xref: /illumos-gate/usr/src/uts/common/syscall/ppriv.c (revision 69b1fd3f24d0ee2e682883606201c61f52085805)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/param.h>
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/systm.h>
29 #include <sys/cred_impl.h>
30 #include <sys/errno.h>
31 #include <sys/klpd.h>
32 #include <sys/proc.h>
33 #include <sys/priv_impl.h>
34 #include <sys/policy.h>
35 #include <sys/ddi.h>
36 #include <sys/thread.h>
37 #include <sys/cmn_err.h>
38 #include <c2/audit.h>
39 
40 /*
41  * System call support for manipulating privileges.
42  *
43  *
44  * setppriv(2) - set process privilege set
45  * getppriv(2) - get process privilege set
46  * getprivimplinfo(2) - get process privilege implementation information
47  * setpflags(2) - set process (privilege) flags
48  * getpflags(2) - get process (privilege) flags
49  */
50 
51 /*
52  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
53  */
54 static int
55 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
56 {
57 	priv_set_t	pset, *target;
58 	cred_t		*cr, *pcr;
59 	proc_t		*p;
60 	boolean_t	donocd = B_FALSE;
61 
62 	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
63 		return (set_errno(EINVAL));
64 
65 	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
66 		return (set_errno(EFAULT));
67 
68 	p = ttoproc(curthread);
69 	cr = cralloc();
70 	mutex_enter(&p->p_crlock);
71 
72 retry:
73 	pcr = p->p_cred;
74 
75 	if (AU_AUDITING())
76 		audit_setppriv(op, type, &pset, pcr);
77 
78 	/*
79 	 * Filter out unallowed request (bad op and bad type)
80 	 */
81 	switch (op) {
82 	case PRIV_ON:
83 	case PRIV_SET:
84 		/*
85 		 * Turning on privileges; the limit set cannot grow,
86 		 * other sets can but only as long as they remain subsets
87 		 * of P.  Only immediately after exec holds that P <= L.
88 		 */
89 		if (type == PRIV_LIMIT &&
90 		    !priv_issubset(&pset, &CR_LPRIV(pcr))) {
91 			mutex_exit(&p->p_crlock);
92 			crfree(cr);
93 			return (set_errno(EPERM));
94 		}
95 		if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
96 		    !priv_issubset(&pset, priv_getset(pcr, type))) {
97 			mutex_exit(&p->p_crlock);
98 			/* Policy override should not grow beyond L either */
99 			if (type != PRIV_INHERITABLE ||
100 			    !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
101 			    secpolicy_require_privs(CRED(), &pset) != 0) {
102 				crfree(cr);
103 				return (set_errno(EPERM));
104 			}
105 			mutex_enter(&p->p_crlock);
106 			if (pcr != p->p_cred)
107 				goto retry;
108 			donocd = B_TRUE;
109 		}
110 		break;
111 
112 	case PRIV_OFF:
113 		/* PRIV_OFF is always allowed */
114 		break;
115 	}
116 
117 	/*
118 	 * OK! everything is cool.
119 	 * Do cred COW.
120 	 */
121 	crcopy_to(pcr, cr);
122 
123 	/*
124 	 * If we change the effective, permitted or limit set, we attain
125 	 * "privilege awareness".
126 	 */
127 	if (type != PRIV_INHERITABLE)
128 		priv_set_PA(cr);
129 
130 	target = &(CR_PRIVS(cr)->crprivs[type]);
131 
132 	switch (op) {
133 	case PRIV_ON:
134 		priv_union(&pset, target);
135 		break;
136 	case PRIV_OFF:
137 		priv_inverse(&pset);
138 		priv_intersect(target, &pset);
139 
140 		/*
141 		 * Fall-thru to set target and change other process
142 		 * privilege sets.
143 		 */
144 		/*FALLTHRU*/
145 
146 	case PRIV_SET:
147 		*target = pset;
148 
149 		/*
150 		 * Take privileges no longer permitted out
151 		 * of other effective sets as well.
152 		 * Limit set is enforced at exec() time.
153 		 */
154 		if (type == PRIV_PERMITTED)
155 			priv_intersect(&pset, &CR_EPRIV(cr));
156 		break;
157 	}
158 
159 	/*
160 	 * When we give up privileges not in the inheritable set,
161 	 * set SNOCD if not already set; first we compute the
162 	 * privileges removed from P using Diff = (~P') & P
163 	 * and then we check whether the removed privileges are
164 	 * a subset of I.  If we retain uid 0, all privileges
165 	 * are required anyway so don't set SNOCD.
166 	 */
167 	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
168 	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
169 		priv_set_t diff = CR_OPPRIV(cr);
170 		priv_inverse(&diff);
171 		priv_intersect(&CR_OPPRIV(pcr), &diff);
172 		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
173 	}
174 
175 	p->p_cred = cr;
176 	mutex_exit(&p->p_crlock);
177 
178 	if (donocd) {
179 		mutex_enter(&p->p_lock);
180 		p->p_flag |= SNOCD;
181 		mutex_exit(&p->p_lock);
182 	}
183 
184 	/*
185 	 * The basic_test privilege should not be removed from E;
186 	 * if that has happened, then some programmer typically set the E/P to
187 	 * empty. That is not portable.
188 	 */
189 	if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
190 	    priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
191 		proc_t *p = curproc;
192 		pid_t pid = p->p_pid;
193 		char *fn = PTOU(p)->u_comm;
194 
195 		cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
196 		    "removed from E/P", fn, pid);
197 	}
198 
199 	crset(p, cr);		/* broadcast to process threads */
200 
201 	return (0);
202 }
203 
204 /*
205  * getppriv (priv_ptype_t, priv_set_t *)
206  */
207 static int
208 getppriv(priv_ptype_t type, priv_set_t *pset)
209 {
210 	if (!PRIV_VALIDSET(type))
211 		return (set_errno(EINVAL));
212 
213 	if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
214 		return (set_errno(EFAULT));
215 
216 	return (0);
217 }
218 
219 static int
220 getprivimplinfo(void *buf, size_t bufsize)
221 {
222 	int err;
223 
224 	err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
225 
226 	priv_release_implinfo();
227 
228 	if (err)
229 		return (set_errno(EFAULT));
230 
231 	return (0);
232 }
233 
234 /*
235  * Set process flags in the given target cred.  If NULL is specified, then
236  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
237  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
238  * for these, curproc is always used.
239  *
240  * For now we cheat: the flags are actually bit masks so we can simplify
241  * some; we do make sure that the arguments are valid, though.
242  */
243 
244 int
245 setpflags(uint_t flag, uint_t val, cred_t *tcr)
246 {
247 	cred_t *cr, *pcr;
248 	proc_t *p = curproc;
249 	uint_t newflags;
250 	boolean_t use_curcred = (tcr == NULL);
251 
252 	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
253 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
254 	    flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
255 	    flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
256 		return (EINVAL);
257 	}
258 
259 	if (flag == __PROC_PROTECT) {
260 		mutex_enter(&p->p_lock);
261 		if (val == 0)
262 			p->p_flag &= ~SNOCD;
263 		else
264 			p->p_flag |= SNOCD;
265 		mutex_exit(&p->p_lock);
266 		return (0);
267 	}
268 
269 	if (use_curcred) {
270 		cr = cralloc();
271 		mutex_enter(&p->p_crlock);
272 		pcr = p->p_cred;
273 	} else {
274 		cr = pcr = tcr;
275 	}
276 
277 	newflags = CR_FLAGS(pcr);
278 
279 	if (val != 0) {
280 		if (flag == PRIV_AWARE)
281 			newflags &= ~PRIV_AWARE_RESET;
282 		newflags |= flag;
283 	} else {
284 		newflags &= ~flag;
285 	}
286 
287 	/* No change */
288 	if (CR_FLAGS(pcr) == newflags) {
289 		if (use_curcred) {
290 			mutex_exit(&p->p_crlock);
291 			crfree(cr);
292 		}
293 		return (0);
294 	}
295 
296 	/*
297 	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
298 	 * flags is a restricted operation.
299 	 *
300 	 * When invoked via the PRIVSYS_SETPFLAGS syscall
301 	 * we require that the current cred has the net_mac_aware
302 	 * privilege in its effective set.
303 	 *
304 	 * When called from within the kernel by label-aware
305 	 * services such as NFS, we don't require a privilege check.
306 	 *
307 	 */
308 	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
309 	    (val == 1) && use_curcred) {
310 		if (secpolicy_net_mac_aware(pcr) != 0) {
311 			mutex_exit(&p->p_crlock);
312 			crfree(cr);
313 			return (EPERM);
314 		}
315 	}
316 
317 	/* Trying to unset PA; if we can't, return an error */
318 	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
319 		if (use_curcred) {
320 			mutex_exit(&p->p_crlock);
321 			crfree(cr);
322 		}
323 		return (EPERM);
324 	}
325 
326 	/* Committed to changing the flag */
327 	if (use_curcred)
328 		crcopy_to(pcr, cr);
329 	if (flag == PRIV_AWARE) {
330 		if (val != 0)
331 			priv_set_PA(cr);
332 		else
333 			priv_adjust_PA(cr);
334 	} else {
335 		CR_FLAGS(cr) = newflags;
336 	}
337 
338 	/*
339 	 * Unsetting the flag has as side effect getting rid of
340 	 * the per-credential policy.
341 	 */
342 	if (flag == PRIV_XPOLICY && val == 0)
343 		crsetcrklpd(cr, NULL);
344 
345 	if (use_curcred) {
346 		p->p_cred = cr;
347 		mutex_exit(&p->p_crlock);
348 		crset(p, cr);
349 	}
350 
351 	return (0);
352 }
353 
354 /*
355  * Getpflags.  Currently only implements single bit flags.
356  */
357 uint_t
358 getpflags(uint_t flag, const cred_t *cr)
359 {
360 	if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
361 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
362 	    flag != PRIV_XPOLICY && flag != PRIV_PFEXEC &&
363 	    flag != PRIV_AWARE_RESET)
364 		return ((uint_t)-1);
365 
366 	return ((CR_FLAGS(cr) & flag) != 0);
367 }
368 
369 /*
370  * Privilege system call entry point
371  */
372 int
373 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
374     int itype)
375 {
376 	int retv;
377 	extern int issetugid(void);
378 
379 	switch (code) {
380 	case PRIVSYS_SETPPRIV:
381 		if (bufsize < sizeof (priv_set_t))
382 			return (set_errno(ENOMEM));
383 		return (setppriv(op, type, buf));
384 	case PRIVSYS_GETPPRIV:
385 		if (bufsize < sizeof (priv_set_t))
386 			return (set_errno(ENOMEM));
387 		return (getppriv(type, buf));
388 	case PRIVSYS_GETIMPLINFO:
389 		return (getprivimplinfo(buf, bufsize));
390 	case PRIVSYS_SETPFLAGS:
391 		retv = setpflags((uint_t)op, (uint_t)type, NULL);
392 		return (retv != 0 ? set_errno(retv) : 0);
393 	case PRIVSYS_GETPFLAGS:
394 		retv = (int)getpflags((uint_t)op, CRED());
395 		return (retv == -1 ? set_errno(EINVAL) : retv);
396 	case PRIVSYS_ISSETUGID:
397 		return (issetugid());
398 	case PRIVSYS_KLPD_REG:
399 		if (bufsize < sizeof (priv_set_t))
400 			return (set_errno(ENOMEM));
401 		return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
402 		    buf));
403 	case PRIVSYS_KLPD_UNREG:
404 		return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
405 	case PRIVSYS_PFEXEC_REG:
406 		return ((int)pfexec_reg((int)op));
407 	case PRIVSYS_PFEXEC_UNREG:
408 		return ((int)pfexec_unreg((int)op));
409 	}
410 	return (set_errno(EINVAL));
411 }
412 
413 #ifdef _SYSCALL32_IMPL
414 int
415 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
416     size32_t bufsize, int itype)
417 {
418 	return (privsys(code, op, type, (void *)(uintptr_t)buf,
419 	    (size_t)bufsize, itype));
420 }
421 #endif
422