4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2013, Joyent, Inc. All rights reserved.
25 * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
27 * For Linux the vast majority of this enforcement is already handled via
28 * the standard Linux VFS permission checks. However certain administrative
29 * commands which bypass the standard mechanisms may need to make use of
33 #include <sys/policy.h>
34 #include <linux/security.h>
35 #include <linux/vfs_compat.h>
/*
38 * The passed credentials cannot be directly verified because Linux only
39 * provides an interface to check the *current* process credentials. In
40 * order to handle this the capable() test is only run when the passed
41 * credentials match the current process credentials or the kcred. In
42 * all other cases this function must fail and return the passed err.
 *
 * cr:         credentials to check (must be CRED() or kcred to be answered)
 * capability: Linux CAP_* value to test
 * all:        must be B_FALSE; the "all privileges" form is not supported
 * err:        errno value handed back on denial
 * ns:         user namespace to test in, or NULL for a plain capable() test
 * Returns 0 when the capability is held, otherwise err (callers in this
 * file compare against 0).
 */
45 priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
46 struct user_namespace *ns)
/* Only the single-capability form is implemented here. */
48 ASSERT3S(all, ==, B_FALSE);
/*
 * Fail closed: we can only answer for the current task's creds or the
 * kernel cred, so any other cred_t is denied with err rather than guessed.
 */
50 if (cr != CRED() && (cr != kcred))
/*
 * With user namespaces an explicit ns is checked via ns_capable();
 * a NULL ns falls back to capable().
 */
53 #if defined(CONFIG_USER_NS)
54 if (!(ns ? ns_capable(ns, capability) : capable(capability)))
/* Presumably the #else branch: without CONFIG_USER_NS, ns is not consulted. */
56 if (!capable(capability))
/*
 * Capability check against cr with no user namespace (ns == NULL), i.e.
 * priv_policy_ns() ends up using plain capable().
 * Returns what priv_policy_ns() returns: 0 when held, otherwise err.
 */
64 priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
66 return (priv_policy_ns(cr, capability, all, err, NULL));
/*
 * Like priv_policy(), but when the kernel has user namespaces the
 * capability is evaluated in the user namespace of the passed credentials.
 * Returns 0 when held, otherwise err.
 */
70 priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
/*
73 * All priv_policy_user checks are preceded by kuid/kgid_has_mapping()
74 * checks. If we cannot do them, we shouldn't be using ns_capable()
75 * since we don't know whether the affected files are valid in our
 * namespace.  This function does not repeat the mapping check, so every
 * caller must keep it in front of this call.
 */
78 #if defined(CONFIG_USER_NS)
/* cr->user_ns is only referenced under CONFIG_USER_NS. */
79 return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
/* No user namespaces: plain capable() path. */
81 return (priv_policy_ns(cr, capability, all, err, NULL));
/*
86 * Checks for operations that are either client-only or are used by
87 * both clients and servers.
 *
 * Requires CAP_SYS_ADMIN; denial is reported as EPERM.
 */
90 secpolicy_nfs(const cred_t *cr)
92 return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
/*
96 * Catch all system configuration.
 *
 * checkonly is accepted for interface compatibility and not consulted
 * here; the decision is CAP_SYS_ADMIN (EPERM on denial) either way.
 */
99 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
101 return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
/*
105 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
106 * current mode of the file, not the missing bits.
 *
108 * Enforced in the Linux VFS.
 * NOTE(review): the body is not shown here; per the note above this is
 * expected to be a no-op stub, so callers must not rely on it to deny
 * access -- confirm the VFS permission path covers the operation.
 */
111 secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
112 mode_t curmode, mode_t wantmode)
/*
118 * This is a special routine for ZFS; it is used to determine whether
119 * any of the privileges in effect allow any form of access to the
120 * file. There's no reason to audit this or any reason to record
121 * this. More work is needed to do the "KPLD" stuff.
 *
 * Order of checks: file owner, then inode_owner_or_capable(), then
 * CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH in the caller's user namespace.
 * Returns 0 when any of these grants access; otherwise an error
 * (EPERM is the value used for the capability tests below).
 */
124 secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
/* The owner always has some form of access. */
126 if (crgetfsuid(cr) == owner)
/*
 * NOTE(review): inode_owner_or_capable() takes no cred argument, so it
 * presumably evaluates the current task rather than cr -- confirm this is
 * acceptable for every caller (cf. the cr == CRED() rule in priv_policy_ns).
 */
129 if (inode_owner_or_capable(ip))
132 #if defined(CONFIG_USER_NS)
/*
 * An owner with no mapping in the caller's user namespace is refused
 * before ns_capable() is consulted (see priv_policy_user()).
 */
133 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
/* Either DAC-override capability is enough for "any access". */
137 if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
140 if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
/*
147 * Determine if subject can chown owner of a file.
 *
 * The owner may always proceed.  Otherwise CAP_FOWNER is required in the
 * caller's user namespace, and an owner uid with no mapping there is
 * refused before any capability test so ns_capable() is never asked
 * about an unmapped uid.
 */
150 secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
152 if (crgetfsuid(cr) == owner)
155 #if defined(CONFIG_USER_NS)
/* Mapping check must precede priv_policy_user(); see its comment. */
156 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
160 return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
/*
164 * Determine if subject can change group ownership of a file.
 *
 * Requires CAP_SETGID (plain capable() path, no user-namespace lookup);
 * denial is EPERM.
 */
167 secpolicy_vnode_create_gid(const cred_t *cr)
169 return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
/*
173 * Policy determines whether we can remove an entry from a directory,
174 * regardless of permission bits.
 *
 * Requires CAP_FOWNER (plain capable() path); denial is EPERM.
 */
177 secpolicy_vnode_remove(const cred_t *cr)
179 return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
/*
183 * Determine that subject can modify the mode of a file. allzone privilege
184 * needed when modifying root owned object.
 *
 * NOTE(review): the "allzone" remark is Solaris heritage; the Linux code
 * visible here does not special-case root-owned objects.  It applies the
 * same owner / mapped-uid / CAP_FOWNER sequence as secpolicy_vnode_chown().
 */
187 secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
189 if (crgetfsuid(cr) == owner)
192 #if defined(CONFIG_USER_NS)
/* Refuse an unmapped owner before consulting ns_capable(). */
193 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
197 return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
/*
201 * Are we allowed to retain the set-uid/set-gid bits when
202 * changing ownership or when writing to a file?
203 * "issuid" should be true when set-uid; only in that case
204 * root ownership is checked (setgid is assumed).
 *
206 * Enforced in the Linux VFS.
 *
 * In this port issuidroot is not consulted; the answer is simply whether
 * cr holds CAP_FSETID (EPERM otherwise).
 * NOTE(review): unlike the other priv_policy_user() callers in this file,
 * no kuid/kgid_has_mapping() check precedes this call (its caller
 * secpolicy_setid_clear() does none either) -- confirm that is intended.
 */
209 secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
211 return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
/*
215 * Determine that subject can set the file setgid flag.
 *
 * gid must be mapped in the caller's user namespace.  The caller's fsgid
 * or membership in gid suffices; otherwise CAP_FSETID is required
 * (EPERM on denial).
 */
218 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
220 #if defined(CONFIG_USER_NS)
/* Unmapped gid: refuse before consulting ns_capable(). */
221 if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
/* Not our fsgid and not a supplementary group: need CAP_FSETID. */
224 if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
225 return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
/*
231 * Determine if the subject can inject faults in the ZFS fault injection
232 * framework. Requires all privileges.
 *
 * Mapped to CAP_SYS_ADMIN.  Note the denial value is EACCES here, unlike
 * the EPERM used by the vnode policies in this file.
 */
235 secpolicy_zinject(const cred_t *cr)
237 return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
/*
241 * Determine if the subject has permission to manipulate ZFS datasets
242 * (not pools). Equivalent to the SYS_MOUNT privilege.
 *
 * Mapped to CAP_SYS_ADMIN; denial is EACCES (as in secpolicy_zinject()).
 */
245 secpolicy_zfs(const cred_t *cr)
247 return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
/*
 * Strip the set-uid/set-gid bits from a pending attribute change unless
 * secpolicy_vnode_setid_retain() allows them to be kept.
 *
 * The issuidroot value passed down is true only when the set-uid bit is
 * being set AND the same request changes the uid to 0 (AT_UID in va_mask
 * with va_uid == 0).  When retention is denied both bits are cleared and
 * AT_MODE is added to va_mask, presumably so the caller applies the
 * stripped mode.
 */
251 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
253 if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
254 secpolicy_vnode_setid_retain(cr,
255 (vap->va_mode & S_ISUID) != 0 &&
256 (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
/* Denied: force the mode update and drop both bits. */
257 vap->va_mask |= AT_MODE;
258 vap->va_mode &= ~(S_ISUID|S_ISGID);
/*
263 * Determine that subject can set the file setid flags.
 *
 * Same shape as secpolicy_vnode_chown(): the owner may proceed; an owner
 * uid unmapped in the caller's user namespace is refused; otherwise
 * CAP_FSETID is required (EPERM on denial).
 */
266 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
268 if (crgetfsuid(cr) == owner)
271 #if defined(CONFIG_USER_NS)
/* Refuse an unmapped owner before consulting ns_capable(). */
272 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
276 return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
/*
280 * Determine that subject can make a file a "sticky".
 *
282 * Enforced in the Linux VFS.
 * NOTE(review): the body is not shown here; per the note above this is
 * expected to be a no-op stub.  secpolicy_setid_setsticky_clear() only
 * clears S_ISVTX when this returns non-zero, so confirm the VFS already
 * filters sticky-on-regular-file requests.
 */
285 secpolicy_vnode_stky_modify(const cred_t *cr)
/*
 * Strip set-id/sticky bits from a requested mode that the caller is not
 * privileged to set, judged against the file's current owner/group (ovap).
 *
 * Set-uid on a file the caller may not setid-modify is a hard error
 * (the error from secpolicy_vnode_setid_modify() is presumably returned;
 * that branch's body is not shown).  Sticky on a non-directory and
 * set-gid for a group the caller may not set are silently cleared from
 * vap->va_mode instead of failing the request.
 */
291 secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
292 const vattr_t *ovap, cred_t *cr)
/* Set-uid is checked against the file's current owner. */
296 if ((vap->va_mode & S_ISUID) != 0 &&
297 (error = secpolicy_vnode_setid_modify(cr,
298 ovap->va_uid)) != 0) {
/*
303 * Check privilege if attempting to set the
304 * sticky bit on a non-directory.
 * Not an error: the bit is just dropped.
 */
306 if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
307 secpolicy_vnode_stky_modify(cr) != 0) {
308 vap->va_mode &= ~S_ISVTX;
/*
312 * Check for privilege if attempting to set the
 * set-gid bit; cleared rather than rejected when not permitted.
 */
315 if ((vap->va_mode & S_ISGID) != 0 &&
316 secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
317 vap->va_mode &= ~S_ISGID;
/*
324 * Check privileges for setting xvattr attributes
 *
 * Only ownership is enforced: this defers entirely to
 * secpolicy_vnode_chown(cr, owner).  xvap and vtype are not examined, so
 * the extended attributes themselves are not filtered here; callers that
 * need per-attribute policy must apply it themselves.
 */
327 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
329 return (secpolicy_vnode_chown(cr, owner));
/*
333 * Check privileges for setattr attributes.
 *
335 * Enforced in the Linux VFS.
 * NOTE(review): the body is not shown here; per the note above this is
 * expected to be a no-op stub, so unlocked_access and node would not be
 * consulted.  Callers relying on this for enforcement should confirm the
 * VFS setattr path covers their case.
 */
338 secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
339 const struct vattr *ovap, int flags,
340 int unlocked_access(void *, int, cred_t *), void *node)
346 * Check privileges for links.
348 * Enforced in the Linux VFS.
351 secpolicy_basic_link(const cred_t *cr)