1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. 
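IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
 * $FreeBSD$
 */

/*
 * System calls related to processes and protection
 */

#include "opt_compat.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/acct.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sx.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/jail.h>
#include <sys/pioctl.h>
#include <sys/resourcevar.h>
#include <sys/sysctl.h>

static MALLOC_DEFINE(M_CRED, "cred", "credentials");

SYSCTL_DECL(_security);
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
    "BSD security policy");

#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
	int	dummy;
};
#endif
/*
 * getpid(2): return the caller's pid in td_retval[0].  With COMPAT_43 or
 * COMPAT_SUNOS the parent's pid is also returned in td_retval[1]; p_pptr
 * is read under the proc lock for that.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getpid(td, uap)
	struct thread *td;
	struct getpid_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	td->td_retval[0] = p->p_pid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	PROC_LOCK(p);
	td->td_retval[1] = p->p_pptr->p_pid;
	PROC_UNLOCK(p);
#endif
	mtx_unlock_giant(s);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getppid_args {
	int	dummy;
};
#endif
/*
 * getppid(2): return the parent's pid in td_retval[0].  p_pptr is read
 * under the proc lock.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getppid(td, uap)
	struct thread *td;
	struct getppid_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(p);
	td->td_retval[0] = p->p_pptr->p_pid;
	PROC_UNLOCK(p);
	mtx_unlock_giant(s);
	return (0);
}

/*
 * Get process group ID; note that POSIX getpgrp takes no parameter.
 * The caller's p_pgrp->pg_id is read under the proc lock and returned in
 * td_retval[0].
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgrp_args {
	int	dummy;
};
#endif
/*
 * MPSAFE
 */
int
getpgrp(td, uap)
	struct thread *td;
	struct getpgrp_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(p);
	td->td_retval[0] = p->p_pgrp->pg_id;
	PROC_UNLOCK(p);
	mtx_unlock_giant(s);
	return (0);
}

/*
 * Get an arbitrary pid's process group id.
 *
 * A pid of 0 names the caller.  Any other pid must exist (ESRCH) and be
 * visible to the caller under p_cansee(); that visibility check is the
 * only policy applied to a foreign pid.  pfind() returns the target
 * locked, so it is unlocked here on both the success and the error path.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgid_args {
	pid_t	pid;
};
#endif
/*
 * MPSAFE
 */
int
getpgid(td, uap)
	struct thread *td;
	struct getpgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct proc *pt;
	int error, s;

	s = mtx_lock_giant(kern_giant_proc);
	error = 0;
	if (uap->pid == 0) {
		PROC_LOCK(p);
		td->td_retval[0] = p->p_pgrp->pg_id;
		PROC_UNLOCK(p);
	} else if ((pt = pfind(uap->pid)) == NULL)
		error = ESRCH;
	else {
		error = p_cansee(p, pt);
		if (error == 0)
			td->td_retval[0] = pt->p_pgrp->pg_id;
		PROC_UNLOCK(pt);
	}
	mtx_unlock_giant(s);
	return (error);
}

/*
 * Get an arbitrary pid's session id.
 *
 * Same shape as getpgid(): pid 0 is the caller, otherwise the target must
 * exist (ESRCH) and pass p_cansee(); the locked proc from pfind() is
 * unlocked on every path.
 */
#ifndef _SYS_SYSPROTO_H_
struct getsid_args {
	pid_t	pid;
};
#endif
/*
 * MPSAFE
 */
int
getsid(td, uap)
	struct thread *td;
	struct getsid_args *uap;
{
	struct proc *p = td->td_proc;
	struct proc *pt;
	int error;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	error = 0;
	if (uap->pid == 0) {
		PROC_LOCK(p);
		td->td_retval[0] = p->p_session->s_sid;
		PROC_UNLOCK(p);
	} else if ((pt = pfind(uap->pid)) == NULL)
		error = ESRCH;
	else {
		error = p_cansee(p, pt);
		if (error == 0)
			td->td_retval[0] = pt->p_session->s_sid;
		PROC_UNLOCK(pt);
	}
	mtx_unlock_giant(s);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct getuid_args {
	int	dummy;
};
#endif
/*
 * getuid(2): return the real uid (cr_ruid) in td_retval[0].  With
 * COMPAT_43 or COMPAT_SUNOS the effective uid (cr_uid) is also returned
 * in td_retval[1].
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getuid(td, uap)
	struct thread *td;
	struct getuid_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_ucred->cr_ruid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = p->p_ucred->cr_uid;
#endif
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct geteuid_args {
	int	dummy;
};
#endif
/*
 * geteuid(2): return the effective uid (cr_uid) in td_retval[0].
 *
 * MPSAFE
 */
/* ARGSUSED */
int
geteuid(td, uap)
	struct thread *td;
	struct geteuid_args *uap;
{
	mtx_lock(&Giant);
	td->td_retval[0] = td->td_proc->p_ucred->cr_uid;
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgid_args {
	int	dummy;
};
#endif
/*
 * getgid(2): return the real gid (cr_rgid) in td_retval[0].  With
 * COMPAT_43 or COMPAT_SUNOS the effective gid, which lives in
 * cr_groups[0], is also returned in td_retval[1].
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getgid(td, uap)
	struct thread *td;
	struct getgid_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_ucred->cr_rgid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = p->p_ucred->cr_groups[0];
#endif
	mtx_unlock(&Giant);
	return (0);
}

/*
 * Get effective group ID.  The "egid" is groups[0], and could be obtained
 * via getgroups.  This syscall exists because it is somewhat painful to do
 * correctly in a library function.
 */
#ifndef _SYS_SYSPROTO_H_
struct getegid_args {
	int	dummy;
};
#endif
/*
 * MPSAFE
 */
/* ARGSUSED */
int
getegid(td, uap)
	struct thread *td;
	struct getegid_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_ucred->cr_groups[0];
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * getgroups(2): copy the caller's group vector to user space.
 *
 * gidsetsize == 0 only reports the current count (cr_ngroups) in
 * td_retval[0] without touching gidset.  A gidsetsize smaller than
 * cr_ngroups is EINVAL.  Otherwise exactly cr_ngroups entries are copied
 * out (the copy is sized by the kernel's count, not the caller's) and
 * that count is returned.  Note that cr_groups[0] is the egid (see
 * getegid()), so it is included in the vector.
 *
 * MPSAFE
 */
int
getgroups(td, uap)
	struct thread *td;
	register struct getgroups_args *uap;
{
	struct ucred *cred;
	struct proc *p = td->td_proc;
	u_int ngrp;
	int error;

	mtx_lock(&Giant);
	error = 0;
	cred = p->p_ucred;
	if ((ngrp = uap->gidsetsize) == 0) {
		td->td_retval[0] = cred->cr_ngroups;
		goto done2;
	}
	if (ngrp < cred->cr_ngroups) {
		error = EINVAL;
		goto done2;
	}
	ngrp = cred->cr_ngroups;
	if ((error = copyout((caddr_t)cred->cr_groups,
	    (caddr_t)uap->gidset, ngrp * sizeof(gid_t))))
		goto done2;
	td->td_retval[0] = ngrp;
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setsid_args {
	int	dummy;
};
#endif
/*
 * setsid(2): make the caller the leader of a new session and process
 * group, both identified by its pid.
 *
 * The pgrp and session structures are allocated (M_WAITOK) before
 * PGRPSESS_XLOCK() is taken so that no allocation happens under the lock.
 * The call fails with EPERM if the caller already leads a process group
 * (p_pgid == p_pid) or if a process group with its pid already exists;
 * in that case both allocations are released.  On success they are handed
 * to enterpgrp() and are not freed here.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setsid(td, uap)
	register struct thread *td;
	struct setsid_args *uap;
{
	struct pgrp *pgrp;
	int error;
	struct proc *p = td->td_proc;
	struct pgrp *newpgrp;
	struct session *newsess;

	error = 0;
	pgrp = NULL;

	mtx_lock(&Giant);

	MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
	MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);

	PGRPSESS_XLOCK();

	if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
		/* pgfind() returns the group locked; drop it before failing. */
		if (pgrp != NULL)
			PGRP_UNLOCK(pgrp);
		error = EPERM;
		goto fail;
	} else {
		(void)enterpgrp(p, p->p_pid, newpgrp, newsess);
		td->td_retval[0] = p->p_pid;
		error = 0;
	}
	PGRPSESS_XUNLOCK();
	mtx_unlock(&Giant);
	return (0);

fail:
	PGRPSESS_XUNLOCK();

	FREE(newpgrp, M_PGRP);
	FREE(newsess, M_SESSION);

	mtx_unlock(&Giant);
	/*
	 * Report the EPERM recorded above.  Returning 0 here would tell the
	 * caller a new session was created when nothing changed.
	 */
	return (error);
}

/*
 * set process group (setpgid/old setpgrp)
 *
 * caller does setpgid(targpid, targpgid)
 *
 * pid must be caller or child of caller (ESRCH)
 * if a child
 *	pid must be in same session (EPERM)
 *	pid can't have done an exec (EACCES)
 * if pgid != pid
 * 	there must exist some pid in same session having pgid (EPERM)
 * pid must not be session leader (EPERM)
 *
 * A negative pgid is rejected with EINVAL before any lock is taken.  A
 * target pid other than the caller is looked up with pfind() (which
 * returns it locked) under a shared proctree_lock so that inferior() can
 * be evaluated, and must also pass p_cansee().  A spare pgrp is allocated
 * up front; it is consumed by enterpgrp() only when a new group is
 * created and is freed on every other path.  Errors from enterpgrp() and
 * enterthispgrp() are returned to the caller.
 */
#ifndef _SYS_SYSPROTO_H_
struct setpgid_args {
	int	pid;		/* target process id */
	int	pgid;		/* target pgrp id */
};
#endif
/*
 * MPSAFE
 */
/* ARGSUSED */
int
setpgid(td, uap)
	struct thread *td;
	register struct setpgid_args *uap;
{
	struct proc *curp = td->td_proc;
	register struct proc *targp;	/* target process */
	register struct pgrp *pgrp;	/* target pgrp */
	int error;
	struct pgrp *newpgrp;

	if (uap->pgid < 0)
		return (EINVAL);

	error = 0;

	mtx_lock(&Giant);

	MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);

	PGRPSESS_XLOCK();

	if (uap->pid != 0 && uap->pid != curp->p_pid) {
		sx_slock(&proctree_lock);
		if ((targp = pfind(uap->pid)) == NULL) {
			sx_sunlock(&proctree_lock);
			error = ESRCH;
			goto fail;
		}
		if (!inferior(targp)) {
			PROC_UNLOCK(targp);
			sx_sunlock(&proctree_lock);
			error = ESRCH;
			goto fail;
		}
		sx_sunlock(&proctree_lock);
		if ((error = p_cansee(curproc, targp))) {
			PROC_UNLOCK(targp);
			goto fail;
		}
		if (targp->p_pgrp == NULL ||
		    targp->p_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto fail;
		}
		if (targp->p_flag & P_EXEC) {
			PROC_UNLOCK(targp);
			error = EACCES;
			goto fail;
		}
		PROC_UNLOCK(targp);
	} else
		targp = curp;
	if (SESS_LEADER(targp)) {
		error = EPERM;
		goto fail;
	}
	if (uap->pgid == 0)
		uap->pgid = targp->p_pid;
	if (uap->pgid == targp->p_pid) {
		if (targp->p_pgid == uap->pgid)
			goto done;
		error = enterpgrp(targp, uap->pgid, newpgrp, NULL);
		/* enterpgrp() now owns the spare pgrp; do not free it below. */
		if (error == 0)
			newpgrp = NULL;
	} else {
		if ((pgrp = pgfind(uap->pgid)) == NULL ||
		    pgrp->pg_session != curp->p_session) {
			if (pgrp != NULL)
				PGRP_UNLOCK(pgrp);
			error = EPERM;
			goto fail;
		}
		if (pgrp == targp->p_pgrp) {
			PGRP_UNLOCK(pgrp);
			goto done;
		}
		PGRP_UNLOCK(pgrp);
		error = enterthispgrp(targp, pgrp);
	}
done:
	PGRPSESS_XUNLOCK();
	if (newpgrp != NULL)
		FREE(newpgrp, M_PGRP);
	mtx_unlock(&Giant);
	/*
	 * error is 0 on the "nothing to do" paths and otherwise carries the
	 * result of enterpgrp()/enterthispgrp(); do not mask it.
	 */
	return (error);

fail:
	PGRPSESS_XUNLOCK();

	KASSERT(newpgrp != NULL, ("setpgid failed and newpgrp is null."));
	KASSERT(error != 0, ("setpgid successfully failed?"));
	FREE(newpgrp, M_PGRP);

	mtx_unlock(&Giant);
	return (error);
}

/*
 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
 * compatible.  It says that setting the uid/gid to euid/egid is a special
 * case of "appropriate privilege".  Once the rules are expanded out, this
 * basically means that setuid(nnn) sets all three id's, in all permitted
 * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
 * does not set the saved id - this is dangerous for traditional BSD
 * programs.  For this reason, we *really* do not want to set
 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
 */
#define POSIX_APPENDIX_B_4_2_2

#ifndef _SYS_SYSPROTO_H_
struct setuid_args {
	uid_t	uid;
};
#endif
/*
 * setuid(2): set the real, effective and saved uid.
 *
 * Without privilege the new uid must equal the current real uid (or, per
 * the #ifdefs below, the saved or effective uid); otherwise
 * suser_xxx(PRISON_ROOT) must succeed or EPERM is returned.  A fresh
 * credential is built with crdup() and installed in p->p_ucred so that
 * other holders of the old credential never observe a partial change.
 * Every id that actually changes also marks the process P_SUGID via
 * setsugid().
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setuid(td, uap)
	struct thread *td;
	struct setuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t uid;
	int error;

	uid = uap->uid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setuid(geteuid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setuid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * Notes on the logic.  We do things in three steps.
	 * 1: We determine if the euid is going to change, and do EPERM
	 *    right away.  We unconditionally change the euid later if this
	 *    test is satisfied, simplifying that part of the logic.
	 * 2: We determine if the real and/or saved uids are going to
	 *    change.  Determined by compile options.
	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
	 */
	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
#ifdef _POSIX_SAVED_IDS
	    uid != oldcred->cr_svuid &&		/* allow setuid(saved uid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
#endif
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;

	newcred = crdup(oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or uid == euid)
	 * If so, we are changing the real uid and/or saved uid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
	    uid == oldcred->cr_uid ||
#endif
	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set the real uid and transfer proc count to new user.
		 */
		if (uid != oldcred->cr_ruid) {
			change_ruid(newcred, uid);
			setsugid(p);
		}
		/*
		 * Set saved uid
		 *
		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
		 * the security of seteuid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (uid != oldcred->cr_svuid) {
			change_svuid(newcred, uid);
			setsugid(p);
		}
	}

	/*
	 * In all permitted cases, we are changing the euid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (uid != oldcred->cr_uid) {
		change_euid(newcred, uid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct seteuid_args {
	uid_t	euid;
};
#endif
/*
 * seteuid(2): set only the effective uid.
 *
 * Without privilege euid must equal the current real or saved uid;
 * otherwise suser_xxx(PRISON_ROOT) gates the change with EPERM.  The
 * credential is replaced via crdup() and P_SUGID is set if the euid
 * actually changes.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
seteuid(td, uap)
	struct thread *td;
	struct seteuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid;
	int error;

	euid = uap->euid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	/*
	 * Everything's okay, do it.  Copy credentials so other references do
	 * not see our changes.
	 */
	newcred = crdup(oldcred);
	if (oldcred->cr_uid != euid) {
		change_euid(newcred, euid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgid_args {
	gid_t	gid;
};
#endif
/*
 * setgid(2): set the real, effective and saved gid.
 *
 * Mirrors setuid(); the effective gid is cr_groups[0].  Without privilege
 * the new gid must equal the current real gid (or, per the #ifdefs below,
 * the saved or effective gid), else suser_xxx(PRISON_ROOT) must succeed.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setgid(td, uap)
	struct thread *td;
	struct setgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t gid;
	int error;

	gid = uap->gid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setgid(getegid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setgid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * For notes on the logic here, see setuid() above.
	 */
	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
#ifdef _POSIX_SAVED_IDS
	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    gid != oldcred->cr_groups[0] &&	/* allow setgid(getegid()) */
#endif
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;

	newcred = crdup(oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or gid == egid)
	 * If so, we are changing the real gid and saved gid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
	    gid == oldcred->cr_groups[0] ||
#endif
	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set real gid
		 */
		if (oldcred->cr_rgid != gid) {
			change_rgid(newcred, gid);
			setsugid(p);
		}
		/*
		 * Set saved gid
		 *
		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
		 * the security of setegid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (oldcred->cr_svgid != gid) {
			change_svgid(newcred, gid);
			setsugid(p);
		}
	}
	/*
	 * In all permitted cases, we are changing the egid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (oldcred->cr_groups[0] != gid) {
		change_egid(newcred, gid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setegid_args {
	gid_t	egid;
};
#endif
/*
 * setegid(2): set only the effective gid (cr_groups[0]).
 *
 * Without privilege egid must equal the current real or saved gid;
 * otherwise suser_xxx(PRISON_ROOT) gates the change with EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setegid(td, uap)
	struct thread *td;
	struct setegid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid;
	int error;

	egid = uap->egid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * MPSAFE
 */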
834 /* ARGSUSED */ 835 int 836 setgroups(td, uap) 837 struct thread *td; 838 struct setgroups_args *uap; 839 { 840 struct proc *p = td->td_proc; 841 struct ucred *newcred, *oldcred; 842 u_int ngrp; 843 int error; 844 845 ngrp = uap->gidsetsize; 846 mtx_lock(&Giant); 847 oldcred = p->p_ucred; 848 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 849 goto done2; 850 if (ngrp > NGROUPS) { 851 error = EINVAL; 852 goto done2; 853 } 854 /* 855 * XXX A little bit lazy here. We could test if anything has 856 * changed before crcopy() and setting P_SUGID. 857 */ 858 newcred = crdup(oldcred); 859 if (ngrp < 1) { 860 /* 861 * setgroups(0, NULL) is a legitimate way of clearing the 862 * groups vector on non-BSD systems (which generally do not 863 * have the egid in the groups[0]). We risk security holes 864 * when running non-BSD software if we do not do the same. 865 */ 866 newcred->cr_ngroups = 1; 867 } else { 868 if ((error = copyin((caddr_t)uap->gidset, 869 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 870 crfree(newcred); 871 goto done2; 872 } 873 newcred->cr_ngroups = ngrp; 874 } 875 setsugid(p); 876 p->p_ucred = newcred; 877 crfree(oldcred); 878 done2: 879 mtx_unlock(&Giant); 880 return (error); 881 } 882 883 #ifndef _SYS_SYSPROTO_H_ 884 struct setreuid_args { 885 uid_t ruid; 886 uid_t euid; 887 }; 888 #endif 889 /* 890 * MPSAFE 891 */ 892 /* ARGSUSED */ 893 int 894 setreuid(td, uap) 895 register struct thread *td; 896 struct setreuid_args *uap; 897 { 898 struct proc *p = td->td_proc; 899 struct ucred *newcred, *oldcred; 900 uid_t euid, ruid; 901 int error; 902 903 euid = uap->euid; 904 ruid = uap->ruid; 905 mtx_lock(&Giant); 906 error = 0; 907 oldcred = p->p_ucred; 908 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 909 ruid != oldcred->cr_svuid) || 910 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 911 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 912 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 913 goto done2; 914 
newcred = crdup(oldcred); 915 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 916 change_euid(newcred, euid); 917 setsugid(p); 918 } 919 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 920 change_ruid(newcred, ruid); 921 setsugid(p); 922 } 923 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 924 newcred->cr_svuid != newcred->cr_uid) { 925 change_svuid(newcred, newcred->cr_uid); 926 setsugid(p); 927 } 928 p->p_ucred = newcred; 929 crfree(oldcred); 930 done2: 931 mtx_unlock(&Giant); 932 return (error); 933 } 934 935 #ifndef _SYS_SYSPROTO_H_ 936 struct setregid_args { 937 gid_t rgid; 938 gid_t egid; 939 }; 940 #endif 941 /* 942 * MPSAFE 943 */ 944 /* ARGSUSED */ 945 int 946 setregid(td, uap) 947 register struct thread *td; 948 struct setregid_args *uap; 949 { 950 struct proc *p = td->td_proc; 951 struct ucred *newcred, *oldcred; 952 gid_t egid, rgid; 953 int error; 954 955 egid = uap->egid; 956 rgid = uap->rgid; 957 mtx_lock(&Giant); 958 error = 0; 959 oldcred = p->p_ucred; 960 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 961 rgid != oldcred->cr_svgid) || 962 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 963 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 964 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 965 goto done2; 966 newcred = crdup(oldcred); 967 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 968 change_egid(newcred, egid); 969 setsugid(p); 970 } 971 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 972 change_rgid(newcred, rgid); 973 setsugid(p); 974 } 975 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 976 newcred->cr_svgid != newcred->cr_groups[0]) { 977 change_svgid(newcred, newcred->cr_groups[0]); 978 setsugid(p); 979 } 980 p->p_ucred = newcred; 981 crfree(oldcred); 982 done2: 983 mtx_unlock(&Giant); 984 return (error); 985 } 986 987 /* 988 * setresuid(ruid, euid, suid) is like setreuid except control over the 989 * saved uid is explicit. 
990 */ 991 992 #ifndef _SYS_SYSPROTO_H_ 993 struct setresuid_args { 994 uid_t ruid; 995 uid_t euid; 996 uid_t suid; 997 }; 998 #endif 999 /* 1000 * MPSAFE 1001 */ 1002 /* ARGSUSED */ 1003 int 1004 setresuid(td, uap) 1005 register struct thread *td; 1006 struct setresuid_args *uap; 1007 { 1008 struct proc *p = td->td_proc; 1009 struct ucred *newcred, *oldcred; 1010 uid_t euid, ruid, suid; 1011 int error; 1012 1013 euid = uap->euid; 1014 ruid = uap->ruid; 1015 suid = uap->suid; 1016 mtx_lock(&Giant); 1017 oldcred = p->p_ucred; 1018 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1019 ruid != oldcred->cr_svuid && 1020 ruid != oldcred->cr_uid) || 1021 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1022 euid != oldcred->cr_svuid && 1023 euid != oldcred->cr_uid) || 1024 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1025 suid != oldcred->cr_svuid && 1026 suid != oldcred->cr_uid)) && 1027 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1028 goto done2; 1029 newcred = crdup(oldcred); 1030 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1031 change_euid(newcred, euid); 1032 setsugid(p); 1033 } 1034 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1035 change_ruid(newcred, ruid); 1036 setsugid(p); 1037 } 1038 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1039 change_svuid(newcred, suid); 1040 setsugid(p); 1041 } 1042 p->p_ucred = newcred; 1043 crfree(oldcred); 1044 error = 0; 1045 done2: 1046 mtx_unlock(&Giant); 1047 return (error); 1048 } 1049 1050 /* 1051 * setresgid(rgid, egid, sgid) is like setregid except control over the 1052 * saved gid is explicit. 
1053 */ 1054 1055 #ifndef _SYS_SYSPROTO_H_ 1056 struct setresgid_args { 1057 gid_t rgid; 1058 gid_t egid; 1059 gid_t sgid; 1060 }; 1061 #endif 1062 /* 1063 * MPSAFE 1064 */ 1065 /* ARGSUSED */ 1066 int 1067 setresgid(td, uap) 1068 register struct thread *td; 1069 struct setresgid_args *uap; 1070 { 1071 struct proc *p = td->td_proc; 1072 struct ucred *newcred, *oldcred; 1073 gid_t egid, rgid, sgid; 1074 int error; 1075 1076 egid = uap->egid; 1077 rgid = uap->rgid; 1078 sgid = uap->sgid; 1079 mtx_lock(&Giant); 1080 oldcred = p->p_ucred; 1081 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1082 rgid != oldcred->cr_svgid && 1083 rgid != oldcred->cr_groups[0]) || 1084 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1085 egid != oldcred->cr_svgid && 1086 egid != oldcred->cr_groups[0]) || 1087 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1088 sgid != oldcred->cr_svgid && 1089 sgid != oldcred->cr_groups[0])) && 1090 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1091 goto done2; 1092 newcred = crdup(oldcred); 1093 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1094 change_egid(newcred, egid); 1095 setsugid(p); 1096 } 1097 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1098 change_rgid(newcred, rgid); 1099 setsugid(p); 1100 } 1101 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1102 change_svgid(newcred, sgid); 1103 setsugid(p); 1104 } 1105 p->p_ucred = newcred; 1106 crfree(oldcred); 1107 error = 0; 1108 done2: 1109 mtx_unlock(&Giant); 1110 return (error); 1111 } 1112 1113 #ifndef _SYS_SYSPROTO_H_ 1114 struct getresuid_args { 1115 uid_t *ruid; 1116 uid_t *euid; 1117 uid_t *suid; 1118 }; 1119 #endif 1120 /* 1121 * MPSAFE 1122 */ 1123 /* ARGSUSED */ 1124 int 1125 getresuid(td, uap) 1126 register struct thread *td; 1127 struct getresuid_args *uap; 1128 { 1129 struct ucred *cred; 1130 struct proc *p = td->td_proc; 1131 int error1 = 0, error2 = 0, error3 = 0; 1132 1133 mtx_lock(&Giant); 1134 cred = p->p_ucred; 1135 if (uap->ruid) 1136 
error1 = copyout((caddr_t)&cred->cr_ruid, 1137 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1138 if (uap->euid) 1139 error2 = copyout((caddr_t)&cred->cr_uid, 1140 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1141 if (uap->suid) 1142 error3 = copyout((caddr_t)&cred->cr_svuid, 1143 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1144 mtx_unlock(&Giant); 1145 return (error1 ? error1 : error2 ? error2 : error3); 1146 } 1147 1148 #ifndef _SYS_SYSPROTO_H_ 1149 struct getresgid_args { 1150 gid_t *rgid; 1151 gid_t *egid; 1152 gid_t *sgid; 1153 }; 1154 #endif 1155 /* 1156 * MPSAFE 1157 */ 1158 /* ARGSUSED */ 1159 int 1160 getresgid(td, uap) 1161 register struct thread *td; 1162 struct getresgid_args *uap; 1163 { 1164 struct ucred *cred; 1165 struct proc *p = td->td_proc; 1166 int error1 = 0, error2 = 0, error3 = 0; 1167 1168 mtx_lock(&Giant); 1169 cred = p->p_ucred; 1170 if (uap->rgid) 1171 error1 = copyout((caddr_t)&cred->cr_rgid, 1172 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1173 if (uap->egid) 1174 error2 = copyout((caddr_t)&cred->cr_groups[0], 1175 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1176 if (uap->sgid) 1177 error3 = copyout((caddr_t)&cred->cr_svgid, 1178 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1179 mtx_unlock(&Giant); 1180 return (error1 ? error1 : error2 ? error2 : error3); 1181 } 1182 1183 #ifndef _SYS_SYSPROTO_H_ 1184 struct issetugid_args { 1185 int dummy; 1186 }; 1187 #endif 1188 /* 1189 * NOT MPSAFE? 1190 */ 1191 /* ARGSUSED */ 1192 int 1193 issetugid(td, uap) 1194 register struct thread *td; 1195 struct issetugid_args *uap; 1196 { 1197 struct proc *p = td->td_proc; 1198 1199 /* 1200 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1201 * we use P_SUGID because we consider changing the owners as 1202 * "tainting" as well. 1203 * This is significant for procs that start as root and "become" 1204 * a user without an exec - programs cannot know *everything* 1205 * that libc *might* have put in their data segment. 
1206 */ 1207 PROC_LOCK(p); 1208 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1209 PROC_UNLOCK(p); 1210 return (0); 1211 } 1212 1213 /* 1214 * MPSAFE 1215 */ 1216 int 1217 __setugid(td, uap) 1218 struct thread *td; 1219 struct __setugid_args *uap; 1220 { 1221 #ifdef REGRESSION 1222 int error; 1223 1224 mtx_lock(&Giant); 1225 error = 0; 1226 switch (uap->flag) { 1227 case 0: 1228 PROC_LOCK(td->td_proc); 1229 td->td_proc->p_flag &= ~P_SUGID; 1230 PROC_UNLOCK(td->td_proc); 1231 break; 1232 case 1: 1233 PROC_LOCK(td->td_proc); 1234 td->td_proc->p_flag |= P_SUGID; 1235 PROC_UNLOCK(td->td_proc); 1236 break; 1237 default: 1238 error = EINVAL; 1239 break; 1240 } 1241 mtx_unlock(&Giant); 1242 return (error); 1243 #else /* !REGRESSION */ 1244 1245 return (ENOSYS); 1246 #endif /* REGRESSION */ 1247 } 1248 1249 /* 1250 * Check if gid is a member of the group set. 1251 */ 1252 int 1253 groupmember(gid, cred) 1254 gid_t gid; 1255 struct ucred *cred; 1256 { 1257 register gid_t *gp; 1258 gid_t *egp; 1259 1260 egp = &(cred->cr_groups[cred->cr_ngroups]); 1261 for (gp = cred->cr_groups; gp < egp; gp++) 1262 if (*gp == gid) 1263 return (1); 1264 return (0); 1265 } 1266 1267 /* 1268 * `suser_enabled' (which can be set by the security.suser_enabled 1269 * sysctl) determines whether the system 'super-user' policy is in effect. 1270 * If it is nonzero, an effective uid of 0 connotes special privilege, 1271 * overriding many mandatory and discretionary protections. If it is zero, 1272 * uid 0 is offered no special privilege in the kernel security policy. 1273 * Setting it to zero may seriously impact the functionality of many 1274 * existing userland programs, and should not be done without careful 1275 * consideration of the consequences. 
1276 */ 1277 int suser_enabled = 1; 1278 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1279 &suser_enabled, 0, "processes with uid 0 have privilege"); 1280 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1281 1282 /* 1283 * Test whether the specified credentials imply "super-user" privilege. 1284 * Return 0 or EPERM. 1285 */ 1286 int 1287 suser(p) 1288 struct proc *p; 1289 { 1290 1291 return (suser_xxx(0, p, 0)); 1292 } 1293 1294 /* 1295 * version for when the thread pointer is available and not the proc. 1296 * (saves having to include proc.h into every file that needs to do the change.) 1297 */ 1298 int 1299 suser_td(td) 1300 struct thread *td; 1301 { 1302 return (suser_xxx(0, td->td_proc, 0)); 1303 } 1304 1305 /* 1306 * wrapper to use if you have the thread on hand but not the proc. 1307 */ 1308 int 1309 suser_xxx_td(cred, td, flag) 1310 struct ucred *cred; 1311 struct thread *td; 1312 int flag; 1313 { 1314 return(suser_xxx(cred, td->td_proc, flag)); 1315 } 1316 1317 int 1318 suser_xxx(cred, proc, flag) 1319 struct ucred *cred; 1320 struct proc *proc; 1321 int flag; 1322 { 1323 if (!suser_enabled) 1324 return (EPERM); 1325 if (!cred && !proc) { 1326 printf("suser_xxx(): THINK!\n"); 1327 return (EPERM); 1328 } 1329 if (cred == NULL) 1330 cred = proc->p_ucred; 1331 if (cred->cr_uid != 0) 1332 return (EPERM); 1333 if (jailed(cred) && !(flag & PRISON_ROOT)) 1334 return (EPERM); 1335 return (0); 1336 } 1337 1338 /* 1339 * Test the active securelevel against a given level. securelevel_gt() 1340 * implements (securelevel > level). securelevel_ge() implements 1341 * (securelevel >= level). Note that the logic is inverted -- these 1342 * functions return EPERM on "success" and 0 on "failure". 1343 * 1344 * cr is permitted to be NULL for the time being, as there were some 1345 * existing securelevel checks that occurred without a process/credential 1346 * context. In the future this will be disallowed, so a kernel message 1347 * is displayed. 
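*/

/*
 * Compute the securelevel in effect for a credential: the global
 * securelevel, raised to the prison's own level when cr is jailed.
 *
 * cr     - credential, or NULL (tolerated for now, see above).  A NULL cr
 *          logs a message tagged with `caller' and yields the global level;
 *          the previous code printed the message and then dereferenced cr
 *          anyway.
 * caller - name of the public entry point, for the diagnostic.
 *
 * Returns the effective securelevel.  Takes and releases the prison mutex
 * around the read of pr_securelevel.
 */
static int
securelevel_active(struct ucred *cr, const char *caller)
{
	int active_securelevel;

	active_securelevel = securelevel;
	if (cr == NULL) {
		printf("%s: cr is NULL\n", caller);
		return (active_securelevel);
	}
	if (cr->cr_prison != NULL) {
		mtx_lock(&cr->cr_prison->pr_mtx);
		/* A prison may only raise the level, never lower it. */
		active_securelevel = imax(cr->cr_prison->pr_securelevel,
		    active_securelevel);
		mtx_unlock(&cr->cr_prison->pr_mtx);
	}
	return (active_securelevel);
}

/*
 * EPERM if the active securelevel for cr is strictly greater than level,
 * 0 otherwise.
 */
int
securelevel_gt(struct ucred *cr, int level)
{

	return (securelevel_active(cr, "securelevel_gt") > level ? EPERM : 0);
}

/*
 * EPERM if the active securelevel for cr is greater than or equal to
 * level, 0 otherwise.  (The diagnostic now names this function rather
 * than securelevel_gt.)
 */
int
securelevel_ge(struct ucred *cr, int level)
{

	return (securelevel_active(cr, "securelevel_ge") >= level ? EPERM : 0);
}

/*
 * 'see_other_uids' determines whether or not visibility of processes
 * and sockets with credentials holding different real uids is possible
 * using a variety of system MIBs.
 * XXX: data declarations should be together near the beginning of the file.
 */
static int	see_other_uids = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
    &see_other_uids, 0,
    "Unprivileged processes may see subjects/objects with different real uid");

/*-
 * Determine if u1 "can see" the subject specified by u2.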
* Returns: 0 for permitted, an errno value otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 *             u1 may equal u2, in which case only one reference is required
 *
 * Policy: a jail boundary (prison_check()) is always enforced; beyond that,
 * a differing real uid is only hidden when see_other_uids is off, and
 * super-user privilege (PRISON_ROOT allowed) overrides the hiding.
 * see_other_uids is read without a lock here.
 */
int
cr_cansee(struct ucred *u1, struct ucred *u2)
{
	int error;

	if ((error = prison_check(u1, u2)))
		return (error);
	if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
		/*
		 * ESRCH rather than EPERM -- presumably so a hidden subject
		 * is reported as absent instead of forbidden; confirm with
		 * callers before changing.
		 */
		if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
			return (ESRCH);
	}
	return (0);
}

/*-
 * Determine if p1 "can see" the subject specified by p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
 *        be held.  Normally, p1 will be curproc, and a lock must be held
 *        for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansee(struct proc *p1, struct proc *p2)
{

	/* Wrap cr_cansee() for all functionality. */
	return (cr_cansee(p1->p_ucred, p2->p_ucred));
}

/*-
 * Determine whether cred may deliver the specified signal to proc.
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
 *
 * Checks, in order: jail boundary; the P_SUGID restriction on the signal
 * number; then the uid relationship between cred and proc->p_ucred.
 * Each restriction can be overridden by super-user privilege
 * (PRISON_ROOT allowed).
 */
int
cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
	int error;

	/*
	 * Jail semantics limit the scope of signalling to proc in the
	 * same jail as cred, if cred is in jail.
	 */
	error = prison_check(cred, proc->p_ucred);
	if (error)
		return (error);

	/*
	 * UNIX signal semantics depend on the status of the P_SUGID
	 * bit on the target process.  If the bit is set, then additional
	 * restrictions are placed on the set of available signals.
	 */
	if (proc->p_flag & P_SUGID) {
		switch (signum) {
		case 0:
		case SIGKILL:
		case SIGINT:
		case SIGTERM:
		case SIGSTOP:
		case SIGTTIN:
		case SIGTTOU:
		case SIGTSTP:
		case SIGHUP:
		case SIGUSR1:
		case SIGUSR2:
			/*
			 * Generally, permit job and terminal control
			 * signals (and signal 0, which delivers nothing).
			 */
			break;
		default:
			/* Not permitted without privilege. */
			error = suser_xxx(cred, NULL, PRISON_ROOT);
			if (error)
				return (error);
		}
	}

	/*
	 * Generally, the target credential's ruid or svuid must match the
	 * subject credential's ruid or euid.
	 */
	if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
	    cred->cr_ruid != proc->p_ucred->cr_svuid &&
	    cred->cr_uid != proc->p_ucred->cr_ruid &&
	    cred->cr_uid != proc->p_ucred->cr_svuid) {
		/* Not permitted without privilege. */
		error = suser_xxx(cred, NULL, PRISON_ROOT);
		if (error)
			return (error);
	}

	return (0);
}


/*-
 * Determine whether p1 may deliver the specified signal to p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *        must be held.  Normally, p1 will be curproc, and a lock must
 *        be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 *
 * Two process-level short cuts (self-signalling, and SIGCONT within a
 * session) are granted before the credential check in cr_cansignal().
 */
int
p_cansignal(struct proc *p1, struct proc *p2, int signum)
{

	if (p1 == p2)
		return (0);

	/*
	 * UNIX signalling semantics require that processes in the same
	 * session always be able to deliver SIGCONT to one another,
	 * overriding the remaining protections.
	 */
	if (signum == SIGCONT && p1->p_session == p2->p_session)
		return (0);

	return (cr_cansignal(p1->p_ucred, p2, signum));
}

/*-
 * Determine whether p1 may reschedule p2.
* Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *        must be held.  Normally, p1 will be curproc, and a lock must
 *        be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 *
 * Permitted when p1 == p2, when the real uids match, when p1's effective
 * uid equals p2's real uid, or with super-user privilege (PRISON_ROOT
 * allowed; CAP_SYS_NICE on CAPABILITIES kernels).  A jail boundary is
 * checked first and always wins.
 */
int
p_cansched(struct proc *p1, struct proc *p2)
{
	int error;

	if (p1 == p2)
		return (0);
	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
		return (error);
	if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
		return (0);
	if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
		return (0);
	if (suser_xxx(0, p1, PRISON_ROOT) == 0)
		return (0);

#ifdef CAPABILITIES
	if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT))
		return (0);
#endif

	return (EPERM);
}

/*
 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 * unprivileged inter-process debugging services, including some procfs
 * functionality, ptrace(), and ktrace().  In the past, inter-process
 * debugging has been involved in a variety of security problems, and sites
 * not requiring the service might choose to disable it when hardening
 * systems.
 *
 * XXX: Should modifying and reading this variable require locking?
 * XXX: data declarations should be together near the beginning of the file.
 */
static int	unprivileged_proc_debug = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
    &unprivileged_proc_debug, 0,
    "Unprivileged processes may use process debugging facilities");

/*-
 * Determine whether p1 may debug p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *        must be held.  Normally, p1 will be curproc, and a lock must
 *        be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 *
 * Order of checks: the global unprivileged_proc_debug switch (privilege
 * required when off); self-debugging; jail boundary; then the credential
 * comparison below, which requires privilege unless p2's whole credential
 * (every gid and every uid) is already covered by p1's and p2 has not
 * changed credentials since exec (P_SUGID, see setsugid()).  Finally the
 * securelevel guard for init and the P_INEXEC race guard.
 */
int
p_candebug(struct proc *p1, struct proc *p2)
{
	int credentialchanged, error, grpsubset, i, uidsubset;

	if (!unprivileged_proc_debug) {
		error = suser_xxx(NULL, p1, PRISON_ROOT);
		if (error)
			return (error);
	}
	if (p1 == p2)
		return (0);
	if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
		return (error);

	/*
	 * Is p2's group set a subset of p1's effective group set?  This
	 * includes p2's egid, group access list, rgid, and svgid.
	 * (cr_groups[0] is the egid, so the loop covers it.)
	 */
	grpsubset = 1;
	for (i = 0; i < p2->p_ucred->cr_ngroups; i++) {
		if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) {
			grpsubset = 0;
			break;
		}
	}
	grpsubset = grpsubset &&
	    groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) &&
	    groupmember(p2->p_ucred->cr_svgid, p1->p_ucred);

	/*
	 * Are the uids present in p2's credential equal to p1's
	 * effective uid?  This includes p2's euid, svuid, and ruid.
	 */
	uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid &&
	    p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid &&
	    p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid);

	/*
	 * Has the credential of the process changed since the last exec()?
	 */
	credentialchanged = (p2->p_flag & P_SUGID);

	/*
	 * If p2's gids aren't a subset, or the uids aren't a subset,
	 * or the credential has changed, require appropriate privilege
	 * for p1 to debug p2.  For POSIX.1e capabilities, this will
	 * require CAP_SYS_PTRACE.
	 */
	if (!grpsubset || !uidsubset || credentialchanged) {
		error = suser_xxx(NULL, p1, PRISON_ROOT);
		if (error)
			return (error);
	}

	/* Can't trace init when securelevel > 0. */
	if (p2 == initproc) {
		error = securelevel_gt(p1->p_ucred, 0);
		if (error)
			return (error);
	}

	/*
	 * Can't trace a process that's currently exec'ing.
	 * XXX: Note, this is not a security policy decision, it's a
	 * basic correctness/functionality decision.  Therefore, this check
	 * should be moved to the caller's of p_candebug().
	 */
	if ((p2->p_flag & P_INEXEC) != 0)
		return (EAGAIN);

	return (0);
}

/*
 * Allocate a zeroed cred structure.
 *
 * The new credential starts with one reference (owned by the caller) and
 * a mutex taken from the mutex pool; all other fields are zero, so
 * cr_uidinfo/cr_ruidinfo are NULL until set (crfree() tolerates that).
 * May sleep (M_WAITOK).
 */
struct ucred *
crget()
{
	register struct ucred *cr;

	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
	cr->cr_ref = 1;
	cr->cr_mtxp = mtx_pool_find(cr);
	return (cr);
}

/*
 * Claim another reference to a ucred structure.
 * Returns cr for convenience; the caller must later release it with crfree().
 */
struct ucred *
crhold(cr)
	struct ucred *cr;
{

	mtx_lock(cr->cr_mtxp);
	cr->cr_ref++;
	mtx_unlock(cr->cr_mtxp);
	return (cr);
}

/*
 * Free a cred structure.
 * Throws away space when ref count gets to 0.
 *
 * Drops one reference.  When the last one goes, the uidinfo references,
 * the prison reference (if jailed) and the structure itself are released.
 * The mutex is taken from a pool, so it is unlocked -- not destroyed --
 * before the memory is freed.
 */
void
crfree(cr)
	struct ucred *cr;
{
	struct mtx *mtxp = cr->cr_mtxp;

	mtx_lock(mtxp);
	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
	if (--cr->cr_ref == 0) {
		/*
		 * Some callers of crget(), such as nfs_statfs(),
		 * allocate a temporary credential, but don't
		 * allocate a uidinfo structure.
		 */
		/* Safe to unlock: no other reference exists once cr_ref is 0. */
		mtx_unlock(mtxp);
		if (cr->cr_uidinfo != NULL)
			uifree(cr->cr_uidinfo);
		if (cr->cr_ruidinfo != NULL)
			uifree(cr->cr_ruidinfo);
		/*
		 * Free a prison, if any.
		 */
		if (jailed(cr))
			prison_free(cr->cr_prison);
		FREE((caddr_t)cr, M_CRED);
	} else {
		mtx_unlock(mtxp);
	}
}

/*
 * Check to see if this ucred is shared.
*/
/* Returns nonzero when more than one reference to cr is outstanding. */
int
crshared(cr)
	struct ucred *cr;
{
	int shared;

	mtx_lock(cr->cr_mtxp);
	shared = (cr->cr_ref > 1);
	mtx_unlock(cr->cr_mtxp);
	return (shared);
}

/*
 * Copy a ucred's contents from a template.  Does not block.
 *
 * Copies the [cr_startcopy, cr_endcopy) range only, so dest keeps its own
 * reference count and mutex.  The copied uidinfo and prison pointers are
 * re-referenced so that dest owns them independently of src.  dest must
 * not be shared (asserted).
 */
void
crcopy(dest, src)
	struct ucred *dest, *src;
{

	KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
	bcopy(&src->cr_startcopy, &dest->cr_startcopy,
	    (unsigned)((caddr_t)&src->cr_endcopy -
	    (caddr_t)&src->cr_startcopy));
	uihold(dest->cr_uidinfo);
	uihold(dest->cr_ruidinfo);
	if (jailed(dest))
		prison_hold(dest->cr_prison);
}

/*
 * Dup cred struct to a new held one.
 * The returned credential carries a single reference owned by the caller.
 */
struct ucred *
crdup(cr)
	struct ucred *cr;
{
	struct ucred *newcr;

	newcr = crget();
	crcopy(newcr, cr);
	return (newcr);
}

/*
 * Fill in a struct xucred based on a struct ucred.
 *
 * Exports only the euid and the group list; the structure is zeroed first
 * so no kernel stack or padding bytes leak into the result.
 * NOTE(review): the bcopy uses sizeof(cr->cr_groups) -- this assumes
 * xcr->cr_groups is at least that large; verify against the xucred
 * definition if either array size changes.
 */
void
cru2x(cr, xcr)
	struct ucred *cr;
	struct xucred *xcr;
{

	bzero(xcr, sizeof(*xcr));
	xcr->cr_version = XUCRED_VERSION;
	xcr->cr_uid = cr->cr_uid;
	xcr->cr_ngroups = cr->cr_ngroups;
	bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
}

/*
 * small routine to swap a thread's current ucred for the correct one
 * taken from the process.
 *
 * The new reference is taken under the proc lock; the old one is released
 * after the lock is dropped, since crfree() may free the structure.
 */
void
cred_update_thread(struct thread *td)
{
	struct proc *p;
	struct ucred *cred;

	p = td->td_proc;
	cred = td->td_ucred;
	mtx_lock(&Giant);
	PROC_LOCK(p);
	td->td_ucred = crhold(p->p_ucred);
	PROC_UNLOCK(p);
	if (cred != NULL)
		crfree(cred);
	mtx_unlock(&Giant);
}

/*
 * Get login name, if available.
 */
#ifndef _SYS_SYSPROTO_H_
struct getlogin_args {
	char	*namebuf;
	u_int	namelen;
};
#endif
/*
 * MPSAFE
 *
 * Copies up to uap->namelen bytes (clamped to MAXLOGNAME) of the session
 * login name to user space.  The session name is read under the session
 * lock into a stack buffer so the copyout happens without locks held.
 * NOTE(review): when namelen is shorter than the stored name, the caller
 * receives a truncated, possibly unterminated string and no error; the
 * clamp also writes back into uap->namelen.
 */
/* ARGSUSED */
int
getlogin(td, uap)
	struct thread *td;
	struct getlogin_args *uap;
{
	int error;
	char login[MAXLOGNAME];
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	/* Never read past the kernel-side buffer. */
	if (uap->namelen > MAXLOGNAME)
		uap->namelen = MAXLOGNAME;
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	bcopy(p->p_session->s_login, login, uap->namelen);
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	error = copyout((caddr_t) login, (caddr_t) uap->namebuf, uap->namelen);
	mtx_unlock(&Giant);
	return(error);
}

/*
 * Set login name.
 */
#ifndef _SYS_SYSPROTO_H_
struct setlogin_args {
	char	*namebuf;
};
#endif
/*
 * MPSAFE
 *
 * Privileged (super-user, PRISON_ROOT allowed).  The name is copied from
 * user space into a bounded stack buffer before any lock is taken; a name
 * that does not fit (ENAMETOOLONG) is reported as EINVAL.
 */
/* ARGSUSED */
int
setlogin(td, uap)
	struct thread *td;
	struct setlogin_args *uap;
{
	struct proc *p = td->td_proc;
	int error;
	char logintmp[MAXLOGNAME];

	mtx_lock(&Giant);
	if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0)
		goto done2;
	error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
	    sizeof(logintmp), (size_t *)0);
	if (error == ENAMETOOLONG)
		error = EINVAL;
	else if (!error) {
		PGRPSESS_XLOCK();
		PROC_LOCK(p);
		SESS_LOCK(p->p_session);
		/* Whole buffer copied, including the NUL copyinstr placed. */
		(void) memcpy(p->p_session->s_login, logintmp,
		    sizeof(logintmp));
		SESS_UNLOCK(p->p_session);
		PROC_UNLOCK(p);
		PGRPSESS_XUNLOCK();
	}
done2:
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Mark p as having changed credentials (P_SUGID), which tightens the
 * signal and debug checks above.  Also clears the procfs stop mask unless
 * PF_ISUGID asks for stops to be kept across the change.
 */
void
setsugid(p)
	struct proc *p;
{
	p->p_flag |= P_SUGID;
	if (!(p->p_pfsflags & PF_ISUGID))
		p->p_stops = 0;
}

/*-
 * Change a process's effective uid.
 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_euid(newcred, euid)
	struct ucred *newcred;
	uid_t euid;
{

	newcred->cr_uid = euid;
	/* Swap the per-uid accounting reference to the new uid. */
	uifree(newcred->cr_uidinfo);
	newcred->cr_uidinfo = uifind(euid);
}

/*-
 * Change a process's effective gid.
 * Side effects: newcred->cr_gid will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 * The effective gid lives in cr_groups[0]; groupmember() relies on this.
 */
void
change_egid(newcred, egid)
	struct ucred *newcred;
	gid_t egid;
{

	newcred->cr_groups[0] = egid;
}

/*-
 * Change a process's real uid.
 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 *               will be updated, and the old and new cr_ruidinfo proc
 *               counts will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_ruid(newcred, ruid)
	struct ucred *newcred;
	uid_t ruid;
{

	/* Move this process out of the old uid's count and into the new one. */
	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
	newcred->cr_ruid = ruid;
	uifree(newcred->cr_ruidinfo);
	newcred->cr_ruidinfo = uifind(ruid);
	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
}

/*-
 * Change a process's real gid.
 * Side effects: newcred->cr_rgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_rgid(newcred, rgid)
	struct ucred *newcred;
	gid_t rgid;
{

	newcred->cr_rgid = rgid;
}

/*-
 * Change a process's saved uid.
 * Side effects: newcred->cr_svuid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_svuid(newcred, svuid)
	struct ucred *newcred;
	uid_t svuid;
{

	newcred->cr_svuid = svuid;
}

/*-
 * Change a process's saved gid.
 * Side effects: newcred->cr_svgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_svgid(newcred, svgid)
	struct ucred *newcred;
	gid_t svgid;
{

	newcred->cr_svgid = svgid;
}