xref: /titanic_50/usr/src/uts/common/syscall/ppriv.c (revision 69b3e10436272b0970d58743de375d0dd61046ce)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/param.h>
27 #include <sys/types.h>
28 #include <sys/sysmacros.h>
29 #include <sys/systm.h>
30 #include <sys/cred_impl.h>
31 #include <sys/errno.h>
32 #include <sys/klpd.h>
33 #include <sys/proc.h>
34 #include <sys/priv_impl.h>
35 #include <sys/policy.h>
36 #include <sys/ddi.h>
37 #include <sys/thread.h>
38 #include <sys/cmn_err.h>
39 #include <c2/audit.h>
40 
41 /*
42  * System call support for manipulating privileges.
43  *
44  *
45  * setppriv(2) - set process privilege set
46  * getppriv(2) - get process privilege set
47  * getprivimplinfo(2) - get process privilege implementation information
48  * setpflags(2) - set process (privilege) flags
49  * getpflags(2) - get process (privilege) flags
50  */
51 
52 /*
53  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
54  */
55 static int
56 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
57 {
58 	priv_set_t	pset, *target;
59 	cred_t		*cr, *pcr;
60 	proc_t		*p;
61 	boolean_t	donocd = B_FALSE;
62 
63 	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
64 		return (set_errno(EINVAL));
65 
66 	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
67 		return (set_errno(EFAULT));
68 
69 	p = ttoproc(curthread);
70 	cr = cralloc();
71 	mutex_enter(&p->p_crlock);
72 
73 retry:
74 	pcr = p->p_cred;
75 
76 	if (audit_active)
77 		audit_setppriv(op, type, &pset, pcr);
78 
79 	/*
80 	 * Filter out unallowed request (bad op and bad type)
81 	 */
82 	switch (op) {
83 	case PRIV_ON:
84 	case PRIV_SET:
85 		/*
86 		 * Turning on privileges; the limit set cannot grow,
87 		 * other sets can but only as long as they remain subsets
88 		 * of P.  Only immediately after exec holds that P <= L.
89 		 */
90 		if (type == PRIV_LIMIT &&
91 		    !priv_issubset(&pset, &CR_LPRIV(pcr))) {
92 			mutex_exit(&p->p_crlock);
93 			crfree(cr);
94 			return (set_errno(EPERM));
95 		}
96 		if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
97 		    !priv_issubset(&pset, priv_getset(pcr, type))) {
98 			mutex_exit(&p->p_crlock);
99 			/* Policy override should not grow beyond L either */
100 			if (type != PRIV_INHERITABLE ||
101 			    !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
102 			    secpolicy_require_privs(CRED(), &pset) != 0) {
103 				crfree(cr);
104 				return (set_errno(EPERM));
105 			}
106 			mutex_enter(&p->p_crlock);
107 			if (pcr != p->p_cred)
108 				goto retry;
109 			donocd = B_TRUE;
110 		}
111 		break;
112 
113 	case PRIV_OFF:
114 		/* PRIV_OFF is always allowed */
115 		break;
116 	}
117 
118 	/*
119 	 * OK! everything is cool.
120 	 * Do cred COW.
121 	 */
122 	crcopy_to(pcr, cr);
123 
124 	/*
125 	 * If we change the effective, permitted or limit set, we attain
126 	 * "privilege awareness".
127 	 */
128 	if (type != PRIV_INHERITABLE)
129 		priv_set_PA(cr);
130 
131 	target = &(CR_PRIVS(cr)->crprivs[type]);
132 
133 	switch (op) {
134 	case PRIV_ON:
135 		priv_union(&pset, target);
136 		break;
137 	case PRIV_OFF:
138 		priv_inverse(&pset);
139 		priv_intersect(target, &pset);
140 
141 		/*
142 		 * Fall-thru to set target and change other process
143 		 * privilege sets.
144 		 */
145 		/*FALLTHRU*/
146 
147 	case PRIV_SET:
148 		*target = pset;
149 
150 		/*
151 		 * Take privileges no longer permitted out
152 		 * of other effective sets as well.
153 		 * Limit set is enforced at exec() time.
154 		 */
155 		if (type == PRIV_PERMITTED)
156 			priv_intersect(&pset, &CR_EPRIV(cr));
157 		break;
158 	}
159 
160 	/*
161 	 * When we give up privileges not in the inheritable set,
162 	 * set SNOCD if not already set; first we compute the
163 	 * privileges removed from P using Diff = (~P') & P
164 	 * and then we check whether the removed privileges are
165 	 * a subset of I.  If we retain uid 0, all privileges
166 	 * are required anyway so don't set SNOCD.
167 	 */
168 	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
169 	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
170 		priv_set_t diff = CR_OPPRIV(cr);
171 		priv_inverse(&diff);
172 		priv_intersect(&CR_OPPRIV(pcr), &diff);
173 		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
174 	}
175 
176 	p->p_cred = cr;
177 	mutex_exit(&p->p_crlock);
178 
179 	if (donocd) {
180 		mutex_enter(&p->p_lock);
181 		p->p_flag |= SNOCD;
182 		mutex_exit(&p->p_lock);
183 	}
184 
185 	/*
186 	 * The basic_test privilege should not be removed from E;
187 	 * if that has happened, then some programmer typically set the E/P to
188 	 * empty. That is not portable.
189 	 */
190 	if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
191 	    priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
192 		proc_t *p = curproc;
193 		pid_t pid = p->p_pid;
194 		char *fn = PTOU(p)->u_comm;
195 
196 		cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
197 		    "removed from E/P", fn, pid);
198 	}
199 
200 	crset(p, cr);		/* broadcast to process threads */
201 
202 	return (0);
203 }
204 
205 /*
206  * getppriv (priv_ptype_t, priv_set_t *)
207  */
208 static int
209 getppriv(priv_ptype_t type, priv_set_t *pset)
210 {
211 	if (!PRIV_VALIDSET(type))
212 		return (set_errno(EINVAL));
213 
214 	if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
215 		return (set_errno(EFAULT));
216 
217 	return (0);
218 }
219 
220 static int
221 getprivimplinfo(void *buf, size_t bufsize)
222 {
223 	int err;
224 
225 	err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
226 
227 	priv_release_implinfo();
228 
229 	if (err)
230 		return (set_errno(EFAULT));
231 
232 	return (0);
233 }
234 
235 /*
236  * Set process flags in the given target cred.  If NULL is specified, then
237  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
238  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
239  * for these, curproc is always used.
240  *
241  * For now we cheat: the flags are actually bit masks so we can simplify
242  * some; we do make sure that the arguments are valid, though.
243  */
244 
245 int
246 setpflags(uint_t flag, uint_t val, cred_t *tcr)
247 {
248 	cred_t *cr, *pcr;
249 	proc_t *p = curproc;
250 	uint_t newflags;
251 	boolean_t use_curcred = (tcr == NULL);
252 
253 	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
254 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
255 	    flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
256 	    flag != PRIV_AWARE_RESET)) {
257 		return (EINVAL);
258 	}
259 
260 	if (flag == __PROC_PROTECT) {
261 		mutex_enter(&p->p_lock);
262 		if (val == 0)
263 			p->p_flag &= ~SNOCD;
264 		else
265 			p->p_flag |= SNOCD;
266 		mutex_exit(&p->p_lock);
267 		return (0);
268 	}
269 
270 	if (use_curcred) {
271 		cr = cralloc();
272 		mutex_enter(&p->p_crlock);
273 		pcr = p->p_cred;
274 	} else {
275 		cr = pcr = tcr;
276 	}
277 
278 	newflags = CR_FLAGS(pcr);
279 
280 	if (val != 0) {
281 		if (flag == PRIV_AWARE)
282 			newflags &= ~PRIV_AWARE_RESET;
283 		newflags |= flag;
284 	} else {
285 		newflags &= ~flag;
286 	}
287 
288 	/* No change */
289 	if (CR_FLAGS(pcr) == newflags) {
290 		if (use_curcred) {
291 			mutex_exit(&p->p_crlock);
292 			crfree(cr);
293 		}
294 		return (0);
295 	}
296 
297 	/*
298 	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
299 	 * flags is a restricted operation.
300 	 *
301 	 * When invoked via the PRIVSYS_SETPFLAGS syscall
302 	 * we require that the current cred has the net_mac_aware
303 	 * privilege in its effective set.
304 	 *
305 	 * When called from within the kernel by label-aware
306 	 * services such as NFS, we don't require a privilege check.
307 	 *
308 	 */
309 	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
310 	    (val == 1) && use_curcred) {
311 		if (secpolicy_net_mac_aware(pcr) != 0) {
312 			mutex_exit(&p->p_crlock);
313 			crfree(cr);
314 			return (EPERM);
315 		}
316 	}
317 
318 	/* Trying to unset PA; if we can't, return an error */
319 	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
320 		if (use_curcred) {
321 			mutex_exit(&p->p_crlock);
322 			crfree(cr);
323 		}
324 		return (EPERM);
325 	}
326 
327 	/* Committed to changing the flag */
328 	if (use_curcred)
329 		crcopy_to(pcr, cr);
330 	if (flag == PRIV_AWARE) {
331 		if (val != 0)
332 			priv_set_PA(cr);
333 		else
334 			priv_adjust_PA(cr);
335 	} else {
336 		CR_FLAGS(cr) = newflags;
337 	}
338 
339 	/*
340 	 * Unsetting the flag has as side effect getting rid of
341 	 * the per-credential policy.
342 	 */
343 	if (flag == PRIV_XPOLICY && val == 0)
344 		crsetcrklpd(cr, NULL);
345 
346 	if (use_curcred) {
347 		p->p_cred = cr;
348 		mutex_exit(&p->p_crlock);
349 		crset(p, cr);
350 	}
351 
352 	return (0);
353 }
354 
355 /*
356  * Getpflags.  Currently only implements single bit flags.
357  */
358 uint_t
359 getpflags(uint_t flag, const cred_t *cr)
360 {
361 	if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
362 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
363 	    flag != PRIV_XPOLICY && flag != PRIV_AWARE_RESET)
364 		return ((uint_t)-1);
365 
366 	return ((CR_FLAGS(cr) & flag) != 0);
367 }
368 
369 /*
370  * Privilege system call entry point
371  */
372 int
373 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
374     int itype)
375 {
376 	int retv;
377 	extern int issetugid(void);
378 
379 	switch (code) {
380 	case PRIVSYS_SETPPRIV:
381 		if (bufsize < sizeof (priv_set_t))
382 			return (set_errno(ENOMEM));
383 		return (setppriv(op, type, buf));
384 	case PRIVSYS_GETPPRIV:
385 		if (bufsize < sizeof (priv_set_t))
386 			return (set_errno(ENOMEM));
387 		return (getppriv(type, buf));
388 	case PRIVSYS_GETIMPLINFO:
389 		return (getprivimplinfo(buf, bufsize));
390 	case PRIVSYS_SETPFLAGS:
391 		retv = setpflags((uint_t)op, (uint_t)type, NULL);
392 		return (retv != 0 ? set_errno(retv) : 0);
393 	case PRIVSYS_GETPFLAGS:
394 		retv = (int)getpflags((uint_t)op, CRED());
395 		return (retv == -1 ? set_errno(EINVAL) : retv);
396 	case PRIVSYS_ISSETUGID:
397 		return (issetugid());
398 	case PRIVSYS_KLPD_REG:
399 		if (bufsize < sizeof (priv_set_t))
400 			return (set_errno(ENOMEM));
401 		return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
402 		    buf));
403 	case PRIVSYS_KLPD_UNREG:
404 		return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
405 	}
406 	return (set_errno(EINVAL));
407 }
408 
409 #ifdef _SYSCALL32_IMPL
410 int
411 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
412     size32_t bufsize, int itype)
413 {
414 	return (privsys(code, op, type, (void *)(uintptr_t)buf,
415 	    (size_t)bufsize, itype));
416 }
417 #endif
418