static void
privupdate_self(void)
{
int set;
if (mac_aware) {
if (setpflags(NET_MAC_AWARE, 1) != 0)
fatal("setpflags(NET_MAC_AWARE)");
if (setpflags(NET_MAC_AWARE_INHERIT, 1) != 0)
fatal("setpflags(NET_MAC_AWARE_INHERIT)");
}
if (pfexec) {
if (setpflags(PRIV_PFEXEC, 1) != 0)
fatal("setpflags(PRIV_PFEXEC)");
}
if (sets != NULL) {
priv_set_t *target = priv_allocset();
if (target == NULL)
fatal("priv_allocet");
set = priv_getsetbyname(PRIV_INHERITABLE);
if (rem[set] != NULL || add[set] != NULL ||
assign[set] != NULL) {
(void) getppriv(PRIV_INHERITABLE, target);
if (rem[set] != NULL)
priv_intersect(rem[set], target);
if (add[set] != NULL)
priv_union(add[set], target);
if (assign[set] != NULL)
priv_copyset(assign[set], target);
if (setppriv(PRIV_SET, PRIV_INHERITABLE, target) != 0)
fatal("setppriv(Inheritable)");
}
set = priv_getsetbyname(PRIV_LIMIT);
if (rem[set] != NULL || add[set] != NULL ||
assign[set] != NULL) {
(void) getppriv(PRIV_LIMIT, target);
if (rem[set] != NULL)
priv_intersect(rem[set], target);
if (add[set] != NULL)
priv_union(add[set], target);
if (assign[set] != NULL)
priv_copyset(assign[set], target);
if (setppriv(PRIV_SET, PRIV_LIMIT, target) != 0)
fatal("setppriv(Limit)");
}
priv_freeset(target);
}
if (Doff || Don)
(void) setpflags(PRIV_DEBUG, Don ? 1 : 0);
if (xpol)
(void) setpflags(PRIV_XPOLICY, 1);
if (pfexec)
(void) setpflags(PRIV_PFEXEC, 1);
}
static void
vjs_waive(enum jail_gen_e jge)
{
priv_set_t *effective, *inheritable, *permitted, *limited;
if (!(effective = priv_allocset()) ||
!(inheritable = priv_allocset()) ||
!(permitted = priv_allocset()) ||
!(limited = priv_allocset())) {
MGT_complain(C_SECURITY,
"Solaris Jail warning: "
" vjs_waive - priv_allocset failed: errno=%d (%s)",
errno, strerror(errno));
return;
}
/*
* inheritable and effective are distinct sets
* effective is a subset of permitted
* limit is the union of all
*/
priv_emptyset(inheritable);
vjs_add_inheritable(inheritable, jge);
priv_emptyset(effective);
vjs_add_effective(effective, jge);
priv_copyset(effective, permitted);
vjs_add_permitted(permitted, jge);
priv_copyset(inheritable, limited);
priv_union(permitted, limited);
/*
* invert the sets and clear privileges such that setppriv will always
* succeed
*/
priv_inverse(limited);
priv_inverse(permitted);
priv_inverse(effective);
priv_inverse(inheritable);
AZ(setppriv(PRIV_OFF, PRIV_LIMIT, limited));
AZ(setppriv(PRIV_OFF, PRIV_PERMITTED, permitted));
AZ(setppriv(PRIV_OFF, PRIV_EFFECTIVE, effective));
AZ(setppriv(PRIV_OFF, PRIV_INHERITABLE, inheritable));
priv_freeset(limited);
priv_freeset(permitted);
priv_freeset(effective);
priv_freeset(inheritable);
}
static int privileges_drop_first(apr_pool_t *pool, server_rec *s)
{
/* We need to set privileges before mod_unixd,
* 'cos otherwise setuid will wipe our privilege to do so
*/
priv_cfg *spcfg;
server_rec *sp;
priv_set_t *ppriv = priv_allocset();
/* compute ppriv from the union of all the vhosts plus setid */
priv_copyset(priv_setid, ppriv);
for (sp = s; sp != NULL; sp=sp->next) {
spcfg = ap_get_module_config(sp->module_config, &privileges_module);
priv_union(spcfg->priv, ppriv);
}
PDROP_CHECK(setppriv(PRIV_SET, PRIV_PERMITTED, ppriv))
PDROP_CHECK(setppriv(PRIV_SET, PRIV_EFFECTIVE, ppriv))
priv_freeset(ppriv);
return OK;
}
/*
* setppriv (priv_op_t, priv_ptype_t, priv_set_t)
*/
static int
setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
{
priv_set_t pset, *target;
cred_t *cr, *pcr;
proc_t *p;
boolean_t donocd = B_FALSE;
if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
return (set_errno(EINVAL));
if (copyin(in_pset, &pset, sizeof (priv_set_t)))
return (set_errno(EFAULT));
p = ttoproc(curthread);
cr = cralloc();
mutex_enter(&p->p_crlock);
retry:
pcr = p->p_cred;
if (AU_AUDITING())
audit_setppriv(op, type, &pset, pcr);
/*
* Filter out unallowed request (bad op and bad type)
*/
switch (op) {
case PRIV_ON:
case PRIV_SET:
/*
* Turning on privileges; the limit set cannot grow,
* other sets can but only as long as they remain subsets
* of P. Only immediately after exec holds that P <= L.
*/
if (type == PRIV_LIMIT &&
!priv_issubset(&pset, &CR_LPRIV(pcr))) {
mutex_exit(&p->p_crlock);
crfree(cr);
return (set_errno(EPERM));
}
if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
!priv_issubset(&pset, priv_getset(pcr, type))) {
mutex_exit(&p->p_crlock);
/* Policy override should not grow beyond L either */
if (type != PRIV_INHERITABLE ||
!priv_issubset(&pset, &CR_LPRIV(pcr)) ||
secpolicy_require_privs(CRED(), &pset) != 0) {
crfree(cr);
return (set_errno(EPERM));
}
mutex_enter(&p->p_crlock);
if (pcr != p->p_cred)
goto retry;
donocd = B_TRUE;
}
break;
case PRIV_OFF:
/* PRIV_OFF is always allowed */
break;
}
/*
* OK! everything is cool.
* Do cred COW.
*/
crcopy_to(pcr, cr);
/*
* If we change the effective, permitted or limit set, we attain
* "privilege awareness".
*/
if (type != PRIV_INHERITABLE)
priv_set_PA(cr);
target = &(CR_PRIVS(cr)->crprivs[type]);
switch (op) {
case PRIV_ON:
priv_union(&pset, target);
break;
case PRIV_OFF:
priv_inverse(&pset);
priv_intersect(target, &pset);
/*
* Fall-thru to set target and change other process
* privilege sets.
*/
/*FALLTHRU*/
case PRIV_SET:
*target = pset;
/*
* Take privileges no longer permitted out
* of other effective sets as well.
* Limit set is enforced at exec() time.
*/
if (type == PRIV_PERMITTED)
priv_intersect(&pset, &CR_EPRIV(cr));
break;
}
/*
* When we give up privileges not in the inheritable set,
* set SNOCD if not already set; first we compute the
* privileges removed from P using Diff = (~P') & P
* and then we check whether the removed privileges are
* a subset of I. If we retain uid 0, all privileges
* are required anyway so don't set SNOCD.
*/
if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
priv_set_t diff = CR_OPPRIV(cr);
priv_inverse(&diff);
priv_intersect(&CR_OPPRIV(pcr), &diff);
donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
}
p->p_cred = cr;
mutex_exit(&p->p_crlock);
if (donocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
/*
* The basic_test privilege should not be removed from E;
* if that has happened, then some programmer typically set the E/P to
* empty. That is not portable.
*/
if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
proc_t *p = curproc;
pid_t pid = p->p_pid;
char *fn = PTOU(p)->u_comm;
cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
"removed from E/P", fn, pid);
}
crset(p, cr); /* broadcast to process threads */
return (0);
}
priv_set_t *priv_str_to_set (const char *buf, const char *sep,
const char **endptr)
{
/* Take a copy of the string since strtok_r will modify it. */
char *str = strdup (buf);
if (!str)
return NULL;
priv_set_t *set = priv_allocset ();
if (!set)
{
free (str);
return NULL;
}
priv_emptyset (set);
const priv_data_t *data = __priv_parse_data_cached ();
if (!data)
return NULL;
priv_set_t *basic = data->pd_basicprivs;
char *saveptr;
char *priv = strtok_r (str, sep, &saveptr);
if (!priv)
return set;
do
{
if (strcmp (priv, "basic") == 0 && basic)
priv_union (basic, set);
else if (strcmp (priv, "all") == 0)
priv_fillset (set);
else if (strcmp (priv, "none") == 0)
priv_emptyset (set);
else if (strcmp (priv, "zone") == 0)
{
priv_set_t *zone = priv_allocset ();
if (!zone)
goto inval;
if (zone_getattr (getzoneid (), ZONE_ATTR_PRIVSET,
zone, __PRIVSETSIZE) == 0)
priv_union (zone, set);
priv_freeset (zone);
}
else
{
int negate = *str == '-' || *str == '!';
if (negate)
str++;
int res;
if (negate)
res = priv_delset (set, str);
else
res = priv_addset (set, str);
if (res == -1)
goto inval;
}
}
while ((priv = strtok_r (NULL, sep, &saveptr))) ;
free (str);
return set;
inval:
priv_freeset (set);
free (str);
__set_errno (EINVAL);
return NULL;
}
/* Specify what privileges an suid root binary needs. */
int __init_suid_priv (int flags, ...)
{
int res = 0;
priv_set_t *permit = NULL, *inherit = NULL, *scratch = NULL;
/* Check flags. */
if (flags != PU_LIMITPRIVS && flags != PU_CLEARLIMITSET)
return -1;
/* We can only initialize once. */
if (__suidset)
return -1;
/* Do nothing if we are running as root but not setuid root. */
uid_t uid = getuid ();
uid_t euid = geteuid ();
if (uid == 0 && euid == 0)
return 0;
/* Allocate a scratch set. */
scratch = priv_allocset ();
if (!scratch)
goto error;
/* Get the basic set. */
const priv_data_t *pd = __priv_parse_data_cached ();
if (!pd)
goto error;
priv_set_t *basic = pd->pd_basicprivs;
/* Get the inherited set. */
inherit = priv_allocset ();
if (!inherit)
goto error;
if (getppriv (PRIV_INHERITABLE, inherit) != 0)
goto error;
/* Get the permitted set. */
permit = priv_allocset ();
if (!permit)
goto error;
if (getppriv (PRIV_PERMITTED, permit) != 0)
goto error;
/* Get passed privileges. */
__suidset = priv_allocset ();
if (!__suidset)
goto error;
priv_emptyset (__suidset);
va_list ap;
va_start (ap, flags);
const char *priv;
while ((priv = va_arg (ap, const char *)))
if (priv_addset (__suidset, priv) != 0)
goto error;
/* Make sure that the passed privileges are a subset of the current
permitted privileges. */
if (priv_issubset (__suidset, permit) != _B_TRUE)
goto error;
/* Set the effective privileges to the inherited ones. */
if (setppriv (PRIV_SET, PRIV_EFFECTIVE, inherit) != 0)
goto error;
/* Set the permitted privileges to those currently permitted privileges in
set of the ones passed in, the inherited ones, and the basic set. */
priv_copyset (__suidset, scratch);
priv_union (inherit, scratch);
if (basic)
priv_union (basic, scratch);
priv_intersect (permit, scratch);
if (setppriv (PRIV_SET, PRIV_PERMITTED, scratch) != 0)
goto error;
/* Check if we need to set the limit set. */
if (flags & PU_CLEARLIMITSET)
{
priv_emptyset (scratch);
if (setppriv (PRIV_SET, PRIV_LIMIT, scratch) != 0)
goto error;
}
else if (flags & PU_LIMITPRIVS)
{
if (setppriv (PRIV_SET, PRIV_LIMIT, scratch) != 0)
goto error;
}
/* Change the uid to the caller's uid if we're setuid root. */
if (euid == 0 && setreuid (uid, uid) != 0)
goto error;
goto out;
error:
res = -1;
if (__suidset)
{
priv_freeset (__suidset);
__suidset = NULL;
}
if (euid == 0)
setreuid (uid, uid);
out:
priv_freeset (permit);
priv_freeset (inherit);
priv_freeset (scratch);
return res;
}
static void
privupdate(prpriv_t *pr, const char *arg)
{
int i;
if (sets != NULL) {
for (i = 0; i < pri->priv_nsets; i++) {
priv_set_t *target =
(priv_set_t *)&pr->pr_sets[pr->pr_setsize * i];
if (rem[i] != NULL)
priv_intersect(rem[i], target);
if (add[i] != NULL)
priv_union(add[i], target);
if (assign[i] != NULL)
priv_copyset(assign[i], target);
}
}
if (Doff || Don || pfexec || xpol) {
priv_info_uint_t *pii;
int sz = PRIV_PRPRIV_SIZE(pr);
char *x = (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr);
uint32_t fl = 0;
while (x < (char *)pr + sz) {
/* LINTED: alignment */
priv_info_t *pi = (priv_info_t *)x;
if (pi->priv_info_type == PRIV_INFO_FLAGS) {
/* LINTED: alignment */
pii = (priv_info_uint_t *)x;
fl = pii->val;
goto done;
}
if (pi->priv_info_size > pr->pr_infosize ||
pi->priv_info_size <= sizeof (priv_info_t) ||
(pi->priv_info_size & 3) != 0)
break;
x += pi->priv_info_size;
}
(void) fprintf(stderr,
"%s: cannot find privilege flags to set\n", arg);
pr->pr_infosize = 0;
return;
done:
pr->pr_infosize = sizeof (priv_info_uint_t);
/* LINTED: alignment */
pii = (priv_info_uint_t *)
((char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
if (Don)
fl |= PRIV_DEBUG;
if (Doff)
fl &= ~PRIV_DEBUG;
if (pfexec)
fl |= PRIV_PFEXEC;
if (xpol)
fl |= PRIV_XPOLICY;
pii->info.priv_info_size = sizeof (*pii);
pii->info.priv_info_type = PRIV_INFO_FLAGS;
pii->val = fl;
} else {
pr->pr_infosize = 0;
}
}
static int
parsespec(const char *spec)
{
char *p;
const char *q;
int count;
priv_set_t ***toupd;
priv_set_t *upd;
int i;
boolean_t freeupd = B_TRUE;
if (pri == NULL)
loadprivinfo();
p = strpbrk(spec, "+-=");
if (p == NULL || p - spec > pri->priv_nsets)
badspec(spec);
if (p[1] == '\0' || (upd = priv_str_to_set(p + 1, ",", NULL)) == NULL)
badspec(p + 1);
count = p - spec;
switch (*p) {
case '+':
toupd = &add;
break;
case '-':
toupd = &rem;
priv_inverse(upd);
break;
case '=':
toupd = &assign;
break;
}
/* Update all sets? */
if (count == 0 || *spec == 'a' || *spec == 'A') {
count = pri->priv_nsets;
q = sets;
} else
q = spec;
for (i = 0; i < count; i++) {
int ind = strindex(q[i], sets);
if (ind == -1)
badspec(spec);
/* Assign is mutually exclusive with add/remove and itself */
if (((toupd == &rem || toupd == &add) && assign[ind] != NULL) ||
(toupd == &assign && (assign[ind] != NULL ||
rem[ind] != NULL || add[ind] != NULL))) {
(void) fprintf(stderr, "%s: conflicting spec: %s\n",
command, spec);
exit(1);
}
if ((*toupd)[ind] != NULL) {
if (*p == '-')
priv_intersect(upd, (*toupd)[ind]);
else
priv_union(upd, (*toupd)[ind]);
} else {
(*toupd)[ind] = upd;
freeupd = B_FALSE;
}
}
if (freeupd)
priv_freeset(upd);
return (0);
}
