1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * Copyright (c) 2024-2025 The FreeBSD Foundation 10 * 11 * Portions of this software were developed by Olivier Certner 12 * <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD 13 * Foundation. 14 * 15 * All or some portions of this file are derived from material licensed 16 * to the University of California by American Telephone and Telegraph 17 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 18 * the permission of UNIX System Laboratories, Inc. 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 3. Neither the name of the University nor the names of its contributors 29 * may be used to endorse or promote products derived from this software 30 * without specific prior written permission. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 35 * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * System calls related to processes and protection: process/group/session
 * id queries (getpid, getpgid, getsid, ...), process group and session
 * management (setsid, setpgid), and credential changes (setcred, setuid and
 * friends, setgroups).
 */

#include <sys/cdefs.h>
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/abi_compat.h>
#include <sys/acct.h>
#include <sys/imgact.h>
#include <sys/kdb.h>
#include <sys/kernel.h>
#include <sys/libkern.h>
#include <sys/lock.h>
#include <sys/loginclass.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/ptrace.h>
#include <sys/refcount.h>
#include <sys/sx.h>
#include <sys/priv.h>
#include <sys/proc.h>
#ifdef COMPAT_43
#include <sys/sysent.h>
#endif
#include <sys/sysproto.h>
#include <sys/jail.h>
#include <sys/racct.h>
#include <sys/rctl.h>
#include <sys/resourcevar.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/syscallsubr.h>
#include <sys/sysctl.h>

#ifdef MAC
#include <security/mac/mac_syscalls.h>
#endif

#include <vm/uma.h>

#ifdef REGRESSION
/*
 * Only present on kernels built with 'options REGRESSION'.  FEATURE(9)
 * advertises it through the kern.features sysctl tree so test suites can
 * detect it; the feature description itself warns that such kernels are not
 * meant for production use.
 */
FEATURE(regression,
    "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
#endif

#include <security/audit/audit.h>
#include <security/mac/mac_framework.h>

/* Malloc type used for 'struct ucred' allocations in this file. */
static MALLOC_DEFINE(M_CRED, "cred", "credentials");

/* Parent node for the security.bsd.* policy knobs. */
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
    "BSD security policy");

/* Final teardown of a credential once its last reference is dropped. */
static void crfree_final(struct ucred *cr);
/*
 * Assertion-only sanity checks on a supplementary group count.  MPASS2() is
 * an INVARIANTS-style check, so these never reject anything on a production
 * kernel; callers must still range-check user-supplied counts themselves
 * (see sys_setgroups() and user_setcred_copyin_supp_groups() below).
 */
static inline void
groups_check_positive_len(int ngrp)
{
	MPASS2(ngrp >= 0, "negative number of groups");
}
static inline void
groups_check_max_len(int ngrp)
{
	MPASS2(ngrp <= ngroups_max, "too many supplementary groups");
}

/*
 * Group list helpers, defined later in this file.  groups_normalize() may
 * change the count it is handed (see the CAUTION notes on kern_setcred() and
 * kern_setgroups()).
 */
static void groups_normalize(int *ngrp, gid_t *groups);
static void crsetgroups_internal(struct ucred *cr, int ngrp,
    const gid_t *groups);

/* Credential visibility checks, defined later in this file. */
static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
static int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
static int cr_canseejailproc(struct ucred *u1, struct ucred *u2);

#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
	int dummy;
};
#endif
/*
 * getpid(2): return the caller's process id in td_retval[0].
 *
 * Under COMPAT_43, a.out binaries additionally get the parent's pid in
 * td_retval[1]; sys_getuid() and sys_getgid() below do the same with their
 * effective ids.
 */
/* ARGSUSED */
int
sys_getpid(struct thread *td, struct getpid_args *uap)
{
	struct proc *p = td->td_proc;

	td->td_retval[0] = p->p_pid;
#if defined(COMPAT_43)
	if (SV_PROC_FLAG(p, SV_AOUT))
		td->td_retval[1] = kern_getppid(td);
#endif
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getppid_args {
	int dummy;
};
#endif
/* getppid(2): thin wrapper around kern_getppid(). */
/* ARGSUSED */
int
sys_getppid(struct thread *td, struct getppid_args *uap)
{

	td->td_retval[0] = kern_getppid(td);
	return (0);
}

/*
 * Return the caller's parent pid (p_oppid).  The field is read without
 * PROC_LOCK here; presumably a single aligned read is acceptable for this
 * field -- confirm against the locking annotation of p_oppid in <sys/proc.h>.
 */
int
kern_getppid(struct thread *td)
{
	struct proc *p = td->td_proc;

	return (p->p_oppid);
}

/*
 * Get process group ID; note that POSIX getpgrp takes no parameter.
*/
#ifndef _SYS_SYSPROTO_H_
struct getpgrp_args {
	int dummy;
};
#endif
/*
 * getpgrp(2): return the caller's process group id.  Read under PROC_LOCK
 * because p_pgrp is replaced by setpgid()/setsid() (see enterpgrp() calls
 * below).
 */
int
sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
{
	struct proc *p = td->td_proc;

	PROC_LOCK(p);
	td->td_retval[0] = p->p_pgrp->pg_id;
	PROC_UNLOCK(p);
	return (0);
}

/* Get an arbitrary pid's process group id */
#ifndef _SYS_SYSPROTO_H_
struct getpgid_args {
	pid_t pid;
};
#endif
/*
 * getpgid(2).  A pid of 0 designates the caller.  For any other pid the
 * target is looked up with pfind(), which returns it locked (hence the
 * PROC_UNLOCK() on every exit path), and p_cansee() applies the visibility
 * policy before anything about the target is disclosed.
 *
 * Returns 0, ESRCH if no such process, or the p_cansee() error.
 */
int
sys_getpgid(struct thread *td, struct getpgid_args *uap)
{
	struct proc *p;
	int error;

	if (uap->pid == 0) {
		p = td->td_proc;
		PROC_LOCK(p);
	} else {
		p = pfind(uap->pid);
		if (p == NULL)
			return (ESRCH);
		error = p_cansee(td, p);
		if (error) {
			PROC_UNLOCK(p);
			return (error);
		}
	}
	td->td_retval[0] = p->p_pgrp->pg_id;
	PROC_UNLOCK(p);
	return (0);
}

/*
 * Get an arbitrary pid's session id.
 */
#ifndef _SYS_SYSPROTO_H_
struct getsid_args {
	pid_t pid;
};
#endif
/* getsid(2): thin wrapper around kern_getsid(). */
int
sys_getsid(struct thread *td, struct getsid_args *uap)
{

	return (kern_getsid(td, uap->pid));
}

/*
 * Same lookup and visibility logic as sys_getpgid(), but reports the session
 * id (p_session->s_sid) instead of the process group id.
 */
int
kern_getsid(struct thread *td, pid_t pid)
{
	struct proc *p;
	int error;

	if (pid == 0) {
		p = td->td_proc;
		PROC_LOCK(p);
	} else {
		p = pfind(pid);
		if (p == NULL)
			return (ESRCH);
		error = p_cansee(td, p);
		if (error) {
			PROC_UNLOCK(p);
			return (error);
		}
	}
	td->td_retval[0] = p->p_session->s_sid;
	PROC_UNLOCK(p);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getuid_args {
	int dummy;
};
#endif
/*
 * getuid(2): real uid in td_retval[0]; under COMPAT_43 the effective uid is
 * also placed in td_retval[1].  Uses the thread's credential snapshot
 * (td_ucred), so no locking is needed.
 */
/* ARGSUSED */
int
sys_getuid(struct thread *td, struct getuid_args *uap)
{

	td->td_retval[0] = td->td_ucred->cr_ruid;
#if defined(COMPAT_43)
	td->td_retval[1] = td->td_ucred->cr_uid;
#endif
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct geteuid_args {
	int dummy;
};
#endif
/* geteuid(2): effective uid from td_ucred. */
/* ARGSUSED */
int
sys_geteuid(struct thread *td, struct geteuid_args *uap)
{

	td->td_retval[0] = td->td_ucred->cr_uid;
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgid_args {
	int dummy;
};
#endif
/*
 * getgid(2): real gid in td_retval[0]; under COMPAT_43 the effective gid is
 * also placed in td_retval[1] (mirrors sys_getuid()).
 */
/* ARGSUSED */
int
sys_getgid(struct thread *td, struct getgid_args *uap)
{

	td->td_retval[0] = td->td_ucred->cr_rgid;
#if defined(COMPAT_43)
	td->td_retval[1] = td->td_ucred->cr_gid;
#endif
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getegid_args {
	int dummy;
};
#endif
/* getegid(2): effective gid from td_ucred. */
/* ARGSUSED */
int
sys_getegid(struct thread *td, struct getegid_args *uap)
{

	td->td_retval[0] = td->td_ucred->cr_gid;
	return (0);
}

#ifdef COMPAT_FREEBSD14
/*
 * getgroups(2), FreeBSD < 15.0 ABI: the effective gid is returned as the
 * first element, followed by the cr_ngroups supplementary groups, so the
 * reported count is cr_ngroups + 1.
 *
 * A gidsetsize of 0 only reports the count (via 'out').  A buffer too small
 * for the whole list is rejected with EINVAL; note that this path returns
 * directly and does not set td_retval[0], which is fine since the call fails.
 * Otherwise the egid and the supplementary groups are copied out as two
 * separate copyout() calls.
 */
int
freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap)
{
	struct ucred *cred;
	int ngrp, error;

	cred = td->td_ucred;

	/*
	 * For FreeBSD < 15.0, we account for the egid being placed at the
	 * beginning of the group list prior to all supplementary groups.
	 */
	ngrp = cred->cr_ngroups + 1;
	if (uap->gidsetsize == 0) {
		error = 0;
		goto out;
	} else if (uap->gidsetsize < ngrp) {
		return (EINVAL);
	}

	error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t));
	if (error == 0)
		error = copyout(cred->cr_groups, uap->gidset + 1,
		    (ngrp - 1) * sizeof(gid_t));

out:
	td->td_retval[0] = ngrp;
	return (error);

}
#endif /* COMPAT_FREEBSD14 */

#ifndef _SYS_SYSPROTO_H_
struct getgroups_args {
	int gidsetsize;
	gid_t *gidset;
};
#endif
/*
 * getgroups(2): copy out the caller's supplementary groups (cr_groups,
 * cr_ngroups of them; the egid is no longer part of the list) and return the
 * count in td_retval[0].  gidsetsize == 0 reports the count only; a negative
 * or too small gidsetsize yields EINVAL.
 */
int
sys_getgroups(struct thread *td, struct getgroups_args *uap)
{
	struct ucred *cred;
	int ngrp, error;

	cred = td->td_ucred;

	ngrp = cred->cr_ngroups;
	if (uap->gidsetsize == 0) {
		error = 0;
		goto out;
	}
	if (uap->gidsetsize < ngrp)
		return (EINVAL);

	error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
out:
	td->td_retval[0] = ngrp;
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setsid_args {
	int dummy;
};
#endif
/*
 * setsid(2): make the caller the leader of a new session and process group
 * whose ids equal its pid.
 *
 * The new pgrp and session are allocated up front (M_WAITOK) so that no
 * allocation happens under proctree_lock.  EPERM if the caller already leads
 * a process group (p_pgid == p_pid) or if a process group with the caller's
 * pid already exists (pgfind(), which returns the pgrp locked).  On success
 * enterpgrp() takes ownership of both allocations, so the pointers are
 * cleared and the trailing uma_zfree()/free() become no-ops (both accept
 * NULL).  Returns 0 or EPERM; the pid is returned in td_retval[0].
 */
/* ARGSUSED */
int
sys_setsid(struct thread *td, struct setsid_args *uap)
{
	struct pgrp *pgrp;
	int error;
	struct proc *p = td->td_proc;
	struct pgrp *newpgrp;
	struct session *newsess;

	pgrp = NULL;

	newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
	newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);

again:
	error = 0;
	sx_xlock(&proctree_lock);

	if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
		if (pgrp != NULL)
			PGRP_UNLOCK(pgrp);
		error = EPERM;
	} else {
		error = enterpgrp(p, p->p_pid, newpgrp, newsess);
		/*
		 * The retry re-acquires proctree_lock without unlocking it
		 * here, so enterpgrp() presumably drops it before returning
		 * ERESTART (sys_setpgid() below relies on the same) -- confirm.
		 */
		if (error == ERESTART)
			goto again;
		MPASS(error == 0);
		td->td_retval[0] = p->p_pid;
		newpgrp = NULL;
		newsess = NULL;
	}

	sx_xunlock(&proctree_lock);

	uma_zfree(pgrp_zone, newpgrp);
	free(newsess, M_SESSION);

	return (error);
}

/*
 * set process group (setpgid/old setpgrp)
 *
 * caller does setpgid(targpid, targpgid)
 *
 * pid must be caller or child of caller (ESRCH)
 * if a child
 *	pid must be in same session (EPERM)
 *	pid can't have done an exec (EACCES)
 * if pgid != pid
 *	there must exist some pid in same session having pgid (EPERM)
 * pid must not be session leader (EPERM)
 */
#ifndef _SYS_SYSPROTO_H_
struct setpgid_args {
	int pid;		/* target process id */
	int pgid;		/* target pgrp id */
};
#endif
/*
 * setpgid(2).  See the rules above.  In addition, a negative pgid is EINVAL
 * and a pgid of 0 means "the target's own pid".  The candidate pgrp is
 * allocated before taking proctree_lock and only consumed when a new group
 * is actually created (enterpgrp() with a NULL session); joining an existing
 * group goes through enterthispgrp().  The whole operation is retried from
 * 'again' when either of those returns ERESTART.
 */
/* ARGSUSED */
int
sys_setpgid(struct thread *td, struct setpgid_args *uap)
{
	struct proc *curp = td->td_proc;
	struct proc *targp;	/* target process */
	struct pgrp *pgrp;	/* target pgrp */
	int error;
	struct pgrp *newpgrp;

	if (uap->pgid < 0)
		return (EINVAL);

	newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);

again:
	error = 0;

	sx_xlock(&proctree_lock);
	if (uap->pid != 0 && uap->pid != curp->p_pid) {
		/* pfind() returns the target locked. */
		if ((targp = pfind(uap->pid)) == NULL) {
			error = ESRCH;
			goto done;
		}
		/* Only descendants of the caller may be targeted. */
		if (!inferior(targp)) {
			PROC_UNLOCK(targp);
			error = ESRCH;
			goto done;
		}
		if ((error = p_cansee(td, targp))) {
			PROC_UNLOCK(targp);
			goto done;
		}
		if (targp->p_pgrp == NULL ||
		    targp->p_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto done;
		}
		/* A child that has already exec'ed may not be moved. */
		if (targp->p_flag & P_EXEC) {
			PROC_UNLOCK(targp);
			error = EACCES;
			goto done;
		}
		PROC_UNLOCK(targp);
	} else
		targp = curp;
	if (SESS_LEADER(targp)) {
		error = EPERM;
		goto done;
	}
	if (uap->pgid == 0)
		uap->pgid = targp->p_pid;
	/* pgfind() returns the group locked when found. */
	if ((pgrp = pgfind(uap->pgid)) == NULL) {
		/* No such group: it may only be created with the target's pid. */
		if (uap->pgid == targp->p_pid) {
			error = enterpgrp(targp, uap->pgid, newpgrp,
			    NULL);
			if (error == 0)
				newpgrp = NULL;
		} else
			error = EPERM;
	} else {
		/* Already a member: nothing to do. */
		if (pgrp == targp->p_pgrp) {
			PGRP_UNLOCK(pgrp);
			goto done;
		}
		/* An existing group must belong to the caller's session. */
		if (pgrp->pg_id != targp->p_pid &&
		    pgrp->pg_session != curp->p_session) {
			PGRP_UNLOCK(pgrp);
			error = EPERM;
			goto done;
		}
		PGRP_UNLOCK(pgrp);
		error = enterthispgrp(targp, pgrp);
	}
done:
	/* 'newpgrp' is only handed over on success, so it survives any error. */
	KASSERT(error == 0 || newpgrp != NULL,
	    ("setpgid failed and newpgrp is NULL"));
	if (error == ERESTART)
		goto again;
	sx_xunlock(&proctree_lock);
	uma_zfree(pgrp_zone, newpgrp);
	return (error);
}

/*
 * qsort(9)-style comparator for gid_t values.  The (a > b) - (a < b) form
 * yields -1/0/1 without the overflow a plain subtraction could have.
 */
static int
gidp_cmp(const void *p1, const void *p2)
{
	const gid_t g1 = *(const gid_t *)p1;
	const gid_t g2 = *(const gid_t *)p2;

	return ((g1 > g2) - (g1 < g2));
}

/*
 * 'smallgroups' must be an (uninitialized) array of length CRED_SMALLGROUPS_NB.
 * Always sets 'sc_supp_groups', either to a valid kernel-space groups array
 * (which may or may not be 'smallgroups'), or NULL if SETCREDF_SUPP_GROUPS was
 * not specified or there are too many groups, or a buffer containing garbage on
 * copyin() failure. In the last two cases, 'sc_supp_groups_nb' is additionally
 * set to 0 as a security measure. 'sc_supp_groups' must be freed (M_TEMP) if
 * not equal to 'smallgroups' even on failure.
 *
 * Returns 0, EINVAL (too many groups) or the copyin() error.
 */
static int
user_setcred_copyin_supp_groups(struct setcred *const wcred,
    const u_int flags, gid_t *const smallgroups)
{
	gid_t *groups;
	int error;

	if ((flags & SETCREDF_SUPP_GROUPS) == 0) {
		error = 0;
		goto reset_groups_exit;
	}

	/*
	 * Check the number of groups' limit right now in order to limit the
	 * amount of bytes to copy.
	 *
	 * NOTE(review): this relies on 'sc_supp_groups_nb' not being able to
	 * hold a negative value (i.e. on it being unsigned in <sys/ucred.h>).
	 * Should it be a signed type, a negative count would pass this check
	 * and reach the size computations below -- confirm the field's type.
	 */
	if (wcred->sc_supp_groups_nb > ngroups_max) {
		error = EINVAL;
		goto reset_groups_exit;
	}

	/* Small lists use the caller's stack buffer, larger ones M_TEMP. */
	groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ?
	    smallgroups : malloc(wcred->sc_supp_groups_nb * sizeof(gid_t),
	    M_TEMP, M_WAITOK);
	error = copyin(wcred->sc_supp_groups, groups,
	    wcred->sc_supp_groups_nb * sizeof(gid_t));
	/* From here on 'sc_supp_groups' points into kernel space. */
	wcred->sc_supp_groups = groups;

	if (error != 0) {
		wcred->sc_supp_groups_nb = 0;
		/*
		 * 'sc_supp_groups' must be freed by caller if not
		 * 'smallgroups'.
		 */
		return (error);
	}

	return (0);

reset_groups_exit:
	wcred->sc_supp_groups_nb = 0;
	wcred->sc_supp_groups = NULL;
	return (error);
}

/*
 * User-space front end to kern_setcred(): turns the user pointers carried by
 * an already copied-in 'struct setcred' (supplementary groups and, with MAC,
 * the label) into kernel copies, calls kern_setcred(), then releases those
 * copies.  'wcred' is modified in place.
 *
 * Returns EINVAL on unknown flags, otherwise the error of the copyin helpers
 * or of kern_setcred().
 */
int
user_setcred(struct thread *td, const u_int flags, struct setcred *const wcred)
{
#ifdef MAC
	struct mac mac;
	/* Pointer to 'struct mac' or 'struct mac32'. */
	void *umac;
#endif
	gid_t smallgroups[CRED_SMALLGROUPS_NB];
	int error;

	/*
	 * As the only point of this wrapper function is to copyin() from
	 * userland, we only interpret the data pieces we need to perform this
	 * operation and defer further sanity checks to kern_setcred(), except
	 * that we redundantly check here that no unknown flags have been
	 * passed.
	 */
	if ((flags & ~SETCREDF_MASK) != 0)
		return (EINVAL);

#ifdef MAC
	umac = wcred->sc_label;
#endif
	/*
	 * Also done on !MAC as a defensive measure: the user pointer must never
	 * reach kern_setcred() as if it were a kernel label.
	 */
	wcred->sc_label = NULL;

	/*
	 * Copy supplementary groups as needed. There is no specific
	 * alternative for 32-bit compatibility as 'gid_t' has the same size
	 * everywhere.
*/
	error = user_setcred_copyin_supp_groups(wcred, flags, smallgroups);
	/* On failure the helper has already reset the count; only the free remains. */
	if (error != 0)
		goto free_groups;

#ifdef MAC
	if ((flags & SETCREDF_MAC_LABEL) != 0) {
		error = mac_label_copyin(umac, &mac, NULL);
		if (error != 0)
			goto free_groups;
		wcred->sc_label = &mac;
	}
#endif

	error = kern_setcred(td, flags, wcred);

#ifdef MAC
	/* 'mac' lives on our stack; this releases what mac_label_copyin() allocated. */
	if (wcred->sc_label != NULL)
		free_copied_label(wcred->sc_label);
#endif

free_groups:
	/* NULL (no groups requested) or 'smallgroups' means nothing to free. */
	if (wcred->sc_supp_groups != smallgroups)
		free(wcred->sc_supp_groups, M_TEMP);

	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setcred_args {
	u_int flags;	/* Flags. */
	const struct setcred *wcred;
	size_t size;	/* Passed 'setcred' structure length. */
};
#endif
/*
 * setcred(2): copy in the 'struct setcred' and hand it to user_setcred().
 * The structure size must match exactly; there is no versioning of the
 * structure here.
 */
/* ARGSUSED */
int
sys_setcred(struct thread *td, struct setcred_args *uap)
{
	struct setcred wcred;
	int error;

	if (uap->size != sizeof(wcred))
		return (EINVAL);
	error = copyin(uap->wcred, &wcred, sizeof(wcred));
	if (error != 0)
		return (error);
	return (user_setcred(td, uap->flags, &wcred));
}

/*
 * CAUTION: This function normalizes groups in 'wcred'.
 *
 * Apply, atomically with respect to the process credentials, every change
 * selected in 'flags' (uids, gids, supplementary groups, MAC label).  The
 * pointers in 'wcred' must already refer to kernel memory (see
 * user_setcred()).  The work is split in three parts: lock-free preparation
 * (allocations, audit, uidinfo lookups), building and checking the new
 * credential under PROC_LOCK, and post-unlock cleanup.
 *
 * Returns 0, EINVAL (bad flags or too many groups), ENOTSUP (label change on
 * a !MAC kernel), EAGAIN (proc_set_cred_enforce_proc_lim() refused the
 * change), or an error from MAC or the privilege check.  Unlike setuid() and
 * friends, a single privilege, PRIV_CRED_SETCRED, gates the whole change.
 */
int
kern_setcred(struct thread *const td, const u_int flags,
    struct setcred *const wcred)
{
	struct proc *const p = td->td_proc;
	struct ucred *new_cred, *old_cred, *to_free_cred = NULL;
	struct uidinfo *uip = NULL, *ruip = NULL;
#ifdef MAC
	void *mac_set_proc_data = NULL;
	bool proc_label_set = false;
#endif
	int error;
	bool cred_set = false;

	/* Bail out on unrecognized flags. */
	if (flags & ~SETCREDF_MASK)
		return (EINVAL);

	/*
	 * Part 1: We allocate and perform preparatory operations with no locks.
	 */

	/* Same caveat as in user_setcred_copyin_supp_groups() about the count's type. */
	if ((flags & SETCREDF_SUPP_GROUPS) != 0 &&
	    wcred->sc_supp_groups_nb > ngroups_max)
		return (EINVAL);

	if (flags & SETCREDF_MAC_LABEL) {
#ifdef MAC
		error = mac_set_proc_prepare(td, wcred->sc_label,
		    &mac_set_proc_data);
		if (error != 0)
			return (error);
#else
		return (ENOTSUP);
#endif
	}

	/* uifind() references are released at the end (see Part 3). */
	if (flags & SETCREDF_UID) {
		AUDIT_ARG_EUID(wcred->sc_uid);
		uip = uifind(wcred->sc_uid);
	}
	if (flags & SETCREDF_RUID) {
		AUDIT_ARG_RUID(wcred->sc_ruid);
		ruip = uifind(wcred->sc_ruid);
	}
	if (flags & SETCREDF_SVUID)
		AUDIT_ARG_SUID(wcred->sc_svuid);

	if (flags & SETCREDF_GID)
		AUDIT_ARG_EGID(wcred->sc_gid);
	if (flags & SETCREDF_RGID)
		AUDIT_ARG_RGID(wcred->sc_rgid);
	if (flags & SETCREDF_SVGID)
		AUDIT_ARG_SGID(wcred->sc_svgid);
	if (flags & SETCREDF_SUPP_GROUPS) {
		/*
		 * Output the raw supplementary groups array for better
		 * traceability.
		 */
		AUDIT_ARG_GROUPSET(wcred->sc_supp_groups,
		    wcred->sc_supp_groups_nb);
		/* May shrink 'sc_supp_groups_nb' (the CAUTION above). */
		groups_normalize(&wcred->sc_supp_groups_nb,
		    wcred->sc_supp_groups);
	}

	/*
	 * We first completely build the new credentials and only then pass them
	 * to MAC along with the old ones so that modules can check whether the
	 * requested transition is allowed.
	 */
	new_cred = crget();
	to_free_cred = new_cred;
	if (flags & SETCREDF_SUPP_GROUPS)
		crextend(new_cred, wcred->sc_supp_groups_nb);

#ifdef MAC
	mac_cred_setcred_enter();
#endif

	/*
	 * Part 2: We grab the process lock as to have a stable view of its
	 * current credentials, and prepare a copy of them with the requested
	 * changes applied under that lock.
	 */

	PROC_LOCK(p);
	old_cred = crcopysafe(p, new_cred);

	/*
	 * Change user IDs.
	 */
	if (flags & SETCREDF_UID)
		change_euid(new_cred, uip);
	if (flags & SETCREDF_RUID)
		change_ruid(new_cred, ruip);
	if (flags & SETCREDF_SVUID)
		change_svuid(new_cred, wcred->sc_svuid);

	/*
	 * Change groups.
	 */
	if (flags & SETCREDF_SUPP_GROUPS)
		crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb,
		    wcred->sc_supp_groups);
	if (flags & SETCREDF_GID)
		change_egid(new_cred, wcred->sc_gid);
	if (flags & SETCREDF_RGID)
		change_rgid(new_cred, wcred->sc_rgid);
	if (flags & SETCREDF_SVGID)
		change_svgid(new_cred, wcred->sc_svgid);

#ifdef MAC
	/*
	 * Change the MAC label.
	 */
	if (flags & SETCREDF_MAC_LABEL) {
		error = mac_set_proc_core(td, new_cred, mac_set_proc_data);
		if (error != 0)
			goto unlock_finish;
		proc_label_set = true;
	}

	/*
	 * MAC security modules checks.
	 */
	error = mac_cred_check_setcred(flags, old_cred, new_cred);
	if (error != 0)
		goto unlock_finish;
#endif
	/*
	 * Privilege check.  Done against the *old* credentials, i.e. the ones
	 * the caller currently holds.
	 */
	error = priv_check_cred(old_cred, PRIV_CRED_SETCRED);
	if (error != 0)
		goto unlock_finish;

#ifdef RACCT
	/*
	 * Hold a reference to 'new_cred', as we need to call some functions on
	 * it after proc_set_cred_enforce_proc_lim().
	 */
	crhold(new_cred);
#endif

	/* Set the new credentials. */
	cred_set = proc_set_cred_enforce_proc_lim(p, new_cred);
	if (cred_set) {
		/* Any successful change marks the process as having changed ids. */
		setsugid(p);
#ifdef RACCT
		/* Adjust RACCT counters. */
		racct_proc_ucred_changed(p, old_cred, new_cred);
#endif
		/* The process now owns 'new_cred'; our reference to the old one goes. */
		to_free_cred = old_cred;
		MPASS(error == 0);
	} else {
#ifdef RACCT
		/* Matches the crhold() just before the containing 'if'. */
		crfree(new_cred);
#endif
		error = EAGAIN;
	}

unlock_finish:
	PROC_UNLOCK(p);

	/*
	 * Part 3: After releasing the process lock, we perform cleanups and
	 * finishing operations.
	 */

#ifdef RACCT
	if (cred_set) {
#ifdef RCTL
		rctl_proc_ucred_changed(p, new_cred);
#endif
		/* Paired with the crhold() above. */
		crfree(new_cred);
	}
#endif

#ifdef MAC
	if (mac_set_proc_data != NULL)
		mac_set_proc_finish(td, proc_label_set, mac_set_proc_data);
	mac_cred_setcred_exit();
#endif
	/* Either the unused 'new_cred' (failure) or the superseded 'old_cred'. */
	crfree(to_free_cred);
	if (uip != NULL)
		uifree(uip);
	if (ruip != NULL)
		uifree(ruip);

	return (error);
}

/*
 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
 * compatible.  It says that setting the uid/gid to euid/egid is a special
 * case of "appropriate privilege".  Once the rules are expanded out, this
 * basically means that setuid(nnn) sets all three id's, in all permitted
 * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
 * does not set the saved id - this is dangerous for traditional BSD
 * programs.  For this reason, we *really* do not want to set
 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
 */
#define POSIX_APPENDIX_B_4_2_2

#ifndef _SYS_SYSPROTO_H_
struct setuid_args {
	uid_t uid;
};
#endif
/*
 * setuid(2).  With POSIX_APPENDIX_B_4_2_2 defined (the default above) and
 * _POSIX_SAVED_IDS not defined, a permitted call sets the real, saved and
 * effective uids to 'uid'.  Permission: the uid equals the real uid (or the
 * effective uid under the B.4.2.2 clause), or PRIV_CRED_SETUID is granted.
 *
 * Returns 0, or the MAC / privilege check error.
 */
/* ARGSUSED */
int
sys_setuid(struct thread *td, struct setuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t uid;
	struct uidinfo *uip;
	int error;

	uid = uap->uid;
	AUDIT_ARG_UID(uid);
	/* Allocate before locking; released on both exit paths. */
	newcred = crget();
	uip = uifind(uid);
	PROC_LOCK(p);
	/*
	 * NOTE(review): unlike sys_seteuid(), sys_setgid(), sys_setegid(),
	 * kern_setgroups() and sys_setreuid() below, no execve_block_pass(td)
	 * call follows PROC_LOCK() here (nor in kern_setcred() above).  Confirm
	 * whether that asymmetry is intentional.
	 */
	/*
	 * Copy credentials so other references do not see our changes.
	 */
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setuid(oldcred, uid);
	if (error)
		goto fail;
#endif

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setuid(geteuid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.
We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setuid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * Notes on the logic.  We do things in three steps.
	 * 1: We determine if the euid is going to change, and do EPERM
	 *    right away.  We unconditionally change the euid later if this
	 *    test is satisfied, simplifying that part of the logic.
	 * 2: We determine if the real and/or saved uids are going to
	 *    change.  Determined by compile options.
	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
	 */
	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
#ifdef _POSIX_SAVED_IDS
	    uid != oldcred->cr_svuid &&		/* allow setuid(saved uid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
#endif
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
		goto fail;

#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or uid == euid)
	 * If so, we are changing the real uid and/or saved uid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
	    uid == oldcred->cr_uid ||
#endif
	    /* We are using privs. */
	    priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
#endif
	/* Without _POSIX_SAVED_IDS this block is unconditional. */
	{
		/*
		 * Set the real uid.
		 */
		if (uid != oldcred->cr_ruid) {
			change_ruid(newcred, uip);
			setsugid(p);
		}
		/*
		 * Set saved uid
		 *
		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
		 * the security of seteuid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (uid != oldcred->cr_svuid) {
			change_svuid(newcred, uid);
			setsugid(p);
		}
	}

	/*
	 * In all permitted cases, we are changing the euid.
	 */
	if (uid != oldcred->cr_uid) {
		change_euid(newcred, uip);
		setsugid(p);
	}

#ifdef RACCT
	racct_proc_ucred_changed(p, oldcred, newcred);
#endif
#ifdef RCTL
	crhold(newcred);
#endif
	/*
	 * Takes over 'newcred''s reference, so 'newcred' must not be used
	 * besides this point except on RCTL where we took an additional
	 * reference above.
	 */
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
#ifdef RCTL
	rctl_proc_ucred_changed(p, newcred);
	crfree(newcred);
#endif
	uifree(uip);
	crfree(oldcred);
	return (0);

fail:
	/* 'newcred' was never installed, so it is the one to drop. */
	PROC_UNLOCK(p);
	uifree(uip);
	crfree(newcred);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct seteuid_args {
	uid_t euid;
};
#endif
/*
 * seteuid(2): change only the effective uid.  Permitted without privilege
 * when 'euid' equals the real or saved uid; otherwise PRIV_CRED_SETEUID is
 * required.  No RACCT/RCTL update is done here, unlike sys_setuid(), since
 * the real uid does not change.
 *
 * Returns 0, or the MAC / privilege check error.
 */
/* ARGSUSED */
int
sys_seteuid(struct thread *td, struct seteuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid;
	struct uidinfo *euip;
	int error;

	euid = uap->euid;
	AUDIT_ARG_EUID(euid);
	newcred = crget();
	euip = uifind(euid);
	PROC_LOCK(p);
	execve_block_pass(td);

	/*
	 * Copy credentials so other references do not see our changes.
	 */
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_seteuid(oldcred, euid);
	if (error)
		goto fail;
#endif

	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
		goto fail;

	/*
	 * Everything's okay, do it.
	 */
	if (oldcred->cr_uid != euid) {
		change_euid(newcred, euip);
		setsugid(p);
	}
	/* proc_set_cred() takes over 'newcred''s reference. */
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	uifree(euip);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	uifree(euip);
	crfree(newcred);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgid_args {
	gid_t gid;
};
#endif
/*
 * setgid(2): the gid counterpart of sys_setuid(), with the same B.4.2.2 /
 * _POSIX_SAVED_IDS structure and PRIV_CRED_SETGID as the privilege.  A
 * permitted call sets the real, saved and effective gids.  No uidinfo is
 * involved for gids.
 *
 * Returns 0, or the MAC / privilege check error.
 */
/* ARGSUSED */
int
sys_setgid(struct thread *td, struct setgid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t gid;
	int error;

	gid = uap->gid;
	AUDIT_ARG_GID(gid);
	newcred = crget();
	PROC_LOCK(p);
	execve_block_pass(td);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setgid(oldcred, gid);
	if (error)
		goto fail;
#endif

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setgid(getegid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setgid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * For notes on the logic here, see setuid() above.
	 */
	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
#ifdef _POSIX_SAVED_IDS
	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    gid != oldcred->cr_gid &&		/* allow setgid(getegid()) */
#endif
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
		goto fail;

#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or gid == egid)
	 * If so, we are changing the real gid and saved gid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
	    gid == oldcred->cr_gid ||
#endif
	    /* We are using privs. */
	    priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
#endif
	/* Without _POSIX_SAVED_IDS this block is unconditional. */
	{
		/*
		 * Set real gid
		 */
		if (oldcred->cr_rgid != gid) {
			change_rgid(newcred, gid);
			setsugid(p);
		}
		/*
		 * Set saved gid
		 *
		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
		 * the security of setegid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (oldcred->cr_svgid != gid) {
			change_svgid(newcred, gid);
			setsugid(p);
		}
	}
	/*
	 * In all permitted cases, we are changing the egid.  'newcred' is
	 * our private copy, so other references do not see our changes.
	 */
	if (oldcred->cr_gid != gid) {
		change_egid(newcred, gid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setegid_args {
	gid_t egid;
};
#endif
/*
 * setegid(2): change only the effective gid.  Permitted without privilege
 * when 'egid' equals the real or saved gid; otherwise PRIV_CRED_SETEGID is
 * required.  Mirrors sys_seteuid().
 *
 * Returns 0, or the MAC / privilege check error.
 */
/* ARGSUSED */
int
sys_setegid(struct thread *td, struct setegid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid;
	int error;

	egid = uap->egid;
	AUDIT_ARG_EGID(egid);
	newcred = crget();
	PROC_LOCK(p);
	execve_block_pass(td);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setegid(oldcred, egid);
	if (error)
		goto fail;
#endif

	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
		goto fail;

	if (oldcred->cr_gid != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}

#ifdef COMPAT_FREEBSD14
/*
 * setgroups(2), FreeBSD < 15.0 ABI: the first element of the list is the
 * egid and the rest are the supplementary groups, hence the "+ 1" on the
 * size limit.  The supplementary part is installed through kern_setgroups()
 * (so a list of size 0 or 1 clears the supplementary groups), and the egid is
 * then applied separately.
 *
 * Returns EINVAL on a negative or too large size, else the copyin() or
 * kern_setgroups() error.
 */
int
freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap)
{
	gid_t smallgroups[CRED_SMALLGROUPS_NB];
	gid_t *groups;
	int gidsetsize, error;

	/*
	 * Before FreeBSD 15.0, we allow one more group to be supplied to
	 * account for the egid appearing before the supplementary groups. This
	 * may technically allow one more supplementary group for systems that
	 * did use the default NGROUPS_MAX if we round it back up to 1024.
	 */
	gidsetsize = uap->gidsetsize;
	if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
		return (EINVAL);

	if (gidsetsize > CRED_SMALLGROUPS_NB)
		groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
	else
		groups = smallgroups;

	error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
	if (error == 0) {
		int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0;

		error = kern_setgroups(td, &ngroups, groups + 1);
		/*
		 * NOTE(review): this stores the egid straight into the
		 * process credential, outside PROC_LOCK and without the
		 * crcopysafe()/proc_set_cred() copy-on-write sequence that
		 * every other credential change in this file uses precisely
		 * so that "other references do not see our changes".  If
		 * p_ucred can be shared at this point (other threads'
		 * td_ucred, or holders of a crhold() reference), this mutates
		 * a credential that is otherwise treated as immutable.  It
		 * also bypasses the mac_cred_check_setegid() and
		 * AUDIT_ARG_EGID() steps that sys_setegid() performs, and the
		 * calling thread's own td_ucred is not necessarily the same
		 * object.  The egid change should presumably go through the
		 * same path as sys_setegid() -- confirm.
		 */
		if (error == 0 && gidsetsize > 0)
			td->td_proc->p_ucred->cr_gid = groups[0];
	}

	if (groups != smallgroups)
		free(groups, M_TEMP);
	return (error);
}
#endif /* COMPAT_FREEBSD14 */

#ifndef _SYS_SYSPROTO_H_
struct setgroups_args {
	int gidsetsize;
	gid_t *gidset;
};
#endif
/*
 * setgroups(2): replace the caller's supplementary groups with the
 * 'gidsetsize' gids at 'gidset' (0 clears them).  The list is copied into a
 * stack buffer when it fits in CRED_SMALLGROUPS_NB entries, else into M_TEMP
 * memory, then handed to kern_setgroups().
 *
 * Returns EINVAL on a negative or too large size, else the copyin() or
 * kern_setgroups() error.
 */
/* ARGSUSED */
int
sys_setgroups(struct thread *td, struct setgroups_args *uap)
{
	gid_t smallgroups[CRED_SMALLGROUPS_NB];
	gid_t *groups;
	int gidsetsize, error;

	/*
	 * Sanity check size now to avoid passing too big a value to copyin(),
	 * even if kern_setgroups() will do it again.
	 *
	 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it
	 * was, in this implementation, for a long time), but POSIX standardized
	 * getgroups() to take an 'int' and it would be quite entrapping to have
	 * setgroups() differ.
	 */
	gidsetsize = uap->gidsetsize;
	if (gidsetsize > ngroups_max || gidsetsize < 0)
		return (EINVAL);

	if (gidsetsize > CRED_SMALLGROUPS_NB)
		groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
	else
		groups = smallgroups;

	error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
	if (error == 0)
		error = kern_setgroups(td, &gidsetsize, groups);

	if (groups != smallgroups)
		free(groups, M_TEMP);
	return (error);
}

/*
 * CAUTION: This function normalizes 'groups', possibly also changing the value
 * of '*ngrpp' as a consequence.
 *
 * Install '*ngrpp' supplementary groups (already in kernel memory) as the
 * caller's.  The count is range-checked and audited, the list normalized,
 * and the change is then applied under PROC_LOCK through a fresh credential
 * (crget()/crextend()/crcopysafe()) after the MAC and PRIV_CRED_SETGROUPS
 * checks against the current credential.  setsugid() is called
 * unconditionally on success.
 *
 * Returns 0, EINVAL on a bad count, or the MAC / privilege check error.
 */
int
kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	int ngrp, error;

	ngrp = *ngrpp;
	/* Sanity check size. */
	if (ngrp < 0 || ngrp > ngroups_max)
		return (EINVAL);

	AUDIT_ARG_GROUPSET(groups, ngrp);

	groups_normalize(&ngrp, groups);
	/* Report the possibly reduced count back to the caller. */
	*ngrpp = ngrp;

	newcred = crget();
	/* Make room for 'ngrp' entries before copying under the lock. */
	crextend(newcred, ngrp);
	PROC_LOCK(p);
	execve_block_pass(td);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	/*
	 * We pass NULL here explicitly if we don't have any supplementary
	 * groups mostly for the sake of normalization, but also to avoid/detect
	 * a situation where a MAC module has some assumption about the layout
	 * of `groups` matching historical behavior.
	 */
	error = mac_cred_check_setgroups(oldcred, ngrp,
	    ngrp == 0 ?
NULL : groups); 1324 if (error) 1325 goto fail; 1326 #endif 1327 1328 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1329 if (error) 1330 goto fail; 1331 1332 crsetgroups_internal(newcred, ngrp, groups); 1333 setsugid(p); 1334 proc_set_cred(p, newcred); 1335 PROC_UNLOCK(p); 1336 crfree(oldcred); 1337 return (0); 1338 1339 fail: 1340 PROC_UNLOCK(p); 1341 crfree(newcred); 1342 return (error); 1343 } 1344 1345 #ifndef _SYS_SYSPROTO_H_ 1346 struct setreuid_args { 1347 uid_t ruid; 1348 uid_t euid; 1349 }; 1350 #endif 1351 /* ARGSUSED */ 1352 int 1353 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1354 { 1355 struct proc *p = td->td_proc; 1356 struct ucred *newcred, *oldcred; 1357 uid_t euid, ruid; 1358 struct uidinfo *euip, *ruip; 1359 int error; 1360 1361 euid = uap->euid; 1362 ruid = uap->ruid; 1363 AUDIT_ARG_EUID(euid); 1364 AUDIT_ARG_RUID(ruid); 1365 newcred = crget(); 1366 euip = uifind(euid); 1367 ruip = uifind(ruid); 1368 PROC_LOCK(p); 1369 execve_block_pass(td); 1370 oldcred = crcopysafe(p, newcred); 1371 1372 #ifdef MAC 1373 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1374 if (error) 1375 goto fail; 1376 #endif 1377 1378 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1379 ruid != oldcred->cr_svuid) || 1380 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1381 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1382 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1383 goto fail; 1384 1385 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1386 change_euid(newcred, euip); 1387 setsugid(p); 1388 } 1389 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1390 change_ruid(newcred, ruip); 1391 setsugid(p); 1392 } 1393 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1394 newcred->cr_svuid != newcred->cr_uid) { 1395 change_svuid(newcred, newcred->cr_uid); 1396 setsugid(p); 1397 } 1398 #ifdef RACCT 1399 racct_proc_ucred_changed(p, oldcred, newcred); 1400 #endif 1401 #ifdef RCTL 1402 
crhold(newcred); 1403 #endif 1404 /* 1405 * Takes over 'newcred''s reference, so 'newcred' must not be used 1406 * besides this point except on RCTL where we took an additional 1407 * reference above. 1408 */ 1409 proc_set_cred(p, newcred); 1410 PROC_UNLOCK(p); 1411 #ifdef RCTL 1412 rctl_proc_ucred_changed(p, newcred); 1413 crfree(newcred); 1414 #endif 1415 uifree(ruip); 1416 uifree(euip); 1417 crfree(oldcred); 1418 return (0); 1419 1420 fail: 1421 PROC_UNLOCK(p); 1422 uifree(ruip); 1423 uifree(euip); 1424 crfree(newcred); 1425 return (error); 1426 } 1427 1428 #ifndef _SYS_SYSPROTO_H_ 1429 struct setregid_args { 1430 gid_t rgid; 1431 gid_t egid; 1432 }; 1433 #endif 1434 /* ARGSUSED */ 1435 int 1436 sys_setregid(struct thread *td, struct setregid_args *uap) 1437 { 1438 struct proc *p = td->td_proc; 1439 struct ucred *newcred, *oldcred; 1440 gid_t egid, rgid; 1441 int error; 1442 1443 egid = uap->egid; 1444 rgid = uap->rgid; 1445 AUDIT_ARG_EGID(egid); 1446 AUDIT_ARG_RGID(rgid); 1447 newcred = crget(); 1448 PROC_LOCK(p); 1449 execve_block_pass(td); 1450 oldcred = crcopysafe(p, newcred); 1451 1452 #ifdef MAC 1453 error = mac_cred_check_setregid(oldcred, rgid, egid); 1454 if (error) 1455 goto fail; 1456 #endif 1457 1458 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1459 rgid != oldcred->cr_svgid) || 1460 (egid != (gid_t)-1 && egid != oldcred->cr_gid && 1461 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1462 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1463 goto fail; 1464 1465 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1466 change_egid(newcred, egid); 1467 setsugid(p); 1468 } 1469 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1470 change_rgid(newcred, rgid); 1471 setsugid(p); 1472 } 1473 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) && 1474 newcred->cr_svgid != newcred->cr_gid) { 1475 change_svgid(newcred, newcred->cr_gid); 1476 setsugid(p); 1477 } 1478 proc_set_cred(p, newcred); 1479 PROC_UNLOCK(p); 
1480 crfree(oldcred); 1481 return (0); 1482 1483 fail: 1484 PROC_UNLOCK(p); 1485 crfree(newcred); 1486 return (error); 1487 } 1488 1489 /* 1490 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1491 * uid is explicit. 1492 */ 1493 #ifndef _SYS_SYSPROTO_H_ 1494 struct setresuid_args { 1495 uid_t ruid; 1496 uid_t euid; 1497 uid_t suid; 1498 }; 1499 #endif 1500 /* ARGSUSED */ 1501 int 1502 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1503 { 1504 struct proc *p = td->td_proc; 1505 struct ucred *newcred, *oldcred; 1506 uid_t euid, ruid, suid; 1507 struct uidinfo *euip, *ruip; 1508 int error; 1509 1510 euid = uap->euid; 1511 ruid = uap->ruid; 1512 suid = uap->suid; 1513 AUDIT_ARG_EUID(euid); 1514 AUDIT_ARG_RUID(ruid); 1515 AUDIT_ARG_SUID(suid); 1516 newcred = crget(); 1517 euip = uifind(euid); 1518 ruip = uifind(ruid); 1519 PROC_LOCK(p); 1520 execve_block_pass(td); 1521 oldcred = crcopysafe(p, newcred); 1522 1523 #ifdef MAC 1524 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1525 if (error) 1526 goto fail; 1527 #endif 1528 1529 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1530 ruid != oldcred->cr_svuid && 1531 ruid != oldcred->cr_uid) || 1532 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1533 euid != oldcred->cr_svuid && 1534 euid != oldcred->cr_uid) || 1535 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1536 suid != oldcred->cr_svuid && 1537 suid != oldcred->cr_uid)) && 1538 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1539 goto fail; 1540 1541 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1542 change_euid(newcred, euip); 1543 setsugid(p); 1544 } 1545 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1546 change_ruid(newcred, ruip); 1547 setsugid(p); 1548 } 1549 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1550 change_svuid(newcred, suid); 1551 setsugid(p); 1552 } 1553 #ifdef RACCT 1554 racct_proc_ucred_changed(p, oldcred, newcred); 1555 #endif 1556 #ifdef RCTL 
1557 crhold(newcred); 1558 #endif 1559 /* 1560 * Takes over 'newcred''s reference, so 'newcred' must not be used 1561 * besides this point except on RCTL where we took an additional 1562 * reference above. 1563 */ 1564 proc_set_cred(p, newcred); 1565 PROC_UNLOCK(p); 1566 #ifdef RCTL 1567 rctl_proc_ucred_changed(p, newcred); 1568 crfree(newcred); 1569 #endif 1570 uifree(ruip); 1571 uifree(euip); 1572 crfree(oldcred); 1573 return (0); 1574 1575 fail: 1576 PROC_UNLOCK(p); 1577 uifree(ruip); 1578 uifree(euip); 1579 crfree(newcred); 1580 return (error); 1581 1582 } 1583 1584 /* 1585 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1586 * gid is explicit. 1587 */ 1588 #ifndef _SYS_SYSPROTO_H_ 1589 struct setresgid_args { 1590 gid_t rgid; 1591 gid_t egid; 1592 gid_t sgid; 1593 }; 1594 #endif 1595 /* ARGSUSED */ 1596 int 1597 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1598 { 1599 struct proc *p = td->td_proc; 1600 struct ucred *newcred, *oldcred; 1601 gid_t egid, rgid, sgid; 1602 int error; 1603 1604 egid = uap->egid; 1605 rgid = uap->rgid; 1606 sgid = uap->sgid; 1607 AUDIT_ARG_EGID(egid); 1608 AUDIT_ARG_RGID(rgid); 1609 AUDIT_ARG_SGID(sgid); 1610 newcred = crget(); 1611 PROC_LOCK(p); 1612 execve_block_pass(td); 1613 oldcred = crcopysafe(p, newcred); 1614 1615 #ifdef MAC 1616 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1617 if (error) 1618 goto fail; 1619 #endif 1620 1621 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1622 rgid != oldcred->cr_svgid && 1623 rgid != oldcred->cr_gid) || 1624 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1625 egid != oldcred->cr_svgid && 1626 egid != oldcred->cr_gid) || 1627 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1628 sgid != oldcred->cr_svgid && 1629 sgid != oldcred->cr_gid)) && 1630 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1631 goto fail; 1632 1633 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1634 change_egid(newcred, egid); 1635 
setsugid(p); 1636 } 1637 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1638 change_rgid(newcred, rgid); 1639 setsugid(p); 1640 } 1641 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1642 change_svgid(newcred, sgid); 1643 setsugid(p); 1644 } 1645 proc_set_cred(p, newcred); 1646 PROC_UNLOCK(p); 1647 crfree(oldcred); 1648 return (0); 1649 1650 fail: 1651 PROC_UNLOCK(p); 1652 crfree(newcred); 1653 return (error); 1654 } 1655 1656 #ifndef _SYS_SYSPROTO_H_ 1657 struct getresuid_args { 1658 uid_t *ruid; 1659 uid_t *euid; 1660 uid_t *suid; 1661 }; 1662 #endif 1663 /* ARGSUSED */ 1664 int 1665 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1666 { 1667 struct ucred *cred; 1668 int error1 = 0, error2 = 0, error3 = 0; 1669 1670 cred = td->td_ucred; 1671 if (uap->ruid) 1672 error1 = copyout(&cred->cr_ruid, 1673 uap->ruid, sizeof(cred->cr_ruid)); 1674 if (uap->euid) 1675 error2 = copyout(&cred->cr_uid, 1676 uap->euid, sizeof(cred->cr_uid)); 1677 if (uap->suid) 1678 error3 = copyout(&cred->cr_svuid, 1679 uap->suid, sizeof(cred->cr_svuid)); 1680 return (error1 ? error1 : error2 ? error2 : error3); 1681 } 1682 1683 #ifndef _SYS_SYSPROTO_H_ 1684 struct getresgid_args { 1685 gid_t *rgid; 1686 gid_t *egid; 1687 gid_t *sgid; 1688 }; 1689 #endif 1690 /* ARGSUSED */ 1691 int 1692 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1693 { 1694 struct ucred *cred; 1695 int error1 = 0, error2 = 0, error3 = 0; 1696 1697 cred = td->td_ucred; 1698 if (uap->rgid) 1699 error1 = copyout(&cred->cr_rgid, 1700 uap->rgid, sizeof(cred->cr_rgid)); 1701 if (uap->egid) 1702 error2 = copyout(&cred->cr_gid, 1703 uap->egid, sizeof(cred->cr_gid)); 1704 if (uap->sgid) 1705 error3 = copyout(&cred->cr_svgid, 1706 uap->sgid, sizeof(cred->cr_svgid)); 1707 return (error1 ? error1 : error2 ? 
error2 : error3);
}

#ifndef _SYS_SYSPROTO_H_
struct issetugid_args {
	int dummy;
};
#endif
/*
 * issetugid(2): report whether the process is "tainted", i.e. whether P_SUGID
 * is set.  The credential setters in this file raise it through setsugid(), so
 * (as the note below explains) it also covers processes that changed ids
 * without a subsequent exec.
 *
 * Returns 0; td_retval[0] is 1 if tainted and 0 otherwise.
 */
/* ARGSUSED */
int
sys_issetugid(struct thread *td, struct issetugid_args *uap)
{
	struct proc *p = td->td_proc;

	/*
	 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
	 * we use P_SUGID because we consider changing the owners as
	 * "tainting" as well.
	 * This is significant for procs that start as root and "become"
	 * a user without an exec - programs cannot know *everything*
	 * that libc *might* have put in their data segment.
	 */
	td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
	return (0);
}

/*
 * __setugid(2): test hook that sets ('flag' == 1) or clears ('flag' == 0) the
 * P_SUGID taint on the calling process.  Only compiled in on REGRESSION
 * kernels (see the FEATURE declaration at the top of the file); elsewhere the
 * call is ENOSYS.
 *
 * Returns 0 on success, EINVAL for any other 'flag', ENOSYS without REGRESSION.
 */
int
sys___setugid(struct thread *td, struct __setugid_args *uap)
{
#ifdef REGRESSION
	struct proc *p;

	p = td->td_proc;
	switch (uap->flag) {
	case 0:
		PROC_LOCK(p);
		p->p_flag &= ~P_SUGID;
		PROC_UNLOCK(p);
		return (0);
	case 1:
		PROC_LOCK(p);
		p->p_flag |= P_SUGID;
		PROC_UNLOCK(p);
		return (0);
	default:
		return (EINVAL);
	}
#else /* !REGRESSION */

	return (ENOSYS);
#endif /* REGRESSION */
}

#ifdef INVARIANTS
/*
 * Assert that 'groups' is normalized: its length passes
 * groups_check_positive_len()/groups_check_max_len() and the gids are in
 * strictly ascending order (hence no duplicates).  Panics otherwise.
 * Compiled out (see the macro below) on non-INVARIANTS kernels.
 */
static void
groups_check_normalized(int ngrp, const gid_t *groups)
{
	gid_t prev_g;

	groups_check_positive_len(ngrp);
	groups_check_max_len(ngrp);

	/* Zero or one element is trivially sorted. */
	if (ngrp <= 1)
		return;

	prev_g = groups[0];
	for (int i = 1; i < ngrp; ++i) {
		const gid_t g = groups[i];

		/* '>=' also rejects equal neighbours, i.e. duplicates. */
		if (prev_g >= g)
			panic("%s: groups[%d] (%u) >= groups[%d] (%u)",
			    __func__, i - 1, prev_g, i, g);
		prev_g = g;
	}
}
#else
#define groups_check_normalized(...)
#endif

/*
 * Returns whether gid designates a supplementary group in cred.
 *
 * Binary search over cr_groups; this relies on the set having been normalized
 * (sorted ascending, no duplicates) by crsetgroups(), which is asserted on
 * INVARIANTS kernels.
 */
bool
group_is_supplementary(const gid_t gid, const struct ucred *const cred)
{

	groups_check_normalized(cred->cr_ngroups, cred->cr_groups);

	/*
	 * Perform a binary search of the supplementary groups. This is
	 * possible because we sort the groups in crsetgroups().
	 */
	return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups,
	    sizeof(gid), gidp_cmp) != NULL);
}

/*
 * Check if gid is a member of the (effective) group set (i.e., effective and
 * supplementary groups).
 */
bool
groupmember(gid_t gid, const struct ucred *cred)
{

	groups_check_positive_len(cred->cr_ngroups);

	if (gid == cred->cr_gid)
		return (true);

	return (group_is_supplementary(gid, cred));
}

/*
 * Check if gid is a member of the real group set (i.e., real and supplementary
 * groups).  Same as groupmember() but keyed on cr_rgid instead of cr_gid; used
 * by the see_other_gids visibility policy below.
 */
bool
realgroupmember(gid_t gid, const struct ucred *cred)
{
	groups_check_positive_len(cred->cr_ngroups);

	if (gid == cred->cr_rgid)
		return (true);

	return (group_is_supplementary(gid, cred));
}

/*
 * Test the active securelevel against a given level.  securelevel_gt()
 * implements (securelevel > level).  securelevel_ge() implements
 * (securelevel >= level).  Note that the logic is inverted -- these
 * functions return EPERM on "success" and 0 on "failure".
 *
 * Due to care taken when setting the securelevel, we know that no jail will
 * be less secure than its parent (or the physical system), so it is sufficient
 * to test the current jail only.
 *
 * XXXRW: Possibly since this has to do with privilege, it should move to
 * kern_priv.c.
 */
int
securelevel_gt(struct ucred *cr, int level)
{

	return (cr->cr_prison->pr_securelevel > level ?
	    EPERM : 0);
}

int
securelevel_ge(struct ucred *cr, int level)
{

	return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
}

/*
 * 'see_other_uids' determines whether or not visibility of processes
 * and sockets with credentials holding different real uids is possible
 * using a variety of system MIBs.
 * XXX: data declarations should be together near the beginning of the file.
 */
static int see_other_uids = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
    &see_other_uids, 0,
    "Unprivileged processes may see subjects/objects with different real uid");

/*-
 * Determine if u1 "can see" the subject specified by u2, according to the
 * 'see_other_uids' policy.
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 *
 * Only the real uids are compared; effective uids play no part in this
 * policy.  With the policy in force, PRIV_SEEOTHERUIDS overrides it.
 */
static int
cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
{

	if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
		if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0)
			return (ESRCH);
	}
	return (0);
}

/*
 * 'see_other_gids' determines whether or not visibility of processes
 * and sockets with credentials holding different real gids is possible
 * using a variety of system MIBs.
 * XXX: data declarations should be together near the beginning of the file.
 */
static int see_other_gids = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
    &see_other_gids, 0,
    "Unprivileged processes may see subjects/objects with different real gid");

/*
 * Determine if u1 can "see" the subject specified by u2, according to the
 * 'see_other_gids' policy.
* Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 *
 * With the policy in force, u1 sees u2 if u1's real gid or any of u1's
 * supplementary groups belongs to u2's *real* group set (cr_rgid plus
 * supplementary groups, see realgroupmember()), or if u1 holds
 * PRIV_SEEOTHERGIDS.  Effective gids are not consulted.
 */
static int
cr_canseeothergids(struct ucred *u1, struct ucred *u2)
{
	if (see_other_gids)
		return (0);

	/* Restriction in force. */

	if (realgroupmember(u1->cr_rgid, u2))
		return (0);

	for (int i = 0; i < u1->cr_ngroups; i++)
		if (realgroupmember(u1->cr_groups[i], u2))
			return (0);

	if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0)
		return (0);

	return (ESRCH);
}

/*
 * 'see_jail_proc' determines whether or not visibility of processes and
 * sockets with credentials holding different jail ids is possible using a
 * variety of system MIBs.
 *
 * XXX: data declarations should be together near the beginning of the file.
 */

static int see_jail_proc = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
    &see_jail_proc, 0,
    "Unprivileged processes may see subjects/objects with different jail ids");

/*-
 * Determine if u1 "can see" the subject specified by u2, according to the
 * 'see_jail_proc' policy.
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 *
 * This compares prison identity only; the parent/child jail relationship is
 * left to prison_check(), which the cr_cansee()-style callers in this file run
 * before cr_bsd_visible().
 */
static int
cr_canseejailproc(struct ucred *u1, struct ucred *u2)
{
	if (see_jail_proc || /* Policy deactivated. */
	    u1->cr_prison == u2->cr_prison || /* Same jail. */
	    priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
		return (0);

	return (ESRCH);
}

/*
 * Determine if u1 can tamper with the subject specified by u2, if they are in
 * different jails and 'unprivileged_parent_tampering' jail policy allows it.
 *
 * May be called if u1 and u2 are in the same jail, but it is expected that the
 * caller has already done a prison_check() prior to calling it.
 *
 * 'priv' is the operation-specific privilege (one of the PRIV_*_DIFFJAIL
 * values passed by the callers below) that lets u1 override the policy.  Note
 * that PR_ALLOW_UNPRIV_PARENT_TAMPER is read from u2's prison, i.e. it is the
 * *target* jail that opts in to being tampered with from a parent.
 *
 * Returns: 0 for permitted, EPERM otherwise
 */
static int
cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv)
{

	MPASS(prison_check(u1, u2) == 0);
	if (u1->cr_prison == u2->cr_prison)
		return (0);

	if (priv_check_cred(u1, priv) == 0)
		return (0);

	/*
	 * Jails do not maintain a distinct UID space, so process visibility is
	 * all that would control an unprivileged process' ability to tamper
	 * with a process in a subjail by default if we did not have the
	 * allow.unprivileged_parent_tampering knob to restrict it by default.
	 */
	if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER))
		return (0);

	return (EPERM);
}

/*
 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
 * policies. Determines if u1 "can see" u2 according to these policies.
 * Returns: 0 for permitted, ESRCH otherwise
 *
 * The three policies are evaluated in order (uids, gids, jail) and the first
 * denial wins.  Each of them returns ESRCH, so the caller learns only that
 * visibility was denied, not by which policy.
 */
int
cr_bsd_visible(struct ucred *u1, struct ucred *u2)
{
	int error;

	error = cr_canseeotheruids(u1, u2);
	if (error != 0)
		return (error);
	error = cr_canseeothergids(u1, u2);
	if (error != 0)
		return (error);
	error = cr_canseejailproc(u1, u2);
	if (error != 0)
		return (error);
	return (0);
}

/*-
 * Determine if u1 "can see" the subject specified by u2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 *
 * Check order: jail containment (prison_check()), then the MAC framework,
 * then the security.bsd.see_* policies.  Errors propagate unchanged, so the
 * errno the caller sees depends on which layer denied.
 */
int
cr_cansee(struct ucred *u1, struct ucred *u2)
{
	int error;

	if ((error = prison_check(u1, u2)))
		return (error);
#ifdef MAC
	if ((error = mac_cred_check_visible(u1, u2)))
		return (error);
#endif
	if ((error = cr_bsd_visible(u1, u2)))
		return (error);
	return (0);
}

/*-
 * Determine if td "can see" the subject specified by p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
 * should be curthread.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansee(struct thread *td, struct proc *p)
{
	/* Wrap cr_cansee() for all functionality. */
	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);

	/* A process can always see itself. */
	if (td->td_proc == p)
		return (0);
	return (cr_cansee(td->td_ucred, p->p_ucred));
}

/*
 * 'conservative_signals' prevents the delivery of a broad class of
 * signals by unprivileged processes to processes that have changed their
 * credentials since the last invocation of execve(). This can prevent
 * the leakage of cached information or retained privileges as a result
 * of a common class of signal-related vulnerabilities. However, this
 * may interfere with some applications that expect to be able to
 * deliver these signals to peer processes after having given up
 * privilege.
*/
static int conservative_signals = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
    &conservative_signals, 0, "Unprivileged processes prevented from "
    "sending certain signals to processes whose credentials have changed");
/*-
 * Determine whether cred may deliver the specified signal to proc.
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
 *
 * Checks, in order: jail containment, MAC, the security.bsd.see_* visibility
 * policies, the conservative_signals restriction for P_SUGID targets, the uid
 * relationship between subject and target, and finally the cross-jail
 * tampering policy.  The last three may each be satisfied by the
 * corresponding PRIV_SIGNAL_* privilege instead.
 */
int
cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
	int error;

	PROC_LOCK_ASSERT(proc, MA_OWNED);
	/*
	 * Jail semantics limit the scope of signalling to proc in the
	 * same jail as cred, if cred is in jail.
	 */
	error = prison_check(cred, proc->p_ucred);
	if (error)
		return (error);
#ifdef MAC
	if ((error = mac_proc_check_signal(cred, proc, signum)))
		return (error);
#endif
	if ((error = cr_bsd_visible(cred, proc->p_ucred)))
		return (error);

	/*
	 * UNIX signal semantics depend on the status of the P_SUGID
	 * bit on the target process. If the bit is set, then additional
	 * restrictions are placed on the set of available signals.
	 */
	if (conservative_signals && (proc->p_flag & P_SUGID)) {
		switch (signum) {
		case 0:
		case SIGKILL:
		case SIGINT:
		case SIGTERM:
		case SIGALRM:
		case SIGSTOP:
		case SIGTTIN:
		case SIGTTOU:
		case SIGTSTP:
		case SIGHUP:
		case SIGUSR1:
		case SIGUSR2:
			/*
			 * Generally, permit job and terminal control
			 * signals.  Signal 0 (kill(2)'s existence probe) is
			 * let through as well.
			 */
			break;
		default:
			/* Not permitted without privilege. */
			error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
			if (error)
				return (error);
		}
	}

	/*
	 * Generally, the target credential's ruid or svuid must match the
	 * subject credential's ruid or euid.
	 */
	if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
	    cred->cr_ruid != proc->p_ucred->cr_svuid &&
	    cred->cr_uid != proc->p_ucred->cr_ruid &&
	    cred->cr_uid != proc->p_ucred->cr_svuid) {
		error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
		if (error)
			return (error);
	}

	/*
	 * At this point, the target may be in a different jail than the
	 * subject -- the subject must be in a parent jail to the target,
	 * whether it is prison0 or a subordinate of prison0 that has
	 * children. Additional privileges are required to allow this, as
	 * whether the creds are truly equivalent or not must be determined on
	 * a case-by-case basis.
	 */
	error = cr_can_tamper_with_subjail(cred, proc->p_ucred,
	    PRIV_SIGNAL_DIFFJAIL);
	if (error)
		return (error);

	return (0);
}

/*-
 * Determine whether td may deliver the specified signal to p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must be
 * held for p.
 * References: td and p must be valid for the lifetime of the call
 *
 * Two process-relationship exemptions bypass cr_cansignal() entirely: SIGCONT
 * within the same session, and the SIGTHR..SIGTHR+3 range between processes
 * sharing a p_leader (rfork(2) peers).
 */
int
p_cansignal(struct thread *td, struct proc *p, int signum)
{

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	/* A process may always signal itself. */
	if (td->td_proc == p)
		return (0);

	/*
	 * UNIX signalling semantics require that processes in the same
	 * session always be able to deliver SIGCONT to one another,
	 * overriding the remaining protections.
	 */
	/* XXX: This will require an additional lock of some sort. */
	if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
		return (0);
	/*
	 * Some compat layers use SIGTHR and higher signals for
	 * communication between different kernel threads of the same
	 * process, so that they expect that it's always possible to
	 * deliver them, even for suid applications where cr_cansignal() can
	 * deny such ability for security consideration. It should be
	 * pretty safe to do since the only way to create two processes
	 * with the same p_leader is via rfork(2).
	 */
	if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
	    signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
		return (0);

	return (cr_cansignal(td->td_ucred, p, signum));
}

/*-
 * Determine whether td may reschedule p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must
 * be held for p.
* References: td and p must be valid for the lifetime of the call
 */
int
p_cansched(struct thread *td, struct proc *p)
{
	int error;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	/* A process may always reschedule itself. */
	if (td->td_proc == p)
		return (0);
	if ((error = prison_check(td->td_ucred, p->p_ucred)))
		return (error);
#ifdef MAC
	if ((error = mac_proc_check_sched(td->td_ucred, p)))
		return (error);
#endif
	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
		return (error);

	/*
	 * The target's real uid must match the subject's real or effective
	 * uid; unlike cr_cansignal(), the target's saved uid is not consulted.
	 */
	if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
	    td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
		error = priv_check(td, PRIV_SCHED_DIFFCRED);
		if (error)
			return (error);
	}

	error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
	    PRIV_SCHED_DIFFJAIL);
	if (error)
		return (error);

	return (0);
}

/*
 * Handle getting or setting the prison's unprivileged_proc_debug
 * value.
 *
 * Reads report the PR_ALLOW_UNPRIV_DEBUG flag of the requesting thread's
 * prison; writes accept only 0 or 1 (EINVAL otherwise) and update that
 * prison's flag.  The value is therefore per-jail rather than global.
 */
static int
sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
{
	int error, val;

	val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG);
	error = sysctl_handle_int(oidp, &val, 0, req);
	/* Read-only request, or the write failed: nothing to update. */
	if (error != 0 || req->newptr == NULL)
		return (error);
	if (val != 0 && val != 1)
		return (EINVAL);
	prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val);
	return (0);
}

/*
 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 * unprivileged inter-process debugging services, including some procfs
 * functionality, ptrace(), and ktrace(). In the past, inter-process
 * debugging has been involved in a variety of security problems, and sites
 * not requiring the service might choose to disable it when hardening
 * systems.
 */
SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
    CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
    "Unprivileged processes may use process debugging facilities");

/*
 * Return true if the object owner/group ids are subset of the active
 * credentials.
 *
 * Specifically: every gid of obj_cred (egid, rgid, svgid and the
 * supplementary groups) must be in active_cred's effective group set, and all
 * three uids of obj_cred must equal active_cred's effective uid.
 */
bool
cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
{
	int i;
	bool grpsubset, uidsubset;

	/*
	 * Is obj_cred's group set a subset of active_cred's effective group
	 * set?  This includes obj_cred's egid, group access list, rgid, and
	 * svgid.
	 */
	grpsubset = true;
	for (i = 0; i < obj_cred->cr_ngroups; i++) {
		if (!groupmember(obj_cred->cr_groups[i], active_cred)) {
			grpsubset = false;
			break;
		}
	}
	grpsubset = grpsubset &&
	    groupmember(obj_cred->cr_gid, active_cred) &&
	    groupmember(obj_cred->cr_rgid, active_cred) &&
	    groupmember(obj_cred->cr_svgid, active_cred);

	/*
	 * Are the uids present in obj_cred's credential equal to
	 * active_cred's effective uid? This includes obj_cred's
	 * euid, svuid, and ruid.
	 */
	uidsubset = (active_cred->cr_uid == obj_cred->cr_uid &&
	    active_cred->cr_uid == obj_cred->cr_svuid &&
	    active_cred->cr_uid == obj_cred->cr_ruid);

	return (uidsubset && grpsubset);
}

/*-
 * Determine whether td may debug p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must
 * be held for p.
 * References: td and p must be valid for the lifetime of the call
 *
 * Check order: PRIV_DEBUG_UNPRIV (presumably where the per-jail
 * unprivileged_proc_debug knob above takes effect; the mapping is not in this
 * file -- verify in priv_check()), jail containment, MAC, the see_* visibility
 * policies, credential subset (PRIV_DEBUG_DIFFCRED), P_SUGID taint
 * (PRIV_DEBUG_SUGID), cross-jail tampering (PRIV_DEBUG_DIFFJAIL), init at
 * securelevel > 0, an in-progress exec (EBUSY, no privilege override), and the
 * P2_NOTRACE opt-out (PRIV_DEBUG_DENIED).
 */
int
p_candebug(struct thread *td, struct proc *p)
{
	int error;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	/* A process may always debug itself. */
	if (td->td_proc == p)
		return (0);
	if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
		return (error);
	if ((error = prison_check(td->td_ucred, p->p_ucred)))
		return (error);
#ifdef MAC
	if ((error = mac_proc_check_debug(td->td_ucred, p)))
		return (error);
#endif
	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
		return (error);

	/*
	 * If p's gids aren't a subset, or the uids aren't a subset,
	 * or the credential has changed, require appropriate privilege
	 * for td to debug p.
	 */
	if (!cr_xids_subset(td->td_ucred, p->p_ucred)) {
		error = priv_check(td, PRIV_DEBUG_DIFFCRED);
		if (error)
			return (error);
	}

	/*
	 * Has the credential of the process changed since the last exec()?
	 */
	if ((p->p_flag & P_SUGID) != 0) {
		error = priv_check(td, PRIV_DEBUG_SUGID);
		if (error)
			return (error);
	}

	error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
	    PRIV_DEBUG_DIFFJAIL);
	if (error)
		return (error);

	/* Can't trace init when securelevel > 0. */
	if (p == initproc) {
		error = securelevel_gt(td->td_ucred, 0);
		if (error)
			return (error);
	}

	/*
	 * Can't trace a process that's currently exec'ing. Otherwise
	 * the process vmspace might change, and the target might be
	 * loading a setugid image. The execve_block(9) and
	 * proc_vmspace_ref(9) allow to get the stable credentials and
	 * vmspace reference.
	 */
	if ((p->p_flag & P_INEXEC) != 0)
		return (EBUSY);

	/* Denied explicitly */
	if ((p->p_flag2 & P2_NOTRACE) != 0) {
		error = priv_check(td, PRIV_DEBUG_DENIED);
		if (error != 0)
			return (error);
	}

	return (0);
}

/*-
 * Determine whether the subject represented by cred can "see" a socket.
 * Returns: 0 for permitted, ENOENT otherwise.
 *
 * Jail and see_* policy denials are both collapsed to ENOENT (presumably so a
 * socket outside the subject's view is indistinguishable from a nonexistent
 * one); a MAC denial, by contrast, is returned as-is.
 */
int
cr_canseesocket(struct ucred *cred, struct socket *so)
{
	int error;

	error = prison_check(cred, so->so_cred);
	if (error)
		return (ENOENT);
#ifdef MAC
	error = mac_socket_check_visible(cred, so);
	if (error)
		return (error);
#endif
	if (cr_bsd_visible(cred, so->so_cred))
		return (ENOENT);

	return (0);
}

/*-
 * Determine whether td can wait for the exit of p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must
 * be held for p.
 * References: td and p must be valid for the lifetime of the call
 *
 * Unlike the other p_can*() checks, the security.bsd.see_* policies are
 * deliberately not applied here (see the disabled block below).
 */
int
p_canwait(struct thread *td, struct proc *p)
{
	int error;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	if ((error = prison_check(td->td_ucred, p->p_ucred)))
		return (error);
#ifdef MAC
	if ((error = mac_proc_check_wait(td->td_ucred, p)))
		return (error);
#endif
#if 0
	/* XXXMAC: This could have odd effects on some shells. */
	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
		return (error);
#endif

	return (0);
}

/*
 * Credential management.
 *
 * struct ucred objects are rarely allocated but gain and lose references all
 * the time (e.g., on struct file alloc/dealloc), turning refcount updates into
 * a significant source of cache-line ping-ponging.  Common cases are worked
 * around by modifying a thread-local counter instead, if the cred to operate
 * on matches td_realucred.
 *
 * The counter is split into 2 parts:
 * - cr_users -- total count of all struct proc and struct thread objects
 *   which have the given cred in p_ucred and td_ucred respectively
 * - cr_ref -- the actual ref count, only valid if cr_users == 0
 *
 * If cr_users == 0 then cr_ref behaves similarly to refcount(9); in particular,
 * if the count reaches 0 the object is freeable.
 * If cr_users > 0 and curthread->td_realucred == cred, then updates are
 * performed against td_ucredref.
 * In other cases updates are performed against cr_ref.
 *
 * Changing td_realucred into something else decrements cr_users and transfers
 * accumulated updates.
*/
/*
 * Take a COW ("users") reference on 'cr' for a new struct proc/thread holder.
 *
 * Both counters are bumped: cr_users because one more proc/thread will point
 * at the cred, and cr_ref because every user also accounts for one plain
 * reference, which crunuse()/crunusebatch() give back when the user goes
 * away.  The cred must already have at least one user.
 */
struct ucred *
crcowget(struct ucred *cr)
{

	mtx_lock(&cr->cr_mtx);
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	cr->cr_users++;
	cr->cr_ref++;
	mtx_unlock(&cr->cr_mtx);
	return (cr);
}

/*
 * Drop the calling thread's COW reference to its real credential.
 *
 * Folds the thread-local td_ucredref delta (which may be negative, see
 * crfree()) into cr_ref and drops one user.  Returns the cred when this was
 * its last user -- the caller must then crfree() it, which settles the
 * per-user reference -- or NULL when other users remain, in which case the
 * per-user reference is dropped here directly.  td_realucred is cleared in
 * both cases.
 */
static struct ucred *
crunuse(struct thread *td)
{
	struct ucred *cr, *crold;

	MPASS(td->td_realucred == td->td_ucred);
	cr = td->td_realucred;
	mtx_lock(&cr->cr_mtx);
	/* Transfer the accumulated thread-local delta. */
	cr->cr_ref += td->td_ucredref;
	td->td_ucredref = 0;
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	cr->cr_users--;
	if (cr->cr_users == 0) {
		KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
		    __func__, cr->cr_ref, cr));
		crold = cr;
	} else {
		cr->cr_ref--;
		crold = NULL;
	}
	mtx_unlock(&cr->cr_mtx);
	td->td_realucred = NULL;
	return (crold);
}

/*
 * Drop 'users' COW references and apply a batched ref delta at once.
 *
 * Used by credbatch_*() to retire several threads sharing one cred with a
 * single lock acquisition.  Frees the cred if this removed its last user and
 * no plain references remain; crfree_final() is then entered with cr_mtx
 * still held and is responsible for tearing the mutex down.  Note the
 * message of the second KASSERT says "not >" while the condition actually
 * checked is ">=".
 */
static void
crunusebatch(struct ucred *cr, u_int users, long ref)
{

	KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
	    __func__, users, cr));
	mtx_lock(&cr->cr_mtx);
	KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
	    __func__, cr->cr_users, users, cr));
	cr->cr_users -= users;
	cr->cr_ref += ref;
	/* Each retired user gives back the reference it accounted for. */
	cr->cr_ref -= users;
	if (cr->cr_users > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
	    __func__, cr->cr_ref, cr));
	if (cr->cr_ref > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	crfree_final(cr);
}

/*
 * Release the calling thread's real credential.
 * Frees the cred when crunuse() reports that this was its last user.
 */
void
crcowfree(struct thread *td)
{
	struct ucred *cr;

	cr = crunuse(td);
	if (cr != NULL)
		crfree(cr);
}

/*
 * Re-synchronize the current thread's credential with its process'.
 *
 * Called with the process lock held.  If p_ucred has been replaced since the
 * thread last synced (see _proc_set_cred()), the thread takes a COW reference
 * on the new cred and releases its old one.  Returns the old cred when the
 * caller must crfree() it (the thread was its last user), or NULL when
 * nothing changed or other users remain.
 */
struct ucred *
crcowsync(void)
{
	struct thread *td;
	struct proc *p;
	struct ucred *crnew, *crold;

	td = curthread;
	p = td->td_proc;
	PROC_LOCK_ASSERT(p, MA_OWNED);

	MPASS(td->td_realucred == td->td_ucred);
	if (td->td_realucred == p->p_ucred)
		return (NULL);

	crnew = crcowget(p->p_ucred);
	crold = crunuse(td);
	td->td_realucred = crnew;
	td->td_ucred = td->td_realucred;
	return (crold);
}

/*
 * Batching.
 *
 * A struct credbatch accumulates the COW references of several inactive
 * threads so that they can be released with one crunusebatch() call per
 * distinct cred instead of one lock round-trip per thread.
 */

/*
 * Add an inactive thread's real credential to the batch.
 *
 * If the batch currently holds a different cred, it is flushed first.  The
 * thread's td_ucredref delta is folded into the batch and its td_realucred is
 * cleared, i.e. the thread no longer owns a credential after this call.
 */
void
credbatch_add(struct credbatch *crb, struct thread *td)
{
	struct ucred *cr;

	MPASS(td->td_realucred != NULL);
	MPASS(td->td_realucred == td->td_ucred);
	MPASS(TD_GET_STATE(td) == TDS_INACTIVE);
	cr = td->td_realucred;
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	if (crb->cred != cr) {
		if (crb->users > 0) {
			MPASS(crb->cred != NULL);
			crunusebatch(crb->cred, crb->users, crb->ref);
			crb->users = 0;
			crb->ref = 0;
		}
	}
	crb->cred = cr;
	crb->users++;
	crb->ref += td->td_ucredref;
	td->td_ucredref = 0;
	td->td_realucred = NULL;
}

/*
 * Flush whatever the batch still holds.  Must be called once after the last
 * credbatch_add(); the batch must not be empty.
 */
void
credbatch_final(struct credbatch *crb)
{

	MPASS(crb->cred != NULL);
	MPASS(crb->users > 0);
	crunusebatch(crb->cred, crb->users, crb->ref);
}

/*
 * Allocate a zeroed cred structure.
 *
 * The new cred starts with cr_ref == 1 and no users, i.e. an exclusive
 * reference owned by the caller, and its supplementary group storage points
 * at the embedded cr_smallgroups array.  Fields such as cr_uidinfo,
 * cr_prison and cr_loginclass are left NULL (crfree_final() tolerates that);
 * callers typically fill them in via crcopy().  May sleep (M_WAITOK).
 */
struct ucred *
crget(void)
{
	struct ucred *cr;

	cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
	mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
	cr->cr_ref = 1;
#ifdef AUDIT
	audit_cred_init(cr);
#endif
#ifdef MAC
	mac_cred_init(cr);
#endif
	cr->cr_groups = cr->cr_smallgroups;
	cr->cr_agroups = nitems(cr->cr_smallgroups);
	return (cr);
}

/*
 * Claim another reference to a ucred structure.
*/
struct ucred *
crhold(struct ucred *cr)
{
	struct thread *td;

	td = curthread;
	/*
	 * Fast path: the cred is the current thread's real credential, so
	 * the reference is accounted in the lock-free thread-local counter and
	 * only settled into cr_ref by crunuse()/credbatch_add().
	 */
	if (__predict_true(td->td_realucred == cr)) {
		KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
		    __func__, cr->cr_users, cr));
		td->td_ucredref++;
		return (cr);
	}
	mtx_lock(&cr->cr_mtx);
	cr->cr_ref++;
	mtx_unlock(&cr->cr_mtx);
	return (cr);
}

/*
 * Free a cred structure.  Throws away space when ref count gets to 0.
 *
 * Mirror image of crhold(): a release on the current thread's real cred is
 * recorded in td_ucredref (which may go negative) without taking the lock;
 * otherwise cr_ref is decremented under cr_mtx and the cred is destroyed once
 * it has neither users nor references.
 */
void
crfree(struct ucred *cr)
{
	struct thread *td;

	td = curthread;
	if (__predict_true(td->td_realucred == cr)) {
		KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
		    __func__, cr->cr_users, cr));
		td->td_ucredref--;
		return;
	}
	mtx_lock(&cr->cr_mtx);
	KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
	    __func__, cr->cr_users, cr));
	cr->cr_ref--;
	/* While there are users, cr_ref is only a partial count: never free. */
	if (cr->cr_users > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
	    __func__, cr->cr_ref, cr));
	if (cr->cr_ref > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	crfree_final(cr);
}

/*
 * Tear down a cred that has no users and no references left.
 *
 * Entered with cr_mtx held by the caller (crfree()/crunusebatch()); the
 * mutex is destroyed here.  Releases the uidinfo, prison and login class
 * references (taken by crcopy()/change_*uid()), the audit and MAC state, and
 * the out-of-line group array if crextend() allocated one.
 */
static void
crfree_final(struct ucred *cr)
{

	KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
	    __func__, cr->cr_users, cr));
	KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p",
	    __func__, cr->cr_ref, cr));

	/*
	 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
	 * credential, but don't allocate a uidinfo structure.
	 */
	if (cr->cr_uidinfo != NULL)
		uifree(cr->cr_uidinfo);
	if (cr->cr_ruidinfo != NULL)
		uifree(cr->cr_ruidinfo);
	if (cr->cr_prison != NULL)
		prison_free(cr->cr_prison);
	if (cr->cr_loginclass != NULL)
		loginclass_free(cr->cr_loginclass);
#ifdef AUDIT
	audit_cred_destroy(cr);
#endif
#ifdef MAC
	mac_cred_destroy(cr);
#endif
	mtx_destroy(&cr->cr_mtx);
	if (cr->cr_groups != cr->cr_smallgroups)
		free(cr->cr_groups, M_CRED);
	free(cr, M_CRED);
}

/*
 * Copy a ucred's contents from a template.  Does not block.
 *
 * Copies the [cr_startcopy, cr_endcopy) range and cr_flags verbatim, installs
 * the supplementary groups with crsetgroups(), and takes fresh references on
 * the uidinfo, prison and login class now shared with 'src'.  'dest' must be
 * exclusively owned.
 *
 * NOTE(review): "Does not block" only holds when 'dest' already has room for
 * src's groups -- crsetgroups() otherwise grows the array with M_WAITOK.
 * Callers that cannot sleep must size 'dest' first (see crcopysafe()).
 */
void
crcopy(struct ucred *dest, struct ucred *src)
{

	bcopy(&src->cr_startcopy, &dest->cr_startcopy,
	    (unsigned)((caddr_t)&src->cr_endcopy -
	    (caddr_t)&src->cr_startcopy));
	dest->cr_flags = src->cr_flags;
	crsetgroups(dest, src->cr_ngroups, src->cr_groups);
	uihold(dest->cr_uidinfo);
	uihold(dest->cr_ruidinfo);
	prison_hold(dest->cr_prison);
	loginclass_hold(dest->cr_loginclass);
#ifdef AUDIT
	audit_cred_copy(src, dest);
#endif
#ifdef MAC
	mac_cred_copy(src, dest);
#endif
}

/*
 * Dup cred struct to a new held one.
 *
 * The result carries the single exclusive reference from crget() and shares
 * uidinfo/prison/login class with 'cr' by reference.  May sleep.
 */
struct ucred *
crdup(struct ucred *cr)
{
	struct ucred *newcr;

	newcr = crget();
	crcopy(newcr, cr);
	return (newcr);
}

/*
 * Fill in a struct xucred based on a struct ucred.
 *
 * Only the effective uid/gid and the supplementary groups are exported; the
 * group list is silently truncated to what xucred can hold.  cr_pid is left
 * zeroed here (see cru2xt()).
 */
void
cru2x(struct ucred *cr, struct xucred *xcr)
{
	int ngroups;

	bzero(xcr, sizeof(*xcr));
	xcr->cr_version = XUCRED_VERSION;
	xcr->cr_uid = cr->cr_uid;
	xcr->cr_gid = cr->cr_gid;

	/*
	 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so
	 * this is kind of ugly; cr_ngroups still includes the egid for our
	 * purposes to avoid bumping the xucred version.
	 */
	ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups));
	xcr->cr_ngroups = ngroups;
	/* ngroups - 1 supplementary entries follow the aliased egid. */
	bcopy(cr->cr_groups, xcr->cr_sgroups,
	    (ngroups - 1) * sizeof(*cr->cr_groups));
}

/*
 * Like cru2x() for the thread's credential, additionally recording the pid
 * of the thread's process.
 */
void
cru2xt(struct thread *td, struct xucred *xcr)
{

	cru2x(td->td_ucred, xcr);
	xcr->cr_pid = td->td_proc->p_pid;
}

/*
 * Change process credentials.
 *
 * Callers are responsible for providing the reference for passed credentials
 * and for freeing old ones.  Calls chgproccnt() to correctly account the
 * current process to the proper real UID, if the latter has changed.  Returns
 * whether the operation was successful.  Failure can happen only on
 * 'enforce_proc_lim' being true and if no new process can be accounted to the
 * new real UID because of the current limit (see the inner comment for more
 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override
 * that.  In this case, the reference to 'newcred' is not taken over.
 *
 * The process lock must be held.  The process is accounted to the new real
 * UID *before* the swap and removed from the old one only afterwards, so it
 * is never unaccounted in between; the privilege to bypass RLIMIT_NPROC is
 * checked against the *old* credential, i.e. the one the process actually
 * holds at this point.  Threads pick up the new p_ucred lazily through
 * crcowsync(); PROC_UPDATE_COW() presumably signals them to do so.
 */
static bool
_proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim)
{
	struct ucred *const oldcred = p->p_ucred;

	MPASS(oldcred != NULL);
	PROC_LOCK_ASSERT(p, MA_OWNED);

	if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) {
		/*
		 * XXXOC: This check is flawed but nonetheless the best we can
		 * currently do as we don't really track limits per UID contrary
		 * to what we pretend in setrlimit(2).  Until this is reworked,
		 * we just check here that the number of processes for our new
		 * real UID doesn't exceed this process' process number limit
		 * (which is meant to be associated with the current real UID).
		 */
		const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1,
		    enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0);

		if (!proccnt_changed) {
			if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0)
				return (false);
			/* Privileged: account unconditionally (limit 0 = none). */
			(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
		}
	}

	mtx_lock(&oldcred->cr_mtx);
	KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, oldcred->cr_users, oldcred));
	oldcred->cr_users--;
	mtx_unlock(&oldcred->cr_mtx);
	mtx_lock(&newcred->cr_mtx);
	newcred->cr_users++;
	mtx_unlock(&newcred->cr_mtx);
	p->p_ucred = newcred;
	PROC_UPDATE_COW(p);
	if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo)
		(void)chgproccnt(oldcred->cr_ruidinfo, -1, 0);
	return (true);
}

/*
 * Install 'newcred' as p's credential without enforcing RLIMIT_NPROC.
 * Cannot fail (asserted in debug kernels); see _proc_set_cred() for the
 * reference-handling contract.
 */
void
proc_set_cred(struct proc *p, struct ucred *newcred)
{
	bool success __diagused = _proc_set_cred(p, newcred, false);

	MPASS(success);
}

/*
 * Install 'newcred' as p's credential, refusing (returning false, with
 * 'newcred' not taken over) if the new real UID would exceed RLIMIT_NPROC
 * and the process lacks PRIV_PROC_LIMIT.
 */
bool
proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred)
{
	return (_proc_set_cred(p, newcred, true));
}

/*
 * Detach p's credential; p must be a zombie or a never-started process.
 *
 * Drops the process' user count and its reference on the cred and, when
 * 'decrement_proc_count' is set, un-accounts the process from its real UID
 * (the counterpart of the chgproccnt() in _proc_set_cred()).  Callers that
 * never accounted the process (presumably e.g. a PRS_NEW process from a
 * failed fork) pass false.
 */
void
proc_unset_cred(struct proc *p, bool decrement_proc_count)
{
	struct ucred *cr;

	MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
	cr = p->p_ucred;
	p->p_ucred = NULL;
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	mtx_lock(&cr->cr_mtx);
	cr->cr_users--;
	if (cr->cr_users == 0)
		KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
		    __func__, cr->cr_ref, cr));
	mtx_unlock(&cr->cr_mtx);
	if (decrement_proc_count)
		(void)chgproccnt(cr->cr_ruidinfo, -1, 0);
	crfree(cr);
}

/*
 * Copy p's current credential into 'cr', an exclusively owned cred that has
 * no groups installed yet (typically fresh from crget()).
 *
 * Entered and exited with the process lock held.  Because growing the group
 * array may sleep, the lock is dropped around crextend(); p_ucred may have
 * been replaced meanwhile, so it is re-read and the size re-checked in a
 * loop before the copy.  Returns the p_ucred that was copied (still
 * referenced by the process) so the caller can crfree() it once it has
 * swapped 'cr' in via proc_set_cred().
 */
struct ucred *
crcopysafe(struct proc *p, struct ucred *cr)
{
	struct ucred *oldcred;
	int groups;

	PROC_LOCK_ASSERT(p, MA_OWNED);

	oldcred = p->p_ucred;
	while (cr->cr_agroups < oldcred->cr_ngroups) {
		groups = oldcred->cr_ngroups;
		PROC_UNLOCK(p);
		crextend(cr, groups);
		PROC_LOCK(p);
		oldcred = p->p_ucred;
	}
	crcopy(cr, oldcred);

	return (oldcred);
}

/*
 * Extend the passed-in credentials to hold n groups.
 *
 * Must not be called after groups have been set.
 *
 * 'cr' must be exclusively owned (cr_ref == 1) and its group set must not
 * have been installed yet (CRED_FLAG_GROUPSET clear), because an existing
 * out-of-line array is freed without copying its contents.  No-op if the
 * current array already holds 'n' entries.  May sleep (M_WAITOK).  The new
 * array is rounded up to a power of 2 below PAGE_SIZE or to whole pages
 * above it, so cr_agroups may end up larger than 'n'.
 */
void
crextend(struct ucred *cr, int n)
{
	size_t nbytes;

	MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
	MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0,
	    "groups on 'cr' already set!");
	groups_check_positive_len(n);
	groups_check_max_len(n);

	if (n <= cr->cr_agroups)
		return;

	/*
	 * Defensive overflow check on the byte count; groups_check_max_len()
	 * above is what is actually meant to bound 'n'.
	 */
	nbytes = n * sizeof(gid_t);
	if (nbytes < n)
		panic("Too many groups (memory size overflow)! "
		    "Computation of 'kern.ngroups' should have prevented this, "
		    "please fix it. In the meantime, reduce 'kern.ngroups'.");

	/*
	 * We allocate a power of 2 larger than 'nbytes', except when that
	 * exceeds PAGE_SIZE, in which case we allocate the right multiple of
	 * pages.  We assume PAGE_SIZE is a power of 2 (the call to roundup2()
	 * below) but do not need to for sizeof(gid_t).
	 */
	if (nbytes < PAGE_SIZE) {
		if (!powerof2(nbytes))
			/* fls*() return a bit index starting at 1. */
			nbytes = 1 << flsl(nbytes);
	} else
		nbytes = roundup2(nbytes, PAGE_SIZE);

	/* Free the old array. */
	if (cr->cr_groups != cr->cr_smallgroups)
		free(cr->cr_groups, M_CRED);

	cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO);
	cr->cr_agroups = nbytes / sizeof(gid_t);
}

/*
 * Normalizes a set of groups to be applied to a 'struct ucred'.
 *
 * Normalization ensures that the supplementary groups are sorted in ascending
 * order and do not contain duplicates.  This allows group_is_supplementary() to
 * do a binary search.
*/
static void
groups_normalize(int *ngrp, gid_t *groups)
{
	int rd, wr;

	groups_check_positive_len(*ngrp);
	groups_check_max_len(*ngrp);

	/* Zero or one entry is trivially sorted and duplicate-free. */
	if (*ngrp <= 1)
		return;

	qsort(groups, *ngrp, sizeof(*groups), gidp_cmp);

	/*
	 * Compact in place.  'wr' is one past the last kept entry; since the
	 * array is sorted, a duplicate can only equal the entry just kept.
	 */
	wr = 1;
	for (rd = 1; rd < *ngrp; rd++) {
		if (groups[rd] == groups[wr - 1])
			continue;
		groups[wr++] = groups[rd];
	}
	/* Report the possibly shorter length back to the caller. */
	*ngrp = wr;

	groups_check_normalized(*ngrp, groups);
}

/*
 * Internal function copying groups into a credential.
 *
 * 'ngrp' must be strictly positive.  The passed 'groups' array must either
 * already be normalized (see groups_normalize()), or be normalized in place
 * before the credential is used again.
 *
 * Lock- and sleep-free: no allocation happens here, so this may run under
 * any lock.  The caller must have made room with crextend() (asserted); see
 * crsetgroups(), which does that for you.  Installs the CRED_FLAG_GROUPSET
 * marker so that crextend() refuses to discard the array afterwards.
 */
static void
crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups)
{

	MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
	MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small");
	groups_check_positive_len(ngrp);

	bcopy(groups, cr->cr_groups, sizeof(*groups) * ngrp);
	cr->cr_ngroups = ngrp;
	cr->cr_flags |= CRED_FLAG_GROUPSET;
}

/*
 * Copy groups in to a credential after expanding it if required.
 *
 * May sleep in order to allocate memory (except if, e.g., crextend() was called
 * before with 'ngrp' or greater).  Truncates the list to 'ngroups_max' if
 * it is too large.  Array 'groups' doesn't need to be sorted.
'ngrp' must be positive.
 *
 * Note that the truncation to 'ngroups_max' is silent: a caller that wants
 * to report oversized lists to userland must check before calling.
 * cr_ngroups is cleared before the (possibly sleeping) crextend(), so 'cr'
 * temporarily has no supplementary groups at all; it must therefore be an
 * exclusively owned cred (crextend() asserts cr_ref == 1), never one that
 * is installed in a process or thread.
 */
void
crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups)
{

	if (ngrp > ngroups_max)
		ngrp = ngroups_max;
	cr->cr_ngroups = 0;
	if (ngrp == 0) {
		cr->cr_flags |= CRED_FLAG_GROUPSET;
		return;
	}

	/*
	 * crextend() asserts that groups are not set, as it may allocate a new
	 * backing storage without copying the content of the old one.  Since we
	 * are going to install a completely new set anyway, signal that we
	 * consider the old ones thrown away.
	 */
	cr->cr_flags &= ~CRED_FLAG_GROUPSET;

	crextend(cr, ngrp);
	crsetgroups_internal(cr, ngrp, groups);
	/* Sort and deduplicate; may shrink cr_ngroups. */
	groups_normalize(&cr->cr_ngroups, cr->cr_groups);
}

/*
 * Same as crsetgroups() but sets the effective GID as well.
 *
 * This function ensures that an effective GID is always present in credentials.
 * An empty array will only set the effective GID to 'default_egid', while
 * a non-empty array will peel off groups[0] to set as the effective GID and use
 * the remainder, if any, as supplementary groups.
 *
 * This mirrors the xucred layout handled by cru2x(), where the egid aliases
 * slot 0 of the group list.  The egid itself is NOT added to the
 * supplementary list here, and 'ngrp' must not be negative.
 */
void
crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups,
    const gid_t default_egid)
{
	if (ngrp == 0) {
		cr->cr_gid = default_egid;
		cr->cr_ngroups = 0;
		cr->cr_flags |= CRED_FLAG_GROUPSET;
		return;
	}

	crsetgroups(cr, ngrp - 1, groups + 1);
	cr->cr_gid = groups[0];
}

/*
 * Get login name, if available.
*/
#ifndef _SYS_SYSPROTO_H_
struct getlogin_args {
	char *namebuf;
	u_int namelen;
};
#endif
/*
 * getlogin(2): copy the session's login name (NUL included) to userland.
 *
 * 'namelen' is clamped to MAXLOGNAME first, so a larger user buffer never
 * receives more than MAXLOGNAME bytes.  Returns ERANGE when the name plus
 * its NUL does not fit in the (clamped) buffer -- which covers namelen == 0
 * -- and otherwise the copyout(9) result.  The name is snapshotted into a
 * stack buffer under the session lock so that the copyout runs unlocked.
 */
/* ARGSUSED */
int
sys_getlogin(struct thread *td, struct getlogin_args *uap)
{
	char login[MAXLOGNAME];
	struct proc *p = td->td_proc;
	size_t len;

	if (uap->namelen > MAXLOGNAME)
		uap->namelen = MAXLOGNAME;
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	/* strlcpy() reports the full source length; +1 accounts for the NUL. */
	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	if (len > uap->namelen)
		return (ERANGE);
	return (copyout(login, uap->namebuf, len));
}

/*
 * Set login name.
 */
#ifndef _SYS_SYSPROTO_H_
struct setlogin_args {
	char *namebuf;
};
#endif
/*
 * setlogin(2): set the login name of the caller's session.
 *
 * Requires PRIV_PROC_SETLOGIN, checked before any userland data is read.
 * The name is brought in with copyinstr() into a MAXLOGNAME buffer, so an
 * over-long name is rejected (reported as EINVAL rather than ENAMETOOLONG),
 * and the CTASSERT guarantees the later strcpy() into s_login cannot
 * overflow.  The name is a per-session attribute: every process in the
 * session observes the change through getlogin(2).
 */
/* ARGSUSED */
int
sys_setlogin(struct thread *td, struct setlogin_args *uap)
{
	struct proc *p = td->td_proc;
	int error;
	char logintmp[MAXLOGNAME];

	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));

	error = priv_check(td, PRIV_PROC_SETLOGIN);
	if (error)
		return (error);
	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
	if (error != 0) {
		if (error == ENAMETOOLONG)
			error = EINVAL;
		return (error);
	}
	AUDIT_ARG_LOGIN(logintmp);
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	strcpy(p->p_session->s_login, logintmp);
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	return (0);
}

/*
 * Mark p as having changed credentials since its last exec (P_SUGID).
 * Among other things this makes p_candebug() demand PRIV_DEBUG_SUGID of
 * would-be debuggers.  The process lock must be held.
 */
void
setsugid(struct proc *p)
{

	PROC_LOCK_ASSERT(p, MA_OWNED);
	p->p_flag |= P_SUGID;
}

/*-
 * Change a process's effective uid.
 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
*/
void
change_euid(struct ucred *newcred, struct uidinfo *euip)
{

	newcred->cr_uid = euip->ui_uid;
	/*
	 * Hold the new uidinfo before releasing the old one, so that the
	 * euip == newcred->cr_uidinfo case cannot drop the last reference.
	 * NOTE(review): unlike crfree_final(), the old cr_uidinfo is passed to
	 * uifree() unguarded, so this assumes newcred already has one (e.g.
	 * it came through crcopy()), not a bare crget() result.
	 */
	uihold(euip);
	uifree(newcred->cr_uidinfo);
	newcred->cr_uidinfo = euip;
}

/*-
 * Change a process's effective gid.
 * Side effects: newcred->cr_gid will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 *
 * Plain assignment: gids carry no uidinfo-style accounting.
 */
void
change_egid(struct ucred *newcred, gid_t egid)
{

	newcred->cr_gid = egid;
}

/*-
 * Change a process's real uid.
 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 *               will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 *
 * No per-real-UID process accounting is done here; that happens when the
 * cred is installed with proc_set_cred*() (see chgproccnt() there).
 */
void
change_ruid(struct ucred *newcred, struct uidinfo *ruip)
{

	newcred->cr_ruid = ruip->ui_uid;
	/* Hold before free: ruip may be the uidinfo already installed. */
	uihold(ruip);
	uifree(newcred->cr_ruidinfo);
	newcred->cr_ruidinfo = ruip;
}

/*-
 * Change a process's real gid.
 * Side effects: newcred->cr_rgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_rgid(struct ucred *newcred, gid_t rgid)
{

	newcred->cr_rgid = rgid;
}

/*-
 * Change a process's saved uid.
 * Side effects: newcred->cr_svuid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 *
 * The saved uid has no uidinfo of its own; only the effective and real uids
 * are tracked through cr_uidinfo/cr_ruidinfo.
 */
void
change_svuid(struct ucred *newcred, uid_t svuid)
{

	newcred->cr_svuid = svuid;
}

/*-
 * Change a process's saved gid.
 * Side effects: newcred->cr_svgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
*/
void
change_svgid(struct ucred *newcred, gid_t svgid)
{

	newcred->cr_svgid = svgid;
}

/*
 * security.bsd.allow_ptrace: master switch for ptrace(2).
 *
 * Defaults to true; the description string below documents the effect of
 * the *false* setting (ptrace(2) fails with ENOSYS).  CTLFLAG_RWTUN makes it
 * settable both as a loader tunable and at runtime.  Unlike
 * unprivileged_proc_debug above it is not marked CTLFLAG_SECURE, so
 * presumably securelevel does not pin it -- confirm before relying on it as
 * a hardening control.  The flag is presumably consulted by the ptrace(2)
 * implementation, which is not in this part of the file.
 */
bool allow_ptrace = true;
SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
    &allow_ptrace, 0,
    "Deny ptrace(2) use by returning ENOSYS");