19454b2d8SWarner Losh /*- 2df8bae1dSRodney W. Grimes * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3ef08c420SRobert Watson * The Regents of the University of California. 4df8bae1dSRodney W. Grimes * (c) UNIX System Laboratories, Inc. 5ef08c420SRobert Watson * Copyright (c) 2000-2001 Robert N. M. Watson. 6ef08c420SRobert Watson * All rights reserved. 7ef08c420SRobert Watson * 8df8bae1dSRodney W. Grimes * All or some portions of this file are derived from material licensed 9df8bae1dSRodney W. Grimes * to the University of California by American Telephone and Telegraph 10df8bae1dSRodney W. Grimes * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11df8bae1dSRodney W. Grimes * the permission of UNIX System Laboratories, Inc. 12df8bae1dSRodney W. Grimes * 13df8bae1dSRodney W. Grimes * Redistribution and use in source and binary forms, with or without 14df8bae1dSRodney W. Grimes * modification, are permitted provided that the following conditions 15df8bae1dSRodney W. Grimes * are met: 16df8bae1dSRodney W. Grimes * 1. Redistributions of source code must retain the above copyright 17df8bae1dSRodney W. Grimes * notice, this list of conditions and the following disclaimer. 18df8bae1dSRodney W. Grimes * 2. Redistributions in binary form must reproduce the above copyright 19df8bae1dSRodney W. Grimes * notice, this list of conditions and the following disclaimer in the 20df8bae1dSRodney W. Grimes * documentation and/or other materials provided with the distribution. 21df8bae1dSRodney W. Grimes * 4. Neither the name of the University nor the names of its contributors 22df8bae1dSRodney W. Grimes * may be used to endorse or promote products derived from this software 23df8bae1dSRodney W. Grimes * without specific prior written permission. 24df8bae1dSRodney W. Grimes * 25df8bae1dSRodney W. Grimes * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26df8bae1dSRodney W. Grimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27df8bae1dSRodney W. Grimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28df8bae1dSRodney W. Grimes * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29df8bae1dSRodney W. Grimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30df8bae1dSRodney W. Grimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31df8bae1dSRodney W. Grimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32df8bae1dSRodney W. Grimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33df8bae1dSRodney W. Grimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34df8bae1dSRodney W. Grimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35df8bae1dSRodney W. Grimes * SUCH DAMAGE. 36df8bae1dSRodney W. Grimes * 37df8bae1dSRodney W. Grimes * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38df8bae1dSRodney W. Grimes */ 39df8bae1dSRodney W. Grimes 40df8bae1dSRodney W. Grimes /* 41df8bae1dSRodney W. Grimes * System calls related to processes and protection 42df8bae1dSRodney W. Grimes */ 43df8bae1dSRodney W. Grimes 44677b542eSDavid E. O'Brien #include <sys/cdefs.h> 45677b542eSDavid E. O'Brien __FBSDID("$FreeBSD$"); 46677b542eSDavid E. O'Brien 475591b823SEivind Eklund #include "opt_compat.h" 48f08ef6c5SBjoern A. Zeeb #include "opt_inet.h" 49f08ef6c5SBjoern A. Zeeb #include "opt_inet6.h" 505591b823SEivind Eklund 51df8bae1dSRodney W. Grimes #include <sys/param.h> 52df8bae1dSRodney W. Grimes #include <sys/systm.h> 53fb919e4dSMark Murray #include <sys/acct.h> 54df04411aSRobert Watson #include <sys/kdb.h> 551c5bb3eaSPeter Wemm #include <sys/kernel.h> 5698f03f90SJake Burkholder #include <sys/lock.h> 572bfc50bcSEdward Tomasz Napierala #include <sys/loginclass.h> 58f9d0d524SRobert Watson #include <sys/malloc.h> 59fb919e4dSMark Murray #include <sys/mutex.h> 607e9e371fSJohn Baldwin #include <sys/refcount.h> 615b29d6e9SJohn Baldwin #include <sys/sx.h> 62800c9408SRobert Watson #include <sys/priv.h> 63f591779bSSeigo Tanimura #include <sys/proc.h> 64fb919e4dSMark Murray #include <sys/sysproto.h> 65eb725b4eSRobert Watson #include <sys/jail.h> 66d5f81602SSean Eric Fagan #include <sys/pioctl.h> 67e4dcb704SEdward Tomasz Napierala #include <sys/racct.h> 68f535380cSDon Lewis #include <sys/resourcevar.h> 6929dc1288SRobert Watson #include <sys/socket.h> 7029dc1288SRobert Watson #include <sys/socketvar.h> 713cb83e71SJohn Baldwin #include <sys/syscallsubr.h> 72579f4eb4SRobert Watson #include <sys/sysctl.h> 73df8bae1dSRodney W. Grimes 74de5b1952SAlexander Leidinger #ifdef REGRESSION 75de5b1952SAlexander Leidinger FEATURE(regression, 76ca54e1aeSHiroki Sato "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 77de5b1952SAlexander Leidinger #endif 78de5b1952SAlexander Leidinger 792f8a46d5SWayne Salamon #include <security/audit/audit.h> 80aed55708SRobert Watson #include <security/mac/mac_framework.h> 812f8a46d5SWayne Salamon 82a1c995b6SPoul-Henning Kamp static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 83a1c995b6SPoul-Henning Kamp 845702e096SRobert Watson SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 8548713bdcSRobert Watson 86838d9858SBrooks Davis static void crsetgroups_locked(struct ucred *cr, int ngrp, 87838d9858SBrooks Davis gid_t *groups); 88838d9858SBrooks Davis 89d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 90ad7507e2SSteven Wallace struct getpid_args { 91df8bae1dSRodney W. Grimes int dummy; 92df8bae1dSRodney W. Grimes }; 93d2d3e875SBruce Evans #endif 94df8bae1dSRodney W. Grimes /* ARGSUSED */ 9526f9a767SRodney W. Grimes int 968451d0ddSKip Macy sys_getpid(struct thread *td, struct getpid_args *uap) 97df8bae1dSRodney W. Grimes { 98b40ce416SJulian Elischer struct proc *p = td->td_proc; 99df8bae1dSRodney W. Grimes 100b40ce416SJulian Elischer td->td_retval[0] = p->p_pid; 1011930e303SPoul-Henning Kamp #if defined(COMPAT_43) 102abd386baSMateusz Guzik td->td_retval[1] = kern_getppid(td); 103df8bae1dSRodney W. Grimes #endif 104df8bae1dSRodney W. Grimes return (0); 105df8bae1dSRodney W. Grimes } 106df8bae1dSRodney W. Grimes 107d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 108ad7507e2SSteven Wallace struct getppid_args { 109ad7507e2SSteven Wallace int dummy; 110ad7507e2SSteven Wallace }; 111d2d3e875SBruce Evans #endif 112df8bae1dSRodney W. Grimes /* ARGSUSED */ 11326f9a767SRodney W. Grimes int 1148451d0ddSKip Macy sys_getppid(struct thread *td, struct getppid_args *uap) 115df8bae1dSRodney W. Grimes { 116abd386baSMateusz Guzik 117abd386baSMateusz Guzik td->td_retval[0] = kern_getppid(td); 118abd386baSMateusz Guzik return (0); 119abd386baSMateusz Guzik } 120abd386baSMateusz Guzik 121abd386baSMateusz Guzik int 122abd386baSMateusz Guzik kern_getppid(struct thread *td) 123abd386baSMateusz Guzik { 124b40ce416SJulian Elischer struct proc *p = td->td_proc; 125abd386baSMateusz Guzik struct proc *pp; 126abd386baSMateusz Guzik int ppid; 127df8bae1dSRodney W. Grimes 128bae3a80bSJohn Baldwin PROC_LOCK(p); 129abd386baSMateusz Guzik if (!(p->p_flag & P_TRACED)) { 130abd386baSMateusz Guzik ppid = p->p_pptr->p_pid; 131bae3a80bSJohn Baldwin PROC_UNLOCK(p); 132abd386baSMateusz Guzik } else { 133abd386baSMateusz Guzik PROC_UNLOCK(p); 134abd386baSMateusz Guzik sx_slock(&proctree_lock); 135abd386baSMateusz Guzik pp = proc_realparent(p); 136abd386baSMateusz Guzik ppid = pp->p_pid; 137abd386baSMateusz Guzik sx_sunlock(&proctree_lock); 138abd386baSMateusz Guzik } 139abd386baSMateusz Guzik 140abd386baSMateusz Guzik return (ppid); 141df8bae1dSRodney W. Grimes } 142df8bae1dSRodney W. Grimes 14336e9f877SMatthew Dillon /* 144eb725b4eSRobert Watson * Get process group ID; note that POSIX getpgrp takes no parameter. 14536e9f877SMatthew Dillon */ 146d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 147ad7507e2SSteven Wallace struct getpgrp_args { 148ad7507e2SSteven Wallace int dummy; 149ad7507e2SSteven Wallace }; 150d2d3e875SBruce Evans #endif 15126f9a767SRodney W. Grimes int 1528451d0ddSKip Macy sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 153df8bae1dSRodney W. Grimes { 154b40ce416SJulian Elischer struct proc *p = td->td_proc; 155df8bae1dSRodney W. Grimes 156f591779bSSeigo Tanimura PROC_LOCK(p); 157b40ce416SJulian Elischer td->td_retval[0] = p->p_pgrp->pg_id; 158f591779bSSeigo Tanimura PROC_UNLOCK(p); 159df8bae1dSRodney W. Grimes return (0); 160df8bae1dSRodney W. Grimes } 161df8bae1dSRodney W. Grimes 162e3043798SPedro F. Giffuni /* Get an arbitrary pid's process group id */ 1631a5018a0SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1641a5018a0SPeter Wemm struct getpgid_args { 1651a5018a0SPeter Wemm pid_t pid; 1661a5018a0SPeter Wemm }; 1671a5018a0SPeter Wemm #endif 1681a5018a0SPeter Wemm int 1698451d0ddSKip Macy sys_getpgid(struct thread *td, struct getpgid_args *uap) 1701a5018a0SPeter Wemm { 171a70a2b74SJohn Baldwin struct proc *p; 172f2ae7368SJohn Baldwin int error; 17365de0c7aSDon Lewis 174f591779bSSeigo Tanimura if (uap->pid == 0) { 175a70a2b74SJohn Baldwin p = td->td_proc; 176f591779bSSeigo Tanimura PROC_LOCK(p); 177a70a2b74SJohn Baldwin } else { 178a70a2b74SJohn Baldwin p = pfind(uap->pid); 179a70a2b74SJohn Baldwin if (p == NULL) 180a70a2b74SJohn Baldwin return (ESRCH); 181a70a2b74SJohn Baldwin error = p_cansee(td, p); 182a70a2b74SJohn Baldwin if (error) { 183a70a2b74SJohn Baldwin PROC_UNLOCK(p); 184a70a2b74SJohn Baldwin return (error); 185a70a2b74SJohn Baldwin } 186a70a2b74SJohn Baldwin } 187b40ce416SJulian Elischer td->td_retval[0] = p->p_pgrp->pg_id; 188f591779bSSeigo Tanimura PROC_UNLOCK(p); 189a70a2b74SJohn Baldwin return (0); 1901a5018a0SPeter Wemm } 1911a5018a0SPeter Wemm 1921a5018a0SPeter Wemm /* 193e3043798SPedro F. Giffuni * Get an arbitrary pid's session id. 1941a5018a0SPeter Wemm */ 1951a5018a0SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1961a5018a0SPeter Wemm struct getsid_args { 1971a5018a0SPeter Wemm pid_t pid; 1981a5018a0SPeter Wemm }; 1991a5018a0SPeter Wemm #endif 2001a5018a0SPeter Wemm int 2018451d0ddSKip Macy sys_getsid(struct thread *td, struct getsid_args *uap) 2021a5018a0SPeter Wemm { 203a70a2b74SJohn Baldwin struct proc *p; 204eb725b4eSRobert Watson int error; 20565de0c7aSDon Lewis 206f591779bSSeigo Tanimura if (uap->pid == 0) { 207a70a2b74SJohn Baldwin p = td->td_proc; 208f591779bSSeigo Tanimura PROC_LOCK(p); 209a70a2b74SJohn Baldwin } else { 210a70a2b74SJohn Baldwin p = pfind(uap->pid); 211a70a2b74SJohn Baldwin if (p == NULL) 212a70a2b74SJohn Baldwin return (ESRCH); 213a70a2b74SJohn Baldwin error = p_cansee(td, p); 214a70a2b74SJohn Baldwin if (error) { 215a70a2b74SJohn Baldwin PROC_UNLOCK(p); 216a70a2b74SJohn Baldwin return (error); 217a70a2b74SJohn Baldwin } 218a70a2b74SJohn Baldwin } 219b40ce416SJulian Elischer td->td_retval[0] = p->p_session->s_sid; 220f591779bSSeigo Tanimura PROC_UNLOCK(p); 221a70a2b74SJohn Baldwin return (0); 2221a5018a0SPeter Wemm } 2231a5018a0SPeter Wemm 224d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 225ad7507e2SSteven Wallace struct getuid_args { 226ad7507e2SSteven Wallace int dummy; 227ad7507e2SSteven Wallace }; 228d2d3e875SBruce Evans #endif 229df8bae1dSRodney W. Grimes /* ARGSUSED */ 23026f9a767SRodney W. Grimes int 2318451d0ddSKip Macy sys_getuid(struct thread *td, struct getuid_args *uap) 232df8bae1dSRodney W. Grimes { 233df8bae1dSRodney W. Grimes 234d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_ruid; 2351930e303SPoul-Henning Kamp #if defined(COMPAT_43) 236d846883bSJohn Baldwin td->td_retval[1] = td->td_ucred->cr_uid; 237df8bae1dSRodney W. Grimes #endif 238df8bae1dSRodney W. Grimes return (0); 239df8bae1dSRodney W. Grimes } 240df8bae1dSRodney W. Grimes 241d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 242ad7507e2SSteven Wallace struct geteuid_args { 243ad7507e2SSteven Wallace int dummy; 244ad7507e2SSteven Wallace }; 245d2d3e875SBruce Evans #endif 246df8bae1dSRodney W. Grimes /* ARGSUSED */ 24726f9a767SRodney W. Grimes int 2488451d0ddSKip Macy sys_geteuid(struct thread *td, struct geteuid_args *uap) 249df8bae1dSRodney W. Grimes { 250d846883bSJohn Baldwin 251d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_uid; 252df8bae1dSRodney W. Grimes return (0); 253df8bae1dSRodney W. Grimes } 254df8bae1dSRodney W. Grimes 255d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 256ad7507e2SSteven Wallace struct getgid_args { 257ad7507e2SSteven Wallace int dummy; 258ad7507e2SSteven Wallace }; 259d2d3e875SBruce Evans #endif 260df8bae1dSRodney W. Grimes /* ARGSUSED */ 26126f9a767SRodney W. Grimes int 2628451d0ddSKip Macy sys_getgid(struct thread *td, struct getgid_args *uap) 263df8bae1dSRodney W. Grimes { 264df8bae1dSRodney W. Grimes 265d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_rgid; 2661930e303SPoul-Henning Kamp #if defined(COMPAT_43) 267d846883bSJohn Baldwin td->td_retval[1] = td->td_ucred->cr_groups[0]; 268df8bae1dSRodney W. Grimes #endif 269df8bae1dSRodney W. Grimes return (0); 270df8bae1dSRodney W. Grimes } 271df8bae1dSRodney W. Grimes 272df8bae1dSRodney W. Grimes /* 273df8bae1dSRodney W. Grimes * Get effective group ID. The "egid" is groups[0], and could be obtained 274df8bae1dSRodney W. Grimes * via getgroups. This syscall exists because it is somewhat painful to do 275df8bae1dSRodney W. Grimes * correctly in a library function. 276df8bae1dSRodney W. Grimes */ 277d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 278ad7507e2SSteven Wallace struct getegid_args { 279ad7507e2SSteven Wallace int dummy; 280ad7507e2SSteven Wallace }; 281d2d3e875SBruce Evans #endif 282df8bae1dSRodney W. Grimes /* ARGSUSED */ 28326f9a767SRodney W. Grimes int 2848451d0ddSKip Macy sys_getegid(struct thread *td, struct getegid_args *uap) 285df8bae1dSRodney W. Grimes { 286df8bae1dSRodney W. Grimes 287d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_groups[0]; 288df8bae1dSRodney W. Grimes return (0); 289df8bae1dSRodney W. Grimes } 290df8bae1dSRodney W. Grimes 291d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 292df8bae1dSRodney W. Grimes struct getgroups_args { 293df8bae1dSRodney W. Grimes u_int gidsetsize; 294df8bae1dSRodney W. Grimes gid_t *gidset; 295df8bae1dSRodney W. Grimes }; 296d2d3e875SBruce Evans #endif 29726f9a767SRodney W. Grimes int 2988451d0ddSKip Macy sys_getgroups(struct thread *td, register struct getgroups_args *uap) 299df8bae1dSRodney W. Grimes { 30007b384cbSMateusz Guzik struct ucred *cred; 301b1fc0ec1SRobert Watson u_int ngrp; 302eb725b4eSRobert Watson int error; 303df8bae1dSRodney W. Grimes 3043cb83e71SJohn Baldwin cred = td->td_ucred; 30507b384cbSMateusz Guzik ngrp = cred->cr_ngroups; 30607b384cbSMateusz Guzik 30707b384cbSMateusz Guzik if (uap->gidsetsize == 0) { 30807b384cbSMateusz Guzik error = 0; 30907b384cbSMateusz Guzik goto out; 3103cb83e71SJohn Baldwin } 31107b384cbSMateusz Guzik if (uap->gidsetsize < ngrp) 3123cb83e71SJohn Baldwin return (EINVAL); 31307b384cbSMateusz Guzik 31407b384cbSMateusz Guzik error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 31507b384cbSMateusz Guzik out: 31607b384cbSMateusz Guzik td->td_retval[0] = ngrp; 31707b384cbSMateusz Guzik return (error); 3183cb83e71SJohn Baldwin } 3193cb83e71SJohn Baldwin 320d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 32182970b81SBruce Evans struct setsid_args { 322ad7507e2SSteven Wallace int dummy; 323ad7507e2SSteven Wallace }; 324d2d3e875SBruce Evans #endif 325df8bae1dSRodney W. Grimes /* ARGSUSED */ 32626f9a767SRodney W. Grimes int 3278451d0ddSKip Macy sys_setsid(register struct thread *td, struct setsid_args *uap) 328df8bae1dSRodney W. Grimes { 329f591779bSSeigo Tanimura struct pgrp *pgrp; 330835a82eeSMatthew Dillon int error; 331b40ce416SJulian Elischer struct proc *p = td->td_proc; 332f591779bSSeigo Tanimura struct pgrp *newpgrp; 333f591779bSSeigo Tanimura struct session *newsess; 334f591779bSSeigo Tanimura 335f591779bSSeigo Tanimura error = 0; 336f591779bSSeigo Tanimura pgrp = NULL; 337df8bae1dSRodney W. Grimes 3381ede983cSDag-Erling Smørgrav newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 3391ede983cSDag-Erling Smørgrav newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 340f591779bSSeigo Tanimura 341c8b1829dSJohn Baldwin sx_xlock(&proctree_lock); 342f591779bSSeigo Tanimura 343f591779bSSeigo Tanimura if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 344f591779bSSeigo Tanimura if (pgrp != NULL) 345f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 346835a82eeSMatthew Dillon error = EPERM; 347f591779bSSeigo Tanimura } else { 348f591779bSSeigo Tanimura (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 349b40ce416SJulian Elischer td->td_retval[0] = p->p_pid; 350c8b1829dSJohn Baldwin newpgrp = NULL; 351c8b1829dSJohn Baldwin newsess = NULL; 352df8bae1dSRodney W. Grimes } 353f591779bSSeigo Tanimura 354c8b1829dSJohn Baldwin sx_xunlock(&proctree_lock); 355f591779bSSeigo Tanimura 356c8b1829dSJohn Baldwin if (newpgrp != NULL) 3571ede983cSDag-Erling Smørgrav free(newpgrp, M_PGRP); 358c8b1829dSJohn Baldwin if (newsess != NULL) 3591ede983cSDag-Erling Smørgrav free(newsess, M_SESSION); 3601c2451c2SSeigo Tanimura 361c8b1829dSJohn Baldwin return (error); 362df8bae1dSRodney W. Grimes } 363df8bae1dSRodney W. Grimes 364df8bae1dSRodney W. Grimes /* 365df8bae1dSRodney W. Grimes * set process group (setpgid/old setpgrp) 366df8bae1dSRodney W. Grimes * 367df8bae1dSRodney W. Grimes * caller does setpgid(targpid, targpgid) 368df8bae1dSRodney W. Grimes * 369df8bae1dSRodney W. Grimes * pid must be caller or child of caller (ESRCH) 370df8bae1dSRodney W. Grimes * if a child 371df8bae1dSRodney W. Grimes * pid must be in same session (EPERM) 372df8bae1dSRodney W. Grimes * pid can't have done an exec (EACCES) 373df8bae1dSRodney W. Grimes * if pgid != pid 374df8bae1dSRodney W. Grimes * there must exist some pid in same session having pgid (EPERM) 375df8bae1dSRodney W. Grimes * pid must not be session leader (EPERM) 376df8bae1dSRodney W. Grimes */ 377d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 378df8bae1dSRodney W. Grimes struct setpgid_args { 379df8bae1dSRodney W. Grimes int pid; /* target process id */ 380df8bae1dSRodney W. Grimes int pgid; /* target pgrp id */ 381df8bae1dSRodney W. Grimes }; 382d2d3e875SBruce Evans #endif 383df8bae1dSRodney W. Grimes /* ARGSUSED */ 38426f9a767SRodney W. Grimes int 3858451d0ddSKip Macy sys_setpgid(struct thread *td, register struct setpgid_args *uap) 386df8bae1dSRodney W. Grimes { 387b40ce416SJulian Elischer struct proc *curp = td->td_proc; 388df8bae1dSRodney W. Grimes register struct proc *targp; /* target process */ 389df8bae1dSRodney W. Grimes register struct pgrp *pgrp; /* target pgrp */ 390eb9e5c1dSRobert Watson int error; 391f591779bSSeigo Tanimura struct pgrp *newpgrp; 392df8bae1dSRodney W. Grimes 39378f64bccSBruce Evans if (uap->pgid < 0) 39478f64bccSBruce Evans return (EINVAL); 395f591779bSSeigo Tanimura 396f591779bSSeigo Tanimura error = 0; 397f591779bSSeigo Tanimura 3981ede983cSDag-Erling Smørgrav newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 399f591779bSSeigo Tanimura 400c8b1829dSJohn Baldwin sx_xlock(&proctree_lock); 401df8bae1dSRodney W. Grimes if (uap->pid != 0 && uap->pid != curp->p_pid) { 402f591779bSSeigo Tanimura if ((targp = pfind(uap->pid)) == NULL) { 403835a82eeSMatthew Dillon error = ESRCH; 404c8b1829dSJohn Baldwin goto done; 40533a9ed9dSJohn Baldwin } 406f591779bSSeigo Tanimura if (!inferior(targp)) { 407f591779bSSeigo Tanimura PROC_UNLOCK(targp); 4082f932587SSeigo Tanimura error = ESRCH; 409c8b1829dSJohn Baldwin goto done; 410f591779bSSeigo Tanimura } 41171a057bcSRobert Watson if ((error = p_cansee(td, targp))) { 41233a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 413c8b1829dSJohn Baldwin goto done; 41433a9ed9dSJohn Baldwin } 41533a9ed9dSJohn Baldwin if (targp->p_pgrp == NULL || 41633a9ed9dSJohn Baldwin targp->p_session != curp->p_session) { 41733a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 418835a82eeSMatthew Dillon error = EPERM; 419c8b1829dSJohn Baldwin goto done; 42033a9ed9dSJohn Baldwin } 42133a9ed9dSJohn Baldwin if (targp->p_flag & P_EXEC) { 42233a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 423835a82eeSMatthew Dillon error = EACCES; 424c8b1829dSJohn Baldwin goto done; 42533a9ed9dSJohn Baldwin } 42633a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 427f591779bSSeigo Tanimura } else 428f591779bSSeigo Tanimura targp = curp; 429f591779bSSeigo Tanimura if (SESS_LEADER(targp)) { 430835a82eeSMatthew Dillon error = EPERM; 431c8b1829dSJohn Baldwin goto done; 43233a9ed9dSJohn Baldwin } 433eb725b4eSRobert Watson if (uap->pgid == 0) 434df8bae1dSRodney W. Grimes uap->pgid = targp->p_pid; 435a10d5f02SOlivier Houchard if ((pgrp = pgfind(uap->pgid)) == NULL) { 436f591779bSSeigo Tanimura if (uap->pgid == targp->p_pid) { 437a10d5f02SOlivier Houchard error = enterpgrp(targp, uap->pgid, newpgrp, 438a10d5f02SOlivier Houchard NULL); 439f591779bSSeigo Tanimura if (error == 0) 440f591779bSSeigo Tanimura newpgrp = NULL; 441a10d5f02SOlivier Houchard } else 442835a82eeSMatthew Dillon error = EPERM; 443a10d5f02SOlivier Houchard } else { 444f591779bSSeigo Tanimura if (pgrp == targp->p_pgrp) { 445f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 446f591779bSSeigo Tanimura goto done; 44733a9ed9dSJohn Baldwin } 448a10d5f02SOlivier Houchard if (pgrp->pg_id != targp->p_pid && 449a10d5f02SOlivier Houchard pgrp->pg_session != curp->p_session) { 450a10d5f02SOlivier Houchard PGRP_UNLOCK(pgrp); 451a10d5f02SOlivier Houchard error = EPERM; 452a10d5f02SOlivier Houchard goto done; 453a10d5f02SOlivier Houchard } 454f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 455f591779bSSeigo Tanimura error = enterthispgrp(targp, pgrp); 456f591779bSSeigo Tanimura } 457f591779bSSeigo Tanimura done: 458c8b1829dSJohn Baldwin sx_xunlock(&proctree_lock); 459c8b1829dSJohn Baldwin KASSERT((error == 0) || (newpgrp != NULL), 460c8b1829dSJohn Baldwin ("setpgid failed and newpgrp is NULL")); 4616041fa0aSSeigo Tanimura if (newpgrp != NULL) 4621ede983cSDag-Erling Smørgrav free(newpgrp, M_PGRP); 463835a82eeSMatthew Dillon return (error); 464df8bae1dSRodney W. Grimes } 465df8bae1dSRodney W. Grimes 466a08f4bf6SPeter Wemm /* 467a08f4bf6SPeter Wemm * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 4682fa72ea7SJeroen Ruigrok van der Werven * compatible. It says that setting the uid/gid to euid/egid is a special 469a08f4bf6SPeter Wemm * case of "appropriate privilege". Once the rules are expanded out, this 470a08f4bf6SPeter Wemm * basically means that setuid(nnn) sets all three id's, in all permitted 471a08f4bf6SPeter Wemm * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 472a08f4bf6SPeter Wemm * does not set the saved id - this is dangerous for traditional BSD 473a08f4bf6SPeter Wemm * programs. For this reason, we *really* do not want to set 474a08f4bf6SPeter Wemm * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 475a08f4bf6SPeter Wemm */ 476a08f4bf6SPeter Wemm #define POSIX_APPENDIX_B_4_2_2 477a08f4bf6SPeter Wemm 478d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 479df8bae1dSRodney W. Grimes struct setuid_args { 480df8bae1dSRodney W. Grimes uid_t uid; 481df8bae1dSRodney W. Grimes }; 482d2d3e875SBruce Evans #endif 483df8bae1dSRodney W. Grimes /* ARGSUSED */ 48426f9a767SRodney W. Grimes int 4858451d0ddSKip Macy sys_setuid(struct thread *td, struct setuid_args *uap) 486df8bae1dSRodney W. Grimes { 487b40ce416SJulian Elischer struct proc *p = td->td_proc; 488b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 489b1fc0ec1SRobert Watson uid_t uid; 4901419eacbSAlfred Perlstein struct uidinfo *uip; 491eb725b4eSRobert Watson int error; 492df8bae1dSRodney W. Grimes 49307f3485dSJohn Baldwin uid = uap->uid; 49414961ba7SRobert Watson AUDIT_ARG_UID(uid); 49507f3485dSJohn Baldwin newcred = crget(); 4961419eacbSAlfred Perlstein uip = uifind(uid); 49707f3485dSJohn Baldwin PROC_LOCK(p); 498838d9858SBrooks Davis /* 499838d9858SBrooks Davis * Copy credentials so other references do not see our changes. 500838d9858SBrooks Davis */ 501838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 5025a92ee3cSRobert Watson 503030a28b3SRobert Watson #ifdef MAC 5046f6174a7SRobert Watson error = mac_cred_check_setuid(oldcred, uid); 505030a28b3SRobert Watson if (error) 506030a28b3SRobert Watson goto fail; 507030a28b3SRobert Watson #endif 508030a28b3SRobert Watson 509a08f4bf6SPeter Wemm /* 510a08f4bf6SPeter Wemm * See if we have "permission" by POSIX 1003.1 rules. 511a08f4bf6SPeter Wemm * 512a08f4bf6SPeter Wemm * Note that setuid(geteuid()) is a special case of 513a08f4bf6SPeter Wemm * "appropriate privileges" in appendix B.4.2.2. We need 5142fa72ea7SJeroen Ruigrok van der Werven * to use this clause to be compatible with traditional BSD 515a08f4bf6SPeter Wemm * semantics. Basically, it means that "setuid(xx)" sets all 516a08f4bf6SPeter Wemm * three id's (assuming you have privs). 517a08f4bf6SPeter Wemm * 518a08f4bf6SPeter Wemm * Notes on the logic. We do things in three steps. 519a08f4bf6SPeter Wemm * 1: We determine if the euid is going to change, and do EPERM 520a08f4bf6SPeter Wemm * right away. We unconditionally change the euid later if this 521a08f4bf6SPeter Wemm * test is satisfied, simplifying that part of the logic. 522eb725b4eSRobert Watson * 2: We determine if the real and/or saved uids are going to 523a08f4bf6SPeter Wemm * change. Determined by compile options. 524a08f4bf6SPeter Wemm * 3: Change euid last. (after tests in #2 for "appropriate privs") 525a08f4bf6SPeter Wemm */ 526b1fc0ec1SRobert Watson if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 5273f246666SAndrey A. Chernov #ifdef _POSIX_SAVED_IDS 528b1fc0ec1SRobert Watson uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 529a08f4bf6SPeter Wemm #endif 530a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 531b1fc0ec1SRobert Watson uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 5323f246666SAndrey A. Chernov #endif 53332f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 534030a28b3SRobert Watson goto fail; 535a08f4bf6SPeter Wemm 536a08f4bf6SPeter Wemm #ifdef _POSIX_SAVED_IDS 537df8bae1dSRodney W. Grimes /* 538a08f4bf6SPeter Wemm * Do we have "appropriate privileges" (are we root or uid == euid) 539a08f4bf6SPeter Wemm * If so, we are changing the real uid and/or saved uid. 540df8bae1dSRodney W. Grimes */ 5413f246666SAndrey A. Chernov if ( 542a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 543b1fc0ec1SRobert Watson uid == oldcred->cr_uid || 5443f246666SAndrey A. Chernov #endif 545800c9408SRobert Watson /* We are using privs. */ 54632f9753cSRobert Watson priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 547a08f4bf6SPeter Wemm #endif 548a08f4bf6SPeter Wemm { 549a08f4bf6SPeter Wemm /* 550f535380cSDon Lewis * Set the real uid and transfer proc count to new user. 551a08f4bf6SPeter Wemm */ 552b1fc0ec1SRobert Watson if (uid != oldcred->cr_ruid) { 5531419eacbSAlfred Perlstein change_ruid(newcred, uip); 554f535380cSDon Lewis setsugid(p); 555d3cdb93dSAndrey A. Chernov } 556a08f4bf6SPeter Wemm /* 557a08f4bf6SPeter Wemm * Set saved uid 558a08f4bf6SPeter Wemm * 559a08f4bf6SPeter Wemm * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 560a08f4bf6SPeter Wemm * the security of seteuid() depends on it. B.4.2.2 says it 561a08f4bf6SPeter Wemm * is important that we should do this. 562a08f4bf6SPeter Wemm */ 563b1fc0ec1SRobert Watson if (uid != oldcred->cr_svuid) { 564b1fc0ec1SRobert Watson change_svuid(newcred, uid); 565d5f81602SSean Eric Fagan setsugid(p); 566a08f4bf6SPeter Wemm } 567a08f4bf6SPeter Wemm } 568a08f4bf6SPeter Wemm 569a08f4bf6SPeter Wemm /* 570a08f4bf6SPeter Wemm * In all permitted cases, we are changing the euid. 571a08f4bf6SPeter Wemm */ 572b1fc0ec1SRobert Watson if (uid != oldcred->cr_uid) { 5731419eacbSAlfred Perlstein change_euid(newcred, uip); 574d5f81602SSean Eric Fagan setsugid(p); 575a08f4bf6SPeter Wemm } 576daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 57707f3485dSJohn Baldwin PROC_UNLOCK(p); 578e4dcb704SEdward Tomasz Napierala #ifdef RACCT 579e4dcb704SEdward Tomasz Napierala racct_proc_ucred_changed(p, oldcred, newcred); 580e4dcb704SEdward Tomasz Napierala #endif 5811419eacbSAlfred Perlstein uifree(uip); 582b1fc0ec1SRobert Watson crfree(oldcred); 58307f3485dSJohn Baldwin return (0); 584030a28b3SRobert Watson 585030a28b3SRobert Watson fail: 586030a28b3SRobert Watson PROC_UNLOCK(p); 587030a28b3SRobert Watson uifree(uip); 588030a28b3SRobert Watson crfree(newcred); 589030a28b3SRobert Watson return (error); 590df8bae1dSRodney W. Grimes } 591df8bae1dSRodney W. Grimes 592d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 593df8bae1dSRodney W. Grimes struct seteuid_args { 594df8bae1dSRodney W. Grimes uid_t euid; 595df8bae1dSRodney W. Grimes }; 596d2d3e875SBruce Evans #endif 597df8bae1dSRodney W. Grimes /* ARGSUSED */ 59826f9a767SRodney W. Grimes int 5998451d0ddSKip Macy sys_seteuid(struct thread *td, struct seteuid_args *uap) 600df8bae1dSRodney W. Grimes { 601b40ce416SJulian Elischer struct proc *p = td->td_proc; 602b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 603b1fc0ec1SRobert Watson uid_t euid; 6041419eacbSAlfred Perlstein struct uidinfo *euip; 605eb725b4eSRobert Watson int error; 606df8bae1dSRodney W. Grimes 607df8bae1dSRodney W. Grimes euid = uap->euid; 60814961ba7SRobert Watson AUDIT_ARG_EUID(euid); 60907f3485dSJohn Baldwin newcred = crget(); 6101419eacbSAlfred Perlstein euip = uifind(euid); 61107f3485dSJohn Baldwin PROC_LOCK(p); 612838d9858SBrooks Davis /* 613838d9858SBrooks Davis * Copy credentials so other references do not see our changes. 614838d9858SBrooks Davis */ 615838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 616030a28b3SRobert Watson 617030a28b3SRobert Watson #ifdef MAC 6186f6174a7SRobert Watson error = mac_cred_check_seteuid(oldcred, euid); 619030a28b3SRobert Watson if (error) 620030a28b3SRobert Watson goto fail; 621030a28b3SRobert Watson #endif 622030a28b3SRobert Watson 623b1fc0ec1SRobert Watson if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 624b1fc0ec1SRobert Watson euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 62532f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 626030a28b3SRobert Watson goto fail; 627030a28b3SRobert Watson 628df8bae1dSRodney W. Grimes /* 629838d9858SBrooks Davis * Everything's okay, do it. 630df8bae1dSRodney W. Grimes */ 631b1fc0ec1SRobert Watson if (oldcred->cr_uid != euid) { 6321419eacbSAlfred Perlstein change_euid(newcred, euip); 633d5f81602SSean Eric Fagan setsugid(p); 634229a15f0SPeter Wemm } 635daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 63607f3485dSJohn Baldwin PROC_UNLOCK(p); 6371419eacbSAlfred Perlstein uifree(euip); 638b1fc0ec1SRobert Watson crfree(oldcred); 63907f3485dSJohn Baldwin return (0); 640030a28b3SRobert Watson 641030a28b3SRobert Watson fail: 642030a28b3SRobert Watson PROC_UNLOCK(p); 643030a28b3SRobert Watson uifree(euip); 644030a28b3SRobert Watson crfree(newcred); 645030a28b3SRobert Watson return (error); 646df8bae1dSRodney W. Grimes } 647df8bae1dSRodney W. Grimes 648d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 649df8bae1dSRodney W. Grimes struct setgid_args { 650df8bae1dSRodney W. Grimes gid_t gid; 651df8bae1dSRodney W. Grimes }; 652d2d3e875SBruce Evans #endif 653df8bae1dSRodney W. Grimes /* ARGSUSED */ 65426f9a767SRodney W. Grimes int 6558451d0ddSKip Macy sys_setgid(struct thread *td, struct setgid_args *uap) 656df8bae1dSRodney W. Grimes { 657b40ce416SJulian Elischer struct proc *p = td->td_proc; 658b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 659b1fc0ec1SRobert Watson gid_t gid; 660eb725b4eSRobert Watson int error; 661df8bae1dSRodney W. Grimes 662b1fc0ec1SRobert Watson gid = uap->gid; 66314961ba7SRobert Watson AUDIT_ARG_GID(gid); 66407f3485dSJohn Baldwin newcred = crget(); 66507f3485dSJohn Baldwin PROC_LOCK(p); 666838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 6675a92ee3cSRobert Watson 668030a28b3SRobert Watson #ifdef MAC 6696f6174a7SRobert Watson error = mac_cred_check_setgid(oldcred, gid); 670030a28b3SRobert Watson if (error) 671030a28b3SRobert Watson goto fail; 672030a28b3SRobert Watson #endif 673030a28b3SRobert Watson 674a08f4bf6SPeter Wemm /* 675a08f4bf6SPeter Wemm * See if we have "permission" by POSIX 1003.1 rules. 676a08f4bf6SPeter Wemm * 677a08f4bf6SPeter Wemm * Note that setgid(getegid()) is a special case of 678a08f4bf6SPeter Wemm * "appropriate privileges" in appendix B.4.2.2. We need 6792fa72ea7SJeroen Ruigrok van der Werven * to use this clause to be compatible with traditional BSD 680a08f4bf6SPeter Wemm * semantics. Basically, it means that "setgid(xx)" sets all 681a08f4bf6SPeter Wemm * three id's (assuming you have privs). 682a08f4bf6SPeter Wemm * 683a08f4bf6SPeter Wemm * For notes on the logic here, see setuid() above. 684a08f4bf6SPeter Wemm */ 685b1fc0ec1SRobert Watson if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 6863f246666SAndrey A. Chernov #ifdef _POSIX_SAVED_IDS 687b1fc0ec1SRobert Watson gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 688a08f4bf6SPeter Wemm #endif 689a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 690b1fc0ec1SRobert Watson gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 6913f246666SAndrey A. Chernov #endif 69232f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 693030a28b3SRobert Watson goto fail; 694a08f4bf6SPeter Wemm 695a08f4bf6SPeter Wemm #ifdef _POSIX_SAVED_IDS 696a08f4bf6SPeter Wemm /* 697a08f4bf6SPeter Wemm * Do we have "appropriate privileges" (are we root or gid == egid) 698a08f4bf6SPeter Wemm * If so, we are changing the real uid and saved gid. 699a08f4bf6SPeter Wemm */ 700a08f4bf6SPeter Wemm if ( 701a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 702b1fc0ec1SRobert Watson gid == oldcred->cr_groups[0] || 703a08f4bf6SPeter Wemm #endif 704800c9408SRobert Watson /* We are using privs. */ 70532f9753cSRobert Watson priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 706a08f4bf6SPeter Wemm #endif 707a08f4bf6SPeter Wemm { 708a08f4bf6SPeter Wemm /* 709a08f4bf6SPeter Wemm * Set real gid 710a08f4bf6SPeter Wemm */ 711b1fc0ec1SRobert Watson if (oldcred->cr_rgid != gid) { 712b1fc0ec1SRobert Watson change_rgid(newcred, gid); 713d5f81602SSean Eric Fagan setsugid(p); 714a08f4bf6SPeter Wemm } 715a08f4bf6SPeter Wemm /* 716a08f4bf6SPeter Wemm * Set saved gid 717a08f4bf6SPeter Wemm * 718a08f4bf6SPeter Wemm * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 719a08f4bf6SPeter Wemm * the security of setegid() depends on it. B.4.2.2 says it 720a08f4bf6SPeter Wemm * is important that we should do this. 721a08f4bf6SPeter Wemm */ 722b1fc0ec1SRobert Watson if (oldcred->cr_svgid != gid) { 723b1fc0ec1SRobert Watson change_svgid(newcred, gid); 724d5f81602SSean Eric Fagan setsugid(p); 725a08f4bf6SPeter Wemm } 726a08f4bf6SPeter Wemm } 727a08f4bf6SPeter Wemm /* 728a08f4bf6SPeter Wemm * In all cases permitted cases, we are changing the egid. 729a08f4bf6SPeter Wemm * Copy credentials so other references do not see our changes. 730a08f4bf6SPeter Wemm */ 731b1fc0ec1SRobert Watson if (oldcred->cr_groups[0] != gid) { 732b1fc0ec1SRobert Watson change_egid(newcred, gid); 733d5f81602SSean Eric Fagan setsugid(p); 734a08f4bf6SPeter Wemm } 735daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 73607f3485dSJohn Baldwin PROC_UNLOCK(p); 737b1fc0ec1SRobert Watson crfree(oldcred); 73807f3485dSJohn Baldwin return (0); 739030a28b3SRobert Watson 740030a28b3SRobert Watson fail: 741030a28b3SRobert Watson PROC_UNLOCK(p); 742030a28b3SRobert Watson crfree(newcred); 743030a28b3SRobert Watson return (error); 744df8bae1dSRodney W. Grimes } 745df8bae1dSRodney W. Grimes 746d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 747df8bae1dSRodney W. Grimes struct setegid_args { 748df8bae1dSRodney W. Grimes gid_t egid; 749df8bae1dSRodney W. Grimes }; 750d2d3e875SBruce Evans #endif 751df8bae1dSRodney W. Grimes /* ARGSUSED */ 75226f9a767SRodney W. Grimes int 7538451d0ddSKip Macy sys_setegid(struct thread *td, struct setegid_args *uap) 754df8bae1dSRodney W. Grimes { 755b40ce416SJulian Elischer struct proc *p = td->td_proc; 756b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 757b1fc0ec1SRobert Watson gid_t egid; 758eb725b4eSRobert Watson int error; 759df8bae1dSRodney W. Grimes 760df8bae1dSRodney W. Grimes egid = uap->egid; 76114961ba7SRobert Watson AUDIT_ARG_EGID(egid); 76207f3485dSJohn Baldwin newcred = crget(); 76307f3485dSJohn Baldwin PROC_LOCK(p); 764838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 765030a28b3SRobert Watson 766030a28b3SRobert Watson #ifdef MAC 7676f6174a7SRobert Watson error = mac_cred_check_setegid(oldcred, egid); 768030a28b3SRobert Watson if (error) 769030a28b3SRobert Watson goto fail; 770030a28b3SRobert Watson #endif 771030a28b3SRobert Watson 772b1fc0ec1SRobert Watson if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 773b1fc0ec1SRobert Watson egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 77432f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 775030a28b3SRobert Watson goto fail; 776030a28b3SRobert Watson 777b1fc0ec1SRobert Watson if (oldcred->cr_groups[0] != egid) { 778b1fc0ec1SRobert Watson change_egid(newcred, egid); 779d5f81602SSean Eric Fagan setsugid(p); 780229a15f0SPeter Wemm } 781daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 78207f3485dSJohn Baldwin PROC_UNLOCK(p); 783b1fc0ec1SRobert Watson crfree(oldcred); 78407f3485dSJohn Baldwin return (0); 785030a28b3SRobert Watson 786030a28b3SRobert Watson fail: 787030a28b3SRobert Watson PROC_UNLOCK(p); 788030a28b3SRobert Watson crfree(newcred); 789030a28b3SRobert Watson return (error); 790df8bae1dSRodney W. Grimes } 791df8bae1dSRodney W. Grimes 792d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 793df8bae1dSRodney W. Grimes struct setgroups_args { 794df8bae1dSRodney W. Grimes u_int gidsetsize; 795df8bae1dSRodney W. Grimes gid_t *gidset; 796df8bae1dSRodney W. Grimes }; 797d2d3e875SBruce Evans #endif 798df8bae1dSRodney W. Grimes /* ARGSUSED */ 79926f9a767SRodney W. Grimes int 8008451d0ddSKip Macy sys_setgroups(struct thread *td, struct setgroups_args *uap) 801df8bae1dSRodney W. Grimes { 80292b064f4SMateusz Guzik gid_t smallgroups[XU_NGROUPS]; 8037e9a456aSMateusz Guzik gid_t *groups; 80492b064f4SMateusz Guzik u_int gidsetsize; 805df8bae1dSRodney W. Grimes int error; 806df8bae1dSRodney W. Grimes 80792b064f4SMateusz Guzik gidsetsize = uap->gidsetsize; 80892b064f4SMateusz Guzik if (gidsetsize > ngroups_max + 1) 8093cb83e71SJohn Baldwin return (EINVAL); 8107e9a456aSMateusz Guzik 81192b064f4SMateusz Guzik if (gidsetsize > XU_NGROUPS) 81292b064f4SMateusz Guzik groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 81392b064f4SMateusz Guzik else 81492b064f4SMateusz Guzik groups = smallgroups; 8157e9a456aSMateusz Guzik 81692b064f4SMateusz Guzik error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 8177e9a456aSMateusz Guzik if (error == 0) 81892b064f4SMateusz Guzik error = kern_setgroups(td, gidsetsize, groups); 8197e9a456aSMateusz Guzik 82092b064f4SMateusz Guzik if (gidsetsize > XU_NGROUPS) 821838d9858SBrooks Davis free(groups, M_TEMP); 8223cb83e71SJohn Baldwin return (error); 8233cb83e71SJohn Baldwin } 8243cb83e71SJohn Baldwin 8253cb83e71SJohn Baldwin int 8263cb83e71SJohn Baldwin kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 8273cb83e71SJohn Baldwin { 8283cb83e71SJohn Baldwin struct proc *p = td->td_proc; 8293cb83e71SJohn Baldwin struct ucred *newcred, *oldcred; 8303cb83e71SJohn Baldwin int error; 8313cb83e71SJohn Baldwin 832b9063886SMateusz Guzik MPASS(ngrp <= ngroups_max + 1); 83314961ba7SRobert Watson AUDIT_ARG_GROUPSET(groups, ngrp); 83407f3485dSJohn Baldwin newcred = crget(); 835838d9858SBrooks Davis crextend(newcred, ngrp); 83607f3485dSJohn Baldwin PROC_LOCK(p); 837838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 838030a28b3SRobert Watson 839030a28b3SRobert Watson #ifdef MAC 8406f6174a7SRobert Watson error = mac_cred_check_setgroups(oldcred, ngrp, groups); 841030a28b3SRobert Watson if (error) 842030a28b3SRobert Watson goto fail; 843030a28b3SRobert Watson #endif 844030a28b3SRobert Watson 84532f9753cSRobert Watson error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 846030a28b3SRobert Watson if (error) 847030a28b3SRobert Watson goto fail; 84807f3485dSJohn Baldwin 8497e9a456aSMateusz Guzik if (ngrp == 0) { 8508a5d815aSPeter Wemm /* 8518a5d815aSPeter Wemm * setgroups(0, NULL) is a legitimate way of clearing the 8528a5d815aSPeter Wemm * groups vector on non-BSD systems (which generally do not 8538a5d815aSPeter Wemm * have the egid in the groups[0]). We risk security holes 8548a5d815aSPeter Wemm * when running non-BSD software if we do not do the same. 8558a5d815aSPeter Wemm */ 856b1fc0ec1SRobert Watson newcred->cr_ngroups = 1; 8578a5d815aSPeter Wemm } else { 858838d9858SBrooks Davis crsetgroups_locked(newcred, ngrp, groups); 8598a5d815aSPeter Wemm } 860d5f81602SSean Eric Fagan setsugid(p); 861daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 86207f3485dSJohn Baldwin PROC_UNLOCK(p); 863b1fc0ec1SRobert Watson crfree(oldcred); 86407f3485dSJohn Baldwin return (0); 865030a28b3SRobert Watson 866030a28b3SRobert Watson fail: 867030a28b3SRobert Watson PROC_UNLOCK(p); 868030a28b3SRobert Watson crfree(newcred); 869030a28b3SRobert Watson return (error); 870df8bae1dSRodney W. Grimes } 871df8bae1dSRodney W. Grimes 872d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 873df8bae1dSRodney W. Grimes struct setreuid_args { 87400999cd6SAndrey A. Chernov uid_t ruid; 87500999cd6SAndrey A. Chernov uid_t euid; 876df8bae1dSRodney W. Grimes }; 877d2d3e875SBruce Evans #endif 878df8bae1dSRodney W. Grimes /* ARGSUSED */ 87926f9a767SRodney W. Grimes int 8808451d0ddSKip Macy sys_setreuid(register struct thread *td, struct setreuid_args *uap) 881df8bae1dSRodney W. Grimes { 882b40ce416SJulian Elischer struct proc *p = td->td_proc; 883b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 884eb725b4eSRobert Watson uid_t euid, ruid; 8851419eacbSAlfred Perlstein struct uidinfo *euip, *ruip; 886eb725b4eSRobert Watson int error; 887df8bae1dSRodney W. Grimes 88800999cd6SAndrey A. Chernov euid = uap->euid; 889eb725b4eSRobert Watson ruid = uap->ruid; 89014961ba7SRobert Watson AUDIT_ARG_EUID(euid); 89114961ba7SRobert Watson AUDIT_ARG_RUID(ruid); 89207f3485dSJohn Baldwin newcred = crget(); 8931419eacbSAlfred Perlstein euip = uifind(euid); 8941419eacbSAlfred Perlstein ruip = uifind(ruid); 89507f3485dSJohn Baldwin PROC_LOCK(p); 896838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 897030a28b3SRobert Watson 898030a28b3SRobert Watson #ifdef MAC 8996f6174a7SRobert Watson error = mac_cred_check_setreuid(oldcred, ruid, euid); 900030a28b3SRobert Watson if (error) 901030a28b3SRobert Watson goto fail; 902030a28b3SRobert Watson #endif 903030a28b3SRobert Watson 904b1fc0ec1SRobert Watson if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 905b1fc0ec1SRobert Watson ruid != oldcred->cr_svuid) || 906b1fc0ec1SRobert Watson (euid != (uid_t)-1 && euid != oldcred->cr_uid && 907b1fc0ec1SRobert Watson euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 90832f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 909030a28b3SRobert Watson goto fail; 910030a28b3SRobert Watson 911b1fc0ec1SRobert Watson if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 9121419eacbSAlfred Perlstein change_euid(newcred, euip); 913d5f81602SSean Eric Fagan setsugid(p); 914a89a5370SPeter Wemm } 915b1fc0ec1SRobert Watson if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 9161419eacbSAlfred Perlstein change_ruid(newcred, ruip); 917d5f81602SSean Eric Fagan setsugid(p); 91800999cd6SAndrey A. Chernov } 919b1fc0ec1SRobert Watson if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 920b1fc0ec1SRobert Watson newcred->cr_svuid != newcred->cr_uid) { 921b1fc0ec1SRobert Watson change_svuid(newcred, newcred->cr_uid); 922d5f81602SSean Eric Fagan setsugid(p); 923a89a5370SPeter Wemm } 924daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 92507f3485dSJohn Baldwin PROC_UNLOCK(p); 926e4dcb704SEdward Tomasz Napierala #ifdef RACCT 927e4dcb704SEdward Tomasz Napierala racct_proc_ucred_changed(p, oldcred, newcred); 928e4dcb704SEdward Tomasz Napierala #endif 9291419eacbSAlfred Perlstein uifree(ruip); 9301419eacbSAlfred Perlstein uifree(euip); 931b1fc0ec1SRobert Watson crfree(oldcred); 93207f3485dSJohn Baldwin return (0); 933030a28b3SRobert Watson 934030a28b3SRobert Watson fail: 935030a28b3SRobert Watson PROC_UNLOCK(p); 936030a28b3SRobert Watson uifree(ruip); 937030a28b3SRobert Watson uifree(euip); 938030a28b3SRobert Watson crfree(newcred); 939030a28b3SRobert Watson return (error); 940df8bae1dSRodney W. Grimes } 941df8bae1dSRodney W. Grimes 942d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 943df8bae1dSRodney W. Grimes struct setregid_args { 94400999cd6SAndrey A. Chernov gid_t rgid; 94500999cd6SAndrey A. Chernov gid_t egid; 946df8bae1dSRodney W. Grimes }; 947d2d3e875SBruce Evans #endif 948df8bae1dSRodney W. Grimes /* ARGSUSED */ 94926f9a767SRodney W. Grimes int 9508451d0ddSKip Macy sys_setregid(register struct thread *td, struct setregid_args *uap) 951df8bae1dSRodney W. Grimes { 952b40ce416SJulian Elischer struct proc *p = td->td_proc; 953b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 954eb725b4eSRobert Watson gid_t egid, rgid; 955eb725b4eSRobert Watson int error; 956df8bae1dSRodney W. Grimes 95700999cd6SAndrey A. Chernov egid = uap->egid; 958eb725b4eSRobert Watson rgid = uap->rgid; 95914961ba7SRobert Watson AUDIT_ARG_EGID(egid); 96014961ba7SRobert Watson AUDIT_ARG_RGID(rgid); 96107f3485dSJohn Baldwin newcred = crget(); 96207f3485dSJohn Baldwin PROC_LOCK(p); 963838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 964030a28b3SRobert Watson 965030a28b3SRobert Watson #ifdef MAC 9666f6174a7SRobert Watson error = mac_cred_check_setregid(oldcred, rgid, egid); 967030a28b3SRobert Watson if (error) 968030a28b3SRobert Watson goto fail; 969030a28b3SRobert Watson #endif 970030a28b3SRobert Watson 971b1fc0ec1SRobert Watson if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 972b1fc0ec1SRobert Watson rgid != oldcred->cr_svgid) || 973b1fc0ec1SRobert Watson (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 974b1fc0ec1SRobert Watson egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 97532f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 976030a28b3SRobert Watson goto fail; 97707f3485dSJohn Baldwin 978b1fc0ec1SRobert Watson if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 979b1fc0ec1SRobert Watson change_egid(newcred, egid); 980d5f81602SSean Eric Fagan setsugid(p); 981a89a5370SPeter Wemm } 982b1fc0ec1SRobert Watson if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 983b1fc0ec1SRobert Watson change_rgid(newcred, rgid); 984d5f81602SSean Eric Fagan setsugid(p); 985a89a5370SPeter Wemm } 986b1fc0ec1SRobert Watson if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 987b1fc0ec1SRobert Watson newcred->cr_svgid != newcred->cr_groups[0]) { 988b1fc0ec1SRobert Watson change_svgid(newcred, newcred->cr_groups[0]); 989d5f81602SSean Eric Fagan setsugid(p); 990a89a5370SPeter Wemm } 991daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 99207f3485dSJohn Baldwin PROC_UNLOCK(p); 9934589be70SRuslan Ermilov crfree(oldcred); 99407f3485dSJohn Baldwin return (0); 995030a28b3SRobert Watson 996030a28b3SRobert Watson fail: 997030a28b3SRobert Watson PROC_UNLOCK(p); 998030a28b3SRobert Watson crfree(newcred); 999030a28b3SRobert Watson return (error); 1000df8bae1dSRodney W. Grimes } 1001df8bae1dSRodney W. Grimes 10028ccd6334SPeter Wemm /* 1003873fbcd7SRobert Watson * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1004873fbcd7SRobert Watson * uid is explicit. 10058ccd6334SPeter Wemm */ 10068ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 10078ccd6334SPeter Wemm struct setresuid_args { 10088ccd6334SPeter Wemm uid_t ruid; 10098ccd6334SPeter Wemm uid_t euid; 10108ccd6334SPeter Wemm uid_t suid; 10118ccd6334SPeter Wemm }; 10128ccd6334SPeter Wemm #endif 10138ccd6334SPeter Wemm /* ARGSUSED */ 10148ccd6334SPeter Wemm int 10158451d0ddSKip Macy sys_setresuid(register struct thread *td, struct setresuid_args *uap) 10168ccd6334SPeter Wemm { 1017b40ce416SJulian Elischer struct proc *p = td->td_proc; 1018b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 1019eb725b4eSRobert Watson uid_t euid, ruid, suid; 10201419eacbSAlfred Perlstein struct uidinfo *euip, *ruip; 10218ccd6334SPeter Wemm int error; 10228ccd6334SPeter Wemm 10238ccd6334SPeter Wemm euid = uap->euid; 1024eb725b4eSRobert Watson ruid = uap->ruid; 10258ccd6334SPeter Wemm suid = uap->suid; 102614961ba7SRobert Watson AUDIT_ARG_EUID(euid); 102714961ba7SRobert Watson AUDIT_ARG_RUID(ruid); 102814961ba7SRobert Watson AUDIT_ARG_SUID(suid); 102907f3485dSJohn Baldwin newcred = crget(); 10301419eacbSAlfred Perlstein euip = uifind(euid); 10311419eacbSAlfred Perlstein ruip = uifind(ruid); 103207f3485dSJohn Baldwin PROC_LOCK(p); 1033838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 1034030a28b3SRobert Watson 1035030a28b3SRobert Watson #ifdef MAC 10366f6174a7SRobert Watson error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1037030a28b3SRobert Watson if (error) 1038030a28b3SRobert Watson goto fail; 1039030a28b3SRobert Watson #endif 1040030a28b3SRobert Watson 1041b1fc0ec1SRobert Watson if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1042b1fc0ec1SRobert Watson ruid != oldcred->cr_svuid && 1043b1fc0ec1SRobert Watson ruid != oldcred->cr_uid) || 1044b1fc0ec1SRobert Watson (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1045b1fc0ec1SRobert Watson euid != oldcred->cr_svuid && 1046b1fc0ec1SRobert Watson euid != oldcred->cr_uid) || 1047b1fc0ec1SRobert Watson (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1048b1fc0ec1SRobert Watson suid != oldcred->cr_svuid && 1049b1fc0ec1SRobert Watson suid != oldcred->cr_uid)) && 105032f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1051030a28b3SRobert Watson goto fail; 105207f3485dSJohn Baldwin 1053b1fc0ec1SRobert Watson if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 10541419eacbSAlfred Perlstein change_euid(newcred, euip); 10558ccd6334SPeter Wemm setsugid(p); 10568ccd6334SPeter Wemm } 1057b1fc0ec1SRobert Watson if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 10581419eacbSAlfred Perlstein change_ruid(newcred, ruip); 10598ccd6334SPeter Wemm setsugid(p); 10608ccd6334SPeter Wemm } 1061b1fc0ec1SRobert Watson if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1062b1fc0ec1SRobert Watson change_svuid(newcred, suid); 10638ccd6334SPeter Wemm setsugid(p); 10648ccd6334SPeter Wemm } 1065daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 106607f3485dSJohn Baldwin PROC_UNLOCK(p); 1067e4dcb704SEdward Tomasz Napierala #ifdef RACCT 1068e4dcb704SEdward Tomasz Napierala racct_proc_ucred_changed(p, oldcred, newcred); 1069e4dcb704SEdward Tomasz Napierala #endif 10701419eacbSAlfred Perlstein uifree(ruip); 10711419eacbSAlfred Perlstein uifree(euip); 1072b1fc0ec1SRobert Watson crfree(oldcred); 107307f3485dSJohn Baldwin return (0); 1074030a28b3SRobert Watson 1075030a28b3SRobert Watson fail: 1076030a28b3SRobert Watson PROC_UNLOCK(p); 1077030a28b3SRobert Watson uifree(ruip); 1078030a28b3SRobert Watson uifree(euip); 1079030a28b3SRobert Watson crfree(newcred); 1080030a28b3SRobert Watson return (error); 1081030a28b3SRobert Watson 10828ccd6334SPeter Wemm } 10838ccd6334SPeter Wemm 10848ccd6334SPeter Wemm /* 1085873fbcd7SRobert Watson * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1086873fbcd7SRobert Watson * gid is explicit. 10878ccd6334SPeter Wemm */ 10888ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 10898ccd6334SPeter Wemm struct setresgid_args { 10908ccd6334SPeter Wemm gid_t rgid; 10918ccd6334SPeter Wemm gid_t egid; 10928ccd6334SPeter Wemm gid_t sgid; 10938ccd6334SPeter Wemm }; 10948ccd6334SPeter Wemm #endif 10958ccd6334SPeter Wemm /* ARGSUSED */ 10968ccd6334SPeter Wemm int 10978451d0ddSKip Macy sys_setresgid(register struct thread *td, struct setresgid_args *uap) 10988ccd6334SPeter Wemm { 1099b40ce416SJulian Elischer struct proc *p = td->td_proc; 1100b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 1101eb725b4eSRobert Watson gid_t egid, rgid, sgid; 11028ccd6334SPeter Wemm int error; 11038ccd6334SPeter Wemm 11048ccd6334SPeter Wemm egid = uap->egid; 1105eb725b4eSRobert Watson rgid = uap->rgid; 11068ccd6334SPeter Wemm sgid = uap->sgid; 110714961ba7SRobert Watson AUDIT_ARG_EGID(egid); 110814961ba7SRobert Watson AUDIT_ARG_RGID(rgid); 110914961ba7SRobert Watson AUDIT_ARG_SGID(sgid); 111007f3485dSJohn Baldwin newcred = crget(); 111107f3485dSJohn Baldwin PROC_LOCK(p); 1112838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 1113030a28b3SRobert Watson 1114030a28b3SRobert Watson #ifdef MAC 11156f6174a7SRobert Watson error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1116030a28b3SRobert Watson if (error) 1117030a28b3SRobert Watson goto fail; 1118030a28b3SRobert Watson #endif 1119030a28b3SRobert Watson 1120b1fc0ec1SRobert Watson if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1121b1fc0ec1SRobert Watson rgid != oldcred->cr_svgid && 1122b1fc0ec1SRobert Watson rgid != oldcred->cr_groups[0]) || 1123b1fc0ec1SRobert Watson (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1124b1fc0ec1SRobert Watson egid != oldcred->cr_svgid && 1125b1fc0ec1SRobert Watson egid != oldcred->cr_groups[0]) || 1126b1fc0ec1SRobert Watson (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1127b1fc0ec1SRobert Watson sgid != oldcred->cr_svgid && 1128b1fc0ec1SRobert Watson sgid != oldcred->cr_groups[0])) && 112932f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1130030a28b3SRobert Watson goto fail; 113107f3485dSJohn Baldwin 1132b1fc0ec1SRobert Watson if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1133b1fc0ec1SRobert Watson change_egid(newcred, egid); 11348ccd6334SPeter Wemm setsugid(p); 11358ccd6334SPeter Wemm } 1136b1fc0ec1SRobert Watson if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1137b1fc0ec1SRobert Watson change_rgid(newcred, rgid); 11388ccd6334SPeter Wemm setsugid(p); 11398ccd6334SPeter Wemm } 1140b1fc0ec1SRobert Watson if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1141b1fc0ec1SRobert Watson change_svgid(newcred, sgid); 11428ccd6334SPeter Wemm setsugid(p); 11438ccd6334SPeter Wemm } 1144daf63fd2SMateusz Guzik proc_set_cred(p, newcred); 114507f3485dSJohn Baldwin PROC_UNLOCK(p); 1146b1fc0ec1SRobert Watson crfree(oldcred); 114707f3485dSJohn Baldwin return (0); 1148030a28b3SRobert Watson 1149030a28b3SRobert Watson fail: 1150030a28b3SRobert Watson PROC_UNLOCK(p); 1151030a28b3SRobert Watson crfree(newcred); 1152030a28b3SRobert Watson return (error); 11538ccd6334SPeter Wemm } 11548ccd6334SPeter Wemm 11558ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 11568ccd6334SPeter Wemm struct getresuid_args { 11578ccd6334SPeter Wemm uid_t *ruid; 11588ccd6334SPeter Wemm uid_t *euid; 11598ccd6334SPeter Wemm uid_t *suid; 11608ccd6334SPeter Wemm }; 11618ccd6334SPeter Wemm #endif 11628ccd6334SPeter Wemm /* ARGSUSED */ 11638ccd6334SPeter Wemm int 11648451d0ddSKip Macy sys_getresuid(register struct thread *td, struct getresuid_args *uap) 11658ccd6334SPeter Wemm { 1166835a82eeSMatthew Dillon struct ucred *cred; 11678ccd6334SPeter Wemm int error1 = 0, error2 = 0, error3 = 0; 11688ccd6334SPeter Wemm 1169d74ac681SMatthew Dillon cred = td->td_ucred; 11708ccd6334SPeter Wemm if (uap->ruid) 11717f05b035SAlfred Perlstein error1 = copyout(&cred->cr_ruid, 11727f05b035SAlfred Perlstein uap->ruid, sizeof(cred->cr_ruid)); 11738ccd6334SPeter Wemm if (uap->euid) 11747f05b035SAlfred Perlstein error2 = copyout(&cred->cr_uid, 11757f05b035SAlfred Perlstein uap->euid, sizeof(cred->cr_uid)); 11768ccd6334SPeter Wemm if (uap->suid) 11777f05b035SAlfred Perlstein error3 = copyout(&cred->cr_svuid, 11787f05b035SAlfred Perlstein uap->suid, sizeof(cred->cr_svuid)); 1179eb725b4eSRobert Watson return (error1 ? error1 : error2 ? error2 : error3); 11808ccd6334SPeter Wemm } 11818ccd6334SPeter Wemm 11828ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 11838ccd6334SPeter Wemm struct getresgid_args { 11848ccd6334SPeter Wemm gid_t *rgid; 11858ccd6334SPeter Wemm gid_t *egid; 11868ccd6334SPeter Wemm gid_t *sgid; 11878ccd6334SPeter Wemm }; 11888ccd6334SPeter Wemm #endif 11898ccd6334SPeter Wemm /* ARGSUSED */ 11908ccd6334SPeter Wemm int 11918451d0ddSKip Macy sys_getresgid(register struct thread *td, struct getresgid_args *uap) 11928ccd6334SPeter Wemm { 1193835a82eeSMatthew Dillon struct ucred *cred; 11948ccd6334SPeter Wemm int error1 = 0, error2 = 0, error3 = 0; 11958ccd6334SPeter Wemm 1196d74ac681SMatthew Dillon cred = td->td_ucred; 11978ccd6334SPeter Wemm if (uap->rgid) 11987f05b035SAlfred Perlstein error1 = copyout(&cred->cr_rgid, 11997f05b035SAlfred Perlstein uap->rgid, sizeof(cred->cr_rgid)); 12008ccd6334SPeter Wemm if (uap->egid) 12017f05b035SAlfred Perlstein error2 = copyout(&cred->cr_groups[0], 12027f05b035SAlfred Perlstein uap->egid, sizeof(cred->cr_groups[0])); 12038ccd6334SPeter Wemm if (uap->sgid) 12047f05b035SAlfred Perlstein error3 = copyout(&cred->cr_svgid, 12057f05b035SAlfred Perlstein uap->sgid, sizeof(cred->cr_svgid)); 1206eb725b4eSRobert Watson return (error1 ? error1 : error2 ? error2 : error3); 12078ccd6334SPeter Wemm } 12088ccd6334SPeter Wemm 1209b67cbc65SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1210b67cbc65SPeter Wemm struct issetugid_args { 1211b67cbc65SPeter Wemm int dummy; 1212b67cbc65SPeter Wemm }; 1213b67cbc65SPeter Wemm #endif 1214b67cbc65SPeter Wemm /* ARGSUSED */ 1215b67cbc65SPeter Wemm int 12168451d0ddSKip Macy sys_issetugid(register struct thread *td, struct issetugid_args *uap) 1217b67cbc65SPeter Wemm { 1218b40ce416SJulian Elischer struct proc *p = td->td_proc; 1219b40ce416SJulian Elischer 1220b67cbc65SPeter Wemm /* 1221b67cbc65SPeter Wemm * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1222b67cbc65SPeter Wemm * we use P_SUGID because we consider changing the owners as 1223b67cbc65SPeter Wemm * "tainting" as well. 1224b67cbc65SPeter Wemm * This is significant for procs that start as root and "become" 1225b67cbc65SPeter Wemm * a user without an exec - programs cannot know *everything* 1226b67cbc65SPeter Wemm * that libc *might* have put in their data segment. 1227b67cbc65SPeter Wemm */ 1228f591779bSSeigo Tanimura PROC_LOCK(p); 1229b40ce416SJulian Elischer td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1230f591779bSSeigo Tanimura PROC_UNLOCK(p); 1231b67cbc65SPeter Wemm return (0); 1232b67cbc65SPeter Wemm } 1233b67cbc65SPeter Wemm 1234130d0157SRobert Watson int 12358451d0ddSKip Macy sys___setugid(struct thread *td, struct __setugid_args *uap) 1236130d0157SRobert Watson { 1237130d0157SRobert Watson #ifdef REGRESSION 123807f3485dSJohn Baldwin struct proc *p; 1239835a82eeSMatthew Dillon 124007f3485dSJohn Baldwin p = td->td_proc; 1241130d0157SRobert Watson switch (uap->flag) { 1242130d0157SRobert Watson case 0: 124307f3485dSJohn Baldwin PROC_LOCK(p); 124407f3485dSJohn Baldwin p->p_flag &= ~P_SUGID; 124507f3485dSJohn Baldwin PROC_UNLOCK(p); 124607f3485dSJohn Baldwin return (0); 124707f3485dSJohn Baldwin case 1: 124807f3485dSJohn Baldwin PROC_LOCK(p); 124907f3485dSJohn Baldwin p->p_flag |= P_SUGID; 125007f3485dSJohn Baldwin PROC_UNLOCK(p); 125107f3485dSJohn Baldwin return (0); 125207f3485dSJohn Baldwin default: 125307f3485dSJohn Baldwin return (EINVAL); 125407f3485dSJohn Baldwin } 1255130d0157SRobert Watson #else /* !REGRESSION */ 1256eb725b4eSRobert Watson 1257130d0157SRobert Watson return (ENOSYS); 1258eb725b4eSRobert Watson #endif /* REGRESSION */ 1259130d0157SRobert Watson } 1260130d0157SRobert Watson 1261df8bae1dSRodney W. Grimes /* 1262df8bae1dSRodney W. Grimes * Check if gid is a member of the group set. 1263df8bae1dSRodney W. Grimes */ 126426f9a767SRodney W. Grimes int 12654c44ad8eSJohn Baldwin groupmember(gid_t gid, struct ucred *cred) 1266df8bae1dSRodney W. Grimes { 12677f92e578SBrooks Davis int l; 12687f92e578SBrooks Davis int h; 12697f92e578SBrooks Davis int m; 1270df8bae1dSRodney W. Grimes 12717f92e578SBrooks Davis if (cred->cr_groups[0] == gid) 1272df8bae1dSRodney W. Grimes return(1); 12737f92e578SBrooks Davis 12747f92e578SBrooks Davis /* 12757f92e578SBrooks Davis * If gid was not our primary group, perform a binary search 12767f92e578SBrooks Davis * of the supplemental groups. This is possible because we 12777f92e578SBrooks Davis * sort the groups in crsetgroups(). 12787f92e578SBrooks Davis */ 12797f92e578SBrooks Davis l = 1; 12807f92e578SBrooks Davis h = cred->cr_ngroups; 12817f92e578SBrooks Davis while (l < h) { 12827f92e578SBrooks Davis m = l + ((h - l) / 2); 12837f92e578SBrooks Davis if (cred->cr_groups[m] < gid) 12847f92e578SBrooks Davis l = m + 1; 12857f92e578SBrooks Davis else 12867f92e578SBrooks Davis h = m; 12877f92e578SBrooks Davis } 12887f92e578SBrooks Davis if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) 12897f92e578SBrooks Davis return (1); 12907f92e578SBrooks Davis 1291df8bae1dSRodney W. Grimes return (0); 1292df8bae1dSRodney W. Grimes } 1293df8bae1dSRodney W. Grimes 12943b243b72SRobert Watson /* 1295eb725b4eSRobert Watson * Test the active securelevel against a given level. securelevel_gt() 1296eb725b4eSRobert Watson * implements (securelevel > level). securelevel_ge() implements 1297eb725b4eSRobert Watson * (securelevel >= level). Note that the logic is inverted -- these 1298eb725b4eSRobert Watson * functions return EPERM on "success" and 0 on "failure". 12993ca719f1SRobert Watson * 13000304c731SJamie Gritton * Due to care taken when setting the securelevel, we know that no jail will 13010304c731SJamie Gritton * be less secure that its parent (or the physical system), so it is sufficient 13020304c731SJamie Gritton * to test the current jail only. 13030304c731SJamie Gritton * 1304800c9408SRobert Watson * XXXRW: Possibly since this has to do with privilege, it should move to 1305800c9408SRobert Watson * kern_priv.c. 13063ca719f1SRobert Watson */ 13073ca719f1SRobert Watson int 13083ca719f1SRobert Watson securelevel_gt(struct ucred *cr, int level) 13093ca719f1SRobert Watson { 13103ca719f1SRobert Watson 13110304c731SJamie Gritton return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 13123ca719f1SRobert Watson } 13133ca719f1SRobert Watson 13143ca719f1SRobert Watson int 13153ca719f1SRobert Watson securelevel_ge(struct ucred *cr, int level) 13163ca719f1SRobert Watson { 13173ca719f1SRobert Watson 13180304c731SJamie Gritton return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 13193ca719f1SRobert Watson } 13203ca719f1SRobert Watson 13218a7d8cc6SRobert Watson /* 1322e409590dSRobert Watson * 'see_other_uids' determines whether or not visibility of processes 1323eb725b4eSRobert Watson * and sockets with credentials holding different real uids is possible 132448713bdcSRobert Watson * using a variety of system MIBs. 1325eb725b4eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 13268a7d8cc6SRobert Watson */ 1327e409590dSRobert Watson static int see_other_uids = 1; 1328d0615c64SAndrew R. Reiter SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1329eb725b4eSRobert Watson &see_other_uids, 0, 13308a7d8cc6SRobert Watson "Unprivileged processes may see subjects/objects with different real uid"); 13318a7d8cc6SRobert Watson 13321a996ed1SEdward Tomasz Napierala /*- 13331b350b45SRobert Watson * Determine if u1 "can see" the subject specified by u2, according to the 13341b350b45SRobert Watson * 'see_other_uids' policy. 13351b350b45SRobert Watson * Returns: 0 for permitted, ESRCH otherwise 13361b350b45SRobert Watson * Locks: none 13371b350b45SRobert Watson * References: *u1 and *u2 must not change during the call 13381b350b45SRobert Watson * u1 may equal u2, in which case only one reference is required 13391b350b45SRobert Watson */ 13404ac21b4fSStephen J. Kiernan int 13414ac21b4fSStephen J. Kiernan cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 13421b350b45SRobert Watson { 13431b350b45SRobert Watson 13441b350b45SRobert Watson if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 134532f9753cSRobert Watson if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 13461b350b45SRobert Watson return (ESRCH); 13471b350b45SRobert Watson } 13481b350b45SRobert Watson return (0); 13491b350b45SRobert Watson } 13501b350b45SRobert Watson 135164d19c2eSRobert Watson /* 135264d19c2eSRobert Watson * 'see_other_gids' determines whether or not visibility of processes 135364d19c2eSRobert Watson * and sockets with credentials holding different real gids is possible 135464d19c2eSRobert Watson * using a variety of system MIBs. 135564d19c2eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 135664d19c2eSRobert Watson */ 135764d19c2eSRobert Watson static int see_other_gids = 1; 135864d19c2eSRobert Watson SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 135964d19c2eSRobert Watson &see_other_gids, 0, 136064d19c2eSRobert Watson "Unprivileged processes may see subjects/objects with different real gid"); 136164d19c2eSRobert Watson 136264d19c2eSRobert Watson /* 136364d19c2eSRobert Watson * Determine if u1 can "see" the subject specified by u2, according to the 136464d19c2eSRobert Watson * 'see_other_gids' policy. 136564d19c2eSRobert Watson * Returns: 0 for permitted, ESRCH otherwise 136664d19c2eSRobert Watson * Locks: none 136764d19c2eSRobert Watson * References: *u1 and *u2 must not change during the call 136864d19c2eSRobert Watson * u1 may equal u2, in which case only one reference is required 136964d19c2eSRobert Watson */ 13704ac21b4fSStephen J. Kiernan int 13714ac21b4fSStephen J. Kiernan cr_canseeothergids(struct ucred *u1, struct ucred *u2) 137264d19c2eSRobert Watson { 137364d19c2eSRobert Watson int i, match; 137464d19c2eSRobert Watson 137564d19c2eSRobert Watson if (!see_other_gids) { 137664d19c2eSRobert Watson match = 0; 137764d19c2eSRobert Watson for (i = 0; i < u1->cr_ngroups; i++) { 137864d19c2eSRobert Watson if (groupmember(u1->cr_groups[i], u2)) 137964d19c2eSRobert Watson match = 1; 138064d19c2eSRobert Watson if (match) 138164d19c2eSRobert Watson break; 138264d19c2eSRobert Watson } 138364d19c2eSRobert Watson if (!match) { 138432f9753cSRobert Watson if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 138564d19c2eSRobert Watson return (ESRCH); 138664d19c2eSRobert Watson } 138764d19c2eSRobert Watson } 138864d19c2eSRobert Watson return (0); 138964d19c2eSRobert Watson } 139064d19c2eSRobert Watson 13911a996ed1SEdward Tomasz Napierala /*- 13927fd6a959SRobert Watson * Determine if u1 "can see" the subject specified by u2. 1393ed639720SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1394ed639720SRobert Watson * Locks: none 1395eb725b4eSRobert Watson * References: *u1 and *u2 must not change during the call 1396ed639720SRobert Watson * u1 may equal u2, in which case only one reference is required 1397ed639720SRobert Watson */ 1398ed639720SRobert Watson int 139994088977SRobert Watson cr_cansee(struct ucred *u1, struct ucred *u2) 1400a9e0361bSPoul-Henning Kamp { 140191421ba2SRobert Watson int error; 1402a9e0361bSPoul-Henning Kamp 1403ed639720SRobert Watson if ((error = prison_check(u1, u2))) 140491421ba2SRobert Watson return (error); 14058a1d977dSRobert Watson #ifdef MAC 140630d239bcSRobert Watson if ((error = mac_cred_check_visible(u1, u2))) 14078a1d977dSRobert Watson return (error); 14088a1d977dSRobert Watson #endif 14094ac21b4fSStephen J. Kiernan if ((error = cr_canseeotheruids(u1, u2))) 14101b350b45SRobert Watson return (error); 14114ac21b4fSStephen J. Kiernan if ((error = cr_canseeothergids(u1, u2))) 141264d19c2eSRobert Watson return (error); 1413387d2c03SRobert Watson return (0); 1414387d2c03SRobert Watson } 1415387d2c03SRobert Watson 14161a996ed1SEdward Tomasz Napierala /*- 1417f44d9e24SJohn Baldwin * Determine if td "can see" the subject specified by p. 14183b243b72SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1419f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1420f44d9e24SJohn Baldwin * should be curthread. 1421f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 14223b243b72SRobert Watson */ 1423a0f75161SRobert Watson int 1424f44d9e24SJohn Baldwin p_cansee(struct thread *td, struct proc *p) 1425ed639720SRobert Watson { 1426ed639720SRobert Watson 142794088977SRobert Watson /* Wrap cr_cansee() for all functionality. */ 1428f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1429f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1430f44d9e24SJohn Baldwin return (cr_cansee(td->td_ucred, p->p_ucred)); 1431ed639720SRobert Watson } 1432ed639720SRobert Watson 143362c45ef4SRobert Watson /* 143462c45ef4SRobert Watson * 'conservative_signals' prevents the delivery of a broad class of 143562c45ef4SRobert Watson * signals by unprivileged processes to processes that have changed their 143662c45ef4SRobert Watson * credentials since the last invocation of execve(). This can prevent 143762c45ef4SRobert Watson * the leakage of cached information or retained privileges as a result 143862c45ef4SRobert Watson * of a common class of signal-related vulnerabilities. However, this 143962c45ef4SRobert Watson * may interfere with some applications that expect to be able to 144062c45ef4SRobert Watson * deliver these signals to peer processes after having given up 144162c45ef4SRobert Watson * privilege. 144262c45ef4SRobert Watson */ 144362c45ef4SRobert Watson static int conservative_signals = 1; 144462c45ef4SRobert Watson SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 144562c45ef4SRobert Watson &conservative_signals, 0, "Unprivileged processes prevented from " 144662c45ef4SRobert Watson "sending certain signals to processes whose credentials have changed"); 14471a996ed1SEdward Tomasz Napierala /*- 1448c83f8015SRobert Watson * Determine whether cred may deliver the specified signal to proc. 1449c83f8015SRobert Watson * Returns: 0 for permitted, an errno value otherwise. 1450c83f8015SRobert Watson * Locks: A lock must be held for proc. 1451c83f8015SRobert Watson * References: cred and proc must be valid for the lifetime of the call. 14524c5eb9c3SRobert Watson */ 14534c5eb9c3SRobert Watson int 14541a88a252SMaxim Sobolev cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1455387d2c03SRobert Watson { 145691421ba2SRobert Watson int error; 1457387d2c03SRobert Watson 1458f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(proc, MA_OWNED); 14594c5eb9c3SRobert Watson /* 1460c83f8015SRobert Watson * Jail semantics limit the scope of signalling to proc in the 1461c83f8015SRobert Watson * same jail as cred, if cred is in jail. 14624c5eb9c3SRobert Watson */ 1463c83f8015SRobert Watson error = prison_check(cred, proc->p_ucred); 1464c83f8015SRobert Watson if (error) 146591421ba2SRobert Watson return (error); 14668a1d977dSRobert Watson #ifdef MAC 146730d239bcSRobert Watson if ((error = mac_proc_check_signal(cred, proc, signum))) 14688a1d977dSRobert Watson return (error); 14698a1d977dSRobert Watson #endif 14704ac21b4fSStephen J. Kiernan if ((error = cr_canseeotheruids(cred, proc->p_ucred))) 147164d19c2eSRobert Watson return (error); 14724ac21b4fSStephen J. Kiernan if ((error = cr_canseeothergids(cred, proc->p_ucred))) 14731b350b45SRobert Watson return (error); 1474387d2c03SRobert Watson 1475387d2c03SRobert Watson /* 14763b243b72SRobert Watson * UNIX signal semantics depend on the status of the P_SUGID 14773b243b72SRobert Watson * bit on the target process. If the bit is set, then additional 14783b243b72SRobert Watson * restrictions are placed on the set of available signals. 14794c5eb9c3SRobert Watson */ 14801a88a252SMaxim Sobolev if (conservative_signals && (proc->p_flag & P_SUGID)) { 14814c5eb9c3SRobert Watson switch (signum) { 14824c5eb9c3SRobert Watson case 0: 14834c5eb9c3SRobert Watson case SIGKILL: 14844c5eb9c3SRobert Watson case SIGINT: 14854c5eb9c3SRobert Watson case SIGTERM: 148662c45ef4SRobert Watson case SIGALRM: 14874c5eb9c3SRobert Watson case SIGSTOP: 14884c5eb9c3SRobert Watson case SIGTTIN: 14894c5eb9c3SRobert Watson case SIGTTOU: 14904c5eb9c3SRobert Watson case SIGTSTP: 14914c5eb9c3SRobert Watson case SIGHUP: 14924c5eb9c3SRobert Watson case SIGUSR1: 14934c5eb9c3SRobert Watson case SIGUSR2: 14947fd6a959SRobert Watson /* 14957fd6a959SRobert Watson * Generally, permit job and terminal control 14967fd6a959SRobert Watson * signals. 14977fd6a959SRobert Watson */ 14984c5eb9c3SRobert Watson break; 14994c5eb9c3SRobert Watson default: 1500c83f8015SRobert Watson /* Not permitted without privilege. */ 150132f9753cSRobert Watson error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 15024c5eb9c3SRobert Watson if (error) 15034c5eb9c3SRobert Watson return (error); 15044c5eb9c3SRobert Watson } 1505e9e7ff5bSRobert Watson } 1506e9e7ff5bSRobert Watson 15074c5eb9c3SRobert Watson /* 15083b243b72SRobert Watson * Generally, the target credential's ruid or svuid must match the 1509e9e7ff5bSRobert Watson * subject credential's ruid or euid. 15104c5eb9c3SRobert Watson */ 1511c83f8015SRobert Watson if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1512c83f8015SRobert Watson cred->cr_ruid != proc->p_ucred->cr_svuid && 1513c83f8015SRobert Watson cred->cr_uid != proc->p_ucred->cr_ruid && 1514c83f8015SRobert Watson cred->cr_uid != proc->p_ucred->cr_svuid) { 151532f9753cSRobert Watson error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 15164c5eb9c3SRobert Watson if (error) 15174c5eb9c3SRobert Watson return (error); 15184c5eb9c3SRobert Watson } 1519387d2c03SRobert Watson 1520387d2c03SRobert Watson return (0); 1521387d2c03SRobert Watson } 1522a9e0361bSPoul-Henning Kamp 15231a996ed1SEdward Tomasz Napierala /*- 1524f44d9e24SJohn Baldwin * Determine whether td may deliver the specified signal to p. 1525c83f8015SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1526f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1527f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must be 1528f44d9e24SJohn Baldwin * held for p. 1529f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 1530c83f8015SRobert Watson */ 1531c83f8015SRobert Watson int 15321a88a252SMaxim Sobolev p_cansignal(struct thread *td, struct proc *p, int signum) 1533c83f8015SRobert Watson { 1534c83f8015SRobert Watson 1535f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1536f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1537f44d9e24SJohn Baldwin if (td->td_proc == p) 1538c83f8015SRobert Watson return (0); 1539c83f8015SRobert Watson 1540c83f8015SRobert Watson /* 1541c83f8015SRobert Watson * UNIX signalling semantics require that processes in the same 1542c83f8015SRobert Watson * session always be able to deliver SIGCONT to one another, 1543c83f8015SRobert Watson * overriding the remaining protections. 1544c83f8015SRobert Watson */ 1545f44d9e24SJohn Baldwin /* XXX: This will require an additional lock of some sort. */ 1546f44d9e24SJohn Baldwin if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1547c83f8015SRobert Watson return (0); 15484b178336SMaxim Sobolev /* 1549f9cd63d4SMaxim Sobolev * Some compat layers use SIGTHR and higher signals for 1550f9cd63d4SMaxim Sobolev * communication between different kernel threads of the same 1551f9cd63d4SMaxim Sobolev * process, so that they expect that it's always possible to 1552f9cd63d4SMaxim Sobolev * deliver them, even for suid applications where cr_cansignal() can 15534b178336SMaxim Sobolev * deny such ability for security consideration. It should be 15544b178336SMaxim Sobolev * pretty safe to do since the only way to create two processes 15554b178336SMaxim Sobolev * with the same p_leader is via rfork(2). 15564b178336SMaxim Sobolev */ 15572322a0a7SMaxim Sobolev if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 15582322a0a7SMaxim Sobolev signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 15594b178336SMaxim Sobolev return (0); 1560c83f8015SRobert Watson 15611a88a252SMaxim Sobolev return (cr_cansignal(td->td_ucred, p, signum)); 1562c83f8015SRobert Watson } 1563c83f8015SRobert Watson 15641a996ed1SEdward Tomasz Napierala /*- 1565f44d9e24SJohn Baldwin * Determine whether td may reschedule p. 15667fd6a959SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1567f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1568f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must 1569f44d9e24SJohn Baldwin * be held for p. 1570f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 15713b243b72SRobert Watson */ 1572a0f75161SRobert Watson int 1573f44d9e24SJohn Baldwin p_cansched(struct thread *td, struct proc *p) 1574387d2c03SRobert Watson { 157591421ba2SRobert Watson int error; 1576387d2c03SRobert Watson 1577f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1578f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1579f44d9e24SJohn Baldwin if (td->td_proc == p) 1580387d2c03SRobert Watson return (0); 1581f44d9e24SJohn Baldwin if ((error = prison_check(td->td_ucred, p->p_ucred))) 158291421ba2SRobert Watson return (error); 15838a1d977dSRobert Watson #ifdef MAC 158430d239bcSRobert Watson if ((error = mac_proc_check_sched(td->td_ucred, p))) 15858a1d977dSRobert Watson return (error); 15868a1d977dSRobert Watson #endif 15874ac21b4fSStephen J. Kiernan if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 15881b350b45SRobert Watson return (error); 15894ac21b4fSStephen J. Kiernan if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) 159064d19c2eSRobert Watson return (error); 1591800c9408SRobert Watson if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1592800c9408SRobert Watson td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 159332f9753cSRobert Watson error = priv_check(td, PRIV_SCHED_DIFFCRED); 1594800c9408SRobert Watson if (error) 1595800c9408SRobert Watson return (error); 1596800c9408SRobert Watson } 1597387d2c03SRobert Watson return (0); 1598387d2c03SRobert Watson } 1599387d2c03SRobert Watson 16003b243b72SRobert Watson /* 16015d476e73SRobert Watson * The 'unprivileged_proc_debug' flag may be used to disable a variety of 16025d476e73SRobert Watson * unprivileged inter-process debugging services, including some procfs 16035d476e73SRobert Watson * functionality, ptrace(), and ktrace(). In the past, inter-process 16045d476e73SRobert Watson * debugging has been involved in a variety of security problems, and sites 16055d476e73SRobert Watson * not requiring the service might choose to disable it when hardening 16065d476e73SRobert Watson * systems. 16073b243b72SRobert Watson * 16083b243b72SRobert Watson * XXX: Should modifying and reading this variable require locking? 1609eb725b4eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 16103b243b72SRobert Watson */ 1611e409590dSRobert Watson static int unprivileged_proc_debug = 1; 1612d0615c64SAndrew R. Reiter SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1613eb725b4eSRobert Watson &unprivileged_proc_debug, 0, 16140ef5652eSRobert Watson "Unprivileged processes may use process debugging facilities"); 16150ef5652eSRobert Watson 16161a996ed1SEdward Tomasz Napierala /*- 1617f44d9e24SJohn Baldwin * Determine whether td may debug p. 16187fd6a959SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1619f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1620f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must 1621f44d9e24SJohn Baldwin * be held for p. 1622f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 16233b243b72SRobert Watson */ 1624a0f75161SRobert Watson int 1625f44d9e24SJohn Baldwin p_candebug(struct thread *td, struct proc *p) 1626387d2c03SRobert Watson { 1627eb725b4eSRobert Watson int credentialchanged, error, grpsubset, i, uidsubset; 1628387d2c03SRobert Watson 1629f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1630f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1631e409590dSRobert Watson if (!unprivileged_proc_debug) { 163232f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_UNPRIV); 163332d18604SRobert Watson if (error) 163432d18604SRobert Watson return (error); 163532d18604SRobert Watson } 1636f44d9e24SJohn Baldwin if (td->td_proc == p) 163723fad5b6SDag-Erling Smørgrav return (0); 1638f44d9e24SJohn Baldwin if ((error = prison_check(td->td_ucred, p->p_ucred))) 163991421ba2SRobert Watson return (error); 16408a1d977dSRobert Watson #ifdef MAC 164130d239bcSRobert Watson if ((error = mac_proc_check_debug(td->td_ucred, p))) 16428a1d977dSRobert Watson return (error); 16438a1d977dSRobert Watson #endif 16444ac21b4fSStephen J. Kiernan if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 16451b350b45SRobert Watson return (error); 16464ac21b4fSStephen J. Kiernan if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) 164764d19c2eSRobert Watson return (error); 1648387d2c03SRobert Watson 16497fd6a959SRobert Watson /* 1650f44d9e24SJohn Baldwin * Is p's group set a subset of td's effective group set? This 1651f44d9e24SJohn Baldwin * includes p's egid, group access list, rgid, and svgid. 16527fd6a959SRobert Watson */ 1653db42a33dSRobert Watson grpsubset = 1; 1654f44d9e24SJohn Baldwin for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1655f44d9e24SJohn Baldwin if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1656db42a33dSRobert Watson grpsubset = 0; 1657db42a33dSRobert Watson break; 1658db42a33dSRobert Watson } 1659db42a33dSRobert Watson } 1660db42a33dSRobert Watson grpsubset = grpsubset && 1661f44d9e24SJohn Baldwin groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1662f44d9e24SJohn Baldwin groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1663db42a33dSRobert Watson 1664db42a33dSRobert Watson /* 1665f44d9e24SJohn Baldwin * Are the uids present in p's credential equal to td's 1666f44d9e24SJohn Baldwin * effective uid? This includes p's euid, svuid, and ruid. 1667db42a33dSRobert Watson */ 1668f44d9e24SJohn Baldwin uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1669f44d9e24SJohn Baldwin td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1670f44d9e24SJohn Baldwin td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1671db42a33dSRobert Watson 1672db42a33dSRobert Watson /* 1673db42a33dSRobert Watson * Has the credential of the process changed since the last exec()? 1674db42a33dSRobert Watson */ 1675f44d9e24SJohn Baldwin credentialchanged = (p->p_flag & P_SUGID); 1676db42a33dSRobert Watson 1677db42a33dSRobert Watson /* 1678f44d9e24SJohn Baldwin * If p's gids aren't a subset, or the uids aren't a subset, 1679db42a33dSRobert Watson * or the credential has changed, require appropriate privilege 1680800c9408SRobert Watson * for td to debug p. 1681db42a33dSRobert Watson */ 1682800c9408SRobert Watson if (!grpsubset || !uidsubset) { 168332f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1684800c9408SRobert Watson if (error) 1685800c9408SRobert Watson return (error); 1686800c9408SRobert Watson } 1687800c9408SRobert Watson 1688800c9408SRobert Watson if (credentialchanged) { 168932f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_SUGID); 169032d18604SRobert Watson if (error) 1691387d2c03SRobert Watson return (error); 16927fd6a959SRobert Watson } 1693387d2c03SRobert Watson 1694eb725b4eSRobert Watson /* Can't trace init when securelevel > 0. */ 1695f44d9e24SJohn Baldwin if (p == initproc) { 1696f44d9e24SJohn Baldwin error = securelevel_gt(td->td_ucred, 0); 16973ca719f1SRobert Watson if (error) 16983ca719f1SRobert Watson return (error); 16993ca719f1SRobert Watson } 1700387d2c03SRobert Watson 17015fab7614SRobert Watson /* 17025fab7614SRobert Watson * Can't trace a process that's currently exec'ing. 1703800c9408SRobert Watson * 17045fab7614SRobert Watson * XXX: Note, this is not a security policy decision, it's a 17055fab7614SRobert Watson * basic correctness/functionality decision. Therefore, this check 17065fab7614SRobert Watson * should be moved to the caller's of p_candebug(). 17075fab7614SRobert Watson */ 1708f44d9e24SJohn Baldwin if ((p->p_flag & P_INEXEC) != 0) 1709af80b2c9SKonstantin Belousov return (EBUSY); 17109ca45e81SDag-Erling Smørgrav 1711677258f7SKonstantin Belousov /* Denied explicitely */ 1712677258f7SKonstantin Belousov if ((p->p_flag2 & P2_NOTRACE) != 0) { 1713677258f7SKonstantin Belousov error = priv_check(td, PRIV_DEBUG_DENIED); 1714677258f7SKonstantin Belousov if (error != 0) 1715677258f7SKonstantin Belousov return (error); 1716677258f7SKonstantin Belousov } 1717677258f7SKonstantin Belousov 1718387d2c03SRobert Watson return (0); 1719387d2c03SRobert Watson } 1720387d2c03SRobert Watson 17211a996ed1SEdward Tomasz Napierala /*- 172229dc1288SRobert Watson * Determine whether the subject represented by cred can "see" a socket. 172329dc1288SRobert Watson * Returns: 0 for permitted, ENOENT otherwise. 172429dc1288SRobert Watson */ 172529dc1288SRobert Watson int 172629dc1288SRobert Watson cr_canseesocket(struct ucred *cred, struct socket *so) 172729dc1288SRobert Watson { 172829dc1288SRobert Watson int error; 172929dc1288SRobert Watson 173029dc1288SRobert Watson error = prison_check(cred, so->so_cred); 173129dc1288SRobert Watson if (error) 173229dc1288SRobert Watson return (ENOENT); 17338a1d977dSRobert Watson #ifdef MAC 173430d239bcSRobert Watson error = mac_socket_check_visible(cred, so); 17358a1d977dSRobert Watson if (error) 17368a1d977dSRobert Watson return (error); 17378a1d977dSRobert Watson #endif 17384ac21b4fSStephen J. Kiernan if (cr_canseeotheruids(cred, so->so_cred)) 173929dc1288SRobert Watson return (ENOENT); 17404ac21b4fSStephen J. Kiernan if (cr_canseeothergids(cred, so->so_cred)) 174164d19c2eSRobert Watson return (ENOENT); 174229dc1288SRobert Watson 174329dc1288SRobert Watson return (0); 174429dc1288SRobert Watson } 174529dc1288SRobert Watson 17461a996ed1SEdward Tomasz Napierala /*- 1747babe9a2bSRobert Watson * Determine whether td can wait for the exit of p. 1748babe9a2bSRobert Watson * Returns: 0 for permitted, an errno value otherwise 1749babe9a2bSRobert Watson * Locks: Sufficient locks to protect various components of td and p 1750babe9a2bSRobert Watson * must be held. td must be curthread, and a lock must 1751babe9a2bSRobert Watson * be held for p. 1752babe9a2bSRobert Watson * References: td and p must be valid for the lifetime of the call 1753babe9a2bSRobert Watson 1754babe9a2bSRobert Watson */ 1755babe9a2bSRobert Watson int 1756babe9a2bSRobert Watson p_canwait(struct thread *td, struct proc *p) 1757babe9a2bSRobert Watson { 1758babe9a2bSRobert Watson int error; 1759babe9a2bSRobert Watson 1760babe9a2bSRobert Watson KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1761babe9a2bSRobert Watson PROC_LOCK_ASSERT(p, MA_OWNED); 17627afcbc18SJamie Gritton if ((error = prison_check(td->td_ucred, p->p_ucred))) 1763babe9a2bSRobert Watson return (error); 1764babe9a2bSRobert Watson #ifdef MAC 176530d239bcSRobert Watson if ((error = mac_proc_check_wait(td->td_ucred, p))) 1766babe9a2bSRobert Watson return (error); 1767babe9a2bSRobert Watson #endif 1768babe9a2bSRobert Watson #if 0 1769babe9a2bSRobert Watson /* XXXMAC: This could have odd effects on some shells. */ 17704ac21b4fSStephen J. Kiernan if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1771babe9a2bSRobert Watson return (error); 1772babe9a2bSRobert Watson #endif 1773babe9a2bSRobert Watson 1774babe9a2bSRobert Watson return (0); 1775babe9a2bSRobert Watson } 1776babe9a2bSRobert Watson 1777a9e0361bSPoul-Henning Kamp /* 1778df8bae1dSRodney W. Grimes * Allocate a zeroed cred structure. 1779df8bae1dSRodney W. Grimes */ 1780df8bae1dSRodney W. Grimes struct ucred * 17814c44ad8eSJohn Baldwin crget(void) 1782df8bae1dSRodney W. Grimes { 1783df8bae1dSRodney W. Grimes register struct ucred *cr; 1784df8bae1dSRodney W. Grimes 17851ede983cSDag-Erling Smørgrav cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 17867e9e371fSJohn Baldwin refcount_init(&cr->cr_ref, 1); 1787faef5371SRobert Watson #ifdef AUDIT 1788faef5371SRobert Watson audit_cred_init(cr); 1789faef5371SRobert Watson #endif 179040244964SRobert Watson #ifdef MAC 179130d239bcSRobert Watson mac_cred_init(cr); 179240244964SRobert Watson #endif 1793a99500a9SMateusz Guzik cr->cr_groups = cr->cr_smallgroups; 1794a99500a9SMateusz Guzik cr->cr_agroups = 1795a99500a9SMateusz Guzik sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]); 1796df8bae1dSRodney W. Grimes return (cr); 1797df8bae1dSRodney W. Grimes } 1798df8bae1dSRodney W. Grimes 1799df8bae1dSRodney W. Grimes /* 18007fd6a959SRobert Watson * Claim another reference to a ucred structure. 18015c3f70d7SAlfred Perlstein */ 1802bd78ceceSJohn Baldwin struct ucred * 18034c44ad8eSJohn Baldwin crhold(struct ucred *cr) 18045c3f70d7SAlfred Perlstein { 18055c3f70d7SAlfred Perlstein 18067e9e371fSJohn Baldwin refcount_acquire(&cr->cr_ref); 1807bd78ceceSJohn Baldwin return (cr); 18085c3f70d7SAlfred Perlstein } 18095c3f70d7SAlfred Perlstein 18105c3f70d7SAlfred Perlstein /* 18110c14ff0eSRobert Watson * Free a cred structure. Throws away space when ref count gets to 0. 1812df8bae1dSRodney W. Grimes */ 181326f9a767SRodney W. Grimes void 18144c44ad8eSJohn Baldwin crfree(struct ucred *cr) 1815df8bae1dSRodney W. Grimes { 18161e5d626aSAlfred Perlstein 1817e04670b7SAlfred Perlstein KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 18187e9e371fSJohn Baldwin KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 18197e9e371fSJohn Baldwin if (refcount_release(&cr->cr_ref)) { 1820f535380cSDon Lewis /* 1821f535380cSDon Lewis * Some callers of crget(), such as nfs_statfs(), 1822f535380cSDon Lewis * allocate a temporary credential, but don't 1823f535380cSDon Lewis * allocate a uidinfo structure. 1824f535380cSDon Lewis */ 1825f535380cSDon Lewis if (cr->cr_uidinfo != NULL) 1826f535380cSDon Lewis uifree(cr->cr_uidinfo); 1827823c224eSRobert Watson if (cr->cr_ruidinfo != NULL) 1828823c224eSRobert Watson uifree(cr->cr_ruidinfo); 182991421ba2SRobert Watson /* 183091421ba2SRobert Watson * Free a prison, if any. 183191421ba2SRobert Watson */ 18320304c731SJamie Gritton if (cr->cr_prison != NULL) 183391421ba2SRobert Watson prison_free(cr->cr_prison); 18342bfc50bcSEdward Tomasz Napierala if (cr->cr_loginclass != NULL) 18352bfc50bcSEdward Tomasz Napierala loginclass_free(cr->cr_loginclass); 1836faef5371SRobert Watson #ifdef AUDIT 1837faef5371SRobert Watson audit_cred_destroy(cr); 1838faef5371SRobert Watson #endif 183940244964SRobert Watson #ifdef MAC 184030d239bcSRobert Watson mac_cred_destroy(cr); 184140244964SRobert Watson #endif 1842a99500a9SMateusz Guzik if (cr->cr_groups != cr->cr_smallgroups) 1843838d9858SBrooks Davis free(cr->cr_groups, M_CRED); 18441ede983cSDag-Erling Smørgrav free(cr, M_CRED); 1845e1bca29fSMatthew Dillon } 1846df8bae1dSRodney W. Grimes } 1847df8bae1dSRodney W. Grimes 1848df8bae1dSRodney W. Grimes /* 1849bd78ceceSJohn Baldwin * Copy a ucred's contents from a template. Does not block. 1850bd78ceceSJohn Baldwin */ 1851bd78ceceSJohn Baldwin void 18524c44ad8eSJohn Baldwin crcopy(struct ucred *dest, struct ucred *src) 1853bd78ceceSJohn Baldwin { 1854bd78ceceSJohn Baldwin 185525108069SMateusz Guzik KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred")); 1856bd78ceceSJohn Baldwin bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1857bd78ceceSJohn Baldwin (unsigned)((caddr_t)&src->cr_endcopy - 1858bd78ceceSJohn Baldwin (caddr_t)&src->cr_startcopy)); 1859838d9858SBrooks Davis crsetgroups(dest, src->cr_ngroups, src->cr_groups); 1860bd78ceceSJohn Baldwin uihold(dest->cr_uidinfo); 1861bd78ceceSJohn Baldwin uihold(dest->cr_ruidinfo); 1862bd78ceceSJohn Baldwin prison_hold(dest->cr_prison); 18632bfc50bcSEdward Tomasz Napierala loginclass_hold(dest->cr_loginclass); 1864faef5371SRobert Watson #ifdef AUDIT 1865faef5371SRobert Watson audit_cred_copy(src, dest); 1866faef5371SRobert Watson #endif 186740244964SRobert Watson #ifdef MAC 186830d239bcSRobert Watson mac_cred_copy(src, dest); 186940244964SRobert Watson #endif 1870df8bae1dSRodney W. Grimes } 1871df8bae1dSRodney W. Grimes 1872df8bae1dSRodney W. Grimes /* 1873df8bae1dSRodney W. Grimes * Dup cred struct to a new held one. 1874df8bae1dSRodney W. Grimes */ 1875df8bae1dSRodney W. Grimes struct ucred * 18764c44ad8eSJohn Baldwin crdup(struct ucred *cr) 1877df8bae1dSRodney W. Grimes { 1878df8bae1dSRodney W. Grimes struct ucred *newcr; 1879df8bae1dSRodney W. Grimes 1880bd78ceceSJohn Baldwin newcr = crget(); 1881bd78ceceSJohn Baldwin crcopy(newcr, cr); 1882df8bae1dSRodney W. Grimes return (newcr); 1883df8bae1dSRodney W. Grimes } 1884df8bae1dSRodney W. Grimes 1885df8bae1dSRodney W. Grimes /* 188676183f34SDima Dorfman * Fill in a struct xucred based on a struct ucred. 188776183f34SDima Dorfman */ 188876183f34SDima Dorfman void 18894c44ad8eSJohn Baldwin cru2x(struct ucred *cr, struct xucred *xcr) 189076183f34SDima Dorfman { 1891838d9858SBrooks Davis int ngroups; 189276183f34SDima Dorfman 189376183f34SDima Dorfman bzero(xcr, sizeof(*xcr)); 189476183f34SDima Dorfman xcr->cr_version = XUCRED_VERSION; 189576183f34SDima Dorfman xcr->cr_uid = cr->cr_uid; 1896838d9858SBrooks Davis 1897838d9858SBrooks Davis ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 1898838d9858SBrooks Davis xcr->cr_ngroups = ngroups; 1899838d9858SBrooks Davis bcopy(cr->cr_groups, xcr->cr_groups, 1900838d9858SBrooks Davis ngroups * sizeof(*cr->cr_groups)); 190176183f34SDima Dorfman } 190276183f34SDima Dorfman 190376183f34SDima Dorfman /* 1904ffb34484SMateusz Guzik * Set initial process credentials. 1905ffb34484SMateusz Guzik * Callers are responsible for providing the reference for provided credentials. 1906ffb34484SMateusz Guzik */ 1907ffb34484SMateusz Guzik void 1908ffb34484SMateusz Guzik proc_set_cred_init(struct proc *p, struct ucred *newcred) 1909ffb34484SMateusz Guzik { 1910ffb34484SMateusz Guzik 1911ffb34484SMateusz Guzik p->p_ucred = newcred; 1912ffb34484SMateusz Guzik } 1913ffb34484SMateusz Guzik 1914ffb34484SMateusz Guzik /* 1915daf63fd2SMateusz Guzik * Change process credentials. 1916ffb34484SMateusz Guzik * Callers are responsible for providing the reference for passed credentials 1917daf63fd2SMateusz Guzik * and for freeing old ones. 1918daf63fd2SMateusz Guzik * 1919daf63fd2SMateusz Guzik * Process has to be locked except when it does not have credentials (as it 1920daf63fd2SMateusz Guzik * should not be visible just yet) or when newcred is NULL (as this can be 1921daf63fd2SMateusz Guzik * only used when the process is about to be freed, at which point it should 1922daf63fd2SMateusz Guzik * not be visible anymore). 1923daf63fd2SMateusz Guzik */ 1924daf63fd2SMateusz Guzik struct ucred * 1925daf63fd2SMateusz Guzik proc_set_cred(struct proc *p, struct ucred *newcred) 1926daf63fd2SMateusz Guzik { 1927daf63fd2SMateusz Guzik struct ucred *oldcred; 1928daf63fd2SMateusz Guzik 1929ffb34484SMateusz Guzik MPASS(p->p_ucred != NULL); 1930daf63fd2SMateusz Guzik if (newcred == NULL) 1931daf63fd2SMateusz Guzik MPASS(p->p_state == PRS_ZOMBIE); 1932ffb34484SMateusz Guzik else 1933daf63fd2SMateusz Guzik PROC_LOCK_ASSERT(p, MA_OWNED); 1934daf63fd2SMateusz Guzik 1935daf63fd2SMateusz Guzik oldcred = p->p_ucred; 1936daf63fd2SMateusz Guzik p->p_ucred = newcred; 19374ea6a9a2SMateusz Guzik if (newcred != NULL) 19384ea6a9a2SMateusz Guzik PROC_UPDATE_COW(p); 1939daf63fd2SMateusz Guzik return (oldcred); 1940daf63fd2SMateusz Guzik } 1941daf63fd2SMateusz Guzik 1942838d9858SBrooks Davis struct ucred * 1943838d9858SBrooks Davis crcopysafe(struct proc *p, struct ucred *cr) 1944838d9858SBrooks Davis { 1945838d9858SBrooks Davis struct ucred *oldcred; 1946838d9858SBrooks Davis int groups; 1947838d9858SBrooks Davis 1948838d9858SBrooks Davis PROC_LOCK_ASSERT(p, MA_OWNED); 1949838d9858SBrooks Davis 1950838d9858SBrooks Davis oldcred = p->p_ucred; 1951838d9858SBrooks Davis while (cr->cr_agroups < oldcred->cr_agroups) { 1952838d9858SBrooks Davis groups = oldcred->cr_agroups; 1953838d9858SBrooks Davis PROC_UNLOCK(p); 1954838d9858SBrooks Davis crextend(cr, groups); 1955838d9858SBrooks Davis PROC_LOCK(p); 1956838d9858SBrooks Davis oldcred = p->p_ucred; 1957838d9858SBrooks Davis } 1958838d9858SBrooks Davis crcopy(cr, oldcred); 1959838d9858SBrooks Davis 1960838d9858SBrooks Davis return (oldcred); 1961838d9858SBrooks Davis } 1962838d9858SBrooks Davis 1963838d9858SBrooks Davis /* 1964838d9858SBrooks Davis * Extend the passed in credential to hold n items. 1965838d9858SBrooks Davis */ 1966c8358c6eSGleb Smirnoff void 1967838d9858SBrooks Davis crextend(struct ucred *cr, int n) 1968838d9858SBrooks Davis { 1969838d9858SBrooks Davis int cnt; 1970838d9858SBrooks Davis 1971838d9858SBrooks Davis /* Truncate? */ 1972838d9858SBrooks Davis if (n <= cr->cr_agroups) 1973838d9858SBrooks Davis return; 1974838d9858SBrooks Davis 1975838d9858SBrooks Davis /* 1976838d9858SBrooks Davis * We extend by 2 each time since we're using a power of two 1977838d9858SBrooks Davis * allocator until we need enough groups to fill a page. 1978838d9858SBrooks Davis * Once we're allocating multiple pages, only allocate as many 1979838d9858SBrooks Davis * as we actually need. The case of processes needing a 1980838d9858SBrooks Davis * non-power of two number of pages seems more likely than 1981838d9858SBrooks Davis * a real world process that adds thousands of groups one at a 1982838d9858SBrooks Davis * time. 1983838d9858SBrooks Davis */ 1984838d9858SBrooks Davis if ( n < PAGE_SIZE / sizeof(gid_t) ) { 1985838d9858SBrooks Davis if (cr->cr_agroups == 0) 1986838d9858SBrooks Davis cnt = MINALLOCSIZE / sizeof(gid_t); 1987838d9858SBrooks Davis else 1988838d9858SBrooks Davis cnt = cr->cr_agroups * 2; 1989838d9858SBrooks Davis 1990838d9858SBrooks Davis while (cnt < n) 1991838d9858SBrooks Davis cnt *= 2; 1992838d9858SBrooks Davis } else 1993838d9858SBrooks Davis cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); 1994838d9858SBrooks Davis 1995838d9858SBrooks Davis /* Free the old array. */ 1996a99500a9SMateusz Guzik if (cr->cr_groups != cr->cr_smallgroups) 1997838d9858SBrooks Davis free(cr->cr_groups, M_CRED); 1998838d9858SBrooks Davis 1999838d9858SBrooks Davis cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); 2000838d9858SBrooks Davis cr->cr_agroups = cnt; 2001838d9858SBrooks Davis } 2002838d9858SBrooks Davis 2003838d9858SBrooks Davis /* 20047f92e578SBrooks Davis * Copy groups in to a credential, preserving any necessary invariants. 20057f92e578SBrooks Davis * Currently this includes the sorting of all supplemental gids. 20067f92e578SBrooks Davis * crextend() must have been called before hand to ensure sufficient 20077f92e578SBrooks Davis * space is available. 2008838d9858SBrooks Davis */ 2009838d9858SBrooks Davis static void 2010838d9858SBrooks Davis crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) 2011838d9858SBrooks Davis { 20127f92e578SBrooks Davis int i; 20137f92e578SBrooks Davis int j; 20147f92e578SBrooks Davis gid_t g; 2015838d9858SBrooks Davis 2016838d9858SBrooks Davis KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); 2017838d9858SBrooks Davis 2018838d9858SBrooks Davis bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2019838d9858SBrooks Davis cr->cr_ngroups = ngrp; 20207f92e578SBrooks Davis 20217f92e578SBrooks Davis /* 20227f92e578SBrooks Davis * Sort all groups except cr_groups[0] to allow groupmember to 20237f92e578SBrooks Davis * perform a binary search. 20247f92e578SBrooks Davis * 20257f92e578SBrooks Davis * XXX: If large numbers of groups become common this should 20267f92e578SBrooks Davis * be replaced with shell sort like linux uses or possibly 20277f92e578SBrooks Davis * heap sort. 20287f92e578SBrooks Davis */ 20297f92e578SBrooks Davis for (i = 2; i < ngrp; i++) { 20307f92e578SBrooks Davis g = cr->cr_groups[i]; 20317f92e578SBrooks Davis for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) 20327f92e578SBrooks Davis cr->cr_groups[j + 1] = cr->cr_groups[j]; 20337f92e578SBrooks Davis cr->cr_groups[j + 1] = g; 20347f92e578SBrooks Davis } 2035838d9858SBrooks Davis } 2036838d9858SBrooks Davis 2037838d9858SBrooks Davis /* 2038838d9858SBrooks Davis * Copy groups in to a credential after expanding it if required. 2039412f9500SBrooks Davis * Truncate the list to (ngroups_max + 1) if it is too large. 2040838d9858SBrooks Davis */ 2041838d9858SBrooks Davis void 2042838d9858SBrooks Davis crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) 2043838d9858SBrooks Davis { 2044838d9858SBrooks Davis 2045412f9500SBrooks Davis if (ngrp > ngroups_max + 1) 2046412f9500SBrooks Davis ngrp = ngroups_max + 1; 2047838d9858SBrooks Davis 2048838d9858SBrooks Davis crextend(cr, ngrp); 2049838d9858SBrooks Davis crsetgroups_locked(cr, ngrp, groups); 2050838d9858SBrooks Davis } 2051838d9858SBrooks Davis 20522eb927e2SJulian Elischer /* 2053df8bae1dSRodney W. Grimes * Get login name, if available. 2054df8bae1dSRodney W. Grimes */ 2055d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 2056df8bae1dSRodney W. Grimes struct getlogin_args { 2057df8bae1dSRodney W. Grimes char *namebuf; 2058df8bae1dSRodney W. Grimes u_int namelen; 2059df8bae1dSRodney W. Grimes }; 2060d2d3e875SBruce Evans #endif 2061df8bae1dSRodney W. Grimes /* ARGSUSED */ 206226f9a767SRodney W. Grimes int 20638451d0ddSKip Macy sys_getlogin(struct thread *td, struct getlogin_args *uap) 2064df8bae1dSRodney W. Grimes { 2065f591779bSSeigo Tanimura char login[MAXLOGNAME]; 2066b40ce416SJulian Elischer struct proc *p = td->td_proc; 2067bccb6d5aSDag-Erling Smørgrav size_t len; 2068df8bae1dSRodney W. Grimes 206930cf3ac4SAndrey A. Chernov if (uap->namelen > MAXLOGNAME) 207053490b76SAndrey A. Chernov uap->namelen = MAXLOGNAME; 2071f591779bSSeigo Tanimura PROC_LOCK(p); 2072f591779bSSeigo Tanimura SESS_LOCK(p->p_session); 2073bccb6d5aSDag-Erling Smørgrav len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 2074f591779bSSeigo Tanimura SESS_UNLOCK(p->p_session); 2075f591779bSSeigo Tanimura PROC_UNLOCK(p); 2076bccb6d5aSDag-Erling Smørgrav if (len > uap->namelen) 20776f68699fSBaptiste Daroussin return (ERANGE); 2078bccb6d5aSDag-Erling Smørgrav return (copyout(login, uap->namebuf, len)); 2079df8bae1dSRodney W. Grimes } 2080df8bae1dSRodney W. Grimes 2081df8bae1dSRodney W. Grimes /* 2082df8bae1dSRodney W. Grimes * Set login name. 2083df8bae1dSRodney W. Grimes */ 2084d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 2085df8bae1dSRodney W. Grimes struct setlogin_args { 2086df8bae1dSRodney W. Grimes char *namebuf; 2087df8bae1dSRodney W. Grimes }; 2088d2d3e875SBruce Evans #endif 2089df8bae1dSRodney W. Grimes /* ARGSUSED */ 209026f9a767SRodney W. Grimes int 20918451d0ddSKip Macy sys_setlogin(struct thread *td, struct setlogin_args *uap) 2092df8bae1dSRodney W. Grimes { 2093b40ce416SJulian Elischer struct proc *p = td->td_proc; 2094df8bae1dSRodney W. Grimes int error; 2095964ca0caSAndrey A. Chernov char logintmp[MAXLOGNAME]; 2096df8bae1dSRodney W. Grimes 2097bccb6d5aSDag-Erling Smørgrav CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 2098bccb6d5aSDag-Erling Smørgrav 209932f9753cSRobert Watson error = priv_check(td, PRIV_PROC_SETLOGIN); 210007f3485dSJohn Baldwin if (error) 210107f3485dSJohn Baldwin return (error); 21027f05b035SAlfred Perlstein error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2103bccb6d5aSDag-Erling Smørgrav if (error != 0) { 2104eb725b4eSRobert Watson if (error == ENAMETOOLONG) 2105df8bae1dSRodney W. Grimes error = EINVAL; 2106bccb6d5aSDag-Erling Smørgrav return (error); 2107bccb6d5aSDag-Erling Smørgrav } 2108*70a98c11SRobert Watson AUDIT_ARG_LOGIN(logintmp); 2109f591779bSSeigo Tanimura PROC_LOCK(p); 2110f591779bSSeigo Tanimura SESS_LOCK(p->p_session); 2111bccb6d5aSDag-Erling Smørgrav strcpy(p->p_session->s_login, logintmp); 2112f591779bSSeigo Tanimura SESS_UNLOCK(p->p_session); 2113f591779bSSeigo Tanimura PROC_UNLOCK(p); 2114bccb6d5aSDag-Erling Smørgrav return (0); 2115df8bae1dSRodney W. Grimes } 2116d5f81602SSean Eric Fagan 2117d5f81602SSean Eric Fagan void 21184c44ad8eSJohn Baldwin setsugid(struct proc *p) 2119d5f81602SSean Eric Fagan { 2120f2102dadSAlfred Perlstein 2121f2102dadSAlfred Perlstein PROC_LOCK_ASSERT(p, MA_OWNED); 2122d5f81602SSean Eric Fagan p->p_flag |= P_SUGID; 212389361835SSean Eric Fagan if (!(p->p_pfsflags & PF_ISUGID)) 2124d5f81602SSean Eric Fagan p->p_stops = 0; 2125d5f81602SSean Eric Fagan } 2126f535380cSDon Lewis 21271a996ed1SEdward Tomasz Napierala /*- 21287fd6a959SRobert Watson * Change a process's effective uid. 2129b1fc0ec1SRobert Watson * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2130b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2131b1fc0ec1SRobert Watson * duration of the call. 2132f535380cSDon Lewis */ 2133f535380cSDon Lewis void 21341419eacbSAlfred Perlstein change_euid(struct ucred *newcred, struct uidinfo *euip) 2135f535380cSDon Lewis { 2136f535380cSDon Lewis 21371419eacbSAlfred Perlstein newcred->cr_uid = euip->ui_uid; 21381419eacbSAlfred Perlstein uihold(euip); 2139b1fc0ec1SRobert Watson uifree(newcred->cr_uidinfo); 21401419eacbSAlfred Perlstein newcred->cr_uidinfo = euip; 2141f535380cSDon Lewis } 2142f535380cSDon Lewis 21431a996ed1SEdward Tomasz Napierala /*- 21447fd6a959SRobert Watson * Change a process's effective gid. 2145b1fc0ec1SRobert Watson * Side effects: newcred->cr_gid will be modified. 2146b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2147b1fc0ec1SRobert Watson * duration of the call. 2148f535380cSDon Lewis */ 2149810bfc8eSAndrew Gallatin void 21504c44ad8eSJohn Baldwin change_egid(struct ucred *newcred, gid_t egid) 2151b1fc0ec1SRobert Watson { 2152b1fc0ec1SRobert Watson 2153b1fc0ec1SRobert Watson newcred->cr_groups[0] = egid; 2154b1fc0ec1SRobert Watson } 2155b1fc0ec1SRobert Watson 21561a996ed1SEdward Tomasz Napierala /*- 21577fd6a959SRobert Watson * Change a process's real uid. 2158b1fc0ec1SRobert Watson * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2159b1fc0ec1SRobert Watson * will be updated, and the old and new cr_ruidinfo proc 2160b1fc0ec1SRobert Watson * counts will be updated. 2161b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2162b1fc0ec1SRobert Watson * duration of the call. 2163b1fc0ec1SRobert Watson */ 2164b1fc0ec1SRobert Watson void 21651419eacbSAlfred Perlstein change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2166f535380cSDon Lewis { 2167f535380cSDon Lewis 2168b1fc0ec1SRobert Watson (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 21691419eacbSAlfred Perlstein newcred->cr_ruid = ruip->ui_uid; 21701419eacbSAlfred Perlstein uihold(ruip); 2171b1fc0ec1SRobert Watson uifree(newcred->cr_ruidinfo); 21721419eacbSAlfred Perlstein newcred->cr_ruidinfo = ruip; 2173b1fc0ec1SRobert Watson (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2174b1fc0ec1SRobert Watson } 2175b1fc0ec1SRobert Watson 21761a996ed1SEdward Tomasz Napierala /*- 21777fd6a959SRobert Watson * Change a process's real gid. 2178b1fc0ec1SRobert Watson * Side effects: newcred->cr_rgid will be updated. 2179b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2180b1fc0ec1SRobert Watson * duration of the call. 2181b1fc0ec1SRobert Watson */ 2182b1fc0ec1SRobert Watson void 21834c44ad8eSJohn Baldwin change_rgid(struct ucred *newcred, gid_t rgid) 2184b1fc0ec1SRobert Watson { 2185b1fc0ec1SRobert Watson 2186b1fc0ec1SRobert Watson newcred->cr_rgid = rgid; 2187b1fc0ec1SRobert Watson } 2188b1fc0ec1SRobert Watson 21891a996ed1SEdward Tomasz Napierala /*- 21907fd6a959SRobert Watson * Change a process's saved uid. 2191b1fc0ec1SRobert Watson * Side effects: newcred->cr_svuid will be updated. 2192b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2193b1fc0ec1SRobert Watson * duration of the call. 2194b1fc0ec1SRobert Watson */ 2195b1fc0ec1SRobert Watson void 21964c44ad8eSJohn Baldwin change_svuid(struct ucred *newcred, uid_t svuid) 2197b1fc0ec1SRobert Watson { 2198b1fc0ec1SRobert Watson 2199b1fc0ec1SRobert Watson newcred->cr_svuid = svuid; 2200b1fc0ec1SRobert Watson } 2201b1fc0ec1SRobert Watson 22021a996ed1SEdward Tomasz Napierala /*- 22037fd6a959SRobert Watson * Change a process's saved gid. 2204b1fc0ec1SRobert Watson * Side effects: newcred->cr_svgid will be updated. 2205b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2206b1fc0ec1SRobert Watson * duration of the call. 2207b1fc0ec1SRobert Watson */ 2208b1fc0ec1SRobert Watson void 22094c44ad8eSJohn Baldwin change_svgid(struct ucred *newcred, gid_t svgid) 2210b1fc0ec1SRobert Watson { 2211b1fc0ec1SRobert Watson 2212b1fc0ec1SRobert Watson newcred->cr_svgid = svgid; 2213f535380cSDon Lewis } 2214