1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5 * The Regents of the University of California.
6 * (c) UNIX System Laboratories, Inc.
7 * Copyright (c) 2000-2001 Robert N. M. Watson.
8 * All rights reserved.
9 *
10 * All or some portions of this file are derived from material licensed
11 * to the University of California by American Telephone and Telegraph
12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
13 * the permission of UNIX System Laboratories, Inc.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 */
39
40 /*
41 * System calls related to processes and protection
42 */
43
44 #include <sys/cdefs.h>
45 #include "opt_inet.h"
46 #include "opt_inet6.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/acct.h>
51 #include <sys/kdb.h>
52 #include <sys/kernel.h>
53 #include <sys/libkern.h>
54 #include <sys/lock.h>
55 #include <sys/loginclass.h>
56 #include <sys/malloc.h>
57 #include <sys/mutex.h>
58 #include <sys/ptrace.h>
59 #include <sys/refcount.h>
60 #include <sys/sx.h>
61 #include <sys/priv.h>
62 #include <sys/proc.h>
63 #ifdef COMPAT_43
64 #include <sys/sysent.h>
65 #endif
66 #include <sys/sysproto.h>
67 #include <sys/jail.h>
68 #include <sys/racct.h>
69 #include <sys/rctl.h>
70 #include <sys/resourcevar.h>
71 #include <sys/socket.h>
72 #include <sys/socketvar.h>
73 #include <sys/syscallsubr.h>
74 #include <sys/sysctl.h>
75
76 #include <vm/uma.h>
77
78 #ifdef REGRESSION
79 FEATURE(regression,
80 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
81 #endif
82
83 #include <security/audit/audit.h>
84 #include <security/mac/mac_framework.h>
85
86 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
87
88 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
89 "BSD security policy");
90
91 static void crfree_final(struct ucred *cr);
92
93 static inline void
groups_check_positive_len(int ngrp)94 groups_check_positive_len(int ngrp)
95 {
96 MPASS2(ngrp >= 0, "negative number of groups");
97 MPASS2(ngrp != 0, "at least one group expected (effective GID)");
98 }
99 static inline void
groups_check_max_len(int ngrp)100 groups_check_max_len(int ngrp)
101 {
102 MPASS2(ngrp <= ngroups_max + 1, "too many groups");
103 }
104
105 static void groups_normalize(int *ngrp, gid_t *groups);
106 static void crsetgroups_internal(struct ucred *cr, int ngrp,
107 const gid_t *groups);
108
109 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
110 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
111 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2);
112
113 #ifndef _SYS_SYSPROTO_H_
114 struct getpid_args {
115 int dummy;
116 };
117 #endif
118 /* ARGSUSED */
119 int
sys_getpid(struct thread * td,struct getpid_args * uap)120 sys_getpid(struct thread *td, struct getpid_args *uap)
121 {
122 struct proc *p = td->td_proc;
123
124 td->td_retval[0] = p->p_pid;
125 #if defined(COMPAT_43)
126 if (SV_PROC_FLAG(p, SV_AOUT))
127 td->td_retval[1] = kern_getppid(td);
128 #endif
129 return (0);
130 }
131
132 #ifndef _SYS_SYSPROTO_H_
133 struct getppid_args {
134 int dummy;
135 };
136 #endif
137 /* ARGSUSED */
138 int
sys_getppid(struct thread * td,struct getppid_args * uap)139 sys_getppid(struct thread *td, struct getppid_args *uap)
140 {
141
142 td->td_retval[0] = kern_getppid(td);
143 return (0);
144 }
145
146 int
kern_getppid(struct thread * td)147 kern_getppid(struct thread *td)
148 {
149 struct proc *p = td->td_proc;
150
151 return (p->p_oppid);
152 }
153
154 /*
155 * Get process group ID; note that POSIX getpgrp takes no parameter.
156 */
157 #ifndef _SYS_SYSPROTO_H_
158 struct getpgrp_args {
159 int dummy;
160 };
161 #endif
162 int
sys_getpgrp(struct thread * td,struct getpgrp_args * uap)163 sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
164 {
165 struct proc *p = td->td_proc;
166
167 PROC_LOCK(p);
168 td->td_retval[0] = p->p_pgrp->pg_id;
169 PROC_UNLOCK(p);
170 return (0);
171 }
172
173 /* Get an arbitrary pid's process group id */
174 #ifndef _SYS_SYSPROTO_H_
175 struct getpgid_args {
176 pid_t pid;
177 };
178 #endif
179 int
sys_getpgid(struct thread * td,struct getpgid_args * uap)180 sys_getpgid(struct thread *td, struct getpgid_args *uap)
181 {
182 struct proc *p;
183 int error;
184
185 if (uap->pid == 0) {
186 p = td->td_proc;
187 PROC_LOCK(p);
188 } else {
189 p = pfind(uap->pid);
190 if (p == NULL)
191 return (ESRCH);
192 error = p_cansee(td, p);
193 if (error) {
194 PROC_UNLOCK(p);
195 return (error);
196 }
197 }
198 td->td_retval[0] = p->p_pgrp->pg_id;
199 PROC_UNLOCK(p);
200 return (0);
201 }
202
203 /*
204 * Get an arbitrary pid's session id.
205 */
206 #ifndef _SYS_SYSPROTO_H_
207 struct getsid_args {
208 pid_t pid;
209 };
210 #endif
211 int
sys_getsid(struct thread * td,struct getsid_args * uap)212 sys_getsid(struct thread *td, struct getsid_args *uap)
213 {
214
215 return (kern_getsid(td, uap->pid));
216 }
217
218 int
kern_getsid(struct thread * td,pid_t pid)219 kern_getsid(struct thread *td, pid_t pid)
220 {
221 struct proc *p;
222 int error;
223
224 if (pid == 0) {
225 p = td->td_proc;
226 PROC_LOCK(p);
227 } else {
228 p = pfind(pid);
229 if (p == NULL)
230 return (ESRCH);
231 error = p_cansee(td, p);
232 if (error) {
233 PROC_UNLOCK(p);
234 return (error);
235 }
236 }
237 td->td_retval[0] = p->p_session->s_sid;
238 PROC_UNLOCK(p);
239 return (0);
240 }
241
242 #ifndef _SYS_SYSPROTO_H_
243 struct getuid_args {
244 int dummy;
245 };
246 #endif
247 /* ARGSUSED */
248 int
sys_getuid(struct thread * td,struct getuid_args * uap)249 sys_getuid(struct thread *td, struct getuid_args *uap)
250 {
251
252 td->td_retval[0] = td->td_ucred->cr_ruid;
253 #if defined(COMPAT_43)
254 td->td_retval[1] = td->td_ucred->cr_uid;
255 #endif
256 return (0);
257 }
258
259 #ifndef _SYS_SYSPROTO_H_
260 struct geteuid_args {
261 int dummy;
262 };
263 #endif
264 /* ARGSUSED */
265 int
sys_geteuid(struct thread * td,struct geteuid_args * uap)266 sys_geteuid(struct thread *td, struct geteuid_args *uap)
267 {
268
269 td->td_retval[0] = td->td_ucred->cr_uid;
270 return (0);
271 }
272
273 #ifndef _SYS_SYSPROTO_H_
274 struct getgid_args {
275 int dummy;
276 };
277 #endif
278 /* ARGSUSED */
279 int
sys_getgid(struct thread * td,struct getgid_args * uap)280 sys_getgid(struct thread *td, struct getgid_args *uap)
281 {
282
283 td->td_retval[0] = td->td_ucred->cr_rgid;
284 #if defined(COMPAT_43)
285 td->td_retval[1] = td->td_ucred->cr_groups[0];
286 #endif
287 return (0);
288 }
289
290 /*
291 * Get effective group ID. The "egid" is groups[0], and could be obtained
292 * via getgroups. This syscall exists because it is somewhat painful to do
293 * correctly in a library function.
294 */
295 #ifndef _SYS_SYSPROTO_H_
296 struct getegid_args {
297 int dummy;
298 };
299 #endif
300 /* ARGSUSED */
301 int
sys_getegid(struct thread * td,struct getegid_args * uap)302 sys_getegid(struct thread *td, struct getegid_args *uap)
303 {
304
305 td->td_retval[0] = td->td_ucred->cr_groups[0];
306 return (0);
307 }
308
309 #ifndef _SYS_SYSPROTO_H_
310 struct getgroups_args {
311 int gidsetsize;
312 gid_t *gidset;
313 };
314 #endif
315 int
sys_getgroups(struct thread * td,struct getgroups_args * uap)316 sys_getgroups(struct thread *td, struct getgroups_args *uap)
317 {
318 struct ucred *cred;
319 int ngrp, error;
320
321 cred = td->td_ucred;
322 ngrp = cred->cr_ngroups;
323
324 if (uap->gidsetsize == 0) {
325 error = 0;
326 goto out;
327 }
328 if (uap->gidsetsize < ngrp)
329 return (EINVAL);
330
331 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
332 out:
333 td->td_retval[0] = ngrp;
334 return (error);
335 }
336
337 #ifndef _SYS_SYSPROTO_H_
338 struct setsid_args {
339 int dummy;
340 };
341 #endif
342 /* ARGSUSED */
343 int
sys_setsid(struct thread * td,struct setsid_args * uap)344 sys_setsid(struct thread *td, struct setsid_args *uap)
345 {
346 struct pgrp *pgrp;
347 int error;
348 struct proc *p = td->td_proc;
349 struct pgrp *newpgrp;
350 struct session *newsess;
351
352 pgrp = NULL;
353
354 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
355 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
356
357 again:
358 error = 0;
359 sx_xlock(&proctree_lock);
360
361 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
362 if (pgrp != NULL)
363 PGRP_UNLOCK(pgrp);
364 error = EPERM;
365 } else {
366 error = enterpgrp(p, p->p_pid, newpgrp, newsess);
367 if (error == ERESTART)
368 goto again;
369 MPASS(error == 0);
370 td->td_retval[0] = p->p_pid;
371 newpgrp = NULL;
372 newsess = NULL;
373 }
374
375 sx_xunlock(&proctree_lock);
376
377 uma_zfree(pgrp_zone, newpgrp);
378 free(newsess, M_SESSION);
379
380 return (error);
381 }
382
383 /*
384 * set process group (setpgid/old setpgrp)
385 *
386 * caller does setpgid(targpid, targpgid)
387 *
388 * pid must be caller or child of caller (ESRCH)
389 * if a child
390 * pid must be in same session (EPERM)
391 * pid can't have done an exec (EACCES)
392 * if pgid != pid
393 * there must exist some pid in same session having pgid (EPERM)
394 * pid must not be session leader (EPERM)
395 */
396 #ifndef _SYS_SYSPROTO_H_
397 struct setpgid_args {
398 int pid; /* target process id */
399 int pgid; /* target pgrp id */
400 };
401 #endif
402 /* ARGSUSED */
403 int
sys_setpgid(struct thread * td,struct setpgid_args * uap)404 sys_setpgid(struct thread *td, struct setpgid_args *uap)
405 {
406 struct proc *curp = td->td_proc;
407 struct proc *targp; /* target process */
408 struct pgrp *pgrp; /* target pgrp */
409 int error;
410 struct pgrp *newpgrp;
411
412 if (uap->pgid < 0)
413 return (EINVAL);
414
415 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
416
417 again:
418 error = 0;
419
420 sx_xlock(&proctree_lock);
421 if (uap->pid != 0 && uap->pid != curp->p_pid) {
422 if ((targp = pfind(uap->pid)) == NULL) {
423 error = ESRCH;
424 goto done;
425 }
426 if (!inferior(targp)) {
427 PROC_UNLOCK(targp);
428 error = ESRCH;
429 goto done;
430 }
431 if ((error = p_cansee(td, targp))) {
432 PROC_UNLOCK(targp);
433 goto done;
434 }
435 if (targp->p_pgrp == NULL ||
436 targp->p_session != curp->p_session) {
437 PROC_UNLOCK(targp);
438 error = EPERM;
439 goto done;
440 }
441 if (targp->p_flag & P_EXEC) {
442 PROC_UNLOCK(targp);
443 error = EACCES;
444 goto done;
445 }
446 PROC_UNLOCK(targp);
447 } else
448 targp = curp;
449 if (SESS_LEADER(targp)) {
450 error = EPERM;
451 goto done;
452 }
453 if (uap->pgid == 0)
454 uap->pgid = targp->p_pid;
455 if ((pgrp = pgfind(uap->pgid)) == NULL) {
456 if (uap->pgid == targp->p_pid) {
457 error = enterpgrp(targp, uap->pgid, newpgrp,
458 NULL);
459 if (error == 0)
460 newpgrp = NULL;
461 } else
462 error = EPERM;
463 } else {
464 if (pgrp == targp->p_pgrp) {
465 PGRP_UNLOCK(pgrp);
466 goto done;
467 }
468 if (pgrp->pg_id != targp->p_pid &&
469 pgrp->pg_session != curp->p_session) {
470 PGRP_UNLOCK(pgrp);
471 error = EPERM;
472 goto done;
473 }
474 PGRP_UNLOCK(pgrp);
475 error = enterthispgrp(targp, pgrp);
476 }
477 done:
478 KASSERT(error == 0 || newpgrp != NULL,
479 ("setpgid failed and newpgrp is NULL"));
480 if (error == ERESTART)
481 goto again;
482 sx_xunlock(&proctree_lock);
483 uma_zfree(pgrp_zone, newpgrp);
484 return (error);
485 }
486
487 /*
488 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
489 * compatible. It says that setting the uid/gid to euid/egid is a special
490 * case of "appropriate privilege". Once the rules are expanded out, this
491 * basically means that setuid(nnn) sets all three id's, in all permitted
492 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
493 * does not set the saved id - this is dangerous for traditional BSD
494 * programs. For this reason, we *really* do not want to set
495 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
496 */
497 #define POSIX_APPENDIX_B_4_2_2
498
499 #ifndef _SYS_SYSPROTO_H_
500 struct setuid_args {
501 uid_t uid;
502 };
503 #endif
504 /* ARGSUSED */
505 int
sys_setuid(struct thread * td,struct setuid_args * uap)506 sys_setuid(struct thread *td, struct setuid_args *uap)
507 {
508 struct proc *p = td->td_proc;
509 struct ucred *newcred, *oldcred;
510 uid_t uid;
511 struct uidinfo *uip;
512 int error;
513
514 uid = uap->uid;
515 AUDIT_ARG_UID(uid);
516 newcred = crget();
517 uip = uifind(uid);
518 PROC_LOCK(p);
519 /*
520 * Copy credentials so other references do not see our changes.
521 */
522 oldcred = crcopysafe(p, newcred);
523
524 #ifdef MAC
525 error = mac_cred_check_setuid(oldcred, uid);
526 if (error)
527 goto fail;
528 #endif
529
530 /*
531 * See if we have "permission" by POSIX 1003.1 rules.
532 *
533 * Note that setuid(geteuid()) is a special case of
534 * "appropriate privileges" in appendix B.4.2.2. We need
535 * to use this clause to be compatible with traditional BSD
536 * semantics. Basically, it means that "setuid(xx)" sets all
537 * three id's (assuming you have privs).
538 *
539 * Notes on the logic. We do things in three steps.
540 * 1: We determine if the euid is going to change, and do EPERM
541 * right away. We unconditionally change the euid later if this
542 * test is satisfied, simplifying that part of the logic.
543 * 2: We determine if the real and/or saved uids are going to
544 * change. Determined by compile options.
545 * 3: Change euid last. (after tests in #2 for "appropriate privs")
546 */
547 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
548 #ifdef _POSIX_SAVED_IDS
549 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
550 #endif
551 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
552 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
553 #endif
554 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
555 goto fail;
556
557 #ifdef _POSIX_SAVED_IDS
558 /*
559 * Do we have "appropriate privileges" (are we root or uid == euid)
560 * If so, we are changing the real uid and/or saved uid.
561 */
562 if (
563 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
564 uid == oldcred->cr_uid ||
565 #endif
566 /* We are using privs. */
567 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
568 #endif
569 {
570 /*
571 * Set the real uid and transfer proc count to new user.
572 */
573 if (uid != oldcred->cr_ruid) {
574 change_ruid(newcred, uip);
575 setsugid(p);
576 }
577 /*
578 * Set saved uid
579 *
580 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
581 * the security of seteuid() depends on it. B.4.2.2 says it
582 * is important that we should do this.
583 */
584 if (uid != oldcred->cr_svuid) {
585 change_svuid(newcred, uid);
586 setsugid(p);
587 }
588 }
589
590 /*
591 * In all permitted cases, we are changing the euid.
592 */
593 if (uid != oldcred->cr_uid) {
594 change_euid(newcred, uip);
595 setsugid(p);
596 }
597 proc_set_cred(p, newcred);
598 #ifdef RACCT
599 racct_proc_ucred_changed(p, oldcred, newcred);
600 crhold(newcred);
601 #endif
602 PROC_UNLOCK(p);
603 #ifdef RCTL
604 rctl_proc_ucred_changed(p, newcred);
605 crfree(newcred);
606 #endif
607 uifree(uip);
608 crfree(oldcred);
609 return (0);
610
611 fail:
612 PROC_UNLOCK(p);
613 uifree(uip);
614 crfree(newcred);
615 return (error);
616 }
617
618 #ifndef _SYS_SYSPROTO_H_
619 struct seteuid_args {
620 uid_t euid;
621 };
622 #endif
623 /* ARGSUSED */
624 int
sys_seteuid(struct thread * td,struct seteuid_args * uap)625 sys_seteuid(struct thread *td, struct seteuid_args *uap)
626 {
627 struct proc *p = td->td_proc;
628 struct ucred *newcred, *oldcred;
629 uid_t euid;
630 struct uidinfo *euip;
631 int error;
632
633 euid = uap->euid;
634 AUDIT_ARG_EUID(euid);
635 newcred = crget();
636 euip = uifind(euid);
637 PROC_LOCK(p);
638 /*
639 * Copy credentials so other references do not see our changes.
640 */
641 oldcred = crcopysafe(p, newcred);
642
643 #ifdef MAC
644 error = mac_cred_check_seteuid(oldcred, euid);
645 if (error)
646 goto fail;
647 #endif
648
649 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
650 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
651 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
652 goto fail;
653
654 /*
655 * Everything's okay, do it.
656 */
657 if (oldcred->cr_uid != euid) {
658 change_euid(newcred, euip);
659 setsugid(p);
660 }
661 proc_set_cred(p, newcred);
662 PROC_UNLOCK(p);
663 uifree(euip);
664 crfree(oldcred);
665 return (0);
666
667 fail:
668 PROC_UNLOCK(p);
669 uifree(euip);
670 crfree(newcred);
671 return (error);
672 }
673
674 #ifndef _SYS_SYSPROTO_H_
675 struct setgid_args {
676 gid_t gid;
677 };
678 #endif
679 /* ARGSUSED */
680 int
sys_setgid(struct thread * td,struct setgid_args * uap)681 sys_setgid(struct thread *td, struct setgid_args *uap)
682 {
683 struct proc *p = td->td_proc;
684 struct ucred *newcred, *oldcred;
685 gid_t gid;
686 int error;
687
688 gid = uap->gid;
689 AUDIT_ARG_GID(gid);
690 newcred = crget();
691 PROC_LOCK(p);
692 oldcred = crcopysafe(p, newcred);
693
694 #ifdef MAC
695 error = mac_cred_check_setgid(oldcred, gid);
696 if (error)
697 goto fail;
698 #endif
699
700 /*
701 * See if we have "permission" by POSIX 1003.1 rules.
702 *
703 * Note that setgid(getegid()) is a special case of
704 * "appropriate privileges" in appendix B.4.2.2. We need
705 * to use this clause to be compatible with traditional BSD
706 * semantics. Basically, it means that "setgid(xx)" sets all
707 * three id's (assuming you have privs).
708 *
709 * For notes on the logic here, see setuid() above.
710 */
711 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
712 #ifdef _POSIX_SAVED_IDS
713 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
714 #endif
715 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
716 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
717 #endif
718 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
719 goto fail;
720
721 #ifdef _POSIX_SAVED_IDS
722 /*
723 * Do we have "appropriate privileges" (are we root or gid == egid)
724 * If so, we are changing the real uid and saved gid.
725 */
726 if (
727 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
728 gid == oldcred->cr_groups[0] ||
729 #endif
730 /* We are using privs. */
731 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
732 #endif
733 {
734 /*
735 * Set real gid
736 */
737 if (oldcred->cr_rgid != gid) {
738 change_rgid(newcred, gid);
739 setsugid(p);
740 }
741 /*
742 * Set saved gid
743 *
744 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
745 * the security of setegid() depends on it. B.4.2.2 says it
746 * is important that we should do this.
747 */
748 if (oldcred->cr_svgid != gid) {
749 change_svgid(newcred, gid);
750 setsugid(p);
751 }
752 }
753 /*
754 * In all cases permitted cases, we are changing the egid.
755 * Copy credentials so other references do not see our changes.
756 */
757 if (oldcred->cr_groups[0] != gid) {
758 change_egid(newcred, gid);
759 setsugid(p);
760 }
761 proc_set_cred(p, newcred);
762 PROC_UNLOCK(p);
763 crfree(oldcred);
764 return (0);
765
766 fail:
767 PROC_UNLOCK(p);
768 crfree(newcred);
769 return (error);
770 }
771
772 #ifndef _SYS_SYSPROTO_H_
773 struct setegid_args {
774 gid_t egid;
775 };
776 #endif
777 /* ARGSUSED */
778 int
sys_setegid(struct thread * td,struct setegid_args * uap)779 sys_setegid(struct thread *td, struct setegid_args *uap)
780 {
781 struct proc *p = td->td_proc;
782 struct ucred *newcred, *oldcred;
783 gid_t egid;
784 int error;
785
786 egid = uap->egid;
787 AUDIT_ARG_EGID(egid);
788 newcred = crget();
789 PROC_LOCK(p);
790 oldcred = crcopysafe(p, newcred);
791
792 #ifdef MAC
793 error = mac_cred_check_setegid(oldcred, egid);
794 if (error)
795 goto fail;
796 #endif
797
798 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
799 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
800 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
801 goto fail;
802
803 if (oldcred->cr_groups[0] != egid) {
804 change_egid(newcred, egid);
805 setsugid(p);
806 }
807 proc_set_cred(p, newcred);
808 PROC_UNLOCK(p);
809 crfree(oldcred);
810 return (0);
811
812 fail:
813 PROC_UNLOCK(p);
814 crfree(newcred);
815 return (error);
816 }
817
818 #ifndef _SYS_SYSPROTO_H_
819 struct setgroups_args {
820 int gidsetsize;
821 gid_t *gidset;
822 };
823 #endif
824 /* ARGSUSED */
825 int
sys_setgroups(struct thread * td,struct setgroups_args * uap)826 sys_setgroups(struct thread *td, struct setgroups_args *uap)
827 {
828 gid_t smallgroups[CRED_SMALLGROUPS_NB];
829 gid_t *groups;
830 int gidsetsize, error;
831
832 /*
833 * Sanity check size now to avoid passing too big a value to copyin(),
834 * even if kern_setgroups() will do it again.
835 *
836 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it
837 * was, in this implementation, for a long time), but POSIX standardized
838 * getgroups() to take an 'int' and it would be quite entrapping to have
839 * setgroups() differ.
840 */
841 gidsetsize = uap->gidsetsize;
842 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
843 return (EINVAL);
844
845 if (gidsetsize > CRED_SMALLGROUPS_NB)
846 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
847 else
848 groups = smallgroups;
849
850 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
851 if (error == 0)
852 error = kern_setgroups(td, &gidsetsize, groups);
853
854 if (groups != smallgroups)
855 free(groups, M_TEMP);
856 return (error);
857 }
858
859 static int
gidp_cmp(const void * p1,const void * p2)860 gidp_cmp(const void *p1, const void *p2)
861 {
862 const gid_t g1 = *(const gid_t *)p1;
863 const gid_t g2 = *(const gid_t *)p2;
864
865 return ((g1 > g2) - (g1 < g2));
866 }
867
868 /*
869 * CAUTION: This function normalizes 'groups', possibly also changing the value
870 * of '*ngrpp' as a consequence.
871 */
872 int
kern_setgroups(struct thread * td,int * ngrpp,gid_t * groups)873 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups)
874 {
875 struct proc *p = td->td_proc;
876 struct ucred *newcred, *oldcred;
877 int ngrp, error;
878
879 ngrp = *ngrpp;
880 /* Sanity check size. */
881 if (ngrp < 0 || ngrp > ngroups_max + 1)
882 return (EINVAL);
883
884 AUDIT_ARG_GROUPSET(groups, ngrp);
885 if (ngrp != 0) {
886 /* We allow and treat 0 specially below. */
887 groups_normalize(ngrpp, groups);
888 ngrp = *ngrpp;
889 }
890 newcred = crget();
891 if (ngrp != 0)
892 crextend(newcred, ngrp);
893 PROC_LOCK(p);
894 oldcred = crcopysafe(p, newcred);
895
896 #ifdef MAC
897 error = ngrp == 0 ?
898 /* If 'ngrp' is 0, we'll keep just the current effective GID. */
899 mac_cred_check_setgroups(oldcred, 1, oldcred->cr_groups) :
900 mac_cred_check_setgroups(oldcred, ngrp, groups);
901 if (error)
902 goto fail;
903 #endif
904
905 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS);
906 if (error)
907 goto fail;
908
909 if (ngrp == 0) {
910 /*
911 * setgroups(0, NULL) is a legitimate way of clearing the
912 * groups vector on non-BSD systems (which generally do not
913 * have the egid in the groups[0]). We risk security holes
914 * when running non-BSD software if we do not do the same.
915 */
916 newcred->cr_ngroups = 1;
917 } else
918 crsetgroups_internal(newcred, ngrp, groups);
919
920 setsugid(p);
921 proc_set_cred(p, newcred);
922 PROC_UNLOCK(p);
923 crfree(oldcred);
924 return (0);
925
926 fail:
927 PROC_UNLOCK(p);
928 crfree(newcred);
929 return (error);
930 }
931
932 #ifndef _SYS_SYSPROTO_H_
933 struct setreuid_args {
934 uid_t ruid;
935 uid_t euid;
936 };
937 #endif
938 /* ARGSUSED */
939 int
sys_setreuid(struct thread * td,struct setreuid_args * uap)940 sys_setreuid(struct thread *td, struct setreuid_args *uap)
941 {
942 struct proc *p = td->td_proc;
943 struct ucred *newcred, *oldcred;
944 uid_t euid, ruid;
945 struct uidinfo *euip, *ruip;
946 int error;
947
948 euid = uap->euid;
949 ruid = uap->ruid;
950 AUDIT_ARG_EUID(euid);
951 AUDIT_ARG_RUID(ruid);
952 newcred = crget();
953 euip = uifind(euid);
954 ruip = uifind(ruid);
955 PROC_LOCK(p);
956 oldcred = crcopysafe(p, newcred);
957
958 #ifdef MAC
959 error = mac_cred_check_setreuid(oldcred, ruid, euid);
960 if (error)
961 goto fail;
962 #endif
963
964 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
965 ruid != oldcred->cr_svuid) ||
966 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
967 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
968 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0)
969 goto fail;
970
971 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
972 change_euid(newcred, euip);
973 setsugid(p);
974 }
975 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
976 change_ruid(newcred, ruip);
977 setsugid(p);
978 }
979 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
980 newcred->cr_svuid != newcred->cr_uid) {
981 change_svuid(newcred, newcred->cr_uid);
982 setsugid(p);
983 }
984 proc_set_cred(p, newcred);
985 #ifdef RACCT
986 racct_proc_ucred_changed(p, oldcred, newcred);
987 crhold(newcred);
988 #endif
989 PROC_UNLOCK(p);
990 #ifdef RCTL
991 rctl_proc_ucred_changed(p, newcred);
992 crfree(newcred);
993 #endif
994 uifree(ruip);
995 uifree(euip);
996 crfree(oldcred);
997 return (0);
998
999 fail:
1000 PROC_UNLOCK(p);
1001 uifree(ruip);
1002 uifree(euip);
1003 crfree(newcred);
1004 return (error);
1005 }
1006
1007 #ifndef _SYS_SYSPROTO_H_
1008 struct setregid_args {
1009 gid_t rgid;
1010 gid_t egid;
1011 };
1012 #endif
1013 /* ARGSUSED */
1014 int
sys_setregid(struct thread * td,struct setregid_args * uap)1015 sys_setregid(struct thread *td, struct setregid_args *uap)
1016 {
1017 struct proc *p = td->td_proc;
1018 struct ucred *newcred, *oldcred;
1019 gid_t egid, rgid;
1020 int error;
1021
1022 egid = uap->egid;
1023 rgid = uap->rgid;
1024 AUDIT_ARG_EGID(egid);
1025 AUDIT_ARG_RGID(rgid);
1026 newcred = crget();
1027 PROC_LOCK(p);
1028 oldcred = crcopysafe(p, newcred);
1029
1030 #ifdef MAC
1031 error = mac_cred_check_setregid(oldcred, rgid, egid);
1032 if (error)
1033 goto fail;
1034 #endif
1035
1036 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1037 rgid != oldcred->cr_svgid) ||
1038 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
1039 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
1040 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0)
1041 goto fail;
1042
1043 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1044 change_egid(newcred, egid);
1045 setsugid(p);
1046 }
1047 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1048 change_rgid(newcred, rgid);
1049 setsugid(p);
1050 }
1051 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
1052 newcred->cr_svgid != newcred->cr_groups[0]) {
1053 change_svgid(newcred, newcred->cr_groups[0]);
1054 setsugid(p);
1055 }
1056 proc_set_cred(p, newcred);
1057 PROC_UNLOCK(p);
1058 crfree(oldcred);
1059 return (0);
1060
1061 fail:
1062 PROC_UNLOCK(p);
1063 crfree(newcred);
1064 return (error);
1065 }
1066
1067 /*
1068 * setresuid(ruid, euid, suid) is like setreuid except control over the saved
1069 * uid is explicit.
1070 */
1071 #ifndef _SYS_SYSPROTO_H_
1072 struct setresuid_args {
1073 uid_t ruid;
1074 uid_t euid;
1075 uid_t suid;
1076 };
1077 #endif
1078 /* ARGSUSED */
1079 int
sys_setresuid(struct thread * td,struct setresuid_args * uap)1080 sys_setresuid(struct thread *td, struct setresuid_args *uap)
1081 {
1082 struct proc *p = td->td_proc;
1083 struct ucred *newcred, *oldcred;
1084 uid_t euid, ruid, suid;
1085 struct uidinfo *euip, *ruip;
1086 int error;
1087
1088 euid = uap->euid;
1089 ruid = uap->ruid;
1090 suid = uap->suid;
1091 AUDIT_ARG_EUID(euid);
1092 AUDIT_ARG_RUID(ruid);
1093 AUDIT_ARG_SUID(suid);
1094 newcred = crget();
1095 euip = uifind(euid);
1096 ruip = uifind(ruid);
1097 PROC_LOCK(p);
1098 oldcred = crcopysafe(p, newcred);
1099
1100 #ifdef MAC
1101 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
1102 if (error)
1103 goto fail;
1104 #endif
1105
1106 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1107 ruid != oldcred->cr_svuid &&
1108 ruid != oldcred->cr_uid) ||
1109 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1110 euid != oldcred->cr_svuid &&
1111 euid != oldcred->cr_uid) ||
1112 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1113 suid != oldcred->cr_svuid &&
1114 suid != oldcred->cr_uid)) &&
1115 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0)
1116 goto fail;
1117
1118 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1119 change_euid(newcred, euip);
1120 setsugid(p);
1121 }
1122 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1123 change_ruid(newcred, ruip);
1124 setsugid(p);
1125 }
1126 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1127 change_svuid(newcred, suid);
1128 setsugid(p);
1129 }
1130 proc_set_cred(p, newcred);
1131 #ifdef RACCT
1132 racct_proc_ucred_changed(p, oldcred, newcred);
1133 crhold(newcred);
1134 #endif
1135 PROC_UNLOCK(p);
1136 #ifdef RCTL
1137 rctl_proc_ucred_changed(p, newcred);
1138 crfree(newcred);
1139 #endif
1140 uifree(ruip);
1141 uifree(euip);
1142 crfree(oldcred);
1143 return (0);
1144
1145 fail:
1146 PROC_UNLOCK(p);
1147 uifree(ruip);
1148 uifree(euip);
1149 crfree(newcred);
1150 return (error);
1151
1152 }
1153
1154 /*
1155 * setresgid(rgid, egid, sgid) is like setregid except control over the saved
1156 * gid is explicit.
1157 */
1158 #ifndef _SYS_SYSPROTO_H_
1159 struct setresgid_args {
1160 gid_t rgid;
1161 gid_t egid;
1162 gid_t sgid;
1163 };
1164 #endif
1165 /* ARGSUSED */
1166 int
sys_setresgid(struct thread * td,struct setresgid_args * uap)1167 sys_setresgid(struct thread *td, struct setresgid_args *uap)
1168 {
1169 struct proc *p = td->td_proc;
1170 struct ucred *newcred, *oldcred;
1171 gid_t egid, rgid, sgid;
1172 int error;
1173
1174 egid = uap->egid;
1175 rgid = uap->rgid;
1176 sgid = uap->sgid;
1177 AUDIT_ARG_EGID(egid);
1178 AUDIT_ARG_RGID(rgid);
1179 AUDIT_ARG_SGID(sgid);
1180 newcred = crget();
1181 PROC_LOCK(p);
1182 oldcred = crcopysafe(p, newcred);
1183
1184 #ifdef MAC
1185 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
1186 if (error)
1187 goto fail;
1188 #endif
1189
1190 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1191 rgid != oldcred->cr_svgid &&
1192 rgid != oldcred->cr_groups[0]) ||
1193 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1194 egid != oldcred->cr_svgid &&
1195 egid != oldcred->cr_groups[0]) ||
1196 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1197 sgid != oldcred->cr_svgid &&
1198 sgid != oldcred->cr_groups[0])) &&
1199 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0)
1200 goto fail;
1201
1202 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1203 change_egid(newcred, egid);
1204 setsugid(p);
1205 }
1206 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1207 change_rgid(newcred, rgid);
1208 setsugid(p);
1209 }
1210 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1211 change_svgid(newcred, sgid);
1212 setsugid(p);
1213 }
1214 proc_set_cred(p, newcred);
1215 PROC_UNLOCK(p);
1216 crfree(oldcred);
1217 return (0);
1218
1219 fail:
1220 PROC_UNLOCK(p);
1221 crfree(newcred);
1222 return (error);
1223 }
1224
1225 #ifndef _SYS_SYSPROTO_H_
1226 struct getresuid_args {
1227 uid_t *ruid;
1228 uid_t *euid;
1229 uid_t *suid;
1230 };
1231 #endif
1232 /* ARGSUSED */
1233 int
sys_getresuid(struct thread * td,struct getresuid_args * uap)1234 sys_getresuid(struct thread *td, struct getresuid_args *uap)
1235 {
1236 struct ucred *cred;
1237 int error1 = 0, error2 = 0, error3 = 0;
1238
1239 cred = td->td_ucred;
1240 if (uap->ruid)
1241 error1 = copyout(&cred->cr_ruid,
1242 uap->ruid, sizeof(cred->cr_ruid));
1243 if (uap->euid)
1244 error2 = copyout(&cred->cr_uid,
1245 uap->euid, sizeof(cred->cr_uid));
1246 if (uap->suid)
1247 error3 = copyout(&cred->cr_svuid,
1248 uap->suid, sizeof(cred->cr_svuid));
1249 return (error1 ? error1 : error2 ? error2 : error3);
1250 }
1251
1252 #ifndef _SYS_SYSPROTO_H_
1253 struct getresgid_args {
1254 gid_t *rgid;
1255 gid_t *egid;
1256 gid_t *sgid;
1257 };
1258 #endif
1259 /* ARGSUSED */
1260 int
sys_getresgid(struct thread * td,struct getresgid_args * uap)1261 sys_getresgid(struct thread *td, struct getresgid_args *uap)
1262 {
1263 struct ucred *cred;
1264 int error1 = 0, error2 = 0, error3 = 0;
1265
1266 cred = td->td_ucred;
1267 if (uap->rgid)
1268 error1 = copyout(&cred->cr_rgid,
1269 uap->rgid, sizeof(cred->cr_rgid));
1270 if (uap->egid)
1271 error2 = copyout(&cred->cr_groups[0],
1272 uap->egid, sizeof(cred->cr_groups[0]));
1273 if (uap->sgid)
1274 error3 = copyout(&cred->cr_svgid,
1275 uap->sgid, sizeof(cred->cr_svgid));
1276 return (error1 ? error1 : error2 ? error2 : error3);
1277 }
1278
1279 #ifndef _SYS_SYSPROTO_H_
1280 struct issetugid_args {
1281 int dummy;
1282 };
1283 #endif
1284 /* ARGSUSED */
1285 int
sys_issetugid(struct thread * td,struct issetugid_args * uap)1286 sys_issetugid(struct thread *td, struct issetugid_args *uap)
1287 {
1288 struct proc *p = td->td_proc;
1289
1290 /*
1291 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1292 * we use P_SUGID because we consider changing the owners as
1293 * "tainting" as well.
1294 * This is significant for procs that start as root and "become"
1295 * a user without an exec - programs cannot know *everything*
1296 * that libc *might* have put in their data segment.
1297 */
1298 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1299 return (0);
1300 }
1301
1302 int
sys___setugid(struct thread * td,struct __setugid_args * uap)1303 sys___setugid(struct thread *td, struct __setugid_args *uap)
1304 {
1305 #ifdef REGRESSION
1306 struct proc *p;
1307
1308 p = td->td_proc;
1309 switch (uap->flag) {
1310 case 0:
1311 PROC_LOCK(p);
1312 p->p_flag &= ~P_SUGID;
1313 PROC_UNLOCK(p);
1314 return (0);
1315 case 1:
1316 PROC_LOCK(p);
1317 p->p_flag |= P_SUGID;
1318 PROC_UNLOCK(p);
1319 return (0);
1320 default:
1321 return (EINVAL);
1322 }
1323 #else /* !REGRESSION */
1324
1325 return (ENOSYS);
1326 #endif /* REGRESSION */
1327 }
1328
1329 #ifdef INVARIANTS
1330 static void
groups_check_normalized(int ngrp,const gid_t * groups)1331 groups_check_normalized(int ngrp, const gid_t *groups)
1332 {
1333 gid_t prev_g;
1334
1335 groups_check_positive_len(ngrp);
1336 groups_check_max_len(ngrp);
1337
1338 if (ngrp == 1)
1339 return;
1340
1341 prev_g = groups[1];
1342 for (int i = 2; i < ngrp; ++i) {
1343 const gid_t g = groups[i];
1344
1345 if (prev_g >= g)
1346 panic("%s: groups[%d] (%u) >= groups[%d] (%u)",
1347 __func__, i - 1, prev_g, i, g);
1348 prev_g = g;
1349 }
1350 }
1351 #else
1352 #define groups_check_normalized(...)
1353 #endif
1354
1355 /*
1356 * Returns whether gid designates a supplementary group in cred.
1357 */
1358 bool
group_is_supplementary(const gid_t gid,const struct ucred * const cred)1359 group_is_supplementary(const gid_t gid, const struct ucred *const cred)
1360 {
1361
1362 groups_check_normalized(cred->cr_ngroups, cred->cr_groups);
1363
1364 /*
1365 * Perform a binary search of the supplementary groups. This is
1366 * possible because we sort the groups in crsetgroups().
1367 */
1368 return (bsearch(&gid, cred->cr_groups + 1, cred->cr_ngroups - 1,
1369 sizeof(gid), gidp_cmp) != NULL);
1370 }
1371
1372 /*
1373 * Check if gid is a member of the (effective) group set (i.e., effective and
1374 * supplementary groups).
1375 */
1376 bool
groupmember(gid_t gid,const struct ucred * cred)1377 groupmember(gid_t gid, const struct ucred *cred)
1378 {
1379
1380 groups_check_positive_len(cred->cr_ngroups);
1381
1382 if (gid == cred->cr_groups[0])
1383 return (true);
1384
1385 return (group_is_supplementary(gid, cred));
1386 }
1387
1388 /*
1389 * Check if gid is a member of the real group set (i.e., real and supplementary
1390 * groups).
1391 */
1392 bool
realgroupmember(gid_t gid,const struct ucred * cred)1393 realgroupmember(gid_t gid, const struct ucred *cred)
1394 {
1395 /*
1396 * Although the equality test on 'cr_rgid' below doesn't access
1397 * 'cr_groups', we check for the latter's length here as we assume that,
1398 * if 'cr_ngroups' is 0, the passed 'struct ucred' is invalid, and
1399 * 'cr_rgid' may not have been filled.
1400 */
1401 groups_check_positive_len(cred->cr_ngroups);
1402
1403 if (gid == cred->cr_rgid)
1404 return (true);
1405
1406 return (group_is_supplementary(gid, cred));
1407 }
1408
1409 /*
1410 * Test the active securelevel against a given level. securelevel_gt()
1411 * implements (securelevel > level). securelevel_ge() implements
1412 * (securelevel >= level). Note that the logic is inverted -- these
1413 * functions return EPERM on "success" and 0 on "failure".
1414 *
1415 * Due to care taken when setting the securelevel, we know that no jail will
1416 * be less secure that its parent (or the physical system), so it is sufficient
1417 * to test the current jail only.
1418 *
1419 * XXXRW: Possibly since this has to do with privilege, it should move to
1420 * kern_priv.c.
1421 */
1422 int
securelevel_gt(struct ucred * cr,int level)1423 securelevel_gt(struct ucred *cr, int level)
1424 {
1425
1426 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
1427 }
1428
1429 int
securelevel_ge(struct ucred * cr,int level)1430 securelevel_ge(struct ucred *cr, int level)
1431 {
1432
1433 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
1434 }
1435
1436 /*
1437 * 'see_other_uids' determines whether or not visibility of processes
1438 * and sockets with credentials holding different real uids is possible
1439 * using a variety of system MIBs.
1440 * XXX: data declarations should be together near the beginning of the file.
1441 */
1442 static int see_other_uids = 1;
1443 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1444 &see_other_uids, 0,
1445 "Unprivileged processes may see subjects/objects with different real uid");
1446
1447 /*-
1448 * Determine if u1 "can see" the subject specified by u2, according to the
1449 * 'see_other_uids' policy.
1450 * Returns: 0 for permitted, ESRCH otherwise
1451 * Locks: none
1452 * References: *u1 and *u2 must not change during the call
1453 * u1 may equal u2, in which case only one reference is required
1454 */
1455 static int
cr_canseeotheruids(struct ucred * u1,struct ucred * u2)1456 cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
1457 {
1458
1459 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1460 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0)
1461 return (ESRCH);
1462 }
1463 return (0);
1464 }
1465
1466 /*
1467 * 'see_other_gids' determines whether or not visibility of processes
1468 * and sockets with credentials holding different real gids is possible
1469 * using a variety of system MIBs.
1470 * XXX: data declarations should be together near the beginning of the file.
1471 */
1472 static int see_other_gids = 1;
1473 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1474 &see_other_gids, 0,
1475 "Unprivileged processes may see subjects/objects with different real gid");
1476
1477 /*
1478 * Determine if u1 can "see" the subject specified by u2, according to the
1479 * 'see_other_gids' policy.
1480 * Returns: 0 for permitted, ESRCH otherwise
1481 * Locks: none
1482 * References: *u1 and *u2 must not change during the call
1483 * u1 may equal u2, in which case only one reference is required
1484 */
1485 static int
cr_canseeothergids(struct ucred * u1,struct ucred * u2)1486 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
1487 {
1488 if (!see_other_gids) {
1489 if (realgroupmember(u1->cr_rgid, u2))
1490 return (0);
1491
1492 for (int i = 1; i < u1->cr_ngroups; i++)
1493 if (realgroupmember(u1->cr_groups[i], u2))
1494 return (0);
1495
1496 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
1497 return (ESRCH);
1498 }
1499
1500 return (0);
1501 }
1502
1503 /*
1504 * 'see_jail_proc' determines whether or not visibility of processes and
1505 * sockets with credentials holding different jail ids is possible using a
1506 * variety of system MIBs.
1507 *
1508 * XXX: data declarations should be together near the beginning of the file.
1509 */
1510
1511 static int see_jail_proc = 1;
1512 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
1513 &see_jail_proc, 0,
1514 "Unprivileged processes may see subjects/objects with different jail ids");
1515
1516 /*-
1517 * Determine if u1 "can see" the subject specified by u2, according to the
1518 * 'see_jail_proc' policy.
1519 * Returns: 0 for permitted, ESRCH otherwise
1520 * Locks: none
1521 * References: *u1 and *u2 must not change during the call
1522 * u1 may equal u2, in which case only one reference is required
1523 */
1524 static int
cr_canseejailproc(struct ucred * u1,struct ucred * u2)1525 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
1526 {
1527 if (see_jail_proc || /* Policy deactivated. */
1528 u1->cr_prison == u2->cr_prison || /* Same jail. */
1529 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
1530 return (0);
1531
1532 return (ESRCH);
1533 }
1534
1535 /*
1536 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
1537 * policies. Determines if u1 "can see" u2 according to these policies.
1538 * Returns: 0 for permitted, ESRCH otherwise
1539 */
1540 int
cr_bsd_visible(struct ucred * u1,struct ucred * u2)1541 cr_bsd_visible(struct ucred *u1, struct ucred *u2)
1542 {
1543 int error;
1544
1545 error = cr_canseeotheruids(u1, u2);
1546 if (error != 0)
1547 return (error);
1548 error = cr_canseeothergids(u1, u2);
1549 if (error != 0)
1550 return (error);
1551 error = cr_canseejailproc(u1, u2);
1552 if (error != 0)
1553 return (error);
1554 return (0);
1555 }
1556
1557 /*-
1558 * Determine if u1 "can see" the subject specified by u2.
1559 * Returns: 0 for permitted, an errno value otherwise
1560 * Locks: none
1561 * References: *u1 and *u2 must not change during the call
1562 * u1 may equal u2, in which case only one reference is required
1563 */
1564 int
cr_cansee(struct ucred * u1,struct ucred * u2)1565 cr_cansee(struct ucred *u1, struct ucred *u2)
1566 {
1567 int error;
1568
1569 if ((error = prison_check(u1, u2)))
1570 return (error);
1571 #ifdef MAC
1572 if ((error = mac_cred_check_visible(u1, u2)))
1573 return (error);
1574 #endif
1575 if ((error = cr_bsd_visible(u1, u2)))
1576 return (error);
1577 return (0);
1578 }
1579
1580 /*-
1581 * Determine if td "can see" the subject specified by p.
1582 * Returns: 0 for permitted, an errno value otherwise
1583 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1584 * should be curthread.
1585 * References: td and p must be valid for the lifetime of the call
1586 */
1587 int
p_cansee(struct thread * td,struct proc * p)1588 p_cansee(struct thread *td, struct proc *p)
1589 {
1590 /* Wrap cr_cansee() for all functionality. */
1591 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1592 PROC_LOCK_ASSERT(p, MA_OWNED);
1593
1594 if (td->td_proc == p)
1595 return (0);
1596 return (cr_cansee(td->td_ucred, p->p_ucred));
1597 }
1598
1599 /*
1600 * 'conservative_signals' prevents the delivery of a broad class of
1601 * signals by unprivileged processes to processes that have changed their
1602 * credentials since the last invocation of execve(). This can prevent
1603 * the leakage of cached information or retained privileges as a result
1604 * of a common class of signal-related vulnerabilities. However, this
1605 * may interfere with some applications that expect to be able to
1606 * deliver these signals to peer processes after having given up
1607 * privilege.
1608 */
1609 static int conservative_signals = 1;
1610 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1611 &conservative_signals, 0, "Unprivileged processes prevented from "
1612 "sending certain signals to processes whose credentials have changed");
1613 /*-
1614 * Determine whether cred may deliver the specified signal to proc.
1615 * Returns: 0 for permitted, an errno value otherwise.
1616 * Locks: A lock must be held for proc.
1617 * References: cred and proc must be valid for the lifetime of the call.
1618 */
1619 int
cr_cansignal(struct ucred * cred,struct proc * proc,int signum)1620 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1621 {
1622 int error;
1623
1624 PROC_LOCK_ASSERT(proc, MA_OWNED);
1625 /*
1626 * Jail semantics limit the scope of signalling to proc in the
1627 * same jail as cred, if cred is in jail.
1628 */
1629 error = prison_check(cred, proc->p_ucred);
1630 if (error)
1631 return (error);
1632 #ifdef MAC
1633 if ((error = mac_proc_check_signal(cred, proc, signum)))
1634 return (error);
1635 #endif
1636 if ((error = cr_bsd_visible(cred, proc->p_ucred)))
1637 return (error);
1638
1639 /*
1640 * UNIX signal semantics depend on the status of the P_SUGID
1641 * bit on the target process. If the bit is set, then additional
1642 * restrictions are placed on the set of available signals.
1643 */
1644 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1645 switch (signum) {
1646 case 0:
1647 case SIGKILL:
1648 case SIGINT:
1649 case SIGTERM:
1650 case SIGALRM:
1651 case SIGSTOP:
1652 case SIGTTIN:
1653 case SIGTTOU:
1654 case SIGTSTP:
1655 case SIGHUP:
1656 case SIGUSR1:
1657 case SIGUSR2:
1658 /*
1659 * Generally, permit job and terminal control
1660 * signals.
1661 */
1662 break;
1663 default:
1664 /* Not permitted without privilege. */
1665 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
1666 if (error)
1667 return (error);
1668 }
1669 }
1670
1671 /*
1672 * Generally, the target credential's ruid or svuid must match the
1673 * subject credential's ruid or euid.
1674 */
1675 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1676 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1677 cred->cr_uid != proc->p_ucred->cr_ruid &&
1678 cred->cr_uid != proc->p_ucred->cr_svuid) {
1679 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
1680 if (error)
1681 return (error);
1682 }
1683
1684 return (0);
1685 }
1686
1687 /*-
1688 * Determine whether td may deliver the specified signal to p.
1689 * Returns: 0 for permitted, an errno value otherwise
1690 * Locks: Sufficient locks to protect various components of td and p
1691 * must be held. td must be curthread, and a lock must be
1692 * held for p.
1693 * References: td and p must be valid for the lifetime of the call
1694 */
1695 int
p_cansignal(struct thread * td,struct proc * p,int signum)1696 p_cansignal(struct thread *td, struct proc *p, int signum)
1697 {
1698
1699 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1700 PROC_LOCK_ASSERT(p, MA_OWNED);
1701 if (td->td_proc == p)
1702 return (0);
1703
1704 /*
1705 * UNIX signalling semantics require that processes in the same
1706 * session always be able to deliver SIGCONT to one another,
1707 * overriding the remaining protections.
1708 */
1709 /* XXX: This will require an additional lock of some sort. */
1710 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1711 return (0);
1712 /*
1713 * Some compat layers use SIGTHR and higher signals for
1714 * communication between different kernel threads of the same
1715 * process, so that they expect that it's always possible to
1716 * deliver them, even for suid applications where cr_cansignal() can
1717 * deny such ability for security consideration. It should be
1718 * pretty safe to do since the only way to create two processes
1719 * with the same p_leader is via rfork(2).
1720 */
1721 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
1722 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
1723 return (0);
1724
1725 return (cr_cansignal(td->td_ucred, p, signum));
1726 }
1727
1728 /*-
1729 * Determine whether td may reschedule p.
1730 * Returns: 0 for permitted, an errno value otherwise
1731 * Locks: Sufficient locks to protect various components of td and p
1732 * must be held. td must be curthread, and a lock must
1733 * be held for p.
1734 * References: td and p must be valid for the lifetime of the call
1735 */
1736 int
p_cansched(struct thread * td,struct proc * p)1737 p_cansched(struct thread *td, struct proc *p)
1738 {
1739 int error;
1740
1741 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1742 PROC_LOCK_ASSERT(p, MA_OWNED);
1743 if (td->td_proc == p)
1744 return (0);
1745 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1746 return (error);
1747 #ifdef MAC
1748 if ((error = mac_proc_check_sched(td->td_ucred, p)))
1749 return (error);
1750 #endif
1751 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
1752 return (error);
1753
1754 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
1755 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
1756 error = priv_check(td, PRIV_SCHED_DIFFCRED);
1757 if (error)
1758 return (error);
1759 }
1760 return (0);
1761 }
1762
1763 /*
1764 * Handle getting or setting the prison's unprivileged_proc_debug
1765 * value.
1766 */
1767 static int
sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)1768 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
1769 {
1770 int error, val;
1771
1772 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG);
1773 error = sysctl_handle_int(oidp, &val, 0, req);
1774 if (error != 0 || req->newptr == NULL)
1775 return (error);
1776 if (val != 0 && val != 1)
1777 return (EINVAL);
1778 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val);
1779 return (0);
1780 }
1781
1782 /*
1783 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1784 * unprivileged inter-process debugging services, including some procfs
1785 * functionality, ptrace(), and ktrace(). In the past, inter-process
1786 * debugging has been involved in a variety of security problems, and sites
1787 * not requiring the service might choose to disable it when hardening
1788 * systems.
1789 */
1790 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
1791 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
1792 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
1793 "Unprivileged processes may use process debugging facilities");
1794
1795 /*-
1796 * Determine whether td may debug p.
1797 * Returns: 0 for permitted, an errno value otherwise
1798 * Locks: Sufficient locks to protect various components of td and p
1799 * must be held. td must be curthread, and a lock must
1800 * be held for p.
1801 * References: td and p must be valid for the lifetime of the call
1802 */
1803 int
p_candebug(struct thread * td,struct proc * p)1804 p_candebug(struct thread *td, struct proc *p)
1805 {
1806 int error, grpsubset, i, uidsubset;
1807
1808 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1809 PROC_LOCK_ASSERT(p, MA_OWNED);
1810 if (td->td_proc == p)
1811 return (0);
1812 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
1813 return (error);
1814 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1815 return (error);
1816 #ifdef MAC
1817 if ((error = mac_proc_check_debug(td->td_ucred, p)))
1818 return (error);
1819 #endif
1820 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
1821 return (error);
1822
1823 /*
1824 * Is p's group set a subset of td's effective group set? This
1825 * includes p's egid, group access list, rgid, and svgid.
1826 */
1827 grpsubset = 1;
1828 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1829 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1830 grpsubset = 0;
1831 break;
1832 }
1833 }
1834 grpsubset = grpsubset &&
1835 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1836 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1837
1838 /*
1839 * Are the uids present in p's credential equal to td's
1840 * effective uid? This includes p's euid, svuid, and ruid.
1841 */
1842 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1843 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1844 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1845
1846 /*
1847 * If p's gids aren't a subset, or the uids aren't a subset,
1848 * or the credential has changed, require appropriate privilege
1849 * for td to debug p.
1850 */
1851 if (!grpsubset || !uidsubset) {
1852 error = priv_check(td, PRIV_DEBUG_DIFFCRED);
1853 if (error)
1854 return (error);
1855 }
1856
1857 /*
1858 * Has the credential of the process changed since the last exec()?
1859 */
1860 if ((p->p_flag & P_SUGID) != 0) {
1861 error = priv_check(td, PRIV_DEBUG_SUGID);
1862 if (error)
1863 return (error);
1864 }
1865
1866 /* Can't trace init when securelevel > 0. */
1867 if (p == initproc) {
1868 error = securelevel_gt(td->td_ucred, 0);
1869 if (error)
1870 return (error);
1871 }
1872
1873 /*
1874 * Can't trace a process that's currently exec'ing.
1875 *
1876 * XXX: Note, this is not a security policy decision, it's a
1877 * basic correctness/functionality decision. Therefore, this check
1878 * should be moved to the caller's of p_candebug().
1879 */
1880 if ((p->p_flag & P_INEXEC) != 0)
1881 return (EBUSY);
1882
1883 /* Denied explicitly */
1884 if ((p->p_flag2 & P2_NOTRACE) != 0) {
1885 error = priv_check(td, PRIV_DEBUG_DENIED);
1886 if (error != 0)
1887 return (error);
1888 }
1889
1890 return (0);
1891 }
1892
1893 /*-
1894 * Determine whether the subject represented by cred can "see" a socket.
1895 * Returns: 0 for permitted, ENOENT otherwise.
1896 */
1897 int
cr_canseesocket(struct ucred * cred,struct socket * so)1898 cr_canseesocket(struct ucred *cred, struct socket *so)
1899 {
1900 int error;
1901
1902 error = prison_check(cred, so->so_cred);
1903 if (error)
1904 return (ENOENT);
1905 #ifdef MAC
1906 error = mac_socket_check_visible(cred, so);
1907 if (error)
1908 return (error);
1909 #endif
1910 if (cr_bsd_visible(cred, so->so_cred))
1911 return (ENOENT);
1912
1913 return (0);
1914 }
1915
1916 /*-
1917 * Determine whether td can wait for the exit of p.
1918 * Returns: 0 for permitted, an errno value otherwise
1919 * Locks: Sufficient locks to protect various components of td and p
1920 * must be held. td must be curthread, and a lock must
1921 * be held for p.
1922 * References: td and p must be valid for the lifetime of the call
1923
1924 */
1925 int
p_canwait(struct thread * td,struct proc * p)1926 p_canwait(struct thread *td, struct proc *p)
1927 {
1928 int error;
1929
1930 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1931 PROC_LOCK_ASSERT(p, MA_OWNED);
1932 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1933 return (error);
1934 #ifdef MAC
1935 if ((error = mac_proc_check_wait(td->td_ucred, p)))
1936 return (error);
1937 #endif
1938 #if 0
1939 /* XXXMAC: This could have odd effects on some shells. */
1940 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
1941 return (error);
1942 #endif
1943
1944 return (0);
1945 }
1946
1947 /*
1948 * Credential management.
1949 *
1950 * struct ucred objects are rarely allocated but gain and lose references all
1951 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into
1952 * a significant source of cache-line ping ponging. Common cases are worked
1953 * around by modifying thread-local counter instead if the cred to operate on
1954 * matches td_realucred.
1955 *
1956 * The counter is split into 2 parts:
1957 * - cr_users -- total count of all struct proc and struct thread objects
1958 * which have given cred in p_ucred and td_ucred respectively
1959 * - cr_ref -- the actual ref count, only valid if cr_users == 0
1960 *
1961 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if
1962 * the count reaches 0 the object is freeable.
1963 * If users > 0 and curthread->td_realucred == cred, then updates are performed
1964 * against td_ucredref.
1965 * In other cases updates are performed against cr_ref.
1966 *
1967 * Changing td_realucred into something else decrements cr_users and transfers
1968 * accumulated updates.
1969 */
1970 struct ucred *
crcowget(struct ucred * cr)1971 crcowget(struct ucred *cr)
1972 {
1973
1974 mtx_lock(&cr->cr_mtx);
1975 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
1976 __func__, cr->cr_users, cr));
1977 cr->cr_users++;
1978 cr->cr_ref++;
1979 mtx_unlock(&cr->cr_mtx);
1980 return (cr);
1981 }
1982
1983 static struct ucred *
crunuse(struct thread * td)1984 crunuse(struct thread *td)
1985 {
1986 struct ucred *cr, *crold;
1987
1988 MPASS(td->td_realucred == td->td_ucred);
1989 cr = td->td_realucred;
1990 mtx_lock(&cr->cr_mtx);
1991 cr->cr_ref += td->td_ucredref;
1992 td->td_ucredref = 0;
1993 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
1994 __func__, cr->cr_users, cr));
1995 cr->cr_users--;
1996 if (cr->cr_users == 0) {
1997 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
1998 __func__, cr->cr_ref, cr));
1999 crold = cr;
2000 } else {
2001 cr->cr_ref--;
2002 crold = NULL;
2003 }
2004 mtx_unlock(&cr->cr_mtx);
2005 td->td_realucred = NULL;
2006 return (crold);
2007 }
2008
2009 static void
crunusebatch(struct ucred * cr,int users,int ref)2010 crunusebatch(struct ucred *cr, int users, int ref)
2011 {
2012
2013 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
2014 __func__, users, cr));
2015 mtx_lock(&cr->cr_mtx);
2016 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
2017 __func__, cr->cr_users, users, cr));
2018 cr->cr_users -= users;
2019 cr->cr_ref += ref;
2020 cr->cr_ref -= users;
2021 if (cr->cr_users > 0) {
2022 mtx_unlock(&cr->cr_mtx);
2023 return;
2024 }
2025 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2026 __func__, cr->cr_ref, cr));
2027 if (cr->cr_ref > 0) {
2028 mtx_unlock(&cr->cr_mtx);
2029 return;
2030 }
2031 crfree_final(cr);
2032 }
2033
2034 void
crcowfree(struct thread * td)2035 crcowfree(struct thread *td)
2036 {
2037 struct ucred *cr;
2038
2039 cr = crunuse(td);
2040 if (cr != NULL)
2041 crfree(cr);
2042 }
2043
2044 struct ucred *
crcowsync(void)2045 crcowsync(void)
2046 {
2047 struct thread *td;
2048 struct proc *p;
2049 struct ucred *crnew, *crold;
2050
2051 td = curthread;
2052 p = td->td_proc;
2053 PROC_LOCK_ASSERT(p, MA_OWNED);
2054
2055 MPASS(td->td_realucred == td->td_ucred);
2056 if (td->td_realucred == p->p_ucred)
2057 return (NULL);
2058
2059 crnew = crcowget(p->p_ucred);
2060 crold = crunuse(td);
2061 td->td_realucred = crnew;
2062 td->td_ucred = td->td_realucred;
2063 return (crold);
2064 }
2065
2066 /*
2067 * Batching.
2068 */
2069 void
credbatch_add(struct credbatch * crb,struct thread * td)2070 credbatch_add(struct credbatch *crb, struct thread *td)
2071 {
2072 struct ucred *cr;
2073
2074 MPASS(td->td_realucred != NULL);
2075 MPASS(td->td_realucred == td->td_ucred);
2076 MPASS(TD_GET_STATE(td) == TDS_INACTIVE);
2077 cr = td->td_realucred;
2078 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2079 __func__, cr->cr_users, cr));
2080 if (crb->cred != cr) {
2081 if (crb->users > 0) {
2082 MPASS(crb->cred != NULL);
2083 crunusebatch(crb->cred, crb->users, crb->ref);
2084 crb->users = 0;
2085 crb->ref = 0;
2086 }
2087 }
2088 crb->cred = cr;
2089 crb->users++;
2090 crb->ref += td->td_ucredref;
2091 td->td_ucredref = 0;
2092 td->td_realucred = NULL;
2093 }
2094
2095 void
credbatch_final(struct credbatch * crb)2096 credbatch_final(struct credbatch *crb)
2097 {
2098
2099 MPASS(crb->cred != NULL);
2100 MPASS(crb->users > 0);
2101 crunusebatch(crb->cred, crb->users, crb->ref);
2102 }
2103
2104 /*
2105 * Allocate a zeroed cred structure.
2106 */
2107 struct ucred *
crget(void)2108 crget(void)
2109 {
2110 struct ucred *cr;
2111
2112 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
2113 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
2114 cr->cr_ref = 1;
2115 #ifdef AUDIT
2116 audit_cred_init(cr);
2117 #endif
2118 #ifdef MAC
2119 mac_cred_init(cr);
2120 #endif
2121 cr->cr_groups = cr->cr_smallgroups;
2122 cr->cr_agroups =
2123 sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]);
2124 return (cr);
2125 }
2126
2127 /*
2128 * Claim another reference to a ucred structure.
2129 */
2130 struct ucred *
crhold(struct ucred * cr)2131 crhold(struct ucred *cr)
2132 {
2133 struct thread *td;
2134
2135 td = curthread;
2136 if (__predict_true(td->td_realucred == cr)) {
2137 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2138 __func__, cr->cr_users, cr));
2139 td->td_ucredref++;
2140 return (cr);
2141 }
2142 mtx_lock(&cr->cr_mtx);
2143 cr->cr_ref++;
2144 mtx_unlock(&cr->cr_mtx);
2145 return (cr);
2146 }
2147
2148 /*
2149 * Free a cred structure. Throws away space when ref count gets to 0.
2150 */
2151 void
crfree(struct ucred * cr)2152 crfree(struct ucred *cr)
2153 {
2154 struct thread *td;
2155
2156 td = curthread;
2157 if (__predict_true(td->td_realucred == cr)) {
2158 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2159 __func__, cr->cr_users, cr));
2160 td->td_ucredref--;
2161 return;
2162 }
2163 mtx_lock(&cr->cr_mtx);
2164 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
2165 __func__, cr->cr_users, cr));
2166 cr->cr_ref--;
2167 if (cr->cr_users > 0) {
2168 mtx_unlock(&cr->cr_mtx);
2169 return;
2170 }
2171 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2172 __func__, cr->cr_ref, cr));
2173 if (cr->cr_ref > 0) {
2174 mtx_unlock(&cr->cr_mtx);
2175 return;
2176 }
2177 crfree_final(cr);
2178 }
2179
2180 static void
crfree_final(struct ucred * cr)2181 crfree_final(struct ucred *cr)
2182 {
2183
2184 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
2185 __func__, cr->cr_users, cr));
2186 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p",
2187 __func__, cr->cr_ref, cr));
2188
2189 /*
2190 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
2191 * credential, but don't allocate a uidinfo structure.
2192 */
2193 if (cr->cr_uidinfo != NULL)
2194 uifree(cr->cr_uidinfo);
2195 if (cr->cr_ruidinfo != NULL)
2196 uifree(cr->cr_ruidinfo);
2197 if (cr->cr_prison != NULL)
2198 prison_free(cr->cr_prison);
2199 if (cr->cr_loginclass != NULL)
2200 loginclass_free(cr->cr_loginclass);
2201 #ifdef AUDIT
2202 audit_cred_destroy(cr);
2203 #endif
2204 #ifdef MAC
2205 mac_cred_destroy(cr);
2206 #endif
2207 mtx_destroy(&cr->cr_mtx);
2208 if (cr->cr_groups != cr->cr_smallgroups)
2209 free(cr->cr_groups, M_CRED);
2210 free(cr, M_CRED);
2211 }
2212
2213 /*
2214 * Copy a ucred's contents from a template. Does not block.
2215 */
2216 void
crcopy(struct ucred * dest,struct ucred * src)2217 crcopy(struct ucred *dest, struct ucred *src)
2218 {
2219
2220 /*
2221 * Ideally, 'cr_ngroups' should be moved out of 'struct ucred''s bcopied
2222 * area, but this would break the ABI, so is deferred until there is
2223 * a compelling need to change it.
2224 */
2225 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
2226 (unsigned)((caddr_t)&src->cr_endcopy -
2227 (caddr_t)&src->cr_startcopy));
2228 dest->cr_flags = src->cr_flags;
2229 crsetgroups(dest, src->cr_ngroups, src->cr_groups);
2230 uihold(dest->cr_uidinfo);
2231 uihold(dest->cr_ruidinfo);
2232 prison_hold(dest->cr_prison);
2233 loginclass_hold(dest->cr_loginclass);
2234 #ifdef AUDIT
2235 audit_cred_copy(src, dest);
2236 #endif
2237 #ifdef MAC
2238 mac_cred_copy(src, dest);
2239 #endif
2240 }
2241
2242 /*
2243 * Dup cred struct to a new held one.
2244 */
2245 struct ucred *
crdup(struct ucred * cr)2246 crdup(struct ucred *cr)
2247 {
2248 struct ucred *newcr;
2249
2250 newcr = crget();
2251 crcopy(newcr, cr);
2252 return (newcr);
2253 }
2254
2255 /*
2256 * Fill in a struct xucred based on a struct ucred.
2257 */
2258 void
cru2x(struct ucred * cr,struct xucred * xcr)2259 cru2x(struct ucred *cr, struct xucred *xcr)
2260 {
2261 int ngroups;
2262
2263 bzero(xcr, sizeof(*xcr));
2264 xcr->cr_version = XUCRED_VERSION;
2265 xcr->cr_uid = cr->cr_uid;
2266
2267 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS);
2268 xcr->cr_ngroups = ngroups;
2269 bcopy(cr->cr_groups, xcr->cr_groups,
2270 ngroups * sizeof(*cr->cr_groups));
2271 }
2272
2273 void
cru2xt(struct thread * td,struct xucred * xcr)2274 cru2xt(struct thread *td, struct xucred *xcr)
2275 {
2276
2277 cru2x(td->td_ucred, xcr);
2278 xcr->cr_pid = td->td_proc->p_pid;
2279 }
2280
2281 /*
2282 * Change process credentials.
2283 * Callers are responsible for providing the reference for passed credentials
2284 * and for freeing old ones.
2285 *
2286 * Process has to be locked except when it does not have credentials (as it
2287 * should not be visible just yet) or when newcred is NULL (as this can be
2288 * only used when the process is about to be freed, at which point it should
2289 * not be visible anymore).
2290 */
2291 void
proc_set_cred(struct proc * p,struct ucred * newcred)2292 proc_set_cred(struct proc *p, struct ucred *newcred)
2293 {
2294 struct ucred *cr;
2295
2296 cr = p->p_ucred;
2297 MPASS(cr != NULL);
2298 PROC_LOCK_ASSERT(p, MA_OWNED);
2299 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p",
2300 __func__, newcred->cr_users, newcred));
2301 mtx_lock(&cr->cr_mtx);
2302 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2303 __func__, cr->cr_users, cr));
2304 cr->cr_users--;
2305 mtx_unlock(&cr->cr_mtx);
2306 p->p_ucred = newcred;
2307 newcred->cr_users = 1;
2308 PROC_UPDATE_COW(p);
2309 }
2310
2311 void
proc_unset_cred(struct proc * p)2312 proc_unset_cred(struct proc *p)
2313 {
2314 struct ucred *cr;
2315
2316 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
2317 cr = p->p_ucred;
2318 p->p_ucred = NULL;
2319 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2320 __func__, cr->cr_users, cr));
2321 mtx_lock(&cr->cr_mtx);
2322 cr->cr_users--;
2323 if (cr->cr_users == 0)
2324 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2325 __func__, cr->cr_ref, cr));
2326 mtx_unlock(&cr->cr_mtx);
2327 crfree(cr);
2328 }
2329
2330 struct ucred *
crcopysafe(struct proc * p,struct ucred * cr)2331 crcopysafe(struct proc *p, struct ucred *cr)
2332 {
2333 struct ucred *oldcred;
2334 int groups;
2335
2336 PROC_LOCK_ASSERT(p, MA_OWNED);
2337
2338 oldcred = p->p_ucred;
2339 while (cr->cr_agroups < oldcred->cr_agroups) {
2340 groups = oldcred->cr_agroups;
2341 PROC_UNLOCK(p);
2342 crextend(cr, groups);
2343 PROC_LOCK(p);
2344 oldcred = p->p_ucred;
2345 }
2346 crcopy(cr, oldcred);
2347
2348 return (oldcred);
2349 }
2350
2351 /*
2352 * Extend the passed-in credentials to hold n groups.
2353 *
2354 * Must not be called after groups have been set.
2355 */
2356 void
crextend(struct ucred * cr,int n)2357 crextend(struct ucred *cr, int n)
2358 {
2359 size_t nbytes;
2360
2361 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2362 MPASS2(cr->cr_ngroups == 0, "groups on 'cr' already set!");
2363 groups_check_positive_len(n);
2364 groups_check_max_len(n);
2365
2366 if (n <= cr->cr_agroups)
2367 return;
2368
2369 nbytes = n * sizeof(gid_t);
2370 if (nbytes < n)
2371 panic("Too many groups (memory size overflow)! "
2372 "Computation of 'kern.ngroups' should have prevented this, "
2373 "please fix it. In the meantime, reduce 'kern.ngroups'.");
2374
2375 /*
2376 * We allocate a power of 2 larger than 'nbytes', except when that
2377 * exceeds PAGE_SIZE, in which case we allocate the right multiple of
2378 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2()
2379 * below) but do not need to for sizeof(gid_t).
2380 */
2381 if (nbytes < PAGE_SIZE) {
2382 if (!powerof2(nbytes))
2383 /* fls*() return a bit index starting at 1. */
2384 nbytes = 1 << flsl(nbytes);
2385 } else
2386 nbytes = roundup2(nbytes, PAGE_SIZE);
2387
2388 /* Free the old array. */
2389 if (cr->cr_groups != cr->cr_smallgroups)
2390 free(cr->cr_groups, M_CRED);
2391
2392 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO);
2393 cr->cr_agroups = nbytes / sizeof(gid_t);
2394 }
2395
2396 /*
2397 * Normalizes a set of groups to be applied to a 'struct ucred'.
2398 *
2399 * The set of groups is an array that must comprise the effective GID as its
2400 * first element (so its length cannot be 0).
2401 *
2402 * Normalization ensures that elements after the first, which stand for the
2403 * supplementary groups, are sorted in ascending order and do not contain
2404 * duplicates.
2405 */
2406 static void
groups_normalize(int * ngrp,gid_t * groups)2407 groups_normalize(int *ngrp, gid_t *groups)
2408 {
2409 gid_t prev_g;
2410 int ins_idx;
2411
2412 groups_check_positive_len(*ngrp);
2413 groups_check_max_len(*ngrp);
2414
2415 if (*ngrp == 1)
2416 return;
2417
2418 qsort(groups + 1, *ngrp - 1, sizeof(*groups), gidp_cmp);
2419
2420 /* Remove duplicates. */
2421 prev_g = groups[1];
2422 ins_idx = 2;
2423 for (int i = 2; i < *ngrp; ++i) {
2424 const gid_t g = groups[i];
2425
2426 if (g != prev_g) {
2427 if (i != ins_idx)
2428 groups[ins_idx] = g;
2429 ++ins_idx;
2430 prev_g = g;
2431 }
2432 }
2433 *ngrp = ins_idx;
2434
2435 groups_check_normalized(*ngrp, groups);
2436 }
2437
2438 /*
2439 * Internal function copying groups into a credential.
2440 *
2441 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have
2442 * been normalized in advance (see groups_normalize()), else it must be so
2443 * before the structure is to be used again.
2444 *
2445 * This function is suitable to be used under any lock (it doesn't take any lock
2446 * itself nor sleep, and in particular doesn't allocate memory). crextend()
2447 * must have been called beforehand to ensure sufficient space is available.
2448 * See also crsetgroups(), which handles that.
2449 */
2450 static void
crsetgroups_internal(struct ucred * cr,int ngrp,const gid_t * groups)2451 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups)
2452 {
2453
2454 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2455 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small");
2456 groups_check_positive_len(ngrp);
2457
2458 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t));
2459 cr->cr_ngroups = ngrp;
2460 }
2461
2462 /*
2463 * Copy groups in to a credential after expanding it if required.
2464 *
2465 * May sleep in order to allocate memory (except if, e.g., crextend() was called
2466 * before with 'ngrp' or greater). Truncates the list to (ngroups_max + 1) if
2467 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be
2468 * strictly positive.
2469 */
2470 void
crsetgroups(struct ucred * cr,int ngrp,const gid_t * groups)2471 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups)
2472 {
2473
2474 if (ngrp > ngroups_max + 1)
2475 ngrp = ngroups_max + 1;
2476 /*
2477 * crextend() asserts that groups are not set, as it may allocate a new
2478 * backing storage without copying the content of the old one. Since we
2479 * are going to install a completely new set anyway, signal that we
2480 * consider the old ones thrown away.
2481 */
2482 cr->cr_ngroups = 0;
2483 crextend(cr, ngrp);
2484 crsetgroups_internal(cr, ngrp, groups);
2485 groups_normalize(&cr->cr_ngroups, cr->cr_groups);
2486 }
2487
2488 /*
2489 * Same as crsetgroups() but accepts an empty groups array.
2490 *
2491 * This function ensures that an effective GID is always present in credentials.
2492 * An empty array is treated as a one-size one holding the passed effective GID
2493 * fallback.
2494 */
2495 void
crsetgroups_fallback(struct ucred * cr,int ngrp,const gid_t * groups,const gid_t fallback)2496 crsetgroups_fallback(struct ucred *cr, int ngrp, const gid_t *groups,
2497 const gid_t fallback)
2498 {
2499 if (ngrp == 0)
2500 /* Shortcut. */
2501 crsetgroups_internal(cr, 1, &fallback);
2502 else
2503 crsetgroups(cr, ngrp, groups);
2504 }
2505
2506 /*
2507 * Get login name, if available.
2508 */
2509 #ifndef _SYS_SYSPROTO_H_
2510 struct getlogin_args {
2511 char *namebuf;
2512 u_int namelen;
2513 };
2514 #endif
2515 /* ARGSUSED */
2516 int
sys_getlogin(struct thread * td,struct getlogin_args * uap)2517 sys_getlogin(struct thread *td, struct getlogin_args *uap)
2518 {
2519 char login[MAXLOGNAME];
2520 struct proc *p = td->td_proc;
2521 size_t len;
2522
2523 if (uap->namelen > MAXLOGNAME)
2524 uap->namelen = MAXLOGNAME;
2525 PROC_LOCK(p);
2526 SESS_LOCK(p->p_session);
2527 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
2528 SESS_UNLOCK(p->p_session);
2529 PROC_UNLOCK(p);
2530 if (len > uap->namelen)
2531 return (ERANGE);
2532 return (copyout(login, uap->namebuf, len));
2533 }
2534
2535 /*
2536 * Set login name.
2537 */
2538 #ifndef _SYS_SYSPROTO_H_
2539 struct setlogin_args {
2540 char *namebuf;
2541 };
2542 #endif
2543 /* ARGSUSED */
2544 int
sys_setlogin(struct thread * td,struct setlogin_args * uap)2545 sys_setlogin(struct thread *td, struct setlogin_args *uap)
2546 {
2547 struct proc *p = td->td_proc;
2548 int error;
2549 char logintmp[MAXLOGNAME];
2550
2551 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
2552
2553 error = priv_check(td, PRIV_PROC_SETLOGIN);
2554 if (error)
2555 return (error);
2556 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2557 if (error != 0) {
2558 if (error == ENAMETOOLONG)
2559 error = EINVAL;
2560 return (error);
2561 }
2562 AUDIT_ARG_LOGIN(logintmp);
2563 PROC_LOCK(p);
2564 SESS_LOCK(p->p_session);
2565 strcpy(p->p_session->s_login, logintmp);
2566 SESS_UNLOCK(p->p_session);
2567 PROC_UNLOCK(p);
2568 return (0);
2569 }
2570
2571 void
setsugid(struct proc * p)2572 setsugid(struct proc *p)
2573 {
2574
2575 PROC_LOCK_ASSERT(p, MA_OWNED);
2576 p->p_flag |= P_SUGID;
2577 }
2578
2579 /*-
2580 * Change a process's effective uid.
2581 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
2582 * References: newcred must be an exclusive credential reference for the
2583 * duration of the call.
2584 */
2585 void
change_euid(struct ucred * newcred,struct uidinfo * euip)2586 change_euid(struct ucred *newcred, struct uidinfo *euip)
2587 {
2588
2589 newcred->cr_uid = euip->ui_uid;
2590 uihold(euip);
2591 uifree(newcred->cr_uidinfo);
2592 newcred->cr_uidinfo = euip;
2593 }
2594
2595 /*-
2596 * Change a process's effective gid.
2597 * Side effects: newcred->cr_gid will be modified.
2598 * References: newcred must be an exclusive credential reference for the
2599 * duration of the call.
2600 */
2601 void
change_egid(struct ucred * newcred,gid_t egid)2602 change_egid(struct ucred *newcred, gid_t egid)
2603 {
2604
2605 newcred->cr_groups[0] = egid;
2606 }
2607
2608 /*-
2609 * Change a process's real uid.
2610 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
2611 * will be updated, and the old and new cr_ruidinfo proc
2612 * counts will be updated.
2613 * References: newcred must be an exclusive credential reference for the
2614 * duration of the call.
2615 */
2616 void
change_ruid(struct ucred * newcred,struct uidinfo * ruip)2617 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
2618 {
2619
2620 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
2621 newcred->cr_ruid = ruip->ui_uid;
2622 uihold(ruip);
2623 uifree(newcred->cr_ruidinfo);
2624 newcred->cr_ruidinfo = ruip;
2625 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2626 }
2627
2628 /*-
2629 * Change a process's real gid.
2630 * Side effects: newcred->cr_rgid will be updated.
2631 * References: newcred must be an exclusive credential reference for the
2632 * duration of the call.
2633 */
2634 void
change_rgid(struct ucred * newcred,gid_t rgid)2635 change_rgid(struct ucred *newcred, gid_t rgid)
2636 {
2637
2638 newcred->cr_rgid = rgid;
2639 }
2640
2641 /*-
2642 * Change a process's saved uid.
2643 * Side effects: newcred->cr_svuid will be updated.
2644 * References: newcred must be an exclusive credential reference for the
2645 * duration of the call.
2646 */
2647 void
change_svuid(struct ucred * newcred,uid_t svuid)2648 change_svuid(struct ucred *newcred, uid_t svuid)
2649 {
2650
2651 newcred->cr_svuid = svuid;
2652 }
2653
2654 /*-
2655 * Change a process's saved gid.
2656 * Side effects: newcred->cr_svgid will be updated.
2657 * References: newcred must be an exclusive credential reference for the
2658 * duration of the call.
2659 */
2660 void
change_svgid(struct ucred * newcred,gid_t svgid)2661 change_svgid(struct ucred *newcred, gid_t svgid)
2662 {
2663
2664 newcred->cr_svgid = svgid;
2665 }
2666
2667 bool allow_ptrace = true;
2668 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
2669 &allow_ptrace, 0,
2670 "Deny ptrace(2) use by returning ENOSYS");
2671