Print this page
uts: add a concept of a 'default' set of privileges, separate from 'basic'
uts: give privilege macros more sensible names
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/privs.awk
+++ new/usr/src/uts/common/os/privs.awk
1 1 #
2 2 # Copyright 2005 Sun Microsystems, Inc. All rights reserved.
3 3 # Use is subject to license terms.
4 4 #
5 5 # CDDL HEADER START
6 6 #
7 7 # The contents of this file are subject to the terms of the
8 8 # Common Development and Distribution License, Version 1.0 only
9 9 # (the "License"). You may not use this file except in compliance
10 10 # with the License.
11 11 #
12 12 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
13 13 # or http://www.opensolaris.org/os/licensing.
14 14 # See the License for the specific language governing permissions
15 15 # and limitations under the License.
16 16 #
17 17 # When distributing Covered Code, include this CDDL HEADER in each
18 18 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
19 19 # If applicable, add the following below this CDDL HEADER, with the
20 20 # fields enclosed by brackets "[]" replaced with your own identifying
21 21 # information: Portions Copyright [yyyy] [name of copyright owner]
22 22 #
23 23 # CDDL HEADER END
24 24 #
25 25 #ident "%Z%%M% %I% %E% SMI"
26 26 #
27 27 # This file generates three different C files:
28 28 #
29 29 # <sys/priv_const.h>
30 30 # An implementation private set of manifest integer constant
31 31 # for privileges and privilege sets and manifest constants for
32 32 # set size, number of sets, number of privileges
33 33 #
34 34 # os/priv_const.c
35 35 # A C source file containing the set names, privilege names
36 36 # arrays for the name <-> number mappings
37 37 #
38 38 # <sys/priv_names.h>
39 39 # A public header file containing the PRIV_* defines
40 40 # that map to strings; these are for convenience.
41 41 # (it's easy to misspell a string, harder to misspell a
42 42 # manifest constant)
43 43 #
44 44 # /etc/security/priv_names
45 45 # A privilege name to explanation mapping.
46 46 #
47 47 #
48 48 # The files are output on the awk variable privhfile, pubhfile, cfile,
49 49 # and pnamesfile respectively
50 50 #
51 51 # The input file should contain a standard Sun comment and ident string
52 52 # which is copied verbatim and lines of
53 53 #
54 54 # [keyword] privilege PRIV_<privilege>
55 55 # set PRIV_<set>
56 56 #
57 57 # Which are converted to privileges and privilege sets
58 58 #
59 59
60 60
61 61 BEGIN {
62 62 # Number of privileges read
63 63 npriv = 0
64 64
65 65 # Number of privilege sets
66 66 nset = 0
67 67
68 68 # Length of all strings concatenated, including \0
69 69 privbytes = 0
70 70 setbytes = 0
71 71
72 72 # Number of reserved privilege slots
73 73 slack = 10
74 74
75 75 privhcmt = \
76 76 " * Privilege constant definitions; these constants are subject to\n" \
77 77 " * change, including renumbering, without notice and should not be\n" \
78 78 " * used in any code. Privilege names must be used instead.\n" \
79 79 " * Privileges and privilege sets must not be stored in binary\n" \
80 80 " * form; privileges and privileges sets must be converted to\n" \
81 81 " * textual representation before being committed to persistent store."
82 82
83 83 ccmt = \
84 84 " * Privilege name table and size definitions."
85 85
86 86 pubhcmt = \
87 87 " * Privilege constant definitions. Privileges and privilege sets\n" \
88 88 " * are only known by name and should be mapped at runtime."
89 89
90 90 pnamescmt = \
91 91 "#\n" \
92 92 "# Privilege name explanation file\n" \
93 93 "# The format of entries is a privilege name starting at the\n" \
94 94 "# beginning of a line directly folowed by a new line followed\n" \
95 95 "# by several lines of texts starting with white space terminated\n" \
96 96 "# by a line with a single newline or not starting with white space\n" \
97 97 "#\n"
98 98 }
99 99
|
↓ open down ↓ |
99 lines elided |
↑ open up ↑ |
100 100 #
101 101 # Privilege strings are represented as lower case strings;
102 102 # PRIV_ is stripped from the strings.
103 103 #
104 104 /^([A-Za-z]* )?privilege / {
105 105 if (NF == 3) {
106 106 key = toupper($1)
107 107 priv = toupper($3)
108 108 if (set[key] != "")
109 109 set[key] = set[key] ";"
110 - set[key] = set[key] "\\\n\t\tPRIV_ASSERT((set), " priv ")"
110 + set[key] = set[key] "\\\n\t\tPRIV_ADDSET((set), " priv ")"
111 111 } else {
112 112 priv = toupper($2);
113 113 }
114 114 privs[npriv] = tolower(substr(priv, 6));
115 115 inset = 0
116 116 inpriv = 1
117 117
118 118 privind[npriv] = privbytes;
119 119
120 120 tabs = (32 - length(priv) - 1)/8
121 121 # length + \0 - PRIV_
122 122 privbytes += length(priv) - 4
123 123 pdef[npriv] = "#define\t" priv substr("\t\t\t\t\t", 1, tabs)
124 124
125 125 npriv++
126 126 next
127 127 }
128 128
129 129 #
130 130 # Set strings are represented as strings with an initial cap;
131 131 # PRIV_ is stripped from the strings.
132 132 #
133 133 /^set / {
134 134 $2 = toupper($2)
135 135 sets[nset] = toupper(substr($2, 6, 1)) tolower(substr($2, 7));
136 136 inset = 1
137 137 inpriv = 0
138 138
139 139 setind[nset] = setbytes
140 140
141 141 # length + \0 - PRIV_
142 142 setbytes += length($2) - 4
143 143 tabs = (32 - length($2) - 1)/8
144 144 sdef[nset] = "#define\t" $2 substr("\t\t\t\t\t", 1, tabs)
145 145
146 146 nset++
147 147 next
148 148 }
149 149
150 150 /INSERT COMMENT/ {
151 151 acmt = " *\n * THIS FILE WAS GENERATED; DO NOT EDIT"
152 152 if (cfile) {
153 153 print ccmt > cfile
154 154 print acmt > cfile
155 155 }
156 156 if (privhfile) {
157 157 print privhcmt > privhfile
158 158 print acmt > privhfile
159 159 }
160 160 if (pubhfile) {
161 161 print pubhcmt > pubhfile
162 162 print acmt > pubhfile
163 163 }
164 164 next
165 165 }
166 166 /^#pragma/ {
167 167 pragma = $0;
168 168 if (pnamesfile) {
169 169 print "#" substr($0, 9) > pnamesfile
170 170 }
171 171 next;
172 172 }
173 173
174 174 /^#/ && ! /^#pragma/{
175 175 # Comments, ignore
176 176 next
177 177 }
178 178
179 179 {
180 180 #
181 181 # Comments describing privileges and sets follow the definitions.
182 182 #
183 183 if (inset || inpriv) {
184 184 sub("^[ ]*", "")
185 185 sub("[ ]*$", "")
186 186 if (/^$/) next;
187 187 }
188 188 if (inset) {
189 189 setcmt[nset - 1] = setcmt[nset - 1] " * " $0 "\n"
190 190 next
191 191 } else if (inpriv) {
192 192 sub("^[ ]*", "")
193 193 privcmt[npriv - 1] = privcmt[npriv - 1] " * " $0 "\n"
194 194 privncmt[npriv - 1] = privncmt[npriv - 1] "\t" $0 "\n"
195 195 next
196 196 }
197 197
198 198 if (cfile)
199 199 print > cfile
200 200 if (privhfile)
201 201 print > privhfile
202 202 if (pubhfile)
203 203 print > pubhfile
204 204 if (pnamesfile) {
205 205 sub("^/\\*", "#")
206 206 sub("^ \\*/", "")
207 207 sub("^ \\*", "#")
208 208 if (/^$/) next;
209 209 print > pnamesfile
210 210 }
211 211 }
212 212
213 213 END {
214 214
215 215 if (!pubhfile && !privhfile && !cfile && !pnamesfile) {
216 216 print "Output file parameter not set" > "/dev/stderr"
217 217 exit 1
218 218 }
219 219
220 220 setsize = int((npriv + slack)/(8 * 4)) + 1
221 221 maxnpriv = setsize * 8 * 4
222 222 # Assume allocated privileges are on average "NSDQ" bytes larger.
223 223 maxprivbytes = int((privbytes / npriv + 5.5)) * (maxnpriv - npriv)
224 224 maxprivbytes += privbytes
225 225
226 226 if (cfile) {
227 227 print "\n" > cfile
228 228 print pragma "\n"> cfile
229 229 print "#include <sys/types.h>" > cfile
230 230 print "#include <sys/priv_const.h>" > cfile
231 231 print "#include <sys/priv_impl.h>" > cfile
232 232 print "#include <sys/priv.h>" > cfile
233 233 print "#include <sys/sysmacros.h>" > cfile
234 234 print "\n" > cfile
235 235 #
236 236 # Create the entire priv info structure here.
237 237 # When adding privileges, the kernel needs to update
238 238 # too many fields as the number of privileges is kept in
239 239 # many places.
240 240 #
241 241 print \
|
↓ open down ↓ |
121 lines elided |
↑ open up ↑ |
242 242 "static struct _info {\n" \
243 243 " priv_impl_info_t impl_info;\n" \
244 244 " priv_info_t settype;\n" \
245 245 " int nsets;\n" \
246 246 " const char sets[" setbytes "];\n" \
247 247 " priv_info_t privtype;\n" \
248 248 " int nprivs;\n" \
249 249 " char privs[" maxprivbytes "];\n" \
250 250 " priv_info_t sysset;\n" \
251 251 " priv_set_t basicset;\n" \
252 + " priv_info_t defset;\n" \
253 + " priv_set_t defaultset;\n" \
252 254 "} info = {\n" \
253 255 " { sizeof (priv_impl_info_t), 0, PRIV_NSET, " \
254 256 "PRIV_SETSIZE, " npriv ",\n" \
255 257 "\t\tsizeof (priv_info_uint_t),\n" \
256 258 "\t\tsizeof (info) - sizeof (info.impl_info)},\n" \
257 259 " { PRIV_INFO_SETNAMES,\n" \
258 260 " offsetof(struct _info, privtype) - " \
259 261 "offsetof(struct _info, settype)},\n\tPRIV_NSET," > cfile
260 262
261 263 sep = "\t\""
262 264 len = 9;
263 265 for (i = 0; i < nset; i++) {
264 266 if (len + length(sets[i]) > 80) {
265 267 sep = "\\0\"\n\t\""
266 268 len = 9
267 269 }
268 270 printf sep sets[i] > cfile
269 271 len += length(sets[i]) + length(sep);
270 272 sep = "\\0"
271 273 }
272 274 print "\\0\"," > cfile
273 275
274 276 print "\t{ PRIV_INFO_PRIVNAMES,\n\t " \
275 277 "offsetof(struct _info, sysset) - " \
276 278 "offsetof(struct _info, privtype)},\n\t" npriv "," \
277 279 > cfile
278 280
279 281 sep = "\t\""
280 282 len = 9;
281 283 for (i = 0; i < npriv; i++) {
|
↓ open down ↓ |
20 lines elided |
↑ open up ↑ |
282 284 if (len + length(privs[i]) > 80) {
283 285 sep = "\\0\"\n\t\""
284 286 len = 9
285 287 }
286 288 printf sep privs[i] > cfile
287 289 len += length(privs[i]) + length(sep);
288 290 sep = "\\0"
289 291 }
290 292 print "\\0\"," > cfile
291 293
292 - print "\t{ PRIV_INFO_BASICPRIVS, sizeof (info) - " \
293 - "offsetof(struct _info, sysset)}," > cfile
294 + print "\t{ PRIV_INFO_BASICPRIVS, offsetof (struct _info, defset) - " \
295 + "offsetof(struct _info, sysset)}," > cfile
296 + print "\t{ 0 },\n" > cfile
297 + print "\t{ PRIV_INFO_DEFAULTPRIVS, sizeof (info) - " \
298 + "offsetof(struct _info, defset)}" > cfile
294 299
295 300 print "};\n" > cfile
296 301
297 302 print "\nconst char *priv_names[" maxnpriv "] =\n{" > cfile
298 303 for (i = 0; i < npriv; i++)
299 304 print "\t&info.privs[" privind[i] "]," > cfile
300 305
301 306 print "};\n" > cfile
302 307
303 308 print "\nconst char *priv_setnames[" nset "] =\n{" > cfile
304 309 for (i = 0; i < nset; i++)
|
↓ open down ↓ |
1 lines elided |
↑ open up ↑ |
305 310 print "\t&info.sets[" setind[i] "]," > cfile
306 311
307 312 print "};\n" > cfile
308 313
309 314 print "int nprivs = " npriv ";" > cfile
310 315 print "int privbytes = " privbytes ";" > cfile
311 316 print "int maxprivbytes = " maxprivbytes ";" > cfile
312 317 print "size_t privinfosize = sizeof (info);" > cfile
313 318 print "char *priv_str = info.privs;" > cfile
314 319 print "priv_set_t *priv_basic = &info.basicset;" > cfile
320 + print "priv_set_t *priv_default = &info.defaultset;" > cfile
315 321 print "priv_impl_info_t *priv_info = &info.impl_info;" > cfile
316 322 print "priv_info_names_t *priv_ninfo = " \
317 323 "(priv_info_names_t *)&info.privtype;" > cfile
318 324 close(cfile)
319 325 }
320 326
321 327 # Kernel private
322 328 if (privhfile) {
323 329 print "#ifndef _SYS_PRIV_CONST_H" > privhfile
324 330 print "#define\t_SYS_PRIV_CONST_H\n" > privhfile
325 331 print pragma "\n"> privhfile
326 332 print "\n#include <sys/types.h>\n\n" > privhfile
327 333 print "#ifdef __cplusplus\nextern \"C\" {\n#endif\n" > privhfile
328 334
329 335 print "#if defined(_KERNEL) || defined(_KMEMUSER)" > privhfile
330 336 print "#define\tPRIV_NSET\t\t\t " nset > privhfile
331 337 print "#define\tPRIV_SETSIZE\t\t\t " setsize > privhfile
332 338 print "#endif\n\n#ifdef _KERNEL" > privhfile
|
↓ open down ↓ |
8 lines elided |
↑ open up ↑ |
333 339 print "#define\t__PRIV_CONST_IMPL\n" > privhfile
334 340 print "extern const char *priv_names[];" > privhfile
335 341 print "extern const char *priv_setnames[];" > privhfile
336 342
337 343 print "extern int nprivs;" > privhfile
338 344 print "extern int privbytes;" > privhfile
339 345 print "extern int maxprivbytes;" > privhfile
340 346 print "extern size_t privinfosize;" > privhfile
341 347 print "extern char *priv_str;" > privhfile
342 348 print "extern struct priv_set *priv_basic;" > privhfile
349 + print "extern struct priv_set *priv_default;" > privhfile
343 350 print "extern struct priv_impl_info *priv_info;" > privhfile
344 351 print "extern struct priv_info_names *priv_ninfo;" > privhfile
345 352
346 353 print "\n/* Privileges */" > privhfile
347 354
348 355 for (i = 0; i < npriv; i++)
349 356 print pdef[i] sprintf("%3d", i) > privhfile
350 357
351 358 print "\n/* Privilege sets */" > privhfile
352 359 for (i = 0; i < nset; i++)
353 360 print sdef[i] sprintf("%3d", i) > privhfile
354 361
355 362 print "\n#define\tMAX_PRIVILEGE\t\t\t " setsize * 32 \
356 363 > privhfile
357 364
358 365 # Special privilege categories.
359 366 for (s in set)
360 - print "\n#define\tPRIV_" s "_ASSERT(set)" set[s] \
367 + print "\n#define\tPRIV_" s "_ADDSET(set)" set[s] \
361 368 > privhfile
362 369
363 370 print "\n#endif /* _KERNEL */" > privhfile
364 371 print "\n#ifdef __cplusplus\n}\n#endif" > privhfile
365 372 print "\n#endif /* _SYS_PRIV_CONST_H */" > privhfile
366 373 close(privhfile)
367 374 }
368 375
369 376 if (pubhfile) {
370 377 cast="((const char *)"
371 378 print "#ifndef _SYS_PRIV_NAMES_H" > pubhfile
372 379 print "#define\t_SYS_PRIV_NAMES_H\n" > pubhfile
373 380
374 381 print pragma "\n" > pubhfile
375 382 print "#ifdef __cplusplus\nextern \"C\" {\n#endif\n" > pubhfile
376 383
377 384 print "#ifndef __PRIV_CONST_IMPL" > pubhfile
378 385 print "/*\n * Privilege names\n */" > pubhfile
379 386 for (i = 0; i < npriv; i++) {
380 387 print "/*\n" privcmt[i] " */" > pubhfile
381 388 print pdef[i] cast "\"" privs[i] "\")\n" > pubhfile
382 389 }
383 390
384 391 print "" > pubhfile
385 392
386 393 print "/*\n * Privilege set names\n */" > pubhfile
387 394 for (i = 0; i < nset; i++) {
388 395 print "/*\n" setcmt[i] " */" > pubhfile
389 396 print sdef[i] cast "\"" sets[i] "\")\n" > pubhfile
390 397 }
391 398
392 399 print "\n#endif /* __PRIV_CONST_IMPL */" > pubhfile
393 400 print "\n#ifdef __cplusplus\n}\n#endif" > pubhfile
394 401 print "\n#endif /* _SYS_PRIV_NAMES_H */" > pubhfile
395 402 close(pubhfile)
396 403 }
397 404
398 405 if (pnamesfile) {
399 406 print pnamescmt > pnamesfile
400 407 for (i = 0; i < npriv; i++) {
401 408 print privs[i] > pnamesfile
402 409 print privncmt[i] > pnamesfile
403 410 }
404 411 }
405 412
406 413 }
|
↓ open down ↓ |
36 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX