5.5.5. System Call Interfaces

The privilege system defines a number of new system calls. getprivinfo(2) returns a self-describing data structure that contains the parameters of the privilege implementation on the currently running kernel. These parameters include the number of privilege sets, the names of the privilege sets, the size of each privilege set, the names of all privileges, and other systemwide information. The privilege set size is specified in units of priv_chunk_t, and the virtual privilege state definition looks like this:

    priv_chunk_t privs[info.priv_nsets][info.priv_setsize]

Even though additional privileges can be allocated later, the data structure returned has a fixed size. That way, it can be kept at the same location by libc, thus obviating the need for locking out accesses to those parts of the structure that are fixed by the implementation, that is, all characteristics of the implementation except for the number of privileges and the names of the privileges added later.

The system include file <sys/priv.h> defines the main data structures used. The priv_impl_info object can be extended by one or more objects, each with a priv_info header that contains its type and size. The basic type used throughout is uint32_t, which is a convenient type with the same size in each compilation environment. This approach relieves the implementation of most of the 32- and 64-bit conversion chores.

    typedef struct priv_impl_info {
            uint32_t        priv_headersize;        /* sizeof (priv_impl_info) */
            uint32_t        priv_flags;             /* additional flags */
            uint32_t        priv_nsets;             /* number of priv sets */
            uint32_t        priv_setsize;           /* size in priv_chunk_t */
            uint32_t        priv_max;               /* highest actual valid priv */
            uint32_t        priv_infosize;          /* Per proc. additional info */
            uint32_t        priv_globalinfosize;    /* Per system info */
    } priv_impl_info_t;

    /*
     * Header of the privilege info data structure; multiple structures can
     * follow the privilege sets and priv_impl_info structures.
     */
    typedef struct priv_info {
            uint32_t        priv_info_type;
            uint32_t        priv_info_size;
    } priv_info_t;

    typedef struct priv_info_uint {
            priv_info_t     info;
            uint_t          val;
    } priv_info_uint_t;

    /*
     * Global privilege set information item; the actual size of the array is
     * {priv_setsize}.
     */
    typedef struct priv_info_set {
            priv_info_t     info;
            priv_chunk_t    set[1];
    } priv_info_set_t;

    /*
     * names[1] is a placeholder which can contain multiple NUL terminated,
     * non-empty strings.
     */
    typedef struct priv_info_names {
            priv_info_t     info;
            int             cnt;            /* number of strings */
            char            names[1];       /* "string1\0string2\0 ..stringN\0" */
    } priv_info_names_t;

    /*
     * Privilege information types.
     */
    #define PRIV_INFO_SETNAMES      0x0001
    #define PRIV_INFO_PRIVNAMES     0x0002
    #define PRIV_INFO_BASICPRIVS    0x0003
    #define PRIV_INFO_FLAGS         0x0004

The system calls setppriv(2) and getppriv(2) allow a process to change and inspect its privilege sets. The system calls setpflags(2) and getpflags(2) allow a process to change and inspect the process flags such as pas and db.

The system call modctl() is extended with a number of subcodes to allow the device configuration command devfsadm(1m) to install the device policy and to allow the allocation of additional privileges. It, too, is subject to escalation-of-privilege prevention in that only processes with all privileges asserted can change the device policy.
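The self-describing layout above is easiest to understand by walking it. The following added example (not code from Solaris or from this chapter) mirrors the priv_impl_info, priv_info and priv_info_names layouts, builds a constructed sample buffer in the shape getprivinfo(2) would return (set names and a handful of privilege names, with a constructed priv_setsize of two chunks), and then parses it back. Two things are worth seeing in code: the per-item priv_info_size is what lets a consumer skip items it does not understand, and a name's position in the PRIV_INFO_PRIVNAMES item is its privilege number, so a name lookup is a walk over NUL-separated strings bounded by that item size. The walker refuses to step past the buffer on a malformed size rather than trusting the header blindly. The helper names (sample_priv_info, priv_name_index, priv_state_bytes) are this example's own, not part of libc or <sys/priv.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the <sys/priv.h> layouts quoted in the text, so the
 * example compiles stand-alone; on Solaris you would include the real header. */
typedef uint32_t priv_chunk_t;

typedef struct priv_impl_info {
    uint32_t priv_headersize;     /* sizeof (priv_impl_info) */
    uint32_t priv_flags;
    uint32_t priv_nsets;          /* number of priv sets */
    uint32_t priv_setsize;        /* size of a set in priv_chunk_t */
    uint32_t priv_max;            /* highest valid privilege number */
    uint32_t priv_infosize;
    uint32_t priv_globalinfosize; /* bytes of priv_info items that follow */
} priv_impl_info_t;

typedef struct priv_info { uint32_t priv_info_type; uint32_t priv_info_size; } priv_info_t;
typedef struct priv_info_names { priv_info_t info; int cnt; char names[1]; } priv_info_names_t;

#define PRIV_INFO_SETNAMES  0x0001
#define PRIV_INFO_PRIVNAMES 0x0002

static size_t round4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Append one priv_info_names item at buf and return its padded size. */
static size_t put_names(unsigned char *buf, uint32_t type,
                        const char *const *names, int cnt)
{
    size_t strbytes = 0;
    for (int i = 0; i < cnt; i++) strbytes += strlen(names[i]) + 1;
    size_t total = round4(offsetof(priv_info_names_t, names) + strbytes);
    priv_info_names_t *item = (priv_info_names_t *)buf;
    memset(buf, 0, total);
    item->info.priv_info_type = type;
    item->info.priv_info_size = (uint32_t)total;
    item->cnt = cnt;
    char *p = (char *)item + offsetof(priv_info_names_t, names);
    for (int i = 0; i < cnt; i++) {           /* "s1\0s2\0...sN\0" packing */
        size_t len = strlen(names[i]) + 1;
        memcpy(p, names[i], len);
        p += len;
    }
    return total;
}

static uint32_t storage[256];  /* 4-byte aligned backing store for the sample */

/* Constructed stand-in for what getprivinfo(2) returns: header + two name items. */
const priv_impl_info_t *sample_priv_info(void)
{
    static const char *const setnames[]  = {"Effective", "Inheritable", "Permitted", "Limit"};
    static const char *const privnames[] = {"file_dac_read", "proc_exec", "proc_fork", "sys_admin"};
    unsigned char *buf = (unsigned char *)storage;
    priv_impl_info_t *pii = (priv_impl_info_t *)buf;
    memset(storage, 0, sizeof storage);
    pii->priv_headersize = sizeof(priv_impl_info_t);
    pii->priv_nsets = 4;
    pii->priv_setsize = 2;  /* two 32-bit chunks: room for 64 privileges (constructed) */
    pii->priv_max = 3;
    size_t off = sizeof(priv_impl_info_t);
    off += put_names(buf + off, PRIV_INFO_SETNAMES, setnames, 4);
    off += put_names(buf + off, PRIV_INFO_PRIVNAMES, privnames, 4);
    pii->priv_globalinfosize = (uint32_t)(off - sizeof(priv_impl_info_t));
    return pii;
}

/* Bytes needed for the virtual privilege state privs[nsets][setsize]. */
size_t priv_state_bytes(const priv_impl_info_t *pii)
{
    return (size_t)pii->priv_nsets * pii->priv_setsize * sizeof(priv_chunk_t);
}

/* Walk the items after the header, skipping by priv_info_size; NULL if absent
 * or if a size would run past priv_globalinfosize (malformed input). */
static const priv_info_names_t *find_item(const priv_impl_info_t *pii, uint32_t type)
{
    const unsigned char *p = (const unsigned char *)pii + pii->priv_headersize;
    const unsigned char *end = p + pii->priv_globalinfosize;
    while (p + sizeof(priv_info_t) <= end) {
        const priv_info_t *h = (const priv_info_t *)p;
        if (h->priv_info_size < sizeof(priv_info_t) || p + h->priv_info_size > end)
            return NULL;
        if (h->priv_info_type == type) return (const priv_info_names_t *)h;
        p += h->priv_info_size;
    }
    return NULL;
}

/* Index of name within the given names item (a privilege's number for
 * PRIV_INFO_PRIVNAMES, a set's number for PRIV_INFO_SETNAMES), or -1. */
int priv_name_index(const priv_impl_info_t *pii, uint32_t type, const char *name)
{
    const priv_info_names_t *item = find_item(pii, type);
    if (item == NULL) return -1;
    const char *s = (const char *)item + offsetof(priv_info_names_t, names);
    const char *end = (const char *)item + item->info.priv_info_size;
    for (int i = 0; i < item->cnt && s < end; i++) {
        const char *nul = memchr(s, '\0', (size_t)(end - s));
        if (nul == NULL || nul == s) return -1;  /* unterminated or empty string */
        if (strcmp(s, name) == 0) return i;
        s = nul + 1;
    }
    return -1;
}

int main(void)
{
    const priv_impl_info_t *pii = sample_priv_info();
    printf("state bytes: %zu\n", priv_state_bytes(pii));
    printf("proc_fork is privilege #%d\n", priv_name_index(pii, PRIV_INFO_PRIVNAMES, "proc_fork"));
    return 0;
}
```

The same walk generalizes to the other item types: a PRIV_INFO_BASICPRIVS item is a priv_info_set whose chunk array is priv_setsize long, and an unknown type is simply skipped by its size, which is what makes the structure extensible without breaking older consumers.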