[mirror_zfs.git] / module / zfs / policy.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2013, Joyent, Inc. All rights reserved.
 * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
 *
 * For Linux the vast majority of this enforcement is already handled via
 * the standard Linux VFS permission checks.  However certain administrative
 * commands which bypass the standard mechanisms may need to make use of
 * this functionality.
 */

#include <sys/policy.h>
#include <linux/security.h>
#include <linux/vfs_compat.h>

/*
 * The passed credentials cannot be directly verified because Linux only
 * provides and interface to check the *current* proces credentials.  In
 * order to handle this the capable() test is only run when the passed
 * credentials match the current process credentials or the kcred.  In
 * all other cases this function must fail and return the passed err.
 */
static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
{
	ASSERT3S(all, ==, B_FALSE);

	if (cr != CRED() && (cr != kcred))
		return (err);

	if (!capable(capability))
		return (err);

	return (0);
}

/*
 * Checks for operations that are either client-only or are used by
 * both clients and servers.
 */
int
secpolicy_nfs(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
}

/*
 * Catch all system configuration.
 */
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
}

/*
 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 * current mode of the file, not the missing bits.
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
	mode_t curmode, mode_t wantmode)
{
	return (0);
}

/*
 * This is a special routine for ZFS; it is used to determine whether
 * any of the privileges in effect allow any form of access to the
 * file.  There's no reason to audit this or any reason to record
 * this.  More work is needed to do the "KPLD" stuff.
 */
int
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

	if (zpl_inode_owner_or_capable(ip))
		return (0);

	if (priv_policy(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
		return (0);

	if (priv_policy(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
		return (0);

	return (EPERM);
}

/*
 * Determine if subject can chown owner of a file.
 */
int
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
 * Determine if subject can change group ownership of a file.
 */
int
secpolicy_vnode_create_gid(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
}

/*
 * Policy determines whether we can remove an entry from a directory,
 * regardless of permission bits.
 */
int
secpolicy_vnode_remove(const cred_t *cr)
{
	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
 * Determine that subject can modify the mode of a file.  allzone privilege
 * needed when modifying root owned object.
 */
int
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
 * Are we allowed to retain the set-uid/set-gid bits when
 * changing ownership or when writing to a file?
 * "issuid" should be true when set-uid; only in that case
 * root ownership is checked (setgid is assumed).
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
{
	return (0);
}

/*
 * Determine that subject can set the file setgid flag.
 */
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
		return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));

	return (0);
}

/*
 * Determine if the subject can inject faults in the ZFS fault injection
 * framework.  Requires all privileges.
 */
int
secpolicy_zinject(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
}

/*
 * Determine if the subject has permission to manipulate ZFS datasets
 * (not pools).  Equivalent to the SYS_MOUNT privilege.
 */
int
secpolicy_zfs(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
}

void
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
{
	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
	    secpolicy_vnode_setid_retain(cr,
	    (vap->va_mode & S_ISUID) != 0 &&
	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
		vap->va_mask |= AT_MODE;
		vap->va_mode &= ~(S_ISUID|S_ISGID);
	}
}

/*
 * Determine that subject can set the file setid flags.
 */
static int
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

	return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
}

/*
 * Determine that subject can make a file a "sticky".
 *
 * Enforced in the Linux VFS.
 */
static int
secpolicy_vnode_stky_modify(const cred_t *cr)
{
	return (0);
}

int
secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
    const vattr_t *ovap, cred_t *cr)
{
	int error;

	if ((vap->va_mode & S_ISUID) != 0 &&
	    (error = secpolicy_vnode_setid_modify(cr,
	    ovap->va_uid)) != 0) {
		return (error);
	}

	/*
	 * Check privilege if attempting to set the
	 * sticky bit on a non-directory.
	 */
	if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
	    secpolicy_vnode_stky_modify(cr) != 0) {
		vap->va_mode &= ~S_ISVTX;
	}

	/*
	 * Check for privilege if attempting to set the
	 * group-id bit.
	 */
	if ((vap->va_mode & S_ISGID) != 0 &&
	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
		vap->va_mode &= ~S_ISGID;
	}

	return (0);
}

/*
 * Check privileges for setting xvattr attributes
 */
int
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
{
	return (secpolicy_vnode_chown(cr, owner));
}

/*
 * Check privileges for setattr attributes.
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
    const struct vattr *ovap, int flags,
    int unlocked_access(void *, int, cred_t *), void *node)
{
	return (0);
}

/*
 * Check privileges for links.
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_basic_link(const cred_t *cr)
{
	return (0);
}
Commit	Line	Data
f74b821a BB	1	/*
	2	* CDDL HEADER START
	3	*
	4	* The contents of this file are subject to the terms of the
	5	* Common Development and Distribution License (the "License").
	6	* You may not use this file except in compliance with the License.
	7	*
	8	* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
	9	* or http://www.opensolaris.org/os/licensing.
	10	* See the License for the specific language governing permissions
	11	* and limitations under the License.
	12	*
	13	* When distributing Covered Code, include this CDDL HEADER in each
	14	* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
	15	* If applicable, add the following below this CDDL HEADER, with the
	16	* fields enclosed by brackets "[]" replaced with your own identifying
	17	* information: Portions Copyright [yyyy] [name of copyright owner]
	18	*
	19	* CDDL HEADER END
	20	*/
	21
	22	/*
	23	* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
	24	* Copyright 2013, Joyent, Inc. All rights reserved.
	25	* Copyright (C) 2016 Lawrence Livermore National Security, LLC.
	26	*
	27	* For Linux the vast majority of this enforcement is already handled via
	28	* the standard Linux VFS permission checks. However certain administrative
	29	* commands which bypass the standard mechanisms may need to make use of
	30	* this functionality.
	31	*/
	32
	33	#include <sys/policy.h>
	34	#include <linux/security.h>
	35	#include <linux/vfs_compat.h>
	36
	37	/*
	38	* The passed credentials cannot be directly verified because Linux only
	39	* provides and interface to check the current proces credentials. In
	40	* order to handle this the capable() test is only run when the passed
	41	* credentials match the current process credentials or the kcred. In
	42	* all other cases this function must fail and return the passed err.
	43	*/
	44	static int
	45	priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
	46	{
	47	ASSERT3S(all, ==, B_FALSE);
	48
	49	if (cr != CRED() && (cr != kcred))
	50	return (err);
	51
	52	if (!capable(capability))
	53	return (err);
	54
	55	return (0);
	56	}
	57
	58	/*
	59	* Checks for operations that are either client-only or are used by
	60	* both clients and servers.
	61	*/
	62	int
	63	secpolicy_nfs(const cred_t *cr)
	64	{
65	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
66	}
67
68	/*
69	* Catch all system configuration.
70	*/
71	int
72	secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
73	{
74	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
75	}
76
77	/*
78	* Like secpolicy_vnode_access() but we get the actual wanted mode and the
79	* current mode of the file, not the missing bits.
80	*
81	* Enforced in the Linux VFS.
82	*/
83	int
84	secpolicy_vnode_access2(const cred_t cr, struct inode ip, uid_t owner,
85	mode_t curmode, mode_t wantmode)
86	{
87	return (0);
88	}
89
90	/*
91	* This is a special routine for ZFS; it is used to determine whether
92	* any of the privileges in effect allow any form of access to the
93	* file. There's no reason to audit this or any reason to record
94	* this. More work is needed to do the "KPLD" stuff.
95	*/
96	int
97	secpolicy_vnode_any_access(const cred_t cr, struct inode ip, uid_t owner)
98	{
100a91aa	99	if (crgetfsuid(cr) == owner)
f74b821a BB	100	return (0);
	101
	102	if (zpl_inode_owner_or_capable(ip))
	103	return (0);
	104
	105	if (priv_policy(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
	106	return (0);
	107
	108	if (priv_policy(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
	109	return (0);
	110
	111	return (EPERM);
	112	}
	113
	114	/*
	115	* Determine if subject can chown owner of a file.
	116	*/
	117	int
	118	secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
	119	{
100a91aa	120	if (crgetfsuid(cr) == owner)
f74b821a BB	121	return (0);
	122
	123	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
	124	}
	125
	126	/*
	127	* Determine if subject can change group ownership of a file.
	128	*/
	129	int
	130	secpolicy_vnode_create_gid(const cred_t *cr)
	131	{
	132	return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
	133	}
	134
	135	/*
	136	* Policy determines whether we can remove an entry from a directory,
	137	* regardless of permission bits.
	138	*/
	139	int
	140	secpolicy_vnode_remove(const cred_t *cr)
	141	{
	142	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
	143	}
	144
	145	/*
	146	* Determine that subject can modify the mode of a file. allzone privilege
	147	* needed when modifying root owned object.
	148	*/
	149	int
	150	secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
	151	{
100a91aa	152	if (crgetfsuid(cr) == owner)
f74b821a BB	153	return (0);
	154
	155	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
	156	}
	157
	158	/*
	159	* Are we allowed to retain the set-uid/set-gid bits when
	160	* changing ownership or when writing to a file?
	161	* "issuid" should be true when set-uid; only in that case
	162	* root ownership is checked (setgid is assumed).
	163	*
	164	* Enforced in the Linux VFS.
	165	*/
	166	int
	167	secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
	168	{
	169	return (0);
	170	}
	171
	172	/*
	173	* Determine that subject can set the file setgid flag.
	174	*/
	175	int
	176	secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
	177	{
100a91aa	178	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
f74b821a BB	179	return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
	180
	181	return (0);
	182	}
	183
	184	/*
	185	* Determine if the subject can inject faults in the ZFS fault injection
	186	* framework. Requires all privileges.
	187	*/
	188	int
	189	secpolicy_zinject(const cred_t *cr)
	190	{
	191	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
	192	}
	193
	194	/*
	195	* Determine if the subject has permission to manipulate ZFS datasets
	196	* (not pools). Equivalent to the SYS_MOUNT privilege.
	197	*/
	198	int
	199	secpolicy_zfs(const cred_t *cr)
	200	{
	201	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
	202	}
	203
	204	void
	205	secpolicy_setid_clear(vattr_t vap, cred_t cr)
	206	{
	207	if ((vap->va_mode & (S_ISUID \| S_ISGID)) != 0 &&
	208	secpolicy_vnode_setid_retain(cr,
	209	(vap->va_mode & S_ISUID) != 0 &&
	210	(vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
	211	vap->va_mask \|= AT_MODE;
	212	vap->va_mode &= ~(S_ISUID\|S_ISGID);
	213	}
	214	}
	215
	216	/*
	217	* Determine that subject can set the file setid flags.
	218	*/
	219	static int
	220	secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
	221	{
100a91aa	222	if (crgetfsuid(cr) == owner)
f74b821a BB	223	return (0);
	224
	225	return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
	226	}
	227
	228	/*
	229	* Determine that subject can make a file a "sticky".
	230	*
	231	* Enforced in the Linux VFS.
	232	*/
	233	static int
	234	secpolicy_vnode_stky_modify(const cred_t *cr)
	235	{
	236	return (0);
	237	}
	238
	239	int
	240	secpolicy_setid_setsticky_clear(struct inode ip, vattr_t vap,
	241	const vattr_t ovap, cred_t cr)
	242	{
	243	int error;
	244
	245	if ((vap->va_mode & S_ISUID) != 0 &&
	246	(error = secpolicy_vnode_setid_modify(cr,
	247	ovap->va_uid)) != 0) {
	248	return (error);
	249	}
	250
	251	/*
	252	* Check privilege if attempting to set the
	253	* sticky bit on a non-directory.
	254	*/
	255	if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
	256	secpolicy_vnode_stky_modify(cr) != 0) {
	257	vap->va_mode &= ~S_ISVTX;
	258	}
	259
	260	/*
	261	* Check for privilege if attempting to set the
	262	* group-id bit.
	263	*/
	264	if ((vap->va_mode & S_ISGID) != 0 &&
	265	secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
	266	vap->va_mode &= ~S_ISGID;
	267	}
	268
	269	return (0);
	270	}
	271
	272	/*
	273	* Check privileges for setting xvattr attributes
	274	*/
	275	int
	276	secpolicy_xvattr(xvattr_t xvap, uid_t owner, cred_t cr, vtype_t vtype)
	277	{
	278	return (secpolicy_vnode_chown(cr, owner));
	279	}
	280
	281	/*
	282	* Check privileges for setattr attributes.
	283	*
	284	* Enforced in the Linux VFS.
	285	*/
	286	int
287	secpolicy_vnode_setattr(cred_t cr, struct inode ip, struct vattr *vap,
288	const struct vattr *ovap, int flags,
289	int unlocked_access(void , int, cred_t ), void *node)
290	{
291	return (0);
292	}
293
294	/*
295	* Check privileges for links.
296	*
297	* Enforced in the Linux VFS.
298	*/
299	int
300	secpolicy_basic_link(const cred_t *cr)
301	{
302	return (0);
303	}