1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 */ 41 42 /* 43 * System calls related to processes and protection 44 */ 45 46 #include <sys/cdefs.h> 47 __FBSDID("$FreeBSD$"); 48 49 #include "opt_inet.h" 50 #include "opt_inet6.h" 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/acct.h> 55 #include <sys/kdb.h> 56 #include <sys/kernel.h> 57 #include <sys/lock.h> 58 #include <sys/loginclass.h> 59 #include <sys/malloc.h> 60 #include <sys/mutex.h> 61 #include <sys/refcount.h> 62 #include <sys/sx.h> 63 #include <sys/priv.h> 64 #include <sys/proc.h> 65 #include <sys/sysent.h> 66 #include <sys/sysproto.h> 67 #include <sys/jail.h> 68 #include <sys/pioctl.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef REGRESSION 78 FEATURE(regression, 79 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 80 #endif 81 82 #include <security/audit/audit.h> 83 #include <security/mac/mac_framework.h> 84 85 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 86 87 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 88 89 static void crsetgroups_locked(struct ucred *cr, int ngrp, 90 gid_t *groups); 91 92 #ifndef _SYS_SYSPROTO_H_ 93 struct getpid_args { 94 int dummy; 95 }; 96 #endif 97 /* ARGSUSED */ 98 int 99 sys_getpid(struct thread *td, struct getpid_args *uap) 100 { 101 struct proc *p = td->td_proc; 102 103 td->td_retval[0] = p->p_pid; 104 #if defined(COMPAT_43) 105 if (SV_PROC_FLAG(p, SV_AOUT)) 106 td->td_retval[1] = kern_getppid(td); 107 #endif 108 return (0); 109 } 110 111 #ifndef _SYS_SYSPROTO_H_ 112 struct getppid_args { 113 int dummy; 114 }; 115 #endif 116 /* ARGSUSED */ 117 int 118 sys_getppid(struct thread *td, struct getppid_args *uap) 119 { 120 121 td->td_retval[0] = kern_getppid(td); 122 return (0); 123 } 124 125 int 126 kern_getppid(struct thread *td) 127 { 128 struct proc *p = td->td_proc; 129 130 return (p->p_oppid); 131 } 132 133 /* 134 * Get process group ID; note that POSIX getpgrp takes no parameter. 135 */ 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getpgrp_args { 138 int dummy; 139 }; 140 #endif 141 int 142 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 143 { 144 struct proc *p = td->td_proc; 145 146 PROC_LOCK(p); 147 td->td_retval[0] = p->p_pgrp->pg_id; 148 PROC_UNLOCK(p); 149 return (0); 150 } 151 152 /* Get an arbitrary pid's process group id */ 153 #ifndef _SYS_SYSPROTO_H_ 154 struct getpgid_args { 155 pid_t pid; 156 }; 157 #endif 158 int 159 sys_getpgid(struct thread *td, struct getpgid_args *uap) 160 { 161 struct proc *p; 162 int error; 163 164 if (uap->pid == 0) { 165 p = td->td_proc; 166 PROC_LOCK(p); 167 } else { 168 p = pfind(uap->pid); 169 if (p == NULL) 170 return (ESRCH); 171 error = p_cansee(td, p); 172 if (error) { 173 PROC_UNLOCK(p); 174 return (error); 175 } 176 } 177 td->td_retval[0] = p->p_pgrp->pg_id; 178 PROC_UNLOCK(p); 179 return (0); 180 } 181 182 /* 183 * Get an arbitrary pid's session id. 184 */ 185 #ifndef _SYS_SYSPROTO_H_ 186 struct getsid_args { 187 pid_t pid; 188 }; 189 #endif 190 int 191 sys_getsid(struct thread *td, struct getsid_args *uap) 192 { 193 struct proc *p; 194 int error; 195 196 if (uap->pid == 0) { 197 p = td->td_proc; 198 PROC_LOCK(p); 199 } else { 200 p = pfind(uap->pid); 201 if (p == NULL) 202 return (ESRCH); 203 error = p_cansee(td, p); 204 if (error) { 205 PROC_UNLOCK(p); 206 return (error); 207 } 208 } 209 td->td_retval[0] = p->p_session->s_sid; 210 PROC_UNLOCK(p); 211 return (0); 212 } 213 214 #ifndef _SYS_SYSPROTO_H_ 215 struct getuid_args { 216 int dummy; 217 }; 218 #endif 219 /* ARGSUSED */ 220 int 221 sys_getuid(struct thread *td, struct getuid_args *uap) 222 { 223 224 td->td_retval[0] = td->td_ucred->cr_ruid; 225 #if defined(COMPAT_43) 226 td->td_retval[1] = td->td_ucred->cr_uid; 227 #endif 228 return (0); 229 } 230 231 #ifndef _SYS_SYSPROTO_H_ 232 struct geteuid_args { 233 int dummy; 234 }; 235 #endif 236 /* ARGSUSED */ 237 int 238 sys_geteuid(struct thread *td, struct geteuid_args *uap) 239 { 240 241 td->td_retval[0] = td->td_ucred->cr_uid; 242 return (0); 243 } 244 245 #ifndef _SYS_SYSPROTO_H_ 246 struct getgid_args { 247 int dummy; 248 }; 249 #endif 250 /* ARGSUSED */ 251 int 252 sys_getgid(struct thread *td, struct getgid_args *uap) 253 { 254 255 td->td_retval[0] = td->td_ucred->cr_rgid; 256 #if defined(COMPAT_43) 257 td->td_retval[1] = td->td_ucred->cr_groups[0]; 258 #endif 259 return (0); 260 } 261 262 /* 263 * Get effective group ID. The "egid" is groups[0], and could be obtained 264 * via getgroups. This syscall exists because it is somewhat painful to do 265 * correctly in a library function. 266 */ 267 #ifndef _SYS_SYSPROTO_H_ 268 struct getegid_args { 269 int dummy; 270 }; 271 #endif 272 /* ARGSUSED */ 273 int 274 sys_getegid(struct thread *td, struct getegid_args *uap) 275 { 276 277 td->td_retval[0] = td->td_ucred->cr_groups[0]; 278 return (0); 279 } 280 281 #ifndef _SYS_SYSPROTO_H_ 282 struct getgroups_args { 283 u_int gidsetsize; 284 gid_t *gidset; 285 }; 286 #endif 287 int 288 sys_getgroups(struct thread *td, struct getgroups_args *uap) 289 { 290 struct ucred *cred; 291 u_int ngrp; 292 int error; 293 294 cred = td->td_ucred; 295 ngrp = cred->cr_ngroups; 296 297 if (uap->gidsetsize == 0) { 298 error = 0; 299 goto out; 300 } 301 if (uap->gidsetsize < ngrp) 302 return (EINVAL); 303 304 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 305 out: 306 td->td_retval[0] = ngrp; 307 return (error); 308 } 309 310 #ifndef _SYS_SYSPROTO_H_ 311 struct setsid_args { 312 int dummy; 313 }; 314 #endif 315 /* ARGSUSED */ 316 int 317 sys_setsid(struct thread *td, struct setsid_args *uap) 318 { 319 struct pgrp *pgrp; 320 int error; 321 struct proc *p = td->td_proc; 322 struct pgrp *newpgrp; 323 struct session *newsess; 324 325 error = 0; 326 pgrp = NULL; 327 328 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 329 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 330 331 sx_xlock(&proctree_lock); 332 333 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 334 if (pgrp != NULL) 335 PGRP_UNLOCK(pgrp); 336 error = EPERM; 337 } else { 338 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 339 td->td_retval[0] = p->p_pid; 340 newpgrp = NULL; 341 newsess = NULL; 342 } 343 344 sx_xunlock(&proctree_lock); 345 346 if (newpgrp != NULL) 347 free(newpgrp, M_PGRP); 348 if (newsess != NULL) 349 free(newsess, M_SESSION); 350 351 return (error); 352 } 353 354 /* 355 * set process group (setpgid/old setpgrp) 356 * 357 * caller does setpgid(targpid, targpgid) 358 * 359 * pid must be caller or child of caller (ESRCH) 360 * if a child 361 * pid must be in same session (EPERM) 362 * pid can't have done an exec (EACCES) 363 * if pgid != pid 364 * there must exist some pid in same session having pgid (EPERM) 365 * pid must not be session leader (EPERM) 366 */ 367 #ifndef _SYS_SYSPROTO_H_ 368 struct setpgid_args { 369 int pid; /* target process id */ 370 int pgid; /* target pgrp id */ 371 }; 372 #endif 373 /* ARGSUSED */ 374 int 375 sys_setpgid(struct thread *td, struct setpgid_args *uap) 376 { 377 struct proc *curp = td->td_proc; 378 struct proc *targp; /* target process */ 379 struct pgrp *pgrp; /* target pgrp */ 380 int error; 381 struct pgrp *newpgrp; 382 383 if (uap->pgid < 0) 384 return (EINVAL); 385 386 error = 0; 387 388 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 389 390 sx_xlock(&proctree_lock); 391 if (uap->pid != 0 && uap->pid != curp->p_pid) { 392 if ((targp = pfind(uap->pid)) == NULL) { 393 error = ESRCH; 394 goto done; 395 } 396 if (!inferior(targp)) { 397 PROC_UNLOCK(targp); 398 error = ESRCH; 399 goto done; 400 } 401 if ((error = p_cansee(td, targp))) { 402 PROC_UNLOCK(targp); 403 goto done; 404 } 405 if (targp->p_pgrp == NULL || 406 targp->p_session != curp->p_session) { 407 PROC_UNLOCK(targp); 408 error = EPERM; 409 goto done; 410 } 411 if (targp->p_flag & P_EXEC) { 412 PROC_UNLOCK(targp); 413 error = EACCES; 414 goto done; 415 } 416 PROC_UNLOCK(targp); 417 } else 418 targp = curp; 419 if (SESS_LEADER(targp)) { 420 error = EPERM; 421 goto done; 422 } 423 if (uap->pgid == 0) 424 uap->pgid = targp->p_pid; 425 if ((pgrp = pgfind(uap->pgid)) == NULL) { 426 if (uap->pgid == targp->p_pid) { 427 error = enterpgrp(targp, uap->pgid, newpgrp, 428 NULL); 429 if (error == 0) 430 newpgrp = NULL; 431 } else 432 error = EPERM; 433 } else { 434 if (pgrp == targp->p_pgrp) { 435 PGRP_UNLOCK(pgrp); 436 goto done; 437 } 438 if (pgrp->pg_id != targp->p_pid && 439 pgrp->pg_session != curp->p_session) { 440 PGRP_UNLOCK(pgrp); 441 error = EPERM; 442 goto done; 443 } 444 PGRP_UNLOCK(pgrp); 445 error = enterthispgrp(targp, pgrp); 446 } 447 done: 448 sx_xunlock(&proctree_lock); 449 KASSERT((error == 0) || (newpgrp != NULL), 450 ("setpgid failed and newpgrp is NULL")); 451 if (newpgrp != NULL) 452 free(newpgrp, M_PGRP); 453 return (error); 454 } 455 456 /* 457 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 458 * compatible. It says that setting the uid/gid to euid/egid is a special 459 * case of "appropriate privilege". Once the rules are expanded out, this 460 * basically means that setuid(nnn) sets all three id's, in all permitted 461 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 462 * does not set the saved id - this is dangerous for traditional BSD 463 * programs. For this reason, we *really* do not want to set 464 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 465 */ 466 #define POSIX_APPENDIX_B_4_2_2 467 468 #ifndef _SYS_SYSPROTO_H_ 469 struct setuid_args { 470 uid_t uid; 471 }; 472 #endif 473 /* ARGSUSED */ 474 int 475 sys_setuid(struct thread *td, struct setuid_args *uap) 476 { 477 struct proc *p = td->td_proc; 478 struct ucred *newcred, *oldcred; 479 uid_t uid; 480 struct uidinfo *uip; 481 int error; 482 483 uid = uap->uid; 484 AUDIT_ARG_UID(uid); 485 newcred = crget(); 486 uip = uifind(uid); 487 PROC_LOCK(p); 488 /* 489 * Copy credentials so other references do not see our changes. 490 */ 491 oldcred = crcopysafe(p, newcred); 492 493 #ifdef MAC 494 error = mac_cred_check_setuid(oldcred, uid); 495 if (error) 496 goto fail; 497 #endif 498 499 /* 500 * See if we have "permission" by POSIX 1003.1 rules. 501 * 502 * Note that setuid(geteuid()) is a special case of 503 * "appropriate privileges" in appendix B.4.2.2. We need 504 * to use this clause to be compatible with traditional BSD 505 * semantics. Basically, it means that "setuid(xx)" sets all 506 * three id's (assuming you have privs). 507 * 508 * Notes on the logic. We do things in three steps. 509 * 1: We determine if the euid is going to change, and do EPERM 510 * right away. We unconditionally change the euid later if this 511 * test is satisfied, simplifying that part of the logic. 512 * 2: We determine if the real and/or saved uids are going to 513 * change. Determined by compile options. 514 * 3: Change euid last. (after tests in #2 for "appropriate privs") 515 */ 516 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 517 #ifdef _POSIX_SAVED_IDS 518 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 519 #endif 520 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 521 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 522 #endif 523 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 524 goto fail; 525 526 #ifdef _POSIX_SAVED_IDS 527 /* 528 * Do we have "appropriate privileges" (are we root or uid == euid) 529 * If so, we are changing the real uid and/or saved uid. 530 */ 531 if ( 532 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 533 uid == oldcred->cr_uid || 534 #endif 535 /* We are using privs. */ 536 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 537 #endif 538 { 539 /* 540 * Set the real uid and transfer proc count to new user. 541 */ 542 if (uid != oldcred->cr_ruid) { 543 change_ruid(newcred, uip); 544 setsugid(p); 545 } 546 /* 547 * Set saved uid 548 * 549 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 550 * the security of seteuid() depends on it. B.4.2.2 says it 551 * is important that we should do this. 552 */ 553 if (uid != oldcred->cr_svuid) { 554 change_svuid(newcred, uid); 555 setsugid(p); 556 } 557 } 558 559 /* 560 * In all permitted cases, we are changing the euid. 561 */ 562 if (uid != oldcred->cr_uid) { 563 change_euid(newcred, uip); 564 setsugid(p); 565 } 566 proc_set_cred(p, newcred); 567 #ifdef RACCT 568 racct_proc_ucred_changed(p, oldcred, newcred); 569 crhold(newcred); 570 #endif 571 PROC_UNLOCK(p); 572 #ifdef RCTL 573 rctl_proc_ucred_changed(p, newcred); 574 crfree(newcred); 575 #endif 576 uifree(uip); 577 crfree(oldcred); 578 return (0); 579 580 fail: 581 PROC_UNLOCK(p); 582 uifree(uip); 583 crfree(newcred); 584 return (error); 585 } 586 587 #ifndef _SYS_SYSPROTO_H_ 588 struct seteuid_args { 589 uid_t euid; 590 }; 591 #endif 592 /* ARGSUSED */ 593 int 594 sys_seteuid(struct thread *td, struct seteuid_args *uap) 595 { 596 struct proc *p = td->td_proc; 597 struct ucred *newcred, *oldcred; 598 uid_t euid; 599 struct uidinfo *euip; 600 int error; 601 602 euid = uap->euid; 603 AUDIT_ARG_EUID(euid); 604 newcred = crget(); 605 euip = uifind(euid); 606 PROC_LOCK(p); 607 /* 608 * Copy credentials so other references do not see our changes. 609 */ 610 oldcred = crcopysafe(p, newcred); 611 612 #ifdef MAC 613 error = mac_cred_check_seteuid(oldcred, euid); 614 if (error) 615 goto fail; 616 #endif 617 618 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 619 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 620 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 621 goto fail; 622 623 /* 624 * Everything's okay, do it. 625 */ 626 if (oldcred->cr_uid != euid) { 627 change_euid(newcred, euip); 628 setsugid(p); 629 } 630 proc_set_cred(p, newcred); 631 PROC_UNLOCK(p); 632 uifree(euip); 633 crfree(oldcred); 634 return (0); 635 636 fail: 637 PROC_UNLOCK(p); 638 uifree(euip); 639 crfree(newcred); 640 return (error); 641 } 642 643 #ifndef _SYS_SYSPROTO_H_ 644 struct setgid_args { 645 gid_t gid; 646 }; 647 #endif 648 /* ARGSUSED */ 649 int 650 sys_setgid(struct thread *td, struct setgid_args *uap) 651 { 652 struct proc *p = td->td_proc; 653 struct ucred *newcred, *oldcred; 654 gid_t gid; 655 int error; 656 657 gid = uap->gid; 658 AUDIT_ARG_GID(gid); 659 newcred = crget(); 660 PROC_LOCK(p); 661 oldcred = crcopysafe(p, newcred); 662 663 #ifdef MAC 664 error = mac_cred_check_setgid(oldcred, gid); 665 if (error) 666 goto fail; 667 #endif 668 669 /* 670 * See if we have "permission" by POSIX 1003.1 rules. 671 * 672 * Note that setgid(getegid()) is a special case of 673 * "appropriate privileges" in appendix B.4.2.2. We need 674 * to use this clause to be compatible with traditional BSD 675 * semantics. Basically, it means that "setgid(xx)" sets all 676 * three id's (assuming you have privs). 677 * 678 * For notes on the logic here, see setuid() above. 679 */ 680 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 681 #ifdef _POSIX_SAVED_IDS 682 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 683 #endif 684 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 685 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 686 #endif 687 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 688 goto fail; 689 690 #ifdef _POSIX_SAVED_IDS 691 /* 692 * Do we have "appropriate privileges" (are we root or gid == egid) 693 * If so, we are changing the real uid and saved gid. 694 */ 695 if ( 696 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 697 gid == oldcred->cr_groups[0] || 698 #endif 699 /* We are using privs. */ 700 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 701 #endif 702 { 703 /* 704 * Set real gid 705 */ 706 if (oldcred->cr_rgid != gid) { 707 change_rgid(newcred, gid); 708 setsugid(p); 709 } 710 /* 711 * Set saved gid 712 * 713 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 714 * the security of setegid() depends on it. B.4.2.2 says it 715 * is important that we should do this. 716 */ 717 if (oldcred->cr_svgid != gid) { 718 change_svgid(newcred, gid); 719 setsugid(p); 720 } 721 } 722 /* 723 * In all cases permitted cases, we are changing the egid. 724 * Copy credentials so other references do not see our changes. 725 */ 726 if (oldcred->cr_groups[0] != gid) { 727 change_egid(newcred, gid); 728 setsugid(p); 729 } 730 proc_set_cred(p, newcred); 731 PROC_UNLOCK(p); 732 crfree(oldcred); 733 return (0); 734 735 fail: 736 PROC_UNLOCK(p); 737 crfree(newcred); 738 return (error); 739 } 740 741 #ifndef _SYS_SYSPROTO_H_ 742 struct setegid_args { 743 gid_t egid; 744 }; 745 #endif 746 /* ARGSUSED */ 747 int 748 sys_setegid(struct thread *td, struct setegid_args *uap) 749 { 750 struct proc *p = td->td_proc; 751 struct ucred *newcred, *oldcred; 752 gid_t egid; 753 int error; 754 755 egid = uap->egid; 756 AUDIT_ARG_EGID(egid); 757 newcred = crget(); 758 PROC_LOCK(p); 759 oldcred = crcopysafe(p, newcred); 760 761 #ifdef MAC 762 error = mac_cred_check_setegid(oldcred, egid); 763 if (error) 764 goto fail; 765 #endif 766 767 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 768 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 769 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 770 goto fail; 771 772 if (oldcred->cr_groups[0] != egid) { 773 change_egid(newcred, egid); 774 setsugid(p); 775 } 776 proc_set_cred(p, newcred); 777 PROC_UNLOCK(p); 778 crfree(oldcred); 779 return (0); 780 781 fail: 782 PROC_UNLOCK(p); 783 crfree(newcred); 784 return (error); 785 } 786 787 #ifndef _SYS_SYSPROTO_H_ 788 struct setgroups_args { 789 u_int gidsetsize; 790 gid_t *gidset; 791 }; 792 #endif 793 /* ARGSUSED */ 794 int 795 sys_setgroups(struct thread *td, struct setgroups_args *uap) 796 { 797 gid_t smallgroups[XU_NGROUPS]; 798 gid_t *groups; 799 u_int gidsetsize; 800 int error; 801 802 gidsetsize = uap->gidsetsize; 803 if (gidsetsize > ngroups_max + 1) 804 return (EINVAL); 805 806 if (gidsetsize > XU_NGROUPS) 807 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 808 else 809 groups = smallgroups; 810 811 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 812 if (error == 0) 813 error = kern_setgroups(td, gidsetsize, groups); 814 815 if (gidsetsize > XU_NGROUPS) 816 free(groups, M_TEMP); 817 return (error); 818 } 819 820 int 821 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 822 { 823 struct proc *p = td->td_proc; 824 struct ucred *newcred, *oldcred; 825 int error; 826 827 MPASS(ngrp <= ngroups_max + 1); 828 AUDIT_ARG_GROUPSET(groups, ngrp); 829 newcred = crget(); 830 crextend(newcred, ngrp); 831 PROC_LOCK(p); 832 oldcred = crcopysafe(p, newcred); 833 834 #ifdef MAC 835 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 836 if (error) 837 goto fail; 838 #endif 839 840 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 841 if (error) 842 goto fail; 843 844 if (ngrp == 0) { 845 /* 846 * setgroups(0, NULL) is a legitimate way of clearing the 847 * groups vector on non-BSD systems (which generally do not 848 * have the egid in the groups[0]). We risk security holes 849 * when running non-BSD software if we do not do the same. 850 */ 851 newcred->cr_ngroups = 1; 852 } else { 853 crsetgroups_locked(newcred, ngrp, groups); 854 } 855 setsugid(p); 856 proc_set_cred(p, newcred); 857 PROC_UNLOCK(p); 858 crfree(oldcred); 859 return (0); 860 861 fail: 862 PROC_UNLOCK(p); 863 crfree(newcred); 864 return (error); 865 } 866 867 #ifndef _SYS_SYSPROTO_H_ 868 struct setreuid_args { 869 uid_t ruid; 870 uid_t euid; 871 }; 872 #endif 873 /* ARGSUSED */ 874 int 875 sys_setreuid(struct thread *td, struct setreuid_args *uap) 876 { 877 struct proc *p = td->td_proc; 878 struct ucred *newcred, *oldcred; 879 uid_t euid, ruid; 880 struct uidinfo *euip, *ruip; 881 int error; 882 883 euid = uap->euid; 884 ruid = uap->ruid; 885 AUDIT_ARG_EUID(euid); 886 AUDIT_ARG_RUID(ruid); 887 newcred = crget(); 888 euip = uifind(euid); 889 ruip = uifind(ruid); 890 PROC_LOCK(p); 891 oldcred = crcopysafe(p, newcred); 892 893 #ifdef MAC 894 error = mac_cred_check_setreuid(oldcred, ruid, euid); 895 if (error) 896 goto fail; 897 #endif 898 899 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 900 ruid != oldcred->cr_svuid) || 901 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 902 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 903 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 904 goto fail; 905 906 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 907 change_euid(newcred, euip); 908 setsugid(p); 909 } 910 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 911 change_ruid(newcred, ruip); 912 setsugid(p); 913 } 914 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 915 newcred->cr_svuid != newcred->cr_uid) { 916 change_svuid(newcred, newcred->cr_uid); 917 setsugid(p); 918 } 919 proc_set_cred(p, newcred); 920 #ifdef RACCT 921 racct_proc_ucred_changed(p, oldcred, newcred); 922 crhold(newcred); 923 #endif 924 PROC_UNLOCK(p); 925 #ifdef RCTL 926 rctl_proc_ucred_changed(p, newcred); 927 crfree(newcred); 928 #endif 929 uifree(ruip); 930 uifree(euip); 931 crfree(oldcred); 932 return (0); 933 934 fail: 935 PROC_UNLOCK(p); 936 uifree(ruip); 937 uifree(euip); 938 crfree(newcred); 939 return (error); 940 } 941 942 #ifndef _SYS_SYSPROTO_H_ 943 struct setregid_args { 944 gid_t rgid; 945 gid_t egid; 946 }; 947 #endif 948 /* ARGSUSED */ 949 int 950 sys_setregid(struct thread *td, struct setregid_args *uap) 951 { 952 struct proc *p = td->td_proc; 953 struct ucred *newcred, *oldcred; 954 gid_t egid, rgid; 955 int error; 956 957 egid = uap->egid; 958 rgid = uap->rgid; 959 AUDIT_ARG_EGID(egid); 960 AUDIT_ARG_RGID(rgid); 961 newcred = crget(); 962 PROC_LOCK(p); 963 oldcred = crcopysafe(p, newcred); 964 965 #ifdef MAC 966 error = mac_cred_check_setregid(oldcred, rgid, egid); 967 if (error) 968 goto fail; 969 #endif 970 971 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 972 rgid != oldcred->cr_svgid) || 973 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 974 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 975 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 976 goto fail; 977 978 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 979 change_egid(newcred, egid); 980 setsugid(p); 981 } 982 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 983 change_rgid(newcred, rgid); 984 setsugid(p); 985 } 986 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 987 newcred->cr_svgid != newcred->cr_groups[0]) { 988 change_svgid(newcred, newcred->cr_groups[0]); 989 setsugid(p); 990 } 991 proc_set_cred(p, newcred); 992 PROC_UNLOCK(p); 993 crfree(oldcred); 994 return (0); 995 996 fail: 997 PROC_UNLOCK(p); 998 crfree(newcred); 999 return (error); 1000 } 1001 1002 /* 1003 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1004 * uid is explicit. 1005 */ 1006 #ifndef _SYS_SYSPROTO_H_ 1007 struct setresuid_args { 1008 uid_t ruid; 1009 uid_t euid; 1010 uid_t suid; 1011 }; 1012 #endif 1013 /* ARGSUSED */ 1014 int 1015 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1016 { 1017 struct proc *p = td->td_proc; 1018 struct ucred *newcred, *oldcred; 1019 uid_t euid, ruid, suid; 1020 struct uidinfo *euip, *ruip; 1021 int error; 1022 1023 euid = uap->euid; 1024 ruid = uap->ruid; 1025 suid = uap->suid; 1026 AUDIT_ARG_EUID(euid); 1027 AUDIT_ARG_RUID(ruid); 1028 AUDIT_ARG_SUID(suid); 1029 newcred = crget(); 1030 euip = uifind(euid); 1031 ruip = uifind(ruid); 1032 PROC_LOCK(p); 1033 oldcred = crcopysafe(p, newcred); 1034 1035 #ifdef MAC 1036 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1037 if (error) 1038 goto fail; 1039 #endif 1040 1041 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1042 ruid != oldcred->cr_svuid && 1043 ruid != oldcred->cr_uid) || 1044 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1045 euid != oldcred->cr_svuid && 1046 euid != oldcred->cr_uid) || 1047 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1048 suid != oldcred->cr_svuid && 1049 suid != oldcred->cr_uid)) && 1050 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1051 goto fail; 1052 1053 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1054 change_euid(newcred, euip); 1055 setsugid(p); 1056 } 1057 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1058 change_ruid(newcred, ruip); 1059 setsugid(p); 1060 } 1061 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1062 change_svuid(newcred, suid); 1063 setsugid(p); 1064 } 1065 proc_set_cred(p, newcred); 1066 #ifdef RACCT 1067 racct_proc_ucred_changed(p, oldcred, newcred); 1068 crhold(newcred); 1069 #endif 1070 PROC_UNLOCK(p); 1071 #ifdef RCTL 1072 rctl_proc_ucred_changed(p, newcred); 1073 crfree(newcred); 1074 #endif 1075 uifree(ruip); 1076 uifree(euip); 1077 crfree(oldcred); 1078 return (0); 1079 1080 fail: 1081 PROC_UNLOCK(p); 1082 uifree(ruip); 1083 uifree(euip); 1084 crfree(newcred); 1085 return (error); 1086 1087 } 1088 1089 /* 1090 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1091 * gid is explicit. 1092 */ 1093 #ifndef _SYS_SYSPROTO_H_ 1094 struct setresgid_args { 1095 gid_t rgid; 1096 gid_t egid; 1097 gid_t sgid; 1098 }; 1099 #endif 1100 /* ARGSUSED */ 1101 int 1102 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1103 { 1104 struct proc *p = td->td_proc; 1105 struct ucred *newcred, *oldcred; 1106 gid_t egid, rgid, sgid; 1107 int error; 1108 1109 egid = uap->egid; 1110 rgid = uap->rgid; 1111 sgid = uap->sgid; 1112 AUDIT_ARG_EGID(egid); 1113 AUDIT_ARG_RGID(rgid); 1114 AUDIT_ARG_SGID(sgid); 1115 newcred = crget(); 1116 PROC_LOCK(p); 1117 oldcred = crcopysafe(p, newcred); 1118 1119 #ifdef MAC 1120 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1121 if (error) 1122 goto fail; 1123 #endif 1124 1125 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1126 rgid != oldcred->cr_svgid && 1127 rgid != oldcred->cr_groups[0]) || 1128 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1129 egid != oldcred->cr_svgid && 1130 egid != oldcred->cr_groups[0]) || 1131 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1132 sgid != oldcred->cr_svgid && 1133 sgid != oldcred->cr_groups[0])) && 1134 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1135 goto fail; 1136 1137 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1138 change_egid(newcred, egid); 1139 setsugid(p); 1140 } 1141 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1142 change_rgid(newcred, rgid); 1143 setsugid(p); 1144 } 1145 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1146 change_svgid(newcred, sgid); 1147 setsugid(p); 1148 } 1149 proc_set_cred(p, newcred); 1150 PROC_UNLOCK(p); 1151 crfree(oldcred); 1152 return (0); 1153 1154 fail: 1155 PROC_UNLOCK(p); 1156 crfree(newcred); 1157 return (error); 1158 } 1159 1160 #ifndef _SYS_SYSPROTO_H_ 1161 struct getresuid_args { 1162 uid_t *ruid; 1163 uid_t *euid; 1164 uid_t *suid; 1165 }; 1166 #endif 1167 /* ARGSUSED */ 1168 int 1169 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1170 { 1171 struct ucred *cred; 1172 int error1 = 0, error2 = 0, error3 = 0; 1173 1174 cred = td->td_ucred; 1175 if (uap->ruid) 1176 error1 = copyout(&cred->cr_ruid, 1177 uap->ruid, sizeof(cred->cr_ruid)); 1178 if (uap->euid) 1179 error2 = copyout(&cred->cr_uid, 1180 uap->euid, sizeof(cred->cr_uid)); 1181 if (uap->suid) 1182 error3 = copyout(&cred->cr_svuid, 1183 uap->suid, sizeof(cred->cr_svuid)); 1184 return (error1 ? error1 : error2 ? error2 : error3); 1185 } 1186 1187 #ifndef _SYS_SYSPROTO_H_ 1188 struct getresgid_args { 1189 gid_t *rgid; 1190 gid_t *egid; 1191 gid_t *sgid; 1192 }; 1193 #endif 1194 /* ARGSUSED */ 1195 int 1196 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1197 { 1198 struct ucred *cred; 1199 int error1 = 0, error2 = 0, error3 = 0; 1200 1201 cred = td->td_ucred; 1202 if (uap->rgid) 1203 error1 = copyout(&cred->cr_rgid, 1204 uap->rgid, sizeof(cred->cr_rgid)); 1205 if (uap->egid) 1206 error2 = copyout(&cred->cr_groups[0], 1207 uap->egid, sizeof(cred->cr_groups[0])); 1208 if (uap->sgid) 1209 error3 = copyout(&cred->cr_svgid, 1210 uap->sgid, sizeof(cred->cr_svgid)); 1211 return (error1 ? error1 : error2 ? error2 : error3); 1212 } 1213 1214 #ifndef _SYS_SYSPROTO_H_ 1215 struct issetugid_args { 1216 int dummy; 1217 }; 1218 #endif 1219 /* ARGSUSED */ 1220 int 1221 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1222 { 1223 struct proc *p = td->td_proc; 1224 1225 /* 1226 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1227 * we use P_SUGID because we consider changing the owners as 1228 * "tainting" as well. 1229 * This is significant for procs that start as root and "become" 1230 * a user without an exec - programs cannot know *everything* 1231 * that libc *might* have put in their data segment. 1232 */ 1233 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1234 return (0); 1235 } 1236 1237 int 1238 sys___setugid(struct thread *td, struct __setugid_args *uap) 1239 { 1240 #ifdef REGRESSION 1241 struct proc *p; 1242 1243 p = td->td_proc; 1244 switch (uap->flag) { 1245 case 0: 1246 PROC_LOCK(p); 1247 p->p_flag &= ~P_SUGID; 1248 PROC_UNLOCK(p); 1249 return (0); 1250 case 1: 1251 PROC_LOCK(p); 1252 p->p_flag |= P_SUGID; 1253 PROC_UNLOCK(p); 1254 return (0); 1255 default: 1256 return (EINVAL); 1257 } 1258 #else /* !REGRESSION */ 1259 1260 return (ENOSYS); 1261 #endif /* REGRESSION */ 1262 } 1263 1264 /* 1265 * Check if gid is a member of the group set. 1266 */ 1267 int 1268 groupmember(gid_t gid, struct ucred *cred) 1269 { 1270 int l; 1271 int h; 1272 int m; 1273 1274 if (cred->cr_groups[0] == gid) 1275 return(1); 1276 1277 /* 1278 * If gid was not our primary group, perform a binary search 1279 * of the supplemental groups. This is possible because we 1280 * sort the groups in crsetgroups(). 1281 */ 1282 l = 1; 1283 h = cred->cr_ngroups; 1284 while (l < h) { 1285 m = l + ((h - l) / 2); 1286 if (cred->cr_groups[m] < gid) 1287 l = m + 1; 1288 else 1289 h = m; 1290 } 1291 if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) 1292 return (1); 1293 1294 return (0); 1295 } 1296 1297 /* 1298 * Test the active securelevel against a given level. securelevel_gt() 1299 * implements (securelevel > level). securelevel_ge() implements 1300 * (securelevel >= level). Note that the logic is inverted -- these 1301 * functions return EPERM on "success" and 0 on "failure". 1302 * 1303 * Due to care taken when setting the securelevel, we know that no jail will 1304 * be less secure that its parent (or the physical system), so it is sufficient 1305 * to test the current jail only. 1306 * 1307 * XXXRW: Possibly since this has to do with privilege, it should move to 1308 * kern_priv.c. 1309 */ 1310 int 1311 securelevel_gt(struct ucred *cr, int level) 1312 { 1313 1314 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1315 } 1316 1317 int 1318 securelevel_ge(struct ucred *cr, int level) 1319 { 1320 1321 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1322 } 1323 1324 /* 1325 * 'see_other_uids' determines whether or not visibility of processes 1326 * and sockets with credentials holding different real uids is possible 1327 * using a variety of system MIBs. 1328 * XXX: data declarations should be together near the beginning of the file. 1329 */ 1330 static int see_other_uids = 1; 1331 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1332 &see_other_uids, 0, 1333 "Unprivileged processes may see subjects/objects with different real uid"); 1334 1335 /*- 1336 * Determine if u1 "can see" the subject specified by u2, according to the 1337 * 'see_other_uids' policy. 1338 * Returns: 0 for permitted, ESRCH otherwise 1339 * Locks: none 1340 * References: *u1 and *u2 must not change during the call 1341 * u1 may equal u2, in which case only one reference is required 1342 */ 1343 int 1344 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1345 { 1346 1347 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1348 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1349 return (ESRCH); 1350 } 1351 return (0); 1352 } 1353 1354 /* 1355 * 'see_other_gids' determines whether or not visibility of processes 1356 * and sockets with credentials holding different real gids is possible 1357 * using a variety of system MIBs. 1358 * XXX: data declarations should be together near the beginning of the file. 1359 */ 1360 static int see_other_gids = 1; 1361 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1362 &see_other_gids, 0, 1363 "Unprivileged processes may see subjects/objects with different real gid"); 1364 1365 /* 1366 * Determine if u1 can "see" the subject specified by u2, according to the 1367 * 'see_other_gids' policy. 1368 * Returns: 0 for permitted, ESRCH otherwise 1369 * Locks: none 1370 * References: *u1 and *u2 must not change during the call 1371 * u1 may equal u2, in which case only one reference is required 1372 */ 1373 int 1374 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1375 { 1376 int i, match; 1377 1378 if (!see_other_gids) { 1379 match = 0; 1380 for (i = 0; i < u1->cr_ngroups; i++) { 1381 if (groupmember(u1->cr_groups[i], u2)) 1382 match = 1; 1383 if (match) 1384 break; 1385 } 1386 if (!match) { 1387 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1388 return (ESRCH); 1389 } 1390 } 1391 return (0); 1392 } 1393 1394 /* 1395 * 'see_jail_proc' determines whether or not visibility of processes and 1396 * sockets with credentials holding different jail ids is possible using a 1397 * variety of system MIBs. 1398 * 1399 * XXX: data declarations should be together near the beginning of the file. 1400 */ 1401 1402 static int see_jail_proc = 1; 1403 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1404 &see_jail_proc, 0, 1405 "Unprivileged processes may see subjects/objects with different jail ids"); 1406 1407 /*- 1408 * Determine if u1 "can see" the subject specified by u2, according to the 1409 * 'see_jail_proc' policy. 1410 * Returns: 0 for permitted, ESRCH otherwise 1411 * Locks: none 1412 * References: *u1 and *u2 must not change during the call 1413 * u1 may equal u2, in which case only one reference is required 1414 */ 1415 int 1416 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1417 { 1418 if (u1->cr_uid == 0) 1419 return (0); 1420 return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0); 1421 } 1422 1423 /*- 1424 * Determine if u1 "can see" the subject specified by u2. 1425 * Returns: 0 for permitted, an errno value otherwise 1426 * Locks: none 1427 * References: *u1 and *u2 must not change during the call 1428 * u1 may equal u2, in which case only one reference is required 1429 */ 1430 int 1431 cr_cansee(struct ucred *u1, struct ucred *u2) 1432 { 1433 int error; 1434 1435 if ((error = prison_check(u1, u2))) 1436 return (error); 1437 #ifdef MAC 1438 if ((error = mac_cred_check_visible(u1, u2))) 1439 return (error); 1440 #endif 1441 if ((error = cr_canseeotheruids(u1, u2))) 1442 return (error); 1443 if ((error = cr_canseeothergids(u1, u2))) 1444 return (error); 1445 if ((error = cr_canseejailproc(u1, u2))) 1446 return (error); 1447 return (0); 1448 } 1449 1450 /*- 1451 * Determine if td "can see" the subject specified by p. 1452 * Returns: 0 for permitted, an errno value otherwise 1453 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1454 * should be curthread. 1455 * References: td and p must be valid for the lifetime of the call 1456 */ 1457 int 1458 p_cansee(struct thread *td, struct proc *p) 1459 { 1460 1461 /* Wrap cr_cansee() for all functionality. */ 1462 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1463 PROC_LOCK_ASSERT(p, MA_OWNED); 1464 return (cr_cansee(td->td_ucred, p->p_ucred)); 1465 } 1466 1467 /* 1468 * 'conservative_signals' prevents the delivery of a broad class of 1469 * signals by unprivileged processes to processes that have changed their 1470 * credentials since the last invocation of execve(). This can prevent 1471 * the leakage of cached information or retained privileges as a result 1472 * of a common class of signal-related vulnerabilities. However, this 1473 * may interfere with some applications that expect to be able to 1474 * deliver these signals to peer processes after having given up 1475 * privilege. 1476 */ 1477 static int conservative_signals = 1; 1478 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1479 &conservative_signals, 0, "Unprivileged processes prevented from " 1480 "sending certain signals to processes whose credentials have changed"); 1481 /*- 1482 * Determine whether cred may deliver the specified signal to proc. 1483 * Returns: 0 for permitted, an errno value otherwise. 1484 * Locks: A lock must be held for proc. 1485 * References: cred and proc must be valid for the lifetime of the call. 1486 */ 1487 int 1488 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1489 { 1490 int error; 1491 1492 PROC_LOCK_ASSERT(proc, MA_OWNED); 1493 /* 1494 * Jail semantics limit the scope of signalling to proc in the 1495 * same jail as cred, if cred is in jail. 1496 */ 1497 error = prison_check(cred, proc->p_ucred); 1498 if (error) 1499 return (error); 1500 #ifdef MAC 1501 if ((error = mac_proc_check_signal(cred, proc, signum))) 1502 return (error); 1503 #endif 1504 if ((error = cr_canseeotheruids(cred, proc->p_ucred))) 1505 return (error); 1506 if ((error = cr_canseeothergids(cred, proc->p_ucred))) 1507 return (error); 1508 1509 /* 1510 * UNIX signal semantics depend on the status of the P_SUGID 1511 * bit on the target process. If the bit is set, then additional 1512 * restrictions are placed on the set of available signals. 1513 */ 1514 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1515 switch (signum) { 1516 case 0: 1517 case SIGKILL: 1518 case SIGINT: 1519 case SIGTERM: 1520 case SIGALRM: 1521 case SIGSTOP: 1522 case SIGTTIN: 1523 case SIGTTOU: 1524 case SIGTSTP: 1525 case SIGHUP: 1526 case SIGUSR1: 1527 case SIGUSR2: 1528 /* 1529 * Generally, permit job and terminal control 1530 * signals. 1531 */ 1532 break; 1533 default: 1534 /* Not permitted without privilege. */ 1535 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 1536 if (error) 1537 return (error); 1538 } 1539 } 1540 1541 /* 1542 * Generally, the target credential's ruid or svuid must match the 1543 * subject credential's ruid or euid. 1544 */ 1545 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1546 cred->cr_ruid != proc->p_ucred->cr_svuid && 1547 cred->cr_uid != proc->p_ucred->cr_ruid && 1548 cred->cr_uid != proc->p_ucred->cr_svuid) { 1549 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 1550 if (error) 1551 return (error); 1552 } 1553 1554 return (0); 1555 } 1556 1557 /*- 1558 * Determine whether td may deliver the specified signal to p. 1559 * Returns: 0 for permitted, an errno value otherwise 1560 * Locks: Sufficient locks to protect various components of td and p 1561 * must be held. td must be curthread, and a lock must be 1562 * held for p. 1563 * References: td and p must be valid for the lifetime of the call 1564 */ 1565 int 1566 p_cansignal(struct thread *td, struct proc *p, int signum) 1567 { 1568 1569 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1570 PROC_LOCK_ASSERT(p, MA_OWNED); 1571 if (td->td_proc == p) 1572 return (0); 1573 1574 /* 1575 * UNIX signalling semantics require that processes in the same 1576 * session always be able to deliver SIGCONT to one another, 1577 * overriding the remaining protections. 1578 */ 1579 /* XXX: This will require an additional lock of some sort. */ 1580 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1581 return (0); 1582 /* 1583 * Some compat layers use SIGTHR and higher signals for 1584 * communication between different kernel threads of the same 1585 * process, so that they expect that it's always possible to 1586 * deliver them, even for suid applications where cr_cansignal() can 1587 * deny such ability for security consideration. It should be 1588 * pretty safe to do since the only way to create two processes 1589 * with the same p_leader is via rfork(2). 1590 */ 1591 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1592 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1593 return (0); 1594 1595 return (cr_cansignal(td->td_ucred, p, signum)); 1596 } 1597 1598 /*- 1599 * Determine whether td may reschedule p. 1600 * Returns: 0 for permitted, an errno value otherwise 1601 * Locks: Sufficient locks to protect various components of td and p 1602 * must be held. td must be curthread, and a lock must 1603 * be held for p. 1604 * References: td and p must be valid for the lifetime of the call 1605 */ 1606 int 1607 p_cansched(struct thread *td, struct proc *p) 1608 { 1609 int error; 1610 1611 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1612 PROC_LOCK_ASSERT(p, MA_OWNED); 1613 if (td->td_proc == p) 1614 return (0); 1615 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1616 return (error); 1617 #ifdef MAC 1618 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1619 return (error); 1620 #endif 1621 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1622 return (error); 1623 if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) 1624 return (error); 1625 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1626 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1627 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1628 if (error) 1629 return (error); 1630 } 1631 return (0); 1632 } 1633 1634 /* 1635 * Handle getting or setting the prison's unprivileged_proc_debug 1636 * value. 1637 */ 1638 static int 1639 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 1640 { 1641 struct prison *pr; 1642 int error, val; 1643 1644 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG) != 0; 1645 error = sysctl_handle_int(oidp, &val, 0, req); 1646 if (error != 0 || req->newptr == NULL) 1647 return (error); 1648 pr = req->td->td_ucred->cr_prison; 1649 mtx_lock(&pr->pr_mtx); 1650 switch (val) { 1651 case 0: 1652 pr->pr_allow &= ~(PR_ALLOW_UNPRIV_DEBUG); 1653 break; 1654 case 1: 1655 pr->pr_allow |= PR_ALLOW_UNPRIV_DEBUG; 1656 break; 1657 default: 1658 error = EINVAL; 1659 } 1660 mtx_unlock(&pr->pr_mtx); 1661 1662 return (error); 1663 } 1664 1665 /* 1666 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1667 * unprivileged inter-process debugging services, including some procfs 1668 * functionality, ptrace(), and ktrace(). In the past, inter-process 1669 * debugging has been involved in a variety of security problems, and sites 1670 * not requiring the service might choose to disable it when hardening 1671 * systems. 1672 */ 1673 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 1674 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE, 0, 0, 1675 sysctl_unprivileged_proc_debug, "I", 1676 "Unprivileged processes may use process debugging facilities"); 1677 1678 /*- 1679 * Determine whether td may debug p. 1680 * Returns: 0 for permitted, an errno value otherwise 1681 * Locks: Sufficient locks to protect various components of td and p 1682 * must be held. td must be curthread, and a lock must 1683 * be held for p. 1684 * References: td and p must be valid for the lifetime of the call 1685 */ 1686 int 1687 p_candebug(struct thread *td, struct proc *p) 1688 { 1689 int credentialchanged, error, grpsubset, i, uidsubset; 1690 1691 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1692 PROC_LOCK_ASSERT(p, MA_OWNED); 1693 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 1694 return (error); 1695 if (td->td_proc == p) 1696 return (0); 1697 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1698 return (error); 1699 #ifdef MAC 1700 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1701 return (error); 1702 #endif 1703 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1704 return (error); 1705 if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) 1706 return (error); 1707 1708 /* 1709 * Is p's group set a subset of td's effective group set? This 1710 * includes p's egid, group access list, rgid, and svgid. 1711 */ 1712 grpsubset = 1; 1713 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1714 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1715 grpsubset = 0; 1716 break; 1717 } 1718 } 1719 grpsubset = grpsubset && 1720 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1721 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1722 1723 /* 1724 * Are the uids present in p's credential equal to td's 1725 * effective uid? This includes p's euid, svuid, and ruid. 1726 */ 1727 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1728 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1729 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1730 1731 /* 1732 * Has the credential of the process changed since the last exec()? 1733 */ 1734 credentialchanged = (p->p_flag & P_SUGID); 1735 1736 /* 1737 * If p's gids aren't a subset, or the uids aren't a subset, 1738 * or the credential has changed, require appropriate privilege 1739 * for td to debug p. 1740 */ 1741 if (!grpsubset || !uidsubset) { 1742 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1743 if (error) 1744 return (error); 1745 } 1746 1747 if (credentialchanged) { 1748 error = priv_check(td, PRIV_DEBUG_SUGID); 1749 if (error) 1750 return (error); 1751 } 1752 1753 /* Can't trace init when securelevel > 0. */ 1754 if (p == initproc) { 1755 error = securelevel_gt(td->td_ucred, 0); 1756 if (error) 1757 return (error); 1758 } 1759 1760 /* 1761 * Can't trace a process that's currently exec'ing. 1762 * 1763 * XXX: Note, this is not a security policy decision, it's a 1764 * basic correctness/functionality decision. Therefore, this check 1765 * should be moved to the caller's of p_candebug(). 1766 */ 1767 if ((p->p_flag & P_INEXEC) != 0) 1768 return (EBUSY); 1769 1770 /* Denied explicitely */ 1771 if ((p->p_flag2 & P2_NOTRACE) != 0) { 1772 error = priv_check(td, PRIV_DEBUG_DENIED); 1773 if (error != 0) 1774 return (error); 1775 } 1776 1777 return (0); 1778 } 1779 1780 /*- 1781 * Determine whether the subject represented by cred can "see" a socket. 1782 * Returns: 0 for permitted, ENOENT otherwise. 1783 */ 1784 int 1785 cr_canseesocket(struct ucred *cred, struct socket *so) 1786 { 1787 int error; 1788 1789 error = prison_check(cred, so->so_cred); 1790 if (error) 1791 return (ENOENT); 1792 #ifdef MAC 1793 error = mac_socket_check_visible(cred, so); 1794 if (error) 1795 return (error); 1796 #endif 1797 if (cr_canseeotheruids(cred, so->so_cred)) 1798 return (ENOENT); 1799 if (cr_canseeothergids(cred, so->so_cred)) 1800 return (ENOENT); 1801 1802 return (0); 1803 } 1804 1805 /*- 1806 * Determine whether td can wait for the exit of p. 1807 * Returns: 0 for permitted, an errno value otherwise 1808 * Locks: Sufficient locks to protect various components of td and p 1809 * must be held. td must be curthread, and a lock must 1810 * be held for p. 1811 * References: td and p must be valid for the lifetime of the call 1812 1813 */ 1814 int 1815 p_canwait(struct thread *td, struct proc *p) 1816 { 1817 int error; 1818 1819 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1820 PROC_LOCK_ASSERT(p, MA_OWNED); 1821 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1822 return (error); 1823 #ifdef MAC 1824 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1825 return (error); 1826 #endif 1827 #if 0 1828 /* XXXMAC: This could have odd effects on some shells. */ 1829 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) 1830 return (error); 1831 #endif 1832 1833 return (0); 1834 } 1835 1836 /* 1837 * Allocate a zeroed cred structure. 1838 */ 1839 struct ucred * 1840 crget(void) 1841 { 1842 struct ucred *cr; 1843 1844 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1845 refcount_init(&cr->cr_ref, 1); 1846 #ifdef AUDIT 1847 audit_cred_init(cr); 1848 #endif 1849 #ifdef MAC 1850 mac_cred_init(cr); 1851 #endif 1852 cr->cr_groups = cr->cr_smallgroups; 1853 cr->cr_agroups = 1854 sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]); 1855 return (cr); 1856 } 1857 1858 /* 1859 * Claim another reference to a ucred structure. 1860 */ 1861 struct ucred * 1862 crhold(struct ucred *cr) 1863 { 1864 1865 refcount_acquire(&cr->cr_ref); 1866 return (cr); 1867 } 1868 1869 /* 1870 * Free a cred structure. Throws away space when ref count gets to 0. 1871 */ 1872 void 1873 crfree(struct ucred *cr) 1874 { 1875 1876 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1877 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1878 if (refcount_release(&cr->cr_ref)) { 1879 /* 1880 * Some callers of crget(), such as nfs_statfs(), 1881 * allocate a temporary credential, but don't 1882 * allocate a uidinfo structure. 1883 */ 1884 if (cr->cr_uidinfo != NULL) 1885 uifree(cr->cr_uidinfo); 1886 if (cr->cr_ruidinfo != NULL) 1887 uifree(cr->cr_ruidinfo); 1888 /* 1889 * Free a prison, if any. 1890 */ 1891 if (cr->cr_prison != NULL) 1892 prison_free(cr->cr_prison); 1893 if (cr->cr_loginclass != NULL) 1894 loginclass_free(cr->cr_loginclass); 1895 #ifdef AUDIT 1896 audit_cred_destroy(cr); 1897 #endif 1898 #ifdef MAC 1899 mac_cred_destroy(cr); 1900 #endif 1901 if (cr->cr_groups != cr->cr_smallgroups) 1902 free(cr->cr_groups, M_CRED); 1903 free(cr, M_CRED); 1904 } 1905 } 1906 1907 /* 1908 * Copy a ucred's contents from a template. Does not block. 1909 */ 1910 void 1911 crcopy(struct ucred *dest, struct ucred *src) 1912 { 1913 1914 KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred")); 1915 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1916 (unsigned)((caddr_t)&src->cr_endcopy - 1917 (caddr_t)&src->cr_startcopy)); 1918 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 1919 uihold(dest->cr_uidinfo); 1920 uihold(dest->cr_ruidinfo); 1921 prison_hold(dest->cr_prison); 1922 loginclass_hold(dest->cr_loginclass); 1923 #ifdef AUDIT 1924 audit_cred_copy(src, dest); 1925 #endif 1926 #ifdef MAC 1927 mac_cred_copy(src, dest); 1928 #endif 1929 } 1930 1931 /* 1932 * Dup cred struct to a new held one. 1933 */ 1934 struct ucred * 1935 crdup(struct ucred *cr) 1936 { 1937 struct ucred *newcr; 1938 1939 newcr = crget(); 1940 crcopy(newcr, cr); 1941 return (newcr); 1942 } 1943 1944 /* 1945 * Fill in a struct xucred based on a struct ucred. 1946 */ 1947 void 1948 cru2x(struct ucred *cr, struct xucred *xcr) 1949 { 1950 int ngroups; 1951 1952 bzero(xcr, sizeof(*xcr)); 1953 xcr->cr_version = XUCRED_VERSION; 1954 xcr->cr_uid = cr->cr_uid; 1955 1956 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 1957 xcr->cr_ngroups = ngroups; 1958 bcopy(cr->cr_groups, xcr->cr_groups, 1959 ngroups * sizeof(*cr->cr_groups)); 1960 } 1961 1962 void 1963 cru2xt(struct thread *td, struct xucred *xcr) 1964 { 1965 1966 cru2x(td->td_ucred, xcr); 1967 xcr->cr_pid = td->td_proc->p_pid; 1968 } 1969 1970 /* 1971 * Set initial process credentials. 1972 * Callers are responsible for providing the reference for provided credentials. 1973 */ 1974 void 1975 proc_set_cred_init(struct proc *p, struct ucred *newcred) 1976 { 1977 1978 p->p_ucred = newcred; 1979 } 1980 1981 /* 1982 * Change process credentials. 1983 * Callers are responsible for providing the reference for passed credentials 1984 * and for freeing old ones. 1985 * 1986 * Process has to be locked except when it does not have credentials (as it 1987 * should not be visible just yet) or when newcred is NULL (as this can be 1988 * only used when the process is about to be freed, at which point it should 1989 * not be visible anymore). 1990 */ 1991 struct ucred * 1992 proc_set_cred(struct proc *p, struct ucred *newcred) 1993 { 1994 struct ucred *oldcred; 1995 1996 MPASS(p->p_ucred != NULL); 1997 if (newcred == NULL) 1998 MPASS(p->p_state == PRS_ZOMBIE); 1999 else 2000 PROC_LOCK_ASSERT(p, MA_OWNED); 2001 2002 oldcred = p->p_ucred; 2003 p->p_ucred = newcred; 2004 if (newcred != NULL) 2005 PROC_UPDATE_COW(p); 2006 return (oldcred); 2007 } 2008 2009 struct ucred * 2010 crcopysafe(struct proc *p, struct ucred *cr) 2011 { 2012 struct ucred *oldcred; 2013 int groups; 2014 2015 PROC_LOCK_ASSERT(p, MA_OWNED); 2016 2017 oldcred = p->p_ucred; 2018 while (cr->cr_agroups < oldcred->cr_agroups) { 2019 groups = oldcred->cr_agroups; 2020 PROC_UNLOCK(p); 2021 crextend(cr, groups); 2022 PROC_LOCK(p); 2023 oldcred = p->p_ucred; 2024 } 2025 crcopy(cr, oldcred); 2026 2027 return (oldcred); 2028 } 2029 2030 /* 2031 * Extend the passed in credential to hold n items. 2032 */ 2033 void 2034 crextend(struct ucred *cr, int n) 2035 { 2036 int cnt; 2037 2038 /* Truncate? */ 2039 if (n <= cr->cr_agroups) 2040 return; 2041 2042 /* 2043 * We extend by 2 each time since we're using a power of two 2044 * allocator until we need enough groups to fill a page. 2045 * Once we're allocating multiple pages, only allocate as many 2046 * as we actually need. The case of processes needing a 2047 * non-power of two number of pages seems more likely than 2048 * a real world process that adds thousands of groups one at a 2049 * time. 2050 */ 2051 if ( n < PAGE_SIZE / sizeof(gid_t) ) { 2052 if (cr->cr_agroups == 0) 2053 cnt = MINALLOCSIZE / sizeof(gid_t); 2054 else 2055 cnt = cr->cr_agroups * 2; 2056 2057 while (cnt < n) 2058 cnt *= 2; 2059 } else 2060 cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); 2061 2062 /* Free the old array. */ 2063 if (cr->cr_groups != cr->cr_smallgroups) 2064 free(cr->cr_groups, M_CRED); 2065 2066 cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); 2067 cr->cr_agroups = cnt; 2068 } 2069 2070 /* 2071 * Copy groups in to a credential, preserving any necessary invariants. 2072 * Currently this includes the sorting of all supplemental gids. 2073 * crextend() must have been called before hand to ensure sufficient 2074 * space is available. 2075 */ 2076 static void 2077 crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) 2078 { 2079 int i; 2080 int j; 2081 gid_t g; 2082 2083 KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); 2084 2085 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2086 cr->cr_ngroups = ngrp; 2087 2088 /* 2089 * Sort all groups except cr_groups[0] to allow groupmember to 2090 * perform a binary search. 2091 * 2092 * XXX: If large numbers of groups become common this should 2093 * be replaced with shell sort like linux uses or possibly 2094 * heap sort. 2095 */ 2096 for (i = 2; i < ngrp; i++) { 2097 g = cr->cr_groups[i]; 2098 for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) 2099 cr->cr_groups[j + 1] = cr->cr_groups[j]; 2100 cr->cr_groups[j + 1] = g; 2101 } 2102 } 2103 2104 /* 2105 * Copy groups in to a credential after expanding it if required. 2106 * Truncate the list to (ngroups_max + 1) if it is too large. 2107 */ 2108 void 2109 crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) 2110 { 2111 2112 if (ngrp > ngroups_max + 1) 2113 ngrp = ngroups_max + 1; 2114 2115 crextend(cr, ngrp); 2116 crsetgroups_locked(cr, ngrp, groups); 2117 } 2118 2119 /* 2120 * Get login name, if available. 2121 */ 2122 #ifndef _SYS_SYSPROTO_H_ 2123 struct getlogin_args { 2124 char *namebuf; 2125 u_int namelen; 2126 }; 2127 #endif 2128 /* ARGSUSED */ 2129 int 2130 sys_getlogin(struct thread *td, struct getlogin_args *uap) 2131 { 2132 char login[MAXLOGNAME]; 2133 struct proc *p = td->td_proc; 2134 size_t len; 2135 2136 if (uap->namelen > MAXLOGNAME) 2137 uap->namelen = MAXLOGNAME; 2138 PROC_LOCK(p); 2139 SESS_LOCK(p->p_session); 2140 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 2141 SESS_UNLOCK(p->p_session); 2142 PROC_UNLOCK(p); 2143 if (len > uap->namelen) 2144 return (ERANGE); 2145 return (copyout(login, uap->namebuf, len)); 2146 } 2147 2148 /* 2149 * Set login name. 2150 */ 2151 #ifndef _SYS_SYSPROTO_H_ 2152 struct setlogin_args { 2153 char *namebuf; 2154 }; 2155 #endif 2156 /* ARGSUSED */ 2157 int 2158 sys_setlogin(struct thread *td, struct setlogin_args *uap) 2159 { 2160 struct proc *p = td->td_proc; 2161 int error; 2162 char logintmp[MAXLOGNAME]; 2163 2164 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 2165 2166 error = priv_check(td, PRIV_PROC_SETLOGIN); 2167 if (error) 2168 return (error); 2169 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2170 if (error != 0) { 2171 if (error == ENAMETOOLONG) 2172 error = EINVAL; 2173 return (error); 2174 } 2175 AUDIT_ARG_LOGIN(logintmp); 2176 PROC_LOCK(p); 2177 SESS_LOCK(p->p_session); 2178 strcpy(p->p_session->s_login, logintmp); 2179 SESS_UNLOCK(p->p_session); 2180 PROC_UNLOCK(p); 2181 return (0); 2182 } 2183 2184 void 2185 setsugid(struct proc *p) 2186 { 2187 2188 PROC_LOCK_ASSERT(p, MA_OWNED); 2189 p->p_flag |= P_SUGID; 2190 if (!(p->p_pfsflags & PF_ISUGID)) 2191 p->p_stops = 0; 2192 } 2193 2194 /*- 2195 * Change a process's effective uid. 2196 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2197 * References: newcred must be an exclusive credential reference for the 2198 * duration of the call. 2199 */ 2200 void 2201 change_euid(struct ucred *newcred, struct uidinfo *euip) 2202 { 2203 2204 newcred->cr_uid = euip->ui_uid; 2205 uihold(euip); 2206 uifree(newcred->cr_uidinfo); 2207 newcred->cr_uidinfo = euip; 2208 } 2209 2210 /*- 2211 * Change a process's effective gid. 2212 * Side effects: newcred->cr_gid will be modified. 2213 * References: newcred must be an exclusive credential reference for the 2214 * duration of the call. 2215 */ 2216 void 2217 change_egid(struct ucred *newcred, gid_t egid) 2218 { 2219 2220 newcred->cr_groups[0] = egid; 2221 } 2222 2223 /*- 2224 * Change a process's real uid. 2225 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2226 * will be updated, and the old and new cr_ruidinfo proc 2227 * counts will be updated. 2228 * References: newcred must be an exclusive credential reference for the 2229 * duration of the call. 2230 */ 2231 void 2232 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2233 { 2234 2235 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2236 newcred->cr_ruid = ruip->ui_uid; 2237 uihold(ruip); 2238 uifree(newcred->cr_ruidinfo); 2239 newcred->cr_ruidinfo = ruip; 2240 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2241 } 2242 2243 /*- 2244 * Change a process's real gid. 2245 * Side effects: newcred->cr_rgid will be updated. 2246 * References: newcred must be an exclusive credential reference for the 2247 * duration of the call. 2248 */ 2249 void 2250 change_rgid(struct ucred *newcred, gid_t rgid) 2251 { 2252 2253 newcred->cr_rgid = rgid; 2254 } 2255 2256 /*- 2257 * Change a process's saved uid. 2258 * Side effects: newcred->cr_svuid will be updated. 2259 * References: newcred must be an exclusive credential reference for the 2260 * duration of the call. 2261 */ 2262 void 2263 change_svuid(struct ucred *newcred, uid_t svuid) 2264 { 2265 2266 newcred->cr_svuid = svuid; 2267 } 2268 2269 /*- 2270 * Change a process's saved gid. 2271 * Side effects: newcred->cr_svgid will be updated. 2272 * References: newcred must be an exclusive credential reference for the 2273 * duration of the call. 2274 */ 2275 void 2276 change_svgid(struct ucred *newcred, gid_t svgid) 2277 { 2278 2279 newcred->cr_svgid = svgid; 2280 } 2281