search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kill tsol ("Trusted Solaris") aka TX ("Trusted Extensions")
[unleashed.git] / kernel / os / cred.c
blobbb97b30c732008f647c7002914f57250d3179448
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2013, Ira Cooper. All rights reserved.
23 */
24 /*
25 * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
26 */
27
28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
29 /* All Rights Reserved */
30
31 /*
32 * University Copyright- Copyright (c) 1982, 1986, 1988
33 * The Regents of the University of California
34 * All Rights Reserved
35 *
36 * University Acknowledgment- Portions of this document are derived from
37 * software developed by the University of California, Berkeley, and its
38 * contributors.
39 */
40
41 #include <sys/types.h>
42 #include <sys/sysmacros.h>
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/cred_impl.h>
46 #include <sys/policy.h>
47 #include <sys/vnode.h>
48 #include <sys/errno.h>
49 #include <sys/kmem.h>
50 #include <sys/user.h>
51 #include <sys/proc.h>
52 #include <sys/syscall.h>
53 #include <sys/debug.h>
54 #include <sys/atomic.h>
55 #include <sys/ucred.h>
56 #include <sys/prsystm.h>
57 #include <sys/modctl.h>
58 #include <sys/avl.h>
59 #include <sys/door.h>
60 #include <c2/audit.h>
61 #include <sys/zone.h>
62 #include <sys/sid.h>
63 #include <sys/idmap.h>
64 #include <sys/klpd.h>
65 #include <sys/varargs.h>
66 #include <sys/sysconf.h>
67 #include <util/qsort.h>
68
69
70 /* Ephemeral IDs Zones specific data */
71 typedef struct ephemeral_zsd {
72 uid_t min_uid;
73 uid_t last_uid;
74 gid_t min_gid;
75 gid_t last_gid;
76 kmutex_t eph_lock;
77 cred_t *eph_nobody;
78 } ephemeral_zsd_t;
79
80 static void crgrphold(credgrp_t *);
81
82 #define CREDGRPSZ(ngrp) (sizeof (credgrp_t) + ((ngrp - 1) * sizeof (gid_t)))
83
84 static kmutex_t ephemeral_zone_mutex;
85 static zone_key_t ephemeral_zone_key;
86
87 static struct kmem_cache *cred_cache;
88 static size_t crsize = 0;
89 static int audoff = 0;
90 uint32_t ucredsize;
91 cred_t *kcred;
92 static cred_t *dummycr;
93
94 int rstlink; /* link(2) restricted to files owned by user? */
95
96 static int get_c2audit_load(void);
97
98 #define CR_AUINFO(c) (auditinfo_addr_t *)((audoff == 0) ? NULL : \
99 ((char *)(c)) + audoff)
100
101 #define REMOTE_PEER_CRED(c) ((c)->cr_gid == -1)
102
103 #define BIN_GROUP_SEARCH_CUTOFF 16
104
105 static boolean_t hasephids = B_FALSE;
106
107 static ephemeral_zsd_t *
108 get_ephemeral_zsd(zone_t *zone)
109 {
110 ephemeral_zsd_t *eph_zsd;
111
112 eph_zsd = zone_getspecific(ephemeral_zone_key, zone);
113 if (eph_zsd != NULL) {
114 return (eph_zsd);
115 }
116
117 mutex_enter(&ephemeral_zone_mutex);
118 eph_zsd = zone_getspecific(ephemeral_zone_key, zone);
119 if (eph_zsd == NULL) {
120 eph_zsd = kmem_zalloc(sizeof (ephemeral_zsd_t), KM_SLEEP);
121 eph_zsd->min_uid = MAXUID;
122 eph_zsd->last_uid = IDMAP_WK__MAX_UID;
123 eph_zsd->min_gid = MAXUID;
124 eph_zsd->last_gid = IDMAP_WK__MAX_GID;
125 mutex_init(&eph_zsd->eph_lock, NULL, MUTEX_DEFAULT, NULL);
126
127 /*
128 * nobody is used to map SID containing CRs.
129 */
130 eph_zsd->eph_nobody = crdup(zone->zone_kcred);
131 (void) crsetugid(eph_zsd->eph_nobody, UID_NOBODY, GID_NOBODY);
132 CR_FLAGS(eph_zsd->eph_nobody) = 0;
133 eph_zsd->eph_nobody->cr_zone = zone;
134
135 (void) zone_setspecific(ephemeral_zone_key, zone, eph_zsd);
136 }
137 mutex_exit(&ephemeral_zone_mutex);
138 return (eph_zsd);
139 }
140
141 static cred_t *crdup_flags(const cred_t *, int);
142 static cred_t *cralloc_flags(int);
143
144 /*
145 * This function is called when a zone is destroyed
146 */
147 static void
148 /* ARGSUSED */
149 destroy_ephemeral_zsd(zoneid_t zone_id, void *arg)
150 {
151 ephemeral_zsd_t *eph_zsd = arg;
152 if (eph_zsd != NULL) {
153 mutex_destroy(&eph_zsd->eph_lock);
154 crfree(eph_zsd->eph_nobody);
155 kmem_free(eph_zsd, sizeof (ephemeral_zsd_t));
156 }
157 }
158
159
160
161 /*
162 * Initialize credentials data structures.
163 */
164
165 void
166 cred_init(void)
167 {
168 priv_init();
169
170 crsize = sizeof (cred_t);
171
172 if (get_c2audit_load() > 0) {
173 #ifdef _LP64
174 /* assure audit context is 64-bit aligned */
175 audoff = (crsize +
176 sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1);
177 #else /* _LP64 */
178 audoff = crsize;
179 #endif /* _LP64 */
180 crsize = audoff + sizeof (auditinfo_addr_t);
181 crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1);
182 }
183
184 cred_cache = kmem_cache_create("cred_cache", crsize, 0,
185 NULL, NULL, NULL, NULL, NULL, 0);
186
187 /*
188 * dummycr is used to copy initial state for creds.
189 */
190 dummycr = cralloc();
191 bzero(dummycr, crsize);
192 dummycr->cr_ref = 1;
193 dummycr->cr_uid = (uid_t)-1;
194 dummycr->cr_gid = (gid_t)-1;
195 dummycr->cr_ruid = (uid_t)-1;
196 dummycr->cr_rgid = (gid_t)-1;
197 dummycr->cr_suid = (uid_t)-1;
198 dummycr->cr_sgid = (gid_t)-1;
199
200
201 /*
202 * kcred is used by anything that needs all privileges; it's
203 * also the template used for crget as it has all the compatible
204 * sets filled in.
205 */
206 kcred = cralloc();
207
208 bzero(kcred, crsize);
209 kcred->cr_ref = 1;
210
211 /* kcred is never freed, so we don't need zone_cred_hold here */
212 kcred->cr_zone = &zone0;
213
214 priv_fillset(&CR_LPRIV(kcred));
215 CR_IPRIV(kcred) = *priv_basic;
216
217 priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);
218
219 /* Not a basic privilege, if chown is not restricted add it to I0 */
220 if (!rstchown)
221 priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
222
223 /* Basic privilege, if link is restricted remove it from I0 */
224 if (rstlink)
225 priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
226
227 CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
228
229 /*
230 * Set up credentials of p0.
231 */
232 ttoproc(curthread)->p_cred = kcred;
233 curthread->t_cred = kcred;
234
235 ucredsize = UCRED_SIZE;
236
237 mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL);
238 zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd);
239 }
240
241 /*
242 * Allocate (nearly) uninitialized cred_t.
243 */
244 static cred_t *
245 cralloc_flags(int flgs)
246 {
247 cred_t *cr = kmem_cache_alloc(cred_cache, flgs);
248
249 if (cr == NULL)
250 return (NULL);
251
252 cr->cr_ref = 1; /* So we can crfree() */
253 cr->cr_zone = NULL;
254 cr->cr_ksid = NULL;
255 cr->cr_klpd = NULL;
256 cr->cr_grps = NULL;
257 return (cr);
258 }
259
260 cred_t *
261 cralloc(void)
262 {
263 return (cralloc_flags(KM_SLEEP));
264 }
265
266 /*
267 * As cralloc but prepared for ksid change (if appropriate).
268 */
269 cred_t *
270 cralloc_ksid(void)
271 {
272 cred_t *cr = cralloc();
273 if (hasephids)
274 cr->cr_ksid = kcrsid_alloc();
275 return (cr);
276 }
277
278 /*
279 * Allocate a initialized cred structure and crhold() it.
280 * Initialized means: all ids 0, group count 0, L=Full, E=P=I=I0
281 */
282 cred_t *
283 crget(void)
284 {
285 cred_t *cr = kmem_cache_alloc(cred_cache, KM_SLEEP);
286
287 bcopy(kcred, cr, crsize);
288 cr->cr_ref = 1;
289 zone_cred_hold(cr->cr_zone);
290 ASSERT(cr->cr_klpd == NULL);
291 ASSERT(cr->cr_grps == NULL);
292 return (cr);
293 }
294
295 /*
296 * Broadcast the cred to all the threads in the process.
297 * The current thread's credentials can be set right away, but other
298 * threads must wait until the start of the next system call or trap.
299 * This avoids changing the cred in the middle of a system call.
300 *
301 * The cred has already been held for the process and the thread (2 holds),
302 * and p->p_cred set.
303 *
304 * p->p_crlock shouldn't be held here, since p_lock must be acquired.
305 */
306 void
307 crset(proc_t *p, cred_t *cr)
308 {
309 kthread_id_t t;
310 kthread_id_t first;
311 cred_t *oldcr;
312
313 ASSERT(p == curproc); /* assumes p_lwpcnt can't change */
314
315 /*
316 * DTrace accesses t_cred in probe context. t_cred must always be
317 * either NULL, or point to a valid, allocated cred structure.
318 */
319 t = curthread;
320 oldcr = t->t_cred;
321 t->t_cred = cr; /* the cred is held by caller for this thread */
322 crfree(oldcr); /* free the old cred for the thread */
323
324 /*
325 * Broadcast to other threads, if any.
326 */
327 if (p->p_lwpcnt > 1) {
328 mutex_enter(&p->p_lock); /* to keep thread list safe */
329 first = curthread;
330 for (t = first->t_forw; t != first; t = t->t_forw)
331 t->t_pre_sys = 1; /* so syscall will get new cred */
332 mutex_exit(&p->p_lock);
333 }
334 }
335
336 /*
337 * Put a hold on a cred structure.
338 */
339 void
340 crhold(cred_t *cr)
341 {
342 ASSERT(cr->cr_ref != 0xdeadbeef && cr->cr_ref != 0);
343 atomic_inc_32(&cr->cr_ref);
344 }
345
346 /*
347 * Release previous hold on a cred structure. Free it if refcnt == 0.
348 */
349 void
350 crfree(cred_t *cr)
351 {
352 ASSERT(cr->cr_ref != 0xdeadbeef && cr->cr_ref != 0);
353 if (atomic_dec_32_nv(&cr->cr_ref) == 0) {
354 ASSERT(cr != kcred);
355 if (cr->cr_klpd)
356 crklpd_rele(cr->cr_klpd);
357 if (cr->cr_zone)
358 zone_cred_rele(cr->cr_zone);
359 if (cr->cr_ksid)
360 kcrsid_rele(cr->cr_ksid);
361 if (cr->cr_grps)
362 crgrprele(cr->cr_grps);
363
364 kmem_cache_free(cred_cache, cr);
365 }
366 }
367
368 /*
369 * Copy a cred structure to a new one and free the old one.
370 * The new cred will have two references. One for the calling process,
371 * and one for the thread.
372 */
373 cred_t *
374 crcopy(cred_t *cr)
375 {
376 cred_t *newcr;
377
378 newcr = cralloc();
379 bcopy(cr, newcr, crsize);
380 if (newcr->cr_zone)
381 zone_cred_hold(newcr->cr_zone);
382 if (newcr->cr_ksid)
383 kcrsid_hold(newcr->cr_ksid);
384 if (newcr->cr_klpd)
385 crklpd_hold(newcr->cr_klpd);
386 if (newcr->cr_grps)
387 crgrphold(newcr->cr_grps);
388 crfree(cr);
389 newcr->cr_ref = 2; /* caller gets two references */
390 return (newcr);
391 }
392
393 /*
394 * Copy a cred structure to a new one and free the old one.
395 * The new cred will have two references. One for the calling process,
396 * and one for the thread.
397 * This variation on crcopy uses a pre-allocated structure for the
398 * "new" cred.
399 */
400 void
401 crcopy_to(cred_t *oldcr, cred_t *newcr)
402 {
403 credsid_t *nkcr = newcr->cr_ksid;
404
405 bcopy(oldcr, newcr, crsize);
406 if (newcr->cr_zone)
407 zone_cred_hold(newcr->cr_zone);
408 if (newcr->cr_klpd)
409 crklpd_hold(newcr->cr_klpd);
410 if (newcr->cr_grps)
411 crgrphold(newcr->cr_grps);
412 if (nkcr) {
413 newcr->cr_ksid = nkcr;
414 kcrsidcopy_to(oldcr->cr_ksid, newcr->cr_ksid);
415 } else if (newcr->cr_ksid)
416 kcrsid_hold(newcr->cr_ksid);
417 crfree(oldcr);
418 newcr->cr_ref = 2; /* caller gets two references */
419 }
420
421 /*
422 * Dup a cred struct to a new held one.
423 * The old cred is not freed.
424 */
425 static cred_t *
426 crdup_flags(const cred_t *cr, int flgs)
427 {
428 cred_t *newcr;
429
430 newcr = cralloc_flags(flgs);
431
432 if (newcr == NULL)
433 return (NULL);
434
435 bcopy(cr, newcr, crsize);
436 if (newcr->cr_zone)
437 zone_cred_hold(newcr->cr_zone);
438 if (newcr->cr_klpd)
439 crklpd_hold(newcr->cr_klpd);
440 if (newcr->cr_ksid)
441 kcrsid_hold(newcr->cr_ksid);
442 if (newcr->cr_grps)
443 crgrphold(newcr->cr_grps);
444 newcr->cr_ref = 1;
445 return (newcr);
446 }
447
448 cred_t *
449 crdup(cred_t *cr)
450 {
451 return (crdup_flags(cr, KM_SLEEP));
452 }
453
454 /*
455 * Dup a cred struct to a new held one.
456 * The old cred is not freed.
457 * This variation on crdup uses a pre-allocated structure for the
458 * "new" cred.
459 */
460 void
461 crdup_to(cred_t *oldcr, cred_t *newcr)
462 {
463 credsid_t *nkcr = newcr->cr_ksid;
464
465 bcopy(oldcr, newcr, crsize);
466 if (newcr->cr_zone)
467 zone_cred_hold(newcr->cr_zone);
468 if (newcr->cr_klpd)
469 crklpd_hold(newcr->cr_klpd);
470 if (newcr->cr_grps)
471 crgrphold(newcr->cr_grps);
472 if (nkcr) {
473 newcr->cr_ksid = nkcr;
474 kcrsidcopy_to(oldcr->cr_ksid, newcr->cr_ksid);
475 } else if (newcr->cr_ksid)
476 kcrsid_hold(newcr->cr_ksid);
477 newcr->cr_ref = 1;
478 }
479
480 /*
481 * Return the (held) credentials for the current running process.
482 */
483 cred_t *
484 crgetcred(void)
485 {
486 cred_t *cr;
487 proc_t *p;
488
489 p = ttoproc(curthread);
490 mutex_enter(&p->p_crlock);
491 crhold(cr = p->p_cred);
492 mutex_exit(&p->p_crlock);
493 return (cr);
494 }
495
496 /*
497 * Backward compatibility check for suser().
498 * Accounting flag is now set in the policy functions; auditing is
499 * done through use of privilege in the audit trail.
500 */
501 int
502 suser(cred_t *cr)
503 {
504 return (PRIV_POLICY(cr, PRIV_SYS_SUSER_COMPAT, B_FALSE, EPERM, NULL)
505 == 0);
506 }
507
508 /*
509 * Determine whether the supplied group id is a member of the group
510 * described by the supplied credentials.
511 */
512 int
513 groupmember(gid_t gid, const cred_t *cr)
514 {
515 if (gid == cr->cr_gid)
516 return (1);
517 return (supgroupmember(gid, cr));
518 }
519
520 /*
521 * As groupmember but only check against the supplemental groups.
522 */
523 int
524 supgroupmember(gid_t gid, const cred_t *cr)
525 {
526 int hi, lo;
527 credgrp_t *grps = cr->cr_grps;
528 const gid_t *gp, *endgp;
529
530 if (grps == NULL)
531 return (0);
532
533 /* For a small number of groups, use sequentials search. */
534 if (grps->crg_ngroups <= BIN_GROUP_SEARCH_CUTOFF) {
535 endgp = &grps->crg_groups[grps->crg_ngroups];
536 for (gp = grps->crg_groups; gp < endgp; gp++)
537 if (*gp == gid)
538 return (1);
539 return (0);
540 }
541
542 /* We use binary search when we have many groups. */
543 lo = 0;
544 hi = grps->crg_ngroups - 1;
545 gp = grps->crg_groups;
546
547 do {
548 int m = (lo + hi) / 2;
549
550 if (gid > gp[m])
551 lo = m + 1;
552 else if (gid < gp[m])
553 hi = m - 1;
554 else
555 return (1);
556 } while (lo <= hi);
557
558 return (0);
559 }
560
561 /*
562 * This function is called to check whether the credentials set
563 * "scrp" has permission to act on credentials set "tcrp". It enforces the
564 * permission requirements needed to send a signal to a process.
565 * The same requirements are imposed by other system calls, however.
566 *
567 * The rules are:
568 * (1) if the credentials are the same, the check succeeds
569 * (2) if the zone ids don't match, and scrp is not in the global zone or
570 * does not have the PRIV_PROC_ZONE privilege, the check fails
571 * (3) if the real or effective user id of scrp matches the real or saved
572 * user id of tcrp or scrp has the PRIV_PROC_OWNER privilege, the check
573 * succeeds
574 * (4) otherwise, the check fails
575 */
576 int
577 hasprocperm(const cred_t *tcrp, const cred_t *scrp)
578 {
579 if (scrp == tcrp)
580 return (1);
581 if (scrp->cr_zone != tcrp->cr_zone &&
582 (scrp->cr_zone != global_zone ||
583 secpolicy_proc_zone(scrp) != 0))
584 return (0);
585 if (scrp->cr_uid == tcrp->cr_ruid ||
586 scrp->cr_ruid == tcrp->cr_ruid ||
587 scrp->cr_uid == tcrp->cr_suid ||
588 scrp->cr_ruid == tcrp->cr_suid ||
589 !PRIV_POLICY(scrp, PRIV_PROC_OWNER, B_FALSE, EPERM, "hasprocperm"))
590 return (1);
591 return (0);
592 }
593
594 /*
595 * This interface replaces hasprocperm; it works like hasprocperm but
596 * additionally returns success if the proc_t's match
597 * It is the preferred interface for most uses.
598 * And it will acquire p_crlock itself, so it assert's that it shouldn't
599 * be held.
600 */
601 int
602 prochasprocperm(proc_t *tp, proc_t *sp, const cred_t *scrp)
603 {
604 int rets;
605 cred_t *tcrp;
606
607 ASSERT(MUTEX_NOT_HELD(&tp->p_crlock));
608
609 if (tp == sp)
610 return (1);
611
612 if (tp->p_sessp != sp->p_sessp && secpolicy_basic_proc(scrp) != 0)
613 return (0);
614
615 mutex_enter(&tp->p_crlock);
616 crhold(tcrp = tp->p_cred);
617 mutex_exit(&tp->p_crlock);
618 rets = hasprocperm(tcrp, scrp);
619 crfree(tcrp);
620
621 return (rets);
622 }
623
624 /*
625 * This routine is used to compare two credentials to determine if
626 * they refer to the same "user". If the pointers are equal, then
627 * they must refer to the same user. Otherwise, the contents of
628 * the credentials are compared to see whether they are equivalent.
629 *
630 * This routine returns 0 if the credentials refer to the same user,
631 * 1 if they do not.
632 */
633 int
634 crcmp(const cred_t *cr1, const cred_t *cr2)
635 {
636 credgrp_t *grp1, *grp2;
637
638 if (cr1 == cr2)
639 return (0);
640
641 if (cr1->cr_uid == cr2->cr_uid &&
642 cr1->cr_gid == cr2->cr_gid &&
643 cr1->cr_ruid == cr2->cr_ruid &&
644 cr1->cr_rgid == cr2->cr_rgid &&
645 cr1->cr_zone == cr2->cr_zone &&
646 ((grp1 = cr1->cr_grps) == (grp2 = cr2->cr_grps) ||
647 (grp1 != NULL && grp2 != NULL &&
648 grp1->crg_ngroups == grp2->crg_ngroups &&
649 bcmp(grp1->crg_groups, grp2->crg_groups,
650 grp1->crg_ngroups * sizeof (gid_t)) == 0))) {
651 return (!priv_isequalset(&CR_OEPRIV(cr1), &CR_OEPRIV(cr2)));
652 }
653 return (1);
654 }
655
656 /*
657 * Read access functions to cred_t.
658 */
659 uid_t
660 crgetuid(const cred_t *cr)
661 {
662 return (cr->cr_uid);
663 }
664
665 uid_t
666 crgetruid(const cred_t *cr)
667 {
668 return (cr->cr_ruid);
669 }
670
671 uid_t
672 crgetsuid(const cred_t *cr)
673 {
674 return (cr->cr_suid);
675 }
676
677 gid_t
678 crgetgid(const cred_t *cr)
679 {
680 return (cr->cr_gid);
681 }
682
683 gid_t
684 crgetrgid(const cred_t *cr)
685 {
686 return (cr->cr_rgid);
687 }
688
689 gid_t
690 crgetsgid(const cred_t *cr)
691 {
692 return (cr->cr_sgid);
693 }
694
695 const auditinfo_addr_t *
696 crgetauinfo(const cred_t *cr)
697 {
698 return ((const auditinfo_addr_t *)CR_AUINFO(cr));
699 }
700
701 auditinfo_addr_t *
702 crgetauinfo_modifiable(cred_t *cr)
703 {
704 return (CR_AUINFO(cr));
705 }
706
707 zoneid_t
708 crgetzoneid(const cred_t *cr)
709 {
710 return (cr->cr_zone == NULL ?
711 (cr->cr_uid == -1 ? (zoneid_t)-1 : GLOBAL_ZONEID) :
712 cr->cr_zone->zone_id);
713 }
714
715 projid_t
716 crgetprojid(const cred_t *cr)
717 {
718 return (cr->cr_projid);
719 }
720
721 zone_t *
722 crgetzone(const cred_t *cr)
723 {
724 return (cr->cr_zone);
725 }
726
727 boolean_t
728 crisremote(const cred_t *cr)
729 {
730 return (REMOTE_PEER_CRED(cr));
731 }
732
733 #define BADUID(x, zn) ((x) != -1 && !VALID_UID((x), (zn)))
734 #define BADGID(x, zn) ((x) != -1 && !VALID_GID((x), (zn)))
735
736 int
737 crsetresuid(cred_t *cr, uid_t r, uid_t e, uid_t s)
738 {
739 zone_t *zone = crgetzone(cr);
740
741 ASSERT(cr->cr_ref <= 2);
742
743 if (BADUID(r, zone) || BADUID(e, zone) || BADUID(s, zone))
744 return (-1);
745
746 if (r != -1)
747 cr->cr_ruid = r;
748 if (e != -1)
749 cr->cr_uid = e;
750 if (s != -1)
751 cr->cr_suid = s;
752
753 return (0);
754 }
755
756 int
757 crsetresgid(cred_t *cr, gid_t r, gid_t e, gid_t s)
758 {
759 zone_t *zone = crgetzone(cr);
760
761 ASSERT(cr->cr_ref <= 2);
762
763 if (BADGID(r, zone) || BADGID(e, zone) || BADGID(s, zone))
764 return (-1);
765
766 if (r != -1)
767 cr->cr_rgid = r;
768 if (e != -1)
769 cr->cr_gid = e;
770 if (s != -1)
771 cr->cr_sgid = s;
772
773 return (0);
774 }
775
776 int
777 crsetugid(cred_t *cr, uid_t uid, gid_t gid)
778 {
779 zone_t *zone = crgetzone(cr);
780
781 ASSERT(cr->cr_ref <= 2);
782
783 if (!VALID_UID(uid, zone) || !VALID_GID(gid, zone))
784 return (-1);
785
786 cr->cr_uid = cr->cr_ruid = cr->cr_suid = uid;
787 cr->cr_gid = cr->cr_rgid = cr->cr_sgid = gid;
788
789 return (0);
790 }
791
792 static int
793 gidcmp(const void *v1, const void *v2)
794 {
795 gid_t g1 = *(gid_t *)v1;
796 gid_t g2 = *(gid_t *)v2;
797
798 if (g1 < g2)
799 return (-1);
800 else if (g1 > g2)
801 return (1);
802 else
803 return (0);
804 }
805
806 int
807 crsetgroups(cred_t *cr, int n, gid_t *grp)
808 {
809 ASSERT(cr->cr_ref <= 2);
810
811 if (n > ngroups_max || n < 0)
812 return (-1);
813
814 if (cr->cr_grps != NULL)
815 crgrprele(cr->cr_grps);
816
817 if (n > 0) {
818 cr->cr_grps = kmem_alloc(CREDGRPSZ(n), KM_SLEEP);
819 bcopy(grp, cr->cr_grps->crg_groups, n * sizeof (gid_t));
820 cr->cr_grps->crg_ref = 1;
821 cr->cr_grps->crg_ngroups = n;
822 qsort(cr->cr_grps->crg_groups, n, sizeof (gid_t), gidcmp);
823 } else {
824 cr->cr_grps = NULL;
825 }
826
827 return (0);
828 }
829
830 void
831 crsetprojid(cred_t *cr, projid_t projid)
832 {
833 ASSERT(projid >= 0 && projid <= MAXPROJID);
834 cr->cr_projid = projid;
835 }
836
837 /*
838 * This routine returns the pointer to the first element of the crg_groups
839 * array. It can move around in an implementation defined way.
840 * Note that when we have no grouplist, we return one element but the
841 * caller should never reference it.
842 */
843 const gid_t *
844 crgetgroups(const cred_t *cr)
845 {
846 return (cr->cr_grps == NULL ? &cr->cr_gid : cr->cr_grps->crg_groups);
847 }
848
849 int
850 crgetngroups(const cred_t *cr)
851 {
852 return (cr->cr_grps == NULL ? 0 : cr->cr_grps->crg_ngroups);
853 }
854
855 void
856 cred2prcred(const cred_t *cr, prcred_t *pcrp)
857 {
858 pcrp->pr_euid = cr->cr_uid;
859 pcrp->pr_ruid = cr->cr_ruid;
860 pcrp->pr_suid = cr->cr_suid;
861 pcrp->pr_egid = cr->cr_gid;
862 pcrp->pr_rgid = cr->cr_rgid;
863 pcrp->pr_sgid = cr->cr_sgid;
864 pcrp->pr_groups[0] = 0; /* in case ngroups == 0 */
865 pcrp->pr_ngroups = cr->cr_grps == NULL ? 0 : cr->cr_grps->crg_ngroups;
866
867 if (pcrp->pr_ngroups != 0)
868 bcopy(cr->cr_grps->crg_groups, pcrp->pr_groups,
869 sizeof (gid_t) * pcrp->pr_ngroups);
870 }
871
872 static int
873 cred2ucaud(const cred_t *cr, auditinfo64_addr_t *ainfo, const cred_t *rcr)
874 {
875 auditinfo_addr_t *ai;
876 au_tid_addr_t tid;
877
878 if (secpolicy_audit_getattr(rcr, B_TRUE) != 0)
879 return (-1);
880
881 ai = CR_AUINFO(cr); /* caller makes sure this is non-NULL */
882 tid = ai->ai_termid;
883
884 ainfo->ai_auid = ai->ai_auid;
885 ainfo->ai_mask = ai->ai_mask;
886 ainfo->ai_asid = ai->ai_asid;
887
888 ainfo->ai_termid.at_type = tid.at_type;
889 bcopy(&tid.at_addr, &ainfo->ai_termid.at_addr, 4 * sizeof (uint_t));
890
891 ainfo->ai_termid.at_port.at_major = (uint32_t)getmajor(tid.at_port);
892 ainfo->ai_termid.at_port.at_minor = (uint32_t)getminor(tid.at_port);
893
894 return (0);
895 }
896
897 /*
898 * Convert a credential into a "ucred". Allow the caller to specify
899 * and aligned buffer, e.g., in an mblk, so we don't have to allocate
900 * memory and copy it twice.
901 *
902 * This function may call cred2ucaud(), which calls CRED(). Since this
903 * can be called from an interrupt thread, receiver's cred (rcr) is needed
904 * to determine whether audit info should be included.
905 */
906 struct ucred_s *
907 cred2ucred(const cred_t *cr, pid_t pid, void *buf, const cred_t *rcr)
908 {
909 struct ucred_s *uc;
910 uint32_t realsz = ucredminsize(cr);
911
912 /* The structure isn't always completely filled in, so zero it */
913 if (buf == NULL) {
914 uc = kmem_zalloc(realsz, KM_SLEEP);
915 } else {
916 bzero(buf, realsz);
917 uc = buf;
918 }
919 uc->uc_size = realsz;
920 uc->uc_pid = pid;
921 uc->uc_projid = cr->cr_projid;
922 uc->uc_zoneid = crgetzoneid(cr);
923
924 if (!REMOTE_PEER_CRED(cr)) {
925 uc->uc_credoff = UCRED_CRED_OFF;
926 uc->uc_privoff = UCRED_PRIV_OFF;
927 uc->uc_audoff = UCRED_AUD_OFF;
928
929 cred2prcred(cr, UCCRED(uc));
930 cred2prpriv(cr, UCPRIV(uc));
931
932 if (audoff == 0 || cred2ucaud(cr, UCAUD(uc), rcr) != 0)
933 uc->uc_audoff = 0;
934 }
935
936 return (uc);
937 }
938
939 /*
940 * Don't allocate the non-needed group entries. Note: this function
941 * must match the code in cred2ucred; they must agree about the
942 * minimal size of the ucred.
943 */
944 uint32_t
945 ucredminsize(const cred_t *cr)
946 {
947 int ndiff;
948
949 if (cr == NULL)
950 return (ucredsize);
951
952 if (REMOTE_PEER_CRED(cr)) {
953 return (sizeof (struct ucred_s));
954 }
955
956 if (cr->cr_grps == NULL)
957 ndiff = ngroups_max - 1; /* Needs one for prcred_t */
958 else
959 ndiff = ngroups_max - cr->cr_grps->crg_ngroups;
960
961 return (ucredsize - ndiff * sizeof (gid_t));
962 }
963
964 /*
965 * Get the "ucred" of a process.
966 */
967 struct ucred_s *
968 pgetucred(proc_t *p)
969 {
970 cred_t *cr;
971 struct ucred_s *uc;
972
973 mutex_enter(&p->p_crlock);
974 cr = p->p_cred;
975 crhold(cr);
976 mutex_exit(&p->p_crlock);
977
978 uc = cred2ucred(cr, p->p_pid, NULL, CRED());
979 crfree(cr);
980
981 return (uc);
982 }
983
984 /*
985 * If the reply status is NFSERR_EACCES, it may be because we are
986 * root (no root net access). Check the real uid, if it isn't root
987 * make that the uid instead and retry the call.
988 * Private interface for NFS.
989 */
990 cred_t *
991 crnetadjust(cred_t *cr)
992 {
993 if (cr->cr_uid == 0 && cr->cr_ruid != 0) {
994 cr = crdup(cr);
995 cr->cr_uid = cr->cr_ruid;
996 return (cr);
997 }
998 return (NULL);
999 }
1000
1001 /*
1002 * The reference count is of interest when you want to check
1003 * whether it is ok to modify the credential in place.
1004 */
1005 uint_t
1006 crgetref(const cred_t *cr)
1007 {
1008 return (cr->cr_ref);
1009 }
1010
1011 static int
1012 get_c2audit_load(void)
1013 {
1014 static int gotit = 0;
1015 static int c2audit_load;
1016
1017 if (gotit)
1018 return (c2audit_load);
1019 c2audit_load = 1; /* set default value once */
1020 if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0)
1021 c2audit_load = 0;
1022 gotit++;
1023
1024 return (c2audit_load);
1025 }
1026
1027 int
1028 get_audit_ucrsize(void)
1029 {
1030 return (get_c2audit_load() ? sizeof (auditinfo64_addr_t) : 0);
1031 }
1032
1033 /*
1034 * Set zone pointer in credential to indicated value. First adds a
1035 * hold for the new zone, then drops the hold on previous zone (if any).
1036 * This is done in this order in case the old and new zones are the
1037 * same.
1038 */
1039 void
1040 crsetzone(cred_t *cr, zone_t *zptr)
1041 {
1042 zone_t *oldzptr = cr->cr_zone;
1043
1044 ASSERT(cr != kcred);
1045 ASSERT(cr->cr_ref <= 2);
1046 cr->cr_zone = zptr;
1047 zone_cred_hold(zptr);
1048 if (oldzptr)
1049 zone_cred_rele(oldzptr);
1050 }
1051
1052 /*
1053 * This function returns a pointer to the kcred-equivalent in the current zone.
1054 */
1055 cred_t *
1056 zone_kcred(void)
1057 {
1058 zone_t *zone;
1059
1060 if ((zone = CRED()->cr_zone) != NULL)
1061 return (zone->zone_kcred);
1062 else
1063 return (kcred);
1064 }
1065
1066 boolean_t
1067 valid_ephemeral_uid(zone_t *zone, uid_t id)
1068 {
1069 ephemeral_zsd_t *eph_zsd;
1070 if (id <= IDMAP_WK__MAX_UID)
1071 return (B_TRUE);
1072
1073 eph_zsd = get_ephemeral_zsd(zone);
1074 ASSERT(eph_zsd != NULL);
1075 membar_consumer();
1076 return (id > eph_zsd->min_uid && id <= eph_zsd->last_uid);
1077 }
1078
1079 boolean_t
1080 valid_ephemeral_gid(zone_t *zone, gid_t id)
1081 {
1082 ephemeral_zsd_t *eph_zsd;
1083 if (id <= IDMAP_WK__MAX_GID)
1084 return (B_TRUE);
1085
1086 eph_zsd = get_ephemeral_zsd(zone);
1087 ASSERT(eph_zsd != NULL);
1088 membar_consumer();
1089 return (id > eph_zsd->min_gid && id <= eph_zsd->last_gid);
1090 }
1091
1092 int
1093 eph_uid_alloc(zone_t *zone, int flags, uid_t *start, int count)
1094 {
1095 ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
1096
1097 ASSERT(eph_zsd != NULL);
1098
1099 mutex_enter(&eph_zsd->eph_lock);
1100
1101 /* Test for unsigned integer wrap around */
1102 if (eph_zsd->last_uid + count < eph_zsd->last_uid) {
1103 mutex_exit(&eph_zsd->eph_lock);
1104 return (-1);
1105 }
1106
1107 /* first call or idmap crashed and state corrupted */
1108 if (flags != 0)
1109 eph_zsd->min_uid = eph_zsd->last_uid;
1110
1111 hasephids = B_TRUE;
1112 *start = eph_zsd->last_uid + 1;
1113 atomic_add_32(&eph_zsd->last_uid, count);
1114 mutex_exit(&eph_zsd->eph_lock);
1115 return (0);
1116 }
1117
1118 int
1119 eph_gid_alloc(zone_t *zone, int flags, gid_t *start, int count)
1120 {
1121 ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
1122
1123 ASSERT(eph_zsd != NULL);
1124
1125 mutex_enter(&eph_zsd->eph_lock);
1126
1127 /* Test for unsigned integer wrap around */
1128 if (eph_zsd->last_gid + count < eph_zsd->last_gid) {
1129 mutex_exit(&eph_zsd->eph_lock);
1130 return (-1);
1131 }
1132
1133 /* first call or idmap crashed and state corrupted */
1134 if (flags != 0)
1135 eph_zsd->min_gid = eph_zsd->last_gid;
1136
1137 hasephids = B_TRUE;
1138 *start = eph_zsd->last_gid + 1;
1139 atomic_add_32(&eph_zsd->last_gid, count);
1140 mutex_exit(&eph_zsd->eph_lock);
1141 return (0);
1142 }
1143
1144 /*
1145 * IMPORTANT.The two functions get_ephemeral_data() and set_ephemeral_data()
1146 * are project private functions that are for use of the test system only and
1147 * are not to be used for other purposes.
1148 */
1149
1150 void
1151 get_ephemeral_data(zone_t *zone, uid_t *min_uid, uid_t *last_uid,
1152 gid_t *min_gid, gid_t *last_gid)
1153 {
1154 ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
1155
1156 ASSERT(eph_zsd != NULL);
1157
1158 mutex_enter(&eph_zsd->eph_lock);
1159
1160 *min_uid = eph_zsd->min_uid;
1161 *last_uid = eph_zsd->last_uid;
1162 *min_gid = eph_zsd->min_gid;
1163 *last_gid = eph_zsd->last_gid;
1164
1165 mutex_exit(&eph_zsd->eph_lock);
1166 }
1167
1168
1169 void
1170 set_ephemeral_data(zone_t *zone, uid_t min_uid, uid_t last_uid,
1171 gid_t min_gid, gid_t last_gid)
1172 {
1173 ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
1174
1175 ASSERT(eph_zsd != NULL);
1176
1177 mutex_enter(&eph_zsd->eph_lock);
1178
1179 if (min_uid != 0)
1180 eph_zsd->min_uid = min_uid;
1181 if (last_uid != 0)
1182 eph_zsd->last_uid = last_uid;
1183 if (min_gid != 0)
1184 eph_zsd->min_gid = min_gid;
1185 if (last_gid != 0)
1186 eph_zsd->last_gid = last_gid;
1187
1188 mutex_exit(&eph_zsd->eph_lock);
1189 }
1190
1191 /*
1192 * If the credential user SID or group SID is mapped to an ephemeral
1193 * ID, map the credential to nobody.
1194 */
1195 cred_t *
1196 crgetmapped(const cred_t *cr)
1197 {
1198 ephemeral_zsd_t *eph_zsd;
1199 /*
1200 * Someone incorrectly passed a NULL cred to a vnode operation
1201 * either on purpose or by calling CRED() in interrupt context.
1202 */
1203 if (cr == NULL)
1204 return (NULL);
1205
1206 if (cr->cr_ksid != NULL) {
1207 if (cr->cr_ksid->kr_sidx[KSID_USER].ks_id > MAXUID) {
1208 eph_zsd = get_ephemeral_zsd(crgetzone(cr));
1209 return (eph_zsd->eph_nobody);
1210 }
1211
1212 if (cr->cr_ksid->kr_sidx[KSID_GROUP].ks_id > MAXUID) {
1213 eph_zsd = get_ephemeral_zsd(crgetzone(cr));
1214 return (eph_zsd->eph_nobody);
1215 }
1216 }
1217
1218 return ((cred_t *)cr);
1219 }
1220
1221 /* index should be in range for a ksidindex_t */
1222 void
1223 crsetsid(cred_t *cr, ksid_t *ksp, int index)
1224 {
1225 ASSERT(cr->cr_ref <= 2);
1226 ASSERT(index >= 0 && index < KSID_COUNT);
1227 if (cr->cr_ksid == NULL && ksp == NULL)
1228 return;
1229 cr->cr_ksid = kcrsid_setsid(cr->cr_ksid, ksp, index);
1230 }
1231
1232 void
1233 crsetsidlist(cred_t *cr, ksidlist_t *ksl)
1234 {
1235 ASSERT(cr->cr_ref <= 2);
1236 if (cr->cr_ksid == NULL && ksl == NULL)
1237 return;
1238 cr->cr_ksid = kcrsid_setsidlist(cr->cr_ksid, ksl);
1239 }
1240
1241 ksid_t *
1242 crgetsid(const cred_t *cr, int i)
1243 {
1244 ASSERT(i >= 0 && i < KSID_COUNT);
1245 if (cr->cr_ksid != NULL && cr->cr_ksid->kr_sidx[i].ks_domain)
1246 return ((ksid_t *)&cr->cr_ksid->kr_sidx[i]);
1247 return (NULL);
1248 }
1249
1250 ksidlist_t *
1251 crgetsidlist(const cred_t *cr)
1252 {
1253 if (cr->cr_ksid != NULL)
1254 return (cr->cr_ksid->kr_sidlist);
1255 return (NULL);
1256 }
1257
1258 /*
1259 * Interface to set the effective and permitted privileges for
1260 * a credential; this interface does no security checks and is
1261 * intended for kernel (file)servers creating credentials with
1262 * specific privileges.
1263 */
1264 int
1265 crsetpriv(cred_t *cr, ...)
1266 {
1267 va_list ap;
1268 const char *privnm;
1269
1270 ASSERT(cr->cr_ref <= 2);
1271
1272 priv_set_PA(cr);
1273
1274 va_start(ap, cr);
1275
1276 while ((privnm = va_arg(ap, const char *)) != NULL) {
1277 int priv = priv_getbyname(privnm, 0);
1278 if (priv < 0)
1279 return (-1);
1280
1281 priv_addset(&CR_PPRIV(cr), priv);
1282 priv_addset(&CR_EPRIV(cr), priv);
1283 }
1284 priv_adjust_PA(cr);
1285 va_end(ap);
1286 return (0);
1287 }
1288
1289 /*
1290 * Interface to effectively set the PRIV_ALL for
1291 * a credential; this interface does no security checks and is
1292 * intended for kernel (file)servers to extend the user credentials
1293 * to be ALL, like either kcred or zcred.
1294 */
1295 void
1296 crset_zone_privall(cred_t *cr)
1297 {
1298 zone_t *zone = crgetzone(cr);
1299
1300 priv_fillset(&CR_LPRIV(cr));
1301 CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr);
1302 priv_intersect(zone->zone_privset, &CR_LPRIV(cr));
1303 priv_intersect(zone->zone_privset, &CR_EPRIV(cr));
1304 priv_intersect(zone->zone_privset, &CR_IPRIV(cr));
1305 priv_intersect(zone->zone_privset, &CR_PPRIV(cr));
1306 }
1307
1308 struct credklpd *
1309 crgetcrklpd(const cred_t *cr)
1310 {
1311 return (cr->cr_klpd);
1312 }
1313
1314 void
1315 crsetcrklpd(cred_t *cr, struct credklpd *crklpd)
1316 {
1317 ASSERT(cr->cr_ref <= 2);
1318
1319 if (cr->cr_klpd != NULL)
1320 crklpd_rele(cr->cr_klpd);
1321 cr->cr_klpd = crklpd;
1322 }
1323
1324 credgrp_t *
1325 crgrpcopyin(int n, gid_t *gidset)
1326 {
1327 credgrp_t *mem;
1328 size_t sz = CREDGRPSZ(n);
1329
1330 ASSERT(n > 0);
1331
1332 mem = kmem_alloc(sz, KM_SLEEP);
1333
1334 if (copyin(gidset, mem->crg_groups, sizeof (gid_t) * n)) {
1335 kmem_free(mem, sz);
1336 return (NULL);
1337 }
1338 mem->crg_ref = 1;
1339 mem->crg_ngroups = n;
1340 qsort(mem->crg_groups, n, sizeof (gid_t), gidcmp);
1341 return (mem);
1342 }
1343
1344 const gid_t *
1345 crgetggroups(const credgrp_t *grps)
1346 {
1347 return (grps->crg_groups);
1348 }
1349
1350 void
1351 crsetcredgrp(cred_t *cr, credgrp_t *grps)
1352 {
1353 ASSERT(cr->cr_ref <= 2);
1354
1355 if (cr->cr_grps != NULL)
1356 crgrprele(cr->cr_grps);
1357
1358 cr->cr_grps = grps;
1359 }
1360
1361 void
1362 crgrprele(credgrp_t *grps)
1363 {
1364 if (atomic_dec_32_nv(&grps->crg_ref) == 0)
1365 kmem_free(grps, CREDGRPSZ(grps->crg_ngroups));
1366 }
1367
1368 static void
1369 crgrphold(credgrp_t *grps)
1370 {
1371 atomic_inc_32(&grps->crg_ref);
1372 }
Unleashed OS