1/* $Id: port-solaris.c,v 1.4 2010/11/05 01:03:05 dtucker Exp $ */
2
3/*
4 * Copyright (c) 2006 Chad Mynhier.
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include "config.h"
20#include "includes.h"
21
22#ifdef USE_SOLARIS_PROCESS_CONTRACTS
23
24#include <sys/types.h>
25#include <sys/stat.h>
26#include <sys/param.h>
27
28#include <errno.h>
29#ifdef HAVE_FCNTL_H
30# include <fcntl.h>
31#endif
32#include <stdarg.h>
33#include <string.h>
34#include <unistd.h>
35
36#include <libcontract.h>
37#include <sys/contract/process.h>
38#include <sys/ctfs.h>
39
40#include "log.h"
41
/* ctfs nodes used below: the per-process contract template, and the
 * "latest" node whose status names the most recently created contract. */
#define CT_TEMPLATE	CTFS_ROOT "/process/template"
#define CT_LATEST	CTFS_ROOT "/process/latest"

/*
 * Template fd opened by solaris_contract_pre_fork() and closed again by the
 * post-fork hooks; -1 whenever no template is open.  File-scope state, so
 * the pre-fork / post-fork calls must be paired around a single fork().
 */
static int tmpl_fd = -1;
46
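/*
 * Look up the id of the most recently created process contract by reading
 * the common status block of the ctfs "latest" node.
 *
 * Returns the contract id, or -1 on failure (the failure has already been
 * reported via error()).  Callers must check for -1 before using the value
 * to build a ctfs path.
 */
static ctid_t
get_active_process_contract_id(void)
{
	int stat_fd;
	ctid_t ctid = -1;
	ct_stathdl_t stathdl;

	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
		error("%s: Error opening 'latest' process "
		    "contract: %s", __func__, strerror(errno));
		return -1;
	}
	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
		error("%s: Error reading process contract "
		    "status: %s", __func__, strerror(errno));
		goto out;
	}
	if ((ctid = ct_status_get_id(stathdl)) < 0) {
		/*
		 * NOTE(review): it is not established here that
		 * ct_status_get_id() sets errno, so the strerror() text may
		 * be stale.  Do not jump to out: the handle obtained from
		 * ct_status_read() must be released on this path too.
		 */
		error("%s: Error getting process contract id: %s",
		    __func__, strerror(errno));
	}

	/* Release the status handle on both the success and failed-id path. */
	ct_status_free(stathdl);
 out:
	close(stat_fd);
	return ctid;
}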
76
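/*
 * Open the process contract template, configure it and make it the active
 * template for this process ahead of a fork().
 *
 * On success tmpl_fd holds the open template.  On any failure an error is
 * logged and tmpl_fd is reset to -1, which the post-fork hooks treat as
 * "no template to clean up".
 *
 * NOTE(review): the template is opened without O_CLOEXEC, so the fd is
 * inherited across fork() and would also survive an exec() that skips the
 * post-fork hooks; callers are expected to always pair this with
 * solaris_contract_post_fork_child()/_parent().
 */
void
solaris_contract_pre_fork(void)
{
	if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
		error("%s: open %s: %s", __func__,
		    CT_TEMPLATE, strerror(errno));
		return;
	}

	debug2("%s: setting up process contract template on fd %d",
	    __func__, tmpl_fd);

	/* First we set the template parameters and event sets. */
	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
		error("%s: Error setting process contract parameter set "
		    "(pgrponly): %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "fatal events: %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
		error("%s: Error setting process contract template "
		    "critical events: %s", __func__, strerror(errno));
		goto fail;
	}
	if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
		error("%s: Error setting process contract template "
		    "informative events: %s", __func__, strerror(errno));
		goto fail;
	}

	/* Now make this the active template for this process. */
	if (ct_tmpl_activate(tmpl_fd) != 0) {
		error("%s: Error activating process contract "
		    "template: %s", __func__, strerror(errno));
		goto fail;
	}
	return;

 fail:
	/*
	 * tmpl_fd is always a valid, open fd here (every goto fail is after
	 * the open succeeded), so no -1 check is needed.  Reset it so the
	 * post-fork hooks know there is nothing to clear.
	 */
	close(tmpl_fd);
	tmpl_fd = -1;
}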
125
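/*
 * Child-side cleanup after fork(): clear the contract template activated by
 * solaris_contract_pre_fork() and close the inherited template fd.
 *
 * Safe to call when pre_fork failed (tmpl_fd == -1): mirrors the check in
 * solaris_contract_post_fork_parent() instead of issuing ct_tmpl_clear()
 * and close() on -1 and logging a spurious error.
 */
void
solaris_contract_post_fork_child(void)
{
	debug2("%s: clearing process contract template on fd %d",
	    __func__, tmpl_fd);

	/* No template was set up; nothing to clear. */
	if (tmpl_fd == -1)
		return;

	/* Clear the active template. */
	if (ct_tmpl_clear(tmpl_fd) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;
}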
140
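/*
 * Parent-side cleanup after fork(): clear the template activated by
 * solaris_contract_pre_fork(), then look up and abandon the contract that
 * the fork created so the parent does not remain its holder.
 *
 * pid is the fork() return value.  When the fork failed (pid <= 0) or the
 * template could not be cleared, only the template fd is released.
 * All failures are logged via error(); the function never aborts.
 */
void
solaris_contract_post_fork_parent(pid_t pid)
{
	ctid_t ctid;
	char ctl_path[256];
	int r, ctl_fd;

	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);

	/* pre_fork failed or was never called; nothing to clean up. */
	if (tmpl_fd == -1)
		return;

	/* First clear the active template. */
	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
		error("%s: Error clearing active process contract "
		    "template: %s", __func__, strerror(errno));

	close(tmpl_fd);
	tmpl_fd = -1;

	/*
	 * If either the fork didn't succeed (pid <= 0), or clearing
	 * the active template failed (r != 0), there is nothing
	 * more to do.
	 */
	if (r != 0 || pid <= 0)
		return;

	/*
	 * Now look up and abandon the contract we've created.  The lookup
	 * logs its own failure; don't go on to build a ctfs path from -1.
	 */
	if ((ctid = get_active_process_contract_id()) < 0)
		return;

	/* ctid_t is not necessarily long; cast so %ld matches the argument. */
	debug2("%s: abandoning contract id %ld", __func__, (long)ctid);

	r = snprintf(ctl_path, sizeof(ctl_path),
	    CTFS_ROOT "/process/%ld/ctl", (long)ctid);
	if (r < 0 || (size_t)r >= sizeof(ctl_path)) {
		/* Cannot happen with a 256-byte buffer, but never open a truncated path. */
		error("%s: process contract ctl path too long", __func__);
		return;
	}
	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
		error("%s: Error opening process contract "
		    "ctl file: %s", __func__, strerror(errno));
		return;
	}
	if (ct_ctl_abandon(ctl_fd) < 0)
		error("%s: Error abandoning process contract: %s",
		    __func__, strerror(errno));
	close(ctl_fd);
}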
199#endif
200
201#ifdef USE_SOLARIS_PROJECTS
202#include <sys/task.h>
203#include <project.h>
204
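/*
 * Get/set solaris default project.
 * If we fail, just run along gracefully.
 *
 * Looks up the default project of pw->pw_name and makes it the project of
 * the current task.  Both the lookup and setproject() failures are only
 * reported at debug level and the caller continues, so this is best-effort.
 *
 * pw must be non-NULL with a valid pw_name.
 */
void
solaris_set_default_project(struct passwd *pw)
{
	struct project  *defaultproject;
	struct project   tempproject;
	char buf[1024];

	/*
	 * getdefaultproj() returns NULL on failure, so test against NULL
	 * rather than ordering the pointer against 0 (a constraint violation
	 * in C).  buf decays to the void * scratch buffer; the previous &buf
	 * was a pointer to the whole array and only worked by accident.
	 */
	defaultproject = getdefaultproj(pw->pw_name, &tempproject, buf,
	    sizeof(buf));
	if (defaultproject == NULL) {
		/* debug on getdefaultproj() error */
		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
		return;
	}

	/*
	 * set default project.  NOTE(review): a positive setproject() return
	 * reports a failed attribute index rather than an errno, so the
	 * strerror() text may not describe that failure — confirm.
	 */
	if (setproject(defaultproject->pj_name, pw->pw_name,
	    TASK_NORMAL) != 0)
		debug("setproject(%s): %s", defaultproject->pj_name,
		    strerror(errno));
}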
229#endif /* USE_SOLARIS_PROJECTS */
230
231#ifdef USE_SOLARIS_PRIVS
232# ifdef HAVE_PRIV_H
233#  include <priv.h>
234# endif
235
/*
 * Allocate a privilege set holding the Solaris "basic" privileges, using
 * priv_basicset() where available and the string form otherwise.
 *
 * Returns a newly allocated set the caller must release with priv_freeset(),
 * or NULL after logging an error().
 */
priv_set_t *
solaris_basic_privset(void)
{
	priv_set_t *basic = NULL;

#ifdef HAVE_PRIV_BASICSET
	basic = priv_allocset();
	if (basic != NULL)
		priv_basicset(basic);
	else
		error("priv_allocset: %s", strerror(errno));
#else
	basic = priv_str_to_set("basic", ",", NULL);
	if (basic == NULL)
		error("priv_str_to_set: %s", strerror(errno));
#endif
	return basic;
}
255
/*
 * Reduce this process to: basic privileges, plus the file DAC/owner/chown
 * privileges, minus FILE_LINK_ANY, PROC_EXEC, PROC_FORK, PROC_INFO,
 * PROC_SESSION (and NET_ACCESS where the build defines it), intersected
 * with the current PERMITTED set.  The result is installed as the
 * PERMITTED, LIMIT and INHERITABLE sets.  Any failure is fatal().
 *
 * Note: this variant avoids dropping DAC filesystem rights, in case the
 * process calling it is running as root and should have the ability to
 * read/write/chown any file on the system.  Starting from basic, adding the
 * DAC rights, removing the parts of basic we don't need, and then
 * intersecting with the existing PERMITTED set keeps whatever DAC rights we
 * already had while otherwise reducing ourselves to the minimum needed to
 * proceed; any other parts of "root" (kill any process, create device
 * nodes, etc.) are dropped.
 *
 * NOTE(review): the EFFECTIVE set is not assigned here; this relies on the
 * kernel keeping E a subset of P when P shrinks — confirm.
 */
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	const char *const add_privs[] = {
		PRIV_FILE_CHOWN,
		PRIV_FILE_DAC_READ,
		PRIV_FILE_DAC_SEARCH,
		PRIV_FILE_DAC_WRITE,
		PRIV_FILE_OWNER,
	};
	const char *const del_privs[] = {
		PRIV_FILE_LINK_ANY,
#ifdef PRIV_NET_ACCESS
		PRIV_NET_ACCESS,
#endif
		PRIV_PROC_EXEC,
		PRIV_PROC_FORK,
		PRIV_PROC_INFO,
		PRIV_PROC_SESSION,
	};
	priv_set_t *permitted = NULL, *wanted = NULL;
	size_t i;

	if ((permitted = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	if ((wanted = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	/* Same privileges, same order, first failure fatal. */
	for (i = 0; i < sizeof(add_privs) / sizeof(add_privs[0]); i++) {
		if (priv_addset(wanted, add_privs[i]) != 0)
			fatal("priv_addset: %s", strerror(errno));
	}
	for (i = 0; i < sizeof(del_privs) / sizeof(del_privs[0]); i++) {
		if (priv_delset(wanted, del_privs[i]) != 0)
			fatal("priv_delset: %s", strerror(errno));
	}

	if (getppriv(PRIV_PERMITTED, permitted) != 0)
		fatal("getppriv: %s", strerror(errno));

	/* wanted = wanted ∩ permitted: never grant what we don't hold. */
	priv_intersect(permitted, wanted);

	if (setppriv(PRIV_SET, PRIV_PERMITTED, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, wanted) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(permitted);
	priv_freeset(wanted);
}
312
/*
 * Reduce this process to the "basic" privileges minus FILE_LINK_ANY,
 * PROC_INFO and PROC_SESSION (and NET_ACCESS where defined), installed as
 * the PERMITTED, LIMIT and INHERITABLE sets.  PROC_FORK and PROC_EXEC are
 * retained.  Any failure is fatal().
 *
 * NOTE(review): unlike solaris_drop_privs_pinfo_net_fork_exec() there is no
 * intersection with the current PERMITTED set here — presumably because the
 * caller is expected to already hold basic; confirm against callers.
 */
void
solaris_drop_privs_root_pinfo_net(void)
{
	const char *const del_privs[] = {
		PRIV_FILE_LINK_ANY,
#ifdef PRIV_NET_ACCESS
		PRIV_NET_ACCESS,
#endif
		PRIV_PROC_INFO,
		PRIV_PROC_SESSION,
	};
	priv_set_t *wanted = NULL;
	size_t i;

	/* Start with "basic" and drop everything we don't need. */
	if ((wanted = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	for (i = 0; i < sizeof(del_privs) / sizeof(del_privs[0]); i++) {
		if (priv_delset(wanted, del_privs[i]) != 0)
			fatal("priv_delset: %s", strerror(errno));
	}

	if (setppriv(PRIV_SET, PRIV_PERMITTED, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, wanted) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(wanted);
}
337
/*
 * Reduce this process to the "basic" privileges minus FILE_LINK_ANY,
 * PROC_EXEC, PROC_INFO and PROC_SESSION (and NET_ACCESS where defined),
 * installed as the PERMITTED, LIMIT and INHERITABLE sets.  Differs from
 * solaris_drop_privs_root_pinfo_net() only in also dropping PROC_EXEC;
 * PROC_FORK is retained.  Any failure is fatal().
 */
void
solaris_drop_privs_root_pinfo_net_exec(void)
{
	const char *const del_privs[] = {
		PRIV_FILE_LINK_ANY,
#ifdef PRIV_NET_ACCESS
		PRIV_NET_ACCESS,
#endif
		PRIV_PROC_EXEC,
		PRIV_PROC_INFO,
		PRIV_PROC_SESSION,
	};
	priv_set_t *wanted = NULL;
	size_t i;

	/* Start with "basic" and drop everything we don't need. */
	if ((wanted = solaris_basic_privset()) == NULL)
		fatal("solaris_basic_privset: %s", strerror(errno));

	for (i = 0; i < sizeof(del_privs) / sizeof(del_privs[0]); i++) {
		if (priv_delset(wanted, del_privs[i]) != 0)
			fatal("priv_delset: %s", strerror(errno));
	}

	if (setppriv(PRIV_SET, PRIV_PERMITTED, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_LIMIT, wanted) != 0 ||
	    setppriv(PRIV_SET, PRIV_INHERITABLE, wanted) != 0)
		fatal("setppriv: %s", strerror(errno));

	priv_freeset(wanted);
}
364
365#endif
366