superset of the target process'
        effective, permitted and inheritable sets; the limit set must
        be a superset of the target's limit set; if the target process
        has any uid set to 0 all privilege must be asserted unless the
        effective uid is 0.
        Allows a process to bind arbitrary processes to CPUs.

privilege PRIV_PROC_PRIOUP

        Allows a process to elevate its priority above its current level.

privilege PRIV_PROC_PRIOCNTL

        Allows all that PRIV_PROC_PRIOUP allows.
        Allows a process to change its scheduling class to any scheduling class,
        including the RT class.

basic privilege PRIV_PROC_SECFLAGS

        Allows a process to manipulate the secflags of processes (subject to,
        additionally, the ability to signal that process)

basic privilege PRIV_PROC_SESSION

        Allows a process to send signals or trace processes outside its
        session.

unsafe privilege PRIV_PROC_SETID

        Allows a process to set its uids at will.
        Assuming uid 0 requires all privileges to be asserted.

privilege PRIV_PROC_TASKID

        Allows a process to assign a new task ID to the calling process.

privilege PRIV_PROC_ZONE

        Allows a process to trace or send signals to processes in
        other zones.

privilege PRIV_SYS_ACCT

        Allows a process to enable and disable and manage accounting through
        acct(2), getacct(2), putacct(2) and wracct(2).

privilege PRIV_SYS_ADMIN

        Allows a process to perform system administration tasks such
        as setting node and domain name and specifying nscd and coreadm
        settings.

privilege PRIV_SYS_AUDIT

        Allows a process to start the (kernel) audit daemon.
        Allows a process to view and set audit state (audit user ID,
        audit terminal ID, audit sessions ID, audit pre-selection mask).
        Allows a process to turn off and on auditing.
        Allows a process to configure the audit parameters (cache and
        queue sizes, event to class mappings, policy options).

privilege PRIV_SYS_CONFIG

        Allows a process to perform various system configuration tasks.
        Allows a process to add and remove swap devices; when adding a swap
        device, a process must also have sufficient privileges to read from
        and write to the swap device.

privilege PRIV_SYS_DEVICES

        Allows a process to successfully call a kernel module that
        calls the kernel drv_priv(9F) function to check for allowed
        access.
        Allows a process to open the real console device directly.
        Allows a process to open devices that have been exclusively opened.

privilege PRIV_SYS_IPC_CONFIG

        Allows a process to increase the size of a System V IPC Message
        Queue buffer.

privilege PRIV_SYS_LINKDIR

        Allows a process to unlink and link directories.

privilege PRIV_SYS_MOUNT

        Allows filesystem specific administrative procedures, such as
        filesystem configuration ioctls, quota calls and creation/deletion
        of snapshots.
        Allows a process to mount and unmount filesystems which would
        otherwise be restricted (i.e., most filesystems except
        namefs).
        A process performing a mount operation needs to have
        appropriate access to the device being mounted (read-write for
        "rw" mounts, read for "ro" mounts).
        A process performing any of the aforementioned
        filesystem operations needs to have read/write/owner
        access to the mount point.
        Only regular files and directories can serve as mount points
        for processes which do not have all zone privileges asserted.
        Unless a process has all zone privileges, the mount(2)
        system call will force the "nosuid" and "restrict" options, the
        latter only for autofs mountpoints.
        Regardless of privileges, a process running in a non-global zone may
        only control mounts performed from within said zone.
        Outside the global zone, the "nodevices" option is always forced.

privilege PRIV_SYS_IPTUN_CONFIG

        Allows a process to configure IP tunnel links.

privilege PRIV_SYS_DL_CONFIG

        Allows a process to configure all classes of datalinks, including
        configuration allowed by PRIV_SYS_IPTUN_CONFIG.

privilege PRIV_SYS_IP_CONFIG

        Allows a process to configure a system's IP interfaces and routes.
        Allows a process to configure network parameters using ndd.
        Allows a process access to otherwise restricted information using ndd.
        Allows a process to configure IPsec.
        Allows a process to pop anchored STREAMs modules with matching zoneid.

privilege PRIV_SYS_NET_CONFIG

        Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
        PRIV_SYS_PPP_CONFIG allow.
        Allows a process to push the rpcmod STREAMs module.
        Allows a process to INSERT/REMOVE STREAMs modules on locations other
        than the top of the module stack.

privilege PRIV_SYS_NFS

        Allows a process to perform Sun private NFS specific system calls.
        Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
        and port 4045 (lockd).

privilege PRIV_SYS_PPP_CONFIG

        Allows a process to create and destroy PPP (sppp) interfaces.
        Allows a process to configure PPP tunnels (sppptun).

privilege PRIV_SYS_RES_BIND

        Allows a process to bind processes to processor sets.

privilege PRIV_SYS_RES_CONFIG

        Allows all that PRIV_SYS_RES_BIND allows.
        Allows a process to create and delete processor sets, assign
        CPUs to processor sets and override the PSET_NOESCAPE property.
        Allows a process to change the operational status of CPUs in
        the system using p_online(2).
        Allows a process to configure resource pools and to bind
        processes to pools

unsafe privilege PRIV_SYS_RESOURCE

        Allows a process to modify the resource limits specified
        by setrlimit(2) and setrctl(2) without restriction.
        Allows a process to exceed the per-user maximum number of
        processes.
        Allows a process to extend or create files on a filesystem that
        has less than minfree space in reserve.

privilege PRIV_SYS_SMB

        Allows a process to access the Sun private SMB kernel module.
        Allows a process to bind to ports reserved by NetBIOS and SMB:
        ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
        Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).

privilege PRIV_SYS_SUSER_COMPAT

        Allows a process to successfully call a third party loadable module
        that calls the kernel suser() function to check for allowed access.
        This privilege exists only for third party loadable module
        compatibility and is not used by Solaris proper.

privilege PRIV_SYS_TIME

        Allows a process to manipulate system time using any of the
        appropriate system calls: stime, adjtime, ntp_adjtime and
        the IA specific RTC calls.

privilege PRIV_SYS_TRANS_LABEL

        Allows a process to translate labels that are not dominated
        by the process' sensitivity label to and from an external
        string form.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_VIRT_MANAGE

        Allows a process to manage virtualized environments such as
        xVM(5).

privilege PRIV_WIN_COLORMAP

        Allows a process to override colormap restrictions.
        Allows a process to install or remove colormaps.
        Allows a process to retrieve colormap cell entries allocated
        by other processes.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_CONFIG

        Allows a process to configure or destroy resources that are
        permanently retained by the X server.
        Allows a process to use SetScreenSaver to set the screen
        saver timeout value.
        Allows a process to use ChangeHosts to modify the display
        access control list.
        Allows a process to use GrabServer.
        Allows a process to use the SetCloseDownMode request which
        may retain window, pixmap, colormap, property, cursor, font,
        or graphic context resources.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DAC_READ

        Allows a process to read from a window resource that it does
        not own (has a different user ID).
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DAC_WRITE

        Allows a process to write to or create a window resource that
        it does not own (has a different user ID). A newly created
        window property is created with the window's user ID.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DEVICES

        Allows a process to perform operations on window input devices.
        Allows a process to get and set keyboard and pointer controls.
        Allows a process to modify pointer button and key mappings.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DGA

        Allows a process to use the direct graphics access (DGA) X protocol
        extensions. Direct process access to the frame buffer is still
        required. Thus the process must have MAC and DAC privileges that
        allow access to the frame buffer, or the frame buffer must be
        allocated to the process.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_DOWNGRADE_SL

        Allows a process to set the sensitivity label of a window resource
        to a sensitivity label that does not dominate the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_FONTPATH

        Allows a process to set a font path.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_MAC_READ

        Allows a process to read from a window resource whose sensitivity
        label is not equal to the process sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_MAC_WRITE

        Allows a process to create a window resource whose sensitivity
        label is not equal to the process sensitivity label.
        A newly created window property is created with the window's
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_SELECTION

        Allows a process to request inter-window data moves without the
        intervention of the selection confirmer.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_WIN_UPGRADE_SL

        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

privilege PRIV_XVM_CONTROL

        Allows a process access to the xVM(5) control devices for
        managing guest domains and the hypervisor. This privilege is
        used only if booted into xVM on x86 platforms.

set PRIV_EFFECTIVE

        Set of privileges currently in effect.

set PRIV_INHERITABLE

        Set of privileges that comes into effect on exec.

set PRIV_PERMITTED

        Set of privileges that can be put into the effective set without
        restriction.

set PRIV_LIMIT

        Set of privileges that determines the absolute upper bound of
        privileges this process and its off-spring can obtain.