author | <gerald.jelinek@sun.com> |
Tue, 25 May 2010 16:50:45 -0600 | |
changeset 12494 | 15439b11d535 |
parent 12484 | df5689211682 |
child 12633 | 9f2cda0ed938 |
permissions | -rw-r--r-- |
0 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
1544 | 5 |
* Common Development and Distribution License (the "License"). |
6 |
* You may not use this file except in compliance with the License. |
|
0 | 7 |
* |
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
21 |
/* |
|
22 |
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. |
0 | 23 |
*/ |
24 |
||
25 |
#include <sys/types.h> |
|
26 |
#include <sys/sysmacros.h> |
|
27 |
#include <sys/param.h> |
|
28 |
#include <sys/systm.h> |
|
29 |
#include <sys/cred_impl.h> |
|
30 |
#include <sys/vnode.h> |
|
31 |
#include <sys/vfs.h> |
|
32 |
#include <sys/stat.h> |
|
33 |
#include <sys/errno.h> |
|
34 |
#include <sys/kmem.h> |
|
35 |
#include <sys/user.h> |
|
36 |
#include <sys/proc.h> |
|
37 |
#include <sys/acct.h> |
|
38 |
#include <sys/ipc_impl.h> |
|
39 |
#include <sys/cmn_err.h> |
|
40 |
#include <sys/debug.h> |
|
41 |
#include <sys/policy.h> |
|
42 |
#include <sys/kobj.h> |
|
43 |
#include <sys/msg.h> |
|
44 |
#include <sys/devpolicy.h> |
|
45 |
#include <c2/audit.h> |
|
46 |
#include <sys/varargs.h> |
|
47 |
#include <sys/klpd.h> |
0 | 48 |
#include <sys/modctl.h> |
49 |
#include <sys/disp.h> |
|
50 |
#include <sys/zone.h> |
|
51 |
#include <inet/optcom.h> |
|
52 |
#include <sys/sdt.h> |
|
53 |
#include <sys/vfs.h> |
|
54 |
#include <sys/mntent.h> |
|
55 |
#include <sys/contract_impl.h> |
|
56 |
#include <sys/dld_ioc.h> |
0 | 57 |
|
58 |
/* |
|
59 |
* There are two possible layers of privilege routines and two possible |
|
60 |
* levels of secpolicy. Plus one other we may not be interested in, so |
|
61 |
* we may need as many as 6 but no more. |
|
62 |
*/ |
|
63 |
#define MAXPRIVSTACK 6

/*
 * Privilege debugging switches.
 *
 * priv_debug != 0 makes priv_policy_errmsg() report every failed
 * privilege check through cmn_err(), system wide.  The per-process
 * equivalent is the PRIV_DEBUG credential flag tested in the same
 * function.
 */
int priv_debug = 0;
/* NOTE(review): not referenced anywhere in the part of this file shown. */
int priv_basic_test = -1;
0 | 67 |
|
68 |
/* |
|
69 |
* This file contains the majority of the policy routines. |
|
70 |
* Since the policy routines are defined by function and not |
|
71 |
* by privilege, there is quite a bit of duplication of |
|
72 |
* functions. |
|
73 |
* |
|
5331 | 74 |
* The secpolicy functions must not make assumptions about |
0 | 75 |
* locks held or not held as any lock can be held while they're |
76 |
* being called. |
|
77 |
* |
|
78 |
* Credentials are read-only so no special precautions need to |
|
79 |
* be taken while locking them. |
|
80 |
* |
|
81 |
* When a new policy check needs to be added to the system the |
|
82 |
* following procedure should be followed: |
|
83 |
* |
|
84 |
* Pick an appropriate secpolicy_*() function |
|
85 |
* -> done if one exists. |
|
86 |
* Create a new secpolicy function, preferably with |
|
87 |
* a descriptive name using the standard template. |
|
88 |
* Pick an appropriate privilege for the policy. |
|
89 |
 * If no appropriate privilege exists, define new one
|
90 |
* (this should be done with extreme care; in most cases |
|
91 |
* little is gained by adding another privilege) |
|
92 |
* |
|
93 |
* WHY ROOT IS STILL SPECIAL. |
|
94 |
* |
|
95 |
* In a number of the policy functions, there are still explicit |
|
96 |
* checks for uid 0. The rationale behind these is that many root |
|
97 |
* owned files/objects hold configuration information which can give full |
|
98 |
* privileges to the user once written to. To prevent escalation |
|
99 |
* of privilege by allowing just a single privilege to modify root owned |
|
100 |
* objects, we've added these root specific checks where we considered |
|
101 |
* them necessary: modifying root owned files, changing uids to 0, etc. |
|
102 |
* |
|
103 |
* PRIVILEGE ESCALATION AND ZONES. |
|
104 |
* |
|
105 |
* A number of operations potentially allow the caller to achieve |
|
106 |
* privileges beyond the ones normally required to perform the operation. |
|
107 |
* For example, if allowed to create a setuid 0 executable, a process can |
|
108 |
* gain privileges beyond PRIV_FILE_SETID. Zones, however, place |
|
109 |
* restrictions on the ability to gain privileges beyond those available |
|
110 |
* within the zone through file and process manipulation. Hence, such |
|
111 |
* operations require that the caller have an effective set that includes |
|
112 |
* all privileges available within the current zone, or all privileges |
|
113 |
* if executing in the global zone. |
|
114 |
* |
|
115 |
* This is indicated in the priv_policy* policy checking functions |
|
116 |
* through a combination of parameters. The "priv" parameter indicates |
|
117 |
* the privilege that is required, and the "allzone" parameter indicates |
|
118 |
* whether or not all privileges in the zone are required. In addition, |
|
119 |
* priv can be set to PRIV_ALL to indicate that all privileges are |
|
120 |
* required (regardless of zone). There are three scenarios of interest: |
|
121 |
* (1) operation requires a specific privilege |
|
122 |
* (2) operation requires a specific privilege, and requires all |
|
123 |
* privileges available within the zone (or all privileges if in |
|
124 |
* the global zone) |
|
125 |
* (3) operation requires all privileges, regardless of zone |
|
126 |
* |
|
127 |
* For (1), priv should be set to the specific privilege, and allzone |
|
128 |
* should be set to B_FALSE. |
|
129 |
* For (2), priv should be set to the specific privilege, and allzone |
|
130 |
* should be set to B_TRUE. |
|
131 |
* For (3), priv should be set to PRIV_ALL, and allzone should be set |
|
132 |
* to B_FALSE. |
|
133 |
* |
|
134 |
*/ |
|
135 |
||
136 |
/*
 * The privileges are checked against the Effective set for
 * ordinary processes and checked against the Limit set
 * for euid 0 processes that haven't manipulated their privilege
 * sets.
 *
 * All of the macros below consult CR_OEPRIV(cr); presumably that macro
 * (defined in cred_impl.h, not here) is where the Effective/Limit
 * choice described above is made -- confirm there.
 */
/* Every privilege in the system is asserted in the observed set. */
#define HAS_ALLPRIVS(cr) priv_isfullset(&CR_OEPRIV(cr))
/* The privileges available within the credential's zone. */
#define ZONEPRIVS(cr) ((cr)->cr_zone->zone_privset)
/*
 * Every privilege the zone permits is asserted in the observed set
 * (consistent with the other priv_issubset() uses in this file, the
 * first argument is the candidate subset).
 */
#define HAS_ALLZONEPRIVS(cr) priv_issubset(ZONEPRIVS(cr), &CR_OEPRIV(cr))
/*
 * Single privilege test.  PRIV_ALL is a sentinel meaning "all privileges",
 * not a privilege number, so it is special-cased before PRIV_ISASSERT.
 */
#define HAS_PRIVILEGE(cr, pr) ((pr) == PRIV_ALL ? \
	HAS_ALLPRIVS(cr) : \
	PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
|
148 |
||
149 |
/*
 * Fast path for the basic privileges: when the privilege is asserted in
 * the observed set, fire the priv__ok probe and return success on behalf
 * of the calling function.  Deliberately not wrapped in do { } while (0)
 * because it must be able to 'return' from the caller.  No audit record
 * is written here; callers are expected to fall through to a full
 * priv_policy*() check when the fast path does not hit.
 */
#define FAST_BASIC_CHECK(cr, priv) \
	if (PRIV_ISASSERT(&CR_OEPRIV(cr), priv)) { \
		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, B_FALSE); \
		return (0); \
	}
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
154 |
|
0 | 155 |
/* |
156 |
* Policy checking functions. |
0 | 157 |
* |
|
158 |
* All of the system's policy should be implemented here. |
0 | 159 |
*/ |
160 |
||
161 |
/*
 * Private functions which take an additional va_list argument to
 * implement an object specific policy override.
 *
 * The trailing arguments are never interpreted by the policy code in
 * this file; priv_policy_ap() hands the va_list to
 * priv_policy_override(), which passes it on to klpd_call().
 */
static int priv_policy_ap(const cred_t *, int, boolean_t, int,
    const char *, va_list);
static int priv_policy_va(const cred_t *, int, boolean_t, int,
    const char *, ...);
27ee74117a16
PSARC 2008/109 Fine Grained Access Permissions (FGAP)
casper
parents:
6073
diff
changeset
|
169 |
|
27ee74117a16
PSARC 2008/109 Fine Grained Access Permissions (FGAP)
casper
parents:
6073
diff
changeset
|
170 |
/* |
0 | 171 |
* Generic policy calls |
172 |
* |
|
173 |
* The "bottom" functions of policy control |
|
174 |
*/ |
|
175 |
/*
 * Format a message into a freshly kmem_alloc()ed buffer.
 *
 * Returns the NUL terminated string, or NULL when the KM_NOSLEEP
 * allocation fails.  The caller owns the result and releases it with
 * kmem_free(str, strlen(str) + 1); that size matches the one computed
 * here because both vsnprintf() passes format identical arguments.
 */
static char *
mprintf(const char *fmt, ...)
{
	va_list	ap;
	size_t	need;
	char	*str;

	/* First pass: measure only. */
	va_start(ap, fmt);
	need = vsnprintf(NULL, 0, fmt, ap) + 1;
	va_end(ap);

	str = kmem_alloc(need, KM_NOSLEEP);
	if (str != NULL) {
		/* Second pass: render into the exactly sized buffer. */
		va_start(ap, fmt);
		(void) vsnprintf(str, need, fmt, ap);
		va_end(ap);
	}

	return (str);
}
|
197 |
||
198 |
/* |
|
199 |
* priv_policy_errmsg() |
|
200 |
* |
|
201 |
* Generate an error message if privilege debugging is enabled system wide |
|
202 |
* or for this particular process. |
|
203 |
*/ |
|
204 |
||
205 |
/*
 * Fragments of the privilege debugging message.  priv_policy_errmsg()
 * concatenates these literals into a stack buffer and passes that as the
 * format; every variable piece (command name, pid, privilege name, uid,
 * syscall number, caller supplied message, symbol and offset) is passed
 * as an argument, so no runtime data ever becomes part of the format.
 */
#define FMTHDR "%s[%d]: missing privilege \"%s\" (euid = %d, syscall = %d)"
#define FMTMSG " for \"%s\""
#define FMTFUN " needed at %s+0x%lx"

/* The maximum size privilege format: the concatenation of the above */
#define FMTMAX FMTHDR FMTMSG FMTFUN "\n"
|
211 |
||
212 |
/*
 * Record, and optionally report, a failed privilege check.
 *
 * cr	credential that failed the check
 * priv	the missing privilege, or one of the sentinels PRIV_ALL,
 *	PRIV_MULTIPLE, PRIV_ALLZONE, PRIV_GLOBAL
 * msg	optional caller supplied context (may be NULL or empty)
 *
 * The failing privilege is always stored in lwp_badpriv for a thread in
 * system call entry (t_pre_sys), regardless of the debug switches.  The
 * message itself is only composed and emitted when priv_debug is set or
 * the credential carries PRIV_DEBUG.
 */
static void
priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
{
	struct proc *me;
	pc_t stack[MAXPRIVSTACK];
	int depth;
	int i;
	char *sym;
	ulong_t off;
	const char *pname;

	char *cmd;
	char fmt[sizeof (FMTMAX)];	/* room for every fragment combination */

	/* Nothing to report for the kernel's own process. */
	if ((me = curproc) == &p0)
		return;

	/* Privileges must be defined */
	ASSERT(priv == PRIV_ALL || priv == PRIV_MULTIPLE ||
	    priv == PRIV_ALLZONE || priv == PRIV_GLOBAL ||
	    priv_getbynum(priv) != NULL);

	/* In the global zone "all zone privileges" is simply "all". */
	if (priv == PRIV_ALLZONE && INGLOBALZONE(me))
		priv = PRIV_ALL;

	if (curthread->t_pre_sys)
		ttolwp(curthread)->lwp_badpriv = (short)priv;

	if (priv_debug == 0 && (CR_FLAGS(cr) & PRIV_DEBUG) == 0)
		return;

	/*
	 * The format is assembled from compile-time literals only.
	 * Process controlled text (u_comm, msg, the symbol name) is passed
	 * as an argument and never spliced into fmt, so a '%' in a command
	 * name cannot act as a conversion.
	 */
	(void) strcpy(fmt, FMTHDR);

	if (me->p_user.u_comm[0])
		cmd = &me->p_user.u_comm[0];
	else
		cmd = "priv_policy";

	if (msg != NULL && *msg != '\0') {
		(void) strcat(fmt, FMTMSG);
	} else {
		/* Keep the argument list fixed: consume msg with a "%s". */
		(void) strcat(fmt, "%s");
		msg = "";
	}

	sym = NULL;

	depth = getpcstack(stack, MAXPRIVSTACK);

	/*
	 * Try to find the first interesting function on the stack.
	 * priv_policy* that's us, so completely uninteresting.
	 * suser(), drv_priv(), secpolicy_* are also called from
	 * too many locations to convey useful information.
	 *
	 * If no frame qualifies, sym is left holding whatever the last
	 * frame examined resolved to (possibly NULL).  NOTE(review): off is
	 * only assigned by kobj_getsymname(); when depth is 0, or every
	 * lookup fails, it is passed below uninitialized (the format does
	 * not consume it in that case, but it is still an uninitialized
	 * read).
	 */
	for (i = 0; i < depth; i++) {
		sym = kobj_getsymname((uintptr_t)stack[i], &off);
		if (sym != NULL &&
		    strstr(sym, "hasprocperm") == 0 &&
		    strcmp("suser", sym) != 0 &&
		    strcmp("ipcaccess", sym) != 0 &&
		    strcmp("drv_priv", sym) != 0 &&
		    strncmp("secpolicy_", sym, 10) != 0 &&
		    strncmp("priv_policy", sym, 11) != 0)
			break;
	}

	if (sym != NULL)
		(void) strcat(fmt, FMTFUN);

	(void) strcat(fmt, "\n");

	switch (priv) {
	case PRIV_ALL:
		pname = "ALL";
		break;
	case PRIV_MULTIPLE:
		pname = "MULTIPLE";
		break;
	case PRIV_ALLZONE:
		pname = "ZONE";
		break;
	case PRIV_GLOBAL:
		pname = "GLOBAL";
		break;
	default:
		pname = priv_getbynum(priv);
		break;
	}

	if (CR_FLAGS(cr) & PRIV_DEBUG) {
		/* Remember last message, just like lwp_badpriv. */
		if (curthread->t_pdmsg != NULL) {
			kmem_free(curthread->t_pdmsg,
			    strlen(curthread->t_pdmsg) + 1);
		}

		/* mprintf() returns NULL on allocation failure. */
		curthread->t_pdmsg = mprintf(fmt, cmd, me->p_pid, pname,
		    cr->cr_uid, curthread->t_sysnum, msg, sym, off);

		curthread->t_post_sys = 1;
	}
	if (priv_debug) {
		cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
		    curthread->t_sysnum, msg, sym, off);
	}
}
|
319 |
||
320 |
/*
 * Consult the external policy engine (klpd) for a credential that has
 * opted in through the PRIV_XPOLICY flag.
 *
 * The set presented to the engine is what the caller's check demanded:
 * everything for PRIV_ALL, the zone's privilege set when allzone is set,
 * otherwise just the single privilege.
 *
 * Returns 0 when the engine approves, -1 when the credential is not
 * subject to external policy, and otherwise whatever klpd_call() returns.
 */
static int
priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
{
	priv_set_t needed;

	/* Not opted in: no override is possible. */
	if ((CR_FLAGS(cr) & PRIV_XPOLICY) == 0)
		return (-1);

	if (priv == PRIV_ALL) {
		priv_fillset(&needed);
	} else if (allzone) {
		needed = *ZONEPRIVS(cr);
	} else {
		priv_emptyset(&needed);
		priv_addset(&needed, priv);
	}

	return (klpd_call(cr, &needed, ap));
}
27ee74117a16
PSARC 2008/109 Fine Grained Access Permissions (FGAP)
casper
parents:
6073
diff
changeset
|
344 |
|
27ee74117a16
PSARC 2008/109 Fine Grained Access Permissions (FGAP)
casper
parents:
6073
diff
changeset
|
345 |
/*
 * Set-based policy override.  Tries, in order, the in-kernel pfexec
 * user-privilege lookup (PRIV_PFEXEC) and the external policy daemon
 * (PRIV_XPOLICY).  A PRIV_PFEXEC credential is never forwarded to klpd,
 * even if it also carries PRIV_XPOLICY.
 *
 * Returns 0 on approval, -1 when neither mechanism applies, otherwise the
 * value of the mechanism consulted.
 */
static int
priv_policy_override_set(const cred_t *cr, const priv_set_t *req, va_list ap)
{
	int ret = -1;

	if (CR_FLAGS(cr) & PRIV_PFEXEC)
		ret = check_user_privs(cr, req);
	else if (CR_FLAGS(cr) & PRIV_XPOLICY)
		ret = klpd_call(cr, req, ap);

	return (ret);
}
27ee74117a16
PSARC 2008/109 Fine Grained Access Permissions (FGAP)
casper
parents:
6073
diff
changeset
|
355 |
|
356 |
/*
 * Variadic front end for priv_policy_override_set(): gathers the trailing
 * override arguments (e.g. KLPDARG_NONE as used by priv_policy()) into a
 * va_list and forwards them unchanged.
 */
static int
priv_policy_override_set_va(const cred_t *cr, const priv_set_t *req, ...)
{
	int result;
	va_list args;

	va_start(args, req);
	result = priv_policy_override_set(cr, req, args);
	va_end(args);

	return (result);
}
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
367 |
|
368 |
/*
 * Failure path shared by the priv_policy*() checks: write the audit
 * record for the denied privilege (the zone set when allzone was
 * demanded), fire the priv__err probe and -- when privilege debugging is
 * on or the thread is in system call entry -- produce the diagnostic
 * through priv_policy_errmsg().
 */
static void
priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
{
	if (AU_AUDITING())
		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 0);
	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);

	if (!priv_debug && !(CR_FLAGS(cr) & PRIV_DEBUG) &&
	    !curthread->t_pre_sys)
		return;

	/*
	 * Report the zone-wide shortfall if that is what failed; otherwise
	 * the specific privilege must be the one that is missing.
	 */
	if (allzone && !HAS_ALLZONEPRIVS(cr)) {
		priv_policy_errmsg(cr, PRIV_ALLZONE, msg);
		return;
	}
	ASSERT(!HAS_PRIVILEGE(cr, priv));
	priv_policy_errmsg(cr, priv, msg);
}
|
389 |
||
390 |
/*
 * priv_policy_ap()
 *
 * The central privilege check.  See the block comment at the top of the
 * file for the meaning of "priv" and "allzone".
 *
 * Grants when the credential itself satisfies the request, or -- outside
 * interrupt context only -- when the policy override approves.  A grant
 * of a non-basic privilege (or of an allzone / PRIV_ALL request) sets the
 * ASU accounting flag and writes a success audit record, again only
 * outside interrupt context.  A denial is audited and reported through
 * priv_policy_err() unless servicing an interrupt, in which case it is
 * returned silently.
 *
 * Returns 0 when granted, otherwise the caller supplied errno "err".
 */
static int
priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
    const char *msg, va_list ap)
{
	boolean_t granted;

	/* Does the credential already carry what is required? */
	granted = HAS_PRIVILEGE(cr, priv) &&
	    (!allzone || HAS_ALLZONEPRIVS(cr));

	/* Else ask the policy override; never from interrupt context. */
	if (!granted && !servicing_interrupt() &&
	    priv_policy_override(cr, priv, allzone, ap) == 0)
		granted = B_TRUE;

	if (!granted) {
		/* Failure audited in this procedure */
		if (!servicing_interrupt())
			priv_policy_err(cr, priv, allzone, msg);
		return (err);
	}

	/*
	 * Successful use of a non-basic privilege, or of a zone-wide or
	 * PRIV_ALL request, is accounted and audited.
	 */
	if ((allzone || priv == PRIV_ALL ||
	    !PRIV_ISASSERT(priv_basic, priv)) &&
	    !servicing_interrupt()) {
		PTOU(curproc)->u_acflag |= ASU; /* Needed for SVVS */
		if (AU_AUDITING())
			audit_priv(priv,
			    allzone ? ZONEPRIVS(cr) : NULL, 1);
	}
	DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);

	return (0);
}
0 | 418 |
|
419 |
/*
 * Variadic entry point for the privilege check: collects the trailing
 * override arguments into a va_list for priv_policy_ap().  Returns 0 on
 * success or "err" on denial, exactly as priv_policy_ap() does.
 */
int
priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
    const char *msg, ...)
{
	va_list args;
	int result;

	va_start(args, msg);
	result = priv_policy_ap(cr, priv, allzone, err, msg, args);
	va_end(args);

	return (result);
}
/*
 * Plain privilege check with no object-specific arguments for the
 * policy override; equivalent to priv_policy_va() with KLPDARG_NONE.
 * Returns 0 when granted, otherwise "err".
 */
int
priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
    const char *msg)
{
	int rv;

	rv = priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NONE);
	return (rv);
}
439 |
||
440 |
/*
 * Boolean privilege check with success auditing.
 *
 * Unlike priv_policy(), a denial is neither audited nor reported (only
 * the priv__err probe fires), and no policy override is consulted.  A
 * successful use of a non-basic privilege, or of an allzone / PRIV_ALL
 * request, produces an audit record, but only outside interrupt context.
 *
 * Return B_TRUE for sufficient privileges, B_FALSE for insufficient
 * privileges.
 */
boolean_t
priv_policy_choice(const cred_t *cr, int priv, boolean_t allzone)
{
	boolean_t ok;

	if (!HAS_PRIVILEGE(cr, priv))
		ok = B_FALSE;
	else if (allzone && !HAS_ALLZONEPRIVS(cr))
		ok = B_FALSE;
	else
		ok = B_TRUE;

	if (!ok) {
		DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
		return (B_FALSE);
	}

	/* Audit success only */
	if (AU_AUDITING() &&
	    (allzone || priv == PRIV_ALL || !PRIV_ISASSERT(priv_basic, priv)) &&
	    !servicing_interrupt()) {
		audit_priv(priv, allzone ? ZONEPRIVS(cr) : NULL, 1);
	}
	DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
	return (B_TRUE);
}
|
462 |
||
463 |
/*
 * Non-auditing variant of priv_policy_choice(): the same observed-set
 * test, reported only through the priv__ok / priv__err DTrace probes.
 * Neither outcome is audited and no policy override is consulted.
 */
boolean_t
priv_policy_only(const cred_t *cr, int priv, boolean_t allzone)
{
	if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) {
		DTRACE_PROBE2(priv__ok, int, priv, boolean_t, allzone);
		return (B_TRUE);
	}
	DTRACE_PROBE2(priv__err, int, priv, boolean_t, allzone);
	return (B_FALSE);
}
|
479 |
||
480 |
/*
 * Check whether all privileges in the required set are present.
 *
 * req may be a real set or the PRIV_FULLSET sentinel ("every privilege");
 * msg and the trailing arguments go to the policy override.  Returns 0
 * when the set is held outright or the override approves, otherwise
 * EACCES after auditing exactly the privileges that were missing.
 *
 * NOTE(review): PRIV_FULLSET is special-cased around priv_issubset() and
 * priv_isfullset() below, but it is handed unchanged to
 * priv_policy_override_set() -- confirm that check_user_privs() and
 * klpd_call() accept the sentinel rather than treating it as a set.
 */
static int
secpolicy_require_set(const cred_t *cr, const priv_set_t *req,
    const char *msg, ...)
{
	int priv;
	int pfound = -1;
	priv_set_t pset;
	va_list ap;
	int ret;

	/* Held outright: nothing to audit or report. */
	if (req == PRIV_FULLSET ? HAS_ALLPRIVS(cr) : priv_issubset(req,
	    &CR_OEPRIV(cr))) {
		return (0);
	}

	/* Give the pfexec / external policy engine a chance to approve. */
	va_start(ap, msg);
	ret = priv_policy_override_set(cr, req, ap);
	va_end(ap);
	if (ret == 0)
		return (0);

	/* Everything was required: report a single PRIV_ALL failure. */
	if (req == PRIV_FULLSET || priv_isfullset(req)) {
		priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
		return (EACCES);
	}

	pset = CR_OEPRIV(cr); /* present privileges */
	priv_inverse(&pset); /* all non present privileges */
	priv_intersect(req, &pset); /* the actual missing privs */

	/* Audit only the privileges that were actually missing. */
	if (AU_AUDITING())
		audit_priv(PRIV_NONE, &pset, 0);
	/*
	 * Privilege debugging; special case "one privilege in set".
	 */
	if (priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) || curthread->t_pre_sys) {
		for (priv = 0; priv < nprivs; priv++) {
			if (priv_ismember(&pset, priv)) {
				if (pfound != -1) {
					/* Multiple missing privs */
					priv_policy_errmsg(cr, PRIV_MULTIPLE,
					    msg);
					return (EACCES);
				}
				pfound = priv;
			}
		}
		/* req was not a subset, so at least one privilege is missing. */
		ASSERT(pfound != -1);
		/* Just the one missing privilege */
		priv_policy_errmsg(cr, pfound, msg);
	}

	return (EACCES);
}
|
537 |
||
538 |
/*
 * Called when an operation requires that the caller be in the
 * global zone, regardless of privilege.
 *
 * Returns 0 in the global zone and EPERM elsewhere.  The EPERM case is
 * reported through priv_policy_errmsg(PRIV_GLOBAL) when privilege
 * debugging is on or the thread is in system call entry; nothing is
 * audited here.
 */
static int
priv_policy_global(const cred_t *cr)
{
	boolean_t report;

	if (crgetzoneid(cr) == GLOBAL_ZONEID)
		return (0); /* success */

	report = priv_debug || (CR_FLAGS(cr) & PRIV_DEBUG) ||
	    curthread->t_pre_sys;
	if (report)
		priv_policy_errmsg(cr, PRIV_GLOBAL, NULL);

	return (EPERM);
}
/*
 * Changing process priority: requires PRIV_PROC_PRIOCNTL.
 *
 * Returns 0 when the policy check passes, EPERM otherwise.
 */
int
secpolicy_setpriority(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_PROC_PRIOCNTL, B_FALSE, EPERM, NULL);
	return (err);
}
/*
 * Binding to a privileged port, port must be specified in host byte
 * order.
 * When adding a new privilege which allows binding to currently privileged
 * ports, then you MUST also allow processes with PRIV_NET_PRIVADDR bind
 * to these ports because of backward compatibility.
 *
 * Returns 0 if the bind is allowed, EACCES otherwise.  The protocol and
 * port are passed to the policy check as KLPDARG_PORT arguments.
 */
int
secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
{
	/* Default for an ordinary privileged port: NET_PRIVADDR, no reason. */
	int priv = PRIV_NET_PRIVADDR;
	char *reason = NULL;

	switch (port) {
	case 137:
	case 138:
	case 139:
	case 445:
		/*
		 * NBT and SMB ports, these are normal privileged ports,
		 * allow bind only if the SYS_SMB or NET_PRIVADDR privilege
		 * is present.
		 * Try both, if neither is present return an error for
		 * priv SYS_SMB.
		 */
		if (!PRIV_POLICY_ONLY(cr, PRIV_NET_PRIVADDR, B_FALSE))
			priv = PRIV_SYS_SMB;
		reason = "NBT or SMB port";
		break;

	case 2049:
	case 4045:
		/*
		 * NFS ports, these are extra privileged ports, allow bind
		 * only if the SYS_NFS privilege is present.
		 */
		priv = PRIV_SYS_NFS;
		reason = "NFS port";
		break;

	default:
		/* Defaults set above. */
		break;
	}

	return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
	    KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
}
/*
 * Binding to a multilevel port on a trusted (labeled) system.
 * Requires PRIV_NET_BINDMLP.
 *
 * Returns 0 when the policy check passes, EACCES otherwise.
 */
int
secpolicy_net_bindmlp(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL);
	return (err);
}
/*
 * Allow a communication between a zone and an unlabeled host when their
 * labels don't match.  Requires PRIV_NET_MAC_AWARE.
 *
 * Returns 0 when the policy check passes, EACCES otherwise.
 */
int
secpolicy_net_mac_aware(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL);
	return (err);
}
/*
 * Allow a privileged process to transmit traffic without explicit labels.
 * Requires PRIV_NET_MAC_IMPLICIT.
 *
 * Returns 0 when the policy check passes, EACCES otherwise.
 */
int
secpolicy_net_mac_implicit(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_NET_MAC_IMPLICIT, B_FALSE, EACCES, NULL);
	return (err);
}
/*
 * Common routine which determines whether a given credential can
 * act on a given mount.
 * When called through mount, the parameter needoptcheck is a pointer
 * to a boolean variable which will be set to either true or false,
 * depending on whether the mount policy should change the mount options.
 * In all other cases, needoptcheck should be a NULL pointer.
 *
 * Returns 0 when the operation is allowed.  Fails with EPERM when a
 * non-global zone touches a mount it did not establish or when the
 * PRIV_SYS_MOUNT check fails, with EACCES when the caller may not
 * write the mount point, or with the error from VOP_GETATTR().
 */
static int
secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
    boolean_t *needoptcheck)
{
	boolean_t is_mount = (needoptcheck != NULL);
	boolean_t want_allzone = B_FALSE;
	zoneid_t zoneid;
	vattr_t va;
	int err;

	/*
	 * Short circuit the following cases:
	 *	vfsp == NULL or mvp == NULL (pure privilege check)
	 *	have all privileges - no further checks required
	 *	and no mount options need to be set.
	 */
	if (vfsp == NULL || mvp == NULL || HAS_ALLPRIVS(cr)) {
		if (is_mount)
			*needoptcheck = B_FALSE;
		goto privcheck;
	}

	/*
	 * When operating on an existing mount (either we're not mounting
	 * or we're doing a remount and VFS_REMOUNT will be set), zones
	 * can operate only on mounts established by the zone itself.
	 */
	if (!is_mount || (vfsp->vfs_flag & VFS_REMOUNT) != 0) {
		zoneid = crgetzoneid(cr);
		if (zoneid != GLOBAL_ZONEID &&
		    vfsp->vfs_zone->zone_id != zoneid)
			return (EPERM);
	}

	/*
	 * From here on a mount needs its options looked at; the caller
	 * only consults this flag when we return 0.
	 */
	if (is_mount)
		*needoptcheck = B_TRUE;

	/*
	 * Overlay mounts may hide important stuff; if you can't write to a
	 * mount point but would be able to mount on top of it, you can
	 * escalate your privileges.
	 * So we go about asking the same questions namefs does when it
	 * decides whether you can mount over a file or not but with the
	 * added restriction that you can only mount on top of a regular
	 * file or directory.
	 * If we have all the zone's privileges, we skip all other checks,
	 * or else we may actually get in trouble inside the automounter.
	 */
	if ((mvp->v_flag & VROOT) != 0 ||
	    (mvp->v_type != VDIR && mvp->v_type != VREG) ||
	    HAS_ALLZONEPRIVS(cr)) {
		want_allzone = B_TRUE;
		goto privcheck;
	}

	/* Owner and mode of the mount point decide whether we may cover it. */
	va.va_mask = AT_UID|AT_MODE;
	if ((err = VOP_GETATTR(mvp, &va, 0, cr, NULL)) != 0)
		return (err);

	if ((err = secpolicy_vnode_owner(cr, va.va_uid)) != 0)
		return (err);

	if (secpolicy_vnode_access2(cr, mvp, va.va_uid, va.va_mode,
	    VWRITE) != 0)
		return (EACCES);

privcheck:
	return (priv_policy_va(cr, PRIV_SYS_MOUNT, want_allzone, EPERM,
	    NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
}
/*
 * Adjust the options of a mount for which secpolicy_fs_common() asked
 * for an option check; secpolicy_fs_mount() calls this after a
 * successful policy check when needoptcheck came back B_TRUE.
 */
void
secpolicy_fs_mount_clearopts(cred_t *cr, struct vfs *vfsp)
{
	boolean_t amsuper = HAS_ALLZONEPRIVS(cr);
	boolean_t need_nosuid;

	/*
	 * check; if we don't have either "nosuid" or
	 * both "nosetuid" and "nodevices", then we add
	 * "nosuid"; this depends on how the current
	 * implementation works (it first checks nosuid).  In a
	 * zone, a user with all zone privileges can mount with
	 * "setuid" but never with "devices".
	 */
	need_nosuid = !vfs_optionisset(vfsp, MNTOPT_NOSUID, NULL) &&
	    (!vfs_optionisset(vfsp, MNTOPT_NODEVICES, NULL) ||
	    !vfs_optionisset(vfsp, MNTOPT_NOSETUID, NULL));
	if (need_nosuid) {
		if (crgetzoneid(cr) != GLOBAL_ZONEID && amsuper)
			vfs_setmntopt(vfsp, MNTOPT_NODEVICES, NULL, 0);
		else
			vfs_setmntopt(vfsp, MNTOPT_NOSUID, NULL, 0);
	}

	/*
	 * If we're not the local super user, we set the "restrict"
	 * option to indicate to automountd that this mount should
	 * be handled with care.
	 */
	if (!amsuper)
		vfs_setmntopt(vfsp, MNTOPT_RESTRICT, NULL, 0);
}
/*
 * Root vnode and root vfs, defined elsewhere.  The root filesystem
 * covers no vnode, so secpolicy_fs_mount() and secpolicy_fs_owner()
 * use rootvp in place of vfs_vnodecovered when vfsp == rootvfs.
 */
extern vnode_t *rootvp;
extern vfs_t *rootvfs;
/*
 * Mount policy entry point.  A remount is checked against the vnode the
 * mount currently covers (rootvp for the root filesystem); when the
 * check succeeds and the policy asked for it, the mount options are
 * adjusted by secpolicy_fs_mount_clearopts().
 *
 * Returns 0 if the mount is allowed, otherwise the error from
 * secpolicy_fs_common().
 */
int
secpolicy_fs_mount(cred_t *cr, vnode_t *mvp, struct vfs *vfsp)
{
	boolean_t needoptchk = B_FALSE;
	int error;

	/*
	 * If it's a remount, get the underlying mount point,
	 * except for the root where we use the rootvp.
	 */
	if ((vfsp->vfs_flag & VFS_REMOUNT) != 0)
		mvp = (vfsp == rootvfs) ? rootvp : vfsp->vfs_vnodecovered;

	error = secpolicy_fs_common(cr, mvp, vfsp, &needoptchk);
	if (error != 0)
		return (error);

	if (needoptchk)
		secpolicy_fs_mount_clearopts(cr, vfsp);

	return (0);
}
/*
 * Does the policy computations for "ownership" of a mount;
 * here ownership is defined as the ability to "mount"
 * the filesystem originally.  The rootvfs doesn't cover any
 * vnodes; we attribute its ownership to the rootvp.
 *
 * A NULL vfsp reduces this to the pure PRIV_SYS_MOUNT privilege check
 * performed by secpolicy_fs_common().
 */
static int
secpolicy_fs_owner(cred_t *cr, const struct vfs *vfsp)
{
	vnode_t *mvp = NULL;

	if (vfsp != NULL)
		mvp = (vfsp == rootvfs) ? rootvp : vfsp->vfs_vnodecovered;

	/* Not a mount: no option check is wanted, hence the NULL. */
	return (secpolicy_fs_common(cr, mvp, vfsp, NULL));
}
/*
 * Unmounting: allowed for whoever could have mounted the filesystem.
 *
 * Returns 0 if allowed, otherwise the error from secpolicy_fs_owner().
 */
int
secpolicy_fs_unmount(cred_t *cr, struct vfs *vfsp)
{
	int err;

	err = secpolicy_fs_owner(cr, vfsp);
	return (err);
}
/*
 * Quotas are a resource, but if one has the ability to mount a filesystem, he
 * should be able to modify quotas on it.
 *
 * The cast only drops the const qualifier so that the non-const
 * secpolicy_fs_owner() can be called; the credential is not modified here.
 */
int
secpolicy_fs_quota(const cred_t *cr, const vfs_t *vfsp)
{
	int err;

	err = secpolicy_fs_owner((cred_t *)cr, vfsp);
	return (err);
}
/*
 * Exceeding minfree: also a per-mount resource constraint, so it is
 * governed by mount "ownership" like quotas.
 *
 * The cast only drops the const qualifier for secpolicy_fs_owner().
 */
int
secpolicy_fs_minfree(const cred_t *cr, const vfs_t *vfsp)
{
	int err;

	err = secpolicy_fs_owner((cred_t *)cr, vfsp);
	return (err);
}
/*
 * Filesystem configuration changes: governed by mount "ownership".
 *
 * The cast only drops the const qualifier for secpolicy_fs_owner().
 */
int
secpolicy_fs_config(const cred_t *cr, const vfs_t *vfsp)
{
	int err;

	err = secpolicy_fs_owner((cred_t *)cr, vfsp);
	return (err);
}
/*
 * Requires PRIV_SYS_LINKDIR; vfsp is accepted for interface
 * symmetry with the other secpolicy_fs_* routines but unused.
 *
 * Returns 0 when the policy check passes, EPERM otherwise.
 */
/* ARGSUSED */
int
secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_SYS_LINKDIR, B_FALSE, EPERM, NULL);
	return (err);
}
/*
 * Name:	secpolicy_vnode_access()
 *
 * Parameters:	Process credential
 *		vnode
 *		uid of owner of vnode
 *		permission bits not granted to the caller when examining
 *		file mode bits (i.e., when a process wants to open a
 *		mode 444 file for VREAD|VWRITE, this function should be
 *		called only with a VWRITE argument).
 *
 * Normal:	Verifies that cred has the appropriate privileges to
 *		override the mode bits that were denied.
 *
 * Override:	file_dac_execute - if VEXEC bit was denied and vnode is
 *		not a directory.
 *		file_dac_read - if VREAD bit was denied.
 *		file_dac_search - if VEXEC bit was denied and vnode is
 *		a directory.
 *		file_dac_write - if VWRITE bit was denied.
 *
 *		Root owned files are special cased to protect system
 *		configuration files and such.
 *
 * Output:	EACCES - if privilege check fails.
 */

int
secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
{
	boolean_t allzone;
	int priv;

	if ((mode & VREAD) != 0 &&
	    priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL,
	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0)
		return (EACCES);

	if ((mode & VWRITE) != 0) {
		/*
		 * Root-owned files are the special case from the header:
		 * a non-root caller is checked with allzone set.
		 */
		allzone = (owner == 0 && cr->cr_uid != 0) ? B_TRUE : B_FALSE;
		if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
		    NULL, KLPDARG_VNODE, vp, (char *)NULL,
		    KLPDARG_NOMORE) != 0)
			return (EACCES);
	}

	if ((mode & VEXEC) == 0)
		return (0);

	/* Directories use file_dac_search to override the execute bit. */
	priv = (vp->v_type == VDIR) ? PRIV_FILE_DAC_SEARCH :
	    PRIV_FILE_DAC_EXECUTE;
	return (priv_policy_va(cr, priv, B_FALSE, EACCES, NULL,
	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
}
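/*
 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 * current mode of the file, not the missing bits.
 *
 * The basic privileges PRIV_FILE_READ and PRIV_FILE_WRITE are tested
 * against the wanted mode first, independent of the file's mode bits:
 * a process whose effective set lacks them goes through the privilege
 * policy check even when the mode bits alone would grant access.  Only
 * then are the bits that curmode does not grant handed to
 * secpolicy_vnode_access() for the file_dac_* override checks.
 *
 * Returns 0 if access is allowed, EACCES otherwise.
 */
int
secpolicy_vnode_access2(const cred_t *cr, vnode_t *vp, uid_t owner,
    mode_t curmode, mode_t wantmode)
{
	mode_t mode;

	/* Inline the basic privileges tests. */
	if ((wantmode & VREAD) &&
	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_READ) &&
	    priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
		return (EACCES);
	}

	if ((wantmode & VWRITE) &&
	    !PRIV_ISASSERT(&CR_OEPRIV(cr), PRIV_FILE_WRITE) &&
	    priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL,
	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE) != 0) {
		return (EACCES);
	}

	/* The bits we want but the file's mode does not grant. */
	mode = ~curmode & wantmode;

	if (mode == 0)
		return (0);

	/*
	 * The DAC override tests for the missing bits are exactly those
	 * of secpolicy_vnode_access(); share them instead of keeping a
	 * second copy that has to be kept in sync.
	 */
	return (secpolicy_vnode_access(cr, vp, owner, mode));
}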
/* |
973 |
* This is a special routine for ZFS; it is used to determine whether |
974 |
* any of the privileges in effect allow any form of access to the |
975 |
* file. There's no reason to audit this or any reason to record |
976 |
* this. More work is needed to do the "KPLD" stuff. |
977 |
*/ |
978 |
int |
979 |
secpolicy_vnode_any_access(const cred_t *cr, vnode_t *vp, uid_t owner) |
980 |
{ |
981 |
static int privs[] = { |
982 |
PRIV_FILE_OWNER, |
983 |
PRIV_FILE_CHOWN, |
984 |
PRIV_FILE_DAC_READ, |
985 |
PRIV_FILE_DAC_WRITE, |
986 |
PRIV_FILE_DAC_EXECUTE, |
987 |
PRIV_FILE_DAC_SEARCH, |
988 |
}; |
989 |
int i; |
990 |
|
991 |
/* Same as secpolicy_vnode_setdac */ |
992 |
if (owner == cr->cr_uid) |
993 |
return (0); |
994 |
|
995 |
for (i = 0; i < sizeof (privs)/sizeof (int); i++) { |
996 |
boolean_t allzone = B_FALSE; |
997 |
int priv; |
switch (priv = privs[i]) { |
case PRIV_FILE_DAC_EXECUTE: |
if (vp->v_type == VDIR) |
continue; |
break; |
case PRIV_FILE_DAC_SEARCH: |
if (vp->v_type != VDIR) |
continue; |
break; |
case PRIV_FILE_DAC_WRITE: |
case PRIV_FILE_OWNER: |
case PRIV_FILE_CHOWN: |
/* We know here that if owner == 0, that cr_uid != 0 */ |
allzone = owner == 0; |
break; |
} |
if (PRIV_POLICY_CHOICE(cr, priv, allzone)) |
return (0); |
} |
return (EPERM); |
} |
1021 |
/* |
0 | 1022 |
* Name: secpolicy_vnode_setid_modify() |
1023 |
* |
|
1024 |
* Normal: verify that subject can set the file setid flags. |
|
1025 |
* |
|
1026 |
* Output: EPERM - if not privileged. |
|
1027 |
*/ |
|
1028 |
||
1029 |
static int |
|
1030 |
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner) |
|
1031 |
{ |
|
1032 |
/* If changing to suid root, must have all zone privs */ |
|
1033 |
boolean_t allzone = B_TRUE; |
|
1034 |
||
1035 |
if (owner != 0) { |
|
1036 |
if (owner == cr->cr_uid) |
|
1037 |
return (0); |
|
1038 |
allzone = B_FALSE; |
|
1039 |
} |
|
1040 |
return (PRIV_POLICY(cr, PRIV_FILE_SETID, allzone, EPERM, NULL)); |
|
1041 |
} |
|
1042 |
||
1043 |
/*
 * Are we allowed to retain the set-uid/set-gid bits when
 * changing ownership or when writing to a file?
 *
 * "issuidroot" should be B_TRUE when the file is set-uid and will be
 * owned by root; only in that case is the all-zone privilege set
 * required on top of PRIV_FILE_SETID (set-gid is not special-cased).
 *
 * Returns 0 when the bits may stay and a non-zero value when they must
 * be cleared.  The non-zero value is EPERM for the set-uid-root case but
 * merely 1 otherwise, so callers should only test for != 0.
 */
int
secpolicy_vnode_setid_retain(const cred_t *cred, boolean_t issuidroot)
{
	/* A set-uid root file may only keep its bits with all zone privs. */
	if (issuidroot && !HAS_ALLZONEPRIVS(cred))
		return (EPERM);

	/* PRIV_POLICY_CHOICE is non-zero when PRIV_FILE_SETID may be used. */
	if (PRIV_POLICY_CHOICE(cred, PRIV_FILE_SETID, B_FALSE))
		return (0);

	return (1);
}

/*
 * Name: secpolicy_vnode_setids_setgids()
 *
 * Normal: verify that the subject may set the set-gid bit on a file
 *	whose group is "gid".  Members of that group need no privilege;
 *	anyone else needs PRIV_FILE_SETID.
 *
 * Output: EPERM - if not privileged
 */

int
secpolicy_vnode_setids_setgids(const cred_t *cred, gid_t gid)
{
	/* Members of the target group are always allowed. */
	if (groupmember(gid, cred))
		return (0);

	return (PRIV_POLICY(cred, PRIV_FILE_SETID, B_FALSE, EPERM, NULL));
}

/*
 * Name: secpolicy_vnode_chown
 *
 * Normal: Determine if subject can chown owner of a file.
 *
 *	If the caller owns the file, PRIV_FILE_CHOWN_SELF suffices;
 *	PRIV_FILE_CHOWN is checked instead when the caller holds it, so a
 *	denial is (presumably) attributed to CHOWN_SELF.  If the caller
 *	does not own the file PRIV_FILE_CHOWN is required, and it must be
 *	held zone-wide when the current owner is root.
 *
 * Output: EPERM - if access denied
 */

int
secpolicy_vnode_chown(const cred_t *cred, uid_t owner)
{
	boolean_t allzone = B_FALSE;
	int priv;

	if (owner == crgetuid(cred)) {
		/* Giving away one's own file. */
		priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
		    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;
	} else {
		/* Taking a file away from someone else, root included. */
		priv = PRIV_FILE_CHOWN;
		allzone = (owner == 0);
	}

	return (PRIV_POLICY(cred, priv, allzone, EPERM, NULL));
}

/*
 * Name: secpolicy_vnode_create_gid
 *
 * Normal: Determine if subject can change group ownership of a file.
 *	Either PRIV_FILE_CHOWN or PRIV_FILE_CHOWN_SELF is acceptable; the
 *	former is checked when held, otherwise the latter.  No all-zone
 *	requirement applies here.
 *
 * Output: EPERM - if access denied
 */
int
secpolicy_vnode_create_gid(const cred_t *cred)
{
	int priv;

	priv = HAS_PRIVILEGE(cred, PRIV_FILE_CHOWN) ?
	    PRIV_FILE_CHOWN : PRIV_FILE_CHOWN_SELF;

	return (PRIV_POLICY(cred, priv, B_FALSE, EPERM, NULL));
}

/*
 * Name: secpolicy_vnode_utime_modify()
 *
 * Normal: verify that subject can modify the utime on a file it does
 *	not own; requires PRIV_FILE_OWNER.
 *
 * Output: EPERM - if access denied.
 */

static int
secpolicy_vnode_utime_modify(const cred_t *cred)
{
	int error;

	error = PRIV_POLICY(cred, PRIV_FILE_OWNER, B_FALSE, EPERM,
	    "modify file times");
	return (error);
}

/*
 * Name: secpolicy_vnode_setdac()
 *
 * Normal: verify that subject can modify the mode of a file.
 *	The owner always may; anyone else needs PRIV_FILE_OWNER, held
 *	zone-wide when the object is owned by root.
 *
 * Output: EPERM - if access denied.
 */

int
secpolicy_vnode_setdac(const cred_t *cred, uid_t owner)
{
	int allzone;

	if (cred->cr_uid == owner)
		return (0);

	/* Root-owned objects are protected by the all-zone requirement. */
	allzone = (owner == 0);
	return (PRIV_POLICY(cred, PRIV_FILE_OWNER, allzone, EPERM, NULL));
}

/*
 * Name: secpolicy_vnode_stky_modify()
 *
 * Normal: verify that subject can make a file "sticky"; this is
 *	gated on PRIV_SYS_CONFIG rather than on a file privilege.
 *
 * Output: EPERM - if access denied.
 */

int
secpolicy_vnode_stky_modify(const cred_t *cred)
{
	int error;

	error = PRIV_POLICY(cred, PRIV_SYS_CONFIG, B_FALSE, EPERM,
	    "set file sticky");
	return (error);
}

/*
 * Policy determines whether we can remove an entry from a directory,
 * regardless of permission bits.  The reason string records that this
 * is the sticky-directory override; note the error reported is EACCES,
 * not EPERM (presumably to match a plain permission denial).
 */
int
secpolicy_vnode_remove(const cred_t *cr)
{
	int error;

	error = PRIV_POLICY(cr, PRIV_FILE_OWNER, B_FALSE, EACCES,
	    "sticky directory");
	return (error);
}

/*
 * Name: secpolicy_vnode_owner()
 *
 * Normal: verify that the subject may act as the owner of an object
 *	owned by "owner".  The owner always may; anyone else needs
 *	PRIV_FILE_OWNER, zone-wide when the object is owned by root.
 *	This is the same check secpolicy_vnode_setdac() performs.
 *
 * Output: EPERM - if access denied.
 */
int
secpolicy_vnode_owner(const cred_t *cr, uid_t owner)
{
	boolean_t allzone;

	if (cr->cr_uid == owner)
		return (0);

	allzone = (owner == 0);
	return (PRIV_POLICY(cr, PRIV_FILE_OWNER, allzone, EPERM, NULL));
}

/*
 * Name: secpolicy_setid_clear()
 *
 * Normal: strip the set-uid/set-gid bits from the attributes being set
 *	when the caller is not allowed to retain them (see
 *	secpolicy_vnode_setid_retain()).  Only an explicit change of owner
 *	to uid 0 counts as "set-uid root".  When the bits are cleared,
 *	AT_MODE is added to va_mask so the new mode is actually applied.
 *
 * Output: none; "vap" is updated in place.
 */
void
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
{
	int issuidroot;

	/* Nothing to do unless at least one set-id bit is present. */
	if ((vap->va_mode & (S_ISUID | S_ISGID)) == 0)
		return;

	issuidroot = (vap->va_mode & S_ISUID) != 0 &&
	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0;

	if (secpolicy_vnode_setid_retain(cr, issuidroot) != 0) {
		vap->va_mask |= AT_MODE;
		vap->va_mode &= ~(S_ISUID | S_ISGID);
	}
}

/*
 * Name: secpolicy_setid_setsticky_clear()
 *
 * Normal: apply the set-uid, sticky and set-gid policy to a mode that is
 *	about to be set on "vp" (current attributes in "ovap", requested
 *	ones in "vap"):
 *	  - set-uid: a hard failure when the caller is not privileged
 *	    (see secpolicy_vnode_setid_modify());
 *	  - sticky bit on a non-directory: silently dropped from va_mode
 *	    when the caller lacks the privilege;
 *	  - set-gid: silently dropped when the caller is neither a member
 *	    of the file's group nor privileged.
 *
 * Output: 0, or the error from the set-uid check.
 */
int
secpolicy_setid_setsticky_clear(vnode_t *vp, vattr_t *vap, const vattr_t *ovap,
    cred_t *cr)
{
	if ((vap->va_mode & S_ISUID) != 0) {
		int error = secpolicy_vnode_setid_modify(cr, ovap->va_uid);

		if (error != 0)
			return (error);
	}

	if ((vap->va_mode & S_ISVTX) != 0 && vp->v_type != VDIR) {
		if (secpolicy_vnode_stky_modify(cr) != 0)
			vap->va_mode &= ~S_ISVTX;
	}

	if ((vap->va_mode & S_ISGID) != 0) {
		if (secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0)
			vap->va_mode &= ~S_ISGID;
	}

	return (0);
}

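/*
 * Privilege check for one xvattr flag: turning a flag on requires
 * PRIV_FILE_FLAG_SET, turning it off is checked against PRIV_ALL.
 * "attr" is accepted for readability at the call sites but is not used.
 * The arguments are parenthesised so that an arbitrary expression can
 * be passed as "value" or "cr" without being re-associated by the
 * conditional operator.
 */
#define	ATTR_FLAG_PRIV(attr, value, cr) \
	PRIV_POLICY((cr), (value) ? PRIV_FILE_FLAG_SET : PRIV_ALL, \
	    B_FALSE, EPERM, NULL)
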
/*
 * Check privileges for setting xvattr attributes.
 *
 * "xvap" is the extended attribute set being applied to an object owned
 * by "owner" of type "vtype"; "cr" is the caller.  The DOS-style bits
 * (archive, hidden, readonly, system, createtime) only require that the
 * caller may act as the object's owner.  The remaining flags each go
 * through ATTR_FLAG_PRIV(); a request touching XAT_OPAQUE is always
 * refused, and the anti-virus quarantine/scanstamp attributes are only
 * valid on regular files.
 *
 * Returns 0, EINVAL for a missing optional-attribute block or an
 * attribute that does not apply to "vtype", or the first error returned
 * by a privilege check.  Checks are made in order and stop at the first
 * failure.
 */
int
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
{
	xoptattr_t *xoap = xva_getxoptattr(xvap);
	int error;

	if (xoap == NULL)
		return (EINVAL);

	/* DOS bits: ownership (or the owner privilege) is sufficient. */
	if (XVA_ISSET_REQ(xvap, XAT_ARCHIVE) ||
	    XVA_ISSET_REQ(xvap, XAT_HIDDEN) ||
	    XVA_ISSET_REQ(xvap, XAT_READONLY) ||
	    XVA_ISSET_REQ(xvap, XAT_SYSTEM) ||
	    XVA_ISSET_REQ(xvap, XAT_CREATETIME)) {
		error = secpolicy_vnode_owner(cr, owner);
		if (error != 0)
			return (error);
	}

	/* Special attributes, each individually privileged. */
	if (XVA_ISSET_REQ(xvap, XAT_IMMUTABLE)) {
		error = ATTR_FLAG_PRIV(XAT_IMMUTABLE, xoap->xoa_immutable, cr);
		if (error != 0)
			return (error);
	}
	if (XVA_ISSET_REQ(xvap, XAT_NOUNLINK)) {
		error = ATTR_FLAG_PRIV(XAT_NOUNLINK, xoap->xoa_nounlink, cr);
		if (error != 0)
			return (error);
	}
	if (XVA_ISSET_REQ(xvap, XAT_APPENDONLY)) {
		error = ATTR_FLAG_PRIV(XAT_APPENDONLY, xoap->xoa_appendonly,
		    cr);
		if (error != 0)
			return (error);
	}
	if (XVA_ISSET_REQ(xvap, XAT_NODUMP)) {
		error = ATTR_FLAG_PRIV(XAT_NODUMP, xoap->xoa_nodump, cr);
		if (error != 0)
			return (error);
	}
	/* Opaqueness cannot be changed through this interface at all. */
	if (XVA_ISSET_REQ(xvap, XAT_OPAQUE))
		return (EPERM);
	if (XVA_ISSET_REQ(xvap, XAT_AV_QUARANTINED)) {
		error = ATTR_FLAG_PRIV(XAT_AV_QUARANTINED,
		    xoap->xoa_av_quarantined, cr);
		if (error != 0)
			return (error);
		/* Only a regular file can be placed in quarantine. */
		if (vtype != VREG && xoap->xoa_av_quarantined)
			return (EINVAL);
	}
	if (XVA_ISSET_REQ(xvap, XAT_AV_MODIFIED)) {
		error = ATTR_FLAG_PRIV(XAT_AV_MODIFIED, xoap->xoa_av_modified,
		    cr);
		if (error != 0)
			return (error);
	}
	if (XVA_ISSET_REQ(xvap, XAT_AV_SCANSTAMP)) {
		error = ATTR_FLAG_PRIV(XAT_AV_SCANSTAMP,
		    xoap->xoa_av_scanstamp, cr);
		if (error != 0)
			return (error);
		/* A scan stamp is only meaningful on a regular file. */
		if (vtype != VREG)
			return (EINVAL);
	}

	return (0);
}

/*
 * This function checks the policy decisions surrounding the
 * vop setattr call.
 *
 * It should be called after sufficient locks have been established
 * on the underlying data structures.  No concurrent modifications
 * should be allowed.
 *
 * The caller must pass in an unlocked version of its vaccess function;
 * this is required because the vop_access function should lock the
 * node for reading.  A three argument function should be defined
 * which accepts the following arguments:
 *	A pointer to the internal "node" type (inode *)
 *	vnode access bits (VREAD|VWRITE|VEXEC)
 *	a pointer to the credential
 *
 * This function makes the following policy decisions:
 *
 *	- AT_SIZE: never on a directory (EISDIR); otherwise write access
 *	  is required unless ATTR_NOACLCHECK says the caller has already
 *	  evaluated the ACL
 *	- AT_MODE: permission to change the file mode if not the owner,
 *	  to set set-uid (root), and whether the sticky and set-gid bits
 *	  survive (they are silently dropped when not permitted)
 *	- AT_UID/AT_GID: permission to chown, and whether the set-id bits
 *	  survive the ownership change
 *	- AT_ATIME/AT_MTIME: a non-owner needs PRIV_FILE_OWNER to set an
 *	  explicit time (ATTR_UTIME), or write access to set "now"
 *	- AT_XVATTR: the extended attribute checks of secpolicy_xvattr()
 *
 * The ovap argument should include AT_MODE|AT_UID|AT_GID.
 *
 * If the vap argument does not include AT_MODE, the mode will be copied from
 * ovap.  In certain situations set-uid/set-gid bits need to be removed;
 * this is done by marking vap->va_mask to include AT_MODE and va_mode
 * is updated to the newly computed mode.
 *
 * Returns 0 when the whole request is permitted, otherwise the error of
 * the first check that failed; checks are made in the order listed.
 */

int
secpolicy_vnode_setattr(cred_t *cr, struct vnode *vp, struct vattr *vap,
	const struct vattr *ovap, int flags,
	int unlocked_access(void *, int, cred_t *),
	void *node)
{
	const int mask = vap->va_mask;
	const boolean_t skipaclchk =
	    (flags & ATTR_NOACLCHECK) ? B_TRUE : B_FALSE;
	int error;

	if (mask & AT_SIZE) {
		if (vp->v_type == VDIR)
			return (EISDIR);

		/*
		 * With ATTR_NOACLCHECK the caller has already evaluated
		 * the ACL, so the secondary unlocked_access() call is
		 * skipped.
		 */
		if (skipaclchk == B_FALSE) {
			error = unlocked_access(node, VWRITE, cr);
			if (error != 0)
				return (error);
		}
	}

	if (mask & AT_MODE) {
		/*
		 * A non-owner needs privilege to touch the mode at all;
		 * after that the set-uid/sticky/set-gid bits are vetted
		 * (and, where the policy allows, quietly removed).
		 */
		error = secpolicy_vnode_setdac(cr, ovap->va_uid);
		if (error != 0)
			return (error);
		error = secpolicy_setid_setsticky_clear(vp, vap, ovap, cr);
		if (error != 0)
			return (error);
	} else {
		/* Start from the current mode so the set-id logic sees it. */
		vap->va_mode = ovap->va_mode;
	}

	if (mask & (AT_UID | AT_GID)) {
		boolean_t needpriv = B_FALSE;

		/*
		 * Chowning files.
		 *
		 * If you are the file owner:
		 *	chown to other uid		FILE_CHOWN_SELF
		 *	chown to gid (non-member)	FILE_CHOWN_SELF
		 *	chown to gid (member)		<none>
		 *
		 * Instead of PRIV_FILE_CHOWN_SELF, FILE_CHOWN is also
		 * acceptable but the first one is reported when debugging.
		 *
		 * If you are not the file owner:
		 *	chown from root			PRIV_FILE_CHOWN + zone
		 *	chown from other to any		PRIV_FILE_CHOWN
		 */
		if (cr->cr_uid != ovap->va_uid)
			needpriv = B_TRUE;
		else if ((mask & AT_UID) && vap->va_uid != ovap->va_uid)
			needpriv = B_TRUE;
		else if ((mask & AT_GID) && vap->va_gid != ovap->va_gid &&
		    !groupmember(vap->va_gid, cr))
			needpriv = B_TRUE;

		if (needpriv) {
			error = secpolicy_vnode_chown(cr, ovap->va_uid);
			if (error != 0)
				return (error);
		}

		/*
		 * Leave the set-uid/set-gid bits alone only if the caller
		 * could set them itself; otherwise they are stripped.
		 */
		secpolicy_setid_clear(vap, cr);
	}

	if ((mask & (AT_ATIME | AT_MTIME)) && cr->cr_uid != ovap->va_uid) {
		/*
		 * A non-owner setting an explicit time (ATTR_UTIME) must
		 * be privileged.  Setting the current time only needs
		 * write access, with the privilege as a fallback; when
		 * the caller already checked the ACL nothing more is
		 * required.
		 */
		error = 0;
		if (flags & ATTR_UTIME) {
			error = secpolicy_vnode_utime_modify(cr);
		} else if (skipaclchk == B_FALSE) {
			error = unlocked_access(node, VWRITE, cr);
			if (error == EACCES &&
			    secpolicy_vnode_utime_modify(cr) == 0)
				error = 0;
		}
		if (error != 0)
			return (error);
	}

	/* Optional (extended) attributes carry their own policy. */
	if (mask & AT_XVATTR) {
		return (secpolicy_xvattr((xvattr_t *)vap, ovap->va_uid, cr,
		    vp->v_type));
	}

	return (0);
}

/*
 * Name: secpolicy_pcfs_modify_bootpartition()
 *
 * Normal: verify that subject can modify a pcfs boot partition; this is
 *	checked against PRIV_ALL rather than a single privilege.
 *
 * Output: EACCES - if privilege check failed.
 */
int
secpolicy_pcfs_modify_bootpartition(const cred_t *cred)
{
	int error;

	error = PRIV_POLICY(cred, PRIV_ALL, B_FALSE, EACCES,
	    "modify pcfs boot partition");
	return (error);
}

/*
 * System V IPC routines
 */

/*
 * Name: secpolicy_ipc_owner()
 *
 * Normal: verify that the subject may act as the owner of the IPC object
 *	"ip".  A caller in the object's zone whose uid matches either the
 *	object's uid or its creator uid (ipc_cuid) needs no privilege;
 *	anyone else needs PRIV_IPC_OWNER, zone-wide when the object is
 *	owned or was created by root.
 *
 * Output: EPERM - if access denied.
 */
int
secpolicy_ipc_owner(const cred_t *cr, const struct kipc_perm *ip)
{
	boolean_t allzone;

	if (crgetzoneid(cr) == ip->ipc_zoneid &&
	    (cr->cr_uid == ip->ipc_uid || cr->cr_uid == ip->ipc_cuid))
		return (0);

	allzone = (ip->ipc_uid == 0 || ip->ipc_cuid == 0) ? B_TRUE : B_FALSE;
	return (PRIV_POLICY(cr, PRIV_IPC_OWNER, allzone, EPERM, NULL));
}

/*
 * Name: secpolicy_ipc_config()
 *
 * Normal: verify that subject can change System V IPC configuration;
 *	requires PRIV_SYS_IPC_CONFIG.
 *
 * Output: EPERM - if access denied.
 */
int
secpolicy_ipc_config(const cred_t *cr)
{
	int error;

	error = PRIV_POLICY(cr, PRIV_SYS_IPC_CONFIG, B_FALSE, EPERM, NULL);
	return (error);
}

/*
 * Name: secpolicy_ipc_access()
 *
 * Normal: DAC override for reading (MSG_R) and/or writing (MSG_W) the
 *	System V IPC object "ip".  Reading requires PRIV_IPC_DAC_READ;
 *	writing requires PRIV_IPC_DAC_WRITE, zone-wide when a non-root
 *	caller targets an object owned or created by root.  At least one
 *	of MSG_R/MSG_W must be requested.
 *
 * Output: EACCES - if access denied.
 */
int
secpolicy_ipc_access(const cred_t *cr, const struct kipc_perm *ip, mode_t mode)
{
	ASSERT((mode & (MSG_R|MSG_W)) != 0);

	if (mode & MSG_R) {
		if (PRIV_POLICY(cr, PRIV_IPC_DAC_READ, B_FALSE, EACCES,
		    NULL) != 0)
			return (EACCES);
	}

	if (mode & MSG_W) {
		boolean_t allzone = B_FALSE;

		if (cr->cr_uid != 0 &&
		    (ip->ipc_uid == 0 || ip->ipc_cuid == 0))
			allzone = B_TRUE;

		return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES,
		    NULL));
	}

	return (0);
}

/*
 * DAC override for an RSM segment, mirroring secpolicy_ipc_access() but
 * keyed on a bare owner uid instead of a kipc_perm.
 *
 * mode must contain MSG_R and/or MSG_W.  Read needs PRIV_IPC_DAC_READ,
 * write needs PRIV_IPC_DAC_WRITE (all-zone when a non-root subject
 * writes a root-owned segment).  Returns 0 or EACCES.
 */
int
secpolicy_rsm_access(const cred_t *cr, uid_t owner, mode_t mode)
{
	boolean_t allzone = B_FALSE;
	int rc;

	ASSERT((mode & (MSG_R|MSG_W)) != 0);

	if (mode & MSG_R) {
		rc = PRIV_POLICY(cr, PRIV_IPC_DAC_READ, allzone, EACCES, NULL);
		if (rc != 0)
			return (EACCES);
	}

	if ((mode & MSG_W) == 0)
		return (0);

	if (cr->cr_uid != 0 && owner == 0)
		allzone = B_TRUE;

	return (PRIV_POLICY(cr, PRIV_IPC_DAC_WRITE, allzone, EACCES, NULL));
}
|
1527 |
||
1528 |
/* |
|
1529 |
* Audit configuration. |
|
1530 |
*/ |
|
1531 |
int
secpolicy_audit_config(const cred_t *cr)
{
	/* Audit configuration: PRIV_SYS_AUDIT, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_AUDIT, B_FALSE, EPERM, NULL));
}
|
1536 |
||
1537 |
/* |
|
1538 |
* Audit record generation. |
|
1539 |
*/ |
|
1540 |
int
secpolicy_audit_modify(const cred_t *cr)
{
	/* Audit record generation: PRIV_PROC_AUDIT, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_AUDIT, B_FALSE, EPERM, NULL));
}
|
1545 |
||
1546 |
/* |
|
1547 |
* Get audit attributes. |
|
1548 |
* Either PRIV_SYS_AUDIT or PRIV_PROC_AUDIT required; report the |
|
1549 |
* "Least" of the two privileges on error. |
|
1550 |
*/ |
|
1551 |
/*
 * Audit attribute retrieval: PRIV_SYS_AUDIT or PRIV_PROC_AUDIT.
 *
 * The privilege actually tested is PRIV_SYS_AUDIT when the subject holds
 * it, otherwise PRIV_PROC_AUDIT, so a denial is reported against the
 * lesser of the two.  With checkonly the cheap PRIV_POLICY_ONLY test is
 * used and the result is 0 (held) or 1 (not held) -- note this is not
 * EPERM, unlike secpolicy_sys_config()'s checkonly path.  Otherwise the
 * full PRIV_POLICY check is made and 0 or EPERM is returned.
 */
int
secpolicy_audit_getattr(const cred_t *cr, boolean_t checkonly)
{
	int priv = PRIV_POLICY_ONLY(cr, PRIV_SYS_AUDIT, B_FALSE) ?
	    PRIV_SYS_AUDIT : PRIV_PROC_AUDIT;

	if (checkonly)
		return (!PRIV_POLICY_ONLY(cr, priv, B_FALSE));

	return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
}
1566 |
||
1567 |
||
1568 |
/* |
|
1569 |
* Locking physical memory |
|
1570 |
*/ |
|
1571 |
int
secpolicy_lock_memory(const cred_t *cr)
{
	/* Locking physical memory: PRIV_PROC_LOCK_MEMORY, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_LOCK_MEMORY, B_FALSE, EPERM, NULL));
}
|
1576 |
||
1577 |
/* |
|
1578 |
* Accounting (both acct(2) and exacct). |
|
1579 |
*/ |
|
1580 |
int
secpolicy_acct(const cred_t *cr)
{
	/* acct(2)/exacct control: PRIV_SYS_ACCT, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_ACCT, B_FALSE, EPERM, NULL));
}
|
1585 |
||
1586 |
/* |
|
1587 |
* Is this process privileged to change its uids at will? |
|
1588 |
* Uid 0 is still considered "special" and having the SETID |
|
1589 |
* privilege is not sufficient to get uid 0. |
|
1590 |
* Files are owned by root, so the privilege would give |
|
1591 |
* full access and euid 0 is still effective. |
|
1592 |
* |
|
1593 |
* If you have the privilege and euid 0 only then do you |
|
1594 |
* get the powers of root wrt uid 0. |
|
1595 |
* |
|
1596 |
* For gid manipulations, this should be called with an |
|
1597 |
* uid of -1. |
|
1598 |
* |
|
1599 |
*/ |
|
1600 |
/*
 * May the subject change its uids to newuid?
 *
 * PRIV_PROC_SETID is required.  Becoming uid 0 from a credential that has
 * no uid 0 in its effective, saved or real uid additionally requires the
 * privilege to be effective in all zones.  For gid changes callers pass
 * newuid == -1 so the uid 0 clause never applies.
 *
 * checkonly: cheap PRIV_POLICY_ONLY test, returns 0 (held) or 1 (not
 * held) -- not EPERM.  Otherwise the full check returns 0 or EPERM.
 */
int
secpolicy_allow_setid(const cred_t *cr, uid_t newuid, boolean_t checkonly)
{
	boolean_t allzone = B_FALSE;

	if (newuid == 0) {
		if (cr->cr_uid != 0 && cr->cr_suid != 0 && cr->cr_ruid != 0)
			allzone = B_TRUE;
	}

	if (checkonly)
		return (!PRIV_POLICY_ONLY(cr, PRIV_PROC_SETID, allzone));

	return (PRIV_POLICY(cr, PRIV_PROC_SETID, allzone, EPERM, NULL));
}
|
1613 |
||
1614 |
||
1615 |
/* |
|
1616 |
* Acting on a different process: if the mode is for writing, |
|
1617 |
* the restrictions are more severe. This is called after |
|
1618 |
* we've verified that the uids do not match. |
|
1619 |
*/ |
|
1620 |
/*
 * Acting on another process whose uids differ from the subject's.
 *
 * PRIV_PROC_OWNER is required.  When the access is a write (VWRITE) by a
 * non-root subject against a target that is root in any of its uids, the
 * privilege must be effective in all zones.  Returns 0 or EPERM.
 */
int
secpolicy_proc_owner(const cred_t *scr, const cred_t *tcr, int mode)
{
	boolean_t allzone = B_FALSE;
	boolean_t target_root;

	target_root = (tcr->cr_uid == 0 || tcr->cr_ruid == 0 ||
	    tcr->cr_suid == 0);

	if ((mode & VWRITE) != 0 && scr->cr_uid != 0 && target_root)
		allzone = B_TRUE;

	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, allzone, EPERM, NULL));
}
|
1631 |
||
1632 |
int
secpolicy_proc_access(const cred_t *scr)
{
	/* Access to another process: PRIV_PROC_OWNER, EACCES when denied. */
	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
}
|
1637 |
||
1638 |
int
secpolicy_proc_excl_open(const cred_t *scr)
{
	/*
	 * Overriding an exclusive open of a process: PRIV_PROC_OWNER, with
	 * EBUSY (not EPERM) reported on denial so the caller sees the
	 * conventional "already open" error.
	 */
	return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EBUSY, NULL));
}
|
1643 |
||
1644 |
int
secpolicy_proc_zone(const cred_t *scr)
{
	/* Acting on processes in other zones: PRIV_PROC_ZONE, EPERM. */
	return (PRIV_POLICY(scr, PRIV_PROC_ZONE, B_FALSE, EPERM, NULL));
}
|
1649 |
||
1650 |
/* |
|
1651 |
* Destroying the system |
|
1652 |
*/ |
|
1653 |
||
1654 |
int
secpolicy_kmdb(const cred_t *scr)
{
	/* Kernel debugger control: the full privilege set (PRIV_ALL). */
	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
}
|
1659 |
||
1414
b4126407ac5b
PSARC 2006/020 FMA for Athlon 64 and Opteron Processors
cindi
parents:
1115
diff
changeset
|
1660 |
int
secpolicy_error_inject(const cred_t *scr)
{
	/* Hardware error injection: the full privilege set (PRIV_ALL). */
	return (PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL));
}
b4126407ac5b
PSARC 2006/020 FMA for Athlon 64 and Opteron Processors
cindi
parents:
1115
diff
changeset
|
1665 |
|
0 | 1666 |
/* |
1667 |
* Processor sets, cpu configuration, resource pools. |
|
1668 |
*/ |
|
1669 |
int
secpolicy_pset(const cred_t *cr)
{
	/* Processor set management: PRIV_SYS_RES_CONFIG, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
}
|
1674 |
||
1675 |
/* |
1676 |
* Processor set binding. |
1677 |
*/ |
1678 |
/*
 * Processor set binding.
 *
 * A subject that holds the broader PRIV_SYS_RES_CONFIG is routed through
 * secpolicy_pset() so that privilege is the one checked; everyone else
 * needs the narrower PRIV_SYS_RES_BIND.  Returns 0 or EPERM.
 */
int
secpolicy_pbind(const cred_t *cr)
{
	int has_res_config;

	has_res_config = PRIV_POLICY_ONLY(cr, PRIV_SYS_RES_CONFIG, B_FALSE);
	if (!has_res_config) {
		return (PRIV_POLICY(cr, PRIV_SYS_RES_BIND, B_FALSE, EPERM,
		    NULL));
	}

	return (secpolicy_pset(cr));
}
15439b11d535
PSARC/2010/181 PRIV_SYS_RES_BIND privilege
<gerald.jelinek@sun.com>
parents:
12484
diff
changeset
|
1685 |
|
0 | 1686 |
int
secpolicy_ponline(const cred_t *cr)
{
	/* CPU online/offline: PRIV_SYS_RES_CONFIG, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
}
|
1691 |
||
1692 |
int
secpolicy_pool(const cred_t *cr)
{
	/* Resource pool configuration: PRIV_SYS_RES_CONFIG, EPERM. */
	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
}
|
1697 |
||
1698 |
int
secpolicy_blacklist(const cred_t *cr)
{
	/* Component blacklisting: PRIV_SYS_RES_CONFIG, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_RES_CONFIG, B_FALSE, EPERM, NULL));
}
|
1703 |
||
1704 |
/* |
|
1705 |
* Catch all system configuration. |
|
1706 |
*/ |
|
1707 |
/*
 * Catch-all system configuration: PRIV_SYS_CONFIG.
 *
 * checkonly selects the cheap PRIV_POLICY_ONLY test (no PRIV_POLICY side
 * effects); the full check is made otherwise.  Both paths return 0 on
 * success and EPERM on denial.
 */
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
	int rc = 0;

	if (!checkonly) {
		rc = PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL);
	} else if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_CONFIG, B_FALSE)) {
		rc = EPERM;
	}

	return (rc);
}
|
1717 |
||
1718 |
/* |
|
1719 |
* Zone administration (halt, reboot, etc.) from within zone. |
|
1720 |
*/ |
|
1721 |
/*
 * Zone administration (halt, reboot, ...) from inside the zone:
 * PRIV_SYS_ADMIN.
 *
 * checkonly selects the cheap PRIV_POLICY_ONLY test; otherwise the full
 * PRIV_POLICY check is made.  Returns 0 or EPERM on either path.
 */
int
secpolicy_zone_admin(const cred_t *cr, boolean_t checkonly)
{
	int rc = 0;

	if (!checkonly) {
		rc = PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL);
	} else if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_ADMIN, B_FALSE)) {
		rc = EPERM;
	}

	return (rc);
}
|
1732 |
||
1733 |
/* |
|
1734 |
* Zone configuration (create, halt, enter). |
|
1735 |
*/ |
|
1736 |
int
secpolicy_zone_config(const cred_t *cr)
{
	/*
	 * Require all privileges to avoid possibility of privilege
	 * escalation.
	 *
	 * Unlike the PRIV_POLICY-based checks above, this goes through
	 * secpolicy_require_set() with PRIV_FULLSET and no KLPD argument
	 * (KLPDARG_NONE); the return convention is presumably the same
	 * 0 / errno -- confirm against secpolicy_require_set().
	 */
	return (secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE));
}
1745 |
||
1746 |
/* |
|
1747 |
* Various other system configuration calls |
|
1748 |
*/ |
|
1749 |
int
secpolicy_coreadm(const cred_t *cr)
{
	/* coreadm(1M) settings: PRIV_SYS_ADMIN, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
}
|
1754 |
||
1755 |
int
secpolicy_systeminfo(const cred_t *cr)
{
	/* sysinfo(2) writes: PRIV_SYS_ADMIN, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_FALSE, EPERM, NULL));
}
|
1760 |
||
1761 |
int
secpolicy_dispadm(const cred_t *cr)
{
	/* Dispatcher administration: PRIV_SYS_CONFIG, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL));
}
|
1766 |
||
1767 |
int
secpolicy_settime(const cred_t *cr)
{
	/* Setting the system clock: PRIV_SYS_TIME, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_TIME, B_FALSE, EPERM, NULL));
}
|
1772 |
||
1773 |
/* |
|
1774 |
* For realtime users: high resolution clock. |
|
1775 |
*/ |
|
1776 |
int
secpolicy_clock_highres(const cred_t *cr)
{
	/* High resolution timers: PRIV_PROC_CLOCK_HIGHRES, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_CLOCK_HIGHRES, B_FALSE, EPERM,
	    NULL));
}
|
1782 |
||
1783 |
/* |
|
1784 |
* drv_priv() is documented as callable from interrupt context, not that |
|
1785 |
* anyone ever does, but still. No debugging or auditing can be done when |
|
1786 |
* it is called from interrupt context. |
|
1787 |
* returns 0 on success, EPERM on failure. |
|
1788 |
*/ |
|
1789 |
int
drv_priv(cred_t *cr)
{
	/*
	 * Same check as secpolicy_sys_devices(); the non-const cred_t is
	 * the historical DDI signature.  PRIV_SYS_DEVICES, EPERM.
	 */
	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
}
|
1794 |
||
1795 |
int
secpolicy_sys_devices(const cred_t *cr)
{
	/* Device administration: PRIV_SYS_DEVICES, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL));
}
|
1800 |
||
1801 |
int
secpolicy_excl_open(const cred_t *cr)
{
	/*
	 * Overriding an exclusive device open: PRIV_SYS_DEVICES, with EBUSY
	 * reported on denial rather than EPERM.
	 */
	return (PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EBUSY, NULL));
}
|
1806 |
||
1807 |
/*
 * Resource control manipulation: PRIV_SYS_RESOURCE.
 *
 * zone.* rctls can only be set from the global zone, so for those the
 * subject must first pass priv_policy_global(); any failure there is
 * reported as EPERM.  Returns 0 or EPERM.
 */
int
secpolicy_rctlsys(const cred_t *cr, boolean_t is_zone_rctl)
{
	int rc = 0;

	if (is_zone_rctl)
		rc = priv_policy_global(cr);

	if (rc != 0)
		return (EPERM);

	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
}
|
1815 |
||
1816 |
int
secpolicy_resource(const cred_t *cr)
{
	/* Resource management: PRIV_SYS_RESOURCE, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL));
}
|
1821 |
||
1822 |
int
secpolicy_resource_anon_mem(const cred_t *cr)
{
	/*
	 * NOTE: unlike the other secpolicy_* routines this returns the raw
	 * PRIV_POLICY_ONLY result, i.e. presumably nonzero when the
	 * privilege is held and 0 when it is not (not 0/errno), and it never
	 * takes the full PRIV_POLICY path.  Callers must treat it as a
	 * boolean, not as an errno.
	 */
	return (PRIV_POLICY_ONLY(cr, PRIV_SYS_RESOURCE, B_FALSE));
}
dba0925413c6
6636344 when low on swap, anon_resvmem() overly throttles root-owned processes
Stan Studzinski <Stan.Studzinski@Sun.COM>
parents:
9866
diff
changeset
|
1827 |
|
0 | 1828 |
/* |
1829 |
* Processes with a real uid of 0 escape any form of accounting, much |
|
1830 |
* like before. |
|
1831 |
*/ |
|
1832 |
/*
 * Creating a new process when accounting limits apply.
 *
 * A real uid of 0 escapes any form of accounting, as before; everyone
 * else needs PRIV_SYS_RESOURCE.  Returns 0 or EPERM.
 */
int
secpolicy_newproc(const cred_t *cr)
{
	int rc = 0;

	if (cr->cr_ruid != 0)
		rc = PRIV_POLICY(cr, PRIV_SYS_RESOURCE, B_FALSE, EPERM, NULL);

	return (rc);
}
|
1840 |
||
1841 |
/* |
|
1842 |
* Networking |
|
1843 |
*/ |
|
1844 |
int
secpolicy_net_rawaccess(const cred_t *cr)
{
	/* Raw network access: PRIV_NET_RAWACCESS, EACCES when denied. */
	return (PRIV_POLICY(cr, PRIV_NET_RAWACCESS, B_FALSE, EACCES, NULL));
}
|
1849 |
||
1850 |
int
secpolicy_net_observability(const cred_t *cr)
{
	/* Packet capture: PRIV_NET_OBSERVABILITY, EACCES when denied. */
	return (PRIV_POLICY(cr, PRIV_NET_OBSERVABILITY, B_FALSE, EACCES, NULL));
}
368f1335a058
PSARC/2009/232 Solaris Packet Capture
Darren Reed <Darren.Reed@Sun.COM>
parents:
10616
diff
changeset
|
1855 |
|
0 | 1856 |
/* |
1857 |
* Need this privilege for accessing the ICMP device |
|
1858 |
*/ |
|
1859 |
int
secpolicy_net_icmpaccess(const cred_t *cr)
{
	/* Opening the ICMP device: PRIV_NET_ICMPACCESS, EACCES when denied. */
	return (PRIV_POLICY(cr, PRIV_NET_ICMPACCESS, B_FALSE, EACCES, NULL));
}
|
1864 |
||
1865 |
/* |
|
1866 |
* There are a few rare cases where the kernel generates ioctls() from |
|
1867 |
* interrupt context with a credential of kcred rather than NULL. |
|
1868 |
* In those cases, we take the safe and cheap test. |
|
1869 |
*/ |
|
1870 |
/*
 * Network configuration: PRIV_SYS_NET_CONFIG.
 *
 * checkonly selects the safe and cheap PRIV_POLICY_ONLY test, used for the
 * rare kernel-generated ioctls issued from interrupt context with kcred;
 * otherwise the full PRIV_POLICY check is made.  Returns 0 or EPERM.
 */
int
secpolicy_net_config(const cred_t *cr, boolean_t checkonly)
{
	int rc = 0;

	if (checkonly) {
		if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
			rc = EPERM;
	} else {
		rc = PRIV_POLICY(cr, PRIV_SYS_NET_CONFIG, B_FALSE, EPERM,
		    NULL);
	}

	return (rc);
}
|
1881 |
||
1882 |
||
1883 |
/* |
|
1884 |
* PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG. |
3448 | 1885 |
* |
1886 |
* There are a few rare cases where the kernel generates ioctls() from |
|
1887 |
* interrupt context with a credential of kcred rather than NULL. |
|
1888 |
* In those cases, we take the safe and cheap test. |
|
1889 |
*/ |
|
1890 |
/*
 * IP configuration: PRIV_SYS_IP_CONFIG, with PRIV_SYS_NET_CONFIG as a
 * superset.
 *
 * A subject holding the superset is checked through secpolicy_net_config()
 * so that is the privilege recorded.  Otherwise checkonly selects the
 * cheap PRIV_POLICY_ONLY test and the full check is made if not.
 * Returns 0 or EPERM.
 */
int
secpolicy_ip_config(const cred_t *cr, boolean_t checkonly)
{
	int rc;

	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
		return (secpolicy_net_config(cr, checkonly));

	if (checkonly) {
		rc = PRIV_POLICY_ONLY(cr, PRIV_SYS_IP_CONFIG, B_FALSE) ?
		    0 : EPERM;
	} else {
		rc = PRIV_POLICY(cr, PRIV_SYS_IP_CONFIG, B_FALSE, EPERM,
		    NULL);
	}

	return (rc);
}
|
1904 |
||
1905 |
/* |
1906 |
* PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_DL_CONFIG. |
1907 |
*/ |
1908 |
/*
 * Datalink configuration: PRIV_SYS_DL_CONFIG, with PRIV_SYS_NET_CONFIG as
 * a superset.
 *
 * A subject holding the superset is checked (non-checkonly) through
 * secpolicy_net_config(); everyone else needs PRIV_SYS_DL_CONFIG.
 * Returns 0 or EPERM.
 */
int
secpolicy_dl_config(const cred_t *cr)
{
	int has_net_config;

	has_net_config = PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE);
	if (has_net_config)
		return (secpolicy_net_config(cr, B_FALSE));

	return (PRIV_POLICY(cr, PRIV_SYS_DL_CONFIG, B_FALSE, EPERM, NULL));
}
eff7960d93cd
PSARC 2008/473 Fine-Grained Privileges for Datalink Administration
Sebastien Roy <Sebastien.Roy@Sun.COM>
parents:
6784
diff
changeset
|
1915 |
|
1916 |
/* |
1917 |
* PRIV_SYS_DL_CONFIG is a superset of PRIV_SYS_IPTUN_CONFIG. |
1918 |
*/ |
1919 |
/*
 * IP tunnel configuration: PRIV_SYS_IPTUN_CONFIG, with PRIV_SYS_DL_CONFIG
 * and (transitively) PRIV_SYS_NET_CONFIG as supersets.
 *
 * The broadest privilege the subject holds is the one checked, via the
 * corresponding secpolicy_*_config() routine, so a denial or audit record
 * names that privilege.  Returns 0 or EPERM.
 */
int
secpolicy_iptun_config(const cred_t *cr)
{
	int priv = PRIV_SYS_IPTUN_CONFIG;

	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
		return (secpolicy_net_config(cr, B_FALSE));

	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_DL_CONFIG, B_FALSE))
		return (secpolicy_dl_config(cr));

	return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));
}
3448 | 1928 |
|
1929 |
/* |
|
1930 |
* Map IP pseudo privileges to actual privileges. |
|
1931 |
* So we don't need to recompile IP when we change the privileges. |
|
1932 |
*/ |
|
1933 |
/*
 * Map an IP pseudo-privilege (OP_CONFIG, OP_RAW, OP_PRIVPORT) onto the
 * real privilege and check it, so IP need not be recompiled when the
 * privilege names change.
 *
 * An unrecognised netpriv leaves priv at PRIV_ALL: the ASSERT catches it
 * on DEBUG kernels, and elsewhere the subject is presumably checked
 * against the full set (i.e. the check fails closed) -- confirm against
 * PRIV_POLICY's handling of PRIV_ALL.
 *
 * checkonly selects the cheap PRIV_POLICY_ONLY test; otherwise the full
 * PRIV_POLICY check is made.  Returns 0 or EPERM on either path.
 */
int
secpolicy_ip(const cred_t *cr, int netpriv, boolean_t checkonly)
{
	int priv;

	switch (netpriv) {
	case OP_CONFIG:
		priv = PRIV_SYS_IP_CONFIG;
		break;
	case OP_RAW:
		priv = PRIV_NET_RAWACCESS;
		break;
	case OP_PRIVPORT:
		priv = PRIV_NET_PRIVADDR;
		break;
	default:
		priv = PRIV_ALL;
		break;
	}
	ASSERT(priv != PRIV_ALL);

	if (!checkonly)
		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));

	return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
}
|
1955 |
||
1956 |
/* |
|
0 | 1957 |
* Map network pseudo privileges to actual privileges. |
1958 |
* So we don't need to recompile IP when we change the privileges. |
|
1959 |
*/ |
|
1960 |
/*
 * Map a network pseudo-privilege (OP_CONFIG, OP_RAW, OP_PRIVPORT) onto
 * the real privilege and check it.  Identical to secpolicy_ip() except
 * that OP_CONFIG maps to PRIV_SYS_NET_CONFIG rather than
 * PRIV_SYS_IP_CONFIG.
 *
 * An unrecognised netpriv leaves priv at PRIV_ALL (ASSERTed on DEBUG
 * kernels; otherwise presumably checked as the full set).  checkonly
 * selects the cheap PRIV_POLICY_ONLY test.  Returns 0 or EPERM.
 */
int
secpolicy_net(const cred_t *cr, int netpriv, boolean_t checkonly)
{
	int priv;

	switch (netpriv) {
	case OP_CONFIG:
		priv = PRIV_SYS_NET_CONFIG;
		break;
	case OP_RAW:
		priv = PRIV_NET_RAWACCESS;
		break;
	case OP_PRIVPORT:
		priv = PRIV_NET_PRIVADDR;
		break;
	default:
		priv = PRIV_ALL;
		break;
	}
	ASSERT(priv != PRIV_ALL);

	if (!checkonly)
		return (PRIV_POLICY(cr, priv, B_FALSE, EPERM, NULL));

	return (PRIV_POLICY_ONLY(cr, priv, B_FALSE) ? 0 : EPERM);
}
|
1982 |
||
1983 |
/* |
|
1984 |
* Checks for operations that are either client-only or are used by |
|
1985 |
* both clients and servers. |
|
1986 |
*/ |
|
1987 |
int
secpolicy_nfs(const cred_t *cr)
{
	/* NFS client/server operations: PRIV_SYS_NFS, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_SYS_NFS, B_FALSE, EPERM, NULL));
}
|
1992 |
||
1993 |
/* |
|
1994 |
* Special case for opening rpcmod: have NFS privileges or network |
|
1995 |
* config privileges. |
|
1996 |
*/ |
|
1997 |
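/*
 * Opening rpcmod: either NFS privileges or network configuration
 * privileges suffice.
 *
 * A subject holding PRIV_SYS_NFS is checked through secpolicy_nfs();
 * everyone else is checked through secpolicy_net_config() with the full
 * (non-checkonly) PRIV_POLICY path.  Returns 0 or EPERM.
 */
int
secpolicy_rpcmod_open(const cred_t *cr)
{
	if (PRIV_POLICY_ONLY(cr, PRIV_SYS_NFS, B_FALSE))
		return (secpolicy_nfs(cr));

	/*
	 * The second argument is boolean_t checkonly.  This used to pass
	 * NULL, which only behaved because NULL converts to 0 (B_FALSE);
	 * pass B_FALSE explicitly so the intent -- a full privilege check,
	 * not the cheap test -- is stated and the type matches.
	 */
	return (secpolicy_net_config(cr, B_FALSE));
}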
|
2005 |
||
2006 |
int
secpolicy_chroot(const cred_t *cr)
{
	/* chroot(2): PRIV_PROC_CHROOT, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_CHROOT, B_FALSE, EPERM, NULL));
}
|
2011 |
||
2012 |
int
secpolicy_tasksys(const cred_t *cr)
{
	/* Task/project id changes: PRIV_PROC_TASKID, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_TASKID, B_FALSE, EPERM, NULL));
}
|
2017 |
||
2018 |
int
secpolicy_pfexec_register(const cred_t *cr)
{
	/*
	 * Registering the in-kernel pfexec daemon: PRIV_SYS_ADMIN, and --
	 * unlike the other PRIV_SYS_ADMIN checks on this page -- the
	 * privilege must be effective in all zones (allzone = B_TRUE).
	 */
	return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
}
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2023 |
|
0 | 2024 |
/* |
2025 |
* Basic privilege checks. |
|
2026 |
*/ |
|
2027 |
int
secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
{
	/*
	 * FAST_BASIC_CHECK is defined outside this file; presumably it
	 * returns early when the basic privilege PRIV_PROC_EXEC is held, so
	 * the expensive path below is only taken when it is missing -- confirm
	 * against its definition.
	 */
	FAST_BASIC_CHECK(cr, PRIV_PROC_EXEC);

	/*
	 * Full check with the vnode passed as a KLPD argument so a
	 * privilege debugger/daemon can see which file was exec'd.
	 */
	return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
	    KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
}
2035 |
||
2036 |
int
secpolicy_basic_fork(const cred_t *cr)
{
	/* Presumably returns early when PRIV_PROC_FORK is held -- confirm. */
	FAST_BASIC_CHECK(cr, PRIV_PROC_FORK);

	/* Basic privilege missing: full check, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_FORK, B_FALSE, EPERM, NULL));
}
|
2043 |
||
2044 |
int
secpolicy_basic_proc(const cred_t *cr)
{
	/* Presumably returns early when PRIV_PROC_SESSION is held -- confirm. */
	FAST_BASIC_CHECK(cr, PRIV_PROC_SESSION);

	/* Basic privilege missing: full check, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_PROC_SESSION, B_FALSE, EPERM, NULL));
}
|
2051 |
||
2052 |
/* |
|
2053 |
* Slightly complicated because we don't want to trigger the policy too |
|
2054 |
* often. First we shortcircuit access to "self" (tp == sp) or if |
|
2055 |
* we don't have the privilege but if we have permission |
|
2056 |
* just return (0) and we don't flag the privilege as needed. |
|
2057 |
* Else, we test for the privilege because we either have it or need it. |
|
2058 |
*/ |
|
2059 |
/*
 * May the subject (sp, credentials cr) obtain information about process tp?
 *
 * Access to self never needs the privilege.  A subject that does not hold
 * PRIV_PROC_INFO but has ordinary process permission (prochasprocperm())
 * is also allowed without flagging the privilege as needed.  Only then is
 * PRIV_PROC_INFO checked for real.  Returns 0 or EPERM.
 */
int
secpolicy_basic_procinfo(const cred_t *cr, proc_t *tp, proc_t *sp)
{
	if (tp == sp)
		return (0);

	if (!HAS_PRIVILEGE(cr, PRIV_PROC_INFO) && prochasprocperm(tp, sp, cr))
		return (0);

	return (PRIV_POLICY(cr, PRIV_PROC_INFO, B_FALSE, EPERM, NULL));
}
|
2069 |
||
2070 |
int
secpolicy_basic_link(const cred_t *cr)
{
	/* Presumably returns early when PRIV_FILE_LINK_ANY is held -- confirm. */
	FAST_BASIC_CHECK(cr, PRIV_FILE_LINK_ANY);

	/* Linking files one does not own: full check, EPERM when denied. */
	return (PRIV_POLICY(cr, PRIV_FILE_LINK_ANY, B_FALSE, EPERM, NULL));
}
|
2077 |
||
2078 |
int
secpolicy_basic_net_access(const cred_t *cr)
{
	/* Presumably returns early when PRIV_NET_ACCESS is held -- confirm. */
	FAST_BASIC_CHECK(cr, PRIV_NET_ACCESS);

	/* Basic network access: full check, EACCES (not EPERM) when denied. */
	return (PRIV_POLICY(cr, PRIV_NET_ACCESS, B_FALSE, EACCES, NULL));
}
8eca52188202
PSARC 2009/686 Improving the use and debugging of the basic privilege set.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
10934
diff
changeset
|
2085 |
|
2086 |
/* ARGSUSED */ |
2087 |
int
secpolicy_basic_file_read(const cred_t *cr, vnode_t *vp, const char *pn)
{
	/* Presumably returns early when PRIV_FILE_READ is held -- confirm. */
	FAST_BASIC_CHECK(cr, PRIV_FILE_READ);

	/*
	 * Full check; the vnode and pathname are handed over as KLPD
	 * arguments.  EACCES when denied.
	 */
	return (priv_policy_va(cr, PRIV_FILE_READ, B_FALSE, EACCES, NULL,
	    KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE));
}
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2095 |
|
2096 |
/* ARGSUSED */ |
2097 |
int |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2098 |
secpolicy_basic_file_write(const cred_t *cr, vnode_t *vp, const char *pn) |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2099 |
{ |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2100 |
FAST_BASIC_CHECK(cr, PRIV_FILE_WRITE); |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2101 |
|
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2102 |
return (priv_policy_va(cr, PRIV_FILE_WRITE, B_FALSE, EACCES, NULL, |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2103 |
KLPDARG_VNODE, vp, (char *)pn, KLPDARG_NOMORE)); |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2104 |
} |
63678502e95e
PSARC 2009/377 In-kernel pfexec implementation.
Casper H.S. Dik <Casper.Dik@Sun.COM>
parents:
11861
diff
changeset
|
2105 |
|
/*
 * Additional device protection.
 *
 * Traditionally, a device has specific permissions on the node in
 * the filesystem which govern which devices can be opened by what
 * processes.  In certain cases it is desirable to add extra
 * restrictions, because write access to certain devices is
 * equivalent to full control of the system.
 *
 * This mechanism is called the device policy.
 *
 * When a device is opened, its policy entry is looked up in the
 * policy cache and checked: the caller must hold every privilege in
 * the entry's read (dp_rdp) or write (dp_wrp) set, depending on the
 * open mode.
 *
 * Returns 0 when the open is permitted, otherwise the error from
 * secpolicy_require_set().
 */
int
secpolicy_spec_open(const cred_t *cr, struct vnode *vp, int oflag)
{
	devplcy_t *plcy;
	int err;
	struct snode *csp = VTOS(common_specvp(vp));
	priv_set_t pset;

	mutex_enter(&csp->s_lock);

	/*
	 * Use the policy cached on the common snode unless it is absent or
	 * its generation number no longer matches devplcy_gen (presumably
	 * bumped whenever the device policy is replaced -- confirm), in
	 * which case it is looked up afresh and the old entry released.
	 * dphold()/dpfree() look like reference counting on devplcy_t;
	 * the swap happens under s_lock.
	 */
	if (csp->s_plcy == NULL || csp->s_plcy->dp_gen != devplcy_gen) {
		plcy = devpolicy_find(vp);
		if (csp->s_plcy)
			dpfree(csp->s_plcy);
		csp->s_plcy = plcy;
		/*
		 * NOTE(review): only enforced on DEBUG kernels; a NULL
		 * result would be dereferenced below, so devpolicy_find()
		 * must never return NULL -- confirm.
		 */
		ASSERT(plcy != NULL);
	} else
		plcy = csp->s_plcy;

	/* nullpolicy: no extra restriction beyond the node's permissions. */
	if (plcy == nullpolicy) {
		mutex_exit(&csp->s_lock);
		return (0);
	}

	/* Keep the entry alive while s_lock is dropped for the check. */
	dphold(plcy);

	mutex_exit(&csp->s_lock);

	/* Write opens are checked against dp_wrp, all others against dp_rdp. */
	if (oflag & FWRITE)
		pset = plcy->dp_wrp;
	else
		pset = plcy->dp_rdp;
	/*
	 * Special case:
	 * PRIV_SYS_NET_CONFIG is a superset of PRIV_SYS_IP_CONFIG.
	 * If PRIV_SYS_NET_CONFIG is present and PRIV_SYS_IP_CONFIG is
	 * required, replace PRIV_SYS_IP_CONFIG with PRIV_SYS_NET_CONFIG
	 * in the required privilege set before doing the check.  Without
	 * this a caller holding only the superset privilege would fail the
	 * require-set check; CR_OEPRIV appears to be the caller's observed
	 * effective set -- confirm.
	 */
	if (priv_ismember(&pset, PRIV_SYS_IP_CONFIG) &&
	    priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_NET_CONFIG) &&
	    !priv_ismember(&CR_OEPRIV(cr), PRIV_SYS_IP_CONFIG)) {
		priv_delset(&pset, PRIV_SYS_IP_CONFIG);
		priv_addset(&pset, PRIV_SYS_NET_CONFIG);
	}

	/* The whole set is required; "devpolicy" names the policy for the check. */
	err = secpolicy_require_set(cr, &pset, "devpolicy", KLPDARG_NONE);
	dpfree(plcy);

	return (err);
}

int
secpolicy_modctl(const cred_t *cr, int cmd)
{
	/*
	 * Privilege policy for modctl(2) subcommands.
	 *
	 * Loading a module and installing a device policy are treated as
	 * all-powerful operations: both require the full privilege set.
	 * The MODINFO / MODGET* / MODSIZEOF_* / MODDEVT2INSTANCE queries
	 * are unprivileged.  Anything else is gated by the sys_config
	 * check only, so a new subcommand as powerful as MODLOAD must be
	 * added to the first group explicitly rather than relying on the
	 * default.
	 */
	switch (cmd) {
	case MODLOAD:
	case MODSETDEVPOLICY:
		return (secpolicy_require_set(cr, PRIV_FULLSET, NULL,
		    KLPDARG_NONE));

	case MODINFO:
	case MODGETMAJBIND:
	case MODGETPATH:
	case MODGETPATHLEN:
	case MODGETNAME:
	case MODGETFBNAME:
	case MODGETDEVPOLICY:
	case MODGETDEVPOLICYBYNAME:
	case MODDEVT2INSTANCE:
	case MODSIZEOF_DEVID:
	case MODGETDEVID:
	case MODSIZEOF_MINORNAME:
	case MODGETMINORNAME:
	case MODGETDEVFSPATH_LEN:
	case MODGETDEVFSPATH:
	case MODGETDEVFSPATH_MI_LEN:
	case MODGETDEVFSPATH_MI:
		/* Unprivileged: no policy check at all. */
		return (0);

	default:
		return (secpolicy_sys_config(cr, B_FALSE));
	}
}

int
secpolicy_console(const cred_t *cr)
{
	int err;

	/*
	 * Console access requires sys_devices.  PRIV_POLICY() checks and
	 * audits the privilege; EPERM is returned on denial, 0 otherwise.
	 */
	err = PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL);

	return (err);
}

int
secpolicy_power_mgmt(const cred_t *cr)
{
	int err;

	/*
	 * Power management is gated by the same privilege as the console,
	 * sys_devices.  Returns 0 when held, EPERM when not.
	 */
	err = PRIV_POLICY(cr, PRIV_SYS_DEVICES, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * Simulate terminal input; another privilege-escalation avenue, since
 * injected input runs with the authority of whoever owns the terminal.
 */

int
secpolicy_sti(const cred_t *cr)
{
	int err;

	/*
	 * Because this is equivalent to full control of the terminal's
	 * session, the complete privilege set is demanded rather than any
	 * single privilege.
	 */
	err = secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE);

	return (err);
}

boolean_t
secpolicy_net_reply_equal(const cred_t *cr)
{
	int err;

	/*
	 * Requires sys_config.
	 *
	 * NOTE(review): although the return type is boolean_t, the value
	 * is the PRIV_POLICY() verdict: 0 (== B_FALSE) when the privilege
	 * is held and EPERM (non-zero) when it is not -- the opposite of
	 * what the boolean type suggests.  Callers must test for != 0 /
	 * EPERM, not for B_TRUE; check the callers before renaming or
	 * re-typing this.
	 */
	err = PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL);

	return (err);
}

int
secpolicy_swapctl(const cred_t *cr)
{
	int err;

	/* swapctl(2) changes require sys_config; 0 if held, EPERM if not. */
	err = PRIV_POLICY(cr, PRIV_SYS_CONFIG, B_FALSE, EPERM, NULL);

	return (err);
}

int
secpolicy_cpc_cpu(const cred_t *cr)
{
	int err;

	/*
	 * CPU performance-counter access requires cpc_cpu.  Unlike most
	 * siblings here the denial error is EACCES, not EPERM.
	 */
	err = PRIV_POLICY(cr, PRIV_CPC_CPU, B_FALSE, EACCES, NULL);

	return (err);
}

/*
 * secpolicy_contract_identity
 *
 * Determine if the subject may set the process contract FMRI value.
 * Requires contract_identity; returns 0 when held, EPERM when not.
 */
int
secpolicy_contract_identity(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_CONTRACT_IDENTITY, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_contract_observer
 *
 * Determine if the subject may observe a specific contract's events.
 * Owning the contract (as judged by contract_owned()) is sufficient and
 * skips the privilege check; otherwise contract_observer is required.
 * Returns 0 when allowed, EPERM when not.
 */
int
secpolicy_contract_observer(const cred_t *cr, struct contract *ct)
{
	/*
	 * NOTE(review): the meaning of contract_owned()'s third argument
	 * (B_FALSE here) is not visible in this file -- confirm before
	 * changing it.
	 */
	if (!contract_owned(ct, cr, B_FALSE))
		return (PRIV_POLICY(cr, PRIV_CONTRACT_OBSERVER, B_FALSE, EPERM,
		    NULL));

	return (0);
}

/*
 * secpolicy_contract_observer_choice
 *
 * Determine if the subject may observe any contract's events.  Just
 * tests for contract_observer and audits on success; no error code is
 * produced, the caller gets a plain B_TRUE/B_FALSE.
 */
boolean_t
secpolicy_contract_observer_choice(const cred_t *cr)
{
	boolean_t allowed;

	allowed = PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_OBSERVER, B_FALSE);

	return (allowed);
}

/*
 * secpolicy_contract_event
 *
 * Determine if the subject may request critical contract events or
 * reliable contract event delivery.  Requires contract_event; returns
 * 0 when held, EPERM when not.
 */
int
secpolicy_contract_event(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_CONTRACT_EVENT, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_contract_event_choice
 *
 * Determine if the subject may retain contract events in its critical
 * set when a change in other terms would normally require a change in
 * the critical set.  Just tests for contract_event and audits on
 * success; yields B_TRUE/B_FALSE rather than an errno.
 */
boolean_t
secpolicy_contract_event_choice(const cred_t *cr)
{
	boolean_t allowed;

	allowed = PRIV_POLICY_CHOICE(cr, PRIV_CONTRACT_EVENT, B_FALSE);

	return (allowed);
}

/*
 * secpolicy_gart_access
 *
 * Determine if the subject has sufficient privileges to make ioctls to
 * the agpgart device.  Requires graphics_access; returns 0 when held,
 * EPERM when not.
 */
int
secpolicy_gart_access(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_gart_map
 *
 * Determine if the subject has sufficient privileges to map an aperture
 * range through the agpgart driver.  graphics_access is sufficient; a
 * caller without it needs graphics_map instead.  Returns 0 when allowed,
 * EPERM when not.
 */
int
secpolicy_gart_map(const cred_t *cr)
{
	/*
	 * PRIV_POLICY_ONLY() is used for the first look so that only the
	 * privilege actually relied upon is checked (and, presumably,
	 * audited -- confirm) by the PRIV_POLICY() call that follows.
	 */
	if (!PRIV_POLICY_ONLY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE)) {
		return (PRIV_POLICY(cr, PRIV_GRAPHICS_MAP, B_FALSE, EPERM,
		    NULL));
	}

	return (PRIV_POLICY(cr, PRIV_GRAPHICS_ACCESS, B_FALSE, EPERM, NULL));
}

/*
 * secpolicy_zinject
 *
 * Determine if the subject can inject faults in the ZFS fault injection
 * framework.  Requires all privileges (PRIV_FULLSET); returns 0 when the
 * whole set is held, otherwise the error from secpolicy_require_set().
 */
int
secpolicy_zinject(const cred_t *cr)
{
	int err;

	err = secpolicy_require_set(cr, PRIV_FULLSET, NULL, KLPDARG_NONE);

	return (err);
}

/*
 * secpolicy_zfs
 *
 * Determine if the subject has permission to manipulate ZFS datasets
 * (not pools).  Equivalent to the sys_mount privilege: returns 0 when
 * held, EPERM when not.
 */
int
secpolicy_zfs(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_SYS_MOUNT, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_idmap
 *
 * Determine if the calling process has permission to register an SID
 * mapping daemon and allocate ephemeral IDs.  Requires file_setid;
 * returns 0 when allowed, EPERM when not.
 */
int
secpolicy_idmap(const cred_t *cr)
{
	int err;

	/*
	 * NOTE(review): the third PRIV_POLICY() argument is B_TRUE here,
	 * whereas every neighbouring check passes B_FALSE.  This appears
	 * to make the check stricter than a plain privilege test; confirm
	 * its exact meaning in priv_policy() before changing it.
	 */
	err = PRIV_POLICY(cr, PRIV_FILE_SETID, B_TRUE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_ucode_update
 *
 * Determine if the subject has sufficient privilege to update CPU
 * microcode.  Checked against PRIV_ALL; returns 0 when allowed, EPERM
 * when not.
 */
int
secpolicy_ucode_update(const cred_t *scr)
{
	int err;

	err = PRIV_POLICY(scr, PRIV_ALL, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_sadopen
 *
 * Determine if the subject has sufficient privilege to access
 * /dev/sad/admin, which appears in the global zone and exclusive-IP
 * zones only.
 *	In the global zone, sys_config is required.
 *	In exclusive-IP zones, sys_ip_config is required.
 * Note that sys_config is prohibited in non-global zones, which is why
 * the zone decides which single privilege goes into the required set.
 *
 * Returns 0 when allowed, otherwise the error from
 * secpolicy_require_set().
 */
int
secpolicy_sadopen(const cred_t *credp)
{
	priv_set_t pset;

	priv_emptyset(&pset);
	priv_addset(&pset, crgetzoneid(credp) == GLOBAL_ZONEID ?
	    PRIV_SYS_CONFIG : PRIV_SYS_IP_CONFIG);

	return (secpolicy_require_set(credp, &pset, "devpolicy", KLPDARG_NONE));
}


/*
 * Add privileges to a particular privilege set; this is called when the
 * current sets of privileges are not sufficient, i.e. we should always
 * call the policy override functions from here.
 *
 * What we are allowed to have is in the Observed Permitted set, so the
 * set handed to secpolicy_require_set() is exactly the part of nset
 * that is NOT already in that set.  Returns 0 when those missing
 * privileges are granted, otherwise the error from
 * secpolicy_require_set().
 */
int
secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
{
	priv_set_t missing;

	/* missing = nset & ~OPPRIV(cr) */
	missing = CR_OPPRIV(cr);
	priv_inverse(&missing);
	priv_intersect(nset, &missing);

	return (secpolicy_require_set(cr, &missing, NULL, KLPDARG_NONE));
}

/*
 * secpolicy_smb
 *
 * Determine if the cred_t has PRIV_SYS_SMB privilege, indicating
 * that it has permission to access the smbsrv kernel driver.
 * PRIV_POLICY checks the privilege and audits the check.
 *
 * Returns:
 *	0	Driver access is allowed.
 *	EPERM	Driver access is NOT permitted.
 */
int
secpolicy_smb(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_SYS_SMB, B_FALSE, EPERM, NULL);

	return (err);
}

/*
 * secpolicy_vscan
 *
 * Determine if cred_t has the necessary privileges to access a file
 * for virus scanning and update its extended system attributes.
 *	PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ	- file access
 *	PRIV_FILE_FLAG_SET			- set extended system attributes
 *
 * PRIV_POLICY checks each privilege and audits the check; the checks
 * stop at the first privilege that is missing, so later ones are
 * neither checked nor audited in that case.
 *
 * Returns:
 *	0	file access for virus scanning allowed.
 *	EPERM	file access for virus scanning is NOT permitted.
 */
int
secpolicy_vscan(const cred_t *cr)
{
	if (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE, EPERM, NULL) != 0)
		return (EPERM);

	if (PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EPERM, NULL) != 0)
		return (EPERM);

	if (PRIV_POLICY(cr, PRIV_FILE_FLAG_SET, B_FALSE, EPERM, NULL) != 0)
		return (EPERM);

	return (0);
}

/*
 * secpolicy_smbfs_login
 *
 * Determines if the caller can add and delete the smbfs login
 * password in the nsmb kernel module for the CIFS client.
 *
 * A caller whose real uid equals the uid in question is always
 * allowed; anyone else needs proc_owner.
 *
 * Returns:
 *	0	access is allowed.
 *	EPERM	access is NOT allowed.
 */
int
secpolicy_smbfs_login(const cred_t *cr, uid_t uid)
{
	/* Note: the real uid is compared, not the effective one. */
	if (crgetruid(cr) != uid) {
		return (PRIV_POLICY(cr, PRIV_PROC_OWNER, B_FALSE,
		    EPERM, NULL));
	}

	return (0);
}

/*
 * secpolicy_xvm_control
 *
 * Determines if a caller can control the xVM hypervisor and/or running
 * domains (x86 specific).  Requires xvm_control.
 *
 * Returns:
 *	0	access is allowed.
 *	EPERM	access is NOT allowed.
 */
int
secpolicy_xvm_control(const cred_t *cr)
{
	int err;

	err = PRIV_POLICY(cr, PRIV_XVM_CONTROL, B_FALSE, EPERM, NULL);

	/* Normalise any denial to EPERM. */
	return (err != 0 ? EPERM : 0);
}

/*
 * secpolicy_ppp_config
 *
 * Determine if the subject has sufficient privileges to configure PPP and
 * PPP-related devices.  A caller holding sys_net_config is routed to the
 * general secpolicy_net_config() check; everybody else must hold
 * sys_ppp_config.  Returns 0 when allowed, EPERM (or the error from
 * secpolicy_net_config()) when not.
 */
int
secpolicy_ppp_config(const cred_t *cr)
{
	/*
	 * PRIV_POLICY_ONLY() is a silent look at sys_net_config; the
	 * authoritative (and presumably audited -- confirm) check is the
	 * one performed by whichever branch is taken.
	 */
	if (!PRIV_POLICY_ONLY(cr, PRIV_SYS_NET_CONFIG, B_FALSE))
		return (PRIV_POLICY(cr, PRIV_SYS_PPP_CONFIG, B_FALSE, EPERM,
		    NULL));

	return (secpolicy_net_config(cr, B_FALSE));
}