19454b2d8SWarner Losh /*- 2df8bae1dSRodney W. Grimes * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3ef08c420SRobert Watson * The Regents of the University of California. 4df8bae1dSRodney W. Grimes * (c) UNIX System Laboratories, Inc. 5ef08c420SRobert Watson * Copyright (c) 2000-2001 Robert N. M. Watson. 6ef08c420SRobert Watson * All rights reserved. 7ef08c420SRobert Watson * 8df8bae1dSRodney W. Grimes * All or some portions of this file are derived from material licensed 9df8bae1dSRodney W. Grimes * to the University of California by American Telephone and Telegraph 10df8bae1dSRodney W. Grimes * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11df8bae1dSRodney W. Grimes * the permission of UNIX System Laboratories, Inc. 12df8bae1dSRodney W. Grimes * 13df8bae1dSRodney W. Grimes * Redistribution and use in source and binary forms, with or without 14df8bae1dSRodney W. Grimes * modification, are permitted provided that the following conditions 15df8bae1dSRodney W. Grimes * are met: 16df8bae1dSRodney W. Grimes * 1. Redistributions of source code must retain the above copyright 17df8bae1dSRodney W. Grimes * notice, this list of conditions and the following disclaimer. 18df8bae1dSRodney W. Grimes * 2. Redistributions in binary form must reproduce the above copyright 19df8bae1dSRodney W. Grimes * notice, this list of conditions and the following disclaimer in the 20df8bae1dSRodney W. Grimes * documentation and/or other materials provided with the distribution. 21df8bae1dSRodney W. Grimes * 4. Neither the name of the University nor the names of its contributors 22df8bae1dSRodney W. Grimes * may be used to endorse or promote products derived from this software 23df8bae1dSRodney W. Grimes * without specific prior written permission. 24df8bae1dSRodney W. Grimes * 25df8bae1dSRodney W. Grimes * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26df8bae1dSRodney W. Grimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27df8bae1dSRodney W. Grimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28df8bae1dSRodney W. Grimes * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29df8bae1dSRodney W. Grimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30df8bae1dSRodney W. Grimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31df8bae1dSRodney W. Grimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32df8bae1dSRodney W. Grimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33df8bae1dSRodney W. Grimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34df8bae1dSRodney W. Grimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35df8bae1dSRodney W. Grimes * SUCH DAMAGE. 36df8bae1dSRodney W. Grimes * 37df8bae1dSRodney W. Grimes * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38df8bae1dSRodney W. Grimes */ 39df8bae1dSRodney W. Grimes 40df8bae1dSRodney W. Grimes /* 41df8bae1dSRodney W. Grimes * System calls related to processes and protection 42df8bae1dSRodney W. Grimes */ 43df8bae1dSRodney W. Grimes 44677b542eSDavid E. O'Brien #include <sys/cdefs.h> 45677b542eSDavid E. O'Brien __FBSDID("$FreeBSD$"); 46677b542eSDavid E. O'Brien 475591b823SEivind Eklund #include "opt_compat.h" 48f08ef6c5SBjoern A. Zeeb #include "opt_inet.h" 49f08ef6c5SBjoern A. Zeeb #include "opt_inet6.h" 505591b823SEivind Eklund 51df8bae1dSRodney W. Grimes #include <sys/param.h> 52df8bae1dSRodney W. Grimes #include <sys/systm.h> 53fb919e4dSMark Murray #include <sys/acct.h> 54df04411aSRobert Watson #include <sys/kdb.h> 551c5bb3eaSPeter Wemm #include <sys/kernel.h> 5698f03f90SJake Burkholder #include <sys/lock.h> 572bfc50bcSEdward Tomasz Napierala #include <sys/loginclass.h> 58f9d0d524SRobert Watson #include <sys/malloc.h> 59fb919e4dSMark Murray #include <sys/mutex.h> 607e9e371fSJohn Baldwin #include <sys/refcount.h> 615b29d6e9SJohn Baldwin #include <sys/sx.h> 62800c9408SRobert Watson #include <sys/priv.h> 63f591779bSSeigo Tanimura #include <sys/proc.h> 64fb919e4dSMark Murray #include <sys/sysproto.h> 65eb725b4eSRobert Watson #include <sys/jail.h> 66d5f81602SSean Eric Fagan #include <sys/pioctl.h> 67e4dcb704SEdward Tomasz Napierala #include <sys/racct.h> 68f535380cSDon Lewis #include <sys/resourcevar.h> 6929dc1288SRobert Watson #include <sys/socket.h> 7029dc1288SRobert Watson #include <sys/socketvar.h> 713cb83e71SJohn Baldwin #include <sys/syscallsubr.h> 72579f4eb4SRobert Watson #include <sys/sysctl.h> 73df8bae1dSRodney W. Grimes 74de5b1952SAlexander Leidinger #ifdef REGRESSION 75de5b1952SAlexander Leidinger FEATURE(regression, 76ca54e1aeSHiroki Sato "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 77de5b1952SAlexander Leidinger #endif 78de5b1952SAlexander Leidinger 79f08ef6c5SBjoern A. Zeeb #if defined(INET) || defined(INET6) 80f08ef6c5SBjoern A. Zeeb #include <netinet/in.h> 81f08ef6c5SBjoern A. Zeeb #include <netinet/in_pcb.h> 82f08ef6c5SBjoern A. Zeeb #endif 83f08ef6c5SBjoern A. Zeeb 842f8a46d5SWayne Salamon #include <security/audit/audit.h> 85aed55708SRobert Watson #include <security/mac/mac_framework.h> 862f8a46d5SWayne Salamon 87a1c995b6SPoul-Henning Kamp static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 88a1c995b6SPoul-Henning Kamp 895702e096SRobert Watson SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 9048713bdcSRobert Watson 91838d9858SBrooks Davis static void crextend(struct ucred *cr, int n); 92838d9858SBrooks Davis static void crsetgroups_locked(struct ucred *cr, int ngrp, 93838d9858SBrooks Davis gid_t *groups); 94838d9858SBrooks Davis 95d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 96ad7507e2SSteven Wallace struct getpid_args { 97df8bae1dSRodney W. Grimes int dummy; 98df8bae1dSRodney W. Grimes }; 99d2d3e875SBruce Evans #endif 100df8bae1dSRodney W. Grimes /* ARGSUSED */ 10126f9a767SRodney W. Grimes int 1028451d0ddSKip Macy sys_getpid(struct thread *td, struct getpid_args *uap) 103df8bae1dSRodney W. Grimes { 104b40ce416SJulian Elischer struct proc *p = td->td_proc; 105df8bae1dSRodney W. Grimes 106b40ce416SJulian Elischer td->td_retval[0] = p->p_pid; 1071930e303SPoul-Henning Kamp #if defined(COMPAT_43) 108abd386baSMateusz Guzik td->td_retval[1] = kern_getppid(td); 109df8bae1dSRodney W. Grimes #endif 110df8bae1dSRodney W. Grimes return (0); 111df8bae1dSRodney W. Grimes } 112df8bae1dSRodney W. Grimes 113d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 114ad7507e2SSteven Wallace struct getppid_args { 115ad7507e2SSteven Wallace int dummy; 116ad7507e2SSteven Wallace }; 117d2d3e875SBruce Evans #endif 118df8bae1dSRodney W. Grimes /* ARGSUSED */ 11926f9a767SRodney W. Grimes int 1208451d0ddSKip Macy sys_getppid(struct thread *td, struct getppid_args *uap) 121df8bae1dSRodney W. Grimes { 122abd386baSMateusz Guzik 123abd386baSMateusz Guzik td->td_retval[0] = kern_getppid(td); 124abd386baSMateusz Guzik return (0); 125abd386baSMateusz Guzik } 126abd386baSMateusz Guzik 127abd386baSMateusz Guzik int 128abd386baSMateusz Guzik kern_getppid(struct thread *td) 129abd386baSMateusz Guzik { 130b40ce416SJulian Elischer struct proc *p = td->td_proc; 131abd386baSMateusz Guzik struct proc *pp; 132abd386baSMateusz Guzik int ppid; 133df8bae1dSRodney W. Grimes 134bae3a80bSJohn Baldwin PROC_LOCK(p); 135abd386baSMateusz Guzik if (!(p->p_flag & P_TRACED)) { 136abd386baSMateusz Guzik ppid = p->p_pptr->p_pid; 137bae3a80bSJohn Baldwin PROC_UNLOCK(p); 138abd386baSMateusz Guzik } else { 139abd386baSMateusz Guzik PROC_UNLOCK(p); 140abd386baSMateusz Guzik sx_slock(&proctree_lock); 141abd386baSMateusz Guzik pp = proc_realparent(p); 142abd386baSMateusz Guzik ppid = pp->p_pid; 143abd386baSMateusz Guzik sx_sunlock(&proctree_lock); 144abd386baSMateusz Guzik } 145abd386baSMateusz Guzik 146abd386baSMateusz Guzik return (ppid); 147df8bae1dSRodney W. Grimes } 148df8bae1dSRodney W. Grimes 14936e9f877SMatthew Dillon /* 150eb725b4eSRobert Watson * Get process group ID; note that POSIX getpgrp takes no parameter. 15136e9f877SMatthew Dillon */ 152d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 153ad7507e2SSteven Wallace struct getpgrp_args { 154ad7507e2SSteven Wallace int dummy; 155ad7507e2SSteven Wallace }; 156d2d3e875SBruce Evans #endif 15726f9a767SRodney W. Grimes int 1588451d0ddSKip Macy sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 159df8bae1dSRodney W. Grimes { 160b40ce416SJulian Elischer struct proc *p = td->td_proc; 161df8bae1dSRodney W. Grimes 162f591779bSSeigo Tanimura PROC_LOCK(p); 163b40ce416SJulian Elischer td->td_retval[0] = p->p_pgrp->pg_id; 164f591779bSSeigo Tanimura PROC_UNLOCK(p); 165df8bae1dSRodney W. Grimes return (0); 166df8bae1dSRodney W. Grimes } 167df8bae1dSRodney W. Grimes 1681a5018a0SPeter Wemm /* Get an arbitary pid's process group id */ 1691a5018a0SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1701a5018a0SPeter Wemm struct getpgid_args { 1711a5018a0SPeter Wemm pid_t pid; 1721a5018a0SPeter Wemm }; 1731a5018a0SPeter Wemm #endif 1741a5018a0SPeter Wemm int 1758451d0ddSKip Macy sys_getpgid(struct thread *td, struct getpgid_args *uap) 1761a5018a0SPeter Wemm { 177a70a2b74SJohn Baldwin struct proc *p; 178f2ae7368SJohn Baldwin int error; 17965de0c7aSDon Lewis 180f591779bSSeigo Tanimura if (uap->pid == 0) { 181a70a2b74SJohn Baldwin p = td->td_proc; 182f591779bSSeigo Tanimura PROC_LOCK(p); 183a70a2b74SJohn Baldwin } else { 184a70a2b74SJohn Baldwin p = pfind(uap->pid); 185a70a2b74SJohn Baldwin if (p == NULL) 186a70a2b74SJohn Baldwin return (ESRCH); 187a70a2b74SJohn Baldwin error = p_cansee(td, p); 188a70a2b74SJohn Baldwin if (error) { 189a70a2b74SJohn Baldwin PROC_UNLOCK(p); 190a70a2b74SJohn Baldwin return (error); 191a70a2b74SJohn Baldwin } 192a70a2b74SJohn Baldwin } 193b40ce416SJulian Elischer td->td_retval[0] = p->p_pgrp->pg_id; 194f591779bSSeigo Tanimura PROC_UNLOCK(p); 195a70a2b74SJohn Baldwin return (0); 1961a5018a0SPeter Wemm } 1971a5018a0SPeter Wemm 1981a5018a0SPeter Wemm /* 1991a5018a0SPeter Wemm * Get an arbitary pid's session id. 2001a5018a0SPeter Wemm */ 2011a5018a0SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 2021a5018a0SPeter Wemm struct getsid_args { 2031a5018a0SPeter Wemm pid_t pid; 2041a5018a0SPeter Wemm }; 2051a5018a0SPeter Wemm #endif 2061a5018a0SPeter Wemm int 2078451d0ddSKip Macy sys_getsid(struct thread *td, struct getsid_args *uap) 2081a5018a0SPeter Wemm { 209a70a2b74SJohn Baldwin struct proc *p; 210eb725b4eSRobert Watson int error; 21165de0c7aSDon Lewis 212f591779bSSeigo Tanimura if (uap->pid == 0) { 213a70a2b74SJohn Baldwin p = td->td_proc; 214f591779bSSeigo Tanimura PROC_LOCK(p); 215a70a2b74SJohn Baldwin } else { 216a70a2b74SJohn Baldwin p = pfind(uap->pid); 217a70a2b74SJohn Baldwin if (p == NULL) 218a70a2b74SJohn Baldwin return (ESRCH); 219a70a2b74SJohn Baldwin error = p_cansee(td, p); 220a70a2b74SJohn Baldwin if (error) { 221a70a2b74SJohn Baldwin PROC_UNLOCK(p); 222a70a2b74SJohn Baldwin return (error); 223a70a2b74SJohn Baldwin } 224a70a2b74SJohn Baldwin } 225b40ce416SJulian Elischer td->td_retval[0] = p->p_session->s_sid; 226f591779bSSeigo Tanimura PROC_UNLOCK(p); 227a70a2b74SJohn Baldwin return (0); 2281a5018a0SPeter Wemm } 2291a5018a0SPeter Wemm 230d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 231ad7507e2SSteven Wallace struct getuid_args { 232ad7507e2SSteven Wallace int dummy; 233ad7507e2SSteven Wallace }; 234d2d3e875SBruce Evans #endif 235df8bae1dSRodney W. Grimes /* ARGSUSED */ 23626f9a767SRodney W. Grimes int 2378451d0ddSKip Macy sys_getuid(struct thread *td, struct getuid_args *uap) 238df8bae1dSRodney W. Grimes { 239df8bae1dSRodney W. Grimes 240d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_ruid; 2411930e303SPoul-Henning Kamp #if defined(COMPAT_43) 242d846883bSJohn Baldwin td->td_retval[1] = td->td_ucred->cr_uid; 243df8bae1dSRodney W. Grimes #endif 244df8bae1dSRodney W. Grimes return (0); 245df8bae1dSRodney W. Grimes } 246df8bae1dSRodney W. Grimes 247d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 248ad7507e2SSteven Wallace struct geteuid_args { 249ad7507e2SSteven Wallace int dummy; 250ad7507e2SSteven Wallace }; 251d2d3e875SBruce Evans #endif 252df8bae1dSRodney W. Grimes /* ARGSUSED */ 25326f9a767SRodney W. Grimes int 2548451d0ddSKip Macy sys_geteuid(struct thread *td, struct geteuid_args *uap) 255df8bae1dSRodney W. Grimes { 256d846883bSJohn Baldwin 257d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_uid; 258df8bae1dSRodney W. Grimes return (0); 259df8bae1dSRodney W. Grimes } 260df8bae1dSRodney W. Grimes 261d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 262ad7507e2SSteven Wallace struct getgid_args { 263ad7507e2SSteven Wallace int dummy; 264ad7507e2SSteven Wallace }; 265d2d3e875SBruce Evans #endif 266df8bae1dSRodney W. Grimes /* ARGSUSED */ 26726f9a767SRodney W. Grimes int 2688451d0ddSKip Macy sys_getgid(struct thread *td, struct getgid_args *uap) 269df8bae1dSRodney W. Grimes { 270df8bae1dSRodney W. Grimes 271d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_rgid; 2721930e303SPoul-Henning Kamp #if defined(COMPAT_43) 273d846883bSJohn Baldwin td->td_retval[1] = td->td_ucred->cr_groups[0]; 274df8bae1dSRodney W. Grimes #endif 275df8bae1dSRodney W. Grimes return (0); 276df8bae1dSRodney W. Grimes } 277df8bae1dSRodney W. Grimes 278df8bae1dSRodney W. Grimes /* 279df8bae1dSRodney W. Grimes * Get effective group ID. The "egid" is groups[0], and could be obtained 280df8bae1dSRodney W. Grimes * via getgroups. This syscall exists because it is somewhat painful to do 281df8bae1dSRodney W. Grimes * correctly in a library function. 282df8bae1dSRodney W. Grimes */ 283d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 284ad7507e2SSteven Wallace struct getegid_args { 285ad7507e2SSteven Wallace int dummy; 286ad7507e2SSteven Wallace }; 287d2d3e875SBruce Evans #endif 288df8bae1dSRodney W. Grimes /* ARGSUSED */ 28926f9a767SRodney W. Grimes int 2908451d0ddSKip Macy sys_getegid(struct thread *td, struct getegid_args *uap) 291df8bae1dSRodney W. Grimes { 292df8bae1dSRodney W. Grimes 293d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_groups[0]; 294df8bae1dSRodney W. Grimes return (0); 295df8bae1dSRodney W. Grimes } 296df8bae1dSRodney W. Grimes 297d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 298df8bae1dSRodney W. Grimes struct getgroups_args { 299df8bae1dSRodney W. Grimes u_int gidsetsize; 300df8bae1dSRodney W. Grimes gid_t *gidset; 301df8bae1dSRodney W. Grimes }; 302d2d3e875SBruce Evans #endif 30326f9a767SRodney W. Grimes int 3048451d0ddSKip Macy sys_getgroups(struct thread *td, register struct getgroups_args *uap) 305df8bae1dSRodney W. Grimes { 30607b384cbSMateusz Guzik struct ucred *cred; 307b1fc0ec1SRobert Watson u_int ngrp; 308eb725b4eSRobert Watson int error; 309df8bae1dSRodney W. Grimes 3103cb83e71SJohn Baldwin cred = td->td_ucred; 31107b384cbSMateusz Guzik ngrp = cred->cr_ngroups; 31207b384cbSMateusz Guzik 31307b384cbSMateusz Guzik if (uap->gidsetsize == 0) { 31407b384cbSMateusz Guzik error = 0; 31507b384cbSMateusz Guzik goto out; 3163cb83e71SJohn Baldwin } 31707b384cbSMateusz Guzik if (uap->gidsetsize < ngrp) 3183cb83e71SJohn Baldwin return (EINVAL); 31907b384cbSMateusz Guzik 32007b384cbSMateusz Guzik error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 32107b384cbSMateusz Guzik out: 32207b384cbSMateusz Guzik td->td_retval[0] = ngrp; 32307b384cbSMateusz Guzik return (error); 3243cb83e71SJohn Baldwin } 3253cb83e71SJohn Baldwin 326d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 32782970b81SBruce Evans struct setsid_args { 328ad7507e2SSteven Wallace int dummy; 329ad7507e2SSteven Wallace }; 330d2d3e875SBruce Evans #endif 331df8bae1dSRodney W. Grimes /* ARGSUSED */ 33226f9a767SRodney W. Grimes int 3338451d0ddSKip Macy sys_setsid(register struct thread *td, struct setsid_args *uap) 334df8bae1dSRodney W. Grimes { 335f591779bSSeigo Tanimura struct pgrp *pgrp; 336835a82eeSMatthew Dillon int error; 337b40ce416SJulian Elischer struct proc *p = td->td_proc; 338f591779bSSeigo Tanimura struct pgrp *newpgrp; 339f591779bSSeigo Tanimura struct session *newsess; 340f591779bSSeigo Tanimura 341f591779bSSeigo Tanimura error = 0; 342f591779bSSeigo Tanimura pgrp = NULL; 343df8bae1dSRodney W. Grimes 3441ede983cSDag-Erling Smørgrav newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 3451ede983cSDag-Erling Smørgrav newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 346f591779bSSeigo Tanimura 347c8b1829dSJohn Baldwin sx_xlock(&proctree_lock); 348f591779bSSeigo Tanimura 349f591779bSSeigo Tanimura if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 350f591779bSSeigo Tanimura if (pgrp != NULL) 351f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 352835a82eeSMatthew Dillon error = EPERM; 353f591779bSSeigo Tanimura } else { 354f591779bSSeigo Tanimura (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 355b40ce416SJulian Elischer td->td_retval[0] = p->p_pid; 356c8b1829dSJohn Baldwin newpgrp = NULL; 357c8b1829dSJohn Baldwin newsess = NULL; 358df8bae1dSRodney W. Grimes } 359f591779bSSeigo Tanimura 360c8b1829dSJohn Baldwin sx_xunlock(&proctree_lock); 361f591779bSSeigo Tanimura 362c8b1829dSJohn Baldwin if (newpgrp != NULL) 3631ede983cSDag-Erling Smørgrav free(newpgrp, M_PGRP); 364c8b1829dSJohn Baldwin if (newsess != NULL) 3651ede983cSDag-Erling Smørgrav free(newsess, M_SESSION); 3661c2451c2SSeigo Tanimura 367c8b1829dSJohn Baldwin return (error); 368df8bae1dSRodney W. Grimes } 369df8bae1dSRodney W. Grimes 370df8bae1dSRodney W. Grimes /* 371df8bae1dSRodney W. Grimes * set process group (setpgid/old setpgrp) 372df8bae1dSRodney W. Grimes * 373df8bae1dSRodney W. Grimes * caller does setpgid(targpid, targpgid) 374df8bae1dSRodney W. Grimes * 375df8bae1dSRodney W. Grimes * pid must be caller or child of caller (ESRCH) 376df8bae1dSRodney W. Grimes * if a child 377df8bae1dSRodney W. Grimes * pid must be in same session (EPERM) 378df8bae1dSRodney W. Grimes * pid can't have done an exec (EACCES) 379df8bae1dSRodney W. Grimes * if pgid != pid 380df8bae1dSRodney W. Grimes * there must exist some pid in same session having pgid (EPERM) 381df8bae1dSRodney W. Grimes * pid must not be session leader (EPERM) 382df8bae1dSRodney W. Grimes */ 383d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 384df8bae1dSRodney W. Grimes struct setpgid_args { 385df8bae1dSRodney W. Grimes int pid; /* target process id */ 386df8bae1dSRodney W. Grimes int pgid; /* target pgrp id */ 387df8bae1dSRodney W. Grimes }; 388d2d3e875SBruce Evans #endif 389df8bae1dSRodney W. Grimes /* ARGSUSED */ 39026f9a767SRodney W. Grimes int 3918451d0ddSKip Macy sys_setpgid(struct thread *td, register struct setpgid_args *uap) 392df8bae1dSRodney W. Grimes { 393b40ce416SJulian Elischer struct proc *curp = td->td_proc; 394df8bae1dSRodney W. Grimes register struct proc *targp; /* target process */ 395df8bae1dSRodney W. Grimes register struct pgrp *pgrp; /* target pgrp */ 396eb9e5c1dSRobert Watson int error; 397f591779bSSeigo Tanimura struct pgrp *newpgrp; 398df8bae1dSRodney W. Grimes 39978f64bccSBruce Evans if (uap->pgid < 0) 40078f64bccSBruce Evans return (EINVAL); 401f591779bSSeigo Tanimura 402f591779bSSeigo Tanimura error = 0; 403f591779bSSeigo Tanimura 4041ede983cSDag-Erling Smørgrav newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 405f591779bSSeigo Tanimura 406c8b1829dSJohn Baldwin sx_xlock(&proctree_lock); 407df8bae1dSRodney W. Grimes if (uap->pid != 0 && uap->pid != curp->p_pid) { 408f591779bSSeigo Tanimura if ((targp = pfind(uap->pid)) == NULL) { 409835a82eeSMatthew Dillon error = ESRCH; 410c8b1829dSJohn Baldwin goto done; 41133a9ed9dSJohn Baldwin } 412f591779bSSeigo Tanimura if (!inferior(targp)) { 413f591779bSSeigo Tanimura PROC_UNLOCK(targp); 4142f932587SSeigo Tanimura error = ESRCH; 415c8b1829dSJohn Baldwin goto done; 416f591779bSSeigo Tanimura } 41771a057bcSRobert Watson if ((error = p_cansee(td, targp))) { 41833a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 419c8b1829dSJohn Baldwin goto done; 42033a9ed9dSJohn Baldwin } 42133a9ed9dSJohn Baldwin if (targp->p_pgrp == NULL || 42233a9ed9dSJohn Baldwin targp->p_session != curp->p_session) { 42333a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 424835a82eeSMatthew Dillon error = EPERM; 425c8b1829dSJohn Baldwin goto done; 42633a9ed9dSJohn Baldwin } 42733a9ed9dSJohn Baldwin if (targp->p_flag & P_EXEC) { 42833a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 429835a82eeSMatthew Dillon error = EACCES; 430c8b1829dSJohn Baldwin goto done; 43133a9ed9dSJohn Baldwin } 43233a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 433f591779bSSeigo Tanimura } else 434f591779bSSeigo Tanimura targp = curp; 435f591779bSSeigo Tanimura if (SESS_LEADER(targp)) { 436835a82eeSMatthew Dillon error = EPERM; 437c8b1829dSJohn Baldwin goto done; 43833a9ed9dSJohn Baldwin } 439eb725b4eSRobert Watson if (uap->pgid == 0) 440df8bae1dSRodney W. Grimes uap->pgid = targp->p_pid; 441a10d5f02SOlivier Houchard if ((pgrp = pgfind(uap->pgid)) == NULL) { 442f591779bSSeigo Tanimura if (uap->pgid == targp->p_pid) { 443a10d5f02SOlivier Houchard error = enterpgrp(targp, uap->pgid, newpgrp, 444a10d5f02SOlivier Houchard NULL); 445f591779bSSeigo Tanimura if (error == 0) 446f591779bSSeigo Tanimura newpgrp = NULL; 447a10d5f02SOlivier Houchard } else 448835a82eeSMatthew Dillon error = EPERM; 449a10d5f02SOlivier Houchard } else { 450f591779bSSeigo Tanimura if (pgrp == targp->p_pgrp) { 451f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 452f591779bSSeigo Tanimura goto done; 45333a9ed9dSJohn Baldwin } 454a10d5f02SOlivier Houchard if (pgrp->pg_id != targp->p_pid && 455a10d5f02SOlivier Houchard pgrp->pg_session != curp->p_session) { 456a10d5f02SOlivier Houchard PGRP_UNLOCK(pgrp); 457a10d5f02SOlivier Houchard error = EPERM; 458a10d5f02SOlivier Houchard goto done; 459a10d5f02SOlivier Houchard } 460f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 461f591779bSSeigo Tanimura error = enterthispgrp(targp, pgrp); 462f591779bSSeigo Tanimura } 463f591779bSSeigo Tanimura done: 464c8b1829dSJohn Baldwin sx_xunlock(&proctree_lock); 465c8b1829dSJohn Baldwin KASSERT((error == 0) || (newpgrp != NULL), 466c8b1829dSJohn Baldwin ("setpgid failed and newpgrp is NULL")); 4676041fa0aSSeigo Tanimura if (newpgrp != NULL) 4681ede983cSDag-Erling Smørgrav free(newpgrp, M_PGRP); 469835a82eeSMatthew Dillon return (error); 470df8bae1dSRodney W. Grimes } 471df8bae1dSRodney W. Grimes 472a08f4bf6SPeter Wemm /* 473a08f4bf6SPeter Wemm * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 4742fa72ea7SJeroen Ruigrok van der Werven * compatible. It says that setting the uid/gid to euid/egid is a special 475a08f4bf6SPeter Wemm * case of "appropriate privilege". Once the rules are expanded out, this 476a08f4bf6SPeter Wemm * basically means that setuid(nnn) sets all three id's, in all permitted 477a08f4bf6SPeter Wemm * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 478a08f4bf6SPeter Wemm * does not set the saved id - this is dangerous for traditional BSD 479a08f4bf6SPeter Wemm * programs. For this reason, we *really* do not want to set 480a08f4bf6SPeter Wemm * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 481a08f4bf6SPeter Wemm */ 482a08f4bf6SPeter Wemm #define POSIX_APPENDIX_B_4_2_2 483a08f4bf6SPeter Wemm 484d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 485df8bae1dSRodney W. Grimes struct setuid_args { 486df8bae1dSRodney W. Grimes uid_t uid; 487df8bae1dSRodney W. Grimes }; 488d2d3e875SBruce Evans #endif 489df8bae1dSRodney W. Grimes /* ARGSUSED */ 49026f9a767SRodney W. Grimes int 4918451d0ddSKip Macy sys_setuid(struct thread *td, struct setuid_args *uap) 492df8bae1dSRodney W. Grimes { 493b40ce416SJulian Elischer struct proc *p = td->td_proc; 494b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 495b1fc0ec1SRobert Watson uid_t uid; 4961419eacbSAlfred Perlstein struct uidinfo *uip; 497eb725b4eSRobert Watson int error; 498df8bae1dSRodney W. Grimes 49907f3485dSJohn Baldwin uid = uap->uid; 50014961ba7SRobert Watson AUDIT_ARG_UID(uid); 50107f3485dSJohn Baldwin newcred = crget(); 5021419eacbSAlfred Perlstein uip = uifind(uid); 50307f3485dSJohn Baldwin PROC_LOCK(p); 504838d9858SBrooks Davis /* 505838d9858SBrooks Davis * Copy credentials so other references do not see our changes. 506838d9858SBrooks Davis */ 507838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 5085a92ee3cSRobert Watson 509030a28b3SRobert Watson #ifdef MAC 5106f6174a7SRobert Watson error = mac_cred_check_setuid(oldcred, uid); 511030a28b3SRobert Watson if (error) 512030a28b3SRobert Watson goto fail; 513030a28b3SRobert Watson #endif 514030a28b3SRobert Watson 515a08f4bf6SPeter Wemm /* 516a08f4bf6SPeter Wemm * See if we have "permission" by POSIX 1003.1 rules. 517a08f4bf6SPeter Wemm * 518a08f4bf6SPeter Wemm * Note that setuid(geteuid()) is a special case of 519a08f4bf6SPeter Wemm * "appropriate privileges" in appendix B.4.2.2. We need 5202fa72ea7SJeroen Ruigrok van der Werven * to use this clause to be compatible with traditional BSD 521a08f4bf6SPeter Wemm * semantics. Basically, it means that "setuid(xx)" sets all 522a08f4bf6SPeter Wemm * three id's (assuming you have privs). 523a08f4bf6SPeter Wemm * 524a08f4bf6SPeter Wemm * Notes on the logic. We do things in three steps. 525a08f4bf6SPeter Wemm * 1: We determine if the euid is going to change, and do EPERM 526a08f4bf6SPeter Wemm * right away. We unconditionally change the euid later if this 527a08f4bf6SPeter Wemm * test is satisfied, simplifying that part of the logic. 528eb725b4eSRobert Watson * 2: We determine if the real and/or saved uids are going to 529a08f4bf6SPeter Wemm * change. Determined by compile options. 530a08f4bf6SPeter Wemm * 3: Change euid last. (after tests in #2 for "appropriate privs") 531a08f4bf6SPeter Wemm */ 532b1fc0ec1SRobert Watson if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 5333f246666SAndrey A. Chernov #ifdef _POSIX_SAVED_IDS 534b1fc0ec1SRobert Watson uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 535a08f4bf6SPeter Wemm #endif 536a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 537b1fc0ec1SRobert Watson uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 5383f246666SAndrey A. Chernov #endif 53932f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 540030a28b3SRobert Watson goto fail; 541a08f4bf6SPeter Wemm 542a08f4bf6SPeter Wemm #ifdef _POSIX_SAVED_IDS 543df8bae1dSRodney W. Grimes /* 544a08f4bf6SPeter Wemm * Do we have "appropriate privileges" (are we root or uid == euid) 545a08f4bf6SPeter Wemm * If so, we are changing the real uid and/or saved uid. 546df8bae1dSRodney W. Grimes */ 5473f246666SAndrey A. Chernov if ( 548a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 549b1fc0ec1SRobert Watson uid == oldcred->cr_uid || 5503f246666SAndrey A. Chernov #endif 551800c9408SRobert Watson /* We are using privs. */ 55232f9753cSRobert Watson priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 553a08f4bf6SPeter Wemm #endif 554a08f4bf6SPeter Wemm { 555a08f4bf6SPeter Wemm /* 556f535380cSDon Lewis * Set the real uid and transfer proc count to new user. 557a08f4bf6SPeter Wemm */ 558b1fc0ec1SRobert Watson if (uid != oldcred->cr_ruid) { 5591419eacbSAlfred Perlstein change_ruid(newcred, uip); 560f535380cSDon Lewis setsugid(p); 561d3cdb93dSAndrey A. Chernov } 562a08f4bf6SPeter Wemm /* 563a08f4bf6SPeter Wemm * Set saved uid 564a08f4bf6SPeter Wemm * 565a08f4bf6SPeter Wemm * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 566a08f4bf6SPeter Wemm * the security of seteuid() depends on it. B.4.2.2 says it 567a08f4bf6SPeter Wemm * is important that we should do this. 568a08f4bf6SPeter Wemm */ 569b1fc0ec1SRobert Watson if (uid != oldcred->cr_svuid) { 570b1fc0ec1SRobert Watson change_svuid(newcred, uid); 571d5f81602SSean Eric Fagan setsugid(p); 572a08f4bf6SPeter Wemm } 573a08f4bf6SPeter Wemm } 574a08f4bf6SPeter Wemm 575a08f4bf6SPeter Wemm /* 576a08f4bf6SPeter Wemm * In all permitted cases, we are changing the euid. 577a08f4bf6SPeter Wemm */ 578b1fc0ec1SRobert Watson if (uid != oldcred->cr_uid) { 5791419eacbSAlfred Perlstein change_euid(newcred, uip); 580d5f81602SSean Eric Fagan setsugid(p); 581a08f4bf6SPeter Wemm } 582b1fc0ec1SRobert Watson p->p_ucred = newcred; 58307f3485dSJohn Baldwin PROC_UNLOCK(p); 584e4dcb704SEdward Tomasz Napierala #ifdef RACCT 585e4dcb704SEdward Tomasz Napierala racct_proc_ucred_changed(p, oldcred, newcred); 586e4dcb704SEdward Tomasz Napierala #endif 5871419eacbSAlfred Perlstein uifree(uip); 588b1fc0ec1SRobert Watson crfree(oldcred); 58907f3485dSJohn Baldwin return (0); 590030a28b3SRobert Watson 591030a28b3SRobert Watson fail: 592030a28b3SRobert Watson PROC_UNLOCK(p); 593030a28b3SRobert Watson uifree(uip); 594030a28b3SRobert Watson crfree(newcred); 595030a28b3SRobert Watson return (error); 596df8bae1dSRodney W. Grimes } 597df8bae1dSRodney W. Grimes 598d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 599df8bae1dSRodney W. Grimes struct seteuid_args { 600df8bae1dSRodney W. Grimes uid_t euid; 601df8bae1dSRodney W. Grimes }; 602d2d3e875SBruce Evans #endif 603df8bae1dSRodney W. Grimes /* ARGSUSED */ 60426f9a767SRodney W. Grimes int 6058451d0ddSKip Macy sys_seteuid(struct thread *td, struct seteuid_args *uap) 606df8bae1dSRodney W. Grimes { 607b40ce416SJulian Elischer struct proc *p = td->td_proc; 608b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 609b1fc0ec1SRobert Watson uid_t euid; 6101419eacbSAlfred Perlstein struct uidinfo *euip; 611eb725b4eSRobert Watson int error; 612df8bae1dSRodney W. Grimes 613df8bae1dSRodney W. Grimes euid = uap->euid; 61414961ba7SRobert Watson AUDIT_ARG_EUID(euid); 61507f3485dSJohn Baldwin newcred = crget(); 6161419eacbSAlfred Perlstein euip = uifind(euid); 61707f3485dSJohn Baldwin PROC_LOCK(p); 618838d9858SBrooks Davis /* 619838d9858SBrooks Davis * Copy credentials so other references do not see our changes. 620838d9858SBrooks Davis */ 621838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 622030a28b3SRobert Watson 623030a28b3SRobert Watson #ifdef MAC 6246f6174a7SRobert Watson error = mac_cred_check_seteuid(oldcred, euid); 625030a28b3SRobert Watson if (error) 626030a28b3SRobert Watson goto fail; 627030a28b3SRobert Watson #endif 628030a28b3SRobert Watson 629b1fc0ec1SRobert Watson if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 630b1fc0ec1SRobert Watson euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 63132f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 632030a28b3SRobert Watson goto fail; 633030a28b3SRobert Watson 634df8bae1dSRodney W. Grimes /* 635838d9858SBrooks Davis * Everything's okay, do it. 636df8bae1dSRodney W. Grimes */ 637b1fc0ec1SRobert Watson if (oldcred->cr_uid != euid) { 6381419eacbSAlfred Perlstein change_euid(newcred, euip); 639d5f81602SSean Eric Fagan setsugid(p); 640229a15f0SPeter Wemm } 641b1fc0ec1SRobert Watson p->p_ucred = newcred; 64207f3485dSJohn Baldwin PROC_UNLOCK(p); 6431419eacbSAlfred Perlstein uifree(euip); 644b1fc0ec1SRobert Watson crfree(oldcred); 64507f3485dSJohn Baldwin return (0); 646030a28b3SRobert Watson 647030a28b3SRobert Watson fail: 648030a28b3SRobert Watson PROC_UNLOCK(p); 649030a28b3SRobert Watson uifree(euip); 650030a28b3SRobert Watson crfree(newcred); 651030a28b3SRobert Watson return (error); 652df8bae1dSRodney W. Grimes } 653df8bae1dSRodney W. Grimes 654d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 655df8bae1dSRodney W. Grimes struct setgid_args { 656df8bae1dSRodney W. Grimes gid_t gid; 657df8bae1dSRodney W. Grimes }; 658d2d3e875SBruce Evans #endif 659df8bae1dSRodney W. Grimes /* ARGSUSED */ 66026f9a767SRodney W. Grimes int 6618451d0ddSKip Macy sys_setgid(struct thread *td, struct setgid_args *uap) 662df8bae1dSRodney W. Grimes { 663b40ce416SJulian Elischer struct proc *p = td->td_proc; 664b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 665b1fc0ec1SRobert Watson gid_t gid; 666eb725b4eSRobert Watson int error; 667df8bae1dSRodney W. Grimes 668b1fc0ec1SRobert Watson gid = uap->gid; 66914961ba7SRobert Watson AUDIT_ARG_GID(gid); 67007f3485dSJohn Baldwin newcred = crget(); 67107f3485dSJohn Baldwin PROC_LOCK(p); 672838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 6735a92ee3cSRobert Watson 674030a28b3SRobert Watson #ifdef MAC 6756f6174a7SRobert Watson error = mac_cred_check_setgid(oldcred, gid); 676030a28b3SRobert Watson if (error) 677030a28b3SRobert Watson goto fail; 678030a28b3SRobert Watson #endif 679030a28b3SRobert Watson 680a08f4bf6SPeter Wemm /* 681a08f4bf6SPeter Wemm * See if we have "permission" by POSIX 1003.1 rules. 682a08f4bf6SPeter Wemm * 683a08f4bf6SPeter Wemm * Note that setgid(getegid()) is a special case of 684a08f4bf6SPeter Wemm * "appropriate privileges" in appendix B.4.2.2. We need 6852fa72ea7SJeroen Ruigrok van der Werven * to use this clause to be compatible with traditional BSD 686a08f4bf6SPeter Wemm * semantics. Basically, it means that "setgid(xx)" sets all 687a08f4bf6SPeter Wemm * three id's (assuming you have privs). 688a08f4bf6SPeter Wemm * 689a08f4bf6SPeter Wemm * For notes on the logic here, see setuid() above. 690a08f4bf6SPeter Wemm */ 691b1fc0ec1SRobert Watson if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 6923f246666SAndrey A. Chernov #ifdef _POSIX_SAVED_IDS 693b1fc0ec1SRobert Watson gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 694a08f4bf6SPeter Wemm #endif 695a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 696b1fc0ec1SRobert Watson gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 6973f246666SAndrey A. Chernov #endif 69832f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 699030a28b3SRobert Watson goto fail; 700a08f4bf6SPeter Wemm 701a08f4bf6SPeter Wemm #ifdef _POSIX_SAVED_IDS 702a08f4bf6SPeter Wemm /* 703a08f4bf6SPeter Wemm * Do we have "appropriate privileges" (are we root or gid == egid) 704a08f4bf6SPeter Wemm * If so, we are changing the real uid and saved gid. 705a08f4bf6SPeter Wemm */ 706a08f4bf6SPeter Wemm if ( 707a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 708b1fc0ec1SRobert Watson gid == oldcred->cr_groups[0] || 709a08f4bf6SPeter Wemm #endif 710800c9408SRobert Watson /* We are using privs. */ 71132f9753cSRobert Watson priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 712a08f4bf6SPeter Wemm #endif 713a08f4bf6SPeter Wemm { 714a08f4bf6SPeter Wemm /* 715a08f4bf6SPeter Wemm * Set real gid 716a08f4bf6SPeter Wemm */ 717b1fc0ec1SRobert Watson if (oldcred->cr_rgid != gid) { 718b1fc0ec1SRobert Watson change_rgid(newcred, gid); 719d5f81602SSean Eric Fagan setsugid(p); 720a08f4bf6SPeter Wemm } 721a08f4bf6SPeter Wemm /* 722a08f4bf6SPeter Wemm * Set saved gid 723a08f4bf6SPeter Wemm * 724a08f4bf6SPeter Wemm * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 725a08f4bf6SPeter Wemm * the security of setegid() depends on it. B.4.2.2 says it 726a08f4bf6SPeter Wemm * is important that we should do this. 727a08f4bf6SPeter Wemm */ 728b1fc0ec1SRobert Watson if (oldcred->cr_svgid != gid) { 729b1fc0ec1SRobert Watson change_svgid(newcred, gid); 730d5f81602SSean Eric Fagan setsugid(p); 731a08f4bf6SPeter Wemm } 732a08f4bf6SPeter Wemm } 733a08f4bf6SPeter Wemm /* 734a08f4bf6SPeter Wemm * In all cases permitted cases, we are changing the egid. 735a08f4bf6SPeter Wemm * Copy credentials so other references do not see our changes. 736a08f4bf6SPeter Wemm */ 737b1fc0ec1SRobert Watson if (oldcred->cr_groups[0] != gid) { 738b1fc0ec1SRobert Watson change_egid(newcred, gid); 739d5f81602SSean Eric Fagan setsugid(p); 740a08f4bf6SPeter Wemm } 741b1fc0ec1SRobert Watson p->p_ucred = newcred; 74207f3485dSJohn Baldwin PROC_UNLOCK(p); 743b1fc0ec1SRobert Watson crfree(oldcred); 74407f3485dSJohn Baldwin return (0); 745030a28b3SRobert Watson 746030a28b3SRobert Watson fail: 747030a28b3SRobert Watson PROC_UNLOCK(p); 748030a28b3SRobert Watson crfree(newcred); 749030a28b3SRobert Watson return (error); 750df8bae1dSRodney W. Grimes } 751df8bae1dSRodney W. Grimes 752d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 753df8bae1dSRodney W. Grimes struct setegid_args { 754df8bae1dSRodney W. Grimes gid_t egid; 755df8bae1dSRodney W. Grimes }; 756d2d3e875SBruce Evans #endif 757df8bae1dSRodney W. Grimes /* ARGSUSED */ 75826f9a767SRodney W. Grimes int 7598451d0ddSKip Macy sys_setegid(struct thread *td, struct setegid_args *uap) 760df8bae1dSRodney W. Grimes { 761b40ce416SJulian Elischer struct proc *p = td->td_proc; 762b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 763b1fc0ec1SRobert Watson gid_t egid; 764eb725b4eSRobert Watson int error; 765df8bae1dSRodney W. Grimes 766df8bae1dSRodney W. Grimes egid = uap->egid; 76714961ba7SRobert Watson AUDIT_ARG_EGID(egid); 76807f3485dSJohn Baldwin newcred = crget(); 76907f3485dSJohn Baldwin PROC_LOCK(p); 770838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 771030a28b3SRobert Watson 772030a28b3SRobert Watson #ifdef MAC 7736f6174a7SRobert Watson error = mac_cred_check_setegid(oldcred, egid); 774030a28b3SRobert Watson if (error) 775030a28b3SRobert Watson goto fail; 776030a28b3SRobert Watson #endif 777030a28b3SRobert Watson 778b1fc0ec1SRobert Watson if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 779b1fc0ec1SRobert Watson egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 78032f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 781030a28b3SRobert Watson goto fail; 782030a28b3SRobert Watson 783b1fc0ec1SRobert Watson if (oldcred->cr_groups[0] != egid) { 784b1fc0ec1SRobert Watson change_egid(newcred, egid); 785d5f81602SSean Eric Fagan setsugid(p); 786229a15f0SPeter Wemm } 787b1fc0ec1SRobert Watson p->p_ucred = newcred; 78807f3485dSJohn Baldwin PROC_UNLOCK(p); 789b1fc0ec1SRobert Watson crfree(oldcred); 79007f3485dSJohn Baldwin return (0); 791030a28b3SRobert Watson 792030a28b3SRobert Watson fail: 793030a28b3SRobert Watson PROC_UNLOCK(p); 794030a28b3SRobert Watson crfree(newcred); 795030a28b3SRobert Watson return (error); 796df8bae1dSRodney W. Grimes } 797df8bae1dSRodney W. Grimes 798d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 799df8bae1dSRodney W. Grimes struct setgroups_args { 800df8bae1dSRodney W. Grimes u_int gidsetsize; 801df8bae1dSRodney W. Grimes gid_t *gidset; 802df8bae1dSRodney W. Grimes }; 803d2d3e875SBruce Evans #endif 804df8bae1dSRodney W. Grimes /* ARGSUSED */ 80526f9a767SRodney W. Grimes int 8068451d0ddSKip Macy sys_setgroups(struct thread *td, struct setgroups_args *uap) 807df8bae1dSRodney W. Grimes { 80892b064f4SMateusz Guzik gid_t smallgroups[XU_NGROUPS]; 809*7e9a456aSMateusz Guzik gid_t *groups; 81092b064f4SMateusz Guzik u_int gidsetsize; 811df8bae1dSRodney W. Grimes int error; 812df8bae1dSRodney W. Grimes 81392b064f4SMateusz Guzik gidsetsize = uap->gidsetsize; 81492b064f4SMateusz Guzik if (gidsetsize > ngroups_max + 1) 8153cb83e71SJohn Baldwin return (EINVAL); 816*7e9a456aSMateusz Guzik 81792b064f4SMateusz Guzik if (gidsetsize > XU_NGROUPS) 81892b064f4SMateusz Guzik groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 81992b064f4SMateusz Guzik else 82092b064f4SMateusz Guzik groups = smallgroups; 821*7e9a456aSMateusz Guzik 82292b064f4SMateusz Guzik error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 823*7e9a456aSMateusz Guzik if (error == 0) 82492b064f4SMateusz Guzik error = kern_setgroups(td, gidsetsize, groups); 825*7e9a456aSMateusz Guzik 82692b064f4SMateusz Guzik if (gidsetsize > XU_NGROUPS) 827838d9858SBrooks Davis free(groups, M_TEMP); 8283cb83e71SJohn Baldwin return (error); 8293cb83e71SJohn Baldwin } 8303cb83e71SJohn Baldwin 8313cb83e71SJohn Baldwin int 8323cb83e71SJohn Baldwin kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 8333cb83e71SJohn Baldwin { 8343cb83e71SJohn Baldwin struct proc *p = td->td_proc; 8353cb83e71SJohn Baldwin struct ucred *newcred, *oldcred; 8363cb83e71SJohn Baldwin int error; 8373cb83e71SJohn Baldwin 838*7e9a456aSMateusz Guzik MPASS(ngrp <= ngroups_max); 83914961ba7SRobert Watson AUDIT_ARG_GROUPSET(groups, ngrp); 84007f3485dSJohn Baldwin newcred = crget(); 841838d9858SBrooks Davis crextend(newcred, ngrp); 84207f3485dSJohn Baldwin PROC_LOCK(p); 843838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 844030a28b3SRobert Watson 845030a28b3SRobert Watson #ifdef MAC 8466f6174a7SRobert Watson error = mac_cred_check_setgroups(oldcred, ngrp, groups); 847030a28b3SRobert Watson if (error) 848030a28b3SRobert Watson goto fail; 849030a28b3SRobert Watson #endif 850030a28b3SRobert Watson 85132f9753cSRobert Watson error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 852030a28b3SRobert Watson if (error) 853030a28b3SRobert Watson goto fail; 85407f3485dSJohn Baldwin 855*7e9a456aSMateusz Guzik if (ngrp == 0) { 8568a5d815aSPeter Wemm /* 8578a5d815aSPeter Wemm * setgroups(0, NULL) is a legitimate way of clearing the 8588a5d815aSPeter Wemm * groups vector on non-BSD systems (which generally do not 8598a5d815aSPeter Wemm * have the egid in the groups[0]). We risk security holes 8608a5d815aSPeter Wemm * when running non-BSD software if we do not do the same. 8618a5d815aSPeter Wemm */ 862b1fc0ec1SRobert Watson newcred->cr_ngroups = 1; 8638a5d815aSPeter Wemm } else { 864838d9858SBrooks Davis crsetgroups_locked(newcred, ngrp, groups); 8658a5d815aSPeter Wemm } 866d5f81602SSean Eric Fagan setsugid(p); 867b1fc0ec1SRobert Watson p->p_ucred = newcred; 86807f3485dSJohn Baldwin PROC_UNLOCK(p); 869b1fc0ec1SRobert Watson crfree(oldcred); 87007f3485dSJohn Baldwin return (0); 871030a28b3SRobert Watson 872030a28b3SRobert Watson fail: 873030a28b3SRobert Watson PROC_UNLOCK(p); 874030a28b3SRobert Watson crfree(newcred); 875030a28b3SRobert Watson return (error); 876df8bae1dSRodney W. Grimes } 877df8bae1dSRodney W. Grimes 878d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 879df8bae1dSRodney W. Grimes struct setreuid_args { 88000999cd6SAndrey A. Chernov uid_t ruid; 88100999cd6SAndrey A. Chernov uid_t euid; 882df8bae1dSRodney W. Grimes }; 883d2d3e875SBruce Evans #endif 884df8bae1dSRodney W. Grimes /* ARGSUSED */ 88526f9a767SRodney W. Grimes int 8868451d0ddSKip Macy sys_setreuid(register struct thread *td, struct setreuid_args *uap) 887df8bae1dSRodney W. Grimes { 888b40ce416SJulian Elischer struct proc *p = td->td_proc; 889b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 890eb725b4eSRobert Watson uid_t euid, ruid; 8911419eacbSAlfred Perlstein struct uidinfo *euip, *ruip; 892eb725b4eSRobert Watson int error; 893df8bae1dSRodney W. Grimes 89400999cd6SAndrey A. Chernov euid = uap->euid; 895eb725b4eSRobert Watson ruid = uap->ruid; 89614961ba7SRobert Watson AUDIT_ARG_EUID(euid); 89714961ba7SRobert Watson AUDIT_ARG_RUID(ruid); 89807f3485dSJohn Baldwin newcred = crget(); 8991419eacbSAlfred Perlstein euip = uifind(euid); 9001419eacbSAlfred Perlstein ruip = uifind(ruid); 90107f3485dSJohn Baldwin PROC_LOCK(p); 902838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 903030a28b3SRobert Watson 904030a28b3SRobert Watson #ifdef MAC 9056f6174a7SRobert Watson error = mac_cred_check_setreuid(oldcred, ruid, euid); 906030a28b3SRobert Watson if (error) 907030a28b3SRobert Watson goto fail; 908030a28b3SRobert Watson #endif 909030a28b3SRobert Watson 910b1fc0ec1SRobert Watson if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 911b1fc0ec1SRobert Watson ruid != oldcred->cr_svuid) || 912b1fc0ec1SRobert Watson (euid != (uid_t)-1 && euid != oldcred->cr_uid && 913b1fc0ec1SRobert Watson euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 91432f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 915030a28b3SRobert Watson goto fail; 916030a28b3SRobert Watson 917b1fc0ec1SRobert Watson if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 9181419eacbSAlfred Perlstein change_euid(newcred, euip); 919d5f81602SSean Eric Fagan setsugid(p); 920a89a5370SPeter Wemm } 921b1fc0ec1SRobert Watson if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 9221419eacbSAlfred Perlstein change_ruid(newcred, ruip); 923d5f81602SSean Eric Fagan setsugid(p); 92400999cd6SAndrey A. Chernov } 925b1fc0ec1SRobert Watson if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 926b1fc0ec1SRobert Watson newcred->cr_svuid != newcred->cr_uid) { 927b1fc0ec1SRobert Watson change_svuid(newcred, newcred->cr_uid); 928d5f81602SSean Eric Fagan setsugid(p); 929a89a5370SPeter Wemm } 930b1fc0ec1SRobert Watson p->p_ucred = newcred; 93107f3485dSJohn Baldwin PROC_UNLOCK(p); 932e4dcb704SEdward Tomasz Napierala #ifdef RACCT 933e4dcb704SEdward Tomasz Napierala racct_proc_ucred_changed(p, oldcred, newcred); 934e4dcb704SEdward Tomasz Napierala #endif 9351419eacbSAlfred Perlstein uifree(ruip); 9361419eacbSAlfred Perlstein uifree(euip); 937b1fc0ec1SRobert Watson crfree(oldcred); 93807f3485dSJohn Baldwin return (0); 939030a28b3SRobert Watson 940030a28b3SRobert Watson fail: 941030a28b3SRobert Watson PROC_UNLOCK(p); 942030a28b3SRobert Watson uifree(ruip); 943030a28b3SRobert Watson uifree(euip); 944030a28b3SRobert Watson crfree(newcred); 945030a28b3SRobert Watson return (error); 946df8bae1dSRodney W. Grimes } 947df8bae1dSRodney W. Grimes 948d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 949df8bae1dSRodney W. Grimes struct setregid_args { 95000999cd6SAndrey A. Chernov gid_t rgid; 95100999cd6SAndrey A. Chernov gid_t egid; 952df8bae1dSRodney W. Grimes }; 953d2d3e875SBruce Evans #endif 954df8bae1dSRodney W. Grimes /* ARGSUSED */ 95526f9a767SRodney W. Grimes int 9568451d0ddSKip Macy sys_setregid(register struct thread *td, struct setregid_args *uap) 957df8bae1dSRodney W. Grimes { 958b40ce416SJulian Elischer struct proc *p = td->td_proc; 959b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 960eb725b4eSRobert Watson gid_t egid, rgid; 961eb725b4eSRobert Watson int error; 962df8bae1dSRodney W. Grimes 96300999cd6SAndrey A. Chernov egid = uap->egid; 964eb725b4eSRobert Watson rgid = uap->rgid; 96514961ba7SRobert Watson AUDIT_ARG_EGID(egid); 96614961ba7SRobert Watson AUDIT_ARG_RGID(rgid); 96707f3485dSJohn Baldwin newcred = crget(); 96807f3485dSJohn Baldwin PROC_LOCK(p); 969838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 970030a28b3SRobert Watson 971030a28b3SRobert Watson #ifdef MAC 9726f6174a7SRobert Watson error = mac_cred_check_setregid(oldcred, rgid, egid); 973030a28b3SRobert Watson if (error) 974030a28b3SRobert Watson goto fail; 975030a28b3SRobert Watson #endif 976030a28b3SRobert Watson 977b1fc0ec1SRobert Watson if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 978b1fc0ec1SRobert Watson rgid != oldcred->cr_svgid) || 979b1fc0ec1SRobert Watson (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 980b1fc0ec1SRobert Watson egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 98132f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 982030a28b3SRobert Watson goto fail; 98307f3485dSJohn Baldwin 984b1fc0ec1SRobert Watson if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 985b1fc0ec1SRobert Watson change_egid(newcred, egid); 986d5f81602SSean Eric Fagan setsugid(p); 987a89a5370SPeter Wemm } 988b1fc0ec1SRobert Watson if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 989b1fc0ec1SRobert Watson change_rgid(newcred, rgid); 990d5f81602SSean Eric Fagan setsugid(p); 991a89a5370SPeter Wemm } 992b1fc0ec1SRobert Watson if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 993b1fc0ec1SRobert Watson newcred->cr_svgid != newcred->cr_groups[0]) { 994b1fc0ec1SRobert Watson change_svgid(newcred, newcred->cr_groups[0]); 995d5f81602SSean Eric Fagan setsugid(p); 996a89a5370SPeter Wemm } 9974589be70SRuslan Ermilov p->p_ucred = newcred; 99807f3485dSJohn Baldwin PROC_UNLOCK(p); 9994589be70SRuslan Ermilov crfree(oldcred); 100007f3485dSJohn Baldwin return (0); 1001030a28b3SRobert Watson 1002030a28b3SRobert Watson fail: 1003030a28b3SRobert Watson PROC_UNLOCK(p); 1004030a28b3SRobert Watson crfree(newcred); 1005030a28b3SRobert Watson return (error); 1006df8bae1dSRodney W. Grimes } 1007df8bae1dSRodney W. Grimes 10088ccd6334SPeter Wemm /* 1009873fbcd7SRobert Watson * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1010873fbcd7SRobert Watson * uid is explicit. 10118ccd6334SPeter Wemm */ 10128ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 10138ccd6334SPeter Wemm struct setresuid_args { 10148ccd6334SPeter Wemm uid_t ruid; 10158ccd6334SPeter Wemm uid_t euid; 10168ccd6334SPeter Wemm uid_t suid; 10178ccd6334SPeter Wemm }; 10188ccd6334SPeter Wemm #endif 10198ccd6334SPeter Wemm /* ARGSUSED */ 10208ccd6334SPeter Wemm int 10218451d0ddSKip Macy sys_setresuid(register struct thread *td, struct setresuid_args *uap) 10228ccd6334SPeter Wemm { 1023b40ce416SJulian Elischer struct proc *p = td->td_proc; 1024b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 1025eb725b4eSRobert Watson uid_t euid, ruid, suid; 10261419eacbSAlfred Perlstein struct uidinfo *euip, *ruip; 10278ccd6334SPeter Wemm int error; 10288ccd6334SPeter Wemm 10298ccd6334SPeter Wemm euid = uap->euid; 1030eb725b4eSRobert Watson ruid = uap->ruid; 10318ccd6334SPeter Wemm suid = uap->suid; 103214961ba7SRobert Watson AUDIT_ARG_EUID(euid); 103314961ba7SRobert Watson AUDIT_ARG_RUID(ruid); 103414961ba7SRobert Watson AUDIT_ARG_SUID(suid); 103507f3485dSJohn Baldwin newcred = crget(); 10361419eacbSAlfred Perlstein euip = uifind(euid); 10371419eacbSAlfred Perlstein ruip = uifind(ruid); 103807f3485dSJohn Baldwin PROC_LOCK(p); 1039838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 1040030a28b3SRobert Watson 1041030a28b3SRobert Watson #ifdef MAC 10426f6174a7SRobert Watson error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1043030a28b3SRobert Watson if (error) 1044030a28b3SRobert Watson goto fail; 1045030a28b3SRobert Watson #endif 1046030a28b3SRobert Watson 1047b1fc0ec1SRobert Watson if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1048b1fc0ec1SRobert Watson ruid != oldcred->cr_svuid && 1049b1fc0ec1SRobert Watson ruid != oldcred->cr_uid) || 1050b1fc0ec1SRobert Watson (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1051b1fc0ec1SRobert Watson euid != oldcred->cr_svuid && 1052b1fc0ec1SRobert Watson euid != oldcred->cr_uid) || 1053b1fc0ec1SRobert Watson (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1054b1fc0ec1SRobert Watson suid != oldcred->cr_svuid && 1055b1fc0ec1SRobert Watson suid != oldcred->cr_uid)) && 105632f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1057030a28b3SRobert Watson goto fail; 105807f3485dSJohn Baldwin 1059b1fc0ec1SRobert Watson if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 10601419eacbSAlfred Perlstein change_euid(newcred, euip); 10618ccd6334SPeter Wemm setsugid(p); 10628ccd6334SPeter Wemm } 1063b1fc0ec1SRobert Watson if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 10641419eacbSAlfred Perlstein change_ruid(newcred, ruip); 10658ccd6334SPeter Wemm setsugid(p); 10668ccd6334SPeter Wemm } 1067b1fc0ec1SRobert Watson if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1068b1fc0ec1SRobert Watson change_svuid(newcred, suid); 10698ccd6334SPeter Wemm setsugid(p); 10708ccd6334SPeter Wemm } 1071b1fc0ec1SRobert Watson p->p_ucred = newcred; 107207f3485dSJohn Baldwin PROC_UNLOCK(p); 1073e4dcb704SEdward Tomasz Napierala #ifdef RACCT 1074e4dcb704SEdward Tomasz Napierala racct_proc_ucred_changed(p, oldcred, newcred); 1075e4dcb704SEdward Tomasz Napierala #endif 10761419eacbSAlfred Perlstein uifree(ruip); 10771419eacbSAlfred Perlstein uifree(euip); 1078b1fc0ec1SRobert Watson crfree(oldcred); 107907f3485dSJohn Baldwin return (0); 1080030a28b3SRobert Watson 1081030a28b3SRobert Watson fail: 1082030a28b3SRobert Watson PROC_UNLOCK(p); 1083030a28b3SRobert Watson uifree(ruip); 1084030a28b3SRobert Watson uifree(euip); 1085030a28b3SRobert Watson crfree(newcred); 1086030a28b3SRobert Watson return (error); 1087030a28b3SRobert Watson 10888ccd6334SPeter Wemm } 10898ccd6334SPeter Wemm 10908ccd6334SPeter Wemm /* 1091873fbcd7SRobert Watson * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1092873fbcd7SRobert Watson * gid is explicit. 10938ccd6334SPeter Wemm */ 10948ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 10958ccd6334SPeter Wemm struct setresgid_args { 10968ccd6334SPeter Wemm gid_t rgid; 10978ccd6334SPeter Wemm gid_t egid; 10988ccd6334SPeter Wemm gid_t sgid; 10998ccd6334SPeter Wemm }; 11008ccd6334SPeter Wemm #endif 11018ccd6334SPeter Wemm /* ARGSUSED */ 11028ccd6334SPeter Wemm int 11038451d0ddSKip Macy sys_setresgid(register struct thread *td, struct setresgid_args *uap) 11048ccd6334SPeter Wemm { 1105b40ce416SJulian Elischer struct proc *p = td->td_proc; 1106b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 1107eb725b4eSRobert Watson gid_t egid, rgid, sgid; 11088ccd6334SPeter Wemm int error; 11098ccd6334SPeter Wemm 11108ccd6334SPeter Wemm egid = uap->egid; 1111eb725b4eSRobert Watson rgid = uap->rgid; 11128ccd6334SPeter Wemm sgid = uap->sgid; 111314961ba7SRobert Watson AUDIT_ARG_EGID(egid); 111414961ba7SRobert Watson AUDIT_ARG_RGID(rgid); 111514961ba7SRobert Watson AUDIT_ARG_SGID(sgid); 111607f3485dSJohn Baldwin newcred = crget(); 111707f3485dSJohn Baldwin PROC_LOCK(p); 1118838d9858SBrooks Davis oldcred = crcopysafe(p, newcred); 1119030a28b3SRobert Watson 1120030a28b3SRobert Watson #ifdef MAC 11216f6174a7SRobert Watson error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1122030a28b3SRobert Watson if (error) 1123030a28b3SRobert Watson goto fail; 1124030a28b3SRobert Watson #endif 1125030a28b3SRobert Watson 1126b1fc0ec1SRobert Watson if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1127b1fc0ec1SRobert Watson rgid != oldcred->cr_svgid && 1128b1fc0ec1SRobert Watson rgid != oldcred->cr_groups[0]) || 1129b1fc0ec1SRobert Watson (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1130b1fc0ec1SRobert Watson egid != oldcred->cr_svgid && 1131b1fc0ec1SRobert Watson egid != oldcred->cr_groups[0]) || 1132b1fc0ec1SRobert Watson (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1133b1fc0ec1SRobert Watson sgid != oldcred->cr_svgid && 1134b1fc0ec1SRobert Watson sgid != oldcred->cr_groups[0])) && 113532f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1136030a28b3SRobert Watson goto fail; 113707f3485dSJohn Baldwin 1138b1fc0ec1SRobert Watson if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1139b1fc0ec1SRobert Watson change_egid(newcred, egid); 11408ccd6334SPeter Wemm setsugid(p); 11418ccd6334SPeter Wemm } 1142b1fc0ec1SRobert Watson if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1143b1fc0ec1SRobert Watson change_rgid(newcred, rgid); 11448ccd6334SPeter Wemm setsugid(p); 11458ccd6334SPeter Wemm } 1146b1fc0ec1SRobert Watson if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1147b1fc0ec1SRobert Watson change_svgid(newcred, sgid); 11488ccd6334SPeter Wemm setsugid(p); 11498ccd6334SPeter Wemm } 1150b1fc0ec1SRobert Watson p->p_ucred = newcred; 115107f3485dSJohn Baldwin PROC_UNLOCK(p); 1152b1fc0ec1SRobert Watson crfree(oldcred); 115307f3485dSJohn Baldwin return (0); 1154030a28b3SRobert Watson 1155030a28b3SRobert Watson fail: 1156030a28b3SRobert Watson PROC_UNLOCK(p); 1157030a28b3SRobert Watson crfree(newcred); 1158030a28b3SRobert Watson return (error); 11598ccd6334SPeter Wemm } 11608ccd6334SPeter Wemm 11618ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 11628ccd6334SPeter Wemm struct getresuid_args { 11638ccd6334SPeter Wemm uid_t *ruid; 11648ccd6334SPeter Wemm uid_t *euid; 11658ccd6334SPeter Wemm uid_t *suid; 11668ccd6334SPeter Wemm }; 11678ccd6334SPeter Wemm #endif 11688ccd6334SPeter Wemm /* ARGSUSED */ 11698ccd6334SPeter Wemm int 11708451d0ddSKip Macy sys_getresuid(register struct thread *td, struct getresuid_args *uap) 11718ccd6334SPeter Wemm { 1172835a82eeSMatthew Dillon struct ucred *cred; 11738ccd6334SPeter Wemm int error1 = 0, error2 = 0, error3 = 0; 11748ccd6334SPeter Wemm 1175d74ac681SMatthew Dillon cred = td->td_ucred; 11768ccd6334SPeter Wemm if (uap->ruid) 11777f05b035SAlfred Perlstein error1 = copyout(&cred->cr_ruid, 11787f05b035SAlfred Perlstein uap->ruid, sizeof(cred->cr_ruid)); 11798ccd6334SPeter Wemm if (uap->euid) 11807f05b035SAlfred Perlstein error2 = copyout(&cred->cr_uid, 11817f05b035SAlfred Perlstein uap->euid, sizeof(cred->cr_uid)); 11828ccd6334SPeter Wemm if (uap->suid) 11837f05b035SAlfred Perlstein error3 = copyout(&cred->cr_svuid, 11847f05b035SAlfred Perlstein uap->suid, sizeof(cred->cr_svuid)); 1185eb725b4eSRobert Watson return (error1 ? error1 : error2 ? error2 : error3); 11868ccd6334SPeter Wemm } 11878ccd6334SPeter Wemm 11888ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 11898ccd6334SPeter Wemm struct getresgid_args { 11908ccd6334SPeter Wemm gid_t *rgid; 11918ccd6334SPeter Wemm gid_t *egid; 11928ccd6334SPeter Wemm gid_t *sgid; 11938ccd6334SPeter Wemm }; 11948ccd6334SPeter Wemm #endif 11958ccd6334SPeter Wemm /* ARGSUSED */ 11968ccd6334SPeter Wemm int 11978451d0ddSKip Macy sys_getresgid(register struct thread *td, struct getresgid_args *uap) 11988ccd6334SPeter Wemm { 1199835a82eeSMatthew Dillon struct ucred *cred; 12008ccd6334SPeter Wemm int error1 = 0, error2 = 0, error3 = 0; 12018ccd6334SPeter Wemm 1202d74ac681SMatthew Dillon cred = td->td_ucred; 12038ccd6334SPeter Wemm if (uap->rgid) 12047f05b035SAlfred Perlstein error1 = copyout(&cred->cr_rgid, 12057f05b035SAlfred Perlstein uap->rgid, sizeof(cred->cr_rgid)); 12068ccd6334SPeter Wemm if (uap->egid) 12077f05b035SAlfred Perlstein error2 = copyout(&cred->cr_groups[0], 12087f05b035SAlfred Perlstein uap->egid, sizeof(cred->cr_groups[0])); 12098ccd6334SPeter Wemm if (uap->sgid) 12107f05b035SAlfred Perlstein error3 = copyout(&cred->cr_svgid, 12117f05b035SAlfred Perlstein uap->sgid, sizeof(cred->cr_svgid)); 1212eb725b4eSRobert Watson return (error1 ? error1 : error2 ? error2 : error3); 12138ccd6334SPeter Wemm } 12148ccd6334SPeter Wemm 1215b67cbc65SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1216b67cbc65SPeter Wemm struct issetugid_args { 1217b67cbc65SPeter Wemm int dummy; 1218b67cbc65SPeter Wemm }; 1219b67cbc65SPeter Wemm #endif 1220b67cbc65SPeter Wemm /* ARGSUSED */ 1221b67cbc65SPeter Wemm int 12228451d0ddSKip Macy sys_issetugid(register struct thread *td, struct issetugid_args *uap) 1223b67cbc65SPeter Wemm { 1224b40ce416SJulian Elischer struct proc *p = td->td_proc; 1225b40ce416SJulian Elischer 1226b67cbc65SPeter Wemm /* 1227b67cbc65SPeter Wemm * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1228b67cbc65SPeter Wemm * we use P_SUGID because we consider changing the owners as 1229b67cbc65SPeter Wemm * "tainting" as well. 1230b67cbc65SPeter Wemm * This is significant for procs that start as root and "become" 1231b67cbc65SPeter Wemm * a user without an exec - programs cannot know *everything* 1232b67cbc65SPeter Wemm * that libc *might* have put in their data segment. 1233b67cbc65SPeter Wemm */ 1234f591779bSSeigo Tanimura PROC_LOCK(p); 1235b40ce416SJulian Elischer td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1236f591779bSSeigo Tanimura PROC_UNLOCK(p); 1237b67cbc65SPeter Wemm return (0); 1238b67cbc65SPeter Wemm } 1239b67cbc65SPeter Wemm 1240130d0157SRobert Watson int 12418451d0ddSKip Macy sys___setugid(struct thread *td, struct __setugid_args *uap) 1242130d0157SRobert Watson { 1243130d0157SRobert Watson #ifdef REGRESSION 124407f3485dSJohn Baldwin struct proc *p; 1245835a82eeSMatthew Dillon 124607f3485dSJohn Baldwin p = td->td_proc; 1247130d0157SRobert Watson switch (uap->flag) { 1248130d0157SRobert Watson case 0: 124907f3485dSJohn Baldwin PROC_LOCK(p); 125007f3485dSJohn Baldwin p->p_flag &= ~P_SUGID; 125107f3485dSJohn Baldwin PROC_UNLOCK(p); 125207f3485dSJohn Baldwin return (0); 125307f3485dSJohn Baldwin case 1: 125407f3485dSJohn Baldwin PROC_LOCK(p); 125507f3485dSJohn Baldwin p->p_flag |= P_SUGID; 125607f3485dSJohn Baldwin PROC_UNLOCK(p); 125707f3485dSJohn Baldwin return (0); 125807f3485dSJohn Baldwin default: 125907f3485dSJohn Baldwin return (EINVAL); 126007f3485dSJohn Baldwin } 1261130d0157SRobert Watson #else /* !REGRESSION */ 1262eb725b4eSRobert Watson 1263130d0157SRobert Watson return (ENOSYS); 1264eb725b4eSRobert Watson #endif /* REGRESSION */ 1265130d0157SRobert Watson } 1266130d0157SRobert Watson 1267df8bae1dSRodney W. Grimes /* 1268df8bae1dSRodney W. Grimes * Check if gid is a member of the group set. 1269df8bae1dSRodney W. Grimes */ 127026f9a767SRodney W. Grimes int 12714c44ad8eSJohn Baldwin groupmember(gid_t gid, struct ucred *cred) 1272df8bae1dSRodney W. Grimes { 12737f92e578SBrooks Davis int l; 12747f92e578SBrooks Davis int h; 12757f92e578SBrooks Davis int m; 1276df8bae1dSRodney W. Grimes 12777f92e578SBrooks Davis if (cred->cr_groups[0] == gid) 1278df8bae1dSRodney W. Grimes return(1); 12797f92e578SBrooks Davis 12807f92e578SBrooks Davis /* 12817f92e578SBrooks Davis * If gid was not our primary group, perform a binary search 12827f92e578SBrooks Davis * of the supplemental groups. This is possible because we 12837f92e578SBrooks Davis * sort the groups in crsetgroups(). 12847f92e578SBrooks Davis */ 12857f92e578SBrooks Davis l = 1; 12867f92e578SBrooks Davis h = cred->cr_ngroups; 12877f92e578SBrooks Davis while (l < h) { 12887f92e578SBrooks Davis m = l + ((h - l) / 2); 12897f92e578SBrooks Davis if (cred->cr_groups[m] < gid) 12907f92e578SBrooks Davis l = m + 1; 12917f92e578SBrooks Davis else 12927f92e578SBrooks Davis h = m; 12937f92e578SBrooks Davis } 12947f92e578SBrooks Davis if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) 12957f92e578SBrooks Davis return (1); 12967f92e578SBrooks Davis 1297df8bae1dSRodney W. Grimes return (0); 1298df8bae1dSRodney W. Grimes } 1299df8bae1dSRodney W. Grimes 13003b243b72SRobert Watson /* 1301eb725b4eSRobert Watson * Test the active securelevel against a given level. securelevel_gt() 1302eb725b4eSRobert Watson * implements (securelevel > level). securelevel_ge() implements 1303eb725b4eSRobert Watson * (securelevel >= level). Note that the logic is inverted -- these 1304eb725b4eSRobert Watson * functions return EPERM on "success" and 0 on "failure". 13053ca719f1SRobert Watson * 13060304c731SJamie Gritton * Due to care taken when setting the securelevel, we know that no jail will 13070304c731SJamie Gritton * be less secure that its parent (or the physical system), so it is sufficient 13080304c731SJamie Gritton * to test the current jail only. 13090304c731SJamie Gritton * 1310800c9408SRobert Watson * XXXRW: Possibly since this has to do with privilege, it should move to 1311800c9408SRobert Watson * kern_priv.c. 13123ca719f1SRobert Watson */ 13133ca719f1SRobert Watson int 13143ca719f1SRobert Watson securelevel_gt(struct ucred *cr, int level) 13153ca719f1SRobert Watson { 13163ca719f1SRobert Watson 13170304c731SJamie Gritton return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 13183ca719f1SRobert Watson } 13193ca719f1SRobert Watson 13203ca719f1SRobert Watson int 13213ca719f1SRobert Watson securelevel_ge(struct ucred *cr, int level) 13223ca719f1SRobert Watson { 13233ca719f1SRobert Watson 13240304c731SJamie Gritton return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 13253ca719f1SRobert Watson } 13263ca719f1SRobert Watson 13278a7d8cc6SRobert Watson /* 1328e409590dSRobert Watson * 'see_other_uids' determines whether or not visibility of processes 1329eb725b4eSRobert Watson * and sockets with credentials holding different real uids is possible 133048713bdcSRobert Watson * using a variety of system MIBs. 1331eb725b4eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 13328a7d8cc6SRobert Watson */ 1333e409590dSRobert Watson static int see_other_uids = 1; 1334d0615c64SAndrew R. Reiter SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1335eb725b4eSRobert Watson &see_other_uids, 0, 13368a7d8cc6SRobert Watson "Unprivileged processes may see subjects/objects with different real uid"); 13378a7d8cc6SRobert Watson 13381a996ed1SEdward Tomasz Napierala /*- 13391b350b45SRobert Watson * Determine if u1 "can see" the subject specified by u2, according to the 13401b350b45SRobert Watson * 'see_other_uids' policy. 13411b350b45SRobert Watson * Returns: 0 for permitted, ESRCH otherwise 13421b350b45SRobert Watson * Locks: none 13431b350b45SRobert Watson * References: *u1 and *u2 must not change during the call 13441b350b45SRobert Watson * u1 may equal u2, in which case only one reference is required 13451b350b45SRobert Watson */ 13461b350b45SRobert Watson static int 13471b350b45SRobert Watson cr_seeotheruids(struct ucred *u1, struct ucred *u2) 13481b350b45SRobert Watson { 13491b350b45SRobert Watson 13501b350b45SRobert Watson if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 135132f9753cSRobert Watson if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 13521b350b45SRobert Watson return (ESRCH); 13531b350b45SRobert Watson } 13541b350b45SRobert Watson return (0); 13551b350b45SRobert Watson } 13561b350b45SRobert Watson 135764d19c2eSRobert Watson /* 135864d19c2eSRobert Watson * 'see_other_gids' determines whether or not visibility of processes 135964d19c2eSRobert Watson * and sockets with credentials holding different real gids is possible 136064d19c2eSRobert Watson * using a variety of system MIBs. 136164d19c2eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 136264d19c2eSRobert Watson */ 136364d19c2eSRobert Watson static int see_other_gids = 1; 136464d19c2eSRobert Watson SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 136564d19c2eSRobert Watson &see_other_gids, 0, 136664d19c2eSRobert Watson "Unprivileged processes may see subjects/objects with different real gid"); 136764d19c2eSRobert Watson 136864d19c2eSRobert Watson /* 136964d19c2eSRobert Watson * Determine if u1 can "see" the subject specified by u2, according to the 137064d19c2eSRobert Watson * 'see_other_gids' policy. 137164d19c2eSRobert Watson * Returns: 0 for permitted, ESRCH otherwise 137264d19c2eSRobert Watson * Locks: none 137364d19c2eSRobert Watson * References: *u1 and *u2 must not change during the call 137464d19c2eSRobert Watson * u1 may equal u2, in which case only one reference is required 137564d19c2eSRobert Watson */ 137664d19c2eSRobert Watson static int 137764d19c2eSRobert Watson cr_seeothergids(struct ucred *u1, struct ucred *u2) 137864d19c2eSRobert Watson { 137964d19c2eSRobert Watson int i, match; 138064d19c2eSRobert Watson 138164d19c2eSRobert Watson if (!see_other_gids) { 138264d19c2eSRobert Watson match = 0; 138364d19c2eSRobert Watson for (i = 0; i < u1->cr_ngroups; i++) { 138464d19c2eSRobert Watson if (groupmember(u1->cr_groups[i], u2)) 138564d19c2eSRobert Watson match = 1; 138664d19c2eSRobert Watson if (match) 138764d19c2eSRobert Watson break; 138864d19c2eSRobert Watson } 138964d19c2eSRobert Watson if (!match) { 139032f9753cSRobert Watson if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 139164d19c2eSRobert Watson return (ESRCH); 139264d19c2eSRobert Watson } 139364d19c2eSRobert Watson } 139464d19c2eSRobert Watson return (0); 139564d19c2eSRobert Watson } 139664d19c2eSRobert Watson 13971a996ed1SEdward Tomasz Napierala /*- 13987fd6a959SRobert Watson * Determine if u1 "can see" the subject specified by u2. 1399ed639720SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1400ed639720SRobert Watson * Locks: none 1401eb725b4eSRobert Watson * References: *u1 and *u2 must not change during the call 1402ed639720SRobert Watson * u1 may equal u2, in which case only one reference is required 1403ed639720SRobert Watson */ 1404ed639720SRobert Watson int 140594088977SRobert Watson cr_cansee(struct ucred *u1, struct ucred *u2) 1406a9e0361bSPoul-Henning Kamp { 140791421ba2SRobert Watson int error; 1408a9e0361bSPoul-Henning Kamp 1409ed639720SRobert Watson if ((error = prison_check(u1, u2))) 141091421ba2SRobert Watson return (error); 14118a1d977dSRobert Watson #ifdef MAC 141230d239bcSRobert Watson if ((error = mac_cred_check_visible(u1, u2))) 14138a1d977dSRobert Watson return (error); 14148a1d977dSRobert Watson #endif 14151b350b45SRobert Watson if ((error = cr_seeotheruids(u1, u2))) 14161b350b45SRobert Watson return (error); 141764d19c2eSRobert Watson if ((error = cr_seeothergids(u1, u2))) 141864d19c2eSRobert Watson return (error); 1419387d2c03SRobert Watson return (0); 1420387d2c03SRobert Watson } 1421387d2c03SRobert Watson 14221a996ed1SEdward Tomasz Napierala /*- 1423f44d9e24SJohn Baldwin * Determine if td "can see" the subject specified by p. 14243b243b72SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1425f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1426f44d9e24SJohn Baldwin * should be curthread. 1427f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 14283b243b72SRobert Watson */ 1429a0f75161SRobert Watson int 1430f44d9e24SJohn Baldwin p_cansee(struct thread *td, struct proc *p) 1431ed639720SRobert Watson { 1432ed639720SRobert Watson 143394088977SRobert Watson /* Wrap cr_cansee() for all functionality. */ 1434f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1435f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1436f44d9e24SJohn Baldwin return (cr_cansee(td->td_ucred, p->p_ucred)); 1437ed639720SRobert Watson } 1438ed639720SRobert Watson 143962c45ef4SRobert Watson /* 144062c45ef4SRobert Watson * 'conservative_signals' prevents the delivery of a broad class of 144162c45ef4SRobert Watson * signals by unprivileged processes to processes that have changed their 144262c45ef4SRobert Watson * credentials since the last invocation of execve(). This can prevent 144362c45ef4SRobert Watson * the leakage of cached information or retained privileges as a result 144462c45ef4SRobert Watson * of a common class of signal-related vulnerabilities. However, this 144562c45ef4SRobert Watson * may interfere with some applications that expect to be able to 144662c45ef4SRobert Watson * deliver these signals to peer processes after having given up 144762c45ef4SRobert Watson * privilege. 144862c45ef4SRobert Watson */ 144962c45ef4SRobert Watson static int conservative_signals = 1; 145062c45ef4SRobert Watson SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 145162c45ef4SRobert Watson &conservative_signals, 0, "Unprivileged processes prevented from " 145262c45ef4SRobert Watson "sending certain signals to processes whose credentials have changed"); 14531a996ed1SEdward Tomasz Napierala /*- 1454c83f8015SRobert Watson * Determine whether cred may deliver the specified signal to proc. 1455c83f8015SRobert Watson * Returns: 0 for permitted, an errno value otherwise. 1456c83f8015SRobert Watson * Locks: A lock must be held for proc. 1457c83f8015SRobert Watson * References: cred and proc must be valid for the lifetime of the call. 14584c5eb9c3SRobert Watson */ 14594c5eb9c3SRobert Watson int 14601a88a252SMaxim Sobolev cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1461387d2c03SRobert Watson { 146291421ba2SRobert Watson int error; 1463387d2c03SRobert Watson 1464f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(proc, MA_OWNED); 14654c5eb9c3SRobert Watson /* 1466c83f8015SRobert Watson * Jail semantics limit the scope of signalling to proc in the 1467c83f8015SRobert Watson * same jail as cred, if cred is in jail. 14684c5eb9c3SRobert Watson */ 1469c83f8015SRobert Watson error = prison_check(cred, proc->p_ucred); 1470c83f8015SRobert Watson if (error) 147191421ba2SRobert Watson return (error); 14728a1d977dSRobert Watson #ifdef MAC 147330d239bcSRobert Watson if ((error = mac_proc_check_signal(cred, proc, signum))) 14748a1d977dSRobert Watson return (error); 14758a1d977dSRobert Watson #endif 147664d19c2eSRobert Watson if ((error = cr_seeotheruids(cred, proc->p_ucred))) 147764d19c2eSRobert Watson return (error); 147864d19c2eSRobert Watson if ((error = cr_seeothergids(cred, proc->p_ucred))) 14791b350b45SRobert Watson return (error); 1480387d2c03SRobert Watson 1481387d2c03SRobert Watson /* 14823b243b72SRobert Watson * UNIX signal semantics depend on the status of the P_SUGID 14833b243b72SRobert Watson * bit on the target process. If the bit is set, then additional 14843b243b72SRobert Watson * restrictions are placed on the set of available signals. 14854c5eb9c3SRobert Watson */ 14861a88a252SMaxim Sobolev if (conservative_signals && (proc->p_flag & P_SUGID)) { 14874c5eb9c3SRobert Watson switch (signum) { 14884c5eb9c3SRobert Watson case 0: 14894c5eb9c3SRobert Watson case SIGKILL: 14904c5eb9c3SRobert Watson case SIGINT: 14914c5eb9c3SRobert Watson case SIGTERM: 149262c45ef4SRobert Watson case SIGALRM: 14934c5eb9c3SRobert Watson case SIGSTOP: 14944c5eb9c3SRobert Watson case SIGTTIN: 14954c5eb9c3SRobert Watson case SIGTTOU: 14964c5eb9c3SRobert Watson case SIGTSTP: 14974c5eb9c3SRobert Watson case SIGHUP: 14984c5eb9c3SRobert Watson case SIGUSR1: 14994c5eb9c3SRobert Watson case SIGUSR2: 15007fd6a959SRobert Watson /* 15017fd6a959SRobert Watson * Generally, permit job and terminal control 15027fd6a959SRobert Watson * signals. 15037fd6a959SRobert Watson */ 15044c5eb9c3SRobert Watson break; 15054c5eb9c3SRobert Watson default: 1506c83f8015SRobert Watson /* Not permitted without privilege. */ 150732f9753cSRobert Watson error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 15084c5eb9c3SRobert Watson if (error) 15094c5eb9c3SRobert Watson return (error); 15104c5eb9c3SRobert Watson } 1511e9e7ff5bSRobert Watson } 1512e9e7ff5bSRobert Watson 15134c5eb9c3SRobert Watson /* 15143b243b72SRobert Watson * Generally, the target credential's ruid or svuid must match the 1515e9e7ff5bSRobert Watson * subject credential's ruid or euid. 15164c5eb9c3SRobert Watson */ 1517c83f8015SRobert Watson if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1518c83f8015SRobert Watson cred->cr_ruid != proc->p_ucred->cr_svuid && 1519c83f8015SRobert Watson cred->cr_uid != proc->p_ucred->cr_ruid && 1520c83f8015SRobert Watson cred->cr_uid != proc->p_ucred->cr_svuid) { 152132f9753cSRobert Watson error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 15224c5eb9c3SRobert Watson if (error) 15234c5eb9c3SRobert Watson return (error); 15244c5eb9c3SRobert Watson } 1525387d2c03SRobert Watson 1526387d2c03SRobert Watson return (0); 1527387d2c03SRobert Watson } 1528a9e0361bSPoul-Henning Kamp 15291a996ed1SEdward Tomasz Napierala /*- 1530f44d9e24SJohn Baldwin * Determine whether td may deliver the specified signal to p. 1531c83f8015SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1532f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1533f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must be 1534f44d9e24SJohn Baldwin * held for p. 1535f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 1536c83f8015SRobert Watson */ 1537c83f8015SRobert Watson int 15381a88a252SMaxim Sobolev p_cansignal(struct thread *td, struct proc *p, int signum) 1539c83f8015SRobert Watson { 1540c83f8015SRobert Watson 1541f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1542f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1543f44d9e24SJohn Baldwin if (td->td_proc == p) 1544c83f8015SRobert Watson return (0); 1545c83f8015SRobert Watson 1546c83f8015SRobert Watson /* 1547c83f8015SRobert Watson * UNIX signalling semantics require that processes in the same 1548c83f8015SRobert Watson * session always be able to deliver SIGCONT to one another, 1549c83f8015SRobert Watson * overriding the remaining protections. 1550c83f8015SRobert Watson */ 1551f44d9e24SJohn Baldwin /* XXX: This will require an additional lock of some sort. */ 1552f44d9e24SJohn Baldwin if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1553c83f8015SRobert Watson return (0); 15544b178336SMaxim Sobolev /* 1555f9cd63d4SMaxim Sobolev * Some compat layers use SIGTHR and higher signals for 1556f9cd63d4SMaxim Sobolev * communication between different kernel threads of the same 1557f9cd63d4SMaxim Sobolev * process, so that they expect that it's always possible to 1558f9cd63d4SMaxim Sobolev * deliver them, even for suid applications where cr_cansignal() can 15594b178336SMaxim Sobolev * deny such ability for security consideration. It should be 15604b178336SMaxim Sobolev * pretty safe to do since the only way to create two processes 15614b178336SMaxim Sobolev * with the same p_leader is via rfork(2). 15624b178336SMaxim Sobolev */ 15632322a0a7SMaxim Sobolev if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 15642322a0a7SMaxim Sobolev signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 15654b178336SMaxim Sobolev return (0); 1566c83f8015SRobert Watson 15671a88a252SMaxim Sobolev return (cr_cansignal(td->td_ucred, p, signum)); 1568c83f8015SRobert Watson } 1569c83f8015SRobert Watson 15701a996ed1SEdward Tomasz Napierala /*- 1571f44d9e24SJohn Baldwin * Determine whether td may reschedule p. 15727fd6a959SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1573f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1574f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must 1575f44d9e24SJohn Baldwin * be held for p. 1576f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 15773b243b72SRobert Watson */ 1578a0f75161SRobert Watson int 1579f44d9e24SJohn Baldwin p_cansched(struct thread *td, struct proc *p) 1580387d2c03SRobert Watson { 158191421ba2SRobert Watson int error; 1582387d2c03SRobert Watson 1583f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1584f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1585f44d9e24SJohn Baldwin if (td->td_proc == p) 1586387d2c03SRobert Watson return (0); 1587f44d9e24SJohn Baldwin if ((error = prison_check(td->td_ucred, p->p_ucred))) 158891421ba2SRobert Watson return (error); 15898a1d977dSRobert Watson #ifdef MAC 159030d239bcSRobert Watson if ((error = mac_proc_check_sched(td->td_ucred, p))) 15918a1d977dSRobert Watson return (error); 15928a1d977dSRobert Watson #endif 1593f44d9e24SJohn Baldwin if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 15941b350b45SRobert Watson return (error); 159564d19c2eSRobert Watson if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 159664d19c2eSRobert Watson return (error); 1597800c9408SRobert Watson if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1598800c9408SRobert Watson td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 159932f9753cSRobert Watson error = priv_check(td, PRIV_SCHED_DIFFCRED); 1600800c9408SRobert Watson if (error) 1601800c9408SRobert Watson return (error); 1602800c9408SRobert Watson } 1603387d2c03SRobert Watson return (0); 1604387d2c03SRobert Watson } 1605387d2c03SRobert Watson 16063b243b72SRobert Watson /* 16075d476e73SRobert Watson * The 'unprivileged_proc_debug' flag may be used to disable a variety of 16085d476e73SRobert Watson * unprivileged inter-process debugging services, including some procfs 16095d476e73SRobert Watson * functionality, ptrace(), and ktrace(). In the past, inter-process 16105d476e73SRobert Watson * debugging has been involved in a variety of security problems, and sites 16115d476e73SRobert Watson * not requiring the service might choose to disable it when hardening 16125d476e73SRobert Watson * systems. 16133b243b72SRobert Watson * 16143b243b72SRobert Watson * XXX: Should modifying and reading this variable require locking? 1615eb725b4eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 16163b243b72SRobert Watson */ 1617e409590dSRobert Watson static int unprivileged_proc_debug = 1; 1618d0615c64SAndrew R. Reiter SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1619eb725b4eSRobert Watson &unprivileged_proc_debug, 0, 16200ef5652eSRobert Watson "Unprivileged processes may use process debugging facilities"); 16210ef5652eSRobert Watson 16221a996ed1SEdward Tomasz Napierala /*- 1623f44d9e24SJohn Baldwin * Determine whether td may debug p. 16247fd6a959SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1625f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1626f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must 1627f44d9e24SJohn Baldwin * be held for p. 1628f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 16293b243b72SRobert Watson */ 1630a0f75161SRobert Watson int 1631f44d9e24SJohn Baldwin p_candebug(struct thread *td, struct proc *p) 1632387d2c03SRobert Watson { 1633eb725b4eSRobert Watson int credentialchanged, error, grpsubset, i, uidsubset; 1634387d2c03SRobert Watson 1635f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1636f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1637e409590dSRobert Watson if (!unprivileged_proc_debug) { 163832f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_UNPRIV); 163932d18604SRobert Watson if (error) 164032d18604SRobert Watson return (error); 164132d18604SRobert Watson } 1642f44d9e24SJohn Baldwin if (td->td_proc == p) 164323fad5b6SDag-Erling Smørgrav return (0); 1644f44d9e24SJohn Baldwin if ((error = prison_check(td->td_ucred, p->p_ucred))) 164591421ba2SRobert Watson return (error); 16468a1d977dSRobert Watson #ifdef MAC 164730d239bcSRobert Watson if ((error = mac_proc_check_debug(td->td_ucred, p))) 16488a1d977dSRobert Watson return (error); 16498a1d977dSRobert Watson #endif 1650f44d9e24SJohn Baldwin if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 16511b350b45SRobert Watson return (error); 165264d19c2eSRobert Watson if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 165364d19c2eSRobert Watson return (error); 1654387d2c03SRobert Watson 16557fd6a959SRobert Watson /* 1656f44d9e24SJohn Baldwin * Is p's group set a subset of td's effective group set? This 1657f44d9e24SJohn Baldwin * includes p's egid, group access list, rgid, and svgid. 16587fd6a959SRobert Watson */ 1659db42a33dSRobert Watson grpsubset = 1; 1660f44d9e24SJohn Baldwin for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1661f44d9e24SJohn Baldwin if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1662db42a33dSRobert Watson grpsubset = 0; 1663db42a33dSRobert Watson break; 1664db42a33dSRobert Watson } 1665db42a33dSRobert Watson } 1666db42a33dSRobert Watson grpsubset = grpsubset && 1667f44d9e24SJohn Baldwin groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1668f44d9e24SJohn Baldwin groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1669db42a33dSRobert Watson 1670db42a33dSRobert Watson /* 1671f44d9e24SJohn Baldwin * Are the uids present in p's credential equal to td's 1672f44d9e24SJohn Baldwin * effective uid? This includes p's euid, svuid, and ruid. 1673db42a33dSRobert Watson */ 1674f44d9e24SJohn Baldwin uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1675f44d9e24SJohn Baldwin td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1676f44d9e24SJohn Baldwin td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1677db42a33dSRobert Watson 1678db42a33dSRobert Watson /* 1679db42a33dSRobert Watson * Has the credential of the process changed since the last exec()? 1680db42a33dSRobert Watson */ 1681f44d9e24SJohn Baldwin credentialchanged = (p->p_flag & P_SUGID); 1682db42a33dSRobert Watson 1683db42a33dSRobert Watson /* 1684f44d9e24SJohn Baldwin * If p's gids aren't a subset, or the uids aren't a subset, 1685db42a33dSRobert Watson * or the credential has changed, require appropriate privilege 1686800c9408SRobert Watson * for td to debug p. 1687db42a33dSRobert Watson */ 1688800c9408SRobert Watson if (!grpsubset || !uidsubset) { 168932f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1690800c9408SRobert Watson if (error) 1691800c9408SRobert Watson return (error); 1692800c9408SRobert Watson } 1693800c9408SRobert Watson 1694800c9408SRobert Watson if (credentialchanged) { 169532f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_SUGID); 169632d18604SRobert Watson if (error) 1697387d2c03SRobert Watson return (error); 16987fd6a959SRobert Watson } 1699387d2c03SRobert Watson 1700eb725b4eSRobert Watson /* Can't trace init when securelevel > 0. */ 1701f44d9e24SJohn Baldwin if (p == initproc) { 1702f44d9e24SJohn Baldwin error = securelevel_gt(td->td_ucred, 0); 17033ca719f1SRobert Watson if (error) 17043ca719f1SRobert Watson return (error); 17053ca719f1SRobert Watson } 1706387d2c03SRobert Watson 17075fab7614SRobert Watson /* 17085fab7614SRobert Watson * Can't trace a process that's currently exec'ing. 1709800c9408SRobert Watson * 17105fab7614SRobert Watson * XXX: Note, this is not a security policy decision, it's a 17115fab7614SRobert Watson * basic correctness/functionality decision. Therefore, this check 17125fab7614SRobert Watson * should be moved to the caller's of p_candebug(). 17135fab7614SRobert Watson */ 1714f44d9e24SJohn Baldwin if ((p->p_flag & P_INEXEC) != 0) 1715af80b2c9SKonstantin Belousov return (EBUSY); 17169ca45e81SDag-Erling Smørgrav 1717387d2c03SRobert Watson return (0); 1718387d2c03SRobert Watson } 1719387d2c03SRobert Watson 17201a996ed1SEdward Tomasz Napierala /*- 172129dc1288SRobert Watson * Determine whether the subject represented by cred can "see" a socket. 172229dc1288SRobert Watson * Returns: 0 for permitted, ENOENT otherwise. 172329dc1288SRobert Watson */ 172429dc1288SRobert Watson int 172529dc1288SRobert Watson cr_canseesocket(struct ucred *cred, struct socket *so) 172629dc1288SRobert Watson { 172729dc1288SRobert Watson int error; 172829dc1288SRobert Watson 172929dc1288SRobert Watson error = prison_check(cred, so->so_cred); 173029dc1288SRobert Watson if (error) 173129dc1288SRobert Watson return (ENOENT); 17328a1d977dSRobert Watson #ifdef MAC 173330d239bcSRobert Watson error = mac_socket_check_visible(cred, so); 17348a1d977dSRobert Watson if (error) 17358a1d977dSRobert Watson return (error); 17368a1d977dSRobert Watson #endif 173729dc1288SRobert Watson if (cr_seeotheruids(cred, so->so_cred)) 173829dc1288SRobert Watson return (ENOENT); 173964d19c2eSRobert Watson if (cr_seeothergids(cred, so->so_cred)) 174064d19c2eSRobert Watson return (ENOENT); 174129dc1288SRobert Watson 174229dc1288SRobert Watson return (0); 174329dc1288SRobert Watson } 174429dc1288SRobert Watson 1745f08ef6c5SBjoern A. Zeeb #if defined(INET) || defined(INET6) 17461a996ed1SEdward Tomasz Napierala /*- 1747f08ef6c5SBjoern A. Zeeb * Determine whether the subject represented by cred can "see" a socket. 1748f08ef6c5SBjoern A. Zeeb * Returns: 0 for permitted, ENOENT otherwise. 1749f08ef6c5SBjoern A. Zeeb */ 1750f08ef6c5SBjoern A. Zeeb int 1751f08ef6c5SBjoern A. Zeeb cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1752f08ef6c5SBjoern A. Zeeb { 1753f08ef6c5SBjoern A. Zeeb int error; 1754f08ef6c5SBjoern A. Zeeb 1755f08ef6c5SBjoern A. Zeeb error = prison_check(cred, inp->inp_cred); 1756f08ef6c5SBjoern A. Zeeb if (error) 1757f08ef6c5SBjoern A. Zeeb return (ENOENT); 1758f08ef6c5SBjoern A. Zeeb #ifdef MAC 1759f08ef6c5SBjoern A. Zeeb INP_LOCK_ASSERT(inp); 1760f08ef6c5SBjoern A. Zeeb error = mac_inpcb_check_visible(cred, inp); 1761f08ef6c5SBjoern A. Zeeb if (error) 1762f08ef6c5SBjoern A. Zeeb return (error); 1763f08ef6c5SBjoern A. Zeeb #endif 1764f08ef6c5SBjoern A. Zeeb if (cr_seeotheruids(cred, inp->inp_cred)) 1765f08ef6c5SBjoern A. Zeeb return (ENOENT); 1766f08ef6c5SBjoern A. Zeeb if (cr_seeothergids(cred, inp->inp_cred)) 1767f08ef6c5SBjoern A. Zeeb return (ENOENT); 1768f08ef6c5SBjoern A. Zeeb 1769f08ef6c5SBjoern A. Zeeb return (0); 1770f08ef6c5SBjoern A. Zeeb } 1771f08ef6c5SBjoern A. Zeeb #endif 1772f08ef6c5SBjoern A. Zeeb 17731a996ed1SEdward Tomasz Napierala /*- 1774babe9a2bSRobert Watson * Determine whether td can wait for the exit of p. 1775babe9a2bSRobert Watson * Returns: 0 for permitted, an errno value otherwise 1776babe9a2bSRobert Watson * Locks: Sufficient locks to protect various components of td and p 1777babe9a2bSRobert Watson * must be held. td must be curthread, and a lock must 1778babe9a2bSRobert Watson * be held for p. 1779babe9a2bSRobert Watson * References: td and p must be valid for the lifetime of the call 1780babe9a2bSRobert Watson 1781babe9a2bSRobert Watson */ 1782babe9a2bSRobert Watson int 1783babe9a2bSRobert Watson p_canwait(struct thread *td, struct proc *p) 1784babe9a2bSRobert Watson { 1785babe9a2bSRobert Watson int error; 1786babe9a2bSRobert Watson 1787babe9a2bSRobert Watson KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1788babe9a2bSRobert Watson PROC_LOCK_ASSERT(p, MA_OWNED); 17897afcbc18SJamie Gritton if ((error = prison_check(td->td_ucred, p->p_ucred))) 1790babe9a2bSRobert Watson return (error); 1791babe9a2bSRobert Watson #ifdef MAC 179230d239bcSRobert Watson if ((error = mac_proc_check_wait(td->td_ucred, p))) 1793babe9a2bSRobert Watson return (error); 1794babe9a2bSRobert Watson #endif 1795babe9a2bSRobert Watson #if 0 1796babe9a2bSRobert Watson /* XXXMAC: This could have odd effects on some shells. */ 1797babe9a2bSRobert Watson if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1798babe9a2bSRobert Watson return (error); 1799babe9a2bSRobert Watson #endif 1800babe9a2bSRobert Watson 1801babe9a2bSRobert Watson return (0); 1802babe9a2bSRobert Watson } 1803babe9a2bSRobert Watson 1804a9e0361bSPoul-Henning Kamp /* 1805df8bae1dSRodney W. Grimes * Allocate a zeroed cred structure. 1806df8bae1dSRodney W. Grimes */ 1807df8bae1dSRodney W. Grimes struct ucred * 18084c44ad8eSJohn Baldwin crget(void) 1809df8bae1dSRodney W. Grimes { 1810df8bae1dSRodney W. Grimes register struct ucred *cr; 1811df8bae1dSRodney W. Grimes 18121ede983cSDag-Erling Smørgrav cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 18137e9e371fSJohn Baldwin refcount_init(&cr->cr_ref, 1); 1814faef5371SRobert Watson #ifdef AUDIT 1815faef5371SRobert Watson audit_cred_init(cr); 1816faef5371SRobert Watson #endif 181740244964SRobert Watson #ifdef MAC 181830d239bcSRobert Watson mac_cred_init(cr); 181940244964SRobert Watson #endif 1820838d9858SBrooks Davis crextend(cr, XU_NGROUPS); 1821df8bae1dSRodney W. Grimes return (cr); 1822df8bae1dSRodney W. Grimes } 1823df8bae1dSRodney W. Grimes 1824df8bae1dSRodney W. Grimes /* 18257fd6a959SRobert Watson * Claim another reference to a ucred structure. 18265c3f70d7SAlfred Perlstein */ 1827bd78ceceSJohn Baldwin struct ucred * 18284c44ad8eSJohn Baldwin crhold(struct ucred *cr) 18295c3f70d7SAlfred Perlstein { 18305c3f70d7SAlfred Perlstein 18317e9e371fSJohn Baldwin refcount_acquire(&cr->cr_ref); 1832bd78ceceSJohn Baldwin return (cr); 18335c3f70d7SAlfred Perlstein } 18345c3f70d7SAlfred Perlstein 18355c3f70d7SAlfred Perlstein /* 18360c14ff0eSRobert Watson * Free a cred structure. Throws away space when ref count gets to 0. 1837df8bae1dSRodney W. Grimes */ 183826f9a767SRodney W. Grimes void 18394c44ad8eSJohn Baldwin crfree(struct ucred *cr) 1840df8bae1dSRodney W. Grimes { 18411e5d626aSAlfred Perlstein 1842e04670b7SAlfred Perlstein KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 18437e9e371fSJohn Baldwin KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 18447e9e371fSJohn Baldwin if (refcount_release(&cr->cr_ref)) { 1845f535380cSDon Lewis /* 1846f535380cSDon Lewis * Some callers of crget(), such as nfs_statfs(), 1847f535380cSDon Lewis * allocate a temporary credential, but don't 1848f535380cSDon Lewis * allocate a uidinfo structure. 1849f535380cSDon Lewis */ 1850f535380cSDon Lewis if (cr->cr_uidinfo != NULL) 1851f535380cSDon Lewis uifree(cr->cr_uidinfo); 1852823c224eSRobert Watson if (cr->cr_ruidinfo != NULL) 1853823c224eSRobert Watson uifree(cr->cr_ruidinfo); 185491421ba2SRobert Watson /* 185591421ba2SRobert Watson * Free a prison, if any. 185691421ba2SRobert Watson */ 18570304c731SJamie Gritton if (cr->cr_prison != NULL) 185891421ba2SRobert Watson prison_free(cr->cr_prison); 18592bfc50bcSEdward Tomasz Napierala if (cr->cr_loginclass != NULL) 18602bfc50bcSEdward Tomasz Napierala loginclass_free(cr->cr_loginclass); 1861faef5371SRobert Watson #ifdef AUDIT 1862faef5371SRobert Watson audit_cred_destroy(cr); 1863faef5371SRobert Watson #endif 186440244964SRobert Watson #ifdef MAC 186530d239bcSRobert Watson mac_cred_destroy(cr); 186640244964SRobert Watson #endif 1867838d9858SBrooks Davis free(cr->cr_groups, M_CRED); 18681ede983cSDag-Erling Smørgrav free(cr, M_CRED); 1869e1bca29fSMatthew Dillon } 1870df8bae1dSRodney W. Grimes } 1871df8bae1dSRodney W. Grimes 1872df8bae1dSRodney W. Grimes /* 1873bd78ceceSJohn Baldwin * Copy a ucred's contents from a template. Does not block. 1874bd78ceceSJohn Baldwin */ 1875bd78ceceSJohn Baldwin void 18764c44ad8eSJohn Baldwin crcopy(struct ucred *dest, struct ucred *src) 1877bd78ceceSJohn Baldwin { 1878bd78ceceSJohn Baldwin 187925108069SMateusz Guzik KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred")); 1880bd78ceceSJohn Baldwin bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1881bd78ceceSJohn Baldwin (unsigned)((caddr_t)&src->cr_endcopy - 1882bd78ceceSJohn Baldwin (caddr_t)&src->cr_startcopy)); 1883838d9858SBrooks Davis crsetgroups(dest, src->cr_ngroups, src->cr_groups); 1884bd78ceceSJohn Baldwin uihold(dest->cr_uidinfo); 1885bd78ceceSJohn Baldwin uihold(dest->cr_ruidinfo); 1886bd78ceceSJohn Baldwin prison_hold(dest->cr_prison); 18872bfc50bcSEdward Tomasz Napierala loginclass_hold(dest->cr_loginclass); 1888faef5371SRobert Watson #ifdef AUDIT 1889faef5371SRobert Watson audit_cred_copy(src, dest); 1890faef5371SRobert Watson #endif 189140244964SRobert Watson #ifdef MAC 189230d239bcSRobert Watson mac_cred_copy(src, dest); 189340244964SRobert Watson #endif 1894df8bae1dSRodney W. Grimes } 1895df8bae1dSRodney W. Grimes 1896df8bae1dSRodney W. Grimes /* 1897df8bae1dSRodney W. Grimes * Dup cred struct to a new held one. 1898df8bae1dSRodney W. Grimes */ 1899df8bae1dSRodney W. Grimes struct ucred * 19004c44ad8eSJohn Baldwin crdup(struct ucred *cr) 1901df8bae1dSRodney W. Grimes { 1902df8bae1dSRodney W. Grimes struct ucred *newcr; 1903df8bae1dSRodney W. Grimes 1904bd78ceceSJohn Baldwin newcr = crget(); 1905bd78ceceSJohn Baldwin crcopy(newcr, cr); 1906df8bae1dSRodney W. Grimes return (newcr); 1907df8bae1dSRodney W. Grimes } 1908df8bae1dSRodney W. Grimes 1909df8bae1dSRodney W. Grimes /* 191076183f34SDima Dorfman * Fill in a struct xucred based on a struct ucred. 191176183f34SDima Dorfman */ 191276183f34SDima Dorfman void 19134c44ad8eSJohn Baldwin cru2x(struct ucred *cr, struct xucred *xcr) 191476183f34SDima Dorfman { 1915838d9858SBrooks Davis int ngroups; 191676183f34SDima Dorfman 191776183f34SDima Dorfman bzero(xcr, sizeof(*xcr)); 191876183f34SDima Dorfman xcr->cr_version = XUCRED_VERSION; 191976183f34SDima Dorfman xcr->cr_uid = cr->cr_uid; 1920838d9858SBrooks Davis 1921838d9858SBrooks Davis ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 1922838d9858SBrooks Davis xcr->cr_ngroups = ngroups; 1923838d9858SBrooks Davis bcopy(cr->cr_groups, xcr->cr_groups, 1924838d9858SBrooks Davis ngroups * sizeof(*cr->cr_groups)); 192576183f34SDima Dorfman } 192676183f34SDima Dorfman 192776183f34SDima Dorfman /* 19280c14ff0eSRobert Watson * small routine to swap a thread's current ucred for the correct one taken 19290c14ff0eSRobert Watson * from the process. 19302eb927e2SJulian Elischer */ 19312eb927e2SJulian Elischer void 19322eb927e2SJulian Elischer cred_update_thread(struct thread *td) 19332eb927e2SJulian Elischer { 19342eb927e2SJulian Elischer struct proc *p; 193565e3406dSJohn Baldwin struct ucred *cred; 19362eb927e2SJulian Elischer 19372eb927e2SJulian Elischer p = td->td_proc; 193865e3406dSJohn Baldwin cred = td->td_ucred; 19392eb927e2SJulian Elischer PROC_LOCK(p); 19402eb927e2SJulian Elischer td->td_ucred = crhold(p->p_ucred); 19412eb927e2SJulian Elischer PROC_UNLOCK(p); 194265e3406dSJohn Baldwin if (cred != NULL) 194365e3406dSJohn Baldwin crfree(cred); 19442eb927e2SJulian Elischer } 19452eb927e2SJulian Elischer 1946838d9858SBrooks Davis struct ucred * 1947838d9858SBrooks Davis crcopysafe(struct proc *p, struct ucred *cr) 1948838d9858SBrooks Davis { 1949838d9858SBrooks Davis struct ucred *oldcred; 1950838d9858SBrooks Davis int groups; 1951838d9858SBrooks Davis 1952838d9858SBrooks Davis PROC_LOCK_ASSERT(p, MA_OWNED); 1953838d9858SBrooks Davis 1954838d9858SBrooks Davis oldcred = p->p_ucred; 1955838d9858SBrooks Davis while (cr->cr_agroups < oldcred->cr_agroups) { 1956838d9858SBrooks Davis groups = oldcred->cr_agroups; 1957838d9858SBrooks Davis PROC_UNLOCK(p); 1958838d9858SBrooks Davis crextend(cr, groups); 1959838d9858SBrooks Davis PROC_LOCK(p); 1960838d9858SBrooks Davis oldcred = p->p_ucred; 1961838d9858SBrooks Davis } 1962838d9858SBrooks Davis crcopy(cr, oldcred); 1963838d9858SBrooks Davis 1964838d9858SBrooks Davis return (oldcred); 1965838d9858SBrooks Davis } 1966838d9858SBrooks Davis 1967838d9858SBrooks Davis /* 1968838d9858SBrooks Davis * Extend the passed in credential to hold n items. 1969838d9858SBrooks Davis */ 1970838d9858SBrooks Davis static void 1971838d9858SBrooks Davis crextend(struct ucred *cr, int n) 1972838d9858SBrooks Davis { 1973838d9858SBrooks Davis int cnt; 1974838d9858SBrooks Davis 1975838d9858SBrooks Davis /* Truncate? */ 1976838d9858SBrooks Davis if (n <= cr->cr_agroups) 1977838d9858SBrooks Davis return; 1978838d9858SBrooks Davis 1979838d9858SBrooks Davis /* 1980838d9858SBrooks Davis * We extend by 2 each time since we're using a power of two 1981838d9858SBrooks Davis * allocator until we need enough groups to fill a page. 1982838d9858SBrooks Davis * Once we're allocating multiple pages, only allocate as many 1983838d9858SBrooks Davis * as we actually need. The case of processes needing a 1984838d9858SBrooks Davis * non-power of two number of pages seems more likely than 1985838d9858SBrooks Davis * a real world process that adds thousands of groups one at a 1986838d9858SBrooks Davis * time. 1987838d9858SBrooks Davis */ 1988838d9858SBrooks Davis if ( n < PAGE_SIZE / sizeof(gid_t) ) { 1989838d9858SBrooks Davis if (cr->cr_agroups == 0) 1990838d9858SBrooks Davis cnt = MINALLOCSIZE / sizeof(gid_t); 1991838d9858SBrooks Davis else 1992838d9858SBrooks Davis cnt = cr->cr_agroups * 2; 1993838d9858SBrooks Davis 1994838d9858SBrooks Davis while (cnt < n) 1995838d9858SBrooks Davis cnt *= 2; 1996838d9858SBrooks Davis } else 1997838d9858SBrooks Davis cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); 1998838d9858SBrooks Davis 1999838d9858SBrooks Davis /* Free the old array. */ 2000838d9858SBrooks Davis if (cr->cr_groups) 2001838d9858SBrooks Davis free(cr->cr_groups, M_CRED); 2002838d9858SBrooks Davis 2003838d9858SBrooks Davis cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); 2004838d9858SBrooks Davis cr->cr_agroups = cnt; 2005838d9858SBrooks Davis } 2006838d9858SBrooks Davis 2007838d9858SBrooks Davis /* 20087f92e578SBrooks Davis * Copy groups in to a credential, preserving any necessary invariants. 20097f92e578SBrooks Davis * Currently this includes the sorting of all supplemental gids. 20107f92e578SBrooks Davis * crextend() must have been called before hand to ensure sufficient 20117f92e578SBrooks Davis * space is available. 2012838d9858SBrooks Davis */ 2013838d9858SBrooks Davis static void 2014838d9858SBrooks Davis crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) 2015838d9858SBrooks Davis { 20167f92e578SBrooks Davis int i; 20177f92e578SBrooks Davis int j; 20187f92e578SBrooks Davis gid_t g; 2019838d9858SBrooks Davis 2020838d9858SBrooks Davis KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); 2021838d9858SBrooks Davis 2022838d9858SBrooks Davis bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2023838d9858SBrooks Davis cr->cr_ngroups = ngrp; 20247f92e578SBrooks Davis 20257f92e578SBrooks Davis /* 20267f92e578SBrooks Davis * Sort all groups except cr_groups[0] to allow groupmember to 20277f92e578SBrooks Davis * perform a binary search. 20287f92e578SBrooks Davis * 20297f92e578SBrooks Davis * XXX: If large numbers of groups become common this should 20307f92e578SBrooks Davis * be replaced with shell sort like linux uses or possibly 20317f92e578SBrooks Davis * heap sort. 20327f92e578SBrooks Davis */ 20337f92e578SBrooks Davis for (i = 2; i < ngrp; i++) { 20347f92e578SBrooks Davis g = cr->cr_groups[i]; 20357f92e578SBrooks Davis for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) 20367f92e578SBrooks Davis cr->cr_groups[j + 1] = cr->cr_groups[j]; 20377f92e578SBrooks Davis cr->cr_groups[j + 1] = g; 20387f92e578SBrooks Davis } 2039838d9858SBrooks Davis } 2040838d9858SBrooks Davis 2041838d9858SBrooks Davis /* 2042838d9858SBrooks Davis * Copy groups in to a credential after expanding it if required. 2043412f9500SBrooks Davis * Truncate the list to (ngroups_max + 1) if it is too large. 2044838d9858SBrooks Davis */ 2045838d9858SBrooks Davis void 2046838d9858SBrooks Davis crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) 2047838d9858SBrooks Davis { 2048838d9858SBrooks Davis 2049412f9500SBrooks Davis if (ngrp > ngroups_max + 1) 2050412f9500SBrooks Davis ngrp = ngroups_max + 1; 2051838d9858SBrooks Davis 2052838d9858SBrooks Davis crextend(cr, ngrp); 2053838d9858SBrooks Davis crsetgroups_locked(cr, ngrp, groups); 2054838d9858SBrooks Davis } 2055838d9858SBrooks Davis 20562eb927e2SJulian Elischer /* 2057df8bae1dSRodney W. Grimes * Get login name, if available. 2058df8bae1dSRodney W. Grimes */ 2059d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 2060df8bae1dSRodney W. Grimes struct getlogin_args { 2061df8bae1dSRodney W. Grimes char *namebuf; 2062df8bae1dSRodney W. Grimes u_int namelen; 2063df8bae1dSRodney W. Grimes }; 2064d2d3e875SBruce Evans #endif 2065df8bae1dSRodney W. Grimes /* ARGSUSED */ 206626f9a767SRodney W. Grimes int 20678451d0ddSKip Macy sys_getlogin(struct thread *td, struct getlogin_args *uap) 2068df8bae1dSRodney W. Grimes { 2069835a82eeSMatthew Dillon int error; 2070f591779bSSeigo Tanimura char login[MAXLOGNAME]; 2071b40ce416SJulian Elischer struct proc *p = td->td_proc; 2072df8bae1dSRodney W. Grimes 207330cf3ac4SAndrey A. Chernov if (uap->namelen > MAXLOGNAME) 207453490b76SAndrey A. Chernov uap->namelen = MAXLOGNAME; 2075f591779bSSeigo Tanimura PROC_LOCK(p); 2076f591779bSSeigo Tanimura SESS_LOCK(p->p_session); 2077f591779bSSeigo Tanimura bcopy(p->p_session->s_login, login, uap->namelen); 2078f591779bSSeigo Tanimura SESS_UNLOCK(p->p_session); 2079f591779bSSeigo Tanimura PROC_UNLOCK(p); 20806f68699fSBaptiste Daroussin if (strlen(login) + 1 > uap->namelen) 20816f68699fSBaptiste Daroussin return (ERANGE); 20827f05b035SAlfred Perlstein error = copyout(login, uap->namebuf, uap->namelen); 2083835a82eeSMatthew Dillon return (error); 2084df8bae1dSRodney W. Grimes } 2085df8bae1dSRodney W. Grimes 2086df8bae1dSRodney W. Grimes /* 2087df8bae1dSRodney W. Grimes * Set login name. 2088df8bae1dSRodney W. Grimes */ 2089d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 2090df8bae1dSRodney W. Grimes struct setlogin_args { 2091df8bae1dSRodney W. Grimes char *namebuf; 2092df8bae1dSRodney W. Grimes }; 2093d2d3e875SBruce Evans #endif 2094df8bae1dSRodney W. Grimes /* ARGSUSED */ 209526f9a767SRodney W. Grimes int 20968451d0ddSKip Macy sys_setlogin(struct thread *td, struct setlogin_args *uap) 2097df8bae1dSRodney W. Grimes { 2098b40ce416SJulian Elischer struct proc *p = td->td_proc; 2099df8bae1dSRodney W. Grimes int error; 2100964ca0caSAndrey A. Chernov char logintmp[MAXLOGNAME]; 2101df8bae1dSRodney W. Grimes 210232f9753cSRobert Watson error = priv_check(td, PRIV_PROC_SETLOGIN); 210307f3485dSJohn Baldwin if (error) 210407f3485dSJohn Baldwin return (error); 21057f05b035SAlfred Perlstein error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2106eb725b4eSRobert Watson if (error == ENAMETOOLONG) 2107df8bae1dSRodney W. Grimes error = EINVAL; 2108f591779bSSeigo Tanimura else if (!error) { 2109f591779bSSeigo Tanimura PROC_LOCK(p); 2110f591779bSSeigo Tanimura SESS_LOCK(p->p_session); 2111f591779bSSeigo Tanimura (void) memcpy(p->p_session->s_login, logintmp, 2112964ca0caSAndrey A. Chernov sizeof(logintmp)); 2113f591779bSSeigo Tanimura SESS_UNLOCK(p->p_session); 2114f591779bSSeigo Tanimura PROC_UNLOCK(p); 2115f591779bSSeigo Tanimura } 2116df8bae1dSRodney W. Grimes return (error); 2117df8bae1dSRodney W. Grimes } 2118d5f81602SSean Eric Fagan 2119d5f81602SSean Eric Fagan void 21204c44ad8eSJohn Baldwin setsugid(struct proc *p) 2121d5f81602SSean Eric Fagan { 2122f2102dadSAlfred Perlstein 2123f2102dadSAlfred Perlstein PROC_LOCK_ASSERT(p, MA_OWNED); 2124d5f81602SSean Eric Fagan p->p_flag |= P_SUGID; 212589361835SSean Eric Fagan if (!(p->p_pfsflags & PF_ISUGID)) 2126d5f81602SSean Eric Fagan p->p_stops = 0; 2127d5f81602SSean Eric Fagan } 2128f535380cSDon Lewis 21291a996ed1SEdward Tomasz Napierala /*- 21307fd6a959SRobert Watson * Change a process's effective uid. 2131b1fc0ec1SRobert Watson * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2132b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2133b1fc0ec1SRobert Watson * duration of the call. 2134f535380cSDon Lewis */ 2135f535380cSDon Lewis void 21361419eacbSAlfred Perlstein change_euid(struct ucred *newcred, struct uidinfo *euip) 2137f535380cSDon Lewis { 2138f535380cSDon Lewis 21391419eacbSAlfred Perlstein newcred->cr_uid = euip->ui_uid; 21401419eacbSAlfred Perlstein uihold(euip); 2141b1fc0ec1SRobert Watson uifree(newcred->cr_uidinfo); 21421419eacbSAlfred Perlstein newcred->cr_uidinfo = euip; 2143f535380cSDon Lewis } 2144f535380cSDon Lewis 21451a996ed1SEdward Tomasz Napierala /*- 21467fd6a959SRobert Watson * Change a process's effective gid. 2147b1fc0ec1SRobert Watson * Side effects: newcred->cr_gid will be modified. 2148b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2149b1fc0ec1SRobert Watson * duration of the call. 2150f535380cSDon Lewis */ 2151810bfc8eSAndrew Gallatin void 21524c44ad8eSJohn Baldwin change_egid(struct ucred *newcred, gid_t egid) 2153b1fc0ec1SRobert Watson { 2154b1fc0ec1SRobert Watson 2155b1fc0ec1SRobert Watson newcred->cr_groups[0] = egid; 2156b1fc0ec1SRobert Watson } 2157b1fc0ec1SRobert Watson 21581a996ed1SEdward Tomasz Napierala /*- 21597fd6a959SRobert Watson * Change a process's real uid. 2160b1fc0ec1SRobert Watson * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2161b1fc0ec1SRobert Watson * will be updated, and the old and new cr_ruidinfo proc 2162b1fc0ec1SRobert Watson * counts will be updated. 2163b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2164b1fc0ec1SRobert Watson * duration of the call. 2165b1fc0ec1SRobert Watson */ 2166b1fc0ec1SRobert Watson void 21671419eacbSAlfred Perlstein change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2168f535380cSDon Lewis { 2169f535380cSDon Lewis 2170b1fc0ec1SRobert Watson (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 21711419eacbSAlfred Perlstein newcred->cr_ruid = ruip->ui_uid; 21721419eacbSAlfred Perlstein uihold(ruip); 2173b1fc0ec1SRobert Watson uifree(newcred->cr_ruidinfo); 21741419eacbSAlfred Perlstein newcred->cr_ruidinfo = ruip; 2175b1fc0ec1SRobert Watson (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2176b1fc0ec1SRobert Watson } 2177b1fc0ec1SRobert Watson 21781a996ed1SEdward Tomasz Napierala /*- 21797fd6a959SRobert Watson * Change a process's real gid. 2180b1fc0ec1SRobert Watson * Side effects: newcred->cr_rgid will be updated. 2181b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2182b1fc0ec1SRobert Watson * duration of the call. 2183b1fc0ec1SRobert Watson */ 2184b1fc0ec1SRobert Watson void 21854c44ad8eSJohn Baldwin change_rgid(struct ucred *newcred, gid_t rgid) 2186b1fc0ec1SRobert Watson { 2187b1fc0ec1SRobert Watson 2188b1fc0ec1SRobert Watson newcred->cr_rgid = rgid; 2189b1fc0ec1SRobert Watson } 2190b1fc0ec1SRobert Watson 21911a996ed1SEdward Tomasz Napierala /*- 21927fd6a959SRobert Watson * Change a process's saved uid. 2193b1fc0ec1SRobert Watson * Side effects: newcred->cr_svuid will be updated. 2194b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2195b1fc0ec1SRobert Watson * duration of the call. 2196b1fc0ec1SRobert Watson */ 2197b1fc0ec1SRobert Watson void 21984c44ad8eSJohn Baldwin change_svuid(struct ucred *newcred, uid_t svuid) 2199b1fc0ec1SRobert Watson { 2200b1fc0ec1SRobert Watson 2201b1fc0ec1SRobert Watson newcred->cr_svuid = svuid; 2202b1fc0ec1SRobert Watson } 2203b1fc0ec1SRobert Watson 22041a996ed1SEdward Tomasz Napierala /*- 22057fd6a959SRobert Watson * Change a process's saved gid. 2206b1fc0ec1SRobert Watson * Side effects: newcred->cr_svgid will be updated. 2207b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2208b1fc0ec1SRobert Watson * duration of the call. 2209b1fc0ec1SRobert Watson */ 2210b1fc0ec1SRobert Watson void 22114c44ad8eSJohn Baldwin change_svgid(struct ucred *newcred, gid_t svgid) 2212b1fc0ec1SRobert Watson { 2213b1fc0ec1SRobert Watson 2214b1fc0ec1SRobert Watson newcred->cr_svgid = svgid; 2215f535380cSDon Lewis } 2216