1 | /* | |
2 | * CDDL HEADER START | |
3 | * | |
4 | * The contents of this file are subject to the terms of the | |
5 | * Common Development and Distribution License (the "License"). | |
6 | * You may not use this file except in compliance with the License. | |
7 | * | |
8 | * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE | |
9 | * or http://www.opensolaris.org/os/licensing. | |
10 | * See the License for the specific language governing permissions | |
11 | * and limitations under the License. | |
12 | * | |
13 | * When distributing Covered Code, include this CDDL HEADER in each | |
14 | * file and include the License file at usr/src/OPENSOLARIS.LICENSE. | |
15 | * If applicable, add the following below this CDDL HEADER, with the | |
16 | * fields enclosed by brackets "[]" replaced with your own identifying | |
17 | * information: Portions Copyright [yyyy] [name of copyright owner] | |
18 | * | |
19 | * CDDL HEADER END | |
20 | */ | |
21 | ||
22 | /* | |
23 | * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. | |
24 | * Copyright 2013, Joyent, Inc. All rights reserved. | |
25 | * Copyright (C) 2016 Lawrence Livermore National Security, LLC. | |
26 | * | |
27 | * For Linux the vast majority of this enforcement is already handled via | |
28 | * the standard Linux VFS permission checks. However certain administrative | |
29 | * commands which bypass the standard mechanisms may need to make use of | |
30 | * this functionality. | |
31 | */ | |
32 | ||
33 | #include <sys/policy.h> | |
34 | #include <linux/security.h> | |
35 | #include <linux/vfs_compat.h> | |
36 | ||
/*
 * Map an illumos privilege check onto a Linux capability check.
 *
 * The passed credentials cannot be verified directly because Linux only
 * provides an interface, capable(), that tests the *current* task's
 * credentials.  The capable() test is therefore run only when cr is the
 * current task's credentials (CRED()) or the kernel credentials (kcred);
 * for any other cr this function fails closed and returns the passed err.
 *
 * cr:         credentials to check
 * capability: Linux CAP_* value to test
 * all:        illumos "all privileges" flag; must be B_FALSE on Linux
 * err:        errno value returned when the check does not pass
 *
 * Returns 0 when the capability is held, err otherwise.
 */
static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
{
	int rc = err;

	ASSERT3S(all, ==, B_FALSE);

	/* Only the two credential sets we can actually test may pass. */
	if ((cr == CRED() || cr == kcred) && capable(capability))
		rc = 0;

	return (rc);
}
57 | ||
/*
 * Checks for operations that are either client-only or are used by
 * both clients and servers.  On Linux this is mapped to CAP_SYS_ADMIN.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_nfs(const cred_t *cr)
{
	int rc;

	rc = priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM);
	return (rc);
}
67 | ||
/*
 * Catch all system configuration.  Mapped to CAP_SYS_ADMIN on Linux.
 *
 * checkonly is accepted for interface compatibility and is not used here.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
	int rc;

	(void) checkonly;

	rc = priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM);
	return (rc);
}
76 | ||
/*
 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 * current mode of the file, not the missing bits.
 *
 * Enforced in the Linux VFS, so this always permits; none of the
 * arguments are examined here.
 */
int
secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
    mode_t curmode, mode_t wantmode)
{
	(void) cr;
	(void) ip;
	(void) owner;
	(void) curmode;
	(void) wantmode;

	return (0);
}
89 | ||
/*
 * This is a special routine for ZFS; it is used to determine whether
 * any of the privileges in effect allow any form of access to the
 * file.  There's no reason to audit this or any reason to record
 * this.  More work is needed to do the "KPLD" stuff.
 *
 * Access is granted when the caller's fsuid owns the file, when the
 * inode-level owner/capable check passes, or when cr holds either
 * CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH.
 *
 * NOTE(review): zpl_inode_owner_or_capable() takes only ip, so it
 * presumably consults the *current* task's credentials rather than cr,
 * unlike the other checks here -- confirm this is intended for the
 * callers that pass kcred.
 *
 * Returns 0 if any form of access is allowed, EPERM otherwise.
 */
int
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
{
	/* Owner or inode-level check: no privilege needed. */
	if (crgetfsuid(cr) == owner || zpl_inode_owner_or_capable(ip))
		return (0);

	/* Either DAC-bypass capability is sufficient. */
	if (priv_policy(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0 ||
	    priv_policy(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
		return (0);

	return (EPERM);
}
113 | ||
/*
 * Determine if subject can chown owner of a file.
 *
 * The file's owner may always do so; anyone else needs CAP_FOWNER.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
{
	int rc = 0;

	if (crgetfsuid(cr) != owner)
		rc = priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM);

	return (rc);
}
125 | ||
/*
 * Determine if subject can change group ownership of a file.
 * Mapped to CAP_SETGID on Linux.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_vnode_create_gid(const cred_t *cr)
{
	int rc;

	rc = priv_policy(cr, CAP_SETGID, B_FALSE, EPERM);
	return (rc);
}
134 | ||
/*
 * Policy determines whether we can remove an entry from a directory,
 * regardless of permission bits.  Mapped to CAP_FOWNER on Linux.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_vnode_remove(const cred_t *cr)
{
	int rc;

	rc = priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM);
	return (rc);
}
144 | ||
/*
 * Determine that subject can modify the mode of a file.  allzone privilege
 * needed when modifying root owned object.
 *
 * On Linux the owner may always do so; anyone else needs CAP_FOWNER.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
{
	int rc = 0;

	if (crgetfsuid(cr) != owner)
		rc = priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM);

	return (rc);
}
157 | ||
/*
 * Are we allowed to retain the set-uid/set-gid bits when
 * changing ownership or when writing to a file?
 * "issuid" should be true when set-uid; only in that case
 * root ownership is checked (setgid is assumed).
 *
 * Enforced in the Linux VFS, so this always permits retention;
 * the arguments are not examined here.
 */
int
secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
{
	(void) cr;
	(void) issuidroot;

	return (0);
}
171 | ||
/*
 * Determine that subject can set the file setgid flag.
 *
 * Allowed without privilege when gid is the caller's fsgid or one of
 * its supplementary groups; otherwise CAP_FSETID is required.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
	/* groupmember() is only consulted when the fsgid does not match. */
	if (crgetfsgid(cr) == gid || groupmember(gid, cr))
		return (0);

	return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
}
183 | ||
/*
 * Determine if the subject can inject faults in the ZFS fault injection
 * framework.  Requires all privileges on illumos; on Linux this is mapped
 * to CAP_SYS_ADMIN.
 *
 * Returns 0 if permitted, EACCES (not EPERM) otherwise.
 */
int
secpolicy_zinject(const cred_t *cr)
{
	int rc;

	rc = priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES);
	return (rc);
}
193 | ||
/*
 * Determine if the subject has permission to manipulate ZFS datasets
 * (not pools).  Equivalent to the SYS_MOUNT privilege; on Linux this
 * is mapped to CAP_SYS_ADMIN.
 *
 * Returns 0 if permitted, EACCES (not EPERM) otherwise.
 */
int
secpolicy_zfs(const cred_t *cr)
{
	int rc;

	rc = priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES);
	return (rc);
}
203 | ||
/*
 * Clear the set-uid/set-gid bits from the requested attributes when the
 * subject is not allowed to retain them.
 *
 * When vap requests S_ISUID or S_ISGID, secpolicy_vnode_setid_retain() is
 * asked whether they may be kept; "issuidroot" is true only when S_ISUID
 * is requested together with a uid change (AT_UID) to 0.  If retention is
 * refused both bits are dropped and AT_MODE is added to va_mask so the
 * stripped mode is written back.
 *
 * In this file secpolicy_vnode_setid_retain() always returns 0, so the
 * bits are never cleared here; the Linux VFS enforces this instead.
 */
void
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
{
	int issuidroot;

	/* Nothing to do unless a set-id bit is being requested. */
	if ((vap->va_mode & (S_ISUID | S_ISGID)) == 0)
		return;

	issuidroot = (vap->va_mode & S_ISUID) != 0 &&
	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0;

	if (secpolicy_vnode_setid_retain(cr, issuidroot) != 0) {
		vap->va_mask |= AT_MODE;
		vap->va_mode &= ~(S_ISUID|S_ISGID);
	}
}
215 | ||
/*
 * Determine that subject can set the file setid flags.
 *
 * The file's owner may always do so; anyone else needs CAP_FSETID.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
static int
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
{
	int rc = 0;

	if (crgetfsuid(cr) != owner)
		rc = priv_policy(cr, CAP_FSETID, B_FALSE, EPERM);

	return (rc);
}
227 | ||
/*
 * Determine that subject can make a file a "sticky".
 *
 * Enforced in the Linux VFS, so this always permits; cr is not examined.
 */
static int
secpolicy_vnode_stky_modify(const cred_t *cr)
{
	(void) cr;

	return (0);
}
238 | ||
/*
 * Validate the set-uid, sticky and set-gid bits requested in vap against
 * the subject's privileges, using ovap for the file's current ownership.
 *
 * Set-uid is refused outright (the error is returned) when the subject
 * may not modify set-id flags on a file owned by ovap->va_uid.  The
 * sticky bit on a non-directory and the set-gid bit are not refused:
 * they are silently stripped from vap->va_mode when the corresponding
 * privilege check fails.  In this file secpolicy_vnode_stky_modify()
 * always returns 0, so the sticky bit is never stripped here.
 *
 * Returns 0, or the error from secpolicy_vnode_setid_modify().
 */
int
secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
    const vattr_t *ovap, cred_t *cr)
{
	int error;

	/* Set-uid needs the setid-modify privilege against the current owner. */
	if ((vap->va_mode & S_ISUID) != 0) {
		error = secpolicy_vnode_setid_modify(cr, ovap->va_uid);
		if (error != 0)
			return (error);
	}

	/* Sticky bit on a non-directory: drop it if unprivileged. */
	if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0) {
		if (secpolicy_vnode_stky_modify(cr) != 0)
			vap->va_mode &= ~S_ISVTX;
	}

	/* Set-gid: drop it if the subject cannot set it for the file's group. */
	if ((vap->va_mode & S_ISGID) != 0) {
		if (secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0)
			vap->va_mode &= ~S_ISGID;
	}

	return (0);
}
271 | ||
/*
 * Check privileges for setting xvattr attributes.
 *
 * On Linux this reduces to the chown check against owner; xvap and
 * vtype are not examined.
 *
 * Returns 0 if permitted, EPERM otherwise.
 */
int
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
{
	int rc;

	(void) xvap;
	(void) vtype;

	rc = secpolicy_vnode_chown(cr, owner);
	return (rc);
}
280 | ||
/*
 * Check privileges for setattr attributes.
 *
 * Enforced in the Linux VFS, so this always permits; none of the
 * arguments, including the unlocked_access callback, are used here.
 */
int
secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
    const struct vattr *ovap, int flags,
    int unlocked_access(void *, int, cred_t *), void *node)
{
	(void) cr;
	(void) ip;
	(void) vap;
	(void) ovap;
	(void) flags;
	(void) unlocked_access;
	(void) node;

	return (0);
}
293 | ||
/*
 * Check privileges for links.
 *
 * Enforced in the Linux VFS, so this always permits; cr is not examined.
 */
int
secpolicy_basic_link(const cred_t *cr)
{
	(void) cr;

	return (0);
}