1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * Copyright (c) 2000, 2001 Robert N. M. Watson. All rights reserved. 5 * (c) UNIX System Laboratories, Inc. 6 * All or some portions of this file are derived from material licensed 7 * to the University of California by American Telephone and Telegraph 8 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 9 * the permission of UNIX System Laboratories, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD$ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 #include "opt_global.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/acct.h> 53 #include <sys/kernel.h> 54 #include <sys/lock.h> 55 #include <sys/mutex.h> 56 #include <sys/proc.h> 57 #include <sys/sysproto.h> 58 #include <sys/malloc.h> 59 #include <sys/pioctl.h> 60 #include <sys/resourcevar.h> 61 #include <sys/sysctl.h> 62 #include <sys/jail.h> 63 64 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 65 66 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 67 "Kernel security policy"); 68 69 #ifndef _SYS_SYSPROTO_H_ 70 struct getpid_args { 71 int dummy; 72 }; 73 #endif 74 75 /* 76 * getpid 77 */ 78 79 /* 80 * MPSAFE 81 */ 82 /* ARGSUSED */ 83 int 84 getpid(td, uap) 85 struct thread *td; 86 struct getpid_args *uap; 87 { 88 struct proc *p = td->td_proc; 89 int s; 90 91 s = mtx_lock_giant(kern_giant_proc); 92 td->td_retval[0] = p->p_pid; 93 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 94 PROC_LOCK(p); 95 td->td_retval[1] = p->p_pptr->p_pid; 96 PROC_UNLOCK(p); 97 #endif 98 mtx_unlock_giant(s); 99 return (0); 100 } 101 102 /* 103 * getppid 104 */ 105 106 #ifndef _SYS_SYSPROTO_H_ 107 struct getppid_args { 108 int dummy; 109 }; 110 #endif 111 /* 112 * MPSAFE 113 */ 114 /* ARGSUSED */ 115 int 116 getppid(td, uap) 117 struct thread *td; 118 struct getppid_args *uap; 119 { 120 struct proc *p = td->td_proc; 121 int s; 122 123 s = mtx_lock_giant(kern_giant_proc); 124 PROC_LOCK(p); 125 td->td_retval[0] = p->p_pptr->p_pid; 126 PROC_UNLOCK(p); 127 mtx_unlock_giant(s); 128 return (0); 129 } 130 131 /* 132 * Get process group ID; note that POSIX getpgrp takes no parameter 133 * 134 * MP SAFE 135 */ 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getpgrp_args { 138 int dummy; 139 }; 140 #endif 141 /* 142 * MPSAFE 143 */ 144 int 145 getpgrp(td, uap) 146 struct thread *td; 147 struct getpgrp_args *uap; 148 { 149 struct proc *p = td->td_proc; 150 151 mtx_lock(&Giant); 152 td->td_retval[0] = p->p_pgrp->pg_id; 153 mtx_unlock(&Giant); 154 return (0); 155 } 156 157 /* Get an arbitary pid's process group id */ 158 #ifndef _SYS_SYSPROTO_H_ 159 struct getpgid_args { 160 pid_t pid; 161 }; 162 #endif 163 164 /* 165 * MPSAFE 166 */ 167 int 168 getpgid(td, uap) 169 struct thread *td; 170 struct getpgid_args *uap; 171 { 172 struct proc *p = td->td_proc; 173 struct proc *pt; 174 int error = 0; 175 int s; 176 177 s = mtx_lock_giant(kern_giant_proc); 178 if (uap->pid == 0) 179 td->td_retval[0] = p->p_pgrp->pg_id; 180 else if ((pt = pfind(uap->pid)) == NULL) 181 error = ESRCH; 182 else { 183 error = p_cansee(p, pt); 184 if (error == 0) 185 td->td_retval[0] = pt->p_pgrp->pg_id; 186 PROC_UNLOCK(pt); 187 } 188 mtx_unlock_giant(s); 189 return (error); 190 } 191 192 /* 193 * Get an arbitary pid's session id. 194 */ 195 #ifndef _SYS_SYSPROTO_H_ 196 struct getsid_args { 197 pid_t pid; 198 }; 199 #endif 200 201 /* 202 * MPSAFE 203 */ 204 int 205 getsid(td, uap) 206 struct thread *td; 207 struct getsid_args *uap; 208 { 209 struct proc *p = td->td_proc; 210 struct proc *pt; 211 int error = 0; 212 213 mtx_lock(&Giant); 214 if (uap->pid == 0) 215 td->td_retval[0] = p->p_session->s_sid; 216 else if ((pt = pfind(uap->pid)) == NULL) 217 error = ESRCH; 218 else { 219 error = p_cansee(p, pt); 220 if (error == 0) 221 td->td_retval[0] = pt->p_session->s_sid; 222 PROC_UNLOCK(pt); 223 } 224 mtx_unlock(&Giant); 225 return (error); 226 } 227 228 229 /* 230 * getuid() - MP SAFE 231 */ 232 #ifndef _SYS_SYSPROTO_H_ 233 struct getuid_args { 234 int dummy; 235 }; 236 #endif 237 238 /* 239 * MPSAFE 240 */ 241 /* ARGSUSED */ 242 int 243 getuid(td, uap) 244 struct thread *td; 245 struct getuid_args *uap; 246 { 247 struct proc *p = td->td_proc; 248 249 mtx_lock(&Giant); 250 td->td_retval[0] = p->p_ucred->cr_ruid; 251 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 252 td->td_retval[1] = p->p_ucred->cr_uid; 253 #endif 254 mtx_unlock(&Giant); 255 return (0); 256 } 257 258 /* 259 * geteuid() - MP SAFE 260 */ 261 #ifndef _SYS_SYSPROTO_H_ 262 struct geteuid_args { 263 int dummy; 264 }; 265 #endif 266 267 /* ARGSUSED */ 268 int 269 geteuid(td, uap) 270 struct thread *td; 271 struct geteuid_args *uap; 272 { 273 mtx_lock(&Giant); 274 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 275 mtx_unlock(&Giant); 276 return (0); 277 } 278 279 /* 280 * getgid() - MP SAFE 281 */ 282 #ifndef _SYS_SYSPROTO_H_ 283 struct getgid_args { 284 int dummy; 285 }; 286 #endif 287 288 /* 289 * MPSAFE 290 */ 291 /* ARGSUSED */ 292 int 293 getgid(td, uap) 294 struct thread *td; 295 struct getgid_args *uap; 296 { 297 struct proc *p = td->td_proc; 298 299 mtx_lock(&Giant); 300 td->td_retval[0] = p->p_ucred->cr_rgid; 301 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 302 td->td_retval[1] = p->p_ucred->cr_groups[0]; 303 #endif 304 mtx_unlock(&Giant); 305 return (0); 306 } 307 308 /* 309 * Get effective group ID. The "egid" is groups[0], and could be obtained 310 * via getgroups. This syscall exists because it is somewhat painful to do 311 * correctly in a library function. 312 */ 313 #ifndef _SYS_SYSPROTO_H_ 314 struct getegid_args { 315 int dummy; 316 }; 317 #endif 318 319 /* 320 * MPSAFE 321 */ 322 /* ARGSUSED */ 323 int 324 getegid(td, uap) 325 struct thread *td; 326 struct getegid_args *uap; 327 { 328 struct proc *p = td->td_proc; 329 330 mtx_lock(&Giant); 331 td->td_retval[0] = p->p_ucred->cr_groups[0]; 332 mtx_unlock(&Giant); 333 return (0); 334 } 335 336 #ifndef _SYS_SYSPROTO_H_ 337 struct getgroups_args { 338 u_int gidsetsize; 339 gid_t *gidset; 340 }; 341 #endif 342 /* 343 * MPSAFE 344 */ 345 int 346 getgroups(td, uap) 347 struct thread *td; 348 register struct getgroups_args *uap; 349 { 350 struct ucred *cred; 351 struct proc *p = td->td_proc; 352 u_int ngrp; 353 int error = 0; 354 355 mtx_lock(&Giant); 356 cred = p->p_ucred; 357 if ((ngrp = uap->gidsetsize) == 0) { 358 td->td_retval[0] = cred->cr_ngroups; 359 error = 0; 360 goto done2; 361 } 362 if (ngrp < cred->cr_ngroups) { 363 error = EINVAL; 364 goto done2; 365 } 366 ngrp = cred->cr_ngroups; 367 if ((error = copyout((caddr_t)cred->cr_groups, 368 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) { 369 goto done2; 370 } 371 td->td_retval[0] = ngrp; 372 done2: 373 mtx_unlock(&Giant); 374 return (error); 375 } 376 377 #ifndef _SYS_SYSPROTO_H_ 378 struct setsid_args { 379 int dummy; 380 }; 381 #endif 382 383 /* 384 * MPSAFE 385 */ 386 /* ARGSUSED */ 387 int 388 setsid(td, uap) 389 register struct thread *td; 390 struct setsid_args *uap; 391 { 392 int error; 393 struct proc *p = td->td_proc; 394 395 mtx_lock(&Giant); 396 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 397 error = EPERM; 398 } else { 399 (void)enterpgrp(p, p->p_pid, 1); 400 td->td_retval[0] = p->p_pid; 401 error = 0; 402 } 403 mtx_unlock(&Giant); 404 return (error); 405 } 406 407 /* 408 * set process group (setpgid/old setpgrp) 409 * 410 * caller does setpgid(targpid, targpgid) 411 * 412 * pid must be caller or child of caller (ESRCH) 413 * if a child 414 * pid must be in same session (EPERM) 415 * pid can't have done an exec (EACCES) 416 * if pgid != pid 417 * there must exist some pid in same session having pgid (EPERM) 418 * pid must not be session leader (EPERM) 419 */ 420 #ifndef _SYS_SYSPROTO_H_ 421 struct setpgid_args { 422 int pid; /* target process id */ 423 int pgid; /* target pgrp id */ 424 }; 425 #endif 426 /* 427 * MPSAFE 428 */ 429 /* ARGSUSED */ 430 int 431 setpgid(td, uap) 432 struct thread *td; 433 register struct setpgid_args *uap; 434 { 435 struct proc *curp = td->td_proc; 436 register struct proc *targp; /* target process */ 437 register struct pgrp *pgrp; /* target pgrp */ 438 int error; 439 440 if (uap->pgid < 0) 441 return (EINVAL); 442 443 mtx_lock(&Giant); 444 445 if (uap->pid != 0 && uap->pid != curp->p_pid) { 446 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 447 if (targp) 448 PROC_UNLOCK(targp); 449 error = ESRCH; 450 goto done2; 451 } 452 if ((error = p_cansee(curproc, targp))) { 453 PROC_UNLOCK(targp); 454 goto done2; 455 } 456 if (targp->p_pgrp == NULL || 457 targp->p_session != curp->p_session) { 458 PROC_UNLOCK(targp); 459 error = EPERM; 460 goto done2; 461 } 462 if (targp->p_flag & P_EXEC) { 463 PROC_UNLOCK(targp); 464 error = EACCES; 465 goto done2; 466 } 467 } else { 468 targp = curp; 469 PROC_LOCK(curp); /* XXX: not needed */ 470 } 471 if (SESS_LEADER(targp)) { 472 PROC_UNLOCK(targp); 473 error = EPERM; 474 goto done2; 475 } 476 if (uap->pgid == 0) { 477 uap->pgid = targp->p_pid; 478 } else if (uap->pgid != targp->p_pid) { 479 if ((pgrp = pgfind(uap->pgid)) == 0 || 480 pgrp->pg_session != curp->p_session) { 481 PROC_UNLOCK(targp); 482 error = EPERM; 483 goto done2; 484 } 485 } 486 /* XXX: We should probably hold the lock across enterpgrp. */ 487 PROC_UNLOCK(targp); 488 error = enterpgrp(targp, uap->pgid, 0); 489 done2: 490 mtx_unlock(&Giant); 491 return (error); 492 } 493 494 /* 495 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 496 * compatible. It says that setting the uid/gid to euid/egid is a special 497 * case of "appropriate privilege". Once the rules are expanded out, this 498 * basically means that setuid(nnn) sets all three id's, in all permitted 499 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 500 * does not set the saved id - this is dangerous for traditional BSD 501 * programs. For this reason, we *really* do not want to set 502 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 503 */ 504 #define POSIX_APPENDIX_B_4_2_2 505 506 #ifndef _SYS_SYSPROTO_H_ 507 struct setuid_args { 508 uid_t uid; 509 }; 510 #endif 511 /* 512 * MPSAFE 513 */ 514 /* ARGSUSED */ 515 int 516 setuid(td, uap) 517 struct thread *td; 518 struct setuid_args *uap; 519 { 520 struct proc *p = td->td_proc; 521 struct ucred *newcred, *oldcred; 522 uid_t uid; 523 int error = 0; 524 525 uid = uap->uid; 526 oldcred = p->p_ucred; 527 mtx_lock(&Giant); 528 529 /* 530 * See if we have "permission" by POSIX 1003.1 rules. 531 * 532 * Note that setuid(geteuid()) is a special case of 533 * "appropriate privileges" in appendix B.4.2.2. We need 534 * to use this clause to be compatible with traditional BSD 535 * semantics. Basically, it means that "setuid(xx)" sets all 536 * three id's (assuming you have privs). 537 * 538 * Notes on the logic. We do things in three steps. 539 * 1: We determine if the euid is going to change, and do EPERM 540 * right away. We unconditionally change the euid later if this 541 * test is satisfied, simplifying that part of the logic. 542 * 2: We determine if the real and/or saved uid's are going to 543 * change. Determined by compile options. 544 * 3: Change euid last. (after tests in #2 for "appropriate privs") 545 */ 546 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 547 #ifdef _POSIX_SAVED_IDS 548 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 549 #endif 550 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 551 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 552 #endif 553 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 554 goto done2; 555 556 newcred = crdup(oldcred); 557 #ifdef _POSIX_SAVED_IDS 558 /* 559 * Do we have "appropriate privileges" (are we root or uid == euid) 560 * If so, we are changing the real uid and/or saved uid. 561 */ 562 if ( 563 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 564 uid == oldcred->cr_uid || 565 #endif 566 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 567 #endif 568 { 569 /* 570 * Set the real uid and transfer proc count to new user. 571 */ 572 if (uid != oldcred->cr_ruid) { 573 change_ruid(newcred, uid); 574 setsugid(p); 575 } 576 /* 577 * Set saved uid 578 * 579 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 580 * the security of seteuid() depends on it. B.4.2.2 says it 581 * is important that we should do this. 582 */ 583 if (uid != oldcred->cr_svuid) { 584 change_svuid(newcred, uid); 585 setsugid(p); 586 } 587 } 588 589 /* 590 * In all permitted cases, we are changing the euid. 591 * Copy credentials so other references do not see our changes. 592 */ 593 if (uid != oldcred->cr_uid) { 594 change_euid(newcred, uid); 595 setsugid(p); 596 } 597 p->p_ucred = newcred; 598 crfree(oldcred); 599 done2: 600 mtx_unlock(&Giant); 601 return (error); 602 } 603 604 #ifndef _SYS_SYSPROTO_H_ 605 struct seteuid_args { 606 uid_t euid; 607 }; 608 #endif 609 /* 610 * MPSAFE 611 */ 612 /* ARGSUSED */ 613 int 614 seteuid(td, uap) 615 struct thread *td; 616 struct seteuid_args *uap; 617 { 618 struct proc *p = td->td_proc; 619 struct ucred *newcred, *oldcred; 620 uid_t euid; 621 int error = 0; 622 623 euid = uap->euid; 624 625 mtx_lock(&Giant); 626 oldcred = p->p_ucred; 627 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 628 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 629 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 630 goto done2; 631 } 632 /* 633 * Everything's okay, do it. Copy credentials so other references do 634 * not see our changes. 635 */ 636 newcred = crdup(oldcred); 637 if (oldcred->cr_uid != euid) { 638 change_euid(newcred, euid); 639 setsugid(p); 640 } 641 p->p_ucred = newcred; 642 crfree(oldcred); 643 done2: 644 mtx_unlock(&Giant); 645 return (error); 646 } 647 648 #ifndef _SYS_SYSPROTO_H_ 649 struct setgid_args { 650 gid_t gid; 651 }; 652 #endif 653 /* 654 * MPSAFE 655 */ 656 /* ARGSUSED */ 657 int 658 setgid(td, uap) 659 struct thread *td; 660 struct setgid_args *uap; 661 { 662 struct proc *p = td->td_proc; 663 struct ucred *newcred, *oldcred; 664 gid_t gid; 665 int error = 0; 666 667 gid = uap->gid; 668 669 mtx_lock(&Giant); 670 oldcred = p->p_ucred; 671 /* 672 * See if we have "permission" by POSIX 1003.1 rules. 673 * 674 * Note that setgid(getegid()) is a special case of 675 * "appropriate privileges" in appendix B.4.2.2. We need 676 * to use this clause to be compatible with traditional BSD 677 * semantics. Basically, it means that "setgid(xx)" sets all 678 * three id's (assuming you have privs). 679 * 680 * For notes on the logic here, see setuid() above. 681 */ 682 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 683 #ifdef _POSIX_SAVED_IDS 684 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 685 #endif 686 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 687 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 688 #endif 689 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 690 goto done2; 691 } 692 693 newcred = crdup(oldcred); 694 #ifdef _POSIX_SAVED_IDS 695 /* 696 * Do we have "appropriate privileges" (are we root or gid == egid) 697 * If so, we are changing the real uid and saved gid. 698 */ 699 if ( 700 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 701 gid == oldcred->cr_groups[0] || 702 #endif 703 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 704 #endif 705 { 706 /* 707 * Set real gid 708 */ 709 if (oldcred->cr_rgid != gid) { 710 change_rgid(newcred, gid); 711 setsugid(p); 712 } 713 /* 714 * Set saved gid 715 * 716 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 717 * the security of setegid() depends on it. B.4.2.2 says it 718 * is important that we should do this. 719 */ 720 if (oldcred->cr_svgid != gid) { 721 change_svgid(newcred, gid); 722 setsugid(p); 723 } 724 } 725 /* 726 * In all cases permitted cases, we are changing the egid. 727 * Copy credentials so other references do not see our changes. 728 */ 729 if (oldcred->cr_groups[0] != gid) { 730 change_egid(newcred, gid); 731 setsugid(p); 732 } 733 p->p_ucred = newcred; 734 crfree(oldcred); 735 done2: 736 mtx_unlock(&Giant); 737 return (error); 738 } 739 740 #ifndef _SYS_SYSPROTO_H_ 741 struct setegid_args { 742 gid_t egid; 743 }; 744 #endif 745 /* 746 * MPSAFE 747 */ 748 /* ARGSUSED */ 749 int 750 setegid(td, uap) 751 struct thread *td; 752 struct setegid_args *uap; 753 { 754 struct proc *p = td->td_proc; 755 struct ucred *newcred, *oldcred; 756 gid_t egid; 757 int error = 0; 758 759 egid = uap->egid; 760 761 mtx_lock(&Giant); 762 oldcred = p->p_ucred; 763 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 764 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 765 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 766 goto done2; 767 } 768 newcred = crdup(oldcred); 769 if (oldcred->cr_groups[0] != egid) { 770 change_egid(newcred, egid); 771 setsugid(p); 772 } 773 p->p_ucred = newcred; 774 crfree(oldcred); 775 done2: 776 mtx_unlock(&Giant); 777 return (error); 778 } 779 780 #ifndef _SYS_SYSPROTO_H_ 781 struct setgroups_args { 782 u_int gidsetsize; 783 gid_t *gidset; 784 }; 785 #endif 786 /* 787 * MPSAFE 788 */ 789 /* ARGSUSED */ 790 int 791 setgroups(td, uap) 792 struct thread *td; 793 struct setgroups_args *uap; 794 { 795 struct proc *p = td->td_proc; 796 struct ucred *newcred, *oldcred; 797 u_int ngrp; 798 int error; 799 800 mtx_lock(&Giant); 801 802 ngrp = uap->gidsetsize; 803 oldcred = p->p_ucred; 804 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 805 goto done2; 806 if (ngrp > NGROUPS) { 807 error = EINVAL; 808 goto done2; 809 } 810 /* 811 * XXX A little bit lazy here. We could test if anything has 812 * changed before crcopy() and setting P_SUGID. 813 */ 814 newcred = crdup(oldcred); 815 if (ngrp < 1) { 816 /* 817 * setgroups(0, NULL) is a legitimate way of clearing the 818 * groups vector on non-BSD systems (which generally do not 819 * have the egid in the groups[0]). We risk security holes 820 * when running non-BSD software if we do not do the same. 821 */ 822 newcred->cr_ngroups = 1; 823 } else { 824 if ((error = copyin((caddr_t)uap->gidset, 825 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 826 crfree(newcred); 827 goto done2; 828 } 829 newcred->cr_ngroups = ngrp; 830 } 831 setsugid(p); 832 p->p_ucred = newcred; 833 crfree(oldcred); 834 done2: 835 mtx_unlock(&Giant); 836 return (error); 837 } 838 839 #ifndef _SYS_SYSPROTO_H_ 840 struct setreuid_args { 841 uid_t ruid; 842 uid_t euid; 843 }; 844 #endif 845 /* 846 * MPSAFE 847 */ 848 /* ARGSUSED */ 849 int 850 setreuid(td, uap) 851 register struct thread *td; 852 struct setreuid_args *uap; 853 { 854 struct proc *p = td->td_proc; 855 struct ucred *newcred, *oldcred; 856 uid_t ruid, euid; 857 int error = 0; 858 859 ruid = uap->ruid; 860 euid = uap->euid; 861 862 mtx_lock(&Giant); 863 864 oldcred = p->p_ucred; 865 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 866 ruid != oldcred->cr_svuid) || 867 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 868 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 869 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 870 goto done2; 871 } 872 newcred = crdup(oldcred); 873 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 874 change_euid(newcred, euid); 875 setsugid(p); 876 } 877 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 878 change_ruid(newcred, ruid); 879 setsugid(p); 880 } 881 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 882 newcred->cr_svuid != newcred->cr_uid) { 883 change_svuid(newcred, newcred->cr_uid); 884 setsugid(p); 885 } 886 p->p_ucred = newcred; 887 crfree(oldcred); 888 done2: 889 mtx_unlock(&Giant); 890 return (error); 891 } 892 893 #ifndef _SYS_SYSPROTO_H_ 894 struct setregid_args { 895 gid_t rgid; 896 gid_t egid; 897 }; 898 #endif 899 /* 900 * MPSAFE 901 */ 902 /* ARGSUSED */ 903 int 904 setregid(td, uap) 905 register struct thread *td; 906 struct setregid_args *uap; 907 { 908 struct proc *p = td->td_proc; 909 struct ucred *newcred, *oldcred; 910 gid_t rgid, egid; 911 int error = 0; 912 913 rgid = uap->rgid; 914 egid = uap->egid; 915 916 mtx_lock(&Giant); 917 918 oldcred = p->p_ucred; 919 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 920 rgid != oldcred->cr_svgid) || 921 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 922 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 923 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 924 goto done2; 925 } 926 927 newcred = crdup(oldcred); 928 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 929 change_egid(newcred, egid); 930 setsugid(p); 931 } 932 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 933 change_rgid(newcred, rgid); 934 setsugid(p); 935 } 936 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 937 newcred->cr_svgid != newcred->cr_groups[0]) { 938 change_svgid(newcred, newcred->cr_groups[0]); 939 setsugid(p); 940 } 941 p->p_ucred = newcred; 942 crfree(oldcred); 943 done2: 944 mtx_unlock(&Giant); 945 return (error); 946 } 947 948 /* 949 * setresuid(ruid, euid, suid) is like setreuid except control over the 950 * saved uid is explicit. 951 */ 952 953 #ifndef _SYS_SYSPROTO_H_ 954 struct setresuid_args { 955 uid_t ruid; 956 uid_t euid; 957 uid_t suid; 958 }; 959 #endif 960 /* 961 * MPSAFE 962 */ 963 /* ARGSUSED */ 964 int 965 setresuid(td, uap) 966 register struct thread *td; 967 struct setresuid_args *uap; 968 { 969 struct proc *p = td->td_proc; 970 struct ucred *newcred, *oldcred; 971 uid_t ruid, euid, suid; 972 int error; 973 974 ruid = uap->ruid; 975 euid = uap->euid; 976 suid = uap->suid; 977 978 mtx_lock(&Giant); 979 oldcred = p->p_ucred; 980 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 981 ruid != oldcred->cr_svuid && 982 ruid != oldcred->cr_uid) || 983 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 984 euid != oldcred->cr_svuid && 985 euid != oldcred->cr_uid) || 986 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 987 suid != oldcred->cr_svuid && 988 suid != oldcred->cr_uid)) && 989 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 990 goto done2; 991 } 992 993 newcred = crdup(oldcred); 994 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 995 change_euid(newcred, euid); 996 setsugid(p); 997 } 998 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 999 change_ruid(newcred, ruid); 1000 setsugid(p); 1001 } 1002 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1003 change_svuid(newcred, suid); 1004 setsugid(p); 1005 } 1006 p->p_ucred = newcred; 1007 crfree(oldcred); 1008 error = 0; 1009 done2: 1010 mtx_unlock(&Giant); 1011 return (error); 1012 } 1013 1014 /* 1015 * setresgid(rgid, egid, sgid) is like setregid except control over the 1016 * saved gid is explicit. 1017 */ 1018 1019 #ifndef _SYS_SYSPROTO_H_ 1020 struct setresgid_args { 1021 gid_t rgid; 1022 gid_t egid; 1023 gid_t sgid; 1024 }; 1025 #endif 1026 /* 1027 * MPSAFE 1028 */ 1029 /* ARGSUSED */ 1030 int 1031 setresgid(td, uap) 1032 register struct thread *td; 1033 struct setresgid_args *uap; 1034 { 1035 struct proc *p = td->td_proc; 1036 struct ucred *newcred, *oldcred; 1037 gid_t rgid, egid, sgid; 1038 int error; 1039 1040 rgid = uap->rgid; 1041 egid = uap->egid; 1042 sgid = uap->sgid; 1043 1044 mtx_lock(&Giant); 1045 oldcred = p->p_ucred; 1046 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1047 rgid != oldcred->cr_svgid && 1048 rgid != oldcred->cr_groups[0]) || 1049 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1050 egid != oldcred->cr_svgid && 1051 egid != oldcred->cr_groups[0]) || 1052 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1053 sgid != oldcred->cr_svgid && 1054 sgid != oldcred->cr_groups[0])) && 1055 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1056 goto done2; 1057 } 1058 newcred = crdup(oldcred); 1059 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1060 change_egid(newcred, egid); 1061 setsugid(p); 1062 } 1063 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1064 change_rgid(newcred, rgid); 1065 setsugid(p); 1066 } 1067 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1068 change_svgid(newcred, sgid); 1069 setsugid(p); 1070 } 1071 p->p_ucred = newcred; 1072 crfree(oldcred); 1073 error = 0; 1074 done2: 1075 mtx_unlock(&Giant); 1076 return (error); 1077 } 1078 1079 #ifndef _SYS_SYSPROTO_H_ 1080 struct getresuid_args { 1081 uid_t *ruid; 1082 uid_t *euid; 1083 uid_t *suid; 1084 }; 1085 #endif 1086 /* 1087 * MPSAFE 1088 */ 1089 /* ARGSUSED */ 1090 int 1091 getresuid(td, uap) 1092 register struct thread *td; 1093 struct getresuid_args *uap; 1094 { 1095 struct ucred *cred; 1096 struct proc *p = td->td_proc; 1097 int error1 = 0, error2 = 0, error3 = 0; 1098 1099 mtx_lock(&Giant); 1100 cred = p->p_ucred; 1101 1102 if (uap->ruid) 1103 error1 = copyout((caddr_t)&cred->cr_ruid, 1104 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1105 if (uap->euid) 1106 error2 = copyout((caddr_t)&cred->cr_uid, 1107 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1108 if (uap->suid) 1109 error3 = copyout((caddr_t)&cred->cr_svuid, 1110 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1111 mtx_unlock(&Giant); 1112 return error1 ? error1 : (error2 ? error2 : error3); 1113 } 1114 1115 #ifndef _SYS_SYSPROTO_H_ 1116 struct getresgid_args { 1117 gid_t *rgid; 1118 gid_t *egid; 1119 gid_t *sgid; 1120 }; 1121 #endif 1122 /* 1123 * MPSAFE 1124 */ 1125 /* ARGSUSED */ 1126 int 1127 getresgid(td, uap) 1128 register struct thread *td; 1129 struct getresgid_args *uap; 1130 { 1131 struct ucred *cred; 1132 struct proc *p = td->td_proc; 1133 int error1 = 0, error2 = 0, error3 = 0; 1134 1135 mtx_lock(&Giant); 1136 cred = p->p_ucred; 1137 1138 if (uap->rgid) 1139 error1 = copyout((caddr_t)&cred->cr_rgid, 1140 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1141 if (uap->egid) 1142 error2 = copyout((caddr_t)&cred->cr_groups[0], 1143 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1144 if (uap->sgid) 1145 error3 = copyout((caddr_t)&cred->cr_svgid, 1146 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1147 mtx_unlock(&Giant); 1148 return error1 ? error1 : (error2 ? error2 : error3); 1149 } 1150 1151 1152 #ifndef _SYS_SYSPROTO_H_ 1153 struct issetugid_args { 1154 int dummy; 1155 }; 1156 #endif 1157 /* ARGSUSED */ 1158 int 1159 issetugid(td, uap) 1160 register struct thread *td; 1161 struct issetugid_args *uap; 1162 { 1163 struct proc *p = td->td_proc; 1164 1165 /* 1166 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1167 * we use P_SUGID because we consider changing the owners as 1168 * "tainting" as well. 1169 * This is significant for procs that start as root and "become" 1170 * a user without an exec - programs cannot know *everything* 1171 * that libc *might* have put in their data segment. 1172 */ 1173 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1174 return (0); 1175 } 1176 1177 /* 1178 * MPSAFE 1179 */ 1180 int 1181 __setugid(td, uap) 1182 struct thread *td; 1183 struct __setugid_args *uap; 1184 { 1185 #ifdef REGRESSION 1186 int error = 0; 1187 1188 mtx_lock(&Giant); 1189 switch (uap->flag) { 1190 case 0: 1191 td->td_proc->p_flag &= ~P_SUGID; 1192 break; 1193 case 1: 1194 td->td_proc->p_flag |= P_SUGID; 1195 break; 1196 default: 1197 error = EINVAL; 1198 break; 1199 } 1200 mtx_unlock(&Giant); 1201 return (error); 1202 #else /* !REGRESSION */ 1203 return (ENOSYS); 1204 #endif /* !REGRESSION */ 1205 } 1206 1207 /* 1208 * Check if gid is a member of the group set. 1209 */ 1210 int 1211 groupmember(gid, cred) 1212 gid_t gid; 1213 struct ucred *cred; 1214 { 1215 register gid_t *gp; 1216 gid_t *egp; 1217 1218 egp = &(cred->cr_groups[cred->cr_ngroups]); 1219 for (gp = cred->cr_groups; gp < egp; gp++) 1220 if (*gp == gid) 1221 return (1); 1222 return (0); 1223 } 1224 1225 /* 1226 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1227 * sysctl) determines whether the system 'super-user' policy is in effect. 1228 * If it is nonzero, an effective uid of 0 connotes special privilege, 1229 * overriding many mandatory and discretionary protections. If it is zero, 1230 * uid 0 is offered no special privilege in the kernel security policy. 1231 * Setting it to zero may seriously impact the functionality of many 1232 * existing userland programs, and should not be done without careful 1233 * consideration of the consequences. 1234 */ 1235 int suser_enabled = 1; 1236 SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW, 1237 &suser_enabled, 0, "processes with uid 0 have privilege"); 1238 1239 /* 1240 * Test whether the specified credentials imply "super-user" privilege. 1241 * Return 0 or EPERM. 1242 */ 1243 int 1244 suser(p) 1245 struct proc *p; 1246 { 1247 return suser_xxx(0, p, 0); 1248 } 1249 1250 /* 1251 * version for when the thread pointer is available and not the proc. 1252 * (saves having to include proc.h into every file that needs to do the change.) 1253 */ 1254 int 1255 suser_td(td) 1256 1257 struct thread *td; 1258 { 1259 return suser_xxx(0, td->td_proc, 0); 1260 } 1261 1262 /* 1263 * wrapper to use if you have the thread on hand but not the proc. 1264 */ 1265 int 1266 suser_xxx_td(cred, td, flag) 1267 struct ucred *cred; 1268 struct thread *td; 1269 int flag; 1270 { 1271 return(suser_xxx(cred, td->td_proc, flag)); 1272 } 1273 1274 int 1275 suser_xxx(cred, proc, flag) 1276 struct ucred *cred; 1277 struct proc *proc; 1278 int flag; 1279 { 1280 if (!suser_enabled) 1281 return (EPERM); 1282 if (!cred && !proc) { 1283 printf("suser_xxx(): THINK!\n"); 1284 return (EPERM); 1285 } 1286 if (!cred) 1287 cred = proc->p_ucred; 1288 if (cred->cr_uid != 0) 1289 return (EPERM); 1290 if (jailed(cred) && !(flag & PRISON_ROOT)) 1291 return (EPERM); 1292 return (0); 1293 } 1294 1295 /* 1296 * Test (local, globale) securelevel values against passed required 1297 * securelevel. _gt implements (level > securelevel), and _ge implements 1298 * (level >= securelevel). Returns 0 oer EPERM. 1299 * 1300 * cr is permitted to be NULL for the time being, as there were some 1301 * existing securelevel checks that occurred without a process/credential 1302 * context. In the future this will be disallowed, so a kernel 1303 * message is displayed. 1304 */ 1305 int 1306 securelevel_gt(struct ucred *cr, int level) 1307 { 1308 1309 if (cr == NULL) { 1310 printf("securelevel_gt: cr is NULL\n"); 1311 if (level > securelevel) 1312 return (0); 1313 else 1314 return (EPERM); 1315 } else if (cr->cr_prison == NULL) { 1316 if (level > securelevel) 1317 return (0); 1318 else 1319 return (EPERM); 1320 } else { 1321 if (level > imax(cr->cr_prison->pr_securelevel, securelevel)) 1322 return (0); 1323 else 1324 return (EPERM); 1325 } 1326 1327 } 1328 1329 int 1330 securelevel_ge(struct ucred *cr, int level) 1331 { 1332 1333 if (cr == NULL) { 1334 printf("securelevel_ge: cr is NULL\n"); 1335 if (level >= securelevel) 1336 return (0); 1337 else 1338 return (EPERM); 1339 } if (cr->cr_prison == NULL) { 1340 if (level >= securelevel) 1341 return (0); 1342 else 1343 return (EPERM); 1344 } else { 1345 if (level >= imax(cr->cr_prison->pr_securelevel, securelevel)) 1346 return (0); 1347 else 1348 return (EPERM); 1349 } 1350 } 1351 1352 /* 1353 * kern_security_seeotheruids_permitted determines whether or not visibility 1354 * of processes and sockets with credentials holding different real uid's 1355 * is possible using a variety of system MIBs. 1356 */ 1357 static int kern_security_seeotheruids_permitted = 1; 1358 SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted, 1359 CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0, 1360 "Unprivileged processes may see subjects/objects with different real uid"); 1361 1362 /*- 1363 * Determine if u1 "can see" the subject specified by u2. 1364 * Returns: 0 for permitted, an errno value otherwise 1365 * Locks: none 1366 * References: u1 and u2 must be immutable credentials 1367 * u1 and u2 must be valid for the lifetime of the call 1368 * u1 may equal u2, in which case only one reference is required 1369 */ 1370 int 1371 cr_cansee(struct ucred *u1, struct ucred *u2) 1372 { 1373 int error; 1374 1375 if ((error = prison_check(u1, u2))) 1376 return (error); 1377 if (!kern_security_seeotheruids_permitted && 1378 u1->cr_ruid != u2->cr_ruid) { 1379 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1380 return (ESRCH); 1381 } 1382 return (0); 1383 } 1384 1385 /*- 1386 * Determine if p1 "can see" the subject specified by p2. 1387 * Returns: 0 for permitted, an errno value otherwise 1388 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1389 * be held. Normally, p1 will be curproc, and a lock must be held 1390 * for p2. 1391 * References: p1 and p2 must be valid for the lifetime of the call 1392 */ 1393 int 1394 p_cansee(struct proc *p1, struct proc *p2) 1395 { 1396 1397 /* Wrap cr_cansee() for all functionality. */ 1398 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1399 } 1400 1401 /*- 1402 * Determine whether p1 may deliver the specified signal to p2. 1403 * Returns: 0 for permitted, an errno value otherwise 1404 * Locks: Sufficient locks to protect various components of p1 and p2 1405 * must be held. Normally, p1 will be curproc, and a lock must 1406 * be held for p2. 1407 * References: p1 and p2 must be valid for the lifetime of the call 1408 */ 1409 int 1410 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1411 { 1412 int error; 1413 1414 if (p1 == p2) 1415 return (0); 1416 1417 /* 1418 * Jail semantics limit the scope of signalling to p2 in the same 1419 * jail as p1, if p1 is in jail. 1420 */ 1421 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1422 return (error); 1423 1424 /* 1425 * UNIX signalling semantics require that processes in the same 1426 * session always be able to deliver SIGCONT to one another, 1427 * overriding the remaining protections. 1428 */ 1429 if (signum == SIGCONT && p1->p_session == p2->p_session) 1430 return (0); 1431 1432 /* 1433 * UNIX signal semantics depend on the status of the P_SUGID 1434 * bit on the target process. If the bit is set, then additional 1435 * restrictions are placed on the set of available signals. 1436 */ 1437 if (p2->p_flag & P_SUGID) { 1438 switch (signum) { 1439 case 0: 1440 case SIGKILL: 1441 case SIGINT: 1442 case SIGTERM: 1443 case SIGSTOP: 1444 case SIGTTIN: 1445 case SIGTTOU: 1446 case SIGTSTP: 1447 case SIGHUP: 1448 case SIGUSR1: 1449 case SIGUSR2: 1450 /* 1451 * Generally, permit job and terminal control 1452 * signals. 1453 */ 1454 break; 1455 default: 1456 /* Not permitted, privilege is required. */ 1457 error = suser_xxx(NULL, p1, PRISON_ROOT); 1458 if (error) 1459 return (error); 1460 } 1461 } 1462 1463 /* 1464 * Generally, the target credential's ruid or svuid must match the 1465 * subject credential's ruid or euid. 1466 */ 1467 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1468 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1469 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1470 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1471 /* Not permitted, try privilege. */ 1472 error = suser_xxx(NULL, p1, PRISON_ROOT); 1473 if (error) 1474 return (error); 1475 } 1476 1477 return (0); 1478 } 1479 1480 /*- 1481 * Determine whether p1 may reschedule p2 1482 * Returns: 0 for permitted, an errno value otherwise 1483 * Locks: Sufficient locks to protect various components of p1 and p2 1484 * must be held. Normally, p1 will be curproc, and a lock must 1485 * be held for p2. 1486 * References: p1 and p2 must be valid for the lifetime of the call 1487 */ 1488 int 1489 p_cansched(struct proc *p1, struct proc *p2) 1490 { 1491 int error; 1492 1493 if (p1 == p2) 1494 return (0); 1495 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1496 return (error); 1497 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1498 return (0); 1499 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1500 return (0); 1501 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1502 return (0); 1503 1504 #ifdef CAPABILITIES 1505 if (!cap_check_xxx(0, p1, CAP_SYS_NICE, PRISON_ROOT)) 1506 return (0); 1507 #endif 1508 1509 return (EPERM); 1510 } 1511 1512 /* 1513 * The kern_unprivileged_procdebug_permitted flag may be used to disable 1514 * a variety of unprivileged inter-process debugging services, including 1515 * some procfs functionality, ptrace(), and ktrace(). In the past, 1516 * inter-process debugging has been involved in a variety of security 1517 * problems, and sites not requiring the service might choose to disable it 1518 * when hardening systems. 1519 * 1520 * XXX: Should modifying and reading this variable require locking? 1521 */ 1522 static int kern_unprivileged_procdebug_permitted = 1; 1523 SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted, 1524 CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0, 1525 "Unprivileged processes may use process debugging facilities"); 1526 1527 /*- 1528 * Determine whether p1 may debug p2. 1529 * Returns: 0 for permitted, an errno value otherwise 1530 * Locks: Sufficient locks to protect various components of p1 and p2 1531 * must be held. Normally, p1 will be curproc, and a lock must 1532 * be held for p2. 1533 * References: p1 and p2 must be valid for the lifetime of the call 1534 */ 1535 int 1536 p_candebug(struct proc *p1, struct proc *p2) 1537 { 1538 int error; 1539 1540 if (!kern_unprivileged_procdebug_permitted) { 1541 error = suser_xxx(NULL, p1, PRISON_ROOT); 1542 if (error) 1543 return (error); 1544 } 1545 1546 if (p1 == p2) 1547 return (0); 1548 1549 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1550 return (error); 1551 1552 /* 1553 * Not owned by you, has done setuid (unless you're root). 1554 * XXX add a CAP_SYS_PTRACE here? 1555 */ 1556 if (p1->p_ucred->cr_uid != p2->p_ucred->cr_uid || 1557 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid || 1558 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid || 1559 p2->p_flag & P_SUGID) { 1560 error = suser_xxx(NULL, p1, PRISON_ROOT); 1561 if (error) 1562 return (error); 1563 } 1564 1565 /* can't trace init when securelevel > 0 */ 1566 if (p2->p_pid == 1) { 1567 error = securelevel_gt(p1->p_ucred, 0); 1568 if (error) 1569 return (error); 1570 } 1571 1572 /* can't trace a process that's currently exec'ing */ 1573 if ((p2->p_flag & P_INEXEC) != 0) 1574 return (EAGAIN); 1575 1576 return (0); 1577 } 1578 1579 /* 1580 * Allocate a zeroed cred structure. 1581 */ 1582 struct ucred * 1583 crget() 1584 { 1585 register struct ucred *cr; 1586 1587 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1588 cr->cr_ref = 1; 1589 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1590 return (cr); 1591 } 1592 1593 /* 1594 * Claim another reference to a ucred structure. 1595 */ 1596 struct ucred * 1597 crhold(cr) 1598 struct ucred *cr; 1599 { 1600 1601 mtx_lock(&cr->cr_mtx); 1602 cr->cr_ref++; 1603 mtx_unlock(&cr->cr_mtx); 1604 return (cr); 1605 } 1606 1607 1608 /* 1609 * Free a cred structure. 1610 * Throws away space when ref count gets to 0. 1611 */ 1612 void 1613 crfree(cr) 1614 struct ucred *cr; 1615 { 1616 1617 mtx_lock(&cr->cr_mtx); 1618 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1619 if (--cr->cr_ref == 0) { 1620 mtx_destroy(&cr->cr_mtx); 1621 /* 1622 * Some callers of crget(), such as nfs_statfs(), 1623 * allocate a temporary credential, but don't 1624 * allocate a uidinfo structure. 1625 */ 1626 if (cr->cr_uidinfo != NULL) 1627 uifree(cr->cr_uidinfo); 1628 if (cr->cr_ruidinfo != NULL) 1629 uifree(cr->cr_ruidinfo); 1630 /* 1631 * Free a prison, if any. 1632 */ 1633 if (jailed(cr)) 1634 prison_free(cr->cr_prison); 1635 FREE((caddr_t)cr, M_CRED); 1636 } else { 1637 mtx_unlock(&cr->cr_mtx); 1638 } 1639 } 1640 1641 /* 1642 * Check to see if this ucred is shared. 1643 */ 1644 int 1645 crshared(cr) 1646 struct ucred *cr; 1647 { 1648 int shared; 1649 1650 mtx_lock(&cr->cr_mtx); 1651 shared = (cr->cr_ref > 1); 1652 mtx_unlock(&cr->cr_mtx); 1653 return (shared); 1654 } 1655 1656 /* 1657 * Copy a ucred's contents from a template. Does not block. 1658 */ 1659 void 1660 crcopy(dest, src) 1661 struct ucred *dest, *src; 1662 { 1663 1664 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1665 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1666 (unsigned)((caddr_t)&src->cr_endcopy - 1667 (caddr_t)&src->cr_startcopy)); 1668 uihold(dest->cr_uidinfo); 1669 uihold(dest->cr_ruidinfo); 1670 if (jailed(dest)) 1671 prison_hold(dest->cr_prison); 1672 } 1673 1674 /* 1675 * Dup cred struct to a new held one. 1676 */ 1677 struct ucred * 1678 crdup(cr) 1679 struct ucred *cr; 1680 { 1681 struct ucred *newcr; 1682 1683 newcr = crget(); 1684 crcopy(newcr, cr); 1685 return (newcr); 1686 } 1687 1688 /* 1689 * Get login name, if available. 1690 */ 1691 #ifndef _SYS_SYSPROTO_H_ 1692 struct getlogin_args { 1693 char *namebuf; 1694 u_int namelen; 1695 }; 1696 #endif 1697 /* 1698 * MPSAFE 1699 */ 1700 /* ARGSUSED */ 1701 int 1702 getlogin(td, uap) 1703 struct thread *td; 1704 struct getlogin_args *uap; 1705 { 1706 int error; 1707 struct proc *p = td->td_proc; 1708 1709 mtx_lock(&Giant); 1710 if (uap->namelen > MAXLOGNAME) 1711 uap->namelen = MAXLOGNAME; 1712 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1713 (caddr_t) uap->namebuf, uap->namelen); 1714 mtx_unlock(&Giant); 1715 return(error); 1716 } 1717 1718 /* 1719 * Set login name. 1720 */ 1721 #ifndef _SYS_SYSPROTO_H_ 1722 struct setlogin_args { 1723 char *namebuf; 1724 }; 1725 #endif 1726 /* 1727 * MPSAFE 1728 */ 1729 /* ARGSUSED */ 1730 int 1731 setlogin(td, uap) 1732 struct thread *td; 1733 struct setlogin_args *uap; 1734 { 1735 struct proc *p = td->td_proc; 1736 int error; 1737 char logintmp[MAXLOGNAME]; 1738 1739 mtx_lock(&Giant); 1740 if ((error = suser_xxx(0, p, PRISON_ROOT))) 1741 goto done2; 1742 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1743 sizeof(logintmp), (size_t *)0); 1744 if (error == ENAMETOOLONG) { 1745 error = EINVAL; 1746 } else if (!error) { 1747 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1748 sizeof(logintmp)); 1749 } 1750 done2: 1751 mtx_unlock(&Giant); 1752 return (error); 1753 } 1754 1755 void 1756 setsugid(p) 1757 struct proc *p; 1758 { 1759 p->p_flag |= P_SUGID; 1760 if (!(p->p_pfsflags & PF_ISUGID)) 1761 p->p_stops = 0; 1762 } 1763 1764 /*- 1765 * Change a process's effective uid. 1766 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1767 * References: newcred must be an exclusive credential reference for the 1768 * duration of the call. 1769 */ 1770 void 1771 change_euid(newcred, euid) 1772 struct ucred *newcred; 1773 uid_t euid; 1774 { 1775 1776 newcred->cr_uid = euid; 1777 uifree(newcred->cr_uidinfo); 1778 newcred->cr_uidinfo = uifind(euid); 1779 } 1780 1781 /*- 1782 * Change a process's effective gid. 1783 * Side effects: newcred->cr_gid will be modified. 1784 * References: newcred must be an exclusive credential reference for the 1785 * duration of the call. 1786 */ 1787 void 1788 change_egid(newcred, egid) 1789 struct ucred *newcred; 1790 gid_t egid; 1791 { 1792 1793 newcred->cr_groups[0] = egid; 1794 } 1795 1796 /*- 1797 * Change a process's real uid. 1798 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1799 * will be updated, and the old and new cr_ruidinfo proc 1800 * counts will be updated. 1801 * References: newcred must be an exclusive credential reference for the 1802 * duration of the call. 1803 */ 1804 void 1805 change_ruid(newcred, ruid) 1806 struct ucred *newcred; 1807 uid_t ruid; 1808 { 1809 1810 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1811 newcred->cr_ruid = ruid; 1812 uifree(newcred->cr_ruidinfo); 1813 newcred->cr_ruidinfo = uifind(ruid); 1814 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1815 } 1816 1817 /*- 1818 * Change a process's real gid. 1819 * Side effects: newcred->cr_rgid will be updated. 1820 * References: newcred must be an exclusive credential reference for the 1821 * duration of the call. 1822 */ 1823 void 1824 change_rgid(newcred, rgid) 1825 struct ucred *newcred; 1826 gid_t rgid; 1827 { 1828 1829 newcred->cr_rgid = rgid; 1830 } 1831 1832 /*- 1833 * Change a process's saved uid. 1834 * Side effects: newcred->cr_svuid will be updated. 1835 * References: newcred must be an exclusive credential reference for the 1836 * duration of the call. 1837 */ 1838 void 1839 change_svuid(newcred, svuid) 1840 struct ucred *newcred; 1841 uid_t svuid; 1842 { 1843 1844 newcred->cr_svuid = svuid; 1845 } 1846 1847 /*- 1848 * Change a process's saved gid. 1849 * Side effects: newcred->cr_svgid will be updated. 1850 * References: newcred must be an exclusive credential reference for the 1851 * duration of the call. 1852 */ 1853 void 1854 change_svgid(newcred, svgid) 1855 struct ucred *newcred; 1856 gid_t svgid; 1857 { 1858 1859 newcred->cr_svgid = svgid; 1860 } 1861