1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/cred_impl.h> 34 #include <sys/vnode.h> 35 #include <sys/vfs.h> 36 #include <sys/stat.h> 37 #include <sys/errno.h> 38 #include <sys/kmem.h> 39 #include <sys/user.h> 40 #include <sys/proc.h> 41 #include <sys/acct.h> 42 #include <sys/ipc_impl.h> 43 #include <sys/syscall.h> 44 #include <sys/cmn_err.h> 45 #include <sys/debug.h> 46 #include <sys/policy.h> 47 #include <sys/kobj.h> 48 #include <sys/msg.h> 49 #include <sys/devpolicy.h> 50 #include <c2/audit.h> 51 #include <sys/varargs.h> 52 #include <sys/modctl.h> 53 #include <sys/disp.h> 54 #include <sys/zone.h> 55 #include <inet/common.h> 56 #include <inet/optcom.h> 57 #include <sys/sdt.h> 58 #include <sys/mount.h> 59 #include <sys/vfs.h> 60 #include <sys/mntent.h> 61 #include <sys/contract_impl.h> 62 63 #include <sys/sunddi.h> 64 65 /* 66 * There are two possible layers of privilege routines and two possible 67 * levels of secpolicy. Plus one other we may not be interested in, so 68 * we may need as many as 6 but no more. 69 */ 70 #define MAXPRIVSTACK 6 71 72 int priv_debug = 0; 73 74 /* 75 * This file contains the majority of the policy routines. 76 * Since the policy routines are defined by function and not 77 * by privilege, there is quite a bit of duplication of 78 * functions. 79 * 80 * The secpolicy functions must not make asssumptions about 81 * locks held or not held as any lock can be held while they're 82 * being called. 83 * 84 * Credentials are read-only so no special precautions need to 85 * be taken while locking them. 86 * 87 * When a new policy check needs to be added to the system the 88 * following procedure should be followed: 89 * 90 * Pick an appropriate secpolicy_*() function 91 * -> done if one exists. 92 * Create a new secpolicy function, preferably with 93 * a descriptive name using the standard template. 94 * Pick an appropriate privilege for the policy. 95 * If no appropraite privilege exists, define new one 96 * (this should be done with extreme care; in most cases 97 * little is gained by adding another privilege) 98 * 99 * WHY ROOT IS STILL SPECIAL. 100 * 101 * In a number of the policy functions, there are still explicit 102 * checks for uid 0. The rationale behind these is that many root 103 * owned files/objects hold configuration information which can give full 104 * privileges to the user once written to. To prevent escalation 105 * of privilege by allowing just a single privilege to modify root owned 106 * objects, we've added these root specific checks where we considered 107 * them necessary: modifying root owned files, changing uids to 0, etc. 108 * 109 * PRIVILEGE ESCALATION AND ZONES. 110 * 111 * A number of operations potentially allow the caller to achieve 112 * privileges beyond the ones normally required to perform the operation. 113 * For example, if allowed to create a setuid 0 executable, a process can 114 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place 115 * restrictions on the ability to gain privileges beyond those available 116 * within the zone through file and process manipulation. Hence, such 117 * operations require that the caller have an effective set that includes 118 * all privileges available within the current zone, or all privileges 119 * if executing in the global zone. 120 * 121 * This is indicated in the priv_policy* policy checking functions 122 * through a combination of parameters. The "priv" parameter indicates 123 * the privilege that is required, and the "allzone" parameter indicates 124 * whether or not all privileges in the zone are required. In addition, 125 * priv can be set to PRIV_ALL to indicate that all privileges are 126 * required (regardless of zone). There are three scenarios of interest: 127 * (1) operation requires a specific privilege 128 * (2) operation requires a specific privilege, and requires all 129 * privileges available within the zone (or all privileges if in 130 * the global zone) 131 * (3) operation requires all privileges, regardless of zone 132 * 133 * For (1), priv should be set to the specific privilege, and allzone 134 * should be set to B_FALSE. 135 * For (2), priv should be set to the specific privilege, and allzone 136 * should be set to B_TRUE. 137 * For (3), priv should be set to PRIV_ALL, and allzone should be set 138 * to B_FALSE. 139 * 140 */ 141 142 /* 143 * The privileges are checked against the Effective set for 144 * ordinary processes and checked against the Limit set 145 * for euid 0 processes that haven't manipulated their privilege 146 * sets. 147 */ 148 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr)) 149 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset) 150 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr)) 151 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \ 152 HAS_ALLPRIVS(cr) : \ 153 PRIV_ISASSERT(&CR_OEPRIV(cr), pr)) 154 155 /* 156 * Policy checking functions 157 * 158 * In future, these will migrate to several files when policy 159 * becomes more or less pluggable. 160 * 161 * For now, there's only one policy and this is it. 162 */ 163 164 /* 165 * Generic policy calls 166 * 167 * The "bottom" functions of policy control 168 */ 169 170 static char * 171 mprintf(const char *fmt, ...) 172 { 173 va_list args; 174 char *buf; 175 size_t len; 176 177 va_start(args, fmt); 178 len = vsnprintf(NULL, 0, fmt, args) + 1; 179 va_end(args); 180 181 buf = kmem_alloc(len, KM_NOSLEEP); 182 183 if (buf == NULL) 184 return (NULL); 185 186 va_start(args, fmt); 187 (void) vsnprintf(buf, len, fmt, args); 188 va_end(args); 189 190 return (buf); 191 } 192 193 /* 194 * priv_policy_errmsg() 195 * 196 * Generate an error message if privilege debugging is enabled system wide 197 * or for this particular process. 198 */ 199 200 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)" 201 #define FMTMSG " for \"%s\"" 202 #define FMTFUN " needed at %s+0x%lx" 203 204 /* The maximum size privilege format: the concatenation of the above */ 205 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n" 206 207 static void 208 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg) 209 { 210 struct proc *me; 211 pc_t stack[MAXPRIVSTACK]; 212 int depth; 213 int i; 214 char *sym; 215 ulong_t off; 216 const char *pname; 217 218 char *cmd; 219 char fmt[sizeof (FMTMAX)]; 220 221 if ((me = curproc) == &p0) 222 return; 223 224 /* Privileges must be defined */ 225 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE || 226 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL || 227 priv_getbynum(priv) != NULL); 228 229 if (priv == PRIV_ALLZONE && INGLOBALZONE(me)) 230 priv = PRIV_ALL; 231 232 if (curthread->t_pre_sys) 233 ttolwp(curthread)->lwp_badpriv = (short)priv; 234 235 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0) 236 return; 237 238 (void) strcpy(fmt, FMTHDR); 239 240 if (me->p_user.u_comm[0]) 241 cmd = &me->p_user.u_comm[0]; 242 else 243 cmd = "priv_policy"; 244 245 if (msg != NULL && *msg != '\0') { 246 (void) strcat(fmt, FMTMSG); 247 } else { 248 (void) strcat(fmt, "%s"); 249 msg = ""; 250 } 251 252 sym = NULL; 253 254 depth = getpcstack(stack, MAXPRIVSTACK); 255 256 /* 257 * Try to find the first interesting function on the stack. 258 * priv_policy* that's us, so completely uninteresting. 259 * suser(), drv_priv(), secpolicy_* are also called from 260 * too many locations to convey useful information. 261 */ 262 for (i = 0; i < depth; i++) { 263 sym = kobj_getsymname((uintptr_t)stack[i], &off); 264 if (sym != NULL && 265 strstr(sym, "hasprocperm") == 0 && 266 strcmp("suser", sym) != 0 && 267 strcmp("ipcaccess", sym) != 0 && 268 strcmp("drv_priv", sym) != 0 && 269 strncmp("secpolicy_", sym, 10) != 0 && 270 strncmp("priv_policy", sym, 11) != 0) 271 break; 272 } 273 274 if (sym != NULL) 275 (void) strcat(fmt, FMTFUN); 276 277 (void) strcat(fmt, "\n"); 278 279 switch (priv) { 280 case PRIV_ALL: 281 pname = "ALL"; 282 break; 283 case PRIV_MULTIPLE: 284 pname = "MULTIPLE"; 285 break; 286 case PRIV_ALLZONE: 287 pname = "ZONE"; 288 break; 289 case PRIV_GLOBAL: 290 pname = "GLOBAL"; 291 break; 292 default: 293 pname = priv_getbynum(priv); 294 break; 295 } 296 297 if (CR_FLAGS(cr) & PRIV_DEBUG) { 298 /* Remember last message, just like lwp_badpriv. */ 299 if (curthread->t_pdmsg != NULL) { 300 kmem_free(curthread->t_pdmsg, 301 strlen(curthread->t_pdmsg) + 1); 302 } 303 304 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname, 305 cr->cr_uid, curthread->t_sysnum, msg, sym, off); 306 307 curthread->t_post_sys = 1; 308 } else { 309 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid, 310 curthread->t_sysnum, msg, sym, off); 311 } 312 } 313 314 /* 315 * Audit failure, log error message. 316 */ 317 static void 318 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg) 319 { 320 321 #ifdef C2_AUDIT 322 if (audit_active) 323 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0); 324 #endif 325 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 326 327 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 328 curthread->t_pre_sys) { 329 if (allzone && !HAS_ALLZONEPRIVS(cr)) { 330 priv_policy_errmsg(cr, PRIV_ALLZONE, msg); 331 } else { 332 ASSERT(!HAS_PRIVILEGE(cr, priv)); 333 priv_policy_errmsg(cr, priv, msg); 334 } 335 } 336 } 337 338 /* 339 * priv_policy() 340 * return 0 or error. 341 * See block comment above for a description of "priv" and "allzone" usage. 342 */ 343 int 344 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err, 345 const char *msg) 346 { 347 if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) { 348 if ((allzone || priv == PRIV_ALL || 349 !PRIV_ISASSERT(priv_basic, priv)) && 350 !servicing_interrupt()) { 351 u.u_acflag |= ASU; /* Needed for SVVS */ 352 #ifdef C2_AUDIT 353 if (audit_active) 354 audit_priv(priv, 355 allzone ? ZONEPRIVS(cr) : NULL, 1); 356 #endif 357 } 358 err = 0; 359 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 360 } else if (!servicing_interrupt()) { 361 /* Failure audited in this procedure */ 362 priv_policy_err(cr, priv, allzone, msg); 363 } 364 365 return (err); 366 } 367 368 /* 369 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges. 370 */ 371 boolean_t 372 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone) 373 { 374 boolean_t res = HAS_PRIVILEGE(cr, priv) && 375 (!allzone || HAS_ALLZONEPRIVS(cr)); 376 377 #ifdef C2_AUDIT 378 /* Audit success only */ 379 if (res && audit_active && 380 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) && 381 !servicing_interrupt()) { 382 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1); 383 } 384 #endif 385 if (res) { 386 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 387 } else { 388 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 389 } 390 return (res); 391 } 392 393 /* 394 * Non-auditing variant of priv_policy_choice(). 395 */ 396 boolean_t 397 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone) 398 { 399 boolean_t res = HAS_PRIVILEGE(cr, priv) && 400 (!allzone || HAS_ALLZONEPRIVS(cr)); 401 402 if (res) { 403 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone); 404 } else { 405 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone); 406 } 407 return (res); 408 } 409 410 /* 411 * Check whether all privileges in the required set are present. 412 */ 413 static int 414 secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg) 415 { 416 int priv; 417 int pfound = -1; 418 priv_set_t pset; 419 420 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req, 421 &CR_OEPRIV(cr))) { 422 return (0); 423 } 424 425 if (req == PRIV_FULLSET || priv_isfullset(req)) { 426 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg); 427 return (EACCES); 428 } 429 430 pset = CR_OEPRIV(cr); /* present privileges */ 431 priv_inverse(&pset); /* all non present privileges */ 432 priv_intersect(req, &pset); /* the actual missing privs */ 433 434 #ifdef C2_AUDIT 435 if (audit_active) 436 audit_priv(PRIV_NONE, &pset, 0); 437 #endif 438 /* 439 * Privilege debugging; special case "one privilege in set". 440 */ 441 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) { 442 for (priv = 0; priv < nprivs; priv++) { 443 if (priv_ismember(&pset, priv)) { 444 if (pfound != -1) { 445 /* Multiple missing privs */ 446 priv_policy_errmsg(cr, PRIV_MULTIPLE, 447 msg); 448 return (EACCES); 449 } 450 pfound = priv; 451 } 452 } 453 ASSERT(pfound != -1); 454 /* Just the one missing privilege */ 455 priv_policy_errmsg(cr, pfound, msg); 456 } 457 458 return (EACCES); 459 } 460 461 /* 462 * Called when an operation requires that the caller be in the 463 * global zone, regardless of privilege. 464 */ 465 static int 466 priv_policy_global(const cred_t *cr) 467 { 468 if (crgetzoneid(cr) == GLOBAL_ZONEID) 469 return (0); /* success */ 470 471 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || 472 curthread->t_pre_sys) { 473 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL); 474 } 475 return (EPERM); 476 } 477 478 /* 479 * Changing process priority 480 */ 481 int 482 secpolicy_setpriority(const cred_t *cr) 483 { 484 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL)); 485 } 486 487 /* 488 * Binding to a privileged port, port must be specified in host byte 489 * order. 490 */ 491 int 492 secpolicy_net_privaddr(const cred_t *cr, in_port_t port) 493 { 494 /* 495 * NFS ports, these are extra privileged ports, allow bind 496 * only if the SYS_NFS privilege is present. 497 */ 498 if (port == 2049 || port == 4045) 499 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EACCES, 500 "NFS port")); 501 else 502 return (PRIV_POLICY(cr, PRIV_NET_PRIVADDR, B_FALSE, EACCES, 503 NULL)); 504 } 505 506 /* 507 * Common routine which determines whether a given credential can 508 * act on a given mount. 509 * When called through mount, the parameter needoptcheck is a pointer 510 * to a boolean variable which will be set to either true or false, 511 * depending on whether the mount policy should change the mount options. 512 * In all other cases, needoptcheck should be a NULL pointer. 513 */ 514 static int 515 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp, 516 boolean_t *needoptcheck) 517 { 518 boolean_t allzone = B_FALSE; 519 boolean_t mounting = needoptcheck != NULL; 520 521 /* 522 * Short circuit the following cases: 523 * vfsp == NULL or mvp == NULL (pure privilege check) 524 * have all privileges - no further checks required 525 * and no mount options need to be set. 526 */ 527 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) { 528 if (mounting) 529 *needoptcheck = B_FALSE; 530 531 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 532 } 533 534 /* 535 * When operating on an existing mount (either we're not mounting 536 * or we're doing a remount and VFS_REMOUNT will be set), zones 537 * can operate only on mounts established by the zone itself. 538 */ 539 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) { 540 zoneid_t zoneid = crgetzoneid(cr); 541 542 if (zoneid != GLOBAL_ZONEID && 543 vfsp->vfs_zone->zone_id != zoneid) { 544 return (EPERM); 545 } 546 } 547 548 if (mounting) 549 *needoptcheck = B_TRUE; 550 551 /* 552 * Overlay mounts may hide important stuff; if you can't write to a 553 * mount point but would be able to mount on top of it, you can 554 * escalate your privileges. 555 * So we go about asking the same questions namefs does when it 556 * decides whether you can mount over a file or not but with the 557 * added restriction that you can only mount on top of a regular 558 * file or directory. 559 * If we have all the zone's privileges, we skip all other checks, 560 * or else we may actually get in trouble inside the automounter. 561 */ 562 if ((mvp->v_flag & VROOT) != 0 || 563 (mvp->v_type != VDIR && mvp->v_type != VREG) || 564 HAS_ALLZONEPRIVS(cr)) { 565 allzone = B_TRUE; 566 } else { 567 vattr_t va; 568 int err; 569 570 va.va_mask = AT_UID|AT_MODE; 571 err = VOP_GETATTR(mvp, &va, 0, cr); 572 if (err != 0) 573 return (err); 574 575 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0) 576 return (err); 577 578 if ((va.va_mode & VWRITE) == 0 && 579 secpolicy_vnode_access(cr, mvp, va.va_uid, VWRITE) != 0) { 580 return (EACCES); 581 } 582 } 583 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL)); 584 } 585 586 extern vnode_t *rootvp; 587 extern vfs_t *rootvfs; 588 589 int 590 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp) 591 { 592 boolean_t needoptchk; 593 int error; 594 595 /* 596 * If it's a remount, get the underlying mount point, 597 * except for the root where we use the rootvp. 598 */ 599 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) { 600 if (vfsp == rootvfs) 601 mvp = rootvp; 602 else 603 mvp = vfsp->vfs_vnodecovered; 604 } 605 606 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk); 607 608 if (error == 0 && needoptchk) { 609 boolean_t amsuper = HAS_ALLZONEPRIVS(cr); 610 611 /* 612 * Third check; if we don't have either "nosuid" or 613 * both "nosetuid" and "nodevices", then we add 614 * "nosuid"; this depends on how the current 615 * implementation works (it first checks nosuid). In a 616 * zone, a user with all zone privileges can mount with 617 * "setuid" but never with "devices". 618 */ 619 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) && 620 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) || 621 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) { 622 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper) 623 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0); 624 else 625 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0); 626 } 627 /* 628 * If we're not the local super user, we set the "restrict" 629 * option to indicate to automountd that this mount should 630 * be handled with care. 631 */ 632 if (!amsuper) 633 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0); 634 635 } 636 return (error); 637 } 638 639 /* 640 * Does the policy computations for "ownership" of a mount; 641 * here ownership is defined as the ability to "mount" 642 * the filesystem originally. The rootvfs doesn't cover any 643 * vnodes; we attribute its ownership to the rootvp. 644 */ 645 static int 646 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp) 647 { 648 vnode_t *mvp; 649 650 if (vfsp == NULL) 651 mvp = NULL; 652 else if (vfsp == rootvfs) 653 mvp = rootvp; 654 else 655 mvp = vfsp->vfs_vnodecovered; 656 657 return (secpolicy_fs_common(cr, mvp, vfsp, NULL)); 658 } 659 660 int 661 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp) 662 { 663 return (secpolicy_fs_owner(cr, vfsp)); 664 } 665 666 /* 667 * Quotas are a resource, but if one has the ability to mount a filesystem, he 668 * should be able to modify quotas on it. 669 */ 670 int 671 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp) 672 { 673 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 674 } 675 676 /* 677 * Exceeding minfree: also a per-mount resource constraint. 678 */ 679 int 680 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp) 681 { 682 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 683 } 684 685 int 686 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp) 687 { 688 return (secpolicy_fs_owner((cred_t *)cr, vfsp)); 689 } 690 691 /* ARGSUSED */ 692 int 693 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp) 694 { 695 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL)); 696 } 697 698 /* 699 * Name: secpolicy_vnode_access() 700 * 701 * Parameters: Process credential 702 * vnode 703 * uid of owner of vnode 704 * permission bits not granted to the caller when examining 705 * file mode bits (i.e., when a process wants to open a 706 * mode 444 file for VREAD|VWRITE, this function should be 707 * called only with a VWRITE argument). 708 * 709 * Normal: Verifies that cred has the appropriate privileges to 710 * override the mode bits that were denied. 711 * 712 * Override: file_dac_execute - if VEXEC bit was denied and vnode is 713 * not a directory. 714 * file_dac_read - if VREAD bit was denied. 715 * file_dac_search - if VEXEC bit was denied and vnode is 716 * a directory. 717 * file_dac_write - if VWRITE bit was denied. 718 * 719 * Root owned files are special cased to protect system 720 * configuration files and such. 721 * 722 * Output: EACCES - if privilege check fails. 723 */ 724 725 /* ARGSUSED */ 726 int 727 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode) 728 { 729 if ((mode & VREAD) && 730 PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0) 731 return (EACCES); 732 733 if (mode & VWRITE) { 734 boolean_t allzone; 735 736 if (owner == 0 && cr->cr_uid != 0) 737 allzone = B_TRUE; 738 else 739 allzone = B_FALSE; 740 if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL) 741 != 0) 742 return (EACCES); 743 } 744 745 if (mode & VEXEC) { 746 /* 747 * Directories use file_dac_search to override the execute bit. 748 */ 749 vtype_t vtype = vp->v_type; 750 751 if (vtype == VDIR) 752 return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, 753 EACCES, NULL)); 754 else 755 return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE, 756 EACCES, NULL)); 757 } 758 return (0); 759 } 760 761 /* 762 * Name: secpolicy_vnode_setid_modify() 763 * 764 * Normal: verify that subject can set the file setid flags. 765 * 766 * Output: EPERM - if not privileged. 767 */ 768 769 static int 770 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) 771 { 772 /* If changing to suid root, must have all zone privs */ 773 boolean_t allzone = B_TRUE; 774 775 if (owner != 0) { 776 if (owner == cr->cr_uid) 777 return (0); 778 allzone = B_FALSE; 779 } 780 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); 781 } 782 783 /* 784 * Are we allowed to retain the set-uid/set-gid bits when 785 * changing ownership or when writing to a file? 786 * "issuid" should be true when set-uid; only in that case 787 * root ownership is checked (setgid is assumed). 788 */ 789 int 790 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot) 791 { 792 if (issuidroot && !HAS_ALLZONEPRIVS(cred)) 793 return (EPERM); 794 795 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE)); 796 } 797 798 /* 799 * Name: secpolicy_vnode_setids_setgids() 800 * 801 * Normal: verify that subject can set the file setgid flag. 802 * 803 * Output: EPERM - if not privileged 804 */ 805 806 int 807 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid) 808 { 809 if (!groupmember(gid, cred)) 810 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, 811 NULL)); 812 return (0); 813 } 814 815 /* 816 * Create a file with a group different than any of the groups allowed: 817 * the group of the directory the file is created in, the effective 818 * group or any of the supplementary groups. 819 */ 820 int 821 secpolicy_vnode_create_gid(const cred_t *cred) 822 { 823 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN)) 824 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM, 825 NULL)); 826 else 827 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM, 828 NULL)); 829 } 830 831 /* 832 * Name: secpolicy_vnode_utime_modify() 833 * 834 * Normal: verify that subject can modify the utime on a file. 835 * 836 * Output: EPERM - if access denied. 837 */ 838 839 static int 840 secpolicy_vnode_utime_modify(const cred_t *cred) 841 { 842 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM, 843 "modify file times")); 844 } 845 846 847 /* 848 * Name: secpolicy_vnode_setdac() 849 * 850 * Normal: verify that subject can modify the mode of a file. 851 * allzone privilege needed when modifying root owned object. 852 * 853 * Output: EPERM - if access denied. 854 */ 855 856 int 857 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner) 858 { 859 if (owner == cred->cr_uid) 860 return (0); 861 862 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL)); 863 } 864 /* 865 * Name: secpolicy_vnode_stky_modify() 866 * 867 * Normal: verify that subject can make a file a "sticky". 868 * 869 * Output: EPERM - if access denied. 870 */ 871 872 int 873 secpolicy_vnode_stky_modify(const cred_t *cred) 874 { 875 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM, 876 "set file sticky")); 877 } 878 879 /* 880 * Policy determines whether we can remove an entry from a directory, 881 * regardless of permission bits. 882 */ 883 int 884 secpolicy_vnode_remove(const cred_t *cr) 885 { 886 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES, 887 "sticky directory")); 888 } 889 890 int 891 secpolicy_vnode_owner(const cred_t *cr, uid_t owner) 892 { 893 boolean_t allzone = (owner == 0); 894 895 if (owner == cr->cr_uid) 896 return (0); 897 898 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL)); 899 } 900 901 /* 902 * This function checks the policy decisions surrounding the 903 * vop setattr call. 904 * 905 * It should be called after sufficient locks have been established 906 * on the underlying data structures. No concurrent modifications 907 * should be allowed. 908 * 909 * The caller must pass in unlocked version of its vaccess function 910 * this is required because vop_access function should lock the 911 * node for reading. A three argument function should be defined 912 * which accepts the following argument: 913 * A pointer to the internal "node" type (inode *) 914 * vnode access bits (VREAD|VWRITE|VEXEC) 915 * a pointer to the credential 916 * 917 * This function makes the following policy decisions: 918 * 919 * - change permissions 920 * - permission to change file mode if not owner 921 * - permission to add sticky bit to non-directory 922 * - permission to add set-gid bit 923 * 924 * The ovap argument should include AT_MODE|AT_UID|AT_GID. 925 * 926 * If the vap argument does not include AT_MODE, the mode will be copied from 927 * ovap. In certain situations set-uid/set-gid bits need to be removed; 928 * this is done by marking vap->va_mask to include AT_MODE and va_mode 929 * is updated to the newly computed mode. 930 */ 931 932 int 933 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap, 934 const struct vattr *ovap, int flags, 935 int unlocked_access(void *, int, cred_t *), 936 void *node) 937 { 938 int mask = vap->va_mask; 939 int error = 0; 940 941 if (mask & AT_SIZE) { 942 if (vp->v_type == VDIR) { 943 error = EISDIR; 944 goto out; 945 } 946 error = unlocked_access(node, VWRITE, cr); 947 if (error) 948 goto out; 949 } 950 if (mask & AT_MODE) { 951 /* 952 * If not the owner of the file then check privilege 953 * for two things: the privilege to set the mode at all 954 * and, if we're setting setuid, we also need permissions 955 * to add the set-uid bit, if we're not the owner. 956 * In the specific case of creating a set-uid root 957 * file, we need even more permissions. 958 */ 959 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0) 960 goto out; 961 962 if ((vap->va_mode & S_ISUID) != 0 && 963 (error = secpolicy_vnode_setid_modify(cr, 964 ovap->va_uid)) != 0) { 965 goto out; 966 } 967 968 /* 969 * Check privilege if attempting to set the 970 * sticky bit on a non-directory. 971 */ 972 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 && 973 secpolicy_vnode_stky_modify(cr) != 0) { 974 vap->va_mode &= ~S_ISVTX; 975 } 976 977 /* 978 * Check for privilege if attempting to set the 979 * group-id bit. 980 */ 981 if ((vap->va_mode & S_ISGID) != 0 && 982 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) { 983 vap->va_mode &= ~S_ISGID; 984 } 985 986 } else 987 vap->va_mode = ovap->va_mode; 988 989 if (mask & (AT_UID|AT_GID)) { 990 boolean_t checkpriv = B_FALSE; 991 int priv; 992 boolean_t allzone = B_FALSE; 993 994 /* 995 * Chowning files. 996 * 997 * If you are the file owner: 998 * chown to other uid FILE_CHOWN_SELF 999 * chown to gid (non-member) FILE_CHOWN_SELF 1000 * chown to gid (member) <none> 1001 * 1002 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also 1003 * acceptable but the first one is reported when debugging. 1004 * 1005 * If you are not the file owner: 1006 * chown from root PRIV_FILE_CHOWN + zone 1007 * chown from other to any PRIV_FILE_CHOWN 1008 * 1009 */ 1010 if (cr->cr_uid != ovap->va_uid) { 1011 checkpriv = B_TRUE; 1012 allzone = (ovap->va_uid == 0); 1013 priv = PRIV_FILE_CHOWN; 1014 } else { 1015 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) || 1016 ((mask & AT_GID) && vap->va_gid != ovap->va_gid && 1017 !groupmember(vap->va_gid, cr))) { 1018 checkpriv = B_TRUE; 1019 priv = HAS_PRIVILEGE(cr, PRIV_FILE_CHOWN) ? 1020 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF; 1021 } 1022 } 1023 /* 1024 * If necessary, check privilege to see if update can be done. 1025 */ 1026 if (checkpriv && 1027 (error = PRIV_POLICY(cr, priv, allzone, EPERM, NULL)) 1028 != 0) { 1029 goto out; 1030 } 1031 1032 /* 1033 * If the file has either the set UID or set GID bits 1034 * set and the caller can set the bits, then leave them. 1035 */ 1036 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 && 1037 secpolicy_vnode_setid_retain(cr, 1038 (vap->va_mode & S_ISUID) != 0 && 1039 (mask & AT_UID) != 0 && vap->va_uid == 0) != 0) { 1040 /* Copied from ovap above if AT_MODE not specified */ 1041 vap->va_mask |= AT_MODE; 1042 vap->va_mode &= ~(S_ISUID|S_ISGID); 1043 } 1044 } 1045 if (mask & (AT_ATIME|AT_MTIME)) { 1046 /* 1047 * If not the file owner and not otherwise privileged, 1048 * always return an error when setting the 1049 * time other than the current (ATTR_UTIME flag set). 1050 * If setting the current time (ATTR_UTIME not set) then 1051 * unlocked_access will check permissions according to policy. 1052 */ 1053 if (cr->cr_uid != ovap->va_uid) { 1054 if (flags & ATTR_UTIME) 1055 error = secpolicy_vnode_utime_modify(cr); 1056 else { 1057 error = unlocked_access(node, VWRITE, cr); 1058 if (error == EACCES && 1059 secpolicy_vnode_utime_modify(cr) == 0) 1060 error = 0; 1061 } 1062 if (error) 1063 goto out; 1064 } 1065 } 1066 out: 1067 return (error); 1068 } 1069 1070 /* 1071 * Name: secpolicy_pcfs_modify_bootpartition() 1072 * 1073 * Normal: verify that subject can modify a pcfs boot partition. 1074 * 1075 * Output: EACCES - if privilege check failed. 1076 */ 1077 /*ARGSUSED*/ 1078 int 1079 secpolicy_pcfs_modify_bootpartition(const cred_t *cred) 1080 { 1081 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES, 1082 "modify pcfs boot partition")); 1083 } 1084 1085 /* 1086 * System V IPC routines 1087 */ 1088 int 1089 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip) 1090 { 1091 if (crgetzoneid(cr) != ip->ipc_zoneid || 1092 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) { 1093 boolean_t allzone = B_FALSE; 1094 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0) 1095 allzone = B_TRUE; 1096 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL)); 1097 } 1098 return (0); 1099 } 1100 1101 int 1102 secpolicy_ipc_config(const cred_t *cr) 1103 { 1104 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL)); 1105 } 1106 1107 int 1108 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode) 1109 { 1110 1111 boolean_t allzone = B_FALSE; 1112 1113 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1114 1115 if ((mode & MSG_R) && 1116 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1117 return (EACCES); 1118 1119 if (mode & MSG_W) { 1120 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0)) 1121 allzone = B_TRUE; 1122 1123 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1124 NULL)); 1125 } 1126 return (0); 1127 } 1128 1129 int 1130 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode) 1131 { 1132 boolean_t allzone = B_FALSE; 1133 1134 ASSERT((mode & (MSG_R|MSG_W)) != 0); 1135 1136 if ((mode & MSG_R) && 1137 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0) 1138 return (EACCES); 1139 1140 if (mode & MSG_W) { 1141 if (cr->cr_uid != 0 && owner == 0) 1142 allzone = B_TRUE; 1143 1144 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, 1145 NULL)); 1146 } 1147 return (0); 1148 } 1149 1150 /* 1151 * Audit configuration. 1152 */ 1153 int 1154 secpolicy_audit_config(const cred_t *cr) 1155 { 1156 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1157 } 1158 1159 /* 1160 * Audit record generation. 1161 */ 1162 int 1163 secpolicy_audit_modify(const cred_t *cr) 1164 { 1165 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL)); 1166 } 1167 1168 /* 1169 * Get audit attributes. 1170 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the 1171 * "Least" of the two privileges on error. 1172 */ 1173 int 1174 secpolicy_audit_getattr(const cred_t *cr) 1175 { 1176 if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE)) { 1177 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, 1178 NULL)); 1179 } else { 1180 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL)); 1181 } 1182 } 1183 1184 1185 /* 1186 * Locking physical memory 1187 */ 1188 int 1189 secpolicy_lock_memory(const cred_t *cr) 1190 { 1191 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL)); 1192 } 1193 1194 /* 1195 * Accounting (both acct(2) and exacct). 1196 */ 1197 int 1198 secpolicy_acct(const cred_t *cr) 1199 { 1200 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL)); 1201 } 1202 1203 /* 1204 * Is this process privileged to change its uids at will? 1205 * Uid 0 is still considered "special" and having the SETID 1206 * privilege is not sufficient to get uid 0. 1207 * Files are owned by root, so the privilege would give 1208 * full access and euid 0 is still effective. 1209 * 1210 * If you have the privilege and euid 0 only then do you 1211 * get the powers of root wrt uid 0. 1212 * 1213 * For gid manipulations, this is should be called with an 1214 * uid of -1. 1215 * 1216 */ 1217 int 1218 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly) 1219 { 1220 boolean_t allzone = B_FALSE; 1221 1222 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 && 1223 cr->cr_ruid != 0) { 1224 allzone = B_TRUE; 1225 } 1226 1227 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) : 1228 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL)); 1229 } 1230 1231 1232 /* 1233 * Acting on a different process: if the mode is for writing, 1234 * the restrictions are more severe. This is called after 1235 * we've verified that the uids do not match. 1236 */ 1237 int 1238 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode) 1239 { 1240 boolean_t allzone = B_FALSE; 1241 1242 if ((mode & VWRITE) && scr->cr_uid != 0 && 1243 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0)) 1244 allzone = B_TRUE; 1245 1246 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL)); 1247 } 1248 1249 int 1250 secpolicy_proc_access(const cred_t *scr) 1251 { 1252 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL)); 1253 } 1254 1255 int 1256 secpolicy_proc_excl_open(const cred_t *scr) 1257 { 1258 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL)); 1259 } 1260 1261 int 1262 secpolicy_proc_zone(const cred_t *scr) 1263 { 1264 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL)); 1265 } 1266 1267 /* 1268 * Destroying the system 1269 */ 1270 1271 int 1272 secpolicy_kmdb(const cred_t *scr) 1273 { 1274 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL)); 1275 } 1276 1277 /* 1278 * Processor sets, cpu configuration, resource pools. 1279 */ 1280 int 1281 secpolicy_pset(const cred_t *cr) 1282 { 1283 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1284 } 1285 1286 int 1287 secpolicy_ponline(const cred_t *cr) 1288 { 1289 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1290 } 1291 1292 int 1293 secpolicy_pool(const cred_t *cr) 1294 { 1295 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1296 } 1297 1298 int 1299 secpolicy_blacklist(const cred_t *cr) 1300 { 1301 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL)); 1302 } 1303 1304 /* 1305 * Catch all system configuration. 1306 */ 1307 int 1308 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly) 1309 { 1310 if (checkonly) { 1311 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 : 1312 EPERM); 1313 } else { 1314 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1315 } 1316 } 1317 1318 /* 1319 * Zone administration (halt, reboot, etc.) from within zone. 1320 */ 1321 int 1322 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly) 1323 { 1324 if (checkonly) { 1325 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 : 1326 EPERM); 1327 } else { 1328 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, 1329 NULL)); 1330 } 1331 } 1332 1333 /* 1334 * Zone configuration (create, halt, enter). 1335 */ 1336 int 1337 secpolicy_zone_config(const cred_t *cr) 1338 { 1339 /* 1340 * Require all privileges to avoid possibility of privilege 1341 * escalation. 1342 */ 1343 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1344 } 1345 1346 /* 1347 * Various other system configuration calls 1348 */ 1349 int 1350 secpolicy_coreadm(const cred_t *cr) 1351 { 1352 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1353 } 1354 1355 int 1356 secpolicy_systeminfo(const cred_t *cr) 1357 { 1358 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL)); 1359 } 1360 1361 int 1362 secpolicy_dispadm(const cred_t *cr) 1363 { 1364 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1365 } 1366 1367 int 1368 secpolicy_settime(const cred_t *cr) 1369 { 1370 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL)); 1371 } 1372 1373 /* 1374 * For realtime users: high resolution clock. 1375 */ 1376 int 1377 secpolicy_clock_highres(const cred_t *cr) 1378 { 1379 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM, 1380 NULL)); 1381 } 1382 1383 /* 1384 * drv_priv() is documented as callable from interrupt context, not that 1385 * anyone ever does, but still. No debugging or auditing can be done when 1386 * it is called from interrupt context. 1387 * returns 0 on succes, EPERM on failure. 1388 */ 1389 int 1390 drv_priv(cred_t *cr) 1391 { 1392 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1393 } 1394 1395 int 1396 secpolicy_sys_devices(const cred_t *cr) 1397 { 1398 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1399 } 1400 1401 int 1402 secpolicy_excl_open(const cred_t *cr) 1403 { 1404 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL)); 1405 } 1406 1407 int 1408 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl) 1409 { 1410 /* zone.* rctls can only be set from the global zone */ 1411 if (is_zone_rctl && priv_policy_global(cr) != 0) 1412 return (EPERM); 1413 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1414 } 1415 1416 int 1417 secpolicy_resource(const cred_t *cr) 1418 { 1419 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1420 } 1421 1422 /* 1423 * Processes with a real uid of 0 escape any form of accounting, much 1424 * like before. 1425 */ 1426 int 1427 secpolicy_newproc(const cred_t *cr) 1428 { 1429 if (cr->cr_ruid == 0) 1430 return (0); 1431 1432 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL)); 1433 } 1434 1435 /* 1436 * Networking 1437 */ 1438 int 1439 secpolicy_net_rawaccess(const cred_t *cr) 1440 { 1441 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL)); 1442 } 1443 1444 /* 1445 * Need this privilege for accessing the ICMP device 1446 */ 1447 int 1448 secpolicy_net_icmpaccess(const cred_t *cr) 1449 { 1450 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL)); 1451 } 1452 1453 /* 1454 * There are a few rare cases where the kernel generates ioctls() from 1455 * interrupt context with a credential of kcred rather than NULL. 1456 * In those cases, we take the safe and cheap test. 1457 */ 1458 int 1459 secpolicy_net_config(const cred_t *cr, boolean_t checkonly) 1460 { 1461 if (checkonly) { 1462 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ? 1463 0 : EPERM); 1464 } else { 1465 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM, 1466 NULL)); 1467 } 1468 } 1469 1470 1471 /* 1472 * Map network pseudo privileges to actual privileges. 1473 * So we don't need to recompile IP when we change the privileges. 1474 */ 1475 int 1476 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly) 1477 { 1478 int priv = PRIV_ALL; 1479 1480 switch (netpriv) { 1481 case OP_CONFIG: 1482 priv = PRIV_SYS_NET_CONFIG; 1483 break; 1484 case OP_RAW: 1485 priv = PRIV_NET_RAWACCESS; 1486 break; 1487 case OP_PRIVPORT: 1488 priv = PRIV_NET_PRIVADDR; 1489 break; 1490 } 1491 ASSERT(priv != PRIV_ALL); 1492 if (checkonly) 1493 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM); 1494 else 1495 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL)); 1496 } 1497 1498 /* 1499 * Checks for operations that are either client-only or are used by 1500 * both clients and servers. 1501 */ 1502 int 1503 secpolicy_nfs(const cred_t *cr) 1504 { 1505 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL)); 1506 } 1507 1508 /* 1509 * Special case for opening rpcmod: have NFS privileges or network 1510 * config privileges. 1511 */ 1512 int 1513 secpolicy_rpcmod_open(const cred_t *cr) 1514 { 1515 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE)) 1516 return (secpolicy_nfs(cr)); 1517 else 1518 return (secpolicy_net_config(cr, NULL)); 1519 } 1520 1521 int 1522 secpolicy_chroot(const cred_t *cr) 1523 { 1524 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL)); 1525 } 1526 1527 int 1528 secpolicy_tasksys(const cred_t *cr) 1529 { 1530 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL)); 1531 } 1532 1533 /* 1534 * Basic privilege checks. 1535 */ 1536 int 1537 secpolicy_basic_exec(const cred_t *cr) 1538 { 1539 return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL)); 1540 } 1541 1542 int 1543 secpolicy_basic_fork(const cred_t *cr) 1544 { 1545 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL)); 1546 } 1547 1548 int 1549 secpolicy_basic_proc(const cred_t *cr) 1550 { 1551 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL)); 1552 } 1553 1554 /* 1555 * Slightly complicated because we don't want to trigger the policy too 1556 * often. First we shortcircuit access to "self" (tp == sp) or if 1557 * we don't have the privilege but if we have permission 1558 * just return (0) and we don't flag the privilege as needed. 1559 * Else, we test for the privilege because we either have it or need it. 1560 */ 1561 int 1562 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp) 1563 { 1564 if (tp == sp || 1565 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) { 1566 return (0); 1567 } else { 1568 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL)); 1569 } 1570 } 1571 1572 int 1573 secpolicy_basic_link(const cred_t *cr) 1574 { 1575 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL)); 1576 } 1577 1578 /* 1579 * Additional device protection. 1580 * 1581 * Traditionally, a device has specific permissions on the node in 1582 * the filesystem which govern which devices can be opened by what 1583 * processes. In certain cases, it is desirable to add extra 1584 * restrictions, as writing to certain devices is identical to 1585 * having a complete run of the system. 1586 * 1587 * This mechanism is called the device policy. 1588 * 1589 * When a device is opened, its policy entry is looked up in the 1590 * policy cache and checked. 1591 */ 1592 int 1593 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag) 1594 { 1595 devplcy_t *plcy; 1596 int err; 1597 struct snode *csp = VTOS(common_specvp(vp)); 1598 1599 mutex_enter(&csp->s_lock); 1600 1601 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) { 1602 plcy = devpolicy_find(vp); 1603 if (csp->s_plcy) 1604 dpfree(csp->s_plcy); 1605 csp->s_plcy = plcy; 1606 ASSERT(plcy != NULL); 1607 } else 1608 plcy = csp->s_plcy; 1609 1610 if (plcy == nullpolicy) { 1611 mutex_exit(&csp->s_lock); 1612 return (0); 1613 } 1614 1615 dphold(plcy); 1616 1617 mutex_exit(&csp->s_lock); 1618 1619 err = secpolicy_require_set(cr, 1620 (oflag & FWRITE) ? &plcy->dp_wrp : &plcy->dp_rdp, "devpolicy"); 1621 dpfree(plcy); 1622 1623 return (err); 1624 } 1625 1626 int 1627 secpolicy_modctl(const cred_t *cr, int cmd) 1628 { 1629 switch (cmd) { 1630 case MODINFO: 1631 case MODGETPATH: 1632 case MODGETPATHLEN: 1633 case MODGETFBNAME: 1634 case MODGETNAME: 1635 case MODGETDEVPOLICY: 1636 case MODGETDEVPOLICYBYNAME: 1637 case MODGETMAJBIND: 1638 /* Unprivileged */ 1639 return (0); 1640 case MODLOAD: 1641 case MODSETDEVPOLICY: 1642 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1643 default: 1644 return (secpolicy_sys_config(cr, B_FALSE)); 1645 } 1646 } 1647 1648 int 1649 secpolicy_console(const cred_t *cr) 1650 { 1651 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1652 } 1653 1654 int 1655 secpolicy_power_mgmt(const cred_t *cr) 1656 { 1657 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL)); 1658 } 1659 1660 /* 1661 * Simulate terminal input; another escalation of privileges avenue. 1662 */ 1663 1664 int 1665 secpolicy_sti(const cred_t *cr) 1666 { 1667 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL)); 1668 } 1669 1670 int 1671 secpolicy_swapctl(const cred_t *cr) 1672 { 1673 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL)); 1674 } 1675 1676 int 1677 secpolicy_cpc_cpu(const cred_t *cr) 1678 { 1679 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL)); 1680 } 1681 1682 /* 1683 * secpolicy_contract_observer 1684 * 1685 * Determine if the subject may observe a specific contract's events. 1686 */ 1687 int 1688 secpolicy_contract_observer(const cred_t *cr, struct contract *ct) 1689 { 1690 if (contract_owned(ct, cr, B_FALSE)) 1691 return (0); 1692 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL)); 1693 } 1694 1695 /* 1696 * secpolicy_contract_observer_choice 1697 * 1698 * Determine if the subject may observe any contract's events. Just 1699 * tests privilege and audits on success. 1700 */ 1701 boolean_t 1702 secpolicy_contract_observer_choice(const cred_t *cr) 1703 { 1704 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE)); 1705 } 1706 1707 /* 1708 * secpolicy_contract_event 1709 * 1710 * Determine if the subject may request critical contract events or 1711 * reliable contract event delivery. 1712 */ 1713 int 1714 secpolicy_contract_event(const cred_t *cr) 1715 { 1716 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL)); 1717 } 1718 1719 /* 1720 * secpolicy_contract_event_choice 1721 * 1722 * Determine if the subject may retain contract events in its critical 1723 * set when a change in other terms would normally require a change in 1724 * the critical set. Just tests privilege and audits on success. 1725 */ 1726 boolean_t 1727 secpolicy_contract_event_choice(const cred_t *cr) 1728 { 1729 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE)); 1730 } 1731 1732 /* 1733 * Name: secpolicy_gart_access 1734 * 1735 * Normal: Verify if the subject has sufficient priveleges to make ioctls 1736 * to agpgart device 1737 * 1738 * Output: EPERM - if not privileged 1739 * 1740 */ 1741 int 1742 secpolicy_gart_access(const cred_t *cr) 1743 { 1744 return (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)); 1745 } 1746 1747 /* 1748 * Name: secpolicy_gart_map 1749 * 1750 * Normal: Verify if the subject has sufficient privelegs to map aperture 1751 * range through agpgart driver 1752 * 1753 * Output: EPERM - if not privileged 1754 * 1755 */ 1756 int 1757 secpolicy_gart_map(const cred_t *cr) 1758 { 1759 if (PRIV_POLICY(cr, PRIV_GART_ACCESS, B_FALSE, EPERM, NULL)) { 1760 return (PRIV_POLICY(cr, PRIV_GART_MAP, B_FALSE, EPERM, NULL)); 1761 } 1762 return (0); 1763 } 1764 1765 /* 1766 * secpolicy_zfs 1767 * 1768 * Determine if the user has permission to manipulate ZFS datasets (not pools). 1769 * Equivalent to the SYS_MOUNT privilege. 1770 */ 1771 int 1772 secpolicy_zfs(const cred_t *cr) 1773 { 1774 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL)); 1775 } 1776