/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2015 Gary Mills * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #pragma weak _getprivimplinfo = getprivimplinfo #pragma weak _priv_addset = priv_addset #pragma weak _priv_allocset = priv_allocset #pragma weak _priv_copyset = priv_copyset #pragma weak _priv_delset = priv_delset #pragma weak _priv_emptyset = priv_emptyset #pragma weak _priv_basicset = priv_basicset #pragma weak _priv_fillset = priv_fillset #pragma weak _priv_freeset = priv_freeset #pragma weak _priv_getbyname = priv_getbyname #pragma weak _priv_getbynum = priv_getbynum #pragma weak _priv_getsetbyname = priv_getsetbyname #pragma weak _priv_getsetbynum = priv_getsetbynum #pragma weak _priv_ineffect = priv_ineffect #pragma weak _priv_intersect = priv_intersect #pragma weak _priv_inverse = priv_inverse #pragma weak _priv_isemptyset = priv_isemptyset #pragma weak _priv_isequalset = priv_isequalset #pragma weak _priv_isfullset = priv_isfullset #pragma weak _priv_ismember = priv_ismember #pragma weak _priv_issubset = priv_issubset #pragma weak _priv_set = priv_set #pragma weak _priv_union = priv_union #include "lint.h" #define _STRUCTURED_PROC 1 #include "priv_private.h" #include "mtlib.h" #include "libc.h" #include <errno.h> #include <stdarg.h> #include <stdlib.h> #include <unistd.h> #include <strings.h> #include <synch.h> #include <alloca.h> #include <atomic.h> #include <sys/ucred.h> #include <sys/procfs.h> #include <sys/param.h> #include <sys/corectl.h> #include <priv_utils.h> #include <zone.h> /* Include each string only once - until the compiler/linker are fixed */ static const char *permitted = PRIV_PERMITTED; static const char *effective = PRIV_EFFECTIVE; static const char *limit = PRIV_LIMIT; static const char *inheritable = PRIV_INHERITABLE; /* * Data independent privilege set operations. * * Only a few functions are provided that do not default to * the system implementation of privileges. A limited set of * interfaces is provided that accepts a priv_data_t * * argument; this set of interfaces is a private interface between libc * and libproc. It is delivered in order to interpret privilege sets * in debuggers in a implementation independent way. As such, we * don't need to provide the bulk of the interfaces, only a few * boolean tests (isfull, isempty) the name<->num mappings and * set pretty print functions. The boolean tests are only needed for * the latter, so those aren't provided externally. * * Additionally, we provide the function that maps the kernel implementation * structure into a libc private data structure. */ priv_data_t *privdata; static mutex_t pd_lock = DEFAULTMUTEX; static int parseninfo(priv_info_names_t *na, char ***buf, int *cp) { char *q; int i; *buf = libc_malloc(sizeof (char *) * na->cnt); if (*buf == NULL) return (-1); q = na->names; for (i = 0; i < na->cnt; i++) { int l = strlen(q); (*buf)[i] = q; q += l + 1; } *cp = na->cnt; return (0); } struct strint { char *name; int rank; }; static int strintcmp(const void *a, const void *b) { const struct strint *ap = a; const struct strint *bp = b; return (strcasecmp(ap->name, bp->name)); } priv_data_t * __priv_parse_info(priv_impl_info_t *ip) { priv_data_t *tmp; char *x; size_t size = PRIV_IMPL_INFO_SIZE(ip); int i; tmp = libc_malloc(sizeof (*tmp)); if (tmp == NULL) return (NULL); (void) memset(tmp, 0, sizeof (*tmp)); tmp->pd_pinfo = ip; tmp->pd_setsize = sizeof (priv_chunk_t) * ip->priv_setsize; tmp->pd_ucredsize = UCRED_SIZE(ip); x = (char *)ip; x += ip->priv_headersize; while (x < ((char *)ip) + size) { /* LINTED: alignment */ priv_info_names_t *na = (priv_info_names_t *)x; /* LINTED: alignment */ priv_info_set_t *st = (priv_info_set_t *)x; struct strint *tmparr; switch (na->info.priv_info_type) { case PRIV_INFO_SETNAMES: if (parseninfo(na, &tmp->pd_setnames, &tmp->pd_nsets)) goto out; break; case PRIV_INFO_PRIVNAMES: if (parseninfo(na, &tmp->pd_privnames, &tmp->pd_nprivs)) goto out; /* * We compute a sorted index which allows us * to present a sorted list of privileges * without actually having to sort it each time. */ tmp->pd_setsort = libc_malloc(tmp->pd_nprivs * sizeof (int)); if (tmp->pd_setsort == NULL) goto out; tmparr = libc_malloc(tmp->pd_nprivs * sizeof (struct strint)); if (tmparr == NULL) goto out; for (i = 0; i < tmp->pd_nprivs; i++) { tmparr[i].rank = i; tmparr[i].name = tmp->pd_privnames[i]; } qsort(tmparr, tmp->pd_nprivs, sizeof (struct strint), strintcmp); for (i = 0; i < tmp->pd_nprivs; i++) tmp->pd_setsort[i] = tmparr[i].rank; libc_free(tmparr); break; case PRIV_INFO_BASICPRIVS: tmp->pd_basicset = (priv_set_t *)&st->set[0]; break; default: /* unknown, ignore */ break; } x += na->info.priv_info_size; } return (tmp); out: libc_free(tmp->pd_setnames); libc_free(tmp->pd_privnames); libc_free(tmp->pd_setsort); libc_free(tmp); return (NULL); } /* * Caller must have allocated d->pd_pinfo and should free it, * if necessary. */ void __priv_free_info(priv_data_t *d) { libc_free(d->pd_setnames); libc_free(d->pd_privnames); libc_free(d->pd_setsort); libc_free(d); } /* * Return with the pd_lock held and data loaded or indicate failure. */ int lock_data(void) { if (__priv_getdata() == NULL) return (-1); lmutex_lock(&pd_lock); return (0); } boolean_t refresh_data(void) { priv_impl_info_t *ip, ii; priv_data_t *tmp; char *p0, *q0; int oldn, newn; int i; if (getprivinfo(&ii, sizeof (ii)) != 0 || ii.priv_max == privdata->pd_nprivs) return (B_FALSE); ip = alloca(PRIV_IMPL_INFO_SIZE(&ii)); (void) getprivinfo(ip, PRIV_IMPL_INFO_SIZE(&ii)); /* Parse the info; then copy the additional bits */ tmp = __priv_parse_info(ip); if (tmp == NULL) return (B_FALSE); oldn = privdata->pd_nprivs; p0 = privdata->pd_privnames[0]; newn = tmp->pd_nprivs; q0 = tmp->pd_privnames[0]; /* copy the extra information to the old datastructure */ (void) memcpy((char *)privdata->pd_pinfo + sizeof (priv_impl_info_t), (char *)ip + sizeof (priv_impl_info_t), PRIV_IMPL_INFO_SIZE(ip) - sizeof (priv_impl_info_t)); /* Copy the first oldn pointers */ (void) memcpy(tmp->pd_privnames, privdata->pd_privnames, oldn * sizeof (char *)); /* Adjust the rest */ for (i = oldn; i < newn; i++) tmp->pd_privnames[i] += p0 - q0; /* Install the larger arrays */ libc_free(privdata->pd_privnames); privdata->pd_privnames = tmp->pd_privnames; tmp->pd_privnames = NULL; libc_free(privdata->pd_setsort); privdata->pd_setsort = tmp->pd_setsort; tmp->pd_setsort = NULL; /* Copy the rest of the data */ *privdata->pd_pinfo = *ip; privdata->pd_nprivs = newn; __priv_free_info(tmp); return (B_TRUE); } void unlock_data(void) { lmutex_unlock(&pd_lock); } static priv_set_t *__priv_allocset(priv_data_t *); priv_data_t * __priv_getdata(void) { if (privdata == NULL) { lmutex_lock(&pd_lock); if (privdata == NULL) { priv_data_t *tmp; priv_impl_info_t *ip; size_t size = sizeof (priv_impl_info_t) + 2048; size_t realsize; priv_impl_info_t *aip = alloca(size); if (getprivinfo(aip, size) != 0) goto out; realsize = PRIV_IMPL_INFO_SIZE(aip); ip = libc_malloc(realsize); if (ip == NULL) goto out; if (realsize <= size) { (void) memcpy(ip, aip, realsize); } else if (getprivinfo(ip, realsize) != 0) { libc_free(ip); goto out; } if ((tmp = __priv_parse_info(ip)) == NULL) { libc_free(ip); goto out; } /* Allocate the zoneset just once, here */ tmp->pd_zoneset = __priv_allocset(tmp); if (tmp->pd_zoneset == NULL) goto clean; if (zone_getattr(getzoneid(), ZONE_ATTR_PRIVSET, tmp->pd_zoneset, tmp->pd_setsize) == tmp->pd_setsize) { membar_producer(); privdata = tmp; goto out; } priv_freeset(tmp->pd_zoneset); clean: __priv_free_info(tmp); libc_free(ip); } out: lmutex_unlock(&pd_lock); } membar_consumer(); return (privdata); } const priv_impl_info_t * getprivimplinfo(void) { priv_data_t *d; LOADPRIVDATA(d); return (d->pd_pinfo); } static priv_set_t * priv_vlist(va_list ap) { priv_set_t *pset = priv_allocset(); const char *priv; if (pset == NULL) return (NULL); priv_emptyset(pset); while ((priv = va_arg(ap, const char *)) != NULL) { if (priv_addset(pset, priv) < 0) { priv_freeset(pset); return (NULL); } } return (pset); } /* * priv_set(op, set, priv_id1, priv_id2, ..., NULL) * * Library routine to enable a user process to set a specific * privilege set appropriately using a single call. User is * required to terminate the list of privileges with NULL. */ int priv_set(priv_op_t op, priv_ptype_t setname, ...) { va_list ap; priv_set_t *pset; int ret; va_start(ap, setname); pset = priv_vlist(ap); va_end(ap); if (pset == NULL) return (-1); /* All sets */ if (setname == NULL) { priv_data_t *d; int set; LOADPRIVDATA(d); for (set = 0; set < d->pd_nsets; set++) if ((ret = syscall(SYS_privsys, PRIVSYS_SETPPRIV, op, set, (void *)pset, d->pd_setsize)) != 0) break; } else { ret = setppriv(op, setname, pset); } priv_freeset(pset); return (ret); } /* * priv_ineffect(privilege). * tests the existence of a privilege against the effective set. */ boolean_t priv_ineffect(const char *priv) { priv_set_t *curset; boolean_t res; curset = priv_allocset(); if (curset == NULL) return (B_FALSE); if (getppriv(effective, curset) != 0 || !priv_ismember(curset, priv)) res = B_FALSE; else res = B_TRUE; priv_freeset(curset); return (res); } /* * The routine __init_daemon_priv() is private to Solaris and is * used by daemons to limit the privileges they can use and * to set the uid they run under. */ static const char root_cp[] = "/core.%f.%t"; static const char daemon_cp[] = "/var/tmp/core.%f.%t"; int __init_daemon_priv(int flags, uid_t uid, gid_t gid, ...) { priv_set_t *nset; priv_set_t *perm = NULL; va_list pa; priv_data_t *d; int ret = -1; char buf[1024]; LOADPRIVDATA(d); va_start(pa, gid); nset = priv_vlist(pa); va_end(pa); if (nset == NULL) return (-1); /* Always add the basic set */ if (d->pd_basicset != NULL) priv_union(d->pd_basicset, nset); /* * This is not a significant failure: it allows us to start programs * with sufficient privileges and with the proper uid. We don't * care enough about the extra groups in that case. */ if (flags & PU_RESETGROUPS) (void) setgroups(0, NULL); if (gid != (gid_t)-1 && setgid(gid) != 0) goto end; perm = priv_allocset(); if (perm == NULL) goto end; /* E = P */ (void) getppriv(permitted, perm); (void) setppriv(PRIV_SET, effective, perm); /* Now reset suid and euid */ if (uid != (uid_t)-1 && setreuid(uid, uid) != 0) goto end; /* Check for the limit privs */ if ((flags & PU_LIMITPRIVS) && setppriv(PRIV_SET, limit, nset) != 0) goto end; if (flags & PU_CLEARLIMITSET) { priv_emptyset(perm); if (setppriv(PRIV_SET, limit, perm) != 0) goto end; } /* Remove the privileges from all the other sets */ if (setppriv(PRIV_SET, permitted, nset) != 0) goto end; if (!(flags & PU_INHERITPRIVS)) priv_emptyset(nset); ret = setppriv(PRIV_SET, inheritable, nset); end: priv_freeset(nset); priv_freeset(perm); if (core_get_process_path(buf, sizeof (buf), getpid()) == 0 && strcmp(buf, "core") == 0) { if ((uid == (uid_t)-1 ? geteuid() : uid) == 0) { (void) core_set_process_path(root_cp, sizeof (root_cp), getpid()); } else { (void) core_set_process_path(daemon_cp, sizeof (daemon_cp), getpid()); } } (void) setpflags(__PROC_PROTECT, 0); return (ret); } /* * The routine __fini_daemon_priv() is private to Solaris and is * used by daemons to clear remaining unwanted privileges and * reenable core dumps. */ void __fini_daemon_priv(const char *priv, ...) { priv_set_t *nset; va_list pa; if (priv != NULL) { va_start(pa, priv); nset = priv_vlist(pa); va_end(pa); if (nset == NULL) return; (void) priv_addset(nset, priv); (void) setppriv(PRIV_OFF, permitted, nset); priv_freeset(nset); } (void) setpflags(__PROC_PROTECT, 0); } /* * The routine __init_suid_priv() is private to Solaris and is * used by set-uid root programs to limit the privileges acquired * to those actually needed. */ static priv_set_t *bracketpriv; int __init_suid_priv(int flags, ...) { priv_set_t *nset = NULL; priv_set_t *tmpset = NULL; va_list pa; int r = -1; uid_t ruid, euid; euid = geteuid(); /* If we're not set-uid root, don't reset the uid */ if (euid == 0) { ruid = getuid(); /* If we're running as root, keep everything */ if (ruid == 0) return (0); } /* Can call this only once */ if (bracketpriv != NULL) return (-1); va_start(pa, flags); nset = priv_vlist(pa); va_end(pa); if (nset == NULL) goto end; tmpset = priv_allocset(); if (tmpset == NULL) goto end; /* We cannot grow our privileges beyond P, so start there */ (void) getppriv(permitted, tmpset); /* Is the privilege we need even in P? */ if (!priv_issubset(nset, tmpset)) goto end; bracketpriv = priv_allocset(); if (bracketpriv == NULL) goto end; priv_copyset(nset, bracketpriv); /* Always add the basic set */ priv_union(priv_basic(), nset); /* But don't add what we don't have */ priv_intersect(tmpset, nset); (void) getppriv(inheritable, tmpset); /* And stir in the inheritable privileges */ priv_union(tmpset, nset); if ((r = setppriv(PRIV_SET, effective, tmpset)) != 0) goto end; if ((r = setppriv(PRIV_SET, permitted, nset)) != 0) goto end; if (flags & PU_CLEARLIMITSET) priv_emptyset(nset); if ((flags & (PU_LIMITPRIVS|PU_CLEARLIMITSET)) != 0 && (r = setppriv(PRIV_SET, limit, nset)) != 0) goto end; if (euid == 0) r = setreuid(ruid, ruid); end: priv_freeset(tmpset); priv_freeset(nset); if (r != 0) { /* Fail without leaving uid 0 around */ if (euid == 0) (void) setreuid(ruid, ruid); priv_freeset(bracketpriv); bracketpriv = NULL; } return (r); } /* * Toggle privileges on/off in the effective set. */ int __priv_bracket(priv_op_t op) { /* We're running fully privileged or didn't check errors first time */ if (bracketpriv == NULL) return (0); /* Only PRIV_ON and PRIV_OFF are valid */ if (op == PRIV_SET) return (-1); return (setppriv(op, effective, bracketpriv)); } /* * Remove privileges from E & P. */ void __priv_relinquish(void) { if (bracketpriv != NULL) { (void) setppriv(PRIV_OFF, permitted, bracketpriv); priv_freeset(bracketpriv); bracketpriv = NULL; } } /* * Use binary search on the ordered list. */ int __priv_getbyname(const priv_data_t *d, const char *name) { char *const *list; const int *order; int lo = 0; int hi; if (d == NULL) return (-1); list = d->pd_privnames; order = d->pd_setsort; hi = d->pd_nprivs - 1; if (strncasecmp(name, "priv_", 5) == 0) name += 5; do { int mid = (lo + hi) / 2; int res = strcasecmp(name, list[order[mid]]); if (res == 0) return (order[mid]); else if (res < 0) hi = mid - 1; else lo = mid + 1; } while (lo <= hi); errno = EINVAL; return (-1); } int priv_getbyname(const char *name) { WITHPRIVLOCKED(int, -1, __priv_getbyname(GETPRIVDATA(), name)) } int __priv_getsetbyname(const priv_data_t *d, const char *name) { int i; int n = d->pd_nsets; char *const *list = d->pd_setnames; if (strncasecmp(name, "priv_", 5) == 0) name += 5; for (i = 0; i < n; i++) { if (strcasecmp(list[i], name) == 0) return (i); } errno = EINVAL; return (-1); } int priv_getsetbyname(const char *name) { /* Not locked: sets don't change */ return (__priv_getsetbyname(GETPRIVDATA(), name)); } static const char * priv_bynum(int i, int n, char **list) { if (i < 0 || i >= n) return (NULL); return (list[i]); } const char * __priv_getbynum(const priv_data_t *d, int num) { if (d == NULL) return (NULL); return (priv_bynum(num, d->pd_nprivs, d->pd_privnames)); } const char * priv_getbynum(int num) { WITHPRIVLOCKED(const char *, NULL, __priv_getbynum(GETPRIVDATA(), num)) } const char * __priv_getsetbynum(const priv_data_t *d, int num) { if (d == NULL) return (NULL); return (priv_bynum(num, d->pd_nsets, d->pd_setnames)); } const char * priv_getsetbynum(int num) { return (__priv_getsetbynum(GETPRIVDATA(), num)); } /* * Privilege manipulation functions * * Without knowing the details of the privilege set implementation, * opaque pointers can be used to manipulate sets at will. */ static priv_set_t * __priv_allocset(priv_data_t *d) { if (d == NULL) return (NULL); return (libc_malloc(d->pd_setsize)); } priv_set_t * priv_allocset(void) { return (__priv_allocset(GETPRIVDATA())); } void priv_freeset(priv_set_t *p) { int er = errno; libc_free(p); errno = er; } void __priv_emptyset(priv_data_t *d, priv_set_t *set) { (void) memset(set, 0, d->pd_setsize); } void priv_emptyset(priv_set_t *set) { __priv_emptyset(GETPRIVDATA(), set); } void priv_basicset(priv_set_t *set) { priv_copyset(priv_basic(), set); } void __priv_fillset(priv_data_t *d, priv_set_t *set) { (void) memset(set, ~0, d->pd_setsize); } void priv_fillset(priv_set_t *set) { __priv_fillset(GETPRIVDATA(), set); } #define PRIV_TEST_BODY_D(d, test) \ int i; \ \ for (i = d->pd_pinfo->priv_setsize; i-- > 0; ) \ if (!(test)) \ return (B_FALSE); \ \ return (B_TRUE) boolean_t priv_isequalset(const priv_set_t *a, const priv_set_t *b) { priv_data_t *d; LOADPRIVDATA(d); return ((boolean_t)(memcmp(a, b, d->pd_setsize) == 0)); } boolean_t __priv_isemptyset(priv_data_t *d, const priv_set_t *set) { PRIV_TEST_BODY_D(d, ((priv_chunk_t *)set)[i] == 0); } boolean_t priv_isemptyset(const priv_set_t *set) { return (__priv_isemptyset(GETPRIVDATA(), set)); } boolean_t __priv_isfullset(priv_data_t *d, const priv_set_t *set) { PRIV_TEST_BODY_D(d, ((priv_chunk_t *)set)[i] == ~(priv_chunk_t)0); } boolean_t priv_isfullset(const priv_set_t *set) { return (__priv_isfullset(GETPRIVDATA(), set)); } /* * Return true if a is a subset of b */ boolean_t __priv_issubset(priv_data_t *d, const priv_set_t *a, const priv_set_t *b) { PRIV_TEST_BODY_D(d, (((priv_chunk_t *)a)[i] | ((priv_chunk_t *)b)[i]) == ((priv_chunk_t *)b)[i]); } boolean_t priv_issubset(const priv_set_t *a, const priv_set_t *b) { return (__priv_issubset(GETPRIVDATA(), a, b)); } #define PRIV_CHANGE_BODY(a, op, b) \ int i; \ priv_data_t *d; \ \ LOADPRIVDATA(d); \ \ for (i = 0; i < d->pd_pinfo->priv_setsize; i++) \ ((priv_chunk_t *)a)[i] op \ ((priv_chunk_t *)b)[i] /* B = A ^ B */ void priv_intersect(const priv_set_t *a, priv_set_t *b) { /* CSTYLED */ PRIV_CHANGE_BODY(b, &=, a); } /* B = A */ void priv_copyset(const priv_set_t *a, priv_set_t *b) { /* CSTYLED */ PRIV_CHANGE_BODY(b, =, a); } /* B = A v B */ void priv_union(const priv_set_t *a, priv_set_t *b) { /* CSTYLED */ PRIV_CHANGE_BODY(b, |=, a); } /* A = ! A */ void priv_inverse(priv_set_t *a) { PRIV_CHANGE_BODY(a, = ~, a); } /* * Manipulating single privileges. */ int priv_addset(priv_set_t *a, const char *p) { int priv = priv_getbyname(p); if (priv < 0) return (-1); PRIV_ADDSET(a, priv); return (0); } int priv_delset(priv_set_t *a, const char *p) { int priv = priv_getbyname(p); if (priv < 0) return (-1); PRIV_DELSET(a, priv); return (0); } boolean_t priv_ismember(const priv_set_t *a, const char *p) { int priv = priv_getbyname(p); if (priv < 0) return (B_FALSE); return ((boolean_t)PRIV_ISMEMBER(a, priv)); }