1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2003 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * Privilege implementation. 31 * 32 * This file provides the infrastructure for privilege sets and limits 33 * the number of files that requires to include <sys/cred_impl.h> and/or 34 * <sys/priv_impl.h>. 35 * 36 * The Solaris privilege mechanism has been designed in a 37 * future proof manner. While the kernel may use fixed size arrays 38 * and fixed bitmasks and bit values, the representation of those 39 * is kernel private. All external interfaces as well as K-to-K interfaces 40 * have been constructed in a manner to provide the maximum flexibility. 41 * 42 * There can be X privilege sets each containing Y 32 bit words. 43 * <X, Y> are constant for a kernel invocation. 44 * 45 * As a consequence, all privilege set manipulation happens in functions 46 * below. 47 * 48 */ 49 50 #include <sys/systm.h> 51 #include <sys/ddi.h> 52 #include <sys/kmem.h> 53 #include <sys/sunddi.h> 54 #include <sys/errno.h> 55 #include <sys/debug.h> 56 #include <sys/priv_impl.h> 57 #include <sys/procfs.h> 58 #include <sys/policy.h> 59 #include <sys/cred_impl.h> 60 #include <sys/devpolicy.h> 61 #include <sys/atomic.h> 62 63 /* 64 * Privilege name to number mapping table consists in the generated 65 * priv_const.c file. This lock protects against updates of the privilege 66 * names and counts; all other priv_info fields are read-only. 67 * The actual protected values are: 68 * global variable nprivs 69 * the priv_max field 70 * the priv_names field 71 * the priv names info item (cnt/strings) 72 */ 73 krwlock_t privinfo_lock; 74 75 static boolean_t priv_valid(const cred_t *); 76 77 priv_set_t priv_fullset; /* set of all privileges */ 78 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */ 79 80 /* 81 * Privilege initialization functions. 82 * Called from common/os/cred.c when cred_init is called. 83 */ 84 85 void 86 priv_init(void) 87 { 88 rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL); 89 90 PRIV_BASIC_ASSERT(priv_basic); 91 PRIV_UNSAFE_ASSERT(&priv_unsafe); 92 priv_fillset(&priv_fullset); 93 94 devpolicy_init(); 95 } 96 97 /* Utility functions: privilege sets as opaque data types */ 98 99 /* 100 * Guts of prgetprivsize. 101 */ 102 int 103 priv_prgetprivsize(prpriv_t *tmpl) 104 { 105 return (sizeof (prpriv_t) + 106 PRIV_SETBYTES - sizeof (priv_chunk_t) + 107 (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize)); 108 } 109 110 /* 111 * Guts of prgetpriv. 112 */ 113 void 114 cred2prpriv(const cred_t *cp, prpriv_t *pr) 115 { 116 priv_set_t *psa; 117 int i; 118 119 pr->pr_nsets = PRIV_NSET; 120 pr->pr_setsize = PRIV_SETSIZE; 121 pr->pr_infosize = priv_info->priv_infosize; 122 123 psa = (priv_set_t *)pr->pr_sets; 124 125 for (i = 0; i < PRIV_NSET; i++) 126 psa[i] = *priv_getset(cp, i); 127 128 priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr)); 129 } 130 131 /* 132 * Guts of pr_spriv: 133 * 134 * Set the privileges of a process. 135 * 136 * In order to set the privileges, the setting process will need to 137 * have those privileges in its effective set in order to prevent 138 * specially privileged processes to easily gain additional privileges. 139 * Pre-existing privileges can be retained. To change any privileges, 140 * PRIV_PROC_OWNER needs to be asserted. 141 * 142 * In formula: 143 * 144 * S' <= S || S' <= S + Ea 145 * 146 * the new set must either be subset of the old set or a subset of 147 * the oldset merged with the effective set of the acting process; or just: 148 * 149 * S' <= S + Ea 150 * 151 * It's not legal to grow the limit set this way. 152 * 153 */ 154 int 155 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr) 156 { 157 cred_t *oldcred; 158 cred_t *newcred; 159 int i; 160 int err = EPERM; 161 cred_priv_t *cp, *ocp; 162 priv_set_t eset; 163 164 ASSERT(MUTEX_HELD(&p->p_lock)); 165 166 /* 167 * Set must have proper dimension; infosize must be absent 168 * or properly sized. 169 */ 170 if (prpriv->pr_nsets != PRIV_NSET || 171 prpriv->pr_setsize != PRIV_SETSIZE || 172 (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 || 173 prpriv->pr_infosize > priv_info->priv_infosize || 174 prpriv->pr_infosize < 0) 175 return (EINVAL); 176 177 mutex_exit(&p->p_lock); 178 179 if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) { 180 mutex_enter(&p->p_lock); 181 return (EPERM); 182 } 183 184 newcred = crdup(oldcred); 185 186 /* Copy the privilege sets from prpriv to newcred */ 187 bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES); 188 189 cp = &newcred->cr_priv; 190 ocp = &oldcred->cr_priv; 191 eset = CR_OEPRIV(cr); 192 193 priv_intersect(&CR_LPRIV(oldcred), &eset); 194 195 /* 196 * Verify the constraints laid out: 197 * for the limit set, we require that the new set is a subset 198 * of the old limit set. 199 * for all other sets, we require that the new set is either a 200 * subset of the old set or a subset of the intersection of 201 * the old limit set and the effective set of the acting process. 202 */ 203 for (i = 0; i < PRIV_NSET; i++) 204 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) && 205 (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset))) 206 break; 207 208 crfree(oldcred); 209 210 if (i < PRIV_NSET || !priv_valid(newcred)) 211 goto err; 212 213 /* Load the settable privilege information */ 214 if (prpriv->pr_infosize > 0) { 215 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv); 216 char *lastx = x + prpriv->pr_infosize; 217 218 while (x < lastx) { 219 priv_info_t *pi = (priv_info_t *)x; 220 priv_info_uint_t *pii; 221 222 switch (pi->priv_info_type) { 223 case PRIV_INFO_FLAGS: 224 pii = (priv_info_uint_t *)x; 225 if (pii->info.priv_info_size != sizeof (*pii)) { 226 err = EINVAL; 227 goto err; 228 } 229 CR_FLAGS(newcred) &= ~PRIV_USER; 230 CR_FLAGS(newcred) |= (pii->val & PRIV_USER); 231 break; 232 default: 233 err = EINVAL; 234 goto err; 235 } 236 /* Guarantee alignment and forward progress */ 237 if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) || 238 pi->priv_info_size < sizeof (*pi) || 239 lastx - x > pi->priv_info_size) { 240 err = EINVAL; 241 goto err; 242 } 243 244 x += pi->priv_info_size; 245 } 246 } 247 248 /* 249 * We'll try to copy the privilege aware flag; but since the 250 * privileges sets are all individually set, they are set 251 * as if we're privilege aware. If PRIV_AWARE wasn't set 252 * or was explicitely unset, we need to set the flag and then 253 * try to get rid of it. 254 */ 255 if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) { 256 CR_FLAGS(newcred) |= PRIV_AWARE; 257 priv_adjust_PA(newcred); 258 } 259 260 mutex_enter(&p->p_crlock); 261 oldcred = p->p_cred; 262 p->p_cred = newcred; 263 mutex_exit(&p->p_crlock); 264 crfree(oldcred); 265 266 mutex_enter(&p->p_lock); 267 return (0); 268 269 err: 270 crfree(newcred); 271 mutex_enter(&p->p_lock); 272 return (err); 273 } 274 275 priv_impl_info_t 276 *priv_hold_implinfo(void) 277 { 278 rw_enter(&privinfo_lock, RW_READER); 279 return (priv_info); 280 } 281 282 void 283 priv_release_implinfo(void) 284 { 285 rw_exit(&privinfo_lock); 286 } 287 288 size_t 289 priv_get_implinfo_size(void) 290 { 291 return (privinfosize); 292 } 293 294 295 /* 296 * Return the nth privilege set 297 */ 298 const priv_set_t * 299 priv_getset(const cred_t *cr, int set) 300 { 301 ASSERT(PRIV_VALIDSET(set)); 302 303 if ((CR_FLAGS(cr) & PRIV_AWARE) == 0) 304 switch (set) { 305 case PRIV_EFFECTIVE: 306 return (&CR_OEPRIV(cr)); 307 case PRIV_PERMITTED: 308 return (&CR_OPPRIV(cr)); 309 } 310 return (&CR_PRIVS(cr)->crprivs[set]); 311 } 312 313 /* 314 * Buf must be allocated by caller and contain sufficient space to 315 * contain all additional info structures using priv_info.priv_infosize. 316 * The buffer must be properly aligned. 317 */ 318 /*ARGSUSED*/ 319 void 320 priv_getinfo(const cred_t *cr, void *buf) 321 { 322 struct priv_info_uint *ii; 323 324 ii = buf; 325 ii->val = CR_FLAGS(cr); 326 ii->info.priv_info_size = (uint32_t)sizeof (*ii); 327 ii->info.priv_info_type = PRIV_INFO_FLAGS; 328 } 329 330 int 331 priv_getbyname(const char *name, uint_t flag) 332 { 333 int i; 334 int wheld = 0; 335 int len; 336 char *p; 337 338 if (flag != 0 && flag != PRIV_ALLOC) 339 return (-EINVAL); 340 341 if (strncasecmp(name, "priv_", 5) == 0) 342 name += 5; 343 344 rw_enter(&privinfo_lock, RW_READER); 345 rescan: 346 for (i = 0; i < nprivs; i++) 347 if (strcasecmp(priv_names[i], name) == 0) { 348 rw_exit(&privinfo_lock); 349 return (i); 350 } 351 352 353 if (!wheld) { 354 if (!(flag & PRIV_ALLOC)) { 355 rw_exit(&privinfo_lock); 356 return (-EINVAL); 357 } 358 359 /* check length, validity and available space */ 360 len = strlen(name) + 1; 361 362 if (len > PRIVNAME_MAX) { 363 rw_exit(&privinfo_lock); 364 return (-ENAMETOOLONG); 365 } 366 367 for (p = (char *)name; *p != '\0'; p++) { 368 char c = *p; 369 370 if (!((c >= 'A' && c <= 'Z') || 371 (c >= 'a' && c <= 'z') || 372 (c >= '0' && c <= '9') || 373 c == '_')) { 374 rw_exit(&privinfo_lock); 375 return (-EINVAL); 376 } 377 } 378 379 if (!rw_tryupgrade(&privinfo_lock)) { 380 rw_exit(&privinfo_lock); 381 rw_enter(&privinfo_lock, RW_WRITER); 382 wheld = 1; 383 /* Someone may have added our privilege */ 384 goto rescan; 385 } 386 } 387 388 if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) { 389 rw_exit(&privinfo_lock); 390 return (-ENOMEM); 391 } 392 393 priv_names[i] = p = priv_str + privbytes; 394 395 bcopy(name, p, len); 396 397 /* make the priv_names[i] and privilege name globally visible */ 398 membar_producer(); 399 400 /* adjust priv count and bytes count */ 401 priv_ninfo->cnt = priv_info->priv_max = ++nprivs; 402 privbytes += len; 403 404 rw_exit(&privinfo_lock); 405 return (i); 406 } 407 408 /* 409 * We can't afford locking the privileges here because of the locations 410 * we call this from; so we make sure that the privileges table 411 * is visible to us; it is made visible before the value of nprivs is 412 * updated. 413 */ 414 const char * 415 priv_getbynum(int priv) 416 { 417 int maxpriv = nprivs; 418 419 membar_consumer(); 420 421 if (priv >= 0 && priv < maxpriv) 422 return (priv_names[priv]); 423 424 return (NULL); 425 } 426 427 const char * 428 priv_getsetbynum(int setno) 429 { 430 if (!PRIV_VALIDSET(setno)) 431 return (NULL); 432 433 return (priv_setnames[setno]); 434 } 435 436 /* 437 * Privilege sanity checking when setting: E <= P. 438 */ 439 static boolean_t 440 priv_valid(const cred_t *cr) 441 { 442 return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr))); 443 } 444 445 /* 446 * Privilege manipulation functions 447 * 448 * Without knowing the details of the privilege set implementation, 449 * opaque pointers can be used to manipulate sets at will. 450 */ 451 void 452 priv_emptyset(priv_set_t *set) 453 { 454 bzero(set, sizeof (*set)); 455 } 456 457 void 458 priv_fillset(priv_set_t *set) 459 { 460 int i; 461 462 /* memset? */ 463 for (i = 0; i < PRIV_SETSIZE; i++) 464 set->pbits[i] = ~(priv_chunk_t)0; 465 } 466 467 void 468 priv_addset(priv_set_t *set, int priv) 469 { 470 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 471 __PRIV_ASSERT(set, priv); 472 } 473 474 void 475 priv_delset(priv_set_t *set, int priv) 476 { 477 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 478 __PRIV_CLEAR(set, priv); 479 } 480 481 boolean_t 482 priv_ismember(const priv_set_t *set, int priv) 483 { 484 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 485 return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE); 486 } 487 488 #define PRIV_TEST_BODY(test) \ 489 int i; \ 490 \ 491 for (i = 0; i < PRIV_SETSIZE; i++) \ 492 if (!(test)) \ 493 return (B_FALSE); \ 494 \ 495 return (B_TRUE) 496 497 boolean_t 498 priv_isequalset(const priv_set_t *a, const priv_set_t *b) 499 { 500 return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0)); 501 } 502 503 boolean_t 504 priv_isemptyset(const priv_set_t *set) 505 { 506 PRIV_TEST_BODY(set->pbits[i] == 0); 507 } 508 509 boolean_t 510 priv_isfullset(const priv_set_t *set) 511 { 512 PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0); 513 } 514 515 /* 516 * Return true if a is a subset of b 517 */ 518 boolean_t 519 priv_issubset(const priv_set_t *a, const priv_set_t *b) 520 { 521 PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]); 522 } 523 524 #define PRIV_CHANGE_BODY(a, op, b) \ 525 int i; \ 526 \ 527 for (i = 0; i < PRIV_SETSIZE; i++) \ 528 a->pbits[i] op b->pbits[i] 529 530 /* B = A ^ B */ 531 void 532 priv_intersect(const priv_set_t *a, priv_set_t *b) 533 { 534 /* CSTYLED */ 535 PRIV_CHANGE_BODY(b, &=, a); 536 } 537 538 /* B = A v B */ 539 void 540 priv_union(const priv_set_t *a, priv_set_t *b) 541 { 542 /* CSTYLED */ 543 PRIV_CHANGE_BODY(b, |=, a); 544 } 545 546 /* A = ! A */ 547 void 548 priv_inverse(priv_set_t *a) 549 { 550 PRIV_CHANGE_BODY(a, = ~, a); 551 } 552 553 /* 554 * Can the source cred act on the target credential? 555 * 556 * We will you allow to gain uids this way but not privileges. 557 */ 558 int 559 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode) 560 { 561 const priv_set_t *eset; 562 int idsmatch; 563 cred_t *tcr; 564 int res = 0; 565 566 /* prevent the cred from going away */ 567 mutex_enter(&tp->p_crlock); 568 crhold(tcr = tp->p_cred); 569 mutex_exit(&tp->p_crlock); 570 571 if (scr == tcr) 572 goto out; 573 574 idsmatch = (scr->cr_uid == tcr->cr_uid && 575 scr->cr_uid == tcr->cr_ruid && 576 scr->cr_uid == tcr->cr_suid && 577 scr->cr_gid == tcr->cr_gid && 578 scr->cr_gid == tcr->cr_rgid && 579 scr->cr_gid == tcr->cr_sgid && 580 !(tp->p_flag & SNOCD)); 581 582 /* 583 * Source credential must have the proc_zone privilege if referencing 584 * a process in another zone. 585 */ 586 if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) { 587 res = EACCES; 588 goto out; 589 } 590 591 if (!(mode & VWRITE)) { 592 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0) 593 res = EACCES; 594 goto out; 595 } 596 597 /* 598 * For writing, the effective set of scr must dominate all sets of tcr, 599 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es 600 * The Limit set of scr must be a superset of the limitset of 601 * tcr. 602 */ 603 eset = &CR_OEPRIV(scr); 604 605 if (!priv_issubset(&CR_IPRIV(tcr), eset) || 606 !priv_issubset(&CR_OPPRIV(tcr), eset) || 607 !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) || 608 !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0) 609 res = EACCES; 610 611 out: 612 if (res == 0 && pcr != NULL) 613 *pcr = tcr; 614 else 615 crfree(tcr); 616 return (res); 617 } 618 619 /* 620 * Set the privilege aware bit, adding L to E/P if 621 * necessasry. 622 */ 623 void 624 priv_set_PA(cred_t *cr) 625 { 626 ASSERT(cr->cr_ref <= 2); 627 628 if (CR_FLAGS(cr) & PRIV_AWARE) 629 return; 630 631 CR_FLAGS(cr) |= PRIV_AWARE; 632 633 if (cr->cr_uid == 0) 634 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr)); 635 636 if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0) 637 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr)); 638 } 639 640 boolean_t 641 priv_can_clear_PA(const cred_t *cr) 642 { 643 /* 644 * We can clear PA in the following cases: 645 * 646 * None of the uids are 0. 647 * Any uid == 0 and P == L and (Euid != 0 or E == L) 648 */ 649 return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) || 650 priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) && 651 (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr)))); 652 } 653 654 /* 655 * Clear privilege aware bit if it is an idempotent operation and by 656 * clearing it the process cannot get to uid 0 and all privileges. 657 * 658 * This function should be called with caution as it may cause "E" to be 659 * lost once a processes assumes euid 0 again. 660 */ 661 void 662 priv_adjust_PA(cred_t *cr) 663 { 664 ASSERT(cr->cr_ref <= 2); 665 666 if (!(CR_FLAGS(cr) & PRIV_AWARE) || 667 !priv_can_clear_PA(cr)) 668 return; 669 670 if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT) 671 return; 672 673 /* 674 * We now need to adjust P/E in those cases when uids 675 * are zero; the rules are P' = I & L, E' = I & L; 676 * but since P = L and E = L, we can use P &= I, E &= I, 677 * depending on which uids are 0. 678 */ 679 if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) { 680 if (cr->cr_uid == 0) 681 priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr)); 682 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr)); 683 } 684 685 CR_FLAGS(cr) &= ~PRIV_AWARE; 686 } 687