]>
git.proxmox.com Git - mirror_zfs.git/blob - module/zfs/policy.c
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2013, Joyent, Inc. All rights reserved.
25 * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
27 * For Linux the vast majority of this enforcement is already handled via
28 * the standard Linux VFS permission checks. However certain administrative
29 * commands which bypass the standard mechanisms may need to make use of
33 #include <sys/policy.h>
34 #include <linux/security.h>
35 #include <linux/vfs_compat.h>
38 * The passed credentials cannot be directly verified because Linux only
39 * provides and interface to check the *current* process credentials. In
40 * order to handle this the capable() test is only run when the passed
41 * credentials match the current process credentials or the kcred. In
42 * all other cases this function must fail and return the passed err.
45 priv_policy_ns(const cred_t
*cr
, int capability
, boolean_t all
, int err
,
46 struct user_namespace
*ns
)
48 ASSERT3S(all
, ==, B_FALSE
);
50 if (cr
!= CRED() && (cr
!= kcred
))
53 #if defined(CONFIG_USER_NS) && defined(HAVE_NS_CAPABLE)
54 if (!(ns
? ns_capable(ns
, capability
) : capable(capability
)))
56 if (!capable(capability
))
64 priv_policy(const cred_t
*cr
, int capability
, boolean_t all
, int err
)
66 return (priv_policy_ns(cr
, capability
, all
, err
, NULL
));
70 priv_policy_user(const cred_t
*cr
, int capability
, boolean_t all
, int err
)
73 * All priv_policy_user checks are preceeded by kuid/kgid_has_mapping()
74 * checks. If we cannot do them, we shouldn't be using ns_capable()
75 * since we don't know whether the affected files are valid in our
76 * namespace. Note that kuid_has_mapping() came after cred->user_ns, so
77 * we shouldn't need to re-check for HAVE_CRED_USER_NS
79 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
80 return (priv_policy_ns(cr
, capability
, all
, err
, cr
->user_ns
));
82 return (priv_policy_ns(cr
, capability
, all
, err
, NULL
));
87 * Checks for operations that are either client-only or are used by
88 * both clients and servers.
91 secpolicy_nfs(const cred_t
*cr
)
93 return (priv_policy(cr
, CAP_SYS_ADMIN
, B_FALSE
, EPERM
));
97 * Catch all system configuration.
100 secpolicy_sys_config(const cred_t
*cr
, boolean_t checkonly
)
102 return (priv_policy(cr
, CAP_SYS_ADMIN
, B_FALSE
, EPERM
));
106 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
107 * current mode of the file, not the missing bits.
109 * Enforced in the Linux VFS.
112 secpolicy_vnode_access2(const cred_t
*cr
, struct inode
*ip
, uid_t owner
,
113 mode_t curmode
, mode_t wantmode
)
119 * This is a special routine for ZFS; it is used to determine whether
120 * any of the privileges in effect allow any form of access to the
121 * file. There's no reason to audit this or any reason to record
122 * this. More work is needed to do the "KPLD" stuff.
125 secpolicy_vnode_any_access(const cred_t
*cr
, struct inode
*ip
, uid_t owner
)
127 if (crgetfsuid(cr
) == owner
)
130 if (zpl_inode_owner_or_capable(ip
))
133 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
134 if (!kuid_has_mapping(cr
->user_ns
, SUID_TO_KUID(owner
)))
138 if (priv_policy_user(cr
, CAP_DAC_OVERRIDE
, B_FALSE
, EPERM
) == 0)
141 if (priv_policy_user(cr
, CAP_DAC_READ_SEARCH
, B_FALSE
, EPERM
) == 0)
148 * Determine if subject can chown owner of a file.
151 secpolicy_vnode_chown(const cred_t
*cr
, uid_t owner
)
153 if (crgetfsuid(cr
) == owner
)
156 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
157 if (!kuid_has_mapping(cr
->user_ns
, SUID_TO_KUID(owner
)))
161 return (priv_policy_user(cr
, CAP_FOWNER
, B_FALSE
, EPERM
));
165 * Determine if subject can change group ownership of a file.
168 secpolicy_vnode_create_gid(const cred_t
*cr
)
170 return (priv_policy(cr
, CAP_SETGID
, B_FALSE
, EPERM
));
174 * Policy determines whether we can remove an entry from a directory,
175 * regardless of permission bits.
178 secpolicy_vnode_remove(const cred_t
*cr
)
180 return (priv_policy(cr
, CAP_FOWNER
, B_FALSE
, EPERM
));
184 * Determine that subject can modify the mode of a file. allzone privilege
185 * needed when modifying root owned object.
188 secpolicy_vnode_setdac(const cred_t
*cr
, uid_t owner
)
190 if (crgetfsuid(cr
) == owner
)
193 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
194 if (!kuid_has_mapping(cr
->user_ns
, SUID_TO_KUID(owner
)))
198 return (priv_policy_user(cr
, CAP_FOWNER
, B_FALSE
, EPERM
));
202 * Are we allowed to retain the set-uid/set-gid bits when
203 * changing ownership or when writing to a file?
204 * "issuid" should be true when set-uid; only in that case
205 * root ownership is checked (setgid is assumed).
207 * Enforced in the Linux VFS.
210 secpolicy_vnode_setid_retain(const cred_t
*cr
, boolean_t issuidroot
)
216 * Determine that subject can set the file setgid flag.
219 secpolicy_vnode_setids_setgids(const cred_t
*cr
, gid_t gid
)
221 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
222 if (!kgid_has_mapping(cr
->user_ns
, SGID_TO_KGID(gid
)))
225 if (crgetfsgid(cr
) != gid
&& !groupmember(gid
, cr
))
226 return (priv_policy_user(cr
, CAP_FSETID
, B_FALSE
, EPERM
));
232 * Determine if the subject can inject faults in the ZFS fault injection
233 * framework. Requires all privileges.
236 secpolicy_zinject(const cred_t
*cr
)
238 return (priv_policy(cr
, CAP_SYS_ADMIN
, B_FALSE
, EACCES
));
242 * Determine if the subject has permission to manipulate ZFS datasets
243 * (not pools). Equivalent to the SYS_MOUNT privilege.
246 secpolicy_zfs(const cred_t
*cr
)
248 return (priv_policy(cr
, CAP_SYS_ADMIN
, B_FALSE
, EACCES
));
252 secpolicy_setid_clear(vattr_t
*vap
, cred_t
*cr
)
254 if ((vap
->va_mode
& (S_ISUID
| S_ISGID
)) != 0 &&
255 secpolicy_vnode_setid_retain(cr
,
256 (vap
->va_mode
& S_ISUID
) != 0 &&
257 (vap
->va_mask
& AT_UID
) != 0 && vap
->va_uid
== 0) != 0) {
258 vap
->va_mask
|= AT_MODE
;
259 vap
->va_mode
&= ~(S_ISUID
|S_ISGID
);
264 * Determine that subject can set the file setid flags.
267 secpolicy_vnode_setid_modify(const cred_t
*cr
, uid_t owner
)
269 if (crgetfsuid(cr
) == owner
)
272 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
273 if (!kuid_has_mapping(cr
->user_ns
, SUID_TO_KUID(owner
)))
277 return (priv_policy_user(cr
, CAP_FSETID
, B_FALSE
, EPERM
));
281 * Determine that subject can make a file a "sticky".
283 * Enforced in the Linux VFS.
286 secpolicy_vnode_stky_modify(const cred_t
*cr
)
292 secpolicy_setid_setsticky_clear(struct inode
*ip
, vattr_t
*vap
,
293 const vattr_t
*ovap
, cred_t
*cr
)
297 if ((vap
->va_mode
& S_ISUID
) != 0 &&
298 (error
= secpolicy_vnode_setid_modify(cr
,
299 ovap
->va_uid
)) != 0) {
304 * Check privilege if attempting to set the
305 * sticky bit on a non-directory.
307 if (!S_ISDIR(ip
->i_mode
) && (vap
->va_mode
& S_ISVTX
) != 0 &&
308 secpolicy_vnode_stky_modify(cr
) != 0) {
309 vap
->va_mode
&= ~S_ISVTX
;
313 * Check for privilege if attempting to set the
316 if ((vap
->va_mode
& S_ISGID
) != 0 &&
317 secpolicy_vnode_setids_setgids(cr
, ovap
->va_gid
) != 0) {
318 vap
->va_mode
&= ~S_ISGID
;
325 * Check privileges for setting xvattr attributes
328 secpolicy_xvattr(xvattr_t
*xvap
, uid_t owner
, cred_t
*cr
, vtype_t vtype
)
330 return (secpolicy_vnode_chown(cr
, owner
));
334 * Check privileges for setattr attributes.
336 * Enforced in the Linux VFS.
339 secpolicy_vnode_setattr(cred_t
*cr
, struct inode
*ip
, struct vattr
*vap
,
340 const struct vattr
*ovap
, int flags
,
341 int unlocked_access(void *, int, cred_t
*), void *node
)
347 * Check privileges for links.
349 * Enforced in the Linux VFS.
352 secpolicy_basic_link(const cred_t
*cr
)