2025-01-04 03:04:27 +03:00
|
|
|
// SPDX-License-Identifier: CDDL-1.0
|
2016-06-07 19:16:52 +03:00
|
|
|
/*
|
|
|
|
|
* CDDL HEADER START
|
|
|
|
|
*
|
|
|
|
|
* The contents of this file are subject to the terms of the
|
|
|
|
|
* Common Development and Distribution License (the "License").
|
|
|
|
|
* You may not use this file except in compliance with the License.
|
|
|
|
|
*
|
|
|
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
2022-07-12 00:16:13 +03:00
|
|
|
* or https://opensource.org/licenses/CDDL-1.0.
|
2016-06-07 19:16:52 +03:00
|
|
|
* See the License for the specific language governing permissions
|
|
|
|
|
* and limitations under the License.
|
|
|
|
|
*
|
|
|
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
|
*
|
|
|
|
|
* CDDL HEADER END
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
|
|
|
|
|
* Copyright 2013, Joyent, Inc. All rights reserved.
|
|
|
|
|
* Copyright (C) 2016 Lawrence Livermore National Security, LLC.
|
cred: properly pass and test creds on other threads (#17273)
### Background
Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.
Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.
However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.
### Current implementation
The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.
For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.
### Changes
We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.
On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.
Sponsored-by: https://despairlabs.com/sponsor/
Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-30 02:27:48 +03:00
|
|
|
* Copyright (c) 2025, Rob Norris <robn@despairlabs.com>
|
2016-06-07 19:16:52 +03:00
|
|
|
*
|
|
|
|
|
* For Linux the vast majority of this enforcement is already handled via
|
|
|
|
|
* the standard Linux VFS permission checks. However certain administrative
|
|
|
|
|
* commands which bypass the standard mechanisms may need to make use of
|
|
|
|
|
* this functionality.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <sys/policy.h>
|
|
|
|
|
#include <linux/security.h>
|
|
|
|
|
#include <linux/vfs_compat.h>
|
|
|
|
|
|
|
|
|
|
static int
|
2020-07-12 03:18:02 +03:00
|
|
|
priv_policy_ns(const cred_t *cr, int capability, int err,
|
2018-03-08 02:40:42 +03:00
|
|
|
struct user_namespace *ns)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
cred: properly pass and test creds on other threads (#17273)
### Background
Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.
Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.
However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.
### Current implementation
The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.
For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.
### Changes
We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.
On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.
Sponsored-by: https://despairlabs.com/sponsor/
Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-30 02:27:48 +03:00
|
|
|
/*
|
|
|
|
|
* The passed credentials cannot be directly verified because Linux
|
|
|
|
|
* only provides an interface to check the *current* process
|
|
|
|
|
* credentials. In order to handle this we check if the passed in
|
|
|
|
|
* creds match the current process credentials or the kcred. If not,
|
|
|
|
|
* we swap the passed credentials into the current task, perform the
|
|
|
|
|
* check, and then revert it before returning.
|
|
|
|
|
*/
|
|
|
|
|
const cred_t *old =
|
|
|
|
|
(cr != CRED() && cr != kcred) ? override_creds(cr) : NULL;
|
2016-06-07 19:16:52 +03:00
|
|
|
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
cred: properly pass and test creds on other threads (#17273)
### Background
Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.
Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.
However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.
### Current implementation
The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.
For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.
### Changes
We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.
On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.
Sponsored-by: https://despairlabs.com/sponsor/
Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-30 02:27:48 +03:00
|
|
|
if (ns ? ns_capable(ns, capability) : capable(capability))
|
2018-03-08 02:40:42 +03:00
|
|
|
#else
|
cred: properly pass and test creds on other threads (#17273)
### Background
Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.
Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.
However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.
### Current implementation
The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.
For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.
### Changes
We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.
On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.
Sponsored-by: https://despairlabs.com/sponsor/
Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-30 02:27:48 +03:00
|
|
|
if (capable(capability))
|
2018-03-08 02:40:42 +03:00
|
|
|
#endif
|
cred: properly pass and test creds on other threads (#17273)
### Background
Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.
Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.
However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.
### Current implementation
The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.
For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.
### Changes
We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.
On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.
Sponsored-by: https://despairlabs.com/sponsor/
Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-30 02:27:48 +03:00
|
|
|
err = 0;
|
2016-06-07 19:16:52 +03:00
|
|
|
|
cred: properly pass and test creds on other threads (#17273)
### Background
Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.
Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.
However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.
### Current implementation
The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.
For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.
### Changes
We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.
On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.
Sponsored-by: https://despairlabs.com/sponsor/
Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-30 02:27:48 +03:00
|
|
|
if (old)
|
|
|
|
|
revert_creds(old);
|
|
|
|
|
|
|
|
|
|
return (err);
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
2018-03-08 02:40:42 +03:00
|
|
|
static int
|
2020-07-12 03:18:02 +03:00
|
|
|
priv_policy(const cred_t *cr, int capability, int err)
|
2018-03-08 02:40:42 +03:00
|
|
|
{
|
2021-02-21 19:19:43 +03:00
|
|
|
return (priv_policy_ns(cr, capability, err, cr->user_ns));
|
2018-03-08 02:40:42 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2020-07-12 03:18:02 +03:00
|
|
|
priv_policy_user(const cred_t *cr, int capability, int err)
|
2018-03-08 02:40:42 +03:00
|
|
|
{
|
|
|
|
|
/*
|
2019-09-03 03:56:41 +03:00
|
|
|
* All priv_policy_user checks are preceded by kuid/kgid_has_mapping()
|
2018-03-08 02:40:42 +03:00
|
|
|
* checks. If we cannot do them, we shouldn't be using ns_capable()
|
|
|
|
|
* since we don't know whether the affected files are valid in our
|
2019-11-12 19:59:06 +03:00
|
|
|
* namespace.
|
2018-03-08 02:40:42 +03:00
|
|
|
*/
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_ns(cr, capability, err, cr->user_ns));
|
2018-03-08 02:40:42 +03:00
|
|
|
#else
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_ns(cr, capability, err, NULL));
|
2018-03-08 02:40:42 +03:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-07 19:16:52 +03:00
|
|
|
/*
|
|
|
|
|
* Checks for operations that are either client-only or are used by
|
|
|
|
|
* both clients and servers.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_nfs(const cred_t *cr)
|
|
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Catch all system configuration.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
|
|
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Like secpolicy_vnode_access() but we get the actual wanted mode and the
|
|
|
|
|
* current mode of the file, not the missing bits.
|
|
|
|
|
*
|
|
|
|
|
* Enforced in the Linux VFS.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
|
2017-01-21 00:17:55 +03:00
|
|
|
mode_t curmode, mode_t wantmode)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This is a special routine for ZFS; it is used to determine whether
|
|
|
|
|
* any of the privileges in effect allow any form of access to the
|
|
|
|
|
* file. There's no reason to audit this or any reason to record
|
|
|
|
|
* this. More work is needed to do the "KPLD" stuff.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
|
|
|
|
|
{
|
2022-03-18 15:47:57 +03:00
|
|
|
if (crgetuid(cr) == owner)
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2023-04-11 00:15:36 +03:00
|
|
|
if (zpl_inode_owner_or_capable(zfs_init_idmap, ip))
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
2018-03-08 02:40:42 +03:00
|
|
|
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
|
|
|
|
|
return (EPERM);
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-07-12 03:18:02 +03:00
|
|
|
if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0)
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2020-07-12 03:18:02 +03:00
|
|
|
if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0)
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
|
|
|
|
return (EPERM);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine if subject can chown owner of a file.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
|
|
|
|
|
{
|
2022-03-18 15:47:57 +03:00
|
|
|
if (crgetuid(cr) == owner)
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
2018-03-08 02:40:42 +03:00
|
|
|
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
|
|
|
|
|
return (EPERM);
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_user(cr, CAP_FOWNER, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine if subject can change group ownership of a file.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_create_gid(const cred_t *cr)
|
|
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy(cr, CAP_SETGID, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Policy determines whether we can remove an entry from a directory,
|
|
|
|
|
* regardless of permission bits.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_remove(const cred_t *cr)
|
|
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy(cr, CAP_FOWNER, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine that subject can modify the mode of a file. allzone privilege
|
|
|
|
|
* needed when modifying root owned object.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
|
|
|
|
|
{
|
2022-03-18 15:47:57 +03:00
|
|
|
if (crgetuid(cr) == owner)
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
2018-03-08 02:40:42 +03:00
|
|
|
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
|
|
|
|
|
return (EPERM);
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_user(cr, CAP_FOWNER, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Are we allowed to retain the set-uid/set-gid bits when
|
|
|
|
|
* changing ownership or when writing to a file?
|
|
|
|
|
* "issuid" should be true when set-uid; only in that case
|
|
|
|
|
* root ownership is checked (setgid is assumed).
|
|
|
|
|
*
|
|
|
|
|
* Enforced in the Linux VFS.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2020-10-22 00:08:06 +03:00
|
|
|
secpolicy_vnode_setid_retain(struct znode *zp __maybe_unused, const cred_t *cr,
|
|
|
|
|
boolean_t issuidroot)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_user(cr, CAP_FSETID, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine that subject can set the file setgid flag.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2023-04-11 00:15:36 +03:00
|
|
|
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid, zidmap_t *mnt_ns,
|
|
|
|
|
struct user_namespace *fs_ns)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
2022-11-08 21:28:56 +03:00
|
|
|
gid = zfs_gid_to_vfsgid(mnt_ns, fs_ns, gid);
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
2018-03-08 02:40:42 +03:00
|
|
|
if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
|
|
|
|
|
return (EPERM);
|
|
|
|
|
#endif
|
2022-03-18 15:47:57 +03:00
|
|
|
if (crgetgid(cr) != gid && !groupmember(gid, cr))
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_user(cr, CAP_FSETID, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine if the subject can inject faults in the ZFS fault injection
|
|
|
|
|
* framework. Requires all privileges.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_zinject(const cred_t *cr)
|
|
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine if the subject has permission to manipulate ZFS datasets
|
|
|
|
|
* (not pools). Equivalent to the SYS_MOUNT privilege.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_zfs(const cred_t *cr)
|
|
|
|
|
{
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-07 19:16:52 +03:00
|
|
|
void
|
|
|
|
|
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
|
|
|
|
|
{
|
|
|
|
|
if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
|
2020-10-22 00:08:06 +03:00
|
|
|
secpolicy_vnode_setid_retain(NULL, cr,
|
2016-06-07 19:16:52 +03:00
|
|
|
(vap->va_mode & S_ISUID) != 0 &&
|
|
|
|
|
(vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
|
|
|
|
|
vap->va_mask |= AT_MODE;
|
|
|
|
|
vap->va_mode &= ~(S_ISUID|S_ISGID);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine that subject can set the file setid flags.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2023-04-11 00:15:36 +03:00
|
|
|
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner, zidmap_t *mnt_ns,
|
|
|
|
|
struct user_namespace *fs_ns)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
2022-11-08 21:28:56 +03:00
|
|
|
owner = zfs_uid_to_vfsuid(mnt_ns, fs_ns, owner);
|
2022-10-19 21:17:09 +03:00
|
|
|
|
2022-03-18 15:47:57 +03:00
|
|
|
if (crgetuid(cr) == owner)
|
2016-06-07 19:16:52 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2019-11-12 19:59:06 +03:00
|
|
|
#if defined(CONFIG_USER_NS)
|
2018-03-08 02:40:42 +03:00
|
|
|
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
|
|
|
|
|
return (EPERM);
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-07-12 03:18:02 +03:00
|
|
|
return (priv_policy_user(cr, CAP_FSETID, EPERM));
|
2016-06-07 19:16:52 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Determine that subject can make a file a "sticky".
|
|
|
|
|
*
|
|
|
|
|
* Enforced in the Linux VFS.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
secpolicy_vnode_stky_modify(const cred_t *cr)
|
|
|
|
|
{
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
|
2023-04-11 00:15:36 +03:00
|
|
|
const vattr_t *ovap, cred_t *cr, zidmap_t *mnt_ns,
|
|
|
|
|
struct user_namespace *fs_ns)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
if ((vap->va_mode & S_ISUID) != 0 &&
|
|
|
|
|
(error = secpolicy_vnode_setid_modify(cr,
|
2022-11-08 21:28:56 +03:00
|
|
|
ovap->va_uid, mnt_ns, fs_ns)) != 0) {
|
2016-06-07 19:16:52 +03:00
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check privilege if attempting to set the
|
|
|
|
|
* sticky bit on a non-directory.
|
|
|
|
|
*/
|
|
|
|
|
if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
|
|
|
|
|
secpolicy_vnode_stky_modify(cr) != 0) {
|
|
|
|
|
vap->va_mode &= ~S_ISVTX;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check for privilege if attempting to set the
|
|
|
|
|
* group-id bit.
|
|
|
|
|
*/
|
|
|
|
|
if ((vap->va_mode & S_ISGID) != 0 &&
|
2022-11-08 21:28:56 +03:00
|
|
|
secpolicy_vnode_setids_setgids(cr, ovap->va_gid,
|
|
|
|
|
mnt_ns, fs_ns) != 0) {
|
2016-06-07 19:16:52 +03:00
|
|
|
vap->va_mode &= ~S_ISGID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check privileges for setting xvattr attributes
|
|
|
|
|
*/
|
|
|
|
|
int
|
2019-11-21 20:32:57 +03:00
|
|
|
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, mode_t type)
|
2016-06-07 19:16:52 +03:00
|
|
|
{
|
|
|
|
|
return (secpolicy_vnode_chown(cr, owner));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check privileges for setattr attributes.
|
|
|
|
|
*
|
|
|
|
|
* Enforced in the Linux VFS.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
|
|
|
|
|
const struct vattr *ovap, int flags,
|
|
|
|
|
int unlocked_access(void *, int, cred_t *), void *node)
|
|
|
|
|
{
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check privileges for links.
|
|
|
|
|
*
|
|
|
|
|
* Enforced in the Linux VFS.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
secpolicy_basic_link(const cred_t *cr)
|
|
|
|
|
{
|
|
|
|
|
return (0);
|
|
|
|
|
}
|