1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25#include <sys/param.h>
26#include <sys/types.h>
27#include <sys/sysmacros.h>
28#include <sys/systm.h>
29#include <sys/cred_impl.h>
30#include <sys/errno.h>
31#include <sys/klpd.h>
32#include <sys/proc.h>
33#include <sys/priv_impl.h>
34#include <sys/policy.h>
35#include <sys/ddi.h>
36#include <sys/thread.h>
37#include <sys/cmn_err.h>
38#include <c2/audit.h>
39
40/*
41 * System call support for manipulating privileges.
42 *
43 *
44 * setppriv(2) - set process privilege set
45 * getppriv(2) - get process privilege set
46 * getprivimplinfo(2) - get process privilege implementation information
47 * setpflags(2) - set process (privilege) flags
48 * getpflags(2) - get process (privilege) flags
49 */
50
51/*
52 * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
53 */
54static int
55setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
56{
57	priv_set_t	pset, *target;
58	cred_t		*cr, *pcr;
59	proc_t		*p;
60	boolean_t	donocd = B_FALSE;
61
62	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
63		return (set_errno(EINVAL));
64
65	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
66		return (set_errno(EFAULT));
67
68	p = ttoproc(curthread);
69	cr = cralloc();
70	mutex_enter(&p->p_crlock);
71
72retry:
73	pcr = p->p_cred;
74
75	if (AU_AUDITING())
76		audit_setppriv(op, type, &pset, pcr);
77
78	/*
79	 * Filter out unallowed request (bad op and bad type)
80	 */
81	switch (op) {
82	case PRIV_ON:
83	case PRIV_SET:
84		/*
85		 * Turning on privileges; the limit set cannot grow,
86		 * other sets can but only as long as they remain subsets
87		 * of P.  Only immediately after exec holds that P <= L.
88		 */
89		if (type == PRIV_LIMIT &&
90		    !priv_issubset(&pset, &CR_LPRIV(pcr))) {
91			mutex_exit(&p->p_crlock);
92			crfree(cr);
93			return (set_errno(EPERM));
94		}
95		if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
96		    !priv_issubset(&pset, priv_getset(pcr, type))) {
97			mutex_exit(&p->p_crlock);
98			/* Policy override should not grow beyond L either */
99			if (type != PRIV_INHERITABLE ||
100			    !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
101			    secpolicy_require_privs(CRED(), &pset) != 0) {
102				crfree(cr);
103				return (set_errno(EPERM));
104			}
105			mutex_enter(&p->p_crlock);
106			if (pcr != p->p_cred)
107				goto retry;
108			donocd = B_TRUE;
109		}
110		break;
111
112	case PRIV_OFF:
113		/* PRIV_OFF is always allowed */
114		break;
115	}
116
117	/*
118	 * OK! everything is cool.
119	 * Do cred COW.
120	 */
121	crcopy_to(pcr, cr);
122
123	/*
124	 * If we change the effective, permitted or limit set, we attain
125	 * "privilege awareness".
126	 */
127	if (type != PRIV_INHERITABLE)
128		priv_set_PA(cr);
129
130	target = &(CR_PRIVS(cr)->crprivs[type]);
131
132	switch (op) {
133	case PRIV_ON:
134		priv_union(&pset, target);
135		break;
136	case PRIV_OFF:
137		priv_inverse(&pset);
138		priv_intersect(target, &pset);
139
140		/*
141		 * Fall-thru to set target and change other process
142		 * privilege sets.
143		 */
144		/*FALLTHRU*/
145
146	case PRIV_SET:
147		*target = pset;
148
149		/*
150		 * Take privileges no longer permitted out
151		 * of other effective sets as well.
152		 * Limit set is enforced at exec() time.
153		 */
154		if (type == PRIV_PERMITTED)
155			priv_intersect(&pset, &CR_EPRIV(cr));
156		break;
157	}
158
159	/*
160	 * When we give up privileges not in the inheritable set,
161	 * set SNOCD if not already set; first we compute the
162	 * privileges removed from P using Diff = (~P') & P
163	 * and then we check whether the removed privileges are
164	 * a subset of I.  If we retain uid 0, all privileges
165	 * are required anyway so don't set SNOCD.
166	 */
167	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
168	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
169		priv_set_t diff = CR_OPPRIV(cr);
170		priv_inverse(&diff);
171		priv_intersect(&CR_OPPRIV(pcr), &diff);
172		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
173	}
174
175	p->p_cred = cr;
176	mutex_exit(&p->p_crlock);
177
178	if (donocd) {
179		mutex_enter(&p->p_lock);
180		p->p_flag |= SNOCD;
181		mutex_exit(&p->p_lock);
182	}
183
184	/*
185	 * The basic_test privilege should not be removed from E;
186	 * if that has happened, then some programmer typically set the E/P to
187	 * empty. That is not portable.
188	 */
189	if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
190	    priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
191		proc_t *p = curproc;
192		pid_t pid = p->p_pid;
193		char *fn = PTOU(p)->u_comm;
194
195		cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
196		    "removed from E/P", fn, pid);
197	}
198
199	crset(p, cr);		/* broadcast to process threads */
200
201	return (0);
202}
203
204/*
205 * getppriv (priv_ptype_t, priv_set_t *)
206 */
207static int
208getppriv(priv_ptype_t type, priv_set_t *pset)
209{
210	if (!PRIV_VALIDSET(type))
211		return (set_errno(EINVAL));
212
213	if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
214		return (set_errno(EFAULT));
215
216	return (0);
217}
218
219static int
220getprivimplinfo(void *buf, size_t bufsize)
221{
222	int err;
223
224	err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
225
226	priv_release_implinfo();
227
228	if (err)
229		return (set_errno(EFAULT));
230
231	return (0);
232}
233
234/*
235 * Set process flags in the given target cred.  If NULL is specified, then
236 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
237 * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
238 * for these, curproc is always used.
239 *
240 * For now we cheat: the flags are actually bit masks so we can simplify
241 * some; we do make sure that the arguments are valid, though.
242 */
243
244int
245setpflags(uint_t flag, uint_t val, cred_t *tcr)
246{
247	cred_t *cr, *pcr;
248	proc_t *p = curproc;
249	uint_t newflags;
250	boolean_t use_curcred = (tcr == NULL);
251
252	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
253	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
254	    flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
255	    flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
256		return (EINVAL);
257	}
258
259	if (flag == __PROC_PROTECT) {
260		mutex_enter(&p->p_lock);
261		if (val == 0)
262			p->p_flag &= ~SNOCD;
263		else
264			p->p_flag |= SNOCD;
265		mutex_exit(&p->p_lock);
266		return (0);
267	}
268
269	if (use_curcred) {
270		cr = cralloc();
271		mutex_enter(&p->p_crlock);
272		pcr = p->p_cred;
273	} else {
274		cr = pcr = tcr;
275	}
276
277	newflags = CR_FLAGS(pcr);
278
279	if (val != 0) {
280		if (flag == PRIV_AWARE)
281			newflags &= ~PRIV_AWARE_RESET;
282		newflags |= flag;
283	} else {
284		newflags &= ~flag;
285	}
286
287	/* No change */
288	if (CR_FLAGS(pcr) == newflags) {
289		if (use_curcred) {
290			mutex_exit(&p->p_crlock);
291			crfree(cr);
292		}
293		return (0);
294	}
295
296	/*
297	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
298	 * flags is a restricted operation.
299	 *
300	 * When invoked via the PRIVSYS_SETPFLAGS syscall
301	 * we require that the current cred has the net_mac_aware
302	 * privilege in its effective set.
303	 *
304	 * When called from within the kernel by label-aware
305	 * services such as NFS, we don't require a privilege check.
306	 *
307	 */
308	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
309	    (val == 1) && use_curcred) {
310		if (secpolicy_net_mac_aware(pcr) != 0) {
311			mutex_exit(&p->p_crlock);
312			crfree(cr);
313			return (EPERM);
314		}
315	}
316
317	/* Trying to unset PA; if we can't, return an error */
318	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
319		if (use_curcred) {
320			mutex_exit(&p->p_crlock);
321			crfree(cr);
322		}
323		return (EPERM);
324	}
325
326	/* Committed to changing the flag */
327	if (use_curcred)
328		crcopy_to(pcr, cr);
329	if (flag == PRIV_AWARE) {
330		if (val != 0)
331			priv_set_PA(cr);
332		else
333			priv_adjust_PA(cr);
334	} else {
335		CR_FLAGS(cr) = newflags;
336	}
337
338	/*
339	 * Unsetting the flag has as side effect getting rid of
340	 * the per-credential policy.
341	 */
342	if (flag == PRIV_XPOLICY && val == 0)
343		crsetcrklpd(cr, NULL);
344
345	if (use_curcred) {
346		p->p_cred = cr;
347		mutex_exit(&p->p_crlock);
348		crset(p, cr);
349	}
350
351	return (0);
352}
353
354/*
355 * Getpflags.  Currently only implements single bit flags.
356 */
357uint_t
358getpflags(uint_t flag, const cred_t *cr)
359{
360	if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
361	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
362	    flag != PRIV_XPOLICY && flag != PRIV_PFEXEC &&
363	    flag != PRIV_AWARE_RESET)
364		return ((uint_t)-1);
365
366	return ((CR_FLAGS(cr) & flag) != 0);
367}
368
369/*
370 * Privilege system call entry point
371 */
372int
373privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
374    int itype)
375{
376	int retv;
377	extern int issetugid(void);
378
379	switch (code) {
380	case PRIVSYS_SETPPRIV:
381		if (bufsize < sizeof (priv_set_t))
382			return (set_errno(ENOMEM));
383		return (setppriv(op, type, buf));
384	case PRIVSYS_GETPPRIV:
385		if (bufsize < sizeof (priv_set_t))
386			return (set_errno(ENOMEM));
387		return (getppriv(type, buf));
388	case PRIVSYS_GETIMPLINFO:
389		return (getprivimplinfo(buf, bufsize));
390	case PRIVSYS_SETPFLAGS:
391		retv = setpflags((uint_t)op, (uint_t)type, NULL);
392		return (retv != 0 ? set_errno(retv) : 0);
393	case PRIVSYS_GETPFLAGS:
394		retv = (int)getpflags((uint_t)op, CRED());
395		return (retv == -1 ? set_errno(EINVAL) : retv);
396	case PRIVSYS_ISSETUGID:
397		return (issetugid());
398	case PRIVSYS_KLPD_REG:
399		if (bufsize < sizeof (priv_set_t))
400			return (set_errno(ENOMEM));
401		return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
402		    buf));
403	case PRIVSYS_KLPD_UNREG:
404		return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
405	case PRIVSYS_PFEXEC_REG:
406		return ((int)pfexec_reg((int)op));
407	case PRIVSYS_PFEXEC_UNREG:
408		return ((int)pfexec_unreg((int)op));
409	}
410	return (set_errno(EINVAL));
411}
412
413#ifdef _SYSCALL32_IMPL
414int
415privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
416    size32_t bufsize, int itype)
417{
418	return (privsys(code, op, type, (void *)(uintptr_t)buf,
419	    (size_t)bufsize, itype));
420}
421#endif
422