1.\" 2.\" This file and its contents are supplied under the terms of the 3.\" Common Development and Distribution License ("CDDL"), version 1.0. 4.\" You may only use this file in accordance with the terms of version 5.\" 1.0 of the CDDL. 6.\" 7.\" A full copy of the text of the CDDL should have accompanied this 8.\" source. A copy of the CDDL is also available via the Internet at 9.\" http://www.illumos.org/license/CDDL. 10.\" 11.\" 12.\" Copyright 2020 Nexenta by DDN, Inc. All rights reserved. 13.\" 14.Dd August 22, 2023 15.Dt CREDENTIALS 9F 16.Os 17.Sh NAME 18.Nm credentials , 19.Nm CRED , 20.Nm crdup , 21.Nm crfree , 22.Nm crget , 23.Nm crhold , 24.Nm kcred , 25.Nm zone_kcred 26.Nd Functions for obtaining credentials in the kernel 27.Sh SYNOPSIS 28.In sys/cred.h 29.Ft "cred_t *" 30.Fo CRED 31.Fc 32.Ft "cred_t *" 33.Fo crdup 34.Fa "cred_t *cr" 35.Fc 36.Ft "void" 37.Fo crfree 38.Fa "cred_t *cr" 39.Fc 40.Ft "cred_t *" 41.Fo crget 42.Fc 43.Ft "void" 44.Fo crhold 45.Fa "cred_t *cr" 46.Fc 47.Ft "cred_t *" 48.Fo zone_kcred 49.Fc 50.Vt cred_t *kcred 51.Sh INTERFACE LEVEL 52.Sy Volatile - 53This interface is still evolving in illumos. 54API and ABI stability is not guaranteed. 55.Sh PARAMETERS 56.Bl -tag -width Fa 57.It Fa cr 58pointer to the user credential structure. 59.El 60.Sh DESCRIPTION 61Some kernel interfaces require a credential as an argument. 62This page documents the credentials available in the system, 63as well as interfaces for creating new credentials. 64.Pp 65Most users do not need to create new credentials. 66Instead, users should generally use the credentials of the executing context. 67.Pp 68This interface is primarily intended for services that must perform operations 69on behalf of multiple remotely authenticated users, whose authentication context 70is unrelated to the context of the executing thread or process. 71Drivers MUST NOT create new credentials. 72Drivers should use the provided credential. 73.Pp 74For functions that do not return new credentials, 75if the credentials will be used outside of their context 76.Po 77i.e. if the output of 78.Fn zone_kcred 79is referenced outside of the zone 80.Pc , 81then one should use 82.Fn crdup 83or 84.Fn crhold 85to ensure that the credentials remain valid. 86.Ss Fn CRED 87The 88.Fn CRED 89function returns the credential of the calling thread. 90Its contents depend on the calling context (user, kernel, interrupt). 91.Ss Fn crdup 92.Fn crdup 93returns a newly-allocated copy of 94.Fa cr 95with reference count of 1. 96It sleeps until the allocation succeeds. 97.Ss Fn crfree 98.Fn crfree 99releases a reference to 100.Fa cr . 101If this is the last reference, the credential is destroyed. 102.Ss Fn crhold 103.Fn crhold 104takes a reference to 105.Fa cr . 106.Ss Va kcred 107.Va kcred 108is the root credential of the global zone. 109Its UIDs and GIDs are all 0. 110It has the following privilege sets by default: 111.Bd -literal -offset indent 112E: basic,proc_secflags 113I: basic,proc_secflags 114P: basic,proc_secflags 115L: all 116.Ed 117.Pp 118.Dv NET_MAC_AWARE 119is set in the credential's flags. 120It is not marked privilege-aware. 121.Pp 122.Va kcred 123will never be freed by the system. 124.Ss Fn zone_kcred 125The 126.Fn zone_kcred 127function returns the root credential of the zone to which the calling thread 128belongs. 129This cred is derived from the global kcred, minus any privileges denied to the 130zone. 131.Ss Fn crget 132The 133.Fn crget 134function returns a copy of 135.Fn zone_kcred 136suitable for modification by the caller. 137This is useful for obtaining a default, 138well-initialized credential in the appropriate zone context, 139that is free of privileges or limitations of the originating thread. 140It must be freed with 141.Fn crfree . 142It sleeps until the allocation succeeds. 143.Ss Considerations 144.Va kcred 145and 146.Fn zone_kcred 147are not privilege-aware, and have all IDs set to 0. 148This causes their Limit set to be used in place of the Effective and Permitted 149sets, which significantly expands their privileges. 150.Pp 151If the output of 152.Fn crget 153is not later marked as privilege aware, and its UID is not set to a non-zero 154value, then its Limit set will be used in place of its Effective and Permitted 155sets, significantly expanding its privileges. 156Callers should either mark the credential as privilege-aware, 157reduce the Limit set appropriately, 158or ensure that they intend for zero-uid users to have expanded privileges. 159.Pp 160.Va kcred , 161.Fn zone_kcred , 162and 163.Fn CRED 164are not suitable for modification by the caller. 165Callers must use 166.Fn crdup 167to create a copy of these credentials that are suitable for modification. 168.Pp 169Callers of 170.Fn zone_kcred 171and 172.Fn crget 173must take care to ensure that the calling thread is 174executing in the context of the appropriate zone. 175If the thread is performing work on behalf of a different zone, 176or if one is uncertain of the zone context of the calling thread, 177then one should find the appropriate zone by other means, and reference 178.Em zone->zone_kcred 179explicitly. 180.Sh CONTEXT 181These functions can be called from 182.Sy user 183and 184.Sy kernel 185contexts. 186.Sh RETURN VALUES 187.Fn zone_kcred 188and 189.Fn CRED 190return a pointer to a 191.Vt cred_t 192that should not be modified. 193.Pp 194.Fn crget 195and 196.Fn crdup 197return a pointer to a newly allocated 198.Vt cred_t . 199.Pp 200.Fn zone_kcred , 201.Fn CRED , 202.Fn crdup , 203and 204.Fn crget 205can never fail, and always return a valid credential. 206.Sh SEE ALSO 207.Xr ddi_cred 9f 208