1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/cdefs.h> 43 __FBSDID("$FreeBSD$"); 44 45 #include "opt_compat.h" 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/acct.h> 51 #include <sys/kernel.h> 52 #include <sys/lock.h> 53 #include <sys/mac.h> 54 #include <sys/malloc.h> 55 #include <sys/mutex.h> 56 #include <sys/sx.h> 57 #include <sys/proc.h> 58 #include <sys/sysproto.h> 59 #include <sys/jail.h> 60 #include <sys/pioctl.h> 61 #include <sys/resourcevar.h> 62 #include <sys/socket.h> 63 #include <sys/socketvar.h> 64 #include <sys/sysctl.h> 65 66 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68 SYSCTL_DECL(_security); 69 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 70 "BSD security policy"); 71 72 #ifndef _SYS_SYSPROTO_H_ 73 struct getpid_args { 74 int dummy; 75 }; 76 #endif 77 /* 78 * MPSAFE 79 */ 80 /* ARGSUSED */ 81 int 82 getpid(struct thread *td, struct getpid_args *uap) 83 { 84 struct proc *p = td->td_proc; 85 86 td->td_retval[0] = p->p_pid; 87 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 88 PROC_LOCK(p); 89 td->td_retval[1] = p->p_pptr->p_pid; 90 PROC_UNLOCK(p); 91 #endif 92 return (0); 93 } 94 95 #ifndef _SYS_SYSPROTO_H_ 96 struct getppid_args { 97 int dummy; 98 }; 99 #endif 100 /* 101 * MPSAFE 102 */ 103 /* ARGSUSED */ 104 int 105 getppid(struct thread *td, struct getppid_args *uap) 106 { 107 struct proc *p = td->td_proc; 108 109 PROC_LOCK(p); 110 td->td_retval[0] = p->p_pptr->p_pid; 111 PROC_UNLOCK(p); 112 return (0); 113 } 114 115 /* 116 * Get process group ID; note that POSIX getpgrp takes no parameter. 117 */ 118 #ifndef _SYS_SYSPROTO_H_ 119 struct getpgrp_args { 120 int dummy; 121 }; 122 #endif 123 /* 124 * MPSAFE 125 */ 126 int 127 getpgrp(struct thread *td, struct getpgrp_args *uap) 128 { 129 struct proc *p = td->td_proc; 130 131 PROC_LOCK(p); 132 td->td_retval[0] = p->p_pgrp->pg_id; 133 PROC_UNLOCK(p); 134 return (0); 135 } 136 137 /* Get an arbitary pid's process group id */ 138 #ifndef _SYS_SYSPROTO_H_ 139 struct getpgid_args { 140 pid_t pid; 141 }; 142 #endif 143 /* 144 * MPSAFE 145 */ 146 int 147 getpgid(struct thread *td, struct getpgid_args *uap) 148 { 149 struct proc *p; 150 int error; 151 152 if (uap->pid == 0) { 153 p = td->td_proc; 154 PROC_LOCK(p); 155 } else { 156 p = pfind(uap->pid); 157 if (p == NULL) 158 return (ESRCH); 159 error = p_cansee(td, p); 160 if (error) { 161 PROC_UNLOCK(p); 162 return (error); 163 } 164 } 165 td->td_retval[0] = p->p_pgrp->pg_id; 166 PROC_UNLOCK(p); 167 return (0); 168 } 169 170 /* 171 * Get an arbitary pid's session id. 172 */ 173 #ifndef _SYS_SYSPROTO_H_ 174 struct getsid_args { 175 pid_t pid; 176 }; 177 #endif 178 /* 179 * MPSAFE 180 */ 181 int 182 getsid(struct thread *td, struct getsid_args *uap) 183 { 184 struct proc *p; 185 int error; 186 187 if (uap->pid == 0) { 188 p = td->td_proc; 189 PROC_LOCK(p); 190 } else { 191 p = pfind(uap->pid); 192 if (p == NULL) 193 return (ESRCH); 194 error = p_cansee(td, p); 195 if (error) { 196 PROC_UNLOCK(p); 197 return (error); 198 } 199 } 200 td->td_retval[0] = p->p_session->s_sid; 201 PROC_UNLOCK(p); 202 return (0); 203 } 204 205 #ifndef _SYS_SYSPROTO_H_ 206 struct getuid_args { 207 int dummy; 208 }; 209 #endif 210 /* 211 * MPSAFE 212 */ 213 /* ARGSUSED */ 214 int 215 getuid(struct thread *td, struct getuid_args *uap) 216 { 217 218 td->td_retval[0] = td->td_ucred->cr_ruid; 219 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 220 td->td_retval[1] = td->td_ucred->cr_uid; 221 #endif 222 return (0); 223 } 224 225 #ifndef _SYS_SYSPROTO_H_ 226 struct geteuid_args { 227 int dummy; 228 }; 229 #endif 230 /* 231 * MPSAFE 232 */ 233 /* ARGSUSED */ 234 int 235 geteuid(struct thread *td, struct geteuid_args *uap) 236 { 237 238 td->td_retval[0] = td->td_ucred->cr_uid; 239 return (0); 240 } 241 242 #ifndef _SYS_SYSPROTO_H_ 243 struct getgid_args { 244 int dummy; 245 }; 246 #endif 247 /* 248 * MPSAFE 249 */ 250 /* ARGSUSED */ 251 int 252 getgid(struct thread *td, struct getgid_args *uap) 253 { 254 255 td->td_retval[0] = td->td_ucred->cr_rgid; 256 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 257 td->td_retval[1] = td->td_ucred->cr_groups[0]; 258 #endif 259 return (0); 260 } 261 262 /* 263 * Get effective group ID. The "egid" is groups[0], and could be obtained 264 * via getgroups. This syscall exists because it is somewhat painful to do 265 * correctly in a library function. 266 */ 267 #ifndef _SYS_SYSPROTO_H_ 268 struct getegid_args { 269 int dummy; 270 }; 271 #endif 272 /* 273 * MPSAFE 274 */ 275 /* ARGSUSED */ 276 int 277 getegid(struct thread *td, struct getegid_args *uap) 278 { 279 280 td->td_retval[0] = td->td_ucred->cr_groups[0]; 281 return (0); 282 } 283 284 #ifndef _SYS_SYSPROTO_H_ 285 struct getgroups_args { 286 u_int gidsetsize; 287 gid_t *gidset; 288 }; 289 #endif 290 /* 291 * MPSAFE 292 */ 293 int 294 getgroups(struct thread *td, register struct getgroups_args *uap) 295 { 296 struct ucred *cred; 297 u_int ngrp; 298 int error; 299 300 cred = td->td_ucred; 301 if ((ngrp = uap->gidsetsize) == 0) { 302 td->td_retval[0] = cred->cr_ngroups; 303 return (0); 304 } 305 if (ngrp < cred->cr_ngroups) 306 return (EINVAL); 307 ngrp = cred->cr_ngroups; 308 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 309 if (error == 0) 310 td->td_retval[0] = ngrp; 311 return (error); 312 } 313 314 #ifndef _SYS_SYSPROTO_H_ 315 struct setsid_args { 316 int dummy; 317 }; 318 #endif 319 /* 320 * MPSAFE 321 */ 322 /* ARGSUSED */ 323 int 324 setsid(register struct thread *td, struct setsid_args *uap) 325 { 326 struct pgrp *pgrp; 327 int error; 328 struct proc *p = td->td_proc; 329 struct pgrp *newpgrp; 330 struct session *newsess; 331 332 error = 0; 333 pgrp = NULL; 334 335 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 336 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 337 338 sx_xlock(&proctree_lock); 339 340 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 341 if (pgrp != NULL) 342 PGRP_UNLOCK(pgrp); 343 error = EPERM; 344 } else { 345 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 346 td->td_retval[0] = p->p_pid; 347 newpgrp = NULL; 348 newsess = NULL; 349 } 350 351 sx_xunlock(&proctree_lock); 352 353 if (newpgrp != NULL) 354 FREE(newpgrp, M_PGRP); 355 if (newsess != NULL) 356 FREE(newsess, M_SESSION); 357 358 return (error); 359 } 360 361 /* 362 * set process group (setpgid/old setpgrp) 363 * 364 * caller does setpgid(targpid, targpgid) 365 * 366 * pid must be caller or child of caller (ESRCH) 367 * if a child 368 * pid must be in same session (EPERM) 369 * pid can't have done an exec (EACCES) 370 * if pgid != pid 371 * there must exist some pid in same session having pgid (EPERM) 372 * pid must not be session leader (EPERM) 373 */ 374 #ifndef _SYS_SYSPROTO_H_ 375 struct setpgid_args { 376 int pid; /* target process id */ 377 int pgid; /* target pgrp id */ 378 }; 379 #endif 380 /* 381 * MPSAFE 382 */ 383 /* ARGSUSED */ 384 int 385 setpgid(struct thread *td, register struct setpgid_args *uap) 386 { 387 struct proc *curp = td->td_proc; 388 register struct proc *targp; /* target process */ 389 register struct pgrp *pgrp; /* target pgrp */ 390 int error; 391 struct pgrp *newpgrp; 392 393 if (uap->pgid < 0) 394 return (EINVAL); 395 396 error = 0; 397 398 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 399 400 sx_xlock(&proctree_lock); 401 if (uap->pid != 0 && uap->pid != curp->p_pid) { 402 if ((targp = pfind(uap->pid)) == NULL) { 403 error = ESRCH; 404 goto done; 405 } 406 if (!inferior(targp)) { 407 PROC_UNLOCK(targp); 408 error = ESRCH; 409 goto done; 410 } 411 if ((error = p_cansee(curthread, targp))) { 412 PROC_UNLOCK(targp); 413 goto done; 414 } 415 if (targp->p_pgrp == NULL || 416 targp->p_session != curp->p_session) { 417 PROC_UNLOCK(targp); 418 error = EPERM; 419 goto done; 420 } 421 if (targp->p_flag & P_EXEC) { 422 PROC_UNLOCK(targp); 423 error = EACCES; 424 goto done; 425 } 426 PROC_UNLOCK(targp); 427 } else 428 targp = curp; 429 if (SESS_LEADER(targp)) { 430 error = EPERM; 431 goto done; 432 } 433 if (uap->pgid == 0) 434 uap->pgid = targp->p_pid; 435 if ((pgrp = pgfind(uap->pgid)) == NULL) { 436 if (uap->pgid == targp->p_pid) { 437 error = enterpgrp(targp, uap->pgid, newpgrp, 438 NULL); 439 if (error == 0) 440 newpgrp = NULL; 441 } else 442 error = EPERM; 443 } else { 444 if (pgrp == targp->p_pgrp) { 445 PGRP_UNLOCK(pgrp); 446 goto done; 447 } 448 if (pgrp->pg_id != targp->p_pid && 449 pgrp->pg_session != curp->p_session) { 450 PGRP_UNLOCK(pgrp); 451 error = EPERM; 452 goto done; 453 } 454 PGRP_UNLOCK(pgrp); 455 error = enterthispgrp(targp, pgrp); 456 } 457 done: 458 sx_xunlock(&proctree_lock); 459 KASSERT((error == 0) || (newpgrp != NULL), 460 ("setpgid failed and newpgrp is NULL")); 461 if (newpgrp != NULL) 462 FREE(newpgrp, M_PGRP); 463 return (error); 464 } 465 466 /* 467 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 468 * compatible. It says that setting the uid/gid to euid/egid is a special 469 * case of "appropriate privilege". Once the rules are expanded out, this 470 * basically means that setuid(nnn) sets all three id's, in all permitted 471 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 472 * does not set the saved id - this is dangerous for traditional BSD 473 * programs. For this reason, we *really* do not want to set 474 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 475 */ 476 #define POSIX_APPENDIX_B_4_2_2 477 478 #ifndef _SYS_SYSPROTO_H_ 479 struct setuid_args { 480 uid_t uid; 481 }; 482 #endif 483 /* 484 * MPSAFE 485 */ 486 /* ARGSUSED */ 487 int 488 setuid(struct thread *td, struct setuid_args *uap) 489 { 490 struct proc *p = td->td_proc; 491 struct ucred *newcred, *oldcred; 492 uid_t uid; 493 struct uidinfo *uip; 494 int error; 495 496 uid = uap->uid; 497 newcred = crget(); 498 uip = uifind(uid); 499 PROC_LOCK(p); 500 oldcred = p->p_ucred; 501 502 /* 503 * See if we have "permission" by POSIX 1003.1 rules. 504 * 505 * Note that setuid(geteuid()) is a special case of 506 * "appropriate privileges" in appendix B.4.2.2. We need 507 * to use this clause to be compatible with traditional BSD 508 * semantics. Basically, it means that "setuid(xx)" sets all 509 * three id's (assuming you have privs). 510 * 511 * Notes on the logic. We do things in three steps. 512 * 1: We determine if the euid is going to change, and do EPERM 513 * right away. We unconditionally change the euid later if this 514 * test is satisfied, simplifying that part of the logic. 515 * 2: We determine if the real and/or saved uids are going to 516 * change. Determined by compile options. 517 * 3: Change euid last. (after tests in #2 for "appropriate privs") 518 */ 519 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 520 #ifdef _POSIX_SAVED_IDS 521 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 522 #endif 523 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 524 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 525 #endif 526 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 527 PROC_UNLOCK(p); 528 uifree(uip); 529 crfree(newcred); 530 return (error); 531 } 532 533 /* 534 * Copy credentials so other references do not see our changes. 535 */ 536 crcopy(newcred, oldcred); 537 #ifdef _POSIX_SAVED_IDS 538 /* 539 * Do we have "appropriate privileges" (are we root or uid == euid) 540 * If so, we are changing the real uid and/or saved uid. 541 */ 542 if ( 543 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 544 uid == oldcred->cr_uid || 545 #endif 546 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 547 #endif 548 { 549 /* 550 * Set the real uid and transfer proc count to new user. 551 */ 552 if (uid != oldcred->cr_ruid) { 553 change_ruid(newcred, uip); 554 setsugid(p); 555 } 556 /* 557 * Set saved uid 558 * 559 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 560 * the security of seteuid() depends on it. B.4.2.2 says it 561 * is important that we should do this. 562 */ 563 if (uid != oldcred->cr_svuid) { 564 change_svuid(newcred, uid); 565 setsugid(p); 566 } 567 } 568 569 /* 570 * In all permitted cases, we are changing the euid. 571 */ 572 if (uid != oldcred->cr_uid) { 573 change_euid(newcred, uip); 574 setsugid(p); 575 } 576 p->p_ucred = newcred; 577 PROC_UNLOCK(p); 578 uifree(uip); 579 crfree(oldcred); 580 return (0); 581 } 582 583 #ifndef _SYS_SYSPROTO_H_ 584 struct seteuid_args { 585 uid_t euid; 586 }; 587 #endif 588 /* 589 * MPSAFE 590 */ 591 /* ARGSUSED */ 592 int 593 seteuid(struct thread *td, struct seteuid_args *uap) 594 { 595 struct proc *p = td->td_proc; 596 struct ucred *newcred, *oldcred; 597 uid_t euid; 598 struct uidinfo *euip; 599 int error; 600 601 euid = uap->euid; 602 newcred = crget(); 603 euip = uifind(euid); 604 PROC_LOCK(p); 605 oldcred = p->p_ucred; 606 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 607 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 608 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 609 PROC_UNLOCK(p); 610 uifree(euip); 611 crfree(newcred); 612 return (error); 613 } 614 /* 615 * Everything's okay, do it. Copy credentials so other references do 616 * not see our changes. 617 */ 618 crcopy(newcred, oldcred); 619 if (oldcred->cr_uid != euid) { 620 change_euid(newcred, euip); 621 setsugid(p); 622 } 623 p->p_ucred = newcred; 624 PROC_UNLOCK(p); 625 uifree(euip); 626 crfree(oldcred); 627 return (0); 628 } 629 630 #ifndef _SYS_SYSPROTO_H_ 631 struct setgid_args { 632 gid_t gid; 633 }; 634 #endif 635 /* 636 * MPSAFE 637 */ 638 /* ARGSUSED */ 639 int 640 setgid(struct thread *td, struct setgid_args *uap) 641 { 642 struct proc *p = td->td_proc; 643 struct ucred *newcred, *oldcred; 644 gid_t gid; 645 int error; 646 647 gid = uap->gid; 648 newcred = crget(); 649 PROC_LOCK(p); 650 oldcred = p->p_ucred; 651 652 /* 653 * See if we have "permission" by POSIX 1003.1 rules. 654 * 655 * Note that setgid(getegid()) is a special case of 656 * "appropriate privileges" in appendix B.4.2.2. We need 657 * to use this clause to be compatible with traditional BSD 658 * semantics. Basically, it means that "setgid(xx)" sets all 659 * three id's (assuming you have privs). 660 * 661 * For notes on the logic here, see setuid() above. 662 */ 663 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 664 #ifdef _POSIX_SAVED_IDS 665 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 666 #endif 667 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 668 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 669 #endif 670 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 671 PROC_UNLOCK(p); 672 crfree(newcred); 673 return (error); 674 } 675 676 crcopy(newcred, oldcred); 677 #ifdef _POSIX_SAVED_IDS 678 /* 679 * Do we have "appropriate privileges" (are we root or gid == egid) 680 * If so, we are changing the real uid and saved gid. 681 */ 682 if ( 683 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 684 gid == oldcred->cr_groups[0] || 685 #endif 686 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 687 #endif 688 { 689 /* 690 * Set real gid 691 */ 692 if (oldcred->cr_rgid != gid) { 693 change_rgid(newcred, gid); 694 setsugid(p); 695 } 696 /* 697 * Set saved gid 698 * 699 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 700 * the security of setegid() depends on it. B.4.2.2 says it 701 * is important that we should do this. 702 */ 703 if (oldcred->cr_svgid != gid) { 704 change_svgid(newcred, gid); 705 setsugid(p); 706 } 707 } 708 /* 709 * In all cases permitted cases, we are changing the egid. 710 * Copy credentials so other references do not see our changes. 711 */ 712 if (oldcred->cr_groups[0] != gid) { 713 change_egid(newcred, gid); 714 setsugid(p); 715 } 716 p->p_ucred = newcred; 717 PROC_UNLOCK(p); 718 crfree(oldcred); 719 return (0); 720 } 721 722 #ifndef _SYS_SYSPROTO_H_ 723 struct setegid_args { 724 gid_t egid; 725 }; 726 #endif 727 /* 728 * MPSAFE 729 */ 730 /* ARGSUSED */ 731 int 732 setegid(struct thread *td, struct setegid_args *uap) 733 { 734 struct proc *p = td->td_proc; 735 struct ucred *newcred, *oldcred; 736 gid_t egid; 737 int error; 738 739 egid = uap->egid; 740 newcred = crget(); 741 PROC_LOCK(p); 742 oldcred = p->p_ucred; 743 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 744 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 745 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 746 PROC_UNLOCK(p); 747 crfree(newcred); 748 return (error); 749 } 750 crcopy(newcred, oldcred); 751 if (oldcred->cr_groups[0] != egid) { 752 change_egid(newcred, egid); 753 setsugid(p); 754 } 755 p->p_ucred = newcred; 756 PROC_UNLOCK(p); 757 crfree(oldcred); 758 return (0); 759 } 760 761 #ifndef _SYS_SYSPROTO_H_ 762 struct setgroups_args { 763 u_int gidsetsize; 764 gid_t *gidset; 765 }; 766 #endif 767 /* 768 * MPSAFE 769 */ 770 /* ARGSUSED */ 771 int 772 setgroups(struct thread *td, struct setgroups_args *uap) 773 { 774 struct proc *p = td->td_proc; 775 struct ucred *newcred, *tempcred, *oldcred; 776 u_int ngrp; 777 int error; 778 779 ngrp = uap->gidsetsize; 780 if (ngrp > NGROUPS) 781 return (EINVAL); 782 tempcred = crget(); 783 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t)); 784 if (error != 0) { 785 crfree(tempcred); 786 return (error); 787 } 788 newcred = crget(); 789 PROC_LOCK(p); 790 oldcred = p->p_ucred; 791 error = suser_cred(oldcred, PRISON_ROOT); 792 if (error) { 793 PROC_UNLOCK(p); 794 crfree(newcred); 795 crfree(tempcred); 796 return (error); 797 } 798 799 /* 800 * XXX A little bit lazy here. We could test if anything has 801 * changed before crcopy() and setting P_SUGID. 802 */ 803 crcopy(newcred, oldcred); 804 if (ngrp < 1) { 805 /* 806 * setgroups(0, NULL) is a legitimate way of clearing the 807 * groups vector on non-BSD systems (which generally do not 808 * have the egid in the groups[0]). We risk security holes 809 * when running non-BSD software if we do not do the same. 810 */ 811 newcred->cr_ngroups = 1; 812 } else { 813 bcopy(tempcred->cr_groups, newcred->cr_groups, 814 ngrp * sizeof(gid_t)); 815 newcred->cr_ngroups = ngrp; 816 } 817 setsugid(p); 818 p->p_ucred = newcred; 819 PROC_UNLOCK(p); 820 crfree(tempcred); 821 crfree(oldcred); 822 return (0); 823 } 824 825 #ifndef _SYS_SYSPROTO_H_ 826 struct setreuid_args { 827 uid_t ruid; 828 uid_t euid; 829 }; 830 #endif 831 /* 832 * MPSAFE 833 */ 834 /* ARGSUSED */ 835 int 836 setreuid(register struct thread *td, struct setreuid_args *uap) 837 { 838 struct proc *p = td->td_proc; 839 struct ucred *newcred, *oldcred; 840 uid_t euid, ruid; 841 struct uidinfo *euip, *ruip; 842 int error; 843 844 euid = uap->euid; 845 ruid = uap->ruid; 846 newcred = crget(); 847 euip = uifind(euid); 848 ruip = uifind(ruid); 849 PROC_LOCK(p); 850 oldcred = p->p_ucred; 851 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 852 ruid != oldcred->cr_svuid) || 853 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 854 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 855 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 856 PROC_UNLOCK(p); 857 uifree(ruip); 858 uifree(euip); 859 crfree(newcred); 860 return (error); 861 } 862 crcopy(newcred, oldcred); 863 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 864 change_euid(newcred, euip); 865 setsugid(p); 866 } 867 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 868 change_ruid(newcred, ruip); 869 setsugid(p); 870 } 871 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 872 newcred->cr_svuid != newcred->cr_uid) { 873 change_svuid(newcred, newcred->cr_uid); 874 setsugid(p); 875 } 876 p->p_ucred = newcred; 877 PROC_UNLOCK(p); 878 uifree(ruip); 879 uifree(euip); 880 crfree(oldcred); 881 return (0); 882 } 883 884 #ifndef _SYS_SYSPROTO_H_ 885 struct setregid_args { 886 gid_t rgid; 887 gid_t egid; 888 }; 889 #endif 890 /* 891 * MPSAFE 892 */ 893 /* ARGSUSED */ 894 int 895 setregid(register struct thread *td, struct setregid_args *uap) 896 { 897 struct proc *p = td->td_proc; 898 struct ucred *newcred, *oldcred; 899 gid_t egid, rgid; 900 int error; 901 902 egid = uap->egid; 903 rgid = uap->rgid; 904 newcred = crget(); 905 PROC_LOCK(p); 906 oldcred = p->p_ucred; 907 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 908 rgid != oldcred->cr_svgid) || 909 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 910 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 911 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 912 PROC_UNLOCK(p); 913 crfree(newcred); 914 return (error); 915 } 916 917 crcopy(newcred, oldcred); 918 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 919 change_egid(newcred, egid); 920 setsugid(p); 921 } 922 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 923 change_rgid(newcred, rgid); 924 setsugid(p); 925 } 926 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 927 newcred->cr_svgid != newcred->cr_groups[0]) { 928 change_svgid(newcred, newcred->cr_groups[0]); 929 setsugid(p); 930 } 931 p->p_ucred = newcred; 932 PROC_UNLOCK(p); 933 crfree(oldcred); 934 return (0); 935 } 936 937 /* 938 * setresuid(ruid, euid, suid) is like setreuid except control over the 939 * saved uid is explicit. 940 */ 941 942 #ifndef _SYS_SYSPROTO_H_ 943 struct setresuid_args { 944 uid_t ruid; 945 uid_t euid; 946 uid_t suid; 947 }; 948 #endif 949 /* 950 * MPSAFE 951 */ 952 /* ARGSUSED */ 953 int 954 setresuid(register struct thread *td, struct setresuid_args *uap) 955 { 956 struct proc *p = td->td_proc; 957 struct ucred *newcred, *oldcred; 958 uid_t euid, ruid, suid; 959 struct uidinfo *euip, *ruip; 960 int error; 961 962 euid = uap->euid; 963 ruid = uap->ruid; 964 suid = uap->suid; 965 newcred = crget(); 966 euip = uifind(euid); 967 ruip = uifind(ruid); 968 PROC_LOCK(p); 969 oldcred = p->p_ucred; 970 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 971 ruid != oldcred->cr_svuid && 972 ruid != oldcred->cr_uid) || 973 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 974 euid != oldcred->cr_svuid && 975 euid != oldcred->cr_uid) || 976 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 977 suid != oldcred->cr_svuid && 978 suid != oldcred->cr_uid)) && 979 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 980 PROC_UNLOCK(p); 981 uifree(ruip); 982 uifree(euip); 983 crfree(newcred); 984 return (error); 985 } 986 987 crcopy(newcred, oldcred); 988 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 989 change_euid(newcred, euip); 990 setsugid(p); 991 } 992 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 993 change_ruid(newcred, ruip); 994 setsugid(p); 995 } 996 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 997 change_svuid(newcred, suid); 998 setsugid(p); 999 } 1000 p->p_ucred = newcred; 1001 PROC_UNLOCK(p); 1002 uifree(ruip); 1003 uifree(euip); 1004 crfree(oldcred); 1005 return (0); 1006 } 1007 1008 /* 1009 * setresgid(rgid, egid, sgid) is like setregid except control over the 1010 * saved gid is explicit. 1011 */ 1012 1013 #ifndef _SYS_SYSPROTO_H_ 1014 struct setresgid_args { 1015 gid_t rgid; 1016 gid_t egid; 1017 gid_t sgid; 1018 }; 1019 #endif 1020 /* 1021 * MPSAFE 1022 */ 1023 /* ARGSUSED */ 1024 int 1025 setresgid(register struct thread *td, struct setresgid_args *uap) 1026 { 1027 struct proc *p = td->td_proc; 1028 struct ucred *newcred, *oldcred; 1029 gid_t egid, rgid, sgid; 1030 int error; 1031 1032 egid = uap->egid; 1033 rgid = uap->rgid; 1034 sgid = uap->sgid; 1035 newcred = crget(); 1036 PROC_LOCK(p); 1037 oldcred = p->p_ucred; 1038 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1039 rgid != oldcred->cr_svgid && 1040 rgid != oldcred->cr_groups[0]) || 1041 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1042 egid != oldcred->cr_svgid && 1043 egid != oldcred->cr_groups[0]) || 1044 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1045 sgid != oldcred->cr_svgid && 1046 sgid != oldcred->cr_groups[0])) && 1047 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 1048 PROC_UNLOCK(p); 1049 crfree(newcred); 1050 return (error); 1051 } 1052 1053 crcopy(newcred, oldcred); 1054 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1055 change_egid(newcred, egid); 1056 setsugid(p); 1057 } 1058 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1059 change_rgid(newcred, rgid); 1060 setsugid(p); 1061 } 1062 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1063 change_svgid(newcred, sgid); 1064 setsugid(p); 1065 } 1066 p->p_ucred = newcred; 1067 PROC_UNLOCK(p); 1068 crfree(oldcred); 1069 return (0); 1070 } 1071 1072 #ifndef _SYS_SYSPROTO_H_ 1073 struct getresuid_args { 1074 uid_t *ruid; 1075 uid_t *euid; 1076 uid_t *suid; 1077 }; 1078 #endif 1079 /* 1080 * MPSAFE 1081 */ 1082 /* ARGSUSED */ 1083 int 1084 getresuid(register struct thread *td, struct getresuid_args *uap) 1085 { 1086 struct ucred *cred; 1087 int error1 = 0, error2 = 0, error3 = 0; 1088 1089 cred = td->td_ucred; 1090 if (uap->ruid) 1091 error1 = copyout(&cred->cr_ruid, 1092 uap->ruid, sizeof(cred->cr_ruid)); 1093 if (uap->euid) 1094 error2 = copyout(&cred->cr_uid, 1095 uap->euid, sizeof(cred->cr_uid)); 1096 if (uap->suid) 1097 error3 = copyout(&cred->cr_svuid, 1098 uap->suid, sizeof(cred->cr_svuid)); 1099 return (error1 ? error1 : error2 ? error2 : error3); 1100 } 1101 1102 #ifndef _SYS_SYSPROTO_H_ 1103 struct getresgid_args { 1104 gid_t *rgid; 1105 gid_t *egid; 1106 gid_t *sgid; 1107 }; 1108 #endif 1109 /* 1110 * MPSAFE 1111 */ 1112 /* ARGSUSED */ 1113 int 1114 getresgid(register struct thread *td, struct getresgid_args *uap) 1115 { 1116 struct ucred *cred; 1117 int error1 = 0, error2 = 0, error3 = 0; 1118 1119 cred = td->td_ucred; 1120 if (uap->rgid) 1121 error1 = copyout(&cred->cr_rgid, 1122 uap->rgid, sizeof(cred->cr_rgid)); 1123 if (uap->egid) 1124 error2 = copyout(&cred->cr_groups[0], 1125 uap->egid, sizeof(cred->cr_groups[0])); 1126 if (uap->sgid) 1127 error3 = copyout(&cred->cr_svgid, 1128 uap->sgid, sizeof(cred->cr_svgid)); 1129 return (error1 ? error1 : error2 ? error2 : error3); 1130 } 1131 1132 #ifndef _SYS_SYSPROTO_H_ 1133 struct issetugid_args { 1134 int dummy; 1135 }; 1136 #endif 1137 /* 1138 * MPSAFE 1139 */ 1140 /* ARGSUSED */ 1141 int 1142 issetugid(register struct thread *td, struct issetugid_args *uap) 1143 { 1144 struct proc *p = td->td_proc; 1145 1146 /* 1147 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1148 * we use P_SUGID because we consider changing the owners as 1149 * "tainting" as well. 1150 * This is significant for procs that start as root and "become" 1151 * a user without an exec - programs cannot know *everything* 1152 * that libc *might* have put in their data segment. 1153 */ 1154 PROC_LOCK(p); 1155 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1156 PROC_UNLOCK(p); 1157 return (0); 1158 } 1159 1160 /* 1161 * MPSAFE 1162 */ 1163 int 1164 __setugid(struct thread *td, struct __setugid_args *uap) 1165 { 1166 #ifdef REGRESSION 1167 struct proc *p; 1168 1169 p = td->td_proc; 1170 switch (uap->flag) { 1171 case 0: 1172 PROC_LOCK(p); 1173 p->p_flag &= ~P_SUGID; 1174 PROC_UNLOCK(p); 1175 return (0); 1176 case 1: 1177 PROC_LOCK(p); 1178 p->p_flag |= P_SUGID; 1179 PROC_UNLOCK(p); 1180 return (0); 1181 default: 1182 return (EINVAL); 1183 } 1184 #else /* !REGRESSION */ 1185 1186 return (ENOSYS); 1187 #endif /* REGRESSION */ 1188 } 1189 1190 /* 1191 * Check if gid is a member of the group set. 1192 * 1193 * MPSAFE (cred must be held) 1194 */ 1195 int 1196 groupmember(gid_t gid, struct ucred *cred) 1197 { 1198 register gid_t *gp; 1199 gid_t *egp; 1200 1201 egp = &(cred->cr_groups[cred->cr_ngroups]); 1202 for (gp = cred->cr_groups; gp < egp; gp++) 1203 if (*gp == gid) 1204 return (1); 1205 return (0); 1206 } 1207 1208 /* 1209 * `suser_enabled' (which can be set by the security.suser_enabled 1210 * sysctl) determines whether the system 'super-user' policy is in effect. 1211 * If it is nonzero, an effective uid of 0 connotes special privilege, 1212 * overriding many mandatory and discretionary protections. If it is zero, 1213 * uid 0 is offered no special privilege in the kernel security policy. 1214 * Setting it to zero may seriously impact the functionality of many 1215 * existing userland programs, and should not be done without careful 1216 * consideration of the consequences. 1217 */ 1218 int suser_enabled = 1; 1219 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1220 &suser_enabled, 0, "processes with uid 0 have privilege"); 1221 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1222 1223 /* 1224 * Test whether the specified credentials imply "super-user" privilege. 1225 * Return 0 or EPERM. The flag argument is currently used only to 1226 * specify jail interaction. 1227 */ 1228 int 1229 suser_cred(struct ucred *cred, int flag) 1230 { 1231 1232 if (!suser_enabled) 1233 return (EPERM); 1234 if (cred->cr_uid != 0) 1235 return (EPERM); 1236 if (jailed(cred) && !(flag & PRISON_ROOT)) 1237 return (EPERM); 1238 return (0); 1239 } 1240 1241 /* 1242 * Shortcut to hide contents of struct td and struct proc from the 1243 * caller, promoting binary compatibility. 1244 */ 1245 int 1246 suser(struct thread *td) 1247 { 1248 1249 return (suser_cred(td->td_ucred, 0)); 1250 } 1251 1252 /* 1253 * Test the active securelevel against a given level. securelevel_gt() 1254 * implements (securelevel > level). securelevel_ge() implements 1255 * (securelevel >= level). Note that the logic is inverted -- these 1256 * functions return EPERM on "success" and 0 on "failure". 1257 * 1258 * MPSAFE 1259 */ 1260 int 1261 securelevel_gt(struct ucred *cr, int level) 1262 { 1263 int active_securelevel; 1264 1265 active_securelevel = securelevel; 1266 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1267 if (cr->cr_prison != NULL) { 1268 mtx_lock(&cr->cr_prison->pr_mtx); 1269 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1270 active_securelevel); 1271 mtx_unlock(&cr->cr_prison->pr_mtx); 1272 } 1273 return (active_securelevel > level ? EPERM : 0); 1274 } 1275 1276 int 1277 securelevel_ge(struct ucred *cr, int level) 1278 { 1279 int active_securelevel; 1280 1281 active_securelevel = securelevel; 1282 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1283 if (cr->cr_prison != NULL) { 1284 mtx_lock(&cr->cr_prison->pr_mtx); 1285 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1286 active_securelevel); 1287 mtx_unlock(&cr->cr_prison->pr_mtx); 1288 } 1289 return (active_securelevel >= level ? EPERM : 0); 1290 } 1291 1292 /* 1293 * 'see_other_uids' determines whether or not visibility of processes 1294 * and sockets with credentials holding different real uids is possible 1295 * using a variety of system MIBs. 1296 * XXX: data declarations should be together near the beginning of the file. 1297 */ 1298 static int see_other_uids = 1; 1299 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1300 &see_other_uids, 0, 1301 "Unprivileged processes may see subjects/objects with different real uid"); 1302 1303 /*- 1304 * Determine if u1 "can see" the subject specified by u2, according to the 1305 * 'see_other_uids' policy. 1306 * Returns: 0 for permitted, ESRCH otherwise 1307 * Locks: none 1308 * References: *u1 and *u2 must not change during the call 1309 * u1 may equal u2, in which case only one reference is required 1310 */ 1311 static int 1312 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1313 { 1314 1315 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1316 if (suser_cred(u1, PRISON_ROOT) != 0) 1317 return (ESRCH); 1318 } 1319 return (0); 1320 } 1321 1322 /* 1323 * 'see_other_gids' determines whether or not visibility of processes 1324 * and sockets with credentials holding different real gids is possible 1325 * using a variety of system MIBs. 1326 * XXX: data declarations should be together near the beginning of the file. 1327 */ 1328 static int see_other_gids = 1; 1329 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1330 &see_other_gids, 0, 1331 "Unprivileged processes may see subjects/objects with different real gid"); 1332 1333 /* 1334 * Determine if u1 can "see" the subject specified by u2, according to the 1335 * 'see_other_gids' policy. 1336 * Returns: 0 for permitted, ESRCH otherwise 1337 * Locks: none 1338 * References: *u1 and *u2 must not change during the call 1339 * u1 may equal u2, in which case only one reference is required 1340 */ 1341 static int 1342 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1343 { 1344 int i, match; 1345 1346 if (!see_other_gids) { 1347 match = 0; 1348 for (i = 0; i < u1->cr_ngroups; i++) { 1349 if (groupmember(u1->cr_groups[i], u2)) 1350 match = 1; 1351 if (match) 1352 break; 1353 } 1354 if (!match) { 1355 if (suser_cred(u1, PRISON_ROOT) != 0) 1356 return (ESRCH); 1357 } 1358 } 1359 return (0); 1360 } 1361 1362 /*- 1363 * Determine if u1 "can see" the subject specified by u2. 1364 * Returns: 0 for permitted, an errno value otherwise 1365 * Locks: none 1366 * References: *u1 and *u2 must not change during the call 1367 * u1 may equal u2, in which case only one reference is required 1368 */ 1369 int 1370 cr_cansee(struct ucred *u1, struct ucred *u2) 1371 { 1372 int error; 1373 1374 if ((error = prison_check(u1, u2))) 1375 return (error); 1376 #ifdef MAC 1377 if ((error = mac_check_cred_visible(u1, u2))) 1378 return (error); 1379 #endif 1380 if ((error = cr_seeotheruids(u1, u2))) 1381 return (error); 1382 if ((error = cr_seeothergids(u1, u2))) 1383 return (error); 1384 return (0); 1385 } 1386 1387 /*- 1388 * Determine if td "can see" the subject specified by p. 1389 * Returns: 0 for permitted, an errno value otherwise 1390 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1391 * should be curthread. 1392 * References: td and p must be valid for the lifetime of the call 1393 */ 1394 int 1395 p_cansee(struct thread *td, struct proc *p) 1396 { 1397 1398 /* Wrap cr_cansee() for all functionality. */ 1399 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1400 PROC_LOCK_ASSERT(p, MA_OWNED); 1401 return (cr_cansee(td->td_ucred, p->p_ucred)); 1402 } 1403 1404 /* 1405 * 'conservative_signals' prevents the delivery of a broad class of 1406 * signals by unprivileged processes to processes that have changed their 1407 * credentials since the last invocation of execve(). This can prevent 1408 * the leakage of cached information or retained privileges as a result 1409 * of a common class of signal-related vulnerabilities. However, this 1410 * may interfere with some applications that expect to be able to 1411 * deliver these signals to peer processes after having given up 1412 * privilege. 1413 */ 1414 static int conservative_signals = 1; 1415 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1416 &conservative_signals, 0, "Unprivileged processes prevented from " 1417 "sending certain signals to processes whose credentials have changed"); 1418 /*- 1419 * Determine whether cred may deliver the specified signal to proc. 1420 * Returns: 0 for permitted, an errno value otherwise. 1421 * Locks: A lock must be held for proc. 1422 * References: cred and proc must be valid for the lifetime of the call. 1423 */ 1424 int 1425 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1426 { 1427 int error; 1428 1429 PROC_LOCK_ASSERT(proc, MA_OWNED); 1430 /* 1431 * Jail semantics limit the scope of signalling to proc in the 1432 * same jail as cred, if cred is in jail. 1433 */ 1434 error = prison_check(cred, proc->p_ucred); 1435 if (error) 1436 return (error); 1437 #ifdef MAC 1438 if ((error = mac_check_proc_signal(cred, proc, signum))) 1439 return (error); 1440 #endif 1441 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1442 return (error); 1443 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1444 return (error); 1445 1446 /* 1447 * UNIX signal semantics depend on the status of the P_SUGID 1448 * bit on the target process. If the bit is set, then additional 1449 * restrictions are placed on the set of available signals. 1450 */ 1451 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1452 switch (signum) { 1453 case 0: 1454 case SIGKILL: 1455 case SIGINT: 1456 case SIGTERM: 1457 case SIGALRM: 1458 case SIGSTOP: 1459 case SIGTTIN: 1460 case SIGTTOU: 1461 case SIGTSTP: 1462 case SIGHUP: 1463 case SIGUSR1: 1464 case SIGUSR2: 1465 /* 1466 * Generally, permit job and terminal control 1467 * signals. 1468 */ 1469 break; 1470 default: 1471 /* Not permitted without privilege. */ 1472 error = suser_cred(cred, PRISON_ROOT); 1473 if (error) 1474 return (error); 1475 } 1476 } 1477 1478 /* 1479 * Generally, the target credential's ruid or svuid must match the 1480 * subject credential's ruid or euid. 1481 */ 1482 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1483 cred->cr_ruid != proc->p_ucred->cr_svuid && 1484 cred->cr_uid != proc->p_ucred->cr_ruid && 1485 cred->cr_uid != proc->p_ucred->cr_svuid) { 1486 /* Not permitted without privilege. */ 1487 error = suser_cred(cred, PRISON_ROOT); 1488 if (error) 1489 return (error); 1490 } 1491 1492 return (0); 1493 } 1494 1495 1496 /*- 1497 * Determine whether td may deliver the specified signal to p. 1498 * Returns: 0 for permitted, an errno value otherwise 1499 * Locks: Sufficient locks to protect various components of td and p 1500 * must be held. td must be curthread, and a lock must be 1501 * held for p. 1502 * References: td and p must be valid for the lifetime of the call 1503 */ 1504 int 1505 p_cansignal(struct thread *td, struct proc *p, int signum) 1506 { 1507 1508 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1509 PROC_LOCK_ASSERT(p, MA_OWNED); 1510 if (td->td_proc == p) 1511 return (0); 1512 1513 /* 1514 * UNIX signalling semantics require that processes in the same 1515 * session always be able to deliver SIGCONT to one another, 1516 * overriding the remaining protections. 1517 */ 1518 /* XXX: This will require an additional lock of some sort. */ 1519 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1520 return (0); 1521 1522 return (cr_cansignal(td->td_ucred, p, signum)); 1523 } 1524 1525 /*- 1526 * Determine whether td may reschedule p. 1527 * Returns: 0 for permitted, an errno value otherwise 1528 * Locks: Sufficient locks to protect various components of td and p 1529 * must be held. td must be curthread, and a lock must 1530 * be held for p. 1531 * References: td and p must be valid for the lifetime of the call 1532 */ 1533 int 1534 p_cansched(struct thread *td, struct proc *p) 1535 { 1536 int error; 1537 1538 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1539 PROC_LOCK_ASSERT(p, MA_OWNED); 1540 if (td->td_proc == p) 1541 return (0); 1542 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1543 return (error); 1544 #ifdef MAC 1545 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1546 return (error); 1547 #endif 1548 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1549 return (error); 1550 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1551 return (error); 1552 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1553 return (0); 1554 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1555 return (0); 1556 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0) 1557 return (0); 1558 1559 #ifdef CAPABILITIES 1560 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT)) 1561 return (0); 1562 #endif 1563 1564 return (EPERM); 1565 } 1566 1567 /* 1568 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1569 * unprivileged inter-process debugging services, including some procfs 1570 * functionality, ptrace(), and ktrace(). In the past, inter-process 1571 * debugging has been involved in a variety of security problems, and sites 1572 * not requiring the service might choose to disable it when hardening 1573 * systems. 1574 * 1575 * XXX: Should modifying and reading this variable require locking? 1576 * XXX: data declarations should be together near the beginning of the file. 1577 */ 1578 static int unprivileged_proc_debug = 1; 1579 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1580 &unprivileged_proc_debug, 0, 1581 "Unprivileged processes may use process debugging facilities"); 1582 1583 /*- 1584 * Determine whether td may debug p. 1585 * Returns: 0 for permitted, an errno value otherwise 1586 * Locks: Sufficient locks to protect various components of td and p 1587 * must be held. td must be curthread, and a lock must 1588 * be held for p. 1589 * References: td and p must be valid for the lifetime of the call 1590 */ 1591 int 1592 p_candebug(struct thread *td, struct proc *p) 1593 { 1594 int credentialchanged, error, grpsubset, i, uidsubset; 1595 1596 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1597 PROC_LOCK_ASSERT(p, MA_OWNED); 1598 if (!unprivileged_proc_debug) { 1599 error = suser_cred(td->td_ucred, PRISON_ROOT); 1600 if (error) 1601 return (error); 1602 } 1603 if (td->td_proc == p) 1604 return (0); 1605 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1606 return (error); 1607 #ifdef MAC 1608 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1609 return (error); 1610 #endif 1611 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1612 return (error); 1613 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1614 return (error); 1615 1616 /* 1617 * Is p's group set a subset of td's effective group set? This 1618 * includes p's egid, group access list, rgid, and svgid. 1619 */ 1620 grpsubset = 1; 1621 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1622 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1623 grpsubset = 0; 1624 break; 1625 } 1626 } 1627 grpsubset = grpsubset && 1628 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1629 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1630 1631 /* 1632 * Are the uids present in p's credential equal to td's 1633 * effective uid? This includes p's euid, svuid, and ruid. 1634 */ 1635 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1636 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1637 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1638 1639 /* 1640 * Has the credential of the process changed since the last exec()? 1641 */ 1642 credentialchanged = (p->p_flag & P_SUGID); 1643 1644 /* 1645 * If p's gids aren't a subset, or the uids aren't a subset, 1646 * or the credential has changed, require appropriate privilege 1647 * for td to debug p. For POSIX.1e capabilities, this will 1648 * require CAP_SYS_PTRACE. 1649 */ 1650 if (!grpsubset || !uidsubset || credentialchanged) { 1651 error = suser_cred(td->td_ucred, PRISON_ROOT); 1652 if (error) 1653 return (error); 1654 } 1655 1656 /* Can't trace init when securelevel > 0. */ 1657 if (p == initproc) { 1658 error = securelevel_gt(td->td_ucred, 0); 1659 if (error) 1660 return (error); 1661 } 1662 1663 /* 1664 * Can't trace a process that's currently exec'ing. 1665 * XXX: Note, this is not a security policy decision, it's a 1666 * basic correctness/functionality decision. Therefore, this check 1667 * should be moved to the caller's of p_candebug(). 1668 */ 1669 if ((p->p_flag & P_INEXEC) != 0) 1670 return (EAGAIN); 1671 1672 return (0); 1673 } 1674 1675 /*- 1676 * Determine whether the subject represented by cred can "see" a socket. 1677 * Returns: 0 for permitted, ENOENT otherwise. 1678 */ 1679 int 1680 cr_canseesocket(struct ucred *cred, struct socket *so) 1681 { 1682 int error; 1683 1684 error = prison_check(cred, so->so_cred); 1685 if (error) 1686 return (ENOENT); 1687 #ifdef MAC 1688 error = mac_check_socket_visible(cred, so); 1689 if (error) 1690 return (error); 1691 #endif 1692 if (cr_seeotheruids(cred, so->so_cred)) 1693 return (ENOENT); 1694 if (cr_seeothergids(cred, so->so_cred)) 1695 return (ENOENT); 1696 1697 return (0); 1698 } 1699 1700 /* 1701 * Allocate a zeroed cred structure. 1702 * MPSAFE 1703 */ 1704 struct ucred * 1705 crget(void) 1706 { 1707 register struct ucred *cr; 1708 1709 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1710 cr->cr_ref = 1; 1711 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr); 1712 #ifdef MAC 1713 mac_init_cred(cr); 1714 #endif 1715 return (cr); 1716 } 1717 1718 /* 1719 * Claim another reference to a ucred structure. 1720 * MPSAFE 1721 */ 1722 struct ucred * 1723 crhold(struct ucred *cr) 1724 { 1725 1726 mtx_lock(cr->cr_mtxp); 1727 cr->cr_ref++; 1728 mtx_unlock(cr->cr_mtxp); 1729 return (cr); 1730 } 1731 1732 /* 1733 * Free a cred structure. 1734 * Throws away space when ref count gets to 0. 1735 * MPSAFE 1736 */ 1737 void 1738 crfree(struct ucred *cr) 1739 { 1740 struct mtx *mtxp = cr->cr_mtxp; 1741 1742 mtx_lock(mtxp); 1743 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1744 if (--cr->cr_ref == 0) { 1745 mtx_unlock(mtxp); 1746 /* 1747 * Some callers of crget(), such as nfs_statfs(), 1748 * allocate a temporary credential, but don't 1749 * allocate a uidinfo structure. 1750 */ 1751 if (cr->cr_uidinfo != NULL) 1752 uifree(cr->cr_uidinfo); 1753 if (cr->cr_ruidinfo != NULL) 1754 uifree(cr->cr_ruidinfo); 1755 /* 1756 * Free a prison, if any. 1757 */ 1758 if (jailed(cr)) 1759 prison_free(cr->cr_prison); 1760 #ifdef MAC 1761 mac_destroy_cred(cr); 1762 #endif 1763 FREE(cr, M_CRED); 1764 } else { 1765 mtx_unlock(mtxp); 1766 } 1767 } 1768 1769 /* 1770 * Check to see if this ucred is shared. 1771 * MPSAFE 1772 */ 1773 int 1774 crshared(struct ucred *cr) 1775 { 1776 int shared; 1777 1778 mtx_lock(cr->cr_mtxp); 1779 shared = (cr->cr_ref > 1); 1780 mtx_unlock(cr->cr_mtxp); 1781 return (shared); 1782 } 1783 1784 /* 1785 * Copy a ucred's contents from a template. Does not block. 1786 * MPSAFE 1787 */ 1788 void 1789 crcopy(struct ucred *dest, struct ucred *src) 1790 { 1791 1792 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1793 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1794 (unsigned)((caddr_t)&src->cr_endcopy - 1795 (caddr_t)&src->cr_startcopy)); 1796 uihold(dest->cr_uidinfo); 1797 uihold(dest->cr_ruidinfo); 1798 if (jailed(dest)) 1799 prison_hold(dest->cr_prison); 1800 #ifdef MAC 1801 mac_copy_cred(src, dest); 1802 #endif 1803 } 1804 1805 /* 1806 * Dup cred struct to a new held one. 1807 * MPSAFE 1808 */ 1809 struct ucred * 1810 crdup(struct ucred *cr) 1811 { 1812 struct ucred *newcr; 1813 1814 newcr = crget(); 1815 crcopy(newcr, cr); 1816 return (newcr); 1817 } 1818 1819 #ifdef DIAGNOSTIC 1820 void 1821 cred_free_thread(struct thread *td) 1822 { 1823 struct ucred *cred; 1824 1825 cred = td->td_ucred; 1826 td->td_ucred = NULL; 1827 if (cred != NULL) 1828 crfree(cred); 1829 } 1830 #endif 1831 1832 /* 1833 * Fill in a struct xucred based on a struct ucred. 1834 * MPSAFE 1835 */ 1836 void 1837 cru2x(struct ucred *cr, struct xucred *xcr) 1838 { 1839 1840 bzero(xcr, sizeof(*xcr)); 1841 xcr->cr_version = XUCRED_VERSION; 1842 xcr->cr_uid = cr->cr_uid; 1843 xcr->cr_ngroups = cr->cr_ngroups; 1844 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1845 } 1846 1847 /* 1848 * small routine to swap a thread's current ucred for the correct one 1849 * taken from the process. 1850 * MPSAFE 1851 */ 1852 void 1853 cred_update_thread(struct thread *td) 1854 { 1855 struct proc *p; 1856 struct ucred *cred; 1857 1858 p = td->td_proc; 1859 cred = td->td_ucred; 1860 PROC_LOCK(p); 1861 td->td_ucred = crhold(p->p_ucred); 1862 PROC_UNLOCK(p); 1863 if (cred != NULL) 1864 crfree(cred); 1865 } 1866 1867 /* 1868 * Get login name, if available. 1869 */ 1870 #ifndef _SYS_SYSPROTO_H_ 1871 struct getlogin_args { 1872 char *namebuf; 1873 u_int namelen; 1874 }; 1875 #endif 1876 /* 1877 * MPSAFE 1878 */ 1879 /* ARGSUSED */ 1880 int 1881 getlogin(struct thread *td, struct getlogin_args *uap) 1882 { 1883 int error; 1884 char login[MAXLOGNAME]; 1885 struct proc *p = td->td_proc; 1886 1887 if (uap->namelen > MAXLOGNAME) 1888 uap->namelen = MAXLOGNAME; 1889 PROC_LOCK(p); 1890 SESS_LOCK(p->p_session); 1891 bcopy(p->p_session->s_login, login, uap->namelen); 1892 SESS_UNLOCK(p->p_session); 1893 PROC_UNLOCK(p); 1894 error = copyout(login, uap->namebuf, uap->namelen); 1895 return(error); 1896 } 1897 1898 /* 1899 * Set login name. 1900 */ 1901 #ifndef _SYS_SYSPROTO_H_ 1902 struct setlogin_args { 1903 char *namebuf; 1904 }; 1905 #endif 1906 /* 1907 * MPSAFE 1908 */ 1909 /* ARGSUSED */ 1910 int 1911 setlogin(struct thread *td, struct setlogin_args *uap) 1912 { 1913 struct proc *p = td->td_proc; 1914 int error; 1915 char logintmp[MAXLOGNAME]; 1916 1917 error = suser_cred(td->td_ucred, PRISON_ROOT); 1918 if (error) 1919 return (error); 1920 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1921 if (error == ENAMETOOLONG) 1922 error = EINVAL; 1923 else if (!error) { 1924 PROC_LOCK(p); 1925 SESS_LOCK(p->p_session); 1926 (void) memcpy(p->p_session->s_login, logintmp, 1927 sizeof(logintmp)); 1928 SESS_UNLOCK(p->p_session); 1929 PROC_UNLOCK(p); 1930 } 1931 return (error); 1932 } 1933 1934 void 1935 setsugid(struct proc *p) 1936 { 1937 1938 PROC_LOCK_ASSERT(p, MA_OWNED); 1939 p->p_flag |= P_SUGID; 1940 if (!(p->p_pfsflags & PF_ISUGID)) 1941 p->p_stops = 0; 1942 } 1943 1944 /*- 1945 * Change a process's effective uid. 1946 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1947 * References: newcred must be an exclusive credential reference for the 1948 * duration of the call. 1949 */ 1950 void 1951 change_euid(struct ucred *newcred, struct uidinfo *euip) 1952 { 1953 1954 newcred->cr_uid = euip->ui_uid; 1955 uihold(euip); 1956 uifree(newcred->cr_uidinfo); 1957 newcred->cr_uidinfo = euip; 1958 } 1959 1960 /*- 1961 * Change a process's effective gid. 1962 * Side effects: newcred->cr_gid will be modified. 1963 * References: newcred must be an exclusive credential reference for the 1964 * duration of the call. 1965 */ 1966 void 1967 change_egid(struct ucred *newcred, gid_t egid) 1968 { 1969 1970 newcred->cr_groups[0] = egid; 1971 } 1972 1973 /*- 1974 * Change a process's real uid. 1975 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1976 * will be updated, and the old and new cr_ruidinfo proc 1977 * counts will be updated. 1978 * References: newcred must be an exclusive credential reference for the 1979 * duration of the call. 1980 */ 1981 void 1982 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 1983 { 1984 1985 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1986 newcred->cr_ruid = ruip->ui_uid; 1987 uihold(ruip); 1988 uifree(newcred->cr_ruidinfo); 1989 newcred->cr_ruidinfo = ruip; 1990 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1991 } 1992 1993 /*- 1994 * Change a process's real gid. 1995 * Side effects: newcred->cr_rgid will be updated. 1996 * References: newcred must be an exclusive credential reference for the 1997 * duration of the call. 1998 */ 1999 void 2000 change_rgid(struct ucred *newcred, gid_t rgid) 2001 { 2002 2003 newcred->cr_rgid = rgid; 2004 } 2005 2006 /*- 2007 * Change a process's saved uid. 2008 * Side effects: newcred->cr_svuid will be updated. 2009 * References: newcred must be an exclusive credential reference for the 2010 * duration of the call. 2011 */ 2012 void 2013 change_svuid(struct ucred *newcred, uid_t svuid) 2014 { 2015 2016 newcred->cr_svuid = svuid; 2017 } 2018 2019 /*- 2020 * Change a process's saved gid. 2021 * Side effects: newcred->cr_svgid will be updated. 2022 * References: newcred must be an exclusive credential reference for the 2023 * duration of the call. 2024 */ 2025 void 2026 change_svgid(struct ucred *newcred, gid_t svgid) 2027 { 2028 2029 newcred->cr_svgid = svgid; 2030 } 2031