xref: /freebsd/sys/kern/kern_prot.c (revision 6990ffd8a95caaba6858ad44ff1b3157d1efba8f)
1 /*
2  * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  * Copyright (c) 2000, 2001 Robert N. M. Watson.  All rights reserved.
5  * (c) UNIX System Laboratories, Inc.
6  * All or some portions of this file are derived from material licensed
7  * to the University of California by American Telephone and Telegraph
8  * Co. or Unix System Laboratories, Inc. and are reproduced herein with
9  * the permission of UNIX System Laboratories, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  * 3. All advertising materials mentioning features or use of this software
20  *    must display the following acknowledgement:
21  *	This product includes software developed by the University of
22  *	California, Berkeley and its contributors.
23  * 4. Neither the name of the University nor the names of its contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
40  * $FreeBSD$
41  */
42 
43 /*
44  * System calls related to processes and protection
45  */
46 
47 #include "opt_compat.h"
48 #include "opt_global.h"
49 
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/acct.h>
53 #include <sys/kernel.h>
54 #include <sys/lock.h>
55 #include <sys/mutex.h>
56 #include <sys/proc.h>
57 #include <sys/sysproto.h>
58 #include <sys/malloc.h>
59 #include <sys/pioctl.h>
60 #include <sys/resourcevar.h>
61 #include <sys/sysctl.h>
62 #include <sys/jail.h>
63 
64 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
65 
66 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
67     "Kernel security policy");
68 
69 #ifndef _SYS_SYSPROTO_H_
70 struct getpid_args {
71 	int	dummy;
72 };
73 #endif
74 
75 /*
76  * getpid
77  */
78 
79 /*
80  * MPSAFE
81  */
82 /* ARGSUSED */
83 int
84 getpid(td, uap)
85 	struct thread *td;
86 	struct getpid_args *uap;
87 {
88 	struct proc *p = td->td_proc;
89 
90 	mtx_lock(&Giant);
91 	td->td_retval[0] = p->p_pid;
92 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
93 	PROC_LOCK(p);
94 	td->td_retval[1] = p->p_pptr->p_pid;
95 	PROC_UNLOCK(p);
96 #endif
97 	mtx_unlock(&Giant);
98 	return (0);
99 }
100 
101 /*
102  * getppid
103  */
104 
105 #ifndef _SYS_SYSPROTO_H_
106 struct getppid_args {
107         int     dummy;
108 };
109 #endif
110 /*
111  * MPSAFE
112  */
113 /* ARGSUSED */
114 int
115 getppid(td, uap)
116 	struct thread *td;
117 	struct getppid_args *uap;
118 {
119 	struct proc *p = td->td_proc;
120 
121 	mtx_lock(&Giant);
122 	PROC_LOCK(p);
123 	td->td_retval[0] = p->p_pptr->p_pid;
124 	PROC_UNLOCK(p);
125 	mtx_unlock(&Giant);
126 	return (0);
127 }
128 
129 /*
130  * Get process group ID; note that POSIX getpgrp takes no parameter
131  *
132  * MP SAFE
133  */
134 #ifndef _SYS_SYSPROTO_H_
135 struct getpgrp_args {
136         int     dummy;
137 };
138 #endif
139 /*
140  * MPSAFE
141  */
142 int
143 getpgrp(td, uap)
144 	struct thread *td;
145 	struct getpgrp_args *uap;
146 {
147 	struct proc *p = td->td_proc;
148 
149 	mtx_lock(&Giant);
150 	td->td_retval[0] = p->p_pgrp->pg_id;
151 	mtx_unlock(&Giant);
152 	return (0);
153 }
154 
155 /* Get an arbitary pid's process group id */
156 #ifndef _SYS_SYSPROTO_H_
157 struct getpgid_args {
158 	pid_t	pid;
159 };
160 #endif
161 
162 /*
163  * MPSAFE
164  */
165 int
166 getpgid(td, uap)
167 	struct thread *td;
168 	struct getpgid_args *uap;
169 {
170 	struct proc *p = td->td_proc;
171 	struct proc *pt;
172 	int error = 0;
173 
174 	mtx_lock(&Giant);
175 	if (uap->pid == 0)
176 		td->td_retval[0] = p->p_pgrp->pg_id;
177 	else {
178 		if ((pt = pfind(uap->pid)) == NULL) {
179 			error = ESRCH;
180 			goto done2;
181 		}
182 		if ((error = p_cansee(p, pt))) {
183 			PROC_UNLOCK(pt);
184 			goto done2;
185 		}
186 		td->td_retval[0] = pt->p_pgrp->pg_id;
187 		PROC_UNLOCK(pt);
188 	}
189 done2:
190 	mtx_unlock(&Giant);
191 	return (error);
192 }
193 
194 /*
195  * Get an arbitary pid's session id.
196  */
197 #ifndef _SYS_SYSPROTO_H_
198 struct getsid_args {
199 	pid_t	pid;
200 };
201 #endif
202 
203 /*
204  * MPSAFE
205  */
206 int
207 getsid(td, uap)
208 	struct thread *td;
209 	struct getsid_args *uap;
210 {
211 	struct proc *p = td->td_proc;
212 	struct proc *pt;
213 	int error = 0;
214 
215 	mtx_lock(&Giant);
216 	if (uap->pid == 0) {
217 		td->td_retval[0] = p->p_session->s_sid;
218 	} else {
219 		if ((pt = pfind(uap->pid)) == NULL) {
220 			error = ESRCH;
221 			goto done2;
222 		}
223 		if ((error = p_cansee(p, pt))) {
224 			PROC_UNLOCK(pt);
225 			goto done2;
226 		}
227 		td->td_retval[0] = pt->p_session->s_sid;
228 		PROC_UNLOCK(pt);
229 	}
230 done2:
231 	mtx_unlock(&Giant);
232 	return (error);
233 }
234 
235 
236 /*
237  * getuid() - MP SAFE
238  */
239 #ifndef _SYS_SYSPROTO_H_
240 struct getuid_args {
241         int     dummy;
242 };
243 #endif
244 
245 /*
246  * MPSAFE
247  */
248 /* ARGSUSED */
249 int
250 getuid(td, uap)
251 	struct thread *td;
252 	struct getuid_args *uap;
253 {
254 	struct proc *p = td->td_proc;
255 
256 	mtx_lock(&Giant);
257 	td->td_retval[0] = p->p_ucred->cr_ruid;
258 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
259 	td->td_retval[1] = p->p_ucred->cr_uid;
260 #endif
261 	mtx_unlock(&Giant);
262 	return (0);
263 }
264 
265 /*
266  * geteuid() - MP SAFE
267  */
268 #ifndef _SYS_SYSPROTO_H_
269 struct geteuid_args {
270         int     dummy;
271 };
272 #endif
273 
274 /* ARGSUSED */
275 int
276 geteuid(td, uap)
277 	struct thread *td;
278 	struct geteuid_args *uap;
279 {
280 	mtx_lock(&Giant);
281 	td->td_retval[0] = td->td_proc->p_ucred->cr_uid;
282 	mtx_unlock(&Giant);
283 	return (0);
284 }
285 
286 /*
287  * getgid() - MP SAFE
288  */
289 #ifndef _SYS_SYSPROTO_H_
290 struct getgid_args {
291         int     dummy;
292 };
293 #endif
294 
295 /*
296  * MPSAFE
297  */
298 /* ARGSUSED */
299 int
300 getgid(td, uap)
301 	struct thread *td;
302 	struct getgid_args *uap;
303 {
304 	struct proc *p = td->td_proc;
305 
306 	mtx_lock(&Giant);
307 	td->td_retval[0] = p->p_ucred->cr_rgid;
308 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
309 	td->td_retval[1] = p->p_ucred->cr_groups[0];
310 #endif
311 	mtx_unlock(&Giant);
312 	return (0);
313 }
314 
315 /*
316  * Get effective group ID.  The "egid" is groups[0], and could be obtained
317  * via getgroups.  This syscall exists because it is somewhat painful to do
318  * correctly in a library function.
319  */
320 #ifndef _SYS_SYSPROTO_H_
321 struct getegid_args {
322         int     dummy;
323 };
324 #endif
325 
326 /*
327  * MPSAFE
328  */
329 /* ARGSUSED */
330 int
331 getegid(td, uap)
332 	struct thread *td;
333 	struct getegid_args *uap;
334 {
335 	struct proc *p = td->td_proc;
336 
337 	mtx_lock(&Giant);
338 	td->td_retval[0] = p->p_ucred->cr_groups[0];
339 	mtx_unlock(&Giant);
340 	return (0);
341 }
342 
343 #ifndef _SYS_SYSPROTO_H_
344 struct getgroups_args {
345 	u_int	gidsetsize;
346 	gid_t	*gidset;
347 };
348 #endif
349 /*
350  * MPSAFE
351  */
352 int
353 getgroups(td, uap)
354 	struct thread *td;
355 	register struct	getgroups_args *uap;
356 {
357 	struct ucred *cred;
358 	struct proc *p = td->td_proc;
359 	u_int ngrp;
360 	int error = 0;
361 
362 	mtx_lock(&Giant);
363 	cred = p->p_ucred;
364 	if ((ngrp = uap->gidsetsize) == 0) {
365 		td->td_retval[0] = cred->cr_ngroups;
366 		error = 0;
367 		goto done2;
368 	}
369 	if (ngrp < cred->cr_ngroups) {
370 		error = EINVAL;
371 		goto done2;
372 	}
373 	ngrp = cred->cr_ngroups;
374 	if ((error = copyout((caddr_t)cred->cr_groups,
375 	    (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) {
376 		goto done2;
377 	}
378 	td->td_retval[0] = ngrp;
379 done2:
380 	mtx_unlock(&Giant);
381 	return (error);
382 }
383 
384 #ifndef _SYS_SYSPROTO_H_
385 struct setsid_args {
386         int     dummy;
387 };
388 #endif
389 
390 /*
391  * MPSAFE
392  */
393 /* ARGSUSED */
394 int
395 setsid(td, uap)
396 	register struct thread *td;
397 	struct setsid_args *uap;
398 {
399 	int error;
400 	struct proc *p = td->td_proc;
401 
402 	mtx_lock(&Giant);
403 	if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) {
404 		error = EPERM;
405 	} else {
406 		(void)enterpgrp(p, p->p_pid, 1);
407 		td->td_retval[0] = p->p_pid;
408 		error = 0;
409 	}
410 	mtx_unlock(&Giant);
411 	return (error);
412 }
413 
414 /*
415  * set process group (setpgid/old setpgrp)
416  *
417  * caller does setpgid(targpid, targpgid)
418  *
419  * pid must be caller or child of caller (ESRCH)
420  * if a child
421  *	pid must be in same session (EPERM)
422  *	pid can't have done an exec (EACCES)
423  * if pgid != pid
424  * 	there must exist some pid in same session having pgid (EPERM)
425  * pid must not be session leader (EPERM)
426  */
427 #ifndef _SYS_SYSPROTO_H_
428 struct setpgid_args {
429 	int	pid;	/* target process id */
430 	int	pgid;	/* target pgrp id */
431 };
432 #endif
433 /*
434  * MPSAFE
435  */
436 /* ARGSUSED */
437 int
438 setpgid(td, uap)
439 	struct thread *td;
440 	register struct setpgid_args *uap;
441 {
442 	struct proc *curp = td->td_proc;
443 	register struct proc *targp;		/* target process */
444 	register struct pgrp *pgrp;		/* target pgrp */
445 	int error;
446 
447 	if (uap->pgid < 0)
448 		return (EINVAL);
449 
450 	mtx_lock(&Giant);
451 
452 	if (uap->pid != 0 && uap->pid != curp->p_pid) {
453 		if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) {
454 			if (targp)
455 				PROC_UNLOCK(targp);
456 			error = ESRCH;
457 			goto done2;
458 		}
459 		if ((error = p_cansee(curproc, targp))) {
460 			PROC_UNLOCK(targp);
461 			goto done2;
462 		}
463 		if (targp->p_pgrp == NULL ||
464 		    targp->p_session != curp->p_session) {
465 			PROC_UNLOCK(targp);
466 			error = EPERM;
467 			goto done2;
468 		}
469 		if (targp->p_flag & P_EXEC) {
470 			PROC_UNLOCK(targp);
471 			error = EACCES;
472 			goto done2;
473 		}
474 	} else {
475 		targp = curp;
476 		PROC_LOCK(curp);	/* XXX: not needed */
477 	}
478 	if (SESS_LEADER(targp)) {
479 		PROC_UNLOCK(targp);
480 		error = EPERM;
481 		goto done2;
482 	}
483 	if (uap->pgid == 0) {
484 		uap->pgid = targp->p_pid;
485 	} else if (uap->pgid != targp->p_pid) {
486 		if ((pgrp = pgfind(uap->pgid)) == 0 ||
487 	            pgrp->pg_session != curp->p_session) {
488 			PROC_UNLOCK(targp);
489 			error = EPERM;
490 			goto done2;
491 		}
492 	}
493 	/* XXX: We should probably hold the lock across enterpgrp. */
494 	PROC_UNLOCK(targp);
495 	error = enterpgrp(targp, uap->pgid, 0);
496 done2:
497 	mtx_unlock(&Giant);
498 	return (error);
499 }
500 
501 /*
502  * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
503  * compatible.  It says that setting the uid/gid to euid/egid is a special
504  * case of "appropriate privilege".  Once the rules are expanded out, this
505  * basically means that setuid(nnn) sets all three id's, in all permitted
506  * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
507  * does not set the saved id - this is dangerous for traditional BSD
508  * programs.  For this reason, we *really* do not want to set
509  * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
510  */
511 #define POSIX_APPENDIX_B_4_2_2
512 
513 #ifndef _SYS_SYSPROTO_H_
514 struct setuid_args {
515 	uid_t	uid;
516 };
517 #endif
518 /*
519  * MPSAFE
520  */
521 /* ARGSUSED */
522 int
523 setuid(td, uap)
524 	struct thread *td;
525 	struct setuid_args *uap;
526 {
527 	struct proc *p = td->td_proc;
528 	struct ucred *newcred, *oldcred;
529 	uid_t uid;
530 	int error = 0;
531 
532 	uid = uap->uid;
533 	oldcred = p->p_ucred;
534 	mtx_lock(&Giant);
535 
536 	/*
537 	 * See if we have "permission" by POSIX 1003.1 rules.
538 	 *
539 	 * Note that setuid(geteuid()) is a special case of
540 	 * "appropriate privileges" in appendix B.4.2.2.  We need
541 	 * to use this clause to be compatible with traditional BSD
542 	 * semantics.  Basically, it means that "setuid(xx)" sets all
543 	 * three id's (assuming you have privs).
544 	 *
545 	 * Notes on the logic.  We do things in three steps.
546 	 * 1: We determine if the euid is going to change, and do EPERM
547 	 *    right away.  We unconditionally change the euid later if this
548 	 *    test is satisfied, simplifying that part of the logic.
549 	 * 2: We determine if the real and/or saved uid's are going to
550 	 *    change.  Determined by compile options.
551 	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
552 	 */
553 	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
554 #ifdef _POSIX_SAVED_IDS
555 	    uid != oldcred->cr_svuid &&		/* allow setuid(saved gid) */
556 #endif
557 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
558 	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
559 #endif
560 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
561 		goto done2;
562 
563 	newcred = crdup(oldcred);
564 #ifdef _POSIX_SAVED_IDS
565 	/*
566 	 * Do we have "appropriate privileges" (are we root or uid == euid)
567 	 * If so, we are changing the real uid and/or saved uid.
568 	 */
569 	if (
570 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
571 	    uid == oldcred->cr_uid ||
572 #endif
573 	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
574 #endif
575 	{
576 		/*
577 		 * Set the real uid and transfer proc count to new user.
578 		 */
579 		if (uid != oldcred->cr_ruid) {
580 			change_ruid(newcred, uid);
581 			setsugid(p);
582 		}
583 		/*
584 		 * Set saved uid
585 		 *
586 		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
587 		 * the security of seteuid() depends on it.  B.4.2.2 says it
588 		 * is important that we should do this.
589 		 */
590 		if (uid != oldcred->cr_svuid) {
591 			change_svuid(newcred, uid);
592 			setsugid(p);
593 		}
594 	}
595 
596 	/*
597 	 * In all permitted cases, we are changing the euid.
598 	 * Copy credentials so other references do not see our changes.
599 	 */
600 	if (uid != oldcred->cr_uid) {
601 		change_euid(newcred, uid);
602 		setsugid(p);
603 	}
604 	p->p_ucred = newcred;
605 	crfree(oldcred);
606 done2:
607 	mtx_unlock(&Giant);
608 	return (error);
609 }
610 
611 #ifndef _SYS_SYSPROTO_H_
612 struct seteuid_args {
613 	uid_t	euid;
614 };
615 #endif
616 /*
617  * MPSAFE
618  */
619 /* ARGSUSED */
620 int
621 seteuid(td, uap)
622 	struct thread *td;
623 	struct seteuid_args *uap;
624 {
625 	struct proc *p = td->td_proc;
626 	struct ucred *newcred, *oldcred;
627 	uid_t euid;
628 	int error = 0;
629 
630 	euid = uap->euid;
631 
632 	mtx_lock(&Giant);
633 	oldcred = p->p_ucred;
634 	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
635 	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
636 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) {
637 		goto done2;
638 	}
639 	/*
640 	 * Everything's okay, do it.  Copy credentials so other references do
641 	 * not see our changes.
642 	 */
643 	newcred = crdup(oldcred);
644 	if (oldcred->cr_uid != euid) {
645 		change_euid(newcred, euid);
646 		setsugid(p);
647 	}
648 	p->p_ucred = newcred;
649 	crfree(oldcred);
650 done2:
651 	mtx_unlock(&Giant);
652 	return (error);
653 }
654 
655 #ifndef _SYS_SYSPROTO_H_
656 struct setgid_args {
657 	gid_t	gid;
658 };
659 #endif
660 /*
661  * MPSAFE
662  */
663 /* ARGSUSED */
664 int
665 setgid(td, uap)
666 	struct thread *td;
667 	struct setgid_args *uap;
668 {
669 	struct proc *p = td->td_proc;
670 	struct ucred *newcred, *oldcred;
671 	gid_t gid;
672 	int error = 0;
673 
674 	gid = uap->gid;
675 
676 	mtx_lock(&Giant);
677 	oldcred = p->p_ucred;
678 	/*
679 	 * See if we have "permission" by POSIX 1003.1 rules.
680 	 *
681 	 * Note that setgid(getegid()) is a special case of
682 	 * "appropriate privileges" in appendix B.4.2.2.  We need
683 	 * to use this clause to be compatible with traditional BSD
684 	 * semantics.  Basically, it means that "setgid(xx)" sets all
685 	 * three id's (assuming you have privs).
686 	 *
687 	 * For notes on the logic here, see setuid() above.
688 	 */
689 	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
690 #ifdef _POSIX_SAVED_IDS
691 	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
692 #endif
693 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
694 	    gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
695 #endif
696 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) {
697 		goto done2;
698 	}
699 
700 	newcred = crdup(oldcred);
701 #ifdef _POSIX_SAVED_IDS
702 	/*
703 	 * Do we have "appropriate privileges" (are we root or gid == egid)
704 	 * If so, we are changing the real uid and saved gid.
705 	 */
706 	if (
707 #ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
708 	    gid == oldcred->cr_groups[0] ||
709 #endif
710 	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
711 #endif
712 	{
713 		/*
714 		 * Set real gid
715 		 */
716 		if (oldcred->cr_rgid != gid) {
717 			change_rgid(newcred, gid);
718 			setsugid(p);
719 		}
720 		/*
721 		 * Set saved gid
722 		 *
723 		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
724 		 * the security of setegid() depends on it.  B.4.2.2 says it
725 		 * is important that we should do this.
726 		 */
727 		if (oldcred->cr_svgid != gid) {
728 			change_svgid(newcred, gid);
729 			setsugid(p);
730 		}
731 	}
732 	/*
733 	 * In all cases permitted cases, we are changing the egid.
734 	 * Copy credentials so other references do not see our changes.
735 	 */
736 	if (oldcred->cr_groups[0] != gid) {
737 		change_egid(newcred, gid);
738 		setsugid(p);
739 	}
740 	p->p_ucred = newcred;
741 	crfree(oldcred);
742 done2:
743 	mtx_unlock(&Giant);
744 	return (error);
745 }
746 
747 #ifndef _SYS_SYSPROTO_H_
748 struct setegid_args {
749 	gid_t	egid;
750 };
751 #endif
752 /*
753  * MPSAFE
754  */
755 /* ARGSUSED */
756 int
757 setegid(td, uap)
758 	struct thread *td;
759 	struct setegid_args *uap;
760 {
761 	struct proc *p = td->td_proc;
762 	struct ucred *newcred, *oldcred;
763 	gid_t egid;
764 	int error = 0;
765 
766 	egid = uap->egid;
767 
768 	mtx_lock(&Giant);
769 	oldcred = p->p_ucred;
770 	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
771 	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
772 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) {
773 		goto done2;
774 	}
775 	newcred = crdup(oldcred);
776 	if (oldcred->cr_groups[0] != egid) {
777 		change_egid(newcred, egid);
778 		setsugid(p);
779 	}
780 	p->p_ucred = newcred;
781 	crfree(oldcred);
782 done2:
783 	mtx_unlock(&Giant);
784 	return (error);
785 }
786 
787 #ifndef _SYS_SYSPROTO_H_
788 struct setgroups_args {
789 	u_int	gidsetsize;
790 	gid_t	*gidset;
791 };
792 #endif
793 /*
794  * MPSAFE
795  */
796 /* ARGSUSED */
797 int
798 setgroups(td, uap)
799 	struct thread *td;
800 	struct setgroups_args *uap;
801 {
802 	struct proc *p = td->td_proc;
803 	struct ucred *newcred, *oldcred;
804 	u_int ngrp;
805 	int error;
806 
807 	mtx_lock(&Giant);
808 
809 	ngrp = uap->gidsetsize;
810 	oldcred = p->p_ucred;
811 	if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)))
812 		goto done2;
813 	if (ngrp > NGROUPS) {
814 		error = EINVAL;
815 		goto done2;
816 	}
817 	/*
818 	 * XXX A little bit lazy here.  We could test if anything has
819 	 * changed before crcopy() and setting P_SUGID.
820 	 */
821 	newcred = crdup(oldcred);
822 	if (ngrp < 1) {
823 		/*
824 		 * setgroups(0, NULL) is a legitimate way of clearing the
825 		 * groups vector on non-BSD systems (which generally do not
826 		 * have the egid in the groups[0]).  We risk security holes
827 		 * when running non-BSD software if we do not do the same.
828 		 */
829 		newcred->cr_ngroups = 1;
830 	} else {
831 		if ((error = copyin((caddr_t)uap->gidset,
832 		    (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
833 			crfree(newcred);
834 			goto done2;
835 		}
836 		newcred->cr_ngroups = ngrp;
837 	}
838 	setsugid(p);
839 	p->p_ucred = newcred;
840 	crfree(oldcred);
841 done2:
842 	mtx_unlock(&Giant);
843 	return (error);
844 }
845 
846 #ifndef _SYS_SYSPROTO_H_
847 struct setreuid_args {
848 	uid_t	ruid;
849 	uid_t	euid;
850 };
851 #endif
852 /*
853  * MPSAFE
854  */
855 /* ARGSUSED */
856 int
857 setreuid(td, uap)
858 	register struct thread *td;
859 	struct setreuid_args *uap;
860 {
861 	struct proc *p = td->td_proc;
862 	struct ucred *newcred, *oldcred;
863 	uid_t ruid, euid;
864 	int error = 0;
865 
866 	ruid = uap->ruid;
867 	euid = uap->euid;
868 
869 	mtx_lock(&Giant);
870 
871 	oldcred = p->p_ucred;
872 	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
873 	      ruid != oldcred->cr_svuid) ||
874 	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
875 	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
876 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
877 		goto done2;
878 	}
879 	newcred = crdup(oldcred);
880 	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
881 		change_euid(newcred, euid);
882 		setsugid(p);
883 	}
884 	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
885 		change_ruid(newcred, ruid);
886 		setsugid(p);
887 	}
888 	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
889 	    newcred->cr_svuid != newcred->cr_uid) {
890 		change_svuid(newcred, newcred->cr_uid);
891 		setsugid(p);
892 	}
893 	p->p_ucred = newcred;
894 	crfree(oldcred);
895 done2:
896 	mtx_unlock(&Giant);
897 	return (error);
898 }
899 
900 #ifndef _SYS_SYSPROTO_H_
901 struct setregid_args {
902 	gid_t	rgid;
903 	gid_t	egid;
904 };
905 #endif
906 /*
907  * MPSAFE
908  */
909 /* ARGSUSED */
910 int
911 setregid(td, uap)
912 	register struct thread *td;
913 	struct setregid_args *uap;
914 {
915 	struct proc *p = td->td_proc;
916 	struct ucred *newcred, *oldcred;
917 	gid_t rgid, egid;
918 	int error = 0;
919 
920 	rgid = uap->rgid;
921 	egid = uap->egid;
922 
923 	mtx_lock(&Giant);
924 
925 	oldcred = p->p_ucred;
926 	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
927 	    rgid != oldcred->cr_svgid) ||
928 	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
929 	     egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
930 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
931 		goto done2;
932 	}
933 
934 	newcred = crdup(oldcred);
935 	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
936 		change_egid(newcred, egid);
937 		setsugid(p);
938 	}
939 	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
940 		change_rgid(newcred, rgid);
941 		setsugid(p);
942 	}
943 	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
944 	    newcred->cr_svgid != newcred->cr_groups[0]) {
945 		change_svgid(newcred, newcred->cr_groups[0]);
946 		setsugid(p);
947 	}
948 	p->p_ucred = newcred;
949 	crfree(oldcred);
950 done2:
951 	mtx_unlock(&Giant);
952 	return (error);
953 }
954 
955 /*
956  * setresuid(ruid, euid, suid) is like setreuid except control over the
957  * saved uid is explicit.
958  */
959 
960 #ifndef _SYS_SYSPROTO_H_
961 struct setresuid_args {
962 	uid_t	ruid;
963 	uid_t	euid;
964 	uid_t	suid;
965 };
966 #endif
967 /*
968  * MPSAFE
969  */
970 /* ARGSUSED */
971 int
972 setresuid(td, uap)
973 	register struct thread *td;
974 	struct setresuid_args *uap;
975 {
976 	struct proc *p = td->td_proc;
977 	struct ucred *newcred, *oldcred;
978 	uid_t ruid, euid, suid;
979 	int error;
980 
981 	ruid = uap->ruid;
982 	euid = uap->euid;
983 	suid = uap->suid;
984 
985 	mtx_lock(&Giant);
986 	oldcred = p->p_ucred;
987 	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
988 	     ruid != oldcred->cr_svuid &&
989 	      ruid != oldcred->cr_uid) ||
990 	     (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
991 	    euid != oldcred->cr_svuid &&
992 	      euid != oldcred->cr_uid) ||
993 	     (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
994 	    suid != oldcred->cr_svuid &&
995 	      suid != oldcred->cr_uid)) &&
996 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
997 		goto done2;
998 	}
999 
1000 	newcred = crdup(oldcred);
1001 	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1002 		change_euid(newcred, euid);
1003 		setsugid(p);
1004 	}
1005 	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1006 		change_ruid(newcred, ruid);
1007 		setsugid(p);
1008 	}
1009 	if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1010 		change_svuid(newcred, suid);
1011 		setsugid(p);
1012 	}
1013 	p->p_ucred = newcred;
1014 	crfree(oldcred);
1015 	error = 0;
1016 done2:
1017 	mtx_unlock(&Giant);
1018 	return (error);
1019 }
1020 
1021 /*
1022  * setresgid(rgid, egid, sgid) is like setregid except control over the
1023  * saved gid is explicit.
1024  */
1025 
1026 #ifndef _SYS_SYSPROTO_H_
1027 struct setresgid_args {
1028 	gid_t	rgid;
1029 	gid_t	egid;
1030 	gid_t	sgid;
1031 };
1032 #endif
1033 /*
1034  * MPSAFE
1035  */
1036 /* ARGSUSED */
1037 int
1038 setresgid(td, uap)
1039 	register struct thread *td;
1040 	struct setresgid_args *uap;
1041 {
1042 	struct proc *p = td->td_proc;
1043 	struct ucred *newcred, *oldcred;
1044 	gid_t rgid, egid, sgid;
1045 	int error;
1046 
1047 	rgid = uap->rgid;
1048 	egid = uap->egid;
1049 	sgid = uap->sgid;
1050 
1051 	mtx_lock(&Giant);
1052 	oldcred = p->p_ucred;
1053 	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1054 	      rgid != oldcred->cr_svgid &&
1055 	      rgid != oldcred->cr_groups[0]) ||
1056 	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1057 	      egid != oldcred->cr_svgid &&
1058 	      egid != oldcred->cr_groups[0]) ||
1059 	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1060 	      sgid != oldcred->cr_svgid &&
1061 	      sgid != oldcred->cr_groups[0])) &&
1062 	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
1063 		goto done2;
1064 	}
1065 	newcred = crdup(oldcred);
1066 	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1067 		change_egid(newcred, egid);
1068 		setsugid(p);
1069 	}
1070 	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1071 		change_rgid(newcred, rgid);
1072 		setsugid(p);
1073 	}
1074 	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1075 		change_svgid(newcred, sgid);
1076 		setsugid(p);
1077 	}
1078 	p->p_ucred = newcred;
1079 	crfree(oldcred);
1080 	error = 0;
1081 done2:
1082 	mtx_unlock(&Giant);
1083 	return (error);
1084 }
1085 
1086 #ifndef _SYS_SYSPROTO_H_
1087 struct getresuid_args {
1088 	uid_t	*ruid;
1089 	uid_t	*euid;
1090 	uid_t	*suid;
1091 };
1092 #endif
1093 /*
1094  * MPSAFE
1095  */
1096 /* ARGSUSED */
1097 int
1098 getresuid(td, uap)
1099 	register struct thread *td;
1100 	struct getresuid_args *uap;
1101 {
1102 	struct ucred *cred;
1103 	struct proc *p = td->td_proc;
1104 	int error1 = 0, error2 = 0, error3 = 0;
1105 
1106 	mtx_lock(&Giant);
1107 	cred = p->p_ucred;
1108 
1109 	if (uap->ruid)
1110 		error1 = copyout((caddr_t)&cred->cr_ruid,
1111 		    (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
1112 	if (uap->euid)
1113 		error2 = copyout((caddr_t)&cred->cr_uid,
1114 		    (caddr_t)uap->euid, sizeof(cred->cr_uid));
1115 	if (uap->suid)
1116 		error3 = copyout((caddr_t)&cred->cr_svuid,
1117 		    (caddr_t)uap->suid, sizeof(cred->cr_svuid));
1118 	mtx_unlock(&Giant);
1119 	return error1 ? error1 : (error2 ? error2 : error3);
1120 }
1121 
1122 #ifndef _SYS_SYSPROTO_H_
1123 struct getresgid_args {
1124 	gid_t	*rgid;
1125 	gid_t	*egid;
1126 	gid_t	*sgid;
1127 };
1128 #endif
1129 /*
1130  * MPSAFE
1131  */
1132 /* ARGSUSED */
1133 int
1134 getresgid(td, uap)
1135 	register struct thread *td;
1136 	struct getresgid_args *uap;
1137 {
1138 	struct ucred *cred;
1139 	struct proc *p = td->td_proc;
1140 	int error1 = 0, error2 = 0, error3 = 0;
1141 
1142 	mtx_lock(&Giant);
1143 	cred = p->p_ucred;
1144 
1145 	if (uap->rgid)
1146 		error1 = copyout((caddr_t)&cred->cr_rgid,
1147 		    (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
1148 	if (uap->egid)
1149 		error2 = copyout((caddr_t)&cred->cr_groups[0],
1150 		    (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
1151 	if (uap->sgid)
1152 		error3 = copyout((caddr_t)&cred->cr_svgid,
1153 		    (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
1154 	mtx_unlock(&Giant);
1155 	return error1 ? error1 : (error2 ? error2 : error3);
1156 }
1157 
1158 
1159 #ifndef _SYS_SYSPROTO_H_
1160 struct issetugid_args {
1161 	int dummy;
1162 };
1163 #endif
1164 /* ARGSUSED */
1165 int
1166 issetugid(td, uap)
1167 	register struct thread *td;
1168 	struct issetugid_args *uap;
1169 {
1170 	struct proc *p = td->td_proc;
1171 
1172 	/*
1173 	 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1174 	 * we use P_SUGID because we consider changing the owners as
1175 	 * "tainting" as well.
1176 	 * This is significant for procs that start as root and "become"
1177 	 * a user without an exec - programs cannot know *everything*
1178 	 * that libc *might* have put in their data segment.
1179 	 */
1180 	td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1181 	return (0);
1182 }
1183 
1184 /*
1185  * MPSAFE
1186  */
1187 int
1188 __setugid(td, uap)
1189 	struct thread *td;
1190 	struct __setugid_args *uap;
1191 {
1192 #ifdef REGRESSION
1193 	int error = 0;
1194 
1195 	mtx_lock(&Giant);
1196 	switch (uap->flag) {
1197 	case 0:
1198 		td->td_proc->p_flag &= ~P_SUGID;
1199 		break;
1200 	case 1:
1201 		td->td_proc->p_flag |= P_SUGID;
1202 		break;
1203 	default:
1204 		error = EINVAL;
1205 		break;
1206 	}
1207 	mtx_unlock(&Giant);
1208 	return (error);
1209 #else /* !REGRESSION */
1210 	return (ENOSYS);
1211 #endif /* !REGRESSION */
1212 }
1213 
1214 /*
1215  * Check if gid is a member of the group set.
1216  */
1217 int
1218 groupmember(gid, cred)
1219 	gid_t gid;
1220 	struct ucred *cred;
1221 {
1222 	register gid_t *gp;
1223 	gid_t *egp;
1224 
1225 	egp = &(cred->cr_groups[cred->cr_ngroups]);
1226 	for (gp = cred->cr_groups; gp < egp; gp++)
1227 		if (*gp == gid)
1228 			return (1);
1229 	return (0);
1230 }
1231 
1232 /*
1233  * `suser_enabled' (which can be set by the kern.security.suser_enabled
1234  * sysctl) determines whether the system 'super-user' policy is in effect.
1235  * If it is nonzero, an effective uid of 0 connotes special privilege,
1236  * overriding many mandatory and discretionary protections.  If it is zero,
1237  * uid 0 is offered no special privilege in the kernel security policy.
1238  * Setting it to zero may seriously impact the functionality of many
1239  * existing userland programs, and should not be done without careful
1240  * consideration of the consequences.
1241  */
1242 int	suser_enabled = 1;
1243 SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW,
1244     &suser_enabled, 0, "processes with uid 0 have privilege");
1245 
1246 /*
1247  * Test whether the specified credentials imply "super-user" privilege.
1248  * Return 0 or EPERM.
1249  */
1250 int
1251 suser(p)
1252 	struct proc *p;
1253 {
1254 	return suser_xxx(0, p, 0);
1255 }
1256 
1257 /*
1258  * version for when the thread pointer is available and not the proc.
1259  * (saves having to include proc.h into every file that needs to do the change.)
1260  */
1261 int
1262 suser_td(td)
1263 
1264 	struct thread *td;
1265 {
1266 	return suser_xxx(0, td->td_proc, 0);
1267 }
1268 
1269 /*
1270  * wrapper to use if you have the thread on hand but not the proc.
1271  */
1272 int
1273 suser_xxx_td(cred, td, flag)
1274 	struct ucred *cred;
1275 	struct thread *td;
1276 	int flag;
1277 {
1278 	return(suser_xxx(cred, td->td_proc, flag));
1279 }
1280 
1281 int
1282 suser_xxx(cred, proc, flag)
1283 	struct ucred *cred;
1284 	struct proc *proc;
1285 	int flag;
1286 {
1287 	if (!suser_enabled)
1288 		return (EPERM);
1289 	if (!cred && !proc) {
1290 		printf("suser_xxx(): THINK!\n");
1291 		return (EPERM);
1292 	}
1293 	if (!cred)
1294 		cred = proc->p_ucred;
1295 	if (cred->cr_uid != 0)
1296 		return (EPERM);
1297 	if (jailed(cred) && !(flag & PRISON_ROOT))
1298 		return (EPERM);
1299 	return (0);
1300 }
1301 
1302 /*-
1303  * Determine if u1 "can see" the subject specified by u2.
1304  * Returns: 0 for permitted, an errno value otherwise
1305  * Locks: none
1306  * References: u1 and u2 must be immutable credentials
1307  *             u1 and u2 must be valid for the lifetime of the call
1308  *             u1 may equal u2, in which case only one reference is required
1309  */
1310 int
1311 u_cansee(struct ucred *u1, struct ucred *u2)
1312 {
1313 	int error;
1314 
1315 	if ((error = prison_check(u1, u2)))
1316 		return (error);
1317 	if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) {
1318 		if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
1319 			return (ESRCH);
1320 	}
1321 	return (0);
1322 }
1323 
1324 /*-
1325  * Determine if p1 "can see" the subject specified by p2.
1326  * Returns: 0 for permitted, an errno value otherwise
1327  * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
1328  *        be held.  Normally, p1 will be curproc, and a lock must be held
1329  *        for p2.
1330  * References: p1 and p2 must be valid for the lifetime of the call
1331  */
1332 int
1333 p_cansee(struct proc *p1, struct proc *p2)
1334 {
1335 
1336 	/* Wrap u_cansee() for all functionality. */
1337 	return (u_cansee(p1->p_ucred, p2->p_ucred));
1338 }
1339 
1340 /*-
1341  * Determine whether p1 may deliver the specified signal to p2.
1342  * Returns: 0 for permitted, an errno value otherwise
1343  * Locks: Sufficient locks to protect various components of p1 and p2
1344  *        must be held.  Normally, p1 will be curproc, and a lock must
1345  *        be held for p2.
1346  * References: p1 and p2 must be valid for the lifetime of the call
1347  */
1348 int
1349 p_cansignal(struct proc *p1, struct proc *p2, int signum)
1350 {
1351 	int error;
1352 
1353 	if (p1 == p2)
1354 		return (0);
1355 
1356 	/*
1357 	 * Jail semantics limit the scope of signalling to p2 in the same
1358 	 * jail as p1, if p1 is in jail.
1359 	 */
1360 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1361 		return (error);
1362 
1363 	/*
1364 	 * UNIX signalling semantics require that processes in the same
1365 	 * session always be able to deliver SIGCONT to one another,
1366 	 * overriding the remaining protections.
1367 	 */
1368 	if (signum == SIGCONT && p1->p_session == p2->p_session)
1369 		return (0);
1370 
1371 	/*
1372 	 * UNIX signal semantics depend on the status of the P_SUGID
1373 	 * bit on the target process.  If the bit is set, then additional
1374 	 * restrictions are placed on the set of available signals.
1375 	 */
1376 	if (p2->p_flag & P_SUGID) {
1377 		switch (signum) {
1378 		case 0:
1379 		case SIGKILL:
1380 		case SIGINT:
1381 		case SIGTERM:
1382 		case SIGSTOP:
1383 		case SIGTTIN:
1384 		case SIGTTOU:
1385 		case SIGTSTP:
1386 		case SIGHUP:
1387 		case SIGUSR1:
1388 		case SIGUSR2:
1389 			/*
1390 			 * Generally, permit job and terminal control
1391 			 * signals.
1392 			 */
1393 			break;
1394 		default:
1395 			/* Not permitted, privilege is required. */
1396 			error = suser_xxx(NULL, p1, PRISON_ROOT);
1397 			if (error)
1398 				return (error);
1399 		}
1400 	}
1401 
1402 	/*
1403 	 * Generally, the target credential's ruid or svuid must match the
1404 	 * subject credential's ruid or euid.
1405 	 */
1406 	if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid &&
1407 	    p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid &&
1408 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid &&
1409 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) {
1410 		/* Not permitted, try privilege. */
1411 		error = suser_xxx(NULL, p1, PRISON_ROOT);
1412 		if (error)
1413 			return (error);
1414 	}
1415 
1416         return (0);
1417 }
1418 
1419 /*-
1420  * Determine whether p1 may reschedule p2
1421  * Returns: 0 for permitted, an errno value otherwise
1422  * Locks: Sufficient locks to protect various components of p1 and p2
1423  *        must be held.  Normally, p1 will be curproc, and a lock must
1424  *        be held for p2.
1425  * References: p1 and p2 must be valid for the lifetime of the call
1426  */
1427 int
1428 p_cansched(struct proc *p1, struct proc *p2)
1429 {
1430 	int error;
1431 
1432 	if (p1 == p2)
1433 		return (0);
1434 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1435 		return (error);
1436 	if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
1437 		return (0);
1438 	if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
1439 		return (0);
1440 	if (suser_xxx(0, p1, PRISON_ROOT) == 0)
1441 		return (0);
1442 
1443 #ifdef CAPABILITIES
1444 	if (!cap_check_xxx(0, p1, CAP_SYS_NICE, PRISON_ROOT))
1445 		return (0);
1446 #endif
1447 
1448 	return (EPERM);
1449 }
1450 
1451 /*
1452  * The kern_unprivileged_procdebug_permitted flag may be used to disable
1453  * a variety of unprivileged inter-process debugging services, including
1454  * some procfs functionality, ptrace(), and ktrace().  In the past,
1455  * inter-process debugging has been involved in a variety of security
1456  * problems, and sites not requiring the service might choose to disable it
1457  * when hardening systems.
1458  *
1459  * XXX: Should modifying and reading this variable require locking?
1460  */
1461 static int	kern_unprivileged_procdebug_permitted = 1;
1462 SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted,
1463     CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0,
1464     "Unprivileged processes may use process debugging facilities");
1465 
1466 /*-
1467  * Determine whether p1 may debug p2.
1468  * Returns: 0 for permitted, an errno value otherwise
1469  * Locks: Sufficient locks to protect various components of p1 and p2
1470  *        must be held.  Normally, p1 will be curproc, and a lock must
1471  *        be held for p2.
1472  * References: p1 and p2 must be valid for the lifetime of the call
1473  */
1474 int
1475 p_candebug(struct proc *p1, struct proc *p2)
1476 {
1477 	int error;
1478 
1479 	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1480 		return (error);
1481 
1482 	/*
1483 	 * Not owned by you, has done setuid (unless you're root).
1484 	 * XXX add a CAP_SYS_PTRACE here?
1485 	 */
1486 	if (p1->p_ucred->cr_uid != p2->p_ucred->cr_uid ||
1487 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid ||
1488 	    p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid ||
1489 	    p2->p_flag & P_SUGID || !kern_unprivileged_procdebug_permitted) {
1490 		if ((error = suser_xxx(0, p1, PRISON_ROOT)) != 0)
1491 			return (error);
1492 	}
1493 
1494 	/* Can't trace init when securelevel > 0. */
1495 	if (securelevel > 0 && p2->p_pid == 1)
1496 		return (EPERM);
1497 
1498 	return (0);
1499 }
1500 
1501 /*
1502  * Allocate a zeroed cred structure.
1503  */
1504 struct ucred *
1505 crget()
1506 {
1507 	register struct ucred *cr;
1508 
1509 	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK|M_ZERO);
1510 	cr->cr_ref = 1;
1511 	mtx_init(&cr->cr_mtx, "ucred", MTX_DEF);
1512 	return (cr);
1513 }
1514 
1515 /*
1516  * Claim another reference to a ucred structure.
1517  */
1518 void
1519 crhold(cr)
1520 	struct ucred *cr;
1521 {
1522 
1523 	mtx_lock(&cr->cr_mtx);
1524 	cr->cr_ref++;
1525 	mtx_unlock(&(cr)->cr_mtx);
1526 }
1527 
1528 
1529 /*
1530  * Free a cred structure.
1531  * Throws away space when ref count gets to 0.
1532  */
1533 void
1534 crfree(cr)
1535 	struct ucred *cr;
1536 {
1537 
1538 	mtx_lock(&cr->cr_mtx);
1539 	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1540 	if (--cr->cr_ref == 0) {
1541 		mtx_destroy(&cr->cr_mtx);
1542 		/*
1543 		 * Some callers of crget(), such as nfs_statfs(),
1544 		 * allocate a temporary credential, but don't
1545 		 * allocate a uidinfo structure.
1546 		 */
1547 		if (cr->cr_uidinfo != NULL)
1548 			uifree(cr->cr_uidinfo);
1549 		if (cr->cr_ruidinfo != NULL)
1550 			uifree(cr->cr_ruidinfo);
1551 		/*
1552 		 * Free a prison, if any.
1553 		 */
1554 		if (jailed(cr))
1555 			prison_free(cr->cr_prison);
1556 		FREE((caddr_t)cr, M_CRED);
1557 	} else {
1558 		mtx_unlock(&cr->cr_mtx);
1559 	}
1560 }
1561 
1562 /*
1563  * Copy cred structure to a new one and free the old one.
1564  */
1565 struct ucred *
1566 crcopy(cr)
1567 	struct ucred *cr;
1568 {
1569 	struct ucred *newcr;
1570 
1571 	mtx_lock(&cr->cr_mtx);
1572 	if (cr->cr_ref == 1) {
1573 		mtx_unlock(&cr->cr_mtx);
1574 		return (cr);
1575 	}
1576 	mtx_unlock(&cr->cr_mtx);
1577 	newcr = crdup(cr);
1578 	crfree(cr);
1579 	return (newcr);
1580 }
1581 
1582 /*
1583  * Dup cred struct to a new held one.
1584  */
1585 struct ucred *
1586 crdup(cr)
1587 	struct ucred *cr;
1588 {
1589 	struct ucred *newcr;
1590 
1591 	MALLOC(newcr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK);
1592 	*newcr = *cr;
1593 	mtx_init(&newcr->cr_mtx, "ucred", MTX_DEF);
1594 	uihold(newcr->cr_uidinfo);
1595 	uihold(newcr->cr_ruidinfo);
1596 	if (jailed(newcr))
1597 		prison_hold(newcr->cr_prison);
1598 	newcr->cr_ref = 1;
1599 	return (newcr);
1600 }
1601 
1602 /*
1603  * Get login name, if available.
1604  */
1605 #ifndef _SYS_SYSPROTO_H_
1606 struct getlogin_args {
1607 	char	*namebuf;
1608 	u_int	namelen;
1609 };
1610 #endif
1611 /*
1612  * MPSAFE
1613  */
1614 /* ARGSUSED */
1615 int
1616 getlogin(td, uap)
1617 	struct thread *td;
1618 	struct getlogin_args *uap;
1619 {
1620 	int error;
1621 	struct proc *p = td->td_proc;
1622 
1623 	mtx_lock(&Giant);
1624 	if (uap->namelen > MAXLOGNAME)
1625 		uap->namelen = MAXLOGNAME;
1626 	error = copyout((caddr_t) p->p_pgrp->pg_session->s_login,
1627 	    (caddr_t) uap->namebuf, uap->namelen);
1628 	mtx_unlock(&Giant);
1629 	return(error);
1630 }
1631 
1632 /*
1633  * Set login name.
1634  */
1635 #ifndef _SYS_SYSPROTO_H_
1636 struct setlogin_args {
1637 	char	*namebuf;
1638 };
1639 #endif
1640 /*
1641  * MPSAFE
1642  */
1643 /* ARGSUSED */
1644 int
1645 setlogin(td, uap)
1646 	struct thread *td;
1647 	struct setlogin_args *uap;
1648 {
1649 	struct proc *p = td->td_proc;
1650 	int error;
1651 	char logintmp[MAXLOGNAME];
1652 
1653 	mtx_lock(&Giant);
1654 	if ((error = suser_xxx(0, p, PRISON_ROOT)))
1655 		goto done2;
1656 	error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
1657 	    sizeof(logintmp), (size_t *)0);
1658 	if (error == ENAMETOOLONG) {
1659 		error = EINVAL;
1660 	} else if (!error) {
1661 		(void) memcpy(p->p_pgrp->pg_session->s_login, logintmp,
1662 		    sizeof(logintmp));
1663 	}
1664 done2:
1665 	mtx_unlock(&Giant);
1666 	return (error);
1667 }
1668 
1669 void
1670 setsugid(p)
1671 	struct proc *p;
1672 {
1673 	p->p_flag |= P_SUGID;
1674 	if (!(p->p_pfsflags & PF_ISUGID))
1675 		p->p_stops = 0;
1676 }
1677 
1678 /*-
1679  * Change a process's effective uid.
1680  * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1681  * References: newcred must be an exclusive credential reference for the
1682  *             duration of the call.
1683  */
1684 void
1685 change_euid(newcred, euid)
1686 	struct ucred *newcred;
1687 	uid_t euid;
1688 {
1689 
1690 	newcred->cr_uid = euid;
1691 	uifree(newcred->cr_uidinfo);
1692 	newcred->cr_uidinfo = uifind(euid);
1693 }
1694 
1695 /*-
1696  * Change a process's effective gid.
1697  * Side effects: newcred->cr_gid will be modified.
1698  * References: newcred must be an exclusive credential reference for the
1699  *             duration of the call.
1700  */
1701 void
1702 change_egid(newcred, egid)
1703 	struct ucred *newcred;
1704 	gid_t egid;
1705 {
1706 
1707 	newcred->cr_groups[0] = egid;
1708 }
1709 
1710 /*-
1711  * Change a process's real uid.
1712  * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1713  *               will be updated, and the old and new cr_ruidinfo proc
1714  *               counts will be updated.
1715  * References: newcred must be an exclusive credential reference for the
1716  *             duration of the call.
1717  */
1718 void
1719 change_ruid(newcred, ruid)
1720 	struct ucred *newcred;
1721 	uid_t ruid;
1722 {
1723 
1724 	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1725 	newcred->cr_ruid = ruid;
1726 	uifree(newcred->cr_ruidinfo);
1727 	newcred->cr_ruidinfo = uifind(ruid);
1728 	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1729 }
1730 
1731 /*-
1732  * Change a process's real gid.
1733  * Side effects: newcred->cr_rgid will be updated.
1734  * References: newcred must be an exclusive credential reference for the
1735  *             duration of the call.
1736  */
1737 void
1738 change_rgid(newcred, rgid)
1739 	struct ucred *newcred;
1740 	gid_t rgid;
1741 {
1742 
1743 	newcred->cr_rgid = rgid;
1744 }
1745 
1746 /*-
1747  * Change a process's saved uid.
1748  * Side effects: newcred->cr_svuid will be updated.
1749  * References: newcred must be an exclusive credential reference for the
1750  *             duration of the call.
1751  */
1752 void
1753 change_svuid(newcred, svuid)
1754 	struct ucred *newcred;
1755 	uid_t svuid;
1756 {
1757 
1758 	newcred->cr_svuid = svuid;
1759 }
1760 
1761 /*-
1762  * Change a process's saved gid.
1763  * Side effects: newcred->cr_svgid will be updated.
1764  * References: newcred must be an exclusive credential reference for the
1765  *             duration of the call.
1766  */
1767 void
1768 change_svgid(newcred, svgid)
1769 	struct ucred *newcred;
1770 	gid_t svgid;
1771 {
1772 
1773 	newcred->cr_svgid = svgid;
1774 }
1775