Drop privileges when running on Solaris

1 files changed, 43 insertions, 0 deletions

diff --git a/solaris_priv.c b/solaris_priv.c
new file mode 100644
index 0000000..c730eb2
--- /dev/null
+++ b/solaris_priv.c
@@ -0,0 +1,43 @@
+#include <stdlib.h>
+#include <priv.h>
+#include <stdio.h>
+
+/*
+ * this section of code will drop all (Solaris) privileges including
+ * those normally granted to all userland process (basic privileges). The
+ * effect of this is that after running this code, the process will not able
+ * to fork(), exec(), etc.  See privileges(5) for more information.
+ */
+void drop_privileges() {
+   priv_set_t *privs = priv_str_to_set("basic", ",", NULL);
+
+   if (privs == NULL) {
+      perror("priv_str_to_set");
+      exit(EXIT_FAILURE);
+   }
+
+   (void)priv_delset(privs, PRIV_FILE_LINK_ANY);
+   (void)priv_delset(privs, PRIV_PROC_EXEC);
+   (void)priv_delset(privs, PRIV_PROC_FORK);
+   (void)priv_delset(privs, PRIV_PROC_INFO);
+   (void)priv_delset(privs, PRIV_PROC_SESSION);
+
+   if (setppriv(PRIV_SET, PRIV_PERMITTED, privs) != 0) {
+      perror("setppriv(PRIV_SET, PRIV_PERMITTED)");
+      exit(EXIT_FAILURE);
+   }
+
+   priv_emptyset(privs);
+
+   if (setppriv(PRIV_SET, PRIV_INHERITABLE, privs) != 0) {
+      perror("setppriv(PRIV_SET, PRIV_INHERITABLE)");
+      exit(EXIT_FAILURE);
+   }
+
+   if (setppriv(PRIV_SET, PRIV_LIMIT, privs) != 0) {
+      perror("setppriv(PRIV_SET, PRIV_LIMIT)");
+      exit(EXIT_FAILURE);
+   }
+
+   priv_freeset(privs);
+}