1 | /* |
2 | * CDDL HEADER START | |
3 | * | |
4 | * The contents of this file are subject to the terms of the | |
5 | * Common Development and Distribution License (the "License"). | |
6 | * You may not use this file except in compliance with the License. | |
7 | * | |
8 | * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE | |
9 | * or http://www.opensolaris.org/os/licensing. | |
10 | * See the License for the specific language governing permissions | |
11 | * and limitations under the License. | |
12 | * | |
13 | * When distributing Covered Code, include this CDDL HEADER in each | |
14 | * file and include the License file at usr/src/OPENSOLARIS.LICENSE. | |
15 | * If applicable, add the following below this CDDL HEADER, with the | |
16 | * fields enclosed by brackets "[]" replaced with your own identifying | |
17 | * information: Portions Copyright [yyyy] [name of copyright owner] | |
18 | * | |
19 | * CDDL HEADER END | |
20 | */ | |
21 | ||
22 | /* | |
23 | * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. | |
24 | * Copyright 2013, Joyent, Inc. All rights reserved. | |
25 | * Copyright (C) 2016 Lawrence Livermore National Security, LLC. | |
26 | * | |
27 | * For Linux the vast majority of this enforcement is already handled via | |
28 | * the standard Linux VFS permission checks. However certain administrative | |
29 | * commands which bypass the standard mechanisms may need to make use of | |
30 | * this functionality. | |
31 | */ | |
32 | ||
33 | #include <sys/policy.h> | |
34 | #include <linux/security.h> | |
35 | #include <linux/vfs_compat.h> | |
36 | ||
37 | /* | |
38 | * The passed credentials cannot be directly verified because Linux only | |
39 | * provides an interface to check the *current* process credentials. In | |
40 | * order to handle this the capable() test is only run when the passed |
41 | * credentials match the current process credentials or the kcred. In | |
42 | * all other cases this function must fail and return the passed err. | |
43 | */ | |
static int
priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
    struct user_namespace *ns)
{
	int has_cap;

	/* The "all privileges" form is not supported here; callers pass B_FALSE. */
	ASSERT3S(all, ==, B_FALSE);

	/*
	 * Fail closed.  Only the caller's own credentials (or kcred) can be
	 * evaluated, because capable()/ns_capable() always inspect the
	 * running task and take no cred argument; any other cred_t is denied
	 * with err.  Note this also means the kcred case is still answered
	 * by the current task's capabilities.
	 */
	if (cr != CRED() && cr != kcred)
		return (err);

#if defined(CONFIG_USER_NS) && defined(HAVE_NS_CAPABLE)
	/* A namespace, when supplied, scopes the capability test to it. */
	has_cap = (ns != NULL) ? ns_capable(ns, capability) :
	    capable(capability);
#else
	has_cap = capable(capability);
#endif

	return (has_cap ? 0 : err);
}
62 | ||
static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
{
	/*
	 * No namespace: priv_policy_ns() then falls back to plain capable(),
	 * i.e. the test is not scoped to the caller's user namespace.
	 */
	struct user_namespace *ns = NULL;

	return (priv_policy_ns(cr, capability, all, err, ns));
}
68 | ||
static int
priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
{
	struct user_namespace *ns = NULL;

	/*
	 * Every priv_policy_user() call is preceded by a kuid/kgid_has_mapping()
	 * check.  Where those checks are unavailable ns_capable() must not be
	 * used, since it is then unknown whether the affected files are valid
	 * in our namespace; fall back to the un-scoped capable() test instead.
	 * kuid_has_mapping() postdates cred->user_ns, so HAVE_CRED_USER_NS
	 * does not need to be re-checked here.
	 */
#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	ns = cr->user_ns;
#endif

	return (priv_policy_ns(cr, capability, all, err, ns));
}
85 | ||
/*
 * Checks for operations that are either client-only or are used by
 * both clients and servers.  On Linux this requires CAP_SYS_ADMIN and
 * a failed check is reported as EPERM.
 */
int
secpolicy_nfs(const cred_t *cr)
{
	const int required_cap = CAP_SYS_ADMIN;

	return (priv_policy(cr, required_cap, B_FALSE, EPERM));
}
95 | ||
/*
 * Catch all system configuration.  Requires CAP_SYS_ADMIN, failure is
 * EPERM.  The checkonly flag is accepted for interface compatibility
 * only; the capability test is performed regardless of its value.
 */
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
	(void) checkonly;

	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
}
104 | ||
/*
 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 * current mode of the file, not the missing bits.
 *
 * Enforced in the Linux VFS: this routine grants unconditionally, so it
 * must not be used as the sole access decision for a request.
 */
int
secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
    mode_t curmode, mode_t wantmode)
{
	(void) cr;
	(void) ip;
	(void) owner;
	(void) curmode;
	(void) wantmode;

	return (0);
}
117 | ||
/*
 * This is a special routine for ZFS; it is used to determine whether
 * any of the privileges in effect allow any form of access to the
 * file. There's no reason to audit this or any reason to record
 * this. More work is needed to do the "KPLD" stuff.
 *
 * Access (0) is granted when the caller's fsuid is the owner, when the
 * VFS regards the caller as inode owner or capable, or when the caller
 * holds CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH in its own user
 * namespace.  Anything else, including an owner uid with no mapping in
 * the caller's namespace, is denied with EPERM.
 */
int
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
{
	/* Tried in this order; the first capability held grants access. */
	static const int dac_caps[] = { CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH };
	size_t i;

	if (crgetfsuid(cr) == owner)
		return (0);

	if (zpl_inode_owner_or_capable(ip))
		return (0);

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	/*
	 * The mapping check must come before any ns_capable() test; this is
	 * the precondition priv_policy_user() documents.
	 */
	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
		return (EPERM);
#endif

	for (i = 0; i < sizeof (dac_caps) / sizeof (dac_caps[0]); i++) {
		if (priv_policy_user(cr, dac_caps[i], B_FALSE, EPERM) == 0)
			return (0);
	}

	return (EPERM);
}
146 | ||
/*
 * Determine if subject can chown owner of a file.  The owner (by fsuid)
 * always may; anyone else needs CAP_FOWNER in their own user namespace,
 * and an owner uid unmapped in that namespace is refused outright.
 * Returns 0 when permitted, EPERM otherwise.
 */
int
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
{
	boolean_t is_owner = (crgetfsuid(cr) == owner);

	if (is_owner)
		return (0);

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	/* Mapping check precedes the namespaced capability test. */
	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
		return (EPERM);
#endif

	return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
}
163 | ||
/*
 * Determine if subject can change group ownership of a file.  On Linux
 * this is mapped to CAP_SETGID; failure is reported as EPERM.
 */
int
secpolicy_vnode_create_gid(const cred_t *cr)
{
	const int required_cap = CAP_SETGID;

	return (priv_policy(cr, required_cap, B_FALSE, EPERM));
}
172 | ||
/*
 * Policy determines whether we can remove an entry from a directory,
 * regardless of permission bits.  Requires CAP_FOWNER; failure is EPERM.
 */
int
secpolicy_vnode_remove(const cred_t *cr)
{
	const int required_cap = CAP_FOWNER;

	return (priv_policy(cr, required_cap, B_FALSE, EPERM));
}
182 | ||
/*
 * Determine that subject can modify the mode of a file. allzone privilege
 * needed when modifying root owned object.
 *
 * On Linux: the owner (by fsuid) is always allowed; otherwise the owner
 * uid must be mapped in the caller's namespace and the caller must hold
 * CAP_FOWNER there.  Returns 0 when permitted, EPERM otherwise.
 */
int
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) != owner) {
#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
		/* Unmapped owner: deny before consulting capabilities. */
		if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
			return (EPERM);
#endif
		return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
	}

	return (0);
}
200 | ||
/*
 * Are we allowed to retain the set-uid/set-gid bits when
 * changing ownership or when writing to a file?
 * "issuid" should be true when set-uid; only in that case
 * root ownership is checked (setgid is assumed).
 *
 * Enforced in the Linux VFS: always answers 0 ("retain"), so callers
 * that clear setid bits on a non-zero return never do so via this path.
 */
int
secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
{
	(void) cr;
	(void) issuidroot;

	return (0);
}
214 | ||
/*
 * Determine that subject can set the file setgid flag.  Permitted (0)
 * when gid is the caller's fsgid or a supplementary group; otherwise
 * CAP_FSETID in the caller's namespace is required.  A gid with no
 * mapping in that namespace is refused with EPERM before any
 * capability test.
 */
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
	boolean_t in_group;

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
		return (EPERM);
#endif

	/* groupmember() is only consulted when the fsgid does not match. */
	in_group = (crgetfsgid(cr) == gid) || groupmember(gid, cr);
	if (in_group)
		return (0);

	return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
}
230 | ||
/*
 * Determine if the subject can inject faults in the ZFS fault injection
 * framework. Requires all privileges.  On Linux this is expressed as a
 * CAP_SYS_ADMIN check, and failure is reported as EACCES (not EPERM).
 */
int
secpolicy_zinject(const cred_t *cr)
{
	const int required_cap = CAP_SYS_ADMIN;

	return (priv_policy(cr, required_cap, B_FALSE, EACCES));
}
240 | ||
/*
 * Determine if the subject has permission to manipulate ZFS datasets
 * (not pools). Equivalent to the SYS_MOUNT privilege.  On Linux this is
 * a CAP_SYS_ADMIN check; failure is reported as EACCES.
 */
int
secpolicy_zfs(const cred_t *cr)
{
	const int required_cap = CAP_SYS_ADMIN;

	return (priv_policy(cr, required_cap, B_FALSE, EACCES));
}
250 | ||
/*
 * Strip the set-uid/set-gid bits from vap (and mark AT_MODE) unless the
 * subject is allowed to retain them.  The "set-uid to root" case is
 * flagged when the suid bit is present together with an explicit uid
 * change to 0.  Because secpolicy_vnode_setid_retain() returns 0
 * unconditionally in this file, the clearing path is never taken here;
 * enforcement lives in the Linux VFS.
 */
void
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
{
	boolean_t issuidroot;

	if ((vap->va_mode & (S_ISUID | S_ISGID)) == 0)
		return;

	issuidroot = (vap->va_mode & S_ISUID) != 0 &&
	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0;

	if (secpolicy_vnode_setid_retain(cr, issuidroot) == 0)
		return;

	vap->va_mask |= AT_MODE;
	vap->va_mode &= ~(S_ISUID|S_ISGID);
}
262 | ||
/*
 * Determine that subject can set the file setid flags.  The owner (by
 * fsuid) always may; otherwise the owner uid must be mapped in the
 * caller's namespace and the caller must hold CAP_FSETID there.
 * Returns 0 when permitted, EPERM otherwise.
 */
static int
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) != owner) {
#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
		/* Unmapped owner: deny before consulting capabilities. */
		if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
			return (EPERM);
#endif
		return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
	}

	return (0);
}
279 | ||
/*
 * Determine that subject can make a file a "sticky".
 *
 * Enforced in the Linux VFS: always grants (0), so the sticky bit is
 * never stripped on the strength of this check alone.
 */
static int
secpolicy_vnode_stky_modify(const cred_t *cr)
{
	(void) cr;

	return (0);
}
290 | ||
/*
 * Apply setid/sticky policy to a requested mode change on ip.
 *
 * Set-uid requires the caller to own the file or hold CAP_FSETID (see
 * secpolicy_vnode_setid_modify()); a refusal is returned as an error
 * rather than silently stripped.  The sticky bit on a non-directory and
 * the set-gid bit are instead silently cleared from vap->va_mode when
 * the respective policy check fails.  Returns 0 on success.
 */
int
secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
    const vattr_t *ovap, cred_t *cr)
{
	int error;

	if ((vap->va_mode & S_ISUID) != 0) {
		error = secpolicy_vnode_setid_modify(cr, ovap->va_uid);
		if (error != 0)
			return (error);
	}

	/* Sticky bit on a non-directory needs privilege; drop it otherwise. */
	if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
	    secpolicy_vnode_stky_modify(cr) != 0)
		vap->va_mode &= ~S_ISVTX;

	/* Set-gid is checked against the file's current group, ovap->va_gid. */
	if ((vap->va_mode & S_ISGID) != 0 &&
	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0)
		vap->va_mode &= ~S_ISGID;

	return (0);
}
323 | ||
/*
 * Check privileges for setting xvattr attributes.  On Linux this reduces
 * to the chown policy for the file's owner; xvap and vtype are not
 * consulted.
 */
int
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
{
	(void) xvap;
	(void) vtype;

	return (secpolicy_vnode_chown(cr, owner));
}
332 | ||
/*
 * Check privileges for setattr attributes.
 *
 * Enforced in the Linux VFS: always grants (0); the unlocked_access
 * callback is never invoked here.
 */
int
secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
    const struct vattr *ovap, int flags,
    int unlocked_access(void *, int, cred_t *), void *node)
{
	(void) cr;
	(void) ip;
	(void) vap;
	(void) ovap;
	(void) flags;
	(void) unlocked_access;
	(void) node;

	return (0);
}
345 | ||
/*
 * Check privileges for links.
 *
 * Enforced in the Linux VFS: always grants (0).
 */
int
secpolicy_basic_link(const cred_t *cr)
{
	(void) cr;

	return (0);
}