1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/acct.h> 51 #include <sys/kdb.h> 52 #include <sys/kernel.h> 53 #include <sys/libkern.h> 54 #include <sys/lock.h> 55 #include <sys/loginclass.h> 56 #include <sys/malloc.h> 57 #include <sys/mutex.h> 58 #include <sys/ptrace.h> 59 #include <sys/refcount.h> 60 #include <sys/sx.h> 61 #include <sys/priv.h> 62 #include <sys/proc.h> 63 #ifdef COMPAT_43 64 #include <sys/sysent.h> 65 #endif 66 #include <sys/sysproto.h> 67 #include <sys/jail.h> 68 #include <sys/racct.h> 69 #include <sys/rctl.h> 70 #include <sys/resourcevar.h> 71 #include <sys/socket.h> 72 #include <sys/socketvar.h> 73 #include <sys/syscallsubr.h> 74 #include <sys/sysctl.h> 75 76 #include <vm/uma.h> 77 78 #ifdef REGRESSION 79 FEATURE(regression, 80 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 81 #endif 82 83 #include <security/audit/audit.h> 84 #include <security/mac/mac_framework.h> 85 86 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 87 88 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 89 "BSD security policy"); 90 91 static void crfree_final(struct ucred *cr); 92 93 static inline void 94 groups_check_positive_len(int ngrp) 95 { 96 MPASS2(ngrp >= 0, "negative number of groups"); 97 MPASS2(ngrp != 0, "at least one group expected (effective GID)"); 98 } 99 static inline void 100 groups_check_max_len(int ngrp) 101 { 102 MPASS2(ngrp <= ngroups_max + 1, "too many groups"); 103 } 104 105 static void groups_normalize(int *ngrp, gid_t *groups); 106 static void crsetgroups_internal(struct ucred *cr, int ngrp, 107 const gid_t *groups); 108 109 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 110 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 111 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 112 113 #ifndef _SYS_SYSPROTO_H_ 114 struct getpid_args { 115 int dummy; 116 }; 117 #endif 118 /* ARGSUSED */ 119 int 120 sys_getpid(struct thread *td, struct getpid_args *uap) 121 { 122 struct proc *p = td->td_proc; 123 124 td->td_retval[0] = p->p_pid; 125 #if defined(COMPAT_43) 126 if (SV_PROC_FLAG(p, SV_AOUT)) 127 td->td_retval[1] = kern_getppid(td); 128 #endif 129 return (0); 130 } 131 132 #ifndef _SYS_SYSPROTO_H_ 133 struct getppid_args { 134 int dummy; 135 }; 136 #endif 137 /* ARGSUSED */ 138 int 139 sys_getppid(struct thread *td, struct getppid_args *uap) 140 { 141 142 td->td_retval[0] = kern_getppid(td); 143 return (0); 144 } 145 146 int 147 kern_getppid(struct thread *td) 148 { 149 struct proc *p = td->td_proc; 150 151 return (p->p_oppid); 152 } 153 154 /* 155 * Get process group ID; note that POSIX getpgrp takes no parameter. 156 */ 157 #ifndef _SYS_SYSPROTO_H_ 158 struct getpgrp_args { 159 int dummy; 160 }; 161 #endif 162 int 163 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 164 { 165 struct proc *p = td->td_proc; 166 167 PROC_LOCK(p); 168 td->td_retval[0] = p->p_pgrp->pg_id; 169 PROC_UNLOCK(p); 170 return (0); 171 } 172 173 /* Get an arbitrary pid's process group id */ 174 #ifndef _SYS_SYSPROTO_H_ 175 struct getpgid_args { 176 pid_t pid; 177 }; 178 #endif 179 int 180 sys_getpgid(struct thread *td, struct getpgid_args *uap) 181 { 182 struct proc *p; 183 int error; 184 185 if (uap->pid == 0) { 186 p = td->td_proc; 187 PROC_LOCK(p); 188 } else { 189 p = pfind(uap->pid); 190 if (p == NULL) 191 return (ESRCH); 192 error = p_cansee(td, p); 193 if (error) { 194 PROC_UNLOCK(p); 195 return (error); 196 } 197 } 198 td->td_retval[0] = p->p_pgrp->pg_id; 199 PROC_UNLOCK(p); 200 return (0); 201 } 202 203 /* 204 * Get an arbitrary pid's session id. 205 */ 206 #ifndef _SYS_SYSPROTO_H_ 207 struct getsid_args { 208 pid_t pid; 209 }; 210 #endif 211 int 212 sys_getsid(struct thread *td, struct getsid_args *uap) 213 { 214 215 return (kern_getsid(td, uap->pid)); 216 } 217 218 int 219 kern_getsid(struct thread *td, pid_t pid) 220 { 221 struct proc *p; 222 int error; 223 224 if (pid == 0) { 225 p = td->td_proc; 226 PROC_LOCK(p); 227 } else { 228 p = pfind(pid); 229 if (p == NULL) 230 return (ESRCH); 231 error = p_cansee(td, p); 232 if (error) { 233 PROC_UNLOCK(p); 234 return (error); 235 } 236 } 237 td->td_retval[0] = p->p_session->s_sid; 238 PROC_UNLOCK(p); 239 return (0); 240 } 241 242 #ifndef _SYS_SYSPROTO_H_ 243 struct getuid_args { 244 int dummy; 245 }; 246 #endif 247 /* ARGSUSED */ 248 int 249 sys_getuid(struct thread *td, struct getuid_args *uap) 250 { 251 252 td->td_retval[0] = td->td_ucred->cr_ruid; 253 #if defined(COMPAT_43) 254 td->td_retval[1] = td->td_ucred->cr_uid; 255 #endif 256 return (0); 257 } 258 259 #ifndef _SYS_SYSPROTO_H_ 260 struct geteuid_args { 261 int dummy; 262 }; 263 #endif 264 /* ARGSUSED */ 265 int 266 sys_geteuid(struct thread *td, struct geteuid_args *uap) 267 { 268 269 td->td_retval[0] = td->td_ucred->cr_uid; 270 return (0); 271 } 272 273 #ifndef _SYS_SYSPROTO_H_ 274 struct getgid_args { 275 int dummy; 276 }; 277 #endif 278 /* ARGSUSED */ 279 int 280 sys_getgid(struct thread *td, struct getgid_args *uap) 281 { 282 283 td->td_retval[0] = td->td_ucred->cr_rgid; 284 #if defined(COMPAT_43) 285 td->td_retval[1] = td->td_ucred->cr_groups[0]; 286 #endif 287 return (0); 288 } 289 290 /* 291 * Get effective group ID. The "egid" is groups[0], and could be obtained 292 * via getgroups. This syscall exists because it is somewhat painful to do 293 * correctly in a library function. 294 */ 295 #ifndef _SYS_SYSPROTO_H_ 296 struct getegid_args { 297 int dummy; 298 }; 299 #endif 300 /* ARGSUSED */ 301 int 302 sys_getegid(struct thread *td, struct getegid_args *uap) 303 { 304 305 td->td_retval[0] = td->td_ucred->cr_groups[0]; 306 return (0); 307 } 308 309 #ifndef _SYS_SYSPROTO_H_ 310 struct getgroups_args { 311 int gidsetsize; 312 gid_t *gidset; 313 }; 314 #endif 315 int 316 sys_getgroups(struct thread *td, struct getgroups_args *uap) 317 { 318 struct ucred *cred; 319 int ngrp, error; 320 321 cred = td->td_ucred; 322 ngrp = cred->cr_ngroups; 323 324 if (uap->gidsetsize == 0) { 325 error = 0; 326 goto out; 327 } 328 if (uap->gidsetsize < ngrp) 329 return (EINVAL); 330 331 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 332 out: 333 td->td_retval[0] = ngrp; 334 return (error); 335 } 336 337 #ifndef _SYS_SYSPROTO_H_ 338 struct setsid_args { 339 int dummy; 340 }; 341 #endif 342 /* ARGSUSED */ 343 int 344 sys_setsid(struct thread *td, struct setsid_args *uap) 345 { 346 struct pgrp *pgrp; 347 int error; 348 struct proc *p = td->td_proc; 349 struct pgrp *newpgrp; 350 struct session *newsess; 351 352 pgrp = NULL; 353 354 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 355 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 356 357 again: 358 error = 0; 359 sx_xlock(&proctree_lock); 360 361 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 362 if (pgrp != NULL) 363 PGRP_UNLOCK(pgrp); 364 error = EPERM; 365 } else { 366 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 367 if (error == ERESTART) 368 goto again; 369 MPASS(error == 0); 370 td->td_retval[0] = p->p_pid; 371 newpgrp = NULL; 372 newsess = NULL; 373 } 374 375 sx_xunlock(&proctree_lock); 376 377 uma_zfree(pgrp_zone, newpgrp); 378 free(newsess, M_SESSION); 379 380 return (error); 381 } 382 383 /* 384 * set process group (setpgid/old setpgrp) 385 * 386 * caller does setpgid(targpid, targpgid) 387 * 388 * pid must be caller or child of caller (ESRCH) 389 * if a child 390 * pid must be in same session (EPERM) 391 * pid can't have done an exec (EACCES) 392 * if pgid != pid 393 * there must exist some pid in same session having pgid (EPERM) 394 * pid must not be session leader (EPERM) 395 */ 396 #ifndef _SYS_SYSPROTO_H_ 397 struct setpgid_args { 398 int pid; /* target process id */ 399 int pgid; /* target pgrp id */ 400 }; 401 #endif 402 /* ARGSUSED */ 403 int 404 sys_setpgid(struct thread *td, struct setpgid_args *uap) 405 { 406 struct proc *curp = td->td_proc; 407 struct proc *targp; /* target process */ 408 struct pgrp *pgrp; /* target pgrp */ 409 int error; 410 struct pgrp *newpgrp; 411 412 if (uap->pgid < 0) 413 return (EINVAL); 414 415 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 416 417 again: 418 error = 0; 419 420 sx_xlock(&proctree_lock); 421 if (uap->pid != 0 && uap->pid != curp->p_pid) { 422 if ((targp = pfind(uap->pid)) == NULL) { 423 error = ESRCH; 424 goto done; 425 } 426 if (!inferior(targp)) { 427 PROC_UNLOCK(targp); 428 error = ESRCH; 429 goto done; 430 } 431 if ((error = p_cansee(td, targp))) { 432 PROC_UNLOCK(targp); 433 goto done; 434 } 435 if (targp->p_pgrp == NULL || 436 targp->p_session != curp->p_session) { 437 PROC_UNLOCK(targp); 438 error = EPERM; 439 goto done; 440 } 441 if (targp->p_flag & P_EXEC) { 442 PROC_UNLOCK(targp); 443 error = EACCES; 444 goto done; 445 } 446 PROC_UNLOCK(targp); 447 } else 448 targp = curp; 449 if (SESS_LEADER(targp)) { 450 error = EPERM; 451 goto done; 452 } 453 if (uap->pgid == 0) 454 uap->pgid = targp->p_pid; 455 if ((pgrp = pgfind(uap->pgid)) == NULL) { 456 if (uap->pgid == targp->p_pid) { 457 error = enterpgrp(targp, uap->pgid, newpgrp, 458 NULL); 459 if (error == 0) 460 newpgrp = NULL; 461 } else 462 error = EPERM; 463 } else { 464 if (pgrp == targp->p_pgrp) { 465 PGRP_UNLOCK(pgrp); 466 goto done; 467 } 468 if (pgrp->pg_id != targp->p_pid && 469 pgrp->pg_session != curp->p_session) { 470 PGRP_UNLOCK(pgrp); 471 error = EPERM; 472 goto done; 473 } 474 PGRP_UNLOCK(pgrp); 475 error = enterthispgrp(targp, pgrp); 476 } 477 done: 478 KASSERT(error == 0 || newpgrp != NULL, 479 ("setpgid failed and newpgrp is NULL")); 480 if (error == ERESTART) 481 goto again; 482 sx_xunlock(&proctree_lock); 483 uma_zfree(pgrp_zone, newpgrp); 484 return (error); 485 } 486 487 /* 488 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 489 * compatible. It says that setting the uid/gid to euid/egid is a special 490 * case of "appropriate privilege". Once the rules are expanded out, this 491 * basically means that setuid(nnn) sets all three id's, in all permitted 492 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 493 * does not set the saved id - this is dangerous for traditional BSD 494 * programs. For this reason, we *really* do not want to set 495 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 496 */ 497 #define POSIX_APPENDIX_B_4_2_2 498 499 #ifndef _SYS_SYSPROTO_H_ 500 struct setuid_args { 501 uid_t uid; 502 }; 503 #endif 504 /* ARGSUSED */ 505 int 506 sys_setuid(struct thread *td, struct setuid_args *uap) 507 { 508 struct proc *p = td->td_proc; 509 struct ucred *newcred, *oldcred; 510 uid_t uid; 511 struct uidinfo *uip; 512 int error; 513 514 uid = uap->uid; 515 AUDIT_ARG_UID(uid); 516 newcred = crget(); 517 uip = uifind(uid); 518 PROC_LOCK(p); 519 /* 520 * Copy credentials so other references do not see our changes. 521 */ 522 oldcred = crcopysafe(p, newcred); 523 524 #ifdef MAC 525 error = mac_cred_check_setuid(oldcred, uid); 526 if (error) 527 goto fail; 528 #endif 529 530 /* 531 * See if we have "permission" by POSIX 1003.1 rules. 532 * 533 * Note that setuid(geteuid()) is a special case of 534 * "appropriate privileges" in appendix B.4.2.2. We need 535 * to use this clause to be compatible with traditional BSD 536 * semantics. Basically, it means that "setuid(xx)" sets all 537 * three id's (assuming you have privs). 538 * 539 * Notes on the logic. We do things in three steps. 540 * 1: We determine if the euid is going to change, and do EPERM 541 * right away. We unconditionally change the euid later if this 542 * test is satisfied, simplifying that part of the logic. 543 * 2: We determine if the real and/or saved uids are going to 544 * change. Determined by compile options. 545 * 3: Change euid last. (after tests in #2 for "appropriate privs") 546 */ 547 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 548 #ifdef _POSIX_SAVED_IDS 549 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 550 #endif 551 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 552 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 553 #endif 554 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 555 goto fail; 556 557 #ifdef _POSIX_SAVED_IDS 558 /* 559 * Do we have "appropriate privileges" (are we root or uid == euid) 560 * If so, we are changing the real uid and/or saved uid. 561 */ 562 if ( 563 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 564 uid == oldcred->cr_uid || 565 #endif 566 /* We are using privs. */ 567 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 568 #endif 569 { 570 /* 571 * Set the real uid and transfer proc count to new user. 572 */ 573 if (uid != oldcred->cr_ruid) { 574 change_ruid(newcred, uip); 575 setsugid(p); 576 } 577 /* 578 * Set saved uid 579 * 580 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 581 * the security of seteuid() depends on it. B.4.2.2 says it 582 * is important that we should do this. 583 */ 584 if (uid != oldcred->cr_svuid) { 585 change_svuid(newcred, uid); 586 setsugid(p); 587 } 588 } 589 590 /* 591 * In all permitted cases, we are changing the euid. 592 */ 593 if (uid != oldcred->cr_uid) { 594 change_euid(newcred, uip); 595 setsugid(p); 596 } 597 proc_set_cred(p, newcred); 598 #ifdef RACCT 599 racct_proc_ucred_changed(p, oldcred, newcred); 600 crhold(newcred); 601 #endif 602 PROC_UNLOCK(p); 603 #ifdef RCTL 604 rctl_proc_ucred_changed(p, newcred); 605 crfree(newcred); 606 #endif 607 uifree(uip); 608 crfree(oldcred); 609 return (0); 610 611 fail: 612 PROC_UNLOCK(p); 613 uifree(uip); 614 crfree(newcred); 615 return (error); 616 } 617 618 #ifndef _SYS_SYSPROTO_H_ 619 struct seteuid_args { 620 uid_t euid; 621 }; 622 #endif 623 /* ARGSUSED */ 624 int 625 sys_seteuid(struct thread *td, struct seteuid_args *uap) 626 { 627 struct proc *p = td->td_proc; 628 struct ucred *newcred, *oldcred; 629 uid_t euid; 630 struct uidinfo *euip; 631 int error; 632 633 euid = uap->euid; 634 AUDIT_ARG_EUID(euid); 635 newcred = crget(); 636 euip = uifind(euid); 637 PROC_LOCK(p); 638 /* 639 * Copy credentials so other references do not see our changes. 640 */ 641 oldcred = crcopysafe(p, newcred); 642 643 #ifdef MAC 644 error = mac_cred_check_seteuid(oldcred, euid); 645 if (error) 646 goto fail; 647 #endif 648 649 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 650 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 651 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 652 goto fail; 653 654 /* 655 * Everything's okay, do it. 656 */ 657 if (oldcred->cr_uid != euid) { 658 change_euid(newcred, euip); 659 setsugid(p); 660 } 661 proc_set_cred(p, newcred); 662 PROC_UNLOCK(p); 663 uifree(euip); 664 crfree(oldcred); 665 return (0); 666 667 fail: 668 PROC_UNLOCK(p); 669 uifree(euip); 670 crfree(newcred); 671 return (error); 672 } 673 674 #ifndef _SYS_SYSPROTO_H_ 675 struct setgid_args { 676 gid_t gid; 677 }; 678 #endif 679 /* ARGSUSED */ 680 int 681 sys_setgid(struct thread *td, struct setgid_args *uap) 682 { 683 struct proc *p = td->td_proc; 684 struct ucred *newcred, *oldcred; 685 gid_t gid; 686 int error; 687 688 gid = uap->gid; 689 AUDIT_ARG_GID(gid); 690 newcred = crget(); 691 PROC_LOCK(p); 692 oldcred = crcopysafe(p, newcred); 693 694 #ifdef MAC 695 error = mac_cred_check_setgid(oldcred, gid); 696 if (error) 697 goto fail; 698 #endif 699 700 /* 701 * See if we have "permission" by POSIX 1003.1 rules. 702 * 703 * Note that setgid(getegid()) is a special case of 704 * "appropriate privileges" in appendix B.4.2.2. We need 705 * to use this clause to be compatible with traditional BSD 706 * semantics. Basically, it means that "setgid(xx)" sets all 707 * three id's (assuming you have privs). 708 * 709 * For notes on the logic here, see setuid() above. 710 */ 711 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 712 #ifdef _POSIX_SAVED_IDS 713 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 714 #endif 715 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 716 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 717 #endif 718 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 719 goto fail; 720 721 #ifdef _POSIX_SAVED_IDS 722 /* 723 * Do we have "appropriate privileges" (are we root or gid == egid) 724 * If so, we are changing the real uid and saved gid. 725 */ 726 if ( 727 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 728 gid == oldcred->cr_groups[0] || 729 #endif 730 /* We are using privs. */ 731 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 732 #endif 733 { 734 /* 735 * Set real gid 736 */ 737 if (oldcred->cr_rgid != gid) { 738 change_rgid(newcred, gid); 739 setsugid(p); 740 } 741 /* 742 * Set saved gid 743 * 744 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 745 * the security of setegid() depends on it. B.4.2.2 says it 746 * is important that we should do this. 747 */ 748 if (oldcred->cr_svgid != gid) { 749 change_svgid(newcred, gid); 750 setsugid(p); 751 } 752 } 753 /* 754 * In all cases permitted cases, we are changing the egid. 755 * Copy credentials so other references do not see our changes. 756 */ 757 if (oldcred->cr_groups[0] != gid) { 758 change_egid(newcred, gid); 759 setsugid(p); 760 } 761 proc_set_cred(p, newcred); 762 PROC_UNLOCK(p); 763 crfree(oldcred); 764 return (0); 765 766 fail: 767 PROC_UNLOCK(p); 768 crfree(newcred); 769 return (error); 770 } 771 772 #ifndef _SYS_SYSPROTO_H_ 773 struct setegid_args { 774 gid_t egid; 775 }; 776 #endif 777 /* ARGSUSED */ 778 int 779 sys_setegid(struct thread *td, struct setegid_args *uap) 780 { 781 struct proc *p = td->td_proc; 782 struct ucred *newcred, *oldcred; 783 gid_t egid; 784 int error; 785 786 egid = uap->egid; 787 AUDIT_ARG_EGID(egid); 788 newcred = crget(); 789 PROC_LOCK(p); 790 oldcred = crcopysafe(p, newcred); 791 792 #ifdef MAC 793 error = mac_cred_check_setegid(oldcred, egid); 794 if (error) 795 goto fail; 796 #endif 797 798 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 799 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 800 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 801 goto fail; 802 803 if (oldcred->cr_groups[0] != egid) { 804 change_egid(newcred, egid); 805 setsugid(p); 806 } 807 proc_set_cred(p, newcred); 808 PROC_UNLOCK(p); 809 crfree(oldcred); 810 return (0); 811 812 fail: 813 PROC_UNLOCK(p); 814 crfree(newcred); 815 return (error); 816 } 817 818 #ifndef _SYS_SYSPROTO_H_ 819 struct setgroups_args { 820 int gidsetsize; 821 gid_t *gidset; 822 }; 823 #endif 824 /* ARGSUSED */ 825 int 826 sys_setgroups(struct thread *td, struct setgroups_args *uap) 827 { 828 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 829 gid_t *groups; 830 int gidsetsize, error; 831 832 /* 833 * Sanity check size now to avoid passing too big a value to copyin(), 834 * even if kern_setgroups() will do it again. 835 * 836 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 837 * was, in this implementation, for a long time), but POSIX standardized 838 * getgroups() to take an 'int' and it would be quite entrapping to have 839 * setgroups() differ. 840 */ 841 gidsetsize = uap->gidsetsize; 842 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 843 return (EINVAL); 844 845 if (gidsetsize > CRED_SMALLGROUPS_NB) 846 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 847 else 848 groups = smallgroups; 849 850 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 851 if (error == 0) 852 error = kern_setgroups(td, &gidsetsize, groups); 853 854 if (groups != smallgroups) 855 free(groups, M_TEMP); 856 return (error); 857 } 858 859 static int 860 gidp_cmp(const void *p1, const void *p2) 861 { 862 const gid_t g1 = *(const gid_t *)p1; 863 const gid_t g2 = *(const gid_t *)p2; 864 865 return ((g1 > g2) - (g1 < g2)); 866 } 867 868 /* 869 * CAUTION: This function normalizes 'groups', possibly also changing the value 870 * of '*ngrpp' as a consequence. 871 */ 872 int 873 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 874 { 875 struct proc *p = td->td_proc; 876 struct ucred *newcred, *oldcred; 877 int ngrp, error; 878 879 ngrp = *ngrpp; 880 /* Sanity check size. */ 881 if (ngrp < 0 || ngrp > ngroups_max + 1) 882 return (EINVAL); 883 884 AUDIT_ARG_GROUPSET(groups, ngrp); 885 if (ngrp != 0) { 886 /* We allow and treat 0 specially below. */ 887 groups_normalize(ngrpp, groups); 888 ngrp = *ngrpp; 889 } 890 newcred = crget(); 891 if (ngrp != 0) 892 crextend(newcred, ngrp); 893 PROC_LOCK(p); 894 oldcred = crcopysafe(p, newcred); 895 896 #ifdef MAC 897 error = ngrp == 0 ? 898 /* If 'ngrp' is 0, we'll keep just the current effective GID. */ 899 mac_cred_check_setgroups(oldcred, 1, oldcred->cr_groups) : 900 mac_cred_check_setgroups(oldcred, ngrp, groups); 901 if (error) 902 goto fail; 903 #endif 904 905 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 906 if (error) 907 goto fail; 908 909 if (ngrp == 0) { 910 /* 911 * setgroups(0, NULL) is a legitimate way of clearing the 912 * groups vector on non-BSD systems (which generally do not 913 * have the egid in the groups[0]). We risk security holes 914 * when running non-BSD software if we do not do the same. 915 */ 916 newcred->cr_ngroups = 1; 917 } else 918 crsetgroups_internal(newcred, ngrp, groups); 919 920 setsugid(p); 921 proc_set_cred(p, newcred); 922 PROC_UNLOCK(p); 923 crfree(oldcred); 924 return (0); 925 926 fail: 927 PROC_UNLOCK(p); 928 crfree(newcred); 929 return (error); 930 } 931 932 #ifndef _SYS_SYSPROTO_H_ 933 struct setreuid_args { 934 uid_t ruid; 935 uid_t euid; 936 }; 937 #endif 938 /* ARGSUSED */ 939 int 940 sys_setreuid(struct thread *td, struct setreuid_args *uap) 941 { 942 struct proc *p = td->td_proc; 943 struct ucred *newcred, *oldcred; 944 uid_t euid, ruid; 945 struct uidinfo *euip, *ruip; 946 int error; 947 948 euid = uap->euid; 949 ruid = uap->ruid; 950 AUDIT_ARG_EUID(euid); 951 AUDIT_ARG_RUID(ruid); 952 newcred = crget(); 953 euip = uifind(euid); 954 ruip = uifind(ruid); 955 PROC_LOCK(p); 956 oldcred = crcopysafe(p, newcred); 957 958 #ifdef MAC 959 error = mac_cred_check_setreuid(oldcred, ruid, euid); 960 if (error) 961 goto fail; 962 #endif 963 964 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 965 ruid != oldcred->cr_svuid) || 966 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 967 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 968 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 969 goto fail; 970 971 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 972 change_euid(newcred, euip); 973 setsugid(p); 974 } 975 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 976 change_ruid(newcred, ruip); 977 setsugid(p); 978 } 979 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 980 newcred->cr_svuid != newcred->cr_uid) { 981 change_svuid(newcred, newcred->cr_uid); 982 setsugid(p); 983 } 984 proc_set_cred(p, newcred); 985 #ifdef RACCT 986 racct_proc_ucred_changed(p, oldcred, newcred); 987 crhold(newcred); 988 #endif 989 PROC_UNLOCK(p); 990 #ifdef RCTL 991 rctl_proc_ucred_changed(p, newcred); 992 crfree(newcred); 993 #endif 994 uifree(ruip); 995 uifree(euip); 996 crfree(oldcred); 997 return (0); 998 999 fail: 1000 PROC_UNLOCK(p); 1001 uifree(ruip); 1002 uifree(euip); 1003 crfree(newcred); 1004 return (error); 1005 } 1006 1007 #ifndef _SYS_SYSPROTO_H_ 1008 struct setregid_args { 1009 gid_t rgid; 1010 gid_t egid; 1011 }; 1012 #endif 1013 /* ARGSUSED */ 1014 int 1015 sys_setregid(struct thread *td, struct setregid_args *uap) 1016 { 1017 struct proc *p = td->td_proc; 1018 struct ucred *newcred, *oldcred; 1019 gid_t egid, rgid; 1020 int error; 1021 1022 egid = uap->egid; 1023 rgid = uap->rgid; 1024 AUDIT_ARG_EGID(egid); 1025 AUDIT_ARG_RGID(rgid); 1026 newcred = crget(); 1027 PROC_LOCK(p); 1028 oldcred = crcopysafe(p, newcred); 1029 1030 #ifdef MAC 1031 error = mac_cred_check_setregid(oldcred, rgid, egid); 1032 if (error) 1033 goto fail; 1034 #endif 1035 1036 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1037 rgid != oldcred->cr_svgid) || 1038 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 1039 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1040 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1041 goto fail; 1042 1043 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1044 change_egid(newcred, egid); 1045 setsugid(p); 1046 } 1047 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1048 change_rgid(newcred, rgid); 1049 setsugid(p); 1050 } 1051 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1052 newcred->cr_svgid != newcred->cr_groups[0]) { 1053 change_svgid(newcred, newcred->cr_groups[0]); 1054 setsugid(p); 1055 } 1056 proc_set_cred(p, newcred); 1057 PROC_UNLOCK(p); 1058 crfree(oldcred); 1059 return (0); 1060 1061 fail: 1062 PROC_UNLOCK(p); 1063 crfree(newcred); 1064 return (error); 1065 } 1066 1067 /* 1068 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1069 * uid is explicit. 1070 */ 1071 #ifndef _SYS_SYSPROTO_H_ 1072 struct setresuid_args { 1073 uid_t ruid; 1074 uid_t euid; 1075 uid_t suid; 1076 }; 1077 #endif 1078 /* ARGSUSED */ 1079 int 1080 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1081 { 1082 struct proc *p = td->td_proc; 1083 struct ucred *newcred, *oldcred; 1084 uid_t euid, ruid, suid; 1085 struct uidinfo *euip, *ruip; 1086 int error; 1087 1088 euid = uap->euid; 1089 ruid = uap->ruid; 1090 suid = uap->suid; 1091 AUDIT_ARG_EUID(euid); 1092 AUDIT_ARG_RUID(ruid); 1093 AUDIT_ARG_SUID(suid); 1094 newcred = crget(); 1095 euip = uifind(euid); 1096 ruip = uifind(ruid); 1097 PROC_LOCK(p); 1098 oldcred = crcopysafe(p, newcred); 1099 1100 #ifdef MAC 1101 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1102 if (error) 1103 goto fail; 1104 #endif 1105 1106 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1107 ruid != oldcred->cr_svuid && 1108 ruid != oldcred->cr_uid) || 1109 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1110 euid != oldcred->cr_svuid && 1111 euid != oldcred->cr_uid) || 1112 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1113 suid != oldcred->cr_svuid && 1114 suid != oldcred->cr_uid)) && 1115 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1116 goto fail; 1117 1118 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1119 change_euid(newcred, euip); 1120 setsugid(p); 1121 } 1122 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1123 change_ruid(newcred, ruip); 1124 setsugid(p); 1125 } 1126 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1127 change_svuid(newcred, suid); 1128 setsugid(p); 1129 } 1130 proc_set_cred(p, newcred); 1131 #ifdef RACCT 1132 racct_proc_ucred_changed(p, oldcred, newcred); 1133 crhold(newcred); 1134 #endif 1135 PROC_UNLOCK(p); 1136 #ifdef RCTL 1137 rctl_proc_ucred_changed(p, newcred); 1138 crfree(newcred); 1139 #endif 1140 uifree(ruip); 1141 uifree(euip); 1142 crfree(oldcred); 1143 return (0); 1144 1145 fail: 1146 PROC_UNLOCK(p); 1147 uifree(ruip); 1148 uifree(euip); 1149 crfree(newcred); 1150 return (error); 1151 1152 } 1153 1154 /* 1155 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1156 * gid is explicit. 1157 */ 1158 #ifndef _SYS_SYSPROTO_H_ 1159 struct setresgid_args { 1160 gid_t rgid; 1161 gid_t egid; 1162 gid_t sgid; 1163 }; 1164 #endif 1165 /* ARGSUSED */ 1166 int 1167 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1168 { 1169 struct proc *p = td->td_proc; 1170 struct ucred *newcred, *oldcred; 1171 gid_t egid, rgid, sgid; 1172 int error; 1173 1174 egid = uap->egid; 1175 rgid = uap->rgid; 1176 sgid = uap->sgid; 1177 AUDIT_ARG_EGID(egid); 1178 AUDIT_ARG_RGID(rgid); 1179 AUDIT_ARG_SGID(sgid); 1180 newcred = crget(); 1181 PROC_LOCK(p); 1182 oldcred = crcopysafe(p, newcred); 1183 1184 #ifdef MAC 1185 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1186 if (error) 1187 goto fail; 1188 #endif 1189 1190 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1191 rgid != oldcred->cr_svgid && 1192 rgid != oldcred->cr_groups[0]) || 1193 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1194 egid != oldcred->cr_svgid && 1195 egid != oldcred->cr_groups[0]) || 1196 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1197 sgid != oldcred->cr_svgid && 1198 sgid != oldcred->cr_groups[0])) && 1199 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1200 goto fail; 1201 1202 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1203 change_egid(newcred, egid); 1204 setsugid(p); 1205 } 1206 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1207 change_rgid(newcred, rgid); 1208 setsugid(p); 1209 } 1210 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1211 change_svgid(newcred, sgid); 1212 setsugid(p); 1213 } 1214 proc_set_cred(p, newcred); 1215 PROC_UNLOCK(p); 1216 crfree(oldcred); 1217 return (0); 1218 1219 fail: 1220 PROC_UNLOCK(p); 1221 crfree(newcred); 1222 return (error); 1223 } 1224 1225 #ifndef _SYS_SYSPROTO_H_ 1226 struct getresuid_args { 1227 uid_t *ruid; 1228 uid_t *euid; 1229 uid_t *suid; 1230 }; 1231 #endif 1232 /* ARGSUSED */ 1233 int 1234 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1235 { 1236 struct ucred *cred; 1237 int error1 = 0, error2 = 0, error3 = 0; 1238 1239 cred = td->td_ucred; 1240 if (uap->ruid) 1241 error1 = copyout(&cred->cr_ruid, 1242 uap->ruid, sizeof(cred->cr_ruid)); 1243 if (uap->euid) 1244 error2 = copyout(&cred->cr_uid, 1245 uap->euid, sizeof(cred->cr_uid)); 1246 if (uap->suid) 1247 error3 = copyout(&cred->cr_svuid, 1248 uap->suid, sizeof(cred->cr_svuid)); 1249 return (error1 ? error1 : error2 ? error2 : error3); 1250 } 1251 1252 #ifndef _SYS_SYSPROTO_H_ 1253 struct getresgid_args { 1254 gid_t *rgid; 1255 gid_t *egid; 1256 gid_t *sgid; 1257 }; 1258 #endif 1259 /* ARGSUSED */ 1260 int 1261 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1262 { 1263 struct ucred *cred; 1264 int error1 = 0, error2 = 0, error3 = 0; 1265 1266 cred = td->td_ucred; 1267 if (uap->rgid) 1268 error1 = copyout(&cred->cr_rgid, 1269 uap->rgid, sizeof(cred->cr_rgid)); 1270 if (uap->egid) 1271 error2 = copyout(&cred->cr_groups[0], 1272 uap->egid, sizeof(cred->cr_groups[0])); 1273 if (uap->sgid) 1274 error3 = copyout(&cred->cr_svgid, 1275 uap->sgid, sizeof(cred->cr_svgid)); 1276 return (error1 ? error1 : error2 ? error2 : error3); 1277 } 1278 1279 #ifndef _SYS_SYSPROTO_H_ 1280 struct issetugid_args { 1281 int dummy; 1282 }; 1283 #endif 1284 /* ARGSUSED */ 1285 int 1286 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1287 { 1288 struct proc *p = td->td_proc; 1289 1290 /* 1291 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1292 * we use P_SUGID because we consider changing the owners as 1293 * "tainting" as well. 1294 * This is significant for procs that start as root and "become" 1295 * a user without an exec - programs cannot know *everything* 1296 * that libc *might* have put in their data segment. 1297 */ 1298 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1299 return (0); 1300 } 1301 1302 int 1303 sys___setugid(struct thread *td, struct __setugid_args *uap) 1304 { 1305 #ifdef REGRESSION 1306 struct proc *p; 1307 1308 p = td->td_proc; 1309 switch (uap->flag) { 1310 case 0: 1311 PROC_LOCK(p); 1312 p->p_flag &= ~P_SUGID; 1313 PROC_UNLOCK(p); 1314 return (0); 1315 case 1: 1316 PROC_LOCK(p); 1317 p->p_flag |= P_SUGID; 1318 PROC_UNLOCK(p); 1319 return (0); 1320 default: 1321 return (EINVAL); 1322 } 1323 #else /* !REGRESSION */ 1324 1325 return (ENOSYS); 1326 #endif /* REGRESSION */ 1327 } 1328 1329 #ifdef INVARIANTS 1330 static void 1331 groups_check_normalized(int ngrp, const gid_t *groups) 1332 { 1333 gid_t prev_g; 1334 1335 groups_check_positive_len(ngrp); 1336 groups_check_max_len(ngrp); 1337 1338 if (ngrp == 1) 1339 return; 1340 1341 prev_g = groups[1]; 1342 for (int i = 2; i < ngrp; ++i) { 1343 const gid_t g = groups[i]; 1344 1345 if (prev_g >= g) 1346 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1347 __func__, i - 1, prev_g, i, g); 1348 prev_g = g; 1349 } 1350 } 1351 #else 1352 #define groups_check_normalized(...) 1353 #endif 1354 1355 /* 1356 * Returns whether gid designates a supplementary group in cred. 1357 */ 1358 bool 1359 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1360 { 1361 1362 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1363 1364 /* 1365 * Perform a binary search of the supplementary groups. This is 1366 * possible because we sort the groups in crsetgroups(). 1367 */ 1368 return (bsearch(&gid, cred->cr_groups + 1, cred->cr_ngroups - 1, 1369 sizeof(gid), gidp_cmp) != NULL); 1370 } 1371 1372 /* 1373 * Check if gid is a member of the (effective) group set (i.e., effective and 1374 * supplementary groups). 1375 */ 1376 bool 1377 groupmember(gid_t gid, const struct ucred *cred) 1378 { 1379 1380 groups_check_positive_len(cred->cr_ngroups); 1381 1382 if (gid == cred->cr_groups[0]) 1383 return (true); 1384 1385 return (group_is_supplementary(gid, cred)); 1386 } 1387 1388 /* 1389 * Check if gid is a member of the real group set (i.e., real and supplementary 1390 * groups). 1391 */ 1392 bool 1393 realgroupmember(gid_t gid, const struct ucred *cred) 1394 { 1395 /* 1396 * Although the equality test on 'cr_rgid' below doesn't access 1397 * 'cr_groups', we check for the latter's length here as we assume that, 1398 * if 'cr_ngroups' is 0, the passed 'struct ucred' is invalid, and 1399 * 'cr_rgid' may not have been filled. 1400 */ 1401 groups_check_positive_len(cred->cr_ngroups); 1402 1403 if (gid == cred->cr_rgid) 1404 return (true); 1405 1406 return (group_is_supplementary(gid, cred)); 1407 } 1408 1409 /* 1410 * Test the active securelevel against a given level. securelevel_gt() 1411 * implements (securelevel > level). securelevel_ge() implements 1412 * (securelevel >= level). Note that the logic is inverted -- these 1413 * functions return EPERM on "success" and 0 on "failure". 1414 * 1415 * Due to care taken when setting the securelevel, we know that no jail will 1416 * be less secure that its parent (or the physical system), so it is sufficient 1417 * to test the current jail only. 1418 * 1419 * XXXRW: Possibly since this has to do with privilege, it should move to 1420 * kern_priv.c. 1421 */ 1422 int 1423 securelevel_gt(struct ucred *cr, int level) 1424 { 1425 1426 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1427 } 1428 1429 int 1430 securelevel_ge(struct ucred *cr, int level) 1431 { 1432 1433 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1434 } 1435 1436 /* 1437 * 'see_other_uids' determines whether or not visibility of processes 1438 * and sockets with credentials holding different real uids is possible 1439 * using a variety of system MIBs. 1440 * XXX: data declarations should be together near the beginning of the file. 1441 */ 1442 static int see_other_uids = 1; 1443 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1444 &see_other_uids, 0, 1445 "Unprivileged processes may see subjects/objects with different real uid"); 1446 1447 /*- 1448 * Determine if u1 "can see" the subject specified by u2, according to the 1449 * 'see_other_uids' policy. 1450 * Returns: 0 for permitted, ESRCH otherwise 1451 * Locks: none 1452 * References: *u1 and *u2 must not change during the call 1453 * u1 may equal u2, in which case only one reference is required 1454 */ 1455 static int 1456 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1457 { 1458 1459 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1460 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1461 return (ESRCH); 1462 } 1463 return (0); 1464 } 1465 1466 /* 1467 * 'see_other_gids' determines whether or not visibility of processes 1468 * and sockets with credentials holding different real gids is possible 1469 * using a variety of system MIBs. 1470 * XXX: data declarations should be together near the beginning of the file. 1471 */ 1472 static int see_other_gids = 1; 1473 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1474 &see_other_gids, 0, 1475 "Unprivileged processes may see subjects/objects with different real gid"); 1476 1477 /* 1478 * Determine if u1 can "see" the subject specified by u2, according to the 1479 * 'see_other_gids' policy. 1480 * Returns: 0 for permitted, ESRCH otherwise 1481 * Locks: none 1482 * References: *u1 and *u2 must not change during the call 1483 * u1 may equal u2, in which case only one reference is required 1484 */ 1485 static int 1486 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1487 { 1488 if (!see_other_gids) { 1489 if (realgroupmember(u1->cr_rgid, u2)) 1490 return (0); 1491 1492 for (int i = 1; i < u1->cr_ngroups; i++) 1493 if (realgroupmember(u1->cr_groups[i], u2)) 1494 return (0); 1495 1496 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1497 return (ESRCH); 1498 } 1499 1500 return (0); 1501 } 1502 1503 /* 1504 * 'see_jail_proc' determines whether or not visibility of processes and 1505 * sockets with credentials holding different jail ids is possible using a 1506 * variety of system MIBs. 1507 * 1508 * XXX: data declarations should be together near the beginning of the file. 1509 */ 1510 1511 static int see_jail_proc = 1; 1512 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1513 &see_jail_proc, 0, 1514 "Unprivileged processes may see subjects/objects with different jail ids"); 1515 1516 /*- 1517 * Determine if u1 "can see" the subject specified by u2, according to the 1518 * 'see_jail_proc' policy. 1519 * Returns: 0 for permitted, ESRCH otherwise 1520 * Locks: none 1521 * References: *u1 and *u2 must not change during the call 1522 * u1 may equal u2, in which case only one reference is required 1523 */ 1524 static int 1525 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1526 { 1527 if (see_jail_proc || /* Policy deactivated. */ 1528 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1529 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1530 return (0); 1531 1532 return (ESRCH); 1533 } 1534 1535 /* 1536 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1537 * policies. Determines if u1 "can see" u2 according to these policies. 1538 * Returns: 0 for permitted, ESRCH otherwise 1539 */ 1540 int 1541 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1542 { 1543 int error; 1544 1545 error = cr_canseeotheruids(u1, u2); 1546 if (error != 0) 1547 return (error); 1548 error = cr_canseeothergids(u1, u2); 1549 if (error != 0) 1550 return (error); 1551 error = cr_canseejailproc(u1, u2); 1552 if (error != 0) 1553 return (error); 1554 return (0); 1555 } 1556 1557 /*- 1558 * Determine if u1 "can see" the subject specified by u2. 1559 * Returns: 0 for permitted, an errno value otherwise 1560 * Locks: none 1561 * References: *u1 and *u2 must not change during the call 1562 * u1 may equal u2, in which case only one reference is required 1563 */ 1564 int 1565 cr_cansee(struct ucred *u1, struct ucred *u2) 1566 { 1567 int error; 1568 1569 if ((error = prison_check(u1, u2))) 1570 return (error); 1571 #ifdef MAC 1572 if ((error = mac_cred_check_visible(u1, u2))) 1573 return (error); 1574 #endif 1575 if ((error = cr_bsd_visible(u1, u2))) 1576 return (error); 1577 return (0); 1578 } 1579 1580 /*- 1581 * Determine if td "can see" the subject specified by p. 1582 * Returns: 0 for permitted, an errno value otherwise 1583 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1584 * should be curthread. 1585 * References: td and p must be valid for the lifetime of the call 1586 */ 1587 int 1588 p_cansee(struct thread *td, struct proc *p) 1589 { 1590 /* Wrap cr_cansee() for all functionality. */ 1591 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1592 PROC_LOCK_ASSERT(p, MA_OWNED); 1593 1594 if (td->td_proc == p) 1595 return (0); 1596 return (cr_cansee(td->td_ucred, p->p_ucred)); 1597 } 1598 1599 /* 1600 * 'conservative_signals' prevents the delivery of a broad class of 1601 * signals by unprivileged processes to processes that have changed their 1602 * credentials since the last invocation of execve(). This can prevent 1603 * the leakage of cached information or retained privileges as a result 1604 * of a common class of signal-related vulnerabilities. However, this 1605 * may interfere with some applications that expect to be able to 1606 * deliver these signals to peer processes after having given up 1607 * privilege. 1608 */ 1609 static int conservative_signals = 1; 1610 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1611 &conservative_signals, 0, "Unprivileged processes prevented from " 1612 "sending certain signals to processes whose credentials have changed"); 1613 /*- 1614 * Determine whether cred may deliver the specified signal to proc. 1615 * Returns: 0 for permitted, an errno value otherwise. 1616 * Locks: A lock must be held for proc. 1617 * References: cred and proc must be valid for the lifetime of the call. 1618 */ 1619 int 1620 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1621 { 1622 int error; 1623 1624 PROC_LOCK_ASSERT(proc, MA_OWNED); 1625 /* 1626 * Jail semantics limit the scope of signalling to proc in the 1627 * same jail as cred, if cred is in jail. 1628 */ 1629 error = prison_check(cred, proc->p_ucred); 1630 if (error) 1631 return (error); 1632 #ifdef MAC 1633 if ((error = mac_proc_check_signal(cred, proc, signum))) 1634 return (error); 1635 #endif 1636 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 1637 return (error); 1638 1639 /* 1640 * UNIX signal semantics depend on the status of the P_SUGID 1641 * bit on the target process. If the bit is set, then additional 1642 * restrictions are placed on the set of available signals. 1643 */ 1644 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1645 switch (signum) { 1646 case 0: 1647 case SIGKILL: 1648 case SIGINT: 1649 case SIGTERM: 1650 case SIGALRM: 1651 case SIGSTOP: 1652 case SIGTTIN: 1653 case SIGTTOU: 1654 case SIGTSTP: 1655 case SIGHUP: 1656 case SIGUSR1: 1657 case SIGUSR2: 1658 /* 1659 * Generally, permit job and terminal control 1660 * signals. 1661 */ 1662 break; 1663 default: 1664 /* Not permitted without privilege. */ 1665 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 1666 if (error) 1667 return (error); 1668 } 1669 } 1670 1671 /* 1672 * Generally, the target credential's ruid or svuid must match the 1673 * subject credential's ruid or euid. 1674 */ 1675 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1676 cred->cr_ruid != proc->p_ucred->cr_svuid && 1677 cred->cr_uid != proc->p_ucred->cr_ruid && 1678 cred->cr_uid != proc->p_ucred->cr_svuid) { 1679 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 1680 if (error) 1681 return (error); 1682 } 1683 1684 return (0); 1685 } 1686 1687 /*- 1688 * Determine whether td may deliver the specified signal to p. 1689 * Returns: 0 for permitted, an errno value otherwise 1690 * Locks: Sufficient locks to protect various components of td and p 1691 * must be held. td must be curthread, and a lock must be 1692 * held for p. 1693 * References: td and p must be valid for the lifetime of the call 1694 */ 1695 int 1696 p_cansignal(struct thread *td, struct proc *p, int signum) 1697 { 1698 1699 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1700 PROC_LOCK_ASSERT(p, MA_OWNED); 1701 if (td->td_proc == p) 1702 return (0); 1703 1704 /* 1705 * UNIX signalling semantics require that processes in the same 1706 * session always be able to deliver SIGCONT to one another, 1707 * overriding the remaining protections. 1708 */ 1709 /* XXX: This will require an additional lock of some sort. */ 1710 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1711 return (0); 1712 /* 1713 * Some compat layers use SIGTHR and higher signals for 1714 * communication between different kernel threads of the same 1715 * process, so that they expect that it's always possible to 1716 * deliver them, even for suid applications where cr_cansignal() can 1717 * deny such ability for security consideration. It should be 1718 * pretty safe to do since the only way to create two processes 1719 * with the same p_leader is via rfork(2). 1720 */ 1721 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1722 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1723 return (0); 1724 1725 return (cr_cansignal(td->td_ucred, p, signum)); 1726 } 1727 1728 /*- 1729 * Determine whether td may reschedule p. 1730 * Returns: 0 for permitted, an errno value otherwise 1731 * Locks: Sufficient locks to protect various components of td and p 1732 * must be held. td must be curthread, and a lock must 1733 * be held for p. 1734 * References: td and p must be valid for the lifetime of the call 1735 */ 1736 int 1737 p_cansched(struct thread *td, struct proc *p) 1738 { 1739 int error; 1740 1741 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1742 PROC_LOCK_ASSERT(p, MA_OWNED); 1743 if (td->td_proc == p) 1744 return (0); 1745 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1746 return (error); 1747 #ifdef MAC 1748 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1749 return (error); 1750 #endif 1751 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 1752 return (error); 1753 1754 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1755 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1756 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1757 if (error) 1758 return (error); 1759 } 1760 return (0); 1761 } 1762 1763 /* 1764 * Handle getting or setting the prison's unprivileged_proc_debug 1765 * value. 1766 */ 1767 static int 1768 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 1769 { 1770 int error, val; 1771 1772 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 1773 error = sysctl_handle_int(oidp, &val, 0, req); 1774 if (error != 0 || req->newptr == NULL) 1775 return (error); 1776 if (val != 0 && val != 1) 1777 return (EINVAL); 1778 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 1779 return (0); 1780 } 1781 1782 /* 1783 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1784 * unprivileged inter-process debugging services, including some procfs 1785 * functionality, ptrace(), and ktrace(). In the past, inter-process 1786 * debugging has been involved in a variety of security problems, and sites 1787 * not requiring the service might choose to disable it when hardening 1788 * systems. 1789 */ 1790 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 1791 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 1792 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 1793 "Unprivileged processes may use process debugging facilities"); 1794 1795 /*- 1796 * Determine whether td may debug p. 1797 * Returns: 0 for permitted, an errno value otherwise 1798 * Locks: Sufficient locks to protect various components of td and p 1799 * must be held. td must be curthread, and a lock must 1800 * be held for p. 1801 * References: td and p must be valid for the lifetime of the call 1802 */ 1803 int 1804 p_candebug(struct thread *td, struct proc *p) 1805 { 1806 int error, grpsubset, i, uidsubset; 1807 1808 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1809 PROC_LOCK_ASSERT(p, MA_OWNED); 1810 if (td->td_proc == p) 1811 return (0); 1812 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 1813 return (error); 1814 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1815 return (error); 1816 #ifdef MAC 1817 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1818 return (error); 1819 #endif 1820 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 1821 return (error); 1822 1823 /* 1824 * Is p's group set a subset of td's effective group set? This 1825 * includes p's egid, group access list, rgid, and svgid. 1826 */ 1827 grpsubset = 1; 1828 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1829 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1830 grpsubset = 0; 1831 break; 1832 } 1833 } 1834 grpsubset = grpsubset && 1835 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1836 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1837 1838 /* 1839 * Are the uids present in p's credential equal to td's 1840 * effective uid? This includes p's euid, svuid, and ruid. 1841 */ 1842 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1843 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1844 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1845 1846 /* 1847 * If p's gids aren't a subset, or the uids aren't a subset, 1848 * or the credential has changed, require appropriate privilege 1849 * for td to debug p. 1850 */ 1851 if (!grpsubset || !uidsubset) { 1852 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1853 if (error) 1854 return (error); 1855 } 1856 1857 /* 1858 * Has the credential of the process changed since the last exec()? 1859 */ 1860 if ((p->p_flag & P_SUGID) != 0) { 1861 error = priv_check(td, PRIV_DEBUG_SUGID); 1862 if (error) 1863 return (error); 1864 } 1865 1866 /* Can't trace init when securelevel > 0. */ 1867 if (p == initproc) { 1868 error = securelevel_gt(td->td_ucred, 0); 1869 if (error) 1870 return (error); 1871 } 1872 1873 /* 1874 * Can't trace a process that's currently exec'ing. 1875 * 1876 * XXX: Note, this is not a security policy decision, it's a 1877 * basic correctness/functionality decision. Therefore, this check 1878 * should be moved to the caller's of p_candebug(). 1879 */ 1880 if ((p->p_flag & P_INEXEC) != 0) 1881 return (EBUSY); 1882 1883 /* Denied explicitly */ 1884 if ((p->p_flag2 & P2_NOTRACE) != 0) { 1885 error = priv_check(td, PRIV_DEBUG_DENIED); 1886 if (error != 0) 1887 return (error); 1888 } 1889 1890 return (0); 1891 } 1892 1893 /*- 1894 * Determine whether the subject represented by cred can "see" a socket. 1895 * Returns: 0 for permitted, ENOENT otherwise. 1896 */ 1897 int 1898 cr_canseesocket(struct ucred *cred, struct socket *so) 1899 { 1900 int error; 1901 1902 error = prison_check(cred, so->so_cred); 1903 if (error) 1904 return (ENOENT); 1905 #ifdef MAC 1906 error = mac_socket_check_visible(cred, so); 1907 if (error) 1908 return (error); 1909 #endif 1910 if (cr_bsd_visible(cred, so->so_cred)) 1911 return (ENOENT); 1912 1913 return (0); 1914 } 1915 1916 /*- 1917 * Determine whether td can wait for the exit of p. 1918 * Returns: 0 for permitted, an errno value otherwise 1919 * Locks: Sufficient locks to protect various components of td and p 1920 * must be held. td must be curthread, and a lock must 1921 * be held for p. 1922 * References: td and p must be valid for the lifetime of the call 1923 1924 */ 1925 int 1926 p_canwait(struct thread *td, struct proc *p) 1927 { 1928 int error; 1929 1930 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1931 PROC_LOCK_ASSERT(p, MA_OWNED); 1932 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1933 return (error); 1934 #ifdef MAC 1935 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1936 return (error); 1937 #endif 1938 #if 0 1939 /* XXXMAC: This could have odd effects on some shells. */ 1940 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 1941 return (error); 1942 #endif 1943 1944 return (0); 1945 } 1946 1947 /* 1948 * Credential management. 1949 * 1950 * struct ucred objects are rarely allocated but gain and lose references all 1951 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 1952 * a significant source of cache-line ping ponging. Common cases are worked 1953 * around by modifying thread-local counter instead if the cred to operate on 1954 * matches td_realucred. 1955 * 1956 * The counter is split into 2 parts: 1957 * - cr_users -- total count of all struct proc and struct thread objects 1958 * which have given cred in p_ucred and td_ucred respectively 1959 * - cr_ref -- the actual ref count, only valid if cr_users == 0 1960 * 1961 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 1962 * the count reaches 0 the object is freeable. 1963 * If users > 0 and curthread->td_realucred == cred, then updates are performed 1964 * against td_ucredref. 1965 * In other cases updates are performed against cr_ref. 1966 * 1967 * Changing td_realucred into something else decrements cr_users and transfers 1968 * accumulated updates. 1969 */ 1970 struct ucred * 1971 crcowget(struct ucred *cr) 1972 { 1973 1974 mtx_lock(&cr->cr_mtx); 1975 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1976 __func__, cr->cr_users, cr)); 1977 cr->cr_users++; 1978 cr->cr_ref++; 1979 mtx_unlock(&cr->cr_mtx); 1980 return (cr); 1981 } 1982 1983 static struct ucred * 1984 crunuse(struct thread *td) 1985 { 1986 struct ucred *cr, *crold; 1987 1988 MPASS(td->td_realucred == td->td_ucred); 1989 cr = td->td_realucred; 1990 mtx_lock(&cr->cr_mtx); 1991 cr->cr_ref += td->td_ucredref; 1992 td->td_ucredref = 0; 1993 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1994 __func__, cr->cr_users, cr)); 1995 cr->cr_users--; 1996 if (cr->cr_users == 0) { 1997 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 1998 __func__, cr->cr_ref, cr)); 1999 crold = cr; 2000 } else { 2001 cr->cr_ref--; 2002 crold = NULL; 2003 } 2004 mtx_unlock(&cr->cr_mtx); 2005 td->td_realucred = NULL; 2006 return (crold); 2007 } 2008 2009 static void 2010 crunusebatch(struct ucred *cr, int users, int ref) 2011 { 2012 2013 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2014 __func__, users, cr)); 2015 mtx_lock(&cr->cr_mtx); 2016 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2017 __func__, cr->cr_users, users, cr)); 2018 cr->cr_users -= users; 2019 cr->cr_ref += ref; 2020 cr->cr_ref -= users; 2021 if (cr->cr_users > 0) { 2022 mtx_unlock(&cr->cr_mtx); 2023 return; 2024 } 2025 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2026 __func__, cr->cr_ref, cr)); 2027 if (cr->cr_ref > 0) { 2028 mtx_unlock(&cr->cr_mtx); 2029 return; 2030 } 2031 crfree_final(cr); 2032 } 2033 2034 void 2035 crcowfree(struct thread *td) 2036 { 2037 struct ucred *cr; 2038 2039 cr = crunuse(td); 2040 if (cr != NULL) 2041 crfree(cr); 2042 } 2043 2044 struct ucred * 2045 crcowsync(void) 2046 { 2047 struct thread *td; 2048 struct proc *p; 2049 struct ucred *crnew, *crold; 2050 2051 td = curthread; 2052 p = td->td_proc; 2053 PROC_LOCK_ASSERT(p, MA_OWNED); 2054 2055 MPASS(td->td_realucred == td->td_ucred); 2056 if (td->td_realucred == p->p_ucred) 2057 return (NULL); 2058 2059 crnew = crcowget(p->p_ucred); 2060 crold = crunuse(td); 2061 td->td_realucred = crnew; 2062 td->td_ucred = td->td_realucred; 2063 return (crold); 2064 } 2065 2066 /* 2067 * Batching. 2068 */ 2069 void 2070 credbatch_add(struct credbatch *crb, struct thread *td) 2071 { 2072 struct ucred *cr; 2073 2074 MPASS(td->td_realucred != NULL); 2075 MPASS(td->td_realucred == td->td_ucred); 2076 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2077 cr = td->td_realucred; 2078 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2079 __func__, cr->cr_users, cr)); 2080 if (crb->cred != cr) { 2081 if (crb->users > 0) { 2082 MPASS(crb->cred != NULL); 2083 crunusebatch(crb->cred, crb->users, crb->ref); 2084 crb->users = 0; 2085 crb->ref = 0; 2086 } 2087 } 2088 crb->cred = cr; 2089 crb->users++; 2090 crb->ref += td->td_ucredref; 2091 td->td_ucredref = 0; 2092 td->td_realucred = NULL; 2093 } 2094 2095 void 2096 credbatch_final(struct credbatch *crb) 2097 { 2098 2099 MPASS(crb->cred != NULL); 2100 MPASS(crb->users > 0); 2101 crunusebatch(crb->cred, crb->users, crb->ref); 2102 } 2103 2104 /* 2105 * Allocate a zeroed cred structure. 2106 */ 2107 struct ucred * 2108 crget(void) 2109 { 2110 struct ucred *cr; 2111 2112 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2113 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2114 cr->cr_ref = 1; 2115 #ifdef AUDIT 2116 audit_cred_init(cr); 2117 #endif 2118 #ifdef MAC 2119 mac_cred_init(cr); 2120 #endif 2121 cr->cr_groups = cr->cr_smallgroups; 2122 cr->cr_agroups = 2123 sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]); 2124 return (cr); 2125 } 2126 2127 /* 2128 * Claim another reference to a ucred structure. 2129 */ 2130 struct ucred * 2131 crhold(struct ucred *cr) 2132 { 2133 struct thread *td; 2134 2135 td = curthread; 2136 if (__predict_true(td->td_realucred == cr)) { 2137 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2138 __func__, cr->cr_users, cr)); 2139 td->td_ucredref++; 2140 return (cr); 2141 } 2142 mtx_lock(&cr->cr_mtx); 2143 cr->cr_ref++; 2144 mtx_unlock(&cr->cr_mtx); 2145 return (cr); 2146 } 2147 2148 /* 2149 * Free a cred structure. Throws away space when ref count gets to 0. 2150 */ 2151 void 2152 crfree(struct ucred *cr) 2153 { 2154 struct thread *td; 2155 2156 td = curthread; 2157 if (__predict_true(td->td_realucred == cr)) { 2158 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2159 __func__, cr->cr_users, cr)); 2160 td->td_ucredref--; 2161 return; 2162 } 2163 mtx_lock(&cr->cr_mtx); 2164 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2165 __func__, cr->cr_users, cr)); 2166 cr->cr_ref--; 2167 if (cr->cr_users > 0) { 2168 mtx_unlock(&cr->cr_mtx); 2169 return; 2170 } 2171 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2172 __func__, cr->cr_ref, cr)); 2173 if (cr->cr_ref > 0) { 2174 mtx_unlock(&cr->cr_mtx); 2175 return; 2176 } 2177 crfree_final(cr); 2178 } 2179 2180 static void 2181 crfree_final(struct ucred *cr) 2182 { 2183 2184 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2185 __func__, cr->cr_users, cr)); 2186 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2187 __func__, cr->cr_ref, cr)); 2188 2189 /* 2190 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2191 * credential, but don't allocate a uidinfo structure. 2192 */ 2193 if (cr->cr_uidinfo != NULL) 2194 uifree(cr->cr_uidinfo); 2195 if (cr->cr_ruidinfo != NULL) 2196 uifree(cr->cr_ruidinfo); 2197 if (cr->cr_prison != NULL) 2198 prison_free(cr->cr_prison); 2199 if (cr->cr_loginclass != NULL) 2200 loginclass_free(cr->cr_loginclass); 2201 #ifdef AUDIT 2202 audit_cred_destroy(cr); 2203 #endif 2204 #ifdef MAC 2205 mac_cred_destroy(cr); 2206 #endif 2207 mtx_destroy(&cr->cr_mtx); 2208 if (cr->cr_groups != cr->cr_smallgroups) 2209 free(cr->cr_groups, M_CRED); 2210 free(cr, M_CRED); 2211 } 2212 2213 /* 2214 * Copy a ucred's contents from a template. Does not block. 2215 */ 2216 void 2217 crcopy(struct ucred *dest, struct ucred *src) 2218 { 2219 2220 /* 2221 * Ideally, 'cr_ngroups' should be moved out of 'struct ucred''s bcopied 2222 * area, but this would break the ABI, so is deferred until there is 2223 * a compelling need to change it. 2224 */ 2225 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2226 (unsigned)((caddr_t)&src->cr_endcopy - 2227 (caddr_t)&src->cr_startcopy)); 2228 dest->cr_flags = src->cr_flags; 2229 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2230 uihold(dest->cr_uidinfo); 2231 uihold(dest->cr_ruidinfo); 2232 prison_hold(dest->cr_prison); 2233 loginclass_hold(dest->cr_loginclass); 2234 #ifdef AUDIT 2235 audit_cred_copy(src, dest); 2236 #endif 2237 #ifdef MAC 2238 mac_cred_copy(src, dest); 2239 #endif 2240 } 2241 2242 /* 2243 * Dup cred struct to a new held one. 2244 */ 2245 struct ucred * 2246 crdup(struct ucred *cr) 2247 { 2248 struct ucred *newcr; 2249 2250 newcr = crget(); 2251 crcopy(newcr, cr); 2252 return (newcr); 2253 } 2254 2255 /* 2256 * Fill in a struct xucred based on a struct ucred. 2257 */ 2258 void 2259 cru2x(struct ucred *cr, struct xucred *xcr) 2260 { 2261 int ngroups; 2262 2263 bzero(xcr, sizeof(*xcr)); 2264 xcr->cr_version = XUCRED_VERSION; 2265 xcr->cr_uid = cr->cr_uid; 2266 2267 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 2268 xcr->cr_ngroups = ngroups; 2269 bcopy(cr->cr_groups, xcr->cr_groups, 2270 ngroups * sizeof(*cr->cr_groups)); 2271 } 2272 2273 void 2274 cru2xt(struct thread *td, struct xucred *xcr) 2275 { 2276 2277 cru2x(td->td_ucred, xcr); 2278 xcr->cr_pid = td->td_proc->p_pid; 2279 } 2280 2281 /* 2282 * Change process credentials. 2283 * Callers are responsible for providing the reference for passed credentials 2284 * and for freeing old ones. 2285 * 2286 * Process has to be locked except when it does not have credentials (as it 2287 * should not be visible just yet) or when newcred is NULL (as this can be 2288 * only used when the process is about to be freed, at which point it should 2289 * not be visible anymore). 2290 */ 2291 void 2292 proc_set_cred(struct proc *p, struct ucred *newcred) 2293 { 2294 struct ucred *cr; 2295 2296 cr = p->p_ucred; 2297 MPASS(cr != NULL); 2298 PROC_LOCK_ASSERT(p, MA_OWNED); 2299 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2300 __func__, newcred->cr_users, newcred)); 2301 mtx_lock(&cr->cr_mtx); 2302 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2303 __func__, cr->cr_users, cr)); 2304 cr->cr_users--; 2305 mtx_unlock(&cr->cr_mtx); 2306 p->p_ucred = newcred; 2307 newcred->cr_users = 1; 2308 PROC_UPDATE_COW(p); 2309 } 2310 2311 void 2312 proc_unset_cred(struct proc *p) 2313 { 2314 struct ucred *cr; 2315 2316 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2317 cr = p->p_ucred; 2318 p->p_ucred = NULL; 2319 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2320 __func__, cr->cr_users, cr)); 2321 mtx_lock(&cr->cr_mtx); 2322 cr->cr_users--; 2323 if (cr->cr_users == 0) 2324 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2325 __func__, cr->cr_ref, cr)); 2326 mtx_unlock(&cr->cr_mtx); 2327 crfree(cr); 2328 } 2329 2330 struct ucred * 2331 crcopysafe(struct proc *p, struct ucred *cr) 2332 { 2333 struct ucred *oldcred; 2334 int groups; 2335 2336 PROC_LOCK_ASSERT(p, MA_OWNED); 2337 2338 oldcred = p->p_ucred; 2339 while (cr->cr_agroups < oldcred->cr_agroups) { 2340 groups = oldcred->cr_agroups; 2341 PROC_UNLOCK(p); 2342 crextend(cr, groups); 2343 PROC_LOCK(p); 2344 oldcred = p->p_ucred; 2345 } 2346 crcopy(cr, oldcred); 2347 2348 return (oldcred); 2349 } 2350 2351 /* 2352 * Extend the passed-in credentials to hold n groups. 2353 * 2354 * Must not be called after groups have been set. 2355 */ 2356 void 2357 crextend(struct ucred *cr, int n) 2358 { 2359 size_t nbytes; 2360 2361 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2362 MPASS2(cr->cr_ngroups == 0, "groups on 'cr' already set!"); 2363 groups_check_positive_len(n); 2364 groups_check_max_len(n); 2365 2366 if (n <= cr->cr_agroups) 2367 return; 2368 2369 nbytes = n * sizeof(gid_t); 2370 if (nbytes < n) 2371 panic("Too many groups (memory size overflow)! " 2372 "Computation of 'kern.ngroups' should have prevented this, " 2373 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2374 2375 /* 2376 * We allocate a power of 2 larger than 'nbytes', except when that 2377 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2378 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2379 * below) but do not need to for sizeof(gid_t). 2380 */ 2381 if (nbytes < PAGE_SIZE) { 2382 if (!powerof2(nbytes)) 2383 /* fls*() return a bit index starting at 1. */ 2384 nbytes = 1 << flsl(nbytes); 2385 } else 2386 nbytes = roundup2(nbytes, PAGE_SIZE); 2387 2388 /* Free the old array. */ 2389 if (cr->cr_groups != cr->cr_smallgroups) 2390 free(cr->cr_groups, M_CRED); 2391 2392 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2393 cr->cr_agroups = nbytes / sizeof(gid_t); 2394 } 2395 2396 /* 2397 * Normalizes a set of groups to be applied to a 'struct ucred'. 2398 * 2399 * The set of groups is an array that must comprise the effective GID as its 2400 * first element (so its length cannot be 0). 2401 * 2402 * Normalization ensures that elements after the first, which stand for the 2403 * supplementary groups, are sorted in ascending order and do not contain 2404 * duplicates. 2405 */ 2406 static void 2407 groups_normalize(int *ngrp, gid_t *groups) 2408 { 2409 gid_t prev_g; 2410 int ins_idx; 2411 2412 groups_check_positive_len(*ngrp); 2413 groups_check_max_len(*ngrp); 2414 2415 if (*ngrp == 1) 2416 return; 2417 2418 qsort(groups + 1, *ngrp - 1, sizeof(*groups), gidp_cmp); 2419 2420 /* Remove duplicates. */ 2421 prev_g = groups[1]; 2422 ins_idx = 2; 2423 for (int i = 2; i < *ngrp; ++i) { 2424 const gid_t g = groups[i]; 2425 2426 if (g != prev_g) { 2427 if (i != ins_idx) 2428 groups[ins_idx] = g; 2429 ++ins_idx; 2430 prev_g = g; 2431 } 2432 } 2433 *ngrp = ins_idx; 2434 2435 groups_check_normalized(*ngrp, groups); 2436 } 2437 2438 /* 2439 * Internal function copying groups into a credential. 2440 * 2441 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2442 * been normalized in advance (see groups_normalize()), else it must be so 2443 * before the structure is to be used again. 2444 * 2445 * This function is suitable to be used under any lock (it doesn't take any lock 2446 * itself nor sleep, and in particular doesn't allocate memory). crextend() 2447 * must have been called beforehand to ensure sufficient space is available. 2448 * See also crsetgroups(), which handles that. 2449 */ 2450 static void 2451 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 2452 { 2453 2454 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2455 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 2456 groups_check_positive_len(ngrp); 2457 2458 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2459 cr->cr_ngroups = ngrp; 2460 } 2461 2462 /* 2463 * Copy groups in to a credential after expanding it if required. 2464 * 2465 * May sleep in order to allocate memory (except if, e.g., crextend() was called 2466 * before with 'ngrp' or greater). Truncates the list to (ngroups_max + 1) if 2467 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 2468 * strictly positive. 2469 */ 2470 void 2471 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 2472 { 2473 2474 if (ngrp > ngroups_max + 1) 2475 ngrp = ngroups_max + 1; 2476 /* 2477 * crextend() asserts that groups are not set, as it may allocate a new 2478 * backing storage without copying the content of the old one. Since we 2479 * are going to install a completely new set anyway, signal that we 2480 * consider the old ones thrown away. 2481 */ 2482 cr->cr_ngroups = 0; 2483 crextend(cr, ngrp); 2484 crsetgroups_internal(cr, ngrp, groups); 2485 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 2486 } 2487 2488 /* 2489 * Same as crsetgroups() but accepts an empty groups array. 2490 * 2491 * This function ensures that an effective GID is always present in credentials. 2492 * An empty array is treated as a one-size one holding the passed effective GID 2493 * fallback. 2494 */ 2495 void 2496 crsetgroups_fallback(struct ucred *cr, int ngrp, const gid_t *groups, 2497 const gid_t fallback) 2498 { 2499 if (ngrp == 0) 2500 /* Shortcut. */ 2501 crsetgroups_internal(cr, 1, &fallback); 2502 else 2503 crsetgroups(cr, ngrp, groups); 2504 } 2505 2506 /* 2507 * Get login name, if available. 2508 */ 2509 #ifndef _SYS_SYSPROTO_H_ 2510 struct getlogin_args { 2511 char *namebuf; 2512 u_int namelen; 2513 }; 2514 #endif 2515 /* ARGSUSED */ 2516 int 2517 sys_getlogin(struct thread *td, struct getlogin_args *uap) 2518 { 2519 char login[MAXLOGNAME]; 2520 struct proc *p = td->td_proc; 2521 size_t len; 2522 2523 if (uap->namelen > MAXLOGNAME) 2524 uap->namelen = MAXLOGNAME; 2525 PROC_LOCK(p); 2526 SESS_LOCK(p->p_session); 2527 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 2528 SESS_UNLOCK(p->p_session); 2529 PROC_UNLOCK(p); 2530 if (len > uap->namelen) 2531 return (ERANGE); 2532 return (copyout(login, uap->namebuf, len)); 2533 } 2534 2535 /* 2536 * Set login name. 2537 */ 2538 #ifndef _SYS_SYSPROTO_H_ 2539 struct setlogin_args { 2540 char *namebuf; 2541 }; 2542 #endif 2543 /* ARGSUSED */ 2544 int 2545 sys_setlogin(struct thread *td, struct setlogin_args *uap) 2546 { 2547 struct proc *p = td->td_proc; 2548 int error; 2549 char logintmp[MAXLOGNAME]; 2550 2551 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 2552 2553 error = priv_check(td, PRIV_PROC_SETLOGIN); 2554 if (error) 2555 return (error); 2556 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2557 if (error != 0) { 2558 if (error == ENAMETOOLONG) 2559 error = EINVAL; 2560 return (error); 2561 } 2562 AUDIT_ARG_LOGIN(logintmp); 2563 PROC_LOCK(p); 2564 SESS_LOCK(p->p_session); 2565 strcpy(p->p_session->s_login, logintmp); 2566 SESS_UNLOCK(p->p_session); 2567 PROC_UNLOCK(p); 2568 return (0); 2569 } 2570 2571 void 2572 setsugid(struct proc *p) 2573 { 2574 2575 PROC_LOCK_ASSERT(p, MA_OWNED); 2576 p->p_flag |= P_SUGID; 2577 } 2578 2579 /*- 2580 * Change a process's effective uid. 2581 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2582 * References: newcred must be an exclusive credential reference for the 2583 * duration of the call. 2584 */ 2585 void 2586 change_euid(struct ucred *newcred, struct uidinfo *euip) 2587 { 2588 2589 newcred->cr_uid = euip->ui_uid; 2590 uihold(euip); 2591 uifree(newcred->cr_uidinfo); 2592 newcred->cr_uidinfo = euip; 2593 } 2594 2595 /*- 2596 * Change a process's effective gid. 2597 * Side effects: newcred->cr_gid will be modified. 2598 * References: newcred must be an exclusive credential reference for the 2599 * duration of the call. 2600 */ 2601 void 2602 change_egid(struct ucred *newcred, gid_t egid) 2603 { 2604 2605 newcred->cr_groups[0] = egid; 2606 } 2607 2608 /*- 2609 * Change a process's real uid. 2610 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2611 * will be updated, and the old and new cr_ruidinfo proc 2612 * counts will be updated. 2613 * References: newcred must be an exclusive credential reference for the 2614 * duration of the call. 2615 */ 2616 void 2617 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2618 { 2619 2620 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2621 newcred->cr_ruid = ruip->ui_uid; 2622 uihold(ruip); 2623 uifree(newcred->cr_ruidinfo); 2624 newcred->cr_ruidinfo = ruip; 2625 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2626 } 2627 2628 /*- 2629 * Change a process's real gid. 2630 * Side effects: newcred->cr_rgid will be updated. 2631 * References: newcred must be an exclusive credential reference for the 2632 * duration of the call. 2633 */ 2634 void 2635 change_rgid(struct ucred *newcred, gid_t rgid) 2636 { 2637 2638 newcred->cr_rgid = rgid; 2639 } 2640 2641 /*- 2642 * Change a process's saved uid. 2643 * Side effects: newcred->cr_svuid will be updated. 2644 * References: newcred must be an exclusive credential reference for the 2645 * duration of the call. 2646 */ 2647 void 2648 change_svuid(struct ucred *newcred, uid_t svuid) 2649 { 2650 2651 newcred->cr_svuid = svuid; 2652 } 2653 2654 /*- 2655 * Change a process's saved gid. 2656 * Side effects: newcred->cr_svgid will be updated. 2657 * References: newcred must be an exclusive credential reference for the 2658 * duration of the call. 2659 */ 2660 void 2661 change_svgid(struct ucred *newcred, gid_t svgid) 2662 { 2663 2664 newcred->cr_svgid = svgid; 2665 } 2666 2667 bool allow_ptrace = true; 2668 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 2669 &allow_ptrace, 0, 2670 "Deny ptrace(2) use by returning ENOSYS"); 2671