1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5 * The Regents of the University of California.
6 * (c) UNIX System Laboratories, Inc.
7 * Copyright (c) 2000-2001 Robert N. M. Watson.
8 * All rights reserved.
9 * Copyright (c) 2024-2025 The FreeBSD Foundation
10 *
11 * Portions of this software were developed by Olivier Certner
12 * <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
13 * Foundation.
14 *
15 * All or some portions of this file are derived from material licensed
16 * to the University of California by American Telephone and Telegraph
17 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
18 * the permission of UNIX System Laboratories, Inc.
19 *
20 * Redistribution and use in source and binary forms, with or without
21 * modification, are permitted provided that the following conditions
22 * are met:
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 * 2. Redistributions in binary form must reproduce the above copyright
26 * notice, this list of conditions and the following disclaimer in the
27 * documentation and/or other materials provided with the distribution.
28 * 3. Neither the name of the University nor the names of its contributors
29 * may be used to endorse or promote products derived from this software
30 * without specific prior written permission.
31 *
32 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
35 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * SUCH DAMAGE.
43 */
44
45 /*
46 * System calls related to processes and protection
47 */
48
49 #include <sys/cdefs.h>
50 #include "opt_inet.h"
51 #include "opt_inet6.h"
52
53 #include <sys/param.h>
54 #include <sys/systm.h>
55 #include <sys/abi_compat.h>
56 #include <sys/acct.h>
57 #include <sys/imgact.h>
58 #include <sys/kdb.h>
59 #include <sys/kernel.h>
60 #include <sys/libkern.h>
61 #include <sys/lock.h>
62 #include <sys/loginclass.h>
63 #include <sys/malloc.h>
64 #include <sys/mutex.h>
65 #include <sys/ptrace.h>
66 #include <sys/refcount.h>
67 #include <sys/sx.h>
68 #include <sys/priv.h>
69 #include <sys/proc.h>
70 #ifdef COMPAT_43
71 #include <sys/sysent.h>
72 #endif
73 #include <sys/sysproto.h>
74 #include <sys/jail.h>
75 #include <sys/racct.h>
76 #include <sys/rctl.h>
77 #include <sys/resourcevar.h>
78 #include <sys/socket.h>
79 #include <sys/socketvar.h>
80 #include <sys/syscallsubr.h>
81 #include <sys/sysctl.h>
82
83 #ifdef MAC
84 #include <security/mac/mac_syscalls.h>
85 #endif
86
87 #include <vm/uma.h>
88
89 #ifdef REGRESSION
90 FEATURE(regression,
91 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
92 #endif
93
94 #include <security/audit/audit.h>
95 #include <security/mac/mac_framework.h>
96
97 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
98
99 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
100 "BSD security policy");
101
102 static void crfree_final(struct ucred *cr);
103
104 static inline void
groups_check_positive_len(int ngrp)105 groups_check_positive_len(int ngrp)
106 {
107 MPASS2(ngrp >= 0, "negative number of groups");
108 }
109 static inline void
groups_check_max_len(int ngrp)110 groups_check_max_len(int ngrp)
111 {
112 MPASS2(ngrp <= ngroups_max, "too many supplementary groups");
113 }
114
115 static void groups_normalize(int *ngrp, gid_t *groups);
116 static void crsetgroups_internal(struct ucred *cr, int ngrp,
117 const gid_t *groups);
118
119 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
120 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
121 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2);
122
123 #ifndef _SYS_SYSPROTO_H_
124 struct getpid_args {
125 int dummy;
126 };
127 #endif
128 /* ARGSUSED */
129 int
sys_getpid(struct thread * td,struct getpid_args * uap)130 sys_getpid(struct thread *td, struct getpid_args *uap)
131 {
132 struct proc *p = td->td_proc;
133
134 td->td_retval[0] = p->p_pid;
135 #if defined(COMPAT_43)
136 if (SV_PROC_FLAG(p, SV_AOUT))
137 td->td_retval[1] = kern_getppid(td);
138 #endif
139 return (0);
140 }
141
142 #ifndef _SYS_SYSPROTO_H_
143 struct getppid_args {
144 int dummy;
145 };
146 #endif
147 /* ARGSUSED */
148 int
sys_getppid(struct thread * td,struct getppid_args * uap)149 sys_getppid(struct thread *td, struct getppid_args *uap)
150 {
151
152 td->td_retval[0] = kern_getppid(td);
153 return (0);
154 }
155
156 int
kern_getppid(struct thread * td)157 kern_getppid(struct thread *td)
158 {
159 struct proc *p = td->td_proc;
160
161 return (p->p_oppid);
162 }
163
164 /*
165 * Get process group ID; note that POSIX getpgrp takes no parameter.
166 */
167 #ifndef _SYS_SYSPROTO_H_
168 struct getpgrp_args {
169 int dummy;
170 };
171 #endif
172 int
sys_getpgrp(struct thread * td,struct getpgrp_args * uap)173 sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
174 {
175 struct proc *p = td->td_proc;
176
177 PROC_LOCK(p);
178 td->td_retval[0] = p->p_pgrp->pg_id;
179 PROC_UNLOCK(p);
180 return (0);
181 }
182
183 /* Get an arbitrary pid's process group id */
184 #ifndef _SYS_SYSPROTO_H_
185 struct getpgid_args {
186 pid_t pid;
187 };
188 #endif
189 int
sys_getpgid(struct thread * td,struct getpgid_args * uap)190 sys_getpgid(struct thread *td, struct getpgid_args *uap)
191 {
192 struct proc *p;
193 int error;
194
195 if (uap->pid == 0) {
196 p = td->td_proc;
197 PROC_LOCK(p);
198 } else {
199 p = pfind(uap->pid);
200 if (p == NULL)
201 return (ESRCH);
202 error = p_cansee(td, p);
203 if (error) {
204 PROC_UNLOCK(p);
205 return (error);
206 }
207 }
208 td->td_retval[0] = p->p_pgrp->pg_id;
209 PROC_UNLOCK(p);
210 return (0);
211 }
212
213 /*
214 * Get an arbitrary pid's session id.
215 */
216 #ifndef _SYS_SYSPROTO_H_
217 struct getsid_args {
218 pid_t pid;
219 };
220 #endif
221 int
sys_getsid(struct thread * td,struct getsid_args * uap)222 sys_getsid(struct thread *td, struct getsid_args *uap)
223 {
224
225 return (kern_getsid(td, uap->pid));
226 }
227
228 int
kern_getsid(struct thread * td,pid_t pid)229 kern_getsid(struct thread *td, pid_t pid)
230 {
231 struct proc *p;
232 int error;
233
234 if (pid == 0) {
235 p = td->td_proc;
236 PROC_LOCK(p);
237 } else {
238 p = pfind(pid);
239 if (p == NULL)
240 return (ESRCH);
241 error = p_cansee(td, p);
242 if (error) {
243 PROC_UNLOCK(p);
244 return (error);
245 }
246 }
247 td->td_retval[0] = p->p_session->s_sid;
248 PROC_UNLOCK(p);
249 return (0);
250 }
251
252 #ifndef _SYS_SYSPROTO_H_
253 struct getuid_args {
254 int dummy;
255 };
256 #endif
257 /* ARGSUSED */
258 int
sys_getuid(struct thread * td,struct getuid_args * uap)259 sys_getuid(struct thread *td, struct getuid_args *uap)
260 {
261
262 td->td_retval[0] = td->td_ucred->cr_ruid;
263 #if defined(COMPAT_43)
264 td->td_retval[1] = td->td_ucred->cr_uid;
265 #endif
266 return (0);
267 }
268
269 #ifndef _SYS_SYSPROTO_H_
270 struct geteuid_args {
271 int dummy;
272 };
273 #endif
274 /* ARGSUSED */
275 int
sys_geteuid(struct thread * td,struct geteuid_args * uap)276 sys_geteuid(struct thread *td, struct geteuid_args *uap)
277 {
278
279 td->td_retval[0] = td->td_ucred->cr_uid;
280 return (0);
281 }
282
283 #ifndef _SYS_SYSPROTO_H_
284 struct getgid_args {
285 int dummy;
286 };
287 #endif
288 /* ARGSUSED */
289 int
sys_getgid(struct thread * td,struct getgid_args * uap)290 sys_getgid(struct thread *td, struct getgid_args *uap)
291 {
292
293 td->td_retval[0] = td->td_ucred->cr_rgid;
294 #if defined(COMPAT_43)
295 td->td_retval[1] = td->td_ucred->cr_gid;
296 #endif
297 return (0);
298 }
299
300 #ifndef _SYS_SYSPROTO_H_
301 struct getegid_args {
302 int dummy;
303 };
304 #endif
305 /* ARGSUSED */
306 int
sys_getegid(struct thread * td,struct getegid_args * uap)307 sys_getegid(struct thread *td, struct getegid_args *uap)
308 {
309
310 td->td_retval[0] = td->td_ucred->cr_gid;
311 return (0);
312 }
313
314 #ifdef COMPAT_FREEBSD14
315 int
freebsd14_getgroups(struct thread * td,struct freebsd14_getgroups_args * uap)316 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap)
317 {
318 struct ucred *cred;
319 int ngrp, error;
320
321 cred = td->td_ucred;
322
323 /*
324 * For FreeBSD < 15.0, we account for the egid being placed at the
325 * beginning of the group list prior to all supplementary groups.
326 */
327 ngrp = cred->cr_ngroups + 1;
328 if (uap->gidsetsize == 0) {
329 error = 0;
330 goto out;
331 } else if (uap->gidsetsize < ngrp) {
332 return (EINVAL);
333 }
334
335 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t));
336 if (error == 0)
337 error = copyout(cred->cr_groups, uap->gidset + 1,
338 (ngrp - 1) * sizeof(gid_t));
339
340 out:
341 td->td_retval[0] = ngrp;
342 return (error);
343
344 }
345 #endif /* COMPAT_FREEBSD14 */
346
347 #ifndef _SYS_SYSPROTO_H_
348 struct getgroups_args {
349 int gidsetsize;
350 gid_t *gidset;
351 };
352 #endif
353 int
sys_getgroups(struct thread * td,struct getgroups_args * uap)354 sys_getgroups(struct thread *td, struct getgroups_args *uap)
355 {
356 struct ucred *cred;
357 int ngrp, error;
358
359 cred = td->td_ucred;
360
361 ngrp = cred->cr_ngroups;
362 if (uap->gidsetsize == 0) {
363 error = 0;
364 goto out;
365 }
366 if (uap->gidsetsize < ngrp)
367 return (EINVAL);
368
369 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
370 out:
371 td->td_retval[0] = ngrp;
372 return (error);
373 }
374
375 #ifndef _SYS_SYSPROTO_H_
376 struct setsid_args {
377 int dummy;
378 };
379 #endif
380 /* ARGSUSED */
381 int
sys_setsid(struct thread * td,struct setsid_args * uap)382 sys_setsid(struct thread *td, struct setsid_args *uap)
383 {
384 struct pgrp *pgrp;
385 int error;
386 struct proc *p = td->td_proc;
387 struct pgrp *newpgrp;
388 struct session *newsess;
389
390 pgrp = NULL;
391
392 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
393 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
394
395 again:
396 error = 0;
397 sx_xlock(&proctree_lock);
398
399 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
400 if (pgrp != NULL)
401 PGRP_UNLOCK(pgrp);
402 error = EPERM;
403 } else {
404 error = enterpgrp(p, p->p_pid, newpgrp, newsess);
405 if (error == ERESTART)
406 goto again;
407 MPASS(error == 0);
408 td->td_retval[0] = p->p_pid;
409 newpgrp = NULL;
410 newsess = NULL;
411 }
412
413 sx_xunlock(&proctree_lock);
414
415 uma_zfree(pgrp_zone, newpgrp);
416 free(newsess, M_SESSION);
417
418 return (error);
419 }
420
421 /*
422 * set process group (setpgid/old setpgrp)
423 *
424 * caller does setpgid(targpid, targpgid)
425 *
426 * pid must be caller or child of caller (ESRCH)
427 * if a child
428 * pid must be in same session (EPERM)
429 * pid can't have done an exec (EACCES)
430 * if pgid != pid
431 * there must exist some pid in same session having pgid (EPERM)
432 * pid must not be session leader (EPERM)
433 */
434 #ifndef _SYS_SYSPROTO_H_
435 struct setpgid_args {
436 int pid; /* target process id */
437 int pgid; /* target pgrp id */
438 };
439 #endif
440 /* ARGSUSED */
441 int
sys_setpgid(struct thread * td,struct setpgid_args * uap)442 sys_setpgid(struct thread *td, struct setpgid_args *uap)
443 {
444 struct proc *curp = td->td_proc;
445 struct proc *targp; /* target process */
446 struct pgrp *pgrp; /* target pgrp */
447 int error;
448 struct pgrp *newpgrp;
449
450 if (uap->pgid < 0)
451 return (EINVAL);
452
453 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
454
455 again:
456 error = 0;
457
458 sx_xlock(&proctree_lock);
459 if (uap->pid != 0 && uap->pid != curp->p_pid) {
460 if ((targp = pfind(uap->pid)) == NULL) {
461 error = ESRCH;
462 goto done;
463 }
464 if (!inferior(targp)) {
465 PROC_UNLOCK(targp);
466 error = ESRCH;
467 goto done;
468 }
469 if ((error = p_cansee(td, targp))) {
470 PROC_UNLOCK(targp);
471 goto done;
472 }
473 if (targp->p_pgrp == NULL ||
474 targp->p_session != curp->p_session) {
475 PROC_UNLOCK(targp);
476 error = EPERM;
477 goto done;
478 }
479 if (targp->p_flag & P_EXEC) {
480 PROC_UNLOCK(targp);
481 error = EACCES;
482 goto done;
483 }
484 PROC_UNLOCK(targp);
485 } else
486 targp = curp;
487 if (SESS_LEADER(targp)) {
488 error = EPERM;
489 goto done;
490 }
491 if (uap->pgid == 0)
492 uap->pgid = targp->p_pid;
493 if ((pgrp = pgfind(uap->pgid)) == NULL) {
494 if (uap->pgid == targp->p_pid) {
495 error = enterpgrp(targp, uap->pgid, newpgrp,
496 NULL);
497 if (error == 0)
498 newpgrp = NULL;
499 } else
500 error = EPERM;
501 } else {
502 if (pgrp == targp->p_pgrp) {
503 PGRP_UNLOCK(pgrp);
504 goto done;
505 }
506 if (pgrp->pg_id != targp->p_pid &&
507 pgrp->pg_session != curp->p_session) {
508 PGRP_UNLOCK(pgrp);
509 error = EPERM;
510 goto done;
511 }
512 PGRP_UNLOCK(pgrp);
513 error = enterthispgrp(targp, pgrp);
514 }
515 done:
516 KASSERT(error == 0 || newpgrp != NULL,
517 ("setpgid failed and newpgrp is NULL"));
518 if (error == ERESTART)
519 goto again;
520 sx_xunlock(&proctree_lock);
521 uma_zfree(pgrp_zone, newpgrp);
522 return (error);
523 }
524
525 static int
gidp_cmp(const void * p1,const void * p2)526 gidp_cmp(const void *p1, const void *p2)
527 {
528 const gid_t g1 = *(const gid_t *)p1;
529 const gid_t g2 = *(const gid_t *)p2;
530
531 return ((g1 > g2) - (g1 < g2));
532 }
533
534 /*
535 * 'smallgroups' must be an (uninitialized) array of length CRED_SMALLGROUPS_NB.
536 * Always sets 'sc_supp_groups', either to a valid kernel-space groups array
537 * (which may or may not be 'smallgroups'), or NULL if SETCREDF_SUPP_GROUPS was
538 * not specified or there are too many groups, or a buffer containing garbage on
539 * copyin() failure. In the last two cases, 'sc_supp_groups_nb' is additionally
540 * set to 0 as a security measure. 'sc_supp_groups' must be freed (M_TEMP) if
541 * not equal to 'smallgroups' even on failure.
542 */
543 static int
user_setcred_copyin_supp_groups(struct setcred * const wcred,const u_int flags,gid_t * const smallgroups)544 user_setcred_copyin_supp_groups(struct setcred *const wcred,
545 const u_int flags, gid_t *const smallgroups)
546 {
547 gid_t *groups;
548 int error;
549
550 if ((flags & SETCREDF_SUPP_GROUPS) == 0) {
551 error = 0;
552 goto reset_groups_exit;
553 }
554
555 /*
556 * Check the number of groups' limit right now in order to limit the
557 * amount of bytes to copy.
558 */
559 if (wcred->sc_supp_groups_nb > ngroups_max) {
560 error = EINVAL;
561 goto reset_groups_exit;
562 }
563
564 groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ?
565 smallgroups : malloc(wcred->sc_supp_groups_nb * sizeof(gid_t),
566 M_TEMP, M_WAITOK);
567 error = copyin(wcred->sc_supp_groups, groups,
568 wcred->sc_supp_groups_nb * sizeof(gid_t));
569 wcred->sc_supp_groups = groups;
570
571 if (error != 0) {
572 wcred->sc_supp_groups_nb = 0;
573 /*
574 * 'sc_supp_groups' must be freed by caller if not
575 * 'smallgroups'.
576 */
577 return (error);
578 }
579
580 return (0);
581
582 reset_groups_exit:
583 wcred->sc_supp_groups_nb = 0;
584 wcred->sc_supp_groups = NULL;
585 return (error);
586 }
587
588 int
user_setcred(struct thread * td,const u_int flags,struct setcred * const wcred)589 user_setcred(struct thread *td, const u_int flags, struct setcred *const wcred)
590 {
591 #ifdef MAC
592 struct mac mac;
593 /* Pointer to 'struct mac' or 'struct mac32'. */
594 void *umac;
595 #endif
596 gid_t smallgroups[CRED_SMALLGROUPS_NB];
597 int error;
598
599 /*
600 * As the only point of this wrapper function is to copyin() from
601 * userland, we only interpret the data pieces we need to perform this
602 * operation and defer further sanity checks to kern_setcred(), except
603 * that we redundantly check here that no unknown flags have been
604 * passed.
605 */
606 if ((flags & ~SETCREDF_MASK) != 0)
607 return (EINVAL);
608
609 #ifdef MAC
610 umac = wcred->sc_label;
611 #endif
612 /* Also done on !MAC as a defensive measure. */
613 wcred->sc_label = NULL;
614
615 /*
616 * Copy supplementary groups as needed. There is no specific
617 * alternative for 32-bit compatibility as 'gid_t' has the same size
618 * everywhere.
619 */
620 error = user_setcred_copyin_supp_groups(wcred, flags, smallgroups);
621 if (error != 0)
622 goto free_groups;
623
624 #ifdef MAC
625 if ((flags & SETCREDF_MAC_LABEL) != 0) {
626 error = mac_label_copyin(umac, &mac, NULL);
627 if (error != 0)
628 goto free_groups;
629 wcred->sc_label = &mac;
630 }
631 #endif
632
633 error = kern_setcred(td, flags, wcred);
634
635 #ifdef MAC
636 if (wcred->sc_label != NULL)
637 free_copied_label(wcred->sc_label);
638 #endif
639
640 free_groups:
641 if (wcred->sc_supp_groups != smallgroups)
642 free(wcred->sc_supp_groups, M_TEMP);
643
644 return (error);
645 }
646
647 #ifndef _SYS_SYSPROTO_H_
648 struct setcred_args {
649 u_int flags; /* Flags. */
650 const struct setcred *wcred;
651 size_t size; /* Passed 'setcred' structure length. */
652 };
653 #endif
654 /* ARGSUSED */
655 int
sys_setcred(struct thread * td,struct setcred_args * uap)656 sys_setcred(struct thread *td, struct setcred_args *uap)
657 {
658 struct setcred wcred;
659 int error;
660
661 if (uap->size != sizeof(wcred))
662 return (EINVAL);
663 error = copyin(uap->wcred, &wcred, sizeof(wcred));
664 if (error != 0)
665 return (error);
666 return (user_setcred(td, uap->flags, &wcred));
667 }
668
669 /*
670 * CAUTION: This function normalizes groups in 'wcred'.
671 */
672 int
kern_setcred(struct thread * const td,const u_int flags,struct setcred * const wcred)673 kern_setcred(struct thread *const td, const u_int flags,
674 struct setcred *const wcred)
675 {
676 struct proc *const p = td->td_proc;
677 struct ucred *new_cred, *old_cred, *to_free_cred = NULL;
678 struct uidinfo *uip = NULL, *ruip = NULL;
679 #ifdef MAC
680 void *mac_set_proc_data = NULL;
681 bool proc_label_set = false;
682 #endif
683 int error;
684 bool cred_set = false;
685
686 /* Bail out on unrecognized flags. */
687 if (flags & ~SETCREDF_MASK)
688 return (EINVAL);
689
690 /*
691 * Part 1: We allocate and perform preparatory operations with no locks.
692 */
693
694 if ((flags & SETCREDF_SUPP_GROUPS) != 0 &&
695 wcred->sc_supp_groups_nb > ngroups_max)
696 return (EINVAL);
697
698 if (flags & SETCREDF_MAC_LABEL) {
699 #ifdef MAC
700 error = mac_set_proc_prepare(td, wcred->sc_label,
701 &mac_set_proc_data);
702 if (error != 0)
703 return (error);
704 #else
705 return (ENOTSUP);
706 #endif
707 }
708
709 if (flags & SETCREDF_UID) {
710 AUDIT_ARG_EUID(wcred->sc_uid);
711 uip = uifind(wcred->sc_uid);
712 }
713 if (flags & SETCREDF_RUID) {
714 AUDIT_ARG_RUID(wcred->sc_ruid);
715 ruip = uifind(wcred->sc_ruid);
716 }
717 if (flags & SETCREDF_SVUID)
718 AUDIT_ARG_SUID(wcred->sc_svuid);
719
720 if (flags & SETCREDF_GID)
721 AUDIT_ARG_EGID(wcred->sc_gid);
722 if (flags & SETCREDF_RGID)
723 AUDIT_ARG_RGID(wcred->sc_rgid);
724 if (flags & SETCREDF_SVGID)
725 AUDIT_ARG_SGID(wcred->sc_svgid);
726 if (flags & SETCREDF_SUPP_GROUPS) {
727 /*
728 * Output the raw supplementary groups array for better
729 * traceability.
730 */
731 AUDIT_ARG_GROUPSET(wcred->sc_supp_groups,
732 wcred->sc_supp_groups_nb);
733 groups_normalize(&wcred->sc_supp_groups_nb,
734 wcred->sc_supp_groups);
735 }
736
737 /*
738 * We first completely build the new credentials and only then pass them
739 * to MAC along with the old ones so that modules can check whether the
740 * requested transition is allowed.
741 */
742 new_cred = crget();
743 to_free_cred = new_cred;
744 if (flags & SETCREDF_SUPP_GROUPS)
745 crextend(new_cred, wcred->sc_supp_groups_nb);
746
747 #ifdef MAC
748 mac_cred_setcred_enter();
749 #endif
750
751 /*
752 * Part 2: We grab the process lock as to have a stable view of its
753 * current credentials, and prepare a copy of them with the requested
754 * changes applied under that lock.
755 */
756
757 PROC_LOCK(p);
758 old_cred = crcopysafe(p, new_cred);
759
760 /*
761 * Change user IDs.
762 */
763 if (flags & SETCREDF_UID)
764 change_euid(new_cred, uip);
765 if (flags & SETCREDF_RUID)
766 change_ruid(new_cred, ruip);
767 if (flags & SETCREDF_SVUID)
768 change_svuid(new_cred, wcred->sc_svuid);
769
770 /*
771 * Change groups.
772 */
773 if (flags & SETCREDF_SUPP_GROUPS)
774 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb,
775 wcred->sc_supp_groups);
776 if (flags & SETCREDF_GID)
777 change_egid(new_cred, wcred->sc_gid);
778 if (flags & SETCREDF_RGID)
779 change_rgid(new_cred, wcred->sc_rgid);
780 if (flags & SETCREDF_SVGID)
781 change_svgid(new_cred, wcred->sc_svgid);
782
783 #ifdef MAC
784 /*
785 * Change the MAC label.
786 */
787 if (flags & SETCREDF_MAC_LABEL) {
788 error = mac_set_proc_core(td, new_cred, mac_set_proc_data);
789 if (error != 0)
790 goto unlock_finish;
791 proc_label_set = true;
792 }
793
794 /*
795 * MAC security modules checks.
796 */
797 error = mac_cred_check_setcred(flags, old_cred, new_cred);
798 if (error != 0)
799 goto unlock_finish;
800 #endif
801 /*
802 * Privilege check.
803 */
804 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED);
805 if (error != 0)
806 goto unlock_finish;
807
808 #ifdef RACCT
809 /*
810 * Hold a reference to 'new_cred', as we need to call some functions on
811 * it after proc_set_cred_enforce_proc_lim().
812 */
813 crhold(new_cred);
814 #endif
815
816 /* Set the new credentials. */
817 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred);
818 if (cred_set) {
819 setsugid(p);
820 #ifdef RACCT
821 /* Adjust RACCT counters. */
822 racct_proc_ucred_changed(p, old_cred, new_cred);
823 #endif
824 to_free_cred = old_cred;
825 MPASS(error == 0);
826 } else {
827 #ifdef RACCT
828 /* Matches the crhold() just before the containing 'if'. */
829 crfree(new_cred);
830 #endif
831 error = EAGAIN;
832 }
833
834 unlock_finish:
835 PROC_UNLOCK(p);
836
837 /*
838 * Part 3: After releasing the process lock, we perform cleanups and
839 * finishing operations.
840 */
841
842 #ifdef RACCT
843 if (cred_set) {
844 #ifdef RCTL
845 rctl_proc_ucred_changed(p, new_cred);
846 #endif
847 /* Paired with the crhold() above. */
848 crfree(new_cred);
849 }
850 #endif
851
852 #ifdef MAC
853 if (mac_set_proc_data != NULL)
854 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data);
855 mac_cred_setcred_exit();
856 #endif
857 crfree(to_free_cred);
858 if (uip != NULL)
859 uifree(uip);
860 if (ruip != NULL)
861 uifree(ruip);
862
863 return (error);
864 }
865
866 /*
867 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
868 * compatible. It says that setting the uid/gid to euid/egid is a special
869 * case of "appropriate privilege". Once the rules are expanded out, this
870 * basically means that setuid(nnn) sets all three id's, in all permitted
871 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
872 * does not set the saved id - this is dangerous for traditional BSD
873 * programs. For this reason, we *really* do not want to set
874 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
875 */
876 #define POSIX_APPENDIX_B_4_2_2
877
878 #ifndef _SYS_SYSPROTO_H_
879 struct setuid_args {
880 uid_t uid;
881 };
882 #endif
883 /* ARGSUSED */
884 int
sys_setuid(struct thread * td,struct setuid_args * uap)885 sys_setuid(struct thread *td, struct setuid_args *uap)
886 {
887 struct proc *p = td->td_proc;
888 struct ucred *newcred, *oldcred;
889 uid_t uid;
890 struct uidinfo *uip;
891 int error;
892
893 uid = uap->uid;
894 AUDIT_ARG_UID(uid);
895 newcred = crget();
896 uip = uifind(uid);
897 PROC_LOCK(p);
898 /*
899 * Copy credentials so other references do not see our changes.
900 */
901 oldcred = crcopysafe(p, newcred);
902
903 #ifdef MAC
904 error = mac_cred_check_setuid(oldcred, uid);
905 if (error)
906 goto fail;
907 #endif
908
909 /*
910 * See if we have "permission" by POSIX 1003.1 rules.
911 *
912 * Note that setuid(geteuid()) is a special case of
913 * "appropriate privileges" in appendix B.4.2.2. We need
914 * to use this clause to be compatible with traditional BSD
915 * semantics. Basically, it means that "setuid(xx)" sets all
916 * three id's (assuming you have privs).
917 *
918 * Notes on the logic. We do things in three steps.
919 * 1: We determine if the euid is going to change, and do EPERM
920 * right away. We unconditionally change the euid later if this
921 * test is satisfied, simplifying that part of the logic.
922 * 2: We determine if the real and/or saved uids are going to
923 * change. Determined by compile options.
924 * 3: Change euid last. (after tests in #2 for "appropriate privs")
925 */
926 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
927 #ifdef _POSIX_SAVED_IDS
928 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
929 #endif
930 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
931 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
932 #endif
933 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
934 goto fail;
935
936 #ifdef _POSIX_SAVED_IDS
937 /*
938 * Do we have "appropriate privileges" (are we root or uid == euid)
939 * If so, we are changing the real uid and/or saved uid.
940 */
941 if (
942 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
943 uid == oldcred->cr_uid ||
944 #endif
945 /* We are using privs. */
946 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
947 #endif
948 {
949 /*
950 * Set the real uid.
951 */
952 if (uid != oldcred->cr_ruid) {
953 change_ruid(newcred, uip);
954 setsugid(p);
955 }
956 /*
957 * Set saved uid
958 *
959 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
960 * the security of seteuid() depends on it. B.4.2.2 says it
961 * is important that we should do this.
962 */
963 if (uid != oldcred->cr_svuid) {
964 change_svuid(newcred, uid);
965 setsugid(p);
966 }
967 }
968
969 /*
970 * In all permitted cases, we are changing the euid.
971 */
972 if (uid != oldcred->cr_uid) {
973 change_euid(newcred, uip);
974 setsugid(p);
975 }
976
977 #ifdef RACCT
978 racct_proc_ucred_changed(p, oldcred, newcred);
979 #endif
980 #ifdef RCTL
981 crhold(newcred);
982 #endif
983 /*
984 * Takes over 'newcred''s reference, so 'newcred' must not be used
985 * besides this point except on RCTL where we took an additional
986 * reference above.
987 */
988 proc_set_cred(p, newcred);
989 PROC_UNLOCK(p);
990 #ifdef RCTL
991 rctl_proc_ucred_changed(p, newcred);
992 crfree(newcred);
993 #endif
994 uifree(uip);
995 crfree(oldcred);
996 return (0);
997
998 fail:
999 PROC_UNLOCK(p);
1000 uifree(uip);
1001 crfree(newcred);
1002 return (error);
1003 }
1004
1005 #ifndef _SYS_SYSPROTO_H_
1006 struct seteuid_args {
1007 uid_t euid;
1008 };
1009 #endif
1010 /* ARGSUSED */
1011 int
sys_seteuid(struct thread * td,struct seteuid_args * uap)1012 sys_seteuid(struct thread *td, struct seteuid_args *uap)
1013 {
1014 struct proc *p = td->td_proc;
1015 struct ucred *newcred, *oldcred;
1016 uid_t euid;
1017 struct uidinfo *euip;
1018 int error;
1019
1020 euid = uap->euid;
1021 AUDIT_ARG_EUID(euid);
1022 newcred = crget();
1023 euip = uifind(euid);
1024 PROC_LOCK(p);
1025 execve_block_pass(td);
1026
1027 /*
1028 * Copy credentials so other references do not see our changes.
1029 */
1030 oldcred = crcopysafe(p, newcred);
1031
1032 #ifdef MAC
1033 error = mac_cred_check_seteuid(oldcred, euid);
1034 if (error)
1035 goto fail;
1036 #endif
1037
1038 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
1039 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
1040 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
1041 goto fail;
1042
1043 /*
1044 * Everything's okay, do it.
1045 */
1046 if (oldcred->cr_uid != euid) {
1047 change_euid(newcred, euip);
1048 setsugid(p);
1049 }
1050 proc_set_cred(p, newcred);
1051 PROC_UNLOCK(p);
1052 uifree(euip);
1053 crfree(oldcred);
1054 return (0);
1055
1056 fail:
1057 PROC_UNLOCK(p);
1058 uifree(euip);
1059 crfree(newcred);
1060 return (error);
1061 }
1062
1063 #ifndef _SYS_SYSPROTO_H_
1064 struct setgid_args {
1065 gid_t gid;
1066 };
1067 #endif
1068 /* ARGSUSED */
1069 int
sys_setgid(struct thread * td,struct setgid_args * uap)1070 sys_setgid(struct thread *td, struct setgid_args *uap)
1071 {
1072 struct proc *p = td->td_proc;
1073 struct ucred *newcred, *oldcred;
1074 gid_t gid;
1075 int error;
1076
1077 gid = uap->gid;
1078 AUDIT_ARG_GID(gid);
1079 newcred = crget();
1080 PROC_LOCK(p);
1081 execve_block_pass(td);
1082 oldcred = crcopysafe(p, newcred);
1083
1084 #ifdef MAC
1085 error = mac_cred_check_setgid(oldcred, gid);
1086 if (error)
1087 goto fail;
1088 #endif
1089
1090 /*
1091 * See if we have "permission" by POSIX 1003.1 rules.
1092 *
1093 * Note that setgid(getegid()) is a special case of
1094 * "appropriate privileges" in appendix B.4.2.2. We need
1095 * to use this clause to be compatible with traditional BSD
1096 * semantics. Basically, it means that "setgid(xx)" sets all
1097 * three id's (assuming you have privs).
1098 *
1099 * For notes on the logic here, see setuid() above.
1100 */
1101 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
1102 #ifdef _POSIX_SAVED_IDS
1103 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
1104 #endif
1105 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
1106 gid != oldcred->cr_gid && /* allow setgid(getegid()) */
1107 #endif
1108 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
1109 goto fail;
1110
1111 #ifdef _POSIX_SAVED_IDS
1112 /*
1113 * Do we have "appropriate privileges" (are we root or gid == egid)
1114 * If so, we are changing the real uid and saved gid.
1115 */
1116 if (
1117 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
1118 gid == oldcred->cr_gid ||
1119 #endif
1120 /* We are using privs. */
1121 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
1122 #endif
1123 {
1124 /*
1125 * Set real gid
1126 */
1127 if (oldcred->cr_rgid != gid) {
1128 change_rgid(newcred, gid);
1129 setsugid(p);
1130 }
1131 /*
1132 * Set saved gid
1133 *
1134 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
1135 * the security of setegid() depends on it. B.4.2.2 says it
1136 * is important that we should do this.
1137 */
1138 if (oldcred->cr_svgid != gid) {
1139 change_svgid(newcred, gid);
1140 setsugid(p);
1141 }
1142 }
1143 /*
1144 * In all cases permitted cases, we are changing the egid.
1145 * Copy credentials so other references do not see our changes.
1146 */
1147 if (oldcred->cr_gid != gid) {
1148 change_egid(newcred, gid);
1149 setsugid(p);
1150 }
1151 proc_set_cred(p, newcred);
1152 PROC_UNLOCK(p);
1153 crfree(oldcred);
1154 return (0);
1155
1156 fail:
1157 PROC_UNLOCK(p);
1158 crfree(newcred);
1159 return (error);
1160 }
1161
1162 #ifndef _SYS_SYSPROTO_H_
1163 struct setegid_args {
1164 gid_t egid;
1165 };
1166 #endif
1167 /* ARGSUSED */
1168 int
sys_setegid(struct thread * td,struct setegid_args * uap)1169 sys_setegid(struct thread *td, struct setegid_args *uap)
1170 {
1171 struct proc *p = td->td_proc;
1172 struct ucred *newcred, *oldcred;
1173 gid_t egid;
1174 int error;
1175
1176 egid = uap->egid;
1177 AUDIT_ARG_EGID(egid);
1178 newcred = crget();
1179 PROC_LOCK(p);
1180 execve_block_pass(td);
1181 oldcred = crcopysafe(p, newcred);
1182
1183 #ifdef MAC
1184 error = mac_cred_check_setegid(oldcred, egid);
1185 if (error)
1186 goto fail;
1187 #endif
1188
1189 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
1190 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
1191 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
1192 goto fail;
1193
1194 if (oldcred->cr_gid != egid) {
1195 change_egid(newcred, egid);
1196 setsugid(p);
1197 }
1198 proc_set_cred(p, newcred);
1199 PROC_UNLOCK(p);
1200 crfree(oldcred);
1201 return (0);
1202
1203 fail:
1204 PROC_UNLOCK(p);
1205 crfree(newcred);
1206 return (error);
1207 }
1208
1209 #ifdef COMPAT_FREEBSD14
1210 int
freebsd14_setgroups(struct thread * td,struct freebsd14_setgroups_args * uap)1211 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap)
1212 {
1213 gid_t smallgroups[CRED_SMALLGROUPS_NB];
1214 gid_t *groups;
1215 int gidsetsize, error;
1216
1217 /*
1218 * Before FreeBSD 15.0, we allow one more group to be supplied to
1219 * account for the egid appearing before the supplementary groups. This
1220 * may technically allow one more supplementary group for systems that
1221 * did use the default NGROUPS_MAX if we round it back up to 1024.
1222 */
1223 gidsetsize = uap->gidsetsize;
1224 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
1225 return (EINVAL);
1226
1227 if (gidsetsize > CRED_SMALLGROUPS_NB)
1228 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
1229 else
1230 groups = smallgroups;
1231
1232 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
1233 if (error == 0) {
1234 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0;
1235
1236 error = kern_setgroups(td, &ngroups, groups + 1);
1237 if (error == 0 && gidsetsize > 0)
1238 td->td_proc->p_ucred->cr_gid = groups[0];
1239 }
1240
1241 if (groups != smallgroups)
1242 free(groups, M_TEMP);
1243 return (error);
1244 }
1245 #endif /* COMPAT_FREEBSD14 */
1246
1247 #ifndef _SYS_SYSPROTO_H_
1248 struct setgroups_args {
1249 int gidsetsize;
1250 gid_t *gidset;
1251 };
1252 #endif
1253 /* ARGSUSED */
1254 int
sys_setgroups(struct thread * td,struct setgroups_args * uap)1255 sys_setgroups(struct thread *td, struct setgroups_args *uap)
1256 {
1257 gid_t smallgroups[CRED_SMALLGROUPS_NB];
1258 gid_t *groups;
1259 int gidsetsize, error;
1260
1261 /*
1262 * Sanity check size now to avoid passing too big a value to copyin(),
1263 * even if kern_setgroups() will do it again.
1264 *
1265 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it
1266 * was, in this implementation, for a long time), but POSIX standardized
1267 * getgroups() to take an 'int' and it would be quite entrapping to have
1268 * setgroups() differ.
1269 */
1270 gidsetsize = uap->gidsetsize;
1271 if (gidsetsize > ngroups_max || gidsetsize < 0)
1272 return (EINVAL);
1273
1274 if (gidsetsize > CRED_SMALLGROUPS_NB)
1275 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
1276 else
1277 groups = smallgroups;
1278
1279 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
1280 if (error == 0)
1281 error = kern_setgroups(td, &gidsetsize, groups);
1282
1283 if (groups != smallgroups)
1284 free(groups, M_TEMP);
1285 return (error);
1286 }
1287
1288 /*
1289 * CAUTION: This function normalizes 'groups', possibly also changing the value
1290 * of '*ngrpp' as a consequence.
1291 */
1292 int
kern_setgroups(struct thread * td,int * ngrpp,gid_t * groups)1293 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups)
1294 {
1295 struct proc *p = td->td_proc;
1296 struct ucred *newcred, *oldcred;
1297 int ngrp, error;
1298
1299 ngrp = *ngrpp;
1300 /* Sanity check size. */
1301 if (ngrp < 0 || ngrp > ngroups_max)
1302 return (EINVAL);
1303
1304 AUDIT_ARG_GROUPSET(groups, ngrp);
1305
1306 groups_normalize(&ngrp, groups);
1307 *ngrpp = ngrp;
1308
1309 newcred = crget();
1310 crextend(newcred, ngrp);
1311 PROC_LOCK(p);
1312 execve_block_pass(td);
1313 oldcred = crcopysafe(p, newcred);
1314
1315 #ifdef MAC
1316 /*
1317 * We pass NULL here explicitly if we don't have any supplementary
1318 * groups mostly for the sake of normalization, but also to avoid/detect
1319 * a situation where a MAC module has some assumption about the layout
1320 * of `groups` matching historical behavior.
1321 */
1322 error = mac_cred_check_setgroups(oldcred, ngrp,
1323 ngrp == 0 ? NULL : groups);
1324 if (error)
1325 goto fail;
1326 #endif
1327
1328 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS);
1329 if (error)
1330 goto fail;
1331
1332 crsetgroups_internal(newcred, ngrp, groups);
1333 setsugid(p);
1334 proc_set_cred(p, newcred);
1335 PROC_UNLOCK(p);
1336 crfree(oldcred);
1337 return (0);
1338
1339 fail:
1340 PROC_UNLOCK(p);
1341 crfree(newcred);
1342 return (error);
1343 }
1344
1345 #ifndef _SYS_SYSPROTO_H_
1346 struct setreuid_args {
1347 uid_t ruid;
1348 uid_t euid;
1349 };
1350 #endif
1351 /* ARGSUSED */
1352 int
sys_setreuid(struct thread * td,struct setreuid_args * uap)1353 sys_setreuid(struct thread *td, struct setreuid_args *uap)
1354 {
1355 struct proc *p = td->td_proc;
1356 struct ucred *newcred, *oldcred;
1357 uid_t euid, ruid;
1358 struct uidinfo *euip, *ruip;
1359 int error;
1360
1361 euid = uap->euid;
1362 ruid = uap->ruid;
1363 AUDIT_ARG_EUID(euid);
1364 AUDIT_ARG_RUID(ruid);
1365 newcred = crget();
1366 euip = uifind(euid);
1367 ruip = uifind(ruid);
1368 PROC_LOCK(p);
1369 execve_block_pass(td);
1370 oldcred = crcopysafe(p, newcred);
1371
1372 #ifdef MAC
1373 error = mac_cred_check_setreuid(oldcred, ruid, euid);
1374 if (error)
1375 goto fail;
1376 #endif
1377
1378 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1379 ruid != oldcred->cr_svuid) ||
1380 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
1381 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
1382 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0)
1383 goto fail;
1384
1385 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1386 change_euid(newcred, euip);
1387 setsugid(p);
1388 }
1389 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1390 change_ruid(newcred, ruip);
1391 setsugid(p);
1392 }
1393 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
1394 newcred->cr_svuid != newcred->cr_uid) {
1395 change_svuid(newcred, newcred->cr_uid);
1396 setsugid(p);
1397 }
1398 #ifdef RACCT
1399 racct_proc_ucred_changed(p, oldcred, newcred);
1400 #endif
1401 #ifdef RCTL
1402 crhold(newcred);
1403 #endif
1404 /*
1405 * Takes over 'newcred''s reference, so 'newcred' must not be used
1406 * besides this point except on RCTL where we took an additional
1407 * reference above.
1408 */
1409 proc_set_cred(p, newcred);
1410 PROC_UNLOCK(p);
1411 #ifdef RCTL
1412 rctl_proc_ucred_changed(p, newcred);
1413 crfree(newcred);
1414 #endif
1415 uifree(ruip);
1416 uifree(euip);
1417 crfree(oldcred);
1418 return (0);
1419
1420 fail:
1421 PROC_UNLOCK(p);
1422 uifree(ruip);
1423 uifree(euip);
1424 crfree(newcred);
1425 return (error);
1426 }
1427
1428 #ifndef _SYS_SYSPROTO_H_
1429 struct setregid_args {
1430 gid_t rgid;
1431 gid_t egid;
1432 };
1433 #endif
1434 /* ARGSUSED */
1435 int
sys_setregid(struct thread * td,struct setregid_args * uap)1436 sys_setregid(struct thread *td, struct setregid_args *uap)
1437 {
1438 struct proc *p = td->td_proc;
1439 struct ucred *newcred, *oldcred;
1440 gid_t egid, rgid;
1441 int error;
1442
1443 egid = uap->egid;
1444 rgid = uap->rgid;
1445 AUDIT_ARG_EGID(egid);
1446 AUDIT_ARG_RGID(rgid);
1447 newcred = crget();
1448 PROC_LOCK(p);
1449 execve_block_pass(td);
1450 oldcred = crcopysafe(p, newcred);
1451
1452 #ifdef MAC
1453 error = mac_cred_check_setregid(oldcred, rgid, egid);
1454 if (error)
1455 goto fail;
1456 #endif
1457
1458 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1459 rgid != oldcred->cr_svgid) ||
1460 (egid != (gid_t)-1 && egid != oldcred->cr_gid &&
1461 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
1462 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0)
1463 goto fail;
1464
1465 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) {
1466 change_egid(newcred, egid);
1467 setsugid(p);
1468 }
1469 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1470 change_rgid(newcred, rgid);
1471 setsugid(p);
1472 }
1473 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) &&
1474 newcred->cr_svgid != newcred->cr_gid) {
1475 change_svgid(newcred, newcred->cr_gid);
1476 setsugid(p);
1477 }
1478 proc_set_cred(p, newcred);
1479 PROC_UNLOCK(p);
1480 crfree(oldcred);
1481 return (0);
1482
1483 fail:
1484 PROC_UNLOCK(p);
1485 crfree(newcred);
1486 return (error);
1487 }
1488
1489 /*
1490 * setresuid(ruid, euid, suid) is like setreuid except control over the saved
1491 * uid is explicit.
1492 */
1493 #ifndef _SYS_SYSPROTO_H_
1494 struct setresuid_args {
1495 uid_t ruid;
1496 uid_t euid;
1497 uid_t suid;
1498 };
1499 #endif
1500 /* ARGSUSED */
1501 int
sys_setresuid(struct thread * td,struct setresuid_args * uap)1502 sys_setresuid(struct thread *td, struct setresuid_args *uap)
1503 {
1504 struct proc *p = td->td_proc;
1505 struct ucred *newcred, *oldcred;
1506 uid_t euid, ruid, suid;
1507 struct uidinfo *euip, *ruip;
1508 int error;
1509
1510 euid = uap->euid;
1511 ruid = uap->ruid;
1512 suid = uap->suid;
1513 AUDIT_ARG_EUID(euid);
1514 AUDIT_ARG_RUID(ruid);
1515 AUDIT_ARG_SUID(suid);
1516 newcred = crget();
1517 euip = uifind(euid);
1518 ruip = uifind(ruid);
1519 PROC_LOCK(p);
1520 execve_block_pass(td);
1521 oldcred = crcopysafe(p, newcred);
1522
1523 #ifdef MAC
1524 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
1525 if (error)
1526 goto fail;
1527 #endif
1528
1529 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1530 ruid != oldcred->cr_svuid &&
1531 ruid != oldcred->cr_uid) ||
1532 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1533 euid != oldcred->cr_svuid &&
1534 euid != oldcred->cr_uid) ||
1535 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1536 suid != oldcred->cr_svuid &&
1537 suid != oldcred->cr_uid)) &&
1538 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0)
1539 goto fail;
1540
1541 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1542 change_euid(newcred, euip);
1543 setsugid(p);
1544 }
1545 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1546 change_ruid(newcred, ruip);
1547 setsugid(p);
1548 }
1549 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1550 change_svuid(newcred, suid);
1551 setsugid(p);
1552 }
1553 #ifdef RACCT
1554 racct_proc_ucred_changed(p, oldcred, newcred);
1555 #endif
1556 #ifdef RCTL
1557 crhold(newcred);
1558 #endif
1559 /*
1560 * Takes over 'newcred''s reference, so 'newcred' must not be used
1561 * besides this point except on RCTL where we took an additional
1562 * reference above.
1563 */
1564 proc_set_cred(p, newcred);
1565 PROC_UNLOCK(p);
1566 #ifdef RCTL
1567 rctl_proc_ucred_changed(p, newcred);
1568 crfree(newcred);
1569 #endif
1570 uifree(ruip);
1571 uifree(euip);
1572 crfree(oldcred);
1573 return (0);
1574
1575 fail:
1576 PROC_UNLOCK(p);
1577 uifree(ruip);
1578 uifree(euip);
1579 crfree(newcred);
1580 return (error);
1581
1582 }
1583
1584 /*
1585 * setresgid(rgid, egid, sgid) is like setregid except control over the saved
1586 * gid is explicit.
1587 */
1588 #ifndef _SYS_SYSPROTO_H_
1589 struct setresgid_args {
1590 gid_t rgid;
1591 gid_t egid;
1592 gid_t sgid;
1593 };
1594 #endif
1595 /* ARGSUSED */
1596 int
sys_setresgid(struct thread * td,struct setresgid_args * uap)1597 sys_setresgid(struct thread *td, struct setresgid_args *uap)
1598 {
1599 struct proc *p = td->td_proc;
1600 struct ucred *newcred, *oldcred;
1601 gid_t egid, rgid, sgid;
1602 int error;
1603
1604 egid = uap->egid;
1605 rgid = uap->rgid;
1606 sgid = uap->sgid;
1607 AUDIT_ARG_EGID(egid);
1608 AUDIT_ARG_RGID(rgid);
1609 AUDIT_ARG_SGID(sgid);
1610 newcred = crget();
1611 PROC_LOCK(p);
1612 execve_block_pass(td);
1613 oldcred = crcopysafe(p, newcred);
1614
1615 #ifdef MAC
1616 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
1617 if (error)
1618 goto fail;
1619 #endif
1620
1621 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1622 rgid != oldcred->cr_svgid &&
1623 rgid != oldcred->cr_gid) ||
1624 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1625 egid != oldcred->cr_svgid &&
1626 egid != oldcred->cr_gid) ||
1627 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1628 sgid != oldcred->cr_svgid &&
1629 sgid != oldcred->cr_gid)) &&
1630 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0)
1631 goto fail;
1632
1633 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) {
1634 change_egid(newcred, egid);
1635 setsugid(p);
1636 }
1637 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1638 change_rgid(newcred, rgid);
1639 setsugid(p);
1640 }
1641 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1642 change_svgid(newcred, sgid);
1643 setsugid(p);
1644 }
1645 proc_set_cred(p, newcred);
1646 PROC_UNLOCK(p);
1647 crfree(oldcred);
1648 return (0);
1649
1650 fail:
1651 PROC_UNLOCK(p);
1652 crfree(newcred);
1653 return (error);
1654 }
1655
1656 #ifndef _SYS_SYSPROTO_H_
1657 struct getresuid_args {
1658 uid_t *ruid;
1659 uid_t *euid;
1660 uid_t *suid;
1661 };
1662 #endif
1663 /* ARGSUSED */
1664 int
sys_getresuid(struct thread * td,struct getresuid_args * uap)1665 sys_getresuid(struct thread *td, struct getresuid_args *uap)
1666 {
1667 struct ucred *cred;
1668 int error1 = 0, error2 = 0, error3 = 0;
1669
1670 cred = td->td_ucred;
1671 if (uap->ruid)
1672 error1 = copyout(&cred->cr_ruid,
1673 uap->ruid, sizeof(cred->cr_ruid));
1674 if (uap->euid)
1675 error2 = copyout(&cred->cr_uid,
1676 uap->euid, sizeof(cred->cr_uid));
1677 if (uap->suid)
1678 error3 = copyout(&cred->cr_svuid,
1679 uap->suid, sizeof(cred->cr_svuid));
1680 return (error1 ? error1 : error2 ? error2 : error3);
1681 }
1682
1683 #ifndef _SYS_SYSPROTO_H_
1684 struct getresgid_args {
1685 gid_t *rgid;
1686 gid_t *egid;
1687 gid_t *sgid;
1688 };
1689 #endif
1690 /* ARGSUSED */
1691 int
sys_getresgid(struct thread * td,struct getresgid_args * uap)1692 sys_getresgid(struct thread *td, struct getresgid_args *uap)
1693 {
1694 struct ucred *cred;
1695 int error1 = 0, error2 = 0, error3 = 0;
1696
1697 cred = td->td_ucred;
1698 if (uap->rgid)
1699 error1 = copyout(&cred->cr_rgid,
1700 uap->rgid, sizeof(cred->cr_rgid));
1701 if (uap->egid)
1702 error2 = copyout(&cred->cr_gid,
1703 uap->egid, sizeof(cred->cr_gid));
1704 if (uap->sgid)
1705 error3 = copyout(&cred->cr_svgid,
1706 uap->sgid, sizeof(cred->cr_svgid));
1707 return (error1 ? error1 : error2 ? error2 : error3);
1708 }
1709
1710 #ifndef _SYS_SYSPROTO_H_
1711 struct issetugid_args {
1712 int dummy;
1713 };
1714 #endif
1715 /* ARGSUSED */
1716 int
sys_issetugid(struct thread * td,struct issetugid_args * uap)1717 sys_issetugid(struct thread *td, struct issetugid_args *uap)
1718 {
1719 struct proc *p = td->td_proc;
1720
1721 /*
1722 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1723 * we use P_SUGID because we consider changing the owners as
1724 * "tainting" as well.
1725 * This is significant for procs that start as root and "become"
1726 * a user without an exec - programs cannot know *everything*
1727 * that libc *might* have put in their data segment.
1728 */
1729 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1730 return (0);
1731 }
1732
1733 int
sys___setugid(struct thread * td,struct __setugid_args * uap)1734 sys___setugid(struct thread *td, struct __setugid_args *uap)
1735 {
1736 #ifdef REGRESSION
1737 struct proc *p;
1738
1739 p = td->td_proc;
1740 switch (uap->flag) {
1741 case 0:
1742 PROC_LOCK(p);
1743 p->p_flag &= ~P_SUGID;
1744 PROC_UNLOCK(p);
1745 return (0);
1746 case 1:
1747 PROC_LOCK(p);
1748 p->p_flag |= P_SUGID;
1749 PROC_UNLOCK(p);
1750 return (0);
1751 default:
1752 return (EINVAL);
1753 }
1754 #else /* !REGRESSION */
1755
1756 return (ENOSYS);
1757 #endif /* REGRESSION */
1758 }
1759
1760 #ifdef INVARIANTS
1761 static void
groups_check_normalized(int ngrp,const gid_t * groups)1762 groups_check_normalized(int ngrp, const gid_t *groups)
1763 {
1764 gid_t prev_g;
1765
1766 groups_check_positive_len(ngrp);
1767 groups_check_max_len(ngrp);
1768
1769 if (ngrp <= 1)
1770 return;
1771
1772 prev_g = groups[0];
1773 for (int i = 1; i < ngrp; ++i) {
1774 const gid_t g = groups[i];
1775
1776 if (prev_g >= g)
1777 panic("%s: groups[%d] (%u) >= groups[%d] (%u)",
1778 __func__, i - 1, prev_g, i, g);
1779 prev_g = g;
1780 }
1781 }
1782 #else
1783 #define groups_check_normalized(...)
1784 #endif
1785
1786 /*
1787 * Returns whether gid designates a supplementary group in cred.
1788 */
1789 bool
group_is_supplementary(const gid_t gid,const struct ucred * const cred)1790 group_is_supplementary(const gid_t gid, const struct ucred *const cred)
1791 {
1792
1793 groups_check_normalized(cred->cr_ngroups, cred->cr_groups);
1794
1795 /*
1796 * Perform a binary search of the supplementary groups. This is
1797 * possible because we sort the groups in crsetgroups().
1798 */
1799 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups,
1800 sizeof(gid), gidp_cmp) != NULL);
1801 }
1802
1803 /*
1804 * Check if gid is a member of the (effective) group set (i.e., effective and
1805 * supplementary groups).
1806 */
1807 bool
groupmember(gid_t gid,const struct ucred * cred)1808 groupmember(gid_t gid, const struct ucred *cred)
1809 {
1810
1811 groups_check_positive_len(cred->cr_ngroups);
1812
1813 if (gid == cred->cr_gid)
1814 return (true);
1815
1816 return (group_is_supplementary(gid, cred));
1817 }
1818
1819 /*
1820 * Check if gid is a member of the real group set (i.e., real and supplementary
1821 * groups).
1822 */
1823 bool
realgroupmember(gid_t gid,const struct ucred * cred)1824 realgroupmember(gid_t gid, const struct ucred *cred)
1825 {
1826 groups_check_positive_len(cred->cr_ngroups);
1827
1828 if (gid == cred->cr_rgid)
1829 return (true);
1830
1831 return (group_is_supplementary(gid, cred));
1832 }
1833
1834 /*
1835 * Test the active securelevel against a given level. securelevel_gt()
1836 * implements (securelevel > level). securelevel_ge() implements
1837 * (securelevel >= level). Note that the logic is inverted -- these
1838 * functions return EPERM on "success" and 0 on "failure".
1839 *
1840 * Due to care taken when setting the securelevel, we know that no jail will
1841 * be less secure that its parent (or the physical system), so it is sufficient
1842 * to test the current jail only.
1843 *
1844 * XXXRW: Possibly since this has to do with privilege, it should move to
1845 * kern_priv.c.
1846 */
1847 int
securelevel_gt(struct ucred * cr,int level)1848 securelevel_gt(struct ucred *cr, int level)
1849 {
1850
1851 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
1852 }
1853
1854 int
securelevel_ge(struct ucred * cr,int level)1855 securelevel_ge(struct ucred *cr, int level)
1856 {
1857
1858 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
1859 }
1860
1861 /*
1862 * 'see_other_uids' determines whether or not visibility of processes
1863 * and sockets with credentials holding different real uids is possible
1864 * using a variety of system MIBs.
1865 * XXX: data declarations should be together near the beginning of the file.
1866 */
1867 static int see_other_uids = 1;
1868 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1869 &see_other_uids, 0,
1870 "Unprivileged processes may see subjects/objects with different real uid");
1871
1872 /*-
1873 * Determine if u1 "can see" the subject specified by u2, according to the
1874 * 'see_other_uids' policy.
1875 * Returns: 0 for permitted, ESRCH otherwise
1876 * Locks: none
1877 * References: *u1 and *u2 must not change during the call
1878 * u1 may equal u2, in which case only one reference is required
1879 */
1880 static int
cr_canseeotheruids(struct ucred * u1,struct ucred * u2)1881 cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
1882 {
1883
1884 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1885 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0)
1886 return (ESRCH);
1887 }
1888 return (0);
1889 }
1890
1891 /*
1892 * 'see_other_gids' determines whether or not visibility of processes
1893 * and sockets with credentials holding different real gids is possible
1894 * using a variety of system MIBs.
1895 * XXX: data declarations should be together near the beginning of the file.
1896 */
1897 static int see_other_gids = 1;
1898 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1899 &see_other_gids, 0,
1900 "Unprivileged processes may see subjects/objects with different real gid");
1901
1902 /*
1903 * Determine if u1 can "see" the subject specified by u2, according to the
1904 * 'see_other_gids' policy.
1905 * Returns: 0 for permitted, ESRCH otherwise
1906 * Locks: none
1907 * References: *u1 and *u2 must not change during the call
1908 * u1 may equal u2, in which case only one reference is required
1909 */
1910 static int
cr_canseeothergids(struct ucred * u1,struct ucred * u2)1911 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
1912 {
1913 if (see_other_gids)
1914 return (0);
1915
1916 /* Restriction in force. */
1917
1918 if (realgroupmember(u1->cr_rgid, u2))
1919 return (0);
1920
1921 for (int i = 0; i < u1->cr_ngroups; i++)
1922 if (realgroupmember(u1->cr_groups[i], u2))
1923 return (0);
1924
1925 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0)
1926 return (0);
1927
1928 return (ESRCH);
1929 }
1930
1931 /*
1932 * 'see_jail_proc' determines whether or not visibility of processes and
1933 * sockets with credentials holding different jail ids is possible using a
1934 * variety of system MIBs.
1935 *
1936 * XXX: data declarations should be together near the beginning of the file.
1937 */
1938
1939 static int see_jail_proc = 1;
1940 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
1941 &see_jail_proc, 0,
1942 "Unprivileged processes may see subjects/objects with different jail ids");
1943
1944 /*-
1945 * Determine if u1 "can see" the subject specified by u2, according to the
1946 * 'see_jail_proc' policy.
1947 * Returns: 0 for permitted, ESRCH otherwise
1948 * Locks: none
1949 * References: *u1 and *u2 must not change during the call
1950 * u1 may equal u2, in which case only one reference is required
1951 */
1952 static int
cr_canseejailproc(struct ucred * u1,struct ucred * u2)1953 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
1954 {
1955 if (see_jail_proc || /* Policy deactivated. */
1956 u1->cr_prison == u2->cr_prison || /* Same jail. */
1957 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
1958 return (0);
1959
1960 return (ESRCH);
1961 }
1962
1963 /*
1964 * Determine if u1 can tamper with the subject specified by u2, if they are in
1965 * different jails and 'unprivileged_parent_tampering' jail policy allows it.
1966 *
1967 * May be called if u1 and u2 are in the same jail, but it is expected that the
1968 * caller has already done a prison_check() prior to calling it.
1969 *
1970 * Returns: 0 for permitted, EPERM otherwise
1971 */
1972 static int
cr_can_tamper_with_subjail(struct ucred * u1,struct ucred * u2,int priv)1973 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv)
1974 {
1975
1976 MPASS(prison_check(u1, u2) == 0);
1977 if (u1->cr_prison == u2->cr_prison)
1978 return (0);
1979
1980 if (priv_check_cred(u1, priv) == 0)
1981 return (0);
1982
1983 /*
1984 * Jails do not maintain a distinct UID space, so process visibility is
1985 * all that would control an unprivileged process' ability to tamper
1986 * with a process in a subjail by default if we did not have the
1987 * allow.unprivileged_parent_tampering knob to restrict it by default.
1988 */
1989 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER))
1990 return (0);
1991
1992 return (EPERM);
1993 }
1994
1995 /*
1996 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
1997 * policies. Determines if u1 "can see" u2 according to these policies.
1998 * Returns: 0 for permitted, ESRCH otherwise
1999 */
2000 int
cr_bsd_visible(struct ucred * u1,struct ucred * u2)2001 cr_bsd_visible(struct ucred *u1, struct ucred *u2)
2002 {
2003 int error;
2004
2005 error = cr_canseeotheruids(u1, u2);
2006 if (error != 0)
2007 return (error);
2008 error = cr_canseeothergids(u1, u2);
2009 if (error != 0)
2010 return (error);
2011 error = cr_canseejailproc(u1, u2);
2012 if (error != 0)
2013 return (error);
2014 return (0);
2015 }
2016
2017 /*-
2018 * Determine if u1 "can see" the subject specified by u2.
2019 * Returns: 0 for permitted, an errno value otherwise
2020 * Locks: none
2021 * References: *u1 and *u2 must not change during the call
2022 * u1 may equal u2, in which case only one reference is required
2023 */
2024 int
cr_cansee(struct ucred * u1,struct ucred * u2)2025 cr_cansee(struct ucred *u1, struct ucred *u2)
2026 {
2027 int error;
2028
2029 if ((error = prison_check(u1, u2)))
2030 return (error);
2031 #ifdef MAC
2032 if ((error = mac_cred_check_visible(u1, u2)))
2033 return (error);
2034 #endif
2035 if ((error = cr_bsd_visible(u1, u2)))
2036 return (error);
2037 return (0);
2038 }
2039
2040 /*-
2041 * Determine if td "can see" the subject specified by p.
2042 * Returns: 0 for permitted, an errno value otherwise
2043 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
2044 * should be curthread.
2045 * References: td and p must be valid for the lifetime of the call
2046 */
2047 int
p_cansee(struct thread * td,struct proc * p)2048 p_cansee(struct thread *td, struct proc *p)
2049 {
2050 /* Wrap cr_cansee() for all functionality. */
2051 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2052 PROC_LOCK_ASSERT(p, MA_OWNED);
2053
2054 if (td->td_proc == p)
2055 return (0);
2056 return (cr_cansee(td->td_ucred, p->p_ucred));
2057 }
2058
2059 /*
2060 * 'conservative_signals' prevents the delivery of a broad class of
2061 * signals by unprivileged processes to processes that have changed their
2062 * credentials since the last invocation of execve(). This can prevent
2063 * the leakage of cached information or retained privileges as a result
2064 * of a common class of signal-related vulnerabilities. However, this
2065 * may interfere with some applications that expect to be able to
2066 * deliver these signals to peer processes after having given up
2067 * privilege.
2068 */
2069 static int conservative_signals = 1;
2070 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
2071 &conservative_signals, 0, "Unprivileged processes prevented from "
2072 "sending certain signals to processes whose credentials have changed");
2073 /*-
2074 * Determine whether cred may deliver the specified signal to proc.
2075 * Returns: 0 for permitted, an errno value otherwise.
2076 * Locks: A lock must be held for proc.
2077 * References: cred and proc must be valid for the lifetime of the call.
2078 */
2079 int
cr_cansignal(struct ucred * cred,struct proc * proc,int signum)2080 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
2081 {
2082 int error;
2083
2084 PROC_LOCK_ASSERT(proc, MA_OWNED);
2085 /*
2086 * Jail semantics limit the scope of signalling to proc in the
2087 * same jail as cred, if cred is in jail.
2088 */
2089 error = prison_check(cred, proc->p_ucred);
2090 if (error)
2091 return (error);
2092 #ifdef MAC
2093 if ((error = mac_proc_check_signal(cred, proc, signum)))
2094 return (error);
2095 #endif
2096 if ((error = cr_bsd_visible(cred, proc->p_ucred)))
2097 return (error);
2098
2099 /*
2100 * UNIX signal semantics depend on the status of the P_SUGID
2101 * bit on the target process. If the bit is set, then additional
2102 * restrictions are placed on the set of available signals.
2103 */
2104 if (conservative_signals && (proc->p_flag & P_SUGID)) {
2105 switch (signum) {
2106 case 0:
2107 case SIGKILL:
2108 case SIGINT:
2109 case SIGTERM:
2110 case SIGALRM:
2111 case SIGSTOP:
2112 case SIGTTIN:
2113 case SIGTTOU:
2114 case SIGTSTP:
2115 case SIGHUP:
2116 case SIGUSR1:
2117 case SIGUSR2:
2118 /*
2119 * Generally, permit job and terminal control
2120 * signals.
2121 */
2122 break;
2123 default:
2124 /* Not permitted without privilege. */
2125 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
2126 if (error)
2127 return (error);
2128 }
2129 }
2130
2131 /*
2132 * Generally, the target credential's ruid or svuid must match the
2133 * subject credential's ruid or euid.
2134 */
2135 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
2136 cred->cr_ruid != proc->p_ucred->cr_svuid &&
2137 cred->cr_uid != proc->p_ucred->cr_ruid &&
2138 cred->cr_uid != proc->p_ucred->cr_svuid) {
2139 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
2140 if (error)
2141 return (error);
2142 }
2143
2144 /*
2145 * At this point, the target may be in a different jail than the
2146 * subject -- the subject must be in a parent jail to the target,
2147 * whether it is prison0 or a subordinate of prison0 that has
2148 * children. Additional privileges are required to allow this, as
2149 * whether the creds are truly equivalent or not must be determined on
2150 * a case-by-case basis.
2151 */
2152 error = cr_can_tamper_with_subjail(cred, proc->p_ucred,
2153 PRIV_SIGNAL_DIFFJAIL);
2154 if (error)
2155 return (error);
2156
2157 return (0);
2158 }
2159
2160 /*-
2161 * Determine whether td may deliver the specified signal to p.
2162 * Returns: 0 for permitted, an errno value otherwise
2163 * Locks: Sufficient locks to protect various components of td and p
2164 * must be held. td must be curthread, and a lock must be
2165 * held for p.
2166 * References: td and p must be valid for the lifetime of the call
2167 */
2168 int
p_cansignal(struct thread * td,struct proc * p,int signum)2169 p_cansignal(struct thread *td, struct proc *p, int signum)
2170 {
2171
2172 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2173 PROC_LOCK_ASSERT(p, MA_OWNED);
2174 if (td->td_proc == p)
2175 return (0);
2176
2177 /*
2178 * UNIX signalling semantics require that processes in the same
2179 * session always be able to deliver SIGCONT to one another,
2180 * overriding the remaining protections.
2181 */
2182 /* XXX: This will require an additional lock of some sort. */
2183 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
2184 return (0);
2185 /*
2186 * Some compat layers use SIGTHR and higher signals for
2187 * communication between different kernel threads of the same
2188 * process, so that they expect that it's always possible to
2189 * deliver them, even for suid applications where cr_cansignal() can
2190 * deny such ability for security consideration. It should be
2191 * pretty safe to do since the only way to create two processes
2192 * with the same p_leader is via rfork(2).
2193 */
2194 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
2195 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
2196 return (0);
2197
2198 return (cr_cansignal(td->td_ucred, p, signum));
2199 }
2200
2201 /*-
2202 * Determine whether td may reschedule p.
2203 * Returns: 0 for permitted, an errno value otherwise
2204 * Locks: Sufficient locks to protect various components of td and p
2205 * must be held. td must be curthread, and a lock must
2206 * be held for p.
2207 * References: td and p must be valid for the lifetime of the call
2208 */
2209 int
p_cansched(struct thread * td,struct proc * p)2210 p_cansched(struct thread *td, struct proc *p)
2211 {
2212 int error;
2213
2214 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2215 PROC_LOCK_ASSERT(p, MA_OWNED);
2216 if (td->td_proc == p)
2217 return (0);
2218 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2219 return (error);
2220 #ifdef MAC
2221 if ((error = mac_proc_check_sched(td->td_ucred, p)))
2222 return (error);
2223 #endif
2224 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2225 return (error);
2226
2227 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
2228 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
2229 error = priv_check(td, PRIV_SCHED_DIFFCRED);
2230 if (error)
2231 return (error);
2232 }
2233
2234 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
2235 PRIV_SCHED_DIFFJAIL);
2236 if (error)
2237 return (error);
2238
2239 return (0);
2240 }
2241
2242 /*
2243 * Handle getting or setting the prison's unprivileged_proc_debug
2244 * value.
2245 */
2246 static int
sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)2247 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
2248 {
2249 int error, val;
2250
2251 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG);
2252 error = sysctl_handle_int(oidp, &val, 0, req);
2253 if (error != 0 || req->newptr == NULL)
2254 return (error);
2255 if (val != 0 && val != 1)
2256 return (EINVAL);
2257 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val);
2258 return (0);
2259 }
2260
2261 /*
2262 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
2263 * unprivileged inter-process debugging services, including some procfs
2264 * functionality, ptrace(), and ktrace(). In the past, inter-process
2265 * debugging has been involved in a variety of security problems, and sites
2266 * not requiring the service might choose to disable it when hardening
2267 * systems.
2268 */
2269 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
2270 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
2271 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
2272 "Unprivileged processes may use process debugging facilities");
2273
2274 /*
2275 * Return true if the object owner/group ids are subset of the active
2276 * credentials.
2277 */
2278 bool
cr_xids_subset(struct ucred * active_cred,struct ucred * obj_cred)2279 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
2280 {
2281 int i;
2282 bool grpsubset, uidsubset;
2283
2284 /*
2285 * Is p's group set a subset of td's effective group set? This
2286 * includes p's egid, group access list, rgid, and svgid.
2287 */
2288 grpsubset = true;
2289 for (i = 0; i < obj_cred->cr_ngroups; i++) {
2290 if (!groupmember(obj_cred->cr_groups[i], active_cred)) {
2291 grpsubset = false;
2292 break;
2293 }
2294 }
2295 grpsubset = grpsubset &&
2296 groupmember(obj_cred->cr_gid, active_cred) &&
2297 groupmember(obj_cred->cr_rgid, active_cred) &&
2298 groupmember(obj_cred->cr_svgid, active_cred);
2299
2300 /*
2301 * Are the uids present in obj_cred's credential equal to
2302 * active_cred's effective uid? This includes obj_cred's
2303 * euid, svuid, and ruid.
2304 */
2305 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid &&
2306 active_cred->cr_uid == obj_cred->cr_svuid &&
2307 active_cred->cr_uid == obj_cred->cr_ruid);
2308
2309 return (uidsubset && grpsubset);
2310 }
2311
2312 /*-
2313 * Determine whether td may debug p.
2314 * Returns: 0 for permitted, an errno value otherwise
2315 * Locks: Sufficient locks to protect various components of td and p
2316 * must be held. td must be curthread, and a lock must
2317 * be held for p.
2318 * References: td and p must be valid for the lifetime of the call
2319 */
2320 int
p_candebug(struct thread * td,struct proc * p)2321 p_candebug(struct thread *td, struct proc *p)
2322 {
2323 int error;
2324
2325 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2326 PROC_LOCK_ASSERT(p, MA_OWNED);
2327 if (td->td_proc == p)
2328 return (0);
2329 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
2330 return (error);
2331 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2332 return (error);
2333 #ifdef MAC
2334 if ((error = mac_proc_check_debug(td->td_ucred, p)))
2335 return (error);
2336 #endif
2337 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2338 return (error);
2339
2340 /*
2341 * If p's gids aren't a subset, or the uids aren't a subset,
2342 * or the credential has changed, require appropriate privilege
2343 * for td to debug p.
2344 */
2345 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) {
2346 error = priv_check(td, PRIV_DEBUG_DIFFCRED);
2347 if (error)
2348 return (error);
2349 }
2350
2351 /*
2352 * Has the credential of the process changed since the last exec()?
2353 */
2354 if ((p->p_flag & P_SUGID) != 0) {
2355 error = priv_check(td, PRIV_DEBUG_SUGID);
2356 if (error)
2357 return (error);
2358 }
2359
2360 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
2361 PRIV_DEBUG_DIFFJAIL);
2362 if (error)
2363 return (error);
2364
2365 /* Can't trace init when securelevel > 0. */
2366 if (p == initproc) {
2367 error = securelevel_gt(td->td_ucred, 0);
2368 if (error)
2369 return (error);
2370 }
2371
2372 /*
2373 * Can't trace a process that's currently exec'ing. Otherwise
2374 * the process vmspace might change, and the target might be
2375 * loading a setugid image. The execve_block(9) and
2376 * proc_vmspace_ref(9) allow to get the stable credentials and
2377 * vmspace reference.
2378 */
2379 if ((p->p_flag & P_INEXEC) != 0)
2380 return (EBUSY);
2381
2382 /* Denied explicitly */
2383 if ((p->p_flag2 & P2_NOTRACE) != 0) {
2384 error = priv_check(td, PRIV_DEBUG_DENIED);
2385 if (error != 0)
2386 return (error);
2387 }
2388
2389 return (0);
2390 }
2391
2392 /*-
2393 * Determine whether the subject represented by cred can "see" a socket.
2394 * Returns: 0 for permitted, ENOENT otherwise.
2395 */
2396 int
cr_canseesocket(struct ucred * cred,struct socket * so)2397 cr_canseesocket(struct ucred *cred, struct socket *so)
2398 {
2399 int error;
2400
2401 error = prison_check(cred, so->so_cred);
2402 if (error)
2403 return (ENOENT);
2404 #ifdef MAC
2405 error = mac_socket_check_visible(cred, so);
2406 if (error)
2407 return (error);
2408 #endif
2409 if (cr_bsd_visible(cred, so->so_cred))
2410 return (ENOENT);
2411
2412 return (0);
2413 }
2414
2415 /*-
2416 * Determine whether td can wait for the exit of p.
2417 * Returns: 0 for permitted, an errno value otherwise
2418 * Locks: Sufficient locks to protect various components of td and p
2419 * must be held. td must be curthread, and a lock must
2420 * be held for p.
2421 * References: td and p must be valid for the lifetime of the call
2422
2423 */
2424 int
p_canwait(struct thread * td,struct proc * p)2425 p_canwait(struct thread *td, struct proc *p)
2426 {
2427 int error;
2428
2429 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2430 PROC_LOCK_ASSERT(p, MA_OWNED);
2431 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2432 return (error);
2433 #ifdef MAC
2434 if ((error = mac_proc_check_wait(td->td_ucred, p)))
2435 return (error);
2436 #endif
2437 #if 0
2438 /* XXXMAC: This could have odd effects on some shells. */
2439 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2440 return (error);
2441 #endif
2442
2443 return (0);
2444 }
2445
2446 /*
2447 * Credential management.
2448 *
2449 * struct ucred objects are rarely allocated but gain and lose references all
2450 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into
2451 * a significant source of cache-line ping ponging. Common cases are worked
2452 * around by modifying thread-local counter instead if the cred to operate on
2453 * matches td_realucred.
2454 *
2455 * The counter is split into 2 parts:
2456 * - cr_users -- total count of all struct proc and struct thread objects
2457 * which have given cred in p_ucred and td_ucred respectively
2458 * - cr_ref -- the actual ref count, only valid if cr_users == 0
2459 *
2460 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if
2461 * the count reaches 0 the object is freeable.
2462 * If users > 0 and curthread->td_realucred == cred, then updates are performed
2463 * against td_ucredref.
2464 * In other cases updates are performed against cr_ref.
2465 *
2466 * Changing td_realucred into something else decrements cr_users and transfers
2467 * accumulated updates.
2468 */
2469 struct ucred *
crcowget(struct ucred * cr)2470 crcowget(struct ucred *cr)
2471 {
2472
2473 mtx_lock(&cr->cr_mtx);
2474 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2475 __func__, cr->cr_users, cr));
2476 cr->cr_users++;
2477 cr->cr_ref++;
2478 mtx_unlock(&cr->cr_mtx);
2479 return (cr);
2480 }
2481
2482 static struct ucred *
crunuse(struct thread * td)2483 crunuse(struct thread *td)
2484 {
2485 struct ucred *cr, *crold;
2486
2487 MPASS(td->td_realucred == td->td_ucred);
2488 cr = td->td_realucred;
2489 mtx_lock(&cr->cr_mtx);
2490 cr->cr_ref += td->td_ucredref;
2491 td->td_ucredref = 0;
2492 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2493 __func__, cr->cr_users, cr));
2494 cr->cr_users--;
2495 if (cr->cr_users == 0) {
2496 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2497 __func__, cr->cr_ref, cr));
2498 crold = cr;
2499 } else {
2500 cr->cr_ref--;
2501 crold = NULL;
2502 }
2503 mtx_unlock(&cr->cr_mtx);
2504 td->td_realucred = NULL;
2505 return (crold);
2506 }
2507
2508 static void
crunusebatch(struct ucred * cr,u_int users,long ref)2509 crunusebatch(struct ucred *cr, u_int users, long ref)
2510 {
2511
2512 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
2513 __func__, users, cr));
2514 mtx_lock(&cr->cr_mtx);
2515 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
2516 __func__, cr->cr_users, users, cr));
2517 cr->cr_users -= users;
2518 cr->cr_ref += ref;
2519 cr->cr_ref -= users;
2520 if (cr->cr_users > 0) {
2521 mtx_unlock(&cr->cr_mtx);
2522 return;
2523 }
2524 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2525 __func__, cr->cr_ref, cr));
2526 if (cr->cr_ref > 0) {
2527 mtx_unlock(&cr->cr_mtx);
2528 return;
2529 }
2530 crfree_final(cr);
2531 }
2532
2533 void
crcowfree(struct thread * td)2534 crcowfree(struct thread *td)
2535 {
2536 struct ucred *cr;
2537
2538 cr = crunuse(td);
2539 if (cr != NULL)
2540 crfree(cr);
2541 }
2542
2543 struct ucred *
crcowsync(void)2544 crcowsync(void)
2545 {
2546 struct thread *td;
2547 struct proc *p;
2548 struct ucred *crnew, *crold;
2549
2550 td = curthread;
2551 p = td->td_proc;
2552 PROC_LOCK_ASSERT(p, MA_OWNED);
2553
2554 MPASS(td->td_realucred == td->td_ucred);
2555 if (td->td_realucred == p->p_ucred)
2556 return (NULL);
2557
2558 crnew = crcowget(p->p_ucred);
2559 crold = crunuse(td);
2560 td->td_realucred = crnew;
2561 td->td_ucred = td->td_realucred;
2562 return (crold);
2563 }
2564
2565 /*
2566 * Batching.
2567 */
2568 void
credbatch_add(struct credbatch * crb,struct thread * td)2569 credbatch_add(struct credbatch *crb, struct thread *td)
2570 {
2571 struct ucred *cr;
2572
2573 MPASS(td->td_realucred != NULL);
2574 MPASS(td->td_realucred == td->td_ucred);
2575 MPASS(TD_GET_STATE(td) == TDS_INACTIVE);
2576 cr = td->td_realucred;
2577 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2578 __func__, cr->cr_users, cr));
2579 if (crb->cred != cr) {
2580 if (crb->users > 0) {
2581 MPASS(crb->cred != NULL);
2582 crunusebatch(crb->cred, crb->users, crb->ref);
2583 crb->users = 0;
2584 crb->ref = 0;
2585 }
2586 }
2587 crb->cred = cr;
2588 crb->users++;
2589 crb->ref += td->td_ucredref;
2590 td->td_ucredref = 0;
2591 td->td_realucred = NULL;
2592 }
2593
2594 void
credbatch_final(struct credbatch * crb)2595 credbatch_final(struct credbatch *crb)
2596 {
2597
2598 MPASS(crb->cred != NULL);
2599 MPASS(crb->users > 0);
2600 crunusebatch(crb->cred, crb->users, crb->ref);
2601 }
2602
2603 /*
2604 * Allocate a zeroed cred structure.
2605 */
2606 struct ucred *
crget(void)2607 crget(void)
2608 {
2609 struct ucred *cr;
2610
2611 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
2612 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
2613 cr->cr_ref = 1;
2614 #ifdef AUDIT
2615 audit_cred_init(cr);
2616 #endif
2617 #ifdef MAC
2618 mac_cred_init(cr);
2619 #endif
2620 cr->cr_groups = cr->cr_smallgroups;
2621 cr->cr_agroups = nitems(cr->cr_smallgroups);
2622 return (cr);
2623 }
2624
2625 /*
2626 * Claim another reference to a ucred structure.
2627 */
2628 struct ucred *
crhold(struct ucred * cr)2629 crhold(struct ucred *cr)
2630 {
2631 struct thread *td;
2632
2633 td = curthread;
2634 if (__predict_true(td->td_realucred == cr)) {
2635 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2636 __func__, cr->cr_users, cr));
2637 td->td_ucredref++;
2638 return (cr);
2639 }
2640 mtx_lock(&cr->cr_mtx);
2641 cr->cr_ref++;
2642 mtx_unlock(&cr->cr_mtx);
2643 return (cr);
2644 }
2645
2646 /*
2647 * Free a cred structure. Throws away space when ref count gets to 0.
2648 */
2649 void
crfree(struct ucred * cr)2650 crfree(struct ucred *cr)
2651 {
2652 struct thread *td;
2653
2654 td = curthread;
2655 if (__predict_true(td->td_realucred == cr)) {
2656 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2657 __func__, cr->cr_users, cr));
2658 td->td_ucredref--;
2659 return;
2660 }
2661 mtx_lock(&cr->cr_mtx);
2662 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
2663 __func__, cr->cr_users, cr));
2664 cr->cr_ref--;
2665 if (cr->cr_users > 0) {
2666 mtx_unlock(&cr->cr_mtx);
2667 return;
2668 }
2669 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2670 __func__, cr->cr_ref, cr));
2671 if (cr->cr_ref > 0) {
2672 mtx_unlock(&cr->cr_mtx);
2673 return;
2674 }
2675 crfree_final(cr);
2676 }
2677
2678 static void
crfree_final(struct ucred * cr)2679 crfree_final(struct ucred *cr)
2680 {
2681
2682 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
2683 __func__, cr->cr_users, cr));
2684 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p",
2685 __func__, cr->cr_ref, cr));
2686
2687 /*
2688 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
2689 * credential, but don't allocate a uidinfo structure.
2690 */
2691 if (cr->cr_uidinfo != NULL)
2692 uifree(cr->cr_uidinfo);
2693 if (cr->cr_ruidinfo != NULL)
2694 uifree(cr->cr_ruidinfo);
2695 if (cr->cr_prison != NULL)
2696 prison_free(cr->cr_prison);
2697 if (cr->cr_loginclass != NULL)
2698 loginclass_free(cr->cr_loginclass);
2699 #ifdef AUDIT
2700 audit_cred_destroy(cr);
2701 #endif
2702 #ifdef MAC
2703 mac_cred_destroy(cr);
2704 #endif
2705 mtx_destroy(&cr->cr_mtx);
2706 if (cr->cr_groups != cr->cr_smallgroups)
2707 free(cr->cr_groups, M_CRED);
2708 free(cr, M_CRED);
2709 }
2710
2711 /*
2712 * Copy a ucred's contents from a template. Does not block.
2713 */
2714 void
crcopy(struct ucred * dest,struct ucred * src)2715 crcopy(struct ucred *dest, struct ucred *src)
2716 {
2717
2718 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
2719 (unsigned)((caddr_t)&src->cr_endcopy -
2720 (caddr_t)&src->cr_startcopy));
2721 dest->cr_flags = src->cr_flags;
2722 crsetgroups(dest, src->cr_ngroups, src->cr_groups);
2723 uihold(dest->cr_uidinfo);
2724 uihold(dest->cr_ruidinfo);
2725 prison_hold(dest->cr_prison);
2726 loginclass_hold(dest->cr_loginclass);
2727 #ifdef AUDIT
2728 audit_cred_copy(src, dest);
2729 #endif
2730 #ifdef MAC
2731 mac_cred_copy(src, dest);
2732 #endif
2733 }
2734
2735 /*
2736 * Dup cred struct to a new held one.
2737 */
2738 struct ucred *
crdup(struct ucred * cr)2739 crdup(struct ucred *cr)
2740 {
2741 struct ucred *newcr;
2742
2743 newcr = crget();
2744 crcopy(newcr, cr);
2745 return (newcr);
2746 }
2747
2748 /*
2749 * Fill in a struct xucred based on a struct ucred.
2750 */
2751 void
cru2x(struct ucred * cr,struct xucred * xcr)2752 cru2x(struct ucred *cr, struct xucred *xcr)
2753 {
2754 int ngroups;
2755
2756 bzero(xcr, sizeof(*xcr));
2757 xcr->cr_version = XUCRED_VERSION;
2758 xcr->cr_uid = cr->cr_uid;
2759 xcr->cr_gid = cr->cr_gid;
2760
2761 /*
2762 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so
2763 * this is kind of ugly; cr_ngroups still includes the egid for our
2764 * purposes to avoid bumping the xucred version.
2765 */
2766 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups));
2767 xcr->cr_ngroups = ngroups;
2768 bcopy(cr->cr_groups, xcr->cr_sgroups,
2769 (ngroups - 1) * sizeof(*cr->cr_groups));
2770 }
2771
2772 void
cru2xt(struct thread * td,struct xucred * xcr)2773 cru2xt(struct thread *td, struct xucred *xcr)
2774 {
2775
2776 cru2x(td->td_ucred, xcr);
2777 xcr->cr_pid = td->td_proc->p_pid;
2778 }
2779
2780 /*
2781 * Change process credentials.
2782 *
2783 * Callers are responsible for providing the reference for passed credentials
2784 * and for freeing old ones. Calls chgproccnt() to correctly account the
2785 * current process to the proper real UID, if the latter has changed. Returns
2786 * whether the operation was successful. Failure can happen only on
2787 * 'enforce_proc_lim' being true and if no new process can be accounted to the
2788 * new real UID because of the current limit (see the inner comment for more
2789 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override
2790 * that. In this case, the reference to 'newcred' is not taken over.
2791 */
2792 static bool
_proc_set_cred(struct proc * p,struct ucred * newcred,bool enforce_proc_lim)2793 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim)
2794 {
2795 struct ucred *const oldcred = p->p_ucred;
2796
2797 MPASS(oldcred != NULL);
2798 PROC_LOCK_ASSERT(p, MA_OWNED);
2799
2800 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) {
2801 /*
2802 * XXXOC: This check is flawed but nonetheless the best we can
2803 * currently do as we don't really track limits per UID contrary
2804 * to what we pretend in setrlimit(2). Until this is reworked,
2805 * we just check here that the number of processes for our new
2806 * real UID doesn't exceed this process' process number limit
2807 * (which is meant to be associated with the current real UID).
2808 */
2809 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1,
2810 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0);
2811
2812 if (!proccnt_changed) {
2813 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0)
2814 return (false);
2815 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2816 }
2817 }
2818
2819 mtx_lock(&oldcred->cr_mtx);
2820 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2821 __func__, oldcred->cr_users, oldcred));
2822 oldcred->cr_users--;
2823 mtx_unlock(&oldcred->cr_mtx);
2824 mtx_lock(&newcred->cr_mtx);
2825 newcred->cr_users++;
2826 mtx_unlock(&newcred->cr_mtx);
2827 p->p_ucred = newcred;
2828 PROC_UPDATE_COW(p);
2829 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo)
2830 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0);
2831 return (true);
2832 }
2833
2834 void
proc_set_cred(struct proc * p,struct ucred * newcred)2835 proc_set_cred(struct proc *p, struct ucred *newcred)
2836 {
2837 bool success __diagused = _proc_set_cred(p, newcred, false);
2838
2839 MPASS(success);
2840 }
2841
2842 bool
proc_set_cred_enforce_proc_lim(struct proc * p,struct ucred * newcred)2843 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred)
2844 {
2845 return (_proc_set_cred(p, newcred, true));
2846 }
2847
2848 void
proc_unset_cred(struct proc * p,bool decrement_proc_count)2849 proc_unset_cred(struct proc *p, bool decrement_proc_count)
2850 {
2851 struct ucred *cr;
2852
2853 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
2854 cr = p->p_ucred;
2855 p->p_ucred = NULL;
2856 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2857 __func__, cr->cr_users, cr));
2858 mtx_lock(&cr->cr_mtx);
2859 cr->cr_users--;
2860 if (cr->cr_users == 0)
2861 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2862 __func__, cr->cr_ref, cr));
2863 mtx_unlock(&cr->cr_mtx);
2864 if (decrement_proc_count)
2865 (void)chgproccnt(cr->cr_ruidinfo, -1, 0);
2866 crfree(cr);
2867 }
2868
2869 struct ucred *
crcopysafe(struct proc * p,struct ucred * cr)2870 crcopysafe(struct proc *p, struct ucred *cr)
2871 {
2872 struct ucred *oldcred;
2873 int groups;
2874
2875 PROC_LOCK_ASSERT(p, MA_OWNED);
2876
2877 oldcred = p->p_ucred;
2878 while (cr->cr_agroups < oldcred->cr_ngroups) {
2879 groups = oldcred->cr_ngroups;
2880 PROC_UNLOCK(p);
2881 crextend(cr, groups);
2882 PROC_LOCK(p);
2883 oldcred = p->p_ucred;
2884 }
2885 crcopy(cr, oldcred);
2886
2887 return (oldcred);
2888 }
2889
2890 /*
2891 * Extend the passed-in credentials to hold n groups.
2892 *
2893 * Must not be called after groups have been set.
2894 */
2895 void
crextend(struct ucred * cr,int n)2896 crextend(struct ucred *cr, int n)
2897 {
2898 size_t nbytes;
2899
2900 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2901 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0,
2902 "groups on 'cr' already set!");
2903 groups_check_positive_len(n);
2904 groups_check_max_len(n);
2905
2906 if (n <= cr->cr_agroups)
2907 return;
2908
2909 nbytes = n * sizeof(gid_t);
2910 if (nbytes < n)
2911 panic("Too many groups (memory size overflow)! "
2912 "Computation of 'kern.ngroups' should have prevented this, "
2913 "please fix it. In the meantime, reduce 'kern.ngroups'.");
2914
2915 /*
2916 * We allocate a power of 2 larger than 'nbytes', except when that
2917 * exceeds PAGE_SIZE, in which case we allocate the right multiple of
2918 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2()
2919 * below) but do not need to for sizeof(gid_t).
2920 */
2921 if (nbytes < PAGE_SIZE) {
2922 if (!powerof2(nbytes))
2923 /* fls*() return a bit index starting at 1. */
2924 nbytes = 1 << flsl(nbytes);
2925 } else
2926 nbytes = roundup2(nbytes, PAGE_SIZE);
2927
2928 /* Free the old array. */
2929 if (cr->cr_groups != cr->cr_smallgroups)
2930 free(cr->cr_groups, M_CRED);
2931
2932 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO);
2933 cr->cr_agroups = nbytes / sizeof(gid_t);
2934 }
2935
2936 /*
2937 * Normalizes a set of groups to be applied to a 'struct ucred'.
2938 *
2939 * Normalization ensures that the supplementary groups are sorted in ascending
2940 * order and do not contain duplicates. This allows group_is_supplementary() to
2941 * do a binary search.
2942 */
2943 static void
groups_normalize(int * ngrp,gid_t * groups)2944 groups_normalize(int *ngrp, gid_t *groups)
2945 {
2946 gid_t prev_g;
2947 int ins_idx;
2948
2949 groups_check_positive_len(*ngrp);
2950 groups_check_max_len(*ngrp);
2951
2952 if (*ngrp <= 1)
2953 return;
2954
2955 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp);
2956
2957 /* Remove duplicates. */
2958 prev_g = groups[0];
2959 ins_idx = 1;
2960 for (int i = ins_idx; i < *ngrp; ++i) {
2961 const gid_t g = groups[i];
2962
2963 if (g != prev_g) {
2964 if (i != ins_idx)
2965 groups[ins_idx] = g;
2966 ++ins_idx;
2967 prev_g = g;
2968 }
2969 }
2970 *ngrp = ins_idx;
2971
2972 groups_check_normalized(*ngrp, groups);
2973 }
2974
2975 /*
2976 * Internal function copying groups into a credential.
2977 *
2978 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have
2979 * been normalized in advance (see groups_normalize()), else it must be so
2980 * before the structure is to be used again.
2981 *
2982 * This function is suitable to be used under any lock (it doesn't take any lock
2983 * itself nor sleep, and in particular doesn't allocate memory). crextend()
2984 * must have been called beforehand to ensure sufficient space is available.
2985 * See also crsetgroups(), which handles that.
2986 */
2987 static void
crsetgroups_internal(struct ucred * cr,int ngrp,const gid_t * groups)2988 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups)
2989 {
2990
2991 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2992 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small");
2993 groups_check_positive_len(ngrp);
2994
2995 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t));
2996 cr->cr_ngroups = ngrp;
2997 cr->cr_flags |= CRED_FLAG_GROUPSET;
2998 }
2999
3000 /*
3001 * Copy groups in to a credential after expanding it if required.
3002 *
3003 * May sleep in order to allocate memory (except if, e.g., crextend() was called
3004 * before with 'ngrp' or greater). Truncates the list to 'ngroups_max' if
3005 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be
3006 * positive.
3007 */
3008 void
crsetgroups(struct ucred * cr,int ngrp,const gid_t * groups)3009 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups)
3010 {
3011
3012 if (ngrp > ngroups_max)
3013 ngrp = ngroups_max;
3014 cr->cr_ngroups = 0;
3015 if (ngrp == 0) {
3016 cr->cr_flags |= CRED_FLAG_GROUPSET;
3017 return;
3018 }
3019
3020 /*
3021 * crextend() asserts that groups are not set, as it may allocate a new
3022 * backing storage without copying the content of the old one. Since we
3023 * are going to install a completely new set anyway, signal that we
3024 * consider the old ones thrown away.
3025 */
3026 cr->cr_flags &= ~CRED_FLAG_GROUPSET;
3027
3028 crextend(cr, ngrp);
3029 crsetgroups_internal(cr, ngrp, groups);
3030 groups_normalize(&cr->cr_ngroups, cr->cr_groups);
3031 }
3032
3033 /*
3034 * Same as crsetgroups() but sets the effective GID as well.
3035 *
3036 * This function ensures that an effective GID is always present in credentials.
3037 * An empty array will only set the effective GID to 'default_egid', while
3038 * a non-empty array will peel off groups[0] to set as the effective GID and use
3039 * the remainder, if any, as supplementary groups.
3040 */
3041 void
crsetgroups_and_egid(struct ucred * cr,int ngrp,const gid_t * groups,const gid_t default_egid)3042 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups,
3043 const gid_t default_egid)
3044 {
3045 if (ngrp == 0) {
3046 cr->cr_gid = default_egid;
3047 cr->cr_ngroups = 0;
3048 cr->cr_flags |= CRED_FLAG_GROUPSET;
3049 return;
3050 }
3051
3052 crsetgroups(cr, ngrp - 1, groups + 1);
3053 cr->cr_gid = groups[0];
3054 }
3055
3056 /*
3057 * Get login name, if available.
3058 */
3059 #ifndef _SYS_SYSPROTO_H_
3060 struct getlogin_args {
3061 char *namebuf;
3062 u_int namelen;
3063 };
3064 #endif
3065 /* ARGSUSED */
3066 int
sys_getlogin(struct thread * td,struct getlogin_args * uap)3067 sys_getlogin(struct thread *td, struct getlogin_args *uap)
3068 {
3069 char login[MAXLOGNAME];
3070 struct proc *p = td->td_proc;
3071 size_t len;
3072
3073 if (uap->namelen > MAXLOGNAME)
3074 uap->namelen = MAXLOGNAME;
3075 PROC_LOCK(p);
3076 SESS_LOCK(p->p_session);
3077 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
3078 SESS_UNLOCK(p->p_session);
3079 PROC_UNLOCK(p);
3080 if (len > uap->namelen)
3081 return (ERANGE);
3082 return (copyout(login, uap->namebuf, len));
3083 }
3084
3085 /*
3086 * Set login name.
3087 */
3088 #ifndef _SYS_SYSPROTO_H_
3089 struct setlogin_args {
3090 char *namebuf;
3091 };
3092 #endif
3093 /* ARGSUSED */
3094 int
sys_setlogin(struct thread * td,struct setlogin_args * uap)3095 sys_setlogin(struct thread *td, struct setlogin_args *uap)
3096 {
3097 struct proc *p = td->td_proc;
3098 int error;
3099 char logintmp[MAXLOGNAME];
3100
3101 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
3102
3103 error = priv_check(td, PRIV_PROC_SETLOGIN);
3104 if (error)
3105 return (error);
3106 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
3107 if (error != 0) {
3108 if (error == ENAMETOOLONG)
3109 error = EINVAL;
3110 return (error);
3111 }
3112 AUDIT_ARG_LOGIN(logintmp);
3113 PROC_LOCK(p);
3114 SESS_LOCK(p->p_session);
3115 strcpy(p->p_session->s_login, logintmp);
3116 SESS_UNLOCK(p->p_session);
3117 PROC_UNLOCK(p);
3118 return (0);
3119 }
3120
3121 void
setsugid(struct proc * p)3122 setsugid(struct proc *p)
3123 {
3124
3125 PROC_LOCK_ASSERT(p, MA_OWNED);
3126 p->p_flag |= P_SUGID;
3127 }
3128
3129 /*-
3130 * Change a process's effective uid.
3131 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
3132 * References: newcred must be an exclusive credential reference for the
3133 * duration of the call.
3134 */
3135 void
change_euid(struct ucred * newcred,struct uidinfo * euip)3136 change_euid(struct ucred *newcred, struct uidinfo *euip)
3137 {
3138
3139 newcred->cr_uid = euip->ui_uid;
3140 uihold(euip);
3141 uifree(newcred->cr_uidinfo);
3142 newcred->cr_uidinfo = euip;
3143 }
3144
3145 /*-
3146 * Change a process's effective gid.
3147 * Side effects: newcred->cr_gid will be modified.
3148 * References: newcred must be an exclusive credential reference for the
3149 * duration of the call.
3150 */
3151 void
change_egid(struct ucred * newcred,gid_t egid)3152 change_egid(struct ucred *newcred, gid_t egid)
3153 {
3154
3155 newcred->cr_gid = egid;
3156 }
3157
3158 /*-
3159 * Change a process's real uid.
3160 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
3161 * will be updated.
3162 * References: newcred must be an exclusive credential reference for the
3163 * duration of the call.
3164 */
3165 void
change_ruid(struct ucred * newcred,struct uidinfo * ruip)3166 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
3167 {
3168
3169 newcred->cr_ruid = ruip->ui_uid;
3170 uihold(ruip);
3171 uifree(newcred->cr_ruidinfo);
3172 newcred->cr_ruidinfo = ruip;
3173 }
3174
3175 /*-
3176 * Change a process's real gid.
3177 * Side effects: newcred->cr_rgid will be updated.
3178 * References: newcred must be an exclusive credential reference for the
3179 * duration of the call.
3180 */
3181 void
change_rgid(struct ucred * newcred,gid_t rgid)3182 change_rgid(struct ucred *newcred, gid_t rgid)
3183 {
3184
3185 newcred->cr_rgid = rgid;
3186 }
3187
3188 /*-
3189 * Change a process's saved uid.
3190 * Side effects: newcred->cr_svuid will be updated.
3191 * References: newcred must be an exclusive credential reference for the
3192 * duration of the call.
3193 */
3194 void
change_svuid(struct ucred * newcred,uid_t svuid)3195 change_svuid(struct ucred *newcred, uid_t svuid)
3196 {
3197
3198 newcred->cr_svuid = svuid;
3199 }
3200
3201 /*-
3202 * Change a process's saved gid.
3203 * Side effects: newcred->cr_svgid will be updated.
3204 * References: newcred must be an exclusive credential reference for the
3205 * duration of the call.
3206 */
3207 void
change_svgid(struct ucred * newcred,gid_t svgid)3208 change_svgid(struct ucred *newcred, gid_t svgid)
3209 {
3210
3211 newcred->cr_svgid = svgid;
3212 }
3213
3214 bool allow_ptrace = true;
3215 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
3216 &allow_ptrace, 0,
3217 "Deny ptrace(2) use by returning ENOSYS");
3218