1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed 9 * to the University of California by American Telephone and Telegraph 10 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11 * the permission of UNIX System Laboratories, Inc. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 4. Neither the name of the University nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 __FBSDID("$FreeBSD$"); 46 47 #include "opt_compat.h" 48 #include "opt_inet.h" 49 #include "opt_inet6.h" 50 #include "opt_mac.h" 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/acct.h> 55 #include <sys/kdb.h> 56 #include <sys/kernel.h> 57 #include <sys/lock.h> 58 #include <sys/malloc.h> 59 #include <sys/mutex.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #include <sys/sysproto.h> 65 #include <sys/jail.h> 66 #include <sys/pioctl.h> 67 #include <sys/resourcevar.h> 68 #include <sys/socket.h> 69 #include <sys/socketvar.h> 70 #include <sys/syscallsubr.h> 71 #include <sys/sysctl.h> 72 #include <sys/vimage.h> 73 74 #if defined(INET) || defined(INET6) 75 #include <netinet/in.h> 76 #include <netinet/in_pcb.h> 77 #endif 78 79 #include <security/audit/audit.h> 80 #include <security/mac/mac_framework.h> 81 82 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 83 84 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 85 86 #ifndef _SYS_SYSPROTO_H_ 87 struct getpid_args { 88 int dummy; 89 }; 90 #endif 91 /* ARGSUSED */ 92 int 93 getpid(struct thread *td, struct getpid_args *uap) 94 { 95 struct proc *p = td->td_proc; 96 97 td->td_retval[0] = p->p_pid; 98 #if defined(COMPAT_43) 99 PROC_LOCK(p); 100 td->td_retval[1] = p->p_pptr->p_pid; 101 PROC_UNLOCK(p); 102 #endif 103 return (0); 104 } 105 106 #ifndef _SYS_SYSPROTO_H_ 107 struct getppid_args { 108 int dummy; 109 }; 110 #endif 111 /* ARGSUSED */ 112 int 113 getppid(struct thread *td, struct getppid_args *uap) 114 { 115 struct proc *p = td->td_proc; 116 117 PROC_LOCK(p); 118 td->td_retval[0] = p->p_pptr->p_pid; 119 PROC_UNLOCK(p); 120 return (0); 121 } 122 123 /* 124 * Get process group ID; note that POSIX getpgrp takes no parameter. 125 */ 126 #ifndef _SYS_SYSPROTO_H_ 127 struct getpgrp_args { 128 int dummy; 129 }; 130 #endif 131 int 132 getpgrp(struct thread *td, struct getpgrp_args *uap) 133 { 134 struct proc *p = td->td_proc; 135 136 PROC_LOCK(p); 137 td->td_retval[0] = p->p_pgrp->pg_id; 138 PROC_UNLOCK(p); 139 return (0); 140 } 141 142 /* Get an arbitary pid's process group id */ 143 #ifndef _SYS_SYSPROTO_H_ 144 struct getpgid_args { 145 pid_t pid; 146 }; 147 #endif 148 int 149 getpgid(struct thread *td, struct getpgid_args *uap) 150 { 151 struct proc *p; 152 int error; 153 154 if (uap->pid == 0) { 155 p = td->td_proc; 156 PROC_LOCK(p); 157 } else { 158 p = pfind(uap->pid); 159 if (p == NULL) 160 return (ESRCH); 161 error = p_cansee(td, p); 162 if (error) { 163 PROC_UNLOCK(p); 164 return (error); 165 } 166 } 167 td->td_retval[0] = p->p_pgrp->pg_id; 168 PROC_UNLOCK(p); 169 return (0); 170 } 171 172 /* 173 * Get an arbitary pid's session id. 174 */ 175 #ifndef _SYS_SYSPROTO_H_ 176 struct getsid_args { 177 pid_t pid; 178 }; 179 #endif 180 int 181 getsid(struct thread *td, struct getsid_args *uap) 182 { 183 struct proc *p; 184 int error; 185 186 if (uap->pid == 0) { 187 p = td->td_proc; 188 PROC_LOCK(p); 189 } else { 190 p = pfind(uap->pid); 191 if (p == NULL) 192 return (ESRCH); 193 error = p_cansee(td, p); 194 if (error) { 195 PROC_UNLOCK(p); 196 return (error); 197 } 198 } 199 td->td_retval[0] = p->p_session->s_sid; 200 PROC_UNLOCK(p); 201 return (0); 202 } 203 204 #ifndef _SYS_SYSPROTO_H_ 205 struct getuid_args { 206 int dummy; 207 }; 208 #endif 209 /* ARGSUSED */ 210 int 211 getuid(struct thread *td, struct getuid_args *uap) 212 { 213 214 td->td_retval[0] = td->td_ucred->cr_ruid; 215 #if defined(COMPAT_43) 216 td->td_retval[1] = td->td_ucred->cr_uid; 217 #endif 218 return (0); 219 } 220 221 #ifndef _SYS_SYSPROTO_H_ 222 struct geteuid_args { 223 int dummy; 224 }; 225 #endif 226 /* ARGSUSED */ 227 int 228 geteuid(struct thread *td, struct geteuid_args *uap) 229 { 230 231 td->td_retval[0] = td->td_ucred->cr_uid; 232 return (0); 233 } 234 235 #ifndef _SYS_SYSPROTO_H_ 236 struct getgid_args { 237 int dummy; 238 }; 239 #endif 240 /* ARGSUSED */ 241 int 242 getgid(struct thread *td, struct getgid_args *uap) 243 { 244 245 td->td_retval[0] = td->td_ucred->cr_rgid; 246 #if defined(COMPAT_43) 247 td->td_retval[1] = td->td_ucred->cr_groups[0]; 248 #endif 249 return (0); 250 } 251 252 /* 253 * Get effective group ID. The "egid" is groups[0], and could be obtained 254 * via getgroups. This syscall exists because it is somewhat painful to do 255 * correctly in a library function. 256 */ 257 #ifndef _SYS_SYSPROTO_H_ 258 struct getegid_args { 259 int dummy; 260 }; 261 #endif 262 /* ARGSUSED */ 263 int 264 getegid(struct thread *td, struct getegid_args *uap) 265 { 266 267 td->td_retval[0] = td->td_ucred->cr_groups[0]; 268 return (0); 269 } 270 271 #ifndef _SYS_SYSPROTO_H_ 272 struct getgroups_args { 273 u_int gidsetsize; 274 gid_t *gidset; 275 }; 276 #endif 277 int 278 getgroups(struct thread *td, register struct getgroups_args *uap) 279 { 280 gid_t groups[NGROUPS]; 281 u_int ngrp; 282 int error; 283 284 ngrp = MIN(uap->gidsetsize, NGROUPS); 285 error = kern_getgroups(td, &ngrp, groups); 286 if (error) 287 return (error); 288 if (uap->gidsetsize > 0) 289 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 290 if (error == 0) 291 td->td_retval[0] = ngrp; 292 return (error); 293 } 294 295 int 296 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 297 { 298 struct ucred *cred; 299 300 cred = td->td_ucred; 301 if (*ngrp == 0) { 302 *ngrp = cred->cr_ngroups; 303 return (0); 304 } 305 if (*ngrp < cred->cr_ngroups) 306 return (EINVAL); 307 *ngrp = cred->cr_ngroups; 308 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 309 return (0); 310 } 311 312 #ifndef _SYS_SYSPROTO_H_ 313 struct setsid_args { 314 int dummy; 315 }; 316 #endif 317 /* ARGSUSED */ 318 int 319 setsid(register struct thread *td, struct setsid_args *uap) 320 { 321 struct pgrp *pgrp; 322 int error; 323 struct proc *p = td->td_proc; 324 struct pgrp *newpgrp; 325 struct session *newsess; 326 327 error = 0; 328 pgrp = NULL; 329 330 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 331 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 332 333 sx_xlock(&proctree_lock); 334 335 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 336 if (pgrp != NULL) 337 PGRP_UNLOCK(pgrp); 338 error = EPERM; 339 } else { 340 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 341 td->td_retval[0] = p->p_pid; 342 newpgrp = NULL; 343 newsess = NULL; 344 } 345 346 sx_xunlock(&proctree_lock); 347 348 if (newpgrp != NULL) 349 free(newpgrp, M_PGRP); 350 if (newsess != NULL) 351 free(newsess, M_SESSION); 352 353 return (error); 354 } 355 356 /* 357 * set process group (setpgid/old setpgrp) 358 * 359 * caller does setpgid(targpid, targpgid) 360 * 361 * pid must be caller or child of caller (ESRCH) 362 * if a child 363 * pid must be in same session (EPERM) 364 * pid can't have done an exec (EACCES) 365 * if pgid != pid 366 * there must exist some pid in same session having pgid (EPERM) 367 * pid must not be session leader (EPERM) 368 */ 369 #ifndef _SYS_SYSPROTO_H_ 370 struct setpgid_args { 371 int pid; /* target process id */ 372 int pgid; /* target pgrp id */ 373 }; 374 #endif 375 /* ARGSUSED */ 376 int 377 setpgid(struct thread *td, register struct setpgid_args *uap) 378 { 379 struct proc *curp = td->td_proc; 380 register struct proc *targp; /* target process */ 381 register struct pgrp *pgrp; /* target pgrp */ 382 int error; 383 struct pgrp *newpgrp; 384 385 if (uap->pgid < 0) 386 return (EINVAL); 387 388 error = 0; 389 390 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 391 392 sx_xlock(&proctree_lock); 393 if (uap->pid != 0 && uap->pid != curp->p_pid) { 394 if ((targp = pfind(uap->pid)) == NULL) { 395 error = ESRCH; 396 goto done; 397 } 398 if (!inferior(targp)) { 399 PROC_UNLOCK(targp); 400 error = ESRCH; 401 goto done; 402 } 403 if ((error = p_cansee(td, targp))) { 404 PROC_UNLOCK(targp); 405 goto done; 406 } 407 if (targp->p_pgrp == NULL || 408 targp->p_session != curp->p_session) { 409 PROC_UNLOCK(targp); 410 error = EPERM; 411 goto done; 412 } 413 if (targp->p_flag & P_EXEC) { 414 PROC_UNLOCK(targp); 415 error = EACCES; 416 goto done; 417 } 418 PROC_UNLOCK(targp); 419 } else 420 targp = curp; 421 if (SESS_LEADER(targp)) { 422 error = EPERM; 423 goto done; 424 } 425 if (uap->pgid == 0) 426 uap->pgid = targp->p_pid; 427 if ((pgrp = pgfind(uap->pgid)) == NULL) { 428 if (uap->pgid == targp->p_pid) { 429 error = enterpgrp(targp, uap->pgid, newpgrp, 430 NULL); 431 if (error == 0) 432 newpgrp = NULL; 433 } else 434 error = EPERM; 435 } else { 436 if (pgrp == targp->p_pgrp) { 437 PGRP_UNLOCK(pgrp); 438 goto done; 439 } 440 if (pgrp->pg_id != targp->p_pid && 441 pgrp->pg_session != curp->p_session) { 442 PGRP_UNLOCK(pgrp); 443 error = EPERM; 444 goto done; 445 } 446 PGRP_UNLOCK(pgrp); 447 error = enterthispgrp(targp, pgrp); 448 } 449 done: 450 sx_xunlock(&proctree_lock); 451 KASSERT((error == 0) || (newpgrp != NULL), 452 ("setpgid failed and newpgrp is NULL")); 453 if (newpgrp != NULL) 454 free(newpgrp, M_PGRP); 455 return (error); 456 } 457 458 /* 459 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 460 * compatible. It says that setting the uid/gid to euid/egid is a special 461 * case of "appropriate privilege". Once the rules are expanded out, this 462 * basically means that setuid(nnn) sets all three id's, in all permitted 463 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 464 * does not set the saved id - this is dangerous for traditional BSD 465 * programs. For this reason, we *really* do not want to set 466 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 467 */ 468 #define POSIX_APPENDIX_B_4_2_2 469 470 #ifndef _SYS_SYSPROTO_H_ 471 struct setuid_args { 472 uid_t uid; 473 }; 474 #endif 475 /* ARGSUSED */ 476 int 477 setuid(struct thread *td, struct setuid_args *uap) 478 { 479 struct proc *p = td->td_proc; 480 struct ucred *newcred, *oldcred; 481 uid_t uid; 482 struct uidinfo *uip; 483 int error; 484 485 uid = uap->uid; 486 AUDIT_ARG(uid, uid); 487 newcred = crget(); 488 uip = uifind(uid); 489 PROC_LOCK(p); 490 oldcred = p->p_ucred; 491 492 #ifdef MAC 493 error = mac_cred_check_setuid(oldcred, uid); 494 if (error) 495 goto fail; 496 #endif 497 498 /* 499 * See if we have "permission" by POSIX 1003.1 rules. 500 * 501 * Note that setuid(geteuid()) is a special case of 502 * "appropriate privileges" in appendix B.4.2.2. We need 503 * to use this clause to be compatible with traditional BSD 504 * semantics. Basically, it means that "setuid(xx)" sets all 505 * three id's (assuming you have privs). 506 * 507 * Notes on the logic. We do things in three steps. 508 * 1: We determine if the euid is going to change, and do EPERM 509 * right away. We unconditionally change the euid later if this 510 * test is satisfied, simplifying that part of the logic. 511 * 2: We determine if the real and/or saved uids are going to 512 * change. Determined by compile options. 513 * 3: Change euid last. (after tests in #2 for "appropriate privs") 514 */ 515 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 516 #ifdef _POSIX_SAVED_IDS 517 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 518 #endif 519 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 520 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 521 #endif 522 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 523 goto fail; 524 525 /* 526 * Copy credentials so other references do not see our changes. 527 */ 528 crcopy(newcred, oldcred); 529 #ifdef _POSIX_SAVED_IDS 530 /* 531 * Do we have "appropriate privileges" (are we root or uid == euid) 532 * If so, we are changing the real uid and/or saved uid. 533 */ 534 if ( 535 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 536 uid == oldcred->cr_uid || 537 #endif 538 /* We are using privs. */ 539 priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 540 #endif 541 { 542 /* 543 * Set the real uid and transfer proc count to new user. 544 */ 545 if (uid != oldcred->cr_ruid) { 546 change_ruid(newcred, uip); 547 setsugid(p); 548 } 549 /* 550 * Set saved uid 551 * 552 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 553 * the security of seteuid() depends on it. B.4.2.2 says it 554 * is important that we should do this. 555 */ 556 if (uid != oldcred->cr_svuid) { 557 change_svuid(newcred, uid); 558 setsugid(p); 559 } 560 } 561 562 /* 563 * In all permitted cases, we are changing the euid. 564 */ 565 if (uid != oldcred->cr_uid) { 566 change_euid(newcred, uip); 567 setsugid(p); 568 } 569 p->p_ucred = newcred; 570 PROC_UNLOCK(p); 571 uifree(uip); 572 crfree(oldcred); 573 return (0); 574 575 fail: 576 PROC_UNLOCK(p); 577 uifree(uip); 578 crfree(newcred); 579 return (error); 580 } 581 582 #ifndef _SYS_SYSPROTO_H_ 583 struct seteuid_args { 584 uid_t euid; 585 }; 586 #endif 587 /* ARGSUSED */ 588 int 589 seteuid(struct thread *td, struct seteuid_args *uap) 590 { 591 struct proc *p = td->td_proc; 592 struct ucred *newcred, *oldcred; 593 uid_t euid; 594 struct uidinfo *euip; 595 int error; 596 597 euid = uap->euid; 598 AUDIT_ARG(euid, euid); 599 newcred = crget(); 600 euip = uifind(euid); 601 PROC_LOCK(p); 602 oldcred = p->p_ucred; 603 604 #ifdef MAC 605 error = mac_cred_check_seteuid(oldcred, euid); 606 if (error) 607 goto fail; 608 #endif 609 610 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 611 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 612 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 613 goto fail; 614 615 /* 616 * Everything's okay, do it. Copy credentials so other references do 617 * not see our changes. 618 */ 619 crcopy(newcred, oldcred); 620 if (oldcred->cr_uid != euid) { 621 change_euid(newcred, euip); 622 setsugid(p); 623 } 624 p->p_ucred = newcred; 625 PROC_UNLOCK(p); 626 uifree(euip); 627 crfree(oldcred); 628 return (0); 629 630 fail: 631 PROC_UNLOCK(p); 632 uifree(euip); 633 crfree(newcred); 634 return (error); 635 } 636 637 #ifndef _SYS_SYSPROTO_H_ 638 struct setgid_args { 639 gid_t gid; 640 }; 641 #endif 642 /* ARGSUSED */ 643 int 644 setgid(struct thread *td, struct setgid_args *uap) 645 { 646 struct proc *p = td->td_proc; 647 struct ucred *newcred, *oldcred; 648 gid_t gid; 649 int error; 650 651 gid = uap->gid; 652 AUDIT_ARG(gid, gid); 653 newcred = crget(); 654 PROC_LOCK(p); 655 oldcred = p->p_ucred; 656 657 #ifdef MAC 658 error = mac_cred_check_setgid(oldcred, gid); 659 if (error) 660 goto fail; 661 #endif 662 663 /* 664 * See if we have "permission" by POSIX 1003.1 rules. 665 * 666 * Note that setgid(getegid()) is a special case of 667 * "appropriate privileges" in appendix B.4.2.2. We need 668 * to use this clause to be compatible with traditional BSD 669 * semantics. Basically, it means that "setgid(xx)" sets all 670 * three id's (assuming you have privs). 671 * 672 * For notes on the logic here, see setuid() above. 673 */ 674 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 675 #ifdef _POSIX_SAVED_IDS 676 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 677 #endif 678 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 679 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 680 #endif 681 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 682 goto fail; 683 684 crcopy(newcred, oldcred); 685 #ifdef _POSIX_SAVED_IDS 686 /* 687 * Do we have "appropriate privileges" (are we root or gid == egid) 688 * If so, we are changing the real uid and saved gid. 689 */ 690 if ( 691 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 692 gid == oldcred->cr_groups[0] || 693 #endif 694 /* We are using privs. */ 695 priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 696 #endif 697 { 698 /* 699 * Set real gid 700 */ 701 if (oldcred->cr_rgid != gid) { 702 change_rgid(newcred, gid); 703 setsugid(p); 704 } 705 /* 706 * Set saved gid 707 * 708 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 709 * the security of setegid() depends on it. B.4.2.2 says it 710 * is important that we should do this. 711 */ 712 if (oldcred->cr_svgid != gid) { 713 change_svgid(newcred, gid); 714 setsugid(p); 715 } 716 } 717 /* 718 * In all cases permitted cases, we are changing the egid. 719 * Copy credentials so other references do not see our changes. 720 */ 721 if (oldcred->cr_groups[0] != gid) { 722 change_egid(newcred, gid); 723 setsugid(p); 724 } 725 p->p_ucred = newcred; 726 PROC_UNLOCK(p); 727 crfree(oldcred); 728 return (0); 729 730 fail: 731 PROC_UNLOCK(p); 732 crfree(newcred); 733 return (error); 734 } 735 736 #ifndef _SYS_SYSPROTO_H_ 737 struct setegid_args { 738 gid_t egid; 739 }; 740 #endif 741 /* ARGSUSED */ 742 int 743 setegid(struct thread *td, struct setegid_args *uap) 744 { 745 struct proc *p = td->td_proc; 746 struct ucred *newcred, *oldcred; 747 gid_t egid; 748 int error; 749 750 egid = uap->egid; 751 AUDIT_ARG(egid, egid); 752 newcred = crget(); 753 PROC_LOCK(p); 754 oldcred = p->p_ucred; 755 756 #ifdef MAC 757 error = mac_cred_check_setegid(oldcred, egid); 758 if (error) 759 goto fail; 760 #endif 761 762 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 763 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 764 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 765 goto fail; 766 767 crcopy(newcred, oldcred); 768 if (oldcred->cr_groups[0] != egid) { 769 change_egid(newcred, egid); 770 setsugid(p); 771 } 772 p->p_ucred = newcred; 773 PROC_UNLOCK(p); 774 crfree(oldcred); 775 return (0); 776 777 fail: 778 PROC_UNLOCK(p); 779 crfree(newcred); 780 return (error); 781 } 782 783 #ifndef _SYS_SYSPROTO_H_ 784 struct setgroups_args { 785 u_int gidsetsize; 786 gid_t *gidset; 787 }; 788 #endif 789 /* ARGSUSED */ 790 int 791 setgroups(struct thread *td, struct setgroups_args *uap) 792 { 793 gid_t groups[NGROUPS]; 794 int error; 795 796 if (uap->gidsetsize > NGROUPS) 797 return (EINVAL); 798 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 799 if (error) 800 return (error); 801 return (kern_setgroups(td, uap->gidsetsize, groups)); 802 } 803 804 int 805 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 806 { 807 struct proc *p = td->td_proc; 808 struct ucred *newcred, *oldcred; 809 int error; 810 811 if (ngrp > NGROUPS) 812 return (EINVAL); 813 AUDIT_ARG(groupset, groups, ngrp); 814 newcred = crget(); 815 PROC_LOCK(p); 816 oldcred = p->p_ucred; 817 818 #ifdef MAC 819 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 820 if (error) 821 goto fail; 822 #endif 823 824 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 825 if (error) 826 goto fail; 827 828 /* 829 * XXX A little bit lazy here. We could test if anything has 830 * changed before crcopy() and setting P_SUGID. 831 */ 832 crcopy(newcred, oldcred); 833 if (ngrp < 1) { 834 /* 835 * setgroups(0, NULL) is a legitimate way of clearing the 836 * groups vector on non-BSD systems (which generally do not 837 * have the egid in the groups[0]). We risk security holes 838 * when running non-BSD software if we do not do the same. 839 */ 840 newcred->cr_ngroups = 1; 841 } else { 842 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 843 newcred->cr_ngroups = ngrp; 844 } 845 setsugid(p); 846 p->p_ucred = newcred; 847 PROC_UNLOCK(p); 848 crfree(oldcred); 849 return (0); 850 851 fail: 852 PROC_UNLOCK(p); 853 crfree(newcred); 854 return (error); 855 } 856 857 #ifndef _SYS_SYSPROTO_H_ 858 struct setreuid_args { 859 uid_t ruid; 860 uid_t euid; 861 }; 862 #endif 863 /* ARGSUSED */ 864 int 865 setreuid(register struct thread *td, struct setreuid_args *uap) 866 { 867 struct proc *p = td->td_proc; 868 struct ucred *newcred, *oldcred; 869 uid_t euid, ruid; 870 struct uidinfo *euip, *ruip; 871 int error; 872 873 euid = uap->euid; 874 ruid = uap->ruid; 875 AUDIT_ARG(euid, euid); 876 AUDIT_ARG(ruid, ruid); 877 newcred = crget(); 878 euip = uifind(euid); 879 ruip = uifind(ruid); 880 PROC_LOCK(p); 881 oldcred = p->p_ucred; 882 883 #ifdef MAC 884 error = mac_cred_check_setreuid(oldcred, ruid, euid); 885 if (error) 886 goto fail; 887 #endif 888 889 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 890 ruid != oldcred->cr_svuid) || 891 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 892 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 893 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 894 goto fail; 895 896 crcopy(newcred, oldcred); 897 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 898 change_euid(newcred, euip); 899 setsugid(p); 900 } 901 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 902 change_ruid(newcred, ruip); 903 setsugid(p); 904 } 905 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 906 newcred->cr_svuid != newcred->cr_uid) { 907 change_svuid(newcred, newcred->cr_uid); 908 setsugid(p); 909 } 910 p->p_ucred = newcred; 911 PROC_UNLOCK(p); 912 uifree(ruip); 913 uifree(euip); 914 crfree(oldcred); 915 return (0); 916 917 fail: 918 PROC_UNLOCK(p); 919 uifree(ruip); 920 uifree(euip); 921 crfree(newcred); 922 return (error); 923 } 924 925 #ifndef _SYS_SYSPROTO_H_ 926 struct setregid_args { 927 gid_t rgid; 928 gid_t egid; 929 }; 930 #endif 931 /* ARGSUSED */ 932 int 933 setregid(register struct thread *td, struct setregid_args *uap) 934 { 935 struct proc *p = td->td_proc; 936 struct ucred *newcred, *oldcred; 937 gid_t egid, rgid; 938 int error; 939 940 egid = uap->egid; 941 rgid = uap->rgid; 942 AUDIT_ARG(egid, egid); 943 AUDIT_ARG(rgid, rgid); 944 newcred = crget(); 945 PROC_LOCK(p); 946 oldcred = p->p_ucred; 947 948 #ifdef MAC 949 error = mac_cred_check_setregid(oldcred, rgid, egid); 950 if (error) 951 goto fail; 952 #endif 953 954 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 955 rgid != oldcred->cr_svgid) || 956 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 957 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 958 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 959 goto fail; 960 961 crcopy(newcred, oldcred); 962 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 963 change_egid(newcred, egid); 964 setsugid(p); 965 } 966 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 967 change_rgid(newcred, rgid); 968 setsugid(p); 969 } 970 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 971 newcred->cr_svgid != newcred->cr_groups[0]) { 972 change_svgid(newcred, newcred->cr_groups[0]); 973 setsugid(p); 974 } 975 p->p_ucred = newcred; 976 PROC_UNLOCK(p); 977 crfree(oldcred); 978 return (0); 979 980 fail: 981 PROC_UNLOCK(p); 982 crfree(newcred); 983 return (error); 984 } 985 986 /* 987 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 988 * uid is explicit. 989 */ 990 #ifndef _SYS_SYSPROTO_H_ 991 struct setresuid_args { 992 uid_t ruid; 993 uid_t euid; 994 uid_t suid; 995 }; 996 #endif 997 /* ARGSUSED */ 998 int 999 setresuid(register struct thread *td, struct setresuid_args *uap) 1000 { 1001 struct proc *p = td->td_proc; 1002 struct ucred *newcred, *oldcred; 1003 uid_t euid, ruid, suid; 1004 struct uidinfo *euip, *ruip; 1005 int error; 1006 1007 euid = uap->euid; 1008 ruid = uap->ruid; 1009 suid = uap->suid; 1010 AUDIT_ARG(euid, euid); 1011 AUDIT_ARG(ruid, ruid); 1012 AUDIT_ARG(suid, suid); 1013 newcred = crget(); 1014 euip = uifind(euid); 1015 ruip = uifind(ruid); 1016 PROC_LOCK(p); 1017 oldcred = p->p_ucred; 1018 1019 #ifdef MAC 1020 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1021 if (error) 1022 goto fail; 1023 #endif 1024 1025 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1026 ruid != oldcred->cr_svuid && 1027 ruid != oldcred->cr_uid) || 1028 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1029 euid != oldcred->cr_svuid && 1030 euid != oldcred->cr_uid) || 1031 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1032 suid != oldcred->cr_svuid && 1033 suid != oldcred->cr_uid)) && 1034 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1035 goto fail; 1036 1037 crcopy(newcred, oldcred); 1038 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1039 change_euid(newcred, euip); 1040 setsugid(p); 1041 } 1042 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1043 change_ruid(newcred, ruip); 1044 setsugid(p); 1045 } 1046 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1047 change_svuid(newcred, suid); 1048 setsugid(p); 1049 } 1050 p->p_ucred = newcred; 1051 PROC_UNLOCK(p); 1052 uifree(ruip); 1053 uifree(euip); 1054 crfree(oldcred); 1055 return (0); 1056 1057 fail: 1058 PROC_UNLOCK(p); 1059 uifree(ruip); 1060 uifree(euip); 1061 crfree(newcred); 1062 return (error); 1063 1064 } 1065 1066 /* 1067 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1068 * gid is explicit. 1069 */ 1070 #ifndef _SYS_SYSPROTO_H_ 1071 struct setresgid_args { 1072 gid_t rgid; 1073 gid_t egid; 1074 gid_t sgid; 1075 }; 1076 #endif 1077 /* ARGSUSED */ 1078 int 1079 setresgid(register struct thread *td, struct setresgid_args *uap) 1080 { 1081 struct proc *p = td->td_proc; 1082 struct ucred *newcred, *oldcred; 1083 gid_t egid, rgid, sgid; 1084 int error; 1085 1086 egid = uap->egid; 1087 rgid = uap->rgid; 1088 sgid = uap->sgid; 1089 AUDIT_ARG(egid, egid); 1090 AUDIT_ARG(rgid, rgid); 1091 AUDIT_ARG(sgid, sgid); 1092 newcred = crget(); 1093 PROC_LOCK(p); 1094 oldcred = p->p_ucred; 1095 1096 #ifdef MAC 1097 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1098 if (error) 1099 goto fail; 1100 #endif 1101 1102 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1103 rgid != oldcred->cr_svgid && 1104 rgid != oldcred->cr_groups[0]) || 1105 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1106 egid != oldcred->cr_svgid && 1107 egid != oldcred->cr_groups[0]) || 1108 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1109 sgid != oldcred->cr_svgid && 1110 sgid != oldcred->cr_groups[0])) && 1111 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1112 goto fail; 1113 1114 crcopy(newcred, oldcred); 1115 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1116 change_egid(newcred, egid); 1117 setsugid(p); 1118 } 1119 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1120 change_rgid(newcred, rgid); 1121 setsugid(p); 1122 } 1123 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1124 change_svgid(newcred, sgid); 1125 setsugid(p); 1126 } 1127 p->p_ucred = newcred; 1128 PROC_UNLOCK(p); 1129 crfree(oldcred); 1130 return (0); 1131 1132 fail: 1133 PROC_UNLOCK(p); 1134 crfree(newcred); 1135 return (error); 1136 } 1137 1138 #ifndef _SYS_SYSPROTO_H_ 1139 struct getresuid_args { 1140 uid_t *ruid; 1141 uid_t *euid; 1142 uid_t *suid; 1143 }; 1144 #endif 1145 /* ARGSUSED */ 1146 int 1147 getresuid(register struct thread *td, struct getresuid_args *uap) 1148 { 1149 struct ucred *cred; 1150 int error1 = 0, error2 = 0, error3 = 0; 1151 1152 cred = td->td_ucred; 1153 if (uap->ruid) 1154 error1 = copyout(&cred->cr_ruid, 1155 uap->ruid, sizeof(cred->cr_ruid)); 1156 if (uap->euid) 1157 error2 = copyout(&cred->cr_uid, 1158 uap->euid, sizeof(cred->cr_uid)); 1159 if (uap->suid) 1160 error3 = copyout(&cred->cr_svuid, 1161 uap->suid, sizeof(cred->cr_svuid)); 1162 return (error1 ? error1 : error2 ? error2 : error3); 1163 } 1164 1165 #ifndef _SYS_SYSPROTO_H_ 1166 struct getresgid_args { 1167 gid_t *rgid; 1168 gid_t *egid; 1169 gid_t *sgid; 1170 }; 1171 #endif 1172 /* ARGSUSED */ 1173 int 1174 getresgid(register struct thread *td, struct getresgid_args *uap) 1175 { 1176 struct ucred *cred; 1177 int error1 = 0, error2 = 0, error3 = 0; 1178 1179 cred = td->td_ucred; 1180 if (uap->rgid) 1181 error1 = copyout(&cred->cr_rgid, 1182 uap->rgid, sizeof(cred->cr_rgid)); 1183 if (uap->egid) 1184 error2 = copyout(&cred->cr_groups[0], 1185 uap->egid, sizeof(cred->cr_groups[0])); 1186 if (uap->sgid) 1187 error3 = copyout(&cred->cr_svgid, 1188 uap->sgid, sizeof(cred->cr_svgid)); 1189 return (error1 ? error1 : error2 ? error2 : error3); 1190 } 1191 1192 #ifndef _SYS_SYSPROTO_H_ 1193 struct issetugid_args { 1194 int dummy; 1195 }; 1196 #endif 1197 /* ARGSUSED */ 1198 int 1199 issetugid(register struct thread *td, struct issetugid_args *uap) 1200 { 1201 struct proc *p = td->td_proc; 1202 1203 /* 1204 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1205 * we use P_SUGID because we consider changing the owners as 1206 * "tainting" as well. 1207 * This is significant for procs that start as root and "become" 1208 * a user without an exec - programs cannot know *everything* 1209 * that libc *might* have put in their data segment. 1210 */ 1211 PROC_LOCK(p); 1212 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1213 PROC_UNLOCK(p); 1214 return (0); 1215 } 1216 1217 int 1218 __setugid(struct thread *td, struct __setugid_args *uap) 1219 { 1220 #ifdef REGRESSION 1221 struct proc *p; 1222 1223 p = td->td_proc; 1224 switch (uap->flag) { 1225 case 0: 1226 PROC_LOCK(p); 1227 p->p_flag &= ~P_SUGID; 1228 PROC_UNLOCK(p); 1229 return (0); 1230 case 1: 1231 PROC_LOCK(p); 1232 p->p_flag |= P_SUGID; 1233 PROC_UNLOCK(p); 1234 return (0); 1235 default: 1236 return (EINVAL); 1237 } 1238 #else /* !REGRESSION */ 1239 1240 return (ENOSYS); 1241 #endif /* REGRESSION */ 1242 } 1243 1244 /* 1245 * Check if gid is a member of the group set. 1246 */ 1247 int 1248 groupmember(gid_t gid, struct ucred *cred) 1249 { 1250 register gid_t *gp; 1251 gid_t *egp; 1252 1253 egp = &(cred->cr_groups[cred->cr_ngroups]); 1254 for (gp = cred->cr_groups; gp < egp; gp++) 1255 if (*gp == gid) 1256 return (1); 1257 return (0); 1258 } 1259 1260 /* 1261 * Test the active securelevel against a given level. securelevel_gt() 1262 * implements (securelevel > level). securelevel_ge() implements 1263 * (securelevel >= level). Note that the logic is inverted -- these 1264 * functions return EPERM on "success" and 0 on "failure". 1265 * 1266 * Due to care taken when setting the securelevel, we know that no jail will 1267 * be less secure that its parent (or the physical system), so it is sufficient 1268 * to test the current jail only. 1269 * 1270 * XXXRW: Possibly since this has to do with privilege, it should move to 1271 * kern_priv.c. 1272 */ 1273 int 1274 securelevel_gt(struct ucred *cr, int level) 1275 { 1276 1277 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1278 } 1279 1280 int 1281 securelevel_ge(struct ucred *cr, int level) 1282 { 1283 1284 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1285 } 1286 1287 /* 1288 * 'see_other_uids' determines whether or not visibility of processes 1289 * and sockets with credentials holding different real uids is possible 1290 * using a variety of system MIBs. 1291 * XXX: data declarations should be together near the beginning of the file. 1292 */ 1293 static int see_other_uids = 1; 1294 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1295 &see_other_uids, 0, 1296 "Unprivileged processes may see subjects/objects with different real uid"); 1297 1298 /*- 1299 * Determine if u1 "can see" the subject specified by u2, according to the 1300 * 'see_other_uids' policy. 1301 * Returns: 0 for permitted, ESRCH otherwise 1302 * Locks: none 1303 * References: *u1 and *u2 must not change during the call 1304 * u1 may equal u2, in which case only one reference is required 1305 */ 1306 static int 1307 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1308 { 1309 1310 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1311 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 1312 return (ESRCH); 1313 } 1314 return (0); 1315 } 1316 1317 /* 1318 * 'see_other_gids' determines whether or not visibility of processes 1319 * and sockets with credentials holding different real gids is possible 1320 * using a variety of system MIBs. 1321 * XXX: data declarations should be together near the beginning of the file. 1322 */ 1323 static int see_other_gids = 1; 1324 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1325 &see_other_gids, 0, 1326 "Unprivileged processes may see subjects/objects with different real gid"); 1327 1328 /* 1329 * Determine if u1 can "see" the subject specified by u2, according to the 1330 * 'see_other_gids' policy. 1331 * Returns: 0 for permitted, ESRCH otherwise 1332 * Locks: none 1333 * References: *u1 and *u2 must not change during the call 1334 * u1 may equal u2, in which case only one reference is required 1335 */ 1336 static int 1337 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1338 { 1339 int i, match; 1340 1341 if (!see_other_gids) { 1342 match = 0; 1343 for (i = 0; i < u1->cr_ngroups; i++) { 1344 if (groupmember(u1->cr_groups[i], u2)) 1345 match = 1; 1346 if (match) 1347 break; 1348 } 1349 if (!match) { 1350 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 1351 return (ESRCH); 1352 } 1353 } 1354 return (0); 1355 } 1356 1357 /*- 1358 * Determine if u1 "can see" the subject specified by u2. 1359 * Returns: 0 for permitted, an errno value otherwise 1360 * Locks: none 1361 * References: *u1 and *u2 must not change during the call 1362 * u1 may equal u2, in which case only one reference is required 1363 */ 1364 int 1365 cr_cansee(struct ucred *u1, struct ucred *u2) 1366 { 1367 int error; 1368 1369 if ((error = prison_check(u1, u2))) 1370 return (error); 1371 #ifdef MAC 1372 if ((error = mac_cred_check_visible(u1, u2))) 1373 return (error); 1374 #endif 1375 if ((error = cr_seeotheruids(u1, u2))) 1376 return (error); 1377 if ((error = cr_seeothergids(u1, u2))) 1378 return (error); 1379 return (0); 1380 } 1381 1382 /*- 1383 * Determine if td "can see" the subject specified by p. 1384 * Returns: 0 for permitted, an errno value otherwise 1385 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1386 * should be curthread. 1387 * References: td and p must be valid for the lifetime of the call 1388 */ 1389 int 1390 p_cansee(struct thread *td, struct proc *p) 1391 { 1392 1393 /* Wrap cr_cansee() for all functionality. */ 1394 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1395 PROC_LOCK_ASSERT(p, MA_OWNED); 1396 return (cr_cansee(td->td_ucred, p->p_ucred)); 1397 } 1398 1399 /* 1400 * 'conservative_signals' prevents the delivery of a broad class of 1401 * signals by unprivileged processes to processes that have changed their 1402 * credentials since the last invocation of execve(). This can prevent 1403 * the leakage of cached information or retained privileges as a result 1404 * of a common class of signal-related vulnerabilities. However, this 1405 * may interfere with some applications that expect to be able to 1406 * deliver these signals to peer processes after having given up 1407 * privilege. 1408 */ 1409 static int conservative_signals = 1; 1410 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1411 &conservative_signals, 0, "Unprivileged processes prevented from " 1412 "sending certain signals to processes whose credentials have changed"); 1413 /*- 1414 * Determine whether cred may deliver the specified signal to proc. 1415 * Returns: 0 for permitted, an errno value otherwise. 1416 * Locks: A lock must be held for proc. 1417 * References: cred and proc must be valid for the lifetime of the call. 1418 */ 1419 int 1420 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1421 { 1422 int error; 1423 1424 PROC_LOCK_ASSERT(proc, MA_OWNED); 1425 /* 1426 * Jail semantics limit the scope of signalling to proc in the 1427 * same jail as cred, if cred is in jail. 1428 */ 1429 error = prison_check(cred, proc->p_ucred); 1430 if (error) 1431 return (error); 1432 #ifdef MAC 1433 if ((error = mac_proc_check_signal(cred, proc, signum))) 1434 return (error); 1435 #endif 1436 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1437 return (error); 1438 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1439 return (error); 1440 1441 /* 1442 * UNIX signal semantics depend on the status of the P_SUGID 1443 * bit on the target process. If the bit is set, then additional 1444 * restrictions are placed on the set of available signals. 1445 */ 1446 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1447 switch (signum) { 1448 case 0: 1449 case SIGKILL: 1450 case SIGINT: 1451 case SIGTERM: 1452 case SIGALRM: 1453 case SIGSTOP: 1454 case SIGTTIN: 1455 case SIGTTOU: 1456 case SIGTSTP: 1457 case SIGHUP: 1458 case SIGUSR1: 1459 case SIGUSR2: 1460 /* 1461 * Generally, permit job and terminal control 1462 * signals. 1463 */ 1464 break; 1465 default: 1466 /* Not permitted without privilege. */ 1467 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 1468 if (error) 1469 return (error); 1470 } 1471 } 1472 1473 /* 1474 * Generally, the target credential's ruid or svuid must match the 1475 * subject credential's ruid or euid. 1476 */ 1477 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1478 cred->cr_ruid != proc->p_ucred->cr_svuid && 1479 cred->cr_uid != proc->p_ucred->cr_ruid && 1480 cred->cr_uid != proc->p_ucred->cr_svuid) { 1481 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 1482 if (error) 1483 return (error); 1484 } 1485 1486 return (0); 1487 } 1488 1489 /*- 1490 * Determine whether td may deliver the specified signal to p. 1491 * Returns: 0 for permitted, an errno value otherwise 1492 * Locks: Sufficient locks to protect various components of td and p 1493 * must be held. td must be curthread, and a lock must be 1494 * held for p. 1495 * References: td and p must be valid for the lifetime of the call 1496 */ 1497 int 1498 p_cansignal(struct thread *td, struct proc *p, int signum) 1499 { 1500 1501 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1502 PROC_LOCK_ASSERT(p, MA_OWNED); 1503 if (td->td_proc == p) 1504 return (0); 1505 1506 /* 1507 * UNIX signalling semantics require that processes in the same 1508 * session always be able to deliver SIGCONT to one another, 1509 * overriding the remaining protections. 1510 */ 1511 /* XXX: This will require an additional lock of some sort. */ 1512 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1513 return (0); 1514 /* 1515 * Some compat layers use SIGTHR and higher signals for 1516 * communication between different kernel threads of the same 1517 * process, so that they expect that it's always possible to 1518 * deliver them, even for suid applications where cr_cansignal() can 1519 * deny such ability for security consideration. It should be 1520 * pretty safe to do since the only way to create two processes 1521 * with the same p_leader is via rfork(2). 1522 */ 1523 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1524 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1525 return (0); 1526 1527 return (cr_cansignal(td->td_ucred, p, signum)); 1528 } 1529 1530 /*- 1531 * Determine whether td may reschedule p. 1532 * Returns: 0 for permitted, an errno value otherwise 1533 * Locks: Sufficient locks to protect various components of td and p 1534 * must be held. td must be curthread, and a lock must 1535 * be held for p. 1536 * References: td and p must be valid for the lifetime of the call 1537 */ 1538 int 1539 p_cansched(struct thread *td, struct proc *p) 1540 { 1541 int error; 1542 1543 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1544 PROC_LOCK_ASSERT(p, MA_OWNED); 1545 if (td->td_proc == p) 1546 return (0); 1547 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1548 return (error); 1549 #ifdef MAC 1550 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1551 return (error); 1552 #endif 1553 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1554 return (error); 1555 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1556 return (error); 1557 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1558 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1559 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1560 if (error) 1561 return (error); 1562 } 1563 return (0); 1564 } 1565 1566 /* 1567 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1568 * unprivileged inter-process debugging services, including some procfs 1569 * functionality, ptrace(), and ktrace(). In the past, inter-process 1570 * debugging has been involved in a variety of security problems, and sites 1571 * not requiring the service might choose to disable it when hardening 1572 * systems. 1573 * 1574 * XXX: Should modifying and reading this variable require locking? 1575 * XXX: data declarations should be together near the beginning of the file. 1576 */ 1577 static int unprivileged_proc_debug = 1; 1578 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1579 &unprivileged_proc_debug, 0, 1580 "Unprivileged processes may use process debugging facilities"); 1581 1582 /*- 1583 * Determine whether td may debug p. 1584 * Returns: 0 for permitted, an errno value otherwise 1585 * Locks: Sufficient locks to protect various components of td and p 1586 * must be held. td must be curthread, and a lock must 1587 * be held for p. 1588 * References: td and p must be valid for the lifetime of the call 1589 */ 1590 int 1591 p_candebug(struct thread *td, struct proc *p) 1592 { 1593 int credentialchanged, error, grpsubset, i, uidsubset; 1594 1595 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1596 PROC_LOCK_ASSERT(p, MA_OWNED); 1597 if (!unprivileged_proc_debug) { 1598 error = priv_check(td, PRIV_DEBUG_UNPRIV); 1599 if (error) 1600 return (error); 1601 } 1602 if (td->td_proc == p) 1603 return (0); 1604 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1605 return (error); 1606 #ifdef MAC 1607 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1608 return (error); 1609 #endif 1610 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1611 return (error); 1612 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1613 return (error); 1614 1615 /* 1616 * Is p's group set a subset of td's effective group set? This 1617 * includes p's egid, group access list, rgid, and svgid. 1618 */ 1619 grpsubset = 1; 1620 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1621 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1622 grpsubset = 0; 1623 break; 1624 } 1625 } 1626 grpsubset = grpsubset && 1627 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1628 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1629 1630 /* 1631 * Are the uids present in p's credential equal to td's 1632 * effective uid? This includes p's euid, svuid, and ruid. 1633 */ 1634 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1635 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1636 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1637 1638 /* 1639 * Has the credential of the process changed since the last exec()? 1640 */ 1641 credentialchanged = (p->p_flag & P_SUGID); 1642 1643 /* 1644 * If p's gids aren't a subset, or the uids aren't a subset, 1645 * or the credential has changed, require appropriate privilege 1646 * for td to debug p. 1647 */ 1648 if (!grpsubset || !uidsubset) { 1649 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1650 if (error) 1651 return (error); 1652 } 1653 1654 if (credentialchanged) { 1655 error = priv_check(td, PRIV_DEBUG_SUGID); 1656 if (error) 1657 return (error); 1658 } 1659 1660 /* Can't trace init when securelevel > 0. */ 1661 if (p == initproc) { 1662 error = securelevel_gt(td->td_ucred, 0); 1663 if (error) 1664 return (error); 1665 } 1666 1667 /* 1668 * Can't trace a process that's currently exec'ing. 1669 * 1670 * XXX: Note, this is not a security policy decision, it's a 1671 * basic correctness/functionality decision. Therefore, this check 1672 * should be moved to the caller's of p_candebug(). 1673 */ 1674 if ((p->p_flag & P_INEXEC) != 0) 1675 return (EBUSY); 1676 1677 return (0); 1678 } 1679 1680 /*- 1681 * Determine whether the subject represented by cred can "see" a socket. 1682 * Returns: 0 for permitted, ENOENT otherwise. 1683 */ 1684 int 1685 cr_canseesocket(struct ucred *cred, struct socket *so) 1686 { 1687 int error; 1688 1689 error = prison_check(cred, so->so_cred); 1690 if (error) 1691 return (ENOENT); 1692 #ifdef MAC 1693 error = mac_socket_check_visible(cred, so); 1694 if (error) 1695 return (error); 1696 #endif 1697 if (cr_seeotheruids(cred, so->so_cred)) 1698 return (ENOENT); 1699 if (cr_seeothergids(cred, so->so_cred)) 1700 return (ENOENT); 1701 1702 return (0); 1703 } 1704 1705 #if defined(INET) || defined(INET6) 1706 /*- 1707 * Determine whether the subject represented by cred can "see" a socket. 1708 * Returns: 0 for permitted, ENOENT otherwise. 1709 */ 1710 int 1711 cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1712 { 1713 int error; 1714 1715 error = prison_check(cred, inp->inp_cred); 1716 if (error) 1717 return (ENOENT); 1718 #ifdef MAC 1719 INP_LOCK_ASSERT(inp); 1720 error = mac_inpcb_check_visible(cred, inp); 1721 if (error) 1722 return (error); 1723 #endif 1724 if (cr_seeotheruids(cred, inp->inp_cred)) 1725 return (ENOENT); 1726 if (cr_seeothergids(cred, inp->inp_cred)) 1727 return (ENOENT); 1728 1729 return (0); 1730 } 1731 #endif 1732 1733 /*- 1734 * Determine whether td can wait for the exit of p. 1735 * Returns: 0 for permitted, an errno value otherwise 1736 * Locks: Sufficient locks to protect various components of td and p 1737 * must be held. td must be curthread, and a lock must 1738 * be held for p. 1739 * References: td and p must be valid for the lifetime of the call 1740 1741 */ 1742 int 1743 p_canwait(struct thread *td, struct proc *p) 1744 { 1745 int error; 1746 1747 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1748 PROC_LOCK_ASSERT(p, MA_OWNED); 1749 if ( 1750 #ifdef VIMAGE /* XXX temporary until struct vimage goes away */ 1751 !vi_child_of(TD_TO_VIMAGE(td), P_TO_VIMAGE(p)) && 1752 #endif 1753 (error = prison_check(td->td_ucred, p->p_ucred))) 1754 return (error); 1755 #ifdef MAC 1756 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1757 return (error); 1758 #endif 1759 #if 0 1760 /* XXXMAC: This could have odd effects on some shells. */ 1761 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1762 return (error); 1763 #endif 1764 1765 return (0); 1766 } 1767 1768 /* 1769 * Allocate a zeroed cred structure. 1770 */ 1771 struct ucred * 1772 crget(void) 1773 { 1774 register struct ucred *cr; 1775 1776 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1777 refcount_init(&cr->cr_ref, 1); 1778 #ifdef AUDIT 1779 audit_cred_init(cr); 1780 #endif 1781 #ifdef MAC 1782 mac_cred_init(cr); 1783 #endif 1784 return (cr); 1785 } 1786 1787 /* 1788 * Claim another reference to a ucred structure. 1789 */ 1790 struct ucred * 1791 crhold(struct ucred *cr) 1792 { 1793 1794 refcount_acquire(&cr->cr_ref); 1795 return (cr); 1796 } 1797 1798 /* 1799 * Free a cred structure. Throws away space when ref count gets to 0. 1800 */ 1801 void 1802 crfree(struct ucred *cr) 1803 { 1804 1805 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1806 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1807 if (refcount_release(&cr->cr_ref)) { 1808 /* 1809 * Some callers of crget(), such as nfs_statfs(), 1810 * allocate a temporary credential, but don't 1811 * allocate a uidinfo structure. 1812 */ 1813 if (cr->cr_uidinfo != NULL) 1814 uifree(cr->cr_uidinfo); 1815 if (cr->cr_ruidinfo != NULL) 1816 uifree(cr->cr_ruidinfo); 1817 /* 1818 * Free a prison, if any. 1819 */ 1820 if (cr->cr_prison != NULL) 1821 prison_free(cr->cr_prison); 1822 #ifdef VIMAGE 1823 /* XXX TODO: find out why and when cr_vimage can be NULL here! */ 1824 if (cr->cr_vimage != NULL) 1825 refcount_release(&cr->cr_vimage->vi_ucredrefc); 1826 #endif 1827 #ifdef AUDIT 1828 audit_cred_destroy(cr); 1829 #endif 1830 #ifdef MAC 1831 mac_cred_destroy(cr); 1832 #endif 1833 free(cr, M_CRED); 1834 } 1835 } 1836 1837 /* 1838 * Check to see if this ucred is shared. 1839 */ 1840 int 1841 crshared(struct ucred *cr) 1842 { 1843 1844 return (cr->cr_ref > 1); 1845 } 1846 1847 /* 1848 * Copy a ucred's contents from a template. Does not block. 1849 */ 1850 void 1851 crcopy(struct ucred *dest, struct ucred *src) 1852 { 1853 1854 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1855 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1856 (unsigned)((caddr_t)&src->cr_endcopy - 1857 (caddr_t)&src->cr_startcopy)); 1858 uihold(dest->cr_uidinfo); 1859 uihold(dest->cr_ruidinfo); 1860 prison_hold(dest->cr_prison); 1861 #ifdef VIMAGE 1862 KASSERT(src->cr_vimage != NULL, ("cr_vimage == NULL")); 1863 refcount_acquire(&dest->cr_vimage->vi_ucredrefc); 1864 #endif 1865 #ifdef AUDIT 1866 audit_cred_copy(src, dest); 1867 #endif 1868 #ifdef MAC 1869 mac_cred_copy(src, dest); 1870 #endif 1871 } 1872 1873 /* 1874 * Dup cred struct to a new held one. 1875 */ 1876 struct ucred * 1877 crdup(struct ucred *cr) 1878 { 1879 struct ucred *newcr; 1880 1881 newcr = crget(); 1882 crcopy(newcr, cr); 1883 return (newcr); 1884 } 1885 1886 /* 1887 * Fill in a struct xucred based on a struct ucred. 1888 */ 1889 void 1890 cru2x(struct ucred *cr, struct xucred *xcr) 1891 { 1892 1893 bzero(xcr, sizeof(*xcr)); 1894 xcr->cr_version = XUCRED_VERSION; 1895 xcr->cr_uid = cr->cr_uid; 1896 xcr->cr_ngroups = cr->cr_ngroups; 1897 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1898 } 1899 1900 /* 1901 * small routine to swap a thread's current ucred for the correct one taken 1902 * from the process. 1903 */ 1904 void 1905 cred_update_thread(struct thread *td) 1906 { 1907 struct proc *p; 1908 struct ucred *cred; 1909 1910 p = td->td_proc; 1911 cred = td->td_ucred; 1912 PROC_LOCK(p); 1913 td->td_ucred = crhold(p->p_ucred); 1914 PROC_UNLOCK(p); 1915 if (cred != NULL) 1916 crfree(cred); 1917 } 1918 1919 /* 1920 * Get login name, if available. 1921 */ 1922 #ifndef _SYS_SYSPROTO_H_ 1923 struct getlogin_args { 1924 char *namebuf; 1925 u_int namelen; 1926 }; 1927 #endif 1928 /* ARGSUSED */ 1929 int 1930 getlogin(struct thread *td, struct getlogin_args *uap) 1931 { 1932 int error; 1933 char login[MAXLOGNAME]; 1934 struct proc *p = td->td_proc; 1935 1936 if (uap->namelen > MAXLOGNAME) 1937 uap->namelen = MAXLOGNAME; 1938 PROC_LOCK(p); 1939 SESS_LOCK(p->p_session); 1940 bcopy(p->p_session->s_login, login, uap->namelen); 1941 SESS_UNLOCK(p->p_session); 1942 PROC_UNLOCK(p); 1943 error = copyout(login, uap->namebuf, uap->namelen); 1944 return(error); 1945 } 1946 1947 /* 1948 * Set login name. 1949 */ 1950 #ifndef _SYS_SYSPROTO_H_ 1951 struct setlogin_args { 1952 char *namebuf; 1953 }; 1954 #endif 1955 /* ARGSUSED */ 1956 int 1957 setlogin(struct thread *td, struct setlogin_args *uap) 1958 { 1959 struct proc *p = td->td_proc; 1960 int error; 1961 char logintmp[MAXLOGNAME]; 1962 1963 error = priv_check(td, PRIV_PROC_SETLOGIN); 1964 if (error) 1965 return (error); 1966 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1967 if (error == ENAMETOOLONG) 1968 error = EINVAL; 1969 else if (!error) { 1970 PROC_LOCK(p); 1971 SESS_LOCK(p->p_session); 1972 (void) memcpy(p->p_session->s_login, logintmp, 1973 sizeof(logintmp)); 1974 SESS_UNLOCK(p->p_session); 1975 PROC_UNLOCK(p); 1976 } 1977 return (error); 1978 } 1979 1980 void 1981 setsugid(struct proc *p) 1982 { 1983 1984 PROC_LOCK_ASSERT(p, MA_OWNED); 1985 p->p_flag |= P_SUGID; 1986 if (!(p->p_pfsflags & PF_ISUGID)) 1987 p->p_stops = 0; 1988 } 1989 1990 /*- 1991 * Change a process's effective uid. 1992 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1993 * References: newcred must be an exclusive credential reference for the 1994 * duration of the call. 1995 */ 1996 void 1997 change_euid(struct ucred *newcred, struct uidinfo *euip) 1998 { 1999 2000 newcred->cr_uid = euip->ui_uid; 2001 uihold(euip); 2002 uifree(newcred->cr_uidinfo); 2003 newcred->cr_uidinfo = euip; 2004 } 2005 2006 /*- 2007 * Change a process's effective gid. 2008 * Side effects: newcred->cr_gid will be modified. 2009 * References: newcred must be an exclusive credential reference for the 2010 * duration of the call. 2011 */ 2012 void 2013 change_egid(struct ucred *newcred, gid_t egid) 2014 { 2015 2016 newcred->cr_groups[0] = egid; 2017 } 2018 2019 /*- 2020 * Change a process's real uid. 2021 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2022 * will be updated, and the old and new cr_ruidinfo proc 2023 * counts will be updated. 2024 * References: newcred must be an exclusive credential reference for the 2025 * duration of the call. 2026 */ 2027 void 2028 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2029 { 2030 2031 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2032 newcred->cr_ruid = ruip->ui_uid; 2033 uihold(ruip); 2034 uifree(newcred->cr_ruidinfo); 2035 newcred->cr_ruidinfo = ruip; 2036 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2037 } 2038 2039 /*- 2040 * Change a process's real gid. 2041 * Side effects: newcred->cr_rgid will be updated. 2042 * References: newcred must be an exclusive credential reference for the 2043 * duration of the call. 2044 */ 2045 void 2046 change_rgid(struct ucred *newcred, gid_t rgid) 2047 { 2048 2049 newcred->cr_rgid = rgid; 2050 } 2051 2052 /*- 2053 * Change a process's saved uid. 2054 * Side effects: newcred->cr_svuid will be updated. 2055 * References: newcred must be an exclusive credential reference for the 2056 * duration of the call. 2057 */ 2058 void 2059 change_svuid(struct ucred *newcred, uid_t svuid) 2060 { 2061 2062 newcred->cr_svuid = svuid; 2063 } 2064 2065 /*- 2066 * Change a process's saved gid. 2067 * Side effects: newcred->cr_svgid will be updated. 2068 * References: newcred must be an exclusive credential reference for the 2069 * duration of the call. 2070 */ 2071 void 2072 change_svgid(struct ucred *newcred, gid_t svgid) 2073 { 2074 2075 newcred->cr_svgid = svgid; 2076 } 2077