xref: /freebsd/sys/kern/kern_prot.c (revision 41466b50c1d5bfd1cf6adaae547a579a75d7c04e)
1 /*
2  * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  * Copyright (c) 2000, 2001 Robert N. M. Watson.  All rights reserved.
5  * (c) UNIX System Laboratories, Inc.
6  * All or some portions of this file are derived from material licensed
7  * to the University of California by American Telephone and Telegraph
8  * Co. or Unix System Laboratories, Inc. and are reproduced herein with
9  * the permission of UNIX System Laboratories, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  * 3. All advertising materials mentioning features or use of this software
20  *    must display the following acknowledgement:
21  *	This product includes software developed by the University of
22  *	California, Berkeley and its contributors.
23  * 4. Neither the name of the University nor the names of its contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
40  * $FreeBSD$
41  */
42 
43 /*
44  * System calls related to processes and protection
45  */
46 
47 #include "opt_compat.h"
48 #include "opt_global.h"
49 
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/acct.h>
53 #include <sys/kernel.h>
54 #include <sys/lock.h>
55 #include <sys/mutex.h>
56 #include <sys/proc.h>
57 #include <sys/sysproto.h>
58 #include <sys/malloc.h>
59 #include <sys/pioctl.h>
60 #include <sys/resourcevar.h>
61 #include <sys/sysctl.h>
62 #include <sys/jail.h>
63 
64 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
65 
66 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
67     "Kernel security policy");
68 
69 #ifndef _SYS_SYSPROTO_H_
70 struct getpid_args {
71 	int	dummy;
72 };
73 #endif
74 
75 /*
76  * getpid
77  */
78 
79 /*
80  * MPSAFE
81  */
82 /* ARGSUSED */
83 int
84 getpid(td, uap)
85 	struct thread *td;
86 	struct getpid_args *uap;
87 {
88 	struct proc *p = td->td_proc;
89 	int s;
90 
91 	s = mtx_lock_giant(kern_giant_proc);
92 	td->td_retval[0] = p->p_pid;
93 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
94 	PROC_LOCK(p);
95 	td->td_retval[1] = p->p_pptr->p_pid;
96 	PROC_UNLOCK(p);
97 #endif
98 	mtx_unlock_giant(s);
99 	return (0);
100 }
101 
102 /*
103  * getppid
104  */
105 
106 #ifndef _SYS_SYSPROTO_H_
107 struct getppid_args {
108         int     dummy;
109 };
110 #endif
111 /*
112  * MPSAFE
113  */
114 /* ARGSUSED */
115 int
116 getppid(td, uap)
117 	struct thread *td;
118 	struct getppid_args *uap;
119 {
120 	struct proc *p = td->td_proc;
121 	int s;
122 
123 	s = mtx_lock_giant(kern_giant_proc);
124 	PROC_LOCK(p);
125 	td->td_retval[0] = p->p_pptr->p_pid;
126 	PROC_UNLOCK(p);
127 	mtx_unlock_giant(s);
128 	return (0);
129 }
130 
131 /*
132  * Get process group ID; note that POSIX getpgrp takes no parameter
133  *
134  * MP SAFE
135  */
136 #ifndef _SYS_SYSPROTO_H_
137 struct getpgrp_args {
138         int     dummy;
139 };
140 #endif
141 /*
142  * MPSAFE
143  */
144 int
145 getpgrp(td, uap)
146 	struct thread *td;
147 	struct getpgrp_args *uap;
148 {
149 	struct proc *p = td->td_proc;
150 
151 	mtx_lock(&Giant);
152 	td->td_retval[0] = p->p_pgrp->pg_id;
153 	mtx_unlock(&Giant);
154 	return (0);
155 }
156 
157 /* Get an arbitary pid's process group id */
158 #ifndef _SYS_SYSPROTO_H_
159 struct getpgid_args {
160 	pid_t	pid;
161 };
162 #endif
163 
164 /*
165  * MPSAFE
166  */
167 int
168 getpgid(td, uap)
169 	struct thread *td;
170 	struct getpgid_args *uap;
171 {
172 	struct proc *p = td->td_proc;
173 	struct proc *pt;
174 	int error = 0;
175 	int s;
176 
177 	s = mtx_lock_giant(kern_giant_proc);
178 	if (uap->pid == 0)
179 		td->td_retval[0] = p->p_pgrp->pg_id;
180 	else if ((pt = pfind(uap->pid)) == NULL)
181 		error = ESRCH;
182 	else {
183 		error = p_cansee(p, pt);
184 		if (error == 0)
185 			td->td_retval[0] = pt->p_pgrp->pg_id;
186 		PROC_UNLOCK(pt);
187 	}
188 	mtx_unlock_giant(s);
189 	return (error);
190 }
191 
192 /*
193  * Get an arbitary pid's session id.
194  */
195 #ifndef _SYS_SYSPROTO_H_
196 struct getsid_args {
197 	pid_t	pid;
198 };
199 #endif
200 
201 /*
202  * MPSAFE
203  */
204 int
205 getsid(td, uap)
206 	struct thread *td;
207 	struct getsid_args *uap;
208 {
209 	struct proc *p = td->td_proc;
210 	struct proc *pt;
211 	int error = 0;
212 
213 	mtx_lock(&Giant);
214 	if (uap->pid == 0)
215 		td->td_retval[0] = p->p_session->s_sid;
216 	else if ((pt = pfind(uap->pid)) == NULL)
217 		error = ESRCH;
218 	else {
219 		error = p_cansee(p, pt);
220 		if (error == 0)
221 			td->td_retval[0] = pt->p_session->s_sid;
222 		PROC_UNLOCK(pt);
223 	}
224 	mtx_unlock(&Giant);
225 	return (error);
226 }
227 
228 
229 /*
230  * getuid() - MP SAFE
231  */
232 #ifndef _SYS_SYSPROTO_H_
233 struct getuid_args {
234         int     dummy;
235 };
236 #endif
237 
238 /*
239  * MPSAFE
240  */
241 /* ARGSUSED */
242 int
243 getuid(td, uap)
244 	struct thread *td;
245 	struct getuid_args *uap;
246 {
247 	struct proc *p = td->td_proc;
248 
249 	mtx_lock(&Giant);
250 	td->td_retval[0] = p->p_ucred->cr_ruid;
251 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
252 	td->td_retval[1] = p->p_ucred->cr_uid;
253 #endif
254 	mtx_unlock(&Giant);
255 	return (0);
256 }
257 
258 /*
259  * geteuid() - MP SAFE
260  */
261 #ifndef _SYS_SYSPROTO_H_
262 struct geteuid_args {
263         int     dummy;
264 };
265 #endif
266 
267 /* ARGSUSED */
268 int
269 geteuid(td, uap)
270 	struct thread *td;
271 	struct geteuid_args *uap;
272 {
273 	mtx_lock(&Giant);
274 	td->td_retval[0] = td->td_proc->p_ucred->cr_uid;
275 	mtx_unlock(&Giant);
276 	return (0);
277 }
278 
279 /*
280  * getgid() - MP SAFE
281  */
282 #ifndef _SYS_SYSPROTO_H_
283 struct getgid_args {
284         int     dummy;
285 };
286 #endif
287 
288 /*
289  * MPSAFE
290  */
291 /* ARGSUSED */
292 int
293 getgid(td, uap)
294 	struct thread *td;
295 	struct getgid_args *uap;
296 {
297 	struct proc *p = td->td_proc;
298 
299 	mtx_lock(&Giant);
300 	td->td_retval[0] = p->p_ucred->cr_rgid;
301 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
302 	td->td_retval[1] = p->p_ucred->cr_groups[0];
303 #endif
304 	mtx_unlock(&Giant);
305 	return (0);
306 }
307 
308 /*
309  * Get effective group ID.  The "egid" is groups[0], and could be obtained
310  * via getgroups.  This syscall exists because it is somewhat painful to do
311  * correctly in a library function.
312  */
313 #ifndef _SYS_SYSPROTO_H_
314 struct getegid_args {
315         int     dummy;
316 };
317 #endif
318 
319 /*
320  * MPSAFE
321  */
322 /* ARGSUSED */
323 int
324 getegid(td, uap)
325 	struct thread *td;
326 	struct getegid_args *uap;
327 {
328 	struct proc *p = td->td_proc;
329 
330 	mtx_lock(&Giant);
331 	td->td_retval[0] = p->p_ucred->cr_groups[0];
332 	mtx_unlock(&Giant);
333 	return (0);
334 }
335 
336 #ifndef _SYS_SYSPROTO_H_
337 struct getgroups_args {
338 	u_int	gidsetsize;
339 	gid_t	*gidset;
340 };
341 #endif
342 /*
343  * MPSAFE
344  */
345 int
346 getgroups(td, uap)
347 	struct thread *td;
348 	register struct	getgroups_args *uap;
349 {
350 	struct ucred *cred;
351 	struct proc *p = td->td_proc;
352 	u_int ngrp;
353 	int error = 0;
354 
355 	mtx_lock(&Giant);
356 	cred = p->p_ucred;
357 	if ((ngrp = uap->gidsetsize) == 0) {
358 		td->td_retval[0] = cred->cr_ngroups;
359 		error = 0;
360 		goto done2;
361 	}
362 	if (ngrp < cred->cr_ngroups) {
363 		error = EINVAL;
364 		goto done2;
365 	}
366 	ngrp = cred->cr_ngroups;
367 	if ((error = copyout((caddr_t)cred->cr_groups,
368 	    (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) {
369 		goto done2;
370 	}
371 	td->td_retval[0] = ngrp;
372 done2:
373 	mtx_unlock(&Giant);
374 	return (error);
375 }
376 
377 #ifndef _SYS_SYSPROTO_H_
378 struct setsid_args {
379         int     dummy;
380 };
381 #endif
382 
383 /*
384  * MPSAFE
385  */
386 /* ARGSUSED */
387 int
388 setsid(td, uap)
389 	register struct thread *td;
390 	struct setsid_args *uap;
391 {
392 	int error;
393 	struct proc *p = td->td_proc;
394 
395 	mtx_lock(&Giant);
396 	if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) {
397 		error = EPERM;
398 	} else {
399 		(void)enterpgrp(p, p->p_pid, 1);
400 		td->td_retval[0] = p->p_pid;
401 		error = 0;
402 	}
403 	mtx_unlock(&Giant);
404 	return (error);
405 }
406 
407 /*
408  * set process group (setpgid/old setpgrp)
409  *
410  * caller does setpgid(targpid, targpgid)
411  *
412  * pid must be caller or child of caller (ESRCH)
413  * if a child
414  *	pid must be in same session (EPERM)
415  *	pid can't have done an exec (EACCES)
416  * if pgid != pid
417  * 	there must exist some pid in same session having pgid (EPERM)
418  * pid must not be session leader (EPERM)
419  */
420 #ifndef _SYS_SYSPROTO_H_
421 struct setpgid_args {
422 	int	pid;	/* target process id */
423 	int	pgid;	/* target pgrp id */
424 };
425 #endif
426 /*
427  * MPSAFE
428  */
429 /* ARGSUSED */
430 int
431 setpgid(td, uap)
432 	struct thread *td;
433 	register struct setpgid_args *uap;
434 {
435 	struct proc *curp = td->td_proc;
436 	register struct proc *targp;		/* target process */
437 	register struct pgrp *pgrp;		/* target pgrp */
438 	int error;
439 
440 	if (uap->pgid < 0)
441 		return (EINVAL);
442 
443 	mtx_lock(&Giant);
444 
445 	if (uap->pid != 0 && uap->pid != curp->p_pid) {
446 		if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) {
447 			if (targp)
448 				PROC_UNLOCK(targp);
449 			error = ESRCH;
450 			goto done2;
451 		}
452 		if ((error = p_cansee(curproc, targp))) {
453 			PROC_UNLOCK(targp);
454 			goto done2;
455 		}
456 		if (targp->p_pgrp == NULL ||
457 		    targp->p_session != curp->p_session) {
458 			PROC_UNLOCK(targp);
459 			error = EPERM;
460 			goto done2;
461 		}
462 		if (targp->p_flag & P_EXEC) {
463 			PROC_UNLOCK(targp);
464 			error = EACCES;
465 			goto done2;
466 		}
467 	} else {
468 		targp = curp;
469 		PROC_LOCK(curp);	/* XXX: not needed */
470 	}
471 	if (SESS_LEADER(targp)) {
472 		PROC_UNLOCK(targp);
473 		error = EPERM;
474 		goto done2;
475 	}
476 	if (uap->pgid == 0) {
477 		uap->pgid = targp->p_pid;
478 	} else if (uap->pgid != targp->p_pid) {
479 		if ((pgrp = pgfind(uap->pgid)) == 0 ||
480 	            pgrp->pg_session != curp->p_session) {
481 			PROC_UNLOCK(targp);
482 			error = EPERM;
483 			goto done2;
484 		}
485 	}
486 	/* XXX: We should probably hold the lock across enterpgrp. */
487 	PROC_UNLOCK(targp);
488 	error = enterpgrp(targp, uap->pgid, 0);
489 done2:
490 	mtx_unlock(&Giant);
491 	return (error);
492 }
493 
494 /*
495  * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
496  * compatible.  It says that setting the uid/gid to euid/egid is a special
497  * case of "appropriate privilege".  Once the rules are expanded out, this
498  * basically means that setuid(nnn) sets all three id's, in all permitted
499  * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
500  * does not set the saved id - this is dangerous for traditional BSD
501  * programs.  For this reason, we *really* do not want to set
502  * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
503  */
504 #define POSIX_APPENDIX_B_4_2_2
505 
506 #ifndef _SYS_SYSPROTO_H_
507 struct setuid_args {
508 	uid_t	uid;
509 };
510 #endif
511 /*
512  * MPSAFE
513  */
514 /* ARGSUSED */
515 int
516 setuid(td, uap)
517 	struct thread *td;
518 	struct setuid_args *uap;
519 {
520 	struct proc *p = td->td_proc;
521 	struct ucred *newcred, *oldcred;
522 	uid_t uid;
523 	int error = 0;
524 
525 	uid = uap->uid;
526 	oldcred = p->p_ucred;
527 	mtx_lock(&Giant);
528 
529 	/*
530 	 * See if we have "permission" by POSIX 1003.1 rules.
531 	 *
532 	 * Note that setuid(geteuid()) is a special case of
533 	 * "appropriate privileges" in appendix B.4.2.2.  We need
534 	 * to use this clause to be compatible with traditional BSD
535 	 * semantics.  Basically, it means that "setuid(xx)" sets all
536 	 * three id's (assuming you have privs).
537 	 *
538 	 * Notes on the logic.  We do things in three steps.
539 	 * 1: We determine if the euid is going to change, and do EPERM
540 	 *    right away.  We unconditionally change the euid later if this
541 	 *    test is satisfied, simplifying that part of the logic.
542 	 * 2: We determine if the real and/or saved uid's are going to
543 	 *    change.  Determined by compile options.
544 	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
545 	 */
546 	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
547 #ifdef _POSIX_SAVED_IDS
548 	    uid != oldcred->cr_svuid &&		/* allow setuid(saved gid) */
549 #endif
550 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
551 	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
552 #endif
553 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
554 		goto done2;
555 
556 	newcred = crdup(oldcred);
557 #ifdef _POSIX_SAVED_IDS
558 	/*
559 	 * Do we have "appropriate privileges" (are we root or uid == euid)
560 	 * If so, we are changing the real uid and/or saved uid.
561 	 */
562 	if (
563 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
564 	    uid == oldcred->cr_uid ||
565 #endif
566 	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
567 #endif
568 	{
569 		/*
570 		 * Set the real uid and transfer proc count to new user.
571 		 */
572 		if (uid != oldcred->cr_ruid) {
573 			change_ruid(newcred, uid);
574 			setsugid(p);
575 		}
576 		/*
577 		 * Set saved uid
578 		 *
579 		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
580 		 * the security of seteuid() depends on it.  B.4.2.2 says it
581 		 * is important that we should do this.
582 		 */
583 		if (uid != oldcred->cr_svuid) {
584 			change_svuid(newcred, uid);
585 			setsugid(p);
586 		}
587 	}
588 
589 	/*
590 	 * In all permitted cases, we are changing the euid.
591 	 * Copy credentials so other references do not see our changes.
592 	 */
593 	if (uid != oldcred->cr_uid) {
594 		change_euid(newcred, uid);
595 		setsugid(p);
596 	}
597 	p->p_ucred = newcred;
598 	crfree(oldcred);
599 done2:
600 	mtx_unlock(&Giant);
601 	return (error);
602 }
603 
604 #ifndef _SYS_SYSPROTO_H_
605 struct seteuid_args {
606 	uid_t	euid;
607 };
608 #endif
609 /*
610  * MPSAFE
611  */
612 /* ARGSUSED */
613 int
614 seteuid(td, uap)
615 	struct thread *td;
616 	struct seteuid_args *uap;
617 {
618 	struct proc *p = td->td_proc;
619 	struct ucred *newcred, *oldcred;
620 	uid_t euid;
621 	int error = 0;
622 
623 	euid = uap->euid;
624 
625 	mtx_lock(&Giant);
626 	oldcred = p->p_ucred;
627 	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
628 	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
629 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) {
630 		goto done2;
631 	}
632 	/*
633 	 * Everything's okay, do it.  Copy credentials so other references do
634 	 * not see our changes.
635 	 */
636 	newcred = crdup(oldcred);
637 	if (oldcred->cr_uid != euid) {
638 		change_euid(newcred, euid);
639 		setsugid(p);
640 	}
641 	p->p_ucred = newcred;
642 	crfree(oldcred);
643 done2:
644 	mtx_unlock(&Giant);
645 	return (error);
646 }
647 
648 #ifndef _SYS_SYSPROTO_H_
649 struct setgid_args {
650 	gid_t	gid;
651 };
652 #endif
653 /*
654  * MPSAFE
655  */
656 /* ARGSUSED */
657 int
658 setgid(td, uap)
659 	struct thread *td;
660 	struct setgid_args *uap;
661 {
662 	struct proc *p = td->td_proc;
663 	struct ucred *newcred, *oldcred;
664 	gid_t gid;
665 	int error = 0;
666 
667 	gid = uap->gid;
668 
669 	mtx_lock(&Giant);
670 	oldcred = p->p_ucred;
671 	/*
672 	 * See if we have "permission" by POSIX 1003.1 rules.
673 	 *
674 	 * Note that setgid(getegid()) is a special case of
675 	 * "appropriate privileges" in appendix B.4.2.2.  We need
676 	 * to use this clause to be compatible with traditional BSD
677 	 * semantics.  Basically, it means that "setgid(xx)" sets all
678 	 * three id's (assuming you have privs).
679 	 *
680 	 * For notes on the logic here, see setuid() above.
681 	 */
682 	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
683 #ifdef _POSIX_SAVED_IDS
684 	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
685 #endif
686 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
687 	    gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
688 #endif
689 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) {
690 		goto done2;
691 	}
692 
693 	newcred = crdup(oldcred);
694 #ifdef _POSIX_SAVED_IDS
695 	/*
696 	 * Do we have "appropriate privileges" (are we root or gid == egid)
697 	 * If so, we are changing the real uid and saved gid.
698 	 */
699 	if (
700 #ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
701 	    gid == oldcred->cr_groups[0] ||
702 #endif
703 	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
704 #endif
705 	{
706 		/*
707 		 * Set real gid
708 		 */
709 		if (oldcred->cr_rgid != gid) {
710 			change_rgid(newcred, gid);
711 			setsugid(p);
712 		}
713 		/*
714 		 * Set saved gid
715 		 *
716 		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
717 		 * the security of setegid() depends on it.  B.4.2.2 says it
718 		 * is important that we should do this.
719 		 */
720 		if (oldcred->cr_svgid != gid) {
721 			change_svgid(newcred, gid);
722 			setsugid(p);
723 		}
724 	}
725 	/*
726 	 * In all cases permitted cases, we are changing the egid.
727 	 * Copy credentials so other references do not see our changes.
728 	 */
729 	if (oldcred->cr_groups[0] != gid) {
730 		change_egid(newcred, gid);
731 		setsugid(p);
732 	}
733 	p->p_ucred = newcred;
734 	crfree(oldcred);
735 done2:
736 	mtx_unlock(&Giant);
737 	return (error);
738 }
739 
740 #ifndef _SYS_SYSPROTO_H_
741 struct setegid_args {
742 	gid_t	egid;
743 };
744 #endif
745 /*
746  * MPSAFE
747  */
748 /* ARGSUSED */
749 int
750 setegid(td, uap)
751 	struct thread *td;
752 	struct setegid_args *uap;
753 {
754 	struct proc *p = td->td_proc;
755 	struct ucred *newcred, *oldcred;
756 	gid_t egid;
757 	int error = 0;
758 
759 	egid = uap->egid;
760 
761 	mtx_lock(&Giant);
762 	oldcred = p->p_ucred;
763 	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
764 	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
765 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) {
766 		goto done2;
767 	}
768 	newcred = crdup(oldcred);
769 	if (oldcred->cr_groups[0] != egid) {
770 		change_egid(newcred, egid);
771 		setsugid(p);
772 	}
773 	p->p_ucred = newcred;
774 	crfree(oldcred);
775 done2:
776 	mtx_unlock(&Giant);
777 	return (error);
778 }
779 
780 #ifndef _SYS_SYSPROTO_H_
781 struct setgroups_args {
782 	u_int	gidsetsize;
783 	gid_t	*gidset;
784 };
785 #endif
786 /*
787  * MPSAFE
788  */
789 /* ARGSUSED */
790 int
791 setgroups(td, uap)
792 	struct thread *td;
793 	struct setgroups_args *uap;
794 {
795 	struct proc *p = td->td_proc;
796 	struct ucred *newcred, *oldcred;
797 	u_int ngrp;
798 	int error;
799 
800 	mtx_lock(&Giant);
801 
802 	ngrp = uap->gidsetsize;
803 	oldcred = p->p_ucred;
804 	if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
805 		goto done2;
806 	if (ngrp > NGROUPS) {
807 		error = EINVAL;
808 		goto done2;
809 	}
810 	/*
811 	 * XXX A little bit lazy here.  We could test if anything has
812 	 * changed before crcopy() and setting P_SUGID.
813 	 */
814 	newcred = crdup(oldcred);
815 	if (ngrp < 1) {
816 		/*
817 		 * setgroups(0, NULL) is a legitimate way of clearing the
818 		 * groups vector on non-BSD systems (which generally do not
819 		 * have the egid in the groups[0]).  We risk security holes
820 		 * when running non-BSD software if we do not do the same.
821 		 */
822 		newcred->cr_ngroups = 1;
823 	} else {
824 		if ((error = copyin((caddr_t)uap->gidset,
825 		    (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
826 			crfree(newcred);
827 			goto done2;
828 		}
829 		newcred->cr_ngroups = ngrp;
830 	}
831 	setsugid(p);
832 	p->p_ucred = newcred;
833 	crfree(oldcred);
834 done2:
835 	mtx_unlock(&Giant);
836 	return (error);
837 }
838 
839 #ifndef _SYS_SYSPROTO_H_
840 struct setreuid_args {
841 	uid_t	ruid;
842 	uid_t	euid;
843 };
844 #endif
845 /*
846  * MPSAFE
847  */
848 /* ARGSUSED */
849 int
850 setreuid(td, uap)
851 	register struct thread *td;
852 	struct setreuid_args *uap;
853 {
854 	struct proc *p = td->td_proc;
855 	struct ucred *newcred, *oldcred;
856 	uid_t ruid, euid;
857 	int error = 0;
858 
859 	ruid = uap->ruid;
860 	euid = uap->euid;
861 
862 	mtx_lock(&Giant);
863 
864 	oldcred = p->p_ucred;
865 	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
866 	      ruid != oldcred->cr_svuid) ||
867 	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
868 	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
869 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
870 		goto done2;
871 	}
872 	newcred = crdup(oldcred);
873 	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
874 		change_euid(newcred, euid);
875 		setsugid(p);
876 	}
877 	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
878 		change_ruid(newcred, ruid);
879 		setsugid(p);
880 	}
881 	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
882 	    newcred->cr_svuid != newcred->cr_uid) {
883 		change_svuid(newcred, newcred->cr_uid);
884 		setsugid(p);
885 	}
886 	p->p_ucred = newcred;
887 	crfree(oldcred);
888 done2:
889 	mtx_unlock(&Giant);
890 	return (error);
891 }
892 
893 #ifndef _SYS_SYSPROTO_H_
894 struct setregid_args {
895 	gid_t	rgid;
896 	gid_t	egid;
897 };
898 #endif
899 /*
900  * MPSAFE
901  */
902 /* ARGSUSED */
903 int
904 setregid(td, uap)
905 	register struct thread *td;
906 	struct setregid_args *uap;
907 {
908 	struct proc *p = td->td_proc;
909 	struct ucred *newcred, *oldcred;
910 	gid_t rgid, egid;
911 	int error = 0;
912 
913 	rgid = uap->rgid;
914 	egid = uap->egid;
915 
916 	mtx_lock(&Giant);
917 
918 	oldcred = p->p_ucred;
919 	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
920 	    rgid != oldcred->cr_svgid) ||
921 	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
922 	     egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
923 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
924 		goto done2;
925 	}
926 
927 	newcred = crdup(oldcred);
928 	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
929 		change_egid(newcred, egid);
930 		setsugid(p);
931 	}
932 	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
933 		change_rgid(newcred, rgid);
934 		setsugid(p);
935 	}
936 	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
937 	    newcred->cr_svgid != newcred->cr_groups[0]) {
938 		change_svgid(newcred, newcred->cr_groups[0]);
939 		setsugid(p);
940 	}
941 	p->p_ucred = newcred;
942 	crfree(oldcred);
943 done2:
944 	mtx_unlock(&Giant);
945 	return (error);
946 }
947 
948 /*
949  * setresuid(ruid, euid, suid) is like setreuid except control over the
950  * saved uid is explicit.
951  */
952 
953 #ifndef _SYS_SYSPROTO_H_
954 struct setresuid_args {
955 	uid_t	ruid;
956 	uid_t	euid;
957 	uid_t	suid;
958 };
959 #endif
960 /*
961  * MPSAFE
962  */
963 /* ARGSUSED */
964 int
965 setresuid(td, uap)
966 	register struct thread *td;
967 	struct setresuid_args *uap;
968 {
969 	struct proc *p = td->td_proc;
970 	struct ucred *newcred, *oldcred;
971 	uid_t ruid, euid, suid;
972 	int error;
973 
974 	ruid = uap->ruid;
975 	euid = uap->euid;
976 	suid = uap->suid;
977 
978 	mtx_lock(&Giant);
979 	oldcred = p->p_ucred;
980 	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
981 	     ruid != oldcred->cr_svuid &&
982 	      ruid != oldcred->cr_uid) ||
983 	     (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
984 	    euid != oldcred->cr_svuid &&
985 	      euid != oldcred->cr_uid) ||
986 	     (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
987 	    suid != oldcred->cr_svuid &&
988 	      suid != oldcred->cr_uid)) &&
989 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
990 		goto done2;
991 	}
992 
993 	newcred = crdup(oldcred);
994 	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
995 		change_euid(newcred, euid);
996 		setsugid(p);
997 	}
998 	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
999 		change_ruid(newcred, ruid);
1000 		setsugid(p);
1001 	}
1002 	if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1003 		change_svuid(newcred, suid);
1004 		setsugid(p);
1005 	}
1006 	p->p_ucred = newcred;
1007 	crfree(oldcred);
1008 	error = 0;
1009 done2:
1010 	mtx_unlock(&Giant);
1011 	return (error);
1012 }
1013 
1014 /*
1015  * setresgid(rgid, egid, sgid) is like setregid except control over the
1016  * saved gid is explicit.
1017  */
1018 
1019 #ifndef _SYS_SYSPROTO_H_
1020 struct setresgid_args {
1021 	gid_t	rgid;
1022 	gid_t	egid;
1023 	gid_t	sgid;
1024 };
1025 #endif
1026 /*
1027  * MPSAFE
1028  */
1029 /* ARGSUSED */
1030 int
1031 setresgid(td, uap)
1032 	register struct thread *td;
1033 	struct setresgid_args *uap;
1034 {
1035 	struct proc *p = td->td_proc;
1036 	struct ucred *newcred, *oldcred;
1037 	gid_t rgid, egid, sgid;
1038 	int error;
1039 
1040 	rgid = uap->rgid;
1041 	egid = uap->egid;
1042 	sgid = uap->sgid;
1043 
1044 	mtx_lock(&Giant);
1045 	oldcred = p->p_ucred;
1046 	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1047 	      rgid != oldcred->cr_svgid &&
1048 	      rgid != oldcred->cr_groups[0]) ||
1049 	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1050 	      egid != oldcred->cr_svgid &&
1051 	      egid != oldcred->cr_groups[0]) ||
1052 	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1053 	      sgid != oldcred->cr_svgid &&
1054 	      sgid != oldcred->cr_groups[0])) &&
1055 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
1056 		goto done2;
1057 	}
1058 	newcred = crdup(oldcred);
1059 	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1060 		change_egid(newcred, egid);
1061 		setsugid(p);
1062 	}
1063 	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1064 		change_rgid(newcred, rgid);
1065 		setsugid(p);
1066 	}
1067 	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1068 		change_svgid(newcred, sgid);
1069 		setsugid(p);
1070 	}
1071 	p->p_ucred = newcred;
1072 	crfree(oldcred);
1073 	error = 0;
1074 done2:
1075 	mtx_unlock(&Giant);
1076 	return (error);
1077 }
1078 
1079 #ifndef _SYS_SYSPROTO_H_
1080 struct getresuid_args {
1081 	uid_t	*ruid;
1082 	uid_t	*euid;
1083 	uid_t	*suid;
1084 };
1085 #endif
1086 /*
1087  * MPSAFE
1088  */
1089 /* ARGSUSED */
1090 int
1091 getresuid(td, uap)
1092 	register struct thread *td;
1093 	struct getresuid_args *uap;
1094 {
1095 	struct ucred *cred;
1096 	struct proc *p = td->td_proc;
1097 	int error1 = 0, error2 = 0, error3 = 0;
1098 
1099 	mtx_lock(&Giant);
1100 	cred = p->p_ucred;
1101 
1102 	if (uap->ruid)
1103 		error1 = copyout((caddr_t)&cred->cr_ruid,
1104 		    (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
1105 	if (uap->euid)
1106 		error2 = copyout((caddr_t)&cred->cr_uid,
1107 		    (caddr_t)uap->euid, sizeof(cred->cr_uid));
1108 	if (uap->suid)
1109 		error3 = copyout((caddr_t)&cred->cr_svuid,
1110 		    (caddr_t)uap->suid, sizeof(cred->cr_svuid));
1111 	mtx_unlock(&Giant);
1112 	return error1 ? error1 : (error2 ? error2 : error3);
1113 }
1114 
1115 #ifndef _SYS_SYSPROTO_H_
1116 struct getresgid_args {
1117 	gid_t	*rgid;
1118 	gid_t	*egid;
1119 	gid_t	*sgid;
1120 };
1121 #endif
1122 /*
1123  * MPSAFE
1124  */
1125 /* ARGSUSED */
1126 int
1127 getresgid(td, uap)
1128 	register struct thread *td;
1129 	struct getresgid_args *uap;
1130 {
1131 	struct ucred *cred;
1132 	struct proc *p = td->td_proc;
1133 	int error1 = 0, error2 = 0, error3 = 0;
1134 
1135 	mtx_lock(&Giant);
1136 	cred = p->p_ucred;
1137 
1138 	if (uap->rgid)
1139 		error1 = copyout((caddr_t)&cred->cr_rgid,
1140 		    (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
1141 	if (uap->egid)
1142 		error2 = copyout((caddr_t)&cred->cr_groups[0],
1143 		    (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
1144 	if (uap->sgid)
1145 		error3 = copyout((caddr_t)&cred->cr_svgid,
1146 		    (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
1147 	mtx_unlock(&Giant);
1148 	return error1 ? error1 : (error2 ? error2 : error3);
1149 }
1150 
1151 
1152 #ifndef _SYS_SYSPROTO_H_
1153 struct issetugid_args {
1154 	int dummy;
1155 };
1156 #endif
1157 /* ARGSUSED */
1158 int
1159 issetugid(td, uap)
1160 	register struct thread *td;
1161 	struct issetugid_args *uap;
1162 {
1163 	struct proc *p = td->td_proc;
1164 
1165 	/*
1166 	 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1167 	 * we use P_SUGID because we consider changing the owners as
1168 	 * "tainting" as well.
1169 	 * This is significant for procs that start as root and "become"
1170 	 * a user without an exec - programs cannot know *everything*
1171 	 * that libc *might* have put in their data segment.
1172 	 */
1173 	td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1174 	return (0);
1175 }
1176 
1177 /*
1178  * MPSAFE
1179  */
1180 int
1181 __setugid(td, uap)
1182 	struct thread *td;
1183 	struct __setugid_args *uap;
1184 {
1185 #ifdef REGRESSION
1186 	int error = 0;
1187 
1188 	mtx_lock(&Giant);
1189 	switch (uap->flag) {
1190 	case 0:
1191 		td->td_proc->p_flag &= ~P_SUGID;
1192 		break;
1193 	case 1:
1194 		td->td_proc->p_flag |= P_SUGID;
1195 		break;
1196 	default:
1197 		error = EINVAL;
1198 		break;
1199 	}
1200 	mtx_unlock(&Giant);
1201 	return (error);
1202 #else /* !REGRESSION */
1203 	return (ENOSYS);
1204 #endif /* !REGRESSION */
1205 }
1206 
1207 /*
1208  * Check if gid is a member of the group set.
1209  */
1210 int
1211 groupmember(gid, cred)
1212 	gid_t gid;
1213 	struct ucred *cred;
1214 {
1215 	register gid_t *gp;
1216 	gid_t *egp;
1217 
1218 	egp = &(cred->cr_groups[cred->cr_ngroups]);
1219 	for (gp = cred->cr_groups; gp < egp; gp++)
1220 		if (*gp == gid)
1221 			return (1);
1222 	return (0);
1223 }
1224 
1225 /*
1226  * `suser_enabled' (which can be set by the kern.security.suser_enabled
1227  * sysctl) determines whether the system 'super-user' policy is in effect.
1228  * If it is nonzero, an effective uid of 0 connotes special privilege,
1229  * overriding many mandatory and discretionary protections.  If it is zero,
1230  * uid 0 is offered no special privilege in the kernel security policy.
1231  * Setting it to zero may seriously impact the functionality of many
1232  * existing userland programs, and should not be done without careful
1233  * consideration of the consequences.
1234  */
1235 int	suser_enabled = 1;
1236 SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW,
1237     &suser_enabled, 0, "processes with uid 0 have privilege");
1238 
1239 /*
1240  * Test whether the specified credentials imply "super-user" privilege.
1241  * Return 0 or EPERM.
1242  */
1243 int
1244 suser(p)
1245 	struct proc *p;
1246 {
1247 	return suser_xxx(0, p, 0);
1248 }
1249 
1250 /*
1251  * version for when the thread pointer is available and not the proc.
1252  * (saves having to include proc.h into every file that needs to do the change.)
1253  */
1254 int
1255 suser_td(td)
1256 
1257 	struct thread *td;
1258 {
1259 	return suser_xxx(0, td->td_proc, 0);
1260 }
1261 
1262 /*
1263  * wrapper to use if you have the thread on hand but not the proc.
1264  */
1265 int
1266 suser_xxx_td(cred, td, flag)
1267 	struct ucred *cred;
1268 	struct thread *td;
1269 	int flag;
1270 {
1271 	return(suser_xxx(cred, td->td_proc, flag));
1272 }
1273 
1274 int
1275 suser_xxx(cred, proc, flag)
1276 	struct ucred *cred;
1277 	struct proc *proc;
1278 	int flag;
1279 {
1280 	if (!suser_enabled)
1281 		return (EPERM);
1282 	if (!cred && !proc) {
1283 		printf("suser_xxx(): THINK!\n");
1284 		return (EPERM);
1285 	}
1286 	if (!cred)
1287 		cred = proc->p_ucred;
1288 	if (cred->cr_uid != 0)
1289 		return (EPERM);
1290 	if (jailed(cred) && !(flag & PRISON_ROOT))
1291 		return (EPERM);
1292 	return (0);
1293 }
1294 
1295 /*
1296  * Test (local, globale) securelevel values against passed required
1297  * securelevel.  _gt implements (level > securelevel), and _ge implements
1298  * (level >= securelevel).  Returns 0 oer EPERM.
1299  *
1300  * cr is permitted to be NULL for the time being, as there were some
1301  * existing securelevel checks that occurred without a process/credential
1302  * context.  In the future this will be disallowed, so a kernel
1303  * message is displayed.
1304  */
1305 int
1306 securelevel_gt(struct ucred *cr, int level)
1307 {
1308 
1309 	if (cr == NULL) {
1310 		printf("securelevel_gt: cr is NULL\n");
1311 		if (level > securelevel)
1312 			return (0);
1313 		else
1314 			return (EPERM);
1315 	} else if (cr->cr_prison == NULL) {
1316 		if (level > securelevel)
1317 			return (0);
1318 		else
1319 			return (EPERM);
1320 	} else {
1321 		if (level > imax(cr->cr_prison->pr_securelevel, securelevel))
1322 			return (0);
1323 		else
1324 			return (EPERM);
1325 	}
1326 
1327 }
1328 
1329 int
1330 securelevel_ge(struct ucred *cr, int level)
1331 {
1332 
1333 	if (cr == NULL) {
1334 		printf("securelevel_ge: cr is NULL\n");
1335 		if (level >= securelevel)
1336 			return (0);
1337 		else
1338 			return (EPERM);
1339 	} if (cr->cr_prison == NULL) {
1340 		if (level >= securelevel)
1341 			return (0);
1342 		else
1343 			return (EPERM);
1344 	} else {
1345 		if (level >= imax(cr->cr_prison->pr_securelevel, securelevel))
1346 			return (0);
1347 		else
1348 			return (EPERM);
1349 	}
1350 }
1351 
1352 /*
1353  * kern_security_seeotheruids_permitted determines whether or not visibility
1354  * of processes and sockets with credentials holding different real uid's
1355  * is possible using a variety of system MIBs.
1356  */
1357 static int	kern_security_seeotheruids_permitted = 1;
1358 SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted,
1359     CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0,
1360     "Unprivileged processes may see subjects/objects with different real uid");
1361 
1362 /*-
1363  * Determine if u1 "can see" the subject specified by u2.
1364  * Returns: 0 for permitted, an errno value otherwise
1365  * Locks: none
1366  * References: u1 and u2 must be immutable credentials
1367  *             u1 and u2 must be valid for the lifetime of the call
1368  *             u1 may equal u2, in which case only one reference is required
1369  */
1370 int
1371 cr_cansee(struct ucred *u1, struct ucred *u2)
1372 {
1373 	int error;
1374 
1375 	if ((error = prison_check(u1, u2)))
1376 		return (error);
1377 	if (!kern_security_seeotheruids_permitted &&
1378 	    u1->cr_ruid != u2->cr_ruid) {
1379 		if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
1380 			return (ESRCH);
1381 	}
1382 	return (0);
1383 }
1384 
1385 /*-
1386  * Determine if p1 "can see" the subject specified by p2.
1387  * Returns: 0 for permitted, an errno value otherwise
1388  * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
1389  *        be held.  Normally, p1 will be curproc, and a lock must be held
1390  *        for p2.
1391  * References: p1 and p2 must be valid for the lifetime of the call
1392  */
1393 int
1394 p_cansee(struct proc *p1, struct proc *p2)
1395 {
1396 
1397 	/* Wrap cr_cansee() for all functionality. */
1398 	return (cr_cansee(p1->p_ucred, p2->p_ucred));
1399 }
1400 
1401 /*-
1402  * Determine whether p1 may deliver the specified signal to p2.
1403  * Returns: 0 for permitted, an errno value otherwise
1404  * Locks: Sufficient locks to protect various components of p1 and p2
1405  *        must be held.  Normally, p1 will be curproc, and a lock must
1406  *        be held for p2.
1407  * References: p1 and p2 must be valid for the lifetime of the call
1408  */
1409 int
1410 p_cansignal(struct proc *p1, struct proc *p2, int signum)
1411 {
1412 	int error;
1413 
1414 	if (p1 == p2)
1415 		return (0);
1416 
1417 	/*
1418 	 * Jail semantics limit the scope of signalling to p2 in the same
1419 	 * jail as p1, if p1 is in jail.
1420 	 */
1421 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1422 		return (error);
1423 
1424 	/*
1425 	 * UNIX signalling semantics require that processes in the same
1426 	 * session always be able to deliver SIGCONT to one another,
1427 	 * overriding the remaining protections.
1428 	 */
1429 	if (signum == SIGCONT && p1->p_session == p2->p_session)
1430 		return (0);
1431 
1432 	/*
1433 	 * UNIX signal semantics depend on the status of the P_SUGID
1434 	 * bit on the target process.  If the bit is set, then additional
1435 	 * restrictions are placed on the set of available signals.
1436 	 */
1437 	if (p2->p_flag & P_SUGID) {
1438 		switch (signum) {
1439 		case 0:
1440 		case SIGKILL:
1441 		case SIGINT:
1442 		case SIGTERM:
1443 		case SIGSTOP:
1444 		case SIGTTIN:
1445 		case SIGTTOU:
1446 		case SIGTSTP:
1447 		case SIGHUP:
1448 		case SIGUSR1:
1449 		case SIGUSR2:
1450 			/*
1451 			 * Generally, permit job and terminal control
1452 			 * signals.
1453 			 */
1454 			break;
1455 		default:
1456 			/* Not permitted, privilege is required. */
1457 			error = suser_xxx(NULL, p1, PRISON_ROOT);
1458 			if (error)
1459 				return (error);
1460 		}
1461 	}
1462 
1463 	/*
1464 	 * Generally, the target credential's ruid or svuid must match the
1465 	 * subject credential's ruid or euid.
1466 	 */
1467 	if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid &&
1468 	    p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid &&
1469 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid &&
1470 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) {
1471 		/* Not permitted, try privilege. */
1472 		error = suser_xxx(NULL, p1, PRISON_ROOT);
1473 		if (error)
1474 			return (error);
1475 	}
1476 
1477         return (0);
1478 }
1479 
1480 /*-
1481  * Determine whether p1 may reschedule p2
1482  * Returns: 0 for permitted, an errno value otherwise
1483  * Locks: Sufficient locks to protect various components of p1 and p2
1484  *        must be held.  Normally, p1 will be curproc, and a lock must
1485  *        be held for p2.
1486  * References: p1 and p2 must be valid for the lifetime of the call
1487  */
1488 int
1489 p_cansched(struct proc *p1, struct proc *p2)
1490 {
1491 	int error;
1492 
1493 	if (p1 == p2)
1494 		return (0);
1495 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1496 		return (error);
1497 	if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
1498 		return (0);
1499 	if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
1500 		return (0);
1501 	if (suser_xxx(0, p1, PRISON_ROOT) == 0)
1502 		return (0);
1503 
1504 #ifdef CAPABILITIES
1505 	if (!cap_check_xxx(0, p1, CAP_SYS_NICE, PRISON_ROOT))
1506 		return (0);
1507 #endif
1508 
1509 	return (EPERM);
1510 }
1511 
1512 /*
1513  * The kern_unprivileged_procdebug_permitted flag may be used to disable
1514  * a variety of unprivileged inter-process debugging services, including
1515  * some procfs functionality, ptrace(), and ktrace().  In the past,
1516  * inter-process debugging has been involved in a variety of security
1517  * problems, and sites not requiring the service might choose to disable it
1518  * when hardening systems.
1519  *
1520  * XXX: Should modifying and reading this variable require locking?
1521  */
1522 static int	kern_unprivileged_procdebug_permitted = 1;
1523 SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted,
1524     CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0,
1525     "Unprivileged processes may use process debugging facilities");
1526 
1527 /*-
1528  * Determine whether p1 may debug p2.
1529  * Returns: 0 for permitted, an errno value otherwise
1530  * Locks: Sufficient locks to protect various components of p1 and p2
1531  *        must be held.  Normally, p1 will be curproc, and a lock must
1532  *        be held for p2.
1533  * References: p1 and p2 must be valid for the lifetime of the call
1534  */
1535 int
1536 p_candebug(struct proc *p1, struct proc *p2)
1537 {
1538 	int error;
1539 
1540 	if (!kern_unprivileged_procdebug_permitted) {
1541 		error = suser_xxx(NULL, p1, PRISON_ROOT);
1542 		if (error)
1543 			return (error);
1544 	}
1545 
1546 	if (p1 == p2)
1547 		return (0);
1548 
1549 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1550 		return (error);
1551 
1552 	/*
1553 	 * Not owned by you, has done setuid (unless you're root).
1554 	 * XXX add a CAP_SYS_PTRACE here?
1555 	 */
1556 	if (p1->p_ucred->cr_uid != p2->p_ucred->cr_uid ||
1557 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid ||
1558 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid ||
1559 	    p2->p_flag & P_SUGID) {
1560 		error = suser_xxx(NULL, p1, PRISON_ROOT);
1561 		if (error)
1562 			return (error);
1563 	}
1564 
1565 	/* can't trace init when securelevel > 0 */
1566 	if (p2->p_pid == 1) {
1567 		error = securelevel_gt(p1->p_ucred, 0);
1568 		if (error)
1569 			return (error);
1570 	}
1571 
1572 	/* can't trace a process that's currently exec'ing */
1573 	if ((p2->p_flag & P_INEXEC) != 0)
1574 		return (EAGAIN);
1575 
1576 	return (0);
1577 }
1578 
1579 /*
1580  * Allocate a zeroed cred structure.
1581  */
1582 struct ucred *
1583 crget()
1584 {
1585 	register struct ucred *cr;
1586 
1587 	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1588 	cr->cr_ref = 1;
1589 	mtx_init(&cr->cr_mtx, "ucred", MTX_DEF);
1590 	return (cr);
1591 }
1592 
1593 /*
1594  * Claim another reference to a ucred structure.
1595  */
1596 struct ucred *
1597 crhold(cr)
1598 	struct ucred *cr;
1599 {
1600 
1601 	mtx_lock(&cr->cr_mtx);
1602 	cr->cr_ref++;
1603 	mtx_unlock(&cr->cr_mtx);
1604 	return (cr);
1605 }
1606 
1607 
1608 /*
1609  * Free a cred structure.
1610  * Throws away space when ref count gets to 0.
1611  */
1612 void
1613 crfree(cr)
1614 	struct ucred *cr;
1615 {
1616 
1617 	mtx_lock(&cr->cr_mtx);
1618 	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1619 	if (--cr->cr_ref == 0) {
1620 		mtx_destroy(&cr->cr_mtx);
1621 		/*
1622 		 * Some callers of crget(), such as nfs_statfs(),
1623 		 * allocate a temporary credential, but don't
1624 		 * allocate a uidinfo structure.
1625 		 */
1626 		if (cr->cr_uidinfo != NULL)
1627 			uifree(cr->cr_uidinfo);
1628 		if (cr->cr_ruidinfo != NULL)
1629 			uifree(cr->cr_ruidinfo);
1630 		/*
1631 		 * Free a prison, if any.
1632 		 */
1633 		if (jailed(cr))
1634 			prison_free(cr->cr_prison);
1635 		FREE((caddr_t)cr, M_CRED);
1636 	} else {
1637 		mtx_unlock(&cr->cr_mtx);
1638 	}
1639 }
1640 
1641 /*
1642  * Check to see if this ucred is shared.
1643  */
1644 int
1645 crshared(cr)
1646 	struct ucred *cr;
1647 {
1648 	int shared;
1649 
1650 	mtx_lock(&cr->cr_mtx);
1651 	shared = (cr->cr_ref > 1);
1652 	mtx_unlock(&cr->cr_mtx);
1653 	return (shared);
1654 }
1655 
1656 /*
1657  * Copy a ucred's contents from a template.  Does not block.
1658  */
1659 void
1660 crcopy(dest, src)
1661 	struct ucred *dest, *src;
1662 {
1663 
1664 	KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1665 	bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1666 	    (unsigned)((caddr_t)&src->cr_endcopy -
1667 		(caddr_t)&src->cr_startcopy));
1668 	uihold(dest->cr_uidinfo);
1669 	uihold(dest->cr_ruidinfo);
1670 	if (jailed(dest))
1671 		prison_hold(dest->cr_prison);
1672 }
1673 
1674 /*
1675  * Dup cred struct to a new held one.
1676  */
1677 struct ucred *
1678 crdup(cr)
1679 	struct ucred *cr;
1680 {
1681 	struct ucred *newcr;
1682 
1683 	newcr = crget();
1684 	crcopy(newcr, cr);
1685 	return (newcr);
1686 }
1687 
1688 /*
1689  * Get login name, if available.
1690  */
1691 #ifndef _SYS_SYSPROTO_H_
1692 struct getlogin_args {
1693 	char	*namebuf;
1694 	u_int	namelen;
1695 };
1696 #endif
1697 /*
1698  * MPSAFE
1699  */
1700 /* ARGSUSED */
1701 int
1702 getlogin(td, uap)
1703 	struct thread *td;
1704 	struct getlogin_args *uap;
1705 {
1706 	int error;
1707 	struct proc *p = td->td_proc;
1708 
1709 	mtx_lock(&Giant);
1710 	if (uap->namelen > MAXLOGNAME)
1711 		uap->namelen = MAXLOGNAME;
1712 	error = copyout((caddr_t) p->p_pgrp->pg_session->s_login,
1713 	    (caddr_t) uap->namebuf, uap->namelen);
1714 	mtx_unlock(&Giant);
1715 	return(error);
1716 }
1717 
1718 /*
1719  * Set login name.
1720  */
1721 #ifndef _SYS_SYSPROTO_H_
1722 struct setlogin_args {
1723 	char	*namebuf;
1724 };
1725 #endif
1726 /*
1727  * MPSAFE
1728  */
1729 /* ARGSUSED */
1730 int
1731 setlogin(td, uap)
1732 	struct thread *td;
1733 	struct setlogin_args *uap;
1734 {
1735 	struct proc *p = td->td_proc;
1736 	int error;
1737 	char logintmp[MAXLOGNAME];
1738 
1739 	mtx_lock(&Giant);
1740 	if ((error = suser_xxx(0, p, PRISON_ROOT)))
1741 		goto done2;
1742 	error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
1743 	    sizeof(logintmp), (size_t *)0);
1744 	if (error == ENAMETOOLONG) {
1745 		error = EINVAL;
1746 	} else if (!error) {
1747 		(void) memcpy(p->p_pgrp->pg_session->s_login, logintmp,
1748 		    sizeof(logintmp));
1749 	}
1750 done2:
1751 	mtx_unlock(&Giant);
1752 	return (error);
1753 }
1754 
1755 void
1756 setsugid(p)
1757 	struct proc *p;
1758 {
1759 	p->p_flag |= P_SUGID;
1760 	if (!(p->p_pfsflags & PF_ISUGID))
1761 		p->p_stops = 0;
1762 }
1763 
1764 /*-
1765  * Change a process's effective uid.
1766  * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1767  * References: newcred must be an exclusive credential reference for the
1768  *             duration of the call.
1769  */
1770 void
1771 change_euid(newcred, euid)
1772 	struct ucred *newcred;
1773 	uid_t euid;
1774 {
1775 
1776 	newcred->cr_uid = euid;
1777 	uifree(newcred->cr_uidinfo);
1778 	newcred->cr_uidinfo = uifind(euid);
1779 }
1780 
1781 /*-
1782  * Change a process's effective gid.
1783  * Side effects: newcred->cr_gid will be modified.
1784  * References: newcred must be an exclusive credential reference for the
1785  *             duration of the call.
1786  */
1787 void
1788 change_egid(newcred, egid)
1789 	struct ucred *newcred;
1790 	gid_t egid;
1791 {
1792 
1793 	newcred->cr_groups[0] = egid;
1794 }
1795 
1796 /*-
1797  * Change a process's real uid.
1798  * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1799  *               will be updated, and the old and new cr_ruidinfo proc
1800  *               counts will be updated.
1801  * References: newcred must be an exclusive credential reference for the
1802  *             duration of the call.
1803  */
1804 void
1805 change_ruid(newcred, ruid)
1806 	struct ucred *newcred;
1807 	uid_t ruid;
1808 {
1809 
1810 	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1811 	newcred->cr_ruid = ruid;
1812 	uifree(newcred->cr_ruidinfo);
1813 	newcred->cr_ruidinfo = uifind(ruid);
1814 	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1815 }
1816 
1817 /*-
1818  * Change a process's real gid.
1819  * Side effects: newcred->cr_rgid will be updated.
1820  * References: newcred must be an exclusive credential reference for the
1821  *             duration of the call.
1822  */
1823 void
1824 change_rgid(newcred, rgid)
1825 	struct ucred *newcred;
1826 	gid_t rgid;
1827 {
1828 
1829 	newcred->cr_rgid = rgid;
1830 }
1831 
1832 /*-
1833  * Change a process's saved uid.
1834  * Side effects: newcred->cr_svuid will be updated.
1835  * References: newcred must be an exclusive credential reference for the
1836  *             duration of the call.
1837  */
1838 void
1839 change_svuid(newcred, svuid)
1840 	struct ucred *newcred;
1841 	uid_t svuid;
1842 {
1843 
1844 	newcred->cr_svuid = svuid;
1845 }
1846 
1847 /*-
1848  * Change a process's saved gid.
1849  * Side effects: newcred->cr_svgid will be updated.
1850  * References: newcred must be an exclusive credential reference for the
1851  *             duration of the call.
1852  */
1853 void
1854 change_svgid(newcred, svgid)
1855 	struct ucred *newcred;
1856 	gid_t svgid;
1857 {
1858 
1859 	newcred->cr_svgid = svgid;
1860 }
1861