1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/cdefs.h> 43 __FBSDID("$FreeBSD$"); 44 45 #include "opt_compat.h" 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/acct.h> 51 #include <sys/kdb.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/mac.h> 55 #include <sys/malloc.h> 56 #include <sys/mutex.h> 57 #include <sys/refcount.h> 58 #include <sys/sx.h> 59 #include <sys/proc.h> 60 #include <sys/sysproto.h> 61 #include <sys/jail.h> 62 #include <sys/pioctl.h> 63 #include <sys/resourcevar.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/sysctl.h> 67 68 #include <security/audit/audit.h> 69 70 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 71 72 SYSCTL_DECL(_security); 73 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 74 "BSD security policy"); 75 76 #ifndef _SYS_SYSPROTO_H_ 77 struct getpid_args { 78 int dummy; 79 }; 80 #endif 81 /* 82 * MPSAFE 83 */ 84 /* ARGSUSED */ 85 int 86 getpid(struct thread *td, struct getpid_args *uap) 87 { 88 struct proc *p = td->td_proc; 89 90 td->td_retval[0] = p->p_pid; 91 #if defined(COMPAT_43) 92 PROC_LOCK(p); 93 td->td_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95 #endif 96 return (0); 97 } 98 99 #ifndef _SYS_SYSPROTO_H_ 100 struct getppid_args { 101 int dummy; 102 }; 103 #endif 104 /* 105 * MPSAFE 106 */ 107 /* ARGSUSED */ 108 int 109 getppid(struct thread *td, struct getppid_args *uap) 110 { 111 struct proc *p = td->td_proc; 112 113 PROC_LOCK(p); 114 td->td_retval[0] = p->p_pptr->p_pid; 115 PROC_UNLOCK(p); 116 return (0); 117 } 118 119 /* 120 * Get process group ID; note that POSIX getpgrp takes no parameter. 121 */ 122 #ifndef _SYS_SYSPROTO_H_ 123 struct getpgrp_args { 124 int dummy; 125 }; 126 #endif 127 /* 128 * MPSAFE 129 */ 130 int 131 getpgrp(struct thread *td, struct getpgrp_args *uap) 132 { 133 struct proc *p = td->td_proc; 134 135 PROC_LOCK(p); 136 td->td_retval[0] = p->p_pgrp->pg_id; 137 PROC_UNLOCK(p); 138 return (0); 139 } 140 141 /* Get an arbitary pid's process group id */ 142 #ifndef _SYS_SYSPROTO_H_ 143 struct getpgid_args { 144 pid_t pid; 145 }; 146 #endif 147 /* 148 * MPSAFE 149 */ 150 int 151 getpgid(struct thread *td, struct getpgid_args *uap) 152 { 153 struct proc *p; 154 int error; 155 156 if (uap->pid == 0) { 157 p = td->td_proc; 158 PROC_LOCK(p); 159 } else { 160 p = pfind(uap->pid); 161 if (p == NULL) 162 return (ESRCH); 163 error = p_cansee(td, p); 164 if (error) { 165 PROC_UNLOCK(p); 166 return (error); 167 } 168 } 169 td->td_retval[0] = p->p_pgrp->pg_id; 170 PROC_UNLOCK(p); 171 return (0); 172 } 173 174 /* 175 * Get an arbitary pid's session id. 176 */ 177 #ifndef _SYS_SYSPROTO_H_ 178 struct getsid_args { 179 pid_t pid; 180 }; 181 #endif 182 /* 183 * MPSAFE 184 */ 185 int 186 getsid(struct thread *td, struct getsid_args *uap) 187 { 188 struct proc *p; 189 int error; 190 191 if (uap->pid == 0) { 192 p = td->td_proc; 193 PROC_LOCK(p); 194 } else { 195 p = pfind(uap->pid); 196 if (p == NULL) 197 return (ESRCH); 198 error = p_cansee(td, p); 199 if (error) { 200 PROC_UNLOCK(p); 201 return (error); 202 } 203 } 204 td->td_retval[0] = p->p_session->s_sid; 205 PROC_UNLOCK(p); 206 return (0); 207 } 208 209 #ifndef _SYS_SYSPROTO_H_ 210 struct getuid_args { 211 int dummy; 212 }; 213 #endif 214 /* 215 * MPSAFE 216 */ 217 /* ARGSUSED */ 218 int 219 getuid(struct thread *td, struct getuid_args *uap) 220 { 221 222 td->td_retval[0] = td->td_ucred->cr_ruid; 223 #if defined(COMPAT_43) 224 td->td_retval[1] = td->td_ucred->cr_uid; 225 #endif 226 return (0); 227 } 228 229 #ifndef _SYS_SYSPROTO_H_ 230 struct geteuid_args { 231 int dummy; 232 }; 233 #endif 234 /* 235 * MPSAFE 236 */ 237 /* ARGSUSED */ 238 int 239 geteuid(struct thread *td, struct geteuid_args *uap) 240 { 241 242 td->td_retval[0] = td->td_ucred->cr_uid; 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getgid_args { 248 int dummy; 249 }; 250 #endif 251 /* 252 * MPSAFE 253 */ 254 /* ARGSUSED */ 255 int 256 getgid(struct thread *td, struct getgid_args *uap) 257 { 258 259 td->td_retval[0] = td->td_ucred->cr_rgid; 260 #if defined(COMPAT_43) 261 td->td_retval[1] = td->td_ucred->cr_groups[0]; 262 #endif 263 return (0); 264 } 265 266 /* 267 * Get effective group ID. The "egid" is groups[0], and could be obtained 268 * via getgroups. This syscall exists because it is somewhat painful to do 269 * correctly in a library function. 270 */ 271 #ifndef _SYS_SYSPROTO_H_ 272 struct getegid_args { 273 int dummy; 274 }; 275 #endif 276 /* 277 * MPSAFE 278 */ 279 /* ARGSUSED */ 280 int 281 getegid(struct thread *td, struct getegid_args *uap) 282 { 283 284 td->td_retval[0] = td->td_ucred->cr_groups[0]; 285 return (0); 286 } 287 288 #ifndef _SYS_SYSPROTO_H_ 289 struct getgroups_args { 290 u_int gidsetsize; 291 gid_t *gidset; 292 }; 293 #endif 294 /* 295 * MPSAFE 296 */ 297 int 298 getgroups(struct thread *td, register struct getgroups_args *uap) 299 { 300 struct ucred *cred; 301 u_int ngrp; 302 int error; 303 304 cred = td->td_ucred; 305 if ((ngrp = uap->gidsetsize) == 0) { 306 td->td_retval[0] = cred->cr_ngroups; 307 return (0); 308 } 309 if (ngrp < cred->cr_ngroups) 310 return (EINVAL); 311 ngrp = cred->cr_ngroups; 312 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 313 if (error == 0) 314 td->td_retval[0] = ngrp; 315 return (error); 316 } 317 318 #ifndef _SYS_SYSPROTO_H_ 319 struct setsid_args { 320 int dummy; 321 }; 322 #endif 323 /* 324 * MPSAFE 325 */ 326 /* ARGSUSED */ 327 int 328 setsid(register struct thread *td, struct setsid_args *uap) 329 { 330 struct pgrp *pgrp; 331 int error; 332 struct proc *p = td->td_proc; 333 struct pgrp *newpgrp; 334 struct session *newsess; 335 336 error = 0; 337 pgrp = NULL; 338 339 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 340 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 341 342 sx_xlock(&proctree_lock); 343 344 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 345 if (pgrp != NULL) 346 PGRP_UNLOCK(pgrp); 347 error = EPERM; 348 } else { 349 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 350 td->td_retval[0] = p->p_pid; 351 newpgrp = NULL; 352 newsess = NULL; 353 } 354 355 sx_xunlock(&proctree_lock); 356 357 if (newpgrp != NULL) 358 FREE(newpgrp, M_PGRP); 359 if (newsess != NULL) 360 FREE(newsess, M_SESSION); 361 362 return (error); 363 } 364 365 /* 366 * set process group (setpgid/old setpgrp) 367 * 368 * caller does setpgid(targpid, targpgid) 369 * 370 * pid must be caller or child of caller (ESRCH) 371 * if a child 372 * pid must be in same session (EPERM) 373 * pid can't have done an exec (EACCES) 374 * if pgid != pid 375 * there must exist some pid in same session having pgid (EPERM) 376 * pid must not be session leader (EPERM) 377 */ 378 #ifndef _SYS_SYSPROTO_H_ 379 struct setpgid_args { 380 int pid; /* target process id */ 381 int pgid; /* target pgrp id */ 382 }; 383 #endif 384 /* 385 * MPSAFE 386 */ 387 /* ARGSUSED */ 388 int 389 setpgid(struct thread *td, register struct setpgid_args *uap) 390 { 391 struct proc *curp = td->td_proc; 392 register struct proc *targp; /* target process */ 393 register struct pgrp *pgrp; /* target pgrp */ 394 int error; 395 struct pgrp *newpgrp; 396 397 if (uap->pgid < 0) 398 return (EINVAL); 399 400 error = 0; 401 402 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 403 404 sx_xlock(&proctree_lock); 405 if (uap->pid != 0 && uap->pid != curp->p_pid) { 406 if ((targp = pfind(uap->pid)) == NULL) { 407 error = ESRCH; 408 goto done; 409 } 410 if (!inferior(targp)) { 411 PROC_UNLOCK(targp); 412 error = ESRCH; 413 goto done; 414 } 415 if ((error = p_cansee(td, targp))) { 416 PROC_UNLOCK(targp); 417 goto done; 418 } 419 if (targp->p_pgrp == NULL || 420 targp->p_session != curp->p_session) { 421 PROC_UNLOCK(targp); 422 error = EPERM; 423 goto done; 424 } 425 if (targp->p_flag & P_EXEC) { 426 PROC_UNLOCK(targp); 427 error = EACCES; 428 goto done; 429 } 430 PROC_UNLOCK(targp); 431 } else 432 targp = curp; 433 if (SESS_LEADER(targp)) { 434 error = EPERM; 435 goto done; 436 } 437 if (uap->pgid == 0) 438 uap->pgid = targp->p_pid; 439 if ((pgrp = pgfind(uap->pgid)) == NULL) { 440 if (uap->pgid == targp->p_pid) { 441 error = enterpgrp(targp, uap->pgid, newpgrp, 442 NULL); 443 if (error == 0) 444 newpgrp = NULL; 445 } else 446 error = EPERM; 447 } else { 448 if (pgrp == targp->p_pgrp) { 449 PGRP_UNLOCK(pgrp); 450 goto done; 451 } 452 if (pgrp->pg_id != targp->p_pid && 453 pgrp->pg_session != curp->p_session) { 454 PGRP_UNLOCK(pgrp); 455 error = EPERM; 456 goto done; 457 } 458 PGRP_UNLOCK(pgrp); 459 error = enterthispgrp(targp, pgrp); 460 } 461 done: 462 sx_xunlock(&proctree_lock); 463 KASSERT((error == 0) || (newpgrp != NULL), 464 ("setpgid failed and newpgrp is NULL")); 465 if (newpgrp != NULL) 466 FREE(newpgrp, M_PGRP); 467 return (error); 468 } 469 470 /* 471 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 472 * compatible. It says that setting the uid/gid to euid/egid is a special 473 * case of "appropriate privilege". Once the rules are expanded out, this 474 * basically means that setuid(nnn) sets all three id's, in all permitted 475 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 476 * does not set the saved id - this is dangerous for traditional BSD 477 * programs. For this reason, we *really* do not want to set 478 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 479 */ 480 #define POSIX_APPENDIX_B_4_2_2 481 482 #ifndef _SYS_SYSPROTO_H_ 483 struct setuid_args { 484 uid_t uid; 485 }; 486 #endif 487 /* 488 * MPSAFE 489 */ 490 /* ARGSUSED */ 491 int 492 setuid(struct thread *td, struct setuid_args *uap) 493 { 494 struct proc *p = td->td_proc; 495 struct ucred *newcred, *oldcred; 496 uid_t uid; 497 struct uidinfo *uip; 498 int error; 499 500 uid = uap->uid; 501 AUDIT_ARG(uid, uid); 502 newcred = crget(); 503 uip = uifind(uid); 504 PROC_LOCK(p); 505 oldcred = p->p_ucred; 506 507 #ifdef MAC 508 error = mac_check_proc_setuid(p, oldcred, uid); 509 if (error) 510 goto fail; 511 #endif 512 513 /* 514 * See if we have "permission" by POSIX 1003.1 rules. 515 * 516 * Note that setuid(geteuid()) is a special case of 517 * "appropriate privileges" in appendix B.4.2.2. We need 518 * to use this clause to be compatible with traditional BSD 519 * semantics. Basically, it means that "setuid(xx)" sets all 520 * three id's (assuming you have privs). 521 * 522 * Notes on the logic. We do things in three steps. 523 * 1: We determine if the euid is going to change, and do EPERM 524 * right away. We unconditionally change the euid later if this 525 * test is satisfied, simplifying that part of the logic. 526 * 2: We determine if the real and/or saved uids are going to 527 * change. Determined by compile options. 528 * 3: Change euid last. (after tests in #2 for "appropriate privs") 529 */ 530 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 531 #ifdef _POSIX_SAVED_IDS 532 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 533 #endif 534 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 535 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 536 #endif 537 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 538 goto fail; 539 540 /* 541 * Copy credentials so other references do not see our changes. 542 */ 543 crcopy(newcred, oldcred); 544 #ifdef _POSIX_SAVED_IDS 545 /* 546 * Do we have "appropriate privileges" (are we root or uid == euid) 547 * If so, we are changing the real uid and/or saved uid. 548 */ 549 if ( 550 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 551 uid == oldcred->cr_uid || 552 #endif 553 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ 554 #endif 555 { 556 /* 557 * Set the real uid and transfer proc count to new user. 558 */ 559 if (uid != oldcred->cr_ruid) { 560 change_ruid(newcred, uip); 561 setsugid(p); 562 } 563 /* 564 * Set saved uid 565 * 566 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 567 * the security of seteuid() depends on it. B.4.2.2 says it 568 * is important that we should do this. 569 */ 570 if (uid != oldcred->cr_svuid) { 571 change_svuid(newcred, uid); 572 setsugid(p); 573 } 574 } 575 576 /* 577 * In all permitted cases, we are changing the euid. 578 */ 579 if (uid != oldcred->cr_uid) { 580 change_euid(newcred, uip); 581 setsugid(p); 582 } 583 p->p_ucred = newcred; 584 PROC_UNLOCK(p); 585 uifree(uip); 586 crfree(oldcred); 587 return (0); 588 589 fail: 590 PROC_UNLOCK(p); 591 uifree(uip); 592 crfree(newcred); 593 return (error); 594 } 595 596 #ifndef _SYS_SYSPROTO_H_ 597 struct seteuid_args { 598 uid_t euid; 599 }; 600 #endif 601 /* 602 * MPSAFE 603 */ 604 /* ARGSUSED */ 605 int 606 seteuid(struct thread *td, struct seteuid_args *uap) 607 { 608 struct proc *p = td->td_proc; 609 struct ucred *newcred, *oldcred; 610 uid_t euid; 611 struct uidinfo *euip; 612 int error; 613 614 euid = uap->euid; 615 AUDIT_ARG(euid, euid); 616 newcred = crget(); 617 euip = uifind(euid); 618 PROC_LOCK(p); 619 oldcred = p->p_ucred; 620 621 #ifdef MAC 622 error = mac_check_proc_seteuid(p, oldcred, euid); 623 if (error) 624 goto fail; 625 #endif 626 627 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 628 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 629 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 630 goto fail; 631 632 /* 633 * Everything's okay, do it. Copy credentials so other references do 634 * not see our changes. 635 */ 636 crcopy(newcred, oldcred); 637 if (oldcred->cr_uid != euid) { 638 change_euid(newcred, euip); 639 setsugid(p); 640 } 641 p->p_ucred = newcred; 642 PROC_UNLOCK(p); 643 uifree(euip); 644 crfree(oldcred); 645 return (0); 646 647 fail: 648 PROC_UNLOCK(p); 649 uifree(euip); 650 crfree(newcred); 651 return (error); 652 } 653 654 #ifndef _SYS_SYSPROTO_H_ 655 struct setgid_args { 656 gid_t gid; 657 }; 658 #endif 659 /* 660 * MPSAFE 661 */ 662 /* ARGSUSED */ 663 int 664 setgid(struct thread *td, struct setgid_args *uap) 665 { 666 struct proc *p = td->td_proc; 667 struct ucred *newcred, *oldcred; 668 gid_t gid; 669 int error; 670 671 gid = uap->gid; 672 AUDIT_ARG(gid, gid); 673 newcred = crget(); 674 PROC_LOCK(p); 675 oldcred = p->p_ucred; 676 677 #ifdef MAC 678 error = mac_check_proc_setgid(p, oldcred, gid); 679 if (error) 680 goto fail; 681 #endif 682 683 /* 684 * See if we have "permission" by POSIX 1003.1 rules. 685 * 686 * Note that setgid(getegid()) is a special case of 687 * "appropriate privileges" in appendix B.4.2.2. We need 688 * to use this clause to be compatible with traditional BSD 689 * semantics. Basically, it means that "setgid(xx)" sets all 690 * three id's (assuming you have privs). 691 * 692 * For notes on the logic here, see setuid() above. 693 */ 694 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 695 #ifdef _POSIX_SAVED_IDS 696 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 697 #endif 698 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 699 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 700 #endif 701 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 702 goto fail; 703 704 crcopy(newcred, oldcred); 705 #ifdef _POSIX_SAVED_IDS 706 /* 707 * Do we have "appropriate privileges" (are we root or gid == egid) 708 * If so, we are changing the real uid and saved gid. 709 */ 710 if ( 711 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 712 gid == oldcred->cr_groups[0] || 713 #endif 714 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ 715 #endif 716 { 717 /* 718 * Set real gid 719 */ 720 if (oldcred->cr_rgid != gid) { 721 change_rgid(newcred, gid); 722 setsugid(p); 723 } 724 /* 725 * Set saved gid 726 * 727 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 728 * the security of setegid() depends on it. B.4.2.2 says it 729 * is important that we should do this. 730 */ 731 if (oldcred->cr_svgid != gid) { 732 change_svgid(newcred, gid); 733 setsugid(p); 734 } 735 } 736 /* 737 * In all cases permitted cases, we are changing the egid. 738 * Copy credentials so other references do not see our changes. 739 */ 740 if (oldcred->cr_groups[0] != gid) { 741 change_egid(newcred, gid); 742 setsugid(p); 743 } 744 p->p_ucred = newcred; 745 PROC_UNLOCK(p); 746 crfree(oldcred); 747 return (0); 748 749 fail: 750 PROC_UNLOCK(p); 751 crfree(newcred); 752 return (error); 753 } 754 755 #ifndef _SYS_SYSPROTO_H_ 756 struct setegid_args { 757 gid_t egid; 758 }; 759 #endif 760 /* 761 * MPSAFE 762 */ 763 /* ARGSUSED */ 764 int 765 setegid(struct thread *td, struct setegid_args *uap) 766 { 767 struct proc *p = td->td_proc; 768 struct ucred *newcred, *oldcred; 769 gid_t egid; 770 int error; 771 772 egid = uap->egid; 773 AUDIT_ARG(egid, egid); 774 newcred = crget(); 775 PROC_LOCK(p); 776 oldcred = p->p_ucred; 777 778 #ifdef MAC 779 error = mac_check_proc_setegid(p, oldcred, egid); 780 if (error) 781 goto fail; 782 #endif 783 784 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 785 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 786 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 787 goto fail; 788 789 crcopy(newcred, oldcred); 790 if (oldcred->cr_groups[0] != egid) { 791 change_egid(newcred, egid); 792 setsugid(p); 793 } 794 p->p_ucred = newcred; 795 PROC_UNLOCK(p); 796 crfree(oldcred); 797 return (0); 798 799 fail: 800 PROC_UNLOCK(p); 801 crfree(newcred); 802 return (error); 803 } 804 805 #ifndef _SYS_SYSPROTO_H_ 806 struct setgroups_args { 807 u_int gidsetsize; 808 gid_t *gidset; 809 }; 810 #endif 811 /* 812 * MPSAFE 813 */ 814 /* ARGSUSED */ 815 int 816 setgroups(struct thread *td, struct setgroups_args *uap) 817 { 818 struct proc *p = td->td_proc; 819 struct ucred *newcred, *tempcred, *oldcred; 820 u_int ngrp; 821 int error; 822 823 ngrp = uap->gidsetsize; 824 if (ngrp > NGROUPS) 825 return (EINVAL); 826 tempcred = crget(); 827 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t)); 828 if (error != 0) { 829 crfree(tempcred); 830 return (error); 831 } 832 AUDIT_ARG(groupset, tempcred->cr_groups, ngrp); 833 newcred = crget(); 834 PROC_LOCK(p); 835 oldcred = p->p_ucred; 836 837 #ifdef MAC 838 error = mac_check_proc_setgroups(p, oldcred, ngrp, 839 tempcred->cr_groups); 840 if (error) 841 goto fail; 842 #endif 843 844 error = suser_cred(oldcred, SUSER_ALLOWJAIL); 845 if (error) 846 goto fail; 847 848 /* 849 * XXX A little bit lazy here. We could test if anything has 850 * changed before crcopy() and setting P_SUGID. 851 */ 852 crcopy(newcred, oldcred); 853 if (ngrp < 1) { 854 /* 855 * setgroups(0, NULL) is a legitimate way of clearing the 856 * groups vector on non-BSD systems (which generally do not 857 * have the egid in the groups[0]). We risk security holes 858 * when running non-BSD software if we do not do the same. 859 */ 860 newcred->cr_ngroups = 1; 861 } else { 862 bcopy(tempcred->cr_groups, newcred->cr_groups, 863 ngrp * sizeof(gid_t)); 864 newcred->cr_ngroups = ngrp; 865 } 866 setsugid(p); 867 p->p_ucred = newcred; 868 PROC_UNLOCK(p); 869 crfree(tempcred); 870 crfree(oldcred); 871 return (0); 872 873 fail: 874 PROC_UNLOCK(p); 875 crfree(newcred); 876 crfree(tempcred); 877 return (error); 878 } 879 880 #ifndef _SYS_SYSPROTO_H_ 881 struct setreuid_args { 882 uid_t ruid; 883 uid_t euid; 884 }; 885 #endif 886 /* 887 * MPSAFE 888 */ 889 /* ARGSUSED */ 890 int 891 setreuid(register struct thread *td, struct setreuid_args *uap) 892 { 893 struct proc *p = td->td_proc; 894 struct ucred *newcred, *oldcred; 895 uid_t euid, ruid; 896 struct uidinfo *euip, *ruip; 897 int error; 898 899 euid = uap->euid; 900 ruid = uap->ruid; 901 AUDIT_ARG(euid, euid); 902 AUDIT_ARG(ruid, ruid); 903 newcred = crget(); 904 euip = uifind(euid); 905 ruip = uifind(ruid); 906 PROC_LOCK(p); 907 oldcred = p->p_ucred; 908 909 #ifdef MAC 910 error = mac_check_proc_setreuid(p, oldcred, ruid, euid); 911 if (error) 912 goto fail; 913 #endif 914 915 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 916 ruid != oldcred->cr_svuid) || 917 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 918 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 919 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 920 goto fail; 921 922 crcopy(newcred, oldcred); 923 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 924 change_euid(newcred, euip); 925 setsugid(p); 926 } 927 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 928 change_ruid(newcred, ruip); 929 setsugid(p); 930 } 931 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 932 newcred->cr_svuid != newcred->cr_uid) { 933 change_svuid(newcred, newcred->cr_uid); 934 setsugid(p); 935 } 936 p->p_ucred = newcred; 937 PROC_UNLOCK(p); 938 uifree(ruip); 939 uifree(euip); 940 crfree(oldcred); 941 return (0); 942 943 fail: 944 PROC_UNLOCK(p); 945 uifree(ruip); 946 uifree(euip); 947 crfree(newcred); 948 return (error); 949 } 950 951 #ifndef _SYS_SYSPROTO_H_ 952 struct setregid_args { 953 gid_t rgid; 954 gid_t egid; 955 }; 956 #endif 957 /* 958 * MPSAFE 959 */ 960 /* ARGSUSED */ 961 int 962 setregid(register struct thread *td, struct setregid_args *uap) 963 { 964 struct proc *p = td->td_proc; 965 struct ucred *newcred, *oldcred; 966 gid_t egid, rgid; 967 int error; 968 969 egid = uap->egid; 970 rgid = uap->rgid; 971 AUDIT_ARG(egid, egid); 972 AUDIT_ARG(rgid, rgid); 973 newcred = crget(); 974 PROC_LOCK(p); 975 oldcred = p->p_ucred; 976 977 #ifdef MAC 978 error = mac_check_proc_setregid(p, oldcred, rgid, egid); 979 if (error) 980 goto fail; 981 #endif 982 983 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 984 rgid != oldcred->cr_svgid) || 985 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 986 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 987 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 988 goto fail; 989 990 crcopy(newcred, oldcred); 991 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 992 change_egid(newcred, egid); 993 setsugid(p); 994 } 995 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 996 change_rgid(newcred, rgid); 997 setsugid(p); 998 } 999 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1000 newcred->cr_svgid != newcred->cr_groups[0]) { 1001 change_svgid(newcred, newcred->cr_groups[0]); 1002 setsugid(p); 1003 } 1004 p->p_ucred = newcred; 1005 PROC_UNLOCK(p); 1006 crfree(oldcred); 1007 return (0); 1008 1009 fail: 1010 PROC_UNLOCK(p); 1011 crfree(newcred); 1012 return (error); 1013 } 1014 1015 /* 1016 * setresuid(ruid, euid, suid) is like setreuid except control over the 1017 * saved uid is explicit. 1018 */ 1019 1020 #ifndef _SYS_SYSPROTO_H_ 1021 struct setresuid_args { 1022 uid_t ruid; 1023 uid_t euid; 1024 uid_t suid; 1025 }; 1026 #endif 1027 /* 1028 * MPSAFE 1029 */ 1030 /* ARGSUSED */ 1031 int 1032 setresuid(register struct thread *td, struct setresuid_args *uap) 1033 { 1034 struct proc *p = td->td_proc; 1035 struct ucred *newcred, *oldcred; 1036 uid_t euid, ruid, suid; 1037 struct uidinfo *euip, *ruip; 1038 int error; 1039 1040 euid = uap->euid; 1041 ruid = uap->ruid; 1042 suid = uap->suid; 1043 AUDIT_ARG(euid, euid); 1044 AUDIT_ARG(ruid, ruid); 1045 AUDIT_ARG(suid, suid); 1046 newcred = crget(); 1047 euip = uifind(euid); 1048 ruip = uifind(ruid); 1049 PROC_LOCK(p); 1050 oldcred = p->p_ucred; 1051 1052 #ifdef MAC 1053 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); 1054 if (error) 1055 goto fail; 1056 #endif 1057 1058 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1059 ruid != oldcred->cr_svuid && 1060 ruid != oldcred->cr_uid) || 1061 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1062 euid != oldcred->cr_svuid && 1063 euid != oldcred->cr_uid) || 1064 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1065 suid != oldcred->cr_svuid && 1066 suid != oldcred->cr_uid)) && 1067 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1068 goto fail; 1069 1070 crcopy(newcred, oldcred); 1071 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1072 change_euid(newcred, euip); 1073 setsugid(p); 1074 } 1075 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1076 change_ruid(newcred, ruip); 1077 setsugid(p); 1078 } 1079 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1080 change_svuid(newcred, suid); 1081 setsugid(p); 1082 } 1083 p->p_ucred = newcred; 1084 PROC_UNLOCK(p); 1085 uifree(ruip); 1086 uifree(euip); 1087 crfree(oldcred); 1088 return (0); 1089 1090 fail: 1091 PROC_UNLOCK(p); 1092 uifree(ruip); 1093 uifree(euip); 1094 crfree(newcred); 1095 return (error); 1096 1097 } 1098 1099 /* 1100 * setresgid(rgid, egid, sgid) is like setregid except control over the 1101 * saved gid is explicit. 1102 */ 1103 1104 #ifndef _SYS_SYSPROTO_H_ 1105 struct setresgid_args { 1106 gid_t rgid; 1107 gid_t egid; 1108 gid_t sgid; 1109 }; 1110 #endif 1111 /* 1112 * MPSAFE 1113 */ 1114 /* ARGSUSED */ 1115 int 1116 setresgid(register struct thread *td, struct setresgid_args *uap) 1117 { 1118 struct proc *p = td->td_proc; 1119 struct ucred *newcred, *oldcred; 1120 gid_t egid, rgid, sgid; 1121 int error; 1122 1123 egid = uap->egid; 1124 rgid = uap->rgid; 1125 sgid = uap->sgid; 1126 AUDIT_ARG(egid, egid); 1127 AUDIT_ARG(rgid, rgid); 1128 AUDIT_ARG(sgid, sgid); 1129 newcred = crget(); 1130 PROC_LOCK(p); 1131 oldcred = p->p_ucred; 1132 1133 #ifdef MAC 1134 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); 1135 if (error) 1136 goto fail; 1137 #endif 1138 1139 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1140 rgid != oldcred->cr_svgid && 1141 rgid != oldcred->cr_groups[0]) || 1142 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1143 egid != oldcred->cr_svgid && 1144 egid != oldcred->cr_groups[0]) || 1145 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1146 sgid != oldcred->cr_svgid && 1147 sgid != oldcred->cr_groups[0])) && 1148 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1149 goto fail; 1150 1151 crcopy(newcred, oldcred); 1152 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1153 change_egid(newcred, egid); 1154 setsugid(p); 1155 } 1156 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1157 change_rgid(newcred, rgid); 1158 setsugid(p); 1159 } 1160 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1161 change_svgid(newcred, sgid); 1162 setsugid(p); 1163 } 1164 p->p_ucred = newcred; 1165 PROC_UNLOCK(p); 1166 crfree(oldcred); 1167 return (0); 1168 1169 fail: 1170 PROC_UNLOCK(p); 1171 crfree(newcred); 1172 return (error); 1173 } 1174 1175 #ifndef _SYS_SYSPROTO_H_ 1176 struct getresuid_args { 1177 uid_t *ruid; 1178 uid_t *euid; 1179 uid_t *suid; 1180 }; 1181 #endif 1182 /* 1183 * MPSAFE 1184 */ 1185 /* ARGSUSED */ 1186 int 1187 getresuid(register struct thread *td, struct getresuid_args *uap) 1188 { 1189 struct ucred *cred; 1190 int error1 = 0, error2 = 0, error3 = 0; 1191 1192 cred = td->td_ucred; 1193 if (uap->ruid) 1194 error1 = copyout(&cred->cr_ruid, 1195 uap->ruid, sizeof(cred->cr_ruid)); 1196 if (uap->euid) 1197 error2 = copyout(&cred->cr_uid, 1198 uap->euid, sizeof(cred->cr_uid)); 1199 if (uap->suid) 1200 error3 = copyout(&cred->cr_svuid, 1201 uap->suid, sizeof(cred->cr_svuid)); 1202 return (error1 ? error1 : error2 ? error2 : error3); 1203 } 1204 1205 #ifndef _SYS_SYSPROTO_H_ 1206 struct getresgid_args { 1207 gid_t *rgid; 1208 gid_t *egid; 1209 gid_t *sgid; 1210 }; 1211 #endif 1212 /* 1213 * MPSAFE 1214 */ 1215 /* ARGSUSED */ 1216 int 1217 getresgid(register struct thread *td, struct getresgid_args *uap) 1218 { 1219 struct ucred *cred; 1220 int error1 = 0, error2 = 0, error3 = 0; 1221 1222 cred = td->td_ucred; 1223 if (uap->rgid) 1224 error1 = copyout(&cred->cr_rgid, 1225 uap->rgid, sizeof(cred->cr_rgid)); 1226 if (uap->egid) 1227 error2 = copyout(&cred->cr_groups[0], 1228 uap->egid, sizeof(cred->cr_groups[0])); 1229 if (uap->sgid) 1230 error3 = copyout(&cred->cr_svgid, 1231 uap->sgid, sizeof(cred->cr_svgid)); 1232 return (error1 ? error1 : error2 ? error2 : error3); 1233 } 1234 1235 #ifndef _SYS_SYSPROTO_H_ 1236 struct issetugid_args { 1237 int dummy; 1238 }; 1239 #endif 1240 /* 1241 * MPSAFE 1242 */ 1243 /* ARGSUSED */ 1244 int 1245 issetugid(register struct thread *td, struct issetugid_args *uap) 1246 { 1247 struct proc *p = td->td_proc; 1248 1249 /* 1250 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1251 * we use P_SUGID because we consider changing the owners as 1252 * "tainting" as well. 1253 * This is significant for procs that start as root and "become" 1254 * a user without an exec - programs cannot know *everything* 1255 * that libc *might* have put in their data segment. 1256 */ 1257 PROC_LOCK(p); 1258 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1259 PROC_UNLOCK(p); 1260 return (0); 1261 } 1262 1263 /* 1264 * MPSAFE 1265 */ 1266 int 1267 __setugid(struct thread *td, struct __setugid_args *uap) 1268 { 1269 #ifdef REGRESSION 1270 struct proc *p; 1271 1272 p = td->td_proc; 1273 switch (uap->flag) { 1274 case 0: 1275 PROC_LOCK(p); 1276 p->p_flag &= ~P_SUGID; 1277 PROC_UNLOCK(p); 1278 return (0); 1279 case 1: 1280 PROC_LOCK(p); 1281 p->p_flag |= P_SUGID; 1282 PROC_UNLOCK(p); 1283 return (0); 1284 default: 1285 return (EINVAL); 1286 } 1287 #else /* !REGRESSION */ 1288 1289 return (ENOSYS); 1290 #endif /* REGRESSION */ 1291 } 1292 1293 /* 1294 * Check if gid is a member of the group set. 1295 * 1296 * MPSAFE (cred must be held) 1297 */ 1298 int 1299 groupmember(gid_t gid, struct ucred *cred) 1300 { 1301 register gid_t *gp; 1302 gid_t *egp; 1303 1304 egp = &(cred->cr_groups[cred->cr_ngroups]); 1305 for (gp = cred->cr_groups; gp < egp; gp++) 1306 if (*gp == gid) 1307 return (1); 1308 return (0); 1309 } 1310 1311 /* 1312 * `suser_enabled' (which can be set by the security.suser_enabled 1313 * sysctl) determines whether the system 'super-user' policy is in effect. 1314 * If it is nonzero, an effective uid of 0 connotes special privilege, 1315 * overriding many mandatory and discretionary protections. If it is zero, 1316 * uid 0 is offered no special privilege in the kernel security policy. 1317 * Setting it to zero may seriously impact the functionality of many 1318 * existing userland programs, and should not be done without careful 1319 * consideration of the consequences. 1320 */ 1321 int suser_enabled = 1; 1322 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1323 &suser_enabled, 0, "processes with uid 0 have privilege"); 1324 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1325 1326 /* 1327 * Test whether the specified credentials imply "super-user" privilege. 1328 * Return 0 or EPERM. 1329 */ 1330 int 1331 suser_cred(struct ucred *cred, int flag) 1332 { 1333 1334 if (!suser_enabled) 1335 return (EPERM); 1336 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0) 1337 return (EPERM); 1338 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL)) 1339 return (EPERM); 1340 return (0); 1341 } 1342 1343 /* 1344 * Shortcut to hide contents of struct td and struct proc from the 1345 * caller, promoting binary compatibility. 1346 */ 1347 int 1348 suser(struct thread *td) 1349 { 1350 1351 #ifdef INVARIANTS 1352 if (td != curthread) { 1353 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n", 1354 td, td->td_proc->p_pid, td->td_proc->p_comm, 1355 curthread, curthread->td_proc->p_pid, 1356 curthread->td_proc->p_comm); 1357 #ifdef KDB 1358 kdb_backtrace(); 1359 #endif 1360 } 1361 #endif 1362 return (suser_cred(td->td_ucred, 0)); 1363 } 1364 1365 /* 1366 * Test the active securelevel against a given level. securelevel_gt() 1367 * implements (securelevel > level). securelevel_ge() implements 1368 * (securelevel >= level). Note that the logic is inverted -- these 1369 * functions return EPERM on "success" and 0 on "failure". 1370 * 1371 * MPSAFE 1372 */ 1373 int 1374 securelevel_gt(struct ucred *cr, int level) 1375 { 1376 int active_securelevel; 1377 1378 active_securelevel = securelevel; 1379 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1380 if (cr->cr_prison != NULL) 1381 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1382 active_securelevel); 1383 return (active_securelevel > level ? EPERM : 0); 1384 } 1385 1386 int 1387 securelevel_ge(struct ucred *cr, int level) 1388 { 1389 int active_securelevel; 1390 1391 active_securelevel = securelevel; 1392 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1393 if (cr->cr_prison != NULL) 1394 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1395 active_securelevel); 1396 return (active_securelevel >= level ? EPERM : 0); 1397 } 1398 1399 /* 1400 * 'see_other_uids' determines whether or not visibility of processes 1401 * and sockets with credentials holding different real uids is possible 1402 * using a variety of system MIBs. 1403 * XXX: data declarations should be together near the beginning of the file. 1404 */ 1405 static int see_other_uids = 1; 1406 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1407 &see_other_uids, 0, 1408 "Unprivileged processes may see subjects/objects with different real uid"); 1409 1410 /*- 1411 * Determine if u1 "can see" the subject specified by u2, according to the 1412 * 'see_other_uids' policy. 1413 * Returns: 0 for permitted, ESRCH otherwise 1414 * Locks: none 1415 * References: *u1 and *u2 must not change during the call 1416 * u1 may equal u2, in which case only one reference is required 1417 */ 1418 static int 1419 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1420 { 1421 1422 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1423 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) 1424 return (ESRCH); 1425 } 1426 return (0); 1427 } 1428 1429 /* 1430 * 'see_other_gids' determines whether or not visibility of processes 1431 * and sockets with credentials holding different real gids is possible 1432 * using a variety of system MIBs. 1433 * XXX: data declarations should be together near the beginning of the file. 1434 */ 1435 static int see_other_gids = 1; 1436 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1437 &see_other_gids, 0, 1438 "Unprivileged processes may see subjects/objects with different real gid"); 1439 1440 /* 1441 * Determine if u1 can "see" the subject specified by u2, according to the 1442 * 'see_other_gids' policy. 1443 * Returns: 0 for permitted, ESRCH otherwise 1444 * Locks: none 1445 * References: *u1 and *u2 must not change during the call 1446 * u1 may equal u2, in which case only one reference is required 1447 */ 1448 static int 1449 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1450 { 1451 int i, match; 1452 1453 if (!see_other_gids) { 1454 match = 0; 1455 for (i = 0; i < u1->cr_ngroups; i++) { 1456 if (groupmember(u1->cr_groups[i], u2)) 1457 match = 1; 1458 if (match) 1459 break; 1460 } 1461 if (!match) { 1462 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) 1463 return (ESRCH); 1464 } 1465 } 1466 return (0); 1467 } 1468 1469 /*- 1470 * Determine if u1 "can see" the subject specified by u2. 1471 * Returns: 0 for permitted, an errno value otherwise 1472 * Locks: none 1473 * References: *u1 and *u2 must not change during the call 1474 * u1 may equal u2, in which case only one reference is required 1475 */ 1476 int 1477 cr_cansee(struct ucred *u1, struct ucred *u2) 1478 { 1479 int error; 1480 1481 if ((error = prison_check(u1, u2))) 1482 return (error); 1483 #ifdef MAC 1484 if ((error = mac_check_cred_visible(u1, u2))) 1485 return (error); 1486 #endif 1487 if ((error = cr_seeotheruids(u1, u2))) 1488 return (error); 1489 if ((error = cr_seeothergids(u1, u2))) 1490 return (error); 1491 return (0); 1492 } 1493 1494 /*- 1495 * Determine if td "can see" the subject specified by p. 1496 * Returns: 0 for permitted, an errno value otherwise 1497 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1498 * should be curthread. 1499 * References: td and p must be valid for the lifetime of the call 1500 */ 1501 int 1502 p_cansee(struct thread *td, struct proc *p) 1503 { 1504 1505 /* Wrap cr_cansee() for all functionality. */ 1506 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1507 PROC_LOCK_ASSERT(p, MA_OWNED); 1508 return (cr_cansee(td->td_ucred, p->p_ucred)); 1509 } 1510 1511 /* 1512 * 'conservative_signals' prevents the delivery of a broad class of 1513 * signals by unprivileged processes to processes that have changed their 1514 * credentials since the last invocation of execve(). This can prevent 1515 * the leakage of cached information or retained privileges as a result 1516 * of a common class of signal-related vulnerabilities. However, this 1517 * may interfere with some applications that expect to be able to 1518 * deliver these signals to peer processes after having given up 1519 * privilege. 1520 */ 1521 static int conservative_signals = 1; 1522 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1523 &conservative_signals, 0, "Unprivileged processes prevented from " 1524 "sending certain signals to processes whose credentials have changed"); 1525 /*- 1526 * Determine whether cred may deliver the specified signal to proc. 1527 * Returns: 0 for permitted, an errno value otherwise. 1528 * Locks: A lock must be held for proc. 1529 * References: cred and proc must be valid for the lifetime of the call. 1530 */ 1531 int 1532 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1533 { 1534 int error; 1535 1536 PROC_LOCK_ASSERT(proc, MA_OWNED); 1537 /* 1538 * Jail semantics limit the scope of signalling to proc in the 1539 * same jail as cred, if cred is in jail. 1540 */ 1541 error = prison_check(cred, proc->p_ucred); 1542 if (error) 1543 return (error); 1544 #ifdef MAC 1545 if ((error = mac_check_proc_signal(cred, proc, signum))) 1546 return (error); 1547 #endif 1548 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1549 return (error); 1550 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1551 return (error); 1552 1553 /* 1554 * UNIX signal semantics depend on the status of the P_SUGID 1555 * bit on the target process. If the bit is set, then additional 1556 * restrictions are placed on the set of available signals. 1557 */ 1558 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1559 switch (signum) { 1560 case 0: 1561 case SIGKILL: 1562 case SIGINT: 1563 case SIGTERM: 1564 case SIGALRM: 1565 case SIGSTOP: 1566 case SIGTTIN: 1567 case SIGTTOU: 1568 case SIGTSTP: 1569 case SIGHUP: 1570 case SIGUSR1: 1571 case SIGUSR2: 1572 /* 1573 * Generally, permit job and terminal control 1574 * signals. 1575 */ 1576 break; 1577 default: 1578 /* Not permitted without privilege. */ 1579 error = suser_cred(cred, SUSER_ALLOWJAIL); 1580 if (error) 1581 return (error); 1582 } 1583 } 1584 1585 /* 1586 * Generally, the target credential's ruid or svuid must match the 1587 * subject credential's ruid or euid. 1588 */ 1589 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1590 cred->cr_ruid != proc->p_ucred->cr_svuid && 1591 cred->cr_uid != proc->p_ucred->cr_ruid && 1592 cred->cr_uid != proc->p_ucred->cr_svuid) { 1593 /* Not permitted without privilege. */ 1594 error = suser_cred(cred, SUSER_ALLOWJAIL); 1595 if (error) 1596 return (error); 1597 } 1598 1599 return (0); 1600 } 1601 1602 1603 /*- 1604 * Determine whether td may deliver the specified signal to p. 1605 * Returns: 0 for permitted, an errno value otherwise 1606 * Locks: Sufficient locks to protect various components of td and p 1607 * must be held. td must be curthread, and a lock must be 1608 * held for p. 1609 * References: td and p must be valid for the lifetime of the call 1610 */ 1611 int 1612 p_cansignal(struct thread *td, struct proc *p, int signum) 1613 { 1614 1615 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1616 PROC_LOCK_ASSERT(p, MA_OWNED); 1617 if (td->td_proc == p) 1618 return (0); 1619 1620 /* 1621 * UNIX signalling semantics require that processes in the same 1622 * session always be able to deliver SIGCONT to one another, 1623 * overriding the remaining protections. 1624 */ 1625 /* XXX: This will require an additional lock of some sort. */ 1626 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1627 return (0); 1628 /* 1629 * Some compat layers use SIGTHR and higher signals for 1630 * communication between different kernel threads of the same 1631 * process, so that they expect that it's always possible to 1632 * deliver them, even for suid applications where cr_cansignal() can 1633 * deny such ability for security consideration. It should be 1634 * pretty safe to do since the only way to create two processes 1635 * with the same p_leader is via rfork(2). 1636 */ 1637 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1638 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1639 return (0); 1640 1641 return (cr_cansignal(td->td_ucred, p, signum)); 1642 } 1643 1644 /*- 1645 * Determine whether td may reschedule p. 1646 * Returns: 0 for permitted, an errno value otherwise 1647 * Locks: Sufficient locks to protect various components of td and p 1648 * must be held. td must be curthread, and a lock must 1649 * be held for p. 1650 * References: td and p must be valid for the lifetime of the call 1651 */ 1652 int 1653 p_cansched(struct thread *td, struct proc *p) 1654 { 1655 int error; 1656 1657 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1658 PROC_LOCK_ASSERT(p, MA_OWNED); 1659 if (td->td_proc == p) 1660 return (0); 1661 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1662 return (error); 1663 #ifdef MAC 1664 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1665 return (error); 1666 #endif 1667 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1668 return (error); 1669 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1670 return (error); 1671 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1672 return (0); 1673 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1674 return (0); 1675 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) 1676 return (0); 1677 1678 #ifdef CAPABILITIES 1679 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL)) 1680 return (0); 1681 #endif 1682 1683 return (EPERM); 1684 } 1685 1686 /* 1687 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1688 * unprivileged inter-process debugging services, including some procfs 1689 * functionality, ptrace(), and ktrace(). In the past, inter-process 1690 * debugging has been involved in a variety of security problems, and sites 1691 * not requiring the service might choose to disable it when hardening 1692 * systems. 1693 * 1694 * XXX: Should modifying and reading this variable require locking? 1695 * XXX: data declarations should be together near the beginning of the file. 1696 */ 1697 static int unprivileged_proc_debug = 1; 1698 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1699 &unprivileged_proc_debug, 0, 1700 "Unprivileged processes may use process debugging facilities"); 1701 1702 /*- 1703 * Determine whether td may debug p. 1704 * Returns: 0 for permitted, an errno value otherwise 1705 * Locks: Sufficient locks to protect various components of td and p 1706 * must be held. td must be curthread, and a lock must 1707 * be held for p. 1708 * References: td and p must be valid for the lifetime of the call 1709 */ 1710 int 1711 p_candebug(struct thread *td, struct proc *p) 1712 { 1713 int credentialchanged, error, grpsubset, i, uidsubset; 1714 1715 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1716 PROC_LOCK_ASSERT(p, MA_OWNED); 1717 if (!unprivileged_proc_debug) { 1718 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 1719 if (error) 1720 return (error); 1721 } 1722 if (td->td_proc == p) 1723 return (0); 1724 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1725 return (error); 1726 #ifdef MAC 1727 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1728 return (error); 1729 #endif 1730 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1731 return (error); 1732 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1733 return (error); 1734 1735 /* 1736 * Is p's group set a subset of td's effective group set? This 1737 * includes p's egid, group access list, rgid, and svgid. 1738 */ 1739 grpsubset = 1; 1740 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1741 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1742 grpsubset = 0; 1743 break; 1744 } 1745 } 1746 grpsubset = grpsubset && 1747 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1748 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1749 1750 /* 1751 * Are the uids present in p's credential equal to td's 1752 * effective uid? This includes p's euid, svuid, and ruid. 1753 */ 1754 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1755 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1756 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1757 1758 /* 1759 * Has the credential of the process changed since the last exec()? 1760 */ 1761 credentialchanged = (p->p_flag & P_SUGID); 1762 1763 /* 1764 * If p's gids aren't a subset, or the uids aren't a subset, 1765 * or the credential has changed, require appropriate privilege 1766 * for td to debug p. For POSIX.1e capabilities, this will 1767 * require CAP_SYS_PTRACE. 1768 */ 1769 if (!grpsubset || !uidsubset || credentialchanged) { 1770 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 1771 if (error) 1772 return (error); 1773 } 1774 1775 /* Can't trace init when securelevel > 0. */ 1776 if (p == initproc) { 1777 error = securelevel_gt(td->td_ucred, 0); 1778 if (error) 1779 return (error); 1780 } 1781 1782 /* 1783 * Can't trace a process that's currently exec'ing. 1784 * XXX: Note, this is not a security policy decision, it's a 1785 * basic correctness/functionality decision. Therefore, this check 1786 * should be moved to the caller's of p_candebug(). 1787 */ 1788 if ((p->p_flag & P_INEXEC) != 0) 1789 return (EAGAIN); 1790 1791 return (0); 1792 } 1793 1794 /*- 1795 * Determine whether the subject represented by cred can "see" a socket. 1796 * Returns: 0 for permitted, ENOENT otherwise. 1797 */ 1798 int 1799 cr_canseesocket(struct ucred *cred, struct socket *so) 1800 { 1801 int error; 1802 1803 error = prison_check(cred, so->so_cred); 1804 if (error) 1805 return (ENOENT); 1806 #ifdef MAC 1807 SOCK_LOCK(so); 1808 error = mac_check_socket_visible(cred, so); 1809 SOCK_UNLOCK(so); 1810 if (error) 1811 return (error); 1812 #endif 1813 if (cr_seeotheruids(cred, so->so_cred)) 1814 return (ENOENT); 1815 if (cr_seeothergids(cred, so->so_cred)) 1816 return (ENOENT); 1817 1818 return (0); 1819 } 1820 1821 /*- 1822 * Determine whether td can wait for the exit of p. 1823 * Returns: 0 for permitted, an errno value otherwise 1824 * Locks: Sufficient locks to protect various components of td and p 1825 * must be held. td must be curthread, and a lock must 1826 * be held for p. 1827 * References: td and p must be valid for the lifetime of the call 1828 1829 */ 1830 int 1831 p_canwait(struct thread *td, struct proc *p) 1832 { 1833 int error; 1834 1835 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1836 PROC_LOCK_ASSERT(p, MA_OWNED); 1837 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1838 return (error); 1839 #ifdef MAC 1840 if ((error = mac_check_proc_wait(td->td_ucred, p))) 1841 return (error); 1842 #endif 1843 #if 0 1844 /* XXXMAC: This could have odd effects on some shells. */ 1845 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1846 return (error); 1847 #endif 1848 1849 return (0); 1850 } 1851 1852 /* 1853 * Allocate a zeroed cred structure. 1854 * MPSAFE 1855 */ 1856 struct ucred * 1857 crget(void) 1858 { 1859 register struct ucred *cr; 1860 1861 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1862 refcount_init(&cr->cr_ref, 1); 1863 #ifdef MAC 1864 mac_init_cred(cr); 1865 #endif 1866 return (cr); 1867 } 1868 1869 /* 1870 * Claim another reference to a ucred structure. 1871 * MPSAFE 1872 */ 1873 struct ucred * 1874 crhold(struct ucred *cr) 1875 { 1876 1877 refcount_acquire(&cr->cr_ref); 1878 return (cr); 1879 } 1880 1881 /* 1882 * Free a cred structure. 1883 * Throws away space when ref count gets to 0. 1884 * MPSAFE 1885 */ 1886 void 1887 crfree(struct ucred *cr) 1888 { 1889 1890 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1891 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1892 if (refcount_release(&cr->cr_ref)) { 1893 /* 1894 * Some callers of crget(), such as nfs_statfs(), 1895 * allocate a temporary credential, but don't 1896 * allocate a uidinfo structure. 1897 */ 1898 if (cr->cr_uidinfo != NULL) 1899 uifree(cr->cr_uidinfo); 1900 if (cr->cr_ruidinfo != NULL) 1901 uifree(cr->cr_ruidinfo); 1902 /* 1903 * Free a prison, if any. 1904 */ 1905 if (jailed(cr)) 1906 prison_free(cr->cr_prison); 1907 #ifdef MAC 1908 mac_destroy_cred(cr); 1909 #endif 1910 FREE(cr, M_CRED); 1911 } 1912 } 1913 1914 /* 1915 * Check to see if this ucred is shared. 1916 * MPSAFE 1917 */ 1918 int 1919 crshared(struct ucred *cr) 1920 { 1921 1922 return (cr->cr_ref > 1); 1923 } 1924 1925 /* 1926 * Copy a ucred's contents from a template. Does not block. 1927 * MPSAFE 1928 */ 1929 void 1930 crcopy(struct ucred *dest, struct ucred *src) 1931 { 1932 1933 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1934 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1935 (unsigned)((caddr_t)&src->cr_endcopy - 1936 (caddr_t)&src->cr_startcopy)); 1937 uihold(dest->cr_uidinfo); 1938 uihold(dest->cr_ruidinfo); 1939 if (jailed(dest)) 1940 prison_hold(dest->cr_prison); 1941 #ifdef MAC 1942 mac_copy_cred(src, dest); 1943 #endif 1944 } 1945 1946 /* 1947 * Dup cred struct to a new held one. 1948 * MPSAFE 1949 */ 1950 struct ucred * 1951 crdup(struct ucred *cr) 1952 { 1953 struct ucred *newcr; 1954 1955 newcr = crget(); 1956 crcopy(newcr, cr); 1957 return (newcr); 1958 } 1959 1960 /* 1961 * Fill in a struct xucred based on a struct ucred. 1962 * MPSAFE 1963 */ 1964 void 1965 cru2x(struct ucred *cr, struct xucred *xcr) 1966 { 1967 1968 bzero(xcr, sizeof(*xcr)); 1969 xcr->cr_version = XUCRED_VERSION; 1970 xcr->cr_uid = cr->cr_uid; 1971 xcr->cr_ngroups = cr->cr_ngroups; 1972 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1973 } 1974 1975 /* 1976 * small routine to swap a thread's current ucred for the correct one 1977 * taken from the process. 1978 * MPSAFE 1979 */ 1980 void 1981 cred_update_thread(struct thread *td) 1982 { 1983 struct proc *p; 1984 struct ucred *cred; 1985 1986 p = td->td_proc; 1987 cred = td->td_ucred; 1988 PROC_LOCK(p); 1989 td->td_ucred = crhold(p->p_ucred); 1990 PROC_UNLOCK(p); 1991 if (cred != NULL) 1992 crfree(cred); 1993 } 1994 1995 /* 1996 * Get login name, if available. 1997 */ 1998 #ifndef _SYS_SYSPROTO_H_ 1999 struct getlogin_args { 2000 char *namebuf; 2001 u_int namelen; 2002 }; 2003 #endif 2004 /* 2005 * MPSAFE 2006 */ 2007 /* ARGSUSED */ 2008 int 2009 getlogin(struct thread *td, struct getlogin_args *uap) 2010 { 2011 int error; 2012 char login[MAXLOGNAME]; 2013 struct proc *p = td->td_proc; 2014 2015 if (uap->namelen > MAXLOGNAME) 2016 uap->namelen = MAXLOGNAME; 2017 PROC_LOCK(p); 2018 SESS_LOCK(p->p_session); 2019 bcopy(p->p_session->s_login, login, uap->namelen); 2020 SESS_UNLOCK(p->p_session); 2021 PROC_UNLOCK(p); 2022 error = copyout(login, uap->namebuf, uap->namelen); 2023 return(error); 2024 } 2025 2026 /* 2027 * Set login name. 2028 */ 2029 #ifndef _SYS_SYSPROTO_H_ 2030 struct setlogin_args { 2031 char *namebuf; 2032 }; 2033 #endif 2034 /* 2035 * MPSAFE 2036 */ 2037 /* ARGSUSED */ 2038 int 2039 setlogin(struct thread *td, struct setlogin_args *uap) 2040 { 2041 struct proc *p = td->td_proc; 2042 int error; 2043 char logintmp[MAXLOGNAME]; 2044 2045 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 2046 if (error) 2047 return (error); 2048 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2049 if (error == ENAMETOOLONG) 2050 error = EINVAL; 2051 else if (!error) { 2052 PROC_LOCK(p); 2053 SESS_LOCK(p->p_session); 2054 (void) memcpy(p->p_session->s_login, logintmp, 2055 sizeof(logintmp)); 2056 SESS_UNLOCK(p->p_session); 2057 PROC_UNLOCK(p); 2058 } 2059 return (error); 2060 } 2061 2062 void 2063 setsugid(struct proc *p) 2064 { 2065 2066 PROC_LOCK_ASSERT(p, MA_OWNED); 2067 p->p_flag |= P_SUGID; 2068 if (!(p->p_pfsflags & PF_ISUGID)) 2069 p->p_stops = 0; 2070 } 2071 2072 /*- 2073 * Change a process's effective uid. 2074 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2075 * References: newcred must be an exclusive credential reference for the 2076 * duration of the call. 2077 */ 2078 void 2079 change_euid(struct ucred *newcred, struct uidinfo *euip) 2080 { 2081 2082 newcred->cr_uid = euip->ui_uid; 2083 uihold(euip); 2084 uifree(newcred->cr_uidinfo); 2085 newcred->cr_uidinfo = euip; 2086 } 2087 2088 /*- 2089 * Change a process's effective gid. 2090 * Side effects: newcred->cr_gid will be modified. 2091 * References: newcred must be an exclusive credential reference for the 2092 * duration of the call. 2093 */ 2094 void 2095 change_egid(struct ucred *newcred, gid_t egid) 2096 { 2097 2098 newcred->cr_groups[0] = egid; 2099 } 2100 2101 /*- 2102 * Change a process's real uid. 2103 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2104 * will be updated, and the old and new cr_ruidinfo proc 2105 * counts will be updated. 2106 * References: newcred must be an exclusive credential reference for the 2107 * duration of the call. 2108 */ 2109 void 2110 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2111 { 2112 2113 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2114 newcred->cr_ruid = ruip->ui_uid; 2115 uihold(ruip); 2116 uifree(newcred->cr_ruidinfo); 2117 newcred->cr_ruidinfo = ruip; 2118 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2119 } 2120 2121 /*- 2122 * Change a process's real gid. 2123 * Side effects: newcred->cr_rgid will be updated. 2124 * References: newcred must be an exclusive credential reference for the 2125 * duration of the call. 2126 */ 2127 void 2128 change_rgid(struct ucred *newcred, gid_t rgid) 2129 { 2130 2131 newcred->cr_rgid = rgid; 2132 } 2133 2134 /*- 2135 * Change a process's saved uid. 2136 * Side effects: newcred->cr_svuid will be updated. 2137 * References: newcred must be an exclusive credential reference for the 2138 * duration of the call. 2139 */ 2140 void 2141 change_svuid(struct ucred *newcred, uid_t svuid) 2142 { 2143 2144 newcred->cr_svuid = svuid; 2145 } 2146 2147 /*- 2148 * Change a process's saved gid. 2149 * Side effects: newcred->cr_svgid will be updated. 2150 * References: newcred must be an exclusive credential reference for the 2151 * duration of the call. 2152 */ 2153 void 2154 change_svgid(struct ucred *newcred, gid_t svgid) 2155 { 2156 2157 newcred->cr_svgid = svgid; 2158 } 2159