xref: /illumos-gate/usr/src/uts/common/os/priv.c (revision 3d7072f8bd27709dba14f6fe336f149d25d9e207)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * Privilege implementation.
31  *
32  * This file provides the infrastructure for privilege sets and limits
33  * the number of files that requires to include <sys/cred_impl.h> and/or
34  * <sys/priv_impl.h>.
35  *
36  * The Solaris privilege mechanism has been designed in a
37  * future proof manner.  While the kernel may use fixed size arrays
38  * and fixed bitmasks and bit values, the representation of those
39  * is kernel private.  All external interfaces as well as K-to-K interfaces
40  * have been constructed in a manner to provide the maximum flexibility.
41  *
42  * There can be X privilege sets each containing Y 32 bit words.
43  * <X, Y> are constant for a kernel invocation.
44  *
45  * As a consequence, all privilege set manipulation happens in functions
46  * below.
47  *
48  */
49 
50 #include <sys/systm.h>
51 #include <sys/ddi.h>
52 #include <sys/kmem.h>
53 #include <sys/sunddi.h>
54 #include <sys/errno.h>
55 #include <sys/debug.h>
56 #include <sys/priv_impl.h>
57 #include <sys/procfs.h>
58 #include <sys/policy.h>
59 #include <sys/cred_impl.h>
60 #include <sys/devpolicy.h>
61 #include <sys/atomic.h>
62 
63 /*
64  * Privilege name to number mapping table consists in the generated
65  * priv_const.c file.  This lock protects against updates of the privilege
66  * names and counts; all other priv_info fields are read-only.
67  * The actual protected values are:
68  *	global variable nprivs
69  *	the priv_max field
70  *	the priv_names field
71  *	the priv names info item (cnt/strings)
72  */
73 krwlock_t privinfo_lock;
74 
75 static boolean_t priv_valid(const cred_t *);
76 
77 priv_set_t priv_fullset;	/* set of all privileges */
78 priv_set_t priv_unsafe;	/* unsafe to exec set-uid root if these are not in L */
79 
80 /*
81  * Privilege initialization functions.
82  * Called from common/os/cred.c when cred_init is called.
83  */
84 
85 void
86 priv_init(void)
87 {
88 	rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
89 
90 	PRIV_BASIC_ASSERT(priv_basic);
91 	PRIV_UNSAFE_ASSERT(&priv_unsafe);
92 	priv_fillset(&priv_fullset);
93 
94 	devpolicy_init();
95 }
96 
97 /* Utility functions: privilege sets as opaque data types */
98 
99 /*
100  * Guts of prgetprivsize.
101  */
102 int
103 priv_prgetprivsize(prpriv_t *tmpl)
104 {
105 	return (sizeof (prpriv_t) +
106 		PRIV_SETBYTES - sizeof (priv_chunk_t) +
107 		(tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
108 }
109 
110 /*
111  * Guts of prgetpriv.
112  */
113 void
114 cred2prpriv(const cred_t *cp, prpriv_t *pr)
115 {
116 	priv_set_t *psa;
117 	int i;
118 
119 	pr->pr_nsets = PRIV_NSET;
120 	pr->pr_setsize = PRIV_SETSIZE;
121 	pr->pr_infosize = priv_info->priv_infosize;
122 
123 	psa = (priv_set_t *)pr->pr_sets;
124 
125 	for (i = 0; i < PRIV_NSET; i++)
126 		psa[i] = *priv_getset(cp, i);
127 
128 	priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
129 }
130 
131 /*
132  * Guts of pr_spriv:
133  *
134  * Set the privileges of a process.
135  *
136  * In order to set the privileges, the setting process will need to
137  * have those privileges in its effective set in order to prevent
138  * specially privileged processes to easily gain additional privileges.
139  * Pre-existing privileges can be retained.  To change any privileges,
140  * PRIV_PROC_OWNER needs to be asserted.
141  *
142  * In formula:
143  *
144  *	S' <= S || S' <= S + Ea
145  *
146  * the new set must either be subset of the old set or a subset of
147  * the oldset merged with the effective set of the acting process; or just:
148  *
149  *	S' <= S + Ea
150  *
151  * It's not legal to grow the limit set this way.
152  *
153  */
154 int
155 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr)
156 {
157 	cred_t *oldcred;
158 	cred_t *newcred;
159 	int i;
160 	int err = EPERM;
161 	cred_priv_t *cp, *ocp;
162 	priv_set_t eset;
163 
164 	ASSERT(MUTEX_HELD(&p->p_lock));
165 
166 	/*
167 	 * Set must have proper dimension; infosize must be absent
168 	 * or properly sized.
169 	 */
170 	if (prpriv->pr_nsets != PRIV_NSET ||
171 	    prpriv->pr_setsize != PRIV_SETSIZE ||
172 	    (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 ||
173 	    prpriv->pr_infosize > priv_info->priv_infosize ||
174 	    prpriv->pr_infosize < 0)
175 		    return (EINVAL);
176 
177 	mutex_exit(&p->p_lock);
178 
179 	if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) {
180 		mutex_enter(&p->p_lock);
181 		return (EPERM);
182 	}
183 
184 	newcred = crdup(oldcred);
185 
186 	/* Copy the privilege sets from prpriv to newcred */
187 	bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES);
188 
189 	cp = &newcred->cr_priv;
190 	ocp = &oldcred->cr_priv;
191 	eset = CR_OEPRIV(cr);
192 
193 	priv_intersect(&CR_LPRIV(oldcred), &eset);
194 
195 	/*
196 	 * Verify the constraints laid out:
197 	 * for the limit set, we require that the new set is a subset
198 	 * of the old limit set.
199 	 * for all other sets, we require that the new set is either a
200 	 * subset of the old set or a subset of the intersection of
201 	 * the old limit set and the effective set of the acting process.
202 	 */
203 	for (i = 0; i < PRIV_NSET; i++)
204 		if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) &&
205 		    (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset)))
206 			break;
207 
208 	crfree(oldcred);
209 
210 	if (i < PRIV_NSET || !priv_valid(newcred))
211 		goto err;
212 
213 	/* Load the settable privilege information */
214 	if (prpriv->pr_infosize > 0) {
215 		char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv);
216 		char *lastx = x + prpriv->pr_infosize;
217 
218 		while (x < lastx) {
219 			priv_info_t *pi = (priv_info_t *)x;
220 			priv_info_uint_t *pii;
221 
222 			switch (pi->priv_info_type) {
223 			case PRIV_INFO_FLAGS:
224 				pii = (priv_info_uint_t *)x;
225 				if (pii->info.priv_info_size != sizeof (*pii)) {
226 					err = EINVAL;
227 					goto err;
228 				}
229 				CR_FLAGS(newcred) &= ~PRIV_USER;
230 				CR_FLAGS(newcred) |= (pii->val & PRIV_USER);
231 				break;
232 			default:
233 				err = EINVAL;
234 				goto err;
235 			}
236 			/* Guarantee alignment and forward progress */
237 			if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) ||
238 			    pi->priv_info_size < sizeof (*pi) ||
239 			    lastx - x > pi->priv_info_size) {
240 				err = EINVAL;
241 				goto err;
242 			}
243 
244 			x += pi->priv_info_size;
245 		}
246 	}
247 
248 	/*
249 	 * We'll try to copy the privilege aware flag; but since the
250 	 * privileges sets are all individually set, they are set
251 	 * as if we're privilege aware.  If PRIV_AWARE wasn't set
252 	 * or was explicitely unset, we need to set the flag and then
253 	 * try to get rid of it.
254 	 */
255 	if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) {
256 		CR_FLAGS(newcred) |= PRIV_AWARE;
257 		priv_adjust_PA(newcred);
258 	}
259 
260 	mutex_enter(&p->p_crlock);
261 	oldcred = p->p_cred;
262 	p->p_cred = newcred;
263 	mutex_exit(&p->p_crlock);
264 	crfree(oldcred);
265 
266 	mutex_enter(&p->p_lock);
267 	return (0);
268 
269 err:
270 	crfree(newcred);
271 	mutex_enter(&p->p_lock);
272 	return (err);
273 }
274 
275 priv_impl_info_t
276 *priv_hold_implinfo(void)
277 {
278 	rw_enter(&privinfo_lock, RW_READER);
279 	return (priv_info);
280 }
281 
282 void
283 priv_release_implinfo(void)
284 {
285 	rw_exit(&privinfo_lock);
286 }
287 
288 size_t
289 priv_get_implinfo_size(void)
290 {
291 	return (privinfosize);
292 }
293 
294 
295 /*
296  * Return the nth privilege set
297  */
298 const priv_set_t *
299 priv_getset(const cred_t *cr, int set)
300 {
301 	ASSERT(PRIV_VALIDSET(set));
302 
303 	if ((CR_FLAGS(cr) & PRIV_AWARE) == 0)
304 		switch (set) {
305 		case PRIV_EFFECTIVE:
306 			return (&CR_OEPRIV(cr));
307 		case PRIV_PERMITTED:
308 			return (&CR_OPPRIV(cr));
309 		}
310 	return (&CR_PRIVS(cr)->crprivs[set]);
311 }
312 
313 /*
314  * Buf must be allocated by caller and contain sufficient space to
315  * contain all additional info structures using priv_info.priv_infosize.
316  * The buffer must be properly aligned.
317  */
318 /*ARGSUSED*/
319 void
320 priv_getinfo(const cred_t *cr, void *buf)
321 {
322 	struct priv_info_uint *ii;
323 
324 	ii = buf;
325 	ii->val = CR_FLAGS(cr);
326 	ii->info.priv_info_size = (uint32_t)sizeof (*ii);
327 	ii->info.priv_info_type = PRIV_INFO_FLAGS;
328 }
329 
330 int
331 priv_getbyname(const char *name, uint_t flag)
332 {
333 	int i;
334 	int wheld = 0;
335 	int len;
336 	char *p;
337 
338 	if (flag != 0 && flag != PRIV_ALLOC)
339 		return (-EINVAL);
340 
341 	if (strncasecmp(name, "priv_", 5) == 0)
342 		name += 5;
343 
344 	rw_enter(&privinfo_lock, RW_READER);
345 rescan:
346 	for (i = 0; i < nprivs; i++)
347 		if (strcasecmp(priv_names[i], name) == 0) {
348 			rw_exit(&privinfo_lock);
349 			return (i);
350 		}
351 
352 
353 	if (!wheld) {
354 		if (!(flag & PRIV_ALLOC)) {
355 			rw_exit(&privinfo_lock);
356 			return (-EINVAL);
357 		}
358 
359 		/* check length, validity and available space */
360 		len = strlen(name) + 1;
361 
362 		if (len > PRIVNAME_MAX) {
363 			rw_exit(&privinfo_lock);
364 			return (-ENAMETOOLONG);
365 		}
366 
367 		for (p = (char *)name; *p != '\0'; p++) {
368 			char c = *p;
369 
370 			if (!((c >= 'A' && c <= 'Z') ||
371 			    (c >= 'a' && c <= 'z') ||
372 			    (c >= '0' && c <= '9') ||
373 			    c == '_')) {
374 				rw_exit(&privinfo_lock);
375 				return (-EINVAL);
376 			}
377 		}
378 
379 		if (!rw_tryupgrade(&privinfo_lock)) {
380 			rw_exit(&privinfo_lock);
381 			rw_enter(&privinfo_lock, RW_WRITER);
382 			wheld = 1;
383 			/* Someone may have added our privilege */
384 			goto rescan;
385 		}
386 	}
387 
388 	if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) {
389 		rw_exit(&privinfo_lock);
390 		return (-ENOMEM);
391 	}
392 
393 	priv_names[i] = p = priv_str + privbytes;
394 
395 	bcopy(name, p, len);
396 
397 	/* make the priv_names[i] and privilege name globally visible */
398 	membar_producer();
399 
400 	/* adjust priv count and bytes count */
401 	priv_ninfo->cnt = priv_info->priv_max = ++nprivs;
402 	privbytes += len;
403 
404 	rw_exit(&privinfo_lock);
405 	return (i);
406 }
407 
408 /*
409  * We can't afford locking the privileges here because of the locations
410  * we call this from; so we make sure that the privileges table
411  * is visible to us; it is made visible before the value of nprivs is
412  * updated.
413  */
414 const char *
415 priv_getbynum(int priv)
416 {
417 	int maxpriv = nprivs;
418 
419 	membar_consumer();
420 
421 	if (priv >= 0 && priv < maxpriv)
422 		return (priv_names[priv]);
423 
424 	return (NULL);
425 }
426 
427 const char *
428 priv_getsetbynum(int setno)
429 {
430 	if (!PRIV_VALIDSET(setno))
431 		return (NULL);
432 
433 	return (priv_setnames[setno]);
434 }
435 
436 /*
437  * Privilege sanity checking when setting: E <= P.
438  */
439 static boolean_t
440 priv_valid(const cred_t *cr)
441 {
442 	return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
443 }
444 
445 /*
446  * Privilege manipulation functions
447  *
448  * Without knowing the details of the privilege set implementation,
449  * opaque pointers can be used to manipulate sets at will.
450  */
451 void
452 priv_emptyset(priv_set_t *set)
453 {
454 	bzero(set, sizeof (*set));
455 }
456 
457 void
458 priv_fillset(priv_set_t *set)
459 {
460 	int i;
461 
462 	/* memset? */
463 	for (i = 0; i < PRIV_SETSIZE; i++)
464 		set->pbits[i] = ~(priv_chunk_t)0;
465 }
466 
467 void
468 priv_addset(priv_set_t *set, int priv)
469 {
470 	ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
471 	__PRIV_ASSERT(set, priv);
472 }
473 
474 void
475 priv_delset(priv_set_t *set, int priv)
476 {
477 	ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
478 	__PRIV_CLEAR(set, priv);
479 }
480 
481 boolean_t
482 priv_ismember(const priv_set_t *set, int priv)
483 {
484 	ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
485 	return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE);
486 }
487 
488 #define	PRIV_TEST_BODY(test) \
489 	int i; \
490 \
491 	for (i = 0; i < PRIV_SETSIZE; i++) \
492 		if (!(test)) \
493 			return (B_FALSE); \
494 \
495 	return (B_TRUE)
496 
497 boolean_t
498 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
499 {
500 	return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
501 }
502 
503 boolean_t
504 priv_isemptyset(const priv_set_t *set)
505 {
506 	PRIV_TEST_BODY(set->pbits[i] == 0);
507 }
508 
509 boolean_t
510 priv_isfullset(const priv_set_t *set)
511 {
512 	PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0);
513 }
514 
515 /*
516  * Return true if a is a subset of b
517  */
518 boolean_t
519 priv_issubset(const priv_set_t *a, const priv_set_t *b)
520 {
521 	PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]);
522 }
523 
524 #define	PRIV_CHANGE_BODY(a, op, b) \
525 	int i; \
526 \
527 	for (i = 0; i < PRIV_SETSIZE; i++) \
528 		a->pbits[i] op b->pbits[i]
529 
530 /* B = A ^ B */
531 void
532 priv_intersect(const priv_set_t *a, priv_set_t *b)
533 {
534 	/* CSTYLED */
535 	PRIV_CHANGE_BODY(b, &=, a);
536 }
537 
538 /* B = A v B */
539 void
540 priv_union(const priv_set_t *a, priv_set_t *b)
541 {
542 	/* CSTYLED */
543 	PRIV_CHANGE_BODY(b, |=, a);
544 }
545 
546 /* A = ! A */
547 void
548 priv_inverse(priv_set_t *a)
549 {
550 	PRIV_CHANGE_BODY(a, = ~, a);
551 }
552 
553 /*
554  * Can the source cred act on the target credential?
555  *
556  * We will you allow to gain uids this way but not privileges.
557  */
558 int
559 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode)
560 {
561 	const priv_set_t *eset;
562 	int idsmatch;
563 	cred_t *tcr;
564 	int res = 0;
565 
566 	/* prevent the cred from going away */
567 	mutex_enter(&tp->p_crlock);
568 	crhold(tcr = tp->p_cred);
569 	mutex_exit(&tp->p_crlock);
570 
571 	if (scr == tcr)
572 		goto out;
573 
574 	idsmatch = (scr->cr_uid == tcr->cr_uid &&
575 		    scr->cr_uid == tcr->cr_ruid &&
576 		    scr->cr_uid == tcr->cr_suid &&
577 		    scr->cr_gid == tcr->cr_gid &&
578 		    scr->cr_gid == tcr->cr_rgid &&
579 		    scr->cr_gid == tcr->cr_sgid &&
580 		    !(tp->p_flag & SNOCD));
581 
582 	/*
583 	 * Source credential must have the proc_zone privilege if referencing
584 	 * a process in another zone.
585 	 */
586 	if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) {
587 		res = EACCES;
588 		goto out;
589 	}
590 
591 	if (!(mode & VWRITE)) {
592 		if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0)
593 			res = EACCES;
594 		goto out;
595 	}
596 
597 	/*
598 	 * For writing, the effective set of scr must dominate all sets of tcr,
599 	 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
600 	 * The Limit set of scr must be a superset of the limitset of
601 	 * tcr.
602 	 */
603 	eset = &CR_OEPRIV(scr);
604 
605 	if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
606 	    !priv_issubset(&CR_OPPRIV(tcr), eset) ||
607 	    !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
608 	    !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
609 		res = EACCES;
610 
611 out:
612 	if (res == 0 && pcr != NULL)
613 		*pcr = tcr;
614 	else
615 		crfree(tcr);
616 	return (res);
617 }
618 
619 /*
620  * Set the privilege aware bit, adding L to E/P if
621  * necessasry.
622  */
623 void
624 priv_set_PA(cred_t *cr)
625 {
626 	ASSERT(cr->cr_ref <= 2);
627 
628 	if (CR_FLAGS(cr) & PRIV_AWARE)
629 		return;
630 
631 	CR_FLAGS(cr) |= PRIV_AWARE;
632 
633 	if (cr->cr_uid == 0)
634 		priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr));
635 
636 	if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0)
637 		priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr));
638 }
639 
640 boolean_t
641 priv_can_clear_PA(const cred_t *cr)
642 {
643 	/*
644 	 * We can clear PA in the following cases:
645 	 *
646 	 * None of the uids are 0.
647 	 * Any uid == 0 and P == L and (Euid != 0 or E == L)
648 	 */
649 	return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) ||
650 	    priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) &&
651 	    (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr))));
652 }
653 
654 /*
655  * Clear privilege aware bit if it is an idempotent operation and by
656  * clearing it the process cannot get to uid 0 and all privileges.
657  *
658  * This function should be called with caution as it may cause "E" to be
659  * lost once a processes assumes euid 0 again.
660  */
661 void
662 priv_adjust_PA(cred_t *cr)
663 {
664 	ASSERT(cr->cr_ref <= 2);
665 
666 	if (!(CR_FLAGS(cr) & PRIV_AWARE) ||
667 	    !priv_can_clear_PA(cr))
668 		return;
669 
670 	if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT)
671 		return;
672 
673 	/*
674 	 * We now need to adjust P/E in those cases when uids
675 	 * are zero; the rules are P' = I & L, E' = I & L;
676 	 * but since P = L and E = L, we can use P &= I, E &= I,
677 	 * depending on which uids are 0.
678 	 */
679 	if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) {
680 		if (cr->cr_uid == 0)
681 			priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr));
682 		priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr));
683 	}
684 
685 	CR_FLAGS(cr) &= ~PRIV_AWARE;
686 }
687