1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 5 * (c) UNIX System Laboratories, Inc. 6 * 7 * All or some portions of this file are derived from material licensed 8 * to the University of California by American Telephone and Telegraph 9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 10 * the permission of UNIX System Laboratories, Inc. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. All advertising materials mentioning features or use of this software 21 * must display the following acknowledgement: 22 * This product includes software developed by the University of 23 * California, Berkeley and its contributors. 24 * 4. Neither the name of the University nor the names of its contributors 25 * may be used to endorse or promote products derived from this software 26 * without specific prior written permission. 27 * 28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 31 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 * 40 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 41 * $FreeBSD$ 42 */ 43 44 /* 45 * System calls related to processes and protection 46 */ 47 48 #include "opt_compat.h" 49 #include "opt_global.h" 50 51 #include <sys/param.h> 52 #include <sys/systm.h> 53 #include <sys/acct.h> 54 #include <sys/kernel.h> 55 #include <sys/lock.h> 56 #include <sys/mutex.h> 57 #include <sys/proc.h> 58 #include <sys/sysproto.h> 59 #include <sys/malloc.h> 60 #include <sys/pioctl.h> 61 #include <sys/resourcevar.h> 62 #include <sys/sysctl.h> 63 #include <sys/jail.h> 64 65 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 66 67 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 68 "Kernel security policy"); 69 70 #ifndef _SYS_SYSPROTO_H_ 71 struct getpid_args { 72 int dummy; 73 }; 74 #endif 75 76 /* 77 * getpid 78 */ 79 80 /* 81 * MPSAFE 82 */ 83 /* ARGSUSED */ 84 int 85 getpid(td, uap) 86 struct thread *td; 87 struct getpid_args *uap; 88 { 89 struct proc *p = td->td_proc; 90 int s; 91 92 s = mtx_lock_giant(kern_giant_proc); 93 td->td_retval[0] = p->p_pid; 94 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 95 PROC_LOCK(p); 96 td->td_retval[1] = p->p_pptr->p_pid; 97 PROC_UNLOCK(p); 98 #endif 99 mtx_unlock_giant(s); 100 return (0); 101 } 102 103 /* 104 * getppid 105 */ 106 107 #ifndef _SYS_SYSPROTO_H_ 108 struct getppid_args { 109 int dummy; 110 }; 111 #endif 112 /* 113 * MPSAFE 114 */ 115 /* ARGSUSED */ 116 int 117 getppid(td, uap) 118 struct thread *td; 119 struct getppid_args *uap; 120 { 121 struct proc *p = td->td_proc; 122 int s; 123 124 s = mtx_lock_giant(kern_giant_proc); 125 PROC_LOCK(p); 126 td->td_retval[0] = p->p_pptr->p_pid; 127 PROC_UNLOCK(p); 128 mtx_unlock_giant(s); 129 return (0); 130 } 131 132 /* 133 * Get process group ID; note that POSIX getpgrp takes no parameter 134 * 135 * MP SAFE 136 */ 137 #ifndef _SYS_SYSPROTO_H_ 138 struct getpgrp_args { 139 int dummy; 140 }; 141 #endif 142 /* 143 * MPSAFE 144 */ 145 int 146 getpgrp(td, uap) 147 struct thread *td; 148 struct getpgrp_args *uap; 149 { 150 struct proc *p = td->td_proc; 151 152 mtx_lock(&Giant); 153 td->td_retval[0] = p->p_pgrp->pg_id; 154 mtx_unlock(&Giant); 155 return (0); 156 } 157 158 /* Get an arbitary pid's process group id */ 159 #ifndef _SYS_SYSPROTO_H_ 160 struct getpgid_args { 161 pid_t pid; 162 }; 163 #endif 164 165 /* 166 * MPSAFE 167 */ 168 int 169 getpgid(td, uap) 170 struct thread *td; 171 struct getpgid_args *uap; 172 { 173 struct proc *p = td->td_proc; 174 struct proc *pt; 175 int error = 0; 176 int s; 177 178 s = mtx_lock_giant(kern_giant_proc); 179 if (uap->pid == 0) 180 td->td_retval[0] = p->p_pgrp->pg_id; 181 else if ((pt = pfind(uap->pid)) == NULL) 182 error = ESRCH; 183 else { 184 error = p_cansee(p, pt); 185 if (error == 0) 186 td->td_retval[0] = pt->p_pgrp->pg_id; 187 PROC_UNLOCK(pt); 188 } 189 mtx_unlock_giant(s); 190 return (error); 191 } 192 193 /* 194 * Get an arbitary pid's session id. 195 */ 196 #ifndef _SYS_SYSPROTO_H_ 197 struct getsid_args { 198 pid_t pid; 199 }; 200 #endif 201 202 /* 203 * MPSAFE 204 */ 205 int 206 getsid(td, uap) 207 struct thread *td; 208 struct getsid_args *uap; 209 { 210 struct proc *p = td->td_proc; 211 struct proc *pt; 212 int error = 0; 213 214 mtx_lock(&Giant); 215 if (uap->pid == 0) 216 td->td_retval[0] = p->p_session->s_sid; 217 else if ((pt = pfind(uap->pid)) == NULL) 218 error = ESRCH; 219 else { 220 error = p_cansee(p, pt); 221 if (error == 0) 222 td->td_retval[0] = pt->p_session->s_sid; 223 PROC_UNLOCK(pt); 224 } 225 mtx_unlock(&Giant); 226 return (error); 227 } 228 229 230 /* 231 * getuid() - MP SAFE 232 */ 233 #ifndef _SYS_SYSPROTO_H_ 234 struct getuid_args { 235 int dummy; 236 }; 237 #endif 238 239 /* 240 * MPSAFE 241 */ 242 /* ARGSUSED */ 243 int 244 getuid(td, uap) 245 struct thread *td; 246 struct getuid_args *uap; 247 { 248 struct proc *p = td->td_proc; 249 250 mtx_lock(&Giant); 251 td->td_retval[0] = p->p_ucred->cr_ruid; 252 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 253 td->td_retval[1] = p->p_ucred->cr_uid; 254 #endif 255 mtx_unlock(&Giant); 256 return (0); 257 } 258 259 /* 260 * geteuid() - MP SAFE 261 */ 262 #ifndef _SYS_SYSPROTO_H_ 263 struct geteuid_args { 264 int dummy; 265 }; 266 #endif 267 268 /* ARGSUSED */ 269 int 270 geteuid(td, uap) 271 struct thread *td; 272 struct geteuid_args *uap; 273 { 274 mtx_lock(&Giant); 275 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 276 mtx_unlock(&Giant); 277 return (0); 278 } 279 280 /* 281 * getgid() - MP SAFE 282 */ 283 #ifndef _SYS_SYSPROTO_H_ 284 struct getgid_args { 285 int dummy; 286 }; 287 #endif 288 289 /* 290 * MPSAFE 291 */ 292 /* ARGSUSED */ 293 int 294 getgid(td, uap) 295 struct thread *td; 296 struct getgid_args *uap; 297 { 298 struct proc *p = td->td_proc; 299 300 mtx_lock(&Giant); 301 td->td_retval[0] = p->p_ucred->cr_rgid; 302 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 303 td->td_retval[1] = p->p_ucred->cr_groups[0]; 304 #endif 305 mtx_unlock(&Giant); 306 return (0); 307 } 308 309 /* 310 * Get effective group ID. The "egid" is groups[0], and could be obtained 311 * via getgroups. This syscall exists because it is somewhat painful to do 312 * correctly in a library function. 313 */ 314 #ifndef _SYS_SYSPROTO_H_ 315 struct getegid_args { 316 int dummy; 317 }; 318 #endif 319 320 /* 321 * MPSAFE 322 */ 323 /* ARGSUSED */ 324 int 325 getegid(td, uap) 326 struct thread *td; 327 struct getegid_args *uap; 328 { 329 struct proc *p = td->td_proc; 330 331 mtx_lock(&Giant); 332 td->td_retval[0] = p->p_ucred->cr_groups[0]; 333 mtx_unlock(&Giant); 334 return (0); 335 } 336 337 #ifndef _SYS_SYSPROTO_H_ 338 struct getgroups_args { 339 u_int gidsetsize; 340 gid_t *gidset; 341 }; 342 #endif 343 /* 344 * MPSAFE 345 */ 346 int 347 getgroups(td, uap) 348 struct thread *td; 349 register struct getgroups_args *uap; 350 { 351 struct ucred *cred; 352 struct proc *p = td->td_proc; 353 u_int ngrp; 354 int error = 0; 355 356 mtx_lock(&Giant); 357 cred = p->p_ucred; 358 if ((ngrp = uap->gidsetsize) == 0) { 359 td->td_retval[0] = cred->cr_ngroups; 360 error = 0; 361 goto done2; 362 } 363 if (ngrp < cred->cr_ngroups) { 364 error = EINVAL; 365 goto done2; 366 } 367 ngrp = cred->cr_ngroups; 368 if ((error = copyout((caddr_t)cred->cr_groups, 369 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) { 370 goto done2; 371 } 372 td->td_retval[0] = ngrp; 373 done2: 374 mtx_unlock(&Giant); 375 return (error); 376 } 377 378 #ifndef _SYS_SYSPROTO_H_ 379 struct setsid_args { 380 int dummy; 381 }; 382 #endif 383 384 /* 385 * MPSAFE 386 */ 387 /* ARGSUSED */ 388 int 389 setsid(td, uap) 390 register struct thread *td; 391 struct setsid_args *uap; 392 { 393 int error; 394 struct proc *p = td->td_proc; 395 396 mtx_lock(&Giant); 397 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 398 error = EPERM; 399 } else { 400 (void)enterpgrp(p, p->p_pid, 1); 401 td->td_retval[0] = p->p_pid; 402 error = 0; 403 } 404 mtx_unlock(&Giant); 405 return (error); 406 } 407 408 /* 409 * set process group (setpgid/old setpgrp) 410 * 411 * caller does setpgid(targpid, targpgid) 412 * 413 * pid must be caller or child of caller (ESRCH) 414 * if a child 415 * pid must be in same session (EPERM) 416 * pid can't have done an exec (EACCES) 417 * if pgid != pid 418 * there must exist some pid in same session having pgid (EPERM) 419 * pid must not be session leader (EPERM) 420 */ 421 #ifndef _SYS_SYSPROTO_H_ 422 struct setpgid_args { 423 int pid; /* target process id */ 424 int pgid; /* target pgrp id */ 425 }; 426 #endif 427 /* 428 * MPSAFE 429 */ 430 /* ARGSUSED */ 431 int 432 setpgid(td, uap) 433 struct thread *td; 434 register struct setpgid_args *uap; 435 { 436 struct proc *curp = td->td_proc; 437 register struct proc *targp; /* target process */ 438 register struct pgrp *pgrp; /* target pgrp */ 439 int error; 440 441 if (uap->pgid < 0) 442 return (EINVAL); 443 444 mtx_lock(&Giant); 445 446 if (uap->pid != 0 && uap->pid != curp->p_pid) { 447 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 448 if (targp) 449 PROC_UNLOCK(targp); 450 error = ESRCH; 451 goto done2; 452 } 453 if ((error = p_cansee(curproc, targp))) { 454 PROC_UNLOCK(targp); 455 goto done2; 456 } 457 if (targp->p_pgrp == NULL || 458 targp->p_session != curp->p_session) { 459 PROC_UNLOCK(targp); 460 error = EPERM; 461 goto done2; 462 } 463 if (targp->p_flag & P_EXEC) { 464 PROC_UNLOCK(targp); 465 error = EACCES; 466 goto done2; 467 } 468 } else { 469 targp = curp; 470 PROC_LOCK(curp); /* XXX: not needed */ 471 } 472 if (SESS_LEADER(targp)) { 473 PROC_UNLOCK(targp); 474 error = EPERM; 475 goto done2; 476 } 477 if (uap->pgid == 0) { 478 uap->pgid = targp->p_pid; 479 } else if (uap->pgid != targp->p_pid) { 480 if ((pgrp = pgfind(uap->pgid)) == 0 || 481 pgrp->pg_session != curp->p_session) { 482 PROC_UNLOCK(targp); 483 error = EPERM; 484 goto done2; 485 } 486 } 487 /* XXX: We should probably hold the lock across enterpgrp. */ 488 PROC_UNLOCK(targp); 489 error = enterpgrp(targp, uap->pgid, 0); 490 done2: 491 mtx_unlock(&Giant); 492 return (error); 493 } 494 495 /* 496 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 497 * compatible. It says that setting the uid/gid to euid/egid is a special 498 * case of "appropriate privilege". Once the rules are expanded out, this 499 * basically means that setuid(nnn) sets all three id's, in all permitted 500 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 501 * does not set the saved id - this is dangerous for traditional BSD 502 * programs. For this reason, we *really* do not want to set 503 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 504 */ 505 #define POSIX_APPENDIX_B_4_2_2 506 507 #ifndef _SYS_SYSPROTO_H_ 508 struct setuid_args { 509 uid_t uid; 510 }; 511 #endif 512 /* 513 * MPSAFE 514 */ 515 /* ARGSUSED */ 516 int 517 setuid(td, uap) 518 struct thread *td; 519 struct setuid_args *uap; 520 { 521 struct proc *p = td->td_proc; 522 struct ucred *newcred, *oldcred; 523 uid_t uid; 524 int error = 0; 525 526 uid = uap->uid; 527 oldcred = p->p_ucred; 528 mtx_lock(&Giant); 529 530 /* 531 * See if we have "permission" by POSIX 1003.1 rules. 532 * 533 * Note that setuid(geteuid()) is a special case of 534 * "appropriate privileges" in appendix B.4.2.2. We need 535 * to use this clause to be compatible with traditional BSD 536 * semantics. Basically, it means that "setuid(xx)" sets all 537 * three id's (assuming you have privs). 538 * 539 * Notes on the logic. We do things in three steps. 540 * 1: We determine if the euid is going to change, and do EPERM 541 * right away. We unconditionally change the euid later if this 542 * test is satisfied, simplifying that part of the logic. 543 * 2: We determine if the real and/or saved uid's are going to 544 * change. Determined by compile options. 545 * 3: Change euid last. (after tests in #2 for "appropriate privs") 546 */ 547 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 548 #ifdef _POSIX_SAVED_IDS 549 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 550 #endif 551 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 552 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 553 #endif 554 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 555 goto done2; 556 557 newcred = crdup(oldcred); 558 #ifdef _POSIX_SAVED_IDS 559 /* 560 * Do we have "appropriate privileges" (are we root or uid == euid) 561 * If so, we are changing the real uid and/or saved uid. 562 */ 563 if ( 564 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 565 uid == oldcred->cr_uid || 566 #endif 567 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 568 #endif 569 { 570 /* 571 * Set the real uid and transfer proc count to new user. 572 */ 573 if (uid != oldcred->cr_ruid) { 574 change_ruid(newcred, uid); 575 setsugid(p); 576 } 577 /* 578 * Set saved uid 579 * 580 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 581 * the security of seteuid() depends on it. B.4.2.2 says it 582 * is important that we should do this. 583 */ 584 if (uid != oldcred->cr_svuid) { 585 change_svuid(newcred, uid); 586 setsugid(p); 587 } 588 } 589 590 /* 591 * In all permitted cases, we are changing the euid. 592 * Copy credentials so other references do not see our changes. 593 */ 594 if (uid != oldcred->cr_uid) { 595 change_euid(newcred, uid); 596 setsugid(p); 597 } 598 p->p_ucred = newcred; 599 crfree(oldcred); 600 done2: 601 mtx_unlock(&Giant); 602 return (error); 603 } 604 605 #ifndef _SYS_SYSPROTO_H_ 606 struct seteuid_args { 607 uid_t euid; 608 }; 609 #endif 610 /* 611 * MPSAFE 612 */ 613 /* ARGSUSED */ 614 int 615 seteuid(td, uap) 616 struct thread *td; 617 struct seteuid_args *uap; 618 { 619 struct proc *p = td->td_proc; 620 struct ucred *newcred, *oldcred; 621 uid_t euid; 622 int error = 0; 623 624 euid = uap->euid; 625 626 mtx_lock(&Giant); 627 oldcred = p->p_ucred; 628 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 629 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 630 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 631 goto done2; 632 } 633 /* 634 * Everything's okay, do it. Copy credentials so other references do 635 * not see our changes. 636 */ 637 newcred = crdup(oldcred); 638 if (oldcred->cr_uid != euid) { 639 change_euid(newcred, euid); 640 setsugid(p); 641 } 642 p->p_ucred = newcred; 643 crfree(oldcred); 644 done2: 645 mtx_unlock(&Giant); 646 return (error); 647 } 648 649 #ifndef _SYS_SYSPROTO_H_ 650 struct setgid_args { 651 gid_t gid; 652 }; 653 #endif 654 /* 655 * MPSAFE 656 */ 657 /* ARGSUSED */ 658 int 659 setgid(td, uap) 660 struct thread *td; 661 struct setgid_args *uap; 662 { 663 struct proc *p = td->td_proc; 664 struct ucred *newcred, *oldcred; 665 gid_t gid; 666 int error = 0; 667 668 gid = uap->gid; 669 670 mtx_lock(&Giant); 671 oldcred = p->p_ucred; 672 /* 673 * See if we have "permission" by POSIX 1003.1 rules. 674 * 675 * Note that setgid(getegid()) is a special case of 676 * "appropriate privileges" in appendix B.4.2.2. We need 677 * to use this clause to be compatible with traditional BSD 678 * semantics. Basically, it means that "setgid(xx)" sets all 679 * three id's (assuming you have privs). 680 * 681 * For notes on the logic here, see setuid() above. 682 */ 683 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 684 #ifdef _POSIX_SAVED_IDS 685 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 686 #endif 687 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 688 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 689 #endif 690 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 691 goto done2; 692 } 693 694 newcred = crdup(oldcred); 695 #ifdef _POSIX_SAVED_IDS 696 /* 697 * Do we have "appropriate privileges" (are we root or gid == egid) 698 * If so, we are changing the real uid and saved gid. 699 */ 700 if ( 701 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 702 gid == oldcred->cr_groups[0] || 703 #endif 704 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 705 #endif 706 { 707 /* 708 * Set real gid 709 */ 710 if (oldcred->cr_rgid != gid) { 711 change_rgid(newcred, gid); 712 setsugid(p); 713 } 714 /* 715 * Set saved gid 716 * 717 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 718 * the security of setegid() depends on it. B.4.2.2 says it 719 * is important that we should do this. 720 */ 721 if (oldcred->cr_svgid != gid) { 722 change_svgid(newcred, gid); 723 setsugid(p); 724 } 725 } 726 /* 727 * In all cases permitted cases, we are changing the egid. 728 * Copy credentials so other references do not see our changes. 729 */ 730 if (oldcred->cr_groups[0] != gid) { 731 change_egid(newcred, gid); 732 setsugid(p); 733 } 734 p->p_ucred = newcred; 735 crfree(oldcred); 736 done2: 737 mtx_unlock(&Giant); 738 return (error); 739 } 740 741 #ifndef _SYS_SYSPROTO_H_ 742 struct setegid_args { 743 gid_t egid; 744 }; 745 #endif 746 /* 747 * MPSAFE 748 */ 749 /* ARGSUSED */ 750 int 751 setegid(td, uap) 752 struct thread *td; 753 struct setegid_args *uap; 754 { 755 struct proc *p = td->td_proc; 756 struct ucred *newcred, *oldcred; 757 gid_t egid; 758 int error = 0; 759 760 egid = uap->egid; 761 762 mtx_lock(&Giant); 763 oldcred = p->p_ucred; 764 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 765 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 766 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 767 goto done2; 768 } 769 newcred = crdup(oldcred); 770 if (oldcred->cr_groups[0] != egid) { 771 change_egid(newcred, egid); 772 setsugid(p); 773 } 774 p->p_ucred = newcred; 775 crfree(oldcred); 776 done2: 777 mtx_unlock(&Giant); 778 return (error); 779 } 780 781 #ifndef _SYS_SYSPROTO_H_ 782 struct setgroups_args { 783 u_int gidsetsize; 784 gid_t *gidset; 785 }; 786 #endif 787 /* 788 * MPSAFE 789 */ 790 /* ARGSUSED */ 791 int 792 setgroups(td, uap) 793 struct thread *td; 794 struct setgroups_args *uap; 795 { 796 struct proc *p = td->td_proc; 797 struct ucred *newcred, *oldcred; 798 u_int ngrp; 799 int error; 800 801 mtx_lock(&Giant); 802 803 ngrp = uap->gidsetsize; 804 oldcred = p->p_ucred; 805 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 806 goto done2; 807 if (ngrp > NGROUPS) { 808 error = EINVAL; 809 goto done2; 810 } 811 /* 812 * XXX A little bit lazy here. We could test if anything has 813 * changed before crcopy() and setting P_SUGID. 814 */ 815 newcred = crdup(oldcred); 816 if (ngrp < 1) { 817 /* 818 * setgroups(0, NULL) is a legitimate way of clearing the 819 * groups vector on non-BSD systems (which generally do not 820 * have the egid in the groups[0]). We risk security holes 821 * when running non-BSD software if we do not do the same. 822 */ 823 newcred->cr_ngroups = 1; 824 } else { 825 if ((error = copyin((caddr_t)uap->gidset, 826 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 827 crfree(newcred); 828 goto done2; 829 } 830 newcred->cr_ngroups = ngrp; 831 } 832 setsugid(p); 833 p->p_ucred = newcred; 834 crfree(oldcred); 835 done2: 836 mtx_unlock(&Giant); 837 return (error); 838 } 839 840 #ifndef _SYS_SYSPROTO_H_ 841 struct setreuid_args { 842 uid_t ruid; 843 uid_t euid; 844 }; 845 #endif 846 /* 847 * MPSAFE 848 */ 849 /* ARGSUSED */ 850 int 851 setreuid(td, uap) 852 register struct thread *td; 853 struct setreuid_args *uap; 854 { 855 struct proc *p = td->td_proc; 856 struct ucred *newcred, *oldcred; 857 uid_t ruid, euid; 858 int error = 0; 859 860 ruid = uap->ruid; 861 euid = uap->euid; 862 863 mtx_lock(&Giant); 864 865 oldcred = p->p_ucred; 866 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 867 ruid != oldcred->cr_svuid) || 868 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 869 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 870 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 871 goto done2; 872 } 873 newcred = crdup(oldcred); 874 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 875 change_euid(newcred, euid); 876 setsugid(p); 877 } 878 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 879 change_ruid(newcred, ruid); 880 setsugid(p); 881 } 882 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 883 newcred->cr_svuid != newcred->cr_uid) { 884 change_svuid(newcred, newcred->cr_uid); 885 setsugid(p); 886 } 887 p->p_ucred = newcred; 888 crfree(oldcred); 889 done2: 890 mtx_unlock(&Giant); 891 return (error); 892 } 893 894 #ifndef _SYS_SYSPROTO_H_ 895 struct setregid_args { 896 gid_t rgid; 897 gid_t egid; 898 }; 899 #endif 900 /* 901 * MPSAFE 902 */ 903 /* ARGSUSED */ 904 int 905 setregid(td, uap) 906 register struct thread *td; 907 struct setregid_args *uap; 908 { 909 struct proc *p = td->td_proc; 910 struct ucred *newcred, *oldcred; 911 gid_t rgid, egid; 912 int error = 0; 913 914 rgid = uap->rgid; 915 egid = uap->egid; 916 917 mtx_lock(&Giant); 918 919 oldcred = p->p_ucred; 920 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 921 rgid != oldcred->cr_svgid) || 922 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 923 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 924 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 925 goto done2; 926 } 927 928 newcred = crdup(oldcred); 929 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 930 change_egid(newcred, egid); 931 setsugid(p); 932 } 933 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 934 change_rgid(newcred, rgid); 935 setsugid(p); 936 } 937 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 938 newcred->cr_svgid != newcred->cr_groups[0]) { 939 change_svgid(newcred, newcred->cr_groups[0]); 940 setsugid(p); 941 } 942 p->p_ucred = newcred; 943 crfree(oldcred); 944 done2: 945 mtx_unlock(&Giant); 946 return (error); 947 } 948 949 /* 950 * setresuid(ruid, euid, suid) is like setreuid except control over the 951 * saved uid is explicit. 952 */ 953 954 #ifndef _SYS_SYSPROTO_H_ 955 struct setresuid_args { 956 uid_t ruid; 957 uid_t euid; 958 uid_t suid; 959 }; 960 #endif 961 /* 962 * MPSAFE 963 */ 964 /* ARGSUSED */ 965 int 966 setresuid(td, uap) 967 register struct thread *td; 968 struct setresuid_args *uap; 969 { 970 struct proc *p = td->td_proc; 971 struct ucred *newcred, *oldcred; 972 uid_t ruid, euid, suid; 973 int error; 974 975 ruid = uap->ruid; 976 euid = uap->euid; 977 suid = uap->suid; 978 979 mtx_lock(&Giant); 980 oldcred = p->p_ucred; 981 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 982 ruid != oldcred->cr_svuid && 983 ruid != oldcred->cr_uid) || 984 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 985 euid != oldcred->cr_svuid && 986 euid != oldcred->cr_uid) || 987 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 988 suid != oldcred->cr_svuid && 989 suid != oldcred->cr_uid)) && 990 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 991 goto done2; 992 } 993 994 newcred = crdup(oldcred); 995 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 996 change_euid(newcred, euid); 997 setsugid(p); 998 } 999 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1000 change_ruid(newcred, ruid); 1001 setsugid(p); 1002 } 1003 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1004 change_svuid(newcred, suid); 1005 setsugid(p); 1006 } 1007 p->p_ucred = newcred; 1008 crfree(oldcred); 1009 error = 0; 1010 done2: 1011 mtx_unlock(&Giant); 1012 return (error); 1013 } 1014 1015 /* 1016 * setresgid(rgid, egid, sgid) is like setregid except control over the 1017 * saved gid is explicit. 1018 */ 1019 1020 #ifndef _SYS_SYSPROTO_H_ 1021 struct setresgid_args { 1022 gid_t rgid; 1023 gid_t egid; 1024 gid_t sgid; 1025 }; 1026 #endif 1027 /* 1028 * MPSAFE 1029 */ 1030 /* ARGSUSED */ 1031 int 1032 setresgid(td, uap) 1033 register struct thread *td; 1034 struct setresgid_args *uap; 1035 { 1036 struct proc *p = td->td_proc; 1037 struct ucred *newcred, *oldcred; 1038 gid_t rgid, egid, sgid; 1039 int error; 1040 1041 rgid = uap->rgid; 1042 egid = uap->egid; 1043 sgid = uap->sgid; 1044 1045 mtx_lock(&Giant); 1046 oldcred = p->p_ucred; 1047 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1048 rgid != oldcred->cr_svgid && 1049 rgid != oldcred->cr_groups[0]) || 1050 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1051 egid != oldcred->cr_svgid && 1052 egid != oldcred->cr_groups[0]) || 1053 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1054 sgid != oldcred->cr_svgid && 1055 sgid != oldcred->cr_groups[0])) && 1056 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1057 goto done2; 1058 } 1059 newcred = crdup(oldcred); 1060 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1061 change_egid(newcred, egid); 1062 setsugid(p); 1063 } 1064 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1065 change_rgid(newcred, rgid); 1066 setsugid(p); 1067 } 1068 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1069 change_svgid(newcred, sgid); 1070 setsugid(p); 1071 } 1072 p->p_ucred = newcred; 1073 crfree(oldcred); 1074 error = 0; 1075 done2: 1076 mtx_unlock(&Giant); 1077 return (error); 1078 } 1079 1080 #ifndef _SYS_SYSPROTO_H_ 1081 struct getresuid_args { 1082 uid_t *ruid; 1083 uid_t *euid; 1084 uid_t *suid; 1085 }; 1086 #endif 1087 /* 1088 * MPSAFE 1089 */ 1090 /* ARGSUSED */ 1091 int 1092 getresuid(td, uap) 1093 register struct thread *td; 1094 struct getresuid_args *uap; 1095 { 1096 struct ucred *cred; 1097 struct proc *p = td->td_proc; 1098 int error1 = 0, error2 = 0, error3 = 0; 1099 1100 mtx_lock(&Giant); 1101 cred = p->p_ucred; 1102 1103 if (uap->ruid) 1104 error1 = copyout((caddr_t)&cred->cr_ruid, 1105 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1106 if (uap->euid) 1107 error2 = copyout((caddr_t)&cred->cr_uid, 1108 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1109 if (uap->suid) 1110 error3 = copyout((caddr_t)&cred->cr_svuid, 1111 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1112 mtx_unlock(&Giant); 1113 return error1 ? error1 : (error2 ? error2 : error3); 1114 } 1115 1116 #ifndef _SYS_SYSPROTO_H_ 1117 struct getresgid_args { 1118 gid_t *rgid; 1119 gid_t *egid; 1120 gid_t *sgid; 1121 }; 1122 #endif 1123 /* 1124 * MPSAFE 1125 */ 1126 /* ARGSUSED */ 1127 int 1128 getresgid(td, uap) 1129 register struct thread *td; 1130 struct getresgid_args *uap; 1131 { 1132 struct ucred *cred; 1133 struct proc *p = td->td_proc; 1134 int error1 = 0, error2 = 0, error3 = 0; 1135 1136 mtx_lock(&Giant); 1137 cred = p->p_ucred; 1138 1139 if (uap->rgid) 1140 error1 = copyout((caddr_t)&cred->cr_rgid, 1141 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1142 if (uap->egid) 1143 error2 = copyout((caddr_t)&cred->cr_groups[0], 1144 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1145 if (uap->sgid) 1146 error3 = copyout((caddr_t)&cred->cr_svgid, 1147 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1148 mtx_unlock(&Giant); 1149 return error1 ? error1 : (error2 ? error2 : error3); 1150 } 1151 1152 1153 #ifndef _SYS_SYSPROTO_H_ 1154 struct issetugid_args { 1155 int dummy; 1156 }; 1157 #endif 1158 /* ARGSUSED */ 1159 int 1160 issetugid(td, uap) 1161 register struct thread *td; 1162 struct issetugid_args *uap; 1163 { 1164 struct proc *p = td->td_proc; 1165 1166 /* 1167 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1168 * we use P_SUGID because we consider changing the owners as 1169 * "tainting" as well. 1170 * This is significant for procs that start as root and "become" 1171 * a user without an exec - programs cannot know *everything* 1172 * that libc *might* have put in their data segment. 1173 */ 1174 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1175 return (0); 1176 } 1177 1178 /* 1179 * MPSAFE 1180 */ 1181 int 1182 __setugid(td, uap) 1183 struct thread *td; 1184 struct __setugid_args *uap; 1185 { 1186 #ifdef REGRESSION 1187 int error = 0; 1188 1189 mtx_lock(&Giant); 1190 switch (uap->flag) { 1191 case 0: 1192 td->td_proc->p_flag &= ~P_SUGID; 1193 break; 1194 case 1: 1195 td->td_proc->p_flag |= P_SUGID; 1196 break; 1197 default: 1198 error = EINVAL; 1199 break; 1200 } 1201 mtx_unlock(&Giant); 1202 return (error); 1203 #else /* !REGRESSION */ 1204 return (ENOSYS); 1205 #endif /* !REGRESSION */ 1206 } 1207 1208 /* 1209 * Check if gid is a member of the group set. 1210 */ 1211 int 1212 groupmember(gid, cred) 1213 gid_t gid; 1214 struct ucred *cred; 1215 { 1216 register gid_t *gp; 1217 gid_t *egp; 1218 1219 egp = &(cred->cr_groups[cred->cr_ngroups]); 1220 for (gp = cred->cr_groups; gp < egp; gp++) 1221 if (*gp == gid) 1222 return (1); 1223 return (0); 1224 } 1225 1226 /* 1227 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1228 * sysctl) determines whether the system 'super-user' policy is in effect. 1229 * If it is nonzero, an effective uid of 0 connotes special privilege, 1230 * overriding many mandatory and discretionary protections. If it is zero, 1231 * uid 0 is offered no special privilege in the kernel security policy. 1232 * Setting it to zero may seriously impact the functionality of many 1233 * existing userland programs, and should not be done without careful 1234 * consideration of the consequences. 1235 */ 1236 int suser_enabled = 1; 1237 SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW, 1238 &suser_enabled, 0, "processes with uid 0 have privilege"); 1239 1240 /* 1241 * Test whether the specified credentials imply "super-user" privilege. 1242 * Return 0 or EPERM. 1243 */ 1244 int 1245 suser(p) 1246 struct proc *p; 1247 { 1248 return suser_xxx(0, p, 0); 1249 } 1250 1251 /* 1252 * version for when the thread pointer is available and not the proc. 1253 * (saves having to include proc.h into every file that needs to do the change.) 1254 */ 1255 int 1256 suser_td(td) 1257 1258 struct thread *td; 1259 { 1260 return suser_xxx(0, td->td_proc, 0); 1261 } 1262 1263 /* 1264 * wrapper to use if you have the thread on hand but not the proc. 1265 */ 1266 int 1267 suser_xxx_td(cred, td, flag) 1268 struct ucred *cred; 1269 struct thread *td; 1270 int flag; 1271 { 1272 return(suser_xxx(cred, td->td_proc, flag)); 1273 } 1274 1275 int 1276 suser_xxx(cred, proc, flag) 1277 struct ucred *cred; 1278 struct proc *proc; 1279 int flag; 1280 { 1281 if (!suser_enabled) 1282 return (EPERM); 1283 if (!cred && !proc) { 1284 printf("suser_xxx(): THINK!\n"); 1285 return (EPERM); 1286 } 1287 if (!cred) 1288 cred = proc->p_ucred; 1289 if (cred->cr_uid != 0) 1290 return (EPERM); 1291 if (jailed(cred) && !(flag & PRISON_ROOT)) 1292 return (EPERM); 1293 return (0); 1294 } 1295 1296 /* 1297 * Test (local, globale) securelevel values against passed required 1298 * securelevel. _gt implements (level > securelevel), and _ge implements 1299 * (level >= securelevel). Returns 0 oer EPERM. 1300 * 1301 * cr is permitted to be NULL for the time being, as there were some 1302 * existing securelevel checks that occurred without a process/credential 1303 * context. In the future this will be disallowed, so a kernel 1304 * message is displayed. 1305 */ 1306 int 1307 securelevel_gt(struct ucred *cr, int level) 1308 { 1309 1310 if (cr == NULL) { 1311 printf("securelevel_gt: cr is NULL\n"); 1312 if (level > securelevel) 1313 return (0); 1314 else 1315 return (EPERM); 1316 } else if (cr->cr_prison == NULL) { 1317 if (level > securelevel) 1318 return (0); 1319 else 1320 return (EPERM); 1321 } else { 1322 if (level > imax(cr->cr_prison->pr_securelevel, securelevel)) 1323 return (0); 1324 else 1325 return (EPERM); 1326 } 1327 1328 } 1329 1330 int 1331 securelevel_ge(struct ucred *cr, int level) 1332 { 1333 1334 if (cr == NULL) { 1335 printf("securelevel_ge: cr is NULL\n"); 1336 if (level >= securelevel) 1337 return (0); 1338 else 1339 return (EPERM); 1340 } if (cr->cr_prison == NULL) { 1341 if (level >= securelevel) 1342 return (0); 1343 else 1344 return (EPERM); 1345 } else { 1346 if (level >= imax(cr->cr_prison->pr_securelevel, securelevel)) 1347 return (0); 1348 else 1349 return (EPERM); 1350 } 1351 } 1352 1353 /* 1354 * kern_security_seeotheruids_permitted determines whether or not visibility 1355 * of processes and sockets with credentials holding different real uid's 1356 * is possible using a variety of system MIBs. 1357 */ 1358 static int kern_security_seeotheruids_permitted = 1; 1359 SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted, 1360 CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0, 1361 "Unprivileged processes may see subjects/objects with different real uid"); 1362 1363 /*- 1364 * Determine if u1 "can see" the subject specified by u2. 1365 * Returns: 0 for permitted, an errno value otherwise 1366 * Locks: none 1367 * References: u1 and u2 must be immutable credentials 1368 * u1 and u2 must be valid for the lifetime of the call 1369 * u1 may equal u2, in which case only one reference is required 1370 */ 1371 int 1372 cr_cansee(struct ucred *u1, struct ucred *u2) 1373 { 1374 int error; 1375 1376 if ((error = prison_check(u1, u2))) 1377 return (error); 1378 if (!kern_security_seeotheruids_permitted && 1379 u1->cr_ruid != u2->cr_ruid) { 1380 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1381 return (ESRCH); 1382 } 1383 return (0); 1384 } 1385 1386 /*- 1387 * Determine if p1 "can see" the subject specified by p2. 1388 * Returns: 0 for permitted, an errno value otherwise 1389 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1390 * be held. Normally, p1 will be curproc, and a lock must be held 1391 * for p2. 1392 * References: p1 and p2 must be valid for the lifetime of the call 1393 */ 1394 int 1395 p_cansee(struct proc *p1, struct proc *p2) 1396 { 1397 1398 /* Wrap cr_cansee() for all functionality. */ 1399 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1400 } 1401 1402 /*- 1403 * Determine whether p1 may deliver the specified signal to p2. 1404 * Returns: 0 for permitted, an errno value otherwise 1405 * Locks: Sufficient locks to protect various components of p1 and p2 1406 * must be held. Normally, p1 will be curproc, and a lock must 1407 * be held for p2. 1408 * References: p1 and p2 must be valid for the lifetime of the call 1409 */ 1410 int 1411 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1412 { 1413 int error; 1414 1415 if (p1 == p2) 1416 return (0); 1417 1418 /* 1419 * Jail semantics limit the scope of signalling to p2 in the same 1420 * jail as p1, if p1 is in jail. 1421 */ 1422 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1423 return (error); 1424 1425 /* 1426 * UNIX signalling semantics require that processes in the same 1427 * session always be able to deliver SIGCONT to one another, 1428 * overriding the remaining protections. 1429 */ 1430 if (signum == SIGCONT && p1->p_session == p2->p_session) 1431 return (0); 1432 1433 /* 1434 * UNIX signal semantics depend on the status of the P_SUGID 1435 * bit on the target process. If the bit is set, then additional 1436 * restrictions are placed on the set of available signals. 1437 */ 1438 if (p2->p_flag & P_SUGID) { 1439 switch (signum) { 1440 case 0: 1441 case SIGKILL: 1442 case SIGINT: 1443 case SIGTERM: 1444 case SIGSTOP: 1445 case SIGTTIN: 1446 case SIGTTOU: 1447 case SIGTSTP: 1448 case SIGHUP: 1449 case SIGUSR1: 1450 case SIGUSR2: 1451 /* 1452 * Generally, permit job and terminal control 1453 * signals. 1454 */ 1455 break; 1456 default: 1457 /* Not permitted, privilege is required. */ 1458 error = suser_xxx(NULL, p1, PRISON_ROOT); 1459 if (error) 1460 return (error); 1461 } 1462 } 1463 1464 /* 1465 * Generally, the target credential's ruid or svuid must match the 1466 * subject credential's ruid or euid. 1467 */ 1468 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1469 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1470 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1471 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1472 /* Not permitted, try privilege. */ 1473 error = suser_xxx(NULL, p1, PRISON_ROOT); 1474 if (error) 1475 return (error); 1476 } 1477 1478 return (0); 1479 } 1480 1481 /*- 1482 * Determine whether p1 may reschedule p2 1483 * Returns: 0 for permitted, an errno value otherwise 1484 * Locks: Sufficient locks to protect various components of p1 and p2 1485 * must be held. Normally, p1 will be curproc, and a lock must 1486 * be held for p2. 1487 * References: p1 and p2 must be valid for the lifetime of the call 1488 */ 1489 int 1490 p_cansched(struct proc *p1, struct proc *p2) 1491 { 1492 int error; 1493 1494 if (p1 == p2) 1495 return (0); 1496 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1497 return (error); 1498 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1499 return (0); 1500 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1501 return (0); 1502 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1503 return (0); 1504 1505 #ifdef CAPABILITIES 1506 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1507 return (0); 1508 #endif 1509 1510 return (EPERM); 1511 } 1512 1513 /* 1514 * The kern_unprivileged_procdebug_permitted flag may be used to disable 1515 * a variety of unprivileged inter-process debugging services, including 1516 * some procfs functionality, ptrace(), and ktrace(). In the past, 1517 * inter-process debugging has been involved in a variety of security 1518 * problems, and sites not requiring the service might choose to disable it 1519 * when hardening systems. 1520 * 1521 * XXX: Should modifying and reading this variable require locking? 1522 */ 1523 static int kern_unprivileged_procdebug_permitted = 1; 1524 SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted, 1525 CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0, 1526 "Unprivileged processes may use process debugging facilities"); 1527 1528 /*- 1529 * Determine whether p1 may debug p2. 1530 * Returns: 0 for permitted, an errno value otherwise 1531 * Locks: Sufficient locks to protect various components of p1 and p2 1532 * must be held. Normally, p1 will be curproc, and a lock must 1533 * be held for p2. 1534 * References: p1 and p2 must be valid for the lifetime of the call 1535 */ 1536 int 1537 p_candebug(struct proc *p1, struct proc *p2) 1538 { 1539 int error, i, grpsubset, uidsubset, credentialchanged; 1540 1541 if (!kern_unprivileged_procdebug_permitted) { 1542 error = suser_xxx(NULL, p1, PRISON_ROOT); 1543 if (error) 1544 return (error); 1545 } 1546 1547 if (p1 == p2) 1548 return (0); 1549 1550 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1551 return (error); 1552 1553 /* 1554 * Is p2's group set a subset of p1's effective group set? This 1555 * includes p2's egid, group access list, rgid, and svgid. 1556 */ 1557 grpsubset = 1; 1558 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1559 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1560 grpsubset = 0; 1561 break; 1562 } 1563 } 1564 grpsubset = grpsubset && 1565 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1566 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1567 1568 /* 1569 * Are the uids present in p2's credential equal to p1's 1570 * effective uid? This includes p2's euid, svuid, and ruid. 1571 */ 1572 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1573 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1574 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1575 1576 /* 1577 * Has the credential of the process changed since the last exec()? 1578 */ 1579 credentialchanged = (p2->p_flag & P_SUGID); 1580 1581 /* 1582 * If p2's gids aren't a subset, or the uids aren't a subset, 1583 * or the credential has changed, require appropriate privilege 1584 * for p1 to debug p2. For POSIX.1e capabilities, this will 1585 * require CAP_SYS_PTRACE. 1586 */ 1587 if (!grpsubset || !uidsubset || credentialchanged) { 1588 error = suser_xxx(NULL, p1, PRISON_ROOT); 1589 if (error) 1590 return (error); 1591 } 1592 1593 /* can't trace init when securelevel > 0 */ 1594 if (p2->p_pid == 1) { 1595 error = securelevel_gt(p1->p_ucred, 0); 1596 if (error) 1597 return (error); 1598 } 1599 1600 /* 1601 * Can't trace a process that's currently exec'ing. 1602 * XXX: Note, this is not a security policy decision, it's a 1603 * basic correctness/functionality decision. Therefore, this check 1604 * should be moved to the caller's of p_candebug(). 1605 */ 1606 if ((p2->p_flag & P_INEXEC) != 0) 1607 return (EAGAIN); 1608 1609 return (0); 1610 } 1611 1612 /* 1613 * Allocate a zeroed cred structure. 1614 */ 1615 struct ucred * 1616 crget() 1617 { 1618 register struct ucred *cr; 1619 1620 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1621 cr->cr_ref = 1; 1622 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1623 return (cr); 1624 } 1625 1626 /* 1627 * Claim another reference to a ucred structure. 1628 */ 1629 struct ucred * 1630 crhold(cr) 1631 struct ucred *cr; 1632 { 1633 1634 mtx_lock(&cr->cr_mtx); 1635 cr->cr_ref++; 1636 mtx_unlock(&cr->cr_mtx); 1637 return (cr); 1638 } 1639 1640 1641 /* 1642 * Free a cred structure. 1643 * Throws away space when ref count gets to 0. 1644 */ 1645 void 1646 crfree(cr) 1647 struct ucred *cr; 1648 { 1649 1650 mtx_lock(&cr->cr_mtx); 1651 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1652 if (--cr->cr_ref == 0) { 1653 mtx_destroy(&cr->cr_mtx); 1654 /* 1655 * Some callers of crget(), such as nfs_statfs(), 1656 * allocate a temporary credential, but don't 1657 * allocate a uidinfo structure. 1658 */ 1659 if (cr->cr_uidinfo != NULL) 1660 uifree(cr->cr_uidinfo); 1661 if (cr->cr_ruidinfo != NULL) 1662 uifree(cr->cr_ruidinfo); 1663 /* 1664 * Free a prison, if any. 1665 */ 1666 if (jailed(cr)) 1667 prison_free(cr->cr_prison); 1668 FREE((caddr_t)cr, M_CRED); 1669 } else { 1670 mtx_unlock(&cr->cr_mtx); 1671 } 1672 } 1673 1674 /* 1675 * Check to see if this ucred is shared. 1676 */ 1677 int 1678 crshared(cr) 1679 struct ucred *cr; 1680 { 1681 int shared; 1682 1683 mtx_lock(&cr->cr_mtx); 1684 shared = (cr->cr_ref > 1); 1685 mtx_unlock(&cr->cr_mtx); 1686 return (shared); 1687 } 1688 1689 /* 1690 * Copy a ucred's contents from a template. Does not block. 1691 */ 1692 void 1693 crcopy(dest, src) 1694 struct ucred *dest, *src; 1695 { 1696 1697 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1698 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1699 (unsigned)((caddr_t)&src->cr_endcopy - 1700 (caddr_t)&src->cr_startcopy)); 1701 uihold(dest->cr_uidinfo); 1702 uihold(dest->cr_ruidinfo); 1703 if (jailed(dest)) 1704 prison_hold(dest->cr_prison); 1705 } 1706 1707 /* 1708 * Dup cred struct to a new held one. 1709 */ 1710 struct ucred * 1711 crdup(cr) 1712 struct ucred *cr; 1713 { 1714 struct ucred *newcr; 1715 1716 newcr = crget(); 1717 crcopy(newcr, cr); 1718 return (newcr); 1719 } 1720 1721 /* 1722 * Get login name, if available. 1723 */ 1724 #ifndef _SYS_SYSPROTO_H_ 1725 struct getlogin_args { 1726 char *namebuf; 1727 u_int namelen; 1728 }; 1729 #endif 1730 /* 1731 * MPSAFE 1732 */ 1733 /* ARGSUSED */ 1734 int 1735 getlogin(td, uap) 1736 struct thread *td; 1737 struct getlogin_args *uap; 1738 { 1739 int error; 1740 struct proc *p = td->td_proc; 1741 1742 mtx_lock(&Giant); 1743 if (uap->namelen > MAXLOGNAME) 1744 uap->namelen = MAXLOGNAME; 1745 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1746 (caddr_t) uap->namebuf, uap->namelen); 1747 mtx_unlock(&Giant); 1748 return(error); 1749 } 1750 1751 /* 1752 * Set login name. 1753 */ 1754 #ifndef _SYS_SYSPROTO_H_ 1755 struct setlogin_args { 1756 char *namebuf; 1757 }; 1758 #endif 1759 /* 1760 * MPSAFE 1761 */ 1762 /* ARGSUSED */ 1763 int 1764 setlogin(td, uap) 1765 struct thread *td; 1766 struct setlogin_args *uap; 1767 { 1768 struct proc *p = td->td_proc; 1769 int error; 1770 char logintmp[MAXLOGNAME]; 1771 1772 mtx_lock(&Giant); 1773 if ((error = suser_xxx(0, p, PRISON_ROOT))) 1774 goto done2; 1775 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1776 sizeof(logintmp), (size_t *)0); 1777 if (error == ENAMETOOLONG) { 1778 error = EINVAL; 1779 } else if (!error) { 1780 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1781 sizeof(logintmp)); 1782 } 1783 done2: 1784 mtx_unlock(&Giant); 1785 return (error); 1786 } 1787 1788 void 1789 setsugid(p) 1790 struct proc *p; 1791 { 1792 p->p_flag |= P_SUGID; 1793 if (!(p->p_pfsflags & PF_ISUGID)) 1794 p->p_stops = 0; 1795 } 1796 1797 /*- 1798 * Change a process's effective uid. 1799 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1800 * References: newcred must be an exclusive credential reference for the 1801 * duration of the call. 1802 */ 1803 void 1804 change_euid(newcred, euid) 1805 struct ucred *newcred; 1806 uid_t euid; 1807 { 1808 1809 newcred->cr_uid = euid; 1810 uifree(newcred->cr_uidinfo); 1811 newcred->cr_uidinfo = uifind(euid); 1812 } 1813 1814 /*- 1815 * Change a process's effective gid. 1816 * Side effects: newcred->cr_gid will be modified. 1817 * References: newcred must be an exclusive credential reference for the 1818 * duration of the call. 1819 */ 1820 void 1821 change_egid(newcred, egid) 1822 struct ucred *newcred; 1823 gid_t egid; 1824 { 1825 1826 newcred->cr_groups[0] = egid; 1827 } 1828 1829 /*- 1830 * Change a process's real uid. 1831 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1832 * will be updated, and the old and new cr_ruidinfo proc 1833 * counts will be updated. 1834 * References: newcred must be an exclusive credential reference for the 1835 * duration of the call. 1836 */ 1837 void 1838 change_ruid(newcred, ruid) 1839 struct ucred *newcred; 1840 uid_t ruid; 1841 { 1842 1843 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1844 newcred->cr_ruid = ruid; 1845 uifree(newcred->cr_ruidinfo); 1846 newcred->cr_ruidinfo = uifind(ruid); 1847 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1848 } 1849 1850 /*- 1851 * Change a process's real gid. 1852 * Side effects: newcred->cr_rgid will be updated. 1853 * References: newcred must be an exclusive credential reference for the 1854 * duration of the call. 1855 */ 1856 void 1857 change_rgid(newcred, rgid) 1858 struct ucred *newcred; 1859 gid_t rgid; 1860 { 1861 1862 newcred->cr_rgid = rgid; 1863 } 1864 1865 /*- 1866 * Change a process's saved uid. 1867 * Side effects: newcred->cr_svuid will be updated. 1868 * References: newcred must be an exclusive credential reference for the 1869 * duration of the call. 1870 */ 1871 void 1872 change_svuid(newcred, svuid) 1873 struct ucred *newcred; 1874 uid_t svuid; 1875 { 1876 1877 newcred->cr_svuid = svuid; 1878 } 1879 1880 /*- 1881 * Change a process's saved gid. 1882 * Side effects: newcred->cr_svgid will be updated. 1883 * References: newcred must be an exclusive credential reference for the 1884 * duration of the call. 1885 */ 1886 void 1887 change_svgid(newcred, svgid) 1888 struct ucred *newcred; 1889 gid_t svgid; 1890 { 1891 1892 newcred->cr_svgid = svgid; 1893 } 1894