/*
* Interface to effectively set the PRIV_ALL for
* a credential; this interface does no security checks and is
* intended for kernel (file)servers to extend the user credentials
* to be ALL, like either kcred or zcred.
*/
void
crset_zone_privall(cred_t *cr)
{
zone_t *zone = crgetzone(cr);
priv_fillset(&CR_LPRIV(cr));
CR_EPRIV(cr) = CR_PPRIV(cr) = CR_IPRIV(cr) = CR_LPRIV(cr);
priv_intersect(zone->zone_privset, &CR_LPRIV(cr));
priv_intersect(zone->zone_privset, &CR_EPRIV(cr));
priv_intersect(zone->zone_privset, &CR_IPRIV(cr));
priv_intersect(zone->zone_privset, &CR_PPRIV(cr));
}
/*
* setppriv (priv_op_t, priv_ptype_t, priv_set_t)
*/
static int
setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
{
priv_set_t pset, *target;
cred_t *cr, *pcr;
proc_t *p;
boolean_t donocd = B_FALSE;
if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
return (set_errno(EINVAL));
if (copyin(in_pset, &pset, sizeof (priv_set_t)))
return (set_errno(EFAULT));
p = ttoproc(curthread);
cr = cralloc();
mutex_enter(&p->p_crlock);
retry:
pcr = p->p_cred;
if (AU_AUDITING())
audit_setppriv(op, type, &pset, pcr);
/*
* Filter out unallowed request (bad op and bad type)
*/
switch (op) {
case PRIV_ON:
case PRIV_SET:
/*
* Turning on privileges; the limit set cannot grow,
* other sets can but only as long as they remain subsets
* of P. Only immediately after exec holds that P <= L.
*/
if (type == PRIV_LIMIT &&
!priv_issubset(&pset, &CR_LPRIV(pcr))) {
mutex_exit(&p->p_crlock);
crfree(cr);
return (set_errno(EPERM));
}
if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
!priv_issubset(&pset, priv_getset(pcr, type))) {
mutex_exit(&p->p_crlock);
/* Policy override should not grow beyond L either */
if (type != PRIV_INHERITABLE ||
!priv_issubset(&pset, &CR_LPRIV(pcr)) ||
secpolicy_require_privs(CRED(), &pset) != 0) {
crfree(cr);
return (set_errno(EPERM));
}
mutex_enter(&p->p_crlock);
if (pcr != p->p_cred)
goto retry;
donocd = B_TRUE;
}
break;
case PRIV_OFF:
/* PRIV_OFF is always allowed */
break;
}
/*
* OK! everything is cool.
* Do cred COW.
*/
crcopy_to(pcr, cr);
/*
* If we change the effective, permitted or limit set, we attain
* "privilege awareness".
*/
if (type != PRIV_INHERITABLE)
priv_set_PA(cr);
target = &(CR_PRIVS(cr)->crprivs[type]);
switch (op) {
case PRIV_ON:
priv_union(&pset, target);
break;
case PRIV_OFF:
priv_inverse(&pset);
priv_intersect(target, &pset);
/*
* Fall-thru to set target and change other process
* privilege sets.
*/
/*FALLTHRU*/
case PRIV_SET:
*target = pset;
/*
* Take privileges no longer permitted out
* of other effective sets as well.
* Limit set is enforced at exec() time.
*/
if (type == PRIV_PERMITTED)
priv_intersect(&pset, &CR_EPRIV(cr));
break;
}
/*
* When we give up privileges not in the inheritable set,
* set SNOCD if not already set; first we compute the
* privileges removed from P using Diff = (~P') & P
* and then we check whether the removed privileges are
* a subset of I. If we retain uid 0, all privileges
* are required anyway so don't set SNOCD.
*/
if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
priv_set_t diff = CR_OPPRIV(cr);
priv_inverse(&diff);
priv_intersect(&CR_OPPRIV(pcr), &diff);
donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
}
p->p_cred = cr;
mutex_exit(&p->p_crlock);
if (donocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
/*
* The basic_test privilege should not be removed from E;
* if that has happened, then some programmer typically set the E/P to
* empty. That is not portable.
*/
if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
proc_t *p = curproc;
pid_t pid = p->p_pid;
char *fn = PTOU(p)->u_comm;
cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
"removed from E/P", fn, pid);
}
crset(p, cr); /* broadcast to process threads */
return (0);
}
void
cred_init(void)
{
priv_init();
crsize = sizeof (cred_t);
if (get_c2audit_load() > 0) {
#ifdef _LP64
/* assure audit context is 64-bit aligned */
audoff = (crsize +
sizeof (int64_t) - 1) & ~(sizeof (int64_t) - 1);
#else /* _LP64 */
audoff = crsize;
#endif /* _LP64 */
crsize = audoff + sizeof (auditinfo_addr_t);
crsize = (crsize + sizeof (int) - 1) & ~(sizeof (int) - 1);
}
cred_cache = kmem_cache_create("cred_cache", crsize, 0,
NULL, NULL, NULL, NULL, NULL, 0);
/*
* dummycr is used to copy initial state for creds.
*/
dummycr = cralloc();
bzero(dummycr, crsize);
dummycr->cr_ref = 1;
dummycr->cr_uid = (uid_t)-1;
dummycr->cr_gid = (gid_t)-1;
dummycr->cr_ruid = (uid_t)-1;
dummycr->cr_rgid = (gid_t)-1;
dummycr->cr_suid = (uid_t)-1;
dummycr->cr_sgid = (gid_t)-1;
/*
* kcred is used by anything that needs all privileges; it's
* also the template used for crget as it has all the compatible
* sets filled in.
*/
kcred = cralloc();
bzero(kcred, crsize);
kcred->cr_ref = 1;
/* kcred is never freed, so we don't need zone_cred_hold here */
kcred->cr_zone = &zone0;
priv_fillset(&CR_LPRIV(kcred));
CR_IPRIV(kcred) = *priv_basic;
/* Not a basic privilege, if chown is not restricted add it to I0 */
if (!rstchown)
priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
/* Basic privilege, if link is restricted remove it from I0 */
if (rstlink)
priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
CR_FLAGS(kcred) = NET_MAC_AWARE;
/*
* Set up credentials of p0.
*/
ttoproc(curthread)->p_cred = kcred;
curthread->t_cred = kcred;
ucredsize = UCRED_SIZE;
mutex_init(&ephemeral_zone_mutex, NULL, MUTEX_DEFAULT, NULL);
zone_key_create(&ephemeral_zone_key, NULL, NULL, destroy_ephemeral_zsd);
}