1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD$ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 #include "opt_global.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/acct.h> 53 #include <sys/kernel.h> 54 #include <sys/lock.h> 55 #include <sys/mutex.h> 56 #include <sys/proc.h> 57 #include <sys/sx.h> 58 #include <sys/sysproto.h> 59 #include <sys/jail.h> 60 #include <sys/malloc.h> 61 #include <sys/pioctl.h> 62 #include <sys/resourcevar.h> 63 #include <sys/sysctl.h> 64 65 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 66 67 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 68 "Kernel security policy"); 69 SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 70 "BSD security policy"); 71 72 #ifndef _SYS_SYSPROTO_H_ 73 struct getpid_args { 74 int dummy; 75 }; 76 #endif 77 /* 78 * MPSAFE 79 */ 80 /* ARGSUSED */ 81 int 82 getpid(td, uap) 83 struct thread *td; 84 struct getpid_args *uap; 85 { 86 struct proc *p = td->td_proc; 87 int s; 88 89 s = mtx_lock_giant(kern_giant_proc); 90 td->td_retval[0] = p->p_pid; 91 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 92 PROC_LOCK(p); 93 td->td_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95 #endif 96 mtx_unlock_giant(s); 97 return (0); 98 } 99 100 #ifndef _SYS_SYSPROTO_H_ 101 struct getppid_args { 102 int dummy; 103 }; 104 #endif 105 /* 106 * MPSAFE 107 */ 108 /* ARGSUSED */ 109 int 110 getppid(td, uap) 111 struct thread *td; 112 struct getppid_args *uap; 113 { 114 struct proc *p = td->td_proc; 115 int s; 116 117 s = mtx_lock_giant(kern_giant_proc); 118 PROC_LOCK(p); 119 td->td_retval[0] = p->p_pptr->p_pid; 120 PROC_UNLOCK(p); 121 mtx_unlock_giant(s); 122 return (0); 123 } 124 125 /* 126 * Get process group ID; note that POSIX getpgrp takes no parameter. 127 */ 128 #ifndef _SYS_SYSPROTO_H_ 129 struct getpgrp_args { 130 int dummy; 131 }; 132 #endif 133 /* 134 * MPSAFE 135 */ 136 int 137 getpgrp(td, uap) 138 struct thread *td; 139 struct getpgrp_args *uap; 140 { 141 struct proc *p = td->td_proc; 142 143 mtx_lock(&Giant); 144 td->td_retval[0] = p->p_pgrp->pg_id; 145 mtx_unlock(&Giant); 146 return (0); 147 } 148 149 /* Get an arbitary pid's process group id */ 150 #ifndef _SYS_SYSPROTO_H_ 151 struct getpgid_args { 152 pid_t pid; 153 }; 154 #endif 155 /* 156 * MPSAFE 157 */ 158 int 159 getpgid(td, uap) 160 struct thread *td; 161 struct getpgid_args *uap; 162 { 163 struct proc *p = td->td_proc; 164 struct proc *pt; 165 int error, s; 166 167 s = mtx_lock_giant(kern_giant_proc); 168 error = 0; 169 if (uap->pid == 0) 170 td->td_retval[0] = p->p_pgrp->pg_id; 171 else if ((pt = pfind(uap->pid)) == NULL) 172 error = ESRCH; 173 else { 174 error = p_cansee(p, pt); 175 if (error == 0) 176 td->td_retval[0] = pt->p_pgrp->pg_id; 177 PROC_UNLOCK(pt); 178 } 179 mtx_unlock_giant(s); 180 return (error); 181 } 182 183 /* 184 * Get an arbitary pid's session id. 185 */ 186 #ifndef _SYS_SYSPROTO_H_ 187 struct getsid_args { 188 pid_t pid; 189 }; 190 #endif 191 /* 192 * MPSAFE 193 */ 194 int 195 getsid(td, uap) 196 struct thread *td; 197 struct getsid_args *uap; 198 { 199 struct proc *p = td->td_proc; 200 struct proc *pt; 201 int error; 202 203 mtx_lock(&Giant); 204 error = 0; 205 if (uap->pid == 0) 206 td->td_retval[0] = p->p_session->s_sid; 207 else if ((pt = pfind(uap->pid)) == NULL) 208 error = ESRCH; 209 else { 210 error = p_cansee(p, pt); 211 if (error == 0) 212 td->td_retval[0] = pt->p_session->s_sid; 213 PROC_UNLOCK(pt); 214 } 215 mtx_unlock(&Giant); 216 return (error); 217 } 218 219 #ifndef _SYS_SYSPROTO_H_ 220 struct getuid_args { 221 int dummy; 222 }; 223 #endif 224 /* 225 * MPSAFE 226 */ 227 /* ARGSUSED */ 228 int 229 getuid(td, uap) 230 struct thread *td; 231 struct getuid_args *uap; 232 { 233 struct proc *p = td->td_proc; 234 235 mtx_lock(&Giant); 236 td->td_retval[0] = p->p_ucred->cr_ruid; 237 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 238 td->td_retval[1] = p->p_ucred->cr_uid; 239 #endif 240 mtx_unlock(&Giant); 241 return (0); 242 } 243 244 #ifndef _SYS_SYSPROTO_H_ 245 struct geteuid_args { 246 int dummy; 247 }; 248 #endif 249 /* 250 * MPSAFE 251 */ 252 /* ARGSUSED */ 253 int 254 geteuid(td, uap) 255 struct thread *td; 256 struct geteuid_args *uap; 257 { 258 mtx_lock(&Giant); 259 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 260 mtx_unlock(&Giant); 261 return (0); 262 } 263 264 #ifndef _SYS_SYSPROTO_H_ 265 struct getgid_args { 266 int dummy; 267 }; 268 #endif 269 /* 270 * MPSAFE 271 */ 272 /* ARGSUSED */ 273 int 274 getgid(td, uap) 275 struct thread *td; 276 struct getgid_args *uap; 277 { 278 struct proc *p = td->td_proc; 279 280 mtx_lock(&Giant); 281 td->td_retval[0] = p->p_ucred->cr_rgid; 282 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 283 td->td_retval[1] = p->p_ucred->cr_groups[0]; 284 #endif 285 mtx_unlock(&Giant); 286 return (0); 287 } 288 289 /* 290 * Get effective group ID. The "egid" is groups[0], and could be obtained 291 * via getgroups. This syscall exists because it is somewhat painful to do 292 * correctly in a library function. 293 */ 294 #ifndef _SYS_SYSPROTO_H_ 295 struct getegid_args { 296 int dummy; 297 }; 298 #endif 299 /* 300 * MPSAFE 301 */ 302 /* ARGSUSED */ 303 int 304 getegid(td, uap) 305 struct thread *td; 306 struct getegid_args *uap; 307 { 308 struct proc *p = td->td_proc; 309 310 mtx_lock(&Giant); 311 td->td_retval[0] = p->p_ucred->cr_groups[0]; 312 mtx_unlock(&Giant); 313 return (0); 314 } 315 316 #ifndef _SYS_SYSPROTO_H_ 317 struct getgroups_args { 318 u_int gidsetsize; 319 gid_t *gidset; 320 }; 321 #endif 322 /* 323 * MPSAFE 324 */ 325 int 326 getgroups(td, uap) 327 struct thread *td; 328 register struct getgroups_args *uap; 329 { 330 struct ucred *cred; 331 struct proc *p = td->td_proc; 332 u_int ngrp; 333 int error; 334 335 mtx_lock(&Giant); 336 error = 0; 337 cred = p->p_ucred; 338 if ((ngrp = uap->gidsetsize) == 0) { 339 td->td_retval[0] = cred->cr_ngroups; 340 goto done2; 341 } 342 if (ngrp < cred->cr_ngroups) { 343 error = EINVAL; 344 goto done2; 345 } 346 ngrp = cred->cr_ngroups; 347 if ((error = copyout((caddr_t)cred->cr_groups, 348 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) 349 goto done2; 350 td->td_retval[0] = ngrp; 351 done2: 352 mtx_unlock(&Giant); 353 return (error); 354 } 355 356 #ifndef _SYS_SYSPROTO_H_ 357 struct setsid_args { 358 int dummy; 359 }; 360 #endif 361 /* 362 * MPSAFE 363 */ 364 /* ARGSUSED */ 365 int 366 setsid(td, uap) 367 register struct thread *td; 368 struct setsid_args *uap; 369 { 370 int error; 371 struct proc *p = td->td_proc; 372 373 mtx_lock(&Giant); 374 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) 375 error = EPERM; 376 else { 377 (void)enterpgrp(p, p->p_pid, 1); 378 td->td_retval[0] = p->p_pid; 379 error = 0; 380 } 381 mtx_unlock(&Giant); 382 return (error); 383 } 384 385 /* 386 * set process group (setpgid/old setpgrp) 387 * 388 * caller does setpgid(targpid, targpgid) 389 * 390 * pid must be caller or child of caller (ESRCH) 391 * if a child 392 * pid must be in same session (EPERM) 393 * pid can't have done an exec (EACCES) 394 * if pgid != pid 395 * there must exist some pid in same session having pgid (EPERM) 396 * pid must not be session leader (EPERM) 397 */ 398 #ifndef _SYS_SYSPROTO_H_ 399 struct setpgid_args { 400 int pid; /* target process id */ 401 int pgid; /* target pgrp id */ 402 }; 403 #endif 404 /* 405 * MPSAFE 406 */ 407 /* ARGSUSED */ 408 int 409 setpgid(td, uap) 410 struct thread *td; 411 register struct setpgid_args *uap; 412 { 413 struct proc *curp = td->td_proc; 414 register struct proc *targp; /* target process */ 415 register struct pgrp *pgrp; /* target pgrp */ 416 int error; 417 418 if (uap->pgid < 0) 419 return (EINVAL); 420 mtx_lock(&Giant); 421 sx_slock(&proctree_lock); 422 if (uap->pid != 0 && uap->pid != curp->p_pid) { 423 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 424 if (targp) 425 PROC_UNLOCK(targp); 426 error = ESRCH; 427 goto done2; 428 } 429 if ((error = p_cansee(curproc, targp))) { 430 PROC_UNLOCK(targp); 431 goto done2; 432 } 433 if (targp->p_pgrp == NULL || 434 targp->p_session != curp->p_session) { 435 PROC_UNLOCK(targp); 436 error = EPERM; 437 goto done2; 438 } 439 if (targp->p_flag & P_EXEC) { 440 PROC_UNLOCK(targp); 441 error = EACCES; 442 goto done2; 443 } 444 } else { 445 targp = curp; 446 PROC_LOCK(curp); /* XXX: not needed */ 447 } 448 if (SESS_LEADER(targp)) { 449 PROC_UNLOCK(targp); 450 error = EPERM; 451 goto done2; 452 } 453 if (uap->pgid == 0) 454 uap->pgid = targp->p_pid; 455 else if (uap->pgid != targp->p_pid) { 456 if ((pgrp = pgfind(uap->pgid)) == 0 || 457 pgrp->pg_session != curp->p_session) { 458 PROC_UNLOCK(targp); 459 error = EPERM; 460 goto done2; 461 } 462 } 463 /* XXX: We should probably hold the lock across enterpgrp. */ 464 PROC_UNLOCK(targp); 465 error = enterpgrp(targp, uap->pgid, 0); 466 done2: 467 sx_sunlock(&proctree_lock); 468 mtx_unlock(&Giant); 469 return (error); 470 } 471 472 /* 473 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 474 * compatible. It says that setting the uid/gid to euid/egid is a special 475 * case of "appropriate privilege". Once the rules are expanded out, this 476 * basically means that setuid(nnn) sets all three id's, in all permitted 477 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 478 * does not set the saved id - this is dangerous for traditional BSD 479 * programs. For this reason, we *really* do not want to set 480 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 481 */ 482 #define POSIX_APPENDIX_B_4_2_2 483 484 #ifndef _SYS_SYSPROTO_H_ 485 struct setuid_args { 486 uid_t uid; 487 }; 488 #endif 489 /* 490 * MPSAFE 491 */ 492 /* ARGSUSED */ 493 int 494 setuid(td, uap) 495 struct thread *td; 496 struct setuid_args *uap; 497 { 498 struct proc *p = td->td_proc; 499 struct ucred *newcred, *oldcred; 500 uid_t uid; 501 int error; 502 503 uid = uap->uid; 504 mtx_lock(&Giant); 505 error = 0; 506 oldcred = p->p_ucred; 507 /* 508 * See if we have "permission" by POSIX 1003.1 rules. 509 * 510 * Note that setuid(geteuid()) is a special case of 511 * "appropriate privileges" in appendix B.4.2.2. We need 512 * to use this clause to be compatible with traditional BSD 513 * semantics. Basically, it means that "setuid(xx)" sets all 514 * three id's (assuming you have privs). 515 * 516 * Notes on the logic. We do things in three steps. 517 * 1: We determine if the euid is going to change, and do EPERM 518 * right away. We unconditionally change the euid later if this 519 * test is satisfied, simplifying that part of the logic. 520 * 2: We determine if the real and/or saved uids are going to 521 * change. Determined by compile options. 522 * 3: Change euid last. (after tests in #2 for "appropriate privs") 523 */ 524 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 525 #ifdef _POSIX_SAVED_IDS 526 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 527 #endif 528 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 529 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 530 #endif 531 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 532 goto done2; 533 534 newcred = crdup(oldcred); 535 #ifdef _POSIX_SAVED_IDS 536 /* 537 * Do we have "appropriate privileges" (are we root or uid == euid) 538 * If so, we are changing the real uid and/or saved uid. 539 */ 540 if ( 541 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 542 uid == oldcred->cr_uid || 543 #endif 544 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 545 #endif 546 { 547 /* 548 * Set the real uid and transfer proc count to new user. 549 */ 550 if (uid != oldcred->cr_ruid) { 551 change_ruid(newcred, uid); 552 setsugid(p); 553 } 554 /* 555 * Set saved uid 556 * 557 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 558 * the security of seteuid() depends on it. B.4.2.2 says it 559 * is important that we should do this. 560 */ 561 if (uid != oldcred->cr_svuid) { 562 change_svuid(newcred, uid); 563 setsugid(p); 564 } 565 } 566 567 /* 568 * In all permitted cases, we are changing the euid. 569 * Copy credentials so other references do not see our changes. 570 */ 571 if (uid != oldcred->cr_uid) { 572 change_euid(newcred, uid); 573 setsugid(p); 574 } 575 p->p_ucred = newcred; 576 crfree(oldcred); 577 done2: 578 mtx_unlock(&Giant); 579 return (error); 580 } 581 582 #ifndef _SYS_SYSPROTO_H_ 583 struct seteuid_args { 584 uid_t euid; 585 }; 586 #endif 587 /* 588 * MPSAFE 589 */ 590 /* ARGSUSED */ 591 int 592 seteuid(td, uap) 593 struct thread *td; 594 struct seteuid_args *uap; 595 { 596 struct proc *p = td->td_proc; 597 struct ucred *newcred, *oldcred; 598 uid_t euid; 599 int error; 600 601 euid = uap->euid; 602 mtx_lock(&Giant); 603 error = 0; 604 oldcred = p->p_ucred; 605 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 606 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 607 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 608 goto done2; 609 /* 610 * Everything's okay, do it. Copy credentials so other references do 611 * not see our changes. 612 */ 613 newcred = crdup(oldcred); 614 if (oldcred->cr_uid != euid) { 615 change_euid(newcred, euid); 616 setsugid(p); 617 } 618 p->p_ucred = newcred; 619 crfree(oldcred); 620 done2: 621 mtx_unlock(&Giant); 622 return (error); 623 } 624 625 #ifndef _SYS_SYSPROTO_H_ 626 struct setgid_args { 627 gid_t gid; 628 }; 629 #endif 630 /* 631 * MPSAFE 632 */ 633 /* ARGSUSED */ 634 int 635 setgid(td, uap) 636 struct thread *td; 637 struct setgid_args *uap; 638 { 639 struct proc *p = td->td_proc; 640 struct ucred *newcred, *oldcred; 641 gid_t gid; 642 int error; 643 644 gid = uap->gid; 645 mtx_lock(&Giant); 646 error = 0; 647 oldcred = p->p_ucred; 648 /* 649 * See if we have "permission" by POSIX 1003.1 rules. 650 * 651 * Note that setgid(getegid()) is a special case of 652 * "appropriate privileges" in appendix B.4.2.2. We need 653 * to use this clause to be compatible with traditional BSD 654 * semantics. Basically, it means that "setgid(xx)" sets all 655 * three id's (assuming you have privs). 656 * 657 * For notes on the logic here, see setuid() above. 658 */ 659 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 660 #ifdef _POSIX_SAVED_IDS 661 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 662 #endif 663 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 664 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 665 #endif 666 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 667 goto done2; 668 669 newcred = crdup(oldcred); 670 #ifdef _POSIX_SAVED_IDS 671 /* 672 * Do we have "appropriate privileges" (are we root or gid == egid) 673 * If so, we are changing the real uid and saved gid. 674 */ 675 if ( 676 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 677 gid == oldcred->cr_groups[0] || 678 #endif 679 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 680 #endif 681 { 682 /* 683 * Set real gid 684 */ 685 if (oldcred->cr_rgid != gid) { 686 change_rgid(newcred, gid); 687 setsugid(p); 688 } 689 /* 690 * Set saved gid 691 * 692 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 693 * the security of setegid() depends on it. B.4.2.2 says it 694 * is important that we should do this. 695 */ 696 if (oldcred->cr_svgid != gid) { 697 change_svgid(newcred, gid); 698 setsugid(p); 699 } 700 } 701 /* 702 * In all cases permitted cases, we are changing the egid. 703 * Copy credentials so other references do not see our changes. 704 */ 705 if (oldcred->cr_groups[0] != gid) { 706 change_egid(newcred, gid); 707 setsugid(p); 708 } 709 p->p_ucred = newcred; 710 crfree(oldcred); 711 done2: 712 mtx_unlock(&Giant); 713 return (error); 714 } 715 716 #ifndef _SYS_SYSPROTO_H_ 717 struct setegid_args { 718 gid_t egid; 719 }; 720 #endif 721 /* 722 * MPSAFE 723 */ 724 /* ARGSUSED */ 725 int 726 setegid(td, uap) 727 struct thread *td; 728 struct setegid_args *uap; 729 { 730 struct proc *p = td->td_proc; 731 struct ucred *newcred, *oldcred; 732 gid_t egid; 733 int error; 734 735 egid = uap->egid; 736 mtx_lock(&Giant); 737 error = 0; 738 oldcred = p->p_ucred; 739 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 740 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 741 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 742 goto done2; 743 newcred = crdup(oldcred); 744 if (oldcred->cr_groups[0] != egid) { 745 change_egid(newcred, egid); 746 setsugid(p); 747 } 748 p->p_ucred = newcred; 749 crfree(oldcred); 750 done2: 751 mtx_unlock(&Giant); 752 return (error); 753 } 754 755 #ifndef _SYS_SYSPROTO_H_ 756 struct setgroups_args { 757 u_int gidsetsize; 758 gid_t *gidset; 759 }; 760 #endif 761 /* 762 * MPSAFE 763 */ 764 /* ARGSUSED */ 765 int 766 setgroups(td, uap) 767 struct thread *td; 768 struct setgroups_args *uap; 769 { 770 struct proc *p = td->td_proc; 771 struct ucred *newcred, *oldcred; 772 u_int ngrp; 773 int error; 774 775 ngrp = uap->gidsetsize; 776 mtx_lock(&Giant); 777 oldcred = p->p_ucred; 778 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 779 goto done2; 780 if (ngrp > NGROUPS) { 781 error = EINVAL; 782 goto done2; 783 } 784 /* 785 * XXX A little bit lazy here. We could test if anything has 786 * changed before crcopy() and setting P_SUGID. 787 */ 788 newcred = crdup(oldcred); 789 if (ngrp < 1) { 790 /* 791 * setgroups(0, NULL) is a legitimate way of clearing the 792 * groups vector on non-BSD systems (which generally do not 793 * have the egid in the groups[0]). We risk security holes 794 * when running non-BSD software if we do not do the same. 795 */ 796 newcred->cr_ngroups = 1; 797 } else { 798 if ((error = copyin((caddr_t)uap->gidset, 799 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 800 crfree(newcred); 801 goto done2; 802 } 803 newcred->cr_ngroups = ngrp; 804 } 805 setsugid(p); 806 p->p_ucred = newcred; 807 crfree(oldcred); 808 done2: 809 mtx_unlock(&Giant); 810 return (error); 811 } 812 813 #ifndef _SYS_SYSPROTO_H_ 814 struct setreuid_args { 815 uid_t ruid; 816 uid_t euid; 817 }; 818 #endif 819 /* 820 * MPSAFE 821 */ 822 /* ARGSUSED */ 823 int 824 setreuid(td, uap) 825 register struct thread *td; 826 struct setreuid_args *uap; 827 { 828 struct proc *p = td->td_proc; 829 struct ucred *newcred, *oldcred; 830 uid_t euid, ruid; 831 int error; 832 833 euid = uap->euid; 834 ruid = uap->ruid; 835 mtx_lock(&Giant); 836 error = 0; 837 oldcred = p->p_ucred; 838 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 839 ruid != oldcred->cr_svuid) || 840 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 841 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 842 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 843 goto done2; 844 newcred = crdup(oldcred); 845 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 846 change_euid(newcred, euid); 847 setsugid(p); 848 } 849 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 850 change_ruid(newcred, ruid); 851 setsugid(p); 852 } 853 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 854 newcred->cr_svuid != newcred->cr_uid) { 855 change_svuid(newcred, newcred->cr_uid); 856 setsugid(p); 857 } 858 p->p_ucred = newcred; 859 crfree(oldcred); 860 done2: 861 mtx_unlock(&Giant); 862 return (error); 863 } 864 865 #ifndef _SYS_SYSPROTO_H_ 866 struct setregid_args { 867 gid_t rgid; 868 gid_t egid; 869 }; 870 #endif 871 /* 872 * MPSAFE 873 */ 874 /* ARGSUSED */ 875 int 876 setregid(td, uap) 877 register struct thread *td; 878 struct setregid_args *uap; 879 { 880 struct proc *p = td->td_proc; 881 struct ucred *newcred, *oldcred; 882 gid_t egid, rgid; 883 int error; 884 885 egid = uap->egid; 886 rgid = uap->rgid; 887 mtx_lock(&Giant); 888 error = 0; 889 oldcred = p->p_ucred; 890 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 891 rgid != oldcred->cr_svgid) || 892 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 893 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 894 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 895 goto done2; 896 newcred = crdup(oldcred); 897 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 898 change_egid(newcred, egid); 899 setsugid(p); 900 } 901 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 902 change_rgid(newcred, rgid); 903 setsugid(p); 904 } 905 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 906 newcred->cr_svgid != newcred->cr_groups[0]) { 907 change_svgid(newcred, newcred->cr_groups[0]); 908 setsugid(p); 909 } 910 p->p_ucred = newcred; 911 crfree(oldcred); 912 done2: 913 mtx_unlock(&Giant); 914 return (error); 915 } 916 917 /* 918 * setresuid(ruid, euid, suid) is like setreuid except control over the 919 * saved uid is explicit. 920 */ 921 922 #ifndef _SYS_SYSPROTO_H_ 923 struct setresuid_args { 924 uid_t ruid; 925 uid_t euid; 926 uid_t suid; 927 }; 928 #endif 929 /* 930 * MPSAFE 931 */ 932 /* ARGSUSED */ 933 int 934 setresuid(td, uap) 935 register struct thread *td; 936 struct setresuid_args *uap; 937 { 938 struct proc *p = td->td_proc; 939 struct ucred *newcred, *oldcred; 940 uid_t euid, ruid, suid; 941 int error; 942 943 euid = uap->euid; 944 ruid = uap->ruid; 945 suid = uap->suid; 946 mtx_lock(&Giant); 947 oldcred = p->p_ucred; 948 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 949 ruid != oldcred->cr_svuid && 950 ruid != oldcred->cr_uid) || 951 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 952 euid != oldcred->cr_svuid && 953 euid != oldcred->cr_uid) || 954 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 955 suid != oldcred->cr_svuid && 956 suid != oldcred->cr_uid)) && 957 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 958 goto done2; 959 newcred = crdup(oldcred); 960 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 961 change_euid(newcred, euid); 962 setsugid(p); 963 } 964 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 965 change_ruid(newcred, ruid); 966 setsugid(p); 967 } 968 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 969 change_svuid(newcred, suid); 970 setsugid(p); 971 } 972 p->p_ucred = newcred; 973 crfree(oldcred); 974 error = 0; 975 done2: 976 mtx_unlock(&Giant); 977 return (error); 978 } 979 980 /* 981 * setresgid(rgid, egid, sgid) is like setregid except control over the 982 * saved gid is explicit. 983 */ 984 985 #ifndef _SYS_SYSPROTO_H_ 986 struct setresgid_args { 987 gid_t rgid; 988 gid_t egid; 989 gid_t sgid; 990 }; 991 #endif 992 /* 993 * MPSAFE 994 */ 995 /* ARGSUSED */ 996 int 997 setresgid(td, uap) 998 register struct thread *td; 999 struct setresgid_args *uap; 1000 { 1001 struct proc *p = td->td_proc; 1002 struct ucred *newcred, *oldcred; 1003 gid_t egid, rgid, sgid; 1004 int error; 1005 1006 egid = uap->egid; 1007 rgid = uap->rgid; 1008 sgid = uap->sgid; 1009 mtx_lock(&Giant); 1010 oldcred = p->p_ucred; 1011 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1012 rgid != oldcred->cr_svgid && 1013 rgid != oldcred->cr_groups[0]) || 1014 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1015 egid != oldcred->cr_svgid && 1016 egid != oldcred->cr_groups[0]) || 1017 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1018 sgid != oldcred->cr_svgid && 1019 sgid != oldcred->cr_groups[0])) && 1020 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1021 goto done2; 1022 } 1023 newcred = crdup(oldcred); 1024 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1025 change_egid(newcred, egid); 1026 setsugid(p); 1027 } 1028 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1029 change_rgid(newcred, rgid); 1030 setsugid(p); 1031 } 1032 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1033 change_svgid(newcred, sgid); 1034 setsugid(p); 1035 } 1036 p->p_ucred = newcred; 1037 crfree(oldcred); 1038 error = 0; 1039 done2: 1040 mtx_unlock(&Giant); 1041 return (error); 1042 } 1043 1044 #ifndef _SYS_SYSPROTO_H_ 1045 struct getresuid_args { 1046 uid_t *ruid; 1047 uid_t *euid; 1048 uid_t *suid; 1049 }; 1050 #endif 1051 /* 1052 * MPSAFE 1053 */ 1054 /* ARGSUSED */ 1055 int 1056 getresuid(td, uap) 1057 register struct thread *td; 1058 struct getresuid_args *uap; 1059 { 1060 struct ucred *cred; 1061 struct proc *p = td->td_proc; 1062 int error1 = 0, error2 = 0, error3 = 0; 1063 1064 mtx_lock(&Giant); 1065 cred = p->p_ucred; 1066 if (uap->ruid) 1067 error1 = copyout((caddr_t)&cred->cr_ruid, 1068 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1069 if (uap->euid) 1070 error2 = copyout((caddr_t)&cred->cr_uid, 1071 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1072 if (uap->suid) 1073 error3 = copyout((caddr_t)&cred->cr_svuid, 1074 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1075 mtx_unlock(&Giant); 1076 return (error1 ? error1 : error2 ? error2 : error3); 1077 } 1078 1079 #ifndef _SYS_SYSPROTO_H_ 1080 struct getresgid_args { 1081 gid_t *rgid; 1082 gid_t *egid; 1083 gid_t *sgid; 1084 }; 1085 #endif 1086 /* 1087 * MPSAFE 1088 */ 1089 /* ARGSUSED */ 1090 int 1091 getresgid(td, uap) 1092 register struct thread *td; 1093 struct getresgid_args *uap; 1094 { 1095 struct ucred *cred; 1096 struct proc *p = td->td_proc; 1097 int error1 = 0, error2 = 0, error3 = 0; 1098 1099 mtx_lock(&Giant); 1100 cred = p->p_ucred; 1101 if (uap->rgid) 1102 error1 = copyout((caddr_t)&cred->cr_rgid, 1103 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1104 if (uap->egid) 1105 error2 = copyout((caddr_t)&cred->cr_groups[0], 1106 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1107 if (uap->sgid) 1108 error3 = copyout((caddr_t)&cred->cr_svgid, 1109 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1110 mtx_unlock(&Giant); 1111 return (error1 ? error1 : error2 ? error2 : error3); 1112 } 1113 1114 #ifndef _SYS_SYSPROTO_H_ 1115 struct issetugid_args { 1116 int dummy; 1117 }; 1118 #endif 1119 /* 1120 * NOT MPSAFE? 1121 */ 1122 /* ARGSUSED */ 1123 int 1124 issetugid(td, uap) 1125 register struct thread *td; 1126 struct issetugid_args *uap; 1127 { 1128 struct proc *p = td->td_proc; 1129 1130 /* 1131 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1132 * we use P_SUGID because we consider changing the owners as 1133 * "tainting" as well. 1134 * This is significant for procs that start as root and "become" 1135 * a user without an exec - programs cannot know *everything* 1136 * that libc *might* have put in their data segment. 1137 */ 1138 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1139 return (0); 1140 } 1141 1142 /* 1143 * MPSAFE 1144 */ 1145 int 1146 __setugid(td, uap) 1147 struct thread *td; 1148 struct __setugid_args *uap; 1149 { 1150 #ifdef REGRESSION 1151 int error; 1152 1153 mtx_lock(&Giant); 1154 error = 0; 1155 switch (uap->flag) { 1156 case 0: 1157 td->td_proc->p_flag &= ~P_SUGID; 1158 break; 1159 case 1: 1160 td->td_proc->p_flag |= P_SUGID; 1161 break; 1162 default: 1163 error = EINVAL; 1164 break; 1165 } 1166 mtx_unlock(&Giant); 1167 return (error); 1168 #else /* !REGRESSION */ 1169 1170 return (ENOSYS); 1171 #endif /* REGRESSION */ 1172 } 1173 1174 /* 1175 * Check if gid is a member of the group set. 1176 */ 1177 int 1178 groupmember(gid, cred) 1179 gid_t gid; 1180 struct ucred *cred; 1181 { 1182 register gid_t *gp; 1183 gid_t *egp; 1184 1185 egp = &(cred->cr_groups[cred->cr_ngroups]); 1186 for (gp = cred->cr_groups; gp < egp; gp++) 1187 if (*gp == gid) 1188 return (1); 1189 return (0); 1190 } 1191 1192 /* 1193 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1194 * sysctl) determines whether the system 'super-user' policy is in effect. 1195 * If it is nonzero, an effective uid of 0 connotes special privilege, 1196 * overriding many mandatory and discretionary protections. If it is zero, 1197 * uid 0 is offered no special privilege in the kernel security policy. 1198 * Setting it to zero may seriously impact the functionality of many 1199 * existing userland programs, and should not be done without careful 1200 * consideration of the consequences. 1201 */ 1202 int suser_enabled = 1; 1203 SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1204 &suser_enabled, 0, "processes with uid 0 have privilege"); 1205 1206 /* 1207 * Test whether the specified credentials imply "super-user" privilege. 1208 * Return 0 or EPERM. 1209 */ 1210 int 1211 suser(p) 1212 struct proc *p; 1213 { 1214 1215 return (suser_xxx(0, p, 0)); 1216 } 1217 1218 /* 1219 * version for when the thread pointer is available and not the proc. 1220 * (saves having to include proc.h into every file that needs to do the change.) 1221 */ 1222 int 1223 suser_td(td) 1224 struct thread *td; 1225 { 1226 return suser_xxx(0, td->td_proc, 0); 1227 } 1228 1229 /* 1230 * wrapper to use if you have the thread on hand but not the proc. 1231 */ 1232 int 1233 suser_xxx_td(cred, td, flag) 1234 struct ucred *cred; 1235 struct thread *td; 1236 int flag; 1237 { 1238 return(suser_xxx(cred, td->td_proc, flag)); 1239 } 1240 1241 int 1242 suser_xxx(cred, proc, flag) 1243 struct ucred *cred; 1244 struct proc *proc; 1245 int flag; 1246 { 1247 if (!suser_enabled) 1248 return (EPERM); 1249 if (!cred && !proc) { 1250 printf("suser_xxx(): THINK!\n"); 1251 return (EPERM); 1252 } 1253 if (cred == NULL) 1254 cred = proc->p_ucred; 1255 if (cred->cr_uid != 0) 1256 return (EPERM); 1257 if (jailed(cred) && !(flag & PRISON_ROOT)) 1258 return (EPERM); 1259 return (0); 1260 } 1261 1262 /* 1263 * Test the active securelevel against a given level. securelevel_gt() 1264 * implements (securelevel > level). securelevel_ge() implements 1265 * (securelevel >= level). Note that the logic is inverted -- these 1266 * functions return EPERM on "success" and 0 on "failure". 1267 * 1268 * cr is permitted to be NULL for the time being, as there were some 1269 * existing securelevel checks that occurred without a process/credential 1270 * context. In the future this will be disallowed, so a kernel message 1271 * is displayed. 1272 */ 1273 int 1274 securelevel_gt(struct ucred *cr, int level) 1275 { 1276 int active_securelevel; 1277 1278 active_securelevel = securelevel; 1279 if (cr == NULL) 1280 printf("securelevel_gt: cr is NULL\n"); 1281 if (cr->cr_prison != NULL) 1282 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1283 active_securelevel); 1284 return (active_securelevel > level ? EPERM : 0); 1285 } 1286 1287 int 1288 securelevel_ge(struct ucred *cr, int level) 1289 { 1290 int active_securelevel; 1291 1292 active_securelevel = securelevel; 1293 if (cr == NULL) 1294 printf("securelevel_gt: cr is NULL\n"); 1295 if (cr->cr_prison != NULL) 1296 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1297 active_securelevel); 1298 return (active_securelevel >= level ? EPERM : 0); 1299 } 1300 1301 /* 1302 * 'see_other_uids' determines whether or not visibility of processes 1303 * and sockets with credentials holding different real uids is possible 1304 * using a variety of system MIBs. 1305 * XXX: data declarations should be together near the beginning of the file. 1306 */ 1307 static int see_other_uids = 1; 1308 SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1309 &see_other_uids, 0, 1310 "Unprivileged processes may see subjects/objects with different real uid"); 1311 1312 /*- 1313 * Determine if u1 "can see" the subject specified by u2. 1314 * Returns: 0 for permitted, an errno value otherwise 1315 * Locks: none 1316 * References: *u1 and *u2 must not change during the call 1317 * u1 may equal u2, in which case only one reference is required 1318 */ 1319 int 1320 cr_cansee(struct ucred *u1, struct ucred *u2) 1321 { 1322 int error; 1323 1324 if ((error = prison_check(u1, u2))) 1325 return (error); 1326 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1327 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1328 return (ESRCH); 1329 } 1330 return (0); 1331 } 1332 1333 /*- 1334 * Determine if p1 "can see" the subject specified by p2. 1335 * Returns: 0 for permitted, an errno value otherwise 1336 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1337 * be held. Normally, p1 will be curproc, and a lock must be held 1338 * for p2. 1339 * References: p1 and p2 must be valid for the lifetime of the call 1340 */ 1341 int 1342 p_cansee(struct proc *p1, struct proc *p2) 1343 { 1344 1345 /* Wrap cr_cansee() for all functionality. */ 1346 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1347 } 1348 1349 /*- 1350 * Determine whether p1 may deliver the specified signal to p2. 1351 * Returns: 0 for permitted, an errno value otherwise 1352 * Locks: Sufficient locks to protect various components of p1 and p2 1353 * must be held. Normally, p1 will be curproc, and a lock must 1354 * be held for p2. 1355 * References: p1 and p2 must be valid for the lifetime of the call 1356 */ 1357 int 1358 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1359 { 1360 int error; 1361 1362 if (p1 == p2) 1363 return (0); 1364 1365 /* 1366 * Jail semantics limit the scope of signalling to p2 in the same 1367 * jail as p1, if p1 is in jail. 1368 */ 1369 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1370 return (error); 1371 1372 /* 1373 * UNIX signalling semantics require that processes in the same 1374 * session always be able to deliver SIGCONT to one another, 1375 * overriding the remaining protections. 1376 */ 1377 if (signum == SIGCONT && p1->p_session == p2->p_session) 1378 return (0); 1379 1380 /* 1381 * UNIX signal semantics depend on the status of the P_SUGID 1382 * bit on the target process. If the bit is set, then additional 1383 * restrictions are placed on the set of available signals. 1384 */ 1385 if (p2->p_flag & P_SUGID) { 1386 switch (signum) { 1387 case 0: 1388 case SIGKILL: 1389 case SIGINT: 1390 case SIGTERM: 1391 case SIGSTOP: 1392 case SIGTTIN: 1393 case SIGTTOU: 1394 case SIGTSTP: 1395 case SIGHUP: 1396 case SIGUSR1: 1397 case SIGUSR2: 1398 /* 1399 * Generally, permit job and terminal control 1400 * signals. 1401 */ 1402 break; 1403 default: 1404 /* Not permitted, privilege is required. */ 1405 error = suser_xxx(NULL, p1, PRISON_ROOT); 1406 if (error) 1407 return (error); 1408 } 1409 } 1410 1411 /* 1412 * Generally, the target credential's ruid or svuid must match the 1413 * subject credential's ruid or euid. 1414 */ 1415 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1416 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1417 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1418 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1419 /* Not permitted, try privilege. */ 1420 error = suser_xxx(NULL, p1, PRISON_ROOT); 1421 if (error) 1422 return (error); 1423 } 1424 1425 return (0); 1426 } 1427 1428 /*- 1429 * Determine whether p1 may reschedule p2. 1430 * Returns: 0 for permitted, an errno value otherwise 1431 * Locks: Sufficient locks to protect various components of p1 and p2 1432 * must be held. Normally, p1 will be curproc, and a lock must 1433 * be held for p2. 1434 * References: p1 and p2 must be valid for the lifetime of the call 1435 */ 1436 int 1437 p_cansched(struct proc *p1, struct proc *p2) 1438 { 1439 int error; 1440 1441 if (p1 == p2) 1442 return (0); 1443 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1444 return (error); 1445 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1446 return (0); 1447 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1448 return (0); 1449 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1450 return (0); 1451 1452 #ifdef CAPABILITIES 1453 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1454 return (0); 1455 #endif 1456 1457 return (EPERM); 1458 } 1459 1460 /* 1461 * The 'unprivileged_procdebug_permitted' flag may be used to disable 1462 * a variety of unprivileged inter-process debugging services, including 1463 * some procfs functionality, ptrace(), and ktrace(). In the past, 1464 * inter-process debugging has been involved in a variety of security 1465 * problems, and sites not requiring the service might choose to disable it 1466 * when hardening systems. 1467 * 1468 * XXX: Should modifying and reading this variable require locking? 1469 * XXX: data declarations should be together near the beginning of the file. 1470 */ 1471 static int unprivileged_proc_debug = 1; 1472 SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1473 &unprivileged_proc_debug, 0, 1474 "Unprivileged processes may use process debugging facilities"); 1475 1476 /*- 1477 * Determine whether p1 may debug p2. 1478 * Returns: 0 for permitted, an errno value otherwise 1479 * Locks: Sufficient locks to protect various components of p1 and p2 1480 * must be held. Normally, p1 will be curproc, and a lock must 1481 * be held for p2. 1482 * References: p1 and p2 must be valid for the lifetime of the call 1483 */ 1484 int 1485 p_candebug(struct proc *p1, struct proc *p2) 1486 { 1487 int credentialchanged, error, grpsubset, i, uidsubset; 1488 1489 if (!unprivileged_proc_debug) { 1490 error = suser_xxx(NULL, p1, PRISON_ROOT); 1491 if (error) 1492 return (error); 1493 } 1494 if (p1 == p2) 1495 return (0); 1496 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1497 return (error); 1498 1499 /* 1500 * Is p2's group set a subset of p1's effective group set? This 1501 * includes p2's egid, group access list, rgid, and svgid. 1502 */ 1503 grpsubset = 1; 1504 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1505 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1506 grpsubset = 0; 1507 break; 1508 } 1509 } 1510 grpsubset = grpsubset && 1511 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1512 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1513 1514 /* 1515 * Are the uids present in p2's credential equal to p1's 1516 * effective uid? This includes p2's euid, svuid, and ruid. 1517 */ 1518 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1519 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1520 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1521 1522 /* 1523 * Has the credential of the process changed since the last exec()? 1524 */ 1525 credentialchanged = (p2->p_flag & P_SUGID); 1526 1527 /* 1528 * If p2's gids aren't a subset, or the uids aren't a subset, 1529 * or the credential has changed, require appropriate privilege 1530 * for p1 to debug p2. For POSIX.1e capabilities, this will 1531 * require CAP_SYS_PTRACE. 1532 */ 1533 if (!grpsubset || !uidsubset || credentialchanged) { 1534 error = suser_xxx(NULL, p1, PRISON_ROOT); 1535 if (error) 1536 return (error); 1537 } 1538 1539 /* Can't trace init when securelevel > 0. */ 1540 if (p2 == initproc) { 1541 error = securelevel_gt(p1->p_ucred, 0); 1542 if (error) 1543 return (error); 1544 } 1545 1546 /* 1547 * Can't trace a process that's currently exec'ing. 1548 * XXX: Note, this is not a security policy decision, it's a 1549 * basic correctness/functionality decision. Therefore, this check 1550 * should be moved to the caller's of p_candebug(). 1551 */ 1552 if ((p2->p_flag & P_INEXEC) != 0) 1553 return (EAGAIN); 1554 1555 return (0); 1556 } 1557 1558 /* 1559 * Allocate a zeroed cred structure. 1560 */ 1561 struct ucred * 1562 crget() 1563 { 1564 register struct ucred *cr; 1565 1566 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1567 cr->cr_ref = 1; 1568 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1569 return (cr); 1570 } 1571 1572 /* 1573 * Claim another reference to a ucred structure. 1574 */ 1575 struct ucred * 1576 crhold(cr) 1577 struct ucred *cr; 1578 { 1579 1580 mtx_lock(&cr->cr_mtx); 1581 cr->cr_ref++; 1582 mtx_unlock(&cr->cr_mtx); 1583 return (cr); 1584 } 1585 1586 /* 1587 * Free a cred structure. 1588 * Throws away space when ref count gets to 0. 1589 */ 1590 void 1591 crfree(cr) 1592 struct ucred *cr; 1593 { 1594 1595 mtx_lock(&cr->cr_mtx); 1596 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1597 if (--cr->cr_ref == 0) { 1598 mtx_destroy(&cr->cr_mtx); 1599 /* 1600 * Some callers of crget(), such as nfs_statfs(), 1601 * allocate a temporary credential, but don't 1602 * allocate a uidinfo structure. 1603 */ 1604 if (cr->cr_uidinfo != NULL) 1605 uifree(cr->cr_uidinfo); 1606 if (cr->cr_ruidinfo != NULL) 1607 uifree(cr->cr_ruidinfo); 1608 /* 1609 * Free a prison, if any. 1610 */ 1611 if (jailed(cr)) 1612 prison_free(cr->cr_prison); 1613 FREE((caddr_t)cr, M_CRED); 1614 } else 1615 mtx_unlock(&cr->cr_mtx); 1616 } 1617 1618 /* 1619 * Check to see if this ucred is shared. 1620 */ 1621 int 1622 crshared(cr) 1623 struct ucred *cr; 1624 { 1625 int shared; 1626 1627 mtx_lock(&cr->cr_mtx); 1628 shared = (cr->cr_ref > 1); 1629 mtx_unlock(&cr->cr_mtx); 1630 return (shared); 1631 } 1632 1633 /* 1634 * Copy a ucred's contents from a template. Does not block. 1635 */ 1636 void 1637 crcopy(dest, src) 1638 struct ucred *dest, *src; 1639 { 1640 1641 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1642 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1643 (unsigned)((caddr_t)&src->cr_endcopy - 1644 (caddr_t)&src->cr_startcopy)); 1645 uihold(dest->cr_uidinfo); 1646 uihold(dest->cr_ruidinfo); 1647 if (jailed(dest)) 1648 prison_hold(dest->cr_prison); 1649 } 1650 1651 /* 1652 * Dup cred struct to a new held one. 1653 */ 1654 struct ucred * 1655 crdup(cr) 1656 struct ucred *cr; 1657 { 1658 struct ucred *newcr; 1659 1660 newcr = crget(); 1661 crcopy(newcr, cr); 1662 return (newcr); 1663 } 1664 1665 /* 1666 * Get login name, if available. 1667 */ 1668 #ifndef _SYS_SYSPROTO_H_ 1669 struct getlogin_args { 1670 char *namebuf; 1671 u_int namelen; 1672 }; 1673 #endif 1674 /* 1675 * MPSAFE 1676 */ 1677 /* ARGSUSED */ 1678 int 1679 getlogin(td, uap) 1680 struct thread *td; 1681 struct getlogin_args *uap; 1682 { 1683 int error; 1684 struct proc *p = td->td_proc; 1685 1686 mtx_lock(&Giant); 1687 if (uap->namelen > MAXLOGNAME) 1688 uap->namelen = MAXLOGNAME; 1689 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1690 (caddr_t) uap->namebuf, uap->namelen); 1691 mtx_unlock(&Giant); 1692 return(error); 1693 } 1694 1695 /* 1696 * Set login name. 1697 */ 1698 #ifndef _SYS_SYSPROTO_H_ 1699 struct setlogin_args { 1700 char *namebuf; 1701 }; 1702 #endif 1703 /* 1704 * MPSAFE 1705 */ 1706 /* ARGSUSED */ 1707 int 1708 setlogin(td, uap) 1709 struct thread *td; 1710 struct setlogin_args *uap; 1711 { 1712 struct proc *p = td->td_proc; 1713 int error; 1714 char logintmp[MAXLOGNAME]; 1715 1716 mtx_lock(&Giant); 1717 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0) 1718 goto done2; 1719 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1720 sizeof(logintmp), (size_t *)0); 1721 if (error == ENAMETOOLONG) 1722 error = EINVAL; 1723 else if (!error) 1724 (void)memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1725 sizeof(logintmp)); 1726 done2: 1727 mtx_unlock(&Giant); 1728 return (error); 1729 } 1730 1731 void 1732 setsugid(p) 1733 struct proc *p; 1734 { 1735 p->p_flag |= P_SUGID; 1736 if (!(p->p_pfsflags & PF_ISUGID)) 1737 p->p_stops = 0; 1738 } 1739 1740 /*- 1741 * Change a process's effective uid. 1742 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1743 * References: newcred must be an exclusive credential reference for the 1744 * duration of the call. 1745 */ 1746 void 1747 change_euid(newcred, euid) 1748 struct ucred *newcred; 1749 uid_t euid; 1750 { 1751 1752 newcred->cr_uid = euid; 1753 uifree(newcred->cr_uidinfo); 1754 newcred->cr_uidinfo = uifind(euid); 1755 } 1756 1757 /*- 1758 * Change a process's effective gid. 1759 * Side effects: newcred->cr_gid will be modified. 1760 * References: newcred must be an exclusive credential reference for the 1761 * duration of the call. 1762 */ 1763 void 1764 change_egid(newcred, egid) 1765 struct ucred *newcred; 1766 gid_t egid; 1767 { 1768 1769 newcred->cr_groups[0] = egid; 1770 } 1771 1772 /*- 1773 * Change a process's real uid. 1774 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1775 * will be updated, and the old and new cr_ruidinfo proc 1776 * counts will be updated. 1777 * References: newcred must be an exclusive credential reference for the 1778 * duration of the call. 1779 */ 1780 void 1781 change_ruid(newcred, ruid) 1782 struct ucred *newcred; 1783 uid_t ruid; 1784 { 1785 1786 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1787 newcred->cr_ruid = ruid; 1788 uifree(newcred->cr_ruidinfo); 1789 newcred->cr_ruidinfo = uifind(ruid); 1790 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1791 } 1792 1793 /*- 1794 * Change a process's real gid. 1795 * Side effects: newcred->cr_rgid will be updated. 1796 * References: newcred must be an exclusive credential reference for the 1797 * duration of the call. 1798 */ 1799 void 1800 change_rgid(newcred, rgid) 1801 struct ucred *newcred; 1802 gid_t rgid; 1803 { 1804 1805 newcred->cr_rgid = rgid; 1806 } 1807 1808 /*- 1809 * Change a process's saved uid. 1810 * Side effects: newcred->cr_svuid will be updated. 1811 * References: newcred must be an exclusive credential reference for the 1812 * duration of the call. 1813 */ 1814 void 1815 change_svuid(newcred, svuid) 1816 struct ucred *newcred; 1817 uid_t svuid; 1818 { 1819 1820 newcred->cr_svuid = svuid; 1821 } 1822 1823 /*- 1824 * Change a process's saved gid. 1825 * Side effects: newcred->cr_svgid will be updated. 1826 * References: newcred must be an exclusive credential reference for the 1827 * duration of the call. 1828 */ 1829 void 1830 change_svgid(newcred, svgid) 1831 struct ucred *newcred; 1832 gid_t svgid; 1833 { 1834 1835 newcred->cr_svgid = svgid; 1836 } 1837