/*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/* Copyright 2015, Richard Lowe. */
#include <sys/secflags.h>
#include <sys/types.h>
#if defined(_KERNEL)
#include <sys/kmem.h>
#include <sys/sunddi.h>
#else
#include "lint.h" /* libc header */
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#endif
secflagset_t
secflag_to_bit(secflag_t secflag)
{
return (1 << secflag);
}
boolean_t
secflag_isset(secflagset_t flags, secflag_t sf)
{
return ((flags & secflag_to_bit(sf)) != 0);
}
void
secflag_clear(secflagset_t *flags, secflag_t sf)
{
*flags &= ~secflag_to_bit(sf);
}
void
secflag_set(secflagset_t *flags, secflag_t sf)
{
*flags |= secflag_to_bit(sf);
}
boolean_t
secflags_isempty(secflagset_t flags)
{
return (flags == 0);
}
void
secflags_zero(secflagset_t *flags)
{
*flags = 0;
}
void
secflags_fullset(secflagset_t *flags)
{
*flags = PROC_SEC_MASK;
}
void
secflags_copy(secflagset_t *dst, const secflagset_t *src)
{
*dst = *src;
}
boolean_t
secflags_issubset(secflagset_t a, secflagset_t b)
{
return (!(a & ~b));
}
boolean_t
secflags_issuperset(secflagset_t a, secflagset_t b)
{
return (secflags_issubset(b, a));
}
boolean_t
secflags_intersection(secflagset_t a, secflagset_t b)
{
return (a & b);
}
void
secflags_union(secflagset_t *a, const secflagset_t *b)
{
*a |= *b;
}
void
secflags_difference(secflagset_t *a, const secflagset_t *b)
{
*a &= ~*b;
}
boolean_t
psecflags_validate_delta(const psecflags_t *sf, const secflagdelta_t *delta)
{
if (delta->psd_ass_active) {
/*
* If there's a bit in lower not in args, or a bit args not in
* upper
*/
if (!secflags_issubset(delta->psd_assign, sf->psf_upper) ||
!secflags_issuperset(delta->psd_assign, sf->psf_lower)) {
return (B_FALSE);
}
if (!secflags_issubset(delta->psd_assign, PROC_SEC_MASK))
return (B_FALSE);
} else {
/* If we're adding a bit not in upper */
if (!secflags_isempty(delta->psd_add)) {
if (!secflags_issubset(delta->psd_add, sf->psf_upper)) {
return (B_FALSE);
}
}
/* If we're removing a bit that's in lower */
if (!secflags_isempty(delta->psd_rem)) {
if (secflags_intersection(delta->psd_rem,
sf->psf_lower)) {
return (B_FALSE);
}
}
if (!secflags_issubset(delta->psd_add, PROC_SEC_MASK) ||
!secflags_issubset(delta->psd_rem, PROC_SEC_MASK))
return (B_FALSE);
}
return (B_TRUE);
}
boolean_t
psecflags_validate(const psecflags_t *sf)
{
if (!secflags_issubset(sf->psf_lower, PROC_SEC_MASK) ||
!secflags_issubset(sf->psf_inherit, PROC_SEC_MASK) ||
!secflags_issubset(sf->psf_effective, PROC_SEC_MASK) ||
!secflags_issubset(sf->psf_upper, PROC_SEC_MASK))
return (B_FALSE);
if (!secflags_issubset(sf->psf_lower, sf->psf_inherit))
return (B_FALSE);
if (!secflags_issubset(sf->psf_lower, sf->psf_upper))
return (B_FALSE);
if (!secflags_issubset(sf->psf_inherit, sf->psf_upper))
return (B_FALSE);
return (B_TRUE);
}
void
psecflags_default(psecflags_t *sf)
{
secflags_zero(&sf->psf_effective);
secflags_zero(&sf->psf_inherit);
secflags_zero(&sf->psf_lower);
secflags_fullset(&sf->psf_upper);
}
static struct flagdesc {
secflag_t value;
const char *name;
} flagdescs[] = {
{ PROC_SEC_ASLR, "aslr" },
{ PROC_SEC_FORBIDNULLMAP, "forbidnullmap" },
{ PROC_SEC_NOEXECSTACK, "noexecstack" },
{ 0x0, NULL }
};
boolean_t
secflag_by_name(const char *str, secflag_t *ret)
{
struct flagdesc *fd;
for (fd = flagdescs; fd->name != NULL; fd++) {
if (strcasecmp(str, fd->name) == 0) {
*ret = fd->value;
return (B_TRUE);
}
}
return (B_FALSE);
}
const char *
secflag_to_str(secflag_t sf)
{
struct flagdesc *fd;
for (fd = flagdescs; fd->name != NULL; fd++) {
if (sf == fd->value)
return (fd->name);
}
return (NULL);
}
void
secflags_to_str(secflagset_t flags, char *buf, size_t buflen)
{
struct flagdesc *fd;
if (buflen >= 1)
buf[0] = '\0';
if (flags == 0) {
(void) strlcpy(buf, "none", buflen);
return;
}
for (fd = flagdescs; fd->name != NULL; fd++) {
if (secflag_isset(flags, fd->value)) {
if (buf[0] != '\0')
(void) strlcat(buf, ",", buflen);
(void) strlcat(buf, fd->name, buflen);
}
secflag_clear(&flags, fd->value);
}
if (flags != 0) { /* unknown flags */
char hexbuf[19]; /* 0x%16 PRIx64 */
(void) snprintf(hexbuf, sizeof (hexbuf), "0x%16" PRIx64, flags);
if (buf[0] != '\0')
(void) strlcat(buf, ",", buflen);
(void) strlcat(buf, hexbuf, buflen);
}
}