1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 5 * (c) UNIX System Laboratories, Inc. 6 * 7 * All or some portions of this file are derived from material licensed 8 * to the University of California by American Telephone and Telegraph 9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 10 * the permission of UNIX System Laboratories, Inc. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. All advertising materials mentioning features or use of this software 21 * must display the following acknowledgement: 22 * This product includes software developed by the University of 23 * California, Berkeley and its contributors. 24 * 4. Neither the name of the University nor the names of its contributors 25 * may be used to endorse or promote products derived from this software 26 * without specific prior written permission. 27 * 28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 31 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 * 40 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 41 * $FreeBSD$ 42 */ 43 44 /* 45 * System calls related to processes and protection 46 */ 47 48 #include "opt_compat.h" 49 #include "opt_global.h" 50 51 #include <sys/param.h> 52 #include <sys/systm.h> 53 #include <sys/acct.h> 54 #include <sys/kernel.h> 55 #include <sys/lock.h> 56 #include <sys/mutex.h> 57 #include <sys/proc.h> 58 #include <sys/sx.h> 59 #include <sys/sysproto.h> 60 #include <sys/malloc.h> 61 #include <sys/pioctl.h> 62 #include <sys/resourcevar.h> 63 #include <sys/sysctl.h> 64 #include <sys/jail.h> 65 66 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 69 "Kernel security policy"); 70 71 #ifndef _SYS_SYSPROTO_H_ 72 struct getpid_args { 73 int dummy; 74 }; 75 #endif 76 77 /* 78 * getpid 79 */ 80 81 /* 82 * MPSAFE 83 */ 84 /* ARGSUSED */ 85 int 86 getpid(td, uap) 87 struct thread *td; 88 struct getpid_args *uap; 89 { 90 struct proc *p = td->td_proc; 91 int s; 92 93 s = mtx_lock_giant(kern_giant_proc); 94 td->td_retval[0] = p->p_pid; 95 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 96 PROC_LOCK(p); 97 td->td_retval[1] = p->p_pptr->p_pid; 98 PROC_UNLOCK(p); 99 #endif 100 mtx_unlock_giant(s); 101 return (0); 102 } 103 104 /* 105 * getppid 106 */ 107 108 #ifndef _SYS_SYSPROTO_H_ 109 struct getppid_args { 110 int dummy; 111 }; 112 #endif 113 /* 114 * MPSAFE 115 */ 116 /* ARGSUSED */ 117 int 118 getppid(td, uap) 119 struct thread *td; 120 struct getppid_args *uap; 121 { 122 struct proc *p = td->td_proc; 123 int s; 124 125 s = mtx_lock_giant(kern_giant_proc); 126 PROC_LOCK(p); 127 td->td_retval[0] = p->p_pptr->p_pid; 128 PROC_UNLOCK(p); 129 mtx_unlock_giant(s); 130 return (0); 131 } 132 133 /* 134 * Get process group ID; note that POSIX getpgrp takes no parameter 135 * 136 * MP SAFE 137 */ 138 #ifndef _SYS_SYSPROTO_H_ 139 struct getpgrp_args { 140 int dummy; 141 }; 142 #endif 143 /* 144 * MPSAFE 145 */ 146 int 147 getpgrp(td, uap) 148 struct thread *td; 149 struct getpgrp_args *uap; 150 { 151 struct proc *p = td->td_proc; 152 153 mtx_lock(&Giant); 154 td->td_retval[0] = p->p_pgrp->pg_id; 155 mtx_unlock(&Giant); 156 return (0); 157 } 158 159 /* Get an arbitary pid's process group id */ 160 #ifndef _SYS_SYSPROTO_H_ 161 struct getpgid_args { 162 pid_t pid; 163 }; 164 #endif 165 166 /* 167 * MPSAFE 168 */ 169 int 170 getpgid(td, uap) 171 struct thread *td; 172 struct getpgid_args *uap; 173 { 174 struct proc *p = td->td_proc; 175 struct proc *pt; 176 int error = 0; 177 int s; 178 179 s = mtx_lock_giant(kern_giant_proc); 180 if (uap->pid == 0) 181 td->td_retval[0] = p->p_pgrp->pg_id; 182 else if ((pt = pfind(uap->pid)) == NULL) 183 error = ESRCH; 184 else { 185 error = p_cansee(p, pt); 186 if (error == 0) 187 td->td_retval[0] = pt->p_pgrp->pg_id; 188 PROC_UNLOCK(pt); 189 } 190 mtx_unlock_giant(s); 191 return (error); 192 } 193 194 /* 195 * Get an arbitary pid's session id. 196 */ 197 #ifndef _SYS_SYSPROTO_H_ 198 struct getsid_args { 199 pid_t pid; 200 }; 201 #endif 202 203 /* 204 * MPSAFE 205 */ 206 int 207 getsid(td, uap) 208 struct thread *td; 209 struct getsid_args *uap; 210 { 211 struct proc *p = td->td_proc; 212 struct proc *pt; 213 int error = 0; 214 215 mtx_lock(&Giant); 216 if (uap->pid == 0) 217 td->td_retval[0] = p->p_session->s_sid; 218 else if ((pt = pfind(uap->pid)) == NULL) 219 error = ESRCH; 220 else { 221 error = p_cansee(p, pt); 222 if (error == 0) 223 td->td_retval[0] = pt->p_session->s_sid; 224 PROC_UNLOCK(pt); 225 } 226 mtx_unlock(&Giant); 227 return (error); 228 } 229 230 231 /* 232 * getuid() - MP SAFE 233 */ 234 #ifndef _SYS_SYSPROTO_H_ 235 struct getuid_args { 236 int dummy; 237 }; 238 #endif 239 240 /* 241 * MPSAFE 242 */ 243 /* ARGSUSED */ 244 int 245 getuid(td, uap) 246 struct thread *td; 247 struct getuid_args *uap; 248 { 249 struct proc *p = td->td_proc; 250 251 mtx_lock(&Giant); 252 td->td_retval[0] = p->p_ucred->cr_ruid; 253 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 254 td->td_retval[1] = p->p_ucred->cr_uid; 255 #endif 256 mtx_unlock(&Giant); 257 return (0); 258 } 259 260 /* 261 * geteuid() - MP SAFE 262 */ 263 #ifndef _SYS_SYSPROTO_H_ 264 struct geteuid_args { 265 int dummy; 266 }; 267 #endif 268 269 /* ARGSUSED */ 270 int 271 geteuid(td, uap) 272 struct thread *td; 273 struct geteuid_args *uap; 274 { 275 mtx_lock(&Giant); 276 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 277 mtx_unlock(&Giant); 278 return (0); 279 } 280 281 /* 282 * getgid() - MP SAFE 283 */ 284 #ifndef _SYS_SYSPROTO_H_ 285 struct getgid_args { 286 int dummy; 287 }; 288 #endif 289 290 /* 291 * MPSAFE 292 */ 293 /* ARGSUSED */ 294 int 295 getgid(td, uap) 296 struct thread *td; 297 struct getgid_args *uap; 298 { 299 struct proc *p = td->td_proc; 300 301 mtx_lock(&Giant); 302 td->td_retval[0] = p->p_ucred->cr_rgid; 303 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 304 td->td_retval[1] = p->p_ucred->cr_groups[0]; 305 #endif 306 mtx_unlock(&Giant); 307 return (0); 308 } 309 310 /* 311 * Get effective group ID. The "egid" is groups[0], and could be obtained 312 * via getgroups. This syscall exists because it is somewhat painful to do 313 * correctly in a library function. 314 */ 315 #ifndef _SYS_SYSPROTO_H_ 316 struct getegid_args { 317 int dummy; 318 }; 319 #endif 320 321 /* 322 * MPSAFE 323 */ 324 /* ARGSUSED */ 325 int 326 getegid(td, uap) 327 struct thread *td; 328 struct getegid_args *uap; 329 { 330 struct proc *p = td->td_proc; 331 332 mtx_lock(&Giant); 333 td->td_retval[0] = p->p_ucred->cr_groups[0]; 334 mtx_unlock(&Giant); 335 return (0); 336 } 337 338 #ifndef _SYS_SYSPROTO_H_ 339 struct getgroups_args { 340 u_int gidsetsize; 341 gid_t *gidset; 342 }; 343 #endif 344 /* 345 * MPSAFE 346 */ 347 int 348 getgroups(td, uap) 349 struct thread *td; 350 register struct getgroups_args *uap; 351 { 352 struct ucred *cred; 353 struct proc *p = td->td_proc; 354 u_int ngrp; 355 int error = 0; 356 357 mtx_lock(&Giant); 358 cred = p->p_ucred; 359 if ((ngrp = uap->gidsetsize) == 0) { 360 td->td_retval[0] = cred->cr_ngroups; 361 error = 0; 362 goto done2; 363 } 364 if (ngrp < cred->cr_ngroups) { 365 error = EINVAL; 366 goto done2; 367 } 368 ngrp = cred->cr_ngroups; 369 if ((error = copyout((caddr_t)cred->cr_groups, 370 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) { 371 goto done2; 372 } 373 td->td_retval[0] = ngrp; 374 done2: 375 mtx_unlock(&Giant); 376 return (error); 377 } 378 379 #ifndef _SYS_SYSPROTO_H_ 380 struct setsid_args { 381 int dummy; 382 }; 383 #endif 384 385 /* 386 * MPSAFE 387 */ 388 /* ARGSUSED */ 389 int 390 setsid(td, uap) 391 register struct thread *td; 392 struct setsid_args *uap; 393 { 394 int error; 395 struct proc *p = td->td_proc; 396 397 mtx_lock(&Giant); 398 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 399 error = EPERM; 400 } else { 401 (void)enterpgrp(p, p->p_pid, 1); 402 td->td_retval[0] = p->p_pid; 403 error = 0; 404 } 405 mtx_unlock(&Giant); 406 return (error); 407 } 408 409 /* 410 * set process group (setpgid/old setpgrp) 411 * 412 * caller does setpgid(targpid, targpgid) 413 * 414 * pid must be caller or child of caller (ESRCH) 415 * if a child 416 * pid must be in same session (EPERM) 417 * pid can't have done an exec (EACCES) 418 * if pgid != pid 419 * there must exist some pid in same session having pgid (EPERM) 420 * pid must not be session leader (EPERM) 421 */ 422 #ifndef _SYS_SYSPROTO_H_ 423 struct setpgid_args { 424 int pid; /* target process id */ 425 int pgid; /* target pgrp id */ 426 }; 427 #endif 428 /* 429 * MPSAFE 430 */ 431 /* ARGSUSED */ 432 int 433 setpgid(td, uap) 434 struct thread *td; 435 register struct setpgid_args *uap; 436 { 437 struct proc *curp = td->td_proc; 438 register struct proc *targp; /* target process */ 439 register struct pgrp *pgrp; /* target pgrp */ 440 int error; 441 442 if (uap->pgid < 0) 443 return (EINVAL); 444 445 mtx_lock(&Giant); 446 447 sx_slock(&proctree_lock); 448 if (uap->pid != 0 && uap->pid != curp->p_pid) { 449 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 450 if (targp) 451 PROC_UNLOCK(targp); 452 error = ESRCH; 453 goto done2; 454 } 455 if ((error = p_cansee(curproc, targp))) { 456 PROC_UNLOCK(targp); 457 goto done2; 458 } 459 if (targp->p_pgrp == NULL || 460 targp->p_session != curp->p_session) { 461 PROC_UNLOCK(targp); 462 error = EPERM; 463 goto done2; 464 } 465 if (targp->p_flag & P_EXEC) { 466 PROC_UNLOCK(targp); 467 error = EACCES; 468 goto done2; 469 } 470 } else { 471 targp = curp; 472 PROC_LOCK(curp); /* XXX: not needed */ 473 } 474 if (SESS_LEADER(targp)) { 475 PROC_UNLOCK(targp); 476 error = EPERM; 477 goto done2; 478 } 479 if (uap->pgid == 0) { 480 uap->pgid = targp->p_pid; 481 } else if (uap->pgid != targp->p_pid) { 482 if ((pgrp = pgfind(uap->pgid)) == 0 || 483 pgrp->pg_session != curp->p_session) { 484 PROC_UNLOCK(targp); 485 error = EPERM; 486 goto done2; 487 } 488 } 489 /* XXX: We should probably hold the lock across enterpgrp. */ 490 PROC_UNLOCK(targp); 491 error = enterpgrp(targp, uap->pgid, 0); 492 done2: 493 sx_sunlock(&proctree_lock); 494 mtx_unlock(&Giant); 495 return (error); 496 } 497 498 /* 499 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 500 * compatible. It says that setting the uid/gid to euid/egid is a special 501 * case of "appropriate privilege". Once the rules are expanded out, this 502 * basically means that setuid(nnn) sets all three id's, in all permitted 503 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 504 * does not set the saved id - this is dangerous for traditional BSD 505 * programs. For this reason, we *really* do not want to set 506 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 507 */ 508 #define POSIX_APPENDIX_B_4_2_2 509 510 #ifndef _SYS_SYSPROTO_H_ 511 struct setuid_args { 512 uid_t uid; 513 }; 514 #endif 515 /* 516 * MPSAFE 517 */ 518 /* ARGSUSED */ 519 int 520 setuid(td, uap) 521 struct thread *td; 522 struct setuid_args *uap; 523 { 524 struct proc *p = td->td_proc; 525 struct ucred *newcred, *oldcred; 526 uid_t uid; 527 int error = 0; 528 529 uid = uap->uid; 530 oldcred = p->p_ucred; 531 mtx_lock(&Giant); 532 533 /* 534 * See if we have "permission" by POSIX 1003.1 rules. 535 * 536 * Note that setuid(geteuid()) is a special case of 537 * "appropriate privileges" in appendix B.4.2.2. We need 538 * to use this clause to be compatible with traditional BSD 539 * semantics. Basically, it means that "setuid(xx)" sets all 540 * three id's (assuming you have privs). 541 * 542 * Notes on the logic. We do things in three steps. 543 * 1: We determine if the euid is going to change, and do EPERM 544 * right away. We unconditionally change the euid later if this 545 * test is satisfied, simplifying that part of the logic. 546 * 2: We determine if the real and/or saved uid's are going to 547 * change. Determined by compile options. 548 * 3: Change euid last. (after tests in #2 for "appropriate privs") 549 */ 550 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 551 #ifdef _POSIX_SAVED_IDS 552 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 553 #endif 554 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 555 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 556 #endif 557 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 558 goto done2; 559 560 newcred = crdup(oldcred); 561 #ifdef _POSIX_SAVED_IDS 562 /* 563 * Do we have "appropriate privileges" (are we root or uid == euid) 564 * If so, we are changing the real uid and/or saved uid. 565 */ 566 if ( 567 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 568 uid == oldcred->cr_uid || 569 #endif 570 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 571 #endif 572 { 573 /* 574 * Set the real uid and transfer proc count to new user. 575 */ 576 if (uid != oldcred->cr_ruid) { 577 change_ruid(newcred, uid); 578 setsugid(p); 579 } 580 /* 581 * Set saved uid 582 * 583 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 584 * the security of seteuid() depends on it. B.4.2.2 says it 585 * is important that we should do this. 586 */ 587 if (uid != oldcred->cr_svuid) { 588 change_svuid(newcred, uid); 589 setsugid(p); 590 } 591 } 592 593 /* 594 * In all permitted cases, we are changing the euid. 595 * Copy credentials so other references do not see our changes. 596 */ 597 if (uid != oldcred->cr_uid) { 598 change_euid(newcred, uid); 599 setsugid(p); 600 } 601 p->p_ucred = newcred; 602 crfree(oldcred); 603 done2: 604 mtx_unlock(&Giant); 605 return (error); 606 } 607 608 #ifndef _SYS_SYSPROTO_H_ 609 struct seteuid_args { 610 uid_t euid; 611 }; 612 #endif 613 /* 614 * MPSAFE 615 */ 616 /* ARGSUSED */ 617 int 618 seteuid(td, uap) 619 struct thread *td; 620 struct seteuid_args *uap; 621 { 622 struct proc *p = td->td_proc; 623 struct ucred *newcred, *oldcred; 624 uid_t euid; 625 int error = 0; 626 627 euid = uap->euid; 628 629 mtx_lock(&Giant); 630 oldcred = p->p_ucred; 631 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 632 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 633 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 634 goto done2; 635 } 636 /* 637 * Everything's okay, do it. Copy credentials so other references do 638 * not see our changes. 639 */ 640 newcred = crdup(oldcred); 641 if (oldcred->cr_uid != euid) { 642 change_euid(newcred, euid); 643 setsugid(p); 644 } 645 p->p_ucred = newcred; 646 crfree(oldcred); 647 done2: 648 mtx_unlock(&Giant); 649 return (error); 650 } 651 652 #ifndef _SYS_SYSPROTO_H_ 653 struct setgid_args { 654 gid_t gid; 655 }; 656 #endif 657 /* 658 * MPSAFE 659 */ 660 /* ARGSUSED */ 661 int 662 setgid(td, uap) 663 struct thread *td; 664 struct setgid_args *uap; 665 { 666 struct proc *p = td->td_proc; 667 struct ucred *newcred, *oldcred; 668 gid_t gid; 669 int error = 0; 670 671 gid = uap->gid; 672 673 mtx_lock(&Giant); 674 oldcred = p->p_ucred; 675 /* 676 * See if we have "permission" by POSIX 1003.1 rules. 677 * 678 * Note that setgid(getegid()) is a special case of 679 * "appropriate privileges" in appendix B.4.2.2. We need 680 * to use this clause to be compatible with traditional BSD 681 * semantics. Basically, it means that "setgid(xx)" sets all 682 * three id's (assuming you have privs). 683 * 684 * For notes on the logic here, see setuid() above. 685 */ 686 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 687 #ifdef _POSIX_SAVED_IDS 688 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 689 #endif 690 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 691 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 692 #endif 693 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 694 goto done2; 695 } 696 697 newcred = crdup(oldcred); 698 #ifdef _POSIX_SAVED_IDS 699 /* 700 * Do we have "appropriate privileges" (are we root or gid == egid) 701 * If so, we are changing the real uid and saved gid. 702 */ 703 if ( 704 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 705 gid == oldcred->cr_groups[0] || 706 #endif 707 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 708 #endif 709 { 710 /* 711 * Set real gid 712 */ 713 if (oldcred->cr_rgid != gid) { 714 change_rgid(newcred, gid); 715 setsugid(p); 716 } 717 /* 718 * Set saved gid 719 * 720 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 721 * the security of setegid() depends on it. B.4.2.2 says it 722 * is important that we should do this. 723 */ 724 if (oldcred->cr_svgid != gid) { 725 change_svgid(newcred, gid); 726 setsugid(p); 727 } 728 } 729 /* 730 * In all cases permitted cases, we are changing the egid. 731 * Copy credentials so other references do not see our changes. 732 */ 733 if (oldcred->cr_groups[0] != gid) { 734 change_egid(newcred, gid); 735 setsugid(p); 736 } 737 p->p_ucred = newcred; 738 crfree(oldcred); 739 done2: 740 mtx_unlock(&Giant); 741 return (error); 742 } 743 744 #ifndef _SYS_SYSPROTO_H_ 745 struct setegid_args { 746 gid_t egid; 747 }; 748 #endif 749 /* 750 * MPSAFE 751 */ 752 /* ARGSUSED */ 753 int 754 setegid(td, uap) 755 struct thread *td; 756 struct setegid_args *uap; 757 { 758 struct proc *p = td->td_proc; 759 struct ucred *newcred, *oldcred; 760 gid_t egid; 761 int error = 0; 762 763 egid = uap->egid; 764 765 mtx_lock(&Giant); 766 oldcred = p->p_ucred; 767 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 768 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 769 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 770 goto done2; 771 } 772 newcred = crdup(oldcred); 773 if (oldcred->cr_groups[0] != egid) { 774 change_egid(newcred, egid); 775 setsugid(p); 776 } 777 p->p_ucred = newcred; 778 crfree(oldcred); 779 done2: 780 mtx_unlock(&Giant); 781 return (error); 782 } 783 784 #ifndef _SYS_SYSPROTO_H_ 785 struct setgroups_args { 786 u_int gidsetsize; 787 gid_t *gidset; 788 }; 789 #endif 790 /* 791 * MPSAFE 792 */ 793 /* ARGSUSED */ 794 int 795 setgroups(td, uap) 796 struct thread *td; 797 struct setgroups_args *uap; 798 { 799 struct proc *p = td->td_proc; 800 struct ucred *newcred, *oldcred; 801 u_int ngrp; 802 int error; 803 804 mtx_lock(&Giant); 805 806 ngrp = uap->gidsetsize; 807 oldcred = p->p_ucred; 808 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 809 goto done2; 810 if (ngrp > NGROUPS) { 811 error = EINVAL; 812 goto done2; 813 } 814 /* 815 * XXX A little bit lazy here. We could test if anything has 816 * changed before crcopy() and setting P_SUGID. 817 */ 818 newcred = crdup(oldcred); 819 if (ngrp < 1) { 820 /* 821 * setgroups(0, NULL) is a legitimate way of clearing the 822 * groups vector on non-BSD systems (which generally do not 823 * have the egid in the groups[0]). We risk security holes 824 * when running non-BSD software if we do not do the same. 825 */ 826 newcred->cr_ngroups = 1; 827 } else { 828 if ((error = copyin((caddr_t)uap->gidset, 829 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 830 crfree(newcred); 831 goto done2; 832 } 833 newcred->cr_ngroups = ngrp; 834 } 835 setsugid(p); 836 p->p_ucred = newcred; 837 crfree(oldcred); 838 done2: 839 mtx_unlock(&Giant); 840 return (error); 841 } 842 843 #ifndef _SYS_SYSPROTO_H_ 844 struct setreuid_args { 845 uid_t ruid; 846 uid_t euid; 847 }; 848 #endif 849 /* 850 * MPSAFE 851 */ 852 /* ARGSUSED */ 853 int 854 setreuid(td, uap) 855 register struct thread *td; 856 struct setreuid_args *uap; 857 { 858 struct proc *p = td->td_proc; 859 struct ucred *newcred, *oldcred; 860 uid_t ruid, euid; 861 int error = 0; 862 863 ruid = uap->ruid; 864 euid = uap->euid; 865 866 mtx_lock(&Giant); 867 868 oldcred = p->p_ucred; 869 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 870 ruid != oldcred->cr_svuid) || 871 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 872 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 873 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 874 goto done2; 875 } 876 newcred = crdup(oldcred); 877 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 878 change_euid(newcred, euid); 879 setsugid(p); 880 } 881 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 882 change_ruid(newcred, ruid); 883 setsugid(p); 884 } 885 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 886 newcred->cr_svuid != newcred->cr_uid) { 887 change_svuid(newcred, newcred->cr_uid); 888 setsugid(p); 889 } 890 p->p_ucred = newcred; 891 crfree(oldcred); 892 done2: 893 mtx_unlock(&Giant); 894 return (error); 895 } 896 897 #ifndef _SYS_SYSPROTO_H_ 898 struct setregid_args { 899 gid_t rgid; 900 gid_t egid; 901 }; 902 #endif 903 /* 904 * MPSAFE 905 */ 906 /* ARGSUSED */ 907 int 908 setregid(td, uap) 909 register struct thread *td; 910 struct setregid_args *uap; 911 { 912 struct proc *p = td->td_proc; 913 struct ucred *newcred, *oldcred; 914 gid_t rgid, egid; 915 int error = 0; 916 917 rgid = uap->rgid; 918 egid = uap->egid; 919 920 mtx_lock(&Giant); 921 922 oldcred = p->p_ucred; 923 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 924 rgid != oldcred->cr_svgid) || 925 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 926 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 927 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 928 goto done2; 929 } 930 931 newcred = crdup(oldcred); 932 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 933 change_egid(newcred, egid); 934 setsugid(p); 935 } 936 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 937 change_rgid(newcred, rgid); 938 setsugid(p); 939 } 940 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 941 newcred->cr_svgid != newcred->cr_groups[0]) { 942 change_svgid(newcred, newcred->cr_groups[0]); 943 setsugid(p); 944 } 945 p->p_ucred = newcred; 946 crfree(oldcred); 947 done2: 948 mtx_unlock(&Giant); 949 return (error); 950 } 951 952 /* 953 * setresuid(ruid, euid, suid) is like setreuid except control over the 954 * saved uid is explicit. 955 */ 956 957 #ifndef _SYS_SYSPROTO_H_ 958 struct setresuid_args { 959 uid_t ruid; 960 uid_t euid; 961 uid_t suid; 962 }; 963 #endif 964 /* 965 * MPSAFE 966 */ 967 /* ARGSUSED */ 968 int 969 setresuid(td, uap) 970 register struct thread *td; 971 struct setresuid_args *uap; 972 { 973 struct proc *p = td->td_proc; 974 struct ucred *newcred, *oldcred; 975 uid_t ruid, euid, suid; 976 int error; 977 978 ruid = uap->ruid; 979 euid = uap->euid; 980 suid = uap->suid; 981 982 mtx_lock(&Giant); 983 oldcred = p->p_ucred; 984 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 985 ruid != oldcred->cr_svuid && 986 ruid != oldcred->cr_uid) || 987 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 988 euid != oldcred->cr_svuid && 989 euid != oldcred->cr_uid) || 990 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 991 suid != oldcred->cr_svuid && 992 suid != oldcred->cr_uid)) && 993 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 994 goto done2; 995 } 996 997 newcred = crdup(oldcred); 998 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 999 change_euid(newcred, euid); 1000 setsugid(p); 1001 } 1002 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1003 change_ruid(newcred, ruid); 1004 setsugid(p); 1005 } 1006 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1007 change_svuid(newcred, suid); 1008 setsugid(p); 1009 } 1010 p->p_ucred = newcred; 1011 crfree(oldcred); 1012 error = 0; 1013 done2: 1014 mtx_unlock(&Giant); 1015 return (error); 1016 } 1017 1018 /* 1019 * setresgid(rgid, egid, sgid) is like setregid except control over the 1020 * saved gid is explicit. 1021 */ 1022 1023 #ifndef _SYS_SYSPROTO_H_ 1024 struct setresgid_args { 1025 gid_t rgid; 1026 gid_t egid; 1027 gid_t sgid; 1028 }; 1029 #endif 1030 /* 1031 * MPSAFE 1032 */ 1033 /* ARGSUSED */ 1034 int 1035 setresgid(td, uap) 1036 register struct thread *td; 1037 struct setresgid_args *uap; 1038 { 1039 struct proc *p = td->td_proc; 1040 struct ucred *newcred, *oldcred; 1041 gid_t rgid, egid, sgid; 1042 int error; 1043 1044 rgid = uap->rgid; 1045 egid = uap->egid; 1046 sgid = uap->sgid; 1047 1048 mtx_lock(&Giant); 1049 oldcred = p->p_ucred; 1050 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1051 rgid != oldcred->cr_svgid && 1052 rgid != oldcred->cr_groups[0]) || 1053 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1054 egid != oldcred->cr_svgid && 1055 egid != oldcred->cr_groups[0]) || 1056 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1057 sgid != oldcred->cr_svgid && 1058 sgid != oldcred->cr_groups[0])) && 1059 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1060 goto done2; 1061 } 1062 newcred = crdup(oldcred); 1063 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1064 change_egid(newcred, egid); 1065 setsugid(p); 1066 } 1067 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1068 change_rgid(newcred, rgid); 1069 setsugid(p); 1070 } 1071 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1072 change_svgid(newcred, sgid); 1073 setsugid(p); 1074 } 1075 p->p_ucred = newcred; 1076 crfree(oldcred); 1077 error = 0; 1078 done2: 1079 mtx_unlock(&Giant); 1080 return (error); 1081 } 1082 1083 #ifndef _SYS_SYSPROTO_H_ 1084 struct getresuid_args { 1085 uid_t *ruid; 1086 uid_t *euid; 1087 uid_t *suid; 1088 }; 1089 #endif 1090 /* 1091 * MPSAFE 1092 */ 1093 /* ARGSUSED */ 1094 int 1095 getresuid(td, uap) 1096 register struct thread *td; 1097 struct getresuid_args *uap; 1098 { 1099 struct ucred *cred; 1100 struct proc *p = td->td_proc; 1101 int error1 = 0, error2 = 0, error3 = 0; 1102 1103 mtx_lock(&Giant); 1104 cred = p->p_ucred; 1105 1106 if (uap->ruid) 1107 error1 = copyout((caddr_t)&cred->cr_ruid, 1108 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1109 if (uap->euid) 1110 error2 = copyout((caddr_t)&cred->cr_uid, 1111 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1112 if (uap->suid) 1113 error3 = copyout((caddr_t)&cred->cr_svuid, 1114 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1115 mtx_unlock(&Giant); 1116 return error1 ? error1 : (error2 ? error2 : error3); 1117 } 1118 1119 #ifndef _SYS_SYSPROTO_H_ 1120 struct getresgid_args { 1121 gid_t *rgid; 1122 gid_t *egid; 1123 gid_t *sgid; 1124 }; 1125 #endif 1126 /* 1127 * MPSAFE 1128 */ 1129 /* ARGSUSED */ 1130 int 1131 getresgid(td, uap) 1132 register struct thread *td; 1133 struct getresgid_args *uap; 1134 { 1135 struct ucred *cred; 1136 struct proc *p = td->td_proc; 1137 int error1 = 0, error2 = 0, error3 = 0; 1138 1139 mtx_lock(&Giant); 1140 cred = p->p_ucred; 1141 1142 if (uap->rgid) 1143 error1 = copyout((caddr_t)&cred->cr_rgid, 1144 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1145 if (uap->egid) 1146 error2 = copyout((caddr_t)&cred->cr_groups[0], 1147 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1148 if (uap->sgid) 1149 error3 = copyout((caddr_t)&cred->cr_svgid, 1150 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1151 mtx_unlock(&Giant); 1152 return error1 ? error1 : (error2 ? error2 : error3); 1153 } 1154 1155 1156 #ifndef _SYS_SYSPROTO_H_ 1157 struct issetugid_args { 1158 int dummy; 1159 }; 1160 #endif 1161 /* ARGSUSED */ 1162 int 1163 issetugid(td, uap) 1164 register struct thread *td; 1165 struct issetugid_args *uap; 1166 { 1167 struct proc *p = td->td_proc; 1168 1169 /* 1170 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1171 * we use P_SUGID because we consider changing the owners as 1172 * "tainting" as well. 1173 * This is significant for procs that start as root and "become" 1174 * a user without an exec - programs cannot know *everything* 1175 * that libc *might* have put in their data segment. 1176 */ 1177 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1178 return (0); 1179 } 1180 1181 /* 1182 * MPSAFE 1183 */ 1184 int 1185 __setugid(td, uap) 1186 struct thread *td; 1187 struct __setugid_args *uap; 1188 { 1189 #ifdef REGRESSION 1190 int error = 0; 1191 1192 mtx_lock(&Giant); 1193 switch (uap->flag) { 1194 case 0: 1195 td->td_proc->p_flag &= ~P_SUGID; 1196 break; 1197 case 1: 1198 td->td_proc->p_flag |= P_SUGID; 1199 break; 1200 default: 1201 error = EINVAL; 1202 break; 1203 } 1204 mtx_unlock(&Giant); 1205 return (error); 1206 #else /* !REGRESSION */ 1207 return (ENOSYS); 1208 #endif /* !REGRESSION */ 1209 } 1210 1211 /* 1212 * Check if gid is a member of the group set. 1213 */ 1214 int 1215 groupmember(gid, cred) 1216 gid_t gid; 1217 struct ucred *cred; 1218 { 1219 register gid_t *gp; 1220 gid_t *egp; 1221 1222 egp = &(cred->cr_groups[cred->cr_ngroups]); 1223 for (gp = cred->cr_groups; gp < egp; gp++) 1224 if (*gp == gid) 1225 return (1); 1226 return (0); 1227 } 1228 1229 /* 1230 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1231 * sysctl) determines whether the system 'super-user' policy is in effect. 1232 * If it is nonzero, an effective uid of 0 connotes special privilege, 1233 * overriding many mandatory and discretionary protections. If it is zero, 1234 * uid 0 is offered no special privilege in the kernel security policy. 1235 * Setting it to zero may seriously impact the functionality of many 1236 * existing userland programs, and should not be done without careful 1237 * consideration of the consequences. 1238 */ 1239 int suser_enabled = 1; 1240 SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW, 1241 &suser_enabled, 0, "processes with uid 0 have privilege"); 1242 1243 /* 1244 * Test whether the specified credentials imply "super-user" privilege. 1245 * Return 0 or EPERM. 1246 */ 1247 int 1248 suser(p) 1249 struct proc *p; 1250 { 1251 return suser_xxx(0, p, 0); 1252 } 1253 1254 /* 1255 * version for when the thread pointer is available and not the proc. 1256 * (saves having to include proc.h into every file that needs to do the change.) 1257 */ 1258 int 1259 suser_td(td) 1260 1261 struct thread *td; 1262 { 1263 return suser_xxx(0, td->td_proc, 0); 1264 } 1265 1266 /* 1267 * wrapper to use if you have the thread on hand but not the proc. 1268 */ 1269 int 1270 suser_xxx_td(cred, td, flag) 1271 struct ucred *cred; 1272 struct thread *td; 1273 int flag; 1274 { 1275 return(suser_xxx(cred, td->td_proc, flag)); 1276 } 1277 1278 int 1279 suser_xxx(cred, proc, flag) 1280 struct ucred *cred; 1281 struct proc *proc; 1282 int flag; 1283 { 1284 if (!suser_enabled) 1285 return (EPERM); 1286 if (!cred && !proc) { 1287 printf("suser_xxx(): THINK!\n"); 1288 return (EPERM); 1289 } 1290 if (!cred) 1291 cred = proc->p_ucred; 1292 if (cred->cr_uid != 0) 1293 return (EPERM); 1294 if (jailed(cred) && !(flag & PRISON_ROOT)) 1295 return (EPERM); 1296 return (0); 1297 } 1298 1299 /* 1300 * Test (local, globale) securelevel values against passed required 1301 * securelevel. _gt implements (level > securelevel), and _ge implements 1302 * (level >= securelevel). Returns 0 oer EPERM. 1303 * 1304 * cr is permitted to be NULL for the time being, as there were some 1305 * existing securelevel checks that occurred without a process/credential 1306 * context. In the future this will be disallowed, so a kernel 1307 * message is displayed. 1308 */ 1309 int 1310 securelevel_gt(struct ucred *cr, int level) 1311 { 1312 1313 if (cr == NULL) { 1314 printf("securelevel_gt: cr is NULL\n"); 1315 if (level > securelevel) 1316 return (0); 1317 else 1318 return (EPERM); 1319 } else if (cr->cr_prison == NULL) { 1320 if (level > securelevel) 1321 return (0); 1322 else 1323 return (EPERM); 1324 } else { 1325 if (level > imax(cr->cr_prison->pr_securelevel, securelevel)) 1326 return (0); 1327 else 1328 return (EPERM); 1329 } 1330 1331 } 1332 1333 int 1334 securelevel_ge(struct ucred *cr, int level) 1335 { 1336 1337 if (cr == NULL) { 1338 printf("securelevel_ge: cr is NULL\n"); 1339 if (level >= securelevel) 1340 return (0); 1341 else 1342 return (EPERM); 1343 } if (cr->cr_prison == NULL) { 1344 if (level >= securelevel) 1345 return (0); 1346 else 1347 return (EPERM); 1348 } else { 1349 if (level >= imax(cr->cr_prison->pr_securelevel, securelevel)) 1350 return (0); 1351 else 1352 return (EPERM); 1353 } 1354 } 1355 1356 /* 1357 * kern_security_seeotheruids_permitted determines whether or not visibility 1358 * of processes and sockets with credentials holding different real uid's 1359 * is possible using a variety of system MIBs. 1360 */ 1361 static int kern_security_seeotheruids_permitted = 1; 1362 SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted, 1363 CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0, 1364 "Unprivileged processes may see subjects/objects with different real uid"); 1365 1366 /*- 1367 * Determine if u1 "can see" the subject specified by u2. 1368 * Returns: 0 for permitted, an errno value otherwise 1369 * Locks: none 1370 * References: u1 and u2 must be immutable credentials 1371 * u1 and u2 must be valid for the lifetime of the call 1372 * u1 may equal u2, in which case only one reference is required 1373 */ 1374 int 1375 cr_cansee(struct ucred *u1, struct ucred *u2) 1376 { 1377 int error; 1378 1379 if ((error = prison_check(u1, u2))) 1380 return (error); 1381 if (!kern_security_seeotheruids_permitted && 1382 u1->cr_ruid != u2->cr_ruid) { 1383 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1384 return (ESRCH); 1385 } 1386 return (0); 1387 } 1388 1389 /*- 1390 * Determine if p1 "can see" the subject specified by p2. 1391 * Returns: 0 for permitted, an errno value otherwise 1392 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1393 * be held. Normally, p1 will be curproc, and a lock must be held 1394 * for p2. 1395 * References: p1 and p2 must be valid for the lifetime of the call 1396 */ 1397 int 1398 p_cansee(struct proc *p1, struct proc *p2) 1399 { 1400 1401 /* Wrap cr_cansee() for all functionality. */ 1402 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1403 } 1404 1405 /*- 1406 * Determine whether p1 may deliver the specified signal to p2. 1407 * Returns: 0 for permitted, an errno value otherwise 1408 * Locks: Sufficient locks to protect various components of p1 and p2 1409 * must be held. Normally, p1 will be curproc, and a lock must 1410 * be held for p2. 1411 * References: p1 and p2 must be valid for the lifetime of the call 1412 */ 1413 int 1414 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1415 { 1416 int error; 1417 1418 if (p1 == p2) 1419 return (0); 1420 1421 /* 1422 * Jail semantics limit the scope of signalling to p2 in the same 1423 * jail as p1, if p1 is in jail. 1424 */ 1425 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1426 return (error); 1427 1428 /* 1429 * UNIX signalling semantics require that processes in the same 1430 * session always be able to deliver SIGCONT to one another, 1431 * overriding the remaining protections. 1432 */ 1433 if (signum == SIGCONT && p1->p_session == p2->p_session) 1434 return (0); 1435 1436 /* 1437 * UNIX signal semantics depend on the status of the P_SUGID 1438 * bit on the target process. If the bit is set, then additional 1439 * restrictions are placed on the set of available signals. 1440 */ 1441 if (p2->p_flag & P_SUGID) { 1442 switch (signum) { 1443 case 0: 1444 case SIGKILL: 1445 case SIGINT: 1446 case SIGTERM: 1447 case SIGSTOP: 1448 case SIGTTIN: 1449 case SIGTTOU: 1450 case SIGTSTP: 1451 case SIGHUP: 1452 case SIGUSR1: 1453 case SIGUSR2: 1454 /* 1455 * Generally, permit job and terminal control 1456 * signals. 1457 */ 1458 break; 1459 default: 1460 /* Not permitted, privilege is required. */ 1461 error = suser_xxx(NULL, p1, PRISON_ROOT); 1462 if (error) 1463 return (error); 1464 } 1465 } 1466 1467 /* 1468 * Generally, the target credential's ruid or svuid must match the 1469 * subject credential's ruid or euid. 1470 */ 1471 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1472 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1473 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1474 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1475 /* Not permitted, try privilege. */ 1476 error = suser_xxx(NULL, p1, PRISON_ROOT); 1477 if (error) 1478 return (error); 1479 } 1480 1481 return (0); 1482 } 1483 1484 /*- 1485 * Determine whether p1 may reschedule p2 1486 * Returns: 0 for permitted, an errno value otherwise 1487 * Locks: Sufficient locks to protect various components of p1 and p2 1488 * must be held. Normally, p1 will be curproc, and a lock must 1489 * be held for p2. 1490 * References: p1 and p2 must be valid for the lifetime of the call 1491 */ 1492 int 1493 p_cansched(struct proc *p1, struct proc *p2) 1494 { 1495 int error; 1496 1497 if (p1 == p2) 1498 return (0); 1499 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1500 return (error); 1501 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1502 return (0); 1503 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1504 return (0); 1505 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1506 return (0); 1507 1508 #ifdef CAPABILITIES 1509 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1510 return (0); 1511 #endif 1512 1513 return (EPERM); 1514 } 1515 1516 /* 1517 * The kern_unprivileged_procdebug_permitted flag may be used to disable 1518 * a variety of unprivileged inter-process debugging services, including 1519 * some procfs functionality, ptrace(), and ktrace(). In the past, 1520 * inter-process debugging has been involved in a variety of security 1521 * problems, and sites not requiring the service might choose to disable it 1522 * when hardening systems. 1523 * 1524 * XXX: Should modifying and reading this variable require locking? 1525 */ 1526 static int kern_unprivileged_procdebug_permitted = 1; 1527 SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted, 1528 CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0, 1529 "Unprivileged processes may use process debugging facilities"); 1530 1531 /*- 1532 * Determine whether p1 may debug p2. 1533 * Returns: 0 for permitted, an errno value otherwise 1534 * Locks: Sufficient locks to protect various components of p1 and p2 1535 * must be held. Normally, p1 will be curproc, and a lock must 1536 * be held for p2. 1537 * References: p1 and p2 must be valid for the lifetime of the call 1538 */ 1539 int 1540 p_candebug(struct proc *p1, struct proc *p2) 1541 { 1542 int error, i, grpsubset, uidsubset, credentialchanged; 1543 1544 if (!kern_unprivileged_procdebug_permitted) { 1545 error = suser_xxx(NULL, p1, PRISON_ROOT); 1546 if (error) 1547 return (error); 1548 } 1549 1550 if (p1 == p2) 1551 return (0); 1552 1553 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1554 return (error); 1555 1556 /* 1557 * Is p2's group set a subset of p1's effective group set? This 1558 * includes p2's egid, group access list, rgid, and svgid. 1559 */ 1560 grpsubset = 1; 1561 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1562 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1563 grpsubset = 0; 1564 break; 1565 } 1566 } 1567 grpsubset = grpsubset && 1568 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1569 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1570 1571 /* 1572 * Are the uids present in p2's credential equal to p1's 1573 * effective uid? This includes p2's euid, svuid, and ruid. 1574 */ 1575 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1576 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1577 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1578 1579 /* 1580 * Has the credential of the process changed since the last exec()? 1581 */ 1582 credentialchanged = (p2->p_flag & P_SUGID); 1583 1584 /* 1585 * If p2's gids aren't a subset, or the uids aren't a subset, 1586 * or the credential has changed, require appropriate privilege 1587 * for p1 to debug p2. For POSIX.1e capabilities, this will 1588 * require CAP_SYS_PTRACE. 1589 */ 1590 if (!grpsubset || !uidsubset || credentialchanged) { 1591 error = suser_xxx(NULL, p1, PRISON_ROOT); 1592 if (error) 1593 return (error); 1594 } 1595 1596 /* can't trace init when securelevel > 0 */ 1597 if (p2->p_pid == 1) { 1598 error = securelevel_gt(p1->p_ucred, 0); 1599 if (error) 1600 return (error); 1601 } 1602 1603 /* 1604 * Can't trace a process that's currently exec'ing. 1605 * XXX: Note, this is not a security policy decision, it's a 1606 * basic correctness/functionality decision. Therefore, this check 1607 * should be moved to the caller's of p_candebug(). 1608 */ 1609 if ((p2->p_flag & P_INEXEC) != 0) 1610 return (EAGAIN); 1611 1612 return (0); 1613 } 1614 1615 /* 1616 * Allocate a zeroed cred structure. 1617 */ 1618 struct ucred * 1619 crget() 1620 { 1621 register struct ucred *cr; 1622 1623 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1624 cr->cr_ref = 1; 1625 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1626 return (cr); 1627 } 1628 1629 /* 1630 * Claim another reference to a ucred structure. 1631 */ 1632 struct ucred * 1633 crhold(cr) 1634 struct ucred *cr; 1635 { 1636 1637 mtx_lock(&cr->cr_mtx); 1638 cr->cr_ref++; 1639 mtx_unlock(&cr->cr_mtx); 1640 return (cr); 1641 } 1642 1643 1644 /* 1645 * Free a cred structure. 1646 * Throws away space when ref count gets to 0. 1647 */ 1648 void 1649 crfree(cr) 1650 struct ucred *cr; 1651 { 1652 1653 mtx_lock(&cr->cr_mtx); 1654 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1655 if (--cr->cr_ref == 0) { 1656 mtx_destroy(&cr->cr_mtx); 1657 /* 1658 * Some callers of crget(), such as nfs_statfs(), 1659 * allocate a temporary credential, but don't 1660 * allocate a uidinfo structure. 1661 */ 1662 if (cr->cr_uidinfo != NULL) 1663 uifree(cr->cr_uidinfo); 1664 if (cr->cr_ruidinfo != NULL) 1665 uifree(cr->cr_ruidinfo); 1666 /* 1667 * Free a prison, if any. 1668 */ 1669 if (jailed(cr)) 1670 prison_free(cr->cr_prison); 1671 FREE((caddr_t)cr, M_CRED); 1672 } else { 1673 mtx_unlock(&cr->cr_mtx); 1674 } 1675 } 1676 1677 /* 1678 * Check to see if this ucred is shared. 1679 */ 1680 int 1681 crshared(cr) 1682 struct ucred *cr; 1683 { 1684 int shared; 1685 1686 mtx_lock(&cr->cr_mtx); 1687 shared = (cr->cr_ref > 1); 1688 mtx_unlock(&cr->cr_mtx); 1689 return (shared); 1690 } 1691 1692 /* 1693 * Copy a ucred's contents from a template. Does not block. 1694 */ 1695 void 1696 crcopy(dest, src) 1697 struct ucred *dest, *src; 1698 { 1699 1700 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1701 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1702 (unsigned)((caddr_t)&src->cr_endcopy - 1703 (caddr_t)&src->cr_startcopy)); 1704 uihold(dest->cr_uidinfo); 1705 uihold(dest->cr_ruidinfo); 1706 if (jailed(dest)) 1707 prison_hold(dest->cr_prison); 1708 } 1709 1710 /* 1711 * Dup cred struct to a new held one. 1712 */ 1713 struct ucred * 1714 crdup(cr) 1715 struct ucred *cr; 1716 { 1717 struct ucred *newcr; 1718 1719 newcr = crget(); 1720 crcopy(newcr, cr); 1721 return (newcr); 1722 } 1723 1724 /* 1725 * Get login name, if available. 1726 */ 1727 #ifndef _SYS_SYSPROTO_H_ 1728 struct getlogin_args { 1729 char *namebuf; 1730 u_int namelen; 1731 }; 1732 #endif 1733 /* 1734 * MPSAFE 1735 */ 1736 /* ARGSUSED */ 1737 int 1738 getlogin(td, uap) 1739 struct thread *td; 1740 struct getlogin_args *uap; 1741 { 1742 int error; 1743 struct proc *p = td->td_proc; 1744 1745 mtx_lock(&Giant); 1746 if (uap->namelen > MAXLOGNAME) 1747 uap->namelen = MAXLOGNAME; 1748 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1749 (caddr_t) uap->namebuf, uap->namelen); 1750 mtx_unlock(&Giant); 1751 return(error); 1752 } 1753 1754 /* 1755 * Set login name. 1756 */ 1757 #ifndef _SYS_SYSPROTO_H_ 1758 struct setlogin_args { 1759 char *namebuf; 1760 }; 1761 #endif 1762 /* 1763 * MPSAFE 1764 */ 1765 /* ARGSUSED */ 1766 int 1767 setlogin(td, uap) 1768 struct thread *td; 1769 struct setlogin_args *uap; 1770 { 1771 struct proc *p = td->td_proc; 1772 int error; 1773 char logintmp[MAXLOGNAME]; 1774 1775 mtx_lock(&Giant); 1776 if ((error = suser_xxx(0, p, PRISON_ROOT))) 1777 goto done2; 1778 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1779 sizeof(logintmp), (size_t *)0); 1780 if (error == ENAMETOOLONG) { 1781 error = EINVAL; 1782 } else if (!error) { 1783 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1784 sizeof(logintmp)); 1785 } 1786 done2: 1787 mtx_unlock(&Giant); 1788 return (error); 1789 } 1790 1791 void 1792 setsugid(p) 1793 struct proc *p; 1794 { 1795 p->p_flag |= P_SUGID; 1796 if (!(p->p_pfsflags & PF_ISUGID)) 1797 p->p_stops = 0; 1798 } 1799 1800 /*- 1801 * Change a process's effective uid. 1802 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1803 * References: newcred must be an exclusive credential reference for the 1804 * duration of the call. 1805 */ 1806 void 1807 change_euid(newcred, euid) 1808 struct ucred *newcred; 1809 uid_t euid; 1810 { 1811 1812 newcred->cr_uid = euid; 1813 uifree(newcred->cr_uidinfo); 1814 newcred->cr_uidinfo = uifind(euid); 1815 } 1816 1817 /*- 1818 * Change a process's effective gid. 1819 * Side effects: newcred->cr_gid will be modified. 1820 * References: newcred must be an exclusive credential reference for the 1821 * duration of the call. 1822 */ 1823 void 1824 change_egid(newcred, egid) 1825 struct ucred *newcred; 1826 gid_t egid; 1827 { 1828 1829 newcred->cr_groups[0] = egid; 1830 } 1831 1832 /*- 1833 * Change a process's real uid. 1834 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1835 * will be updated, and the old and new cr_ruidinfo proc 1836 * counts will be updated. 1837 * References: newcred must be an exclusive credential reference for the 1838 * duration of the call. 1839 */ 1840 void 1841 change_ruid(newcred, ruid) 1842 struct ucred *newcred; 1843 uid_t ruid; 1844 { 1845 1846 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1847 newcred->cr_ruid = ruid; 1848 uifree(newcred->cr_ruidinfo); 1849 newcred->cr_ruidinfo = uifind(ruid); 1850 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1851 } 1852 1853 /*- 1854 * Change a process's real gid. 1855 * Side effects: newcred->cr_rgid will be updated. 1856 * References: newcred must be an exclusive credential reference for the 1857 * duration of the call. 1858 */ 1859 void 1860 change_rgid(newcred, rgid) 1861 struct ucred *newcred; 1862 gid_t rgid; 1863 { 1864 1865 newcred->cr_rgid = rgid; 1866 } 1867 1868 /*- 1869 * Change a process's saved uid. 1870 * Side effects: newcred->cr_svuid will be updated. 1871 * References: newcred must be an exclusive credential reference for the 1872 * duration of the call. 1873 */ 1874 void 1875 change_svuid(newcred, svuid) 1876 struct ucred *newcred; 1877 uid_t svuid; 1878 { 1879 1880 newcred->cr_svuid = svuid; 1881 } 1882 1883 /*- 1884 * Change a process's saved gid. 1885 * Side effects: newcred->cr_svgid will be updated. 1886 * References: newcred must be an exclusive credential reference for the 1887 * duration of the call. 1888 */ 1889 void 1890 change_svgid(newcred, svgid) 1891 struct ucred *newcred; 1892 gid_t svgid; 1893 { 1894 1895 newcred->cr_svgid = svgid; 1896 } 1897