1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5 * The Regents of the University of California.
6 * (c) UNIX System Laboratories, Inc.
7 * Copyright (c) 2000-2001 Robert N. M. Watson.
8 * All rights reserved.
9 *
10 * All or some portions of this file are derived from material licensed
11 * to the University of California by American Telephone and Telegraph
12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
13 * the permission of UNIX System Laboratories, Inc.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 */
39
40 /*
41 * System calls related to processes and protection
42 */
43
44 #include <sys/cdefs.h>
45 #include "opt_inet.h"
46 #include "opt_inet6.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/abi_compat.h>
51 #include <sys/acct.h>
52 #include <sys/kdb.h>
53 #include <sys/kernel.h>
54 #include <sys/libkern.h>
55 #include <sys/lock.h>
56 #include <sys/loginclass.h>
57 #include <sys/malloc.h>
58 #include <sys/mutex.h>
59 #include <sys/ptrace.h>
60 #include <sys/refcount.h>
61 #include <sys/sx.h>
62 #include <sys/priv.h>
63 #include <sys/proc.h>
64 #ifdef COMPAT_43
65 #include <sys/sysent.h>
66 #endif
67 #include <sys/sysproto.h>
68 #include <sys/jail.h>
69 #include <sys/racct.h>
70 #include <sys/rctl.h>
71 #include <sys/resourcevar.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/syscallsubr.h>
75 #include <sys/sysctl.h>
76
77 #ifdef MAC
78 #include <security/mac/mac_syscalls.h>
79 #endif
80
81 #include <vm/uma.h>
82
83 #ifdef REGRESSION
84 FEATURE(regression,
85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
86 #endif
87
88 #include <security/audit/audit.h>
89 #include <security/mac/mac_framework.h>
90
91 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
92
93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
94 "BSD security policy");
95
96 static void crfree_final(struct ucred *cr);
97
98 static inline void
groups_check_positive_len(int ngrp)99 groups_check_positive_len(int ngrp)
100 {
101 MPASS2(ngrp >= 0, "negative number of groups");
102 }
103 static inline void
groups_check_max_len(int ngrp)104 groups_check_max_len(int ngrp)
105 {
106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups");
107 }
108
109 static void groups_normalize(int *ngrp, gid_t *groups);
110 static void crsetgroups_internal(struct ucred *cr, int ngrp,
111 const gid_t *groups);
112
113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2);
116
117 #ifndef _SYS_SYSPROTO_H_
118 struct getpid_args {
119 int dummy;
120 };
121 #endif
122 /* ARGSUSED */
123 int
sys_getpid(struct thread * td,struct getpid_args * uap)124 sys_getpid(struct thread *td, struct getpid_args *uap)
125 {
126 struct proc *p = td->td_proc;
127
128 td->td_retval[0] = p->p_pid;
129 #if defined(COMPAT_43)
130 if (SV_PROC_FLAG(p, SV_AOUT))
131 td->td_retval[1] = kern_getppid(td);
132 #endif
133 return (0);
134 }
135
136 #ifndef _SYS_SYSPROTO_H_
137 struct getppid_args {
138 int dummy;
139 };
140 #endif
141 /* ARGSUSED */
142 int
sys_getppid(struct thread * td,struct getppid_args * uap)143 sys_getppid(struct thread *td, struct getppid_args *uap)
144 {
145
146 td->td_retval[0] = kern_getppid(td);
147 return (0);
148 }
149
150 int
kern_getppid(struct thread * td)151 kern_getppid(struct thread *td)
152 {
153 struct proc *p = td->td_proc;
154
155 return (p->p_oppid);
156 }
157
158 /*
159 * Get process group ID; note that POSIX getpgrp takes no parameter.
160 */
161 #ifndef _SYS_SYSPROTO_H_
162 struct getpgrp_args {
163 int dummy;
164 };
165 #endif
166 int
sys_getpgrp(struct thread * td,struct getpgrp_args * uap)167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
168 {
169 struct proc *p = td->td_proc;
170
171 PROC_LOCK(p);
172 td->td_retval[0] = p->p_pgrp->pg_id;
173 PROC_UNLOCK(p);
174 return (0);
175 }
176
177 /* Get an arbitrary pid's process group id */
178 #ifndef _SYS_SYSPROTO_H_
179 struct getpgid_args {
180 pid_t pid;
181 };
182 #endif
183 int
sys_getpgid(struct thread * td,struct getpgid_args * uap)184 sys_getpgid(struct thread *td, struct getpgid_args *uap)
185 {
186 struct proc *p;
187 int error;
188
189 if (uap->pid == 0) {
190 p = td->td_proc;
191 PROC_LOCK(p);
192 } else {
193 p = pfind(uap->pid);
194 if (p == NULL)
195 return (ESRCH);
196 error = p_cansee(td, p);
197 if (error) {
198 PROC_UNLOCK(p);
199 return (error);
200 }
201 }
202 td->td_retval[0] = p->p_pgrp->pg_id;
203 PROC_UNLOCK(p);
204 return (0);
205 }
206
207 /*
208 * Get an arbitrary pid's session id.
209 */
210 #ifndef _SYS_SYSPROTO_H_
211 struct getsid_args {
212 pid_t pid;
213 };
214 #endif
215 int
sys_getsid(struct thread * td,struct getsid_args * uap)216 sys_getsid(struct thread *td, struct getsid_args *uap)
217 {
218
219 return (kern_getsid(td, uap->pid));
220 }
221
222 int
kern_getsid(struct thread * td,pid_t pid)223 kern_getsid(struct thread *td, pid_t pid)
224 {
225 struct proc *p;
226 int error;
227
228 if (pid == 0) {
229 p = td->td_proc;
230 PROC_LOCK(p);
231 } else {
232 p = pfind(pid);
233 if (p == NULL)
234 return (ESRCH);
235 error = p_cansee(td, p);
236 if (error) {
237 PROC_UNLOCK(p);
238 return (error);
239 }
240 }
241 td->td_retval[0] = p->p_session->s_sid;
242 PROC_UNLOCK(p);
243 return (0);
244 }
245
246 #ifndef _SYS_SYSPROTO_H_
247 struct getuid_args {
248 int dummy;
249 };
250 #endif
251 /* ARGSUSED */
252 int
sys_getuid(struct thread * td,struct getuid_args * uap)253 sys_getuid(struct thread *td, struct getuid_args *uap)
254 {
255
256 td->td_retval[0] = td->td_ucred->cr_ruid;
257 #if defined(COMPAT_43)
258 td->td_retval[1] = td->td_ucred->cr_uid;
259 #endif
260 return (0);
261 }
262
263 #ifndef _SYS_SYSPROTO_H_
264 struct geteuid_args {
265 int dummy;
266 };
267 #endif
268 /* ARGSUSED */
269 int
sys_geteuid(struct thread * td,struct geteuid_args * uap)270 sys_geteuid(struct thread *td, struct geteuid_args *uap)
271 {
272
273 td->td_retval[0] = td->td_ucred->cr_uid;
274 return (0);
275 }
276
277 #ifndef _SYS_SYSPROTO_H_
278 struct getgid_args {
279 int dummy;
280 };
281 #endif
282 /* ARGSUSED */
283 int
sys_getgid(struct thread * td,struct getgid_args * uap)284 sys_getgid(struct thread *td, struct getgid_args *uap)
285 {
286
287 td->td_retval[0] = td->td_ucred->cr_rgid;
288 #if defined(COMPAT_43)
289 td->td_retval[1] = td->td_ucred->cr_gid;
290 #endif
291 return (0);
292 }
293
294 #ifndef _SYS_SYSPROTO_H_
295 struct getegid_args {
296 int dummy;
297 };
298 #endif
299 /* ARGSUSED */
300 int
sys_getegid(struct thread * td,struct getegid_args * uap)301 sys_getegid(struct thread *td, struct getegid_args *uap)
302 {
303
304 td->td_retval[0] = td->td_ucred->cr_gid;
305 return (0);
306 }
307
308 #ifdef COMPAT_FREEBSD14
309 int
freebsd14_getgroups(struct thread * td,struct freebsd14_getgroups_args * uap)310 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap)
311 {
312 struct ucred *cred;
313 int ngrp, error;
314
315 cred = td->td_ucred;
316
317 /*
318 * For FreeBSD < 15.0, we account for the egid being placed at the
319 * beginning of the group list prior to all supplementary groups.
320 */
321 ngrp = cred->cr_ngroups + 1;
322 if (uap->gidsetsize == 0) {
323 error = 0;
324 goto out;
325 } else if (uap->gidsetsize < ngrp) {
326 return (EINVAL);
327 }
328
329 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t));
330 if (error == 0)
331 error = copyout(cred->cr_groups, uap->gidset + 1,
332 (ngrp - 1) * sizeof(gid_t));
333
334 out:
335 td->td_retval[0] = ngrp;
336 return (error);
337
338 }
339 #endif /* COMPAT_FREEBSD14 */
340
341 #ifndef _SYS_SYSPROTO_H_
342 struct getgroups_args {
343 int gidsetsize;
344 gid_t *gidset;
345 };
346 #endif
347 int
sys_getgroups(struct thread * td,struct getgroups_args * uap)348 sys_getgroups(struct thread *td, struct getgroups_args *uap)
349 {
350 struct ucred *cred;
351 int ngrp, error;
352
353 cred = td->td_ucred;
354
355 ngrp = cred->cr_ngroups;
356 if (uap->gidsetsize == 0) {
357 error = 0;
358 goto out;
359 }
360 if (uap->gidsetsize < ngrp)
361 return (EINVAL);
362
363 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
364 out:
365 td->td_retval[0] = ngrp;
366 return (error);
367 }
368
369 #ifndef _SYS_SYSPROTO_H_
370 struct setsid_args {
371 int dummy;
372 };
373 #endif
374 /* ARGSUSED */
375 int
sys_setsid(struct thread * td,struct setsid_args * uap)376 sys_setsid(struct thread *td, struct setsid_args *uap)
377 {
378 struct pgrp *pgrp;
379 int error;
380 struct proc *p = td->td_proc;
381 struct pgrp *newpgrp;
382 struct session *newsess;
383
384 pgrp = NULL;
385
386 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
387 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
388
389 again:
390 error = 0;
391 sx_xlock(&proctree_lock);
392
393 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
394 if (pgrp != NULL)
395 PGRP_UNLOCK(pgrp);
396 error = EPERM;
397 } else {
398 error = enterpgrp(p, p->p_pid, newpgrp, newsess);
399 if (error == ERESTART)
400 goto again;
401 MPASS(error == 0);
402 td->td_retval[0] = p->p_pid;
403 newpgrp = NULL;
404 newsess = NULL;
405 }
406
407 sx_xunlock(&proctree_lock);
408
409 uma_zfree(pgrp_zone, newpgrp);
410 free(newsess, M_SESSION);
411
412 return (error);
413 }
414
415 /*
416 * set process group (setpgid/old setpgrp)
417 *
418 * caller does setpgid(targpid, targpgid)
419 *
420 * pid must be caller or child of caller (ESRCH)
421 * if a child
422 * pid must be in same session (EPERM)
423 * pid can't have done an exec (EACCES)
424 * if pgid != pid
425 * there must exist some pid in same session having pgid (EPERM)
426 * pid must not be session leader (EPERM)
427 */
428 #ifndef _SYS_SYSPROTO_H_
429 struct setpgid_args {
430 int pid; /* target process id */
431 int pgid; /* target pgrp id */
432 };
433 #endif
434 /* ARGSUSED */
435 int
sys_setpgid(struct thread * td,struct setpgid_args * uap)436 sys_setpgid(struct thread *td, struct setpgid_args *uap)
437 {
438 struct proc *curp = td->td_proc;
439 struct proc *targp; /* target process */
440 struct pgrp *pgrp; /* target pgrp */
441 int error;
442 struct pgrp *newpgrp;
443
444 if (uap->pgid < 0)
445 return (EINVAL);
446
447 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
448
449 again:
450 error = 0;
451
452 sx_xlock(&proctree_lock);
453 if (uap->pid != 0 && uap->pid != curp->p_pid) {
454 if ((targp = pfind(uap->pid)) == NULL) {
455 error = ESRCH;
456 goto done;
457 }
458 if (!inferior(targp)) {
459 PROC_UNLOCK(targp);
460 error = ESRCH;
461 goto done;
462 }
463 if ((error = p_cansee(td, targp))) {
464 PROC_UNLOCK(targp);
465 goto done;
466 }
467 if (targp->p_pgrp == NULL ||
468 targp->p_session != curp->p_session) {
469 PROC_UNLOCK(targp);
470 error = EPERM;
471 goto done;
472 }
473 if (targp->p_flag & P_EXEC) {
474 PROC_UNLOCK(targp);
475 error = EACCES;
476 goto done;
477 }
478 PROC_UNLOCK(targp);
479 } else
480 targp = curp;
481 if (SESS_LEADER(targp)) {
482 error = EPERM;
483 goto done;
484 }
485 if (uap->pgid == 0)
486 uap->pgid = targp->p_pid;
487 if ((pgrp = pgfind(uap->pgid)) == NULL) {
488 if (uap->pgid == targp->p_pid) {
489 error = enterpgrp(targp, uap->pgid, newpgrp,
490 NULL);
491 if (error == 0)
492 newpgrp = NULL;
493 } else
494 error = EPERM;
495 } else {
496 if (pgrp == targp->p_pgrp) {
497 PGRP_UNLOCK(pgrp);
498 goto done;
499 }
500 if (pgrp->pg_id != targp->p_pid &&
501 pgrp->pg_session != curp->p_session) {
502 PGRP_UNLOCK(pgrp);
503 error = EPERM;
504 goto done;
505 }
506 PGRP_UNLOCK(pgrp);
507 error = enterthispgrp(targp, pgrp);
508 }
509 done:
510 KASSERT(error == 0 || newpgrp != NULL,
511 ("setpgid failed and newpgrp is NULL"));
512 if (error == ERESTART)
513 goto again;
514 sx_xunlock(&proctree_lock);
515 uma_zfree(pgrp_zone, newpgrp);
516 return (error);
517 }
518
519 static int
gidp_cmp(const void * p1,const void * p2)520 gidp_cmp(const void *p1, const void *p2)
521 {
522 const gid_t g1 = *(const gid_t *)p1;
523 const gid_t g2 = *(const gid_t *)p2;
524
525 return ((g1 > g2) - (g1 < g2));
526 }
527
528 /*
529 * 'smallgroups' must be an (uninitialized) array of length CRED_SMALLGROUPS_NB.
530 * Always sets 'sc_supp_groups', either to a valid kernel-space groups array
531 * (which may or may not be 'smallgroups'), or NULL if SETCREDF_SUPP_GROUPS was
532 * not specified or there are too many groups, or a buffer containing garbage on
533 * copyin() failure. In the last two cases, 'sc_supp_groups_nb' is additionally
534 * set to 0 as a security measure. 'sc_supp_groups' must be freed (M_TEMP) if
535 * not equal to 'smallgroups' even on failure.
536 */
537 static int
user_setcred_copyin_supp_groups(struct setcred * const wcred,const u_int flags,gid_t * const smallgroups)538 user_setcred_copyin_supp_groups(struct setcred *const wcred,
539 const u_int flags, gid_t *const smallgroups)
540 {
541 gid_t *groups;
542 int error;
543
544 if ((flags & SETCREDF_SUPP_GROUPS) == 0) {
545 error = 0;
546 goto reset_groups_exit;
547 }
548
549 /*
550 * Check the number of groups' limit right now in order to limit the
551 * amount of bytes to copy.
552 */
553 if (wcred->sc_supp_groups_nb > ngroups_max) {
554 error = EINVAL;
555 goto reset_groups_exit;
556 }
557
558 groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ?
559 smallgroups : malloc(wcred->sc_supp_groups_nb * sizeof(gid_t),
560 M_TEMP, M_WAITOK);
561 error = copyin(wcred->sc_supp_groups, groups,
562 wcred->sc_supp_groups_nb * sizeof(gid_t));
563 wcred->sc_supp_groups = groups;
564
565 if (error != 0) {
566 wcred->sc_supp_groups_nb = 0;
567 /*
568 * 'sc_supp_groups' must be freed by caller if not
569 * 'smallgroups'.
570 */
571 return (error);
572 }
573
574 return (0);
575
576 reset_groups_exit:
577 wcred->sc_supp_groups_nb = 0;
578 wcred->sc_supp_groups = NULL;
579 return (error);
580 }
581
582 int
user_setcred(struct thread * td,const u_int flags,struct setcred * const wcred)583 user_setcred(struct thread *td, const u_int flags, struct setcred *const wcred)
584 {
585 #ifdef MAC
586 struct mac mac;
587 /* Pointer to 'struct mac' or 'struct mac32'. */
588 void *umac;
589 #endif
590 gid_t smallgroups[CRED_SMALLGROUPS_NB];
591 int error;
592
593 /*
594 * As the only point of this wrapper function is to copyin() from
595 * userland, we only interpret the data pieces we need to perform this
596 * operation and defer further sanity checks to kern_setcred(), except
597 * that we redundantly check here that no unknown flags have been
598 * passed.
599 */
600 if ((flags & ~SETCREDF_MASK) != 0)
601 return (EINVAL);
602
603 #ifdef MAC
604 umac = wcred->sc_label;
605 #endif
606 /* Also done on !MAC as a defensive measure. */
607 wcred->sc_label = NULL;
608
609 /*
610 * Copy supplementary groups as needed. There is no specific
611 * alternative for 32-bit compatibility as 'gid_t' has the same size
612 * everywhere.
613 */
614 error = user_setcred_copyin_supp_groups(wcred, flags, smallgroups);
615 if (error != 0)
616 goto free_groups;
617
618 #ifdef MAC
619 if ((flags & SETCREDF_MAC_LABEL) != 0) {
620 error = mac_label_copyin(umac, &mac, NULL);
621 if (error != 0)
622 goto free_groups;
623 wcred->sc_label = &mac;
624 }
625 #endif
626
627 error = kern_setcred(td, flags, wcred);
628
629 #ifdef MAC
630 if (wcred->sc_label != NULL)
631 free_copied_label(wcred->sc_label);
632 #endif
633
634 free_groups:
635 if (wcred->sc_supp_groups != smallgroups)
636 free(wcred->sc_supp_groups, M_TEMP);
637
638 return (error);
639 }
640
641 #ifndef _SYS_SYSPROTO_H_
642 struct setcred_args {
643 u_int flags; /* Flags. */
644 const struct setcred *wcred;
645 size_t size; /* Passed 'setcred' structure length. */
646 };
647 #endif
648 /* ARGSUSED */
649 int
sys_setcred(struct thread * td,struct setcred_args * uap)650 sys_setcred(struct thread *td, struct setcred_args *uap)
651 {
652 struct setcred wcred;
653 int error;
654
655 if (uap->size != sizeof(wcred))
656 return (EINVAL);
657 error = copyin(uap->wcred, &wcred, sizeof(wcred));
658 if (error != 0)
659 return (error);
660 return (user_setcred(td, uap->flags, &wcred));
661 }
662
663 /*
664 * CAUTION: This function normalizes groups in 'wcred'.
665 */
666 int
kern_setcred(struct thread * const td,const u_int flags,struct setcred * const wcred)667 kern_setcred(struct thread *const td, const u_int flags,
668 struct setcred *const wcred)
669 {
670 struct proc *const p = td->td_proc;
671 struct ucred *new_cred, *old_cred, *to_free_cred = NULL;
672 struct uidinfo *uip = NULL, *ruip = NULL;
673 #ifdef MAC
674 void *mac_set_proc_data = NULL;
675 bool proc_label_set = false;
676 #endif
677 int error;
678 bool cred_set = false;
679
680 /* Bail out on unrecognized flags. */
681 if (flags & ~SETCREDF_MASK)
682 return (EINVAL);
683
684 /*
685 * Part 1: We allocate and perform preparatory operations with no locks.
686 */
687
688 if ((flags & SETCREDF_SUPP_GROUPS) != 0 &&
689 wcred->sc_supp_groups_nb > ngroups_max)
690 return (EINVAL);
691
692 if (flags & SETCREDF_MAC_LABEL) {
693 #ifdef MAC
694 error = mac_set_proc_prepare(td, wcred->sc_label,
695 &mac_set_proc_data);
696 if (error != 0)
697 return (error);
698 #else
699 return (ENOTSUP);
700 #endif
701 }
702
703 if (flags & SETCREDF_UID) {
704 AUDIT_ARG_EUID(wcred->sc_uid);
705 uip = uifind(wcred->sc_uid);
706 }
707 if (flags & SETCREDF_RUID) {
708 AUDIT_ARG_RUID(wcred->sc_ruid);
709 ruip = uifind(wcred->sc_ruid);
710 }
711 if (flags & SETCREDF_SVUID)
712 AUDIT_ARG_SUID(wcred->sc_svuid);
713
714 if (flags & SETCREDF_GID)
715 AUDIT_ARG_EGID(wcred->sc_gid);
716 if (flags & SETCREDF_RGID)
717 AUDIT_ARG_RGID(wcred->sc_rgid);
718 if (flags & SETCREDF_SVGID)
719 AUDIT_ARG_SGID(wcred->sc_svgid);
720 if (flags & SETCREDF_SUPP_GROUPS) {
721 /*
722 * Output the raw supplementary groups array for better
723 * traceability.
724 */
725 AUDIT_ARG_GROUPSET(wcred->sc_supp_groups,
726 wcred->sc_supp_groups_nb);
727 groups_normalize(&wcred->sc_supp_groups_nb,
728 wcred->sc_supp_groups);
729 }
730
731 /*
732 * We first completely build the new credentials and only then pass them
733 * to MAC along with the old ones so that modules can check whether the
734 * requested transition is allowed.
735 */
736 new_cred = crget();
737 to_free_cred = new_cred;
738 if (flags & SETCREDF_SUPP_GROUPS)
739 crextend(new_cred, wcred->sc_supp_groups_nb);
740
741 #ifdef MAC
742 mac_cred_setcred_enter();
743 #endif
744
745 /*
746 * Part 2: We grab the process lock as to have a stable view of its
747 * current credentials, and prepare a copy of them with the requested
748 * changes applied under that lock.
749 */
750
751 PROC_LOCK(p);
752 old_cred = crcopysafe(p, new_cred);
753
754 /*
755 * Change user IDs.
756 */
757 if (flags & SETCREDF_UID)
758 change_euid(new_cred, uip);
759 if (flags & SETCREDF_RUID)
760 change_ruid(new_cred, ruip);
761 if (flags & SETCREDF_SVUID)
762 change_svuid(new_cred, wcred->sc_svuid);
763
764 /*
765 * Change groups.
766 */
767 if (flags & SETCREDF_SUPP_GROUPS)
768 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb,
769 wcred->sc_supp_groups);
770 if (flags & SETCREDF_GID)
771 change_egid(new_cred, wcred->sc_gid);
772 if (flags & SETCREDF_RGID)
773 change_rgid(new_cred, wcred->sc_rgid);
774 if (flags & SETCREDF_SVGID)
775 change_svgid(new_cred, wcred->sc_svgid);
776
777 #ifdef MAC
778 /*
779 * Change the MAC label.
780 */
781 if (flags & SETCREDF_MAC_LABEL) {
782 error = mac_set_proc_core(td, new_cred, mac_set_proc_data);
783 if (error != 0)
784 goto unlock_finish;
785 proc_label_set = true;
786 }
787
788 /*
789 * MAC security modules checks.
790 */
791 error = mac_cred_check_setcred(flags, old_cred, new_cred);
792 if (error != 0)
793 goto unlock_finish;
794 #endif
795 /*
796 * Privilege check.
797 */
798 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED);
799 if (error != 0)
800 goto unlock_finish;
801
802 #ifdef RACCT
803 /*
804 * Hold a reference to 'new_cred', as we need to call some functions on
805 * it after proc_set_cred_enforce_proc_lim().
806 */
807 crhold(new_cred);
808 #endif
809
810 /* Set the new credentials. */
811 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred);
812 if (cred_set) {
813 setsugid(p);
814 #ifdef RACCT
815 /* Adjust RACCT counters. */
816 racct_proc_ucred_changed(p, old_cred, new_cred);
817 #endif
818 to_free_cred = old_cred;
819 MPASS(error == 0);
820 } else {
821 #ifdef RACCT
822 /* Matches the crhold() just before the containing 'if'. */
823 crfree(new_cred);
824 #endif
825 error = EAGAIN;
826 }
827
828 unlock_finish:
829 PROC_UNLOCK(p);
830
831 /*
832 * Part 3: After releasing the process lock, we perform cleanups and
833 * finishing operations.
834 */
835
836 #ifdef RACCT
837 if (cred_set) {
838 #ifdef RCTL
839 rctl_proc_ucred_changed(p, new_cred);
840 #endif
841 /* Paired with the crhold() above. */
842 crfree(new_cred);
843 }
844 #endif
845
846 #ifdef MAC
847 if (mac_set_proc_data != NULL)
848 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data);
849 mac_cred_setcred_exit();
850 #endif
851 crfree(to_free_cred);
852 if (uip != NULL)
853 uifree(uip);
854 if (ruip != NULL)
855 uifree(ruip);
856
857 return (error);
858 }
859
860 /*
861 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
862 * compatible. It says that setting the uid/gid to euid/egid is a special
863 * case of "appropriate privilege". Once the rules are expanded out, this
864 * basically means that setuid(nnn) sets all three id's, in all permitted
865 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
866 * does not set the saved id - this is dangerous for traditional BSD
867 * programs. For this reason, we *really* do not want to set
868 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
869 */
870 #define POSIX_APPENDIX_B_4_2_2
871
872 #ifndef _SYS_SYSPROTO_H_
873 struct setuid_args {
874 uid_t uid;
875 };
876 #endif
877 /* ARGSUSED */
878 int
sys_setuid(struct thread * td,struct setuid_args * uap)879 sys_setuid(struct thread *td, struct setuid_args *uap)
880 {
881 struct proc *p = td->td_proc;
882 struct ucred *newcred, *oldcred;
883 uid_t uid;
884 struct uidinfo *uip;
885 int error;
886
887 uid = uap->uid;
888 AUDIT_ARG_UID(uid);
889 newcred = crget();
890 uip = uifind(uid);
891 PROC_LOCK(p);
892 /*
893 * Copy credentials so other references do not see our changes.
894 */
895 oldcred = crcopysafe(p, newcred);
896
897 #ifdef MAC
898 error = mac_cred_check_setuid(oldcred, uid);
899 if (error)
900 goto fail;
901 #endif
902
903 /*
904 * See if we have "permission" by POSIX 1003.1 rules.
905 *
906 * Note that setuid(geteuid()) is a special case of
907 * "appropriate privileges" in appendix B.4.2.2. We need
908 * to use this clause to be compatible with traditional BSD
909 * semantics. Basically, it means that "setuid(xx)" sets all
910 * three id's (assuming you have privs).
911 *
912 * Notes on the logic. We do things in three steps.
913 * 1: We determine if the euid is going to change, and do EPERM
914 * right away. We unconditionally change the euid later if this
915 * test is satisfied, simplifying that part of the logic.
916 * 2: We determine if the real and/or saved uids are going to
917 * change. Determined by compile options.
918 * 3: Change euid last. (after tests in #2 for "appropriate privs")
919 */
920 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
921 #ifdef _POSIX_SAVED_IDS
922 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
923 #endif
924 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
925 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
926 #endif
927 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
928 goto fail;
929
930 #ifdef _POSIX_SAVED_IDS
931 /*
932 * Do we have "appropriate privileges" (are we root or uid == euid)
933 * If so, we are changing the real uid and/or saved uid.
934 */
935 if (
936 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
937 uid == oldcred->cr_uid ||
938 #endif
939 /* We are using privs. */
940 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
941 #endif
942 {
943 /*
944 * Set the real uid.
945 */
946 if (uid != oldcred->cr_ruid) {
947 change_ruid(newcred, uip);
948 setsugid(p);
949 }
950 /*
951 * Set saved uid
952 *
953 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
954 * the security of seteuid() depends on it. B.4.2.2 says it
955 * is important that we should do this.
956 */
957 if (uid != oldcred->cr_svuid) {
958 change_svuid(newcred, uid);
959 setsugid(p);
960 }
961 }
962
963 /*
964 * In all permitted cases, we are changing the euid.
965 */
966 if (uid != oldcred->cr_uid) {
967 change_euid(newcred, uip);
968 setsugid(p);
969 }
970
971 #ifdef RACCT
972 racct_proc_ucred_changed(p, oldcred, newcred);
973 #endif
974 #ifdef RCTL
975 crhold(newcred);
976 #endif
977 /*
978 * Takes over 'newcred''s reference, so 'newcred' must not be used
979 * besides this point except on RCTL where we took an additional
980 * reference above.
981 */
982 proc_set_cred(p, newcred);
983 PROC_UNLOCK(p);
984 #ifdef RCTL
985 rctl_proc_ucred_changed(p, newcred);
986 crfree(newcred);
987 #endif
988 uifree(uip);
989 crfree(oldcred);
990 return (0);
991
992 fail:
993 PROC_UNLOCK(p);
994 uifree(uip);
995 crfree(newcred);
996 return (error);
997 }
998
999 #ifndef _SYS_SYSPROTO_H_
1000 struct seteuid_args {
1001 uid_t euid;
1002 };
1003 #endif
1004 /* ARGSUSED */
1005 int
sys_seteuid(struct thread * td,struct seteuid_args * uap)1006 sys_seteuid(struct thread *td, struct seteuid_args *uap)
1007 {
1008 struct proc *p = td->td_proc;
1009 struct ucred *newcred, *oldcred;
1010 uid_t euid;
1011 struct uidinfo *euip;
1012 int error;
1013
1014 euid = uap->euid;
1015 AUDIT_ARG_EUID(euid);
1016 newcred = crget();
1017 euip = uifind(euid);
1018 PROC_LOCK(p);
1019 /*
1020 * Copy credentials so other references do not see our changes.
1021 */
1022 oldcred = crcopysafe(p, newcred);
1023
1024 #ifdef MAC
1025 error = mac_cred_check_seteuid(oldcred, euid);
1026 if (error)
1027 goto fail;
1028 #endif
1029
1030 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
1031 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
1032 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
1033 goto fail;
1034
1035 /*
1036 * Everything's okay, do it.
1037 */
1038 if (oldcred->cr_uid != euid) {
1039 change_euid(newcred, euip);
1040 setsugid(p);
1041 }
1042 proc_set_cred(p, newcred);
1043 PROC_UNLOCK(p);
1044 uifree(euip);
1045 crfree(oldcred);
1046 return (0);
1047
1048 fail:
1049 PROC_UNLOCK(p);
1050 uifree(euip);
1051 crfree(newcred);
1052 return (error);
1053 }
1054
1055 #ifndef _SYS_SYSPROTO_H_
1056 struct setgid_args {
1057 gid_t gid;
1058 };
1059 #endif
1060 /* ARGSUSED */
1061 int
sys_setgid(struct thread * td,struct setgid_args * uap)1062 sys_setgid(struct thread *td, struct setgid_args *uap)
1063 {
1064 struct proc *p = td->td_proc;
1065 struct ucred *newcred, *oldcred;
1066 gid_t gid;
1067 int error;
1068
1069 gid = uap->gid;
1070 AUDIT_ARG_GID(gid);
1071 newcred = crget();
1072 PROC_LOCK(p);
1073 oldcred = crcopysafe(p, newcred);
1074
1075 #ifdef MAC
1076 error = mac_cred_check_setgid(oldcred, gid);
1077 if (error)
1078 goto fail;
1079 #endif
1080
1081 /*
1082 * See if we have "permission" by POSIX 1003.1 rules.
1083 *
1084 * Note that setgid(getegid()) is a special case of
1085 * "appropriate privileges" in appendix B.4.2.2. We need
1086 * to use this clause to be compatible with traditional BSD
1087 * semantics. Basically, it means that "setgid(xx)" sets all
1088 * three id's (assuming you have privs).
1089 *
1090 * For notes on the logic here, see setuid() above.
1091 */
1092 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
1093 #ifdef _POSIX_SAVED_IDS
1094 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
1095 #endif
1096 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
1097 gid != oldcred->cr_gid && /* allow setgid(getegid()) */
1098 #endif
1099 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
1100 goto fail;
1101
1102 #ifdef _POSIX_SAVED_IDS
1103 /*
1104 * Do we have "appropriate privileges" (are we root or gid == egid)
1105 * If so, we are changing the real uid and saved gid.
1106 */
1107 if (
1108 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
1109 gid == oldcred->cr_gid ||
1110 #endif
1111 /* We are using privs. */
1112 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
1113 #endif
1114 {
1115 /*
1116 * Set real gid
1117 */
1118 if (oldcred->cr_rgid != gid) {
1119 change_rgid(newcred, gid);
1120 setsugid(p);
1121 }
1122 /*
1123 * Set saved gid
1124 *
1125 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
1126 * the security of setegid() depends on it. B.4.2.2 says it
1127 * is important that we should do this.
1128 */
1129 if (oldcred->cr_svgid != gid) {
1130 change_svgid(newcred, gid);
1131 setsugid(p);
1132 }
1133 }
1134 /*
1135 * In all cases permitted cases, we are changing the egid.
1136 * Copy credentials so other references do not see our changes.
1137 */
1138 if (oldcred->cr_gid != gid) {
1139 change_egid(newcred, gid);
1140 setsugid(p);
1141 }
1142 proc_set_cred(p, newcred);
1143 PROC_UNLOCK(p);
1144 crfree(oldcred);
1145 return (0);
1146
1147 fail:
1148 PROC_UNLOCK(p);
1149 crfree(newcred);
1150 return (error);
1151 }
1152
1153 #ifndef _SYS_SYSPROTO_H_
1154 struct setegid_args {
1155 gid_t egid;
1156 };
1157 #endif
1158 /* ARGSUSED */
1159 int
sys_setegid(struct thread * td,struct setegid_args * uap)1160 sys_setegid(struct thread *td, struct setegid_args *uap)
1161 {
1162 struct proc *p = td->td_proc;
1163 struct ucred *newcred, *oldcred;
1164 gid_t egid;
1165 int error;
1166
1167 egid = uap->egid;
1168 AUDIT_ARG_EGID(egid);
1169 newcred = crget();
1170 PROC_LOCK(p);
1171 oldcred = crcopysafe(p, newcred);
1172
1173 #ifdef MAC
1174 error = mac_cred_check_setegid(oldcred, egid);
1175 if (error)
1176 goto fail;
1177 #endif
1178
1179 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
1180 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
1181 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
1182 goto fail;
1183
1184 if (oldcred->cr_gid != egid) {
1185 change_egid(newcred, egid);
1186 setsugid(p);
1187 }
1188 proc_set_cred(p, newcred);
1189 PROC_UNLOCK(p);
1190 crfree(oldcred);
1191 return (0);
1192
1193 fail:
1194 PROC_UNLOCK(p);
1195 crfree(newcred);
1196 return (error);
1197 }
1198
1199 #ifdef COMPAT_FREEBSD14
1200 int
freebsd14_setgroups(struct thread * td,struct freebsd14_setgroups_args * uap)1201 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap)
1202 {
1203 gid_t smallgroups[CRED_SMALLGROUPS_NB];
1204 gid_t *groups;
1205 int gidsetsize, error;
1206
1207 /*
1208 * Before FreeBSD 15.0, we allow one more group to be supplied to
1209 * account for the egid appearing before the supplementary groups. This
1210 * may technically allow one more supplementary group for systems that
1211 * did use the default NGROUPS_MAX if we round it back up to 1024.
1212 */
1213 gidsetsize = uap->gidsetsize;
1214 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
1215 return (EINVAL);
1216
1217 if (gidsetsize > CRED_SMALLGROUPS_NB)
1218 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
1219 else
1220 groups = smallgroups;
1221
1222 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
1223 if (error == 0) {
1224 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0;
1225
1226 error = kern_setgroups(td, &ngroups, groups + 1);
1227 if (error == 0 && gidsetsize > 0)
1228 td->td_proc->p_ucred->cr_gid = groups[0];
1229 }
1230
1231 if (groups != smallgroups)
1232 free(groups, M_TEMP);
1233 return (error);
1234 }
1235 #endif /* COMPAT_FREEBSD14 */
1236
1237 #ifndef _SYS_SYSPROTO_H_
1238 struct setgroups_args {
1239 int gidsetsize;
1240 gid_t *gidset;
1241 };
1242 #endif
1243 /* ARGSUSED */
1244 int
sys_setgroups(struct thread * td,struct setgroups_args * uap)1245 sys_setgroups(struct thread *td, struct setgroups_args *uap)
1246 {
1247 gid_t smallgroups[CRED_SMALLGROUPS_NB];
1248 gid_t *groups;
1249 int gidsetsize, error;
1250
1251 /*
1252 * Sanity check size now to avoid passing too big a value to copyin(),
1253 * even if kern_setgroups() will do it again.
1254 *
1255 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it
1256 * was, in this implementation, for a long time), but POSIX standardized
1257 * getgroups() to take an 'int' and it would be quite entrapping to have
1258 * setgroups() differ.
1259 */
1260 gidsetsize = uap->gidsetsize;
1261 if (gidsetsize > ngroups_max || gidsetsize < 0)
1262 return (EINVAL);
1263
1264 if (gidsetsize > CRED_SMALLGROUPS_NB)
1265 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
1266 else
1267 groups = smallgroups;
1268
1269 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
1270 if (error == 0)
1271 error = kern_setgroups(td, &gidsetsize, groups);
1272
1273 if (groups != smallgroups)
1274 free(groups, M_TEMP);
1275 return (error);
1276 }
1277
1278 /*
1279 * CAUTION: This function normalizes 'groups', possibly also changing the value
1280 * of '*ngrpp' as a consequence.
1281 */
1282 int
kern_setgroups(struct thread * td,int * ngrpp,gid_t * groups)1283 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups)
1284 {
1285 struct proc *p = td->td_proc;
1286 struct ucred *newcred, *oldcred;
1287 int ngrp, error;
1288
1289 ngrp = *ngrpp;
1290 /* Sanity check size. */
1291 if (ngrp < 0 || ngrp > ngroups_max)
1292 return (EINVAL);
1293
1294 AUDIT_ARG_GROUPSET(groups, ngrp);
1295
1296 groups_normalize(&ngrp, groups);
1297 *ngrpp = ngrp;
1298
1299 newcred = crget();
1300 crextend(newcred, ngrp);
1301 PROC_LOCK(p);
1302 oldcred = crcopysafe(p, newcred);
1303
1304 #ifdef MAC
1305 /*
1306 * We pass NULL here explicitly if we don't have any supplementary
1307 * groups mostly for the sake of normalization, but also to avoid/detect
1308 * a situation where a MAC module has some assumption about the layout
1309 * of `groups` matching historical behavior.
1310 */
1311 error = mac_cred_check_setgroups(oldcred, ngrp,
1312 ngrp == 0 ? NULL : groups);
1313 if (error)
1314 goto fail;
1315 #endif
1316
1317 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS);
1318 if (error)
1319 goto fail;
1320
1321 crsetgroups_internal(newcred, ngrp, groups);
1322 setsugid(p);
1323 proc_set_cred(p, newcred);
1324 PROC_UNLOCK(p);
1325 crfree(oldcred);
1326 return (0);
1327
1328 fail:
1329 PROC_UNLOCK(p);
1330 crfree(newcred);
1331 return (error);
1332 }
1333
1334 #ifndef _SYS_SYSPROTO_H_
1335 struct setreuid_args {
1336 uid_t ruid;
1337 uid_t euid;
1338 };
1339 #endif
1340 /* ARGSUSED */
1341 int
sys_setreuid(struct thread * td,struct setreuid_args * uap)1342 sys_setreuid(struct thread *td, struct setreuid_args *uap)
1343 {
1344 struct proc *p = td->td_proc;
1345 struct ucred *newcred, *oldcred;
1346 uid_t euid, ruid;
1347 struct uidinfo *euip, *ruip;
1348 int error;
1349
1350 euid = uap->euid;
1351 ruid = uap->ruid;
1352 AUDIT_ARG_EUID(euid);
1353 AUDIT_ARG_RUID(ruid);
1354 newcred = crget();
1355 euip = uifind(euid);
1356 ruip = uifind(ruid);
1357 PROC_LOCK(p);
1358 oldcred = crcopysafe(p, newcred);
1359
1360 #ifdef MAC
1361 error = mac_cred_check_setreuid(oldcred, ruid, euid);
1362 if (error)
1363 goto fail;
1364 #endif
1365
1366 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1367 ruid != oldcred->cr_svuid) ||
1368 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
1369 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
1370 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0)
1371 goto fail;
1372
1373 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1374 change_euid(newcred, euip);
1375 setsugid(p);
1376 }
1377 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1378 change_ruid(newcred, ruip);
1379 setsugid(p);
1380 }
1381 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
1382 newcred->cr_svuid != newcred->cr_uid) {
1383 change_svuid(newcred, newcred->cr_uid);
1384 setsugid(p);
1385 }
1386 #ifdef RACCT
1387 racct_proc_ucred_changed(p, oldcred, newcred);
1388 #endif
1389 #ifdef RCTL
1390 crhold(newcred);
1391 #endif
1392 /*
1393 * Takes over 'newcred''s reference, so 'newcred' must not be used
1394 * besides this point except on RCTL where we took an additional
1395 * reference above.
1396 */
1397 proc_set_cred(p, newcred);
1398 PROC_UNLOCK(p);
1399 #ifdef RCTL
1400 rctl_proc_ucred_changed(p, newcred);
1401 crfree(newcred);
1402 #endif
1403 uifree(ruip);
1404 uifree(euip);
1405 crfree(oldcred);
1406 return (0);
1407
1408 fail:
1409 PROC_UNLOCK(p);
1410 uifree(ruip);
1411 uifree(euip);
1412 crfree(newcred);
1413 return (error);
1414 }
1415
1416 #ifndef _SYS_SYSPROTO_H_
1417 struct setregid_args {
1418 gid_t rgid;
1419 gid_t egid;
1420 };
1421 #endif
1422 /* ARGSUSED */
1423 int
sys_setregid(struct thread * td,struct setregid_args * uap)1424 sys_setregid(struct thread *td, struct setregid_args *uap)
1425 {
1426 struct proc *p = td->td_proc;
1427 struct ucred *newcred, *oldcred;
1428 gid_t egid, rgid;
1429 int error;
1430
1431 egid = uap->egid;
1432 rgid = uap->rgid;
1433 AUDIT_ARG_EGID(egid);
1434 AUDIT_ARG_RGID(rgid);
1435 newcred = crget();
1436 PROC_LOCK(p);
1437 oldcred = crcopysafe(p, newcred);
1438
1439 #ifdef MAC
1440 error = mac_cred_check_setregid(oldcred, rgid, egid);
1441 if (error)
1442 goto fail;
1443 #endif
1444
1445 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1446 rgid != oldcred->cr_svgid) ||
1447 (egid != (gid_t)-1 && egid != oldcred->cr_gid &&
1448 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
1449 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0)
1450 goto fail;
1451
1452 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) {
1453 change_egid(newcred, egid);
1454 setsugid(p);
1455 }
1456 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1457 change_rgid(newcred, rgid);
1458 setsugid(p);
1459 }
1460 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) &&
1461 newcred->cr_svgid != newcred->cr_gid) {
1462 change_svgid(newcred, newcred->cr_gid);
1463 setsugid(p);
1464 }
1465 proc_set_cred(p, newcred);
1466 PROC_UNLOCK(p);
1467 crfree(oldcred);
1468 return (0);
1469
1470 fail:
1471 PROC_UNLOCK(p);
1472 crfree(newcred);
1473 return (error);
1474 }
1475
1476 /*
1477 * setresuid(ruid, euid, suid) is like setreuid except control over the saved
1478 * uid is explicit.
1479 */
1480 #ifndef _SYS_SYSPROTO_H_
1481 struct setresuid_args {
1482 uid_t ruid;
1483 uid_t euid;
1484 uid_t suid;
1485 };
1486 #endif
1487 /* ARGSUSED */
1488 int
sys_setresuid(struct thread * td,struct setresuid_args * uap)1489 sys_setresuid(struct thread *td, struct setresuid_args *uap)
1490 {
1491 struct proc *p = td->td_proc;
1492 struct ucred *newcred, *oldcred;
1493 uid_t euid, ruid, suid;
1494 struct uidinfo *euip, *ruip;
1495 int error;
1496
1497 euid = uap->euid;
1498 ruid = uap->ruid;
1499 suid = uap->suid;
1500 AUDIT_ARG_EUID(euid);
1501 AUDIT_ARG_RUID(ruid);
1502 AUDIT_ARG_SUID(suid);
1503 newcred = crget();
1504 euip = uifind(euid);
1505 ruip = uifind(ruid);
1506 PROC_LOCK(p);
1507 oldcred = crcopysafe(p, newcred);
1508
1509 #ifdef MAC
1510 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
1511 if (error)
1512 goto fail;
1513 #endif
1514
1515 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1516 ruid != oldcred->cr_svuid &&
1517 ruid != oldcred->cr_uid) ||
1518 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1519 euid != oldcred->cr_svuid &&
1520 euid != oldcred->cr_uid) ||
1521 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1522 suid != oldcred->cr_svuid &&
1523 suid != oldcred->cr_uid)) &&
1524 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0)
1525 goto fail;
1526
1527 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1528 change_euid(newcred, euip);
1529 setsugid(p);
1530 }
1531 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1532 change_ruid(newcred, ruip);
1533 setsugid(p);
1534 }
1535 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1536 change_svuid(newcred, suid);
1537 setsugid(p);
1538 }
1539 #ifdef RACCT
1540 racct_proc_ucred_changed(p, oldcred, newcred);
1541 #endif
1542 #ifdef RCTL
1543 crhold(newcred);
1544 #endif
1545 /*
1546 * Takes over 'newcred''s reference, so 'newcred' must not be used
1547 * besides this point except on RCTL where we took an additional
1548 * reference above.
1549 */
1550 proc_set_cred(p, newcred);
1551 PROC_UNLOCK(p);
1552 #ifdef RCTL
1553 rctl_proc_ucred_changed(p, newcred);
1554 crfree(newcred);
1555 #endif
1556 uifree(ruip);
1557 uifree(euip);
1558 crfree(oldcred);
1559 return (0);
1560
1561 fail:
1562 PROC_UNLOCK(p);
1563 uifree(ruip);
1564 uifree(euip);
1565 crfree(newcred);
1566 return (error);
1567
1568 }
1569
1570 /*
1571 * setresgid(rgid, egid, sgid) is like setregid except control over the saved
1572 * gid is explicit.
1573 */
1574 #ifndef _SYS_SYSPROTO_H_
1575 struct setresgid_args {
1576 gid_t rgid;
1577 gid_t egid;
1578 gid_t sgid;
1579 };
1580 #endif
1581 /* ARGSUSED */
1582 int
sys_setresgid(struct thread * td,struct setresgid_args * uap)1583 sys_setresgid(struct thread *td, struct setresgid_args *uap)
1584 {
1585 struct proc *p = td->td_proc;
1586 struct ucred *newcred, *oldcred;
1587 gid_t egid, rgid, sgid;
1588 int error;
1589
1590 egid = uap->egid;
1591 rgid = uap->rgid;
1592 sgid = uap->sgid;
1593 AUDIT_ARG_EGID(egid);
1594 AUDIT_ARG_RGID(rgid);
1595 AUDIT_ARG_SGID(sgid);
1596 newcred = crget();
1597 PROC_LOCK(p);
1598 oldcred = crcopysafe(p, newcred);
1599
1600 #ifdef MAC
1601 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
1602 if (error)
1603 goto fail;
1604 #endif
1605
1606 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1607 rgid != oldcred->cr_svgid &&
1608 rgid != oldcred->cr_gid) ||
1609 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1610 egid != oldcred->cr_svgid &&
1611 egid != oldcred->cr_gid) ||
1612 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1613 sgid != oldcred->cr_svgid &&
1614 sgid != oldcred->cr_gid)) &&
1615 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0)
1616 goto fail;
1617
1618 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) {
1619 change_egid(newcred, egid);
1620 setsugid(p);
1621 }
1622 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1623 change_rgid(newcred, rgid);
1624 setsugid(p);
1625 }
1626 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1627 change_svgid(newcred, sgid);
1628 setsugid(p);
1629 }
1630 proc_set_cred(p, newcred);
1631 PROC_UNLOCK(p);
1632 crfree(oldcred);
1633 return (0);
1634
1635 fail:
1636 PROC_UNLOCK(p);
1637 crfree(newcred);
1638 return (error);
1639 }
1640
1641 #ifndef _SYS_SYSPROTO_H_
1642 struct getresuid_args {
1643 uid_t *ruid;
1644 uid_t *euid;
1645 uid_t *suid;
1646 };
1647 #endif
1648 /* ARGSUSED */
1649 int
sys_getresuid(struct thread * td,struct getresuid_args * uap)1650 sys_getresuid(struct thread *td, struct getresuid_args *uap)
1651 {
1652 struct ucred *cred;
1653 int error1 = 0, error2 = 0, error3 = 0;
1654
1655 cred = td->td_ucred;
1656 if (uap->ruid)
1657 error1 = copyout(&cred->cr_ruid,
1658 uap->ruid, sizeof(cred->cr_ruid));
1659 if (uap->euid)
1660 error2 = copyout(&cred->cr_uid,
1661 uap->euid, sizeof(cred->cr_uid));
1662 if (uap->suid)
1663 error3 = copyout(&cred->cr_svuid,
1664 uap->suid, sizeof(cred->cr_svuid));
1665 return (error1 ? error1 : error2 ? error2 : error3);
1666 }
1667
1668 #ifndef _SYS_SYSPROTO_H_
1669 struct getresgid_args {
1670 gid_t *rgid;
1671 gid_t *egid;
1672 gid_t *sgid;
1673 };
1674 #endif
1675 /* ARGSUSED */
1676 int
sys_getresgid(struct thread * td,struct getresgid_args * uap)1677 sys_getresgid(struct thread *td, struct getresgid_args *uap)
1678 {
1679 struct ucred *cred;
1680 int error1 = 0, error2 = 0, error3 = 0;
1681
1682 cred = td->td_ucred;
1683 if (uap->rgid)
1684 error1 = copyout(&cred->cr_rgid,
1685 uap->rgid, sizeof(cred->cr_rgid));
1686 if (uap->egid)
1687 error2 = copyout(&cred->cr_gid,
1688 uap->egid, sizeof(cred->cr_gid));
1689 if (uap->sgid)
1690 error3 = copyout(&cred->cr_svgid,
1691 uap->sgid, sizeof(cred->cr_svgid));
1692 return (error1 ? error1 : error2 ? error2 : error3);
1693 }
1694
1695 #ifndef _SYS_SYSPROTO_H_
1696 struct issetugid_args {
1697 int dummy;
1698 };
1699 #endif
1700 /* ARGSUSED */
1701 int
sys_issetugid(struct thread * td,struct issetugid_args * uap)1702 sys_issetugid(struct thread *td, struct issetugid_args *uap)
1703 {
1704 struct proc *p = td->td_proc;
1705
1706 /*
1707 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1708 * we use P_SUGID because we consider changing the owners as
1709 * "tainting" as well.
1710 * This is significant for procs that start as root and "become"
1711 * a user without an exec - programs cannot know *everything*
1712 * that libc *might* have put in their data segment.
1713 */
1714 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1715 return (0);
1716 }
1717
1718 int
sys___setugid(struct thread * td,struct __setugid_args * uap)1719 sys___setugid(struct thread *td, struct __setugid_args *uap)
1720 {
1721 #ifdef REGRESSION
1722 struct proc *p;
1723
1724 p = td->td_proc;
1725 switch (uap->flag) {
1726 case 0:
1727 PROC_LOCK(p);
1728 p->p_flag &= ~P_SUGID;
1729 PROC_UNLOCK(p);
1730 return (0);
1731 case 1:
1732 PROC_LOCK(p);
1733 p->p_flag |= P_SUGID;
1734 PROC_UNLOCK(p);
1735 return (0);
1736 default:
1737 return (EINVAL);
1738 }
1739 #else /* !REGRESSION */
1740
1741 return (ENOSYS);
1742 #endif /* REGRESSION */
1743 }
1744
1745 #ifdef INVARIANTS
1746 static void
groups_check_normalized(int ngrp,const gid_t * groups)1747 groups_check_normalized(int ngrp, const gid_t *groups)
1748 {
1749 gid_t prev_g;
1750
1751 groups_check_positive_len(ngrp);
1752 groups_check_max_len(ngrp);
1753
1754 if (ngrp <= 1)
1755 return;
1756
1757 prev_g = groups[0];
1758 for (int i = 1; i < ngrp; ++i) {
1759 const gid_t g = groups[i];
1760
1761 if (prev_g >= g)
1762 panic("%s: groups[%d] (%u) >= groups[%d] (%u)",
1763 __func__, i - 1, prev_g, i, g);
1764 prev_g = g;
1765 }
1766 }
1767 #else
1768 #define groups_check_normalized(...)
1769 #endif
1770
1771 /*
1772 * Returns whether gid designates a supplementary group in cred.
1773 */
1774 bool
group_is_supplementary(const gid_t gid,const struct ucred * const cred)1775 group_is_supplementary(const gid_t gid, const struct ucred *const cred)
1776 {
1777
1778 groups_check_normalized(cred->cr_ngroups, cred->cr_groups);
1779
1780 /*
1781 * Perform a binary search of the supplementary groups. This is
1782 * possible because we sort the groups in crsetgroups().
1783 */
1784 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups,
1785 sizeof(gid), gidp_cmp) != NULL);
1786 }
1787
1788 /*
1789 * Check if gid is a member of the (effective) group set (i.e., effective and
1790 * supplementary groups).
1791 */
1792 bool
groupmember(gid_t gid,const struct ucred * cred)1793 groupmember(gid_t gid, const struct ucred *cred)
1794 {
1795
1796 groups_check_positive_len(cred->cr_ngroups);
1797
1798 if (gid == cred->cr_gid)
1799 return (true);
1800
1801 return (group_is_supplementary(gid, cred));
1802 }
1803
1804 /*
1805 * Check if gid is a member of the real group set (i.e., real and supplementary
1806 * groups).
1807 */
1808 bool
realgroupmember(gid_t gid,const struct ucred * cred)1809 realgroupmember(gid_t gid, const struct ucred *cred)
1810 {
1811 groups_check_positive_len(cred->cr_ngroups);
1812
1813 if (gid == cred->cr_rgid)
1814 return (true);
1815
1816 return (group_is_supplementary(gid, cred));
1817 }
1818
1819 /*
1820 * Test the active securelevel against a given level. securelevel_gt()
1821 * implements (securelevel > level). securelevel_ge() implements
1822 * (securelevel >= level). Note that the logic is inverted -- these
1823 * functions return EPERM on "success" and 0 on "failure".
1824 *
1825 * Due to care taken when setting the securelevel, we know that no jail will
1826 * be less secure that its parent (or the physical system), so it is sufficient
1827 * to test the current jail only.
1828 *
1829 * XXXRW: Possibly since this has to do with privilege, it should move to
1830 * kern_priv.c.
1831 */
1832 int
securelevel_gt(struct ucred * cr,int level)1833 securelevel_gt(struct ucred *cr, int level)
1834 {
1835
1836 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
1837 }
1838
1839 int
securelevel_ge(struct ucred * cr,int level)1840 securelevel_ge(struct ucred *cr, int level)
1841 {
1842
1843 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
1844 }
1845
1846 /*
1847 * 'see_other_uids' determines whether or not visibility of processes
1848 * and sockets with credentials holding different real uids is possible
1849 * using a variety of system MIBs.
1850 * XXX: data declarations should be together near the beginning of the file.
1851 */
1852 static int see_other_uids = 1;
1853 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1854 &see_other_uids, 0,
1855 "Unprivileged processes may see subjects/objects with different real uid");
1856
1857 /*-
1858 * Determine if u1 "can see" the subject specified by u2, according to the
1859 * 'see_other_uids' policy.
1860 * Returns: 0 for permitted, ESRCH otherwise
1861 * Locks: none
1862 * References: *u1 and *u2 must not change during the call
1863 * u1 may equal u2, in which case only one reference is required
1864 */
1865 static int
cr_canseeotheruids(struct ucred * u1,struct ucred * u2)1866 cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
1867 {
1868
1869 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1870 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0)
1871 return (ESRCH);
1872 }
1873 return (0);
1874 }
1875
1876 /*
1877 * 'see_other_gids' determines whether or not visibility of processes
1878 * and sockets with credentials holding different real gids is possible
1879 * using a variety of system MIBs.
1880 * XXX: data declarations should be together near the beginning of the file.
1881 */
1882 static int see_other_gids = 1;
1883 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1884 &see_other_gids, 0,
1885 "Unprivileged processes may see subjects/objects with different real gid");
1886
1887 /*
1888 * Determine if u1 can "see" the subject specified by u2, according to the
1889 * 'see_other_gids' policy.
1890 * Returns: 0 for permitted, ESRCH otherwise
1891 * Locks: none
1892 * References: *u1 and *u2 must not change during the call
1893 * u1 may equal u2, in which case only one reference is required
1894 */
1895 static int
cr_canseeothergids(struct ucred * u1,struct ucred * u2)1896 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
1897 {
1898 if (see_other_gids)
1899 return (0);
1900
1901 /* Restriction in force. */
1902
1903 if (realgroupmember(u1->cr_rgid, u2))
1904 return (0);
1905
1906 for (int i = 0; i < u1->cr_ngroups; i++)
1907 if (realgroupmember(u1->cr_groups[i], u2))
1908 return (0);
1909
1910 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0)
1911 return (0);
1912
1913 return (ESRCH);
1914 }
1915
1916 /*
1917 * 'see_jail_proc' determines whether or not visibility of processes and
1918 * sockets with credentials holding different jail ids is possible using a
1919 * variety of system MIBs.
1920 *
1921 * XXX: data declarations should be together near the beginning of the file.
1922 */
1923
1924 static int see_jail_proc = 1;
1925 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
1926 &see_jail_proc, 0,
1927 "Unprivileged processes may see subjects/objects with different jail ids");
1928
1929 /*-
1930 * Determine if u1 "can see" the subject specified by u2, according to the
1931 * 'see_jail_proc' policy.
1932 * Returns: 0 for permitted, ESRCH otherwise
1933 * Locks: none
1934 * References: *u1 and *u2 must not change during the call
1935 * u1 may equal u2, in which case only one reference is required
1936 */
1937 static int
cr_canseejailproc(struct ucred * u1,struct ucred * u2)1938 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
1939 {
1940 if (see_jail_proc || /* Policy deactivated. */
1941 u1->cr_prison == u2->cr_prison || /* Same jail. */
1942 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
1943 return (0);
1944
1945 return (ESRCH);
1946 }
1947
1948 /*
1949 * Determine if u1 can tamper with the subject specified by u2, if they are in
1950 * different jails and 'unprivileged_parent_tampering' jail policy allows it.
1951 *
1952 * May be called if u1 and u2 are in the same jail, but it is expected that the
1953 * caller has already done a prison_check() prior to calling it.
1954 *
1955 * Returns: 0 for permitted, EPERM otherwise
1956 */
1957 static int
cr_can_tamper_with_subjail(struct ucred * u1,struct ucred * u2,int priv)1958 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv)
1959 {
1960
1961 MPASS(prison_check(u1, u2) == 0);
1962 if (u1->cr_prison == u2->cr_prison)
1963 return (0);
1964
1965 if (priv_check_cred(u1, priv) == 0)
1966 return (0);
1967
1968 /*
1969 * Jails do not maintain a distinct UID space, so process visibility is
1970 * all that would control an unprivileged process' ability to tamper
1971 * with a process in a subjail by default if we did not have the
1972 * allow.unprivileged_parent_tampering knob to restrict it by default.
1973 */
1974 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER))
1975 return (0);
1976
1977 return (EPERM);
1978 }
1979
1980 /*
1981 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
1982 * policies. Determines if u1 "can see" u2 according to these policies.
1983 * Returns: 0 for permitted, ESRCH otherwise
1984 */
1985 int
cr_bsd_visible(struct ucred * u1,struct ucred * u2)1986 cr_bsd_visible(struct ucred *u1, struct ucred *u2)
1987 {
1988 int error;
1989
1990 error = cr_canseeotheruids(u1, u2);
1991 if (error != 0)
1992 return (error);
1993 error = cr_canseeothergids(u1, u2);
1994 if (error != 0)
1995 return (error);
1996 error = cr_canseejailproc(u1, u2);
1997 if (error != 0)
1998 return (error);
1999 return (0);
2000 }
2001
2002 /*-
2003 * Determine if u1 "can see" the subject specified by u2.
2004 * Returns: 0 for permitted, an errno value otherwise
2005 * Locks: none
2006 * References: *u1 and *u2 must not change during the call
2007 * u1 may equal u2, in which case only one reference is required
2008 */
2009 int
cr_cansee(struct ucred * u1,struct ucred * u2)2010 cr_cansee(struct ucred *u1, struct ucred *u2)
2011 {
2012 int error;
2013
2014 if ((error = prison_check(u1, u2)))
2015 return (error);
2016 #ifdef MAC
2017 if ((error = mac_cred_check_visible(u1, u2)))
2018 return (error);
2019 #endif
2020 if ((error = cr_bsd_visible(u1, u2)))
2021 return (error);
2022 return (0);
2023 }
2024
2025 /*-
2026 * Determine if td "can see" the subject specified by p.
2027 * Returns: 0 for permitted, an errno value otherwise
2028 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
2029 * should be curthread.
2030 * References: td and p must be valid for the lifetime of the call
2031 */
2032 int
p_cansee(struct thread * td,struct proc * p)2033 p_cansee(struct thread *td, struct proc *p)
2034 {
2035 /* Wrap cr_cansee() for all functionality. */
2036 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2037 PROC_LOCK_ASSERT(p, MA_OWNED);
2038
2039 if (td->td_proc == p)
2040 return (0);
2041 return (cr_cansee(td->td_ucred, p->p_ucred));
2042 }
2043
2044 /*
2045 * 'conservative_signals' prevents the delivery of a broad class of
2046 * signals by unprivileged processes to processes that have changed their
2047 * credentials since the last invocation of execve(). This can prevent
2048 * the leakage of cached information or retained privileges as a result
2049 * of a common class of signal-related vulnerabilities. However, this
2050 * may interfere with some applications that expect to be able to
2051 * deliver these signals to peer processes after having given up
2052 * privilege.
2053 */
2054 static int conservative_signals = 1;
2055 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
2056 &conservative_signals, 0, "Unprivileged processes prevented from "
2057 "sending certain signals to processes whose credentials have changed");
2058 /*-
2059 * Determine whether cred may deliver the specified signal to proc.
2060 * Returns: 0 for permitted, an errno value otherwise.
2061 * Locks: A lock must be held for proc.
2062 * References: cred and proc must be valid for the lifetime of the call.
2063 */
2064 int
cr_cansignal(struct ucred * cred,struct proc * proc,int signum)2065 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
2066 {
2067 int error;
2068
2069 PROC_LOCK_ASSERT(proc, MA_OWNED);
2070 /*
2071 * Jail semantics limit the scope of signalling to proc in the
2072 * same jail as cred, if cred is in jail.
2073 */
2074 error = prison_check(cred, proc->p_ucred);
2075 if (error)
2076 return (error);
2077 #ifdef MAC
2078 if ((error = mac_proc_check_signal(cred, proc, signum)))
2079 return (error);
2080 #endif
2081 if ((error = cr_bsd_visible(cred, proc->p_ucred)))
2082 return (error);
2083
2084 /*
2085 * UNIX signal semantics depend on the status of the P_SUGID
2086 * bit on the target process. If the bit is set, then additional
2087 * restrictions are placed on the set of available signals.
2088 */
2089 if (conservative_signals && (proc->p_flag & P_SUGID)) {
2090 switch (signum) {
2091 case 0:
2092 case SIGKILL:
2093 case SIGINT:
2094 case SIGTERM:
2095 case SIGALRM:
2096 case SIGSTOP:
2097 case SIGTTIN:
2098 case SIGTTOU:
2099 case SIGTSTP:
2100 case SIGHUP:
2101 case SIGUSR1:
2102 case SIGUSR2:
2103 /*
2104 * Generally, permit job and terminal control
2105 * signals.
2106 */
2107 break;
2108 default:
2109 /* Not permitted without privilege. */
2110 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
2111 if (error)
2112 return (error);
2113 }
2114 }
2115
2116 /*
2117 * Generally, the target credential's ruid or svuid must match the
2118 * subject credential's ruid or euid.
2119 */
2120 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
2121 cred->cr_ruid != proc->p_ucred->cr_svuid &&
2122 cred->cr_uid != proc->p_ucred->cr_ruid &&
2123 cred->cr_uid != proc->p_ucred->cr_svuid) {
2124 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
2125 if (error)
2126 return (error);
2127 }
2128
2129 /*
2130 * At this point, the target may be in a different jail than the
2131 * subject -- the subject must be in a parent jail to the target,
2132 * whether it is prison0 or a subordinate of prison0 that has
2133 * children. Additional privileges are required to allow this, as
2134 * whether the creds are truly equivalent or not must be determined on
2135 * a case-by-case basis.
2136 */
2137 error = cr_can_tamper_with_subjail(cred, proc->p_ucred,
2138 PRIV_SIGNAL_DIFFJAIL);
2139 if (error)
2140 return (error);
2141
2142 return (0);
2143 }
2144
2145 /*-
2146 * Determine whether td may deliver the specified signal to p.
2147 * Returns: 0 for permitted, an errno value otherwise
2148 * Locks: Sufficient locks to protect various components of td and p
2149 * must be held. td must be curthread, and a lock must be
2150 * held for p.
2151 * References: td and p must be valid for the lifetime of the call
2152 */
2153 int
p_cansignal(struct thread * td,struct proc * p,int signum)2154 p_cansignal(struct thread *td, struct proc *p, int signum)
2155 {
2156
2157 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2158 PROC_LOCK_ASSERT(p, MA_OWNED);
2159 if (td->td_proc == p)
2160 return (0);
2161
2162 /*
2163 * UNIX signalling semantics require that processes in the same
2164 * session always be able to deliver SIGCONT to one another,
2165 * overriding the remaining protections.
2166 */
2167 /* XXX: This will require an additional lock of some sort. */
2168 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
2169 return (0);
2170 /*
2171 * Some compat layers use SIGTHR and higher signals for
2172 * communication between different kernel threads of the same
2173 * process, so that they expect that it's always possible to
2174 * deliver them, even for suid applications where cr_cansignal() can
2175 * deny such ability for security consideration. It should be
2176 * pretty safe to do since the only way to create two processes
2177 * with the same p_leader is via rfork(2).
2178 */
2179 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
2180 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
2181 return (0);
2182
2183 return (cr_cansignal(td->td_ucred, p, signum));
2184 }
2185
2186 /*-
2187 * Determine whether td may reschedule p.
2188 * Returns: 0 for permitted, an errno value otherwise
2189 * Locks: Sufficient locks to protect various components of td and p
2190 * must be held. td must be curthread, and a lock must
2191 * be held for p.
2192 * References: td and p must be valid for the lifetime of the call
2193 */
2194 int
p_cansched(struct thread * td,struct proc * p)2195 p_cansched(struct thread *td, struct proc *p)
2196 {
2197 int error;
2198
2199 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2200 PROC_LOCK_ASSERT(p, MA_OWNED);
2201 if (td->td_proc == p)
2202 return (0);
2203 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2204 return (error);
2205 #ifdef MAC
2206 if ((error = mac_proc_check_sched(td->td_ucred, p)))
2207 return (error);
2208 #endif
2209 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2210 return (error);
2211
2212 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
2213 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
2214 error = priv_check(td, PRIV_SCHED_DIFFCRED);
2215 if (error)
2216 return (error);
2217 }
2218
2219 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
2220 PRIV_SCHED_DIFFJAIL);
2221 if (error)
2222 return (error);
2223
2224 return (0);
2225 }
2226
2227 /*
2228 * Handle getting or setting the prison's unprivileged_proc_debug
2229 * value.
2230 */
2231 static int
sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)2232 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
2233 {
2234 int error, val;
2235
2236 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG);
2237 error = sysctl_handle_int(oidp, &val, 0, req);
2238 if (error != 0 || req->newptr == NULL)
2239 return (error);
2240 if (val != 0 && val != 1)
2241 return (EINVAL);
2242 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val);
2243 return (0);
2244 }
2245
2246 /*
2247 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
2248 * unprivileged inter-process debugging services, including some procfs
2249 * functionality, ptrace(), and ktrace(). In the past, inter-process
2250 * debugging has been involved in a variety of security problems, and sites
2251 * not requiring the service might choose to disable it when hardening
2252 * systems.
2253 */
2254 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
2255 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
2256 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
2257 "Unprivileged processes may use process debugging facilities");
2258
2259 /*
2260 * Return true if the object owner/group ids are subset of the active
2261 * credentials.
2262 */
2263 bool
cr_xids_subset(struct ucred * active_cred,struct ucred * obj_cred)2264 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
2265 {
2266 int i;
2267 bool grpsubset, uidsubset;
2268
2269 /*
2270 * Is p's group set a subset of td's effective group set? This
2271 * includes p's egid, group access list, rgid, and svgid.
2272 */
2273 grpsubset = true;
2274 for (i = 0; i < obj_cred->cr_ngroups; i++) {
2275 if (!groupmember(obj_cred->cr_groups[i], active_cred)) {
2276 grpsubset = false;
2277 break;
2278 }
2279 }
2280 grpsubset = grpsubset &&
2281 groupmember(obj_cred->cr_gid, active_cred) &&
2282 groupmember(obj_cred->cr_rgid, active_cred) &&
2283 groupmember(obj_cred->cr_svgid, active_cred);
2284
2285 /*
2286 * Are the uids present in obj_cred's credential equal to
2287 * active_cred's effective uid? This includes obj_cred's
2288 * euid, svuid, and ruid.
2289 */
2290 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid &&
2291 active_cred->cr_uid == obj_cred->cr_svuid &&
2292 active_cred->cr_uid == obj_cred->cr_ruid);
2293
2294 return (uidsubset && grpsubset);
2295 }
2296
2297 /*-
2298 * Determine whether td may debug p.
2299 * Returns: 0 for permitted, an errno value otherwise
2300 * Locks: Sufficient locks to protect various components of td and p
2301 * must be held. td must be curthread, and a lock must
2302 * be held for p.
2303 * References: td and p must be valid for the lifetime of the call
2304 */
2305 int
p_candebug(struct thread * td,struct proc * p)2306 p_candebug(struct thread *td, struct proc *p)
2307 {
2308 int error;
2309
2310 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2311 PROC_LOCK_ASSERT(p, MA_OWNED);
2312 if (td->td_proc == p)
2313 return (0);
2314 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
2315 return (error);
2316 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2317 return (error);
2318 #ifdef MAC
2319 if ((error = mac_proc_check_debug(td->td_ucred, p)))
2320 return (error);
2321 #endif
2322 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2323 return (error);
2324
2325 /*
2326 * If p's gids aren't a subset, or the uids aren't a subset,
2327 * or the credential has changed, require appropriate privilege
2328 * for td to debug p.
2329 */
2330 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) {
2331 error = priv_check(td, PRIV_DEBUG_DIFFCRED);
2332 if (error)
2333 return (error);
2334 }
2335
2336 /*
2337 * Has the credential of the process changed since the last exec()?
2338 */
2339 if ((p->p_flag & P_SUGID) != 0) {
2340 error = priv_check(td, PRIV_DEBUG_SUGID);
2341 if (error)
2342 return (error);
2343 }
2344
2345 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
2346 PRIV_DEBUG_DIFFJAIL);
2347 if (error)
2348 return (error);
2349
2350 /* Can't trace init when securelevel > 0. */
2351 if (p == initproc) {
2352 error = securelevel_gt(td->td_ucred, 0);
2353 if (error)
2354 return (error);
2355 }
2356
2357 /*
2358 * Can't trace a process that's currently exec'ing.
2359 *
2360 * XXX: Note, this is not a security policy decision, it's a
2361 * basic correctness/functionality decision. Therefore, this check
2362 * should be moved to the caller's of p_candebug().
2363 */
2364 if ((p->p_flag & P_INEXEC) != 0)
2365 return (EBUSY);
2366
2367 /* Denied explicitly */
2368 if ((p->p_flag2 & P2_NOTRACE) != 0) {
2369 error = priv_check(td, PRIV_DEBUG_DENIED);
2370 if (error != 0)
2371 return (error);
2372 }
2373
2374 return (0);
2375 }
2376
2377 /*-
2378 * Determine whether the subject represented by cred can "see" a socket.
2379 * Returns: 0 for permitted, ENOENT otherwise.
2380 */
2381 int
cr_canseesocket(struct ucred * cred,struct socket * so)2382 cr_canseesocket(struct ucred *cred, struct socket *so)
2383 {
2384 int error;
2385
2386 error = prison_check(cred, so->so_cred);
2387 if (error)
2388 return (ENOENT);
2389 #ifdef MAC
2390 error = mac_socket_check_visible(cred, so);
2391 if (error)
2392 return (error);
2393 #endif
2394 if (cr_bsd_visible(cred, so->so_cred))
2395 return (ENOENT);
2396
2397 return (0);
2398 }
2399
2400 /*-
2401 * Determine whether td can wait for the exit of p.
2402 * Returns: 0 for permitted, an errno value otherwise
2403 * Locks: Sufficient locks to protect various components of td and p
2404 * must be held. td must be curthread, and a lock must
2405 * be held for p.
2406 * References: td and p must be valid for the lifetime of the call
2407
2408 */
2409 int
p_canwait(struct thread * td,struct proc * p)2410 p_canwait(struct thread *td, struct proc *p)
2411 {
2412 int error;
2413
2414 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2415 PROC_LOCK_ASSERT(p, MA_OWNED);
2416 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2417 return (error);
2418 #ifdef MAC
2419 if ((error = mac_proc_check_wait(td->td_ucred, p)))
2420 return (error);
2421 #endif
2422 #if 0
2423 /* XXXMAC: This could have odd effects on some shells. */
2424 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2425 return (error);
2426 #endif
2427
2428 return (0);
2429 }
2430
2431 /*
2432 * Credential management.
2433 *
2434 * struct ucred objects are rarely allocated but gain and lose references all
2435 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into
2436 * a significant source of cache-line ping ponging. Common cases are worked
2437 * around by modifying thread-local counter instead if the cred to operate on
2438 * matches td_realucred.
2439 *
2440 * The counter is split into 2 parts:
2441 * - cr_users -- total count of all struct proc and struct thread objects
2442 * which have given cred in p_ucred and td_ucred respectively
2443 * - cr_ref -- the actual ref count, only valid if cr_users == 0
2444 *
2445 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if
2446 * the count reaches 0 the object is freeable.
2447 * If users > 0 and curthread->td_realucred == cred, then updates are performed
2448 * against td_ucredref.
2449 * In other cases updates are performed against cr_ref.
2450 *
2451 * Changing td_realucred into something else decrements cr_users and transfers
2452 * accumulated updates.
2453 */
2454 struct ucred *
crcowget(struct ucred * cr)2455 crcowget(struct ucred *cr)
2456 {
2457
2458 mtx_lock(&cr->cr_mtx);
2459 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2460 __func__, cr->cr_users, cr));
2461 cr->cr_users++;
2462 cr->cr_ref++;
2463 mtx_unlock(&cr->cr_mtx);
2464 return (cr);
2465 }
2466
2467 static struct ucred *
crunuse(struct thread * td)2468 crunuse(struct thread *td)
2469 {
2470 struct ucred *cr, *crold;
2471
2472 MPASS(td->td_realucred == td->td_ucred);
2473 cr = td->td_realucred;
2474 mtx_lock(&cr->cr_mtx);
2475 cr->cr_ref += td->td_ucredref;
2476 td->td_ucredref = 0;
2477 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2478 __func__, cr->cr_users, cr));
2479 cr->cr_users--;
2480 if (cr->cr_users == 0) {
2481 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2482 __func__, cr->cr_ref, cr));
2483 crold = cr;
2484 } else {
2485 cr->cr_ref--;
2486 crold = NULL;
2487 }
2488 mtx_unlock(&cr->cr_mtx);
2489 td->td_realucred = NULL;
2490 return (crold);
2491 }
2492
2493 static void
crunusebatch(struct ucred * cr,u_int users,long ref)2494 crunusebatch(struct ucred *cr, u_int users, long ref)
2495 {
2496
2497 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
2498 __func__, users, cr));
2499 mtx_lock(&cr->cr_mtx);
2500 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
2501 __func__, cr->cr_users, users, cr));
2502 cr->cr_users -= users;
2503 cr->cr_ref += ref;
2504 cr->cr_ref -= users;
2505 if (cr->cr_users > 0) {
2506 mtx_unlock(&cr->cr_mtx);
2507 return;
2508 }
2509 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2510 __func__, cr->cr_ref, cr));
2511 if (cr->cr_ref > 0) {
2512 mtx_unlock(&cr->cr_mtx);
2513 return;
2514 }
2515 crfree_final(cr);
2516 }
2517
2518 void
crcowfree(struct thread * td)2519 crcowfree(struct thread *td)
2520 {
2521 struct ucred *cr;
2522
2523 cr = crunuse(td);
2524 if (cr != NULL)
2525 crfree(cr);
2526 }
2527
2528 struct ucred *
crcowsync(void)2529 crcowsync(void)
2530 {
2531 struct thread *td;
2532 struct proc *p;
2533 struct ucred *crnew, *crold;
2534
2535 td = curthread;
2536 p = td->td_proc;
2537 PROC_LOCK_ASSERT(p, MA_OWNED);
2538
2539 MPASS(td->td_realucred == td->td_ucred);
2540 if (td->td_realucred == p->p_ucred)
2541 return (NULL);
2542
2543 crnew = crcowget(p->p_ucred);
2544 crold = crunuse(td);
2545 td->td_realucred = crnew;
2546 td->td_ucred = td->td_realucred;
2547 return (crold);
2548 }
2549
2550 /*
2551 * Batching.
2552 */
2553 void
credbatch_add(struct credbatch * crb,struct thread * td)2554 credbatch_add(struct credbatch *crb, struct thread *td)
2555 {
2556 struct ucred *cr;
2557
2558 MPASS(td->td_realucred != NULL);
2559 MPASS(td->td_realucred == td->td_ucred);
2560 MPASS(TD_GET_STATE(td) == TDS_INACTIVE);
2561 cr = td->td_realucred;
2562 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2563 __func__, cr->cr_users, cr));
2564 if (crb->cred != cr) {
2565 if (crb->users > 0) {
2566 MPASS(crb->cred != NULL);
2567 crunusebatch(crb->cred, crb->users, crb->ref);
2568 crb->users = 0;
2569 crb->ref = 0;
2570 }
2571 }
2572 crb->cred = cr;
2573 crb->users++;
2574 crb->ref += td->td_ucredref;
2575 td->td_ucredref = 0;
2576 td->td_realucred = NULL;
2577 }
2578
2579 void
credbatch_final(struct credbatch * crb)2580 credbatch_final(struct credbatch *crb)
2581 {
2582
2583 MPASS(crb->cred != NULL);
2584 MPASS(crb->users > 0);
2585 crunusebatch(crb->cred, crb->users, crb->ref);
2586 }
2587
2588 /*
2589 * Allocate a zeroed cred structure.
2590 */
2591 struct ucred *
crget(void)2592 crget(void)
2593 {
2594 struct ucred *cr;
2595
2596 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
2597 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
2598 cr->cr_ref = 1;
2599 #ifdef AUDIT
2600 audit_cred_init(cr);
2601 #endif
2602 #ifdef MAC
2603 mac_cred_init(cr);
2604 #endif
2605 cr->cr_groups = cr->cr_smallgroups;
2606 cr->cr_agroups = nitems(cr->cr_smallgroups);
2607 return (cr);
2608 }
2609
2610 /*
2611 * Claim another reference to a ucred structure.
2612 */
2613 struct ucred *
crhold(struct ucred * cr)2614 crhold(struct ucred *cr)
2615 {
2616 struct thread *td;
2617
2618 td = curthread;
2619 if (__predict_true(td->td_realucred == cr)) {
2620 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2621 __func__, cr->cr_users, cr));
2622 td->td_ucredref++;
2623 return (cr);
2624 }
2625 mtx_lock(&cr->cr_mtx);
2626 cr->cr_ref++;
2627 mtx_unlock(&cr->cr_mtx);
2628 return (cr);
2629 }
2630
2631 /*
2632 * Free a cred structure. Throws away space when ref count gets to 0.
2633 */
2634 void
crfree(struct ucred * cr)2635 crfree(struct ucred *cr)
2636 {
2637 struct thread *td;
2638
2639 td = curthread;
2640 if (__predict_true(td->td_realucred == cr)) {
2641 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2642 __func__, cr->cr_users, cr));
2643 td->td_ucredref--;
2644 return;
2645 }
2646 mtx_lock(&cr->cr_mtx);
2647 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
2648 __func__, cr->cr_users, cr));
2649 cr->cr_ref--;
2650 if (cr->cr_users > 0) {
2651 mtx_unlock(&cr->cr_mtx);
2652 return;
2653 }
2654 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2655 __func__, cr->cr_ref, cr));
2656 if (cr->cr_ref > 0) {
2657 mtx_unlock(&cr->cr_mtx);
2658 return;
2659 }
2660 crfree_final(cr);
2661 }
2662
2663 static void
crfree_final(struct ucred * cr)2664 crfree_final(struct ucred *cr)
2665 {
2666
2667 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
2668 __func__, cr->cr_users, cr));
2669 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p",
2670 __func__, cr->cr_ref, cr));
2671
2672 /*
2673 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
2674 * credential, but don't allocate a uidinfo structure.
2675 */
2676 if (cr->cr_uidinfo != NULL)
2677 uifree(cr->cr_uidinfo);
2678 if (cr->cr_ruidinfo != NULL)
2679 uifree(cr->cr_ruidinfo);
2680 if (cr->cr_prison != NULL)
2681 prison_free(cr->cr_prison);
2682 if (cr->cr_loginclass != NULL)
2683 loginclass_free(cr->cr_loginclass);
2684 #ifdef AUDIT
2685 audit_cred_destroy(cr);
2686 #endif
2687 #ifdef MAC
2688 mac_cred_destroy(cr);
2689 #endif
2690 mtx_destroy(&cr->cr_mtx);
2691 if (cr->cr_groups != cr->cr_smallgroups)
2692 free(cr->cr_groups, M_CRED);
2693 free(cr, M_CRED);
2694 }
2695
2696 /*
2697 * Copy a ucred's contents from a template. Does not block.
2698 */
2699 void
crcopy(struct ucred * dest,struct ucred * src)2700 crcopy(struct ucred *dest, struct ucred *src)
2701 {
2702
2703 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
2704 (unsigned)((caddr_t)&src->cr_endcopy -
2705 (caddr_t)&src->cr_startcopy));
2706 dest->cr_flags = src->cr_flags;
2707 crsetgroups(dest, src->cr_ngroups, src->cr_groups);
2708 uihold(dest->cr_uidinfo);
2709 uihold(dest->cr_ruidinfo);
2710 prison_hold(dest->cr_prison);
2711 loginclass_hold(dest->cr_loginclass);
2712 #ifdef AUDIT
2713 audit_cred_copy(src, dest);
2714 #endif
2715 #ifdef MAC
2716 mac_cred_copy(src, dest);
2717 #endif
2718 }
2719
2720 /*
2721 * Dup cred struct to a new held one.
2722 */
2723 struct ucred *
crdup(struct ucred * cr)2724 crdup(struct ucred *cr)
2725 {
2726 struct ucred *newcr;
2727
2728 newcr = crget();
2729 crcopy(newcr, cr);
2730 return (newcr);
2731 }
2732
2733 /*
2734 * Fill in a struct xucred based on a struct ucred.
2735 */
2736 void
cru2x(struct ucred * cr,struct xucred * xcr)2737 cru2x(struct ucred *cr, struct xucred *xcr)
2738 {
2739 int ngroups;
2740
2741 bzero(xcr, sizeof(*xcr));
2742 xcr->cr_version = XUCRED_VERSION;
2743 xcr->cr_uid = cr->cr_uid;
2744 xcr->cr_gid = cr->cr_gid;
2745
2746 /*
2747 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so
2748 * this is kind of ugly; cr_ngroups still includes the egid for our
2749 * purposes to avoid bumping the xucred version.
2750 */
2751 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups));
2752 xcr->cr_ngroups = ngroups;
2753 bcopy(cr->cr_groups, xcr->cr_sgroups,
2754 (ngroups - 1) * sizeof(*cr->cr_groups));
2755 }
2756
2757 void
cru2xt(struct thread * td,struct xucred * xcr)2758 cru2xt(struct thread *td, struct xucred *xcr)
2759 {
2760
2761 cru2x(td->td_ucred, xcr);
2762 xcr->cr_pid = td->td_proc->p_pid;
2763 }
2764
2765 /*
2766 * Change process credentials.
2767 *
2768 * Callers are responsible for providing the reference for passed credentials
2769 * and for freeing old ones. Calls chgproccnt() to correctly account the
2770 * current process to the proper real UID, if the latter has changed. Returns
2771 * whether the operation was successful. Failure can happen only on
2772 * 'enforce_proc_lim' being true and if no new process can be accounted to the
2773 * new real UID because of the current limit (see the inner comment for more
2774 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override
2775 * that. In this case, the reference to 'newcred' is not taken over.
2776 */
2777 static bool
_proc_set_cred(struct proc * p,struct ucred * newcred,bool enforce_proc_lim)2778 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim)
2779 {
2780 struct ucred *const oldcred = p->p_ucred;
2781
2782 MPASS(oldcred != NULL);
2783 PROC_LOCK_ASSERT(p, MA_OWNED);
2784
2785 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) {
2786 /*
2787 * XXXOC: This check is flawed but nonetheless the best we can
2788 * currently do as we don't really track limits per UID contrary
2789 * to what we pretend in setrlimit(2). Until this is reworked,
2790 * we just check here that the number of processes for our new
2791 * real UID doesn't exceed this process' process number limit
2792 * (which is meant to be associated with the current real UID).
2793 */
2794 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1,
2795 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0);
2796
2797 if (!proccnt_changed) {
2798 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0)
2799 return (false);
2800 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2801 }
2802 }
2803
2804 mtx_lock(&oldcred->cr_mtx);
2805 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2806 __func__, oldcred->cr_users, oldcred));
2807 oldcred->cr_users--;
2808 mtx_unlock(&oldcred->cr_mtx);
2809 mtx_lock(&newcred->cr_mtx);
2810 newcred->cr_users++;
2811 mtx_unlock(&newcred->cr_mtx);
2812 p->p_ucred = newcred;
2813 PROC_UPDATE_COW(p);
2814 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo)
2815 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0);
2816 return (true);
2817 }
2818
2819 void
proc_set_cred(struct proc * p,struct ucred * newcred)2820 proc_set_cred(struct proc *p, struct ucred *newcred)
2821 {
2822 bool success __diagused = _proc_set_cred(p, newcred, false);
2823
2824 MPASS(success);
2825 }
2826
2827 bool
proc_set_cred_enforce_proc_lim(struct proc * p,struct ucred * newcred)2828 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred)
2829 {
2830 return (_proc_set_cred(p, newcred, true));
2831 }
2832
2833 void
proc_unset_cred(struct proc * p,bool decrement_proc_count)2834 proc_unset_cred(struct proc *p, bool decrement_proc_count)
2835 {
2836 struct ucred *cr;
2837
2838 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
2839 cr = p->p_ucred;
2840 p->p_ucred = NULL;
2841 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2842 __func__, cr->cr_users, cr));
2843 mtx_lock(&cr->cr_mtx);
2844 cr->cr_users--;
2845 if (cr->cr_users == 0)
2846 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2847 __func__, cr->cr_ref, cr));
2848 mtx_unlock(&cr->cr_mtx);
2849 if (decrement_proc_count)
2850 (void)chgproccnt(cr->cr_ruidinfo, -1, 0);
2851 crfree(cr);
2852 }
2853
2854 struct ucred *
crcopysafe(struct proc * p,struct ucred * cr)2855 crcopysafe(struct proc *p, struct ucred *cr)
2856 {
2857 struct ucred *oldcred;
2858 int groups;
2859
2860 PROC_LOCK_ASSERT(p, MA_OWNED);
2861
2862 oldcred = p->p_ucred;
2863 while (cr->cr_agroups < oldcred->cr_ngroups) {
2864 groups = oldcred->cr_ngroups;
2865 PROC_UNLOCK(p);
2866 crextend(cr, groups);
2867 PROC_LOCK(p);
2868 oldcred = p->p_ucred;
2869 }
2870 crcopy(cr, oldcred);
2871
2872 return (oldcred);
2873 }
2874
2875 /*
2876 * Extend the passed-in credentials to hold n groups.
2877 *
2878 * Must not be called after groups have been set.
2879 */
2880 void
crextend(struct ucred * cr,int n)2881 crextend(struct ucred *cr, int n)
2882 {
2883 size_t nbytes;
2884
2885 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2886 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0,
2887 "groups on 'cr' already set!");
2888 groups_check_positive_len(n);
2889 groups_check_max_len(n);
2890
2891 if (n <= cr->cr_agroups)
2892 return;
2893
2894 nbytes = n * sizeof(gid_t);
2895 if (nbytes < n)
2896 panic("Too many groups (memory size overflow)! "
2897 "Computation of 'kern.ngroups' should have prevented this, "
2898 "please fix it. In the meantime, reduce 'kern.ngroups'.");
2899
2900 /*
2901 * We allocate a power of 2 larger than 'nbytes', except when that
2902 * exceeds PAGE_SIZE, in which case we allocate the right multiple of
2903 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2()
2904 * below) but do not need to for sizeof(gid_t).
2905 */
2906 if (nbytes < PAGE_SIZE) {
2907 if (!powerof2(nbytes))
2908 /* fls*() return a bit index starting at 1. */
2909 nbytes = 1 << flsl(nbytes);
2910 } else
2911 nbytes = roundup2(nbytes, PAGE_SIZE);
2912
2913 /* Free the old array. */
2914 if (cr->cr_groups != cr->cr_smallgroups)
2915 free(cr->cr_groups, M_CRED);
2916
2917 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO);
2918 cr->cr_agroups = nbytes / sizeof(gid_t);
2919 }
2920
2921 /*
2922 * Normalizes a set of groups to be applied to a 'struct ucred'.
2923 *
2924 * Normalization ensures that the supplementary groups are sorted in ascending
2925 * order and do not contain duplicates. This allows group_is_supplementary() to
2926 * do a binary search.
2927 */
2928 static void
groups_normalize(int * ngrp,gid_t * groups)2929 groups_normalize(int *ngrp, gid_t *groups)
2930 {
2931 gid_t prev_g;
2932 int ins_idx;
2933
2934 groups_check_positive_len(*ngrp);
2935 groups_check_max_len(*ngrp);
2936
2937 if (*ngrp <= 1)
2938 return;
2939
2940 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp);
2941
2942 /* Remove duplicates. */
2943 prev_g = groups[0];
2944 ins_idx = 1;
2945 for (int i = ins_idx; i < *ngrp; ++i) {
2946 const gid_t g = groups[i];
2947
2948 if (g != prev_g) {
2949 if (i != ins_idx)
2950 groups[ins_idx] = g;
2951 ++ins_idx;
2952 prev_g = g;
2953 }
2954 }
2955 *ngrp = ins_idx;
2956
2957 groups_check_normalized(*ngrp, groups);
2958 }
2959
2960 /*
2961 * Internal function copying groups into a credential.
2962 *
2963 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have
2964 * been normalized in advance (see groups_normalize()), else it must be so
2965 * before the structure is to be used again.
2966 *
2967 * This function is suitable to be used under any lock (it doesn't take any lock
2968 * itself nor sleep, and in particular doesn't allocate memory). crextend()
2969 * must have been called beforehand to ensure sufficient space is available.
2970 * See also crsetgroups(), which handles that.
2971 */
2972 static void
crsetgroups_internal(struct ucred * cr,int ngrp,const gid_t * groups)2973 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups)
2974 {
2975
2976 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2977 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small");
2978 groups_check_positive_len(ngrp);
2979
2980 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t));
2981 cr->cr_ngroups = ngrp;
2982 cr->cr_flags |= CRED_FLAG_GROUPSET;
2983 }
2984
2985 /*
2986 * Copy groups in to a credential after expanding it if required.
2987 *
2988 * May sleep in order to allocate memory (except if, e.g., crextend() was called
2989 * before with 'ngrp' or greater). Truncates the list to 'ngroups_max' if
2990 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be
2991 * positive.
2992 */
2993 void
crsetgroups(struct ucred * cr,int ngrp,const gid_t * groups)2994 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups)
2995 {
2996
2997 if (ngrp > ngroups_max)
2998 ngrp = ngroups_max;
2999 cr->cr_ngroups = 0;
3000 if (ngrp == 0) {
3001 cr->cr_flags |= CRED_FLAG_GROUPSET;
3002 return;
3003 }
3004
3005 /*
3006 * crextend() asserts that groups are not set, as it may allocate a new
3007 * backing storage without copying the content of the old one. Since we
3008 * are going to install a completely new set anyway, signal that we
3009 * consider the old ones thrown away.
3010 */
3011 cr->cr_flags &= ~CRED_FLAG_GROUPSET;
3012
3013 crextend(cr, ngrp);
3014 crsetgroups_internal(cr, ngrp, groups);
3015 groups_normalize(&cr->cr_ngroups, cr->cr_groups);
3016 }
3017
3018 /*
3019 * Same as crsetgroups() but sets the effective GID as well.
3020 *
3021 * This function ensures that an effective GID is always present in credentials.
3022 * An empty array will only set the effective GID to 'default_egid', while
3023 * a non-empty array will peel off groups[0] to set as the effective GID and use
3024 * the remainder, if any, as supplementary groups.
3025 */
3026 void
crsetgroups_and_egid(struct ucred * cr,int ngrp,const gid_t * groups,const gid_t default_egid)3027 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups,
3028 const gid_t default_egid)
3029 {
3030 if (ngrp == 0) {
3031 cr->cr_gid = default_egid;
3032 cr->cr_ngroups = 0;
3033 cr->cr_flags |= CRED_FLAG_GROUPSET;
3034 return;
3035 }
3036
3037 crsetgroups(cr, ngrp - 1, groups + 1);
3038 cr->cr_gid = groups[0];
3039 }
3040
3041 /*
3042 * Get login name, if available.
3043 */
3044 #ifndef _SYS_SYSPROTO_H_
3045 struct getlogin_args {
3046 char *namebuf;
3047 u_int namelen;
3048 };
3049 #endif
3050 /* ARGSUSED */
3051 int
sys_getlogin(struct thread * td,struct getlogin_args * uap)3052 sys_getlogin(struct thread *td, struct getlogin_args *uap)
3053 {
3054 char login[MAXLOGNAME];
3055 struct proc *p = td->td_proc;
3056 size_t len;
3057
3058 if (uap->namelen > MAXLOGNAME)
3059 uap->namelen = MAXLOGNAME;
3060 PROC_LOCK(p);
3061 SESS_LOCK(p->p_session);
3062 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
3063 SESS_UNLOCK(p->p_session);
3064 PROC_UNLOCK(p);
3065 if (len > uap->namelen)
3066 return (ERANGE);
3067 return (copyout(login, uap->namebuf, len));
3068 }
3069
3070 /*
3071 * Set login name.
3072 */
3073 #ifndef _SYS_SYSPROTO_H_
3074 struct setlogin_args {
3075 char *namebuf;
3076 };
3077 #endif
3078 /* ARGSUSED */
3079 int
sys_setlogin(struct thread * td,struct setlogin_args * uap)3080 sys_setlogin(struct thread *td, struct setlogin_args *uap)
3081 {
3082 struct proc *p = td->td_proc;
3083 int error;
3084 char logintmp[MAXLOGNAME];
3085
3086 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
3087
3088 error = priv_check(td, PRIV_PROC_SETLOGIN);
3089 if (error)
3090 return (error);
3091 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
3092 if (error != 0) {
3093 if (error == ENAMETOOLONG)
3094 error = EINVAL;
3095 return (error);
3096 }
3097 AUDIT_ARG_LOGIN(logintmp);
3098 PROC_LOCK(p);
3099 SESS_LOCK(p->p_session);
3100 strcpy(p->p_session->s_login, logintmp);
3101 SESS_UNLOCK(p->p_session);
3102 PROC_UNLOCK(p);
3103 return (0);
3104 }
3105
3106 void
setsugid(struct proc * p)3107 setsugid(struct proc *p)
3108 {
3109
3110 PROC_LOCK_ASSERT(p, MA_OWNED);
3111 p->p_flag |= P_SUGID;
3112 }
3113
3114 /*-
3115 * Change a process's effective uid.
3116 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
3117 * References: newcred must be an exclusive credential reference for the
3118 * duration of the call.
3119 */
3120 void
change_euid(struct ucred * newcred,struct uidinfo * euip)3121 change_euid(struct ucred *newcred, struct uidinfo *euip)
3122 {
3123
3124 newcred->cr_uid = euip->ui_uid;
3125 uihold(euip);
3126 uifree(newcred->cr_uidinfo);
3127 newcred->cr_uidinfo = euip;
3128 }
3129
3130 /*-
3131 * Change a process's effective gid.
3132 * Side effects: newcred->cr_gid will be modified.
3133 * References: newcred must be an exclusive credential reference for the
3134 * duration of the call.
3135 */
3136 void
change_egid(struct ucred * newcred,gid_t egid)3137 change_egid(struct ucred *newcred, gid_t egid)
3138 {
3139
3140 newcred->cr_gid = egid;
3141 }
3142
3143 /*-
3144 * Change a process's real uid.
3145 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
3146 * will be updated.
3147 * References: newcred must be an exclusive credential reference for the
3148 * duration of the call.
3149 */
3150 void
change_ruid(struct ucred * newcred,struct uidinfo * ruip)3151 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
3152 {
3153
3154 newcred->cr_ruid = ruip->ui_uid;
3155 uihold(ruip);
3156 uifree(newcred->cr_ruidinfo);
3157 newcred->cr_ruidinfo = ruip;
3158 }
3159
3160 /*-
3161 * Change a process's real gid.
3162 * Side effects: newcred->cr_rgid will be updated.
3163 * References: newcred must be an exclusive credential reference for the
3164 * duration of the call.
3165 */
3166 void
change_rgid(struct ucred * newcred,gid_t rgid)3167 change_rgid(struct ucred *newcred, gid_t rgid)
3168 {
3169
3170 newcred->cr_rgid = rgid;
3171 }
3172
3173 /*-
3174 * Change a process's saved uid.
3175 * Side effects: newcred->cr_svuid will be updated.
3176 * References: newcred must be an exclusive credential reference for the
3177 * duration of the call.
3178 */
3179 void
change_svuid(struct ucred * newcred,uid_t svuid)3180 change_svuid(struct ucred *newcred, uid_t svuid)
3181 {
3182
3183 newcred->cr_svuid = svuid;
3184 }
3185
3186 /*-
3187 * Change a process's saved gid.
3188 * Side effects: newcred->cr_svgid will be updated.
3189 * References: newcred must be an exclusive credential reference for the
3190 * duration of the call.
3191 */
3192 void
change_svgid(struct ucred * newcred,gid_t svgid)3193 change_svgid(struct ucred *newcred, gid_t svgid)
3194 {
3195
3196 newcred->cr_svgid = svgid;
3197 }
3198
3199 bool allow_ptrace = true;
3200 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
3201 &allow_ptrace, 0,
3202 "Deny ptrace(2) use by returning ENOSYS");
3203