1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5 * The Regents of the University of California.
6 * (c) UNIX System Laboratories, Inc.
7 * Copyright (c) 2000-2001 Robert N. M. Watson.
8 * All rights reserved.
9 *
10 * All or some portions of this file are derived from material licensed
11 * to the University of California by American Telephone and Telegraph
12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
13 * the permission of UNIX System Laboratories, Inc.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 */
39
40 /*
41 * System calls related to processes and protection
42 */
43
44 #include <sys/cdefs.h>
45 #include "opt_inet.h"
46 #include "opt_inet6.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/abi_compat.h>
51 #include <sys/acct.h>
52 #include <sys/kdb.h>
53 #include <sys/kernel.h>
54 #include <sys/libkern.h>
55 #include <sys/lock.h>
56 #include <sys/loginclass.h>
57 #include <sys/malloc.h>
58 #include <sys/mutex.h>
59 #include <sys/ptrace.h>
60 #include <sys/refcount.h>
61 #include <sys/sx.h>
62 #include <sys/priv.h>
63 #include <sys/proc.h>
64 #ifdef COMPAT_43
65 #include <sys/sysent.h>
66 #endif
67 #include <sys/sysproto.h>
68 #include <sys/jail.h>
69 #include <sys/racct.h>
70 #include <sys/rctl.h>
71 #include <sys/resourcevar.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/syscallsubr.h>
75 #include <sys/sysctl.h>
76
77 #ifdef MAC
78 #include <security/mac/mac_syscalls.h>
79 #endif
80
81 #include <vm/uma.h>
82
83 #ifdef REGRESSION
84 FEATURE(regression,
85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
86 #endif
87
88 #include <security/audit/audit.h>
89 #include <security/mac/mac_framework.h>
90
91 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
92
93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
94 "BSD security policy");
95
96 static void crfree_final(struct ucred *cr);
97
98 static inline void
groups_check_positive_len(int ngrp)99 groups_check_positive_len(int ngrp)
100 {
101 MPASS2(ngrp >= 0, "negative number of groups");
102 }
103 static inline void
groups_check_max_len(int ngrp)104 groups_check_max_len(int ngrp)
105 {
106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups");
107 }
108
109 static void groups_normalize(int *ngrp, gid_t *groups);
110 static void crsetgroups_internal(struct ucred *cr, int ngrp,
111 const gid_t *groups);
112
113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2);
116
117 #ifndef _SYS_SYSPROTO_H_
118 struct getpid_args {
119 int dummy;
120 };
121 #endif
122 /* ARGSUSED */
123 int
sys_getpid(struct thread * td,struct getpid_args * uap)124 sys_getpid(struct thread *td, struct getpid_args *uap)
125 {
126 struct proc *p = td->td_proc;
127
128 td->td_retval[0] = p->p_pid;
129 #if defined(COMPAT_43)
130 if (SV_PROC_FLAG(p, SV_AOUT))
131 td->td_retval[1] = kern_getppid(td);
132 #endif
133 return (0);
134 }
135
136 #ifndef _SYS_SYSPROTO_H_
137 struct getppid_args {
138 int dummy;
139 };
140 #endif
141 /* ARGSUSED */
142 int
sys_getppid(struct thread * td,struct getppid_args * uap)143 sys_getppid(struct thread *td, struct getppid_args *uap)
144 {
145
146 td->td_retval[0] = kern_getppid(td);
147 return (0);
148 }
149
150 int
kern_getppid(struct thread * td)151 kern_getppid(struct thread *td)
152 {
153 struct proc *p = td->td_proc;
154
155 return (p->p_oppid);
156 }
157
158 /*
159 * Get process group ID; note that POSIX getpgrp takes no parameter.
160 */
161 #ifndef _SYS_SYSPROTO_H_
162 struct getpgrp_args {
163 int dummy;
164 };
165 #endif
166 int
sys_getpgrp(struct thread * td,struct getpgrp_args * uap)167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
168 {
169 struct proc *p = td->td_proc;
170
171 PROC_LOCK(p);
172 td->td_retval[0] = p->p_pgrp->pg_id;
173 PROC_UNLOCK(p);
174 return (0);
175 }
176
177 /* Get an arbitrary pid's process group id */
178 #ifndef _SYS_SYSPROTO_H_
179 struct getpgid_args {
180 pid_t pid;
181 };
182 #endif
183 int
sys_getpgid(struct thread * td,struct getpgid_args * uap)184 sys_getpgid(struct thread *td, struct getpgid_args *uap)
185 {
186 struct proc *p;
187 int error;
188
189 if (uap->pid == 0) {
190 p = td->td_proc;
191 PROC_LOCK(p);
192 } else {
193 p = pfind(uap->pid);
194 if (p == NULL)
195 return (ESRCH);
196 error = p_cansee(td, p);
197 if (error) {
198 PROC_UNLOCK(p);
199 return (error);
200 }
201 }
202 td->td_retval[0] = p->p_pgrp->pg_id;
203 PROC_UNLOCK(p);
204 return (0);
205 }
206
207 /*
208 * Get an arbitrary pid's session id.
209 */
210 #ifndef _SYS_SYSPROTO_H_
211 struct getsid_args {
212 pid_t pid;
213 };
214 #endif
215 int
sys_getsid(struct thread * td,struct getsid_args * uap)216 sys_getsid(struct thread *td, struct getsid_args *uap)
217 {
218
219 return (kern_getsid(td, uap->pid));
220 }
221
222 int
kern_getsid(struct thread * td,pid_t pid)223 kern_getsid(struct thread *td, pid_t pid)
224 {
225 struct proc *p;
226 int error;
227
228 if (pid == 0) {
229 p = td->td_proc;
230 PROC_LOCK(p);
231 } else {
232 p = pfind(pid);
233 if (p == NULL)
234 return (ESRCH);
235 error = p_cansee(td, p);
236 if (error) {
237 PROC_UNLOCK(p);
238 return (error);
239 }
240 }
241 td->td_retval[0] = p->p_session->s_sid;
242 PROC_UNLOCK(p);
243 return (0);
244 }
245
246 #ifndef _SYS_SYSPROTO_H_
247 struct getuid_args {
248 int dummy;
249 };
250 #endif
251 /* ARGSUSED */
252 int
sys_getuid(struct thread * td,struct getuid_args * uap)253 sys_getuid(struct thread *td, struct getuid_args *uap)
254 {
255
256 td->td_retval[0] = td->td_ucred->cr_ruid;
257 #if defined(COMPAT_43)
258 td->td_retval[1] = td->td_ucred->cr_uid;
259 #endif
260 return (0);
261 }
262
263 #ifndef _SYS_SYSPROTO_H_
264 struct geteuid_args {
265 int dummy;
266 };
267 #endif
268 /* ARGSUSED */
269 int
sys_geteuid(struct thread * td,struct geteuid_args * uap)270 sys_geteuid(struct thread *td, struct geteuid_args *uap)
271 {
272
273 td->td_retval[0] = td->td_ucred->cr_uid;
274 return (0);
275 }
276
277 #ifndef _SYS_SYSPROTO_H_
278 struct getgid_args {
279 int dummy;
280 };
281 #endif
282 /* ARGSUSED */
283 int
sys_getgid(struct thread * td,struct getgid_args * uap)284 sys_getgid(struct thread *td, struct getgid_args *uap)
285 {
286
287 td->td_retval[0] = td->td_ucred->cr_rgid;
288 #if defined(COMPAT_43)
289 td->td_retval[1] = td->td_ucred->cr_gid;
290 #endif
291 return (0);
292 }
293
294 #ifndef _SYS_SYSPROTO_H_
295 struct getegid_args {
296 int dummy;
297 };
298 #endif
299 /* ARGSUSED */
300 int
sys_getegid(struct thread * td,struct getegid_args * uap)301 sys_getegid(struct thread *td, struct getegid_args *uap)
302 {
303
304 td->td_retval[0] = td->td_ucred->cr_gid;
305 return (0);
306 }
307
308 #ifdef COMPAT_FREEBSD14
309 int
freebsd14_getgroups(struct thread * td,struct freebsd14_getgroups_args * uap)310 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap)
311 {
312 struct ucred *cred;
313 int ngrp, error;
314
315 cred = td->td_ucred;
316
317 /*
318 * For FreeBSD < 15.0, we account for the egid being placed at the
319 * beginning of the group list prior to all supplementary groups.
320 */
321 ngrp = cred->cr_ngroups + 1;
322 if (uap->gidsetsize == 0) {
323 error = 0;
324 goto out;
325 } else if (uap->gidsetsize < ngrp) {
326 return (EINVAL);
327 }
328
329 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t));
330 if (error == 0)
331 error = copyout(cred->cr_groups, uap->gidset + 1,
332 (ngrp - 1) * sizeof(gid_t));
333
334 out:
335 td->td_retval[0] = ngrp;
336 return (error);
337
338 }
339 #endif /* COMPAT_FREEBSD14 */
340
341 #ifndef _SYS_SYSPROTO_H_
342 struct getgroups_args {
343 int gidsetsize;
344 gid_t *gidset;
345 };
346 #endif
347 int
sys_getgroups(struct thread * td,struct getgroups_args * uap)348 sys_getgroups(struct thread *td, struct getgroups_args *uap)
349 {
350 struct ucred *cred;
351 int ngrp, error;
352
353 cred = td->td_ucred;
354
355 ngrp = cred->cr_ngroups;
356 if (uap->gidsetsize == 0) {
357 error = 0;
358 goto out;
359 }
360 if (uap->gidsetsize < ngrp)
361 return (EINVAL);
362
363 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
364 out:
365 td->td_retval[0] = ngrp;
366 return (error);
367 }
368
369 #ifndef _SYS_SYSPROTO_H_
370 struct setsid_args {
371 int dummy;
372 };
373 #endif
374 /* ARGSUSED */
375 int
sys_setsid(struct thread * td,struct setsid_args * uap)376 sys_setsid(struct thread *td, struct setsid_args *uap)
377 {
378 struct pgrp *pgrp;
379 int error;
380 struct proc *p = td->td_proc;
381 struct pgrp *newpgrp;
382 struct session *newsess;
383
384 pgrp = NULL;
385
386 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
387 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
388
389 again:
390 error = 0;
391 sx_xlock(&proctree_lock);
392
393 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
394 if (pgrp != NULL)
395 PGRP_UNLOCK(pgrp);
396 error = EPERM;
397 } else {
398 error = enterpgrp(p, p->p_pid, newpgrp, newsess);
399 if (error == ERESTART)
400 goto again;
401 MPASS(error == 0);
402 td->td_retval[0] = p->p_pid;
403 newpgrp = NULL;
404 newsess = NULL;
405 }
406
407 sx_xunlock(&proctree_lock);
408
409 uma_zfree(pgrp_zone, newpgrp);
410 free(newsess, M_SESSION);
411
412 return (error);
413 }
414
415 /*
416 * set process group (setpgid/old setpgrp)
417 *
418 * caller does setpgid(targpid, targpgid)
419 *
420 * pid must be caller or child of caller (ESRCH)
421 * if a child
422 * pid must be in same session (EPERM)
423 * pid can't have done an exec (EACCES)
424 * if pgid != pid
425 * there must exist some pid in same session having pgid (EPERM)
426 * pid must not be session leader (EPERM)
427 */
428 #ifndef _SYS_SYSPROTO_H_
429 struct setpgid_args {
430 int pid; /* target process id */
431 int pgid; /* target pgrp id */
432 };
433 #endif
434 /* ARGSUSED */
435 int
sys_setpgid(struct thread * td,struct setpgid_args * uap)436 sys_setpgid(struct thread *td, struct setpgid_args *uap)
437 {
438 struct proc *curp = td->td_proc;
439 struct proc *targp; /* target process */
440 struct pgrp *pgrp; /* target pgrp */
441 int error;
442 struct pgrp *newpgrp;
443
444 if (uap->pgid < 0)
445 return (EINVAL);
446
447 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
448
449 again:
450 error = 0;
451
452 sx_xlock(&proctree_lock);
453 if (uap->pid != 0 && uap->pid != curp->p_pid) {
454 if ((targp = pfind(uap->pid)) == NULL) {
455 error = ESRCH;
456 goto done;
457 }
458 if (!inferior(targp)) {
459 PROC_UNLOCK(targp);
460 error = ESRCH;
461 goto done;
462 }
463 if ((error = p_cansee(td, targp))) {
464 PROC_UNLOCK(targp);
465 goto done;
466 }
467 if (targp->p_pgrp == NULL ||
468 targp->p_session != curp->p_session) {
469 PROC_UNLOCK(targp);
470 error = EPERM;
471 goto done;
472 }
473 if (targp->p_flag & P_EXEC) {
474 PROC_UNLOCK(targp);
475 error = EACCES;
476 goto done;
477 }
478 PROC_UNLOCK(targp);
479 } else
480 targp = curp;
481 if (SESS_LEADER(targp)) {
482 error = EPERM;
483 goto done;
484 }
485 if (uap->pgid == 0)
486 uap->pgid = targp->p_pid;
487 if ((pgrp = pgfind(uap->pgid)) == NULL) {
488 if (uap->pgid == targp->p_pid) {
489 error = enterpgrp(targp, uap->pgid, newpgrp,
490 NULL);
491 if (error == 0)
492 newpgrp = NULL;
493 } else
494 error = EPERM;
495 } else {
496 if (pgrp == targp->p_pgrp) {
497 PGRP_UNLOCK(pgrp);
498 goto done;
499 }
500 if (pgrp->pg_id != targp->p_pid &&
501 pgrp->pg_session != curp->p_session) {
502 PGRP_UNLOCK(pgrp);
503 error = EPERM;
504 goto done;
505 }
506 PGRP_UNLOCK(pgrp);
507 error = enterthispgrp(targp, pgrp);
508 }
509 done:
510 KASSERT(error == 0 || newpgrp != NULL,
511 ("setpgid failed and newpgrp is NULL"));
512 if (error == ERESTART)
513 goto again;
514 sx_xunlock(&proctree_lock);
515 uma_zfree(pgrp_zone, newpgrp);
516 return (error);
517 }
518
519 static int
gidp_cmp(const void * p1,const void * p2)520 gidp_cmp(const void *p1, const void *p2)
521 {
522 const gid_t g1 = *(const gid_t *)p1;
523 const gid_t g2 = *(const gid_t *)p2;
524
525 return ((g1 > g2) - (g1 < g2));
526 }
527
528 /*
529 * Final storage for supplementary groups will be returned via 'groups'.
530 * '*groups' must be NULL on input, and if not equal to 'smallgroups'
531 * on output, must be freed (M_TEMP) *even if* an error is returned.
532 */
533 static int
kern_setcred_copyin_supp_groups(struct setcred * const wcred,const u_int flags,gid_t * const smallgroups,gid_t ** const groups)534 kern_setcred_copyin_supp_groups(struct setcred *const wcred,
535 const u_int flags, gid_t *const smallgroups, gid_t **const groups)
536 {
537 MPASS(*groups == NULL);
538
539 if (flags & SETCREDF_SUPP_GROUPS) {
540 int error;
541
542 /*
543 * Check for the limit for number of groups right now in order
544 * to limit the amount of bytes to copy.
545 */
546 if (wcred->sc_supp_groups_nb > ngroups_max)
547 return (EINVAL);
548
549 /*
550 * Since we are going to be copying the supplementary groups
551 * from userland, make room also for the effective GID right
552 * now, to avoid having to allocate and copy again the
553 * supplementary groups.
554 */
555 *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ?
556 smallgroups : malloc(wcred->sc_supp_groups_nb *
557 sizeof(*groups), M_TEMP, M_WAITOK);
558
559 error = copyin(wcred->sc_supp_groups, *groups,
560 wcred->sc_supp_groups_nb * sizeof(*groups));
561 if (error != 0)
562 return (error);
563 wcred->sc_supp_groups = *groups;
564 } else {
565 wcred->sc_supp_groups_nb = 0;
566 wcred->sc_supp_groups = NULL;
567 }
568
569 return (0);
570 }
571
572 int
user_setcred(struct thread * td,const u_int flags,const void * const uwcred,const size_t size,bool is_32bit)573 user_setcred(struct thread *td, const u_int flags,
574 const void *const uwcred, const size_t size, bool is_32bit)
575 {
576 struct setcred wcred;
577 #ifdef MAC
578 struct mac mac;
579 /* Pointer to 'struct mac' or 'struct mac32'. */
580 void *umac;
581 #endif
582 gid_t smallgroups[CRED_SMALLGROUPS_NB];
583 gid_t *groups = NULL;
584 int error;
585
586 /*
587 * As the only point of this wrapper function is to copyin() from
588 * userland, we only interpret the data pieces we need to perform this
589 * operation and defer further sanity checks to kern_setcred(), except
590 * that we redundantly check here that no unknown flags have been
591 * passed.
592 */
593 if ((flags & ~SETCREDF_MASK) != 0)
594 return (EINVAL);
595
596 #ifdef COMPAT_FREEBSD32
597 if (is_32bit) {
598 struct setcred32 wcred32;
599
600 if (size != sizeof(wcred32))
601 return (EINVAL);
602 error = copyin(uwcred, &wcred32, sizeof(wcred32));
603 if (error != 0)
604 return (error);
605 /* These fields have exactly the same sizes and positions. */
606 memcpy(&wcred, &wcred32, &wcred32.setcred32_copy_end -
607 &wcred32.setcred32_copy_start);
608 /* Remaining fields are pointers and need PTRIN*(). */
609 PTRIN_CP(wcred32, wcred, sc_supp_groups);
610 PTRIN_CP(wcred32, wcred, sc_label);
611 } else
612 #endif /* COMPAT_FREEBSD32 */
613 {
614 if (size != sizeof(wcred))
615 return (EINVAL);
616 error = copyin(uwcred, &wcred, sizeof(wcred));
617 if (error != 0)
618 return (error);
619 }
620 #ifdef MAC
621 umac = wcred.sc_label;
622 #endif
623 /* Also done on !MAC as a defensive measure. */
624 wcred.sc_label = NULL;
625
626 /*
627 * Copy supplementary groups as needed. There is no specific
628 * alternative for 32-bit compatibility as 'gid_t' has the same size
629 * everywhere.
630 */
631 error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups,
632 &groups);
633 if (error != 0)
634 goto free_groups;
635
636 #ifdef MAC
637 if ((flags & SETCREDF_MAC_LABEL) != 0) {
638 #ifdef COMPAT_FREEBSD32
639 if (is_32bit)
640 error = mac_label_copyin32(umac, &mac, NULL);
641 else
642 #endif
643 error = mac_label_copyin(umac, &mac, NULL);
644 if (error != 0)
645 goto free_groups;
646 wcred.sc_label = &mac;
647 }
648 #endif
649
650 error = kern_setcred(td, flags, &wcred, groups);
651
652 #ifdef MAC
653 if (wcred.sc_label != NULL)
654 free_copied_label(wcred.sc_label);
655 #endif
656
657 free_groups:
658 if (groups != smallgroups)
659 free(groups, M_TEMP);
660
661 return (error);
662 }
663
664 #ifndef _SYS_SYSPROTO_H_
665 struct setcred_args {
666 u_int flags; /* Flags. */
667 const struct setcred *wcred;
668 size_t size; /* Passed 'setcred' structure length. */
669 };
670 #endif
671 /* ARGSUSED */
672 int
sys_setcred(struct thread * td,struct setcred_args * uap)673 sys_setcred(struct thread *td, struct setcred_args *uap)
674 {
675 return (user_setcred(td, uap->flags, uap->wcred, uap->size, false));
676 }
677
678 /*
679 * CAUTION: This function normalizes groups in 'wcred'.
680 *
681 * If 'preallocated_groups' is non-NULL, it must be an already allocated array
682 * of size 'wcred->sc_supp_groups_nb' containing the supplementary groups, and
683 * 'wcred->sc_supp_groups' then must point to it.
684 */
685 int
kern_setcred(struct thread * const td,const u_int flags,struct setcred * const wcred,gid_t * preallocated_groups)686 kern_setcred(struct thread *const td, const u_int flags,
687 struct setcred *const wcred, gid_t *preallocated_groups)
688 {
689 struct proc *const p = td->td_proc;
690 struct ucred *new_cred, *old_cred, *to_free_cred;
691 struct uidinfo *uip = NULL, *ruip = NULL;
692 #ifdef MAC
693 void *mac_set_proc_data = NULL;
694 bool proc_label_set = false;
695 #endif
696 gid_t *groups = NULL;
697 gid_t smallgroups[CRED_SMALLGROUPS_NB];
698 int error;
699 bool cred_set = false;
700
701 /* Bail out on unrecognized flags. */
702 if (flags & ~SETCREDF_MASK)
703 return (EINVAL);
704
705 /*
706 * Part 1: We allocate and perform preparatory operations with no locks.
707 */
708
709 if (flags & SETCREDF_SUPP_GROUPS) {
710 if (wcred->sc_supp_groups_nb > ngroups_max)
711 return (EINVAL);
712 if (preallocated_groups != NULL) {
713 groups = preallocated_groups;
714 MPASS(preallocated_groups == wcred->sc_supp_groups);
715 } else {
716 if (wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB)
717 groups = smallgroups;
718 else
719 groups = malloc(wcred->sc_supp_groups_nb *
720 sizeof(*groups), M_TEMP, M_WAITOK);
721 memcpy(groups, wcred->sc_supp_groups,
722 wcred->sc_supp_groups_nb * sizeof(*groups));
723 }
724 }
725
726 if (flags & SETCREDF_MAC_LABEL) {
727 #ifdef MAC
728 error = mac_set_proc_prepare(td, wcred->sc_label,
729 &mac_set_proc_data);
730 if (error != 0)
731 goto free_groups;
732 #else
733 error = ENOTSUP;
734 goto free_groups;
735 #endif
736 }
737
738 if (flags & SETCREDF_UID) {
739 AUDIT_ARG_EUID(wcred->sc_uid);
740 uip = uifind(wcred->sc_uid);
741 }
742 if (flags & SETCREDF_RUID) {
743 AUDIT_ARG_RUID(wcred->sc_ruid);
744 ruip = uifind(wcred->sc_ruid);
745 }
746 if (flags & SETCREDF_SVUID)
747 AUDIT_ARG_SUID(wcred->sc_svuid);
748
749 if (flags & SETCREDF_GID)
750 AUDIT_ARG_EGID(wcred->sc_gid);
751 if (flags & SETCREDF_RGID)
752 AUDIT_ARG_RGID(wcred->sc_rgid);
753 if (flags & SETCREDF_SVGID)
754 AUDIT_ARG_SGID(wcred->sc_svgid);
755 if (flags & SETCREDF_SUPP_GROUPS) {
756 /*
757 * Output the raw supplementary groups array for better
758 * traceability.
759 */
760 AUDIT_ARG_GROUPSET(groups, wcred->sc_supp_groups_nb);
761 groups_normalize(&wcred->sc_supp_groups_nb, groups);
762 }
763
764 /*
765 * We first completely build the new credentials and only then pass them
766 * to MAC along with the old ones so that modules can check whether the
767 * requested transition is allowed.
768 */
769 new_cred = crget();
770 to_free_cred = new_cred;
771 if (flags & SETCREDF_SUPP_GROUPS)
772 crextend(new_cred, wcred->sc_supp_groups_nb);
773
774 #ifdef MAC
775 mac_cred_setcred_enter();
776 #endif
777
778 /*
779 * Part 2: We grab the process lock as to have a stable view of its
780 * current credentials, and prepare a copy of them with the requested
781 * changes applied under that lock.
782 */
783
784 PROC_LOCK(p);
785 old_cred = crcopysafe(p, new_cred);
786
787 /*
788 * Change user IDs.
789 */
790 if (flags & SETCREDF_UID)
791 change_euid(new_cred, uip);
792 if (flags & SETCREDF_RUID)
793 change_ruid(new_cred, ruip);
794 if (flags & SETCREDF_SVUID)
795 change_svuid(new_cred, wcred->sc_svuid);
796
797 /*
798 * Change groups.
799 */
800 if (flags & SETCREDF_SUPP_GROUPS)
801 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb,
802 groups);
803 if (flags & SETCREDF_GID)
804 change_egid(new_cred, wcred->sc_gid);
805 if (flags & SETCREDF_RGID)
806 change_rgid(new_cred, wcred->sc_rgid);
807 if (flags & SETCREDF_SVGID)
808 change_svgid(new_cred, wcred->sc_svgid);
809
810 #ifdef MAC
811 /*
812 * Change the MAC label.
813 */
814 if (flags & SETCREDF_MAC_LABEL) {
815 error = mac_set_proc_core(td, new_cred, mac_set_proc_data);
816 if (error != 0)
817 goto unlock_finish;
818 proc_label_set = true;
819 }
820
821 /*
822 * MAC security modules checks.
823 */
824 error = mac_cred_check_setcred(flags, old_cred, new_cred);
825 if (error != 0)
826 goto unlock_finish;
827 #endif
828 /*
829 * Privilege check.
830 */
831 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED);
832 if (error != 0)
833 goto unlock_finish;
834
835 #ifdef RACCT
836 /*
837 * Hold a reference to 'new_cred', as we need to call some functions on
838 * it after proc_set_cred_enforce_proc_lim().
839 */
840 crhold(new_cred);
841 #endif
842
843 /* Set the new credentials. */
844 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred);
845 if (cred_set) {
846 setsugid(p);
847 #ifdef RACCT
848 /* Adjust RACCT counters. */
849 racct_proc_ucred_changed(p, old_cred, new_cred);
850 #endif
851 to_free_cred = old_cred;
852 MPASS(error == 0);
853 } else {
854 #ifdef RACCT
855 /* Matches the crhold() just before the containing 'if'. */
856 crfree(new_cred);
857 #endif
858 error = EAGAIN;
859 }
860
861 unlock_finish:
862 PROC_UNLOCK(p);
863
864 /*
865 * Part 3: After releasing the process lock, we perform cleanups and
866 * finishing operations.
867 */
868
869 #ifdef RACCT
870 if (cred_set) {
871 #ifdef RCTL
872 rctl_proc_ucred_changed(p, new_cred);
873 #endif
874 /* Paired with the crhold() above. */
875 crfree(new_cred);
876 }
877 #endif
878
879 #ifdef MAC
880 if (mac_set_proc_data != NULL)
881 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data);
882 mac_cred_setcred_exit();
883 #endif
884 crfree(to_free_cred);
885 if (uip != NULL)
886 uifree(uip);
887 if (ruip != NULL)
888 uifree(ruip);
889 free_groups:
890 if (groups != preallocated_groups && groups != smallgroups)
891 free(groups, M_TEMP); /* Deals with 'groups' being NULL. */
892 return (error);
893 }
894
895 /*
896 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
897 * compatible. It says that setting the uid/gid to euid/egid is a special
898 * case of "appropriate privilege". Once the rules are expanded out, this
899 * basically means that setuid(nnn) sets all three id's, in all permitted
900 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
901 * does not set the saved id - this is dangerous for traditional BSD
902 * programs. For this reason, we *really* do not want to set
903 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
904 */
905 #define POSIX_APPENDIX_B_4_2_2
906
907 #ifndef _SYS_SYSPROTO_H_
908 struct setuid_args {
909 uid_t uid;
910 };
911 #endif
912 /* ARGSUSED */
913 int
sys_setuid(struct thread * td,struct setuid_args * uap)914 sys_setuid(struct thread *td, struct setuid_args *uap)
915 {
916 struct proc *p = td->td_proc;
917 struct ucred *newcred, *oldcred;
918 uid_t uid;
919 struct uidinfo *uip;
920 int error;
921
922 uid = uap->uid;
923 AUDIT_ARG_UID(uid);
924 newcred = crget();
925 uip = uifind(uid);
926 PROC_LOCK(p);
927 /*
928 * Copy credentials so other references do not see our changes.
929 */
930 oldcred = crcopysafe(p, newcred);
931
932 #ifdef MAC
933 error = mac_cred_check_setuid(oldcred, uid);
934 if (error)
935 goto fail;
936 #endif
937
938 /*
939 * See if we have "permission" by POSIX 1003.1 rules.
940 *
941 * Note that setuid(geteuid()) is a special case of
942 * "appropriate privileges" in appendix B.4.2.2. We need
943 * to use this clause to be compatible with traditional BSD
944 * semantics. Basically, it means that "setuid(xx)" sets all
945 * three id's (assuming you have privs).
946 *
947 * Notes on the logic. We do things in three steps.
948 * 1: We determine if the euid is going to change, and do EPERM
949 * right away. We unconditionally change the euid later if this
950 * test is satisfied, simplifying that part of the logic.
951 * 2: We determine if the real and/or saved uids are going to
952 * change. Determined by compile options.
953 * 3: Change euid last. (after tests in #2 for "appropriate privs")
954 */
955 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
956 #ifdef _POSIX_SAVED_IDS
957 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
958 #endif
959 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
960 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
961 #endif
962 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
963 goto fail;
964
965 #ifdef _POSIX_SAVED_IDS
966 /*
967 * Do we have "appropriate privileges" (are we root or uid == euid)
968 * If so, we are changing the real uid and/or saved uid.
969 */
970 if (
971 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
972 uid == oldcred->cr_uid ||
973 #endif
974 /* We are using privs. */
975 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
976 #endif
977 {
978 /*
979 * Set the real uid.
980 */
981 if (uid != oldcred->cr_ruid) {
982 change_ruid(newcred, uip);
983 setsugid(p);
984 }
985 /*
986 * Set saved uid
987 *
988 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
989 * the security of seteuid() depends on it. B.4.2.2 says it
990 * is important that we should do this.
991 */
992 if (uid != oldcred->cr_svuid) {
993 change_svuid(newcred, uid);
994 setsugid(p);
995 }
996 }
997
998 /*
999 * In all permitted cases, we are changing the euid.
1000 */
1001 if (uid != oldcred->cr_uid) {
1002 change_euid(newcred, uip);
1003 setsugid(p);
1004 }
1005
1006 #ifdef RACCT
1007 racct_proc_ucred_changed(p, oldcred, newcred);
1008 #endif
1009 #ifdef RCTL
1010 crhold(newcred);
1011 #endif
1012 /*
1013 * Takes over 'newcred''s reference, so 'newcred' must not be used
1014 * besides this point except on RCTL where we took an additional
1015 * reference above.
1016 */
1017 proc_set_cred(p, newcred);
1018 PROC_UNLOCK(p);
1019 #ifdef RCTL
1020 rctl_proc_ucred_changed(p, newcred);
1021 crfree(newcred);
1022 #endif
1023 uifree(uip);
1024 crfree(oldcred);
1025 return (0);
1026
1027 fail:
1028 PROC_UNLOCK(p);
1029 uifree(uip);
1030 crfree(newcred);
1031 return (error);
1032 }
1033
1034 #ifndef _SYS_SYSPROTO_H_
1035 struct seteuid_args {
1036 uid_t euid;
1037 };
1038 #endif
1039 /* ARGSUSED */
1040 int
sys_seteuid(struct thread * td,struct seteuid_args * uap)1041 sys_seteuid(struct thread *td, struct seteuid_args *uap)
1042 {
1043 struct proc *p = td->td_proc;
1044 struct ucred *newcred, *oldcred;
1045 uid_t euid;
1046 struct uidinfo *euip;
1047 int error;
1048
1049 euid = uap->euid;
1050 AUDIT_ARG_EUID(euid);
1051 newcred = crget();
1052 euip = uifind(euid);
1053 PROC_LOCK(p);
1054 /*
1055 * Copy credentials so other references do not see our changes.
1056 */
1057 oldcred = crcopysafe(p, newcred);
1058
1059 #ifdef MAC
1060 error = mac_cred_check_seteuid(oldcred, euid);
1061 if (error)
1062 goto fail;
1063 #endif
1064
1065 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
1066 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
1067 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
1068 goto fail;
1069
1070 /*
1071 * Everything's okay, do it.
1072 */
1073 if (oldcred->cr_uid != euid) {
1074 change_euid(newcred, euip);
1075 setsugid(p);
1076 }
1077 proc_set_cred(p, newcred);
1078 PROC_UNLOCK(p);
1079 uifree(euip);
1080 crfree(oldcred);
1081 return (0);
1082
1083 fail:
1084 PROC_UNLOCK(p);
1085 uifree(euip);
1086 crfree(newcred);
1087 return (error);
1088 }
1089
1090 #ifndef _SYS_SYSPROTO_H_
1091 struct setgid_args {
1092 gid_t gid;
1093 };
1094 #endif
1095 /* ARGSUSED */
1096 int
sys_setgid(struct thread * td,struct setgid_args * uap)1097 sys_setgid(struct thread *td, struct setgid_args *uap)
1098 {
1099 struct proc *p = td->td_proc;
1100 struct ucred *newcred, *oldcred;
1101 gid_t gid;
1102 int error;
1103
1104 gid = uap->gid;
1105 AUDIT_ARG_GID(gid);
1106 newcred = crget();
1107 PROC_LOCK(p);
1108 oldcred = crcopysafe(p, newcred);
1109
1110 #ifdef MAC
1111 error = mac_cred_check_setgid(oldcred, gid);
1112 if (error)
1113 goto fail;
1114 #endif
1115
1116 /*
1117 * See if we have "permission" by POSIX 1003.1 rules.
1118 *
1119 * Note that setgid(getegid()) is a special case of
1120 * "appropriate privileges" in appendix B.4.2.2. We need
1121 * to use this clause to be compatible with traditional BSD
1122 * semantics. Basically, it means that "setgid(xx)" sets all
1123 * three id's (assuming you have privs).
1124 *
1125 * For notes on the logic here, see setuid() above.
1126 */
1127 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
1128 #ifdef _POSIX_SAVED_IDS
1129 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
1130 #endif
1131 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
1132 gid != oldcred->cr_gid && /* allow setgid(getegid()) */
1133 #endif
1134 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
1135 goto fail;
1136
1137 #ifdef _POSIX_SAVED_IDS
1138 /*
1139 * Do we have "appropriate privileges" (are we root or gid == egid)
1140 * If so, we are changing the real uid and saved gid.
1141 */
1142 if (
1143 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
1144 gid == oldcred->cr_gid ||
1145 #endif
1146 /* We are using privs. */
1147 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
1148 #endif
1149 {
1150 /*
1151 * Set real gid
1152 */
1153 if (oldcred->cr_rgid != gid) {
1154 change_rgid(newcred, gid);
1155 setsugid(p);
1156 }
1157 /*
1158 * Set saved gid
1159 *
1160 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
1161 * the security of setegid() depends on it. B.4.2.2 says it
1162 * is important that we should do this.
1163 */
1164 if (oldcred->cr_svgid != gid) {
1165 change_svgid(newcred, gid);
1166 setsugid(p);
1167 }
1168 }
1169 /*
1170 * In all cases permitted cases, we are changing the egid.
1171 * Copy credentials so other references do not see our changes.
1172 */
1173 if (oldcred->cr_gid != gid) {
1174 change_egid(newcred, gid);
1175 setsugid(p);
1176 }
1177 proc_set_cred(p, newcred);
1178 PROC_UNLOCK(p);
1179 crfree(oldcred);
1180 return (0);
1181
1182 fail:
1183 PROC_UNLOCK(p);
1184 crfree(newcred);
1185 return (error);
1186 }
1187
1188 #ifndef _SYS_SYSPROTO_H_
1189 struct setegid_args {
1190 gid_t egid;
1191 };
1192 #endif
1193 /* ARGSUSED */
1194 int
sys_setegid(struct thread * td,struct setegid_args * uap)1195 sys_setegid(struct thread *td, struct setegid_args *uap)
1196 {
1197 struct proc *p = td->td_proc;
1198 struct ucred *newcred, *oldcred;
1199 gid_t egid;
1200 int error;
1201
1202 egid = uap->egid;
1203 AUDIT_ARG_EGID(egid);
1204 newcred = crget();
1205 PROC_LOCK(p);
1206 oldcred = crcopysafe(p, newcred);
1207
1208 #ifdef MAC
1209 error = mac_cred_check_setegid(oldcred, egid);
1210 if (error)
1211 goto fail;
1212 #endif
1213
1214 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
1215 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
1216 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
1217 goto fail;
1218
1219 if (oldcred->cr_gid != egid) {
1220 change_egid(newcred, egid);
1221 setsugid(p);
1222 }
1223 proc_set_cred(p, newcred);
1224 PROC_UNLOCK(p);
1225 crfree(oldcred);
1226 return (0);
1227
1228 fail:
1229 PROC_UNLOCK(p);
1230 crfree(newcred);
1231 return (error);
1232 }
1233
1234 #ifdef COMPAT_FREEBSD14
1235 int
freebsd14_setgroups(struct thread * td,struct freebsd14_setgroups_args * uap)1236 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap)
1237 {
1238 gid_t smallgroups[CRED_SMALLGROUPS_NB];
1239 gid_t *groups;
1240 int gidsetsize, error;
1241
1242 /*
1243 * Before FreeBSD 15.0, we allow one more group to be supplied to
1244 * account for the egid appearing before the supplementary groups. This
1245 * may technically allow one more supplementary group for systems that
1246 * did use the default NGROUPS_MAX if we round it back up to 1024.
1247 */
1248 gidsetsize = uap->gidsetsize;
1249 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
1250 return (EINVAL);
1251
1252 if (gidsetsize > CRED_SMALLGROUPS_NB)
1253 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
1254 else
1255 groups = smallgroups;
1256
1257 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
1258 if (error == 0) {
1259 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0;
1260
1261 error = kern_setgroups(td, &ngroups, groups + 1);
1262 if (error == 0 && gidsetsize > 0)
1263 td->td_proc->p_ucred->cr_gid = groups[0];
1264 }
1265
1266 if (groups != smallgroups)
1267 free(groups, M_TEMP);
1268 return (error);
1269 }
1270 #endif /* COMPAT_FREEBSD14 */
1271
1272 #ifndef _SYS_SYSPROTO_H_
1273 struct setgroups_args {
1274 int gidsetsize;
1275 gid_t *gidset;
1276 };
1277 #endif
1278 /* ARGSUSED */
1279 int
sys_setgroups(struct thread * td,struct setgroups_args * uap)1280 sys_setgroups(struct thread *td, struct setgroups_args *uap)
1281 {
1282 gid_t smallgroups[CRED_SMALLGROUPS_NB];
1283 gid_t *groups;
1284 int gidsetsize, error;
1285
1286 /*
1287 * Sanity check size now to avoid passing too big a value to copyin(),
1288 * even if kern_setgroups() will do it again.
1289 *
1290 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it
1291 * was, in this implementation, for a long time), but POSIX standardized
1292 * getgroups() to take an 'int' and it would be quite entrapping to have
1293 * setgroups() differ.
1294 */
1295 gidsetsize = uap->gidsetsize;
1296 if (gidsetsize > ngroups_max || gidsetsize < 0)
1297 return (EINVAL);
1298
1299 if (gidsetsize > CRED_SMALLGROUPS_NB)
1300 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
1301 else
1302 groups = smallgroups;
1303
1304 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
1305 if (error == 0)
1306 error = kern_setgroups(td, &gidsetsize, groups);
1307
1308 if (groups != smallgroups)
1309 free(groups, M_TEMP);
1310 return (error);
1311 }
1312
1313 /*
1314 * CAUTION: This function normalizes 'groups', possibly also changing the value
1315 * of '*ngrpp' as a consequence.
1316 */
1317 int
kern_setgroups(struct thread * td,int * ngrpp,gid_t * groups)1318 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups)
1319 {
1320 struct proc *p = td->td_proc;
1321 struct ucred *newcred, *oldcred;
1322 int ngrp, error;
1323
1324 ngrp = *ngrpp;
1325 /* Sanity check size. */
1326 if (ngrp < 0 || ngrp > ngroups_max)
1327 return (EINVAL);
1328
1329 AUDIT_ARG_GROUPSET(groups, ngrp);
1330
1331 groups_normalize(&ngrp, groups);
1332 *ngrpp = ngrp;
1333
1334 newcred = crget();
1335 crextend(newcred, ngrp);
1336 PROC_LOCK(p);
1337 oldcred = crcopysafe(p, newcred);
1338
1339 #ifdef MAC
1340 /*
1341 * We pass NULL here explicitly if we don't have any supplementary
1342 * groups mostly for the sake of normalization, but also to avoid/detect
1343 * a situation where a MAC module has some assumption about the layout
1344 * of `groups` matching historical behavior.
1345 */
1346 error = mac_cred_check_setgroups(oldcred, ngrp,
1347 ngrp == 0 ? NULL : groups);
1348 if (error)
1349 goto fail;
1350 #endif
1351
1352 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS);
1353 if (error)
1354 goto fail;
1355
1356 crsetgroups_internal(newcred, ngrp, groups);
1357 setsugid(p);
1358 proc_set_cred(p, newcred);
1359 PROC_UNLOCK(p);
1360 crfree(oldcred);
1361 return (0);
1362
1363 fail:
1364 PROC_UNLOCK(p);
1365 crfree(newcred);
1366 return (error);
1367 }
1368
1369 #ifndef _SYS_SYSPROTO_H_
1370 struct setreuid_args {
1371 uid_t ruid;
1372 uid_t euid;
1373 };
1374 #endif
1375 /* ARGSUSED */
1376 int
sys_setreuid(struct thread * td,struct setreuid_args * uap)1377 sys_setreuid(struct thread *td, struct setreuid_args *uap)
1378 {
1379 struct proc *p = td->td_proc;
1380 struct ucred *newcred, *oldcred;
1381 uid_t euid, ruid;
1382 struct uidinfo *euip, *ruip;
1383 int error;
1384
1385 euid = uap->euid;
1386 ruid = uap->ruid;
1387 AUDIT_ARG_EUID(euid);
1388 AUDIT_ARG_RUID(ruid);
1389 newcred = crget();
1390 euip = uifind(euid);
1391 ruip = uifind(ruid);
1392 PROC_LOCK(p);
1393 oldcred = crcopysafe(p, newcred);
1394
1395 #ifdef MAC
1396 error = mac_cred_check_setreuid(oldcred, ruid, euid);
1397 if (error)
1398 goto fail;
1399 #endif
1400
1401 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1402 ruid != oldcred->cr_svuid) ||
1403 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
1404 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
1405 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0)
1406 goto fail;
1407
1408 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1409 change_euid(newcred, euip);
1410 setsugid(p);
1411 }
1412 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1413 change_ruid(newcred, ruip);
1414 setsugid(p);
1415 }
1416 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
1417 newcred->cr_svuid != newcred->cr_uid) {
1418 change_svuid(newcred, newcred->cr_uid);
1419 setsugid(p);
1420 }
1421 #ifdef RACCT
1422 racct_proc_ucred_changed(p, oldcred, newcred);
1423 #endif
1424 #ifdef RCTL
1425 crhold(newcred);
1426 #endif
1427 /*
1428 * Takes over 'newcred''s reference, so 'newcred' must not be used
1429 * besides this point except on RCTL where we took an additional
1430 * reference above.
1431 */
1432 proc_set_cred(p, newcred);
1433 PROC_UNLOCK(p);
1434 #ifdef RCTL
1435 rctl_proc_ucred_changed(p, newcred);
1436 crfree(newcred);
1437 #endif
1438 uifree(ruip);
1439 uifree(euip);
1440 crfree(oldcred);
1441 return (0);
1442
1443 fail:
1444 PROC_UNLOCK(p);
1445 uifree(ruip);
1446 uifree(euip);
1447 crfree(newcred);
1448 return (error);
1449 }
1450
1451 #ifndef _SYS_SYSPROTO_H_
1452 struct setregid_args {
1453 gid_t rgid;
1454 gid_t egid;
1455 };
1456 #endif
1457 /* ARGSUSED */
1458 int
sys_setregid(struct thread * td,struct setregid_args * uap)1459 sys_setregid(struct thread *td, struct setregid_args *uap)
1460 {
1461 struct proc *p = td->td_proc;
1462 struct ucred *newcred, *oldcred;
1463 gid_t egid, rgid;
1464 int error;
1465
1466 egid = uap->egid;
1467 rgid = uap->rgid;
1468 AUDIT_ARG_EGID(egid);
1469 AUDIT_ARG_RGID(rgid);
1470 newcred = crget();
1471 PROC_LOCK(p);
1472 oldcred = crcopysafe(p, newcred);
1473
1474 #ifdef MAC
1475 error = mac_cred_check_setregid(oldcred, rgid, egid);
1476 if (error)
1477 goto fail;
1478 #endif
1479
1480 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1481 rgid != oldcred->cr_svgid) ||
1482 (egid != (gid_t)-1 && egid != oldcred->cr_gid &&
1483 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
1484 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0)
1485 goto fail;
1486
1487 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) {
1488 change_egid(newcred, egid);
1489 setsugid(p);
1490 }
1491 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1492 change_rgid(newcred, rgid);
1493 setsugid(p);
1494 }
1495 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) &&
1496 newcred->cr_svgid != newcred->cr_gid) {
1497 change_svgid(newcred, newcred->cr_gid);
1498 setsugid(p);
1499 }
1500 proc_set_cred(p, newcred);
1501 PROC_UNLOCK(p);
1502 crfree(oldcred);
1503 return (0);
1504
1505 fail:
1506 PROC_UNLOCK(p);
1507 crfree(newcred);
1508 return (error);
1509 }
1510
1511 /*
1512 * setresuid(ruid, euid, suid) is like setreuid except control over the saved
1513 * uid is explicit.
1514 */
1515 #ifndef _SYS_SYSPROTO_H_
1516 struct setresuid_args {
1517 uid_t ruid;
1518 uid_t euid;
1519 uid_t suid;
1520 };
1521 #endif
1522 /* ARGSUSED */
1523 int
sys_setresuid(struct thread * td,struct setresuid_args * uap)1524 sys_setresuid(struct thread *td, struct setresuid_args *uap)
1525 {
1526 struct proc *p = td->td_proc;
1527 struct ucred *newcred, *oldcred;
1528 uid_t euid, ruid, suid;
1529 struct uidinfo *euip, *ruip;
1530 int error;
1531
1532 euid = uap->euid;
1533 ruid = uap->ruid;
1534 suid = uap->suid;
1535 AUDIT_ARG_EUID(euid);
1536 AUDIT_ARG_RUID(ruid);
1537 AUDIT_ARG_SUID(suid);
1538 newcred = crget();
1539 euip = uifind(euid);
1540 ruip = uifind(ruid);
1541 PROC_LOCK(p);
1542 oldcred = crcopysafe(p, newcred);
1543
1544 #ifdef MAC
1545 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
1546 if (error)
1547 goto fail;
1548 #endif
1549
1550 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1551 ruid != oldcred->cr_svuid &&
1552 ruid != oldcred->cr_uid) ||
1553 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1554 euid != oldcred->cr_svuid &&
1555 euid != oldcred->cr_uid) ||
1556 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1557 suid != oldcred->cr_svuid &&
1558 suid != oldcred->cr_uid)) &&
1559 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0)
1560 goto fail;
1561
1562 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1563 change_euid(newcred, euip);
1564 setsugid(p);
1565 }
1566 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1567 change_ruid(newcred, ruip);
1568 setsugid(p);
1569 }
1570 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1571 change_svuid(newcred, suid);
1572 setsugid(p);
1573 }
1574 #ifdef RACCT
1575 racct_proc_ucred_changed(p, oldcred, newcred);
1576 #endif
1577 #ifdef RCTL
1578 crhold(newcred);
1579 #endif
1580 /*
1581 * Takes over 'newcred''s reference, so 'newcred' must not be used
1582 * besides this point except on RCTL where we took an additional
1583 * reference above.
1584 */
1585 proc_set_cred(p, newcred);
1586 PROC_UNLOCK(p);
1587 #ifdef RCTL
1588 rctl_proc_ucred_changed(p, newcred);
1589 crfree(newcred);
1590 #endif
1591 uifree(ruip);
1592 uifree(euip);
1593 crfree(oldcred);
1594 return (0);
1595
1596 fail:
1597 PROC_UNLOCK(p);
1598 uifree(ruip);
1599 uifree(euip);
1600 crfree(newcred);
1601 return (error);
1602
1603 }
1604
1605 /*
1606 * setresgid(rgid, egid, sgid) is like setregid except control over the saved
1607 * gid is explicit.
1608 */
1609 #ifndef _SYS_SYSPROTO_H_
1610 struct setresgid_args {
1611 gid_t rgid;
1612 gid_t egid;
1613 gid_t sgid;
1614 };
1615 #endif
1616 /* ARGSUSED */
1617 int
sys_setresgid(struct thread * td,struct setresgid_args * uap)1618 sys_setresgid(struct thread *td, struct setresgid_args *uap)
1619 {
1620 struct proc *p = td->td_proc;
1621 struct ucred *newcred, *oldcred;
1622 gid_t egid, rgid, sgid;
1623 int error;
1624
1625 egid = uap->egid;
1626 rgid = uap->rgid;
1627 sgid = uap->sgid;
1628 AUDIT_ARG_EGID(egid);
1629 AUDIT_ARG_RGID(rgid);
1630 AUDIT_ARG_SGID(sgid);
1631 newcred = crget();
1632 PROC_LOCK(p);
1633 oldcred = crcopysafe(p, newcred);
1634
1635 #ifdef MAC
1636 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
1637 if (error)
1638 goto fail;
1639 #endif
1640
1641 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1642 rgid != oldcred->cr_svgid &&
1643 rgid != oldcred->cr_gid) ||
1644 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1645 egid != oldcred->cr_svgid &&
1646 egid != oldcred->cr_gid) ||
1647 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1648 sgid != oldcred->cr_svgid &&
1649 sgid != oldcred->cr_gid)) &&
1650 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0)
1651 goto fail;
1652
1653 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) {
1654 change_egid(newcred, egid);
1655 setsugid(p);
1656 }
1657 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1658 change_rgid(newcred, rgid);
1659 setsugid(p);
1660 }
1661 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1662 change_svgid(newcred, sgid);
1663 setsugid(p);
1664 }
1665 proc_set_cred(p, newcred);
1666 PROC_UNLOCK(p);
1667 crfree(oldcred);
1668 return (0);
1669
1670 fail:
1671 PROC_UNLOCK(p);
1672 crfree(newcred);
1673 return (error);
1674 }
1675
1676 #ifndef _SYS_SYSPROTO_H_
1677 struct getresuid_args {
1678 uid_t *ruid;
1679 uid_t *euid;
1680 uid_t *suid;
1681 };
1682 #endif
1683 /* ARGSUSED */
1684 int
sys_getresuid(struct thread * td,struct getresuid_args * uap)1685 sys_getresuid(struct thread *td, struct getresuid_args *uap)
1686 {
1687 struct ucred *cred;
1688 int error1 = 0, error2 = 0, error3 = 0;
1689
1690 cred = td->td_ucred;
1691 if (uap->ruid)
1692 error1 = copyout(&cred->cr_ruid,
1693 uap->ruid, sizeof(cred->cr_ruid));
1694 if (uap->euid)
1695 error2 = copyout(&cred->cr_uid,
1696 uap->euid, sizeof(cred->cr_uid));
1697 if (uap->suid)
1698 error3 = copyout(&cred->cr_svuid,
1699 uap->suid, sizeof(cred->cr_svuid));
1700 return (error1 ? error1 : error2 ? error2 : error3);
1701 }
1702
1703 #ifndef _SYS_SYSPROTO_H_
1704 struct getresgid_args {
1705 gid_t *rgid;
1706 gid_t *egid;
1707 gid_t *sgid;
1708 };
1709 #endif
1710 /* ARGSUSED */
1711 int
sys_getresgid(struct thread * td,struct getresgid_args * uap)1712 sys_getresgid(struct thread *td, struct getresgid_args *uap)
1713 {
1714 struct ucred *cred;
1715 int error1 = 0, error2 = 0, error3 = 0;
1716
1717 cred = td->td_ucred;
1718 if (uap->rgid)
1719 error1 = copyout(&cred->cr_rgid,
1720 uap->rgid, sizeof(cred->cr_rgid));
1721 if (uap->egid)
1722 error2 = copyout(&cred->cr_gid,
1723 uap->egid, sizeof(cred->cr_gid));
1724 if (uap->sgid)
1725 error3 = copyout(&cred->cr_svgid,
1726 uap->sgid, sizeof(cred->cr_svgid));
1727 return (error1 ? error1 : error2 ? error2 : error3);
1728 }
1729
1730 #ifndef _SYS_SYSPROTO_H_
1731 struct issetugid_args {
1732 int dummy;
1733 };
1734 #endif
1735 /* ARGSUSED */
1736 int
sys_issetugid(struct thread * td,struct issetugid_args * uap)1737 sys_issetugid(struct thread *td, struct issetugid_args *uap)
1738 {
1739 struct proc *p = td->td_proc;
1740
1741 /*
1742 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1743 * we use P_SUGID because we consider changing the owners as
1744 * "tainting" as well.
1745 * This is significant for procs that start as root and "become"
1746 * a user without an exec - programs cannot know *everything*
1747 * that libc *might* have put in their data segment.
1748 */
1749 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1750 return (0);
1751 }
1752
1753 int
sys___setugid(struct thread * td,struct __setugid_args * uap)1754 sys___setugid(struct thread *td, struct __setugid_args *uap)
1755 {
1756 #ifdef REGRESSION
1757 struct proc *p;
1758
1759 p = td->td_proc;
1760 switch (uap->flag) {
1761 case 0:
1762 PROC_LOCK(p);
1763 p->p_flag &= ~P_SUGID;
1764 PROC_UNLOCK(p);
1765 return (0);
1766 case 1:
1767 PROC_LOCK(p);
1768 p->p_flag |= P_SUGID;
1769 PROC_UNLOCK(p);
1770 return (0);
1771 default:
1772 return (EINVAL);
1773 }
1774 #else /* !REGRESSION */
1775
1776 return (ENOSYS);
1777 #endif /* REGRESSION */
1778 }
1779
1780 #ifdef INVARIANTS
1781 static void
groups_check_normalized(int ngrp,const gid_t * groups)1782 groups_check_normalized(int ngrp, const gid_t *groups)
1783 {
1784 gid_t prev_g;
1785
1786 groups_check_positive_len(ngrp);
1787 groups_check_max_len(ngrp);
1788
1789 if (ngrp <= 1)
1790 return;
1791
1792 prev_g = groups[0];
1793 for (int i = 1; i < ngrp; ++i) {
1794 const gid_t g = groups[i];
1795
1796 if (prev_g >= g)
1797 panic("%s: groups[%d] (%u) >= groups[%d] (%u)",
1798 __func__, i - 1, prev_g, i, g);
1799 prev_g = g;
1800 }
1801 }
1802 #else
1803 #define groups_check_normalized(...)
1804 #endif
1805
1806 /*
1807 * Returns whether gid designates a supplementary group in cred.
1808 */
1809 bool
group_is_supplementary(const gid_t gid,const struct ucred * const cred)1810 group_is_supplementary(const gid_t gid, const struct ucred *const cred)
1811 {
1812
1813 groups_check_normalized(cred->cr_ngroups, cred->cr_groups);
1814
1815 /*
1816 * Perform a binary search of the supplementary groups. This is
1817 * possible because we sort the groups in crsetgroups().
1818 */
1819 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups,
1820 sizeof(gid), gidp_cmp) != NULL);
1821 }
1822
1823 /*
1824 * Check if gid is a member of the (effective) group set (i.e., effective and
1825 * supplementary groups).
1826 */
1827 bool
groupmember(gid_t gid,const struct ucred * cred)1828 groupmember(gid_t gid, const struct ucred *cred)
1829 {
1830
1831 groups_check_positive_len(cred->cr_ngroups);
1832
1833 if (gid == cred->cr_gid)
1834 return (true);
1835
1836 return (group_is_supplementary(gid, cred));
1837 }
1838
1839 /*
1840 * Check if gid is a member of the real group set (i.e., real and supplementary
1841 * groups).
1842 */
1843 bool
realgroupmember(gid_t gid,const struct ucred * cred)1844 realgroupmember(gid_t gid, const struct ucred *cred)
1845 {
1846 groups_check_positive_len(cred->cr_ngroups);
1847
1848 if (gid == cred->cr_rgid)
1849 return (true);
1850
1851 return (group_is_supplementary(gid, cred));
1852 }
1853
1854 /*
1855 * Test the active securelevel against a given level. securelevel_gt()
1856 * implements (securelevel > level). securelevel_ge() implements
1857 * (securelevel >= level). Note that the logic is inverted -- these
1858 * functions return EPERM on "success" and 0 on "failure".
1859 *
1860 * Due to care taken when setting the securelevel, we know that no jail will
1861 * be less secure that its parent (or the physical system), so it is sufficient
1862 * to test the current jail only.
1863 *
1864 * XXXRW: Possibly since this has to do with privilege, it should move to
1865 * kern_priv.c.
1866 */
1867 int
securelevel_gt(struct ucred * cr,int level)1868 securelevel_gt(struct ucred *cr, int level)
1869 {
1870
1871 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
1872 }
1873
1874 int
securelevel_ge(struct ucred * cr,int level)1875 securelevel_ge(struct ucred *cr, int level)
1876 {
1877
1878 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
1879 }
1880
1881 /*
1882 * 'see_other_uids' determines whether or not visibility of processes
1883 * and sockets with credentials holding different real uids is possible
1884 * using a variety of system MIBs.
1885 * XXX: data declarations should be together near the beginning of the file.
1886 */
1887 static int see_other_uids = 1;
1888 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1889 &see_other_uids, 0,
1890 "Unprivileged processes may see subjects/objects with different real uid");
1891
1892 /*-
1893 * Determine if u1 "can see" the subject specified by u2, according to the
1894 * 'see_other_uids' policy.
1895 * Returns: 0 for permitted, ESRCH otherwise
1896 * Locks: none
1897 * References: *u1 and *u2 must not change during the call
1898 * u1 may equal u2, in which case only one reference is required
1899 */
1900 static int
cr_canseeotheruids(struct ucred * u1,struct ucred * u2)1901 cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
1902 {
1903
1904 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1905 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0)
1906 return (ESRCH);
1907 }
1908 return (0);
1909 }
1910
1911 /*
1912 * 'see_other_gids' determines whether or not visibility of processes
1913 * and sockets with credentials holding different real gids is possible
1914 * using a variety of system MIBs.
1915 * XXX: data declarations should be together near the beginning of the file.
1916 */
1917 static int see_other_gids = 1;
1918 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1919 &see_other_gids, 0,
1920 "Unprivileged processes may see subjects/objects with different real gid");
1921
1922 /*
1923 * Determine if u1 can "see" the subject specified by u2, according to the
1924 * 'see_other_gids' policy.
1925 * Returns: 0 for permitted, ESRCH otherwise
1926 * Locks: none
1927 * References: *u1 and *u2 must not change during the call
1928 * u1 may equal u2, in which case only one reference is required
1929 */
1930 static int
cr_canseeothergids(struct ucred * u1,struct ucred * u2)1931 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
1932 {
1933 if (see_other_gids)
1934 return (0);
1935
1936 /* Restriction in force. */
1937
1938 if (realgroupmember(u1->cr_rgid, u2))
1939 return (0);
1940
1941 for (int i = 0; i < u1->cr_ngroups; i++)
1942 if (realgroupmember(u1->cr_groups[i], u2))
1943 return (0);
1944
1945 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0)
1946 return (0);
1947
1948 return (ESRCH);
1949 }
1950
1951 /*
1952 * 'see_jail_proc' determines whether or not visibility of processes and
1953 * sockets with credentials holding different jail ids is possible using a
1954 * variety of system MIBs.
1955 *
1956 * XXX: data declarations should be together near the beginning of the file.
1957 */
1958
1959 static int see_jail_proc = 1;
1960 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
1961 &see_jail_proc, 0,
1962 "Unprivileged processes may see subjects/objects with different jail ids");
1963
1964 /*-
1965 * Determine if u1 "can see" the subject specified by u2, according to the
1966 * 'see_jail_proc' policy.
1967 * Returns: 0 for permitted, ESRCH otherwise
1968 * Locks: none
1969 * References: *u1 and *u2 must not change during the call
1970 * u1 may equal u2, in which case only one reference is required
1971 */
1972 static int
cr_canseejailproc(struct ucred * u1,struct ucred * u2)1973 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
1974 {
1975 if (see_jail_proc || /* Policy deactivated. */
1976 u1->cr_prison == u2->cr_prison || /* Same jail. */
1977 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
1978 return (0);
1979
1980 return (ESRCH);
1981 }
1982
1983 /*
1984 * Determine if u1 can tamper with the subject specified by u2, if they are in
1985 * different jails and 'unprivileged_parent_tampering' jail policy allows it.
1986 *
1987 * May be called if u1 and u2 are in the same jail, but it is expected that the
1988 * caller has already done a prison_check() prior to calling it.
1989 *
1990 * Returns: 0 for permitted, EPERM otherwise
1991 */
1992 static int
cr_can_tamper_with_subjail(struct ucred * u1,struct ucred * u2,int priv)1993 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv)
1994 {
1995
1996 MPASS(prison_check(u1, u2) == 0);
1997 if (u1->cr_prison == u2->cr_prison)
1998 return (0);
1999
2000 if (priv_check_cred(u1, priv) == 0)
2001 return (0);
2002
2003 /*
2004 * Jails do not maintain a distinct UID space, so process visibility is
2005 * all that would control an unprivileged process' ability to tamper
2006 * with a process in a subjail by default if we did not have the
2007 * allow.unprivileged_parent_tampering knob to restrict it by default.
2008 */
2009 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER))
2010 return (0);
2011
2012 return (EPERM);
2013 }
2014
2015 /*
2016 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
2017 * policies. Determines if u1 "can see" u2 according to these policies.
2018 * Returns: 0 for permitted, ESRCH otherwise
2019 */
2020 int
cr_bsd_visible(struct ucred * u1,struct ucred * u2)2021 cr_bsd_visible(struct ucred *u1, struct ucred *u2)
2022 {
2023 int error;
2024
2025 error = cr_canseeotheruids(u1, u2);
2026 if (error != 0)
2027 return (error);
2028 error = cr_canseeothergids(u1, u2);
2029 if (error != 0)
2030 return (error);
2031 error = cr_canseejailproc(u1, u2);
2032 if (error != 0)
2033 return (error);
2034 return (0);
2035 }
2036
2037 /*-
2038 * Determine if u1 "can see" the subject specified by u2.
2039 * Returns: 0 for permitted, an errno value otherwise
2040 * Locks: none
2041 * References: *u1 and *u2 must not change during the call
2042 * u1 may equal u2, in which case only one reference is required
2043 */
2044 int
cr_cansee(struct ucred * u1,struct ucred * u2)2045 cr_cansee(struct ucred *u1, struct ucred *u2)
2046 {
2047 int error;
2048
2049 if ((error = prison_check(u1, u2)))
2050 return (error);
2051 #ifdef MAC
2052 if ((error = mac_cred_check_visible(u1, u2)))
2053 return (error);
2054 #endif
2055 if ((error = cr_bsd_visible(u1, u2)))
2056 return (error);
2057 return (0);
2058 }
2059
2060 /*-
2061 * Determine if td "can see" the subject specified by p.
2062 * Returns: 0 for permitted, an errno value otherwise
2063 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
2064 * should be curthread.
2065 * References: td and p must be valid for the lifetime of the call
2066 */
2067 int
p_cansee(struct thread * td,struct proc * p)2068 p_cansee(struct thread *td, struct proc *p)
2069 {
2070 /* Wrap cr_cansee() for all functionality. */
2071 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2072 PROC_LOCK_ASSERT(p, MA_OWNED);
2073
2074 if (td->td_proc == p)
2075 return (0);
2076 return (cr_cansee(td->td_ucred, p->p_ucred));
2077 }
2078
2079 /*
2080 * 'conservative_signals' prevents the delivery of a broad class of
2081 * signals by unprivileged processes to processes that have changed their
2082 * credentials since the last invocation of execve(). This can prevent
2083 * the leakage of cached information or retained privileges as a result
2084 * of a common class of signal-related vulnerabilities. However, this
2085 * may interfere with some applications that expect to be able to
2086 * deliver these signals to peer processes after having given up
2087 * privilege.
2088 */
2089 static int conservative_signals = 1;
2090 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
2091 &conservative_signals, 0, "Unprivileged processes prevented from "
2092 "sending certain signals to processes whose credentials have changed");
2093 /*-
2094 * Determine whether cred may deliver the specified signal to proc.
2095 * Returns: 0 for permitted, an errno value otherwise.
2096 * Locks: A lock must be held for proc.
2097 * References: cred and proc must be valid for the lifetime of the call.
2098 */
2099 int
cr_cansignal(struct ucred * cred,struct proc * proc,int signum)2100 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
2101 {
2102 int error;
2103
2104 PROC_LOCK_ASSERT(proc, MA_OWNED);
2105 /*
2106 * Jail semantics limit the scope of signalling to proc in the
2107 * same jail as cred, if cred is in jail.
2108 */
2109 error = prison_check(cred, proc->p_ucred);
2110 if (error)
2111 return (error);
2112 #ifdef MAC
2113 if ((error = mac_proc_check_signal(cred, proc, signum)))
2114 return (error);
2115 #endif
2116 if ((error = cr_bsd_visible(cred, proc->p_ucred)))
2117 return (error);
2118
2119 /*
2120 * UNIX signal semantics depend on the status of the P_SUGID
2121 * bit on the target process. If the bit is set, then additional
2122 * restrictions are placed on the set of available signals.
2123 */
2124 if (conservative_signals && (proc->p_flag & P_SUGID)) {
2125 switch (signum) {
2126 case 0:
2127 case SIGKILL:
2128 case SIGINT:
2129 case SIGTERM:
2130 case SIGALRM:
2131 case SIGSTOP:
2132 case SIGTTIN:
2133 case SIGTTOU:
2134 case SIGTSTP:
2135 case SIGHUP:
2136 case SIGUSR1:
2137 case SIGUSR2:
2138 /*
2139 * Generally, permit job and terminal control
2140 * signals.
2141 */
2142 break;
2143 default:
2144 /* Not permitted without privilege. */
2145 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
2146 if (error)
2147 return (error);
2148 }
2149 }
2150
2151 /*
2152 * Generally, the target credential's ruid or svuid must match the
2153 * subject credential's ruid or euid.
2154 */
2155 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
2156 cred->cr_ruid != proc->p_ucred->cr_svuid &&
2157 cred->cr_uid != proc->p_ucred->cr_ruid &&
2158 cred->cr_uid != proc->p_ucred->cr_svuid) {
2159 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
2160 if (error)
2161 return (error);
2162 }
2163
2164 /*
2165 * At this point, the target may be in a different jail than the
2166 * subject -- the subject must be in a parent jail to the target,
2167 * whether it is prison0 or a subordinate of prison0 that has
2168 * children. Additional privileges are required to allow this, as
2169 * whether the creds are truly equivalent or not must be determined on
2170 * a case-by-case basis.
2171 */
2172 error = cr_can_tamper_with_subjail(cred, proc->p_ucred,
2173 PRIV_SIGNAL_DIFFJAIL);
2174 if (error)
2175 return (error);
2176
2177 return (0);
2178 }
2179
2180 /*-
2181 * Determine whether td may deliver the specified signal to p.
2182 * Returns: 0 for permitted, an errno value otherwise
2183 * Locks: Sufficient locks to protect various components of td and p
2184 * must be held. td must be curthread, and a lock must be
2185 * held for p.
2186 * References: td and p must be valid for the lifetime of the call
2187 */
2188 int
p_cansignal(struct thread * td,struct proc * p,int signum)2189 p_cansignal(struct thread *td, struct proc *p, int signum)
2190 {
2191
2192 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2193 PROC_LOCK_ASSERT(p, MA_OWNED);
2194 if (td->td_proc == p)
2195 return (0);
2196
2197 /*
2198 * UNIX signalling semantics require that processes in the same
2199 * session always be able to deliver SIGCONT to one another,
2200 * overriding the remaining protections.
2201 */
2202 /* XXX: This will require an additional lock of some sort. */
2203 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
2204 return (0);
2205 /*
2206 * Some compat layers use SIGTHR and higher signals for
2207 * communication between different kernel threads of the same
2208 * process, so that they expect that it's always possible to
2209 * deliver them, even for suid applications where cr_cansignal() can
2210 * deny such ability for security consideration. It should be
2211 * pretty safe to do since the only way to create two processes
2212 * with the same p_leader is via rfork(2).
2213 */
2214 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
2215 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
2216 return (0);
2217
2218 return (cr_cansignal(td->td_ucred, p, signum));
2219 }
2220
2221 /*-
2222 * Determine whether td may reschedule p.
2223 * Returns: 0 for permitted, an errno value otherwise
2224 * Locks: Sufficient locks to protect various components of td and p
2225 * must be held. td must be curthread, and a lock must
2226 * be held for p.
2227 * References: td and p must be valid for the lifetime of the call
2228 */
2229 int
p_cansched(struct thread * td,struct proc * p)2230 p_cansched(struct thread *td, struct proc *p)
2231 {
2232 int error;
2233
2234 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2235 PROC_LOCK_ASSERT(p, MA_OWNED);
2236 if (td->td_proc == p)
2237 return (0);
2238 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2239 return (error);
2240 #ifdef MAC
2241 if ((error = mac_proc_check_sched(td->td_ucred, p)))
2242 return (error);
2243 #endif
2244 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2245 return (error);
2246
2247 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
2248 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
2249 error = priv_check(td, PRIV_SCHED_DIFFCRED);
2250 if (error)
2251 return (error);
2252 }
2253
2254 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
2255 PRIV_SCHED_DIFFJAIL);
2256 if (error)
2257 return (error);
2258
2259 return (0);
2260 }
2261
2262 /*
2263 * Handle getting or setting the prison's unprivileged_proc_debug
2264 * value.
2265 */
2266 static int
sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)2267 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
2268 {
2269 int error, val;
2270
2271 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG);
2272 error = sysctl_handle_int(oidp, &val, 0, req);
2273 if (error != 0 || req->newptr == NULL)
2274 return (error);
2275 if (val != 0 && val != 1)
2276 return (EINVAL);
2277 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val);
2278 return (0);
2279 }
2280
2281 /*
2282 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
2283 * unprivileged inter-process debugging services, including some procfs
2284 * functionality, ptrace(), and ktrace(). In the past, inter-process
2285 * debugging has been involved in a variety of security problems, and sites
2286 * not requiring the service might choose to disable it when hardening
2287 * systems.
2288 */
2289 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
2290 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
2291 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
2292 "Unprivileged processes may use process debugging facilities");
2293
2294 /*
2295 * Return true if the object owner/group ids are subset of the active
2296 * credentials.
2297 */
2298 bool
cr_xids_subset(struct ucred * active_cred,struct ucred * obj_cred)2299 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred)
2300 {
2301 int i;
2302 bool grpsubset, uidsubset;
2303
2304 /*
2305 * Is p's group set a subset of td's effective group set? This
2306 * includes p's egid, group access list, rgid, and svgid.
2307 */
2308 grpsubset = true;
2309 for (i = 0; i < obj_cred->cr_ngroups; i++) {
2310 if (!groupmember(obj_cred->cr_groups[i], active_cred)) {
2311 grpsubset = false;
2312 break;
2313 }
2314 }
2315 grpsubset = grpsubset &&
2316 groupmember(obj_cred->cr_gid, active_cred) &&
2317 groupmember(obj_cred->cr_rgid, active_cred) &&
2318 groupmember(obj_cred->cr_svgid, active_cred);
2319
2320 /*
2321 * Are the uids present in obj_cred's credential equal to
2322 * active_cred's effective uid? This includes obj_cred's
2323 * euid, svuid, and ruid.
2324 */
2325 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid &&
2326 active_cred->cr_uid == obj_cred->cr_svuid &&
2327 active_cred->cr_uid == obj_cred->cr_ruid);
2328
2329 return (uidsubset && grpsubset);
2330 }
2331
2332 /*-
2333 * Determine whether td may debug p.
2334 * Returns: 0 for permitted, an errno value otherwise
2335 * Locks: Sufficient locks to protect various components of td and p
2336 * must be held. td must be curthread, and a lock must
2337 * be held for p.
2338 * References: td and p must be valid for the lifetime of the call
2339 */
2340 int
p_candebug(struct thread * td,struct proc * p)2341 p_candebug(struct thread *td, struct proc *p)
2342 {
2343 int error;
2344
2345 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2346 PROC_LOCK_ASSERT(p, MA_OWNED);
2347 if (td->td_proc == p)
2348 return (0);
2349 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
2350 return (error);
2351 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2352 return (error);
2353 #ifdef MAC
2354 if ((error = mac_proc_check_debug(td->td_ucred, p)))
2355 return (error);
2356 #endif
2357 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2358 return (error);
2359
2360 /*
2361 * If p's gids aren't a subset, or the uids aren't a subset,
2362 * or the credential has changed, require appropriate privilege
2363 * for td to debug p.
2364 */
2365 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) {
2366 error = priv_check(td, PRIV_DEBUG_DIFFCRED);
2367 if (error)
2368 return (error);
2369 }
2370
2371 /*
2372 * Has the credential of the process changed since the last exec()?
2373 */
2374 if ((p->p_flag & P_SUGID) != 0) {
2375 error = priv_check(td, PRIV_DEBUG_SUGID);
2376 if (error)
2377 return (error);
2378 }
2379
2380 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred,
2381 PRIV_DEBUG_DIFFJAIL);
2382 if (error)
2383 return (error);
2384
2385 /* Can't trace init when securelevel > 0. */
2386 if (p == initproc) {
2387 error = securelevel_gt(td->td_ucred, 0);
2388 if (error)
2389 return (error);
2390 }
2391
2392 /*
2393 * Can't trace a process that's currently exec'ing.
2394 *
2395 * XXX: Note, this is not a security policy decision, it's a
2396 * basic correctness/functionality decision. Therefore, this check
2397 * should be moved to the caller's of p_candebug().
2398 */
2399 if ((p->p_flag & P_INEXEC) != 0)
2400 return (EBUSY);
2401
2402 /* Denied explicitly */
2403 if ((p->p_flag2 & P2_NOTRACE) != 0) {
2404 error = priv_check(td, PRIV_DEBUG_DENIED);
2405 if (error != 0)
2406 return (error);
2407 }
2408
2409 return (0);
2410 }
2411
2412 /*-
2413 * Determine whether the subject represented by cred can "see" a socket.
2414 * Returns: 0 for permitted, ENOENT otherwise.
2415 */
2416 int
cr_canseesocket(struct ucred * cred,struct socket * so)2417 cr_canseesocket(struct ucred *cred, struct socket *so)
2418 {
2419 int error;
2420
2421 error = prison_check(cred, so->so_cred);
2422 if (error)
2423 return (ENOENT);
2424 #ifdef MAC
2425 error = mac_socket_check_visible(cred, so);
2426 if (error)
2427 return (error);
2428 #endif
2429 if (cr_bsd_visible(cred, so->so_cred))
2430 return (ENOENT);
2431
2432 return (0);
2433 }
2434
2435 /*-
2436 * Determine whether td can wait for the exit of p.
2437 * Returns: 0 for permitted, an errno value otherwise
2438 * Locks: Sufficient locks to protect various components of td and p
2439 * must be held. td must be curthread, and a lock must
2440 * be held for p.
2441 * References: td and p must be valid for the lifetime of the call
2442
2443 */
2444 int
p_canwait(struct thread * td,struct proc * p)2445 p_canwait(struct thread *td, struct proc *p)
2446 {
2447 int error;
2448
2449 KASSERT(td == curthread, ("%s: td not curthread", __func__));
2450 PROC_LOCK_ASSERT(p, MA_OWNED);
2451 if ((error = prison_check(td->td_ucred, p->p_ucred)))
2452 return (error);
2453 #ifdef MAC
2454 if ((error = mac_proc_check_wait(td->td_ucred, p)))
2455 return (error);
2456 #endif
2457 #if 0
2458 /* XXXMAC: This could have odd effects on some shells. */
2459 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
2460 return (error);
2461 #endif
2462
2463 return (0);
2464 }
2465
2466 /*
2467 * Credential management.
2468 *
2469 * struct ucred objects are rarely allocated but gain and lose references all
2470 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into
2471 * a significant source of cache-line ping ponging. Common cases are worked
2472 * around by modifying thread-local counter instead if the cred to operate on
2473 * matches td_realucred.
2474 *
2475 * The counter is split into 2 parts:
2476 * - cr_users -- total count of all struct proc and struct thread objects
2477 * which have given cred in p_ucred and td_ucred respectively
2478 * - cr_ref -- the actual ref count, only valid if cr_users == 0
2479 *
2480 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if
2481 * the count reaches 0 the object is freeable.
2482 * If users > 0 and curthread->td_realucred == cred, then updates are performed
2483 * against td_ucredref.
2484 * In other cases updates are performed against cr_ref.
2485 *
2486 * Changing td_realucred into something else decrements cr_users and transfers
2487 * accumulated updates.
2488 */
2489 struct ucred *
crcowget(struct ucred * cr)2490 crcowget(struct ucred *cr)
2491 {
2492
2493 mtx_lock(&cr->cr_mtx);
2494 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2495 __func__, cr->cr_users, cr));
2496 cr->cr_users++;
2497 cr->cr_ref++;
2498 mtx_unlock(&cr->cr_mtx);
2499 return (cr);
2500 }
2501
2502 static struct ucred *
crunuse(struct thread * td)2503 crunuse(struct thread *td)
2504 {
2505 struct ucred *cr, *crold;
2506
2507 MPASS(td->td_realucred == td->td_ucred);
2508 cr = td->td_realucred;
2509 mtx_lock(&cr->cr_mtx);
2510 cr->cr_ref += td->td_ucredref;
2511 td->td_ucredref = 0;
2512 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2513 __func__, cr->cr_users, cr));
2514 cr->cr_users--;
2515 if (cr->cr_users == 0) {
2516 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2517 __func__, cr->cr_ref, cr));
2518 crold = cr;
2519 } else {
2520 cr->cr_ref--;
2521 crold = NULL;
2522 }
2523 mtx_unlock(&cr->cr_mtx);
2524 td->td_realucred = NULL;
2525 return (crold);
2526 }
2527
2528 static void
crunusebatch(struct ucred * cr,u_int users,long ref)2529 crunusebatch(struct ucred *cr, u_int users, long ref)
2530 {
2531
2532 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
2533 __func__, users, cr));
2534 mtx_lock(&cr->cr_mtx);
2535 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
2536 __func__, cr->cr_users, users, cr));
2537 cr->cr_users -= users;
2538 cr->cr_ref += ref;
2539 cr->cr_ref -= users;
2540 if (cr->cr_users > 0) {
2541 mtx_unlock(&cr->cr_mtx);
2542 return;
2543 }
2544 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2545 __func__, cr->cr_ref, cr));
2546 if (cr->cr_ref > 0) {
2547 mtx_unlock(&cr->cr_mtx);
2548 return;
2549 }
2550 crfree_final(cr);
2551 }
2552
2553 void
crcowfree(struct thread * td)2554 crcowfree(struct thread *td)
2555 {
2556 struct ucred *cr;
2557
2558 cr = crunuse(td);
2559 if (cr != NULL)
2560 crfree(cr);
2561 }
2562
2563 struct ucred *
crcowsync(void)2564 crcowsync(void)
2565 {
2566 struct thread *td;
2567 struct proc *p;
2568 struct ucred *crnew, *crold;
2569
2570 td = curthread;
2571 p = td->td_proc;
2572 PROC_LOCK_ASSERT(p, MA_OWNED);
2573
2574 MPASS(td->td_realucred == td->td_ucred);
2575 if (td->td_realucred == p->p_ucred)
2576 return (NULL);
2577
2578 crnew = crcowget(p->p_ucred);
2579 crold = crunuse(td);
2580 td->td_realucred = crnew;
2581 td->td_ucred = td->td_realucred;
2582 return (crold);
2583 }
2584
2585 /*
2586 * Batching.
2587 */
2588 void
credbatch_add(struct credbatch * crb,struct thread * td)2589 credbatch_add(struct credbatch *crb, struct thread *td)
2590 {
2591 struct ucred *cr;
2592
2593 MPASS(td->td_realucred != NULL);
2594 MPASS(td->td_realucred == td->td_ucred);
2595 MPASS(TD_GET_STATE(td) == TDS_INACTIVE);
2596 cr = td->td_realucred;
2597 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2598 __func__, cr->cr_users, cr));
2599 if (crb->cred != cr) {
2600 if (crb->users > 0) {
2601 MPASS(crb->cred != NULL);
2602 crunusebatch(crb->cred, crb->users, crb->ref);
2603 crb->users = 0;
2604 crb->ref = 0;
2605 }
2606 }
2607 crb->cred = cr;
2608 crb->users++;
2609 crb->ref += td->td_ucredref;
2610 td->td_ucredref = 0;
2611 td->td_realucred = NULL;
2612 }
2613
2614 void
credbatch_final(struct credbatch * crb)2615 credbatch_final(struct credbatch *crb)
2616 {
2617
2618 MPASS(crb->cred != NULL);
2619 MPASS(crb->users > 0);
2620 crunusebatch(crb->cred, crb->users, crb->ref);
2621 }
2622
2623 /*
2624 * Allocate a zeroed cred structure.
2625 */
2626 struct ucred *
crget(void)2627 crget(void)
2628 {
2629 struct ucred *cr;
2630
2631 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
2632 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
2633 cr->cr_ref = 1;
2634 #ifdef AUDIT
2635 audit_cred_init(cr);
2636 #endif
2637 #ifdef MAC
2638 mac_cred_init(cr);
2639 #endif
2640 cr->cr_groups = cr->cr_smallgroups;
2641 cr->cr_agroups = nitems(cr->cr_smallgroups);
2642 return (cr);
2643 }
2644
2645 /*
2646 * Claim another reference to a ucred structure.
2647 */
2648 struct ucred *
crhold(struct ucred * cr)2649 crhold(struct ucred *cr)
2650 {
2651 struct thread *td;
2652
2653 td = curthread;
2654 if (__predict_true(td->td_realucred == cr)) {
2655 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2656 __func__, cr->cr_users, cr));
2657 td->td_ucredref++;
2658 return (cr);
2659 }
2660 mtx_lock(&cr->cr_mtx);
2661 cr->cr_ref++;
2662 mtx_unlock(&cr->cr_mtx);
2663 return (cr);
2664 }
2665
2666 /*
2667 * Free a cred structure. Throws away space when ref count gets to 0.
2668 */
2669 void
crfree(struct ucred * cr)2670 crfree(struct ucred *cr)
2671 {
2672 struct thread *td;
2673
2674 td = curthread;
2675 if (__predict_true(td->td_realucred == cr)) {
2676 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2677 __func__, cr->cr_users, cr));
2678 td->td_ucredref--;
2679 return;
2680 }
2681 mtx_lock(&cr->cr_mtx);
2682 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
2683 __func__, cr->cr_users, cr));
2684 cr->cr_ref--;
2685 if (cr->cr_users > 0) {
2686 mtx_unlock(&cr->cr_mtx);
2687 return;
2688 }
2689 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
2690 __func__, cr->cr_ref, cr));
2691 if (cr->cr_ref > 0) {
2692 mtx_unlock(&cr->cr_mtx);
2693 return;
2694 }
2695 crfree_final(cr);
2696 }
2697
2698 static void
crfree_final(struct ucred * cr)2699 crfree_final(struct ucred *cr)
2700 {
2701
2702 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
2703 __func__, cr->cr_users, cr));
2704 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p",
2705 __func__, cr->cr_ref, cr));
2706
2707 /*
2708 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
2709 * credential, but don't allocate a uidinfo structure.
2710 */
2711 if (cr->cr_uidinfo != NULL)
2712 uifree(cr->cr_uidinfo);
2713 if (cr->cr_ruidinfo != NULL)
2714 uifree(cr->cr_ruidinfo);
2715 if (cr->cr_prison != NULL)
2716 prison_free(cr->cr_prison);
2717 if (cr->cr_loginclass != NULL)
2718 loginclass_free(cr->cr_loginclass);
2719 #ifdef AUDIT
2720 audit_cred_destroy(cr);
2721 #endif
2722 #ifdef MAC
2723 mac_cred_destroy(cr);
2724 #endif
2725 mtx_destroy(&cr->cr_mtx);
2726 if (cr->cr_groups != cr->cr_smallgroups)
2727 free(cr->cr_groups, M_CRED);
2728 free(cr, M_CRED);
2729 }
2730
2731 /*
2732 * Copy a ucred's contents from a template. Does not block.
2733 */
2734 void
crcopy(struct ucred * dest,struct ucred * src)2735 crcopy(struct ucred *dest, struct ucred *src)
2736 {
2737
2738 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
2739 (unsigned)((caddr_t)&src->cr_endcopy -
2740 (caddr_t)&src->cr_startcopy));
2741 dest->cr_flags = src->cr_flags;
2742 crsetgroups(dest, src->cr_ngroups, src->cr_groups);
2743 uihold(dest->cr_uidinfo);
2744 uihold(dest->cr_ruidinfo);
2745 prison_hold(dest->cr_prison);
2746 loginclass_hold(dest->cr_loginclass);
2747 #ifdef AUDIT
2748 audit_cred_copy(src, dest);
2749 #endif
2750 #ifdef MAC
2751 mac_cred_copy(src, dest);
2752 #endif
2753 }
2754
2755 /*
2756 * Dup cred struct to a new held one.
2757 */
2758 struct ucred *
crdup(struct ucred * cr)2759 crdup(struct ucred *cr)
2760 {
2761 struct ucred *newcr;
2762
2763 newcr = crget();
2764 crcopy(newcr, cr);
2765 return (newcr);
2766 }
2767
2768 /*
2769 * Fill in a struct xucred based on a struct ucred.
2770 */
2771 void
cru2x(struct ucred * cr,struct xucred * xcr)2772 cru2x(struct ucred *cr, struct xucred *xcr)
2773 {
2774 int ngroups;
2775
2776 bzero(xcr, sizeof(*xcr));
2777 xcr->cr_version = XUCRED_VERSION;
2778 xcr->cr_uid = cr->cr_uid;
2779 xcr->cr_gid = cr->cr_gid;
2780
2781 /*
2782 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so
2783 * this is kind of ugly; cr_ngroups still includes the egid for our
2784 * purposes to avoid bumping the xucred version.
2785 */
2786 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups));
2787 xcr->cr_ngroups = ngroups;
2788 bcopy(cr->cr_groups, xcr->cr_sgroups,
2789 (ngroups - 1) * sizeof(*cr->cr_groups));
2790 }
2791
2792 void
cru2xt(struct thread * td,struct xucred * xcr)2793 cru2xt(struct thread *td, struct xucred *xcr)
2794 {
2795
2796 cru2x(td->td_ucred, xcr);
2797 xcr->cr_pid = td->td_proc->p_pid;
2798 }
2799
2800 /*
2801 * Change process credentials.
2802 *
2803 * Callers are responsible for providing the reference for passed credentials
2804 * and for freeing old ones. Calls chgproccnt() to correctly account the
2805 * current process to the proper real UID, if the latter has changed. Returns
2806 * whether the operation was successful. Failure can happen only on
2807 * 'enforce_proc_lim' being true and if no new process can be accounted to the
2808 * new real UID because of the current limit (see the inner comment for more
2809 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override
2810 * that. In this case, the reference to 'newcred' is not taken over.
2811 */
2812 static bool
_proc_set_cred(struct proc * p,struct ucred * newcred,bool enforce_proc_lim)2813 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim)
2814 {
2815 struct ucred *const oldcred = p->p_ucred;
2816
2817 MPASS(oldcred != NULL);
2818 PROC_LOCK_ASSERT(p, MA_OWNED);
2819
2820 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) {
2821 /*
2822 * XXXOC: This check is flawed but nonetheless the best we can
2823 * currently do as we don't really track limits per UID contrary
2824 * to what we pretend in setrlimit(2). Until this is reworked,
2825 * we just check here that the number of processes for our new
2826 * real UID doesn't exceed this process' process number limit
2827 * (which is meant to be associated with the current real UID).
2828 */
2829 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1,
2830 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0);
2831
2832 if (!proccnt_changed) {
2833 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0)
2834 return (false);
2835 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2836 }
2837 }
2838
2839 mtx_lock(&oldcred->cr_mtx);
2840 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2841 __func__, oldcred->cr_users, oldcred));
2842 oldcred->cr_users--;
2843 mtx_unlock(&oldcred->cr_mtx);
2844 mtx_lock(&newcred->cr_mtx);
2845 newcred->cr_users++;
2846 mtx_unlock(&newcred->cr_mtx);
2847 p->p_ucred = newcred;
2848 PROC_UPDATE_COW(p);
2849 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo)
2850 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0);
2851 return (true);
2852 }
2853
2854 void
proc_set_cred(struct proc * p,struct ucred * newcred)2855 proc_set_cred(struct proc *p, struct ucred *newcred)
2856 {
2857 bool success __diagused = _proc_set_cred(p, newcred, false);
2858
2859 MPASS(success);
2860 }
2861
2862 bool
proc_set_cred_enforce_proc_lim(struct proc * p,struct ucred * newcred)2863 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred)
2864 {
2865 return (_proc_set_cred(p, newcred, true));
2866 }
2867
2868 void
proc_unset_cred(struct proc * p,bool decrement_proc_count)2869 proc_unset_cred(struct proc *p, bool decrement_proc_count)
2870 {
2871 struct ucred *cr;
2872
2873 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
2874 cr = p->p_ucred;
2875 p->p_ucred = NULL;
2876 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2877 __func__, cr->cr_users, cr));
2878 mtx_lock(&cr->cr_mtx);
2879 cr->cr_users--;
2880 if (cr->cr_users == 0)
2881 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
2882 __func__, cr->cr_ref, cr));
2883 mtx_unlock(&cr->cr_mtx);
2884 if (decrement_proc_count)
2885 (void)chgproccnt(cr->cr_ruidinfo, -1, 0);
2886 crfree(cr);
2887 }
2888
2889 struct ucred *
crcopysafe(struct proc * p,struct ucred * cr)2890 crcopysafe(struct proc *p, struct ucred *cr)
2891 {
2892 struct ucred *oldcred;
2893 int groups;
2894
2895 PROC_LOCK_ASSERT(p, MA_OWNED);
2896
2897 oldcred = p->p_ucred;
2898 while (cr->cr_agroups < oldcred->cr_ngroups) {
2899 groups = oldcred->cr_ngroups;
2900 PROC_UNLOCK(p);
2901 crextend(cr, groups);
2902 PROC_LOCK(p);
2903 oldcred = p->p_ucred;
2904 }
2905 crcopy(cr, oldcred);
2906
2907 return (oldcred);
2908 }
2909
2910 /*
2911 * Extend the passed-in credentials to hold n groups.
2912 *
2913 * Must not be called after groups have been set.
2914 */
2915 void
crextend(struct ucred * cr,int n)2916 crextend(struct ucred *cr, int n)
2917 {
2918 size_t nbytes;
2919
2920 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
2921 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0,
2922 "groups on 'cr' already set!");
2923 groups_check_positive_len(n);
2924 groups_check_max_len(n);
2925
2926 if (n <= cr->cr_agroups)
2927 return;
2928
2929 nbytes = n * sizeof(gid_t);
2930 if (nbytes < n)
2931 panic("Too many groups (memory size overflow)! "
2932 "Computation of 'kern.ngroups' should have prevented this, "
2933 "please fix it. In the meantime, reduce 'kern.ngroups'.");
2934
2935 /*
2936 * We allocate a power of 2 larger than 'nbytes', except when that
2937 * exceeds PAGE_SIZE, in which case we allocate the right multiple of
2938 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2()
2939 * below) but do not need to for sizeof(gid_t).
2940 */
2941 if (nbytes < PAGE_SIZE) {
2942 if (!powerof2(nbytes))
2943 /* fls*() return a bit index starting at 1. */
2944 nbytes = 1 << flsl(nbytes);
2945 } else
2946 nbytes = roundup2(nbytes, PAGE_SIZE);
2947
2948 /* Free the old array. */
2949 if (cr->cr_groups != cr->cr_smallgroups)
2950 free(cr->cr_groups, M_CRED);
2951
2952 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO);
2953 cr->cr_agroups = nbytes / sizeof(gid_t);
2954 }
2955
2956 /*
2957 * Normalizes a set of groups to be applied to a 'struct ucred'.
2958 *
2959 * Normalization ensures that the supplementary groups are sorted in ascending
2960 * order and do not contain duplicates. This allows group_is_supplementary() to
2961 * do a binary search.
2962 */
2963 static void
groups_normalize(int * ngrp,gid_t * groups)2964 groups_normalize(int *ngrp, gid_t *groups)
2965 {
2966 gid_t prev_g;
2967 int ins_idx;
2968
2969 groups_check_positive_len(*ngrp);
2970 groups_check_max_len(*ngrp);
2971
2972 if (*ngrp <= 1)
2973 return;
2974
2975 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp);
2976
2977 /* Remove duplicates. */
2978 prev_g = groups[0];
2979 ins_idx = 1;
2980 for (int i = ins_idx; i < *ngrp; ++i) {
2981 const gid_t g = groups[i];
2982
2983 if (g != prev_g) {
2984 if (i != ins_idx)
2985 groups[ins_idx] = g;
2986 ++ins_idx;
2987 prev_g = g;
2988 }
2989 }
2990 *ngrp = ins_idx;
2991
2992 groups_check_normalized(*ngrp, groups);
2993 }
2994
2995 /*
2996 * Internal function copying groups into a credential.
2997 *
2998 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have
2999 * been normalized in advance (see groups_normalize()), else it must be so
3000 * before the structure is to be used again.
3001 *
3002 * This function is suitable to be used under any lock (it doesn't take any lock
3003 * itself nor sleep, and in particular doesn't allocate memory). crextend()
3004 * must have been called beforehand to ensure sufficient space is available.
3005 * See also crsetgroups(), which handles that.
3006 */
3007 static void
crsetgroups_internal(struct ucred * cr,int ngrp,const gid_t * groups)3008 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups)
3009 {
3010
3011 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
3012 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small");
3013 groups_check_positive_len(ngrp);
3014
3015 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t));
3016 cr->cr_ngroups = ngrp;
3017 cr->cr_flags |= CRED_FLAG_GROUPSET;
3018 }
3019
3020 /*
3021 * Copy groups in to a credential after expanding it if required.
3022 *
3023 * May sleep in order to allocate memory (except if, e.g., crextend() was called
3024 * before with 'ngrp' or greater). Truncates the list to 'ngroups_max' if
3025 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be
3026 * positive.
3027 */
3028 void
crsetgroups(struct ucred * cr,int ngrp,const gid_t * groups)3029 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups)
3030 {
3031
3032 if (ngrp > ngroups_max)
3033 ngrp = ngroups_max;
3034 cr->cr_ngroups = 0;
3035 if (ngrp == 0) {
3036 cr->cr_flags |= CRED_FLAG_GROUPSET;
3037 return;
3038 }
3039
3040 /*
3041 * crextend() asserts that groups are not set, as it may allocate a new
3042 * backing storage without copying the content of the old one. Since we
3043 * are going to install a completely new set anyway, signal that we
3044 * consider the old ones thrown away.
3045 */
3046 cr->cr_flags &= ~CRED_FLAG_GROUPSET;
3047
3048 crextend(cr, ngrp);
3049 crsetgroups_internal(cr, ngrp, groups);
3050 groups_normalize(&cr->cr_ngroups, cr->cr_groups);
3051 }
3052
3053 /*
3054 * Same as crsetgroups() but sets the effective GID as well.
3055 *
3056 * This function ensures that an effective GID is always present in credentials.
3057 * An empty array will only set the effective GID to 'default_egid', while
3058 * a non-empty array will peel off groups[0] to set as the effective GID and use
3059 * the remainder, if any, as supplementary groups.
3060 */
3061 void
crsetgroups_and_egid(struct ucred * cr,int ngrp,const gid_t * groups,const gid_t default_egid)3062 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups,
3063 const gid_t default_egid)
3064 {
3065 if (ngrp == 0) {
3066 cr->cr_gid = default_egid;
3067 cr->cr_ngroups = 0;
3068 cr->cr_flags |= CRED_FLAG_GROUPSET;
3069 return;
3070 }
3071
3072 crsetgroups(cr, ngrp - 1, groups + 1);
3073 cr->cr_gid = groups[0];
3074 }
3075
3076 /*
3077 * Get login name, if available.
3078 */
3079 #ifndef _SYS_SYSPROTO_H_
3080 struct getlogin_args {
3081 char *namebuf;
3082 u_int namelen;
3083 };
3084 #endif
3085 /* ARGSUSED */
3086 int
sys_getlogin(struct thread * td,struct getlogin_args * uap)3087 sys_getlogin(struct thread *td, struct getlogin_args *uap)
3088 {
3089 char login[MAXLOGNAME];
3090 struct proc *p = td->td_proc;
3091 size_t len;
3092
3093 if (uap->namelen > MAXLOGNAME)
3094 uap->namelen = MAXLOGNAME;
3095 PROC_LOCK(p);
3096 SESS_LOCK(p->p_session);
3097 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
3098 SESS_UNLOCK(p->p_session);
3099 PROC_UNLOCK(p);
3100 if (len > uap->namelen)
3101 return (ERANGE);
3102 return (copyout(login, uap->namebuf, len));
3103 }
3104
3105 /*
3106 * Set login name.
3107 */
3108 #ifndef _SYS_SYSPROTO_H_
3109 struct setlogin_args {
3110 char *namebuf;
3111 };
3112 #endif
3113 /* ARGSUSED */
3114 int
sys_setlogin(struct thread * td,struct setlogin_args * uap)3115 sys_setlogin(struct thread *td, struct setlogin_args *uap)
3116 {
3117 struct proc *p = td->td_proc;
3118 int error;
3119 char logintmp[MAXLOGNAME];
3120
3121 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
3122
3123 error = priv_check(td, PRIV_PROC_SETLOGIN);
3124 if (error)
3125 return (error);
3126 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
3127 if (error != 0) {
3128 if (error == ENAMETOOLONG)
3129 error = EINVAL;
3130 return (error);
3131 }
3132 AUDIT_ARG_LOGIN(logintmp);
3133 PROC_LOCK(p);
3134 SESS_LOCK(p->p_session);
3135 strcpy(p->p_session->s_login, logintmp);
3136 SESS_UNLOCK(p->p_session);
3137 PROC_UNLOCK(p);
3138 return (0);
3139 }
3140
3141 void
setsugid(struct proc * p)3142 setsugid(struct proc *p)
3143 {
3144
3145 PROC_LOCK_ASSERT(p, MA_OWNED);
3146 p->p_flag |= P_SUGID;
3147 }
3148
3149 /*-
3150 * Change a process's effective uid.
3151 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
3152 * References: newcred must be an exclusive credential reference for the
3153 * duration of the call.
3154 */
3155 void
change_euid(struct ucred * newcred,struct uidinfo * euip)3156 change_euid(struct ucred *newcred, struct uidinfo *euip)
3157 {
3158
3159 newcred->cr_uid = euip->ui_uid;
3160 uihold(euip);
3161 uifree(newcred->cr_uidinfo);
3162 newcred->cr_uidinfo = euip;
3163 }
3164
3165 /*-
3166 * Change a process's effective gid.
3167 * Side effects: newcred->cr_gid will be modified.
3168 * References: newcred must be an exclusive credential reference for the
3169 * duration of the call.
3170 */
3171 void
change_egid(struct ucred * newcred,gid_t egid)3172 change_egid(struct ucred *newcred, gid_t egid)
3173 {
3174
3175 newcred->cr_gid = egid;
3176 }
3177
3178 /*-
3179 * Change a process's real uid.
3180 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
3181 * will be updated.
3182 * References: newcred must be an exclusive credential reference for the
3183 * duration of the call.
3184 */
3185 void
change_ruid(struct ucred * newcred,struct uidinfo * ruip)3186 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
3187 {
3188
3189 newcred->cr_ruid = ruip->ui_uid;
3190 uihold(ruip);
3191 uifree(newcred->cr_ruidinfo);
3192 newcred->cr_ruidinfo = ruip;
3193 }
3194
3195 /*-
3196 * Change a process's real gid.
3197 * Side effects: newcred->cr_rgid will be updated.
3198 * References: newcred must be an exclusive credential reference for the
3199 * duration of the call.
3200 */
3201 void
change_rgid(struct ucred * newcred,gid_t rgid)3202 change_rgid(struct ucred *newcred, gid_t rgid)
3203 {
3204
3205 newcred->cr_rgid = rgid;
3206 }
3207
3208 /*-
3209 * Change a process's saved uid.
3210 * Side effects: newcred->cr_svuid will be updated.
3211 * References: newcred must be an exclusive credential reference for the
3212 * duration of the call.
3213 */
3214 void
change_svuid(struct ucred * newcred,uid_t svuid)3215 change_svuid(struct ucred *newcred, uid_t svuid)
3216 {
3217
3218 newcred->cr_svuid = svuid;
3219 }
3220
3221 /*-
3222 * Change a process's saved gid.
3223 * Side effects: newcred->cr_svgid will be updated.
3224 * References: newcred must be an exclusive credential reference for the
3225 * duration of the call.
3226 */
3227 void
change_svgid(struct ucred * newcred,gid_t svgid)3228 change_svgid(struct ucred *newcred, gid_t svgid)
3229 {
3230
3231 newcred->cr_svgid = svgid;
3232 }
3233
3234 bool allow_ptrace = true;
3235 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
3236 &allow_ptrace, 0,
3237 "Deny ptrace(2) use by returning ENOSYS");
3238