/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Program to examine or set process privileges.
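*/

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/resource.h>	/* struct rlimit, getrlimit(), setrlimit() */
#include <libproc.h>
#include <priv.h>
#include <errno.h>
#include <ctype.h>

#include <locale.h>
#include <langinfo.h>

static int look(char *);
static void perr(char *);
static void usage(void);
static void loadprivinfo(void);
static int parsespec(const char *);
static void privupdate(prpriv_t *, const char *);
static void privupdate_self(void);
static void privupdate_self_set(const char *, const char *, priv_set_t *);
static int dumppriv(char **);
static void flags2str(uint_t);

static char *command;			/* basename of argv[0], for messages */
static char *procname;			/* current target, for perr() */
static boolean_t verb = B_FALSE;	/* -v: verbose */
static boolean_t set = B_FALSE;		/* -s/-D/-N: modify, don't just report */
static boolean_t exec = B_FALSE;	/* -e: modify ourselves, then exec */
static boolean_t Don = B_FALSE;		/* -D: turn PRIV_DEBUG on */
static boolean_t Doff = B_FALSE;	/* -N: turn PRIV_DEBUG off */
static boolean_t list = B_FALSE;	/* -l: list privilege names */
static boolean_t mac_aware = B_FALSE;	/* -M: set NET_MAC_AWARE* (with -e) */
static int mode = PRIV_STR_PORT;	/* rendering mode for priv_set_to_str() */

/*
 * Entry point.  Depending on the options this either execs a command
 * after adjusting our own privileges (-e), lists privilege names (-l),
 * or examines/modifies the privileges of each pid or core named on the
 * command line.
 *
 * Returns 0 on success; otherwise the number of targets that failed.
 * Bad option combinations exit through usage() with status 2, a bad
 * -s spec exits through badspec() with status 3.  If execvp() fails the
 * (-1) return of execvp() is propagated as the exit status, as before.
 */
int
main(int argc, char **argv)
{
	int rc = 0;
	int opt;
	struct rlimit rlim;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	if ((command = strrchr(argv[0], '/')) != NULL)
		command++;
	else
		command = argv[0];

	while ((opt = getopt(argc, argv, "lDMNevs:S")) != EOF) {
		switch (opt) {
		case 'l':
			list = B_TRUE;
			break;
		case 'D':
			set = B_TRUE;
			Don = B_TRUE;
			break;
		case 'M':
			mac_aware = B_TRUE;
			break;
		case 'N':
			set = B_TRUE;
			Doff = B_TRUE;
			break;
		case 'e':
			exec = B_TRUE;
			break;
		case 'S':
			mode = PRIV_STR_SHORT;
			break;
		case 'v':
			verb = B_TRUE;
			mode = PRIV_STR_LIT;
			break;
		case 's':
			set = B_TRUE;
			if ((rc = parsespec(optarg)) != 0)
				return (rc);
			break;
		default:
			usage();
			/*NOTREACHED*/
		}
	}

	argc -= optind;
	argv += optind;

	/*
	 * Reject incompatible combinations: a target (or a command for -e)
	 * is required unless listing, -D and -N contradict each other,
	 * -l takes no modifiers, and -M only applies to the process we exec.
	 */
	if ((argc < 1 && !list) || (Doff && Don) || (list && (set || exec)) ||
	    (mac_aware && !exec))
		usage();

	/*
	 * Make sure we'll have enough file descriptors to handle a target
	 * that has many many mappings.
	 */
	if (getrlimit(RLIMIT_NOFILE, &rlim) == 0) {
		rlim.rlim_cur = rlim.rlim_max;
		(void) setrlimit(RLIMIT_NOFILE, &rlim);
	}

	if (exec) {
		privupdate_self();
		rc = execvp(argv[0], &argv[0]);
		/* execvp() only returns on failure. */
		(void) fprintf(stderr, "%s: %s: %s\n", command, argv[0],
		    strerror(errno));
	} else if (list) {
		rc = dumppriv(argv);
	} else {
		while (argc-- > 0)
			rc += look(*argv++);
	}

	return (rc);
}

/*
 * Examine or update the privileges of one target, a pid or a core file.
 *
 * With "set" the target is grabbed writable, the parsed -s/-D/-N changes
 * are applied to the fetched prpriv_t and written back with Psetpriv().
 * Otherwise the privilege flags and every privilege set are printed.
 *
 * The prpriv_t is self-describing (pr_nsets, pr_setsize, pr_infosize and
 * per-record priv_info_size) and, for a core file, untrusted input, so
 * every length is validated before it is used to index the buffer.
 *
 * Returns 0 on success, 1 on failure (a diagnostic has been printed).
 */
static int
look(char *arg)
{
	static size_t pprivsz = sizeof (prpriv_t);
	static prpriv_t *ppriv;

	struct ps_prochandle *Pr;
	int gcode;
	int n;
	size_t sz;
	void *pdata;
	char *x, *end;
	int i;
	boolean_t nodata;

	procname = arg;	/* for perr() */

	if ((Pr = proc_arg_grab(arg, set ? PR_ARG_PIDS : PR_ARG_ANY,
	    PGRAB_RETAIN | PGRAB_FORCE | (set ? 0 : PGRAB_RDONLY) |
	    PGRAB_NOSTOP, &gcode)) == NULL) {
		(void) fprintf(stderr, "%s: cannot examine %s: %s\n",
		    command, arg, Pgrab_error(gcode));
		return (1);
	}

	/* The buffer is kept across targets and only ever grows. */
	if (ppriv == NULL && (ppriv = malloc(pprivsz)) == NULL) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}

	/*
	 * First fetch: at least the fixed header, whose counts tell us how
	 * large the whole structure is.
	 */
	if ((n = Ppriv(Pr, ppriv, pprivsz)) == -1) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}

	/*
	 * A short result (possible for a truncated core note) would leave
	 * the header fields uninitialized; refuse before reading them.
	 */
	if ((size_t)n < sizeof (prpriv_t)) {
		(void) fprintf(stderr,
		    "%s: %s: bad PRNOTES section, size = %lx\n",
		    command, arg, (long)n);
		Prelease(Pr, 0);
		return (1);
	}

	sz = PRIV_PRPRIV_SIZE(ppriv);

	/*
	 * The ppriv fields are unsigned and may overflow, so check them
	 * separately.  Size must be word aligned, so check that too.
	 * Make sure size is "smallish" too.  A zero pr_setsize is never
	 * valid and would make PRIV_PRPRIV_SIZE() wrap, so reject it.
	 */
	if ((sz & 3) || ppriv->pr_nsets == 0 || ppriv->pr_setsize == 0 ||
	    sz / ppriv->pr_nsets < ppriv->pr_setsize ||
	    ppriv->pr_infosize > sz || sz > 1024 * 1024) {
		(void) fprintf(stderr,
		    "%s: %s: bad PRNOTES section, size = %lx\n",
		    command, arg, (long)sz);
		Prelease(Pr, 0);
		return (1);
	}

	if (sz > pprivsz) {
		/* Keep the old buffer valid if realloc() fails. */
		prpriv_t *np = realloc(ppriv, sz);

		if (np == NULL) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		ppriv = np;
		pprivsz = sz;
	}

	/*
	 * If the first read did not already cover the full structure,
	 * fetch it again with the real size; anything but exactly sz
	 * bytes means the data is truncated.
	 */
	if ((size_t)n < sz) {
		if ((n = Ppriv(Pr, ppriv, sz)) == -1) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		if ((size_t)n != sz) {
			(void) fprintf(stderr,
			    "%s: %s: bad PRNOTES section, size = %lx\n",
			    command, arg, (long)n);
			Prelease(Pr, 0);
			return (1);
		}
	}

	if (set) {
		privupdate(ppriv, arg);
		if (Psetpriv(Pr, ppriv) != 0) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		Prelease(Pr, 0);
		return (0);
	}

	if (Pstate(Pr) == PS_DEAD) {
		(void) printf("core '%s' of %d:\t%.70s\n",
		    arg, (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		/*
		 * A core carries its own privilege implementation info;
		 * without it the set names and privilege names of this
		 * kernel cannot be assumed to apply, so only hex is shown.
		 */
		pdata = Pprivinfo(Pr);
		nodata = (pdata == NULL);
	} else {
		(void) printf("%d:\t%.70s\n",
		    (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		pdata = NULL;
		nodata = B_FALSE;
	}

	/*
	 * Walk the trailing priv_info records.  Each record header is
	 * validated against the bytes actually remaining in the buffer
	 * (not merely against pr_infosize, which would let a later record
	 * reach past the end) before any of its fields are interpreted.
	 */
	end = (char *)ppriv + sz;
	x = end - ppriv->pr_infosize;
	while (x < end) {
		/* LINTED: alignment */
		priv_info_t *pi = (priv_info_t *)x;
		priv_info_uint_t *pii;
		size_t left = (size_t)(end - x);

		if (left < sizeof (priv_info_t)) {
			(void) fprintf(stderr,
			    "%s: truncated priv_info, %lu bytes left\n",
			    arg, (unsigned long)left);
			break;
		}
		if (pi->priv_info_size <= sizeof (priv_info_t) ||
		    pi->priv_info_size > left ||
		    (pi->priv_info_size & 3) != 0) {
			(void) fprintf(stderr, "%s: bad priv_info_size: %u\n",
			    arg, pi->priv_info_size);
			break;
		}

		switch (pi->priv_info_type) {
		case PRIV_INFO_FLAGS:
			/* The record must hold the whole uint payload. */
			if (pi->priv_info_size < sizeof (priv_info_uint_t)) {
				(void) fprintf(stderr,
				    "%s: bad priv_info_size: %u\n",
				    arg, pi->priv_info_size);
				break;
			}
			/* LINTED: alignment */
			pii = (priv_info_uint_t *)x;
			(void) printf("flags =");
			flags2str(pii->val);
			(void) putchar('\n');
			break;
		default:
			(void) fprintf(stderr, "%s: unknown priv_info: %d\n",
			    arg, pi->priv_info_type);
			break;
		}
		x += pi->priv_info_size;
	}

	for (i = 0; i < ppriv->pr_nsets; i++) {
		extern const char *__priv_getsetbynum(const void *, int);
		extern char *__priv_set_to_str(void *,
		    const priv_set_t *, char, int);
		const char *setnm = pdata ? __priv_getsetbynum(pdata, i)
		    : priv_getsetbynum(i);
		priv_chunk_t *pc = (priv_chunk_t *)
		    &ppriv->pr_sets[ppriv->pr_setsize * i];

		(void) printf("\t%c: ", setnm && !nodata ? *setnm : '?');
		if (!nodata) {
			priv_set_t *pset = (priv_set_t *)pc;
			char *s;

			if (pdata)
				s = __priv_set_to_str(pdata, pset, ',', mode);
			else
				s = priv_set_to_str(pset, ',', mode);
			if (s == NULL) {
				/* Allocation failure; don't puts(NULL). */
				(void) putchar('\n');
				perr(command);
			} else {
				(void) puts(s);
				free(s);
			}
		} else {
			int j;

			/* No implementation info: dump the raw chunks. */
			for (j = 0; j < ppriv->pr_setsize; j++)
				(void) printf("%08x", pc[j]);
			(void) putchar('\n');
		}
	}
	Prelease(Pr, 0);
	return (0);
}

/*
 * Print "command: s: strerror(errno)" and exit with status 3.
 */
static void
fatal(const char *s)
{
	(void) fprintf(stderr, "%s: %s: %s\n", command, s, strerror(errno));
	exit(3);
}

/*
 * perror()-style report for the current target.  With a non-NULL s the
 * output is "procname: s: strerror(errno)"; with s == NULL it is
 * "procname: strerror(errno)".  errno is preserved across the fprintf().
 */
static void
perr(char *s)
{
	int err = errno;

	if (s != NULL)
		(void) fprintf(stderr, "%s: ", procname);
	else
		s = procname;

	errno = err;
	perror(s);
}

/*
 * Print the usage synopsis and exit with status 2.
 */
static void
usage(void)
{
	(void) fprintf(stderr,
	    "usage:\t%s [-v] [-S] [-D|-N] [-s spec] { pid | core } ...\n"
	    "\t%s -e [-D|-N] [-M] [-s spec] cmd [args ...]\n"
	    "\t%s -l [-v] [privilege ...]\n"
	    "  (report, set or list process privileges)\n", command,
	    command, command);
	exit(2);
	/*NOTREACHED*/
}

/*
 * Return the index of set letter c (case-insensitively) in the set
 * letter string str, or -1 if it does not occur.  c comes from argv, so
 * it is converted through unsigned char before the ctype calls; a NUL
 * is never a set letter (strchr() would otherwise "find" the terminator).
 */
static int
strindex(char c, const char *str)
{
	unsigned char uc = (unsigned char)c;
	const char *s;

	if (uc == '\0')
		return (-1);

	if (islower(uc))
		uc = (unsigned char)toupper(uc);

	s = strchr(str, uc);

	if (s == NULL)
		return (-1);
	else
		return (s - str);
}

/*
 * Complain about a malformed -s argument and exit with status 3.
 */
static void
badspec(const char *spec)
{
	(void) fprintf(stderr, "%s: bad privilege specification: \"%s\"\n",
	    command, spec);
	exit(3);
	/*NOTREACHED*/
}

/*
 * For each set, you can set either add and/or
 * remove or you can set assign.
 *
 * rem[i] holds the complement of the privileges to remove from set i
 * (applied with priv_intersect), add[i] the privileges to add
 * (priv_union) and assign[i] a complete replacement (priv_copyset).
 * Each slot owns its own priv_set_t.
 */
static priv_set_t **rem, **add, **assign;
static const priv_impl_info_t *pri = NULL;
static char *sets;	/* one upper-case letter per set, NUL terminated */

/*
 * Load the privilege implementation info of this kernel and build the
 * "sets" letter string and the per-set rem/add/assign tables.
 * Idempotent; exits through fatal() on any failure.
 */
static void
loadprivinfo(void)
{
	int i;

	if (pri != NULL)
		return;

	pri = getprivimplinfo();

	if (pri == NULL)
		fatal("getprivimplinfo");

	sets = malloc(pri->priv_nsets + 1);
	if (sets == NULL)
		fatal("malloc");

	for (i = 0; i < pri->priv_nsets; i++) {
		const char *nm = priv_getsetbynum(i);

		if (nm == NULL || *nm == '\0')
			fatal("priv_getsetbynum");
		sets[i] = (char)toupper((unsigned char)*nm);
	}

	sets[pri->priv_nsets] = '\0';

	rem = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	add = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	assign = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	if (rem == NULL || add == NULL || assign == NULL)
		fatal("calloc");
}

/*
 * Parse the privilege bits to add and/or remove from
 * a privilege set.
 *
 *	[EPIL][+-=]priv,priv,priv
 *
 * An empty set list or a leading 'a'/'A' means all sets.  Add/remove
 * specs for the same set accumulate; an assign conflicts with anything
 * else for that set (exit 1).  Malformed specs exit through badspec().
 *
 * Returns 0 (every failure exits).
 */
static int
parsespec(const char *spec)
{
	char *p;
	const char *q;
	int count;
	priv_set_t ***toupd = NULL;
	priv_set_t *upd;
	int i;

	if (pri == NULL)
		loadprivinfo();

	p = strpbrk(spec, "+-=");

	if (p == NULL || p - spec > pri->priv_nsets)
		badspec(spec);

	if (p[1] == '\0' || (upd = priv_str_to_set(p + 1, ",", NULL)) == NULL)
		badspec(p + 1);

	count = p - spec;
	switch (*p) {
	case '+':
		toupd = &add;
		break;
	case '-':
		/* Removal is stored as the complement, applied by intersect. */
		toupd = &rem;
		priv_inverse(upd);
		break;
	case '=':
		toupd = &assign;
		break;
	default:
		badspec(spec);	/* cannot happen: strpbrk() found one */
		/*NOTREACHED*/
	}

	/* Update all sets? */
	if (count == 0 || *spec == 'a' || *spec == 'A') {
		count = pri->priv_nsets;
		q = sets;
	} else {
		q = spec;
	}

	for (i = 0; i < count; i++) {
		int ind = strindex(q[i], sets);

		if (ind == -1)
			badspec(spec);

		/* Assign is mutually exclusive with add/remove and itself */
		if (((toupd == &rem || toupd == &add) && assign[ind] != NULL) ||
		    (toupd == &assign && (assign[ind] != NULL ||
		    rem[ind] != NULL || add[ind] != NULL))) {
			(void) fprintf(stderr, "%s: conflicting spec: %s\n",
			    command, spec);
			exit(1);
		}
		if ((*toupd)[ind] != NULL) {
			if (*p == '-')
				priv_intersect(upd, (*toupd)[ind]);
			else
				priv_union(upd, (*toupd)[ind]);
		} else {
			/*
			 * Give each set its own copy.  One spec may name
			 * several sets, and a later spec for one of them
			 * updates the stored set in place; sharing a single
			 * priv_set_t between slots would leak that update
			 * into sets the later spec did not name.
			 */
			priv_set_t *copy = priv_allocset();

			if (copy == NULL)
				fatal("priv_allocset");
			priv_copyset(upd, copy);
			(*toupd)[ind] = copy;
		}
	}
	priv_freeset(upd);
	return (0);
}

/*
 * Apply the parsed -s specs and the -D/-N flag change to a prpriv_t
 * fetched from a target process, in place, ready for Psetpriv().
 *
 * The trailing info area is rewritten to either nothing (no flag
 * change) or a single PRIV_INFO_FLAGS record carrying the target's
 * current flags with PRIV_DEBUG set or cleared.  If no flags record is
 * found the flag change is dropped with a message on stderr.
 */
static void
privupdate(prpriv_t *pr, const char *arg)
{
	int i;

	if (sets != NULL) {
		/*
		 * The tables are sized by this kernel's set count; for a
		 * live target that should equal pr_nsets, but never index
		 * past either.
		 */
		for (i = 0; i < pri->priv_nsets && i < pr->pr_nsets; i++) {
			priv_set_t *target =
			    (priv_set_t *)&pr->pr_sets[pr->pr_setsize * i];

			if (rem[i] != NULL)
				priv_intersect(rem[i], target);
			if (add[i] != NULL)
				priv_union(add[i], target);
			if (assign[i] != NULL)
				priv_copyset(assign[i], target);
		}
	}

	if (!(Doff || Don)) {
		pr->pr_infosize = 0;
		return;
	}

	{
		size_t sz = PRIV_PRPRIV_SIZE(pr);
		char *end = (char *)pr + sz;
		char *x = (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr);
		priv_info_uint_t *pii = NULL;
		uint32_t fl = 0;

		/*
		 * Find the existing flags record.  Validate each header
		 * against the bytes remaining before reading its fields.
		 */
		while (x < end) {
			/* LINTED: alignment */
			priv_info_t *pi = (priv_info_t *)x;
			size_t left = (size_t)(end - x);

			if (left < sizeof (priv_info_t) ||
			    pi->priv_info_size <= sizeof (priv_info_t) ||
			    pi->priv_info_size > left ||
			    (pi->priv_info_size & 3) != 0)
				break;
			if (pi->priv_info_type == PRIV_INFO_FLAGS &&
			    pi->priv_info_size >= sizeof (priv_info_uint_t)) {
				/* LINTED: alignment */
				pii = (priv_info_uint_t *)x;
				fl = pii->val;
				break;
			}
			x += pi->priv_info_size;
		}

		if (pii == NULL) {
			(void) fprintf(stderr,
			    "%s: cannot find privilege flags to set\n", arg);
			pr->pr_infosize = 0;
			return;
		}

		if (Don)
			fl |= PRIV_DEBUG;
		else
			fl &= ~PRIV_DEBUG;

		/*
		 * Replace the whole info area with one flags record; the
		 * record found above guarantees the buffer has room for it.
		 */
		pr->pr_infosize = sizeof (priv_info_uint_t);
		/* LINTED: alignment */
		pii = (priv_info_uint_t *)
		    ((char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
		pii->info.priv_info_size = sizeof (*pii);
		pii->info.priv_info_type = PRIV_INFO_FLAGS;
		pii->val = fl;
	}
}

/*
 * Apply the parsed changes for one of our own sets through setppriv().
 * setname is the priv.h set name (e.g. PRIV_INHERITABLE), label is used
 * only in the failure message, scratch is a caller-provided priv_set_t.
 * Does nothing if no -s spec named that set; exits via fatal() on error.
 */
static void
privupdate_self_set(const char *setname, const char *label,
    priv_set_t *scratch)
{
	int ind = priv_getsetbyname(setname);

	if (ind < 0)
		fatal(setname);
	if (rem[ind] == NULL && add[ind] == NULL && assign[ind] == NULL)
		return;

	if (getppriv(setname, scratch) != 0)
		fatal("getppriv");
	if (rem[ind] != NULL)
		priv_intersect(rem[ind], scratch);
	if (add[ind] != NULL)
		priv_union(add[ind], scratch);
	if (assign[ind] != NULL)
		priv_copyset(assign[ind], scratch);
	if (setppriv(PRIV_SET, setname, scratch) != 0)
		fatal(label);
}

/*
 * Apply the requested changes to this process before exec (-e).
 *
 * Only the Inheritable and Limit sets are applied here; specs naming
 * other sets are not applied by this path.  -M sets NET_MAC_AWARE and
 * NET_MAC_AWARE_INHERIT first; -D/-N toggles PRIV_DEBUG last.
 */
static void
privupdate_self(void)
{
	if (mac_aware) {
		if (setpflags(NET_MAC_AWARE, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE)");
		if (setpflags(NET_MAC_AWARE_INHERIT, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE_INHERIT)");
	}

	if (sets != NULL) {
		priv_set_t *target = priv_allocset();

		if (target == NULL)
			fatal("priv_allocset");

		privupdate_self_set(PRIV_INHERITABLE,
		    "setppriv(Inheritable)", target);
		privupdate_self_set(PRIV_LIMIT, "setppriv(Limit)", target);
		priv_freeset(target);
	}

	if (Doff || Don)
		(void) setpflags(PRIV_DEBUG, Don ? 1 : 0);
}

/*
 * Print one privilege name and, with -v, its description text indented
 * by a tab per line.  Returns 1 if no description is available, else 0.
 */
static int
dopriv(const char *p)
{
	(void) puts(p);
	if (verb) {
		char *text = priv_gettext(p);
		char *line, *nl;

		if (text == NULL)
			return (1);
		for (line = text; (nl = strchr(line, '\n')) != NULL;
		    line = nl + 1)
			(void) printf("\t%.*s", (int)(nl - line + 1), line);
		/* Don't drop a trailing line that lacks a newline. */
		if (*line != '\0')
			(void) printf("\t%s\n", line);
		free(text);
	}
	return (0);
}

/*
 * -l: list every privilege known to this kernel, or, given privilege
 * list arguments, only the privileges named by them.  Returns the
 * number of bad lists plus the number of privileges without description
 * text (counted by dopriv()).
 */
static int
dumppriv(char **argv)
{
	int rc = 0;
	const char *pname;
	int i;

	if (argv[0] == NULL) {
		for (i = 0; (pname = priv_getbynum(i)) != NULL; i++)
			rc += dopriv(pname);
		return (rc);
	}

	for (; *argv != NULL; argv++) {
		priv_set_t *pset = priv_str_to_set(*argv, ",", NULL);

		if (pset == NULL) {
			(void) fprintf(stderr, "%s: %s: bad privilege"
			    " list\n", command, *argv);
			rc++;
			continue;
		}
		for (i = 0; (pname = priv_getbynum(i)) != NULL; i++)
			if (priv_ismember(pset, pname))
				rc += dopriv(pname);
		priv_freeset(pset);
	}
	return (rc);
}

/*
 * Names for the bits of the PRIV_INFO_FLAGS value.  NET_MAC_AWARE and
 * NET_MAC_AWARE_INHERIT are the flags -M sets; they are listed so that
 * they are named rather than printed as raw hex should the kernel
 * report them in this record.  Unknown bits are still shown in hex.
 */
static const struct {
	int flag;
	const char *name;
} flags[] = {
	{ PRIV_DEBUG, "PRIV_DEBUG" },
	{ PRIV_AWARE, "PRIV_AWARE" },
	{ PRIV_AWARE_INHERIT, "PRIV_AWARE_INHERIT" },
	{ NET_MAC_AWARE, "NET_MAC_AWARE" },
	{ NET_MAC_AWARE_INHERIT, "NET_MAC_AWARE_INHERIT" },
};

/*
 * Print flags preceded by a space, '|'-separated; " <none>" for zero,
 * and any bits not in the table as "<0x..>".
 */
static void
flags2str(uint_t pflags)
{
	char c = ' ';
	int i;

	if (pflags == 0) {
		(void) fputs(" <none>", stdout);
		return;
	}
	for (i = 0; i < sizeof (flags)/sizeof (flags[0]) && pflags != 0; i++) {
		if ((pflags & flags[i].flag) != 0) {
			(void) printf("%c%s", c, flags[i].name);
			pflags &= ~flags[i].flag;
			c = '|';
		}
	}
	if (pflags != 0)
		(void) printf("%c<0x%x>", c, pflags);
}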