usr/src/uts/common/syscall/ppriv.c

root/usr/src/uts/common/syscall/ppriv.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/param.h>
#include <sys/types.h>
#include <sys/sysmacros.h>
#include <sys/systm.h>
#include <sys/cred_impl.h>
#include <sys/errno.h>
#include <sys/klpd.h>
#include <sys/proc.h>
#include <sys/priv_impl.h>
#include <sys/policy.h>
#include <sys/ddi.h>
#include <sys/thread.h>
#include <sys/cmn_err.h>
#include <c2/audit.h>

/*
 * System call support for manipulating privileges.
 *
 *
 * setppriv(2) - set process privilege set
 * getppriv(2) - get process privilege set
 * getprivimplinfo(2) - get process privilege implementation information
 * setpflags(2) - set process (privilege) flags
 * getpflags(2) - get process (privilege) flags
 */

/*
 * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
 */
static int
setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
{
        priv_set_t      pset, *target;
        cred_t          *cr, *pcr;
        proc_t          *p;
        boolean_t       donocd = B_FALSE;

        if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
                return (set_errno(EINVAL));

        if (copyin(in_pset, &pset, sizeof (priv_set_t)))
                return (set_errno(EFAULT));

        p = ttoproc(curthread);
        cr = cralloc();
        mutex_enter(&p->p_crlock);

retry:
        pcr = p->p_cred;

        if (AU_AUDITING())
                audit_setppriv(op, type, &pset, pcr);

        /*
         * Filter out unallowed request (bad op and bad type)
         */
        switch (op) {
        case PRIV_ON:
        case PRIV_SET:
                /*
                 * Turning on privileges; the limit set cannot grow,
                 * other sets can but only as long as they remain subsets
                 * of P.  Only immediately after exec holds that P <= L.
                 */
                if (type == PRIV_LIMIT &&
                    !priv_issubset(&pset, &CR_LPRIV(pcr))) {
                        mutex_exit(&p->p_crlock);
                        crfree(cr);
                        return (set_errno(EPERM));
                }
                if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
                    !priv_issubset(&pset, priv_getset(pcr, type))) {
                        mutex_exit(&p->p_crlock);
                        /* Policy override should not grow beyond L either */
                        if (type != PRIV_INHERITABLE ||
                            !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
                            secpolicy_require_privs(CRED(), &pset) != 0) {
                                crfree(cr);
                                return (set_errno(EPERM));
                        }
                        mutex_enter(&p->p_crlock);
                        if (pcr != p->p_cred)
                                goto retry;
                        donocd = B_TRUE;
                }
                break;

        case PRIV_OFF:
                /* PRIV_OFF is always allowed */
                break;
        }

        /*
         * OK! everything is cool.
         * Do cred COW.
         */
        crcopy_to(pcr, cr);

        /*
         * If we change the effective, permitted or limit set, we attain
         * "privilege awareness".
         */
        if (type != PRIV_INHERITABLE)
                priv_set_PA(cr);

        target = &(CR_PRIVS(cr)->crprivs[type]);

        switch (op) {
        case PRIV_ON:
                priv_union(&pset, target);
                break;
        case PRIV_OFF:
                priv_inverse(&pset);
                priv_intersect(target, &pset);

                /*
                 * Fall-thru to set target and change other process
                 * privilege sets.
                 */
                /*FALLTHRU*/

        case PRIV_SET:
                *target = pset;

                /*
                 * Take privileges no longer permitted out
                 * of other effective sets as well.
                 * Limit set is enforced at exec() time.
                 */
                if (type == PRIV_PERMITTED)
                        priv_intersect(&pset, &CR_EPRIV(cr));
                break;
        }

        /*
         * When we give up privileges not in the inheritable set,
         * set SNOCD if not already set; first we compute the
         * privileges removed from P using Diff = (~P') & P
         * and then we check whether the removed privileges are
         * a subset of I.  If we retain uid 0, all privileges
         * are required anyway so don't set SNOCD.
         */
        if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
            cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
                priv_set_t diff = CR_OPPRIV(cr);
                priv_inverse(&diff);
                priv_intersect(&CR_OPPRIV(pcr), &diff);
                donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
        }

        p->p_cred = cr;
        mutex_exit(&p->p_crlock);

        if (donocd) {
                mutex_enter(&p->p_lock);
                p->p_flag |= SNOCD;
                mutex_exit(&p->p_lock);
        }

        /*
         * The basic_test privilege should not be removed from E;
         * if that has happened, then some programmer typically set the E/P to
         * empty. That is not portable.
         */
        if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
            priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
                proc_t *p = curproc;
                pid_t pid = p->p_pid;
                char *fn = PTOU(p)->u_comm;

                cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
                    "removed from E/P", fn, pid);
        }

        crset(p, cr);           /* broadcast to process threads */

        return (0);
}

/*
 * getppriv (priv_ptype_t, priv_set_t *)
 */
static int
getppriv(priv_ptype_t type, priv_set_t *pset)
{
        if (!PRIV_VALIDSET(type))
                return (set_errno(EINVAL));

        if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
                return (set_errno(EFAULT));

        return (0);
}

static int
getprivimplinfo(void *buf, size_t bufsize)
{
        int err;

        err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));

        priv_release_implinfo();

        if (err)
                return (set_errno(EFAULT));

        return (0);
}

/*
 * Set process flags in the given target cred.  If NULL is specified, then
 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
 * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
 * for these, curproc is always used.
 *
 * For now we cheat: the flags are actually bit masks so we can simplify
 * some; we do make sure that the arguments are valid, though.
 */

int
setpflags(uint_t flag, uint_t val, cred_t *tcr)
{
        cred_t *cr, *pcr;
        proc_t *p = curproc;
        uint_t newflags;
        boolean_t use_curcred = (tcr == NULL);

        if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
            flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
            flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
            flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
                return (EINVAL);
        }

        if (flag == __PROC_PROTECT) {
                mutex_enter(&p->p_lock);
                if (val == 0)
                        p->p_flag &= ~SNOCD;
                else
                        p->p_flag |= SNOCD;
                mutex_exit(&p->p_lock);
                return (0);
        }

        if (use_curcred) {
                cr = cralloc();
                mutex_enter(&p->p_crlock);
                pcr = p->p_cred;
        } else {
                cr = pcr = tcr;
        }

        newflags = CR_FLAGS(pcr);

        if (val != 0) {
                if (flag == PRIV_AWARE)
                        newflags &= ~PRIV_AWARE_RESET;
                newflags |= flag;
        } else {
                newflags &= ~flag;
        }

        /* No change */
        if (CR_FLAGS(pcr) == newflags) {
                if (use_curcred) {
                        mutex_exit(&p->p_crlock);
                        crfree(cr);
                }
                return (0);
        }

        /*
         * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
         * flags is a restricted operation.
         *
         * When invoked via the PRIVSYS_SETPFLAGS syscall
         * we require that the current cred has the net_mac_aware
         * privilege in its effective set.
         *
         * When called from within the kernel by label-aware
         * services such as NFS, we don't require a privilege check.
         *
         */
        if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
            (val == 1) && use_curcred) {
                if (secpolicy_net_mac_aware(pcr) != 0) {
                        mutex_exit(&p->p_crlock);
                        crfree(cr);
                        return (EPERM);
                }
        }

        /* Trying to unset PA; if we can't, return an error */
        if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
                if (use_curcred) {
                        mutex_exit(&p->p_crlock);
                        crfree(cr);
                }
                return (EPERM);
        }

        /* Committed to changing the flag */
        if (use_curcred)
                crcopy_to(pcr, cr);
        if (flag == PRIV_AWARE) {
                if (val != 0)
                        priv_set_PA(cr);
                else
                        priv_adjust_PA(cr);
        } else {
                CR_FLAGS(cr) = newflags;
        }

        /*
         * Unsetting the flag has as side effect getting rid of
         * the per-credential policy.
         */
        if (flag == PRIV_XPOLICY && val == 0)
                crsetcrklpd(cr, NULL);

        if (use_curcred) {
                p->p_cred = cr;
                mutex_exit(&p->p_crlock);
                crset(p, cr);
        }

        return (0);
}

/*
 * Getpflags.  Currently only implements single bit flags.
 */
uint_t
getpflags(uint_t flag, const cred_t *cr)
{
        if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
            flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
            flag != PRIV_XPOLICY && flag != PRIV_PFEXEC &&
            flag != PRIV_AWARE_RESET)
                return ((uint_t)-1);

        return ((CR_FLAGS(cr) & flag) != 0);
}

/*
 * Privilege system call entry point
 */
int
privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
    int itype)
{
        int retv;
        extern int issetugid(void);

        switch (code) {
        case PRIVSYS_SETPPRIV:
                if (bufsize < sizeof (priv_set_t))
                        return (set_errno(ENOMEM));
                return (setppriv(op, type, buf));
        case PRIVSYS_GETPPRIV:
                if (bufsize < sizeof (priv_set_t))
                        return (set_errno(ENOMEM));
                return (getppriv(type, buf));
        case PRIVSYS_GETIMPLINFO:
                return (getprivimplinfo(buf, bufsize));
        case PRIVSYS_SETPFLAGS:
                retv = setpflags((uint_t)op, (uint_t)type, NULL);
                return (retv != 0 ? set_errno(retv) : 0);
        case PRIVSYS_GETPFLAGS:
                retv = (int)getpflags((uint_t)op, CRED());
                return (retv == -1 ? set_errno(EINVAL) : retv);
        case PRIVSYS_ISSETUGID:
                return (issetugid());
        case PRIVSYS_KLPD_REG:
                if (bufsize < sizeof (priv_set_t))
                        return (set_errno(ENOMEM));
                return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
                    buf));
        case PRIVSYS_KLPD_UNREG:
                return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
        case PRIVSYS_PFEXEC_REG:
                return ((int)pfexec_reg((int)op));
        case PRIVSYS_PFEXEC_UNREG:
                return ((int)pfexec_unreg((int)op));
        }
        return (set_errno(EINVAL));
}

#ifdef _SYSCALL32_IMPL
int
privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
    size32_t bufsize, int itype)
{
        return (privsys(code, op, type, (void *)(uintptr_t)buf,
            (size_t)bufsize, itype));
}
#endif
Illumos
