Print this page
uts: add a concept of a 'default' set of privileges, separate from 'basic'
uts: give privilege macros more sensible names


  72 static boolean_t priv_valid(const cred_t *);
  73 
  74 priv_set_t priv_fullset;        /* set of all privileges */
  75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */
  76 
  77 /*
  78  * Privilege initialization functions.
  79  * Called from common/os/cred.c when cred_init is called.
  80  */
  81 
  82 void
  83 priv_init(void)
  84 {
  85 #ifdef DEBUG
  86         int alloc_test_priv = 1;
  87 #else
  88         int alloc_test_priv = priv_debug;
  89 #endif
  90         rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
  91 
  92         PRIV_BASIC_ASSERT(priv_basic);
  93         PRIV_UNSAFE_ASSERT(&priv_unsafe);








  94         priv_fillset(&priv_fullset);
  95 
  96         /*
  97          * When booting with priv_debug set or in a DEBUG kernel, then we'll
  98          * add an additional basic privilege and we verify that it is always
  99          * present in E.
 100          */
 101         if (alloc_test_priv != 0 &&
 102             (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
 103                 priv_addset(priv_basic, priv_basic_test);

 104         }
 105 
 106         devpolicy_init();
 107 }
 108 
 109 /* Utility functions: privilege sets as opaque data types */
 110 
 111 /*
 112  * Guts of prgetprivsize.
 113  */
 114 int
 115 priv_prgetprivsize(prpriv_t *tmpl)
 116 {
 117         return (sizeof (prpriv_t) +
 118             PRIV_SETBYTES - sizeof (priv_chunk_t) +
 119             (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
 120 }
 121 
 122 /*
 123  * Guts of prgetpriv.


 463 void
 464 priv_emptyset(priv_set_t *set)
 465 {
 466         bzero(set, sizeof (*set));
 467 }
 468 
 469 void
 470 priv_fillset(priv_set_t *set)
 471 {
 472         int i;
 473 
 474         /* memset? */
 475         for (i = 0; i < PRIV_SETSIZE; i++)
 476                 set->pbits[i] = ~(priv_chunk_t)0;
 477 }
 478 
 479 void
 480 priv_addset(priv_set_t *set, int priv)
 481 {
 482         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 483         __PRIV_ASSERT(set, priv);
 484 }
 485 
 486 void
 487 priv_delset(priv_set_t *set, int priv)
 488 {
 489         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 490         __PRIV_CLEAR(set, priv);
 491 }
 492 
 493 boolean_t
 494 priv_ismember(const priv_set_t *set, int priv)
 495 {
 496         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 497         return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE);
 498 }
 499 
 500 #define PRIV_TEST_BODY(test) \
 501         int i; \
 502 \
 503         for (i = 0; i < PRIV_SETSIZE; i++) \
 504                 if (!(test)) \
 505                         return (B_FALSE); \
 506 \
 507         return (B_TRUE)
 508 
 509 boolean_t
 510 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
 511 {
 512         return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
 513 }
 514 
 515 boolean_t
 516 priv_isemptyset(const priv_set_t *set)
 517 {




  72 static boolean_t priv_valid(const cred_t *);
  73 
  74 priv_set_t priv_fullset;        /* set of all privileges */
  75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */
  76 
  77 /*
  78  * Privilege initialization functions.
  79  * Called from common/os/cred.c when cred_init is called.
  80  */
  81 
  82 void
  83 priv_init(void)
  84 {
  85 #ifdef DEBUG
  86         int alloc_test_priv = 1;
  87 #else
  88         int alloc_test_priv = priv_debug;
  89 #endif
  90         rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
  91 
  92         PRIV_BASIC_ADDSET(priv_basic);
  93 
  94         /*
  95          * The "default" set is the basic privileges + any 'default'
  96          * privileges.  with no traditional unix connotations.
  97          */
  98         PRIV_BASIC_ADDSET(priv_default);
  99         PRIV_DEFAULT_ADDSET(priv_default);
 100 
 101         PRIV_UNSAFE_ADDSET(&priv_unsafe);
 102         priv_fillset(&priv_fullset);
 103 
 104         /*
 105          * When booting with priv_debug set or in a DEBUG kernel, then we'll
 106          * add an additional basic privilege and we verify that it is always
 107          * present in E.
 108          */
 109         if (alloc_test_priv != 0 &&
 110             (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
 111                 priv_addset(priv_basic, priv_basic_test);
 112                 priv_addset(priv_default, priv_basic_test);
 113         }
 114 
 115         devpolicy_init();
 116 }
 117 
 118 /* Utility functions: privilege sets as opaque data types */
 119 
 120 /*
 121  * Guts of prgetprivsize.
 122  */
 123 int
 124 priv_prgetprivsize(prpriv_t *tmpl)
 125 {
 126         return (sizeof (prpriv_t) +
 127             PRIV_SETBYTES - sizeof (priv_chunk_t) +
 128             (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
 129 }
 130 
 131 /*
 132  * Guts of prgetpriv.


 472 void
 473 priv_emptyset(priv_set_t *set)
 474 {
 475         bzero(set, sizeof (*set));
 476 }
 477 
 478 void
 479 priv_fillset(priv_set_t *set)
 480 {
 481         int i;
 482 
 483         /* memset? */
 484         for (i = 0; i < PRIV_SETSIZE; i++)
 485                 set->pbits[i] = ~(priv_chunk_t)0;
 486 }
 487 
 488 void
 489 priv_addset(priv_set_t *set, int priv)
 490 {
 491         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 492         __PRIV_ADDSET(set, priv);
 493 }
 494 
 495 void
 496 priv_delset(priv_set_t *set, int priv)
 497 {
 498         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 499         __PRIV_DELSET(set, priv);
 500 }
 501 
 502 boolean_t
 503 priv_ismember(const priv_set_t *set, int priv)
 504 {
 505         ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
 506         return (__PRIV_ISMEMBER(set, priv) ? B_TRUE : B_FALSE);
 507 }
 508 
 509 #define PRIV_TEST_BODY(test) \
 510         int i; \
 511 \
 512         for (i = 0; i < PRIV_SETSIZE; i++) \
 513                 if (!(test)) \
 514                         return (B_FALSE); \
 515 \
 516         return (B_TRUE)
 517 
 518 boolean_t
 519 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
 520 {
 521         return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
 522 }
 523 
 524 boolean_t
 525 priv_isemptyset(const priv_set_t *set)
 526 {