module/os/linux/zfs/policy.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or https://opensource.org/licenses/CDDL-1.0.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21
  22 /*
  23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright 2013, Joyent, Inc. All rights reserved.
  25  * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
  26  *
  27  * For Linux the vast majority of this enforcement is already handled via
  28  * the standard Linux VFS permission checks.  However certain administrative
  29  * commands which bypass the standard mechanisms may need to make use of
  30  * this functionality.
  31  */
  32
  33 #include <sys/policy.h>
  34 #include <linux/security.h>
  35 #include <linux/vfs_compat.h>
  36
  37 /*
  38  * The passed credentials cannot be directly verified because Linux only
  39  * provides and interface to check the *current* process credentials.  In
  40  * order to handle this the capable() test is only run when the passed
  41  * credentials match the current process credentials or the kcred.  In
  42  * all other cases this function must fail and return the passed err.
  43  */
  44 static int
  45 priv_policy_ns(const cred_t *cr, int capability, int err,
  46     struct user_namespace *ns)
  47 {
  48         if (cr != CRED() && (cr != kcred))
  49                 return (err);
  50
  51 #if defined(CONFIG_USER_NS)
  52         if (!(ns ? ns_capable(ns, capability) : capable(capability)))
  53 #else
  54         if (!capable(capability))
  55 #endif
  56                 return (err);
  57
  58         return (0);
  59 }
  60
  61 static int
  62 priv_policy(const cred_t *cr, int capability, int err)
  63 {
  64         return (priv_policy_ns(cr, capability, err, cr->user_ns));
  65 }
  66
  67 static int
  68 priv_policy_user(const cred_t *cr, int capability, int err)
  69 {
  70         /*
  71          * All priv_policy_user checks are preceded by kuid/kgid_has_mapping()
  72          * checks. If we cannot do them, we shouldn't be using ns_capable()
  73          * since we don't know whether the affected files are valid in our
  74          * namespace.
  75          */
  76 #if defined(CONFIG_USER_NS)
  77         return (priv_policy_ns(cr, capability, err, cr->user_ns));
  78 #else
  79         return (priv_policy_ns(cr, capability, err, NULL));
  80 #endif
  81 }
  82
  83 /*
  84  * Checks for operations that are either client-only or are used by
  85  * both clients and servers.
  86  */
  87 int
  88 secpolicy_nfs(const cred_t *cr)
  89 {
  90         return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
  91 }
  92
  93 /*
  94  * Catch all system configuration.
  95  */
  96 int
  97 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
  98 {
  99         return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
 100 }
 101
 102 /*
 103  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 104  * current mode of the file, not the missing bits.
 105  *
 106  * Enforced in the Linux VFS.
 107  */
 108 int
 109 secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
 110     mode_t curmode, mode_t wantmode)
 111 {
 112         return (0);
 113 }
 114
 115 /*
 116  * This is a special routine for ZFS; it is used to determine whether
 117  * any of the privileges in effect allow any form of access to the
 118  * file.  There's no reason to audit this or any reason to record
 119  * this.  More work is needed to do the "KPLD" stuff.
 120  */
 121 int
 122 secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
 123 {
 124         if (crgetuid(cr) == owner)
 125                 return (0);
 126
 127         if (zpl_inode_owner_or_capable(zfs_init_idmap, ip))
 128                 return (0);
 129
 130 #if defined(CONFIG_USER_NS)
 131         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 132                 return (EPERM);
 133 #endif
 134
 135         if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0)
 136                 return (0);
 137
 138         if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0)
 139                 return (0);
 140
 141         return (EPERM);
 142 }
 143
 144 /*
 145  * Determine if subject can chown owner of a file.
 146  */
 147 int
 148 secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
 149 {
 150         if (crgetuid(cr) == owner)
 151                 return (0);
 152
 153 #if defined(CONFIG_USER_NS)
 154         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 155                 return (EPERM);
 156 #endif
 157
 158         return (priv_policy_user(cr, CAP_FOWNER, EPERM));
 159 }
 160
 161 /*
 162  * Determine if subject can change group ownership of a file.
 163  */
 164 int
 165 secpolicy_vnode_create_gid(const cred_t *cr)
 166 {
 167         return (priv_policy(cr, CAP_SETGID, EPERM));
 168 }
 169
 170 /*
 171  * Policy determines whether we can remove an entry from a directory,
 172  * regardless of permission bits.
 173  */
 174 int
 175 secpolicy_vnode_remove(const cred_t *cr)
 176 {
 177         return (priv_policy(cr, CAP_FOWNER, EPERM));
 178 }
 179
 180 /*
 181  * Determine that subject can modify the mode of a file.  allzone privilege
 182  * needed when modifying root owned object.
 183  */
 184 int
 185 secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
 186 {
 187         if (crgetuid(cr) == owner)
 188                 return (0);
 189
 190 #if defined(CONFIG_USER_NS)
 191         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 192                 return (EPERM);
 193 #endif
 194
 195         return (priv_policy_user(cr, CAP_FOWNER, EPERM));
 196 }
 197
 198 /*
 199  * Are we allowed to retain the set-uid/set-gid bits when
 200  * changing ownership or when writing to a file?
 201  * "issuid" should be true when set-uid; only in that case
 202  * root ownership is checked (setgid is assumed).
 203  *
 204  * Enforced in the Linux VFS.
 205  */
 206 int
 207 secpolicy_vnode_setid_retain(struct znode *zp __maybe_unused, const cred_t *cr,
 208     boolean_t issuidroot)
 209 {
 210         return (priv_policy_user(cr, CAP_FSETID, EPERM));
 211 }
 212
 213 /*
 214  * Determine that subject can set the file setgid flag.
 215  */
 216 int
 217 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid, zidmap_t *mnt_ns,
 218     struct user_namespace *fs_ns)
 219 {
 220         gid = zfs_gid_to_vfsgid(mnt_ns, fs_ns, gid);
 221 #if defined(CONFIG_USER_NS)
 222         if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
 223                 return (EPERM);
 224 #endif
 225         if (crgetgid(cr) != gid && !groupmember(gid, cr))
 226                 return (priv_policy_user(cr, CAP_FSETID, EPERM));
 227
 228         return (0);
 229 }
 230
 231 /*
 232  * Determine if the subject can inject faults in the ZFS fault injection
 233  * framework.  Requires all privileges.
 234  */
 235 int
 236 secpolicy_zinject(const cred_t *cr)
 237 {
 238         return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
 239 }
 240
 241 /*
 242  * Determine if the subject has permission to manipulate ZFS datasets
 243  * (not pools).  Equivalent to the SYS_MOUNT privilege.
 244  */
 245 int
 246 secpolicy_zfs(const cred_t *cr)
 247 {
 248         return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
 249 }
 250
 251 /*
 252  * Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
 253  * the current process.  Takes both cred_t and proc_t so that this can work
 254  * easily on all platforms.
 255  */
 256 int
 257 secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
 258 {
 259         if (!has_capability(proc, CAP_SYS_ADMIN))
 260                 return (EACCES);
 261         return (0);
 262 }
 263
 264 void
 265 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
 266 {
 267         if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
 268             secpolicy_vnode_setid_retain(NULL, cr,
 269             (vap->va_mode & S_ISUID) != 0 &&
 270             (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
 271                 vap->va_mask |= AT_MODE;
 272                 vap->va_mode &= ~(S_ISUID|S_ISGID);
 273         }
 274 }
 275
 276 /*
 277  * Determine that subject can set the file setid flags.
 278  */
 279 static int
 280 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner, zidmap_t *mnt_ns,
 281     struct user_namespace *fs_ns)
 282 {
 283         owner = zfs_uid_to_vfsuid(mnt_ns, fs_ns, owner);
 284
 285         if (crgetuid(cr) == owner)
 286                 return (0);
 287
 288 #if defined(CONFIG_USER_NS)
 289         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 290                 return (EPERM);
 291 #endif
 292
 293         return (priv_policy_user(cr, CAP_FSETID, EPERM));
 294 }
 295
 296 /*
 297  * Determine that subject can make a file a "sticky".
 298  *
 299  * Enforced in the Linux VFS.
 300  */
 301 static int
 302 secpolicy_vnode_stky_modify(const cred_t *cr)
 303 {
 304         return (0);
 305 }
 306
 307 int
 308 secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
 309     const vattr_t *ovap, cred_t *cr, zidmap_t *mnt_ns,
 310     struct user_namespace *fs_ns)
 311 {
 312         int error;
 313
 314         if ((vap->va_mode & S_ISUID) != 0 &&
 315             (error = secpolicy_vnode_setid_modify(cr,
 316             ovap->va_uid, mnt_ns, fs_ns)) != 0) {
 317                 return (error);
 318         }
 319
 320         /*
 321          * Check privilege if attempting to set the
 322          * sticky bit on a non-directory.
 323          */
 324         if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
 325             secpolicy_vnode_stky_modify(cr) != 0) {
 326                 vap->va_mode &= ~S_ISVTX;
 327         }
 328
 329         /*
 330          * Check for privilege if attempting to set the
 331          * group-id bit.
 332          */
 333         if ((vap->va_mode & S_ISGID) != 0 &&
 334             secpolicy_vnode_setids_setgids(cr, ovap->va_gid,
 335             mnt_ns, fs_ns) != 0) {
 336                 vap->va_mode &= ~S_ISGID;
 337         }
 338
 339         return (0);
 340 }
 341
 342 /*
 343  * Check privileges for setting xvattr attributes
 344  */
 345 int
 346 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, mode_t type)
 347 {
 348         return (secpolicy_vnode_chown(cr, owner));
 349 }
 350
 351 /*
 352  * Check privileges for setattr attributes.
 353  *
 354  * Enforced in the Linux VFS.
 355  */
 356 int
 357 secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
 358     const struct vattr *ovap, int flags,
 359     int unlocked_access(void *, int, cred_t *), void *node)
 360 {
 361         return (0);
 362 }
 363
 364 /*
 365  * Check privileges for links.
 366  *
 367  * Enforced in the Linux VFS.
 368  */
 369 int
 370 secpolicy_basic_link(const cred_t *cr)
 371 {
 372         return (0);
 373 }