1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed 9 * to the University of California by American Telephone and Telegraph 10 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11 * the permission of UNIX System Laboratories, Inc. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 4. Neither the name of the University nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 __FBSDID("$FreeBSD$"); 46 47 #include "opt_compat.h" 48 #include "opt_inet.h" 49 #include "opt_inet6.h" 50 #include "opt_mac.h" 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/acct.h> 55 #include <sys/kdb.h> 56 #include <sys/kernel.h> 57 #include <sys/lock.h> 58 #include <sys/malloc.h> 59 #include <sys/mutex.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #include <sys/sysproto.h> 65 #include <sys/jail.h> 66 #include <sys/pioctl.h> 67 #include <sys/resourcevar.h> 68 #include <sys/socket.h> 69 #include <sys/socketvar.h> 70 #include <sys/syscallsubr.h> 71 #include <sys/sysctl.h> 72 #include <sys/vimage.h> 73 74 #if defined(INET) || defined(INET6) 75 #include <netinet/in.h> 76 #include <netinet/in_pcb.h> 77 #endif 78 79 #include <security/audit/audit.h> 80 #include <security/mac/mac_framework.h> 81 82 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 83 84 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 85 86 #ifndef _SYS_SYSPROTO_H_ 87 struct getpid_args { 88 int dummy; 89 }; 90 #endif 91 /* ARGSUSED */ 92 int 93 getpid(struct thread *td, struct getpid_args *uap) 94 { 95 struct proc *p = td->td_proc; 96 97 td->td_retval[0] = p->p_pid; 98 #if defined(COMPAT_43) 99 PROC_LOCK(p); 100 td->td_retval[1] = p->p_pptr->p_pid; 101 PROC_UNLOCK(p); 102 #endif 103 return (0); 104 } 105 106 #ifndef _SYS_SYSPROTO_H_ 107 struct getppid_args { 108 int dummy; 109 }; 110 #endif 111 /* ARGSUSED */ 112 int 113 getppid(struct thread *td, struct getppid_args *uap) 114 { 115 struct proc *p = td->td_proc; 116 117 PROC_LOCK(p); 118 td->td_retval[0] = p->p_pptr->p_pid; 119 PROC_UNLOCK(p); 120 return (0); 121 } 122 123 /* 124 * Get process group ID; note that POSIX getpgrp takes no parameter. 125 */ 126 #ifndef _SYS_SYSPROTO_H_ 127 struct getpgrp_args { 128 int dummy; 129 }; 130 #endif 131 int 132 getpgrp(struct thread *td, struct getpgrp_args *uap) 133 { 134 struct proc *p = td->td_proc; 135 136 PROC_LOCK(p); 137 td->td_retval[0] = p->p_pgrp->pg_id; 138 PROC_UNLOCK(p); 139 return (0); 140 } 141 142 /* Get an arbitary pid's process group id */ 143 #ifndef _SYS_SYSPROTO_H_ 144 struct getpgid_args { 145 pid_t pid; 146 }; 147 #endif 148 int 149 getpgid(struct thread *td, struct getpgid_args *uap) 150 { 151 struct proc *p; 152 int error; 153 154 if (uap->pid == 0) { 155 p = td->td_proc; 156 PROC_LOCK(p); 157 } else { 158 p = pfind(uap->pid); 159 if (p == NULL) 160 return (ESRCH); 161 error = p_cansee(td, p); 162 if (error) { 163 PROC_UNLOCK(p); 164 return (error); 165 } 166 } 167 td->td_retval[0] = p->p_pgrp->pg_id; 168 PROC_UNLOCK(p); 169 return (0); 170 } 171 172 /* 173 * Get an arbitary pid's session id. 174 */ 175 #ifndef _SYS_SYSPROTO_H_ 176 struct getsid_args { 177 pid_t pid; 178 }; 179 #endif 180 int 181 getsid(struct thread *td, struct getsid_args *uap) 182 { 183 struct proc *p; 184 int error; 185 186 if (uap->pid == 0) { 187 p = td->td_proc; 188 PROC_LOCK(p); 189 } else { 190 p = pfind(uap->pid); 191 if (p == NULL) 192 return (ESRCH); 193 error = p_cansee(td, p); 194 if (error) { 195 PROC_UNLOCK(p); 196 return (error); 197 } 198 } 199 td->td_retval[0] = p->p_session->s_sid; 200 PROC_UNLOCK(p); 201 return (0); 202 } 203 204 #ifndef _SYS_SYSPROTO_H_ 205 struct getuid_args { 206 int dummy; 207 }; 208 #endif 209 /* ARGSUSED */ 210 int 211 getuid(struct thread *td, struct getuid_args *uap) 212 { 213 214 td->td_retval[0] = td->td_ucred->cr_ruid; 215 #if defined(COMPAT_43) 216 td->td_retval[1] = td->td_ucred->cr_uid; 217 #endif 218 return (0); 219 } 220 221 #ifndef _SYS_SYSPROTO_H_ 222 struct geteuid_args { 223 int dummy; 224 }; 225 #endif 226 /* ARGSUSED */ 227 int 228 geteuid(struct thread *td, struct geteuid_args *uap) 229 { 230 231 td->td_retval[0] = td->td_ucred->cr_uid; 232 return (0); 233 } 234 235 #ifndef _SYS_SYSPROTO_H_ 236 struct getgid_args { 237 int dummy; 238 }; 239 #endif 240 /* ARGSUSED */ 241 int 242 getgid(struct thread *td, struct getgid_args *uap) 243 { 244 245 td->td_retval[0] = td->td_ucred->cr_rgid; 246 #if defined(COMPAT_43) 247 td->td_retval[1] = td->td_ucred->cr_groups[0]; 248 #endif 249 return (0); 250 } 251 252 /* 253 * Get effective group ID. The "egid" is groups[0], and could be obtained 254 * via getgroups. This syscall exists because it is somewhat painful to do 255 * correctly in a library function. 256 */ 257 #ifndef _SYS_SYSPROTO_H_ 258 struct getegid_args { 259 int dummy; 260 }; 261 #endif 262 /* ARGSUSED */ 263 int 264 getegid(struct thread *td, struct getegid_args *uap) 265 { 266 267 td->td_retval[0] = td->td_ucred->cr_groups[0]; 268 return (0); 269 } 270 271 #ifndef _SYS_SYSPROTO_H_ 272 struct getgroups_args { 273 u_int gidsetsize; 274 gid_t *gidset; 275 }; 276 #endif 277 int 278 getgroups(struct thread *td, register struct getgroups_args *uap) 279 { 280 gid_t groups[NGROUPS]; 281 u_int ngrp; 282 int error; 283 284 ngrp = MIN(uap->gidsetsize, NGROUPS); 285 error = kern_getgroups(td, &ngrp, groups); 286 if (error) 287 return (error); 288 if (uap->gidsetsize > 0) 289 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 290 if (error == 0) 291 td->td_retval[0] = ngrp; 292 return (error); 293 } 294 295 int 296 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 297 { 298 struct ucred *cred; 299 300 cred = td->td_ucred; 301 if (*ngrp == 0) { 302 *ngrp = cred->cr_ngroups; 303 return (0); 304 } 305 if (*ngrp < cred->cr_ngroups) 306 return (EINVAL); 307 *ngrp = cred->cr_ngroups; 308 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 309 return (0); 310 } 311 312 #ifndef _SYS_SYSPROTO_H_ 313 struct setsid_args { 314 int dummy; 315 }; 316 #endif 317 /* ARGSUSED */ 318 int 319 setsid(register struct thread *td, struct setsid_args *uap) 320 { 321 struct pgrp *pgrp; 322 int error; 323 struct proc *p = td->td_proc; 324 struct pgrp *newpgrp; 325 struct session *newsess; 326 327 error = 0; 328 pgrp = NULL; 329 330 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 331 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 332 333 sx_xlock(&proctree_lock); 334 335 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 336 if (pgrp != NULL) 337 PGRP_UNLOCK(pgrp); 338 error = EPERM; 339 } else { 340 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 341 td->td_retval[0] = p->p_pid; 342 newpgrp = NULL; 343 newsess = NULL; 344 } 345 346 sx_xunlock(&proctree_lock); 347 348 if (newpgrp != NULL) 349 free(newpgrp, M_PGRP); 350 if (newsess != NULL) 351 free(newsess, M_SESSION); 352 353 return (error); 354 } 355 356 /* 357 * set process group (setpgid/old setpgrp) 358 * 359 * caller does setpgid(targpid, targpgid) 360 * 361 * pid must be caller or child of caller (ESRCH) 362 * if a child 363 * pid must be in same session (EPERM) 364 * pid can't have done an exec (EACCES) 365 * if pgid != pid 366 * there must exist some pid in same session having pgid (EPERM) 367 * pid must not be session leader (EPERM) 368 */ 369 #ifndef _SYS_SYSPROTO_H_ 370 struct setpgid_args { 371 int pid; /* target process id */ 372 int pgid; /* target pgrp id */ 373 }; 374 #endif 375 /* ARGSUSED */ 376 int 377 setpgid(struct thread *td, register struct setpgid_args *uap) 378 { 379 struct proc *curp = td->td_proc; 380 register struct proc *targp; /* target process */ 381 register struct pgrp *pgrp; /* target pgrp */ 382 int error; 383 struct pgrp *newpgrp; 384 385 if (uap->pgid < 0) 386 return (EINVAL); 387 388 error = 0; 389 390 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 391 392 sx_xlock(&proctree_lock); 393 if (uap->pid != 0 && uap->pid != curp->p_pid) { 394 if ((targp = pfind(uap->pid)) == NULL) { 395 error = ESRCH; 396 goto done; 397 } 398 if (!inferior(targp)) { 399 PROC_UNLOCK(targp); 400 error = ESRCH; 401 goto done; 402 } 403 if ((error = p_cansee(td, targp))) { 404 PROC_UNLOCK(targp); 405 goto done; 406 } 407 if (targp->p_pgrp == NULL || 408 targp->p_session != curp->p_session) { 409 PROC_UNLOCK(targp); 410 error = EPERM; 411 goto done; 412 } 413 if (targp->p_flag & P_EXEC) { 414 PROC_UNLOCK(targp); 415 error = EACCES; 416 goto done; 417 } 418 PROC_UNLOCK(targp); 419 } else 420 targp = curp; 421 if (SESS_LEADER(targp)) { 422 error = EPERM; 423 goto done; 424 } 425 if (uap->pgid == 0) 426 uap->pgid = targp->p_pid; 427 if ((pgrp = pgfind(uap->pgid)) == NULL) { 428 if (uap->pgid == targp->p_pid) { 429 error = enterpgrp(targp, uap->pgid, newpgrp, 430 NULL); 431 if (error == 0) 432 newpgrp = NULL; 433 } else 434 error = EPERM; 435 } else { 436 if (pgrp == targp->p_pgrp) { 437 PGRP_UNLOCK(pgrp); 438 goto done; 439 } 440 if (pgrp->pg_id != targp->p_pid && 441 pgrp->pg_session != curp->p_session) { 442 PGRP_UNLOCK(pgrp); 443 error = EPERM; 444 goto done; 445 } 446 PGRP_UNLOCK(pgrp); 447 error = enterthispgrp(targp, pgrp); 448 } 449 done: 450 sx_xunlock(&proctree_lock); 451 KASSERT((error == 0) || (newpgrp != NULL), 452 ("setpgid failed and newpgrp is NULL")); 453 if (newpgrp != NULL) 454 free(newpgrp, M_PGRP); 455 return (error); 456 } 457 458 /* 459 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 460 * compatible. It says that setting the uid/gid to euid/egid is a special 461 * case of "appropriate privilege". Once the rules are expanded out, this 462 * basically means that setuid(nnn) sets all three id's, in all permitted 463 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 464 * does not set the saved id - this is dangerous for traditional BSD 465 * programs. For this reason, we *really* do not want to set 466 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 467 */ 468 #define POSIX_APPENDIX_B_4_2_2 469 470 #ifndef _SYS_SYSPROTO_H_ 471 struct setuid_args { 472 uid_t uid; 473 }; 474 #endif 475 /* ARGSUSED */ 476 int 477 setuid(struct thread *td, struct setuid_args *uap) 478 { 479 struct proc *p = td->td_proc; 480 struct ucred *newcred, *oldcred; 481 uid_t uid; 482 struct uidinfo *uip; 483 int error; 484 485 uid = uap->uid; 486 AUDIT_ARG(uid, uid); 487 newcred = crget(); 488 uip = uifind(uid); 489 PROC_LOCK(p); 490 oldcred = p->p_ucred; 491 492 #ifdef MAC 493 error = mac_cred_check_setuid(oldcred, uid); 494 if (error) 495 goto fail; 496 #endif 497 498 /* 499 * See if we have "permission" by POSIX 1003.1 rules. 500 * 501 * Note that setuid(geteuid()) is a special case of 502 * "appropriate privileges" in appendix B.4.2.2. We need 503 * to use this clause to be compatible with traditional BSD 504 * semantics. Basically, it means that "setuid(xx)" sets all 505 * three id's (assuming you have privs). 506 * 507 * Notes on the logic. We do things in three steps. 508 * 1: We determine if the euid is going to change, and do EPERM 509 * right away. We unconditionally change the euid later if this 510 * test is satisfied, simplifying that part of the logic. 511 * 2: We determine if the real and/or saved uids are going to 512 * change. Determined by compile options. 513 * 3: Change euid last. (after tests in #2 for "appropriate privs") 514 */ 515 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 516 #ifdef _POSIX_SAVED_IDS 517 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 518 #endif 519 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 520 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 521 #endif 522 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 523 goto fail; 524 525 /* 526 * Copy credentials so other references do not see our changes. 527 */ 528 crcopy(newcred, oldcred); 529 #ifdef _POSIX_SAVED_IDS 530 /* 531 * Do we have "appropriate privileges" (are we root or uid == euid) 532 * If so, we are changing the real uid and/or saved uid. 533 */ 534 if ( 535 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 536 uid == oldcred->cr_uid || 537 #endif 538 /* We are using privs. */ 539 priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 540 #endif 541 { 542 /* 543 * Set the real uid and transfer proc count to new user. 544 */ 545 if (uid != oldcred->cr_ruid) { 546 change_ruid(newcred, uip); 547 setsugid(p); 548 } 549 /* 550 * Set saved uid 551 * 552 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 553 * the security of seteuid() depends on it. B.4.2.2 says it 554 * is important that we should do this. 555 */ 556 if (uid != oldcred->cr_svuid) { 557 change_svuid(newcred, uid); 558 setsugid(p); 559 } 560 } 561 562 /* 563 * In all permitted cases, we are changing the euid. 564 */ 565 if (uid != oldcred->cr_uid) { 566 change_euid(newcred, uip); 567 setsugid(p); 568 } 569 p->p_ucred = newcred; 570 PROC_UNLOCK(p); 571 uifree(uip); 572 crfree(oldcred); 573 return (0); 574 575 fail: 576 PROC_UNLOCK(p); 577 uifree(uip); 578 crfree(newcred); 579 return (error); 580 } 581 582 #ifndef _SYS_SYSPROTO_H_ 583 struct seteuid_args { 584 uid_t euid; 585 }; 586 #endif 587 /* ARGSUSED */ 588 int 589 seteuid(struct thread *td, struct seteuid_args *uap) 590 { 591 struct proc *p = td->td_proc; 592 struct ucred *newcred, *oldcred; 593 uid_t euid; 594 struct uidinfo *euip; 595 int error; 596 597 euid = uap->euid; 598 AUDIT_ARG(euid, euid); 599 newcred = crget(); 600 euip = uifind(euid); 601 PROC_LOCK(p); 602 oldcred = p->p_ucred; 603 604 #ifdef MAC 605 error = mac_cred_check_seteuid(oldcred, euid); 606 if (error) 607 goto fail; 608 #endif 609 610 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 611 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 612 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 613 goto fail; 614 615 /* 616 * Everything's okay, do it. Copy credentials so other references do 617 * not see our changes. 618 */ 619 crcopy(newcred, oldcred); 620 if (oldcred->cr_uid != euid) { 621 change_euid(newcred, euip); 622 setsugid(p); 623 } 624 p->p_ucred = newcred; 625 PROC_UNLOCK(p); 626 uifree(euip); 627 crfree(oldcred); 628 return (0); 629 630 fail: 631 PROC_UNLOCK(p); 632 uifree(euip); 633 crfree(newcred); 634 return (error); 635 } 636 637 #ifndef _SYS_SYSPROTO_H_ 638 struct setgid_args { 639 gid_t gid; 640 }; 641 #endif 642 /* ARGSUSED */ 643 int 644 setgid(struct thread *td, struct setgid_args *uap) 645 { 646 struct proc *p = td->td_proc; 647 struct ucred *newcred, *oldcred; 648 gid_t gid; 649 int error; 650 651 gid = uap->gid; 652 AUDIT_ARG(gid, gid); 653 newcred = crget(); 654 PROC_LOCK(p); 655 oldcred = p->p_ucred; 656 657 #ifdef MAC 658 error = mac_cred_check_setgid(oldcred, gid); 659 if (error) 660 goto fail; 661 #endif 662 663 /* 664 * See if we have "permission" by POSIX 1003.1 rules. 665 * 666 * Note that setgid(getegid()) is a special case of 667 * "appropriate privileges" in appendix B.4.2.2. We need 668 * to use this clause to be compatible with traditional BSD 669 * semantics. Basically, it means that "setgid(xx)" sets all 670 * three id's (assuming you have privs). 671 * 672 * For notes on the logic here, see setuid() above. 673 */ 674 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 675 #ifdef _POSIX_SAVED_IDS 676 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 677 #endif 678 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 679 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 680 #endif 681 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 682 goto fail; 683 684 crcopy(newcred, oldcred); 685 #ifdef _POSIX_SAVED_IDS 686 /* 687 * Do we have "appropriate privileges" (are we root or gid == egid) 688 * If so, we are changing the real uid and saved gid. 689 */ 690 if ( 691 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 692 gid == oldcred->cr_groups[0] || 693 #endif 694 /* We are using privs. */ 695 priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 696 #endif 697 { 698 /* 699 * Set real gid 700 */ 701 if (oldcred->cr_rgid != gid) { 702 change_rgid(newcred, gid); 703 setsugid(p); 704 } 705 /* 706 * Set saved gid 707 * 708 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 709 * the security of setegid() depends on it. B.4.2.2 says it 710 * is important that we should do this. 711 */ 712 if (oldcred->cr_svgid != gid) { 713 change_svgid(newcred, gid); 714 setsugid(p); 715 } 716 } 717 /* 718 * In all cases permitted cases, we are changing the egid. 719 * Copy credentials so other references do not see our changes. 720 */ 721 if (oldcred->cr_groups[0] != gid) { 722 change_egid(newcred, gid); 723 setsugid(p); 724 } 725 p->p_ucred = newcred; 726 PROC_UNLOCK(p); 727 crfree(oldcred); 728 return (0); 729 730 fail: 731 PROC_UNLOCK(p); 732 crfree(newcred); 733 return (error); 734 } 735 736 #ifndef _SYS_SYSPROTO_H_ 737 struct setegid_args { 738 gid_t egid; 739 }; 740 #endif 741 /* ARGSUSED */ 742 int 743 setegid(struct thread *td, struct setegid_args *uap) 744 { 745 struct proc *p = td->td_proc; 746 struct ucred *newcred, *oldcred; 747 gid_t egid; 748 int error; 749 750 egid = uap->egid; 751 AUDIT_ARG(egid, egid); 752 newcred = crget(); 753 PROC_LOCK(p); 754 oldcred = p->p_ucred; 755 756 #ifdef MAC 757 error = mac_cred_check_setegid(oldcred, egid); 758 if (error) 759 goto fail; 760 #endif 761 762 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 763 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 764 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 765 goto fail; 766 767 crcopy(newcred, oldcred); 768 if (oldcred->cr_groups[0] != egid) { 769 change_egid(newcred, egid); 770 setsugid(p); 771 } 772 p->p_ucred = newcred; 773 PROC_UNLOCK(p); 774 crfree(oldcred); 775 return (0); 776 777 fail: 778 PROC_UNLOCK(p); 779 crfree(newcred); 780 return (error); 781 } 782 783 #ifndef _SYS_SYSPROTO_H_ 784 struct setgroups_args { 785 u_int gidsetsize; 786 gid_t *gidset; 787 }; 788 #endif 789 /* ARGSUSED */ 790 int 791 setgroups(struct thread *td, struct setgroups_args *uap) 792 { 793 gid_t groups[NGROUPS]; 794 int error; 795 796 if (uap->gidsetsize > NGROUPS) 797 return (EINVAL); 798 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 799 if (error) 800 return (error); 801 return (kern_setgroups(td, uap->gidsetsize, groups)); 802 } 803 804 int 805 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 806 { 807 struct proc *p = td->td_proc; 808 struct ucred *newcred, *oldcred; 809 int error; 810 811 if (ngrp > NGROUPS) 812 return (EINVAL); 813 AUDIT_ARG(groupset, groups, ngrp); 814 newcred = crget(); 815 PROC_LOCK(p); 816 oldcred = p->p_ucred; 817 818 #ifdef MAC 819 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 820 if (error) 821 goto fail; 822 #endif 823 824 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 825 if (error) 826 goto fail; 827 828 /* 829 * XXX A little bit lazy here. We could test if anything has 830 * changed before crcopy() and setting P_SUGID. 831 */ 832 crcopy(newcred, oldcred); 833 if (ngrp < 1) { 834 /* 835 * setgroups(0, NULL) is a legitimate way of clearing the 836 * groups vector on non-BSD systems (which generally do not 837 * have the egid in the groups[0]). We risk security holes 838 * when running non-BSD software if we do not do the same. 839 */ 840 newcred->cr_ngroups = 1; 841 } else { 842 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 843 newcred->cr_ngroups = ngrp; 844 } 845 setsugid(p); 846 p->p_ucred = newcred; 847 PROC_UNLOCK(p); 848 crfree(oldcred); 849 return (0); 850 851 fail: 852 PROC_UNLOCK(p); 853 crfree(newcred); 854 return (error); 855 } 856 857 #ifndef _SYS_SYSPROTO_H_ 858 struct setreuid_args { 859 uid_t ruid; 860 uid_t euid; 861 }; 862 #endif 863 /* ARGSUSED */ 864 int 865 setreuid(register struct thread *td, struct setreuid_args *uap) 866 { 867 struct proc *p = td->td_proc; 868 struct ucred *newcred, *oldcred; 869 uid_t euid, ruid; 870 struct uidinfo *euip, *ruip; 871 int error; 872 873 euid = uap->euid; 874 ruid = uap->ruid; 875 AUDIT_ARG(euid, euid); 876 AUDIT_ARG(ruid, ruid); 877 newcred = crget(); 878 euip = uifind(euid); 879 ruip = uifind(ruid); 880 PROC_LOCK(p); 881 oldcred = p->p_ucred; 882 883 #ifdef MAC 884 error = mac_cred_check_setreuid(oldcred, ruid, euid); 885 if (error) 886 goto fail; 887 #endif 888 889 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 890 ruid != oldcred->cr_svuid) || 891 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 892 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 893 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 894 goto fail; 895 896 crcopy(newcred, oldcred); 897 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 898 change_euid(newcred, euip); 899 setsugid(p); 900 } 901 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 902 change_ruid(newcred, ruip); 903 setsugid(p); 904 } 905 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 906 newcred->cr_svuid != newcred->cr_uid) { 907 change_svuid(newcred, newcred->cr_uid); 908 setsugid(p); 909 } 910 p->p_ucred = newcred; 911 PROC_UNLOCK(p); 912 uifree(ruip); 913 uifree(euip); 914 crfree(oldcred); 915 return (0); 916 917 fail: 918 PROC_UNLOCK(p); 919 uifree(ruip); 920 uifree(euip); 921 crfree(newcred); 922 return (error); 923 } 924 925 #ifndef _SYS_SYSPROTO_H_ 926 struct setregid_args { 927 gid_t rgid; 928 gid_t egid; 929 }; 930 #endif 931 /* ARGSUSED */ 932 int 933 setregid(register struct thread *td, struct setregid_args *uap) 934 { 935 struct proc *p = td->td_proc; 936 struct ucred *newcred, *oldcred; 937 gid_t egid, rgid; 938 int error; 939 940 egid = uap->egid; 941 rgid = uap->rgid; 942 AUDIT_ARG(egid, egid); 943 AUDIT_ARG(rgid, rgid); 944 newcred = crget(); 945 PROC_LOCK(p); 946 oldcred = p->p_ucred; 947 948 #ifdef MAC 949 error = mac_cred_check_setregid(oldcred, rgid, egid); 950 if (error) 951 goto fail; 952 #endif 953 954 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 955 rgid != oldcred->cr_svgid) || 956 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 957 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 958 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 959 goto fail; 960 961 crcopy(newcred, oldcred); 962 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 963 change_egid(newcred, egid); 964 setsugid(p); 965 } 966 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 967 change_rgid(newcred, rgid); 968 setsugid(p); 969 } 970 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 971 newcred->cr_svgid != newcred->cr_groups[0]) { 972 change_svgid(newcred, newcred->cr_groups[0]); 973 setsugid(p); 974 } 975 p->p_ucred = newcred; 976 PROC_UNLOCK(p); 977 crfree(oldcred); 978 return (0); 979 980 fail: 981 PROC_UNLOCK(p); 982 crfree(newcred); 983 return (error); 984 } 985 986 /* 987 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 988 * uid is explicit. 989 */ 990 #ifndef _SYS_SYSPROTO_H_ 991 struct setresuid_args { 992 uid_t ruid; 993 uid_t euid; 994 uid_t suid; 995 }; 996 #endif 997 /* ARGSUSED */ 998 int 999 setresuid(register struct thread *td, struct setresuid_args *uap) 1000 { 1001 struct proc *p = td->td_proc; 1002 struct ucred *newcred, *oldcred; 1003 uid_t euid, ruid, suid; 1004 struct uidinfo *euip, *ruip; 1005 int error; 1006 1007 euid = uap->euid; 1008 ruid = uap->ruid; 1009 suid = uap->suid; 1010 AUDIT_ARG(euid, euid); 1011 AUDIT_ARG(ruid, ruid); 1012 AUDIT_ARG(suid, suid); 1013 newcred = crget(); 1014 euip = uifind(euid); 1015 ruip = uifind(ruid); 1016 PROC_LOCK(p); 1017 oldcred = p->p_ucred; 1018 1019 #ifdef MAC 1020 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1021 if (error) 1022 goto fail; 1023 #endif 1024 1025 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1026 ruid != oldcred->cr_svuid && 1027 ruid != oldcred->cr_uid) || 1028 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1029 euid != oldcred->cr_svuid && 1030 euid != oldcred->cr_uid) || 1031 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1032 suid != oldcred->cr_svuid && 1033 suid != oldcred->cr_uid)) && 1034 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1035 goto fail; 1036 1037 crcopy(newcred, oldcred); 1038 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1039 change_euid(newcred, euip); 1040 setsugid(p); 1041 } 1042 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1043 change_ruid(newcred, ruip); 1044 setsugid(p); 1045 } 1046 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1047 change_svuid(newcred, suid); 1048 setsugid(p); 1049 } 1050 p->p_ucred = newcred; 1051 PROC_UNLOCK(p); 1052 uifree(ruip); 1053 uifree(euip); 1054 crfree(oldcred); 1055 return (0); 1056 1057 fail: 1058 PROC_UNLOCK(p); 1059 uifree(ruip); 1060 uifree(euip); 1061 crfree(newcred); 1062 return (error); 1063 1064 } 1065 1066 /* 1067 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1068 * gid is explicit. 1069 */ 1070 #ifndef _SYS_SYSPROTO_H_ 1071 struct setresgid_args { 1072 gid_t rgid; 1073 gid_t egid; 1074 gid_t sgid; 1075 }; 1076 #endif 1077 /* ARGSUSED */ 1078 int 1079 setresgid(register struct thread *td, struct setresgid_args *uap) 1080 { 1081 struct proc *p = td->td_proc; 1082 struct ucred *newcred, *oldcred; 1083 gid_t egid, rgid, sgid; 1084 int error; 1085 1086 egid = uap->egid; 1087 rgid = uap->rgid; 1088 sgid = uap->sgid; 1089 AUDIT_ARG(egid, egid); 1090 AUDIT_ARG(rgid, rgid); 1091 AUDIT_ARG(sgid, sgid); 1092 newcred = crget(); 1093 PROC_LOCK(p); 1094 oldcred = p->p_ucred; 1095 1096 #ifdef MAC 1097 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1098 if (error) 1099 goto fail; 1100 #endif 1101 1102 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1103 rgid != oldcred->cr_svgid && 1104 rgid != oldcred->cr_groups[0]) || 1105 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1106 egid != oldcred->cr_svgid && 1107 egid != oldcred->cr_groups[0]) || 1108 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1109 sgid != oldcred->cr_svgid && 1110 sgid != oldcred->cr_groups[0])) && 1111 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1112 goto fail; 1113 1114 crcopy(newcred, oldcred); 1115 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1116 change_egid(newcred, egid); 1117 setsugid(p); 1118 } 1119 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1120 change_rgid(newcred, rgid); 1121 setsugid(p); 1122 } 1123 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1124 change_svgid(newcred, sgid); 1125 setsugid(p); 1126 } 1127 p->p_ucred = newcred; 1128 PROC_UNLOCK(p); 1129 crfree(oldcred); 1130 return (0); 1131 1132 fail: 1133 PROC_UNLOCK(p); 1134 crfree(newcred); 1135 return (error); 1136 } 1137 1138 #ifndef _SYS_SYSPROTO_H_ 1139 struct getresuid_args { 1140 uid_t *ruid; 1141 uid_t *euid; 1142 uid_t *suid; 1143 }; 1144 #endif 1145 /* ARGSUSED */ 1146 int 1147 getresuid(register struct thread *td, struct getresuid_args *uap) 1148 { 1149 struct ucred *cred; 1150 int error1 = 0, error2 = 0, error3 = 0; 1151 1152 cred = td->td_ucred; 1153 if (uap->ruid) 1154 error1 = copyout(&cred->cr_ruid, 1155 uap->ruid, sizeof(cred->cr_ruid)); 1156 if (uap->euid) 1157 error2 = copyout(&cred->cr_uid, 1158 uap->euid, sizeof(cred->cr_uid)); 1159 if (uap->suid) 1160 error3 = copyout(&cred->cr_svuid, 1161 uap->suid, sizeof(cred->cr_svuid)); 1162 return (error1 ? error1 : error2 ? error2 : error3); 1163 } 1164 1165 #ifndef _SYS_SYSPROTO_H_ 1166 struct getresgid_args { 1167 gid_t *rgid; 1168 gid_t *egid; 1169 gid_t *sgid; 1170 }; 1171 #endif 1172 /* ARGSUSED */ 1173 int 1174 getresgid(register struct thread *td, struct getresgid_args *uap) 1175 { 1176 struct ucred *cred; 1177 int error1 = 0, error2 = 0, error3 = 0; 1178 1179 cred = td->td_ucred; 1180 if (uap->rgid) 1181 error1 = copyout(&cred->cr_rgid, 1182 uap->rgid, sizeof(cred->cr_rgid)); 1183 if (uap->egid) 1184 error2 = copyout(&cred->cr_groups[0], 1185 uap->egid, sizeof(cred->cr_groups[0])); 1186 if (uap->sgid) 1187 error3 = copyout(&cred->cr_svgid, 1188 uap->sgid, sizeof(cred->cr_svgid)); 1189 return (error1 ? error1 : error2 ? error2 : error3); 1190 } 1191 1192 #ifndef _SYS_SYSPROTO_H_ 1193 struct issetugid_args { 1194 int dummy; 1195 }; 1196 #endif 1197 /* ARGSUSED */ 1198 int 1199 issetugid(register struct thread *td, struct issetugid_args *uap) 1200 { 1201 struct proc *p = td->td_proc; 1202 1203 /* 1204 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1205 * we use P_SUGID because we consider changing the owners as 1206 * "tainting" as well. 1207 * This is significant for procs that start as root and "become" 1208 * a user without an exec - programs cannot know *everything* 1209 * that libc *might* have put in their data segment. 1210 */ 1211 PROC_LOCK(p); 1212 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1213 PROC_UNLOCK(p); 1214 return (0); 1215 } 1216 1217 int 1218 __setugid(struct thread *td, struct __setugid_args *uap) 1219 { 1220 #ifdef REGRESSION 1221 struct proc *p; 1222 1223 p = td->td_proc; 1224 switch (uap->flag) { 1225 case 0: 1226 PROC_LOCK(p); 1227 p->p_flag &= ~P_SUGID; 1228 PROC_UNLOCK(p); 1229 return (0); 1230 case 1: 1231 PROC_LOCK(p); 1232 p->p_flag |= P_SUGID; 1233 PROC_UNLOCK(p); 1234 return (0); 1235 default: 1236 return (EINVAL); 1237 } 1238 #else /* !REGRESSION */ 1239 1240 return (ENOSYS); 1241 #endif /* REGRESSION */ 1242 } 1243 1244 /* 1245 * Check if gid is a member of the group set. 1246 */ 1247 int 1248 groupmember(gid_t gid, struct ucred *cred) 1249 { 1250 register gid_t *gp; 1251 gid_t *egp; 1252 1253 egp = &(cred->cr_groups[cred->cr_ngroups]); 1254 for (gp = cred->cr_groups; gp < egp; gp++) 1255 if (*gp == gid) 1256 return (1); 1257 return (0); 1258 } 1259 1260 /* 1261 * Test the active securelevel against a given level. securelevel_gt() 1262 * implements (securelevel > level). securelevel_ge() implements 1263 * (securelevel >= level). Note that the logic is inverted -- these 1264 * functions return EPERM on "success" and 0 on "failure". 1265 * 1266 * XXXRW: Possibly since this has to do with privilege, it should move to 1267 * kern_priv.c. 1268 */ 1269 int 1270 securelevel_gt(struct ucred *cr, int level) 1271 { 1272 int active_securelevel; 1273 1274 active_securelevel = securelevel; 1275 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1276 if (cr->cr_prison != NULL) 1277 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1278 active_securelevel); 1279 return (active_securelevel > level ? EPERM : 0); 1280 } 1281 1282 int 1283 securelevel_ge(struct ucred *cr, int level) 1284 { 1285 int active_securelevel; 1286 1287 active_securelevel = securelevel; 1288 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1289 if (cr->cr_prison != NULL) 1290 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1291 active_securelevel); 1292 return (active_securelevel >= level ? EPERM : 0); 1293 } 1294 1295 /* 1296 * 'see_other_uids' determines whether or not visibility of processes 1297 * and sockets with credentials holding different real uids is possible 1298 * using a variety of system MIBs. 1299 * XXX: data declarations should be together near the beginning of the file. 1300 */ 1301 static int see_other_uids = 1; 1302 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1303 &see_other_uids, 0, 1304 "Unprivileged processes may see subjects/objects with different real uid"); 1305 1306 /*- 1307 * Determine if u1 "can see" the subject specified by u2, according to the 1308 * 'see_other_uids' policy. 1309 * Returns: 0 for permitted, ESRCH otherwise 1310 * Locks: none 1311 * References: *u1 and *u2 must not change during the call 1312 * u1 may equal u2, in which case only one reference is required 1313 */ 1314 static int 1315 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1316 { 1317 1318 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1319 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 1320 return (ESRCH); 1321 } 1322 return (0); 1323 } 1324 1325 /* 1326 * 'see_other_gids' determines whether or not visibility of processes 1327 * and sockets with credentials holding different real gids is possible 1328 * using a variety of system MIBs. 1329 * XXX: data declarations should be together near the beginning of the file. 1330 */ 1331 static int see_other_gids = 1; 1332 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1333 &see_other_gids, 0, 1334 "Unprivileged processes may see subjects/objects with different real gid"); 1335 1336 /* 1337 * Determine if u1 can "see" the subject specified by u2, according to the 1338 * 'see_other_gids' policy. 1339 * Returns: 0 for permitted, ESRCH otherwise 1340 * Locks: none 1341 * References: *u1 and *u2 must not change during the call 1342 * u1 may equal u2, in which case only one reference is required 1343 */ 1344 static int 1345 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1346 { 1347 int i, match; 1348 1349 if (!see_other_gids) { 1350 match = 0; 1351 for (i = 0; i < u1->cr_ngroups; i++) { 1352 if (groupmember(u1->cr_groups[i], u2)) 1353 match = 1; 1354 if (match) 1355 break; 1356 } 1357 if (!match) { 1358 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 1359 return (ESRCH); 1360 } 1361 } 1362 return (0); 1363 } 1364 1365 /*- 1366 * Determine if u1 "can see" the subject specified by u2. 1367 * Returns: 0 for permitted, an errno value otherwise 1368 * Locks: none 1369 * References: *u1 and *u2 must not change during the call 1370 * u1 may equal u2, in which case only one reference is required 1371 */ 1372 int 1373 cr_cansee(struct ucred *u1, struct ucred *u2) 1374 { 1375 int error; 1376 1377 if ((error = prison_check(u1, u2))) 1378 return (error); 1379 #ifdef MAC 1380 if ((error = mac_cred_check_visible(u1, u2))) 1381 return (error); 1382 #endif 1383 if ((error = cr_seeotheruids(u1, u2))) 1384 return (error); 1385 if ((error = cr_seeothergids(u1, u2))) 1386 return (error); 1387 return (0); 1388 } 1389 1390 /*- 1391 * Determine if td "can see" the subject specified by p. 1392 * Returns: 0 for permitted, an errno value otherwise 1393 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1394 * should be curthread. 1395 * References: td and p must be valid for the lifetime of the call 1396 */ 1397 int 1398 p_cansee(struct thread *td, struct proc *p) 1399 { 1400 1401 /* Wrap cr_cansee() for all functionality. */ 1402 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1403 PROC_LOCK_ASSERT(p, MA_OWNED); 1404 return (cr_cansee(td->td_ucred, p->p_ucred)); 1405 } 1406 1407 /* 1408 * 'conservative_signals' prevents the delivery of a broad class of 1409 * signals by unprivileged processes to processes that have changed their 1410 * credentials since the last invocation of execve(). This can prevent 1411 * the leakage of cached information or retained privileges as a result 1412 * of a common class of signal-related vulnerabilities. However, this 1413 * may interfere with some applications that expect to be able to 1414 * deliver these signals to peer processes after having given up 1415 * privilege. 1416 */ 1417 static int conservative_signals = 1; 1418 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1419 &conservative_signals, 0, "Unprivileged processes prevented from " 1420 "sending certain signals to processes whose credentials have changed"); 1421 /*- 1422 * Determine whether cred may deliver the specified signal to proc. 1423 * Returns: 0 for permitted, an errno value otherwise. 1424 * Locks: A lock must be held for proc. 1425 * References: cred and proc must be valid for the lifetime of the call. 1426 */ 1427 int 1428 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1429 { 1430 int error; 1431 1432 PROC_LOCK_ASSERT(proc, MA_OWNED); 1433 /* 1434 * Jail semantics limit the scope of signalling to proc in the 1435 * same jail as cred, if cred is in jail. 1436 */ 1437 error = prison_check(cred, proc->p_ucred); 1438 if (error) 1439 return (error); 1440 #ifdef MAC 1441 if ((error = mac_proc_check_signal(cred, proc, signum))) 1442 return (error); 1443 #endif 1444 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1445 return (error); 1446 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1447 return (error); 1448 1449 /* 1450 * UNIX signal semantics depend on the status of the P_SUGID 1451 * bit on the target process. If the bit is set, then additional 1452 * restrictions are placed on the set of available signals. 1453 */ 1454 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1455 switch (signum) { 1456 case 0: 1457 case SIGKILL: 1458 case SIGINT: 1459 case SIGTERM: 1460 case SIGALRM: 1461 case SIGSTOP: 1462 case SIGTTIN: 1463 case SIGTTOU: 1464 case SIGTSTP: 1465 case SIGHUP: 1466 case SIGUSR1: 1467 case SIGUSR2: 1468 /* 1469 * Generally, permit job and terminal control 1470 * signals. 1471 */ 1472 break; 1473 default: 1474 /* Not permitted without privilege. */ 1475 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 1476 if (error) 1477 return (error); 1478 } 1479 } 1480 1481 /* 1482 * Generally, the target credential's ruid or svuid must match the 1483 * subject credential's ruid or euid. 1484 */ 1485 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1486 cred->cr_ruid != proc->p_ucred->cr_svuid && 1487 cred->cr_uid != proc->p_ucred->cr_ruid && 1488 cred->cr_uid != proc->p_ucred->cr_svuid) { 1489 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 1490 if (error) 1491 return (error); 1492 } 1493 1494 return (0); 1495 } 1496 1497 /*- 1498 * Determine whether td may deliver the specified signal to p. 1499 * Returns: 0 for permitted, an errno value otherwise 1500 * Locks: Sufficient locks to protect various components of td and p 1501 * must be held. td must be curthread, and a lock must be 1502 * held for p. 1503 * References: td and p must be valid for the lifetime of the call 1504 */ 1505 int 1506 p_cansignal(struct thread *td, struct proc *p, int signum) 1507 { 1508 1509 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1510 PROC_LOCK_ASSERT(p, MA_OWNED); 1511 if (td->td_proc == p) 1512 return (0); 1513 1514 /* 1515 * UNIX signalling semantics require that processes in the same 1516 * session always be able to deliver SIGCONT to one another, 1517 * overriding the remaining protections. 1518 */ 1519 /* XXX: This will require an additional lock of some sort. */ 1520 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1521 return (0); 1522 /* 1523 * Some compat layers use SIGTHR and higher signals for 1524 * communication between different kernel threads of the same 1525 * process, so that they expect that it's always possible to 1526 * deliver them, even for suid applications where cr_cansignal() can 1527 * deny such ability for security consideration. It should be 1528 * pretty safe to do since the only way to create two processes 1529 * with the same p_leader is via rfork(2). 1530 */ 1531 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1532 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1533 return (0); 1534 1535 return (cr_cansignal(td->td_ucred, p, signum)); 1536 } 1537 1538 /*- 1539 * Determine whether td may reschedule p. 1540 * Returns: 0 for permitted, an errno value otherwise 1541 * Locks: Sufficient locks to protect various components of td and p 1542 * must be held. td must be curthread, and a lock must 1543 * be held for p. 1544 * References: td and p must be valid for the lifetime of the call 1545 */ 1546 int 1547 p_cansched(struct thread *td, struct proc *p) 1548 { 1549 int error; 1550 1551 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1552 PROC_LOCK_ASSERT(p, MA_OWNED); 1553 if (td->td_proc == p) 1554 return (0); 1555 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1556 return (error); 1557 #ifdef MAC 1558 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1559 return (error); 1560 #endif 1561 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1562 return (error); 1563 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1564 return (error); 1565 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1566 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1567 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1568 if (error) 1569 return (error); 1570 } 1571 return (0); 1572 } 1573 1574 /* 1575 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1576 * unprivileged inter-process debugging services, including some procfs 1577 * functionality, ptrace(), and ktrace(). In the past, inter-process 1578 * debugging has been involved in a variety of security problems, and sites 1579 * not requiring the service might choose to disable it when hardening 1580 * systems. 1581 * 1582 * XXX: Should modifying and reading this variable require locking? 1583 * XXX: data declarations should be together near the beginning of the file. 1584 */ 1585 static int unprivileged_proc_debug = 1; 1586 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1587 &unprivileged_proc_debug, 0, 1588 "Unprivileged processes may use process debugging facilities"); 1589 1590 /*- 1591 * Determine whether td may debug p. 1592 * Returns: 0 for permitted, an errno value otherwise 1593 * Locks: Sufficient locks to protect various components of td and p 1594 * must be held. td must be curthread, and a lock must 1595 * be held for p. 1596 * References: td and p must be valid for the lifetime of the call 1597 */ 1598 int 1599 p_candebug(struct thread *td, struct proc *p) 1600 { 1601 int credentialchanged, error, grpsubset, i, uidsubset; 1602 1603 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1604 PROC_LOCK_ASSERT(p, MA_OWNED); 1605 if (!unprivileged_proc_debug) { 1606 error = priv_check(td, PRIV_DEBUG_UNPRIV); 1607 if (error) 1608 return (error); 1609 } 1610 if (td->td_proc == p) 1611 return (0); 1612 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1613 return (error); 1614 #ifdef MAC 1615 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1616 return (error); 1617 #endif 1618 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1619 return (error); 1620 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1621 return (error); 1622 1623 /* 1624 * Is p's group set a subset of td's effective group set? This 1625 * includes p's egid, group access list, rgid, and svgid. 1626 */ 1627 grpsubset = 1; 1628 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1629 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1630 grpsubset = 0; 1631 break; 1632 } 1633 } 1634 grpsubset = grpsubset && 1635 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1636 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1637 1638 /* 1639 * Are the uids present in p's credential equal to td's 1640 * effective uid? This includes p's euid, svuid, and ruid. 1641 */ 1642 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1643 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1644 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1645 1646 /* 1647 * Has the credential of the process changed since the last exec()? 1648 */ 1649 credentialchanged = (p->p_flag & P_SUGID); 1650 1651 /* 1652 * If p's gids aren't a subset, or the uids aren't a subset, 1653 * or the credential has changed, require appropriate privilege 1654 * for td to debug p. 1655 */ 1656 if (!grpsubset || !uidsubset) { 1657 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1658 if (error) 1659 return (error); 1660 } 1661 1662 if (credentialchanged) { 1663 error = priv_check(td, PRIV_DEBUG_SUGID); 1664 if (error) 1665 return (error); 1666 } 1667 1668 /* Can't trace init when securelevel > 0. */ 1669 if (p == initproc) { 1670 error = securelevel_gt(td->td_ucred, 0); 1671 if (error) 1672 return (error); 1673 } 1674 1675 /* 1676 * Can't trace a process that's currently exec'ing. 1677 * 1678 * XXX: Note, this is not a security policy decision, it's a 1679 * basic correctness/functionality decision. Therefore, this check 1680 * should be moved to the caller's of p_candebug(). 1681 */ 1682 if ((p->p_flag & P_INEXEC) != 0) 1683 return (EBUSY); 1684 1685 return (0); 1686 } 1687 1688 /*- 1689 * Determine whether the subject represented by cred can "see" a socket. 1690 * Returns: 0 for permitted, ENOENT otherwise. 1691 */ 1692 int 1693 cr_canseesocket(struct ucred *cred, struct socket *so) 1694 { 1695 int error; 1696 1697 error = prison_check(cred, so->so_cred); 1698 if (error) 1699 return (ENOENT); 1700 #ifdef MAC 1701 SOCK_LOCK(so); 1702 error = mac_socket_check_visible(cred, so); 1703 SOCK_UNLOCK(so); 1704 if (error) 1705 return (error); 1706 #endif 1707 if (cr_seeotheruids(cred, so->so_cred)) 1708 return (ENOENT); 1709 if (cr_seeothergids(cred, so->so_cred)) 1710 return (ENOENT); 1711 1712 return (0); 1713 } 1714 1715 #if defined(INET) || defined(INET6) 1716 /*- 1717 * Determine whether the subject represented by cred can "see" a socket. 1718 * Returns: 0 for permitted, ENOENT otherwise. 1719 */ 1720 int 1721 cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1722 { 1723 int error; 1724 1725 error = prison_check(cred, inp->inp_cred); 1726 if (error) 1727 return (ENOENT); 1728 #ifdef MAC 1729 INP_LOCK_ASSERT(inp); 1730 error = mac_inpcb_check_visible(cred, inp); 1731 if (error) 1732 return (error); 1733 #endif 1734 if (cr_seeotheruids(cred, inp->inp_cred)) 1735 return (ENOENT); 1736 if (cr_seeothergids(cred, inp->inp_cred)) 1737 return (ENOENT); 1738 1739 return (0); 1740 } 1741 #endif 1742 1743 /*- 1744 * Determine whether td can wait for the exit of p. 1745 * Returns: 0 for permitted, an errno value otherwise 1746 * Locks: Sufficient locks to protect various components of td and p 1747 * must be held. td must be curthread, and a lock must 1748 * be held for p. 1749 * References: td and p must be valid for the lifetime of the call 1750 1751 */ 1752 int 1753 p_canwait(struct thread *td, struct proc *p) 1754 { 1755 int error; 1756 1757 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1758 PROC_LOCK_ASSERT(p, MA_OWNED); 1759 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1760 return (error); 1761 #ifdef MAC 1762 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1763 return (error); 1764 #endif 1765 #if 0 1766 /* XXXMAC: This could have odd effects on some shells. */ 1767 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1768 return (error); 1769 #endif 1770 1771 return (0); 1772 } 1773 1774 /* 1775 * Allocate a zeroed cred structure. 1776 */ 1777 struct ucred * 1778 crget(void) 1779 { 1780 register struct ucred *cr; 1781 1782 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1783 refcount_init(&cr->cr_ref, 1); 1784 #ifdef AUDIT 1785 audit_cred_init(cr); 1786 #endif 1787 #ifdef MAC 1788 mac_cred_init(cr); 1789 #endif 1790 return (cr); 1791 } 1792 1793 /* 1794 * Claim another reference to a ucred structure. 1795 */ 1796 struct ucred * 1797 crhold(struct ucred *cr) 1798 { 1799 1800 refcount_acquire(&cr->cr_ref); 1801 return (cr); 1802 } 1803 1804 /* 1805 * Free a cred structure. Throws away space when ref count gets to 0. 1806 */ 1807 void 1808 crfree(struct ucred *cr) 1809 { 1810 1811 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1812 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1813 if (refcount_release(&cr->cr_ref)) { 1814 /* 1815 * Some callers of crget(), such as nfs_statfs(), 1816 * allocate a temporary credential, but don't 1817 * allocate a uidinfo structure. 1818 */ 1819 if (cr->cr_uidinfo != NULL) 1820 uifree(cr->cr_uidinfo); 1821 if (cr->cr_ruidinfo != NULL) 1822 uifree(cr->cr_ruidinfo); 1823 /* 1824 * Free a prison, if any. 1825 */ 1826 if (jailed(cr)) 1827 prison_free(cr->cr_prison); 1828 #ifdef VIMAGE 1829 /* XXX TODO: find out why and when cr_vimage can be NULL here! */ 1830 if (cr->cr_vimage != NULL) 1831 refcount_release(&cr->cr_vimage->vi_ucredrefc); 1832 #endif 1833 #ifdef AUDIT 1834 audit_cred_destroy(cr); 1835 #endif 1836 #ifdef MAC 1837 mac_cred_destroy(cr); 1838 #endif 1839 free(cr, M_CRED); 1840 } 1841 } 1842 1843 /* 1844 * Check to see if this ucred is shared. 1845 */ 1846 int 1847 crshared(struct ucred *cr) 1848 { 1849 1850 return (cr->cr_ref > 1); 1851 } 1852 1853 /* 1854 * Copy a ucred's contents from a template. Does not block. 1855 */ 1856 void 1857 crcopy(struct ucred *dest, struct ucred *src) 1858 { 1859 1860 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1861 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1862 (unsigned)((caddr_t)&src->cr_endcopy - 1863 (caddr_t)&src->cr_startcopy)); 1864 uihold(dest->cr_uidinfo); 1865 uihold(dest->cr_ruidinfo); 1866 if (jailed(dest)) 1867 prison_hold(dest->cr_prison); 1868 #ifdef VIMAGE 1869 KASSERT(src->cr_vimage != NULL, ("cr_vimage == NULL")); 1870 refcount_acquire(&dest->cr_vimage->vi_ucredrefc); 1871 #endif 1872 #ifdef AUDIT 1873 audit_cred_copy(src, dest); 1874 #endif 1875 #ifdef MAC 1876 mac_cred_copy(src, dest); 1877 #endif 1878 } 1879 1880 /* 1881 * Dup cred struct to a new held one. 1882 */ 1883 struct ucred * 1884 crdup(struct ucred *cr) 1885 { 1886 struct ucred *newcr; 1887 1888 newcr = crget(); 1889 crcopy(newcr, cr); 1890 return (newcr); 1891 } 1892 1893 /* 1894 * Fill in a struct xucred based on a struct ucred. 1895 */ 1896 void 1897 cru2x(struct ucred *cr, struct xucred *xcr) 1898 { 1899 1900 bzero(xcr, sizeof(*xcr)); 1901 xcr->cr_version = XUCRED_VERSION; 1902 xcr->cr_uid = cr->cr_uid; 1903 xcr->cr_ngroups = cr->cr_ngroups; 1904 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1905 } 1906 1907 /* 1908 * small routine to swap a thread's current ucred for the correct one taken 1909 * from the process. 1910 */ 1911 void 1912 cred_update_thread(struct thread *td) 1913 { 1914 struct proc *p; 1915 struct ucred *cred; 1916 1917 p = td->td_proc; 1918 cred = td->td_ucred; 1919 PROC_LOCK(p); 1920 td->td_ucred = crhold(p->p_ucred); 1921 PROC_UNLOCK(p); 1922 if (cred != NULL) 1923 crfree(cred); 1924 } 1925 1926 /* 1927 * Get login name, if available. 1928 */ 1929 #ifndef _SYS_SYSPROTO_H_ 1930 struct getlogin_args { 1931 char *namebuf; 1932 u_int namelen; 1933 }; 1934 #endif 1935 /* ARGSUSED */ 1936 int 1937 getlogin(struct thread *td, struct getlogin_args *uap) 1938 { 1939 int error; 1940 char login[MAXLOGNAME]; 1941 struct proc *p = td->td_proc; 1942 1943 if (uap->namelen > MAXLOGNAME) 1944 uap->namelen = MAXLOGNAME; 1945 PROC_LOCK(p); 1946 SESS_LOCK(p->p_session); 1947 bcopy(p->p_session->s_login, login, uap->namelen); 1948 SESS_UNLOCK(p->p_session); 1949 PROC_UNLOCK(p); 1950 error = copyout(login, uap->namebuf, uap->namelen); 1951 return(error); 1952 } 1953 1954 /* 1955 * Set login name. 1956 */ 1957 #ifndef _SYS_SYSPROTO_H_ 1958 struct setlogin_args { 1959 char *namebuf; 1960 }; 1961 #endif 1962 /* ARGSUSED */ 1963 int 1964 setlogin(struct thread *td, struct setlogin_args *uap) 1965 { 1966 struct proc *p = td->td_proc; 1967 int error; 1968 char logintmp[MAXLOGNAME]; 1969 1970 error = priv_check(td, PRIV_PROC_SETLOGIN); 1971 if (error) 1972 return (error); 1973 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1974 if (error == ENAMETOOLONG) 1975 error = EINVAL; 1976 else if (!error) { 1977 PROC_LOCK(p); 1978 SESS_LOCK(p->p_session); 1979 (void) memcpy(p->p_session->s_login, logintmp, 1980 sizeof(logintmp)); 1981 SESS_UNLOCK(p->p_session); 1982 PROC_UNLOCK(p); 1983 } 1984 return (error); 1985 } 1986 1987 void 1988 setsugid(struct proc *p) 1989 { 1990 1991 PROC_LOCK_ASSERT(p, MA_OWNED); 1992 p->p_flag |= P_SUGID; 1993 if (!(p->p_pfsflags & PF_ISUGID)) 1994 p->p_stops = 0; 1995 } 1996 1997 /*- 1998 * Change a process's effective uid. 1999 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2000 * References: newcred must be an exclusive credential reference for the 2001 * duration of the call. 2002 */ 2003 void 2004 change_euid(struct ucred *newcred, struct uidinfo *euip) 2005 { 2006 2007 newcred->cr_uid = euip->ui_uid; 2008 uihold(euip); 2009 uifree(newcred->cr_uidinfo); 2010 newcred->cr_uidinfo = euip; 2011 } 2012 2013 /*- 2014 * Change a process's effective gid. 2015 * Side effects: newcred->cr_gid will be modified. 2016 * References: newcred must be an exclusive credential reference for the 2017 * duration of the call. 2018 */ 2019 void 2020 change_egid(struct ucred *newcred, gid_t egid) 2021 { 2022 2023 newcred->cr_groups[0] = egid; 2024 } 2025 2026 /*- 2027 * Change a process's real uid. 2028 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2029 * will be updated, and the old and new cr_ruidinfo proc 2030 * counts will be updated. 2031 * References: newcred must be an exclusive credential reference for the 2032 * duration of the call. 2033 */ 2034 void 2035 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2036 { 2037 2038 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2039 newcred->cr_ruid = ruip->ui_uid; 2040 uihold(ruip); 2041 uifree(newcred->cr_ruidinfo); 2042 newcred->cr_ruidinfo = ruip; 2043 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2044 } 2045 2046 /*- 2047 * Change a process's real gid. 2048 * Side effects: newcred->cr_rgid will be updated. 2049 * References: newcred must be an exclusive credential reference for the 2050 * duration of the call. 2051 */ 2052 void 2053 change_rgid(struct ucred *newcred, gid_t rgid) 2054 { 2055 2056 newcred->cr_rgid = rgid; 2057 } 2058 2059 /*- 2060 * Change a process's saved uid. 2061 * Side effects: newcred->cr_svuid will be updated. 2062 * References: newcred must be an exclusive credential reference for the 2063 * duration of the call. 2064 */ 2065 void 2066 change_svuid(struct ucred *newcred, uid_t svuid) 2067 { 2068 2069 newcred->cr_svuid = svuid; 2070 } 2071 2072 /*- 2073 * Change a process's saved gid. 2074 * Side effects: newcred->cr_svgid will be updated. 2075 * References: newcred must be an exclusive credential reference for the 2076 * duration of the call. 2077 */ 2078 void 2079 change_svgid(struct ucred *newcred, gid_t svgid) 2080 { 2081 2082 newcred->cr_svgid = svgid; 2083 } 2084