1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD$ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/acct.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/malloc.h> 55 #include <sys/mutex.h> 56 #include <sys/sx.h> 57 #include <sys/proc.h> 58 #include <sys/sysproto.h> 59 #include <sys/jail.h> 60 #include <sys/pioctl.h> 61 #include <sys/resourcevar.h> 62 #include <sys/socket.h> 63 #include <sys/socketvar.h> 64 #include <sys/sysctl.h> 65 66 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68 SYSCTL_DECL(_security); 69 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 70 "BSD security policy"); 71 72 #ifndef _SYS_SYSPROTO_H_ 73 struct getpid_args { 74 int dummy; 75 }; 76 #endif 77 /* 78 * MPSAFE 79 */ 80 /* ARGSUSED */ 81 int 82 getpid(td, uap) 83 struct thread *td; 84 struct getpid_args *uap; 85 { 86 struct proc *p = td->td_proc; 87 int s; 88 89 s = mtx_lock_giant(kern_giant_proc); 90 td->td_retval[0] = p->p_pid; 91 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 92 PROC_LOCK(p); 93 td->td_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95 #endif 96 mtx_unlock_giant(s); 97 return (0); 98 } 99 100 #ifndef _SYS_SYSPROTO_H_ 101 struct getppid_args { 102 int dummy; 103 }; 104 #endif 105 /* 106 * MPSAFE 107 */ 108 /* ARGSUSED */ 109 int 110 getppid(td, uap) 111 struct thread *td; 112 struct getppid_args *uap; 113 { 114 struct proc *p = td->td_proc; 115 int s; 116 117 s = mtx_lock_giant(kern_giant_proc); 118 PROC_LOCK(p); 119 td->td_retval[0] = p->p_pptr->p_pid; 120 PROC_UNLOCK(p); 121 mtx_unlock_giant(s); 122 return (0); 123 } 124 125 /* 126 * Get process group ID; note that POSIX getpgrp takes no parameter. 127 */ 128 #ifndef _SYS_SYSPROTO_H_ 129 struct getpgrp_args { 130 int dummy; 131 }; 132 #endif 133 /* 134 * MPSAFE 135 */ 136 int 137 getpgrp(td, uap) 138 struct thread *td; 139 struct getpgrp_args *uap; 140 { 141 struct proc *p = td->td_proc; 142 int s; 143 144 s = mtx_lock_giant(kern_giant_proc); 145 PROC_LOCK(p); 146 td->td_retval[0] = p->p_pgrp->pg_id; 147 PROC_UNLOCK(p); 148 mtx_unlock_giant(s); 149 return (0); 150 } 151 152 /* Get an arbitary pid's process group id */ 153 #ifndef _SYS_SYSPROTO_H_ 154 struct getpgid_args { 155 pid_t pid; 156 }; 157 #endif 158 /* 159 * MPSAFE 160 */ 161 int 162 getpgid(td, uap) 163 struct thread *td; 164 struct getpgid_args *uap; 165 { 166 struct proc *p = td->td_proc; 167 struct proc *pt; 168 int error; 169 170 mtx_lock(&Giant); 171 error = 0; 172 if (uap->pid == 0) { 173 PROC_LOCK(p); 174 td->td_retval[0] = p->p_pgrp->pg_id; 175 PROC_UNLOCK(p); 176 } else if ((pt = pfind(uap->pid)) == NULL) 177 error = ESRCH; 178 else { 179 error = p_cansee(p, pt); 180 if (error == 0) 181 td->td_retval[0] = pt->p_pgrp->pg_id; 182 PROC_UNLOCK(pt); 183 } 184 mtx_unlock(&Giant); 185 return (error); 186 } 187 188 /* 189 * Get an arbitary pid's session id. 190 */ 191 #ifndef _SYS_SYSPROTO_H_ 192 struct getsid_args { 193 pid_t pid; 194 }; 195 #endif 196 /* 197 * MPSAFE 198 */ 199 int 200 getsid(td, uap) 201 struct thread *td; 202 struct getsid_args *uap; 203 { 204 struct proc *p = td->td_proc; 205 struct proc *pt; 206 int error; 207 208 mtx_lock(&Giant); 209 error = 0; 210 if (uap->pid == 0) { 211 PROC_LOCK(p); 212 td->td_retval[0] = p->p_session->s_sid; 213 PROC_UNLOCK(p); 214 } else if ((pt = pfind(uap->pid)) == NULL) 215 error = ESRCH; 216 else { 217 error = p_cansee(p, pt); 218 if (error == 0) 219 td->td_retval[0] = pt->p_session->s_sid; 220 PROC_UNLOCK(pt); 221 } 222 mtx_unlock(&Giant); 223 return (error); 224 } 225 226 #ifndef _SYS_SYSPROTO_H_ 227 struct getuid_args { 228 int dummy; 229 }; 230 #endif 231 /* 232 * MPSAFE 233 */ 234 /* ARGSUSED */ 235 int 236 getuid(td, uap) 237 struct thread *td; 238 struct getuid_args *uap; 239 { 240 241 td->td_retval[0] = td->td_ucred->cr_ruid; 242 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 243 td->td_retval[1] = td->td_ucred->cr_uid; 244 #endif 245 return (0); 246 } 247 248 #ifndef _SYS_SYSPROTO_H_ 249 struct geteuid_args { 250 int dummy; 251 }; 252 #endif 253 /* 254 * MPSAFE 255 */ 256 /* ARGSUSED */ 257 int 258 geteuid(td, uap) 259 struct thread *td; 260 struct geteuid_args *uap; 261 { 262 263 td->td_retval[0] = td->td_ucred->cr_uid; 264 return (0); 265 } 266 267 #ifndef _SYS_SYSPROTO_H_ 268 struct getgid_args { 269 int dummy; 270 }; 271 #endif 272 /* 273 * MPSAFE 274 */ 275 /* ARGSUSED */ 276 int 277 getgid(td, uap) 278 struct thread *td; 279 struct getgid_args *uap; 280 { 281 282 td->td_retval[0] = td->td_ucred->cr_rgid; 283 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 284 td->td_retval[1] = td->td_ucred->cr_groups[0]; 285 #endif 286 return (0); 287 } 288 289 /* 290 * Get effective group ID. The "egid" is groups[0], and could be obtained 291 * via getgroups. This syscall exists because it is somewhat painful to do 292 * correctly in a library function. 293 */ 294 #ifndef _SYS_SYSPROTO_H_ 295 struct getegid_args { 296 int dummy; 297 }; 298 #endif 299 /* 300 * MPSAFE 301 */ 302 /* ARGSUSED */ 303 int 304 getegid(td, uap) 305 struct thread *td; 306 struct getegid_args *uap; 307 { 308 309 td->td_retval[0] = td->td_ucred->cr_groups[0]; 310 return (0); 311 } 312 313 #ifndef _SYS_SYSPROTO_H_ 314 struct getgroups_args { 315 u_int gidsetsize; 316 gid_t *gidset; 317 }; 318 #endif 319 /* 320 * MPSAFE 321 */ 322 int 323 getgroups(td, uap) 324 struct thread *td; 325 register struct getgroups_args *uap; 326 { 327 struct ucred *cred; 328 u_int ngrp; 329 int error; 330 331 cred = td->td_ucred; 332 if ((ngrp = uap->gidsetsize) == 0) { 333 td->td_retval[0] = cred->cr_ngroups; 334 return (0); 335 } 336 if (ngrp < cred->cr_ngroups) 337 return (EINVAL); 338 ngrp = cred->cr_ngroups; 339 error = copyout((caddr_t)cred->cr_groups, (caddr_t)uap->gidset, 340 ngrp * sizeof(gid_t)); 341 if (error) 342 return (error); 343 td->td_retval[0] = ngrp; 344 return (0); 345 } 346 347 #ifndef _SYS_SYSPROTO_H_ 348 struct setsid_args { 349 int dummy; 350 }; 351 #endif 352 /* 353 * MPSAFE 354 */ 355 /* ARGSUSED */ 356 int 357 setsid(td, uap) 358 register struct thread *td; 359 struct setsid_args *uap; 360 { 361 struct pgrp *pgrp; 362 int error; 363 struct proc *p = td->td_proc; 364 struct pgrp *newpgrp; 365 struct session *newsess; 366 367 error = 0; 368 pgrp = NULL; 369 370 mtx_lock(&Giant); 371 372 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 373 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 374 375 PGRPSESS_XLOCK(); 376 377 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 378 if (pgrp != NULL) 379 PGRP_UNLOCK(pgrp); 380 error = EPERM; 381 goto fail; 382 } else { 383 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 384 td->td_retval[0] = p->p_pid; 385 error = 0; 386 } 387 PGRPSESS_XUNLOCK(); 388 mtx_unlock(&Giant); 389 return (0); 390 391 fail: 392 PGRPSESS_XUNLOCK(); 393 394 FREE(newpgrp, M_PGRP); 395 FREE(newsess, M_SESSION); 396 397 mtx_unlock(&Giant); 398 return (0); 399 } 400 401 /* 402 * set process group (setpgid/old setpgrp) 403 * 404 * caller does setpgid(targpid, targpgid) 405 * 406 * pid must be caller or child of caller (ESRCH) 407 * if a child 408 * pid must be in same session (EPERM) 409 * pid can't have done an exec (EACCES) 410 * if pgid != pid 411 * there must exist some pid in same session having pgid (EPERM) 412 * pid must not be session leader (EPERM) 413 */ 414 #ifndef _SYS_SYSPROTO_H_ 415 struct setpgid_args { 416 int pid; /* target process id */ 417 int pgid; /* target pgrp id */ 418 }; 419 #endif 420 /* 421 * MPSAFE 422 */ 423 /* ARGSUSED */ 424 int 425 setpgid(td, uap) 426 struct thread *td; 427 register struct setpgid_args *uap; 428 { 429 struct proc *curp = td->td_proc; 430 register struct proc *targp; /* target process */ 431 register struct pgrp *pgrp; /* target pgrp */ 432 int error; 433 struct pgrp *newpgrp; 434 435 if (uap->pgid < 0) 436 return (EINVAL); 437 438 error = 0; 439 440 mtx_lock(&Giant); 441 442 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 443 444 PGRPSESS_XLOCK(); 445 446 if (uap->pid != 0 && uap->pid != curp->p_pid) { 447 sx_slock(&proctree_lock); 448 if ((targp = pfind(uap->pid)) == NULL) { 449 if (targp) 450 PROC_UNLOCK(targp); 451 sx_sunlock(&proctree_lock); 452 error = ESRCH; 453 goto fail; 454 } 455 if (!inferior(targp)) { 456 PROC_UNLOCK(targp); 457 sx_sunlock(&proctree_lock); 458 error = ESRCH; 459 goto fail; 460 } 461 sx_sunlock(&proctree_lock); 462 if ((error = p_cansee(curproc, targp))) { 463 PROC_UNLOCK(targp); 464 goto fail; 465 } 466 if (targp->p_pgrp == NULL || 467 targp->p_session != curp->p_session) { 468 PROC_UNLOCK(targp); 469 error = EPERM; 470 goto fail; 471 } 472 if (targp->p_flag & P_EXEC) { 473 PROC_UNLOCK(targp); 474 error = EACCES; 475 goto fail; 476 } 477 PROC_UNLOCK(targp); 478 } else 479 targp = curp; 480 if (SESS_LEADER(targp)) { 481 error = EPERM; 482 goto fail; 483 } 484 if (uap->pgid == 0) 485 uap->pgid = targp->p_pid; 486 if (uap->pgid == targp->p_pid) { 487 if (targp->p_pgid == uap->pgid) 488 goto done; 489 error = enterpgrp(targp, uap->pgid, newpgrp, NULL); 490 if (error == 0) 491 newpgrp = NULL; 492 } else { 493 if ((pgrp = pgfind(uap->pgid)) == NULL || 494 pgrp->pg_session != curp->p_session) { 495 if (pgrp != NULL) 496 PGRP_UNLOCK(pgrp); 497 error = EPERM; 498 goto fail; 499 } 500 if (pgrp == targp->p_pgrp) { 501 PGRP_UNLOCK(pgrp); 502 goto done; 503 } 504 PGRP_UNLOCK(pgrp); 505 error = enterthispgrp(targp, pgrp); 506 } 507 done: 508 PGRPSESS_XUNLOCK(); 509 if (newpgrp != NULL) 510 FREE(newpgrp, M_PGRP); 511 mtx_unlock(&Giant); 512 return (0); 513 514 fail: 515 PGRPSESS_XUNLOCK(); 516 517 KASSERT(newpgrp != NULL, ("setpgid failed and newpgrp is null.")); 518 KASSERT(error != 0, ("setpgid successfully failed?")); 519 FREE(newpgrp, M_PGRP); 520 521 mtx_unlock(&Giant); 522 return (error); 523 } 524 525 /* 526 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 527 * compatible. It says that setting the uid/gid to euid/egid is a special 528 * case of "appropriate privilege". Once the rules are expanded out, this 529 * basically means that setuid(nnn) sets all three id's, in all permitted 530 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 531 * does not set the saved id - this is dangerous for traditional BSD 532 * programs. For this reason, we *really* do not want to set 533 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 534 */ 535 #define POSIX_APPENDIX_B_4_2_2 536 537 #ifndef _SYS_SYSPROTO_H_ 538 struct setuid_args { 539 uid_t uid; 540 }; 541 #endif 542 /* 543 * MPSAFE 544 */ 545 /* ARGSUSED */ 546 int 547 setuid(td, uap) 548 struct thread *td; 549 struct setuid_args *uap; 550 { 551 struct proc *p = td->td_proc; 552 struct ucred *newcred, *oldcred; 553 uid_t uid; 554 int error; 555 556 uid = uap->uid; 557 mtx_lock(&Giant); 558 error = 0; 559 oldcred = p->p_ucred; 560 561 /* 562 * See if we have "permission" by POSIX 1003.1 rules. 563 * 564 * Note that setuid(geteuid()) is a special case of 565 * "appropriate privileges" in appendix B.4.2.2. We need 566 * to use this clause to be compatible with traditional BSD 567 * semantics. Basically, it means that "setuid(xx)" sets all 568 * three id's (assuming you have privs). 569 * 570 * Notes on the logic. We do things in three steps. 571 * 1: We determine if the euid is going to change, and do EPERM 572 * right away. We unconditionally change the euid later if this 573 * test is satisfied, simplifying that part of the logic. 574 * 2: We determine if the real and/or saved uids are going to 575 * change. Determined by compile options. 576 * 3: Change euid last. (after tests in #2 for "appropriate privs") 577 */ 578 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 579 #ifdef _POSIX_SAVED_IDS 580 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 581 #endif 582 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 583 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 584 #endif 585 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 586 goto done2; 587 588 newcred = crdup(oldcred); 589 #ifdef _POSIX_SAVED_IDS 590 /* 591 * Do we have "appropriate privileges" (are we root or uid == euid) 592 * If so, we are changing the real uid and/or saved uid. 593 */ 594 if ( 595 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 596 uid == oldcred->cr_uid || 597 #endif 598 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 599 #endif 600 { 601 /* 602 * Set the real uid and transfer proc count to new user. 603 */ 604 if (uid != oldcred->cr_ruid) { 605 change_ruid(newcred, uid); 606 setsugid(p); 607 } 608 /* 609 * Set saved uid 610 * 611 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 612 * the security of seteuid() depends on it. B.4.2.2 says it 613 * is important that we should do this. 614 */ 615 if (uid != oldcred->cr_svuid) { 616 change_svuid(newcred, uid); 617 setsugid(p); 618 } 619 } 620 621 /* 622 * In all permitted cases, we are changing the euid. 623 * Copy credentials so other references do not see our changes. 624 */ 625 if (uid != oldcred->cr_uid) { 626 change_euid(newcred, uid); 627 setsugid(p); 628 } 629 p->p_ucred = newcred; 630 crfree(oldcred); 631 done2: 632 mtx_unlock(&Giant); 633 return (error); 634 } 635 636 #ifndef _SYS_SYSPROTO_H_ 637 struct seteuid_args { 638 uid_t euid; 639 }; 640 #endif 641 /* 642 * MPSAFE 643 */ 644 /* ARGSUSED */ 645 int 646 seteuid(td, uap) 647 struct thread *td; 648 struct seteuid_args *uap; 649 { 650 struct proc *p = td->td_proc; 651 struct ucred *newcred, *oldcred; 652 uid_t euid; 653 int error; 654 655 euid = uap->euid; 656 mtx_lock(&Giant); 657 error = 0; 658 oldcred = p->p_ucred; 659 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 660 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 661 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 662 goto done2; 663 /* 664 * Everything's okay, do it. Copy credentials so other references do 665 * not see our changes. 666 */ 667 newcred = crdup(oldcred); 668 if (oldcred->cr_uid != euid) { 669 change_euid(newcred, euid); 670 setsugid(p); 671 } 672 p->p_ucred = newcred; 673 crfree(oldcred); 674 done2: 675 mtx_unlock(&Giant); 676 return (error); 677 } 678 679 #ifndef _SYS_SYSPROTO_H_ 680 struct setgid_args { 681 gid_t gid; 682 }; 683 #endif 684 /* 685 * MPSAFE 686 */ 687 /* ARGSUSED */ 688 int 689 setgid(td, uap) 690 struct thread *td; 691 struct setgid_args *uap; 692 { 693 struct proc *p = td->td_proc; 694 struct ucred *newcred, *oldcred; 695 gid_t gid; 696 int error; 697 698 gid = uap->gid; 699 mtx_lock(&Giant); 700 error = 0; 701 oldcred = p->p_ucred; 702 703 /* 704 * See if we have "permission" by POSIX 1003.1 rules. 705 * 706 * Note that setgid(getegid()) is a special case of 707 * "appropriate privileges" in appendix B.4.2.2. We need 708 * to use this clause to be compatible with traditional BSD 709 * semantics. Basically, it means that "setgid(xx)" sets all 710 * three id's (assuming you have privs). 711 * 712 * For notes on the logic here, see setuid() above. 713 */ 714 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 715 #ifdef _POSIX_SAVED_IDS 716 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 717 #endif 718 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 719 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 720 #endif 721 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 722 goto done2; 723 724 newcred = crdup(oldcred); 725 #ifdef _POSIX_SAVED_IDS 726 /* 727 * Do we have "appropriate privileges" (are we root or gid == egid) 728 * If so, we are changing the real uid and saved gid. 729 */ 730 if ( 731 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 732 gid == oldcred->cr_groups[0] || 733 #endif 734 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 735 #endif 736 { 737 /* 738 * Set real gid 739 */ 740 if (oldcred->cr_rgid != gid) { 741 change_rgid(newcred, gid); 742 setsugid(p); 743 } 744 /* 745 * Set saved gid 746 * 747 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 748 * the security of setegid() depends on it. B.4.2.2 says it 749 * is important that we should do this. 750 */ 751 if (oldcred->cr_svgid != gid) { 752 change_svgid(newcred, gid); 753 setsugid(p); 754 } 755 } 756 /* 757 * In all cases permitted cases, we are changing the egid. 758 * Copy credentials so other references do not see our changes. 759 */ 760 if (oldcred->cr_groups[0] != gid) { 761 change_egid(newcred, gid); 762 setsugid(p); 763 } 764 p->p_ucred = newcred; 765 crfree(oldcred); 766 done2: 767 mtx_unlock(&Giant); 768 return (error); 769 } 770 771 #ifndef _SYS_SYSPROTO_H_ 772 struct setegid_args { 773 gid_t egid; 774 }; 775 #endif 776 /* 777 * MPSAFE 778 */ 779 /* ARGSUSED */ 780 int 781 setegid(td, uap) 782 struct thread *td; 783 struct setegid_args *uap; 784 { 785 struct proc *p = td->td_proc; 786 struct ucred *newcred, *oldcred; 787 gid_t egid; 788 int error; 789 790 egid = uap->egid; 791 mtx_lock(&Giant); 792 error = 0; 793 oldcred = p->p_ucred; 794 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 795 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 796 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 797 goto done2; 798 newcred = crdup(oldcred); 799 if (oldcred->cr_groups[0] != egid) { 800 change_egid(newcred, egid); 801 setsugid(p); 802 } 803 p->p_ucred = newcred; 804 crfree(oldcred); 805 done2: 806 mtx_unlock(&Giant); 807 return (error); 808 } 809 810 #ifndef _SYS_SYSPROTO_H_ 811 struct setgroups_args { 812 u_int gidsetsize; 813 gid_t *gidset; 814 }; 815 #endif 816 /* 817 * MPSAFE 818 */ 819 /* ARGSUSED */ 820 int 821 setgroups(td, uap) 822 struct thread *td; 823 struct setgroups_args *uap; 824 { 825 struct proc *p = td->td_proc; 826 struct ucred *newcred, *oldcred; 827 u_int ngrp; 828 int error; 829 830 ngrp = uap->gidsetsize; 831 mtx_lock(&Giant); 832 oldcred = p->p_ucred; 833 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 834 goto done2; 835 if (ngrp > NGROUPS) { 836 error = EINVAL; 837 goto done2; 838 } 839 /* 840 * XXX A little bit lazy here. We could test if anything has 841 * changed before crcopy() and setting P_SUGID. 842 */ 843 newcred = crdup(oldcred); 844 if (ngrp < 1) { 845 /* 846 * setgroups(0, NULL) is a legitimate way of clearing the 847 * groups vector on non-BSD systems (which generally do not 848 * have the egid in the groups[0]). We risk security holes 849 * when running non-BSD software if we do not do the same. 850 */ 851 newcred->cr_ngroups = 1; 852 } else { 853 if ((error = copyin((caddr_t)uap->gidset, 854 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 855 crfree(newcred); 856 goto done2; 857 } 858 newcred->cr_ngroups = ngrp; 859 } 860 setsugid(p); 861 p->p_ucred = newcred; 862 crfree(oldcred); 863 done2: 864 mtx_unlock(&Giant); 865 return (error); 866 } 867 868 #ifndef _SYS_SYSPROTO_H_ 869 struct setreuid_args { 870 uid_t ruid; 871 uid_t euid; 872 }; 873 #endif 874 /* 875 * MPSAFE 876 */ 877 /* ARGSUSED */ 878 int 879 setreuid(td, uap) 880 register struct thread *td; 881 struct setreuid_args *uap; 882 { 883 struct proc *p = td->td_proc; 884 struct ucred *newcred, *oldcred; 885 uid_t euid, ruid; 886 int error; 887 888 euid = uap->euid; 889 ruid = uap->ruid; 890 mtx_lock(&Giant); 891 error = 0; 892 oldcred = p->p_ucred; 893 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 894 ruid != oldcred->cr_svuid) || 895 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 896 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 897 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 898 goto done2; 899 newcred = crdup(oldcred); 900 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 901 change_euid(newcred, euid); 902 setsugid(p); 903 } 904 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 905 change_ruid(newcred, ruid); 906 setsugid(p); 907 } 908 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 909 newcred->cr_svuid != newcred->cr_uid) { 910 change_svuid(newcred, newcred->cr_uid); 911 setsugid(p); 912 } 913 p->p_ucred = newcred; 914 crfree(oldcred); 915 done2: 916 mtx_unlock(&Giant); 917 return (error); 918 } 919 920 #ifndef _SYS_SYSPROTO_H_ 921 struct setregid_args { 922 gid_t rgid; 923 gid_t egid; 924 }; 925 #endif 926 /* 927 * MPSAFE 928 */ 929 /* ARGSUSED */ 930 int 931 setregid(td, uap) 932 register struct thread *td; 933 struct setregid_args *uap; 934 { 935 struct proc *p = td->td_proc; 936 struct ucred *newcred, *oldcred; 937 gid_t egid, rgid; 938 int error; 939 940 egid = uap->egid; 941 rgid = uap->rgid; 942 mtx_lock(&Giant); 943 error = 0; 944 oldcred = p->p_ucred; 945 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 946 rgid != oldcred->cr_svgid) || 947 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 948 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 949 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 950 goto done2; 951 newcred = crdup(oldcred); 952 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 953 change_egid(newcred, egid); 954 setsugid(p); 955 } 956 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 957 change_rgid(newcred, rgid); 958 setsugid(p); 959 } 960 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 961 newcred->cr_svgid != newcred->cr_groups[0]) { 962 change_svgid(newcred, newcred->cr_groups[0]); 963 setsugid(p); 964 } 965 p->p_ucred = newcred; 966 crfree(oldcred); 967 done2: 968 mtx_unlock(&Giant); 969 return (error); 970 } 971 972 /* 973 * setresuid(ruid, euid, suid) is like setreuid except control over the 974 * saved uid is explicit. 975 */ 976 977 #ifndef _SYS_SYSPROTO_H_ 978 struct setresuid_args { 979 uid_t ruid; 980 uid_t euid; 981 uid_t suid; 982 }; 983 #endif 984 /* 985 * MPSAFE 986 */ 987 /* ARGSUSED */ 988 int 989 setresuid(td, uap) 990 register struct thread *td; 991 struct setresuid_args *uap; 992 { 993 struct proc *p = td->td_proc; 994 struct ucred *newcred, *oldcred; 995 uid_t euid, ruid, suid; 996 int error; 997 998 euid = uap->euid; 999 ruid = uap->ruid; 1000 suid = uap->suid; 1001 mtx_lock(&Giant); 1002 oldcred = p->p_ucred; 1003 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1004 ruid != oldcred->cr_svuid && 1005 ruid != oldcred->cr_uid) || 1006 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1007 euid != oldcred->cr_svuid && 1008 euid != oldcred->cr_uid) || 1009 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1010 suid != oldcred->cr_svuid && 1011 suid != oldcred->cr_uid)) && 1012 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1013 goto done2; 1014 newcred = crdup(oldcred); 1015 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1016 change_euid(newcred, euid); 1017 setsugid(p); 1018 } 1019 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1020 change_ruid(newcred, ruid); 1021 setsugid(p); 1022 } 1023 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1024 change_svuid(newcred, suid); 1025 setsugid(p); 1026 } 1027 p->p_ucred = newcred; 1028 crfree(oldcred); 1029 error = 0; 1030 done2: 1031 mtx_unlock(&Giant); 1032 return (error); 1033 } 1034 1035 /* 1036 * setresgid(rgid, egid, sgid) is like setregid except control over the 1037 * saved gid is explicit. 1038 */ 1039 1040 #ifndef _SYS_SYSPROTO_H_ 1041 struct setresgid_args { 1042 gid_t rgid; 1043 gid_t egid; 1044 gid_t sgid; 1045 }; 1046 #endif 1047 /* 1048 * MPSAFE 1049 */ 1050 /* ARGSUSED */ 1051 int 1052 setresgid(td, uap) 1053 register struct thread *td; 1054 struct setresgid_args *uap; 1055 { 1056 struct proc *p = td->td_proc; 1057 struct ucred *newcred, *oldcred; 1058 gid_t egid, rgid, sgid; 1059 int error; 1060 1061 egid = uap->egid; 1062 rgid = uap->rgid; 1063 sgid = uap->sgid; 1064 mtx_lock(&Giant); 1065 oldcred = p->p_ucred; 1066 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1067 rgid != oldcred->cr_svgid && 1068 rgid != oldcred->cr_groups[0]) || 1069 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1070 egid != oldcred->cr_svgid && 1071 egid != oldcred->cr_groups[0]) || 1072 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1073 sgid != oldcred->cr_svgid && 1074 sgid != oldcred->cr_groups[0])) && 1075 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1076 goto done2; 1077 newcred = crdup(oldcred); 1078 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1079 change_egid(newcred, egid); 1080 setsugid(p); 1081 } 1082 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1083 change_rgid(newcred, rgid); 1084 setsugid(p); 1085 } 1086 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1087 change_svgid(newcred, sgid); 1088 setsugid(p); 1089 } 1090 p->p_ucred = newcred; 1091 crfree(oldcred); 1092 error = 0; 1093 done2: 1094 mtx_unlock(&Giant); 1095 return (error); 1096 } 1097 1098 #ifndef _SYS_SYSPROTO_H_ 1099 struct getresuid_args { 1100 uid_t *ruid; 1101 uid_t *euid; 1102 uid_t *suid; 1103 }; 1104 #endif 1105 /* 1106 * MPSAFE 1107 */ 1108 /* ARGSUSED */ 1109 int 1110 getresuid(td, uap) 1111 register struct thread *td; 1112 struct getresuid_args *uap; 1113 { 1114 struct ucred *cred; 1115 struct proc *p = td->td_proc; 1116 int error1 = 0, error2 = 0, error3 = 0; 1117 1118 mtx_lock(&Giant); 1119 cred = p->p_ucred; 1120 if (uap->ruid) 1121 error1 = copyout((caddr_t)&cred->cr_ruid, 1122 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1123 if (uap->euid) 1124 error2 = copyout((caddr_t)&cred->cr_uid, 1125 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1126 if (uap->suid) 1127 error3 = copyout((caddr_t)&cred->cr_svuid, 1128 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1129 mtx_unlock(&Giant); 1130 return (error1 ? error1 : error2 ? error2 : error3); 1131 } 1132 1133 #ifndef _SYS_SYSPROTO_H_ 1134 struct getresgid_args { 1135 gid_t *rgid; 1136 gid_t *egid; 1137 gid_t *sgid; 1138 }; 1139 #endif 1140 /* 1141 * MPSAFE 1142 */ 1143 /* ARGSUSED */ 1144 int 1145 getresgid(td, uap) 1146 register struct thread *td; 1147 struct getresgid_args *uap; 1148 { 1149 struct ucred *cred; 1150 struct proc *p = td->td_proc; 1151 int error1 = 0, error2 = 0, error3 = 0; 1152 1153 mtx_lock(&Giant); 1154 cred = p->p_ucred; 1155 if (uap->rgid) 1156 error1 = copyout((caddr_t)&cred->cr_rgid, 1157 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1158 if (uap->egid) 1159 error2 = copyout((caddr_t)&cred->cr_groups[0], 1160 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1161 if (uap->sgid) 1162 error3 = copyout((caddr_t)&cred->cr_svgid, 1163 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1164 mtx_unlock(&Giant); 1165 return (error1 ? error1 : error2 ? error2 : error3); 1166 } 1167 1168 #ifndef _SYS_SYSPROTO_H_ 1169 struct issetugid_args { 1170 int dummy; 1171 }; 1172 #endif 1173 /* 1174 * NOT MPSAFE? 1175 */ 1176 /* ARGSUSED */ 1177 int 1178 issetugid(td, uap) 1179 register struct thread *td; 1180 struct issetugid_args *uap; 1181 { 1182 struct proc *p = td->td_proc; 1183 1184 /* 1185 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1186 * we use P_SUGID because we consider changing the owners as 1187 * "tainting" as well. 1188 * This is significant for procs that start as root and "become" 1189 * a user without an exec - programs cannot know *everything* 1190 * that libc *might* have put in their data segment. 1191 */ 1192 PROC_LOCK(p); 1193 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1194 PROC_UNLOCK(p); 1195 return (0); 1196 } 1197 1198 /* 1199 * MPSAFE 1200 */ 1201 int 1202 __setugid(td, uap) 1203 struct thread *td; 1204 struct __setugid_args *uap; 1205 { 1206 #ifdef REGRESSION 1207 int error; 1208 1209 mtx_lock(&Giant); 1210 error = 0; 1211 switch (uap->flag) { 1212 case 0: 1213 PROC_LOCK(td->td_proc); 1214 td->td_proc->p_flag &= ~P_SUGID; 1215 PROC_UNLOCK(td->td_proc); 1216 break; 1217 case 1: 1218 PROC_LOCK(td->td_proc); 1219 td->td_proc->p_flag |= P_SUGID; 1220 PROC_UNLOCK(td->td_proc); 1221 break; 1222 default: 1223 error = EINVAL; 1224 break; 1225 } 1226 mtx_unlock(&Giant); 1227 return (error); 1228 #else /* !REGRESSION */ 1229 1230 return (ENOSYS); 1231 #endif /* REGRESSION */ 1232 } 1233 1234 /* 1235 * Check if gid is a member of the group set. 1236 */ 1237 int 1238 groupmember(gid, cred) 1239 gid_t gid; 1240 struct ucred *cred; 1241 { 1242 register gid_t *gp; 1243 gid_t *egp; 1244 1245 egp = &(cred->cr_groups[cred->cr_ngroups]); 1246 for (gp = cred->cr_groups; gp < egp; gp++) 1247 if (*gp == gid) 1248 return (1); 1249 return (0); 1250 } 1251 1252 /* 1253 * `suser_enabled' (which can be set by the security.suser_enabled 1254 * sysctl) determines whether the system 'super-user' policy is in effect. 1255 * If it is nonzero, an effective uid of 0 connotes special privilege, 1256 * overriding many mandatory and discretionary protections. If it is zero, 1257 * uid 0 is offered no special privilege in the kernel security policy. 1258 * Setting it to zero may seriously impact the functionality of many 1259 * existing userland programs, and should not be done without careful 1260 * consideration of the consequences. 1261 */ 1262 int suser_enabled = 1; 1263 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1264 &suser_enabled, 0, "processes with uid 0 have privilege"); 1265 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1266 1267 /* 1268 * Test whether the specified credentials imply "super-user" privilege. 1269 * Return 0 or EPERM. 1270 */ 1271 int 1272 suser(p) 1273 struct proc *p; 1274 { 1275 1276 return (suser_xxx(0, p, 0)); 1277 } 1278 1279 /* 1280 * version for when the thread pointer is available and not the proc. 1281 * (saves having to include proc.h into every file that needs to do the change.) 1282 */ 1283 int 1284 suser_td(td) 1285 struct thread *td; 1286 { 1287 return (suser_xxx(0, td->td_proc, 0)); 1288 } 1289 1290 /* 1291 * wrapper to use if you have the thread on hand but not the proc. 1292 */ 1293 int 1294 suser_xxx_td(cred, td, flag) 1295 struct ucred *cred; 1296 struct thread *td; 1297 int flag; 1298 { 1299 return(suser_xxx(cred, td->td_proc, flag)); 1300 } 1301 1302 int 1303 suser_xxx(cred, proc, flag) 1304 struct ucred *cred; 1305 struct proc *proc; 1306 int flag; 1307 { 1308 if (!suser_enabled) 1309 return (EPERM); 1310 if (!cred && !proc) { 1311 printf("suser_xxx(): THINK!\n"); 1312 return (EPERM); 1313 } 1314 if (cred == NULL) 1315 cred = proc->p_ucred; 1316 if (cred->cr_uid != 0) 1317 return (EPERM); 1318 if (jailed(cred) && !(flag & PRISON_ROOT)) 1319 return (EPERM); 1320 return (0); 1321 } 1322 1323 /* 1324 * Test the active securelevel against a given level. securelevel_gt() 1325 * implements (securelevel > level). securelevel_ge() implements 1326 * (securelevel >= level). Note that the logic is inverted -- these 1327 * functions return EPERM on "success" and 0 on "failure". 1328 * 1329 * cr is permitted to be NULL for the time being, as there were some 1330 * existing securelevel checks that occurred without a process/credential 1331 * context. In the future this will be disallowed, so a kernel message 1332 * is displayed. 1333 */ 1334 int 1335 securelevel_gt(struct ucred *cr, int level) 1336 { 1337 int active_securelevel; 1338 1339 active_securelevel = securelevel; 1340 if (cr == NULL) 1341 panic("securelevel_gt: cr is NULL\n"); 1342 if (cr->cr_prison != NULL) { 1343 mtx_lock(&cr->cr_prison->pr_mtx); 1344 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1345 active_securelevel); 1346 mtx_unlock(&cr->cr_prison->pr_mtx); 1347 } 1348 return (active_securelevel > level ? EPERM : 0); 1349 } 1350 1351 int 1352 securelevel_ge(struct ucred *cr, int level) 1353 { 1354 int active_securelevel; 1355 1356 active_securelevel = securelevel; 1357 if (cr == NULL) 1358 panic("securelevel_gt: cr is NULL\n"); 1359 if (cr->cr_prison != NULL) { 1360 mtx_lock(&cr->cr_prison->pr_mtx); 1361 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1362 active_securelevel); 1363 mtx_unlock(&cr->cr_prison->pr_mtx); 1364 } 1365 return (active_securelevel >= level ? EPERM : 0); 1366 } 1367 1368 /* 1369 * 'see_other_uids' determines whether or not visibility of processes 1370 * and sockets with credentials holding different real uids is possible 1371 * using a variety of system MIBs. 1372 * XXX: data declarations should be together near the beginning of the file. 1373 */ 1374 static int see_other_uids = 1; 1375 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1376 &see_other_uids, 0, 1377 "Unprivileged processes may see subjects/objects with different real uid"); 1378 1379 /*- 1380 * Determine if u1 "can see" the subject specified by u2, according to the 1381 * 'see_other_uids' policy. 1382 * Returns: 0 for permitted, ESRCH otherwise 1383 * Locks: none 1384 * References: *u1 and *u2 must not change during the call 1385 * u1 may equal u2, in which case only one reference is required 1386 */ 1387 static int 1388 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1389 { 1390 1391 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1392 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1393 return (ESRCH); 1394 } 1395 return (0); 1396 } 1397 1398 /*- 1399 * Determine if u1 "can see" the subject specified by u2. 1400 * Returns: 0 for permitted, an errno value otherwise 1401 * Locks: none 1402 * References: *u1 and *u2 must not change during the call 1403 * u1 may equal u2, in which case only one reference is required 1404 */ 1405 int 1406 cr_cansee(struct ucred *u1, struct ucred *u2) 1407 { 1408 int error; 1409 1410 if ((error = prison_check(u1, u2))) 1411 return (error); 1412 if ((error = cr_seeotheruids(u1, u2))) 1413 return (error); 1414 return (0); 1415 } 1416 1417 /*- 1418 * Determine if p1 "can see" the subject specified by p2. 1419 * Returns: 0 for permitted, an errno value otherwise 1420 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1421 * be held. Normally, p1 will be curproc, and a lock must be held 1422 * for p2. 1423 * References: p1 and p2 must be valid for the lifetime of the call 1424 */ 1425 int 1426 p_cansee(struct proc *p1, struct proc *p2) 1427 { 1428 1429 /* Wrap cr_cansee() for all functionality. */ 1430 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1431 } 1432 1433 /*- 1434 * Determine whether cred may deliver the specified signal to proc. 1435 * Returns: 0 for permitted, an errno value otherwise. 1436 * Locks: A lock must be held for proc. 1437 * References: cred and proc must be valid for the lifetime of the call. 1438 */ 1439 int 1440 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1441 { 1442 int error; 1443 1444 /* 1445 * Jail semantics limit the scope of signalling to proc in the 1446 * same jail as cred, if cred is in jail. 1447 */ 1448 error = prison_check(cred, proc->p_ucred); 1449 if (error) 1450 return (error); 1451 error = cr_seeotheruids(cred, proc->p_ucred); 1452 if (error) 1453 return (error); 1454 1455 /* 1456 * UNIX signal semantics depend on the status of the P_SUGID 1457 * bit on the target process. If the bit is set, then additional 1458 * restrictions are placed on the set of available signals. 1459 */ 1460 if (proc->p_flag & P_SUGID) { 1461 switch (signum) { 1462 case 0: 1463 case SIGKILL: 1464 case SIGINT: 1465 case SIGTERM: 1466 case SIGSTOP: 1467 case SIGTTIN: 1468 case SIGTTOU: 1469 case SIGTSTP: 1470 case SIGHUP: 1471 case SIGUSR1: 1472 case SIGUSR2: 1473 /* 1474 * Generally, permit job and terminal control 1475 * signals. 1476 */ 1477 break; 1478 default: 1479 /* Not permitted without privilege. */ 1480 error = suser_xxx(cred, NULL, PRISON_ROOT); 1481 if (error) 1482 return (error); 1483 } 1484 } 1485 1486 /* 1487 * Generally, the target credential's ruid or svuid must match the 1488 * subject credential's ruid or euid. 1489 */ 1490 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1491 cred->cr_ruid != proc->p_ucred->cr_svuid && 1492 cred->cr_uid != proc->p_ucred->cr_ruid && 1493 cred->cr_uid != proc->p_ucred->cr_svuid) { 1494 /* Not permitted without privilege. */ 1495 error = suser_xxx(cred, NULL, PRISON_ROOT); 1496 if (error) 1497 return (error); 1498 } 1499 1500 return (0); 1501 } 1502 1503 1504 /*- 1505 * Determine whether p1 may deliver the specified signal to p2. 1506 * Returns: 0 for permitted, an errno value otherwise 1507 * Locks: Sufficient locks to protect various components of p1 and p2 1508 * must be held. Normally, p1 will be curproc, and a lock must 1509 * be held for p2. 1510 * References: p1 and p2 must be valid for the lifetime of the call 1511 */ 1512 int 1513 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1514 { 1515 1516 if (p1 == p2) 1517 return (0); 1518 1519 /* 1520 * UNIX signalling semantics require that processes in the same 1521 * session always be able to deliver SIGCONT to one another, 1522 * overriding the remaining protections. 1523 */ 1524 if (signum == SIGCONT && p1->p_session == p2->p_session) 1525 return (0); 1526 1527 return (cr_cansignal(p1->p_ucred, p2, signum)); 1528 } 1529 1530 /*- 1531 * Determine whether p1 may reschedule p2. 1532 * Returns: 0 for permitted, an errno value otherwise 1533 * Locks: Sufficient locks to protect various components of p1 and p2 1534 * must be held. Normally, p1 will be curproc, and a lock must 1535 * be held for p2. 1536 * References: p1 and p2 must be valid for the lifetime of the call 1537 */ 1538 int 1539 p_cansched(struct proc *p1, struct proc *p2) 1540 { 1541 int error; 1542 1543 if (p1 == p2) 1544 return (0); 1545 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1546 return (error); 1547 if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred))) 1548 return (error); 1549 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1550 return (0); 1551 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1552 return (0); 1553 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1554 return (0); 1555 1556 #ifdef CAPABILITIES 1557 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1558 return (0); 1559 #endif 1560 1561 return (EPERM); 1562 } 1563 1564 /* 1565 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1566 * unprivileged inter-process debugging services, including some procfs 1567 * functionality, ptrace(), and ktrace(). In the past, inter-process 1568 * debugging has been involved in a variety of security problems, and sites 1569 * not requiring the service might choose to disable it when hardening 1570 * systems. 1571 * 1572 * XXX: Should modifying and reading this variable require locking? 1573 * XXX: data declarations should be together near the beginning of the file. 1574 */ 1575 static int unprivileged_proc_debug = 1; 1576 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1577 &unprivileged_proc_debug, 0, 1578 "Unprivileged processes may use process debugging facilities"); 1579 1580 /*- 1581 * Determine whether p1 may debug p2. 1582 * Returns: 0 for permitted, an errno value otherwise 1583 * Locks: Sufficient locks to protect various components of p1 and p2 1584 * must be held. Normally, p1 will be curproc, and a lock must 1585 * be held for p2. 1586 * References: p1 and p2 must be valid for the lifetime of the call 1587 */ 1588 int 1589 p_candebug(struct proc *p1, struct proc *p2) 1590 { 1591 int credentialchanged, error, grpsubset, i, uidsubset; 1592 1593 if (!unprivileged_proc_debug) { 1594 error = suser_xxx(NULL, p1, PRISON_ROOT); 1595 if (error) 1596 return (error); 1597 } 1598 if (p1 == p2) 1599 return (0); 1600 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1601 return (error); 1602 if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred))) 1603 return (error); 1604 1605 /* 1606 * Is p2's group set a subset of p1's effective group set? This 1607 * includes p2's egid, group access list, rgid, and svgid. 1608 */ 1609 grpsubset = 1; 1610 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1611 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1612 grpsubset = 0; 1613 break; 1614 } 1615 } 1616 grpsubset = grpsubset && 1617 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1618 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1619 1620 /* 1621 * Are the uids present in p2's credential equal to p1's 1622 * effective uid? This includes p2's euid, svuid, and ruid. 1623 */ 1624 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1625 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1626 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1627 1628 /* 1629 * Has the credential of the process changed since the last exec()? 1630 */ 1631 credentialchanged = (p2->p_flag & P_SUGID); 1632 1633 /* 1634 * If p2's gids aren't a subset, or the uids aren't a subset, 1635 * or the credential has changed, require appropriate privilege 1636 * for p1 to debug p2. For POSIX.1e capabilities, this will 1637 * require CAP_SYS_PTRACE. 1638 */ 1639 if (!grpsubset || !uidsubset || credentialchanged) { 1640 error = suser_xxx(NULL, p1, PRISON_ROOT); 1641 if (error) 1642 return (error); 1643 } 1644 1645 /* Can't trace init when securelevel > 0. */ 1646 if (p2 == initproc) { 1647 error = securelevel_gt(p1->p_ucred, 0); 1648 if (error) 1649 return (error); 1650 } 1651 1652 /* 1653 * Can't trace a process that's currently exec'ing. 1654 * XXX: Note, this is not a security policy decision, it's a 1655 * basic correctness/functionality decision. Therefore, this check 1656 * should be moved to the caller's of p_candebug(). 1657 */ 1658 if ((p2->p_flag & P_INEXEC) != 0) 1659 return (EAGAIN); 1660 1661 return (0); 1662 } 1663 1664 /*- 1665 * Determine whether the subject represented by cred can "see" a socket. 1666 * Returns: 0 for permitted, ENOENT otherwise. 1667 */ 1668 int 1669 cr_canseesocket(struct ucred *cred, struct socket *so) 1670 { 1671 int error; 1672 1673 error = prison_check(cred, so->so_cred); 1674 if (error) 1675 return (ENOENT); 1676 if (cr_seeotheruids(cred, so->so_cred)) 1677 return (ENOENT); 1678 #ifdef MAC 1679 /* XXX: error = mac_cred_check_seesocket() here. */ 1680 #endif 1681 1682 return (0); 1683 } 1684 1685 /* 1686 * Allocate a zeroed cred structure. 1687 */ 1688 struct ucred * 1689 crget() 1690 { 1691 register struct ucred *cr; 1692 1693 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1694 cr->cr_ref = 1; 1695 cr->cr_mtxp = mtx_pool_find(cr); 1696 return (cr); 1697 } 1698 1699 /* 1700 * Claim another reference to a ucred structure. 1701 */ 1702 struct ucred * 1703 crhold(cr) 1704 struct ucred *cr; 1705 { 1706 1707 mtx_lock(cr->cr_mtxp); 1708 cr->cr_ref++; 1709 mtx_unlock(cr->cr_mtxp); 1710 return (cr); 1711 } 1712 1713 /* 1714 * Free a cred structure. 1715 * Throws away space when ref count gets to 0. 1716 */ 1717 void 1718 crfree(cr) 1719 struct ucred *cr; 1720 { 1721 struct mtx *mtxp = cr->cr_mtxp; 1722 1723 mtx_lock(mtxp); 1724 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1725 if (--cr->cr_ref == 0) { 1726 /* 1727 * Some callers of crget(), such as nfs_statfs(), 1728 * allocate a temporary credential, but don't 1729 * allocate a uidinfo structure. 1730 */ 1731 mtx_unlock(mtxp); 1732 mtx_lock(&Giant); 1733 if (cr->cr_uidinfo != NULL) 1734 uifree(cr->cr_uidinfo); 1735 if (cr->cr_ruidinfo != NULL) 1736 uifree(cr->cr_ruidinfo); 1737 /* 1738 * Free a prison, if any. 1739 */ 1740 if (jailed(cr)) 1741 prison_free(cr->cr_prison); 1742 FREE((caddr_t)cr, M_CRED); 1743 mtx_unlock(&Giant); 1744 } else { 1745 mtx_unlock(mtxp); 1746 } 1747 } 1748 1749 /* 1750 * Check to see if this ucred is shared. 1751 */ 1752 int 1753 crshared(cr) 1754 struct ucred *cr; 1755 { 1756 int shared; 1757 1758 mtx_lock(cr->cr_mtxp); 1759 shared = (cr->cr_ref > 1); 1760 mtx_unlock(cr->cr_mtxp); 1761 return (shared); 1762 } 1763 1764 /* 1765 * Copy a ucred's contents from a template. Does not block. 1766 */ 1767 void 1768 crcopy(dest, src) 1769 struct ucred *dest, *src; 1770 { 1771 1772 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1773 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1774 (unsigned)((caddr_t)&src->cr_endcopy - 1775 (caddr_t)&src->cr_startcopy)); 1776 uihold(dest->cr_uidinfo); 1777 uihold(dest->cr_ruidinfo); 1778 if (jailed(dest)) 1779 prison_hold(dest->cr_prison); 1780 } 1781 1782 /* 1783 * Dup cred struct to a new held one. 1784 */ 1785 struct ucred * 1786 crdup(cr) 1787 struct ucred *cr; 1788 { 1789 struct ucred *newcr; 1790 1791 newcr = crget(); 1792 crcopy(newcr, cr); 1793 return (newcr); 1794 } 1795 1796 #ifdef DIAGNOSTIC 1797 void 1798 cred_free_thread(struct thread *td) 1799 { 1800 struct ucred *cred; 1801 1802 cred = td->td_ucred; 1803 td->td_ucred = NULL; 1804 if (cred != NULL) 1805 crfree(cred); 1806 } 1807 #endif 1808 1809 /* 1810 * Fill in a struct xucred based on a struct ucred. 1811 */ 1812 void 1813 cru2x(cr, xcr) 1814 struct ucred *cr; 1815 struct xucred *xcr; 1816 { 1817 1818 bzero(xcr, sizeof(*xcr)); 1819 xcr->cr_version = XUCRED_VERSION; 1820 xcr->cr_uid = cr->cr_uid; 1821 xcr->cr_ngroups = cr->cr_ngroups; 1822 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1823 } 1824 1825 /* 1826 * small routine to swap a thread's current ucred for the correct one 1827 * taken from the process. 1828 */ 1829 void 1830 cred_update_thread(struct thread *td) 1831 { 1832 struct proc *p; 1833 struct ucred *cred; 1834 1835 p = td->td_proc; 1836 cred = td->td_ucred; 1837 mtx_lock(&Giant); 1838 PROC_LOCK(p); 1839 td->td_ucred = crhold(p->p_ucred); 1840 PROC_UNLOCK(p); 1841 if (cred != NULL) 1842 crfree(cred); 1843 mtx_unlock(&Giant); 1844 } 1845 1846 /* 1847 * Get login name, if available. 1848 */ 1849 #ifndef _SYS_SYSPROTO_H_ 1850 struct getlogin_args { 1851 char *namebuf; 1852 u_int namelen; 1853 }; 1854 #endif 1855 /* 1856 * MPSAFE 1857 */ 1858 /* ARGSUSED */ 1859 int 1860 getlogin(td, uap) 1861 struct thread *td; 1862 struct getlogin_args *uap; 1863 { 1864 int error; 1865 char login[MAXLOGNAME]; 1866 struct proc *p = td->td_proc; 1867 1868 mtx_lock(&Giant); 1869 if (uap->namelen > MAXLOGNAME) 1870 uap->namelen = MAXLOGNAME; 1871 PROC_LOCK(p); 1872 SESS_LOCK(p->p_session); 1873 bcopy(p->p_session->s_login, login, uap->namelen); 1874 SESS_UNLOCK(p->p_session); 1875 PROC_UNLOCK(p); 1876 error = copyout((caddr_t) login, (caddr_t) uap->namebuf, uap->namelen); 1877 mtx_unlock(&Giant); 1878 return(error); 1879 } 1880 1881 /* 1882 * Set login name. 1883 */ 1884 #ifndef _SYS_SYSPROTO_H_ 1885 struct setlogin_args { 1886 char *namebuf; 1887 }; 1888 #endif 1889 /* 1890 * MPSAFE 1891 */ 1892 /* ARGSUSED */ 1893 int 1894 setlogin(td, uap) 1895 struct thread *td; 1896 struct setlogin_args *uap; 1897 { 1898 struct proc *p = td->td_proc; 1899 int error; 1900 char logintmp[MAXLOGNAME]; 1901 1902 mtx_lock(&Giant); 1903 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0) 1904 goto done2; 1905 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1906 sizeof(logintmp), (size_t *)0); 1907 if (error == ENAMETOOLONG) 1908 error = EINVAL; 1909 else if (!error) { 1910 PROC_LOCK(p); 1911 SESS_LOCK(p->p_session); 1912 (void) memcpy(p->p_session->s_login, logintmp, 1913 sizeof(logintmp)); 1914 SESS_UNLOCK(p->p_session); 1915 PROC_UNLOCK(p); 1916 } 1917 done2: 1918 mtx_unlock(&Giant); 1919 return (error); 1920 } 1921 1922 void 1923 setsugid(p) 1924 struct proc *p; 1925 { 1926 p->p_flag |= P_SUGID; 1927 if (!(p->p_pfsflags & PF_ISUGID)) 1928 p->p_stops = 0; 1929 } 1930 1931 /*- 1932 * Change a process's effective uid. 1933 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1934 * References: newcred must be an exclusive credential reference for the 1935 * duration of the call. 1936 */ 1937 void 1938 change_euid(newcred, euid) 1939 struct ucred *newcred; 1940 uid_t euid; 1941 { 1942 1943 newcred->cr_uid = euid; 1944 uifree(newcred->cr_uidinfo); 1945 newcred->cr_uidinfo = uifind(euid); 1946 } 1947 1948 /*- 1949 * Change a process's effective gid. 1950 * Side effects: newcred->cr_gid will be modified. 1951 * References: newcred must be an exclusive credential reference for the 1952 * duration of the call. 1953 */ 1954 void 1955 change_egid(newcred, egid) 1956 struct ucred *newcred; 1957 gid_t egid; 1958 { 1959 1960 newcred->cr_groups[0] = egid; 1961 } 1962 1963 /*- 1964 * Change a process's real uid. 1965 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1966 * will be updated, and the old and new cr_ruidinfo proc 1967 * counts will be updated. 1968 * References: newcred must be an exclusive credential reference for the 1969 * duration of the call. 1970 */ 1971 void 1972 change_ruid(newcred, ruid) 1973 struct ucred *newcred; 1974 uid_t ruid; 1975 { 1976 1977 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1978 newcred->cr_ruid = ruid; 1979 uifree(newcred->cr_ruidinfo); 1980 newcred->cr_ruidinfo = uifind(ruid); 1981 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1982 } 1983 1984 /*- 1985 * Change a process's real gid. 1986 * Side effects: newcred->cr_rgid will be updated. 1987 * References: newcred must be an exclusive credential reference for the 1988 * duration of the call. 1989 */ 1990 void 1991 change_rgid(newcred, rgid) 1992 struct ucred *newcred; 1993 gid_t rgid; 1994 { 1995 1996 newcred->cr_rgid = rgid; 1997 } 1998 1999 /*- 2000 * Change a process's saved uid. 2001 * Side effects: newcred->cr_svuid will be updated. 2002 * References: newcred must be an exclusive credential reference for the 2003 * duration of the call. 2004 */ 2005 void 2006 change_svuid(newcred, svuid) 2007 struct ucred *newcred; 2008 uid_t svuid; 2009 { 2010 2011 newcred->cr_svuid = svuid; 2012 } 2013 2014 /*- 2015 * Change a process's saved gid. 2016 * Side effects: newcred->cr_svgid will be updated. 2017 * References: newcred must be an exclusive credential reference for the 2018 * duration of the call. 2019 */ 2020 void 2021 change_svgid(newcred, svgid) 2022 struct ucred *newcred; 2023 gid_t svgid; 2024 { 2025 2026 newcred->cr_svgid = svgid; 2027 } 2028