xref: /titanic_51/usr/src/uts/common/os/priv.c (revision 0c4606f05172c66c6c65847c0f940871a0ea1c15)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Privilege implementation.
28  *
29  * This file provides the infrastructure for privilege sets and limits
30  * the number of files that requires to include <sys/cred_impl.h> and/or
31  * <sys/priv_impl.h>.
32  *
33  * The Solaris privilege mechanism has been designed in a
34  * future proof manner.  While the kernel may use fixed size arrays
35  * and fixed bitmasks and bit values, the representation of those
36  * is kernel private.  All external interfaces as well as K-to-K interfaces
37  * have been constructed in a manner to provide the maximum flexibility.
38  *
39  * There can be X privilege sets each containing Y 32 bit words.
40  * <X, Y> are constant for a kernel invocation.
41  *
42  * As a consequence, all privilege set manipulation happens in functions
43  * below.
44  *
45  */
46 
47 #include <sys/systm.h>
48 #include <sys/ddi.h>
49 #include <sys/kmem.h>
50 #include <sys/sunddi.h>
51 #include <sys/errno.h>
52 #include <sys/debug.h>
53 #include <sys/priv_impl.h>
54 #include <sys/procfs.h>
55 #include <sys/policy.h>
56 #include <sys/cred_impl.h>
57 #include <sys/devpolicy.h>
58 #include <sys/atomic.h>
59 
60 /*
61  * Privilege name to number mapping table consists in the generated
62  * priv_const.c file.  This lock protects against updates of the privilege
63  * names and counts; all other priv_info fields are read-only.
64  * The actual protected values are:
65  *	global variable nprivs
66  *	the priv_max field
67  *	the priv_names field
68  *	the priv names info item (cnt/strings)
69  */
70 krwlock_t privinfo_lock;
71 
72 static boolean_t priv_valid(const cred_t *);
73 
74 priv_set_t priv_fullset;	/* set of all privileges */
75 priv_set_t priv_unsafe;	/* unsafe to exec set-uid root if these are not in L */
76 
77 /*
78  * Privilege initialization functions.
79  * Called from common/os/cred.c when cred_init is called.
80  */
81 
82 void
83 priv_init(void)
84 {
85 	rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
86 
87 	PRIV_BASIC_ASSERT(priv_basic);
88 	PRIV_UNSAFE_ASSERT(&priv_unsafe);
89 	priv_fillset(&priv_fullset);
90 
91 	/*
92 	 * When booting with priv_debug set, then we'll add an additional
93 	 * basic privilege and we verify that it is always present in E.
94 	 */
95 	if (priv_debug == 1 &&
96 	    (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
97 		priv_addset(priv_basic, priv_basic_test);
98 	}
99 
100 	devpolicy_init();
101 }
102 
103 /* Utility functions: privilege sets as opaque data types */
104 
105 /*
106  * Guts of prgetprivsize.
107  */
108 int
109 priv_prgetprivsize(prpriv_t *tmpl)
110 {
111 	return (sizeof (prpriv_t) +
112 	    PRIV_SETBYTES - sizeof (priv_chunk_t) +
113 	    (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
114 }
115 
116 /*
117  * Guts of prgetpriv.
118  */
119 void
120 cred2prpriv(const cred_t *cp, prpriv_t *pr)
121 {
122 	priv_set_t *psa;
123 	int i;
124 
125 	pr->pr_nsets = PRIV_NSET;
126 	pr->pr_setsize = PRIV_SETSIZE;
127 	pr->pr_infosize = priv_info->priv_infosize;
128 
129 	psa = (priv_set_t *)pr->pr_sets;
130 
131 	for (i = 0; i < PRIV_NSET; i++)
132 		psa[i] = *priv_getset(cp, i);
133 
134 	priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
135 }
136 
137 /*
138  * Guts of pr_spriv:
139  *
140  * Set the privileges of a process.
141  *
142  * In order to set the privileges, the setting process will need to
143  * have those privileges in its effective set in order to prevent
144  * specially privileged processes to easily gain additional privileges.
145  * Pre-existing privileges can be retained.  To change any privileges,
146  * PRIV_PROC_OWNER needs to be asserted.
147  *
148  * In formula:
149  *
150  *	S' <= S || S' <= S + Ea
151  *
152  * the new set must either be subset of the old set or a subset of
153  * the oldset merged with the effective set of the acting process; or just:
154  *
155  *	S' <= S + Ea
156  *
157  * It's not legal to grow the limit set this way.
158  *
159  */
160 int
161 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr)
162 {
163 	cred_t *oldcred;
164 	cred_t *newcred;
165 	int i;
166 	int err = EPERM;
167 	cred_priv_t *cp, *ocp;
168 	priv_set_t eset;
169 
170 	ASSERT(MUTEX_HELD(&p->p_lock));
171 
172 	/*
173 	 * Set must have proper dimension; infosize must be absent
174 	 * or properly sized.
175 	 */
176 	if (prpriv->pr_nsets != PRIV_NSET ||
177 	    prpriv->pr_setsize != PRIV_SETSIZE ||
178 	    (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 ||
179 	    prpriv->pr_infosize > priv_info->priv_infosize ||
180 	    prpriv->pr_infosize < 0)
181 		return (EINVAL);
182 
183 	mutex_exit(&p->p_lock);
184 
185 	if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) {
186 		mutex_enter(&p->p_lock);
187 		return (EPERM);
188 	}
189 
190 	newcred = crdup(oldcred);
191 
192 	/* Copy the privilege sets from prpriv to newcred */
193 	bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES);
194 
195 	cp = &newcred->cr_priv;
196 	ocp = &oldcred->cr_priv;
197 	eset = CR_OEPRIV(cr);
198 
199 	priv_intersect(&CR_LPRIV(oldcred), &eset);
200 
201 	/*
202 	 * Verify the constraints laid out:
203 	 * for the limit set, we require that the new set is a subset
204 	 * of the old limit set.
205 	 * for all other sets, we require that the new set is either a
206 	 * subset of the old set or a subset of the intersection of
207 	 * the old limit set and the effective set of the acting process.
208 	 */
209 	for (i = 0; i < PRIV_NSET; i++)
210 		if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) &&
211 		    (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset)))
212 			break;
213 
214 	crfree(oldcred);
215 
216 	if (i < PRIV_NSET || !priv_valid(newcred))
217 		goto err;
218 
219 	/* Load the settable privilege information */
220 	if (prpriv->pr_infosize > 0) {
221 		char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv);
222 		char *lastx = x + prpriv->pr_infosize;
223 
224 		while (x < lastx) {
225 			priv_info_t *pi = (priv_info_t *)x;
226 			priv_info_uint_t *pii;
227 
228 			switch (pi->priv_info_type) {
229 			case PRIV_INFO_FLAGS:
230 				pii = (priv_info_uint_t *)x;
231 				if (pii->info.priv_info_size != sizeof (*pii)) {
232 					err = EINVAL;
233 					goto err;
234 				}
235 				CR_FLAGS(newcred) &= ~PRIV_USER;
236 				CR_FLAGS(newcred) |= (pii->val & PRIV_USER);
237 				break;
238 			default:
239 				err = EINVAL;
240 				goto err;
241 			}
242 			/* Guarantee alignment and forward progress */
243 			if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) ||
244 			    pi->priv_info_size < sizeof (*pi) ||
245 			    lastx - x > pi->priv_info_size) {
246 				err = EINVAL;
247 				goto err;
248 			}
249 
250 			x += pi->priv_info_size;
251 		}
252 	}
253 
254 	/*
255 	 * We'll try to copy the privilege aware flag; but since the
256 	 * privileges sets are all individually set, they are set
257 	 * as if we're privilege aware.  If PRIV_AWARE wasn't set
258 	 * or was explicitely unset, we need to set the flag and then
259 	 * try to get rid of it.
260 	 */
261 	if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) {
262 		CR_FLAGS(newcred) |= PRIV_AWARE;
263 		priv_adjust_PA(newcred);
264 	}
265 
266 	mutex_enter(&p->p_crlock);
267 	oldcred = p->p_cred;
268 	p->p_cred = newcred;
269 	mutex_exit(&p->p_crlock);
270 	crfree(oldcred);
271 
272 	mutex_enter(&p->p_lock);
273 	return (0);
274 
275 err:
276 	crfree(newcred);
277 	mutex_enter(&p->p_lock);
278 	return (err);
279 }
280 
281 priv_impl_info_t
282 *priv_hold_implinfo(void)
283 {
284 	rw_enter(&privinfo_lock, RW_READER);
285 	return (priv_info);
286 }
287 
288 void
289 priv_release_implinfo(void)
290 {
291 	rw_exit(&privinfo_lock);
292 }
293 
294 size_t
295 priv_get_implinfo_size(void)
296 {
297 	return (privinfosize);
298 }
299 
300 
301 /*
302  * Return the nth privilege set
303  */
304 const priv_set_t *
305 priv_getset(const cred_t *cr, int set)
306 {
307 	ASSERT(PRIV_VALIDSET(set));
308 
309 	if ((CR_FLAGS(cr) & PRIV_AWARE) == 0)
310 		switch (set) {
311 		case PRIV_EFFECTIVE:
312 			return (&CR_OEPRIV(cr));
313 		case PRIV_PERMITTED:
314 			return (&CR_OPPRIV(cr));
315 		}
316 	return (&CR_PRIVS(cr)->crprivs[set]);
317 }
318 
319 /*
320  * Buf must be allocated by caller and contain sufficient space to
321  * contain all additional info structures using priv_info.priv_infosize.
322  * The buffer must be properly aligned.
323  */
324 /*ARGSUSED*/
325 void
326 priv_getinfo(const cred_t *cr, void *buf)
327 {
328 	struct priv_info_uint *ii;
329 
330 	ii = buf;
331 	ii->val = CR_FLAGS(cr);
332 	ii->info.priv_info_size = (uint32_t)sizeof (*ii);
333 	ii->info.priv_info_type = PRIV_INFO_FLAGS;
334 }
335 
336 int
337 priv_getbyname(const char *name, uint_t flag)
338 {
339 	int i;
340 	int wheld = 0;
341 	int len;
342 	char *p;
343 
344 	if (flag != 0 && flag != PRIV_ALLOC)
345 		return (-EINVAL);
346 
347 	if (strncasecmp(name, "priv_", 5) == 0)
348 		name += 5;
349 
350 	rw_enter(&privinfo_lock, RW_READER);
351 rescan:
352 	for (i = 0; i < nprivs; i++)
353 		if (strcasecmp(priv_names[i], name) == 0) {
354 			rw_exit(&privinfo_lock);
355 			return (i);
356 		}
357 
358 
359 	if (!wheld) {
360 		if (!(flag & PRIV_ALLOC)) {
361 			rw_exit(&privinfo_lock);
362 			return (-EINVAL);
363 		}
364 
365 		/* check length, validity and available space */
366 		len = strlen(name) + 1;
367 
368 		if (len > PRIVNAME_MAX) {
369 			rw_exit(&privinfo_lock);
370 			return (-ENAMETOOLONG);
371 		}
372 
373 		for (p = (char *)name; *p != '\0'; p++) {
374 			char c = *p;
375 
376 			if (!((c >= 'A' && c <= 'Z') ||
377 			    (c >= 'a' && c <= 'z') ||
378 			    (c >= '0' && c <= '9') ||
379 			    c == '_')) {
380 				rw_exit(&privinfo_lock);
381 				return (-EINVAL);
382 			}
383 		}
384 
385 		if (!rw_tryupgrade(&privinfo_lock)) {
386 			rw_exit(&privinfo_lock);
387 			rw_enter(&privinfo_lock, RW_WRITER);
388 			wheld = 1;
389 			/* Someone may have added our privilege */
390 			goto rescan;
391 		}
392 	}
393 
394 	if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) {
395 		rw_exit(&privinfo_lock);
396 		return (-ENOMEM);
397 	}
398 
399 	priv_names[i] = p = priv_str + privbytes;
400 
401 	bcopy(name, p, len);
402 
403 	/* make the priv_names[i] and privilege name globally visible */
404 	membar_producer();
405 
406 	/* adjust priv count and bytes count */
407 	priv_ninfo->cnt = priv_info->priv_max = ++nprivs;
408 	privbytes += len;
409 
410 	rw_exit(&privinfo_lock);
411 	return (i);
412 }
413 
414 /*
415  * We can't afford locking the privileges here because of the locations
416  * we call this from; so we make sure that the privileges table
417  * is visible to us; it is made visible before the value of nprivs is
418  * updated.
419  */
420 const char *
421 priv_getbynum(int priv)
422 {
423 	int maxpriv = nprivs;
424 
425 	membar_consumer();
426 
427 	if (priv >= 0 && priv < maxpriv)
428 		return (priv_names[priv]);
429 
430 	return (NULL);
431 }
432 
433 const char *
434 priv_getsetbynum(int setno)
435 {
436 	if (!PRIV_VALIDSET(setno))
437 		return (NULL);
438 
439 	return (priv_setnames[setno]);
440 }
441 
442 /*
443  * Privilege sanity checking when setting: E <= P.
444  */
445 static boolean_t
446 priv_valid(const cred_t *cr)
447 {
448 	return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
449 }
450 
451 /*
452  * Privilege manipulation functions
453  *
454  * Without knowing the details of the privilege set implementation,
455  * opaque pointers can be used to manipulate sets at will.
456  */
457 void
458 priv_emptyset(priv_set_t *set)
459 {
460 	bzero(set, sizeof (*set));
461 }
462 
463 void
464 priv_fillset(priv_set_t *set)
465 {
466 	int i;
467 
468 	/* memset? */
469 	for (i = 0; i < PRIV_SETSIZE; i++)
470 		set->pbits[i] = ~(priv_chunk_t)0;
471 }
472 
473 void
474 priv_addset(priv_set_t *set, int priv)
475 {
476 	ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
477 	__PRIV_ASSERT(set, priv);
478 }
479 
480 void
481 priv_delset(priv_set_t *set, int priv)
482 {
483 	ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
484 	__PRIV_CLEAR(set, priv);
485 }
486 
487 boolean_t
488 priv_ismember(const priv_set_t *set, int priv)
489 {
490 	ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
491 	return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE);
492 }
493 
494 #define	PRIV_TEST_BODY(test) \
495 	int i; \
496 \
497 	for (i = 0; i < PRIV_SETSIZE; i++) \
498 		if (!(test)) \
499 			return (B_FALSE); \
500 \
501 	return (B_TRUE)
502 
503 boolean_t
504 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
505 {
506 	return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
507 }
508 
509 boolean_t
510 priv_isemptyset(const priv_set_t *set)
511 {
512 	PRIV_TEST_BODY(set->pbits[i] == 0);
513 }
514 
515 boolean_t
516 priv_isfullset(const priv_set_t *set)
517 {
518 	PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0);
519 }
520 
521 /*
522  * Return true if a is a subset of b
523  */
524 boolean_t
525 priv_issubset(const priv_set_t *a, const priv_set_t *b)
526 {
527 	PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]);
528 }
529 
530 #define	PRIV_CHANGE_BODY(a, op, b) \
531 	int i; \
532 \
533 	for (i = 0; i < PRIV_SETSIZE; i++) \
534 		a->pbits[i] op b->pbits[i]
535 
536 /* B = A ^ B */
537 void
538 priv_intersect(const priv_set_t *a, priv_set_t *b)
539 {
540 	/* CSTYLED */
541 	PRIV_CHANGE_BODY(b, &=, a);
542 }
543 
544 /* B = A v B */
545 void
546 priv_union(const priv_set_t *a, priv_set_t *b)
547 {
548 	/* CSTYLED */
549 	PRIV_CHANGE_BODY(b, |=, a);
550 }
551 
552 /* A = ! A */
553 void
554 priv_inverse(priv_set_t *a)
555 {
556 	PRIV_CHANGE_BODY(a, = ~, a);
557 }
558 
559 /*
560  * Can the source cred act on the target credential?
561  *
562  * We will you allow to gain uids this way but not privileges.
563  */
564 int
565 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode)
566 {
567 	const priv_set_t *eset;
568 	int idsmatch;
569 	cred_t *tcr;
570 	int res = 0;
571 
572 	/* prevent the cred from going away */
573 	mutex_enter(&tp->p_crlock);
574 	crhold(tcr = tp->p_cred);
575 	mutex_exit(&tp->p_crlock);
576 
577 	if (scr == tcr && !(tp->p_flag & SNOCD))
578 		goto out;
579 
580 	idsmatch = (scr->cr_uid == tcr->cr_uid &&
581 	    scr->cr_uid == tcr->cr_ruid &&
582 	    scr->cr_uid == tcr->cr_suid &&
583 	    scr->cr_gid == tcr->cr_gid &&
584 	    scr->cr_gid == tcr->cr_rgid &&
585 	    scr->cr_gid == tcr->cr_sgid &&
586 	    !(tp->p_flag & SNOCD));
587 
588 	/*
589 	 * Source credential must have the proc_zone privilege if referencing
590 	 * a process in another zone.
591 	 */
592 	if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) {
593 		res = EACCES;
594 		goto out;
595 	}
596 
597 	if (!(mode & VWRITE)) {
598 		if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0)
599 			res = EACCES;
600 		goto out;
601 	}
602 
603 	/*
604 	 * For writing, the effective set of scr must dominate all sets of tcr,
605 	 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
606 	 * The Limit set of scr must be a superset of the limitset of
607 	 * tcr.
608 	 */
609 	eset = &CR_OEPRIV(scr);
610 
611 	if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
612 	    !priv_issubset(&CR_OPPRIV(tcr), eset) ||
613 	    !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
614 	    !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
615 		res = EACCES;
616 
617 out:
618 	if (res == 0 && pcr != NULL)
619 		*pcr = tcr;
620 	else
621 		crfree(tcr);
622 	return (res);
623 }
624 
625 /*
626  * Set the privilege aware bit, adding L to E/P if necessary.
627  * Each time we set it, we also clear PRIV_AWARE_RESET.
628  */
629 void
630 priv_set_PA(cred_t *cr)
631 {
632 	ASSERT(cr->cr_ref <= 2);
633 
634 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE)
635 		return;
636 
637 	CR_FLAGS(cr) |= PRIV_AWARE;
638 	CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
639 
640 	if (cr->cr_uid == 0)
641 		priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr));
642 
643 	if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0)
644 		priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr));
645 }
646 
647 boolean_t
648 priv_can_clear_PA(const cred_t *cr)
649 {
650 	/*
651 	 * We can clear PA in the following cases:
652 	 *
653 	 * None of the uids are 0.
654 	 * Any uid == 0 and P == L and (Euid != 0 or E == L)
655 	 */
656 	return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) ||
657 	    priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) &&
658 	    (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr))));
659 }
660 
661 /*
662  * Clear privilege aware bit if it is an idempotent operation and by
663  * clearing it the process cannot get to uid 0 and all privileges.
664  *
665  * This function should be called with caution as it may cause "E" to be
666  * lost once a processes assumes euid 0 again.
667  */
668 void
669 priv_adjust_PA(cred_t *cr)
670 {
671 	ASSERT(cr->cr_ref <= 2);
672 
673 	if (!(CR_FLAGS(cr) & PRIV_AWARE) ||
674 	    !priv_can_clear_PA(cr)) {
675 		CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
676 		return;
677 	}
678 
679 	if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT)
680 		return;
681 
682 	/*
683 	 * We now need to adjust P/E in those cases when uids
684 	 * are zero; the rules are P' = I & L, E' = I & L;
685 	 * but since P = L and E = L, we can use P &= I, E &= I,
686 	 * depending on which uids are 0.
687 	 */
688 	if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) {
689 		if (cr->cr_uid == 0)
690 			priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr));
691 		priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr));
692 	}
693 
694 	CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
695 }
696 
697 /*
698  * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET
699  * flag.
700  */
701 void
702 priv_reset_PA(cred_t *cr, boolean_t finalize)
703 {
704 	ASSERT(cr->cr_ref <= 2);
705 
706 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) !=
707 	    (PRIV_AWARE|PRIV_AWARE_RESET)) {
708 		CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
709 		return;
710 	}
711 
712 	/*
713 	 * When PRIV_AWARE_RESET is enabled, any change of uids causes
714 	 * a change to the P and E sets.  Bracketing with
715 	 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid)
716 	 * will cause the privilege sets "do the right thing.".
717 	 * When the change of the uid is "final", e.g., by using setuid(uid),
718 	 * or setreuid(uid, uid) or when the last set*uid() call causes all
719 	 * uids to be the same, we set P and E to I & L, like when you exec.
720 	 * We make an exception when all the uids are 0; this is required
721 	 * when we login as root as in that particular case we cannot
722 	 * make a distinction between seteuid(0) and seteuid(uid).
723 	 * We rely on seteuid/setreuid/setuid to tell us with the
724 	 * "finalize" argument that we no longer expect new uid changes,
725 	 * cf. setreuid(uid, uid) and setuid(uid).
726 	 */
727 	if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) {
728 		if (finalize || cr->cr_uid != 0) {
729 			CR_EPRIV(cr) = CR_IPRIV(cr);
730 			priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
731 			CR_PPRIV(cr) = CR_EPRIV(cr);
732 			CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
733 		} else {
734 			CR_EPRIV(cr) = CR_PPRIV(cr);
735 		}
736 	} else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) {
737 		CR_EPRIV(cr) = CR_IPRIV(cr);
738 		priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
739 	}
740 }
741