1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 */ 41 42 /* 43 * System calls related to processes and protection 44 */ 45 46 #include <sys/cdefs.h> 47 __FBSDID("$FreeBSD$"); 48 49 #include "opt_inet.h" 50 #include "opt_inet6.h" 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/acct.h> 55 #include <sys/kdb.h> 56 #include <sys/kernel.h> 57 #include <sys/lock.h> 58 #include <sys/loginclass.h> 59 #include <sys/malloc.h> 60 #include <sys/mutex.h> 61 #include <sys/ptrace.h> 62 #include <sys/refcount.h> 63 #include <sys/sx.h> 64 #include <sys/priv.h> 65 #include <sys/proc.h> 66 #include <sys/sysent.h> 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef REGRESSION 78 FEATURE(regression, 79 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 80 #endif 81 82 #include <security/audit/audit.h> 83 #include <security/mac/mac_framework.h> 84 85 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 86 87 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 88 "BSD security policy"); 89 90 static void crfree_final(struct ucred *cr); 91 static void crsetgroups_locked(struct ucred *cr, int ngrp, 92 gid_t *groups); 93 94 #ifndef _SYS_SYSPROTO_H_ 95 struct getpid_args { 96 int dummy; 97 }; 98 #endif 99 /* ARGSUSED */ 100 int 101 sys_getpid(struct thread *td, struct getpid_args *uap) 102 { 103 struct proc *p = td->td_proc; 104 105 td->td_retval[0] = p->p_pid; 106 #if defined(COMPAT_43) 107 if (SV_PROC_FLAG(p, SV_AOUT)) 108 td->td_retval[1] = kern_getppid(td); 109 #endif 110 return (0); 111 } 112 113 #ifndef _SYS_SYSPROTO_H_ 114 struct getppid_args { 115 int dummy; 116 }; 117 #endif 118 /* ARGSUSED */ 119 int 120 sys_getppid(struct thread *td, struct getppid_args *uap) 121 { 122 123 td->td_retval[0] = kern_getppid(td); 124 return (0); 125 } 126 127 int 128 kern_getppid(struct thread *td) 129 { 130 struct proc *p = td->td_proc; 131 132 return (p->p_oppid); 133 } 134 135 /* 136 * Get process group ID; note that POSIX getpgrp takes no parameter. 137 */ 138 #ifndef _SYS_SYSPROTO_H_ 139 struct getpgrp_args { 140 int dummy; 141 }; 142 #endif 143 int 144 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 145 { 146 struct proc *p = td->td_proc; 147 148 PROC_LOCK(p); 149 td->td_retval[0] = p->p_pgrp->pg_id; 150 PROC_UNLOCK(p); 151 return (0); 152 } 153 154 /* Get an arbitrary pid's process group id */ 155 #ifndef _SYS_SYSPROTO_H_ 156 struct getpgid_args { 157 pid_t pid; 158 }; 159 #endif 160 int 161 sys_getpgid(struct thread *td, struct getpgid_args *uap) 162 { 163 struct proc *p; 164 int error; 165 166 if (uap->pid == 0) { 167 p = td->td_proc; 168 PROC_LOCK(p); 169 } else { 170 p = pfind(uap->pid); 171 if (p == NULL) 172 return (ESRCH); 173 error = p_cansee(td, p); 174 if (error) { 175 PROC_UNLOCK(p); 176 return (error); 177 } 178 } 179 td->td_retval[0] = p->p_pgrp->pg_id; 180 PROC_UNLOCK(p); 181 return (0); 182 } 183 184 /* 185 * Get an arbitrary pid's session id. 186 */ 187 #ifndef _SYS_SYSPROTO_H_ 188 struct getsid_args { 189 pid_t pid; 190 }; 191 #endif 192 int 193 sys_getsid(struct thread *td, struct getsid_args *uap) 194 { 195 196 return (kern_getsid(td, uap->pid)); 197 } 198 199 int 200 kern_getsid(struct thread *td, pid_t pid) 201 { 202 struct proc *p; 203 int error; 204 205 if (pid == 0) { 206 p = td->td_proc; 207 PROC_LOCK(p); 208 } else { 209 p = pfind(pid); 210 if (p == NULL) 211 return (ESRCH); 212 error = p_cansee(td, p); 213 if (error) { 214 PROC_UNLOCK(p); 215 return (error); 216 } 217 } 218 td->td_retval[0] = p->p_session->s_sid; 219 PROC_UNLOCK(p); 220 return (0); 221 } 222 223 #ifndef _SYS_SYSPROTO_H_ 224 struct getuid_args { 225 int dummy; 226 }; 227 #endif 228 /* ARGSUSED */ 229 int 230 sys_getuid(struct thread *td, struct getuid_args *uap) 231 { 232 233 td->td_retval[0] = td->td_ucred->cr_ruid; 234 #if defined(COMPAT_43) 235 td->td_retval[1] = td->td_ucred->cr_uid; 236 #endif 237 return (0); 238 } 239 240 #ifndef _SYS_SYSPROTO_H_ 241 struct geteuid_args { 242 int dummy; 243 }; 244 #endif 245 /* ARGSUSED */ 246 int 247 sys_geteuid(struct thread *td, struct geteuid_args *uap) 248 { 249 250 td->td_retval[0] = td->td_ucred->cr_uid; 251 return (0); 252 } 253 254 #ifndef _SYS_SYSPROTO_H_ 255 struct getgid_args { 256 int dummy; 257 }; 258 #endif 259 /* ARGSUSED */ 260 int 261 sys_getgid(struct thread *td, struct getgid_args *uap) 262 { 263 264 td->td_retval[0] = td->td_ucred->cr_rgid; 265 #if defined(COMPAT_43) 266 td->td_retval[1] = td->td_ucred->cr_groups[0]; 267 #endif 268 return (0); 269 } 270 271 /* 272 * Get effective group ID. The "egid" is groups[0], and could be obtained 273 * via getgroups. This syscall exists because it is somewhat painful to do 274 * correctly in a library function. 275 */ 276 #ifndef _SYS_SYSPROTO_H_ 277 struct getegid_args { 278 int dummy; 279 }; 280 #endif 281 /* ARGSUSED */ 282 int 283 sys_getegid(struct thread *td, struct getegid_args *uap) 284 { 285 286 td->td_retval[0] = td->td_ucred->cr_groups[0]; 287 return (0); 288 } 289 290 #ifndef _SYS_SYSPROTO_H_ 291 struct getgroups_args { 292 int gidsetsize; 293 gid_t *gidset; 294 }; 295 #endif 296 int 297 sys_getgroups(struct thread *td, struct getgroups_args *uap) 298 { 299 struct ucred *cred; 300 int ngrp, error; 301 302 cred = td->td_ucred; 303 ngrp = cred->cr_ngroups; 304 305 if (uap->gidsetsize == 0) { 306 error = 0; 307 goto out; 308 } 309 if (uap->gidsetsize < ngrp) 310 return (EINVAL); 311 312 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 313 out: 314 td->td_retval[0] = ngrp; 315 return (error); 316 } 317 318 #ifndef _SYS_SYSPROTO_H_ 319 struct setsid_args { 320 int dummy; 321 }; 322 #endif 323 /* ARGSUSED */ 324 int 325 sys_setsid(struct thread *td, struct setsid_args *uap) 326 { 327 struct pgrp *pgrp; 328 int error; 329 struct proc *p = td->td_proc; 330 struct pgrp *newpgrp; 331 struct session *newsess; 332 333 error = 0; 334 pgrp = NULL; 335 336 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 337 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 338 339 sx_xlock(&proctree_lock); 340 341 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 342 if (pgrp != NULL) 343 PGRP_UNLOCK(pgrp); 344 error = EPERM; 345 } else { 346 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 347 td->td_retval[0] = p->p_pid; 348 newpgrp = NULL; 349 newsess = NULL; 350 } 351 352 sx_xunlock(&proctree_lock); 353 354 uma_zfree(pgrp_zone, newpgrp); 355 free(newsess, M_SESSION); 356 357 return (error); 358 } 359 360 /* 361 * set process group (setpgid/old setpgrp) 362 * 363 * caller does setpgid(targpid, targpgid) 364 * 365 * pid must be caller or child of caller (ESRCH) 366 * if a child 367 * pid must be in same session (EPERM) 368 * pid can't have done an exec (EACCES) 369 * if pgid != pid 370 * there must exist some pid in same session having pgid (EPERM) 371 * pid must not be session leader (EPERM) 372 */ 373 #ifndef _SYS_SYSPROTO_H_ 374 struct setpgid_args { 375 int pid; /* target process id */ 376 int pgid; /* target pgrp id */ 377 }; 378 #endif 379 /* ARGSUSED */ 380 int 381 sys_setpgid(struct thread *td, struct setpgid_args *uap) 382 { 383 struct proc *curp = td->td_proc; 384 struct proc *targp; /* target process */ 385 struct pgrp *pgrp; /* target pgrp */ 386 int error; 387 struct pgrp *newpgrp; 388 389 if (uap->pgid < 0) 390 return (EINVAL); 391 392 error = 0; 393 394 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 395 396 sx_xlock(&proctree_lock); 397 if (uap->pid != 0 && uap->pid != curp->p_pid) { 398 if ((targp = pfind(uap->pid)) == NULL) { 399 error = ESRCH; 400 goto done; 401 } 402 if (!inferior(targp)) { 403 PROC_UNLOCK(targp); 404 error = ESRCH; 405 goto done; 406 } 407 if ((error = p_cansee(td, targp))) { 408 PROC_UNLOCK(targp); 409 goto done; 410 } 411 if (targp->p_pgrp == NULL || 412 targp->p_session != curp->p_session) { 413 PROC_UNLOCK(targp); 414 error = EPERM; 415 goto done; 416 } 417 if (targp->p_flag & P_EXEC) { 418 PROC_UNLOCK(targp); 419 error = EACCES; 420 goto done; 421 } 422 PROC_UNLOCK(targp); 423 } else 424 targp = curp; 425 if (SESS_LEADER(targp)) { 426 error = EPERM; 427 goto done; 428 } 429 if (uap->pgid == 0) 430 uap->pgid = targp->p_pid; 431 if ((pgrp = pgfind(uap->pgid)) == NULL) { 432 if (uap->pgid == targp->p_pid) { 433 error = enterpgrp(targp, uap->pgid, newpgrp, 434 NULL); 435 if (error == 0) 436 newpgrp = NULL; 437 } else 438 error = EPERM; 439 } else { 440 if (pgrp == targp->p_pgrp) { 441 PGRP_UNLOCK(pgrp); 442 goto done; 443 } 444 if (pgrp->pg_id != targp->p_pid && 445 pgrp->pg_session != curp->p_session) { 446 PGRP_UNLOCK(pgrp); 447 error = EPERM; 448 goto done; 449 } 450 PGRP_UNLOCK(pgrp); 451 error = enterthispgrp(targp, pgrp); 452 } 453 done: 454 sx_xunlock(&proctree_lock); 455 KASSERT((error == 0) || (newpgrp != NULL), 456 ("setpgid failed and newpgrp is NULL")); 457 uma_zfree(pgrp_zone, newpgrp); 458 return (error); 459 } 460 461 /* 462 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 463 * compatible. It says that setting the uid/gid to euid/egid is a special 464 * case of "appropriate privilege". Once the rules are expanded out, this 465 * basically means that setuid(nnn) sets all three id's, in all permitted 466 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 467 * does not set the saved id - this is dangerous for traditional BSD 468 * programs. For this reason, we *really* do not want to set 469 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 470 */ 471 #define POSIX_APPENDIX_B_4_2_2 472 473 #ifndef _SYS_SYSPROTO_H_ 474 struct setuid_args { 475 uid_t uid; 476 }; 477 #endif 478 /* ARGSUSED */ 479 int 480 sys_setuid(struct thread *td, struct setuid_args *uap) 481 { 482 struct proc *p = td->td_proc; 483 struct ucred *newcred, *oldcred; 484 uid_t uid; 485 struct uidinfo *uip; 486 int error; 487 488 uid = uap->uid; 489 AUDIT_ARG_UID(uid); 490 newcred = crget(); 491 uip = uifind(uid); 492 PROC_LOCK(p); 493 /* 494 * Copy credentials so other references do not see our changes. 495 */ 496 oldcred = crcopysafe(p, newcred); 497 498 #ifdef MAC 499 error = mac_cred_check_setuid(oldcred, uid); 500 if (error) 501 goto fail; 502 #endif 503 504 /* 505 * See if we have "permission" by POSIX 1003.1 rules. 506 * 507 * Note that setuid(geteuid()) is a special case of 508 * "appropriate privileges" in appendix B.4.2.2. We need 509 * to use this clause to be compatible with traditional BSD 510 * semantics. Basically, it means that "setuid(xx)" sets all 511 * three id's (assuming you have privs). 512 * 513 * Notes on the logic. We do things in three steps. 514 * 1: We determine if the euid is going to change, and do EPERM 515 * right away. We unconditionally change the euid later if this 516 * test is satisfied, simplifying that part of the logic. 517 * 2: We determine if the real and/or saved uids are going to 518 * change. Determined by compile options. 519 * 3: Change euid last. (after tests in #2 for "appropriate privs") 520 */ 521 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 522 #ifdef _POSIX_SAVED_IDS 523 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 524 #endif 525 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 526 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 527 #endif 528 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 529 goto fail; 530 531 #ifdef _POSIX_SAVED_IDS 532 /* 533 * Do we have "appropriate privileges" (are we root or uid == euid) 534 * If so, we are changing the real uid and/or saved uid. 535 */ 536 if ( 537 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 538 uid == oldcred->cr_uid || 539 #endif 540 /* We are using privs. */ 541 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 542 #endif 543 { 544 /* 545 * Set the real uid and transfer proc count to new user. 546 */ 547 if (uid != oldcred->cr_ruid) { 548 change_ruid(newcred, uip); 549 setsugid(p); 550 } 551 /* 552 * Set saved uid 553 * 554 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 555 * the security of seteuid() depends on it. B.4.2.2 says it 556 * is important that we should do this. 557 */ 558 if (uid != oldcred->cr_svuid) { 559 change_svuid(newcred, uid); 560 setsugid(p); 561 } 562 } 563 564 /* 565 * In all permitted cases, we are changing the euid. 566 */ 567 if (uid != oldcred->cr_uid) { 568 change_euid(newcred, uip); 569 setsugid(p); 570 } 571 proc_set_cred(p, newcred); 572 #ifdef RACCT 573 racct_proc_ucred_changed(p, oldcred, newcred); 574 crhold(newcred); 575 #endif 576 PROC_UNLOCK(p); 577 #ifdef RCTL 578 rctl_proc_ucred_changed(p, newcred); 579 crfree(newcred); 580 #endif 581 uifree(uip); 582 crfree(oldcred); 583 return (0); 584 585 fail: 586 PROC_UNLOCK(p); 587 uifree(uip); 588 crfree(newcred); 589 return (error); 590 } 591 592 #ifndef _SYS_SYSPROTO_H_ 593 struct seteuid_args { 594 uid_t euid; 595 }; 596 #endif 597 /* ARGSUSED */ 598 int 599 sys_seteuid(struct thread *td, struct seteuid_args *uap) 600 { 601 struct proc *p = td->td_proc; 602 struct ucred *newcred, *oldcred; 603 uid_t euid; 604 struct uidinfo *euip; 605 int error; 606 607 euid = uap->euid; 608 AUDIT_ARG_EUID(euid); 609 newcred = crget(); 610 euip = uifind(euid); 611 PROC_LOCK(p); 612 /* 613 * Copy credentials so other references do not see our changes. 614 */ 615 oldcred = crcopysafe(p, newcred); 616 617 #ifdef MAC 618 error = mac_cred_check_seteuid(oldcred, euid); 619 if (error) 620 goto fail; 621 #endif 622 623 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 624 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 625 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 626 goto fail; 627 628 /* 629 * Everything's okay, do it. 630 */ 631 if (oldcred->cr_uid != euid) { 632 change_euid(newcred, euip); 633 setsugid(p); 634 } 635 proc_set_cred(p, newcred); 636 PROC_UNLOCK(p); 637 uifree(euip); 638 crfree(oldcred); 639 return (0); 640 641 fail: 642 PROC_UNLOCK(p); 643 uifree(euip); 644 crfree(newcred); 645 return (error); 646 } 647 648 #ifndef _SYS_SYSPROTO_H_ 649 struct setgid_args { 650 gid_t gid; 651 }; 652 #endif 653 /* ARGSUSED */ 654 int 655 sys_setgid(struct thread *td, struct setgid_args *uap) 656 { 657 struct proc *p = td->td_proc; 658 struct ucred *newcred, *oldcred; 659 gid_t gid; 660 int error; 661 662 gid = uap->gid; 663 AUDIT_ARG_GID(gid); 664 newcred = crget(); 665 PROC_LOCK(p); 666 oldcred = crcopysafe(p, newcred); 667 668 #ifdef MAC 669 error = mac_cred_check_setgid(oldcred, gid); 670 if (error) 671 goto fail; 672 #endif 673 674 /* 675 * See if we have "permission" by POSIX 1003.1 rules. 676 * 677 * Note that setgid(getegid()) is a special case of 678 * "appropriate privileges" in appendix B.4.2.2. We need 679 * to use this clause to be compatible with traditional BSD 680 * semantics. Basically, it means that "setgid(xx)" sets all 681 * three id's (assuming you have privs). 682 * 683 * For notes on the logic here, see setuid() above. 684 */ 685 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 686 #ifdef _POSIX_SAVED_IDS 687 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 688 #endif 689 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 690 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 691 #endif 692 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 693 goto fail; 694 695 #ifdef _POSIX_SAVED_IDS 696 /* 697 * Do we have "appropriate privileges" (are we root or gid == egid) 698 * If so, we are changing the real uid and saved gid. 699 */ 700 if ( 701 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 702 gid == oldcred->cr_groups[0] || 703 #endif 704 /* We are using privs. */ 705 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 706 #endif 707 { 708 /* 709 * Set real gid 710 */ 711 if (oldcred->cr_rgid != gid) { 712 change_rgid(newcred, gid); 713 setsugid(p); 714 } 715 /* 716 * Set saved gid 717 * 718 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 719 * the security of setegid() depends on it. B.4.2.2 says it 720 * is important that we should do this. 721 */ 722 if (oldcred->cr_svgid != gid) { 723 change_svgid(newcred, gid); 724 setsugid(p); 725 } 726 } 727 /* 728 * In all cases permitted cases, we are changing the egid. 729 * Copy credentials so other references do not see our changes. 730 */ 731 if (oldcred->cr_groups[0] != gid) { 732 change_egid(newcred, gid); 733 setsugid(p); 734 } 735 proc_set_cred(p, newcred); 736 PROC_UNLOCK(p); 737 crfree(oldcred); 738 return (0); 739 740 fail: 741 PROC_UNLOCK(p); 742 crfree(newcred); 743 return (error); 744 } 745 746 #ifndef _SYS_SYSPROTO_H_ 747 struct setegid_args { 748 gid_t egid; 749 }; 750 #endif 751 /* ARGSUSED */ 752 int 753 sys_setegid(struct thread *td, struct setegid_args *uap) 754 { 755 struct proc *p = td->td_proc; 756 struct ucred *newcred, *oldcred; 757 gid_t egid; 758 int error; 759 760 egid = uap->egid; 761 AUDIT_ARG_EGID(egid); 762 newcred = crget(); 763 PROC_LOCK(p); 764 oldcred = crcopysafe(p, newcred); 765 766 #ifdef MAC 767 error = mac_cred_check_setegid(oldcred, egid); 768 if (error) 769 goto fail; 770 #endif 771 772 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 773 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 774 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 775 goto fail; 776 777 if (oldcred->cr_groups[0] != egid) { 778 change_egid(newcred, egid); 779 setsugid(p); 780 } 781 proc_set_cred(p, newcred); 782 PROC_UNLOCK(p); 783 crfree(oldcred); 784 return (0); 785 786 fail: 787 PROC_UNLOCK(p); 788 crfree(newcred); 789 return (error); 790 } 791 792 #ifndef _SYS_SYSPROTO_H_ 793 struct setgroups_args { 794 int gidsetsize; 795 gid_t *gidset; 796 }; 797 #endif 798 /* ARGSUSED */ 799 int 800 sys_setgroups(struct thread *td, struct setgroups_args *uap) 801 { 802 gid_t smallgroups[XU_NGROUPS]; 803 gid_t *groups; 804 int gidsetsize, error; 805 806 gidsetsize = uap->gidsetsize; 807 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 808 return (EINVAL); 809 810 if (gidsetsize > XU_NGROUPS) 811 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 812 else 813 groups = smallgroups; 814 815 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 816 if (error == 0) 817 error = kern_setgroups(td, gidsetsize, groups); 818 819 if (gidsetsize > XU_NGROUPS) 820 free(groups, M_TEMP); 821 return (error); 822 } 823 824 int 825 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 826 { 827 struct proc *p = td->td_proc; 828 struct ucred *newcred, *oldcred; 829 int error; 830 831 MPASS(ngrp <= ngroups_max + 1); 832 AUDIT_ARG_GROUPSET(groups, ngrp); 833 newcred = crget(); 834 crextend(newcred, ngrp); 835 PROC_LOCK(p); 836 oldcred = crcopysafe(p, newcred); 837 838 #ifdef MAC 839 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 840 if (error) 841 goto fail; 842 #endif 843 844 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 845 if (error) 846 goto fail; 847 848 if (ngrp == 0) { 849 /* 850 * setgroups(0, NULL) is a legitimate way of clearing the 851 * groups vector on non-BSD systems (which generally do not 852 * have the egid in the groups[0]). We risk security holes 853 * when running non-BSD software if we do not do the same. 854 */ 855 newcred->cr_ngroups = 1; 856 } else { 857 crsetgroups_locked(newcred, ngrp, groups); 858 } 859 setsugid(p); 860 proc_set_cred(p, newcred); 861 PROC_UNLOCK(p); 862 crfree(oldcred); 863 return (0); 864 865 fail: 866 PROC_UNLOCK(p); 867 crfree(newcred); 868 return (error); 869 } 870 871 #ifndef _SYS_SYSPROTO_H_ 872 struct setreuid_args { 873 uid_t ruid; 874 uid_t euid; 875 }; 876 #endif 877 /* ARGSUSED */ 878 int 879 sys_setreuid(struct thread *td, struct setreuid_args *uap) 880 { 881 struct proc *p = td->td_proc; 882 struct ucred *newcred, *oldcred; 883 uid_t euid, ruid; 884 struct uidinfo *euip, *ruip; 885 int error; 886 887 euid = uap->euid; 888 ruid = uap->ruid; 889 AUDIT_ARG_EUID(euid); 890 AUDIT_ARG_RUID(ruid); 891 newcred = crget(); 892 euip = uifind(euid); 893 ruip = uifind(ruid); 894 PROC_LOCK(p); 895 oldcred = crcopysafe(p, newcred); 896 897 #ifdef MAC 898 error = mac_cred_check_setreuid(oldcred, ruid, euid); 899 if (error) 900 goto fail; 901 #endif 902 903 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 904 ruid != oldcred->cr_svuid) || 905 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 906 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 907 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 908 goto fail; 909 910 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 911 change_euid(newcred, euip); 912 setsugid(p); 913 } 914 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 915 change_ruid(newcred, ruip); 916 setsugid(p); 917 } 918 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 919 newcred->cr_svuid != newcred->cr_uid) { 920 change_svuid(newcred, newcred->cr_uid); 921 setsugid(p); 922 } 923 proc_set_cred(p, newcred); 924 #ifdef RACCT 925 racct_proc_ucred_changed(p, oldcred, newcred); 926 crhold(newcred); 927 #endif 928 PROC_UNLOCK(p); 929 #ifdef RCTL 930 rctl_proc_ucred_changed(p, newcred); 931 crfree(newcred); 932 #endif 933 uifree(ruip); 934 uifree(euip); 935 crfree(oldcred); 936 return (0); 937 938 fail: 939 PROC_UNLOCK(p); 940 uifree(ruip); 941 uifree(euip); 942 crfree(newcred); 943 return (error); 944 } 945 946 #ifndef _SYS_SYSPROTO_H_ 947 struct setregid_args { 948 gid_t rgid; 949 gid_t egid; 950 }; 951 #endif 952 /* ARGSUSED */ 953 int 954 sys_setregid(struct thread *td, struct setregid_args *uap) 955 { 956 struct proc *p = td->td_proc; 957 struct ucred *newcred, *oldcred; 958 gid_t egid, rgid; 959 int error; 960 961 egid = uap->egid; 962 rgid = uap->rgid; 963 AUDIT_ARG_EGID(egid); 964 AUDIT_ARG_RGID(rgid); 965 newcred = crget(); 966 PROC_LOCK(p); 967 oldcred = crcopysafe(p, newcred); 968 969 #ifdef MAC 970 error = mac_cred_check_setregid(oldcred, rgid, egid); 971 if (error) 972 goto fail; 973 #endif 974 975 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 976 rgid != oldcred->cr_svgid) || 977 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 978 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 979 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 980 goto fail; 981 982 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 983 change_egid(newcred, egid); 984 setsugid(p); 985 } 986 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 987 change_rgid(newcred, rgid); 988 setsugid(p); 989 } 990 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 991 newcred->cr_svgid != newcred->cr_groups[0]) { 992 change_svgid(newcred, newcred->cr_groups[0]); 993 setsugid(p); 994 } 995 proc_set_cred(p, newcred); 996 PROC_UNLOCK(p); 997 crfree(oldcred); 998 return (0); 999 1000 fail: 1001 PROC_UNLOCK(p); 1002 crfree(newcred); 1003 return (error); 1004 } 1005 1006 /* 1007 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1008 * uid is explicit. 1009 */ 1010 #ifndef _SYS_SYSPROTO_H_ 1011 struct setresuid_args { 1012 uid_t ruid; 1013 uid_t euid; 1014 uid_t suid; 1015 }; 1016 #endif 1017 /* ARGSUSED */ 1018 int 1019 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1020 { 1021 struct proc *p = td->td_proc; 1022 struct ucred *newcred, *oldcred; 1023 uid_t euid, ruid, suid; 1024 struct uidinfo *euip, *ruip; 1025 int error; 1026 1027 euid = uap->euid; 1028 ruid = uap->ruid; 1029 suid = uap->suid; 1030 AUDIT_ARG_EUID(euid); 1031 AUDIT_ARG_RUID(ruid); 1032 AUDIT_ARG_SUID(suid); 1033 newcred = crget(); 1034 euip = uifind(euid); 1035 ruip = uifind(ruid); 1036 PROC_LOCK(p); 1037 oldcred = crcopysafe(p, newcred); 1038 1039 #ifdef MAC 1040 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1041 if (error) 1042 goto fail; 1043 #endif 1044 1045 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1046 ruid != oldcred->cr_svuid && 1047 ruid != oldcred->cr_uid) || 1048 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1049 euid != oldcred->cr_svuid && 1050 euid != oldcred->cr_uid) || 1051 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1052 suid != oldcred->cr_svuid && 1053 suid != oldcred->cr_uid)) && 1054 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1055 goto fail; 1056 1057 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1058 change_euid(newcred, euip); 1059 setsugid(p); 1060 } 1061 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1062 change_ruid(newcred, ruip); 1063 setsugid(p); 1064 } 1065 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1066 change_svuid(newcred, suid); 1067 setsugid(p); 1068 } 1069 proc_set_cred(p, newcred); 1070 #ifdef RACCT 1071 racct_proc_ucred_changed(p, oldcred, newcred); 1072 crhold(newcred); 1073 #endif 1074 PROC_UNLOCK(p); 1075 #ifdef RCTL 1076 rctl_proc_ucred_changed(p, newcred); 1077 crfree(newcred); 1078 #endif 1079 uifree(ruip); 1080 uifree(euip); 1081 crfree(oldcred); 1082 return (0); 1083 1084 fail: 1085 PROC_UNLOCK(p); 1086 uifree(ruip); 1087 uifree(euip); 1088 crfree(newcred); 1089 return (error); 1090 1091 } 1092 1093 /* 1094 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1095 * gid is explicit. 1096 */ 1097 #ifndef _SYS_SYSPROTO_H_ 1098 struct setresgid_args { 1099 gid_t rgid; 1100 gid_t egid; 1101 gid_t sgid; 1102 }; 1103 #endif 1104 /* ARGSUSED */ 1105 int 1106 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1107 { 1108 struct proc *p = td->td_proc; 1109 struct ucred *newcred, *oldcred; 1110 gid_t egid, rgid, sgid; 1111 int error; 1112 1113 egid = uap->egid; 1114 rgid = uap->rgid; 1115 sgid = uap->sgid; 1116 AUDIT_ARG_EGID(egid); 1117 AUDIT_ARG_RGID(rgid); 1118 AUDIT_ARG_SGID(sgid); 1119 newcred = crget(); 1120 PROC_LOCK(p); 1121 oldcred = crcopysafe(p, newcred); 1122 1123 #ifdef MAC 1124 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1125 if (error) 1126 goto fail; 1127 #endif 1128 1129 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1130 rgid != oldcred->cr_svgid && 1131 rgid != oldcred->cr_groups[0]) || 1132 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1133 egid != oldcred->cr_svgid && 1134 egid != oldcred->cr_groups[0]) || 1135 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1136 sgid != oldcred->cr_svgid && 1137 sgid != oldcred->cr_groups[0])) && 1138 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1139 goto fail; 1140 1141 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1142 change_egid(newcred, egid); 1143 setsugid(p); 1144 } 1145 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1146 change_rgid(newcred, rgid); 1147 setsugid(p); 1148 } 1149 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1150 change_svgid(newcred, sgid); 1151 setsugid(p); 1152 } 1153 proc_set_cred(p, newcred); 1154 PROC_UNLOCK(p); 1155 crfree(oldcred); 1156 return (0); 1157 1158 fail: 1159 PROC_UNLOCK(p); 1160 crfree(newcred); 1161 return (error); 1162 } 1163 1164 #ifndef _SYS_SYSPROTO_H_ 1165 struct getresuid_args { 1166 uid_t *ruid; 1167 uid_t *euid; 1168 uid_t *suid; 1169 }; 1170 #endif 1171 /* ARGSUSED */ 1172 int 1173 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1174 { 1175 struct ucred *cred; 1176 int error1 = 0, error2 = 0, error3 = 0; 1177 1178 cred = td->td_ucred; 1179 if (uap->ruid) 1180 error1 = copyout(&cred->cr_ruid, 1181 uap->ruid, sizeof(cred->cr_ruid)); 1182 if (uap->euid) 1183 error2 = copyout(&cred->cr_uid, 1184 uap->euid, sizeof(cred->cr_uid)); 1185 if (uap->suid) 1186 error3 = copyout(&cred->cr_svuid, 1187 uap->suid, sizeof(cred->cr_svuid)); 1188 return (error1 ? error1 : error2 ? error2 : error3); 1189 } 1190 1191 #ifndef _SYS_SYSPROTO_H_ 1192 struct getresgid_args { 1193 gid_t *rgid; 1194 gid_t *egid; 1195 gid_t *sgid; 1196 }; 1197 #endif 1198 /* ARGSUSED */ 1199 int 1200 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1201 { 1202 struct ucred *cred; 1203 int error1 = 0, error2 = 0, error3 = 0; 1204 1205 cred = td->td_ucred; 1206 if (uap->rgid) 1207 error1 = copyout(&cred->cr_rgid, 1208 uap->rgid, sizeof(cred->cr_rgid)); 1209 if (uap->egid) 1210 error2 = copyout(&cred->cr_groups[0], 1211 uap->egid, sizeof(cred->cr_groups[0])); 1212 if (uap->sgid) 1213 error3 = copyout(&cred->cr_svgid, 1214 uap->sgid, sizeof(cred->cr_svgid)); 1215 return (error1 ? error1 : error2 ? error2 : error3); 1216 } 1217 1218 #ifndef _SYS_SYSPROTO_H_ 1219 struct issetugid_args { 1220 int dummy; 1221 }; 1222 #endif 1223 /* ARGSUSED */ 1224 int 1225 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1226 { 1227 struct proc *p = td->td_proc; 1228 1229 /* 1230 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1231 * we use P_SUGID because we consider changing the owners as 1232 * "tainting" as well. 1233 * This is significant for procs that start as root and "become" 1234 * a user without an exec - programs cannot know *everything* 1235 * that libc *might* have put in their data segment. 1236 */ 1237 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1238 return (0); 1239 } 1240 1241 int 1242 sys___setugid(struct thread *td, struct __setugid_args *uap) 1243 { 1244 #ifdef REGRESSION 1245 struct proc *p; 1246 1247 p = td->td_proc; 1248 switch (uap->flag) { 1249 case 0: 1250 PROC_LOCK(p); 1251 p->p_flag &= ~P_SUGID; 1252 PROC_UNLOCK(p); 1253 return (0); 1254 case 1: 1255 PROC_LOCK(p); 1256 p->p_flag |= P_SUGID; 1257 PROC_UNLOCK(p); 1258 return (0); 1259 default: 1260 return (EINVAL); 1261 } 1262 #else /* !REGRESSION */ 1263 1264 return (ENOSYS); 1265 #endif /* REGRESSION */ 1266 } 1267 1268 /* 1269 * Check if gid is a member of the group set. 1270 */ 1271 int 1272 groupmember(gid_t gid, struct ucred *cred) 1273 { 1274 int l; 1275 int h; 1276 int m; 1277 1278 if (cred->cr_groups[0] == gid) 1279 return(1); 1280 1281 /* 1282 * If gid was not our primary group, perform a binary search 1283 * of the supplemental groups. This is possible because we 1284 * sort the groups in crsetgroups(). 1285 */ 1286 l = 1; 1287 h = cred->cr_ngroups; 1288 while (l < h) { 1289 m = l + ((h - l) / 2); 1290 if (cred->cr_groups[m] < gid) 1291 l = m + 1; 1292 else 1293 h = m; 1294 } 1295 if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) 1296 return (1); 1297 1298 return (0); 1299 } 1300 1301 /* 1302 * Test the active securelevel against a given level. securelevel_gt() 1303 * implements (securelevel > level). securelevel_ge() implements 1304 * (securelevel >= level). Note that the logic is inverted -- these 1305 * functions return EPERM on "success" and 0 on "failure". 1306 * 1307 * Due to care taken when setting the securelevel, we know that no jail will 1308 * be less secure that its parent (or the physical system), so it is sufficient 1309 * to test the current jail only. 1310 * 1311 * XXXRW: Possibly since this has to do with privilege, it should move to 1312 * kern_priv.c. 1313 */ 1314 int 1315 securelevel_gt(struct ucred *cr, int level) 1316 { 1317 1318 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1319 } 1320 1321 int 1322 securelevel_ge(struct ucred *cr, int level) 1323 { 1324 1325 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1326 } 1327 1328 /* 1329 * 'see_other_uids' determines whether or not visibility of processes 1330 * and sockets with credentials holding different real uids is possible 1331 * using a variety of system MIBs. 1332 * XXX: data declarations should be together near the beginning of the file. 1333 */ 1334 static int see_other_uids = 1; 1335 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1336 &see_other_uids, 0, 1337 "Unprivileged processes may see subjects/objects with different real uid"); 1338 1339 /*- 1340 * Determine if u1 "can see" the subject specified by u2, according to the 1341 * 'see_other_uids' policy. 1342 * Returns: 0 for permitted, ESRCH otherwise 1343 * Locks: none 1344 * References: *u1 and *u2 must not change during the call 1345 * u1 may equal u2, in which case only one reference is required 1346 */ 1347 int 1348 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1349 { 1350 1351 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1352 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1353 return (ESRCH); 1354 } 1355 return (0); 1356 } 1357 1358 /* 1359 * 'see_other_gids' determines whether or not visibility of processes 1360 * and sockets with credentials holding different real gids is possible 1361 * using a variety of system MIBs. 1362 * XXX: data declarations should be together near the beginning of the file. 1363 */ 1364 static int see_other_gids = 1; 1365 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1366 &see_other_gids, 0, 1367 "Unprivileged processes may see subjects/objects with different real gid"); 1368 1369 /* 1370 * Determine if u1 can "see" the subject specified by u2, according to the 1371 * 'see_other_gids' policy. 1372 * Returns: 0 for permitted, ESRCH otherwise 1373 * Locks: none 1374 * References: *u1 and *u2 must not change during the call 1375 * u1 may equal u2, in which case only one reference is required 1376 */ 1377 int 1378 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1379 { 1380 int i, match; 1381 1382 if (!see_other_gids) { 1383 match = 0; 1384 for (i = 0; i < u1->cr_ngroups; i++) { 1385 if (groupmember(u1->cr_groups[i], u2)) 1386 match = 1; 1387 if (match) 1388 break; 1389 } 1390 if (!match) { 1391 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1392 return (ESRCH); 1393 } 1394 } 1395 return (0); 1396 } 1397 1398 /* 1399 * 'see_jail_proc' determines whether or not visibility of processes and 1400 * sockets with credentials holding different jail ids is possible using a 1401 * variety of system MIBs. 1402 * 1403 * XXX: data declarations should be together near the beginning of the file. 1404 */ 1405 1406 static int see_jail_proc = 1; 1407 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1408 &see_jail_proc, 0, 1409 "Unprivileged processes may see subjects/objects with different jail ids"); 1410 1411 /*- 1412 * Determine if u1 "can see" the subject specified by u2, according to the 1413 * 'see_jail_proc' policy. 1414 * Returns: 0 for permitted, ESRCH otherwise 1415 * Locks: none 1416 * References: *u1 and *u2 must not change during the call 1417 * u1 may equal u2, in which case only one reference is required 1418 */ 1419 int 1420 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1421 { 1422 if (u1->cr_uid == 0) 1423 return (0); 1424 return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0); 1425 } 1426 1427 /*- 1428 * Determine if u1 "can see" the subject specified by u2. 1429 * Returns: 0 for permitted, an errno value otherwise 1430 * Locks: none 1431 * References: *u1 and *u2 must not change during the call 1432 * u1 may equal u2, in which case only one reference is required 1433 */ 1434 int 1435 cr_cansee(struct ucred *u1, struct ucred *u2) 1436 { 1437 int error; 1438 1439 if ((error = prison_check(u1, u2))) 1440 return (error); 1441 #ifdef MAC 1442 if ((error = mac_cred_check_visible(u1, u2))) 1443 return (error); 1444 #endif 1445 if ((error = cr_canseeotheruids(u1, u2))) 1446 return (error); 1447 if ((error = cr_canseeothergids(u1, u2))) 1448 return (error); 1449 if ((error = cr_canseejailproc(u1, u2))) 1450 return (error); 1451 return (0); 1452 } 1453 1454 /*- 1455 * Determine if td "can see" the subject specified by p. 1456 * Returns: 0 for permitted, an errno value otherwise 1457 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1458 * should be curthread. 1459 * References: td and p must be valid for the lifetime of the call 1460 */ 1461 int 1462 p_cansee(struct thread *td, struct proc *p) 1463 { 1464 /* Wrap cr_cansee() for all functionality. */ 1465 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1466 PROC_LOCK_ASSERT(p, MA_OWNED); 1467 1468 if (td->td_proc == p) 1469 return (0); 1470 return (cr_cansee(td->td_ucred, p->p_ucred)); 1471 } 1472 1473 /* 1474 * 'conservative_signals' prevents the delivery of a broad class of 1475 * signals by unprivileged processes to processes that have changed their 1476 * credentials since the last invocation of execve(). This can prevent 1477 * the leakage of cached information or retained privileges as a result 1478 * of a common class of signal-related vulnerabilities. However, this 1479 * may interfere with some applications that expect to be able to 1480 * deliver these signals to peer processes after having given up 1481 * privilege. 1482 */ 1483 static int conservative_signals = 1; 1484 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1485 &conservative_signals, 0, "Unprivileged processes prevented from " 1486 "sending certain signals to processes whose credentials have changed"); 1487 /*- 1488 * Determine whether cred may deliver the specified signal to proc. 1489 * Returns: 0 for permitted, an errno value otherwise. 1490 * Locks: A lock must be held for proc. 1491 * References: cred and proc must be valid for the lifetime of the call. 1492 */ 1493 int 1494 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1495 { 1496 int error; 1497 1498 PROC_LOCK_ASSERT(proc, MA_OWNED); 1499 /* 1500 * Jail semantics limit the scope of signalling to proc in the 1501 * same jail as cred, if cred is in jail. 1502 */ 1503 error = prison_check(cred, proc->p_ucred); 1504 if (error) 1505 return (error); 1506 #ifdef MAC 1507 if ((error = mac_proc_check_signal(cred, proc, signum))) 1508 return (error); 1509 #endif 1510 if ((error = cr_canseeotheruids(cred, proc->p_ucred))) 1511 return (error); 1512 if ((error = cr_canseeothergids(cred, proc->p_ucred))) 1513 return (error); 1514 1515 /* 1516 * UNIX signal semantics depend on the status of the P_SUGID 1517 * bit on the target process. If the bit is set, then additional 1518 * restrictions are placed on the set of available signals. 1519 */ 1520 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1521 switch (signum) { 1522 case 0: 1523 case SIGKILL: 1524 case SIGINT: 1525 case SIGTERM: 1526 case SIGALRM: 1527 case SIGSTOP: 1528 case SIGTTIN: 1529 case SIGTTOU: 1530 case SIGTSTP: 1531 case SIGHUP: 1532 case SIGUSR1: 1533 case SIGUSR2: 1534 /* 1535 * Generally, permit job and terminal control 1536 * signals. 1537 */ 1538 break; 1539 default: 1540 /* Not permitted without privilege. */ 1541 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 1542 if (error) 1543 return (error); 1544 } 1545 } 1546 1547 /* 1548 * Generally, the target credential's ruid or svuid must match the 1549 * subject credential's ruid or euid. 1550 */ 1551 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1552 cred->cr_ruid != proc->p_ucred->cr_svuid && 1553 cred->cr_uid != proc->p_ucred->cr_ruid && 1554 cred->cr_uid != proc->p_ucred->cr_svuid) { 1555 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 1556 if (error) 1557 return (error); 1558 } 1559 1560 return (0); 1561 } 1562 1563 /*- 1564 * Determine whether td may deliver the specified signal to p. 1565 * Returns: 0 for permitted, an errno value otherwise 1566 * Locks: Sufficient locks to protect various components of td and p 1567 * must be held. td must be curthread, and a lock must be 1568 * held for p. 1569 * References: td and p must be valid for the lifetime of the call 1570 */ 1571 int 1572 p_cansignal(struct thread *td, struct proc *p, int signum) 1573 { 1574 1575 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1576 PROC_LOCK_ASSERT(p, MA_OWNED); 1577 if (td->td_proc == p) 1578 return (0); 1579 1580 /* 1581 * UNIX signalling semantics require that processes in the same 1582 * session always be able to deliver SIGCONT to one another, 1583 * overriding the remaining protections. 1584 */ 1585 /* XXX: This will require an additional lock of some sort. */ 1586 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1587 return (0); 1588 /* 1589 * Some compat layers use SIGTHR and higher signals for 1590 * communication between different kernel threads of the same 1591 * process, so that they expect that it's always possible to 1592 * deliver them, even for suid applications where cr_cansignal() can 1593 * deny such ability for security consideration. It should be 1594 * pretty safe to do since the only way to create two processes 1595 * with the same p_leader is via rfork(2). 1596 */ 1597 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1598 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1599 return (0); 1600 1601 return (cr_cansignal(td->td_ucred, p, signum)); 1602 } 1603 1604 /*- 1605 * Determine whether td may reschedule p. 1606 * Returns: 0 for permitted, an errno value otherwise 1607 * Locks: Sufficient locks to protect various components of td and p 1608 * must be held. td must be curthread, and a lock must 1609 * be held for p. 1610 * References: td and p must be valid for the lifetime of the call 1611 */ 1612 int 1613 p_cansched(struct thread *td, struct proc *p) 1614 { 1615 int error; 1616 1617 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1618 PROC_LOCK_ASSERT(p, MA_OWNED); 1619 if (td->td_proc == p) 1620 return (0); 1621 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1622 return (error); 1623 #ifdef MAC 1624 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1625 return (error); 1626 #endif 1627 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1628 return (error); 1629 if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) 1630 return (error); 1631 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1632 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1633 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1634 if (error) 1635 return (error); 1636 } 1637 return (0); 1638 } 1639 1640 /* 1641 * Handle getting or setting the prison's unprivileged_proc_debug 1642 * value. 1643 */ 1644 static int 1645 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 1646 { 1647 int error, val; 1648 1649 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 1650 error = sysctl_handle_int(oidp, &val, 0, req); 1651 if (error != 0 || req->newptr == NULL) 1652 return (error); 1653 if (val != 0 && val != 1) 1654 return (EINVAL); 1655 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 1656 return (0); 1657 } 1658 1659 /* 1660 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1661 * unprivileged inter-process debugging services, including some procfs 1662 * functionality, ptrace(), and ktrace(). In the past, inter-process 1663 * debugging has been involved in a variety of security problems, and sites 1664 * not requiring the service might choose to disable it when hardening 1665 * systems. 1666 */ 1667 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 1668 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 1669 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 1670 "Unprivileged processes may use process debugging facilities"); 1671 1672 /*- 1673 * Determine whether td may debug p. 1674 * Returns: 0 for permitted, an errno value otherwise 1675 * Locks: Sufficient locks to protect various components of td and p 1676 * must be held. td must be curthread, and a lock must 1677 * be held for p. 1678 * References: td and p must be valid for the lifetime of the call 1679 */ 1680 int 1681 p_candebug(struct thread *td, struct proc *p) 1682 { 1683 int credentialchanged, error, grpsubset, i, uidsubset; 1684 1685 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1686 PROC_LOCK_ASSERT(p, MA_OWNED); 1687 if (td->td_proc == p) 1688 return (0); 1689 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 1690 return (error); 1691 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1692 return (error); 1693 #ifdef MAC 1694 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1695 return (error); 1696 #endif 1697 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1698 return (error); 1699 if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) 1700 return (error); 1701 1702 /* 1703 * Is p's group set a subset of td's effective group set? This 1704 * includes p's egid, group access list, rgid, and svgid. 1705 */ 1706 grpsubset = 1; 1707 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1708 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1709 grpsubset = 0; 1710 break; 1711 } 1712 } 1713 grpsubset = grpsubset && 1714 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1715 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1716 1717 /* 1718 * Are the uids present in p's credential equal to td's 1719 * effective uid? This includes p's euid, svuid, and ruid. 1720 */ 1721 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1722 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1723 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1724 1725 /* 1726 * Has the credential of the process changed since the last exec()? 1727 */ 1728 credentialchanged = (p->p_flag & P_SUGID); 1729 1730 /* 1731 * If p's gids aren't a subset, or the uids aren't a subset, 1732 * or the credential has changed, require appropriate privilege 1733 * for td to debug p. 1734 */ 1735 if (!grpsubset || !uidsubset) { 1736 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1737 if (error) 1738 return (error); 1739 } 1740 1741 if (credentialchanged) { 1742 error = priv_check(td, PRIV_DEBUG_SUGID); 1743 if (error) 1744 return (error); 1745 } 1746 1747 /* Can't trace init when securelevel > 0. */ 1748 if (p == initproc) { 1749 error = securelevel_gt(td->td_ucred, 0); 1750 if (error) 1751 return (error); 1752 } 1753 1754 /* 1755 * Can't trace a process that's currently exec'ing. 1756 * 1757 * XXX: Note, this is not a security policy decision, it's a 1758 * basic correctness/functionality decision. Therefore, this check 1759 * should be moved to the caller's of p_candebug(). 1760 */ 1761 if ((p->p_flag & P_INEXEC) != 0) 1762 return (EBUSY); 1763 1764 /* Denied explicitly */ 1765 if ((p->p_flag2 & P2_NOTRACE) != 0) { 1766 error = priv_check(td, PRIV_DEBUG_DENIED); 1767 if (error != 0) 1768 return (error); 1769 } 1770 1771 return (0); 1772 } 1773 1774 /*- 1775 * Determine whether the subject represented by cred can "see" a socket. 1776 * Returns: 0 for permitted, ENOENT otherwise. 1777 */ 1778 int 1779 cr_canseesocket(struct ucred *cred, struct socket *so) 1780 { 1781 int error; 1782 1783 error = prison_check(cred, so->so_cred); 1784 if (error) 1785 return (ENOENT); 1786 #ifdef MAC 1787 error = mac_socket_check_visible(cred, so); 1788 if (error) 1789 return (error); 1790 #endif 1791 if (cr_canseeotheruids(cred, so->so_cred)) 1792 return (ENOENT); 1793 if (cr_canseeothergids(cred, so->so_cred)) 1794 return (ENOENT); 1795 1796 return (0); 1797 } 1798 1799 /*- 1800 * Determine whether td can wait for the exit of p. 1801 * Returns: 0 for permitted, an errno value otherwise 1802 * Locks: Sufficient locks to protect various components of td and p 1803 * must be held. td must be curthread, and a lock must 1804 * be held for p. 1805 * References: td and p must be valid for the lifetime of the call 1806 1807 */ 1808 int 1809 p_canwait(struct thread *td, struct proc *p) 1810 { 1811 int error; 1812 1813 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1814 PROC_LOCK_ASSERT(p, MA_OWNED); 1815 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1816 return (error); 1817 #ifdef MAC 1818 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1819 return (error); 1820 #endif 1821 #if 0 1822 /* XXXMAC: This could have odd effects on some shells. */ 1823 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1824 return (error); 1825 #endif 1826 1827 return (0); 1828 } 1829 1830 /* 1831 * Credential management. 1832 * 1833 * struct ucred objects are rarely allocated but gain and lose references all 1834 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 1835 * a significant source of cache-line ping ponging. Common cases are worked 1836 * around by modifying thread-local counter instead if the cred to operate on 1837 * matches td_realucred. 1838 * 1839 * The counter is split into 2 parts: 1840 * - cr_users -- total count of all struct proc and struct thread objects 1841 * which have given cred in p_ucred and td_ucred respectively 1842 * - cr_ref -- the actual ref count, only valid if cr_users == 0 1843 * 1844 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 1845 * the count reaches 0 the object is freeable. 1846 * If users > 0 and curthread->td_realucred == cred, then updates are performed 1847 * against td_ucredref. 1848 * In other cases updates are performed against cr_ref. 1849 * 1850 * Changing td_realucred into something else decrements cr_users and transfers 1851 * accumulated updates. 1852 */ 1853 struct ucred * 1854 crcowget(struct ucred *cr) 1855 { 1856 1857 mtx_lock(&cr->cr_mtx); 1858 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1859 __func__, cr->cr_users, cr)); 1860 cr->cr_users++; 1861 cr->cr_ref++; 1862 mtx_unlock(&cr->cr_mtx); 1863 return (cr); 1864 } 1865 1866 static struct ucred * 1867 crunuse(struct thread *td) 1868 { 1869 struct ucred *cr, *crold; 1870 1871 MPASS(td->td_realucred == td->td_ucred); 1872 cr = td->td_realucred; 1873 mtx_lock(&cr->cr_mtx); 1874 cr->cr_ref += td->td_ucredref; 1875 td->td_ucredref = 0; 1876 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1877 __func__, cr->cr_users, cr)); 1878 cr->cr_users--; 1879 if (cr->cr_users == 0) { 1880 KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p", 1881 __func__, cr->cr_ref, cr)); 1882 crold = cr; 1883 } else { 1884 cr->cr_ref--; 1885 crold = NULL; 1886 } 1887 mtx_unlock(&cr->cr_mtx); 1888 td->td_realucred = NULL; 1889 return (crold); 1890 } 1891 1892 static void 1893 crunusebatch(struct ucred *cr, int users, int ref) 1894 { 1895 1896 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 1897 __func__, users, cr)); 1898 mtx_lock(&cr->cr_mtx); 1899 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 1900 __func__, cr->cr_users, users, cr)); 1901 cr->cr_users -= users; 1902 cr->cr_ref += ref; 1903 cr->cr_ref -= users; 1904 if (cr->cr_users > 0) { 1905 mtx_unlock(&cr->cr_mtx); 1906 return; 1907 } 1908 KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p", 1909 __func__, cr->cr_ref, cr)); 1910 if (cr->cr_ref > 0) { 1911 mtx_unlock(&cr->cr_mtx); 1912 return; 1913 } 1914 crfree_final(cr); 1915 } 1916 1917 void 1918 crcowfree(struct thread *td) 1919 { 1920 struct ucred *cr; 1921 1922 cr = crunuse(td); 1923 if (cr != NULL) 1924 crfree(cr); 1925 } 1926 1927 struct ucred * 1928 crcowsync(void) 1929 { 1930 struct thread *td; 1931 struct proc *p; 1932 struct ucred *crnew, *crold; 1933 1934 td = curthread; 1935 p = td->td_proc; 1936 PROC_LOCK_ASSERT(p, MA_OWNED); 1937 1938 MPASS(td->td_realucred == td->td_ucred); 1939 if (td->td_realucred == p->p_ucred) 1940 return (NULL); 1941 1942 crnew = crcowget(p->p_ucred); 1943 crold = crunuse(td); 1944 td->td_realucred = crnew; 1945 td->td_ucred = td->td_realucred; 1946 return (crold); 1947 } 1948 1949 /* 1950 * Batching. 1951 */ 1952 void 1953 credbatch_add(struct credbatch *crb, struct thread *td) 1954 { 1955 struct ucred *cr; 1956 1957 MPASS(td->td_realucred != NULL); 1958 MPASS(td->td_realucred == td->td_ucred); 1959 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 1960 cr = td->td_realucred; 1961 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1962 __func__, cr->cr_users, cr)); 1963 if (crb->cred != cr) { 1964 if (crb->users > 0) { 1965 MPASS(crb->cred != NULL); 1966 crunusebatch(crb->cred, crb->users, crb->ref); 1967 crb->users = 0; 1968 crb->ref = 0; 1969 } 1970 } 1971 crb->cred = cr; 1972 crb->users++; 1973 crb->ref += td->td_ucredref; 1974 td->td_ucredref = 0; 1975 td->td_realucred = NULL; 1976 } 1977 1978 void 1979 credbatch_final(struct credbatch *crb) 1980 { 1981 1982 MPASS(crb->cred != NULL); 1983 MPASS(crb->users > 0); 1984 crunusebatch(crb->cred, crb->users, crb->ref); 1985 } 1986 1987 /* 1988 * Allocate a zeroed cred structure. 1989 */ 1990 struct ucred * 1991 crget(void) 1992 { 1993 struct ucred *cr; 1994 1995 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1996 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 1997 cr->cr_ref = 1; 1998 #ifdef AUDIT 1999 audit_cred_init(cr); 2000 #endif 2001 #ifdef MAC 2002 mac_cred_init(cr); 2003 #endif 2004 cr->cr_groups = cr->cr_smallgroups; 2005 cr->cr_agroups = 2006 sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]); 2007 return (cr); 2008 } 2009 2010 /* 2011 * Claim another reference to a ucred structure. 2012 */ 2013 struct ucred * 2014 crhold(struct ucred *cr) 2015 { 2016 struct thread *td; 2017 2018 td = curthread; 2019 if (__predict_true(td->td_realucred == cr)) { 2020 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2021 __func__, cr->cr_users, cr)); 2022 td->td_ucredref++; 2023 return (cr); 2024 } 2025 mtx_lock(&cr->cr_mtx); 2026 cr->cr_ref++; 2027 mtx_unlock(&cr->cr_mtx); 2028 return (cr); 2029 } 2030 2031 /* 2032 * Free a cred structure. Throws away space when ref count gets to 0. 2033 */ 2034 void 2035 crfree(struct ucred *cr) 2036 { 2037 struct thread *td; 2038 2039 td = curthread; 2040 if (__predict_true(td->td_realucred == cr)) { 2041 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2042 __func__, cr->cr_users, cr)); 2043 td->td_ucredref--; 2044 return; 2045 } 2046 mtx_lock(&cr->cr_mtx); 2047 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2048 __func__, cr->cr_users, cr)); 2049 cr->cr_ref--; 2050 if (cr->cr_users > 0) { 2051 mtx_unlock(&cr->cr_mtx); 2052 return; 2053 } 2054 KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p", 2055 __func__, cr->cr_ref, cr)); 2056 if (cr->cr_ref > 0) { 2057 mtx_unlock(&cr->cr_mtx); 2058 return; 2059 } 2060 crfree_final(cr); 2061 } 2062 2063 static void 2064 crfree_final(struct ucred *cr) 2065 { 2066 2067 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2068 __func__, cr->cr_users, cr)); 2069 KASSERT(cr->cr_ref == 0, ("%s: ref %d not == 0 on cred %p", 2070 __func__, cr->cr_ref, cr)); 2071 2072 /* 2073 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2074 * credential, but don't allocate a uidinfo structure. 2075 */ 2076 if (cr->cr_uidinfo != NULL) 2077 uifree(cr->cr_uidinfo); 2078 if (cr->cr_ruidinfo != NULL) 2079 uifree(cr->cr_ruidinfo); 2080 if (cr->cr_prison != NULL) 2081 prison_free(cr->cr_prison); 2082 if (cr->cr_loginclass != NULL) 2083 loginclass_free(cr->cr_loginclass); 2084 #ifdef AUDIT 2085 audit_cred_destroy(cr); 2086 #endif 2087 #ifdef MAC 2088 mac_cred_destroy(cr); 2089 #endif 2090 mtx_destroy(&cr->cr_mtx); 2091 if (cr->cr_groups != cr->cr_smallgroups) 2092 free(cr->cr_groups, M_CRED); 2093 free(cr, M_CRED); 2094 } 2095 2096 /* 2097 * Copy a ucred's contents from a template. Does not block. 2098 */ 2099 void 2100 crcopy(struct ucred *dest, struct ucred *src) 2101 { 2102 2103 KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred")); 2104 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2105 (unsigned)((caddr_t)&src->cr_endcopy - 2106 (caddr_t)&src->cr_startcopy)); 2107 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2108 uihold(dest->cr_uidinfo); 2109 uihold(dest->cr_ruidinfo); 2110 prison_hold(dest->cr_prison); 2111 loginclass_hold(dest->cr_loginclass); 2112 #ifdef AUDIT 2113 audit_cred_copy(src, dest); 2114 #endif 2115 #ifdef MAC 2116 mac_cred_copy(src, dest); 2117 #endif 2118 } 2119 2120 /* 2121 * Dup cred struct to a new held one. 2122 */ 2123 struct ucred * 2124 crdup(struct ucred *cr) 2125 { 2126 struct ucred *newcr; 2127 2128 newcr = crget(); 2129 crcopy(newcr, cr); 2130 return (newcr); 2131 } 2132 2133 /* 2134 * Fill in a struct xucred based on a struct ucred. 2135 */ 2136 void 2137 cru2x(struct ucred *cr, struct xucred *xcr) 2138 { 2139 int ngroups; 2140 2141 bzero(xcr, sizeof(*xcr)); 2142 xcr->cr_version = XUCRED_VERSION; 2143 xcr->cr_uid = cr->cr_uid; 2144 2145 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 2146 xcr->cr_ngroups = ngroups; 2147 bcopy(cr->cr_groups, xcr->cr_groups, 2148 ngroups * sizeof(*cr->cr_groups)); 2149 } 2150 2151 void 2152 cru2xt(struct thread *td, struct xucred *xcr) 2153 { 2154 2155 cru2x(td->td_ucred, xcr); 2156 xcr->cr_pid = td->td_proc->p_pid; 2157 } 2158 2159 /* 2160 * Set initial process credentials. 2161 * Callers are responsible for providing the reference for provided credentials. 2162 */ 2163 void 2164 proc_set_cred_init(struct proc *p, struct ucred *newcred) 2165 { 2166 2167 p->p_ucred = crcowget(newcred); 2168 } 2169 2170 /* 2171 * Change process credentials. 2172 * Callers are responsible for providing the reference for passed credentials 2173 * and for freeing old ones. 2174 * 2175 * Process has to be locked except when it does not have credentials (as it 2176 * should not be visible just yet) or when newcred is NULL (as this can be 2177 * only used when the process is about to be freed, at which point it should 2178 * not be visible anymore). 2179 */ 2180 void 2181 proc_set_cred(struct proc *p, struct ucred *newcred) 2182 { 2183 struct ucred *cr; 2184 2185 cr = p->p_ucred; 2186 MPASS(cr != NULL); 2187 PROC_LOCK_ASSERT(p, MA_OWNED); 2188 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2189 __func__, newcred->cr_users, newcred)); 2190 mtx_lock(&cr->cr_mtx); 2191 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2192 __func__, cr->cr_users, cr)); 2193 cr->cr_users--; 2194 mtx_unlock(&cr->cr_mtx); 2195 p->p_ucred = newcred; 2196 newcred->cr_users = 1; 2197 PROC_UPDATE_COW(p); 2198 } 2199 2200 void 2201 proc_unset_cred(struct proc *p) 2202 { 2203 struct ucred *cr; 2204 2205 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2206 cr = p->p_ucred; 2207 p->p_ucred = NULL; 2208 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2209 __func__, cr->cr_users, cr)); 2210 mtx_lock(&cr->cr_mtx); 2211 cr->cr_users--; 2212 if (cr->cr_users == 0) 2213 KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p", 2214 __func__, cr->cr_ref, cr)); 2215 mtx_unlock(&cr->cr_mtx); 2216 crfree(cr); 2217 } 2218 2219 struct ucred * 2220 crcopysafe(struct proc *p, struct ucred *cr) 2221 { 2222 struct ucred *oldcred; 2223 int groups; 2224 2225 PROC_LOCK_ASSERT(p, MA_OWNED); 2226 2227 oldcred = p->p_ucred; 2228 while (cr->cr_agroups < oldcred->cr_agroups) { 2229 groups = oldcred->cr_agroups; 2230 PROC_UNLOCK(p); 2231 crextend(cr, groups); 2232 PROC_LOCK(p); 2233 oldcred = p->p_ucred; 2234 } 2235 crcopy(cr, oldcred); 2236 2237 return (oldcred); 2238 } 2239 2240 /* 2241 * Extend the passed in credential to hold n items. 2242 */ 2243 void 2244 crextend(struct ucred *cr, int n) 2245 { 2246 int cnt; 2247 2248 /* Truncate? */ 2249 if (n <= cr->cr_agroups) 2250 return; 2251 2252 /* 2253 * We extend by 2 each time since we're using a power of two 2254 * allocator until we need enough groups to fill a page. 2255 * Once we're allocating multiple pages, only allocate as many 2256 * as we actually need. The case of processes needing a 2257 * non-power of two number of pages seems more likely than 2258 * a real world process that adds thousands of groups one at a 2259 * time. 2260 */ 2261 if ( n < PAGE_SIZE / sizeof(gid_t) ) { 2262 if (cr->cr_agroups == 0) 2263 cnt = MAX(1, MINALLOCSIZE / sizeof(gid_t)); 2264 else 2265 cnt = cr->cr_agroups * 2; 2266 2267 while (cnt < n) 2268 cnt *= 2; 2269 } else 2270 cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); 2271 2272 /* Free the old array. */ 2273 if (cr->cr_groups != cr->cr_smallgroups) 2274 free(cr->cr_groups, M_CRED); 2275 2276 cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); 2277 cr->cr_agroups = cnt; 2278 } 2279 2280 /* 2281 * Copy groups in to a credential, preserving any necessary invariants. 2282 * Currently this includes the sorting of all supplemental gids. 2283 * crextend() must have been called before hand to ensure sufficient 2284 * space is available. 2285 */ 2286 static void 2287 crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) 2288 { 2289 int i; 2290 int j; 2291 gid_t g; 2292 2293 KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); 2294 2295 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2296 cr->cr_ngroups = ngrp; 2297 2298 /* 2299 * Sort all groups except cr_groups[0] to allow groupmember to 2300 * perform a binary search. 2301 * 2302 * XXX: If large numbers of groups become common this should 2303 * be replaced with shell sort like linux uses or possibly 2304 * heap sort. 2305 */ 2306 for (i = 2; i < ngrp; i++) { 2307 g = cr->cr_groups[i]; 2308 for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) 2309 cr->cr_groups[j + 1] = cr->cr_groups[j]; 2310 cr->cr_groups[j + 1] = g; 2311 } 2312 } 2313 2314 /* 2315 * Copy groups in to a credential after expanding it if required. 2316 * Truncate the list to (ngroups_max + 1) if it is too large. 2317 */ 2318 void 2319 crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) 2320 { 2321 2322 if (ngrp > ngroups_max + 1) 2323 ngrp = ngroups_max + 1; 2324 2325 crextend(cr, ngrp); 2326 crsetgroups_locked(cr, ngrp, groups); 2327 } 2328 2329 /* 2330 * Get login name, if available. 2331 */ 2332 #ifndef _SYS_SYSPROTO_H_ 2333 struct getlogin_args { 2334 char *namebuf; 2335 u_int namelen; 2336 }; 2337 #endif 2338 /* ARGSUSED */ 2339 int 2340 sys_getlogin(struct thread *td, struct getlogin_args *uap) 2341 { 2342 char login[MAXLOGNAME]; 2343 struct proc *p = td->td_proc; 2344 size_t len; 2345 2346 if (uap->namelen > MAXLOGNAME) 2347 uap->namelen = MAXLOGNAME; 2348 PROC_LOCK(p); 2349 SESS_LOCK(p->p_session); 2350 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 2351 SESS_UNLOCK(p->p_session); 2352 PROC_UNLOCK(p); 2353 if (len > uap->namelen) 2354 return (ERANGE); 2355 return (copyout(login, uap->namebuf, len)); 2356 } 2357 2358 /* 2359 * Set login name. 2360 */ 2361 #ifndef _SYS_SYSPROTO_H_ 2362 struct setlogin_args { 2363 char *namebuf; 2364 }; 2365 #endif 2366 /* ARGSUSED */ 2367 int 2368 sys_setlogin(struct thread *td, struct setlogin_args *uap) 2369 { 2370 struct proc *p = td->td_proc; 2371 int error; 2372 char logintmp[MAXLOGNAME]; 2373 2374 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 2375 2376 error = priv_check(td, PRIV_PROC_SETLOGIN); 2377 if (error) 2378 return (error); 2379 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2380 if (error != 0) { 2381 if (error == ENAMETOOLONG) 2382 error = EINVAL; 2383 return (error); 2384 } 2385 AUDIT_ARG_LOGIN(logintmp); 2386 PROC_LOCK(p); 2387 SESS_LOCK(p->p_session); 2388 strcpy(p->p_session->s_login, logintmp); 2389 SESS_UNLOCK(p->p_session); 2390 PROC_UNLOCK(p); 2391 return (0); 2392 } 2393 2394 void 2395 setsugid(struct proc *p) 2396 { 2397 2398 PROC_LOCK_ASSERT(p, MA_OWNED); 2399 p->p_flag |= P_SUGID; 2400 } 2401 2402 /*- 2403 * Change a process's effective uid. 2404 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2405 * References: newcred must be an exclusive credential reference for the 2406 * duration of the call. 2407 */ 2408 void 2409 change_euid(struct ucred *newcred, struct uidinfo *euip) 2410 { 2411 2412 newcred->cr_uid = euip->ui_uid; 2413 uihold(euip); 2414 uifree(newcred->cr_uidinfo); 2415 newcred->cr_uidinfo = euip; 2416 } 2417 2418 /*- 2419 * Change a process's effective gid. 2420 * Side effects: newcred->cr_gid will be modified. 2421 * References: newcred must be an exclusive credential reference for the 2422 * duration of the call. 2423 */ 2424 void 2425 change_egid(struct ucred *newcred, gid_t egid) 2426 { 2427 2428 newcred->cr_groups[0] = egid; 2429 } 2430 2431 /*- 2432 * Change a process's real uid. 2433 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2434 * will be updated, and the old and new cr_ruidinfo proc 2435 * counts will be updated. 2436 * References: newcred must be an exclusive credential reference for the 2437 * duration of the call. 2438 */ 2439 void 2440 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2441 { 2442 2443 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2444 newcred->cr_ruid = ruip->ui_uid; 2445 uihold(ruip); 2446 uifree(newcred->cr_ruidinfo); 2447 newcred->cr_ruidinfo = ruip; 2448 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2449 } 2450 2451 /*- 2452 * Change a process's real gid. 2453 * Side effects: newcred->cr_rgid will be updated. 2454 * References: newcred must be an exclusive credential reference for the 2455 * duration of the call. 2456 */ 2457 void 2458 change_rgid(struct ucred *newcred, gid_t rgid) 2459 { 2460 2461 newcred->cr_rgid = rgid; 2462 } 2463 2464 /*- 2465 * Change a process's saved uid. 2466 * Side effects: newcred->cr_svuid will be updated. 2467 * References: newcred must be an exclusive credential reference for the 2468 * duration of the call. 2469 */ 2470 void 2471 change_svuid(struct ucred *newcred, uid_t svuid) 2472 { 2473 2474 newcred->cr_svuid = svuid; 2475 } 2476 2477 /*- 2478 * Change a process's saved gid. 2479 * Side effects: newcred->cr_svgid will be updated. 2480 * References: newcred must be an exclusive credential reference for the 2481 * duration of the call. 2482 */ 2483 void 2484 change_svgid(struct ucred *newcred, gid_t svgid) 2485 { 2486 2487 newcred->cr_svgid = svgid; 2488 } 2489 2490 bool allow_ptrace = true; 2491 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 2492 &allow_ptrace, 0, 2493 "Deny ptrace(2) use by returning ENOSYS"); 2494