1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
 * $FreeBSD$
 */

/*
 * System calls related to processes and protection
 */

#include "opt_compat.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/acct.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sx.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/jail.h>
#include <sys/pioctl.h>
#include <sys/resourcevar.h>
#include <sys/sysctl.h>

static MALLOC_DEFINE(M_CRED, "cred", "credentials");

SYSCTL_DECL(_security);
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
    "BSD security policy");

#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * getpid(2): return the caller's pid in td_retval[0].  With COMPAT_43 or
 * COMPAT_SUNOS the parent's pid is returned in td_retval[1] as well; that
 * read of p_pptr is done under the proc lock (p_pid itself is read
 * unlocked).  Always returns 0.
 */
/* ARGSUSED */
int
getpid(td, uap)
	struct thread *td;
	struct getpid_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	/* s is whatever mtx_lock_giant() hands back; it is passed to the unlock. */
	s = mtx_lock_giant(kern_giant_proc);
	td->td_retval[0] = p->p_pid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	PROC_LOCK(p);
	td->td_retval[1] = p->p_pptr->p_pid;
	PROC_UNLOCK(p);
#endif
	mtx_unlock_giant(s);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getppid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * getppid(2): return the parent's pid in td_retval[0]; p_pptr is read
 * under the proc lock.  Always returns 0.
 */
/* ARGSUSED */
int
getppid(td, uap)
	struct thread *td;
	struct getppid_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(p);
	td->td_retval[0] = p->p_pptr->p_pid;
	PROC_UNLOCK(p);
	mtx_unlock_giant(s);
	return (0);
}

/*
 * Get process group ID; note that POSIX getpgrp takes no parameter.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgrp_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * getpgrp(2): return the caller's process group id (p_pgrp->pg_id, read
 * under the proc lock) in td_retval[0].  Always returns 0.
 */
int
getpgrp(td, uap)
	struct thread *td;
	struct getpgrp_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(p);
	td->td_retval[0] = p->p_pgrp->pg_id;
	PROC_UNLOCK(p);
	mtx_unlock_giant(s);
	return (0);
}

/* Get an arbitrary pid's process group id */
#ifndef _SYS_SYSPROTO_H_
struct getpgid_args {
	pid_t	pid;
};
#endif
/*
 * MPSAFE
 *
 * getpgid(2): uap->pid == 0 means the caller.  Any other pid is looked up
 * with pfind() (which hands the target back locked -- note the unlock
 * below); a pid that does not exist yields ESRCH, and one the caller may
 * not see yields whatever p_cansee() returned.  On success the group id
 * is in td_retval[0] and the return value is 0.
 */
int
getpgid(td, uap)
	struct thread *td;
	struct getpgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct proc *pt;
	int error, s;

	s = mtx_lock_giant(kern_giant_proc);
	error = 0;
	if (uap->pid == 0) {
		PROC_LOCK(p);
		td->td_retval[0] = p->p_pgrp->pg_id;
		PROC_UNLOCK(p);
	} else if ((pt = pfind(uap->pid)) == NULL)
		error = ESRCH;
	else {
		/* Visibility check before leaking anything about pt. */
		error = p_cansee(p, pt);
		if (error == 0)
			td->td_retval[0] = pt->p_pgrp->pg_id;
		PROC_UNLOCK(pt);
	}
	mtx_unlock_giant(s);
	return (error);
}

/*
 * Get an arbitrary pid's session id.
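*/
#ifndef _SYS_SYSPROTO_H_
struct getsid_args {
	pid_t	pid;
};
#endif
/*
 * MPSAFE
 *
 * getsid(2): uap->pid == 0 means the caller.  Any other pid is looked up
 * with pfind() (which hands the target back locked -- note the unlock
 * below); a pid that does not exist yields ESRCH, and one the caller may
 * not see yields whatever p_cansee() returned.  On success the session id
 * is in td_retval[0] and the return value is 0.
 */
int
getsid(td, uap)
	struct thread *td;
	struct getsid_args *uap;
{
	struct proc *p = td->td_proc;
	struct proc *pt;
	int error;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	error = 0;
	if (uap->pid == 0) {
		PROC_LOCK(p);
		td->td_retval[0] = p->p_session->s_sid;
		PROC_UNLOCK(p);
	} else if ((pt = pfind(uap->pid)) == NULL)
		error = ESRCH;
	else {
		/* Visibility check before leaking anything about pt. */
		error = p_cansee(p, pt);
		if (error == 0)
			td->td_retval[0] = pt->p_session->s_sid;
		PROC_UNLOCK(pt);
	}
	mtx_unlock_giant(s);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct getuid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * getuid(2): return the real uid (cr_ruid) in td_retval[0]; with COMPAT_43
 * or COMPAT_SUNOS the effective uid is returned in td_retval[1] as well.
 * Always returns 0.
 */
/* ARGSUSED */
int
getuid(td, uap)
	struct thread *td;
	struct getuid_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_ucred->cr_ruid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = p->p_ucred->cr_uid;
#endif
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct geteuid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * geteuid(2): return the effective uid (cr_uid) in td_retval[0].
 * Always returns 0.
 */
/* ARGSUSED */
int
geteuid(td, uap)
	struct thread *td;
	struct geteuid_args *uap;
{
	mtx_lock(&Giant);
	td->td_retval[0] = td->td_proc->p_ucred->cr_uid;
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * getgid(2): return the real gid (cr_rgid) in td_retval[0]; with COMPAT_43
 * or COMPAT_SUNOS the effective gid (cr_groups[0]) is returned in
 * td_retval[1] as well.  Always returns 0.
 */
/* ARGSUSED */
int
getgid(td, uap)
	struct thread *td;
	struct getgid_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_ucred->cr_rgid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = p->p_ucred->cr_groups[0];
#endif
	mtx_unlock(&Giant);
	return (0);
}

/*
 * Get effective group ID.  The "egid" is groups[0], and could be obtained
 * via getgroups.  This syscall exists because it is somewhat painful to do
 * correctly in a library function.
 */
#ifndef _SYS_SYSPROTO_H_
struct getegid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * getegid(2): return cr_groups[0] in td_retval[0].  Always returns 0.
 */
/* ARGSUSED */
int
getegid(td, uap)
	struct thread *td;
	struct getegid_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_ucred->cr_groups[0];
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * MPSAFE
 *
 * getgroups(2): copy the caller's group vector (cr_groups, egid in slot 0)
 * out to uap->gidset.  gidsetsize == 0 only reports cr_ngroups in
 * td_retval[0]; a buffer with fewer than cr_ngroups entries is rejected
 * with EINVAL before anything is copied.  Otherwise exactly cr_ngroups
 * entries are copied and that count is returned in td_retval[0].
 * Returns 0 or the copyout() error.
 */
int
getgroups(td, uap)
	struct thread *td;
	register struct getgroups_args *uap;
{
	struct ucred *cred;
	struct proc *p = td->td_proc;
	u_int ngrp;
	int error;

	mtx_lock(&Giant);
	error = 0;
	cred = p->p_ucred;
	if ((ngrp = uap->gidsetsize) == 0) {
		td->td_retval[0] = cred->cr_ngroups;
		goto done2;
	}
	if (ngrp < cred->cr_ngroups) {
		error = EINVAL;
		goto done2;
	}
	/* Copy only what we hold, never the caller's (larger) gidsetsize. */
	ngrp = cred->cr_ngroups;
	if ((error = copyout((caddr_t)cred->cr_groups,
	    (caddr_t)uap->gidset, ngrp * sizeof(gid_t))))
		goto done2;
	td->td_retval[0] = ngrp;
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setsid_args {
	int dummy;
};
#endif
/*
 * MPSAFE
 *
 * setsid(2): make the caller the leader of a new session and of a new
 * process group, both numbered p_pid.  EPERM if the caller already leads
 * a process group (p_pgid == p_pid) or a group with its pid exists.  The
 * new pgrp and session are allocated with M_WAITOK before PGRPSESS_XLOCK()
 * is taken; they are freed on the failure path and kept (handed to
 * enterpgrp()) on success.  Returns 0 or EPERM; the pid is in td_retval[0]
 * on success.
 */
/* ARGSUSED */
int
setsid(td, uap)
	register struct thread *td;
	struct setsid_args *uap;
{
	struct pgrp *pgrp;
	int error;
	struct proc *p = td->td_proc;
	struct pgrp *newpgrp;
	struct session *newsess;

	error = 0;
	pgrp = NULL;

	mtx_lock(&Giant);

	MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
	MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);

	PGRPSESS_XLOCK();

	if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
		/* pgfind() returns the pgrp locked; drop it before bailing. */
		if (pgrp != NULL)
			PGRP_UNLOCK(pgrp);
		error = EPERM;
		goto fail;
	} else {
		(void)enterpgrp(p, p->p_pid, newpgrp, newsess);
		td->td_retval[0] = p->p_pid;
		error = 0;
	}
	PGRPSESS_XUNLOCK();
	mtx_unlock(&Giant);
	return (0);

fail:
	PGRPSESS_XUNLOCK();

	FREE(newpgrp, M_PGRP);
	FREE(newsess, M_SESSION);

	mtx_unlock(&Giant);
	/*
	 * Report the EPERM.  This path used to return 0, so a process group
	 * leader calling setsid() was told it succeeded although nothing
	 * changed.
	 */
	return (error);
}

/*
 * set process group (setpgid/old setpgrp)
 *
 * caller does setpgid(targpid, targpgid)
 *
 * pid must be caller or child of caller (ESRCH)
 * if a child
 *	pid must be in same session (EPERM)
 *	pid can't have done an exec (EACCES)
 * if pgid != pid
 * 	there must exist some pid in same session having pgid (EPERM)
 * pid must not be session leader (EPERM)
 */
#ifndef _SYS_SYSPROTO_H_
struct setpgid_args {
	int	pid;		/* target process id */
	int	pgid;		/* target pgrp id */
};
#endif
/*
 * MPSAFE
 *
 * Locking: Giant, then PGRPSESS_XLOCK() for the whole pgrp/session
 * manipulation; proctree_lock is held shared only around pfind() and
 * inferior() when the target is not the caller.  A spare pgrp is
 * allocated up front (M_WAITOK) so nothing is allocated under the lock;
 * it is freed on every path unless enterpgrp() consumed it.
 * Returns 0, EINVAL, ESRCH, EPERM, EACCES, or the p_cansee() /
 * enterpgrp() / enterthispgrp() error.
 */
/* ARGSUSED */
int
setpgid(td, uap)
	struct thread *td;
	register struct setpgid_args *uap;
{
	struct proc *curp = td->td_proc;
	register struct proc *targp;	/* target process */
	register struct pgrp *pgrp;	/* target pgrp */
	int error;
	struct pgrp *newpgrp;

	if (uap->pgid < 0)
		return (EINVAL);

	error = 0;

	mtx_lock(&Giant);

	MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);

	PGRPSESS_XLOCK();

	if (uap->pid != 0 && uap->pid != curp->p_pid) {
		sx_slock(&proctree_lock);
		/* pfind() returns the target locked, or NULL (nothing to unlock). */
		if ((targp = pfind(uap->pid)) == NULL) {
			sx_sunlock(&proctree_lock);
			error = ESRCH;
			goto fail;
		}
		if (!inferior(targp)) {
			PROC_UNLOCK(targp);
			sx_sunlock(&proctree_lock);
			error = ESRCH;
			goto fail;
		}
		sx_sunlock(&proctree_lock);
		/* curp is td->td_proc, i.e. curproc; use the local consistently. */
		if ((error = p_cansee(curp, targp))) {
			PROC_UNLOCK(targp);
			goto fail;
		}
		if (targp->p_pgrp == NULL ||
		    targp->p_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto fail;
		}
		if (targp->p_flag & P_EXEC) {
			PROC_UNLOCK(targp);
			error = EACCES;
			goto fail;
		}
		PROC_UNLOCK(targp);
	} else
		targp = curp;
	if (SESS_LEADER(targp)) {
		error = EPERM;
		goto fail;
	}
	if (uap->pgid == 0)
		uap->pgid = targp->p_pid;
	if (uap->pgid == targp->p_pid) {
		if (targp->p_pgid == uap->pgid)
			goto done;
		error = enterpgrp(targp, uap->pgid, newpgrp, NULL);
		if (error == 0)
			newpgrp = NULL;		/* consumed by enterpgrp() */
	} else {
		if ((pgrp = pgfind(uap->pgid)) == NULL ||
		    pgrp->pg_session != curp->p_session) {
			if (pgrp != NULL)
				PGRP_UNLOCK(pgrp);
			error = EPERM;
			goto fail;
		}
		if (pgrp == targp->p_pgrp) {
			PGRP_UNLOCK(pgrp);
			goto done;
		}
		PGRP_UNLOCK(pgrp);
		error = enterthispgrp(targp, pgrp);
	}
done:
	PGRPSESS_XUNLOCK();
	if (newpgrp != NULL)
		FREE(newpgrp, M_PGRP);
	mtx_unlock(&Giant);
	/*
	 * error is 0 on the "already in that group" paths (every earlier
	 * failure went to fail:) and otherwise carries the enterpgrp() /
	 * enterthispgrp() result, which used to be discarded here.
	 */
	return (error);

fail:
	PGRPSESS_XUNLOCK();

	KASSERT(newpgrp != NULL, ("setpgid failed and newpgrp is null."));
	KASSERT(error != 0, ("setpgid successfully failed?"));
	FREE(newpgrp, M_PGRP);

	mtx_unlock(&Giant);
	return (error);
}

/*
 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
 * compatible.  It says that setting the uid/gid to euid/egid is a special
 * case of "appropriate privilege".  Once the rules are expanded out, this
 * basically means that setuid(nnn) sets all three id's, in all permitted
 * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
 * does not set the saved id - this is dangerous for traditional BSD
 * programs.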
For this reason, we *really* do not want to set
 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
 */
#define POSIX_APPENDIX_B_4_2_2

#ifndef _SYS_SYSPROTO_H_
struct setuid_args {
	uid_t	uid;
};
#endif
/*
 * MPSAFE
 *
 * setuid(2).  Without privilege the new uid must equal the real uid (or,
 * under POSIX_APPENDIX_B_4_2_2, the effective uid; under _POSIX_SAVED_IDS
 * also the saved uid); anything else needs suser_xxx() with PRISON_ROOT
 * and yields its EPERM.  The credential is never modified in place: a
 * crdup() copy is changed and swapped into p_ucred, and setsugid() marks
 * the process whenever any id actually changes.  Note that the braces
 * below are an unconditional block unless _POSIX_SAVED_IDS is defined,
 * so by default the real and saved uids always follow the new uid.
 */
/* ARGSUSED */
int
setuid(td, uap)
	struct thread *td;
	struct setuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t uid;
	int error;

	uid = uap->uid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setuid(geteuid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setuid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * Notes on the logic.  We do things in three steps.
	 * 1: We determine if the euid is going to change, and do EPERM
	 *    right away.  We unconditionally change the euid later if this
	 *    test is satisfied, simplifying that part of the logic.
	 * 2: We determine if the real and/or saved uids are going to
	 *    change.  Determined by compile options.
	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
	 */
	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
#ifdef _POSIX_SAVED_IDS
	    uid != oldcred->cr_svuid &&		/* allow setuid(saved uid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
#endif
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;

	newcred = crdup(oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or uid == euid)
	 * If so, we are changing the real uid and/or saved uid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
	    uid == oldcred->cr_uid ||
#endif
	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set the real uid and transfer proc count to new user.
		 */
		if (uid != oldcred->cr_ruid) {
			change_ruid(newcred, uid);
			setsugid(p);
		}
		/*
		 * Set saved uid
		 *
		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
		 * the security of seteuid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (uid != oldcred->cr_svuid) {
			change_svuid(newcred, uid);
			setsugid(p);
		}
	}

	/*
	 * In all permitted cases, we are changing the euid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (uid != oldcred->cr_uid) {
		change_euid(newcred, uid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct seteuid_args {
	uid_t	euid;
};
#endif
/*
 * MPSAFE
 *
 * seteuid(2): change only the effective uid.  Permitted without privilege
 * when euid equals the real or the saved uid; otherwise suser_xxx() with
 * PRISON_ROOT must succeed.  The change is made on a crdup() copy that is
 * swapped into p_ucred, and setsugid() is called if cr_uid actually changes.
 * Returns 0 or EPERM.
 */
/* ARGSUSED */
int
seteuid(td, uap)
	struct thread *td;
	struct seteuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid;
	int error;

	euid = uap->euid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	/*
	 * Everything's okay, do it.  Copy credentials so other references do
	 * not see our changes.
	 */
	newcred = crdup(oldcred);
	if (oldcred->cr_uid != euid) {
		change_euid(newcred, euid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgid_args {
	gid_t	gid;
};
#endif
/*
 * MPSAFE
 *
 * setgid(2): gid counterpart of setuid() above; the effective gid lives in
 * cr_groups[0].  Without privilege the new gid must equal the real gid
 * (or, under POSIX_APPENDIX_B_4_2_2, cr_groups[0]; under _POSIX_SAVED_IDS
 * also the saved gid).  As in setuid(), the braced block is unconditional
 * unless _POSIX_SAVED_IDS is defined.  Returns 0 or EPERM.
 */
/* ARGSUSED */
int
setgid(td, uap)
	struct thread *td;
	struct setgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t gid;
	int error;

	gid = uap->gid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setgid(getegid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setgid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * For notes on the logic here, see setuid() above.
	 */
	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
#ifdef _POSIX_SAVED_IDS
	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    gid != oldcred->cr_groups[0] &&	/* allow setgid(getegid()) */
#endif
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;

	newcred = crdup(oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or gid == egid)
	 * If so, we are changing the real gid and saved gid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
	    gid == oldcred->cr_groups[0] ||
#endif
	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set real gid
		 */
		if (oldcred->cr_rgid != gid) {
			change_rgid(newcred, gid);
			setsugid(p);
		}
		/*
		 * Set saved gid
		 *
		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
		 * the security of setegid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (oldcred->cr_svgid != gid) {
			change_svgid(newcred, gid);
			setsugid(p);
		}
	}
	/*
	 * In all permitted cases, we are changing the egid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (oldcred->cr_groups[0] != gid) {
		change_egid(newcred, gid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setegid_args {
	gid_t	egid;
};
#endif
/*
 * MPSAFE
 *
 * setegid(2): change only the effective gid (cr_groups[0]).  Permitted
 * without privilege when egid equals the real or the saved gid; otherwise
 * suser_xxx() with PRISON_ROOT must succeed.  Returns 0 or EPERM.
 */
/* ARGSUSED */
int
setegid(td, uap)
	struct thread *td;
	struct setegid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid;
	int error;

	egid = uap->egid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * MPSAFE
 */
/* ARGSUSED */
/*
 * setgroups(2): replace the group vector.  Requires suser_xxx() with
 * PRISON_ROOT; more than NGROUPS entries is EINVAL.  The vector is read
 * with copyin() straight into a crdup() copy, which is dropped again if
 * the copy fails, so the live credential is never half-written.
 * gidsetsize 0 leaves cr_groups[0] (the egid) in place and sets
 * cr_ngroups to 1.  setsugid() is called unconditionally on success.
 * Returns 0, EPERM, EINVAL or the copyin() error.
 */
int
setgroups(td, uap)
	struct thread *td;
	struct setgroups_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	u_int ngrp;
	int error;

	ngrp = uap->gidsetsize;
	mtx_lock(&Giant);
	oldcred = p->p_ucred;
	if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	/* Bounds the copyin() below to the cr_groups array. */
	if (ngrp > NGROUPS) {
		error = EINVAL;
		goto done2;
	}
	/*
	 * XXX A little bit lazy here.  We could test if anything has
	 * changed before crcopy() and setting P_SUGID.
	 */
	newcred = crdup(oldcred);
	if (ngrp < 1) {
		/*
		 * setgroups(0, NULL) is a legitimate way of clearing the
		 * groups vector on non-BSD systems (which generally do not
		 * have the egid in the groups[0]).  We risk security holes
		 * when running non-BSD software if we do not do the same.
		 */
		newcred->cr_ngroups = 1;
	} else {
		if ((error = copyin((caddr_t)uap->gidset,
		    (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
			crfree(newcred);
			goto done2;
		}
		newcred->cr_ngroups = ngrp;
	}
	setsugid(p);
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setreuid_args {
	uid_t	ruid;
	uid_t	euid;
};
#endif
/*
 * MPSAFE
 *
 * setreuid(2): (uid_t)-1 leaves an id untouched.  Without privilege the
 * new ruid must be the current real or saved uid and the new euid the
 * current effective, real or saved uid; otherwise suser_xxx() with
 * PRISON_ROOT must succeed.  The saved uid is set to the resulting
 * effective uid when a real uid was given, or when the resulting effective
 * and real uids differ.  Changes go through a crdup() copy and each real
 * change calls setsugid().  Returns 0 or EPERM.
 */
/* ARGSUSED */
int
setreuid(td, uap)
	register struct thread *td;
	struct setreuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid, ruid;
	int error;

	euid = uap->euid;
	ruid = uap->ruid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
	      ruid != oldcred->cr_svuid) ||
	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
		change_euid(newcred, euid);
		setsugid(p);
	}
	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
		change_ruid(newcred, ruid);
		setsugid(p);
	}
	/* Saved uid follows the new euid; tested against newcred, not oldcred. */
	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
	    newcred->cr_svuid != newcred->cr_uid) {
		change_svuid(newcred, newcred->cr_uid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setregid_args {
	gid_t	rgid;
	gid_t	egid;
};
#endif
/*
 * MPSAFE
 *
 * setregid(2): gid counterpart of setreuid(); the effective gid is
 * cr_groups[0] and (gid_t)-1 leaves an id untouched.  Same privilege rule
 * and same saved-id rule as setreuid().  Returns 0 or EPERM.
 */
/* ARGSUSED */
int
setregid(td, uap)
	register struct thread *td;
	struct setregid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid, rgid;
	int error;

	egid = uap->egid;
	rgid = uap->rgid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
	    rgid != oldcred->cr_svgid) ||
	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
	     egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
		change_rgid(newcred, rgid);
		setsugid(p);
	}
	/* Saved gid follows the new egid; tested against newcred, not oldcred. */
	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
	    newcred->cr_svgid != newcred->cr_groups[0]) {
		change_svgid(newcred, newcred->cr_groups[0]);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

/*
 * setresuid(ruid, euid, suid) is like setreuid except control over the
 * saved uid is explicit.
990 */ 991 992 #ifndef _SYS_SYSPROTO_H_ 993 struct setresuid_args { 994 uid_t ruid; 995 uid_t euid; 996 uid_t suid; 997 }; 998 #endif 999 /* 1000 * MPSAFE 1001 */ 1002 /* ARGSUSED */ 1003 int 1004 setresuid(td, uap) 1005 register struct thread *td; 1006 struct setresuid_args *uap; 1007 { 1008 struct proc *p = td->td_proc; 1009 struct ucred *newcred, *oldcred; 1010 uid_t euid, ruid, suid; 1011 int error; 1012 1013 euid = uap->euid; 1014 ruid = uap->ruid; 1015 suid = uap->suid; 1016 mtx_lock(&Giant); 1017 oldcred = p->p_ucred; 1018 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1019 ruid != oldcred->cr_svuid && 1020 ruid != oldcred->cr_uid) || 1021 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1022 euid != oldcred->cr_svuid && 1023 euid != oldcred->cr_uid) || 1024 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1025 suid != oldcred->cr_svuid && 1026 suid != oldcred->cr_uid)) && 1027 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1028 goto done2; 1029 newcred = crdup(oldcred); 1030 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1031 change_euid(newcred, euid); 1032 setsugid(p); 1033 } 1034 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1035 change_ruid(newcred, ruid); 1036 setsugid(p); 1037 } 1038 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1039 change_svuid(newcred, suid); 1040 setsugid(p); 1041 } 1042 p->p_ucred = newcred; 1043 crfree(oldcred); 1044 error = 0; 1045 done2: 1046 mtx_unlock(&Giant); 1047 return (error); 1048 } 1049 1050 /* 1051 * setresgid(rgid, egid, sgid) is like setregid except control over the 1052 * saved gid is explicit. 
*/

#ifndef _SYS_SYSPROTO_H_
struct setresgid_args {
	gid_t	rgid;
	gid_t	egid;
	gid_t	sgid;
};
#endif
/*
 * MPSAFE
 *
 * setresgid(2): gid counterpart of setresuid(); the effective gid is
 * cr_groups[0] and (gid_t)-1 leaves an id untouched.  Same privilege rule:
 * each given id must be one of the current real/effective/saved gids or
 * suser_xxx() with PRISON_ROOT must succeed.  error is only assigned on
 * the privileged path before done2, so the success path sets it to 0
 * explicitly.  Returns 0 or EPERM.
 */
/* ARGSUSED */
int
setresgid(td, uap)
	register struct thread *td;
	struct setresgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid, rgid, sgid;
	int error;

	egid = uap->egid;
	rgid = uap->rgid;
	sgid = uap->sgid;
	mtx_lock(&Giant);
	oldcred = p->p_ucred;
	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
	      rgid != oldcred->cr_svgid &&
	      rgid != oldcred->cr_groups[0]) ||
	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
	      egid != oldcred->cr_svgid &&
	      egid != oldcred->cr_groups[0]) ||
	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
	      sgid != oldcred->cr_svgid &&
	      sgid != oldcred->cr_groups[0])) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
		change_rgid(newcred, rgid);
		setsugid(p);
	}
	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
		change_svgid(newcred, sgid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
	error = 0;
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct getresuid_args {
	uid_t	*ruid;
	uid_t	*euid;
	uid_t	*suid;
};
#endif
/*
 * MPSAFE
 *
 * getresuid(2): copy out whichever of the real, effective and saved uids
 * the caller supplied a non-NULL pointer for.  All three copyouts are
 * attempted; the first non-zero error, in ruid/euid/suid order, is returned.
 */
/* ARGSUSED */
int
getresuid(td, uap)
	register struct thread *td;
	struct getresuid_args *uap;
{
	struct ucred *cred;
	struct proc *p = td->td_proc;
	int error1 = 0, error2 = 0, error3 = 0;

	mtx_lock(&Giant);
	cred = p->p_ucred;
	if (uap->ruid)
		error1 = copyout((caddr_t)&cred->cr_ruid,
		    (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
	if (uap->euid)
		error2 = copyout((caddr_t)&cred->cr_uid,
		    (caddr_t)uap->euid, sizeof(cred->cr_uid));
	if (uap->suid)
		error3 = copyout((caddr_t)&cred->cr_svuid,
		    (caddr_t)uap->suid, sizeof(cred->cr_svuid));
	mtx_unlock(&Giant);
	return (error1 ? error1 : error2 ? error2 : error3);
}

#ifndef _SYS_SYSPROTO_H_
struct getresgid_args {
	gid_t	*rgid;
	gid_t	*egid;
	gid_t	*sgid;
};
#endif
/*
 * MPSAFE
 *
 * getresgid(2): gid counterpart of getresuid(); the effective gid comes
 * from cr_groups[0].  First non-zero copyout() error, in rgid/egid/sgid
 * order, is returned.
 */
/* ARGSUSED */
int
getresgid(td, uap)
	register struct thread *td;
	struct getresgid_args *uap;
{
	struct ucred *cred;
	struct proc *p = td->td_proc;
	int error1 = 0, error2 = 0, error3 = 0;

	mtx_lock(&Giant);
	cred = p->p_ucred;
	if (uap->rgid)
		error1 = copyout((caddr_t)&cred->cr_rgid,
		    (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
	if (uap->egid)
		error2 = copyout((caddr_t)&cred->cr_groups[0],
		    (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
	if (uap->sgid)
		error3 = copyout((caddr_t)&cred->cr_svgid,
		    (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
	mtx_unlock(&Giant);
	return (error1 ? error1 : error2 ? error2 : error3);
}

#ifndef _SYS_SYSPROTO_H_
struct issetugid_args {
	int dummy;
};
#endif
/*
 * NOT MPSAFE?
 *
 * issetugid(2): report in td_retval[0] whether P_SUGID is set on the
 * caller, i.e. whether any of the set*id calls above (via setsugid()) or
 * exec has tainted its credentials.  Only the proc lock is taken; Giant
 * is not.  Always returns 0.
 */
/* ARGSUSED */
int
issetugid(td, uap)
	register struct thread *td;
	struct issetugid_args *uap;
{
	struct proc *p = td->td_proc;

	/*
	 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
	 * we use P_SUGID because we consider changing the owners as
	 * "tainting" as well.
	 * This is significant for procs that start as root and "become"
	 * a user without an exec - programs cannot know *everything*
	 * that libc *might* have put in their data segment.
	 */
	PROC_LOCK(p);
	td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
	PROC_UNLOCK(p);
	return (0);
}

/*
 * MPSAFE
 *
 * __setugid(): REGRESSION-only hook to clear (flag 0) or set (flag 1)
 * P_SUGID on the calling process, for testing issetugid().  Any other
 * flag is EINVAL.  Compiled without REGRESSION the call is ENOSYS.
 */
int
__setugid(td, uap)
	struct thread *td;
	struct __setugid_args *uap;
{
#ifdef REGRESSION
	int error;

	mtx_lock(&Giant);
	error = 0;
	switch (uap->flag) {
	case 0:
		PROC_LOCK(td->td_proc);
		td->td_proc->p_flag &= ~P_SUGID;
		PROC_UNLOCK(td->td_proc);
		break;
	case 1:
		PROC_LOCK(td->td_proc);
		td->td_proc->p_flag |= P_SUGID;
		PROC_UNLOCK(td->td_proc);
		break;
	default:
		error = EINVAL;
		break;
	}
	mtx_unlock(&Giant);
	return (error);
#else /* !REGRESSION */

	return (ENOSYS);
#endif /* REGRESSION */
}

/*
 * Check if gid is a member of the group set.
 *
 * Linear scan of cr_groups[0 .. cr_ngroups); since slot 0 holds the
 * effective gid, the egid always counts as a member.  Returns 1 if found,
 * 0 otherwise.
 */
int
groupmember(gid, cred)
	gid_t gid;
	struct ucred *cred;
{
	register gid_t *gp;
	gid_t *egp;

	egp = &(cred->cr_groups[cred->cr_ngroups]);
	for (gp = cred->cr_groups; gp < egp; gp++)
		if (*gp == gid)
			return (1);
	return (0);
}

/*
 * `suser_enabled' (which can be set by the security.suser_enabled
 * sysctl) determines whether the system 'super-user' policy is in effect.
 * If it is nonzero, an effective uid of 0 connotes special privilege,
 * overriding many mandatory and discretionary protections.  If it is zero,
 * uid 0 is offered no special privilege in the kernel security policy.
 * Setting it to zero may seriously impact the functionality of many
 * existing userland programs, and should not be done without careful
 * consideration of the consequences.
1276 */ 1277 int suser_enabled = 1; 1278 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1279 &suser_enabled, 0, "processes with uid 0 have privilege"); 1280 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1281 1282 /* 1283 * Test whether the specified credentials imply "super-user" privilege. 1284 * Return 0 or EPERM. 1285 */ 1286 int 1287 suser(p) 1288 struct proc *p; 1289 { 1290 1291 return (suser_xxx(0, p, 0)); 1292 } 1293 1294 /* 1295 * version for when the thread pointer is available and not the proc. 1296 * (saves having to include proc.h into every file that needs to do the change.) 1297 */ 1298 int 1299 suser_td(td) 1300 struct thread *td; 1301 { 1302 return (suser_xxx(0, td->td_proc, 0)); 1303 } 1304 1305 /* 1306 * wrapper to use if you have the thread on hand but not the proc. 1307 */ 1308 int 1309 suser_xxx_td(cred, td, flag) 1310 struct ucred *cred; 1311 struct thread *td; 1312 int flag; 1313 { 1314 return(suser_xxx(cred, td->td_proc, flag)); 1315 } 1316 1317 int 1318 suser_xxx(cred, proc, flag) 1319 struct ucred *cred; 1320 struct proc *proc; 1321 int flag; 1322 { 1323 if (!suser_enabled) 1324 return (EPERM); 1325 if (!cred && !proc) { 1326 printf("suser_xxx(): THINK!\n"); 1327 return (EPERM); 1328 } 1329 if (cred == NULL) 1330 cred = proc->p_ucred; 1331 if (cred->cr_uid != 0) 1332 return (EPERM); 1333 if (jailed(cred) && !(flag & PRISON_ROOT)) 1334 return (EPERM); 1335 return (0); 1336 } 1337 1338 /* 1339 * Test the active securelevel against a given level. securelevel_gt() 1340 * implements (securelevel > level). securelevel_ge() implements 1341 * (securelevel >= level). Note that the logic is inverted -- these 1342 * functions return EPERM on "success" and 0 on "failure". 1343 * 1344 * cr is permitted to be NULL for the time being, as there were some 1345 * existing securelevel checks that occurred without a process/credential 1346 * context. In the future this will be disallowed, so a kernel message 1347 * is displayed. 
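*/
/*
 * Resolve the securelevel that applies to cr: the system securelevel,
 * raised to the prison's own securelevel when cr is jailed (the prison
 * mutex is held around the read).  A NULL cr is still tolerated: it is
 * logged under the caller's name and the system securelevel is used,
 * instead of dereferencing the null pointer.
 */
static int
securelevel_for(struct ucred *cr, const char *caller)
{
	int active_securelevel;

	active_securelevel = securelevel;
	if (cr == NULL) {
		printf("%s: cr is NULL\n", caller);
		return (active_securelevel);
	}
	if (cr->cr_prison != NULL) {
		mtx_lock(&cr->cr_prison->pr_mtx);
		active_securelevel = imax(cr->cr_prison->pr_securelevel,
		    active_securelevel);
		mtx_unlock(&cr->cr_prison->pr_mtx);
	}
	return (active_securelevel);
}

/*
 * Is the securelevel that applies to cr strictly greater than level?
 *
 * Returns: EPERM if so, 0 otherwise.
 */
int
securelevel_gt(struct ucred *cr, int level)
{

	return (securelevel_for(cr, "securelevel_gt") > level ? EPERM : 0);
}

/*
 * Is the securelevel that applies to cr greater than or equal to level?
 *
 * Returns: EPERM if so, 0 otherwise.
 */
int
securelevel_ge(struct ucred *cr, int level)
{

	return (securelevel_for(cr, "securelevel_ge") >= level ? EPERM : 0);
}

/*
 * 'see_other_uids' determines whether or not visibility of processes
 * and sockets with credentials holding different real uids is possible
 * using a variety of system MIBs.
 * XXX: data declarations should be together near the beginning of the file.
 */
static int see_other_uids = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
    &see_other_uids, 0,
    "Unprivileged processes may see subjects/objects with different real uid");

/*-
 * Determine if u1 "can see" the subject specified by u2, according to the
 * 'see_other_uids' policy.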
*/
/*-
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 *	u1 may equal u2, in which case only one reference is required
 */
static int
cr_seeotheruids(struct ucred *u1, struct ucred *u2)
{

	/* Policy on, or same real uid: nothing to hide. */
	if (see_other_uids || u1->cr_ruid == u2->cr_ruid)
		return (0);
	/*
	 * Different real uids with the policy off: only (jail-tolerant)
	 * super-user may look.  The refusal is ESRCH rather than EPERM,
	 * presumably so that a hidden subject is indistinguishable from a
	 * non-existent one.
	 */
	if (suser_xxx(u1, NULL, PRISON_ROOT) == 0)
		return (0);
	return (ESRCH);
}

/*-
 * Determine if u1 "can see" the subject specified by u2: u2 must pass
 * the jail check (prison_check()) and the see_other_uids policy.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 *	u1 may equal u2, in which case only one reference is required
 */
int
cr_cansee(struct ucred *u1, struct ucred *u2)
{
	int error;

	error = prison_check(u1, u2);
	if (error == 0)
		error = cr_seeotheruids(u1, u2);
	return (error);
}

/*-
 * Determine if p1 "can see" the subject specified by p2.  Thin wrapper
 * applying cr_cansee() to the two processes' credentials.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
 *	be held.  Normally, p1 will be curproc, and a lock must be held
 *	for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansee(struct proc *p1, struct proc *p2)
{

	return (cr_cansee(p1->p_ucred, p2->p_ucred));
}

/*-
 * Determine whether cred may deliver the specified signal to proc.
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
*/
/*
 * Signals an unprivileged sender may deliver to a process whose
 * credentials have changed (P_SUGID set): job and terminal control
 * signals, plus the null signal (0).  Anything else requires privilege.
 */
static int
sugid_signal_permitted(int signum)
{

	switch (signum) {
	case 0:
	case SIGKILL:
	case SIGINT:
	case SIGTERM:
	case SIGSTOP:
	case SIGTTIN:
	case SIGTTOU:
	case SIGTSTP:
	case SIGHUP:
	case SIGUSR1:
	case SIGUSR2:
		return (1);
	default:
		return (0);
	}
}

/*-
 * Determine whether cred may deliver signum to proc.
 *
 * Checks, in order: jail containment (prison_check()), the
 * see_other_uids policy, the P_SUGID signal restriction, and finally the
 * UNIX uid rule -- the sender's real or effective uid must match the
 * target's real or saved uid.  Each of the last two may be overridden by
 * (jail-tolerant) super-user privilege.
 *
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
 */
int
cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
	struct ucred *tcred;
	int error, uidmatch;

	/* Read once; the caller's lock on proc keeps p_ucred stable. */
	tcred = proc->p_ucred;

	/* Jailed senders may only signal processes within their own jail. */
	error = prison_check(cred, tcred);
	if (error != 0)
		return (error);
	error = cr_seeotheruids(cred, tcred);
	if (error != 0)
		return (error);

	/* A set-id target narrows the signal set for unprivileged senders. */
	if ((proc->p_flag & P_SUGID) != 0 &&
	    !sugid_signal_permitted(signum)) {
		error = suser_xxx(cred, NULL, PRISON_ROOT);
		if (error != 0)
			return (error);
	}

	/* Sender's ruid or euid must match the target's ruid or svuid. */
	uidmatch = (cred->cr_ruid == tcred->cr_ruid ||
	    cred->cr_ruid == tcred->cr_svuid ||
	    cred->cr_uid == tcred->cr_ruid ||
	    cred->cr_uid == tcred->cr_svuid);
	if (!uidmatch) {
		error = suser_xxx(cred, NULL, PRISON_ROOT);
		if (error != 0)
			return (error);
	}

	return (0);
}

/*-
 * Determine whether p1 may deliver the specified signal to p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *	must be held.  Normally, p1 will be curproc, and a lock must
 *	be held for p2.
*/
/*-
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansignal(struct proc *p1, struct proc *p2, int signum)
{

	/* A process may always signal itself. */
	if (p1 == p2)
		return (0);

	/*
	 * UNIX signalling semantics require that processes in the same
	 * session always be able to deliver SIGCONT to one another,
	 * overriding the remaining protections.
	 */
	if (signum == SIGCONT && p1->p_session == p2->p_session)
		return (0);

	/* Everything else is decided on p1's credential. */
	return (cr_cansignal(p1->p_ucred, p2, signum));
}

/*-
 * Determine whether p1 may reschedule p2.
 * Requires, in order: the jail check (prison_check()), the
 * see_other_uids policy, and then any one of: matching real uids, p1's
 * effective uid equal to p2's real uid, (jail-tolerant) super-user
 * privilege, or -- with CAPABILITIES -- the CAP_SYS_NICE capability.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *	must be held.  Normally, p1 will be curproc, and a lock must
 *	be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansched(struct proc *p1, struct proc *p2)
{
	struct ucred *c1, *c2;
	int error;

	if (p1 == p2)
		return (0);

	c1 = p1->p_ucred;
	c2 = p2->p_ucred;
	error = prison_check(c1, c2);
	if (error != 0)
		return (error);
	error = cr_seeotheruids(c1, c2);
	if (error != 0)
		return (error);

	if (c1->cr_ruid == c2->cr_ruid || c1->cr_uid == c2->cr_ruid)
		return (0);
	if (suser_xxx(NULL, p1, PRISON_ROOT) == 0)
		return (0);
#ifdef CAPABILITIES
	if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT))
		return (0);
#endif
	return (EPERM);
}

/*
 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 * unprivileged inter-process debugging services, including some procfs
 * functionality, ptrace(), and ktrace().  In the past, inter-process
 * debugging has been involved in a variety of security problems, and sites
 * not requiring the service might choose to disable it when hardening
 * systems.
*/
/*
 * XXX: Should modifying and reading this variable require locking?
 * XXX: data declarations should be together near the beginning of the file.
 */
static int unprivileged_proc_debug = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
    &unprivileged_proc_debug, 0,
    "Unprivileged processes may use process debugging facilities");

/*-
 * Determine whether p1 may debug p2.
 *
 * Unprivileged debugging is permitted only when p2's credential is wholly
 * contained in p1's: every uid in p2's credential (euid, svuid, ruid)
 * equals p1's effective uid, every gid in p2's credential (group list,
 * rgid, svgid) is held by p1, and p2 has not changed credentials since its
 * last exec (P_SUGID clear).  Otherwise, or whenever
 * unprivileged_proc_debug is off, (jail-tolerant) super-user privilege is
 * required.  Tracing init is additionally refused at securelevel > 0.
 *
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *	must be held.  Normally, p1 will be curproc, and a lock must
 *	be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_candebug(struct proc *p1, struct proc *p2)
{
	struct ucred *c1, *c2;
	int error, i, needpriv;

	/*
	 * With the knob off, every use of the debugging facilities --
	 * including on oneself -- needs privilege.
	 */
	if (!unprivileged_proc_debug) {
		error = suser_xxx(NULL, p1, PRISON_ROOT);
		if (error != 0)
			return (error);
	}
	if (p1 == p2)
		return (0);

	c1 = p1->p_ucred;
	c2 = p2->p_ucred;
	error = prison_check(c1, c2);
	if (error != 0)
		return (error);
	error = cr_seeotheruids(c1, c2);
	if (error != 0)
		return (error);

	/* Has p2's credential changed since its last exec()? */
	needpriv = (p2->p_flag & P_SUGID) != 0;

	/* Are all of p2's uids equal to p1's effective uid? */
	if (!needpriv)
		needpriv = (c1->cr_uid != c2->cr_uid ||
		    c1->cr_uid != c2->cr_svuid ||
		    c1->cr_uid != c2->cr_ruid);

	/* Is p2's group set (list, rgid, svgid) a subset of p1's? */
	if (!needpriv)
		needpriv = (!groupmember(c2->cr_rgid, c1) ||
		    !groupmember(c2->cr_svgid, c1));
	for (i = 0; !needpriv && i < c2->cr_ngroups; i++) {
		if (!groupmember(c2->cr_groups[i], c1))
			needpriv = 1;
	}

	/*
	 * Any of the above failing means p1 needs appropriate privilege.
	 * For POSIX.1e capabilities, this will require CAP_SYS_PTRACE.
	 */
	if (needpriv) {
		error = suser_xxx(NULL, p1, PRISON_ROOT);
		if (error != 0)
			return (error);
	}

	/* Can't trace init when securelevel > 0. */
	if (p2 == initproc) {
		error = securelevel_gt(c1, 0);
		if (error != 0)
			return (error);
	}

	/*
	 * Can't trace a process that's currently exec'ing.
	 * XXX: Note, this is not a security policy decision, it's a
	 * basic correctness/functionality decision.  Therefore, this check
	 * should be moved to the callers of p_candebug().
	 */
	if ((p2->p_flag & P_INEXEC) != 0)
		return (EAGAIN);

	return (0);
}

/*
 * Allocate a zeroed credential (M_WAITOK | M_ZERO) holding a single
 * reference, with its mutex drawn from the mutex pool.  The uidinfo and
 * prison pointers are left NULL for the caller to fill in.
 */
struct ucred *
crget(void)
{
	struct ucred *cr;

	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
	cr->cr_ref = 1;
	cr->cr_mtxp = mtx_pool_find(cr);
	return (cr);
}

/*
 * Take an additional reference to cr, under its mutex.
 * Returns cr for the caller's convenience.
 */
struct ucred *
crhold(struct ucred *cr)
{

	mtx_lock(cr->cr_mtxp);
	cr->cr_ref++;
	mtx_unlock(cr->cr_mtxp);
	return (cr);
}

/*
 * Free a cred structure.
 * Throws away space when ref count gets to 0.
*/
void
crfree(struct ucred *cr)
{
	struct mtx *mtxp;

	mtxp = cr->cr_mtxp;
	mtx_lock(mtxp);
	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
	cr->cr_ref--;
	if (cr->cr_ref != 0) {
		mtx_unlock(mtxp);
		return;
	}

	/*
	 * Last reference gone.  The credential's mutex is released first,
	 * then Giant is taken for the frees.  Some callers of crget(), such
	 * as nfs_statfs(), allocate a temporary credential without a
	 * uidinfo structure, hence the NULL checks.
	 */
	mtx_unlock(mtxp);
	mtx_lock(&Giant);
	if (cr->cr_uidinfo != NULL)
		uifree(cr->cr_uidinfo);
	if (cr->cr_ruidinfo != NULL)
		uifree(cr->cr_ruidinfo);
	/* Release the prison reference, if jailed. */
	if (jailed(cr))
		prison_free(cr->cr_prison);
	FREE((caddr_t)cr, M_CRED);
	mtx_unlock(&Giant);
}

/*
 * Does more than one reference to cr exist?
 * Returns: nonzero if shared, 0 if this is the sole reference.
 */
int
crshared(struct ucred *cr)
{
	int shared;

	mtx_lock(cr->cr_mtxp);
	shared = cr->cr_ref > 1;
	mtx_unlock(cr->cr_mtxp);
	return (shared);
}

/*
 * Copy a ucred's contents from a template.  Does not block.
 *
 * Only the bytes between cr_startcopy and cr_endcopy are copied
 * (presumably excluding the reference count and mutex pointer -- confirm
 * against struct ucred), after which a reference is taken on the uidinfo
 * structures and, if jailed, the prison that dest now points at.  dest
 * must not be shared, and uihold() is handed whatever pointers were
 * copied, so src's uidinfo fields are expected to be non-NULL.
 */
void
crcopy(struct ucred *dest, struct ucred *src)
{
	size_t len;

	KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
	len = (caddr_t)&src->cr_endcopy - (caddr_t)&src->cr_startcopy;
	bcopy(&src->cr_startcopy, &dest->cr_startcopy, len);
	uihold(dest->cr_uidinfo);
	uihold(dest->cr_ruidinfo);
	if (jailed(dest))
		prison_hold(dest->cr_prison);
}

/*
 * Dup cred struct to a new held one.
*/
struct ucred *
crdup(struct ucred *cr)
{
	struct ucred *newcr;

	newcr = crget();
	crcopy(newcr, cr);
	return (newcr);
}

#ifdef DIAGNOSTIC
/*
 * Drop the thread's cached credential reference (td_ucred) and clear the
 * pointer.  Compiled only with DIAGNOSTIC.
 */
void
cred_free_thread(struct thread *td)
{
	struct ucred *cred;

	cred = td->td_ucred;
	td->td_ucred = NULL;
	if (cred != NULL)
		crfree(cred);
}
#endif

/*
 * Fill in a struct xucred (the exported, versioned form of a credential)
 * from a struct ucred: the effective uid, group count and group list are
 * copied; everything else is zeroed.  The whole cr_groups array is
 * copied, not just cr_ngroups entries, so xcr->cr_groups must be at least
 * as large as cr->cr_groups -- TODO confirm against the struct definitions.
 */
void
cru2x(struct ucred *cr, struct xucred *xcr)
{

	bzero(xcr, sizeof(*xcr));
	xcr->cr_version = XUCRED_VERSION;
	xcr->cr_uid = cr->cr_uid;
	xcr->cr_ngroups = cr->cr_ngroups;
	memcpy(xcr->cr_groups, cr->cr_groups, sizeof(cr->cr_groups));
}

/*
 * Replace the thread's cached credential with a fresh reference to the
 * process's current one (p_ucred), dropping the reference the thread
 * previously held.  Giant and the proc lock are taken for the swap.
 */
void
cred_update_thread(struct thread *td)
{
	struct proc *p;
	struct ucred *oldcred;

	p = td->td_proc;
	oldcred = td->td_ucred;
	mtx_lock(&Giant);
	PROC_LOCK(p);
	td->td_ucred = crhold(p->p_ucred);
	PROC_UNLOCK(p);
	if (oldcred != NULL)
		crfree(oldcred);
	mtx_unlock(&Giant);
}

/*
 * Get login name, if available.
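*/
#ifndef _SYS_SYSPROTO_H_
struct getlogin_args {
	char *namebuf;
	u_int namelen;
};
#endif
/*
 * getlogin(2): copy the session's login name out to the caller.
 *
 * namelen is clamped to MAXLOGNAME.  Exactly namelen bytes of s_login are
 * copied into a kernel buffer and then out to userland, so no
 * uninitialised kernel stack is exposed here; the result is only
 * NUL-terminated if namelen covers the terminator.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getlogin(struct thread *td, struct getlogin_args *uap)
{
	struct proc *p;
	char login[MAXLOGNAME];
	int error;

	p = td->td_proc;
	mtx_lock(&Giant);
	if (uap->namelen > MAXLOGNAME)
		uap->namelen = MAXLOGNAME;
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	bcopy(p->p_session->s_login, login, uap->namelen);
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	error = copyout(login, uap->namebuf, uap->namelen);
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Set login name.
 */
#ifndef _SYS_SYSPROTO_H_
struct setlogin_args {
	char *namebuf;
};
#endif
/*
 * setlogin(2): set the session's login name.  Requires (jail-tolerant)
 * super-user privilege.  The name is copied in as a NUL-terminated string
 * of at most MAXLOGNAME bytes including the terminator; a longer name is
 * rejected with EINVAL (copyinstr's ENAMETOOLONG is remapped).
 *
 * The whole MAXLOGNAME-byte buffer is stored into s_login, and getlogin()
 * hands out up to MAXLOGNAME bytes of s_login regardless of where the
 * NUL falls, so the buffer is zeroed before copyinstr() fills it: the
 * bytes past the terminator would otherwise be stale kernel stack, later
 * readable by any process in the session.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setlogin(struct thread *td, struct setlogin_args *uap)
{
	struct proc *p;
	char logintmp[MAXLOGNAME];
	int error;

	p = td->td_proc;
	mtx_lock(&Giant);
	error = suser_xxx(NULL, p, PRISON_ROOT);
	if (error != 0)
		goto out;
	/* Never let uninitialised stack reach s_login (see above). */
	bzero(logintmp, sizeof(logintmp));
	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
	if (error == ENAMETOOLONG) {
		error = EINVAL;
		goto out;
	}
	if (error != 0)
		goto out;
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	memcpy(p->p_session->s_login, logintmp, sizeof(logintmp));
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
out:
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Mark p as having changed credentials (P_SUGID), which tightens the
 * signal and debugging checks earlier in this file, and -- unless procfs
 * asked to keep them (PF_ISUGID) -- clear its procfs stop events.
 */
void
setsugid(struct proc *p)
{

	p->p_flag |= P_SUGID;
	if ((p->p_pfsflags & PF_ISUGID) == 0)
		p->p_stops = 0;
}

/*-
 * Change a process's effective uid.
 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.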
*/
/*-
 * References: newcred must be an exclusive credential reference for the
 *	duration of the call.
 */
void
change_euid(struct ucred *newcred, uid_t euid)
{

	newcred->cr_uid = euid;
	/* Swap the uidinfo reference over to the new effective uid's. */
	uifree(newcred->cr_uidinfo);
	newcred->cr_uidinfo = uifind(euid);
}

/*-
 * Change a process's effective gid.  The effective gid lives in
 * cr_groups[0], which is why groupmember() treats the egid as a group
 * membership.
 * Side effects: newcred->cr_groups[0] (the egid) will be modified.
 * References: newcred must be an exclusive credential reference for the
 *	duration of the call.
 */
void
change_egid(struct ucred *newcred, gid_t egid)
{

	newcred->cr_groups[0] = egid;
}

/*-
 * Change a process's real uid.
 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 *	will be updated, and the old and new cr_ruidinfo proc counts will
 *	be updated (the process leaves the old real uid's count and joins
 *	the new one's; chgproccnt()'s return value is ignored, so the move
 *	is never refused here).
 * References: newcred must be an exclusive credential reference for the
 *	duration of the call.
 */
void
change_ruid(struct ucred *newcred, uid_t ruid)
{

	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
	newcred->cr_ruid = ruid;
	uifree(newcred->cr_ruidinfo);
	newcred->cr_ruidinfo = uifind(ruid);
	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
}

/*-
 * Change a process's real gid.
 * Side effects: newcred->cr_rgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *	duration of the call.
 */
void
change_rgid(struct ucred *newcred, gid_t rgid)
{

	newcred->cr_rgid = rgid;
}

/*-
 * Change a process's saved uid.
 * Side effects: newcred->cr_svuid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *	duration of the call.
*/
void
change_svuid(struct ucred *newcred, uid_t svuid)
{

	newcred->cr_svuid = svuid;
}

/*-
 * Change a process's saved gid.
 * Side effects: newcred->cr_svgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *	duration of the call.
 */
void
change_svgid(struct ucred *newcred, gid_t svgid)
{

	newcred->cr_svgid = svgid;
}