/*
 * Copyright (c) 2006 Chad Mynhier.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
16761efaa7SDag-Erling Smørgrav
17761efaa7SDag-Erling Smørgrav #include "config.h"
18761efaa7SDag-Erling Smørgrav #include "includes.h"
19761efaa7SDag-Erling Smørgrav
20761efaa7SDag-Erling Smørgrav #include <sys/types.h>
21761efaa7SDag-Erling Smørgrav #include <sys/stat.h>
22761efaa7SDag-Erling Smørgrav
23761efaa7SDag-Erling Smørgrav #include <errno.h>
24761efaa7SDag-Erling Smørgrav #ifdef HAVE_FCNTL_H
25761efaa7SDag-Erling Smørgrav # include <fcntl.h>
26761efaa7SDag-Erling Smørgrav #endif
27761efaa7SDag-Erling Smørgrav #include <stdarg.h>
28761efaa7SDag-Erling Smørgrav #include <string.h>
29761efaa7SDag-Erling Smørgrav #include <unistd.h>
30761efaa7SDag-Erling Smørgrav
3119261079SEd Maste #include "log.h"
3219261079SEd Maste
3319261079SEd Maste #ifdef USE_SOLARIS_PROCESS_CONTRACTS
3419261079SEd Maste
35761efaa7SDag-Erling Smørgrav #include <libcontract.h>
36761efaa7SDag-Erling Smørgrav #include <sys/contract/process.h>
37761efaa7SDag-Erling Smørgrav #include <sys/ctfs.h>
38761efaa7SDag-Erling Smørgrav
/*
 * Paths below CTFS_ROOT used by the process-contract helpers in this file:
 * the template opened by solaris_contract_pre_fork() and the "latest"
 * status file read by get_active_process_contract_id().
 */
#define CT_TEMPLATE	CTFS_ROOT "/process/template"
#define CT_LATEST	CTFS_ROOT "/process/latest"

/*
 * Descriptor of the open contract template, or -1 when none is open.
 * Set by solaris_contract_pre_fork() and reset to -1 by the post-fork
 * helpers once they have closed it.
 */
static int tmpl_fd = -1;
43761efaa7SDag-Erling Smørgrav
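/*
 * Look up the id of the latest process contract by reading the status of
 * the ctfs "latest" file (CT_LATEST).
 *
 * Returns the contract id on success.  On failure an error is logged and a
 * negative value is returned; callers must check for that before building a
 * ctfs path from the result.
 */
static ctid_t
get_active_process_contract_id(void)
{
	int stat_fd;
	ctid_t ctid = -1;
	ct_stathdl_t stathdl;

	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
		error("%s: Error opening 'latest' process "
		    "contract: %s", __func__, strerror(errno));
		return -1;
	}
	/* stathdl is only filled in, and only needs freeing, if this succeeds. */
	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
		error("%s: Error reading process contract "
		    "status: %s", __func__, strerror(errno));
		goto out;
	}
	if ((ctid = ct_status_get_id(stathdl)) < 0) {
		error("%s: Error getting process contract id: %s",
		    __func__, strerror(errno));
	}

	/*
	 * Release the status handle on the failure path too; jumping straight
	 * to "out" from the id check would leak it.
	 */
	ct_status_free(stathdl);
 out:
	close(stat_fd);
	return ctid;
}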
73761efaa7SDag-Erling Smørgrav
/*
 * Called before fork(): open the process contract template, configure it
 * and make it the active template for this process.
 *
 * On success tmpl_fd holds the open template descriptor for the post-fork
 * helpers.  On any failure the error is logged, the descriptor is closed
 * and tmpl_fd is left at -1; the function itself reports nothing to its
 * caller.
 */
void
solaris_contract_pre_fork(void)
{
	tmpl_fd = open64(CT_TEMPLATE, O_RDWR);
	if (tmpl_fd == -1) {
		error("%s: open %s: %s", __func__,
		    CT_TEMPLATE, strerror(errno));
		return;
	}

	debug2("%s: setting up process contract template on fd %d",
	    __func__, tmpl_fd);

	/*
	 * Configure the template in a fixed order: parameter set
	 * (CT_PR_PGRPONLY), fatal events (CT_PR_EV_HWERR), critical events
	 * (none), informative events (CT_PR_EV_HWERR), and only then
	 * activate it.  The first step that fails stops the sequence.
	 */
	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
		error("%s: Error setting process contract parameter set "
		    "(pgrponly): %s", __func__, strerror(errno));
	} else if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "fatal events: %s", __func__, strerror(errno));
	} else if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
		error("%s: Error setting process contract template "
		    "critical events: %s", __func__, strerror(errno));
	} else if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "informative events: %s", __func__, strerror(errno));
	} else if (ct_tmpl_activate(tmpl_fd) != 0) {
		error("%s: Error activating process contract "
		    "template: %s", __func__, strerror(errno));
	} else {
		/* Template is active; keep tmpl_fd open for the post-fork step. */
		return;
	}

	/* A step failed: drop the half-configured template. */
	close(tmpl_fd);
	tmpl_fd = -1;
}
122761efaa7SDag-Erling Smørgrav
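/*
 * Child side of the fork: clear the active process contract template and
 * close the template descriptor.
 *
 * Does nothing beyond the debug message when no template is open
 * (tmpl_fd == -1, which is what solaris_contract_pre_fork() leaves behind
 * on failure).  Without that guard the child would call ct_tmpl_clear()
 * and close() on -1 and log a misleading error.  The same guard exists in
 * solaris_contract_post_fork_parent().
 */
void
solaris_contract_post_fork_child(void)
{
	debug2("%s: clearing process contract template on fd %d",
	    __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* Clear the active template. */
	if (ct_tmpl_clear(tmpl_fd) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;
}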
137761efaa7SDag-Erling Smørgrav
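/*
 * Parent side of the fork: clear and close the contract template, then
 * look up the contract that the fork created and abandon it.
 *
 * pid is the value fork() returned in the parent; nothing is abandoned when
 * it is <= 0.  All failures are logged and otherwise ignored, so a contract
 * that could not be abandoned is only visible in the error log.
 */
void
solaris_contract_post_fork_parent(pid_t pid)
{
	ctid_t ctid;
	char ctl_path[256];
	int r, ctl_fd = -1;

	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* First clear the active template. */
	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;

	/*
	 * If either the fork didn't succeed (pid <= 0), or clearing
	 * the active template failed (r != 0), then we have nothing
	 * more to do.
	 */
	if (r != 0 || pid <= 0)
		return;

	/*
	 * Now look up and abandon the contract we've created.  The lookup
	 * logs its own error; stop here on failure instead of building a
	 * ctl path from a negative id.
	 */
	if ((ctid = get_active_process_contract_id()) < 0)
		return;

	/* ctid_t's width is not visible here, so cast to match %ld. */
	debug2("%s: abandoning contract id %ld", __func__, (long)ctid);

	snprintf(ctl_path, sizeof(ctl_path),
	    CTFS_ROOT "/process/%ld/ctl", (long)ctid);
	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
		error("%s: Error opening process contract "
		    "ctl file: %s", __func__, strerror(errno));
		return;
	}
	/*
	 * Tested against 0 like every other libcontract call in this file;
	 * a "< 0" test would miss a failure reported as a positive value.
	 */
	if (ct_ctl_abandon(ctl_fd) != 0)
		error("%s: Error abandoning process contract: %s",
		    __func__, strerror(errno));

	/* tmpl_fd was already closed above, so ctl_fd is all that is left. */
	close(ctl_fd);
}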
196761efaa7SDag-Erling Smørgrav #endif
1974a421b63SDag-Erling Smørgrav
1984a421b63SDag-Erling Smørgrav #ifdef USE_SOLARIS_PROJECTS
1994a421b63SDag-Erling Smørgrav #include <sys/task.h>
2004a421b63SDag-Erling Smørgrav #include <project.h>
2014a421b63SDag-Erling Smørgrav
/*
 * Look up the default Solaris project of the user described by pw and
 * switch to it with setproject(..., TASK_NORMAL).
 *
 * Best effort by design: a failed lookup or a failed setproject() is only
 * written to the debug log and the function returns normally.
 * NOTE(review): because nothing is reported to the caller, the session
 * presumably carries on in whatever project the process already had;
 * confirm that this is acceptable where project resource controls are
 * relied on.
 */
void
solaris_set_default_project(struct passwd *pw)
{
	struct project proj_storage;
	struct project *proj;
	char lookup_buf[1024];

	proj = getdefaultproj(pw->pw_name, &proj_storage, lookup_buf,
	    sizeof(lookup_buf));
	if (proj == NULL) {
		/* No default project could be found; carry on without one. */
		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
		return;
	}

	if (setproject(proj->pj_name, pw->pw_name, TASK_NORMAL) != 0)
		debug("setproject(%s): %s", proj->pj_name,
		    strerror(errno));
}
2264a421b63SDag-Erling Smørgrav #endif /* USE_SOLARIS_PROJECTS */
227acc1a9efSDag-Erling Smørgrav
228acc1a9efSDag-Erling Smørgrav #ifdef USE_SOLARIS_PRIVS
229acc1a9efSDag-Erling Smørgrav # ifdef HAVE_PRIV_H
230acc1a9efSDag-Erling Smørgrav # include <priv.h>
231acc1a9efSDag-Erling Smørgrav # endif
232acc1a9efSDag-Erling Smørgrav
/*
 * Build a privilege set holding the "basic" privileges.
 *
 * Uses priv_allocset() + priv_basicset() when HAVE_PRIV_BASICSET is
 * defined, otherwise priv_str_to_set("basic", ...).
 *
 * Returns the new set, or NULL after logging an error.  The callers in
 * this file release the set with priv_freeset().
 */
priv_set_t *
solaris_basic_privset(void)
{
	priv_set_t *basic;

#ifdef HAVE_PRIV_BASICSET
	basic = priv_allocset();
	if (basic == NULL) {
		error("priv_allocset: %s", strerror(errno));
		return NULL;
	}
	priv_basicset(basic);
#else
	basic = priv_str_to_set("basic", ",", NULL);
	if (basic == NULL) {
		error("priv_str_to_set: %s", strerror(errno));
		return NULL;
	}
#endif
	return basic;
}
252acc1a9efSDag-Erling Smørgrav
/*
 * Reduce this process's privilege sets to "basic" plus the file DAC
 * privileges, minus exec, fork, proc-info, proc-session and (where the
 * platform defines it) net-access.
 *
 * The Limit set is written first, then Permitted and Inheritable, and the
 * order matters.  Every failure ends in fatal(), so the function never
 * returns with the sets partly changed.
 * NOTE(review): the Effective set is never written explicitly here;
 * presumably it shrinks together with the Permitted set. Confirm against
 * setppriv(2).
 */
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	priv_set_t *pset = NULL, *npset = NULL;

	/*
	 * Note: this variant avoids dropping DAC filesystem rights, in case
	 * the process calling it is running as root and should have the
	 * ability to read/write/chown any file on the system.
	 *
	 * We start with the basic set, then *add* the DAC rights to it while
	 * taking away other parts of BASIC we don't need.  Then we intersect
	 * this with our existing PERMITTED set.  In this way we keep any
	 * DAC rights we had before, while otherwise reducing ourselves to
	 * the minimum set of privileges we need to proceed.
	 *
	 * This also means we drop any other parts of "root" that we don't
	 * need (e.g. the ability to kill any process, create new device nodes
	 * etc etc).
	 */

	/* pset is scratch space for the current sets; npset is the target set. */
	if ((pset = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	if ((npset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	/* Add the file ownership/DAC privileges to the target set. */
	if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
	    priv_addset(npset, PRIV_FILE_OWNER) != 0)
		fatal("priv_addset: %s", strerror(errno));

	/*
	 * Remove what this process must not do any more.  PRIV_NET_ACCESS is
	 * only removed when the build platform defines it; on other
	 * platforms this function does not restrict network access.
	 */
	if (priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(npset, PRIV_PROC_FORK) != 0 ||
	    priv_delset(npset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(npset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

#ifdef PRIV_XPOLICY
	/*
	 * It is possible that the user has an extended policy
	 * in place; the LIMIT set restricts the extended policy
	 * and so should not be restricted.
	 * PRIV_XPOLICY is newly defined in Solaris 11 though the extended
	 * policy was not implemented until Solaris 11.1.
	 */
	if (getpflags(PRIV_XPOLICY) == 1) {
		/*
		 * Extended policy active: intersect the target set with the
		 * current Limit set and install the result as the new Limit
		 * set.  npset stays narrowed by this for the steps below.
		 */
		if (getppriv(PRIV_LIMIT, pset) != 0)
			fatal("getppriv: %s", strerror(errno));
		priv_intersect(pset, npset);
		if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
			fatal("setppriv: %s", strerror(errno));
	} else
#endif
	{
		/* Cannot exec, so we can kill the limit set. */
		priv_emptyset(pset);
		if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
			fatal("setppriv: %s", strerror(errno));
	}

	/* Re-use pset to fetch the Permitted set we currently hold. */
	if (getppriv(PRIV_PERMITTED, pset) != 0)
		fatal("getppriv: %s", strerror(errno));

	/*
	 * Intersect so that nothing is requested beyond what is already
	 * permitted; npset, the set applied next, carries the result.
	 */
	priv_intersect(pset, npset);

	if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
	priv_freeset(npset);
}
330acc1a9efSDag-Erling Smørgrav
/*
 * Replace the Permitted, Limit and Inheritable sets of this process with
 * "basic" minus file-link-any, proc-info, proc-session and (where the
 * platform defines it) net-access.
 *
 * Every failure ends in fatal().  When PRIV_NET_ACCESS is not defined at
 * build time, network access is not restricted by this function.
 */
void
solaris_drop_privs_root_pinfo_net(void)
{
	priv_set_t *keep;

	/* Start with "basic" and drop everything we don't need. */
	keep = solaris_basic_privset();
	if (keep == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_delset(keep, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(keep, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(keep, PRIV_PROC_INFO) != 0 ||
	    priv_delset(keep, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

	/* Apply the same reduced set to Permitted, then Limit, then Inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, keep) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, keep) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, keep) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(keep);
}
355acc1a9efSDag-Erling Smørgrav
/*
 * Replace the Permitted, Limit and Inheritable sets of this process with
 * "basic" minus file-link-any, proc-exec, proc-info and (where the platform
 * defines it) net-access.  Unlike solaris_drop_privs_root_pinfo_net(), this
 * variant removes PRIV_PROC_EXEC and leaves PRIV_PROC_SESSION in place.
 *
 * Every failure ends in fatal().  When PRIV_NET_ACCESS is not defined at
 * build time, network access is not restricted by this function.
 */
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
	priv_set_t *keep;

	/* Start with "basic" and drop everything we don't need. */
	keep = solaris_basic_privset();
	if (keep == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_delset(keep, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(keep, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(keep, PRIV_PROC_EXEC) != 0 ||
	    priv_delset(keep, PRIV_PROC_INFO) != 0)
		fatal("priv_delset: %s", strerror(errno));

	/* Apply the same reduced set to Permitted, then Limit, then Inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, keep) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, keep) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, keep) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(keep);
}
381acc1a9efSDag-Erling Smørgrav
382acc1a9efSDag-Erling Smørgrav #endif
383