Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/syscall/ppriv.c
+++ new/usr/src/uts/common/syscall/ppriv.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 */
24 24
25 25 #include <sys/param.h>
26 26 #include <sys/types.h>
27 27 #include <sys/sysmacros.h>
28 28 #include <sys/systm.h>
29 29 #include <sys/cred_impl.h>
30 30 #include <sys/errno.h>
31 31 #include <sys/klpd.h>
32 32 #include <sys/proc.h>
33 33 #include <sys/priv_impl.h>
34 34 #include <sys/policy.h>
35 35 #include <sys/ddi.h>
36 36 #include <sys/thread.h>
37 37 #include <sys/cmn_err.h>
38 38 #include <c2/audit.h>
39 39
40 40 /*
41 41 * System call support for manipulating privileges.
42 42 *
43 43 *
44 44 * setppriv(2) - set process privilege set
45 45 * getppriv(2) - get process privilege set
46 46 * getprivimplinfo(2) - get process privilege implementation information
47 47 * setpflags(2) - set process (privilege) flags
48 48 * getpflags(2) - get process (privilege) flags
49 49 */
50 50
51 51 /*
52 52 * setppriv (priv_op_t, priv_ptype_t, priv_set_t)
53 53 */
54 54 static int
55 55 setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
56 56 {
57 57 priv_set_t pset, *target;
58 58 cred_t *cr, *pcr;
59 59 proc_t *p;
60 60 boolean_t donocd = B_FALSE;
61 61
62 62 if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
63 63 return (set_errno(EINVAL));
64 64
65 65 if (copyin(in_pset, &pset, sizeof (priv_set_t)))
66 66 return (set_errno(EFAULT));
67 67
68 68 p = ttoproc(curthread);
69 69 cr = cralloc();
70 70 mutex_enter(&p->p_crlock);
71 71
72 72 retry:
73 73 pcr = p->p_cred;
74 74
75 75 if (AU_AUDITING())
76 76 audit_setppriv(op, type, &pset, pcr);
77 77
78 78 /*
79 79 * Filter out unallowed request (bad op and bad type)
80 80 */
81 81 switch (op) {
82 82 case PRIV_ON:
83 83 case PRIV_SET:
84 84 /*
85 85 * Turning on privileges; the limit set cannot grow,
86 86 * other sets can but only as long as they remain subsets
87 87 * of P. Only immediately after exec holds that P <= L.
88 88 */
89 89 if (type == PRIV_LIMIT &&
90 90 !priv_issubset(&pset, &CR_LPRIV(pcr))) {
91 91 mutex_exit(&p->p_crlock);
92 92 crfree(cr);
93 93 return (set_errno(EPERM));
94 94 }
95 95 if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
96 96 !priv_issubset(&pset, priv_getset(pcr, type))) {
97 97 mutex_exit(&p->p_crlock);
98 98 /* Policy override should not grow beyond L either */
99 99 if (type != PRIV_INHERITABLE ||
100 100 !priv_issubset(&pset, &CR_LPRIV(pcr)) ||
101 101 secpolicy_require_privs(CRED(), &pset) != 0) {
102 102 crfree(cr);
103 103 return (set_errno(EPERM));
104 104 }
105 105 mutex_enter(&p->p_crlock);
106 106 if (pcr != p->p_cred)
107 107 goto retry;
108 108 donocd = B_TRUE;
109 109 }
110 110 break;
111 111
112 112 case PRIV_OFF:
113 113 /* PRIV_OFF is always allowed */
114 114 break;
115 115 }
116 116
117 117 /*
118 118 * OK! everything is cool.
119 119 * Do cred COW.
120 120 */
121 121 crcopy_to(pcr, cr);
122 122
123 123 /*
124 124 * If we change the effective, permitted or limit set, we attain
125 125 * "privilege awareness".
126 126 */
127 127 if (type != PRIV_INHERITABLE)
128 128 priv_set_PA(cr);
129 129
130 130 target = &(CR_PRIVS(cr)->crprivs[type]);
131 131
132 132 switch (op) {
133 133 case PRIV_ON:
134 134 priv_union(&pset, target);
135 135 break;
136 136 case PRIV_OFF:
137 137 priv_inverse(&pset);
138 138 priv_intersect(target, &pset);
139 139
140 140 /*
141 141 * Fall-thru to set target and change other process
142 142 * privilege sets.
143 143 */
144 144 /*FALLTHRU*/
145 145
146 146 case PRIV_SET:
147 147 *target = pset;
148 148
149 149 /*
150 150 * Take privileges no longer permitted out
151 151 * of other effective sets as well.
152 152 * Limit set is enforced at exec() time.
153 153 */
154 154 if (type == PRIV_PERMITTED)
155 155 priv_intersect(&pset, &CR_EPRIV(cr));
156 156 break;
157 157 }
158 158
159 159 /*
160 160 * When we give up privileges not in the inheritable set,
161 161 * set SNOCD if not already set; first we compute the
162 162 * privileges removed from P using Diff = (~P') & P
163 163 * and then we check whether the removed privileges are
164 164 * a subset of I. If we retain uid 0, all privileges
165 165 * are required anyway so don't set SNOCD.
166 166 */
167 167 if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
168 168 cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
169 169 priv_set_t diff = CR_OPPRIV(cr);
170 170 priv_inverse(&diff);
171 171 priv_intersect(&CR_OPPRIV(pcr), &diff);
172 172 donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
173 173 }
174 174
175 175 p->p_cred = cr;
176 176 mutex_exit(&p->p_crlock);
177 177
178 178 if (donocd) {
179 179 mutex_enter(&p->p_lock);
|
↓ open down ↓ |
179 lines elided |
↑ open up ↑ |
180 180 p->p_flag |= SNOCD;
181 181 mutex_exit(&p->p_lock);
182 182 }
183 183
184 184 /*
185 185 * The basic_test privilege should not be removed from E;
186 186 * if that has happened, then some programmer typically set the E/P to
187 187 * empty. That is not portable.
188 188 */
189 189 if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
190 - priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
190 + priv_basic_test >= 0 && !PRIV_ISMEMBER(target, priv_basic_test)) {
191 191 proc_t *p = curproc;
192 192 pid_t pid = p->p_pid;
193 193 char *fn = PTOU(p)->u_comm;
194 194
195 195 cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
196 196 "removed from E/P", fn, pid);
197 197 }
198 198
199 199 crset(p, cr); /* broadcast to process threads */
200 200
201 201 return (0);
202 202 }
203 203
204 204 /*
205 205 * getppriv (priv_ptype_t, priv_set_t *)
206 206 */
207 207 static int
208 208 getppriv(priv_ptype_t type, priv_set_t *pset)
209 209 {
210 210 if (!PRIV_VALIDSET(type))
211 211 return (set_errno(EINVAL));
212 212
213 213 if (copyout(priv_getset(CRED(), type), pset, sizeof (priv_set_t)) != 0)
214 214 return (set_errno(EFAULT));
215 215
216 216 return (0);
217 217 }
218 218
219 219 static int
220 220 getprivimplinfo(void *buf, size_t bufsize)
221 221 {
222 222 int err;
223 223
224 224 err = copyout(priv_hold_implinfo(), buf, min(bufsize, privinfosize));
225 225
226 226 priv_release_implinfo();
227 227
228 228 if (err)
229 229 return (set_errno(EFAULT));
230 230
231 231 return (0);
232 232 }
233 233
234 234 /*
235 235 * Set process flags in the given target cred. If NULL is specified, then
236 236 * CRED() is used; otherwise the cred is assumed to be modifiable (i.e. newly
237 237 * crdup'ed, or equivalent). Some flags are set in the proc rather than cred;
238 238 * for these, curproc is always used.
239 239 *
240 240 * For now we cheat: the flags are actually bit masks so we can simplify
241 241 * some; we do make sure that the arguments are valid, though.
242 242 */
243 243
244 244 int
245 245 setpflags(uint_t flag, uint_t val, cred_t *tcr)
246 246 {
247 247 cred_t *cr, *pcr;
248 248 proc_t *p = curproc;
249 249 uint_t newflags;
250 250 boolean_t use_curcred = (tcr == NULL);
251 251
252 252 if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
253 253 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
254 254 flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
255 255 flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
256 256 return (EINVAL);
257 257 }
258 258
259 259 if (flag == __PROC_PROTECT) {
260 260 mutex_enter(&p->p_lock);
261 261 if (val == 0)
262 262 p->p_flag &= ~SNOCD;
263 263 else
264 264 p->p_flag |= SNOCD;
265 265 mutex_exit(&p->p_lock);
266 266 return (0);
267 267 }
268 268
269 269 if (use_curcred) {
270 270 cr = cralloc();
271 271 mutex_enter(&p->p_crlock);
272 272 pcr = p->p_cred;
273 273 } else {
274 274 cr = pcr = tcr;
275 275 }
276 276
277 277 newflags = CR_FLAGS(pcr);
278 278
279 279 if (val != 0) {
280 280 if (flag == PRIV_AWARE)
281 281 newflags &= ~PRIV_AWARE_RESET;
282 282 newflags |= flag;
283 283 } else {
284 284 newflags &= ~flag;
285 285 }
286 286
287 287 /* No change */
288 288 if (CR_FLAGS(pcr) == newflags) {
289 289 if (use_curcred) {
290 290 mutex_exit(&p->p_crlock);
291 291 crfree(cr);
292 292 }
293 293 return (0);
294 294 }
295 295
296 296 /*
297 297 * Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
298 298 * flags is a restricted operation.
299 299 *
300 300 * When invoked via the PRIVSYS_SETPFLAGS syscall
301 301 * we require that the current cred has the net_mac_aware
302 302 * privilege in its effective set.
303 303 *
304 304 * When called from within the kernel by label-aware
305 305 * services such as NFS, we don't require a privilege check.
306 306 *
307 307 */
308 308 if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
309 309 (val == 1) && use_curcred) {
310 310 if (secpolicy_net_mac_aware(pcr) != 0) {
311 311 mutex_exit(&p->p_crlock);
312 312 crfree(cr);
313 313 return (EPERM);
314 314 }
315 315 }
316 316
317 317 /* Trying to unset PA; if we can't, return an error */
318 318 if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
319 319 if (use_curcred) {
320 320 mutex_exit(&p->p_crlock);
321 321 crfree(cr);
322 322 }
323 323 return (EPERM);
324 324 }
325 325
326 326 /* Committed to changing the flag */
327 327 if (use_curcred)
328 328 crcopy_to(pcr, cr);
329 329 if (flag == PRIV_AWARE) {
330 330 if (val != 0)
331 331 priv_set_PA(cr);
332 332 else
333 333 priv_adjust_PA(cr);
334 334 } else {
335 335 CR_FLAGS(cr) = newflags;
336 336 }
337 337
338 338 /*
339 339 * Unsetting the flag has as side effect getting rid of
340 340 * the per-credential policy.
341 341 */
342 342 if (flag == PRIV_XPOLICY && val == 0)
343 343 crsetcrklpd(cr, NULL);
344 344
345 345 if (use_curcred) {
346 346 p->p_cred = cr;
347 347 mutex_exit(&p->p_crlock);
348 348 crset(p, cr);
349 349 }
350 350
351 351 return (0);
352 352 }
353 353
354 354 /*
355 355 * Getpflags. Currently only implements single bit flags.
356 356 */
357 357 uint_t
358 358 getpflags(uint_t flag, const cred_t *cr)
359 359 {
360 360 if (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
361 361 flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
362 362 flag != PRIV_XPOLICY && flag != PRIV_PFEXEC &&
363 363 flag != PRIV_AWARE_RESET)
364 364 return ((uint_t)-1);
365 365
366 366 return ((CR_FLAGS(cr) & flag) != 0);
367 367 }
368 368
369 369 /*
370 370 * Privilege system call entry point
371 371 */
372 372 int
373 373 privsys(int code, priv_op_t op, priv_ptype_t type, void *buf, size_t bufsize,
374 374 int itype)
375 375 {
376 376 int retv;
377 377 extern int issetugid(void);
378 378
379 379 switch (code) {
380 380 case PRIVSYS_SETPPRIV:
381 381 if (bufsize < sizeof (priv_set_t))
382 382 return (set_errno(ENOMEM));
383 383 return (setppriv(op, type, buf));
384 384 case PRIVSYS_GETPPRIV:
385 385 if (bufsize < sizeof (priv_set_t))
386 386 return (set_errno(ENOMEM));
387 387 return (getppriv(type, buf));
388 388 case PRIVSYS_GETIMPLINFO:
389 389 return (getprivimplinfo(buf, bufsize));
390 390 case PRIVSYS_SETPFLAGS:
391 391 retv = setpflags((uint_t)op, (uint_t)type, NULL);
392 392 return (retv != 0 ? set_errno(retv) : 0);
393 393 case PRIVSYS_GETPFLAGS:
394 394 retv = (int)getpflags((uint_t)op, CRED());
395 395 return (retv == -1 ? set_errno(EINVAL) : retv);
396 396 case PRIVSYS_ISSETUGID:
397 397 return (issetugid());
398 398 case PRIVSYS_KLPD_REG:
399 399 if (bufsize < sizeof (priv_set_t))
400 400 return (set_errno(ENOMEM));
401 401 return ((int)klpd_reg((int)op, (idtype_t)itype, (id_t)type,
402 402 buf));
403 403 case PRIVSYS_KLPD_UNREG:
404 404 return ((int)klpd_unreg((int)op, (idtype_t)itype, (id_t)type));
405 405 case PRIVSYS_PFEXEC_REG:
406 406 return ((int)pfexec_reg((int)op));
407 407 case PRIVSYS_PFEXEC_UNREG:
408 408 return ((int)pfexec_unreg((int)op));
409 409 }
410 410 return (set_errno(EINVAL));
411 411 }
412 412
413 413 #ifdef _SYSCALL32_IMPL
414 414 int
415 415 privsys32(int code, priv_op_t op, priv_ptype_t type, caddr32_t buf,
416 416 size32_t bufsize, int itype)
417 417 {
418 418 return (privsys(code, op, type, (void *)(uintptr_t)buf,
419 419 (size_t)bufsize, itype));
420 420 }
421 421 #endif
|
↓ open down ↓ |
221 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX