4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
25 #include <sys/param.h>
26 #include <sys/types.h>
27 #include <sys/sysmacros.h>
28 #include <sys/systm.h>
29 #include <sys/cred_impl.h>
30 #include <sys/errno.h>
31 #include <sys/pathname.h>
34 #include <sys/priv_impl.h>
35 #include <sys/policy.h>
37 #include <sys/thread.h>
38 #include <sys/cmn_err.h>
41 * System call support for manipulating privileges.
44 * setppriv(2) - set process privilege set
45 * getppriv(2) - get process privilege set
46 * getprivimplinfo(2) - get process privilege implementation information
47 * setpflags(2) - set process (privilege) flags
48 * getpflags(2) - get process (privilege) flags
52 * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
55 setppriv(priv_op_t op
, priv_ptype_t type
, priv_set_t
*in_pset
)
57 priv_set_t pset
, *target
;
60 boolean_t donocd
= B_FALSE
;
62 if (!PRIV_VALIDSET(type
) || !PRIV_VALIDOP(op
))
63 return (set_errno(EINVAL
));
65 if (copyin(in_pset
, &pset
, sizeof (priv_set_t
)))
66 return (set_errno(EFAULT
));
68 p
= ttoproc(curthread
);
70 mutex_enter(&p
->p_crlock
);
76 * Filter out unallowed request (bad op and bad type)
82 * Turning on privileges; the limit set cannot grow,
83 * other sets can but only as long as they remain subsets
84 * of P. Only immediately after exec holds that P <= L.
86 if (type
== PRIV_LIMIT
&&
87 !priv_issubset(&pset
, &CR_LPRIV(pcr
))) {
88 mutex_exit(&p
->p_crlock
);
90 return (set_errno(EPERM
));
92 if (!priv_issubset(&pset
, &CR_OPPRIV(pcr
)) &&
93 !priv_issubset(&pset
, priv_getset(pcr
, type
))) {
94 mutex_exit(&p
->p_crlock
);
95 /* Policy override should not grow beyond L either */
96 if (type
!= PRIV_INHERITABLE
||
97 !priv_issubset(&pset
, &CR_LPRIV(pcr
)) ||
98 secpolicy_require_privs(CRED(), &pset
) != 0) {
100 return (set_errno(EPERM
));
102 mutex_enter(&p
->p_crlock
);
103 if (pcr
!= p
->p_cred
)
110 /* PRIV_OFF is always allowed */
115 * OK! everything is cool.
121 * If we change the effective, permitted or limit set, we attain
122 * "privilege awareness".
124 if (type
!= PRIV_INHERITABLE
)
127 target
= &(CR_PRIVS(cr
)->crprivs
[type
]);
131 priv_union(&pset
, target
);
135 priv_intersect(target
, &pset
);
138 * Fall-thru to set target and change other process
147 * Take privileges no longer permitted out
148 * of other effective sets as well.
149 * Limit set is enforced at exec() time.
151 if (type
== PRIV_PERMITTED
)
152 priv_intersect(&pset
, &CR_EPRIV(cr
));
157 * When we give up privileges not in the inheritable set,
158 * set SNOCD if not already set; first we compute the
159 * privileges removed from P using Diff = (~P') & P
160 * and then we check whether the removed privileges are
161 * a subset of I. If we retain uid 0, all privileges
162 * are required anyway so don't set SNOCD.
164 if (type
== PRIV_PERMITTED
&& (p
->p_flag
& SNOCD
) == 0 &&
165 cr
->cr_uid
!= 0 && cr
->cr_ruid
!= 0 && cr
->cr_suid
!= 0) {
166 priv_set_t diff
= CR_OPPRIV(cr
);
168 priv_intersect(&CR_OPPRIV(pcr
), &diff
);
169 donocd
= !priv_issubset(&diff
, &CR_IPRIV(cr
));
173 mutex_exit(&p
->p_crlock
);
176 mutex_enter(&p
->p_lock
);
178 mutex_exit(&p
->p_lock
);
182 * The basic_test privilege should not be removed from E;
183 * if that has happened, then some programmer typically set the E/P to
184 * empty. That is not portable.
186 if ((type
== PRIV_EFFECTIVE
|| type
== PRIV_PERMITTED
) &&
187 priv_basic_test
>= 0 && !PRIV_ISMEMBER(target
, priv_basic_test
)) {
189 pid_t pid
= p
->p_pid
;
190 char *fn
= PTOU(p
)->u_comm
;
192 cmn_err(CE_WARN
, "%s[%d]: setppriv: basic_test privilege "
193 "removed from E/P", fn
, pid
);
196 crset(p
, cr
); /* broadcast to process threads */
202 * getppriv (priv_ptype_t, priv_set_t *)
205 getppriv(priv_ptype_t type
, priv_set_t
*pset
)
207 if (!PRIV_VALIDSET(type
))
208 return (set_errno(EINVAL
));
210 if (copyout(priv_getset(CRED(), type
), pset
, sizeof (priv_set_t
)) != 0)
211 return (set_errno(EFAULT
));
217 getprivimplinfo(void *buf
, size_t bufsize
)
221 err
= copyout(priv_hold_implinfo(), buf
, min(bufsize
, privinfosize
));
223 priv_release_implinfo();
226 return (set_errno(EFAULT
));
232 * Set process flags in the given target cred. If NULL is specified, then
233 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
234 * crdup'ed, or equivalent). Some flags are set in the proc rather than cred;
235 * for these, curproc is always used.
237 * For now we cheat: the flags are actually bit masks so we can simplify
238 * some; we do make sure that the arguments are valid, though.
242 setpflags(uint_t flag
, uint_t val
, cred_t
*tcr
)
247 boolean_t use_curcred
= (tcr
== NULL
);
249 if (val
> 1 || (flag
!= PRIV_DEBUG
&& flag
!= PRIV_AWARE
&&
250 flag
!= __PROC_PROTECT
&& flag
!= PRIV_XPOLICY
&&
251 flag
!= PRIV_AWARE_RESET
&& flag
!= PRIV_PFEXEC
)) {
255 if (flag
== __PROC_PROTECT
) {
256 mutex_enter(&p
->p_lock
);
261 mutex_exit(&p
->p_lock
);
267 mutex_enter(&p
->p_crlock
);
273 newflags
= CR_FLAGS(pcr
);
276 if (flag
== PRIV_AWARE
)
277 newflags
&= ~PRIV_AWARE_RESET
;
284 if (CR_FLAGS(pcr
) == newflags
) {
286 mutex_exit(&p
->p_crlock
);
292 /* Trying to unset PA; if we can't, return an error */
293 if (flag
== PRIV_AWARE
&& val
== 0 && !priv_can_clear_PA(pcr
)) {
295 mutex_exit(&p
->p_crlock
);
301 /* Committed to changing the flag */
304 if (flag
== PRIV_AWARE
) {
310 CR_FLAGS(cr
) = newflags
;
314 * Unsetting the flag has as side effect getting rid of
315 * the per-credential policy.
317 if (flag
== PRIV_XPOLICY
&& val
== 0)
318 crsetcrklpd(cr
, NULL
);
322 mutex_exit(&p
->p_crlock
);
330 * Getpflags. Currently only implements single bit flags.
333 getpflags(uint_t flag
, const cred_t
*cr
)
335 if (flag
!= PRIV_DEBUG
&& flag
!= PRIV_AWARE
&&
336 flag
!= PRIV_XPOLICY
&& flag
!= PRIV_PFEXEC
&&
337 flag
!= PRIV_AWARE_RESET
)
340 return ((CR_FLAGS(cr
) & flag
) != 0);
344 * Privilege system call entry point
347 privsys(int code
, priv_op_t op
, priv_ptype_t type
, void *buf
, size_t bufsize
,
351 extern int issetugid(void);
354 case PRIVSYS_SETPPRIV
:
355 if (bufsize
< sizeof (priv_set_t
))
356 return (set_errno(ENOMEM
));
357 return (setppriv(op
, type
, buf
));
358 case PRIVSYS_GETPPRIV
:
359 if (bufsize
< sizeof (priv_set_t
))
360 return (set_errno(ENOMEM
));
361 return (getppriv(type
, buf
));
362 case PRIVSYS_GETIMPLINFO
:
363 return (getprivimplinfo(buf
, bufsize
));
364 case PRIVSYS_SETPFLAGS
:
365 retv
= setpflags((uint_t
)op
, (uint_t
)type
, NULL
);
366 return (retv
!= 0 ? set_errno(retv
) : 0);
367 case PRIVSYS_GETPFLAGS
:
368 retv
= (int)getpflags((uint_t
)op
, CRED());
369 return (retv
== -1 ? set_errno(EINVAL
) : retv
);
370 case PRIVSYS_ISSETUGID
:
371 return (issetugid());
372 case PRIVSYS_KLPD_REG
:
373 if (bufsize
< sizeof (priv_set_t
))
374 return (set_errno(ENOMEM
));
375 return ((int)klpd_reg((int)op
, (idtype_t
)itype
, (id_t
)type
,
377 case PRIVSYS_KLPD_UNREG
:
378 return ((int)klpd_unreg((int)op
, (idtype_t
)itype
, (id_t
)type
));
379 case PRIVSYS_PFEXEC_REG
:
380 return ((int)pfexec_reg((int)op
));
381 case PRIVSYS_PFEXEC_UNREG
:
382 return ((int)pfexec_unreg((int)op
));
384 return (set_errno(EINVAL
));
387 #ifdef _SYSCALL32_IMPL
389 privsys32(int code
, priv_op_t op
, priv_ptype_t type
, caddr32_t buf
,
390 size32_t bufsize
, int itype
)
392 return (privsys(code
, op
, type
, (void *)(uintptr_t)buf
,
393 (size_t)bufsize
, itype
));