/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 *
 * Program to examine or set process privileges.
 *
 * Three modes, selected in main():
 *   - examine/set the privilege sets and flags of pids (or cores, when
 *     only examining) via libproc;
 *   - -e: adjust this process's own sets/flags and then exec a command;
 *   - -l: list privilege names (and, with -v, their descriptions).
 */

#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <limits.h>
#include <sys/types.h>
#include <libproc.h>
#include <priv.h>
#include <errno.h>
#include <ctype.h>

#include <locale.h>
#include <langinfo.h>

/*
 * Forward declarations for helpers used before their definition.
 * fatal(), strindex(), badspec() and dopriv() are defined before their
 * first use and so have no prototype here.
 */
static int look(char *);
static void perr(char *);
static void usage(void);
static void loadprivinfo(void);
static int parsespec(const char *);
static void privupdate(prpriv_t *, const char *);
static void privupdate_self(void);
static int dumppriv(char **);
static void flags2str(uint_t);

/* Basename of argv[0]; prefixes every diagnostic. */
static char *command;
/* Target currently being examined; set by look() for perr(). */
static char *procname;
/* -v: verbose listing (also selects PRIV_STR_LIT output). */
static boolean_t verb = B_FALSE;
/* Any of -D/-N/-P/-s/-x: the target's privileges are to be modified. */
static boolean_t set = B_FALSE;
/* -e: apply the changes to ourselves and exec the remaining arguments. */
static boolean_t exec = B_FALSE;
/* -D / -N: turn the PRIV_DEBUG flag on / off. */
static boolean_t Don = B_FALSE;
static boolean_t Doff = B_FALSE;
/* -l: list privileges instead of examining targets. */
static boolean_t list = B_FALSE;
/* -M: set NET_MAC_AWARE and NET_MAC_AWARE_INHERIT; only valid with -e. */
static boolean_t mac_aware = B_FALSE;
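/* -P: set the PRIV_PFEXEC flag. */
static boolean_t pfexec = B_FALSE;
/* -x: set the PRIV_XPOLICY flag. */
static boolean_t xpol = B_FALSE;
/* Output format for priv_set_to_str(); -S and -v override the default. */
static int mode = PRIV_STR_PORT;

/*
 * Entry point.  Parses the options, rejects contradictory combinations,
 * and then either execs a command with updated privileges (-e), lists
 * privileges (-l), or examines/sets each pid or core on the command line.
 *
 * Returns the number of targets that failed; for -e the execvp() result
 * is returned, which is only reached when the exec itself failed.
 * usage() and parsespec() exit directly on bad arguments.
 */
int
main(int argc, char **argv)
{
	int rc = 0;
	int opt;
	struct rlimit rlim;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	/* Basename of argv[0], used as the prefix of all diagnostics. */
	if ((command = strrchr(argv[0], '/')) != NULL)
		command++;
	else
		command = argv[0];

	while ((opt = getopt(argc, argv, "lDMNPevs:xS")) != EOF) {
		switch (opt) {
		case 'l':
			list = B_TRUE;
			break;
		case 'D':
			set = B_TRUE;
			Don = B_TRUE;
			break;
		case 'M':
			mac_aware = B_TRUE;
			break;
		case 'N':
			set = B_TRUE;
			Doff = B_TRUE;
			break;
		case 'P':
			set = B_TRUE;
			pfexec = B_TRUE;
			break;
		case 'e':
			exec = B_TRUE;
			break;
		case 'S':
			mode = PRIV_STR_SHORT;
			break;
		case 'v':
			verb = B_TRUE;
			mode = PRIV_STR_LIT;
			break;
		case 's':
			set = B_TRUE;
			/* parsespec() exits on a bad spec; it returns 0 otherwise. */
			if ((rc = parsespec(optarg)) != 0)
				return (rc);
			break;
		case 'x':
			set = B_TRUE;
			xpol = B_TRUE;
			break;
		default:
			usage();
			/*NOTREACHED*/
		}
	}

	argc -= optind;
	argv += optind;

	/*
	 * Contradictory combinations: a target is required unless listing,
	 * -D and -N exclude each other, -l cannot be combined with setting
	 * or exec'ing, and -M is only meaningful with -e.
	 */
	if ((argc < 1 && !list) || (Doff && Don) || (list && (set || exec)) ||
	    (mac_aware && !exec))
		usage();

	/*
	 * Make sure we'll have enough file descriptors to handle a target
	 * that has many many mappings.
	 */
	if (getrlimit(RLIMIT_NOFILE, &rlim) == 0) {
		rlim.rlim_cur = rlim.rlim_max;
		(void) setrlimit(RLIMIT_NOFILE, &rlim);
		(void) enable_extended_FILE_stdio(-1, -1);
	}

	if (exec) {
		/* Adjust our own privileges and flags, then replace the image. */
		privupdate_self();
		rc = execvp(argv[0], &argv[0]);
		/* Only reached when execvp() failed. */
		(void) fprintf(stderr, "%s: %s: %s\n", command, argv[0],
		    strerror(errno));
	} else if (list) {
		rc = dumppriv(argv);
	} else {
		while (argc-- > 0)
			rc += look(*argv++);
	}

	return (rc);
}

/*
 * Examine one target, or update it when "set" is true.  A target is a
 * pid, or a core file when only examining.  When examining, the target's
 * flags and each privilege set are printed to stdout in the format
 * selected by "mode".
 *
 * The prpriv_t buffer is static: it is allocated once and grown as
 * required, since the size the target reports can vary.
 *
 * Returns 0 on success and 1 on any failure (a diagnostic is printed).
 */
static int
look(char *arg)
{
	static size_t pprivsz = sizeof (prpriv_t);
	static prpriv_t *ppriv;

	struct ps_prochandle *Pr;
	int gcode;
	size_t sz;
	void *pdata;
	char *x;
	int i;
	boolean_t nodata;

	procname = arg;	/* for perr() */

	/* Setting needs a live process; examining also accepts a core. */
	if ((Pr = proc_arg_grab(arg, set ? PR_ARG_PIDS : PR_ARG_ANY,
	    PGRAB_RETAIN | PGRAB_FORCE | (set ? 0 : PGRAB_RDONLY) |
	    PGRAB_NOSTOP, &gcode)) == NULL) {
		(void) fprintf(stderr, "%s: cannot examine %s: %s\n",
		    command, arg, Pgrab_error(gcode));
		return (1);
	}

	if (ppriv == NULL) {
		ppriv = malloc(pprivsz);
		if (ppriv == NULL) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
	}

	/* First read: the fixed header tells us the real size. */
	if (Ppriv(Pr, ppriv, pprivsz) == -1) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}

	sz = PRIV_PRPRIV_SIZE(ppriv);

	/*
	 * The ppriv fields are unsigned and may overflow, so check them
	 * separately. Size must be word aligned, so check that too.
	 * Make sure size is "smallish" too.  For a core file these values
	 * come straight from the file, so they are not trusted.
	 */
	if ((sz & 3) || ppriv->pr_nsets == 0 ||
	    sz / ppriv->pr_nsets < ppriv->pr_setsize ||
	    ppriv->pr_infosize > sz || sz > 1024 * 1024) {
		(void) fprintf(stderr,
		    "%s: %s: bad PRNOTES section, size = %lx\n",
		    command, arg, (long)sz);
		Prelease(Pr, 0);
		return (1);
	}

	if (sz > pprivsz) {
		/*
		 * Grow through a temporary so that a failed realloc()
		 * keeps the old, still valid, buffer instead of leaking it.
		 */
		prpriv_t *grown = realloc(ppriv, sz);
		int got;

		if (grown == NULL) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		ppriv = grown;
		pprivsz = sz;

		/* Second read with the full size. */
		got = Ppriv(Pr, ppriv, sz);
		if (got < 0 || (size_t)got != sz) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
	}

	if (set) {
		privupdate(ppriv, arg);
		if (Psetpriv(Pr, ppriv) != 0) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		Prelease(Pr, 0);
		return (0);
	}

	if (Pstate(Pr) == PS_DEAD) {
		(void) printf("core '%s' of %d:\t%.70s\n",
		    arg, (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		/*
		 * A core carries its own privilege implementation info;
		 * without it neither set names nor contents can be decoded.
		 */
		pdata = Pprivinfo(Pr);
		nodata = (pdata == NULL);
	} else {
		(void) printf("%d:\t%.70s\n",
		    (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		pdata = NULL;
		nodata = B_FALSE;
	}

	/* Walk the trailing priv_info records (pr_infosize <= sz was checked). */
	x = (char *)ppriv + sz - ppriv->pr_infosize;
	while (x < (char *)ppriv + sz) {
		size_t left = (size_t)((char *)ppriv + sz - x);
		/* LINTED: alignment */
		priv_info_t *pi = (priv_info_t *)x;
		priv_info_uint_t *pii;

		/*
		 * Validate a record before touching its payload: the header
		 * must fit in what is left, and so must the whole record.
		 */
		if (left < sizeof (priv_info_t)) {
			(void) fprintf(stderr, "%s: truncated priv_info\n", arg);
			break;
		}
		if (pi->priv_info_size > left ||
		    pi->priv_info_size <= sizeof (priv_info_t) ||
		    (pi->priv_info_size & 3) != 0) {
			(void) fprintf(stderr, "%s: bad priv_info_size: %u\n",
			    arg, pi->priv_info_size);
			break;
		}

		switch (pi->priv_info_type) {
		case PRIV_INFO_FLAGS:
			/* LINTED: alignment */
			pii = (priv_info_uint_t *)x;
			(void) printf("flags =");
			flags2str(pii->val);
			(void) putchar('\n');
			break;
		default:
			(void) fprintf(stderr, "%s: unknown priv_info: %d\n",
			    arg, pi->priv_info_type);
			break;
		}
		x += pi->priv_info_size;
	}

	for (i = 0; i < ppriv->pr_nsets; i++) {
		extern const char *__priv_getsetbynum(const void *, int);
		const char *setnm = pdata ? __priv_getsetbynum(pdata, i) :
		    priv_getsetbynum(i);
		priv_chunk_t *pc =
		    (priv_chunk_t *)&ppriv->pr_sets[ppriv->pr_setsize * i];

		(void) printf("\t%c: ", setnm && !nodata ? *setnm : '?');
		if (!nodata) {
			extern char *__priv_set_to_str(void *,
			    const priv_set_t *, char, int);
			priv_set_t *pset = (priv_set_t *)pc;
			char *s;

			/* Use the core's own privilege names when it has them. */
			if (pdata)
				s = __priv_set_to_str(pdata, pset, ',', mode);
			else
				s = priv_set_to_str(pset, ',', mode);
			if (s == NULL) {
				/* Allocation failure: keep the line structure. */
				perr(command);
				(void) putchar('\n');
			} else {
				(void) puts(s);
				free(s);
			}
		} else {
			/* No names available: dump the raw chunks in hex. */
			int j;

			for (j = 0; j < ppriv->pr_setsize; j++)
				(void) printf("%08x", pc[j]);
			(void) putchar('\n');
		}
	}
	Prelease(Pr, 0);
	return (0);
}

/*
 * Print "command: s: strerror(errno)" to stderr and exit with status 3.
 */
static void
fatal(const char *s)
{
	(void) fprintf(stderr, "%s: %s: %s\n", command, s, strerror(errno));
	exit(3);
}

/*
 * perror()-style diagnostic for the target named by "procname".
 * With a non-NULL s the output is "procname: s: strerror(errno)";
 * with NULL it is "procname: strerror(errno)".  errno is saved across
 * the first fprintf() so perror() reports the original error.
 */
static void
perr(char *s)
{
	int err = errno;

	if (s != NULL)
		(void) fprintf(stderr, "%s: ", procname);
	else
		s = procname;

	errno = err;
	perror(s);
}

/*
 * Print the synopsis and exit with status 2.
 * NOTE(review): -P (PRIV_PFEXEC) and -x (PRIV_XPOLICY) are accepted by
 * getopt() in main() but are not shown in this synopsis.
 */
static void
usage(void)
{
	(void) fprintf(stderr,
	    "usage:\t%s [-v] [-S] [-D|-N] [-s spec] { pid | core } ...\n"
	    "\t%s -e [-D|-N] [-M] [-s spec] cmd [args ...]\n"
	    "\t%s -l [-v] [privilege ...]\n"
	    "  (report, set or list process privileges)\n", command,
	    command, command);
	exit(2);
	/*NOTREACHED*/
}

/*
 * Parse the privilege bits to add and/or remove from
 * a privilege set.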
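 *
 * [EPIL][+-=]priv,priv,priv
 */

/*
 * Return the index of c (upper-cased) within str, or -1 when absent.
 * Maps a set letter from a -s spec to its set number in "sets".
 */
static int
strindex(char c, const char *str)
{
	const char *s;

	/* <ctype.h> takes unsigned char values; a plain char may be negative. */
	if (islower((unsigned char)c))
		c = (char)toupper((unsigned char)c);

	s = strchr(str, c);

	if (s == NULL)
		return (-1);
	else
		return ((int)(s - str));
}

/*
 * Report a malformed -s specification and exit with status 3.
 */
static void
badspec(const char *spec)
{
	(void) fprintf(stderr, "%s: bad privilege specification: \"%s\"\n",
	    command, spec);
	exit(3);
	/*NOTREACHED*/
}

/*
 * For each set, you can set either add and/or
 * remove or you can set assign.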
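 */
/* Per-set edits from -s specs, indexed by set number; NULL = no edit. */
static priv_set_t **rem, **add, **assign;
/* Privilege implementation info; NULL until loadprivinfo() ran. */
static const priv_impl_info_t *pri = NULL;
/* Upper-cased first letter of each set name, NUL terminated. */
static char *sets;

/*
 * Load the privilege implementation info once and build the "sets"
 * letter index and the rem/add/assign tables.  Exits via fatal() when
 * the info or memory cannot be obtained.
 */
static void
loadprivinfo(void)
{
	int i;

	if (pri != NULL)
		return;

	pri = getprivimplinfo();

	if (pri == NULL)
		fatal("getprivimplinfo");

	sets = malloc(pri->priv_nsets + 1);
	if (sets == NULL)
		fatal("malloc");

	/* One letter per set, upper-cased so specs are case-insensitive. */
	for (i = 0; i < pri->priv_nsets; i++) {
		sets[i] = *priv_getsetbynum(i);
		if (islower((unsigned char)sets[i]))
			sets[i] = (char)toupper((unsigned char)sets[i]);
	}

	sets[pri->priv_nsets] = '\0';

	rem = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	add = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	assign = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	if (rem == NULL || add == NULL || assign == NULL)
		fatal("calloc");
}

/*
 * Parse one -s specification, "[EPIL][+-=]priv,priv,...", and record it
 * in add/rem/assign for each named set.  No set letters, or 'a'/'A',
 * means every set.  Specs for the same set accumulate: '+' specs are
 * unioned, '-' specs intersected (they are stored inverted), while '='
 * may be given only once for a set and not together with '+' or '-'.
 *
 * Returns 0; every error path exits (badspec() with 3, conflicts with 1).
 */
static int
parsespec(const char *spec)
{
	char *p;
	const char *q;
	int count;
	priv_set_t ***toupd;
	priv_set_t *upd;
	int i;
	boolean_t freeupd = B_TRUE;

	if (pri == NULL)
		loadprivinfo();

	p = strpbrk(spec, "+-=");

	/* The set letters before the operator cannot outnumber the sets. */
	if (p == NULL || p - spec > pri->priv_nsets)
		badspec(spec);

	if (p[1] == '\0' || (upd = priv_str_to_set(p + 1, ",", NULL)) == NULL)
		badspec(p + 1);

	count = p - spec;
	switch (*p) {
	case '+':
		toupd = &add;
		break;
	case '-':
		/* Stored inverted so that removal becomes an intersection. */
		toupd = &rem;
		priv_inverse(upd);
		break;
	case '=':
		toupd = &assign;
		break;
	default:
		/* strpbrk() only returns one of the three; keeps toupd set. */
		badspec(spec);
		/*NOTREACHED*/
	}

	/* Update all sets? */
	if (count == 0 || *spec == 'a' || *spec == 'A') {
		count = pri->priv_nsets;
		q = sets;
	} else {
		q = spec;
	}

	for (i = 0; i < count; i++) {
		int ind = strindex(q[i], sets);

		if (ind == -1)
			badspec(spec);

		/* Assign is mutually exclusive with add/remove and itself */
		if (((toupd == &rem || toupd == &add) && assign[ind] != NULL) ||
		    (toupd == &assign && (assign[ind] != NULL ||
		    rem[ind] != NULL || add[ind] != NULL))) {
			(void) fprintf(stderr, "%s: conflicting spec: %s\n",
			    command, spec);
			exit(1);
		}
		if ((*toupd)[ind] != NULL) {
			if (*p == '-')
				priv_intersect(upd, (*toupd)[ind]);
			else
				priv_union(upd, (*toupd)[ind]);
		} else {
			/* First spec for this set: the table takes ownership. */
			(*toupd)[ind] = upd;
			freeupd = B_FALSE;
		}
	}
	if (freeupd)
		priv_freeset(upd);
	return (0);
}

/*
 * Apply the accumulated -s edits and the -D/-N/-P/-x flag changes to
 * the prpriv_t image read from a target process (see look()).
 *
 * Flag changes rewrite the trailing priv_info area as a single
 * PRIV_INFO_FLAGS record, starting from the target's current flag bits.
 * When no flag option was given, or no flags record is found, pr_infosize
 * is set to 0 so that Psetpriv() leaves the target's flags alone.
 */
static void
privupdate(prpriv_t *pr, const char *arg)
{
	int i;

	if (sets != NULL) {
		for (i = 0; i < pri->priv_nsets; i++) {
			priv_set_t *target =
			    (priv_set_t *)&pr->pr_sets[pr->pr_setsize * i];

			/* rem[] holds the inverse, so intersecting removes. */
			if (rem[i] != NULL)
				priv_intersect(rem[i], target);
			if (add[i] != NULL)
				priv_union(add[i], target);
			if (assign[i] != NULL)
				priv_copyset(assign[i], target);
		}
	}

	if (Doff || Don || pfexec || xpol) {
		priv_info_uint_t *pii;
		int sz = PRIV_PRPRIV_SIZE(pr);
		char *x = (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr);
		uint32_t fl = 0;

		/* Find the current flags record so unrelated bits survive. */
		while (x < (char *)pr + sz) {
			size_t left = (size_t)((char *)pr + sz - x);
			/* LINTED: alignment */
			priv_info_t *pi = (priv_info_t *)x;

			/* Header and whole record must fit in what is left. */
			if (left < sizeof (priv_info_t) ||
			    pi->priv_info_size > left ||
			    pi->priv_info_size <= sizeof (priv_info_t) ||
			    (pi->priv_info_size & 3) != 0)
				break;
			if (pi->priv_info_type == PRIV_INFO_FLAGS) {
				/* LINTED: alignment */
				pii = (priv_info_uint_t *)x;
				fl = pii->val;
				goto done;
			}
			x += pi->priv_info_size;
		}
		(void) fprintf(stderr,
		    "%s: cannot find privilege flags to set\n", arg);
		pr->pr_infosize = 0;
		return;
done:
		/* Replace the whole info area with one flags record. */
		pr->pr_infosize = sizeof (priv_info_uint_t);
		/* LINTED: alignment */
		pii = (priv_info_uint_t *)
		    ((char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));

		if (Don)
			fl |= PRIV_DEBUG;
		if (Doff)
			fl &= ~PRIV_DEBUG;
		if (pfexec)
			fl |= PRIV_PFEXEC;
		if (xpol)
			fl |= PRIV_XPOLICY;

		pii->info.priv_info_size = sizeof (*pii);
		pii->info.priv_info_type = PRIV_INFO_FLAGS;
		pii->val = fl;
	} else {
		pr->pr_infosize = 0;
	}
}

/*
 * Apply the rem/add/assign edits recorded for the named set to this
 * process, using "target" as scratch space.  A set with no edits is left
 * untouched.  Exits via fatal() when the set cannot be read or written:
 * edits are never applied on top of a set that could not be read.
 */
static void
privupdate_own_set(const char *setname, priv_set_t *target)
{
	int setno = priv_getsetbyname(setname);
	char what[64];

	if (setno < 0)
		fatal(setname);
	if (rem[setno] == NULL && add[setno] == NULL &&
	    assign[setno] == NULL)
		return;

	(void) snprintf(what, sizeof (what), "getppriv(%s)", setname);
	if (getppriv(setname, target) != 0)
		fatal(what);
	if (rem[setno] != NULL)
		priv_intersect(rem[setno], target);
	if (add[setno] != NULL)
		priv_union(add[setno], target);
	if (assign[setno] != NULL)
		priv_copyset(assign[setno], target);
	(void) snprintf(what, sizeof (what), "setppriv(%s)", setname);
	if (setppriv(PRIV_SET, setname, target) != 0)
		fatal(what);
}

/*
 * Apply -M/-P and the -s/-D/-N/-x changes to this process itself, before
 * main() execs the command (-e).  Only the Inheritable and Limit sets are
 * updated here; edits to other sets in -s specs are ignored for -e.
 * NET_MAC_AWARE*, PRIV_PFEXEC and the set updates are fatal on failure;
 * PRIV_DEBUG and PRIV_XPOLICY keep their original best-effort handling.
 */
static void
privupdate_self(void)
{
	if (mac_aware) {
		if (setpflags(NET_MAC_AWARE, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE)");
		if (setpflags(NET_MAC_AWARE_INHERIT, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE_INHERIT)");
	}
	if (pfexec) {
		if (setpflags(PRIV_PFEXEC, 1) != 0)
			fatal("setpflags(PRIV_PFEXEC)");
	}

	if (sets != NULL) {
		priv_set_t *target = priv_allocset();

		if (target == NULL)
			fatal("priv_allocset");

		privupdate_own_set(PRIV_INHERITABLE, target);
		privupdate_own_set(PRIV_LIMIT, target);
		priv_freeset(target);
	}

	if (Doff || Don)
		(void) setpflags(PRIV_DEBUG, Don ? 1 : 0);
	if (xpol)
		(void) setpflags(PRIV_XPOLICY, 1);
	/* PRIV_PFEXEC was already set, and checked, above. */
}

/*
 * Print one privilege name; with -v also print its description, one
 * tab-indented line per line of priv_gettext() output.
 *
 * Returns 1 when verbose output was requested but no description is
 * available, 0 otherwise.
 */
static int
dopriv(const char *p)
{
	(void) puts(p);
	if (verb) {
		char *text = priv_gettext(p);
		char *line, *nl;

		if (text == NULL)
			return (1);
		for (line = text; (nl = strchr(line, '\n')) != NULL;
		    line = nl + 1) {
			*nl = '\0';
			(void) printf("\t%s\n", line);
		}
		/* A description without a final newline: print the rest. */
		if (*line != '\0')
			(void) printf("\t%s\n", line);
		free(text);
	}
	return (0);
}

/*
 * -l: list privilege names.  With no arguments every privilege is
 * listed; otherwise each argument is a comma-separated privilege list and
 * only its members are listed, in implementation order.
 *
 * Returns the number of failures (bad lists plus dopriv() failures).
 */
static int
dumppriv(char **argv)
{
	int rc = 0;
	const char *pname;
	int i;

	if (argv[0] == NULL) {
		for (i = 0; ((pname = priv_getbynum(i++)) != NULL); )
			rc += dopriv(pname);
	} else {
		for (; *argv; argv++) {
			priv_set_t *pset = priv_str_to_set(*argv, ",", NULL);

			if (pset == NULL) {
				(void) fprintf(stderr, "%s: %s: bad privilege"
				    " list\n", command, *argv);
				rc++;
				continue;
			}
			for (i = 0; ((pname = priv_getbynum(i++)) != NULL); )
				if (priv_ismember(pset, pname))
					rc += dopriv(pname);
			/* priv_str_to_set() allocates; release per argument. */
			priv_freeset(pset);
		}
	}
	return (rc);
}

/*
 * Names of the process flag bits, for flags2str().
 */
static struct {
	int flag;
	const char *name;
} flags[] = {
	{ PRIV_DEBUG, "PRIV_DEBUG" },
	{ PRIV_AWARE, "PRIV_AWARE" },
	{ PRIV_AWARE_INHERIT, "PRIV_AWARE_INHERIT" },
	{ PRIV_AWARE_RESET, "PRIV_AWARE_RESET" },
	{ PRIV_XPOLICY, "PRIV_XPOLICY" },
	{ PRIV_PFEXEC, "PRIV_PFEXEC" },
	{ NET_MAC_AWARE, "NET_MAC_AWARE" },
	{ NET_MAC_AWARE_INHERIT, "NET_MAC_AWARE_INHERIT" },
};

/*
 * Print flags preceded by a space.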
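 */
static void
flags2str(uint_t pflags)
{
	char sep = ' ';
	size_t i;

	if (pflags == 0) {
		(void) fputs(" <none>", stdout);
		return;
	}
	/* Known bits by name, '|'-separated; stop once none are left. */
	for (i = 0; i < sizeof (flags) / sizeof (flags[0]) && pflags != 0;
	    i++) {
		if ((pflags & flags[i].flag) != 0) {
			(void) printf("%c%s", sep, flags[i].name);
			pflags &= ~flags[i].flag;
			sep = '|';
		}
	}
	/* Bits with no entry in the table are shown in hex. */
	if (pflags != 0)
		(void) printf("%c<0x%x>", sep, pflags);
}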