1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 5 * (c) UNIX System Laboratories, Inc. 6 * 7 * All or some portions of this file are derived from material licensed 8 * to the University of California by American Telephone and Telegraph 9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 10 * the permission of UNIX System Laboratories, Inc. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. All advertising materials mentioning features or use of this software 21 * must display the following acknowledgement: 22 * This product includes software developed by the University of 23 * California, Berkeley and its contributors. 24 * 4. Neither the name of the University nor the names of its contributors 25 * may be used to endorse or promote products derived from this software 26 * without specific prior written permission. 27 * 28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 31 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 * 40 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 41 * $FreeBSD$ 42 */ 43 44 /* 45 * System calls related to processes and protection 46 */ 47 48 #include "opt_compat.h" 49 #include "opt_global.h" 50 51 #include <sys/param.h> 52 #include <sys/systm.h> 53 #include <sys/acct.h> 54 #include <sys/kernel.h> 55 #include <sys/lock.h> 56 #include <sys/mutex.h> 57 #include <sys/proc.h> 58 #include <sys/sx.h> 59 #include <sys/sysproto.h> 60 #include <sys/malloc.h> 61 #include <sys/pioctl.h> 62 #include <sys/resourcevar.h> 63 #include <sys/sysctl.h> 64 #include <sys/jail.h> 65 66 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 69 "Kernel security policy"); 70 71 SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 72 "BSD security policy"); 73 74 #ifndef _SYS_SYSPROTO_H_ 75 struct getpid_args { 76 int dummy; 77 }; 78 #endif 79 80 /* 81 * getpid 82 */ 83 84 /* 85 * MPSAFE 86 */ 87 /* ARGSUSED */ 88 int 89 getpid(td, uap) 90 struct thread *td; 91 struct getpid_args *uap; 92 { 93 struct proc *p = td->td_proc; 94 int s; 95 96 s = mtx_lock_giant(kern_giant_proc); 97 td->td_retval[0] = p->p_pid; 98 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 99 PROC_LOCK(p); 100 td->td_retval[1] = p->p_pptr->p_pid; 101 PROC_UNLOCK(p); 102 #endif 103 mtx_unlock_giant(s); 104 return (0); 105 } 106 107 /* 108 * getppid 109 */ 110 111 #ifndef _SYS_SYSPROTO_H_ 112 struct getppid_args { 113 int dummy; 114 }; 115 #endif 116 /* 117 * MPSAFE 118 */ 119 /* ARGSUSED */ 120 int 121 getppid(td, uap) 122 struct thread *td; 123 struct getppid_args *uap; 124 { 125 struct proc *p = td->td_proc; 126 int s; 127 128 s = mtx_lock_giant(kern_giant_proc); 129 PROC_LOCK(p); 130 td->td_retval[0] = p->p_pptr->p_pid; 131 PROC_UNLOCK(p); 132 mtx_unlock_giant(s); 133 return (0); 134 } 135 136 /* 137 * Get process group ID; note that POSIX getpgrp takes no parameter 138 * 139 * MP SAFE 140 */ 141 #ifndef _SYS_SYSPROTO_H_ 142 struct getpgrp_args { 143 int dummy; 144 }; 145 #endif 146 /* 147 * MPSAFE 148 */ 149 int 150 getpgrp(td, uap) 151 struct thread *td; 152 struct getpgrp_args *uap; 153 { 154 struct proc *p = td->td_proc; 155 156 mtx_lock(&Giant); 157 td->td_retval[0] = p->p_pgrp->pg_id; 158 mtx_unlock(&Giant); 159 return (0); 160 } 161 162 /* Get an arbitary pid's process group id */ 163 #ifndef _SYS_SYSPROTO_H_ 164 struct getpgid_args { 165 pid_t pid; 166 }; 167 #endif 168 169 /* 170 * MPSAFE 171 */ 172 int 173 getpgid(td, uap) 174 struct thread *td; 175 struct getpgid_args *uap; 176 { 177 struct proc *p = td->td_proc; 178 struct proc *pt; 179 int error = 0; 180 int s; 181 182 s = mtx_lock_giant(kern_giant_proc); 183 if (uap->pid == 0) 184 td->td_retval[0] = p->p_pgrp->pg_id; 185 else if ((pt = pfind(uap->pid)) == NULL) 186 error = ESRCH; 187 else { 188 error = p_cansee(p, pt); 189 if (error == 0) 190 td->td_retval[0] = pt->p_pgrp->pg_id; 191 PROC_UNLOCK(pt); 192 } 193 mtx_unlock_giant(s); 194 return (error); 195 } 196 197 /* 198 * Get an arbitary pid's session id. 199 */ 200 #ifndef _SYS_SYSPROTO_H_ 201 struct getsid_args { 202 pid_t pid; 203 }; 204 #endif 205 206 /* 207 * MPSAFE 208 */ 209 int 210 getsid(td, uap) 211 struct thread *td; 212 struct getsid_args *uap; 213 { 214 struct proc *p = td->td_proc; 215 struct proc *pt; 216 int error = 0; 217 218 mtx_lock(&Giant); 219 if (uap->pid == 0) 220 td->td_retval[0] = p->p_session->s_sid; 221 else if ((pt = pfind(uap->pid)) == NULL) 222 error = ESRCH; 223 else { 224 error = p_cansee(p, pt); 225 if (error == 0) 226 td->td_retval[0] = pt->p_session->s_sid; 227 PROC_UNLOCK(pt); 228 } 229 mtx_unlock(&Giant); 230 return (error); 231 } 232 233 234 /* 235 * getuid() - MP SAFE 236 */ 237 #ifndef _SYS_SYSPROTO_H_ 238 struct getuid_args { 239 int dummy; 240 }; 241 #endif 242 243 /* 244 * MPSAFE 245 */ 246 /* ARGSUSED */ 247 int 248 getuid(td, uap) 249 struct thread *td; 250 struct getuid_args *uap; 251 { 252 struct proc *p = td->td_proc; 253 254 mtx_lock(&Giant); 255 td->td_retval[0] = p->p_ucred->cr_ruid; 256 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 257 td->td_retval[1] = p->p_ucred->cr_uid; 258 #endif 259 mtx_unlock(&Giant); 260 return (0); 261 } 262 263 /* 264 * geteuid() - MP SAFE 265 */ 266 #ifndef _SYS_SYSPROTO_H_ 267 struct geteuid_args { 268 int dummy; 269 }; 270 #endif 271 272 /* ARGSUSED */ 273 int 274 geteuid(td, uap) 275 struct thread *td; 276 struct geteuid_args *uap; 277 { 278 mtx_lock(&Giant); 279 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 280 mtx_unlock(&Giant); 281 return (0); 282 } 283 284 /* 285 * getgid() - MP SAFE 286 */ 287 #ifndef _SYS_SYSPROTO_H_ 288 struct getgid_args { 289 int dummy; 290 }; 291 #endif 292 293 /* 294 * MPSAFE 295 */ 296 /* ARGSUSED */ 297 int 298 getgid(td, uap) 299 struct thread *td; 300 struct getgid_args *uap; 301 { 302 struct proc *p = td->td_proc; 303 304 mtx_lock(&Giant); 305 td->td_retval[0] = p->p_ucred->cr_rgid; 306 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 307 td->td_retval[1] = p->p_ucred->cr_groups[0]; 308 #endif 309 mtx_unlock(&Giant); 310 return (0); 311 } 312 313 /* 314 * Get effective group ID. The "egid" is groups[0], and could be obtained 315 * via getgroups. This syscall exists because it is somewhat painful to do 316 * correctly in a library function. 317 */ 318 #ifndef _SYS_SYSPROTO_H_ 319 struct getegid_args { 320 int dummy; 321 }; 322 #endif 323 324 /* 325 * MPSAFE 326 */ 327 /* ARGSUSED */ 328 int 329 getegid(td, uap) 330 struct thread *td; 331 struct getegid_args *uap; 332 { 333 struct proc *p = td->td_proc; 334 335 mtx_lock(&Giant); 336 td->td_retval[0] = p->p_ucred->cr_groups[0]; 337 mtx_unlock(&Giant); 338 return (0); 339 } 340 341 #ifndef _SYS_SYSPROTO_H_ 342 struct getgroups_args { 343 u_int gidsetsize; 344 gid_t *gidset; 345 }; 346 #endif 347 /* 348 * MPSAFE 349 */ 350 int 351 getgroups(td, uap) 352 struct thread *td; 353 register struct getgroups_args *uap; 354 { 355 struct ucred *cred; 356 struct proc *p = td->td_proc; 357 u_int ngrp; 358 int error = 0; 359 360 mtx_lock(&Giant); 361 cred = p->p_ucred; 362 if ((ngrp = uap->gidsetsize) == 0) { 363 td->td_retval[0] = cred->cr_ngroups; 364 error = 0; 365 goto done2; 366 } 367 if (ngrp < cred->cr_ngroups) { 368 error = EINVAL; 369 goto done2; 370 } 371 ngrp = cred->cr_ngroups; 372 if ((error = copyout((caddr_t)cred->cr_groups, 373 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) { 374 goto done2; 375 } 376 td->td_retval[0] = ngrp; 377 done2: 378 mtx_unlock(&Giant); 379 return (error); 380 } 381 382 #ifndef _SYS_SYSPROTO_H_ 383 struct setsid_args { 384 int dummy; 385 }; 386 #endif 387 388 /* 389 * MPSAFE 390 */ 391 /* ARGSUSED */ 392 int 393 setsid(td, uap) 394 register struct thread *td; 395 struct setsid_args *uap; 396 { 397 int error; 398 struct proc *p = td->td_proc; 399 400 mtx_lock(&Giant); 401 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 402 error = EPERM; 403 } else { 404 (void)enterpgrp(p, p->p_pid, 1); 405 td->td_retval[0] = p->p_pid; 406 error = 0; 407 } 408 mtx_unlock(&Giant); 409 return (error); 410 } 411 412 /* 413 * set process group (setpgid/old setpgrp) 414 * 415 * caller does setpgid(targpid, targpgid) 416 * 417 * pid must be caller or child of caller (ESRCH) 418 * if a child 419 * pid must be in same session (EPERM) 420 * pid can't have done an exec (EACCES) 421 * if pgid != pid 422 * there must exist some pid in same session having pgid (EPERM) 423 * pid must not be session leader (EPERM) 424 */ 425 #ifndef _SYS_SYSPROTO_H_ 426 struct setpgid_args { 427 int pid; /* target process id */ 428 int pgid; /* target pgrp id */ 429 }; 430 #endif 431 /* 432 * MPSAFE 433 */ 434 /* ARGSUSED */ 435 int 436 setpgid(td, uap) 437 struct thread *td; 438 register struct setpgid_args *uap; 439 { 440 struct proc *curp = td->td_proc; 441 register struct proc *targp; /* target process */ 442 register struct pgrp *pgrp; /* target pgrp */ 443 int error; 444 445 if (uap->pgid < 0) 446 return (EINVAL); 447 448 mtx_lock(&Giant); 449 450 sx_slock(&proctree_lock); 451 if (uap->pid != 0 && uap->pid != curp->p_pid) { 452 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 453 if (targp) 454 PROC_UNLOCK(targp); 455 error = ESRCH; 456 goto done2; 457 } 458 if ((error = p_cansee(curproc, targp))) { 459 PROC_UNLOCK(targp); 460 goto done2; 461 } 462 if (targp->p_pgrp == NULL || 463 targp->p_session != curp->p_session) { 464 PROC_UNLOCK(targp); 465 error = EPERM; 466 goto done2; 467 } 468 if (targp->p_flag & P_EXEC) { 469 PROC_UNLOCK(targp); 470 error = EACCES; 471 goto done2; 472 } 473 } else { 474 targp = curp; 475 PROC_LOCK(curp); /* XXX: not needed */ 476 } 477 if (SESS_LEADER(targp)) { 478 PROC_UNLOCK(targp); 479 error = EPERM; 480 goto done2; 481 } 482 if (uap->pgid == 0) { 483 uap->pgid = targp->p_pid; 484 } else if (uap->pgid != targp->p_pid) { 485 if ((pgrp = pgfind(uap->pgid)) == 0 || 486 pgrp->pg_session != curp->p_session) { 487 PROC_UNLOCK(targp); 488 error = EPERM; 489 goto done2; 490 } 491 } 492 /* XXX: We should probably hold the lock across enterpgrp. */ 493 PROC_UNLOCK(targp); 494 error = enterpgrp(targp, uap->pgid, 0); 495 done2: 496 sx_sunlock(&proctree_lock); 497 mtx_unlock(&Giant); 498 return (error); 499 } 500 501 /* 502 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 503 * compatible. It says that setting the uid/gid to euid/egid is a special 504 * case of "appropriate privilege". Once the rules are expanded out, this 505 * basically means that setuid(nnn) sets all three id's, in all permitted 506 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 507 * does not set the saved id - this is dangerous for traditional BSD 508 * programs. For this reason, we *really* do not want to set 509 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 510 */ 511 #define POSIX_APPENDIX_B_4_2_2 512 513 #ifndef _SYS_SYSPROTO_H_ 514 struct setuid_args { 515 uid_t uid; 516 }; 517 #endif 518 /* 519 * MPSAFE 520 */ 521 /* ARGSUSED */ 522 int 523 setuid(td, uap) 524 struct thread *td; 525 struct setuid_args *uap; 526 { 527 struct proc *p = td->td_proc; 528 struct ucred *newcred, *oldcred; 529 uid_t uid; 530 int error = 0; 531 532 uid = uap->uid; 533 oldcred = p->p_ucred; 534 mtx_lock(&Giant); 535 536 /* 537 * See if we have "permission" by POSIX 1003.1 rules. 538 * 539 * Note that setuid(geteuid()) is a special case of 540 * "appropriate privileges" in appendix B.4.2.2. We need 541 * to use this clause to be compatible with traditional BSD 542 * semantics. Basically, it means that "setuid(xx)" sets all 543 * three id's (assuming you have privs). 544 * 545 * Notes on the logic. We do things in three steps. 546 * 1: We determine if the euid is going to change, and do EPERM 547 * right away. We unconditionally change the euid later if this 548 * test is satisfied, simplifying that part of the logic. 549 * 2: We determine if the real and/or saved uid's are going to 550 * change. Determined by compile options. 551 * 3: Change euid last. (after tests in #2 for "appropriate privs") 552 */ 553 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 554 #ifdef _POSIX_SAVED_IDS 555 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 556 #endif 557 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 558 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 559 #endif 560 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 561 goto done2; 562 563 newcred = crdup(oldcred); 564 #ifdef _POSIX_SAVED_IDS 565 /* 566 * Do we have "appropriate privileges" (are we root or uid == euid) 567 * If so, we are changing the real uid and/or saved uid. 568 */ 569 if ( 570 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 571 uid == oldcred->cr_uid || 572 #endif 573 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 574 #endif 575 { 576 /* 577 * Set the real uid and transfer proc count to new user. 578 */ 579 if (uid != oldcred->cr_ruid) { 580 change_ruid(newcred, uid); 581 setsugid(p); 582 } 583 /* 584 * Set saved uid 585 * 586 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 587 * the security of seteuid() depends on it. B.4.2.2 says it 588 * is important that we should do this. 589 */ 590 if (uid != oldcred->cr_svuid) { 591 change_svuid(newcred, uid); 592 setsugid(p); 593 } 594 } 595 596 /* 597 * In all permitted cases, we are changing the euid. 598 * Copy credentials so other references do not see our changes. 599 */ 600 if (uid != oldcred->cr_uid) { 601 change_euid(newcred, uid); 602 setsugid(p); 603 } 604 p->p_ucred = newcred; 605 crfree(oldcred); 606 done2: 607 mtx_unlock(&Giant); 608 return (error); 609 } 610 611 #ifndef _SYS_SYSPROTO_H_ 612 struct seteuid_args { 613 uid_t euid; 614 }; 615 #endif 616 /* 617 * MPSAFE 618 */ 619 /* ARGSUSED */ 620 int 621 seteuid(td, uap) 622 struct thread *td; 623 struct seteuid_args *uap; 624 { 625 struct proc *p = td->td_proc; 626 struct ucred *newcred, *oldcred; 627 uid_t euid; 628 int error = 0; 629 630 euid = uap->euid; 631 632 mtx_lock(&Giant); 633 oldcred = p->p_ucred; 634 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 635 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 636 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 637 goto done2; 638 } 639 /* 640 * Everything's okay, do it. Copy credentials so other references do 641 * not see our changes. 642 */ 643 newcred = crdup(oldcred); 644 if (oldcred->cr_uid != euid) { 645 change_euid(newcred, euid); 646 setsugid(p); 647 } 648 p->p_ucred = newcred; 649 crfree(oldcred); 650 done2: 651 mtx_unlock(&Giant); 652 return (error); 653 } 654 655 #ifndef _SYS_SYSPROTO_H_ 656 struct setgid_args { 657 gid_t gid; 658 }; 659 #endif 660 /* 661 * MPSAFE 662 */ 663 /* ARGSUSED */ 664 int 665 setgid(td, uap) 666 struct thread *td; 667 struct setgid_args *uap; 668 { 669 struct proc *p = td->td_proc; 670 struct ucred *newcred, *oldcred; 671 gid_t gid; 672 int error = 0; 673 674 gid = uap->gid; 675 676 mtx_lock(&Giant); 677 oldcred = p->p_ucred; 678 /* 679 * See if we have "permission" by POSIX 1003.1 rules. 680 * 681 * Note that setgid(getegid()) is a special case of 682 * "appropriate privileges" in appendix B.4.2.2. We need 683 * to use this clause to be compatible with traditional BSD 684 * semantics. Basically, it means that "setgid(xx)" sets all 685 * three id's (assuming you have privs). 686 * 687 * For notes on the logic here, see setuid() above. 688 */ 689 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 690 #ifdef _POSIX_SAVED_IDS 691 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 692 #endif 693 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 694 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 695 #endif 696 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 697 goto done2; 698 } 699 700 newcred = crdup(oldcred); 701 #ifdef _POSIX_SAVED_IDS 702 /* 703 * Do we have "appropriate privileges" (are we root or gid == egid) 704 * If so, we are changing the real uid and saved gid. 705 */ 706 if ( 707 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 708 gid == oldcred->cr_groups[0] || 709 #endif 710 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 711 #endif 712 { 713 /* 714 * Set real gid 715 */ 716 if (oldcred->cr_rgid != gid) { 717 change_rgid(newcred, gid); 718 setsugid(p); 719 } 720 /* 721 * Set saved gid 722 * 723 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 724 * the security of setegid() depends on it. B.4.2.2 says it 725 * is important that we should do this. 726 */ 727 if (oldcred->cr_svgid != gid) { 728 change_svgid(newcred, gid); 729 setsugid(p); 730 } 731 } 732 /* 733 * In all cases permitted cases, we are changing the egid. 734 * Copy credentials so other references do not see our changes. 735 */ 736 if (oldcred->cr_groups[0] != gid) { 737 change_egid(newcred, gid); 738 setsugid(p); 739 } 740 p->p_ucred = newcred; 741 crfree(oldcred); 742 done2: 743 mtx_unlock(&Giant); 744 return (error); 745 } 746 747 #ifndef _SYS_SYSPROTO_H_ 748 struct setegid_args { 749 gid_t egid; 750 }; 751 #endif 752 /* 753 * MPSAFE 754 */ 755 /* ARGSUSED */ 756 int 757 setegid(td, uap) 758 struct thread *td; 759 struct setegid_args *uap; 760 { 761 struct proc *p = td->td_proc; 762 struct ucred *newcred, *oldcred; 763 gid_t egid; 764 int error = 0; 765 766 egid = uap->egid; 767 768 mtx_lock(&Giant); 769 oldcred = p->p_ucred; 770 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 771 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 772 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 773 goto done2; 774 } 775 newcred = crdup(oldcred); 776 if (oldcred->cr_groups[0] != egid) { 777 change_egid(newcred, egid); 778 setsugid(p); 779 } 780 p->p_ucred = newcred; 781 crfree(oldcred); 782 done2: 783 mtx_unlock(&Giant); 784 return (error); 785 } 786 787 #ifndef _SYS_SYSPROTO_H_ 788 struct setgroups_args { 789 u_int gidsetsize; 790 gid_t *gidset; 791 }; 792 #endif 793 /* 794 * MPSAFE 795 */ 796 /* ARGSUSED */ 797 int 798 setgroups(td, uap) 799 struct thread *td; 800 struct setgroups_args *uap; 801 { 802 struct proc *p = td->td_proc; 803 struct ucred *newcred, *oldcred; 804 u_int ngrp; 805 int error; 806 807 mtx_lock(&Giant); 808 809 ngrp = uap->gidsetsize; 810 oldcred = p->p_ucred; 811 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 812 goto done2; 813 if (ngrp > NGROUPS) { 814 error = EINVAL; 815 goto done2; 816 } 817 /* 818 * XXX A little bit lazy here. We could test if anything has 819 * changed before crcopy() and setting P_SUGID. 820 */ 821 newcred = crdup(oldcred); 822 if (ngrp < 1) { 823 /* 824 * setgroups(0, NULL) is a legitimate way of clearing the 825 * groups vector on non-BSD systems (which generally do not 826 * have the egid in the groups[0]). We risk security holes 827 * when running non-BSD software if we do not do the same. 828 */ 829 newcred->cr_ngroups = 1; 830 } else { 831 if ((error = copyin((caddr_t)uap->gidset, 832 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 833 crfree(newcred); 834 goto done2; 835 } 836 newcred->cr_ngroups = ngrp; 837 } 838 setsugid(p); 839 p->p_ucred = newcred; 840 crfree(oldcred); 841 done2: 842 mtx_unlock(&Giant); 843 return (error); 844 } 845 846 #ifndef _SYS_SYSPROTO_H_ 847 struct setreuid_args { 848 uid_t ruid; 849 uid_t euid; 850 }; 851 #endif 852 /* 853 * MPSAFE 854 */ 855 /* ARGSUSED */ 856 int 857 setreuid(td, uap) 858 register struct thread *td; 859 struct setreuid_args *uap; 860 { 861 struct proc *p = td->td_proc; 862 struct ucred *newcred, *oldcred; 863 uid_t ruid, euid; 864 int error = 0; 865 866 ruid = uap->ruid; 867 euid = uap->euid; 868 869 mtx_lock(&Giant); 870 871 oldcred = p->p_ucred; 872 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 873 ruid != oldcred->cr_svuid) || 874 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 875 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 876 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 877 goto done2; 878 } 879 newcred = crdup(oldcred); 880 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 881 change_euid(newcred, euid); 882 setsugid(p); 883 } 884 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 885 change_ruid(newcred, ruid); 886 setsugid(p); 887 } 888 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 889 newcred->cr_svuid != newcred->cr_uid) { 890 change_svuid(newcred, newcred->cr_uid); 891 setsugid(p); 892 } 893 p->p_ucred = newcred; 894 crfree(oldcred); 895 done2: 896 mtx_unlock(&Giant); 897 return (error); 898 } 899 900 #ifndef _SYS_SYSPROTO_H_ 901 struct setregid_args { 902 gid_t rgid; 903 gid_t egid; 904 }; 905 #endif 906 /* 907 * MPSAFE 908 */ 909 /* ARGSUSED */ 910 int 911 setregid(td, uap) 912 register struct thread *td; 913 struct setregid_args *uap; 914 { 915 struct proc *p = td->td_proc; 916 struct ucred *newcred, *oldcred; 917 gid_t rgid, egid; 918 int error = 0; 919 920 rgid = uap->rgid; 921 egid = uap->egid; 922 923 mtx_lock(&Giant); 924 925 oldcred = p->p_ucred; 926 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 927 rgid != oldcred->cr_svgid) || 928 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 929 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 930 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 931 goto done2; 932 } 933 934 newcred = crdup(oldcred); 935 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 936 change_egid(newcred, egid); 937 setsugid(p); 938 } 939 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 940 change_rgid(newcred, rgid); 941 setsugid(p); 942 } 943 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 944 newcred->cr_svgid != newcred->cr_groups[0]) { 945 change_svgid(newcred, newcred->cr_groups[0]); 946 setsugid(p); 947 } 948 p->p_ucred = newcred; 949 crfree(oldcred); 950 done2: 951 mtx_unlock(&Giant); 952 return (error); 953 } 954 955 /* 956 * setresuid(ruid, euid, suid) is like setreuid except control over the 957 * saved uid is explicit. 958 */ 959 960 #ifndef _SYS_SYSPROTO_H_ 961 struct setresuid_args { 962 uid_t ruid; 963 uid_t euid; 964 uid_t suid; 965 }; 966 #endif 967 /* 968 * MPSAFE 969 */ 970 /* ARGSUSED */ 971 int 972 setresuid(td, uap) 973 register struct thread *td; 974 struct setresuid_args *uap; 975 { 976 struct proc *p = td->td_proc; 977 struct ucred *newcred, *oldcred; 978 uid_t ruid, euid, suid; 979 int error; 980 981 ruid = uap->ruid; 982 euid = uap->euid; 983 suid = uap->suid; 984 985 mtx_lock(&Giant); 986 oldcred = p->p_ucred; 987 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 988 ruid != oldcred->cr_svuid && 989 ruid != oldcred->cr_uid) || 990 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 991 euid != oldcred->cr_svuid && 992 euid != oldcred->cr_uid) || 993 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 994 suid != oldcred->cr_svuid && 995 suid != oldcred->cr_uid)) && 996 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 997 goto done2; 998 } 999 1000 newcred = crdup(oldcred); 1001 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1002 change_euid(newcred, euid); 1003 setsugid(p); 1004 } 1005 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1006 change_ruid(newcred, ruid); 1007 setsugid(p); 1008 } 1009 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1010 change_svuid(newcred, suid); 1011 setsugid(p); 1012 } 1013 p->p_ucred = newcred; 1014 crfree(oldcred); 1015 error = 0; 1016 done2: 1017 mtx_unlock(&Giant); 1018 return (error); 1019 } 1020 1021 /* 1022 * setresgid(rgid, egid, sgid) is like setregid except control over the 1023 * saved gid is explicit. 1024 */ 1025 1026 #ifndef _SYS_SYSPROTO_H_ 1027 struct setresgid_args { 1028 gid_t rgid; 1029 gid_t egid; 1030 gid_t sgid; 1031 }; 1032 #endif 1033 /* 1034 * MPSAFE 1035 */ 1036 /* ARGSUSED */ 1037 int 1038 setresgid(td, uap) 1039 register struct thread *td; 1040 struct setresgid_args *uap; 1041 { 1042 struct proc *p = td->td_proc; 1043 struct ucred *newcred, *oldcred; 1044 gid_t rgid, egid, sgid; 1045 int error; 1046 1047 rgid = uap->rgid; 1048 egid = uap->egid; 1049 sgid = uap->sgid; 1050 1051 mtx_lock(&Giant); 1052 oldcred = p->p_ucred; 1053 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1054 rgid != oldcred->cr_svgid && 1055 rgid != oldcred->cr_groups[0]) || 1056 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1057 egid != oldcred->cr_svgid && 1058 egid != oldcred->cr_groups[0]) || 1059 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1060 sgid != oldcred->cr_svgid && 1061 sgid != oldcred->cr_groups[0])) && 1062 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1063 goto done2; 1064 } 1065 newcred = crdup(oldcred); 1066 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1067 change_egid(newcred, egid); 1068 setsugid(p); 1069 } 1070 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1071 change_rgid(newcred, rgid); 1072 setsugid(p); 1073 } 1074 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1075 change_svgid(newcred, sgid); 1076 setsugid(p); 1077 } 1078 p->p_ucred = newcred; 1079 crfree(oldcred); 1080 error = 0; 1081 done2: 1082 mtx_unlock(&Giant); 1083 return (error); 1084 } 1085 1086 #ifndef _SYS_SYSPROTO_H_ 1087 struct getresuid_args { 1088 uid_t *ruid; 1089 uid_t *euid; 1090 uid_t *suid; 1091 }; 1092 #endif 1093 /* 1094 * MPSAFE 1095 */ 1096 /* ARGSUSED */ 1097 int 1098 getresuid(td, uap) 1099 register struct thread *td; 1100 struct getresuid_args *uap; 1101 { 1102 struct ucred *cred; 1103 struct proc *p = td->td_proc; 1104 int error1 = 0, error2 = 0, error3 = 0; 1105 1106 mtx_lock(&Giant); 1107 cred = p->p_ucred; 1108 1109 if (uap->ruid) 1110 error1 = copyout((caddr_t)&cred->cr_ruid, 1111 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1112 if (uap->euid) 1113 error2 = copyout((caddr_t)&cred->cr_uid, 1114 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1115 if (uap->suid) 1116 error3 = copyout((caddr_t)&cred->cr_svuid, 1117 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1118 mtx_unlock(&Giant); 1119 return error1 ? error1 : (error2 ? error2 : error3); 1120 } 1121 1122 #ifndef _SYS_SYSPROTO_H_ 1123 struct getresgid_args { 1124 gid_t *rgid; 1125 gid_t *egid; 1126 gid_t *sgid; 1127 }; 1128 #endif 1129 /* 1130 * MPSAFE 1131 */ 1132 /* ARGSUSED */ 1133 int 1134 getresgid(td, uap) 1135 register struct thread *td; 1136 struct getresgid_args *uap; 1137 { 1138 struct ucred *cred; 1139 struct proc *p = td->td_proc; 1140 int error1 = 0, error2 = 0, error3 = 0; 1141 1142 mtx_lock(&Giant); 1143 cred = p->p_ucred; 1144 1145 if (uap->rgid) 1146 error1 = copyout((caddr_t)&cred->cr_rgid, 1147 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1148 if (uap->egid) 1149 error2 = copyout((caddr_t)&cred->cr_groups[0], 1150 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1151 if (uap->sgid) 1152 error3 = copyout((caddr_t)&cred->cr_svgid, 1153 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1154 mtx_unlock(&Giant); 1155 return error1 ? error1 : (error2 ? error2 : error3); 1156 } 1157 1158 1159 #ifndef _SYS_SYSPROTO_H_ 1160 struct issetugid_args { 1161 int dummy; 1162 }; 1163 #endif 1164 /* ARGSUSED */ 1165 int 1166 issetugid(td, uap) 1167 register struct thread *td; 1168 struct issetugid_args *uap; 1169 { 1170 struct proc *p = td->td_proc; 1171 1172 /* 1173 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1174 * we use P_SUGID because we consider changing the owners as 1175 * "tainting" as well. 1176 * This is significant for procs that start as root and "become" 1177 * a user without an exec - programs cannot know *everything* 1178 * that libc *might* have put in their data segment. 1179 */ 1180 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1181 return (0); 1182 } 1183 1184 /* 1185 * MPSAFE 1186 */ 1187 int 1188 __setugid(td, uap) 1189 struct thread *td; 1190 struct __setugid_args *uap; 1191 { 1192 #ifdef REGRESSION 1193 int error = 0; 1194 1195 mtx_lock(&Giant); 1196 switch (uap->flag) { 1197 case 0: 1198 td->td_proc->p_flag &= ~P_SUGID; 1199 break; 1200 case 1: 1201 td->td_proc->p_flag |= P_SUGID; 1202 break; 1203 default: 1204 error = EINVAL; 1205 break; 1206 } 1207 mtx_unlock(&Giant); 1208 return (error); 1209 #else /* !REGRESSION */ 1210 return (ENOSYS); 1211 #endif /* !REGRESSION */ 1212 } 1213 1214 /* 1215 * Check if gid is a member of the group set. 1216 */ 1217 int 1218 groupmember(gid, cred) 1219 gid_t gid; 1220 struct ucred *cred; 1221 { 1222 register gid_t *gp; 1223 gid_t *egp; 1224 1225 egp = &(cred->cr_groups[cred->cr_ngroups]); 1226 for (gp = cred->cr_groups; gp < egp; gp++) 1227 if (*gp == gid) 1228 return (1); 1229 return (0); 1230 } 1231 1232 /* 1233 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1234 * sysctl) determines whether the system 'super-user' policy is in effect. 1235 * If it is nonzero, an effective uid of 0 connotes special privilege, 1236 * overriding many mandatory and discretionary protections. If it is zero, 1237 * uid 0 is offered no special privilege in the kernel security policy. 1238 * Setting it to zero may seriously impact the functionality of many 1239 * existing userland programs, and should not be done without careful 1240 * consideration of the consequences. 1241 */ 1242 int suser_enabled = 1; 1243 SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1244 &suser_enabled, 0, "processes with uid 0 have privilege"); 1245 1246 /* 1247 * Test whether the specified credentials imply "super-user" privilege. 1248 * Return 0 or EPERM. 1249 */ 1250 int 1251 suser(p) 1252 struct proc *p; 1253 { 1254 return suser_xxx(0, p, 0); 1255 } 1256 1257 /* 1258 * version for when the thread pointer is available and not the proc. 1259 * (saves having to include proc.h into every file that needs to do the change.) 1260 */ 1261 int 1262 suser_td(td) 1263 1264 struct thread *td; 1265 { 1266 return suser_xxx(0, td->td_proc, 0); 1267 } 1268 1269 /* 1270 * wrapper to use if you have the thread on hand but not the proc. 1271 */ 1272 int 1273 suser_xxx_td(cred, td, flag) 1274 struct ucred *cred; 1275 struct thread *td; 1276 int flag; 1277 { 1278 return(suser_xxx(cred, td->td_proc, flag)); 1279 } 1280 1281 int 1282 suser_xxx(cred, proc, flag) 1283 struct ucred *cred; 1284 struct proc *proc; 1285 int flag; 1286 { 1287 if (!suser_enabled) 1288 return (EPERM); 1289 if (!cred && !proc) { 1290 printf("suser_xxx(): THINK!\n"); 1291 return (EPERM); 1292 } 1293 if (!cred) 1294 cred = proc->p_ucred; 1295 if (cred->cr_uid != 0) 1296 return (EPERM); 1297 if (jailed(cred) && !(flag & PRISON_ROOT)) 1298 return (EPERM); 1299 return (0); 1300 } 1301 1302 /* 1303 * Test (local, globale) securelevel values against passed required 1304 * securelevel. _gt implements (level > securelevel), and _ge implements 1305 * (level >= securelevel). Returns 0 oer EPERM. 1306 * 1307 * cr is permitted to be NULL for the time being, as there were some 1308 * existing securelevel checks that occurred without a process/credential 1309 * context. In the future this will be disallowed, so a kernel 1310 * message is displayed. 1311 */ 1312 int 1313 securelevel_gt(struct ucred *cr, int level) 1314 { 1315 1316 if (cr == NULL) { 1317 printf("securelevel_gt: cr is NULL\n"); 1318 if (level > securelevel) 1319 return (0); 1320 else 1321 return (EPERM); 1322 } else if (cr->cr_prison == NULL) { 1323 if (level > securelevel) 1324 return (0); 1325 else 1326 return (EPERM); 1327 } else { 1328 if (level > imax(cr->cr_prison->pr_securelevel, securelevel)) 1329 return (0); 1330 else 1331 return (EPERM); 1332 } 1333 1334 } 1335 1336 int 1337 securelevel_ge(struct ucred *cr, int level) 1338 { 1339 1340 if (cr == NULL) { 1341 printf("securelevel_ge: cr is NULL\n"); 1342 if (level >= securelevel) 1343 return (0); 1344 else 1345 return (EPERM); 1346 } if (cr->cr_prison == NULL) { 1347 if (level >= securelevel) 1348 return (0); 1349 else 1350 return (EPERM); 1351 } else { 1352 if (level >= imax(cr->cr_prison->pr_securelevel, securelevel)) 1353 return (0); 1354 else 1355 return (EPERM); 1356 } 1357 } 1358 1359 /* 1360 * 'seeotheruids_permitted' determines whether or not visibility of processes 1361 * and sockets with credentials holding different real uid's is possible 1362 * using a variety of system MIBs. 1363 */ 1364 static int seeotheruids_permitted = 1; 1365 SYSCTL_INT(_kern_security_bsd, OID_AUTO, seeotheruids_permitted, 1366 CTLFLAG_RW, &seeotheruids_permitted, 0, 1367 "Unprivileged processes may see subjects/objects with different real uid"); 1368 1369 /*- 1370 * Determine if u1 "can see" the subject specified by u2. 1371 * Returns: 0 for permitted, an errno value otherwise 1372 * Locks: none 1373 * References: u1 and u2 must be immutable credentials 1374 * u1 and u2 must be valid for the lifetime of the call 1375 * u1 may equal u2, in which case only one reference is required 1376 */ 1377 int 1378 cr_cansee(struct ucred *u1, struct ucred *u2) 1379 { 1380 int error; 1381 1382 if ((error = prison_check(u1, u2))) 1383 return (error); 1384 if (!seeotheruids_permitted && u1->cr_ruid != u2->cr_ruid) { 1385 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1386 return (ESRCH); 1387 } 1388 return (0); 1389 } 1390 1391 /*- 1392 * Determine if p1 "can see" the subject specified by p2. 1393 * Returns: 0 for permitted, an errno value otherwise 1394 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1395 * be held. Normally, p1 will be curproc, and a lock must be held 1396 * for p2. 1397 * References: p1 and p2 must be valid for the lifetime of the call 1398 */ 1399 int 1400 p_cansee(struct proc *p1, struct proc *p2) 1401 { 1402 1403 /* Wrap cr_cansee() for all functionality. */ 1404 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1405 } 1406 1407 /*- 1408 * Determine whether p1 may deliver the specified signal to p2. 1409 * Returns: 0 for permitted, an errno value otherwise 1410 * Locks: Sufficient locks to protect various components of p1 and p2 1411 * must be held. Normally, p1 will be curproc, and a lock must 1412 * be held for p2. 1413 * References: p1 and p2 must be valid for the lifetime of the call 1414 */ 1415 int 1416 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1417 { 1418 int error; 1419 1420 if (p1 == p2) 1421 return (0); 1422 1423 /* 1424 * Jail semantics limit the scope of signalling to p2 in the same 1425 * jail as p1, if p1 is in jail. 1426 */ 1427 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1428 return (error); 1429 1430 /* 1431 * UNIX signalling semantics require that processes in the same 1432 * session always be able to deliver SIGCONT to one another, 1433 * overriding the remaining protections. 1434 */ 1435 if (signum == SIGCONT && p1->p_session == p2->p_session) 1436 return (0); 1437 1438 /* 1439 * UNIX signal semantics depend on the status of the P_SUGID 1440 * bit on the target process. If the bit is set, then additional 1441 * restrictions are placed on the set of available signals. 1442 */ 1443 if (p2->p_flag & P_SUGID) { 1444 switch (signum) { 1445 case 0: 1446 case SIGKILL: 1447 case SIGINT: 1448 case SIGTERM: 1449 case SIGSTOP: 1450 case SIGTTIN: 1451 case SIGTTOU: 1452 case SIGTSTP: 1453 case SIGHUP: 1454 case SIGUSR1: 1455 case SIGUSR2: 1456 /* 1457 * Generally, permit job and terminal control 1458 * signals. 1459 */ 1460 break; 1461 default: 1462 /* Not permitted, privilege is required. */ 1463 error = suser_xxx(NULL, p1, PRISON_ROOT); 1464 if (error) 1465 return (error); 1466 } 1467 } 1468 1469 /* 1470 * Generally, the target credential's ruid or svuid must match the 1471 * subject credential's ruid or euid. 1472 */ 1473 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1474 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1475 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1476 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1477 /* Not permitted, try privilege. */ 1478 error = suser_xxx(NULL, p1, PRISON_ROOT); 1479 if (error) 1480 return (error); 1481 } 1482 1483 return (0); 1484 } 1485 1486 /*- 1487 * Determine whether p1 may reschedule p2 1488 * Returns: 0 for permitted, an errno value otherwise 1489 * Locks: Sufficient locks to protect various components of p1 and p2 1490 * must be held. Normally, p1 will be curproc, and a lock must 1491 * be held for p2. 1492 * References: p1 and p2 must be valid for the lifetime of the call 1493 */ 1494 int 1495 p_cansched(struct proc *p1, struct proc *p2) 1496 { 1497 int error; 1498 1499 if (p1 == p2) 1500 return (0); 1501 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1502 return (error); 1503 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1504 return (0); 1505 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1506 return (0); 1507 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1508 return (0); 1509 1510 #ifdef CAPABILITIES 1511 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1512 return (0); 1513 #endif 1514 1515 return (EPERM); 1516 } 1517 1518 /* 1519 * The 'unprivileged_procdebug_permitted' flag may be used to disable 1520 * a variety of unprivileged inter-process debugging services, including 1521 * some procfs functionality, ptrace(), and ktrace(). In the past, 1522 * inter-process debugging has been involved in a variety of security 1523 * problems, and sites not requiring the service might choose to disable it 1524 * when hardening systems. 1525 * 1526 * XXX: Should modifying and reading this variable require locking? 1527 */ 1528 static int unprivileged_procdebug_permitted = 1; 1529 SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_procdebug_permitted, 1530 CTLFLAG_RW, &unprivileged_procdebug_permitted, 0, 1531 "Unprivileged processes may use process debugging facilities"); 1532 1533 /*- 1534 * Determine whether p1 may debug p2. 1535 * Returns: 0 for permitted, an errno value otherwise 1536 * Locks: Sufficient locks to protect various components of p1 and p2 1537 * must be held. Normally, p1 will be curproc, and a lock must 1538 * be held for p2. 1539 * References: p1 and p2 must be valid for the lifetime of the call 1540 */ 1541 int 1542 p_candebug(struct proc *p1, struct proc *p2) 1543 { 1544 int error, i, grpsubset, uidsubset, credentialchanged; 1545 1546 if (!unprivileged_procdebug_permitted) { 1547 error = suser_xxx(NULL, p1, PRISON_ROOT); 1548 if (error) 1549 return (error); 1550 } 1551 1552 if (p1 == p2) 1553 return (0); 1554 1555 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1556 return (error); 1557 1558 /* 1559 * Is p2's group set a subset of p1's effective group set? This 1560 * includes p2's egid, group access list, rgid, and svgid. 1561 */ 1562 grpsubset = 1; 1563 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1564 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1565 grpsubset = 0; 1566 break; 1567 } 1568 } 1569 grpsubset = grpsubset && 1570 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1571 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1572 1573 /* 1574 * Are the uids present in p2's credential equal to p1's 1575 * effective uid? This includes p2's euid, svuid, and ruid. 1576 */ 1577 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1578 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1579 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1580 1581 /* 1582 * Has the credential of the process changed since the last exec()? 1583 */ 1584 credentialchanged = (p2->p_flag & P_SUGID); 1585 1586 /* 1587 * If p2's gids aren't a subset, or the uids aren't a subset, 1588 * or the credential has changed, require appropriate privilege 1589 * for p1 to debug p2. For POSIX.1e capabilities, this will 1590 * require CAP_SYS_PTRACE. 1591 */ 1592 if (!grpsubset || !uidsubset || credentialchanged) { 1593 error = suser_xxx(NULL, p1, PRISON_ROOT); 1594 if (error) 1595 return (error); 1596 } 1597 1598 /* can't trace init when securelevel > 0 */ 1599 if (p2->p_pid == 1) { 1600 error = securelevel_gt(p1->p_ucred, 0); 1601 if (error) 1602 return (error); 1603 } 1604 1605 /* 1606 * Can't trace a process that's currently exec'ing. 1607 * XXX: Note, this is not a security policy decision, it's a 1608 * basic correctness/functionality decision. Therefore, this check 1609 * should be moved to the caller's of p_candebug(). 1610 */ 1611 if ((p2->p_flag & P_INEXEC) != 0) 1612 return (EAGAIN); 1613 1614 return (0); 1615 } 1616 1617 /* 1618 * Allocate a zeroed cred structure. 1619 */ 1620 struct ucred * 1621 crget() 1622 { 1623 register struct ucred *cr; 1624 1625 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1626 cr->cr_ref = 1; 1627 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1628 return (cr); 1629 } 1630 1631 /* 1632 * Claim another reference to a ucred structure. 1633 */ 1634 struct ucred * 1635 crhold(cr) 1636 struct ucred *cr; 1637 { 1638 1639 mtx_lock(&cr->cr_mtx); 1640 cr->cr_ref++; 1641 mtx_unlock(&cr->cr_mtx); 1642 return (cr); 1643 } 1644 1645 1646 /* 1647 * Free a cred structure. 1648 * Throws away space when ref count gets to 0. 1649 */ 1650 void 1651 crfree(cr) 1652 struct ucred *cr; 1653 { 1654 1655 mtx_lock(&cr->cr_mtx); 1656 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1657 if (--cr->cr_ref == 0) { 1658 mtx_destroy(&cr->cr_mtx); 1659 /* 1660 * Some callers of crget(), such as nfs_statfs(), 1661 * allocate a temporary credential, but don't 1662 * allocate a uidinfo structure. 1663 */ 1664 if (cr->cr_uidinfo != NULL) 1665 uifree(cr->cr_uidinfo); 1666 if (cr->cr_ruidinfo != NULL) 1667 uifree(cr->cr_ruidinfo); 1668 /* 1669 * Free a prison, if any. 1670 */ 1671 if (jailed(cr)) 1672 prison_free(cr->cr_prison); 1673 FREE((caddr_t)cr, M_CRED); 1674 } else { 1675 mtx_unlock(&cr->cr_mtx); 1676 } 1677 } 1678 1679 /* 1680 * Check to see if this ucred is shared. 1681 */ 1682 int 1683 crshared(cr) 1684 struct ucred *cr; 1685 { 1686 int shared; 1687 1688 mtx_lock(&cr->cr_mtx); 1689 shared = (cr->cr_ref > 1); 1690 mtx_unlock(&cr->cr_mtx); 1691 return (shared); 1692 } 1693 1694 /* 1695 * Copy a ucred's contents from a template. Does not block. 1696 */ 1697 void 1698 crcopy(dest, src) 1699 struct ucred *dest, *src; 1700 { 1701 1702 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1703 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1704 (unsigned)((caddr_t)&src->cr_endcopy - 1705 (caddr_t)&src->cr_startcopy)); 1706 uihold(dest->cr_uidinfo); 1707 uihold(dest->cr_ruidinfo); 1708 if (jailed(dest)) 1709 prison_hold(dest->cr_prison); 1710 } 1711 1712 /* 1713 * Dup cred struct to a new held one. 1714 */ 1715 struct ucred * 1716 crdup(cr) 1717 struct ucred *cr; 1718 { 1719 struct ucred *newcr; 1720 1721 newcr = crget(); 1722 crcopy(newcr, cr); 1723 return (newcr); 1724 } 1725 1726 /* 1727 * Get login name, if available. 1728 */ 1729 #ifndef _SYS_SYSPROTO_H_ 1730 struct getlogin_args { 1731 char *namebuf; 1732 u_int namelen; 1733 }; 1734 #endif 1735 /* 1736 * MPSAFE 1737 */ 1738 /* ARGSUSED */ 1739 int 1740 getlogin(td, uap) 1741 struct thread *td; 1742 struct getlogin_args *uap; 1743 { 1744 int error; 1745 struct proc *p = td->td_proc; 1746 1747 mtx_lock(&Giant); 1748 if (uap->namelen > MAXLOGNAME) 1749 uap->namelen = MAXLOGNAME; 1750 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1751 (caddr_t) uap->namebuf, uap->namelen); 1752 mtx_unlock(&Giant); 1753 return(error); 1754 } 1755 1756 /* 1757 * Set login name. 1758 */ 1759 #ifndef _SYS_SYSPROTO_H_ 1760 struct setlogin_args { 1761 char *namebuf; 1762 }; 1763 #endif 1764 /* 1765 * MPSAFE 1766 */ 1767 /* ARGSUSED */ 1768 int 1769 setlogin(td, uap) 1770 struct thread *td; 1771 struct setlogin_args *uap; 1772 { 1773 struct proc *p = td->td_proc; 1774 int error; 1775 char logintmp[MAXLOGNAME]; 1776 1777 mtx_lock(&Giant); 1778 if ((error = suser_xxx(0, p, PRISON_ROOT))) 1779 goto done2; 1780 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1781 sizeof(logintmp), (size_t *)0); 1782 if (error == ENAMETOOLONG) { 1783 error = EINVAL; 1784 } else if (!error) { 1785 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1786 sizeof(logintmp)); 1787 } 1788 done2: 1789 mtx_unlock(&Giant); 1790 return (error); 1791 } 1792 1793 void 1794 setsugid(p) 1795 struct proc *p; 1796 { 1797 p->p_flag |= P_SUGID; 1798 if (!(p->p_pfsflags & PF_ISUGID)) 1799 p->p_stops = 0; 1800 } 1801 1802 /*- 1803 * Change a process's effective uid. 1804 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1805 * References: newcred must be an exclusive credential reference for the 1806 * duration of the call. 1807 */ 1808 void 1809 change_euid(newcred, euid) 1810 struct ucred *newcred; 1811 uid_t euid; 1812 { 1813 1814 newcred->cr_uid = euid; 1815 uifree(newcred->cr_uidinfo); 1816 newcred->cr_uidinfo = uifind(euid); 1817 } 1818 1819 /*- 1820 * Change a process's effective gid. 1821 * Side effects: newcred->cr_gid will be modified. 1822 * References: newcred must be an exclusive credential reference for the 1823 * duration of the call. 1824 */ 1825 void 1826 change_egid(newcred, egid) 1827 struct ucred *newcred; 1828 gid_t egid; 1829 { 1830 1831 newcred->cr_groups[0] = egid; 1832 } 1833 1834 /*- 1835 * Change a process's real uid. 1836 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1837 * will be updated, and the old and new cr_ruidinfo proc 1838 * counts will be updated. 1839 * References: newcred must be an exclusive credential reference for the 1840 * duration of the call. 1841 */ 1842 void 1843 change_ruid(newcred, ruid) 1844 struct ucred *newcred; 1845 uid_t ruid; 1846 { 1847 1848 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1849 newcred->cr_ruid = ruid; 1850 uifree(newcred->cr_ruidinfo); 1851 newcred->cr_ruidinfo = uifind(ruid); 1852 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1853 } 1854 1855 /*- 1856 * Change a process's real gid. 1857 * Side effects: newcred->cr_rgid will be updated. 1858 * References: newcred must be an exclusive credential reference for the 1859 * duration of the call. 1860 */ 1861 void 1862 change_rgid(newcred, rgid) 1863 struct ucred *newcred; 1864 gid_t rgid; 1865 { 1866 1867 newcred->cr_rgid = rgid; 1868 } 1869 1870 /*- 1871 * Change a process's saved uid. 1872 * Side effects: newcred->cr_svuid will be updated. 1873 * References: newcred must be an exclusive credential reference for the 1874 * duration of the call. 1875 */ 1876 void 1877 change_svuid(newcred, svuid) 1878 struct ucred *newcred; 1879 uid_t svuid; 1880 { 1881 1882 newcred->cr_svuid = svuid; 1883 } 1884 1885 /*- 1886 * Change a process's saved gid. 1887 * Side effects: newcred->cr_svgid will be updated. 1888 * References: newcred must be an exclusive credential reference for the 1889 * duration of the call. 1890 */ 1891 void 1892 change_svgid(newcred, svgid) 1893 struct ucred *newcred; 1894 gid_t svgid; 1895 { 1896 1897 newcred->cr_svgid = svgid; 1898 } 1899