1 /*
2  * Copyright (c) 2006 Chad Mynhier.
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "config.h"
18 #include "includes.h"
19 
20 #ifdef USE_SOLARIS_PROCESS_CONTRACTS
21 
22 #include <sys/types.h>
23 #include <sys/stat.h>
24 #include <sys/param.h>
25 
26 #include <errno.h>
27 #ifdef HAVE_FCNTL_H
28 # include <fcntl.h>
29 #endif
30 #include <stdarg.h>
31 #include <string.h>
32 #include <unistd.h>
33 
34 #include <libcontract.h>
35 #include <sys/contract/process.h>
36 #include <sys/ctfs.h>
37 
38 #include "log.h"
39 
40 #define CT_TEMPLATE	CTFS_ROOT "/process/template"
41 #define CT_LATEST	CTFS_ROOT "/process/latest"
42 
43 static int tmpl_fd = -1;
44 
45 /* Lookup the latest process contract */
46 static ctid_t
get_active_process_contract_id(void)47 get_active_process_contract_id(void)
48 {
49 	int stat_fd;
50 	ctid_t ctid = -1;
51 	ct_stathdl_t stathdl;
52 
53 	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
54 		error("%s: Error opening 'latest' process "
55 		    "contract: %s", __func__, strerror(errno));
56 		return -1;
57 	}
58 	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
59 		error("%s: Error reading process contract "
60 		    "status: %s", __func__, strerror(errno));
61 		goto out;
62 	}
63 	if ((ctid = ct_status_get_id(stathdl)) < 0) {
64 		error("%s: Error getting process contract id: %s",
65 		    __func__, strerror(errno));
66 		goto out;
67 	}
68 
69 	ct_status_free(stathdl);
70  out:
71 	close(stat_fd);
72 	return ctid;
73 }
74 
75 void
solaris_contract_pre_fork(void)76 solaris_contract_pre_fork(void)
77 {
78 	if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
79 		error("%s: open %s: %s", __func__,
80 		    CT_TEMPLATE, strerror(errno));
81 		return;
82 	}
83 
84 	debug2("%s: setting up process contract template on fd %d",
85 	    __func__, tmpl_fd);
86 
87 	/* First we set the template parameters and event sets. */
88 	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
89 		error("%s: Error setting process contract parameter set "
90 		    "(pgrponly): %s", __func__, strerror(errno));
91 		goto fail;
92 	}
93 	if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
94 		error("%s: Error setting process contract template "
95 		    "fatal events: %s", __func__, strerror(errno));
96 		goto fail;
97 	}
98 	if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
99 		error("%s: Error setting process contract template "
100 		    "critical events: %s", __func__, strerror(errno));
101 		goto fail;
102 	}
103 	if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
104 		error("%s: Error setting process contract template "
105 		    "informative events: %s", __func__, strerror(errno));
106 		goto fail;
107 	}
108 
109 	/* Now make this the active template for this process. */
110 	if (ct_tmpl_activate(tmpl_fd) != 0) {
111 		error("%s: Error activating process contract "
112 		    "template: %s", __func__, strerror(errno));
113 		goto fail;
114 	}
115 	return;
116 
117  fail:
118 	if (tmpl_fd != -1) {
119 		close(tmpl_fd);
120 		tmpl_fd = -1;
121 	}
122 }
123 
124 void
solaris_contract_post_fork_child()125 solaris_contract_post_fork_child()
126 {
127 	debug2("%s: clearing process contract template on fd %d",
128 	    __func__, tmpl_fd);
129 
130 	/* Clear the active template. */
131 	if (ct_tmpl_clear(tmpl_fd) != 0)
132 		error("%s: Error clearing active process contract "
133 		    "template: %s", __func__, strerror(errno));
134 
135 	close(tmpl_fd);
136 	tmpl_fd = -1;
137 }
138 
139 void
solaris_contract_post_fork_parent(pid_t pid)140 solaris_contract_post_fork_parent(pid_t pid)
141 {
142 	ctid_t ctid;
143 	char ctl_path[256];
144 	int r, ctl_fd = -1, stat_fd = -1;
145 
146 	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
147 
148 	if (tmpl_fd == -1)
149 		return;
150 
151 	/* First clear the active template. */
152 	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
153 		error("%s: Error clearing active process contract "
154 		    "template: %s", __func__, strerror(errno));
155 
156 	close(tmpl_fd);
157 	tmpl_fd = -1;
158 
159 	/*
160 	 * If either the fork didn't succeed (pid < 0), or clearing
161 	 * th active contract failed (r != 0), then we have nothing
162 	 * more do.
163 	 */
164 	if (r != 0 || pid <= 0)
165 		return;
166 
167 	/* Now lookup and abandon the contract we've created. */
168 	ctid = get_active_process_contract_id();
169 
170 	debug2("%s: abandoning contract id %ld", __func__, ctid);
171 
172 	snprintf(ctl_path, sizeof(ctl_path),
173 	    CTFS_ROOT "/process/%ld/ctl", ctid);
174 	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
175 		error("%s: Error opening process contract "
176 		    "ctl file: %s", __func__, strerror(errno));
177 		goto fail;
178 	}
179 	if (ct_ctl_abandon(ctl_fd) < 0) {
180 		error("%s: Error abandoning process contract: %s",
181 		    __func__, strerror(errno));
182 		goto fail;
183 	}
184 	close(ctl_fd);
185 	return;
186 
187  fail:
188 	if (tmpl_fd != -1) {
189 		close(tmpl_fd);
190 		tmpl_fd = -1;
191 	}
192 	if (stat_fd != -1)
193 		close(stat_fd);
194 	if (ctl_fd != -1)
195 		close(ctl_fd);
196 }
197 #endif
198 
199 #ifdef USE_SOLARIS_PROJECTS
200 #include <sys/task.h>
201 #include <project.h>
202 
203 /*
204  * Get/set solaris default project.
205  * If we fail, just run along gracefully.
206  */
207 void
solaris_set_default_project(struct passwd * pw)208 solaris_set_default_project(struct passwd *pw)
209 {
210 	struct project  *defaultproject;
211 	struct project   tempproject;
212 	char buf[1024];
213 
214 	/* get default project, if we fail just return gracefully  */
215 	if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, &buf,
216 	    sizeof(buf))) != NULL) {
217 		/* set default project */
218 		if (setproject(defaultproject->pj_name, pw->pw_name,
219 		    TASK_NORMAL) != 0)
220 			debug("setproject(%s): %s", defaultproject->pj_name,
221 			    strerror(errno));
222 	} else {
223 		/* debug on getdefaultproj() error */
224 		debug("getdefaultproj(%s): %s", pw->pw_name, strerror(errno));
225 	}
226 }
227 #endif /* USE_SOLARIS_PROJECTS */
228 
229 #ifdef USE_SOLARIS_PRIVS
230 # ifdef HAVE_PRIV_H
231 #  include <priv.h>
232 # endif
233 
234 priv_set_t *
solaris_basic_privset(void)235 solaris_basic_privset(void)
236 {
237 	priv_set_t *pset;
238 
239 #ifdef HAVE_PRIV_BASICSET
240 	if ((pset = priv_allocset()) == NULL) {
241 		error("priv_allocset: %s", strerror(errno));
242 		return NULL;
243 	}
244 	priv_basicset(pset);
245 #else
246 	if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
247 		error("priv_str_to_set: %s", strerror(errno));
248 		return NULL;
249 	}
250 #endif
251 	return pset;
252 }
253 
254 void
solaris_drop_privs_pinfo_net_fork_exec(void)255 solaris_drop_privs_pinfo_net_fork_exec(void)
256 {
257 	priv_set_t *pset = NULL, *npset = NULL;
258 
259 	/*
260 	 * Note: this variant avoids dropping DAC filesystem rights, in case
261 	 * the process calling it is running as root and should have the
262 	 * ability to read/write/chown any file on the system.
263 	 *
264 	 * We start with the basic set, then *add* the DAC rights to it while
265 	 * taking away other parts of BASIC we don't need. Then we intersect
266 	 * this with our existing PERMITTED set. In this way we keep any
267 	 * DAC rights we had before, while otherwise reducing ourselves to
268 	 * the minimum set of privileges we need to proceed.
269 	 *
270 	 * This also means we drop any other parts of "root" that we don't
271 	 * need (e.g. the ability to kill any process, create new device nodes
272 	 * etc etc).
273 	 */
274 
275 	if ((pset = priv_allocset()) == NULL)
276 		fatal("priv_allocset: %s", strerror(errno));
277 	if ((npset = solaris_basic_privset()) == NULL)
278 		fatal("solaris_basic_privset: %s", strerror(errno));
279 
280 	if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
281 	    priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
282 	    priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
283 	    priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
284 	    priv_addset(npset, PRIV_FILE_OWNER) != 0)
285 		fatal("priv_addset: %s", strerror(errno));
286 
287 	if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
288 #ifdef PRIV_NET_ACCESS
289 	    priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
290 #endif
291 	    priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
292 	    priv_delset(npset, PRIV_PROC_FORK) != 0 ||
293 	    priv_delset(npset, PRIV_PROC_INFO) != 0 ||
294 	    priv_delset(npset, PRIV_PROC_SESSION) != 0)
295 		fatal("priv_delset: %s", strerror(errno));
296 
297 	if (getppriv(PRIV_PERMITTED, pset) != 0)
298 		fatal("getppriv: %s", strerror(errno));
299 
300 	priv_intersect(pset, npset);
301 
302 	if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
303 	    setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
304 	    setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
305 		fatal("setppriv: %s", strerror(errno));
306 
307 	priv_freeset(pset);
308 	priv_freeset(npset);
309 }
310 
311 void
solaris_drop_privs_root_pinfo_net(void)312 solaris_drop_privs_root_pinfo_net(void)
313 {
314 	priv_set_t *pset = NULL;
315 
316 	/* Start with "basic" and drop everything we don't need. */
317 	if ((pset = solaris_basic_privset()) == NULL)
318 		fatal("solaris_basic_privset: %s", strerror(errno));
319 
320 	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
321 #ifdef PRIV_NET_ACCESS
322 	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
323 #endif
324 	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
325 	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
326 		fatal("priv_delset: %s", strerror(errno));
327 
328 	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
329 	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
330 	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
331 		fatal("setppriv: %s", strerror(errno));
332 
333 	priv_freeset(pset);
334 }
335 
336 void
solaris_drop_privs_root_pinfo_net_exec(void)337 solaris_drop_privs_root_pinfo_net_exec(void)
338 {
339 	priv_set_t *pset = NULL;
340 
341 
342 	/* Start with "basic" and drop everything we don't need. */
343 	if ((pset = solaris_basic_privset()) == NULL)
344 		fatal("solaris_basic_privset: %s", strerror(errno));
345 
346 	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
347 #ifdef PRIV_NET_ACCESS
348 	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
349 #endif
350 	    priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
351 	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
352 	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
353 		fatal("priv_delset: %s", strerror(errno));
354 
355 	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
356 	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
357 	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
358 		fatal("setppriv: %s", strerror(errno));
359 
360 	priv_freeset(pset);
361 }
362 
363 #endif
364