#include <sys/types.h>
#include <sys/sysmacros.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/cred_impl.h>
#include <sys/policy.h>
#include <sys/vnode.h>
#include <sys/errno.h>
#include <sys/kmem.h>
#include <sys/user.h>
#include <sys/proc.h>
#include <sys/syscall.h>
#include <sys/debug.h>
#include <sys/atomic.h>
#include <sys/ucred.h>
#include <sys/prsystm.h>
#include <sys/modctl.h>
#include <sys/avl.h>
#include <sys/door.h>
#include <c2/audit.h>
#include <sys/zone.h>
#include <sys/tsol/label.h>
#include <sys/sid.h>
#include <sys/idmap.h>
#include <sys/klpd.h>
#include <sys/varargs.h>
#include <sys/sysconf.h>
#include <util/qsort.h>
typedef struct ephemeral_zsd {
uid_t min_uid;
uid_t last_uid;
gid_t min_gid;
gid_t last_gid;
kmutex_t eph_lock;
cred_t *eph_nobody;
} ephemeral_zsd_t;
static void crgrphold(credgrp_t *);
#define CREDGRPSZ(ngrp) (sizeof (credgrp_t) + ((ngrp - 1) * sizeof (gid_t)))
static kmutex_t ephemeral_zone_mutex;
static zone_key_t ephemeral_zone_key;
static struct kmem_cache *cred_cache;
static size_t crsize = 0;
static int audoff = 0;
uint32_t ucredsize;
cred_t *kcred;
static cred_t *dummycr;
int rstlink;
static int get_c2audit_load(void);
#define CR_AUINFO(c) (auditinfo_addr_t *)((audoff == 0) ? NULL : \
((char *)(c)) + audoff)
#define REMOTE_PEER_CRED(c) ((c)->cr_gid == -1)
#define BIN_GROUP_SEARCH_CUTOFF 16
static boolean_t hasephids = B_FALSE;
static ephemeral_zsd_t *
get_ephemeral_zsd(zone_t *zone)
{
ephemeral_zsd_t *eph_zsd;
eph_zsd = zone_getspecific(ephemeral_zone_key, zone);
if (eph_zsd != NULL) {
return (eph_zsd);
}
mutex_enter(&ephemeral_zone_mutex);
eph_zsd = zone_getspecific(ephemeral_zone_key, zone);
if (eph_zsd == NULL) {
eph_zsd = kmem_zalloc(sizeof (ephemeral_zsd_t), KM_SLEEP);
eph_zsd->min_uid = MAXUID;
eph_zsd->last_uid = IDMAP_WK__MAX_UID;
eph_zsd->min_gid = MAXUID;
eph_zsd->last_gid = IDMAP_WK__MAX_GID;
mutex_init(&eph_zsd->eph_lock, NULL, MUTEX_DEFAULT, NULL);
eph_zsd->eph_nobody = crdup(zone->zone_kcred);
(void) crsetugid(eph_zsd->eph_nobody, UID_NOBODY, GID_NOBODY);
CR_FLAGS(eph_zsd->eph_nobody) = 0;
eph_zsd->eph_nobody->cr_zone = zone;
(void) zone_setspecific(ephemeral_zone_key, zone, eph_zsd);
}
mutex_exit(&ephemeral_zone_mutex);
return (eph_zsd);
}
static cred_t *crdup_flags(const cred_t *, int);
static cred_t *cralloc_flags(int);
static void
destroy_ephemeral_zsd(zoneid_t zone_id, void *arg)
{
ephemeral_zsd_t *eph_zsd = arg;
if (eph_zsd != NULL) {
mutex_destroy(&eph_zsd->eph_lock);
crfree(eph_zsd->eph_nobody);
kmem_free(eph_zsd, sizeof (ephemeral_zsd_t));
}
}
void
cred_init(void)
{
priv_init();
crsize = sizeof (cred_t);
if (get_c2audit_load() > 0) {
#ifdef _LP64
audoff = (crsize +
sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1);
#else
audoff = crsize;
#endif
crsize = audoff + sizeof (auditinfo_addr_t);
crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1);
}
cred_cache = kmem_cache_create("cred_cache", crsize, 0,
NULL, NULL, NULL, NULL, NULL, 0);
dummycr = cralloc();
bzero(dummycr, crsize);
dummycr->cr_ref = 1;
dummycr->cr_uid = (uid_t)-1;
dummycr->cr_gid = (gid_t)-1;
dummycr->cr_ruid = (uid_t)-1;
dummycr->cr_rgid = (gid_t)-1;
dummycr->cr_suid = (uid_t)-1;
dummycr->cr_sgid = (gid_t)-1;
kcred = cralloc();
bzero(kcred, crsize);
kcred->cr_ref = 1;
kcred->cr_zone = &zone0;
priv_fillset(&CR_LPRIV(kcred));
CR_IPRIV(kcred) = *priv_basic;
priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);
if (!rstchown)
priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
if (rstlink)
priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
CR_FLAGS(kcred) = NET_MAC_AWARE;
ttoproc(curthread)->p_cred = kcred;
curthread->t_cred = kcred;
ucredsize = UCRED_SIZE;
mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL);
zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd);
}
static cred_t *
cralloc_flags(int flgs)
{
cred_t *cr = kmem_cache_alloc(cred_cache, flgs);
if (cr == NULL)
return (NULL);
cr->cr_ref = 1;
cr->cr_zone = NULL;
cr->cr_label = NULL;
cr->cr_ksid = NULL;
cr->cr_klpd = NULL;
cr->cr_grps = NULL;
return (cr);
}
cred_t *
cralloc(void)
{
return (cralloc_flags(KM_SLEEP));
}
cred_t *
cralloc_ksid(void)
{
cred_t *cr = cralloc();
if (hasephids)
cr->cr_ksid = kcrsid_alloc();
return (cr);
}
cred_t *
crget(void)
{
cred_t *cr = kmem_cache_alloc(cred_cache, KM_SLEEP);
bcopy(zone_kcred(), cr, crsize);
cr->cr_ref = 1;
zone_cred_hold(cr->cr_zone);
if (cr->cr_label)
label_hold(cr->cr_label);
ASSERT(cr->cr_klpd == NULL);
ASSERT(cr->cr_grps == NULL);
return (cr);
}
void
crset(proc_t *p, cred_t *cr)
{
kthread_id_t t;
kthread_id_t first;
cred_t *oldcr;
ASSERT(p == curproc);
t = curthread;
oldcr = t->t_cred;
t->t_cred = cr;
crfree(oldcr);
if (p->p_lwpcnt > 1) {
mutex_enter(&p->p_lock);
first = curthread;
for (t = first->t_forw; t != first; t = t->t_forw)
t->t_pre_sys = 1;
mutex_exit(&p->p_lock);
}
}
void
crhold(cred_t *cr)
{
ASSERT(cr->cr_ref != 0xdeadbeef && cr->cr_ref != 0);
atomic_inc_32(&cr->cr_ref);
}
void
crfree(cred_t *cr)
{
ASSERT(cr->cr_ref != 0xdeadbeef && cr->cr_ref != 0);
if (atomic_dec_32_nv(&cr->cr_ref) == 0) {
ASSERT(cr != kcred);
if (cr->cr_label)
label_rele(cr->cr_label);
if (cr->cr_klpd)
crklpd_rele(cr->cr_klpd);
if (cr->cr_zone)
zone_cred_rele(cr->cr_zone);
if (cr->cr_ksid)
kcrsid_rele(cr->cr_ksid);
if (cr->cr_grps)
crgrprele(cr->cr_grps);
kmem_cache_free(cred_cache, cr);
}
}
cred_t *
crcopy(cred_t *cr)
{
cred_t *newcr;
newcr = cralloc();
bcopy(cr, newcr, crsize);
if (newcr->cr_zone)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
if (newcr->cr_ksid)
kcrsid_hold(newcr->cr_ksid);
if (newcr->cr_klpd)
crklpd_hold(newcr->cr_klpd);
if (newcr->cr_grps)
crgrphold(newcr->cr_grps);
crfree(cr);
newcr->cr_ref = 2;
return (newcr);
}
void
crcopy_to(cred_t *oldcr, cred_t *newcr)
{
credsid_t *nkcr = newcr->cr_ksid;
bcopy(oldcr, newcr, crsize);
if (newcr->cr_zone)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
if (newcr->cr_klpd)
crklpd_hold(newcr->cr_klpd);
if (newcr->cr_grps)
crgrphold(newcr->cr_grps);
if (nkcr) {
newcr->cr_ksid = nkcr;
kcrsidcopy_to(oldcr->cr_ksid, newcr->cr_ksid);
} else if (newcr->cr_ksid)
kcrsid_hold(newcr->cr_ksid);
crfree(oldcr);
newcr->cr_ref = 2;
}
static cred_t *
crdup_flags(const cred_t *cr, int flgs)
{
cred_t *newcr;
newcr = cralloc_flags(flgs);
if (newcr == NULL)
return (NULL);
bcopy(cr, newcr, crsize);
if (newcr->cr_zone)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
if (newcr->cr_klpd)
crklpd_hold(newcr->cr_klpd);
if (newcr->cr_ksid)
kcrsid_hold(newcr->cr_ksid);
if (newcr->cr_grps)
crgrphold(newcr->cr_grps);
newcr->cr_ref = 1;
return (newcr);
}
cred_t *
crdup(cred_t *cr)
{
return (crdup_flags(cr, KM_SLEEP));
}
void
crdup_to(cred_t *oldcr, cred_t *newcr)
{
credsid_t *nkcr = newcr->cr_ksid;
bcopy(oldcr, newcr, crsize);
if (newcr->cr_zone)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
if (newcr->cr_klpd)
crklpd_hold(newcr->cr_klpd);
if (newcr->cr_grps)
crgrphold(newcr->cr_grps);
if (nkcr) {
newcr->cr_ksid = nkcr;
kcrsidcopy_to(oldcr->cr_ksid, newcr->cr_ksid);
} else if (newcr->cr_ksid)
kcrsid_hold(newcr->cr_ksid);
newcr->cr_ref = 1;
}
cred_t *
crgetcred(void)
{
cred_t *cr;
proc_t *p;
p = ttoproc(curthread);
mutex_enter(&p->p_crlock);
crhold(cr = p->p_cred);
mutex_exit(&p->p_crlock);
return (cr);
}
int
suser(cred_t *cr)
{
return (PRIV_POLICY(cr, PRIV_SYS_SUSER_COMPAT, B_FALSE, EPERM, NULL)
== 0);
}
int
groupmember(gid_t gid, const cred_t *cr)
{
if (gid == cr->cr_gid)
return (1);
return (supgroupmember(gid, cr));
}
int
supgroupmember(gid_t gid, const cred_t *cr)
{
int hi, lo;
credgrp_t *grps = cr->cr_grps;
const gid_t *gp, *endgp;
if (grps == NULL)
return (0);
if (grps->crg_ngroups <= BIN_GROUP_SEARCH_CUTOFF) {
endgp = &grps->crg_groups[grps->crg_ngroups];
for (gp = grps->crg_groups; gp < endgp; gp++)
if (*gp == gid)
return (1);
return (0);
}
lo = 0;
hi = grps->crg_ngroups - 1;
gp = grps->crg_groups;
do {
int m = (lo + hi) / 2;
if (gid > gp[m])
lo = m + 1;
else if (gid < gp[m])
hi = m - 1;
else
return (1);
} while (lo <= hi);
return (0);
}
int
hasprocperm(const cred_t *tcrp, const cred_t *scrp)
{
if (scrp == tcrp)
return (1);
if (scrp->cr_zone != tcrp->cr_zone &&
(scrp->cr_zone != global_zone ||
secpolicy_proc_zone(scrp) != 0))
return (0);
if (scrp->cr_uid == tcrp->cr_ruid ||
scrp->cr_ruid == tcrp->cr_ruid ||
scrp->cr_uid == tcrp->cr_suid ||
scrp->cr_ruid == tcrp->cr_suid ||
!PRIV_POLICY(scrp, PRIV_PROC_OWNER, B_FALSE, EPERM, "hasprocperm"))
return (1);
return (0);
}
int
prochasprocperm(proc_t *tp, proc_t *sp, const cred_t *scrp)
{
int rets;
cred_t *tcrp;
ASSERT(MUTEX_NOT_HELD(&tp->p_crlock));
if (tp == sp)
return (1);
if (tp->p_sessp != sp->p_sessp && secpolicy_basic_proc(scrp) != 0)
return (0);
mutex_enter(&tp->p_crlock);
crhold(tcrp = tp->p_cred);
mutex_exit(&tp->p_crlock);
rets = hasprocperm(tcrp, scrp);
crfree(tcrp);
return (rets);
}
int
crcmp(const cred_t *cr1, const cred_t *cr2)
{
credgrp_t *grp1, *grp2;
if (cr1 == cr2)
return (0);
if (cr1->cr_uid == cr2->cr_uid &&
cr1->cr_gid == cr2->cr_gid &&
cr1->cr_ruid == cr2->cr_ruid &&
cr1->cr_rgid == cr2->cr_rgid &&
cr1->cr_zone == cr2->cr_zone &&
((grp1 = cr1->cr_grps) == (grp2 = cr2->cr_grps) ||
(grp1 != NULL && grp2 != NULL &&
grp1->crg_ngroups == grp2->crg_ngroups &&
bcmp(grp1->crg_groups, grp2->crg_groups,
grp1->crg_ngroups * sizeof (gid_t)) == 0))) {
return (!priv_isequalset(&CR_OEPRIV(cr1), &CR_OEPRIV(cr2)));
}
return (1);
}
uid_t
crgetuid(const cred_t *cr)
{
return (cr->cr_uid);
}
uid_t
crgetruid(const cred_t *cr)
{
return (cr->cr_ruid);
}
uid_t
crgetsuid(const cred_t *cr)
{
return (cr->cr_suid);
}
gid_t
crgetgid(const cred_t *cr)
{
return (cr->cr_gid);
}
gid_t
crgetrgid(const cred_t *cr)
{
return (cr->cr_rgid);
}
gid_t
crgetsgid(const cred_t *cr)
{
return (cr->cr_sgid);
}
const auditinfo_addr_t *
crgetauinfo(const cred_t *cr)
{
return ((const auditinfo_addr_t *)CR_AUINFO(cr));
}
auditinfo_addr_t *
crgetauinfo_modifiable(cred_t *cr)
{
return (CR_AUINFO(cr));
}
zoneid_t
crgetzoneid(const cred_t *cr)
{
return (cr->cr_zone == NULL ?
(cr->cr_uid == -1 ? (zoneid_t)-1 : GLOBAL_ZONEID) :
cr->cr_zone->zone_id);
}
projid_t
crgetprojid(const cred_t *cr)
{
return (cr->cr_projid);
}
zone_t *
crgetzone(const cred_t *cr)
{
return (cr->cr_zone);
}
struct ts_label_s *
crgetlabel(const cred_t *cr)
{
return (cr->cr_label ?
cr->cr_label :
(cr->cr_zone ? cr->cr_zone->zone_slabel : NULL));
}
boolean_t
crisremote(const cred_t *cr)
{
return (REMOTE_PEER_CRED(cr));
}
#define BADUID(x, zn) ((x) != -1 && !VALID_UID((x), (zn)))
#define BADGID(x, zn) ((x) != -1 && !VALID_GID((x), (zn)))
int
crsetresuid(cred_t *cr, uid_t r, uid_t e, uid_t s)
{
zone_t *zone = crgetzone(cr);
ASSERT(cr->cr_ref <= 2);
if (BADUID(r, zone) || BADUID(e, zone) || BADUID(s, zone))
return (-1);
if (r != -1)
cr->cr_ruid = r;
if (e != -1)
cr->cr_uid = e;
if (s != -1)
cr->cr_suid = s;
return (0);
}
int
crsetresgid(cred_t *cr, gid_t r, gid_t e, gid_t s)
{
zone_t *zone = crgetzone(cr);
ASSERT(cr->cr_ref <= 2);
if (BADGID(r, zone) || BADGID(e, zone) || BADGID(s, zone))
return (-1);
if (r != -1)
cr->cr_rgid = r;
if (e != -1)
cr->cr_gid = e;
if (s != -1)
cr->cr_sgid = s;
return (0);
}
int
crsetugid(cred_t *cr, uid_t uid, gid_t gid)
{
zone_t *zone = crgetzone(cr);
ASSERT(cr->cr_ref <= 2);
if (!VALID_UID(uid, zone) || !VALID_GID(gid, zone))
return (-1);
cr->cr_uid = cr->cr_ruid = cr->cr_suid = uid;
cr->cr_gid = cr->cr_rgid = cr->cr_sgid = gid;
return (0);
}
static int
gidcmp(const void *v1, const void *v2)
{
gid_t g1 = *(gid_t *)v1;
gid_t g2 = *(gid_t *)v2;
if (g1 < g2)
return (-1);
else if (g1 > g2)
return (1);
else
return (0);
}
int
crsetgroups(cred_t *cr, int n, gid_t *grp)
{
ASSERT(cr->cr_ref <= 2);
if (n > ngroups_max || n < 0)
return (-1);
if (cr->cr_grps != NULL)
crgrprele(cr->cr_grps);
if (n > 0) {
cr->cr_grps = kmem_alloc(CREDGRPSZ(n), KM_SLEEP);
bcopy(grp, cr->cr_grps->crg_groups, n * sizeof (gid_t));
cr->cr_grps->crg_ref = 1;
cr->cr_grps->crg_ngroups = n;
qsort(cr->cr_grps->crg_groups, n, sizeof (gid_t), gidcmp);
} else {
cr->cr_grps = NULL;
}
return (0);
}
void
crsetprojid(cred_t *cr, projid_t projid)
{
ASSERT(projid >= 0 && projid <= MAXPROJID);
cr->cr_projid = projid;
}
const gid_t *
crgetgroups(const cred_t *cr)
{
return (cr->cr_grps == NULL ? &cr->cr_gid : cr->cr_grps->crg_groups);
}
int
crgetngroups(const cred_t *cr)
{
return (cr->cr_grps == NULL ? 0 : cr->cr_grps->crg_ngroups);
}
void
cred2prcred(const cred_t *cr, prcred_t *pcrp)
{
pcrp->pr_euid = cr->cr_uid;
pcrp->pr_ruid = cr->cr_ruid;
pcrp->pr_suid = cr->cr_suid;
pcrp->pr_egid = cr->cr_gid;
pcrp->pr_rgid = cr->cr_rgid;
pcrp->pr_sgid = cr->cr_sgid;
pcrp->pr_groups[0] = 0;
pcrp->pr_ngroups = cr->cr_grps == NULL ? 0 : cr->cr_grps->crg_ngroups;
if (pcrp->pr_ngroups != 0)
bcopy(cr->cr_grps->crg_groups, pcrp->pr_groups,
sizeof (gid_t) * pcrp->pr_ngroups);
}
static int
cred2ucaud(const cred_t *cr, auditinfo64_addr_t *ainfo, const cred_t *rcr)
{
auditinfo_addr_t *ai;
au_tid_addr_t tid;
if (secpolicy_audit_getattr(rcr, B_TRUE) != 0)
return (-1);
ai = CR_AUINFO(cr);
tid = ai->ai_termid;
ainfo->ai_auid = ai->ai_auid;
ainfo->ai_mask = ai->ai_mask;
ainfo->ai_asid = ai->ai_asid;
ainfo->ai_termid.at_type = tid.at_type;
bcopy(&tid.at_addr, &ainfo->ai_termid.at_addr, 4 * sizeof (uint_t));
ainfo->ai_termid.at_port.at_major = (uint32_t)getmajor(tid.at_port);
ainfo->ai_termid.at_port.at_minor = (uint32_t)getminor(tid.at_port);
return (0);
}
void
cred2uclabel(const cred_t *cr, bslabel_t *labelp)
{
ts_label_t *tslp;
if ((tslp = crgetlabel(cr)) != NULL)
bcopy(&tslp->tsl_label, labelp, sizeof (bslabel_t));
}
struct ucred_s *
cred2ucred(const cred_t *cr, pid_t pid, void *buf, const cred_t *rcr)
{
struct ucred_s *uc;
uint32_t realsz = ucredminsize(cr);
ts_label_t *tslp = is_system_labeled() ? crgetlabel(cr) : NULL;
if (buf == NULL) {
uc = kmem_zalloc(realsz, KM_SLEEP);
} else {
bzero(buf, realsz);
uc = buf;
}
uc->uc_size = realsz;
uc->uc_pid = pid;
uc->uc_projid = cr->cr_projid;
uc->uc_zoneid = crgetzoneid(cr);
if (REMOTE_PEER_CRED(cr)) {
uc->uc_labeloff = tslp == NULL ? 0 : sizeof (struct ucred_s);
} else {
uc->uc_credoff = UCRED_CRED_OFF;
uc->uc_privoff = UCRED_PRIV_OFF;
uc->uc_audoff = UCRED_AUD_OFF;
uc->uc_labeloff = tslp == NULL ? 0 : UCRED_LABEL_OFF;
cred2prcred(cr, UCCRED(uc));
cred2prpriv(cr, UCPRIV(uc));
if (audoff == 0 || cred2ucaud(cr, UCAUD(uc), rcr) != 0)
uc->uc_audoff = 0;
}
if (tslp != NULL)
bcopy(&tslp->tsl_label, UCLABEL(uc), sizeof (bslabel_t));
return (uc);
}
uint32_t
ucredminsize(const cred_t *cr)
{
int ndiff;
if (cr == NULL)
return (ucredsize);
if (REMOTE_PEER_CRED(cr)) {
if (is_system_labeled())
return (sizeof (struct ucred_s) + sizeof (bslabel_t));
else
return (sizeof (struct ucred_s));
}
if (cr->cr_grps == NULL)
ndiff = ngroups_max - 1;
else
ndiff = ngroups_max - cr->cr_grps->crg_ngroups;
return (ucredsize - ndiff * sizeof (gid_t));
}
struct ucred_s *
pgetucred(proc_t *p)
{
cred_t *cr;
struct ucred_s *uc;
mutex_enter(&p->p_crlock);
cr = p->p_cred;
crhold(cr);
mutex_exit(&p->p_crlock);
uc = cred2ucred(cr, p->p_pid, NULL, CRED());
crfree(cr);
return (uc);
}
cred_t *
crnetadjust(cred_t *cr)
{
if (cr->cr_uid == 0 && cr->cr_ruid != 0) {
cr = crdup(cr);
cr->cr_uid = cr->cr_ruid;
return (cr);
}
return (NULL);
}
uint_t
crgetref(const cred_t *cr)
{
return (cr->cr_ref);
}
static int
get_c2audit_load(void)
{
static int gotit = 0;
static int c2audit_load;
if (gotit)
return (c2audit_load);
c2audit_load = 1;
if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0)
c2audit_load = 0;
gotit++;
return (c2audit_load);
}
int
get_audit_ucrsize(void)
{
return (get_c2audit_load() ? sizeof (auditinfo64_addr_t) : 0);
}
void
crsetzone(cred_t *cr, zone_t *zptr)
{
zone_t *oldzptr = cr->cr_zone;
ASSERT(cr != kcred);
ASSERT(cr->cr_ref <= 2);
cr->cr_zone = zptr;
zone_cred_hold(zptr);
if (oldzptr)
zone_cred_rele(oldzptr);
}
cred_t *
newcred_from_bslabel(bslabel_t *blabel, uint32_t doi, int flags)
{
ts_label_t *lbl = labelalloc(blabel, doi, flags);
cred_t *cr = NULL;
if (lbl != NULL) {
if ((cr = crdup_flags(dummycr, flags)) != NULL) {
cr->cr_label = lbl;
} else {
label_rele(lbl);
}
}
return (cr);
}
cred_t *
copycred_from_tslabel(const cred_t *cr, ts_label_t *label, int flags)
{
cred_t *newcr = NULL;
if ((newcr = crdup_flags(cr, flags)) != NULL) {
if (newcr->cr_label != NULL)
label_rele(newcr->cr_label);
label_hold(label);
newcr->cr_label = label;
}
return (newcr);
}
cred_t *
copycred_from_bslabel(const cred_t *cr, bslabel_t *blabel,
uint32_t doi, int flags)
{
ts_label_t *lbl = labelalloc(blabel, doi, flags);
cred_t *newcr = NULL;
if (lbl != NULL) {
newcr = copycred_from_tslabel(cr, lbl, flags);
label_rele(lbl);
}
return (newcr);
}
cred_t *
zone_kcred(void)
{
zone_t *zone;
if ((zone = CRED()->cr_zone) != NULL)
return (zone->zone_kcred);
else
return (kcred);
}
boolean_t
valid_ephemeral_uid(zone_t *zone, uid_t id)
{
ephemeral_zsd_t *eph_zsd;
if (id <= IDMAP_WK__MAX_UID)
return (B_TRUE);
eph_zsd = get_ephemeral_zsd(zone);
ASSERT(eph_zsd != NULL);
membar_consumer();
return (id > eph_zsd->min_uid && id <= eph_zsd->last_uid);
}
boolean_t
valid_ephemeral_gid(zone_t *zone, gid_t id)
{
ephemeral_zsd_t *eph_zsd;
if (id <= IDMAP_WK__MAX_GID)
return (B_TRUE);
eph_zsd = get_ephemeral_zsd(zone);
ASSERT(eph_zsd != NULL);
membar_consumer();
return (id > eph_zsd->min_gid && id <= eph_zsd->last_gid);
}
int
eph_uid_alloc(zone_t *zone, int flags, uid_t *start, int count)
{
ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
ASSERT(eph_zsd != NULL);
mutex_enter(&eph_zsd->eph_lock);
if (eph_zsd->last_uid + count < eph_zsd->last_uid) {
mutex_exit(&eph_zsd->eph_lock);
return (-1);
}
if (flags != 0)
eph_zsd->min_uid = eph_zsd->last_uid;
hasephids = B_TRUE;
*start = eph_zsd->last_uid + 1;
atomic_add_32(&eph_zsd->last_uid, count);
mutex_exit(&eph_zsd->eph_lock);
return (0);
}
int
eph_gid_alloc(zone_t *zone, int flags, gid_t *start, int count)
{
ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
ASSERT(eph_zsd != NULL);
mutex_enter(&eph_zsd->eph_lock);
if (eph_zsd->last_gid + count < eph_zsd->last_gid) {
mutex_exit(&eph_zsd->eph_lock);
return (-1);
}
if (flags != 0)
eph_zsd->min_gid = eph_zsd->last_gid;
hasephids = B_TRUE;
*start = eph_zsd->last_gid + 1;
atomic_add_32(&eph_zsd->last_gid, count);
mutex_exit(&eph_zsd->eph_lock);
return (0);
}
void
get_ephemeral_data(zone_t *zone, uid_t *min_uid, uid_t *last_uid,
gid_t *min_gid, gid_t *last_gid)
{
ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
ASSERT(eph_zsd != NULL);
mutex_enter(&eph_zsd->eph_lock);
*min_uid = eph_zsd->min_uid;
*last_uid = eph_zsd->last_uid;
*min_gid = eph_zsd->min_gid;
*last_gid = eph_zsd->last_gid;
mutex_exit(&eph_zsd->eph_lock);
}
void
set_ephemeral_data(zone_t *zone, uid_t min_uid, uid_t last_uid,
gid_t min_gid, gid_t last_gid)
{
ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
ASSERT(eph_zsd != NULL);
mutex_enter(&eph_zsd->eph_lock);
if (min_uid != 0)
eph_zsd->min_uid = min_uid;
if (last_uid != 0)
eph_zsd->last_uid = last_uid;
if (min_gid != 0)
eph_zsd->min_gid = min_gid;
if (last_gid != 0)
eph_zsd->last_gid = last_gid;
mutex_exit(&eph_zsd->eph_lock);
}
cred_t *
crgetmapped(const cred_t *cr)
{
ephemeral_zsd_t *eph_zsd;
if (cr == NULL)
return (NULL);
if (cr->cr_ksid != NULL) {
if (cr->cr_ksid->kr_sidx[KSID_USER].ks_id > MAXUID) {
eph_zsd = get_ephemeral_zsd(crgetzone(cr));
return (eph_zsd->eph_nobody);
}
if (cr->cr_ksid->kr_sidx[KSID_GROUP].ks_id > MAXUID) {
eph_zsd = get_ephemeral_zsd(crgetzone(cr));
return (eph_zsd->eph_nobody);
}
}
return ((cred_t *)cr);
}
void
crsetsid(cred_t *cr, ksid_t *ksp, int index)
{
ASSERT(cr->cr_ref <= 2);
ASSERT(index >= 0 && index < KSID_COUNT);
if (cr->cr_ksid == NULL && ksp == NULL)
return;
cr->cr_ksid = kcrsid_setsid(cr->cr_ksid, ksp, index);
}
void
crsetsidlist(cred_t *cr, ksidlist_t *ksl)
{
ASSERT(cr->cr_ref <= 2);
if (cr->cr_ksid == NULL && ksl == NULL)
return;
cr->cr_ksid = kcrsid_setsidlist(cr->cr_ksid, ksl);
}
ksid_t *
crgetsid(const cred_t *cr, int i)
{
ASSERT(i >= 0 && i < KSID_COUNT);
if (cr->cr_ksid != NULL && cr->cr_ksid->kr_sidx[i].ks_domain)
return ((ksid_t *)&cr->cr_ksid->kr_sidx[i]);
return (NULL);
}
ksidlist_t *
crgetsidlist(const cred_t *cr)
{
if (cr->cr_ksid != NULL)
return (cr->cr_ksid->kr_sidlist);
return (NULL);
}
int
crsetpriv(cred_t *cr, ...)
{
va_list ap;
const char *privnm;
ASSERT(cr->cr_ref <= 2);
priv_set_PA(cr);
va_start(ap, cr);
while ((privnm = va_arg(ap, const char *)) != NULL) {
int priv = priv_getbyname(privnm, 0);
if (priv < 0)
return (-1);
priv_addset(&CR_PPRIV(cr), priv);
priv_addset(&CR_EPRIV(cr), priv);
}
priv_adjust_PA(cr);
va_end(ap);
return (0);
}
void
crset_zone_privall(cred_t *cr)
{
zone_t *zone = crgetzone(cr);
priv_fillset(&CR_LPRIV(cr));
CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr);
priv_intersect(zone->zone_privset, &CR_LPRIV(cr));
priv_intersect(zone->zone_privset, &CR_EPRIV(cr));
priv_intersect(zone->zone_privset, &CR_IPRIV(cr));
priv_intersect(zone->zone_privset, &CR_PPRIV(cr));
}
struct credklpd *
crgetcrklpd(const cred_t *cr)
{
return (cr->cr_klpd);
}
void
crsetcrklpd(cred_t *cr, struct credklpd *crklpd)
{
ASSERT(cr->cr_ref <= 2);
if (cr->cr_klpd != NULL)
crklpd_rele(cr->cr_klpd);
cr->cr_klpd = crklpd;
}
credgrp_t *
crgrpcopyin(int n, gid_t *gidset)
{
credgrp_t *mem;
size_t sz = CREDGRPSZ(n);
ASSERT(n > 0);
mem = kmem_alloc(sz, KM_SLEEP);
if (copyin(gidset, mem->crg_groups, sizeof (gid_t) * n)) {
kmem_free(mem, sz);
return (NULL);
}
mem->crg_ref = 1;
mem->crg_ngroups = n;
qsort(mem->crg_groups, n, sizeof (gid_t), gidcmp);
return (mem);
}
const gid_t *
crgetggroups(const credgrp_t *grps)
{
return (grps->crg_groups);
}
void
crsetcredgrp(cred_t *cr, credgrp_t *grps)
{
ASSERT(cr->cr_ref <= 2);
if (cr->cr_grps != NULL)
crgrprele(cr->cr_grps);
cr->cr_grps = grps;
}
void
crgrprele(credgrp_t *grps)
{
if (atomic_dec_32_nv(&grps->crg_ref) == 0)
kmem_free(grps, CREDGRPSZ(grps->crg_ngroups));
}
static void
crgrphold(credgrp_t *grps)
{
atomic_inc_32(&grps->crg_ref);
}
