NAME | SYNOPSIS | DESCRIPTION | FILES | ATTRIBUTES | SEE ALSO
SYNOPSIS
#include <tsol/priv.h>
DESCRIPTION
Every defined privilege has a manifest constant for use in programs, a name for use in user interfaces, and a description displayed by certain administrative tools. When a process has a privilege in its effective set, that process has the power to bypass security policy and perform the task allowed by that privilege.
The following section gives the manifest constant, name, and description for each privilege defined on this system.
PRIV_FILE_AUDIT
file_audit
Allows a process to get or set a file's or directory's audit preselection information. The audit preselection information may override the preselection information associated with a process' access to a file or directory. Allows a process to get or set a file's or directory's public object flag. The public object flag may override the successful read/search access preselection information associated with a process' access to a file or directory. Allows a process to write to or modify a file or directory without the file's or directory's audit preselection information or public object flag being cleared.
PRIV_FILE_CHOWN
file_chown
Allows a process to change a file's owner user ID. Allows a process to change a file's group ID to one other than the process' effective group ID or one of the process' supplemental group IDs.
PRIV_FILE_DAC_EXECUTE
file_dac_execute
Allows a process to execute an executable file whose permission bits or ACL do not allow the process execute permission.
PRIV_FILE_DAC_READ
file_dac_read
Allows a process to read a file or directory whose permission bits or ACL do not allow the process read permission.
PRIV_FILE_DAC_SEARCH
file_dac_search
Allows a process to search a directory whose permission bits or ACL do not allow the process search permission.
PRIV_FILE_DAC_WRITE
file_dac_write
Allows a process to write a file or directory whose permission bits or ACL do not allow the process write permission.
PRIV_FILE_DOWNGRADE_SL
file_downgrade_sl
Allows a process to set the Sensitivity Label of a file or directory to a Sensitivity Label that does not dominate the existing Sensitivity Label.
PRIV_FILE_FILE_LOCK
file_lock
Allows a process to get accurate lock information for a file lock that it does not hold.
PRIV_FILE_MAC_READ
file_mac_read
Allows a process to read a file or directory whose Sensitivity Label is not dominated by the process' Sensitivity Label. Allows a process to get accurate file attributes of a file or directory whose Sensitivity Label is not dominated by the process' Sensitivity Label. Allows a process, when upgraded directory names are hidden, to get directory entries whose Sensitivity Label is not dominated by the process' Sensitivity Label.
PRIV_FILE_MAC_SEARCH
file_mac_search
Allows a process to search a directory whose Sensitivity Label is not dominated by the process' Sensitivity Label.
PRIV_FILE_MAC_WRITE
file_mac_write
Allows a process to write a file or directory whose Sensitivity Label does not dominate the process' Sensitivity Label, or whose Sensitivity Label dominates the process' Clearance.
PRIV_FILE_OWNER
file_owner
Allows a process which is not the owner of a file to modify that file's access and modification times, audit preselection attributes, privileges, or downgrade labels. Allows a process which is not the owner of a directory to modify that directory's access and modification times or downgrade labels. Allows a process which is not the owner of a file or directory to remove or rename a file or directory whose parent directory has the ``save text image after execution'' (sticky) bit set. Allows a process which is not the owner of a file to mount a ``namefs'' upon that file. (Does not apply to setting access permission bits or ACLs.)
PRIV_FILE_SETDAC
file_setdac
Allows a process which is not the owner of a file or directory to modify that file's or directory's permission bits or ACL.
PRIV_FILE_SETID
file_setid
Allows a process to change the ownership of a file or write to a file without the set-user-ID and set-group-ID bits being cleared. Allows a process to set the set-user-ID bit on a file whose owner is not the process' effective user. Allows a process to set the set-group-ID bit on a file whose group is not the process' effective group or one of the process' supplemental groups.
PRIV_FILE_SETPRIV
file_setpriv
Allows a process to set the privilege sets on an executable file that the process owns. Allows a process to write to an executable file without the file's allowed and forced privilege sets being emptied.
PRIV_FILE_UPGRADE_SL
file_upgrade_sl
Allows a process to set the Sensitivity Label of a file or directory to a Sensitivity Label that dominates the existing Sensitivity Label.
PRIV_IPC_DAC_READ
ipc_dac_read
Allows a process to read a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment whose permission bits do not allow the process read permission.
PRIV_IPC_DAC_WRITE
ipc_dac_write
Allows a process to write a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment whose permission bits do not allow the process write permission.
PRIV_IPC_MAC_WRITE
ipc_mac_write
Allows a process to write a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment whose Sensitivity Label does not dominate the process' Sensitivity Label, or whose Sensitivity Label dominates the process' Clearance.
PRIV_IPC_OWNER
ipc_owner
Allows a process which is not the owner of a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment to remove, change ownership of, or change permission bits of the Message Queue, Semaphore Set, or Shared Memory Segment.
PRIV_NET_BROADCAST
net_broadcast
Allows a process to send broadcast or multicast packets. Because broadcast packets are delivered to all machines on the local network, they are not labeled.
PRIV_NET_DOWNGRADE_SL
net_downgrade_sl
Allows a process to specify a Sensitivity Label for data being written or to set the network endpoint default Sensitivity Label to a Sensitivity Label which does not dominate the process' Sensitivity Label.
PRIV_NET_MAC_READ
net_mac_read
Allows a process to bind to or accept with a multi-level port. Binding to a multi-level port allows the process to read all data sent to that port socket for which there is not a bound single level port that matches the Sensitivity Label of the data. Accepting with a multi-level port allows a process to receive all data sent to that connected port. (There can be no single level connected port for the accept to succeed.) Allows a process to create a multi-level RPC port mapping.
PRIV_NET_PRIVADDR
net_privaddr
Allows a process to bind to a privileged port number. The privileged port numbers are 1-1023 (the traditional UNIX privileged ports) and 6000-6002 (the XSun server ports). Privileged port numbers include the Internet reserved (well known) port numbers.
PRIV_NET_RAWACCESS
net_rawaccess
Allows a process to have direct access to the network layer. Direct access to the network layer bypasses network labeling. Auditing is not bypassed.
PRIV_NET_REPLY_EQUAL
net_reply_equal
Allows a process to reply with the Sensitivity Label of the last packet received rather than its own Sensitivity Label. A combination of net_mac_read and net_reply_equal allows unmodified programs to successfully receive and reply at all Sensitivity Labels. This privilege exists for unmodified program compatibility and is not used by modified Trusted Solaris programs.
PRIV_NET_SETCLR
net_setclr
Allows a process to specify a Clearance for data being written or to set the network endpoint default Clearance to a value different from the process' Clearance.
PRIV_NET_SETID
net_setid
Allows a process to specify an effective user ID, effective group ID, or set of supplemental groups for data being written or to set the network endpoint default effective user ID, effective group ID, or set of supplemental groups to values different from the process' values. Allows a process which is not the owner of an RPC port mapping to remove the mapping.
PRIV_NET_SETPRIV
net_setpriv
Allows a process to specify the effective privilege set for data being written or to set the network endpoint default effective privilege set to privileges contained in the process' permitted privilege set.
PRIV_NET_UPGRADE_SL
net_upgrade_sl
Allows a process to specify a Sensitivity Label for data being written or to set the network endpoint default Sensitivity Label to a Sensitivity Label which dominates the process' Sensitivity Label.
PRIV_PROC_AUDIT_APPL
proc_audit_appl
Allows a process to generate audit records with an audit event outside the Trusted Solaris TCB event number range. Allows a process to get its own audit preselection information.
PRIV_PROC_AUDIT_TCB
proc_audit_tcb
Allows a process to generate audit records with an audit event within the Trusted Solaris TCB event number range. Allows a process to get its own audit preselection information.
PRIV_PROC_CHROOT
proc_chroot
Allows a process to change its root directory.
PRIV_PROC_DEBUG_NONTRANQUIL
proc_debug_nontranquil
Allows a process to retain access to a process object when that process object changes its Sensitivity Label. Mandatory Access Control is enforced on the new Sensitivity Label.
This privilege is intended to be used to debug processes that change their Sensitivity Labels and not for other purposes.
PRIV_PROC_DUMPCORE
proc_dumpcore
Allows a TCB process that executes a new program which is set-user-ID, set-group-ID, or permits the use of privilege to have a ``core'' file created for it when taking the default action for SIGQUIT, SIGILL, SIGTRAP, SIGABRT, SIGEMT, SIGFPE, SIGBUS, SIGSEGV, SIGSYS, SIGXCPU, or SIGXFSZ signals. Allows a TCB process to have a ``core'' file created for it when taking the default action for SIGQUIT, SIGILL, SIGTRAP, SIGABRT, SIGEMT, SIGFPE, SIGBUS, SIGSEGV, SIGSYS, SIGXCPU, or SIGXFSZ signals.
PRIV_PROC_MAC_READ
proc_mac_read
Allows a process to read another process whose Sensitivity Label is not dominated by the reading process' Sensitivity Label.
PRIV_PROC_MAC_WRITE
proc_mac_write
Allows a process to write another process whose Sensitivity Label does not dominate the writing process' Sensitivity Label, or whose Sensitivity Label dominates the writing process' Clearance.
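The read and write rules for files (file_mac_read, file_mac_write), System V IPC objects (ipc_mac_write) and processes (proc_mac_read, proc_mac_write) follow one pattern built on label dominance, and the DESCRIPTION states that only a privilege in the effective set lets a process bypass that policy. The C program below is an added example, not code from this man page or from Trusted Solaris: it models a Sensitivity Label as a classification level plus a compartment bit set, implements dominance, works out which privilege (if any) a read or write needs, and then checks whether the process' effective set contains exactly that privilege. The label_t and proc_ctx_t types, the P_* privilege bits, the mk_label helper and the sample labels are all constructed for the example; the real manifest constants are defined in <tsol/priv.h> and the real label types are not modelled here. The description of the write rule says the privilege is needed when the object label "dominates the process' Clearance"; this example assumes the intended meaning is that the object label must lie within (be dominated by) the Clearance, so a write at exactly the Clearance stays unprivileged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a Sensitivity Label: one hierarchical classification
 * level plus a set of non-hierarchical compartments kept as a bit mask.
 * This is a teaching stand-in, not the Trusted Solaris label types. */
typedef struct {
    int      classification;   /* higher means more sensitive */
    uint32_t compartments;     /* one bit per compartment */
} label_t;

label_t mk_label(int classification, uint32_t compartments) {
    label_t l = { classification, compartments };
    return l;
}

/* a dominates b when a's classification is at least b's and a's compartment
 * set contains every compartment of b. Dominance is reflexive. */
bool dominates(label_t a, label_t b) {
    return a.classification >= b.classification &&
           (a.compartments & b.compartments) == b.compartments;
}

/* Model privilege bits: stand-ins for the PRIV_* manifest constants, with
 * values chosen for this example only. */
enum {
    P_FILE_MAC_READ  = 1u << 0,
    P_FILE_MAC_WRITE = 1u << 1,
    P_PROC_MAC_READ  = 1u << 2,
    P_PROC_MAC_WRITE = 1u << 3
};

typedef struct {
    label_t  sl;         /* process Sensitivity Label */
    label_t  clearance;  /* process Clearance; must dominate sl */
    uint32_t effective;  /* effective privilege set */
} proc_ctx_t;

typedef enum { OBJ_FILE, OBJ_PROC } obj_kind_t;
typedef enum { OP_READ, OP_WRITE } op_t;

/* Returns the privilege bit the MAC policy demands for this operation, or 0
 * when the labels alone permit it:
 *  - a read needs *_mac_read unless the process SL dominates the object SL;
 *  - a write needs *_mac_write unless the object SL dominates the process SL
 *    and the object SL is itself dominated by the process Clearance
 *    (assumed reading of "dominates the process' Clearance", see lead-in). */
uint32_t mac_privilege_required(const proc_ctx_t *p, obj_kind_t kind,
                                label_t obj, op_t op) {
    uint32_t read_priv  = (kind == OBJ_FILE) ? P_FILE_MAC_READ  : P_PROC_MAC_READ;
    uint32_t write_priv = (kind == OBJ_FILE) ? P_FILE_MAC_WRITE : P_PROC_MAC_WRITE;

    if (op == OP_READ)
        return dominates(p->sl, obj) ? 0 : read_priv;

    if (dominates(obj, p->sl) && dominates(p->clearance, obj))
        return 0;
    return write_priv;
}

/* The decision: the labels permit the operation, or the exact privilege it
 * requires is in the effective set. A different privilege (for example
 * file_mac_read when proc_mac_read is needed) does not help. */
bool mac_access_allowed(const proc_ctx_t *p, obj_kind_t kind,
                        label_t obj, op_t op) {
    uint32_t need = mac_privilege_required(p, kind, obj, op);
    return need == 0 || (p->effective & need) == need;
}

static const char *verdict(bool allowed) { return allowed ? "allow" : "deny"; }

int main(void) {
    /* Constructed sample labels: classification, then compartment bits. */
    label_t unclass   = mk_label(0, 0);
    label_t conf_a    = mk_label(1, 0x1);
    label_t secret_ab = mk_label(2, 0x3);
    label_t secret_c  = mk_label(2, 0x4);

    /* Process at CONF_A, cleared to SECRET_AB, no privileges in effect. */
    proc_ctx_t p = { conf_a, secret_ab, 0 };

    printf("read  UNCLASS   file: %s\n", verdict(mac_access_allowed(&p, OBJ_FILE, unclass,   OP_READ)));
    printf("read  SECRET_AB file: %s\n", verdict(mac_access_allowed(&p, OBJ_FILE, secret_ab, OP_READ)));
    printf("write SECRET_AB file: %s (write-up within clearance)\n",
           verdict(mac_access_allowed(&p, OBJ_FILE, secret_ab, OP_WRITE)));
    printf("write SECRET_C  file: %s (compartment not held)\n",
           verdict(mac_access_allowed(&p, OBJ_FILE, secret_c,  OP_WRITE)));
    printf("write UNCLASS   file: %s (write-down)\n",
           verdict(mac_access_allowed(&p, OBJ_FILE, unclass,   OP_WRITE)));

    /* Putting file_mac_read in the effective set unlocks file reads only. */
    p.effective = P_FILE_MAC_READ;
    printf("read  SECRET_AB file with file_mac_read: %s\n",
           verdict(mac_access_allowed(&p, OBJ_FILE, secret_ab, OP_READ)));
    printf("read  SECRET_AB proc with file_mac_read: %s\n",
           verdict(mac_access_allowed(&p, OBJ_PROC, secret_ab, OP_READ)));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it; the last two lines of output show why privileges are checked by exact bit: holding file_mac_read says nothing about reading another process, which needs proc_mac_read.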
PRIV_PROC_NODELAY
proc_nodelay
Allows a process to not be delayed when doing operations that are identified as covert channels.
PRIV_PROC_OWNER
proc_owner
Allows a process to read from and write to another process with a different process owner. Allows a process to bind a process to a CPU with a different process owner. Allows a process to open a process whose program file is set-user-ID or set-group-ID, or has the use of privilege.
PRIV_PROC_SETCLR
proc_setclr
Allows a process to set its Clearance to a Clearance that is not equal to the process' current Clearance.
PRIV_PROC_SETID
proc_setid
Allows a process to set its user or group IDs to one different from its current effective, real, or saved IDs. Allows a process to set its supplemental group IDs. Allows a process to set the process group of a controlling terminal to one not in the process' process group. Allows a process to set the window size on a terminal not in its session.
PRIV_PROC_SETSL
proc_setsl
Allows a process to set its Sensitivity Label to a Sensitivity Label that is not equal to the process' current Sensitivity Label.
PRIV_PROC_TRANQUIL
proc_tranquil
Allows a process to set the Sensitivity Label of an object to a Sensitivity Label that is not equal to the current Sensitivity Label when the object is in use by another process.
PRIV_SYS_AUDIT
sys_audit
Allows a process to start the (kernel) audit daemon. Allows a process to view and set the audit state (audit user ID, audit terminal ID, audit session ID, audit preselection mask). Allows a process to turn off and on auditing. Allows a process to configure the audit parameters (cache and queue sizes, event to class mappings, policy options).
PRIV_SYS_BOOT
sys_boot
Allows a process to halt, re-boot, or suspend a Trusted Solaris machine.
PRIV_SYS_CONFIG
sys_config
Allows a process to lock into memory and unlock from memory a memory mapped file or Shared Memory Segment. Allows a process to change the scheduling priority of a process not owned by this process, or increase this process' priority. Allows a process to increase its resource or process limits. Allows a process to set the ``save text image after execution'' (sticky) bit on executable files. Allows a process to turn on and off accounting. Allows a process to change the machine time of day clock. Allows a process to change the machine high resolution timer clock. Allows a process to reconfigure scheduling classes. Allows a process to create and delete (hard) links to directories. Allows a process to place a processor on-line or off-line. Allows a process to modify kernel driver statistics values.
PRIV_SYS_CONSOLE
sys_console
Allows a process to redirect console output to another device.
PRIV_SYS_DEVICES
sys_devices
Allows a process to create device special files. Allows a process to use mknod(2) to create directory and regular files. Allows a process to revoke all access to a device special file. Allows a process to reassign a controlling terminal from one process to another. Allows a process to open a terminal already exclusively opened. Allows a process to revoke access to its controlling terminal. Allows a process to enable or disable keyboard abort processing. Allows a process to map frame buffer devices into its address space. Allows a process to enable or disable a disk's write-check capability. Allows a process to load a kernel loadable driver. Allows a process to control the Floating Point Accelerator. Allows a process to configure autopush STREAMS modules. Allows a process to configure the device driver policy table. Allows a process to successfully call a third party loadable module that calls DDI drv_priv.
PRIV_SYS_FS_CONFIG
sys_fs_config
Allows a process to manipulate filesystem locks. Allows a process to set/clear the automatic update (delayed I/O) state of a filesystem. Allows a process to get meta disk allocation information. Allows a process to open a specified inode in a filesystem. Allows a process to set the last access time of a file system object.
PRIV_SYS_IPC_CONFIG
sys_ipc_config
Allows a process to increase the size of a System V IPC Message Queue buffer.
PRIV_SYS_MAXPROC
sys_maxproc
Allows a process to create processes when the maximum number of processes for this process' owning user is exceeded. Allows a process to create the last available process in the system.
PRIV_SYS_MINFREE
sys_minfree
Allows a process to write to a filesystem whose available storage space is below the minimum allowed.
PRIV_SYS_MOUNT
sys_mount
Allows a process to mount filesystems which are restricted from being freely mounted. Such filesystems include those of type ufs, nfs, tmpfs, procfs, ... Allows a process to remount the root filesystem. Allows a process to add and remove swap filesystems. Allows a process to determine the users of a filesystem.
PRIV_SYS_NET_CONFIG
sys_net_config
Allows a process to configure a machine's network interfaces and routes. Allows a process to set a machine's host and domain names. Allows a process to set a machine's kerberos realm. Allows a process to load and unload host type, accreditation, and default information. Allows a process direct access to network devices. Allows a process to set endpoint names. Allows a process to use the rpcmod STREAMS module.
PRIV_SYS_NFS
sys_nfs
Allows a process to start a kernel NFS daemon. Allows a process to start and stop a kernel NFS lock manager daemon. Allows a process to export directories for use by NFS clients. Allows a process to retrieve the NFS file handle for a path name. Allows a process to revoke NFS RPC credentials for a client it does not own.
PRIV_SYS_SUSER_COMPAT
sys_suser_compat
Allows a process to successfully call a third party loadable module that calls the kernel suser() function to check for allowed access. This privilege exists only for third party loadable module compatibility and is not used by Trusted Solaris.
PRIV_SYS_SYSTEM_DOOR
sys_system_door
Allows a process to create a door that can be opened by processes at any Sensitivity Label.
PRIV_SYS_TRANS_LABEL
sys_trans_label
Allows a process to translate labels to and from ``external string form'' that are not dominated by the process' Sensitivity Label.
PRIV_WIN_COLORMAP
win_colormap
Allows a process to override colormap restrictions. Allows a process to install or remove colormaps. Allows a process to retrieve colormap cell entries allocated by other processes.
PRIV_WIN_CONFIG
win_config
Allows a process to configure or destroy resources that are permanently retained by the X server. Allows a process to use SetScreenSaver to set the screen saver timeout value. Allows a process to use ChangeHosts to modify the display access control list. Allows a process to use GrabServer. Allows a process to use the SetCloseDownMode request which may retain window, pixmap, colormap, property, cursor, font, or graphic context resources.
PRIV_WIN_DAC_READ
win_dac_read
Allows a process to read from a window resource that it does not own (has a different user ID).
PRIV_WIN_DAC_WRITE
win_dac_write
Allows a process to write to or create a window resource that it does not own (has a different user ID). A newly created window property is created with the window's user ID.
PRIV_WIN_DEVICES
win_devices
Allows a process to perform operations on window input devices. Allows a process to get and set keyboard and pointer controls. Allows a process to modify pointer button and key mappings.
PRIV_WIN_DGA
win_dga
Allows a process to use the direct graphics access (DGA) X protocol extensions. Direct process access to the frame buffer is still required. Thus the process must have MAC and DAC privileges that allow access to the frame buffer, or the frame buffer must be allocated to the process.
PRIV_WIN_DOWNGRADE_SL
win_downgrade_sl
Allows a process to set the Sensitivity Label of a window resource to a Sensitivity Label that does not dominate the existing Sensitivity Label.
PRIV_WIN_FONTPATH
win_fontpath
Allows a process to set a font path.
PRIV_WIN_MAC_READ
win_mac_read
Allows a process to read from a window resource whose Sensitivity Label is not equal to the process Sensitivity Label.
PRIV_WIN_MAC_WRITE
win_mac_write
Allows a process to write to or create a window resource whose Sensitivity Label is not equal to the process Sensitivity Label. A newly created window property is created with the window's Sensitivity Label.
PRIV_WIN_SELECTION
win_selection
Allows a process to request inter-window data moves without the intervention of the selection arbitrator.
PRIV_WIN_UPGRADE_SL
win_upgrade_sl
Allows a process to set the Sensitivity Label of a window resource to a Sensitivity Label that dominates the existing Sensitivity Label.
FILES
Privileges descriptions
Manifest constant and ID value definitions
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWtsu |
SEE ALSO
Intro(2), getfpriv(2), setfpriv(2), priv_to_str(3TSOL), set_effective_priv(3TSOL), priv_name(4), priv_macros(5)
Trusted Solaris administrator's document set, Trusted Solaris Developer's Guide