1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25 
  26 /*
  27  * Privilege implementation.
  28  *
  29  * This file provides the infrastructure for privilege sets and limits
  30  * the number of files that requires to include <sys/cred_impl.h> and/or
  31  * <sys/priv_impl.h>.
  32  *
  33  * The Solaris privilege mechanism has been designed in a
  34  * future proof manner.  While the kernel may use fixed size arrays
  35  * and fixed bitmasks and bit values, the representation of those
  36  * is kernel private.  All external interfaces as well as K-to-K interfaces
  37  * have been constructed in a manner to provide the maximum flexibility.
  38  *
  39  * There can be X privilege sets each containing Y 32 bit words.
  40  * <X, Y> are constant for a kernel invocation.
  41  *
  42  * As a consequence, all privilege set manipulation happens in functions
  43  * below.
  44  *
  45  */
  46 
  47 #include <sys/systm.h>
  48 #include <sys/ddi.h>
  49 #include <sys/kmem.h>
  50 #include <sys/sunddi.h>
  51 #include <sys/errno.h>
  52 #include <sys/debug.h>
  53 #include <sys/priv_impl.h>
  54 #include <sys/procfs.h>
  55 #include <sys/policy.h>
  56 #include <sys/cred_impl.h>
  57 #include <sys/devpolicy.h>
  58 #include <sys/atomic.h>
  59 
  60 /*
  61  * Privilege name to number mapping table consists in the generated
  62  * priv_const.c file.  This lock protects against updates of the privilege
  63  * names and counts; all other priv_info fields are read-only.
  64  * The actual protected values are:
  65  *      global variable nprivs
  66  *      the priv_max field
  67  *      the priv_names field
  68  *      the priv names info item (cnt/strings)
  69  */
  70 krwlock_t privinfo_lock;
  71 
  72 static boolean_t priv_valid(const cred_t *);
  73 
  74 priv_set_t priv_fullset;        /* set of all privileges */
  75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */
  76 
  77 /*
  78  * Privilege initialization functions.
  79  * Called from common/os/cred.c when cred_init is called.
  80  */
  81 
  82 void
  83 priv_init(void)
  84 {
  85 #ifdef DEBUG
  86         int alloc_test_priv = 1;
  87 #else
  88         int alloc_test_priv = priv_debug;
  89 #endif
  90         rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
  91 
  92         PRIV_BASIC_ADDSET(priv_basic);
  93 
  94         /*
  95          * The "default" set is the basic privileges + any 'default'
  96          * privileges.  with no traditional unix connotations.
  97          */
  98         PRIV_BASIC_ADDSET(priv_default);
  99         PRIV_DEFAULT_ADDSET(priv_default);
 100 
 101         PRIV_UNSAFE_ADDSET(&priv_unsafe);
 102         priv_fillset(&priv_fullset);
 103 
 104         /*
 105          * When booting with priv_debug set or in a DEBUG kernel, then we'll
 106          * add an additional basic privilege and we verify that it is always
 107          * present in E.
 108          */
 109         if (alloc_test_priv != 0 &&
 110             (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
 111                 priv_addset(priv_basic, priv_basic_test);
 112                 priv_addset(priv_default, priv_basic_test);
 113         }
 114 
 115         devpolicy_init();
 116 }
 117 
 118 /* Utility functions: privilege sets as opaque data types */
 119 
 120 /*
 121  * Guts of prgetprivsize.
 122  */
 123 int
 124 priv_prgetprivsize(prpriv_t *tmpl)
 125 {
 126         return (sizeof (prpriv_t) +
 127             PRIV_SETBYTES - sizeof (priv_chunk_t) +
 128             (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
 129 }
 130 
 131 /*
 132  * Guts of prgetpriv.
 133  */
 134 void
 135 cred2prpriv(const cred_t *cp, prpriv_t *pr)
 136 {
 137         priv_set_t *psa;
 138         int i;
 139 
 140         pr->pr_nsets = PRIV_NSET;
 141         pr->pr_setsize = PRIV_SETSIZE;
 142         pr->pr_infosize = priv_info->priv_infosize;
 143 
 144         psa = (priv_set_t *)pr->pr_sets;
 145 
 146         for (i = 0; i < PRIV_NSET; i++)
 147                 psa[i] = *priv_getset(cp, i);
 148 
 149         priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
 150 }
 151 
 152 /*
 153  * Guts of pr_spriv:
 154  *
 155  * Set the privileges of a process.
 156  *
 157  * In order to set the privileges, the setting process will need to
 158  * have those privileges in its effective set in order to prevent
 159  * specially privileged processes to easily gain additional privileges.
 160  * Pre-existing privileges can be retained.  To change any privileges,
 161  * PRIV_PROC_OWNER needs to be asserted.
 162  *
 163  * In formula:
 164  *
 165  *      S' <= S || S' <= S + Ea
 166  *
 167  * the new set must either be subset of the old set or a subset of
 168  * the oldset merged with the effective set of the acting process; or just:
 169  *
 170  *      S' <= S + Ea
 171  *
 172  * It's not legal to grow the limit set this way.
 173  *
 174  */
 175 int
 176 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr)
 177 {
 178         cred_t *oldcred;
 179         cred_t *newcred;
 180         int i;
 181         int err = EPERM;
 182         cred_priv_t *cp, *ocp;
 183         priv_set_t eset;
 184 
 185         ASSERT(MUTEX_HELD(&p->p_lock));
 186 
 187         /*
 188          * Set must have proper dimension; infosize must be absent
 189          * or properly sized.
 190          */
 191         if (prpriv->pr_nsets != PRIV_NSET ||
 192             prpriv->pr_setsize != PRIV_SETSIZE ||
 193             (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 ||
 194             prpriv->pr_infosize > priv_info->priv_infosize ||
 195             prpriv->pr_infosize < 0)
 196                 return (EINVAL);
 197 
 198         mutex_exit(&p->p_lock);
 199 
 200         if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) {
 201                 mutex_enter(&p->p_lock);
 202                 return (EPERM);
 203         }
 204 
 205         newcred = crdup(oldcred);
 206 
 207         /* Copy the privilege sets from prpriv to newcred */
 208         bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES);
 209 
 210         cp = &newcred->cr_priv;
 211         ocp = &oldcred->cr_priv;
 212         eset = CR_OEPRIV(cr);
 213 
 214         priv_intersect(&CR_LPRIV(oldcred), &eset);
 215 
 216         /*
 217          * Verify the constraints laid out:
 218          * for the limit set, we require that the new set is a subset
 219          * of the old limit set.
 220          * for all other sets, we require that the new set is either a
 221          * subset of the old set or a subset of the intersection of
 222          * the old limit set and the effective set of the acting process.
 223          */
 224         for (i = 0; i < PRIV_NSET; i++)
 225                 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) &&
 226                     (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset)))
 227                         break;
 228 
 229         crfree(oldcred);
 230 
 231         if (i < PRIV_NSET || !priv_valid(newcred))
 232                 goto err;
 233 
 234         /* Load the settable privilege information */
 235         if (prpriv->pr_infosize > 0) {
 236                 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv);
 237                 char *lastx = x + prpriv->pr_infosize;
 238 
 239                 while (x < lastx) {
 240                         priv_info_t *pi = (priv_info_t *)x;
 241                         priv_info_uint_t *pii;
 242 
 243                         switch (pi->priv_info_type) {
 244                         case PRIV_INFO_FLAGS:
 245                                 pii = (priv_info_uint_t *)x;
 246                                 if (pii->info.priv_info_size != sizeof (*pii)) {
 247                                         err = EINVAL;
 248                                         goto err;
 249                                 }
 250                                 CR_FLAGS(newcred) &= ~PRIV_USER;
 251                                 CR_FLAGS(newcred) |= (pii->val & PRIV_USER);
 252                                 break;
 253                         default:
 254                                 err = EINVAL;
 255                                 goto err;
 256                         }
 257                         /* Guarantee alignment and forward progress */
 258                         if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) ||
 259                             pi->priv_info_size < sizeof (*pi) ||
 260                             lastx - x > pi->priv_info_size) {
 261                                 err = EINVAL;
 262                                 goto err;
 263                         }
 264 
 265                         x += pi->priv_info_size;
 266                 }
 267         }
 268 
 269         /*
 270          * We'll try to copy the privilege aware flag; but since the
 271          * privileges sets are all individually set, they are set
 272          * as if we're privilege aware.  If PRIV_AWARE wasn't set
 273          * or was explicitely unset, we need to set the flag and then
 274          * try to get rid of it.
 275          */
 276         if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) {
 277                 CR_FLAGS(newcred) |= PRIV_AWARE;
 278                 priv_adjust_PA(newcred);
 279         }
 280 
 281         mutex_enter(&p->p_crlock);
 282         oldcred = p->p_cred;
 283         p->p_cred = newcred;
 284         mutex_exit(&p->p_crlock);
 285         crfree(oldcred);
 286 
 287         mutex_enter(&p->p_lock);
 288         return (0);
 289 
 290 err:
 291         crfree(newcred);
 292         mutex_enter(&p->p_lock);
 293         return (err);
 294 }
 295 
 296 priv_impl_info_t
 297 *priv_hold_implinfo(void)
 298 {
 299         rw_enter(&privinfo_lock, RW_READER);
 300         return (priv_info);
 301 }
 302 
 303 void
 304 priv_release_implinfo(void)
 305 {
 306         rw_exit(&privinfo_lock);
 307 }
 308 
 309 size_t
 310 priv_get_implinfo_size(void)
 311 {
 312         return (privinfosize);
 313 }
 314 
 315 
 316 /*
 317  * Return the nth privilege set
 318  */
 319 const priv_set_t *
 320 priv_getset(const cred_t *cr, int set)
 321 {
 322         ASSERT(PRIV_VALIDSET(set));
 323 
 324         if ((CR_FLAGS(cr) & PRIV_AWARE) == 0)
 325                 switch (set) {
 326                 case PRIV_EFFECTIVE:
 327                         return (&CR_OEPRIV(cr));
 328                 case PRIV_PERMITTED:
 329                         return (&CR_OPPRIV(cr));
 330                 }
 331         return (&CR_PRIVS(cr)->crprivs[set]);
 332 }
 333 
 334 /*
 335  * Buf must be allocated by caller and contain sufficient space to
 336  * contain all additional info structures using priv_info.priv_infosize.
 337  * The buffer must be properly aligned.
 338  */
 339 /*ARGSUSED*/
 340 void
 341 priv_getinfo(const cred_t *cr, void *buf)
 342 {
 343         struct priv_info_uint *ii;
 344 
 345         ii = buf;
 346         ii->val = CR_FLAGS(cr);
 347         ii->info.priv_info_size = (uint32_t)sizeof (*ii);
 348         ii->info.priv_info_type = PRIV_INFO_FLAGS;
 349 }
 350 
 351 int
 352 priv_getbyname(const char *name, uint_t flag)
 353 {
 354         int i;
 355         int wheld = 0;
 356         int len;
 357         char *p;
 358 
 359         if (flag != 0 && flag != PRIV_ALLOC)
 360                 return (-EINVAL);
 361 
 362         if (strncasecmp(name, "priv_", 5) == 0)
 363                 name += 5;
 364 
 365         rw_enter(&privinfo_lock, RW_READER);
 366 rescan:
 367         for (i = 0; i < nprivs; i++)
 368                 if (strcasecmp(priv_names[i], name) == 0) {
 369                         rw_exit(&privinfo_lock);
 370                         return (i);
 371                 }
 372 
 373 
 374         if (!wheld) {
 375                 if (!(flag & PRIV_ALLOC)) {
 376                         rw_exit(&privinfo_lock);
 377                         return (-EINVAL);
 378                 }
 379 
 380                 /* check length, validity and available space */
 381                 len = strlen(name) + 1;
 382 
 383                 if (len > PRIVNAME_MAX) {
 384                         rw_exit(&privinfo_lock);
 385                         return (-ENAMETOOLONG);
 386                 }
 387 
 388                 for (p = (char *)name; *p != '\0'; p++) {
 389                         char c = *p;
 390 
 391                         if (!((c >= 'A' && c <= 'Z') ||
 392                             (c >= 'a' && c <= 'z') ||
 393                             (c >= '0' && c <= '9') ||
 394                             c == '_')) {
 395                                 rw_exit(&privinfo_lock);
 396                                 return (-EINVAL);
 397                         }
 398                 }
 399 
 400                 if (!rw_tryupgrade(&privinfo_lock)) {
 401                         rw_exit(&privinfo_lock);
 402                         rw_enter(&privinfo_lock, RW_WRITER);
 403                         wheld = 1;
 404                         /* Someone may have added our privilege */
 405                         goto rescan;
 406                 }
 407         }
 408 
 409         if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) {
 410                 rw_exit(&privinfo_lock);
 411                 return (-ENOMEM);
 412         }
 413 
 414         priv_names[i] = p = priv_str + privbytes;
 415 
 416         bcopy(name, p, len);
 417 
 418         /* make the priv_names[i] and privilege name globally visible */
 419         membar_producer();
 420 
 421         /* adjust priv count and bytes count */
 422         priv_ninfo->cnt = priv_info->priv_max = ++nprivs;
 423         privbytes += len;
 424 
 425         rw_exit(&privinfo_lock);
 426         return (i);
 427 }
 428 
 429 /*
 430  * We can't afford locking the privileges here because of the locations
 431  * we call this from; so we make sure that the privileges table
 432  * is visible to us; it is made visible before the value of nprivs is
 433  * updated.
 434  */
 435 const char *
 436 priv_getbynum(int priv)
 437 {
 438         int maxpriv = nprivs;
 439 
 440         membar_consumer();
 441 
 442         if (priv >= 0 && priv < maxpriv)
 443                 return (priv_names[priv]);
 444 
 445         return (NULL);
 446 }
 447 
 448 const char *
 449 priv_getsetbynum(int setno)
 450 {
 451         if (!PRIV_VALIDSET(setno))
 452                 return (NULL);
 453 
 454         return (priv_setnames[setno]);
 455 }
 456 
 457 /*
 458  * Privilege sanity checking when setting: E <= P.
 459  */
 460 static boolean_t
 461 priv_valid(const cred_t *cr)
 462 {
 463         return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
 464 }
 465 
 466 /*
 467  * Privilege manipulation functions
 468  *
 469  * Without knowing the details of the privilege set implementation,
 470  * opaque pointers can be used to manipulate sets at will.
 471  */
 472 void
 473 priv_emptyset(priv_set_t *set)
 474 {
 475         bzero(set, sizeof (*set));
 476 }
 477 
 478 void
 479 priv_fillset(priv_set_t *set)
 480 {
 481         int i;
 482 
 483         /* memset? */
 484         for (i = 0; i < PRIV_SETSIZE; i++)
 485                 set->pbits[i] = ~(priv_chunk_t)0;
 486 }
 487 
 488 void
 489 priv_addset(priv_set_t *set, int priv)
 490 {
 491         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 492         __PRIV_ADDSET(set, priv);
 493 }
 494 
 495 void
 496 priv_delset(priv_set_t *set, int priv)
 497 {
 498         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 499         __PRIV_DELSET(set, priv);
 500 }
 501 
 502 boolean_t
 503 priv_ismember(const priv_set_t *set, int priv)
 504 {
 505         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 506         return (__PRIV_ISMEMBER(set, priv) ? B_TRUE : B_FALSE);
 507 }
 508 
 509 #define PRIV_TEST_BODY(test) \
 510         int i; \
 511 \
 512         for (i = 0; i < PRIV_SETSIZE; i++) \
 513                 if (!(test)) \
 514                         return (B_FALSE); \
 515 \
 516         return (B_TRUE)
 517 
 518 boolean_t
 519 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
 520 {
 521         return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
 522 }
 523 
 524 boolean_t
 525 priv_isemptyset(const priv_set_t *set)
 526 {
 527         PRIV_TEST_BODY(set->pbits[i] == 0);
 528 }
 529 
 530 boolean_t
 531 priv_isfullset(const priv_set_t *set)
 532 {
 533         PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0);
 534 }
 535 
 536 /*
 537  * Return true if a is a subset of b
 538  */
 539 boolean_t
 540 priv_issubset(const priv_set_t *a, const priv_set_t *b)
 541 {
 542         PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]);
 543 }
 544 
 545 #define PRIV_CHANGE_BODY(a, op, b) \
 546         int i; \
 547 \
 548         for (i = 0; i < PRIV_SETSIZE; i++) \
 549                 a->pbits[i] op b->pbits[i]
 550 
 551 /* B = A ^ B */
 552 void
 553 priv_intersect(const priv_set_t *a, priv_set_t *b)
 554 {
 555         /* CSTYLED */
 556         PRIV_CHANGE_BODY(b, &=, a);
 557 }
 558 
 559 /* B = A v B */
 560 void
 561 priv_union(const priv_set_t *a, priv_set_t *b)
 562 {
 563         /* CSTYLED */
 564         PRIV_CHANGE_BODY(b, |=, a);
 565 }
 566 
 567 /* A = ! A */
 568 void
 569 priv_inverse(priv_set_t *a)
 570 {
 571         PRIV_CHANGE_BODY(a, = ~, a);
 572 }
 573 
 574 /*
 575  * Can the source cred act on the target credential?
 576  *
 577  * We will you allow to gain uids this way but not privileges.
 578  */
 579 int
 580 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode)
 581 {
 582         const priv_set_t *eset;
 583         int idsmatch;
 584         cred_t *tcr;
 585         int res = 0;
 586 
 587         /* prevent the cred from going away */
 588         mutex_enter(&tp->p_crlock);
 589         crhold(tcr = tp->p_cred);
 590         mutex_exit(&tp->p_crlock);
 591 
 592         if (scr == tcr && !(tp->p_flag & SNOCD))
 593                 goto out;
 594 
 595         idsmatch = (scr->cr_uid == tcr->cr_uid &&
 596             scr->cr_uid == tcr->cr_ruid &&
 597             scr->cr_uid == tcr->cr_suid &&
 598             scr->cr_gid == tcr->cr_gid &&
 599             scr->cr_gid == tcr->cr_rgid &&
 600             scr->cr_gid == tcr->cr_sgid &&
 601             !(tp->p_flag & SNOCD));
 602 
 603         /*
 604          * Source credential must have the proc_zone privilege if referencing
 605          * a process in another zone.
 606          */
 607         if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) {
 608                 res = EACCES;
 609                 goto out;
 610         }
 611 
 612         if (!(mode & VWRITE)) {
 613                 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0)
 614                         res = EACCES;
 615                 goto out;
 616         }
 617 
 618         /*
 619          * For writing, the effective set of scr must dominate all sets of tcr,
 620          * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
 621          * The Limit set of scr must be a superset of the limitset of
 622          * tcr.
 623          */
 624         eset = &CR_OEPRIV(scr);
 625 
 626         if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
 627             !priv_issubset(&CR_OPPRIV(tcr), eset) ||
 628             !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
 629             !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
 630                 res = EACCES;
 631 
 632 out:
 633         if (res == 0 && pcr != NULL)
 634                 *pcr = tcr;
 635         else
 636                 crfree(tcr);
 637         return (res);
 638 }
 639 
 640 /*
 641  * Set the privilege aware bit, adding L to E/P if necessary.
 642  * Each time we set it, we also clear PRIV_AWARE_RESET.
 643  */
 644 void
 645 priv_set_PA(cred_t *cr)
 646 {
 647         ASSERT(cr->cr_ref <= 2);
 648 
 649         if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE)
 650                 return;
 651 
 652         CR_FLAGS(cr) |= PRIV_AWARE;
 653         CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
 654 
 655         if (cr->cr_uid == 0)
 656                 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr));
 657 
 658         if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0)
 659                 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr));
 660 }
 661 
 662 boolean_t
 663 priv_can_clear_PA(const cred_t *cr)
 664 {
 665         /*
 666          * We can clear PA in the following cases:
 667          *
 668          * None of the uids are 0.
 669          * Any uid == 0 and P == L and (Euid != 0 or E == L)
 670          */
 671         return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) ||
 672             priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) &&
 673             (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr))));
 674 }
 675 
 676 /*
 677  * Clear privilege aware bit if it is an idempotent operation and by
 678  * clearing it the process cannot get to uid 0 and all privileges.
 679  *
 680  * This function should be called with caution as it may cause "E" to be
 681  * lost once a processes assumes euid 0 again.
 682  */
 683 void
 684 priv_adjust_PA(cred_t *cr)
 685 {
 686         ASSERT(cr->cr_ref <= 2);
 687 
 688         if (!(CR_FLAGS(cr) & PRIV_AWARE) ||
 689             !priv_can_clear_PA(cr)) {
 690                 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
 691                 return;
 692         }
 693 
 694         if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT)
 695                 return;
 696 
 697         /*
 698          * We now need to adjust P/E in those cases when uids
 699          * are zero; the rules are P' = I & L, E' = I & L;
 700          * but since P = L and E = L, we can use P &= I, E &= I,
 701          * depending on which uids are 0.
 702          */
 703         if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) {
 704                 if (cr->cr_uid == 0)
 705                         priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr));
 706                 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr));
 707         }
 708 
 709         CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
 710 }
 711 
 712 /*
 713  * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET
 714  * flag.
 715  */
 716 void
 717 priv_reset_PA(cred_t *cr, boolean_t finalize)
 718 {
 719         ASSERT(cr->cr_ref <= 2);
 720 
 721         if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) !=
 722             (PRIV_AWARE|PRIV_AWARE_RESET)) {
 723                 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
 724                 return;
 725         }
 726 
 727         /*
 728          * When PRIV_AWARE_RESET is enabled, any change of uids causes
 729          * a change to the P and E sets.  Bracketing with
 730          * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid)
 731          * will cause the privilege sets "do the right thing.".
 732          * When the change of the uid is "final", e.g., by using setuid(uid),
 733          * or setreuid(uid, uid) or when the last set*uid() call causes all
 734          * uids to be the same, we set P and E to I & L, like when you exec.
 735          * We make an exception when all the uids are 0; this is required
 736          * when we login as root as in that particular case we cannot
 737          * make a distinction between seteuid(0) and seteuid(uid).
 738          * We rely on seteuid/setreuid/setuid to tell us with the
 739          * "finalize" argument that we no longer expect new uid changes,
 740          * cf. setreuid(uid, uid) and setuid(uid).
 741          */
 742         if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) {
 743                 if (finalize || cr->cr_uid != 0) {
 744                         CR_EPRIV(cr) = CR_IPRIV(cr);
 745                         priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
 746                         CR_PPRIV(cr) = CR_EPRIV(cr);
 747                         CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
 748                 } else {
 749                         CR_EPRIV(cr) = CR_PPRIV(cr);
 750                 }
 751         } else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) {
 752                 CR_EPRIV(cr) = CR_IPRIV(cr);
 753                 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
 754         }
 755 }