1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD$ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/acct.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/mutex.h> 55 #include <sys/proc.h> 56 #include <sys/sx.h> 57 #include <sys/sysproto.h> 58 #include <sys/jail.h> 59 #include <sys/malloc.h> 60 #include <sys/pioctl.h> 61 #include <sys/resourcevar.h> 62 #include <sys/sysctl.h> 63 64 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 65 66 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 67 "Kernel security policy"); 68 SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 69 "BSD security policy"); 70 71 #ifndef _SYS_SYSPROTO_H_ 72 struct getpid_args { 73 int dummy; 74 }; 75 #endif 76 /* 77 * MPSAFE 78 */ 79 /* ARGSUSED */ 80 int 81 getpid(td, uap) 82 struct thread *td; 83 struct getpid_args *uap; 84 { 85 struct proc *p = td->td_proc; 86 int s; 87 88 s = mtx_lock_giant(kern_giant_proc); 89 td->td_retval[0] = p->p_pid; 90 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 91 PROC_LOCK(p); 92 td->td_retval[1] = p->p_pptr->p_pid; 93 PROC_UNLOCK(p); 94 #endif 95 mtx_unlock_giant(s); 96 return (0); 97 } 98 99 #ifndef _SYS_SYSPROTO_H_ 100 struct getppid_args { 101 int dummy; 102 }; 103 #endif 104 /* 105 * MPSAFE 106 */ 107 /* ARGSUSED */ 108 int 109 getppid(td, uap) 110 struct thread *td; 111 struct getppid_args *uap; 112 { 113 struct proc *p = td->td_proc; 114 int s; 115 116 s = mtx_lock_giant(kern_giant_proc); 117 PROC_LOCK(p); 118 td->td_retval[0] = p->p_pptr->p_pid; 119 PROC_UNLOCK(p); 120 mtx_unlock_giant(s); 121 return (0); 122 } 123 124 /* 125 * Get process group ID; note that POSIX getpgrp takes no parameter. 126 */ 127 #ifndef _SYS_SYSPROTO_H_ 128 struct getpgrp_args { 129 int dummy; 130 }; 131 #endif 132 /* 133 * MPSAFE 134 */ 135 int 136 getpgrp(td, uap) 137 struct thread *td; 138 struct getpgrp_args *uap; 139 { 140 struct proc *p = td->td_proc; 141 142 mtx_lock(&Giant); 143 td->td_retval[0] = p->p_pgrp->pg_id; 144 mtx_unlock(&Giant); 145 return (0); 146 } 147 148 /* Get an arbitary pid's process group id */ 149 #ifndef _SYS_SYSPROTO_H_ 150 struct getpgid_args { 151 pid_t pid; 152 }; 153 #endif 154 /* 155 * MPSAFE 156 */ 157 int 158 getpgid(td, uap) 159 struct thread *td; 160 struct getpgid_args *uap; 161 { 162 struct proc *p = td->td_proc; 163 struct proc *pt; 164 int error, s; 165 166 s = mtx_lock_giant(kern_giant_proc); 167 error = 0; 168 if (uap->pid == 0) 169 td->td_retval[0] = p->p_pgrp->pg_id; 170 else if ((pt = pfind(uap->pid)) == NULL) 171 error = ESRCH; 172 else { 173 error = p_cansee(p, pt); 174 if (error == 0) 175 td->td_retval[0] = pt->p_pgrp->pg_id; 176 PROC_UNLOCK(pt); 177 } 178 mtx_unlock_giant(s); 179 return (error); 180 } 181 182 /* 183 * Get an arbitary pid's session id. 184 */ 185 #ifndef _SYS_SYSPROTO_H_ 186 struct getsid_args { 187 pid_t pid; 188 }; 189 #endif 190 /* 191 * MPSAFE 192 */ 193 int 194 getsid(td, uap) 195 struct thread *td; 196 struct getsid_args *uap; 197 { 198 struct proc *p = td->td_proc; 199 struct proc *pt; 200 int error; 201 202 mtx_lock(&Giant); 203 error = 0; 204 if (uap->pid == 0) 205 td->td_retval[0] = p->p_session->s_sid; 206 else if ((pt = pfind(uap->pid)) == NULL) 207 error = ESRCH; 208 else { 209 error = p_cansee(p, pt); 210 if (error == 0) 211 td->td_retval[0] = pt->p_session->s_sid; 212 PROC_UNLOCK(pt); 213 } 214 mtx_unlock(&Giant); 215 return (error); 216 } 217 218 #ifndef _SYS_SYSPROTO_H_ 219 struct getuid_args { 220 int dummy; 221 }; 222 #endif 223 /* 224 * MPSAFE 225 */ 226 /* ARGSUSED */ 227 int 228 getuid(td, uap) 229 struct thread *td; 230 struct getuid_args *uap; 231 { 232 struct proc *p = td->td_proc; 233 234 mtx_lock(&Giant); 235 td->td_retval[0] = p->p_ucred->cr_ruid; 236 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 237 td->td_retval[1] = p->p_ucred->cr_uid; 238 #endif 239 mtx_unlock(&Giant); 240 return (0); 241 } 242 243 #ifndef _SYS_SYSPROTO_H_ 244 struct geteuid_args { 245 int dummy; 246 }; 247 #endif 248 /* 249 * MPSAFE 250 */ 251 /* ARGSUSED */ 252 int 253 geteuid(td, uap) 254 struct thread *td; 255 struct geteuid_args *uap; 256 { 257 mtx_lock(&Giant); 258 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 259 mtx_unlock(&Giant); 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct getgid_args { 265 int dummy; 266 }; 267 #endif 268 /* 269 * MPSAFE 270 */ 271 /* ARGSUSED */ 272 int 273 getgid(td, uap) 274 struct thread *td; 275 struct getgid_args *uap; 276 { 277 struct proc *p = td->td_proc; 278 279 mtx_lock(&Giant); 280 td->td_retval[0] = p->p_ucred->cr_rgid; 281 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 282 td->td_retval[1] = p->p_ucred->cr_groups[0]; 283 #endif 284 mtx_unlock(&Giant); 285 return (0); 286 } 287 288 /* 289 * Get effective group ID. The "egid" is groups[0], and could be obtained 290 * via getgroups. This syscall exists because it is somewhat painful to do 291 * correctly in a library function. 292 */ 293 #ifndef _SYS_SYSPROTO_H_ 294 struct getegid_args { 295 int dummy; 296 }; 297 #endif 298 /* 299 * MPSAFE 300 */ 301 /* ARGSUSED */ 302 int 303 getegid(td, uap) 304 struct thread *td; 305 struct getegid_args *uap; 306 { 307 struct proc *p = td->td_proc; 308 309 mtx_lock(&Giant); 310 td->td_retval[0] = p->p_ucred->cr_groups[0]; 311 mtx_unlock(&Giant); 312 return (0); 313 } 314 315 #ifndef _SYS_SYSPROTO_H_ 316 struct getgroups_args { 317 u_int gidsetsize; 318 gid_t *gidset; 319 }; 320 #endif 321 /* 322 * MPSAFE 323 */ 324 int 325 getgroups(td, uap) 326 struct thread *td; 327 register struct getgroups_args *uap; 328 { 329 struct ucred *cred; 330 struct proc *p = td->td_proc; 331 u_int ngrp; 332 int error; 333 334 mtx_lock(&Giant); 335 error = 0; 336 cred = p->p_ucred; 337 if ((ngrp = uap->gidsetsize) == 0) { 338 td->td_retval[0] = cred->cr_ngroups; 339 goto done2; 340 } 341 if (ngrp < cred->cr_ngroups) { 342 error = EINVAL; 343 goto done2; 344 } 345 ngrp = cred->cr_ngroups; 346 if ((error = copyout((caddr_t)cred->cr_groups, 347 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) 348 goto done2; 349 td->td_retval[0] = ngrp; 350 done2: 351 mtx_unlock(&Giant); 352 return (error); 353 } 354 355 #ifndef _SYS_SYSPROTO_H_ 356 struct setsid_args { 357 int dummy; 358 }; 359 #endif 360 /* 361 * MPSAFE 362 */ 363 /* ARGSUSED */ 364 int 365 setsid(td, uap) 366 register struct thread *td; 367 struct setsid_args *uap; 368 { 369 int error; 370 struct proc *p = td->td_proc; 371 372 mtx_lock(&Giant); 373 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) 374 error = EPERM; 375 else { 376 (void)enterpgrp(p, p->p_pid, 1); 377 td->td_retval[0] = p->p_pid; 378 error = 0; 379 } 380 mtx_unlock(&Giant); 381 return (error); 382 } 383 384 /* 385 * set process group (setpgid/old setpgrp) 386 * 387 * caller does setpgid(targpid, targpgid) 388 * 389 * pid must be caller or child of caller (ESRCH) 390 * if a child 391 * pid must be in same session (EPERM) 392 * pid can't have done an exec (EACCES) 393 * if pgid != pid 394 * there must exist some pid in same session having pgid (EPERM) 395 * pid must not be session leader (EPERM) 396 */ 397 #ifndef _SYS_SYSPROTO_H_ 398 struct setpgid_args { 399 int pid; /* target process id */ 400 int pgid; /* target pgrp id */ 401 }; 402 #endif 403 /* 404 * MPSAFE 405 */ 406 /* ARGSUSED */ 407 int 408 setpgid(td, uap) 409 struct thread *td; 410 register struct setpgid_args *uap; 411 { 412 struct proc *curp = td->td_proc; 413 register struct proc *targp; /* target process */ 414 register struct pgrp *pgrp; /* target pgrp */ 415 int error; 416 417 if (uap->pgid < 0) 418 return (EINVAL); 419 mtx_lock(&Giant); 420 sx_slock(&proctree_lock); 421 if (uap->pid != 0 && uap->pid != curp->p_pid) { 422 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 423 if (targp) 424 PROC_UNLOCK(targp); 425 error = ESRCH; 426 goto done2; 427 } 428 if ((error = p_cansee(curproc, targp))) { 429 PROC_UNLOCK(targp); 430 goto done2; 431 } 432 if (targp->p_pgrp == NULL || 433 targp->p_session != curp->p_session) { 434 PROC_UNLOCK(targp); 435 error = EPERM; 436 goto done2; 437 } 438 if (targp->p_flag & P_EXEC) { 439 PROC_UNLOCK(targp); 440 error = EACCES; 441 goto done2; 442 } 443 } else { 444 targp = curp; 445 PROC_LOCK(curp); /* XXX: not needed */ 446 } 447 if (SESS_LEADER(targp)) { 448 PROC_UNLOCK(targp); 449 error = EPERM; 450 goto done2; 451 } 452 if (uap->pgid == 0) 453 uap->pgid = targp->p_pid; 454 else if (uap->pgid != targp->p_pid) { 455 if ((pgrp = pgfind(uap->pgid)) == 0 || 456 pgrp->pg_session != curp->p_session) { 457 PROC_UNLOCK(targp); 458 error = EPERM; 459 goto done2; 460 } 461 } 462 /* XXX: We should probably hold the lock across enterpgrp. */ 463 PROC_UNLOCK(targp); 464 error = enterpgrp(targp, uap->pgid, 0); 465 done2: 466 sx_sunlock(&proctree_lock); 467 mtx_unlock(&Giant); 468 return (error); 469 } 470 471 /* 472 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 473 * compatible. It says that setting the uid/gid to euid/egid is a special 474 * case of "appropriate privilege". Once the rules are expanded out, this 475 * basically means that setuid(nnn) sets all three id's, in all permitted 476 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 477 * does not set the saved id - this is dangerous for traditional BSD 478 * programs. For this reason, we *really* do not want to set 479 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 480 */ 481 #define POSIX_APPENDIX_B_4_2_2 482 483 #ifndef _SYS_SYSPROTO_H_ 484 struct setuid_args { 485 uid_t uid; 486 }; 487 #endif 488 /* 489 * MPSAFE 490 */ 491 /* ARGSUSED */ 492 int 493 setuid(td, uap) 494 struct thread *td; 495 struct setuid_args *uap; 496 { 497 struct proc *p = td->td_proc; 498 struct ucred *newcred, *oldcred; 499 uid_t uid; 500 int error; 501 502 uid = uap->uid; 503 mtx_lock(&Giant); 504 error = 0; 505 oldcred = p->p_ucred; 506 507 /* 508 * See if we have "permission" by POSIX 1003.1 rules. 509 * 510 * Note that setuid(geteuid()) is a special case of 511 * "appropriate privileges" in appendix B.4.2.2. We need 512 * to use this clause to be compatible with traditional BSD 513 * semantics. Basically, it means that "setuid(xx)" sets all 514 * three id's (assuming you have privs). 515 * 516 * Notes on the logic. We do things in three steps. 517 * 1: We determine if the euid is going to change, and do EPERM 518 * right away. We unconditionally change the euid later if this 519 * test is satisfied, simplifying that part of the logic. 520 * 2: We determine if the real and/or saved uids are going to 521 * change. Determined by compile options. 522 * 3: Change euid last. (after tests in #2 for "appropriate privs") 523 */ 524 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 525 #ifdef _POSIX_SAVED_IDS 526 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 527 #endif 528 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 529 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 530 #endif 531 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 532 goto done2; 533 534 newcred = crdup(oldcred); 535 #ifdef _POSIX_SAVED_IDS 536 /* 537 * Do we have "appropriate privileges" (are we root or uid == euid) 538 * If so, we are changing the real uid and/or saved uid. 539 */ 540 if ( 541 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 542 uid == oldcred->cr_uid || 543 #endif 544 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 545 #endif 546 { 547 /* 548 * Set the real uid and transfer proc count to new user. 549 */ 550 if (uid != oldcred->cr_ruid) { 551 change_ruid(newcred, uid); 552 setsugid(p); 553 } 554 /* 555 * Set saved uid 556 * 557 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 558 * the security of seteuid() depends on it. B.4.2.2 says it 559 * is important that we should do this. 560 */ 561 if (uid != oldcred->cr_svuid) { 562 change_svuid(newcred, uid); 563 setsugid(p); 564 } 565 } 566 567 /* 568 * In all permitted cases, we are changing the euid. 569 * Copy credentials so other references do not see our changes. 570 */ 571 if (uid != oldcred->cr_uid) { 572 change_euid(newcred, uid); 573 setsugid(p); 574 } 575 p->p_ucred = newcred; 576 crfree(oldcred); 577 done2: 578 mtx_unlock(&Giant); 579 return (error); 580 } 581 582 #ifndef _SYS_SYSPROTO_H_ 583 struct seteuid_args { 584 uid_t euid; 585 }; 586 #endif 587 /* 588 * MPSAFE 589 */ 590 /* ARGSUSED */ 591 int 592 seteuid(td, uap) 593 struct thread *td; 594 struct seteuid_args *uap; 595 { 596 struct proc *p = td->td_proc; 597 struct ucred *newcred, *oldcred; 598 uid_t euid; 599 int error; 600 601 euid = uap->euid; 602 mtx_lock(&Giant); 603 error = 0; 604 oldcred = p->p_ucred; 605 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 606 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 607 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 608 goto done2; 609 /* 610 * Everything's okay, do it. Copy credentials so other references do 611 * not see our changes. 612 */ 613 newcred = crdup(oldcred); 614 if (oldcred->cr_uid != euid) { 615 change_euid(newcred, euid); 616 setsugid(p); 617 } 618 p->p_ucred = newcred; 619 crfree(oldcred); 620 done2: 621 mtx_unlock(&Giant); 622 return (error); 623 } 624 625 #ifndef _SYS_SYSPROTO_H_ 626 struct setgid_args { 627 gid_t gid; 628 }; 629 #endif 630 /* 631 * MPSAFE 632 */ 633 /* ARGSUSED */ 634 int 635 setgid(td, uap) 636 struct thread *td; 637 struct setgid_args *uap; 638 { 639 struct proc *p = td->td_proc; 640 struct ucred *newcred, *oldcred; 641 gid_t gid; 642 int error; 643 644 gid = uap->gid; 645 mtx_lock(&Giant); 646 error = 0; 647 oldcred = p->p_ucred; 648 649 /* 650 * See if we have "permission" by POSIX 1003.1 rules. 651 * 652 * Note that setgid(getegid()) is a special case of 653 * "appropriate privileges" in appendix B.4.2.2. We need 654 * to use this clause to be compatible with traditional BSD 655 * semantics. Basically, it means that "setgid(xx)" sets all 656 * three id's (assuming you have privs). 657 * 658 * For notes on the logic here, see setuid() above. 659 */ 660 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 661 #ifdef _POSIX_SAVED_IDS 662 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 663 #endif 664 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 665 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 666 #endif 667 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 668 goto done2; 669 670 newcred = crdup(oldcred); 671 #ifdef _POSIX_SAVED_IDS 672 /* 673 * Do we have "appropriate privileges" (are we root or gid == egid) 674 * If so, we are changing the real uid and saved gid. 675 */ 676 if ( 677 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 678 gid == oldcred->cr_groups[0] || 679 #endif 680 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 681 #endif 682 { 683 /* 684 * Set real gid 685 */ 686 if (oldcred->cr_rgid != gid) { 687 change_rgid(newcred, gid); 688 setsugid(p); 689 } 690 /* 691 * Set saved gid 692 * 693 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 694 * the security of setegid() depends on it. B.4.2.2 says it 695 * is important that we should do this. 696 */ 697 if (oldcred->cr_svgid != gid) { 698 change_svgid(newcred, gid); 699 setsugid(p); 700 } 701 } 702 /* 703 * In all cases permitted cases, we are changing the egid. 704 * Copy credentials so other references do not see our changes. 705 */ 706 if (oldcred->cr_groups[0] != gid) { 707 change_egid(newcred, gid); 708 setsugid(p); 709 } 710 p->p_ucred = newcred; 711 crfree(oldcred); 712 done2: 713 mtx_unlock(&Giant); 714 return (error); 715 } 716 717 #ifndef _SYS_SYSPROTO_H_ 718 struct setegid_args { 719 gid_t egid; 720 }; 721 #endif 722 /* 723 * MPSAFE 724 */ 725 /* ARGSUSED */ 726 int 727 setegid(td, uap) 728 struct thread *td; 729 struct setegid_args *uap; 730 { 731 struct proc *p = td->td_proc; 732 struct ucred *newcred, *oldcred; 733 gid_t egid; 734 int error; 735 736 egid = uap->egid; 737 mtx_lock(&Giant); 738 error = 0; 739 oldcred = p->p_ucred; 740 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 741 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 742 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 743 goto done2; 744 newcred = crdup(oldcred); 745 if (oldcred->cr_groups[0] != egid) { 746 change_egid(newcred, egid); 747 setsugid(p); 748 } 749 p->p_ucred = newcred; 750 crfree(oldcred); 751 done2: 752 mtx_unlock(&Giant); 753 return (error); 754 } 755 756 #ifndef _SYS_SYSPROTO_H_ 757 struct setgroups_args { 758 u_int gidsetsize; 759 gid_t *gidset; 760 }; 761 #endif 762 /* 763 * MPSAFE 764 */ 765 /* ARGSUSED */ 766 int 767 setgroups(td, uap) 768 struct thread *td; 769 struct setgroups_args *uap; 770 { 771 struct proc *p = td->td_proc; 772 struct ucred *newcred, *oldcred; 773 u_int ngrp; 774 int error; 775 776 ngrp = uap->gidsetsize; 777 mtx_lock(&Giant); 778 oldcred = p->p_ucred; 779 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 780 goto done2; 781 if (ngrp > NGROUPS) { 782 error = EINVAL; 783 goto done2; 784 } 785 /* 786 * XXX A little bit lazy here. We could test if anything has 787 * changed before crcopy() and setting P_SUGID. 788 */ 789 newcred = crdup(oldcred); 790 if (ngrp < 1) { 791 /* 792 * setgroups(0, NULL) is a legitimate way of clearing the 793 * groups vector on non-BSD systems (which generally do not 794 * have the egid in the groups[0]). We risk security holes 795 * when running non-BSD software if we do not do the same. 796 */ 797 newcred->cr_ngroups = 1; 798 } else { 799 if ((error = copyin((caddr_t)uap->gidset, 800 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 801 crfree(newcred); 802 goto done2; 803 } 804 newcred->cr_ngroups = ngrp; 805 } 806 setsugid(p); 807 p->p_ucred = newcred; 808 crfree(oldcred); 809 done2: 810 mtx_unlock(&Giant); 811 return (error); 812 } 813 814 #ifndef _SYS_SYSPROTO_H_ 815 struct setreuid_args { 816 uid_t ruid; 817 uid_t euid; 818 }; 819 #endif 820 /* 821 * MPSAFE 822 */ 823 /* ARGSUSED */ 824 int 825 setreuid(td, uap) 826 register struct thread *td; 827 struct setreuid_args *uap; 828 { 829 struct proc *p = td->td_proc; 830 struct ucred *newcred, *oldcred; 831 uid_t euid, ruid; 832 int error; 833 834 euid = uap->euid; 835 ruid = uap->ruid; 836 mtx_lock(&Giant); 837 error = 0; 838 oldcred = p->p_ucred; 839 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 840 ruid != oldcred->cr_svuid) || 841 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 842 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 843 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 844 goto done2; 845 newcred = crdup(oldcred); 846 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 847 change_euid(newcred, euid); 848 setsugid(p); 849 } 850 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 851 change_ruid(newcred, ruid); 852 setsugid(p); 853 } 854 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 855 newcred->cr_svuid != newcred->cr_uid) { 856 change_svuid(newcred, newcred->cr_uid); 857 setsugid(p); 858 } 859 p->p_ucred = newcred; 860 crfree(oldcred); 861 done2: 862 mtx_unlock(&Giant); 863 return (error); 864 } 865 866 #ifndef _SYS_SYSPROTO_H_ 867 struct setregid_args { 868 gid_t rgid; 869 gid_t egid; 870 }; 871 #endif 872 /* 873 * MPSAFE 874 */ 875 /* ARGSUSED */ 876 int 877 setregid(td, uap) 878 register struct thread *td; 879 struct setregid_args *uap; 880 { 881 struct proc *p = td->td_proc; 882 struct ucred *newcred, *oldcred; 883 gid_t egid, rgid; 884 int error; 885 886 egid = uap->egid; 887 rgid = uap->rgid; 888 mtx_lock(&Giant); 889 error = 0; 890 oldcred = p->p_ucred; 891 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 892 rgid != oldcred->cr_svgid) || 893 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 894 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 895 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 896 goto done2; 897 newcred = crdup(oldcred); 898 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 899 change_egid(newcred, egid); 900 setsugid(p); 901 } 902 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 903 change_rgid(newcred, rgid); 904 setsugid(p); 905 } 906 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 907 newcred->cr_svgid != newcred->cr_groups[0]) { 908 change_svgid(newcred, newcred->cr_groups[0]); 909 setsugid(p); 910 } 911 p->p_ucred = newcred; 912 crfree(oldcred); 913 done2: 914 mtx_unlock(&Giant); 915 return (error); 916 } 917 918 /* 919 * setresuid(ruid, euid, suid) is like setreuid except control over the 920 * saved uid is explicit. 921 */ 922 923 #ifndef _SYS_SYSPROTO_H_ 924 struct setresuid_args { 925 uid_t ruid; 926 uid_t euid; 927 uid_t suid; 928 }; 929 #endif 930 /* 931 * MPSAFE 932 */ 933 /* ARGSUSED */ 934 int 935 setresuid(td, uap) 936 register struct thread *td; 937 struct setresuid_args *uap; 938 { 939 struct proc *p = td->td_proc; 940 struct ucred *newcred, *oldcred; 941 uid_t euid, ruid, suid; 942 int error; 943 944 euid = uap->euid; 945 ruid = uap->ruid; 946 suid = uap->suid; 947 mtx_lock(&Giant); 948 oldcred = p->p_ucred; 949 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 950 ruid != oldcred->cr_svuid && 951 ruid != oldcred->cr_uid) || 952 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 953 euid != oldcred->cr_svuid && 954 euid != oldcred->cr_uid) || 955 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 956 suid != oldcred->cr_svuid && 957 suid != oldcred->cr_uid)) && 958 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 959 goto done2; 960 newcred = crdup(oldcred); 961 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 962 change_euid(newcred, euid); 963 setsugid(p); 964 } 965 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 966 change_ruid(newcred, ruid); 967 setsugid(p); 968 } 969 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 970 change_svuid(newcred, suid); 971 setsugid(p); 972 } 973 p->p_ucred = newcred; 974 crfree(oldcred); 975 error = 0; 976 done2: 977 mtx_unlock(&Giant); 978 return (error); 979 } 980 981 /* 982 * setresgid(rgid, egid, sgid) is like setregid except control over the 983 * saved gid is explicit. 984 */ 985 986 #ifndef _SYS_SYSPROTO_H_ 987 struct setresgid_args { 988 gid_t rgid; 989 gid_t egid; 990 gid_t sgid; 991 }; 992 #endif 993 /* 994 * MPSAFE 995 */ 996 /* ARGSUSED */ 997 int 998 setresgid(td, uap) 999 register struct thread *td; 1000 struct setresgid_args *uap; 1001 { 1002 struct proc *p = td->td_proc; 1003 struct ucred *newcred, *oldcred; 1004 gid_t egid, rgid, sgid; 1005 int error; 1006 1007 egid = uap->egid; 1008 rgid = uap->rgid; 1009 sgid = uap->sgid; 1010 mtx_lock(&Giant); 1011 oldcred = p->p_ucred; 1012 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1013 rgid != oldcred->cr_svgid && 1014 rgid != oldcred->cr_groups[0]) || 1015 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1016 egid != oldcred->cr_svgid && 1017 egid != oldcred->cr_groups[0]) || 1018 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1019 sgid != oldcred->cr_svgid && 1020 sgid != oldcred->cr_groups[0])) && 1021 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1022 goto done2; 1023 newcred = crdup(oldcred); 1024 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1025 change_egid(newcred, egid); 1026 setsugid(p); 1027 } 1028 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1029 change_rgid(newcred, rgid); 1030 setsugid(p); 1031 } 1032 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1033 change_svgid(newcred, sgid); 1034 setsugid(p); 1035 } 1036 p->p_ucred = newcred; 1037 crfree(oldcred); 1038 error = 0; 1039 done2: 1040 mtx_unlock(&Giant); 1041 return (error); 1042 } 1043 1044 #ifndef _SYS_SYSPROTO_H_ 1045 struct getresuid_args { 1046 uid_t *ruid; 1047 uid_t *euid; 1048 uid_t *suid; 1049 }; 1050 #endif 1051 /* 1052 * MPSAFE 1053 */ 1054 /* ARGSUSED */ 1055 int 1056 getresuid(td, uap) 1057 register struct thread *td; 1058 struct getresuid_args *uap; 1059 { 1060 struct ucred *cred; 1061 struct proc *p = td->td_proc; 1062 int error1 = 0, error2 = 0, error3 = 0; 1063 1064 mtx_lock(&Giant); 1065 cred = p->p_ucred; 1066 if (uap->ruid) 1067 error1 = copyout((caddr_t)&cred->cr_ruid, 1068 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1069 if (uap->euid) 1070 error2 = copyout((caddr_t)&cred->cr_uid, 1071 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1072 if (uap->suid) 1073 error3 = copyout((caddr_t)&cred->cr_svuid, 1074 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1075 mtx_unlock(&Giant); 1076 return (error1 ? error1 : error2 ? error2 : error3); 1077 } 1078 1079 #ifndef _SYS_SYSPROTO_H_ 1080 struct getresgid_args { 1081 gid_t *rgid; 1082 gid_t *egid; 1083 gid_t *sgid; 1084 }; 1085 #endif 1086 /* 1087 * MPSAFE 1088 */ 1089 /* ARGSUSED */ 1090 int 1091 getresgid(td, uap) 1092 register struct thread *td; 1093 struct getresgid_args *uap; 1094 { 1095 struct ucred *cred; 1096 struct proc *p = td->td_proc; 1097 int error1 = 0, error2 = 0, error3 = 0; 1098 1099 mtx_lock(&Giant); 1100 cred = p->p_ucred; 1101 if (uap->rgid) 1102 error1 = copyout((caddr_t)&cred->cr_rgid, 1103 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1104 if (uap->egid) 1105 error2 = copyout((caddr_t)&cred->cr_groups[0], 1106 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1107 if (uap->sgid) 1108 error3 = copyout((caddr_t)&cred->cr_svgid, 1109 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1110 mtx_unlock(&Giant); 1111 return (error1 ? error1 : error2 ? error2 : error3); 1112 } 1113 1114 #ifndef _SYS_SYSPROTO_H_ 1115 struct issetugid_args { 1116 int dummy; 1117 }; 1118 #endif 1119 /* 1120 * NOT MPSAFE? 1121 */ 1122 /* ARGSUSED */ 1123 int 1124 issetugid(td, uap) 1125 register struct thread *td; 1126 struct issetugid_args *uap; 1127 { 1128 struct proc *p = td->td_proc; 1129 1130 /* 1131 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1132 * we use P_SUGID because we consider changing the owners as 1133 * "tainting" as well. 1134 * This is significant for procs that start as root and "become" 1135 * a user without an exec - programs cannot know *everything* 1136 * that libc *might* have put in their data segment. 1137 */ 1138 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1139 return (0); 1140 } 1141 1142 /* 1143 * MPSAFE 1144 */ 1145 int 1146 __setugid(td, uap) 1147 struct thread *td; 1148 struct __setugid_args *uap; 1149 { 1150 #ifdef REGRESSION 1151 int error; 1152 1153 mtx_lock(&Giant); 1154 error = 0; 1155 switch (uap->flag) { 1156 case 0: 1157 td->td_proc->p_flag &= ~P_SUGID; 1158 break; 1159 case 1: 1160 td->td_proc->p_flag |= P_SUGID; 1161 break; 1162 default: 1163 error = EINVAL; 1164 break; 1165 } 1166 mtx_unlock(&Giant); 1167 return (error); 1168 #else /* !REGRESSION */ 1169 1170 return (ENOSYS); 1171 #endif /* REGRESSION */ 1172 } 1173 1174 /* 1175 * Check if gid is a member of the group set. 1176 */ 1177 int 1178 groupmember(gid, cred) 1179 gid_t gid; 1180 struct ucred *cred; 1181 { 1182 register gid_t *gp; 1183 gid_t *egp; 1184 1185 egp = &(cred->cr_groups[cred->cr_ngroups]); 1186 for (gp = cred->cr_groups; gp < egp; gp++) 1187 if (*gp == gid) 1188 return (1); 1189 return (0); 1190 } 1191 1192 /* 1193 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1194 * sysctl) determines whether the system 'super-user' policy is in effect. 1195 * If it is nonzero, an effective uid of 0 connotes special privilege, 1196 * overriding many mandatory and discretionary protections. If it is zero, 1197 * uid 0 is offered no special privilege in the kernel security policy. 1198 * Setting it to zero may seriously impact the functionality of many 1199 * existing userland programs, and should not be done without careful 1200 * consideration of the consequences. 1201 */ 1202 int suser_enabled = 1; 1203 SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1204 &suser_enabled, 0, "processes with uid 0 have privilege"); 1205 TUNABLE_INT("kern.security.bsd.suser_enabled", &suser_enabled); 1206 1207 /* 1208 * Test whether the specified credentials imply "super-user" privilege. 1209 * Return 0 or EPERM. 1210 */ 1211 int 1212 suser(p) 1213 struct proc *p; 1214 { 1215 1216 return (suser_xxx(0, p, 0)); 1217 } 1218 1219 /* 1220 * version for when the thread pointer is available and not the proc. 1221 * (saves having to include proc.h into every file that needs to do the change.) 1222 */ 1223 int 1224 suser_td(td) 1225 struct thread *td; 1226 { 1227 return (suser_xxx(0, td->td_proc, 0)); 1228 } 1229 1230 /* 1231 * wrapper to use if you have the thread on hand but not the proc. 1232 */ 1233 int 1234 suser_xxx_td(cred, td, flag) 1235 struct ucred *cred; 1236 struct thread *td; 1237 int flag; 1238 { 1239 return(suser_xxx(cred, td->td_proc, flag)); 1240 } 1241 1242 int 1243 suser_xxx(cred, proc, flag) 1244 struct ucred *cred; 1245 struct proc *proc; 1246 int flag; 1247 { 1248 if (!suser_enabled) 1249 return (EPERM); 1250 if (!cred && !proc) { 1251 printf("suser_xxx(): THINK!\n"); 1252 return (EPERM); 1253 } 1254 if (cred == NULL) 1255 cred = proc->p_ucred; 1256 if (cred->cr_uid != 0) 1257 return (EPERM); 1258 if (jailed(cred) && !(flag & PRISON_ROOT)) 1259 return (EPERM); 1260 return (0); 1261 } 1262 1263 /* 1264 * Test the active securelevel against a given level. securelevel_gt() 1265 * implements (securelevel > level). securelevel_ge() implements 1266 * (securelevel >= level). Note that the logic is inverted -- these 1267 * functions return EPERM on "success" and 0 on "failure". 1268 * 1269 * cr is permitted to be NULL for the time being, as there were some 1270 * existing securelevel checks that occurred without a process/credential 1271 * context. In the future this will be disallowed, so a kernel message 1272 * is displayed. 1273 */ 1274 int 1275 securelevel_gt(struct ucred *cr, int level) 1276 { 1277 int active_securelevel; 1278 1279 active_securelevel = securelevel; 1280 if (cr == NULL) 1281 printf("securelevel_gt: cr is NULL\n"); 1282 if (cr->cr_prison != NULL) { 1283 mtx_lock(&cr->cr_prison->pr_mtx); 1284 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1285 active_securelevel); 1286 mtx_unlock(&cr->cr_prison->pr_mtx); 1287 } 1288 return (active_securelevel > level ? EPERM : 0); 1289 } 1290 1291 int 1292 securelevel_ge(struct ucred *cr, int level) 1293 { 1294 int active_securelevel; 1295 1296 active_securelevel = securelevel; 1297 if (cr == NULL) 1298 printf("securelevel_gt: cr is NULL\n"); 1299 if (cr->cr_prison != NULL) { 1300 mtx_lock(&cr->cr_prison->pr_mtx); 1301 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1302 active_securelevel); 1303 mtx_unlock(&cr->cr_prison->pr_mtx); 1304 } 1305 return (active_securelevel >= level ? EPERM : 0); 1306 } 1307 1308 /* 1309 * 'see_other_uids' determines whether or not visibility of processes 1310 * and sockets with credentials holding different real uids is possible 1311 * using a variety of system MIBs. 1312 * XXX: data declarations should be together near the beginning of the file. 1313 */ 1314 static int see_other_uids = 1; 1315 SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1316 &see_other_uids, 0, 1317 "Unprivileged processes may see subjects/objects with different real uid"); 1318 1319 /*- 1320 * Determine if u1 "can see" the subject specified by u2. 1321 * Returns: 0 for permitted, an errno value otherwise 1322 * Locks: none 1323 * References: *u1 and *u2 must not change during the call 1324 * u1 may equal u2, in which case only one reference is required 1325 */ 1326 int 1327 cr_cansee(struct ucred *u1, struct ucred *u2) 1328 { 1329 int error; 1330 1331 if ((error = prison_check(u1, u2))) 1332 return (error); 1333 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1334 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1335 return (ESRCH); 1336 } 1337 return (0); 1338 } 1339 1340 /*- 1341 * Determine if p1 "can see" the subject specified by p2. 1342 * Returns: 0 for permitted, an errno value otherwise 1343 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1344 * be held. Normally, p1 will be curproc, and a lock must be held 1345 * for p2. 1346 * References: p1 and p2 must be valid for the lifetime of the call 1347 */ 1348 int 1349 p_cansee(struct proc *p1, struct proc *p2) 1350 { 1351 1352 /* Wrap cr_cansee() for all functionality. */ 1353 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1354 } 1355 1356 /*- 1357 * Determine whether p1 may deliver the specified signal to p2. 1358 * Returns: 0 for permitted, an errno value otherwise 1359 * Locks: Sufficient locks to protect various components of p1 and p2 1360 * must be held. Normally, p1 will be curproc, and a lock must 1361 * be held for p2. 1362 * References: p1 and p2 must be valid for the lifetime of the call 1363 */ 1364 int 1365 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1366 { 1367 int error; 1368 1369 if (p1 == p2) 1370 return (0); 1371 1372 /* 1373 * Jail semantics limit the scope of signalling to p2 in the same 1374 * jail as p1, if p1 is in jail. 1375 */ 1376 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1377 return (error); 1378 1379 /* 1380 * UNIX signalling semantics require that processes in the same 1381 * session always be able to deliver SIGCONT to one another, 1382 * overriding the remaining protections. 1383 */ 1384 if (signum == SIGCONT && p1->p_session == p2->p_session) 1385 return (0); 1386 1387 /* 1388 * UNIX signal semantics depend on the status of the P_SUGID 1389 * bit on the target process. If the bit is set, then additional 1390 * restrictions are placed on the set of available signals. 1391 */ 1392 if (p2->p_flag & P_SUGID) { 1393 switch (signum) { 1394 case 0: 1395 case SIGKILL: 1396 case SIGINT: 1397 case SIGTERM: 1398 case SIGSTOP: 1399 case SIGTTIN: 1400 case SIGTTOU: 1401 case SIGTSTP: 1402 case SIGHUP: 1403 case SIGUSR1: 1404 case SIGUSR2: 1405 /* 1406 * Generally, permit job and terminal control 1407 * signals. 1408 */ 1409 break; 1410 default: 1411 /* Not permitted, privilege is required. */ 1412 error = suser_xxx(NULL, p1, PRISON_ROOT); 1413 if (error) 1414 return (error); 1415 } 1416 } 1417 1418 /* 1419 * Generally, the target credential's ruid or svuid must match the 1420 * subject credential's ruid or euid. 1421 */ 1422 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1423 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1424 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1425 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1426 /* Not permitted, try privilege. */ 1427 error = suser_xxx(NULL, p1, PRISON_ROOT); 1428 if (error) 1429 return (error); 1430 } 1431 1432 return (0); 1433 } 1434 1435 /*- 1436 * Determine whether p1 may reschedule p2. 1437 * Returns: 0 for permitted, an errno value otherwise 1438 * Locks: Sufficient locks to protect various components of p1 and p2 1439 * must be held. Normally, p1 will be curproc, and a lock must 1440 * be held for p2. 1441 * References: p1 and p2 must be valid for the lifetime of the call 1442 */ 1443 int 1444 p_cansched(struct proc *p1, struct proc *p2) 1445 { 1446 int error; 1447 1448 if (p1 == p2) 1449 return (0); 1450 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1451 return (error); 1452 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1453 return (0); 1454 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1455 return (0); 1456 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1457 return (0); 1458 1459 #ifdef CAPABILITIES 1460 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1461 return (0); 1462 #endif 1463 1464 return (EPERM); 1465 } 1466 1467 /* 1468 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1469 * unprivileged inter-process debugging services, including some procfs 1470 * functionality, ptrace(), and ktrace(). In the past, inter-process 1471 * debugging has been involved in a variety of security problems, and sites 1472 * not requiring the service might choose to disable it when hardening 1473 * systems. 1474 * 1475 * XXX: Should modifying and reading this variable require locking? 1476 * XXX: data declarations should be together near the beginning of the file. 1477 */ 1478 static int unprivileged_proc_debug = 1; 1479 SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1480 &unprivileged_proc_debug, 0, 1481 "Unprivileged processes may use process debugging facilities"); 1482 1483 /*- 1484 * Determine whether p1 may debug p2. 1485 * Returns: 0 for permitted, an errno value otherwise 1486 * Locks: Sufficient locks to protect various components of p1 and p2 1487 * must be held. Normally, p1 will be curproc, and a lock must 1488 * be held for p2. 1489 * References: p1 and p2 must be valid for the lifetime of the call 1490 */ 1491 int 1492 p_candebug(struct proc *p1, struct proc *p2) 1493 { 1494 int credentialchanged, error, grpsubset, i, uidsubset; 1495 1496 if (!unprivileged_proc_debug) { 1497 error = suser_xxx(NULL, p1, PRISON_ROOT); 1498 if (error) 1499 return (error); 1500 } 1501 if (p1 == p2) 1502 return (0); 1503 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1504 return (error); 1505 1506 /* 1507 * Is p2's group set a subset of p1's effective group set? This 1508 * includes p2's egid, group access list, rgid, and svgid. 1509 */ 1510 grpsubset = 1; 1511 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1512 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1513 grpsubset = 0; 1514 break; 1515 } 1516 } 1517 grpsubset = grpsubset && 1518 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1519 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1520 1521 /* 1522 * Are the uids present in p2's credential equal to p1's 1523 * effective uid? This includes p2's euid, svuid, and ruid. 1524 */ 1525 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1526 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1527 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1528 1529 /* 1530 * Has the credential of the process changed since the last exec()? 1531 */ 1532 credentialchanged = (p2->p_flag & P_SUGID); 1533 1534 /* 1535 * If p2's gids aren't a subset, or the uids aren't a subset, 1536 * or the credential has changed, require appropriate privilege 1537 * for p1 to debug p2. For POSIX.1e capabilities, this will 1538 * require CAP_SYS_PTRACE. 1539 */ 1540 if (!grpsubset || !uidsubset || credentialchanged) { 1541 error = suser_xxx(NULL, p1, PRISON_ROOT); 1542 if (error) 1543 return (error); 1544 } 1545 1546 /* Can't trace init when securelevel > 0. */ 1547 if (p2 == initproc) { 1548 error = securelevel_gt(p1->p_ucred, 0); 1549 if (error) 1550 return (error); 1551 } 1552 1553 /* 1554 * Can't trace a process that's currently exec'ing. 1555 * XXX: Note, this is not a security policy decision, it's a 1556 * basic correctness/functionality decision. Therefore, this check 1557 * should be moved to the caller's of p_candebug(). 1558 */ 1559 if ((p2->p_flag & P_INEXEC) != 0) 1560 return (EAGAIN); 1561 1562 return (0); 1563 } 1564 1565 /* 1566 * Allocate a zeroed cred structure. 1567 */ 1568 struct ucred * 1569 crget() 1570 { 1571 register struct ucred *cr; 1572 1573 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1574 cr->cr_ref = 1; 1575 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1576 return (cr); 1577 } 1578 1579 /* 1580 * Claim another reference to a ucred structure. 1581 */ 1582 struct ucred * 1583 crhold(cr) 1584 struct ucred *cr; 1585 { 1586 1587 mtx_lock(&cr->cr_mtx); 1588 cr->cr_ref++; 1589 mtx_unlock(&cr->cr_mtx); 1590 return (cr); 1591 } 1592 1593 /* 1594 * Free a cred structure. 1595 * Throws away space when ref count gets to 0. 1596 */ 1597 void 1598 crfree(cr) 1599 struct ucred *cr; 1600 { 1601 1602 mtx_lock(&cr->cr_mtx); 1603 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1604 if (--cr->cr_ref == 0) { 1605 mtx_destroy(&cr->cr_mtx); 1606 /* 1607 * Some callers of crget(), such as nfs_statfs(), 1608 * allocate a temporary credential, but don't 1609 * allocate a uidinfo structure. 1610 */ 1611 if (cr->cr_uidinfo != NULL) 1612 uifree(cr->cr_uidinfo); 1613 if (cr->cr_ruidinfo != NULL) 1614 uifree(cr->cr_ruidinfo); 1615 /* 1616 * Free a prison, if any. 1617 */ 1618 if (jailed(cr)) 1619 prison_free(cr->cr_prison); 1620 FREE((caddr_t)cr, M_CRED); 1621 } else 1622 mtx_unlock(&cr->cr_mtx); 1623 } 1624 1625 /* 1626 * Check to see if this ucred is shared. 1627 */ 1628 int 1629 crshared(cr) 1630 struct ucred *cr; 1631 { 1632 int shared; 1633 1634 mtx_lock(&cr->cr_mtx); 1635 shared = (cr->cr_ref > 1); 1636 mtx_unlock(&cr->cr_mtx); 1637 return (shared); 1638 } 1639 1640 /* 1641 * Copy a ucred's contents from a template. Does not block. 1642 */ 1643 void 1644 crcopy(dest, src) 1645 struct ucred *dest, *src; 1646 { 1647 1648 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1649 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1650 (unsigned)((caddr_t)&src->cr_endcopy - 1651 (caddr_t)&src->cr_startcopy)); 1652 uihold(dest->cr_uidinfo); 1653 uihold(dest->cr_ruidinfo); 1654 if (jailed(dest)) 1655 prison_hold(dest->cr_prison); 1656 } 1657 1658 /* 1659 * Dup cred struct to a new held one. 1660 */ 1661 struct ucred * 1662 crdup(cr) 1663 struct ucred *cr; 1664 { 1665 struct ucred *newcr; 1666 1667 newcr = crget(); 1668 crcopy(newcr, cr); 1669 return (newcr); 1670 } 1671 1672 /* 1673 * Get login name, if available. 1674 */ 1675 #ifndef _SYS_SYSPROTO_H_ 1676 struct getlogin_args { 1677 char *namebuf; 1678 u_int namelen; 1679 }; 1680 #endif 1681 /* 1682 * MPSAFE 1683 */ 1684 /* ARGSUSED */ 1685 int 1686 getlogin(td, uap) 1687 struct thread *td; 1688 struct getlogin_args *uap; 1689 { 1690 int error; 1691 struct proc *p = td->td_proc; 1692 1693 mtx_lock(&Giant); 1694 if (uap->namelen > MAXLOGNAME) 1695 uap->namelen = MAXLOGNAME; 1696 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1697 (caddr_t) uap->namebuf, uap->namelen); 1698 mtx_unlock(&Giant); 1699 return(error); 1700 } 1701 1702 /* 1703 * Set login name. 1704 */ 1705 #ifndef _SYS_SYSPROTO_H_ 1706 struct setlogin_args { 1707 char *namebuf; 1708 }; 1709 #endif 1710 /* 1711 * MPSAFE 1712 */ 1713 /* ARGSUSED */ 1714 int 1715 setlogin(td, uap) 1716 struct thread *td; 1717 struct setlogin_args *uap; 1718 { 1719 struct proc *p = td->td_proc; 1720 int error; 1721 char logintmp[MAXLOGNAME]; 1722 1723 mtx_lock(&Giant); 1724 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0) 1725 goto done2; 1726 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1727 sizeof(logintmp), (size_t *)0); 1728 if (error == ENAMETOOLONG) 1729 error = EINVAL; 1730 else if (!error) 1731 (void)memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1732 sizeof(logintmp)); 1733 done2: 1734 mtx_unlock(&Giant); 1735 return (error); 1736 } 1737 1738 void 1739 setsugid(p) 1740 struct proc *p; 1741 { 1742 p->p_flag |= P_SUGID; 1743 if (!(p->p_pfsflags & PF_ISUGID)) 1744 p->p_stops = 0; 1745 } 1746 1747 /*- 1748 * Change a process's effective uid. 1749 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1750 * References: newcred must be an exclusive credential reference for the 1751 * duration of the call. 1752 */ 1753 void 1754 change_euid(newcred, euid) 1755 struct ucred *newcred; 1756 uid_t euid; 1757 { 1758 1759 newcred->cr_uid = euid; 1760 uifree(newcred->cr_uidinfo); 1761 newcred->cr_uidinfo = uifind(euid); 1762 } 1763 1764 /*- 1765 * Change a process's effective gid. 1766 * Side effects: newcred->cr_gid will be modified. 1767 * References: newcred must be an exclusive credential reference for the 1768 * duration of the call. 1769 */ 1770 void 1771 change_egid(newcred, egid) 1772 struct ucred *newcred; 1773 gid_t egid; 1774 { 1775 1776 newcred->cr_groups[0] = egid; 1777 } 1778 1779 /*- 1780 * Change a process's real uid. 1781 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1782 * will be updated, and the old and new cr_ruidinfo proc 1783 * counts will be updated. 1784 * References: newcred must be an exclusive credential reference for the 1785 * duration of the call. 1786 */ 1787 void 1788 change_ruid(newcred, ruid) 1789 struct ucred *newcred; 1790 uid_t ruid; 1791 { 1792 1793 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1794 newcred->cr_ruid = ruid; 1795 uifree(newcred->cr_ruidinfo); 1796 newcred->cr_ruidinfo = uifind(ruid); 1797 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1798 } 1799 1800 /*- 1801 * Change a process's real gid. 1802 * Side effects: newcred->cr_rgid will be updated. 1803 * References: newcred must be an exclusive credential reference for the 1804 * duration of the call. 1805 */ 1806 void 1807 change_rgid(newcred, rgid) 1808 struct ucred *newcred; 1809 gid_t rgid; 1810 { 1811 1812 newcred->cr_rgid = rgid; 1813 } 1814 1815 /*- 1816 * Change a process's saved uid. 1817 * Side effects: newcred->cr_svuid will be updated. 1818 * References: newcred must be an exclusive credential reference for the 1819 * duration of the call. 1820 */ 1821 void 1822 change_svuid(newcred, svuid) 1823 struct ucred *newcred; 1824 uid_t svuid; 1825 { 1826 1827 newcred->cr_svuid = svuid; 1828 } 1829 1830 /*- 1831 * Change a process's saved gid. 1832 * Side effects: newcred->cr_svgid will be updated. 1833 * References: newcred must be an exclusive credential reference for the 1834 * duration of the call. 1835 */ 1836 void 1837 change_svgid(newcred, svgid) 1838 struct ucred *newcred; 1839 gid_t svgid; 1840 { 1841 1842 newcred->cr_svgid = svgid; 1843 } 1844