/* * Interface to effectively set the PRIV_ALL for * a credential; this interface does no security checks and is * intended for kernel (file)servers to extend the user credentials * to be ALL, like either kcred or zcred. */ void crset_zone_privall(cred_t *cr) { zone_t *zone = crgetzone(cr); priv_fillset(&CR_LPRIV(cr)); CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr); priv_intersect(zone->zone_privset, &CR_LPRIV(cr)); priv_intersect(zone->zone_privset, &CR_EPRIV(cr)); priv_intersect(zone->zone_privset, &CR_IPRIV(cr)); priv_intersect(zone->zone_privset, &CR_PPRIV(cr)); }
/* * Interface to set the effective and permitted privileges for * a credential; this interface does no security checks and is * intended for kernel (file)servers creating credentials with * specific privileges. */ int crsetpriv(cred_t *cr, ...) { va_list ap; const char *privnm; ASSERT(cr->cr_ref <= 2); priv_set_PA(cr); va_start(ap, cr); while ((privnm = va_arg(ap, const char *)) != NULL) { int priv = priv_getbyname(privnm, 0); if (priv < 0) return (-1); priv_addset(&CR_PPRIV(cr), priv); priv_addset(&CR_EPRIV(cr), priv); } priv_adjust_PA(cr); va_end(ap); return (0); }
/* * Privilege sanity checking when setting: E <= P. */ static boolean_t priv_valid(const cred_t *cr) { return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr))); }
void cred_init(void) { priv_init(); crsize = sizeof (cred_t); if (get_c2audit_load() > 0) { #ifdef _LP64 /* assure audit context is 64-bit aligned */ audoff = (crsize + sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1); #else /* _LP64 */ audoff = crsize; #endif /* _LP64 */ crsize = audoff + sizeof (auditinfo_addr_t); crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1); } cred_cache = kmem_cache_create("cred_cache", crsize, 0, NULL, NULL, NULL, NULL, NULL, 0); /* * dummycr is used to copy initial state for creds. */ dummycr = cralloc(); bzero(dummycr, crsize); dummycr->cr_ref = 1; dummycr->cr_uid = (uid_t)-1; dummycr->cr_gid = (gid_t)-1; dummycr->cr_ruid = (uid_t)-1; dummycr->cr_rgid = (gid_t)-1; dummycr->cr_suid = (uid_t)-1; dummycr->cr_sgid = (gid_t)-1; /* * kcred is used by anything that needs all privileges; it's * also the template used for crget as it has all the compatible * sets filled in. */ kcred = cralloc(); bzero(kcred, crsize); kcred->cr_ref = 1; /* kcred is never freed, so we don't need zone_cred_hold here */ kcred->cr_zone = &zone0; priv_fillset(&CR_LPRIV(kcred)); CR_IPRIV(kcred) = *priv_basic; /* Not a basic privilege, if chown is not restricted add it to I0 */ if (!rstchown) priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF); /* Basic privilege, if link is restricted remove it from I0 */ if (rstlink) priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY); CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred); CR_FLAGS(kcred) = NET_MAC_AWARE; /* * Set up credentials of p0. */ ttoproc(curthread)->p_cred = kcred; curthread->t_cred = kcred; ucredsize = UCRED_SIZE; mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL); zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd); }