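/* $Id: port-solaris.c,v 1.4 2010/11/05 01:03:05 dtucker Exp $ */

/*
 * Copyright (c) 2006 Chad Mynhier.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "config.h"
#include "includes.h"

#ifdef USE_SOLARIS_PROCESS_CONTRACTS

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>

#include <errno.h>
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
#include <stdarg.h>
#include <string.h>
#include <unistd.h>

#include <libcontract.h>
#include <sys/contract/process.h>
#include <sys/ctfs.h>

#include "log.h"

#define CT_TEMPLATE	CTFS_ROOT "/process/template"
#define CT_LATEST	CTFS_ROOT "/process/latest"

/*
 * Contract template descriptor shared by the pre/post fork hooks.
 * -1 means no template is open (never opened, setup failed, or already
 * released by one of the post-fork hooks).
 */
static int tmpl_fd = -1;

/*
 * Look up the id of the latest process contract through CT_LATEST.
 *
 * Returns the contract id on success.  On failure an error is logged and
 * a negative value is returned.
 */
static ctid_t
get_active_process_contract_id(void)
{
	int stat_fd;
	ctid_t ctid = -1;
	ct_stathdl_t stathdl;

	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
		error("%s: Error opening 'latest' process "
		    "contract: %s", __func__, strerror(errno));
		return -1;
	}
	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
		error("%s: Error reading process contract "
		    "status: %s", __func__, strerror(errno));
		goto out;
	}
	if ((ctid = ct_status_get_id(stathdl)) < 0)
		error("%s: Error getting process contract id: %s",
		    __func__, strerror(errno));

	/*
	 * The handle was obtained by ct_status_read(), so release it whether
	 * or not the id lookup succeeded; skipping this on the error path
	 * would leak it.
	 */
	ct_status_free(stathdl);
 out:
	close(stat_fd);
	return ctid;
}

/*
 * Open CT_TEMPLATE, configure it and make it the active process contract
 * template before the caller forks.
 *
 * On any failure the error is logged, the descriptor is closed and tmpl_fd
 * is reset to -1, which the post-fork hooks treat as "nothing to undo".
 */
void
solaris_contract_pre_fork(void)
{
	if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
		error("%s: open %s: %s", __func__,
		    CT_TEMPLATE, strerror(errno));
		return;
	}

	debug2("%s: setting up process contract template on fd %d",
	    __func__, tmpl_fd);

	/* First we set the template parameters and event sets. */
	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
		error("%s: Error setting process contract parameter set "
		    "(pgrponly): %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "fatal events: %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
		error("%s: Error setting process contract template "
		    "critical events: %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "informative events: %s", __func__, strerror(errno));
		goto fail;
	}

	/* Now make this the active template for this process. */
	if (ct_tmpl_activate(tmpl_fd) != 0) {
		error("%s: Error activating process contract "
		    "template: %s", __func__, strerror(errno));
		goto fail;
	}
	return;

 fail:
	if (tmpl_fd != -1) {
		close(tmpl_fd);
		tmpl_fd = -1;
	}
}

/*
 * Child-side hook after fork: clear the active template and release the
 * template descriptor.
 */
void
solaris_contract_post_fork_child(void)
{
	debug2("%s: clearing process contract template on fd %d",
	    __func__, tmpl_fd);

	/*
	 * solaris_contract_pre_fork() leaves tmpl_fd at -1 when it fails, and
	 * activation is its last step, so there is no active template to
	 * clear in that case.  Mirrors the guard in the parent-side hook and
	 * avoids calling ct_tmpl_clear()/close() on an invalid descriptor.
	 */
	if (tmpl_fd == -1)
		return;

	/* Clear the active template. */
	if (ct_tmpl_clear(tmpl_fd) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;
}

/*
 * Parent-side hook after fork: clear the active template, release the
 * template descriptor and, if the fork succeeded, abandon the contract
 * reported as "latest".
 *
 * pid is the return value of fork(); values <= 0 skip the abandon step.
 * All failures are logged and otherwise ignored.
 */
void
solaris_contract_post_fork_parent(pid_t pid)
{
	ctid_t ctid;
	char ctl_path[256];
	int r, ctl_fd;

	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* First clear the active template. */
	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;

	/*
	 * If either the fork didn't succeed (pid <= 0), or clearing
	 * the active contract failed (r != 0), then we have nothing
	 * more to do.
	 */
	if (r != 0 || pid <= 0)
		return;

	/*
	 * Now look up and abandon the contract we've created.  A failed
	 * lookup has already been logged; stop here rather than building a
	 * ctl path from a negative id.
	 */
	if ((ctid = get_active_process_contract_id()) < 0)
		return;

	/* ctid_t is not guaranteed to be a long; cast to match %ld. */
	debug2("%s: abandoning contract id %ld", __func__, (long)ctid);

	snprintf(ctl_path, sizeof(ctl_path),
	    CTFS_ROOT "/process/%ld/ctl", (long)ctid);
	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
		error("%s: Error opening process contract "
		    "ctl file: %s", __func__, strerror(errno));
		return;
	}
	/*
	 * Checked against 0 like the other libcontract calls in this file,
	 * so that a non-zero error return is not silently ignored.
	 */
	if (ct_ctl_abandon(ctl_fd) != 0)
		error("%s: Error abandoning process contract: %s",
		    __func__, strerror(errno));
	close(ctl_fd);
}
#endif /* USE_SOLARIS_PROCESS_CONTRACTS */

#ifdef USE_SOLARIS_PROJECTS
#include <sys/task.h>
#include <project.h>

/*
 * Get/set solaris default project.
 * If we fail, just run along gracefully.
 *
 * pw supplies the user name (pw_name) whose default project is looked up
 * and joined.  Failures are reported through debug() only.
 */
void
solaris_set_default_project(struct passwd *pw)
{
	struct project *defaultproject;
	struct project tempproject;
	char buf[1024];

	/* get default project, if we fail just return gracefully */
	defaultproject = getdefaultproj(pw->pw_name, &tempproject, buf,
	    sizeof(buf));
	if (defaultproject != NULL) {
		/* set default project */
		if (setproject(defaultproject->pj_name, pw->pw_name,
		    TASK_NORMAL) != 0)
			debug("setproject(%s): %s", defaultproject->pj_name,
			    strerror(errno));
	} else {
		/* debug on getdefaultproj() error */
		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
	}
}
#endif /* USE_SOLARIS_PROJECTS */

#ifdef USE_SOLARIS_PRIVS
# ifdef HAVE_PRIV_H
#  include <priv.h>
# endif

/*
 * NOTE(review): this section calls error()/fatal() and uses errno, but
 * "log.h" and <errno.h> are only included under
 * USE_SOLARIS_PROCESS_CONTRACTS above - confirm "includes.h" or the build
 * configuration provides them when only USE_SOLARIS_PRIVS is defined.
 */

/*
 * Allocate a privilege set holding the "basic" privileges.
 *
 * Returns a newly allocated set that the caller releases with
 * priv_freeset(), or NULL after logging an error.
 */
priv_set_t *
solaris_basic_privset(void)
{
	priv_set_t *pset;

#ifdef HAVE_PRIV_BASICSET
	if ((pset = priv_allocset()) == NULL) {
		error("priv_allocset: %s", strerror(errno));
		return NULL;
	}
	priv_basicset(pset);
#else
	if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
		error("priv_str_to_set: %s", strerror(errno));
		return NULL;
	}
#endif
	return pset;
}

/*
 * Reduce the process to "basic" plus file DAC/ownership privileges, minus
 * link-any, network access (where defined), exec, fork, process info and
 * session privileges, limited to what is currently permitted.
 *
 * Every failure goes through fatal(), so the caller never continues with
 * a partially applied privilege drop.
 */
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	priv_set_t *pset = NULL, *npset = NULL;

	/*
	 * Note: this variant avoids dropping DAC filesystem rights, in case
	 * the process calling it is running as root and should have the
	 * ability to read/write/chown any file on the system.
	 *
	 * We start with the basic set, then *add* the DAC rights to it while
	 * taking away other parts of BASIC we don't need. Then we intersect
	 * this with our existing PERMITTED set. In this way we keep any
	 * DAC rights we had before, while otherwise reducing ourselves to
	 * the minimum set of privileges we need to proceed.
	 *
	 * This also means we drop any other parts of "root" that we don't
	 * need (e.g. the ability to kill any process, create new device nodes
	 * etc etc).
	 */

	if ((pset = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	if ((npset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
	    priv_addset(npset, PRIV_FILE_OWNER) != 0)
		fatal("priv_addset: %s", strerror(errno));

	if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
	    priv_delset(npset, PRIV_PROC_FORK) != 0 ||
	    priv_delset(npset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(npset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

	if (getppriv(PRIV_PERMITTED, pset) != 0)
		fatal("getppriv: %s", strerror(errno));

	/*
	 * npset becomes (wanted set) AND (currently permitted set), so the
	 * setppriv() calls below only ever remove privileges.
	 */
	priv_intersect(pset, npset);

	/* Apply the same reduced set to permitted, limit and inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
	priv_freeset(npset);
}

/*
 * Reduce the process to "basic" minus link-any, network access (where
 * defined), process info and session privileges.
 *
 * Unlike solaris_drop_privs_pinfo_net_fork_exec() the target set is not
 * intersected with the current permitted set.
 * NOTE(review): presumably callers already hold at least these basic
 * privileges, otherwise setppriv() is expected to fail and hit fatal() -
 * confirm against the call sites.
 */
void
solaris_drop_privs_root_pinfo_net(void)
{
	priv_set_t *pset = NULL;

	/* Start with "basic" and drop everything we don't need. */
	if ((pset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

	/* Apply the same reduced set to permitted, limit and inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
}

/*
 * Same reduction as solaris_drop_privs_root_pinfo_net(), additionally
 * removing PRIV_PROC_EXEC.  Every failure goes through fatal().
 */
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
	priv_set_t *pset = NULL;

	/* Start with "basic" and drop everything we don't need. */
	if ((pset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

	/* Apply the same reduced set to permitted, limit and inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
}

#endif /* USE_SOLARIS_PRIVS */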