kern: adopt the cr_gid macro for cr_groups[0] more widely

A future change may split cr_gid out of cr_groups[0] so that there's a
cleaner separation between the supplemental groups and the effective

kern: adopt the cr_gid macro for cr_groups[0] more widely

A future change may split cr_gid out of cr_groups[0] so that there's a
cleaner separation between the supplemental groups and the effective
group. Do the mechanical conversion where we can, and drop some
comments where we need further work because some assumptions about
cr_gid == cr_groups[0] have been made.

This should not be a functional change, but downstreams and other
out-of-tree code are advised to investigate their usage of cr_groups
sooner rather than later, as a future change will render assumptions
about these two being equivalent harmful.

Reviewed by: asomers, kib, olce
Differential Revision: https://reviews.freebsd.org/D51153

show more ...

kern_prot: extract code to check that active ids are superset of obj ids

Export it as a helper cr_xids_subset().

Reviewed by: markj
Sponsored by: NVidia networking
Differential revision: https://re

kern_prot: extract code to check that active ids are superset of obj ids

Export it as a helper cr_xids_subset().

Reviewed by: markj
Sponsored by: NVidia networking
Differential revision: https://reviews.freebsd.org/D50653

show more ...

cred: fix struct credbatch to use long for refcount

This structure collects count from multiple cred structures. Of course it
can't use a smaller type.

PR: 283747
Reviewed by: olce, mjg, markj

cred: fix struct credbatch to use long for refcount

This structure collects count from multiple cred structures. Of course it
can't use a smaller type.

PR: 283747
Reviewed by: olce, mjg, markj
Differential Revision: https://reviews.freebsd.org/D49562
Fixes: 37337709d3334f32650ba3a7c529fa013ed5e1f2

show more ...

proc_set_cred(): Fix compilation of GENERIC-NODEBUG

Approved by: mark (mentor)
Fixes: d2be7ed63aff ("cred: proc_set_cred(), proc_unset_cred(): Update user's process count")

New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs

New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them. It
could be started and ended by a special system call. Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often. It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves. The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible. MAC/do is
going to leverage these in a subsequent commit. A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).

Reviewed by: brooks
Approved by: markj (mentor)
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47618

show more ...

cred: proc_set_cred(), proc_unset_cred(): Update user's process count

As a process really changes credentials at the moment proc_set_cred() or
proc_unset_cred() is called, these functions are the pr

cred: proc_set_cred(), proc_unset_cred(): Update user's process count

As a process really changes credentials at the moment proc_set_cred() or
proc_unset_cred() is called, these functions are the proper locations to
perform the update of the new and old real users' process count (using
chgproccnt()).

Before this change, change_ruid() instead would perform that update,
although it operates only on a passed credential which is a priori not
tied to the calling process (or not to any process at all). This was
arguably a flaw of commit b1fc0ec1a7a49ded, r77183, based on its commit
message, and in particular the portion "(...) In each case, the call now
acts on a credential not a process (...)".

Fixing this makes using change_ruid() more natural when building
candidate credentials that in the end are not applied to a process,
e.g., because of some intervening privilege check. Also, it removes
a hack around this unwanted process count change in unionfs.

We also introduce the new proc_set_cred_enforce_proc_lim() so that
callers can respect the per-user process limit, and will use it for the
upcoming setcred(). We plan to change all callers of proc_set_cred() to
call this new function instead at some point. In the meantime, both
proc_set_cred() and the new function will coexist.

As detailed in some proc_set_cred_enforce_proc_lim()'s comment, checking
against the process limit is currently flawed as the kernel doesn't
really maintain the number of processes per UID (besides RLIMIT_NPROC,
this in fact also applies to RLIMIT_KQUEUES, RLIMIT_NPTS, RLIMIT_SBSIZE
and RLIMIT_SWAP). The applied limit is currently that of the old real
UID. Root (or a process granted with PRIV_PROC_LIMIT) is not subject to
this limit.

Approved by: markj (mentor)
Fixes: b1fc0ec1a7a49ded
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46923

show more ...

cred: proc_set_cred(): Remove obsolete comments

These have been obsoleted since they were first written (in commit
"cred: add proc_set_cred helper", daf63fd2f9a8d040, r280130) by some
subsequent com

cred: proc_set_cred(): Remove obsolete comments

These have been obsoleted since they were first written (in commit
"cred: add proc_set_cred helper", daf63fd2f9a8d040, r280130) by some
subsequent commits ("proc: refactor clearing credentials into
proc_unset_cred", 5a90435ccfed8e1e, r361448; "cred: distribute reference
count per thread", 1724c563e62fa800, r361993).

No functional change.

Approved by: markj (mentor)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46922

show more ...

cred: crget(): Compute initial 'cr_agroups' with nitems()

No functional change (intended).

Reviewed by: mhorne, emaste
Approved by: markj (mentor)
MFC after: 5 days
Sponsored by: The F

cred: crget(): Compute initial 'cr_agroups' with nitems()

No functional change (intended).

Reviewed by: mhorne, emaste
Approved by: markj (mentor)
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46910

show more ...

cred: crsetgroups(): Throw away old groups before crextend()

Now that crextend() asserts that groups are not set (rightfully so,
since it may change the backing storage without copying the content o

cred: crsetgroups(): Throw away old groups before crextend()

Now that crextend() asserts that groups are not set (rightfully so,
since it may change the backing storage without copying the content of
the old one), have crsetgroups() throw away the old groups before
calling it, as it installs an entirely new set anyway.

This allows to reuse unshared credentials by resetting their groups set,
as NFS exports actually do.

Reported by: cy
Tested by: cy
Fixes: ea26c0e79752 ("cred: crextend(): Harden, simplify")
Pointy hat to: olce

While here, as I forgot these credits in commit 77d652b4b472 ("nfs:
Fallback to GID_NOGROUP on no groups"):
Tested by: cy, David Wolfskill (panics caused by mountd(8))
Tested by: kib (MINIMAL/custom kernel compile breakup)

show more ...

cred: groupmember(): Remove tolerance for empty 'cr_groups'

This tolerance had been introduced in commit caa309c8811d ("nfsd: Fix
handling of credentials with cr_ngroups == 0", on 2024/10/21).

Now

cred: groupmember(): Remove tolerance for empty 'cr_groups'

This tolerance had been introduced in commit caa309c8811d ("nfsd: Fix
handling of credentials with cr_ngroups == 0", on 2024/10/21).

Now that NFS has been modified in the previous commit (cfbe7a62dc62,
"nfs, rpc: Ensure kernel credentials have at least one group") to rule
out credentials with empty 'cr_groups' (and thus, no 'cr_gid'), remove
it back.

This basically reverts the above-mentioned commit except for the not
directly related modifications it contains, which are still valid.

Discussed with: rmacklem (by mail)
Approved by: markj (mentor)
MFC after: 3 days

show more ...

cred: New crsetgroups_fallback()

Similar to crsetgroups(), but allows an empty group array in input,
treating it like a one-element array containing the passed fallback
group.

Approved by: markj

cred: New crsetgroups_fallback()

Similar to crsetgroups(), but allows an empty group array in input,
treating it like a one-element array containing the passed fallback
group.

Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46917

show more ...

cred: crextend(): Harden, simplify

Harden by adding more assertions, and a plain panic in case of an
unrepresentable size for the groups array (this can never happen after
the change of the 'kern.ng

cred: crextend(): Harden, simplify

Harden by adding more assertions, and a plain panic in case of an
unrepresentable size for the groups array (this can never happen after
the change of the 'kern.ngroups' computation to impose some not too high
maximum value a few commits ago). Fix an impact in kern_setgroups().

Simplify by removing the iterative process whose purpose is actually to
determine the closest power of two that is greater than the wanted
number of bytes. Using the proper target quantity (number of bytes)
incidentally helps with eliminating divisions (and the reliance on
sizeof(gid_t) being a power of two).

Reviewed by: mhorne (older version)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46915

show more ...

cred: groupmember() and co.: Sanity check cred's groups (INVARIANTS)

Leverage the normalization check functions introduced in the previous
commit in all public-facing groups search functions to catc

cred: groupmember() and co.: Sanity check cred's groups (INVARIANTS)

Leverage the normalization check functions introduced in the previous
commit in all public-facing groups search functions to catch programming
errors early.

Approved by: markj (mentor)
MFC after: 3 days

show more ...

cred: crsetgroups(): Improve and factor out groups normalization

The groups array has been sorted (not including the first element, which
is always the effective GID) to enable performing a binary s

cred: crsetgroups(): Improve and factor out groups normalization

The groups array has been sorted (not including the first element, which
is always the effective GID) to enable performing a binary search for
determining if some group is part of the supplementary groups set.

Factor out this sorting operation into an internal normalization
function (groups_normalize()), adding to it the removal of duplicates
after the sort.

Separating groups normalization code allows to perform it in advance,
and in particular before calling MAC hooks which need the groups array
to be sorted to perform better. This also enables sorting input arrays
ahead of acquiring the process lock (which is not necessary for this
operation).

kern_setgroups() has been changed accordingly, so MAC modules
implementing the mac_cred_check_setgroups() hook now can assume
a normalized groups array (and also that it has at least one element, as
if kern_setgroups() is passed no groups, the hook is called with an
array of one element being the current effective GID, as this is
effectively the effect of such a call to kern_setgroups()). Further
commits introducing the setcred() system call and associated MAC hooks
will also guarantee a normalized groups array to MAC modules
implementing these hooks.

Rename crsetgroups_locked() into crsetgroups_internal(), as it is no
more "locked" than crsetgroups() itself. However, it can be called
under any lock (as needed), whereas the second may sleep to allocate
memory. Update their herald comments to make that explicit.

In passing, using qsort() instead of the old open-coded insertion sort
(in crsetgroups_locked()) fixes the performance concern about the latter
when using a large number of groups. Also, our qsort() falls back to
insertion sort for small arrays and in case the array is likely to be
mostly sorted, so this shouldn't cause concerns for the small number of
groups common case.

While here, add assertions in inner modification routines to check that
the passed credentials object has a reference count of exactly 1 (in
particular, it must not be shared). Remove a redundant one from some
outer routine.

Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46914

show more ...

cred: kern_setgroups(): Internally use int as number of groups' type

sys_setgroups() (and sys_getgroups()) was changed in commit "kern: fail
getgroup and setgroup with negative int" (4bc2174a1b48) t

cred: kern_setgroups(): Internally use int as number of groups' type

sys_setgroups() (and sys_getgroups()) was changed in commit "kern: fail
getgroup and setgroup with negative int" (4bc2174a1b48) to take the
number of groups as an 'int' (for sys_getgroups(), POSIX mandates this
change; for sys_setgroups(), which it does not standardize, it's
arguably for consistency).

All our internal APIs related to groups on 'struct ucred', as well as
related members on the latter, treat that number as an 'int' as well
(and not a 'u_int').

Consequently, to avoid surprises, change kern_setgroups() to behave the
same, and fix audit_arg_groupset() accordingly. With that change,
everything is handled with signed integers internally.

Update sanity checks accordingly.

Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46912

show more ...

cred: Separate constant for the number of inlined groups

CRED_SMALLGROUPS_NB now holds the number of inlined groups in field
'cr_smallgroups'. XU_NGROUPS stays the number of groups allowed in
'stru

cred: Separate constant for the number of inlined groups

CRED_SMALLGROUPS_NB now holds the number of inlined groups in field
'cr_smallgroups'. XU_NGROUPS stays the number of groups allowed in
'struct xucred'. The first is an implementation detail, while the
second is part of a public interface. All mentions of XU_NGROUPS in the
tree have been reviewed and only those concerning the implementation
detail have been changed to use CRED_SMALLGROUPS_NB (they were all in
'kern_prot.c').

No functional change, as CRED_SMALLGROUPS_NB is set to 16, the same
value as XU_NGROUPS.

Reviewed by: mhorne (slightly different version)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46911

show more ...

cred: Make group_is_supplementary() public; New group_is_primary()

Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D4

cred: Make group_is_supplementary() public; New group_is_primary()

Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46908

show more ...

cred: group_is_supplementary(): Use bsearch()

This makes that function use a more efficient version of binary search
instead, and removes one more hand-rolled binary search code from the
tree (and t

cred: group_is_supplementary(): Use bsearch()

This makes that function use a more efficient version of binary search
instead, and removes one more hand-rolled binary search code from the
tree (and the kernel binary).

Reviewed by: mhorne, emaste
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46907

show more ...

cred: Constify signature of groupmember() and realgroupmember()

Reviewed by emaste
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D47343

cred: supplementary_group_member() => group_is_supplementary()

The new name seems more immediately descriptive.

While here, constify its signature ('struct ucred' isn't modified).

While here, repl

cred: supplementary_group_member() => group_is_supplementary()

The new name seems more immediately descriptive.

While here, constify its signature ('struct ucred' isn't modified).

While here, replace "supplemental" => "supplementary" in some comments.

No functional change (intended).

Reviewed by: mhorne, emaste
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46906

show more ...

nfsd: Fix handling of credentials with cr_ngroups == 0

There has been a documented case in the exports(5) man
page forever, which specifies that the -maproot or -mapall
may have a single user entry,

nfsd: Fix handling of credentials with cr_ngroups == 0

There has been a documented case in the exports(5) man
page forever, which specifies that the -maproot or -mapall
may have a single user entry, followed by a ':'.
This case is defined as specifying no groups (aka cr_ngroups == 0).

This patch fixes the NFS server so that it handles this case correctly.

After MFC'ng this patch to stable/13 and stable/14, I propose that
this unusual case be deprecated and no longer allowed in FreeBSD15.
At that point, this patch can be reverted.

Reviewed by: brooks
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D47204

show more ...

Reduce reliance on sys/sysproto.h pollution

Add sys/errno.h, sys/malloc.h, sys/queue.h, and vm/uma.h as needed.

sys/sysproto.h currently includes sys/acl.h which currently includes
sys/param.h, sys

Reduce reliance on sys/sysproto.h pollution

Add sys/errno.h, sys/malloc.h, sys/queue.h, and vm/uma.h as needed.

sys/sysproto.h currently includes sys/acl.h which currently includes
sys/param.h, sys/queue.h, and vm/uma.h which in turn bring in
sys/errno.h sys/malloc.h.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44465

show more ...

cr_bsd_visible(): Style fixes

Explicitly test for non-zero return codes.

Separate assignment and testing of 'error' in distinct lines.

Reviewed by: emaste, kib
Approved by: e

cr_bsd_visible(): Style fixes

Explicitly test for non-zero return codes.

Separate assignment and testing of 'error' in distinct lines.

Reviewed by: emaste, kib
Approved by: emaste (mentor)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43335

show more ...

sys: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl s

sys: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

show more ...

Open-code proc_set_cred_init()

This function is to be called only when initializing a new process (so,
'proc0' and at fork), and not in any other circumstances. Setting the
process' 'p_ucred' field

Open-code proc_set_cred_init()

This function is to be called only when initializing a new process (so,
'proc0' and at fork), and not in any other circumstances. Setting the
process' 'p_ucred' field to the result of crcowget() on the original
credentials is the only thing it does, hiding the fact that the process'
'p_ucred' field is crushed by the call. Moreover, most of the code it
executes is already encapsulated in crcowget().

To prevent misuse and improve code readability, just remove this
function and replace it with a direct assignment to 'p_ucred'.

Reviewed by: markj (earlier version), kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42255

show more ...