xref: /illumos-gate/usr/src/uts/common/syscall/ppriv.c (revision e38a713ad4e0a9c42f8cccd9350412b2c6ccccdb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/param.h>
29 #include <sys/types.h>
30 #include <sys/sysmacros.h>
31 #include <sys/systm.h>
32 #include <sys/cred_impl.h>
33 #include <sys/errno.h>
34 #include <sys/proc.h>
35 #include <sys/priv_impl.h>
36 #include <sys/policy.h>
37 #include <sys/ddi.h>
38 #include <sys/thread.h>
39 #include <c2/audit.h>
40 
41 /*
42  * System call support for manipulating privileges.
43  *
44  *
45  * setppriv(2) - set process privilege set
46  * getppriv(2) - get process privilege set
47  * getprivimplinfo(2) - get process privilege implementation information
48  * setpflags(2) - set process (privilege) flags
49  * getpflags(2) - get process (privilege) flags
50  */
51 
52 /*
53  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
54  */
55 static int
56 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
57 {
58 	priv_set_t	pset, *target;
59 	cred_t		*cr, *pcr;
60 	proc_t		*p;
61 	boolean_t	donocd;
62 
63 	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
64 		return (set_errno(EINVAL));
65 
66 	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
67 		return (set_errno(EFAULT));
68 
69 	p = ttoproc(curthread);
70 	cr = cralloc();
71 	mutex_enter(&p->p_crlock);
72 
73 	pcr = p->p_cred;
74 
75 	if (audit_active)
76 		audit_setppriv(op, type, &pset, pcr);
77 
78 	/*
79 	 * Filter out unallowed request (bad op and bad type)
80 	 */
81 	switch (op) {
82 	case PRIV_ON:
83 	case PRIV_SET:
84 		/*
85 		 * Turning on privileges; the limit set cannot grow,
86 		 * other sets can but only as long as they remain subsets
87 		 * of P.  Only immediately after exec holds that P <= L.
88 		 */
89 		if (((type == PRIV_LIMIT &&
90 		    !priv_issubset(&pset, &CR_LPRIV(pcr))) ||
91 		    !priv_issubset(&pset, &CR_OPPRIV(pcr))) &&
92 		    !priv_issubset(&pset, priv_getset(pcr, type))) {
93 			mutex_exit(&p->p_crlock);
94 			crfree(cr);
95 			return (set_errno(EPERM));
96 		}
97 		break;
98 
99 	case PRIV_OFF:
100 		/* PRIV_OFF is always allowed */
101 		break;
102 	}
103 
104 	/*
105 	 * OK! everything is cool.
106 	 * Do cred COW.
107 	 */
108 	crcopy_to(pcr, cr);
109 
110 	/*
111 	 * If we change the effective, permitted or limit set, we attain
112 	 * "privilege awareness".
113 	 */
114 	if (type != PRIV_INHERITABLE)
115 		priv_set_PA(cr);
116 
117 	target = &(CR_PRIVS(cr)->crprivs[type]);
118 
119 	switch (op) {
120 	case PRIV_ON:
121 		priv_union(&pset, target);
122 		break;
123 	case PRIV_OFF:
124 		priv_inverse(&pset);
125 		priv_intersect(target, &pset);
126 
127 		/*
128 		 * Fall-thru to set target and change other process
129 		 * privilege sets.
130 		 */
131 		/*FALLTHRU*/
132 
133 	case PRIV_SET:
134 		*target = pset;
135 
136 		/*
137 		 * Take privileges no longer permitted out
138 		 * of other effective sets as well.
139 		 * Limit set is enforced at exec() time.
140 		 */
141 		if (type == PRIV_PERMITTED)
142 			priv_intersect(&pset, &CR_EPRIV(cr));
143 		break;
144 	}
145 
146 	/*
147 	 * When we give up privileges not in the inheritable set,
148 	 * set SNOCD if not already set; first we compute the
149 	 * privileges removed from P using Diff = (~P') & P
150 	 * and then we check whether the removed privileges are
151 	 * a subset of I.  If we retain uid 0, all privileges
152 	 * are required anyway so don't set SNOCD.
153 	 */
154 	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
155 	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
156 		priv_set_t diff = CR_OPPRIV(cr);
157 		priv_inverse(&diff);
158 		priv_intersect(&CR_OPPRIV(pcr), &diff);
159 		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
160 	} else {
161 		donocd = B_FALSE;
162 	}
163 
164 	p->p_cred = cr;
165 	mutex_exit(&p->p_crlock);
166 
167 	if (donocd) {
168 		mutex_enter(&p->p_lock);
169 		p->p_flag |= SNOCD;
170 		mutex_exit(&p->p_lock);
171 	}
172 
173 	crset(p, cr);		/* broadcast to process threads */
174 
175 	return (0);
176 }
177 
178 /*
179  * getppriv (priv_ptype_t, priv_set_t *)
180  */
181 static int
182 getppriv(priv_ptype_t type, priv_set_t *pset)
183 {
184 	if (!PRIV_VALIDSET(type))
185 		return (set_errno(EINVAL));
186 
187 	if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
188 		return (set_errno(EFAULT));
189 
190 	return (0);
191 }
192 
193 static int
194 getprivimplinfo(void *buf, size_t bufsize)
195 {
196 	int err;
197 
198 	err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
199 
200 	priv_release_implinfo();
201 
202 	if (err)
203 		return (set_errno(EFAULT));
204 
205 	return (0);
206 }
207 
208 /*
209  * Set process flags in the given target cred.  If NULL is specified, then
210  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
211  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
212  * for these, curproc is always used.
213  *
214  * For now we cheat: the flags are actually bit masks so we can simplify
215  * some; we do make sure that the arguments are valid, though.
216  */
217 
218 int
219 setpflags(uint_t flag, uint_t val, cred_t *tcr)
220 {
221 	cred_t *cr, *pcr;
222 	proc_t *p = curproc;
223 	uint_t newflags;
224 	boolean_t use_curcred = (tcr == NULL);
225 
226 	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
227 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
228 	    flag != __PROC_PROTECT)) {
229 		return (EINVAL);
230 	}
231 
232 	if (flag == __PROC_PROTECT) {
233 		mutex_enter(&p->p_lock);
234 		if (val == 0)
235 			p->p_flag &= ~SNOCD;
236 		else
237 			p->p_flag |= SNOCD;
238 		mutex_exit(&p->p_lock);
239 		return (0);
240 	}
241 
242 	if (use_curcred) {
243 		cr = cralloc();
244 		mutex_enter(&p->p_crlock);
245 		pcr = p->p_cred;
246 	} else {
247 		cr = pcr = tcr;
248 	}
249 
250 	newflags = CR_FLAGS(pcr);
251 
252 	if (val != 0)
253 		newflags |= flag;
254 	else
255 		newflags &= ~flag;
256 
257 	/* No change */
258 	if (CR_FLAGS(pcr) == newflags) {
259 		if (use_curcred) {
260 			mutex_exit(&p->p_crlock);
261 			crfree(cr);
262 		}
263 		return (0);
264 	}
265 
266 	/*
267 	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
268 	 * flags is a restricted operation.
269 	 *
270 	 * When invoked via the PRIVSYS_SETPFLAGS syscall
271 	 * we require that the current cred has the net_mac_aware
272 	 * privilege in its effective set.
273 	 *
274 	 * When called from within the kernel by label-aware
275 	 * services such as NFS, we don't require a privilege check.
276 	 *
277 	 */
278 	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
279 	    (val == 1) && use_curcred) {
280 		if (secpolicy_net_mac_aware(pcr) != 0) {
281 			mutex_exit(&p->p_crlock);
282 			crfree(cr);
283 			return (EPERM);
284 		}
285 	}
286 
287 	/* Trying to unset PA; if we can't, return an error */
288 	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
289 		if (use_curcred) {
290 			mutex_exit(&p->p_crlock);
291 			crfree(cr);
292 		}
293 		return (EPERM);
294 	}
295 
296 	/* Committed to changing the flag */
297 	if (use_curcred)
298 		crcopy_to(pcr, cr);
299 	if (flag == PRIV_AWARE) {
300 		if (val != 0)
301 			priv_set_PA(cr);
302 		else
303 			priv_adjust_PA(cr);
304 	} else {
305 		CR_FLAGS(cr) = newflags;
306 	}
307 
308 	if (use_curcred) {
309 		p->p_cred = cr;
310 		mutex_exit(&p->p_crlock);
311 		crset(p, cr);
312 	}
313 
314 	return (0);
315 }
316 
317 /*
318  * Getpflags.  Currently only implements single bit flags.
319  */
320 uint_t
321 getpflags(uint_t flag, const cred_t *cr)
322 {
323 	if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
324 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT)
325 		return ((uint_t)-1);
326 
327 	return ((CR_FLAGS(cr) & flag) != 0);
328 }
329 
330 /*
331  * Privilege system call entry point
332  */
333 int
334 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize)
335 {
336 	int retv;
337 	extern int issetugid(void);
338 
339 	switch (code) {
340 	case PRIVSYS_SETPPRIV:
341 		if (bufsize < sizeof (priv_set_t))
342 			return (set_errno(ENOMEM));
343 		return (setppriv(op, type, buf));
344 	case PRIVSYS_GETPPRIV:
345 		if (bufsize < sizeof (priv_set_t))
346 			return (set_errno(ENOMEM));
347 		return (getppriv(type, buf));
348 	case PRIVSYS_GETIMPLINFO:
349 		return (getprivimplinfo(buf, bufsize));
350 	case PRIVSYS_SETPFLAGS:
351 		retv = setpflags((uint_t)op, (uint_t)type, NULL);
352 		return (retv != 0 ? set_errno(retv) : 0);
353 	case PRIVSYS_GETPFLAGS:
354 		retv = (int)getpflags((uint_t)op, CRED());
355 		return (retv == -1 ? set_errno(EINVAL) : retv);
356 	case PRIVSYS_ISSETUGID:
357 		return (issetugid());
358 	}
359 	return (set_errno(EINVAL));
360 }
361 
362 #ifdef _SYSCALL32_IMPL
363 int
364 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t *buf,
365     size32_t bufsize)
366 {
367 	return (privsys(code, op, type, (void *)buf, (size_t)bufsize));
368 }
369 #endif
370