1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/cdefs.h> 43 __FBSDID("$FreeBSD$"); 44 45 #include "opt_compat.h" 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/acct.h> 51 #include <sys/kdb.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/mac.h> 55 #include <sys/malloc.h> 56 #include <sys/mutex.h> 57 #include <sys/refcount.h> 58 #include <sys/sx.h> 59 #include <sys/proc.h> 60 #include <sys/sysproto.h> 61 #include <sys/jail.h> 62 #include <sys/pioctl.h> 63 #include <sys/resourcevar.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/syscallsubr.h> 67 #include <sys/sysctl.h> 68 69 #include <security/audit/audit.h> 70 71 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 72 73 SYSCTL_DECL(_security); 74 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 75 "BSD security policy"); 76 77 #ifndef _SYS_SYSPROTO_H_ 78 struct getpid_args { 79 int dummy; 80 }; 81 #endif 82 /* 83 * MPSAFE 84 */ 85 /* ARGSUSED */ 86 int 87 getpid(struct thread *td, struct getpid_args *uap) 88 { 89 struct proc *p = td->td_proc; 90 91 td->td_retval[0] = p->p_pid; 92 #if defined(COMPAT_43) 93 PROC_LOCK(p); 94 td->td_retval[1] = p->p_pptr->p_pid; 95 PROC_UNLOCK(p); 96 #endif 97 return (0); 98 } 99 100 #ifndef _SYS_SYSPROTO_H_ 101 struct getppid_args { 102 int dummy; 103 }; 104 #endif 105 /* 106 * MPSAFE 107 */ 108 /* ARGSUSED */ 109 int 110 getppid(struct thread *td, struct getppid_args *uap) 111 { 112 struct proc *p = td->td_proc; 113 114 PROC_LOCK(p); 115 td->td_retval[0] = p->p_pptr->p_pid; 116 PROC_UNLOCK(p); 117 return (0); 118 } 119 120 /* 121 * Get process group ID; note that POSIX getpgrp takes no parameter. 122 */ 123 #ifndef _SYS_SYSPROTO_H_ 124 struct getpgrp_args { 125 int dummy; 126 }; 127 #endif 128 /* 129 * MPSAFE 130 */ 131 int 132 getpgrp(struct thread *td, struct getpgrp_args *uap) 133 { 134 struct proc *p = td->td_proc; 135 136 PROC_LOCK(p); 137 td->td_retval[0] = p->p_pgrp->pg_id; 138 PROC_UNLOCK(p); 139 return (0); 140 } 141 142 /* Get an arbitary pid's process group id */ 143 #ifndef _SYS_SYSPROTO_H_ 144 struct getpgid_args { 145 pid_t pid; 146 }; 147 #endif 148 /* 149 * MPSAFE 150 */ 151 int 152 getpgid(struct thread *td, struct getpgid_args *uap) 153 { 154 struct proc *p; 155 int error; 156 157 if (uap->pid == 0) { 158 p = td->td_proc; 159 PROC_LOCK(p); 160 } else { 161 p = pfind(uap->pid); 162 if (p == NULL) 163 return (ESRCH); 164 error = p_cansee(td, p); 165 if (error) { 166 PROC_UNLOCK(p); 167 return (error); 168 } 169 } 170 td->td_retval[0] = p->p_pgrp->pg_id; 171 PROC_UNLOCK(p); 172 return (0); 173 } 174 175 /* 176 * Get an arbitary pid's session id. 177 */ 178 #ifndef _SYS_SYSPROTO_H_ 179 struct getsid_args { 180 pid_t pid; 181 }; 182 #endif 183 /* 184 * MPSAFE 185 */ 186 int 187 getsid(struct thread *td, struct getsid_args *uap) 188 { 189 struct proc *p; 190 int error; 191 192 if (uap->pid == 0) { 193 p = td->td_proc; 194 PROC_LOCK(p); 195 } else { 196 p = pfind(uap->pid); 197 if (p == NULL) 198 return (ESRCH); 199 error = p_cansee(td, p); 200 if (error) { 201 PROC_UNLOCK(p); 202 return (error); 203 } 204 } 205 td->td_retval[0] = p->p_session->s_sid; 206 PROC_UNLOCK(p); 207 return (0); 208 } 209 210 #ifndef _SYS_SYSPROTO_H_ 211 struct getuid_args { 212 int dummy; 213 }; 214 #endif 215 /* 216 * MPSAFE 217 */ 218 /* ARGSUSED */ 219 int 220 getuid(struct thread *td, struct getuid_args *uap) 221 { 222 223 td->td_retval[0] = td->td_ucred->cr_ruid; 224 #if defined(COMPAT_43) 225 td->td_retval[1] = td->td_ucred->cr_uid; 226 #endif 227 return (0); 228 } 229 230 #ifndef _SYS_SYSPROTO_H_ 231 struct geteuid_args { 232 int dummy; 233 }; 234 #endif 235 /* 236 * MPSAFE 237 */ 238 /* ARGSUSED */ 239 int 240 geteuid(struct thread *td, struct geteuid_args *uap) 241 { 242 243 td->td_retval[0] = td->td_ucred->cr_uid; 244 return (0); 245 } 246 247 #ifndef _SYS_SYSPROTO_H_ 248 struct getgid_args { 249 int dummy; 250 }; 251 #endif 252 /* 253 * MPSAFE 254 */ 255 /* ARGSUSED */ 256 int 257 getgid(struct thread *td, struct getgid_args *uap) 258 { 259 260 td->td_retval[0] = td->td_ucred->cr_rgid; 261 #if defined(COMPAT_43) 262 td->td_retval[1] = td->td_ucred->cr_groups[0]; 263 #endif 264 return (0); 265 } 266 267 /* 268 * Get effective group ID. The "egid" is groups[0], and could be obtained 269 * via getgroups. This syscall exists because it is somewhat painful to do 270 * correctly in a library function. 271 */ 272 #ifndef _SYS_SYSPROTO_H_ 273 struct getegid_args { 274 int dummy; 275 }; 276 #endif 277 /* 278 * MPSAFE 279 */ 280 /* ARGSUSED */ 281 int 282 getegid(struct thread *td, struct getegid_args *uap) 283 { 284 285 td->td_retval[0] = td->td_ucred->cr_groups[0]; 286 return (0); 287 } 288 289 #ifndef _SYS_SYSPROTO_H_ 290 struct getgroups_args { 291 u_int gidsetsize; 292 gid_t *gidset; 293 }; 294 #endif 295 /* 296 * MPSAFE 297 */ 298 int 299 getgroups(struct thread *td, register struct getgroups_args *uap) 300 { 301 gid_t groups[NGROUPS]; 302 u_int ngrp; 303 int error; 304 305 ngrp = MIN(uap->gidsetsize, NGROUPS); 306 error = kern_getgroups(td, &ngrp, groups); 307 if (error) 308 return (error); 309 if (uap->gidsetsize > 0) 310 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 311 if (error == 0) 312 td->td_retval[0] = ngrp; 313 return (error); 314 } 315 316 int 317 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 318 { 319 struct ucred *cred; 320 321 cred = td->td_ucred; 322 if (*ngrp == 0) { 323 *ngrp = cred->cr_ngroups; 324 return (0); 325 } 326 if (*ngrp < cred->cr_ngroups) 327 return (EINVAL); 328 *ngrp = cred->cr_ngroups; 329 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 330 return (0); 331 } 332 333 #ifndef _SYS_SYSPROTO_H_ 334 struct setsid_args { 335 int dummy; 336 }; 337 #endif 338 /* 339 * MPSAFE 340 */ 341 /* ARGSUSED */ 342 int 343 setsid(register struct thread *td, struct setsid_args *uap) 344 { 345 struct pgrp *pgrp; 346 int error; 347 struct proc *p = td->td_proc; 348 struct pgrp *newpgrp; 349 struct session *newsess; 350 351 error = 0; 352 pgrp = NULL; 353 354 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 355 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 356 357 sx_xlock(&proctree_lock); 358 359 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 360 if (pgrp != NULL) 361 PGRP_UNLOCK(pgrp); 362 error = EPERM; 363 } else { 364 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 365 td->td_retval[0] = p->p_pid; 366 newpgrp = NULL; 367 newsess = NULL; 368 } 369 370 sx_xunlock(&proctree_lock); 371 372 if (newpgrp != NULL) 373 FREE(newpgrp, M_PGRP); 374 if (newsess != NULL) 375 FREE(newsess, M_SESSION); 376 377 return (error); 378 } 379 380 /* 381 * set process group (setpgid/old setpgrp) 382 * 383 * caller does setpgid(targpid, targpgid) 384 * 385 * pid must be caller or child of caller (ESRCH) 386 * if a child 387 * pid must be in same session (EPERM) 388 * pid can't have done an exec (EACCES) 389 * if pgid != pid 390 * there must exist some pid in same session having pgid (EPERM) 391 * pid must not be session leader (EPERM) 392 */ 393 #ifndef _SYS_SYSPROTO_H_ 394 struct setpgid_args { 395 int pid; /* target process id */ 396 int pgid; /* target pgrp id */ 397 }; 398 #endif 399 /* 400 * MPSAFE 401 */ 402 /* ARGSUSED */ 403 int 404 setpgid(struct thread *td, register struct setpgid_args *uap) 405 { 406 struct proc *curp = td->td_proc; 407 register struct proc *targp; /* target process */ 408 register struct pgrp *pgrp; /* target pgrp */ 409 int error; 410 struct pgrp *newpgrp; 411 412 if (uap->pgid < 0) 413 return (EINVAL); 414 415 error = 0; 416 417 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 418 419 sx_xlock(&proctree_lock); 420 if (uap->pid != 0 && uap->pid != curp->p_pid) { 421 if ((targp = pfind(uap->pid)) == NULL) { 422 error = ESRCH; 423 goto done; 424 } 425 if (!inferior(targp)) { 426 PROC_UNLOCK(targp); 427 error = ESRCH; 428 goto done; 429 } 430 if ((error = p_cansee(td, targp))) { 431 PROC_UNLOCK(targp); 432 goto done; 433 } 434 if (targp->p_pgrp == NULL || 435 targp->p_session != curp->p_session) { 436 PROC_UNLOCK(targp); 437 error = EPERM; 438 goto done; 439 } 440 if (targp->p_flag & P_EXEC) { 441 PROC_UNLOCK(targp); 442 error = EACCES; 443 goto done; 444 } 445 PROC_UNLOCK(targp); 446 } else 447 targp = curp; 448 if (SESS_LEADER(targp)) { 449 error = EPERM; 450 goto done; 451 } 452 if (uap->pgid == 0) 453 uap->pgid = targp->p_pid; 454 if ((pgrp = pgfind(uap->pgid)) == NULL) { 455 if (uap->pgid == targp->p_pid) { 456 error = enterpgrp(targp, uap->pgid, newpgrp, 457 NULL); 458 if (error == 0) 459 newpgrp = NULL; 460 } else 461 error = EPERM; 462 } else { 463 if (pgrp == targp->p_pgrp) { 464 PGRP_UNLOCK(pgrp); 465 goto done; 466 } 467 if (pgrp->pg_id != targp->p_pid && 468 pgrp->pg_session != curp->p_session) { 469 PGRP_UNLOCK(pgrp); 470 error = EPERM; 471 goto done; 472 } 473 PGRP_UNLOCK(pgrp); 474 error = enterthispgrp(targp, pgrp); 475 } 476 done: 477 sx_xunlock(&proctree_lock); 478 KASSERT((error == 0) || (newpgrp != NULL), 479 ("setpgid failed and newpgrp is NULL")); 480 if (newpgrp != NULL) 481 FREE(newpgrp, M_PGRP); 482 return (error); 483 } 484 485 /* 486 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 487 * compatible. It says that setting the uid/gid to euid/egid is a special 488 * case of "appropriate privilege". Once the rules are expanded out, this 489 * basically means that setuid(nnn) sets all three id's, in all permitted 490 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 491 * does not set the saved id - this is dangerous for traditional BSD 492 * programs. For this reason, we *really* do not want to set 493 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 494 */ 495 #define POSIX_APPENDIX_B_4_2_2 496 497 #ifndef _SYS_SYSPROTO_H_ 498 struct setuid_args { 499 uid_t uid; 500 }; 501 #endif 502 /* 503 * MPSAFE 504 */ 505 /* ARGSUSED */ 506 int 507 setuid(struct thread *td, struct setuid_args *uap) 508 { 509 struct proc *p = td->td_proc; 510 struct ucred *newcred, *oldcred; 511 uid_t uid; 512 struct uidinfo *uip; 513 int error; 514 515 uid = uap->uid; 516 AUDIT_ARG(uid, uid); 517 newcred = crget(); 518 uip = uifind(uid); 519 PROC_LOCK(p); 520 oldcred = p->p_ucred; 521 522 #ifdef MAC 523 error = mac_check_proc_setuid(p, oldcred, uid); 524 if (error) 525 goto fail; 526 #endif 527 528 /* 529 * See if we have "permission" by POSIX 1003.1 rules. 530 * 531 * Note that setuid(geteuid()) is a special case of 532 * "appropriate privileges" in appendix B.4.2.2. We need 533 * to use this clause to be compatible with traditional BSD 534 * semantics. Basically, it means that "setuid(xx)" sets all 535 * three id's (assuming you have privs). 536 * 537 * Notes on the logic. We do things in three steps. 538 * 1: We determine if the euid is going to change, and do EPERM 539 * right away. We unconditionally change the euid later if this 540 * test is satisfied, simplifying that part of the logic. 541 * 2: We determine if the real and/or saved uids are going to 542 * change. Determined by compile options. 543 * 3: Change euid last. (after tests in #2 for "appropriate privs") 544 */ 545 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 546 #ifdef _POSIX_SAVED_IDS 547 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 548 #endif 549 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 550 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 551 #endif 552 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 553 goto fail; 554 555 /* 556 * Copy credentials so other references do not see our changes. 557 */ 558 crcopy(newcred, oldcred); 559 #ifdef _POSIX_SAVED_IDS 560 /* 561 * Do we have "appropriate privileges" (are we root or uid == euid) 562 * If so, we are changing the real uid and/or saved uid. 563 */ 564 if ( 565 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 566 uid == oldcred->cr_uid || 567 #endif 568 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ 569 #endif 570 { 571 /* 572 * Set the real uid and transfer proc count to new user. 573 */ 574 if (uid != oldcred->cr_ruid) { 575 change_ruid(newcred, uip); 576 setsugid(p); 577 } 578 /* 579 * Set saved uid 580 * 581 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 582 * the security of seteuid() depends on it. B.4.2.2 says it 583 * is important that we should do this. 584 */ 585 if (uid != oldcred->cr_svuid) { 586 change_svuid(newcred, uid); 587 setsugid(p); 588 } 589 } 590 591 /* 592 * In all permitted cases, we are changing the euid. 593 */ 594 if (uid != oldcred->cr_uid) { 595 change_euid(newcred, uip); 596 setsugid(p); 597 } 598 p->p_ucred = newcred; 599 PROC_UNLOCK(p); 600 uifree(uip); 601 crfree(oldcred); 602 return (0); 603 604 fail: 605 PROC_UNLOCK(p); 606 uifree(uip); 607 crfree(newcred); 608 return (error); 609 } 610 611 #ifndef _SYS_SYSPROTO_H_ 612 struct seteuid_args { 613 uid_t euid; 614 }; 615 #endif 616 /* 617 * MPSAFE 618 */ 619 /* ARGSUSED */ 620 int 621 seteuid(struct thread *td, struct seteuid_args *uap) 622 { 623 struct proc *p = td->td_proc; 624 struct ucred *newcred, *oldcred; 625 uid_t euid; 626 struct uidinfo *euip; 627 int error; 628 629 euid = uap->euid; 630 AUDIT_ARG(euid, euid); 631 newcred = crget(); 632 euip = uifind(euid); 633 PROC_LOCK(p); 634 oldcred = p->p_ucred; 635 636 #ifdef MAC 637 error = mac_check_proc_seteuid(p, oldcred, euid); 638 if (error) 639 goto fail; 640 #endif 641 642 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 643 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 644 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 645 goto fail; 646 647 /* 648 * Everything's okay, do it. Copy credentials so other references do 649 * not see our changes. 650 */ 651 crcopy(newcred, oldcred); 652 if (oldcred->cr_uid != euid) { 653 change_euid(newcred, euip); 654 setsugid(p); 655 } 656 p->p_ucred = newcred; 657 PROC_UNLOCK(p); 658 uifree(euip); 659 crfree(oldcred); 660 return (0); 661 662 fail: 663 PROC_UNLOCK(p); 664 uifree(euip); 665 crfree(newcred); 666 return (error); 667 } 668 669 #ifndef _SYS_SYSPROTO_H_ 670 struct setgid_args { 671 gid_t gid; 672 }; 673 #endif 674 /* 675 * MPSAFE 676 */ 677 /* ARGSUSED */ 678 int 679 setgid(struct thread *td, struct setgid_args *uap) 680 { 681 struct proc *p = td->td_proc; 682 struct ucred *newcred, *oldcred; 683 gid_t gid; 684 int error; 685 686 gid = uap->gid; 687 AUDIT_ARG(gid, gid); 688 newcred = crget(); 689 PROC_LOCK(p); 690 oldcred = p->p_ucred; 691 692 #ifdef MAC 693 error = mac_check_proc_setgid(p, oldcred, gid); 694 if (error) 695 goto fail; 696 #endif 697 698 /* 699 * See if we have "permission" by POSIX 1003.1 rules. 700 * 701 * Note that setgid(getegid()) is a special case of 702 * "appropriate privileges" in appendix B.4.2.2. We need 703 * to use this clause to be compatible with traditional BSD 704 * semantics. Basically, it means that "setgid(xx)" sets all 705 * three id's (assuming you have privs). 706 * 707 * For notes on the logic here, see setuid() above. 708 */ 709 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 710 #ifdef _POSIX_SAVED_IDS 711 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 712 #endif 713 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 714 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 715 #endif 716 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 717 goto fail; 718 719 crcopy(newcred, oldcred); 720 #ifdef _POSIX_SAVED_IDS 721 /* 722 * Do we have "appropriate privileges" (are we root or gid == egid) 723 * If so, we are changing the real uid and saved gid. 724 */ 725 if ( 726 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 727 gid == oldcred->cr_groups[0] || 728 #endif 729 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ 730 #endif 731 { 732 /* 733 * Set real gid 734 */ 735 if (oldcred->cr_rgid != gid) { 736 change_rgid(newcred, gid); 737 setsugid(p); 738 } 739 /* 740 * Set saved gid 741 * 742 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 743 * the security of setegid() depends on it. B.4.2.2 says it 744 * is important that we should do this. 745 */ 746 if (oldcred->cr_svgid != gid) { 747 change_svgid(newcred, gid); 748 setsugid(p); 749 } 750 } 751 /* 752 * In all cases permitted cases, we are changing the egid. 753 * Copy credentials so other references do not see our changes. 754 */ 755 if (oldcred->cr_groups[0] != gid) { 756 change_egid(newcred, gid); 757 setsugid(p); 758 } 759 p->p_ucred = newcred; 760 PROC_UNLOCK(p); 761 crfree(oldcred); 762 return (0); 763 764 fail: 765 PROC_UNLOCK(p); 766 crfree(newcred); 767 return (error); 768 } 769 770 #ifndef _SYS_SYSPROTO_H_ 771 struct setegid_args { 772 gid_t egid; 773 }; 774 #endif 775 /* 776 * MPSAFE 777 */ 778 /* ARGSUSED */ 779 int 780 setegid(struct thread *td, struct setegid_args *uap) 781 { 782 struct proc *p = td->td_proc; 783 struct ucred *newcred, *oldcred; 784 gid_t egid; 785 int error; 786 787 egid = uap->egid; 788 AUDIT_ARG(egid, egid); 789 newcred = crget(); 790 PROC_LOCK(p); 791 oldcred = p->p_ucred; 792 793 #ifdef MAC 794 error = mac_check_proc_setegid(p, oldcred, egid); 795 if (error) 796 goto fail; 797 #endif 798 799 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 800 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 801 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 802 goto fail; 803 804 crcopy(newcred, oldcred); 805 if (oldcred->cr_groups[0] != egid) { 806 change_egid(newcred, egid); 807 setsugid(p); 808 } 809 p->p_ucred = newcred; 810 PROC_UNLOCK(p); 811 crfree(oldcred); 812 return (0); 813 814 fail: 815 PROC_UNLOCK(p); 816 crfree(newcred); 817 return (error); 818 } 819 820 #ifndef _SYS_SYSPROTO_H_ 821 struct setgroups_args { 822 u_int gidsetsize; 823 gid_t *gidset; 824 }; 825 #endif 826 /* 827 * MPSAFE 828 */ 829 /* ARGSUSED */ 830 int 831 setgroups(struct thread *td, struct setgroups_args *uap) 832 { 833 gid_t groups[NGROUPS]; 834 int error; 835 836 if (uap->gidsetsize > NGROUPS) 837 return (EINVAL); 838 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 839 if (error) 840 return (error); 841 return (kern_setgroups(td, uap->gidsetsize, groups)); 842 } 843 844 int 845 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 846 { 847 struct proc *p = td->td_proc; 848 struct ucred *newcred, *oldcred; 849 int error; 850 851 if (ngrp > NGROUPS) 852 return (EINVAL); 853 AUDIT_ARG(groupset, groups, ngrp); 854 newcred = crget(); 855 PROC_LOCK(p); 856 oldcred = p->p_ucred; 857 858 #ifdef MAC 859 error = mac_check_proc_setgroups(p, oldcred, ngrp, groups); 860 if (error) 861 goto fail; 862 #endif 863 864 error = suser_cred(oldcred, SUSER_ALLOWJAIL); 865 if (error) 866 goto fail; 867 868 /* 869 * XXX A little bit lazy here. We could test if anything has 870 * changed before crcopy() and setting P_SUGID. 871 */ 872 crcopy(newcred, oldcred); 873 if (ngrp < 1) { 874 /* 875 * setgroups(0, NULL) is a legitimate way of clearing the 876 * groups vector on non-BSD systems (which generally do not 877 * have the egid in the groups[0]). We risk security holes 878 * when running non-BSD software if we do not do the same. 879 */ 880 newcred->cr_ngroups = 1; 881 } else { 882 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 883 newcred->cr_ngroups = ngrp; 884 } 885 setsugid(p); 886 p->p_ucred = newcred; 887 PROC_UNLOCK(p); 888 crfree(oldcred); 889 return (0); 890 891 fail: 892 PROC_UNLOCK(p); 893 crfree(newcred); 894 return (error); 895 } 896 897 #ifndef _SYS_SYSPROTO_H_ 898 struct setreuid_args { 899 uid_t ruid; 900 uid_t euid; 901 }; 902 #endif 903 /* 904 * MPSAFE 905 */ 906 /* ARGSUSED */ 907 int 908 setreuid(register struct thread *td, struct setreuid_args *uap) 909 { 910 struct proc *p = td->td_proc; 911 struct ucred *newcred, *oldcred; 912 uid_t euid, ruid; 913 struct uidinfo *euip, *ruip; 914 int error; 915 916 euid = uap->euid; 917 ruid = uap->ruid; 918 AUDIT_ARG(euid, euid); 919 AUDIT_ARG(ruid, ruid); 920 newcred = crget(); 921 euip = uifind(euid); 922 ruip = uifind(ruid); 923 PROC_LOCK(p); 924 oldcred = p->p_ucred; 925 926 #ifdef MAC 927 error = mac_check_proc_setreuid(p, oldcred, ruid, euid); 928 if (error) 929 goto fail; 930 #endif 931 932 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 933 ruid != oldcred->cr_svuid) || 934 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 935 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 936 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 937 goto fail; 938 939 crcopy(newcred, oldcred); 940 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 941 change_euid(newcred, euip); 942 setsugid(p); 943 } 944 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 945 change_ruid(newcred, ruip); 946 setsugid(p); 947 } 948 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 949 newcred->cr_svuid != newcred->cr_uid) { 950 change_svuid(newcred, newcred->cr_uid); 951 setsugid(p); 952 } 953 p->p_ucred = newcred; 954 PROC_UNLOCK(p); 955 uifree(ruip); 956 uifree(euip); 957 crfree(oldcred); 958 return (0); 959 960 fail: 961 PROC_UNLOCK(p); 962 uifree(ruip); 963 uifree(euip); 964 crfree(newcred); 965 return (error); 966 } 967 968 #ifndef _SYS_SYSPROTO_H_ 969 struct setregid_args { 970 gid_t rgid; 971 gid_t egid; 972 }; 973 #endif 974 /* 975 * MPSAFE 976 */ 977 /* ARGSUSED */ 978 int 979 setregid(register struct thread *td, struct setregid_args *uap) 980 { 981 struct proc *p = td->td_proc; 982 struct ucred *newcred, *oldcred; 983 gid_t egid, rgid; 984 int error; 985 986 egid = uap->egid; 987 rgid = uap->rgid; 988 AUDIT_ARG(egid, egid); 989 AUDIT_ARG(rgid, rgid); 990 newcred = crget(); 991 PROC_LOCK(p); 992 oldcred = p->p_ucred; 993 994 #ifdef MAC 995 error = mac_check_proc_setregid(p, oldcred, rgid, egid); 996 if (error) 997 goto fail; 998 #endif 999 1000 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1001 rgid != oldcred->cr_svgid) || 1002 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 1003 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1004 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1005 goto fail; 1006 1007 crcopy(newcred, oldcred); 1008 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1009 change_egid(newcred, egid); 1010 setsugid(p); 1011 } 1012 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1013 change_rgid(newcred, rgid); 1014 setsugid(p); 1015 } 1016 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1017 newcred->cr_svgid != newcred->cr_groups[0]) { 1018 change_svgid(newcred, newcred->cr_groups[0]); 1019 setsugid(p); 1020 } 1021 p->p_ucred = newcred; 1022 PROC_UNLOCK(p); 1023 crfree(oldcred); 1024 return (0); 1025 1026 fail: 1027 PROC_UNLOCK(p); 1028 crfree(newcred); 1029 return (error); 1030 } 1031 1032 /* 1033 * setresuid(ruid, euid, suid) is like setreuid except control over the 1034 * saved uid is explicit. 1035 */ 1036 1037 #ifndef _SYS_SYSPROTO_H_ 1038 struct setresuid_args { 1039 uid_t ruid; 1040 uid_t euid; 1041 uid_t suid; 1042 }; 1043 #endif 1044 /* 1045 * MPSAFE 1046 */ 1047 /* ARGSUSED */ 1048 int 1049 setresuid(register struct thread *td, struct setresuid_args *uap) 1050 { 1051 struct proc *p = td->td_proc; 1052 struct ucred *newcred, *oldcred; 1053 uid_t euid, ruid, suid; 1054 struct uidinfo *euip, *ruip; 1055 int error; 1056 1057 euid = uap->euid; 1058 ruid = uap->ruid; 1059 suid = uap->suid; 1060 AUDIT_ARG(euid, euid); 1061 AUDIT_ARG(ruid, ruid); 1062 AUDIT_ARG(suid, suid); 1063 newcred = crget(); 1064 euip = uifind(euid); 1065 ruip = uifind(ruid); 1066 PROC_LOCK(p); 1067 oldcred = p->p_ucred; 1068 1069 #ifdef MAC 1070 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); 1071 if (error) 1072 goto fail; 1073 #endif 1074 1075 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1076 ruid != oldcred->cr_svuid && 1077 ruid != oldcred->cr_uid) || 1078 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1079 euid != oldcred->cr_svuid && 1080 euid != oldcred->cr_uid) || 1081 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1082 suid != oldcred->cr_svuid && 1083 suid != oldcred->cr_uid)) && 1084 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1085 goto fail; 1086 1087 crcopy(newcred, oldcred); 1088 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1089 change_euid(newcred, euip); 1090 setsugid(p); 1091 } 1092 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1093 change_ruid(newcred, ruip); 1094 setsugid(p); 1095 } 1096 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1097 change_svuid(newcred, suid); 1098 setsugid(p); 1099 } 1100 p->p_ucred = newcred; 1101 PROC_UNLOCK(p); 1102 uifree(ruip); 1103 uifree(euip); 1104 crfree(oldcred); 1105 return (0); 1106 1107 fail: 1108 PROC_UNLOCK(p); 1109 uifree(ruip); 1110 uifree(euip); 1111 crfree(newcred); 1112 return (error); 1113 1114 } 1115 1116 /* 1117 * setresgid(rgid, egid, sgid) is like setregid except control over the 1118 * saved gid is explicit. 1119 */ 1120 1121 #ifndef _SYS_SYSPROTO_H_ 1122 struct setresgid_args { 1123 gid_t rgid; 1124 gid_t egid; 1125 gid_t sgid; 1126 }; 1127 #endif 1128 /* 1129 * MPSAFE 1130 */ 1131 /* ARGSUSED */ 1132 int 1133 setresgid(register struct thread *td, struct setresgid_args *uap) 1134 { 1135 struct proc *p = td->td_proc; 1136 struct ucred *newcred, *oldcred; 1137 gid_t egid, rgid, sgid; 1138 int error; 1139 1140 egid = uap->egid; 1141 rgid = uap->rgid; 1142 sgid = uap->sgid; 1143 AUDIT_ARG(egid, egid); 1144 AUDIT_ARG(rgid, rgid); 1145 AUDIT_ARG(sgid, sgid); 1146 newcred = crget(); 1147 PROC_LOCK(p); 1148 oldcred = p->p_ucred; 1149 1150 #ifdef MAC 1151 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); 1152 if (error) 1153 goto fail; 1154 #endif 1155 1156 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1157 rgid != oldcred->cr_svgid && 1158 rgid != oldcred->cr_groups[0]) || 1159 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1160 egid != oldcred->cr_svgid && 1161 egid != oldcred->cr_groups[0]) || 1162 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1163 sgid != oldcred->cr_svgid && 1164 sgid != oldcred->cr_groups[0])) && 1165 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) 1166 goto fail; 1167 1168 crcopy(newcred, oldcred); 1169 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1170 change_egid(newcred, egid); 1171 setsugid(p); 1172 } 1173 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1174 change_rgid(newcred, rgid); 1175 setsugid(p); 1176 } 1177 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1178 change_svgid(newcred, sgid); 1179 setsugid(p); 1180 } 1181 p->p_ucred = newcred; 1182 PROC_UNLOCK(p); 1183 crfree(oldcred); 1184 return (0); 1185 1186 fail: 1187 PROC_UNLOCK(p); 1188 crfree(newcred); 1189 return (error); 1190 } 1191 1192 #ifndef _SYS_SYSPROTO_H_ 1193 struct getresuid_args { 1194 uid_t *ruid; 1195 uid_t *euid; 1196 uid_t *suid; 1197 }; 1198 #endif 1199 /* 1200 * MPSAFE 1201 */ 1202 /* ARGSUSED */ 1203 int 1204 getresuid(register struct thread *td, struct getresuid_args *uap) 1205 { 1206 struct ucred *cred; 1207 int error1 = 0, error2 = 0, error3 = 0; 1208 1209 cred = td->td_ucred; 1210 if (uap->ruid) 1211 error1 = copyout(&cred->cr_ruid, 1212 uap->ruid, sizeof(cred->cr_ruid)); 1213 if (uap->euid) 1214 error2 = copyout(&cred->cr_uid, 1215 uap->euid, sizeof(cred->cr_uid)); 1216 if (uap->suid) 1217 error3 = copyout(&cred->cr_svuid, 1218 uap->suid, sizeof(cred->cr_svuid)); 1219 return (error1 ? error1 : error2 ? error2 : error3); 1220 } 1221 1222 #ifndef _SYS_SYSPROTO_H_ 1223 struct getresgid_args { 1224 gid_t *rgid; 1225 gid_t *egid; 1226 gid_t *sgid; 1227 }; 1228 #endif 1229 /* 1230 * MPSAFE 1231 */ 1232 /* ARGSUSED */ 1233 int 1234 getresgid(register struct thread *td, struct getresgid_args *uap) 1235 { 1236 struct ucred *cred; 1237 int error1 = 0, error2 = 0, error3 = 0; 1238 1239 cred = td->td_ucred; 1240 if (uap->rgid) 1241 error1 = copyout(&cred->cr_rgid, 1242 uap->rgid, sizeof(cred->cr_rgid)); 1243 if (uap->egid) 1244 error2 = copyout(&cred->cr_groups[0], 1245 uap->egid, sizeof(cred->cr_groups[0])); 1246 if (uap->sgid) 1247 error3 = copyout(&cred->cr_svgid, 1248 uap->sgid, sizeof(cred->cr_svgid)); 1249 return (error1 ? error1 : error2 ? error2 : error3); 1250 } 1251 1252 #ifndef _SYS_SYSPROTO_H_ 1253 struct issetugid_args { 1254 int dummy; 1255 }; 1256 #endif 1257 /* 1258 * MPSAFE 1259 */ 1260 /* ARGSUSED */ 1261 int 1262 issetugid(register struct thread *td, struct issetugid_args *uap) 1263 { 1264 struct proc *p = td->td_proc; 1265 1266 /* 1267 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1268 * we use P_SUGID because we consider changing the owners as 1269 * "tainting" as well. 1270 * This is significant for procs that start as root and "become" 1271 * a user without an exec - programs cannot know *everything* 1272 * that libc *might* have put in their data segment. 1273 */ 1274 PROC_LOCK(p); 1275 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1276 PROC_UNLOCK(p); 1277 return (0); 1278 } 1279 1280 /* 1281 * MPSAFE 1282 */ 1283 int 1284 __setugid(struct thread *td, struct __setugid_args *uap) 1285 { 1286 #ifdef REGRESSION 1287 struct proc *p; 1288 1289 p = td->td_proc; 1290 switch (uap->flag) { 1291 case 0: 1292 PROC_LOCK(p); 1293 p->p_flag &= ~P_SUGID; 1294 PROC_UNLOCK(p); 1295 return (0); 1296 case 1: 1297 PROC_LOCK(p); 1298 p->p_flag |= P_SUGID; 1299 PROC_UNLOCK(p); 1300 return (0); 1301 default: 1302 return (EINVAL); 1303 } 1304 #else /* !REGRESSION */ 1305 1306 return (ENOSYS); 1307 #endif /* REGRESSION */ 1308 } 1309 1310 /* 1311 * Check if gid is a member of the group set. 1312 * 1313 * MPSAFE (cred must be held) 1314 */ 1315 int 1316 groupmember(gid_t gid, struct ucred *cred) 1317 { 1318 register gid_t *gp; 1319 gid_t *egp; 1320 1321 egp = &(cred->cr_groups[cred->cr_ngroups]); 1322 for (gp = cred->cr_groups; gp < egp; gp++) 1323 if (*gp == gid) 1324 return (1); 1325 return (0); 1326 } 1327 1328 /* 1329 * `suser_enabled' (which can be set by the security.suser_enabled 1330 * sysctl) determines whether the system 'super-user' policy is in effect. 1331 * If it is nonzero, an effective uid of 0 connotes special privilege, 1332 * overriding many mandatory and discretionary protections. If it is zero, 1333 * uid 0 is offered no special privilege in the kernel security policy. 1334 * Setting it to zero may seriously impact the functionality of many 1335 * existing userland programs, and should not be done without careful 1336 * consideration of the consequences. 1337 */ 1338 int suser_enabled = 1; 1339 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1340 &suser_enabled, 0, "processes with uid 0 have privilege"); 1341 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1342 1343 /* 1344 * Test whether the specified credentials imply "super-user" privilege. 1345 * Return 0 or EPERM. 1346 */ 1347 int 1348 suser_cred(struct ucred *cred, int flag) 1349 { 1350 1351 if (!suser_enabled) 1352 return (EPERM); 1353 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0) 1354 return (EPERM); 1355 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL)) 1356 return (EPERM); 1357 return (0); 1358 } 1359 1360 /* 1361 * Shortcut to hide contents of struct td and struct proc from the 1362 * caller, promoting binary compatibility. 1363 */ 1364 int 1365 suser(struct thread *td) 1366 { 1367 1368 #ifdef INVARIANTS 1369 if (td != curthread) { 1370 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n", 1371 td, td->td_proc->p_pid, td->td_proc->p_comm, 1372 curthread, curthread->td_proc->p_pid, 1373 curthread->td_proc->p_comm); 1374 #ifdef KDB 1375 kdb_backtrace(); 1376 #endif 1377 } 1378 #endif 1379 return (suser_cred(td->td_ucred, 0)); 1380 } 1381 1382 /* 1383 * Test the active securelevel against a given level. securelevel_gt() 1384 * implements (securelevel > level). securelevel_ge() implements 1385 * (securelevel >= level). Note that the logic is inverted -- these 1386 * functions return EPERM on "success" and 0 on "failure". 1387 * 1388 * MPSAFE 1389 */ 1390 int 1391 securelevel_gt(struct ucred *cr, int level) 1392 { 1393 int active_securelevel; 1394 1395 active_securelevel = securelevel; 1396 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1397 if (cr->cr_prison != NULL) 1398 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1399 active_securelevel); 1400 return (active_securelevel > level ? EPERM : 0); 1401 } 1402 1403 int 1404 securelevel_ge(struct ucred *cr, int level) 1405 { 1406 int active_securelevel; 1407 1408 active_securelevel = securelevel; 1409 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1410 if (cr->cr_prison != NULL) 1411 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1412 active_securelevel); 1413 return (active_securelevel >= level ? EPERM : 0); 1414 } 1415 1416 /* 1417 * 'see_other_uids' determines whether or not visibility of processes 1418 * and sockets with credentials holding different real uids is possible 1419 * using a variety of system MIBs. 1420 * XXX: data declarations should be together near the beginning of the file. 1421 */ 1422 static int see_other_uids = 1; 1423 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1424 &see_other_uids, 0, 1425 "Unprivileged processes may see subjects/objects with different real uid"); 1426 1427 /*- 1428 * Determine if u1 "can see" the subject specified by u2, according to the 1429 * 'see_other_uids' policy. 1430 * Returns: 0 for permitted, ESRCH otherwise 1431 * Locks: none 1432 * References: *u1 and *u2 must not change during the call 1433 * u1 may equal u2, in which case only one reference is required 1434 */ 1435 static int 1436 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1437 { 1438 1439 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1440 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) 1441 return (ESRCH); 1442 } 1443 return (0); 1444 } 1445 1446 /* 1447 * 'see_other_gids' determines whether or not visibility of processes 1448 * and sockets with credentials holding different real gids is possible 1449 * using a variety of system MIBs. 1450 * XXX: data declarations should be together near the beginning of the file. 1451 */ 1452 static int see_other_gids = 1; 1453 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1454 &see_other_gids, 0, 1455 "Unprivileged processes may see subjects/objects with different real gid"); 1456 1457 /* 1458 * Determine if u1 can "see" the subject specified by u2, according to the 1459 * 'see_other_gids' policy. 1460 * Returns: 0 for permitted, ESRCH otherwise 1461 * Locks: none 1462 * References: *u1 and *u2 must not change during the call 1463 * u1 may equal u2, in which case only one reference is required 1464 */ 1465 static int 1466 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1467 { 1468 int i, match; 1469 1470 if (!see_other_gids) { 1471 match = 0; 1472 for (i = 0; i < u1->cr_ngroups; i++) { 1473 if (groupmember(u1->cr_groups[i], u2)) 1474 match = 1; 1475 if (match) 1476 break; 1477 } 1478 if (!match) { 1479 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) 1480 return (ESRCH); 1481 } 1482 } 1483 return (0); 1484 } 1485 1486 /*- 1487 * Determine if u1 "can see" the subject specified by u2. 1488 * Returns: 0 for permitted, an errno value otherwise 1489 * Locks: none 1490 * References: *u1 and *u2 must not change during the call 1491 * u1 may equal u2, in which case only one reference is required 1492 */ 1493 int 1494 cr_cansee(struct ucred *u1, struct ucred *u2) 1495 { 1496 int error; 1497 1498 if ((error = prison_check(u1, u2))) 1499 return (error); 1500 #ifdef MAC 1501 if ((error = mac_check_cred_visible(u1, u2))) 1502 return (error); 1503 #endif 1504 if ((error = cr_seeotheruids(u1, u2))) 1505 return (error); 1506 if ((error = cr_seeothergids(u1, u2))) 1507 return (error); 1508 return (0); 1509 } 1510 1511 /*- 1512 * Determine if td "can see" the subject specified by p. 1513 * Returns: 0 for permitted, an errno value otherwise 1514 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1515 * should be curthread. 1516 * References: td and p must be valid for the lifetime of the call 1517 */ 1518 int 1519 p_cansee(struct thread *td, struct proc *p) 1520 { 1521 1522 /* Wrap cr_cansee() for all functionality. */ 1523 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1524 PROC_LOCK_ASSERT(p, MA_OWNED); 1525 return (cr_cansee(td->td_ucred, p->p_ucred)); 1526 } 1527 1528 /* 1529 * 'conservative_signals' prevents the delivery of a broad class of 1530 * signals by unprivileged processes to processes that have changed their 1531 * credentials since the last invocation of execve(). This can prevent 1532 * the leakage of cached information or retained privileges as a result 1533 * of a common class of signal-related vulnerabilities. However, this 1534 * may interfere with some applications that expect to be able to 1535 * deliver these signals to peer processes after having given up 1536 * privilege. 1537 */ 1538 static int conservative_signals = 1; 1539 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1540 &conservative_signals, 0, "Unprivileged processes prevented from " 1541 "sending certain signals to processes whose credentials have changed"); 1542 /*- 1543 * Determine whether cred may deliver the specified signal to proc. 1544 * Returns: 0 for permitted, an errno value otherwise. 1545 * Locks: A lock must be held for proc. 1546 * References: cred and proc must be valid for the lifetime of the call. 1547 */ 1548 int 1549 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1550 { 1551 int error; 1552 1553 PROC_LOCK_ASSERT(proc, MA_OWNED); 1554 /* 1555 * Jail semantics limit the scope of signalling to proc in the 1556 * same jail as cred, if cred is in jail. 1557 */ 1558 error = prison_check(cred, proc->p_ucred); 1559 if (error) 1560 return (error); 1561 #ifdef MAC 1562 if ((error = mac_check_proc_signal(cred, proc, signum))) 1563 return (error); 1564 #endif 1565 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1566 return (error); 1567 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1568 return (error); 1569 1570 /* 1571 * UNIX signal semantics depend on the status of the P_SUGID 1572 * bit on the target process. If the bit is set, then additional 1573 * restrictions are placed on the set of available signals. 1574 */ 1575 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1576 switch (signum) { 1577 case 0: 1578 case SIGKILL: 1579 case SIGINT: 1580 case SIGTERM: 1581 case SIGALRM: 1582 case SIGSTOP: 1583 case SIGTTIN: 1584 case SIGTTOU: 1585 case SIGTSTP: 1586 case SIGHUP: 1587 case SIGUSR1: 1588 case SIGUSR2: 1589 /* 1590 * Generally, permit job and terminal control 1591 * signals. 1592 */ 1593 break; 1594 default: 1595 /* Not permitted without privilege. */ 1596 error = suser_cred(cred, SUSER_ALLOWJAIL); 1597 if (error) 1598 return (error); 1599 } 1600 } 1601 1602 /* 1603 * Generally, the target credential's ruid or svuid must match the 1604 * subject credential's ruid or euid. 1605 */ 1606 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1607 cred->cr_ruid != proc->p_ucred->cr_svuid && 1608 cred->cr_uid != proc->p_ucred->cr_ruid && 1609 cred->cr_uid != proc->p_ucred->cr_svuid) { 1610 /* Not permitted without privilege. */ 1611 error = suser_cred(cred, SUSER_ALLOWJAIL); 1612 if (error) 1613 return (error); 1614 } 1615 1616 return (0); 1617 } 1618 1619 1620 /*- 1621 * Determine whether td may deliver the specified signal to p. 1622 * Returns: 0 for permitted, an errno value otherwise 1623 * Locks: Sufficient locks to protect various components of td and p 1624 * must be held. td must be curthread, and a lock must be 1625 * held for p. 1626 * References: td and p must be valid for the lifetime of the call 1627 */ 1628 int 1629 p_cansignal(struct thread *td, struct proc *p, int signum) 1630 { 1631 1632 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1633 PROC_LOCK_ASSERT(p, MA_OWNED); 1634 if (td->td_proc == p) 1635 return (0); 1636 1637 /* 1638 * UNIX signalling semantics require that processes in the same 1639 * session always be able to deliver SIGCONT to one another, 1640 * overriding the remaining protections. 1641 */ 1642 /* XXX: This will require an additional lock of some sort. */ 1643 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1644 return (0); 1645 /* 1646 * Some compat layers use SIGTHR and higher signals for 1647 * communication between different kernel threads of the same 1648 * process, so that they expect that it's always possible to 1649 * deliver them, even for suid applications where cr_cansignal() can 1650 * deny such ability for security consideration. It should be 1651 * pretty safe to do since the only way to create two processes 1652 * with the same p_leader is via rfork(2). 1653 */ 1654 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1655 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1656 return (0); 1657 1658 return (cr_cansignal(td->td_ucred, p, signum)); 1659 } 1660 1661 /*- 1662 * Determine whether td may reschedule p. 1663 * Returns: 0 for permitted, an errno value otherwise 1664 * Locks: Sufficient locks to protect various components of td and p 1665 * must be held. td must be curthread, and a lock must 1666 * be held for p. 1667 * References: td and p must be valid for the lifetime of the call 1668 */ 1669 int 1670 p_cansched(struct thread *td, struct proc *p) 1671 { 1672 int error; 1673 1674 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1675 PROC_LOCK_ASSERT(p, MA_OWNED); 1676 if (td->td_proc == p) 1677 return (0); 1678 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1679 return (error); 1680 #ifdef MAC 1681 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1682 return (error); 1683 #endif 1684 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1685 return (error); 1686 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1687 return (error); 1688 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1689 return (0); 1690 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1691 return (0); 1692 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) 1693 return (0); 1694 1695 #ifdef CAPABILITIES 1696 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL)) 1697 return (0); 1698 #endif 1699 1700 return (EPERM); 1701 } 1702 1703 /* 1704 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1705 * unprivileged inter-process debugging services, including some procfs 1706 * functionality, ptrace(), and ktrace(). In the past, inter-process 1707 * debugging has been involved in a variety of security problems, and sites 1708 * not requiring the service might choose to disable it when hardening 1709 * systems. 1710 * 1711 * XXX: Should modifying and reading this variable require locking? 1712 * XXX: data declarations should be together near the beginning of the file. 1713 */ 1714 static int unprivileged_proc_debug = 1; 1715 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1716 &unprivileged_proc_debug, 0, 1717 "Unprivileged processes may use process debugging facilities"); 1718 1719 /*- 1720 * Determine whether td may debug p. 1721 * Returns: 0 for permitted, an errno value otherwise 1722 * Locks: Sufficient locks to protect various components of td and p 1723 * must be held. td must be curthread, and a lock must 1724 * be held for p. 1725 * References: td and p must be valid for the lifetime of the call 1726 */ 1727 int 1728 p_candebug(struct thread *td, struct proc *p) 1729 { 1730 int credentialchanged, error, grpsubset, i, uidsubset; 1731 1732 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1733 PROC_LOCK_ASSERT(p, MA_OWNED); 1734 if (!unprivileged_proc_debug) { 1735 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 1736 if (error) 1737 return (error); 1738 } 1739 if (td->td_proc == p) 1740 return (0); 1741 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1742 return (error); 1743 #ifdef MAC 1744 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1745 return (error); 1746 #endif 1747 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1748 return (error); 1749 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1750 return (error); 1751 1752 /* 1753 * Is p's group set a subset of td's effective group set? This 1754 * includes p's egid, group access list, rgid, and svgid. 1755 */ 1756 grpsubset = 1; 1757 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1758 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1759 grpsubset = 0; 1760 break; 1761 } 1762 } 1763 grpsubset = grpsubset && 1764 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1765 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1766 1767 /* 1768 * Are the uids present in p's credential equal to td's 1769 * effective uid? This includes p's euid, svuid, and ruid. 1770 */ 1771 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1772 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1773 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1774 1775 /* 1776 * Has the credential of the process changed since the last exec()? 1777 */ 1778 credentialchanged = (p->p_flag & P_SUGID); 1779 1780 /* 1781 * If p's gids aren't a subset, or the uids aren't a subset, 1782 * or the credential has changed, require appropriate privilege 1783 * for td to debug p. For POSIX.1e capabilities, this will 1784 * require CAP_SYS_PTRACE. 1785 */ 1786 if (!grpsubset || !uidsubset || credentialchanged) { 1787 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 1788 if (error) 1789 return (error); 1790 } 1791 1792 /* Can't trace init when securelevel > 0. */ 1793 if (p == initproc) { 1794 error = securelevel_gt(td->td_ucred, 0); 1795 if (error) 1796 return (error); 1797 } 1798 1799 /* 1800 * Can't trace a process that's currently exec'ing. 1801 * XXX: Note, this is not a security policy decision, it's a 1802 * basic correctness/functionality decision. Therefore, this check 1803 * should be moved to the caller's of p_candebug(). 1804 */ 1805 if ((p->p_flag & P_INEXEC) != 0) 1806 return (EAGAIN); 1807 1808 return (0); 1809 } 1810 1811 /*- 1812 * Determine whether the subject represented by cred can "see" a socket. 1813 * Returns: 0 for permitted, ENOENT otherwise. 1814 */ 1815 int 1816 cr_canseesocket(struct ucred *cred, struct socket *so) 1817 { 1818 int error; 1819 1820 error = prison_check(cred, so->so_cred); 1821 if (error) 1822 return (ENOENT); 1823 #ifdef MAC 1824 SOCK_LOCK(so); 1825 error = mac_check_socket_visible(cred, so); 1826 SOCK_UNLOCK(so); 1827 if (error) 1828 return (error); 1829 #endif 1830 if (cr_seeotheruids(cred, so->so_cred)) 1831 return (ENOENT); 1832 if (cr_seeothergids(cred, so->so_cred)) 1833 return (ENOENT); 1834 1835 return (0); 1836 } 1837 1838 /*- 1839 * Determine whether td can wait for the exit of p. 1840 * Returns: 0 for permitted, an errno value otherwise 1841 * Locks: Sufficient locks to protect various components of td and p 1842 * must be held. td must be curthread, and a lock must 1843 * be held for p. 1844 * References: td and p must be valid for the lifetime of the call 1845 1846 */ 1847 int 1848 p_canwait(struct thread *td, struct proc *p) 1849 { 1850 int error; 1851 1852 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1853 PROC_LOCK_ASSERT(p, MA_OWNED); 1854 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1855 return (error); 1856 #ifdef MAC 1857 if ((error = mac_check_proc_wait(td->td_ucred, p))) 1858 return (error); 1859 #endif 1860 #if 0 1861 /* XXXMAC: This could have odd effects on some shells. */ 1862 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1863 return (error); 1864 #endif 1865 1866 return (0); 1867 } 1868 1869 /* 1870 * Allocate a zeroed cred structure. 1871 * MPSAFE 1872 */ 1873 struct ucred * 1874 crget(void) 1875 { 1876 register struct ucred *cr; 1877 1878 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1879 refcount_init(&cr->cr_ref, 1); 1880 #ifdef MAC 1881 mac_init_cred(cr); 1882 #endif 1883 return (cr); 1884 } 1885 1886 /* 1887 * Claim another reference to a ucred structure. 1888 * MPSAFE 1889 */ 1890 struct ucred * 1891 crhold(struct ucred *cr) 1892 { 1893 1894 refcount_acquire(&cr->cr_ref); 1895 return (cr); 1896 } 1897 1898 /* 1899 * Free a cred structure. 1900 * Throws away space when ref count gets to 0. 1901 * MPSAFE 1902 */ 1903 void 1904 crfree(struct ucred *cr) 1905 { 1906 1907 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1908 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1909 if (refcount_release(&cr->cr_ref)) { 1910 /* 1911 * Some callers of crget(), such as nfs_statfs(), 1912 * allocate a temporary credential, but don't 1913 * allocate a uidinfo structure. 1914 */ 1915 if (cr->cr_uidinfo != NULL) 1916 uifree(cr->cr_uidinfo); 1917 if (cr->cr_ruidinfo != NULL) 1918 uifree(cr->cr_ruidinfo); 1919 /* 1920 * Free a prison, if any. 1921 */ 1922 if (jailed(cr)) 1923 prison_free(cr->cr_prison); 1924 #ifdef MAC 1925 mac_destroy_cred(cr); 1926 #endif 1927 FREE(cr, M_CRED); 1928 } 1929 } 1930 1931 /* 1932 * Check to see if this ucred is shared. 1933 * MPSAFE 1934 */ 1935 int 1936 crshared(struct ucred *cr) 1937 { 1938 1939 return (cr->cr_ref > 1); 1940 } 1941 1942 /* 1943 * Copy a ucred's contents from a template. Does not block. 1944 * MPSAFE 1945 */ 1946 void 1947 crcopy(struct ucred *dest, struct ucred *src) 1948 { 1949 1950 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1951 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1952 (unsigned)((caddr_t)&src->cr_endcopy - 1953 (caddr_t)&src->cr_startcopy)); 1954 uihold(dest->cr_uidinfo); 1955 uihold(dest->cr_ruidinfo); 1956 if (jailed(dest)) 1957 prison_hold(dest->cr_prison); 1958 #ifdef MAC 1959 mac_copy_cred(src, dest); 1960 #endif 1961 } 1962 1963 /* 1964 * Dup cred struct to a new held one. 1965 * MPSAFE 1966 */ 1967 struct ucred * 1968 crdup(struct ucred *cr) 1969 { 1970 struct ucred *newcr; 1971 1972 newcr = crget(); 1973 crcopy(newcr, cr); 1974 return (newcr); 1975 } 1976 1977 /* 1978 * Fill in a struct xucred based on a struct ucred. 1979 * MPSAFE 1980 */ 1981 void 1982 cru2x(struct ucred *cr, struct xucred *xcr) 1983 { 1984 1985 bzero(xcr, sizeof(*xcr)); 1986 xcr->cr_version = XUCRED_VERSION; 1987 xcr->cr_uid = cr->cr_uid; 1988 xcr->cr_ngroups = cr->cr_ngroups; 1989 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1990 } 1991 1992 /* 1993 * small routine to swap a thread's current ucred for the correct one 1994 * taken from the process. 1995 * MPSAFE 1996 */ 1997 void 1998 cred_update_thread(struct thread *td) 1999 { 2000 struct proc *p; 2001 struct ucred *cred; 2002 2003 p = td->td_proc; 2004 cred = td->td_ucred; 2005 PROC_LOCK(p); 2006 td->td_ucred = crhold(p->p_ucred); 2007 PROC_UNLOCK(p); 2008 if (cred != NULL) 2009 crfree(cred); 2010 } 2011 2012 /* 2013 * Get login name, if available. 2014 */ 2015 #ifndef _SYS_SYSPROTO_H_ 2016 struct getlogin_args { 2017 char *namebuf; 2018 u_int namelen; 2019 }; 2020 #endif 2021 /* 2022 * MPSAFE 2023 */ 2024 /* ARGSUSED */ 2025 int 2026 getlogin(struct thread *td, struct getlogin_args *uap) 2027 { 2028 int error; 2029 char login[MAXLOGNAME]; 2030 struct proc *p = td->td_proc; 2031 2032 if (uap->namelen > MAXLOGNAME) 2033 uap->namelen = MAXLOGNAME; 2034 PROC_LOCK(p); 2035 SESS_LOCK(p->p_session); 2036 bcopy(p->p_session->s_login, login, uap->namelen); 2037 SESS_UNLOCK(p->p_session); 2038 PROC_UNLOCK(p); 2039 error = copyout(login, uap->namebuf, uap->namelen); 2040 return(error); 2041 } 2042 2043 /* 2044 * Set login name. 2045 */ 2046 #ifndef _SYS_SYSPROTO_H_ 2047 struct setlogin_args { 2048 char *namebuf; 2049 }; 2050 #endif 2051 /* 2052 * MPSAFE 2053 */ 2054 /* ARGSUSED */ 2055 int 2056 setlogin(struct thread *td, struct setlogin_args *uap) 2057 { 2058 struct proc *p = td->td_proc; 2059 int error; 2060 char logintmp[MAXLOGNAME]; 2061 2062 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); 2063 if (error) 2064 return (error); 2065 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2066 if (error == ENAMETOOLONG) 2067 error = EINVAL; 2068 else if (!error) { 2069 PROC_LOCK(p); 2070 SESS_LOCK(p->p_session); 2071 (void) memcpy(p->p_session->s_login, logintmp, 2072 sizeof(logintmp)); 2073 SESS_UNLOCK(p->p_session); 2074 PROC_UNLOCK(p); 2075 } 2076 return (error); 2077 } 2078 2079 void 2080 setsugid(struct proc *p) 2081 { 2082 2083 PROC_LOCK_ASSERT(p, MA_OWNED); 2084 p->p_flag |= P_SUGID; 2085 if (!(p->p_pfsflags & PF_ISUGID)) 2086 p->p_stops = 0; 2087 } 2088 2089 /*- 2090 * Change a process's effective uid. 2091 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2092 * References: newcred must be an exclusive credential reference for the 2093 * duration of the call. 2094 */ 2095 void 2096 change_euid(struct ucred *newcred, struct uidinfo *euip) 2097 { 2098 2099 newcred->cr_uid = euip->ui_uid; 2100 uihold(euip); 2101 uifree(newcred->cr_uidinfo); 2102 newcred->cr_uidinfo = euip; 2103 } 2104 2105 /*- 2106 * Change a process's effective gid. 2107 * Side effects: newcred->cr_gid will be modified. 2108 * References: newcred must be an exclusive credential reference for the 2109 * duration of the call. 2110 */ 2111 void 2112 change_egid(struct ucred *newcred, gid_t egid) 2113 { 2114 2115 newcred->cr_groups[0] = egid; 2116 } 2117 2118 /*- 2119 * Change a process's real uid. 2120 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2121 * will be updated, and the old and new cr_ruidinfo proc 2122 * counts will be updated. 2123 * References: newcred must be an exclusive credential reference for the 2124 * duration of the call. 2125 */ 2126 void 2127 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2128 { 2129 2130 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2131 newcred->cr_ruid = ruip->ui_uid; 2132 uihold(ruip); 2133 uifree(newcred->cr_ruidinfo); 2134 newcred->cr_ruidinfo = ruip; 2135 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2136 } 2137 2138 /*- 2139 * Change a process's real gid. 2140 * Side effects: newcred->cr_rgid will be updated. 2141 * References: newcred must be an exclusive credential reference for the 2142 * duration of the call. 2143 */ 2144 void 2145 change_rgid(struct ucred *newcred, gid_t rgid) 2146 { 2147 2148 newcred->cr_rgid = rgid; 2149 } 2150 2151 /*- 2152 * Change a process's saved uid. 2153 * Side effects: newcred->cr_svuid will be updated. 2154 * References: newcred must be an exclusive credential reference for the 2155 * duration of the call. 2156 */ 2157 void 2158 change_svuid(struct ucred *newcred, uid_t svuid) 2159 { 2160 2161 newcred->cr_svuid = svuid; 2162 } 2163 2164 /*- 2165 * Change a process's saved gid. 2166 * Side effects: newcred->cr_svgid will be updated. 2167 * References: newcred must be an exclusive credential reference for the 2168 * duration of the call. 2169 */ 2170 void 2171 change_svgid(struct ucred *newcred, gid_t svgid) 2172 { 2173 2174 newcred->cr_svgid = svgid; 2175 } 2176