/*
* Initialize the device policy code
*/
void
devpolicy_init(void)
{
rw_init(&policyrw, NULL, RW_DRIVER, NULL);
mutex_init(&policymutex, NULL, MUTEX_DRIVER, NULL);
/* The mutex is held here in order to satisfy the ASSERT in dpget() */
mutex_enter(&policymutex);
nullpolicy = dpget();
dfltpolicy = dpget();
netpolicy = dpget();
/*
* Initially, we refuse access to all devices except
* to processes with all privileges.
*/
priv_fillset(&dfltpolicy->dp_rdp);
priv_fillset(&dfltpolicy->dp_wrp);
totitems = 1;
devplcy_gen++;
mutex_exit(&policymutex);
/* initialize default network privilege */
priv_emptyset(&netpolicy->dp_rdp);
priv_emptyset(&netpolicy->dp_wrp);
priv_addset(&netpolicy->dp_rdp, PRIV_NET_RAWACCESS);
priv_addset(&netpolicy->dp_wrp, PRIV_NET_RAWACCESS);
}
void
priv_init(void)
{
#ifdef DEBUG
int alloc_test_priv = 1;
#else
int alloc_test_priv = priv_debug;
#endif
rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
PRIV_BASIC_ASSERT(priv_basic);
PRIV_UNSAFE_ASSERT(&priv_unsafe);
priv_fillset(&priv_fullset);
/*
* When booting with priv_debug set or in a DEBUG kernel, then we'll
* add an additional basic privilege and we verify that it is always
* present in E.
*/
if (alloc_test_priv != 0 &&
(priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
priv_addset(priv_basic, priv_basic_test);
}
devpolicy_init();
}
/*
* Interface to effectively set the PRIV_ALL for
* a credential; this interface does no security checks and is
* intended for kernel (file)servers to extend the user credentials
* to be ALL, like either kcred or zcred.
*/
void
crset_zone_privall(cred_t *cr)
{
zone_t *zone = crgetzone(cr);
priv_fillset(&CR_LPRIV(cr));
CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr);
priv_intersect(zone->zone_privset, &CR_LPRIV(cr));
priv_intersect(zone->zone_privset, &CR_EPRIV(cr));
priv_intersect(zone->zone_privset, &CR_IPRIV(cr));
priv_intersect(zone->zone_privset, &CR_PPRIV(cr));
}
static void
priv_str_to_set(const char *priv_name, priv_set_t *priv_set)
{
if (priv_name == NULL || strcmp(priv_name, "none") == 0) {
priv_emptyset(priv_set);
} else if (strcmp(priv_name, "all") == 0) {
priv_fillset(priv_set);
} else {
int priv;
priv = priv_getbyname(priv_name, PRIV_ALLOC);
if (priv < 0) {
cmn_err(CE_WARN, "fail to allocate privilege: %s",
priv_name);
return;
}
priv_emptyset(priv_set);
priv_addset(priv_set, priv);
}
}
priv_set_t *priv_str_to_set (const char *buf, const char *sep,
const char **endptr)
{
/* Take a copy of the string since strtok_r will modify it. */
char *str = strdup (buf);
if (!str)
return NULL;
priv_set_t *set = priv_allocset ();
if (!set)
{
free (str);
return NULL;
}
priv_emptyset (set);
const priv_data_t *data = __priv_parse_data_cached ();
if (!data)
return NULL;
priv_set_t *basic = data->pd_basicprivs;
char *saveptr;
char *priv = strtok_r (str, sep, &saveptr);
if (!priv)
return set;
do
{
if (strcmp (priv, "basic") == 0 && basic)
priv_union (basic, set);
else if (strcmp (priv, "all") == 0)
priv_fillset (set);
else if (strcmp (priv, "none") == 0)
priv_emptyset (set);
else if (strcmp (priv, "zone") == 0)
{
priv_set_t *zone = priv_allocset ();
if (!zone)
goto inval;
if (zone_getattr (getzoneid (), ZONE_ATTR_PRIVSET,
zone, __PRIVSETSIZE) == 0)
priv_union (zone, set);
priv_freeset (zone);
}
else
{
int negate = *str == '-' || *str == '!';
if (negate)
str++;
int res;
if (negate)
res = priv_delset (set, str);
else
res = priv_addset (set, str);
if (res == -1)
goto inval;
}
}
while ((priv = strtok_r (NULL, sep, &saveptr))) ;
free (str);
return set;
inval:
priv_freeset (set);
free (str);
__set_errno (EINVAL);
return NULL;
}
void
cred_init(void)
{
priv_init();
crsize = sizeof (cred_t);
if (get_c2audit_load() > 0) {
#ifdef _LP64
/* assure audit context is 64-bit aligned */
audoff = (crsize +
sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1);
#else /* _LP64 */
audoff = crsize;
#endif /* _LP64 */
crsize = audoff + sizeof (auditinfo_addr_t);
crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1);
}
cred_cache = kmem_cache_create("cred_cache", crsize, 0,
NULL, NULL, NULL, NULL, NULL, 0);
/*
* dummycr is used to copy initial state for creds.
*/
dummycr = cralloc();
bzero(dummycr, crsize);
dummycr->cr_ref = 1;
dummycr->cr_uid = (uid_t)-1;
dummycr->cr_gid = (gid_t)-1;
dummycr->cr_ruid = (uid_t)-1;
dummycr->cr_rgid = (gid_t)-1;
dummycr->cr_suid = (uid_t)-1;
dummycr->cr_sgid = (gid_t)-1;
/*
* kcred is used by anything that needs all privileges; it's
* also the template used for crget as it has all the compatible
* sets filled in.
*/
kcred = cralloc();
bzero(kcred, crsize);
kcred->cr_ref = 1;
/* kcred is never freed, so we don't need zone_cred_hold here */
kcred->cr_zone = &zone0;
priv_fillset(&CR_LPRIV(kcred));
CR_IPRIV(kcred) = *priv_basic;
/* Not a basic privilege, if chown is not restricted add it to I0 */
if (!rstchown)
priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
/* Basic privilege, if link is restricted remove it from I0 */
if (rstlink)
priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
CR_FLAGS(kcred) = NET_MAC_AWARE;
/*
* Set up credentials of p0.
*/
ttoproc(curthread)->p_cred = kcred;
curthread->t_cred = kcred;
ucredsize = UCRED_SIZE;
mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL);
zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd);
}
