1 /*
2  * Copyright (c) 2006 Chad Mynhier.
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "config.h"
18 #include "includes.h"
19 
20 #include <sys/types.h>
21 #include <sys/stat.h>
22 
23 #include <errno.h>
24 #ifdef HAVE_FCNTL_H
25 # include <fcntl.h>
26 #endif
27 #include <stdarg.h>
28 #include <string.h>
29 #include <unistd.h>
30 
31 #include "log.h"
32 
33 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
34 
35 #include <libcontract.h>
36 #include <sys/contract/process.h>
37 #include <sys/ctfs.h>
38 
39 #define CT_TEMPLATE	CTFS_ROOT "/process/template"
40 #define CT_LATEST	CTFS_ROOT "/process/latest"
41 
/*
 * Descriptor of the process contract template opened by
 * solaris_contract_pre_fork() and released by the post-fork hooks.
 * Holds -1 whenever no template is open.
 */
static int tmpl_fd = -1;
43 
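/*
 * Lookup the latest process contract.
 *
 * Opens the "latest" contract node, reads its status and returns the
 * contract id. Returns -1 (or the negative value the library handed
 * back) after logging if any step fails. The status handle is released
 * on every path on which ct_status_read() succeeded; the original
 * skipped ct_status_free() when ct_status_get_id() failed.
 */
static ctid_t
get_active_process_contract_id(void)
{
	int stat_fd;
	ctid_t ctid = -1;
	ct_stathdl_t stathdl;

	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
		error("%s: Error opening 'latest' process "
		    "contract: %s", __func__, strerror(errno));
		return -1;
	}
	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
		error("%s: Error reading process contract "
		    "status: %s", __func__, strerror(errno));
		/* No handle was allocated, so only the fd needs closing. */
		goto out;
	}
	if ((ctid = ct_status_get_id(stathdl)) < 0) {
		error("%s: Error getting process contract id: %s",
		    __func__, strerror(errno));
		/* Fall through: the handle must still be freed. */
	}

	ct_status_free(stathdl);
 out:
	close(stat_fd);
	return ctid;
}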
73 
/*
 * Open the process contract template, configure it and make it the
 * active template for this process, leaving its descriptor in tmpl_fd.
 * On any failure the error is logged and tmpl_fd is reset to -1 so the
 * post-fork hooks can tell that no template is active.
 */
void
solaris_contract_pre_fork(void)
{
	int configured = 0;

	tmpl_fd = open64(CT_TEMPLATE, O_RDWR);
	if (tmpl_fd == -1) {
		error("%s: open %s: %s", __func__,
		    CT_TEMPLATE, strerror(errno));
		return;
	}

	debug2("%s: setting up process contract template on fd %d",
	    __func__, tmpl_fd);

	do {
		/* Template parameters and event sets first ... */
		if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
			error("%s: Error setting process contract parameter set "
			    "(pgrponly): %s", __func__, strerror(errno));
			break;
		}
		if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
			error("%s: Error setting process contract template "
			    "fatal events: %s", __func__, strerror(errno));
			break;
		}
		if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
			error("%s: Error setting process contract template "
			    "critical events: %s", __func__, strerror(errno));
			break;
		}
		if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
			error("%s: Error setting process contract template "
			    "informative events: %s", __func__, strerror(errno));
			break;
		}

		/* ... then make it the active template for this process. */
		if (ct_tmpl_activate(tmpl_fd) != 0) {
			error("%s: Error activating process contract "
			    "template: %s", __func__, strerror(errno));
			break;
		}
		configured = 1;
	} while (0);

	/* Any failure above leaves a half-configured template: discard it. */
	if (!configured) {
		close(tmpl_fd);
		tmpl_fd = -1;
	}
}
122 
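/*
 * Child side of the fork: the template is no longer wanted here, so
 * clear it and release the descriptor. Does nothing when no template
 * was opened (solaris_contract_pre_fork() failed), which is the same
 * guard the parent-side hook applies.
 */
void
solaris_contract_post_fork_child(void)
{
	debug2("%s: clearing process contract template on fd %d",
	    __func__, tmpl_fd);

	/*
	 * Without an open template there is nothing to clear; calling
	 * ct_tmpl_clear()/close() on -1 would only fail and log a
	 * misleading error.
	 */
	if (tmpl_fd == -1)
		return;

	/* Clear the active template. */
	if (ct_tmpl_clear(tmpl_fd) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;
}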
137 
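/*
 * Parent side of the fork: clear the active template, then look up the
 * contract the fork created and abandon it so this process is not left
 * holding it.
 *
 * pid is fork()'s return value; when the fork failed (pid <= 0) no
 * contract exists and only the template is released. All failures are
 * logged and the function returns; nothing is fatal here.
 */
void
solaris_contract_post_fork_parent(pid_t pid)
{
	ctid_t ctid;
	char ctl_path[256];
	int r, ctl_fd;

	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);

	if (tmpl_fd == -1)
		return;

	/* First clear the active template. */
	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;

	/*
	 * If either the fork didn't succeed (pid <= 0), or clearing
	 * the active template failed (r != 0), then we have nothing
	 * more to do.
	 */
	if (r != 0 || pid <= 0)
		return;

	/* Now lookup and abandon the contract we've created. */
	ctid = get_active_process_contract_id();
	if (ctid < 0) {
		/*
		 * The lookup already logged its failure; don't go on to
		 * open a ".../process/-1/ctl" path and log a second one.
		 */
		return;
	}

	/* Cast: ctid_t's width is platform-dependent, %ld wants a long. */
	debug2("%s: abandoning contract id %ld", __func__, (long)ctid);

	r = snprintf(ctl_path, sizeof(ctl_path),
	    CTFS_ROOT "/process/%ld/ctl", (long)ctid);
	if (r < 0 || (size_t)r >= sizeof(ctl_path)) {
		/* Should be unreachable with a 256-byte buffer, but never open a truncated path. */
		error("%s: process contract ctl path too long", __func__);
		return;
	}
	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
		error("%s: Error opening process contract "
		    "ctl file: %s", __func__, strerror(errno));
		return;
	}
	if (ct_ctl_abandon(ctl_fd) < 0)
		error("%s: Error abandoning process contract: %s",
		    __func__, strerror(errno));
	close(ctl_fd);
}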
196 #endif
197 
198 #ifdef USE_SOLARIS_PROJECTS
199 #include <sys/task.h>
200 #include <project.h>
201 
/*
 * Look up the user's default Solaris project and make it the current
 * one. Both lookup and switch failures are only logged at debug level;
 * the caller carries on regardless.
 */
void
solaris_set_default_project(struct passwd *pw)
{
	struct project *defaultproject;
	struct project tempproject;
	char buf[1024];

	/* Resolve the default project; on failure just log and return. */
	defaultproject = getdefaultproj(pw->pw_name, &tempproject, &buf,
	    sizeof(buf));
	if (defaultproject == NULL) {
		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
		return;
	}

	/* Switch to it; a failure here is non-fatal as well. */
	if (setproject(defaultproject->pj_name, pw->pw_name,
	    TASK_NORMAL) != 0)
		debug("setproject(%s): %s", defaultproject->pj_name,
		    strerror(errno));
}
226 #endif /* USE_SOLARIS_PROJECTS */
227 
228 #ifdef USE_SOLARIS_PRIVS
229 # ifdef HAVE_PRIV_H
230 #  include <priv.h>
231 # endif
232 
/*
 * Allocate a privilege set initialised to the "basic" set.
 * Returns NULL (after logging) if allocation fails. The caller owns the
 * returned set and releases it with priv_freeset().
 */
priv_set_t *
solaris_basic_privset(void)
{
	priv_set_t *basic;

#ifdef HAVE_PRIV_BASICSET
	basic = priv_allocset();
	if (basic == NULL) {
		error("priv_allocset: %s", strerror(errno));
		return NULL;
	}
	priv_basicset(basic);
#else
	/* Older libc: build the set from its textual name instead. */
	basic = priv_str_to_set("basic", ",", NULL);
	if (basic == NULL) {
		error("priv_str_to_set: %s", strerror(errno));
		return NULL;
	}
#endif
	return basic;
}
252 
/*
 * Reduce this process to the basic privilege set plus the file DAC
 * privileges it already holds, with proc_exec, proc_fork, proc_info,
 * proc_session (and net_access where defined) removed. Every failure
 * is fatal().
 */
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	/* pset: scratch set read from the process; npset: the set we install */
	priv_set_t *pset = NULL, *npset = NULL;

	/*
	 * Note: this variant avoids dropping DAC filesystem rights, in case
	 * the process calling it is running as root and should have the
	 * ability to read/write/chown any file on the system.
	 *
	 * We start with the basic set, then *add* the DAC rights to it while
	 * taking away other parts of BASIC we don't need. Then we intersect
	 * this with our existing PERMITTED set. In this way we keep any
	 * DAC rights we had before, while otherwise reducing ourselves to
	 * the minimum set of privileges we need to proceed.
	 *
	 * This also means we drop any other parts of "root" that we don't
	 * need (e.g. the ability to kill any process, create new device nodes
	 * etc etc).
	 */

	if ((pset = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	if ((npset = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	/* Add the file DAC privileges to the basic set ... */
	if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
	    priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
	    priv_addset(npset, PRIV_FILE_OWNER) != 0)
		fatal("priv_addset: %s", strerror(errno));

	/* ... and remove the exec/fork/proc-info/session (and net) ones. */
	if (priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
#ifdef PRIV_NET_ACCESS
	    priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
#endif
	    priv_delset(npset, PRIV_PROC_FORK) != 0 ||
	    priv_delset(npset, PRIV_PROC_INFO) != 0 ||
	    priv_delset(npset, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

#ifdef PRIV_XPOLICY
	/*
	 * It is possible that the user has an extended policy
	 * in place; the LIMIT set restricts the extended policy
	 * and so should not be restricted.
	 * PRIV_XPOLICY is newly defined in Solaris 11 though the extended
	 * policy was not implemented until Solaris 11.1.
	 */
	if (getpflags(PRIV_XPOLICY) == 1) {
		/* Read the current limit set into the scratch set ... */
		if (getppriv(PRIV_LIMIT, pset) != 0)
			fatal("getppriv: %s", strerror(errno));
		/*
		 * ... and narrow npset to what the limit set allows
		 * (priv_intersect() stores the result in its second
		 * argument), then install that as the new limit set.
		 */
		priv_intersect(pset, npset);
		if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
			fatal("setppriv: %s", strerror(errno));
	} else
#endif
	{
		/* Cannot exec, so we can kill the limit set. */
		priv_emptyset(pset);
		if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
			fatal("setppriv: %s", strerror(errno));
	}

	/* Reuse the scratch set: load what we are currently permitted ... */
	if (getppriv(PRIV_PERMITTED, pset) != 0)
		fatal("getppriv: %s", strerror(errno));

	/* ... so that npset never grants anything we did not already hold. */
	priv_intersect(pset, npset);

	/* Install npset as both the permitted and the inheritable set. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(pset);
	priv_freeset(npset);
}
330 
/*
 * Reduce this process to the basic privilege set minus file_link_any,
 * proc_info, proc_session and (where defined) net_access, installed as
 * the permitted, limit and inheritable sets. Every failure is fatal().
 */
void
solaris_drop_privs_root_pinfo_net(void)
{
	priv_set_t *keep;

	/* Start with "basic" and drop everything we don't need. */
	keep = solaris_basic_privset();
	if (keep == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	/* fatal() does not return (see log.h), so the first failed removal stops here. */
	if (priv_delset(keep, PRIV_FILE_LINK_ANY) != 0)
		fatal("priv_delset: %s", strerror(errno));
#ifdef PRIV_NET_ACCESS
	if (priv_delset(keep, PRIV_NET_ACCESS) != 0)
		fatal("priv_delset: %s", strerror(errno));
#endif
	if (priv_delset(keep, PRIV_PROC_INFO) != 0)
		fatal("priv_delset: %s", strerror(errno));
	if (priv_delset(keep, PRIV_PROC_SESSION) != 0)
		fatal("priv_delset: %s", strerror(errno));

	/* Install the reduced set as permitted, then limit, then inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, keep) != 0)
		fatal("setppriv: %s", strerror(errno));
	if (setppriv(PRIV_SET, PRIV_LIMIT, keep) != 0)
		fatal("setppriv: %s", strerror(errno));
	if (setppriv(PRIV_SET, PRIV_INHERITABLE, keep) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(keep);
}
355 
/*
 * Reduce this process to the basic privilege set minus file_link_any,
 * proc_exec, proc_info and (where defined) net_access, installed as the
 * permitted, limit and inheritable sets. Every failure is fatal().
 */
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
	priv_set_t *keep;

	/* Start with "basic" and drop everything we don't need. */
	keep = solaris_basic_privset();
	if (keep == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	/* fatal() does not return (see log.h), so the first failed removal stops here. */
	if (priv_delset(keep, PRIV_FILE_LINK_ANY) != 0)
		fatal("priv_delset: %s", strerror(errno));
#ifdef PRIV_NET_ACCESS
	if (priv_delset(keep, PRIV_NET_ACCESS) != 0)
		fatal("priv_delset: %s", strerror(errno));
#endif
	if (priv_delset(keep, PRIV_PROC_EXEC) != 0)
		fatal("priv_delset: %s", strerror(errno));
	if (priv_delset(keep, PRIV_PROC_INFO) != 0)
		fatal("priv_delset: %s", strerror(errno));

	/* Install the reduced set as permitted, then limit, then inheritable. */
	if (setppriv(PRIV_SET, PRIV_PERMITTED, keep) != 0)
		fatal("setppriv: %s", strerror(errno));
	if (setppriv(PRIV_SET, PRIV_LIMIT, keep) != 0)
		fatal("setppriv: %s", strerror(errno));
	if (setppriv(PRIV_SET, PRIV_INHERITABLE, keep) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(keep);
}
381 
382 #endif
383