1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
 * $FreeBSD$
 */

/*
 * System calls related to processes and protection: pid/pgrp/session
 * queries, credential (uid/gid) queries and changes, and the privilege
 * helpers (suser_cred, securelevel_gt/ge, cr_cansee) defined at the
 * bottom of this file.
 */

#include "opt_compat.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/acct.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sx.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/jail.h>
#include <sys/pioctl.h>
#include <sys/resourcevar.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

static MALLOC_DEFINE(M_CRED, "cred", "credentials");

SYSCTL_DECL(_security);
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
    "BSD security policy");

#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
	int	dummy;
};
#endif
/*
 * getpid(2): return the caller's process id in td_retval[0].
 *
 * Under COMPAT_43/COMPAT_SUNOS the parent's pid is additionally placed in
 * td_retval[1].  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getpid(struct thread *td, struct getpid_args *uap)
{
	struct proc *self = td->td_proc;
	int giant_state;

	giant_state = mtx_lock_giant(kern_giant_proc);
	td->td_retval[0] = self->p_pid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	/* Second return register carries the parent pid for the old ABIs. */
	PROC_LOCK(self);
	td->td_retval[1] = self->p_pptr->p_pid;
	PROC_UNLOCK(self);
#endif
	mtx_unlock_giant(giant_state);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getppid_args {
	int	dummy;
};
#endif
/*
 * getppid(2): return the parent's pid in td_retval[0].  The parent pointer
 * is read with the caller's process locked.  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getppid(struct thread *td, struct getppid_args *uap)
{
	struct proc *self = td->td_proc;
	int giant_state;

	giant_state = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(self);
	td->td_retval[0] = self->p_pptr->p_pid;
	PROC_UNLOCK(self);
	mtx_unlock_giant(giant_state);
	return (0);
}

/*
 * getpgrp(2): return the caller's process group id.  Note that POSIX
 * getpgrp takes no parameter; use getpgid(2) to query another process.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgrp_args {
	int	dummy;
};
#endif
/*
 * MPSAFE
 */
int
getpgrp(struct thread *td, struct getpgrp_args *uap)
{
	struct proc *self = td->td_proc;
	int giant_state;

	giant_state = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(self);
	td->td_retval[0] = self->p_pgrp->pg_id;
	PROC_UNLOCK(self);
	mtx_unlock_giant(giant_state);
	return (0);
}

/*
 * getpgid(2): return the process group id of an arbitrary pid.
 *
 * pid 0 means the caller.  For any other pid the target must exist
 * (ESRCH) and be visible to the caller under p_cansee(); the visibility
 * check keeps getpgid() from being used to probe processes the caller is
 * not allowed to see.  pfind() returns the target locked; it is unlocked
 * here on every path.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgid_args {
	pid_t	pid;
};
#endif
/*
 * MPSAFE
 */
int
getpgid(struct thread *td, struct getpgid_args *uap)
{
	struct proc *self = td->td_proc;
	struct proc *target;
	int error;

	mtx_lock(&Giant);
	if (uap->pid == 0) {
		PROC_LOCK(self);
		td->td_retval[0] = self->p_pgrp->pg_id;
		PROC_UNLOCK(self);
		error = 0;
	} else {
		target = pfind(uap->pid);
		if (target == NULL) {
			error = ESRCH;
		} else {
			error = p_cansee(td, target);
			if (error == 0)
				td->td_retval[0] = target->p_pgrp->pg_id;
			PROC_UNLOCK(target);
		}
	}
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Get an arbitrary pid's session id.
*/
#ifndef _SYS_SYSPROTO_H_
struct getsid_args {
	pid_t	pid;
};
#endif
/*
 * getsid(2): return the session id of pid (0 means the caller).
 *
 * Same access rules as getpgid(): the target must exist (ESRCH) and pass
 * p_cansee(), so session ids of processes hidden from the caller are not
 * disclosed.  pfind() returns the target locked; it is unlocked on every
 * path.
 *
 * MPSAFE
 */
int
getsid(struct thread *td, struct getsid_args *uap)
{
	struct proc *self = td->td_proc;
	struct proc *target;
	int error;

	mtx_lock(&Giant);
	if (uap->pid == 0) {
		PROC_LOCK(self);
		td->td_retval[0] = self->p_session->s_sid;
		PROC_UNLOCK(self);
		error = 0;
	} else {
		target = pfind(uap->pid);
		if (target == NULL) {
			error = ESRCH;
		} else {
			error = p_cansee(td, target);
			if (error == 0)
				td->td_retval[0] = target->p_session->s_sid;
			PROC_UNLOCK(target);
		}
	}
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct getuid_args {
	int	dummy;
};
#endif
/*
 * getuid(2): return the real uid.  Under COMPAT_43/COMPAT_SUNOS the
 * effective uid is also placed in td_retval[1].  Reads the thread's own
 * credential snapshot, so no locking is needed.  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getuid(struct thread *td, struct getuid_args *uap)
{
	struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_ruid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = cred->cr_uid;
#endif
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct geteuid_args {
	int	dummy;
};
#endif
/*
 * geteuid(2): return the effective uid (cr_uid).  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
geteuid(struct thread *td, struct geteuid_args *uap)
{
	struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_uid;
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgid_args {
	int	dummy;
};
#endif
/*
 * getgid(2): return the real gid.  Under COMPAT_43/COMPAT_SUNOS the
 * effective gid (cr_groups[0]) is also placed in td_retval[1].
 * Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getgid(struct thread *td, struct getgid_args *uap)
{
	struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_rgid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = cred->cr_groups[0];
#endif
	return (0);
}

/*
 * Get effective group ID.  The "egid" is groups[0], and could be obtained
 * via getgroups.  This syscall exists because it is somewhat painful to do
 * correctly in a library function.
*/
#ifndef _SYS_SYSPROTO_H_
struct getegid_args {
	int	dummy;
};
#endif
/*
 * getegid(2): return the effective gid, which this kernel keeps in
 * cr_groups[0].  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getegid(struct thread *td, struct getegid_args *uap)
{
	struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_groups[0];
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * getgroups(2): copy the caller's group vector to user space.
 *
 * gidsetsize == 0 is a size query: the group count is returned without
 * touching gidset.  A buffer smaller than the group count is rejected
 * with EINVAL rather than truncated.  The copyout length is derived from
 * cr_ngroups, never from the user-supplied size, so a caller cannot read
 * past the end of cr_groups by passing an oversized gidsetsize.
 * Returns the copyout error, if any; on success td_retval[0] holds the
 * number of gids written.
 *
 * MPSAFE
 */
int
getgroups(struct thread *td, register struct getgroups_args *uap)
{
	struct ucred *cred = td->td_ucred;
	u_int requested = uap->gidsetsize;
	u_int have;
	int error;

	if (requested == 0) {
		td->td_retval[0] = cred->cr_ngroups;
		return (0);
	}
	if (requested < cred->cr_ngroups)
		return (EINVAL);
	have = cred->cr_ngroups;
	error = copyout(cred->cr_groups, uap->gidset, have * sizeof(gid_t));
	if (error == 0)
		td->td_retval[0] = have;
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setsid_args {
	int	dummy;
};
#endif
/*
 * setsid(2): make the caller the leader of a new session and process
 * group, both identified by its pid.
 *
 * Fails with EPERM if the caller already leads a process group (p_pgid
 * == p_pid) or if a process group with the caller's pid already exists.
 * The new pgrp and session are allocated before taking proctree_lock
 * (M_WAITOK must not be used under it) and freed again if they end up
 * unused; on success ownership passes to enterpgrp() and the pointers
 * are cleared so the cleanup below skips them.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setsid(register struct thread *td, struct setsid_args *uap)
{
	struct proc *p = td->td_proc;
	struct pgrp *existing;
	struct pgrp *newpgrp;
	struct session *newsess;
	int error;

	MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP,
	    M_WAITOK | M_ZERO);
	MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION,
	    M_WAITOK | M_ZERO);

	sx_xlock(&proctree_lock);
	if (p->p_pgid == p->p_pid) {
		/* Already a process group leader. */
		error = EPERM;
	} else if ((existing = pgfind(p->p_pid)) != NULL) {
		/* Some other pgrp already carries our pid; pgfind() locked it. */
		PGRP_UNLOCK(existing);
		error = EPERM;
	} else {
		(void)enterpgrp(p, p->p_pid, newpgrp, newsess);
		td->td_retval[0] = p->p_pid;
		/* Ownership transferred; do not free below. */
		newpgrp = NULL;
		newsess = NULL;
		error = 0;
	}
	sx_xunlock(&proctree_lock);

	if (newpgrp != NULL)
		FREE(newpgrp, M_PGRP);
	if (newsess != NULL)
		FREE(newsess, M_SESSION);

	return (error);
}

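/*
 * set process group (setpgid/old setpgrp)
 *
 * caller does setpgid(targpid, targpgid)
 *
 * pid must be caller or child of caller (ESRCH)
 *   if a child
 *     pid must be in same session (EPERM)
 *     pid can't have done an exec (EACCES)
 * if pgid != pid
 *   there must exist some pid in same session having pgid (EPERM)
 * pid must not be session leader (EPERM)
 *
 * A negative pgid is rejected with EINVAL up front.  The target is found
 * with pfind() (which returns it locked) while proctree_lock is held
 * exclusively; all the checks on the target and the final enterpgrp()/
 * enterthispgrp() happen under that lock.  The replacement pgrp is
 * allocated with M_WAITOK before the lock is taken and freed if unused.
 */
#ifndef _SYS_SYSPROTO_H_
struct setpgid_args {
	int	pid;		/* target process id */
	int	pgid;		/* target pgrp id */
};
#endif
/*
 * MPSAFE
 */
/* ARGSUSED */
int
setpgid(struct thread *td, register struct setpgid_args *uap)
{
	struct proc *curp = td->td_proc;
	register struct proc *targp;	/* target process */
	register struct pgrp *pgrp;	/* target pgrp */
	int error;
	struct pgrp *newpgrp;

	if (uap->pgid < 0)
		return (EINVAL);

	error = 0;

	MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);

	sx_xlock(&proctree_lock);
	if (uap->pid != 0 && uap->pid != curp->p_pid) {
		/*
		 * pfind() returns NULL without a lock held, so there is
		 * nothing to unlock on this path.
		 */
		if ((targp = pfind(uap->pid)) == NULL) {
			error = ESRCH;
			goto done;
		}
		/* Only the caller's descendants may be moved. */
		if (!inferior(targp)) {
			PROC_UNLOCK(targp);
			error = ESRCH;
			goto done;
		}
		/* td is expected to be curthread here (see p_cansee). */
		if ((error = p_cansee(curthread, targp))) {
			PROC_UNLOCK(targp);
			goto done;
		}
		if (targp->p_pgrp == NULL ||
		    targp->p_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto done;
		}
		/* A child that has already exec'd can no longer be moved. */
		if (targp->p_flag & P_EXEC) {
			PROC_UNLOCK(targp);
			error = EACCES;
			goto done;
		}
		PROC_UNLOCK(targp);
	} else
		targp = curp;
	if (SESS_LEADER(targp)) {
		error = EPERM;
		goto done;
	}
	if (uap->pgid == 0)
		uap->pgid = targp->p_pid;
	if (uap->pgid == targp->p_pid) {
		/* Becoming leader of its own new group; no-op if already so. */
		if (targp->p_pgid == uap->pgid)
			goto done;
		error = enterpgrp(targp, uap->pgid, newpgrp, NULL);
		if (error == 0)
			newpgrp = NULL;	/* consumed by enterpgrp() */
	} else {
		/* Joining an existing group, which must be in our session. */
		if ((pgrp = pgfind(uap->pgid)) == NULL ||
		    pgrp->pg_session != curp->p_session) {
			if (pgrp != NULL)
				PGRP_UNLOCK(pgrp);
			error = EPERM;
			goto done;
		}
		if (pgrp == targp->p_pgrp) {
			PGRP_UNLOCK(pgrp);
			goto done;
		}
		PGRP_UNLOCK(pgrp);
		error = enterthispgrp(targp, pgrp);
	}
done:
	sx_xunlock(&proctree_lock);
	KASSERT((error == 0) || (newpgrp != NULL),
	    ("setpgid failed and newpgrp is NULL"));
	if (newpgrp != NULL)
		FREE(newpgrp, M_PGRP);
	return (error);
}

/*
 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
 * compatible.  It says that setting the uid/gid to euid/egid is a special
 * case of "appropriate privilege".  Once the rules are expanded out, this
 * basically means that setuid(nnn) sets all three id's, in all permitted
 * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
 * does not set the saved id - this is dangerous for traditional BSD
 * programs.  For this reason, we *really* do not want to set
 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
 */
#define POSIX_APPENDIX_B_4_2_2

#ifndef _SYS_SYSPROTO_H_
struct setuid_args {
	uid_t	uid;
};
#endif
/*
 * setuid(2): set the caller's real, effective and saved uids to uid.
 *
 * Permitted without privilege only when uid is already one of the
 * caller's uids (real, saved under _POSIX_SAVED_IDS, effective under
 * POSIX_APPENDIX_B_4_2_2); otherwise suser_cred(PRISON_ROOT) must
 * succeed, so jailed root may change uids too.  Returns EPERM from
 * suser_cred() on failure.
 *
 * The credential is never modified in place: a copy is built with
 * crcopy(), updated, and swapped into p->p_ucred under PROC_LOCK, so
 * other holders of the old credential keep seeing the old ids.  Every
 * actual id change calls setsugid(p), which is what issetugid(2) later
 * reports.
 *
 * NOTE(review): uifind(uid) runs before the privilege check, so an
 * unprivileged caller can make the kernel look up (and possibly
 * allocate) a uidinfo for an arbitrary uid; the reference is dropped
 * with uifree() on the EPERM path, so nothing leaks -- confirm the cost
 * is acceptable if uifind() allocates.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setuid(struct thread *td, struct setuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t uid;
	struct uidinfo *uip;
	int error;

	mtx_lock(&Giant);
	uid = uap->uid;
	newcred = crget();
	uip = uifind(uid);
	PROC_LOCK(p);
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setuid(geteuid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setuid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * Notes on the logic.  We do things in three steps.
	 * 1: We determine if the euid is going to change, and do EPERM
	 *    right away.  We unconditionally change the euid later if this
	 *    test is satisfied, simplifying that part of the logic.
	 * 2: We determine if the real and/or saved uids are going to
	 *    change.  Determined by compile options.
	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
	 */
	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
#ifdef _POSIX_SAVED_IDS
	    uid != oldcred->cr_svuid &&		/* allow setuid(saved uid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
#endif
	    (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		uifree(uip);
		crfree(newcred);
		mtx_unlock(&Giant);
		return (error);
	}

	/*
	 * Copy credentials so other references do not see our changes.
	 */
	crcopy(newcred, oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or uid == euid)
	 * If so, we are changing the real uid and/or saved uid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
	    uid == oldcred->cr_uid ||
#endif
	    suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set the real uid and transfer proc count to new user.
		 */
		if (uid != oldcred->cr_ruid) {
			change_ruid(newcred, uip);
			setsugid(p);
		}
		/*
		 * Set saved uid
		 *
		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
		 * the security of seteuid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (uid != oldcred->cr_svuid) {
			change_svuid(newcred, uid);
			setsugid(p);
		}
	}

	/*
	 * In all permitted cases, we are changing the euid.
	 */
	if (uid != oldcred->cr_uid) {
		change_euid(newcred, uip);
		setsugid(p);
	}
	p->p_ucred = newcred;
	PROC_UNLOCK(p);
	uifree(uip);
	crfree(oldcred);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct seteuid_args {
	uid_t	euid;
};
#endif
/*
 * seteuid(2): set only the effective uid.
 *
 * Unprivileged callers may switch the effective uid to the real or the
 * saved uid; anything else requires suser_cred(PRISON_ROOT).  This is
 * why setuid() above always records a saved uid -- it is what lets a
 * setuid program drop and later regain privilege safely.  Returns EPERM
 * from suser_cred() on failure.  The credential is copied, not edited
 * in place, and setsugid(p) is called when the euid actually changes.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
seteuid(struct thread *td, struct seteuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid;
	struct uidinfo *euip;
	int error;

	euid = uap->euid;
	mtx_lock(&Giant);
	newcred = crget();
	euip = uifind(euid);
	PROC_LOCK(p);
	oldcred = p->p_ucred;
	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
	    (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		uifree(euip);
		crfree(newcred);
		mtx_unlock(&Giant);
		return (error);
	}
	/*
	 * Everything's okay, do it.  Copy credentials so other references do
	 * not see our changes.
	 */
	crcopy(newcred, oldcred);
	if (oldcred->cr_uid != euid) {
		change_euid(newcred, euip);
		setsugid(p);
	}
	p->p_ucred = newcred;
	PROC_UNLOCK(p);
	uifree(euip);
	crfree(oldcred);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct setgid_args {
	gid_t	gid;
};
#endif
/*
 * setgid(2): set the caller's real, effective and saved gids to gid.
 *
 * Mirror image of setuid(): permitted without privilege when gid is
 * already the real gid (or saved/effective gid under the respective
 * compile options), otherwise suser_cred(PRISON_ROOT) is required.
 * The effective gid lives in cr_groups[0].  Returns EPERM from
 * suser_cred() on failure.  The credential is copied, not edited in
 * place, and setsugid(p) is called for every id that changes.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setgid(struct thread *td, struct setgid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t gid;
	int error;

	gid = uap->gid;
	mtx_lock(&Giant);
	newcred = crget();
	PROC_LOCK(p);
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setgid(getegid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setgid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * For notes on the logic here, see setuid() above.
	 */
	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
#ifdef _POSIX_SAVED_IDS
	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    gid != oldcred->cr_groups[0] &&	/* allow setgid(getegid()) */
#endif
	    (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		crfree(newcred);
		mtx_unlock(&Giant);
		return (error);
	}

	crcopy(newcred, oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or gid == egid)
	 * If so, we are changing the real gid and saved gid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
	    gid == oldcred->cr_groups[0] ||
#endif
	    suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set real gid
		 */
		if (oldcred->cr_rgid != gid) {
			change_rgid(newcred, gid);
			setsugid(p);
		}
		/*
		 * Set saved gid
		 *
		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
		 * the security of setegid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (oldcred->cr_svgid != gid) {
			change_svgid(newcred, gid);
			setsugid(p);
		}
	}
	/*
	 * In all permitted cases, we are changing the egid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (oldcred->cr_groups[0] != gid) {
		change_egid(newcred, gid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	PROC_UNLOCK(p);
	crfree(oldcred);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct setegid_args {
	gid_t	egid;
};
#endif
/*
 * setegid(2): set only the effective gid (cr_groups[0]).
 *
 * Unprivileged callers may switch to the real or saved gid; anything
 * else requires suser_cred(PRISON_ROOT).  Returns EPERM from
 * suser_cred() on failure.  The credential is copied, not edited in
 * place, and setsugid(p) is called when the egid actually changes.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setegid(struct thread *td, struct setegid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid;
	int error;

	egid = uap->egid;
	mtx_lock(&Giant);
	newcred = crget();
	PROC_LOCK(p);
	oldcred = p->p_ucred;
	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
	    (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		crfree(newcred);
		mtx_unlock(&Giant);
		return (error);
	}
	crcopy(newcred, oldcred);
	if (oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	PROC_UNLOCK(p);
	crfree(oldcred);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct setgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * setgroups(2): replace the caller's supplementary group vector.
 *
 * Requires suser_cred(PRISON_ROOT).  gidsetsize is bounded by NGROUPS
 * before anything is copied in, so the copyin into the scratch
 * credential's cr_groups cannot overrun it and ngrp * sizeof(gid_t)
 * cannot overflow.  The user data is staged in a throwaway credential
 * (tempcred) so that a faulting copyin never touches the live one.
 * Returns EINVAL for an oversized vector, the copyin error, or EPERM
 * from suser_cred().
 *
 * Note that the user buffer is read before the privilege check; that
 * is harmless here because the data only lands in tempcred, which is
 * freed on the EPERM path.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setgroups(struct thread *td, struct setgroups_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *tempcred, *oldcred;
	u_int ngrp;
	int error;

	ngrp = uap->gidsetsize;
	if (ngrp > NGROUPS)
		return (EINVAL);
	mtx_lock(&Giant);
	tempcred = crget();
	error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
	if (error != 0) {
		crfree(tempcred);
		mtx_unlock(&Giant);
		return (error);
	}
	newcred = crget();
	PROC_LOCK(p);
	oldcred = p->p_ucred;
	error = suser_cred(oldcred, PRISON_ROOT);
	if (error) {
		PROC_UNLOCK(p);
		crfree(newcred);
		crfree(tempcred);
		mtx_unlock(&Giant);
		return (error);
	}

	/*
	 * XXX A little bit lazy here.  We could test if anything has
	 * changed before crcopy() and setting P_SUGID.
	 */
	crcopy(newcred, oldcred);
	if (ngrp < 1) {
		/*
		 * setgroups(0, NULL) is a legitimate way of clearing the
		 * groups vector on non-BSD systems (which generally do not
		 * have the egid in the groups[0]).  We risk security holes
		 * when running non-BSD software if we do not do the same.
		 *
		 * Keeping cr_ngroups at 1 preserves the egid in groups[0]
		 * while dropping every supplementary group.
		 */
		newcred->cr_ngroups = 1;
	} else {
		bcopy(tempcred->cr_groups, newcred->cr_groups,
		    ngrp * sizeof(gid_t));
		newcred->cr_ngroups = ngrp;
	}
	setsugid(p);
	p->p_ucred = newcred;
	PROC_UNLOCK(p);
	crfree(tempcred);
	crfree(oldcred);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct setreuid_args {
	uid_t	ruid;
	uid_t	euid;
};
#endif
/*
 * setreuid(2): set the real and/or effective uid; (uid_t)-1 leaves an
 * id unchanged.
 *
 * Without privilege the new real uid must be the current real or saved
 * uid, and the new effective uid must be the current effective, real or
 * saved uid; otherwise suser_cred(PRISON_ROOT) is required.  The saved
 * uid is set to the new effective uid whenever the real uid was given or
 * the effective and real uids end up differing -- this is what keeps a
 * setreuid()-based privilege drop from leaving a stale saved uid that
 * seteuid() could climb back to.  Returns EPERM from suser_cred() on
 * failure; every changed id calls setsugid(p).
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setreuid(register struct thread *td, struct setreuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid, ruid;
	struct uidinfo *euip, *ruip;
	int error;

	euid = uap->euid;
	ruid = uap->ruid;
	mtx_lock(&Giant);
	newcred = crget();
	euip = uifind(euid);
	ruip = uifind(ruid);
	PROC_LOCK(p);
	oldcred = p->p_ucred;
	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
	      ruid != oldcred->cr_svuid) ||
	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
	    (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		uifree(ruip);
		uifree(euip);
		crfree(newcred);
		mtx_unlock(&Giant);
		return (error);
	}
	crcopy(newcred, oldcred);
	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
		change_euid(newcred, euip);
		setsugid(p);
	}
	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
		change_ruid(newcred, ruip);
		setsugid(p);
	}
	/* Saved uid follows the new euid; see the header comment. */
	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
	    newcred->cr_svuid != newcred->cr_uid) {
		change_svuid(newcred, newcred->cr_uid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	PROC_UNLOCK(p);
	uifree(ruip);
	uifree(euip);
	crfree(oldcred);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct setregid_args {
	gid_t	rgid;
	gid_t	egid;
};
#endif
/*
 * MPSAFE
 */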
/* ARGSUSED */
/*
 * setregid(2): set the real and/or effective gid; (gid_t)-1 leaves an
 * id unchanged.
 *
 * Without privilege the new real gid must be the current real or saved
 * gid, and the new effective gid must be the current effective
 * (cr_groups[0]), real or saved gid; otherwise suser_cred(PRISON_ROOT)
 * is required.  The saved gid tracks the new effective gid whenever the
 * real gid was supplied or the effective and real gids differ
 * afterwards.  Returns EPERM from suser_cred() on failure; each id that
 * actually changes calls setsugid(p).  The credential is copied, never
 * edited in place.
 */
int
setregid(register struct thread *td, struct setregid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *cr_new, *cr_old;
	gid_t want_egid, want_rgid;
	int error;

	want_egid = uap->egid;
	want_rgid = uap->rgid;
	mtx_lock(&Giant);
	cr_new = crget();
	PROC_LOCK(p);
	cr_old = p->p_ucred;
	if (((want_rgid != (gid_t)-1 && want_rgid != cr_old->cr_rgid &&
	      want_rgid != cr_old->cr_svgid) ||
	     (want_egid != (gid_t)-1 && want_egid != cr_old->cr_groups[0] &&
	      want_egid != cr_old->cr_rgid && want_egid != cr_old->cr_svgid)) &&
	    (error = suser_cred(cr_old, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		crfree(cr_new);
		mtx_unlock(&Giant);
		return (error);
	}

	crcopy(cr_new, cr_old);
	if (want_egid != (gid_t)-1 && cr_old->cr_groups[0] != want_egid) {
		change_egid(cr_new, want_egid);
		setsugid(p);
	}
	if (want_rgid != (gid_t)-1 && cr_old->cr_rgid != want_rgid) {
		change_rgid(cr_new, want_rgid);
		setsugid(p);
	}
	/* Saved gid follows the new egid when the real gid moved or differs. */
	if ((want_rgid != (gid_t)-1 ||
	     cr_new->cr_groups[0] != cr_new->cr_rgid) &&
	    cr_new->cr_svgid != cr_new->cr_groups[0]) {
		change_svgid(cr_new, cr_new->cr_groups[0]);
		setsugid(p);
	}
	p->p_ucred = cr_new;
	PROC_UNLOCK(p);
	crfree(cr_old);
	mtx_unlock(&Giant);
	return (0);
}

/*
 * setresuid(ruid, euid, suid) is like setreuid except control over the
 * saved uid is explicit.
*/

#ifndef _SYS_SYSPROTO_H_
struct setresuid_args {
	uid_t	ruid;
	uid_t	euid;
	uid_t	suid;
};
#endif
/*
 * setresuid(2): set the real, effective and saved uids independently;
 * (uid_t)-1 leaves an id unchanged.
 *
 * Without privilege each requested id must already be one of the
 * caller's three uids; otherwise suser_cred(PRISON_ROOT) is required.
 * Returns EPERM from suser_cred() on failure.  The credential is copied
 * with crcopy() and swapped in under PROC_LOCK; each id that actually
 * changes calls setsugid(p).  uidinfo references for the new real and
 * effective uids are taken before the check and released on every
 * path.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setresuid(register struct thread *td, struct setresuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *cr_new, *cr_old;
	uid_t want_euid, want_ruid, want_suid;
	struct uidinfo *euid_info, *ruid_info;
	int error;

	want_euid = uap->euid;
	want_ruid = uap->ruid;
	want_suid = uap->suid;
	mtx_lock(&Giant);
	cr_new = crget();
	euid_info = uifind(want_euid);
	ruid_info = uifind(want_ruid);
	PROC_LOCK(p);
	cr_old = p->p_ucred;
	if (((want_ruid != (uid_t)-1 && want_ruid != cr_old->cr_ruid &&
	      want_ruid != cr_old->cr_svuid &&
	      want_ruid != cr_old->cr_uid) ||
	     (want_euid != (uid_t)-1 && want_euid != cr_old->cr_ruid &&
	      want_euid != cr_old->cr_svuid &&
	      want_euid != cr_old->cr_uid) ||
	     (want_suid != (uid_t)-1 && want_suid != cr_old->cr_ruid &&
	      want_suid != cr_old->cr_svuid &&
	      want_suid != cr_old->cr_uid)) &&
	    (error = suser_cred(cr_old, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		uifree(ruid_info);
		uifree(euid_info);
		crfree(cr_new);
		mtx_unlock(&Giant);
		return (error);
	}

	crcopy(cr_new, cr_old);
	if (want_euid != (uid_t)-1 && cr_old->cr_uid != want_euid) {
		change_euid(cr_new, euid_info);
		setsugid(p);
	}
	if (want_ruid != (uid_t)-1 && cr_old->cr_ruid != want_ruid) {
		change_ruid(cr_new, ruid_info);
		setsugid(p);
	}
	if (want_suid != (uid_t)-1 && cr_old->cr_svuid != want_suid) {
		change_svuid(cr_new, want_suid);
		setsugid(p);
	}
	p->p_ucred = cr_new;
	PROC_UNLOCK(p);
	uifree(ruid_info);
	uifree(euid_info);
	crfree(cr_old);
	mtx_unlock(&Giant);
	return (0);
}

/*
 * setresgid(rgid, egid, sgid) is like setregid except control over the
 * saved gid is explicit.
*/

#ifndef _SYS_SYSPROTO_H_
struct setresgid_args {
	gid_t	rgid;
	gid_t	egid;
	gid_t	sgid;
};
#endif
/*
 * setresgid(2): set the real, effective (cr_groups[0]) and saved gids
 * independently; (gid_t)-1 leaves an id unchanged.
 *
 * Without privilege each requested id must already be one of the
 * caller's three gids; otherwise suser_cred(PRISON_ROOT) is required.
 * Returns EPERM from suser_cred() on failure.  The credential is copied
 * with crcopy() and swapped in under PROC_LOCK; each id that actually
 * changes calls setsugid(p).
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setresgid(register struct thread *td, struct setresgid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *cr_new, *cr_old;
	gid_t want_egid, want_rgid, want_sgid;
	int error;

	want_egid = uap->egid;
	want_rgid = uap->rgid;
	want_sgid = uap->sgid;
	mtx_lock(&Giant);
	cr_new = crget();
	PROC_LOCK(p);
	cr_old = p->p_ucred;
	if (((want_rgid != (gid_t)-1 && want_rgid != cr_old->cr_rgid &&
	      want_rgid != cr_old->cr_svgid &&
	      want_rgid != cr_old->cr_groups[0]) ||
	     (want_egid != (gid_t)-1 && want_egid != cr_old->cr_rgid &&
	      want_egid != cr_old->cr_svgid &&
	      want_egid != cr_old->cr_groups[0]) ||
	     (want_sgid != (gid_t)-1 && want_sgid != cr_old->cr_rgid &&
	      want_sgid != cr_old->cr_svgid &&
	      want_sgid != cr_old->cr_groups[0])) &&
	    (error = suser_cred(cr_old, PRISON_ROOT)) != 0) {
		PROC_UNLOCK(p);
		crfree(cr_new);
		mtx_unlock(&Giant);
		return (error);
	}

	crcopy(cr_new, cr_old);
	if (want_egid != (gid_t)-1 && cr_old->cr_groups[0] != want_egid) {
		change_egid(cr_new, want_egid);
		setsugid(p);
	}
	if (want_rgid != (gid_t)-1 && cr_old->cr_rgid != want_rgid) {
		change_rgid(cr_new, want_rgid);
		setsugid(p);
	}
	if (want_sgid != (gid_t)-1 && cr_old->cr_svgid != want_sgid) {
		change_svgid(cr_new, want_sgid);
		setsugid(p);
	}
	p->p_ucred = cr_new;
	PROC_UNLOCK(p);
	crfree(cr_old);
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getresuid_args {
	uid_t	*ruid;
	uid_t	*euid;
	uid_t	*suid;
};
#endif
/*
 * getresuid(2): copy the real, effective and saved uids to the user
 * pointers that are non-NULL.  All three copyouts are attempted even if
 * an earlier one failed; the first error encountered is returned.
 * Reads the thread's own credential snapshot, so no locking is needed.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getresuid(register struct thread *td, struct getresuid_args *uap)
{
	struct ucred *cred = td->td_ucred;
	int err_r = 0, err_e = 0, err_s = 0;

	if (uap->ruid != NULL)
		err_r = copyout(&cred->cr_ruid, uap->ruid,
		    sizeof(cred->cr_ruid));
	if (uap->euid != NULL)
		err_e = copyout(&cred->cr_uid, uap->euid,
		    sizeof(cred->cr_uid));
	if (uap->suid != NULL)
		err_s = copyout(&cred->cr_svuid, uap->suid,
		    sizeof(cred->cr_svuid));
	if (err_r != 0)
		return (err_r);
	if (err_e != 0)
		return (err_e);
	return (err_s);
}

#ifndef _SYS_SYSPROTO_H_
struct getresgid_args {
	gid_t	*rgid;
	gid_t	*egid;
	gid_t	*sgid;
};
#endif
/*
 * getresgid(2): copy the real, effective (cr_groups[0]) and saved gids
 * to the user pointers that are non-NULL.  All three copyouts are
 * attempted; the first error encountered is returned.  Reads the
 * thread's own credential snapshot, so no locking is needed.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getresgid(register struct thread *td, struct getresgid_args *uap)
{
	struct ucred *cred = td->td_ucred;
	int err_r = 0, err_e = 0, err_s = 0;

	if (uap->rgid != NULL)
		err_r = copyout(&cred->cr_rgid, uap->rgid,
		    sizeof(cred->cr_rgid));
	if (uap->egid != NULL)
		err_e = copyout(&cred->cr_groups[0], uap->egid,
		    sizeof(cred->cr_groups[0]));
	if (uap->sgid != NULL)
		err_s = copyout(&cred->cr_svgid, uap->sgid,
		    sizeof(cred->cr_svgid));
	if (err_r != 0)
		return (err_r);
	if (err_e != 0)
		return (err_e);
	return (err_s);
}

#ifndef _SYS_SYSPROTO_H_
struct issetugid_args {
	int	dummy;
};
#endif
/*
 * issetugid(2): report whether the process is "tainted", i.e. whether
 * P_SUGID is set.  Returns 1 in td_retval[0] if so, else 0; the call
 * itself always succeeds.
 *
 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, we use
 * P_SUGID because we consider changing the owners as "tainting" as
 * well.  This is significant for procs that start as root and "become"
 * a user without an exec - programs cannot know *everything* that libc
 * *might* have put in their data segment.  Every credential-changing
 * syscall in this file calls setsugid() when an id actually changes.
 *
 * NOT MPSAFE?
 */
/* ARGSUSED */
int
issetugid(register struct thread *td, struct issetugid_args *uap)
{
	struct proc *self = td->td_proc;
	int tainted;

	PROC_LOCK(self);
	tainted = (self->p_flag & P_SUGID) != 0;
	PROC_UNLOCK(self);
	td->td_retval[0] = tainted ? 1 : 0;
	return (0);
}

/*
 * __setugid(2): regression-test hook that clears (flag 0) or sets
 * (flag 1) P_SUGID directly.  Only compiled in with REGRESSION; in a
 * production kernel it returns ENOSYS, so the taint flag cannot be
 * cleared from user space.  Any other flag value is EINVAL.
 *
 * MPSAFE
 */
int
__setugid(struct thread *td, struct __setugid_args *uap)
{
#ifdef REGRESSION
	struct proc *self = td->td_proc;

	if (uap->flag != 0 && uap->flag != 1)
		return (EINVAL);

	mtx_lock(&Giant);
	PROC_LOCK(self);
	if (uap->flag == 0)
		self->p_flag &= ~P_SUGID;
	else
		self->p_flag |= P_SUGID;
	PROC_UNLOCK(self);
	mtx_unlock(&Giant);
	return (0);
#else /* !REGRESSION */

	return (ENOSYS);
#endif /* REGRESSION */
}

/*
 * Check if gid is a member of the group set.
 *
 * Linear scan over cr_groups[0 .. cr_ngroups-1]; since the effective gid
 * is kept in cr_groups[0], it is matched by this test too.  Returns 1
 * if found, 0 otherwise.
 *
 * MPSAFE (cred must be held)
 */
int
groupmember(gid_t gid, struct ucred *cred)
{
	int i;

	for (i = 0; i < cred->cr_ngroups; i++)
		if (cred->cr_groups[i] == gid)
			return (1);
	return (0);
}

/*
 * `suser_enabled' (which can be set by the security.suser_enabled
 * sysctl) determines whether the system 'super-user' policy is in effect.
 * If it is nonzero, an effective uid of 0 connotes special privilege,
 * overriding many mandatory and discretionary protections.  If it is zero,
 * uid 0 is offered no special privilege in the kernel security policy.
 * Setting it to zero may seriously impact the functionality of many
 * existing userland programs, and should not be done without careful
 * consideration of the consequences.
 */
int	suser_enabled = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
    &suser_enabled, 0, "processes with uid 0 have privilege");
TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);

/*
 * Test whether the specified credentials imply "super-user" privilege.
 * Return 0 or EPERM.
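The flag argument is currently used only to
 * specify jail interaction: with PRISON_ROOT set, uid 0 inside a jail
 * is accepted; without it a jailed credential never qualifies.
 */
int
suser_cred(struct ucred *cred, int flag)
{

	/* Global policy switch, see the suser_enabled comment above. */
	if (!suser_enabled)
		return (EPERM);
	if (cred->cr_uid != 0)
		return (EPERM);
	/* Jailed root is privileged only where the caller opts in. */
	if (jailed(cred) && !(flag & PRISON_ROOT))
		return (EPERM);
	return (0);
}

/*
 * Shortcut to hide contents of struct td and struct proc from the
 * caller, promoting binary compatibility.  Equivalent to
 * suser_cred(td->td_ucred, 0), so a jailed root never passes here.
 */
int
suser(struct thread *td)
{

	return (suser_cred(td->td_ucred, 0));
}

/*
 * Test the active securelevel against a given level.  securelevel_gt()
 * implements (securelevel > level).  securelevel_ge() implements
 * (securelevel >= level).  Note that the logic is inverted -- these
 * functions return EPERM on "success" and 0 on "failure".
 *
 * MPSAFE
 */

/*
 * Effective securelevel for cr: the global securelevel, raised to the
 * prison's pr_securelevel when cr is jailed (a jail can only tighten
 * the level, never relax it).  Takes pr_mtx briefly.  cr must not be
 * NULL.  Shared by securelevel_gt() and securelevel_ge() so the two
 * cannot drift apart.
 */
static int
securelevel_active(struct ucred *cr)
{
	int active_securelevel;

	active_securelevel = securelevel;
	if (cr->cr_prison != NULL) {
		mtx_lock(&cr->cr_prison->pr_mtx);
		active_securelevel = imax(cr->cr_prison->pr_securelevel,
		    active_securelevel);
		mtx_unlock(&cr->cr_prison->pr_mtx);
	}
	return (active_securelevel);
}

int
securelevel_gt(struct ucred *cr, int level)
{

	KASSERT(cr != NULL, ("securelevel_gt: null cr"));
	return (securelevel_active(cr) > level ? EPERM : 0);
}

int
securelevel_ge(struct ucred *cr, int level)
{

	KASSERT(cr != NULL, ("securelevel_ge: null cr"));
	return (securelevel_active(cr) >= level ? EPERM : 0);
}

/*
 * 'see_other_uids' determines whether or not visibility of processes
 * and sockets with credentials holding different real uids is possible
 * using a variety of system MIBs.
 * XXX: data declarations should be together near the beginning of the file.
 */
static int	see_other_uids = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
    &see_other_uids, 0,
    "Unprivileged processes may see subjects/objects with different real uid");

/*-
 * Determine if u1 "can see" the subject specified by u2, according to the
 * 'see_other_uids' policy.
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 *             u1 may equal u2, in which case only one reference is required
 */
static int
cr_seeotheruids(struct ucred *u1, struct ucred *u2)
{

	/*
	 * Only bites when the policy is off and the real uids differ;
	 * even then root (jailed root included) is exempt.
	 */
	if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
		if (suser_cred(u1, PRISON_ROOT) != 0)
			return (ESRCH);
	}
	return (0);
}

/*-
 * Determine if u1 "can see" the subject specified by u2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 *             u1 may equal u2, in which case only one reference is required
 */
int
cr_cansee(struct ucred *u1, struct ucred *u2)
{
	int error;

	/* Jail containment first, then the see_other_uids policy. */
	if ((error = prison_check(u1, u2)) != 0)
		return (error);
	if ((error = cr_seeotheruids(u1, u2)) != 0)
		return (error);
	return (0);
}

/*-
 * Determine if td "can see" the subject specified by p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect p->p_ucred must be held.  td really
 *        should be curthread.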
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansee(struct thread *td, struct proc *p)
{

	/* Wrap cr_cansee() for all functionality. */
	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	return (cr_cansee(td->td_ucred, p->p_ucred));
}

/*
 * Signals an unprivileged sender may deliver to a P_SUGID target: job
 * and terminal control signals only (signal 0 included).  Returns 1 when
 * signum is on that list, 0 otherwise.
 */
static int
sugid_signal_permitted(int signum)
{

	switch (signum) {
	case 0:
	case SIGKILL:
	case SIGINT:
	case SIGTERM:
	case SIGSTOP:
	case SIGTTIN:
	case SIGTTOU:
	case SIGTSTP:
	case SIGHUP:
	case SIGUSR1:
	case SIGUSR2:
		return (1);
	default:
		return (0);
	}
}

/*-
 * Determine whether cred may deliver the specified signal to proc.
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
 */
int
cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
	struct ucred *tcred;
	int error, uidmatch;

	PROC_LOCK_ASSERT(proc, MA_OWNED);
	/* proc is locked, so its credential pointer is stable here. */
	tcred = proc->p_ucred;

	/*
	 * Jail semantics limit the scope of signalling to proc in the
	 * same jail as cred, if cred is in jail.
	 */
	if ((error = prison_check(cred, tcred)) != 0)
		return (error);
	if ((error = cr_seeotheruids(cred, tcred)) != 0)
		return (error);

	/*
	 * UNIX signal semantics depend on the status of the P_SUGID
	 * bit on the target process.  If the bit is set, then additional
	 * restrictions are placed on the set of available signals:
	 * anything outside the job/terminal control set needs privilege.
	 */
	if ((proc->p_flag & P_SUGID) && !sugid_signal_permitted(signum)) {
		if ((error = suser_cred(cred, PRISON_ROOT)) != 0)
			return (error);
	}

	/*
	 * Generally, the target credential's ruid or svuid must match the
	 * subject credential's ruid or euid.
	 */
	uidmatch = (cred->cr_ruid == tcred->cr_ruid ||
	    cred->cr_ruid == tcred->cr_svuid ||
	    cred->cr_uid == tcred->cr_ruid ||
	    cred->cr_uid == tcred->cr_svuid);
	if (!uidmatch) {
		/* Not permitted without privilege. */
		if ((error = suser_cred(cred, PRISON_ROOT)) != 0)
			return (error);
	}

	return (0);
}

/*-
 * Determine whether td may deliver the specified signal to p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 *        must be held.  td must be curthread, and a lock must be
 *        held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansignal(struct thread *td, struct proc *p, int signum)
{

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);

	/* A process may always signal itself. */
	if (td->td_proc == p)
		return (0);

	/*
	 * UNIX signalling semantics require that processes in the same
	 * session always be able to deliver SIGCONT to one another,
	 * overriding the remaining protections.
	 */
	/* XXX: This will require an additional lock of some sort. */
	if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
		return (0);

	return (cr_cansignal(td->td_ucred, p, signum));
}

/*-
 * Determine whether td may reschedule p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 *        must be held.  td must be curthread, and a lock must
 *        be held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansched(struct thread *td, struct proc *p)
{
	struct ucred *scred, *tcred;
	int rv;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);

	/* A process may always reschedule itself. */
	if (td->td_proc == p)
		return (0);

	scred = td->td_ucred;
	tcred = p->p_ucred;
	if ((rv = prison_check(scred, tcred)) != 0)
		return (rv);
	if ((rv = cr_seeotheruids(scred, tcred)) != 0)
		return (rv);

	/*
	 * Permitted when the real uids match, or the subject's effective
	 * uid matches the target's real uid.
	 */
	if (scred->cr_ruid == tcred->cr_ruid ||
	    scred->cr_uid == tcred->cr_ruid)
		return (0);

	/* Otherwise privilege is required. */
	if (suser_cred(scred, PRISON_ROOT) == 0)
		return (0);
#ifdef CAPABILITIES
	if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT))
		return (0);
#endif

	return (EPERM);
}

/*
 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 * unprivileged inter-process debugging services, including some procfs
 * functionality, ptrace(), and ktrace().  In the past, inter-process
 * debugging has been involved in a variety of security problems, and sites
 * not requiring the service might choose to disable it when hardening
 * systems.
 *
 * XXX: Should modifying and reading this variable require locking?
 * XXX: data declarations should be together near the beginning of the file.
 */
static int	unprivileged_proc_debug = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
    &unprivileged_proc_debug, 0,
    "Unprivileged processes may use process debugging facilities");

/*-
 * Determine whether td may debug p.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 *        must be held.  td must be curthread, and a lock must
 *        be held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_candebug(struct thread *td, struct proc *p)
{
	struct ucred *scred, *tcred;
	int credentialchanged, error, grpsubset, i, uidsubset;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	scred = td->td_ucred;
	tcred = p->p_ucred;

	/*
	 * Site-wide switch.  Checked before the self-debug shortcut
	 * below, so with the facility disabled even debugging oneself
	 * requires privilege.
	 */
	if (!unprivileged_proc_debug) {
		if ((error = suser_cred(scred, PRISON_ROOT)) != 0)
			return (error);
	}
	if (td->td_proc == p)
		return (0);
	if ((error = prison_check(scred, tcred)) != 0)
		return (error);
	if ((error = cr_seeotheruids(scred, tcred)) != 0)
		return (error);

	/*
	 * Is p's group set a subset of td's effective group set?  This
	 * includes p's egid, group access list, rgid, and svgid.
	 * groupmember() only reads, so the order of these tests does
	 * not matter; stop at the first miss.
	 */
	grpsubset = groupmember(tcred->cr_rgid, scred) &&
	    groupmember(tcred->cr_svgid, scred);
	for (i = 0; grpsubset && i < tcred->cr_ngroups; i++)
		grpsubset = groupmember(tcred->cr_groups[i], scred);

	/*
	 * Are the uids present in p's credential equal to td's
	 * effective uid?  This includes p's euid, svuid, and ruid.
	 */
	uidsubset = (scred->cr_uid == tcred->cr_uid &&
	    scred->cr_uid == tcred->cr_svuid &&
	    scred->cr_uid == tcred->cr_ruid);

	/*
	 * Has the credential of the process changed since the last exec()?
	 * P_SUGID is raised by setsugid() and cleared on exec elsewhere.
	 */
	credentialchanged = (p->p_flag & P_SUGID);

	/*
	 * If p's gids aren't a subset, or the uids aren't a subset,
	 * or the credential has changed, require appropriate privilege
	 * for td to debug p.  For POSIX.1e capabilities, this will
	 * require CAP_SYS_PTRACE.
	 */
	if (!grpsubset || !uidsubset || credentialchanged) {
		if ((error = suser_cred(scred, PRISON_ROOT)) != 0)
			return (error);
	}

	/* Can't trace init when securelevel > 0. */
	if (p == initproc) {
		if ((error = securelevel_gt(scred, 0)) != 0)
			return (error);
	}

	/*
	 * Can't trace a process that's currently exec'ing.
	 * XXX: Note, this is not a security policy decision, it's a
	 * basic correctness/functionality decision.  Therefore, this check
	 * should be moved to the caller's of p_candebug().
	 */
	if ((p->p_flag & P_INEXEC) != 0)
		return (EAGAIN);

	return (0);
}

/*-
 * Determine whether the subject represented by cred can "see" a socket.
 * Returns: 0 for permitted, ENOENT otherwise.
 *
 * Both the jail check and the see_other_uids check collapse to ENOENT,
 * so a caller cannot distinguish "no such socket" from "not visible".
 */
int
cr_canseesocket(struct ucred *cred, struct socket *so)
{

	if (prison_check(cred, so->so_cred) != 0)
		return (ENOENT);
	if (cr_seeotheruids(cred, so->so_cred) != 0)
		return (ENOENT);
#ifdef MAC
	/* XXX: error = mac_cred_check_seesocket() here. */
#endif

	return (0);
}

/*
 * Allocate a zeroed cred structure.
 *
 * The new cred starts with one reference owned by the caller; its mutex
 * comes from the shared mutex pool rather than living inside the cred.
 * M_WAITOK: may sleep.
 */
struct ucred *
crget(void)
{
	struct ucred *cr;

	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
	cr->cr_ref = 1;
	cr->cr_mtxp = mtx_pool_find(cr);
	return (cr);
}

/*
 * Claim another reference to a ucred structure.
 * Returns cr itself for convenience in expressions.
 */
struct ucred *
crhold(struct ucred *cr)
{
	struct mtx *mtxp = cr->cr_mtxp;

	mtx_lock(mtxp);
	cr->cr_ref++;
	mtx_unlock(mtxp);
	return (cr);
}

/*
 * Free a cred structure.
 * Throws away space when ref count gets to 0.
 */
void
crfree(struct ucred *cr)
{
	struct mtx *mtxp = cr->cr_mtxp;

	mtx_lock(mtxp);
	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
	if (--cr->cr_ref != 0) {
		/* Still referenced elsewhere; nothing to release. */
		mtx_unlock(mtxp);
		return;
	}

	/*
	 * Last reference.  The mutex is pool-owned, not part of cr, so it
	 * is safe to drop it before tearing the cred down under Giant.
	 */
	mtx_unlock(mtxp);
	mtx_lock(&Giant);
	/*
	 * Some callers of crget(), such as nfs_statfs(),
	 * allocate a temporary credential, but don't
	 * allocate a uidinfo structure.
	 */
	if (cr->cr_uidinfo != NULL)
		uifree(cr->cr_uidinfo);
	if (cr->cr_ruidinfo != NULL)
		uifree(cr->cr_ruidinfo);
	/* Free a prison, if any. */
	if (jailed(cr))
		prison_free(cr->cr_prison);
	FREE(cr, M_CRED);
	mtx_unlock(&Giant);
}

/*
 * Check to see if this ucred is shared.
 * Returns nonzero when more than one reference is outstanding.
 */
int
crshared(struct ucred *cr)
{
	struct mtx *mtxp = cr->cr_mtxp;
	int rv;

	mtx_lock(mtxp);
	rv = cr->cr_ref > 1 ? 1 : 0;
	mtx_unlock(mtxp);
	return (rv);
}

/*
 * Copy a ucred's contents from a template.  Does not block.
 *
 * Copies the fields between cr_startcopy and cr_endcopy, then takes a
 * fresh hold on the reference-counted members now shared with src
 * (uidinfo, ruidinfo and, if jailed, the prison).  dest must be
 * unshared: the copy overwrites fields other holders could be reading.
 */
void
crcopy(struct ucred *dest, struct ucred *src)
{
	size_t len;

	KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
	len = (caddr_t)&src->cr_endcopy - (caddr_t)&src->cr_startcopy;
	bcopy(&src->cr_startcopy, &dest->cr_startcopy, (unsigned)len);
	uihold(dest->cr_uidinfo);
	uihold(dest->cr_ruidinfo);
	if (jailed(dest))
		prison_hold(dest->cr_prison);
}

/*
 * Dup cred struct to a new held one.
 */
struct ucred *
crdup(struct ucred *cr)
{
	struct ucred *copy = crget();

	/* crget() returns an unshared cred, so crcopy() is safe here. */
	crcopy(copy, cr);
	return (copy);
}

#ifdef DIAGNOSTIC
/*
 * Detach and release a thread's credential (diagnostic builds only).
 * td->td_ucred is NULL on return.
 */
void
cred_free_thread(struct thread *td)
{
	struct ucred *old = td->td_ucred;

	td->td_ucred = NULL;
	if (old != NULL)
		crfree(old);
}
#endif

/*
 * Fill in a struct xucred based on a struct ucred.
 *
 * Exports only uid, group count and the group array; everything else in
 * xcr is zeroed first so no kernel data leaks through padding.
 * NOTE(review): copies sizeof(cr->cr_groups) bytes, so xcr->cr_groups
 * must be at least that large -- confirm against the two definitions.
 */
void
cru2x(struct ucred *cr, struct xucred *xcr)
{

	bzero(xcr, sizeof(*xcr));
	xcr->cr_version = XUCRED_VERSION;
	xcr->cr_uid = cr->cr_uid;
	xcr->cr_ngroups = cr->cr_ngroups;
	bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
}

/*
 * Small routine to swap a thread's current ucred for the correct one
 * taken from the process.  The new reference is taken under the proc
 * lock; the old one is dropped afterwards, all under Giant.
 */
void
cred_update_thread(struct thread *td)
{
	struct proc *p = td->td_proc;
	struct ucred *old = td->td_ucred;

	mtx_lock(&Giant);
	PROC_LOCK(p);
	td->td_ucred = crhold(p->p_ucred);
	PROC_UNLOCK(p);
	if (old != NULL)
		crfree(old);
	mtx_unlock(&Giant);
}

/*
 * Get login name, if available.
 *
 * Copies uap->namelen bytes (capped at MAXLOGNAME) of the session's
 * s_login to userland, bytes after the NUL included; no terminator is
 * guaranteed when namelen is shorter than the name.
 */
#ifndef _SYS_SYSPROTO_H_
struct getlogin_args {
	char	*namebuf;
	u_int	namelen;
};
#endif
/*
 * MPSAFE
 */
/* ARGSUSED */
int
getlogin(struct thread *td, struct getlogin_args *uap)
{
	struct proc *p = td->td_proc;
	char login[MAXLOGNAME];
	u_int len;

	len = uap->namelen;
	if (len > MAXLOGNAME)
		len = MAXLOGNAME;
	uap->namelen = len;
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	bcopy(p->p_session->s_login, login, len);
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	return (copyout(login, uap->namebuf, len));
}

/*
 * Set login name.
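 */
#ifndef _SYS_SYSPROTO_H_
struct setlogin_args {
	char	*namebuf;
};
#endif
/*
 * MPSAFE
 *
 * Requires privilege (jailed root accepted).  The whole MAXLOGNAME
 * buffer is stored into s_login, which getlogin() later copies back to
 * userland byte for byte, so it must not carry stale stack contents.
 * Returns 0, a copyinstr() error, or EINVAL for an over-long name.
 */
/* ARGSUSED */
int
setlogin(struct thread *td, struct setlogin_args *uap)
{
	struct proc *p = td->td_proc;
	int error;
	char logintmp[MAXLOGNAME];

	error = suser_cred(td->td_ucred, PRISON_ROOT);
	if (error)
		return (error);
	/*
	 * copyinstr() writes only the string and its NUL; the remainder
	 * of logintmp would otherwise be uninitialized kernel stack that
	 * the memcpy() below publishes into s_login.  Clear it first.
	 */
	bzero(logintmp, sizeof(logintmp));
	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
	if (error == ENAMETOOLONG)
		error = EINVAL;
	else if (!error) {
		PROC_LOCK(p);
		SESS_LOCK(p->p_session);
		(void) memcpy(p->p_session->s_login, logintmp,
		    sizeof(logintmp));
		SESS_UNLOCK(p->p_session);
		PROC_UNLOCK(p);
	}
	return (error);
}

/*
 * Mark p as having changed credentials since its last exec().
 * P_SUGID is what cr_cansignal() and p_candebug() consult to tighten
 * signal delivery and debugging.  procfs stops are cleared unless the
 * PF_ISUGID flag says to keep them.
 * Locks: the proc lock must be held.
 */
void
setsugid(struct proc *p)
{

	PROC_LOCK_ASSERT(p, MA_OWNED);
	p->p_flag |= P_SUGID;
	if (!(p->p_pfsflags & PF_ISUGID))
		p->p_stops = 0;
}

/*-
 * Change a process's effective uid.
 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_euid(struct ucred *newcred, struct uidinfo *euip)
{

	newcred->cr_uid = euip->ui_uid;
	/* Hold the new uidinfo before releasing the old one. */
	uihold(euip);
	uifree(newcred->cr_uidinfo);
	newcred->cr_uidinfo = euip;
}

/*-
 * Change a process's effective gid.
 * Side effects: newcred->cr_gid will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_egid(struct ucred *newcred, gid_t egid)
{

	/* The effective gid is slot 0 of the group array. */
	newcred->cr_groups[0] = egid;
}

/*-
 * Change a process's real uid.
 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 *               will be updated, and the old and new cr_ruidinfo proc
 *               counts will be updated.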
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_ruid(struct ucred *newcred, struct uidinfo *ruip)
{
	struct uidinfo *oldip = newcred->cr_ruidinfo;

	/* Move this process's count from the old real uid to the new one. */
	(void)chgproccnt(oldip, -1, 0);
	uihold(ruip);
	newcred->cr_ruid = ruip->ui_uid;
	newcred->cr_ruidinfo = ruip;
	uifree(oldip);
	(void)chgproccnt(ruip, 1, 0);
}

/*-
 * Change a process's real gid.
 * Side effects: newcred->cr_rgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_rgid(struct ucred *newcred, gid_t rgid)
{
	gid_t *slot = &newcred->cr_rgid;

	*slot = rgid;
}

/*-
 * Change a process's saved uid.
 * Side effects: newcred->cr_svuid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_svuid(struct ucred *newcred, uid_t svuid)
{
	uid_t *slot = &newcred->cr_svuid;

	*slot = svuid;
}

/*-
 * Change a process's saved gid.
 * Side effects: newcred->cr_svgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_svgid(struct ucred *newcred, gid_t svgid)
{
	gid_t *slot = &newcred->cr_svgid;

	*slot = svgid;
}