1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/abi_compat.h> 51 #include <sys/acct.h> 52 #include <sys/kdb.h> 53 #include <sys/kernel.h> 54 #include <sys/libkern.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef MAC 78 #include <security/mac/mac_syscalls.h> 79 #endif 80 81 #include <vm/uma.h> 82 83 #ifdef REGRESSION 84 FEATURE(regression, 85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 86 #endif 87 88 #include <security/audit/audit.h> 89 #include <security/mac/mac_framework.h> 90 91 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 92 93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 94 "BSD security policy"); 95 96 static void crfree_final(struct ucred *cr); 97 98 static inline void 99 groups_check_positive_len(int ngrp) 100 { 101 MPASS2(ngrp >= 0, "negative number of groups"); 102 MPASS2(ngrp != 0, "at least one group expected (effective GID)"); 103 } 104 static inline void 105 groups_check_max_len(int ngrp) 106 { 107 MPASS2(ngrp <= ngroups_max + 1, "too many groups"); 108 } 109 110 static void groups_normalize(int *ngrp, gid_t *groups); 111 static void crsetgroups_internal(struct ucred *cr, int ngrp, 112 const gid_t *groups); 113 114 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 115 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 116 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 117 118 #ifndef _SYS_SYSPROTO_H_ 119 struct getpid_args { 120 int dummy; 121 }; 122 #endif 123 /* ARGSUSED */ 124 int 125 sys_getpid(struct thread *td, struct getpid_args *uap) 126 { 127 struct proc *p = td->td_proc; 128 129 td->td_retval[0] = p->p_pid; 130 #if defined(COMPAT_43) 131 if (SV_PROC_FLAG(p, SV_AOUT)) 132 td->td_retval[1] = kern_getppid(td); 133 #endif 134 return (0); 135 } 136 137 #ifndef _SYS_SYSPROTO_H_ 138 struct getppid_args { 139 int dummy; 140 }; 141 #endif 142 /* ARGSUSED */ 143 int 144 sys_getppid(struct thread *td, struct getppid_args *uap) 145 { 146 147 td->td_retval[0] = kern_getppid(td); 148 return (0); 149 } 150 151 int 152 kern_getppid(struct thread *td) 153 { 154 struct proc *p = td->td_proc; 155 156 return (p->p_oppid); 157 } 158 159 /* 160 * Get process group ID; note that POSIX getpgrp takes no parameter. 161 */ 162 #ifndef _SYS_SYSPROTO_H_ 163 struct getpgrp_args { 164 int dummy; 165 }; 166 #endif 167 int 168 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 169 { 170 struct proc *p = td->td_proc; 171 172 PROC_LOCK(p); 173 td->td_retval[0] = p->p_pgrp->pg_id; 174 PROC_UNLOCK(p); 175 return (0); 176 } 177 178 /* Get an arbitrary pid's process group id */ 179 #ifndef _SYS_SYSPROTO_H_ 180 struct getpgid_args { 181 pid_t pid; 182 }; 183 #endif 184 int 185 sys_getpgid(struct thread *td, struct getpgid_args *uap) 186 { 187 struct proc *p; 188 int error; 189 190 if (uap->pid == 0) { 191 p = td->td_proc; 192 PROC_LOCK(p); 193 } else { 194 p = pfind(uap->pid); 195 if (p == NULL) 196 return (ESRCH); 197 error = p_cansee(td, p); 198 if (error) { 199 PROC_UNLOCK(p); 200 return (error); 201 } 202 } 203 td->td_retval[0] = p->p_pgrp->pg_id; 204 PROC_UNLOCK(p); 205 return (0); 206 } 207 208 /* 209 * Get an arbitrary pid's session id. 210 */ 211 #ifndef _SYS_SYSPROTO_H_ 212 struct getsid_args { 213 pid_t pid; 214 }; 215 #endif 216 int 217 sys_getsid(struct thread *td, struct getsid_args *uap) 218 { 219 220 return (kern_getsid(td, uap->pid)); 221 } 222 223 int 224 kern_getsid(struct thread *td, pid_t pid) 225 { 226 struct proc *p; 227 int error; 228 229 if (pid == 0) { 230 p = td->td_proc; 231 PROC_LOCK(p); 232 } else { 233 p = pfind(pid); 234 if (p == NULL) 235 return (ESRCH); 236 error = p_cansee(td, p); 237 if (error) { 238 PROC_UNLOCK(p); 239 return (error); 240 } 241 } 242 td->td_retval[0] = p->p_session->s_sid; 243 PROC_UNLOCK(p); 244 return (0); 245 } 246 247 #ifndef _SYS_SYSPROTO_H_ 248 struct getuid_args { 249 int dummy; 250 }; 251 #endif 252 /* ARGSUSED */ 253 int 254 sys_getuid(struct thread *td, struct getuid_args *uap) 255 { 256 257 td->td_retval[0] = td->td_ucred->cr_ruid; 258 #if defined(COMPAT_43) 259 td->td_retval[1] = td->td_ucred->cr_uid; 260 #endif 261 return (0); 262 } 263 264 #ifndef _SYS_SYSPROTO_H_ 265 struct geteuid_args { 266 int dummy; 267 }; 268 #endif 269 /* ARGSUSED */ 270 int 271 sys_geteuid(struct thread *td, struct geteuid_args *uap) 272 { 273 274 td->td_retval[0] = td->td_ucred->cr_uid; 275 return (0); 276 } 277 278 #ifndef _SYS_SYSPROTO_H_ 279 struct getgid_args { 280 int dummy; 281 }; 282 #endif 283 /* ARGSUSED */ 284 int 285 sys_getgid(struct thread *td, struct getgid_args *uap) 286 { 287 288 td->td_retval[0] = td->td_ucred->cr_rgid; 289 #if defined(COMPAT_43) 290 td->td_retval[1] = td->td_ucred->cr_groups[0]; 291 #endif 292 return (0); 293 } 294 295 /* 296 * Get effective group ID. The "egid" is groups[0], and could be obtained 297 * via getgroups. This syscall exists because it is somewhat painful to do 298 * correctly in a library function. 299 */ 300 #ifndef _SYS_SYSPROTO_H_ 301 struct getegid_args { 302 int dummy; 303 }; 304 #endif 305 /* ARGSUSED */ 306 int 307 sys_getegid(struct thread *td, struct getegid_args *uap) 308 { 309 310 td->td_retval[0] = td->td_ucred->cr_groups[0]; 311 return (0); 312 } 313 314 #ifndef _SYS_SYSPROTO_H_ 315 struct getgroups_args { 316 int gidsetsize; 317 gid_t *gidset; 318 }; 319 #endif 320 int 321 sys_getgroups(struct thread *td, struct getgroups_args *uap) 322 { 323 struct ucred *cred; 324 int ngrp, error; 325 326 cred = td->td_ucred; 327 ngrp = cred->cr_ngroups; 328 329 if (uap->gidsetsize == 0) { 330 error = 0; 331 goto out; 332 } 333 if (uap->gidsetsize < ngrp) 334 return (EINVAL); 335 336 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 337 out: 338 td->td_retval[0] = ngrp; 339 return (error); 340 } 341 342 #ifndef _SYS_SYSPROTO_H_ 343 struct setsid_args { 344 int dummy; 345 }; 346 #endif 347 /* ARGSUSED */ 348 int 349 sys_setsid(struct thread *td, struct setsid_args *uap) 350 { 351 struct pgrp *pgrp; 352 int error; 353 struct proc *p = td->td_proc; 354 struct pgrp *newpgrp; 355 struct session *newsess; 356 357 pgrp = NULL; 358 359 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 360 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 361 362 again: 363 error = 0; 364 sx_xlock(&proctree_lock); 365 366 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 367 if (pgrp != NULL) 368 PGRP_UNLOCK(pgrp); 369 error = EPERM; 370 } else { 371 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 372 if (error == ERESTART) 373 goto again; 374 MPASS(error == 0); 375 td->td_retval[0] = p->p_pid; 376 newpgrp = NULL; 377 newsess = NULL; 378 } 379 380 sx_xunlock(&proctree_lock); 381 382 uma_zfree(pgrp_zone, newpgrp); 383 free(newsess, M_SESSION); 384 385 return (error); 386 } 387 388 /* 389 * set process group (setpgid/old setpgrp) 390 * 391 * caller does setpgid(targpid, targpgid) 392 * 393 * pid must be caller or child of caller (ESRCH) 394 * if a child 395 * pid must be in same session (EPERM) 396 * pid can't have done an exec (EACCES) 397 * if pgid != pid 398 * there must exist some pid in same session having pgid (EPERM) 399 * pid must not be session leader (EPERM) 400 */ 401 #ifndef _SYS_SYSPROTO_H_ 402 struct setpgid_args { 403 int pid; /* target process id */ 404 int pgid; /* target pgrp id */ 405 }; 406 #endif 407 /* ARGSUSED */ 408 int 409 sys_setpgid(struct thread *td, struct setpgid_args *uap) 410 { 411 struct proc *curp = td->td_proc; 412 struct proc *targp; /* target process */ 413 struct pgrp *pgrp; /* target pgrp */ 414 int error; 415 struct pgrp *newpgrp; 416 417 if (uap->pgid < 0) 418 return (EINVAL); 419 420 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 421 422 again: 423 error = 0; 424 425 sx_xlock(&proctree_lock); 426 if (uap->pid != 0 && uap->pid != curp->p_pid) { 427 if ((targp = pfind(uap->pid)) == NULL) { 428 error = ESRCH; 429 goto done; 430 } 431 if (!inferior(targp)) { 432 PROC_UNLOCK(targp); 433 error = ESRCH; 434 goto done; 435 } 436 if ((error = p_cansee(td, targp))) { 437 PROC_UNLOCK(targp); 438 goto done; 439 } 440 if (targp->p_pgrp == NULL || 441 targp->p_session != curp->p_session) { 442 PROC_UNLOCK(targp); 443 error = EPERM; 444 goto done; 445 } 446 if (targp->p_flag & P_EXEC) { 447 PROC_UNLOCK(targp); 448 error = EACCES; 449 goto done; 450 } 451 PROC_UNLOCK(targp); 452 } else 453 targp = curp; 454 if (SESS_LEADER(targp)) { 455 error = EPERM; 456 goto done; 457 } 458 if (uap->pgid == 0) 459 uap->pgid = targp->p_pid; 460 if ((pgrp = pgfind(uap->pgid)) == NULL) { 461 if (uap->pgid == targp->p_pid) { 462 error = enterpgrp(targp, uap->pgid, newpgrp, 463 NULL); 464 if (error == 0) 465 newpgrp = NULL; 466 } else 467 error = EPERM; 468 } else { 469 if (pgrp == targp->p_pgrp) { 470 PGRP_UNLOCK(pgrp); 471 goto done; 472 } 473 if (pgrp->pg_id != targp->p_pid && 474 pgrp->pg_session != curp->p_session) { 475 PGRP_UNLOCK(pgrp); 476 error = EPERM; 477 goto done; 478 } 479 PGRP_UNLOCK(pgrp); 480 error = enterthispgrp(targp, pgrp); 481 } 482 done: 483 KASSERT(error == 0 || newpgrp != NULL, 484 ("setpgid failed and newpgrp is NULL")); 485 if (error == ERESTART) 486 goto again; 487 sx_xunlock(&proctree_lock); 488 uma_zfree(pgrp_zone, newpgrp); 489 return (error); 490 } 491 492 static int 493 gidp_cmp(const void *p1, const void *p2) 494 { 495 const gid_t g1 = *(const gid_t *)p1; 496 const gid_t g2 = *(const gid_t *)p2; 497 498 return ((g1 > g2) - (g1 < g2)); 499 } 500 501 /* 502 * Final storage for groups (including the effective GID) will be returned via 503 * 'groups'. '*groups' must be NULL on input, and if not equal to 'smallgroups' 504 * on output, must be freed (M_TEMP) *even if* an error is returned. 505 */ 506 static int 507 kern_setcred_copyin_supp_groups(struct setcred *const wcred, 508 const u_int flags, gid_t *const smallgroups, gid_t **const groups) 509 { 510 MPASS(*groups == NULL); 511 512 if (flags & SETCREDF_SUPP_GROUPS) { 513 int error; 514 515 /* 516 * Check for the limit for number of groups right now in order 517 * to limit the amount of bytes to copy. 518 */ 519 if (wcred->sc_supp_groups_nb > ngroups_max) 520 return (EINVAL); 521 522 /* 523 * Since we are going to be copying the supplementary groups 524 * from userland, make room also for the effective GID right 525 * now, to avoid having to allocate and copy again the 526 * supplementary groups. 527 */ 528 *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? 529 smallgroups : malloc((wcred->sc_supp_groups_nb + 1) * 530 sizeof(*groups), M_TEMP, M_WAITOK); 531 532 error = copyin(wcred->sc_supp_groups, *groups + 1, 533 wcred->sc_supp_groups_nb * sizeof(*groups)); 534 if (error != 0) 535 return (error); 536 wcred->sc_supp_groups = *groups + 1; 537 } else { 538 wcred->sc_supp_groups_nb = 0; 539 wcred->sc_supp_groups = NULL; 540 } 541 542 return (0); 543 } 544 545 int 546 user_setcred(struct thread *td, const u_int flags, 547 const void *const uwcred, const size_t size, bool is_32bit) 548 { 549 struct setcred wcred; 550 #ifdef MAC 551 struct mac mac; 552 /* Pointer to 'struct mac' or 'struct mac32'. */ 553 void *umac; 554 #endif 555 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 556 gid_t *groups = NULL; 557 int error; 558 559 /* 560 * As the only point of this wrapper function is to copyin() from 561 * userland, we only interpret the data pieces we need to perform this 562 * operation and defer further sanity checks to kern_setcred(), except 563 * that we redundantly check here that no unknown flags have been 564 * passed. 565 */ 566 if ((flags & ~SETCREDF_MASK) != 0) 567 return (EINVAL); 568 569 #ifdef COMPAT_FREEBSD32 570 if (is_32bit) { 571 struct setcred32 wcred32; 572 573 if (size != sizeof(wcred32)) 574 return (EINVAL); 575 error = copyin(uwcred, &wcred32, sizeof(wcred32)); 576 if (error != 0) 577 return (error); 578 /* These fields have exactly the same sizes and positions. */ 579 memcpy(&wcred, &wcred32, &wcred32.setcred32_copy_end - 580 &wcred32.setcred32_copy_start); 581 /* Remaining fields are pointers and need PTRIN*(). */ 582 PTRIN_CP(wcred32, wcred, sc_supp_groups); 583 PTRIN_CP(wcred32, wcred, sc_label); 584 } else 585 #endif /* COMPAT_FREEBSD32 */ 586 { 587 if (size != sizeof(wcred)) 588 return (EINVAL); 589 error = copyin(uwcred, &wcred, sizeof(wcred)); 590 if (error != 0) 591 return (error); 592 } 593 #ifdef MAC 594 umac = wcred.sc_label; 595 #endif 596 /* Also done on !MAC as a defensive measure. */ 597 wcred.sc_label = NULL; 598 599 /* 600 * Copy supplementary groups as needed. There is no specific 601 * alternative for 32-bit compatibility as 'gid_t' has the same size 602 * everywhere. 603 */ 604 error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups, 605 &groups); 606 if (error != 0) 607 goto free_groups; 608 609 #ifdef MAC 610 if ((flags & SETCREDF_MAC_LABEL) != 0) { 611 #ifdef COMPAT_FREEBSD32 612 if (is_32bit) 613 error = mac_label_copyin32(umac, &mac, NULL); 614 else 615 #endif 616 error = mac_label_copyin(umac, &mac, NULL); 617 if (error != 0) 618 goto free_groups; 619 wcred.sc_label = &mac; 620 } 621 #endif 622 623 error = kern_setcred(td, flags, &wcred, groups); 624 625 #ifdef MAC 626 if (wcred.sc_label != NULL) 627 free_copied_label(wcred.sc_label); 628 #endif 629 630 free_groups: 631 if (groups != smallgroups) 632 free(groups, M_TEMP); 633 634 return (error); 635 } 636 637 #ifndef _SYS_SYSPROTO_H_ 638 struct setcred_args { 639 u_int flags; /* Flags. */ 640 const struct setcred *wcred; 641 size_t size; /* Passed 'setcred' structure length. */ 642 }; 643 #endif 644 /* ARGSUSED */ 645 int 646 sys_setcred(struct thread *td, struct setcred_args *uap) 647 { 648 return (user_setcred(td, uap->flags, uap->wcred, uap->size, false)); 649 } 650 651 /* 652 * CAUTION: This function normalizes groups in 'wcred'. 653 * 654 * If 'preallocated_groups' is non-NULL, it must be an already allocated array 655 * of size 'wcred->sc_supp_groups_nb + 1', with the supplementary groups 656 * starting at index 1, and 'wcred->sc_supp_groups' then must point to the first 657 * supplementary group. 658 */ 659 int 660 kern_setcred(struct thread *const td, const u_int flags, 661 struct setcred *const wcred, gid_t *preallocated_groups) 662 { 663 struct proc *const p = td->td_proc; 664 struct ucred *new_cred, *old_cred, *to_free_cred; 665 struct uidinfo *uip = NULL, *ruip = NULL; 666 #ifdef MAC 667 void *mac_set_proc_data = NULL; 668 bool proc_label_set = false; 669 #endif 670 gid_t *groups = NULL; 671 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 672 int error; 673 bool cred_set; 674 675 /* Bail out on unrecognized flags. */ 676 if (flags & ~SETCREDF_MASK) 677 return (EINVAL); 678 679 /* 680 * Part 1: We allocate and perform preparatory operations with no locks. 681 */ 682 683 if (flags & SETCREDF_SUPP_GROUPS) { 684 if (wcred->sc_supp_groups_nb > ngroups_max) 685 return (EINVAL); 686 if (preallocated_groups != NULL) { 687 groups = preallocated_groups; 688 MPASS(preallocated_groups + 1 == wcred->sc_supp_groups); 689 } else { 690 groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? 691 smallgroups : 692 malloc((wcred->sc_supp_groups_nb + 1) * 693 sizeof(*groups), M_TEMP, M_WAITOK); 694 memcpy(groups + 1, wcred->sc_supp_groups, 695 wcred->sc_supp_groups_nb * sizeof(*groups)); 696 } 697 } 698 699 if (flags & SETCREDF_MAC_LABEL) { 700 #ifdef MAC 701 error = mac_set_proc_prepare(td, wcred->sc_label, 702 &mac_set_proc_data); 703 if (error != 0) 704 goto free_groups; 705 #else 706 error = ENOTSUP; 707 goto free_groups; 708 #endif 709 } 710 711 if (flags & SETCREDF_UID) { 712 AUDIT_ARG_EUID(wcred->sc_uid); 713 uip = uifind(wcred->sc_uid); 714 } 715 if (flags & SETCREDF_RUID) { 716 AUDIT_ARG_RUID(wcred->sc_ruid); 717 ruip = uifind(wcred->sc_ruid); 718 } 719 if (flags & SETCREDF_SVUID) 720 AUDIT_ARG_SUID(wcred->sc_svuid); 721 722 if (flags & SETCREDF_GID) 723 AUDIT_ARG_EGID(wcred->sc_gid); 724 if (flags & SETCREDF_RGID) 725 AUDIT_ARG_RGID(wcred->sc_rgid); 726 if (flags & SETCREDF_SVGID) 727 AUDIT_ARG_SGID(wcred->sc_svgid); 728 if (flags & SETCREDF_SUPP_GROUPS) { 729 int ngrp = wcred->sc_supp_groups_nb; 730 731 /* 732 * Output the raw supplementary groups array for better 733 * traceability. 734 */ 735 AUDIT_ARG_GROUPSET(groups + 1, ngrp); 736 ++ngrp; 737 groups_normalize(&ngrp, groups); 738 wcred->sc_supp_groups_nb = ngrp - 1; 739 } 740 741 /* 742 * We first completely build the new credentials and only then pass them 743 * to MAC along with the old ones so that modules can check whether the 744 * requested transition is allowed. 745 */ 746 new_cred = crget(); 747 to_free_cred = new_cred; 748 if (flags & SETCREDF_SUPP_GROUPS) 749 crextend(new_cred, wcred->sc_supp_groups_nb + 1); 750 751 #ifdef MAC 752 mac_cred_setcred_enter(); 753 #endif 754 755 /* 756 * Part 2: We grab the process lock as to have a stable view of its 757 * current credentials, and prepare a copy of them with the requested 758 * changes applied under that lock. 759 */ 760 761 PROC_LOCK(p); 762 old_cred = crcopysafe(p, new_cred); 763 764 /* 765 * Change user IDs. 766 */ 767 if (flags & SETCREDF_UID) 768 change_euid(new_cred, uip); 769 if (flags & SETCREDF_RUID) 770 change_ruid(new_cred, ruip); 771 if (flags & SETCREDF_SVUID) 772 change_svuid(new_cred, wcred->sc_svuid); 773 774 /* 775 * Change groups. 776 * 777 * crsetgroups_internal() changes both the effective and supplementary 778 * ones. 779 */ 780 if (flags & SETCREDF_SUPP_GROUPS) { 781 groups[0] = flags & SETCREDF_GID ? wcred->sc_gid : 782 new_cred->cr_gid; 783 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb + 1, 784 groups); 785 } else if (flags & SETCREDF_GID) 786 change_egid(new_cred, wcred->sc_gid); 787 if (flags & SETCREDF_RGID) 788 change_rgid(new_cred, wcred->sc_rgid); 789 if (flags & SETCREDF_SVGID) 790 change_svgid(new_cred, wcred->sc_svgid); 791 792 #ifdef MAC 793 /* 794 * Change the MAC label. 795 */ 796 if (flags & SETCREDF_MAC_LABEL) { 797 error = mac_set_proc_core(td, new_cred, mac_set_proc_data); 798 if (error != 0) 799 goto unlock_finish; 800 proc_label_set = true; 801 } 802 803 /* 804 * MAC security modules checks. 805 */ 806 error = mac_cred_check_setcred(flags, old_cred, new_cred); 807 if (error != 0) 808 goto unlock_finish; 809 #endif 810 /* 811 * Privilege check. 812 */ 813 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED); 814 if (error != 0) 815 goto unlock_finish; 816 817 /* 818 * Set the new credentials, noting that they have changed. 819 */ 820 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred); 821 if (cred_set) { 822 setsugid(p); 823 to_free_cred = old_cred; 824 MPASS(error == 0); 825 } else 826 error = EAGAIN; 827 828 unlock_finish: 829 PROC_UNLOCK(p); 830 /* 831 * Part 3: After releasing the process lock, we perform cleanups and 832 * finishing operations. 833 */ 834 835 #ifdef MAC 836 if (mac_set_proc_data != NULL) 837 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data); 838 mac_cred_setcred_exit(); 839 #endif 840 crfree(to_free_cred); 841 if (uip != NULL) 842 uifree(uip); 843 if (ruip != NULL) 844 uifree(ruip); 845 free_groups: 846 if (groups != preallocated_groups && groups != smallgroups) 847 free(groups, M_TEMP); /* Deals with 'groups' being NULL. */ 848 return (error); 849 } 850 851 /* 852 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 853 * compatible. It says that setting the uid/gid to euid/egid is a special 854 * case of "appropriate privilege". Once the rules are expanded out, this 855 * basically means that setuid(nnn) sets all three id's, in all permitted 856 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 857 * does not set the saved id - this is dangerous for traditional BSD 858 * programs. For this reason, we *really* do not want to set 859 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 860 */ 861 #define POSIX_APPENDIX_B_4_2_2 862 863 #ifndef _SYS_SYSPROTO_H_ 864 struct setuid_args { 865 uid_t uid; 866 }; 867 #endif 868 /* ARGSUSED */ 869 int 870 sys_setuid(struct thread *td, struct setuid_args *uap) 871 { 872 struct proc *p = td->td_proc; 873 struct ucred *newcred, *oldcred; 874 uid_t uid; 875 struct uidinfo *uip; 876 int error; 877 878 uid = uap->uid; 879 AUDIT_ARG_UID(uid); 880 newcred = crget(); 881 uip = uifind(uid); 882 PROC_LOCK(p); 883 /* 884 * Copy credentials so other references do not see our changes. 885 */ 886 oldcred = crcopysafe(p, newcred); 887 888 #ifdef MAC 889 error = mac_cred_check_setuid(oldcred, uid); 890 if (error) 891 goto fail; 892 #endif 893 894 /* 895 * See if we have "permission" by POSIX 1003.1 rules. 896 * 897 * Note that setuid(geteuid()) is a special case of 898 * "appropriate privileges" in appendix B.4.2.2. We need 899 * to use this clause to be compatible with traditional BSD 900 * semantics. Basically, it means that "setuid(xx)" sets all 901 * three id's (assuming you have privs). 902 * 903 * Notes on the logic. We do things in three steps. 904 * 1: We determine if the euid is going to change, and do EPERM 905 * right away. We unconditionally change the euid later if this 906 * test is satisfied, simplifying that part of the logic. 907 * 2: We determine if the real and/or saved uids are going to 908 * change. Determined by compile options. 909 * 3: Change euid last. (after tests in #2 for "appropriate privs") 910 */ 911 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 912 #ifdef _POSIX_SAVED_IDS 913 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 914 #endif 915 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 916 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 917 #endif 918 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 919 goto fail; 920 921 #ifdef _POSIX_SAVED_IDS 922 /* 923 * Do we have "appropriate privileges" (are we root or uid == euid) 924 * If so, we are changing the real uid and/or saved uid. 925 */ 926 if ( 927 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 928 uid == oldcred->cr_uid || 929 #endif 930 /* We are using privs. */ 931 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 932 #endif 933 { 934 /* 935 * Set the real uid. 936 */ 937 if (uid != oldcred->cr_ruid) { 938 change_ruid(newcred, uip); 939 setsugid(p); 940 } 941 /* 942 * Set saved uid 943 * 944 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 945 * the security of seteuid() depends on it. B.4.2.2 says it 946 * is important that we should do this. 947 */ 948 if (uid != oldcred->cr_svuid) { 949 change_svuid(newcred, uid); 950 setsugid(p); 951 } 952 } 953 954 /* 955 * In all permitted cases, we are changing the euid. 956 */ 957 if (uid != oldcred->cr_uid) { 958 change_euid(newcred, uip); 959 setsugid(p); 960 } 961 /* 962 * This also transfers the proc count to the new user. 963 */ 964 proc_set_cred(p, newcred); 965 #ifdef RACCT 966 racct_proc_ucred_changed(p, oldcred, newcred); 967 crhold(newcred); 968 #endif 969 PROC_UNLOCK(p); 970 #ifdef RCTL 971 rctl_proc_ucred_changed(p, newcred); 972 crfree(newcred); 973 #endif 974 uifree(uip); 975 crfree(oldcred); 976 return (0); 977 978 fail: 979 PROC_UNLOCK(p); 980 uifree(uip); 981 crfree(newcred); 982 return (error); 983 } 984 985 #ifndef _SYS_SYSPROTO_H_ 986 struct seteuid_args { 987 uid_t euid; 988 }; 989 #endif 990 /* ARGSUSED */ 991 int 992 sys_seteuid(struct thread *td, struct seteuid_args *uap) 993 { 994 struct proc *p = td->td_proc; 995 struct ucred *newcred, *oldcred; 996 uid_t euid; 997 struct uidinfo *euip; 998 int error; 999 1000 euid = uap->euid; 1001 AUDIT_ARG_EUID(euid); 1002 newcred = crget(); 1003 euip = uifind(euid); 1004 PROC_LOCK(p); 1005 /* 1006 * Copy credentials so other references do not see our changes. 1007 */ 1008 oldcred = crcopysafe(p, newcred); 1009 1010 #ifdef MAC 1011 error = mac_cred_check_seteuid(oldcred, euid); 1012 if (error) 1013 goto fail; 1014 #endif 1015 1016 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 1017 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 1018 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 1019 goto fail; 1020 1021 /* 1022 * Everything's okay, do it. 1023 */ 1024 if (oldcred->cr_uid != euid) { 1025 change_euid(newcred, euip); 1026 setsugid(p); 1027 } 1028 proc_set_cred(p, newcred); 1029 PROC_UNLOCK(p); 1030 uifree(euip); 1031 crfree(oldcred); 1032 return (0); 1033 1034 fail: 1035 PROC_UNLOCK(p); 1036 uifree(euip); 1037 crfree(newcred); 1038 return (error); 1039 } 1040 1041 #ifndef _SYS_SYSPROTO_H_ 1042 struct setgid_args { 1043 gid_t gid; 1044 }; 1045 #endif 1046 /* ARGSUSED */ 1047 int 1048 sys_setgid(struct thread *td, struct setgid_args *uap) 1049 { 1050 struct proc *p = td->td_proc; 1051 struct ucred *newcred, *oldcred; 1052 gid_t gid; 1053 int error; 1054 1055 gid = uap->gid; 1056 AUDIT_ARG_GID(gid); 1057 newcred = crget(); 1058 PROC_LOCK(p); 1059 oldcred = crcopysafe(p, newcred); 1060 1061 #ifdef MAC 1062 error = mac_cred_check_setgid(oldcred, gid); 1063 if (error) 1064 goto fail; 1065 #endif 1066 1067 /* 1068 * See if we have "permission" by POSIX 1003.1 rules. 1069 * 1070 * Note that setgid(getegid()) is a special case of 1071 * "appropriate privileges" in appendix B.4.2.2. We need 1072 * to use this clause to be compatible with traditional BSD 1073 * semantics. Basically, it means that "setgid(xx)" sets all 1074 * three id's (assuming you have privs). 1075 * 1076 * For notes on the logic here, see setuid() above. 1077 */ 1078 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 1079 #ifdef _POSIX_SAVED_IDS 1080 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 1081 #endif 1082 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 1083 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 1084 #endif 1085 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 1086 goto fail; 1087 1088 #ifdef _POSIX_SAVED_IDS 1089 /* 1090 * Do we have "appropriate privileges" (are we root or gid == egid) 1091 * If so, we are changing the real uid and saved gid. 1092 */ 1093 if ( 1094 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 1095 gid == oldcred->cr_groups[0] || 1096 #endif 1097 /* We are using privs. */ 1098 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 1099 #endif 1100 { 1101 /* 1102 * Set real gid 1103 */ 1104 if (oldcred->cr_rgid != gid) { 1105 change_rgid(newcred, gid); 1106 setsugid(p); 1107 } 1108 /* 1109 * Set saved gid 1110 * 1111 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 1112 * the security of setegid() depends on it. B.4.2.2 says it 1113 * is important that we should do this. 1114 */ 1115 if (oldcred->cr_svgid != gid) { 1116 change_svgid(newcred, gid); 1117 setsugid(p); 1118 } 1119 } 1120 /* 1121 * In all cases permitted cases, we are changing the egid. 1122 * Copy credentials so other references do not see our changes. 1123 */ 1124 if (oldcred->cr_groups[0] != gid) { 1125 change_egid(newcred, gid); 1126 setsugid(p); 1127 } 1128 proc_set_cred(p, newcred); 1129 PROC_UNLOCK(p); 1130 crfree(oldcred); 1131 return (0); 1132 1133 fail: 1134 PROC_UNLOCK(p); 1135 crfree(newcred); 1136 return (error); 1137 } 1138 1139 #ifndef _SYS_SYSPROTO_H_ 1140 struct setegid_args { 1141 gid_t egid; 1142 }; 1143 #endif 1144 /* ARGSUSED */ 1145 int 1146 sys_setegid(struct thread *td, struct setegid_args *uap) 1147 { 1148 struct proc *p = td->td_proc; 1149 struct ucred *newcred, *oldcred; 1150 gid_t egid; 1151 int error; 1152 1153 egid = uap->egid; 1154 AUDIT_ARG_EGID(egid); 1155 newcred = crget(); 1156 PROC_LOCK(p); 1157 oldcred = crcopysafe(p, newcred); 1158 1159 #ifdef MAC 1160 error = mac_cred_check_setegid(oldcred, egid); 1161 if (error) 1162 goto fail; 1163 #endif 1164 1165 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 1166 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 1167 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 1168 goto fail; 1169 1170 if (oldcred->cr_groups[0] != egid) { 1171 change_egid(newcred, egid); 1172 setsugid(p); 1173 } 1174 proc_set_cred(p, newcred); 1175 PROC_UNLOCK(p); 1176 crfree(oldcred); 1177 return (0); 1178 1179 fail: 1180 PROC_UNLOCK(p); 1181 crfree(newcred); 1182 return (error); 1183 } 1184 1185 #ifndef _SYS_SYSPROTO_H_ 1186 struct setgroups_args { 1187 int gidsetsize; 1188 gid_t *gidset; 1189 }; 1190 #endif 1191 /* ARGSUSED */ 1192 int 1193 sys_setgroups(struct thread *td, struct setgroups_args *uap) 1194 { 1195 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1196 gid_t *groups; 1197 int gidsetsize, error; 1198 1199 /* 1200 * Sanity check size now to avoid passing too big a value to copyin(), 1201 * even if kern_setgroups() will do it again. 1202 * 1203 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 1204 * was, in this implementation, for a long time), but POSIX standardized 1205 * getgroups() to take an 'int' and it would be quite entrapping to have 1206 * setgroups() differ. 1207 */ 1208 gidsetsize = uap->gidsetsize; 1209 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 1210 return (EINVAL); 1211 1212 if (gidsetsize > CRED_SMALLGROUPS_NB) 1213 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1214 else 1215 groups = smallgroups; 1216 1217 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1218 if (error == 0) 1219 error = kern_setgroups(td, &gidsetsize, groups); 1220 1221 if (groups != smallgroups) 1222 free(groups, M_TEMP); 1223 return (error); 1224 } 1225 1226 /* 1227 * CAUTION: This function normalizes 'groups', possibly also changing the value 1228 * of '*ngrpp' as a consequence. 1229 */ 1230 int 1231 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 1232 { 1233 struct proc *p = td->td_proc; 1234 struct ucred *newcred, *oldcred; 1235 int ngrp, error; 1236 1237 ngrp = *ngrpp; 1238 /* Sanity check size. */ 1239 if (ngrp < 0 || ngrp > ngroups_max + 1) 1240 return (EINVAL); 1241 1242 AUDIT_ARG_GROUPSET(groups, ngrp); 1243 if (ngrp != 0) { 1244 /* We allow and treat 0 specially below. */ 1245 groups_normalize(ngrpp, groups); 1246 ngrp = *ngrpp; 1247 } 1248 newcred = crget(); 1249 if (ngrp != 0) 1250 crextend(newcred, ngrp); 1251 PROC_LOCK(p); 1252 oldcred = crcopysafe(p, newcred); 1253 1254 #ifdef MAC 1255 error = ngrp == 0 ? 1256 /* If 'ngrp' is 0, we'll keep just the current effective GID. */ 1257 mac_cred_check_setgroups(oldcred, 1, oldcred->cr_groups) : 1258 mac_cred_check_setgroups(oldcred, ngrp, groups); 1259 if (error) 1260 goto fail; 1261 #endif 1262 1263 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1264 if (error) 1265 goto fail; 1266 1267 if (ngrp == 0) { 1268 /* 1269 * setgroups(0, NULL) is a legitimate way of clearing the 1270 * groups vector on non-BSD systems (which generally do not 1271 * have the egid in the groups[0]). We risk security holes 1272 * when running non-BSD software if we do not do the same. 1273 */ 1274 newcred->cr_ngroups = 1; 1275 } else 1276 crsetgroups_internal(newcred, ngrp, groups); 1277 1278 setsugid(p); 1279 proc_set_cred(p, newcred); 1280 PROC_UNLOCK(p); 1281 crfree(oldcred); 1282 return (0); 1283 1284 fail: 1285 PROC_UNLOCK(p); 1286 crfree(newcred); 1287 return (error); 1288 } 1289 1290 #ifndef _SYS_SYSPROTO_H_ 1291 struct setreuid_args { 1292 uid_t ruid; 1293 uid_t euid; 1294 }; 1295 #endif 1296 /* ARGSUSED */ 1297 int 1298 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1299 { 1300 struct proc *p = td->td_proc; 1301 struct ucred *newcred, *oldcred; 1302 uid_t euid, ruid; 1303 struct uidinfo *euip, *ruip; 1304 int error; 1305 1306 euid = uap->euid; 1307 ruid = uap->ruid; 1308 AUDIT_ARG_EUID(euid); 1309 AUDIT_ARG_RUID(ruid); 1310 newcred = crget(); 1311 euip = uifind(euid); 1312 ruip = uifind(ruid); 1313 PROC_LOCK(p); 1314 oldcred = crcopysafe(p, newcred); 1315 1316 #ifdef MAC 1317 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1318 if (error) 1319 goto fail; 1320 #endif 1321 1322 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1323 ruid != oldcred->cr_svuid) || 1324 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1325 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1326 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1327 goto fail; 1328 1329 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1330 change_euid(newcred, euip); 1331 setsugid(p); 1332 } 1333 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1334 change_ruid(newcred, ruip); 1335 setsugid(p); 1336 } 1337 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1338 newcred->cr_svuid != newcred->cr_uid) { 1339 change_svuid(newcred, newcred->cr_uid); 1340 setsugid(p); 1341 } 1342 proc_set_cred(p, newcred); 1343 #ifdef RACCT 1344 racct_proc_ucred_changed(p, oldcred, newcred); 1345 crhold(newcred); 1346 #endif 1347 PROC_UNLOCK(p); 1348 #ifdef RCTL 1349 rctl_proc_ucred_changed(p, newcred); 1350 crfree(newcred); 1351 #endif 1352 uifree(ruip); 1353 uifree(euip); 1354 crfree(oldcred); 1355 return (0); 1356 1357 fail: 1358 PROC_UNLOCK(p); 1359 uifree(ruip); 1360 uifree(euip); 1361 crfree(newcred); 1362 return (error); 1363 } 1364 1365 #ifndef _SYS_SYSPROTO_H_ 1366 struct setregid_args { 1367 gid_t rgid; 1368 gid_t egid; 1369 }; 1370 #endif 1371 /* ARGSUSED */ 1372 int 1373 sys_setregid(struct thread *td, struct setregid_args *uap) 1374 { 1375 struct proc *p = td->td_proc; 1376 struct ucred *newcred, *oldcred; 1377 gid_t egid, rgid; 1378 int error; 1379 1380 egid = uap->egid; 1381 rgid = uap->rgid; 1382 AUDIT_ARG_EGID(egid); 1383 AUDIT_ARG_RGID(rgid); 1384 newcred = crget(); 1385 PROC_LOCK(p); 1386 oldcred = crcopysafe(p, newcred); 1387 1388 #ifdef MAC 1389 error = mac_cred_check_setregid(oldcred, rgid, egid); 1390 if (error) 1391 goto fail; 1392 #endif 1393 1394 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1395 rgid != oldcred->cr_svgid) || 1396 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 1397 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1398 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1399 goto fail; 1400 1401 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1402 change_egid(newcred, egid); 1403 setsugid(p); 1404 } 1405 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1406 change_rgid(newcred, rgid); 1407 setsugid(p); 1408 } 1409 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1410 newcred->cr_svgid != newcred->cr_groups[0]) { 1411 change_svgid(newcred, newcred->cr_groups[0]); 1412 setsugid(p); 1413 } 1414 proc_set_cred(p, newcred); 1415 PROC_UNLOCK(p); 1416 crfree(oldcred); 1417 return (0); 1418 1419 fail: 1420 PROC_UNLOCK(p); 1421 crfree(newcred); 1422 return (error); 1423 } 1424 1425 /* 1426 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1427 * uid is explicit. 1428 */ 1429 #ifndef _SYS_SYSPROTO_H_ 1430 struct setresuid_args { 1431 uid_t ruid; 1432 uid_t euid; 1433 uid_t suid; 1434 }; 1435 #endif 1436 /* ARGSUSED */ 1437 int 1438 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1439 { 1440 struct proc *p = td->td_proc; 1441 struct ucred *newcred, *oldcred; 1442 uid_t euid, ruid, suid; 1443 struct uidinfo *euip, *ruip; 1444 int error; 1445 1446 euid = uap->euid; 1447 ruid = uap->ruid; 1448 suid = uap->suid; 1449 AUDIT_ARG_EUID(euid); 1450 AUDIT_ARG_RUID(ruid); 1451 AUDIT_ARG_SUID(suid); 1452 newcred = crget(); 1453 euip = uifind(euid); 1454 ruip = uifind(ruid); 1455 PROC_LOCK(p); 1456 oldcred = crcopysafe(p, newcred); 1457 1458 #ifdef MAC 1459 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1460 if (error) 1461 goto fail; 1462 #endif 1463 1464 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1465 ruid != oldcred->cr_svuid && 1466 ruid != oldcred->cr_uid) || 1467 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1468 euid != oldcred->cr_svuid && 1469 euid != oldcred->cr_uid) || 1470 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1471 suid != oldcred->cr_svuid && 1472 suid != oldcred->cr_uid)) && 1473 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1474 goto fail; 1475 1476 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1477 change_euid(newcred, euip); 1478 setsugid(p); 1479 } 1480 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1481 change_ruid(newcred, ruip); 1482 setsugid(p); 1483 } 1484 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1485 change_svuid(newcred, suid); 1486 setsugid(p); 1487 } 1488 proc_set_cred(p, newcred); 1489 #ifdef RACCT 1490 racct_proc_ucred_changed(p, oldcred, newcred); 1491 crhold(newcred); 1492 #endif 1493 PROC_UNLOCK(p); 1494 #ifdef RCTL 1495 rctl_proc_ucred_changed(p, newcred); 1496 crfree(newcred); 1497 #endif 1498 uifree(ruip); 1499 uifree(euip); 1500 crfree(oldcred); 1501 return (0); 1502 1503 fail: 1504 PROC_UNLOCK(p); 1505 uifree(ruip); 1506 uifree(euip); 1507 crfree(newcred); 1508 return (error); 1509 1510 } 1511 1512 /* 1513 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1514 * gid is explicit. 1515 */ 1516 #ifndef _SYS_SYSPROTO_H_ 1517 struct setresgid_args { 1518 gid_t rgid; 1519 gid_t egid; 1520 gid_t sgid; 1521 }; 1522 #endif 1523 /* ARGSUSED */ 1524 int 1525 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1526 { 1527 struct proc *p = td->td_proc; 1528 struct ucred *newcred, *oldcred; 1529 gid_t egid, rgid, sgid; 1530 int error; 1531 1532 egid = uap->egid; 1533 rgid = uap->rgid; 1534 sgid = uap->sgid; 1535 AUDIT_ARG_EGID(egid); 1536 AUDIT_ARG_RGID(rgid); 1537 AUDIT_ARG_SGID(sgid); 1538 newcred = crget(); 1539 PROC_LOCK(p); 1540 oldcred = crcopysafe(p, newcred); 1541 1542 #ifdef MAC 1543 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1544 if (error) 1545 goto fail; 1546 #endif 1547 1548 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1549 rgid != oldcred->cr_svgid && 1550 rgid != oldcred->cr_groups[0]) || 1551 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1552 egid != oldcred->cr_svgid && 1553 egid != oldcred->cr_groups[0]) || 1554 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1555 sgid != oldcred->cr_svgid && 1556 sgid != oldcred->cr_groups[0])) && 1557 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1558 goto fail; 1559 1560 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1561 change_egid(newcred, egid); 1562 setsugid(p); 1563 } 1564 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1565 change_rgid(newcred, rgid); 1566 setsugid(p); 1567 } 1568 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1569 change_svgid(newcred, sgid); 1570 setsugid(p); 1571 } 1572 proc_set_cred(p, newcred); 1573 PROC_UNLOCK(p); 1574 crfree(oldcred); 1575 return (0); 1576 1577 fail: 1578 PROC_UNLOCK(p); 1579 crfree(newcred); 1580 return (error); 1581 } 1582 1583 #ifndef _SYS_SYSPROTO_H_ 1584 struct getresuid_args { 1585 uid_t *ruid; 1586 uid_t *euid; 1587 uid_t *suid; 1588 }; 1589 #endif 1590 /* ARGSUSED */ 1591 int 1592 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1593 { 1594 struct ucred *cred; 1595 int error1 = 0, error2 = 0, error3 = 0; 1596 1597 cred = td->td_ucred; 1598 if (uap->ruid) 1599 error1 = copyout(&cred->cr_ruid, 1600 uap->ruid, sizeof(cred->cr_ruid)); 1601 if (uap->euid) 1602 error2 = copyout(&cred->cr_uid, 1603 uap->euid, sizeof(cred->cr_uid)); 1604 if (uap->suid) 1605 error3 = copyout(&cred->cr_svuid, 1606 uap->suid, sizeof(cred->cr_svuid)); 1607 return (error1 ? error1 : error2 ? error2 : error3); 1608 } 1609 1610 #ifndef _SYS_SYSPROTO_H_ 1611 struct getresgid_args { 1612 gid_t *rgid; 1613 gid_t *egid; 1614 gid_t *sgid; 1615 }; 1616 #endif 1617 /* ARGSUSED */ 1618 int 1619 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1620 { 1621 struct ucred *cred; 1622 int error1 = 0, error2 = 0, error3 = 0; 1623 1624 cred = td->td_ucred; 1625 if (uap->rgid) 1626 error1 = copyout(&cred->cr_rgid, 1627 uap->rgid, sizeof(cred->cr_rgid)); 1628 if (uap->egid) 1629 error2 = copyout(&cred->cr_groups[0], 1630 uap->egid, sizeof(cred->cr_groups[0])); 1631 if (uap->sgid) 1632 error3 = copyout(&cred->cr_svgid, 1633 uap->sgid, sizeof(cred->cr_svgid)); 1634 return (error1 ? error1 : error2 ? error2 : error3); 1635 } 1636 1637 #ifndef _SYS_SYSPROTO_H_ 1638 struct issetugid_args { 1639 int dummy; 1640 }; 1641 #endif 1642 /* ARGSUSED */ 1643 int 1644 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1645 { 1646 struct proc *p = td->td_proc; 1647 1648 /* 1649 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1650 * we use P_SUGID because we consider changing the owners as 1651 * "tainting" as well. 1652 * This is significant for procs that start as root and "become" 1653 * a user without an exec - programs cannot know *everything* 1654 * that libc *might* have put in their data segment. 1655 */ 1656 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1657 return (0); 1658 } 1659 1660 int 1661 sys___setugid(struct thread *td, struct __setugid_args *uap) 1662 { 1663 #ifdef REGRESSION 1664 struct proc *p; 1665 1666 p = td->td_proc; 1667 switch (uap->flag) { 1668 case 0: 1669 PROC_LOCK(p); 1670 p->p_flag &= ~P_SUGID; 1671 PROC_UNLOCK(p); 1672 return (0); 1673 case 1: 1674 PROC_LOCK(p); 1675 p->p_flag |= P_SUGID; 1676 PROC_UNLOCK(p); 1677 return (0); 1678 default: 1679 return (EINVAL); 1680 } 1681 #else /* !REGRESSION */ 1682 1683 return (ENOSYS); 1684 #endif /* REGRESSION */ 1685 } 1686 1687 #ifdef INVARIANTS 1688 static void 1689 groups_check_normalized(int ngrp, const gid_t *groups) 1690 { 1691 gid_t prev_g; 1692 1693 groups_check_positive_len(ngrp); 1694 groups_check_max_len(ngrp); 1695 1696 if (ngrp == 1) 1697 return; 1698 1699 prev_g = groups[1]; 1700 for (int i = 2; i < ngrp; ++i) { 1701 const gid_t g = groups[i]; 1702 1703 if (prev_g >= g) 1704 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1705 __func__, i - 1, prev_g, i, g); 1706 prev_g = g; 1707 } 1708 } 1709 #else 1710 #define groups_check_normalized(...) 1711 #endif 1712 1713 /* 1714 * Returns whether gid designates a supplementary group in cred. 1715 */ 1716 bool 1717 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1718 { 1719 1720 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1721 1722 /* 1723 * Perform a binary search of the supplementary groups. This is 1724 * possible because we sort the groups in crsetgroups(). 1725 */ 1726 return (bsearch(&gid, cred->cr_groups + 1, cred->cr_ngroups - 1, 1727 sizeof(gid), gidp_cmp) != NULL); 1728 } 1729 1730 /* 1731 * Check if gid is a member of the (effective) group set (i.e., effective and 1732 * supplementary groups). 1733 */ 1734 bool 1735 groupmember(gid_t gid, const struct ucred *cred) 1736 { 1737 1738 groups_check_positive_len(cred->cr_ngroups); 1739 1740 if (gid == cred->cr_groups[0]) 1741 return (true); 1742 1743 return (group_is_supplementary(gid, cred)); 1744 } 1745 1746 /* 1747 * Check if gid is a member of the real group set (i.e., real and supplementary 1748 * groups). 1749 */ 1750 bool 1751 realgroupmember(gid_t gid, const struct ucred *cred) 1752 { 1753 /* 1754 * Although the equality test on 'cr_rgid' below doesn't access 1755 * 'cr_groups', we check for the latter's length here as we assume that, 1756 * if 'cr_ngroups' is 0, the passed 'struct ucred' is invalid, and 1757 * 'cr_rgid' may not have been filled. 1758 */ 1759 groups_check_positive_len(cred->cr_ngroups); 1760 1761 if (gid == cred->cr_rgid) 1762 return (true); 1763 1764 return (group_is_supplementary(gid, cred)); 1765 } 1766 1767 /* 1768 * Test the active securelevel against a given level. securelevel_gt() 1769 * implements (securelevel > level). securelevel_ge() implements 1770 * (securelevel >= level). Note that the logic is inverted -- these 1771 * functions return EPERM on "success" and 0 on "failure". 1772 * 1773 * Due to care taken when setting the securelevel, we know that no jail will 1774 * be less secure that its parent (or the physical system), so it is sufficient 1775 * to test the current jail only. 1776 * 1777 * XXXRW: Possibly since this has to do with privilege, it should move to 1778 * kern_priv.c. 1779 */ 1780 int 1781 securelevel_gt(struct ucred *cr, int level) 1782 { 1783 1784 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1785 } 1786 1787 int 1788 securelevel_ge(struct ucred *cr, int level) 1789 { 1790 1791 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1792 } 1793 1794 /* 1795 * 'see_other_uids' determines whether or not visibility of processes 1796 * and sockets with credentials holding different real uids is possible 1797 * using a variety of system MIBs. 1798 * XXX: data declarations should be together near the beginning of the file. 1799 */ 1800 static int see_other_uids = 1; 1801 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1802 &see_other_uids, 0, 1803 "Unprivileged processes may see subjects/objects with different real uid"); 1804 1805 /*- 1806 * Determine if u1 "can see" the subject specified by u2, according to the 1807 * 'see_other_uids' policy. 1808 * Returns: 0 for permitted, ESRCH otherwise 1809 * Locks: none 1810 * References: *u1 and *u2 must not change during the call 1811 * u1 may equal u2, in which case only one reference is required 1812 */ 1813 static int 1814 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1815 { 1816 1817 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1818 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1819 return (ESRCH); 1820 } 1821 return (0); 1822 } 1823 1824 /* 1825 * 'see_other_gids' determines whether or not visibility of processes 1826 * and sockets with credentials holding different real gids is possible 1827 * using a variety of system MIBs. 1828 * XXX: data declarations should be together near the beginning of the file. 1829 */ 1830 static int see_other_gids = 1; 1831 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1832 &see_other_gids, 0, 1833 "Unprivileged processes may see subjects/objects with different real gid"); 1834 1835 /* 1836 * Determine if u1 can "see" the subject specified by u2, according to the 1837 * 'see_other_gids' policy. 1838 * Returns: 0 for permitted, ESRCH otherwise 1839 * Locks: none 1840 * References: *u1 and *u2 must not change during the call 1841 * u1 may equal u2, in which case only one reference is required 1842 */ 1843 static int 1844 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1845 { 1846 if (!see_other_gids) { 1847 if (realgroupmember(u1->cr_rgid, u2)) 1848 return (0); 1849 1850 for (int i = 1; i < u1->cr_ngroups; i++) 1851 if (realgroupmember(u1->cr_groups[i], u2)) 1852 return (0); 1853 1854 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1855 return (ESRCH); 1856 } 1857 1858 return (0); 1859 } 1860 1861 /* 1862 * 'see_jail_proc' determines whether or not visibility of processes and 1863 * sockets with credentials holding different jail ids is possible using a 1864 * variety of system MIBs. 1865 * 1866 * XXX: data declarations should be together near the beginning of the file. 1867 */ 1868 1869 static int see_jail_proc = 1; 1870 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1871 &see_jail_proc, 0, 1872 "Unprivileged processes may see subjects/objects with different jail ids"); 1873 1874 /*- 1875 * Determine if u1 "can see" the subject specified by u2, according to the 1876 * 'see_jail_proc' policy. 1877 * Returns: 0 for permitted, ESRCH otherwise 1878 * Locks: none 1879 * References: *u1 and *u2 must not change during the call 1880 * u1 may equal u2, in which case only one reference is required 1881 */ 1882 static int 1883 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1884 { 1885 if (see_jail_proc || /* Policy deactivated. */ 1886 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1887 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1888 return (0); 1889 1890 return (ESRCH); 1891 } 1892 1893 /* 1894 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1895 * policies. Determines if u1 "can see" u2 according to these policies. 1896 * Returns: 0 for permitted, ESRCH otherwise 1897 */ 1898 int 1899 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1900 { 1901 int error; 1902 1903 error = cr_canseeotheruids(u1, u2); 1904 if (error != 0) 1905 return (error); 1906 error = cr_canseeothergids(u1, u2); 1907 if (error != 0) 1908 return (error); 1909 error = cr_canseejailproc(u1, u2); 1910 if (error != 0) 1911 return (error); 1912 return (0); 1913 } 1914 1915 /*- 1916 * Determine if u1 "can see" the subject specified by u2. 1917 * Returns: 0 for permitted, an errno value otherwise 1918 * Locks: none 1919 * References: *u1 and *u2 must not change during the call 1920 * u1 may equal u2, in which case only one reference is required 1921 */ 1922 int 1923 cr_cansee(struct ucred *u1, struct ucred *u2) 1924 { 1925 int error; 1926 1927 if ((error = prison_check(u1, u2))) 1928 return (error); 1929 #ifdef MAC 1930 if ((error = mac_cred_check_visible(u1, u2))) 1931 return (error); 1932 #endif 1933 if ((error = cr_bsd_visible(u1, u2))) 1934 return (error); 1935 return (0); 1936 } 1937 1938 /*- 1939 * Determine if td "can see" the subject specified by p. 1940 * Returns: 0 for permitted, an errno value otherwise 1941 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1942 * should be curthread. 1943 * References: td and p must be valid for the lifetime of the call 1944 */ 1945 int 1946 p_cansee(struct thread *td, struct proc *p) 1947 { 1948 /* Wrap cr_cansee() for all functionality. */ 1949 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1950 PROC_LOCK_ASSERT(p, MA_OWNED); 1951 1952 if (td->td_proc == p) 1953 return (0); 1954 return (cr_cansee(td->td_ucred, p->p_ucred)); 1955 } 1956 1957 /* 1958 * 'conservative_signals' prevents the delivery of a broad class of 1959 * signals by unprivileged processes to processes that have changed their 1960 * credentials since the last invocation of execve(). This can prevent 1961 * the leakage of cached information or retained privileges as a result 1962 * of a common class of signal-related vulnerabilities. However, this 1963 * may interfere with some applications that expect to be able to 1964 * deliver these signals to peer processes after having given up 1965 * privilege. 1966 */ 1967 static int conservative_signals = 1; 1968 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1969 &conservative_signals, 0, "Unprivileged processes prevented from " 1970 "sending certain signals to processes whose credentials have changed"); 1971 /*- 1972 * Determine whether cred may deliver the specified signal to proc. 1973 * Returns: 0 for permitted, an errno value otherwise. 1974 * Locks: A lock must be held for proc. 1975 * References: cred and proc must be valid for the lifetime of the call. 1976 */ 1977 int 1978 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1979 { 1980 int error; 1981 1982 PROC_LOCK_ASSERT(proc, MA_OWNED); 1983 /* 1984 * Jail semantics limit the scope of signalling to proc in the 1985 * same jail as cred, if cred is in jail. 1986 */ 1987 error = prison_check(cred, proc->p_ucred); 1988 if (error) 1989 return (error); 1990 #ifdef MAC 1991 if ((error = mac_proc_check_signal(cred, proc, signum))) 1992 return (error); 1993 #endif 1994 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 1995 return (error); 1996 1997 /* 1998 * UNIX signal semantics depend on the status of the P_SUGID 1999 * bit on the target process. If the bit is set, then additional 2000 * restrictions are placed on the set of available signals. 2001 */ 2002 if (conservative_signals && (proc->p_flag & P_SUGID)) { 2003 switch (signum) { 2004 case 0: 2005 case SIGKILL: 2006 case SIGINT: 2007 case SIGTERM: 2008 case SIGALRM: 2009 case SIGSTOP: 2010 case SIGTTIN: 2011 case SIGTTOU: 2012 case SIGTSTP: 2013 case SIGHUP: 2014 case SIGUSR1: 2015 case SIGUSR2: 2016 /* 2017 * Generally, permit job and terminal control 2018 * signals. 2019 */ 2020 break; 2021 default: 2022 /* Not permitted without privilege. */ 2023 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 2024 if (error) 2025 return (error); 2026 } 2027 } 2028 2029 /* 2030 * Generally, the target credential's ruid or svuid must match the 2031 * subject credential's ruid or euid. 2032 */ 2033 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 2034 cred->cr_ruid != proc->p_ucred->cr_svuid && 2035 cred->cr_uid != proc->p_ucred->cr_ruid && 2036 cred->cr_uid != proc->p_ucred->cr_svuid) { 2037 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 2038 if (error) 2039 return (error); 2040 } 2041 2042 return (0); 2043 } 2044 2045 /*- 2046 * Determine whether td may deliver the specified signal to p. 2047 * Returns: 0 for permitted, an errno value otherwise 2048 * Locks: Sufficient locks to protect various components of td and p 2049 * must be held. td must be curthread, and a lock must be 2050 * held for p. 2051 * References: td and p must be valid for the lifetime of the call 2052 */ 2053 int 2054 p_cansignal(struct thread *td, struct proc *p, int signum) 2055 { 2056 2057 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2058 PROC_LOCK_ASSERT(p, MA_OWNED); 2059 if (td->td_proc == p) 2060 return (0); 2061 2062 /* 2063 * UNIX signalling semantics require that processes in the same 2064 * session always be able to deliver SIGCONT to one another, 2065 * overriding the remaining protections. 2066 */ 2067 /* XXX: This will require an additional lock of some sort. */ 2068 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 2069 return (0); 2070 /* 2071 * Some compat layers use SIGTHR and higher signals for 2072 * communication between different kernel threads of the same 2073 * process, so that they expect that it's always possible to 2074 * deliver them, even for suid applications where cr_cansignal() can 2075 * deny such ability for security consideration. It should be 2076 * pretty safe to do since the only way to create two processes 2077 * with the same p_leader is via rfork(2). 2078 */ 2079 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 2080 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 2081 return (0); 2082 2083 return (cr_cansignal(td->td_ucred, p, signum)); 2084 } 2085 2086 /*- 2087 * Determine whether td may reschedule p. 2088 * Returns: 0 for permitted, an errno value otherwise 2089 * Locks: Sufficient locks to protect various components of td and p 2090 * must be held. td must be curthread, and a lock must 2091 * be held for p. 2092 * References: td and p must be valid for the lifetime of the call 2093 */ 2094 int 2095 p_cansched(struct thread *td, struct proc *p) 2096 { 2097 int error; 2098 2099 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2100 PROC_LOCK_ASSERT(p, MA_OWNED); 2101 if (td->td_proc == p) 2102 return (0); 2103 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2104 return (error); 2105 #ifdef MAC 2106 if ((error = mac_proc_check_sched(td->td_ucred, p))) 2107 return (error); 2108 #endif 2109 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2110 return (error); 2111 2112 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 2113 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 2114 error = priv_check(td, PRIV_SCHED_DIFFCRED); 2115 if (error) 2116 return (error); 2117 } 2118 return (0); 2119 } 2120 2121 /* 2122 * Handle getting or setting the prison's unprivileged_proc_debug 2123 * value. 2124 */ 2125 static int 2126 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 2127 { 2128 int error, val; 2129 2130 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 2131 error = sysctl_handle_int(oidp, &val, 0, req); 2132 if (error != 0 || req->newptr == NULL) 2133 return (error); 2134 if (val != 0 && val != 1) 2135 return (EINVAL); 2136 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 2137 return (0); 2138 } 2139 2140 /* 2141 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 2142 * unprivileged inter-process debugging services, including some procfs 2143 * functionality, ptrace(), and ktrace(). In the past, inter-process 2144 * debugging has been involved in a variety of security problems, and sites 2145 * not requiring the service might choose to disable it when hardening 2146 * systems. 2147 */ 2148 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 2149 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 2150 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 2151 "Unprivileged processes may use process debugging facilities"); 2152 2153 /*- 2154 * Determine whether td may debug p. 2155 * Returns: 0 for permitted, an errno value otherwise 2156 * Locks: Sufficient locks to protect various components of td and p 2157 * must be held. td must be curthread, and a lock must 2158 * be held for p. 2159 * References: td and p must be valid for the lifetime of the call 2160 */ 2161 int 2162 p_candebug(struct thread *td, struct proc *p) 2163 { 2164 int error, grpsubset, i, uidsubset; 2165 2166 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2167 PROC_LOCK_ASSERT(p, MA_OWNED); 2168 if (td->td_proc == p) 2169 return (0); 2170 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 2171 return (error); 2172 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2173 return (error); 2174 #ifdef MAC 2175 if ((error = mac_proc_check_debug(td->td_ucred, p))) 2176 return (error); 2177 #endif 2178 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2179 return (error); 2180 2181 /* 2182 * Is p's group set a subset of td's effective group set? This 2183 * includes p's egid, group access list, rgid, and svgid. 2184 */ 2185 grpsubset = 1; 2186 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 2187 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 2188 grpsubset = 0; 2189 break; 2190 } 2191 } 2192 grpsubset = grpsubset && 2193 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 2194 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 2195 2196 /* 2197 * Are the uids present in p's credential equal to td's 2198 * effective uid? This includes p's euid, svuid, and ruid. 2199 */ 2200 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 2201 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 2202 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 2203 2204 /* 2205 * If p's gids aren't a subset, or the uids aren't a subset, 2206 * or the credential has changed, require appropriate privilege 2207 * for td to debug p. 2208 */ 2209 if (!grpsubset || !uidsubset) { 2210 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 2211 if (error) 2212 return (error); 2213 } 2214 2215 /* 2216 * Has the credential of the process changed since the last exec()? 2217 */ 2218 if ((p->p_flag & P_SUGID) != 0) { 2219 error = priv_check(td, PRIV_DEBUG_SUGID); 2220 if (error) 2221 return (error); 2222 } 2223 2224 /* Can't trace init when securelevel > 0. */ 2225 if (p == initproc) { 2226 error = securelevel_gt(td->td_ucred, 0); 2227 if (error) 2228 return (error); 2229 } 2230 2231 /* 2232 * Can't trace a process that's currently exec'ing. 2233 * 2234 * XXX: Note, this is not a security policy decision, it's a 2235 * basic correctness/functionality decision. Therefore, this check 2236 * should be moved to the caller's of p_candebug(). 2237 */ 2238 if ((p->p_flag & P_INEXEC) != 0) 2239 return (EBUSY); 2240 2241 /* Denied explicitly */ 2242 if ((p->p_flag2 & P2_NOTRACE) != 0) { 2243 error = priv_check(td, PRIV_DEBUG_DENIED); 2244 if (error != 0) 2245 return (error); 2246 } 2247 2248 return (0); 2249 } 2250 2251 /*- 2252 * Determine whether the subject represented by cred can "see" a socket. 2253 * Returns: 0 for permitted, ENOENT otherwise. 2254 */ 2255 int 2256 cr_canseesocket(struct ucred *cred, struct socket *so) 2257 { 2258 int error; 2259 2260 error = prison_check(cred, so->so_cred); 2261 if (error) 2262 return (ENOENT); 2263 #ifdef MAC 2264 error = mac_socket_check_visible(cred, so); 2265 if (error) 2266 return (error); 2267 #endif 2268 if (cr_bsd_visible(cred, so->so_cred)) 2269 return (ENOENT); 2270 2271 return (0); 2272 } 2273 2274 /*- 2275 * Determine whether td can wait for the exit of p. 2276 * Returns: 0 for permitted, an errno value otherwise 2277 * Locks: Sufficient locks to protect various components of td and p 2278 * must be held. td must be curthread, and a lock must 2279 * be held for p. 2280 * References: td and p must be valid for the lifetime of the call 2281 2282 */ 2283 int 2284 p_canwait(struct thread *td, struct proc *p) 2285 { 2286 int error; 2287 2288 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2289 PROC_LOCK_ASSERT(p, MA_OWNED); 2290 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2291 return (error); 2292 #ifdef MAC 2293 if ((error = mac_proc_check_wait(td->td_ucred, p))) 2294 return (error); 2295 #endif 2296 #if 0 2297 /* XXXMAC: This could have odd effects on some shells. */ 2298 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2299 return (error); 2300 #endif 2301 2302 return (0); 2303 } 2304 2305 /* 2306 * Credential management. 2307 * 2308 * struct ucred objects are rarely allocated but gain and lose references all 2309 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 2310 * a significant source of cache-line ping ponging. Common cases are worked 2311 * around by modifying thread-local counter instead if the cred to operate on 2312 * matches td_realucred. 2313 * 2314 * The counter is split into 2 parts: 2315 * - cr_users -- total count of all struct proc and struct thread objects 2316 * which have given cred in p_ucred and td_ucred respectively 2317 * - cr_ref -- the actual ref count, only valid if cr_users == 0 2318 * 2319 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 2320 * the count reaches 0 the object is freeable. 2321 * If users > 0 and curthread->td_realucred == cred, then updates are performed 2322 * against td_ucredref. 2323 * In other cases updates are performed against cr_ref. 2324 * 2325 * Changing td_realucred into something else decrements cr_users and transfers 2326 * accumulated updates. 2327 */ 2328 struct ucred * 2329 crcowget(struct ucred *cr) 2330 { 2331 2332 mtx_lock(&cr->cr_mtx); 2333 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2334 __func__, cr->cr_users, cr)); 2335 cr->cr_users++; 2336 cr->cr_ref++; 2337 mtx_unlock(&cr->cr_mtx); 2338 return (cr); 2339 } 2340 2341 static struct ucred * 2342 crunuse(struct thread *td) 2343 { 2344 struct ucred *cr, *crold; 2345 2346 MPASS(td->td_realucred == td->td_ucred); 2347 cr = td->td_realucred; 2348 mtx_lock(&cr->cr_mtx); 2349 cr->cr_ref += td->td_ucredref; 2350 td->td_ucredref = 0; 2351 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2352 __func__, cr->cr_users, cr)); 2353 cr->cr_users--; 2354 if (cr->cr_users == 0) { 2355 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2356 __func__, cr->cr_ref, cr)); 2357 crold = cr; 2358 } else { 2359 cr->cr_ref--; 2360 crold = NULL; 2361 } 2362 mtx_unlock(&cr->cr_mtx); 2363 td->td_realucred = NULL; 2364 return (crold); 2365 } 2366 2367 static void 2368 crunusebatch(struct ucred *cr, int users, int ref) 2369 { 2370 2371 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2372 __func__, users, cr)); 2373 mtx_lock(&cr->cr_mtx); 2374 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2375 __func__, cr->cr_users, users, cr)); 2376 cr->cr_users -= users; 2377 cr->cr_ref += ref; 2378 cr->cr_ref -= users; 2379 if (cr->cr_users > 0) { 2380 mtx_unlock(&cr->cr_mtx); 2381 return; 2382 } 2383 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2384 __func__, cr->cr_ref, cr)); 2385 if (cr->cr_ref > 0) { 2386 mtx_unlock(&cr->cr_mtx); 2387 return; 2388 } 2389 crfree_final(cr); 2390 } 2391 2392 void 2393 crcowfree(struct thread *td) 2394 { 2395 struct ucred *cr; 2396 2397 cr = crunuse(td); 2398 if (cr != NULL) 2399 crfree(cr); 2400 } 2401 2402 struct ucred * 2403 crcowsync(void) 2404 { 2405 struct thread *td; 2406 struct proc *p; 2407 struct ucred *crnew, *crold; 2408 2409 td = curthread; 2410 p = td->td_proc; 2411 PROC_LOCK_ASSERT(p, MA_OWNED); 2412 2413 MPASS(td->td_realucred == td->td_ucred); 2414 if (td->td_realucred == p->p_ucred) 2415 return (NULL); 2416 2417 crnew = crcowget(p->p_ucred); 2418 crold = crunuse(td); 2419 td->td_realucred = crnew; 2420 td->td_ucred = td->td_realucred; 2421 return (crold); 2422 } 2423 2424 /* 2425 * Batching. 2426 */ 2427 void 2428 credbatch_add(struct credbatch *crb, struct thread *td) 2429 { 2430 struct ucred *cr; 2431 2432 MPASS(td->td_realucred != NULL); 2433 MPASS(td->td_realucred == td->td_ucred); 2434 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2435 cr = td->td_realucred; 2436 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2437 __func__, cr->cr_users, cr)); 2438 if (crb->cred != cr) { 2439 if (crb->users > 0) { 2440 MPASS(crb->cred != NULL); 2441 crunusebatch(crb->cred, crb->users, crb->ref); 2442 crb->users = 0; 2443 crb->ref = 0; 2444 } 2445 } 2446 crb->cred = cr; 2447 crb->users++; 2448 crb->ref += td->td_ucredref; 2449 td->td_ucredref = 0; 2450 td->td_realucred = NULL; 2451 } 2452 2453 void 2454 credbatch_final(struct credbatch *crb) 2455 { 2456 2457 MPASS(crb->cred != NULL); 2458 MPASS(crb->users > 0); 2459 crunusebatch(crb->cred, crb->users, crb->ref); 2460 } 2461 2462 /* 2463 * Allocate a zeroed cred structure. 2464 */ 2465 struct ucred * 2466 crget(void) 2467 { 2468 struct ucred *cr; 2469 2470 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2471 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2472 cr->cr_ref = 1; 2473 #ifdef AUDIT 2474 audit_cred_init(cr); 2475 #endif 2476 #ifdef MAC 2477 mac_cred_init(cr); 2478 #endif 2479 cr->cr_groups = cr->cr_smallgroups; 2480 cr->cr_agroups = nitems(cr->cr_smallgroups); 2481 return (cr); 2482 } 2483 2484 /* 2485 * Claim another reference to a ucred structure. 2486 */ 2487 struct ucred * 2488 crhold(struct ucred *cr) 2489 { 2490 struct thread *td; 2491 2492 td = curthread; 2493 if (__predict_true(td->td_realucred == cr)) { 2494 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2495 __func__, cr->cr_users, cr)); 2496 td->td_ucredref++; 2497 return (cr); 2498 } 2499 mtx_lock(&cr->cr_mtx); 2500 cr->cr_ref++; 2501 mtx_unlock(&cr->cr_mtx); 2502 return (cr); 2503 } 2504 2505 /* 2506 * Free a cred structure. Throws away space when ref count gets to 0. 2507 */ 2508 void 2509 crfree(struct ucred *cr) 2510 { 2511 struct thread *td; 2512 2513 td = curthread; 2514 if (__predict_true(td->td_realucred == cr)) { 2515 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2516 __func__, cr->cr_users, cr)); 2517 td->td_ucredref--; 2518 return; 2519 } 2520 mtx_lock(&cr->cr_mtx); 2521 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2522 __func__, cr->cr_users, cr)); 2523 cr->cr_ref--; 2524 if (cr->cr_users > 0) { 2525 mtx_unlock(&cr->cr_mtx); 2526 return; 2527 } 2528 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2529 __func__, cr->cr_ref, cr)); 2530 if (cr->cr_ref > 0) { 2531 mtx_unlock(&cr->cr_mtx); 2532 return; 2533 } 2534 crfree_final(cr); 2535 } 2536 2537 static void 2538 crfree_final(struct ucred *cr) 2539 { 2540 2541 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2542 __func__, cr->cr_users, cr)); 2543 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2544 __func__, cr->cr_ref, cr)); 2545 2546 /* 2547 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2548 * credential, but don't allocate a uidinfo structure. 2549 */ 2550 if (cr->cr_uidinfo != NULL) 2551 uifree(cr->cr_uidinfo); 2552 if (cr->cr_ruidinfo != NULL) 2553 uifree(cr->cr_ruidinfo); 2554 if (cr->cr_prison != NULL) 2555 prison_free(cr->cr_prison); 2556 if (cr->cr_loginclass != NULL) 2557 loginclass_free(cr->cr_loginclass); 2558 #ifdef AUDIT 2559 audit_cred_destroy(cr); 2560 #endif 2561 #ifdef MAC 2562 mac_cred_destroy(cr); 2563 #endif 2564 mtx_destroy(&cr->cr_mtx); 2565 if (cr->cr_groups != cr->cr_smallgroups) 2566 free(cr->cr_groups, M_CRED); 2567 free(cr, M_CRED); 2568 } 2569 2570 /* 2571 * Copy a ucred's contents from a template. Does not block. 2572 */ 2573 void 2574 crcopy(struct ucred *dest, struct ucred *src) 2575 { 2576 2577 /* 2578 * Ideally, 'cr_ngroups' should be moved out of 'struct ucred''s bcopied 2579 * area, but this would break the ABI, so is deferred until there is 2580 * a compelling need to change it. 2581 */ 2582 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2583 (unsigned)((caddr_t)&src->cr_endcopy - 2584 (caddr_t)&src->cr_startcopy)); 2585 dest->cr_flags = src->cr_flags; 2586 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2587 uihold(dest->cr_uidinfo); 2588 uihold(dest->cr_ruidinfo); 2589 prison_hold(dest->cr_prison); 2590 loginclass_hold(dest->cr_loginclass); 2591 #ifdef AUDIT 2592 audit_cred_copy(src, dest); 2593 #endif 2594 #ifdef MAC 2595 mac_cred_copy(src, dest); 2596 #endif 2597 } 2598 2599 /* 2600 * Dup cred struct to a new held one. 2601 */ 2602 struct ucred * 2603 crdup(struct ucred *cr) 2604 { 2605 struct ucred *newcr; 2606 2607 newcr = crget(); 2608 crcopy(newcr, cr); 2609 return (newcr); 2610 } 2611 2612 /* 2613 * Fill in a struct xucred based on a struct ucred. 2614 */ 2615 void 2616 cru2x(struct ucred *cr, struct xucred *xcr) 2617 { 2618 int ngroups; 2619 2620 bzero(xcr, sizeof(*xcr)); 2621 xcr->cr_version = XUCRED_VERSION; 2622 xcr->cr_uid = cr->cr_uid; 2623 2624 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 2625 xcr->cr_ngroups = ngroups; 2626 bcopy(cr->cr_groups, xcr->cr_groups, 2627 ngroups * sizeof(*cr->cr_groups)); 2628 } 2629 2630 void 2631 cru2xt(struct thread *td, struct xucred *xcr) 2632 { 2633 2634 cru2x(td->td_ucred, xcr); 2635 xcr->cr_pid = td->td_proc->p_pid; 2636 } 2637 2638 /* 2639 * Change process credentials. 2640 * 2641 * Callers are responsible for providing the reference for passed credentials 2642 * and for freeing old ones. Calls chgproccnt() to correctly account the 2643 * current process to the proper real UID, if the latter has changed. Returns 2644 * whether the operation was successful. Failure can happen only on 2645 * 'enforce_proc_lim' being true and if no new process can be accounted to the 2646 * new real UID because of the current limit (see the inner comment for more 2647 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override 2648 * that. 2649 */ 2650 static bool 2651 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim) 2652 { 2653 struct ucred *const oldcred = p->p_ucred; 2654 2655 MPASS(oldcred != NULL); 2656 PROC_LOCK_ASSERT(p, MA_OWNED); 2657 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2658 __func__, newcred->cr_users, newcred)); 2659 KASSERT(newcred->cr_ref == 1, ("%s: ref %ld not 1 on cred %p", 2660 __func__, newcred->cr_ref, newcred)); 2661 2662 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) { 2663 /* 2664 * XXXOC: This check is flawed but nonetheless the best we can 2665 * currently do as we don't really track limits per UID contrary 2666 * to what we pretend in setrlimit(2). Until this is reworked, 2667 * we just check here that the number of processes for our new 2668 * real UID doesn't exceed this process' process number limit 2669 * (which is meant to be associated with the current real UID). 2670 */ 2671 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1, 2672 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0); 2673 2674 if (!proccnt_changed) { 2675 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0) 2676 return (false); 2677 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2678 } 2679 } 2680 2681 mtx_lock(&oldcred->cr_mtx); 2682 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2683 __func__, oldcred->cr_users, oldcred)); 2684 oldcred->cr_users--; 2685 mtx_unlock(&oldcred->cr_mtx); 2686 p->p_ucred = newcred; 2687 newcred->cr_users = 1; 2688 PROC_UPDATE_COW(p); 2689 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) 2690 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0); 2691 return (true); 2692 } 2693 2694 void 2695 proc_set_cred(struct proc *p, struct ucred *newcred) 2696 { 2697 bool success = _proc_set_cred(p, newcred, false); 2698 2699 MPASS(success); 2700 } 2701 2702 bool 2703 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred) 2704 { 2705 return (_proc_set_cred(p, newcred, true)); 2706 } 2707 2708 void 2709 proc_unset_cred(struct proc *p, bool decrement_proc_count) 2710 { 2711 struct ucred *cr; 2712 2713 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2714 cr = p->p_ucred; 2715 p->p_ucred = NULL; 2716 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2717 __func__, cr->cr_users, cr)); 2718 mtx_lock(&cr->cr_mtx); 2719 cr->cr_users--; 2720 if (cr->cr_users == 0) 2721 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2722 __func__, cr->cr_ref, cr)); 2723 mtx_unlock(&cr->cr_mtx); 2724 if (decrement_proc_count) 2725 (void)chgproccnt(cr->cr_ruidinfo, -1, 0); 2726 crfree(cr); 2727 } 2728 2729 struct ucred * 2730 crcopysafe(struct proc *p, struct ucred *cr) 2731 { 2732 struct ucred *oldcred; 2733 int groups; 2734 2735 PROC_LOCK_ASSERT(p, MA_OWNED); 2736 2737 oldcred = p->p_ucred; 2738 while (cr->cr_agroups < oldcred->cr_agroups) { 2739 groups = oldcred->cr_agroups; 2740 PROC_UNLOCK(p); 2741 crextend(cr, groups); 2742 PROC_LOCK(p); 2743 oldcred = p->p_ucred; 2744 } 2745 crcopy(cr, oldcred); 2746 2747 return (oldcred); 2748 } 2749 2750 /* 2751 * Extend the passed-in credentials to hold n groups. 2752 * 2753 * Must not be called after groups have been set. 2754 */ 2755 void 2756 crextend(struct ucred *cr, int n) 2757 { 2758 size_t nbytes; 2759 2760 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2761 MPASS2(cr->cr_ngroups == 0, "groups on 'cr' already set!"); 2762 groups_check_positive_len(n); 2763 groups_check_max_len(n); 2764 2765 if (n <= cr->cr_agroups) 2766 return; 2767 2768 nbytes = n * sizeof(gid_t); 2769 if (nbytes < n) 2770 panic("Too many groups (memory size overflow)! " 2771 "Computation of 'kern.ngroups' should have prevented this, " 2772 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2773 2774 /* 2775 * We allocate a power of 2 larger than 'nbytes', except when that 2776 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2777 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2778 * below) but do not need to for sizeof(gid_t). 2779 */ 2780 if (nbytes < PAGE_SIZE) { 2781 if (!powerof2(nbytes)) 2782 /* fls*() return a bit index starting at 1. */ 2783 nbytes = 1 << flsl(nbytes); 2784 } else 2785 nbytes = roundup2(nbytes, PAGE_SIZE); 2786 2787 /* Free the old array. */ 2788 if (cr->cr_groups != cr->cr_smallgroups) 2789 free(cr->cr_groups, M_CRED); 2790 2791 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2792 cr->cr_agroups = nbytes / sizeof(gid_t); 2793 } 2794 2795 /* 2796 * Normalizes a set of groups to be applied to a 'struct ucred'. 2797 * 2798 * The set of groups is an array that must comprise the effective GID as its 2799 * first element (so its length cannot be 0). 2800 * 2801 * Normalization ensures that elements after the first, which stand for the 2802 * supplementary groups, are sorted in ascending order and do not contain 2803 * duplicates. 2804 */ 2805 static void 2806 groups_normalize(int *ngrp, gid_t *groups) 2807 { 2808 gid_t prev_g; 2809 int ins_idx; 2810 2811 groups_check_positive_len(*ngrp); 2812 groups_check_max_len(*ngrp); 2813 2814 if (*ngrp == 1) 2815 return; 2816 2817 qsort(groups + 1, *ngrp - 1, sizeof(*groups), gidp_cmp); 2818 2819 /* Remove duplicates. */ 2820 prev_g = groups[1]; 2821 ins_idx = 2; 2822 for (int i = 2; i < *ngrp; ++i) { 2823 const gid_t g = groups[i]; 2824 2825 if (g != prev_g) { 2826 if (i != ins_idx) 2827 groups[ins_idx] = g; 2828 ++ins_idx; 2829 prev_g = g; 2830 } 2831 } 2832 *ngrp = ins_idx; 2833 2834 groups_check_normalized(*ngrp, groups); 2835 } 2836 2837 /* 2838 * Internal function copying groups into a credential. 2839 * 2840 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2841 * been normalized in advance (see groups_normalize()), else it must be so 2842 * before the structure is to be used again. 2843 * 2844 * This function is suitable to be used under any lock (it doesn't take any lock 2845 * itself nor sleep, and in particular doesn't allocate memory). crextend() 2846 * must have been called beforehand to ensure sufficient space is available. 2847 * See also crsetgroups(), which handles that. 2848 */ 2849 static void 2850 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 2851 { 2852 2853 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2854 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 2855 groups_check_positive_len(ngrp); 2856 2857 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2858 cr->cr_ngroups = ngrp; 2859 } 2860 2861 /* 2862 * Copy groups in to a credential after expanding it if required. 2863 * 2864 * May sleep in order to allocate memory (except if, e.g., crextend() was called 2865 * before with 'ngrp' or greater). Truncates the list to (ngroups_max + 1) if 2866 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 2867 * strictly positive. 2868 */ 2869 void 2870 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 2871 { 2872 2873 if (ngrp > ngroups_max + 1) 2874 ngrp = ngroups_max + 1; 2875 /* 2876 * crextend() asserts that groups are not set, as it may allocate a new 2877 * backing storage without copying the content of the old one. Since we 2878 * are going to install a completely new set anyway, signal that we 2879 * consider the old ones thrown away. 2880 */ 2881 cr->cr_ngroups = 0; 2882 crextend(cr, ngrp); 2883 crsetgroups_internal(cr, ngrp, groups); 2884 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 2885 } 2886 2887 /* 2888 * Same as crsetgroups() but accepts an empty groups array. 2889 * 2890 * This function ensures that an effective GID is always present in credentials. 2891 * An empty array is treated as a one-size one holding the passed effective GID 2892 * fallback. 2893 */ 2894 void 2895 crsetgroups_fallback(struct ucred *cr, int ngrp, const gid_t *groups, 2896 const gid_t fallback) 2897 { 2898 if (ngrp == 0) 2899 /* Shortcut. */ 2900 crsetgroups_internal(cr, 1, &fallback); 2901 else 2902 crsetgroups(cr, ngrp, groups); 2903 } 2904 2905 /* 2906 * Get login name, if available. 2907 */ 2908 #ifndef _SYS_SYSPROTO_H_ 2909 struct getlogin_args { 2910 char *namebuf; 2911 u_int namelen; 2912 }; 2913 #endif 2914 /* ARGSUSED */ 2915 int 2916 sys_getlogin(struct thread *td, struct getlogin_args *uap) 2917 { 2918 char login[MAXLOGNAME]; 2919 struct proc *p = td->td_proc; 2920 size_t len; 2921 2922 if (uap->namelen > MAXLOGNAME) 2923 uap->namelen = MAXLOGNAME; 2924 PROC_LOCK(p); 2925 SESS_LOCK(p->p_session); 2926 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 2927 SESS_UNLOCK(p->p_session); 2928 PROC_UNLOCK(p); 2929 if (len > uap->namelen) 2930 return (ERANGE); 2931 return (copyout(login, uap->namebuf, len)); 2932 } 2933 2934 /* 2935 * Set login name. 2936 */ 2937 #ifndef _SYS_SYSPROTO_H_ 2938 struct setlogin_args { 2939 char *namebuf; 2940 }; 2941 #endif 2942 /* ARGSUSED */ 2943 int 2944 sys_setlogin(struct thread *td, struct setlogin_args *uap) 2945 { 2946 struct proc *p = td->td_proc; 2947 int error; 2948 char logintmp[MAXLOGNAME]; 2949 2950 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 2951 2952 error = priv_check(td, PRIV_PROC_SETLOGIN); 2953 if (error) 2954 return (error); 2955 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2956 if (error != 0) { 2957 if (error == ENAMETOOLONG) 2958 error = EINVAL; 2959 return (error); 2960 } 2961 AUDIT_ARG_LOGIN(logintmp); 2962 PROC_LOCK(p); 2963 SESS_LOCK(p->p_session); 2964 strcpy(p->p_session->s_login, logintmp); 2965 SESS_UNLOCK(p->p_session); 2966 PROC_UNLOCK(p); 2967 return (0); 2968 } 2969 2970 void 2971 setsugid(struct proc *p) 2972 { 2973 2974 PROC_LOCK_ASSERT(p, MA_OWNED); 2975 p->p_flag |= P_SUGID; 2976 } 2977 2978 /*- 2979 * Change a process's effective uid. 2980 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2981 * References: newcred must be an exclusive credential reference for the 2982 * duration of the call. 2983 */ 2984 void 2985 change_euid(struct ucred *newcred, struct uidinfo *euip) 2986 { 2987 2988 newcred->cr_uid = euip->ui_uid; 2989 uihold(euip); 2990 uifree(newcred->cr_uidinfo); 2991 newcred->cr_uidinfo = euip; 2992 } 2993 2994 /*- 2995 * Change a process's effective gid. 2996 * Side effects: newcred->cr_gid will be modified. 2997 * References: newcred must be an exclusive credential reference for the 2998 * duration of the call. 2999 */ 3000 void 3001 change_egid(struct ucred *newcred, gid_t egid) 3002 { 3003 3004 newcred->cr_groups[0] = egid; 3005 } 3006 3007 /*- 3008 * Change a process's real uid. 3009 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 3010 * will be updated. 3011 * References: newcred must be an exclusive credential reference for the 3012 * duration of the call. 3013 */ 3014 void 3015 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 3016 { 3017 3018 newcred->cr_ruid = ruip->ui_uid; 3019 uihold(ruip); 3020 uifree(newcred->cr_ruidinfo); 3021 newcred->cr_ruidinfo = ruip; 3022 } 3023 3024 /*- 3025 * Change a process's real gid. 3026 * Side effects: newcred->cr_rgid will be updated. 3027 * References: newcred must be an exclusive credential reference for the 3028 * duration of the call. 3029 */ 3030 void 3031 change_rgid(struct ucred *newcred, gid_t rgid) 3032 { 3033 3034 newcred->cr_rgid = rgid; 3035 } 3036 3037 /*- 3038 * Change a process's saved uid. 3039 * Side effects: newcred->cr_svuid will be updated. 3040 * References: newcred must be an exclusive credential reference for the 3041 * duration of the call. 3042 */ 3043 void 3044 change_svuid(struct ucred *newcred, uid_t svuid) 3045 { 3046 3047 newcred->cr_svuid = svuid; 3048 } 3049 3050 /*- 3051 * Change a process's saved gid. 3052 * Side effects: newcred->cr_svgid will be updated. 3053 * References: newcred must be an exclusive credential reference for the 3054 * duration of the call. 3055 */ 3056 void 3057 change_svgid(struct ucred *newcred, gid_t svgid) 3058 { 3059 3060 newcred->cr_svgid = svgid; 3061 } 3062 3063 bool allow_ptrace = true; 3064 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 3065 &allow_ptrace, 0, 3066 "Deny ptrace(2) use by returning ENOSYS"); 3067