From Jim.Grisanzio at Sun.COM  Wed May 13 20:17:20 2009
From: Jim.Grisanzio at Sun.COM (Jim Grisanzio)
Date: Thu, 14 May 2009 12:17:20 +0900
Subject: [cpg-discuss] test
Message-ID: <4A0B8D40.1090109@sun.com>

test

From Nicolas.Williams at sun.com  Wed May 13 21:10:36 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 13 May 2009 23:10:36 -0500
Subject: [cpg-discuss] Status
Message-ID: <20090514041036.GL29258@Sun.COM>

I'm currently working on addressing inception review comments about the
system calls.  Next I'll write a blurb about how a Linux keyring API
could be implemented on top of CPGs (and point out that Linux keyrings
are not sufficiently like a process group mechanism, which we need for
audio and other things).  Next I'll work on addressing the comments
about the ARC materials overall.

Then I'll go back to the code.

I will post a new cpg_change(2) manpage soon.

Nico
-- 

From gdamore at opensolaris.org  Wed May 13 21:27:02 2009
From: gdamore at opensolaris.org (Garrett D'Amore)
Date: Wed, 13 May 2009 21:27:02 -0700
Subject: [cpg-discuss] Status
In-Reply-To: <20090514041036.GL29258@Sun.COM>
References: <20090514041036.GL29258@Sun.COM>
Message-ID: <4A0B9D96.4050006@opensolaris.org>

Nicolas Williams wrote:
> I'm currently working on addressing inception review comments about the
> system calls.  Next I'll write a blurb about how a Linux keyring API
> could be implemented on top of CPGs (and point out that Linux keyrings
> are not sufficiently like a process group mechanism, which we need for
> audio and other things).  Next I'll work on addressing the comments
> about the ARC materials overall.
>
> Then I'll go back to the code.
>
> I will post a new cpg_change(2) manpage soon.
>
> Nico
>

Okay, thanks.  I'll be working on this stuff more next week, once I
figure out how best I can help.  Right now I'm working some other side
projects while I catch my breath post-boomer phase I.
:-)

    -- Garrett

From Nicolas.Williams at sun.com  Fri May 22 09:37:46 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Fri, 22 May 2009 11:37:46 -0500
Subject: [cpg-discuss] Update of cpg_change(2) design
Message-ID: <20090522163746.GY29258@Sun.COM>

Below is the cpg_change(2) design tweak that I've been tinkering with.
It addresses comments on atomicity and makes "classes" of CPG types a
first-class concept, among others.  It also makes privileges
configurable per-CPG type and removes any references to
PRIV_PROC_AUDIT.

Comments?

Credentials Process Groups                              CPG_CHANGE(2)

NAME
     cpg_change - Manipulate Credentials Process Groups

SYNOPSIS
     cc [ flag... ] file... -lcpg [ library... ]
     #include

     int cpg_type_reg(const char *name, const char *classes,
          uint32_t semantics, cpg_privs_t *privs);

     int cpg_type_unreg(const char *name);

     int cpg_type_list(char *name, uint32_t *semantics,
          cpg_privs_t *privs, int *more);

     int cpg_reg_door(char *name, int door_fd, int events);

     int cpg_change(pid_t victim, const char *leave,
          const char *join_new, const char *join_existing,
          pid_t like_pid, int flags);

     int cpg_change_byid(pid_t victim, int flags, uint64_t *leave,
          uint64_t *join_new, uint64_t *join_existing);

     int cpg_getid(const char *name, pid_t pid, uint64_t *);

     int cpg_owner(const char *name, pid_t pid, uid_t *uid);

     int cpg_owner_byid(uint64_t cpg_id, uid_t *uid);

     int cpg_chown(const char *name, pid_t pid, uid_t uid);

     int cpg_chown_byid(uint64_t cpg_id, uid_t uid);

     int cpg_getuserdata(const char *name, pid_t pid, char *udata);

     int cpg_setuserdata(const char *name, pid_t pid,
          const char *udata);

     int cpg_getuserdata_byid(uint64_t cpg_id, char *udata);

     int cpg_setuserdata_byid(uint64_t cpg_id, const char *udata);

DESCRIPTION
     Credentials Process Groups (CPGs) allow one to create arbitrary
     process group types.  Each CPG type has a name and a set of
     semantics flags associated with it, and each CPG type may be a
     member of one or more classes of CPG types.
     A process can be in at most one CPG for any given CPG type.

     CPGs are referenced from open file references as well as from
     processes, so that a CPG remains in existence as long as any
     processes are members of it or as long as there exist open file
     references where the file was opened by a process that was a
     member of that CPG.

     There are three types of operations related to CPGs that are
     provided by these system calls: operations on CPG types
     (registration, unregistration, enumeration, ...), operations on
     CPG memberships (join, part a process from a CPG, create a new
     CPG and join a process to it), and operations on CPGs themselves
     (e.g., get/set various data).

SunOS 5.11                Last change: 2009-05-22                    1

     Use cpg_type_reg() to register a new CPG type with the given
     name, in CPG classes, and with semantics.  CPG type names start
     with a lower-case US-ASCII letter and must consist of printable
     US-ASCII characters.  CPG type names are normally allocated by
     Sun, however, names of the form type-name@domainname may be used
     without prior approval from Sun, with a domainname that the
     developer is associated with as the domainname.  The optional
     classes argument is a comma-separated string of CPG type
     classes.  CPG class names start with an upper-case US-ASCII
     letter and consist of printable US-ASCII characters.  Finally,
     the optional privs argument declares a privilege that is
     required for each of various operations on CPGs or on processes'
     CPG memberships; these are described below.

     The special CPG type class "Unclassed" refers to all CPG types
     which are not declared as members of any classes.  Other
     well-known classes are described below.

     cpg_type_reg() may be called multiple times for the same CPG
     type.  Each re-registration simply updates the semantics,
     classes and privs of the CPG type.

     Each zone has its own, independent CPG type and class namespace.

     Use cpg_type_unreg() to unregister a CPG type.
     Unregistering a CPG type causes that CPG type to no longer be
     available for new CPGs.  cpg_type_unreg() does not block; any
     existing CPGs of the given type remain as they are until no
     longer referenced.  However, a CPG type cannot be re-registered
     after being unregistered until all existing CPGs of that type
     empty.

     Use cpg_type_list() to list CPG types.  For the first call set
     *more equal to -1, call it repeatedly until *more equals 0.  If
     no CPG types are registered cpg_type_list() will return 0, set
     *more to 0 and name[0] to '\0'.  The order in which CPG types
     are listed is significant: it reflects the order in which they
     were originally registered.

     Use cpg_reg_door() to register a door in a zone.  The kernel
     will upcall that door to report that a CPG has no more
     references to it from either any process or any open file
     reference.  There can be only one such door per CPG type in any
     given zone.  The upcall will have the following data: a 64-bit
     event ID (see below), followed by a 64-bit CPG ID, followed by
     any user-provided data that may have been associated with that
     CPG (see cpg_setuserdata() below), followed by optional data
     (see below).  The events of interest to the door server are
     listed in the events bitmask argument (see below).  To
     unregister this door simply close the door server file
     descriptor.

     Event IDs for door upcalls include:

     0x0000000000000000
           A new CPG has been created.

     0x0000000000000001
           The user-data of a CPG has been changed.

     0x0000000000000002
           No processes remain that are members of this CPG.

     0x0000000000000003
           No references remain to this CPG from any open files nor
           are any processes members of it.

     0x0000000000000004-0x000000000000FFFF
           Reserved for future allocation.

     all others
           Custom event codes for kernel-land consumers.  Any
           additional door call argument data will be specific to
           the consumer that did the upcall.
           These event codes can be 8-byte US-ASCII strings cast to
           64-bit integers.

     Bits for the events bitmask:

     CPG_EV_CREATE
           If set then CPG creation events are of interest.

     CPG_EV_SETUDATA
           If set then CPG user-data modification events are of
           interest.

     CPG_EV_EMPTY
           If set then CPG emptiness events are of interest.

     CPG_EV_UNREF
           If set then CPG unreferenced events are of interest.

     CPG_EV_CUSTOM
           If set then custom events are of interest.

     The remaining CPG system calls deal with CPG membership and CPG
     attributes.  There are two ways to refer to a CPG: by {CPG type
     name, process ID} and by CPG ID.  CPG IDs are 64-bit unsigned
     integers.

     Use cpg_change() to manage the victim process' CPG memberships
     for the CPG types/classes given by leave, join_new and
     join_existing.  All CPGs of types/classes listed in leave will
     be parted.  New CPGs for all types/classes listed in join_new
     will be joined.  The victim will be joined to the CPGs of
     types/classes listed in join_existing that the like_pid process
     is a member of (or, if it isn't, then the victim will be parted
     from them).  If there is any overlap between the three sets of
     types/classes then join_new takes precedence over join_existing,
     which in turn takes precedence over leave.  The changes are
     atomic -- all happen, or not at all -- unless the
     CPG_F_ALL_PERMITTED flag is used, in which case any requested
     CPG changes which are disallowed will be ignored.

     The leave, join_new and join_existing arguments of cpg_change()
     are comma-separated lists of CPG types and classes, and they are
     optional (at least one must be provided; the others may be
     NULL).

     The cpg_change_byid() system call is just like cpg_change(), but
     instead of selecting CPGs to leave or join, or CPG types for
     which to join new CPGs, by type name, cpg_change_byid() selects
     them by CPG ID.
     CPGs to leave and join are identified by the leave and
     join_existing arguments, which are pointers to an array of CPG
     IDs, terminated by a 0-valued ID.  The types of CPGs for which
     to create and join new ones are identified by the CPG IDs
     referred to by join_new (also a pointer to a zero-terminated
     array of CPG IDs).  The flags argument of cpg_change_byid() has
     the same meaning as for cpg_change().  See below for flags
     descriptions.

     Use cpg_owner() and cpg_owner_byid() to get the UID that owns a
     CPG.

     Use cpg_chown() and cpg_chown_byid() to set the UID that owns a
     CPG.

     Use cpg_setuserdata() and cpg_setuserdata_byid() to associate a
     short character string with a CPG.  This string can be up to
     CPG_MAX_USER_DATA (64) bytes long, including NUL.

     Use cpg_getuserdata() and cpg_getuserdata_byid() to retrieve
     the user data string associated with a CPG.  This system call
     will copy said string to the buffer pointed to by udata, which
     must be at least CPG_MAX_USER_DATA (64) bytes long.  The value
     of CPG_MAX_USER_DATA can be obtained using the
     _SC_CPG_MAX_USER_DATA sysconf(3C).

     The following are pre-defined CPG type classes:

     Login
           Login application processes are placed in new CPGs of
           this class when a user logs in.  See pam_unix_cred(5).

     ControllingDevice
           CPG types of this class are used to track controlling
           device associations of a process, much like controlling
           ttys.  This class should be used for audio devices,
           display devices, etcetera.

     CryptographicCredentials
           CPG types of this class are used to associate
           cryptographic credentials of a user with the user's
           processes.  CPG types of this class should also be
           members of the "Login" CPG type class.

     AuthorizationCookie
           CPG types of this class are used to associate
           non-cryptographic, "cookie"-like user credentials, such
           as X11 display authorization cookie files.

     All
           The "All" class includes all CPG types.
     Unclassed
           All CPG types with unspecified class(es) are in the
           "Unclassed" class.

     The following are the flags accepted by cpg_change():

     CPG_F_ALL_PERMITTED
           If CPG_F_ALL_PERMITTED is set then cpg_change() and
           cpg_change_byid() will skip any CPG types which disallow
           the given operation.  Normally cpg_change() and
           cpg_change_byid() will leave the victim process' CPG
           memberships unchanged if permission would be denied for
           the given operation on one or more of the memberships of
           the given types.

     The CPG type semantics flags are:

     CPG_S_DISTINGUISH_CRED
           Processes with process credentials that differ only with
           respect to membership in CPGs whose semantics include
           this flag will be treated as having distinct process
           credentials by the kernel private function crcmp().  This
           flag should be set for CPG types that are in the
           "CryptographicCredentials" class, if the credentials
           associated with such CPGs can be used by, for example,
           the NFS, CIFS or other clients implemented in the kernel.
           (Some such clients use crcmp() to compare process
           credentials that are associated with client state
           obtained with user cryptographic credentials.)
     The cpg_privs_t typedef is a structure with the following
     fields:

         int cpg_privs_vers;
         priv_t priv_to_create;
         priv_t priv_to_clear;
         priv_t priv_to_leave;
         priv_t priv_to_join;
         priv_t priv_to_getid_by_owner_member;
         priv_t priv_to_getid_by_other_member;
         priv_t priv_to_getid_by_owner;
         priv_t priv_to_getid_by_other;
         priv_t priv_to_getowner_by_owner_member;
         priv_t priv_to_getowner_by_other_member;
         priv_t priv_to_getowner_by_owner;
         priv_t priv_to_getowner_by_other;
         priv_t priv_to_getudata_by_owner_member;
         priv_t priv_to_getudata_by_other_member;
         priv_t priv_to_getudata_by_owner;
         priv_t priv_to_getudata_by_other;
         priv_t priv_to_setowner_by_owner;
         priv_t priv_to_setowner_by_other;
         priv_t priv_to_setudata_by_owner;
         priv_t priv_to_setudata_by_other;

     The cpg_privs_vers field must be set to 1 at this time.

     The priv_to_* fields must be set to "", "all", "zone" or the
     name of a single privilege (see privileges(5)).  If set to ""
     then no additional privileges will be required in order to
     perform the associated operation in the specific context.  If
     set to "all" then all privileges will be required in order to
     perform the associated operation.  If set to "zone" then all
     zone privileges will be required in order to perform the
     associated operation.  If set to the name of a privilege (see
     priv_getbyname(3C)) then that privilege will be required to
     perform the associated operation.  If set to NULL or if privs
     is NULL then a default value will be used.

     The operation and context associated with a given priv_to_*
     field is self-evident from the field names, specifically:

     priv_to_create, priv_to_clear, priv_to_leave, priv_to_join
           These apply to the CPG creation, parting without joining
           another CPG of this type, parting to join another CPG of
           this type, and joining a CPG of this type.  The caller
           must also separately have permission or privilege to
           modify the victim process -- see the PRIV_PROC_OWNER
           privilege in privileges(5).
           Default: "".

     priv_to_get*_by_owner_member
           These apply to the getid, getowner and getudata
           operations on CPGs of this type, by processes that are
           members of the CPG in question and whose effective UID is
           the same as the owner of the CPG in question.

           Default: "".

     priv_to_get*_by_other_member
           These apply to the getid, getowner and getudata
           operations on CPGs of this type, by processes that are
           members of the CPG in question and whose effective UID is
           different from the owner of the CPG in question.

           Default: "zone".

     priv_to_*_by_owner
           These apply to the getid, getowner, getudata, setowner
           and setudata operations on CPGs of this type, by
           processes that are members of the CPG in question and
           whose effective UID is the same as the owner of the CPG
           in question.

           Default: "proc_owner".

     priv_to_*_by_other
           These apply to the getid, getowner, getudata, setowner
           and setudata operations on CPGs of this type, by
           processes that are members of the CPG in question and
           whose effective UID is different from the owner of the
           CPG in question.

           Default: "zone".

RETURN VALUES
     Upon successful completion, 0 is returned.  Otherwise, -1 is
     returned, errno is set to indicate the error, and the file
     times will not be affected.

ERRORS
     The CPG functions will fail if:

     EINVAL
           The given CPG type name has not been registered, the
           given flags or semantics are not recognized.

     ESRCH
           No process exists with the given process ID.

     EFAULT
           One or more of the pointers pointed to illegal addresses.

     ENOENT
           The given CPG does not exist.

     EBADF
           The given file descriptor is invalid or not a door file
           descriptor.

     EPERM
           Permission denied.

     EACCES
           Access denied.

     EEXIST
           The given CPG type existed before, has been unregistered,
           and there still exist CPGs of that type.

NOTES
     The CPG type "krb5" will be registered by the
     svc:/system/cpg/krb5:default service.
     pam_krb5(5) will associate Kerberos V credentials with a login
     process' CPG of type "krb5".

     There can be up to _CONFIG_NCPGROUPS CPG types.  Use sysconf(3C)
     to get the current value of _CONFIG_NCPGROUPS.
     _CONFIG_NCPGROUPS can only be set at boot time by setting
     ncpgroups_max via /etc/system.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Interface Stability         | Uncommitted                 |
    |_____________________________|_____________________________|
    | MT-Level                    | Async-Signal-Safe           |
    |_____________________________|_____________________________|

SEE ALSO
     intro(2), sysconf(3C), system(4), privileges(5),
     pam_unix_cred(5), pam_krb5(5), login(1), su(1), attributes(5)
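As an added illustration of the cpg_change() rules in the draft above (selection by type name, class, "All" or "Unclassed"; the join_new over join_existing over leave precedence; and atomic failure unless CPG_F_ALL_PERMITTED is set), here is a small constructed C model. It is not the proposed implementation or any Sun code: the registry of three hypothetical types ("krb5", "audio", "acme") and the `permitted` flag standing in for the per-type cpg_privs_t check are assumptions.

```c
/* Constructed model of the cpg_change() rules in the draft above; not the proposed cpg(2) code. */
#include <stdint.h>
#include <string.h>
enum { NTYPES = 3, CPG_F_ALL_PERMITTED = 1 };
enum { OP_NONE, OP_LEAVE, OP_JOIN_EXISTING, OP_JOIN_NEW };

/* Hypothetical registry; 'permitted' stands in for the caller passing the type's
 * cpg_privs_t check (priv_to_create/priv_to_join/priv_to_leave). */
static const struct { const char *name, *classes; int permitted; } types[NTYPES] = {
    { "krb5",  "Login,CryptographicCredentials", 1 },
    { "audio", "ControllingDevice",              0 },  /* e.g. priv_to_join = "zone" */
    { "acme",  "",                               1 },  /* no classes: in "Unclassed" */
};

/* Read-only scan: does the comma-separated list (NULL allowed) contain exactly item? */
static int in_list(const char *list, const char *item) {
    size_t n = strlen(item), len;
    for (; list && *list; list += len + (list[len] == ',')) {
        len = strcspn(list, ",");
        if (len == n && strncmp(list, item, n) == 0) return 1;
    }
    return 0;
}

/* Does a leave/join list select type t: by name, by a class, "All", or "Unclassed"? */
static int selects(const char *list, int t) {
    if (in_list(list, types[t].name) || in_list(list, "All")) return 1;
    if (types[t].classes[0] == '\0') return in_list(list, "Unclassed");
    char item[64]; size_t len;                        /* registry class names fit in 64 */
    for (const char *c = types[t].classes; *c; c += len + (c[len] == ',')) {
        len = strcspn(c, ","); memcpy(item, c, len); item[len] = '\0';
        if (in_list(list, item)) return 1;
    }
    return 0;
}

/* Apply one request to member[] (one CPG ID per type, 0 = not a member).  Returns -1 with
 * member[] untouched if a selected type is disallowed and CPG_F_ALL_PERMITTED is not set. */
static int model_cpg_change(uint64_t member[NTYPES], const char *leave,
                            const char *join_new, const char *join_existing,
                            const uint64_t like[NTYPES], int flags, uint64_t *next_id) {
    int op[NTYPES];
    for (int t = 0; t < NTYPES; t++) {                /* resolve first, change nothing yet */
        op[t] = selects(join_new, t) ? OP_JOIN_NEW : selects(join_existing, t) ? OP_JOIN_EXISTING
              : selects(leave, t) ? OP_LEAVE : OP_NONE;   /* precedence from the draft */
        if (op[t] == OP_NONE || types[t].permitted) continue;
        if (!(flags & CPG_F_ALL_PERMITTED)) return -1;    /* atomic: all or nothing */
        op[t] = OP_NONE;                                   /* flag set: skip this type */
    }
    for (int t = 0; t < NTYPES; t++) {                /* then apply every change together */
        if (op[t] == OP_JOIN_NEW) member[t] = (*next_id)++;
        else if (op[t] == OP_JOIN_EXISTING) member[t] = like[t];  /* 0: like_pid not a member */
        else if (op[t] == OP_LEAVE) member[t] = 0;
    }
    return 0;
}
```

The two-pass shape is the point: every permission decision is made before any membership is touched, which is what makes the draft's "all happen, or not at all" guarantee hold when the flag is absent.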