root/src/dps8/dps8_priv.c

/* [previous][next][first][last][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. sunos_obtain_realtime_privileges
   1 /*
   2  * vim: filetype=c:tabstop=2:ai:expandtab
   3  * SPDX-License-Identifier: ICU
   4  * scspell-id: e86a7296-0066-11f0-aebb-80ee73e9b8e7
   5  *
   6  * ---------------------------------------------------------------------------
   7  *
   8  * Copyright (c) 2025 Jeffrey H. Johnson
   9  * Copyright (c) 2025 The DPS8M Development Team
  10  *
  11  * This software is made available under the terms of the ICU License.
  12  * See the LICENSE.md file at the top-level directory of this distribution.
  13  *
  14  * ---------------------------------------------------------------------------
  15  */
  16 
  17 /*
  18  * Security and privilege stuff
  19  *
  20  * Supported: SunOS (Solaris, illumos) only.
  21  *
  22  * sunos_obtain_realtime_privileges - On SunOS, tries to obtain privileges
  23  *     needed for real-time operations.  This requires privileges itself,
  24  *     so the binary should be made setuid root.  After privileges are
  25  *     obtained, all unnecessary privileges are dropped.  This should be
  26  *     called early from main so superuser privileges are given up quickly.
  27  *
  28  * Potentially we can extend these functions to support other systems.
  29  *
  30  * Linux with Landlock is a possible candidate, although Landlock support
  31  * is not enabled by default in any of the mainstream Linux distributions.
  32  *
  33  * NOTE: Not using libsir logging because this happens before sir_init!
  34  */
  35 
  36 #if defined(__sun) || defined(__illumos__)
  37 # include <errno.h>
  38 # include <priv.h>
  39 # include <stdbool.h>
  40 # include <stdint.h>
  41 # include <stdio.h>
  42 # include <stdlib.h>
  43 # include <string.h>
  44 # include <unistd.h>
  45 #endif
  46 
  47 /* SCP xstrerror_l */
  48 #if defined(NO_LOCALE)
  49 # define xstrerror_l strerror
  50 #else
  51 extern const char *xstrerror_l(int errnum);
  52 #endif
  53 
  54 /* sunos_obtain_realtime_privileges: try to obtain RT privileges */
  55 void
  56 sunos_obtain_realtime_privileges(void)
     /* [previous][next][first][last][top][bottom][index][help] */
  57 {
  58 #if defined(__sun) || defined(__illumos__)
  59   uid_t ruid = getuid();
  60 
  61   priv_set_t *basic = NULL;
  62   priv_set_t *desired = NULL;
  63 
  64   basic = priv_allocset();
  65   desired = priv_allocset();
  66 
  67   if (NULL != basic && NULL != desired) {
  68     priv_basicset(basic);
  69     priv_copyset(basic, desired);
  70 
  71     const char *wanted_privs[] = {
  72       PRIV_PROC_LOCK_MEMORY,
  73       PRIV_PROC_PRIOCNTL
  74     };
  75 
  76     for (size_t i = 0; i < sizeof(wanted_privs) / sizeof(wanted_privs[0]); i++) {
  77       if (-1 == priv_addset(desired, wanted_privs[i])) {
  78 # if defined(TESTING)
  79         (void)fprintf(stderr, "Unable to request %s: %s\r\n",
  80                       wanted_privs[i], xstrerror_l(errno));
  81 # else
  82         (void)desired; /*LINT*/
  83 # endif
  84       }
  85     }
  86 
  87 # if defined(TESTING)
  88     bool warn_changed = false;
  89 # endif
  90     if (-1 == setppriv(PRIV_SET, PRIV_PERMITTED, desired)) {
  91 # if defined(TESTING)
  92       (void)fprintf(stderr, "Unable to change permitted privilege set: %s\r\n",
  93                     xstrerror_l(errno));
  94       warn_changed = true;
  95 # else
  96       (void)desired; /*LINT*/
  97 # endif
  98     }
  99 
 100     if (-1 == setppriv(PRIV_SET, PRIV_INHERITABLE, desired)) {
 101 # if defined(TESTING)
 102       if (false == warn_changed) {
 103         (void)fprintf(stderr, "Unable to change inheritable privilege set: %s\r\n",
 104                       xstrerror_l(errno));
 105       }
 106 # else
 107       (void)desired; /*LINT*/
 108 # endif
 109     }
 110   }
 111 # if defined(TESTING)
 112   else {
 113     (void)fprintf(stderr, "Failed to allocate memory for privilege sets.\r\n");
 114   }
 115 # endif
 116 
 117   if (-1 == seteuid(ruid)) {
 118     (void)fprintf(stderr, "Unable to drop privileges from UID %d: %s\r\n",
 119                   geteuid(), xstrerror_l(errno));
 120     exit(EXIT_FAILURE);
 121   }
 122 
 123   if (NULL != basic && -1 == setppriv(PRIV_SET, PRIV_INHERITABLE, basic)) {
 124     (void)fprintf(stderr, "Unable to change inheritable privilege set: %s\r\n",
 125                   xstrerror_l(errno));
 126     priv_freeset(basic);
 127     priv_freeset(desired);
 128     exit(EXIT_FAILURE);
 129   }
 130 
 131   if (NULL != basic) {
 132     priv_freeset(basic);
 133   }
 134 
 135   if (NULL != desired) {
 136     priv_freeset(desired);
 137   }
 138 #else
 139   /* Not SunOS (Solaris, illumos): do nothing */
 140 #endif
 141 }
/* [previous][next][first][last][top][bottom][index][help] */