xref: /titanic_50/usr/src/cmd/pfexecd/pfexecd.c (revision f6ad203ad2c23f486fa36e76e7734a97dd33e270)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  *
21  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
22  * Copyright 2015, Joyent, Inc.
23  */
24 
25 #define	_POSIX_PTHREAD_SEMANTICS 1
26 
27 #include <sys/param.h>
28 #include <sys/klpd.h>
29 #include <sys/syscall.h>
30 #include <sys/systeminfo.h>
31 
32 #include <alloca.h>
33 #include <ctype.h>
34 #include <deflt.h>
35 #include <door.h>
36 #include <errno.h>
37 #include <grp.h>
38 #include <priv.h>
39 #include <pwd.h>
40 #include <regex.h>
41 #include <secdb.h>
42 #include <signal.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <syslog.h>
47 #include <unistd.h>
48 
49 #include <auth_attr.h>
50 #include <exec_attr.h>
51 #include <prof_attr.h>
52 #include <user_attr.h>
53 
54 static int doorfd = -1;
55 
56 static size_t repsz, setsz;
57 
58 static uid_t get_uid(const char *, boolean_t *, char *);
59 static gid_t get_gid(const char *, boolean_t *, char *);
60 static priv_set_t *get_privset(const char *, boolean_t *, char *);
61 static priv_set_t *get_granted_privs(uid_t);
62 
63 /*
64  * Remove the isaexec path of an executable if we can't find the
65  * executable at the first attempt.
66  */
67 
68 static regex_t regc;
69 static boolean_t cansplice = B_TRUE;
70 
71 static void
72 init_isa_regex(void)
73 {
74 	char *isalist;
75 	size_t isalen = 255;		/* wild guess */
76 	size_t len;
77 	long ret;
78 	char *regexpr;
79 	char *p;
80 
81 	/*
82 	 * Extract the isalist(5) for userland from the kernel.
83 	 */
84 	isalist = malloc(isalen);
85 	do {
86 		ret = sysinfo(SI_ISALIST, isalist, isalen);
87 		if (ret == -1l) {
88 			free(isalist);
89 			return;
90 		}
91 		if (ret > isalen) {
92 			isalen = ret;
93 			isalist = realloc(isalist, isalen);
94 		} else
95 			break;
96 	} while (isalist != NULL);
97 
98 
99 	if (isalist == NULL)
100 		return;
101 
102 	/* allocate room for the regex + (/())/[^/]*$ + needed \\. */
103 #define	LEFT	"(/("
104 #define	RIGHT	"))/[^/]*$"
105 
106 	regexpr = alloca(ret * 2 + sizeof (LEFT RIGHT));
107 	(void) strcpy(regexpr, LEFT);
108 	len = strlen(regexpr);
109 
110 	for (p = isalist; *p; p++) {
111 		switch (*p) {
112 		case '+':
113 		case '|':
114 		case '*':
115 		case '[':
116 		case ']':
117 		case '{':
118 		case '}':
119 		case '\\':
120 			regexpr[len++] = '\\';
121 		default:
122 			regexpr[len++] = *p;
123 			break;
124 		case ' ':
125 		case '\t':
126 			regexpr[len++] = '|';
127 			break;
128 		}
129 	}
130 
131 	free(isalist);
132 	regexpr[len] = '\0';
133 	(void) strcat(regexpr, RIGHT);
134 
135 	if (regcomp(&regc, regexpr, REG_EXTENDED) != 0)
136 		return;
137 
138 	cansplice = B_TRUE;
139 }
140 
141 #define	NMATCH	2
142 
143 static boolean_t
144 removeisapath(char *path)
145 {
146 	regmatch_t match[NMATCH];
147 
148 	if (!cansplice || regexec(&regc, path, NMATCH, match, 0) != 0)
149 		return (B_FALSE);
150 
151 	/*
152 	 * The first match includes the whole matched expression including the
153 	 * end of the string.  The second match includes the "/" + "isa" and
154 	 * that is the part we need to remove.
155 	 */
156 
157 	if (match[1].rm_so == -1)
158 		return (B_FALSE);
159 
160 	/* match[0].rm_eo == strlen(path) */
161 	(void) memmove(path + match[1].rm_so, path + match[1].rm_eo,
162 	    match[0].rm_eo - match[1].rm_eo + 1);
163 
164 	return (B_TRUE);
165 }
166 
167 static int
168 register_pfexec(int fd)
169 {
170 	int ret = syscall(SYS_privsys, PRIVSYS_PFEXEC_REG, fd);
171 
172 	return (ret);
173 }
174 
175 /* ARGSUSED */
176 static void
177 unregister_pfexec(int sig)
178 {
179 	if (doorfd != -1)
180 		(void) syscall(SYS_privsys, PRIVSYS_PFEXEC_UNREG, doorfd);
181 	_exit(0);
182 }
183 
184 static int
185 alldigits(const char *s)
186 {
187 	int c;
188 
189 	if (*s == '\0')
190 		return (0);
191 
192 	while ((c = *s++) != '\0') {
193 		if (!isdigit(c)) {
194 			return (0);
195 		}
196 	}
197 
198 	return (1);
199 }
200 
201 static uid_t
202 get_uid(const char *v, boolean_t *ok, char *path)
203 {
204 	struct passwd *pwd, pwdm;
205 	char buf[1024];
206 
207 	if (getpwnam_r(v, &pwdm, buf, sizeof (buf), &pwd) == 0 && pwd != NULL)
208 		return (pwd->pw_uid);
209 
210 	if (alldigits(v))
211 		return (atoi(v));
212 
213 	*ok = B_FALSE;
214 	syslog(LOG_ERR, "%s: %s: unknown username\n", path, v);
215 	return ((uid_t)-1);
216 }
217 
218 static uid_t
219 get_gid(const char *v, boolean_t *ok, char *path)
220 {
221 	struct group *grp, grpm;
222 	char buf[1024];
223 
224 	if (getgrnam_r(v, &grpm, buf, sizeof (buf), &grp) == 0 && grp != NULL)
225 		return (grp->gr_gid);
226 
227 	if (alldigits(v))
228 		return (atoi(v));
229 
230 	*ok = B_FALSE;
231 	syslog(LOG_ERR, "%s: %s: unknown groupname\n", path, v);
232 	return ((gid_t)-1);
233 }
234 
235 static priv_set_t *
236 get_privset(const char *s, boolean_t *ok, char *path)
237 {
238 	priv_set_t *res;
239 
240 	if ((res = priv_str_to_set(s, ",", NULL)) == NULL) {
241 		syslog(LOG_ERR, "%s: %s: bad privilege set\n", path, s);
242 		if (ok != NULL)
243 			*ok = B_FALSE;
244 	}
245 	return (res);
246 }
247 
248 /*ARGSUSED*/
249 static int
250 ggp_callback(const char *prof, kva_t *attr, void *ctxt, void *vres)
251 {
252 	priv_set_t *res = vres;
253 	char *privs;
254 
255 	if (attr == NULL)
256 		return (0);
257 
258 	/* get privs from this profile */
259 	privs = kva_match(attr, PROFATTR_PRIVS_KW);
260 	if (privs != NULL) {
261 		priv_set_t *tmp = priv_str_to_set(privs, ",", NULL);
262 		if (tmp != NULL) {
263 			priv_union(tmp, res);
264 			priv_freeset(tmp);
265 		}
266 	}
267 
268 	return (0);
269 }
270 
271 /*
272  * This routine exists on failure and returns NULL if no granted privileges
273  * are set.
274  */
275 static priv_set_t *
276 get_granted_privs(uid_t uid)
277 {
278 	priv_set_t *res;
279 	struct passwd *pwd, pwdm;
280 	char buf[1024];
281 
282 	if (getpwuid_r(uid, &pwdm, buf, sizeof (buf), &pwd) != 0 || pwd == NULL)
283 		return (NULL);
284 
285 	res = priv_allocset();
286 	if (res == NULL)
287 		return (NULL);
288 
289 	priv_emptyset(res);
290 
291 	(void) _enum_profs(pwd->pw_name, ggp_callback, NULL, res);
292 
293 	return (res);
294 }
295 
296 static void
297 callback_forced_privs(pfexec_arg_t *pap)
298 {
299 	execattr_t *exec;
300 	char *value;
301 	priv_set_t *fset;
302 	void *res = alloca(setsz);
303 
304 	/* Empty set signifies no forced privileges. */
305 	priv_emptyset(res);
306 
307 	exec = getexecprof("Forced Privilege", KV_COMMAND, pap->pfa_path,
308 	    GET_ONE);
309 
310 	if (exec == NULL && removeisapath(pap->pfa_path)) {
311 		exec = getexecprof("Forced Privilege", KV_COMMAND,
312 		    pap->pfa_path, GET_ONE);
313 	}
314 
315 	if (exec == NULL) {
316 		(void) door_return(res, setsz, NULL, 0);
317 		return;
318 	}
319 
320 	if ((value = kva_match(exec->attr, EXECATTR_IPRIV_KW)) == NULL ||
321 	    (fset = get_privset(value, NULL, pap->pfa_path)) == NULL) {
322 		free_execattr(exec);
323 		(void) door_return(res, setsz, NULL, 0);
324 		return;
325 	}
326 
327 	priv_copyset(fset, res);
328 	priv_freeset(fset);
329 
330 	free_execattr(exec);
331 	(void) door_return(res, setsz, NULL, 0);
332 }
333 
334 static void
335 callback_user_privs(pfexec_arg_t *pap)
336 {
337 	priv_set_t *gset, *wset;
338 	uint32_t res;
339 
340 	wset = (priv_set_t *)&pap->pfa_buf;
341 	gset = get_granted_privs(pap->pfa_uid);
342 
343 	res = priv_issubset(wset, gset);
344 	priv_freeset(gset);
345 
346 	(void) door_return((char *)&res, sizeof (res), NULL, 0);
347 }
348 
349 static void
350 callback_pfexec(pfexec_arg_t *pap)
351 {
352 	pfexec_reply_t *res = alloca(repsz);
353 	uid_t uid, euid, uuid;
354 	gid_t gid, egid;
355 	struct passwd pw, *pwd;
356 	char buf[1024];
357 	execattr_t *exec = NULL;
358 	char *value;
359 	priv_set_t *lset, *iset;
360 	size_t mysz = repsz - 2 * setsz;
361 	char *path = pap->pfa_path;
362 
363 	/*
364 	 * Initialize the pfexec_reply_t to a sane state.
365 	 */
366 	res->pfr_vers = pap->pfa_vers;
367 	res->pfr_len = 0;
368 	res->pfr_ruid = PFEXEC_NOTSET;
369 	res->pfr_euid = PFEXEC_NOTSET;
370 	res->pfr_rgid = PFEXEC_NOTSET;
371 	res->pfr_egid = PFEXEC_NOTSET;
372 	res->pfr_setcred = B_FALSE;
373 	res->pfr_scrubenv = B_TRUE;
374 	res->pfr_allowed = B_FALSE;
375 	res->pfr_ioff = 0;
376 	res->pfr_loff = 0;
377 
378 	uuid = pap->pfa_uid;
379 
380 	if (getpwuid_r(uuid, &pw, buf, sizeof (buf), &pwd) != 0 || pwd == NULL)
381 		goto stdexec;
382 
383 	exec = getexecuser(pwd->pw_name, KV_COMMAND, path, GET_ONE);
384 
385 	if ((exec == NULL || exec->attr == NULL) && removeisapath(path)) {
386 		free_execattr(exec);
387 		exec = getexecuser(pwd->pw_name, KV_COMMAND, path, GET_ONE);
388 	}
389 
390 	if (exec == NULL) {
391 		res->pfr_allowed = B_FALSE;
392 		goto ret;
393 	}
394 
395 	if (exec->attr == NULL)
396 		goto stdexec;
397 
398 	/* Found in execattr, so clearly we can use it */
399 	res->pfr_allowed = B_TRUE;
400 
401 	uid = euid = (uid_t)-1;
402 	gid = egid = (gid_t)-1;
403 	lset = iset = NULL;
404 
405 	/*
406 	 * If there's an error in parsing uid, gid, privs, then return
407 	 * failure.
408 	 */
409 	if ((value = kva_match(exec->attr, EXECATTR_UID_KW)) != NULL)
410 		euid = uid = get_uid(value, &res->pfr_allowed, path);
411 
412 	if ((value = kva_match(exec->attr, EXECATTR_GID_KW)) != NULL)
413 		egid = gid = get_gid(value, &res->pfr_allowed, path);
414 
415 	if ((value = kva_match(exec->attr, EXECATTR_EUID_KW)) != NULL)
416 		euid = get_uid(value, &res->pfr_allowed, path);
417 
418 	if ((value = kva_match(exec->attr, EXECATTR_EGID_KW)) != NULL)
419 		egid = get_gid(value, &res->pfr_allowed, path);
420 
421 	if ((value = kva_match(exec->attr, EXECATTR_LPRIV_KW)) != NULL)
422 		lset = get_privset(value, &res->pfr_allowed, path);
423 
424 	if ((value = kva_match(exec->attr, EXECATTR_IPRIV_KW)) != NULL)
425 		iset = get_privset(value, &res->pfr_allowed, path);
426 
427 	/*
428 	 * Remove LD_* variables in the kernel when the runtime linker might
429 	 * use them later on because the uids are equal.
430 	 */
431 	res->pfr_scrubenv = (uid != (uid_t)-1 && euid == uid) ||
432 	    (gid != (gid_t)-1 && egid == gid) || iset != NULL;
433 
434 	res->pfr_euid = euid;
435 	res->pfr_ruid = uid;
436 	res->pfr_egid = egid;
437 	res->pfr_rgid = gid;
438 
439 	/* Now add the privilege sets */
440 	res->pfr_ioff = res->pfr_loff = 0;
441 	if (iset != NULL) {
442 		res->pfr_ioff = mysz;
443 		priv_copyset(iset, PFEXEC_REPLY_IPRIV(res));
444 		mysz += setsz;
445 		priv_freeset(iset);
446 	}
447 	if (lset != NULL) {
448 		res->pfr_loff = mysz;
449 		priv_copyset(lset, PFEXEC_REPLY_LPRIV(res));
450 		mysz += setsz;
451 		priv_freeset(lset);
452 	}
453 
454 	res->pfr_setcred = uid != (uid_t)-1 || euid != (uid_t)-1 ||
455 	    egid != (gid_t)-1 || gid != (gid_t)-1 || iset != NULL ||
456 	    lset != NULL;
457 
458 	/* If the real uid changes, we stop running under a profile shell */
459 	res->pfr_clearflag = uid != (uid_t)-1 && uid != uuid;
460 	free_execattr(exec);
461 ret:
462 	(void) door_return((char *)res, mysz, NULL, 0);
463 	return;
464 
465 stdexec:
466 	free_execattr(exec);
467 
468 	res->pfr_scrubenv = B_FALSE;
469 	res->pfr_setcred = B_FALSE;
470 	res->pfr_allowed = B_TRUE;
471 
472 	(void) door_return((char *)res, mysz, NULL, 0);
473 }
474 
475 /* ARGSUSED */
476 static void
477 callback(void *cookie, char *argp, size_t asz, door_desc_t *dp, uint_t ndesc)
478 {
479 	/* LINTED ALIGNMENT */
480 	pfexec_arg_t *pap = (pfexec_arg_t *)argp;
481 
482 	if (asz < sizeof (pfexec_arg_t) || pap->pfa_vers != PFEXEC_ARG_VERS) {
483 		(void) door_return(NULL, 0, NULL, 0);
484 		return;
485 	}
486 
487 	switch (pap->pfa_call) {
488 	case PFEXEC_EXEC_ATTRS:
489 		callback_pfexec(pap);
490 		break;
491 	case PFEXEC_FORCED_PRIVS:
492 		callback_forced_privs(pap);
493 		break;
494 	case PFEXEC_USER_PRIVS:
495 		callback_user_privs(pap);
496 		break;
497 	default:
498 		syslog(LOG_ERR, "Bad Call: %d\n", pap->pfa_call);
499 		break;
500 	}
501 
502 	/*
503 	 * If the door_return(ptr, size, NULL, 0) fails, make sure we
504 	 * don't lose server threads.
505 	 */
506 	(void) door_return(NULL, 0, NULL, 0);
507 }
508 
509 int
510 main(void)
511 {
512 	const priv_impl_info_t *info;
513 
514 	(void) signal(SIGINT, unregister_pfexec);
515 	(void) signal(SIGQUIT, unregister_pfexec);
516 	(void) signal(SIGTERM, unregister_pfexec);
517 	(void) signal(SIGHUP, unregister_pfexec);
518 
519 	info = getprivimplinfo();
520 	if (info == NULL)
521 		exit(1);
522 
523 	if (fork() > 0)
524 		_exit(0);
525 
526 	openlog("pfexecd", LOG_PID, LOG_DAEMON);
527 	setsz = info->priv_setsize * sizeof (priv_chunk_t);
528 	repsz = 2 * setsz + sizeof (pfexec_reply_t);
529 
530 	init_isa_regex();
531 
532 	doorfd = door_create(callback, NULL, DOOR_REFUSE_DESC);
533 
534 	if (doorfd == -1 || register_pfexec(doorfd) != 0) {
535 		perror("doorfd");
536 		exit(1);
537 	}
538 
539 	/* LINTED CONSTCOND */
540 	while (1)
541 		(void) sigpause(SIGINT);
542 
543 	return (0);
544 }
545