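/*
 * Copyright (c) 2006 Chad Mynhier.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "config.h"
#include "includes.h"

#include <sys/types.h>
#include <sys/stat.h>

#include <errno.h>
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
#include <stdarg.h>
#include <stdio.h>	/* snprintf() */
#include <string.h>
#include <unistd.h>

#include "log.h"

#ifdef USE_SOLARIS_PROCESS_CONTRACTS

#include <libcontract.h>
#include <sys/contract/process.h>
#include <sys/ctfs.h>

#define CT_TEMPLATE	CTFS_ROOT "/process/template"
#define CT_LATEST	CTFS_ROOT "/process/latest"

/*
 * Descriptor of the process contract template opened by
 * solaris_contract_pre_fork(); -1 whenever no template is open.
 * It is consumed (cleared and closed) by the post-fork hooks below.
 */
static int tmpl_fd = -1;

/*
 * Look up the id of the most recently created process contract.
 *
 * Returns the contract id, or -1 (after logging the reason) when the
 * 'latest' file cannot be opened or its status cannot be read.  A
 * negative value reported by ct_status_get_id() is logged and returned
 * as-is.  The status handle and the descriptor are released on every path.
 */
static ctid_t
get_active_process_contract_id(void)
{
	int stat_fd;
	ctid_t ctid = -1;
	ct_stathdl_t stathdl;

	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
		error("%s: Error opening 'latest' process "
		    "contract: %s", __func__, strerror(errno));
		return -1;
	}
	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
		error("%s: Error reading process contract "
		    "status: %s", __func__, strerror(errno));
		goto out;
	}
	if ((ctid = ct_status_get_id(stathdl)) < 0)
		error("%s: Error getting process contract id: %s",
		    __func__, strerror(errno));

	/* Free the status handle whether or not the id lookup succeeded. */
	ct_status_free(stathdl);
out:
	close(stat_fd);
	return ctid;
}

/*
 * Open and activate a process contract template before fork() so the
 * child lands in a contract of its own.  On any failure the template
 * descriptor is closed and tmpl_fd is reset to -1; the post-fork hooks
 * treat that as "nothing to clean up".
 */
void
solaris_contract_pre_fork(void)
{
	if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
		error("%s: open %s: %s", __func__,
		    CT_TEMPLATE, strerror(errno));
		return;
	}

	debug2("%s: setting up process contract template on fd %d",
	    __func__, tmpl_fd);

	/* First we set the template parameters and event sets. */
	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
		error("%s: Error setting process contract parameter set "
		    "(pgrponly): %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "fatal events: %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
		error("%s: Error setting process contract template "
		    "critical events: %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "informative events: %s", __func__, strerror(errno));
		goto fail;
	}

	/* Now make this the active template for this process. */
	if (ct_tmpl_activate(tmpl_fd) != 0) {
		error("%s: Error activating process contract "
		    "template: %s", __func__, strerror(errno));
		goto fail;
	}
	return;

 fail:
	/* tmpl_fd is always open here; leave it -1 so callers skip cleanup. */
	close(tmpl_fd);
	tmpl_fd = -1;
}

/*
 * Child-side post-fork hook: clear the active template and close its
 * descriptor.  If pre_fork failed (tmpl_fd == -1) there is nothing to do,
 * mirroring the parent-side hook.
 */
void
solaris_contract_post_fork_child(void)
{
	debug2("%s: clearing process contract template on fd %d",
	    __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* Clear the active template. */
	if (ct_tmpl_clear(tmpl_fd) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;
}

/*
 * Parent-side post-fork hook: clear the template, then abandon the
 * contract the child was placed in so that the child's lifetime is no
 * longer tied to ours.
 *
 * pid: the fork() result; a value <= 0 means the contract was never
 *      created and only the template is cleaned up.
 */
void
solaris_contract_post_fork_parent(pid_t pid)
{
	ctid_t ctid;
	char ctl_path[256];
	int r, ctl_fd;

	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* First clear the active template. */
	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;

	/*
	 * If either the fork didn't succeed (pid < 0), or clearing
	 * the active contract failed (r != 0), then we have nothing
	 * more to do.
	 */
	if (r != 0 || pid <= 0)
		return;

	/* Now lookup and abandon the contract we've created. */
	if ((ctid = get_active_process_contract_id()) < 0)
		return;	/* already logged; no usable id to build a path from */

	debug2("%s: abandoning contract id %ld", __func__, (long)ctid);

	r = snprintf(ctl_path, sizeof(ctl_path),
	    CTFS_ROOT "/process/%ld/ctl", (long)ctid);
	if (r < 0 || (size_t)r >= sizeof(ctl_path)) {
		error("%s: process contract ctl path too long", __func__);
		return;
	}
	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
		error("%s: Error opening process contract "
		    "ctl file: %s", __func__, strerror(errno));
		return;
	}
	if (ct_ctl_abandon(ctl_fd) < 0)
		error("%s: Error abandoning process contract: %s",
		    __func__, strerror(errno));
	close(ctl_fd);
}
#endif /* USE_SOLARIS_PROCESS_CONTRACTS */

#ifdef USE_SOLARIS_PROJECTS
#include <sys/task.h>
#include <project.h>

/*
 * Get/set solaris default project.
 * If we fail, just run along gracefully.
 *
 * pw: the user whose default project is looked up and joined.  Both
 *     lookup and setproject() failures are only logged at debug level.
 */
void
solaris_set_default_project(struct passwd *pw)
{
	struct project *defaultproject;
	struct project tempproject;
	char buf[1024];

	/* get default project, if we fail just return gracefully */
	if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, buf,
	    sizeof(buf))) != NULL) {
		/* set default project */
		if (setproject(defaultproject->pj_name, pw->pw_name,
		    TASK_NORMAL) != 0)
			debug("setproject(%s): %s", defaultproject->pj_name,
			    strerror(errno));
	} else {
		/* debug on getdefaultproj() error */
		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
	}
}
#endif /* USE_SOLARIS_PROJECTS */

#ifdef USE_SOLARIS_PRIVS
# ifdef HAVE_PRIV_H
#  include <priv.h>
# endif

/*
 * Allocate a privilege set initialised to the "basic" set, using
 * priv_basicset() where available and the textual "basic" name otherwise.
 *
 * Returns a set the caller must release with priv_freeset(), or NULL
 * after logging an error.
 */
priv_set_t *
solaris_basic_privset(void)
{
	priv_set_t *pset;

#ifdef HAVE_PRIV_BASICSET
	if ((pset = priv_allocset()) == NULL) {
		error("priv_allocset: %s", strerror(errno));
		return NULL;
	}
	priv_basicset(pset);
#else
	if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
		error("priv_str_to_set: %s", strerror(errno));
		return NULL;
	}
#endif
	return pset;
}

/*
 * Reduce the PERMITTED and INHERITABLE sets to (basic + file DAC/owner
 * privileges) intersected with what we already hold, dropping
 * proc_exec, proc_fork, proc_info, proc_session and net_access.  The
 * LIMIT set is emptied unless an extended policy is active (see below).
 * Every step fails via fatal(), so the process never continues with a
 * larger privilege set than intended.
 */
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	priv_set_t *pset = NULL, *npset = NULL;

	/*
	 * Note: this variant avoids dropping DAC filesystem rights, in case
	 * the process calling it is running as root and should have the
	 * ability to read/write/chown any file on the system.
	 *
	 * We start with the basic set, then *add* the DAC rights to it while
	 * taking away other parts of BASIC we don't need. Then we intersect
	 * this with our existing PERMITTED set. In this way we keep any
	 * DAC rights we had before, while otherwise reducing ourselves to
	 * the minimum set of privileges we need to proceed.
	 *
	 * This also means we drop any other parts of "root" that we don't
	 * need (e.g. the ability to kill any process, create new device nodes
	 * etc etc).
	 */

	if ((pset = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	if ((npset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
	    priv_addset(npset, PRIV_FILE_OWNER) != 0)
		fatal("priv_addset: %s", strerror(errno));

	if (priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(npset, PRIV_PROC_FORK) != 0 ||
	    priv_delset(npset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(npset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

#ifdef PRIV_XPOLICY
	/*
	 * It is possible that the user has an extended policy
	 * in place; the LIMIT set restricts the extended policy
	 * and so should not be restricted.
	 * PRIV_XPOLICY is newly defined in Solaris 11 though the extended
	 * policy was not implemented until Solaris 11.1.
	 */
	if (getpflags(PRIV_XPOLICY) == 1) {
		if (getppriv(PRIV_LIMIT, pset) != 0)
			fatal("getppriv: %s", strerror(errno));
		priv_intersect(pset, npset);
		if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
			fatal("setppriv: %s", strerror(errno));
	} else
#endif
	{
		/* Cannot exec, so we can kill the limit set. */
		priv_emptyset(pset);
		if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
			fatal("setppriv: %s", strerror(errno));
	}

	/* Never grant more than we currently hold: intersect with PERMITTED. */
	if (getppriv(PRIV_PERMITTED, pset) != 0)
		fatal("getppriv: %s", strerror(errno));

	priv_intersect(pset, npset);

	if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
	priv_freeset(npset);
}

/*
 * Set PERMITTED, LIMIT and INHERITABLE to the basic set minus
 * file_link_any, net_access, proc_info and proc_session.  Any failure
 * is fatal().
 */
void
solaris_drop_privs_root_pinfo_net(void)
{
	priv_set_t *pset = NULL;

	/* Start with "basic" and drop everything we don't need. */
	if ((pset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
}

/*
 * Set PERMITTED, LIMIT and INHERITABLE to the basic set minus
 * file_link_any, net_access, proc_exec and proc_info (proc_session is
 * kept here, unlike solaris_drop_privs_root_pinfo_net()).  Any failure
 * is fatal().
 */
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
	priv_set_t *pset = NULL;

	/* Start with "basic" and drop everything we don't need. */
	if ((pset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
	    priv_delset(pset, PRIV_PROC_INFO) != 0)
		fatal("priv_delset: %s", strerror(errno));

	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
}

#endif /* USE_SOLARIS_PRIVS */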