1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/abi_compat.h> 51 #include <sys/acct.h> 52 #include <sys/kdb.h> 53 #include <sys/kernel.h> 54 #include <sys/libkern.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef MAC 78 #include <security/mac/mac_syscalls.h> 79 #endif 80 81 #include <vm/uma.h> 82 83 #ifdef REGRESSION 84 FEATURE(regression, 85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 86 #endif 87 88 #include <security/audit/audit.h> 89 #include <security/mac/mac_framework.h> 90 91 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 92 93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 94 "BSD security policy"); 95 96 static void crfree_final(struct ucred *cr); 97 98 static inline void 99 groups_check_positive_len(int ngrp) 100 { 101 MPASS2(ngrp >= 0, "negative number of groups"); 102 } 103 static inline void 104 groups_check_max_len(int ngrp) 105 { 106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups"); 107 } 108 109 static void groups_normalize(int *ngrp, gid_t *groups); 110 static void crsetgroups_internal(struct ucred *cr, int ngrp, 111 const gid_t *groups); 112 113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 116 117 #ifndef _SYS_SYSPROTO_H_ 118 struct getpid_args { 119 int dummy; 120 }; 121 #endif 122 /* ARGSUSED */ 123 int 124 sys_getpid(struct thread *td, struct getpid_args *uap) 125 { 126 struct proc *p = td->td_proc; 127 128 td->td_retval[0] = p->p_pid; 129 #if defined(COMPAT_43) 130 if (SV_PROC_FLAG(p, SV_AOUT)) 131 td->td_retval[1] = kern_getppid(td); 132 #endif 133 return (0); 134 } 135 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getppid_args { 138 int dummy; 139 }; 140 #endif 141 /* ARGSUSED */ 142 int 143 sys_getppid(struct thread *td, struct getppid_args *uap) 144 { 145 146 td->td_retval[0] = kern_getppid(td); 147 return (0); 148 } 149 150 int 151 kern_getppid(struct thread *td) 152 { 153 struct proc *p = td->td_proc; 154 155 return (p->p_oppid); 156 } 157 158 /* 159 * Get process group ID; note that POSIX getpgrp takes no parameter. 160 */ 161 #ifndef _SYS_SYSPROTO_H_ 162 struct getpgrp_args { 163 int dummy; 164 }; 165 #endif 166 int 167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 168 { 169 struct proc *p = td->td_proc; 170 171 PROC_LOCK(p); 172 td->td_retval[0] = p->p_pgrp->pg_id; 173 PROC_UNLOCK(p); 174 return (0); 175 } 176 177 /* Get an arbitrary pid's process group id */ 178 #ifndef _SYS_SYSPROTO_H_ 179 struct getpgid_args { 180 pid_t pid; 181 }; 182 #endif 183 int 184 sys_getpgid(struct thread *td, struct getpgid_args *uap) 185 { 186 struct proc *p; 187 int error; 188 189 if (uap->pid == 0) { 190 p = td->td_proc; 191 PROC_LOCK(p); 192 } else { 193 p = pfind(uap->pid); 194 if (p == NULL) 195 return (ESRCH); 196 error = p_cansee(td, p); 197 if (error) { 198 PROC_UNLOCK(p); 199 return (error); 200 } 201 } 202 td->td_retval[0] = p->p_pgrp->pg_id; 203 PROC_UNLOCK(p); 204 return (0); 205 } 206 207 /* 208 * Get an arbitrary pid's session id. 209 */ 210 #ifndef _SYS_SYSPROTO_H_ 211 struct getsid_args { 212 pid_t pid; 213 }; 214 #endif 215 int 216 sys_getsid(struct thread *td, struct getsid_args *uap) 217 { 218 219 return (kern_getsid(td, uap->pid)); 220 } 221 222 int 223 kern_getsid(struct thread *td, pid_t pid) 224 { 225 struct proc *p; 226 int error; 227 228 if (pid == 0) { 229 p = td->td_proc; 230 PROC_LOCK(p); 231 } else { 232 p = pfind(pid); 233 if (p == NULL) 234 return (ESRCH); 235 error = p_cansee(td, p); 236 if (error) { 237 PROC_UNLOCK(p); 238 return (error); 239 } 240 } 241 td->td_retval[0] = p->p_session->s_sid; 242 PROC_UNLOCK(p); 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getuid_args { 248 int dummy; 249 }; 250 #endif 251 /* ARGSUSED */ 252 int 253 sys_getuid(struct thread *td, struct getuid_args *uap) 254 { 255 256 td->td_retval[0] = td->td_ucred->cr_ruid; 257 #if defined(COMPAT_43) 258 td->td_retval[1] = td->td_ucred->cr_uid; 259 #endif 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct geteuid_args { 265 int dummy; 266 }; 267 #endif 268 /* ARGSUSED */ 269 int 270 sys_geteuid(struct thread *td, struct geteuid_args *uap) 271 { 272 273 td->td_retval[0] = td->td_ucred->cr_uid; 274 return (0); 275 } 276 277 #ifndef _SYS_SYSPROTO_H_ 278 struct getgid_args { 279 int dummy; 280 }; 281 #endif 282 /* ARGSUSED */ 283 int 284 sys_getgid(struct thread *td, struct getgid_args *uap) 285 { 286 287 td->td_retval[0] = td->td_ucred->cr_rgid; 288 #if defined(COMPAT_43) 289 td->td_retval[1] = td->td_ucred->cr_gid; 290 #endif 291 return (0); 292 } 293 294 #ifndef _SYS_SYSPROTO_H_ 295 struct getegid_args { 296 int dummy; 297 }; 298 #endif 299 /* ARGSUSED */ 300 int 301 sys_getegid(struct thread *td, struct getegid_args *uap) 302 { 303 304 td->td_retval[0] = td->td_ucred->cr_gid; 305 return (0); 306 } 307 308 #ifdef COMPAT_FREEBSD14 309 int 310 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap) 311 { 312 struct ucred *cred; 313 int ngrp, error; 314 315 cred = td->td_ucred; 316 317 /* 318 * For FreeBSD < 15.0, we account for the egid being placed at the 319 * beginning of the group list prior to all supplementary groups. 320 */ 321 ngrp = cred->cr_ngroups + 1; 322 if (uap->gidsetsize == 0) { 323 error = 0; 324 goto out; 325 } else if (uap->gidsetsize < ngrp) { 326 return (EINVAL); 327 } 328 329 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t)); 330 if (error == 0) 331 error = copyout(cred->cr_groups, uap->gidset + 1, 332 (ngrp - 1) * sizeof(gid_t)); 333 334 out: 335 td->td_retval[0] = ngrp; 336 return (error); 337 338 } 339 #endif /* COMPAT_FREEBSD14 */ 340 341 #ifndef _SYS_SYSPROTO_H_ 342 struct getgroups_args { 343 int gidsetsize; 344 gid_t *gidset; 345 }; 346 #endif 347 int 348 sys_getgroups(struct thread *td, struct getgroups_args *uap) 349 { 350 struct ucred *cred; 351 int ngrp, error; 352 353 cred = td->td_ucred; 354 355 ngrp = cred->cr_ngroups; 356 if (uap->gidsetsize == 0) { 357 error = 0; 358 goto out; 359 } 360 if (uap->gidsetsize < ngrp) 361 return (EINVAL); 362 363 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 364 out: 365 td->td_retval[0] = ngrp; 366 return (error); 367 } 368 369 #ifndef _SYS_SYSPROTO_H_ 370 struct setsid_args { 371 int dummy; 372 }; 373 #endif 374 /* ARGSUSED */ 375 int 376 sys_setsid(struct thread *td, struct setsid_args *uap) 377 { 378 struct pgrp *pgrp; 379 int error; 380 struct proc *p = td->td_proc; 381 struct pgrp *newpgrp; 382 struct session *newsess; 383 384 pgrp = NULL; 385 386 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 387 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 388 389 again: 390 error = 0; 391 sx_xlock(&proctree_lock); 392 393 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 394 if (pgrp != NULL) 395 PGRP_UNLOCK(pgrp); 396 error = EPERM; 397 } else { 398 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 399 if (error == ERESTART) 400 goto again; 401 MPASS(error == 0); 402 td->td_retval[0] = p->p_pid; 403 newpgrp = NULL; 404 newsess = NULL; 405 } 406 407 sx_xunlock(&proctree_lock); 408 409 uma_zfree(pgrp_zone, newpgrp); 410 free(newsess, M_SESSION); 411 412 return (error); 413 } 414 415 /* 416 * set process group (setpgid/old setpgrp) 417 * 418 * caller does setpgid(targpid, targpgid) 419 * 420 * pid must be caller or child of caller (ESRCH) 421 * if a child 422 * pid must be in same session (EPERM) 423 * pid can't have done an exec (EACCES) 424 * if pgid != pid 425 * there must exist some pid in same session having pgid (EPERM) 426 * pid must not be session leader (EPERM) 427 */ 428 #ifndef _SYS_SYSPROTO_H_ 429 struct setpgid_args { 430 int pid; /* target process id */ 431 int pgid; /* target pgrp id */ 432 }; 433 #endif 434 /* ARGSUSED */ 435 int 436 sys_setpgid(struct thread *td, struct setpgid_args *uap) 437 { 438 struct proc *curp = td->td_proc; 439 struct proc *targp; /* target process */ 440 struct pgrp *pgrp; /* target pgrp */ 441 int error; 442 struct pgrp *newpgrp; 443 444 if (uap->pgid < 0) 445 return (EINVAL); 446 447 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 448 449 again: 450 error = 0; 451 452 sx_xlock(&proctree_lock); 453 if (uap->pid != 0 && uap->pid != curp->p_pid) { 454 if ((targp = pfind(uap->pid)) == NULL) { 455 error = ESRCH; 456 goto done; 457 } 458 if (!inferior(targp)) { 459 PROC_UNLOCK(targp); 460 error = ESRCH; 461 goto done; 462 } 463 if ((error = p_cansee(td, targp))) { 464 PROC_UNLOCK(targp); 465 goto done; 466 } 467 if (targp->p_pgrp == NULL || 468 targp->p_session != curp->p_session) { 469 PROC_UNLOCK(targp); 470 error = EPERM; 471 goto done; 472 } 473 if (targp->p_flag & P_EXEC) { 474 PROC_UNLOCK(targp); 475 error = EACCES; 476 goto done; 477 } 478 PROC_UNLOCK(targp); 479 } else 480 targp = curp; 481 if (SESS_LEADER(targp)) { 482 error = EPERM; 483 goto done; 484 } 485 if (uap->pgid == 0) 486 uap->pgid = targp->p_pid; 487 if ((pgrp = pgfind(uap->pgid)) == NULL) { 488 if (uap->pgid == targp->p_pid) { 489 error = enterpgrp(targp, uap->pgid, newpgrp, 490 NULL); 491 if (error == 0) 492 newpgrp = NULL; 493 } else 494 error = EPERM; 495 } else { 496 if (pgrp == targp->p_pgrp) { 497 PGRP_UNLOCK(pgrp); 498 goto done; 499 } 500 if (pgrp->pg_id != targp->p_pid && 501 pgrp->pg_session != curp->p_session) { 502 PGRP_UNLOCK(pgrp); 503 error = EPERM; 504 goto done; 505 } 506 PGRP_UNLOCK(pgrp); 507 error = enterthispgrp(targp, pgrp); 508 } 509 done: 510 KASSERT(error == 0 || newpgrp != NULL, 511 ("setpgid failed and newpgrp is NULL")); 512 if (error == ERESTART) 513 goto again; 514 sx_xunlock(&proctree_lock); 515 uma_zfree(pgrp_zone, newpgrp); 516 return (error); 517 } 518 519 static int 520 gidp_cmp(const void *p1, const void *p2) 521 { 522 const gid_t g1 = *(const gid_t *)p1; 523 const gid_t g2 = *(const gid_t *)p2; 524 525 return ((g1 > g2) - (g1 < g2)); 526 } 527 528 /* 529 * 'smallgroups' must be an (uninitialized) array of length CRED_SMALLGROUPS_NB. 530 * Always sets 'sc_supp_groups', either to a valid kernel-space groups array 531 * (which may or may not be 'smallgroups'), or NULL if SETCREDF_SUPP_GROUPS was 532 * not specified or there are too many groups, or a buffer containing garbage on 533 * copyin() failure. In the last two cases, 'sc_supp_groups_nb' is additionally 534 * set to 0 as a security measure. 'sc_supp_groups' must be freed (M_TEMP) if 535 * not equal to 'smallgroups' even on failure. 536 */ 537 static int 538 user_setcred_copyin_supp_groups(struct setcred *const wcred, 539 const u_int flags, gid_t *const smallgroups) 540 { 541 gid_t *groups; 542 int error; 543 544 if ((flags & SETCREDF_SUPP_GROUPS) == 0) { 545 error = 0; 546 goto reset_groups_exit; 547 } 548 549 /* 550 * Check the number of groups' limit right now in order to limit the 551 * amount of bytes to copy. 552 */ 553 if (wcred->sc_supp_groups_nb > ngroups_max) { 554 error = EINVAL; 555 goto reset_groups_exit; 556 } 557 558 groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? 559 smallgroups : malloc(wcred->sc_supp_groups_nb * sizeof(gid_t), 560 M_TEMP, M_WAITOK); 561 error = copyin(wcred->sc_supp_groups, groups, 562 wcred->sc_supp_groups_nb * sizeof(gid_t)); 563 wcred->sc_supp_groups = groups; 564 565 if (error != 0) { 566 wcred->sc_supp_groups_nb = 0; 567 /* 568 * 'sc_supp_groups' must be freed by caller if not 569 * 'smallgroups'. 570 */ 571 return (error); 572 } 573 574 return (0); 575 576 reset_groups_exit: 577 wcred->sc_supp_groups_nb = 0; 578 wcred->sc_supp_groups = NULL; 579 return (error); 580 } 581 582 int 583 user_setcred(struct thread *td, const u_int flags, struct setcred *const wcred) 584 { 585 #ifdef MAC 586 struct mac mac; 587 /* Pointer to 'struct mac' or 'struct mac32'. */ 588 void *umac; 589 #endif 590 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 591 int error; 592 593 /* 594 * As the only point of this wrapper function is to copyin() from 595 * userland, we only interpret the data pieces we need to perform this 596 * operation and defer further sanity checks to kern_setcred(), except 597 * that we redundantly check here that no unknown flags have been 598 * passed. 599 */ 600 if ((flags & ~SETCREDF_MASK) != 0) 601 return (EINVAL); 602 603 #ifdef MAC 604 umac = wcred->sc_label; 605 #endif 606 /* Also done on !MAC as a defensive measure. */ 607 wcred->sc_label = NULL; 608 609 /* 610 * Copy supplementary groups as needed. There is no specific 611 * alternative for 32-bit compatibility as 'gid_t' has the same size 612 * everywhere. 613 */ 614 error = user_setcred_copyin_supp_groups(wcred, flags, smallgroups); 615 if (error != 0) 616 goto free_groups; 617 618 #ifdef MAC 619 if ((flags & SETCREDF_MAC_LABEL) != 0) { 620 error = mac_label_copyin(umac, &mac, NULL); 621 if (error != 0) 622 goto free_groups; 623 wcred->sc_label = &mac; 624 } 625 #endif 626 627 error = kern_setcred(td, flags, wcred); 628 629 #ifdef MAC 630 if (wcred->sc_label != NULL) 631 free_copied_label(wcred->sc_label); 632 #endif 633 634 free_groups: 635 if (wcred->sc_supp_groups != smallgroups) 636 free(wcred->sc_supp_groups, M_TEMP); 637 638 return (error); 639 } 640 641 #ifndef _SYS_SYSPROTO_H_ 642 struct setcred_args { 643 u_int flags; /* Flags. */ 644 const struct setcred *wcred; 645 size_t size; /* Passed 'setcred' structure length. */ 646 }; 647 #endif 648 /* ARGSUSED */ 649 int 650 sys_setcred(struct thread *td, struct setcred_args *uap) 651 { 652 struct setcred wcred; 653 int error; 654 655 if (uap->size != sizeof(wcred)) 656 return (EINVAL); 657 error = copyin(uap->wcred, &wcred, sizeof(wcred)); 658 if (error != 0) 659 return (error); 660 return (user_setcred(td, uap->flags, &wcred)); 661 } 662 663 /* 664 * CAUTION: This function normalizes groups in 'wcred'. 665 */ 666 int 667 kern_setcred(struct thread *const td, const u_int flags, 668 struct setcred *const wcred) 669 { 670 struct proc *const p = td->td_proc; 671 struct ucred *new_cred, *old_cred, *to_free_cred = NULL; 672 struct uidinfo *uip = NULL, *ruip = NULL; 673 #ifdef MAC 674 void *mac_set_proc_data = NULL; 675 bool proc_label_set = false; 676 #endif 677 int error; 678 bool cred_set = false; 679 680 /* Bail out on unrecognized flags. */ 681 if (flags & ~SETCREDF_MASK) 682 return (EINVAL); 683 684 /* 685 * Part 1: We allocate and perform preparatory operations with no locks. 686 */ 687 688 if ((flags & SETCREDF_SUPP_GROUPS) != 0 && 689 wcred->sc_supp_groups_nb > ngroups_max) 690 return (EINVAL); 691 692 if (flags & SETCREDF_MAC_LABEL) { 693 #ifdef MAC 694 error = mac_set_proc_prepare(td, wcred->sc_label, 695 &mac_set_proc_data); 696 if (error != 0) 697 return (error); 698 #else 699 return (ENOTSUP); 700 #endif 701 } 702 703 if (flags & SETCREDF_UID) { 704 AUDIT_ARG_EUID(wcred->sc_uid); 705 uip = uifind(wcred->sc_uid); 706 } 707 if (flags & SETCREDF_RUID) { 708 AUDIT_ARG_RUID(wcred->sc_ruid); 709 ruip = uifind(wcred->sc_ruid); 710 } 711 if (flags & SETCREDF_SVUID) 712 AUDIT_ARG_SUID(wcred->sc_svuid); 713 714 if (flags & SETCREDF_GID) 715 AUDIT_ARG_EGID(wcred->sc_gid); 716 if (flags & SETCREDF_RGID) 717 AUDIT_ARG_RGID(wcred->sc_rgid); 718 if (flags & SETCREDF_SVGID) 719 AUDIT_ARG_SGID(wcred->sc_svgid); 720 if (flags & SETCREDF_SUPP_GROUPS) { 721 /* 722 * Output the raw supplementary groups array for better 723 * traceability. 724 */ 725 AUDIT_ARG_GROUPSET(wcred->sc_supp_groups, 726 wcred->sc_supp_groups_nb); 727 groups_normalize(&wcred->sc_supp_groups_nb, 728 wcred->sc_supp_groups); 729 } 730 731 /* 732 * We first completely build the new credentials and only then pass them 733 * to MAC along with the old ones so that modules can check whether the 734 * requested transition is allowed. 735 */ 736 new_cred = crget(); 737 to_free_cred = new_cred; 738 if (flags & SETCREDF_SUPP_GROUPS) 739 crextend(new_cred, wcred->sc_supp_groups_nb); 740 741 #ifdef MAC 742 mac_cred_setcred_enter(); 743 #endif 744 745 /* 746 * Part 2: We grab the process lock as to have a stable view of its 747 * current credentials, and prepare a copy of them with the requested 748 * changes applied under that lock. 749 */ 750 751 PROC_LOCK(p); 752 old_cred = crcopysafe(p, new_cred); 753 754 /* 755 * Change user IDs. 756 */ 757 if (flags & SETCREDF_UID) 758 change_euid(new_cred, uip); 759 if (flags & SETCREDF_RUID) 760 change_ruid(new_cred, ruip); 761 if (flags & SETCREDF_SVUID) 762 change_svuid(new_cred, wcred->sc_svuid); 763 764 /* 765 * Change groups. 766 */ 767 if (flags & SETCREDF_SUPP_GROUPS) 768 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb, 769 wcred->sc_supp_groups); 770 if (flags & SETCREDF_GID) 771 change_egid(new_cred, wcred->sc_gid); 772 if (flags & SETCREDF_RGID) 773 change_rgid(new_cred, wcred->sc_rgid); 774 if (flags & SETCREDF_SVGID) 775 change_svgid(new_cred, wcred->sc_svgid); 776 777 #ifdef MAC 778 /* 779 * Change the MAC label. 780 */ 781 if (flags & SETCREDF_MAC_LABEL) { 782 error = mac_set_proc_core(td, new_cred, mac_set_proc_data); 783 if (error != 0) 784 goto unlock_finish; 785 proc_label_set = true; 786 } 787 788 /* 789 * MAC security modules checks. 790 */ 791 error = mac_cred_check_setcred(flags, old_cred, new_cred); 792 if (error != 0) 793 goto unlock_finish; 794 #endif 795 /* 796 * Privilege check. 797 */ 798 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED); 799 if (error != 0) 800 goto unlock_finish; 801 802 #ifdef RACCT 803 /* 804 * Hold a reference to 'new_cred', as we need to call some functions on 805 * it after proc_set_cred_enforce_proc_lim(). 806 */ 807 crhold(new_cred); 808 #endif 809 810 /* Set the new credentials. */ 811 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred); 812 if (cred_set) { 813 setsugid(p); 814 #ifdef RACCT 815 /* Adjust RACCT counters. */ 816 racct_proc_ucred_changed(p, old_cred, new_cred); 817 #endif 818 to_free_cred = old_cred; 819 MPASS(error == 0); 820 } else { 821 #ifdef RACCT 822 /* Matches the crhold() just before the containing 'if'. */ 823 crfree(new_cred); 824 #endif 825 error = EAGAIN; 826 } 827 828 unlock_finish: 829 PROC_UNLOCK(p); 830 831 /* 832 * Part 3: After releasing the process lock, we perform cleanups and 833 * finishing operations. 834 */ 835 836 #ifdef RACCT 837 if (cred_set) { 838 #ifdef RCTL 839 rctl_proc_ucred_changed(p, new_cred); 840 #endif 841 /* Paired with the crhold() above. */ 842 crfree(new_cred); 843 } 844 #endif 845 846 #ifdef MAC 847 if (mac_set_proc_data != NULL) 848 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data); 849 mac_cred_setcred_exit(); 850 #endif 851 crfree(to_free_cred); 852 if (uip != NULL) 853 uifree(uip); 854 if (ruip != NULL) 855 uifree(ruip); 856 857 return (error); 858 } 859 860 /* 861 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 862 * compatible. It says that setting the uid/gid to euid/egid is a special 863 * case of "appropriate privilege". Once the rules are expanded out, this 864 * basically means that setuid(nnn) sets all three id's, in all permitted 865 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 866 * does not set the saved id - this is dangerous for traditional BSD 867 * programs. For this reason, we *really* do not want to set 868 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 869 */ 870 #define POSIX_APPENDIX_B_4_2_2 871 872 #ifndef _SYS_SYSPROTO_H_ 873 struct setuid_args { 874 uid_t uid; 875 }; 876 #endif 877 /* ARGSUSED */ 878 int 879 sys_setuid(struct thread *td, struct setuid_args *uap) 880 { 881 struct proc *p = td->td_proc; 882 struct ucred *newcred, *oldcred; 883 uid_t uid; 884 struct uidinfo *uip; 885 int error; 886 887 uid = uap->uid; 888 AUDIT_ARG_UID(uid); 889 newcred = crget(); 890 uip = uifind(uid); 891 PROC_LOCK(p); 892 /* 893 * Copy credentials so other references do not see our changes. 894 */ 895 oldcred = crcopysafe(p, newcred); 896 897 #ifdef MAC 898 error = mac_cred_check_setuid(oldcred, uid); 899 if (error) 900 goto fail; 901 #endif 902 903 /* 904 * See if we have "permission" by POSIX 1003.1 rules. 905 * 906 * Note that setuid(geteuid()) is a special case of 907 * "appropriate privileges" in appendix B.4.2.2. We need 908 * to use this clause to be compatible with traditional BSD 909 * semantics. Basically, it means that "setuid(xx)" sets all 910 * three id's (assuming you have privs). 911 * 912 * Notes on the logic. We do things in three steps. 913 * 1: We determine if the euid is going to change, and do EPERM 914 * right away. We unconditionally change the euid later if this 915 * test is satisfied, simplifying that part of the logic. 916 * 2: We determine if the real and/or saved uids are going to 917 * change. Determined by compile options. 918 * 3: Change euid last. (after tests in #2 for "appropriate privs") 919 */ 920 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 921 #ifdef _POSIX_SAVED_IDS 922 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 923 #endif 924 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 925 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 926 #endif 927 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 928 goto fail; 929 930 #ifdef _POSIX_SAVED_IDS 931 /* 932 * Do we have "appropriate privileges" (are we root or uid == euid) 933 * If so, we are changing the real uid and/or saved uid. 934 */ 935 if ( 936 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 937 uid == oldcred->cr_uid || 938 #endif 939 /* We are using privs. */ 940 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 941 #endif 942 { 943 /* 944 * Set the real uid. 945 */ 946 if (uid != oldcred->cr_ruid) { 947 change_ruid(newcred, uip); 948 setsugid(p); 949 } 950 /* 951 * Set saved uid 952 * 953 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 954 * the security of seteuid() depends on it. B.4.2.2 says it 955 * is important that we should do this. 956 */ 957 if (uid != oldcred->cr_svuid) { 958 change_svuid(newcred, uid); 959 setsugid(p); 960 } 961 } 962 963 /* 964 * In all permitted cases, we are changing the euid. 965 */ 966 if (uid != oldcred->cr_uid) { 967 change_euid(newcred, uip); 968 setsugid(p); 969 } 970 971 #ifdef RACCT 972 racct_proc_ucred_changed(p, oldcred, newcred); 973 #endif 974 #ifdef RCTL 975 crhold(newcred); 976 #endif 977 /* 978 * Takes over 'newcred''s reference, so 'newcred' must not be used 979 * besides this point except on RCTL where we took an additional 980 * reference above. 981 */ 982 proc_set_cred(p, newcred); 983 PROC_UNLOCK(p); 984 #ifdef RCTL 985 rctl_proc_ucred_changed(p, newcred); 986 crfree(newcred); 987 #endif 988 uifree(uip); 989 crfree(oldcred); 990 return (0); 991 992 fail: 993 PROC_UNLOCK(p); 994 uifree(uip); 995 crfree(newcred); 996 return (error); 997 } 998 999 #ifndef _SYS_SYSPROTO_H_ 1000 struct seteuid_args { 1001 uid_t euid; 1002 }; 1003 #endif 1004 /* ARGSUSED */ 1005 int 1006 sys_seteuid(struct thread *td, struct seteuid_args *uap) 1007 { 1008 struct proc *p = td->td_proc; 1009 struct ucred *newcred, *oldcred; 1010 uid_t euid; 1011 struct uidinfo *euip; 1012 int error; 1013 1014 euid = uap->euid; 1015 AUDIT_ARG_EUID(euid); 1016 newcred = crget(); 1017 euip = uifind(euid); 1018 PROC_LOCK(p); 1019 /* 1020 * Copy credentials so other references do not see our changes. 1021 */ 1022 oldcred = crcopysafe(p, newcred); 1023 1024 #ifdef MAC 1025 error = mac_cred_check_seteuid(oldcred, euid); 1026 if (error) 1027 goto fail; 1028 #endif 1029 1030 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 1031 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 1032 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 1033 goto fail; 1034 1035 /* 1036 * Everything's okay, do it. 1037 */ 1038 if (oldcred->cr_uid != euid) { 1039 change_euid(newcred, euip); 1040 setsugid(p); 1041 } 1042 proc_set_cred(p, newcred); 1043 PROC_UNLOCK(p); 1044 uifree(euip); 1045 crfree(oldcred); 1046 return (0); 1047 1048 fail: 1049 PROC_UNLOCK(p); 1050 uifree(euip); 1051 crfree(newcred); 1052 return (error); 1053 } 1054 1055 #ifndef _SYS_SYSPROTO_H_ 1056 struct setgid_args { 1057 gid_t gid; 1058 }; 1059 #endif 1060 /* ARGSUSED */ 1061 int 1062 sys_setgid(struct thread *td, struct setgid_args *uap) 1063 { 1064 struct proc *p = td->td_proc; 1065 struct ucred *newcred, *oldcred; 1066 gid_t gid; 1067 int error; 1068 1069 gid = uap->gid; 1070 AUDIT_ARG_GID(gid); 1071 newcred = crget(); 1072 PROC_LOCK(p); 1073 oldcred = crcopysafe(p, newcred); 1074 1075 #ifdef MAC 1076 error = mac_cred_check_setgid(oldcred, gid); 1077 if (error) 1078 goto fail; 1079 #endif 1080 1081 /* 1082 * See if we have "permission" by POSIX 1003.1 rules. 1083 * 1084 * Note that setgid(getegid()) is a special case of 1085 * "appropriate privileges" in appendix B.4.2.2. We need 1086 * to use this clause to be compatible with traditional BSD 1087 * semantics. Basically, it means that "setgid(xx)" sets all 1088 * three id's (assuming you have privs). 1089 * 1090 * For notes on the logic here, see setuid() above. 1091 */ 1092 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 1093 #ifdef _POSIX_SAVED_IDS 1094 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 1095 #endif 1096 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 1097 gid != oldcred->cr_gid && /* allow setgid(getegid()) */ 1098 #endif 1099 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 1100 goto fail; 1101 1102 #ifdef _POSIX_SAVED_IDS 1103 /* 1104 * Do we have "appropriate privileges" (are we root or gid == egid) 1105 * If so, we are changing the real uid and saved gid. 1106 */ 1107 if ( 1108 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 1109 gid == oldcred->cr_gid || 1110 #endif 1111 /* We are using privs. */ 1112 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 1113 #endif 1114 { 1115 /* 1116 * Set real gid 1117 */ 1118 if (oldcred->cr_rgid != gid) { 1119 change_rgid(newcred, gid); 1120 setsugid(p); 1121 } 1122 /* 1123 * Set saved gid 1124 * 1125 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 1126 * the security of setegid() depends on it. B.4.2.2 says it 1127 * is important that we should do this. 1128 */ 1129 if (oldcred->cr_svgid != gid) { 1130 change_svgid(newcred, gid); 1131 setsugid(p); 1132 } 1133 } 1134 /* 1135 * In all cases permitted cases, we are changing the egid. 1136 * Copy credentials so other references do not see our changes. 1137 */ 1138 if (oldcred->cr_gid != gid) { 1139 change_egid(newcred, gid); 1140 setsugid(p); 1141 } 1142 proc_set_cred(p, newcred); 1143 PROC_UNLOCK(p); 1144 crfree(oldcred); 1145 return (0); 1146 1147 fail: 1148 PROC_UNLOCK(p); 1149 crfree(newcred); 1150 return (error); 1151 } 1152 1153 #ifndef _SYS_SYSPROTO_H_ 1154 struct setegid_args { 1155 gid_t egid; 1156 }; 1157 #endif 1158 /* ARGSUSED */ 1159 int 1160 sys_setegid(struct thread *td, struct setegid_args *uap) 1161 { 1162 struct proc *p = td->td_proc; 1163 struct ucred *newcred, *oldcred; 1164 gid_t egid; 1165 int error; 1166 1167 egid = uap->egid; 1168 AUDIT_ARG_EGID(egid); 1169 newcred = crget(); 1170 PROC_LOCK(p); 1171 oldcred = crcopysafe(p, newcred); 1172 1173 #ifdef MAC 1174 error = mac_cred_check_setegid(oldcred, egid); 1175 if (error) 1176 goto fail; 1177 #endif 1178 1179 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 1180 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 1181 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 1182 goto fail; 1183 1184 if (oldcred->cr_gid != egid) { 1185 change_egid(newcred, egid); 1186 setsugid(p); 1187 } 1188 proc_set_cred(p, newcred); 1189 PROC_UNLOCK(p); 1190 crfree(oldcred); 1191 return (0); 1192 1193 fail: 1194 PROC_UNLOCK(p); 1195 crfree(newcred); 1196 return (error); 1197 } 1198 1199 #ifdef COMPAT_FREEBSD14 1200 int 1201 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap) 1202 { 1203 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1204 gid_t *groups; 1205 int gidsetsize, error; 1206 1207 /* 1208 * Before FreeBSD 15.0, we allow one more group to be supplied to 1209 * account for the egid appearing before the supplementary groups. This 1210 * may technically allow one more supplementary group for systems that 1211 * did use the default NGROUPS_MAX if we round it back up to 1024. 1212 */ 1213 gidsetsize = uap->gidsetsize; 1214 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 1215 return (EINVAL); 1216 1217 if (gidsetsize > CRED_SMALLGROUPS_NB) 1218 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1219 else 1220 groups = smallgroups; 1221 1222 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1223 if (error == 0) { 1224 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0; 1225 1226 error = kern_setgroups(td, &ngroups, groups + 1); 1227 if (error == 0 && gidsetsize > 0) 1228 td->td_proc->p_ucred->cr_gid = groups[0]; 1229 } 1230 1231 if (groups != smallgroups) 1232 free(groups, M_TEMP); 1233 return (error); 1234 } 1235 #endif /* COMPAT_FREEBSD14 */ 1236 1237 #ifndef _SYS_SYSPROTO_H_ 1238 struct setgroups_args { 1239 int gidsetsize; 1240 gid_t *gidset; 1241 }; 1242 #endif 1243 /* ARGSUSED */ 1244 int 1245 sys_setgroups(struct thread *td, struct setgroups_args *uap) 1246 { 1247 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1248 gid_t *groups; 1249 int gidsetsize, error; 1250 1251 /* 1252 * Sanity check size now to avoid passing too big a value to copyin(), 1253 * even if kern_setgroups() will do it again. 1254 * 1255 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 1256 * was, in this implementation, for a long time), but POSIX standardized 1257 * getgroups() to take an 'int' and it would be quite entrapping to have 1258 * setgroups() differ. 1259 */ 1260 gidsetsize = uap->gidsetsize; 1261 if (gidsetsize > ngroups_max || gidsetsize < 0) 1262 return (EINVAL); 1263 1264 if (gidsetsize > CRED_SMALLGROUPS_NB) 1265 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1266 else 1267 groups = smallgroups; 1268 1269 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1270 if (error == 0) 1271 error = kern_setgroups(td, &gidsetsize, groups); 1272 1273 if (groups != smallgroups) 1274 free(groups, M_TEMP); 1275 return (error); 1276 } 1277 1278 /* 1279 * CAUTION: This function normalizes 'groups', possibly also changing the value 1280 * of '*ngrpp' as a consequence. 1281 */ 1282 int 1283 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 1284 { 1285 struct proc *p = td->td_proc; 1286 struct ucred *newcred, *oldcred; 1287 int ngrp, error; 1288 1289 ngrp = *ngrpp; 1290 /* Sanity check size. */ 1291 if (ngrp < 0 || ngrp > ngroups_max) 1292 return (EINVAL); 1293 1294 AUDIT_ARG_GROUPSET(groups, ngrp); 1295 1296 groups_normalize(&ngrp, groups); 1297 *ngrpp = ngrp; 1298 1299 newcred = crget(); 1300 crextend(newcred, ngrp); 1301 PROC_LOCK(p); 1302 oldcred = crcopysafe(p, newcred); 1303 1304 #ifdef MAC 1305 /* 1306 * We pass NULL here explicitly if we don't have any supplementary 1307 * groups mostly for the sake of normalization, but also to avoid/detect 1308 * a situation where a MAC module has some assumption about the layout 1309 * of `groups` matching historical behavior. 1310 */ 1311 error = mac_cred_check_setgroups(oldcred, ngrp, 1312 ngrp == 0 ? NULL : groups); 1313 if (error) 1314 goto fail; 1315 #endif 1316 1317 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1318 if (error) 1319 goto fail; 1320 1321 crsetgroups_internal(newcred, ngrp, groups); 1322 setsugid(p); 1323 proc_set_cred(p, newcred); 1324 PROC_UNLOCK(p); 1325 crfree(oldcred); 1326 return (0); 1327 1328 fail: 1329 PROC_UNLOCK(p); 1330 crfree(newcred); 1331 return (error); 1332 } 1333 1334 #ifndef _SYS_SYSPROTO_H_ 1335 struct setreuid_args { 1336 uid_t ruid; 1337 uid_t euid; 1338 }; 1339 #endif 1340 /* ARGSUSED */ 1341 int 1342 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1343 { 1344 struct proc *p = td->td_proc; 1345 struct ucred *newcred, *oldcred; 1346 uid_t euid, ruid; 1347 struct uidinfo *euip, *ruip; 1348 int error; 1349 1350 euid = uap->euid; 1351 ruid = uap->ruid; 1352 AUDIT_ARG_EUID(euid); 1353 AUDIT_ARG_RUID(ruid); 1354 newcred = crget(); 1355 euip = uifind(euid); 1356 ruip = uifind(ruid); 1357 PROC_LOCK(p); 1358 oldcred = crcopysafe(p, newcred); 1359 1360 #ifdef MAC 1361 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1362 if (error) 1363 goto fail; 1364 #endif 1365 1366 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1367 ruid != oldcred->cr_svuid) || 1368 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1369 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1370 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1371 goto fail; 1372 1373 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1374 change_euid(newcred, euip); 1375 setsugid(p); 1376 } 1377 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1378 change_ruid(newcred, ruip); 1379 setsugid(p); 1380 } 1381 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1382 newcred->cr_svuid != newcred->cr_uid) { 1383 change_svuid(newcred, newcred->cr_uid); 1384 setsugid(p); 1385 } 1386 #ifdef RACCT 1387 racct_proc_ucred_changed(p, oldcred, newcred); 1388 #endif 1389 #ifdef RCTL 1390 crhold(newcred); 1391 #endif 1392 /* 1393 * Takes over 'newcred''s reference, so 'newcred' must not be used 1394 * besides this point except on RCTL where we took an additional 1395 * reference above. 1396 */ 1397 proc_set_cred(p, newcred); 1398 PROC_UNLOCK(p); 1399 #ifdef RCTL 1400 rctl_proc_ucred_changed(p, newcred); 1401 crfree(newcred); 1402 #endif 1403 uifree(ruip); 1404 uifree(euip); 1405 crfree(oldcred); 1406 return (0); 1407 1408 fail: 1409 PROC_UNLOCK(p); 1410 uifree(ruip); 1411 uifree(euip); 1412 crfree(newcred); 1413 return (error); 1414 } 1415 1416 #ifndef _SYS_SYSPROTO_H_ 1417 struct setregid_args { 1418 gid_t rgid; 1419 gid_t egid; 1420 }; 1421 #endif 1422 /* ARGSUSED */ 1423 int 1424 sys_setregid(struct thread *td, struct setregid_args *uap) 1425 { 1426 struct proc *p = td->td_proc; 1427 struct ucred *newcred, *oldcred; 1428 gid_t egid, rgid; 1429 int error; 1430 1431 egid = uap->egid; 1432 rgid = uap->rgid; 1433 AUDIT_ARG_EGID(egid); 1434 AUDIT_ARG_RGID(rgid); 1435 newcred = crget(); 1436 PROC_LOCK(p); 1437 oldcred = crcopysafe(p, newcred); 1438 1439 #ifdef MAC 1440 error = mac_cred_check_setregid(oldcred, rgid, egid); 1441 if (error) 1442 goto fail; 1443 #endif 1444 1445 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1446 rgid != oldcred->cr_svgid) || 1447 (egid != (gid_t)-1 && egid != oldcred->cr_gid && 1448 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1449 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1450 goto fail; 1451 1452 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1453 change_egid(newcred, egid); 1454 setsugid(p); 1455 } 1456 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1457 change_rgid(newcred, rgid); 1458 setsugid(p); 1459 } 1460 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) && 1461 newcred->cr_svgid != newcred->cr_gid) { 1462 change_svgid(newcred, newcred->cr_gid); 1463 setsugid(p); 1464 } 1465 proc_set_cred(p, newcred); 1466 PROC_UNLOCK(p); 1467 crfree(oldcred); 1468 return (0); 1469 1470 fail: 1471 PROC_UNLOCK(p); 1472 crfree(newcred); 1473 return (error); 1474 } 1475 1476 /* 1477 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1478 * uid is explicit. 1479 */ 1480 #ifndef _SYS_SYSPROTO_H_ 1481 struct setresuid_args { 1482 uid_t ruid; 1483 uid_t euid; 1484 uid_t suid; 1485 }; 1486 #endif 1487 /* ARGSUSED */ 1488 int 1489 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1490 { 1491 struct proc *p = td->td_proc; 1492 struct ucred *newcred, *oldcred; 1493 uid_t euid, ruid, suid; 1494 struct uidinfo *euip, *ruip; 1495 int error; 1496 1497 euid = uap->euid; 1498 ruid = uap->ruid; 1499 suid = uap->suid; 1500 AUDIT_ARG_EUID(euid); 1501 AUDIT_ARG_RUID(ruid); 1502 AUDIT_ARG_SUID(suid); 1503 newcred = crget(); 1504 euip = uifind(euid); 1505 ruip = uifind(ruid); 1506 PROC_LOCK(p); 1507 oldcred = crcopysafe(p, newcred); 1508 1509 #ifdef MAC 1510 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1511 if (error) 1512 goto fail; 1513 #endif 1514 1515 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1516 ruid != oldcred->cr_svuid && 1517 ruid != oldcred->cr_uid) || 1518 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1519 euid != oldcred->cr_svuid && 1520 euid != oldcred->cr_uid) || 1521 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1522 suid != oldcred->cr_svuid && 1523 suid != oldcred->cr_uid)) && 1524 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1525 goto fail; 1526 1527 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1528 change_euid(newcred, euip); 1529 setsugid(p); 1530 } 1531 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1532 change_ruid(newcred, ruip); 1533 setsugid(p); 1534 } 1535 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1536 change_svuid(newcred, suid); 1537 setsugid(p); 1538 } 1539 #ifdef RACCT 1540 racct_proc_ucred_changed(p, oldcred, newcred); 1541 #endif 1542 #ifdef RCTL 1543 crhold(newcred); 1544 #endif 1545 /* 1546 * Takes over 'newcred''s reference, so 'newcred' must not be used 1547 * besides this point except on RCTL where we took an additional 1548 * reference above. 1549 */ 1550 proc_set_cred(p, newcred); 1551 PROC_UNLOCK(p); 1552 #ifdef RCTL 1553 rctl_proc_ucred_changed(p, newcred); 1554 crfree(newcred); 1555 #endif 1556 uifree(ruip); 1557 uifree(euip); 1558 crfree(oldcred); 1559 return (0); 1560 1561 fail: 1562 PROC_UNLOCK(p); 1563 uifree(ruip); 1564 uifree(euip); 1565 crfree(newcred); 1566 return (error); 1567 1568 } 1569 1570 /* 1571 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1572 * gid is explicit. 1573 */ 1574 #ifndef _SYS_SYSPROTO_H_ 1575 struct setresgid_args { 1576 gid_t rgid; 1577 gid_t egid; 1578 gid_t sgid; 1579 }; 1580 #endif 1581 /* ARGSUSED */ 1582 int 1583 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1584 { 1585 struct proc *p = td->td_proc; 1586 struct ucred *newcred, *oldcred; 1587 gid_t egid, rgid, sgid; 1588 int error; 1589 1590 egid = uap->egid; 1591 rgid = uap->rgid; 1592 sgid = uap->sgid; 1593 AUDIT_ARG_EGID(egid); 1594 AUDIT_ARG_RGID(rgid); 1595 AUDIT_ARG_SGID(sgid); 1596 newcred = crget(); 1597 PROC_LOCK(p); 1598 oldcred = crcopysafe(p, newcred); 1599 1600 #ifdef MAC 1601 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1602 if (error) 1603 goto fail; 1604 #endif 1605 1606 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1607 rgid != oldcred->cr_svgid && 1608 rgid != oldcred->cr_gid) || 1609 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1610 egid != oldcred->cr_svgid && 1611 egid != oldcred->cr_gid) || 1612 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1613 sgid != oldcred->cr_svgid && 1614 sgid != oldcred->cr_gid)) && 1615 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1616 goto fail; 1617 1618 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1619 change_egid(newcred, egid); 1620 setsugid(p); 1621 } 1622 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1623 change_rgid(newcred, rgid); 1624 setsugid(p); 1625 } 1626 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1627 change_svgid(newcred, sgid); 1628 setsugid(p); 1629 } 1630 proc_set_cred(p, newcred); 1631 PROC_UNLOCK(p); 1632 crfree(oldcred); 1633 return (0); 1634 1635 fail: 1636 PROC_UNLOCK(p); 1637 crfree(newcred); 1638 return (error); 1639 } 1640 1641 #ifndef _SYS_SYSPROTO_H_ 1642 struct getresuid_args { 1643 uid_t *ruid; 1644 uid_t *euid; 1645 uid_t *suid; 1646 }; 1647 #endif 1648 /* ARGSUSED */ 1649 int 1650 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1651 { 1652 struct ucred *cred; 1653 int error1 = 0, error2 = 0, error3 = 0; 1654 1655 cred = td->td_ucred; 1656 if (uap->ruid) 1657 error1 = copyout(&cred->cr_ruid, 1658 uap->ruid, sizeof(cred->cr_ruid)); 1659 if (uap->euid) 1660 error2 = copyout(&cred->cr_uid, 1661 uap->euid, sizeof(cred->cr_uid)); 1662 if (uap->suid) 1663 error3 = copyout(&cred->cr_svuid, 1664 uap->suid, sizeof(cred->cr_svuid)); 1665 return (error1 ? error1 : error2 ? error2 : error3); 1666 } 1667 1668 #ifndef _SYS_SYSPROTO_H_ 1669 struct getresgid_args { 1670 gid_t *rgid; 1671 gid_t *egid; 1672 gid_t *sgid; 1673 }; 1674 #endif 1675 /* ARGSUSED */ 1676 int 1677 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1678 { 1679 struct ucred *cred; 1680 int error1 = 0, error2 = 0, error3 = 0; 1681 1682 cred = td->td_ucred; 1683 if (uap->rgid) 1684 error1 = copyout(&cred->cr_rgid, 1685 uap->rgid, sizeof(cred->cr_rgid)); 1686 if (uap->egid) 1687 error2 = copyout(&cred->cr_gid, 1688 uap->egid, sizeof(cred->cr_gid)); 1689 if (uap->sgid) 1690 error3 = copyout(&cred->cr_svgid, 1691 uap->sgid, sizeof(cred->cr_svgid)); 1692 return (error1 ? error1 : error2 ? error2 : error3); 1693 } 1694 1695 #ifndef _SYS_SYSPROTO_H_ 1696 struct issetugid_args { 1697 int dummy; 1698 }; 1699 #endif 1700 /* ARGSUSED */ 1701 int 1702 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1703 { 1704 struct proc *p = td->td_proc; 1705 1706 /* 1707 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1708 * we use P_SUGID because we consider changing the owners as 1709 * "tainting" as well. 1710 * This is significant for procs that start as root and "become" 1711 * a user without an exec - programs cannot know *everything* 1712 * that libc *might* have put in their data segment. 1713 */ 1714 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1715 return (0); 1716 } 1717 1718 int 1719 sys___setugid(struct thread *td, struct __setugid_args *uap) 1720 { 1721 #ifdef REGRESSION 1722 struct proc *p; 1723 1724 p = td->td_proc; 1725 switch (uap->flag) { 1726 case 0: 1727 PROC_LOCK(p); 1728 p->p_flag &= ~P_SUGID; 1729 PROC_UNLOCK(p); 1730 return (0); 1731 case 1: 1732 PROC_LOCK(p); 1733 p->p_flag |= P_SUGID; 1734 PROC_UNLOCK(p); 1735 return (0); 1736 default: 1737 return (EINVAL); 1738 } 1739 #else /* !REGRESSION */ 1740 1741 return (ENOSYS); 1742 #endif /* REGRESSION */ 1743 } 1744 1745 #ifdef INVARIANTS 1746 static void 1747 groups_check_normalized(int ngrp, const gid_t *groups) 1748 { 1749 gid_t prev_g; 1750 1751 groups_check_positive_len(ngrp); 1752 groups_check_max_len(ngrp); 1753 1754 if (ngrp <= 1) 1755 return; 1756 1757 prev_g = groups[0]; 1758 for (int i = 1; i < ngrp; ++i) { 1759 const gid_t g = groups[i]; 1760 1761 if (prev_g >= g) 1762 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1763 __func__, i - 1, prev_g, i, g); 1764 prev_g = g; 1765 } 1766 } 1767 #else 1768 #define groups_check_normalized(...) 1769 #endif 1770 1771 /* 1772 * Returns whether gid designates a supplementary group in cred. 1773 */ 1774 bool 1775 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1776 { 1777 1778 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1779 1780 /* 1781 * Perform a binary search of the supplementary groups. This is 1782 * possible because we sort the groups in crsetgroups(). 1783 */ 1784 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups, 1785 sizeof(gid), gidp_cmp) != NULL); 1786 } 1787 1788 /* 1789 * Check if gid is a member of the (effective) group set (i.e., effective and 1790 * supplementary groups). 1791 */ 1792 bool 1793 groupmember(gid_t gid, const struct ucred *cred) 1794 { 1795 1796 groups_check_positive_len(cred->cr_ngroups); 1797 1798 if (gid == cred->cr_gid) 1799 return (true); 1800 1801 return (group_is_supplementary(gid, cred)); 1802 } 1803 1804 /* 1805 * Check if gid is a member of the real group set (i.e., real and supplementary 1806 * groups). 1807 */ 1808 bool 1809 realgroupmember(gid_t gid, const struct ucred *cred) 1810 { 1811 groups_check_positive_len(cred->cr_ngroups); 1812 1813 if (gid == cred->cr_rgid) 1814 return (true); 1815 1816 return (group_is_supplementary(gid, cred)); 1817 } 1818 1819 /* 1820 * Test the active securelevel against a given level. securelevel_gt() 1821 * implements (securelevel > level). securelevel_ge() implements 1822 * (securelevel >= level). Note that the logic is inverted -- these 1823 * functions return EPERM on "success" and 0 on "failure". 1824 * 1825 * Due to care taken when setting the securelevel, we know that no jail will 1826 * be less secure that its parent (or the physical system), so it is sufficient 1827 * to test the current jail only. 1828 * 1829 * XXXRW: Possibly since this has to do with privilege, it should move to 1830 * kern_priv.c. 1831 */ 1832 int 1833 securelevel_gt(struct ucred *cr, int level) 1834 { 1835 1836 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1837 } 1838 1839 int 1840 securelevel_ge(struct ucred *cr, int level) 1841 { 1842 1843 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1844 } 1845 1846 /* 1847 * 'see_other_uids' determines whether or not visibility of processes 1848 * and sockets with credentials holding different real uids is possible 1849 * using a variety of system MIBs. 1850 * XXX: data declarations should be together near the beginning of the file. 1851 */ 1852 static int see_other_uids = 1; 1853 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1854 &see_other_uids, 0, 1855 "Unprivileged processes may see subjects/objects with different real uid"); 1856 1857 /*- 1858 * Determine if u1 "can see" the subject specified by u2, according to the 1859 * 'see_other_uids' policy. 1860 * Returns: 0 for permitted, ESRCH otherwise 1861 * Locks: none 1862 * References: *u1 and *u2 must not change during the call 1863 * u1 may equal u2, in which case only one reference is required 1864 */ 1865 static int 1866 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1867 { 1868 1869 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1870 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1871 return (ESRCH); 1872 } 1873 return (0); 1874 } 1875 1876 /* 1877 * 'see_other_gids' determines whether or not visibility of processes 1878 * and sockets with credentials holding different real gids is possible 1879 * using a variety of system MIBs. 1880 * XXX: data declarations should be together near the beginning of the file. 1881 */ 1882 static int see_other_gids = 1; 1883 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1884 &see_other_gids, 0, 1885 "Unprivileged processes may see subjects/objects with different real gid"); 1886 1887 /* 1888 * Determine if u1 can "see" the subject specified by u2, according to the 1889 * 'see_other_gids' policy. 1890 * Returns: 0 for permitted, ESRCH otherwise 1891 * Locks: none 1892 * References: *u1 and *u2 must not change during the call 1893 * u1 may equal u2, in which case only one reference is required 1894 */ 1895 static int 1896 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1897 { 1898 if (see_other_gids) 1899 return (0); 1900 1901 /* Restriction in force. */ 1902 1903 if (realgroupmember(u1->cr_rgid, u2)) 1904 return (0); 1905 1906 for (int i = 0; i < u1->cr_ngroups; i++) 1907 if (realgroupmember(u1->cr_groups[i], u2)) 1908 return (0); 1909 1910 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0) 1911 return (0); 1912 1913 return (ESRCH); 1914 } 1915 1916 /* 1917 * 'see_jail_proc' determines whether or not visibility of processes and 1918 * sockets with credentials holding different jail ids is possible using a 1919 * variety of system MIBs. 1920 * 1921 * XXX: data declarations should be together near the beginning of the file. 1922 */ 1923 1924 static int see_jail_proc = 1; 1925 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1926 &see_jail_proc, 0, 1927 "Unprivileged processes may see subjects/objects with different jail ids"); 1928 1929 /*- 1930 * Determine if u1 "can see" the subject specified by u2, according to the 1931 * 'see_jail_proc' policy. 1932 * Returns: 0 for permitted, ESRCH otherwise 1933 * Locks: none 1934 * References: *u1 and *u2 must not change during the call 1935 * u1 may equal u2, in which case only one reference is required 1936 */ 1937 static int 1938 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1939 { 1940 if (see_jail_proc || /* Policy deactivated. */ 1941 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1942 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1943 return (0); 1944 1945 return (ESRCH); 1946 } 1947 1948 /* 1949 * Determine if u1 can tamper with the subject specified by u2, if they are in 1950 * different jails and 'unprivileged_parent_tampering' jail policy allows it. 1951 * 1952 * May be called if u1 and u2 are in the same jail, but it is expected that the 1953 * caller has already done a prison_check() prior to calling it. 1954 * 1955 * Returns: 0 for permitted, EPERM otherwise 1956 */ 1957 static int 1958 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv) 1959 { 1960 1961 MPASS(prison_check(u1, u2) == 0); 1962 if (u1->cr_prison == u2->cr_prison) 1963 return (0); 1964 1965 if (priv_check_cred(u1, priv) == 0) 1966 return (0); 1967 1968 /* 1969 * Jails do not maintain a distinct UID space, so process visibility is 1970 * all that would control an unprivileged process' ability to tamper 1971 * with a process in a subjail by default if we did not have the 1972 * allow.unprivileged_parent_tampering knob to restrict it by default. 1973 */ 1974 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER)) 1975 return (0); 1976 1977 return (EPERM); 1978 } 1979 1980 /* 1981 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1982 * policies. Determines if u1 "can see" u2 according to these policies. 1983 * Returns: 0 for permitted, ESRCH otherwise 1984 */ 1985 int 1986 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1987 { 1988 int error; 1989 1990 error = cr_canseeotheruids(u1, u2); 1991 if (error != 0) 1992 return (error); 1993 error = cr_canseeothergids(u1, u2); 1994 if (error != 0) 1995 return (error); 1996 error = cr_canseejailproc(u1, u2); 1997 if (error != 0) 1998 return (error); 1999 return (0); 2000 } 2001 2002 /*- 2003 * Determine if u1 "can see" the subject specified by u2. 2004 * Returns: 0 for permitted, an errno value otherwise 2005 * Locks: none 2006 * References: *u1 and *u2 must not change during the call 2007 * u1 may equal u2, in which case only one reference is required 2008 */ 2009 int 2010 cr_cansee(struct ucred *u1, struct ucred *u2) 2011 { 2012 int error; 2013 2014 if ((error = prison_check(u1, u2))) 2015 return (error); 2016 #ifdef MAC 2017 if ((error = mac_cred_check_visible(u1, u2))) 2018 return (error); 2019 #endif 2020 if ((error = cr_bsd_visible(u1, u2))) 2021 return (error); 2022 return (0); 2023 } 2024 2025 /*- 2026 * Determine if td "can see" the subject specified by p. 2027 * Returns: 0 for permitted, an errno value otherwise 2028 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 2029 * should be curthread. 2030 * References: td and p must be valid for the lifetime of the call 2031 */ 2032 int 2033 p_cansee(struct thread *td, struct proc *p) 2034 { 2035 /* Wrap cr_cansee() for all functionality. */ 2036 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2037 PROC_LOCK_ASSERT(p, MA_OWNED); 2038 2039 if (td->td_proc == p) 2040 return (0); 2041 return (cr_cansee(td->td_ucred, p->p_ucred)); 2042 } 2043 2044 /* 2045 * 'conservative_signals' prevents the delivery of a broad class of 2046 * signals by unprivileged processes to processes that have changed their 2047 * credentials since the last invocation of execve(). This can prevent 2048 * the leakage of cached information or retained privileges as a result 2049 * of a common class of signal-related vulnerabilities. However, this 2050 * may interfere with some applications that expect to be able to 2051 * deliver these signals to peer processes after having given up 2052 * privilege. 2053 */ 2054 static int conservative_signals = 1; 2055 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 2056 &conservative_signals, 0, "Unprivileged processes prevented from " 2057 "sending certain signals to processes whose credentials have changed"); 2058 /*- 2059 * Determine whether cred may deliver the specified signal to proc. 2060 * Returns: 0 for permitted, an errno value otherwise. 2061 * Locks: A lock must be held for proc. 2062 * References: cred and proc must be valid for the lifetime of the call. 2063 */ 2064 int 2065 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 2066 { 2067 int error; 2068 2069 PROC_LOCK_ASSERT(proc, MA_OWNED); 2070 /* 2071 * Jail semantics limit the scope of signalling to proc in the 2072 * same jail as cred, if cred is in jail. 2073 */ 2074 error = prison_check(cred, proc->p_ucred); 2075 if (error) 2076 return (error); 2077 #ifdef MAC 2078 if ((error = mac_proc_check_signal(cred, proc, signum))) 2079 return (error); 2080 #endif 2081 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 2082 return (error); 2083 2084 /* 2085 * UNIX signal semantics depend on the status of the P_SUGID 2086 * bit on the target process. If the bit is set, then additional 2087 * restrictions are placed on the set of available signals. 2088 */ 2089 if (conservative_signals && (proc->p_flag & P_SUGID)) { 2090 switch (signum) { 2091 case 0: 2092 case SIGKILL: 2093 case SIGINT: 2094 case SIGTERM: 2095 case SIGALRM: 2096 case SIGSTOP: 2097 case SIGTTIN: 2098 case SIGTTOU: 2099 case SIGTSTP: 2100 case SIGHUP: 2101 case SIGUSR1: 2102 case SIGUSR2: 2103 /* 2104 * Generally, permit job and terminal control 2105 * signals. 2106 */ 2107 break; 2108 default: 2109 /* Not permitted without privilege. */ 2110 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 2111 if (error) 2112 return (error); 2113 } 2114 } 2115 2116 /* 2117 * Generally, the target credential's ruid or svuid must match the 2118 * subject credential's ruid or euid. 2119 */ 2120 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 2121 cred->cr_ruid != proc->p_ucred->cr_svuid && 2122 cred->cr_uid != proc->p_ucred->cr_ruid && 2123 cred->cr_uid != proc->p_ucred->cr_svuid) { 2124 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 2125 if (error) 2126 return (error); 2127 } 2128 2129 /* 2130 * At this point, the target may be in a different jail than the 2131 * subject -- the subject must be in a parent jail to the target, 2132 * whether it is prison0 or a subordinate of prison0 that has 2133 * children. Additional privileges are required to allow this, as 2134 * whether the creds are truly equivalent or not must be determined on 2135 * a case-by-case basis. 2136 */ 2137 error = cr_can_tamper_with_subjail(cred, proc->p_ucred, 2138 PRIV_SIGNAL_DIFFJAIL); 2139 if (error) 2140 return (error); 2141 2142 return (0); 2143 } 2144 2145 /*- 2146 * Determine whether td may deliver the specified signal to p. 2147 * Returns: 0 for permitted, an errno value otherwise 2148 * Locks: Sufficient locks to protect various components of td and p 2149 * must be held. td must be curthread, and a lock must be 2150 * held for p. 2151 * References: td and p must be valid for the lifetime of the call 2152 */ 2153 int 2154 p_cansignal(struct thread *td, struct proc *p, int signum) 2155 { 2156 2157 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2158 PROC_LOCK_ASSERT(p, MA_OWNED); 2159 if (td->td_proc == p) 2160 return (0); 2161 2162 /* 2163 * UNIX signalling semantics require that processes in the same 2164 * session always be able to deliver SIGCONT to one another, 2165 * overriding the remaining protections. 2166 */ 2167 /* XXX: This will require an additional lock of some sort. */ 2168 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 2169 return (0); 2170 /* 2171 * Some compat layers use SIGTHR and higher signals for 2172 * communication between different kernel threads of the same 2173 * process, so that they expect that it's always possible to 2174 * deliver them, even for suid applications where cr_cansignal() can 2175 * deny such ability for security consideration. It should be 2176 * pretty safe to do since the only way to create two processes 2177 * with the same p_leader is via rfork(2). 2178 */ 2179 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 2180 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 2181 return (0); 2182 2183 return (cr_cansignal(td->td_ucred, p, signum)); 2184 } 2185 2186 /*- 2187 * Determine whether td may reschedule p. 2188 * Returns: 0 for permitted, an errno value otherwise 2189 * Locks: Sufficient locks to protect various components of td and p 2190 * must be held. td must be curthread, and a lock must 2191 * be held for p. 2192 * References: td and p must be valid for the lifetime of the call 2193 */ 2194 int 2195 p_cansched(struct thread *td, struct proc *p) 2196 { 2197 int error; 2198 2199 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2200 PROC_LOCK_ASSERT(p, MA_OWNED); 2201 if (td->td_proc == p) 2202 return (0); 2203 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2204 return (error); 2205 #ifdef MAC 2206 if ((error = mac_proc_check_sched(td->td_ucred, p))) 2207 return (error); 2208 #endif 2209 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2210 return (error); 2211 2212 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 2213 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 2214 error = priv_check(td, PRIV_SCHED_DIFFCRED); 2215 if (error) 2216 return (error); 2217 } 2218 2219 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2220 PRIV_SCHED_DIFFJAIL); 2221 if (error) 2222 return (error); 2223 2224 return (0); 2225 } 2226 2227 /* 2228 * Handle getting or setting the prison's unprivileged_proc_debug 2229 * value. 2230 */ 2231 static int 2232 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 2233 { 2234 int error, val; 2235 2236 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 2237 error = sysctl_handle_int(oidp, &val, 0, req); 2238 if (error != 0 || req->newptr == NULL) 2239 return (error); 2240 if (val != 0 && val != 1) 2241 return (EINVAL); 2242 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 2243 return (0); 2244 } 2245 2246 /* 2247 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 2248 * unprivileged inter-process debugging services, including some procfs 2249 * functionality, ptrace(), and ktrace(). In the past, inter-process 2250 * debugging has been involved in a variety of security problems, and sites 2251 * not requiring the service might choose to disable it when hardening 2252 * systems. 2253 */ 2254 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 2255 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 2256 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 2257 "Unprivileged processes may use process debugging facilities"); 2258 2259 /* 2260 * Return true if the object owner/group ids are subset of the active 2261 * credentials. 2262 */ 2263 bool 2264 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred) 2265 { 2266 int i; 2267 bool grpsubset, uidsubset; 2268 2269 /* 2270 * Is p's group set a subset of td's effective group set? This 2271 * includes p's egid, group access list, rgid, and svgid. 2272 */ 2273 grpsubset = true; 2274 for (i = 0; i < obj_cred->cr_ngroups; i++) { 2275 if (!groupmember(obj_cred->cr_groups[i], active_cred)) { 2276 grpsubset = false; 2277 break; 2278 } 2279 } 2280 grpsubset = grpsubset && 2281 groupmember(obj_cred->cr_gid, active_cred) && 2282 groupmember(obj_cred->cr_rgid, active_cred) && 2283 groupmember(obj_cred->cr_svgid, active_cred); 2284 2285 /* 2286 * Are the uids present in obj_cred's credential equal to 2287 * active_cred's effective uid? This includes obj_cred's 2288 * euid, svuid, and ruid. 2289 */ 2290 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid && 2291 active_cred->cr_uid == obj_cred->cr_svuid && 2292 active_cred->cr_uid == obj_cred->cr_ruid); 2293 2294 return (uidsubset && grpsubset); 2295 } 2296 2297 /*- 2298 * Determine whether td may debug p. 2299 * Returns: 0 for permitted, an errno value otherwise 2300 * Locks: Sufficient locks to protect various components of td and p 2301 * must be held. td must be curthread, and a lock must 2302 * be held for p. 2303 * References: td and p must be valid for the lifetime of the call 2304 */ 2305 int 2306 p_candebug(struct thread *td, struct proc *p) 2307 { 2308 int error; 2309 2310 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2311 PROC_LOCK_ASSERT(p, MA_OWNED); 2312 if (td->td_proc == p) 2313 return (0); 2314 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 2315 return (error); 2316 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2317 return (error); 2318 #ifdef MAC 2319 if ((error = mac_proc_check_debug(td->td_ucred, p))) 2320 return (error); 2321 #endif 2322 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2323 return (error); 2324 2325 /* 2326 * If p's gids aren't a subset, or the uids aren't a subset, 2327 * or the credential has changed, require appropriate privilege 2328 * for td to debug p. 2329 */ 2330 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) { 2331 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 2332 if (error) 2333 return (error); 2334 } 2335 2336 /* 2337 * Has the credential of the process changed since the last exec()? 2338 */ 2339 if ((p->p_flag & P_SUGID) != 0) { 2340 error = priv_check(td, PRIV_DEBUG_SUGID); 2341 if (error) 2342 return (error); 2343 } 2344 2345 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2346 PRIV_DEBUG_DIFFJAIL); 2347 if (error) 2348 return (error); 2349 2350 /* Can't trace init when securelevel > 0. */ 2351 if (p == initproc) { 2352 error = securelevel_gt(td->td_ucred, 0); 2353 if (error) 2354 return (error); 2355 } 2356 2357 /* 2358 * Can't trace a process that's currently exec'ing. 2359 * 2360 * XXX: Note, this is not a security policy decision, it's a 2361 * basic correctness/functionality decision. Therefore, this check 2362 * should be moved to the caller's of p_candebug(). 2363 */ 2364 if ((p->p_flag & P_INEXEC) != 0) 2365 return (EBUSY); 2366 2367 /* Denied explicitly */ 2368 if ((p->p_flag2 & P2_NOTRACE) != 0) { 2369 error = priv_check(td, PRIV_DEBUG_DENIED); 2370 if (error != 0) 2371 return (error); 2372 } 2373 2374 return (0); 2375 } 2376 2377 /*- 2378 * Determine whether the subject represented by cred can "see" a socket. 2379 * Returns: 0 for permitted, ENOENT otherwise. 2380 */ 2381 int 2382 cr_canseesocket(struct ucred *cred, struct socket *so) 2383 { 2384 int error; 2385 2386 error = prison_check(cred, so->so_cred); 2387 if (error) 2388 return (ENOENT); 2389 #ifdef MAC 2390 error = mac_socket_check_visible(cred, so); 2391 if (error) 2392 return (error); 2393 #endif 2394 if (cr_bsd_visible(cred, so->so_cred)) 2395 return (ENOENT); 2396 2397 return (0); 2398 } 2399 2400 /*- 2401 * Determine whether td can wait for the exit of p. 2402 * Returns: 0 for permitted, an errno value otherwise 2403 * Locks: Sufficient locks to protect various components of td and p 2404 * must be held. td must be curthread, and a lock must 2405 * be held for p. 2406 * References: td and p must be valid for the lifetime of the call 2407 2408 */ 2409 int 2410 p_canwait(struct thread *td, struct proc *p) 2411 { 2412 int error; 2413 2414 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2415 PROC_LOCK_ASSERT(p, MA_OWNED); 2416 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2417 return (error); 2418 #ifdef MAC 2419 if ((error = mac_proc_check_wait(td->td_ucred, p))) 2420 return (error); 2421 #endif 2422 #if 0 2423 /* XXXMAC: This could have odd effects on some shells. */ 2424 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2425 return (error); 2426 #endif 2427 2428 return (0); 2429 } 2430 2431 /* 2432 * Credential management. 2433 * 2434 * struct ucred objects are rarely allocated but gain and lose references all 2435 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 2436 * a significant source of cache-line ping ponging. Common cases are worked 2437 * around by modifying thread-local counter instead if the cred to operate on 2438 * matches td_realucred. 2439 * 2440 * The counter is split into 2 parts: 2441 * - cr_users -- total count of all struct proc and struct thread objects 2442 * which have given cred in p_ucred and td_ucred respectively 2443 * - cr_ref -- the actual ref count, only valid if cr_users == 0 2444 * 2445 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 2446 * the count reaches 0 the object is freeable. 2447 * If users > 0 and curthread->td_realucred == cred, then updates are performed 2448 * against td_ucredref. 2449 * In other cases updates are performed against cr_ref. 2450 * 2451 * Changing td_realucred into something else decrements cr_users and transfers 2452 * accumulated updates. 2453 */ 2454 struct ucred * 2455 crcowget(struct ucred *cr) 2456 { 2457 2458 mtx_lock(&cr->cr_mtx); 2459 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2460 __func__, cr->cr_users, cr)); 2461 cr->cr_users++; 2462 cr->cr_ref++; 2463 mtx_unlock(&cr->cr_mtx); 2464 return (cr); 2465 } 2466 2467 static struct ucred * 2468 crunuse(struct thread *td) 2469 { 2470 struct ucred *cr, *crold; 2471 2472 MPASS(td->td_realucred == td->td_ucred); 2473 cr = td->td_realucred; 2474 mtx_lock(&cr->cr_mtx); 2475 cr->cr_ref += td->td_ucredref; 2476 td->td_ucredref = 0; 2477 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2478 __func__, cr->cr_users, cr)); 2479 cr->cr_users--; 2480 if (cr->cr_users == 0) { 2481 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2482 __func__, cr->cr_ref, cr)); 2483 crold = cr; 2484 } else { 2485 cr->cr_ref--; 2486 crold = NULL; 2487 } 2488 mtx_unlock(&cr->cr_mtx); 2489 td->td_realucred = NULL; 2490 return (crold); 2491 } 2492 2493 static void 2494 crunusebatch(struct ucred *cr, u_int users, long ref) 2495 { 2496 2497 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2498 __func__, users, cr)); 2499 mtx_lock(&cr->cr_mtx); 2500 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2501 __func__, cr->cr_users, users, cr)); 2502 cr->cr_users -= users; 2503 cr->cr_ref += ref; 2504 cr->cr_ref -= users; 2505 if (cr->cr_users > 0) { 2506 mtx_unlock(&cr->cr_mtx); 2507 return; 2508 } 2509 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2510 __func__, cr->cr_ref, cr)); 2511 if (cr->cr_ref > 0) { 2512 mtx_unlock(&cr->cr_mtx); 2513 return; 2514 } 2515 crfree_final(cr); 2516 } 2517 2518 void 2519 crcowfree(struct thread *td) 2520 { 2521 struct ucred *cr; 2522 2523 cr = crunuse(td); 2524 if (cr != NULL) 2525 crfree(cr); 2526 } 2527 2528 struct ucred * 2529 crcowsync(void) 2530 { 2531 struct thread *td; 2532 struct proc *p; 2533 struct ucred *crnew, *crold; 2534 2535 td = curthread; 2536 p = td->td_proc; 2537 PROC_LOCK_ASSERT(p, MA_OWNED); 2538 2539 MPASS(td->td_realucred == td->td_ucred); 2540 if (td->td_realucred == p->p_ucred) 2541 return (NULL); 2542 2543 crnew = crcowget(p->p_ucred); 2544 crold = crunuse(td); 2545 td->td_realucred = crnew; 2546 td->td_ucred = td->td_realucred; 2547 return (crold); 2548 } 2549 2550 /* 2551 * Batching. 2552 */ 2553 void 2554 credbatch_add(struct credbatch *crb, struct thread *td) 2555 { 2556 struct ucred *cr; 2557 2558 MPASS(td->td_realucred != NULL); 2559 MPASS(td->td_realucred == td->td_ucred); 2560 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2561 cr = td->td_realucred; 2562 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2563 __func__, cr->cr_users, cr)); 2564 if (crb->cred != cr) { 2565 if (crb->users > 0) { 2566 MPASS(crb->cred != NULL); 2567 crunusebatch(crb->cred, crb->users, crb->ref); 2568 crb->users = 0; 2569 crb->ref = 0; 2570 } 2571 } 2572 crb->cred = cr; 2573 crb->users++; 2574 crb->ref += td->td_ucredref; 2575 td->td_ucredref = 0; 2576 td->td_realucred = NULL; 2577 } 2578 2579 void 2580 credbatch_final(struct credbatch *crb) 2581 { 2582 2583 MPASS(crb->cred != NULL); 2584 MPASS(crb->users > 0); 2585 crunusebatch(crb->cred, crb->users, crb->ref); 2586 } 2587 2588 /* 2589 * Allocate a zeroed cred structure. 2590 */ 2591 struct ucred * 2592 crget(void) 2593 { 2594 struct ucred *cr; 2595 2596 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2597 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2598 cr->cr_ref = 1; 2599 #ifdef AUDIT 2600 audit_cred_init(cr); 2601 #endif 2602 #ifdef MAC 2603 mac_cred_init(cr); 2604 #endif 2605 cr->cr_groups = cr->cr_smallgroups; 2606 cr->cr_agroups = nitems(cr->cr_smallgroups); 2607 return (cr); 2608 } 2609 2610 /* 2611 * Claim another reference to a ucred structure. 2612 */ 2613 struct ucred * 2614 crhold(struct ucred *cr) 2615 { 2616 struct thread *td; 2617 2618 td = curthread; 2619 if (__predict_true(td->td_realucred == cr)) { 2620 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2621 __func__, cr->cr_users, cr)); 2622 td->td_ucredref++; 2623 return (cr); 2624 } 2625 mtx_lock(&cr->cr_mtx); 2626 cr->cr_ref++; 2627 mtx_unlock(&cr->cr_mtx); 2628 return (cr); 2629 } 2630 2631 /* 2632 * Free a cred structure. Throws away space when ref count gets to 0. 2633 */ 2634 void 2635 crfree(struct ucred *cr) 2636 { 2637 struct thread *td; 2638 2639 td = curthread; 2640 if (__predict_true(td->td_realucred == cr)) { 2641 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2642 __func__, cr->cr_users, cr)); 2643 td->td_ucredref--; 2644 return; 2645 } 2646 mtx_lock(&cr->cr_mtx); 2647 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2648 __func__, cr->cr_users, cr)); 2649 cr->cr_ref--; 2650 if (cr->cr_users > 0) { 2651 mtx_unlock(&cr->cr_mtx); 2652 return; 2653 } 2654 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2655 __func__, cr->cr_ref, cr)); 2656 if (cr->cr_ref > 0) { 2657 mtx_unlock(&cr->cr_mtx); 2658 return; 2659 } 2660 crfree_final(cr); 2661 } 2662 2663 static void 2664 crfree_final(struct ucred *cr) 2665 { 2666 2667 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2668 __func__, cr->cr_users, cr)); 2669 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2670 __func__, cr->cr_ref, cr)); 2671 2672 /* 2673 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2674 * credential, but don't allocate a uidinfo structure. 2675 */ 2676 if (cr->cr_uidinfo != NULL) 2677 uifree(cr->cr_uidinfo); 2678 if (cr->cr_ruidinfo != NULL) 2679 uifree(cr->cr_ruidinfo); 2680 if (cr->cr_prison != NULL) 2681 prison_free(cr->cr_prison); 2682 if (cr->cr_loginclass != NULL) 2683 loginclass_free(cr->cr_loginclass); 2684 #ifdef AUDIT 2685 audit_cred_destroy(cr); 2686 #endif 2687 #ifdef MAC 2688 mac_cred_destroy(cr); 2689 #endif 2690 mtx_destroy(&cr->cr_mtx); 2691 if (cr->cr_groups != cr->cr_smallgroups) 2692 free(cr->cr_groups, M_CRED); 2693 free(cr, M_CRED); 2694 } 2695 2696 /* 2697 * Copy a ucred's contents from a template. Does not block. 2698 */ 2699 void 2700 crcopy(struct ucred *dest, struct ucred *src) 2701 { 2702 2703 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2704 (unsigned)((caddr_t)&src->cr_endcopy - 2705 (caddr_t)&src->cr_startcopy)); 2706 dest->cr_flags = src->cr_flags; 2707 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2708 uihold(dest->cr_uidinfo); 2709 uihold(dest->cr_ruidinfo); 2710 prison_hold(dest->cr_prison); 2711 loginclass_hold(dest->cr_loginclass); 2712 #ifdef AUDIT 2713 audit_cred_copy(src, dest); 2714 #endif 2715 #ifdef MAC 2716 mac_cred_copy(src, dest); 2717 #endif 2718 } 2719 2720 /* 2721 * Dup cred struct to a new held one. 2722 */ 2723 struct ucred * 2724 crdup(struct ucred *cr) 2725 { 2726 struct ucred *newcr; 2727 2728 newcr = crget(); 2729 crcopy(newcr, cr); 2730 return (newcr); 2731 } 2732 2733 /* 2734 * Fill in a struct xucred based on a struct ucred. 2735 */ 2736 void 2737 cru2x(struct ucred *cr, struct xucred *xcr) 2738 { 2739 int ngroups; 2740 2741 bzero(xcr, sizeof(*xcr)); 2742 xcr->cr_version = XUCRED_VERSION; 2743 xcr->cr_uid = cr->cr_uid; 2744 xcr->cr_gid = cr->cr_gid; 2745 2746 /* 2747 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so 2748 * this is kind of ugly; cr_ngroups still includes the egid for our 2749 * purposes to avoid bumping the xucred version. 2750 */ 2751 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups)); 2752 xcr->cr_ngroups = ngroups; 2753 bcopy(cr->cr_groups, xcr->cr_sgroups, 2754 (ngroups - 1) * sizeof(*cr->cr_groups)); 2755 } 2756 2757 void 2758 cru2xt(struct thread *td, struct xucred *xcr) 2759 { 2760 2761 cru2x(td->td_ucred, xcr); 2762 xcr->cr_pid = td->td_proc->p_pid; 2763 } 2764 2765 /* 2766 * Change process credentials. 2767 * 2768 * Callers are responsible for providing the reference for passed credentials 2769 * and for freeing old ones. Calls chgproccnt() to correctly account the 2770 * current process to the proper real UID, if the latter has changed. Returns 2771 * whether the operation was successful. Failure can happen only on 2772 * 'enforce_proc_lim' being true and if no new process can be accounted to the 2773 * new real UID because of the current limit (see the inner comment for more 2774 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override 2775 * that. In this case, the reference to 'newcred' is not taken over. 2776 */ 2777 static bool 2778 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim) 2779 { 2780 struct ucred *const oldcred = p->p_ucred; 2781 2782 MPASS(oldcred != NULL); 2783 PROC_LOCK_ASSERT(p, MA_OWNED); 2784 2785 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) { 2786 /* 2787 * XXXOC: This check is flawed but nonetheless the best we can 2788 * currently do as we don't really track limits per UID contrary 2789 * to what we pretend in setrlimit(2). Until this is reworked, 2790 * we just check here that the number of processes for our new 2791 * real UID doesn't exceed this process' process number limit 2792 * (which is meant to be associated with the current real UID). 2793 */ 2794 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1, 2795 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0); 2796 2797 if (!proccnt_changed) { 2798 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0) 2799 return (false); 2800 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2801 } 2802 } 2803 2804 mtx_lock(&oldcred->cr_mtx); 2805 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2806 __func__, oldcred->cr_users, oldcred)); 2807 oldcred->cr_users--; 2808 mtx_unlock(&oldcred->cr_mtx); 2809 mtx_lock(&newcred->cr_mtx); 2810 newcred->cr_users++; 2811 mtx_unlock(&newcred->cr_mtx); 2812 p->p_ucred = newcred; 2813 PROC_UPDATE_COW(p); 2814 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) 2815 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0); 2816 return (true); 2817 } 2818 2819 void 2820 proc_set_cred(struct proc *p, struct ucred *newcred) 2821 { 2822 bool success __diagused = _proc_set_cred(p, newcred, false); 2823 2824 MPASS(success); 2825 } 2826 2827 bool 2828 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred) 2829 { 2830 return (_proc_set_cred(p, newcred, true)); 2831 } 2832 2833 void 2834 proc_unset_cred(struct proc *p, bool decrement_proc_count) 2835 { 2836 struct ucred *cr; 2837 2838 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2839 cr = p->p_ucred; 2840 p->p_ucred = NULL; 2841 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2842 __func__, cr->cr_users, cr)); 2843 mtx_lock(&cr->cr_mtx); 2844 cr->cr_users--; 2845 if (cr->cr_users == 0) 2846 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2847 __func__, cr->cr_ref, cr)); 2848 mtx_unlock(&cr->cr_mtx); 2849 if (decrement_proc_count) 2850 (void)chgproccnt(cr->cr_ruidinfo, -1, 0); 2851 crfree(cr); 2852 } 2853 2854 struct ucred * 2855 crcopysafe(struct proc *p, struct ucred *cr) 2856 { 2857 struct ucred *oldcred; 2858 int groups; 2859 2860 PROC_LOCK_ASSERT(p, MA_OWNED); 2861 2862 oldcred = p->p_ucred; 2863 while (cr->cr_agroups < oldcred->cr_ngroups) { 2864 groups = oldcred->cr_ngroups; 2865 PROC_UNLOCK(p); 2866 crextend(cr, groups); 2867 PROC_LOCK(p); 2868 oldcred = p->p_ucred; 2869 } 2870 crcopy(cr, oldcred); 2871 2872 return (oldcred); 2873 } 2874 2875 /* 2876 * Extend the passed-in credentials to hold n groups. 2877 * 2878 * Must not be called after groups have been set. 2879 */ 2880 void 2881 crextend(struct ucred *cr, int n) 2882 { 2883 size_t nbytes; 2884 2885 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2886 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0, 2887 "groups on 'cr' already set!"); 2888 groups_check_positive_len(n); 2889 groups_check_max_len(n); 2890 2891 if (n <= cr->cr_agroups) 2892 return; 2893 2894 nbytes = n * sizeof(gid_t); 2895 if (nbytes < n) 2896 panic("Too many groups (memory size overflow)! " 2897 "Computation of 'kern.ngroups' should have prevented this, " 2898 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2899 2900 /* 2901 * We allocate a power of 2 larger than 'nbytes', except when that 2902 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2903 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2904 * below) but do not need to for sizeof(gid_t). 2905 */ 2906 if (nbytes < PAGE_SIZE) { 2907 if (!powerof2(nbytes)) 2908 /* fls*() return a bit index starting at 1. */ 2909 nbytes = 1 << flsl(nbytes); 2910 } else 2911 nbytes = roundup2(nbytes, PAGE_SIZE); 2912 2913 /* Free the old array. */ 2914 if (cr->cr_groups != cr->cr_smallgroups) 2915 free(cr->cr_groups, M_CRED); 2916 2917 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2918 cr->cr_agroups = nbytes / sizeof(gid_t); 2919 } 2920 2921 /* 2922 * Normalizes a set of groups to be applied to a 'struct ucred'. 2923 * 2924 * Normalization ensures that the supplementary groups are sorted in ascending 2925 * order and do not contain duplicates. This allows group_is_supplementary() to 2926 * do a binary search. 2927 */ 2928 static void 2929 groups_normalize(int *ngrp, gid_t *groups) 2930 { 2931 gid_t prev_g; 2932 int ins_idx; 2933 2934 groups_check_positive_len(*ngrp); 2935 groups_check_max_len(*ngrp); 2936 2937 if (*ngrp <= 1) 2938 return; 2939 2940 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp); 2941 2942 /* Remove duplicates. */ 2943 prev_g = groups[0]; 2944 ins_idx = 1; 2945 for (int i = ins_idx; i < *ngrp; ++i) { 2946 const gid_t g = groups[i]; 2947 2948 if (g != prev_g) { 2949 if (i != ins_idx) 2950 groups[ins_idx] = g; 2951 ++ins_idx; 2952 prev_g = g; 2953 } 2954 } 2955 *ngrp = ins_idx; 2956 2957 groups_check_normalized(*ngrp, groups); 2958 } 2959 2960 /* 2961 * Internal function copying groups into a credential. 2962 * 2963 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2964 * been normalized in advance (see groups_normalize()), else it must be so 2965 * before the structure is to be used again. 2966 * 2967 * This function is suitable to be used under any lock (it doesn't take any lock 2968 * itself nor sleep, and in particular doesn't allocate memory). crextend() 2969 * must have been called beforehand to ensure sufficient space is available. 2970 * See also crsetgroups(), which handles that. 2971 */ 2972 static void 2973 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 2974 { 2975 2976 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2977 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 2978 groups_check_positive_len(ngrp); 2979 2980 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2981 cr->cr_ngroups = ngrp; 2982 cr->cr_flags |= CRED_FLAG_GROUPSET; 2983 } 2984 2985 /* 2986 * Copy groups in to a credential after expanding it if required. 2987 * 2988 * May sleep in order to allocate memory (except if, e.g., crextend() was called 2989 * before with 'ngrp' or greater). Truncates the list to 'ngroups_max' if 2990 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 2991 * positive. 2992 */ 2993 void 2994 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 2995 { 2996 2997 if (ngrp > ngroups_max) 2998 ngrp = ngroups_max; 2999 cr->cr_ngroups = 0; 3000 if (ngrp == 0) { 3001 cr->cr_flags |= CRED_FLAG_GROUPSET; 3002 return; 3003 } 3004 3005 /* 3006 * crextend() asserts that groups are not set, as it may allocate a new 3007 * backing storage without copying the content of the old one. Since we 3008 * are going to install a completely new set anyway, signal that we 3009 * consider the old ones thrown away. 3010 */ 3011 cr->cr_flags &= ~CRED_FLAG_GROUPSET; 3012 3013 crextend(cr, ngrp); 3014 crsetgroups_internal(cr, ngrp, groups); 3015 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 3016 } 3017 3018 /* 3019 * Same as crsetgroups() but sets the effective GID as well. 3020 * 3021 * This function ensures that an effective GID is always present in credentials. 3022 * An empty array will only set the effective GID to 'default_egid', while 3023 * a non-empty array will peel off groups[0] to set as the effective GID and use 3024 * the remainder, if any, as supplementary groups. 3025 */ 3026 void 3027 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups, 3028 const gid_t default_egid) 3029 { 3030 if (ngrp == 0) { 3031 cr->cr_gid = default_egid; 3032 cr->cr_ngroups = 0; 3033 cr->cr_flags |= CRED_FLAG_GROUPSET; 3034 return; 3035 } 3036 3037 crsetgroups(cr, ngrp - 1, groups + 1); 3038 cr->cr_gid = groups[0]; 3039 } 3040 3041 /* 3042 * Get login name, if available. 3043 */ 3044 #ifndef _SYS_SYSPROTO_H_ 3045 struct getlogin_args { 3046 char *namebuf; 3047 u_int namelen; 3048 }; 3049 #endif 3050 /* ARGSUSED */ 3051 int 3052 sys_getlogin(struct thread *td, struct getlogin_args *uap) 3053 { 3054 char login[MAXLOGNAME]; 3055 struct proc *p = td->td_proc; 3056 size_t len; 3057 3058 if (uap->namelen > MAXLOGNAME) 3059 uap->namelen = MAXLOGNAME; 3060 PROC_LOCK(p); 3061 SESS_LOCK(p->p_session); 3062 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 3063 SESS_UNLOCK(p->p_session); 3064 PROC_UNLOCK(p); 3065 if (len > uap->namelen) 3066 return (ERANGE); 3067 return (copyout(login, uap->namebuf, len)); 3068 } 3069 3070 /* 3071 * Set login name. 3072 */ 3073 #ifndef _SYS_SYSPROTO_H_ 3074 struct setlogin_args { 3075 char *namebuf; 3076 }; 3077 #endif 3078 /* ARGSUSED */ 3079 int 3080 sys_setlogin(struct thread *td, struct setlogin_args *uap) 3081 { 3082 struct proc *p = td->td_proc; 3083 int error; 3084 char logintmp[MAXLOGNAME]; 3085 3086 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 3087 3088 error = priv_check(td, PRIV_PROC_SETLOGIN); 3089 if (error) 3090 return (error); 3091 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 3092 if (error != 0) { 3093 if (error == ENAMETOOLONG) 3094 error = EINVAL; 3095 return (error); 3096 } 3097 AUDIT_ARG_LOGIN(logintmp); 3098 PROC_LOCK(p); 3099 SESS_LOCK(p->p_session); 3100 strcpy(p->p_session->s_login, logintmp); 3101 SESS_UNLOCK(p->p_session); 3102 PROC_UNLOCK(p); 3103 return (0); 3104 } 3105 3106 void 3107 setsugid(struct proc *p) 3108 { 3109 3110 PROC_LOCK_ASSERT(p, MA_OWNED); 3111 p->p_flag |= P_SUGID; 3112 } 3113 3114 /*- 3115 * Change a process's effective uid. 3116 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 3117 * References: newcred must be an exclusive credential reference for the 3118 * duration of the call. 3119 */ 3120 void 3121 change_euid(struct ucred *newcred, struct uidinfo *euip) 3122 { 3123 3124 newcred->cr_uid = euip->ui_uid; 3125 uihold(euip); 3126 uifree(newcred->cr_uidinfo); 3127 newcred->cr_uidinfo = euip; 3128 } 3129 3130 /*- 3131 * Change a process's effective gid. 3132 * Side effects: newcred->cr_gid will be modified. 3133 * References: newcred must be an exclusive credential reference for the 3134 * duration of the call. 3135 */ 3136 void 3137 change_egid(struct ucred *newcred, gid_t egid) 3138 { 3139 3140 newcred->cr_gid = egid; 3141 } 3142 3143 /*- 3144 * Change a process's real uid. 3145 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 3146 * will be updated. 3147 * References: newcred must be an exclusive credential reference for the 3148 * duration of the call. 3149 */ 3150 void 3151 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 3152 { 3153 3154 newcred->cr_ruid = ruip->ui_uid; 3155 uihold(ruip); 3156 uifree(newcred->cr_ruidinfo); 3157 newcred->cr_ruidinfo = ruip; 3158 } 3159 3160 /*- 3161 * Change a process's real gid. 3162 * Side effects: newcred->cr_rgid will be updated. 3163 * References: newcred must be an exclusive credential reference for the 3164 * duration of the call. 3165 */ 3166 void 3167 change_rgid(struct ucred *newcred, gid_t rgid) 3168 { 3169 3170 newcred->cr_rgid = rgid; 3171 } 3172 3173 /*- 3174 * Change a process's saved uid. 3175 * Side effects: newcred->cr_svuid will be updated. 3176 * References: newcred must be an exclusive credential reference for the 3177 * duration of the call. 3178 */ 3179 void 3180 change_svuid(struct ucred *newcred, uid_t svuid) 3181 { 3182 3183 newcred->cr_svuid = svuid; 3184 } 3185 3186 /*- 3187 * Change a process's saved gid. 3188 * Side effects: newcred->cr_svgid will be updated. 3189 * References: newcred must be an exclusive credential reference for the 3190 * duration of the call. 3191 */ 3192 void 3193 change_svgid(struct ucred *newcred, gid_t svgid) 3194 { 3195 3196 newcred->cr_svgid = svgid; 3197 } 3198 3199 bool allow_ptrace = true; 3200 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 3201 &allow_ptrace, 0, 3202 "Deny ptrace(2) use by returning ENOSYS"); 3203