1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/types.h> 28 #include <sys/sysmacros.h> 29 #include <sys/systm.h> 30 #include <sys/cred_impl.h> 31 #include <sys/errno.h> 32 #include <sys/klpd.h> 33 #include <sys/proc.h> 34 #include <sys/priv_impl.h> 35 #include <sys/policy.h> 36 #include <sys/ddi.h> 37 #include <sys/thread.h> 38 #include <c2/audit.h> 39 40 /* 41 * System call support for manipulating privileges. 42 * 43 * 44 * setppriv(2) - set process privilege set 45 * getppriv(2) - get process privilege set 46 * getprivimplinfo(2) - get process privilege implementation information 47 * setpflags(2) - set process (privilege) flags 48 * getpflags(2) - get process (privilege) flags 49 */ 50 51 /* 52 * setppriv (priv_op_t, priv_ptype_t, priv_set_t) 53 */ 54 static int 55 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset) 56 { 57 priv_set_t pset, *target; 58 cred_t *cr, *pcr; 59 proc_t *p; 60 boolean_t donocd = B_FALSE; 61 62 if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op)) 63 return (set_errno(EINVAL)); 64 65 if (copyin(in_pset, &pset, sizeof (priv_set_t))) 66 return (set_errno(EFAULT)); 67 68 p = ttoproc(curthread); 69 cr = cralloc(); 70 mutex_enter(&p->p_crlock); 71 72 retry: 73 pcr = p->p_cred; 74 75 if (audit_active) 76 audit_setppriv(op, type, &pset, pcr); 77 78 /* 79 * Filter out unallowed request (bad op and bad type) 80 */ 81 switch (op) { 82 case PRIV_ON: 83 case PRIV_SET: 84 /* 85 * Turning on privileges; the limit set cannot grow, 86 * other sets can but only as long as they remain subsets 87 * of P. Only immediately after exec holds that P <= L. 88 */ 89 if (type == PRIV_LIMIT && 90 !priv_issubset(&pset, &CR_LPRIV(pcr))) { 91 mutex_exit(&p->p_crlock); 92 crfree(cr); 93 return (set_errno(EPERM)); 94 } 95 if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) && 96 !priv_issubset(&pset, priv_getset(pcr, type))) { 97 mutex_exit(&p->p_crlock); 98 /* Policy override should not grow beyond L either */ 99 if (type != PRIV_INHERITABLE || 100 !priv_issubset(&pset, &CR_LPRIV(pcr)) || 101 secpolicy_require_privs(CRED(), &pset) != 0) { 102 crfree(cr); 103 return (set_errno(EPERM)); 104 } 105 mutex_enter(&p->p_crlock); 106 if (pcr != p->p_cred) 107 goto retry; 108 donocd = B_TRUE; 109 } 110 break; 111 112 case PRIV_OFF: 113 /* PRIV_OFF is always allowed */ 114 break; 115 } 116 117 /* 118 * OK! everything is cool. 119 * Do cred COW. 120 */ 121 crcopy_to(pcr, cr); 122 123 /* 124 * If we change the effective, permitted or limit set, we attain 125 * "privilege awareness". 126 */ 127 if (type != PRIV_INHERITABLE) 128 priv_set_PA(cr); 129 130 target = &(CR_PRIVS(cr)->crprivs[type]); 131 132 switch (op) { 133 case PRIV_ON: 134 priv_union(&pset, target); 135 break; 136 case PRIV_OFF: 137 priv_inverse(&pset); 138 priv_intersect(target, &pset); 139 140 /* 141 * Fall-thru to set target and change other process 142 * privilege sets. 143 */ 144 /*FALLTHRU*/ 145 146 case PRIV_SET: 147 *target = pset; 148 149 /* 150 * Take privileges no longer permitted out 151 * of other effective sets as well. 152 * Limit set is enforced at exec() time. 153 */ 154 if (type == PRIV_PERMITTED) 155 priv_intersect(&pset, &CR_EPRIV(cr)); 156 break; 157 } 158 159 /* 160 * When we give up privileges not in the inheritable set, 161 * set SNOCD if not already set; first we compute the 162 * privileges removed from P using Diff = (~P') & P 163 * and then we check whether the removed privileges are 164 * a subset of I. If we retain uid 0, all privileges 165 * are required anyway so don't set SNOCD. 166 */ 167 if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 && 168 cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) { 169 priv_set_t diff = CR_OPPRIV(cr); 170 priv_inverse(&diff); 171 priv_intersect(&CR_OPPRIV(pcr), &diff); 172 donocd = !priv_issubset(&diff, &CR_IPRIV(cr)); 173 } 174 175 p->p_cred = cr; 176 mutex_exit(&p->p_crlock); 177 178 if (donocd) { 179 mutex_enter(&p->p_lock); 180 p->p_flag |= SNOCD; 181 mutex_exit(&p->p_lock); 182 } 183 184 crset(p, cr); /* broadcast to process threads */ 185 186 return (0); 187 } 188 189 /* 190 * getppriv (priv_ptype_t, priv_set_t *) 191 */ 192 static int 193 getppriv(priv_ptype_t type, priv_set_t *pset) 194 { 195 if (!PRIV_VALIDSET(type)) 196 return (set_errno(EINVAL)); 197 198 if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0) 199 return (set_errno(EFAULT)); 200 201 return (0); 202 } 203 204 static int 205 getprivimplinfo(void *buf, size_t bufsize) 206 { 207 int err; 208 209 err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize)); 210 211 priv_release_implinfo(); 212 213 if (err) 214 return (set_errno(EFAULT)); 215 216 return (0); 217 } 218 219 /* 220 * Set process flags in the given target cred. If NULL is specified, then 221 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly 222 * crdup'ed, or equivalent). Some flags are set in the proc rather than cred; 223 * for these, curproc is always used. 224 * 225 * For now we cheat: the flags are actually bit masks so we can simplify 226 * some; we do make sure that the arguments are valid, though. 227 */ 228 229 int 230 setpflags(uint_t flag, uint_t val, cred_t *tcr) 231 { 232 cred_t *cr, *pcr; 233 proc_t *p = curproc; 234 uint_t newflags; 235 boolean_t use_curcred = (tcr == NULL); 236 237 if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE && 238 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT && 239 flag != __PROC_PROTECT && flag != PRIV_XPOLICY && 240 flag != PRIV_AWARE_RESET)) { 241 return (EINVAL); 242 } 243 244 if (flag == __PROC_PROTECT) { 245 mutex_enter(&p->p_lock); 246 if (val == 0) 247 p->p_flag &= ~SNOCD; 248 else 249 p->p_flag |= SNOCD; 250 mutex_exit(&p->p_lock); 251 return (0); 252 } 253 254 if (use_curcred) { 255 cr = cralloc(); 256 mutex_enter(&p->p_crlock); 257 pcr = p->p_cred; 258 } else { 259 cr = pcr = tcr; 260 } 261 262 newflags = CR_FLAGS(pcr); 263 264 if (val != 0) { 265 if (flag == PRIV_AWARE) 266 newflags &= ~PRIV_AWARE_RESET; 267 newflags |= flag; 268 } else { 269 newflags &= ~flag; 270 } 271 272 /* No change */ 273 if (CR_FLAGS(pcr) == newflags) { 274 if (use_curcred) { 275 mutex_exit(&p->p_crlock); 276 crfree(cr); 277 } 278 return (0); 279 } 280 281 /* 282 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT 283 * flags is a restricted operation. 284 * 285 * When invoked via the PRIVSYS_SETPFLAGS syscall 286 * we require that the current cred has the net_mac_aware 287 * privilege in its effective set. 288 * 289 * When called from within the kernel by label-aware 290 * services such as NFS, we don't require a privilege check. 291 * 292 */ 293 if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) && 294 (val == 1) && use_curcred) { 295 if (secpolicy_net_mac_aware(pcr) != 0) { 296 mutex_exit(&p->p_crlock); 297 crfree(cr); 298 return (EPERM); 299 } 300 } 301 302 /* Trying to unset PA; if we can't, return an error */ 303 if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) { 304 if (use_curcred) { 305 mutex_exit(&p->p_crlock); 306 crfree(cr); 307 } 308 return (EPERM); 309 } 310 311 /* Committed to changing the flag */ 312 if (use_curcred) 313 crcopy_to(pcr, cr); 314 if (flag == PRIV_AWARE) { 315 if (val != 0) 316 priv_set_PA(cr); 317 else 318 priv_adjust_PA(cr); 319 } else { 320 CR_FLAGS(cr) = newflags; 321 } 322 323 /* 324 * Unsetting the flag has as side effect getting rid of 325 * the per-credential policy. 326 */ 327 if (flag == PRIV_XPOLICY && val == 0) 328 crsetcrklpd(cr, NULL); 329 330 if (use_curcred) { 331 p->p_cred = cr; 332 mutex_exit(&p->p_crlock); 333 crset(p, cr); 334 } 335 336 return (0); 337 } 338 339 /* 340 * Getpflags. Currently only implements single bit flags. 341 */ 342 uint_t 343 getpflags(uint_t flag, const cred_t *cr) 344 { 345 if (flag != PRIV_DEBUG && flag != PRIV_AWARE && 346 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT && 347 flag != PRIV_XPOLICY && flag != PRIV_AWARE_RESET) 348 return ((uint_t)-1); 349 350 return ((CR_FLAGS(cr) & flag) != 0); 351 } 352 353 /* 354 * Privilege system call entry point 355 */ 356 int 357 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize, 358 int itype) 359 { 360 int retv; 361 extern int issetugid(void); 362 363 switch (code) { 364 case PRIVSYS_SETPPRIV: 365 if (bufsize < sizeof (priv_set_t)) 366 return (set_errno(ENOMEM)); 367 return (setppriv(op, type, buf)); 368 case PRIVSYS_GETPPRIV: 369 if (bufsize < sizeof (priv_set_t)) 370 return (set_errno(ENOMEM)); 371 return (getppriv(type, buf)); 372 case PRIVSYS_GETIMPLINFO: 373 return (getprivimplinfo(buf, bufsize)); 374 case PRIVSYS_SETPFLAGS: 375 retv = setpflags((uint_t)op, (uint_t)type, NULL); 376 return (retv != 0 ? set_errno(retv) : 0); 377 case PRIVSYS_GETPFLAGS: 378 retv = (int)getpflags((uint_t)op, CRED()); 379 return (retv == -1 ? set_errno(EINVAL) : retv); 380 case PRIVSYS_ISSETUGID: 381 return (issetugid()); 382 case PRIVSYS_KLPD_REG: 383 if (bufsize < sizeof (priv_set_t)) 384 return (set_errno(ENOMEM)); 385 return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type, 386 buf)); 387 case PRIVSYS_KLPD_UNREG: 388 return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type)); 389 } 390 return (set_errno(EINVAL)); 391 } 392 393 #ifdef _SYSCALL32_IMPL 394 int 395 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf, 396 size32_t bufsize, int itype) 397 { 398 return (privsys(code, op, type, (void *)(uintptr_t)buf, 399 (size_t)bufsize, itype)); 400 } 401 #endif 402