10Sstevel@tonic-gate /*
20Sstevel@tonic-gate  * CDDL HEADER START
30Sstevel@tonic-gate  *
40Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
51676Sjpk  * Common Development and Distribution License (the "License").
61676Sjpk  * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate  *
80Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate  * See the License for the specific language governing permissions
110Sstevel@tonic-gate  * and limitations under the License.
120Sstevel@tonic-gate  *
130Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate  *
190Sstevel@tonic-gate  * CDDL HEADER END
200Sstevel@tonic-gate  */
210Sstevel@tonic-gate /*
22*12273SCasper.Dik@Sun.COM  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
230Sstevel@tonic-gate  *
240Sstevel@tonic-gate  * Program to examine or set process privileges.
250Sstevel@tonic-gate  */
260Sstevel@tonic-gate 
270Sstevel@tonic-gate #include <stdio.h>
281914Scasper #include <stdio_ext.h>
290Sstevel@tonic-gate #include <stdlib.h>
300Sstevel@tonic-gate #include <unistd.h>
310Sstevel@tonic-gate #include <fcntl.h>
320Sstevel@tonic-gate #include <string.h>
330Sstevel@tonic-gate #include <limits.h>
340Sstevel@tonic-gate #include <sys/types.h>
350Sstevel@tonic-gate #include <libproc.h>
360Sstevel@tonic-gate #include <priv.h>
370Sstevel@tonic-gate #include <errno.h>
380Sstevel@tonic-gate #include <ctype.h>
390Sstevel@tonic-gate 
400Sstevel@tonic-gate #include <locale.h>
410Sstevel@tonic-gate #include <langinfo.h>
420Sstevel@tonic-gate 
/*
 * Forward declarations.  The remaining helpers (fatal, strindex, badspec,
 * dopriv) are defined before their first use and need none.
 */
static int	look(char *);
static void	perr(char *);
static void	usage(void);
static void	loadprivinfo(void);
static int	parsespec(const char *);
static void	privupdate(prpriv_t *, const char *);
static void	privupdate_self(void);
static int	dumppriv(char **);
static void	flags2str(uint_t);

static char		*command;	/* basename of argv[0]; prefixes diagnostics */
static char		*procname;	/* pid/core currently examined, for perr() */
static boolean_t	verb = B_FALSE;	/* -v: verbose; also selects PRIV_STR_LIT */
static boolean_t	set = B_FALSE;	/* any of -D -N -P -s -x: a set operation */
static boolean_t	exec = B_FALSE;	/* -e: update own privileges, then exec */
static boolean_t	Don = B_FALSE;	/* -D: turn PRIV_DEBUG on */
static boolean_t	Doff = B_FALSE;	/* -N: turn PRIV_DEBUG off */
static boolean_t	list = B_FALSE;	/* -l: list privileges */
static boolean_t	mac_aware = B_FALSE;	/* -M: set NET_MAC_AWARE flags (-e only) */
static boolean_t	pfexec = B_FALSE;	/* -P: set PRIV_PFEXEC */
static boolean_t	xpol = B_FALSE;	/* -x: set PRIV_XPOLICY */
/* priv_set_to_str() mode: PORT by default, SHORT with -S, LIT with -v */
static int		mode = PRIV_STR_PORT;
650Sstevel@tonic-gate 
/*
 * ppriv entry point.
 *
 * Parses the command line into the file-scope option flags, then runs one
 * of three modes: -e (update this process's privileges and exec cmd),
 * -l (list privileges) or the default (report or update the privileges
 * of each pid/core named on the command line).  The exit status is the
 * number of targets that failed in the default mode, dumppriv()'s result
 * for -l, or execvp()'s failure return for -e.
 */
int
main(int argc, char **argv)
{
	int status = 0;
	int c;
	char *slash;
	struct rlimit fdlim;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	/* Diagnostics are prefixed with the basename of argv[0]. */
	slash = strrchr(argv[0], '/');
	command = (slash != NULL) ? slash + 1 : argv[0];

	while ((c = getopt(argc, argv, "lDMNPevs:xS")) != EOF) {
		switch (c) {
		case 'l':
			list = B_TRUE;
			break;
		case 'D':		/* turn PRIV_DEBUG on */
			set = B_TRUE;
			Don = B_TRUE;
			break;
		case 'N':		/* turn PRIV_DEBUG off */
			set = B_TRUE;
			Doff = B_TRUE;
			break;
		case 'P':		/* set PRIV_PFEXEC */
			set = B_TRUE;
			pfexec = B_TRUE;
			break;
		case 'x':		/* set PRIV_XPOLICY */
			set = B_TRUE;
			xpol = B_TRUE;
			break;
		case 's':		/* privilege spec; parsespec() returns 0 or exits */
			set = B_TRUE;
			status = parsespec(optarg);
			if (status != 0)
				return (status);
			break;
		case 'M':
			mac_aware = B_TRUE;
			break;
		case 'e':
			exec = B_TRUE;
			break;
		case 'S':		/* short privilege names */
			mode = PRIV_STR_SHORT;
			break;
		case 'v':		/* verbose: literal privilege names */
			verb = B_TRUE;
			mode = PRIV_STR_LIT;
			break;
		default:
			usage();
			/*NOTREACHED*/
		}
	}

	argc -= optind;
	argv += optind;

	/*
	 * Option sanity: a target is required unless listing; -D and -N
	 * conflict; -l conflicts with any set or exec option; -M needs -e.
	 */
	if ((argc < 1 && !list) || (Doff && Don) || (list && (set || exec)) ||
	    (mac_aware && !exec))
		usage();

	/*
	 * Raise the descriptor limit to its hard maximum: libproc may need
	 * many descriptors for a target with a large number of mappings.
	 */
	if (getrlimit(RLIMIT_NOFILE, &fdlim) == 0) {
		fdlim.rlim_cur = fdlim.rlim_max;
		(void) setrlimit(RLIMIT_NOFILE, &fdlim);
		(void) enable_extended_FILE_stdio(-1, -1);
	}

	if (exec) {
		privupdate_self();
		status = execvp(argv[0], argv);
		/* Only reached if the exec failed. */
		(void) fprintf(stderr, "%s: %s: %s\n", command, argv[0],
		    strerror(errno));
	} else if (list) {
		status = dumppriv(argv);
	} else {
		for (; argc > 0; argc--, argv++)
			status += look(*argv);
	}

	return (status);
}
1570Sstevel@tonic-gate 
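/*
 * Report or update the privilege sets of one target (a pid or a core
 * file named by arg).  Returns 0 on success, 1 on any failure.
 *
 * When a set operation (-s/-D/-N/-P/-x) was requested the target must be
 * a live process: it is grabbed writable, the accumulated updates are
 * applied with privupdate() and written back with Psetpriv().  Otherwise
 * the target is grabbed read-only and its flags and sets are printed.
 *
 * Core files are untrusted input: every length read out of the prpriv_t
 * header and the trailing priv_info entries is validated against the
 * bytes actually available before it is dereferenced.
 */
static int
look(char *arg)
{
	static size_t pprivsz = sizeof (prpriv_t);
	static prpriv_t *ppriv;

	struct ps_prochandle *Pr;
	int gcode;
	int got;
	size_t sz;
	void *pdata;
	char *x, *end;
	int i;
	boolean_t nodata;

	procname = arg;		/* for perr() */

	if ((Pr = proc_arg_grab(arg, set ? PR_ARG_PIDS : PR_ARG_ANY,
	    PGRAB_RETAIN | PGRAB_FORCE | (set ? 0 : PGRAB_RDONLY) |
	    PGRAB_NOSTOP, &gcode)) == NULL) {
		(void) fprintf(stderr, "%s: cannot examine %s: %s\n",
		    command, arg, Pgrab_error(gcode));
		return (1);
	}

	/* The buffer persists across calls and only ever grows. */
	if (ppriv == NULL && (ppriv = malloc(pprivsz)) == NULL) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}

	/*
	 * First pass: fetch at least the fixed header so the real size can
	 * be computed.  Ppriv() returns -1 on error, otherwise the number
	 * of bytes it made available; anything shorter than the header
	 * would leave pr_nsets/pr_setsize/pr_infosize uninitialized.
	 */
	got = Ppriv(Pr, ppriv, pprivsz);
	if (got == -1) {
		perr(command);
		Prelease(Pr, 0);
		return (1);
	}
	if ((size_t)got < sizeof (prpriv_t)) {
		(void) fprintf(stderr,
		    "%s: %s: short privilege data (%d bytes)\n",
		    command, arg, got);
		Prelease(Pr, 0);
		return (1);
	}

	sz = PRIV_PRPRIV_SIZE(ppriv);

	/*
	 * The ppriv fields are unsigned and may overflow, so check them
	 * separately.  Size must be word aligned, so check that too.
	 * Make sure size is "smallish" too.  Together with the 1 MB cap,
	 * sz / pr_nsets < pr_setsize rejects any pr_nsets * pr_setsize
	 * product that wrapped in the 32-bit size computation.
	 */
	if ((sz & 3) || ppriv->pr_nsets == 0 ||
	    sz / ppriv->pr_nsets < ppriv->pr_setsize ||
	    ppriv->pr_infosize > sz || sz > 1024 * 1024) {
		(void) fprintf(stderr,
		    "%s: %s: bad PRNOTES section, size = %lx\n",
		    command, arg, (long)sz);
		Prelease(Pr, 0);
		return (1);
	}

	if (sz > pprivsz) {
		/* Keep the old buffer when realloc() fails; it is reused. */
		prpriv_t *bigger = realloc(ppriv, sz);

		if (bigger == NULL) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		ppriv = bigger;
		pprivsz = sz;

		got = Ppriv(Pr, ppriv, sz);
		if (got == -1) {
			perr(command);
			Prelease(Pr, 0);
			return (1);
		}
		if ((size_t)got != sz) {
			(void) fprintf(stderr,
			    "%s: %s: short privilege data (%d of %lu bytes)\n",
			    command, arg, got, (unsigned long)sz);
			Prelease(Pr, 0);
			return (1);
		}
	} else if ((size_t)got < sz) {
		/* The header claims more bytes than the first read produced. */
		(void) fprintf(stderr,
		    "%s: %s: short privilege data (%d of %lu bytes)\n",
		    command, arg, got, (unsigned long)sz);
		Prelease(Pr, 0);
		return (1);
	}

	if (set) {
		int rc = 0;

		privupdate(ppriv, arg);
		if (Psetpriv(Pr, ppriv) != 0) {
			perr(command);
			rc = 1;
		}
		Prelease(Pr, 0);
		return (rc);
	}

	if (Pstate(Pr) == PS_DEAD) {
		(void) printf("core '%s' of %d:\t%.70s\n",
		    arg, (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		/* Set names/strings come from the core's own privinfo. */
		pdata = Pprivinfo(Pr);
		nodata = (pdata == NULL);
	} else {
		(void) printf("%d:\t%.70s\n",
		    (int)Ppsinfo(Pr)->pr_pid, Ppsinfo(Pr)->pr_psargs);
		pdata = NULL;
		nodata = B_FALSE;
	}

	/*
	 * Walk the priv_info entries that trail the sets.  pr_infosize <= sz
	 * was checked above, so x never precedes the buffer; each entry's
	 * header and declared size are checked against the bytes remaining
	 * before any field beyond the header is read.
	 */
	end = (char *)ppriv + sz;
	x = end - ppriv->pr_infosize;
	while (x < end) {
		size_t avail = (size_t)(end - x);
		priv_info_t *pi;

		if (avail < sizeof (priv_info_t)) {
			(void) fprintf(stderr,
			    "%s: truncated priv_info (%lu bytes left)\n",
			    arg, (unsigned long)avail);
			break;
		}
		/* LINTED: alignment */
		pi = (priv_info_t *)x;

		if (pi->priv_info_size > avail ||
		    pi->priv_info_size <= sizeof (priv_info_t) ||
		    (pi->priv_info_size & 3) != 0) {
			(void) fprintf(stderr, "%s: bad priv_info_size: %u\n",
			    arg, pi->priv_info_size);
			break;
		}

		switch (pi->priv_info_type) {
		case PRIV_INFO_FLAGS:
			if (pi->priv_info_size < sizeof (priv_info_uint_t)) {
				(void) fprintf(stderr,
				    "%s: short PRIV_INFO_FLAGS entry: %u\n",
				    arg, pi->priv_info_size);
				break;
			}
			(void) printf("flags =");
			/* LINTED: alignment */
			flags2str(((priv_info_uint_t *)x)->val);
			(void) putchar('\n');
			break;
		default:
			(void) fprintf(stderr, "%s: unknown priv_info: %d\n",
			    arg, pi->priv_info_type);
			break;
		}
		x += pi->priv_info_size;
	}

	for (i = 0; i < ppriv->pr_nsets; i++) {
		extern const char *__priv_getsetbynum(const void *, int);
		const char *setnm = pdata ? __priv_getsetbynum(pdata, i) :
		    priv_getsetbynum(i);
		priv_chunk_t *pc =
		    (priv_chunk_t *)&ppriv->pr_sets[ppriv->pr_setsize * i];

		(void) printf("\t%c: ", setnm && !nodata ? *setnm : '?');
		if (!nodata) {
			extern char *__priv_set_to_str(void *,
			    const priv_set_t *, char, int);
			priv_set_t *pset = (priv_set_t *)pc;
			char *s;

			if (pdata)
				s = __priv_set_to_str(pdata, pset, ',', mode);
			else
				s = priv_set_to_str(pset, ',', mode);
			(void) puts(s);
			free(s);
		} else {
			/* No privinfo in the core: dump the raw words. */
			int j;

			for (j = 0; j < ppriv->pr_setsize; j++)
				(void) printf("%08x", pc[j]);
			(void) putchar('\n');
		}
	}
	Prelease(Pr, 0);
	return (0);
}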
3030Sstevel@tonic-gate 
/*
 * Report the failed call named by s together with the current errno text,
 * then exit(3).  Never returns.
 */
static void
fatal(const char *s)
{
	const char *why = strerror(errno);

	(void) fprintf(stderr, "%s: %s: %s\n", command, s, why);
	exit(3);
}
3100Sstevel@tonic-gate 
/*
 * perror()-style report for the target named in procname.
 *
 * With a non-NULL s the output is "procname: s: <errno text>"; with a
 * NULL s it is "procname: <errno text>".  errno is preserved across the
 * intermediate fprintf() so the text describes the caller's failure.
 */
static void
perr(char *s)
{
	int saved = errno;

	if (s == NULL) {
		s = procname;
	} else {
		(void) fprintf(stderr, "%s: ", procname);
	}

	errno = saved;
	perror(s);
}
3240Sstevel@tonic-gate 
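/*
 * Print the synopsis to stderr and exit(2).  Never returns.
 *
 * Lists every option accepted by the getopt() string in main(), including
 * -P (PRIV_PFEXEC) and -x (PRIV_XPOLICY), which privupdate() and
 * privupdate_self() both honour and which were missing here.
 */
static void
usage(void)
{
	(void) fprintf(stderr,
	    "usage:\t%s [-v] [-S] [-D|-N] [-P] [-x] [-s spec] "
	    "{ pid | core } ...\n"
	    "\t%s -e [-D|-N] [-M] [-P] [-x] [-s spec] cmd [args ...]\n"
	    "\t%s -l [-v] [privilege ...]\n"
	    "  (report, set or list process privileges)\n", command,
	    command, command);
	exit(2);
	/*NOTREACHED*/
}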
3370Sstevel@tonic-gate 
/*
 * Parse a privilege specification: the privilege bits to add to (+),
 * remove from (-) or assign to (=) one or more privilege sets.
 *
 * [EPIL][+-=]priv,priv,priv
 *
 * The leading letters select the sets; an empty prefix or 'a' means all.
 */
3440Sstevel@tonic-gate 
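/*
 * Return the index of set letter c in str, or -1 when it is absent.
 *
 * Matching is case-insensitive: c is folded to upper case because str
 * holds upper-cased set letters (see loadprivinfo()).  A NUL c is
 * rejected explicitly; strchr() would otherwise "find" the terminator
 * and return an index one past the last valid set, which callers use to
 * index the rem/add/assign arrays.
 */
static int
strindex(char c, const char *str)
{
	const char *hit;

	if (c == '\0')
		return (-1);

	/* Cast keeps a negative char out of the <ctype.h> functions. */
	if (islower((unsigned char)c))
		c = (char)toupper((unsigned char)c);

	hit = strchr(str, c);
	return ((hit == NULL) ? -1 : (int)(hit - str));
}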
3600Sstevel@tonic-gate 
/*
 * Reject the privilege specification spec with a diagnostic and exit(3).
 * Never returns.
 */
static void
badspec(const char *spec)
{
	(void) fprintf(stderr, "%s: bad privilege specification: \"%s\"\n",
	    command, spec);
	exit(3);
	/*NOTREACHED*/
}
3690Sstevel@tonic-gate 
/*
 * Per-set update requests accumulated by parsespec(), indexed by set
 * number.  For each set you can request add and/or remove, or a single
 * assign; parsespec() rejects conflicting combinations.  rem[] holds the
 * complement of the privileges to remove (parsespec() inverts it), so it
 * is applied by intersection; add[] by union; assign[] by copy.
 */
static priv_set_t **rem, **add, **assign;
static const priv_impl_info_t *pri = NULL;	/* loaded lazily by loadprivinfo() */
static char *sets;	/* upper-cased first letter of each set name, NUL terminated */
3770Sstevel@tonic-gate 
/*
 * Lazily load the privilege implementation info and allocate the
 * per-set update tables.  Idempotent: a second call returns at once.
 *
 * Builds sets[] as one upper-case letter per privilege set, so that a
 * spec prefix such as "EP" can be resolved with strindex().  Any
 * allocation or lookup failure is fatal.
 */
static void
loadprivinfo(void)
{
	int i;

	if (pri != NULL)
		return;

	if ((pri = getprivimplinfo()) == NULL)
		fatal("getprivimplinfo");

	/* One letter per set plus the terminating NUL. */
	if ((sets = malloc(pri->priv_nsets + 1)) == NULL)
		fatal("malloc");

	for (i = 0; i < pri->priv_nsets; i++) {
		char ch = *priv_getsetbynum(i);

		sets[i] = islower(ch) ? toupper(ch) : ch;
	}
	sets[pri->priv_nsets] = '\0';

	rem = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	add = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	assign = calloc(pri->priv_nsets, sizeof (priv_set_t *));
	if (rem == NULL || add == NULL || assign == NULL)
		fatal("calloc");
}
4090Sstevel@tonic-gate 
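/*
 * Parse one -s argument of the form [EPIL][+-=]priv,priv,... and merge it
 * into the rem/add/assign tables.  Returns 0; every error path exits.
 *
 * The set letters before the operator select the sets (none, or a
 * leading 'a', means all).  '+' unions into add[], '-' stores the
 * inverse in rem[] (applied later by intersection), '=' stores into
 * assign[].  Assign is mutually exclusive with add/remove and with a
 * second assign for the same set.
 *
 * Each selected set gets its own copy of the parsed privileges.  The
 * previous code stored the same priv_set_t pointer in every selected
 * slot, so a later spec that merged into one of those slots (via
 * priv_union/priv_intersect in place) silently changed every set that
 * shared the pointer, e.g. "-s EP+a -s E+b" also added b to P.
 */
static int
parsespec(const char *spec)
{
	char *op;
	const char *letters;
	int count;
	priv_set_t ***toupd;
	priv_set_t *upd;
	int i;

	if (pri == NULL)
		loadprivinfo();

	op = strpbrk(spec, "+-=");

	if (op == NULL || op - spec > pri->priv_nsets)
		badspec(spec);

	if (op[1] == '\0' || (upd = priv_str_to_set(op + 1, ",", NULL)) == NULL)
		badspec(op + 1);

	count = op - spec;
	switch (*op) {
	case '+':
		toupd = &add;
		break;
	case '-':
		toupd = &rem;
		priv_inverse(upd);	/* rem[] is the mask to intersect with */
		break;
	case '=':
		toupd = &assign;
		break;
	default:
		badspec(spec);	/* strpbrk() guarantees one of the three */
		/*NOTREACHED*/
	}

	/* Update all sets? */
	if (count == 0 || *spec == 'a' || *spec == 'A') {
		count = pri->priv_nsets;
		letters = sets;
	} else {
		letters = spec;
	}

	for (i = 0; i < count; i++) {
		int ind = strindex(letters[i], sets);

		if (ind == -1)
			badspec(spec);

		/* Assign is mutually exclusive with add/remove and itself */
		if (((toupd == &rem || toupd == &add) && assign[ind] != NULL) ||
		    (toupd == &assign && (assign[ind] != NULL ||
		    rem[ind] != NULL || add[ind] != NULL))) {
			(void) fprintf(stderr, "%s: conflicting spec: %s\n",
			    command, spec);
			exit(1);
		}

		if ((*toupd)[ind] != NULL) {
			/* Merge into this set's existing request in place. */
			if (*op == '-')
				priv_intersect(upd, (*toupd)[ind]);
			else
				priv_union(upd, (*toupd)[ind]);
		} else {
			/* Private copy per set: see the aliasing note above. */
			priv_set_t *copy = priv_allocset();

			if (copy == NULL)
				fatal("priv_allocset");
			priv_copyset(upd, copy);
			(*toupd)[ind] = copy;
		}
	}

	priv_freeset(upd);
	return (0);
}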
4810Sstevel@tonic-gate 
/*
 * Locate the PRIV_INFO_FLAGS entry in the priv_info area of pr and store
 * its value through flp.  Returns B_TRUE when found.  The walk stops,
 * returning B_FALSE, at the first entry with an implausible size.
 */
static boolean_t
find_flags(prpriv_t *pr, uint32_t *flp)
{
	char *cur = (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr);
	char *end = (char *)pr + PRIV_PRPRIV_SIZE(pr);

	while (cur < end) {
		/* LINTED: alignment */
		priv_info_t *pi = (priv_info_t *)cur;

		if (pi->priv_info_type == PRIV_INFO_FLAGS) {
			/* LINTED: alignment */
			*flp = ((priv_info_uint_t *)cur)->val;
			return (B_TRUE);
		}
		if (pi->priv_info_size > pr->pr_infosize ||
		    pi->priv_info_size <= sizeof (priv_info_t) ||
		    (pi->priv_info_size & 3) != 0)
			return (B_FALSE);
		cur += pi->priv_info_size;
	}
	return (B_FALSE);
}

/*
 * Apply the accumulated -s specs and flag options to the prpriv_t of the
 * target named by arg, in place, ready for Psetpriv().
 *
 * Sets are updated per the rem/add/assign tables.  If any flag option
 * (-D/-N/-P/-x) was given, the current flag word is read from the
 * target's PRIV_INFO_FLAGS entry, modified, and written back as the
 * single priv_info entry; otherwise, or if no flags entry is found
 * (reported on stderr), pr_infosize is zeroed so no info is sent.
 */
static void
privupdate(prpriv_t *pr, const char *arg)
{
	int i;
	uint32_t fl = 0;
	priv_info_uint_t *pii;

	if (sets != NULL) {
		for (i = 0; i < pri->priv_nsets; i++) {
			/* LINTED: alignment */
			priv_set_t *target =
			    (priv_set_t *)&pr->pr_sets[pr->pr_setsize * i];

			if (rem[i] != NULL)
				priv_intersect(rem[i], target);
			if (add[i] != NULL)
				priv_union(add[i], target);
			if (assign[i] != NULL)
				priv_copyset(assign[i], target);
		}
	}

	if (!(Doff || Don || pfexec || xpol)) {
		pr->pr_infosize = 0;
		return;
	}

	if (!find_flags(pr, &fl)) {
		(void) fprintf(stderr,
		    "%s: cannot find privilege flags to set\n", arg);
		pr->pr_infosize = 0;
		return;
	}

	if (Don)
		fl |= PRIV_DEBUG;
	if (Doff)
		fl &= ~PRIV_DEBUG;
	if (pfexec)
		fl |= PRIV_PFEXEC;
	if (xpol)
		fl |= PRIV_XPOLICY;

	/* Replace the whole info area with just the updated flags entry. */
	pr->pr_infosize = sizeof (priv_info_uint_t);
	/* LINTED: alignment */
	pii = (priv_info_uint_t *)((char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
	pii->info.priv_info_size = sizeof (*pii);
	pii->info.priv_info_type = PRIV_INFO_FLAGS;
	pii->val = fl;
}
5490Sstevel@tonic-gate 
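/*
 * Apply the accumulated -s requests for the privilege set named setname
 * to this process.  label is the short name used in diagnostics
 * ("Inheritable", "Limit").  scratch is caller-provided working storage.
 *
 * The current set is read with getppriv(), remove (intersect), add
 * (union) and assign (copy) are applied, and the result written back
 * with setppriv().  A failed getppriv() is fatal: proceeding would write
 * back whatever happened to be in scratch.  A set name unknown to
 * priv_getsetbyname() is fatal too, rather than indexing the tables at -1.
 */
static void
apply_self_set(const char *setname, const char *label, priv_set_t *scratch)
{
	char msg[64];
	int idx = priv_getsetbyname(setname);

	if (idx < 0) {
		(void) fprintf(stderr, "%s: unknown privilege set %s\n",
		    command, setname);
		exit(3);
	}

	if (rem[idx] == NULL && add[idx] == NULL && assign[idx] == NULL)
		return;		/* nothing requested for this set */

	if (getppriv(setname, scratch) != 0) {
		(void) snprintf(msg, sizeof (msg), "getppriv(%s)", label);
		fatal(msg);
	}
	if (rem[idx] != NULL)
		priv_intersect(rem[idx], scratch);
	if (add[idx] != NULL)
		priv_union(add[idx], scratch);
	if (assign[idx] != NULL)
		priv_copyset(assign[idx], scratch);
	if (setppriv(PRIV_SET, setname, scratch) != 0) {
		(void) snprintf(msg, sizeof (msg), "setppriv(%s)", label);
		fatal(msg);
	}
}

/*
 * -e: update this process's own privilege flags and sets before exec.
 *
 * Order: -M and -P flags first (fatal on failure), then the Inheritable
 * and Limit sets from the -s specs, then the PRIV_DEBUG/PRIV_XPOLICY
 * flags.  Only the Inheritable and Limit sets are touched here; the
 * other sets of the exec'd command derive from those.
 */
static void
privupdate_self(void)
{
	if (mac_aware) {
		if (setpflags(NET_MAC_AWARE, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE)");
		if (setpflags(NET_MAC_AWARE_INHERIT, 1) != 0)
			fatal("setpflags(NET_MAC_AWARE_INHERIT)");
	}
	if (pfexec && setpflags(PRIV_PFEXEC, 1) != 0)
		fatal("setpflags(PRIV_PFEXEC)");

	if (sets != NULL) {
		priv_set_t *scratch = priv_allocset();

		if (scratch == NULL)
			fatal("priv_allocset");	/* message previously misspelt */

		apply_self_set(PRIV_INHERITABLE, "Inheritable", scratch);
		apply_self_set(PRIV_LIMIT, "Limit", scratch);
		priv_freeset(scratch);
	}

	if (Doff || Don)
		(void) setpflags(PRIV_DEBUG, Don ? 1 : 0);
	if (xpol)
		(void) setpflags(PRIV_XPOLICY, 1);
	/*
	 * NOTE(review): the two calls above ignore failure, so "-e -x cmd"
	 * can exec cmd without extended policy in effect; PRIV_PFEXEC, by
	 * contrast, is checked (fatal) near the top of this function.
	 * This repeat of the PRIV_PFEXEC call is a no-op when that earlier
	 * call succeeded; it is kept as the original did.
	 */
	if (pfexec)
		(void) setpflags(PRIV_PFEXEC, 1);
}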
6080Sstevel@tonic-gate 
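/*
 * Print privilege name p on its own line; under -v follow it with the
 * privilege's description text, one tab-indented line per line of text.
 *
 * Returns 1 when the description could not be fetched (the name has
 * already been printed at that point), 0 otherwise.
 *
 * The inner variables no longer shadow the parameter p, and a final
 * piece of description text that lacks a trailing newline is printed
 * instead of being dropped.
 */
static int
dopriv(const char *p)
{
	(void) puts(p);
	if (verb) {
		char *text = priv_gettext(p);
		char *line, *nl;

		if (text == NULL)
			return (1);

		for (line = text; (nl = strchr(line, '\n')) != NULL;
		    line = nl + 1) {
			*nl = '\0';
			(void) printf("\t%s\n", line);
		}
		/* Whatever follows the last newline, if anything. */
		if (*line != '\0')
			(void) printf("\t%s\n", line);
		free(text);
	}
	return (0);
}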
6260Sstevel@tonic-gate 
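/*
 * -l: list privilege names (with descriptions under -v, via dopriv()).
 *
 * With no arguments every privilege known to priv_getbynum() is listed.
 * Otherwise each argument is a comma-separated privilege list (as
 * understood by priv_str_to_set()); the members of each list are printed
 * in implementation order.  Returns the number of failures: unparsable
 * lists plus privileges whose description could not be fetched.
 *
 * The parsed set is now freed after use; it was leaked once per argument.
 */
static int
dumppriv(char **argv)
{
	int rc = 0;
	const char *pname;
	int i;

	if (argv[0] == NULL) {
		for (i = 0; (pname = priv_getbynum(i)) != NULL; i++)
			rc += dopriv(pname);
		return (rc);
	}

	for (; *argv != NULL; argv++) {
		priv_set_t *pset = priv_str_to_set(*argv, ",", NULL);

		if (pset == NULL) {
			(void) fprintf(stderr, "%s: %s: bad privilege"
			    " list\n", command, *argv);
			rc++;
			continue;
		}
		for (i = 0; (pname = priv_getbynum(i)) != NULL; i++)
			if (priv_ismember(pset, pname))
				rc += dopriv(pname);
		priv_freeset(pset);
	}
	return (rc);
}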
6540Sstevel@tonic-gate 
/*
 * Process privilege flag bits as found in a PRIV_INFO_FLAGS entry, with
 * the names flags2str() prints for them.  Bits not listed here are shown
 * by flags2str() as a hex remainder.
 */
static struct {
	int flag;
	char *name;
} flags[] = {
	{ PRIV_DEBUG, "PRIV_DEBUG" },
	{ PRIV_AWARE, "PRIV_AWARE" },
	{ PRIV_AWARE_INHERIT, "PRIV_AWARE_INHERIT" },
	{ PRIV_AWARE_RESET, "PRIV_AWARE_RESET" },
	{ PRIV_XPOLICY, "PRIV_XPOLICY" },
	{ PRIV_PFEXEC, "PRIV_PFEXEC" },
	{ NET_MAC_AWARE, "NET_MAC_AWARE" },
	{ NET_MAC_AWARE_INHERIT, "NET_MAC_AWARE_INHERIT" },
};
6680Sstevel@tonic-gate 
/*
 * Print the flag bits in pflags to stdout as a '|'-separated list of the
 * names in flags[], each preceded by a separator (a space for the first,
 * '|' thereafter).  Zero prints " <none>"; any bits with no table entry
 * are printed together as a trailing <0x...> value.  No newline is added.
 */
static void
flags2str(uint_t pflags)
{
	const size_t nflags = sizeof (flags) / sizeof (flags[0]);
	size_t i;
	char sep = ' ';
	uint_t left = pflags;

	if (left == 0) {
		(void) fputs(" <none>", stdout);
		return;
	}

	for (i = 0; i < nflags && left != 0; i++) {
		if ((left & flags[i].flag) == 0)
			continue;
		(void) printf("%c%s", sep, flags[i].name);
		left &= ~flags[i].flag;
		sep = '|';
	}

	if (left != 0)
		(void) printf("%c<0x%x>", sep, left);
}