Print this page
uts: add a concept of a 'default' set of privileges, separate from 'basic'
uts: give privilege macros more sensible names
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/priv.c
+++ new/usr/src/uts/common/os/priv.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 /*
27 27 * Privilege implementation.
28 28 *
29 29 * This file provides the infrastructure for privilege sets and limits
30 30 * the number of files that requires to include <sys/cred_impl.h> and/or
31 31 * <sys/priv_impl.h>.
32 32 *
33 33 * The Solaris privilege mechanism has been designed in a
34 34 * future proof manner. While the kernel may use fixed size arrays
35 35 * and fixed bitmasks and bit values, the representation of those
36 36 * is kernel private. All external interfaces as well as K-to-K interfaces
37 37 * have been constructed in a manner to provide the maximum flexibility.
38 38 *
39 39 * There can be X privilege sets each containing Y 32 bit words.
40 40 * <X, Y> are constant for a kernel invocation.
41 41 *
42 42 * As a consequence, all privilege set manipulation happens in functions
43 43 * below.
44 44 *
45 45 */
46 46
47 47 #include <sys/systm.h>
48 48 #include <sys/ddi.h>
49 49 #include <sys/kmem.h>
50 50 #include <sys/sunddi.h>
51 51 #include <sys/errno.h>
52 52 #include <sys/debug.h>
53 53 #include <sys/priv_impl.h>
54 54 #include <sys/procfs.h>
55 55 #include <sys/policy.h>
56 56 #include <sys/cred_impl.h>
57 57 #include <sys/devpolicy.h>
58 58 #include <sys/atomic.h>
59 59
60 60 /*
61 61 * Privilege name to number mapping table consists in the generated
62 62 * priv_const.c file. This lock protects against updates of the privilege
63 63 * names and counts; all other priv_info fields are read-only.
64 64 * The actual protected values are:
65 65 * global variable nprivs
66 66 * the priv_max field
67 67 * the priv_names field
68 68 * the priv names info item (cnt/strings)
69 69 */
70 70 krwlock_t privinfo_lock;
71 71
72 72 static boolean_t priv_valid(const cred_t *);
73 73
74 74 priv_set_t priv_fullset; /* set of all privileges */
75 75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */
76 76
77 77 /*
78 78 * Privilege initialization functions.
79 79 * Called from common/os/cred.c when cred_init is called.
80 80 */
81 81
|
↓ open down ↓ |
81 lines elided |
↑ open up ↑ |
82 82 void
83 83 priv_init(void)
84 84 {
85 85 #ifdef DEBUG
86 86 int alloc_test_priv = 1;
87 87 #else
88 88 int alloc_test_priv = priv_debug;
89 89 #endif
90 90 rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
91 91
92 - PRIV_BASIC_ASSERT(priv_basic);
93 - PRIV_UNSAFE_ASSERT(&priv_unsafe);
92 + PRIV_BASIC_ADDSET(priv_basic);
93 +
94 + /*
95 + * The "default" set is the basic privileges + any 'default'
96 + * privileges. with no traditional unix connotations.
97 + */
98 + PRIV_BASIC_ADDSET(priv_default);
99 + PRIV_DEFAULT_ADDSET(priv_default);
100 +
101 + PRIV_UNSAFE_ADDSET(&priv_unsafe);
94 102 priv_fillset(&priv_fullset);
95 103
96 104 /*
97 105 * When booting with priv_debug set or in a DEBUG kernel, then we'll
98 106 * add an additional basic privilege and we verify that it is always
99 107 * present in E.
100 108 */
101 109 if (alloc_test_priv != 0 &&
102 110 (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
103 111 priv_addset(priv_basic, priv_basic_test);
112 + priv_addset(priv_default, priv_basic_test);
104 113 }
105 114
106 115 devpolicy_init();
107 116 }
108 117
109 118 /* Utility functions: privilege sets as opaque data types */
110 119
111 120 /*
112 121 * Guts of prgetprivsize.
113 122 */
114 123 int
115 124 priv_prgetprivsize(prpriv_t *tmpl)
116 125 {
117 126 return (sizeof (prpriv_t) +
118 127 PRIV_SETBYTES - sizeof (priv_chunk_t) +
119 128 (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
120 129 }
121 130
122 131 /*
123 132 * Guts of prgetpriv.
124 133 */
125 134 void
126 135 cred2prpriv(const cred_t *cp, prpriv_t *pr)
127 136 {
128 137 priv_set_t *psa;
129 138 int i;
130 139
131 140 pr->pr_nsets = PRIV_NSET;
132 141 pr->pr_setsize = PRIV_SETSIZE;
133 142 pr->pr_infosize = priv_info->priv_infosize;
134 143
135 144 psa = (priv_set_t *)pr->pr_sets;
136 145
137 146 for (i = 0; i < PRIV_NSET; i++)
138 147 psa[i] = *priv_getset(cp, i);
139 148
140 149 priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
141 150 }
142 151
143 152 /*
144 153 * Guts of pr_spriv:
145 154 *
146 155 * Set the privileges of a process.
147 156 *
148 157 * In order to set the privileges, the setting process will need to
149 158 * have those privileges in its effective set in order to prevent
150 159 * specially privileged processes to easily gain additional privileges.
151 160 * Pre-existing privileges can be retained. To change any privileges,
152 161 * PRIV_PROC_OWNER needs to be asserted.
153 162 *
154 163 * In formula:
155 164 *
156 165 * S' <= S || S' <= S + Ea
157 166 *
158 167 * the new set must either be subset of the old set or a subset of
159 168 * the oldset merged with the effective set of the acting process; or just:
160 169 *
161 170 * S' <= S + Ea
162 171 *
163 172 * It's not legal to grow the limit set this way.
164 173 *
165 174 */
166 175 int
167 176 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr)
168 177 {
169 178 cred_t *oldcred;
170 179 cred_t *newcred;
171 180 int i;
172 181 int err = EPERM;
173 182 cred_priv_t *cp, *ocp;
174 183 priv_set_t eset;
175 184
176 185 ASSERT(MUTEX_HELD(&p->p_lock));
177 186
178 187 /*
179 188 * Set must have proper dimension; infosize must be absent
180 189 * or properly sized.
181 190 */
182 191 if (prpriv->pr_nsets != PRIV_NSET ||
183 192 prpriv->pr_setsize != PRIV_SETSIZE ||
184 193 (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 ||
185 194 prpriv->pr_infosize > priv_info->priv_infosize ||
186 195 prpriv->pr_infosize < 0)
187 196 return (EINVAL);
188 197
189 198 mutex_exit(&p->p_lock);
190 199
191 200 if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) {
192 201 mutex_enter(&p->p_lock);
193 202 return (EPERM);
194 203 }
195 204
196 205 newcred = crdup(oldcred);
197 206
198 207 /* Copy the privilege sets from prpriv to newcred */
199 208 bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES);
200 209
201 210 cp = &newcred->cr_priv;
202 211 ocp = &oldcred->cr_priv;
203 212 eset = CR_OEPRIV(cr);
204 213
205 214 priv_intersect(&CR_LPRIV(oldcred), &eset);
206 215
207 216 /*
208 217 * Verify the constraints laid out:
209 218 * for the limit set, we require that the new set is a subset
210 219 * of the old limit set.
211 220 * for all other sets, we require that the new set is either a
212 221 * subset of the old set or a subset of the intersection of
213 222 * the old limit set and the effective set of the acting process.
214 223 */
215 224 for (i = 0; i < PRIV_NSET; i++)
216 225 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) &&
217 226 (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset)))
218 227 break;
219 228
220 229 crfree(oldcred);
221 230
222 231 if (i < PRIV_NSET || !priv_valid(newcred))
223 232 goto err;
224 233
225 234 /* Load the settable privilege information */
226 235 if (prpriv->pr_infosize > 0) {
227 236 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv);
228 237 char *lastx = x + prpriv->pr_infosize;
229 238
230 239 while (x < lastx) {
231 240 priv_info_t *pi = (priv_info_t *)x;
232 241 priv_info_uint_t *pii;
233 242
234 243 switch (pi->priv_info_type) {
235 244 case PRIV_INFO_FLAGS:
236 245 pii = (priv_info_uint_t *)x;
237 246 if (pii->info.priv_info_size != sizeof (*pii)) {
238 247 err = EINVAL;
239 248 goto err;
240 249 }
241 250 CR_FLAGS(newcred) &= ~PRIV_USER;
242 251 CR_FLAGS(newcred) |= (pii->val & PRIV_USER);
243 252 break;
244 253 default:
245 254 err = EINVAL;
246 255 goto err;
247 256 }
248 257 /* Guarantee alignment and forward progress */
249 258 if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) ||
250 259 pi->priv_info_size < sizeof (*pi) ||
251 260 lastx - x > pi->priv_info_size) {
252 261 err = EINVAL;
253 262 goto err;
254 263 }
255 264
256 265 x += pi->priv_info_size;
257 266 }
258 267 }
259 268
260 269 /*
261 270 * We'll try to copy the privilege aware flag; but since the
262 271 * privileges sets are all individually set, they are set
263 272 * as if we're privilege aware. If PRIV_AWARE wasn't set
264 273 * or was explicitely unset, we need to set the flag and then
265 274 * try to get rid of it.
266 275 */
267 276 if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) {
268 277 CR_FLAGS(newcred) |= PRIV_AWARE;
269 278 priv_adjust_PA(newcred);
270 279 }
271 280
272 281 mutex_enter(&p->p_crlock);
273 282 oldcred = p->p_cred;
274 283 p->p_cred = newcred;
275 284 mutex_exit(&p->p_crlock);
276 285 crfree(oldcred);
277 286
278 287 mutex_enter(&p->p_lock);
279 288 return (0);
280 289
281 290 err:
282 291 crfree(newcred);
283 292 mutex_enter(&p->p_lock);
284 293 return (err);
285 294 }
286 295
287 296 priv_impl_info_t
288 297 *priv_hold_implinfo(void)
289 298 {
290 299 rw_enter(&privinfo_lock, RW_READER);
291 300 return (priv_info);
292 301 }
293 302
294 303 void
295 304 priv_release_implinfo(void)
296 305 {
297 306 rw_exit(&privinfo_lock);
298 307 }
299 308
300 309 size_t
301 310 priv_get_implinfo_size(void)
302 311 {
303 312 return (privinfosize);
304 313 }
305 314
306 315
307 316 /*
308 317 * Return the nth privilege set
309 318 */
310 319 const priv_set_t *
311 320 priv_getset(const cred_t *cr, int set)
312 321 {
313 322 ASSERT(PRIV_VALIDSET(set));
314 323
315 324 if ((CR_FLAGS(cr) & PRIV_AWARE) == 0)
316 325 switch (set) {
317 326 case PRIV_EFFECTIVE:
318 327 return (&CR_OEPRIV(cr));
319 328 case PRIV_PERMITTED:
320 329 return (&CR_OPPRIV(cr));
321 330 }
322 331 return (&CR_PRIVS(cr)->crprivs[set]);
323 332 }
324 333
325 334 /*
326 335 * Buf must be allocated by caller and contain sufficient space to
327 336 * contain all additional info structures using priv_info.priv_infosize.
328 337 * The buffer must be properly aligned.
329 338 */
330 339 /*ARGSUSED*/
331 340 void
332 341 priv_getinfo(const cred_t *cr, void *buf)
333 342 {
334 343 struct priv_info_uint *ii;
335 344
336 345 ii = buf;
337 346 ii->val = CR_FLAGS(cr);
338 347 ii->info.priv_info_size = (uint32_t)sizeof (*ii);
339 348 ii->info.priv_info_type = PRIV_INFO_FLAGS;
340 349 }
341 350
342 351 int
343 352 priv_getbyname(const char *name, uint_t flag)
344 353 {
345 354 int i;
346 355 int wheld = 0;
347 356 int len;
348 357 char *p;
349 358
350 359 if (flag != 0 && flag != PRIV_ALLOC)
351 360 return (-EINVAL);
352 361
353 362 if (strncasecmp(name, "priv_", 5) == 0)
354 363 name += 5;
355 364
356 365 rw_enter(&privinfo_lock, RW_READER);
357 366 rescan:
358 367 for (i = 0; i < nprivs; i++)
359 368 if (strcasecmp(priv_names[i], name) == 0) {
360 369 rw_exit(&privinfo_lock);
361 370 return (i);
362 371 }
363 372
364 373
365 374 if (!wheld) {
366 375 if (!(flag & PRIV_ALLOC)) {
367 376 rw_exit(&privinfo_lock);
368 377 return (-EINVAL);
369 378 }
370 379
371 380 /* check length, validity and available space */
372 381 len = strlen(name) + 1;
373 382
374 383 if (len > PRIVNAME_MAX) {
375 384 rw_exit(&privinfo_lock);
376 385 return (-ENAMETOOLONG);
377 386 }
378 387
379 388 for (p = (char *)name; *p != '\0'; p++) {
380 389 char c = *p;
381 390
382 391 if (!((c >= 'A' && c <= 'Z') ||
383 392 (c >= 'a' && c <= 'z') ||
384 393 (c >= '0' && c <= '9') ||
385 394 c == '_')) {
386 395 rw_exit(&privinfo_lock);
387 396 return (-EINVAL);
388 397 }
389 398 }
390 399
391 400 if (!rw_tryupgrade(&privinfo_lock)) {
392 401 rw_exit(&privinfo_lock);
393 402 rw_enter(&privinfo_lock, RW_WRITER);
394 403 wheld = 1;
395 404 /* Someone may have added our privilege */
396 405 goto rescan;
397 406 }
398 407 }
399 408
400 409 if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) {
401 410 rw_exit(&privinfo_lock);
402 411 return (-ENOMEM);
403 412 }
404 413
405 414 priv_names[i] = p = priv_str + privbytes;
406 415
407 416 bcopy(name, p, len);
408 417
409 418 /* make the priv_names[i] and privilege name globally visible */
410 419 membar_producer();
411 420
412 421 /* adjust priv count and bytes count */
413 422 priv_ninfo->cnt = priv_info->priv_max = ++nprivs;
414 423 privbytes += len;
415 424
416 425 rw_exit(&privinfo_lock);
417 426 return (i);
418 427 }
419 428
420 429 /*
421 430 * We can't afford locking the privileges here because of the locations
422 431 * we call this from; so we make sure that the privileges table
423 432 * is visible to us; it is made visible before the value of nprivs is
424 433 * updated.
425 434 */
426 435 const char *
427 436 priv_getbynum(int priv)
428 437 {
429 438 int maxpriv = nprivs;
430 439
431 440 membar_consumer();
432 441
433 442 if (priv >= 0 && priv < maxpriv)
434 443 return (priv_names[priv]);
435 444
436 445 return (NULL);
437 446 }
438 447
439 448 const char *
440 449 priv_getsetbynum(int setno)
441 450 {
442 451 if (!PRIV_VALIDSET(setno))
443 452 return (NULL);
444 453
445 454 return (priv_setnames[setno]);
446 455 }
447 456
448 457 /*
449 458 * Privilege sanity checking when setting: E <= P.
450 459 */
451 460 static boolean_t
452 461 priv_valid(const cred_t *cr)
453 462 {
454 463 return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
455 464 }
456 465
457 466 /*
458 467 * Privilege manipulation functions
459 468 *
460 469 * Without knowing the details of the privilege set implementation,
461 470 * opaque pointers can be used to manipulate sets at will.
462 471 */
463 472 void
464 473 priv_emptyset(priv_set_t *set)
465 474 {
466 475 bzero(set, sizeof (*set));
467 476 }
468 477
469 478 void
470 479 priv_fillset(priv_set_t *set)
471 480 {
472 481 int i;
|
↓ open down ↓ |
359 lines elided |
↑ open up ↑ |
473 482
474 483 /* memset? */
475 484 for (i = 0; i < PRIV_SETSIZE; i++)
476 485 set->pbits[i] = ~(priv_chunk_t)0;
477 486 }
478 487
479 488 void
480 489 priv_addset(priv_set_t *set, int priv)
481 490 {
482 491 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
483 - __PRIV_ASSERT(set, priv);
492 + __PRIV_ADDSET(set, priv);
484 493 }
485 494
486 495 void
487 496 priv_delset(priv_set_t *set, int priv)
488 497 {
489 498 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
490 - __PRIV_CLEAR(set, priv);
499 + __PRIV_DELSET(set, priv);
491 500 }
492 501
493 502 boolean_t
494 503 priv_ismember(const priv_set_t *set, int priv)
495 504 {
496 505 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
497 - return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE);
506 + return (__PRIV_ISMEMBER(set, priv) ? B_TRUE : B_FALSE);
498 507 }
499 508
500 509 #define PRIV_TEST_BODY(test) \
501 510 int i; \
502 511 \
503 512 for (i = 0; i < PRIV_SETSIZE; i++) \
504 513 if (!(test)) \
505 514 return (B_FALSE); \
506 515 \
507 516 return (B_TRUE)
508 517
509 518 boolean_t
510 519 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
511 520 {
512 521 return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
513 522 }
514 523
515 524 boolean_t
516 525 priv_isemptyset(const priv_set_t *set)
517 526 {
518 527 PRIV_TEST_BODY(set->pbits[i] == 0);
519 528 }
520 529
521 530 boolean_t
522 531 priv_isfullset(const priv_set_t *set)
523 532 {
524 533 PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0);
525 534 }
526 535
527 536 /*
528 537 * Return true if a is a subset of b
529 538 */
530 539 boolean_t
531 540 priv_issubset(const priv_set_t *a, const priv_set_t *b)
532 541 {
533 542 PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]);
534 543 }
535 544
536 545 #define PRIV_CHANGE_BODY(a, op, b) \
537 546 int i; \
538 547 \
539 548 for (i = 0; i < PRIV_SETSIZE; i++) \
540 549 a->pbits[i] op b->pbits[i]
541 550
542 551 /* B = A ^ B */
543 552 void
544 553 priv_intersect(const priv_set_t *a, priv_set_t *b)
545 554 {
546 555 /* CSTYLED */
547 556 PRIV_CHANGE_BODY(b, &=, a);
548 557 }
549 558
550 559 /* B = A v B */
551 560 void
552 561 priv_union(const priv_set_t *a, priv_set_t *b)
553 562 {
554 563 /* CSTYLED */
555 564 PRIV_CHANGE_BODY(b, |=, a);
556 565 }
557 566
558 567 /* A = ! A */
559 568 void
560 569 priv_inverse(priv_set_t *a)
561 570 {
562 571 PRIV_CHANGE_BODY(a, = ~, a);
563 572 }
564 573
565 574 /*
566 575 * Can the source cred act on the target credential?
567 576 *
568 577 * We will you allow to gain uids this way but not privileges.
569 578 */
570 579 int
571 580 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode)
572 581 {
573 582 const priv_set_t *eset;
574 583 int idsmatch;
575 584 cred_t *tcr;
576 585 int res = 0;
577 586
578 587 /* prevent the cred from going away */
579 588 mutex_enter(&tp->p_crlock);
580 589 crhold(tcr = tp->p_cred);
581 590 mutex_exit(&tp->p_crlock);
582 591
583 592 if (scr == tcr && !(tp->p_flag & SNOCD))
584 593 goto out;
585 594
586 595 idsmatch = (scr->cr_uid == tcr->cr_uid &&
587 596 scr->cr_uid == tcr->cr_ruid &&
588 597 scr->cr_uid == tcr->cr_suid &&
589 598 scr->cr_gid == tcr->cr_gid &&
590 599 scr->cr_gid == tcr->cr_rgid &&
591 600 scr->cr_gid == tcr->cr_sgid &&
592 601 !(tp->p_flag & SNOCD));
593 602
594 603 /*
595 604 * Source credential must have the proc_zone privilege if referencing
596 605 * a process in another zone.
597 606 */
598 607 if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) {
599 608 res = EACCES;
600 609 goto out;
601 610 }
602 611
603 612 if (!(mode & VWRITE)) {
604 613 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0)
605 614 res = EACCES;
606 615 goto out;
607 616 }
608 617
609 618 /*
610 619 * For writing, the effective set of scr must dominate all sets of tcr,
611 620 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
612 621 * The Limit set of scr must be a superset of the limitset of
613 622 * tcr.
614 623 */
615 624 eset = &CR_OEPRIV(scr);
616 625
617 626 if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
618 627 !priv_issubset(&CR_OPPRIV(tcr), eset) ||
619 628 !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
620 629 !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
621 630 res = EACCES;
622 631
623 632 out:
624 633 if (res == 0 && pcr != NULL)
625 634 *pcr = tcr;
626 635 else
627 636 crfree(tcr);
628 637 return (res);
629 638 }
630 639
631 640 /*
632 641 * Set the privilege aware bit, adding L to E/P if necessary.
633 642 * Each time we set it, we also clear PRIV_AWARE_RESET.
634 643 */
635 644 void
636 645 priv_set_PA(cred_t *cr)
637 646 {
638 647 ASSERT(cr->cr_ref <= 2);
639 648
640 649 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE)
641 650 return;
642 651
643 652 CR_FLAGS(cr) |= PRIV_AWARE;
644 653 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
645 654
646 655 if (cr->cr_uid == 0)
647 656 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr));
648 657
649 658 if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0)
650 659 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr));
651 660 }
652 661
653 662 boolean_t
654 663 priv_can_clear_PA(const cred_t *cr)
655 664 {
656 665 /*
657 666 * We can clear PA in the following cases:
658 667 *
659 668 * None of the uids are 0.
660 669 * Any uid == 0 and P == L and (Euid != 0 or E == L)
661 670 */
662 671 return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) ||
663 672 priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) &&
664 673 (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr))));
665 674 }
666 675
667 676 /*
668 677 * Clear privilege aware bit if it is an idempotent operation and by
669 678 * clearing it the process cannot get to uid 0 and all privileges.
670 679 *
671 680 * This function should be called with caution as it may cause "E" to be
672 681 * lost once a processes assumes euid 0 again.
673 682 */
674 683 void
675 684 priv_adjust_PA(cred_t *cr)
676 685 {
677 686 ASSERT(cr->cr_ref <= 2);
678 687
679 688 if (!(CR_FLAGS(cr) & PRIV_AWARE) ||
680 689 !priv_can_clear_PA(cr)) {
681 690 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
682 691 return;
683 692 }
684 693
685 694 if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT)
686 695 return;
687 696
688 697 /*
689 698 * We now need to adjust P/E in those cases when uids
690 699 * are zero; the rules are P' = I & L, E' = I & L;
691 700 * but since P = L and E = L, we can use P &= I, E &= I,
692 701 * depending on which uids are 0.
693 702 */
694 703 if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) {
695 704 if (cr->cr_uid == 0)
696 705 priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr));
697 706 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr));
698 707 }
699 708
700 709 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
701 710 }
702 711
703 712 /*
704 713 * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET
705 714 * flag.
706 715 */
707 716 void
708 717 priv_reset_PA(cred_t *cr, boolean_t finalize)
709 718 {
710 719 ASSERT(cr->cr_ref <= 2);
711 720
712 721 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) !=
713 722 (PRIV_AWARE|PRIV_AWARE_RESET)) {
714 723 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
715 724 return;
716 725 }
717 726
718 727 /*
719 728 * When PRIV_AWARE_RESET is enabled, any change of uids causes
720 729 * a change to the P and E sets. Bracketing with
721 730 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid)
722 731 * will cause the privilege sets "do the right thing.".
723 732 * When the change of the uid is "final", e.g., by using setuid(uid),
724 733 * or setreuid(uid, uid) or when the last set*uid() call causes all
725 734 * uids to be the same, we set P and E to I & L, like when you exec.
726 735 * We make an exception when all the uids are 0; this is required
727 736 * when we login as root as in that particular case we cannot
728 737 * make a distinction between seteuid(0) and seteuid(uid).
729 738 * We rely on seteuid/setreuid/setuid to tell us with the
730 739 * "finalize" argument that we no longer expect new uid changes,
731 740 * cf. setreuid(uid, uid) and setuid(uid).
732 741 */
733 742 if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) {
734 743 if (finalize || cr->cr_uid != 0) {
735 744 CR_EPRIV(cr) = CR_IPRIV(cr);
736 745 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
737 746 CR_PPRIV(cr) = CR_EPRIV(cr);
738 747 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
739 748 } else {
740 749 CR_EPRIV(cr) = CR_PPRIV(cr);
741 750 }
742 751 } else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) {
743 752 CR_EPRIV(cr) = CR_IPRIV(cr);
744 753 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
745 754 }
746 755 }
|
↓ open down ↓ |
239 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX