kernel/syscall/ppriv.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24
  25 #include <sys/param.h>
  26 #include <sys/types.h>
  27 #include <sys/sysmacros.h>
  28 #include <sys/systm.h>
  29 #include <sys/cred_impl.h>
  30 #include <sys/errno.h>
  31 #include <sys/pathname.h>
  32 #include <sys/klpd.h>
  33 #include <sys/proc.h>
  34 #include <sys/priv_impl.h>
  35 #include <sys/policy.h>
  36 #include <sys/ddi.h>
  37 #include <sys/thread.h>
  38 #include <sys/cmn_err.h>
  39
  40 /*
  41  * System call support for manipulating privileges.
  42  *
  43  *
  44  * setppriv(2) - set process privilege set
  45  * getppriv(2) - get process privilege set
  46  * getprivimplinfo(2) - get process privilege implementation information
  47  * setpflags(2) - set process (privilege) flags
  48  * getpflags(2) - get process (privilege) flags
  49  */
  50
  51 /*
  52  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
  53  */
  54 static int
  55 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
  56 {
  57         priv_set_t      pset, *target;
  58         cred_t          *cr, *pcr;
  59         proc_t          *p;
  60         boolean_t       donocd = B_FALSE;
  61
  62         if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
  63                 return (set_errno(EINVAL));
  64
  65         if (copyin(in_pset, &pset, sizeof (priv_set_t)))
  66                 return (set_errno(EFAULT));
  67
  68         p = ttoproc(curthread);
  69         cr = cralloc();
  70         mutex_enter(&p->p_crlock);
  71
  72 retry:
  73         pcr = p->p_cred;
  74
  75         /*
  76          * Filter out unallowed request (bad op and bad type)
  77          */
  78         switch (op) {
  79         case PRIV_ON:
  80         case PRIV_SET:
  81                 /*
  82                  * Turning on privileges; the limit set cannot grow,
  83                  * other sets can but only as long as they remain subsets
  84                  * of P.  Only immediately after exec holds that P <= L.
  85                  */
  86                 if (type == PRIV_LIMIT &&
  87                     !priv_issubset(&pset, &CR_LPRIV(pcr))) {
  88                         mutex_exit(&p->p_crlock);
  89                         crfree(cr);
  90                         return (set_errno(EPERM));
  91                 }
  92                 if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
  93                     !priv_issubset(&pset, priv_getset(pcr, type))) {
  94                         mutex_exit(&p->p_crlock);
  95                         /* Policy override should not grow beyond L either */
  96                         if (type != PRIV_INHERITABLE ||
  97                             !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
  98                             secpolicy_require_privs(CRED(), &pset) != 0) {
  99                                 crfree(cr);
 100                                 return (set_errno(EPERM));
 101                         }
 102                         mutex_enter(&p->p_crlock);
 103                         if (pcr != p->p_cred)
 104                                 goto retry;
 105                         donocd = B_TRUE;
 106                 }
 107                 break;
 108
 109         case PRIV_OFF:
 110                 /* PRIV_OFF is always allowed */
 111                 break;
 112         }
 113
 114         /*
 115          * OK! everything is cool.
 116          * Do cred COW.
 117          */
 118         crcopy_to(pcr, cr);
 119
 120         /*
 121          * If we change the effective, permitted or limit set, we attain
 122          * "privilege awareness".
 123          */
 124         if (type != PRIV_INHERITABLE)
 125                 priv_set_PA(cr);
 126
 127         target = &(CR_PRIVS(cr)->crprivs[type]);
 128
 129         switch (op) {
 130         case PRIV_ON:
 131                 priv_union(&pset, target);
 132                 break;
 133         case PRIV_OFF:
 134                 priv_inverse(&pset);
 135                 priv_intersect(target, &pset);
 136
 137                 /*
 138                  * Fall-thru to set target and change other process
 139                  * privilege sets.
 140                  */
 141                 /*FALLTHRU*/
 142
 143         case PRIV_SET:
 144                 *target = pset;
 145
 146                 /*
 147                  * Take privileges no longer permitted out
 148                  * of other effective sets as well.
 149                  * Limit set is enforced at exec() time.
 150                  */
 151                 if (type == PRIV_PERMITTED)
 152                         priv_intersect(&pset, &CR_EPRIV(cr));
 153                 break;
 154         }
 155
 156         /*
 157          * When we give up privileges not in the inheritable set,
 158          * set SNOCD if not already set; first we compute the
 159          * privileges removed from P using Diff = (~P') & P
 160          * and then we check whether the removed privileges are
 161          * a subset of I.  If we retain uid 0, all privileges
 162          * are required anyway so don't set SNOCD.
 163          */
 164         if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
 165             cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
 166                 priv_set_t diff = CR_OPPRIV(cr);
 167                 priv_inverse(&diff);
 168                 priv_intersect(&CR_OPPRIV(pcr), &diff);
 169                 donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
 170         }
 171
 172         p->p_cred = cr;
 173         mutex_exit(&p->p_crlock);
 174
 175         if (donocd) {
 176                 mutex_enter(&p->p_lock);
 177                 p->p_flag |= SNOCD;
 178                 mutex_exit(&p->p_lock);
 179         }
 180
 181         /*
 182          * The basic_test privilege should not be removed from E;
 183          * if that has happened, then some programmer typically set the E/P to
 184          * empty. That is not portable.
 185          */
 186         if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
 187             priv_basic_test >= 0 && !PRIV_ISMEMBER(target, priv_basic_test)) {
 188                 proc_t *p = curproc;
 189                 pid_t pid = p->p_pid;
 190                 char *fn = PTOU(p)->u_comm;
 191
 192                 cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
 193                     "removed from E/P", fn, pid);
 194         }
 195
 196         crset(p, cr);           /* broadcast to process threads */
 197
 198         return (0);
 199 }
 200
 201 /*
 202  * getppriv (priv_ptype_t, priv_set_t *)
 203  */
 204 static int
 205 getppriv(priv_ptype_t type, priv_set_t *pset)
 206 {
 207         if (!PRIV_VALIDSET(type))
 208                 return (set_errno(EINVAL));
 209
 210         if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
 211                 return (set_errno(EFAULT));
 212
 213         return (0);
 214 }
 215
 216 static int
 217 getprivimplinfo(void *buf, size_t bufsize)
 218 {
 219         int err;
 220
 221         err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
 222
 223         priv_release_implinfo();
 224
 225         if (err)
 226                 return (set_errno(EFAULT));
 227
 228         return (0);
 229 }
 230
 231 /*
 232  * Set process flags in the given target cred.  If NULL is specified, then
 233  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
 234  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
 235  * for these, curproc is always used.
 236  *
 237  * For now we cheat: the flags are actually bit masks so we can simplify
 238  * some; we do make sure that the arguments are valid, though.
 239  */
 240
 241 int
 242 setpflags(uint_t flag, uint_t val, cred_t *tcr)
 243 {
 244         cred_t *cr, *pcr;
 245         proc_t *p = curproc;
 246         uint_t newflags;
 247         boolean_t use_curcred = (tcr == NULL);
 248
 249         if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
 250             flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
 251             flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
 252                 return (EINVAL);
 253         }
 254
 255         if (flag == __PROC_PROTECT) {
 256                 mutex_enter(&p->p_lock);
 257                 if (val == 0)
 258                         p->p_flag &= ~SNOCD;
 259                 else
 260                         p->p_flag |= SNOCD;
 261                 mutex_exit(&p->p_lock);
 262                 return (0);
 263         }
 264
 265         if (use_curcred) {
 266                 cr = cralloc();
 267                 mutex_enter(&p->p_crlock);
 268                 pcr = p->p_cred;
 269         } else {
 270                 cr = pcr = tcr;
 271         }
 272
 273         newflags = CR_FLAGS(pcr);
 274
 275         if (val != 0) {
 276                 if (flag == PRIV_AWARE)
 277                         newflags &= ~PRIV_AWARE_RESET;
 278                 newflags |= flag;
 279         } else {
 280                 newflags &= ~flag;
 281         }
 282
 283         /* No change */
 284         if (CR_FLAGS(pcr) == newflags) {
 285                 if (use_curcred) {
 286                         mutex_exit(&p->p_crlock);
 287                         crfree(cr);
 288                 }
 289                 return (0);
 290         }
 291
 292         /* Trying to unset PA; if we can't, return an error */
 293         if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
 294                 if (use_curcred) {
 295                         mutex_exit(&p->p_crlock);
 296                         crfree(cr);
 297                 }
 298                 return (EPERM);
 299         }
 300
 301         /* Committed to changing the flag */
 302         if (use_curcred)
 303                 crcopy_to(pcr, cr);
 304         if (flag == PRIV_AWARE) {
 305                 if (val != 0)
 306                         priv_set_PA(cr);
 307                 else
 308                         priv_adjust_PA(cr);
 309         } else {
 310                 CR_FLAGS(cr) = newflags;
 311         }
 312
 313         /*
 314          * Unsetting the flag has as side effect getting rid of
 315          * the per-credential policy.
 316          */
 317         if (flag == PRIV_XPOLICY && val == 0)
 318                 crsetcrklpd(cr, NULL);
 319
 320         if (use_curcred) {
 321                 p->p_cred = cr;
 322                 mutex_exit(&p->p_crlock);
 323                 crset(p, cr);
 324         }
 325
 326         return (0);
 327 }
 328
 329 /*
 330  * Getpflags.  Currently only implements single bit flags.
 331  */
 332 uint_t
 333 getpflags(uint_t flag, const cred_t *cr)
 334 {
 335         if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
 336             flag != PRIV_XPOLICY && flag != PRIV_PFEXEC &&
 337             flag != PRIV_AWARE_RESET)
 338                 return ((uint_t)-1);
 339
 340         return ((CR_FLAGS(cr) & flag) != 0);
 341 }
 342
 343 /*
 344  * Privilege system call entry point
 345  */
 346 int
 347 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
 348     int itype)
 349 {
 350         int retv;
 351         extern int issetugid(void);
 352
 353         switch (code) {
 354         case PRIVSYS_SETPPRIV:
 355                 if (bufsize < sizeof (priv_set_t))
 356                         return (set_errno(ENOMEM));
 357                 return (setppriv(op, type, buf));
 358         case PRIVSYS_GETPPRIV:
 359                 if (bufsize < sizeof (priv_set_t))
 360                         return (set_errno(ENOMEM));
 361                 return (getppriv(type, buf));
 362         case PRIVSYS_GETIMPLINFO:
 363                 return (getprivimplinfo(buf, bufsize));
 364         case PRIVSYS_SETPFLAGS:
 365                 retv = setpflags((uint_t)op, (uint_t)type, NULL);
 366                 return (retv != 0 ? set_errno(retv) : 0);
 367         case PRIVSYS_GETPFLAGS:
 368                 retv = (int)getpflags((uint_t)op, CRED());
 369                 return (retv == -1 ? set_errno(EINVAL) : retv);
 370         case PRIVSYS_ISSETUGID:
 371                 return (issetugid());
 372         case PRIVSYS_KLPD_REG:
 373                 if (bufsize < sizeof (priv_set_t))
 374                         return (set_errno(ENOMEM));
 375                 return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
 376                     buf));
 377         case PRIVSYS_KLPD_UNREG:
 378                 return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
 379         case PRIVSYS_PFEXEC_REG:
 380                 return ((int)pfexec_reg((int)op));
 381         case PRIVSYS_PFEXEC_UNREG:
 382                 return ((int)pfexec_unreg((int)op));
 383         }
 384         return (set_errno(EINVAL));
 385 }
 386
 387 #ifdef _SYSCALL32_IMPL
 388 int
 389 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
 390     size32_t bufsize, int itype)
 391 {
 392         return (privsys(code, op, type, (void *)(uintptr_t)buf,
 393             (size_t)bufsize, itype));
 394 }
 395 #endif