1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Privilege implementation. 28 * 29 * This file provides the infrastructure for privilege sets and limits 30 * the number of files that requires to include <sys/cred_impl.h> and/or 31 * <sys/priv_impl.h>. 32 * 33 * The Solaris privilege mechanism has been designed in a 34 * future proof manner. While the kernel may use fixed size arrays 35 * and fixed bitmasks and bit values, the representation of those 36 * is kernel private. All external interfaces as well as K-to-K interfaces 37 * have been constructed in a manner to provide the maximum flexibility. 38 * 39 * There can be X privilege sets each containing Y 32 bit words. 40 * <X, Y> are constant for a kernel invocation. 41 * 42 * As a consequence, all privilege set manipulation happens in functions 43 * below. 44 * 45 */ 46 47 #include <sys/systm.h> 48 #include <sys/ddi.h> 49 #include <sys/kmem.h> 50 #include <sys/sunddi.h> 51 #include <sys/errno.h> 52 #include <sys/debug.h> 53 #include <sys/priv_impl.h> 54 #include <sys/procfs.h> 55 #include <sys/policy.h> 56 #include <sys/cred_impl.h> 57 #include <sys/devpolicy.h> 58 #include <sys/atomic.h> 59 60 /* 61 * Privilege name to number mapping table consists in the generated 62 * priv_const.c file. This lock protects against updates of the privilege 63 * names and counts; all other priv_info fields are read-only. 64 * The actual protected values are: 65 * global variable nprivs 66 * the priv_max field 67 * the priv_names field 68 * the priv names info item (cnt/strings) 69 */ 70 krwlock_t privinfo_lock; 71 72 static boolean_t priv_valid(const cred_t *); 73 74 priv_set_t priv_fullset; /* set of all privileges */ 75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */ 76 77 /* 78 * Privilege initialization functions. 79 * Called from common/os/cred.c when cred_init is called. 80 */ 81 82 void 83 priv_init(void) 84 { 85 #ifdef DEBUG 86 int alloc_test_priv = 1; 87 #else 88 int alloc_test_priv = priv_debug; 89 #endif 90 rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL); 91 92 PRIV_BASIC_ADDSET(priv_basic); 93 PRIV_UNSAFE_ADDSET(&priv_unsafe); 94 priv_fillset(&priv_fullset); 95 96 /* 97 * When booting with priv_debug set or in a DEBUG kernel, then we'll 98 * add an additional basic privilege and we verify that it is always 99 * present in E. 100 */ 101 if (alloc_test_priv != 0 && 102 (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) { 103 priv_addset(priv_basic, priv_basic_test); 104 } 105 106 devpolicy_init(); 107 } 108 109 /* Utility functions: privilege sets as opaque data types */ 110 111 /* 112 * Guts of prgetprivsize. 113 */ 114 int 115 priv_prgetprivsize(prpriv_t *tmpl) 116 { 117 return (sizeof (prpriv_t) + 118 PRIV_SETBYTES - sizeof (priv_chunk_t) + 119 (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize)); 120 } 121 122 /* 123 * Guts of prgetpriv. 124 */ 125 void 126 cred2prpriv(const cred_t *cp, prpriv_t *pr) 127 { 128 priv_set_t *psa; 129 int i; 130 131 pr->pr_nsets = PRIV_NSET; 132 pr->pr_setsize = PRIV_SETSIZE; 133 pr->pr_infosize = priv_info->priv_infosize; 134 135 psa = (priv_set_t *)pr->pr_sets; 136 137 for (i = 0; i < PRIV_NSET; i++) 138 psa[i] = *priv_getset(cp, i); 139 140 priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr)); 141 } 142 143 /* 144 * Guts of pr_spriv: 145 * 146 * Set the privileges of a process. 147 * 148 * In order to set the privileges, the setting process will need to 149 * have those privileges in its effective set in order to prevent 150 * specially privileged processes to easily gain additional privileges. 151 * Pre-existing privileges can be retained. To change any privileges, 152 * PRIV_PROC_OWNER needs to be asserted. 153 * 154 * In formula: 155 * 156 * S' <= S || S' <= S + Ea 157 * 158 * the new set must either be subset of the old set or a subset of 159 * the oldset merged with the effective set of the acting process; or just: 160 * 161 * S' <= S + Ea 162 * 163 * It's not legal to grow the limit set this way. 164 * 165 */ 166 int 167 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr) 168 { 169 cred_t *oldcred; 170 cred_t *newcred; 171 int i; 172 int err = EPERM; 173 cred_priv_t *cp, *ocp; 174 priv_set_t eset; 175 176 ASSERT(MUTEX_HELD(&p->p_lock)); 177 178 /* 179 * Set must have proper dimension; infosize must be absent 180 * or properly sized. 181 */ 182 if (prpriv->pr_nsets != PRIV_NSET || 183 prpriv->pr_setsize != PRIV_SETSIZE || 184 (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 || 185 prpriv->pr_infosize > priv_info->priv_infosize || 186 prpriv->pr_infosize < 0) 187 return (EINVAL); 188 189 mutex_exit(&p->p_lock); 190 191 if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) { 192 mutex_enter(&p->p_lock); 193 return (EPERM); 194 } 195 196 newcred = crdup(oldcred); 197 198 /* Copy the privilege sets from prpriv to newcred */ 199 bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES); 200 201 cp = &newcred->cr_priv; 202 ocp = &oldcred->cr_priv; 203 eset = CR_OEPRIV(cr); 204 205 priv_intersect(&CR_LPRIV(oldcred), &eset); 206 207 /* 208 * Verify the constraints laid out: 209 * for the limit set, we require that the new set is a subset 210 * of the old limit set. 211 * for all other sets, we require that the new set is either a 212 * subset of the old set or a subset of the intersection of 213 * the old limit set and the effective set of the acting process. 214 */ 215 for (i = 0; i < PRIV_NSET; i++) 216 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) && 217 (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset))) 218 break; 219 220 crfree(oldcred); 221 222 if (i < PRIV_NSET || !priv_valid(newcred)) 223 goto err; 224 225 /* Load the settable privilege information */ 226 if (prpriv->pr_infosize > 0) { 227 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv); 228 char *lastx = x + prpriv->pr_infosize; 229 230 while (x < lastx) { 231 priv_info_t *pi = (priv_info_t *)x; 232 priv_info_uint_t *pii; 233 234 switch (pi->priv_info_type) { 235 case PRIV_INFO_FLAGS: 236 pii = (priv_info_uint_t *)x; 237 if (pii->info.priv_info_size != sizeof (*pii)) { 238 err = EINVAL; 239 goto err; 240 } 241 CR_FLAGS(newcred) &= ~PRIV_USER; 242 CR_FLAGS(newcred) |= (pii->val & PRIV_USER); 243 break; 244 default: 245 err = EINVAL; 246 goto err; 247 } 248 /* Guarantee alignment and forward progress */ 249 if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) || 250 pi->priv_info_size < sizeof (*pi) || 251 lastx - x > pi->priv_info_size) { 252 err = EINVAL; 253 goto err; 254 } 255 256 x += pi->priv_info_size; 257 } 258 } 259 260 /* 261 * We'll try to copy the privilege aware flag; but since the 262 * privileges sets are all individually set, they are set 263 * as if we're privilege aware. If PRIV_AWARE wasn't set 264 * or was explicitely unset, we need to set the flag and then 265 * try to get rid of it. 266 */ 267 if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) { 268 CR_FLAGS(newcred) |= PRIV_AWARE; 269 priv_adjust_PA(newcred); 270 } 271 272 mutex_enter(&p->p_crlock); 273 oldcred = p->p_cred; 274 p->p_cred = newcred; 275 mutex_exit(&p->p_crlock); 276 crfree(oldcred); 277 278 mutex_enter(&p->p_lock); 279 return (0); 280 281 err: 282 crfree(newcred); 283 mutex_enter(&p->p_lock); 284 return (err); 285 } 286 287 priv_impl_info_t 288 *priv_hold_implinfo(void) 289 { 290 rw_enter(&privinfo_lock, RW_READER); 291 return (priv_info); 292 } 293 294 void 295 priv_release_implinfo(void) 296 { 297 rw_exit(&privinfo_lock); 298 } 299 300 size_t 301 priv_get_implinfo_size(void) 302 { 303 return (privinfosize); 304 } 305 306 307 /* 308 * Return the nth privilege set 309 */ 310 const priv_set_t * 311 priv_getset(const cred_t *cr, int set) 312 { 313 ASSERT(PRIV_VALIDSET(set)); 314 315 if ((CR_FLAGS(cr) & PRIV_AWARE) == 0) 316 switch (set) { 317 case PRIV_EFFECTIVE: 318 return (&CR_OEPRIV(cr)); 319 case PRIV_PERMITTED: 320 return (&CR_OPPRIV(cr)); 321 } 322 return (&CR_PRIVS(cr)->crprivs[set]); 323 } 324 325 /* 326 * Buf must be allocated by caller and contain sufficient space to 327 * contain all additional info structures using priv_info.priv_infosize. 328 * The buffer must be properly aligned. 329 */ 330 /*ARGSUSED*/ 331 void 332 priv_getinfo(const cred_t *cr, void *buf) 333 { 334 struct priv_info_uint *ii; 335 336 ii = buf; 337 ii->val = CR_FLAGS(cr); 338 ii->info.priv_info_size = (uint32_t)sizeof (*ii); 339 ii->info.priv_info_type = PRIV_INFO_FLAGS; 340 } 341 342 int 343 priv_getbyname(const char *name, uint_t flag) 344 { 345 int i; 346 int wheld = 0; 347 int len; 348 char *p; 349 350 if (flag != 0 && flag != PRIV_ALLOC) 351 return (-EINVAL); 352 353 if (strncasecmp(name, "priv_", 5) == 0) 354 name += 5; 355 356 rw_enter(&privinfo_lock, RW_READER); 357 rescan: 358 for (i = 0; i < nprivs; i++) 359 if (strcasecmp(priv_names[i], name) == 0) { 360 rw_exit(&privinfo_lock); 361 return (i); 362 } 363 364 365 if (!wheld) { 366 if (!(flag & PRIV_ALLOC)) { 367 rw_exit(&privinfo_lock); 368 return (-EINVAL); 369 } 370 371 /* check length, validity and available space */ 372 len = strlen(name) + 1; 373 374 if (len > PRIVNAME_MAX) { 375 rw_exit(&privinfo_lock); 376 return (-ENAMETOOLONG); 377 } 378 379 for (p = (char *)name; *p != '\0'; p++) { 380 char c = *p; 381 382 if (!((c >= 'A' && c <= 'Z') || 383 (c >= 'a' && c <= 'z') || 384 (c >= '0' && c <= '9') || 385 c == '_')) { 386 rw_exit(&privinfo_lock); 387 return (-EINVAL); 388 } 389 } 390 391 if (!rw_tryupgrade(&privinfo_lock)) { 392 rw_exit(&privinfo_lock); 393 rw_enter(&privinfo_lock, RW_WRITER); 394 wheld = 1; 395 /* Someone may have added our privilege */ 396 goto rescan; 397 } 398 } 399 400 if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) { 401 rw_exit(&privinfo_lock); 402 return (-ENOMEM); 403 } 404 405 priv_names[i] = p = priv_str + privbytes; 406 407 bcopy(name, p, len); 408 409 /* make the priv_names[i] and privilege name globally visible */ 410 membar_producer(); 411 412 /* adjust priv count and bytes count */ 413 priv_ninfo->cnt = priv_info->priv_max = ++nprivs; 414 privbytes += len; 415 416 rw_exit(&privinfo_lock); 417 return (i); 418 } 419 420 /* 421 * We can't afford locking the privileges here because of the locations 422 * we call this from; so we make sure that the privileges table 423 * is visible to us; it is made visible before the value of nprivs is 424 * updated. 425 */ 426 const char * 427 priv_getbynum(int priv) 428 { 429 int maxpriv = nprivs; 430 431 membar_consumer(); 432 433 if (priv >= 0 && priv < maxpriv) 434 return (priv_names[priv]); 435 436 return (NULL); 437 } 438 439 const char * 440 priv_getsetbynum(int setno) 441 { 442 if (!PRIV_VALIDSET(setno)) 443 return (NULL); 444 445 return (priv_setnames[setno]); 446 } 447 448 /* 449 * Privilege sanity checking when setting: E <= P. 450 */ 451 static boolean_t 452 priv_valid(const cred_t *cr) 453 { 454 return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr))); 455 } 456 457 /* 458 * Privilege manipulation functions 459 * 460 * Without knowing the details of the privilege set implementation, 461 * opaque pointers can be used to manipulate sets at will. 462 */ 463 void 464 priv_emptyset(priv_set_t *set) 465 { 466 bzero(set, sizeof (*set)); 467 } 468 469 void 470 priv_fillset(priv_set_t *set) 471 { 472 int i; 473 474 /* memset? */ 475 for (i = 0; i < PRIV_SETSIZE; i++) 476 set->pbits[i] = ~(priv_chunk_t)0; 477 } 478 479 void 480 priv_addset(priv_set_t *set, int priv) 481 { 482 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 483 __PRIV_ADDSET(set, priv); 484 } 485 486 void 487 priv_delset(priv_set_t *set, int priv) 488 { 489 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 490 __PRIV_DELSET(set, priv); 491 } 492 493 boolean_t 494 priv_ismember(const priv_set_t *set, int priv) 495 { 496 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 497 return (__PRIV_ISMEMBER(set, priv) ? B_TRUE : B_FALSE); 498 } 499 500 #define PRIV_TEST_BODY(test) \ 501 int i; \ 502 \ 503 for (i = 0; i < PRIV_SETSIZE; i++) \ 504 if (!(test)) \ 505 return (B_FALSE); \ 506 \ 507 return (B_TRUE) 508 509 boolean_t 510 priv_isequalset(const priv_set_t *a, const priv_set_t *b) 511 { 512 return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0)); 513 } 514 515 boolean_t 516 priv_isemptyset(const priv_set_t *set) 517 { 518 PRIV_TEST_BODY(set->pbits[i] == 0); 519 } 520 521 boolean_t 522 priv_isfullset(const priv_set_t *set) 523 { 524 PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0); 525 } 526 527 /* 528 * Return true if a is a subset of b 529 */ 530 boolean_t 531 priv_issubset(const priv_set_t *a, const priv_set_t *b) 532 { 533 PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]); 534 } 535 536 #define PRIV_CHANGE_BODY(a, op, b) \ 537 int i; \ 538 \ 539 for (i = 0; i < PRIV_SETSIZE; i++) \ 540 a->pbits[i] op b->pbits[i] 541 542 /* B = A ^ B */ 543 void 544 priv_intersect(const priv_set_t *a, priv_set_t *b) 545 { 546 /* CSTYLED */ 547 PRIV_CHANGE_BODY(b, &=, a); 548 } 549 550 /* B = A v B */ 551 void 552 priv_union(const priv_set_t *a, priv_set_t *b) 553 { 554 /* CSTYLED */ 555 PRIV_CHANGE_BODY(b, |=, a); 556 } 557 558 /* A = ! A */ 559 void 560 priv_inverse(priv_set_t *a) 561 { 562 PRIV_CHANGE_BODY(a, = ~, a); 563 } 564 565 /* 566 * Can the source cred act on the target credential? 567 * 568 * We will you allow to gain uids this way but not privileges. 569 */ 570 int 571 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode) 572 { 573 const priv_set_t *eset; 574 int idsmatch; 575 cred_t *tcr; 576 int res = 0; 577 578 /* prevent the cred from going away */ 579 mutex_enter(&tp->p_crlock); 580 crhold(tcr = tp->p_cred); 581 mutex_exit(&tp->p_crlock); 582 583 if (scr == tcr && !(tp->p_flag & SNOCD)) 584 goto out; 585 586 idsmatch = (scr->cr_uid == tcr->cr_uid && 587 scr->cr_uid == tcr->cr_ruid && 588 scr->cr_uid == tcr->cr_suid && 589 scr->cr_gid == tcr->cr_gid && 590 scr->cr_gid == tcr->cr_rgid && 591 scr->cr_gid == tcr->cr_sgid && 592 !(tp->p_flag & SNOCD)); 593 594 /* 595 * Source credential must have the proc_zone privilege if referencing 596 * a process in another zone. 597 */ 598 if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) { 599 res = EACCES; 600 goto out; 601 } 602 603 if (!(mode & VWRITE)) { 604 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0) 605 res = EACCES; 606 goto out; 607 } 608 609 /* 610 * For writing, the effective set of scr must dominate all sets of tcr, 611 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es 612 * The Limit set of scr must be a superset of the limitset of 613 * tcr. 614 */ 615 eset = &CR_OEPRIV(scr); 616 617 if (!priv_issubset(&CR_IPRIV(tcr), eset) || 618 !priv_issubset(&CR_OPPRIV(tcr), eset) || 619 !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) || 620 !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0) 621 res = EACCES; 622 623 out: 624 if (res == 0 && pcr != NULL) 625 *pcr = tcr; 626 else 627 crfree(tcr); 628 return (res); 629 } 630 631 /* 632 * Set the privilege aware bit, adding L to E/P if necessary. 633 * Each time we set it, we also clear PRIV_AWARE_RESET. 634 */ 635 void 636 priv_set_PA(cred_t *cr) 637 { 638 ASSERT(cr->cr_ref <= 2); 639 640 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE) 641 return; 642 643 CR_FLAGS(cr) |= PRIV_AWARE; 644 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET; 645 646 if (cr->cr_uid == 0) 647 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr)); 648 649 if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0) 650 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr)); 651 } 652 653 boolean_t 654 priv_can_clear_PA(const cred_t *cr) 655 { 656 /* 657 * We can clear PA in the following cases: 658 * 659 * None of the uids are 0. 660 * Any uid == 0 and P == L and (Euid != 0 or E == L) 661 */ 662 return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) || 663 priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) && 664 (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr)))); 665 } 666 667 /* 668 * Clear privilege aware bit if it is an idempotent operation and by 669 * clearing it the process cannot get to uid 0 and all privileges. 670 * 671 * This function should be called with caution as it may cause "E" to be 672 * lost once a processes assumes euid 0 again. 673 */ 674 void 675 priv_adjust_PA(cred_t *cr) 676 { 677 ASSERT(cr->cr_ref <= 2); 678 679 if (!(CR_FLAGS(cr) & PRIV_AWARE) || 680 !priv_can_clear_PA(cr)) { 681 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET; 682 return; 683 } 684 685 if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT) 686 return; 687 688 /* 689 * We now need to adjust P/E in those cases when uids 690 * are zero; the rules are P' = I & L, E' = I & L; 691 * but since P = L and E = L, we can use P &= I, E &= I, 692 * depending on which uids are 0. 693 */ 694 if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) { 695 if (cr->cr_uid == 0) 696 priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr)); 697 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr)); 698 } 699 700 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET); 701 } 702 703 /* 704 * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET 705 * flag. 706 */ 707 void 708 priv_reset_PA(cred_t *cr, boolean_t finalize) 709 { 710 ASSERT(cr->cr_ref <= 2); 711 712 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) != 713 (PRIV_AWARE|PRIV_AWARE_RESET)) { 714 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET; 715 return; 716 } 717 718 /* 719 * When PRIV_AWARE_RESET is enabled, any change of uids causes 720 * a change to the P and E sets. Bracketing with 721 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid) 722 * will cause the privilege sets "do the right thing.". 723 * When the change of the uid is "final", e.g., by using setuid(uid), 724 * or setreuid(uid, uid) or when the last set*uid() call causes all 725 * uids to be the same, we set P and E to I & L, like when you exec. 726 * We make an exception when all the uids are 0; this is required 727 * when we login as root as in that particular case we cannot 728 * make a distinction between seteuid(0) and seteuid(uid). 729 * We rely on seteuid/setreuid/setuid to tell us with the 730 * "finalize" argument that we no longer expect new uid changes, 731 * cf. setreuid(uid, uid) and setuid(uid). 732 */ 733 if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) { 734 if (finalize || cr->cr_uid != 0) { 735 CR_EPRIV(cr) = CR_IPRIV(cr); 736 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr)); 737 CR_PPRIV(cr) = CR_EPRIV(cr); 738 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET); 739 } else { 740 CR_EPRIV(cr) = CR_PPRIV(cr); 741 } 742 } else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) { 743 CR_EPRIV(cr) = CR_IPRIV(cr); 744 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr)); 745 } 746 }