1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/cdefs.h> 43 __FBSDID("$FreeBSD$"); 44 45 #include "opt_compat.h" 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/acct.h> 51 #include <sys/kdb.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/mac.h> 55 #include <sys/malloc.h> 56 #include <sys/mutex.h> 57 #include <sys/refcount.h> 58 #include <sys/sx.h> 59 #include <sys/proc.h> 60 #include <sys/sysproto.h> 61 #include <sys/jail.h> 62 #include <sys/pioctl.h> 63 #include <sys/resourcevar.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/syscallsubr.h> 67 #include <sys/sysctl.h> 68 69 #include <security/audit/audit.h> 70 71 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 72 73 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 74 75 #ifndef _SYS_SYSPROTO_H_ 76 struct getpid_args { 77 int dummy; 78 }; 79 #endif 80 /* 81 * MPSAFE 82 */ 83 /* ARGSUSED */ 84 int 85 getpid(struct thread *td, struct getpid_args *uap) 86 { 87 struct proc *p = td->td_proc; 88 89 td->td_retval[0] = p->p_pid; 90 #if defined(COMPAT_43) 91 PROC_LOCK(p); 92 td->td_retval[1] = p->p_pptr->p_pid; 93 PROC_UNLOCK(p); 94 #endif 95 return (0); 96 } 97 98 #ifndef _SYS_SYSPROTO_H_ 99 struct getppid_args { 100 int dummy; 101 }; 102 #endif 103 /* 104 * MPSAFE 105 */ 106 /* ARGSUSED */ 107 int 108 getppid(struct thread *td, struct getppid_args *uap) 109 { 110 struct proc *p = td->td_proc; 111 112 PROC_LOCK(p); 113 td->td_retval[0] = p->p_pptr->p_pid; 114 PROC_UNLOCK(p); 115 return (0); 116 } 117 118 /* 119 * Get process group ID; note that POSIX getpgrp takes no parameter. 120 */ 121 #ifndef _SYS_SYSPROTO_H_ 122 struct getpgrp_args { 123 int dummy; 124 }; 125 #endif 126 /* 127 * MPSAFE 128 */ 129 int 130 getpgrp(struct thread *td, struct getpgrp_args *uap) 131 { 132 struct proc *p = td->td_proc; 133 134 PROC_LOCK(p); 135 td->td_retval[0] = p->p_pgrp->pg_id; 136 PROC_UNLOCK(p); 137 return (0); 138 } 139 140 /* Get an arbitary pid's process group id */ 141 #ifndef _SYS_SYSPROTO_H_ 142 struct getpgid_args { 143 pid_t pid; 144 }; 145 #endif 146 /* 147 * MPSAFE 148 */ 149 int 150 getpgid(struct thread *td, struct getpgid_args *uap) 151 { 152 struct proc *p; 153 int error; 154 155 if (uap->pid == 0) { 156 p = td->td_proc; 157 PROC_LOCK(p); 158 } else { 159 p = pfind(uap->pid); 160 if (p == NULL) 161 return (ESRCH); 162 error = p_cansee(td, p); 163 if (error) { 164 PROC_UNLOCK(p); 165 return (error); 166 } 167 } 168 td->td_retval[0] = p->p_pgrp->pg_id; 169 PROC_UNLOCK(p); 170 return (0); 171 } 172 173 /* 174 * Get an arbitary pid's session id. 175 */ 176 #ifndef _SYS_SYSPROTO_H_ 177 struct getsid_args { 178 pid_t pid; 179 }; 180 #endif 181 /* 182 * MPSAFE 183 */ 184 int 185 getsid(struct thread *td, struct getsid_args *uap) 186 { 187 struct proc *p; 188 int error; 189 190 if (uap->pid == 0) { 191 p = td->td_proc; 192 PROC_LOCK(p); 193 } else { 194 p = pfind(uap->pid); 195 if (p == NULL) 196 return (ESRCH); 197 error = p_cansee(td, p); 198 if (error) { 199 PROC_UNLOCK(p); 200 return (error); 201 } 202 } 203 td->td_retval[0] = p->p_session->s_sid; 204 PROC_UNLOCK(p); 205 return (0); 206 } 207 208 #ifndef _SYS_SYSPROTO_H_ 209 struct getuid_args { 210 int dummy; 211 }; 212 #endif 213 /* 214 * MPSAFE 215 */ 216 /* ARGSUSED */ 217 int 218 getuid(struct thread *td, struct getuid_args *uap) 219 { 220 221 td->td_retval[0] = td->td_ucred->cr_ruid; 222 #if defined(COMPAT_43) 223 td->td_retval[1] = td->td_ucred->cr_uid; 224 #endif 225 return (0); 226 } 227 228 #ifndef _SYS_SYSPROTO_H_ 229 struct geteuid_args { 230 int dummy; 231 }; 232 #endif 233 /* 234 * MPSAFE 235 */ 236 /* ARGSUSED */ 237 int 238 geteuid(struct thread *td, struct geteuid_args *uap) 239 { 240 241 td->td_retval[0] = td->td_ucred->cr_uid; 242 return (0); 243 } 244 245 #ifndef _SYS_SYSPROTO_H_ 246 struct getgid_args { 247 int dummy; 248 }; 249 #endif 250 /* 251 * MPSAFE 252 */ 253 /* ARGSUSED */ 254 int 255 getgid(struct thread *td, struct getgid_args *uap) 256 { 257 258 td->td_retval[0] = td->td_ucred->cr_rgid; 259 #if defined(COMPAT_43) 260 td->td_retval[1] = td->td_ucred->cr_groups[0]; 261 #endif 262 return (0); 263 } 264 265 /* 266 * Get effective group ID. The "egid" is groups[0], and could be obtained 267 * via getgroups. This syscall exists because it is somewhat painful to do 268 * correctly in a library function. 269 */ 270 #ifndef _SYS_SYSPROTO_H_ 271 struct getegid_args { 272 int dummy; 273 }; 274 #endif 275 /* 276 * MPSAFE 277 */ 278 /* ARGSUSED */ 279 int 280 getegid(struct thread *td, struct getegid_args *uap) 281 { 282 283 td->td_retval[0] = td->td_ucred->cr_groups[0]; 284 return (0); 285 } 286 287 #ifndef _SYS_SYSPROTO_H_ 288 struct getgroups_args { 289 u_int gidsetsize; 290 gid_t *gidset; 291 }; 292 #endif 293 /* 294 * MPSAFE 295 */ 296 int 297 getgroups(struct thread *td, register struct getgroups_args *uap) 298 { 299 gid_t groups[NGROUPS]; 300 u_int ngrp; 301 int error; 302 303 ngrp = MIN(uap->gidsetsize, NGROUPS); 304 error = kern_getgroups(td, &ngrp, groups); 305 if (error) 306 return (error); 307 if (uap->gidsetsize > 0) 308 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 309 if (error == 0) 310 td->td_retval[0] = ngrp; 311 return (error); 312 } 313 314 int 315 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 316 { 317 struct ucred *cred; 318 319 cred = td->td_ucred; 320 if (*ngrp == 0) { 321 *ngrp = cred->cr_ngroups; 322 return (0); 323 } 324 if (*ngrp < cred->cr_ngroups) 325 return (EINVAL); 326 *ngrp = cred->cr_ngroups; 327 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 328 return (0); 329 } 330 331 #ifndef _SYS_SYSPROTO_H_ 332 struct setsid_args { 333 int dummy; 334 }; 335 #endif 336 /* 337 * MPSAFE 338 */ 339 /* ARGSUSED */ 340 int 341 setsid(register struct thread *td, struct setsid_args *uap) 342 { 343 struct pgrp *pgrp; 344 int error; 345 struct proc *p = td->td_proc; 346 struct pgrp *newpgrp; 347 struct session *newsess; 348 349 error = 0; 350 pgrp = NULL; 351 352 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 353 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 354 355 sx_xlock(&proctree_lock); 356 357 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 358 if (pgrp != NULL) 359 PGRP_UNLOCK(pgrp); 360 error = EPERM; 361 } else { 362 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 363 td->td_retval[0] = p->p_pid; 364 newpgrp = NULL; 365 newsess = NULL; 366 } 367 368 sx_xunlock(&proctree_lock); 369 370 if (newpgrp != NULL) 371 FREE(newpgrp, M_PGRP); 372 if (newsess != NULL) 373 FREE(newsess, M_SESSION); 374 375 return (error); 376 } 377 378 /* 379 * set process group (setpgid/old setpgrp) 380 * 381 * caller does setpgid(targpid, targpgid) 382 * 383 * pid must be caller or child of caller (ESRCH) 384 * if a child 385 * pid must be in same session (EPERM) 386 * pid can't have done an exec (EACCES) 387 * if pgid != pid 388 * there must exist some pid in same session having pgid (EPERM) 389 * pid must not be session leader (EPERM) 390 */ 391 #ifndef _SYS_SYSPROTO_H_ 392 struct setpgid_args { 393 int pid; /* target process id */ 394 int pgid; /* target pgrp id */ 395 }; 396 #endif 397 /* 398 * MPSAFE 399 */ 400 /* ARGSUSED */ 401 int 402 setpgid(struct thread *td, register struct setpgid_args *uap) 403 { 404 struct proc *curp = td->td_proc; 405 register struct proc *targp; /* target process */ 406 register struct pgrp *pgrp; /* target pgrp */ 407 int error; 408 struct pgrp *newpgrp; 409 410 if (uap->pgid < 0) 411 return (EINVAL); 412 413 error = 0; 414 415 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 416 417 sx_xlock(&proctree_lock); 418 if (uap->pid != 0 && uap->pid != curp->p_pid) { 419 if ((targp = pfind(uap->pid)) == NULL) { 420 error = ESRCH; 421 goto done; 422 } 423 if (!inferior(targp)) { 424 PROC_UNLOCK(targp); 425 error = ESRCH; 426 goto done; 427 } 428 if ((error = p_cansee(td, targp))) { 429 PROC_UNLOCK(targp); 430 goto done; 431 } 432 if (targp->p_pgrp == NULL || 433 targp->p_session != curp->p_session) { 434 PROC_UNLOCK(targp); 435 error = EPERM; 436 goto done; 437 } 438 if (targp->p_flag & P_EXEC) { 439 PROC_UNLOCK(targp); 440 error = EACCES; 441 goto done; 442 } 443 PROC_UNLOCK(targp); 444 } else 445 targp = curp; 446 if (SESS_LEADER(targp)) { 447 error = EPERM; 448 goto done; 449 } 450 if (uap->pgid == 0) 451 uap->pgid = targp->p_pid; 452 if ((pgrp = pgfind(uap->pgid)) == NULL) { 453 if (uap->pgid == targp->p_pid) { 454 error = enterpgrp(targp, uap->pgid, newpgrp, 455 NULL); 456 if (error == 0) 457 newpgrp = NULL; 458 } else 459 error = EPERM; 460 } else { 461 if (pgrp == targp->p_pgrp) { 462 PGRP_UNLOCK(pgrp); 463 goto done; 464 } 465 if (pgrp->pg_id != targp->p_pid && 466 pgrp->pg_session != curp->p_session) { 467 PGRP_UNLOCK(pgrp); 468 error = EPERM; 469 goto done; 470 } 471 PGRP_UNLOCK(pgrp); 472 error = enterthispgrp(targp, pgrp); 473 } 474 done: 475 sx_xunlock(&proctree_lock); 476 KASSERT((error == 0) || (newpgrp != NULL), 477 ("setpgid failed and newpgrp is NULL")); 478 if (newpgrp != NULL) 479 FREE(newpgrp, M_PGRP); 480 return (error); 481 } 482 483 /* 484 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 485 * compatible. It says that setting the uid/gid to euid/egid is a special 486 * case of "appropriate privilege". Once the rules are expanded out, this 487 * basically means that setuid(nnn) sets all three id's, in all permitted 488 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 489 * does not set the saved id - this is dangerous for traditional BSD 490 * programs. For this reason, we *really* do not want to set 491 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 492 */ 493 #define POSIX_APPENDIX_B_4_2_2 494 495 #ifndef _SYS_SYSPROTO_H_ 496 struct setuid_args { 497 uid_t uid; 498 }; 499 #endif 500 /* 501 * MPSAFE 502 */ 503 /* ARGSUSED */ 504 int 505 setuid(struct thread *td, struct setuid_args *uap) 506 { 507 struct proc *p = td->td_proc; 508 struct ucred *newcred, *oldcred; 509 uid_t uid; 510 struct uidinfo *uip; 511 int error; 512 513 uid = uap->uid; 514 AUDIT_ARG(uid, uid); 515 newcred = crget(); 516 uip = uifind(uid); 517 PROC_LOCK(p); 518 oldcred = p->p_ucred; 519 520 #ifdef MAC 521 error = mac_check_proc_setuid(p, oldcred, uid); 522 if (error) 523 goto fail; 524 #endif 525 526 /* 527 * See if we have "permission" by POSIX 1003.1 rules. 528 * 529 * Note that setuid(geteuid()) is a special case of 530 * "appropriate privileges" in appendix B.4.2.2. We need 531 * to use this clause to be compatible with traditional BSD 532 * semantics. Basically, it means that "setuid(xx)" sets all 533 * three id's (assuming you have privs). 534 * 535 * Notes on the logic. We do things in three steps. 536 * 1: We determine if the euid is going to change, and do EPERM 537 * right away. We unconditionally change the euid later if this 538 * test is satisfied, simplifying that part of the logic. 539 * 2: We determine if the real and/or saved uids are going to 540 * change. Determined by compile options. 541 * 3: Change euid last. (after tests in #2 for "appropriate privs") 542 */ 543 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 544 #ifdef _POSIX_SAVED_IDS 545 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 546 #endif 547 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 548 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 549 #endif 550 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 551 goto fail; 552 553 /* 554 * Copy credentials so other references do not see our changes. 555 */ 556 crcopy(newcred, oldcred); 557 #ifdef _POSIX_SAVED_IDS 558 /* 559 * Do we have "appropriate privileges" (are we root or uid == euid) 560 * If so, we are changing the real uid and/or saved uid. 561 */ 562 if ( 563 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 564 uid == oldcred->cr_uid || 565 #endif 566 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ 567 #endif 568 { 569 /* 570 * Set the real uid and transfer proc count to new user. 571 */ 572 if (uid != oldcred->cr_ruid) { 573 change_ruid(newcred, uip); 574 setsugid(p); 575 } 576 /* 577 * Set saved uid 578 * 579 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 580 * the security of seteuid() depends on it. B.4.2.2 says it 581 * is important that we should do this. 582 */ 583 if (uid != oldcred->cr_svuid) { 584 change_svuid(newcred, uid); 585 setsugid(p); 586 } 587 } 588 589 /* 590 * In all permitted cases, we are changing the euid. 591 */ 592 if (uid != oldcred->cr_uid) { 593 change_euid(newcred, uip); 594 setsugid(p); 595 } 596 p->p_ucred = newcred; 597 PROC_UNLOCK(p); 598 uifree(uip); 599 crfree(oldcred); 600 return (0); 601 602 fail: 603 PROC_UNLOCK(p); 604 uifree(uip); 605 crfree(newcred); 606 return (error); 607 } 608 609 #ifndef _SYS_SYSPROTO_H_ 610 struct seteuid_args { 611 uid_t euid; 612 }; 613 #endif 614 /* 615 * MPSAFE 616 */ 617 /* ARGSUSED */ 618 int 619 seteuid(struct thread *td, struct seteuid_args *uap) 620 { 621 struct proc *p = td->td_proc; 622 struct ucred *newcred, *oldcred; 623 uid_t euid; 624 struct uidinfo *euip; 625 int error; 626 627 euid = uap->euid; 628 AUDIT_ARG(euid, euid); 629 newcred = crget(); 630 euip = uifind(euid); 631 PROC_LOCK(p); 632 oldcred = p->p_ucred; 633 634 #ifdef MAC 635 error = mac_check_proc_seteuid(p, oldcred, euid); 636 if (error) 637 goto fail; 638 #endif 639 640 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 641 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 642 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 643 goto fail; 644 645 /* 646 * Everything's okay, do it. Copy credentials so other references do 647 * not see our changes. 648 */ 649 crcopy(newcred, oldcred); 650 if (oldcred->cr_uid != euid) { 651 change_euid(newcred, euip); 652 setsugid(p); 653 } 654 p->p_ucred = newcred; 655 PROC_UNLOCK(p); 656 uifree(euip); 657 crfree(oldcred); 658 return (0); 659 660 fail: 661 PROC_UNLOCK(p); 662 uifree(euip); 663 crfree(newcred); 664 return (error); 665 } 666 667 #ifndef _SYS_SYSPROTO_H_ 668 struct setgid_args { 669 gid_t gid; 670 }; 671 #endif 672 /* 673 * MPSAFE 674 */ 675 /* ARGSUSED */ 676 int 677 setgid(struct thread *td, struct setgid_args *uap) 678 { 679 struct proc *p = td->td_proc; 680 struct ucred *newcred, *oldcred; 681 gid_t gid; 682 int error; 683 684 gid = uap->gid; 685 AUDIT_ARG(gid, gid); 686 newcred = crget(); 687 PROC_LOCK(p); 688 oldcred = p->p_ucred; 689 690 #ifdef MAC 691 error = mac_check_proc_setgid(p, oldcred, gid); 692 if (error) 693 goto fail; 694 #endif 695 696 /* 697 * See if we have "permission" by POSIX 1003.1 rules. 698 * 699 * Note that setgid(getegid()) is a special case of 700 * "appropriate privileges" in appendix B.4.2.2. We need 701 * to use this clause to be compatible with traditional BSD 702 * semantics. Basically, it means that "setgid(xx)" sets all 703 * three id's (assuming you have privs). 704 * 705 * For notes on the logic here, see setuid() above. 706 */ 707 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 708 #ifdef _POSIX_SAVED_IDS 709 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 710 #endif 711 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 712 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 713 #endif 714 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 715 goto fail; 716 717 crcopy(newcred, oldcred); 718 #ifdef _POSIX_SAVED_IDS 719 /* 720 * Do we have "appropriate privileges" (are we root or gid == egid) 721 * If so, we are changing the real uid and saved gid. 722 */ 723 if ( 724 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 725 gid == oldcred->cr_groups[0] || 726 #endif 727 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ 728 #endif 729 { 730 /* 731 * Set real gid 732 */ 733 if (oldcred->cr_rgid != gid) { 734 change_rgid(newcred, gid); 735 setsugid(p); 736 } 737 /* 738 * Set saved gid 739 * 740 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 741 * the security of setegid() depends on it. B.4.2.2 says it 742 * is important that we should do this. 743 */ 744 if (oldcred->cr_svgid != gid) { 745 change_svgid(newcred, gid); 746 setsugid(p); 747 } 748 } 749 /* 750 * In all cases permitted cases, we are changing the egid. 751 * Copy credentials so other references do not see our changes. 752 */ 753 if (oldcred->cr_groups[0] != gid) { 754 change_egid(newcred, gid); 755 setsugid(p); 756 } 757 p->p_ucred = newcred; 758 PROC_UNLOCK(p); 759 crfree(oldcred); 760 return (0); 761 762 fail: 763 PROC_UNLOCK(p); 764 crfree(newcred); 765 return (error); 766 } 767 768 #ifndef _SYS_SYSPROTO_H_ 769 struct setegid_args { 770 gid_t egid; 771 }; 772 #endif 773 /* 774 * MPSAFE 775 */ 776 /* ARGSUSED */ 777 int 778 setegid(struct thread *td, struct setegid_args *uap) 779 { 780 struct proc *p = td->td_proc; 781 struct ucred *newcred, *oldcred; 782 gid_t egid; 783 int error; 784 785 egid = uap->egid; 786 AUDIT_ARG(egid, egid); 787 newcred = crget(); 788 PROC_LOCK(p); 789 oldcred = p->p_ucred; 790 791 #ifdef MAC 792 error = mac_check_proc_setegid(p, oldcred, egid); 793 if (error) 794 goto fail; 795 #endif 796 797 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 798 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 799 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 800 goto fail; 801 802 crcopy(newcred, oldcred); 803 if (oldcred->cr_groups[0] != egid) { 804 change_egid(newcred, egid); 805 setsugid(p); 806 } 807 p->p_ucred = newcred; 808 PROC_UNLOCK(p); 809 crfree(oldcred); 810 return (0); 811 812 fail: 813 PROC_UNLOCK(p); 814 crfree(newcred); 815 return (error); 816 } 817 818 #ifndef _SYS_SYSPROTO_H_ 819 struct setgroups_args { 820 u_int gidsetsize; 821 gid_t *gidset; 822 }; 823 #endif 824 /* 825 * MPSAFE 826 */ 827 /* ARGSUSED */ 828 int 829 setgroups(struct thread *td, struct setgroups_args *uap) 830 { 831 gid_t groups[NGROUPS]; 832 int error; 833 834 if (uap->gidsetsize > NGROUPS) 835 return (EINVAL); 836 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 837 if (error) 838 return (error); 839 return (kern_setgroups(td, uap->gidsetsize, groups)); 840 } 841 842 int 843 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 844 { 845 struct proc *p = td->td_proc; 846 struct ucred *newcred, *oldcred; 847 int error; 848 849 if (ngrp > NGROUPS) 850 return (EINVAL); 851 AUDIT_ARG(groupset, groups, ngrp); 852 newcred = crget(); 853 PROC_LOCK(p); 854 oldcred = p->p_ucred; 855 856 #ifdef MAC 857 error = mac_check_proc_setgroups(p, oldcred, ngrp, groups); 858 if (error) 859 goto fail; 860 #endif 861 862 error = suser_cred(oldcred, SUSER_ALLOWJAIL); 863 if (error) 864 goto fail; 865 866 /* 867 * XXX A little bit lazy here. We could test if anything has 868 * changed before crcopy() and setting P_SUGID. 869 */ 870 crcopy(newcred, oldcred); 871 if (ngrp < 1) { 872 /* 873 * setgroups(0, NULL) is a legitimate way of clearing the 874 * groups vector on non-BSD systems (which generally do not 875 * have the egid in the groups[0]). We risk security holes 876 * when running non-BSD software if we do not do the same. 877 */ 878 newcred->cr_ngroups = 1; 879 } else { 880 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 881 newcred->cr_ngroups = ngrp; 882 } 883 setsugid(p); 884 p->p_ucred = newcred; 885 PROC_UNLOCK(p); 886 crfree(oldcred); 887 return (0); 888 889 fail: 890 PROC_UNLOCK(p); 891 crfree(newcred); 892 return (error); 893 } 894 895 #ifndef _SYS_SYSPROTO_H_ 896 struct setreuid_args { 897 uid_t ruid; 898 uid_t euid; 899 }; 900 #endif 901 /* 902 * MPSAFE 903 */ 904 /* ARGSUSED */ 905 int 906 setreuid(register struct thread *td, struct setreuid_args *uap) 907 { 908 struct proc *p = td->td_proc; 909 struct ucred *newcred, *oldcred; 910 uid_t euid, ruid; 911 struct uidinfo *euip, *ruip; 912 int error; 913 914 euid = uap->euid; 915 ruid = uap->ruid; 916 AUDIT_ARG(euid, euid); 917 AUDIT_ARG(ruid, ruid); 918 newcred = crget(); 919 euip = uifind(euid); 920 ruip = uifind(ruid); 921 PROC_LOCK(p); 922 oldcred = p->p_ucred; 923 924 #ifdef MAC 925 error = mac_check_proc_setreuid(p, oldcred, ruid, euid); 926 if (error) 927 goto fail; 928 #endif 929 930 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 931 ruid != oldcred->cr_svuid) || 932 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 933 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 934 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 935 goto fail; 936 937 crcopy(newcred, oldcred); 938 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 939 change_euid(newcred, euip); 940 setsugid(p); 941 } 942 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 943 change_ruid(newcred, ruip); 944 setsugid(p); 945 } 946 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 947 newcred->cr_svuid != newcred->cr_uid) { 948 change_svuid(newcred, newcred->cr_uid); 949 setsugid(p); 950 } 951 p->p_ucred = newcred; 952 PROC_UNLOCK(p); 953 uifree(ruip); 954 uifree(euip); 955 crfree(oldcred); 956 return (0); 957 958 fail: 959 PROC_UNLOCK(p); 960 uifree(ruip); 961 uifree(euip); 962 crfree(newcred); 963 return (error); 964 } 965 966 #ifndef _SYS_SYSPROTO_H_ 967 struct setregid_args { 968 gid_t rgid; 969 gid_t egid; 970 }; 971 #endif 972 /* 973 * MPSAFE 974 */ 975 /* ARGSUSED */ 976 int 977 setregid(register struct thread *td, struct setregid_args *uap) 978 { 979 struct proc *p = td->td_proc; 980 struct ucred *newcred, *oldcred; 981 gid_t egid, rgid; 982 int error; 983 984 egid = uap->egid; 985 rgid = uap->rgid; 986 AUDIT_ARG(egid, egid); 987 AUDIT_ARG(rgid, rgid); 988 newcred = crget(); 989 PROC_LOCK(p); 990 oldcred = p->p_ucred; 991 992 #ifdef MAC 993 error = mac_check_proc_setregid(p, oldcred, rgid, egid); 994 if (error) 995 goto fail; 996 #endif 997 998 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 999 rgid != oldcred->cr_svgid) || 1000 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 1001 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1002 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1003 goto fail; 1004 1005 crcopy(newcred, oldcred); 1006 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1007 change_egid(newcred, egid); 1008 setsugid(p); 1009 } 1010 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1011 change_rgid(newcred, rgid); 1012 setsugid(p); 1013 } 1014 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1015 newcred->cr_svgid != newcred->cr_groups[0]) { 1016 change_svgid(newcred, newcred->cr_groups[0]); 1017 setsugid(p); 1018 } 1019 p->p_ucred = newcred; 1020 PROC_UNLOCK(p); 1021 crfree(oldcred); 1022 return (0); 1023 1024 fail: 1025 PROC_UNLOCK(p); 1026 crfree(newcred); 1027 return (error); 1028 } 1029 1030 /* 1031 * setresuid(ruid, euid, suid) is like setreuid except control over the 1032 * saved uid is explicit. 1033 */ 1034 1035 #ifndef _SYS_SYSPROTO_H_ 1036 struct setresuid_args { 1037 uid_t ruid; 1038 uid_t euid; 1039 uid_t suid; 1040 }; 1041 #endif 1042 /* 1043 * MPSAFE 1044 */ 1045 /* ARGSUSED */ 1046 int 1047 setresuid(register struct thread *td, struct setresuid_args *uap) 1048 { 1049 struct proc *p = td->td_proc; 1050 struct ucred *newcred, *oldcred; 1051 uid_t euid, ruid, suid; 1052 struct uidinfo *euip, *ruip; 1053 int error; 1054 1055 euid = uap->euid; 1056 ruid = uap->ruid; 1057 suid = uap->suid; 1058 AUDIT_ARG(euid, euid); 1059 AUDIT_ARG(ruid, ruid); 1060 AUDIT_ARG(suid, suid); 1061 newcred = crget(); 1062 euip = uifind(euid); 1063 ruip = uifind(ruid); 1064 PROC_LOCK(p); 1065 oldcred = p->p_ucred; 1066 1067 #ifdef MAC 1068 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); 1069 if (error) 1070 goto fail; 1071 #endif 1072 1073 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1074 ruid != oldcred->cr_svuid && 1075 ruid != oldcred->cr_uid) || 1076 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1077 euid != oldcred->cr_svuid && 1078 euid != oldcred->cr_uid) || 1079 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1080 suid != oldcred->cr_svuid && 1081 suid != oldcred->cr_uid)) && 1082 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1083 goto fail; 1084 1085 crcopy(newcred, oldcred); 1086 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1087 change_euid(newcred, euip); 1088 setsugid(p); 1089 } 1090 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1091 change_ruid(newcred, ruip); 1092 setsugid(p); 1093 } 1094 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1095 change_svuid(newcred, suid); 1096 setsugid(p); 1097 } 1098 p->p_ucred = newcred; 1099 PROC_UNLOCK(p); 1100 uifree(ruip); 1101 uifree(euip); 1102 crfree(oldcred); 1103 return (0); 1104 1105 fail: 1106 PROC_UNLOCK(p); 1107 uifree(ruip); 1108 uifree(euip); 1109 crfree(newcred); 1110 return (error); 1111 1112 } 1113 1114 /* 1115 * setresgid(rgid, egid, sgid) is like setregid except control over the 1116 * saved gid is explicit. 1117 */ 1118 1119 #ifndef _SYS_SYSPROTO_H_ 1120 struct setresgid_args { 1121 gid_t rgid; 1122 gid_t egid; 1123 gid_t sgid; 1124 }; 1125 #endif 1126 /* 1127 * MPSAFE 1128 */ 1129 /* ARGSUSED */ 1130 int 1131 setresgid(register struct thread *td, struct setresgid_args *uap) 1132 { 1133 struct proc *p = td->td_proc; 1134 struct ucred *newcred, *oldcred; 1135 gid_t egid, rgid, sgid; 1136 int error; 1137 1138 egid = uap->egid; 1139 rgid = uap->rgid; 1140 sgid = uap->sgid; 1141 AUDIT_ARG(egid, egid); 1142 AUDIT_ARG(rgid, rgid); 1143 AUDIT_ARG(sgid, sgid); 1144 newcred = crget(); 1145 PROC_LOCK(p); 1146 oldcred = p->p_ucred; 1147 1148 #ifdef MAC 1149 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); 1150 if (error) 1151 goto fail; 1152 #endif 1153 1154 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1155 rgid != oldcred->cr_svgid && 1156 rgid != oldcred->cr_groups[0]) || 1157 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1158 egid != oldcred->cr_svgid && 1159 egid != oldcred->cr_groups[0]) || 1160 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1161 sgid != oldcred->cr_svgid && 1162 sgid != oldcred->cr_groups[0])) && 1163 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1164 goto fail; 1165 1166 crcopy(newcred, oldcred); 1167 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1168 change_egid(newcred, egid); 1169 setsugid(p); 1170 } 1171 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1172 change_rgid(newcred, rgid); 1173 setsugid(p); 1174 } 1175 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1176 change_svgid(newcred, sgid); 1177 setsugid(p); 1178 } 1179 p->p_ucred = newcred; 1180 PROC_UNLOCK(p); 1181 crfree(oldcred); 1182 return (0); 1183 1184 fail: 1185 PROC_UNLOCK(p); 1186 crfree(newcred); 1187 return (error); 1188 } 1189 1190 #ifndef _SYS_SYSPROTO_H_ 1191 struct getresuid_args { 1192 uid_t *ruid; 1193 uid_t *euid; 1194 uid_t *suid; 1195 }; 1196 #endif 1197 /* 1198 * MPSAFE 1199 */ 1200 /* ARGSUSED */ 1201 int 1202 getresuid(register struct thread *td, struct getresuid_args *uap) 1203 { 1204 struct ucred *cred; 1205 int error1 = 0, error2 = 0, error3 = 0; 1206 1207 cred = td->td_ucred; 1208 if (uap->ruid) 1209 error1 = copyout(&cred->cr_ruid, 1210 uap->ruid, sizeof(cred->cr_ruid)); 1211 if (uap->euid) 1212 error2 = copyout(&cred->cr_uid, 1213 uap->euid, sizeof(cred->cr_uid)); 1214 if (uap->suid) 1215 error3 = copyout(&cred->cr_svuid, 1216 uap->suid, sizeof(cred->cr_svuid)); 1217 return (error1 ? error1 : error2 ? error2 : error3); 1218 } 1219 1220 #ifndef _SYS_SYSPROTO_H_ 1221 struct getresgid_args { 1222 gid_t *rgid; 1223 gid_t *egid; 1224 gid_t *sgid; 1225 }; 1226 #endif 1227 /* 1228 * MPSAFE 1229 */ 1230 /* ARGSUSED */ 1231 int 1232 getresgid(register struct thread *td, struct getresgid_args *uap) 1233 { 1234 struct ucred *cred; 1235 int error1 = 0, error2 = 0, error3 = 0; 1236 1237 cred = td->td_ucred; 1238 if (uap->rgid) 1239 error1 = copyout(&cred->cr_rgid, 1240 uap->rgid, sizeof(cred->cr_rgid)); 1241 if (uap->egid) 1242 error2 = copyout(&cred->cr_groups[0], 1243 uap->egid, sizeof(cred->cr_groups[0])); 1244 if (uap->sgid) 1245 error3 = copyout(&cred->cr_svgid, 1246 uap->sgid, sizeof(cred->cr_svgid)); 1247 return (error1 ? error1 : error2 ? error2 : error3); 1248 } 1249 1250 #ifndef _SYS_SYSPROTO_H_ 1251 struct issetugid_args { 1252 int dummy; 1253 }; 1254 #endif 1255 /* 1256 * MPSAFE 1257 */ 1258 /* ARGSUSED */ 1259 int 1260 issetugid(register struct thread *td, struct issetugid_args *uap) 1261 { 1262 struct proc *p = td->td_proc; 1263 1264 /* 1265 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1266 * we use P_SUGID because we consider changing the owners as 1267 * "tainting" as well. 1268 * This is significant for procs that start as root and "become" 1269 * a user without an exec - programs cannot know *everything* 1270 * that libc *might* have put in their data segment. 1271 */ 1272 PROC_LOCK(p); 1273 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1274 PROC_UNLOCK(p); 1275 return (0); 1276 } 1277 1278 /* 1279 * MPSAFE 1280 */ 1281 int 1282 __setugid(struct thread *td, struct __setugid_args *uap) 1283 { 1284 #ifdef REGRESSION 1285 struct proc *p; 1286 1287 p = td->td_proc; 1288 switch (uap->flag) { 1289 case 0: 1290 PROC_LOCK(p); 1291 p->p_flag &= ~P_SUGID; 1292 PROC_UNLOCK(p); 1293 return (0); 1294 case 1: 1295 PROC_LOCK(p); 1296 p->p_flag |= P_SUGID; 1297 PROC_UNLOCK(p); 1298 return (0); 1299 default: 1300 return (EINVAL); 1301 } 1302 #else /* !REGRESSION */ 1303 1304 return (ENOSYS); 1305 #endif /* REGRESSION */ 1306 } 1307 1308 /* 1309 * Check if gid is a member of the group set. 1310 * 1311 * MPSAFE (cred must be held) 1312 */ 1313 int 1314 groupmember(gid_t gid, struct ucred *cred) 1315 { 1316 register gid_t *gp; 1317 gid_t *egp; 1318 1319 egp = &(cred->cr_groups[cred->cr_ngroups]); 1320 for (gp = cred->cr_groups; gp < egp; gp++) 1321 if (*gp == gid) 1322 return (1); 1323 return (0); 1324 } 1325 1326 /* 1327 * `suser_enabled' (which can be set by the security.suser_enabled 1328 * sysctl) determines whether the system 'super-user' policy is in effect. 1329 * If it is nonzero, an effective uid of 0 connotes special privilege, 1330 * overriding many mandatory and discretionary protections. If it is zero, 1331 * uid 0 is offered no special privilege in the kernel security policy. 1332 * Setting it to zero may seriously impact the functionality of many 1333 * existing userland programs, and should not be done without careful 1334 * consideration of the consequences. 1335 */ 1336 int suser_enabled = 1; 1337 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1338 &suser_enabled, 0, "processes with uid 0 have privilege"); 1339 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1340 1341 /* 1342 * Test whether the specified credentials imply "super-user" privilege. 1343 * Return 0 or EPERM. 1344 */ 1345 int 1346 suser_cred(struct ucred *cred, int flag) 1347 { 1348 1349 if (!suser_enabled) 1350 return (EPERM); 1351 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0) 1352 return (EPERM); 1353 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL)) 1354 return (EPERM); 1355 return (0); 1356 } 1357 1358 /* 1359 * Shortcut to hide contents of struct td and struct proc from the 1360 * caller, promoting binary compatibility. 1361 */ 1362 int 1363 suser(struct thread *td) 1364 { 1365 1366 #ifdef INVARIANTS 1367 if (td != curthread) { 1368 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n", 1369 td, td->td_proc->p_pid, td->td_proc->p_comm, 1370 curthread, curthread->td_proc->p_pid, 1371 curthread->td_proc->p_comm); 1372 #ifdef KDB 1373 kdb_backtrace(); 1374 #endif 1375 } 1376 #endif 1377 return (suser_cred(td->td_ucred, 0)); 1378 } 1379 1380 /* 1381 * Test the active securelevel against a given level. securelevel_gt() 1382 * implements (securelevel > level). securelevel_ge() implements 1383 * (securelevel >= level). Note that the logic is inverted -- these 1384 * functions return EPERM on "success" and 0 on "failure". 1385 * 1386 * MPSAFE 1387 */ 1388 int 1389 securelevel_gt(struct ucred *cr, int level) 1390 { 1391 int active_securelevel; 1392 1393 active_securelevel = securelevel; 1394 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1395 if (cr->cr_prison != NULL) 1396 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1397 active_securelevel); 1398 return (active_securelevel > level ? EPERM : 0); 1399 } 1400 1401 int 1402 securelevel_ge(struct ucred *cr, int level) 1403 { 1404 int active_securelevel; 1405 1406 active_securelevel = securelevel; 1407 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1408 if (cr->cr_prison != NULL) 1409 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1410 active_securelevel); 1411 return (active_securelevel >= level ? EPERM : 0); 1412 } 1413 1414 /* 1415 * 'see_other_uids' determines whether or not visibility of processes 1416 * and sockets with credentials holding different real uids is possible 1417 * using a variety of system MIBs. 1418 * XXX: data declarations should be together near the beginning of the file. 1419 */ 1420 static int see_other_uids = 1; 1421 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1422 &see_other_uids, 0, 1423 "Unprivileged processes may see subjects/objects with different real uid"); 1424 1425 /*- 1426 * Determine if u1 "can see" the subject specified by u2, according to the 1427 * 'see_other_uids' policy. 1428 * Returns: 0 for permitted, ESRCH otherwise 1429 * Locks: none 1430 * References: *u1 and *u2 must not change during the call 1431 * u1 may equal u2, in which case only one reference is required 1432 */ 1433 static int 1434 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1435 { 1436 1437 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1438 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) 1439 return (ESRCH); 1440 } 1441 return (0); 1442 } 1443 1444 /* 1445 * 'see_other_gids' determines whether or not visibility of processes 1446 * and sockets with credentials holding different real gids is possible 1447 * using a variety of system MIBs. 1448 * XXX: data declarations should be together near the beginning of the file. 1449 */ 1450 static int see_other_gids = 1; 1451 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1452 &see_other_gids, 0, 1453 "Unprivileged processes may see subjects/objects with different real gid"); 1454 1455 /* 1456 * Determine if u1 can "see" the subject specified by u2, according to the 1457 * 'see_other_gids' policy. 1458 * Returns: 0 for permitted, ESRCH otherwise 1459 * Locks: none 1460 * References: *u1 and *u2 must not change during the call 1461 * u1 may equal u2, in which case only one reference is required 1462 */ 1463 static int 1464 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1465 { 1466 int i, match; 1467 1468 if (!see_other_gids) { 1469 match = 0; 1470 for (i = 0; i < u1->cr_ngroups; i++) { 1471 if (groupmember(u1->cr_groups[i], u2)) 1472 match = 1; 1473 if (match) 1474 break; 1475 } 1476 if (!match) { 1477 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) 1478 return (ESRCH); 1479 } 1480 } 1481 return (0); 1482 } 1483 1484 /*- 1485 * Determine if u1 "can see" the subject specified by u2. 1486 * Returns: 0 for permitted, an errno value otherwise 1487 * Locks: none 1488 * References: *u1 and *u2 must not change during the call 1489 * u1 may equal u2, in which case only one reference is required 1490 */ 1491 int 1492 cr_cansee(struct ucred *u1, struct ucred *u2) 1493 { 1494 int error; 1495 1496 if ((error = prison_check(u1, u2))) 1497 return (error); 1498 #ifdef MAC 1499 if ((error = mac_check_cred_visible(u1, u2))) 1500 return (error); 1501 #endif 1502 if ((error = cr_seeotheruids(u1, u2))) 1503 return (error); 1504 if ((error = cr_seeothergids(u1, u2))) 1505 return (error); 1506 return (0); 1507 } 1508 1509 /*- 1510 * Determine if td "can see" the subject specified by p. 1511 * Returns: 0 for permitted, an errno value otherwise 1512 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1513 * should be curthread. 1514 * References: td and p must be valid for the lifetime of the call 1515 */ 1516 int 1517 p_cansee(struct thread *td, struct proc *p) 1518 { 1519 1520 /* Wrap cr_cansee() for all functionality. */ 1521 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1522 PROC_LOCK_ASSERT(p, MA_OWNED); 1523 return (cr_cansee(td->td_ucred, p->p_ucred)); 1524 } 1525 1526 /* 1527 * 'conservative_signals' prevents the delivery of a broad class of 1528 * signals by unprivileged processes to processes that have changed their 1529 * credentials since the last invocation of execve(). This can prevent 1530 * the leakage of cached information or retained privileges as a result 1531 * of a common class of signal-related vulnerabilities. However, this 1532 * may interfere with some applications that expect to be able to 1533 * deliver these signals to peer processes after having given up 1534 * privilege. 1535 */ 1536 static int conservative_signals = 1; 1537 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1538 &conservative_signals, 0, "Unprivileged processes prevented from " 1539 "sending certain signals to processes whose credentials have changed"); 1540 /*- 1541 * Determine whether cred may deliver the specified signal to proc. 1542 * Returns: 0 for permitted, an errno value otherwise. 1543 * Locks: A lock must be held for proc. 1544 * References: cred and proc must be valid for the lifetime of the call. 1545 */ 1546 int 1547 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1548 { 1549 int error; 1550 1551 PROC_LOCK_ASSERT(proc, MA_OWNED); 1552 /* 1553 * Jail semantics limit the scope of signalling to proc in the 1554 * same jail as cred, if cred is in jail. 1555 */ 1556 error = prison_check(cred, proc->p_ucred); 1557 if (error) 1558 return (error); 1559 #ifdef MAC 1560 if ((error = mac_check_proc_signal(cred, proc, signum))) 1561 return (error); 1562 #endif 1563 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1564 return (error); 1565 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1566 return (error); 1567 1568 /* 1569 * UNIX signal semantics depend on the status of the P_SUGID 1570 * bit on the target process. If the bit is set, then additional 1571 * restrictions are placed on the set of available signals. 1572 */ 1573 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1574 switch (signum) { 1575 case 0: 1576 case SIGKILL: 1577 case SIGINT: 1578 case SIGTERM: 1579 case SIGALRM: 1580 case SIGSTOP: 1581 case SIGTTIN: 1582 case SIGTTOU: 1583 case SIGTSTP: 1584 case SIGHUP: 1585 case SIGUSR1: 1586 case SIGUSR2: 1587 /* 1588 * Generally, permit job and terminal control 1589 * signals. 1590 */ 1591 break; 1592 default: 1593 /* Not permitted without privilege. */ 1594 error = suser_cred(cred, SUSER_ALLOWJAIL); 1595 if (error) 1596 return (error); 1597 } 1598 } 1599 1600 /* 1601 * Generally, the target credential's ruid or svuid must match the 1602 * subject credential's ruid or euid. 1603 */ 1604 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1605 cred->cr_ruid != proc->p_ucred->cr_svuid && 1606 cred->cr_uid != proc->p_ucred->cr_ruid && 1607 cred->cr_uid != proc->p_ucred->cr_svuid) { 1608 /* Not permitted without privilege. */ 1609 error = suser_cred(cred, SUSER_ALLOWJAIL); 1610 if (error) 1611 return (error); 1612 } 1613 1614 return (0); 1615 } 1616 1617 1618 /*- 1619 * Determine whether td may deliver the specified signal to p. 1620 * Returns: 0 for permitted, an errno value otherwise 1621 * Locks: Sufficient locks to protect various components of td and p 1622 * must be held. td must be curthread, and a lock must be 1623 * held for p. 1624 * References: td and p must be valid for the lifetime of the call 1625 */ 1626 int 1627 p_cansignal(struct thread *td, struct proc *p, int signum) 1628 { 1629 1630 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1631 PROC_LOCK_ASSERT(p, MA_OWNED); 1632 if (td->td_proc == p) 1633 return (0); 1634 1635 /* 1636 * UNIX signalling semantics require that processes in the same 1637 * session always be able to deliver SIGCONT to one another, 1638 * overriding the remaining protections. 1639 */ 1640 /* XXX: This will require an additional lock of some sort. */ 1641 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1642 return (0); 1643 /* 1644 * Some compat layers use SIGTHR and higher signals for 1645 * communication between different kernel threads of the same 1646 * process, so that they expect that it's always possible to 1647 * deliver them, even for suid applications where cr_cansignal() can 1648 * deny such ability for security consideration. It should be 1649 * pretty safe to do since the only way to create two processes 1650 * with the same p_leader is via rfork(2). 1651 */ 1652 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1653 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1654 return (0); 1655 1656 return (cr_cansignal(td->td_ucred, p, signum)); 1657 } 1658 1659 /*- 1660 * Determine whether td may reschedule p. 1661 * Returns: 0 for permitted, an errno value otherwise 1662 * Locks: Sufficient locks to protect various components of td and p 1663 * must be held. td must be curthread, and a lock must 1664 * be held for p. 1665 * References: td and p must be valid for the lifetime of the call 1666 */ 1667 int 1668 p_cansched(struct thread *td, struct proc *p) 1669 { 1670 int error; 1671 1672 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1673 PROC_LOCK_ASSERT(p, MA_OWNED); 1674 if (td->td_proc == p) 1675 return (0); 1676 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1677 return (error); 1678 #ifdef MAC 1679 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1680 return (error); 1681 #endif 1682 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1683 return (error); 1684 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1685 return (error); 1686 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1687 return (0); 1688 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1689 return (0); 1690 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) 1691 return (0); 1692 1693 #ifdef CAPABILITIES 1694 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL)) 1695 return (0); 1696 #endif 1697 1698 return (EPERM); 1699 } 1700 1701 /* 1702 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1703 * unprivileged inter-process debugging services, including some procfs 1704 * functionality, ptrace(), and ktrace(). In the past, inter-process 1705 * debugging has been involved in a variety of security problems, and sites 1706 * not requiring the service might choose to disable it when hardening 1707 * systems. 1708 * 1709 * XXX: Should modifying and reading this variable require locking? 1710 * XXX: data declarations should be together near the beginning of the file. 1711 */ 1712 static int unprivileged_proc_debug = 1; 1713 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1714 &unprivileged_proc_debug, 0, 1715 "Unprivileged processes may use process debugging facilities"); 1716 1717 /*- 1718 * Determine whether td may debug p. 1719 * Returns: 0 for permitted, an errno value otherwise 1720 * Locks: Sufficient locks to protect various components of td and p 1721 * must be held. td must be curthread, and a lock must 1722 * be held for p. 1723 * References: td and p must be valid for the lifetime of the call 1724 */ 1725 int 1726 p_candebug(struct thread *td, struct proc *p) 1727 { 1728 int credentialchanged, error, grpsubset, i, uidsubset; 1729 1730 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1731 PROC_LOCK_ASSERT(p, MA_OWNED); 1732 if (!unprivileged_proc_debug) { 1733 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 1734 if (error) 1735 return (error); 1736 } 1737 if (td->td_proc == p) 1738 return (0); 1739 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1740 return (error); 1741 #ifdef MAC 1742 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1743 return (error); 1744 #endif 1745 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1746 return (error); 1747 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1748 return (error); 1749 1750 /* 1751 * Is p's group set a subset of td's effective group set? This 1752 * includes p's egid, group access list, rgid, and svgid. 1753 */ 1754 grpsubset = 1; 1755 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1756 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1757 grpsubset = 0; 1758 break; 1759 } 1760 } 1761 grpsubset = grpsubset && 1762 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1763 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1764 1765 /* 1766 * Are the uids present in p's credential equal to td's 1767 * effective uid? This includes p's euid, svuid, and ruid. 1768 */ 1769 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1770 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1771 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1772 1773 /* 1774 * Has the credential of the process changed since the last exec()? 1775 */ 1776 credentialchanged = (p->p_flag & P_SUGID); 1777 1778 /* 1779 * If p's gids aren't a subset, or the uids aren't a subset, 1780 * or the credential has changed, require appropriate privilege 1781 * for td to debug p. For POSIX.1e capabilities, this will 1782 * require CAP_SYS_PTRACE. 1783 */ 1784 if (!grpsubset || !uidsubset || credentialchanged) { 1785 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 1786 if (error) 1787 return (error); 1788 } 1789 1790 /* Can't trace init when securelevel > 0. */ 1791 if (p == initproc) { 1792 error = securelevel_gt(td->td_ucred, 0); 1793 if (error) 1794 return (error); 1795 } 1796 1797 /* 1798 * Can't trace a process that's currently exec'ing. 1799 * XXX: Note, this is not a security policy decision, it's a 1800 * basic correctness/functionality decision. Therefore, this check 1801 * should be moved to the caller's of p_candebug(). 1802 */ 1803 if ((p->p_flag & P_INEXEC) != 0) 1804 return (EAGAIN); 1805 1806 return (0); 1807 } 1808 1809 /*- 1810 * Determine whether the subject represented by cred can "see" a socket. 1811 * Returns: 0 for permitted, ENOENT otherwise. 1812 */ 1813 int 1814 cr_canseesocket(struct ucred *cred, struct socket *so) 1815 { 1816 int error; 1817 1818 error = prison_check(cred, so->so_cred); 1819 if (error) 1820 return (ENOENT); 1821 #ifdef MAC 1822 SOCK_LOCK(so); 1823 error = mac_check_socket_visible(cred, so); 1824 SOCK_UNLOCK(so); 1825 if (error) 1826 return (error); 1827 #endif 1828 if (cr_seeotheruids(cred, so->so_cred)) 1829 return (ENOENT); 1830 if (cr_seeothergids(cred, so->so_cred)) 1831 return (ENOENT); 1832 1833 return (0); 1834 } 1835 1836 /*- 1837 * Determine whether td can wait for the exit of p. 1838 * Returns: 0 for permitted, an errno value otherwise 1839 * Locks: Sufficient locks to protect various components of td and p 1840 * must be held. td must be curthread, and a lock must 1841 * be held for p. 1842 * References: td and p must be valid for the lifetime of the call 1843 1844 */ 1845 int 1846 p_canwait(struct thread *td, struct proc *p) 1847 { 1848 int error; 1849 1850 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1851 PROC_LOCK_ASSERT(p, MA_OWNED); 1852 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1853 return (error); 1854 #ifdef MAC 1855 if ((error = mac_check_proc_wait(td->td_ucred, p))) 1856 return (error); 1857 #endif 1858 #if 0 1859 /* XXXMAC: This could have odd effects on some shells. */ 1860 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1861 return (error); 1862 #endif 1863 1864 return (0); 1865 } 1866 1867 /* 1868 * Allocate a zeroed cred structure. 1869 * MPSAFE 1870 */ 1871 struct ucred * 1872 crget(void) 1873 { 1874 register struct ucred *cr; 1875 1876 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1877 refcount_init(&cr->cr_ref, 1); 1878 #ifdef MAC 1879 mac_init_cred(cr); 1880 #endif 1881 return (cr); 1882 } 1883 1884 /* 1885 * Claim another reference to a ucred structure. 1886 * MPSAFE 1887 */ 1888 struct ucred * 1889 crhold(struct ucred *cr) 1890 { 1891 1892 refcount_acquire(&cr->cr_ref); 1893 return (cr); 1894 } 1895 1896 /* 1897 * Free a cred structure. 1898 * Throws away space when ref count gets to 0. 1899 * MPSAFE 1900 */ 1901 void 1902 crfree(struct ucred *cr) 1903 { 1904 1905 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1906 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1907 if (refcount_release(&cr->cr_ref)) { 1908 /* 1909 * Some callers of crget(), such as nfs_statfs(), 1910 * allocate a temporary credential, but don't 1911 * allocate a uidinfo structure. 1912 */ 1913 if (cr->cr_uidinfo != NULL) 1914 uifree(cr->cr_uidinfo); 1915 if (cr->cr_ruidinfo != NULL) 1916 uifree(cr->cr_ruidinfo); 1917 /* 1918 * Free a prison, if any. 1919 */ 1920 if (jailed(cr)) 1921 prison_free(cr->cr_prison); 1922 #ifdef MAC 1923 mac_destroy_cred(cr); 1924 #endif 1925 FREE(cr, M_CRED); 1926 } 1927 } 1928 1929 /* 1930 * Check to see if this ucred is shared. 1931 * MPSAFE 1932 */ 1933 int 1934 crshared(struct ucred *cr) 1935 { 1936 1937 return (cr->cr_ref > 1); 1938 } 1939 1940 /* 1941 * Copy a ucred's contents from a template. Does not block. 1942 * MPSAFE 1943 */ 1944 void 1945 crcopy(struct ucred *dest, struct ucred *src) 1946 { 1947 1948 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1949 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1950 (unsigned)((caddr_t)&src->cr_endcopy - 1951 (caddr_t)&src->cr_startcopy)); 1952 uihold(dest->cr_uidinfo); 1953 uihold(dest->cr_ruidinfo); 1954 if (jailed(dest)) 1955 prison_hold(dest->cr_prison); 1956 #ifdef MAC 1957 mac_copy_cred(src, dest); 1958 #endif 1959 } 1960 1961 /* 1962 * Dup cred struct to a new held one. 1963 * MPSAFE 1964 */ 1965 struct ucred * 1966 crdup(struct ucred *cr) 1967 { 1968 struct ucred *newcr; 1969 1970 newcr = crget(); 1971 crcopy(newcr, cr); 1972 return (newcr); 1973 } 1974 1975 /* 1976 * Fill in a struct xucred based on a struct ucred. 1977 * MPSAFE 1978 */ 1979 void 1980 cru2x(struct ucred *cr, struct xucred *xcr) 1981 { 1982 1983 bzero(xcr, sizeof(*xcr)); 1984 xcr->cr_version = XUCRED_VERSION; 1985 xcr->cr_uid = cr->cr_uid; 1986 xcr->cr_ngroups = cr->cr_ngroups; 1987 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1988 } 1989 1990 /* 1991 * small routine to swap a thread's current ucred for the correct one 1992 * taken from the process. 1993 * MPSAFE 1994 */ 1995 void 1996 cred_update_thread(struct thread *td) 1997 { 1998 struct proc *p; 1999 struct ucred *cred; 2000 2001 p = td->td_proc; 2002 cred = td->td_ucred; 2003 PROC_LOCK(p); 2004 td->td_ucred = crhold(p->p_ucred); 2005 PROC_UNLOCK(p); 2006 if (cred != NULL) 2007 crfree(cred); 2008 } 2009 2010 /* 2011 * Get login name, if available. 2012 */ 2013 #ifndef _SYS_SYSPROTO_H_ 2014 struct getlogin_args { 2015 char *namebuf; 2016 u_int namelen; 2017 }; 2018 #endif 2019 /* 2020 * MPSAFE 2021 */ 2022 /* ARGSUSED */ 2023 int 2024 getlogin(struct thread *td, struct getlogin_args *uap) 2025 { 2026 int error; 2027 char login[MAXLOGNAME]; 2028 struct proc *p = td->td_proc; 2029 2030 if (uap->namelen > MAXLOGNAME) 2031 uap->namelen = MAXLOGNAME; 2032 PROC_LOCK(p); 2033 SESS_LOCK(p->p_session); 2034 bcopy(p->p_session->s_login, login, uap->namelen); 2035 SESS_UNLOCK(p->p_session); 2036 PROC_UNLOCK(p); 2037 error = copyout(login, uap->namebuf, uap->namelen); 2038 return(error); 2039 } 2040 2041 /* 2042 * Set login name. 2043 */ 2044 #ifndef _SYS_SYSPROTO_H_ 2045 struct setlogin_args { 2046 char *namebuf; 2047 }; 2048 #endif 2049 /* 2050 * MPSAFE 2051 */ 2052 /* ARGSUSED */ 2053 int 2054 setlogin(struct thread *td, struct setlogin_args *uap) 2055 { 2056 struct proc *p = td->td_proc; 2057 int error; 2058 char logintmp[MAXLOGNAME]; 2059 2060 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 2061 if (error) 2062 return (error); 2063 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2064 if (error == ENAMETOOLONG) 2065 error = EINVAL; 2066 else if (!error) { 2067 PROC_LOCK(p); 2068 SESS_LOCK(p->p_session); 2069 (void) memcpy(p->p_session->s_login, logintmp, 2070 sizeof(logintmp)); 2071 SESS_UNLOCK(p->p_session); 2072 PROC_UNLOCK(p); 2073 } 2074 return (error); 2075 } 2076 2077 void 2078 setsugid(struct proc *p) 2079 { 2080 2081 PROC_LOCK_ASSERT(p, MA_OWNED); 2082 p->p_flag |= P_SUGID; 2083 if (!(p->p_pfsflags & PF_ISUGID)) 2084 p->p_stops = 0; 2085 } 2086 2087 /*- 2088 * Change a process's effective uid. 2089 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2090 * References: newcred must be an exclusive credential reference for the 2091 * duration of the call. 2092 */ 2093 void 2094 change_euid(struct ucred *newcred, struct uidinfo *euip) 2095 { 2096 2097 newcred->cr_uid = euip->ui_uid; 2098 uihold(euip); 2099 uifree(newcred->cr_uidinfo); 2100 newcred->cr_uidinfo = euip; 2101 } 2102 2103 /*- 2104 * Change a process's effective gid. 2105 * Side effects: newcred->cr_gid will be modified. 2106 * References: newcred must be an exclusive credential reference for the 2107 * duration of the call. 2108 */ 2109 void 2110 change_egid(struct ucred *newcred, gid_t egid) 2111 { 2112 2113 newcred->cr_groups[0] = egid; 2114 } 2115 2116 /*- 2117 * Change a process's real uid. 2118 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2119 * will be updated, and the old and new cr_ruidinfo proc 2120 * counts will be updated. 2121 * References: newcred must be an exclusive credential reference for the 2122 * duration of the call. 2123 */ 2124 void 2125 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2126 { 2127 2128 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2129 newcred->cr_ruid = ruip->ui_uid; 2130 uihold(ruip); 2131 uifree(newcred->cr_ruidinfo); 2132 newcred->cr_ruidinfo = ruip; 2133 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2134 } 2135 2136 /*- 2137 * Change a process's real gid. 2138 * Side effects: newcred->cr_rgid will be updated. 2139 * References: newcred must be an exclusive credential reference for the 2140 * duration of the call. 2141 */ 2142 void 2143 change_rgid(struct ucred *newcred, gid_t rgid) 2144 { 2145 2146 newcred->cr_rgid = rgid; 2147 } 2148 2149 /*- 2150 * Change a process's saved uid. 2151 * Side effects: newcred->cr_svuid will be updated. 2152 * References: newcred must be an exclusive credential reference for the 2153 * duration of the call. 2154 */ 2155 void 2156 change_svuid(struct ucred *newcred, uid_t svuid) 2157 { 2158 2159 newcred->cr_svuid = svuid; 2160 } 2161 2162 /*- 2163 * Change a process's saved gid. 2164 * Side effects: newcred->cr_svgid will be updated. 2165 * References: newcred must be an exclusive credential reference for the 2166 * duration of the call. 2167 */ 2168 void 2169 change_svgid(struct ucred *newcred, gid_t svgid) 2170 { 2171 2172 newcred->cr_svgid = svgid; 2173 } 2174