1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/systm.h> 32 #include <sys/cred.h> 33 #include <sys/sid.h> 34 #include <sys/errno.h> 35 #include <sys/proc.h> 36 #include <sys/debug.h> 37 #include <sys/kmem.h> 38 #include <sys/policy.h> 39 40 int 41 setgroups(int gidsetsize, gid_t *gidset) 42 { 43 proc_t *p; 44 cred_t *cr, *newcr; 45 int i; 46 int n = gidsetsize; 47 int error; 48 int scnt = 0; 49 ksidlist_t *ksl = NULL; 50 zone_t *zone; 51 struct credgrp *grps = NULL; 52 53 /* Perform the cheapest tests before grabbing p_crlock */ 54 if (n > ngroups_max || n < 0) 55 return (set_errno(EINVAL)); 56 57 zone = crgetzone(CRED()); 58 if (n != 0) { 59 const gid_t *groups; 60 61 grps = crgrpcopyin(n, gidset); 62 63 if (grps == NULL) 64 return (set_errno(EFAULT)); 65 66 groups = crgetggroups(grps); 67 68 for (i = 0; i < n; i++) { 69 if (!VALID_GID(groups[i], zone)) { 70 crgrprele(grps); 71 return (set_errno(EINVAL)); 72 } 73 if (groups[i] > MAXUID) 74 scnt++; 75 } 76 if (scnt > 0) { 77 ksl = kcrsid_gidstosids(zone, n, (gid_t *)groups); 78 if (ksl == NULL) { 79 crgrprele(grps); 80 return (set_errno(EINVAL)); 81 } 82 } 83 } 84 85 86 /* 87 * Need to pre-allocate the new cred structure before acquiring 88 * the p_crlock mutex. 89 */ 90 newcr = cralloc_ksid(); 91 p = ttoproc(curthread); 92 mutex_enter(&p->p_crlock); 93 retry: 94 cr = p->p_cred; 95 crhold(cr); 96 mutex_exit(&p->p_crlock); 97 98 if ((error = secpolicy_allow_setid(cr, -1, B_FALSE)) != 0) { 99 if (grps != NULL) 100 crgrprele(grps); 101 if (ksl != NULL) 102 ksidlist_rele(ksl); 103 crfree(newcr); 104 crfree(cr); 105 return (set_errno(error)); 106 } 107 mutex_enter(&p->p_crlock); 108 crfree(cr); 109 if (cr != p->p_cred) 110 goto retry; 111 112 crdup_to(cr, newcr); 113 crsetsidlist(newcr, ksl); 114 crsetcredgrp(newcr, grps); 115 116 p->p_cred = newcr; 117 crhold(newcr); /* hold for the current thread */ 118 crfree(cr); /* free the old one */ 119 mutex_exit(&p->p_crlock); 120 121 /* 122 * Broadcast new cred to process threads (including the current one). 123 */ 124 crset(p, newcr); 125 126 return (0); 127 } 128 129 int 130 getgroups(int gidsetsize, gid_t *gidset) 131 { 132 struct cred *cr; 133 int n; 134 135 cr = curthread->t_cred; 136 n = crgetngroups(cr); 137 138 if (gidsetsize != 0) { 139 if (gidsetsize < n) 140 return (set_errno(EINVAL)); 141 if (copyout(crgetgroups(cr), gidset, n * sizeof (gid_t))) 142 return (set_errno(EFAULT)); 143 } 144 145 return (n); 146 } 147