1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24 
  25 #include <sys/param.h>
  26 #include <sys/types.h>
  27 #include <sys/sysmacros.h>
  28 #include <sys/systm.h>
  29 #include <sys/cred_impl.h>
  30 #include <sys/errno.h>
  31 #include <sys/klpd.h>
  32 #include <sys/proc.h>
  33 #include <sys/priv_impl.h>
  34 #include <sys/policy.h>
  35 #include <sys/ddi.h>
  36 #include <sys/thread.h>
  37 #include <sys/cmn_err.h>
  38 #include <c2/audit.h>
  39 
  40 /*
  41  * System call support for manipulating privileges.
  42  *
  43  *
  44  * setppriv(2) - set process privilege set
  45  * getppriv(2) - get process privilege set
  46  * getprivimplinfo(2) - get process privilege implementation information
  47  * setpflags(2) - set process (privilege) flags
  48  * getpflags(2) - get process (privilege) flags
  49  */
  50 
  51 /*
  52  * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
  53  */
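/*
 * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
 *
 * Apply op (PRIV_ON, PRIV_OFF or PRIV_SET) with the user-supplied set
 * in_pset to the privilege set selected by type in the calling process's
 * cred.  The existing cred is never modified in place: a fresh cred is
 * built by copy-on-write, installed as p_cred under p_crlock, and then
 * broadcast to the process's threads with crset().
 *
 * Returns 0 on success, otherwise the value of set_errno() with
 *   EINVAL - op or type is out of range,
 *   EFAULT - in_pset could not be copied in,
 *   EPERM  - the request would grow a set beyond what the old P (or the
 *            current set of that type), L, or policy permit.
 * PRIV_OFF never fails the permission check.
 */
static int
setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
{
	priv_set_t	pset, *target;
	cred_t		*cr, *pcr;
	proc_t		*p;
	boolean_t	donocd = B_FALSE;

	if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
		return (set_errno(EINVAL));

	/* Copy the set in once, before any lock is held; all checks use pset. */
	if (copyin(in_pset, &pset, sizeof (priv_set_t)))
		return (set_errno(EFAULT));

	p = ttoproc(curthread);
	/* Allocate the replacement cred before taking p_crlock. */
	cr = cralloc();
	mutex_enter(&p->p_crlock);

retry:
	pcr = p->p_cred;

	/* Audit the request against the cred it will be checked against. */
	if (AU_AUDITING())
		audit_setppriv(op, type, &pset, pcr);

	/*
	 * Filter out unallowed request (bad op and bad type)
	 */
	switch (op) {
	case PRIV_ON:
	case PRIV_SET:
		/*
		 * Turning on privileges; the limit set cannot grow,
		 * other sets can but only as long as they remain subsets
		 * of P.  Only immediately after exec holds that P <= L.
		 */
		if (type == PRIV_LIMIT &&
		    !priv_issubset(&pset, &CR_LPRIV(pcr))) {
			mutex_exit(&p->p_crlock);
			crfree(cr);
			return (set_errno(EPERM));
		}
		if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
		    !priv_issubset(&pset, priv_getset(pcr, type))) {
			/*
			 * The policy check runs with p_crlock dropped; if
			 * p_cred changed meanwhile, the whole evaluation
			 * (audit included) is redone against the new cred.
			 */
			mutex_exit(&p->p_crlock);
			/* Policy override should not grow beyond L either */
			if (type != PRIV_INHERITABLE ||
			    !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
			    secpolicy_require_privs(CRED(), &pset) != 0) {
				crfree(cr);
				return (set_errno(EPERM));
			}
			mutex_enter(&p->p_crlock);
			if (pcr != p->p_cred)
				goto retry;
			/* Granted by policy override: SNOCD is set below. */
			donocd = B_TRUE;
		}
		break;

	case PRIV_OFF:
		/* PRIV_OFF is always allowed */
		break;
	}

	/*
	 * OK! everything is cool.
	 * Do cred COW.
	 */
	crcopy_to(pcr, cr);

	/*
	 * If we change the effective, permitted or limit set, we attain
	 * "privilege awareness".
	 */
	if (type != PRIV_INHERITABLE)
		priv_set_PA(cr);

	/* target points into the new cred; pset is applied to it below. */
	target = &(CR_PRIVS(cr)->crprivs[type]);

	switch (op) {
	case PRIV_ON:
		priv_union(&pset, target);
		break;
	case PRIV_OFF:
		/* Compute target & ~pset into pset, then store it as the set. */
		priv_inverse(&pset);
		priv_intersect(target, &pset);

		/*
		 * Fall-thru to set target and change other process
		 * privilege sets.
		 */
		/*FALLTHRU*/

	case PRIV_SET:
		*target = pset;

		/*
		 * Take privileges no longer permitted out
		 * of other effective sets as well.
		 * Limit set is enforced at exec() time.
		 */
		if (type == PRIV_PERMITTED)
			priv_intersect(&pset, &CR_EPRIV(cr));
		break;
	}

	/*
	 * When we give up privileges not in the inheritable set,
	 * set SNOCD if not already set; first we compute the
	 * privileges removed from P using Diff = (~P') & P
	 * and then we check whether the removed privileges are
	 * a subset of I.  If we retain uid 0, all privileges
	 * are required anyway so don't set SNOCD.
	 *
	 * NOTE(review): pcr is read here after crcopy_to() released the
	 * reference it consumed; presumably the calling thread's own cred
	 * reference keeps pcr alive until crset() below - confirm.
	 */
	if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
	    cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
		priv_set_t diff = CR_OPPRIV(cr);
		priv_inverse(&diff);
		priv_intersect(&CR_OPPRIV(pcr), &diff);
		donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
	}

	p->p_cred = cr;
	mutex_exit(&p->p_crlock);

	/* p_flag is protected by p_lock, not p_crlock; never hold both here. */
	if (donocd) {
		mutex_enter(&p->p_lock);
		p->p_flag |= SNOCD;
		mutex_exit(&p->p_lock);
	}

	/*
	 * The basic_test privilege should not be removed from E;
	 * if that has happened, then some programmer typically set the E/P to
	 * empty. That is not portable.
	 *
	 * 'p' is already the calling process; the former inner declaration
	 * of a second 'p' (= curproc) shadowed it and has been dropped.
	 */
	if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
	    priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
		cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
		    "removed from E/P", PTOU(p)->u_comm, p->p_pid);
	}

	crset(p, cr);		/* broadcast to process threads */

	return (0);
}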
 203 
 204 /*
 205  * getppriv (priv_ptype_t, priv_set_t *)
 206  */
/*
 * getppriv (priv_ptype_t, priv_set_t *)
 *
 * Copy the calling thread's privilege set of the given type out to the
 * user buffer pset.  Returns 0, or set_errno() with EINVAL for an
 * unknown type and EFAULT when the copyout fails.
 */
static int
getppriv(priv_ptype_t type, priv_set_t *pset)
{
	const priv_set_t *src;

	if (!PRIV_VALIDSET(type))
		return (set_errno(EINVAL));

	/* The set is read from the thread cred; nothing is modified. */
	src = priv_getset(CRED(), type);
	if (copyout(src, pset, sizeof (*pset)) == 0)
		return (0);

	return (set_errno(EFAULT));
}
 218 
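/*
 * getprivimplinfo (void *, size_t)
 *
 * Copy the privilege implementation information out to buf.  At most
 * bufsize bytes are written: a buffer shorter than privinfosize gets a
 * truncated copy and no indication of the full size from this routine
 * (presumably the caller learns it from the copied header - confirm
 * against getprivimplinfo(2)).
 *
 * Returns 0, or set_errno(EFAULT) when the copyout fails.
 */
static int
getprivimplinfo(void *buf, size_t bufsize)
{
	int err;

	/*
	 * MIN() compares the two size_t operands at their own width; an
	 * int-typed min() would narrow a large user-supplied bufsize
	 * before the comparison.
	 */
	err = copyout(priv_hold_implinfo(), buf, MIN(bufsize, privinfosize));

	/* Drop the hold taken by priv_hold_implinfo() on every path. */
	priv_release_implinfo();

	if (err)
		return (set_errno(EFAULT));

	return (0);
}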
 233 
 234 /*
 235  * Set process flags in the given target cred.  If NULL is specified, then
 236  * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
 237  * crdup'ed, or equivalent).  Some flags are set in the proc rather than cred;
 238  * for these, curproc is always used.
 239  *
 * For now we cheat: the flags are bit masks, which lets the implementation
 * stay simple; we do make sure that the arguments are valid, though.
 242  */
 243 
int
setpflags(uint_t flag, uint_t val, cred_t *tcr)
{
	cred_t *cr, *pcr;
	proc_t *p = curproc;
	uint_t newflags;
	/*
	 * A NULL target means "the calling process's cred": that path does
	 * copy-on-write under p_crlock.  A non-NULL tcr is modified in place.
	 */
	boolean_t use_curcred = (tcr == NULL);

	/*
	 * Validate up front: val must be 0 or 1 and flag must be one of the
	 * named flags.  This routine returns plain errno values (no
	 * set_errno); privsys() maps them for the syscall path.
	 */
	if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
	    flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
	    flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
	    flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
		return (EINVAL);
	}

	/* __PROC_PROTECT lives in p_flag (SNOCD) of curproc, not in a cred. */
	if (flag == __PROC_PROTECT) {
		mutex_enter(&p->p_lock);
		if (val == 0)
			p->p_flag &= ~SNOCD;
		else
			p->p_flag |= SNOCD;
		mutex_exit(&p->p_lock);
		return (0);
	}

	/* Allocate before taking p_crlock; pcr is the cred being replaced. */
	if (use_curcred) {
		cr = cralloc();
		mutex_enter(&p->p_crlock);
		pcr = p->p_cred;
	} else {
		cr = pcr = tcr;
	}

	newflags = CR_FLAGS(pcr);

	/* Setting PRIV_AWARE also clears the pending PRIV_AWARE_RESET. */
	if (val != 0) {
		if (flag == PRIV_AWARE)
			newflags &= ~PRIV_AWARE_RESET;
		newflags |= flag;
	} else {
		newflags &= ~flag;
	}

	/* No change: release the lock and the unused cred, report success. */
	if (CR_FLAGS(pcr) == newflags) {
		if (use_curcred) {
			mutex_exit(&p->p_crlock);
			crfree(cr);
		}
		return (0);
	}

	/*
	 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
	 * flags is a restricted operation.
	 *
	 * When invoked via the PRIVSYS_SETPFLAGS syscall
	 * we require that the current cred has the net_mac_aware
	 * privilege in its effective set.
	 *
	 * When called from within the kernel by label-aware
	 * services such as NFS, we don't require a privilege check.
	 *
	 * Note that the check is keyed on use_curcred, i.e. on the caller
	 * passing a NULL tcr, and applies only when the flag is being set.
	 */
	if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
	    (val == 1) && use_curcred) {
		if (secpolicy_net_mac_aware(pcr) != 0) {
			mutex_exit(&p->p_crlock);
			crfree(cr);
			return (EPERM);
		}
	}

	/* Trying to unset PA; if we can't, return an error */
	if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
		if (use_curcred) {
			mutex_exit(&p->p_crlock);
			crfree(cr);
		}
		return (EPERM);
	}

	/* Committed to changing the flag */
	if (use_curcred)
		crcopy_to(pcr, cr);
	/*
	 * PRIV_AWARE is changed through the priv_*_PA() helpers rather than
	 * by storing newflags; newflags only served the no-change test above.
	 */
	if (flag == PRIV_AWARE) {
		if (val != 0)
			priv_set_PA(cr);
		else
			priv_adjust_PA(cr);
	} else {
		CR_FLAGS(cr) = newflags;
	}

	/*
	 * Unsetting the flag has as side effect getting rid of
	 * the per-credential policy.
	 */
	if (flag == PRIV_XPOLICY && val == 0)
		crsetcrklpd(cr, NULL);

	/* Publish the new cred, then broadcast it to the process's threads. */
	if (use_curcred) {
		p->p_cred = cr;
		mutex_exit(&p->p_crlock);
		crset(p, cr);
	}

	return (0);
}
 353 
 354 /*
 355  * Getpflags.  Currently only implements single bit flags.
 356  */
/*
 * Getpflags.  Currently only implements single bit flags.
 *
 * Returns 1 if flag is set in cr, 0 if it is clear, and (uint_t)-1 if
 * flag is not one of the recognised flags.  __PROC_PROTECT is a proc
 * flag and is deliberately not readable here.
 */
uint_t
getpflags(uint_t flag, const cred_t *cr)
{
	switch (flag) {
	case PRIV_DEBUG:
	case PRIV_AWARE:
	case NET_MAC_AWARE:
	case NET_MAC_AWARE_INHERIT:
	case PRIV_XPOLICY:
	case PRIV_PFEXEC:
	case PRIV_AWARE_RESET:
		return ((CR_FLAGS(cr) & flag) != 0);
	default:
		/* Unknown flag: privsys() turns this into EINVAL. */
		return ((uint_t)-1);
	}
}
 368 
 369 /*
 370  * Privilege system call entry point
 371  */
/*
 * Privilege system call entry point
 *
 * Dispatch on code to the handler for each PRIVSYS_* subcode; the meaning
 * of op, type, buf, bufsize and itype depends on the subcode.  Subcodes
 * that pass a whole priv_set_t through buf require bufsize to cover one,
 * otherwise ENOMEM is returned.  An unknown code yields EINVAL.
 */
int
privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
    int itype)
{
	extern int issetugid(void);
	int rc;
	int needs_set;

	/* SETPPRIV, GETPPRIV and KLPD_REG all transfer a full priv_set_t. */
	needs_set = (code == PRIVSYS_SETPPRIV || code == PRIVSYS_GETPPRIV ||
	    code == PRIVSYS_KLPD_REG);
	if (needs_set && bufsize < sizeof (priv_set_t))
		return (set_errno(ENOMEM));

	switch (code) {
	case PRIVSYS_SETPPRIV:
		return (setppriv(op, type, buf));
	case PRIVSYS_GETPPRIV:
		return (getppriv(type, buf));
	case PRIVSYS_GETIMPLINFO:
		return (getprivimplinfo(buf, bufsize));
	case PRIVSYS_SETPFLAGS:
		/* setpflags() returns a plain errno value; map it here. */
		rc = setpflags((uint_t)op, (uint_t)type, NULL);
		if (rc != 0)
			return (set_errno(rc));
		return (0);
	case PRIVSYS_GETPFLAGS:
		/* getpflags() reports an unknown flag as (uint_t)-1. */
		rc = (int)getpflags((uint_t)op, CRED());
		if (rc == -1)
			return (set_errno(EINVAL));
		return (rc);
	case PRIVSYS_ISSETUGID:
		return (issetugid());
	case PRIVSYS_KLPD_REG:
		return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
		    buf));
	case PRIVSYS_KLPD_UNREG:
		return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
	case PRIVSYS_PFEXEC_REG:
		return ((int)pfexec_reg((int)op));
	case PRIVSYS_PFEXEC_UNREG:
		return ((int)pfexec_unreg((int)op));
	default:
		return (set_errno(EINVAL));
	}
}
 412 
 413 #ifdef _SYSCALL32_IMPL
/*
 * 32-bit syscall entry: widen the ILP32 buffer pointer and size, then
 * hand off to privsys().  The return value is passed through unchanged.
 */
int
privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
    size32_t bufsize, int itype)
{
	void *ubuf = (void *)(uintptr_t)buf;
	size_t len = (size_t)bufsize;

	return (privsys(code, op, type, ubuf, len, itype));
}
 421 #endif