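/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */
/*
 * Copyright (c) 2013 by Delphix. All rights reserved.
 */
/*
 * Program to examine or set process privileges.
 *
 * Three modes, selected on the command line:
 *   - report (default): grab each pid or core named on the command line,
 *     print its privilege sets and flags;
 *   - set (-D/-N/-P/-x/-s): modify the privilege sets and/or flags of
 *     each named live process (cores are rejected in this mode);
 *   - -e: apply the requested changes to this process and exec a command;
 *   - -l: list privilege names (optionally with their descriptions).
 */

#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/resource.h>	/* struct rlimit, getrlimit/setrlimit in main() */
#include <libproc.h>
#include <priv.h>
#include <errno.h>
#include <ctype.h>

#include <locale.h>
#include <langinfo.h>

static int look(char *);
static void fatal(const char *);
static void perr(char *);
static void usage(void);
static void loadprivinfo(void);
static int parsespec(const char *);
static void privupdate(prpriv_t *, const char *);
static void privupdate_self(void);
static int dumppriv(char **);
static void flags2str(uint_t);

static char *command;		/* basename of argv[0], used in messages */
static char *procname;		/* target currently being examined, for perr() */
static boolean_t verb = B_FALSE;	/* -v: verbose privilege names/text */
static boolean_t set = B_FALSE;		/* any option that modifies a target */
static boolean_t exec = B_FALSE;	/* -e: modify self, then exec */
static boolean_t Don = B_FALSE;		/* -D: turn PRIV_DEBUG on */
static boolean_t Doff = B_FALSE;	/* -N: turn PRIV_DEBUG off */
static boolean_t list = B_FALSE;	/* -l: list privileges */
static boolean_t mac_aware = B_FALSE;	/* -M: set NET_MAC_AWARE (with -e) */
static boolean_t pfexec = B_FALSE;	/* -P: set PRIV_PFEXEC */
static boolean_t xpol = B_FALSE;	/* -x: set PRIV_XPOLICY */
static int mode = PRIV_STR_PORT;	/* priv_set_to_str() formatting mode */

/*
 * Parse options, then dispatch to the exec, list or examine/set path.
 *
 * Returns 0 on success; otherwise the number of targets that failed in
 * report/set mode, the dumppriv() failure count in list mode, or the
 * (negative) execvp() result when the exec fails.  Option misuse exits
 * through usage().
 */
int
main(int argc, char **argv)
{
	int rc = 0;
	int opt;
	struct rlimit rlim;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	if ((command = strrchr(argv[0], '/')) != NULL)
		command++;
	else
		command = argv[0];

	while ((opt = getopt(argc, argv, "lDMNPevs:xS")) != EOF) {
		switch (opt) {
		case 'l':
			list = B_TRUE;
			break;
		case 'D':
			set = B_TRUE;
			Don = B_TRUE;
			break;
		case 'M':
			mac_aware = B_TRUE;
			break;
		case 'N':
			set = B_TRUE;
			Doff = B_TRUE;
			break;
		case 'P':
			set = B_TRUE;
			pfexec = B_TRUE;
			break;
		case 'e':
			exec = B_TRUE;
			break;
		case 'S':
			mode = PRIV_STR_SHORT;
			break;
		case 'v':
			verb = B_TRUE;
			mode = PRIV_STR_LIT;
			break;
		case 's':
			set = B_TRUE;
			/* parsespec() exits on a bad spec; rc is for form. */
			if ((rc = parsespec(optarg)) != 0)
				return (rc);
			break;
		case 'x':
			set = B_TRUE;
			xpol = B_TRUE;
			break;
		default:
			usage();
			/*NOTREACHED*/
		}
	}

	argc -= optind;
	argv += optind;

	/*
	 * A target (or a command for -e) is required unless listing; -D and
	 * -N conflict; -l takes neither modifications nor -e; -M only makes
	 * sense for the exec'ed command.
	 */
	if ((argc < 1 && !list) || (Doff && Don) || (list && (set || exec)) ||
	    (mac_aware && !exec))
		usage();

	/*
	 * Make sure we'll have enough file descriptors to handle a target
	 * that has many many mappings.
	 */
	if (getrlimit(RLIMIT_NOFILE, &rlim) == 0) {
		rlim.rlim_cur = rlim.rlim_max;
		(void) setrlimit(RLIMIT_NOFILE, &rlim);
		(void) enable_extended_FILE_stdio(-1, -1);
	}

	if (exec) {
		privupdate_self();
		/* Only returns on failure; the error is reported here. */
		rc = execvp(argv[0], &argv[0]);
		(void) fprintf(stderr, "%s: %s: %s\n", command, argv[0],
		    strerror(errno));
	} else if (list) {
		rc = dumppriv(argv);
	} else {
		while (argc-- > 0)
			rc += look(*argv++);
	}

	return (rc);
}

/*
 * Examine (or, when 'set' is true, modify) the privileges of one target.
 *
 * 'arg' names a pid or a core file.  In set mode only pids are accepted
 * and the process is grabbed writable; otherwise it is grabbed read-only.
 * The prpriv_t returned by Ppriv() comes from the target's PRNOTES section
 * when the target is a core, so every size and offset in it is validated
 * before it is used.
 *
 * Returns 0 on success, 1 on any failure (a message has been printed).
 */
static int
look(char *arg)
{
	struct ps_prochandle *Pr;
	int gcode;
	size_t sz;
	void *pdata;
	char *x, *end;
	int i;
	boolean_t nodata;
	prpriv_t *ppriv;

	procname = arg;		/* for perr() */

	if ((Pr = proc_arg_grab(arg, set ? PR_ARG_PIDS : PR_ARG_ANY,
	    PGRAB_RETAIN | PGRAB_FORCE | (set ? 0 : PGRAB_RDONLY) |
	    PGRAB_NOSTOP, &gcode)) == NULL) {
		(void) fprintf(stderr, "%s: cannot examine %s: %s\n",
		    command, arg, Pgrab_error(gcode));
		return (1);
	}

	/* Ppriv() allocates ppriv; it is freed on every exit path below. */
	if (Ppriv(Pr, &ppriv) == -1) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}
	sz = PRIV_PRPRIV_SIZE(ppriv);

	/*
	 * The ppriv fields are unsigned and may overflow, so check them
	 * separately. Size must be word aligned, so check that too.
	 * Make sure size is "smallish" too.
	 */
	if ((sz & 3) || ppriv->pr_nsets == 0 ||
	    sz / ppriv->pr_nsets < ppriv->pr_setsize ||
	    ppriv->pr_infosize > sz || sz > 1024 * 1024) {
		(void) fprintf(stderr,
		    "%s: %s: bad PRNOTES section, size = %lx\n",
		    command, arg, (long)sz);
		Prelease(Pr, 0);
		free(ppriv);
		return (1);
	}

	if (set) {
		privupdate(ppriv, arg);
		if (Psetpriv(Pr, ppriv) != 0) {
			perr(command);
			Prelease(Pr, 0);
			free(ppriv);
			return (1);
		}
		Prelease(Pr, 0);
		free(ppriv);
		return (0);
	}

	if (Pstate(Pr) == PS_DEAD) {
		(void) printf("core '%s' of %d:\t%.70s\n",
		    arg, (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		/*
		 * A core carries its own privilege implementation info;
		 * without it the set names and bits cannot be decoded and
		 * the raw chunks are dumped instead.
		 */
		pdata = Pprivinfo(Pr);
		nodata = Pstate(Pr) == PS_DEAD && pdata == NULL;
	} else {
		(void) printf("%d:\t%.70s\n",
		    (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		pdata = NULL;
		nodata = B_FALSE;
	}

	/*
	 * Walk the priv_info_t entries in the trailing pr_infosize bytes.
	 * Both pr_infosize and each entry's priv_info_size come from the
	 * target, so an entry header is only read once it is known to fit
	 * in the bytes that remain, and an entry's payload only once its
	 * declared size has been checked against those same bytes.
	 */
	end = (char *)ppriv + sz;
	x = end - ppriv->pr_infosize;
	while (x < end) {
		priv_info_t *pi;
		priv_info_uint_t *pii;
		size_t remain = (size_t)(end - x);

		if (remain < sizeof (priv_info_t)) {
			(void) fprintf(stderr,
			    "%s: truncated priv_info: %lu bytes left\n",
			    arg, (unsigned long)remain);
			break;
		}
		/* LINTED: alignment */
		pi = (priv_info_t *)x;
		if (pi->priv_info_size > remain ||
		    pi->priv_info_size <= sizeof (priv_info_t) ||
		    (pi->priv_info_size & 3) != 0) {
			(void) fprintf(stderr, "%s: bad priv_info_size: %u\n",
			    arg, pi->priv_info_size);
			break;
		}

		switch (pi->priv_info_type) {
		case PRIV_INFO_FLAGS:
			/* LINTED: alignment */
			pii = (priv_info_uint_t *)x;
			(void) printf("flags =");
			flags2str(pii->val);
			(void) putchar('\n');
			break;
		default:
			(void) fprintf(stderr, "%s: unknown priv_info: %d\n",
			    arg, pi->priv_info_type);
			break;
		}
		x += pi->priv_info_size;
	}

	for (i = 0; i < ppriv->pr_nsets; i++) {
		/* Private libc entry point that decodes with a core's info. */
		extern const char *__priv_getsetbynum(const void *, int);
		const char *setnm = pdata ? __priv_getsetbynum(pdata, i) :
		    priv_getsetbynum(i);
		priv_chunk_t *pc =
		    (priv_chunk_t *)&ppriv->pr_sets[ppriv->pr_setsize * i];

		(void) printf("\t%c: ", setnm && !nodata ? *setnm : '?');
		if (!nodata) {
			extern char *__priv_set_to_str(void *,
			    const priv_set_t *, char, int);
			priv_set_t *pset = (priv_set_t *)pc;
			char *s;

			if (pdata)
				s = __priv_set_to_str(pdata, pset, ',', mode);
			else
				s = priv_set_to_str(pset, ',', mode);
			/* Both converters allocate and return NULL on failure. */
			if (s == NULL) {
				Prelease(Pr, 0);
				free(ppriv);
				fatal("priv_set_to_str");
			}
			(void) puts(s);
			free(s);
		} else {
			int j;

			/* No decoding info: print the raw set words. */
			for (j = 0; j < ppriv->pr_setsize; j++)
				(void) printf("%08x", pc[j]);
			(void) putchar('\n');
		}
	}
	Prelease(Pr, 0);
	free(ppriv);
	return (0);
}

/*
 * Report "<command>: <s>: <strerror(errno)>" and exit with status 3.
 */
static void
fatal(const char *s)
{
	(void) fprintf(stderr, "%s: %s: %s\n", command, s, strerror(errno));
	exit(3);
}

/*
 * perror()-style report for the current target (procname).
 *
 * With a non-NULL 's' the output is "<procname>: <s>: <strerror>";
 * with NULL it is "<procname>: <strerror>".  errno is preserved across
 * the first fprintf() so perror() reports the original error.
 */
static void
perr(char *s)
{
	int err = errno;

	if (s != NULL)
		(void) fprintf(stderr, "%s: ", procname);
	else
		s = procname;

	errno = err;
	perror(s);
}

/*
 * Print the usage message and exit with status 2.  The option list
 * mirrors the getopt() string in main().
 */
static void
usage(void)
{
	(void) fprintf(stderr,
	    "usage:\t%s [-v] [-S] [-D|-N] [-P] [-x] [-s spec] "
	    "{ pid | core } ...\n"
	    "\t%s -e [-D|-N] [-M] [-P] [-x] [-s spec] cmd [args ...]\n"
	    "\t%s -l [-v] [privilege ...]\n"
	    "  (report, set or list process privileges)\n", command,
	    command, command);
	exit(2);
	/*NOTREACHED*/
}

/*
 * Parse the privilege bits to add and/or remove from
 * a privilege set.
 *
 * [EPIL][+-=]priv,priv,priv
 */

/*
 * Return the index of 'c' (upper-cased) in 'str', or -1 when absent.
 * A NUL is rejected explicitly so that strchr() can never match the
 * terminator and report an index one past the last set letter.
 */
static int
strindex(char c, const char *str)
{
	const char *s;

	if (c == '\0')
		return (-1);

	if (islower((unsigned char)c))
		c = (char)toupper((unsigned char)c);

	s = strchr(str, c);

	return (s == NULL ? -1 : (int)(s - str));
}

/*
 * Report an unparsable -s specification and exit with status 3.
 */
static void
badspec(const char *spec)
{
	(void) fprintf(stderr, "%s: bad privilege specification: \"%s\"\n",
	    command, spec);
	exit(3);
	/*NOTREACHED*/
}

/*
 * For each set, you can set either add and/or
 * remove or you can set assign.
 *
 * rem/add/assign are indexed by set number; an entry owns its priv_set_t
 * (each entry is a distinct allocation, never shared between indices).
 * rem[] entries are stored inverted so that they can be applied with
 * priv_intersect().  'sets' holds the upper-cased first letter of every
 * set name, in set-number order, as a NUL-terminated string.
 */
static priv_set_t **rem, **add, **assign;
static const priv_impl_info_t *pri = NULL;
static char *sets;

/*
 * One-time initialisation of pri, sets, rem, add and assign from the
 * kernel's privilege implementation info.  Exits via fatal() on failure.
 */
static void
loadprivinfo(void)
{
	int i;

	if (pri != NULL)
		return;

	pri = getprivimplinfo();

	if (pri == NULL)
		fatal("getprivimplinfo");

	sets = malloc(pri->priv_nsets + 1);
	if (sets == NULL)
		fatal("malloc");

	for (i = 0; i < pri->priv_nsets; i++) {
		const char *nm = priv_getsetbynum(i);

		if (nm == NULL)
			fatal("priv_getsetbynum");
		sets[i] = *nm;
		if (islower((unsigned char)sets[i]))
			sets[i] = (char)toupper((unsigned char)sets[i]);
	}

	sets[pri->priv_nsets] = '\0';

	rem = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	add = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	assign = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	if (rem == NULL || add == NULL || assign == NULL)
		fatal("calloc");
}

/*
 * Parse one -s argument of the form [sets][+-=]priv,priv,... and merge
 * it into rem/add/assign.  An empty set list or 'a'/'A' means all sets.
 *
 * Returns 0; every error exits the program (badspec(), fatal(), or the
 * conflicting-spec message with status 1).
 */
static int
parsespec(const char *spec)
{
	char *p;
	const char *q;
	int count;
	priv_set_t ***toupd = NULL;
	priv_set_t *upd;
	int i;
	boolean_t freeupd = B_TRUE;

	if (pri == NULL)
		loadprivinfo();

	p = strpbrk(spec, "+-=");

	if (p == NULL || p - spec > pri->priv_nsets)
		badspec(spec);

	if (p[1] == '\0' || (upd = priv_str_to_set(p + 1, ",", NULL)) == NULL)
		badspec(p + 1);

	count = p - spec;
	switch (*p) {
	case '+':
		toupd = &add;
		break;
	case '-':
		/* Stored inverted; applied later with priv_intersect(). */
		toupd = &rem;
		priv_inverse(upd);
		break;
	case '=':
		toupd = &assign;
		break;
	default:
		/* strpbrk() only returns one of "+-="; keep toupd defined. */
		badspec(spec);
		/*NOTREACHED*/
	}

	/* Update all sets? */
	if (count == 0 || *spec == 'a' || *spec == 'A') {
		count = pri->priv_nsets;
		q = sets;
	} else
		q = spec;

	for (i = 0; i < count; i++) {
		int ind = strindex(q[i], sets);

		if (ind == -1)
			badspec(spec);

		/* Assign is mutually exclusive with add/remove and itself */
		if (((toupd == &rem || toupd == &add) && assign[ind] != NULL) ||
		    (toupd == &assign && (assign[ind] != NULL ||
		    rem[ind] != NULL || add[ind] != NULL))) {
			(void) fprintf(stderr, "%s: conflicting spec: %s\n",
			    command, spec);
			exit(1);
		}
		if ((*toupd)[ind] != NULL) {
			/* Merge into the set already stored for this index. */
			if (*p == '-')
				priv_intersect(upd, (*toupd)[ind]);
			else
				priv_union(upd, (*toupd)[ind]);
		} else if (freeupd) {
			/* First empty index takes ownership of upd. */
			(*toupd)[ind] = upd;
			freeupd = B_FALSE;
		} else {
			/*
			 * upd is already owned by an earlier index.  Store a
			 * private copy here: a later spec merges into the
			 * stored set in place (the priv_intersect/priv_union
			 * branch above), so sharing one object between
			 * indices would leak that change into every set
			 * that aliases it.
			 */
			priv_set_t *copy = priv_allocset();

			if (copy == NULL)
				fatal("priv_allocset");
			priv_copyset(upd, copy);
			(*toupd)[ind] = copy;
		}
	}
	if (freeupd)
		priv_freeset(upd);
	return (0);
}

/*
 * Apply the parsed -s changes and the -D/-N/-P/-x flag changes to the
 * prpriv_t 'pr' of the target named 'arg', in place, ready for Psetpriv().
 *
 * When flags are to be changed, the existing PRIV_INFO_FLAGS entry is
 * located in the info area and the whole info area is replaced by a
 * single flags entry carrying the updated value.  When no flags entry is
 * found (or flags are not being changed) the info area is emptied.
 */
static void
privupdate(prpriv_t *pr, const char *arg)
{
	int i;

	if (sets != NULL) {
		for (i = 0; i < pri->priv_nsets; i++) {
			priv_set_t *target =
			    (priv_set_t *)&pr->pr_sets[pr->pr_setsize * i];
			if (rem[i] != NULL)
				priv_intersect(rem[i], target);
			if (add[i] != NULL)
				priv_union(add[i], target);
			if (assign[i] != NULL)
				priv_copyset(assign[i], target);
		}
	}

	if (Doff || Don || pfexec || xpol) {
		priv_info_uint_t *pii;
		size_t sz = PRIV_PRPRIV_SIZE(pr);
		char *end = (char *)pr + sz;
		char *x = (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr);
		uint32_t fl = 0;

		/*
		 * Same bounded walk as in look(): the header must fit in
		 * the remaining bytes before it is read, and the entry's
		 * declared size must fit before its payload is read.
		 */
		while (x < end) {
			priv_info_t *pi;
			size_t remain = (size_t)(end - x);

			if (remain < sizeof (priv_info_t))
				break;
			/* LINTED: alignment */
			pi = (priv_info_t *)x;
			if (pi->priv_info_size > remain ||
			    pi->priv_info_size <= sizeof (priv_info_t) ||
			    (pi->priv_info_size & 3) != 0)
				break;
			if (pi->priv_info_type == PRIV_INFO_FLAGS) {
				/* LINTED: alignment */
				pii = (priv_info_uint_t *)x;
				fl = pii->val;
				goto done;
			}
			x += pi->priv_info_size;
		}
		(void) fprintf(stderr,
		    "%s: cannot find privilege flags to set\n", arg);
		pr->pr_infosize = 0;
		return;
done:
		/*
		 * Rewrite the info area as a single flags entry at its
		 * start; the old entry found above was at least this large,
		 * so the buffer has room.
		 */
		pr->pr_infosize = sizeof (priv_info_uint_t);
		/* LINTED: alignment */
		pii = (priv_info_uint_t *)
		    ((char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));

		if (Don)
			fl |= PRIV_DEBUG;
		if (Doff)
			fl &= ~PRIV_DEBUG;
		if (pfexec)
			fl |= PRIV_PFEXEC;
		if (xpol)
			fl |= PRIV_XPOLICY;

		pii->info.priv_info_size = sizeof (*pii);
		pii->info.priv_info_type = PRIV_INFO_FLAGS;
		pii->val = fl;
	} else {
		pr->pr_infosize = 0;
	}
}

/*
 * Apply the parsed -s changes for one of this process's own sets.
 *
 * 'setname' is PRIV_INHERITABLE or PRIV_LIMIT; 'errlabel' is the message
 * given to fatal() when setppriv() fails; 'target' is scratch storage
 * owned by the caller.  Does nothing when no -s spec touched the set.
 * The current value is read first so that a failed getppriv() can never
 * leave uninitialised bits to be installed by setppriv().
 */
static void
privupdate_own_set(const char *setname, const char *errlabel,
    priv_set_t *target)
{
	int set = priv_getsetbyname(setname);

	if (set < 0)
		fatal("priv_getsetbyname");
	if (rem[set] == NULL && add[set] == NULL && assign[set] == NULL)
		return;

	if (getppriv(setname, target) != 0)
		fatal("getppriv");
	if (rem[set] != NULL)
		priv_intersect(rem[set], target);
	if (add[set] != NULL)
		priv_union(add[set], target);
	if (assign[set] != NULL)
		priv_copyset(assign[set], target);
	if (setppriv(PRIV_SET, setname, target) != 0)
		fatal(errlabel);
}

/*
 * Apply the requested changes to the calling process before execvp().
 *
 * Only the Inheritable and Limit sets are updated from -s (they are what
 * the exec'ed command inherits); -M, -P, -D/-N and -x are applied as
 * process flags.  The NET_MAC_AWARE and first PRIV_PFEXEC setpflags()
 * calls are fatal on failure; the trailing PRIV_DEBUG/PRIV_XPOLICY/
 * PRIV_PFEXEC calls are best-effort, as in the original.
 */
static void
privupdate_self(void)
{
	if (mac_aware) {
		if (setpflags(NET_MAC_AWARE, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE)");
		if (setpflags(NET_MAC_AWARE_INHERIT, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE_INHERIT)");
	}
	if (pfexec) {
		if (setpflags(PRIV_PFEXEC, 1) != 0)
			fatal("setpflags(PRIV_PFEXEC)");
	}

	if (sets != NULL) {
		priv_set_t *target = priv_allocset();

		if (target == NULL)
			fatal("priv_allocset");

		privupdate_own_set(PRIV_INHERITABLE, "setppriv(Inheritable)",
		    target);
		privupdate_own_set(PRIV_LIMIT, "setppriv(Limit)", target);
		priv_freeset(target);
	}

	if (Doff || Don)
		(void) setpflags(PRIV_DEBUG, Don ? 1 : 0);
	if (xpol)
		(void) setpflags(PRIV_XPOLICY, 1);
	if (pfexec)
		(void) setpflags(PRIV_PFEXEC, 1);
}

/*
 * Print one privilege name and, with -v, its description text indented
 * one line per line.  Returns 1 when the description is unavailable,
 * 0 otherwise.
 */
static int
dopriv(const char *p)
{
	(void) puts(p);
	if (verb) {
		char *text = priv_gettext(p);
		char *line, *nl;

		if (text == NULL)
			return (1);
		/* priv_gettext() allocates; lines are split in place. */
		for (line = text; (nl = strchr(line, '\n')) != NULL;
		    line = nl + 1) {
			*nl = '\0';
			(void) printf("\t%s\n", line);
		}
		free(text);
	}
	return (0);
}

/*
 * -l: list every privilege, or only those in the privilege lists given
 * as arguments.  Returns the number of failures (bad lists plus
 * dopriv() failures).
 */
static int
dumppriv(char **argv)
{
	int rc = 0;
	const char *pname;
	int i;

	if (argv[0] == NULL) {
		for (i = 0; ((pname = priv_getbynum(i++)) != NULL); )
			rc += dopriv(pname);
	} else {
		for (; *argv; argv++) {
			priv_set_t *pset = priv_str_to_set(*argv, ",", NULL);

			if (pset == NULL) {
				(void) fprintf(stderr, "%s: %s: bad privilege"
				    " list\n", command, *argv);
				rc++;
				continue;
			}
			for (i = 0; ((pname = priv_getbynum(i++)) != NULL); )
				if (priv_ismember(pset, pname))
					rc += dopriv(pname);
			/* priv_str_to_set() allocates the set. */
			priv_freeset(pset);
		}
	}
	return (rc);
}

/* Process privilege flag bits and their printable names. */
static const struct {
	int flag;
	const char *name;
} flags[] = {
	{ PRIV_DEBUG, "PRIV_DEBUG" },
	{ PRIV_AWARE, "PRIV_AWARE" },
	{ PRIV_AWARE_INHERIT, "PRIV_AWARE_INHERIT" },
	{ PRIV_AWARE_RESET, "PRIV_AWARE_RESET" },
	{ PRIV_XPOLICY, "PRIV_XPOLICY" },
	{ PRIV_PFEXEC, "PRIV_PFEXEC" },
	{ NET_MAC_AWARE, "NET_MAC_AWARE" },
	{ NET_MAC_AWARE_INHERIT, "NET_MAC_AWARE_INHERIT" },
};

/*
 * Print flags preceded by a space, '|'-separated, as " <none>" when zero.
 * Bits without a name in flags[] are printed as a final "<0x...>".
 */
static void
flags2str(uint_t pflags)
{
	char c = ' ';
	size_t i;

	if (pflags == 0) {
		(void) fputs(" <none>", stdout);
		return;
	}
	for (i = 0; i < sizeof (flags) / sizeof (flags[0]) && pflags != 0;
	    i++) {
		if ((pflags & flags[i].flag) != 0) {
			(void) printf("%c%s", c, flags[i].name);
			pflags &= ~flags[i].flag;
			c = '|';
		}
	}
	if (pflags != 0)
		(void) printf("%c<0x%x>", c, pflags);
}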