ppriv.c revision 4321:a8930ec16e52 
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25
26#pragma ident	"%Z%%M%	%I%	%E% SMI"
27
28#include <sys/param.h>
29#include <sys/types.h>
30#include <sys/sysmacros.h>
31#include <sys/systm.h>
32#include <sys/cred_impl.h>
33#include <sys/errno.h>
34#include <sys/proc.h>
35#include <sys/priv_impl.h>
36#include <sys/policy.h>
37#include <sys/ddi.h>
38#include <sys/thread.h>
39#include <c2/audit.h>
40
41/*
42 * System call support for manipulating privileges.
43 *
44 *
45 * setppriv(2) - set process privilege set
46 * getppriv(2) - get process privilege set
47 * getprivimplinfo(2) - get process privilege implementation information
48 * setpflags(2) - set process (privilege) flags
49 * getpflags(2) - get process (privilege) flags
50 */
51
52/*
53 * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
54 */
55static int
56setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
57{
58	priv_set_t	pset, *target;
59	cred_t		*cr, *pcr;
60	proc_t		*p;
61	boolean_t	donocd;
62
63	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
64		return (set_errno(EINVAL));
65
66	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
67		return (set_errno(EFAULT));
68
69	p = ttoproc(curthread);
70	cr = cralloc();
71	mutex_enter(&p->p_crlock);
72
73	pcr = p->p_cred;
74
75#ifdef C2_AUDIT
76	if (audit_active)
77		audit_setppriv(op, type, &pset, pcr);
78#endif
79
80	/*
81	 * Filter out unallowed request (bad op and bad type)
82	 */
83	switch (op) {
84	case PRIV_ON:
85	case PRIV_SET:
86		/*
87		 * Turning on privileges; the limit set cannot grow,
88		 * other sets can but only as long as they remain subsets
89		 * of P.  Only immediately after exec holds that P <= L.
90		 */
91		if (((type == PRIV_LIMIT &&
92			!priv_issubset(&pset, &CR_LPRIV(pcr))) ||
93		    !priv_issubset(&pset, &CR_OPPRIV(pcr))) &&
94		    !priv_issubset(&pset, priv_getset(pcr, type))) {
95			mutex_exit(&p->p_crlock);
96			crfree(cr);
97			return (set_errno(EPERM));
98		}
99		break;
100
101	case PRIV_OFF:
102		/* PRIV_OFF is always allowed */
103		break;
104	}
105
106	/*
107	 * OK! everything is cool.
108	 * Do cred COW.
109	 */
110	crcopy_to(pcr, cr);
111
112	/*
113	 * If we change the effective, permitted or limit set, we attain
114	 * "privilege awareness".
115	 */
116	if (type != PRIV_INHERITABLE)
117		priv_set_PA(cr);
118
119	target = &(CR_PRIVS(cr)->crprivs[type]);
120
121	switch (op) {
122	case PRIV_ON:
123		priv_union(&pset, target);
124		break;
125	case PRIV_OFF:
126		priv_inverse(&pset);
127		priv_intersect(target, &pset);
128
129		/*
130		 * Fall-thru to set target and change other process
131		 * privilege sets.
132		 */
133		/*FALLTHRU*/
134
135	case PRIV_SET:
136		*target = pset;
137
138		/*
139		 * Take privileges no longer permitted out
140		 * of other effective sets as well.
141		 * Limit set is enforced at exec() time.
142		 */
143		if (type == PRIV_PERMITTED)
144			priv_intersect(&pset, &CR_EPRIV(cr));
145		break;
146	}
147
148	/*
149	 * When we give up privileges not in the inheritable set,
150	 * set SNOCD if not already set; first we compute the
151	 * privileges removed from P using Diff = (~P') & P
152	 * and then we check whether the removed privileges are
153	 * a subset of I.  If we retain uid 0, all privileges
154	 * are required anyway so don't set SNOCD.
155	 */
156	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
157	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
158		priv_set_t diff = CR_OPPRIV(cr);
159		priv_inverse(&diff);
160		priv_intersect(&CR_OPPRIV(pcr), &diff);
161		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
162	} else {
163		donocd = B_FALSE;
164	}
165
166	p->p_cred = cr;
167	mutex_exit(&p->p_crlock);
168
169	if (donocd) {
170		mutex_enter(&p->p_lock);
171		p->p_flag |= SNOCD;
172		mutex_exit(&p->p_lock);
173	}
174
175	crset(p, cr);		/* broadcast to process threads */
176
177	return (0);
178}
179
180/*
181 * getppriv (priv_ptype_t, priv_set_t *)
182 */
183static int
184getppriv(priv_ptype_t type, priv_set_t *pset)
185{
186	if (!PRIV_VALIDSET(type))
187		return (set_errno(EINVAL));
188
189	if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
190		return (set_errno(EFAULT));
191
192	return (0);
193}
194
195static int
196getprivimplinfo(void *buf, size_t bufsize)
197{
198	int err;
199
200	err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
201
202	priv_release_implinfo();
203
204	if (err)
205		return (set_errno(EFAULT));
206
207	return (0);
208}
209
210/*
211 * Set process flags in the given target cred.  If NULL is specified, then
212 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
213 * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
214 * for these, curproc is always used.
215 *
216 * For now we cheat: the flags are actually bit masks so we can simplify
217 * some; we do make sure that the arguments are valid, though.
218 */
219
220int
221setpflags(uint_t flag, uint_t val, cred_t *tcr)
222{
223	cred_t *cr, *pcr;
224	proc_t *p = curproc;
225	uint_t newflags;
226	boolean_t use_curcred = (tcr == NULL);
227
228	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
229	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
230	    flag != __PROC_PROTECT)) {
231		return (EINVAL);
232	}
233
234	if (flag == __PROC_PROTECT) {
235		mutex_enter(&p->p_lock);
236		if (val == 0)
237			p->p_flag &= ~SNOCD;
238		else
239			p->p_flag |= SNOCD;
240		mutex_exit(&p->p_lock);
241		return (0);
242	}
243
244	if (use_curcred) {
245		cr = cralloc();
246		mutex_enter(&p->p_crlock);
247		pcr = p->p_cred;
248	} else {
249		cr = pcr = tcr;
250	}
251
252	newflags = CR_FLAGS(pcr);
253
254	if (val != 0)
255		newflags |= flag;
256	else
257		newflags &= ~flag;
258
259	/* No change */
260	if (CR_FLAGS(pcr) == newflags) {
261		if (use_curcred) {
262			mutex_exit(&p->p_crlock);
263			crfree(cr);
264		}
265		return (0);
266	}
267
268	/*
269	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
270	 * flags is a restricted operation.
271	 *
272	 * When invoked via the PRIVSYS_SETPFLAGS syscall
273	 * we require that the current cred has the net_mac_aware
274	 * privilege in its effective set.
275	 *
276	 * When called from within the kernel by label-aware
277	 * services such as NFS, we don't require a privilege check.
278	 *
279	 */
280	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
281	    (val == 1) && use_curcred) {
282		if (secpolicy_net_mac_aware(pcr) != 0) {
283			mutex_exit(&p->p_crlock);
284			crfree(cr);
285			return (EPERM);
286		}
287	}
288
289	/* Trying to unset PA; if we can't, return an error */
290	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
291		if (use_curcred) {
292			mutex_exit(&p->p_crlock);
293			crfree(cr);
294		}
295		return (EPERM);
296	}
297
298	/* Committed to changing the flag */
299	if (use_curcred)
300		crcopy_to(pcr, cr);
301	if (flag == PRIV_AWARE) {
302		if (val != 0)
303			priv_set_PA(cr);
304		else
305			priv_adjust_PA(cr);
306	} else {
307		CR_FLAGS(cr) = newflags;
308	}
309
310	if (use_curcred) {
311		p->p_cred = cr;
312		mutex_exit(&p->p_crlock);
313		crset(p, cr);
314	}
315
316	return (0);
317}
318
319/*
320 * Getpflags.  Currently only implements single bit flags.
321 */
322uint_t
323getpflags(uint_t flag, const cred_t *cr)
324{
325	if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
326	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT)
327		return ((uint_t)-1);
328
329	return ((CR_FLAGS(cr) & flag) != 0);
330}
331
332/*
333 * Privilege system call entry point
334 */
335int
336privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize)
337{
338	int retv;
339	extern int issetugid(void);
340
341	switch (code) {
342	case PRIVSYS_SETPPRIV:
343		if (bufsize < sizeof (priv_set_t))
344			return (set_errno(ENOMEM));
345		return (setppriv(op, type, buf));
346	case PRIVSYS_GETPPRIV:
347		if (bufsize < sizeof (priv_set_t))
348			return (set_errno(ENOMEM));
349		return (getppriv(type, buf));
350	case PRIVSYS_GETIMPLINFO:
351		return (getprivimplinfo(buf, bufsize));
352	case PRIVSYS_SETPFLAGS:
353		retv = setpflags((uint_t)op, (uint_t)type, NULL);
354		return (retv != 0 ? set_errno(retv) : 0);
355	case PRIVSYS_GETPFLAGS:
356		retv = (int)getpflags((uint_t)op, CRED());
357		return (retv == -1 ? set_errno(EINVAL) : retv);
358	case PRIVSYS_ISSETUGID:
359		return (issetugid());
360	}
361	return (set_errno(EINVAL));
362}
363
364#ifdef _SYSCALL32_IMPL
365int
366privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t *buf,
367    size32_t bufsize)
368{
369	return (privsys(code, op, type, (void *)buf, (size_t)bufsize));
370}
371#endif
372