1 /* $Id: port-solaris.c,v 1.4 2010/11/05 01:03:05 dtucker Exp $ */
2 
3 /*
4  * Copyright (c) 2006 Chad Mynhier.
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include "config.h"
20 #include "includes.h"
21 
22 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
23 
24 #include <sys/types.h>
25 #include <sys/stat.h>
26 #include <sys/param.h>
27 
28 #include <errno.h>
29 #ifdef HAVE_FCNTL_H
30 # include <fcntl.h>
31 #endif
32 #include <stdarg.h>
33 #include <string.h>
34 #include <unistd.h>
35 
36 #include <libcontract.h>
37 #include <sys/contract/process.h>
38 #include <sys/ctfs.h>
39 
40 #include "log.h"
41 
42 #define CT_TEMPLATE	CTFS_ROOT "/process/template"
43 #define CT_LATEST	CTFS_ROOT "/process/latest"
44 
/*
 * fd of the process contract template opened by solaris_contract_pre_fork();
 * -1 whenever no template is open (the post-fork hooks close it and reset it).
 */
static int tmpl_fd = -1;
46 
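/*
 * Look up the id of the most recently created process contract by reading
 * the status of CT_LATEST.
 *
 * Returns the contract id, or -1 after logging the failing step.  The
 * status handle returned by ct_status_read() is released on every path
 * once it has been obtained, including when ct_status_get_id() fails.
 */
static ctid_t
get_active_process_contract_id(void)
{
	int stat_fd;
	ctid_t ctid = -1;
	ct_stathdl_t stathdl;

	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
		error("%s: Error opening 'latest' process "
		    "contract: %s", __func__, strerror(errno));
		return -1;
	}
	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
		error("%s: Error reading process contract "
		    "status: %s", __func__, strerror(errno));
		goto out;
	}
	if ((ctid = ct_status_get_id(stathdl)) < 0) {
		error("%s: Error getting process contract id: %s",
		    __func__, strerror(errno));
		/* fall through: the handle must still be freed */
	}

	/* Only valid once ct_status_read() succeeded, hence after the goto. */
	ct_status_free(stathdl);
 out:
	close(stat_fd);
	return ctid;
}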
76 
/*
 * Open and activate a process contract template for the fork() that
 * follows, leaving its fd in tmpl_fd for the post-fork hooks.
 *
 * On any failure the reason is logged, the template fd is closed and
 * tmpl_fd is reset to -1 so that the post-fork hooks have nothing to do.
 */
void
solaris_contract_pre_fork(void)
{
	tmpl_fd = open64(CT_TEMPLATE, O_RDWR);
	if (tmpl_fd == -1) {
		error("%s: open %s: %s", __func__,
		    CT_TEMPLATE, strerror(errno));
		return;
	}

	debug2("%s: setting up process contract template on fd %d",
	    __func__, tmpl_fd);

	/*
	 * Set the template parameters and event sets, then make the
	 * template active for this process.  Only the first failing step
	 * is reported; the remaining steps are skipped.
	 */
	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0)
		error("%s: Error setting process contract parameter set "
		    "(pgrponly): %s", __func__, strerror(errno));
	else if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0)
		error("%s: Error setting process contract template "
		    "fatal events: %s", __func__, strerror(errno));
	else if (ct_tmpl_set_critical(tmpl_fd, 0) != 0)
		error("%s: Error setting process contract template "
		    "critical events: %s", __func__, strerror(errno));
	else if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0)
		error("%s: Error setting process contract template "
		    "informative events: %s", __func__, strerror(errno));
	else if (ct_tmpl_activate(tmpl_fd) != 0)
		error("%s: Error activating process contract "
		    "template: %s", __func__, strerror(errno));
	else
		return;		/* success: template stays open and active */

	/* A step failed: release the template so none is left active. */
	close(tmpl_fd);
	tmpl_fd = -1;
}
125 
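/*
 * Child-side cleanup after fork(): clear the process contract template
 * activated by solaris_contract_pre_fork() and close its fd.
 *
 * When no template was set up (tmpl_fd == -1, because the open failed in
 * the parent) there is nothing to clear; this mirrors the check done in
 * solaris_contract_post_fork_parent() and avoids spurious errors from
 * ct_tmpl_clear(-1) and close(-1).
 */
void
solaris_contract_post_fork_child(void)
{
	debug2("%s: clearing process contract template on fd %d",
	    __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* Clear the active template. */
	if (ct_tmpl_clear(tmpl_fd) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;
}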
140 
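/*
 * Parent-side cleanup after fork(): clear the process contract template
 * and, if the fork succeeded, abandon the contract the child was created
 * in so the child is no longer tied to this process.
 *
 * pid is the fork() return value; pid <= 0 means there is no child
 * contract to abandon.  Failures are logged and otherwise ignored.
 */
void
solaris_contract_post_fork_parent(pid_t pid)
{
	ctid_t ctid;
	char ctl_path[256];
	int r, ctl_fd;

	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* First clear the active template. */
	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;

	/*
	 * If either the fork didn't succeed (pid <= 0), or clearing
	 * the active template failed (r != 0), then we have nothing
	 * more to do.
	 */
	if (r != 0 || pid <= 0)
		return;

	/*
	 * Now look up and abandon the contract we've created.  A failed
	 * lookup has already been logged; without a valid id there is no
	 * ctl file to open.
	 */
	if ((ctid = get_active_process_contract_id()) < 0)
		return;

	/* ctid_t width differs between platforms; widen for the format. */
	debug2("%s: abandoning contract id %ld", __func__, (long)ctid);

	r = snprintf(ctl_path, sizeof(ctl_path),
	    CTFS_ROOT "/process/%ld/ctl", (long)ctid);
	if (r < 0 || (size_t)r >= sizeof(ctl_path)) {
		error("%s: process contract ctl path too long", __func__);
		return;
	}
	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
		error("%s: Error opening process contract "
		    "ctl file: %s", __func__, strerror(errno));
		return;
	}
	if (ct_ctl_abandon(ctl_fd) < 0)
		error("%s: Error abandoning process contract: %s",
		    __func__, strerror(errno));
	close(ctl_fd);
}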
199 #endif
200 
201 #ifdef USE_SOLARIS_PROJECTS
202 #include <sys/task.h>
203 #include <project.h>
204 
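/*
 * Look up the user's default Solaris project and make it the current
 * project of this process.
 *
 * pw: the user's passwd entry; only pw_name is read.
 * Every failure is logged at debug level and the function returns
 * without changing anything, so callers proceed as if no project were
 * configured.
 */
void
solaris_set_default_project(struct passwd *pw)
{
	struct project  *defaultproject;
	struct project   tempproject;
	char buf[1024];

	if (pw == NULL || pw->pw_name == NULL) {
		debug("%s: no passwd entry", __func__);
		return;
	}

	/*
	 * get default project, if we fail just return gracefully.
	 * getdefaultproj() returns a pointer, so compare against NULL
	 * rather than 0; buf is the scratch space for the project strings.
	 */
	if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, buf,
	    sizeof(buf))) != NULL) {
		/* set default project */
		if (setproject(defaultproject->pj_name, pw->pw_name,
		    TASK_NORMAL) != 0)
			debug("setproject(%s): %s", defaultproject->pj_name,
			    strerror(errno));
	} else {
		/* debug on getdefaultproj() error */
		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
	}
}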
229 #endif /* USE_SOLARIS_PROJECTS */
230 
231 #ifdef USE_SOLARIS_PRIVS
232 # ifdef HAVE_PRIV_H
233 #  include <priv.h>
234 # endif
235 
/*
 * Allocate a privilege set holding the Solaris "basic" privileges.
 *
 * Returns the newly allocated set (caller frees with priv_freeset()),
 * or NULL after logging the failing library call.
 */
priv_set_t *
solaris_basic_privset(void)
{
#ifdef HAVE_PRIV_BASICSET
	priv_set_t *set = priv_allocset();

	if (set == NULL) {
		error("priv_allocset: %s", strerror(errno));
		return NULL;
	}
	priv_basicset(set);
	return set;
#else
	/* No priv_basicset(): build the set from its symbolic name. */
	priv_set_t *set = priv_str_to_set("basic", ",", NULL);

	if (set == NULL) {
		error("priv_str_to_set: %s", strerror(errno));
		return NULL;
	}
	return set;
#endif
}
255 
/*
 * Reduce this process to the "basic" privilege set plus whatever DAC file
 * rights it already holds, minus the parts of basic it does not need
 * (link_any, net_access, proc_exec, proc_fork, proc_info, proc_session).
 *
 * This variant avoids dropping DAC filesystem rights, in case the caller
 * runs as root and must keep the ability to read/write/chown any file.
 * The candidate set is intersected with the current PERMITTED set, so the
 * process never gains a privilege it lacks today; it merely loses the
 * other parts of "root" (killing any process, creating device nodes, ...).
 * The result becomes the PERMITTED, LIMIT and INHERITABLE sets.  Any
 * failure is fatal.
 */
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	/* DAC rights added back to basic (kept only if already permitted). */
	static const char *const dac_rights[] = {
		PRIV_FILE_CHOWN,
		PRIV_FILE_DAC_READ,
		PRIV_FILE_DAC_SEARCH,
		PRIV_FILE_DAC_WRITE,
		PRIV_FILE_OWNER,
	};
	/* Parts of basic this process does not need. */
	static const char *const unneeded[] = {
		PRIV_FILE_LINK_ANY,
#ifdef PRIV_NET_ACCESS
		PRIV_NET_ACCESS,
#endif
		PRIV_PROC_EXEC,
		PRIV_PROC_FORK,
		PRIV_PROC_INFO,
		PRIV_PROC_SESSION,
	};
	priv_set_t *permitted, *wanted;
	size_t i;

	if ((permitted = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	if ((wanted = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	for (i = 0; i < sizeof(dac_rights) / sizeof(dac_rights[0]); i++) {
		if (priv_addset(wanted, dac_rights[i]) != 0)
			fatal("priv_addset: %s", strerror(errno));
	}
	for (i = 0; i < sizeof(unneeded) / sizeof(unneeded[0]); i++) {
		if (priv_delset(wanted, unneeded[i]) != 0)
			fatal("priv_delset: %s", strerror(errno));
	}

	if (getppriv(PRIV_PERMITTED, permitted) != 0)
		fatal("getppriv: %s", strerror(errno));

	/* wanted = permitted AND wanted: never grant anything we lack now. */
	priv_intersect(permitted, wanted);

	if (setppriv(PRIV_SET, PRIV_PERMITTED, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, wanted) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(permitted);
	priv_freeset(wanted);
}
312 
/*
 * Reduce this process to the "basic" privilege set minus the parts it
 * does not need (link_any, net_access, proc_info, proc_session), and
 * install that as the PERMITTED, LIMIT and INHERITABLE sets.
 * Any failure is fatal.
 */
void
solaris_drop_privs_root_pinfo_net(void)
{
	/* Parts of basic this process does not need. */
	static const char *const unneeded[] = {
		PRIV_FILE_LINK_ANY,
#ifdef PRIV_NET_ACCESS
		PRIV_NET_ACCESS,
#endif
		PRIV_PROC_INFO,
		PRIV_PROC_SESSION,
	};
	priv_set_t *wanted;
	size_t i;

	/* Start with "basic" and drop everything we don't need. */
	if ((wanted = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	for (i = 0; i < sizeof(unneeded) / sizeof(unneeded[0]); i++) {
		if (priv_delset(wanted, unneeded[i]) != 0)
			fatal("priv_delset: %s", strerror(errno));
	}

	if (setppriv(PRIV_SET, PRIV_PERMITTED, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, wanted) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(wanted);
}
337 
/*
 * Reduce this process to the "basic" privilege set minus the parts it
 * does not need (link_any, net_access, proc_exec, proc_info,
 * proc_session), and install that as the PERMITTED, LIMIT and
 * INHERITABLE sets.  Unlike solaris_drop_privs_root_pinfo_net(), this
 * also removes the ability to exec.  Any failure is fatal.
 */
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
	/* Parts of basic this process does not need. */
	static const char *const unneeded[] = {
		PRIV_FILE_LINK_ANY,
#ifdef PRIV_NET_ACCESS
		PRIV_NET_ACCESS,
#endif
		PRIV_PROC_EXEC,
		PRIV_PROC_INFO,
		PRIV_PROC_SESSION,
	};
	priv_set_t *wanted;
	size_t i;

	/* Start with "basic" and drop everything we don't need. */
	if ((wanted = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	for (i = 0; i < sizeof(unneeded) / sizeof(unneeded[0]); i++) {
		if (priv_delset(wanted, unneeded[i]) != 0)
			fatal("priv_delset: %s", strerror(errno));
	}

	if (setppriv(PRIV_SET, PRIV_PERMITTED, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, wanted) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(wanted);
}
364 
365 #endif
366