kernel/syscall/psecflags.c

   1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11
  12 /* Copyright 2015, Richard Lowe. */
  13
  14 #include <sys/ddi.h>
  15 #include <sys/errno.h>
  16 #include <sys/policy.h>
  17 #include <sys/proc.h>
  18 #include <sys/procset.h>
  19 #include <sys/systm.h>
  20 #include <sys/types.h>
  21
  22 struct psdargs {
  23         psecflagwhich_t which;
  24         const secflagdelta_t *delta;
  25 };
  26
  27 void
  28 secflags_apply_delta(secflagset_t *set, const secflagdelta_t *delta)
  29 {
  30         if (delta->psd_ass_active) {
  31                 secflags_copy(set, &delta->psd_assign);
  32         } else {
  33                 if (!secflags_isempty(delta->psd_add)) {
  34                         secflags_union(set, &delta->psd_add);
  35                 }
  36                 if (!secflags_isempty(delta->psd_rem)) {
  37                         secflags_difference(set, &delta->psd_rem);
  38                 }
  39         }
  40 }
  41
  42
  43 static int
  44 psecdo(proc_t *p, struct psdargs *args)
  45 {
  46         secflagset_t *set;
  47         int ret = 0;
  48
  49         mutex_enter(&p->p_lock);
  50
  51         if (secpolicy_psecflags(CRED(), p, curproc) != 0) {
  52                 ret = EPERM;
  53                 goto out;
  54         }
  55
  56         ASSERT(args->which != PSF_EFFECTIVE);
  57
  58         if (!psecflags_validate_delta(&p->p_secflags, args->delta)) {
  59                 ret = EINVAL;
  60                 goto out;
  61         }
  62
  63         switch (args->which) {
  64         case PSF_INHERIT:
  65                 set = &p->p_secflags.psf_inherit;
  66                 break;
  67         case PSF_LOWER:
  68                 set = &p->p_secflags.psf_lower;
  69                 break;
  70         case PSF_UPPER:
  71                 set = &p->p_secflags.psf_upper;
  72                 break;
  73         }
  74
  75         secflags_apply_delta(set, args->delta);
  76
  77         /*
  78          * Add any flag now in the lower that is not in the inheritable.
  79          */
  80         secflags_union(&p->p_secflags.psf_inherit, &p->p_secflags.psf_lower);
  81
  82 out:
  83         mutex_exit(&p->p_lock);
  84         return (ret);
  85 }
  86
  87 int
  88 psecflags(procset_t *psp, psecflagwhich_t which, secflagdelta_t *ap)
  89 {
  90         procset_t procset;
  91         secflagdelta_t args;
  92         int rv = 0;
  93         struct psdargs psd = {
  94                 .which = which,
  95         };
  96
  97         /* Can never change the effective flags */
  98         if (psd.which == PSF_EFFECTIVE)
  99                 return (EINVAL);
 100
 101         if (copyin(psp, &procset, sizeof (procset)) != 0)
 102                 return (set_errno(EFAULT));
 103
 104         if (copyin(ap, &args, sizeof (secflagdelta_t)) != 0)
 105                 return (set_errno(EFAULT));
 106
 107         psd.delta = &args;
 108
 109         /* secflags are per-process, procset must be in terms of processes */
 110         if ((procset.p_lidtype == P_LWPID) ||
 111             (procset.p_ridtype == P_LWPID))
 112                 return (set_errno(EINVAL));
 113
 114         rv = dotoprocs(&procset, psecdo, (caddr_t)&psd);
 115
 116         return (rv ? set_errno(rv) : 0);
 117 }