module/zfs/policy.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21
  22 /*
  23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright 2013, Joyent, Inc. All rights reserved.
  25  * Copyright (C) 2016 Lawrence Livermore National Security, LLC.
  26  *
  27  * For Linux the vast majority of this enforcement is already handled via
  28  * the standard Linux VFS permission checks.  However certain administrative
  29  * commands which bypass the standard mechanisms may need to make use of
  30  * this functionality.
  31  */
  32
  33 #include <sys/policy.h>
  34 #include <linux/security.h>
  35 #include <linux/vfs_compat.h>
  36
  37 /*
  38  * The passed credentials cannot be directly verified because Linux only
  39  * provides and interface to check the *current* process credentials.  In
  40  * order to handle this the capable() test is only run when the passed
  41  * credentials match the current process credentials or the kcred.  In
  42  * all other cases this function must fail and return the passed err.
  43  */
  44 static int
  45 priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
  46     struct user_namespace *ns)
  47 {
  48         ASSERT3S(all, ==, B_FALSE);
  49
  50         if (cr != CRED() && (cr != kcred))
  51                 return (err);
  52
  53 #if defined(CONFIG_USER_NS) && defined(HAVE_NS_CAPABLE)
  54         if (!(ns ? ns_capable(ns, capability) : capable(capability)))
  55 #else
  56         if (!capable(capability))
  57 #endif
  58                 return (err);
  59
  60         return (0);
  61 }
  62
  63 static int
  64 priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
  65 {
  66         return (priv_policy_ns(cr, capability, all, err, NULL));
  67 }
  68
  69 static int
  70 priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
  71 {
  72         /*
  73          * All priv_policy_user checks are preceeded by kuid/kgid_has_mapping()
  74          * checks. If we cannot do them, we shouldn't be using ns_capable()
  75          * since we don't know whether the affected files are valid in our
  76          * namespace. Note that kuid_has_mapping() came after cred->user_ns, so
  77          * we shouldn't need to re-check for HAVE_CRED_USER_NS
  78          */
  79 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
  80         return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
  81 #else
  82         return (priv_policy_ns(cr, capability, all, err, NULL));
  83 #endif
  84 }
  85
  86 /*
  87  * Checks for operations that are either client-only or are used by
  88  * both clients and servers.
  89  */
  90 int
  91 secpolicy_nfs(const cred_t *cr)
  92 {
  93         return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
  94 }
  95
  96 /*
  97  * Catch all system configuration.
  98  */
  99 int
 100 secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
 101 {
 102         return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
 103 }
 104
 105 /*
 106  * Like secpolicy_vnode_access() but we get the actual wanted mode and the
 107  * current mode of the file, not the missing bits.
 108  *
 109  * Enforced in the Linux VFS.
 110  */
 111 int
 112 secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
 113     mode_t curmode, mode_t wantmode)
 114 {
 115         return (0);
 116 }
 117
 118 /*
 119  * This is a special routine for ZFS; it is used to determine whether
 120  * any of the privileges in effect allow any form of access to the
 121  * file.  There's no reason to audit this or any reason to record
 122  * this.  More work is needed to do the "KPLD" stuff.
 123  */
 124 int
 125 secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
 126 {
 127         if (crgetfsuid(cr) == owner)
 128                 return (0);
 129
 130         if (zpl_inode_owner_or_capable(ip))
 131                 return (0);
 132
 133 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
 134         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 135                 return (EPERM);
 136 #endif
 137
 138         if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
 139                 return (0);
 140
 141         if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
 142                 return (0);
 143
 144         return (EPERM);
 145 }
 146
 147 /*
 148  * Determine if subject can chown owner of a file.
 149  */
 150 int
 151 secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
 152 {
 153         if (crgetfsuid(cr) == owner)
 154                 return (0);
 155
 156 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
 157         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 158                 return (EPERM);
 159 #endif
 160
 161         return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
 162 }
 163
 164 /*
 165  * Determine if subject can change group ownership of a file.
 166  */
 167 int
 168 secpolicy_vnode_create_gid(const cred_t *cr)
 169 {
 170         return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
 171 }
 172
 173 /*
 174  * Policy determines whether we can remove an entry from a directory,
 175  * regardless of permission bits.
 176  */
 177 int
 178 secpolicy_vnode_remove(const cred_t *cr)
 179 {
 180         return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
 181 }
 182
 183 /*
 184  * Determine that subject can modify the mode of a file.  allzone privilege
 185  * needed when modifying root owned object.
 186  */
 187 int
 188 secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
 189 {
 190         if (crgetfsuid(cr) == owner)
 191                 return (0);
 192
 193 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
 194         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 195                 return (EPERM);
 196 #endif
 197
 198         return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
 199 }
 200
 201 /*
 202  * Are we allowed to retain the set-uid/set-gid bits when
 203  * changing ownership or when writing to a file?
 204  * "issuid" should be true when set-uid; only in that case
 205  * root ownership is checked (setgid is assumed).
 206  *
 207  * Enforced in the Linux VFS.
 208  */
 209 int
 210 secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
 211 {
 212         return (0);
 213 }
 214
 215 /*
 216  * Determine that subject can set the file setgid flag.
 217  */
 218 int
 219 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
 220 {
 221 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
 222         if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
 223                 return (EPERM);
 224 #endif
 225         if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
 226                 return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
 227
 228         return (0);
 229 }
 230
 231 /*
 232  * Determine if the subject can inject faults in the ZFS fault injection
 233  * framework.  Requires all privileges.
 234  */
 235 int
 236 secpolicy_zinject(const cred_t *cr)
 237 {
 238         return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
 239 }
 240
 241 /*
 242  * Determine if the subject has permission to manipulate ZFS datasets
 243  * (not pools).  Equivalent to the SYS_MOUNT privilege.
 244  */
 245 int
 246 secpolicy_zfs(const cred_t *cr)
 247 {
 248         return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
 249 }
 250
 251 void
 252 secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
 253 {
 254         if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
 255             secpolicy_vnode_setid_retain(cr,
 256             (vap->va_mode & S_ISUID) != 0 &&
 257             (vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
 258                 vap->va_mask |= AT_MODE;
 259                 vap->va_mode &= ~(S_ISUID|S_ISGID);
 260         }
 261 }
 262
 263 /*
 264  * Determine that subject can set the file setid flags.
 265  */
 266 static int
 267 secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
 268 {
 269         if (crgetfsuid(cr) == owner)
 270                 return (0);
 271
 272 #if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
 273         if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 274                 return (EPERM);
 275 #endif
 276
 277         return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
 278 }
 279
 280 /*
 281  * Determine that subject can make a file a "sticky".
 282  *
 283  * Enforced in the Linux VFS.
 284  */
 285 static int
 286 secpolicy_vnode_stky_modify(const cred_t *cr)
 287 {
 288         return (0);
 289 }
 290
 291 int
 292 secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
 293     const vattr_t *ovap, cred_t *cr)
 294 {
 295         int error;
 296
 297         if ((vap->va_mode & S_ISUID) != 0 &&
 298             (error = secpolicy_vnode_setid_modify(cr,
 299             ovap->va_uid)) != 0) {
 300                 return (error);
 301         }
 302
 303         /*
 304          * Check privilege if attempting to set the
 305          * sticky bit on a non-directory.
 306          */
 307         if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
 308             secpolicy_vnode_stky_modify(cr) != 0) {
 309                 vap->va_mode &= ~S_ISVTX;
 310         }
 311
 312         /*
 313          * Check for privilege if attempting to set the
 314          * group-id bit.
 315          */
 316         if ((vap->va_mode & S_ISGID) != 0 &&
 317             secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
 318                 vap->va_mode &= ~S_ISGID;
 319         }
 320
 321         return (0);
 322 }
 323
 324 /*
 325  * Check privileges for setting xvattr attributes
 326  */
 327 int
 328 secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, vtype_t vtype)
 329 {
 330         return (secpolicy_vnode_chown(cr, owner));
 331 }
 332
 333 /*
 334  * Check privileges for setattr attributes.
 335  *
 336  * Enforced in the Linux VFS.
 337  */
 338 int
 339 secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
 340     const struct vattr *ovap, int flags,
 341     int unlocked_access(void *, int, cred_t *), void *node)
 342 {
 343         return (0);
 344 }
 345
 346 /*
 347  * Check privileges for links.
 348  *
 349  * Enforced in the Linux VFS.
 350  */
 351 int
 352 secpolicy_basic_link(const cred_t *cr)
 353 {
 354         return (0);
 355 }