kernel/syscall/ppriv.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24
  25 #include <sys/param.h>
  26 #include <sys/types.h>
  27 #include <sys/sysmacros.h>
  28 #include <sys/systm.h>
  29 #include <sys/cred_impl.h>
  30 #include <sys/errno.h>
  31 #include <sys/pathname.h>
  32 #include <sys/klpd.h>
  33 #include <sys/proc.h>
  34 #include <sys/priv_impl.h>
  35 #include <sys/policy.h>
  36 #include <sys/ddi.h>
  37 #include <sys/thread.h>
  38 #include <sys/cmn_err.h>
  39 #include <c2/audit.h>
  40
  41 /*
  42  * System call support for manipulating privileges.
  43  *
  44  *
  45  * setppriv(2) - set process privilege set
  46  * getppriv(2) - get process privilege set
  47  * getprivimplinfo(2) - get process privilege implementation information
  48  * setpflags(2) - set process (privilege) flags
  49  * getpflags(2) - get process (privilege) flags
  50  */
  51
  52 /*
  53  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
  54  */
  55 static int
  56 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
  57 {
  58         priv_set_t      pset, *target;
  59         cred_t          *cr, *pcr;
  60         proc_t          *p;
  61         boolean_t       donocd = B_FALSE;
  62
  63         if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
  64                 return (set_errno(EINVAL));
  65
  66         if (copyin(in_pset, &pset, sizeof (priv_set_t)))
  67                 return (set_errno(EFAULT));
  68
  69         p = ttoproc(curthread);
  70         cr = cralloc();
  71         mutex_enter(&p->p_crlock);
  72
  73 retry:
  74         pcr = p->p_cred;
  75
  76         if (AU_AUDITING())
  77                 audit_setppriv(op, type, &pset, pcr);
  78
  79         /*
  80          * Filter out unallowed request (bad op and bad type)
  81          */
  82         switch (op) {
  83         case PRIV_ON:
  84         case PRIV_SET:
  85                 /*
  86                  * Turning on privileges; the limit set cannot grow,
  87                  * other sets can but only as long as they remain subsets
  88                  * of P.  Only immediately after exec holds that P <= L.
  89                  */
  90                 if (type == PRIV_LIMIT &&
  91                     !priv_issubset(&pset, &CR_LPRIV(pcr))) {
  92                         mutex_exit(&p->p_crlock);
  93                         crfree(cr);
  94                         return (set_errno(EPERM));
  95                 }
  96                 if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
  97                     !priv_issubset(&pset, priv_getset(pcr, type))) {
  98                         mutex_exit(&p->p_crlock);
  99                         /* Policy override should not grow beyond L either */
 100                         if (type != PRIV_INHERITABLE ||
 101                             !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
 102                             secpolicy_require_privs(CRED(), &pset) != 0) {
 103                                 crfree(cr);
 104                                 return (set_errno(EPERM));
 105                         }
 106                         mutex_enter(&p->p_crlock);
 107                         if (pcr != p->p_cred)
 108                                 goto retry;
 109                         donocd = B_TRUE;
 110                 }
 111                 break;
 112
 113         case PRIV_OFF:
 114                 /* PRIV_OFF is always allowed */
 115                 break;
 116         }
 117
 118         /*
 119          * OK! everything is cool.
 120          * Do cred COW.
 121          */
 122         crcopy_to(pcr, cr);
 123
 124         /*
 125          * If we change the effective, permitted or limit set, we attain
 126          * "privilege awareness".
 127          */
 128         if (type != PRIV_INHERITABLE)
 129                 priv_set_PA(cr);
 130
 131         target = &(CR_PRIVS(cr)->crprivs[type]);
 132
 133         switch (op) {
 134         case PRIV_ON:
 135                 priv_union(&pset, target);
 136                 break;
 137         case PRIV_OFF:
 138                 priv_inverse(&pset);
 139                 priv_intersect(target, &pset);
 140
 141                 /*
 142                  * Fall-thru to set target and change other process
 143                  * privilege sets.
 144                  */
 145                 /*FALLTHRU*/
 146
 147         case PRIV_SET:
 148                 *target = pset;
 149
 150                 /*
 151                  * Take privileges no longer permitted out
 152                  * of other effective sets as well.
 153                  * Limit set is enforced at exec() time.
 154                  */
 155                 if (type == PRIV_PERMITTED)
 156                         priv_intersect(&pset, &CR_EPRIV(cr));
 157                 break;
 158         }
 159
 160         /*
 161          * When we give up privileges not in the inheritable set,
 162          * set SNOCD if not already set; first we compute the
 163          * privileges removed from P using Diff = (~P') & P
 164          * and then we check whether the removed privileges are
 165          * a subset of I.  If we retain uid 0, all privileges
 166          * are required anyway so don't set SNOCD.
 167          */
 168         if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
 169             cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
 170                 priv_set_t diff = CR_OPPRIV(cr);
 171                 priv_inverse(&diff);
 172                 priv_intersect(&CR_OPPRIV(pcr), &diff);
 173                 donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
 174         }
 175
 176         p->p_cred = cr;
 177         mutex_exit(&p->p_crlock);
 178
 179         if (donocd) {
 180                 mutex_enter(&p->p_lock);
 181                 p->p_flag |= SNOCD;
 182                 mutex_exit(&p->p_lock);
 183         }
 184
 185         /*
 186          * The basic_test privilege should not be removed from E;
 187          * if that has happened, then some programmer typically set the E/P to
 188          * empty. That is not portable.
 189          */
 190         if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
 191             priv_basic_test >= 0 && !PRIV_ISMEMBER(target, priv_basic_test)) {
 192                 proc_t *p = curproc;
 193                 pid_t pid = p->p_pid;
 194                 char *fn = PTOU(p)->u_comm;
 195
 196                 cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
 197                     "removed from E/P", fn, pid);
 198         }
 199
 200         crset(p, cr);           /* broadcast to process threads */
 201
 202         return (0);
 203 }
 204
 205 /*
 206  * getppriv (priv_ptype_t, priv_set_t *)
 207  */
 208 static int
 209 getppriv(priv_ptype_t type, priv_set_t *pset)
 210 {
 211         if (!PRIV_VALIDSET(type))
 212                 return (set_errno(EINVAL));
 213
 214         if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
 215                 return (set_errno(EFAULT));
 216
 217         return (0);
 218 }
 219
 220 static int
 221 getprivimplinfo(void *buf, size_t bufsize)
 222 {
 223         int err;
 224
 225         err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
 226
 227         priv_release_implinfo();
 228
 229         if (err)
 230                 return (set_errno(EFAULT));
 231
 232         return (0);
 233 }
 234
 235 /*
 236  * Set process flags in the given target cred.  If NULL is specified, then
 237  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
 238  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
 239  * for these, curproc is always used.
 240  *
 241  * For now we cheat: the flags are actually bit masks so we can simplify
 242  * some; we do make sure that the arguments are valid, though.
 243  */
 244
 245 int
 246 setpflags(uint_t flag, uint_t val, cred_t *tcr)
 247 {
 248         cred_t *cr, *pcr;
 249         proc_t *p = curproc;
 250         uint_t newflags;
 251         boolean_t use_curcred = (tcr == NULL);
 252
 253         if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
 254             flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
 255             flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
 256                 return (EINVAL);
 257         }
 258
 259         if (flag == __PROC_PROTECT) {
 260                 mutex_enter(&p->p_lock);
 261                 if (val == 0)
 262                         p->p_flag &= ~SNOCD;
 263                 else
 264                         p->p_flag |= SNOCD;
 265                 mutex_exit(&p->p_lock);
 266                 return (0);
 267         }
 268
 269         if (use_curcred) {
 270                 cr = cralloc();
 271                 mutex_enter(&p->p_crlock);
 272                 pcr = p->p_cred;
 273         } else {
 274                 cr = pcr = tcr;
 275         }
 276
 277         newflags = CR_FLAGS(pcr);
 278
 279         if (val != 0) {
 280                 if (flag == PRIV_AWARE)
 281                         newflags &= ~PRIV_AWARE_RESET;
 282                 newflags |= flag;
 283         } else {
 284                 newflags &= ~flag;
 285         }
 286
 287         /* No change */
 288         if (CR_FLAGS(pcr) == newflags) {
 289                 if (use_curcred) {
 290                         mutex_exit(&p->p_crlock);
 291                         crfree(cr);
 292                 }
 293                 return (0);
 294         }
 295
 296         /* Trying to unset PA; if we can't, return an error */
 297         if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
 298                 if (use_curcred) {
 299                         mutex_exit(&p->p_crlock);
 300                         crfree(cr);
 301                 }
 302                 return (EPERM);
 303         }
 304
 305         /* Committed to changing the flag */
 306         if (use_curcred)
 307                 crcopy_to(pcr, cr);
 308         if (flag == PRIV_AWARE) {
 309                 if (val != 0)
 310                         priv_set_PA(cr);
 311                 else
 312                         priv_adjust_PA(cr);
 313         } else {
 314                 CR_FLAGS(cr) = newflags;
 315         }
 316
 317         /*
 318          * Unsetting the flag has as side effect getting rid of
 319          * the per-credential policy.
 320          */
 321         if (flag == PRIV_XPOLICY && val == 0)
 322                 crsetcrklpd(cr, NULL);
 323
 324         if (use_curcred) {
 325                 p->p_cred = cr;
 326                 mutex_exit(&p->p_crlock);
 327                 crset(p, cr);
 328         }
 329
 330         return (0);
 331 }
 332
 333 /*
 334  * Getpflags.  Currently only implements single bit flags.
 335  */
 336 uint_t
 337 getpflags(uint_t flag, const cred_t *cr)
 338 {
 339         if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
 340             flag != PRIV_XPOLICY && flag != PRIV_PFEXEC &&
 341             flag != PRIV_AWARE_RESET)
 342                 return ((uint_t)-1);
 343
 344         return ((CR_FLAGS(cr) & flag) != 0);
 345 }
 346
 347 /*
 348  * Privilege system call entry point
 349  */
 350 int
 351 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
 352     int itype)
 353 {
 354         int retv;
 355         extern int issetugid(void);
 356
 357         switch (code) {
 358         case PRIVSYS_SETPPRIV:
 359                 if (bufsize < sizeof (priv_set_t))
 360                         return (set_errno(ENOMEM));
 361                 return (setppriv(op, type, buf));
 362         case PRIVSYS_GETPPRIV:
 363                 if (bufsize < sizeof (priv_set_t))
 364                         return (set_errno(ENOMEM));
 365                 return (getppriv(type, buf));
 366         case PRIVSYS_GETIMPLINFO:
 367                 return (getprivimplinfo(buf, bufsize));
 368         case PRIVSYS_SETPFLAGS:
 369                 retv = setpflags((uint_t)op, (uint_t)type, NULL);
 370                 return (retv != 0 ? set_errno(retv) : 0);
 371         case PRIVSYS_GETPFLAGS:
 372                 retv = (int)getpflags((uint_t)op, CRED());
 373                 return (retv == -1 ? set_errno(EINVAL) : retv);
 374         case PRIVSYS_ISSETUGID:
 375                 return (issetugid());
 376         case PRIVSYS_KLPD_REG:
 377                 if (bufsize < sizeof (priv_set_t))
 378                         return (set_errno(ENOMEM));
 379                 return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
 380                     buf));
 381         case PRIVSYS_KLPD_UNREG:
 382                 return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
 383         case PRIVSYS_PFEXEC_REG:
 384                 return ((int)pfexec_reg((int)op));
 385         case PRIVSYS_PFEXEC_UNREG:
 386                 return ((int)pfexec_unreg((int)op));
 387         }
 388         return (set_errno(EINVAL));
 389 }
 390
 391 #ifdef _SYSCALL32_IMPL
 392 int
 393 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
 394     size32_t bufsize, int itype)
 395 {
 396         return (privsys(code, op, type, (void *)(uintptr_t)buf,
 397             (size_t)bufsize, itype));
 398 }
 399 #endif