/*
* Interface to effectively set the PRIV_ALL for
* a credential; this interface does no security checks and is
* intended for kernel (file)servers to extend the user credentials
* to be ALL, like either kcred or zcred.
*/
void
crset_zone_privall(cred_t *cr)
{
zone_t *zone = crgetzone(cr);
priv_fillset(&CR_LPRIV(cr));
CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr);
priv_intersect(zone->zone_privset, &CR_LPRIV(cr));
priv_intersect(zone->zone_privset, &CR_EPRIV(cr));
priv_intersect(zone->zone_privset, &CR_IPRIV(cr));
priv_intersect(zone->zone_privset, &CR_PPRIV(cr));
}
/*
* Interface to set the effective and permitted privileges for
* a credential; this interface does no security checks and is
* intended for kernel (file)servers creating credentials with
* specific privileges.
*/
int
crsetpriv(cred_t *cr, ...)
{
va_list ap;
const char *privnm;
ASSERT(cr->cr_ref <= 2);
priv_set_PA(cr);
va_start(ap, cr);
while ((privnm = va_arg(ap, const char *)) != NULL) {
int priv = priv_getbyname(privnm, 0);
if (priv < 0)
return (-1);
priv_addset(&CR_PPRIV(cr), priv);
priv_addset(&CR_EPRIV(cr), priv);
}
priv_adjust_PA(cr);
va_end(ap);
return (0);
}
/*
* Privilege sanity checking when setting: E <= P.
*/
static boolean_t
priv_valid(const cred_t *cr)
{
return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
}
void
cred_init(void)
{
priv_init();
crsize = sizeof (cred_t);
if (get_c2audit_load() > 0) {
#ifdef _LP64
/* assure audit context is 64-bit aligned */
audoff = (crsize +
sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1);
#else /* _LP64 */
audoff = crsize;
#endif /* _LP64 */
crsize = audoff + sizeof (auditinfo_addr_t);
crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1);
}
cred_cache = kmem_cache_create("cred_cache", crsize, 0,
NULL, NULL, NULL, NULL, NULL, 0);
/*
* dummycr is used to copy initial state for creds.
*/
dummycr = cralloc();
bzero(dummycr, crsize);
dummycr->cr_ref = 1;
dummycr->cr_uid = (uid_t)-1;
dummycr->cr_gid = (gid_t)-1;
dummycr->cr_ruid = (uid_t)-1;
dummycr->cr_rgid = (gid_t)-1;
dummycr->cr_suid = (uid_t)-1;
dummycr->cr_sgid = (gid_t)-1;
/*
* kcred is used by anything that needs all privileges; it's
* also the template used for crget as it has all the compatible
* sets filled in.
*/
kcred = cralloc();
bzero(kcred, crsize);
kcred->cr_ref = 1;
/* kcred is never freed, so we don't need zone_cred_hold here */
kcred->cr_zone = &zone0;
priv_fillset(&CR_LPRIV(kcred));
CR_IPRIV(kcred) = *priv_basic;
/* Not a basic privilege, if chown is not restricted add it to I0 */
if (!rstchown)
priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
/* Basic privilege, if link is restricted remove it from I0 */
if (rstlink)
priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
CR_FLAGS(kcred) = NET_MAC_AWARE;
/*
* Set up credentials of p0.
*/
ttoproc(curthread)->p_cred = kcred;
curthread->t_cred = kcred;
ucredsize = UCRED_SIZE;
mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL);
zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd);
}
