[mirror_zfs-debian.git] / module / zfs / policy.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2013, Joyent, Inc. All rights reserved.
 * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
 *
 * For Linux the vast majority of this enforcement is already handled via
 * the standard Linux VFS permission checks.  However certain administrative
 * commands which bypass the standard mechanisms may need to make use of
 * this functionality.
 */

#include <sys/policy.h>
#include <linux/security.h>
#include <linux/vfs_compat.h>

/*
 * The passed credentials cannot be directly verified because Linux only
 * provides and interface to check the *current* process credentials.  In
 * order to handle this the capable() test is only run when the passed
 * credentials match the current process credentials or the kcred.  In
 * all other cases this function must fail and return the passed err.
 */
static int
priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
    struct user_namespace *ns)
{
	ASSERT3S(all, ==, B_FALSE);

	if (cr != CRED() && (cr != kcred))
		return (err);

#if defined(CONFIG_USER_NS) && defined(HAVE_NS_CAPABLE)
	if (!(ns ? ns_capable(ns, capability) : capable(capability)))
#else
	if (!capable(capability))
#endif
		return (err);

	return (0);
}

static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
{
	return (priv_policy_ns(cr, capability, all, err, NULL));
}

static int
priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
{
	/*
	 * All priv_policy_user checks are preceeded by kuid/kgid_has_mapping()
	 * checks. If we cannot do them, we shouldn't be using ns_capable()
	 * since we don't know whether the affected files are valid in our
	 * namespace. Note that kuid_has_mapping() came after cred->user_ns, so
	 * we shouldn't need to re-check for HAVE_CRED_USER_NS
	 */
#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
#else
	return (priv_policy_ns(cr, capability, all, err, NULL));
#endif
}

/*
 * Checks for operations that are either client-only or are used by
 * both clients and servers.
 */
int
secpolicy_nfs(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
}

/*
 * Catch all system configuration.
 */
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
}

/*
 * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 * current mode of the file, not the missing bits.
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
    mode_t curmode, mode_t wantmode)
{
	return (0);
}

/*
 * This is a special routine for ZFS; it is used to determine whether
 * any of the privileges in effect allow any form of access to the
 * file.  There's no reason to audit this or any reason to record
 * this.  More work is needed to do the "KPLD" stuff.
 */
int
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

	if (zpl_inode_owner_or_capable(ip))
		return (0);

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
		return (EPERM);
#endif

	if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
		return (0);

	if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
		return (0);

	return (EPERM);
}

/*
 * Determine if subject can chown owner of a file.
 */
int
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
		return (EPERM);
#endif

	return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
 * Determine if subject can change group ownership of a file.
 */
int
secpolicy_vnode_create_gid(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
}

/*
 * Policy determines whether we can remove an entry from a directory,
 * regardless of permission bits.
 */
int
secpolicy_vnode_remove(const cred_t *cr)
{
	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
 * Determine that subject can modify the mode of a file.  allzone privilege
 * needed when modifying root owned object.
 */
int
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
		return (EPERM);
#endif

	return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
 * Are we allowed to retain the set-uid/set-gid bits when
 * changing ownership or when writing to a file?
 * "issuid" should be true when set-uid; only in that case
 * root ownership is checked (setgid is assumed).
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
{
	return (0);
}

/*
 * Determine that subject can set the file setgid flag.
 */
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
		return (EPERM);
#endif
	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
		return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));

	return (0);
}

/*
 * Determine if the subject can inject faults in the ZFS fault injection
 * framework.  Requires all privileges.
 */
int
secpolicy_zinject(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
}

/*
 * Determine if the subject has permission to manipulate ZFS datasets
 * (not pools).  Equivalent to the SYS_MOUNT privilege.
 */
int
secpolicy_zfs(const cred_t *cr)
{
	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
}

void
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
{
	if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
	    secpolicy_vnode_setid_retain(cr,
	    (vap->va_mode & S_ISUID) != 0 &&
	    (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
		vap->va_mask |= AT_MODE;
		vap->va_mode &= ~(S_ISUID|S_ISGID);
	}
}

/*
 * Determine that subject can set the file setid flags.
 */
static int
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
{
	if (crgetfsuid(cr) == owner)
		return (0);

#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
		return (EPERM);
#endif

	return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
}

/*
 * Determine that subject can make a file a "sticky".
 *
 * Enforced in the Linux VFS.
 */
static int
secpolicy_vnode_stky_modify(const cred_t *cr)
{
	return (0);
}

int
secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
    const vattr_t *ovap, cred_t *cr)
{
	int error;

	if ((vap->va_mode & S_ISUID) != 0 &&
	    (error = secpolicy_vnode_setid_modify(cr,
	    ovap->va_uid)) != 0) {
		return (error);
	}

	/*
	 * Check privilege if attempting to set the
	 * sticky bit on a non-directory.
	 */
	if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
	    secpolicy_vnode_stky_modify(cr) != 0) {
		vap->va_mode &= ~S_ISVTX;
	}

	/*
	 * Check for privilege if attempting to set the
	 * group-id bit.
	 */
	if ((vap->va_mode & S_ISGID) != 0 &&
	    secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
		vap->va_mode &= ~S_ISGID;
	}

	return (0);
}

/*
 * Check privileges for setting xvattr attributes
 */
int
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
{
	return (secpolicy_vnode_chown(cr, owner));
}

/*
 * Check privileges for setattr attributes.
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
    const struct vattr *ovap, int flags,
    int unlocked_access(void *, int, cred_t *), void *node)
{
	return (0);
}

/*
 * Check privileges for links.
 *
 * Enforced in the Linux VFS.
 */
int
secpolicy_basic_link(const cred_t *cr)
{
	return (0);
}
Commit	Line	Data
cae5b340 AX	1	/*
	2	* CDDL HEADER START
	3	*
	4	* The contents of this file are subject to the terms of the
	5	* Common Development and Distribution License (the "License").
	6	* You may not use this file except in compliance with the License.
	7	*
	8	* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
	9	* or http://www.opensolaris.org/os/licensing.
	10	* See the License for the specific language governing permissions
	11	* and limitations under the License.
	12	*
	13	* When distributing Covered Code, include this CDDL HEADER in each
	14	* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
	15	* If applicable, add the following below this CDDL HEADER, with the
	16	* fields enclosed by brackets "[]" replaced with your own identifying
	17	* information: Portions Copyright [yyyy] [name of copyright owner]
	18	*
	19	* CDDL HEADER END
	20	*/
	21
	22	/*
	23	* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
	24	* Copyright 2013, Joyent, Inc. All rights reserved.
	25	* Copyright (C) 2016 Lawrence Livermore National Security, LLC.
	26	*
	27	* For Linux the vast majority of this enforcement is already handled via
	28	* the standard Linux VFS permission checks. However certain administrative
	29	* commands which bypass the standard mechanisms may need to make use of
	30	* this functionality.
	31	*/
	32
	33	#include <sys/policy.h>
	34	#include <linux/security.h>
	35	#include <linux/vfs_compat.h>
	36
	37	/*
	38	* The passed credentials cannot be directly verified because Linux only
	39	* provides and interface to check the current process credentials. In
	40	* order to handle this the capable() test is only run when the passed
	41	* credentials match the current process credentials or the kcred. In
	42	* all other cases this function must fail and return the passed err.
	43	*/
	44	static int
42f7b73b AX	45	priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
42f7b73b AX	46	struct user_namespace *ns)
cae5b340 AX	47	{
	48	ASSERT3S(all, ==, B_FALSE);
	49
	50	if (cr != CRED() && (cr != kcred))
	51	return (err);
	52
42f7b73b AX	53	#if defined(CONFIG_USER_NS) && defined(HAVE_NS_CAPABLE)
	54	if (!(ns ? ns_capable(ns, capability) : capable(capability)))
	55	#else
cae5b340	56	if (!capable(capability))
42f7b73b	57	#endif
cae5b340 AX	58	return (err);
	59
	60	return (0);
	61	}
	62
42f7b73b AX	63	static int
	64	priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
	65	{
	66	return (priv_policy_ns(cr, capability, all, err, NULL));
	67	}
	68
	69	static int
	70	priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
	71	{
	72	/*
	73	* All priv_policy_user checks are preceeded by kuid/kgid_has_mapping()
	74	* checks. If we cannot do them, we shouldn't be using ns_capable()
	75	* since we don't know whether the affected files are valid in our
	76	* namespace. Note that kuid_has_mapping() came after cred->user_ns, so
	77	* we shouldn't need to re-check for HAVE_CRED_USER_NS
	78	*/
	79	#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	80	return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
	81	#else
	82	return (priv_policy_ns(cr, capability, all, err, NULL));
	83	#endif
	84	}
	85
cae5b340 AX	86	/*
	87	* Checks for operations that are either client-only or are used by
	88	* both clients and servers.
	89	*/
	90	int
	91	secpolicy_nfs(const cred_t *cr)
	92	{
	93	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
	94	}
	95
	96	/*
	97	* Catch all system configuration.
	98	*/
	99	int
	100	secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
	101	{
	102	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
	103	}
	104
	105	/*
	106	* Like secpolicy_vnode_access() but we get the actual wanted mode and the
	107	* current mode of the file, not the missing bits.
	108	*
	109	* Enforced in the Linux VFS.
	110	*/
	111	int
	112	secpolicy_vnode_access2(const cred_t cr, struct inode ip, uid_t owner,
	113	mode_t curmode, mode_t wantmode)
	114	{
	115	return (0);
	116	}
	117
	118	/*
	119	* This is a special routine for ZFS; it is used to determine whether
	120	* any of the privileges in effect allow any form of access to the
	121	* file. There's no reason to audit this or any reason to record
	122	* this. More work is needed to do the "KPLD" stuff.
	123	*/
	124	int
	125	secpolicy_vnode_any_access(const cred_t cr, struct inode ip, uid_t owner)
	126	{
	127	if (crgetfsuid(cr) == owner)
	128	return (0);
	129
	130	if (zpl_inode_owner_or_capable(ip))
	131	return (0);
	132
42f7b73b AX	133	#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	134	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
	135	return (EPERM);
	136	#endif
	137
	138	if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
cae5b340 AX	139	return (0);
cae5b340 AX	140
42f7b73b	141	if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
cae5b340 AX	142	return (0);
	143
	144	return (EPERM);
	145	}
	146
	147	/*
	148	* Determine if subject can chown owner of a file.
	149	*/
	150	int
	151	secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
	152	{
	153	if (crgetfsuid(cr) == owner)
	154	return (0);
	155
42f7b73b AX	156	#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	157	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
	158	return (EPERM);
	159	#endif
	160
	161	return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
cae5b340 AX	162	}
	163
	164	/*
	165	* Determine if subject can change group ownership of a file.
	166	*/
	167	int
	168	secpolicy_vnode_create_gid(const cred_t *cr)
	169	{
	170	return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
	171	}
	172
	173	/*
	174	* Policy determines whether we can remove an entry from a directory,
	175	* regardless of permission bits.
	176	*/
	177	int
	178	secpolicy_vnode_remove(const cred_t *cr)
	179	{
	180	return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
	181	}
	182
	183	/*
	184	* Determine that subject can modify the mode of a file. allzone privilege
	185	* needed when modifying root owned object.
	186	*/
	187	int
	188	secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
	189	{
	190	if (crgetfsuid(cr) == owner)
	191	return (0);
	192
42f7b73b AX	193	#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	194	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
	195	return (EPERM);
	196	#endif
	197
	198	return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
cae5b340 AX	199	}
	200
	201	/*
	202	* Are we allowed to retain the set-uid/set-gid bits when
	203	* changing ownership or when writing to a file?
	204	* "issuid" should be true when set-uid; only in that case
	205	* root ownership is checked (setgid is assumed).
	206	*
	207	* Enforced in the Linux VFS.
	208	*/
	209	int
	210	secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
	211	{
	212	return (0);
	213	}
	214
	215	/*
	216	* Determine that subject can set the file setgid flag.
	217	*/
	218	int
	219	secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
	220	{
42f7b73b AX	221	#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	222	if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
	223	return (EPERM);
	224	#endif
cae5b340	225	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
42f7b73b	226	return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
cae5b340 AX	227
	228	return (0);
	229	}
	230
	231	/*
	232	* Determine if the subject can inject faults in the ZFS fault injection
	233	* framework. Requires all privileges.
	234	*/
	235	int
	236	secpolicy_zinject(const cred_t *cr)
	237	{
	238	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
	239	}
	240
	241	/*
	242	* Determine if the subject has permission to manipulate ZFS datasets
	243	* (not pools). Equivalent to the SYS_MOUNT privilege.
	244	*/
	245	int
	246	secpolicy_zfs(const cred_t *cr)
	247	{
	248	return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
	249	}
	250
	251	void
	252	secpolicy_setid_clear(vattr_t vap, cred_t cr)
	253	{
	254	if ((vap->va_mode & (S_ISUID \| S_ISGID)) != 0 &&
	255	secpolicy_vnode_setid_retain(cr,
	256	(vap->va_mode & S_ISUID) != 0 &&
	257	(vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
	258	vap->va_mask \|= AT_MODE;
	259	vap->va_mode &= ~(S_ISUID\|S_ISGID);
	260	}
	261	}
	262
	263	/*
	264	* Determine that subject can set the file setid flags.
	265	*/
	266	static int
	267	secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
	268	{
	269	if (crgetfsuid(cr) == owner)
	270	return (0);
	271
42f7b73b AX	272	#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
	273	if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
	274	return (EPERM);
	275	#endif
	276
	277	return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
cae5b340 AX	278	}
	279
	280	/*
	281	* Determine that subject can make a file a "sticky".
	282	*
	283	* Enforced in the Linux VFS.
	284	*/
	285	static int
	286	secpolicy_vnode_stky_modify(const cred_t *cr)
	287	{
	288	return (0);
	289	}
	290
	291	int
	292	secpolicy_setid_setsticky_clear(struct inode ip, vattr_t vap,
	293	const vattr_t ovap, cred_t cr)
	294	{
	295	int error;
	296
	297	if ((vap->va_mode & S_ISUID) != 0 &&
	298	(error = secpolicy_vnode_setid_modify(cr,
	299	ovap->va_uid)) != 0) {
	300	return (error);
	301	}
	302
	303	/*
	304	* Check privilege if attempting to set the
	305	* sticky bit on a non-directory.
	306	*/
	307	if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
	308	secpolicy_vnode_stky_modify(cr) != 0) {
	309	vap->va_mode &= ~S_ISVTX;
	310	}
	311
	312	/*
	313	* Check for privilege if attempting to set the
	314	* group-id bit.
	315	*/
	316	if ((vap->va_mode & S_ISGID) != 0 &&
	317	secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
	318	vap->va_mode &= ~S_ISGID;
	319	}
	320
	321	return (0);
	322	}
	323
	324	/*
	325	* Check privileges for setting xvattr attributes
	326	*/
	327	int
	328	secpolicy_xvattr(xvattr_t xvap, uid_t owner, cred_t cr, vtype_t vtype)
	329	{
	330	return (secpolicy_vnode_chown(cr, owner));
	331	}
	332
	333	/*
	334	* Check privileges for setattr attributes.
	335	*
	336	* Enforced in the Linux VFS.
	337	*/
	338	int
	339	secpolicy_vnode_setattr(cred_t cr, struct inode ip, struct vattr *vap,
	340	const struct vattr *ovap, int flags,
	341	int unlocked_access(void , int, cred_t ), void *node)
342	{
343	return (0);
344	}
345
346	/*
347	* Check privileges for links.
348	*
349	* Enforced in the Linux VFS.
350	*/
351	int
352	secpolicy_basic_link(const cred_t *cr)
353	{
354	return (0);
355	}