1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 /*
27 * Privilege implementation.
28 *
29 * This file provides the infrastructure for privilege sets and limits
30 * the number of files that requires to include <sys/cred_impl.h> and/or
31 * <sys/priv_impl.h>.
32 *
33 * The Solaris privilege mechanism has been designed in a
34 * future proof manner. While the kernel may use fixed size arrays
35 * and fixed bitmasks and bit values, the representation of those
36 * is kernel private. All external interfaces as well as K-to-K interfaces
37 * have been constructed in a manner to provide the maximum flexibility.
38 *
39 * There can be X privilege sets each containing Y 32 bit words.
40 * <X, Y> are constant for a kernel invocation.
41 *
42 * As a consequence, all privilege set manipulation happens in functions
43 * below.
44 *
45 */
46
47 #include <sys/systm.h>
48 #include <sys/ddi.h>
49 #include <sys/kmem.h>
50 #include <sys/sunddi.h>
51 #include <sys/errno.h>
52 #include <sys/debug.h>
53 #include <sys/priv_impl.h>
54 #include <sys/procfs.h>
55 #include <sys/policy.h>
56 #include <sys/cred_impl.h>
57 #include <sys/devpolicy.h>
58 #include <sys/atomic.h>
59
60 /*
61 * Privilege name to number mapping table consists in the generated
62 * priv_const.c file. This lock protects against updates of the privilege
63 * names and counts; all other priv_info fields are read-only.
64 * The actual protected values are:
65 * global variable nprivs
66 * the priv_max field
67 * the priv_names field
68 * the priv names info item (cnt/strings)
69 */
70 krwlock_t privinfo_lock;
71
72 static boolean_t priv_valid(const cred_t *);
73
74 priv_set_t priv_fullset; /* set of all privileges */
75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */
76
77 /*
78 * Privilege initialization functions.
79 * Called from common/os/cred.c when cred_init is called.
80 */
81
82 void
83 priv_init(void)
84 {
85 #ifdef DEBUG
86 int alloc_test_priv = 1;
87 #else
88 int alloc_test_priv = priv_debug;
89 #endif
90 rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
91
92 PRIV_BASIC_ADDSET(priv_basic);
93
94 /*
95 * The "default" set is the basic privileges + any 'default'
96 * privileges. with no traditional unix connotations.
97 */
98 PRIV_BASIC_ADDSET(priv_default);
99 PRIV_DEFAULT_ADDSET(priv_default);
100
101 PRIV_UNSAFE_ADDSET(&priv_unsafe);
102 priv_fillset(&priv_fullset);
103
104 /*
105 * When booting with priv_debug set or in a DEBUG kernel, then we'll
106 * add an additional basic privilege and we verify that it is always
107 * present in E.
108 */
109 if (alloc_test_priv != 0 &&
110 (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
111 priv_addset(priv_basic, priv_basic_test);
112 priv_addset(priv_default, priv_basic_test);
113 }
114
115 devpolicy_init();
116 }
117
118 /* Utility functions: privilege sets as opaque data types */
119
120 /*
121 * Guts of prgetprivsize.
122 */
123 int
124 priv_prgetprivsize(prpriv_t *tmpl)
125 {
126 return (sizeof (prpriv_t) +
127 PRIV_SETBYTES - sizeof (priv_chunk_t) +
128 (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
129 }
130
131 /*
132 * Guts of prgetpriv.
133 */
134 void
135 cred2prpriv(const cred_t *cp, prpriv_t *pr)
136 {
137 priv_set_t *psa;
138 int i;
139
140 pr->pr_nsets = PRIV_NSET;
141 pr->pr_setsize = PRIV_SETSIZE;
142 pr->pr_infosize = priv_info->priv_infosize;
143
144 psa = (priv_set_t *)pr->pr_sets;
145
146 for (i = 0; i < PRIV_NSET; i++)
147 psa[i] = *priv_getset(cp, i);
148
149 priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
150 }
151
152 /*
153 * Guts of pr_spriv:
154 *
155 * Set the privileges of a process.
156 *
157 * In order to set the privileges, the setting process will need to
158 * have those privileges in its effective set in order to prevent
159 * specially privileged processes to easily gain additional privileges.
160 * Pre-existing privileges can be retained. To change any privileges,
161 * PRIV_PROC_OWNER needs to be asserted.
162 *
163 * In formula:
164 *
165 * S' <= S || S' <= S + Ea
166 *
167 * the new set must either be subset of the old set or a subset of
168 * the oldset merged with the effective set of the acting process; or just:
169 *
170 * S' <= S + Ea
171 *
172 * It's not legal to grow the limit set this way.
173 *
174 */
175 int
176 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr)
177 {
178 cred_t *oldcred;
179 cred_t *newcred;
180 int i;
181 int err = EPERM;
182 cred_priv_t *cp, *ocp;
183 priv_set_t eset;
184
185 ASSERT(MUTEX_HELD(&p->p_lock));
186
187 /*
188 * Set must have proper dimension; infosize must be absent
189 * or properly sized.
190 */
191 if (prpriv->pr_nsets != PRIV_NSET ||
192 prpriv->pr_setsize != PRIV_SETSIZE ||
193 (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 ||
194 prpriv->pr_infosize > priv_info->priv_infosize ||
195 prpriv->pr_infosize < 0)
196 return (EINVAL);
197
198 mutex_exit(&p->p_lock);
199
200 if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) {
201 mutex_enter(&p->p_lock);
202 return (EPERM);
203 }
204
205 newcred = crdup(oldcred);
206
207 /* Copy the privilege sets from prpriv to newcred */
208 bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES);
209
210 cp = &newcred->cr_priv;
211 ocp = &oldcred->cr_priv;
212 eset = CR_OEPRIV(cr);
213
214 priv_intersect(&CR_LPRIV(oldcred), &eset);
215
216 /*
217 * Verify the constraints laid out:
218 * for the limit set, we require that the new set is a subset
219 * of the old limit set.
220 * for all other sets, we require that the new set is either a
221 * subset of the old set or a subset of the intersection of
222 * the old limit set and the effective set of the acting process.
223 */
224 for (i = 0; i < PRIV_NSET; i++)
225 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) &&
226 (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset)))
227 break;
228
229 crfree(oldcred);
230
231 if (i < PRIV_NSET || !priv_valid(newcred))
232 goto err;
233
234 /* Load the settable privilege information */
235 if (prpriv->pr_infosize > 0) {
236 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv);
237 char *lastx = x + prpriv->pr_infosize;
238
239 while (x < lastx) {
240 priv_info_t *pi = (priv_info_t *)x;
241 priv_info_uint_t *pii;
242
243 switch (pi->priv_info_type) {
244 case PRIV_INFO_FLAGS:
245 pii = (priv_info_uint_t *)x;
246 if (pii->info.priv_info_size != sizeof (*pii)) {
247 err = EINVAL;
248 goto err;
249 }
250 CR_FLAGS(newcred) &= ~PRIV_USER;
251 CR_FLAGS(newcred) |= (pii->val & PRIV_USER);
252 break;
253 default:
254 err = EINVAL;
255 goto err;
256 }
257 /* Guarantee alignment and forward progress */
258 if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) ||
259 pi->priv_info_size < sizeof (*pi) ||
260 lastx - x > pi->priv_info_size) {
261 err = EINVAL;
262 goto err;
263 }
264
265 x += pi->priv_info_size;
266 }
267 }
268
269 /*
270 * We'll try to copy the privilege aware flag; but since the
271 * privileges sets are all individually set, they are set
272 * as if we're privilege aware. If PRIV_AWARE wasn't set
273 * or was explicitely unset, we need to set the flag and then
274 * try to get rid of it.
275 */
276 if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) {
277 CR_FLAGS(newcred) |= PRIV_AWARE;
278 priv_adjust_PA(newcred);
279 }
280
281 mutex_enter(&p->p_crlock);
282 oldcred = p->p_cred;
283 p->p_cred = newcred;
284 mutex_exit(&p->p_crlock);
285 crfree(oldcred);
286
287 mutex_enter(&p->p_lock);
288 return (0);
289
290 err:
291 crfree(newcred);
292 mutex_enter(&p->p_lock);
293 return (err);
294 }
295
296 priv_impl_info_t
297 *priv_hold_implinfo(void)
298 {
299 rw_enter(&privinfo_lock, RW_READER);
300 return (priv_info);
301 }
302
303 void
304 priv_release_implinfo(void)
305 {
306 rw_exit(&privinfo_lock);
307 }
308
309 size_t
310 priv_get_implinfo_size(void)
311 {
312 return (privinfosize);
313 }
314
315
316 /*
317 * Return the nth privilege set
318 */
319 const priv_set_t *
320 priv_getset(const cred_t *cr, int set)
321 {
322 ASSERT(PRIV_VALIDSET(set));
323
324 if ((CR_FLAGS(cr) & PRIV_AWARE) == 0)
325 switch (set) {
326 case PRIV_EFFECTIVE:
327 return (&CR_OEPRIV(cr));
328 case PRIV_PERMITTED:
329 return (&CR_OPPRIV(cr));
330 }
331 return (&CR_PRIVS(cr)->crprivs[set]);
332 }
333
334 /*
335 * Buf must be allocated by caller and contain sufficient space to
336 * contain all additional info structures using priv_info.priv_infosize.
337 * The buffer must be properly aligned.
338 */
339 /*ARGSUSED*/
340 void
341 priv_getinfo(const cred_t *cr, void *buf)
342 {
343 struct priv_info_uint *ii;
344
345 ii = buf;
346 ii->val = CR_FLAGS(cr);
347 ii->info.priv_info_size = (uint32_t)sizeof (*ii);
348 ii->info.priv_info_type = PRIV_INFO_FLAGS;
349 }
350
351 int
352 priv_getbyname(const char *name, uint_t flag)
353 {
354 int i;
355 int wheld = 0;
356 int len;
357 char *p;
358
359 if (flag != 0 && flag != PRIV_ALLOC)
360 return (-EINVAL);
361
362 if (strncasecmp(name, "priv_", 5) == 0)
363 name += 5;
364
365 rw_enter(&privinfo_lock, RW_READER);
366 rescan:
367 for (i = 0; i < nprivs; i++)
368 if (strcasecmp(priv_names[i], name) == 0) {
369 rw_exit(&privinfo_lock);
370 return (i);
371 }
372
373
374 if (!wheld) {
375 if (!(flag & PRIV_ALLOC)) {
376 rw_exit(&privinfo_lock);
377 return (-EINVAL);
378 }
379
380 /* check length, validity and available space */
381 len = strlen(name) + 1;
382
383 if (len > PRIVNAME_MAX) {
384 rw_exit(&privinfo_lock);
385 return (-ENAMETOOLONG);
386 }
387
388 for (p = (char *)name; *p != '\0'; p++) {
389 char c = *p;
390
391 if (!((c >= 'A' && c <= 'Z') ||
392 (c >= 'a' && c <= 'z') ||
393 (c >= '0' && c <= '9') ||
394 c == '_')) {
395 rw_exit(&privinfo_lock);
396 return (-EINVAL);
397 }
398 }
399
400 if (!rw_tryupgrade(&privinfo_lock)) {
401 rw_exit(&privinfo_lock);
402 rw_enter(&privinfo_lock, RW_WRITER);
403 wheld = 1;
404 /* Someone may have added our privilege */
405 goto rescan;
406 }
407 }
408
409 if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) {
410 rw_exit(&privinfo_lock);
411 return (-ENOMEM);
412 }
413
414 priv_names[i] = p = priv_str + privbytes;
415
416 bcopy(name, p, len);
417
418 /* make the priv_names[i] and privilege name globally visible */
419 membar_producer();
420
421 /* adjust priv count and bytes count */
422 priv_ninfo->cnt = priv_info->priv_max = ++nprivs;
423 privbytes += len;
424
425 rw_exit(&privinfo_lock);
426 return (i);
427 }
428
429 /*
430 * We can't afford locking the privileges here because of the locations
431 * we call this from; so we make sure that the privileges table
432 * is visible to us; it is made visible before the value of nprivs is
433 * updated.
434 */
435 const char *
436 priv_getbynum(int priv)
437 {
438 int maxpriv = nprivs;
439
440 membar_consumer();
441
442 if (priv >= 0 && priv < maxpriv)
443 return (priv_names[priv]);
444
445 return (NULL);
446 }
447
448 const char *
449 priv_getsetbynum(int setno)
450 {
451 if (!PRIV_VALIDSET(setno))
452 return (NULL);
453
454 return (priv_setnames[setno]);
455 }
456
457 /*
458 * Privilege sanity checking when setting: E <= P.
459 */
460 static boolean_t
461 priv_valid(const cred_t *cr)
462 {
463 return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
464 }
465
466 /*
467 * Privilege manipulation functions
468 *
469 * Without knowing the details of the privilege set implementation,
470 * opaque pointers can be used to manipulate sets at will.
471 */
472 void
473 priv_emptyset(priv_set_t *set)
474 {
475 bzero(set, sizeof (*set));
476 }
477
478 void
479 priv_fillset(priv_set_t *set)
480 {
481 int i;
482
483 /* memset? */
484 for (i = 0; i < PRIV_SETSIZE; i++)
485 set->pbits[i] = ~(priv_chunk_t)0;
486 }
487
488 void
489 priv_addset(priv_set_t *set, int priv)
490 {
491 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
492 __PRIV_ADDSET(set, priv);
493 }
494
495 void
496 priv_delset(priv_set_t *set, int priv)
497 {
498 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
499 __PRIV_DELSET(set, priv);
500 }
501
502 boolean_t
503 priv_ismember(const priv_set_t *set, int priv)
504 {
505 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
506 return (__PRIV_ISMEMBER(set, priv) ? B_TRUE : B_FALSE);
507 }
508
509 #define PRIV_TEST_BODY(test) \
510 int i; \
511 \
512 for (i = 0; i < PRIV_SETSIZE; i++) \
513 if (!(test)) \
514 return (B_FALSE); \
515 \
516 return (B_TRUE)
517
518 boolean_t
519 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
520 {
521 return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
522 }
523
524 boolean_t
525 priv_isemptyset(const priv_set_t *set)
526 {
527 PRIV_TEST_BODY(set->pbits[i] == 0);
528 }
529
530 boolean_t
531 priv_isfullset(const priv_set_t *set)
532 {
533 PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0);
534 }
535
536 /*
537 * Return true if a is a subset of b
538 */
539 boolean_t
540 priv_issubset(const priv_set_t *a, const priv_set_t *b)
541 {
542 PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]);
543 }
544
545 #define PRIV_CHANGE_BODY(a, op, b) \
546 int i; \
547 \
548 for (i = 0; i < PRIV_SETSIZE; i++) \
549 a->pbits[i] op b->pbits[i]
550
551 /* B = A ^ B */
552 void
553 priv_intersect(const priv_set_t *a, priv_set_t *b)
554 {
555 /* CSTYLED */
556 PRIV_CHANGE_BODY(b, &=, a);
557 }
558
559 /* B = A v B */
560 void
561 priv_union(const priv_set_t *a, priv_set_t *b)
562 {
563 /* CSTYLED */
564 PRIV_CHANGE_BODY(b, |=, a);
565 }
566
567 /* A = ! A */
568 void
569 priv_inverse(priv_set_t *a)
570 {
571 PRIV_CHANGE_BODY(a, = ~, a);
572 }
573
574 /*
575 * Can the source cred act on the target credential?
576 *
577 * We will you allow to gain uids this way but not privileges.
578 */
579 int
580 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode)
581 {
582 const priv_set_t *eset;
583 int idsmatch;
584 cred_t *tcr;
585 int res = 0;
586
587 /* prevent the cred from going away */
588 mutex_enter(&tp->p_crlock);
589 crhold(tcr = tp->p_cred);
590 mutex_exit(&tp->p_crlock);
591
592 if (scr == tcr && !(tp->p_flag & SNOCD))
593 goto out;
594
595 idsmatch = (scr->cr_uid == tcr->cr_uid &&
596 scr->cr_uid == tcr->cr_ruid &&
597 scr->cr_uid == tcr->cr_suid &&
598 scr->cr_gid == tcr->cr_gid &&
599 scr->cr_gid == tcr->cr_rgid &&
600 scr->cr_gid == tcr->cr_sgid &&
601 !(tp->p_flag & SNOCD));
602
603 /*
604 * Source credential must have the proc_zone privilege if referencing
605 * a process in another zone.
606 */
607 if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) {
608 res = EACCES;
609 goto out;
610 }
611
612 if (!(mode & VWRITE)) {
613 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0)
614 res = EACCES;
615 goto out;
616 }
617
618 /*
619 * For writing, the effective set of scr must dominate all sets of tcr,
620 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
621 * The Limit set of scr must be a superset of the limitset of
622 * tcr.
623 */
624 eset = &CR_OEPRIV(scr);
625
626 if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
627 !priv_issubset(&CR_OPPRIV(tcr), eset) ||
628 !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
629 !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
630 res = EACCES;
631
632 out:
633 if (res == 0 && pcr != NULL)
634 *pcr = tcr;
635 else
636 crfree(tcr);
637 return (res);
638 }
639
640 /*
641 * Set the privilege aware bit, adding L to E/P if necessary.
642 * Each time we set it, we also clear PRIV_AWARE_RESET.
643 */
644 void
645 priv_set_PA(cred_t *cr)
646 {
647 ASSERT(cr->cr_ref <= 2);
648
649 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE)
650 return;
651
652 CR_FLAGS(cr) |= PRIV_AWARE;
653 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
654
655 if (cr->cr_uid == 0)
656 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr));
657
658 if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0)
659 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr));
660 }
661
662 boolean_t
663 priv_can_clear_PA(const cred_t *cr)
664 {
665 /*
666 * We can clear PA in the following cases:
667 *
668 * None of the uids are 0.
669 * Any uid == 0 and P == L and (Euid != 0 or E == L)
670 */
671 return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) ||
672 priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) &&
673 (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr))));
674 }
675
676 /*
677 * Clear privilege aware bit if it is an idempotent operation and by
678 * clearing it the process cannot get to uid 0 and all privileges.
679 *
680 * This function should be called with caution as it may cause "E" to be
681 * lost once a processes assumes euid 0 again.
682 */
683 void
684 priv_adjust_PA(cred_t *cr)
685 {
686 ASSERT(cr->cr_ref <= 2);
687
688 if (!(CR_FLAGS(cr) & PRIV_AWARE) ||
689 !priv_can_clear_PA(cr)) {
690 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
691 return;
692 }
693
694 if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT)
695 return;
696
697 /*
698 * We now need to adjust P/E in those cases when uids
699 * are zero; the rules are P' = I & L, E' = I & L;
700 * but since P = L and E = L, we can use P &= I, E &= I,
701 * depending on which uids are 0.
702 */
703 if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) {
704 if (cr->cr_uid == 0)
705 priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr));
706 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr));
707 }
708
709 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
710 }
711
712 /*
713 * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET
714 * flag.
715 */
716 void
717 priv_reset_PA(cred_t *cr, boolean_t finalize)
718 {
719 ASSERT(cr->cr_ref <= 2);
720
721 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) !=
722 (PRIV_AWARE|PRIV_AWARE_RESET)) {
723 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
724 return;
725 }
726
727 /*
728 * When PRIV_AWARE_RESET is enabled, any change of uids causes
729 * a change to the P and E sets. Bracketing with
730 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid)
731 * will cause the privilege sets "do the right thing.".
732 * When the change of the uid is "final", e.g., by using setuid(uid),
733 * or setreuid(uid, uid) or when the last set*uid() call causes all
734 * uids to be the same, we set P and E to I & L, like when you exec.
735 * We make an exception when all the uids are 0; this is required
736 * when we login as root as in that particular case we cannot
737 * make a distinction between seteuid(0) and seteuid(uid).
738 * We rely on seteuid/setreuid/setuid to tell us with the
739 * "finalize" argument that we no longer expect new uid changes,
740 * cf. setreuid(uid, uid) and setuid(uid).
741 */
742 if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) {
743 if (finalize || cr->cr_uid != 0) {
744 CR_EPRIV(cr) = CR_IPRIV(cr);
745 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
746 CR_PPRIV(cr) = CR_EPRIV(cr);
747 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
748 } else {
749 CR_EPRIV(cr) = CR_PPRIV(cr);
750 }
751 } else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) {
752 CR_EPRIV(cr) = CR_IPRIV(cr);
753 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
754 }
755 }