illumos_priv/

privileges.rs

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// Copyright 2019 Joyent, Inc.

//! The definitions below are sourced from an illumos system in `/usr/include/sys/priv_names.h`

use std::ffi::CStr;
use std::os::raw::c_char;

#[derive(Debug)]
/// Mapping to the various illumos PRIVILEGES(5).
pub enum Privilege {
    /// Allows a process to request critical events without limitation.
    /// Allows a process to request reliable delivery of all events on
    /// any event queue.
    ContractEvent,

    /// Allows a process to set the service FMRI value of a process
    /// contract template.
    ContractIdentity,

    /// Allows a process to observe contract events generated by
    /// contracts created and owned by users other than the process's
    /// effective user ID.
    /// Allows a process to open contract event endpoints belonging to
    /// contracts created and owned by users other than the process's
    /// effective user ID.
    ContractObserver,

    /// Allow a process to access per-CPU hardware performance counters.
    CpcCpu,

    /// Allows DTrace kernel-level tracing.
    DtraceKernel,

    /// Allows DTrace process-level tracing.
    /// Allows process-level tracing probes to be placed and enabled in
    /// processes to which the user has permissions.
    DtraceProc,

    /// Allows DTrace user-level tracing.
    /// Allows use of the syscall and profile DTrace providers to
    /// examine processes to which the user has permissions.
    DtraceUser,

    /// Allows a process to change a file's owner user ID.
    /// Allows a process to change a file's group ID to one other than
    /// the process' effective group ID or one of the process'
    /// supplemental group IDs.
    FileChown,

    /// Allows a process to give away its files; a process with this
    /// privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
    /// in effect.
    FileChownSelf,

    /// Allows a process to execute an executable file whose permission
    /// bits or ACL do not allow the process execute permission.
    FileDacExecute,

    /// Allows a process to read a file or directory whose permission
    /// bits or ACL do not allow the process read permission.
    FileDacRead,

    /// Allows a process to search a directory whose permission bits or
    /// ACL do not allow the process search permission.
    FileDacSearch,

    /// Allows a process to write a file or directory whose permission
    /// bits or ACL do not allow the process write permission.
    /// In order to write files owned by uid 0 in the absence of an
    /// effective uid of 0 ALL privileges are required.
    FileDacWrite,

    /// Allows a process to set the sensitivity label of a file or
    /// directory to a sensitivity label that does not dominate the
    /// existing sensitivity label.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    FileDowngradeSl,

    /// Allows a process to set immutable, nounlink or appendonly
    /// file attributes.
    FileFlagSet,

    /// Allows a process to create hardlinks to files owned by a uid
    /// different from the process' effective uid.
    FileLinkAny,

    /// Allows a process which is not the owner of a file or directory
    /// to perform the following operations that are normally permitted
    /// only for the file owner: modify that file's access and
    /// modification times; remove or rename a file or directory whose
    /// parent directory has the ``save text image after execution''
    /// (sticky) bit set; mount a ``namefs'' upon a file; modify
    /// permission bits or ACL except for the set-uid and set-gid
    /// bits.
    FileOwner,

    /// Allows a process to read objects in the filesystem.
    FileRead,

    /// Allows a process to change the ownership of a file or write to
    /// a file without the set-user-ID and set-group-ID bits being
    /// cleared.
    /// Allows a process to set the set-group-ID bit on a file or
    /// directory whose group is not the process' effective group or
    /// one of the process' supplemental groups.
    /// Allows a process to set the set-user-ID bit on a file with
    /// different ownership in the presence of PRIV_FILE_OWNER.
    /// Additional restrictions apply when creating or modifying a
    /// set-uid 0 file.
    FileSetid,

    /// Allows a process to set the sensitivity label of a file or
    /// directory to a sensitivity label that dominates the existing
    /// sensitivity label.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    FileUpgradeSl,

    /// Allows a process to modify objects in the filesystem.
    FileWrite,

    /// Allows a process to make privileged ioctls to graphics devices.
    /// Typically only xserver process needs to have this privilege.
    /// A process with this privilege is also allowed to perform
    /// privileged graphics device mappings.
    GraphicsAccess,

    /// Allows a process to perform privileged mappings through a
    /// graphics device.
    GraphicsMap,

    /// Allows a process to manage hyprlofs entries.
    HyprlofsControl,

    /// Allows a process to read a System V IPC
    /// Message Queue, Semaphore Set, or Shared Memory Segment whose
    /// permission bits do not allow the process read permission.
    /// Allows a process to read remote shared memory whose
    /// permission bits do not allow the process read permission.
    IpcDacRead,

    /// Allows a process to write a System V IPC
    /// Message Queue, Semaphore Set, or Shared Memory Segment whose
    /// permission bits do not allow the process write permission.
    /// Allows a process to read remote shared memory whose
    /// permission bits do not allow the process write permission.
    /// Additional restrictions apply if the owner of the object has uid 0
    /// and the effective uid of the current process is not 0.
    IpcDacWrite,

    /// Allows a process which is not the owner of a System
    /// V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
    /// remove, change ownership of, or change permission bits of the
    /// Message Queue, Semaphore Set, or Shared Memory Segment.
    /// Additional restrictions apply if the owner of the object has uid 0
    /// and the effective uid of the current process is not 0.
    IpcOwner,

    /// Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
    NetAccess,

    /// Allow a process to bind to a port that is configured as a
    /// multi-level port(MLP) for the process's zone. This privilege
    /// applies to both shared address and zone-specific address MLPs.
    /// See tnzonecfg(4) from the Trusted Extensions manual pages for
    /// information on configuring MLP ports.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    NetBindmlp,

    /// Allows a process to send and receive ICMP packets.
    NetIcmpaccess,

    /// Allows a process to set NET_MAC_AWARE process flag by using
    /// setpflags(2). This privilege also allows a process to set
    /// SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET).
    /// The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket
    /// option both allow a local process to communicate with an
    /// unlabeled peer if the local process' label dominates the
    /// peer's default label, or if the local process runs in the
    /// global zone.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    NetMacAware,

    /// Allows a process to set SO_MAC_IMPLICIT option by using
    /// setsockopt(3SOCKET).  This allows a privileged process to
    /// transmit implicitly-labeled packets to a peer.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    NetMacImplicit,

    /// Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
    /// while not requiring them to need PRIV_NET_RAWACCESS.
    NetObservability,

    /// Allows a process to bind to a privileged port
    /// number. The privilege port numbers are 1-1023 (the traditional
    /// UNIX privileged ports) as well as those ports marked as
    /// "udp/tcp_extra_priv_ports" with the exception of the ports
    /// reserved for use by NFS.
    NetPrivaddr,

    /// Allows a process to have direct access to the network layer.
    NetRawaccess,

    /// Allows a process to generate audit records.
    /// Allows a process to get its own audit pre-selection information.
    ProcAudit,

    /// Allows a process to change its root directory.
    ProcChroot,

    /// Allows a process to use high resolution timers.
    ProcClockHighres,

    /// Allows a process to call execve().
    ProcExec,

    /// Allows a process to call fork1()/forkall()/vfork()
    ProcFork,

    /// Allows a process to examine the status of processes other
    /// than those it can send signals to.  Processes which cannot
    /// be examined cannot be seen in /proc and appear not to exist.
    ProcInfo,

    /// Allows a process to lock pages in physical memory.
    ProcLockMemory,

    /// Allows a process to access physical memory information.
    ProcMeminfo,

    /// Allows a process to send signals to other processes, inspect
    /// and modify process state to other processes regardless of
    /// ownership.  When modifying another process, additional
    /// restrictions apply:  the effective privilege set of the
    /// attaching process must be a superset of the target process'
    /// effective, permitted and inheritable sets; the limit set must
    /// be a superset of the target's limit set; if the target process
    /// has any uid set to 0 all privilege must be asserted unless the
    /// effective uid is 0.
    /// Allows a process to bind arbitrary processes to CPUs.
    ProcOwner,

    /// Allows a process to elevate its priority above its current level.
    ProcPrioup,

    /// Allows all that PRIV_PROC_PRIOUP allows.
    /// Allows a process to change its scheduling class to any scheduling class,
    /// including the RT class.
    ProcPriocntl,

    /// Allows a process to manipulate the secflags of processes (subject to,
    /// additionally, the ability to signal that process)
    ProcSecflags,

    /// Allows a process to send signals or trace processes outside its
    /// session.
    ProcSession,

    /// Allows a process to set its uids at will.
    /// Assuming uid 0 requires all privileges to be asserted.
    ProcSetid,

    /// Allows a process to assign a new task ID to the calling process.
    ProcTaskid,

    /// Allows a process to trace or send signals to processes in
    /// other zones.
    ProcZone,

    /// Allows a process to enable and disable and manage accounting through
    /// acct(2), getacct(2), putacct(2) and wracct(2).
    SysAcct,

    /// Allows a process to perform system administration tasks such
    /// as setting node and domain name and specifying nscd and coreadm
    /// settings.
    SysAdmin,

    /// Allows a process to start the (kernel) audit daemon.
    /// Allows a process to view and set audit state (audit user ID,
    /// audit terminal ID, audit sessions ID, audit pre-selection mask).
    /// Allows a process to turn off and on auditing.
    /// Allows a process to configure the audit parameters (cache and
    /// queue sizes, event to class mappings, policy options).
    SysAudit,

    /// Allows a process to perform various system configuration tasks.
    /// Allows a process to add and remove swap devices; when adding a swap
    /// device, a process must also have sufficient privileges to read from
    /// and write to the swap device.
    SysConfig,

    /// Allows a process to successfully call a kernel module that
    /// calls the kernel drv_priv(9F) function to check for allowed
    /// access.
    /// Allows a process to open the real console device directly.
    /// Allows a process to open devices that have been exclusively opened.
    SysDevices,

    /// Allows a process to import a potentially untrusted file system.
    SysFsImport,

    /// Allows a process to increase the size of a System V IPC Message
    /// Queue buffer.
    SysIpcConfig,

    /// Allows a process to unlink and link directories.
    SysLinkdir,

    /// Allows filesystem specific administrative procedures, such as
    /// filesystem configuration ioctls, quota calls and creation/deletion
    /// of snapshots.
    /// Allows a process to mount and unmount filesystems which would
    /// otherwise be restricted (i.e., most filesystems except
    /// namefs).
    /// A process performing a mount operation needs to have
    /// appropriate access to the device being mounted (read-write for
    /// "rw" mounts, read for "ro" mounts).
    /// A process performing any of the aforementioned
    /// filesystem operations needs to have read/write/owner
    /// access to the mount point.
    /// Only regular files and directories can serve as mount points
    /// for processes which do not have all zone privileges asserted.
    /// Unless a process has all zone privileges, the mount(2)
    /// system call will force the "nosuid" and "restrict" options, the
    /// latter only for autofs mountpoints.
    /// Regardless of privileges, a process running in a non-global zone may
    /// only control mounts performed from within said zone.
    /// Outside the global zone, the "nodevices" option is always forced.
    SysMount,

    /// Allows a process to configure IP tunnel links.
    SysIptunConfig,

    /// Allows a process to configure all classes of datalinks, including
    /// configuration allowed by PRIV_SYS_IPTUN_CONFIG.
    SysDlConfig,

    /// Allows a process to configure a system's IP interfaces and routes.
    /// Allows a process to configure network parameters using ndd.
    /// Allows a process access to otherwise restricted information using ndd.
    /// Allows a process to configure IPsec.
    /// Allows a process to pop anchored STREAMs modules with matching zoneid.
    SysIpConfig,

    /// Allows all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and
    /// PRIV_SYS_PPP_CONFIG allow.
    /// Allows a process to push the rpcmod STREAMs module.
    /// Allows a process to INSERT/REMOVE STREAMs modules on locations other
    /// than the top of the module stack.
    SysNetConfig,

    /// Allows a process to perform Sun private NFS specific system calls.
    /// Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
    /// and port 4045 (lockd).
    SysNfs,

    /// Allows a process to create and destroy PPP (sppp) interfaces.
    /// Allows a process to configure PPP tunnels (sppptun).
    SysPppConfig,

    /// Allows a process to bind processes to processor sets.
    SysResBind,

    /// Allows all that PRIV_SYS_RES_BIND allows.
    /// Allows a process to create and delete processor sets, assign
    /// CPUs to processor sets and override the PSET_NOESCAPE property.
    /// Allows a process to change the operational status of CPUs in
    /// the system using p_online(2).
    /// Allows a process to configure resource pools and to bind
    /// processes to pools
    SysResConfig,

    /// Allows a process to modify the resource limits specified
    /// by setrlimit(2) and setrctl(2) without restriction.
    /// Allows a process to exceed the per-user maximum number of
    /// processes.
    /// Allows a process to extend or create files on a filesystem that
    /// has less than minfree space in reserve.
    SysResource,

    /// Allows a process to access the Sun private SMB kernel module.
    /// Allows a process to bind to ports reserved by NetBIOS and SMB:
    /// ports 137 (NBNS), 138 (NetBIOS Datagram Service), 139 (NetBIOS
    /// Session Service and SMB-over-NBT) and 445 (SMB-over-TCP).
    SysSmb,

    /// Allows a process to successfully call a third party loadable module
    /// that calls the kernel suser() function to check for allowed access.
    /// This privilege exists only for third party loadable module
    /// compatibility and is not used by Solaris proper.
    SysSuserCompat,

    /// Allows a process to manipulate system time using any of the
    /// appropriate system calls: stime, adjtime, ntp_adjtime and
    /// the IA specific RTC calls.
    SysTime,

    /// Allows a process to translate labels that are not dominated
    /// by the process' sensitivity label to and from an external
    /// string form.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    SysTransLabel,

    /// Allows a process to manage virtualized environments such as
    /// xVM(5).
    VirtManage,

    /// Allows a process to override colormap restrictions.
    /// Allows a process to install or remove colormaps.
    /// Allows a process to retrieve colormap cell entries allocated
    /// by other processes.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinColormap,

    /// Allows a process to configure or destroy resources that are
    /// permanently retained by the X server.
    /// Allows a process to use SetScreenSaver to set the screen
    /// saver timeout value.
    /// Allows a process to use ChangeHosts to modify the display
    /// access control list.
    /// Allows a process to use GrabServer.
    /// Allows a process to use the SetCloseDownMode request which
    /// may retain window, pixmap, colormap, property, cursor, font,
    /// or graphic context resources.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinConfig,

    /// Allows a process to read from a window resource that it does
    /// not own (has a different user ID).
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinDacRead,

    /// Allows a process to write to or create a window resource that
    /// it does not own (has a different user ID). A newly created
    /// window property is created with the window's user ID.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinDacWrite,

    /// Allows a process to perform operations on window input devices.
    /// Allows a process to get and set keyboard and pointer controls.
    /// Allows a process to modify pointer button and key mappings.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinDevices,

    /// Allows a process to use the direct graphics access (DGA) X protocol
    /// extensions. Direct process access to the frame buffer is still
    /// required. Thus the process must have MAC and DAC privileges that
    /// allow access to the frame buffer, or the frame buffer must be
    /// allocated to the process.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinDga,

    /// Allows a process to set the sensitivity label of a window resource
    /// to a sensitivity label that does not dominate the existing
    /// sensitivity label.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinDowngradeSl,

    /// Allows a process to set a font path.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinFontpath,

    /// Allows a process to read from a window resource whose sensitivity
    /// label is not equal to the process sensitivity label.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinMacRead,

    /// Allows a process to create a window resource whose sensitivity
    /// label is not equal to the process sensitivity label.
    /// A newly created window property is created with the window's
    /// sensitivity label.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinMacWrite,

    /// Allows a process to request inter-window data moves without the
    /// intervention of the selection confirmer.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinSelection,

    /// Allows a process to set the sensitivity label of a window
    /// resource to a sensitivity label that dominates the existing
    /// sensitivity label.
    /// This privilege is interpreted only if the system is configured
    /// with Trusted Extensions.
    WinUpgradeSl,

    /// Allows a process access to the xVM(5) control devices for
    /// managing guest domains and the hypervisor. This privilege is
    /// used only if booted into xVM on x86 platforms.
    XvmControl,
}

impl Privilege {
    fn as_str(&self) -> &'static str {
        match self {
            Privilege::ContractEvent => "contract_event\0",
            Privilege::ContractIdentity => "contract_identity\0",
            Privilege::ContractObserver => "contract_observer\0",
            Privilege::CpcCpu => "cpc_cpu\0",
            Privilege::DtraceKernel => "dtrace_kernel\0",
            Privilege::DtraceProc => "dtrace_proc\0",
            Privilege::DtraceUser => "dtrace_user\0",
            Privilege::FileChown => "file_chown\0",
            Privilege::FileChownSelf => "file_chown_self\0",
            Privilege::FileDacExecute => "file_dac_execute\0",
            Privilege::FileDacRead => "file_dac_read\0",
            Privilege::FileDacSearch => "file_dac_search\0",
            Privilege::FileDacWrite => "file_dac_write\0",
            Privilege::FileDowngradeSl => "file_downgrade_sl\0",
            Privilege::FileFlagSet => "file_flag_set\0",
            Privilege::FileLinkAny => "file_link_any\0",
            Privilege::FileOwner => "file_owner\0",
            Privilege::FileRead => "file_read\0",
            Privilege::FileSetid => "file_setid\0",
            Privilege::FileUpgradeSl => "file_upgrade_sl\0",
            Privilege::FileWrite => "file_write\0",
            Privilege::GraphicsAccess => "graphics_access\0",
            Privilege::GraphicsMap => "graphics_map\0",
            Privilege::HyprlofsControl => "hyprlofs_control\0",
            Privilege::IpcDacRead => "ipc_dac_read\0",
            Privilege::IpcDacWrite => "ipc_dac_write\0",
            Privilege::IpcOwner => "ipc_owner\0",
            Privilege::NetAccess => "net_access\0",
            Privilege::NetBindmlp => "net_bindmlp\0",
            Privilege::NetIcmpaccess => "net_icmpaccess\0",
            Privilege::NetMacAware => "net_mac_aware\0",
            Privilege::NetMacImplicit => "net_mac_implicit\0",
            Privilege::NetObservability => "net_observability\0",
            Privilege::NetPrivaddr => "net_privaddr\0",
            Privilege::NetRawaccess => "net_rawaccess\0",
            Privilege::ProcAudit => "proc_audit\0",
            Privilege::ProcChroot => "proc_chroot\0",
            Privilege::ProcClockHighres => "proc_clock_highres\0",
            Privilege::ProcExec => "proc_exec\0",
            Privilege::ProcFork => "proc_fork\0",
            Privilege::ProcInfo => "proc_info\0",
            Privilege::ProcLockMemory => "proc_lock_memory\0",
            Privilege::ProcMeminfo => "proc_meminfo\0",
            Privilege::ProcOwner => "proc_owner\0",
            Privilege::ProcPrioup => "proc_prioup\0",
            Privilege::ProcPriocntl => "proc_priocntl\0",
            Privilege::ProcSecflags => "proc_secflags\0",
            Privilege::ProcSession => "proc_session\0",
            Privilege::ProcSetid => "proc_setid\0",
            Privilege::ProcTaskid => "proc_taskid\0",
            Privilege::ProcZone => "proc_zone\0",
            Privilege::SysAcct => "sys_acct\0",
            Privilege::SysAdmin => "sys_admin\0",
            Privilege::SysAudit => "sys_audit\0",
            Privilege::SysConfig => "sys_config\0",
            Privilege::SysDevices => "sys_devices\0",
            Privilege::SysFsImport => "sys_fs_import\0",
            Privilege::SysIpcConfig => "sys_ipc_config\0",
            Privilege::SysLinkdir => "sys_linkdir\0",
            Privilege::SysMount => "sys_mount\0",
            Privilege::SysIptunConfig => "sys_iptun_config\0",
            Privilege::SysDlConfig => "sys_dl_config\0",
            Privilege::SysIpConfig => "sys_ip_config\0",
            Privilege::SysNetConfig => "sys_net_config\0",
            Privilege::SysNfs => "sys_nfs\0",
            Privilege::SysPppConfig => "sys_ppp_config\0",
            Privilege::SysResBind => "sys_res_bind\0",
            Privilege::SysResConfig => "sys_res_config\0",
            Privilege::SysResource => "sys_resource\0",
            Privilege::SysSmb => "sys_smb\0",
            Privilege::SysSuserCompat => "sys_suser_compat\0",
            Privilege::SysTime => "sys_time\0",
            Privilege::SysTransLabel => "sys_trans_label\0",
            Privilege::VirtManage => "virt_manage\0",
            Privilege::WinColormap => "win_colormap\0",
            Privilege::WinConfig => "win_config\0",
            Privilege::WinDacRead => "win_dac_read\0",
            Privilege::WinDacWrite => "win_dac_write\0",
            Privilege::WinDevices => "win_devices\0",
            Privilege::WinDga => "win_dga\0",
            Privilege::WinDowngradeSl => "win_downgrade_sl\0",
            Privilege::WinFontpath => "win_fontpath\0",
            Privilege::WinMacRead => "win_mac_read\0",
            Privilege::WinMacWrite => "win_mac_write\0",
            Privilege::WinSelection => "win_selection\0",
            Privilege::WinUpgradeSl => "win_upgrade_sl\0",
            Privilege::XvmControl => "xvm_control\0",
        }
    }

    /// Get the correct mapping as a `*const c_char` from a `Privilege`
    pub(crate) fn as_ptr(&self) -> *const c_char {
        // This works because the lifetime of the mapped value is 'static.
        // Otherwise we would have to ensure that the ptr does not outlive the value.
        CStr::from_bytes_with_nul(self.as_str().as_bytes())
            .expect("all variants should be nul terminated")
            .as_ptr()
    }
}