1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * 24INSERT COMMENT 25 */ 26 27# 28# Privileges can be added to this file at any location, not 29# necessarily at the end. For patches, it is probably best to 30# add the new privilege at the end; for ordinary releases privileges 31# should be ordered alphabetically. 32# 33 34privilege PRIV_CONTRACT_EVENT 35 36 Allows a process to request critical events without limitation. 37 Allows a process to request reliable delivery of all events on 38 any event queue. 39 40privilege PRIV_CONTRACT_IDENTITY 41 42 Allows a process to set the service FMRI value of a process 43 contract template. 44 45privilege PRIV_CONTRACT_OBSERVER 46 47 Allows a process to observe contract events generated by 48 contracts created and owned by users other than the process's 49 effective user ID. 50 Allows a process to open contract event endpoints belonging to 51 contracts created and owned by users other than the process's 52 effective user ID. 53 54privilege PRIV_CPC_CPU 55 56 Allow a process to access per-CPU hardware performance counters. 57 58privilege PRIV_DTRACE_KERNEL 59 60 Allows DTrace kernel-level tracing. 61 62privilege PRIV_DTRACE_PROC 63 64 Allows DTrace process-level tracing. 65 Allows process-level tracing probes to be placed and enabled in 66 processes to which the user has permissions. 67 68privilege PRIV_DTRACE_USER 69 70 Allows DTrace user-level tracing. 71 Allows use of the syscall and profile DTrace providers to 72 examine processes to which the user has permissions. 73 74privilege PRIV_FILE_CHOWN 75 76 Allows a process to change a file's owner user ID. 77 Allows a process to change a file's group ID to one other than 78 the process' effective group ID or one of the process' 79 supplemental group IDs. 80 81privilege PRIV_FILE_CHOWN_SELF 82 83 Allows a process to give away its files; a process with this 84 privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not 85 in effect. 86 87privilege PRIV_FILE_DAC_EXECUTE 88 89 Allows a process to execute an executable file whose permission 90 bits or ACL do not allow the process execute permission. 91 92privilege PRIV_FILE_DAC_READ 93 94 Allows a process to read a file or directory whose permission 95 bits or ACL do not allow the process read permission. 96 97privilege PRIV_FILE_DAC_SEARCH 98 99 Allows a process to search a directory whose permission bits or 100 ACL do not allow the process search permission. 101 102privilege PRIV_FILE_DAC_WRITE 103 104 Allows a process to write a file or directory whose permission 105 bits or ACL do not allow the process write permission. 106 In order to write files owned by uid 0 in the absence of an 107 effective uid of 0 ALL privileges are required. 108 109privilege PRIV_FILE_DOWNGRADE_SL 110 111 Allows a process to set the sensitivity label of a file or 112 directory to a sensitivity label that does not dominate the 113 existing sensitivity label. 114 This privilege is interpreted only if the system is configured 115 with Trusted Extensions. 116 117privilege PRIV_FILE_FLAG_SET 118 119 Allows a process to set immutable, nounlink or appendonly 120 file attributes. 121 122basic privilege PRIV_FILE_LINK_ANY 123 124 Allows a process to create hardlinks to files owned by a uid 125 different from the process' effective uid. 126 127privilege PRIV_FILE_OWNER 128 129 Allows a process which is not the owner of a file or directory 130 to perform the following operations that are normally permitted 131 only for the file owner: modify that file's access and 132 modification times; remove or rename a file or directory whose 133 parent directory has the ``save text image after execution'' 134 (sticky) bit set; mount a ``namefs'' upon a file; modify 135 permission bits or ACL except for the set-uid and set-gid 136 bits. 137 138basic privilege PRIV_FILE_READ 139 140 Allows a process to read objects in the filesystem. 141 142privilege PRIV_FILE_SETID 143 144 Allows a process to change the ownership of a file or write to 145 a file without the set-user-ID and set-group-ID bits being 146 cleared. 147 Allows a process to set the set-group-ID bit on a file or 148 directory whose group is not the process' effective group or 149 one of the process' supplemental groups. 150 Allows a process to set the set-user-ID bit on a file with 151 different ownership in the presence of PRIV_FILE_OWNER. 152 Additional restrictions apply when creating or modifying a 153 set-uid 0 file. 154 155privilege PRIV_FILE_UPGRADE_SL 156 157 Allows a process to set the sensitivity label of a file or 158 directory to a sensitivity label that dominates the existing 159 sensitivity label. 160 This privilege is interpreted only if the system is configured 161 with Trusted Extensions. 162 163basic privilege PRIV_FILE_WRITE 164 165 Allows a process to modify objects in the filesystem. 166 167privilege PRIV_GRAPHICS_ACCESS 168 169 Allows a process to make privileged ioctls to graphics devices. 170 Typically only xserver process needs to have this privilege. 171 A process with this privilege is also allowed to perform 172 privileged graphics device mappings. 173 174privilege PRIV_GRAPHICS_MAP 175 176 Allows a process to perform privileged mappings through a 177 graphics device. 178 179privilege PRIV_IPC_DAC_READ 180 181 Allows a process to read a System V IPC 182 Message Queue, Semaphore Set, or Shared Memory Segment whose 183 permission bits do not allow the process read permission. 184 Allows a process to read remote shared memory whose 185 permission bits do not allow the process read permission. 186 187privilege PRIV_IPC_DAC_WRITE 188 189 Allows a process to write a System V IPC 190 Message Queue, Semaphore Set, or Shared Memory Segment whose 191 permission bits do not allow the process write permission. 192 Allows a process to read remote shared memory whose 193 permission bits do not allow the process write permission. 194 Additional restrictions apply if the owner of the object has uid 0 195 and the effective uid of the current process is not 0. 196 197privilege PRIV_IPC_OWNER 198 199 Allows a process which is not the owner of a System 200 V IPC Message Queue, Semaphore Set, or Shared Memory Segment to 201 remove, change ownership of, or change permission bits of the 202 Message Queue, Semaphore Set, or Shared Memory Segment. 203 Additional restrictions apply if the owner of the object has uid 0 204 and the effective uid of the current process is not 0. 205 206basic privilege PRIV_NET_ACCESS 207 208 Allows a process to open a TCP, UDP, SDP or SCTP network endpoint. 209 210privilege PRIV_NET_BINDMLP 211 212 Allow a process to bind to a port that is configured as a 213 multi-level port(MLP) for the process's zone. This privilege 214 applies to both shared address and zone-specific address MLPs. 215 See tnzonecfg(4) from the Trusted Extensions manual pages for 216 information on configuring MLP ports. 217 This privilege is interpreted only if the system is configured 218 with Trusted Extensions. 219 220privilege PRIV_NET_ICMPACCESS 221 222 Allows a process to send and receive ICMP packets. 223 224privilege PRIV_NET_MAC_AWARE 225 226 Allows a process to set NET_MAC_AWARE process flag by using 227 setpflags(2). This privilege also allows a process to set 228 SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). 229 The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket 230 option both allow a local process to communicate with an 231 unlabeled peer if the local process' label dominates the 232 peer's default label, or if the local process runs in the 233 global zone. 234 This privilege is interpreted only if the system is configured 235 with Trusted Extensions. 236 237privilege PRIV_NET_MAC_IMPLICIT 238 239 Allows a process to set SO_MAC_IMPLICIT option by using 240 setsockopt(3SOCKET). This allows a privileged process to 241 transmit implicitly-labeled packets to a peer. 242 This privilege is interpreted only if the system is configured 243 with Trusted Extensions. 244 245privilege PRIV_NET_OBSERVABILITY 246 247 Allows a process to access /dev/lo0 and the devices in /dev/ipnet/ 248 while not requiring them to need PRIV_NET_RAWACCESS. 249 250privilege PRIV_NET_PRIVADDR 251 252 Allows a process to bind to a privileged port 253 number. The privilege port numbers are 1-1023 (the traditional 254 UNIX privileged ports) as well as those ports marked as 255 "udp/tcp_extra_priv_ports" with the exception of the ports 256 reserved for use by NFS. 257 258privilege PRIV_NET_RAWACCESS 259 260 Allows a process to have direct access to the network layer. 261 262unsafe privilege PRIV_PROC_AUDIT 263 264 Allows a process to generate audit records. 265 Allows a process to get its own audit pre-selection information. 266 267privilege PRIV_PROC_CHROOT 268 269 Allows a process to change its root directory. 270 271privilege PRIV_PROC_CLOCK_HIGHRES 272 273 Allows a process to use high resolution timers. 274 275basic privilege PRIV_PROC_EXEC 276 277 Allows a process to call execve(). 278 279basic privilege PRIV_PROC_FORK 280 281 Allows a process to call fork1()/forkall()/vfork() 282 283basic privilege PRIV_PROC_INFO 284 285 Allows a process to examine the status of processes other 286 than those it can send signals to. Processes which cannot 287 be examined cannot be seen in /proc and appear not to exist. 288 289privilege PRIV_PROC_LOCK_MEMORY 290 291 Allows a process to lock pages in physical memory. 292 293privilege PRIV_PROC_OWNER 294 295 Allows a process to send signals to other processes, inspect 296 and modify process state to other processes regardless of 297 ownership. When modifying another process, additional 298 restrictions apply: the effective privilege set of the 299 attaching process must be a superset of the target process' 300 effective, permitted and inheritable sets; the limit set must 301 be a superset of the target's limit set; if the target process 302 has any uid set to 0 all privilege must be asserted unless the 303 effective uid is 0. 304 Allows a process to bind arbitrary processes to CPUs. 305 306privilege PRIV_PROC_PRIOCNTL 307 308 Allows a process to elevate its priority above its current level. 309 Allows a process to change its scheduling class to any scheduling class, 310 including the RT class. 311 312basic privilege PRIV_PROC_SESSION 313 314 Allows a process to send signals or trace processes outside its 315 session. 316 317unsafe privilege PRIV_PROC_SETID 318 319 Allows a process to set its uids at will. 320 Assuming uid 0 requires all privileges to be asserted. 321 322privilege PRIV_PROC_TASKID 323 324 Allows a process to assign a new task ID to the calling process. 325 326privilege PRIV_PROC_ZONE 327 328 Allows a process to trace or send signals to processes in 329 other zones. 330 331privilege PRIV_SYS_ACCT 332 333 Allows a process to enable and disable and manage accounting through 334 acct(2), getacct(2), putacct(2) and wracct(2). 335 336privilege PRIV_SYS_ADMIN 337 338 Allows a process to perform system administration tasks such 339 as setting node and domain name and specifying nscd and coreadm 340 settings. 341 342privilege PRIV_SYS_AUDIT 343 344 Allows a process to start the (kernel) audit daemon. 345 Allows a process to view and set audit state (audit user ID, 346 audit terminal ID, audit sessions ID, audit pre-selection mask). 347 Allows a process to turn off and on auditing. 348 Allows a process to configure the audit parameters (cache and 349 queue sizes, event to class mappings, policy options). 350 351privilege PRIV_SYS_CONFIG 352 353 Allows a process to perform various system configuration tasks. 354 Allows a process to add and remove swap devices; when adding a swap 355 device, a process must also have sufficient privileges to read from 356 and write to the swap device. 357 358privilege PRIV_SYS_DEVICES 359 360 Allows a process to successfully call a kernel module that 361 calls the kernel drv_priv(9F) function to check for allowed 362 access. 363 Allows a process to open the real console device directly. 364 Allows a process to open devices that have been exclusively opened. 365 366privilege PRIV_SYS_IPC_CONFIG 367 368 Allows a process to increase the size of a System V IPC Message 369 Queue buffer. 370 371privilege PRIV_SYS_LINKDIR 372 373 Allows a process to unlink and link directories. 374 375privilege PRIV_SYS_MOUNT 376 377 Allows filesystem specific administrative procedures, such as 378 filesystem configuration ioctls, quota calls and creation/deletion 379 of snapshots. 380 Allows a process to mount and unmount filesystems which would 381 otherwise be restricted (i.e., most filesystems except 382 namefs). 383 A process performing a mount operation needs to have 384 appropriate access to the device being mounted (read-write for 385 "rw" mounts, read for "ro" mounts). 386 A process performing any of the aforementioned 387 filesystem operations needs to have read/write/owner 388 access to the mount point. 389 Only regular files and directories can serve as mount points 390 for processes which do not have all zone privileges asserted. 391 Unless a process has all zone privileges, the mount(2) 392 system call will force the "nosuid" and "restrict" options, the 393 latter only for autofs mountpoints. 394 Regardless of privileges, a process running in a non-global zone may 395 only control mounts performed from within said zone. 396 Outside the global zone, the "nodevices" option is always forced. 397 398privilege PRIV_SYS_IPTUN_CONFIG 399 400 Allows a process to configure IP tunnel links. 401 402privilege PRIV_SYS_DL_CONFIG 403 404 Allows a process to configure all classes of datalinks, including 405 configuration allowed by PRIV_SYS_IPTUN_CONFIG. 406 407privilege PRIV_SYS_IP_CONFIG 408 409 Allows a process to configure a system's IP interfaces and routes. 410 Allows a process to configure network parameters using ndd. 411 Allows a process access to otherwise restricted information using ndd. 412 Allows a process to configure IPsec. 413 Allows a process to pop anchored STREAMs modules with matching zoneid. 414 415privilege PRIV_SYS_NET_CONFIG 416 417 Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and 418 PRIV_SYS_PPP_CONFIG allow. 419 Allows a process to push the rpcmod STREAMs module. 420 Allows a process to INSERT/REMOVE STREAMs modules on locations other 421 than the top of the module stack. 422 423privilege PRIV_SYS_NFS 424 425 Allows a process to perform Sun private NFS specific system calls. 426 Allows a process to bind to ports reserved by NFS: ports 2049 (nfs) 427 and port 4045 (lockd). 428 429privilege PRIV_SYS_PPP_CONFIG 430 431 Allows a process to create and destroy PPP (sppp) interfaces. 432 Allows a process to configure PPP tunnels (sppptun). 433 434privilege PRIV_SYS_RES_BIND 435 436 Allows a process to bind processes to processor sets. 437 438privilege PRIV_SYS_RES_CONFIG 439 440 Allows all that PRIV_SYS_RES_BIND allows. 441 Allows a process to create and delete processor sets, assign 442 CPUs to processor sets and override the PSET_NOESCAPE property. 443 Allows a process to change the operational status of CPUs in 444 the system using p_online(2). 445 Allows a process to configure resource pools and to bind 446 processes to pools 447 448unsafe privilege PRIV_SYS_RESOURCE 449 450 Allows a process to modify the resource limits specified 451 by setrlimit(2) and setrctl(2) without restriction. 452 Allows a process to exceed the per-user maximum number of 453 processes. 454 Allows a process to extend or create files on a filesystem that 455 has less than minfree space in reserve. 456 457privilege PRIV_SYS_SMB 458 459 Allows a process to access the Sun private SMB kernel module. 460 Allows a process to bind to ports reserved by NetBIOS and SMB: 461 ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS 462 Session Service and SMB-over-NBT) and 445 (SMB-over-TCP). 463 464privilege PRIV_SYS_SUSER_COMPAT 465 466 Allows a process to successfully call a third party loadable module 467 that calls the kernel suser() function to check for allowed access. 468 This privilege exists only for third party loadable module 469 compatibility and is not used by Solaris proper. 470 471privilege PRIV_SYS_TIME 472 473 Allows a process to manipulate system time using any of the 474 appropriate system calls: stime, adjtime, ntp_adjtime and 475 the IA specific RTC calls. 476 477privilege PRIV_SYS_TRANS_LABEL 478 479 Allows a process to translate labels that are not dominated 480 by the process' sensitivity label to and from an external 481 string form. 482 This privilege is interpreted only if the system is configured 483 with Trusted Extensions. 484 485privilege PRIV_VIRT_MANAGE 486 487 Allows a process to manage virtualized environments such as 488 xVM(5). 489 490privilege PRIV_WIN_COLORMAP 491 492 Allows a process to override colormap restrictions. 493 Allows a process to install or remove colormaps. 494 Allows a process to retrieve colormap cell entries allocated 495 by other processes. 496 This privilege is interpreted only if the system is configured 497 with Trusted Extensions. 498 499privilege PRIV_WIN_CONFIG 500 501 Allows a process to configure or destroy resources that are 502 permanently retained by the X server. 503 Allows a process to use SetScreenSaver to set the screen 504 saver timeout value. 505 Allows a process to use ChangeHosts to modify the display 506 access control list. 507 Allows a process to use GrabServer. 508 Allows a process to use the SetCloseDownMode request which 509 may retain window, pixmap, colormap, property, cursor, font, 510 or graphic context resources. 511 This privilege is interpreted only if the system is configured 512 with Trusted Extensions. 513 514privilege PRIV_WIN_DAC_READ 515 516 Allows a process to read from a window resource that it does 517 not own (has a different user ID). 518 This privilege is interpreted only if the system is configured 519 with Trusted Extensions. 520 521privilege PRIV_WIN_DAC_WRITE 522 523 Allows a process to write to or create a window resource that 524 it does not own (has a different user ID). A newly created 525 window property is created with the window's user ID. 526 This privilege is interpreted only if the system is configured 527 with Trusted Extensions. 528 529privilege PRIV_WIN_DEVICES 530 531 Allows a process to perform operations on window input devices. 532 Allows a process to get and set keyboard and pointer controls. 533 Allows a process to modify pointer button and key mappings. 534 This privilege is interpreted only if the system is configured 535 with Trusted Extensions. 536 537privilege PRIV_WIN_DGA 538 539 Allows a process to use the direct graphics access (DGA) X protocol 540 extensions. Direct process access to the frame buffer is still 541 required. Thus the process must have MAC and DAC privileges that 542 allow access to the frame buffer, or the frame buffer must be 543 allocated to the process. 544 This privilege is interpreted only if the system is configured 545 with Trusted Extensions. 546 547privilege PRIV_WIN_DOWNGRADE_SL 548 549 Allows a process to set the sensitivity label of a window resource 550 to a sensitivity label that does not dominate the existing 551 sensitivity label. 552 This privilege is interpreted only if the system is configured 553 with Trusted Extensions. 554 555privilege PRIV_WIN_FONTPATH 556 557 Allows a process to set a font path. 558 This privilege is interpreted only if the system is configured 559 with Trusted Extensions. 560 561privilege PRIV_WIN_MAC_READ 562 563 Allows a process to read from a window resource whose sensitivity 564 label is not equal to the process sensitivity label. 565 This privilege is interpreted only if the system is configured 566 with Trusted Extensions. 567 568privilege PRIV_WIN_MAC_WRITE 569 570 Allows a process to create a window resource whose sensitivity 571 label is not equal to the process sensitivity label. 572 A newly created window property is created with the window's 573 sensitivity label. 574 This privilege is interpreted only if the system is configured 575 with Trusted Extensions. 576 577privilege PRIV_WIN_SELECTION 578 579 Allows a process to request inter-window data moves without the 580 intervention of the selection confirmer. 581 This privilege is interpreted only if the system is configured 582 with Trusted Extensions. 583 584privilege PRIV_WIN_UPGRADE_SL 585 586 Allows a process to set the sensitivity label of a window 587 resource to a sensitivity label that dominates the existing 588 sensitivity label. 589 This privilege is interpreted only if the system is configured 590 with Trusted Extensions. 591 592privilege PRIV_XVM_CONTROL 593 594 Allows a process access to the xVM(5) control devices for 595 managing guest domains and the hypervisor. This privilege is 596 used only if booted into xVM on x86 platforms. 597 598set PRIV_EFFECTIVE 599 600 Set of privileges currently in effect. 601 602set PRIV_INHERITABLE 603 604 Set of privileges that comes into effect on exec. 605 606set PRIV_PERMITTED 607 608 Set of privileges that can be put into the effective set without 609 restriction. 610 611set PRIV_LIMIT 612 613 Set of privileges that determines the absolute upper bound of 614 privileges this process and its off-spring can obtain. 615