1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/systm.h> 32 #include <sys/cred_impl.h> 33 #include <sys/errno.h> 34 #include <sys/klpd.h> 35 #include <sys/proc.h> 36 #include <sys/priv_impl.h> 37 #include <sys/policy.h> 38 #include <sys/ddi.h> 39 #include <sys/thread.h> 40 #include <c2/audit.h> 41 42 /* 43 * System call support for manipulating privileges. 44 * 45 * 46 * setppriv(2) - set process privilege set 47 * getppriv(2) - get process privilege set 48 * getprivimplinfo(2) - get process privilege implementation information 49 * setpflags(2) - set process (privilege) flags 50 * getpflags(2) - get process (privilege) flags 51 */ 52 53 /* 54 * setppriv (priv_op_t, priv_ptype_t, priv_set_t) 55 */ 56 static int 57 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset) 58 { 59 priv_set_t pset, *target; 60 cred_t *cr, *pcr; 61 proc_t *p; 62 boolean_t donocd = B_FALSE; 63 64 if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op)) 65 return (set_errno(EINVAL)); 66 67 if (copyin(in_pset, &pset, sizeof (priv_set_t))) 68 return (set_errno(EFAULT)); 69 70 p = ttoproc(curthread); 71 cr = cralloc(); 72 mutex_enter(&p->p_crlock); 73 74 retry: 75 pcr = p->p_cred; 76 77 if (audit_active) 78 audit_setppriv(op, type, &pset, pcr); 79 80 /* 81 * Filter out unallowed request (bad op and bad type) 82 */ 83 switch (op) { 84 case PRIV_ON: 85 case PRIV_SET: 86 /* 87 * Turning on privileges; the limit set cannot grow, 88 * other sets can but only as long as they remain subsets 89 * of P. Only immediately after exec holds that P <= L. 90 */ 91 if (type == PRIV_LIMIT && 92 !priv_issubset(&pset, &CR_LPRIV(pcr))) { 93 crfree(cr); 94 return (set_errno(EPERM)); 95 } 96 if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) && 97 !priv_issubset(&pset, priv_getset(pcr, type))) { 98 mutex_exit(&p->p_crlock); 99 /* Policy override should not grow beyond L either */ 100 if (type != PRIV_INHERITABLE || 101 !priv_issubset(&pset, &CR_LPRIV(pcr)) || 102 secpolicy_require_privs(CRED(), &pset) != 0) { 103 crfree(cr); 104 return (set_errno(EPERM)); 105 } 106 mutex_enter(&p->p_crlock); 107 if (pcr != p->p_cred) 108 goto retry; 109 donocd = B_TRUE; 110 } 111 break; 112 113 case PRIV_OFF: 114 /* PRIV_OFF is always allowed */ 115 break; 116 } 117 118 /* 119 * OK! everything is cool. 120 * Do cred COW. 121 */ 122 crcopy_to(pcr, cr); 123 124 /* 125 * If we change the effective, permitted or limit set, we attain 126 * "privilege awareness". 127 */ 128 if (type != PRIV_INHERITABLE) 129 priv_set_PA(cr); 130 131 target = &(CR_PRIVS(cr)->crprivs[type]); 132 133 switch (op) { 134 case PRIV_ON: 135 priv_union(&pset, target); 136 break; 137 case PRIV_OFF: 138 priv_inverse(&pset); 139 priv_intersect(target, &pset); 140 141 /* 142 * Fall-thru to set target and change other process 143 * privilege sets. 144 */ 145 /*FALLTHRU*/ 146 147 case PRIV_SET: 148 *target = pset; 149 150 /* 151 * Take privileges no longer permitted out 152 * of other effective sets as well. 153 * Limit set is enforced at exec() time. 154 */ 155 if (type == PRIV_PERMITTED) 156 priv_intersect(&pset, &CR_EPRIV(cr)); 157 break; 158 } 159 160 /* 161 * When we give up privileges not in the inheritable set, 162 * set SNOCD if not already set; first we compute the 163 * privileges removed from P using Diff = (~P') & P 164 * and then we check whether the removed privileges are 165 * a subset of I. If we retain uid 0, all privileges 166 * are required anyway so don't set SNOCD. 167 */ 168 if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 && 169 cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) { 170 priv_set_t diff = CR_OPPRIV(cr); 171 priv_inverse(&diff); 172 priv_intersect(&CR_OPPRIV(pcr), &diff); 173 donocd = !priv_issubset(&diff, &CR_IPRIV(cr)); 174 } 175 176 p->p_cred = cr; 177 mutex_exit(&p->p_crlock); 178 179 if (donocd) { 180 mutex_enter(&p->p_lock); 181 p->p_flag |= SNOCD; 182 mutex_exit(&p->p_lock); 183 } 184 185 crset(p, cr); /* broadcast to process threads */ 186 187 return (0); 188 } 189 190 /* 191 * getppriv (priv_ptype_t, priv_set_t *) 192 */ 193 static int 194 getppriv(priv_ptype_t type, priv_set_t *pset) 195 { 196 if (!PRIV_VALIDSET(type)) 197 return (set_errno(EINVAL)); 198 199 if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0) 200 return (set_errno(EFAULT)); 201 202 return (0); 203 } 204 205 static int 206 getprivimplinfo(void *buf, size_t bufsize) 207 { 208 int err; 209 210 err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize)); 211 212 priv_release_implinfo(); 213 214 if (err) 215 return (set_errno(EFAULT)); 216 217 return (0); 218 } 219 220 /* 221 * Set process flags in the given target cred. If NULL is specified, then 222 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly 223 * crdup'ed, or equivalent). Some flags are set in the proc rather than cred; 224 * for these, curproc is always used. 225 * 226 * For now we cheat: the flags are actually bit masks so we can simplify 227 * some; we do make sure that the arguments are valid, though. 228 */ 229 230 int 231 setpflags(uint_t flag, uint_t val, cred_t *tcr) 232 { 233 cred_t *cr, *pcr; 234 proc_t *p = curproc; 235 uint_t newflags; 236 boolean_t use_curcred = (tcr == NULL); 237 238 if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE && 239 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT && 240 flag != __PROC_PROTECT && flag != PRIV_XPOLICY)) { 241 return (EINVAL); 242 } 243 244 if (flag == __PROC_PROTECT) { 245 mutex_enter(&p->p_lock); 246 if (val == 0) 247 p->p_flag &= ~SNOCD; 248 else 249 p->p_flag |= SNOCD; 250 mutex_exit(&p->p_lock); 251 return (0); 252 } 253 254 if (use_curcred) { 255 cr = cralloc(); 256 mutex_enter(&p->p_crlock); 257 pcr = p->p_cred; 258 } else { 259 cr = pcr = tcr; 260 } 261 262 newflags = CR_FLAGS(pcr); 263 264 if (val != 0) 265 newflags |= flag; 266 else 267 newflags &= ~flag; 268 269 /* No change */ 270 if (CR_FLAGS(pcr) == newflags) { 271 if (use_curcred) { 272 mutex_exit(&p->p_crlock); 273 crfree(cr); 274 } 275 return (0); 276 } 277 278 /* 279 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT 280 * flags is a restricted operation. 281 * 282 * When invoked via the PRIVSYS_SETPFLAGS syscall 283 * we require that the current cred has the net_mac_aware 284 * privilege in its effective set. 285 * 286 * When called from within the kernel by label-aware 287 * services such as NFS, we don't require a privilege check. 288 * 289 */ 290 if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) && 291 (val == 1) && use_curcred) { 292 if (secpolicy_net_mac_aware(pcr) != 0) { 293 mutex_exit(&p->p_crlock); 294 crfree(cr); 295 return (EPERM); 296 } 297 } 298 299 /* Trying to unset PA; if we can't, return an error */ 300 if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) { 301 if (use_curcred) { 302 mutex_exit(&p->p_crlock); 303 crfree(cr); 304 } 305 return (EPERM); 306 } 307 308 /* Committed to changing the flag */ 309 if (use_curcred) 310 crcopy_to(pcr, cr); 311 if (flag == PRIV_AWARE) { 312 if (val != 0) 313 priv_set_PA(cr); 314 else 315 priv_adjust_PA(cr); 316 } else { 317 CR_FLAGS(cr) = newflags; 318 } 319 320 /* 321 * Unsetting the flag has as side effect getting rid of 322 * the per-credential policy. 323 */ 324 if (flag == PRIV_XPOLICY && val == 0) 325 crsetcrklpd(cr, NULL); 326 327 if (use_curcred) { 328 p->p_cred = cr; 329 mutex_exit(&p->p_crlock); 330 crset(p, cr); 331 } 332 333 return (0); 334 } 335 336 /* 337 * Getpflags. Currently only implements single bit flags. 338 */ 339 uint_t 340 getpflags(uint_t flag, const cred_t *cr) 341 { 342 if (flag != PRIV_DEBUG && flag != PRIV_AWARE && 343 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT && 344 flag != PRIV_XPOLICY) 345 return ((uint_t)-1); 346 347 return ((CR_FLAGS(cr) & flag) != 0); 348 } 349 350 /* 351 * Privilege system call entry point 352 */ 353 int 354 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize, 355 int itype) 356 { 357 int retv; 358 extern int issetugid(void); 359 360 switch (code) { 361 case PRIVSYS_SETPPRIV: 362 if (bufsize < sizeof (priv_set_t)) 363 return (set_errno(ENOMEM)); 364 return (setppriv(op, type, buf)); 365 case PRIVSYS_GETPPRIV: 366 if (bufsize < sizeof (priv_set_t)) 367 return (set_errno(ENOMEM)); 368 return (getppriv(type, buf)); 369 case PRIVSYS_GETIMPLINFO: 370 return (getprivimplinfo(buf, bufsize)); 371 case PRIVSYS_SETPFLAGS: 372 retv = setpflags((uint_t)op, (uint_t)type, NULL); 373 return (retv != 0 ? set_errno(retv) : 0); 374 case PRIVSYS_GETPFLAGS: 375 retv = (int)getpflags((uint_t)op, CRED()); 376 return (retv == -1 ? set_errno(EINVAL) : retv); 377 case PRIVSYS_ISSETUGID: 378 return (issetugid()); 379 case PRIVSYS_KLPD_REG: 380 if (bufsize < sizeof (priv_set_t)) 381 return (set_errno(ENOMEM)); 382 return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type, 383 buf)); 384 case PRIVSYS_KLPD_UNREG: 385 return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type)); 386 } 387 return (set_errno(EINVAL)); 388 } 389 390 #ifdef _SYSCALL32_IMPL 391 int 392 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf, 393 size32_t bufsize, int itype) 394 { 395 return (privsys(code, op, type, (void *)(uintptr_t)buf, 396 (size_t)bufsize, itype)); 397 } 398 #endif 399