1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/errno.h> 34 #include <sys/proc.h> 35 #include <sys/priv_impl.h> 36 #include <sys/policy.h> 37 #include <sys/ddi.h> 38 #include <sys/thread.h> 39 #include <c2/audit.h> 40 41 /* 42 * System call support for manipulating privileges. 43 * 44 * 45 * setppriv(2) - set process privilege set 46 * getppriv(2) - get process privilege set 47 * getprivimplinfo(2) - get process privilege implementation information 48 * setpflags(2) - set process (privilege) flags 49 * getpflags(2) - get process (privilege) flags 50 */ 51 52 /* 53 * setppriv (priv_op_t, priv_ptype_t, priv_set_t) 54 */ 55 static int 56 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset) 57 { 58 priv_set_t pset, *target; 59 cred_t *cr, *pcr; 60 proc_t *p; 61 boolean_t donocd; 62 63 if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op)) 64 return (set_errno(EINVAL)); 65 66 if (copyin(in_pset, &pset, sizeof (priv_set_t))) 67 return (set_errno(EFAULT)); 68 69 p = ttoproc(curthread); 70 cr = cralloc(); 71 mutex_enter(&p->p_crlock); 72 73 pcr = p->p_cred; 74 75 #ifdef C2_AUDIT 76 if (audit_active) 77 audit_setppriv(op, type, &pset, pcr); 78 #endif 79 80 /* 81 * Filter out unallowed request (bad op and bad type) 82 */ 83 switch (op) { 84 case PRIV_ON: 85 case PRIV_SET: 86 /* 87 * Turning on privileges; the limit set cannot grow, 88 * other sets can but only as long as they remain subsets 89 * of P. Only immediately after exec holds that P <= L. 90 */ 91 if (((type == PRIV_LIMIT && 92 !priv_issubset(&pset, &CR_LPRIV(pcr))) || 93 !priv_issubset(&pset, &CR_OPPRIV(pcr))) && 94 !priv_issubset(&pset, priv_getset(pcr, type))) { 95 mutex_exit(&p->p_crlock); 96 crfree(cr); 97 return (set_errno(EPERM)); 98 } 99 break; 100 101 case PRIV_OFF: 102 /* PRIV_OFF is always allowed */ 103 break; 104 } 105 106 /* 107 * OK! everything is cool. 108 * Do cred COW. 109 */ 110 crcopy_to(pcr, cr); 111 112 /* 113 * If we change the effective, permitted or limit set, we attain 114 * "privilege awareness". 115 */ 116 if (type != PRIV_INHERITABLE) 117 priv_set_PA(cr); 118 119 target = &(CR_PRIVS(cr)->crprivs[type]); 120 121 switch (op) { 122 case PRIV_ON: 123 priv_union(&pset, target); 124 break; 125 case PRIV_OFF: 126 priv_inverse(&pset); 127 priv_intersect(target, &pset); 128 129 /* 130 * Fall-thru to set target and change other process 131 * privilege sets. 132 */ 133 /*FALLTHRU*/ 134 135 case PRIV_SET: 136 *target = pset; 137 138 /* 139 * Take privileges no longer permitted out 140 * of other effective sets as well. 141 * Limit set is enforced at exec() time. 142 */ 143 if (type == PRIV_PERMITTED) 144 priv_intersect(&pset, &CR_EPRIV(cr)); 145 break; 146 } 147 148 /* 149 * When we give up privileges not in the inheritable set, 150 * set SNOCD if not already set; first we compute the 151 * privileges removed from P using Diff = (~P') & P 152 * and then we check whether the removed privileges are 153 * a subset of I. If we retain uid 0, all privileges 154 * are required anyway so don't set SNOCD. 155 */ 156 if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 && 157 cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) { 158 priv_set_t diff = CR_OPPRIV(cr); 159 priv_inverse(&diff); 160 priv_intersect(&CR_OPPRIV(pcr), &diff); 161 donocd = !priv_issubset(&diff, &CR_IPRIV(cr)); 162 } else { 163 donocd = B_FALSE; 164 } 165 166 p->p_cred = cr; 167 mutex_exit(&p->p_crlock); 168 169 if (donocd) { 170 mutex_enter(&p->p_lock); 171 p->p_flag |= SNOCD; 172 mutex_exit(&p->p_lock); 173 } 174 175 crset(p, cr); /* broadcast to process threads */ 176 177 return (0); 178 } 179 180 /* 181 * getppriv (priv_ptype_t, priv_set_t *) 182 */ 183 static int 184 getppriv(priv_ptype_t type, priv_set_t *pset) 185 { 186 if (!PRIV_VALIDSET(type)) 187 return (set_errno(EINVAL)); 188 189 if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0) 190 return (set_errno(EFAULT)); 191 192 return (0); 193 } 194 195 static int 196 getprivimplinfo(void *buf, size_t bufsize) 197 { 198 int err; 199 200 err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize)); 201 202 priv_release_implinfo(); 203 204 if (err) 205 return (set_errno(EFAULT)); 206 207 return (0); 208 } 209 210 /* 211 * Set process flags in the given target cred. If NULL is specified, then 212 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly 213 * crdup'ed, or equivalent). Some flags are set in the proc rather than cred; 214 * for these, curproc is always used. 215 * 216 * For now we cheat: the flags are actually bit masks so we can simplify 217 * some; we do make sure that the arguments are valid, though. 218 */ 219 220 int 221 setpflags(uint_t flag, uint_t val, cred_t *tcr) 222 { 223 cred_t *cr, *pcr; 224 proc_t *p = curproc; 225 uint_t newflags; 226 boolean_t use_curcred = (tcr == NULL); 227 228 if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE && 229 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT && 230 flag != __PROC_PROTECT)) { 231 return (EINVAL); 232 } 233 234 if (flag == __PROC_PROTECT) { 235 mutex_enter(&p->p_lock); 236 if (val == 0) 237 p->p_flag &= ~SNOCD; 238 else 239 p->p_flag |= SNOCD; 240 mutex_exit(&p->p_lock); 241 return (0); 242 } 243 244 if (use_curcred) { 245 cr = cralloc(); 246 mutex_enter(&p->p_crlock); 247 pcr = p->p_cred; 248 } else { 249 cr = pcr = tcr; 250 } 251 252 newflags = CR_FLAGS(pcr); 253 254 if (val != 0) 255 newflags |= flag; 256 else 257 newflags &= ~flag; 258 259 /* No change */ 260 if (CR_FLAGS(pcr) == newflags) { 261 if (use_curcred) { 262 mutex_exit(&p->p_crlock); 263 crfree(cr); 264 } 265 return (0); 266 } 267 268 /* 269 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT 270 * flags is a restricted operation. 271 * 272 * When invoked via the PRIVSYS_SETPFLAGS syscall 273 * we require that the current cred has the net_mac_aware 274 * privilege in its effective set. 275 * 276 * When called from within the kernel by label-aware 277 * services such as NFS, we don't require a privilege check. 278 * 279 */ 280 if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) && 281 (val == 1) && use_curcred) { 282 if (secpolicy_net_mac_aware(pcr) != 0) { 283 mutex_exit(&p->p_crlock); 284 crfree(cr); 285 return (EPERM); 286 } 287 } 288 289 /* Trying to unset PA; if we can't, return an error */ 290 if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) { 291 if (use_curcred) { 292 mutex_exit(&p->p_crlock); 293 crfree(cr); 294 } 295 return (EPERM); 296 } 297 298 /* Committed to changing the flag */ 299 if (use_curcred) 300 crcopy_to(pcr, cr); 301 if (flag == PRIV_AWARE) { 302 if (val != 0) 303 priv_set_PA(cr); 304 else 305 priv_adjust_PA(cr); 306 } else { 307 CR_FLAGS(cr) = newflags; 308 } 309 310 if (use_curcred) { 311 p->p_cred = cr; 312 mutex_exit(&p->p_crlock); 313 crset(p, cr); 314 } 315 316 return (0); 317 } 318 319 /* 320 * Getpflags. Currently only implements single bit flags. 321 */ 322 uint_t 323 getpflags(uint_t flag, const cred_t *cr) 324 { 325 if (flag != PRIV_DEBUG && flag != PRIV_AWARE && 326 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT) 327 return ((uint_t)-1); 328 329 return ((CR_FLAGS(cr) & flag) != 0); 330 } 331 332 /* 333 * Privilege system call entry point 334 */ 335 int 336 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize) 337 { 338 int retv; 339 extern int issetugid(void); 340 341 switch (code) { 342 case PRIVSYS_SETPPRIV: 343 if (bufsize < sizeof (priv_set_t)) 344 return (set_errno(ENOMEM)); 345 return (setppriv(op, type, buf)); 346 case PRIVSYS_GETPPRIV: 347 if (bufsize < sizeof (priv_set_t)) 348 return (set_errno(ENOMEM)); 349 return (getppriv(type, buf)); 350 case PRIVSYS_GETIMPLINFO: 351 return (getprivimplinfo(buf, bufsize)); 352 case PRIVSYS_SETPFLAGS: 353 retv = setpflags((uint_t)op, (uint_t)type, NULL); 354 return (retv != 0 ? set_errno(retv) : 0); 355 case PRIVSYS_GETPFLAGS: 356 retv = (int)getpflags((uint_t)op, CRED()); 357 return (retv == -1 ? set_errno(EINVAL) : retv); 358 case PRIVSYS_ISSETUGID: 359 return (issetugid()); 360 } 361 return (set_errno(EINVAL)); 362 } 363 364 #ifdef _SYSCALL32_IMPL 365 int 366 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t *buf, 367 size32_t bufsize) 368 { 369 return (privsys(code, op, type, (void *)buf, (size_t)bufsize)); 370 } 371 #endif 372