blob: 0e89dc3261d76e9610564170cc14fc3b819112dd [file] [log] [blame]
/*
* Copyright (c) 2006 Chad Mynhier.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "config.h"
#include "includes.h"
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <errno.h>
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <libcontract.h>
#include <sys/contract/process.h>
#include <sys/ctfs.h>
#include "log.h"
#define CT_TEMPLATE CTFS_ROOT "/process/template"
#define CT_LATEST CTFS_ROOT "/process/latest"
static int tmpl_fd = -1;
/* Lookup the latest process contract */
static ctid_t
get_active_process_contract_id(void)
{
int stat_fd;
ctid_t ctid = -1;
ct_stathdl_t stathdl;
if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
error("%s: Error opening 'latest' process "
"contract: %s", __func__, strerror(errno));
return -1;
}
if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
error("%s: Error reading process contract "
"status: %s", __func__, strerror(errno));
goto out;
}
if ((ctid = ct_status_get_id(stathdl)) < 0) {
error("%s: Error getting process contract id: %s",
__func__, strerror(errno));
goto out;
}
ct_status_free(stathdl);
out:
close(stat_fd);
return ctid;
}
void
solaris_contract_pre_fork(void)
{
if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
error("%s: open %s: %s", __func__,
CT_TEMPLATE, strerror(errno));
return;
}
debug2("%s: setting up process contract template on fd %d",
__func__, tmpl_fd);
/* First we set the template parameters and event sets. */
if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
error("%s: Error setting process contract parameter set "
"(pgrponly): %s", __func__, strerror(errno));
goto fail;
}
if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
error("%s: Error setting process contract template "
"fatal events: %s", __func__, strerror(errno));
goto fail;
}
if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
error("%s: Error setting process contract template "
"critical events: %s", __func__, strerror(errno));
goto fail;
}
if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
error("%s: Error setting process contract template "
"informative events: %s", __func__, strerror(errno));
goto fail;
}
/* Now make this the active template for this process. */
if (ct_tmpl_activate(tmpl_fd) != 0) {
error("%s: Error activating process contract "
"template: %s", __func__, strerror(errno));
goto fail;
}
return;
fail:
if (tmpl_fd != -1) {
close(tmpl_fd);
tmpl_fd = -1;
}
}
void
solaris_contract_post_fork_child()
{
debug2("%s: clearing process contract template on fd %d",
__func__, tmpl_fd);
/* Clear the active template. */
if (ct_tmpl_clear(tmpl_fd) != 0)
error("%s: Error clearing active process contract "
"template: %s", __func__, strerror(errno));
close(tmpl_fd);
tmpl_fd = -1;
}
void
solaris_contract_post_fork_parent(pid_t pid)
{
ctid_t ctid;
char ctl_path[256];
int r, ctl_fd = -1, stat_fd = -1;
debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
if (tmpl_fd == -1)
return;
/* First clear the active template. */
if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
error("%s: Error clearing active process contract "
"template: %s", __func__, strerror(errno));
close(tmpl_fd);
tmpl_fd = -1;
/*
* If either the fork didn't succeed (pid < 0), or clearing
* th active contract failed (r != 0), then we have nothing
* more do.
*/
if (r != 0 || pid <= 0)
return;
/* Now lookup and abandon the contract we've created. */
ctid = get_active_process_contract_id();
debug2("%s: abandoning contract id %ld", __func__, ctid);
snprintf(ctl_path, sizeof(ctl_path),
CTFS_ROOT "/process/%ld/ctl", ctid);
if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
error("%s: Error opening process contract "
"ctl file: %s", __func__, strerror(errno));
goto fail;
}
if (ct_ctl_abandon(ctl_fd) < 0) {
error("%s: Error abandoning process contract: %s",
__func__, strerror(errno));
goto fail;
}
close(ctl_fd);
return;
fail:
if (tmpl_fd != -1) {
close(tmpl_fd);
tmpl_fd = -1;
}
if (stat_fd != -1)
close(stat_fd);
if (ctl_fd != -1)
close(ctl_fd);
}
#endif
#ifdef USE_SOLARIS_PROJECTS
#include <sys/task.h>
#include <project.h>
/*
* Get/set solaris default project.
* If we fail, just run along gracefully.
*/
void
solaris_set_default_project(struct passwd *pw)
{
struct project *defaultproject;
struct project tempproject;
char buf[1024];
/* get default project, if we fail just return gracefully */
if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, &buf,
sizeof(buf))) != NULL) {
/* set default project */
if (setproject(defaultproject->pj_name, pw->pw_name,
TASK_NORMAL) != 0)
debug("setproject(%s): %s", defaultproject->pj_name,
strerror(errno));
} else {
/* debug on getdefaultproj() error */
debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
}
}
#endif /* USE_SOLARIS_PROJECTS */
#ifdef USE_SOLARIS_PRIVS
# ifdef HAVE_PRIV_H
# include <priv.h>
# endif
priv_set_t *
solaris_basic_privset(void)
{
priv_set_t *pset;
#ifdef HAVE_PRIV_BASICSET
if ((pset = priv_allocset()) == NULL) {
error("priv_allocset: %s", strerror(errno));
return NULL;
}
priv_basicset(pset);
#else
if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
error("priv_str_to_set: %s", strerror(errno));
return NULL;
}
#endif
return pset;
}
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
priv_set_t *pset = NULL, *npset = NULL;
/*
* Note: this variant avoids dropping DAC filesystem rights, in case
* the process calling it is running as root and should have the
* ability to read/write/chown any file on the system.
*
* We start with the basic set, then *add* the DAC rights to it while
* taking away other parts of BASIC we don't need. Then we intersect
* this with our existing PERMITTED set. In this way we keep any
* DAC rights we had before, while otherwise reducing ourselves to
* the minimum set of privileges we need to proceed.
*
* This also means we drop any other parts of "root" that we don't
* need (e.g. the ability to kill any process, create new device nodes
* etc etc).
*/
if ((pset = priv_allocset()) == NULL)
fatal("priv_allocset: %s", strerror(errno));
if ((npset = solaris_basic_privset()) == NULL)
fatal("solaris_basic_privset: %s", strerror(errno));
if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
priv_addset(npset, PRIV_FILE_OWNER) != 0)
fatal("priv_addset: %s", strerror(errno));
if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
#endif
priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
priv_delset(npset, PRIV_PROC_FORK) != 0 ||
priv_delset(npset, PRIV_PROC_INFO) != 0 ||
priv_delset(npset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
if (getppriv(PRIV_PERMITTED, pset) != 0)
fatal("getppriv: %s", strerror(errno));
priv_intersect(pset, npset);
if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
fatal("setppriv: %s", strerror(errno));
priv_freeset(pset);
priv_freeset(npset);
}
void
solaris_drop_privs_root_pinfo_net(void)
{
priv_set_t *pset = NULL;
/* Start with "basic" and drop everything we don't need. */
if ((pset = solaris_basic_privset()) == NULL)
fatal("solaris_basic_privset: %s", strerror(errno));
if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
#endif
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
fatal("setppriv: %s", strerror(errno));
priv_freeset(pset);
}
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
priv_set_t *pset = NULL;
/* Start with "basic" and drop everything we don't need. */
if ((pset = solaris_basic_privset()) == NULL)
fatal("solaris_basic_privset: %s", strerror(errno));
if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
#ifdef PRIV_NET_ACCESS
priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
#endif
priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
priv_delset(pset, PRIV_PROC_INFO) != 0 ||
priv_delset(pset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
fatal("setppriv: %s", strerror(errno));
priv_freeset(pset);
}
#endif