summaryrefslogtreecommitdiff
path: root/usr/src/uts/common/os
diff options
context:
space:
mode:
Diffstat (limited to 'usr/src/uts/common/os')
-rw-r--r--usr/src/uts/common/os/cred.c86
-rw-r--r--usr/src/uts/common/os/exec.c14
-rw-r--r--usr/src/uts/common/os/klpd.c722
-rw-r--r--usr/src/uts/common/os/policy.c161
-rw-r--r--usr/src/uts/common/os/project.c8
-rw-r--r--usr/src/uts/common/os/sysent.c6
6 files changed, 936 insertions, 61 deletions
diff --git a/usr/src/uts/common/os/cred.c b/usr/src/uts/common/os/cred.c
index 7b3709de38..b0bf2cb36a 100644
--- a/usr/src/uts/common/os/cred.c
+++ b/usr/src/uts/common/os/cred.c
@@ -62,6 +62,7 @@
#include <sys/tsol/label.h>
#include <sys/sid.h>
#include <sys/idmap.h>
+#include <sys/klpd.h>
#include <sys/varargs.h>
@@ -132,6 +133,9 @@ get_ephemeral_zsd(zone_t *zone)
return (eph_zsd);
}
+static cred_t *crdup_flags(cred_t *, int);
+static cred_t *cralloc_flags(int);
+
/*
* This function is called when a zone is destroyed
*/
@@ -236,17 +240,28 @@ cred_init(void)
/*
* Allocate (nearly) uninitialized cred_t.
*/
-cred_t *
-cralloc(void)
+static cred_t *
+cralloc_flags(int flgs)
{
- cred_t *cr = kmem_cache_alloc(cred_cache, KM_SLEEP);
+ cred_t *cr = kmem_cache_alloc(cred_cache, flgs);
+
+ if (cr == NULL)
+ return (NULL);
+
cr->cr_ref = 1; /* So we can crfree() */
cr->cr_zone = NULL;
cr->cr_label = NULL;
cr->cr_ksid = NULL;
+ cr->cr_klpd = NULL;
return (cr);
}
+cred_t *
+cralloc(void)
+{
+ return (cralloc_flags(KM_SLEEP));
+}
+
/*
* As cralloc but prepared for ksid change (if appropriate).
*/
@@ -273,6 +288,7 @@ crget(void)
zone_cred_hold(cr->cr_zone);
if (cr->cr_label)
label_hold(cr->cr_label);
+ ASSERT(cr->cr_klpd == NULL);
return (cr);
}
@@ -337,6 +353,8 @@ crfree(cred_t *cr)
ASSERT(cr != kcred);
if (cr->cr_label)
label_rele(cr->cr_label);
+ if (cr->cr_klpd)
+ crklpd_rele(cr->cr_klpd);
if (cr->cr_zone)
zone_cred_rele(cr->cr_zone);
if (cr->cr_ksid)
@@ -360,9 +378,11 @@ crcopy(cred_t *cr)
if (newcr->cr_zone)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
- label_hold(cr->cr_label);
+ label_hold(newcr->cr_label);
if (newcr->cr_ksid)
- kcrsid_hold(cr->cr_ksid);
+ kcrsid_hold(newcr->cr_ksid);
+ if (newcr->cr_klpd)
+ crklpd_hold(newcr->cr_klpd);
crfree(cr);
newcr->cr_ref = 2; /* caller gets two references */
return (newcr);
@@ -385,6 +405,8 @@ crcopy_to(cred_t *oldcr, cred_t *newcr)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
+ if (newcr->cr_klpd)
+ crklpd_hold(newcr->cr_klpd);
if (nkcr) {
newcr->cr_ksid = nkcr;
kcrsidcopy_to(oldcr->cr_ksid, newcr->cr_ksid);
@@ -398,23 +420,35 @@ crcopy_to(cred_t *oldcr, cred_t *newcr)
* Dup a cred struct to a new held one.
* The old cred is not freed.
*/
-cred_t *
-crdup(cred_t *cr)
+static cred_t *
+crdup_flags(cred_t *cr, int flgs)
{
cred_t *newcr;
- newcr = cralloc();
+ newcr = cralloc_flags(flgs);
+
+ if (newcr == NULL)
+ return (NULL);
+
bcopy(cr, newcr, crsize);
if (newcr->cr_zone)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
+ if (newcr->cr_klpd)
+ crklpd_hold(newcr->cr_klpd);
if (newcr->cr_ksid)
kcrsid_hold(newcr->cr_ksid);
newcr->cr_ref = 1;
return (newcr);
}
+cred_t *
+crdup(cred_t *cr)
+{
+ return (crdup_flags(cr, KM_SLEEP));
+}
+
/*
* Dup a cred struct to a new held one.
* The old cred is not freed.
@@ -431,6 +465,8 @@ crdup_to(cred_t *oldcr, cred_t *newcr)
zone_cred_hold(newcr->cr_zone);
if (newcr->cr_label)
label_hold(newcr->cr_label);
+ if (newcr->cr_klpd)
+ crklpd_hold(newcr->cr_klpd);
if (nkcr) {
newcr->cr_ksid = nkcr;
kcrsidcopy_to(oldcr->cr_ksid, newcr->cr_ksid);
@@ -531,7 +567,7 @@ hasprocperm(const cred_t *tcrp, const cred_t *scrp)
* This interface replaces hasprocperm; it works like hasprocperm but
* additionally returns success if the proc_t's match
* It is the preferred interface for most uses.
- * And it will acquire pcrlock itself, so it assert's that it shouldn't
+ * And it will acquire p_crlock itself, so it assert's that it shouldn't
* be held.
*/
int
@@ -549,9 +585,10 @@ prochasprocperm(proc_t *tp, proc_t *sp, const cred_t *scrp)
return (0);
mutex_enter(&tp->p_crlock);
- tcrp = tp->p_cred;
- rets = hasprocperm(tcrp, scrp);
+ crhold(tcrp = tp->p_cred);
mutex_exit(&tp->p_crlock);
+ rets = hasprocperm(tcrp, scrp);
+ crfree(tcrp);
return (rets);
}
@@ -972,8 +1009,7 @@ newcred_from_bslabel(bslabel_t *blabel, uint32_t doi, int flags)
cred_t *cr = NULL;
if (lbl != NULL) {
- if ((cr = kmem_cache_alloc(cred_cache, flags)) != NULL) {
- bcopy(dummycr, cr, crsize);
+ if ((cr = crdup_flags(dummycr, flags)) != NULL) {
cr->cr_label = lbl;
} else {
label_rele(lbl);
@@ -995,12 +1031,10 @@ copycred_from_bslabel(cred_t *cr, bslabel_t *blabel, uint32_t doi, int flags)
cred_t *newcr = NULL;
if (lbl != NULL) {
- if ((newcr = kmem_cache_alloc(cred_cache, flags)) != NULL) {
- bcopy(cr, newcr, crsize);
- if (newcr->cr_zone)
- zone_cred_hold(newcr->cr_zone);
+ if ((newcr = crdup_flags(cr, flags)) != NULL) {
+ if (newcr->cr_label != NULL)
+ label_rele(newcr->cr_label);
newcr->cr_label = lbl;
- newcr->cr_ref = 1;
} else {
label_rele(lbl);
}
@@ -1245,3 +1279,19 @@ crsetpriv(cred_t *cr, ...)
va_end(ap);
return (0);
}
+
+struct credklpd *
+crgetcrklpd(const cred_t *cr)
+{
+ return (cr->cr_klpd);
+}
+
+void
+crsetcrklpd(cred_t *cr, struct credklpd *crklpd)
+{
+ ASSERT(cr->cr_ref <= 2);
+
+ if (cr->cr_klpd != NULL)
+ crklpd_rele(cr->cr_klpd);
+ cr->cr_klpd = crklpd;
+}
diff --git a/usr/src/uts/common/os/exec.c b/usr/src/uts/common/os/exec.c
index 9ac97c3146..1162410939 100644
--- a/usr/src/uts/common/os/exec.c
+++ b/usr/src/uts/common/os/exec.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -145,9 +145,6 @@ exec_common(const char *fname, const char **argp, const char **envp,
if (curthread == p->p_agenttp)
return (ENOTSUP);
- if ((error = secpolicy_basic_exec(CRED())) != 0)
- return (error);
-
if (brand_action != EBA_NONE) {
/*
* Brand actions are not supported for processes that are not
@@ -229,6 +226,15 @@ exec_common(const char *fname, const char **argp, const char **envp,
goto out;
}
+ if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
+ if (dir != NULL)
+ VN_RELE(dir);
+ pn_free(&resolvepn);
+ pn_free(&pn);
+ VN_RELE(vp);
+ goto out;
+ }
+
/*
* We do not allow executing files in attribute directories.
* We test this by determining whether the resolved path
diff --git a/usr/src/uts/common/os/klpd.c b/usr/src/uts/common/os/klpd.c
new file mode 100644
index 0000000000..dc22fc5c41
--- /dev/null
+++ b/usr/src/uts/common/os/klpd.c
@@ -0,0 +1,722 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <sys/atomic.h>
+#include <sys/door.h>
+#include <sys/proc.h>
+#include <sys/cred_impl.h>
+#include <sys/policy.h>
+#include <sys/priv.h>
+#include <sys/klpd.h>
+#include <sys/errno.h>
+#include <sys/kmem.h>
+#include <sys/project.h>
+#include <sys/systm.h>
+#include <sys/sysmacros.h>
+#include <sys/pathname.h>
+#include <sys/varargs.h>
+#include <sys/zone.h>
+#include <netinet/in.h>
+
+#define ROUNDUP(a, n) (((a) + ((n) - 1)) & ~((n) - 1))
+
+static kmutex_t klpd_mutex;
+
+typedef struct klpd_reg {
+ struct klpd_reg *klpd_next;
+ struct klpd_reg **klpd_refp;
+ door_handle_t klpd_door;
+ pid_t klpd_door_pid;
+ priv_set_t klpd_pset;
+ cred_t *klpd_cred;
+ int klpd_indel; /* Disabled */
+ uint32_t klpd_ref;
+} klpd_reg_t;
+
+
+/*
+ * This data structure hangs off the credential of a process; the
+ * credential is finalized and cannot be changed; but this structure
+ * can be changed when a new door server for the particular group
+ * needs to be registered. It is refcounted and shared between
+ * processes with common ancestry.
+ *
+ * The reference count is atomically updated.
+ *
+ * But the registration probably needs to be updated under a lock.
+ */
+typedef struct credklpd {
+ kmutex_t crkl_lock;
+ klpd_reg_t *crkl_reg;
+ uint32_t crkl_ref;
+} credklpd_t;
+
+klpd_reg_t *klpd_list;
+
+static void klpd_unlink(klpd_reg_t *);
+static int klpd_unreg_dh(door_handle_t);
+
+static credklpd_t *crklpd_alloc(void);
+
+void crklpd_setreg(credklpd_t *, klpd_reg_t *);
+
+extern size_t max_vnode_path;
+
+void
+klpd_rele(klpd_reg_t *p)
+{
+ if (atomic_add_32_nv(&p->klpd_ref, -1) == 0) {
+ if (p->klpd_refp != NULL)
+ klpd_unlink(p);
+ if (p->klpd_cred != NULL)
+ crfree(p->klpd_cred);
+ door_ki_rele(p->klpd_door);
+ kmem_free(p, sizeof (*p));
+ }
+}
+
+/*
+ * In order to be able to walk the lists, we can't unlink the entry
+ * until the reference count drops to 0. If we remove it too soon,
+ * list walkers will terminate when they happen to call a now orphaned
+ * entry.
+ */
+static klpd_reg_t *
+klpd_rele_next(klpd_reg_t *p)
+{
+ klpd_reg_t *r = p->klpd_next;
+
+ klpd_rele(p);
+ return (r);
+}
+
+
+static void
+klpd_hold(klpd_reg_t *p)
+{
+ atomic_add_32(&p->klpd_ref, 1);
+}
+
+/*
+ * Remove registration from where it is registered. Returns next in list.
+ */
+static void
+klpd_unlink(klpd_reg_t *p)
+{
+ ASSERT(p->klpd_refp == NULL || *p->klpd_refp == p);
+
+ if (p->klpd_refp != NULL)
+ *p->klpd_refp = p->klpd_next;
+
+ if (p->klpd_next != NULL)
+ p->klpd_next->klpd_refp = p->klpd_refp;
+ p->klpd_refp = NULL;
+}
+
+/*
+ * Remove the head of the klpd list and decrement its refcnt.
+ * The lock guarding the list should be held; this function is
+ * called when we are sure we want to remove the entry from the
+ * list but not so sure that the reference count has dropped back to
+ * 1 and is specifically intended to remove the non-list variants.
+ */
+void
+klpd_remove(klpd_reg_t **pp)
+{
+ klpd_reg_t *p = *pp;
+ if (p == NULL)
+ return;
+ ASSERT(p->klpd_next == NULL);
+ klpd_unlink(p);
+ klpd_rele(p);
+}
+
+/*
+ * Link new entry in list. The Boolean argument specifies whether this
+ * list can contain only a single item or multiple items.
+ * Returns the entry which needs to be released if single is B_TRUE.
+ */
+static klpd_reg_t *
+klpd_link(klpd_reg_t *p, klpd_reg_t **listp, boolean_t single)
+{
+ klpd_reg_t *old = *listp;
+
+ ASSERT(p->klpd_ref == 1);
+
+ ASSERT(old == NULL || *old->klpd_refp == old);
+ p->klpd_refp = listp;
+ p->klpd_next = single ? NULL : old;
+ *listp = p;
+ if (old != NULL) {
+ if (single) {
+ ASSERT(old->klpd_next == NULL);
+ old->klpd_refp = NULL;
+ return (old);
+ } else
+ old->klpd_refp = &p->klpd_next;
+ }
+ return (NULL);
+}
+
+/*
+ * The typical call consists of:
+ * - priv_set_t
+ * - some integer data (type, value)
+ * for now, it's just one bit.
+ */
+static klpd_head_t *
+klpd_marshall(klpd_reg_t *p, const priv_set_t *rq, va_list ap)
+{
+ char *comp;
+ uint_t type;
+ vnode_t *vp;
+ size_t len = sizeof (priv_set_t) + sizeof (klpd_head_t);
+ size_t plen, clen;
+ int proto;
+
+ klpd_arg_t *kap = NULL;
+ klpd_head_t *khp;
+
+ type = va_arg(ap, uint_t);
+ switch (type) {
+ case KLPDARG_NOMORE:
+ khp = kmem_zalloc(len, KM_SLEEP);
+ khp->klh_argoff = 0;
+ break;
+ case KLPDARG_VNODE:
+ len += offsetof(klpd_arg_t, kla_str);
+ vp = va_arg(ap, vnode_t *);
+ if (vp == NULL)
+ return (NULL);
+
+ comp = va_arg(ap, char *);
+
+ if (comp != NULL && *comp != '\0')
+ clen = strlen(comp) + 1;
+ else
+ clen = 0;
+
+ len += ROUNDUP(MAXPATHLEN, sizeof (uint_t));
+ khp = kmem_zalloc(len, KM_SLEEP);
+
+ khp->klh_argoff = sizeof (klpd_head_t) + sizeof (priv_set_t);
+ kap = KLH_ARG(khp);
+
+ if (vnodetopath(crgetzone(p->klpd_cred)->zone_rootvp,
+ vp, kap->kla_str, MAXPATHLEN, p->klpd_cred) != 0) {
+ kmem_free(khp, len);
+ return (NULL);
+ }
+ if (clen != 0) {
+ plen = strlen(kap->kla_str);
+ if (plen + clen + 1 >= MAXPATHLEN) {
+ kmem_free(khp, len);
+ return (NULL);
+ }
+ /* Don't make root into a double "/" */
+ if (plen <= 2)
+ plen = 0;
+ kap->kla_str[plen] = '/';
+ bcopy(comp, &kap->kla_str[plen + 1], clen);
+ }
+ break;
+ case KLPDARG_PORT:
+ proto = va_arg(ap, int);
+ switch (proto) {
+ case IPPROTO_TCP: type = KLPDARG_TCPPORT;
+ break;
+ case IPPROTO_UDP: type = KLPDARG_UDPPORT;
+ break;
+ case IPPROTO_SCTP: type = KLPDARG_SCTPPORT;
+ break;
+ case PROTO_SDP: type = KLPDARG_SDPPORT;
+ break;
+ }
+ /* FALLTHROUGH */
+ case KLPDARG_INT:
+ case KLPDARG_TCPPORT:
+ case KLPDARG_UDPPORT:
+ case KLPDARG_SCTPPORT:
+ case KLPDARG_SDPPORT:
+ len += sizeof (*kap);
+ khp = kmem_zalloc(len, KM_SLEEP);
+ khp->klh_argoff = sizeof (klpd_head_t) + sizeof (priv_set_t);
+ kap = KLH_ARG(khp);
+ kap->kla_int = va_arg(ap, int);
+ break;
+ default:
+ return (NULL);
+ }
+ khp->klh_vers = KLPDCALL_VERS;
+ khp->klh_len = len;
+ khp->klh_privoff = sizeof (*khp);
+ *KLH_PRIVSET(khp) = *rq;
+ if (kap != NULL) {
+ kap->kla_type = type;
+ kap->kla_dlen = len - khp->klh_argoff;
+ }
+ return (khp);
+}
+
+static int
+klpd_do_call(klpd_reg_t *p, const priv_set_t *req, va_list ap)
+{
+ door_arg_t da;
+ int res;
+ int dres;
+ klpd_head_t *klh;
+
+ if (p->klpd_door_pid == curproc->p_pid)
+ return (-1);
+
+ klh = klpd_marshall(p, req, ap);
+
+ if (klh == NULL)
+ return (-1);
+
+ da.data_ptr = (char *)klh;
+ da.data_size = klh->klh_len;
+ da.desc_ptr = NULL;
+ da.desc_num = 0;
+ da.rbuf = (char *)&res;
+ da.rsize = sizeof (res);
+
+ while ((dres = door_ki_upcall(p->klpd_door, &da)) != 0) {
+ switch (dres) {
+ case EAGAIN:
+ delay(1);
+ continue;
+ case EINVAL:
+ case EBADF:
+ /* Bad door, don't call it again. */
+ (void) klpd_unreg_dh(p->klpd_door);
+ /* FALLTHROUGH */
+ case EINTR:
+ /* Pending signal, nothing we can do. */
+ /* FALLTHROUGH */
+ default:
+ kmem_free(klh, klh->klh_len);
+ return (-1);
+ }
+ }
+ kmem_free(klh, klh->klh_len);
+ /* Bogus return value, must be a failure */
+ if (da.rbuf != (char *)&res) {
+ kmem_free(da.rbuf, da.rsize);
+ return (-1);
+ }
+ return (res);
+}
+
+uint32_t klpd_bad_locks;
+
+int
+klpd_call(const cred_t *cr, const priv_set_t *req, va_list ap)
+{
+ klpd_reg_t *p;
+ int rv = -1;
+ credklpd_t *ckp;
+ zone_t *ckzone;
+
+ /*
+ * These locks must not be held when this code is called;
+ * callbacks to userland with these locks held will result
+ * in issues. That said, the code at the call sides was
+ * restructured not to call with any of the locks held and
+ * no policies operate by default on most processes.
+ */
+ if (mutex_owned(&pidlock) || mutex_owned(&curproc->p_lock) ||
+ mutex_owned(&curproc->p_crlock)) {
+ atomic_add_32(&klpd_bad_locks, 1);
+ return (-1);
+ }
+
+ /*
+ * Enforce the limit set for the call process (still).
+ */
+ if (!priv_issubset(req, &CR_LPRIV(cr)))
+ return (-1);
+
+ /* Try 1: get the credential specific klpd */
+ if ((ckp = crgetcrklpd(cr)) != NULL) {
+ mutex_enter(&ckp->crkl_lock);
+ if ((p = ckp->crkl_reg) != NULL &&
+ p->klpd_indel == 0 &&
+ priv_issubset(req, &p->klpd_pset)) {
+ klpd_hold(p);
+ mutex_exit(&ckp->crkl_lock);
+ rv = klpd_do_call(p, req, ap);
+ mutex_enter(&ckp->crkl_lock);
+ klpd_rele(p);
+ mutex_exit(&ckp->crkl_lock);
+ if (rv != -1)
+ return (rv == 0 ? 0 : -1);
+ } else {
+ mutex_exit(&ckp->crkl_lock);
+ }
+ }
+
+ /* Try 2: get the project specific klpd */
+ mutex_enter(&klpd_mutex);
+
+ if ((p = curproj->kpj_klpd) != NULL) {
+ klpd_hold(p);
+ mutex_exit(&klpd_mutex);
+ if (p->klpd_indel == 0 &&
+ priv_issubset(req, &p->klpd_pset)) {
+ rv = klpd_do_call(p, req, ap);
+ }
+ mutex_enter(&klpd_mutex);
+ klpd_rele(p);
+ mutex_exit(&klpd_mutex);
+
+ if (rv != -1)
+ return (rv == 0 ? 0 : -1);
+ } else {
+ mutex_exit(&klpd_mutex);
+ }
+
+ /* Try 3: get the global klpd list */
+ ckzone = crgetzone(cr);
+ mutex_enter(&klpd_mutex);
+
+ for (p = klpd_list; p != NULL; ) {
+ zone_t *kkzone = crgetzone(p->klpd_cred);
+ if ((kkzone == &zone0 || kkzone == ckzone) &&
+ p->klpd_indel == 0 &&
+ priv_issubset(req, &p->klpd_pset)) {
+ klpd_hold(p);
+ mutex_exit(&klpd_mutex);
+ rv = klpd_do_call(p, req, ap);
+ mutex_enter(&klpd_mutex);
+
+ p = klpd_rele_next(p);
+
+ if (rv != -1)
+ break;
+ } else {
+ p = p->klpd_next;
+ }
+ }
+ mutex_exit(&klpd_mutex);
+ return (rv == 0 ? 0 : -1);
+}
+
+/*
+ * Register the klpd.
+ * If the pid_t passed in is positive, update the registration for
+ * the specific process; that is only possible if the process already
+ * has a registration on it. This change of registration will affect
+ * all processes which share common ancestry.
+ *
+ * MY_PID (pid 0) can be used to create or change the context for
+ * the current process, typically done after fork().
+ *
+ * A negative value can be used to register a klpd globally.
+ *
+ * The per-credential klpd needs to be cleaned up when entering
+ * a zone or unsetting the flag.
+ */
+int
+klpd_reg(int did, idtype_t type, id_t id, priv_set_t *psetbuf)
+{
+ cred_t *cr = CRED();
+ door_handle_t dh;
+ klpd_reg_t *kpd;
+ priv_set_t pset;
+ door_info_t di;
+ credklpd_t *ckp = NULL;
+ pid_t pid = -1;
+ projid_t proj = -1;
+ kproject_t *kpp = NULL;
+
+ if (CR_FLAGS(cr) & PRIV_XPOLICY)
+ return (set_errno(EINVAL));
+
+ if (copyin(psetbuf, &pset, sizeof (priv_set_t)))
+ return (set_errno(EFAULT));
+
+ if (!priv_issubset(&pset, &CR_OEPRIV(cr)))
+ return (set_errno(EPERM));
+
+ switch (type) {
+ case P_PID:
+ pid = (pid_t)id;
+ if (pid == P_MYPID)
+ pid = curproc->p_pid;
+ if (pid == curproc->p_pid)
+ ckp = crklpd_alloc();
+ break;
+ case P_PROJID:
+ proj = (projid_t)id;
+ kpp = project_hold_by_id(proj, crgetzone(cr),
+ PROJECT_HOLD_FIND);
+ if (kpp == NULL)
+ return (set_errno(ESRCH));
+ break;
+ default:
+ return (set_errno(ENOTSUP));
+ }
+
+
+ /*
+ * Verify the door passed in; it must be a door and we won't
+ * allow processes to be called on their own behalf.
+ */
+ dh = door_ki_lookup(did);
+ if (dh == NULL || door_ki_info(dh, &di) != 0) {
+ if (ckp != NULL)
+ crklpd_rele(ckp);
+ if (kpp != NULL)
+ project_rele(kpp);
+ return (set_errno(EBADF));
+ }
+ if (type == P_PID && pid == di.di_target) {
+ if (ckp != NULL)
+ crklpd_rele(ckp);
+ ASSERT(kpp == NULL);
+ return (set_errno(EINVAL));
+ }
+
+ kpd = kmem_zalloc(sizeof (*kpd), KM_SLEEP);
+ crhold(kpd->klpd_cred = cr);
+ kpd->klpd_door = dh;
+ kpd->klpd_door_pid = di.di_target;
+ kpd->klpd_ref = 1;
+ kpd->klpd_pset = pset;
+
+ if (kpp != NULL) {
+ mutex_enter(&klpd_mutex);
+ kpd = klpd_link(kpd, &kpp->kpj_klpd, B_TRUE);
+ mutex_exit(&klpd_mutex);
+ if (kpd != NULL)
+ klpd_rele(kpd);
+ project_rele(kpp);
+ } else if ((int)pid < 0) {
+ /* Global daemon */
+ mutex_enter(&klpd_mutex);
+ (void) klpd_link(kpd, &klpd_list, B_FALSE);
+ mutex_exit(&klpd_mutex);
+ } else if (pid == curproc->p_pid) {
+ proc_t *p = curproc;
+ cred_t *newcr = cralloc();
+
+ /* No need to lock, sole reference to ckp */
+ kpd = klpd_link(kpd, &ckp->crkl_reg, B_TRUE);
+
+ if (kpd != NULL)
+ klpd_rele(kpd);
+
+ mutex_enter(&p->p_crlock);
+ cr = p->p_cred;
+ crdup_to(cr, newcr);
+ crsetcrklpd(newcr, ckp);
+ p->p_cred = newcr; /* Already held for p_cred */
+
+ crhold(newcr); /* Hold once for the current thread */
+ mutex_exit(&p->p_crlock);
+ crfree(cr); /* One for the p_cred */
+ crset(p, newcr);
+ } else {
+ proc_t *p;
+ cred_t *pcr;
+ mutex_enter(&pidlock);
+ p = prfind(pid);
+ if (p == NULL || !prochasprocperm(p, curproc, CRED())) {
+ mutex_exit(&pidlock);
+ klpd_rele(kpd);
+ return (set_errno(p == NULL ? ESRCH : EPERM));
+ }
+ mutex_enter(&p->p_crlock);
+ crhold(pcr = p->p_cred);
+ mutex_exit(&pidlock);
+ mutex_exit(&p->p_crlock);
+ /*
+ * We're going to update the credential's ckp in place;
+ * this requires that it exists.
+ */
+ ckp = crgetcrklpd(pcr);
+ if (ckp == NULL) {
+ crfree(pcr);
+ klpd_rele(kpd);
+ return (set_errno(EINVAL));
+ }
+ crklpd_setreg(ckp, kpd);
+ crfree(pcr);
+ }
+
+ return (0);
+}
+
+static int
+klpd_unreg_dh(door_handle_t dh)
+{
+ klpd_reg_t *p;
+
+ mutex_enter(&klpd_mutex);
+ for (p = klpd_list; p != NULL; p = p->klpd_next) {
+ if (p->klpd_door == dh)
+ break;
+ }
+ if (p == NULL) {
+ mutex_exit(&klpd_mutex);
+ return (EINVAL);
+ }
+ if (p->klpd_indel != 0) {
+ mutex_exit(&klpd_mutex);
+ return (EAGAIN);
+ }
+ p->klpd_indel = 1;
+ klpd_rele(p);
+ mutex_exit(&klpd_mutex);
+ return (0);
+}
+
+int
+klpd_unreg(int did, idtype_t type, id_t id)
+{
+ door_handle_t dh;
+ int res = 0;
+ proc_t *p;
+ pid_t pid;
+ projid_t proj;
+ kproject_t *kpp = NULL;
+ credklpd_t *ckp;
+
+ switch (type) {
+ case P_PID:
+ pid = (pid_t)id;
+ break;
+ case P_PROJID:
+ proj = (projid_t)id;
+ kpp = project_hold_by_id(proj, crgetzone(CRED()),
+ PROJECT_HOLD_FIND);
+ if (kpp == NULL)
+ return (set_errno(ESRCH));
+ break;
+ default:
+ return (set_errno(ENOTSUP));
+ }
+
+ dh = door_ki_lookup(did);
+ if (dh == NULL) {
+ if (kpp != NULL)
+ project_rele(kpp);
+ return (set_errno(EINVAL));
+ }
+
+ if (kpp != NULL) {
+ mutex_enter(&klpd_mutex);
+ if (kpp->kpj_klpd == NULL)
+ res = ESRCH;
+ else
+ klpd_remove(&kpp->kpj_klpd);
+ mutex_exit(&klpd_mutex);
+ project_rele(kpp);
+ goto out;
+ } else if ((int)pid > 0) {
+ mutex_enter(&pidlock);
+ p = prfind(pid);
+ if (p == NULL) {
+ mutex_exit(&pidlock);
+ door_ki_rele(dh);
+ return (set_errno(ESRCH));
+ }
+ mutex_enter(&p->p_crlock);
+ mutex_exit(&pidlock);
+ } else if (pid == 0) {
+ p = curproc;
+ mutex_enter(&p->p_crlock);
+ } else {
+ res = klpd_unreg_dh(dh);
+ goto out;
+ }
+
+ ckp = crgetcrklpd(p->p_cred);
+ if (ckp != NULL) {
+ crklpd_setreg(ckp, NULL);
+ } else {
+ res = ESRCH;
+ }
+ mutex_exit(&p->p_crlock);
+
+out:
+ door_ki_rele(dh);
+
+ if (res != 0)
+ return (set_errno(res));
+ return (0);
+}
+
+void
+crklpd_hold(credklpd_t *crkpd)
+{
+ atomic_add_32(&crkpd->crkl_ref, 1);
+}
+
+void
+crklpd_rele(credklpd_t *crkpd)
+{
+ if (atomic_add_32_nv(&crkpd->crkl_ref, -1) == 0) {
+ if (crkpd->crkl_reg != NULL)
+ klpd_rele(crkpd->crkl_reg);
+ mutex_destroy(&crkpd->crkl_lock);
+ kmem_free(crkpd, sizeof (*crkpd));
+ }
+}
+
+static credklpd_t *
+crklpd_alloc(void)
+{
+ credklpd_t *res = kmem_alloc(sizeof (*res), KM_SLEEP);
+
+ mutex_init(&res->crkl_lock, NULL, MUTEX_DEFAULT, NULL);
+ res->crkl_ref = 1;
+ res->crkl_reg = NULL;
+
+ return (res);
+}
+
+void
+crklpd_setreg(credklpd_t *crk, klpd_reg_t *new)
+{
+ klpd_reg_t *old;
+
+ mutex_enter(&crk->crkl_lock);
+ if (new == NULL) {
+ old = crk->crkl_reg;
+ if (old != NULL)
+ klpd_unlink(old);
+ } else {
+ old = klpd_link(new, &crk->crkl_reg, B_TRUE);
+ }
+ mutex_exit(&crk->crkl_lock);
+
+ if (old != NULL)
+ klpd_rele(old);
+}
diff --git a/usr/src/uts/common/os/policy.c b/usr/src/uts/common/os/policy.c
index 32c67b710f..2333681763 100644
--- a/usr/src/uts/common/os/policy.c
+++ b/usr/src/uts/common/os/policy.c
@@ -47,6 +47,7 @@
#include <sys/devpolicy.h>
#include <c2/audit.h>
#include <sys/varargs.h>
+#include <sys/klpd.h>
#include <sys/modctl.h>
#include <sys/disp.h>
#include <sys/zone.h>
@@ -147,20 +148,25 @@ int priv_debug = 0;
PRIV_ISASSERT(&CR_OEPRIV(cr), pr))
/*
- * Policy checking functions
+ * Policy checking functions.
*
- * In future, these will migrate to several files when policy
- * becomes more or less pluggable.
- *
- * For now, there's only one policy and this is it.
+ * All of the system's policy should be implemented here.
+ */
+
+/*
+ * Private functions which take an additional va_list argument to
+ * implement an object specific policy override.
*/
+static int priv_policy_ap(const cred_t *, int, boolean_t, int,
+ const char *, va_list);
+static int priv_policy_va(const cred_t *, int, boolean_t, int,
+ const char *, ...);
/*
* Generic policy calls
*
* The "bottom" functions of policy control
*/
-
static char *
mprintf(const char *fmt, ...)
{
@@ -299,13 +305,51 @@ priv_policy_errmsg(const cred_t *cr, int priv, const char *msg)
cr->cr_uid, curthread->t_sysnum, msg, sym, off);
curthread->t_post_sys = 1;
- } else {
+ }
+ if (priv_debug) {
cmn_err(CE_NOTE, fmt, cmd, me->p_pid, pname, cr->cr_uid,
curthread->t_sysnum, msg, sym, off);
}
}
/*
+ * Override the policy, if appropriate. Return 0 if the external
+ * policy engine approves.
+ */
+static int
+priv_policy_override(const cred_t *cr, int priv, boolean_t allzone, va_list ap)
+{
+ priv_set_t set;
+ int ret;
+
+ if (!(CR_FLAGS(cr) & PRIV_XPOLICY))
+ return (-1);
+
+ if (priv == PRIV_ALL) {
+ priv_fillset(&set);
+ } else if (allzone) {
+ set = *ZONEPRIVS(cr);
+ } else {
+ priv_emptyset(&set);
+ priv_addset(&set, priv);
+ }
+ ret = klpd_call(cr, &set, ap);
+ return (ret);
+}
+
+static int
+priv_policy_override_set(const cred_t *cr, const priv_set_t *req, ...)
+{
+ va_list ap;
+
+ if (CR_FLAGS(cr) & PRIV_XPOLICY) {
+ va_start(ap, req);
+ return (klpd_call(cr, req, ap));
+ }
+ return (-1);
+}
+
+/*
* Audit failure, log error message.
*/
static void
@@ -328,15 +372,17 @@ priv_policy_err(const cred_t *cr, int priv, boolean_t allzone, const char *msg)
}
/*
- * priv_policy()
+ * priv_policy_ap()
* return 0 or error.
* See block comment above for a description of "priv" and "allzone" usage.
*/
-int
-priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
- const char *msg)
+static int
+priv_policy_ap(const cred_t *cr, int priv, boolean_t allzone, int err,
+ const char *msg, va_list ap)
{
- if (HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) {
+ if ((HAS_PRIVILEGE(cr, priv) && (!allzone || HAS_ALLZONEPRIVS(cr))) ||
+ (!servicing_interrupt() &&
+ priv_policy_override(cr, priv, allzone, ap) == 0)) {
if ((allzone || priv == PRIV_ALL ||
!PRIV_ISASSERT(priv_basic, priv)) &&
!servicing_interrupt()) {
@@ -351,10 +397,30 @@ priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
/* Failure audited in this procedure */
priv_policy_err(cr, priv, allzone, msg);
}
-
return (err);
}
+int
+priv_policy_va(const cred_t *cr, int priv, boolean_t allzone, int err,
+ const char *msg, ...)
+{
+ int ret;
+ va_list ap;
+
+ va_start(ap, msg);
+ ret = priv_policy_ap(cr, priv, allzone, err, msg, ap);
+ va_end(ap);
+
+ return (ret);
+}
+
+int
+priv_policy(const cred_t *cr, int priv, boolean_t allzone, int err,
+ const char *msg)
+{
+ return (priv_policy_va(cr, priv, allzone, err, msg, KLPDARG_NOMORE));
+}
+
/*
* Return B_TRUE for sufficient privileges, B_FALSE for insufficient privileges.
*/
@@ -410,6 +476,9 @@ secpolicy_require_set(const cred_t *cr, const priv_set_t *req, const char *msg)
return (0);
}
+ if (priv_policy_override_set(cr, req, KLPDARG_NOMORE) == 0)
+ return (0);
+
if (req == PRIV_FULLSET || priv_isfullset(req)) {
priv_policy_err(cr, PRIV_ALL, B_FALSE, msg);
return (EACCES);
@@ -475,7 +544,7 @@ secpolicy_setpriority(const cred_t *cr)
* order.
*/
int
-secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
+secpolicy_net_privaddr(const cred_t *cr, in_port_t port, int proto)
{
char *reason;
int priv;
@@ -510,7 +579,8 @@ secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
}
- return (PRIV_POLICY(cr, priv, B_FALSE, EACCES, reason));
+ return (priv_policy_va(cr, priv, B_FALSE, EACCES, reason,
+ KLPDARG_PORT, (int)proto, (int)port, KLPDARG_NOMORE));
}
/*
@@ -519,8 +589,7 @@ secpolicy_net_privaddr(const cred_t *cr, in_port_t port)
int
secpolicy_net_bindmlp(const cred_t *cr)
{
- return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES,
- NULL));
+ return (PRIV_POLICY(cr, PRIV_NET_BINDMLP, B_FALSE, EACCES, NULL));
}
/*
@@ -530,8 +599,7 @@ secpolicy_net_bindmlp(const cred_t *cr)
int
secpolicy_net_mac_aware(const cred_t *cr)
{
- return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES,
- NULL));
+ return (PRIV_POLICY(cr, PRIV_NET_MAC_AWARE, B_FALSE, EACCES, NULL));
}
/*
@@ -559,7 +627,8 @@ secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
if (mounting)
*needoptcheck = B_FALSE;
- return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
+ return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
+ NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
}
/*
@@ -611,7 +680,8 @@ secpolicy_fs_common(cred_t *cr, vnode_t *mvp, const vfs_t *vfsp,
return (EACCES);
}
}
- return (PRIV_POLICY(cr, PRIV_SYS_MOUNT, allzone, EPERM, NULL));
+ return (priv_policy_va(cr, PRIV_SYS_MOUNT, allzone, EPERM,
+ NULL, KLPDARG_VNODE, mvp, (char *)NULL, KLPDARG_NOMORE));
}
void
@@ -764,9 +834,11 @@ secpolicy_fs_linkdir(const cred_t *cr, const vfs_t *vfsp)
int
secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
{
- if ((mode & VREAD) &&
- PRIV_POLICY(cr, PRIV_FILE_DAC_READ, B_FALSE, EACCES, NULL) != 0)
+ if ((mode & VREAD) && priv_policy_va(cr, PRIV_FILE_DAC_READ, B_FALSE,
+ EACCES, NULL, KLPDARG_VNODE, vp, (char *)NULL,
+ KLPDARG_NOMORE) != 0) {
return (EACCES);
+ }
if (mode & VWRITE) {
boolean_t allzone;
@@ -775,23 +847,22 @@ secpolicy_vnode_access(const cred_t *cr, vnode_t *vp, uid_t owner, mode_t mode)
allzone = B_TRUE;
else
allzone = B_FALSE;
- if (PRIV_POLICY(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES, NULL)
- != 0)
+ if (priv_policy_va(cr, PRIV_FILE_DAC_WRITE, allzone, EACCES,
+ NULL, KLPDARG_VNODE, vp, (char *)NULL,
+ KLPDARG_NOMORE) != 0) {
return (EACCES);
+ }
}
if (mode & VEXEC) {
/*
* Directories use file_dac_search to override the execute bit.
*/
- vtype_t vtype = vp->v_type;
+ int p = vp->v_type == VDIR ? PRIV_FILE_DAC_SEARCH :
+ PRIV_FILE_DAC_EXECUTE;
- if (vtype == VDIR)
- return (PRIV_POLICY(cr, PRIV_FILE_DAC_SEARCH, B_FALSE,
- EACCES, NULL));
- else
- return (PRIV_POLICY(cr, PRIV_FILE_DAC_EXECUTE, B_FALSE,
- EACCES, NULL));
+ return (priv_policy_va(cr, p, B_FALSE, EACCES, NULL,
+ KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
}
return (0);
}
@@ -1725,9 +1796,10 @@ secpolicy_tasksys(const cred_t *cr)
* Basic privilege checks.
*/
int
-secpolicy_basic_exec(const cred_t *cr)
+secpolicy_basic_exec(const cred_t *cr, vnode_t *vp)
{
- return (PRIV_POLICY(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL));
+ return (priv_policy_va(cr, PRIV_PROC_EXEC, B_FALSE, EPERM, NULL,
+ KLPDARG_VNODE, vp, (char *)NULL, KLPDARG_NOMORE));
}
int
@@ -2065,6 +2137,27 @@ secpolicy_sadopen(const cred_t *credp)
return (secpolicy_require_set(credp, &pset, "devpolicy"));
}
+
+/*
+ * Add privileges to a particular privilege set; this is called when the
+ * current sets of privileges are not sufficient. I.e., we should always
+ * call the policy override functions from here.
+ * What we are allowed to have is in the Observed Permitted set; so
+ * we compute the difference between that and the newset.
+ */
+int
+secpolicy_require_privs(const cred_t *cr, const priv_set_t *nset)
+{
+ priv_set_t rqd;
+
+ rqd = CR_OPPRIV(cr);
+
+ priv_inverse(&rqd);
+ priv_intersect(nset, &rqd);
+
+ return (secpolicy_require_set(cr, &rqd, NULL));
+}
+
/*
* secpolicy_smb
*
diff --git a/usr/src/uts/common/os/project.c b/usr/src/uts/common/os/project.c
index e19f1959bc..7d10ec9370 100644
--- a/usr/src/uts/common/os/project.c
+++ b/usr/src/uts/common/os/project.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -42,6 +42,7 @@
#include <sys/task.h>
#include <sys/zone.h>
#include <sys/cpucaps.h>
+#include <sys/klpd.h>
int project_hash_size = 64;
static kmutex_t project_hash_lock;
@@ -359,11 +360,14 @@ project_rele(kproject_t *p)
rctl_set_free(p->kpj_rctls);
project_kstat_delete(p);
+ if (p->kpj_klpd != NULL)
+ klpd_remove(&p->kpj_klpd);
+
if (mod_hash_destroy(projects_hash, (mod_hash_key_t)p))
panic("unable to delete project %d zone %d", p->kpj_id,
p->kpj_zoneid);
- }
+ }
mutex_exit(&project_hash_lock);
}
diff --git a/usr/src/uts/common/os/sysent.c b/usr/src/uts/common/os/sysent.c
index b6d097b585..eeb3b7edde 100644
--- a/usr/src/uts/common/os/sysent.c
+++ b/usr/src/uts/common/os/sysent.c
@@ -21,7 +21,7 @@
/* ONC_PLUS EXTRACT START */
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -533,7 +533,7 @@ struct sysent sysent[NSYSCALL] =
/* 81 */ IF_LP64(
SYSENT_CI("getdents", getdents64, 3),
SYSENT_CI("getdents", getdents32, 3)),
- /* 82 */ SYSENT_CI("privsys", privsys, 5),
+ /* 82 */ SYSENT_CI("privsys", privsys, 6),
/* 83 */ SYSENT_CI("ucredsys", ucredsys, 3),
/* 84 */ SYSENT_CI("sysfs", sysfs, 3),
/* 85 */ SYSENT_CI("getmsg", getmsg, 4),
@@ -930,7 +930,7 @@ struct sysent sysent32[NSYSCALL] =
/* 79 */ SYSENT_CI("rmdir", rmdir, 1),
/* 80 */ SYSENT_CI("mkdir", mkdir, 2),
/* 81 */ SYSENT_CI("getdents", getdents32, 3),
- /* 82 */ SYSENT_CI("privsys", privsys32, 5),
+ /* 82 */ SYSENT_CI("privsys", privsys32, 6),
/* 83 */ SYSENT_CI("ucredsys", ucredsys32, 3),
/* 84 */ SYSENT_CI("sysfs", sysfs, 3),
/* 85 */ SYSENT_CI("getmsg", getmsg32, 4),
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-10 20:51:13 +0000