Home | History | Annotate | Download | only in syscall
      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  */
     21 /*
     22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
     23  * Use is subject to license terms.
     24  */
     25 
     26 #include <sys/param.h>
     27 #include <sys/types.h>
     28 #include <sys/sysmacros.h>
     29 #include <sys/systm.h>
     30 #include <sys/cred_impl.h>
     31 #include <sys/errno.h>
     32 #include <sys/klpd.h>
     33 #include <sys/proc.h>
     34 #include <sys/priv_impl.h>
     35 #include <sys/policy.h>
     36 #include <sys/ddi.h>
     37 #include <sys/thread.h>
     38 #include <c2/audit.h>
     39 
     40 /*
     41  * System call support for manipulating privileges.
     42  *
     43  *
     44  * setppriv(2) - set process privilege set
     45  * getppriv(2) - get process privilege set
     46  * getprivimplinfo(2) - get process privilege implementation information
     47  * setpflags(2) - set process (privilege) flags
     48  * getpflags(2) - get process (privilege) flags
     49  */
     50 
     51 /*
     52  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
     53  */
     54 static int
     55 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
     56 {
     57 	priv_set_t	pset, *target;
     58 	cred_t		*cr, *pcr;
     59 	proc_t		*p;
     60 	boolean_t	donocd = B_FALSE;
     61 
     62 	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
     63 		return (set_errno(EINVAL));
     64 
     65 	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
     66 		return (set_errno(EFAULT));
     67 
     68 	p = ttoproc(curthread);
     69 	cr = cralloc();
     70 	mutex_enter(&p->p_crlock);
     71 
     72 retry:
     73 	pcr = p->p_cred;
     74 
     75 	if (audit_active)
     76 		audit_setppriv(op, type, &pset, pcr);
     77 
     78 	/*
     79 	 * Filter out unallowed request (bad op and bad type)
     80 	 */
     81 	switch (op) {
     82 	case PRIV_ON:
     83 	case PRIV_SET:
     84 		/*
     85 		 * Turning on privileges; the limit set cannot grow,
     86 		 * other sets can but only as long as they remain subsets
     87 		 * of P.  Only immediately after exec holds that P <= L.
     88 		 */
     89 		if (type == PRIV_LIMIT &&
     90 		    !priv_issubset(&pset, &CR_LPRIV(pcr))) {
     91 			mutex_exit(&p->p_crlock);
     92 			crfree(cr);
     93 			return (set_errno(EPERM));
     94 		}
     95 		if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
     96 		    !priv_issubset(&pset, priv_getset(pcr, type))) {
     97 			mutex_exit(&p->p_crlock);
     98 			/* Policy override should not grow beyond L either */
     99 			if (type != PRIV_INHERITABLE ||
    100 			    !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
    101 			    secpolicy_require_privs(CRED(), &pset) != 0) {
    102 				crfree(cr);
    103 				return (set_errno(EPERM));
    104 			}
    105 			mutex_enter(&p->p_crlock);
    106 			if (pcr != p->p_cred)
    107 				goto retry;
    108 			donocd = B_TRUE;
    109 		}
    110 		break;
    111 
    112 	case PRIV_OFF:
    113 		/* PRIV_OFF is always allowed */
    114 		break;
    115 	}
    116 
    117 	/*
    118 	 * OK! everything is cool.
    119 	 * Do cred COW.
    120 	 */
    121 	crcopy_to(pcr, cr);
    122 
    123 	/*
    124 	 * If we change the effective, permitted or limit set, we attain
    125 	 * "privilege awareness".
    126 	 */
    127 	if (type != PRIV_INHERITABLE)
    128 		priv_set_PA(cr);
    129 
    130 	target = &(CR_PRIVS(cr)->crprivs[type]);
    131 
    132 	switch (op) {
    133 	case PRIV_ON:
    134 		priv_union(&pset, target);
    135 		break;
    136 	case PRIV_OFF:
    137 		priv_inverse(&pset);
    138 		priv_intersect(target, &pset);
    139 
    140 		/*
    141 		 * Fall-thru to set target and change other process
    142 		 * privilege sets.
    143 		 */
    144 		/*FALLTHRU*/
    145 
    146 	case PRIV_SET:
    147 		*target = pset;
    148 
    149 		/*
    150 		 * Take privileges no longer permitted out
    151 		 * of other effective sets as well.
    152 		 * Limit set is enforced at exec() time.
    153 		 */
    154 		if (type == PRIV_PERMITTED)
    155 			priv_intersect(&pset, &CR_EPRIV(cr));
    156 		break;
    157 	}
    158 
    159 	/*
    160 	 * When we give up privileges not in the inheritable set,
    161 	 * set SNOCD if not already set; first we compute the
    162 	 * privileges removed from P using Diff = (~P') & P
    163 	 * and then we check whether the removed privileges are
    164 	 * a subset of I.  If we retain uid 0, all privileges
    165 	 * are required anyway so don't set SNOCD.
    166 	 */
    167 	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
    168 	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
    169 		priv_set_t diff = CR_OPPRIV(cr);
    170 		priv_inverse(&diff);
    171 		priv_intersect(&CR_OPPRIV(pcr), &diff);
    172 		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
    173 	}
    174 
    175 	p->p_cred = cr;
    176 	mutex_exit(&p->p_crlock);
    177 
    178 	if (donocd) {
    179 		mutex_enter(&p->p_lock);
    180 		p->p_flag |= SNOCD;
    181 		mutex_exit(&p->p_lock);
    182 	}
    183 
    184 	crset(p, cr);		/* broadcast to process threads */
    185 
    186 	return (0);
    187 }
    188 
    189 /*
    190  * getppriv (priv_ptype_t, priv_set_t *)
    191  */
    192 static int
    193 getppriv(priv_ptype_t type, priv_set_t *pset)
    194 {
    195 	if (!PRIV_VALIDSET(type))
    196 		return (set_errno(EINVAL));
    197 
    198 	if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
    199 		return (set_errno(EFAULT));
    200 
    201 	return (0);
    202 }
    203 
    204 static int
    205 getprivimplinfo(void *buf, size_t bufsize)
    206 {
    207 	int err;
    208 
    209 	err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
    210 
    211 	priv_release_implinfo();
    212 
    213 	if (err)
    214 		return (set_errno(EFAULT));
    215 
    216 	return (0);
    217 }
    218 
    219 /*
    220  * Set process flags in the given target cred.  If NULL is specified, then
    221  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
    222  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
    223  * for these, curproc is always used.
    224  *
    225  * For now we cheat: the flags are actually bit masks so we can simplify
    226  * some; we do make sure that the arguments are valid, though.
    227  */
    228 
    229 int
    230 setpflags(uint_t flag, uint_t val, cred_t *tcr)
    231 {
    232 	cred_t *cr, *pcr;
    233 	proc_t *p = curproc;
    234 	uint_t newflags;
    235 	boolean_t use_curcred = (tcr == NULL);
    236 
    237 	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
    238 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
    239 	    flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
    240 	    flag != PRIV_AWARE_RESET)) {
    241 		return (EINVAL);
    242 	}
    243 
    244 	if (flag == __PROC_PROTECT) {
    245 		mutex_enter(&p->p_lock);
    246 		if (val == 0)
    247 			p->p_flag &= ~SNOCD;
    248 		else
    249 			p->p_flag |= SNOCD;
    250 		mutex_exit(&p->p_lock);
    251 		return (0);
    252 	}
    253 
    254 	if (use_curcred) {
    255 		cr = cralloc();
    256 		mutex_enter(&p->p_crlock);
    257 		pcr = p->p_cred;
    258 	} else {
    259 		cr = pcr = tcr;
    260 	}
    261 
    262 	newflags = CR_FLAGS(pcr);
    263 
    264 	if (val != 0) {
    265 		if (flag == PRIV_AWARE)
    266 			newflags &= ~PRIV_AWARE_RESET;
    267 		newflags |= flag;
    268 	} else {
    269 		newflags &= ~flag;
    270 	}
    271 
    272 	/* No change */
    273 	if (CR_FLAGS(pcr) == newflags) {
    274 		if (use_curcred) {
    275 			mutex_exit(&p->p_crlock);
    276 			crfree(cr);
    277 		}
    278 		return (0);
    279 	}
    280 
    281 	/*
    282 	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
    283 	 * flags is a restricted operation.
    284 	 *
    285 	 * When invoked via the PRIVSYS_SETPFLAGS syscall
    286 	 * we require that the current cred has the net_mac_aware
    287 	 * privilege in its effective set.
    288 	 *
    289 	 * When called from within the kernel by label-aware
    290 	 * services such as NFS, we don't require a privilege check.
    291 	 *
    292 	 */
    293 	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
    294 	    (val == 1) && use_curcred) {
    295 		if (secpolicy_net_mac_aware(pcr) != 0) {
    296 			mutex_exit(&p->p_crlock);
    297 			crfree(cr);
    298 			return (EPERM);
    299 		}
    300 	}
    301 
    302 	/* Trying to unset PA; if we can't, return an error */
    303 	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
    304 		if (use_curcred) {
    305 			mutex_exit(&p->p_crlock);
    306 			crfree(cr);
    307 		}
    308 		return (EPERM);
    309 	}
    310 
    311 	/* Committed to changing the flag */
    312 	if (use_curcred)
    313 		crcopy_to(pcr, cr);
    314 	if (flag == PRIV_AWARE) {
    315 		if (val != 0)
    316 			priv_set_PA(cr);
    317 		else
    318 			priv_adjust_PA(cr);
    319 	} else {
    320 		CR_FLAGS(cr) = newflags;
    321 	}
    322 
    323 	/*
    324 	 * Unsetting the flag has as side effect getting rid of
    325 	 * the per-credential policy.
    326 	 */
    327 	if (flag == PRIV_XPOLICY && val == 0)
    328 		crsetcrklpd(cr, NULL);
    329 
    330 	if (use_curcred) {
    331 		p->p_cred = cr;
    332 		mutex_exit(&p->p_crlock);
    333 		crset(p, cr);
    334 	}
    335 
    336 	return (0);
    337 }
    338 
    339 /*
    340  * Getpflags.  Currently only implements single bit flags.
    341  */
    342 uint_t
    343 getpflags(uint_t flag, const cred_t *cr)
    344 {
    345 	if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
    346 	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
    347 	    flag != PRIV_XPOLICY && flag != PRIV_AWARE_RESET)
    348 		return ((uint_t)-1);
    349 
    350 	return ((CR_FLAGS(cr) & flag) != 0);
    351 }
    352 
    353 /*
    354  * Privilege system call entry point
    355  */
    356 int
    357 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
    358     int itype)
    359 {
    360 	int retv;
    361 	extern int issetugid(void);
    362 
    363 	switch (code) {
    364 	case PRIVSYS_SETPPRIV:
    365 		if (bufsize < sizeof (priv_set_t))
    366 			return (set_errno(ENOMEM));
    367 		return (setppriv(op, type, buf));
    368 	case PRIVSYS_GETPPRIV:
    369 		if (bufsize < sizeof (priv_set_t))
    370 			return (set_errno(ENOMEM));
    371 		return (getppriv(type, buf));
    372 	case PRIVSYS_GETIMPLINFO:
    373 		return (getprivimplinfo(buf, bufsize));
    374 	case PRIVSYS_SETPFLAGS:
    375 		retv = setpflags((uint_t)op, (uint_t)type, NULL);
    376 		return (retv != 0 ? set_errno(retv) : 0);
    377 	case PRIVSYS_GETPFLAGS:
    378 		retv = (int)getpflags((uint_t)op, CRED());
    379 		return (retv == -1 ? set_errno(EINVAL) : retv);
    380 	case PRIVSYS_ISSETUGID:
    381 		return (issetugid());
    382 	case PRIVSYS_KLPD_REG:
    383 		if (bufsize < sizeof (priv_set_t))
    384 			return (set_errno(ENOMEM));
    385 		return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
    386 		    buf));
    387 	case PRIVSYS_KLPD_UNREG:
    388 		return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
    389 	}
    390 	return (set_errno(EINVAL));
    391 }
    392 
    393 #ifdef _SYSCALL32_IMPL
    394 int
    395 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
    396     size32_t bufsize, int itype)
    397 {
    398 	return (privsys(code, op, type, (void *)(uintptr_t)buf,
    399 	    (size_t)bufsize, itype));
    400 }
    401 #endif
    402