1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/abi_compat.h> 51 #include <sys/acct.h> 52 #include <sys/kdb.h> 53 #include <sys/kernel.h> 54 #include <sys/libkern.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef MAC 78 #include <security/mac/mac_syscalls.h> 79 #endif 80 81 #include <vm/uma.h> 82 83 #ifdef REGRESSION 84 FEATURE(regression, 85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 86 #endif 87 88 #include <security/audit/audit.h> 89 #include <security/mac/mac_framework.h> 90 91 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 92 93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 94 "BSD security policy"); 95 96 static void crfree_final(struct ucred *cr); 97 98 static inline void 99 groups_check_positive_len(int ngrp) 100 { 101 MPASS2(ngrp >= 0, "negative number of groups"); 102 } 103 static inline void 104 groups_check_max_len(int ngrp) 105 { 106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups"); 107 } 108 109 static void groups_normalize(int *ngrp, gid_t *groups); 110 static void crsetgroups_internal(struct ucred *cr, int ngrp, 111 const gid_t *groups); 112 113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 116 117 #ifndef _SYS_SYSPROTO_H_ 118 struct getpid_args { 119 int dummy; 120 }; 121 #endif 122 /* ARGSUSED */ 123 int 124 sys_getpid(struct thread *td, struct getpid_args *uap) 125 { 126 struct proc *p = td->td_proc; 127 128 td->td_retval[0] = p->p_pid; 129 #if defined(COMPAT_43) 130 if (SV_PROC_FLAG(p, SV_AOUT)) 131 td->td_retval[1] = kern_getppid(td); 132 #endif 133 return (0); 134 } 135 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getppid_args { 138 int dummy; 139 }; 140 #endif 141 /* ARGSUSED */ 142 int 143 sys_getppid(struct thread *td, struct getppid_args *uap) 144 { 145 146 td->td_retval[0] = kern_getppid(td); 147 return (0); 148 } 149 150 int 151 kern_getppid(struct thread *td) 152 { 153 struct proc *p = td->td_proc; 154 155 return (p->p_oppid); 156 } 157 158 /* 159 * Get process group ID; note that POSIX getpgrp takes no parameter. 160 */ 161 #ifndef _SYS_SYSPROTO_H_ 162 struct getpgrp_args { 163 int dummy; 164 }; 165 #endif 166 int 167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 168 { 169 struct proc *p = td->td_proc; 170 171 PROC_LOCK(p); 172 td->td_retval[0] = p->p_pgrp->pg_id; 173 PROC_UNLOCK(p); 174 return (0); 175 } 176 177 /* Get an arbitrary pid's process group id */ 178 #ifndef _SYS_SYSPROTO_H_ 179 struct getpgid_args { 180 pid_t pid; 181 }; 182 #endif 183 int 184 sys_getpgid(struct thread *td, struct getpgid_args *uap) 185 { 186 struct proc *p; 187 int error; 188 189 if (uap->pid == 0) { 190 p = td->td_proc; 191 PROC_LOCK(p); 192 } else { 193 p = pfind(uap->pid); 194 if (p == NULL) 195 return (ESRCH); 196 error = p_cansee(td, p); 197 if (error) { 198 PROC_UNLOCK(p); 199 return (error); 200 } 201 } 202 td->td_retval[0] = p->p_pgrp->pg_id; 203 PROC_UNLOCK(p); 204 return (0); 205 } 206 207 /* 208 * Get an arbitrary pid's session id. 209 */ 210 #ifndef _SYS_SYSPROTO_H_ 211 struct getsid_args { 212 pid_t pid; 213 }; 214 #endif 215 int 216 sys_getsid(struct thread *td, struct getsid_args *uap) 217 { 218 219 return (kern_getsid(td, uap->pid)); 220 } 221 222 int 223 kern_getsid(struct thread *td, pid_t pid) 224 { 225 struct proc *p; 226 int error; 227 228 if (pid == 0) { 229 p = td->td_proc; 230 PROC_LOCK(p); 231 } else { 232 p = pfind(pid); 233 if (p == NULL) 234 return (ESRCH); 235 error = p_cansee(td, p); 236 if (error) { 237 PROC_UNLOCK(p); 238 return (error); 239 } 240 } 241 td->td_retval[0] = p->p_session->s_sid; 242 PROC_UNLOCK(p); 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getuid_args { 248 int dummy; 249 }; 250 #endif 251 /* ARGSUSED */ 252 int 253 sys_getuid(struct thread *td, struct getuid_args *uap) 254 { 255 256 td->td_retval[0] = td->td_ucred->cr_ruid; 257 #if defined(COMPAT_43) 258 td->td_retval[1] = td->td_ucred->cr_uid; 259 #endif 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct geteuid_args { 265 int dummy; 266 }; 267 #endif 268 /* ARGSUSED */ 269 int 270 sys_geteuid(struct thread *td, struct geteuid_args *uap) 271 { 272 273 td->td_retval[0] = td->td_ucred->cr_uid; 274 return (0); 275 } 276 277 #ifndef _SYS_SYSPROTO_H_ 278 struct getgid_args { 279 int dummy; 280 }; 281 #endif 282 /* ARGSUSED */ 283 int 284 sys_getgid(struct thread *td, struct getgid_args *uap) 285 { 286 287 td->td_retval[0] = td->td_ucred->cr_rgid; 288 #if defined(COMPAT_43) 289 td->td_retval[1] = td->td_ucred->cr_gid; 290 #endif 291 return (0); 292 } 293 294 #ifndef _SYS_SYSPROTO_H_ 295 struct getegid_args { 296 int dummy; 297 }; 298 #endif 299 /* ARGSUSED */ 300 int 301 sys_getegid(struct thread *td, struct getegid_args *uap) 302 { 303 304 td->td_retval[0] = td->td_ucred->cr_gid; 305 return (0); 306 } 307 308 #ifdef COMPAT_FREEBSD14 309 int 310 freebsd14_getgroups(struct thread *td, struct freebsd14_getgroups_args *uap) 311 { 312 struct ucred *cred; 313 int ngrp, error; 314 315 cred = td->td_ucred; 316 317 /* 318 * For FreeBSD < 15.0, we account for the egid being placed at the 319 * beginning of the group list prior to all supplementary groups. 320 */ 321 ngrp = cred->cr_ngroups + 1; 322 if (uap->gidsetsize == 0) { 323 error = 0; 324 goto out; 325 } else if (uap->gidsetsize < ngrp) { 326 return (EINVAL); 327 } 328 329 error = copyout(&cred->cr_gid, uap->gidset, sizeof(gid_t)); 330 if (error == 0) 331 error = copyout(cred->cr_groups, uap->gidset + 1, 332 (ngrp - 1) * sizeof(gid_t)); 333 334 out: 335 td->td_retval[0] = ngrp; 336 return (error); 337 338 } 339 #endif /* COMPAT_FREEBSD14 */ 340 341 #ifndef _SYS_SYSPROTO_H_ 342 struct getgroups_args { 343 int gidsetsize; 344 gid_t *gidset; 345 }; 346 #endif 347 int 348 sys_getgroups(struct thread *td, struct getgroups_args *uap) 349 { 350 struct ucred *cred; 351 int ngrp, error; 352 353 cred = td->td_ucred; 354 355 ngrp = cred->cr_ngroups; 356 if (uap->gidsetsize == 0) { 357 error = 0; 358 goto out; 359 } 360 if (uap->gidsetsize < ngrp) 361 return (EINVAL); 362 363 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 364 out: 365 td->td_retval[0] = ngrp; 366 return (error); 367 } 368 369 #ifndef _SYS_SYSPROTO_H_ 370 struct setsid_args { 371 int dummy; 372 }; 373 #endif 374 /* ARGSUSED */ 375 int 376 sys_setsid(struct thread *td, struct setsid_args *uap) 377 { 378 struct pgrp *pgrp; 379 int error; 380 struct proc *p = td->td_proc; 381 struct pgrp *newpgrp; 382 struct session *newsess; 383 384 pgrp = NULL; 385 386 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 387 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 388 389 again: 390 error = 0; 391 sx_xlock(&proctree_lock); 392 393 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 394 if (pgrp != NULL) 395 PGRP_UNLOCK(pgrp); 396 error = EPERM; 397 } else { 398 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 399 if (error == ERESTART) 400 goto again; 401 MPASS(error == 0); 402 td->td_retval[0] = p->p_pid; 403 newpgrp = NULL; 404 newsess = NULL; 405 } 406 407 sx_xunlock(&proctree_lock); 408 409 uma_zfree(pgrp_zone, newpgrp); 410 free(newsess, M_SESSION); 411 412 return (error); 413 } 414 415 /* 416 * set process group (setpgid/old setpgrp) 417 * 418 * caller does setpgid(targpid, targpgid) 419 * 420 * pid must be caller or child of caller (ESRCH) 421 * if a child 422 * pid must be in same session (EPERM) 423 * pid can't have done an exec (EACCES) 424 * if pgid != pid 425 * there must exist some pid in same session having pgid (EPERM) 426 * pid must not be session leader (EPERM) 427 */ 428 #ifndef _SYS_SYSPROTO_H_ 429 struct setpgid_args { 430 int pid; /* target process id */ 431 int pgid; /* target pgrp id */ 432 }; 433 #endif 434 /* ARGSUSED */ 435 int 436 sys_setpgid(struct thread *td, struct setpgid_args *uap) 437 { 438 struct proc *curp = td->td_proc; 439 struct proc *targp; /* target process */ 440 struct pgrp *pgrp; /* target pgrp */ 441 int error; 442 struct pgrp *newpgrp; 443 444 if (uap->pgid < 0) 445 return (EINVAL); 446 447 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 448 449 again: 450 error = 0; 451 452 sx_xlock(&proctree_lock); 453 if (uap->pid != 0 && uap->pid != curp->p_pid) { 454 if ((targp = pfind(uap->pid)) == NULL) { 455 error = ESRCH; 456 goto done; 457 } 458 if (!inferior(targp)) { 459 PROC_UNLOCK(targp); 460 error = ESRCH; 461 goto done; 462 } 463 if ((error = p_cansee(td, targp))) { 464 PROC_UNLOCK(targp); 465 goto done; 466 } 467 if (targp->p_pgrp == NULL || 468 targp->p_session != curp->p_session) { 469 PROC_UNLOCK(targp); 470 error = EPERM; 471 goto done; 472 } 473 if (targp->p_flag & P_EXEC) { 474 PROC_UNLOCK(targp); 475 error = EACCES; 476 goto done; 477 } 478 PROC_UNLOCK(targp); 479 } else 480 targp = curp; 481 if (SESS_LEADER(targp)) { 482 error = EPERM; 483 goto done; 484 } 485 if (uap->pgid == 0) 486 uap->pgid = targp->p_pid; 487 if ((pgrp = pgfind(uap->pgid)) == NULL) { 488 if (uap->pgid == targp->p_pid) { 489 error = enterpgrp(targp, uap->pgid, newpgrp, 490 NULL); 491 if (error == 0) 492 newpgrp = NULL; 493 } else 494 error = EPERM; 495 } else { 496 if (pgrp == targp->p_pgrp) { 497 PGRP_UNLOCK(pgrp); 498 goto done; 499 } 500 if (pgrp->pg_id != targp->p_pid && 501 pgrp->pg_session != curp->p_session) { 502 PGRP_UNLOCK(pgrp); 503 error = EPERM; 504 goto done; 505 } 506 PGRP_UNLOCK(pgrp); 507 error = enterthispgrp(targp, pgrp); 508 } 509 done: 510 KASSERT(error == 0 || newpgrp != NULL, 511 ("setpgid failed and newpgrp is NULL")); 512 if (error == ERESTART) 513 goto again; 514 sx_xunlock(&proctree_lock); 515 uma_zfree(pgrp_zone, newpgrp); 516 return (error); 517 } 518 519 static int 520 gidp_cmp(const void *p1, const void *p2) 521 { 522 const gid_t g1 = *(const gid_t *)p1; 523 const gid_t g2 = *(const gid_t *)p2; 524 525 return ((g1 > g2) - (g1 < g2)); 526 } 527 528 /* 529 * Final storage for supplementary groups will be returned via 'groups'. 530 * '*groups' must be NULL on input, and if not equal to 'smallgroups' 531 * on output, must be freed (M_TEMP) *even if* an error is returned. 532 */ 533 static int 534 kern_setcred_copyin_supp_groups(struct setcred *const wcred, 535 const u_int flags, gid_t *const smallgroups, gid_t **const groups) 536 { 537 MPASS(*groups == NULL); 538 539 if (flags & SETCREDF_SUPP_GROUPS) { 540 int error; 541 542 /* 543 * Check for the limit for number of groups right now in order 544 * to limit the amount of bytes to copy. 545 */ 546 if (wcred->sc_supp_groups_nb > ngroups_max) 547 return (EINVAL); 548 549 /* 550 * Since we are going to be copying the supplementary groups 551 * from userland, make room also for the effective GID right 552 * now, to avoid having to allocate and copy again the 553 * supplementary groups. 554 */ 555 *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? 556 smallgroups : malloc(wcred->sc_supp_groups_nb * 557 sizeof(*groups), M_TEMP, M_WAITOK); 558 559 error = copyin(wcred->sc_supp_groups, *groups, 560 wcred->sc_supp_groups_nb * sizeof(*groups)); 561 if (error != 0) 562 return (error); 563 wcred->sc_supp_groups = *groups; 564 } else { 565 wcred->sc_supp_groups_nb = 0; 566 wcred->sc_supp_groups = NULL; 567 } 568 569 return (0); 570 } 571 572 int 573 user_setcred(struct thread *td, const u_int flags, 574 const void *const uwcred, const size_t size, bool is_32bit) 575 { 576 struct setcred wcred; 577 #ifdef MAC 578 struct mac mac; 579 /* Pointer to 'struct mac' or 'struct mac32'. */ 580 void *umac; 581 #endif 582 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 583 gid_t *groups = NULL; 584 int error; 585 586 /* 587 * As the only point of this wrapper function is to copyin() from 588 * userland, we only interpret the data pieces we need to perform this 589 * operation and defer further sanity checks to kern_setcred(), except 590 * that we redundantly check here that no unknown flags have been 591 * passed. 592 */ 593 if ((flags & ~SETCREDF_MASK) != 0) 594 return (EINVAL); 595 596 #ifdef COMPAT_FREEBSD32 597 if (is_32bit) { 598 struct setcred32 wcred32; 599 600 if (size != sizeof(wcred32)) 601 return (EINVAL); 602 error = copyin(uwcred, &wcred32, sizeof(wcred32)); 603 if (error != 0) 604 return (error); 605 /* These fields have exactly the same sizes and positions. */ 606 memcpy(&wcred, &wcred32, __rangeof(struct setcred32, 607 setcred32_copy_start, setcred32_copy_end)); 608 /* Remaining fields are pointers and need PTRIN*(). */ 609 PTRIN_CP(wcred32, wcred, sc_supp_groups); 610 PTRIN_CP(wcred32, wcred, sc_label); 611 } else 612 #endif /* COMPAT_FREEBSD32 */ 613 { 614 if (size != sizeof(wcred)) 615 return (EINVAL); 616 error = copyin(uwcred, &wcred, sizeof(wcred)); 617 if (error != 0) 618 return (error); 619 } 620 #ifdef MAC 621 umac = wcred.sc_label; 622 #endif 623 /* Also done on !MAC as a defensive measure. */ 624 wcred.sc_label = NULL; 625 626 /* 627 * Copy supplementary groups as needed. There is no specific 628 * alternative for 32-bit compatibility as 'gid_t' has the same size 629 * everywhere. 630 */ 631 error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups, 632 &groups); 633 if (error != 0) 634 goto free_groups; 635 636 #ifdef MAC 637 if ((flags & SETCREDF_MAC_LABEL) != 0) { 638 #ifdef COMPAT_FREEBSD32 639 if (is_32bit) 640 error = mac_label_copyin32(umac, &mac, NULL); 641 else 642 #endif 643 error = mac_label_copyin(umac, &mac, NULL); 644 if (error != 0) 645 goto free_groups; 646 wcred.sc_label = &mac; 647 } 648 #endif 649 650 error = kern_setcred(td, flags, &wcred, groups); 651 652 #ifdef MAC 653 if (wcred.sc_label != NULL) 654 free_copied_label(wcred.sc_label); 655 #endif 656 657 free_groups: 658 if (groups != smallgroups) 659 free(groups, M_TEMP); 660 661 return (error); 662 } 663 664 #ifndef _SYS_SYSPROTO_H_ 665 struct setcred_args { 666 u_int flags; /* Flags. */ 667 const struct setcred *wcred; 668 size_t size; /* Passed 'setcred' structure length. */ 669 }; 670 #endif 671 /* ARGSUSED */ 672 int 673 sys_setcred(struct thread *td, struct setcred_args *uap) 674 { 675 return (user_setcred(td, uap->flags, uap->wcred, uap->size, false)); 676 } 677 678 /* 679 * CAUTION: This function normalizes groups in 'wcred'. 680 * 681 * If 'preallocated_groups' is non-NULL, it must be an already allocated array 682 * of size 'wcred->sc_supp_groups_nb' containing the supplementary groups, and 683 * 'wcred->sc_supp_groups' then must point to it. 684 */ 685 int 686 kern_setcred(struct thread *const td, const u_int flags, 687 struct setcred *const wcred, gid_t *preallocated_groups) 688 { 689 struct proc *const p = td->td_proc; 690 struct ucred *new_cred, *old_cred, *to_free_cred; 691 struct uidinfo *uip = NULL, *ruip = NULL; 692 #ifdef MAC 693 void *mac_set_proc_data = NULL; 694 bool proc_label_set = false; 695 #endif 696 gid_t *groups = NULL; 697 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 698 int error; 699 bool cred_set = false; 700 701 /* Bail out on unrecognized flags. */ 702 if (flags & ~SETCREDF_MASK) 703 return (EINVAL); 704 705 /* 706 * Part 1: We allocate and perform preparatory operations with no locks. 707 */ 708 709 if (flags & SETCREDF_SUPP_GROUPS) { 710 if (wcred->sc_supp_groups_nb > ngroups_max) 711 return (EINVAL); 712 if (preallocated_groups != NULL) { 713 groups = preallocated_groups; 714 MPASS(preallocated_groups == wcred->sc_supp_groups); 715 } else { 716 if (wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB) 717 groups = smallgroups; 718 else 719 groups = malloc(wcred->sc_supp_groups_nb * 720 sizeof(*groups), M_TEMP, M_WAITOK); 721 memcpy(groups, wcred->sc_supp_groups, 722 wcred->sc_supp_groups_nb * sizeof(*groups)); 723 } 724 } 725 726 if (flags & SETCREDF_MAC_LABEL) { 727 #ifdef MAC 728 error = mac_set_proc_prepare(td, wcred->sc_label, 729 &mac_set_proc_data); 730 if (error != 0) 731 goto free_groups; 732 #else 733 error = ENOTSUP; 734 goto free_groups; 735 #endif 736 } 737 738 if (flags & SETCREDF_UID) { 739 AUDIT_ARG_EUID(wcred->sc_uid); 740 uip = uifind(wcred->sc_uid); 741 } 742 if (flags & SETCREDF_RUID) { 743 AUDIT_ARG_RUID(wcred->sc_ruid); 744 ruip = uifind(wcred->sc_ruid); 745 } 746 if (flags & SETCREDF_SVUID) 747 AUDIT_ARG_SUID(wcred->sc_svuid); 748 749 if (flags & SETCREDF_GID) 750 AUDIT_ARG_EGID(wcred->sc_gid); 751 if (flags & SETCREDF_RGID) 752 AUDIT_ARG_RGID(wcred->sc_rgid); 753 if (flags & SETCREDF_SVGID) 754 AUDIT_ARG_SGID(wcred->sc_svgid); 755 if (flags & SETCREDF_SUPP_GROUPS) { 756 /* 757 * Output the raw supplementary groups array for better 758 * traceability. 759 */ 760 AUDIT_ARG_GROUPSET(groups, wcred->sc_supp_groups_nb); 761 groups_normalize(&wcred->sc_supp_groups_nb, groups); 762 } 763 764 /* 765 * We first completely build the new credentials and only then pass them 766 * to MAC along with the old ones so that modules can check whether the 767 * requested transition is allowed. 768 */ 769 new_cred = crget(); 770 to_free_cred = new_cred; 771 if (flags & SETCREDF_SUPP_GROUPS) 772 crextend(new_cred, wcred->sc_supp_groups_nb); 773 774 #ifdef MAC 775 mac_cred_setcred_enter(); 776 #endif 777 778 /* 779 * Part 2: We grab the process lock as to have a stable view of its 780 * current credentials, and prepare a copy of them with the requested 781 * changes applied under that lock. 782 */ 783 784 PROC_LOCK(p); 785 old_cred = crcopysafe(p, new_cred); 786 787 /* 788 * Change user IDs. 789 */ 790 if (flags & SETCREDF_UID) 791 change_euid(new_cred, uip); 792 if (flags & SETCREDF_RUID) 793 change_ruid(new_cred, ruip); 794 if (flags & SETCREDF_SVUID) 795 change_svuid(new_cred, wcred->sc_svuid); 796 797 /* 798 * Change groups. 799 */ 800 if (flags & SETCREDF_SUPP_GROUPS) 801 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb, 802 groups); 803 if (flags & SETCREDF_GID) 804 change_egid(new_cred, wcred->sc_gid); 805 if (flags & SETCREDF_RGID) 806 change_rgid(new_cred, wcred->sc_rgid); 807 if (flags & SETCREDF_SVGID) 808 change_svgid(new_cred, wcred->sc_svgid); 809 810 #ifdef MAC 811 /* 812 * Change the MAC label. 813 */ 814 if (flags & SETCREDF_MAC_LABEL) { 815 error = mac_set_proc_core(td, new_cred, mac_set_proc_data); 816 if (error != 0) 817 goto unlock_finish; 818 proc_label_set = true; 819 } 820 821 /* 822 * MAC security modules checks. 823 */ 824 error = mac_cred_check_setcred(flags, old_cred, new_cred); 825 if (error != 0) 826 goto unlock_finish; 827 #endif 828 /* 829 * Privilege check. 830 */ 831 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED); 832 if (error != 0) 833 goto unlock_finish; 834 835 #ifdef RACCT 836 /* 837 * Hold a reference to 'new_cred', as we need to call some functions on 838 * it after proc_set_cred_enforce_proc_lim(). 839 */ 840 crhold(new_cred); 841 #endif 842 843 /* Set the new credentials. */ 844 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred); 845 if (cred_set) { 846 setsugid(p); 847 #ifdef RACCT 848 /* Adjust RACCT counters. */ 849 racct_proc_ucred_changed(p, old_cred, new_cred); 850 #endif 851 to_free_cred = old_cred; 852 MPASS(error == 0); 853 } else { 854 #ifdef RACCT 855 /* Matches the crhold() just before the containing 'if'. */ 856 crfree(new_cred); 857 #endif 858 error = EAGAIN; 859 } 860 861 unlock_finish: 862 PROC_UNLOCK(p); 863 864 /* 865 * Part 3: After releasing the process lock, we perform cleanups and 866 * finishing operations. 867 */ 868 869 #ifdef RACCT 870 if (cred_set) { 871 #ifdef RCTL 872 rctl_proc_ucred_changed(p, new_cred); 873 #endif 874 /* Paired with the crhold() above. */ 875 crfree(new_cred); 876 } 877 #endif 878 879 #ifdef MAC 880 if (mac_set_proc_data != NULL) 881 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data); 882 mac_cred_setcred_exit(); 883 #endif 884 crfree(to_free_cred); 885 if (uip != NULL) 886 uifree(uip); 887 if (ruip != NULL) 888 uifree(ruip); 889 free_groups: 890 if (groups != preallocated_groups && groups != smallgroups) 891 free(groups, M_TEMP); /* Deals with 'groups' being NULL. */ 892 return (error); 893 } 894 895 /* 896 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 897 * compatible. It says that setting the uid/gid to euid/egid is a special 898 * case of "appropriate privilege". Once the rules are expanded out, this 899 * basically means that setuid(nnn) sets all three id's, in all permitted 900 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 901 * does not set the saved id - this is dangerous for traditional BSD 902 * programs. For this reason, we *really* do not want to set 903 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 904 */ 905 #define POSIX_APPENDIX_B_4_2_2 906 907 #ifndef _SYS_SYSPROTO_H_ 908 struct setuid_args { 909 uid_t uid; 910 }; 911 #endif 912 /* ARGSUSED */ 913 int 914 sys_setuid(struct thread *td, struct setuid_args *uap) 915 { 916 struct proc *p = td->td_proc; 917 struct ucred *newcred, *oldcred; 918 uid_t uid; 919 struct uidinfo *uip; 920 int error; 921 922 uid = uap->uid; 923 AUDIT_ARG_UID(uid); 924 newcred = crget(); 925 uip = uifind(uid); 926 PROC_LOCK(p); 927 /* 928 * Copy credentials so other references do not see our changes. 929 */ 930 oldcred = crcopysafe(p, newcred); 931 932 #ifdef MAC 933 error = mac_cred_check_setuid(oldcred, uid); 934 if (error) 935 goto fail; 936 #endif 937 938 /* 939 * See if we have "permission" by POSIX 1003.1 rules. 940 * 941 * Note that setuid(geteuid()) is a special case of 942 * "appropriate privileges" in appendix B.4.2.2. We need 943 * to use this clause to be compatible with traditional BSD 944 * semantics. Basically, it means that "setuid(xx)" sets all 945 * three id's (assuming you have privs). 946 * 947 * Notes on the logic. We do things in three steps. 948 * 1: We determine if the euid is going to change, and do EPERM 949 * right away. We unconditionally change the euid later if this 950 * test is satisfied, simplifying that part of the logic. 951 * 2: We determine if the real and/or saved uids are going to 952 * change. Determined by compile options. 953 * 3: Change euid last. (after tests in #2 for "appropriate privs") 954 */ 955 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 956 #ifdef _POSIX_SAVED_IDS 957 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 958 #endif 959 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 960 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 961 #endif 962 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 963 goto fail; 964 965 #ifdef _POSIX_SAVED_IDS 966 /* 967 * Do we have "appropriate privileges" (are we root or uid == euid) 968 * If so, we are changing the real uid and/or saved uid. 969 */ 970 if ( 971 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 972 uid == oldcred->cr_uid || 973 #endif 974 /* We are using privs. */ 975 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 976 #endif 977 { 978 /* 979 * Set the real uid. 980 */ 981 if (uid != oldcred->cr_ruid) { 982 change_ruid(newcred, uip); 983 setsugid(p); 984 } 985 /* 986 * Set saved uid 987 * 988 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 989 * the security of seteuid() depends on it. B.4.2.2 says it 990 * is important that we should do this. 991 */ 992 if (uid != oldcred->cr_svuid) { 993 change_svuid(newcred, uid); 994 setsugid(p); 995 } 996 } 997 998 /* 999 * In all permitted cases, we are changing the euid. 1000 */ 1001 if (uid != oldcred->cr_uid) { 1002 change_euid(newcred, uip); 1003 setsugid(p); 1004 } 1005 1006 #ifdef RACCT 1007 racct_proc_ucred_changed(p, oldcred, newcred); 1008 #endif 1009 #ifdef RCTL 1010 crhold(newcred); 1011 #endif 1012 /* 1013 * Takes over 'newcred''s reference, so 'newcred' must not be used 1014 * besides this point except on RCTL where we took an additional 1015 * reference above. 1016 */ 1017 proc_set_cred(p, newcred); 1018 PROC_UNLOCK(p); 1019 #ifdef RCTL 1020 rctl_proc_ucred_changed(p, newcred); 1021 crfree(newcred); 1022 #endif 1023 uifree(uip); 1024 crfree(oldcred); 1025 return (0); 1026 1027 fail: 1028 PROC_UNLOCK(p); 1029 uifree(uip); 1030 crfree(newcred); 1031 return (error); 1032 } 1033 1034 #ifndef _SYS_SYSPROTO_H_ 1035 struct seteuid_args { 1036 uid_t euid; 1037 }; 1038 #endif 1039 /* ARGSUSED */ 1040 int 1041 sys_seteuid(struct thread *td, struct seteuid_args *uap) 1042 { 1043 struct proc *p = td->td_proc; 1044 struct ucred *newcred, *oldcred; 1045 uid_t euid; 1046 struct uidinfo *euip; 1047 int error; 1048 1049 euid = uap->euid; 1050 AUDIT_ARG_EUID(euid); 1051 newcred = crget(); 1052 euip = uifind(euid); 1053 PROC_LOCK(p); 1054 /* 1055 * Copy credentials so other references do not see our changes. 1056 */ 1057 oldcred = crcopysafe(p, newcred); 1058 1059 #ifdef MAC 1060 error = mac_cred_check_seteuid(oldcred, euid); 1061 if (error) 1062 goto fail; 1063 #endif 1064 1065 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 1066 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 1067 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 1068 goto fail; 1069 1070 /* 1071 * Everything's okay, do it. 1072 */ 1073 if (oldcred->cr_uid != euid) { 1074 change_euid(newcred, euip); 1075 setsugid(p); 1076 } 1077 proc_set_cred(p, newcred); 1078 PROC_UNLOCK(p); 1079 uifree(euip); 1080 crfree(oldcred); 1081 return (0); 1082 1083 fail: 1084 PROC_UNLOCK(p); 1085 uifree(euip); 1086 crfree(newcred); 1087 return (error); 1088 } 1089 1090 #ifndef _SYS_SYSPROTO_H_ 1091 struct setgid_args { 1092 gid_t gid; 1093 }; 1094 #endif 1095 /* ARGSUSED */ 1096 int 1097 sys_setgid(struct thread *td, struct setgid_args *uap) 1098 { 1099 struct proc *p = td->td_proc; 1100 struct ucred *newcred, *oldcred; 1101 gid_t gid; 1102 int error; 1103 1104 gid = uap->gid; 1105 AUDIT_ARG_GID(gid); 1106 newcred = crget(); 1107 PROC_LOCK(p); 1108 oldcred = crcopysafe(p, newcred); 1109 1110 #ifdef MAC 1111 error = mac_cred_check_setgid(oldcred, gid); 1112 if (error) 1113 goto fail; 1114 #endif 1115 1116 /* 1117 * See if we have "permission" by POSIX 1003.1 rules. 1118 * 1119 * Note that setgid(getegid()) is a special case of 1120 * "appropriate privileges" in appendix B.4.2.2. We need 1121 * to use this clause to be compatible with traditional BSD 1122 * semantics. Basically, it means that "setgid(xx)" sets all 1123 * three id's (assuming you have privs). 1124 * 1125 * For notes on the logic here, see setuid() above. 1126 */ 1127 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 1128 #ifdef _POSIX_SAVED_IDS 1129 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 1130 #endif 1131 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 1132 gid != oldcred->cr_gid && /* allow setgid(getegid()) */ 1133 #endif 1134 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 1135 goto fail; 1136 1137 #ifdef _POSIX_SAVED_IDS 1138 /* 1139 * Do we have "appropriate privileges" (are we root or gid == egid) 1140 * If so, we are changing the real uid and saved gid. 1141 */ 1142 if ( 1143 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 1144 gid == oldcred->cr_gid || 1145 #endif 1146 /* We are using privs. */ 1147 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 1148 #endif 1149 { 1150 /* 1151 * Set real gid 1152 */ 1153 if (oldcred->cr_rgid != gid) { 1154 change_rgid(newcred, gid); 1155 setsugid(p); 1156 } 1157 /* 1158 * Set saved gid 1159 * 1160 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 1161 * the security of setegid() depends on it. B.4.2.2 says it 1162 * is important that we should do this. 1163 */ 1164 if (oldcred->cr_svgid != gid) { 1165 change_svgid(newcred, gid); 1166 setsugid(p); 1167 } 1168 } 1169 /* 1170 * In all cases permitted cases, we are changing the egid. 1171 * Copy credentials so other references do not see our changes. 1172 */ 1173 if (oldcred->cr_gid != gid) { 1174 change_egid(newcred, gid); 1175 setsugid(p); 1176 } 1177 proc_set_cred(p, newcred); 1178 PROC_UNLOCK(p); 1179 crfree(oldcred); 1180 return (0); 1181 1182 fail: 1183 PROC_UNLOCK(p); 1184 crfree(newcred); 1185 return (error); 1186 } 1187 1188 #ifndef _SYS_SYSPROTO_H_ 1189 struct setegid_args { 1190 gid_t egid; 1191 }; 1192 #endif 1193 /* ARGSUSED */ 1194 int 1195 sys_setegid(struct thread *td, struct setegid_args *uap) 1196 { 1197 struct proc *p = td->td_proc; 1198 struct ucred *newcred, *oldcred; 1199 gid_t egid; 1200 int error; 1201 1202 egid = uap->egid; 1203 AUDIT_ARG_EGID(egid); 1204 newcred = crget(); 1205 PROC_LOCK(p); 1206 oldcred = crcopysafe(p, newcred); 1207 1208 #ifdef MAC 1209 error = mac_cred_check_setegid(oldcred, egid); 1210 if (error) 1211 goto fail; 1212 #endif 1213 1214 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 1215 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 1216 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 1217 goto fail; 1218 1219 if (oldcred->cr_gid != egid) { 1220 change_egid(newcred, egid); 1221 setsugid(p); 1222 } 1223 proc_set_cred(p, newcred); 1224 PROC_UNLOCK(p); 1225 crfree(oldcred); 1226 return (0); 1227 1228 fail: 1229 PROC_UNLOCK(p); 1230 crfree(newcred); 1231 return (error); 1232 } 1233 1234 #ifdef COMPAT_FREEBSD14 1235 int 1236 freebsd14_setgroups(struct thread *td, struct freebsd14_setgroups_args *uap) 1237 { 1238 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1239 gid_t *groups; 1240 int gidsetsize, error; 1241 1242 /* 1243 * Before FreeBSD 15.0, we allow one more group to be supplied to 1244 * account for the egid appearing before the supplementary groups. This 1245 * may technically allow one more supplementary group for systems that 1246 * did use the default NGROUPS_MAX if we round it back up to 1024. 1247 */ 1248 gidsetsize = uap->gidsetsize; 1249 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 1250 return (EINVAL); 1251 1252 if (gidsetsize > CRED_SMALLGROUPS_NB) 1253 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1254 else 1255 groups = smallgroups; 1256 1257 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1258 if (error == 0) { 1259 int ngroups = gidsetsize > 0 ? gidsetsize - 1 /* egid */ : 0; 1260 1261 error = kern_setgroups(td, &ngroups, groups + 1); 1262 if (error == 0 && gidsetsize > 0) 1263 td->td_proc->p_ucred->cr_gid = groups[0]; 1264 } 1265 1266 if (groups != smallgroups) 1267 free(groups, M_TEMP); 1268 return (error); 1269 } 1270 #endif /* COMPAT_FREEBSD14 */ 1271 1272 #ifndef _SYS_SYSPROTO_H_ 1273 struct setgroups_args { 1274 int gidsetsize; 1275 gid_t *gidset; 1276 }; 1277 #endif 1278 /* ARGSUSED */ 1279 int 1280 sys_setgroups(struct thread *td, struct setgroups_args *uap) 1281 { 1282 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1283 gid_t *groups; 1284 int gidsetsize, error; 1285 1286 /* 1287 * Sanity check size now to avoid passing too big a value to copyin(), 1288 * even if kern_setgroups() will do it again. 1289 * 1290 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 1291 * was, in this implementation, for a long time), but POSIX standardized 1292 * getgroups() to take an 'int' and it would be quite entrapping to have 1293 * setgroups() differ. 1294 */ 1295 gidsetsize = uap->gidsetsize; 1296 if (gidsetsize > ngroups_max || gidsetsize < 0) 1297 return (EINVAL); 1298 1299 if (gidsetsize > CRED_SMALLGROUPS_NB) 1300 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1301 else 1302 groups = smallgroups; 1303 1304 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1305 if (error == 0) 1306 error = kern_setgroups(td, &gidsetsize, groups); 1307 1308 if (groups != smallgroups) 1309 free(groups, M_TEMP); 1310 return (error); 1311 } 1312 1313 /* 1314 * CAUTION: This function normalizes 'groups', possibly also changing the value 1315 * of '*ngrpp' as a consequence. 1316 */ 1317 int 1318 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 1319 { 1320 struct proc *p = td->td_proc; 1321 struct ucred *newcred, *oldcred; 1322 int ngrp, error; 1323 1324 ngrp = *ngrpp; 1325 /* Sanity check size. */ 1326 if (ngrp < 0 || ngrp > ngroups_max) 1327 return (EINVAL); 1328 1329 AUDIT_ARG_GROUPSET(groups, ngrp); 1330 1331 groups_normalize(&ngrp, groups); 1332 *ngrpp = ngrp; 1333 1334 newcred = crget(); 1335 crextend(newcred, ngrp); 1336 PROC_LOCK(p); 1337 oldcred = crcopysafe(p, newcred); 1338 1339 #ifdef MAC 1340 /* 1341 * We pass NULL here explicitly if we don't have any supplementary 1342 * groups mostly for the sake of normalization, but also to avoid/detect 1343 * a situation where a MAC module has some assumption about the layout 1344 * of `groups` matching historical behavior. 1345 */ 1346 error = mac_cred_check_setgroups(oldcred, ngrp, 1347 ngrp == 0 ? NULL : groups); 1348 if (error) 1349 goto fail; 1350 #endif 1351 1352 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1353 if (error) 1354 goto fail; 1355 1356 crsetgroups_internal(newcred, ngrp, groups); 1357 setsugid(p); 1358 proc_set_cred(p, newcred); 1359 PROC_UNLOCK(p); 1360 crfree(oldcred); 1361 return (0); 1362 1363 fail: 1364 PROC_UNLOCK(p); 1365 crfree(newcred); 1366 return (error); 1367 } 1368 1369 #ifndef _SYS_SYSPROTO_H_ 1370 struct setreuid_args { 1371 uid_t ruid; 1372 uid_t euid; 1373 }; 1374 #endif 1375 /* ARGSUSED */ 1376 int 1377 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1378 { 1379 struct proc *p = td->td_proc; 1380 struct ucred *newcred, *oldcred; 1381 uid_t euid, ruid; 1382 struct uidinfo *euip, *ruip; 1383 int error; 1384 1385 euid = uap->euid; 1386 ruid = uap->ruid; 1387 AUDIT_ARG_EUID(euid); 1388 AUDIT_ARG_RUID(ruid); 1389 newcred = crget(); 1390 euip = uifind(euid); 1391 ruip = uifind(ruid); 1392 PROC_LOCK(p); 1393 oldcred = crcopysafe(p, newcred); 1394 1395 #ifdef MAC 1396 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1397 if (error) 1398 goto fail; 1399 #endif 1400 1401 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1402 ruid != oldcred->cr_svuid) || 1403 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1404 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1405 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1406 goto fail; 1407 1408 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1409 change_euid(newcred, euip); 1410 setsugid(p); 1411 } 1412 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1413 change_ruid(newcred, ruip); 1414 setsugid(p); 1415 } 1416 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1417 newcred->cr_svuid != newcred->cr_uid) { 1418 change_svuid(newcred, newcred->cr_uid); 1419 setsugid(p); 1420 } 1421 #ifdef RACCT 1422 racct_proc_ucred_changed(p, oldcred, newcred); 1423 #endif 1424 #ifdef RCTL 1425 crhold(newcred); 1426 #endif 1427 /* 1428 * Takes over 'newcred''s reference, so 'newcred' must not be used 1429 * besides this point except on RCTL where we took an additional 1430 * reference above. 1431 */ 1432 proc_set_cred(p, newcred); 1433 PROC_UNLOCK(p); 1434 #ifdef RCTL 1435 rctl_proc_ucred_changed(p, newcred); 1436 crfree(newcred); 1437 #endif 1438 uifree(ruip); 1439 uifree(euip); 1440 crfree(oldcred); 1441 return (0); 1442 1443 fail: 1444 PROC_UNLOCK(p); 1445 uifree(ruip); 1446 uifree(euip); 1447 crfree(newcred); 1448 return (error); 1449 } 1450 1451 #ifndef _SYS_SYSPROTO_H_ 1452 struct setregid_args { 1453 gid_t rgid; 1454 gid_t egid; 1455 }; 1456 #endif 1457 /* ARGSUSED */ 1458 int 1459 sys_setregid(struct thread *td, struct setregid_args *uap) 1460 { 1461 struct proc *p = td->td_proc; 1462 struct ucred *newcred, *oldcred; 1463 gid_t egid, rgid; 1464 int error; 1465 1466 egid = uap->egid; 1467 rgid = uap->rgid; 1468 AUDIT_ARG_EGID(egid); 1469 AUDIT_ARG_RGID(rgid); 1470 newcred = crget(); 1471 PROC_LOCK(p); 1472 oldcred = crcopysafe(p, newcred); 1473 1474 #ifdef MAC 1475 error = mac_cred_check_setregid(oldcred, rgid, egid); 1476 if (error) 1477 goto fail; 1478 #endif 1479 1480 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1481 rgid != oldcred->cr_svgid) || 1482 (egid != (gid_t)-1 && egid != oldcred->cr_gid && 1483 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1484 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1485 goto fail; 1486 1487 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1488 change_egid(newcred, egid); 1489 setsugid(p); 1490 } 1491 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1492 change_rgid(newcred, rgid); 1493 setsugid(p); 1494 } 1495 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) && 1496 newcred->cr_svgid != newcred->cr_gid) { 1497 change_svgid(newcred, newcred->cr_gid); 1498 setsugid(p); 1499 } 1500 proc_set_cred(p, newcred); 1501 PROC_UNLOCK(p); 1502 crfree(oldcred); 1503 return (0); 1504 1505 fail: 1506 PROC_UNLOCK(p); 1507 crfree(newcred); 1508 return (error); 1509 } 1510 1511 /* 1512 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1513 * uid is explicit. 1514 */ 1515 #ifndef _SYS_SYSPROTO_H_ 1516 struct setresuid_args { 1517 uid_t ruid; 1518 uid_t euid; 1519 uid_t suid; 1520 }; 1521 #endif 1522 /* ARGSUSED */ 1523 int 1524 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1525 { 1526 struct proc *p = td->td_proc; 1527 struct ucred *newcred, *oldcred; 1528 uid_t euid, ruid, suid; 1529 struct uidinfo *euip, *ruip; 1530 int error; 1531 1532 euid = uap->euid; 1533 ruid = uap->ruid; 1534 suid = uap->suid; 1535 AUDIT_ARG_EUID(euid); 1536 AUDIT_ARG_RUID(ruid); 1537 AUDIT_ARG_SUID(suid); 1538 newcred = crget(); 1539 euip = uifind(euid); 1540 ruip = uifind(ruid); 1541 PROC_LOCK(p); 1542 oldcred = crcopysafe(p, newcred); 1543 1544 #ifdef MAC 1545 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1546 if (error) 1547 goto fail; 1548 #endif 1549 1550 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1551 ruid != oldcred->cr_svuid && 1552 ruid != oldcred->cr_uid) || 1553 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1554 euid != oldcred->cr_svuid && 1555 euid != oldcred->cr_uid) || 1556 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1557 suid != oldcred->cr_svuid && 1558 suid != oldcred->cr_uid)) && 1559 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1560 goto fail; 1561 1562 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1563 change_euid(newcred, euip); 1564 setsugid(p); 1565 } 1566 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1567 change_ruid(newcred, ruip); 1568 setsugid(p); 1569 } 1570 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1571 change_svuid(newcred, suid); 1572 setsugid(p); 1573 } 1574 #ifdef RACCT 1575 racct_proc_ucred_changed(p, oldcred, newcred); 1576 #endif 1577 #ifdef RCTL 1578 crhold(newcred); 1579 #endif 1580 /* 1581 * Takes over 'newcred''s reference, so 'newcred' must not be used 1582 * besides this point except on RCTL where we took an additional 1583 * reference above. 1584 */ 1585 proc_set_cred(p, newcred); 1586 PROC_UNLOCK(p); 1587 #ifdef RCTL 1588 rctl_proc_ucred_changed(p, newcred); 1589 crfree(newcred); 1590 #endif 1591 uifree(ruip); 1592 uifree(euip); 1593 crfree(oldcred); 1594 return (0); 1595 1596 fail: 1597 PROC_UNLOCK(p); 1598 uifree(ruip); 1599 uifree(euip); 1600 crfree(newcred); 1601 return (error); 1602 1603 } 1604 1605 /* 1606 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1607 * gid is explicit. 1608 */ 1609 #ifndef _SYS_SYSPROTO_H_ 1610 struct setresgid_args { 1611 gid_t rgid; 1612 gid_t egid; 1613 gid_t sgid; 1614 }; 1615 #endif 1616 /* ARGSUSED */ 1617 int 1618 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1619 { 1620 struct proc *p = td->td_proc; 1621 struct ucred *newcred, *oldcred; 1622 gid_t egid, rgid, sgid; 1623 int error; 1624 1625 egid = uap->egid; 1626 rgid = uap->rgid; 1627 sgid = uap->sgid; 1628 AUDIT_ARG_EGID(egid); 1629 AUDIT_ARG_RGID(rgid); 1630 AUDIT_ARG_SGID(sgid); 1631 newcred = crget(); 1632 PROC_LOCK(p); 1633 oldcred = crcopysafe(p, newcred); 1634 1635 #ifdef MAC 1636 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1637 if (error) 1638 goto fail; 1639 #endif 1640 1641 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1642 rgid != oldcred->cr_svgid && 1643 rgid != oldcred->cr_gid) || 1644 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1645 egid != oldcred->cr_svgid && 1646 egid != oldcred->cr_gid) || 1647 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1648 sgid != oldcred->cr_svgid && 1649 sgid != oldcred->cr_gid)) && 1650 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1651 goto fail; 1652 1653 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1654 change_egid(newcred, egid); 1655 setsugid(p); 1656 } 1657 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1658 change_rgid(newcred, rgid); 1659 setsugid(p); 1660 } 1661 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1662 change_svgid(newcred, sgid); 1663 setsugid(p); 1664 } 1665 proc_set_cred(p, newcred); 1666 PROC_UNLOCK(p); 1667 crfree(oldcred); 1668 return (0); 1669 1670 fail: 1671 PROC_UNLOCK(p); 1672 crfree(newcred); 1673 return (error); 1674 } 1675 1676 #ifndef _SYS_SYSPROTO_H_ 1677 struct getresuid_args { 1678 uid_t *ruid; 1679 uid_t *euid; 1680 uid_t *suid; 1681 }; 1682 #endif 1683 /* ARGSUSED */ 1684 int 1685 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1686 { 1687 struct ucred *cred; 1688 int error1 = 0, error2 = 0, error3 = 0; 1689 1690 cred = td->td_ucred; 1691 if (uap->ruid) 1692 error1 = copyout(&cred->cr_ruid, 1693 uap->ruid, sizeof(cred->cr_ruid)); 1694 if (uap->euid) 1695 error2 = copyout(&cred->cr_uid, 1696 uap->euid, sizeof(cred->cr_uid)); 1697 if (uap->suid) 1698 error3 = copyout(&cred->cr_svuid, 1699 uap->suid, sizeof(cred->cr_svuid)); 1700 return (error1 ? error1 : error2 ? error2 : error3); 1701 } 1702 1703 #ifndef _SYS_SYSPROTO_H_ 1704 struct getresgid_args { 1705 gid_t *rgid; 1706 gid_t *egid; 1707 gid_t *sgid; 1708 }; 1709 #endif 1710 /* ARGSUSED */ 1711 int 1712 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1713 { 1714 struct ucred *cred; 1715 int error1 = 0, error2 = 0, error3 = 0; 1716 1717 cred = td->td_ucred; 1718 if (uap->rgid) 1719 error1 = copyout(&cred->cr_rgid, 1720 uap->rgid, sizeof(cred->cr_rgid)); 1721 if (uap->egid) 1722 error2 = copyout(&cred->cr_gid, 1723 uap->egid, sizeof(cred->cr_gid)); 1724 if (uap->sgid) 1725 error3 = copyout(&cred->cr_svgid, 1726 uap->sgid, sizeof(cred->cr_svgid)); 1727 return (error1 ? error1 : error2 ? error2 : error3); 1728 } 1729 1730 #ifndef _SYS_SYSPROTO_H_ 1731 struct issetugid_args { 1732 int dummy; 1733 }; 1734 #endif 1735 /* ARGSUSED */ 1736 int 1737 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1738 { 1739 struct proc *p = td->td_proc; 1740 1741 /* 1742 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1743 * we use P_SUGID because we consider changing the owners as 1744 * "tainting" as well. 1745 * This is significant for procs that start as root and "become" 1746 * a user without an exec - programs cannot know *everything* 1747 * that libc *might* have put in their data segment. 1748 */ 1749 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1750 return (0); 1751 } 1752 1753 int 1754 sys___setugid(struct thread *td, struct __setugid_args *uap) 1755 { 1756 #ifdef REGRESSION 1757 struct proc *p; 1758 1759 p = td->td_proc; 1760 switch (uap->flag) { 1761 case 0: 1762 PROC_LOCK(p); 1763 p->p_flag &= ~P_SUGID; 1764 PROC_UNLOCK(p); 1765 return (0); 1766 case 1: 1767 PROC_LOCK(p); 1768 p->p_flag |= P_SUGID; 1769 PROC_UNLOCK(p); 1770 return (0); 1771 default: 1772 return (EINVAL); 1773 } 1774 #else /* !REGRESSION */ 1775 1776 return (ENOSYS); 1777 #endif /* REGRESSION */ 1778 } 1779 1780 #ifdef INVARIANTS 1781 static void 1782 groups_check_normalized(int ngrp, const gid_t *groups) 1783 { 1784 gid_t prev_g; 1785 1786 groups_check_positive_len(ngrp); 1787 groups_check_max_len(ngrp); 1788 1789 if (ngrp <= 1) 1790 return; 1791 1792 prev_g = groups[0]; 1793 for (int i = 1; i < ngrp; ++i) { 1794 const gid_t g = groups[i]; 1795 1796 if (prev_g >= g) 1797 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1798 __func__, i - 1, prev_g, i, g); 1799 prev_g = g; 1800 } 1801 } 1802 #else 1803 #define groups_check_normalized(...) 1804 #endif 1805 1806 /* 1807 * Returns whether gid designates a supplementary group in cred. 1808 */ 1809 bool 1810 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1811 { 1812 1813 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1814 1815 /* 1816 * Perform a binary search of the supplementary groups. This is 1817 * possible because we sort the groups in crsetgroups(). 1818 */ 1819 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups, 1820 sizeof(gid), gidp_cmp) != NULL); 1821 } 1822 1823 /* 1824 * Check if gid is a member of the (effective) group set (i.e., effective and 1825 * supplementary groups). 1826 */ 1827 bool 1828 groupmember(gid_t gid, const struct ucred *cred) 1829 { 1830 1831 groups_check_positive_len(cred->cr_ngroups); 1832 1833 if (gid == cred->cr_gid) 1834 return (true); 1835 1836 return (group_is_supplementary(gid, cred)); 1837 } 1838 1839 /* 1840 * Check if gid is a member of the real group set (i.e., real and supplementary 1841 * groups). 1842 */ 1843 bool 1844 realgroupmember(gid_t gid, const struct ucred *cred) 1845 { 1846 groups_check_positive_len(cred->cr_ngroups); 1847 1848 if (gid == cred->cr_rgid) 1849 return (true); 1850 1851 return (group_is_supplementary(gid, cred)); 1852 } 1853 1854 /* 1855 * Test the active securelevel against a given level. securelevel_gt() 1856 * implements (securelevel > level). securelevel_ge() implements 1857 * (securelevel >= level). Note that the logic is inverted -- these 1858 * functions return EPERM on "success" and 0 on "failure". 1859 * 1860 * Due to care taken when setting the securelevel, we know that no jail will 1861 * be less secure that its parent (or the physical system), so it is sufficient 1862 * to test the current jail only. 1863 * 1864 * XXXRW: Possibly since this has to do with privilege, it should move to 1865 * kern_priv.c. 1866 */ 1867 int 1868 securelevel_gt(struct ucred *cr, int level) 1869 { 1870 1871 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1872 } 1873 1874 int 1875 securelevel_ge(struct ucred *cr, int level) 1876 { 1877 1878 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1879 } 1880 1881 /* 1882 * 'see_other_uids' determines whether or not visibility of processes 1883 * and sockets with credentials holding different real uids is possible 1884 * using a variety of system MIBs. 1885 * XXX: data declarations should be together near the beginning of the file. 1886 */ 1887 static int see_other_uids = 1; 1888 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1889 &see_other_uids, 0, 1890 "Unprivileged processes may see subjects/objects with different real uid"); 1891 1892 /*- 1893 * Determine if u1 "can see" the subject specified by u2, according to the 1894 * 'see_other_uids' policy. 1895 * Returns: 0 for permitted, ESRCH otherwise 1896 * Locks: none 1897 * References: *u1 and *u2 must not change during the call 1898 * u1 may equal u2, in which case only one reference is required 1899 */ 1900 static int 1901 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1902 { 1903 1904 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1905 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1906 return (ESRCH); 1907 } 1908 return (0); 1909 } 1910 1911 /* 1912 * 'see_other_gids' determines whether or not visibility of processes 1913 * and sockets with credentials holding different real gids is possible 1914 * using a variety of system MIBs. 1915 * XXX: data declarations should be together near the beginning of the file. 1916 */ 1917 static int see_other_gids = 1; 1918 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1919 &see_other_gids, 0, 1920 "Unprivileged processes may see subjects/objects with different real gid"); 1921 1922 /* 1923 * Determine if u1 can "see" the subject specified by u2, according to the 1924 * 'see_other_gids' policy. 1925 * Returns: 0 for permitted, ESRCH otherwise 1926 * Locks: none 1927 * References: *u1 and *u2 must not change during the call 1928 * u1 may equal u2, in which case only one reference is required 1929 */ 1930 static int 1931 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1932 { 1933 if (see_other_gids) 1934 return (0); 1935 1936 /* Restriction in force. */ 1937 1938 if (realgroupmember(u1->cr_rgid, u2)) 1939 return (0); 1940 1941 for (int i = 0; i < u1->cr_ngroups; i++) 1942 if (realgroupmember(u1->cr_groups[i], u2)) 1943 return (0); 1944 1945 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0) 1946 return (0); 1947 1948 return (ESRCH); 1949 } 1950 1951 /* 1952 * 'see_jail_proc' determines whether or not visibility of processes and 1953 * sockets with credentials holding different jail ids is possible using a 1954 * variety of system MIBs. 1955 * 1956 * XXX: data declarations should be together near the beginning of the file. 1957 */ 1958 1959 static int see_jail_proc = 1; 1960 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1961 &see_jail_proc, 0, 1962 "Unprivileged processes may see subjects/objects with different jail ids"); 1963 1964 /*- 1965 * Determine if u1 "can see" the subject specified by u2, according to the 1966 * 'see_jail_proc' policy. 1967 * Returns: 0 for permitted, ESRCH otherwise 1968 * Locks: none 1969 * References: *u1 and *u2 must not change during the call 1970 * u1 may equal u2, in which case only one reference is required 1971 */ 1972 static int 1973 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1974 { 1975 if (see_jail_proc || /* Policy deactivated. */ 1976 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1977 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1978 return (0); 1979 1980 return (ESRCH); 1981 } 1982 1983 /* 1984 * Determine if u1 can tamper with the subject specified by u2, if they are in 1985 * different jails and 'unprivileged_parent_tampering' jail policy allows it. 1986 * 1987 * May be called if u1 and u2 are in the same jail, but it is expected that the 1988 * caller has already done a prison_check() prior to calling it. 1989 * 1990 * Returns: 0 for permitted, EPERM otherwise 1991 */ 1992 static int 1993 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv) 1994 { 1995 1996 MPASS(prison_check(u1, u2) == 0); 1997 if (u1->cr_prison == u2->cr_prison) 1998 return (0); 1999 2000 if (priv_check_cred(u1, priv) == 0) 2001 return (0); 2002 2003 /* 2004 * Jails do not maintain a distinct UID space, so process visibility is 2005 * all that would control an unprivileged process' ability to tamper 2006 * with a process in a subjail by default if we did not have the 2007 * allow.unprivileged_parent_tampering knob to restrict it by default. 2008 */ 2009 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER)) 2010 return (0); 2011 2012 return (EPERM); 2013 } 2014 2015 /* 2016 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 2017 * policies. Determines if u1 "can see" u2 according to these policies. 2018 * Returns: 0 for permitted, ESRCH otherwise 2019 */ 2020 int 2021 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 2022 { 2023 int error; 2024 2025 error = cr_canseeotheruids(u1, u2); 2026 if (error != 0) 2027 return (error); 2028 error = cr_canseeothergids(u1, u2); 2029 if (error != 0) 2030 return (error); 2031 error = cr_canseejailproc(u1, u2); 2032 if (error != 0) 2033 return (error); 2034 return (0); 2035 } 2036 2037 /*- 2038 * Determine if u1 "can see" the subject specified by u2. 2039 * Returns: 0 for permitted, an errno value otherwise 2040 * Locks: none 2041 * References: *u1 and *u2 must not change during the call 2042 * u1 may equal u2, in which case only one reference is required 2043 */ 2044 int 2045 cr_cansee(struct ucred *u1, struct ucred *u2) 2046 { 2047 int error; 2048 2049 if ((error = prison_check(u1, u2))) 2050 return (error); 2051 #ifdef MAC 2052 if ((error = mac_cred_check_visible(u1, u2))) 2053 return (error); 2054 #endif 2055 if ((error = cr_bsd_visible(u1, u2))) 2056 return (error); 2057 return (0); 2058 } 2059 2060 /*- 2061 * Determine if td "can see" the subject specified by p. 2062 * Returns: 0 for permitted, an errno value otherwise 2063 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 2064 * should be curthread. 2065 * References: td and p must be valid for the lifetime of the call 2066 */ 2067 int 2068 p_cansee(struct thread *td, struct proc *p) 2069 { 2070 /* Wrap cr_cansee() for all functionality. */ 2071 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2072 PROC_LOCK_ASSERT(p, MA_OWNED); 2073 2074 if (td->td_proc == p) 2075 return (0); 2076 return (cr_cansee(td->td_ucred, p->p_ucred)); 2077 } 2078 2079 /* 2080 * 'conservative_signals' prevents the delivery of a broad class of 2081 * signals by unprivileged processes to processes that have changed their 2082 * credentials since the last invocation of execve(). This can prevent 2083 * the leakage of cached information or retained privileges as a result 2084 * of a common class of signal-related vulnerabilities. However, this 2085 * may interfere with some applications that expect to be able to 2086 * deliver these signals to peer processes after having given up 2087 * privilege. 2088 */ 2089 static int conservative_signals = 1; 2090 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 2091 &conservative_signals, 0, "Unprivileged processes prevented from " 2092 "sending certain signals to processes whose credentials have changed"); 2093 /*- 2094 * Determine whether cred may deliver the specified signal to proc. 2095 * Returns: 0 for permitted, an errno value otherwise. 2096 * Locks: A lock must be held for proc. 2097 * References: cred and proc must be valid for the lifetime of the call. 2098 */ 2099 int 2100 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 2101 { 2102 int error; 2103 2104 PROC_LOCK_ASSERT(proc, MA_OWNED); 2105 /* 2106 * Jail semantics limit the scope of signalling to proc in the 2107 * same jail as cred, if cred is in jail. 2108 */ 2109 error = prison_check(cred, proc->p_ucred); 2110 if (error) 2111 return (error); 2112 #ifdef MAC 2113 if ((error = mac_proc_check_signal(cred, proc, signum))) 2114 return (error); 2115 #endif 2116 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 2117 return (error); 2118 2119 /* 2120 * UNIX signal semantics depend on the status of the P_SUGID 2121 * bit on the target process. If the bit is set, then additional 2122 * restrictions are placed on the set of available signals. 2123 */ 2124 if (conservative_signals && (proc->p_flag & P_SUGID)) { 2125 switch (signum) { 2126 case 0: 2127 case SIGKILL: 2128 case SIGINT: 2129 case SIGTERM: 2130 case SIGALRM: 2131 case SIGSTOP: 2132 case SIGTTIN: 2133 case SIGTTOU: 2134 case SIGTSTP: 2135 case SIGHUP: 2136 case SIGUSR1: 2137 case SIGUSR2: 2138 /* 2139 * Generally, permit job and terminal control 2140 * signals. 2141 */ 2142 break; 2143 default: 2144 /* Not permitted without privilege. */ 2145 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 2146 if (error) 2147 return (error); 2148 } 2149 } 2150 2151 /* 2152 * Generally, the target credential's ruid or svuid must match the 2153 * subject credential's ruid or euid. 2154 */ 2155 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 2156 cred->cr_ruid != proc->p_ucred->cr_svuid && 2157 cred->cr_uid != proc->p_ucred->cr_ruid && 2158 cred->cr_uid != proc->p_ucred->cr_svuid) { 2159 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 2160 if (error) 2161 return (error); 2162 } 2163 2164 /* 2165 * At this point, the target may be in a different jail than the 2166 * subject -- the subject must be in a parent jail to the target, 2167 * whether it is prison0 or a subordinate of prison0 that has 2168 * children. Additional privileges are required to allow this, as 2169 * whether the creds are truly equivalent or not must be determined on 2170 * a case-by-case basis. 2171 */ 2172 error = cr_can_tamper_with_subjail(cred, proc->p_ucred, 2173 PRIV_SIGNAL_DIFFJAIL); 2174 if (error) 2175 return (error); 2176 2177 return (0); 2178 } 2179 2180 /*- 2181 * Determine whether td may deliver the specified signal to p. 2182 * Returns: 0 for permitted, an errno value otherwise 2183 * Locks: Sufficient locks to protect various components of td and p 2184 * must be held. td must be curthread, and a lock must be 2185 * held for p. 2186 * References: td and p must be valid for the lifetime of the call 2187 */ 2188 int 2189 p_cansignal(struct thread *td, struct proc *p, int signum) 2190 { 2191 2192 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2193 PROC_LOCK_ASSERT(p, MA_OWNED); 2194 if (td->td_proc == p) 2195 return (0); 2196 2197 /* 2198 * UNIX signalling semantics require that processes in the same 2199 * session always be able to deliver SIGCONT to one another, 2200 * overriding the remaining protections. 2201 */ 2202 /* XXX: This will require an additional lock of some sort. */ 2203 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 2204 return (0); 2205 /* 2206 * Some compat layers use SIGTHR and higher signals for 2207 * communication between different kernel threads of the same 2208 * process, so that they expect that it's always possible to 2209 * deliver them, even for suid applications where cr_cansignal() can 2210 * deny such ability for security consideration. It should be 2211 * pretty safe to do since the only way to create two processes 2212 * with the same p_leader is via rfork(2). 2213 */ 2214 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 2215 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 2216 return (0); 2217 2218 return (cr_cansignal(td->td_ucred, p, signum)); 2219 } 2220 2221 /*- 2222 * Determine whether td may reschedule p. 2223 * Returns: 0 for permitted, an errno value otherwise 2224 * Locks: Sufficient locks to protect various components of td and p 2225 * must be held. td must be curthread, and a lock must 2226 * be held for p. 2227 * References: td and p must be valid for the lifetime of the call 2228 */ 2229 int 2230 p_cansched(struct thread *td, struct proc *p) 2231 { 2232 int error; 2233 2234 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2235 PROC_LOCK_ASSERT(p, MA_OWNED); 2236 if (td->td_proc == p) 2237 return (0); 2238 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2239 return (error); 2240 #ifdef MAC 2241 if ((error = mac_proc_check_sched(td->td_ucred, p))) 2242 return (error); 2243 #endif 2244 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2245 return (error); 2246 2247 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 2248 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 2249 error = priv_check(td, PRIV_SCHED_DIFFCRED); 2250 if (error) 2251 return (error); 2252 } 2253 2254 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2255 PRIV_SCHED_DIFFJAIL); 2256 if (error) 2257 return (error); 2258 2259 return (0); 2260 } 2261 2262 /* 2263 * Handle getting or setting the prison's unprivileged_proc_debug 2264 * value. 2265 */ 2266 static int 2267 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 2268 { 2269 int error, val; 2270 2271 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 2272 error = sysctl_handle_int(oidp, &val, 0, req); 2273 if (error != 0 || req->newptr == NULL) 2274 return (error); 2275 if (val != 0 && val != 1) 2276 return (EINVAL); 2277 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 2278 return (0); 2279 } 2280 2281 /* 2282 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 2283 * unprivileged inter-process debugging services, including some procfs 2284 * functionality, ptrace(), and ktrace(). In the past, inter-process 2285 * debugging has been involved in a variety of security problems, and sites 2286 * not requiring the service might choose to disable it when hardening 2287 * systems. 2288 */ 2289 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 2290 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 2291 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 2292 "Unprivileged processes may use process debugging facilities"); 2293 2294 /* 2295 * Return true if the object owner/group ids are subset of the active 2296 * credentials. 2297 */ 2298 bool 2299 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred) 2300 { 2301 int i; 2302 bool grpsubset, uidsubset; 2303 2304 /* 2305 * Is p's group set a subset of td's effective group set? This 2306 * includes p's egid, group access list, rgid, and svgid. 2307 */ 2308 grpsubset = true; 2309 for (i = 0; i < obj_cred->cr_ngroups; i++) { 2310 if (!groupmember(obj_cred->cr_groups[i], active_cred)) { 2311 grpsubset = false; 2312 break; 2313 } 2314 } 2315 grpsubset = grpsubset && 2316 groupmember(obj_cred->cr_gid, active_cred) && 2317 groupmember(obj_cred->cr_rgid, active_cred) && 2318 groupmember(obj_cred->cr_svgid, active_cred); 2319 2320 /* 2321 * Are the uids present in obj_cred's credential equal to 2322 * active_cred's effective uid? This includes obj_cred's 2323 * euid, svuid, and ruid. 2324 */ 2325 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid && 2326 active_cred->cr_uid == obj_cred->cr_svuid && 2327 active_cred->cr_uid == obj_cred->cr_ruid); 2328 2329 return (uidsubset && grpsubset); 2330 } 2331 2332 /*- 2333 * Determine whether td may debug p. 2334 * Returns: 0 for permitted, an errno value otherwise 2335 * Locks: Sufficient locks to protect various components of td and p 2336 * must be held. td must be curthread, and a lock must 2337 * be held for p. 2338 * References: td and p must be valid for the lifetime of the call 2339 */ 2340 int 2341 p_candebug(struct thread *td, struct proc *p) 2342 { 2343 int error; 2344 2345 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2346 PROC_LOCK_ASSERT(p, MA_OWNED); 2347 if (td->td_proc == p) 2348 return (0); 2349 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 2350 return (error); 2351 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2352 return (error); 2353 #ifdef MAC 2354 if ((error = mac_proc_check_debug(td->td_ucred, p))) 2355 return (error); 2356 #endif 2357 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2358 return (error); 2359 2360 /* 2361 * If p's gids aren't a subset, or the uids aren't a subset, 2362 * or the credential has changed, require appropriate privilege 2363 * for td to debug p. 2364 */ 2365 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) { 2366 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 2367 if (error) 2368 return (error); 2369 } 2370 2371 /* 2372 * Has the credential of the process changed since the last exec()? 2373 */ 2374 if ((p->p_flag & P_SUGID) != 0) { 2375 error = priv_check(td, PRIV_DEBUG_SUGID); 2376 if (error) 2377 return (error); 2378 } 2379 2380 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2381 PRIV_DEBUG_DIFFJAIL); 2382 if (error) 2383 return (error); 2384 2385 /* Can't trace init when securelevel > 0. */ 2386 if (p == initproc) { 2387 error = securelevel_gt(td->td_ucred, 0); 2388 if (error) 2389 return (error); 2390 } 2391 2392 /* 2393 * Can't trace a process that's currently exec'ing. 2394 * 2395 * XXX: Note, this is not a security policy decision, it's a 2396 * basic correctness/functionality decision. Therefore, this check 2397 * should be moved to the caller's of p_candebug(). 2398 */ 2399 if ((p->p_flag & P_INEXEC) != 0) 2400 return (EBUSY); 2401 2402 /* Denied explicitly */ 2403 if ((p->p_flag2 & P2_NOTRACE) != 0) { 2404 error = priv_check(td, PRIV_DEBUG_DENIED); 2405 if (error != 0) 2406 return (error); 2407 } 2408 2409 return (0); 2410 } 2411 2412 /*- 2413 * Determine whether the subject represented by cred can "see" a socket. 2414 * Returns: 0 for permitted, ENOENT otherwise. 2415 */ 2416 int 2417 cr_canseesocket(struct ucred *cred, struct socket *so) 2418 { 2419 int error; 2420 2421 error = prison_check(cred, so->so_cred); 2422 if (error) 2423 return (ENOENT); 2424 #ifdef MAC 2425 error = mac_socket_check_visible(cred, so); 2426 if (error) 2427 return (error); 2428 #endif 2429 if (cr_bsd_visible(cred, so->so_cred)) 2430 return (ENOENT); 2431 2432 return (0); 2433 } 2434 2435 /*- 2436 * Determine whether td can wait for the exit of p. 2437 * Returns: 0 for permitted, an errno value otherwise 2438 * Locks: Sufficient locks to protect various components of td and p 2439 * must be held. td must be curthread, and a lock must 2440 * be held for p. 2441 * References: td and p must be valid for the lifetime of the call 2442 2443 */ 2444 int 2445 p_canwait(struct thread *td, struct proc *p) 2446 { 2447 int error; 2448 2449 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2450 PROC_LOCK_ASSERT(p, MA_OWNED); 2451 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2452 return (error); 2453 #ifdef MAC 2454 if ((error = mac_proc_check_wait(td->td_ucred, p))) 2455 return (error); 2456 #endif 2457 #if 0 2458 /* XXXMAC: This could have odd effects on some shells. */ 2459 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2460 return (error); 2461 #endif 2462 2463 return (0); 2464 } 2465 2466 /* 2467 * Credential management. 2468 * 2469 * struct ucred objects are rarely allocated but gain and lose references all 2470 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 2471 * a significant source of cache-line ping ponging. Common cases are worked 2472 * around by modifying thread-local counter instead if the cred to operate on 2473 * matches td_realucred. 2474 * 2475 * The counter is split into 2 parts: 2476 * - cr_users -- total count of all struct proc and struct thread objects 2477 * which have given cred in p_ucred and td_ucred respectively 2478 * - cr_ref -- the actual ref count, only valid if cr_users == 0 2479 * 2480 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 2481 * the count reaches 0 the object is freeable. 2482 * If users > 0 and curthread->td_realucred == cred, then updates are performed 2483 * against td_ucredref. 2484 * In other cases updates are performed against cr_ref. 2485 * 2486 * Changing td_realucred into something else decrements cr_users and transfers 2487 * accumulated updates. 2488 */ 2489 struct ucred * 2490 crcowget(struct ucred *cr) 2491 { 2492 2493 mtx_lock(&cr->cr_mtx); 2494 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2495 __func__, cr->cr_users, cr)); 2496 cr->cr_users++; 2497 cr->cr_ref++; 2498 mtx_unlock(&cr->cr_mtx); 2499 return (cr); 2500 } 2501 2502 static struct ucred * 2503 crunuse(struct thread *td) 2504 { 2505 struct ucred *cr, *crold; 2506 2507 MPASS(td->td_realucred == td->td_ucred); 2508 cr = td->td_realucred; 2509 mtx_lock(&cr->cr_mtx); 2510 cr->cr_ref += td->td_ucredref; 2511 td->td_ucredref = 0; 2512 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2513 __func__, cr->cr_users, cr)); 2514 cr->cr_users--; 2515 if (cr->cr_users == 0) { 2516 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2517 __func__, cr->cr_ref, cr)); 2518 crold = cr; 2519 } else { 2520 cr->cr_ref--; 2521 crold = NULL; 2522 } 2523 mtx_unlock(&cr->cr_mtx); 2524 td->td_realucred = NULL; 2525 return (crold); 2526 } 2527 2528 static void 2529 crunusebatch(struct ucred *cr, u_int users, long ref) 2530 { 2531 2532 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2533 __func__, users, cr)); 2534 mtx_lock(&cr->cr_mtx); 2535 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2536 __func__, cr->cr_users, users, cr)); 2537 cr->cr_users -= users; 2538 cr->cr_ref += ref; 2539 cr->cr_ref -= users; 2540 if (cr->cr_users > 0) { 2541 mtx_unlock(&cr->cr_mtx); 2542 return; 2543 } 2544 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2545 __func__, cr->cr_ref, cr)); 2546 if (cr->cr_ref > 0) { 2547 mtx_unlock(&cr->cr_mtx); 2548 return; 2549 } 2550 crfree_final(cr); 2551 } 2552 2553 void 2554 crcowfree(struct thread *td) 2555 { 2556 struct ucred *cr; 2557 2558 cr = crunuse(td); 2559 if (cr != NULL) 2560 crfree(cr); 2561 } 2562 2563 struct ucred * 2564 crcowsync(void) 2565 { 2566 struct thread *td; 2567 struct proc *p; 2568 struct ucred *crnew, *crold; 2569 2570 td = curthread; 2571 p = td->td_proc; 2572 PROC_LOCK_ASSERT(p, MA_OWNED); 2573 2574 MPASS(td->td_realucred == td->td_ucred); 2575 if (td->td_realucred == p->p_ucred) 2576 return (NULL); 2577 2578 crnew = crcowget(p->p_ucred); 2579 crold = crunuse(td); 2580 td->td_realucred = crnew; 2581 td->td_ucred = td->td_realucred; 2582 return (crold); 2583 } 2584 2585 /* 2586 * Batching. 2587 */ 2588 void 2589 credbatch_add(struct credbatch *crb, struct thread *td) 2590 { 2591 struct ucred *cr; 2592 2593 MPASS(td->td_realucred != NULL); 2594 MPASS(td->td_realucred == td->td_ucred); 2595 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2596 cr = td->td_realucred; 2597 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2598 __func__, cr->cr_users, cr)); 2599 if (crb->cred != cr) { 2600 if (crb->users > 0) { 2601 MPASS(crb->cred != NULL); 2602 crunusebatch(crb->cred, crb->users, crb->ref); 2603 crb->users = 0; 2604 crb->ref = 0; 2605 } 2606 } 2607 crb->cred = cr; 2608 crb->users++; 2609 crb->ref += td->td_ucredref; 2610 td->td_ucredref = 0; 2611 td->td_realucred = NULL; 2612 } 2613 2614 void 2615 credbatch_final(struct credbatch *crb) 2616 { 2617 2618 MPASS(crb->cred != NULL); 2619 MPASS(crb->users > 0); 2620 crunusebatch(crb->cred, crb->users, crb->ref); 2621 } 2622 2623 /* 2624 * Allocate a zeroed cred structure. 2625 */ 2626 struct ucred * 2627 crget(void) 2628 { 2629 struct ucred *cr; 2630 2631 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2632 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2633 cr->cr_ref = 1; 2634 #ifdef AUDIT 2635 audit_cred_init(cr); 2636 #endif 2637 #ifdef MAC 2638 mac_cred_init(cr); 2639 #endif 2640 cr->cr_groups = cr->cr_smallgroups; 2641 cr->cr_agroups = nitems(cr->cr_smallgroups); 2642 return (cr); 2643 } 2644 2645 /* 2646 * Claim another reference to a ucred structure. 2647 */ 2648 struct ucred * 2649 crhold(struct ucred *cr) 2650 { 2651 struct thread *td; 2652 2653 td = curthread; 2654 if (__predict_true(td->td_realucred == cr)) { 2655 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2656 __func__, cr->cr_users, cr)); 2657 td->td_ucredref++; 2658 return (cr); 2659 } 2660 mtx_lock(&cr->cr_mtx); 2661 cr->cr_ref++; 2662 mtx_unlock(&cr->cr_mtx); 2663 return (cr); 2664 } 2665 2666 /* 2667 * Free a cred structure. Throws away space when ref count gets to 0. 2668 */ 2669 void 2670 crfree(struct ucred *cr) 2671 { 2672 struct thread *td; 2673 2674 td = curthread; 2675 if (__predict_true(td->td_realucred == cr)) { 2676 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2677 __func__, cr->cr_users, cr)); 2678 td->td_ucredref--; 2679 return; 2680 } 2681 mtx_lock(&cr->cr_mtx); 2682 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2683 __func__, cr->cr_users, cr)); 2684 cr->cr_ref--; 2685 if (cr->cr_users > 0) { 2686 mtx_unlock(&cr->cr_mtx); 2687 return; 2688 } 2689 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2690 __func__, cr->cr_ref, cr)); 2691 if (cr->cr_ref > 0) { 2692 mtx_unlock(&cr->cr_mtx); 2693 return; 2694 } 2695 crfree_final(cr); 2696 } 2697 2698 static void 2699 crfree_final(struct ucred *cr) 2700 { 2701 2702 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2703 __func__, cr->cr_users, cr)); 2704 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2705 __func__, cr->cr_ref, cr)); 2706 2707 /* 2708 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2709 * credential, but don't allocate a uidinfo structure. 2710 */ 2711 if (cr->cr_uidinfo != NULL) 2712 uifree(cr->cr_uidinfo); 2713 if (cr->cr_ruidinfo != NULL) 2714 uifree(cr->cr_ruidinfo); 2715 if (cr->cr_prison != NULL) 2716 prison_free(cr->cr_prison); 2717 if (cr->cr_loginclass != NULL) 2718 loginclass_free(cr->cr_loginclass); 2719 #ifdef AUDIT 2720 audit_cred_destroy(cr); 2721 #endif 2722 #ifdef MAC 2723 mac_cred_destroy(cr); 2724 #endif 2725 mtx_destroy(&cr->cr_mtx); 2726 if (cr->cr_groups != cr->cr_smallgroups) 2727 free(cr->cr_groups, M_CRED); 2728 free(cr, M_CRED); 2729 } 2730 2731 /* 2732 * Copy a ucred's contents from a template. Does not block. 2733 */ 2734 void 2735 crcopy(struct ucred *dest, struct ucred *src) 2736 { 2737 2738 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2739 (unsigned)((caddr_t)&src->cr_endcopy - 2740 (caddr_t)&src->cr_startcopy)); 2741 dest->cr_flags = src->cr_flags; 2742 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2743 uihold(dest->cr_uidinfo); 2744 uihold(dest->cr_ruidinfo); 2745 prison_hold(dest->cr_prison); 2746 loginclass_hold(dest->cr_loginclass); 2747 #ifdef AUDIT 2748 audit_cred_copy(src, dest); 2749 #endif 2750 #ifdef MAC 2751 mac_cred_copy(src, dest); 2752 #endif 2753 } 2754 2755 /* 2756 * Dup cred struct to a new held one. 2757 */ 2758 struct ucred * 2759 crdup(struct ucred *cr) 2760 { 2761 struct ucred *newcr; 2762 2763 newcr = crget(); 2764 crcopy(newcr, cr); 2765 return (newcr); 2766 } 2767 2768 /* 2769 * Fill in a struct xucred based on a struct ucred. 2770 */ 2771 void 2772 cru2x(struct ucred *cr, struct xucred *xcr) 2773 { 2774 int ngroups; 2775 2776 bzero(xcr, sizeof(*xcr)); 2777 xcr->cr_version = XUCRED_VERSION; 2778 xcr->cr_uid = cr->cr_uid; 2779 xcr->cr_gid = cr->cr_gid; 2780 2781 /* 2782 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so 2783 * this is kind of ugly; cr_ngroups still includes the egid for our 2784 * purposes to avoid bumping the xucred version. 2785 */ 2786 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups)); 2787 xcr->cr_ngroups = ngroups; 2788 bcopy(cr->cr_groups, xcr->cr_sgroups, 2789 (ngroups - 1) * sizeof(*cr->cr_groups)); 2790 } 2791 2792 void 2793 cru2xt(struct thread *td, struct xucred *xcr) 2794 { 2795 2796 cru2x(td->td_ucred, xcr); 2797 xcr->cr_pid = td->td_proc->p_pid; 2798 } 2799 2800 /* 2801 * Change process credentials. 2802 * 2803 * Callers are responsible for providing the reference for passed credentials 2804 * and for freeing old ones. Calls chgproccnt() to correctly account the 2805 * current process to the proper real UID, if the latter has changed. Returns 2806 * whether the operation was successful. Failure can happen only on 2807 * 'enforce_proc_lim' being true and if no new process can be accounted to the 2808 * new real UID because of the current limit (see the inner comment for more 2809 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override 2810 * that. In this case, the reference to 'newcred' is not taken over. 2811 */ 2812 static bool 2813 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim) 2814 { 2815 struct ucred *const oldcred = p->p_ucred; 2816 2817 MPASS(oldcred != NULL); 2818 PROC_LOCK_ASSERT(p, MA_OWNED); 2819 2820 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) { 2821 /* 2822 * XXXOC: This check is flawed but nonetheless the best we can 2823 * currently do as we don't really track limits per UID contrary 2824 * to what we pretend in setrlimit(2). Until this is reworked, 2825 * we just check here that the number of processes for our new 2826 * real UID doesn't exceed this process' process number limit 2827 * (which is meant to be associated with the current real UID). 2828 */ 2829 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1, 2830 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0); 2831 2832 if (!proccnt_changed) { 2833 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0) 2834 return (false); 2835 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2836 } 2837 } 2838 2839 mtx_lock(&oldcred->cr_mtx); 2840 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2841 __func__, oldcred->cr_users, oldcred)); 2842 oldcred->cr_users--; 2843 mtx_unlock(&oldcred->cr_mtx); 2844 mtx_lock(&newcred->cr_mtx); 2845 newcred->cr_users++; 2846 mtx_unlock(&newcred->cr_mtx); 2847 p->p_ucred = newcred; 2848 PROC_UPDATE_COW(p); 2849 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) 2850 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0); 2851 return (true); 2852 } 2853 2854 void 2855 proc_set_cred(struct proc *p, struct ucred *newcred) 2856 { 2857 bool success __diagused = _proc_set_cred(p, newcred, false); 2858 2859 MPASS(success); 2860 } 2861 2862 bool 2863 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred) 2864 { 2865 return (_proc_set_cred(p, newcred, true)); 2866 } 2867 2868 void 2869 proc_unset_cred(struct proc *p, bool decrement_proc_count) 2870 { 2871 struct ucred *cr; 2872 2873 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2874 cr = p->p_ucred; 2875 p->p_ucred = NULL; 2876 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2877 __func__, cr->cr_users, cr)); 2878 mtx_lock(&cr->cr_mtx); 2879 cr->cr_users--; 2880 if (cr->cr_users == 0) 2881 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2882 __func__, cr->cr_ref, cr)); 2883 mtx_unlock(&cr->cr_mtx); 2884 if (decrement_proc_count) 2885 (void)chgproccnt(cr->cr_ruidinfo, -1, 0); 2886 crfree(cr); 2887 } 2888 2889 struct ucred * 2890 crcopysafe(struct proc *p, struct ucred *cr) 2891 { 2892 struct ucred *oldcred; 2893 int groups; 2894 2895 PROC_LOCK_ASSERT(p, MA_OWNED); 2896 2897 oldcred = p->p_ucred; 2898 while (cr->cr_agroups < oldcred->cr_ngroups) { 2899 groups = oldcred->cr_ngroups; 2900 PROC_UNLOCK(p); 2901 crextend(cr, groups); 2902 PROC_LOCK(p); 2903 oldcred = p->p_ucred; 2904 } 2905 crcopy(cr, oldcred); 2906 2907 return (oldcred); 2908 } 2909 2910 /* 2911 * Extend the passed-in credentials to hold n groups. 2912 * 2913 * Must not be called after groups have been set. 2914 */ 2915 void 2916 crextend(struct ucred *cr, int n) 2917 { 2918 size_t nbytes; 2919 2920 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2921 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0, 2922 "groups on 'cr' already set!"); 2923 groups_check_positive_len(n); 2924 groups_check_max_len(n); 2925 2926 if (n <= cr->cr_agroups) 2927 return; 2928 2929 nbytes = n * sizeof(gid_t); 2930 if (nbytes < n) 2931 panic("Too many groups (memory size overflow)! " 2932 "Computation of 'kern.ngroups' should have prevented this, " 2933 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2934 2935 /* 2936 * We allocate a power of 2 larger than 'nbytes', except when that 2937 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2938 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2939 * below) but do not need to for sizeof(gid_t). 2940 */ 2941 if (nbytes < PAGE_SIZE) { 2942 if (!powerof2(nbytes)) 2943 /* fls*() return a bit index starting at 1. */ 2944 nbytes = 1 << flsl(nbytes); 2945 } else 2946 nbytes = roundup2(nbytes, PAGE_SIZE); 2947 2948 /* Free the old array. */ 2949 if (cr->cr_groups != cr->cr_smallgroups) 2950 free(cr->cr_groups, M_CRED); 2951 2952 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2953 cr->cr_agroups = nbytes / sizeof(gid_t); 2954 } 2955 2956 /* 2957 * Normalizes a set of groups to be applied to a 'struct ucred'. 2958 * 2959 * Normalization ensures that the supplementary groups are sorted in ascending 2960 * order and do not contain duplicates. This allows group_is_supplementary() to 2961 * do a binary search. 2962 */ 2963 static void 2964 groups_normalize(int *ngrp, gid_t *groups) 2965 { 2966 gid_t prev_g; 2967 int ins_idx; 2968 2969 groups_check_positive_len(*ngrp); 2970 groups_check_max_len(*ngrp); 2971 2972 if (*ngrp <= 1) 2973 return; 2974 2975 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp); 2976 2977 /* Remove duplicates. */ 2978 prev_g = groups[0]; 2979 ins_idx = 1; 2980 for (int i = ins_idx; i < *ngrp; ++i) { 2981 const gid_t g = groups[i]; 2982 2983 if (g != prev_g) { 2984 if (i != ins_idx) 2985 groups[ins_idx] = g; 2986 ++ins_idx; 2987 prev_g = g; 2988 } 2989 } 2990 *ngrp = ins_idx; 2991 2992 groups_check_normalized(*ngrp, groups); 2993 } 2994 2995 /* 2996 * Internal function copying groups into a credential. 2997 * 2998 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2999 * been normalized in advance (see groups_normalize()), else it must be so 3000 * before the structure is to be used again. 3001 * 3002 * This function is suitable to be used under any lock (it doesn't take any lock 3003 * itself nor sleep, and in particular doesn't allocate memory). crextend() 3004 * must have been called beforehand to ensure sufficient space is available. 3005 * See also crsetgroups(), which handles that. 3006 */ 3007 static void 3008 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 3009 { 3010 3011 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 3012 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 3013 groups_check_positive_len(ngrp); 3014 3015 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 3016 cr->cr_ngroups = ngrp; 3017 cr->cr_flags |= CRED_FLAG_GROUPSET; 3018 } 3019 3020 /* 3021 * Copy groups in to a credential after expanding it if required. 3022 * 3023 * May sleep in order to allocate memory (except if, e.g., crextend() was called 3024 * before with 'ngrp' or greater). Truncates the list to 'ngroups_max' if 3025 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 3026 * positive. 3027 */ 3028 void 3029 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 3030 { 3031 3032 if (ngrp > ngroups_max) 3033 ngrp = ngroups_max; 3034 cr->cr_ngroups = 0; 3035 if (ngrp == 0) { 3036 cr->cr_flags |= CRED_FLAG_GROUPSET; 3037 return; 3038 } 3039 3040 /* 3041 * crextend() asserts that groups are not set, as it may allocate a new 3042 * backing storage without copying the content of the old one. Since we 3043 * are going to install a completely new set anyway, signal that we 3044 * consider the old ones thrown away. 3045 */ 3046 cr->cr_flags &= ~CRED_FLAG_GROUPSET; 3047 3048 crextend(cr, ngrp); 3049 crsetgroups_internal(cr, ngrp, groups); 3050 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 3051 } 3052 3053 /* 3054 * Same as crsetgroups() but sets the effective GID as well. 3055 * 3056 * This function ensures that an effective GID is always present in credentials. 3057 * An empty array will only set the effective GID to 'default_egid', while 3058 * a non-empty array will peel off groups[0] to set as the effective GID and use 3059 * the remainder, if any, as supplementary groups. 3060 */ 3061 void 3062 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups, 3063 const gid_t default_egid) 3064 { 3065 if (ngrp == 0) { 3066 cr->cr_gid = default_egid; 3067 cr->cr_ngroups = 0; 3068 cr->cr_flags |= CRED_FLAG_GROUPSET; 3069 return; 3070 } 3071 3072 crsetgroups(cr, ngrp - 1, groups + 1); 3073 cr->cr_gid = groups[0]; 3074 } 3075 3076 /* 3077 * Get login name, if available. 3078 */ 3079 #ifndef _SYS_SYSPROTO_H_ 3080 struct getlogin_args { 3081 char *namebuf; 3082 u_int namelen; 3083 }; 3084 #endif 3085 /* ARGSUSED */ 3086 int 3087 sys_getlogin(struct thread *td, struct getlogin_args *uap) 3088 { 3089 char login[MAXLOGNAME]; 3090 struct proc *p = td->td_proc; 3091 size_t len; 3092 3093 if (uap->namelen > MAXLOGNAME) 3094 uap->namelen = MAXLOGNAME; 3095 PROC_LOCK(p); 3096 SESS_LOCK(p->p_session); 3097 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 3098 SESS_UNLOCK(p->p_session); 3099 PROC_UNLOCK(p); 3100 if (len > uap->namelen) 3101 return (ERANGE); 3102 return (copyout(login, uap->namebuf, len)); 3103 } 3104 3105 /* 3106 * Set login name. 3107 */ 3108 #ifndef _SYS_SYSPROTO_H_ 3109 struct setlogin_args { 3110 char *namebuf; 3111 }; 3112 #endif 3113 /* ARGSUSED */ 3114 int 3115 sys_setlogin(struct thread *td, struct setlogin_args *uap) 3116 { 3117 struct proc *p = td->td_proc; 3118 int error; 3119 char logintmp[MAXLOGNAME]; 3120 3121 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 3122 3123 error = priv_check(td, PRIV_PROC_SETLOGIN); 3124 if (error) 3125 return (error); 3126 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 3127 if (error != 0) { 3128 if (error == ENAMETOOLONG) 3129 error = EINVAL; 3130 return (error); 3131 } 3132 AUDIT_ARG_LOGIN(logintmp); 3133 PROC_LOCK(p); 3134 SESS_LOCK(p->p_session); 3135 strcpy(p->p_session->s_login, logintmp); 3136 SESS_UNLOCK(p->p_session); 3137 PROC_UNLOCK(p); 3138 return (0); 3139 } 3140 3141 void 3142 setsugid(struct proc *p) 3143 { 3144 3145 PROC_LOCK_ASSERT(p, MA_OWNED); 3146 p->p_flag |= P_SUGID; 3147 } 3148 3149 /*- 3150 * Change a process's effective uid. 3151 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 3152 * References: newcred must be an exclusive credential reference for the 3153 * duration of the call. 3154 */ 3155 void 3156 change_euid(struct ucred *newcred, struct uidinfo *euip) 3157 { 3158 3159 newcred->cr_uid = euip->ui_uid; 3160 uihold(euip); 3161 uifree(newcred->cr_uidinfo); 3162 newcred->cr_uidinfo = euip; 3163 } 3164 3165 /*- 3166 * Change a process's effective gid. 3167 * Side effects: newcred->cr_gid will be modified. 3168 * References: newcred must be an exclusive credential reference for the 3169 * duration of the call. 3170 */ 3171 void 3172 change_egid(struct ucred *newcred, gid_t egid) 3173 { 3174 3175 newcred->cr_gid = egid; 3176 } 3177 3178 /*- 3179 * Change a process's real uid. 3180 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 3181 * will be updated. 3182 * References: newcred must be an exclusive credential reference for the 3183 * duration of the call. 3184 */ 3185 void 3186 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 3187 { 3188 3189 newcred->cr_ruid = ruip->ui_uid; 3190 uihold(ruip); 3191 uifree(newcred->cr_ruidinfo); 3192 newcred->cr_ruidinfo = ruip; 3193 } 3194 3195 /*- 3196 * Change a process's real gid. 3197 * Side effects: newcred->cr_rgid will be updated. 3198 * References: newcred must be an exclusive credential reference for the 3199 * duration of the call. 3200 */ 3201 void 3202 change_rgid(struct ucred *newcred, gid_t rgid) 3203 { 3204 3205 newcred->cr_rgid = rgid; 3206 } 3207 3208 /*- 3209 * Change a process's saved uid. 3210 * Side effects: newcred->cr_svuid will be updated. 3211 * References: newcred must be an exclusive credential reference for the 3212 * duration of the call. 3213 */ 3214 void 3215 change_svuid(struct ucred *newcred, uid_t svuid) 3216 { 3217 3218 newcred->cr_svuid = svuid; 3219 } 3220 3221 /*- 3222 * Change a process's saved gid. 3223 * Side effects: newcred->cr_svgid will be updated. 3224 * References: newcred must be an exclusive credential reference for the 3225 * duration of the call. 3226 */ 3227 void 3228 change_svgid(struct ucred *newcred, gid_t svgid) 3229 { 3230 3231 newcred->cr_svgid = svgid; 3232 } 3233 3234 bool allow_ptrace = true; 3235 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 3236 &allow_ptrace, 0, 3237 "Deny ptrace(2) use by returning ENOSYS"); 3238