/* * Initialize the device policy code */ void devpolicy_init(void) { rw_init(&policyrw, NULL, RW_DRIVER, NULL); mutex_init(&policymutex, NULL, MUTEX_DRIVER, NULL); /* The mutex is held here in order to satisfy the ASSERT in dpget() */ mutex_enter(&policymutex); nullpolicy = dpget(); dfltpolicy = dpget(); netpolicy = dpget(); /* * Initially, we refuse access to all devices except * to processes with all privileges. */ priv_fillset(&dfltpolicy->dp_rdp); priv_fillset(&dfltpolicy->dp_wrp); totitems = 1; devplcy_gen++; mutex_exit(&policymutex); /* initialize default network privilege */ priv_emptyset(&netpolicy->dp_rdp); priv_emptyset(&netpolicy->dp_wrp); priv_addset(&netpolicy->dp_rdp, PRIV_NET_RAWACCESS); priv_addset(&netpolicy->dp_wrp, PRIV_NET_RAWACCESS); }
void priv_init(void) { #ifdef DEBUG int alloc_test_priv = 1; #else int alloc_test_priv = priv_debug; #endif rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL); PRIV_BASIC_ASSERT(priv_basic); PRIV_UNSAFE_ASSERT(&priv_unsafe); priv_fillset(&priv_fullset); /* * When booting with priv_debug set or in a DEBUG kernel, then we'll * add an additional basic privilege and we verify that it is always * present in E. */ if (alloc_test_priv != 0 && (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) { priv_addset(priv_basic, priv_basic_test); } devpolicy_init(); }
/* * Interface to effectively set the PRIV_ALL for * a credential; this interface does no security checks and is * intended for kernel (file)servers to extend the user credentials * to be ALL, like either kcred or zcred. */ void crset_zone_privall(cred_t *cr) { zone_t *zone = crgetzone(cr); priv_fillset(&CR_LPRIV(cr)); CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr); priv_intersect(zone->zone_privset, &CR_LPRIV(cr)); priv_intersect(zone->zone_privset, &CR_EPRIV(cr)); priv_intersect(zone->zone_privset, &CR_IPRIV(cr)); priv_intersect(zone->zone_privset, &CR_PPRIV(cr)); }
static void priv_str_to_set(const char *priv_name, priv_set_t *priv_set) { if (priv_name == NULL || strcmp(priv_name, "none") == 0) { priv_emptyset(priv_set); } else if (strcmp(priv_name, "all") == 0) { priv_fillset(priv_set); } else { int priv; priv = priv_getbyname(priv_name, PRIV_ALLOC); if (priv < 0) { cmn_err(CE_WARN, "fail to allocate privilege: %s", priv_name); return; } priv_emptyset(priv_set); priv_addset(priv_set, priv); } }
priv_set_t *priv_str_to_set (const char *buf, const char *sep, const char **endptr) { /* Take a copy of the string since strtok_r will modify it. */ char *str = strdup (buf); if (!str) return NULL; priv_set_t *set = priv_allocset (); if (!set) { free (str); return NULL; } priv_emptyset (set); const priv_data_t *data = __priv_parse_data_cached (); if (!data) return NULL; priv_set_t *basic = data->pd_basicprivs; char *saveptr; char *priv = strtok_r (str, sep, &saveptr); if (!priv) return set; do { if (strcmp (priv, "basic") == 0 && basic) priv_union (basic, set); else if (strcmp (priv, "all") == 0) priv_fillset (set); else if (strcmp (priv, "none") == 0) priv_emptyset (set); else if (strcmp (priv, "zone") == 0) { priv_set_t *zone = priv_allocset (); if (!zone) goto inval; if (zone_getattr (getzoneid (), ZONE_ATTR_PRIVSET, zone, __PRIVSETSIZE) == 0) priv_union (zone, set); priv_freeset (zone); } else { int negate = *str == '-' || *str == '!'; if (negate) str++; int res; if (negate) res = priv_delset (set, str); else res = priv_addset (set, str); if (res == -1) goto inval; } } while ((priv = strtok_r (NULL, sep, &saveptr))) ; free (str); return set; inval: priv_freeset (set); free (str); __set_errno (EINVAL); return NULL; }
void cred_init(void) { priv_init(); crsize = sizeof (cred_t); if (get_c2audit_load() > 0) { #ifdef _LP64 /* assure audit context is 64-bit aligned */ audoff = (crsize + sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1); #else /* _LP64 */ audoff = crsize; #endif /* _LP64 */ crsize = audoff + sizeof (auditinfo_addr_t); crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1); } cred_cache = kmem_cache_create("cred_cache", crsize, 0, NULL, NULL, NULL, NULL, NULL, 0); /* * dummycr is used to copy initial state for creds. */ dummycr = cralloc(); bzero(dummycr, crsize); dummycr->cr_ref = 1; dummycr->cr_uid = (uid_t)-1; dummycr->cr_gid = (gid_t)-1; dummycr->cr_ruid = (uid_t)-1; dummycr->cr_rgid = (gid_t)-1; dummycr->cr_suid = (uid_t)-1; dummycr->cr_sgid = (gid_t)-1; /* * kcred is used by anything that needs all privileges; it's * also the template used for crget as it has all the compatible * sets filled in. */ kcred = cralloc(); bzero(kcred, crsize); kcred->cr_ref = 1; /* kcred is never freed, so we don't need zone_cred_hold here */ kcred->cr_zone = &zone0; priv_fillset(&CR_LPRIV(kcred)); CR_IPRIV(kcred) = *priv_basic; /* Not a basic privilege, if chown is not restricted add it to I0 */ if (!rstchown) priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF); /* Basic privilege, if link is restricted remove it from I0 */ if (rstlink) priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY); CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred); CR_FLAGS(kcred) = NET_MAC_AWARE; /* * Set up credentials of p0. */ ttoproc(curthread)->p_cred = kcred; curthread->t_cred = kcred; ucredsize = UCRED_SIZE; mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL); zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd); }