1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/types.h>
26 #include <sys/sysmacros.h>
27 #include <sys/param.h>
28 #include <sys/systm.h>
29 #include <sys/cred_impl.h>
30 #include <sys/vnode.h>
31 #include <sys/vfs.h>
32 #include <sys/stat.h>
33 #include <sys/errno.h>
34 #include <sys/kmem.h>
35 #include <sys/user.h>
36 #include <sys/proc.h>
37 #include <sys/acct.h>
38 #include <sys/ipc_impl.h>
39 #include <sys/cmn_err.h>
40 #include <sys/debug.h>
41 #include <sys/policy.h>
42 #include <sys/kobj.h>
43 #include <sys/msg.h>
44 #include <sys/devpolicy.h>
45 #include <c2/audit.h>
46 #include <sys/varargs.h>
47 #include <sys/klpd.h>
48 #include <sys/modctl.h>
49 #include <sys/disp.h>
50 #include <sys/zone.h>
51 #include <inet/optcom.h>
52 #include <sys/sdt.h>
53 #include <sys/vfs.h>
54 #include <sys/mntent.h>
55 #include <sys/contract_impl.h>
56 #include <sys/dld_ioc.h>
57
58 /*
59 * There are two possible layers of privilege routines and two possible
60 * levels of secpolicy. Plus one other we may not be interested in, so
61 * we may need as many as 6 but no more.
62 */
63 #define MAXPRIVSTACK 6
64
65 int priv_debug = 0;
66 int priv_basic_test = -1;
67
68 /*
69 * This file contains the majority of the policy routines.
70 * Since the policy routines are defined by function and not
71 * by privilege, there is quite a bit of duplication of
72 * functions.
73 *
74 * The secpolicy functions must not make assumptions about
75 * locks held or not held as any lock can be held while they're
76 * being called.
77 *
78 * Credentials are read-only so no special precautions need to
79 * be taken while locking them.
80 *
81 * When a new policy check needs to be added to the system the
82 * following procedure should be followed:
83 *
84 * Pick an appropriate secpolicy_*() function
85 * -> done if one exists.
86 * Create a new secpolicy function, preferably with
87 * a descriptive name using the standard template.
88 * Pick an appropriate privilege for the policy.
89 * If no appropraite privilege exists, define new one
90 * (this should be done with extreme care; in most cases
91 * little is gained by adding another privilege)
92 *
93 * WHY ROOT IS STILL SPECIAL.
94 *
95 * In a number of the policy functions, there are still explicit
96 * checks for uid 0. The rationale behind these is that many root
97 * owned files/objects hold configuration information which can give full
98 * privileges to the user once written to. To prevent escalation
99 * of privilege by allowing just a single privilege to modify root owned
100 * objects, we've added these root specific checks where we considered
101 * them necessary: modifying root owned files, changing uids to 0, etc.
102 *
103 * PRIVILEGE ESCALATION AND ZONES.
104 *
105 * A number of operations potentially allow the caller to achieve
106 * privileges beyond the ones normally required to perform the operation.
107 * For example, if allowed to create a setuid 0 executable, a process can
108 * gain privileges beyond PRIV_FILE_SETID. Zones, however, place
109 * restrictions on the ability to gain privileges beyond those available
110 * within the zone through file and process manipulation. Hence, such
111 * operations require that the caller have an effective set that includes
112 * all privileges available within the current zone, or all privileges
113 * if executing in the global zone.
114 *
115 * This is indicated in the priv_policy* policy checking functions
116 * through a combination of parameters. The "priv" parameter indicates
117 * the privilege that is required, and the "allzone" parameter indicates
118 * whether or not all privileges in the zone are required. In addition,
119 * priv can be set to PRIV_ALL to indicate that all privileges are
120 * required (regardless of zone). There are three scenarios of interest:
121 * (1) operation requires a specific privilege
122 * (2) operation requires a specific privilege, and requires all
123 * privileges available within the zone (or all privileges if in
124 * the global zone)
125 * (3) operation requires all privileges, regardless of zone
126 *
127 * For (1), priv should be set to the specific privilege, and allzone
128 * should be set to B_FALSE.
129 * For (2), priv should be set to the specific privilege, and allzone
130 * should be set to B_TRUE.
131 * For (3), priv should be set to PRIV_ALL, and allzone should be set
132 * to B_FALSE.
133 *
134 */
135
136 /*
137 * The privileges are checked against the Effective set for
138 * ordinary processes and checked against the Limit set
139 * for euid 0 processes that haven't manipulated their privilege
140 * sets.
141 */
142 #define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
143 #define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
144 #define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
145 #define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
146 HAS_ALLPRIVS(cr) : \
147 PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
148
149 #define FAST_BASIC_CHECK(cr, priv) \
150 if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
151 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
152 return (0); \
153 }
154
155 /*
156 * Policy checking functions.
157 *
158 * All of the system's policy should be implemented here.
159 */
160
161 /*
162 * Private functions which take an additional va_list argument to
163 * implement an object specific policy override.
164 */
165 static int priv_policy_ap(const cred_t *, int, boolean_t, int,
166 const char *, va_list);
167 static int priv_policy_va(const cred_t *, int, boolean_t, int,
168 const char *, ...);
169
170 /*
171 * Generic policy calls
172 *
173 * The "bottom" functions of policy control
174 */
175 static char *
mprintf(const char * fmt,...)176 mprintf(const char *fmt, ...)
177 {
178 va_list args;
179 char *buf;
180 size_t len;
181
182 va_start(args, fmt);
183 len = vsnprintf(NULL, 0, fmt, args) + 1;
184 va_end(args);
185
186 buf = kmem_alloc(len, KM_NOSLEEP);
187
188 if (buf == NULL)
189 return (NULL);
190
191 va_start(args, fmt);
192 (void) vsnprintf(buf, len, fmt, args);
193 va_end(args);
194
195 return (buf);
196 }
197
198 /*
199 * priv_policy_errmsg()
200 *
201 * Generate an error message if privilege debugging is enabled system wide
202 * or for this particular process.
203 */
204
205 #define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
206 #define FMTMSG " for \"%s\""
207 #define FMTFUN " needed at %s+0x%lx"
208
209 /* The maximum size privilege format: the concatenation of the above */
210 #define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
211
212 static void
priv_policy_errmsg(const cred_t * cr,int priv,const char * msg)213 priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
214 {
215 struct proc *me;
216 pc_t stack[MAXPRIVSTACK];
217 int depth;
218 int i;
219 char *sym;
220 ulong_t off;
221 const char *pname;
222
223 char *cmd;
224 char fmt[sizeof (FMTMAX)];
225
226 if ((me = curproc) == &p0)
227 return;
228
229 /* Privileges must be defined */
230 ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
231 priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
232 priv_getbynum(priv) != NULL);
233
234 if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
235 priv = PRIV_ALL;
236
237 if (curthread->t_pre_sys)
238 ttolwp(curthread)->lwp_badpriv = (short)priv;
239
240 if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
241 return;
242
243 (void) strcpy(fmt, FMTHDR);
244
245 if (me->p_user.u_comm[0])
246 cmd = &me->p_user.u_comm[0];
247 else
248 cmd = "priv_policy";
249
250 if (msg != NULL && *msg != '\0') {
251 (void) strcat(fmt, FMTMSG);
252 } else {
253 (void) strcat(fmt, "%s");
254 msg = "";
255 }
256
257 sym = NULL;
258
259 depth = getpcstack(stack, MAXPRIVSTACK);
260
261 /*
262 * Try to find the first interesting function on the stack.
263 * priv_policy* that's us, so completely uninteresting.
264 * suser(), drv_priv(), secpolicy_* are also called from
265 * too many locations to convey useful information.
266 */
267 for (i = 0; i < depth; i++) {
268 sym = kobj_getsymname((uintptr_t)stack[i], &off);
269 if (sym != NULL &&
270 strstr(sym, "hasprocperm") == 0 &&
271 strcmp("suser", sym) != 0 &&
272 strcmp("ipcaccess", sym) != 0 &&
273 strcmp("drv_priv", sym) != 0 &&
274 strncmp("secpolicy_", sym, 10) != 0 &&
275 strncmp("priv_policy", sym, 11) != 0)
276 break;
277 }
278
279 if (sym != NULL)
280 (void) strcat(fmt, FMTFUN);
281
282 (void) strcat(fmt, "\n");
283
284 switch (priv) {
285 case PRIV_ALL:
286 pname = "ALL";
287 break;
288 case PRIV_MULTIPLE:
289 pname = "MULTIPLE";
290 break;
291 case PRIV_ALLZONE:
292 pname = "ZONE";
293 break;
294 case PRIV_GLOBAL:
295 pname = "GLOBAL";
296 break;
297 default:
298 pname = priv_getbynum(priv);
299 break;
300 }
301
302 if (CR_FLAGS(cr) & PRIV_DEBUG) {
303 /* Remember last message, just like lwp_badpriv. */
304 if (curthread->t_pdmsg != NULL) {
305 kmem_free(curthread->t_pdmsg,
306 strlen(curthread->t_pdmsg) + 1);
307 }
308
309 curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
310 cr->cr_uid, curthread->t_sysnum, msg, sym, off);
311
312 curthread->t_post_sys = 1;
313 }
314 if (priv_debug) {
315 cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
316 curthread->t_sysnum, msg, sym, off);
317 }
318 }
319
320 /*
321 * Override the policy, if appropriate. Return 0 if the external
322 * policy engine approves.
323 */
324 static int
priv_policy_override(const cred_t * cr,int priv,boolean_t allzone,va_list ap)325 priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
326 {
327 priv_set_t set;
328 int ret;
329
330 if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
331 return (-1);
332
333 if (priv == PRIV_ALL) {
334 priv_fillset(&set);
335 } else if (allzone) {
336 set = *ZONEPRIVS(cr);
337 } else {
338 priv_emptyset(&set);
339 priv_addset(&set, priv);
340 }
341 ret = klpd_call(cr, &set, ap);
342 return (ret);
343 }
344
345 static int
priv_policy_override_set(const cred_t * cr,const priv_set_t * req,va_list ap)346 priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
347 {
348 if (CR_FLAGS(cr) & PRIV_PFEXEC)
349 return (check_user_privs(cr, req));
350 if (CR_FLAGS(cr) & PRIV_XPOLICY) {
351 return (klpd_call(cr, req, ap));
352 }
353 return (-1);
354 }
355
356 static int
priv_policy_override_set_va(const cred_t * cr,const priv_set_t * req,...)357 priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
358 {
359 va_list ap;
360 int ret;
361
362 va_start(ap, req);
363 ret = priv_policy_override_set(cr, req, ap);
364 va_end(ap);
365 return (ret);
366 }
367
368 /*
369 * Audit failure, log error message.
370 */
371 static void
priv_policy_err(const cred_t * cr,int priv,boolean_t allzone,const char * msg)372 priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
373 {
374
375 if (AU_AUDITING())
376 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
377 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
378
379 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
380 curthread->t_pre_sys) {
381 if (allzone && !HAS_ALLZONEPRIVS(cr)) {
382 priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
383 } else {
384 ASSERT(!HAS_PRIVILEGE(cr, priv));
385 priv_policy_errmsg(cr, priv, msg);
386 }
387 }
388 }
389
390 /*
391 * priv_policy_ap()
392 * return 0 or error.
393 * See block comment above for a description of "priv" and "allzone" usage.
394 */
395 static int
priv_policy_ap(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,va_list ap)396 priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
397 const char *msg, va_list ap)
398 {
399 if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
400 (!servicing_interrupt() &&
401 priv_policy_override(cr, priv, allzone, ap) == 0)) {
402 if ((allzone || priv == PRIV_ALL ||
403 !PRIV_ISASSERT(priv_basic, priv)) &&
404 !servicing_interrupt()) {
405 PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
406 if (AU_AUDITING())
407 audit_priv(priv,
408 allzone ? ZONEPRIVS(cr) : NULL, 1);
409 }
410 err = 0;
411 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
412 } else if (!servicing_interrupt()) {
413 /* Failure audited in this procedure */
414 priv_policy_err(cr, priv, allzone, msg);
415 }
416 return (err);
417 }
418
419 int
priv_policy_va(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg,...)420 priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
421 const char *msg, ...)
422 {
423 int ret;
424 va_list ap;
425
426 va_start(ap, msg);
427 ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
428 va_end(ap);
429
430 return (ret);
431 }
432
433 int
priv_policy(const cred_t * cr,int priv,boolean_t allzone,int err,const char * msg)434 priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
435 const char *msg)
436 {
437 return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE));
438 }
439
440 /*
441 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
442 */
443 boolean_t
priv_policy_choice(const cred_t * cr,int priv,boolean_t allzone)444 priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
445 {
446 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
447 (!allzone || HAS_ALLZONEPRIVS(cr));
448
449 /* Audit success only */
450 if (res && AU_AUDITING() &&
451 (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
452 !servicing_interrupt()) {
453 audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
454 }
455 if (res) {
456 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
457 } else {
458 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
459 }
460 return (res);
461 }
462
463 /*
464 * Non-auditing variant of priv_policy_choice().
465 */
466 boolean_t
priv_policy_only(const cred_t * cr,int priv,boolean_t allzone)467 priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
468 {
469 boolean_t res = HAS_PRIVILEGE(cr, priv) &&
470 (!allzone || HAS_ALLZONEPRIVS(cr));
471
472 if (res) {
473 DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
474 } else {
475 DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
476 }
477 return (res);
478 }
479
480 /*
481 * Check whether all privileges in the required set are present.
482 */
483 static int
secpolicy_require_set(const cred_t * cr,const priv_set_t * req,const char * msg,...)484 secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
485 const char *msg, ...)
486 {
487 int priv;
488 int pfound = -1;
489 priv_set_t pset;
490 va_list ap;
491 int ret;
492
493 if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
494 &CR_OEPRIV(cr))) {
495 return (0);
496 }
497
498 va_start(ap, msg);
499 ret = priv_policy_override_set(cr, req, ap);
500 va_end(ap);
501 if (ret == 0)
502 return (0);
503
504 if (req == PRIV_FULLSET || priv_isfullset(req)) {
505 priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
506 return (EACCES);
507 }
508
509 pset = CR_OEPRIV(cr); /* present privileges */
510 priv_inverse(&pset); /* all non present privileges */
511 priv_intersect(req, &pset); /* the actual missing privs */
512
513 if (AU_AUDITING())
514 audit_priv(PRIV_NONE, &pset, 0);
515 /*
516 * Privilege debugging; special case "one privilege in set".
517 */
518 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
519 for (priv = 0; priv < nprivs; priv++) {
520 if (priv_ismember(&pset, priv)) {
521 if (pfound != -1) {
522 /* Multiple missing privs */
523 priv_policy_errmsg(cr, PRIV_MULTIPLE,
524 msg);
525 return (EACCES);
526 }
527 pfound = priv;
528 }
529 }
530 ASSERT(pfound != -1);
531 /* Just the one missing privilege */
532 priv_policy_errmsg(cr, pfound, msg);
533 }
534
535 return (EACCES);
536 }
537
538 /*
539 * Called when an operation requires that the caller be in the
540 * global zone, regardless of privilege.
541 */
542 static int
priv_policy_global(const cred_t * cr)543 priv_policy_global(const cred_t *cr)
544 {
545 if (crgetzoneid(cr) == GLOBAL_ZONEID)
546 return (0); /* success */
547
548 if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
549 curthread->t_pre_sys) {
550 priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);
551 }
552 return (EPERM);
553 }
554
555 /*
556 * Changing process priority
557 */
558 int
secpolicy_setpriority(const cred_t * cr)559 secpolicy_setpriority(const cred_t *cr)
560 {
561 return (PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL));
562 }
563
564 /*
565 * Binding to a privileged port, port must be specified in host byte
566 * order.
567 * When adding a new privilege which allows binding to currently privileged
568 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
569 * to these ports because of backward compatibility.
570 */
571 int
secpolicy_net_privaddr(const cred_t * cr,in_port_t port,int proto)572 secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
573 {
574 char *reason;
575 int priv;
576
577 switch (port) {
578 case 137:
579 case 138:
580 case 139:
581 case 445:
582 /*
583 * NBT and SMB ports, these are normal privileged ports,
584 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
585 * is present.
586 * Try both, if neither is present return an error for
587 * priv SYS_SMB.
588 */
589 if (PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
590 priv = PRIV_NET_PRIVADDR;
591 else
592 priv = PRIV_SYS_SMB;
593 reason = "NBT or SMB port";
594 break;
595
596 case 2049:
597 case 4045:
598 /*
599 * NFS ports, these are extra privileged ports, allow bind
600 * only if the SYS_NFS privilege is present.
601 */
602 priv = PRIV_SYS_NFS;
603 reason = "NFS port";
604 break;
605
606 default:
607 priv = PRIV_NET_PRIVADDR;
608 reason = NULL;
609 break;
610
611 }
612
613 return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
614 KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
615 }
616
617 /*
618 * Binding to a multilevel port on a trusted (labeled) system.
619 */
620 int
secpolicy_net_bindmlp(const cred_t * cr)621 secpolicy_net_bindmlp(const cred_t *cr)
622 {
623 return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
624 }
625
626 /*
627 * Allow a communication between a zone and an unlabeled host when their
628 * labels don't match.
629 */
630 int
secpolicy_net_mac_aware(const cred_t * cr)631 secpolicy_net_mac_aware(const cred_t *cr)
632 {
633 return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
634 }
635
636 /*
637 * Allow a privileged process to transmit traffic without explicit labels
638 */
639 int
secpolicy_net_mac_implicit(const cred_t * cr)640 secpolicy_net_mac_implicit(const cred_t *cr)
641 {
642 return (PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL));
643 }
644
645 /*
646 * Common routine which determines whether a given credential can
647 * act on a given mount.
648 * When called through mount, the parameter needoptcheck is a pointer
649 * to a boolean variable which will be set to either true or false,
650 * depending on whether the mount policy should change the mount options.
651 * In all other cases, needoptcheck should be a NULL pointer.
652 */
653 static int
secpolicy_fs_common(cred_t * cr,vnode_t * mvp,const vfs_t * vfsp,boolean_t * needoptcheck)654 secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
655 boolean_t *needoptcheck)
656 {
657 boolean_t allzone = B_FALSE;
658 boolean_t mounting = needoptcheck != NULL;
659
660 /*
661 * Short circuit the following cases:
662 * vfsp == NULL or mvp == NULL (pure privilege check)
663 * have all privileges - no further checks required
664 * and no mount options need to be set.
665 */
666 if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
667 if (mounting)
668 *needoptcheck = B_FALSE;
669
670 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
671 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
672 }
673
674 /*
675 * When operating on an existing mount (either we're not mounting
676 * or we're doing a remount and VFS_REMOUNT will be set), zones
677 * can operate only on mounts established by the zone itself.
678 */
679 if (!mounting || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
680 zoneid_t zoneid = crgetzoneid(cr);
681
682 if (zoneid != GLOBAL_ZONEID &&
683 vfsp->vfs_zone->zone_id != zoneid) {
684 return (EPERM);
685 }
686 }
687
688 if (mounting)
689 *needoptcheck = B_TRUE;
690
691 /*
692 * Overlay mounts may hide important stuff; if you can't write to a
693 * mount point but would be able to mount on top of it, you can
694 * escalate your privileges.
695 * So we go about asking the same questions namefs does when it
696 * decides whether you can mount over a file or not but with the
697 * added restriction that you can only mount on top of a regular
698 * file or directory.
699 * If we have all the zone's privileges, we skip all other checks,
700 * or else we may actually get in trouble inside the automounter.
701 */
702 if ((mvp->v_flag & VROOT) != 0 ||
703 (mvp->v_type != VDIR && mvp->v_type != VREG) ||
704 HAS_ALLZONEPRIVS(cr)) {
705 allzone = B_TRUE;
706 } else {
707 vattr_t va;
708 int err;
709
710 va.va_mask = AT_UID|AT_MODE;
711 err = VOP_GETATTR(mvp, &va, 0, cr, NULL);
712 if (err != 0)
713 return (err);
714
715 if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
716 return (err);
717
718 if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
719 VWRITE) != 0) {
720 return (EACCES);
721 }
722 }
723 return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
724 NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
725 }
726
727 void
secpolicy_fs_mount_clearopts(cred_t * cr,struct vfs * vfsp)728 secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
729 {
730 boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
731
732 /*
733 * check; if we don't have either "nosuid" or
734 * both "nosetuid" and "nodevices", then we add
735 * "nosuid"; this depends on how the current
736 * implementation works (it first checks nosuid). In a
737 * zone, a user with all zone privileges can mount with
738 * "setuid" but never with "devices".
739 */
740 if (!vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
741 (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
742 !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL))) {
743 if (crgetzoneid(cr) == GLOBAL_ZONEID || !amsuper)
744 vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
745 else
746 vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
747 }
748 /*
749 * If we're not the local super user, we set the "restrict"
750 * option to indicate to automountd that this mount should
751 * be handled with care.
752 */
753 if (!amsuper)
754 vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
755
756 }
757
758 int
secpolicy_fs_allowed_mount(const char * fsname)759 secpolicy_fs_allowed_mount(const char *fsname)
760 {
761 struct vfssw *vswp;
762 const char *p;
763 size_t len;
764
765 ASSERT(fsname != NULL);
766 ASSERT(fsname[0] != '\0');
767
768 if (INGLOBALZONE(curproc))
769 return (0);
770
771 vswp = vfs_getvfssw(fsname);
772 if (vswp == NULL)
773 return (ENOENT);
774
775 if ((vswp->vsw_flag & VSW_ZMOUNT) != 0) {
776 vfs_unrefvfssw(vswp);
777 return (0);
778 }
779
780 vfs_unrefvfssw(vswp);
781
782 p = curzone->zone_fs_allowed;
783 len = strlen(fsname);
784
785 while (p != NULL && *p != '\0') {
786 if (strncmp(p, fsname, len) == 0) {
787 char c = *(p + len);
788 if (c == '\0' || c == ',')
789 return (0);
790 }
791
792 /* skip to beyond the next comma */
793 if ((p = strchr(p, ',')) != NULL)
794 p++;
795 }
796
797 return (EPERM);
798 }
799
800 extern vnode_t *rootvp;
801 extern vfs_t *rootvfs;
802
803 int
secpolicy_fs_mount(cred_t * cr,vnode_t * mvp,struct vfs * vfsp)804 secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
805 {
806 boolean_t needoptchk;
807 int error;
808
809 /*
810 * If it's a remount, get the underlying mount point,
811 * except for the root where we use the rootvp.
812 */
813 if ((vfsp->vfs_flag & VFS_REMOUNT) != 0) {
814 if (vfsp == rootvfs)
815 mvp = rootvp;
816 else
817 mvp = vfsp->vfs_vnodecovered;
818 }
819
820 error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
821
822 if (error == 0 && needoptchk) {
823 secpolicy_fs_mount_clearopts(cr, vfsp);
824 }
825
826 return (error);
827 }
828
829 /*
830 * Does the policy computations for "ownership" of a mount;
831 * here ownership is defined as the ability to "mount"
832 * the filesystem originally. The rootvfs doesn't cover any
833 * vnodes; we attribute its ownership to the rootvp.
834 */
835 static int
secpolicy_fs_owner(cred_t * cr,const struct vfs * vfsp)836 secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
837 {
838 vnode_t *mvp;
839
840 if (vfsp == NULL)
841 mvp = NULL;
842 else if (vfsp == rootvfs)
843 mvp = rootvp;
844 else
845 mvp = vfsp->vfs_vnodecovered;
846
847 return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
848 }
849
850 int
secpolicy_fs_unmount(cred_t * cr,struct vfs * vfsp)851 secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
852 {
853 return (secpolicy_fs_owner(cr, vfsp));
854 }
855
856 /*
857 * Quotas are a resource, but if one has the ability to mount a filesystem, he
858 * should be able to modify quotas on it.
859 */
860 int
secpolicy_fs_quota(const cred_t * cr,const vfs_t * vfsp)861 secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
862 {
863 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
864 }
865
866 /*
867 * Exceeding minfree: also a per-mount resource constraint.
868 */
869 int
secpolicy_fs_minfree(const cred_t * cr,const vfs_t * vfsp)870 secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
871 {
872 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
873 }
874
875 int
secpolicy_fs_config(const cred_t * cr,const vfs_t * vfsp)876 secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
877 {
878 return (secpolicy_fs_owner((cred_t *)cr, vfsp));
879 }
880
881 /* ARGSUSED */
882 int
secpolicy_fs_linkdir(const cred_t * cr,const vfs_t * vfsp)883 secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
884 {
885 return (PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL));
886 }
887
888 /*
889 * Name: secpolicy_vnode_access()
890 *
891 * Parameters: Process credential
892 * vnode
893 * uid of owner of vnode
894 * permission bits not granted to the caller when examining
895 * file mode bits (i.e., when a process wants to open a
896 * mode 444 file for VREAD|VWRITE, this function should be
897 * called only with a VWRITE argument).
898 *
899 * Normal: Verifies that cred has the appropriate privileges to
900 * override the mode bits that were denied.
901 *
902 * Override: file_dac_execute - if VEXEC bit was denied and vnode is
903 * not a directory.
904 * file_dac_read - if VREAD bit was denied.
905 * file_dac_search - if VEXEC bit was denied and vnode is
906 * a directory.
907 * file_dac_write - if VWRITE bit was denied.
908 *
909 * Root owned files are special cased to protect system
910 * configuration files and such.
911 *
912 * Output: EACCES - if privilege check fails.
913 */
914
915 int
secpolicy_vnode_access(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t mode)916 secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
917 {
918 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
919 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
920 KLPDARG_NOMORE) != 0) {
921 return (EACCES);
922 }
923
924 if (mode & VWRITE) {
925 boolean_t allzone;
926
927 if (owner == 0 && cr->cr_uid != 0)
928 allzone = B_TRUE;
929 else
930 allzone = B_FALSE;
931 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
932 NULL, KLPDARG_VNODE, vp, (char *)NULL,
933 KLPDARG_NOMORE) != 0) {
934 return (EACCES);
935 }
936 }
937
938 if (mode & VEXEC) {
939 /*
940 * Directories use file_dac_search to override the execute bit.
941 */
942 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
943 PRIV_FILE_DAC_EXECUTE;
944
945 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
946 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
947 }
948 return (0);
949 }
950
951 /*
952 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
953 * current mode of the file, not the missing bits.
954 */
955 int
secpolicy_vnode_access2(const cred_t * cr,vnode_t * vp,uid_t owner,mode_t curmode,mode_t wantmode)956 secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
957 mode_t curmode, mode_t wantmode)
958 {
959 mode_t mode;
960
961 /* Inline the basic privileges tests. */
962 if ((wantmode & VREAD) &&
963 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
964 priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
965 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
966 return (EACCES);
967 }
968
969 if ((wantmode & VWRITE) &&
970 !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
971 priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
972 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
973 return (EACCES);
974 }
975
976 mode = ~curmode & wantmode;
977
978 if (mode == 0)
979 return (0);
980
981 if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
982 EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
983 KLPDARG_NOMORE) != 0) {
984 return (EACCES);
985 }
986
987 if (mode & VWRITE) {
988 boolean_t allzone;
989
990 if (owner == 0 && cr->cr_uid != 0)
991 allzone = B_TRUE;
992 else
993 allzone = B_FALSE;
994 if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
995 NULL, KLPDARG_VNODE, vp, (char *)NULL,
996 KLPDARG_NOMORE) != 0) {
997 return (EACCES);
998 }
999 }
1000
1001 if (mode & VEXEC) {
1002 /*
1003 * Directories use file_dac_search to override the execute bit.
1004 */
1005 int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
1006 PRIV_FILE_DAC_EXECUTE;
1007
1008 return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
1009 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
1010 }
1011 return (0);
1012 }
1013
1014 /*
1015 * This is a special routine for ZFS; it is used to determine whether
1016 * any of the privileges in effect allow any form of access to the
1017 * file. There's no reason to audit this or any reason to record
1018 * this. More work is needed to do the "KPLD" stuff.
1019 */
1020 int
secpolicy_vnode_any_access(const cred_t * cr,vnode_t * vp,uid_t owner)1021 secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner)
1022 {
1023 static int privs[] = {
1024 PRIV_FILE_OWNER,
1025 PRIV_FILE_CHOWN,
1026 PRIV_FILE_DAC_READ,
1027 PRIV_FILE_DAC_WRITE,
1028 PRIV_FILE_DAC_EXECUTE,
1029 PRIV_FILE_DAC_SEARCH,
1030 };
1031 int i;
1032
1033 /* Same as secpolicy_vnode_setdac */
1034 if (owner == cr->cr_uid)
1035 return (0);
1036
1037 for (i = 0; i < sizeof (privs)/sizeof (int); i++) {
1038 boolean_t allzone = B_FALSE;
1039 int priv;
1040
1041 switch (priv = privs[i]) {
1042 case PRIV_FILE_DAC_EXECUTE:
1043 if (vp->v_type == VDIR)
1044 continue;
1045 break;
1046 case PRIV_FILE_DAC_SEARCH:
1047 if (vp->v_type != VDIR)
1048 continue;
1049 break;
1050 case PRIV_FILE_DAC_WRITE:
1051 case PRIV_FILE_OWNER:
1052 case PRIV_FILE_CHOWN:
1053 /* We know here that if owner == 0, that cr_uid != 0 */
1054 allzone = owner == 0;
1055 break;
1056 }
1057 if (PRIV_POLICY_CHOICE(cr, priv, allzone))
1058 return (0);
1059 }
1060 return (EPERM);
1061 }
1062
1063 /*
1064 * Name: secpolicy_vnode_setid_modify()
1065 *
1066 * Normal: verify that subject can set the file setid flags.
1067 *
1068 * Output: EPERM - if not privileged.
1069 */
1070
1071 static int
secpolicy_vnode_setid_modify(const cred_t * cr,uid_t owner)1072 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
1073 {
1074 /* If changing to suid root, must have all zone privs */
1075 boolean_t allzone = B_TRUE;
1076
1077 if (owner != 0) {
1078 if (owner == cr->cr_uid)
1079 return (0);
1080 allzone = B_FALSE;
1081 }
1082 return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL));
1083 }
1084
1085 /*
1086 * Are we allowed to retain the set-uid/set-gid bits when
1087 * changing ownership or when writing to a file?
1088 * "issuid" should be true when set-uid; only in that case
1089 * root ownership is checked (setgid is assumed).
1090 */
1091 int
secpolicy_vnode_setid_retain(const cred_t * cred,boolean_t issuidroot)1092 secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
1093 {
1094 if (issuidroot && !HAS_ALLZONEPRIVS(cred))
1095 return (EPERM);
1096
1097 return (!PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE));
1098 }
1099
1100 /*
1101 * Name: secpolicy_vnode_setids_setgids()
1102 *
1103 * Normal: verify that subject can set the file setgid flag.
1104 *
1105 * Output: EPERM - if not privileged
1106 */
1107
1108 int
secpolicy_vnode_setids_setgids(const cred_t * cred,gid_t gid)1109 secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
1110 {
1111 if (!groupmember(gid, cred))
1112 return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM,
1113 NULL));
1114 return (0);
1115 }
1116
1117 /*
1118 * Name: secpolicy_vnode_chown
1119 *
1120 * Normal: Determine if subject can chown owner of a file.
1121 *
1122 * Output: EPERM - if access denied
1123 */
1124
1125 int
secpolicy_vnode_chown(const cred_t * cred,uid_t owner)1126 secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
1127 {
1128 boolean_t is_owner = (owner == crgetuid(cred));
1129 boolean_t allzone = B_FALSE;
1130 int priv;
1131
1132 if (!is_owner) {
1133 allzone = (owner == 0);
1134 priv = PRIV_FILE_CHOWN;
1135 } else {
1136 priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
1137 PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
1138 }
1139
1140 return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
1141 }
1142
1143 /*
1144 * Name: secpolicy_vnode_create_gid
1145 *
1146 * Normal: Determine if subject can change group ownership of a file.
1147 *
1148 * Output: EPERM - if access denied
1149 */
1150 int
secpolicy_vnode_create_gid(const cred_t * cred)1151 secpolicy_vnode_create_gid(const cred_t *cred)
1152 {
1153 if (HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN))
1154 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN, B_FALSE, EPERM,
1155 NULL));
1156 else
1157 return (PRIV_POLICY(cred, PRIV_FILE_CHOWN_SELF, B_FALSE, EPERM,
1158 NULL));
1159 }
1160
1161 /*
1162 * Name: secpolicy_vnode_utime_modify()
1163 *
1164 * Normal: verify that subject can modify the utime on a file.
1165 *
1166 * Output: EPERM - if access denied.
1167 */
1168
1169 static int
secpolicy_vnode_utime_modify(const cred_t * cred)1170 secpolicy_vnode_utime_modify(const cred_t *cred)
1171 {
1172 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
1173 "modify file times"));
1174 }
1175
1176
1177 /*
1178 * Name: secpolicy_vnode_setdac()
1179 *
1180 * Normal: verify that subject can modify the mode of a file.
1181 * allzone privilege needed when modifying root owned object.
1182 *
1183 * Output: EPERM - if access denied.
1184 */
1185
1186 int
secpolicy_vnode_setdac(const cred_t * cred,uid_t owner)1187 secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
1188 {
1189 if (owner == cred->cr_uid)
1190 return (0);
1191
1192 return (PRIV_POLICY(cred, PRIV_FILE_OWNER, owner == 0, EPERM, NULL));
1193 }
1194 /*
1195 * Name: secpolicy_vnode_stky_modify()
1196 *
1197 * Normal: verify that subject can make a file a "sticky".
1198 *
1199 * Output: EPERM - if access denied.
1200 */
1201
1202 int
secpolicy_vnode_stky_modify(const cred_t * cred)1203 secpolicy_vnode_stky_modify(const cred_t *cred)
1204 {
1205 return (PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
1206 "set file sticky"));
1207 }
1208
1209 /*
1210 * Policy determines whether we can remove an entry from a directory,
1211 * regardless of permission bits.
1212 */
1213 int
secpolicy_vnode_remove(const cred_t * cr)1214 secpolicy_vnode_remove(const cred_t *cr)
1215 {
1216 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
1217 "sticky directory"));
1218 }
1219
1220 int
secpolicy_vnode_owner(const cred_t * cr,uid_t owner)1221 secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
1222 {
1223 boolean_t allzone = (owner == 0);
1224
1225 if (owner == cr->cr_uid)
1226 return (0);
1227
1228 return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
1229 }
1230
1231 void
secpolicy_setid_clear(vattr_t * vap,cred_t * cr)1232 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
1233 {
1234 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
1235 secpolicy_vnode_setid_retain(cr,
1236 (vap->va_mode & S_ISUID) != 0 &&
1237 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
1238 vap->va_mask |= AT_MODE;
1239 vap->va_mode &= ~(S_ISUID|S_ISGID);
1240 }
1241 }
1242
1243 int
secpolicy_setid_setsticky_clear(vnode_t * vp,vattr_t * vap,const vattr_t * ovap,cred_t * cr)1244 secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
1245 cred_t *cr)
1246 {
1247 int error;
1248
1249 if ((vap->va_mode & S_ISUID) != 0 &&
1250 (error = secpolicy_vnode_setid_modify(cr,
1251 ovap->va_uid)) != 0) {
1252 return (error);
1253 }
1254
1255 /*
1256 * Check privilege if attempting to set the
1257 * sticky bit on a non-directory.
1258 */
1259 if (vp->v_type != VDIR && (vap->va_mode & S_ISVTX) != 0 &&
1260 secpolicy_vnode_stky_modify(cr) != 0) {
1261 vap->va_mode &= ~S_ISVTX;
1262 }
1263
1264 /*
1265 * Check for privilege if attempting to set the
1266 * group-id bit.
1267 */
1268 if ((vap->va_mode & S_ISGID) != 0 &&
1269 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
1270 vap->va_mode &= ~S_ISGID;
1271 }
1272
1273 return (0);
1274 }
1275
1276 #define ATTR_FLAG_PRIV(attr, value, cr) \
1277 PRIV_POLICY(cr, value ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
1278 B_FALSE, EPERM, NULL)
1279
1280 /*
1281 * Check privileges for setting xvattr attributes
1282 */
1283 int
secpolicy_xvattr(xvattr_t * xvap,uid_t owner,cred_t * cr,vtype_t vtype)1284 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
1285 {
1286 xoptattr_t *xoap;
1287 int error = 0;
1288
1289 if ((xoap = xva_getxoptattr(xvap)) == NULL)
1290 return (EINVAL);
1291
1292 /*
1293 * First process the DOS bits
1294 */
1295 if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
1296 XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
1297 XVA_ISSET_REQ(xvap, XAT_READONLY) ||
1298 XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
1299 XVA_ISSET_REQ(xvap, XAT_CREATETIME) ||
1300 XVA_ISSET_REQ(xvap, XAT_OFFLINE) ||
1301 XVA_ISSET_REQ(xvap, XAT_SPARSE)) {
1302 if ((error = secpolicy_vnode_owner(cr, owner)) != 0)
1303 return (error);
1304 }
1305
1306 /*
1307 * Now handle special attributes
1308 */
1309
1310 if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE))
1311 error = ATTR_FLAG_PRIV(XAT_IMMUTABLE,
1312 xoap->xoa_immutable, cr);
1313 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NOUNLINK))
1314 error = ATTR_FLAG_PRIV(XAT_NOUNLINK,
1315 xoap->xoa_nounlink, cr);
1316 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_APPENDONLY))
1317 error = ATTR_FLAG_PRIV(XAT_APPENDONLY,
1318 xoap->xoa_appendonly, cr);
1319 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_NODUMP))
1320 error = ATTR_FLAG_PRIV(XAT_NODUMP,
1321 xoap->xoa_nodump, cr);
1322 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_OPAQUE))
1323 error = EPERM;
1324 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
1325 error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
1326 xoap->xoa_av_quarantined, cr);
1327 if (error == 0 && vtype != VREG && xoap->xoa_av_quarantined)
1328 error = EINVAL;
1329 }
1330 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED))
1331 error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED,
1332 xoap->xoa_av_modified, cr);
1333 if (error == 0 && XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
1334 error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
1335 xoap->xoa_av_scanstamp, cr);
1336 if (error == 0 && vtype != VREG)
1337 error = EINVAL;
1338 }
1339 return (error);
1340 }
1341
1342 /*
1343 * This function checks the policy decisions surrounding the
1344 * vop setattr call.
1345 *
1346 * It should be called after sufficient locks have been established
1347 * on the underlying data structures. No concurrent modifications
1348 * should be allowed.
1349 *
1350 * The caller must pass in unlocked version of its vaccess function
1351 * this is required because vop_access function should lock the
1352 * node for reading. A three argument function should be defined
1353 * which accepts the following argument:
1354 * A pointer to the internal "node" type (inode *)
1355 * vnode access bits (VREAD|VWRITE|VEXEC)
1356 * a pointer to the credential
1357 *
1358 * This function makes the following policy decisions:
1359 *
1360 * - change permissions
1361 * - permission to change file mode if not owner
1362 * - permission to add sticky bit to non-directory
1363 * - permission to add set-gid bit
1364 *
1365 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
1366 *
1367 * If the vap argument does not include AT_MODE, the mode will be copied from
1368 * ovap. In certain situations set-uid/set-gid bits need to be removed;
1369 * this is done by marking vap->va_mask to include AT_MODE and va_mode
1370 * is updated to the newly computed mode.
1371 */
1372
1373 int
secpolicy_vnode_setattr(cred_t * cr,struct vnode * vp,struct vattr * vap,const struct vattr * ovap,int flags,int unlocked_access (void *,int,cred_t *),void * node)1374 secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
1375 const struct vattr *ovap, int flags,
1376 int unlocked_access(void *, int, cred_t *),
1377 void *node)
1378 {
1379 int mask = vap->va_mask;
1380 int error = 0;
1381 boolean_t skipaclchk = (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
1382
1383 if (mask & AT_SIZE) {
1384 if (vp->v_type == VDIR) {
1385 error = EISDIR;
1386 goto out;
1387 }
1388
1389 /*
1390 * If ATTR_NOACLCHECK is set in the flags, then we don't
1391 * perform the secondary unlocked_access() call since the
1392 * ACL (if any) is being checked there.
1393 */
1394 if (skipaclchk == B_FALSE) {
1395 error = unlocked_access(node, VWRITE, cr);
1396 if (error)
1397 goto out;
1398 }
1399 }
1400 if (mask & AT_MODE) {
1401 /*
1402 * If not the owner of the file then check privilege
1403 * for two things: the privilege to set the mode at all
1404 * and, if we're setting setuid, we also need permissions
1405 * to add the set-uid bit, if we're not the owner.
1406 * In the specific case of creating a set-uid root
1407 * file, we need even more permissions.
1408 */
1409 if ((error = secpolicy_vnode_setdac(cr, ovap->va_uid)) != 0)
1410 goto out;
1411
1412 if ((error = secpolicy_setid_setsticky_clear(vp, vap,
1413 ovap, cr)) != 0)
1414 goto out;
1415 } else
1416 vap->va_mode = ovap->va_mode;
1417
1418 if (mask & (AT_UID|AT_GID)) {
1419 boolean_t checkpriv = B_FALSE;
1420
1421 /*
1422 * Chowning files.
1423 *
1424 * If you are the file owner:
1425 * chown to other uid FILE_CHOWN_SELF
1426 * chown to gid (non-member) FILE_CHOWN_SELF
1427 * chown to gid (member) <none>
1428 *
1429 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
1430 * acceptable but the first one is reported when debugging.
1431 *
1432 * If you are not the file owner:
1433 * chown from root PRIV_FILE_CHOWN + zone
1434 * chown from other to any PRIV_FILE_CHOWN
1435 *
1436 */
1437 if (cr->cr_uid != ovap->va_uid) {
1438 checkpriv = B_TRUE;
1439 } else {
1440 if (((mask & AT_UID) && vap->va_uid != ovap->va_uid) ||
1441 ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
1442 !groupmember(vap->va_gid, cr))) {
1443 checkpriv = B_TRUE;
1444 }
1445 }
1446 /*
1447 * If necessary, check privilege to see if update can be done.
1448 */
1449 if (checkpriv &&
1450 (error = secpolicy_vnode_chown(cr, ovap->va_uid)) != 0) {
1451 goto out;
1452 }
1453
1454 /*
1455 * If the file has either the set UID or set GID bits
1456 * set and the caller can set the bits, then leave them.
1457 */
1458 secpolicy_setid_clear(vap, cr);
1459 }
1460 if (mask & (AT_ATIME|AT_MTIME)) {
1461 /*
1462 * If not the file owner and not otherwise privileged,
1463 * always return an error when setting the
1464 * time other than the current (ATTR_UTIME flag set).
1465 * If setting the current time (ATTR_UTIME not set) then
1466 * unlocked_access will check permissions according to policy.
1467 */
1468 if (cr->cr_uid != ovap->va_uid) {
1469 if (flags & ATTR_UTIME)
1470 error = secpolicy_vnode_utime_modify(cr);
1471 else if (skipaclchk == B_FALSE) {
1472 error = unlocked_access(node, VWRITE, cr);
1473 if (error == EACCES &&
1474 secpolicy_vnode_utime_modify(cr) == 0)
1475 error = 0;
1476 }
1477 if (error)
1478 goto out;
1479 }
1480 }
1481
1482 /*
1483 * Check for optional attributes here by checking the following:
1484 */
1485 if (mask & AT_XVATTR)
1486 error = secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
1487 vp->v_type);
1488 out:
1489 return (error);
1490 }
1491
1492 /*
1493 * Name: secpolicy_pcfs_modify_bootpartition()
1494 *
1495 * Normal: verify that subject can modify a pcfs boot partition.
1496 *
1497 * Output: EACCES - if privilege check failed.
1498 */
1499 /*ARGSUSED*/
1500 int
secpolicy_pcfs_modify_bootpartition(const cred_t * cred)1501 secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
1502 {
1503 return (PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
1504 "modify pcfs boot partition"));
1505 }
1506
1507 /*
1508 * System V IPC routines
1509 */
1510 int
secpolicy_ipc_owner(const cred_t * cr,const struct kipc_perm * ip)1511 secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
1512 {
1513 if (crgetzoneid(cr) != ip->ipc_zoneid ||
1514 (cr->cr_uid != ip->ipc_uid && cr->cr_uid != ip->ipc_cuid)) {
1515 boolean_t allzone = B_FALSE;
1516 if (ip->ipc_uid == 0 || ip->ipc_cuid == 0)
1517 allzone = B_TRUE;
1518 return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
1519 }
1520 return (0);
1521 }
1522
1523 int
secpolicy_ipc_config(const cred_t * cr)1524 secpolicy_ipc_config(const cred_t *cr)
1525 {
1526 return (PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL));
1527 }
1528
1529 int
secpolicy_ipc_access(const cred_t * cr,const struct kipc_perm * ip,mode_t mode)1530 secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
1531 {
1532
1533 boolean_t allzone = B_FALSE;
1534
1535 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1536
1537 if ((mode & MSG_R) &&
1538 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1539 return (EACCES);
1540
1541 if (mode & MSG_W) {
1542 if (cr->cr_uid != 0 && (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
1543 allzone = B_TRUE;
1544
1545 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1546 NULL));
1547 }
1548 return (0);
1549 }
1550
1551 int
secpolicy_rsm_access(const cred_t * cr,uid_t owner,mode_t mode)1552 secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
1553 {
1554 boolean_t allzone = B_FALSE;
1555
1556 ASSERT((mode & (MSG_R|MSG_W)) != 0);
1557
1558 if ((mode & MSG_R) &&
1559 PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL) != 0)
1560 return (EACCES);
1561
1562 if (mode & MSG_W) {
1563 if (cr->cr_uid != 0 && owner == 0)
1564 allzone = B_TRUE;
1565
1566 return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
1567 NULL));
1568 }
1569 return (0);
1570 }
1571
1572 /*
1573 * Audit configuration.
1574 */
1575 int
secpolicy_audit_config(const cred_t * cr)1576 secpolicy_audit_config(const cred_t *cr)
1577 {
1578 return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
1579 }
1580
1581 /*
1582 * Audit record generation.
1583 */
1584 int
secpolicy_audit_modify(const cred_t * cr)1585 secpolicy_audit_modify(const cred_t *cr)
1586 {
1587 return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
1588 }
1589
1590 /*
1591 * Get audit attributes.
1592 * Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the
1593 * "Least" of the two privileges on error.
1594 */
1595 int
secpolicy_audit_getattr(const cred_t * cr,boolean_t checkonly)1596 secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
1597 {
1598 int priv;
1599
1600 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE))
1601 priv = PRIV_SYS_AUDIT;
1602 else
1603 priv = PRIV_PROC_AUDIT;
1604
1605 if (checkonly)
1606 return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));
1607 else
1608 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1609 }
1610
1611
1612 /*
1613 * Locking physical memory
1614 */
1615 int
secpolicy_lock_memory(const cred_t * cr)1616 secpolicy_lock_memory(const cred_t *cr)
1617 {
1618 return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
1619 }
1620
1621 /*
1622 * Accounting (both acct(2) and exacct).
1623 */
1624 int
secpolicy_acct(const cred_t * cr)1625 secpolicy_acct(const cred_t *cr)
1626 {
1627 return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
1628 }
1629
1630 /*
1631 * Is this process privileged to change its uids at will?
1632 * Uid 0 is still considered "special" and having the SETID
1633 * privilege is not sufficient to get uid 0.
1634 * Files are owned by root, so the privilege would give
1635 * full access and euid 0 is still effective.
1636 *
1637 * If you have the privilege and euid 0 only then do you
1638 * get the powers of root wrt uid 0.
1639 *
1640 * For gid manipulations, this is should be called with an
1641 * uid of -1.
1642 *
1643 */
1644 int
secpolicy_allow_setid(const cred_t * cr,uid_t newuid,boolean_t checkonly)1645 secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
1646 {
1647 boolean_t allzone = B_FALSE;
1648
1649 if (newuid == 0 && cr->cr_uid != 0 && cr->cr_suid != 0 &&
1650 cr->cr_ruid != 0) {
1651 allzone = B_TRUE;
1652 }
1653
1654 return (checkonly ? !PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone) :
1655 PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
1656 }
1657
1658
1659 /*
1660 * Acting on a different process: if the mode is for writing,
1661 * the restrictions are more severe. This is called after
1662 * we've verified that the uids do not match.
1663 */
1664 int
secpolicy_proc_owner(const cred_t * scr,const cred_t * tcr,int mode)1665 secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
1666 {
1667 boolean_t allzone = B_FALSE;
1668
1669 if ((mode & VWRITE) && scr->cr_uid != 0 &&
1670 (tcr->cr_uid == 0 || tcr->cr_ruid == 0 || tcr->cr_suid == 0))
1671 allzone = B_TRUE;
1672
1673 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
1674 }
1675
1676 int
secpolicy_proc_access(const cred_t * scr)1677 secpolicy_proc_access(const cred_t *scr)
1678 {
1679 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
1680 }
1681
1682 int
secpolicy_proc_excl_open(const cred_t * scr)1683 secpolicy_proc_excl_open(const cred_t *scr)
1684 {
1685 return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
1686 }
1687
1688 int
secpolicy_proc_zone(const cred_t * scr)1689 secpolicy_proc_zone(const cred_t *scr)
1690 {
1691 return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
1692 }
1693
1694 /*
1695 * Destroying the system
1696 */
1697
1698 int
secpolicy_kmdb(const cred_t * scr)1699 secpolicy_kmdb(const cred_t *scr)
1700 {
1701 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1702 }
1703
1704 int
secpolicy_error_inject(const cred_t * scr)1705 secpolicy_error_inject(const cred_t *scr)
1706 {
1707 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
1708 }
1709
1710 /*
1711 * Processor sets, cpu configuration, resource pools.
1712 */
1713 int
secpolicy_pset(const cred_t * cr)1714 secpolicy_pset(const cred_t *cr)
1715 {
1716 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1717 }
1718
1719 /*
1720 * Processor set binding.
1721 */
1722 int
secpolicy_pbind(const cred_t * cr)1723 secpolicy_pbind(const cred_t *cr)
1724 {
1725 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE))
1726 return (secpolicy_pset(cr));
1727 return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM, NULL));
1728 }
1729
1730 int
secpolicy_ponline(const cred_t * cr)1731 secpolicy_ponline(const cred_t *cr)
1732 {
1733 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1734 }
1735
1736 int
secpolicy_pool(const cred_t * cr)1737 secpolicy_pool(const cred_t *cr)
1738 {
1739 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1740 }
1741
1742 int
secpolicy_blacklist(const cred_t * cr)1743 secpolicy_blacklist(const cred_t *cr)
1744 {
1745 return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
1746 }
1747
1748 /*
1749 * Catch all system configuration.
1750 */
1751 int
secpolicy_sys_config(const cred_t * cr,boolean_t checkonly)1752 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
1753 {
1754 if (checkonly) {
1755 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE) ? 0 :
1756 EPERM);
1757 } else {
1758 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1759 }
1760 }
1761
1762 /*
1763 * Zone administration (halt, reboot, etc.) from within zone.
1764 */
1765 int
secpolicy_zone_admin(const cred_t * cr,boolean_t checkonly)1766 secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
1767 {
1768 if (checkonly) {
1769 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE) ? 0 :
1770 EPERM);
1771 } else {
1772 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM,
1773 NULL));
1774 }
1775 }
1776
1777 /*
1778 * Zone configuration (create, halt, enter).
1779 */
1780 int
secpolicy_zone_config(const cred_t * cr)1781 secpolicy_zone_config(const cred_t *cr)
1782 {
1783 /*
1784 * Require all privileges to avoid possibility of privilege
1785 * escalation.
1786 */
1787 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
1788 }
1789
1790 /*
1791 * Various other system configuration calls
1792 */
1793 int
secpolicy_coreadm(const cred_t * cr)1794 secpolicy_coreadm(const cred_t *cr)
1795 {
1796 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1797 }
1798
1799 int
secpolicy_systeminfo(const cred_t * cr)1800 secpolicy_systeminfo(const cred_t *cr)
1801 {
1802 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
1803 }
1804
1805 int
secpolicy_dispadm(const cred_t * cr)1806 secpolicy_dispadm(const cred_t *cr)
1807 {
1808 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
1809 }
1810
1811 int
secpolicy_settime(const cred_t * cr)1812 secpolicy_settime(const cred_t *cr)
1813 {
1814 return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
1815 }
1816
1817 /*
1818 * For realtime users: high resolution clock.
1819 */
1820 int
secpolicy_clock_highres(const cred_t * cr)1821 secpolicy_clock_highres(const cred_t *cr)
1822 {
1823 return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
1824 NULL));
1825 }
1826
1827 /*
1828 * drv_priv() is documented as callable from interrupt context, not that
1829 * anyone ever does, but still. No debugging or auditing can be done when
1830 * it is called from interrupt context.
1831 * returns 0 on succes, EPERM on failure.
1832 */
1833 int
drv_priv(cred_t * cr)1834 drv_priv(cred_t *cr)
1835 {
1836 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1837 }
1838
1839 int
secpolicy_sys_devices(const cred_t * cr)1840 secpolicy_sys_devices(const cred_t *cr)
1841 {
1842 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
1843 }
1844
1845 int
secpolicy_excl_open(const cred_t * cr)1846 secpolicy_excl_open(const cred_t *cr)
1847 {
1848 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
1849 }
1850
1851 int
secpolicy_rctlsys(const cred_t * cr,boolean_t is_zone_rctl)1852 secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
1853 {
1854 /* zone.* rctls can only be set from the global zone */
1855 if (is_zone_rctl && priv_policy_global(cr) != 0)
1856 return (EPERM);
1857 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1858 }
1859
1860 int
secpolicy_resource(const cred_t * cr)1861 secpolicy_resource(const cred_t *cr)
1862 {
1863 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1864 }
1865
1866 int
secpolicy_resource_anon_mem(const cred_t * cr)1867 secpolicy_resource_anon_mem(const cred_t *cr)
1868 {
1869 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
1870 }
1871
1872 /*
1873 * Processes with a real uid of 0 escape any form of accounting, much
1874 * like before.
1875 */
1876 int
secpolicy_newproc(const cred_t * cr)1877 secpolicy_newproc(const cred_t *cr)
1878 {
1879 if (cr->cr_ruid == 0)
1880 return (0);
1881
1882 return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
1883 }
1884
1885 /*
1886 * Networking
1887 */
1888 int
secpolicy_net_rawaccess(const cred_t * cr)1889 secpolicy_net_rawaccess(const cred_t *cr)
1890 {
1891 return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
1892 }
1893
1894 int
secpolicy_net_observability(const cred_t * cr)1895 secpolicy_net_observability(const cred_t *cr)
1896 {
1897 return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
1898 }
1899
1900 /*
1901 * Need this privilege for accessing the ICMP device
1902 */
1903 int
secpolicy_net_icmpaccess(const cred_t * cr)1904 secpolicy_net_icmpaccess(const cred_t *cr)
1905 {
1906 return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
1907 }
1908
1909 /*
1910 * There are a few rare cases where the kernel generates ioctls() from
1911 * interrupt context with a credential of kcred rather than NULL.
1912 * In those cases, we take the safe and cheap test.
1913 */
1914 int
secpolicy_net_config(const cred_t * cr,boolean_t checkonly)1915 secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
1916 {
1917 if (checkonly) {
1918 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE) ?
1919 0 : EPERM);
1920 } else {
1921 return (PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
1922 NULL));
1923 }
1924 }
1925
1926
1927 /*
1928 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
1929 *
1930 * There are a few rare cases where the kernel generates ioctls() from
1931 * interrupt context with a credential of kcred rather than NULL.
1932 * In those cases, we take the safe and cheap test.
1933 */
1934 int
secpolicy_ip_config(const cred_t * cr,boolean_t checkonly)1935 secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
1936 {
1937 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1938 return (secpolicy_net_config(cr, checkonly));
1939
1940 if (checkonly) {
1941 return (PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
1942 0 : EPERM);
1943 } else {
1944 return (PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
1945 NULL));
1946 }
1947 }
1948
1949 /*
1950 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG.
1951 */
1952 int
secpolicy_dl_config(const cred_t * cr)1953 secpolicy_dl_config(const cred_t *cr)
1954 {
1955 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1956 return (secpolicy_net_config(cr, B_FALSE));
1957 return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
1958 }
1959
1960 /*
1961 * PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG.
1962 */
1963 int
secpolicy_iptun_config(const cred_t * cr)1964 secpolicy_iptun_config(const cred_t *cr)
1965 {
1966 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
1967 return (secpolicy_net_config(cr, B_FALSE));
1968 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
1969 return (secpolicy_dl_config(cr));
1970 return (PRIV_POLICY(cr, PRIV_SYS_IPTUN_CONFIG, B_FALSE, EPERM, NULL));
1971 }
1972
1973 /*
1974 * Map IP pseudo privileges to actual privileges.
1975 * So we don't need to recompile IP when we change the privileges.
1976 */
1977 int
secpolicy_ip(const cred_t * cr,int netpriv,boolean_t checkonly)1978 secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
1979 {
1980 int priv = PRIV_ALL;
1981
1982 switch (netpriv) {
1983 case OP_CONFIG:
1984 priv = PRIV_SYS_IP_CONFIG;
1985 break;
1986 case OP_RAW:
1987 priv = PRIV_NET_RAWACCESS;
1988 break;
1989 case OP_PRIVPORT:
1990 priv = PRIV_NET_PRIVADDR;
1991 break;
1992 }
1993 ASSERT(priv != PRIV_ALL);
1994 if (checkonly)
1995 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
1996 else
1997 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
1998 }
1999
2000 /*
2001 * Map network pseudo privileges to actual privileges.
2002 * So we don't need to recompile IP when we change the privileges.
2003 */
2004 int
secpolicy_net(const cred_t * cr,int netpriv,boolean_t checkonly)2005 secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
2006 {
2007 int priv = PRIV_ALL;
2008
2009 switch (netpriv) {
2010 case OP_CONFIG:
2011 priv = PRIV_SYS_NET_CONFIG;
2012 break;
2013 case OP_RAW:
2014 priv = PRIV_NET_RAWACCESS;
2015 break;
2016 case OP_PRIVPORT:
2017 priv = PRIV_NET_PRIVADDR;
2018 break;
2019 }
2020 ASSERT(priv != PRIV_ALL);
2021 if (checkonly)
2022 return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
2023 else
2024 return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
2025 }
2026
2027 /*
2028 * Checks for operations that are either client-only or are used by
2029 * both clients and servers.
2030 */
2031 int
secpolicy_nfs(const cred_t * cr)2032 secpolicy_nfs(const cred_t *cr)
2033 {
2034 return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
2035 }
2036
2037 /*
2038 * Special case for opening rpcmod: have NFS privileges or network
2039 * config privileges.
2040 */
2041 int
secpolicy_rpcmod_open(const cred_t * cr)2042 secpolicy_rpcmod_open(const cred_t *cr)
2043 {
2044 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
2045 return (secpolicy_nfs(cr));
2046 else
2047 return (secpolicy_net_config(cr, NULL));
2048 }
2049
2050 int
secpolicy_chroot(const cred_t * cr)2051 secpolicy_chroot(const cred_t *cr)
2052 {
2053 return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
2054 }
2055
2056 int
secpolicy_tasksys(const cred_t * cr)2057 secpolicy_tasksys(const cred_t *cr)
2058 {
2059 return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
2060 }
2061
2062 int
secpolicy_pfexec_register(const cred_t * cr)2063 secpolicy_pfexec_register(const cred_t *cr)
2064 {
2065 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
2066 }
2067
2068 /*
2069 * Basic privilege checks.
2070 */
2071 int
secpolicy_basic_exec(const cred_t * cr,vnode_t * vp)2072 secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
2073 {
2074 FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);
2075
2076 return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
2077 KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
2078 }
2079
2080 int
secpolicy_basic_fork(const cred_t * cr)2081 secpolicy_basic_fork(const cred_t *cr)
2082 {
2083 FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);
2084
2085 return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
2086 }
2087
2088 int
secpolicy_basic_proc(const cred_t * cr)2089 secpolicy_basic_proc(const cred_t *cr)
2090 {
2091 FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);
2092
2093 return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
2094 }
2095
2096 /*
2097 * Slightly complicated because we don't want to trigger the policy too
2098 * often. First we shortcircuit access to "self" (tp == sp) or if
2099 * we don't have the privilege but if we have permission
2100 * just return (0) and we don't flag the privilege as needed.
2101 * Else, we test for the privilege because we either have it or need it.
2102 */
2103 int
secpolicy_basic_procinfo(const cred_t * cr,proc_t * tp,proc_t * sp)2104 secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
2105 {
2106 if (tp == sp ||
2107 !HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr)) {
2108 return (0);
2109 } else {
2110 return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
2111 }
2112 }
2113
2114 int
secpolicy_basic_link(const cred_t * cr)2115 secpolicy_basic_link(const cred_t *cr)
2116 {
2117 FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);
2118
2119 return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
2120 }
2121
2122 int
secpolicy_basic_net_access(const cred_t * cr)2123 secpolicy_basic_net_access(const cred_t *cr)
2124 {
2125 FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);
2126
2127 return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
2128 }
2129
2130 /* ARGSUSED */
2131 int
secpolicy_basic_file_read(const cred_t * cr,vnode_t * vp,const char * pn)2132 secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
2133 {
2134 FAST_BASIC_CHECK(cr, PRIV_FILE_READ);
2135
2136 return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
2137 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2138 }
2139
2140 /* ARGSUSED */
2141 int
secpolicy_basic_file_write(const cred_t * cr,vnode_t * vp,const char * pn)2142 secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn)
2143 {
2144 FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE);
2145
2146 return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
2147 KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
2148 }
2149
2150 /*
2151 * Additional device protection.
2152 *
2153 * Traditionally, a device has specific permissions on the node in
2154 * the filesystem which govern which devices can be opened by what
2155 * processes. In certain cases, it is desirable to add extra
2156 * restrictions, as writing to certain devices is identical to
2157 * having a complete run of the system.
2158 *
2159 * This mechanism is called the device policy.
2160 *
2161 * When a device is opened, its policy entry is looked up in the
2162 * policy cache and checked.
2163 */
2164 int
secpolicy_spec_open(const cred_t * cr,struct vnode * vp,int oflag)2165 secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
2166 {
2167 devplcy_t *plcy;
2168 int err;
2169 struct snode *csp = VTOS(common_specvp(vp));
2170 priv_set_t pset;
2171
2172 mutex_enter(&csp->s_lock);
2173
2174 if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
2175 plcy = devpolicy_find(vp);
2176 if (csp->s_plcy)
2177 dpfree(csp->s_plcy);
2178 csp->s_plcy = plcy;
2179 ASSERT(plcy != NULL);
2180 } else
2181 plcy = csp->s_plcy;
2182
2183 if (plcy == nullpolicy) {
2184 mutex_exit(&csp->s_lock);
2185 return (0);
2186 }
2187
2188 dphold(plcy);
2189
2190 mutex_exit(&csp->s_lock);
2191
2192 if (oflag & FWRITE)
2193 pset = plcy->dp_wrp;
2194 else
2195 pset = plcy->dp_rdp;
2196 /*
2197 * Special case:
2198 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
2199 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
2200 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
2201 * in the required privilege set before doing the check.
2202 */
2203 if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
2204 priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
2205 !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
2206 priv_delset(&pset, PRIV_SYS_IP_CONFIG);
2207 priv_addset(&pset, PRIV_SYS_NET_CONFIG);
2208 }
2209
2210 err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
2211 dpfree(plcy);
2212
2213 return (err);
2214 }
2215
2216 int
secpolicy_modctl(const cred_t * cr,int cmd)2217 secpolicy_modctl(const cred_t *cr, int cmd)
2218 {
2219 switch (cmd) {
2220 case MODINFO:
2221 case MODGETMAJBIND:
2222 case MODGETPATH:
2223 case MODGETPATHLEN:
2224 case MODGETNAME:
2225 case MODGETFBNAME:
2226 case MODGETDEVPOLICY:
2227 case MODGETDEVPOLICYBYNAME:
2228 case MODDEVT2INSTANCE:
2229 case MODSIZEOF_DEVID:
2230 case MODGETDEVID:
2231 case MODSIZEOF_MINORNAME:
2232 case MODGETMINORNAME:
2233 case MODGETDEVFSPATH_LEN:
2234 case MODGETDEVFSPATH:
2235 case MODGETDEVFSPATH_MI_LEN:
2236 case MODGETDEVFSPATH_MI:
2237 /* Unprivileged */
2238 return (0);
2239 case MODLOAD:
2240 case MODSETDEVPOLICY:
2241 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
2242 KLPDARG_NONE));
2243 default:
2244 return (secpolicy_sys_config(cr, B_FALSE));
2245 }
2246 }
2247
2248 int
secpolicy_console(const cred_t * cr)2249 secpolicy_console(const cred_t *cr)
2250 {
2251 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2252 }
2253
2254 int
secpolicy_power_mgmt(const cred_t * cr)2255 secpolicy_power_mgmt(const cred_t *cr)
2256 {
2257 return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
2258 }
2259
2260 /*
2261 * Simulate terminal input; another escalation of privileges avenue.
2262 */
2263
2264 int
secpolicy_sti(const cred_t * cr)2265 secpolicy_sti(const cred_t *cr)
2266 {
2267 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2268 }
2269
2270 boolean_t
secpolicy_net_reply_equal(const cred_t * cr)2271 secpolicy_net_reply_equal(const cred_t *cr)
2272 {
2273 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2274 }
2275
2276 int
secpolicy_swapctl(const cred_t * cr)2277 secpolicy_swapctl(const cred_t *cr)
2278 {
2279 return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
2280 }
2281
2282 int
secpolicy_cpc_cpu(const cred_t * cr)2283 secpolicy_cpc_cpu(const cred_t *cr)
2284 {
2285 return (PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL));
2286 }
2287
2288 /*
2289 * secpolicy_contract_identity
2290 *
2291 * Determine if the subject may set the process contract FMRI value
2292 */
2293 int
secpolicy_contract_identity(const cred_t * cr)2294 secpolicy_contract_identity(const cred_t *cr)
2295 {
2296 return (PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL));
2297 }
2298
2299 /*
2300 * secpolicy_contract_observer
2301 *
2302 * Determine if the subject may observe a specific contract's events.
2303 */
2304 int
secpolicy_contract_observer(const cred_t * cr,struct contract * ct)2305 secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
2306 {
2307 if (contract_owned(ct, cr, B_FALSE))
2308 return (0);
2309 return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM, NULL));
2310 }
2311
2312 /*
2313 * secpolicy_contract_observer_choice
2314 *
2315 * Determine if the subject may observe any contract's events. Just
2316 * tests privilege and audits on success.
2317 */
2318 boolean_t
secpolicy_contract_observer_choice(const cred_t * cr)2319 secpolicy_contract_observer_choice(const cred_t *cr)
2320 {
2321 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE));
2322 }
2323
2324 /*
2325 * secpolicy_contract_event
2326 *
2327 * Determine if the subject may request critical contract events or
2328 * reliable contract event delivery.
2329 */
2330 int
secpolicy_contract_event(const cred_t * cr)2331 secpolicy_contract_event(const cred_t *cr)
2332 {
2333 return (PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL));
2334 }
2335
2336 /*
2337 * secpolicy_contract_event_choice
2338 *
2339 * Determine if the subject may retain contract events in its critical
2340 * set when a change in other terms would normally require a change in
2341 * the critical set. Just tests privilege and audits on success.
2342 */
2343 boolean_t
secpolicy_contract_event_choice(const cred_t * cr)2344 secpolicy_contract_event_choice(const cred_t *cr)
2345 {
2346 return (PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE));
2347 }
2348
2349 /*
2350 * secpolicy_gart_access
2351 *
2352 * Determine if the subject has sufficient priveleges to make ioctls to agpgart
2353 * device.
2354 */
2355 int
secpolicy_gart_access(const cred_t * cr)2356 secpolicy_gart_access(const cred_t *cr)
2357 {
2358 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
2359 }
2360
2361 /*
2362 * secpolicy_gart_map
2363 *
2364 * Determine if the subject has sufficient priveleges to map aperture range
2365 * through agpgart driver.
2366 */
2367 int
secpolicy_gart_map(const cred_t * cr)2368 secpolicy_gart_map(const cred_t *cr)
2369 {
2370 if (PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
2371 return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM,
2372 NULL));
2373 } else {
2374 return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
2375 NULL));
2376 }
2377 }
2378
2379 /*
2380 * secpolicy_zinject
2381 *
2382 * Determine if the subject can inject faults in the ZFS fault injection
2383 * framework. Requires all privileges.
2384 */
2385 int
secpolicy_zinject(const cred_t * cr)2386 secpolicy_zinject(const cred_t *cr)
2387 {
2388 return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
2389 }
2390
2391 /*
2392 * secpolicy_zfs
2393 *
2394 * Determine if the subject has permission to manipulate ZFS datasets
2395 * (not pools). Equivalent to the SYS_MOUNT privilege.
2396 */
2397 int
secpolicy_zfs(const cred_t * cr)2398 secpolicy_zfs(const cred_t *cr)
2399 {
2400 return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL));
2401 }
2402
2403 /*
2404 * secpolicy_idmap
2405 *
2406 * Determine if the calling process has permissions to register an SID
2407 * mapping daemon and allocate ephemeral IDs.
2408 */
2409 int
secpolicy_idmap(const cred_t * cr)2410 secpolicy_idmap(const cred_t *cr)
2411 {
2412 return (PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL));
2413 }
2414
2415 /*
2416 * secpolicy_ucode_update
2417 *
2418 * Determine if the subject has sufficient privilege to update microcode.
2419 */
2420 int
secpolicy_ucode_update(const cred_t * scr)2421 secpolicy_ucode_update(const cred_t *scr)
2422 {
2423 return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
2424 }
2425
2426 /*
2427 * secpolicy_sadopen
2428 *
2429 * Determine if the subject has sufficient privilege to access /dev/sad/admin.
2430 * /dev/sad/admin appear in global zone and exclusive-IP zones only.
2431 * In global zone, sys_config is required.
2432 * In exclusive-IP zones, sys_ip_config is required.
2433 * Note that sys_config is prohibited in non-global zones.
2434 */
2435 int
secpolicy_sadopen(const cred_t * credp)2436 secpolicy_sadopen(const cred_t *credp)
2437 {
2438 priv_set_t pset;
2439
2440 priv_emptyset(&pset);
2441
2442 if (crgetzoneid(credp) == GLOBAL_ZONEID)
2443 priv_addset(&pset, PRIV_SYS_CONFIG);
2444 else
2445 priv_addset(&pset, PRIV_SYS_IP_CONFIG);
2446
2447 return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
2448 }
2449
2450
2451 /*
2452 * Add privileges to a particular privilege set; this is called when the
2453 * current sets of privileges are not sufficient. I.e., we should always
2454 * call the policy override functions from here.
2455 * What we are allowed to have is in the Observed Permitted set; so
2456 * we compute the difference between that and the newset.
2457 */
2458 int
secpolicy_require_privs(const cred_t * cr,const priv_set_t * nset)2459 secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
2460 {
2461 priv_set_t rqd;
2462
2463 rqd = CR_OPPRIV(cr);
2464
2465 priv_inverse(&rqd);
2466 priv_intersect(nset, &rqd);
2467
2468 return (secpolicy_require_set(cr, &rqd, NULL, KLPDARG_NONE));
2469 }
2470
2471 /*
2472 * secpolicy_smb
2473 *
2474 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
2475 * that it has permission to access the smbsrv kernel driver.
2476 * PRIV_POLICY checks the privilege and audits the check.
2477 *
2478 * Returns:
2479 * 0 Driver access is allowed.
2480 * EPERM Driver access is NOT permitted.
2481 */
2482 int
secpolicy_smb(const cred_t * cr)2483 secpolicy_smb(const cred_t *cr)
2484 {
2485 return (PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL));
2486 }
2487
2488 /*
2489 * secpolicy_vscan
2490 *
2491 * Determine if cred_t has the necessary privileges to access a file
2492 * for virus scanning and update its extended system attributes.
2493 * PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ - file access
2494 * PRIV_FILE_FLAG_SET - set extended system attributes
2495 *
2496 * PRIV_POLICY checks the privilege and audits the check.
2497 *
2498 * Returns:
2499 * 0 file access for virus scanning allowed.
2500 * EPERM file access for virus scanning is NOT permitted.
2501 */
2502 int
secpolicy_vscan(const cred_t * cr)2503 secpolicy_vscan(const cred_t *cr)
2504 {
2505 if ((PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL)) ||
2506 (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL)) ||
2507 (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL))) {
2508 return (EPERM);
2509 }
2510
2511 return (0);
2512 }
2513
2514 /*
2515 * secpolicy_smbfs_login
2516 *
2517 * Determines if the caller can add and delete the smbfs login
2518 * password in the the nsmb kernel module for the CIFS client.
2519 *
2520 * Returns:
2521 * 0 access is allowed.
2522 * EPERM access is NOT allowed.
2523 */
2524 int
secpolicy_smbfs_login(const cred_t * cr,uid_t uid)2525 secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
2526 {
2527 uid_t cruid = crgetruid(cr);
2528
2529 if (cruid == uid)
2530 return (0);
2531 return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
2532 EPERM, NULL));
2533 }
2534
2535 /*
2536 * secpolicy_xvm_control
2537 *
2538 * Determines if a caller can control the xVM hypervisor and/or running
2539 * domains (x86 specific).
2540 *
2541 * Returns:
2542 * 0 access is allowed.
2543 * EPERM access is NOT allowed.
2544 */
2545 int
secpolicy_xvm_control(const cred_t * cr)2546 secpolicy_xvm_control(const cred_t *cr)
2547 {
2548 if (PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL))
2549 return (EPERM);
2550 return (0);
2551 }
2552
2553 /*
2554 * secpolicy_ppp_config
2555 *
2556 * Determine if the subject has sufficient privileges to configure PPP and
2557 * PPP-related devices.
2558 */
2559 int
secpolicy_ppp_config(const cred_t * cr)2560 secpolicy_ppp_config(const cred_t *cr)
2561 {
2562 if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
2563 return (secpolicy_net_config(cr, B_FALSE));
2564 return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM, NULL));
2565 }
2566