1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/abi_compat.h> 51 #include <sys/acct.h> 52 #include <sys/kdb.h> 53 #include <sys/kernel.h> 54 #include <sys/libkern.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef MAC 78 #include <security/mac/mac_syscalls.h> 79 #endif 80 81 #include <vm/uma.h> 82 83 #ifdef REGRESSION 84 FEATURE(regression, 85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 86 #endif 87 88 #include <security/audit/audit.h> 89 #include <security/mac/mac_framework.h> 90 91 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 92 93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 94 "BSD security policy"); 95 96 static void crfree_final(struct ucred *cr); 97 98 static inline void 99 groups_check_positive_len(int ngrp) 100 { 101 MPASS2(ngrp >= 0, "negative number of groups"); 102 } 103 static inline void 104 groups_check_max_len(int ngrp) 105 { 106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups"); 107 } 108 109 static void groups_normalize(int *ngrp, gid_t *groups); 110 static void crsetgroups_internal(struct ucred *cr, int ngrp, 111 const gid_t *groups); 112 113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 116 117 #ifndef _SYS_SYSPROTO_H_ 118 struct getpid_args { 119 int dummy; 120 }; 121 #endif 122 /* ARGSUSED */ 123 int 124 sys_getpid(struct thread *td, struct getpid_args *uap) 125 { 126 struct proc *p = td->td_proc; 127 128 td->td_retval[0] = p->p_pid; 129 #if defined(COMPAT_43) 130 if (SV_PROC_FLAG(p, SV_AOUT)) 131 td->td_retval[1] = kern_getppid(td); 132 #endif 133 return (0); 134 } 135 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getppid_args { 138 int dummy; 139 }; 140 #endif 141 /* ARGSUSED */ 142 int 143 sys_getppid(struct thread *td, struct getppid_args *uap) 144 { 145 146 td->td_retval[0] = kern_getppid(td); 147 return (0); 148 } 149 150 int 151 kern_getppid(struct thread *td) 152 { 153 struct proc *p = td->td_proc; 154 155 return (p->p_oppid); 156 } 157 158 /* 159 * Get process group ID; note that POSIX getpgrp takes no parameter. 160 */ 161 #ifndef _SYS_SYSPROTO_H_ 162 struct getpgrp_args { 163 int dummy; 164 }; 165 #endif 166 int 167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 168 { 169 struct proc *p = td->td_proc; 170 171 PROC_LOCK(p); 172 td->td_retval[0] = p->p_pgrp->pg_id; 173 PROC_UNLOCK(p); 174 return (0); 175 } 176 177 /* Get an arbitrary pid's process group id */ 178 #ifndef _SYS_SYSPROTO_H_ 179 struct getpgid_args { 180 pid_t pid; 181 }; 182 #endif 183 int 184 sys_getpgid(struct thread *td, struct getpgid_args *uap) 185 { 186 struct proc *p; 187 int error; 188 189 if (uap->pid == 0) { 190 p = td->td_proc; 191 PROC_LOCK(p); 192 } else { 193 p = pfind(uap->pid); 194 if (p == NULL) 195 return (ESRCH); 196 error = p_cansee(td, p); 197 if (error) { 198 PROC_UNLOCK(p); 199 return (error); 200 } 201 } 202 td->td_retval[0] = p->p_pgrp->pg_id; 203 PROC_UNLOCK(p); 204 return (0); 205 } 206 207 /* 208 * Get an arbitrary pid's session id. 209 */ 210 #ifndef _SYS_SYSPROTO_H_ 211 struct getsid_args { 212 pid_t pid; 213 }; 214 #endif 215 int 216 sys_getsid(struct thread *td, struct getsid_args *uap) 217 { 218 219 return (kern_getsid(td, uap->pid)); 220 } 221 222 int 223 kern_getsid(struct thread *td, pid_t pid) 224 { 225 struct proc *p; 226 int error; 227 228 if (pid == 0) { 229 p = td->td_proc; 230 PROC_LOCK(p); 231 } else { 232 p = pfind(pid); 233 if (p == NULL) 234 return (ESRCH); 235 error = p_cansee(td, p); 236 if (error) { 237 PROC_UNLOCK(p); 238 return (error); 239 } 240 } 241 td->td_retval[0] = p->p_session->s_sid; 242 PROC_UNLOCK(p); 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getuid_args { 248 int dummy; 249 }; 250 #endif 251 /* ARGSUSED */ 252 int 253 sys_getuid(struct thread *td, struct getuid_args *uap) 254 { 255 256 td->td_retval[0] = td->td_ucred->cr_ruid; 257 #if defined(COMPAT_43) 258 td->td_retval[1] = td->td_ucred->cr_uid; 259 #endif 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct geteuid_args { 265 int dummy; 266 }; 267 #endif 268 /* ARGSUSED */ 269 int 270 sys_geteuid(struct thread *td, struct geteuid_args *uap) 271 { 272 273 td->td_retval[0] = td->td_ucred->cr_uid; 274 return (0); 275 } 276 277 #ifndef _SYS_SYSPROTO_H_ 278 struct getgid_args { 279 int dummy; 280 }; 281 #endif 282 /* ARGSUSED */ 283 int 284 sys_getgid(struct thread *td, struct getgid_args *uap) 285 { 286 287 td->td_retval[0] = td->td_ucred->cr_rgid; 288 #if defined(COMPAT_43) 289 td->td_retval[1] = td->td_ucred->cr_gid; 290 #endif 291 return (0); 292 } 293 294 #ifndef _SYS_SYSPROTO_H_ 295 struct getegid_args { 296 int dummy; 297 }; 298 #endif 299 /* ARGSUSED */ 300 int 301 sys_getegid(struct thread *td, struct getegid_args *uap) 302 { 303 304 td->td_retval[0] = td->td_ucred->cr_gid; 305 return (0); 306 } 307 308 #ifdef COMPAT_FREEBSD14 309 int 310 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap) 311 { 312 struct ucred *cred; 313 int ngrp, error; 314 315 cred = td->td_ucred; 316 317 /* 318 * For FreeBSD < 15.0, we account for the egid being placed at the 319 * beginning of the group list prior to all supplementary groups. 320 */ 321 ngrp = cred->cr_ngroups + 1; 322 if (uap->gidsetsize == 0) { 323 error = 0; 324 goto out; 325 } else if (uap->gidsetsize < ngrp) { 326 return (EINVAL); 327 } 328 329 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t)); 330 if (error == 0) 331 error = copyout(cred->cr_groups, uap->gidset + 1, 332 (ngrp - 1) * sizeof(gid_t)); 333 334 out: 335 td->td_retval[0] = ngrp; 336 return (error); 337 338 } 339 #endif /* COMPAT_FREEBSD14 */ 340 341 #ifndef _SYS_SYSPROTO_H_ 342 struct getgroups_args { 343 int gidsetsize; 344 gid_t *gidset; 345 }; 346 #endif 347 int 348 sys_getgroups(struct thread *td, struct getgroups_args *uap) 349 { 350 struct ucred *cred; 351 int ngrp, error; 352 353 cred = td->td_ucred; 354 355 ngrp = cred->cr_ngroups; 356 if (uap->gidsetsize == 0) { 357 error = 0; 358 goto out; 359 } 360 if (uap->gidsetsize < ngrp) 361 return (EINVAL); 362 363 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 364 out: 365 td->td_retval[0] = ngrp; 366 return (error); 367 } 368 369 #ifndef _SYS_SYSPROTO_H_ 370 struct setsid_args { 371 int dummy; 372 }; 373 #endif 374 /* ARGSUSED */ 375 int 376 sys_setsid(struct thread *td, struct setsid_args *uap) 377 { 378 struct pgrp *pgrp; 379 int error; 380 struct proc *p = td->td_proc; 381 struct pgrp *newpgrp; 382 struct session *newsess; 383 384 pgrp = NULL; 385 386 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 387 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 388 389 again: 390 error = 0; 391 sx_xlock(&proctree_lock); 392 393 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 394 if (pgrp != NULL) 395 PGRP_UNLOCK(pgrp); 396 error = EPERM; 397 } else { 398 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 399 if (error == ERESTART) 400 goto again; 401 MPASS(error == 0); 402 td->td_retval[0] = p->p_pid; 403 newpgrp = NULL; 404 newsess = NULL; 405 } 406 407 sx_xunlock(&proctree_lock); 408 409 uma_zfree(pgrp_zone, newpgrp); 410 free(newsess, M_SESSION); 411 412 return (error); 413 } 414 415 /* 416 * set process group (setpgid/old setpgrp) 417 * 418 * caller does setpgid(targpid, targpgid) 419 * 420 * pid must be caller or child of caller (ESRCH) 421 * if a child 422 * pid must be in same session (EPERM) 423 * pid can't have done an exec (EACCES) 424 * if pgid != pid 425 * there must exist some pid in same session having pgid (EPERM) 426 * pid must not be session leader (EPERM) 427 */ 428 #ifndef _SYS_SYSPROTO_H_ 429 struct setpgid_args { 430 int pid; /* target process id */ 431 int pgid; /* target pgrp id */ 432 }; 433 #endif 434 /* ARGSUSED */ 435 int 436 sys_setpgid(struct thread *td, struct setpgid_args *uap) 437 { 438 struct proc *curp = td->td_proc; 439 struct proc *targp; /* target process */ 440 struct pgrp *pgrp; /* target pgrp */ 441 int error; 442 struct pgrp *newpgrp; 443 444 if (uap->pgid < 0) 445 return (EINVAL); 446 447 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 448 449 again: 450 error = 0; 451 452 sx_xlock(&proctree_lock); 453 if (uap->pid != 0 && uap->pid != curp->p_pid) { 454 if ((targp = pfind(uap->pid)) == NULL) { 455 error = ESRCH; 456 goto done; 457 } 458 if (!inferior(targp)) { 459 PROC_UNLOCK(targp); 460 error = ESRCH; 461 goto done; 462 } 463 if ((error = p_cansee(td, targp))) { 464 PROC_UNLOCK(targp); 465 goto done; 466 } 467 if (targp->p_pgrp == NULL || 468 targp->p_session != curp->p_session) { 469 PROC_UNLOCK(targp); 470 error = EPERM; 471 goto done; 472 } 473 if (targp->p_flag & P_EXEC) { 474 PROC_UNLOCK(targp); 475 error = EACCES; 476 goto done; 477 } 478 PROC_UNLOCK(targp); 479 } else 480 targp = curp; 481 if (SESS_LEADER(targp)) { 482 error = EPERM; 483 goto done; 484 } 485 if (uap->pgid == 0) 486 uap->pgid = targp->p_pid; 487 if ((pgrp = pgfind(uap->pgid)) == NULL) { 488 if (uap->pgid == targp->p_pid) { 489 error = enterpgrp(targp, uap->pgid, newpgrp, 490 NULL); 491 if (error == 0) 492 newpgrp = NULL; 493 } else 494 error = EPERM; 495 } else { 496 if (pgrp == targp->p_pgrp) { 497 PGRP_UNLOCK(pgrp); 498 goto done; 499 } 500 if (pgrp->pg_id != targp->p_pid && 501 pgrp->pg_session != curp->p_session) { 502 PGRP_UNLOCK(pgrp); 503 error = EPERM; 504 goto done; 505 } 506 PGRP_UNLOCK(pgrp); 507 error = enterthispgrp(targp, pgrp); 508 } 509 done: 510 KASSERT(error == 0 || newpgrp != NULL, 511 ("setpgid failed and newpgrp is NULL")); 512 if (error == ERESTART) 513 goto again; 514 sx_xunlock(&proctree_lock); 515 uma_zfree(pgrp_zone, newpgrp); 516 return (error); 517 } 518 519 static int 520 gidp_cmp(const void *p1, const void *p2) 521 { 522 const gid_t g1 = *(const gid_t *)p1; 523 const gid_t g2 = *(const gid_t *)p2; 524 525 return ((g1 > g2) - (g1 < g2)); 526 } 527 528 /* 529 * Final storage for supplementary groups will be returned via 'groups'. 530 * '*groups' must be NULL on input, and if not equal to 'smallgroups' 531 * on output, must be freed (M_TEMP) *even if* an error is returned. 532 */ 533 static int 534 kern_setcred_copyin_supp_groups(struct setcred *const wcred, 535 const u_int flags, gid_t *const smallgroups, gid_t **const groups) 536 { 537 MPASS(*groups == NULL); 538 539 if (flags & SETCREDF_SUPP_GROUPS) { 540 int error; 541 542 /* 543 * Check for the limit for number of groups right now in order 544 * to limit the amount of bytes to copy. 545 */ 546 if (wcred->sc_supp_groups_nb > ngroups_max) 547 return (EINVAL); 548 549 /* 550 * Since we are going to be copying the supplementary groups 551 * from userland, make room also for the effective GID right 552 * now, to avoid having to allocate and copy again the 553 * supplementary groups. 554 */ 555 *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? 556 smallgroups : malloc(wcred->sc_supp_groups_nb * 557 sizeof(*groups), M_TEMP, M_WAITOK); 558 559 error = copyin(wcred->sc_supp_groups, *groups, 560 wcred->sc_supp_groups_nb * sizeof(*groups)); 561 if (error != 0) 562 return (error); 563 wcred->sc_supp_groups = *groups; 564 } else { 565 wcred->sc_supp_groups_nb = 0; 566 wcred->sc_supp_groups = NULL; 567 } 568 569 return (0); 570 } 571 572 int 573 user_setcred(struct thread *td, const u_int flags, 574 const void *const uwcred, const size_t size, bool is_32bit) 575 { 576 struct setcred wcred; 577 #ifdef MAC 578 struct mac mac; 579 /* Pointer to 'struct mac' or 'struct mac32'. */ 580 void *umac; 581 #endif 582 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 583 gid_t *groups = NULL; 584 int error; 585 586 /* 587 * As the only point of this wrapper function is to copyin() from 588 * userland, we only interpret the data pieces we need to perform this 589 * operation and defer further sanity checks to kern_setcred(), except 590 * that we redundantly check here that no unknown flags have been 591 * passed. 592 */ 593 if ((flags & ~SETCREDF_MASK) != 0) 594 return (EINVAL); 595 596 #ifdef COMPAT_FREEBSD32 597 if (is_32bit) { 598 struct setcred32 wcred32; 599 600 if (size != sizeof(wcred32)) 601 return (EINVAL); 602 error = copyin(uwcred, &wcred32, sizeof(wcred32)); 603 if (error != 0) 604 return (error); 605 /* These fields have exactly the same sizes and positions. */ 606 memcpy(&wcred, &wcred32, &wcred32.setcred32_copy_end - 607 &wcred32.setcred32_copy_start); 608 /* Remaining fields are pointers and need PTRIN*(). */ 609 PTRIN_CP(wcred32, wcred, sc_supp_groups); 610 PTRIN_CP(wcred32, wcred, sc_label); 611 } else 612 #endif /* COMPAT_FREEBSD32 */ 613 { 614 if (size != sizeof(wcred)) 615 return (EINVAL); 616 error = copyin(uwcred, &wcred, sizeof(wcred)); 617 if (error != 0) 618 return (error); 619 } 620 #ifdef MAC 621 umac = wcred.sc_label; 622 #endif 623 /* Also done on !MAC as a defensive measure. */ 624 wcred.sc_label = NULL; 625 626 /* 627 * Copy supplementary groups as needed. There is no specific 628 * alternative for 32-bit compatibility as 'gid_t' has the same size 629 * everywhere. 630 */ 631 error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups, 632 &groups); 633 if (error != 0) 634 goto free_groups; 635 636 #ifdef MAC 637 if ((flags & SETCREDF_MAC_LABEL) != 0) { 638 #ifdef COMPAT_FREEBSD32 639 if (is_32bit) 640 error = mac_label_copyin32(umac, &mac, NULL); 641 else 642 #endif 643 error = mac_label_copyin(umac, &mac, NULL); 644 if (error != 0) 645 goto free_groups; 646 wcred.sc_label = &mac; 647 } 648 #endif 649 650 error = kern_setcred(td, flags, &wcred, groups); 651 652 #ifdef MAC 653 if (wcred.sc_label != NULL) 654 free_copied_label(wcred.sc_label); 655 #endif 656 657 free_groups: 658 if (groups != smallgroups) 659 free(groups, M_TEMP); 660 661 return (error); 662 } 663 664 #ifndef _SYS_SYSPROTO_H_ 665 struct setcred_args { 666 u_int flags; /* Flags. */ 667 const struct setcred *wcred; 668 size_t size; /* Passed 'setcred' structure length. */ 669 }; 670 #endif 671 /* ARGSUSED */ 672 int 673 sys_setcred(struct thread *td, struct setcred_args *uap) 674 { 675 return (user_setcred(td, uap->flags, uap->wcred, uap->size, false)); 676 } 677 678 /* 679 * CAUTION: This function normalizes groups in 'wcred'. 680 * 681 * If 'preallocated_groups' is non-NULL, it must be an already allocated array 682 * of size 'wcred->sc_supp_groups_nb' containing the supplementary groups, and 683 * 'wcred->sc_supp_groups' then must point to it. 684 */ 685 int 686 kern_setcred(struct thread *const td, const u_int flags, 687 struct setcred *const wcred, gid_t *preallocated_groups) 688 { 689 struct proc *const p = td->td_proc; 690 struct ucred *new_cred, *old_cred, *to_free_cred; 691 struct uidinfo *uip = NULL, *ruip = NULL; 692 #ifdef MAC 693 void *mac_set_proc_data = NULL; 694 bool proc_label_set = false; 695 #endif 696 gid_t *groups = NULL; 697 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 698 int error; 699 bool cred_set = false; 700 701 /* Bail out on unrecognized flags. */ 702 if (flags & ~SETCREDF_MASK) 703 return (EINVAL); 704 705 /* 706 * Part 1: We allocate and perform preparatory operations with no locks. 707 */ 708 709 if (flags & SETCREDF_SUPP_GROUPS) { 710 if (wcred->sc_supp_groups_nb > ngroups_max) 711 return (EINVAL); 712 if (preallocated_groups != NULL) { 713 groups = preallocated_groups; 714 MPASS(preallocated_groups == wcred->sc_supp_groups); 715 } else { 716 if (wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB) 717 groups = smallgroups; 718 else 719 groups = malloc(wcred->sc_supp_groups_nb * 720 sizeof(*groups), M_TEMP, M_WAITOK); 721 memcpy(groups, wcred->sc_supp_groups, 722 wcred->sc_supp_groups_nb * sizeof(*groups)); 723 } 724 } 725 726 if (flags & SETCREDF_MAC_LABEL) { 727 #ifdef MAC 728 error = mac_set_proc_prepare(td, wcred->sc_label, 729 &mac_set_proc_data); 730 if (error != 0) 731 goto free_groups; 732 #else 733 error = ENOTSUP; 734 goto free_groups; 735 #endif 736 } 737 738 if (flags & SETCREDF_UID) { 739 AUDIT_ARG_EUID(wcred->sc_uid); 740 uip = uifind(wcred->sc_uid); 741 } 742 if (flags & SETCREDF_RUID) { 743 AUDIT_ARG_RUID(wcred->sc_ruid); 744 ruip = uifind(wcred->sc_ruid); 745 } 746 if (flags & SETCREDF_SVUID) 747 AUDIT_ARG_SUID(wcred->sc_svuid); 748 749 if (flags & SETCREDF_GID) 750 AUDIT_ARG_EGID(wcred->sc_gid); 751 if (flags & SETCREDF_RGID) 752 AUDIT_ARG_RGID(wcred->sc_rgid); 753 if (flags & SETCREDF_SVGID) 754 AUDIT_ARG_SGID(wcred->sc_svgid); 755 if (flags & SETCREDF_SUPP_GROUPS) { 756 /* 757 * Output the raw supplementary groups array for better 758 * traceability. 759 */ 760 AUDIT_ARG_GROUPSET(groups, wcred->sc_supp_groups_nb); 761 groups_normalize(&wcred->sc_supp_groups_nb, groups); 762 } 763 764 /* 765 * We first completely build the new credentials and only then pass them 766 * to MAC along with the old ones so that modules can check whether the 767 * requested transition is allowed. 768 */ 769 new_cred = crget(); 770 to_free_cred = new_cred; 771 if (flags & SETCREDF_SUPP_GROUPS) 772 crextend(new_cred, wcred->sc_supp_groups_nb); 773 774 #ifdef MAC 775 mac_cred_setcred_enter(); 776 #endif 777 778 /* 779 * Part 2: We grab the process lock as to have a stable view of its 780 * current credentials, and prepare a copy of them with the requested 781 * changes applied under that lock. 782 */ 783 784 PROC_LOCK(p); 785 old_cred = crcopysafe(p, new_cred); 786 787 /* 788 * Change user IDs. 789 */ 790 if (flags & SETCREDF_UID) 791 change_euid(new_cred, uip); 792 if (flags & SETCREDF_RUID) 793 change_ruid(new_cred, ruip); 794 if (flags & SETCREDF_SVUID) 795 change_svuid(new_cred, wcred->sc_svuid); 796 797 /* 798 * Change groups. 799 */ 800 if (flags & SETCREDF_SUPP_GROUPS) 801 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb, 802 groups); 803 if (flags & SETCREDF_GID) 804 change_egid(new_cred, wcred->sc_gid); 805 if (flags & SETCREDF_RGID) 806 change_rgid(new_cred, wcred->sc_rgid); 807 if (flags & SETCREDF_SVGID) 808 change_svgid(new_cred, wcred->sc_svgid); 809 810 #ifdef MAC 811 /* 812 * Change the MAC label. 813 */ 814 if (flags & SETCREDF_MAC_LABEL) { 815 error = mac_set_proc_core(td, new_cred, mac_set_proc_data); 816 if (error != 0) 817 goto unlock_finish; 818 proc_label_set = true; 819 } 820 821 /* 822 * MAC security modules checks. 823 */ 824 error = mac_cred_check_setcred(flags, old_cred, new_cred); 825 if (error != 0) 826 goto unlock_finish; 827 #endif 828 /* 829 * Privilege check. 830 */ 831 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED); 832 if (error != 0) 833 goto unlock_finish; 834 835 /* 836 * Set the new credentials, noting that they have changed. 837 */ 838 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred); 839 if (cred_set) { 840 setsugid(p); 841 to_free_cred = old_cred; 842 #ifdef RACCT 843 racct_proc_ucred_changed(p, old_cred, new_cred); 844 #endif 845 #ifdef RCTL 846 crhold(new_cred); 847 #endif 848 MPASS(error == 0); 849 } else 850 error = EAGAIN; 851 852 unlock_finish: 853 PROC_UNLOCK(p); 854 855 /* 856 * Part 3: After releasing the process lock, we perform cleanups and 857 * finishing operations. 858 */ 859 860 #ifdef RCTL 861 if (cred_set) { 862 rctl_proc_ucred_changed(p, new_cred); 863 /* Paired with the crhold() just above. */ 864 crfree(new_cred); 865 } 866 #endif 867 868 #ifdef MAC 869 if (mac_set_proc_data != NULL) 870 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data); 871 mac_cred_setcred_exit(); 872 #endif 873 crfree(to_free_cred); 874 if (uip != NULL) 875 uifree(uip); 876 if (ruip != NULL) 877 uifree(ruip); 878 free_groups: 879 if (groups != preallocated_groups && groups != smallgroups) 880 free(groups, M_TEMP); /* Deals with 'groups' being NULL. */ 881 return (error); 882 } 883 884 /* 885 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 886 * compatible. It says that setting the uid/gid to euid/egid is a special 887 * case of "appropriate privilege". Once the rules are expanded out, this 888 * basically means that setuid(nnn) sets all three id's, in all permitted 889 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 890 * does not set the saved id - this is dangerous for traditional BSD 891 * programs. For this reason, we *really* do not want to set 892 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 893 */ 894 #define POSIX_APPENDIX_B_4_2_2 895 896 #ifndef _SYS_SYSPROTO_H_ 897 struct setuid_args { 898 uid_t uid; 899 }; 900 #endif 901 /* ARGSUSED */ 902 int 903 sys_setuid(struct thread *td, struct setuid_args *uap) 904 { 905 struct proc *p = td->td_proc; 906 struct ucred *newcred, *oldcred; 907 uid_t uid; 908 struct uidinfo *uip; 909 int error; 910 911 uid = uap->uid; 912 AUDIT_ARG_UID(uid); 913 newcred = crget(); 914 uip = uifind(uid); 915 PROC_LOCK(p); 916 /* 917 * Copy credentials so other references do not see our changes. 918 */ 919 oldcred = crcopysafe(p, newcred); 920 921 #ifdef MAC 922 error = mac_cred_check_setuid(oldcred, uid); 923 if (error) 924 goto fail; 925 #endif 926 927 /* 928 * See if we have "permission" by POSIX 1003.1 rules. 929 * 930 * Note that setuid(geteuid()) is a special case of 931 * "appropriate privileges" in appendix B.4.2.2. We need 932 * to use this clause to be compatible with traditional BSD 933 * semantics. Basically, it means that "setuid(xx)" sets all 934 * three id's (assuming you have privs). 935 * 936 * Notes on the logic. We do things in three steps. 937 * 1: We determine if the euid is going to change, and do EPERM 938 * right away. We unconditionally change the euid later if this 939 * test is satisfied, simplifying that part of the logic. 940 * 2: We determine if the real and/or saved uids are going to 941 * change. Determined by compile options. 942 * 3: Change euid last. (after tests in #2 for "appropriate privs") 943 */ 944 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 945 #ifdef _POSIX_SAVED_IDS 946 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 947 #endif 948 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 949 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 950 #endif 951 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 952 goto fail; 953 954 #ifdef _POSIX_SAVED_IDS 955 /* 956 * Do we have "appropriate privileges" (are we root or uid == euid) 957 * If so, we are changing the real uid and/or saved uid. 958 */ 959 if ( 960 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 961 uid == oldcred->cr_uid || 962 #endif 963 /* We are using privs. */ 964 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 965 #endif 966 { 967 /* 968 * Set the real uid. 969 */ 970 if (uid != oldcred->cr_ruid) { 971 change_ruid(newcred, uip); 972 setsugid(p); 973 } 974 /* 975 * Set saved uid 976 * 977 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 978 * the security of seteuid() depends on it. B.4.2.2 says it 979 * is important that we should do this. 980 */ 981 if (uid != oldcred->cr_svuid) { 982 change_svuid(newcred, uid); 983 setsugid(p); 984 } 985 } 986 987 /* 988 * In all permitted cases, we are changing the euid. 989 */ 990 if (uid != oldcred->cr_uid) { 991 change_euid(newcred, uip); 992 setsugid(p); 993 } 994 /* 995 * This also transfers the proc count to the new user. 996 */ 997 proc_set_cred(p, newcred); 998 #ifdef RACCT 999 racct_proc_ucred_changed(p, oldcred, newcred); 1000 #endif 1001 #ifdef RCTL 1002 crhold(newcred); 1003 #endif 1004 PROC_UNLOCK(p); 1005 #ifdef RCTL 1006 rctl_proc_ucred_changed(p, newcred); 1007 crfree(newcred); 1008 #endif 1009 uifree(uip); 1010 crfree(oldcred); 1011 return (0); 1012 1013 fail: 1014 PROC_UNLOCK(p); 1015 uifree(uip); 1016 crfree(newcred); 1017 return (error); 1018 } 1019 1020 #ifndef _SYS_SYSPROTO_H_ 1021 struct seteuid_args { 1022 uid_t euid; 1023 }; 1024 #endif 1025 /* ARGSUSED */ 1026 int 1027 sys_seteuid(struct thread *td, struct seteuid_args *uap) 1028 { 1029 struct proc *p = td->td_proc; 1030 struct ucred *newcred, *oldcred; 1031 uid_t euid; 1032 struct uidinfo *euip; 1033 int error; 1034 1035 euid = uap->euid; 1036 AUDIT_ARG_EUID(euid); 1037 newcred = crget(); 1038 euip = uifind(euid); 1039 PROC_LOCK(p); 1040 /* 1041 * Copy credentials so other references do not see our changes. 1042 */ 1043 oldcred = crcopysafe(p, newcred); 1044 1045 #ifdef MAC 1046 error = mac_cred_check_seteuid(oldcred, euid); 1047 if (error) 1048 goto fail; 1049 #endif 1050 1051 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 1052 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 1053 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 1054 goto fail; 1055 1056 /* 1057 * Everything's okay, do it. 1058 */ 1059 if (oldcred->cr_uid != euid) { 1060 change_euid(newcred, euip); 1061 setsugid(p); 1062 } 1063 proc_set_cred(p, newcred); 1064 PROC_UNLOCK(p); 1065 uifree(euip); 1066 crfree(oldcred); 1067 return (0); 1068 1069 fail: 1070 PROC_UNLOCK(p); 1071 uifree(euip); 1072 crfree(newcred); 1073 return (error); 1074 } 1075 1076 #ifndef _SYS_SYSPROTO_H_ 1077 struct setgid_args { 1078 gid_t gid; 1079 }; 1080 #endif 1081 /* ARGSUSED */ 1082 int 1083 sys_setgid(struct thread *td, struct setgid_args *uap) 1084 { 1085 struct proc *p = td->td_proc; 1086 struct ucred *newcred, *oldcred; 1087 gid_t gid; 1088 int error; 1089 1090 gid = uap->gid; 1091 AUDIT_ARG_GID(gid); 1092 newcred = crget(); 1093 PROC_LOCK(p); 1094 oldcred = crcopysafe(p, newcred); 1095 1096 #ifdef MAC 1097 error = mac_cred_check_setgid(oldcred, gid); 1098 if (error) 1099 goto fail; 1100 #endif 1101 1102 /* 1103 * See if we have "permission" by POSIX 1003.1 rules. 1104 * 1105 * Note that setgid(getegid()) is a special case of 1106 * "appropriate privileges" in appendix B.4.2.2. We need 1107 * to use this clause to be compatible with traditional BSD 1108 * semantics. Basically, it means that "setgid(xx)" sets all 1109 * three id's (assuming you have privs). 1110 * 1111 * For notes on the logic here, see setuid() above. 1112 */ 1113 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 1114 #ifdef _POSIX_SAVED_IDS 1115 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 1116 #endif 1117 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 1118 gid != oldcred->cr_gid && /* allow setgid(getegid()) */ 1119 #endif 1120 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 1121 goto fail; 1122 1123 #ifdef _POSIX_SAVED_IDS 1124 /* 1125 * Do we have "appropriate privileges" (are we root or gid == egid) 1126 * If so, we are changing the real uid and saved gid. 1127 */ 1128 if ( 1129 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 1130 gid == oldcred->cr_gid || 1131 #endif 1132 /* We are using privs. */ 1133 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 1134 #endif 1135 { 1136 /* 1137 * Set real gid 1138 */ 1139 if (oldcred->cr_rgid != gid) { 1140 change_rgid(newcred, gid); 1141 setsugid(p); 1142 } 1143 /* 1144 * Set saved gid 1145 * 1146 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 1147 * the security of setegid() depends on it. B.4.2.2 says it 1148 * is important that we should do this. 1149 */ 1150 if (oldcred->cr_svgid != gid) { 1151 change_svgid(newcred, gid); 1152 setsugid(p); 1153 } 1154 } 1155 /* 1156 * In all cases permitted cases, we are changing the egid. 1157 * Copy credentials so other references do not see our changes. 1158 */ 1159 if (oldcred->cr_gid != gid) { 1160 change_egid(newcred, gid); 1161 setsugid(p); 1162 } 1163 proc_set_cred(p, newcred); 1164 PROC_UNLOCK(p); 1165 crfree(oldcred); 1166 return (0); 1167 1168 fail: 1169 PROC_UNLOCK(p); 1170 crfree(newcred); 1171 return (error); 1172 } 1173 1174 #ifndef _SYS_SYSPROTO_H_ 1175 struct setegid_args { 1176 gid_t egid; 1177 }; 1178 #endif 1179 /* ARGSUSED */ 1180 int 1181 sys_setegid(struct thread *td, struct setegid_args *uap) 1182 { 1183 struct proc *p = td->td_proc; 1184 struct ucred *newcred, *oldcred; 1185 gid_t egid; 1186 int error; 1187 1188 egid = uap->egid; 1189 AUDIT_ARG_EGID(egid); 1190 newcred = crget(); 1191 PROC_LOCK(p); 1192 oldcred = crcopysafe(p, newcred); 1193 1194 #ifdef MAC 1195 error = mac_cred_check_setegid(oldcred, egid); 1196 if (error) 1197 goto fail; 1198 #endif 1199 1200 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 1201 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 1202 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 1203 goto fail; 1204 1205 if (oldcred->cr_gid != egid) { 1206 change_egid(newcred, egid); 1207 setsugid(p); 1208 } 1209 proc_set_cred(p, newcred); 1210 PROC_UNLOCK(p); 1211 crfree(oldcred); 1212 return (0); 1213 1214 fail: 1215 PROC_UNLOCK(p); 1216 crfree(newcred); 1217 return (error); 1218 } 1219 1220 #ifdef COMPAT_FREEBSD14 1221 int 1222 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap) 1223 { 1224 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1225 gid_t *groups; 1226 int gidsetsize, error; 1227 1228 /* 1229 * Before FreeBSD 15.0, we allow one more group to be supplied to 1230 * account for the egid appearing before the supplementary groups. This 1231 * may technically allow one more supplementary group for systems that 1232 * did use the default NGROUPS_MAX if we round it back up to 1024. 1233 */ 1234 gidsetsize = uap->gidsetsize; 1235 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 1236 return (EINVAL); 1237 1238 if (gidsetsize > CRED_SMALLGROUPS_NB) 1239 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1240 else 1241 groups = smallgroups; 1242 1243 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1244 if (error == 0) { 1245 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0; 1246 1247 error = kern_setgroups(td, &ngroups, groups + 1); 1248 if (error == 0 && gidsetsize > 0) 1249 td->td_proc->p_ucred->cr_gid = groups[0]; 1250 } 1251 1252 if (groups != smallgroups) 1253 free(groups, M_TEMP); 1254 return (error); 1255 } 1256 #endif /* COMPAT_FREEBSD14 */ 1257 1258 #ifndef _SYS_SYSPROTO_H_ 1259 struct setgroups_args { 1260 int gidsetsize; 1261 gid_t *gidset; 1262 }; 1263 #endif 1264 /* ARGSUSED */ 1265 int 1266 sys_setgroups(struct thread *td, struct setgroups_args *uap) 1267 { 1268 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1269 gid_t *groups; 1270 int gidsetsize, error; 1271 1272 /* 1273 * Sanity check size now to avoid passing too big a value to copyin(), 1274 * even if kern_setgroups() will do it again. 1275 * 1276 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 1277 * was, in this implementation, for a long time), but POSIX standardized 1278 * getgroups() to take an 'int' and it would be quite entrapping to have 1279 * setgroups() differ. 1280 */ 1281 gidsetsize = uap->gidsetsize; 1282 if (gidsetsize > ngroups_max || gidsetsize < 0) 1283 return (EINVAL); 1284 1285 if (gidsetsize > CRED_SMALLGROUPS_NB) 1286 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1287 else 1288 groups = smallgroups; 1289 1290 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1291 if (error == 0) 1292 error = kern_setgroups(td, &gidsetsize, groups); 1293 1294 if (groups != smallgroups) 1295 free(groups, M_TEMP); 1296 return (error); 1297 } 1298 1299 /* 1300 * CAUTION: This function normalizes 'groups', possibly also changing the value 1301 * of '*ngrpp' as a consequence. 1302 */ 1303 int 1304 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 1305 { 1306 struct proc *p = td->td_proc; 1307 struct ucred *newcred, *oldcred; 1308 int ngrp, error; 1309 1310 ngrp = *ngrpp; 1311 /* Sanity check size. */ 1312 if (ngrp < 0 || ngrp > ngroups_max) 1313 return (EINVAL); 1314 1315 AUDIT_ARG_GROUPSET(groups, ngrp); 1316 1317 groups_normalize(&ngrp, groups); 1318 *ngrpp = ngrp; 1319 1320 newcred = crget(); 1321 crextend(newcred, ngrp); 1322 PROC_LOCK(p); 1323 oldcred = crcopysafe(p, newcred); 1324 1325 #ifdef MAC 1326 /* 1327 * We pass NULL here explicitly if we don't have any supplementary 1328 * groups mostly for the sake of normalization, but also to avoid/detect 1329 * a situation where a MAC module has some assumption about the layout 1330 * of `groups` matching historical behavior. 1331 */ 1332 error = mac_cred_check_setgroups(oldcred, ngrp, 1333 ngrp == 0 ? NULL : groups); 1334 if (error) 1335 goto fail; 1336 #endif 1337 1338 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1339 if (error) 1340 goto fail; 1341 1342 crsetgroups_internal(newcred, ngrp, groups); 1343 setsugid(p); 1344 proc_set_cred(p, newcred); 1345 PROC_UNLOCK(p); 1346 crfree(oldcred); 1347 return (0); 1348 1349 fail: 1350 PROC_UNLOCK(p); 1351 crfree(newcred); 1352 return (error); 1353 } 1354 1355 #ifndef _SYS_SYSPROTO_H_ 1356 struct setreuid_args { 1357 uid_t ruid; 1358 uid_t euid; 1359 }; 1360 #endif 1361 /* ARGSUSED */ 1362 int 1363 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1364 { 1365 struct proc *p = td->td_proc; 1366 struct ucred *newcred, *oldcred; 1367 uid_t euid, ruid; 1368 struct uidinfo *euip, *ruip; 1369 int error; 1370 1371 euid = uap->euid; 1372 ruid = uap->ruid; 1373 AUDIT_ARG_EUID(euid); 1374 AUDIT_ARG_RUID(ruid); 1375 newcred = crget(); 1376 euip = uifind(euid); 1377 ruip = uifind(ruid); 1378 PROC_LOCK(p); 1379 oldcred = crcopysafe(p, newcred); 1380 1381 #ifdef MAC 1382 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1383 if (error) 1384 goto fail; 1385 #endif 1386 1387 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1388 ruid != oldcred->cr_svuid) || 1389 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1390 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1391 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1392 goto fail; 1393 1394 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1395 change_euid(newcred, euip); 1396 setsugid(p); 1397 } 1398 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1399 change_ruid(newcred, ruip); 1400 setsugid(p); 1401 } 1402 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1403 newcred->cr_svuid != newcred->cr_uid) { 1404 change_svuid(newcred, newcred->cr_uid); 1405 setsugid(p); 1406 } 1407 proc_set_cred(p, newcred); 1408 #ifdef RACCT 1409 racct_proc_ucred_changed(p, oldcred, newcred); 1410 #endif 1411 #ifdef RCTL 1412 crhold(newcred); 1413 #endif 1414 PROC_UNLOCK(p); 1415 #ifdef RCTL 1416 rctl_proc_ucred_changed(p, newcred); 1417 crfree(newcred); 1418 #endif 1419 uifree(ruip); 1420 uifree(euip); 1421 crfree(oldcred); 1422 return (0); 1423 1424 fail: 1425 PROC_UNLOCK(p); 1426 uifree(ruip); 1427 uifree(euip); 1428 crfree(newcred); 1429 return (error); 1430 } 1431 1432 #ifndef _SYS_SYSPROTO_H_ 1433 struct setregid_args { 1434 gid_t rgid; 1435 gid_t egid; 1436 }; 1437 #endif 1438 /* ARGSUSED */ 1439 int 1440 sys_setregid(struct thread *td, struct setregid_args *uap) 1441 { 1442 struct proc *p = td->td_proc; 1443 struct ucred *newcred, *oldcred; 1444 gid_t egid, rgid; 1445 int error; 1446 1447 egid = uap->egid; 1448 rgid = uap->rgid; 1449 AUDIT_ARG_EGID(egid); 1450 AUDIT_ARG_RGID(rgid); 1451 newcred = crget(); 1452 PROC_LOCK(p); 1453 oldcred = crcopysafe(p, newcred); 1454 1455 #ifdef MAC 1456 error = mac_cred_check_setregid(oldcred, rgid, egid); 1457 if (error) 1458 goto fail; 1459 #endif 1460 1461 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1462 rgid != oldcred->cr_svgid) || 1463 (egid != (gid_t)-1 && egid != oldcred->cr_gid && 1464 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1465 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1466 goto fail; 1467 1468 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1469 change_egid(newcred, egid); 1470 setsugid(p); 1471 } 1472 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1473 change_rgid(newcred, rgid); 1474 setsugid(p); 1475 } 1476 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) && 1477 newcred->cr_svgid != newcred->cr_gid) { 1478 change_svgid(newcred, newcred->cr_gid); 1479 setsugid(p); 1480 } 1481 proc_set_cred(p, newcred); 1482 PROC_UNLOCK(p); 1483 crfree(oldcred); 1484 return (0); 1485 1486 fail: 1487 PROC_UNLOCK(p); 1488 crfree(newcred); 1489 return (error); 1490 } 1491 1492 /* 1493 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1494 * uid is explicit. 1495 */ 1496 #ifndef _SYS_SYSPROTO_H_ 1497 struct setresuid_args { 1498 uid_t ruid; 1499 uid_t euid; 1500 uid_t suid; 1501 }; 1502 #endif 1503 /* ARGSUSED */ 1504 int 1505 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1506 { 1507 struct proc *p = td->td_proc; 1508 struct ucred *newcred, *oldcred; 1509 uid_t euid, ruid, suid; 1510 struct uidinfo *euip, *ruip; 1511 int error; 1512 1513 euid = uap->euid; 1514 ruid = uap->ruid; 1515 suid = uap->suid; 1516 AUDIT_ARG_EUID(euid); 1517 AUDIT_ARG_RUID(ruid); 1518 AUDIT_ARG_SUID(suid); 1519 newcred = crget(); 1520 euip = uifind(euid); 1521 ruip = uifind(ruid); 1522 PROC_LOCK(p); 1523 oldcred = crcopysafe(p, newcred); 1524 1525 #ifdef MAC 1526 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1527 if (error) 1528 goto fail; 1529 #endif 1530 1531 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1532 ruid != oldcred->cr_svuid && 1533 ruid != oldcred->cr_uid) || 1534 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1535 euid != oldcred->cr_svuid && 1536 euid != oldcred->cr_uid) || 1537 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1538 suid != oldcred->cr_svuid && 1539 suid != oldcred->cr_uid)) && 1540 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1541 goto fail; 1542 1543 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1544 change_euid(newcred, euip); 1545 setsugid(p); 1546 } 1547 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1548 change_ruid(newcred, ruip); 1549 setsugid(p); 1550 } 1551 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1552 change_svuid(newcred, suid); 1553 setsugid(p); 1554 } 1555 proc_set_cred(p, newcred); 1556 #ifdef RACCT 1557 racct_proc_ucred_changed(p, oldcred, newcred); 1558 #endif 1559 #ifdef RCTL 1560 crhold(newcred); 1561 #endif 1562 PROC_UNLOCK(p); 1563 #ifdef RCTL 1564 rctl_proc_ucred_changed(p, newcred); 1565 crfree(newcred); 1566 #endif 1567 uifree(ruip); 1568 uifree(euip); 1569 crfree(oldcred); 1570 return (0); 1571 1572 fail: 1573 PROC_UNLOCK(p); 1574 uifree(ruip); 1575 uifree(euip); 1576 crfree(newcred); 1577 return (error); 1578 1579 } 1580 1581 /* 1582 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1583 * gid is explicit. 1584 */ 1585 #ifndef _SYS_SYSPROTO_H_ 1586 struct setresgid_args { 1587 gid_t rgid; 1588 gid_t egid; 1589 gid_t sgid; 1590 }; 1591 #endif 1592 /* ARGSUSED */ 1593 int 1594 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1595 { 1596 struct proc *p = td->td_proc; 1597 struct ucred *newcred, *oldcred; 1598 gid_t egid, rgid, sgid; 1599 int error; 1600 1601 egid = uap->egid; 1602 rgid = uap->rgid; 1603 sgid = uap->sgid; 1604 AUDIT_ARG_EGID(egid); 1605 AUDIT_ARG_RGID(rgid); 1606 AUDIT_ARG_SGID(sgid); 1607 newcred = crget(); 1608 PROC_LOCK(p); 1609 oldcred = crcopysafe(p, newcred); 1610 1611 #ifdef MAC 1612 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1613 if (error) 1614 goto fail; 1615 #endif 1616 1617 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1618 rgid != oldcred->cr_svgid && 1619 rgid != oldcred->cr_gid) || 1620 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1621 egid != oldcred->cr_svgid && 1622 egid != oldcred->cr_gid) || 1623 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1624 sgid != oldcred->cr_svgid && 1625 sgid != oldcred->cr_gid)) && 1626 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1627 goto fail; 1628 1629 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1630 change_egid(newcred, egid); 1631 setsugid(p); 1632 } 1633 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1634 change_rgid(newcred, rgid); 1635 setsugid(p); 1636 } 1637 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1638 change_svgid(newcred, sgid); 1639 setsugid(p); 1640 } 1641 proc_set_cred(p, newcred); 1642 PROC_UNLOCK(p); 1643 crfree(oldcred); 1644 return (0); 1645 1646 fail: 1647 PROC_UNLOCK(p); 1648 crfree(newcred); 1649 return (error); 1650 } 1651 1652 #ifndef _SYS_SYSPROTO_H_ 1653 struct getresuid_args { 1654 uid_t *ruid; 1655 uid_t *euid; 1656 uid_t *suid; 1657 }; 1658 #endif 1659 /* ARGSUSED */ 1660 int 1661 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1662 { 1663 struct ucred *cred; 1664 int error1 = 0, error2 = 0, error3 = 0; 1665 1666 cred = td->td_ucred; 1667 if (uap->ruid) 1668 error1 = copyout(&cred->cr_ruid, 1669 uap->ruid, sizeof(cred->cr_ruid)); 1670 if (uap->euid) 1671 error2 = copyout(&cred->cr_uid, 1672 uap->euid, sizeof(cred->cr_uid)); 1673 if (uap->suid) 1674 error3 = copyout(&cred->cr_svuid, 1675 uap->suid, sizeof(cred->cr_svuid)); 1676 return (error1 ? error1 : error2 ? error2 : error3); 1677 } 1678 1679 #ifndef _SYS_SYSPROTO_H_ 1680 struct getresgid_args { 1681 gid_t *rgid; 1682 gid_t *egid; 1683 gid_t *sgid; 1684 }; 1685 #endif 1686 /* ARGSUSED */ 1687 int 1688 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1689 { 1690 struct ucred *cred; 1691 int error1 = 0, error2 = 0, error3 = 0; 1692 1693 cred = td->td_ucred; 1694 if (uap->rgid) 1695 error1 = copyout(&cred->cr_rgid, 1696 uap->rgid, sizeof(cred->cr_rgid)); 1697 if (uap->egid) 1698 error2 = copyout(&cred->cr_gid, 1699 uap->egid, sizeof(cred->cr_gid)); 1700 if (uap->sgid) 1701 error3 = copyout(&cred->cr_svgid, 1702 uap->sgid, sizeof(cred->cr_svgid)); 1703 return (error1 ? error1 : error2 ? error2 : error3); 1704 } 1705 1706 #ifndef _SYS_SYSPROTO_H_ 1707 struct issetugid_args { 1708 int dummy; 1709 }; 1710 #endif 1711 /* ARGSUSED */ 1712 int 1713 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1714 { 1715 struct proc *p = td->td_proc; 1716 1717 /* 1718 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1719 * we use P_SUGID because we consider changing the owners as 1720 * "tainting" as well. 1721 * This is significant for procs that start as root and "become" 1722 * a user without an exec - programs cannot know *everything* 1723 * that libc *might* have put in their data segment. 1724 */ 1725 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1726 return (0); 1727 } 1728 1729 int 1730 sys___setugid(struct thread *td, struct __setugid_args *uap) 1731 { 1732 #ifdef REGRESSION 1733 struct proc *p; 1734 1735 p = td->td_proc; 1736 switch (uap->flag) { 1737 case 0: 1738 PROC_LOCK(p); 1739 p->p_flag &= ~P_SUGID; 1740 PROC_UNLOCK(p); 1741 return (0); 1742 case 1: 1743 PROC_LOCK(p); 1744 p->p_flag |= P_SUGID; 1745 PROC_UNLOCK(p); 1746 return (0); 1747 default: 1748 return (EINVAL); 1749 } 1750 #else /* !REGRESSION */ 1751 1752 return (ENOSYS); 1753 #endif /* REGRESSION */ 1754 } 1755 1756 #ifdef INVARIANTS 1757 static void 1758 groups_check_normalized(int ngrp, const gid_t *groups) 1759 { 1760 gid_t prev_g; 1761 1762 groups_check_positive_len(ngrp); 1763 groups_check_max_len(ngrp); 1764 1765 if (ngrp <= 1) 1766 return; 1767 1768 prev_g = groups[0]; 1769 for (int i = 1; i < ngrp; ++i) { 1770 const gid_t g = groups[i]; 1771 1772 if (prev_g >= g) 1773 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1774 __func__, i - 1, prev_g, i, g); 1775 prev_g = g; 1776 } 1777 } 1778 #else 1779 #define groups_check_normalized(...) 1780 #endif 1781 1782 /* 1783 * Returns whether gid designates a supplementary group in cred. 1784 */ 1785 bool 1786 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1787 { 1788 1789 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1790 1791 /* 1792 * Perform a binary search of the supplementary groups. This is 1793 * possible because we sort the groups in crsetgroups(). 1794 */ 1795 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups, 1796 sizeof(gid), gidp_cmp) != NULL); 1797 } 1798 1799 /* 1800 * Check if gid is a member of the (effective) group set (i.e., effective and 1801 * supplementary groups). 1802 */ 1803 bool 1804 groupmember(gid_t gid, const struct ucred *cred) 1805 { 1806 1807 groups_check_positive_len(cred->cr_ngroups); 1808 1809 if (gid == cred->cr_gid) 1810 return (true); 1811 1812 return (group_is_supplementary(gid, cred)); 1813 } 1814 1815 /* 1816 * Check if gid is a member of the real group set (i.e., real and supplementary 1817 * groups). 1818 */ 1819 bool 1820 realgroupmember(gid_t gid, const struct ucred *cred) 1821 { 1822 groups_check_positive_len(cred->cr_ngroups); 1823 1824 if (gid == cred->cr_rgid) 1825 return (true); 1826 1827 return (group_is_supplementary(gid, cred)); 1828 } 1829 1830 /* 1831 * Test the active securelevel against a given level. securelevel_gt() 1832 * implements (securelevel > level). securelevel_ge() implements 1833 * (securelevel >= level). Note that the logic is inverted -- these 1834 * functions return EPERM on "success" and 0 on "failure". 1835 * 1836 * Due to care taken when setting the securelevel, we know that no jail will 1837 * be less secure that its parent (or the physical system), so it is sufficient 1838 * to test the current jail only. 1839 * 1840 * XXXRW: Possibly since this has to do with privilege, it should move to 1841 * kern_priv.c. 1842 */ 1843 int 1844 securelevel_gt(struct ucred *cr, int level) 1845 { 1846 1847 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1848 } 1849 1850 int 1851 securelevel_ge(struct ucred *cr, int level) 1852 { 1853 1854 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1855 } 1856 1857 /* 1858 * 'see_other_uids' determines whether or not visibility of processes 1859 * and sockets with credentials holding different real uids is possible 1860 * using a variety of system MIBs. 1861 * XXX: data declarations should be together near the beginning of the file. 1862 */ 1863 static int see_other_uids = 1; 1864 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1865 &see_other_uids, 0, 1866 "Unprivileged processes may see subjects/objects with different real uid"); 1867 1868 /*- 1869 * Determine if u1 "can see" the subject specified by u2, according to the 1870 * 'see_other_uids' policy. 1871 * Returns: 0 for permitted, ESRCH otherwise 1872 * Locks: none 1873 * References: *u1 and *u2 must not change during the call 1874 * u1 may equal u2, in which case only one reference is required 1875 */ 1876 static int 1877 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1878 { 1879 1880 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1881 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1882 return (ESRCH); 1883 } 1884 return (0); 1885 } 1886 1887 /* 1888 * 'see_other_gids' determines whether or not visibility of processes 1889 * and sockets with credentials holding different real gids is possible 1890 * using a variety of system MIBs. 1891 * XXX: data declarations should be together near the beginning of the file. 1892 */ 1893 static int see_other_gids = 1; 1894 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1895 &see_other_gids, 0, 1896 "Unprivileged processes may see subjects/objects with different real gid"); 1897 1898 /* 1899 * Determine if u1 can "see" the subject specified by u2, according to the 1900 * 'see_other_gids' policy. 1901 * Returns: 0 for permitted, ESRCH otherwise 1902 * Locks: none 1903 * References: *u1 and *u2 must not change during the call 1904 * u1 may equal u2, in which case only one reference is required 1905 */ 1906 static int 1907 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1908 { 1909 if (see_other_gids) 1910 return (0); 1911 1912 /* Restriction in force. */ 1913 1914 if (realgroupmember(u1->cr_rgid, u2)) 1915 return (0); 1916 1917 for (int i = 0; i < u1->cr_ngroups; i++) 1918 if (realgroupmember(u1->cr_groups[i], u2)) 1919 return (0); 1920 1921 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0) 1922 return (0); 1923 1924 return (ESRCH); 1925 } 1926 1927 /* 1928 * 'see_jail_proc' determines whether or not visibility of processes and 1929 * sockets with credentials holding different jail ids is possible using a 1930 * variety of system MIBs. 1931 * 1932 * XXX: data declarations should be together near the beginning of the file. 1933 */ 1934 1935 static int see_jail_proc = 1; 1936 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1937 &see_jail_proc, 0, 1938 "Unprivileged processes may see subjects/objects with different jail ids"); 1939 1940 /*- 1941 * Determine if u1 "can see" the subject specified by u2, according to the 1942 * 'see_jail_proc' policy. 1943 * Returns: 0 for permitted, ESRCH otherwise 1944 * Locks: none 1945 * References: *u1 and *u2 must not change during the call 1946 * u1 may equal u2, in which case only one reference is required 1947 */ 1948 static int 1949 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1950 { 1951 if (see_jail_proc || /* Policy deactivated. */ 1952 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1953 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1954 return (0); 1955 1956 return (ESRCH); 1957 } 1958 1959 /* 1960 * Determine if u1 can tamper with the subject specified by u2, if they are in 1961 * different jails and 'unprivileged_parent_tampering' jail policy allows it. 1962 * 1963 * May be called if u1 and u2 are in the same jail, but it is expected that the 1964 * caller has already done a prison_check() prior to calling it. 1965 * 1966 * Returns: 0 for permitted, EPERM otherwise 1967 */ 1968 static int 1969 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv) 1970 { 1971 1972 MPASS(prison_check(u1, u2) == 0); 1973 if (u1->cr_prison == u2->cr_prison) 1974 return (0); 1975 1976 if (priv_check_cred(u1, priv) == 0) 1977 return (0); 1978 1979 /* 1980 * Jails do not maintain a distinct UID space, so process visibility is 1981 * all that would control an unprivileged process' ability to tamper 1982 * with a process in a subjail by default if we did not have the 1983 * allow.unprivileged_parent_tampering knob to restrict it by default. 1984 */ 1985 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER)) 1986 return (0); 1987 1988 return (EPERM); 1989 } 1990 1991 /* 1992 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1993 * policies. Determines if u1 "can see" u2 according to these policies. 1994 * Returns: 0 for permitted, ESRCH otherwise 1995 */ 1996 int 1997 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1998 { 1999 int error; 2000 2001 error = cr_canseeotheruids(u1, u2); 2002 if (error != 0) 2003 return (error); 2004 error = cr_canseeothergids(u1, u2); 2005 if (error != 0) 2006 return (error); 2007 error = cr_canseejailproc(u1, u2); 2008 if (error != 0) 2009 return (error); 2010 return (0); 2011 } 2012 2013 /*- 2014 * Determine if u1 "can see" the subject specified by u2. 2015 * Returns: 0 for permitted, an errno value otherwise 2016 * Locks: none 2017 * References: *u1 and *u2 must not change during the call 2018 * u1 may equal u2, in which case only one reference is required 2019 */ 2020 int 2021 cr_cansee(struct ucred *u1, struct ucred *u2) 2022 { 2023 int error; 2024 2025 if ((error = prison_check(u1, u2))) 2026 return (error); 2027 #ifdef MAC 2028 if ((error = mac_cred_check_visible(u1, u2))) 2029 return (error); 2030 #endif 2031 if ((error = cr_bsd_visible(u1, u2))) 2032 return (error); 2033 return (0); 2034 } 2035 2036 /*- 2037 * Determine if td "can see" the subject specified by p. 2038 * Returns: 0 for permitted, an errno value otherwise 2039 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 2040 * should be curthread. 2041 * References: td and p must be valid for the lifetime of the call 2042 */ 2043 int 2044 p_cansee(struct thread *td, struct proc *p) 2045 { 2046 /* Wrap cr_cansee() for all functionality. */ 2047 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2048 PROC_LOCK_ASSERT(p, MA_OWNED); 2049 2050 if (td->td_proc == p) 2051 return (0); 2052 return (cr_cansee(td->td_ucred, p->p_ucred)); 2053 } 2054 2055 /* 2056 * 'conservative_signals' prevents the delivery of a broad class of 2057 * signals by unprivileged processes to processes that have changed their 2058 * credentials since the last invocation of execve(). This can prevent 2059 * the leakage of cached information or retained privileges as a result 2060 * of a common class of signal-related vulnerabilities. However, this 2061 * may interfere with some applications that expect to be able to 2062 * deliver these signals to peer processes after having given up 2063 * privilege. 2064 */ 2065 static int conservative_signals = 1; 2066 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 2067 &conservative_signals, 0, "Unprivileged processes prevented from " 2068 "sending certain signals to processes whose credentials have changed"); 2069 /*- 2070 * Determine whether cred may deliver the specified signal to proc. 2071 * Returns: 0 for permitted, an errno value otherwise. 2072 * Locks: A lock must be held for proc. 2073 * References: cred and proc must be valid for the lifetime of the call. 2074 */ 2075 int 2076 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 2077 { 2078 int error; 2079 2080 PROC_LOCK_ASSERT(proc, MA_OWNED); 2081 /* 2082 * Jail semantics limit the scope of signalling to proc in the 2083 * same jail as cred, if cred is in jail. 2084 */ 2085 error = prison_check(cred, proc->p_ucred); 2086 if (error) 2087 return (error); 2088 #ifdef MAC 2089 if ((error = mac_proc_check_signal(cred, proc, signum))) 2090 return (error); 2091 #endif 2092 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 2093 return (error); 2094 2095 /* 2096 * UNIX signal semantics depend on the status of the P_SUGID 2097 * bit on the target process. If the bit is set, then additional 2098 * restrictions are placed on the set of available signals. 2099 */ 2100 if (conservative_signals && (proc->p_flag & P_SUGID)) { 2101 switch (signum) { 2102 case 0: 2103 case SIGKILL: 2104 case SIGINT: 2105 case SIGTERM: 2106 case SIGALRM: 2107 case SIGSTOP: 2108 case SIGTTIN: 2109 case SIGTTOU: 2110 case SIGTSTP: 2111 case SIGHUP: 2112 case SIGUSR1: 2113 case SIGUSR2: 2114 /* 2115 * Generally, permit job and terminal control 2116 * signals. 2117 */ 2118 break; 2119 default: 2120 /* Not permitted without privilege. */ 2121 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 2122 if (error) 2123 return (error); 2124 } 2125 } 2126 2127 /* 2128 * Generally, the target credential's ruid or svuid must match the 2129 * subject credential's ruid or euid. 2130 */ 2131 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 2132 cred->cr_ruid != proc->p_ucred->cr_svuid && 2133 cred->cr_uid != proc->p_ucred->cr_ruid && 2134 cred->cr_uid != proc->p_ucred->cr_svuid) { 2135 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 2136 if (error) 2137 return (error); 2138 } 2139 2140 /* 2141 * At this point, the target may be in a different jail than the 2142 * subject -- the subject must be in a parent jail to the target, 2143 * whether it is prison0 or a subordinate of prison0 that has 2144 * children. Additional privileges are required to allow this, as 2145 * whether the creds are truly equivalent or not must be determined on 2146 * a case-by-case basis. 2147 */ 2148 error = cr_can_tamper_with_subjail(cred, proc->p_ucred, 2149 PRIV_SIGNAL_DIFFJAIL); 2150 if (error) 2151 return (error); 2152 2153 return (0); 2154 } 2155 2156 /*- 2157 * Determine whether td may deliver the specified signal to p. 2158 * Returns: 0 for permitted, an errno value otherwise 2159 * Locks: Sufficient locks to protect various components of td and p 2160 * must be held. td must be curthread, and a lock must be 2161 * held for p. 2162 * References: td and p must be valid for the lifetime of the call 2163 */ 2164 int 2165 p_cansignal(struct thread *td, struct proc *p, int signum) 2166 { 2167 2168 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2169 PROC_LOCK_ASSERT(p, MA_OWNED); 2170 if (td->td_proc == p) 2171 return (0); 2172 2173 /* 2174 * UNIX signalling semantics require that processes in the same 2175 * session always be able to deliver SIGCONT to one another, 2176 * overriding the remaining protections. 2177 */ 2178 /* XXX: This will require an additional lock of some sort. */ 2179 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 2180 return (0); 2181 /* 2182 * Some compat layers use SIGTHR and higher signals for 2183 * communication between different kernel threads of the same 2184 * process, so that they expect that it's always possible to 2185 * deliver them, even for suid applications where cr_cansignal() can 2186 * deny such ability for security consideration. It should be 2187 * pretty safe to do since the only way to create two processes 2188 * with the same p_leader is via rfork(2). 2189 */ 2190 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 2191 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 2192 return (0); 2193 2194 return (cr_cansignal(td->td_ucred, p, signum)); 2195 } 2196 2197 /*- 2198 * Determine whether td may reschedule p. 2199 * Returns: 0 for permitted, an errno value otherwise 2200 * Locks: Sufficient locks to protect various components of td and p 2201 * must be held. td must be curthread, and a lock must 2202 * be held for p. 2203 * References: td and p must be valid for the lifetime of the call 2204 */ 2205 int 2206 p_cansched(struct thread *td, struct proc *p) 2207 { 2208 int error; 2209 2210 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2211 PROC_LOCK_ASSERT(p, MA_OWNED); 2212 if (td->td_proc == p) 2213 return (0); 2214 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2215 return (error); 2216 #ifdef MAC 2217 if ((error = mac_proc_check_sched(td->td_ucred, p))) 2218 return (error); 2219 #endif 2220 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2221 return (error); 2222 2223 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 2224 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 2225 error = priv_check(td, PRIV_SCHED_DIFFCRED); 2226 if (error) 2227 return (error); 2228 } 2229 2230 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2231 PRIV_SCHED_DIFFJAIL); 2232 if (error) 2233 return (error); 2234 2235 return (0); 2236 } 2237 2238 /* 2239 * Handle getting or setting the prison's unprivileged_proc_debug 2240 * value. 2241 */ 2242 static int 2243 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 2244 { 2245 int error, val; 2246 2247 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 2248 error = sysctl_handle_int(oidp, &val, 0, req); 2249 if (error != 0 || req->newptr == NULL) 2250 return (error); 2251 if (val != 0 && val != 1) 2252 return (EINVAL); 2253 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 2254 return (0); 2255 } 2256 2257 /* 2258 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 2259 * unprivileged inter-process debugging services, including some procfs 2260 * functionality, ptrace(), and ktrace(). In the past, inter-process 2261 * debugging has been involved in a variety of security problems, and sites 2262 * not requiring the service might choose to disable it when hardening 2263 * systems. 2264 */ 2265 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 2266 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 2267 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 2268 "Unprivileged processes may use process debugging facilities"); 2269 2270 /* 2271 * Return true if the object owner/group ids are subset of the active 2272 * credentials. 2273 */ 2274 bool 2275 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred) 2276 { 2277 int i; 2278 bool grpsubset, uidsubset; 2279 2280 /* 2281 * Is p's group set a subset of td's effective group set? This 2282 * includes p's egid, group access list, rgid, and svgid. 2283 */ 2284 grpsubset = true; 2285 for (i = 0; i < obj_cred->cr_ngroups; i++) { 2286 if (!groupmember(obj_cred->cr_groups[i], active_cred)) { 2287 grpsubset = false; 2288 break; 2289 } 2290 } 2291 grpsubset = grpsubset && 2292 groupmember(obj_cred->cr_gid, active_cred) && 2293 groupmember(obj_cred->cr_rgid, active_cred) && 2294 groupmember(obj_cred->cr_svgid, active_cred); 2295 2296 /* 2297 * Are the uids present in obj_cred's credential equal to 2298 * active_cred's effective uid? This includes obj_cred's 2299 * euid, svuid, and ruid. 2300 */ 2301 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid && 2302 active_cred->cr_uid == obj_cred->cr_svuid && 2303 active_cred->cr_uid == obj_cred->cr_ruid); 2304 2305 return (uidsubset && grpsubset); 2306 } 2307 2308 /*- 2309 * Determine whether td may debug p. 2310 * Returns: 0 for permitted, an errno value otherwise 2311 * Locks: Sufficient locks to protect various components of td and p 2312 * must be held. td must be curthread, and a lock must 2313 * be held for p. 2314 * References: td and p must be valid for the lifetime of the call 2315 */ 2316 int 2317 p_candebug(struct thread *td, struct proc *p) 2318 { 2319 int error; 2320 2321 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2322 PROC_LOCK_ASSERT(p, MA_OWNED); 2323 if (td->td_proc == p) 2324 return (0); 2325 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 2326 return (error); 2327 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2328 return (error); 2329 #ifdef MAC 2330 if ((error = mac_proc_check_debug(td->td_ucred, p))) 2331 return (error); 2332 #endif 2333 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2334 return (error); 2335 2336 /* 2337 * If p's gids aren't a subset, or the uids aren't a subset, 2338 * or the credential has changed, require appropriate privilege 2339 * for td to debug p. 2340 */ 2341 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) { 2342 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 2343 if (error) 2344 return (error); 2345 } 2346 2347 /* 2348 * Has the credential of the process changed since the last exec()? 2349 */ 2350 if ((p->p_flag & P_SUGID) != 0) { 2351 error = priv_check(td, PRIV_DEBUG_SUGID); 2352 if (error) 2353 return (error); 2354 } 2355 2356 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2357 PRIV_DEBUG_DIFFJAIL); 2358 if (error) 2359 return (error); 2360 2361 /* Can't trace init when securelevel > 0. */ 2362 if (p == initproc) { 2363 error = securelevel_gt(td->td_ucred, 0); 2364 if (error) 2365 return (error); 2366 } 2367 2368 /* 2369 * Can't trace a process that's currently exec'ing. 2370 * 2371 * XXX: Note, this is not a security policy decision, it's a 2372 * basic correctness/functionality decision. Therefore, this check 2373 * should be moved to the caller's of p_candebug(). 2374 */ 2375 if ((p->p_flag & P_INEXEC) != 0) 2376 return (EBUSY); 2377 2378 /* Denied explicitly */ 2379 if ((p->p_flag2 & P2_NOTRACE) != 0) { 2380 error = priv_check(td, PRIV_DEBUG_DENIED); 2381 if (error != 0) 2382 return (error); 2383 } 2384 2385 return (0); 2386 } 2387 2388 /*- 2389 * Determine whether the subject represented by cred can "see" a socket. 2390 * Returns: 0 for permitted, ENOENT otherwise. 2391 */ 2392 int 2393 cr_canseesocket(struct ucred *cred, struct socket *so) 2394 { 2395 int error; 2396 2397 error = prison_check(cred, so->so_cred); 2398 if (error) 2399 return (ENOENT); 2400 #ifdef MAC 2401 error = mac_socket_check_visible(cred, so); 2402 if (error) 2403 return (error); 2404 #endif 2405 if (cr_bsd_visible(cred, so->so_cred)) 2406 return (ENOENT); 2407 2408 return (0); 2409 } 2410 2411 /*- 2412 * Determine whether td can wait for the exit of p. 2413 * Returns: 0 for permitted, an errno value otherwise 2414 * Locks: Sufficient locks to protect various components of td and p 2415 * must be held. td must be curthread, and a lock must 2416 * be held for p. 2417 * References: td and p must be valid for the lifetime of the call 2418 2419 */ 2420 int 2421 p_canwait(struct thread *td, struct proc *p) 2422 { 2423 int error; 2424 2425 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2426 PROC_LOCK_ASSERT(p, MA_OWNED); 2427 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2428 return (error); 2429 #ifdef MAC 2430 if ((error = mac_proc_check_wait(td->td_ucred, p))) 2431 return (error); 2432 #endif 2433 #if 0 2434 /* XXXMAC: This could have odd effects on some shells. */ 2435 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2436 return (error); 2437 #endif 2438 2439 return (0); 2440 } 2441 2442 /* 2443 * Credential management. 2444 * 2445 * struct ucred objects are rarely allocated but gain and lose references all 2446 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 2447 * a significant source of cache-line ping ponging. Common cases are worked 2448 * around by modifying thread-local counter instead if the cred to operate on 2449 * matches td_realucred. 2450 * 2451 * The counter is split into 2 parts: 2452 * - cr_users -- total count of all struct proc and struct thread objects 2453 * which have given cred in p_ucred and td_ucred respectively 2454 * - cr_ref -- the actual ref count, only valid if cr_users == 0 2455 * 2456 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 2457 * the count reaches 0 the object is freeable. 2458 * If users > 0 and curthread->td_realucred == cred, then updates are performed 2459 * against td_ucredref. 2460 * In other cases updates are performed against cr_ref. 2461 * 2462 * Changing td_realucred into something else decrements cr_users and transfers 2463 * accumulated updates. 2464 */ 2465 struct ucred * 2466 crcowget(struct ucred *cr) 2467 { 2468 2469 mtx_lock(&cr->cr_mtx); 2470 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2471 __func__, cr->cr_users, cr)); 2472 cr->cr_users++; 2473 cr->cr_ref++; 2474 mtx_unlock(&cr->cr_mtx); 2475 return (cr); 2476 } 2477 2478 static struct ucred * 2479 crunuse(struct thread *td) 2480 { 2481 struct ucred *cr, *crold; 2482 2483 MPASS(td->td_realucred == td->td_ucred); 2484 cr = td->td_realucred; 2485 mtx_lock(&cr->cr_mtx); 2486 cr->cr_ref += td->td_ucredref; 2487 td->td_ucredref = 0; 2488 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2489 __func__, cr->cr_users, cr)); 2490 cr->cr_users--; 2491 if (cr->cr_users == 0) { 2492 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2493 __func__, cr->cr_ref, cr)); 2494 crold = cr; 2495 } else { 2496 cr->cr_ref--; 2497 crold = NULL; 2498 } 2499 mtx_unlock(&cr->cr_mtx); 2500 td->td_realucred = NULL; 2501 return (crold); 2502 } 2503 2504 static void 2505 crunusebatch(struct ucred *cr, u_int users, long ref) 2506 { 2507 2508 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2509 __func__, users, cr)); 2510 mtx_lock(&cr->cr_mtx); 2511 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2512 __func__, cr->cr_users, users, cr)); 2513 cr->cr_users -= users; 2514 cr->cr_ref += ref; 2515 cr->cr_ref -= users; 2516 if (cr->cr_users > 0) { 2517 mtx_unlock(&cr->cr_mtx); 2518 return; 2519 } 2520 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2521 __func__, cr->cr_ref, cr)); 2522 if (cr->cr_ref > 0) { 2523 mtx_unlock(&cr->cr_mtx); 2524 return; 2525 } 2526 crfree_final(cr); 2527 } 2528 2529 void 2530 crcowfree(struct thread *td) 2531 { 2532 struct ucred *cr; 2533 2534 cr = crunuse(td); 2535 if (cr != NULL) 2536 crfree(cr); 2537 } 2538 2539 struct ucred * 2540 crcowsync(void) 2541 { 2542 struct thread *td; 2543 struct proc *p; 2544 struct ucred *crnew, *crold; 2545 2546 td = curthread; 2547 p = td->td_proc; 2548 PROC_LOCK_ASSERT(p, MA_OWNED); 2549 2550 MPASS(td->td_realucred == td->td_ucred); 2551 if (td->td_realucred == p->p_ucred) 2552 return (NULL); 2553 2554 crnew = crcowget(p->p_ucred); 2555 crold = crunuse(td); 2556 td->td_realucred = crnew; 2557 td->td_ucred = td->td_realucred; 2558 return (crold); 2559 } 2560 2561 /* 2562 * Batching. 2563 */ 2564 void 2565 credbatch_add(struct credbatch *crb, struct thread *td) 2566 { 2567 struct ucred *cr; 2568 2569 MPASS(td->td_realucred != NULL); 2570 MPASS(td->td_realucred == td->td_ucred); 2571 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2572 cr = td->td_realucred; 2573 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2574 __func__, cr->cr_users, cr)); 2575 if (crb->cred != cr) { 2576 if (crb->users > 0) { 2577 MPASS(crb->cred != NULL); 2578 crunusebatch(crb->cred, crb->users, crb->ref); 2579 crb->users = 0; 2580 crb->ref = 0; 2581 } 2582 } 2583 crb->cred = cr; 2584 crb->users++; 2585 crb->ref += td->td_ucredref; 2586 td->td_ucredref = 0; 2587 td->td_realucred = NULL; 2588 } 2589 2590 void 2591 credbatch_final(struct credbatch *crb) 2592 { 2593 2594 MPASS(crb->cred != NULL); 2595 MPASS(crb->users > 0); 2596 crunusebatch(crb->cred, crb->users, crb->ref); 2597 } 2598 2599 /* 2600 * Allocate a zeroed cred structure. 2601 */ 2602 struct ucred * 2603 crget(void) 2604 { 2605 struct ucred *cr; 2606 2607 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2608 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2609 cr->cr_ref = 1; 2610 #ifdef AUDIT 2611 audit_cred_init(cr); 2612 #endif 2613 #ifdef MAC 2614 mac_cred_init(cr); 2615 #endif 2616 cr->cr_groups = cr->cr_smallgroups; 2617 cr->cr_agroups = nitems(cr->cr_smallgroups); 2618 return (cr); 2619 } 2620 2621 /* 2622 * Claim another reference to a ucred structure. 2623 */ 2624 struct ucred * 2625 crhold(struct ucred *cr) 2626 { 2627 struct thread *td; 2628 2629 td = curthread; 2630 if (__predict_true(td->td_realucred == cr)) { 2631 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2632 __func__, cr->cr_users, cr)); 2633 td->td_ucredref++; 2634 return (cr); 2635 } 2636 mtx_lock(&cr->cr_mtx); 2637 cr->cr_ref++; 2638 mtx_unlock(&cr->cr_mtx); 2639 return (cr); 2640 } 2641 2642 /* 2643 * Free a cred structure. Throws away space when ref count gets to 0. 2644 */ 2645 void 2646 crfree(struct ucred *cr) 2647 { 2648 struct thread *td; 2649 2650 td = curthread; 2651 if (__predict_true(td->td_realucred == cr)) { 2652 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2653 __func__, cr->cr_users, cr)); 2654 td->td_ucredref--; 2655 return; 2656 } 2657 mtx_lock(&cr->cr_mtx); 2658 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2659 __func__, cr->cr_users, cr)); 2660 cr->cr_ref--; 2661 if (cr->cr_users > 0) { 2662 mtx_unlock(&cr->cr_mtx); 2663 return; 2664 } 2665 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2666 __func__, cr->cr_ref, cr)); 2667 if (cr->cr_ref > 0) { 2668 mtx_unlock(&cr->cr_mtx); 2669 return; 2670 } 2671 crfree_final(cr); 2672 } 2673 2674 static void 2675 crfree_final(struct ucred *cr) 2676 { 2677 2678 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2679 __func__, cr->cr_users, cr)); 2680 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2681 __func__, cr->cr_ref, cr)); 2682 2683 /* 2684 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2685 * credential, but don't allocate a uidinfo structure. 2686 */ 2687 if (cr->cr_uidinfo != NULL) 2688 uifree(cr->cr_uidinfo); 2689 if (cr->cr_ruidinfo != NULL) 2690 uifree(cr->cr_ruidinfo); 2691 if (cr->cr_prison != NULL) 2692 prison_free(cr->cr_prison); 2693 if (cr->cr_loginclass != NULL) 2694 loginclass_free(cr->cr_loginclass); 2695 #ifdef AUDIT 2696 audit_cred_destroy(cr); 2697 #endif 2698 #ifdef MAC 2699 mac_cred_destroy(cr); 2700 #endif 2701 mtx_destroy(&cr->cr_mtx); 2702 if (cr->cr_groups != cr->cr_smallgroups) 2703 free(cr->cr_groups, M_CRED); 2704 free(cr, M_CRED); 2705 } 2706 2707 /* 2708 * Copy a ucred's contents from a template. Does not block. 2709 */ 2710 void 2711 crcopy(struct ucred *dest, struct ucred *src) 2712 { 2713 2714 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2715 (unsigned)((caddr_t)&src->cr_endcopy - 2716 (caddr_t)&src->cr_startcopy)); 2717 dest->cr_flags = src->cr_flags; 2718 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2719 uihold(dest->cr_uidinfo); 2720 uihold(dest->cr_ruidinfo); 2721 prison_hold(dest->cr_prison); 2722 loginclass_hold(dest->cr_loginclass); 2723 #ifdef AUDIT 2724 audit_cred_copy(src, dest); 2725 #endif 2726 #ifdef MAC 2727 mac_cred_copy(src, dest); 2728 #endif 2729 } 2730 2731 /* 2732 * Dup cred struct to a new held one. 2733 */ 2734 struct ucred * 2735 crdup(struct ucred *cr) 2736 { 2737 struct ucred *newcr; 2738 2739 newcr = crget(); 2740 crcopy(newcr, cr); 2741 return (newcr); 2742 } 2743 2744 /* 2745 * Fill in a struct xucred based on a struct ucred. 2746 */ 2747 void 2748 cru2x(struct ucred *cr, struct xucred *xcr) 2749 { 2750 int ngroups; 2751 2752 bzero(xcr, sizeof(*xcr)); 2753 xcr->cr_version = XUCRED_VERSION; 2754 xcr->cr_uid = cr->cr_uid; 2755 xcr->cr_gid = cr->cr_gid; 2756 2757 /* 2758 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so 2759 * this is kind of ugly; cr_ngroups still includes the egid for our 2760 * purposes to avoid bumping the xucred version. 2761 */ 2762 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups)); 2763 xcr->cr_ngroups = ngroups; 2764 bcopy(cr->cr_groups, xcr->cr_sgroups, 2765 (ngroups - 1) * sizeof(*cr->cr_groups)); 2766 } 2767 2768 void 2769 cru2xt(struct thread *td, struct xucred *xcr) 2770 { 2771 2772 cru2x(td->td_ucred, xcr); 2773 xcr->cr_pid = td->td_proc->p_pid; 2774 } 2775 2776 /* 2777 * Change process credentials. 2778 * 2779 * Callers are responsible for providing the reference for passed credentials 2780 * and for freeing old ones. Calls chgproccnt() to correctly account the 2781 * current process to the proper real UID, if the latter has changed. Returns 2782 * whether the operation was successful. Failure can happen only on 2783 * 'enforce_proc_lim' being true and if no new process can be accounted to the 2784 * new real UID because of the current limit (see the inner comment for more 2785 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override 2786 * that. 2787 */ 2788 static bool 2789 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim) 2790 { 2791 struct ucred *const oldcred = p->p_ucred; 2792 2793 MPASS(oldcred != NULL); 2794 PROC_LOCK_ASSERT(p, MA_OWNED); 2795 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2796 __func__, newcred->cr_users, newcred)); 2797 KASSERT(newcred->cr_ref == 1, ("%s: ref %ld not 1 on cred %p", 2798 __func__, newcred->cr_ref, newcred)); 2799 2800 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) { 2801 /* 2802 * XXXOC: This check is flawed but nonetheless the best we can 2803 * currently do as we don't really track limits per UID contrary 2804 * to what we pretend in setrlimit(2). Until this is reworked, 2805 * we just check here that the number of processes for our new 2806 * real UID doesn't exceed this process' process number limit 2807 * (which is meant to be associated with the current real UID). 2808 */ 2809 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1, 2810 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0); 2811 2812 if (!proccnt_changed) { 2813 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0) 2814 return (false); 2815 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2816 } 2817 } 2818 2819 mtx_lock(&oldcred->cr_mtx); 2820 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2821 __func__, oldcred->cr_users, oldcred)); 2822 oldcred->cr_users--; 2823 mtx_unlock(&oldcred->cr_mtx); 2824 p->p_ucred = newcred; 2825 newcred->cr_users = 1; 2826 PROC_UPDATE_COW(p); 2827 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) 2828 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0); 2829 return (true); 2830 } 2831 2832 void 2833 proc_set_cred(struct proc *p, struct ucred *newcred) 2834 { 2835 bool success __diagused = _proc_set_cred(p, newcred, false); 2836 2837 MPASS(success); 2838 } 2839 2840 bool 2841 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred) 2842 { 2843 return (_proc_set_cred(p, newcred, true)); 2844 } 2845 2846 void 2847 proc_unset_cred(struct proc *p, bool decrement_proc_count) 2848 { 2849 struct ucred *cr; 2850 2851 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2852 cr = p->p_ucred; 2853 p->p_ucred = NULL; 2854 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2855 __func__, cr->cr_users, cr)); 2856 mtx_lock(&cr->cr_mtx); 2857 cr->cr_users--; 2858 if (cr->cr_users == 0) 2859 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2860 __func__, cr->cr_ref, cr)); 2861 mtx_unlock(&cr->cr_mtx); 2862 if (decrement_proc_count) 2863 (void)chgproccnt(cr->cr_ruidinfo, -1, 0); 2864 crfree(cr); 2865 } 2866 2867 struct ucred * 2868 crcopysafe(struct proc *p, struct ucred *cr) 2869 { 2870 struct ucred *oldcred; 2871 int groups; 2872 2873 PROC_LOCK_ASSERT(p, MA_OWNED); 2874 2875 oldcred = p->p_ucred; 2876 while (cr->cr_agroups < oldcred->cr_ngroups) { 2877 groups = oldcred->cr_ngroups; 2878 PROC_UNLOCK(p); 2879 crextend(cr, groups); 2880 PROC_LOCK(p); 2881 oldcred = p->p_ucred; 2882 } 2883 crcopy(cr, oldcred); 2884 2885 return (oldcred); 2886 } 2887 2888 /* 2889 * Extend the passed-in credentials to hold n groups. 2890 * 2891 * Must not be called after groups have been set. 2892 */ 2893 void 2894 crextend(struct ucred *cr, int n) 2895 { 2896 size_t nbytes; 2897 2898 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2899 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0, 2900 "groups on 'cr' already set!"); 2901 groups_check_positive_len(n); 2902 groups_check_max_len(n); 2903 2904 if (n <= cr->cr_agroups) 2905 return; 2906 2907 nbytes = n * sizeof(gid_t); 2908 if (nbytes < n) 2909 panic("Too many groups (memory size overflow)! " 2910 "Computation of 'kern.ngroups' should have prevented this, " 2911 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2912 2913 /* 2914 * We allocate a power of 2 larger than 'nbytes', except when that 2915 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2916 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2917 * below) but do not need to for sizeof(gid_t). 2918 */ 2919 if (nbytes < PAGE_SIZE) { 2920 if (!powerof2(nbytes)) 2921 /* fls*() return a bit index starting at 1. */ 2922 nbytes = 1 << flsl(nbytes); 2923 } else 2924 nbytes = roundup2(nbytes, PAGE_SIZE); 2925 2926 /* Free the old array. */ 2927 if (cr->cr_groups != cr->cr_smallgroups) 2928 free(cr->cr_groups, M_CRED); 2929 2930 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2931 cr->cr_agroups = nbytes / sizeof(gid_t); 2932 } 2933 2934 /* 2935 * Normalizes a set of groups to be applied to a 'struct ucred'. 2936 * 2937 * Normalization ensures that the supplementary groups are sorted in ascending 2938 * order and do not contain duplicates. This allows group_is_supplementary() to 2939 * do a binary search. 2940 */ 2941 static void 2942 groups_normalize(int *ngrp, gid_t *groups) 2943 { 2944 gid_t prev_g; 2945 int ins_idx; 2946 2947 groups_check_positive_len(*ngrp); 2948 groups_check_max_len(*ngrp); 2949 2950 if (*ngrp <= 1) 2951 return; 2952 2953 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp); 2954 2955 /* Remove duplicates. */ 2956 prev_g = groups[0]; 2957 ins_idx = 1; 2958 for (int i = ins_idx; i < *ngrp; ++i) { 2959 const gid_t g = groups[i]; 2960 2961 if (g != prev_g) { 2962 if (i != ins_idx) 2963 groups[ins_idx] = g; 2964 ++ins_idx; 2965 prev_g = g; 2966 } 2967 } 2968 *ngrp = ins_idx; 2969 2970 groups_check_normalized(*ngrp, groups); 2971 } 2972 2973 /* 2974 * Internal function copying groups into a credential. 2975 * 2976 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2977 * been normalized in advance (see groups_normalize()), else it must be so 2978 * before the structure is to be used again. 2979 * 2980 * This function is suitable to be used under any lock (it doesn't take any lock 2981 * itself nor sleep, and in particular doesn't allocate memory). crextend() 2982 * must have been called beforehand to ensure sufficient space is available. 2983 * See also crsetgroups(), which handles that. 2984 */ 2985 static void 2986 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 2987 { 2988 2989 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2990 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 2991 groups_check_positive_len(ngrp); 2992 2993 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2994 cr->cr_ngroups = ngrp; 2995 cr->cr_flags |= CRED_FLAG_GROUPSET; 2996 } 2997 2998 /* 2999 * Copy groups in to a credential after expanding it if required. 3000 * 3001 * May sleep in order to allocate memory (except if, e.g., crextend() was called 3002 * before with 'ngrp' or greater). Truncates the list to 'ngroups_max' if 3003 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 3004 * positive. 3005 */ 3006 void 3007 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 3008 { 3009 3010 if (ngrp > ngroups_max) 3011 ngrp = ngroups_max; 3012 cr->cr_ngroups = 0; 3013 if (ngrp == 0) { 3014 cr->cr_flags |= CRED_FLAG_GROUPSET; 3015 return; 3016 } 3017 3018 /* 3019 * crextend() asserts that groups are not set, as it may allocate a new 3020 * backing storage without copying the content of the old one. Since we 3021 * are going to install a completely new set anyway, signal that we 3022 * consider the old ones thrown away. 3023 */ 3024 cr->cr_flags &= ~CRED_FLAG_GROUPSET; 3025 3026 crextend(cr, ngrp); 3027 crsetgroups_internal(cr, ngrp, groups); 3028 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 3029 } 3030 3031 /* 3032 * Same as crsetgroups() but sets the effective GID as well. 3033 * 3034 * This function ensures that an effective GID is always present in credentials. 3035 * An empty array will only set the effective GID to 'default_egid', while 3036 * a non-empty array will peel off groups[0] to set as the effective GID and use 3037 * the remainder, if any, as supplementary groups. 3038 */ 3039 void 3040 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups, 3041 const gid_t default_egid) 3042 { 3043 if (ngrp == 0) { 3044 cr->cr_gid = default_egid; 3045 cr->cr_ngroups = 0; 3046 cr->cr_flags |= CRED_FLAG_GROUPSET; 3047 return; 3048 } 3049 3050 crsetgroups(cr, ngrp - 1, groups + 1); 3051 cr->cr_gid = groups[0]; 3052 } 3053 3054 /* 3055 * Get login name, if available. 3056 */ 3057 #ifndef _SYS_SYSPROTO_H_ 3058 struct getlogin_args { 3059 char *namebuf; 3060 u_int namelen; 3061 }; 3062 #endif 3063 /* ARGSUSED */ 3064 int 3065 sys_getlogin(struct thread *td, struct getlogin_args *uap) 3066 { 3067 char login[MAXLOGNAME]; 3068 struct proc *p = td->td_proc; 3069 size_t len; 3070 3071 if (uap->namelen > MAXLOGNAME) 3072 uap->namelen = MAXLOGNAME; 3073 PROC_LOCK(p); 3074 SESS_LOCK(p->p_session); 3075 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 3076 SESS_UNLOCK(p->p_session); 3077 PROC_UNLOCK(p); 3078 if (len > uap->namelen) 3079 return (ERANGE); 3080 return (copyout(login, uap->namebuf, len)); 3081 } 3082 3083 /* 3084 * Set login name. 3085 */ 3086 #ifndef _SYS_SYSPROTO_H_ 3087 struct setlogin_args { 3088 char *namebuf; 3089 }; 3090 #endif 3091 /* ARGSUSED */ 3092 int 3093 sys_setlogin(struct thread *td, struct setlogin_args *uap) 3094 { 3095 struct proc *p = td->td_proc; 3096 int error; 3097 char logintmp[MAXLOGNAME]; 3098 3099 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 3100 3101 error = priv_check(td, PRIV_PROC_SETLOGIN); 3102 if (error) 3103 return (error); 3104 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 3105 if (error != 0) { 3106 if (error == ENAMETOOLONG) 3107 error = EINVAL; 3108 return (error); 3109 } 3110 AUDIT_ARG_LOGIN(logintmp); 3111 PROC_LOCK(p); 3112 SESS_LOCK(p->p_session); 3113 strcpy(p->p_session->s_login, logintmp); 3114 SESS_UNLOCK(p->p_session); 3115 PROC_UNLOCK(p); 3116 return (0); 3117 } 3118 3119 void 3120 setsugid(struct proc *p) 3121 { 3122 3123 PROC_LOCK_ASSERT(p, MA_OWNED); 3124 p->p_flag |= P_SUGID; 3125 } 3126 3127 /*- 3128 * Change a process's effective uid. 3129 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 3130 * References: newcred must be an exclusive credential reference for the 3131 * duration of the call. 3132 */ 3133 void 3134 change_euid(struct ucred *newcred, struct uidinfo *euip) 3135 { 3136 3137 newcred->cr_uid = euip->ui_uid; 3138 uihold(euip); 3139 uifree(newcred->cr_uidinfo); 3140 newcred->cr_uidinfo = euip; 3141 } 3142 3143 /*- 3144 * Change a process's effective gid. 3145 * Side effects: newcred->cr_gid will be modified. 3146 * References: newcred must be an exclusive credential reference for the 3147 * duration of the call. 3148 */ 3149 void 3150 change_egid(struct ucred *newcred, gid_t egid) 3151 { 3152 3153 newcred->cr_gid = egid; 3154 } 3155 3156 /*- 3157 * Change a process's real uid. 3158 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 3159 * will be updated. 3160 * References: newcred must be an exclusive credential reference for the 3161 * duration of the call. 3162 */ 3163 void 3164 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 3165 { 3166 3167 newcred->cr_ruid = ruip->ui_uid; 3168 uihold(ruip); 3169 uifree(newcred->cr_ruidinfo); 3170 newcred->cr_ruidinfo = ruip; 3171 } 3172 3173 /*- 3174 * Change a process's real gid. 3175 * Side effects: newcred->cr_rgid will be updated. 3176 * References: newcred must be an exclusive credential reference for the 3177 * duration of the call. 3178 */ 3179 void 3180 change_rgid(struct ucred *newcred, gid_t rgid) 3181 { 3182 3183 newcred->cr_rgid = rgid; 3184 } 3185 3186 /*- 3187 * Change a process's saved uid. 3188 * Side effects: newcred->cr_svuid will be updated. 3189 * References: newcred must be an exclusive credential reference for the 3190 * duration of the call. 3191 */ 3192 void 3193 change_svuid(struct ucred *newcred, uid_t svuid) 3194 { 3195 3196 newcred->cr_svuid = svuid; 3197 } 3198 3199 /*- 3200 * Change a process's saved gid. 3201 * Side effects: newcred->cr_svgid will be updated. 3202 * References: newcred must be an exclusive credential reference for the 3203 * duration of the call. 3204 */ 3205 void 3206 change_svgid(struct ucred *newcred, gid_t svgid) 3207 { 3208 3209 newcred->cr_svgid = svgid; 3210 } 3211 3212 bool allow_ptrace = true; 3213 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 3214 &allow_ptrace, 0, 3215 "Deny ptrace(2) use by returning ENOSYS"); 3216