/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */
/*
 * Copyright (c) 2013 by Delphix. All rights reserved.
 */
/*
 * Program to examine or set process privileges.
 */
307c478bd9Sstevel@tonic-gate
#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <libproc.h>
#include <priv.h>
#include <errno.h>
#include <ctype.h>

#include <locale.h>
#include <langinfo.h>
467c478bd9Sstevel@tonic-gate
/* File-local helpers; all of them are defined further down in this file. */
static int look(char *);
static void fatal(const char *);
static void perr(char *);
static void usage(void);
static void badspec(const char *);
static int strindex(char, const char *);
static void loadprivinfo(void);
static int parsespec(const char *);
static void privupdate(prpriv_t *, const char *);
static void privupdate_self(void);
static int dopriv(const char *);
static int dumppriv(char **);
static void flags2str(uint_t);

/* Name of this program (argv[0] without directories) for diagnostics. */
static char *command;
/* Target currently being examined; consulted by perr(). */
static char *procname;

/* Option state, filled in by the getopt loop in main(). */
static boolean_t verb = B_FALSE;	/* -v: verbose output, literal names */
static boolean_t set = B_FALSE;		/* some option modifies privileges */
static boolean_t exec = B_FALSE;	/* -e: update ourselves, then exec cmd */
static boolean_t Don = B_FALSE;		/* -D: set PRIV_DEBUG */
static boolean_t Doff = B_FALSE;	/* -N: clear PRIV_DEBUG */
static boolean_t list = B_FALSE;	/* -l: list privileges */
static boolean_t mac_aware = B_FALSE;	/* -M: NET_MAC_AWARE (with -e only) */
static boolean_t pfexec = B_FALSE;	/* -P: PRIV_PFEXEC */
static boolean_t xpol = B_FALSE;	/* -x: PRIV_XPOLICY */
/* Format handed to priv_set_to_str(); -S and -v override the default. */
static int mode = PRIV_STR_PORT;
697c478bd9Sstevel@tonic-gate
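/*
 * Entry point: parse the options and dispatch.
 *
 *   -e	update this process's own privileges (privupdate_self()) and
 *	exec the command that follows
 *   -l	list privileges (dumppriv())
 *   otherwise examine, or with -s/-D/-N/-P/-x update, every pid or
 *	core named on the command line (look())
 *
 * Returns the number of targets look() failed on, the result of
 * dumppriv() in list mode, or execvp()'s -1 when the exec fails.
 * Invalid option combinations exit via usage().
 */
int
main(int argc, char **argv)
{
	int rc = 0;
	int opt;
	struct rlimit rlim;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	/* Use the basename of argv[0] in diagnostics. */
	if ((command = strrchr(argv[0], '/')) != NULL)
		command++;
	else
		command = argv[0];

	while ((opt = getopt(argc, argv, "lDMNPevs:xS")) != EOF) {
		switch (opt) {
		case 'l':
			list = B_TRUE;
			break;
		case 'D':
			set = B_TRUE;
			Don = B_TRUE;
			break;
		case 'M':
			mac_aware = B_TRUE;
			break;
		case 'N':
			set = B_TRUE;
			Doff = B_TRUE;
			break;
		case 'P':
			set = B_TRUE;
			pfexec = B_TRUE;
			break;
		case 'e':
			exec = B_TRUE;
			break;
		case 'S':
			mode = PRIV_STR_SHORT;
			break;
		case 'v':
			verb = B_TRUE;
			mode = PRIV_STR_LIT;
			break;
		case 's':
			set = B_TRUE;
			/* parsespec() returns 0 or exits on a bad spec. */
			if ((rc = parsespec(optarg)) != 0)
				return (rc);
			break;
		case 'x':
			set = B_TRUE;
			xpol = B_TRUE;
			break;
		default:
			usage();
			/*NOTREACHED*/
		}
	}

	argc -= optind;
	argv += optind;

	/*
	 * A target is required unless listing; -D and -N conflict; -l
	 * cannot be combined with setting or -e; -M only makes sense
	 * together with -e.
	 */
	if ((argc < 1 && !list) || (Doff && Don) || (list && (set || exec)) ||
	    (mac_aware && !exec))
		usage();

	/*
	 * Make sure we'll have enough file descriptors to handle a target
	 * that has many many mappings.
	 */
	if (getrlimit(RLIMIT_NOFILE, &rlim) == 0) {
		rlim.rlim_cur = rlim.rlim_max;
		(void) setrlimit(RLIMIT_NOFILE, &rlim);
		(void) enable_extended_FILE_stdio(-1, -1);
	}

	if (exec) {
		privupdate_self();
		/* execvp() only returns when it failed. */
		rc = execvp(argv[0], &argv[0]);
		(void) fprintf(stderr, "%s: %s: %s\n", command, argv[0],
		    strerror(errno));
	} else if (list) {
		rc = dumppriv(argv);
	} else {
		while (argc-- > 0)
			rc += look(*argv++);
	}

	return (rc);
}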
1617c478bd9Sstevel@tonic-gate
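/*
 * Examine (or, when "set" is true, update) the privileges of one target.
 * arg names a pid or a core file and is resolved by proc_arg_grab().
 * Returns 0 on success and 1 on any failure, which is reported on
 * stderr.  The prpriv_t handed back by Ppriv() is owned and freed here.
 *
 * For a core file the whole prpriv_t is untrusted input, so every size
 * field is validated before the memory it describes is touched.
 */
static int
look(char *arg)
{
	struct ps_prochandle *Pr;
	int gcode;
	size_t sz;
	void *pdata;
	char *x, *end;
	int i;
	boolean_t nodata;
	prpriv_t *ppriv;

	procname = arg;	/* for perr() */

	if ((Pr = proc_arg_grab(arg, set ? PR_ARG_PIDS : PR_ARG_ANY,
	    PGRAB_RETAIN | PGRAB_FORCE | (set ? 0 : PGRAB_RDONLY) |
	    PGRAB_NOSTOP, &gcode)) == NULL) {
		(void) fprintf(stderr, "%s: cannot examine %s: %s\n",
		    command, arg, Pgrab_error(gcode));
		return (1);
	}

	if (Ppriv(Pr, &ppriv) == -1) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}
	sz = PRIV_PRPRIV_SIZE(ppriv);

	/*
	 * The ppriv fields are unsigned and may overflow, so check them
	 * separately.  Size must be word aligned, so check that too.
	 * Make sure size is "smallish" too.
	 */
	if ((sz & 3) || ppriv->pr_nsets == 0 ||
	    sz / ppriv->pr_nsets < ppriv->pr_setsize ||
	    ppriv->pr_infosize > sz || sz > 1024 * 1024) {
		(void) fprintf(stderr,
		    "%s: %s: bad PRNOTES section, size = %lx\n",
		    command, arg, (long)sz);
		Prelease(Pr, 0);
		free(ppriv);
		return (1);
	}

	if (set) {
		int ret = 0;

		privupdate(ppriv, arg);
		if (Psetpriv(Pr, ppriv) != 0) {
			perr(command);
			ret = 1;
		}
		Prelease(Pr, 0);
		free(ppriv);
		return (ret);
	}

	if (Pstate(Pr) == PS_DEAD) {
		(void) printf("core '%s' of %d:\t%.70s\n",
		    arg, (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		/* A core may carry its own privilege naming information. */
		pdata = Pprivinfo(Pr);
		nodata = (pdata == NULL);
	} else {
		(void) printf("%d:\t%.70s\n",
		    (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		pdata = NULL;
		nodata = B_FALSE;
	}

	/*
	 * The variable-length priv_info records occupy the last
	 * pr_infosize bytes of the buffer.  A record header, and the
	 * size it announces, are checked against the bytes that really
	 * remain before either is dereferenced; a short or corrupt
	 * record list ends the walk rather than reading past the buffer.
	 */
	end = (char *)ppriv + sz;
	x = end - ppriv->pr_infosize;
	while (x < end) {
		size_t left = (size_t)(end - x);
		priv_info_t *pi;
		priv_info_uint_t *pii;

		if (left < sizeof (priv_info_t)) {
			(void) fprintf(stderr,
			    "%s: truncated priv_info, %lu bytes left\n",
			    arg, (unsigned long)left);
			break;
		}
		/* LINTED: alignment */
		pi = (priv_info_t *)x;
		if (pi->priv_info_size > left ||
		    pi->priv_info_size <= sizeof (priv_info_t) ||
		    (pi->priv_info_size & 3) != 0 ||
		    (pi->priv_info_type == PRIV_INFO_FLAGS &&
		    pi->priv_info_size < sizeof (priv_info_uint_t))) {
			(void) fprintf(stderr, "%s: bad priv_info_size: %u\n",
			    arg, pi->priv_info_size);
			break;
		}

		switch (pi->priv_info_type) {
		case PRIV_INFO_FLAGS:
			/* LINTED: alignment */
			pii = (priv_info_uint_t *)x;
			(void) printf("flags =");
			flags2str(pii->val);
			(void) putchar('\n');
			break;
		default:
			(void) fprintf(stderr, "%s: unknown priv_info: %d\n",
			    arg, pi->priv_info_type);
			break;
		}
		x += pi->priv_info_size;
	}

	for (i = 0; i < ppriv->pr_nsets; i++) {
		extern const char *__priv_getsetbynum(const void *, int);
		const char *setnm = pdata ? __priv_getsetbynum(pdata, i) :
		    priv_getsetbynum(i);
		priv_chunk_t *pc =
		    (priv_chunk_t *)&ppriv->pr_sets[ppriv->pr_setsize * i];

		(void) printf("\t%c: ", setnm && !nodata ? *setnm : '?');
		if (!nodata) {
			extern char *__priv_set_to_str(void *,
			    const priv_set_t *, char, int);
			priv_set_t *pset = (priv_set_t *)pc;
			char *s;

			/* Use the core's own naming data when it has any. */
			if (pdata)
				s = __priv_set_to_str(pdata, pset, ',', mode);
			else
				s = priv_set_to_str(pset, ',', mode);
			if (s != NULL) {
				(void) puts(s);
				free(s);
			} else {
				/* Conversion failed; keep the output aligned. */
				(void) putchar('\n');
			}
		} else {
			int j;

			/* No naming information: dump the raw set words. */
			for (j = 0; j < ppriv->pr_setsize; j++)
				(void) printf("%08x", pc[j]);
			(void) putchar('\n');
		}
	}
	Prelease(Pr, 0);
	free(ppriv);
	return (0);
}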
2947c478bd9Sstevel@tonic-gate
/*
 * Report the failing call named by s together with the current errno
 * text, then exit with status 3.  Never returns.
 */
static void
fatal(const char *s)
{
	const char *reason = strerror(errno);

	(void) fprintf(stderr, "%s: %s: %s\n", command, s, reason);
	exit(3);
	/*NOTREACHED*/
}
3017c478bd9Sstevel@tonic-gate
/*
 * perror()-style report for the target currently being examined.
 * With a non-NULL s the message reads "procname: s: <strerror>";
 * with s == NULL procname itself becomes the perror() prefix.
 * errno is saved around the first fprintf() so perror() sees the
 * value of the call that actually failed.
 */
static void
perr(char *s)
{
	int saved_errno = errno;
	const char *prefix = procname;

	if (s != NULL) {
		(void) fprintf(stderr, "%s: ", procname);
		prefix = s;
	}

	errno = saved_errno;
	perror(prefix);
}
3157c478bd9Sstevel@tonic-gate
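/*
 * Print the synopsis on stderr and exit with status 2.  Never returns.
 * The option letters listed here mirror the getopt() string in main():
 * -P (PRIV_PFEXEC) and -x (PRIV_XPOLICY) are accepted both when
 * examining a pid/core and with -e, so both forms show them.
 */
static void
usage(void)
{
	(void) fprintf(stderr,
	    "usage:\t%s [-v] [-S] [-D|-N] [-P] [-x] [-s spec] "
	    "{ pid | core } ...\n"
	    "\t%s -e [-D|-N] [-M] [-P] [-x] [-s spec] cmd [args ...]\n"
	    "\t%s -l [-v] [privilege ...]\n"
	    " (report, set or list process privileges)\n", command,
	    command, command);
	exit(2);
	/*NOTREACHED*/
}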
3287c478bd9Sstevel@tonic-gate
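/*
 * Parse the privilege bits to add and/or remove from
 * a privilege set.
 *
 * [EPIL][+-=]priv,priv,priv
 *
 * The optional prefix names the sets to update by their first letter;
 * strindex() below maps such a letter (either case) to the index of
 * the set in the "sets" string built by loadprivinfo().
 */

/*
 * Return the index of c, folded to upper case, in str, or -1 when it
 * does not occur.  As with strchr(), c == '\0' matches the terminator
 * and yields strlen(str).
 */
static int
strindex(char c, const char *str)
{
	const char *s;

	/*
	 * <ctype.h> takes an unsigned char value; a plain char may be
	 * negative for bytes >= 0x80, which is undefined for islower().
	 */
	if (islower((unsigned char)c))
		c = (char)toupper((unsigned char)c);

	s = strchr(str, c);

	return (s == NULL ? -1 : (int)(s - str));
}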
3517c478bd9Sstevel@tonic-gate
/*
 * Reject an unparsable -s specification: report it on stderr and exit
 * with status 3.  Never returns.
 */
static void
badspec(const char *spec)
{
	(void) fprintf(stderr,
	    "%s: bad privilege specification: \"%s\"\n", command, spec);
	exit(3);
	/*NOTREACHED*/
}
3607c478bd9Sstevel@tonic-gate
/*
 * Update requests collected from -s specifications, one slot per set
 * (indexed by set number, allocated by loadprivinfo()).  For each set,
 * you can set either add and/or remove or you can set assign; the
 * entry in rem[] holds the complement of the privileges to drop so it
 * can be applied with priv_intersect().
 */
static priv_set_t **rem;
static priv_set_t **add;
static priv_set_t **assign;
/* Implementation info from getprivimplinfo(); NULL until loadprivinfo(). */
static const priv_impl_info_t *pri = NULL;
/* One upper-case letter per set, in set-number order, NUL terminated. */
static char *sets;
3687c478bd9Sstevel@tonic-gate
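/*
 * Fetch the privilege implementation info and build the "sets" string
 * plus the per-set rem/add/assign tables.  Idempotent: returns at once
 * after the first successful call.  Any failure is fatal (exit 3).
 */
static void
loadprivinfo(void)
{
	int i;

	if (pri != NULL)
		return;

	pri = getprivimplinfo();
	if (pri == NULL)
		fatal("getprivimplinfo");

	sets = malloc(pri->priv_nsets + 1);
	if (sets == NULL)
		fatal("malloc");

	for (i = 0; i < pri->priv_nsets; i++) {
		const char *name = priv_getsetbynum(i);

		/* Every number below priv_nsets should resolve; don't deref NULL. */
		if (name == NULL)
			fatal("priv_getsetbynum");
		/*
		 * toupper() leaves anything but a lower-case letter alone;
		 * the unsigned char cast keeps <ctype.h> defined for all bytes.
		 */
		sets[i] = (char)toupper((unsigned char)*name);
	}
	sets[pri->priv_nsets] = '\0';

	rem = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	add = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	assign = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	if (rem == NULL || add == NULL || assign == NULL)
		fatal("calloc");
}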
4007c478bd9Sstevel@tonic-gate
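/*
 * Parse one -s specification, [EPIL][+-=]priv,priv,..., and record it in
 * the add/rem/assign tables.  An empty set prefix, or one starting with
 * 'a'/'A', means every set.  Several -s options may accumulate for the
 * same set, but assign ('=') is mutually exclusive with add/remove and
 * with a second assign for that set.
 *
 * Returns 0.  A malformed spec exits via badspec() (status 3); a
 * conflicting one is reported and exits with status 1.
 */
static int
parsespec(const char *spec)
{
	char *p;
	const char *q;
	int count;
	priv_set_t ***toupd = NULL;
	priv_set_t *upd;
	int i;
	boolean_t freeupd = B_TRUE;

	if (pri == NULL)
		loadprivinfo();

	p = strpbrk(spec, "+-=");

	/* The prefix can name at most one letter per set. */
	if (p == NULL || p - spec > pri->priv_nsets)
		badspec(spec);

	if (p[1] == '\0' || (upd = priv_str_to_set(p + 1, ",", NULL)) == NULL)
		badspec(p + 1);

	count = p - spec;
	switch (*p) {
	case '+':
		toupd = &add;
		break;
	case '-':
		/* Removal is stored as the complement and applied by intersection. */
		toupd = &rem;
		priv_inverse(upd);
		break;
	case '=':
		toupd = &assign;
		break;
	default:
		/* strpbrk() only matches the three cases above. */
		badspec(spec);
		/*NOTREACHED*/
	}

	/* Update all sets? */
	if (count == 0 || *spec == 'a' || *spec == 'A') {
		count = pri->priv_nsets;
		q = sets;
	} else {
		q = spec;
	}

	for (i = 0; i < count; i++) {
		int ind = strindex(q[i], sets);

		if (ind == -1)
			badspec(spec);

		/* Assign is mutually exclusive with add/remove and itself */
		if (((toupd == &rem || toupd == &add) && assign[ind] != NULL) ||
		    (toupd == &assign && (assign[ind] != NULL ||
		    rem[ind] != NULL || add[ind] != NULL))) {
			(void) fprintf(stderr, "%s: conflicting spec: %s\n",
			    command, spec);
			exit(1);
		}
		if ((*toupd)[ind] != NULL) {
			/* Merge into the existing request for this set. */
			if (*p == '-')
				priv_intersect(upd, (*toupd)[ind]);
			else
				priv_union(upd, (*toupd)[ind]);
		} else {
			/* The table now owns upd; don't free it below. */
			(*toupd)[ind] = upd;
			freeupd = B_FALSE;
		}
	}
	if (freeupd)
		priv_freeset(upd);
	return (0);
}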
4727c478bd9Sstevel@tonic-gate
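/*
 * Find the PRIV_INFO_FLAGS record among the priv_info records that
 * trail pr and store its value in *flp.  Returns B_TRUE when found.
 * Each record header, and the size it announces, is checked against
 * the bytes that actually remain before it is dereferenced, so a short
 * or corrupt record list ends the walk instead of reading past pr.
 */
static boolean_t
find_privflags(const prpriv_t *pr, uint32_t *flp)
{
	const char *x = (const char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr);
	const char *end = (const char *)pr + PRIV_PRPRIV_SIZE(pr);

	while (x < end) {
		size_t left = (size_t)(end - x);
		const priv_info_t *pi;

		if (left < sizeof (priv_info_t))
			break;
		/* LINTED: alignment */
		pi = (const priv_info_t *)x;
		if (pi->priv_info_type == PRIV_INFO_FLAGS) {
			if (left < sizeof (priv_info_uint_t))
				break;
			/* LINTED: alignment */
			*flp = ((const priv_info_uint_t *)x)->val;
			return (B_TRUE);
		}
		if (pi->priv_info_size > left ||
		    pi->priv_info_size <= sizeof (priv_info_t) ||
		    (pi->priv_info_size & 3) != 0)
			break;
		x += pi->priv_info_size;
	}
	return (B_FALSE);
}

/*
 * Apply the collected -s updates and the -D/-N/-P/-x flag changes to
 * pr, the privileges of target arg, in place so the caller can hand it
 * to Psetpriv().  pr must already have passed look()'s size checks.
 * On return pr_infosize is 0 (no flag change requested, or no flags
 * record found -- which is reported on stderr) or the size of the single
 * PRIV_INFO_FLAGS record now at the info offset.
 */
static void
privupdate(prpriv_t *pr, const char *arg)
{
	int i;

	if (sets != NULL) {
		for (i = 0; i < pri->priv_nsets; i++) {
			priv_set_t *target =
			    (priv_set_t *)&pr->pr_sets[pr->pr_setsize * i];

			/* rem[] holds the complement of the privileges to drop. */
			if (rem[i] != NULL)
				priv_intersect(rem[i], target);
			if (add[i] != NULL)
				priv_union(add[i], target);
			if (assign[i] != NULL)
				priv_copyset(assign[i], target);
		}
	}

	if (Doff || Don || pfexec || xpol) {
		priv_info_uint_t *pii;
		uint32_t fl = 0;

		if (!find_privflags(pr, &fl)) {
			(void) fprintf(stderr,
			    "%s: cannot find privilege flags to set\n", arg);
			pr->pr_infosize = 0;
			return;
		}

		/* Replace whatever records were there by one flags record. */
		pr->pr_infosize = sizeof (priv_info_uint_t);
		/* LINTED: alignment */
		pii = (priv_info_uint_t *)
		    ((char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));

		if (Don)
			fl |= PRIV_DEBUG;
		if (Doff)
			fl &= ~PRIV_DEBUG;
		if (pfexec)
			fl |= PRIV_PFEXEC;
		if (xpol)
			fl |= PRIV_XPOLICY;

		pii->info.priv_info_size = sizeof (*pii);
		pii->info.priv_info_type = PRIV_INFO_FLAGS;
		pii->val = fl;
	} else {
		pr->pr_infosize = 0;
	}
}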
5407c478bd9Sstevel@tonic-gate
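/*
 * Apply the collected -s updates for the set called name to the calling
 * process.  target is a scratch priv_set_t owned by the caller; failmsg
 * is the label reported by fatal() when setppriv() fails.  Does nothing
 * when no update was requested for that set.
 */
static void
update_own_set(const char *name, const char *failmsg, priv_set_t *target)
{
	int setno = priv_getsetbyname(name);

	/* An unknown set name would index the tables with -1. */
	if (setno < 0)
		fatal("priv_getsetbyname");

	if (rem[setno] == NULL && add[setno] == NULL &&
	    assign[setno] == NULL)
		return;

	(void) getppriv(name, target);
	/* rem[] holds the complement of the privileges to drop. */
	if (rem[setno] != NULL)
		priv_intersect(rem[setno], target);
	if (add[setno] != NULL)
		priv_union(add[setno], target);
	if (assign[setno] != NULL)
		priv_copyset(assign[setno], target);
	if (setppriv(PRIV_SET, name, target) != 0)
		fatal(failmsg);
}

/*
 * Implement -e's first half: apply the requested flag and privilege
 * changes to this process before main() execs the command.  Only the
 * Inheritable and Limit sets are updated from the -s tables.  Failures
 * of the MAC-aware and pfexec flag changes and of setppriv() are fatal;
 * the remaining setpflags() calls are best effort, as before.
 */
static void
privupdate_self(void)
{
	if (mac_aware) {
		if (setpflags(NET_MAC_AWARE, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE)");
		if (setpflags(NET_MAC_AWARE_INHERIT, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE_INHERIT)");
	}
	if (pfexec) {
		if (setpflags(PRIV_PFEXEC, 1) != 0)
			fatal("setpflags(PRIV_PFEXEC)");
	}

	if (sets != NULL) {
		priv_set_t *target = priv_allocset();

		if (target == NULL)
			fatal("priv_allocset");

		update_own_set(PRIV_INHERITABLE, "setppriv(Inheritable)",
		    target);
		update_own_set(PRIV_LIMIT, "setppriv(Limit)", target);
		priv_freeset(target);
	}

	if (Doff || Don)
		(void) setpflags(PRIV_DEBUG, Don ? 1 : 0);
	if (xpol)
		(void) setpflags(PRIV_XPOLICY, 1);
	if (pfexec)
		(void) setpflags(PRIV_PFEXEC, 1);
}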
5997c478bd9Sstevel@tonic-gate
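/*
 * Print the privilege name p and, in verbose mode (-v), its description
 * from priv_gettext() with every line indented by one tab.  Returns 0,
 * or 1 when verbose output was requested but no description exists.
 */
static int
dopriv(const char *p)
{
	(void) puts(p);
	if (verb) {
		char *text = priv_gettext(p);
		char *line, *nl;

		if (text == NULL)
			return (1);
		/* Split in place on newlines and print each line indented. */
		for (line = text; (nl = strchr(line, '\n')) != NULL;
		    line = nl + 1) {
			*nl = '\0';
			(void) printf("\t%s\n", line);
		}
		/* A final line without a trailing newline is not dropped. */
		if (*line != '\0')
			(void) printf("\t%s\n", line);
		free(text);
	}
	return (0);
}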
6177c478bd9Sstevel@tonic-gate
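/*
 * Implement -l: with no arguments print every privilege the system
 * knows, otherwise print the members of each comma-separated list in
 * argv, in system order.  Returns the number of unparsable lists plus
 * the failures reported by dopriv().
 */
static int
dumppriv(char **argv)
{
	int rc = 0;
	const char *pname;
	int i;

	if (argv[0] == NULL) {
		for (i = 0; (pname = priv_getbynum(i++)) != NULL; )
			rc += dopriv(pname);
		return (rc);
	}

	for (; *argv != NULL; argv++) {
		priv_set_t *pset = priv_str_to_set(*argv, ",", NULL);

		if (pset == NULL) {
			(void) fprintf(stderr, "%s: %s: bad privilege"
			    " list\n", command, *argv);
			rc++;
			continue;
		}
		for (i = 0; (pname = priv_getbynum(i++)) != NULL; ) {
			if (priv_ismember(pset, pname))
				rc += dopriv(pname);
		}
		/* priv_str_to_set() allocates; release it per argument. */
		priv_freeset(pset);
	}
	return (rc);
}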
6457c478bd9Sstevel@tonic-gate
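/*
 * Process flag bits and their symbolic names, used by flags2str().
 * The names are string literals, hence const.
 */
static struct {
	int flag;
	const char *name;
} flags[] = {
	{ PRIV_DEBUG, "PRIV_DEBUG" },
	{ PRIV_AWARE, "PRIV_AWARE" },
	{ PRIV_AWARE_INHERIT, "PRIV_AWARE_INHERIT" },
	{ PRIV_AWARE_RESET, "PRIV_AWARE_RESET" },
	{ PRIV_XPOLICY, "PRIV_XPOLICY" },
	{ PRIV_PFEXEC, "PRIV_PFEXEC" },
	{ NET_MAC_AWARE, "NET_MAC_AWARE" },
	{ NET_MAC_AWARE_INHERIT, "NET_MAC_AWARE_INHERIT" },
};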
6597c478bd9Sstevel@tonic-gate
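/*
 * Print the names of the bits set in pflags, preceded by a space and
 * separated by '|'.  Bits with no entry in flags[] are printed together
 * as one hex word; an empty mask prints " <none>".
 */
static void
flags2str(uint_t pflags)
{
	char sep = ' ';
	size_t i;

	if (pflags == 0) {
		(void) fputs(" <none>", stdout);
		return;
	}
	/* size_t index: the bound is a sizeof expression, so no sign mismatch. */
	for (i = 0; i < sizeof (flags) / sizeof (flags[0]) && pflags != 0;
	    i++) {
		if ((pflags & flags[i].flag) != 0) {
			(void) printf("%c%s", sep, flags[i].name);
			pflags &= ~flags[i].flag;
			sep = '|';
		}
	}
	/* Whatever remains has no name in the table. */
	if (pflags != 0)
		(void) printf("%c<0x%x>", sep, pflags);
}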
683