| blob | ccde6e5af5f465a246240607c5d4c7adfcfa5dcd |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
26 /*
27 * Privilege implementation.
28 *
29 * This file provides the infrastructure for privilege sets and limits
30 * the number of files that requires to include <sys/cred_impl.h> and/or
31 * <sys/priv_impl.h>.
32 *
33 * The Solaris privilege mechanism has been designed in a
34 * future proof manner. While the kernel may use fixed size arrays
35 * and fixed bitmasks and bit values, the representation of those
36 * is kernel private. All external interfaces as well as K-to-K interfaces
37 * have been constructed in a manner to provide the maximum flexibility.
38 *
39 * There can be X privilege sets each containing Y 32 bit words.
40 * <X, Y> are constant for a kernel invocation.
41 *
42 * As a consequence, all privilege set manipulation happens in functions
43 * below.
44 *
45 */
47 #include <sys/systm.h>
48 #include <sys/ddi.h>
49 #include <sys/kmem.h>
50 #include <sys/sunddi.h>
51 #include <sys/errno.h>
52 #include <sys/debug.h>
53 #include <sys/priv_impl.h>
54 #include <sys/procfs.h>
55 #include <sys/policy.h>
56 #include <sys/cred_impl.h>
57 #include <sys/devpolicy.h>
58 #include <sys/atomic.h>
60 /*
61 * Privilege name to number mapping table consists in the generated
62 * priv_const.c file. This lock protects against updates of the privilege
63 * names and counts; all other priv_info fields are read-only.
64 * The actual protected values are:
65 * global variable nprivs
66 * the priv_max field
67 * the priv_names field
68 * the priv names info item (cnt/strings)
69 */
70 krwlock_t privinfo_lock;
77 /*
78 * Privilege initialization functions.
79 * Called from common/os/cred.c when cred_init is called.
80 */
82 void
84 {
85 #ifdef DEBUG
87 #else
89 #endif
96 /*
97 * When booting with priv_debug set or in a DEBUG kernel, then we'll
98 * add an additional basic privilege and we verify that it is always
99 * present in E.
100 */
104 }
107 }
109 /* Utility functions: privilege sets as opaque data types */
111 /*
112 * Guts of prgetprivsize.
113 */
114 int
116 {
120 }
122 /*
123 * Guts of prgetpriv.
124 */
125 void
127 {
141 }
143 /*
144 * Guts of pr_spriv:
145 *
146 * Set the privileges of a process.
147 *
148 * In order to set the privileges, the setting process will need to
149 * have those privileges in its effective set in order to prevent
150 * specially privileged processes to easily gain additional privileges.
151 * Pre-existing privileges can be retained. To change any privileges,
152 * PRIV_PROC_OWNER needs to be asserted.
153 *
154 * In formula:
155 *
156 * S' <= S || S' <= S + Ea
157 *
158 * the new set must either be subset of the old set or a subset of
159 * the oldset merged with the effective set of the acting process; or just:
160 *
161 * S' <= S + Ea
162 *
163 * It's not legal to grow the limit set this way.
164 *
165 */
166 int
168 {
174 priv_set_t eset;
178 /*
179 * Set must have proper dimension; infosize must be absent
180 * or properly sized.
181 */
194 }
198 /* Copy the privilege sets from prpriv to newcred */
207 /*
208 * Verify the constraints laid out:
209 * for the limit set, we require that the new set is a subset
210 * of the old limit set.
211 * for all other sets, we require that the new set is either a
212 * subset of the old set or a subset of the intersection of
213 * the old limit set and the effective set of the acting process.
214 */
225 /* Load the settable privilege information */
240 }
247 }
248 /* Guarantee alignment and forward progress */
254 }
257 }
258 }
260 /*
261 * We'll try to copy the privilege aware flag; but since the
262 * privileges sets are all individually set, they are set
263 * as if we're privilege aware. If PRIV_AWARE wasn't set
264 * or was explicitely unset, we need to set the flag and then
265 * try to get rid of it.
266 */
270 }
281 err:
285 }
287 priv_impl_info_t
289 {
292 }
294 void
296 {
298 }
300 size_t
302 {
304 }
307 /*
308 * Return the nth privilege set
309 */
312 {
321 }
323 }
325 /*
326 * Buf must be allocated by caller and contain sufficient space to
327 * contain all additional info structures using priv_info.priv_infosize.
328 * The buffer must be properly aligned.
329 */
330 /*ARGSUSED*/
331 void
333 {
340 }
342 int
344 {
357 rescan:
362 }
369 }
371 /* check length, validity and available space */
377 }
388 }
389 }
395 /* Someone may have added our privilege */
397 }
398 }
403 }
409 /* make the priv_names[i] and privilege name globally visible */
412 /* adjust priv count and bytes count */
418 }
420 /*
421 * We can't afford locking the privileges here because of the locations
422 * we call this from; so we make sure that the privileges table
423 * is visible to us; it is made visible before the value of nprivs is
424 * updated.
425 */
428 {
437 }
441 {
446 }
448 /*
449 * Privilege sanity checking when setting: E <= P.
450 */
451 static boolean_t
453 {
455 }
457 /*
458 * Privilege manipulation functions
459 *
460 * Without knowing the details of the privilege set implementation,
461 * opaque pointers can be used to manipulate sets at will.
462 */
463 void
465 {
467 }
469 void
471 {
474 /* memset? */
477 }
479 void
481 {
484 }
486 void
488 {
491 }
493 boolean_t
495 {
498 }
500 #define PRIV_TEST_BODY(test) \
501 int i; \
502 \
503 for (i = 0; i < PRIV_SETSIZE; i++) \
504 if (!(test)) \
505 return (B_FALSE); \
506 \
507 return (B_TRUE)
509 boolean_t
511 {
513 }
515 boolean_t
517 {
519 }
521 boolean_t
523 {
525 }
527 /*
528 * Return true if a is a subset of b
529 */
530 boolean_t
532 {
534 }
536 #define PRIV_CHANGE_BODY(a, op, b) \
537 int i; \
538 \
539 for (i = 0; i < PRIV_SETSIZE; i++) \
540 a->pbits[i] op b->pbits[i]
542 /* B = A ^ B */
543 void
545 {
546 /* CSTYLED */
548 }
550 /* B = A v B */
551 void
553 {
554 /* CSTYLED */
556 }
558 /* A = ! A */
559 void
561 {
563 }
565 /*
566 * Can the source cred act on the target credential?
567 *
568 * We will you allow to gain uids this way but not privileges.
569 */
570 int
572 {
578 /* prevent the cred from going away */
594 /*
595 * Source credential must have the proc_zone privilege if referencing
596 * a process in another zone.
597 */
601 }
607 }
609 /*
610 * For writing, the effective set of scr must dominate all sets of tcr,
611 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
612 * The Limit set of scr must be a superset of the limitset of
613 * tcr.
614 */
623 out:
626 else
629 }
631 /*
632 * Set the privilege aware bit, adding L to E/P if necessary.
633 * Each time we set it, we also clear PRIV_AWARE_RESET.
634 */
635 void
637 {
651 }
653 boolean_t
655 {
656 /*
657 * We can clear PA in the following cases:
658 *
659 * None of the uids are 0.
660 * Any uid == 0 and P == L and (Euid != 0 or E == L)
661 */
665 }
667 /*
668 * Clear privilege aware bit if it is an idempotent operation and by
669 * clearing it the process cannot get to uid 0 and all privileges.
670 *
671 * This function should be called with caution as it may cause "E" to be
672 * lost once a processes assumes euid 0 again.
673 */
674 void
676 {
683 }
688 /*
689 * We now need to adjust P/E in those cases when uids
690 * are zero; the rules are P' = I & L, E' = I & L;
691 * but since P = L and E = L, we can use P &= I, E &= I,
692 * depending on which uids are 0.
693 */
698 }
701 }
703 /*
704 * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET
705 * flag.
706 */
707 void
709 {
716 }
718 /*
719 * When PRIV_AWARE_RESET is enabled, any change of uids causes
720 * a change to the P and E sets. Bracketing with
721 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid)
722 * will cause the privilege sets "do the right thing.".
723 * When the change of the uid is "final", e.g., by using setuid(uid),
724 * or setreuid(uid, uid) or when the last set*uid() call causes all
725 * uids to be the same, we set P and E to I & L, like when you exec.
726 * We make an exception when all the uids are 0; this is required
727 * when we login as root as in that particular case we cannot
728 * make a distinction between seteuid(0) and seteuid(uid).
729 * We rely on seteuid/setreuid/setuid to tell us with the
730 * "finalize" argument that we no longer expect new uid changes,
731 * cf. setreuid(uid, uid) and setuid(uid).
732 */
741 }
745 }
746 }