1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/abi_compat.h> 51 #include <sys/acct.h> 52 #include <sys/kdb.h> 53 #include <sys/kernel.h> 54 #include <sys/libkern.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef MAC 78 #include <security/mac/mac_syscalls.h> 79 #endif 80 81 #include <vm/uma.h> 82 83 #ifdef REGRESSION 84 FEATURE(regression, 85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 86 #endif 87 88 #include <security/audit/audit.h> 89 #include <security/mac/mac_framework.h> 90 91 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 92 93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 94 "BSD security policy"); 95 96 static void crfree_final(struct ucred *cr); 97 98 static inline void 99 groups_check_positive_len(int ngrp) 100 { 101 MPASS2(ngrp >= 0, "negative number of groups"); 102 } 103 static inline void 104 groups_check_max_len(int ngrp) 105 { 106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups"); 107 } 108 109 static void groups_normalize(int *ngrp, gid_t *groups); 110 static void crsetgroups_internal(struct ucred *cr, int ngrp, 111 const gid_t *groups); 112 113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 116 117 #ifndef _SYS_SYSPROTO_H_ 118 struct getpid_args { 119 int dummy; 120 }; 121 #endif 122 /* ARGSUSED */ 123 int 124 sys_getpid(struct thread *td, struct getpid_args *uap) 125 { 126 struct proc *p = td->td_proc; 127 128 td->td_retval[0] = p->p_pid; 129 #if defined(COMPAT_43) 130 if (SV_PROC_FLAG(p, SV_AOUT)) 131 td->td_retval[1] = kern_getppid(td); 132 #endif 133 return (0); 134 } 135 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getppid_args { 138 int dummy; 139 }; 140 #endif 141 /* ARGSUSED */ 142 int 143 sys_getppid(struct thread *td, struct getppid_args *uap) 144 { 145 146 td->td_retval[0] = kern_getppid(td); 147 return (0); 148 } 149 150 int 151 kern_getppid(struct thread *td) 152 { 153 struct proc *p = td->td_proc; 154 155 return (p->p_oppid); 156 } 157 158 /* 159 * Get process group ID; note that POSIX getpgrp takes no parameter. 160 */ 161 #ifndef _SYS_SYSPROTO_H_ 162 struct getpgrp_args { 163 int dummy; 164 }; 165 #endif 166 int 167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 168 { 169 struct proc *p = td->td_proc; 170 171 PROC_LOCK(p); 172 td->td_retval[0] = p->p_pgrp->pg_id; 173 PROC_UNLOCK(p); 174 return (0); 175 } 176 177 /* Get an arbitrary pid's process group id */ 178 #ifndef _SYS_SYSPROTO_H_ 179 struct getpgid_args { 180 pid_t pid; 181 }; 182 #endif 183 int 184 sys_getpgid(struct thread *td, struct getpgid_args *uap) 185 { 186 struct proc *p; 187 int error; 188 189 if (uap->pid == 0) { 190 p = td->td_proc; 191 PROC_LOCK(p); 192 } else { 193 p = pfind(uap->pid); 194 if (p == NULL) 195 return (ESRCH); 196 error = p_cansee(td, p); 197 if (error) { 198 PROC_UNLOCK(p); 199 return (error); 200 } 201 } 202 td->td_retval[0] = p->p_pgrp->pg_id; 203 PROC_UNLOCK(p); 204 return (0); 205 } 206 207 /* 208 * Get an arbitrary pid's session id. 209 */ 210 #ifndef _SYS_SYSPROTO_H_ 211 struct getsid_args { 212 pid_t pid; 213 }; 214 #endif 215 int 216 sys_getsid(struct thread *td, struct getsid_args *uap) 217 { 218 219 return (kern_getsid(td, uap->pid)); 220 } 221 222 int 223 kern_getsid(struct thread *td, pid_t pid) 224 { 225 struct proc *p; 226 int error; 227 228 if (pid == 0) { 229 p = td->td_proc; 230 PROC_LOCK(p); 231 } else { 232 p = pfind(pid); 233 if (p == NULL) 234 return (ESRCH); 235 error = p_cansee(td, p); 236 if (error) { 237 PROC_UNLOCK(p); 238 return (error); 239 } 240 } 241 td->td_retval[0] = p->p_session->s_sid; 242 PROC_UNLOCK(p); 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getuid_args { 248 int dummy; 249 }; 250 #endif 251 /* ARGSUSED */ 252 int 253 sys_getuid(struct thread *td, struct getuid_args *uap) 254 { 255 256 td->td_retval[0] = td->td_ucred->cr_ruid; 257 #if defined(COMPAT_43) 258 td->td_retval[1] = td->td_ucred->cr_uid; 259 #endif 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct geteuid_args { 265 int dummy; 266 }; 267 #endif 268 /* ARGSUSED */ 269 int 270 sys_geteuid(struct thread *td, struct geteuid_args *uap) 271 { 272 273 td->td_retval[0] = td->td_ucred->cr_uid; 274 return (0); 275 } 276 277 #ifndef _SYS_SYSPROTO_H_ 278 struct getgid_args { 279 int dummy; 280 }; 281 #endif 282 /* ARGSUSED */ 283 int 284 sys_getgid(struct thread *td, struct getgid_args *uap) 285 { 286 287 td->td_retval[0] = td->td_ucred->cr_rgid; 288 #if defined(COMPAT_43) 289 td->td_retval[1] = td->td_ucred->cr_gid; 290 #endif 291 return (0); 292 } 293 294 /* 295 * Get effective group ID. The "egid" is groups[0], and could be obtained 296 * via getgroups. This syscall exists because it is somewhat painful to do 297 * correctly in a library function. 298 */ 299 #ifndef _SYS_SYSPROTO_H_ 300 struct getegid_args { 301 int dummy; 302 }; 303 #endif 304 /* ARGSUSED */ 305 int 306 sys_getegid(struct thread *td, struct getegid_args *uap) 307 { 308 309 td->td_retval[0] = td->td_ucred->cr_gid; 310 return (0); 311 } 312 313 #ifdef COMPAT_FREEBSD14 314 int 315 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap) 316 { 317 struct ucred *cred; 318 int ngrp, error; 319 320 cred = td->td_ucred; 321 322 /* 323 * For FreeBSD < 15.0, we account for the egid being placed at the 324 * beginning of the group list prior to all supplementary groups. 325 */ 326 ngrp = cred->cr_ngroups + 1; 327 if (uap->gidsetsize == 0) { 328 error = 0; 329 goto out; 330 } else if (uap->gidsetsize < ngrp) { 331 return (EINVAL); 332 } 333 334 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t)); 335 if (error == 0) 336 error = copyout(cred->cr_groups, uap->gidset + 1, 337 (ngrp - 1) * sizeof(gid_t)); 338 339 out: 340 td->td_retval[0] = ngrp; 341 return (error); 342 343 } 344 #endif /* COMPAT_FREEBSD14 */ 345 346 #ifndef _SYS_SYSPROTO_H_ 347 struct getgroups_args { 348 int gidsetsize; 349 gid_t *gidset; 350 }; 351 #endif 352 int 353 sys_getgroups(struct thread *td, struct getgroups_args *uap) 354 { 355 struct ucred *cred; 356 int ngrp, error; 357 358 cred = td->td_ucred; 359 360 ngrp = cred->cr_ngroups; 361 if (uap->gidsetsize == 0) { 362 error = 0; 363 goto out; 364 } 365 if (uap->gidsetsize < ngrp) 366 return (EINVAL); 367 368 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 369 out: 370 td->td_retval[0] = ngrp; 371 return (error); 372 } 373 374 #ifndef _SYS_SYSPROTO_H_ 375 struct setsid_args { 376 int dummy; 377 }; 378 #endif 379 /* ARGSUSED */ 380 int 381 sys_setsid(struct thread *td, struct setsid_args *uap) 382 { 383 struct pgrp *pgrp; 384 int error; 385 struct proc *p = td->td_proc; 386 struct pgrp *newpgrp; 387 struct session *newsess; 388 389 pgrp = NULL; 390 391 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 392 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 393 394 again: 395 error = 0; 396 sx_xlock(&proctree_lock); 397 398 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 399 if (pgrp != NULL) 400 PGRP_UNLOCK(pgrp); 401 error = EPERM; 402 } else { 403 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 404 if (error == ERESTART) 405 goto again; 406 MPASS(error == 0); 407 td->td_retval[0] = p->p_pid; 408 newpgrp = NULL; 409 newsess = NULL; 410 } 411 412 sx_xunlock(&proctree_lock); 413 414 uma_zfree(pgrp_zone, newpgrp); 415 free(newsess, M_SESSION); 416 417 return (error); 418 } 419 420 /* 421 * set process group (setpgid/old setpgrp) 422 * 423 * caller does setpgid(targpid, targpgid) 424 * 425 * pid must be caller or child of caller (ESRCH) 426 * if a child 427 * pid must be in same session (EPERM) 428 * pid can't have done an exec (EACCES) 429 * if pgid != pid 430 * there must exist some pid in same session having pgid (EPERM) 431 * pid must not be session leader (EPERM) 432 */ 433 #ifndef _SYS_SYSPROTO_H_ 434 struct setpgid_args { 435 int pid; /* target process id */ 436 int pgid; /* target pgrp id */ 437 }; 438 #endif 439 /* ARGSUSED */ 440 int 441 sys_setpgid(struct thread *td, struct setpgid_args *uap) 442 { 443 struct proc *curp = td->td_proc; 444 struct proc *targp; /* target process */ 445 struct pgrp *pgrp; /* target pgrp */ 446 int error; 447 struct pgrp *newpgrp; 448 449 if (uap->pgid < 0) 450 return (EINVAL); 451 452 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 453 454 again: 455 error = 0; 456 457 sx_xlock(&proctree_lock); 458 if (uap->pid != 0 && uap->pid != curp->p_pid) { 459 if ((targp = pfind(uap->pid)) == NULL) { 460 error = ESRCH; 461 goto done; 462 } 463 if (!inferior(targp)) { 464 PROC_UNLOCK(targp); 465 error = ESRCH; 466 goto done; 467 } 468 if ((error = p_cansee(td, targp))) { 469 PROC_UNLOCK(targp); 470 goto done; 471 } 472 if (targp->p_pgrp == NULL || 473 targp->p_session != curp->p_session) { 474 PROC_UNLOCK(targp); 475 error = EPERM; 476 goto done; 477 } 478 if (targp->p_flag & P_EXEC) { 479 PROC_UNLOCK(targp); 480 error = EACCES; 481 goto done; 482 } 483 PROC_UNLOCK(targp); 484 } else 485 targp = curp; 486 if (SESS_LEADER(targp)) { 487 error = EPERM; 488 goto done; 489 } 490 if (uap->pgid == 0) 491 uap->pgid = targp->p_pid; 492 if ((pgrp = pgfind(uap->pgid)) == NULL) { 493 if (uap->pgid == targp->p_pid) { 494 error = enterpgrp(targp, uap->pgid, newpgrp, 495 NULL); 496 if (error == 0) 497 newpgrp = NULL; 498 } else 499 error = EPERM; 500 } else { 501 if (pgrp == targp->p_pgrp) { 502 PGRP_UNLOCK(pgrp); 503 goto done; 504 } 505 if (pgrp->pg_id != targp->p_pid && 506 pgrp->pg_session != curp->p_session) { 507 PGRP_UNLOCK(pgrp); 508 error = EPERM; 509 goto done; 510 } 511 PGRP_UNLOCK(pgrp); 512 error = enterthispgrp(targp, pgrp); 513 } 514 done: 515 KASSERT(error == 0 || newpgrp != NULL, 516 ("setpgid failed and newpgrp is NULL")); 517 if (error == ERESTART) 518 goto again; 519 sx_xunlock(&proctree_lock); 520 uma_zfree(pgrp_zone, newpgrp); 521 return (error); 522 } 523 524 static int 525 gidp_cmp(const void *p1, const void *p2) 526 { 527 const gid_t g1 = *(const gid_t *)p1; 528 const gid_t g2 = *(const gid_t *)p2; 529 530 return ((g1 > g2) - (g1 < g2)); 531 } 532 533 /* 534 * Final storage for supplementary groups will be returned via 'groups'. 535 * '*groups' must be NULL on input, and if not equal to 'smallgroups' 536 * on output, must be freed (M_TEMP) *even if* an error is returned. 537 */ 538 static int 539 kern_setcred_copyin_supp_groups(struct setcred *const wcred, 540 const u_int flags, gid_t *const smallgroups, gid_t **const groups) 541 { 542 MPASS(*groups == NULL); 543 544 if (flags & SETCREDF_SUPP_GROUPS) { 545 int error; 546 547 /* 548 * Check for the limit for number of groups right now in order 549 * to limit the amount of bytes to copy. 550 */ 551 if (wcred->sc_supp_groups_nb > ngroups_max) 552 return (EINVAL); 553 554 /* 555 * Since we are going to be copying the supplementary groups 556 * from userland, make room also for the effective GID right 557 * now, to avoid having to allocate and copy again the 558 * supplementary groups. 559 */ 560 *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? 561 smallgroups : malloc(wcred->sc_supp_groups_nb * 562 sizeof(*groups), M_TEMP, M_WAITOK); 563 564 error = copyin(wcred->sc_supp_groups, *groups, 565 wcred->sc_supp_groups_nb * sizeof(*groups)); 566 if (error != 0) 567 return (error); 568 wcred->sc_supp_groups = *groups; 569 } else { 570 wcred->sc_supp_groups_nb = 0; 571 wcred->sc_supp_groups = NULL; 572 } 573 574 return (0); 575 } 576 577 int 578 user_setcred(struct thread *td, const u_int flags, 579 const void *const uwcred, const size_t size, bool is_32bit) 580 { 581 struct setcred wcred; 582 #ifdef MAC 583 struct mac mac; 584 /* Pointer to 'struct mac' or 'struct mac32'. */ 585 void *umac; 586 #endif 587 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 588 gid_t *groups = NULL; 589 int error; 590 591 /* 592 * As the only point of this wrapper function is to copyin() from 593 * userland, we only interpret the data pieces we need to perform this 594 * operation and defer further sanity checks to kern_setcred(), except 595 * that we redundantly check here that no unknown flags have been 596 * passed. 597 */ 598 if ((flags & ~SETCREDF_MASK) != 0) 599 return (EINVAL); 600 601 #ifdef COMPAT_FREEBSD32 602 if (is_32bit) { 603 struct setcred32 wcred32; 604 605 if (size != sizeof(wcred32)) 606 return (EINVAL); 607 error = copyin(uwcred, &wcred32, sizeof(wcred32)); 608 if (error != 0) 609 return (error); 610 /* These fields have exactly the same sizes and positions. */ 611 memcpy(&wcred, &wcred32, &wcred32.setcred32_copy_end - 612 &wcred32.setcred32_copy_start); 613 /* Remaining fields are pointers and need PTRIN*(). */ 614 PTRIN_CP(wcred32, wcred, sc_supp_groups); 615 PTRIN_CP(wcred32, wcred, sc_label); 616 } else 617 #endif /* COMPAT_FREEBSD32 */ 618 { 619 if (size != sizeof(wcred)) 620 return (EINVAL); 621 error = copyin(uwcred, &wcred, sizeof(wcred)); 622 if (error != 0) 623 return (error); 624 } 625 #ifdef MAC 626 umac = wcred.sc_label; 627 #endif 628 /* Also done on !MAC as a defensive measure. */ 629 wcred.sc_label = NULL; 630 631 /* 632 * Copy supplementary groups as needed. There is no specific 633 * alternative for 32-bit compatibility as 'gid_t' has the same size 634 * everywhere. 635 */ 636 error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups, 637 &groups); 638 if (error != 0) 639 goto free_groups; 640 641 #ifdef MAC 642 if ((flags & SETCREDF_MAC_LABEL) != 0) { 643 #ifdef COMPAT_FREEBSD32 644 if (is_32bit) 645 error = mac_label_copyin32(umac, &mac, NULL); 646 else 647 #endif 648 error = mac_label_copyin(umac, &mac, NULL); 649 if (error != 0) 650 goto free_groups; 651 wcred.sc_label = &mac; 652 } 653 #endif 654 655 error = kern_setcred(td, flags, &wcred, groups); 656 657 #ifdef MAC 658 if (wcred.sc_label != NULL) 659 free_copied_label(wcred.sc_label); 660 #endif 661 662 free_groups: 663 if (groups != smallgroups) 664 free(groups, M_TEMP); 665 666 return (error); 667 } 668 669 #ifndef _SYS_SYSPROTO_H_ 670 struct setcred_args { 671 u_int flags; /* Flags. */ 672 const struct setcred *wcred; 673 size_t size; /* Passed 'setcred' structure length. */ 674 }; 675 #endif 676 /* ARGSUSED */ 677 int 678 sys_setcred(struct thread *td, struct setcred_args *uap) 679 { 680 return (user_setcred(td, uap->flags, uap->wcred, uap->size, false)); 681 } 682 683 /* 684 * CAUTION: This function normalizes groups in 'wcred'. 685 * 686 * If 'preallocated_groups' is non-NULL, it must be an already allocated array 687 * of size 'wcred->sc_supp_groups_nb' containing the supplementary groups, and 688 * 'wcred->sc_supp_groups' then must point to it. 689 */ 690 int 691 kern_setcred(struct thread *const td, const u_int flags, 692 struct setcred *const wcred, gid_t *preallocated_groups) 693 { 694 struct proc *const p = td->td_proc; 695 struct ucred *new_cred, *old_cred, *to_free_cred; 696 struct uidinfo *uip = NULL, *ruip = NULL; 697 #ifdef MAC 698 void *mac_set_proc_data = NULL; 699 bool proc_label_set = false; 700 #endif 701 gid_t *groups = NULL; 702 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 703 int error; 704 bool cred_set; 705 706 /* Bail out on unrecognized flags. */ 707 if (flags & ~SETCREDF_MASK) 708 return (EINVAL); 709 710 /* 711 * Part 1: We allocate and perform preparatory operations with no locks. 712 */ 713 714 if (flags & SETCREDF_SUPP_GROUPS) { 715 if (wcred->sc_supp_groups_nb > ngroups_max) 716 return (EINVAL); 717 if (preallocated_groups != NULL) { 718 groups = preallocated_groups; 719 MPASS(preallocated_groups == wcred->sc_supp_groups); 720 } else { 721 if (wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB) 722 groups = smallgroups; 723 else 724 groups = malloc(wcred->sc_supp_groups_nb * 725 sizeof(*groups), M_TEMP, M_WAITOK); 726 memcpy(groups, wcred->sc_supp_groups, 727 wcred->sc_supp_groups_nb * sizeof(*groups)); 728 } 729 } 730 731 if (flags & SETCREDF_MAC_LABEL) { 732 #ifdef MAC 733 error = mac_set_proc_prepare(td, wcred->sc_label, 734 &mac_set_proc_data); 735 if (error != 0) 736 goto free_groups; 737 #else 738 error = ENOTSUP; 739 goto free_groups; 740 #endif 741 } 742 743 if (flags & SETCREDF_UID) { 744 AUDIT_ARG_EUID(wcred->sc_uid); 745 uip = uifind(wcred->sc_uid); 746 } 747 if (flags & SETCREDF_RUID) { 748 AUDIT_ARG_RUID(wcred->sc_ruid); 749 ruip = uifind(wcred->sc_ruid); 750 } 751 if (flags & SETCREDF_SVUID) 752 AUDIT_ARG_SUID(wcred->sc_svuid); 753 754 if (flags & SETCREDF_GID) 755 AUDIT_ARG_EGID(wcred->sc_gid); 756 if (flags & SETCREDF_RGID) 757 AUDIT_ARG_RGID(wcred->sc_rgid); 758 if (flags & SETCREDF_SVGID) 759 AUDIT_ARG_SGID(wcred->sc_svgid); 760 if (flags & SETCREDF_SUPP_GROUPS) { 761 /* 762 * Output the raw supplementary groups array for better 763 * traceability. 764 */ 765 AUDIT_ARG_GROUPSET(groups, wcred->sc_supp_groups_nb); 766 groups_normalize(&wcred->sc_supp_groups_nb, groups); 767 } 768 769 /* 770 * We first completely build the new credentials and only then pass them 771 * to MAC along with the old ones so that modules can check whether the 772 * requested transition is allowed. 773 */ 774 new_cred = crget(); 775 to_free_cred = new_cred; 776 if (flags & SETCREDF_SUPP_GROUPS) 777 crextend(new_cred, wcred->sc_supp_groups_nb); 778 779 #ifdef MAC 780 mac_cred_setcred_enter(); 781 #endif 782 783 /* 784 * Part 2: We grab the process lock as to have a stable view of its 785 * current credentials, and prepare a copy of them with the requested 786 * changes applied under that lock. 787 */ 788 789 PROC_LOCK(p); 790 old_cred = crcopysafe(p, new_cred); 791 792 /* 793 * Change user IDs. 794 */ 795 if (flags & SETCREDF_UID) 796 change_euid(new_cred, uip); 797 if (flags & SETCREDF_RUID) 798 change_ruid(new_cred, ruip); 799 if (flags & SETCREDF_SVUID) 800 change_svuid(new_cred, wcred->sc_svuid); 801 802 /* 803 * Change groups. 804 */ 805 if (flags & SETCREDF_SUPP_GROUPS) 806 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb, 807 groups); 808 if (flags & SETCREDF_GID) 809 change_egid(new_cred, wcred->sc_gid); 810 if (flags & SETCREDF_RGID) 811 change_rgid(new_cred, wcred->sc_rgid); 812 if (flags & SETCREDF_SVGID) 813 change_svgid(new_cred, wcred->sc_svgid); 814 815 #ifdef MAC 816 /* 817 * Change the MAC label. 818 */ 819 if (flags & SETCREDF_MAC_LABEL) { 820 error = mac_set_proc_core(td, new_cred, mac_set_proc_data); 821 if (error != 0) 822 goto unlock_finish; 823 proc_label_set = true; 824 } 825 826 /* 827 * MAC security modules checks. 828 */ 829 error = mac_cred_check_setcred(flags, old_cred, new_cred); 830 if (error != 0) 831 goto unlock_finish; 832 #endif 833 /* 834 * Privilege check. 835 */ 836 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED); 837 if (error != 0) 838 goto unlock_finish; 839 840 /* 841 * Set the new credentials, noting that they have changed. 842 */ 843 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred); 844 if (cred_set) { 845 setsugid(p); 846 to_free_cred = old_cred; 847 MPASS(error == 0); 848 } else 849 error = EAGAIN; 850 851 unlock_finish: 852 PROC_UNLOCK(p); 853 /* 854 * Part 3: After releasing the process lock, we perform cleanups and 855 * finishing operations. 856 */ 857 858 #ifdef MAC 859 if (mac_set_proc_data != NULL) 860 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data); 861 mac_cred_setcred_exit(); 862 #endif 863 crfree(to_free_cred); 864 if (uip != NULL) 865 uifree(uip); 866 if (ruip != NULL) 867 uifree(ruip); 868 free_groups: 869 if (groups != preallocated_groups && groups != smallgroups) 870 free(groups, M_TEMP); /* Deals with 'groups' being NULL. */ 871 return (error); 872 } 873 874 /* 875 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 876 * compatible. It says that setting the uid/gid to euid/egid is a special 877 * case of "appropriate privilege". Once the rules are expanded out, this 878 * basically means that setuid(nnn) sets all three id's, in all permitted 879 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 880 * does not set the saved id - this is dangerous for traditional BSD 881 * programs. For this reason, we *really* do not want to set 882 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 883 */ 884 #define POSIX_APPENDIX_B_4_2_2 885 886 #ifndef _SYS_SYSPROTO_H_ 887 struct setuid_args { 888 uid_t uid; 889 }; 890 #endif 891 /* ARGSUSED */ 892 int 893 sys_setuid(struct thread *td, struct setuid_args *uap) 894 { 895 struct proc *p = td->td_proc; 896 struct ucred *newcred, *oldcred; 897 uid_t uid; 898 struct uidinfo *uip; 899 int error; 900 901 uid = uap->uid; 902 AUDIT_ARG_UID(uid); 903 newcred = crget(); 904 uip = uifind(uid); 905 PROC_LOCK(p); 906 /* 907 * Copy credentials so other references do not see our changes. 908 */ 909 oldcred = crcopysafe(p, newcred); 910 911 #ifdef MAC 912 error = mac_cred_check_setuid(oldcred, uid); 913 if (error) 914 goto fail; 915 #endif 916 917 /* 918 * See if we have "permission" by POSIX 1003.1 rules. 919 * 920 * Note that setuid(geteuid()) is a special case of 921 * "appropriate privileges" in appendix B.4.2.2. We need 922 * to use this clause to be compatible with traditional BSD 923 * semantics. Basically, it means that "setuid(xx)" sets all 924 * three id's (assuming you have privs). 925 * 926 * Notes on the logic. We do things in three steps. 927 * 1: We determine if the euid is going to change, and do EPERM 928 * right away. We unconditionally change the euid later if this 929 * test is satisfied, simplifying that part of the logic. 930 * 2: We determine if the real and/or saved uids are going to 931 * change. Determined by compile options. 932 * 3: Change euid last. (after tests in #2 for "appropriate privs") 933 */ 934 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 935 #ifdef _POSIX_SAVED_IDS 936 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 937 #endif 938 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 939 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 940 #endif 941 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 942 goto fail; 943 944 #ifdef _POSIX_SAVED_IDS 945 /* 946 * Do we have "appropriate privileges" (are we root or uid == euid) 947 * If so, we are changing the real uid and/or saved uid. 948 */ 949 if ( 950 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 951 uid == oldcred->cr_uid || 952 #endif 953 /* We are using privs. */ 954 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 955 #endif 956 { 957 /* 958 * Set the real uid. 959 */ 960 if (uid != oldcred->cr_ruid) { 961 change_ruid(newcred, uip); 962 setsugid(p); 963 } 964 /* 965 * Set saved uid 966 * 967 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 968 * the security of seteuid() depends on it. B.4.2.2 says it 969 * is important that we should do this. 970 */ 971 if (uid != oldcred->cr_svuid) { 972 change_svuid(newcred, uid); 973 setsugid(p); 974 } 975 } 976 977 /* 978 * In all permitted cases, we are changing the euid. 979 */ 980 if (uid != oldcred->cr_uid) { 981 change_euid(newcred, uip); 982 setsugid(p); 983 } 984 /* 985 * This also transfers the proc count to the new user. 986 */ 987 proc_set_cred(p, newcred); 988 #ifdef RACCT 989 racct_proc_ucred_changed(p, oldcred, newcred); 990 crhold(newcred); 991 #endif 992 PROC_UNLOCK(p); 993 #ifdef RCTL 994 rctl_proc_ucred_changed(p, newcred); 995 crfree(newcred); 996 #endif 997 uifree(uip); 998 crfree(oldcred); 999 return (0); 1000 1001 fail: 1002 PROC_UNLOCK(p); 1003 uifree(uip); 1004 crfree(newcred); 1005 return (error); 1006 } 1007 1008 #ifndef _SYS_SYSPROTO_H_ 1009 struct seteuid_args { 1010 uid_t euid; 1011 }; 1012 #endif 1013 /* ARGSUSED */ 1014 int 1015 sys_seteuid(struct thread *td, struct seteuid_args *uap) 1016 { 1017 struct proc *p = td->td_proc; 1018 struct ucred *newcred, *oldcred; 1019 uid_t euid; 1020 struct uidinfo *euip; 1021 int error; 1022 1023 euid = uap->euid; 1024 AUDIT_ARG_EUID(euid); 1025 newcred = crget(); 1026 euip = uifind(euid); 1027 PROC_LOCK(p); 1028 /* 1029 * Copy credentials so other references do not see our changes. 1030 */ 1031 oldcred = crcopysafe(p, newcred); 1032 1033 #ifdef MAC 1034 error = mac_cred_check_seteuid(oldcred, euid); 1035 if (error) 1036 goto fail; 1037 #endif 1038 1039 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 1040 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 1041 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 1042 goto fail; 1043 1044 /* 1045 * Everything's okay, do it. 1046 */ 1047 if (oldcred->cr_uid != euid) { 1048 change_euid(newcred, euip); 1049 setsugid(p); 1050 } 1051 proc_set_cred(p, newcred); 1052 PROC_UNLOCK(p); 1053 uifree(euip); 1054 crfree(oldcred); 1055 return (0); 1056 1057 fail: 1058 PROC_UNLOCK(p); 1059 uifree(euip); 1060 crfree(newcred); 1061 return (error); 1062 } 1063 1064 #ifndef _SYS_SYSPROTO_H_ 1065 struct setgid_args { 1066 gid_t gid; 1067 }; 1068 #endif 1069 /* ARGSUSED */ 1070 int 1071 sys_setgid(struct thread *td, struct setgid_args *uap) 1072 { 1073 struct proc *p = td->td_proc; 1074 struct ucred *newcred, *oldcred; 1075 gid_t gid; 1076 int error; 1077 1078 gid = uap->gid; 1079 AUDIT_ARG_GID(gid); 1080 newcred = crget(); 1081 PROC_LOCK(p); 1082 oldcred = crcopysafe(p, newcred); 1083 1084 #ifdef MAC 1085 error = mac_cred_check_setgid(oldcred, gid); 1086 if (error) 1087 goto fail; 1088 #endif 1089 1090 /* 1091 * See if we have "permission" by POSIX 1003.1 rules. 1092 * 1093 * Note that setgid(getegid()) is a special case of 1094 * "appropriate privileges" in appendix B.4.2.2. We need 1095 * to use this clause to be compatible with traditional BSD 1096 * semantics. Basically, it means that "setgid(xx)" sets all 1097 * three id's (assuming you have privs). 1098 * 1099 * For notes on the logic here, see setuid() above. 1100 */ 1101 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 1102 #ifdef _POSIX_SAVED_IDS 1103 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 1104 #endif 1105 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 1106 gid != oldcred->cr_gid && /* allow setgid(getegid()) */ 1107 #endif 1108 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 1109 goto fail; 1110 1111 #ifdef _POSIX_SAVED_IDS 1112 /* 1113 * Do we have "appropriate privileges" (are we root or gid == egid) 1114 * If so, we are changing the real uid and saved gid. 1115 */ 1116 if ( 1117 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 1118 gid == oldcred->cr_gid || 1119 #endif 1120 /* We are using privs. */ 1121 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 1122 #endif 1123 { 1124 /* 1125 * Set real gid 1126 */ 1127 if (oldcred->cr_rgid != gid) { 1128 change_rgid(newcred, gid); 1129 setsugid(p); 1130 } 1131 /* 1132 * Set saved gid 1133 * 1134 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 1135 * the security of setegid() depends on it. B.4.2.2 says it 1136 * is important that we should do this. 1137 */ 1138 if (oldcred->cr_svgid != gid) { 1139 change_svgid(newcred, gid); 1140 setsugid(p); 1141 } 1142 } 1143 /* 1144 * In all cases permitted cases, we are changing the egid. 1145 * Copy credentials so other references do not see our changes. 1146 */ 1147 if (oldcred->cr_gid != gid) { 1148 change_egid(newcred, gid); 1149 setsugid(p); 1150 } 1151 proc_set_cred(p, newcred); 1152 PROC_UNLOCK(p); 1153 crfree(oldcred); 1154 return (0); 1155 1156 fail: 1157 PROC_UNLOCK(p); 1158 crfree(newcred); 1159 return (error); 1160 } 1161 1162 #ifndef _SYS_SYSPROTO_H_ 1163 struct setegid_args { 1164 gid_t egid; 1165 }; 1166 #endif 1167 /* ARGSUSED */ 1168 int 1169 sys_setegid(struct thread *td, struct setegid_args *uap) 1170 { 1171 struct proc *p = td->td_proc; 1172 struct ucred *newcred, *oldcred; 1173 gid_t egid; 1174 int error; 1175 1176 egid = uap->egid; 1177 AUDIT_ARG_EGID(egid); 1178 newcred = crget(); 1179 PROC_LOCK(p); 1180 oldcred = crcopysafe(p, newcred); 1181 1182 #ifdef MAC 1183 error = mac_cred_check_setegid(oldcred, egid); 1184 if (error) 1185 goto fail; 1186 #endif 1187 1188 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 1189 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 1190 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 1191 goto fail; 1192 1193 if (oldcred->cr_gid != egid) { 1194 change_egid(newcred, egid); 1195 setsugid(p); 1196 } 1197 proc_set_cred(p, newcred); 1198 PROC_UNLOCK(p); 1199 crfree(oldcred); 1200 return (0); 1201 1202 fail: 1203 PROC_UNLOCK(p); 1204 crfree(newcred); 1205 return (error); 1206 } 1207 1208 #ifdef COMPAT_FREEBSD14 1209 int 1210 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap) 1211 { 1212 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1213 gid_t *groups; 1214 int gidsetsize, error; 1215 1216 /* 1217 * Before FreeBSD 15.0, we allow one more group to be supplied to 1218 * account for the egid appearing before the supplementary groups. This 1219 * may technically allow one more supplementary group for systems that 1220 * did use the default NGROUPS_MAX if we round it back up to 1024. 1221 */ 1222 gidsetsize = uap->gidsetsize; 1223 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 1224 return (EINVAL); 1225 1226 if (gidsetsize > CRED_SMALLGROUPS_NB) 1227 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1228 else 1229 groups = smallgroups; 1230 1231 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1232 if (error == 0) { 1233 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0; 1234 1235 error = kern_setgroups(td, &ngroups, groups + 1); 1236 if (error == 0 && gidsetsize > 0) 1237 td->td_proc->p_ucred->cr_gid = groups[0]; 1238 } 1239 1240 if (groups != smallgroups) 1241 free(groups, M_TEMP); 1242 return (error); 1243 } 1244 #endif /* COMPAT_FREEBSD14 */ 1245 1246 #ifndef _SYS_SYSPROTO_H_ 1247 struct setgroups_args { 1248 int gidsetsize; 1249 gid_t *gidset; 1250 }; 1251 #endif 1252 /* ARGSUSED */ 1253 int 1254 sys_setgroups(struct thread *td, struct setgroups_args *uap) 1255 { 1256 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1257 gid_t *groups; 1258 int gidsetsize, error; 1259 1260 /* 1261 * Sanity check size now to avoid passing too big a value to copyin(), 1262 * even if kern_setgroups() will do it again. 1263 * 1264 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 1265 * was, in this implementation, for a long time), but POSIX standardized 1266 * getgroups() to take an 'int' and it would be quite entrapping to have 1267 * setgroups() differ. 1268 */ 1269 gidsetsize = uap->gidsetsize; 1270 if (gidsetsize > ngroups_max || gidsetsize < 0) 1271 return (EINVAL); 1272 1273 if (gidsetsize > CRED_SMALLGROUPS_NB) 1274 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1275 else 1276 groups = smallgroups; 1277 1278 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1279 if (error == 0) 1280 error = kern_setgroups(td, &gidsetsize, groups); 1281 1282 if (groups != smallgroups) 1283 free(groups, M_TEMP); 1284 return (error); 1285 } 1286 1287 /* 1288 * CAUTION: This function normalizes 'groups', possibly also changing the value 1289 * of '*ngrpp' as a consequence. 1290 */ 1291 int 1292 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 1293 { 1294 struct proc *p = td->td_proc; 1295 struct ucred *newcred, *oldcred; 1296 int ngrp, error; 1297 1298 ngrp = *ngrpp; 1299 /* Sanity check size. */ 1300 if (ngrp < 0 || ngrp > ngroups_max) 1301 return (EINVAL); 1302 1303 AUDIT_ARG_GROUPSET(groups, ngrp); 1304 1305 groups_normalize(&ngrp, groups); 1306 *ngrpp = ngrp; 1307 1308 newcred = crget(); 1309 crextend(newcred, ngrp); 1310 PROC_LOCK(p); 1311 oldcred = crcopysafe(p, newcred); 1312 1313 #ifdef MAC 1314 /* 1315 * We pass NULL here explicitly if we don't have any supplementary 1316 * groups mostly for the sake of normalization, but also to avoid/detect 1317 * a situation where a MAC module has some assumption about the layout 1318 * of `groups` matching historical behavior. 1319 */ 1320 error = mac_cred_check_setgroups(oldcred, ngrp, 1321 ngrp == 0 ? NULL : groups); 1322 if (error) 1323 goto fail; 1324 #endif 1325 1326 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1327 if (error) 1328 goto fail; 1329 1330 crsetgroups_internal(newcred, ngrp, groups); 1331 setsugid(p); 1332 proc_set_cred(p, newcred); 1333 PROC_UNLOCK(p); 1334 crfree(oldcred); 1335 return (0); 1336 1337 fail: 1338 PROC_UNLOCK(p); 1339 crfree(newcred); 1340 return (error); 1341 } 1342 1343 #ifndef _SYS_SYSPROTO_H_ 1344 struct setreuid_args { 1345 uid_t ruid; 1346 uid_t euid; 1347 }; 1348 #endif 1349 /* ARGSUSED */ 1350 int 1351 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1352 { 1353 struct proc *p = td->td_proc; 1354 struct ucred *newcred, *oldcred; 1355 uid_t euid, ruid; 1356 struct uidinfo *euip, *ruip; 1357 int error; 1358 1359 euid = uap->euid; 1360 ruid = uap->ruid; 1361 AUDIT_ARG_EUID(euid); 1362 AUDIT_ARG_RUID(ruid); 1363 newcred = crget(); 1364 euip = uifind(euid); 1365 ruip = uifind(ruid); 1366 PROC_LOCK(p); 1367 oldcred = crcopysafe(p, newcred); 1368 1369 #ifdef MAC 1370 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1371 if (error) 1372 goto fail; 1373 #endif 1374 1375 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1376 ruid != oldcred->cr_svuid) || 1377 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1378 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1379 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1380 goto fail; 1381 1382 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1383 change_euid(newcred, euip); 1384 setsugid(p); 1385 } 1386 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1387 change_ruid(newcred, ruip); 1388 setsugid(p); 1389 } 1390 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1391 newcred->cr_svuid != newcred->cr_uid) { 1392 change_svuid(newcred, newcred->cr_uid); 1393 setsugid(p); 1394 } 1395 proc_set_cred(p, newcred); 1396 #ifdef RACCT 1397 racct_proc_ucred_changed(p, oldcred, newcred); 1398 crhold(newcred); 1399 #endif 1400 PROC_UNLOCK(p); 1401 #ifdef RCTL 1402 rctl_proc_ucred_changed(p, newcred); 1403 crfree(newcred); 1404 #endif 1405 uifree(ruip); 1406 uifree(euip); 1407 crfree(oldcred); 1408 return (0); 1409 1410 fail: 1411 PROC_UNLOCK(p); 1412 uifree(ruip); 1413 uifree(euip); 1414 crfree(newcred); 1415 return (error); 1416 } 1417 1418 #ifndef _SYS_SYSPROTO_H_ 1419 struct setregid_args { 1420 gid_t rgid; 1421 gid_t egid; 1422 }; 1423 #endif 1424 /* ARGSUSED */ 1425 int 1426 sys_setregid(struct thread *td, struct setregid_args *uap) 1427 { 1428 struct proc *p = td->td_proc; 1429 struct ucred *newcred, *oldcred; 1430 gid_t egid, rgid; 1431 int error; 1432 1433 egid = uap->egid; 1434 rgid = uap->rgid; 1435 AUDIT_ARG_EGID(egid); 1436 AUDIT_ARG_RGID(rgid); 1437 newcred = crget(); 1438 PROC_LOCK(p); 1439 oldcred = crcopysafe(p, newcred); 1440 1441 #ifdef MAC 1442 error = mac_cred_check_setregid(oldcred, rgid, egid); 1443 if (error) 1444 goto fail; 1445 #endif 1446 1447 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1448 rgid != oldcred->cr_svgid) || 1449 (egid != (gid_t)-1 && egid != oldcred->cr_gid && 1450 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1451 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1452 goto fail; 1453 1454 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1455 change_egid(newcred, egid); 1456 setsugid(p); 1457 } 1458 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1459 change_rgid(newcred, rgid); 1460 setsugid(p); 1461 } 1462 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) && 1463 newcred->cr_svgid != newcred->cr_gid) { 1464 change_svgid(newcred, newcred->cr_gid); 1465 setsugid(p); 1466 } 1467 proc_set_cred(p, newcred); 1468 PROC_UNLOCK(p); 1469 crfree(oldcred); 1470 return (0); 1471 1472 fail: 1473 PROC_UNLOCK(p); 1474 crfree(newcred); 1475 return (error); 1476 } 1477 1478 /* 1479 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1480 * uid is explicit. 1481 */ 1482 #ifndef _SYS_SYSPROTO_H_ 1483 struct setresuid_args { 1484 uid_t ruid; 1485 uid_t euid; 1486 uid_t suid; 1487 }; 1488 #endif 1489 /* ARGSUSED */ 1490 int 1491 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1492 { 1493 struct proc *p = td->td_proc; 1494 struct ucred *newcred, *oldcred; 1495 uid_t euid, ruid, suid; 1496 struct uidinfo *euip, *ruip; 1497 int error; 1498 1499 euid = uap->euid; 1500 ruid = uap->ruid; 1501 suid = uap->suid; 1502 AUDIT_ARG_EUID(euid); 1503 AUDIT_ARG_RUID(ruid); 1504 AUDIT_ARG_SUID(suid); 1505 newcred = crget(); 1506 euip = uifind(euid); 1507 ruip = uifind(ruid); 1508 PROC_LOCK(p); 1509 oldcred = crcopysafe(p, newcred); 1510 1511 #ifdef MAC 1512 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1513 if (error) 1514 goto fail; 1515 #endif 1516 1517 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1518 ruid != oldcred->cr_svuid && 1519 ruid != oldcred->cr_uid) || 1520 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1521 euid != oldcred->cr_svuid && 1522 euid != oldcred->cr_uid) || 1523 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1524 suid != oldcred->cr_svuid && 1525 suid != oldcred->cr_uid)) && 1526 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1527 goto fail; 1528 1529 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1530 change_euid(newcred, euip); 1531 setsugid(p); 1532 } 1533 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1534 change_ruid(newcred, ruip); 1535 setsugid(p); 1536 } 1537 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1538 change_svuid(newcred, suid); 1539 setsugid(p); 1540 } 1541 proc_set_cred(p, newcred); 1542 #ifdef RACCT 1543 racct_proc_ucred_changed(p, oldcred, newcred); 1544 crhold(newcred); 1545 #endif 1546 PROC_UNLOCK(p); 1547 #ifdef RCTL 1548 rctl_proc_ucred_changed(p, newcred); 1549 crfree(newcred); 1550 #endif 1551 uifree(ruip); 1552 uifree(euip); 1553 crfree(oldcred); 1554 return (0); 1555 1556 fail: 1557 PROC_UNLOCK(p); 1558 uifree(ruip); 1559 uifree(euip); 1560 crfree(newcred); 1561 return (error); 1562 1563 } 1564 1565 /* 1566 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1567 * gid is explicit. 1568 */ 1569 #ifndef _SYS_SYSPROTO_H_ 1570 struct setresgid_args { 1571 gid_t rgid; 1572 gid_t egid; 1573 gid_t sgid; 1574 }; 1575 #endif 1576 /* ARGSUSED */ 1577 int 1578 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1579 { 1580 struct proc *p = td->td_proc; 1581 struct ucred *newcred, *oldcred; 1582 gid_t egid, rgid, sgid; 1583 int error; 1584 1585 egid = uap->egid; 1586 rgid = uap->rgid; 1587 sgid = uap->sgid; 1588 AUDIT_ARG_EGID(egid); 1589 AUDIT_ARG_RGID(rgid); 1590 AUDIT_ARG_SGID(sgid); 1591 newcred = crget(); 1592 PROC_LOCK(p); 1593 oldcred = crcopysafe(p, newcred); 1594 1595 #ifdef MAC 1596 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1597 if (error) 1598 goto fail; 1599 #endif 1600 1601 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1602 rgid != oldcred->cr_svgid && 1603 rgid != oldcred->cr_gid) || 1604 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1605 egid != oldcred->cr_svgid && 1606 egid != oldcred->cr_gid) || 1607 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1608 sgid != oldcred->cr_svgid && 1609 sgid != oldcred->cr_gid)) && 1610 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1611 goto fail; 1612 1613 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1614 change_egid(newcred, egid); 1615 setsugid(p); 1616 } 1617 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1618 change_rgid(newcred, rgid); 1619 setsugid(p); 1620 } 1621 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1622 change_svgid(newcred, sgid); 1623 setsugid(p); 1624 } 1625 proc_set_cred(p, newcred); 1626 PROC_UNLOCK(p); 1627 crfree(oldcred); 1628 return (0); 1629 1630 fail: 1631 PROC_UNLOCK(p); 1632 crfree(newcred); 1633 return (error); 1634 } 1635 1636 #ifndef _SYS_SYSPROTO_H_ 1637 struct getresuid_args { 1638 uid_t *ruid; 1639 uid_t *euid; 1640 uid_t *suid; 1641 }; 1642 #endif 1643 /* ARGSUSED */ 1644 int 1645 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1646 { 1647 struct ucred *cred; 1648 int error1 = 0, error2 = 0, error3 = 0; 1649 1650 cred = td->td_ucred; 1651 if (uap->ruid) 1652 error1 = copyout(&cred->cr_ruid, 1653 uap->ruid, sizeof(cred->cr_ruid)); 1654 if (uap->euid) 1655 error2 = copyout(&cred->cr_uid, 1656 uap->euid, sizeof(cred->cr_uid)); 1657 if (uap->suid) 1658 error3 = copyout(&cred->cr_svuid, 1659 uap->suid, sizeof(cred->cr_svuid)); 1660 return (error1 ? error1 : error2 ? error2 : error3); 1661 } 1662 1663 #ifndef _SYS_SYSPROTO_H_ 1664 struct getresgid_args { 1665 gid_t *rgid; 1666 gid_t *egid; 1667 gid_t *sgid; 1668 }; 1669 #endif 1670 /* ARGSUSED */ 1671 int 1672 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1673 { 1674 struct ucred *cred; 1675 int error1 = 0, error2 = 0, error3 = 0; 1676 1677 cred = td->td_ucred; 1678 if (uap->rgid) 1679 error1 = copyout(&cred->cr_rgid, 1680 uap->rgid, sizeof(cred->cr_rgid)); 1681 if (uap->egid) 1682 error2 = copyout(&cred->cr_gid, 1683 uap->egid, sizeof(cred->cr_gid)); 1684 if (uap->sgid) 1685 error3 = copyout(&cred->cr_svgid, 1686 uap->sgid, sizeof(cred->cr_svgid)); 1687 return (error1 ? error1 : error2 ? error2 : error3); 1688 } 1689 1690 #ifndef _SYS_SYSPROTO_H_ 1691 struct issetugid_args { 1692 int dummy; 1693 }; 1694 #endif 1695 /* ARGSUSED */ 1696 int 1697 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1698 { 1699 struct proc *p = td->td_proc; 1700 1701 /* 1702 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1703 * we use P_SUGID because we consider changing the owners as 1704 * "tainting" as well. 1705 * This is significant for procs that start as root and "become" 1706 * a user without an exec - programs cannot know *everything* 1707 * that libc *might* have put in their data segment. 1708 */ 1709 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1710 return (0); 1711 } 1712 1713 int 1714 sys___setugid(struct thread *td, struct __setugid_args *uap) 1715 { 1716 #ifdef REGRESSION 1717 struct proc *p; 1718 1719 p = td->td_proc; 1720 switch (uap->flag) { 1721 case 0: 1722 PROC_LOCK(p); 1723 p->p_flag &= ~P_SUGID; 1724 PROC_UNLOCK(p); 1725 return (0); 1726 case 1: 1727 PROC_LOCK(p); 1728 p->p_flag |= P_SUGID; 1729 PROC_UNLOCK(p); 1730 return (0); 1731 default: 1732 return (EINVAL); 1733 } 1734 #else /* !REGRESSION */ 1735 1736 return (ENOSYS); 1737 #endif /* REGRESSION */ 1738 } 1739 1740 #ifdef INVARIANTS 1741 static void 1742 groups_check_normalized(int ngrp, const gid_t *groups) 1743 { 1744 gid_t prev_g; 1745 1746 groups_check_positive_len(ngrp); 1747 groups_check_max_len(ngrp); 1748 1749 if (ngrp <= 1) 1750 return; 1751 1752 prev_g = groups[0]; 1753 for (int i = 1; i < ngrp; ++i) { 1754 const gid_t g = groups[i]; 1755 1756 if (prev_g >= g) 1757 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1758 __func__, i - 1, prev_g, i, g); 1759 prev_g = g; 1760 } 1761 } 1762 #else 1763 #define groups_check_normalized(...) 1764 #endif 1765 1766 /* 1767 * Returns whether gid designates a supplementary group in cred. 1768 */ 1769 bool 1770 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1771 { 1772 1773 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1774 1775 /* 1776 * Perform a binary search of the supplementary groups. This is 1777 * possible because we sort the groups in crsetgroups(). 1778 */ 1779 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups, 1780 sizeof(gid), gidp_cmp) != NULL); 1781 } 1782 1783 /* 1784 * Check if gid is a member of the (effective) group set (i.e., effective and 1785 * supplementary groups). 1786 */ 1787 bool 1788 groupmember(gid_t gid, const struct ucred *cred) 1789 { 1790 1791 groups_check_positive_len(cred->cr_ngroups); 1792 1793 if (gid == cred->cr_gid) 1794 return (true); 1795 1796 return (group_is_supplementary(gid, cred)); 1797 } 1798 1799 /* 1800 * Check if gid is a member of the real group set (i.e., real and supplementary 1801 * groups). 1802 */ 1803 bool 1804 realgroupmember(gid_t gid, const struct ucred *cred) 1805 { 1806 /* 1807 * Although the equality test on 'cr_rgid' below doesn't access 1808 * 'cr_groups', we check for the latter's length here as we assume that, 1809 * if 'cr_ngroups' is 0, the passed 'struct ucred' is invalid, and 1810 * 'cr_rgid' may not have been filled. 1811 */ 1812 groups_check_positive_len(cred->cr_ngroups); 1813 1814 if (gid == cred->cr_rgid) 1815 return (true); 1816 1817 return (group_is_supplementary(gid, cred)); 1818 } 1819 1820 /* 1821 * Test the active securelevel against a given level. securelevel_gt() 1822 * implements (securelevel > level). securelevel_ge() implements 1823 * (securelevel >= level). Note that the logic is inverted -- these 1824 * functions return EPERM on "success" and 0 on "failure". 1825 * 1826 * Due to care taken when setting the securelevel, we know that no jail will 1827 * be less secure that its parent (or the physical system), so it is sufficient 1828 * to test the current jail only. 1829 * 1830 * XXXRW: Possibly since this has to do with privilege, it should move to 1831 * kern_priv.c. 1832 */ 1833 int 1834 securelevel_gt(struct ucred *cr, int level) 1835 { 1836 1837 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1838 } 1839 1840 int 1841 securelevel_ge(struct ucred *cr, int level) 1842 { 1843 1844 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1845 } 1846 1847 /* 1848 * 'see_other_uids' determines whether or not visibility of processes 1849 * and sockets with credentials holding different real uids is possible 1850 * using a variety of system MIBs. 1851 * XXX: data declarations should be together near the beginning of the file. 1852 */ 1853 static int see_other_uids = 1; 1854 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1855 &see_other_uids, 0, 1856 "Unprivileged processes may see subjects/objects with different real uid"); 1857 1858 /*- 1859 * Determine if u1 "can see" the subject specified by u2, according to the 1860 * 'see_other_uids' policy. 1861 * Returns: 0 for permitted, ESRCH otherwise 1862 * Locks: none 1863 * References: *u1 and *u2 must not change during the call 1864 * u1 may equal u2, in which case only one reference is required 1865 */ 1866 static int 1867 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1868 { 1869 1870 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1871 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1872 return (ESRCH); 1873 } 1874 return (0); 1875 } 1876 1877 /* 1878 * 'see_other_gids' determines whether or not visibility of processes 1879 * and sockets with credentials holding different real gids is possible 1880 * using a variety of system MIBs. 1881 * XXX: data declarations should be together near the beginning of the file. 1882 */ 1883 static int see_other_gids = 1; 1884 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1885 &see_other_gids, 0, 1886 "Unprivileged processes may see subjects/objects with different real gid"); 1887 1888 /* 1889 * Determine if u1 can "see" the subject specified by u2, according to the 1890 * 'see_other_gids' policy. 1891 * Returns: 0 for permitted, ESRCH otherwise 1892 * Locks: none 1893 * References: *u1 and *u2 must not change during the call 1894 * u1 may equal u2, in which case only one reference is required 1895 */ 1896 static int 1897 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1898 { 1899 if (!see_other_gids) { 1900 if (realgroupmember(u1->cr_rgid, u2)) 1901 return (0); 1902 1903 for (int i = 1; i < u1->cr_ngroups; i++) 1904 if (realgroupmember(u1->cr_groups[i], u2)) 1905 return (0); 1906 1907 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1908 return (ESRCH); 1909 } 1910 1911 return (0); 1912 } 1913 1914 /* 1915 * 'see_jail_proc' determines whether or not visibility of processes and 1916 * sockets with credentials holding different jail ids is possible using a 1917 * variety of system MIBs. 1918 * 1919 * XXX: data declarations should be together near the beginning of the file. 1920 */ 1921 1922 static int see_jail_proc = 1; 1923 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1924 &see_jail_proc, 0, 1925 "Unprivileged processes may see subjects/objects with different jail ids"); 1926 1927 /*- 1928 * Determine if u1 "can see" the subject specified by u2, according to the 1929 * 'see_jail_proc' policy. 1930 * Returns: 0 for permitted, ESRCH otherwise 1931 * Locks: none 1932 * References: *u1 and *u2 must not change during the call 1933 * u1 may equal u2, in which case only one reference is required 1934 */ 1935 static int 1936 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1937 { 1938 if (see_jail_proc || /* Policy deactivated. */ 1939 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1940 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1941 return (0); 1942 1943 return (ESRCH); 1944 } 1945 1946 /* 1947 * Determine if u1 can tamper with the subject specified by u2, if they are in 1948 * different jails and 'unprivileged_parent_tampering' jail policy allows it. 1949 * 1950 * May be called if u1 and u2 are in the same jail, but it is expected that the 1951 * caller has already done a prison_check() prior to calling it. 1952 * 1953 * Returns: 0 for permitted, EPERM otherwise 1954 */ 1955 static int 1956 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv) 1957 { 1958 1959 MPASS(prison_check(u1, u2) == 0); 1960 if (u1->cr_prison == u2->cr_prison) 1961 return (0); 1962 1963 if (priv_check_cred(u1, priv) == 0) 1964 return (0); 1965 1966 /* 1967 * Jails do not maintain a distinct UID space, so process visibility is 1968 * all that would control an unprivileged process' ability to tamper 1969 * with a process in a subjail by default if we did not have the 1970 * allow.unprivileged_parent_tampering knob to restrict it by default. 1971 */ 1972 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER)) 1973 return (0); 1974 1975 return (EPERM); 1976 } 1977 1978 /* 1979 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1980 * policies. Determines if u1 "can see" u2 according to these policies. 1981 * Returns: 0 for permitted, ESRCH otherwise 1982 */ 1983 int 1984 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1985 { 1986 int error; 1987 1988 error = cr_canseeotheruids(u1, u2); 1989 if (error != 0) 1990 return (error); 1991 error = cr_canseeothergids(u1, u2); 1992 if (error != 0) 1993 return (error); 1994 error = cr_canseejailproc(u1, u2); 1995 if (error != 0) 1996 return (error); 1997 return (0); 1998 } 1999 2000 /*- 2001 * Determine if u1 "can see" the subject specified by u2. 2002 * Returns: 0 for permitted, an errno value otherwise 2003 * Locks: none 2004 * References: *u1 and *u2 must not change during the call 2005 * u1 may equal u2, in which case only one reference is required 2006 */ 2007 int 2008 cr_cansee(struct ucred *u1, struct ucred *u2) 2009 { 2010 int error; 2011 2012 if ((error = prison_check(u1, u2))) 2013 return (error); 2014 #ifdef MAC 2015 if ((error = mac_cred_check_visible(u1, u2))) 2016 return (error); 2017 #endif 2018 if ((error = cr_bsd_visible(u1, u2))) 2019 return (error); 2020 return (0); 2021 } 2022 2023 /*- 2024 * Determine if td "can see" the subject specified by p. 2025 * Returns: 0 for permitted, an errno value otherwise 2026 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 2027 * should be curthread. 2028 * References: td and p must be valid for the lifetime of the call 2029 */ 2030 int 2031 p_cansee(struct thread *td, struct proc *p) 2032 { 2033 /* Wrap cr_cansee() for all functionality. */ 2034 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2035 PROC_LOCK_ASSERT(p, MA_OWNED); 2036 2037 if (td->td_proc == p) 2038 return (0); 2039 return (cr_cansee(td->td_ucred, p->p_ucred)); 2040 } 2041 2042 /* 2043 * 'conservative_signals' prevents the delivery of a broad class of 2044 * signals by unprivileged processes to processes that have changed their 2045 * credentials since the last invocation of execve(). This can prevent 2046 * the leakage of cached information or retained privileges as a result 2047 * of a common class of signal-related vulnerabilities. However, this 2048 * may interfere with some applications that expect to be able to 2049 * deliver these signals to peer processes after having given up 2050 * privilege. 2051 */ 2052 static int conservative_signals = 1; 2053 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 2054 &conservative_signals, 0, "Unprivileged processes prevented from " 2055 "sending certain signals to processes whose credentials have changed"); 2056 /*- 2057 * Determine whether cred may deliver the specified signal to proc. 2058 * Returns: 0 for permitted, an errno value otherwise. 2059 * Locks: A lock must be held for proc. 2060 * References: cred and proc must be valid for the lifetime of the call. 2061 */ 2062 int 2063 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 2064 { 2065 int error; 2066 2067 PROC_LOCK_ASSERT(proc, MA_OWNED); 2068 /* 2069 * Jail semantics limit the scope of signalling to proc in the 2070 * same jail as cred, if cred is in jail. 2071 */ 2072 error = prison_check(cred, proc->p_ucred); 2073 if (error) 2074 return (error); 2075 #ifdef MAC 2076 if ((error = mac_proc_check_signal(cred, proc, signum))) 2077 return (error); 2078 #endif 2079 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 2080 return (error); 2081 2082 /* 2083 * UNIX signal semantics depend on the status of the P_SUGID 2084 * bit on the target process. If the bit is set, then additional 2085 * restrictions are placed on the set of available signals. 2086 */ 2087 if (conservative_signals && (proc->p_flag & P_SUGID)) { 2088 switch (signum) { 2089 case 0: 2090 case SIGKILL: 2091 case SIGINT: 2092 case SIGTERM: 2093 case SIGALRM: 2094 case SIGSTOP: 2095 case SIGTTIN: 2096 case SIGTTOU: 2097 case SIGTSTP: 2098 case SIGHUP: 2099 case SIGUSR1: 2100 case SIGUSR2: 2101 /* 2102 * Generally, permit job and terminal control 2103 * signals. 2104 */ 2105 break; 2106 default: 2107 /* Not permitted without privilege. */ 2108 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 2109 if (error) 2110 return (error); 2111 } 2112 } 2113 2114 /* 2115 * Generally, the target credential's ruid or svuid must match the 2116 * subject credential's ruid or euid. 2117 */ 2118 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 2119 cred->cr_ruid != proc->p_ucred->cr_svuid && 2120 cred->cr_uid != proc->p_ucred->cr_ruid && 2121 cred->cr_uid != proc->p_ucred->cr_svuid) { 2122 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 2123 if (error) 2124 return (error); 2125 } 2126 2127 /* 2128 * At this point, the target may be in a different jail than the 2129 * subject -- the subject must be in a parent jail to the target, 2130 * whether it is prison0 or a subordinate of prison0 that has 2131 * children. Additional privileges are required to allow this, as 2132 * whether the creds are truly equivalent or not must be determined on 2133 * a case-by-case basis. 2134 */ 2135 error = cr_can_tamper_with_subjail(cred, proc->p_ucred, 2136 PRIV_SIGNAL_DIFFJAIL); 2137 if (error) 2138 return (error); 2139 2140 return (0); 2141 } 2142 2143 /*- 2144 * Determine whether td may deliver the specified signal to p. 2145 * Returns: 0 for permitted, an errno value otherwise 2146 * Locks: Sufficient locks to protect various components of td and p 2147 * must be held. td must be curthread, and a lock must be 2148 * held for p. 2149 * References: td and p must be valid for the lifetime of the call 2150 */ 2151 int 2152 p_cansignal(struct thread *td, struct proc *p, int signum) 2153 { 2154 2155 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2156 PROC_LOCK_ASSERT(p, MA_OWNED); 2157 if (td->td_proc == p) 2158 return (0); 2159 2160 /* 2161 * UNIX signalling semantics require that processes in the same 2162 * session always be able to deliver SIGCONT to one another, 2163 * overriding the remaining protections. 2164 */ 2165 /* XXX: This will require an additional lock of some sort. */ 2166 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 2167 return (0); 2168 /* 2169 * Some compat layers use SIGTHR and higher signals for 2170 * communication between different kernel threads of the same 2171 * process, so that they expect that it's always possible to 2172 * deliver them, even for suid applications where cr_cansignal() can 2173 * deny such ability for security consideration. It should be 2174 * pretty safe to do since the only way to create two processes 2175 * with the same p_leader is via rfork(2). 2176 */ 2177 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 2178 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 2179 return (0); 2180 2181 return (cr_cansignal(td->td_ucred, p, signum)); 2182 } 2183 2184 /*- 2185 * Determine whether td may reschedule p. 2186 * Returns: 0 for permitted, an errno value otherwise 2187 * Locks: Sufficient locks to protect various components of td and p 2188 * must be held. td must be curthread, and a lock must 2189 * be held for p. 2190 * References: td and p must be valid for the lifetime of the call 2191 */ 2192 int 2193 p_cansched(struct thread *td, struct proc *p) 2194 { 2195 int error; 2196 2197 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2198 PROC_LOCK_ASSERT(p, MA_OWNED); 2199 if (td->td_proc == p) 2200 return (0); 2201 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2202 return (error); 2203 #ifdef MAC 2204 if ((error = mac_proc_check_sched(td->td_ucred, p))) 2205 return (error); 2206 #endif 2207 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2208 return (error); 2209 2210 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 2211 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 2212 error = priv_check(td, PRIV_SCHED_DIFFCRED); 2213 if (error) 2214 return (error); 2215 } 2216 2217 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2218 PRIV_SCHED_DIFFJAIL); 2219 if (error) 2220 return (error); 2221 2222 return (0); 2223 } 2224 2225 /* 2226 * Handle getting or setting the prison's unprivileged_proc_debug 2227 * value. 2228 */ 2229 static int 2230 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 2231 { 2232 int error, val; 2233 2234 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 2235 error = sysctl_handle_int(oidp, &val, 0, req); 2236 if (error != 0 || req->newptr == NULL) 2237 return (error); 2238 if (val != 0 && val != 1) 2239 return (EINVAL); 2240 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 2241 return (0); 2242 } 2243 2244 /* 2245 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 2246 * unprivileged inter-process debugging services, including some procfs 2247 * functionality, ptrace(), and ktrace(). In the past, inter-process 2248 * debugging has been involved in a variety of security problems, and sites 2249 * not requiring the service might choose to disable it when hardening 2250 * systems. 2251 */ 2252 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 2253 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 2254 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 2255 "Unprivileged processes may use process debugging facilities"); 2256 2257 /* 2258 * Return true if the object owner/group ids are subset of the active 2259 * credentials. 2260 */ 2261 bool 2262 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred) 2263 { 2264 int i; 2265 bool grpsubset, uidsubset; 2266 2267 /* 2268 * Is p's group set a subset of td's effective group set? This 2269 * includes p's egid, group access list, rgid, and svgid. 2270 */ 2271 grpsubset = true; 2272 for (i = 0; i < obj_cred->cr_ngroups; i++) { 2273 if (!groupmember(obj_cred->cr_groups[i], active_cred)) { 2274 grpsubset = false; 2275 break; 2276 } 2277 } 2278 grpsubset = grpsubset && 2279 groupmember(obj_cred->cr_rgid, active_cred) && 2280 groupmember(obj_cred->cr_svgid, active_cred); 2281 2282 /* 2283 * Are the uids present in obj_cred's credential equal to 2284 * active_cred's effective uid? This includes obj_cred's 2285 * euid, svuid, and ruid. 2286 */ 2287 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid && 2288 active_cred->cr_uid == obj_cred->cr_svuid && 2289 active_cred->cr_uid == obj_cred->cr_ruid); 2290 2291 return (uidsubset && grpsubset); 2292 } 2293 2294 /*- 2295 * Determine whether td may debug p. 2296 * Returns: 0 for permitted, an errno value otherwise 2297 * Locks: Sufficient locks to protect various components of td and p 2298 * must be held. td must be curthread, and a lock must 2299 * be held for p. 2300 * References: td and p must be valid for the lifetime of the call 2301 */ 2302 int 2303 p_candebug(struct thread *td, struct proc *p) 2304 { 2305 int error; 2306 2307 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2308 PROC_LOCK_ASSERT(p, MA_OWNED); 2309 if (td->td_proc == p) 2310 return (0); 2311 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 2312 return (error); 2313 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2314 return (error); 2315 #ifdef MAC 2316 if ((error = mac_proc_check_debug(td->td_ucred, p))) 2317 return (error); 2318 #endif 2319 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2320 return (error); 2321 2322 /* 2323 * If p's gids aren't a subset, or the uids aren't a subset, 2324 * or the credential has changed, require appropriate privilege 2325 * for td to debug p. 2326 */ 2327 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) { 2328 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 2329 if (error) 2330 return (error); 2331 } 2332 2333 /* 2334 * Has the credential of the process changed since the last exec()? 2335 */ 2336 if ((p->p_flag & P_SUGID) != 0) { 2337 error = priv_check(td, PRIV_DEBUG_SUGID); 2338 if (error) 2339 return (error); 2340 } 2341 2342 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2343 PRIV_DEBUG_DIFFJAIL); 2344 if (error) 2345 return (error); 2346 2347 /* Can't trace init when securelevel > 0. */ 2348 if (p == initproc) { 2349 error = securelevel_gt(td->td_ucred, 0); 2350 if (error) 2351 return (error); 2352 } 2353 2354 /* 2355 * Can't trace a process that's currently exec'ing. 2356 * 2357 * XXX: Note, this is not a security policy decision, it's a 2358 * basic correctness/functionality decision. Therefore, this check 2359 * should be moved to the caller's of p_candebug(). 2360 */ 2361 if ((p->p_flag & P_INEXEC) != 0) 2362 return (EBUSY); 2363 2364 /* Denied explicitly */ 2365 if ((p->p_flag2 & P2_NOTRACE) != 0) { 2366 error = priv_check(td, PRIV_DEBUG_DENIED); 2367 if (error != 0) 2368 return (error); 2369 } 2370 2371 return (0); 2372 } 2373 2374 /*- 2375 * Determine whether the subject represented by cred can "see" a socket. 2376 * Returns: 0 for permitted, ENOENT otherwise. 2377 */ 2378 int 2379 cr_canseesocket(struct ucred *cred, struct socket *so) 2380 { 2381 int error; 2382 2383 error = prison_check(cred, so->so_cred); 2384 if (error) 2385 return (ENOENT); 2386 #ifdef MAC 2387 error = mac_socket_check_visible(cred, so); 2388 if (error) 2389 return (error); 2390 #endif 2391 if (cr_bsd_visible(cred, so->so_cred)) 2392 return (ENOENT); 2393 2394 return (0); 2395 } 2396 2397 /*- 2398 * Determine whether td can wait for the exit of p. 2399 * Returns: 0 for permitted, an errno value otherwise 2400 * Locks: Sufficient locks to protect various components of td and p 2401 * must be held. td must be curthread, and a lock must 2402 * be held for p. 2403 * References: td and p must be valid for the lifetime of the call 2404 2405 */ 2406 int 2407 p_canwait(struct thread *td, struct proc *p) 2408 { 2409 int error; 2410 2411 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2412 PROC_LOCK_ASSERT(p, MA_OWNED); 2413 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2414 return (error); 2415 #ifdef MAC 2416 if ((error = mac_proc_check_wait(td->td_ucred, p))) 2417 return (error); 2418 #endif 2419 #if 0 2420 /* XXXMAC: This could have odd effects on some shells. */ 2421 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2422 return (error); 2423 #endif 2424 2425 return (0); 2426 } 2427 2428 /* 2429 * Credential management. 2430 * 2431 * struct ucred objects are rarely allocated but gain and lose references all 2432 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 2433 * a significant source of cache-line ping ponging. Common cases are worked 2434 * around by modifying thread-local counter instead if the cred to operate on 2435 * matches td_realucred. 2436 * 2437 * The counter is split into 2 parts: 2438 * - cr_users -- total count of all struct proc and struct thread objects 2439 * which have given cred in p_ucred and td_ucred respectively 2440 * - cr_ref -- the actual ref count, only valid if cr_users == 0 2441 * 2442 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 2443 * the count reaches 0 the object is freeable. 2444 * If users > 0 and curthread->td_realucred == cred, then updates are performed 2445 * against td_ucredref. 2446 * In other cases updates are performed against cr_ref. 2447 * 2448 * Changing td_realucred into something else decrements cr_users and transfers 2449 * accumulated updates. 2450 */ 2451 struct ucred * 2452 crcowget(struct ucred *cr) 2453 { 2454 2455 mtx_lock(&cr->cr_mtx); 2456 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2457 __func__, cr->cr_users, cr)); 2458 cr->cr_users++; 2459 cr->cr_ref++; 2460 mtx_unlock(&cr->cr_mtx); 2461 return (cr); 2462 } 2463 2464 static struct ucred * 2465 crunuse(struct thread *td) 2466 { 2467 struct ucred *cr, *crold; 2468 2469 MPASS(td->td_realucred == td->td_ucred); 2470 cr = td->td_realucred; 2471 mtx_lock(&cr->cr_mtx); 2472 cr->cr_ref += td->td_ucredref; 2473 td->td_ucredref = 0; 2474 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2475 __func__, cr->cr_users, cr)); 2476 cr->cr_users--; 2477 if (cr->cr_users == 0) { 2478 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2479 __func__, cr->cr_ref, cr)); 2480 crold = cr; 2481 } else { 2482 cr->cr_ref--; 2483 crold = NULL; 2484 } 2485 mtx_unlock(&cr->cr_mtx); 2486 td->td_realucred = NULL; 2487 return (crold); 2488 } 2489 2490 static void 2491 crunusebatch(struct ucred *cr, u_int users, long ref) 2492 { 2493 2494 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2495 __func__, users, cr)); 2496 mtx_lock(&cr->cr_mtx); 2497 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2498 __func__, cr->cr_users, users, cr)); 2499 cr->cr_users -= users; 2500 cr->cr_ref += ref; 2501 cr->cr_ref -= users; 2502 if (cr->cr_users > 0) { 2503 mtx_unlock(&cr->cr_mtx); 2504 return; 2505 } 2506 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2507 __func__, cr->cr_ref, cr)); 2508 if (cr->cr_ref > 0) { 2509 mtx_unlock(&cr->cr_mtx); 2510 return; 2511 } 2512 crfree_final(cr); 2513 } 2514 2515 void 2516 crcowfree(struct thread *td) 2517 { 2518 struct ucred *cr; 2519 2520 cr = crunuse(td); 2521 if (cr != NULL) 2522 crfree(cr); 2523 } 2524 2525 struct ucred * 2526 crcowsync(void) 2527 { 2528 struct thread *td; 2529 struct proc *p; 2530 struct ucred *crnew, *crold; 2531 2532 td = curthread; 2533 p = td->td_proc; 2534 PROC_LOCK_ASSERT(p, MA_OWNED); 2535 2536 MPASS(td->td_realucred == td->td_ucred); 2537 if (td->td_realucred == p->p_ucred) 2538 return (NULL); 2539 2540 crnew = crcowget(p->p_ucred); 2541 crold = crunuse(td); 2542 td->td_realucred = crnew; 2543 td->td_ucred = td->td_realucred; 2544 return (crold); 2545 } 2546 2547 /* 2548 * Batching. 2549 */ 2550 void 2551 credbatch_add(struct credbatch *crb, struct thread *td) 2552 { 2553 struct ucred *cr; 2554 2555 MPASS(td->td_realucred != NULL); 2556 MPASS(td->td_realucred == td->td_ucred); 2557 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2558 cr = td->td_realucred; 2559 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2560 __func__, cr->cr_users, cr)); 2561 if (crb->cred != cr) { 2562 if (crb->users > 0) { 2563 MPASS(crb->cred != NULL); 2564 crunusebatch(crb->cred, crb->users, crb->ref); 2565 crb->users = 0; 2566 crb->ref = 0; 2567 } 2568 } 2569 crb->cred = cr; 2570 crb->users++; 2571 crb->ref += td->td_ucredref; 2572 td->td_ucredref = 0; 2573 td->td_realucred = NULL; 2574 } 2575 2576 void 2577 credbatch_final(struct credbatch *crb) 2578 { 2579 2580 MPASS(crb->cred != NULL); 2581 MPASS(crb->users > 0); 2582 crunusebatch(crb->cred, crb->users, crb->ref); 2583 } 2584 2585 /* 2586 * Allocate a zeroed cred structure. 2587 */ 2588 struct ucred * 2589 crget(void) 2590 { 2591 struct ucred *cr; 2592 2593 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2594 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2595 cr->cr_ref = 1; 2596 #ifdef AUDIT 2597 audit_cred_init(cr); 2598 #endif 2599 #ifdef MAC 2600 mac_cred_init(cr); 2601 #endif 2602 cr->cr_groups = cr->cr_smallgroups; 2603 cr->cr_agroups = nitems(cr->cr_smallgroups); 2604 return (cr); 2605 } 2606 2607 /* 2608 * Claim another reference to a ucred structure. 2609 */ 2610 struct ucred * 2611 crhold(struct ucred *cr) 2612 { 2613 struct thread *td; 2614 2615 td = curthread; 2616 if (__predict_true(td->td_realucred == cr)) { 2617 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2618 __func__, cr->cr_users, cr)); 2619 td->td_ucredref++; 2620 return (cr); 2621 } 2622 mtx_lock(&cr->cr_mtx); 2623 cr->cr_ref++; 2624 mtx_unlock(&cr->cr_mtx); 2625 return (cr); 2626 } 2627 2628 /* 2629 * Free a cred structure. Throws away space when ref count gets to 0. 2630 */ 2631 void 2632 crfree(struct ucred *cr) 2633 { 2634 struct thread *td; 2635 2636 td = curthread; 2637 if (__predict_true(td->td_realucred == cr)) { 2638 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2639 __func__, cr->cr_users, cr)); 2640 td->td_ucredref--; 2641 return; 2642 } 2643 mtx_lock(&cr->cr_mtx); 2644 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2645 __func__, cr->cr_users, cr)); 2646 cr->cr_ref--; 2647 if (cr->cr_users > 0) { 2648 mtx_unlock(&cr->cr_mtx); 2649 return; 2650 } 2651 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2652 __func__, cr->cr_ref, cr)); 2653 if (cr->cr_ref > 0) { 2654 mtx_unlock(&cr->cr_mtx); 2655 return; 2656 } 2657 crfree_final(cr); 2658 } 2659 2660 static void 2661 crfree_final(struct ucred *cr) 2662 { 2663 2664 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2665 __func__, cr->cr_users, cr)); 2666 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2667 __func__, cr->cr_ref, cr)); 2668 2669 /* 2670 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2671 * credential, but don't allocate a uidinfo structure. 2672 */ 2673 if (cr->cr_uidinfo != NULL) 2674 uifree(cr->cr_uidinfo); 2675 if (cr->cr_ruidinfo != NULL) 2676 uifree(cr->cr_ruidinfo); 2677 if (cr->cr_prison != NULL) 2678 prison_free(cr->cr_prison); 2679 if (cr->cr_loginclass != NULL) 2680 loginclass_free(cr->cr_loginclass); 2681 #ifdef AUDIT 2682 audit_cred_destroy(cr); 2683 #endif 2684 #ifdef MAC 2685 mac_cred_destroy(cr); 2686 #endif 2687 mtx_destroy(&cr->cr_mtx); 2688 if (cr->cr_groups != cr->cr_smallgroups) 2689 free(cr->cr_groups, M_CRED); 2690 free(cr, M_CRED); 2691 } 2692 2693 /* 2694 * Copy a ucred's contents from a template. Does not block. 2695 */ 2696 void 2697 crcopy(struct ucred *dest, struct ucred *src) 2698 { 2699 2700 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2701 (unsigned)((caddr_t)&src->cr_endcopy - 2702 (caddr_t)&src->cr_startcopy)); 2703 dest->cr_flags = src->cr_flags; 2704 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2705 uihold(dest->cr_uidinfo); 2706 uihold(dest->cr_ruidinfo); 2707 prison_hold(dest->cr_prison); 2708 loginclass_hold(dest->cr_loginclass); 2709 #ifdef AUDIT 2710 audit_cred_copy(src, dest); 2711 #endif 2712 #ifdef MAC 2713 mac_cred_copy(src, dest); 2714 #endif 2715 } 2716 2717 /* 2718 * Dup cred struct to a new held one. 2719 */ 2720 struct ucred * 2721 crdup(struct ucred *cr) 2722 { 2723 struct ucred *newcr; 2724 2725 newcr = crget(); 2726 crcopy(newcr, cr); 2727 return (newcr); 2728 } 2729 2730 /* 2731 * Fill in a struct xucred based on a struct ucred. 2732 */ 2733 void 2734 cru2x(struct ucred *cr, struct xucred *xcr) 2735 { 2736 int ngroups; 2737 2738 bzero(xcr, sizeof(*xcr)); 2739 xcr->cr_version = XUCRED_VERSION; 2740 xcr->cr_uid = cr->cr_uid; 2741 xcr->cr_gid = cr->cr_gid; 2742 2743 /* 2744 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so 2745 * this is kind of ugly; cr_ngroups still includes the egid for our 2746 * purposes to avoid bumping the xucred version. 2747 */ 2748 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups)); 2749 xcr->cr_ngroups = ngroups; 2750 bcopy(cr->cr_groups, xcr->cr_sgroups, 2751 (ngroups - 1) * sizeof(*cr->cr_groups)); 2752 } 2753 2754 void 2755 cru2xt(struct thread *td, struct xucred *xcr) 2756 { 2757 2758 cru2x(td->td_ucred, xcr); 2759 xcr->cr_pid = td->td_proc->p_pid; 2760 } 2761 2762 /* 2763 * Change process credentials. 2764 * 2765 * Callers are responsible for providing the reference for passed credentials 2766 * and for freeing old ones. Calls chgproccnt() to correctly account the 2767 * current process to the proper real UID, if the latter has changed. Returns 2768 * whether the operation was successful. Failure can happen only on 2769 * 'enforce_proc_lim' being true and if no new process can be accounted to the 2770 * new real UID because of the current limit (see the inner comment for more 2771 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override 2772 * that. 2773 */ 2774 static bool 2775 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim) 2776 { 2777 struct ucred *const oldcred = p->p_ucred; 2778 2779 MPASS(oldcred != NULL); 2780 PROC_LOCK_ASSERT(p, MA_OWNED); 2781 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2782 __func__, newcred->cr_users, newcred)); 2783 KASSERT(newcred->cr_ref == 1, ("%s: ref %ld not 1 on cred %p", 2784 __func__, newcred->cr_ref, newcred)); 2785 2786 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) { 2787 /* 2788 * XXXOC: This check is flawed but nonetheless the best we can 2789 * currently do as we don't really track limits per UID contrary 2790 * to what we pretend in setrlimit(2). Until this is reworked, 2791 * we just check here that the number of processes for our new 2792 * real UID doesn't exceed this process' process number limit 2793 * (which is meant to be associated with the current real UID). 2794 */ 2795 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1, 2796 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0); 2797 2798 if (!proccnt_changed) { 2799 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0) 2800 return (false); 2801 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2802 } 2803 } 2804 2805 mtx_lock(&oldcred->cr_mtx); 2806 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2807 __func__, oldcred->cr_users, oldcred)); 2808 oldcred->cr_users--; 2809 mtx_unlock(&oldcred->cr_mtx); 2810 p->p_ucred = newcred; 2811 newcred->cr_users = 1; 2812 PROC_UPDATE_COW(p); 2813 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) 2814 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0); 2815 return (true); 2816 } 2817 2818 void 2819 proc_set_cred(struct proc *p, struct ucred *newcred) 2820 { 2821 bool success __diagused = _proc_set_cred(p, newcred, false); 2822 2823 MPASS(success); 2824 } 2825 2826 bool 2827 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred) 2828 { 2829 return (_proc_set_cred(p, newcred, true)); 2830 } 2831 2832 void 2833 proc_unset_cred(struct proc *p, bool decrement_proc_count) 2834 { 2835 struct ucred *cr; 2836 2837 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2838 cr = p->p_ucred; 2839 p->p_ucred = NULL; 2840 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2841 __func__, cr->cr_users, cr)); 2842 mtx_lock(&cr->cr_mtx); 2843 cr->cr_users--; 2844 if (cr->cr_users == 0) 2845 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2846 __func__, cr->cr_ref, cr)); 2847 mtx_unlock(&cr->cr_mtx); 2848 if (decrement_proc_count) 2849 (void)chgproccnt(cr->cr_ruidinfo, -1, 0); 2850 crfree(cr); 2851 } 2852 2853 struct ucred * 2854 crcopysafe(struct proc *p, struct ucred *cr) 2855 { 2856 struct ucred *oldcred; 2857 int groups; 2858 2859 PROC_LOCK_ASSERT(p, MA_OWNED); 2860 2861 oldcred = p->p_ucred; 2862 while (cr->cr_agroups < oldcred->cr_ngroups) { 2863 groups = oldcred->cr_ngroups; 2864 PROC_UNLOCK(p); 2865 crextend(cr, groups); 2866 PROC_LOCK(p); 2867 oldcred = p->p_ucred; 2868 } 2869 crcopy(cr, oldcred); 2870 2871 return (oldcred); 2872 } 2873 2874 /* 2875 * Extend the passed-in credentials to hold n groups. 2876 * 2877 * Must not be called after groups have been set. 2878 */ 2879 void 2880 crextend(struct ucred *cr, int n) 2881 { 2882 size_t nbytes; 2883 2884 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2885 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0, 2886 "groups on 'cr' already set!"); 2887 groups_check_positive_len(n); 2888 groups_check_max_len(n); 2889 2890 if (n <= cr->cr_agroups) 2891 return; 2892 2893 nbytes = n * sizeof(gid_t); 2894 if (nbytes < n) 2895 panic("Too many groups (memory size overflow)! " 2896 "Computation of 'kern.ngroups' should have prevented this, " 2897 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2898 2899 /* 2900 * We allocate a power of 2 larger than 'nbytes', except when that 2901 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2902 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2903 * below) but do not need to for sizeof(gid_t). 2904 */ 2905 if (nbytes < PAGE_SIZE) { 2906 if (!powerof2(nbytes)) 2907 /* fls*() return a bit index starting at 1. */ 2908 nbytes = 1 << flsl(nbytes); 2909 } else 2910 nbytes = roundup2(nbytes, PAGE_SIZE); 2911 2912 /* Free the old array. */ 2913 if (cr->cr_groups != cr->cr_smallgroups) 2914 free(cr->cr_groups, M_CRED); 2915 2916 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2917 cr->cr_agroups = nbytes / sizeof(gid_t); 2918 } 2919 2920 /* 2921 * Normalizes a set of groups to be applied to a 'struct ucred'. 2922 * 2923 * Normalization ensures that the supplementary groups are sorted in ascending 2924 * order and do not contain duplicates. This allows group_is_supplementary 2925 * to do a binary search. 2926 */ 2927 static void 2928 groups_normalize(int *ngrp, gid_t *groups) 2929 { 2930 gid_t prev_g; 2931 int ins_idx; 2932 2933 groups_check_positive_len(*ngrp); 2934 groups_check_max_len(*ngrp); 2935 2936 if (*ngrp <= 1) 2937 return; 2938 2939 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp); 2940 2941 /* Remove duplicates. */ 2942 prev_g = groups[0]; 2943 ins_idx = 1; 2944 for (int i = ins_idx; i < *ngrp; ++i) { 2945 const gid_t g = groups[i]; 2946 2947 if (g != prev_g) { 2948 if (i != ins_idx) 2949 groups[ins_idx] = g; 2950 ++ins_idx; 2951 prev_g = g; 2952 } 2953 } 2954 *ngrp = ins_idx; 2955 2956 groups_check_normalized(*ngrp, groups); 2957 } 2958 2959 /* 2960 * Internal function copying groups into a credential. 2961 * 2962 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2963 * been normalized in advance (see groups_normalize()), else it must be so 2964 * before the structure is to be used again. 2965 * 2966 * This function is suitable to be used under any lock (it doesn't take any lock 2967 * itself nor sleep, and in particular doesn't allocate memory). crextend() 2968 * must have been called beforehand to ensure sufficient space is available. 2969 * See also crsetgroups(), which handles that. 2970 */ 2971 static void 2972 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 2973 { 2974 2975 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2976 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 2977 groups_check_positive_len(ngrp); 2978 2979 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2980 cr->cr_ngroups = ngrp; 2981 cr->cr_flags |= CRED_FLAG_GROUPSET; 2982 } 2983 2984 /* 2985 * Copy groups in to a credential after expanding it if required. 2986 * 2987 * May sleep in order to allocate memory (except if, e.g., crextend() was called 2988 * before with 'ngrp' or greater). Truncates the list to ngroups_max if 2989 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 2990 * strictly positive. 2991 */ 2992 void 2993 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 2994 { 2995 2996 if (ngrp > ngroups_max) 2997 ngrp = ngroups_max; 2998 cr->cr_ngroups = 0; 2999 if (ngrp == 0) { 3000 cr->cr_flags |= CRED_FLAG_GROUPSET; 3001 return; 3002 } 3003 3004 /* 3005 * crextend() asserts that groups are not set, as it may allocate a new 3006 * backing storage without copying the content of the old one. Since we 3007 * are going to install a completely new set anyway, signal that we 3008 * consider the old ones thrown away. 3009 */ 3010 cr->cr_flags &= ~CRED_FLAG_GROUPSET; 3011 3012 crextend(cr, ngrp); 3013 crsetgroups_internal(cr, ngrp, groups); 3014 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 3015 } 3016 3017 /* 3018 * Same as crsetgroups() but sets the effective GID as well. 3019 * 3020 * This function ensures that an effective GID is always present in credentials. 3021 * An empty array will only set the effective GID to the default_egid, while a 3022 * non-empty array will peel off groups[0] to set as the effective GID and use 3023 * the remainder, if any, as supplementary groups. 3024 */ 3025 void 3026 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups, 3027 const gid_t default_egid) 3028 { 3029 if (ngrp == 0) { 3030 cr->cr_gid = default_egid; 3031 cr->cr_ngroups = 0; 3032 cr->cr_flags |= CRED_FLAG_GROUPSET; 3033 return; 3034 } 3035 3036 crsetgroups(cr, ngrp - 1, groups + 1); 3037 cr->cr_gid = groups[0]; 3038 } 3039 3040 /* 3041 * Get login name, if available. 3042 */ 3043 #ifndef _SYS_SYSPROTO_H_ 3044 struct getlogin_args { 3045 char *namebuf; 3046 u_int namelen; 3047 }; 3048 #endif 3049 /* ARGSUSED */ 3050 int 3051 sys_getlogin(struct thread *td, struct getlogin_args *uap) 3052 { 3053 char login[MAXLOGNAME]; 3054 struct proc *p = td->td_proc; 3055 size_t len; 3056 3057 if (uap->namelen > MAXLOGNAME) 3058 uap->namelen = MAXLOGNAME; 3059 PROC_LOCK(p); 3060 SESS_LOCK(p->p_session); 3061 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 3062 SESS_UNLOCK(p->p_session); 3063 PROC_UNLOCK(p); 3064 if (len > uap->namelen) 3065 return (ERANGE); 3066 return (copyout(login, uap->namebuf, len)); 3067 } 3068 3069 /* 3070 * Set login name. 3071 */ 3072 #ifndef _SYS_SYSPROTO_H_ 3073 struct setlogin_args { 3074 char *namebuf; 3075 }; 3076 #endif 3077 /* ARGSUSED */ 3078 int 3079 sys_setlogin(struct thread *td, struct setlogin_args *uap) 3080 { 3081 struct proc *p = td->td_proc; 3082 int error; 3083 char logintmp[MAXLOGNAME]; 3084 3085 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 3086 3087 error = priv_check(td, PRIV_PROC_SETLOGIN); 3088 if (error) 3089 return (error); 3090 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 3091 if (error != 0) { 3092 if (error == ENAMETOOLONG) 3093 error = EINVAL; 3094 return (error); 3095 } 3096 AUDIT_ARG_LOGIN(logintmp); 3097 PROC_LOCK(p); 3098 SESS_LOCK(p->p_session); 3099 strcpy(p->p_session->s_login, logintmp); 3100 SESS_UNLOCK(p->p_session); 3101 PROC_UNLOCK(p); 3102 return (0); 3103 } 3104 3105 void 3106 setsugid(struct proc *p) 3107 { 3108 3109 PROC_LOCK_ASSERT(p, MA_OWNED); 3110 p->p_flag |= P_SUGID; 3111 } 3112 3113 /*- 3114 * Change a process's effective uid. 3115 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 3116 * References: newcred must be an exclusive credential reference for the 3117 * duration of the call. 3118 */ 3119 void 3120 change_euid(struct ucred *newcred, struct uidinfo *euip) 3121 { 3122 3123 newcred->cr_uid = euip->ui_uid; 3124 uihold(euip); 3125 uifree(newcred->cr_uidinfo); 3126 newcred->cr_uidinfo = euip; 3127 } 3128 3129 /*- 3130 * Change a process's effective gid. 3131 * Side effects: newcred->cr_gid will be modified. 3132 * References: newcred must be an exclusive credential reference for the 3133 * duration of the call. 3134 */ 3135 void 3136 change_egid(struct ucred *newcred, gid_t egid) 3137 { 3138 3139 newcred->cr_gid = egid; 3140 } 3141 3142 /*- 3143 * Change a process's real uid. 3144 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 3145 * will be updated. 3146 * References: newcred must be an exclusive credential reference for the 3147 * duration of the call. 3148 */ 3149 void 3150 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 3151 { 3152 3153 newcred->cr_ruid = ruip->ui_uid; 3154 uihold(ruip); 3155 uifree(newcred->cr_ruidinfo); 3156 newcred->cr_ruidinfo = ruip; 3157 } 3158 3159 /*- 3160 * Change a process's real gid. 3161 * Side effects: newcred->cr_rgid will be updated. 3162 * References: newcred must be an exclusive credential reference for the 3163 * duration of the call. 3164 */ 3165 void 3166 change_rgid(struct ucred *newcred, gid_t rgid) 3167 { 3168 3169 newcred->cr_rgid = rgid; 3170 } 3171 3172 /*- 3173 * Change a process's saved uid. 3174 * Side effects: newcred->cr_svuid will be updated. 3175 * References: newcred must be an exclusive credential reference for the 3176 * duration of the call. 3177 */ 3178 void 3179 change_svuid(struct ucred *newcred, uid_t svuid) 3180 { 3181 3182 newcred->cr_svuid = svuid; 3183 } 3184 3185 /*- 3186 * Change a process's saved gid. 3187 * Side effects: newcred->cr_svgid will be updated. 3188 * References: newcred must be an exclusive credential reference for the 3189 * duration of the call. 3190 */ 3191 void 3192 change_svgid(struct ucred *newcred, gid_t svgid) 3193 { 3194 3195 newcred->cr_svgid = svgid; 3196 } 3197 3198 bool allow_ptrace = true; 3199 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 3200 &allow_ptrace, 0, 3201 "Deny ptrace(2) use by returning ENOSYS"); 3202