1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 */ 41 42 /* 43 * System calls related to processes and protection 44 */ 45 46 #include <sys/cdefs.h> 47 __FBSDID("$FreeBSD$"); 48 49 #include "opt_compat.h" 50 #include "opt_mac.h" 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/acct.h> 55 #include <sys/kernel.h> 56 #include <sys/lock.h> 57 #include <sys/mac.h> 58 #include <sys/malloc.h> 59 #include <sys/mutex.h> 60 #include <sys/sx.h> 61 #include <sys/proc.h> 62 #include <sys/sysproto.h> 63 #include <sys/jail.h> 64 #include <sys/pioctl.h> 65 #include <sys/resourcevar.h> 66 #include <sys/socket.h> 67 #include <sys/socketvar.h> 68 #include <sys/sysctl.h> 69 70 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 71 72 SYSCTL_DECL(_security); 73 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 74 "BSD security policy"); 75 76 #ifndef _SYS_SYSPROTO_H_ 77 struct getpid_args { 78 int dummy; 79 }; 80 #endif 81 /* 82 * MPSAFE 83 */ 84 /* ARGSUSED */ 85 int 86 getpid(struct thread *td, struct getpid_args *uap) 87 { 88 struct proc *p = td->td_proc; 89 90 td->td_retval[0] = p->p_pid; 91 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 92 PROC_LOCK(p); 93 td->td_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95 #endif 96 return (0); 97 } 98 99 #ifndef _SYS_SYSPROTO_H_ 100 struct getppid_args { 101 int dummy; 102 }; 103 #endif 104 /* 105 * MPSAFE 106 */ 107 /* ARGSUSED */ 108 int 109 getppid(struct thread *td, struct getppid_args *uap) 110 { 111 struct proc *p = td->td_proc; 112 113 PROC_LOCK(p); 114 td->td_retval[0] = p->p_pptr->p_pid; 115 PROC_UNLOCK(p); 116 return (0); 117 } 118 119 /* 120 * Get process group ID; note that POSIX getpgrp takes no parameter. 121 */ 122 #ifndef _SYS_SYSPROTO_H_ 123 struct getpgrp_args { 124 int dummy; 125 }; 126 #endif 127 /* 128 * MPSAFE 129 */ 130 int 131 getpgrp(struct thread *td, struct getpgrp_args *uap) 132 { 133 struct proc *p = td->td_proc; 134 135 PROC_LOCK(p); 136 td->td_retval[0] = p->p_pgrp->pg_id; 137 PROC_UNLOCK(p); 138 return (0); 139 } 140 141 /* Get an arbitary pid's process group id */ 142 #ifndef _SYS_SYSPROTO_H_ 143 struct getpgid_args { 144 pid_t pid; 145 }; 146 #endif 147 /* 148 * MPSAFE 149 */ 150 int 151 getpgid(struct thread *td, struct getpgid_args *uap) 152 { 153 struct proc *p; 154 int error; 155 156 if (uap->pid == 0) { 157 p = td->td_proc; 158 PROC_LOCK(p); 159 } else { 160 p = pfind(uap->pid); 161 if (p == NULL) 162 return (ESRCH); 163 error = p_cansee(td, p); 164 if (error) { 165 PROC_UNLOCK(p); 166 return (error); 167 } 168 } 169 td->td_retval[0] = p->p_pgrp->pg_id; 170 PROC_UNLOCK(p); 171 return (0); 172 } 173 174 /* 175 * Get an arbitary pid's session id. 176 */ 177 #ifndef _SYS_SYSPROTO_H_ 178 struct getsid_args { 179 pid_t pid; 180 }; 181 #endif 182 /* 183 * MPSAFE 184 */ 185 int 186 getsid(struct thread *td, struct getsid_args *uap) 187 { 188 struct proc *p; 189 int error; 190 191 if (uap->pid == 0) { 192 p = td->td_proc; 193 PROC_LOCK(p); 194 } else { 195 p = pfind(uap->pid); 196 if (p == NULL) 197 return (ESRCH); 198 error = p_cansee(td, p); 199 if (error) { 200 PROC_UNLOCK(p); 201 return (error); 202 } 203 } 204 td->td_retval[0] = p->p_session->s_sid; 205 PROC_UNLOCK(p); 206 return (0); 207 } 208 209 #ifndef _SYS_SYSPROTO_H_ 210 struct getuid_args { 211 int dummy; 212 }; 213 #endif 214 /* 215 * MPSAFE 216 */ 217 /* ARGSUSED */ 218 int 219 getuid(struct thread *td, struct getuid_args *uap) 220 { 221 222 td->td_retval[0] = td->td_ucred->cr_ruid; 223 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 224 td->td_retval[1] = td->td_ucred->cr_uid; 225 #endif 226 return (0); 227 } 228 229 #ifndef _SYS_SYSPROTO_H_ 230 struct geteuid_args { 231 int dummy; 232 }; 233 #endif 234 /* 235 * MPSAFE 236 */ 237 /* ARGSUSED */ 238 int 239 geteuid(struct thread *td, struct geteuid_args *uap) 240 { 241 242 td->td_retval[0] = td->td_ucred->cr_uid; 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getgid_args { 248 int dummy; 249 }; 250 #endif 251 /* 252 * MPSAFE 253 */ 254 /* ARGSUSED */ 255 int 256 getgid(struct thread *td, struct getgid_args *uap) 257 { 258 259 td->td_retval[0] = td->td_ucred->cr_rgid; 260 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 261 td->td_retval[1] = td->td_ucred->cr_groups[0]; 262 #endif 263 return (0); 264 } 265 266 /* 267 * Get effective group ID. The "egid" is groups[0], and could be obtained 268 * via getgroups. This syscall exists because it is somewhat painful to do 269 * correctly in a library function. 270 */ 271 #ifndef _SYS_SYSPROTO_H_ 272 struct getegid_args { 273 int dummy; 274 }; 275 #endif 276 /* 277 * MPSAFE 278 */ 279 /* ARGSUSED */ 280 int 281 getegid(struct thread *td, struct getegid_args *uap) 282 { 283 284 td->td_retval[0] = td->td_ucred->cr_groups[0]; 285 return (0); 286 } 287 288 #ifndef _SYS_SYSPROTO_H_ 289 struct getgroups_args { 290 u_int gidsetsize; 291 gid_t *gidset; 292 }; 293 #endif 294 /* 295 * MPSAFE 296 */ 297 int 298 getgroups(struct thread *td, register struct getgroups_args *uap) 299 { 300 struct ucred *cred; 301 u_int ngrp; 302 int error; 303 304 cred = td->td_ucred; 305 if ((ngrp = uap->gidsetsize) == 0) { 306 td->td_retval[0] = cred->cr_ngroups; 307 return (0); 308 } 309 if (ngrp < cred->cr_ngroups) 310 return (EINVAL); 311 ngrp = cred->cr_ngroups; 312 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 313 if (error == 0) 314 td->td_retval[0] = ngrp; 315 return (error); 316 } 317 318 #ifndef _SYS_SYSPROTO_H_ 319 struct setsid_args { 320 int dummy; 321 }; 322 #endif 323 /* 324 * MPSAFE 325 */ 326 /* ARGSUSED */ 327 int 328 setsid(register struct thread *td, struct setsid_args *uap) 329 { 330 struct pgrp *pgrp; 331 int error; 332 struct proc *p = td->td_proc; 333 struct pgrp *newpgrp; 334 struct session *newsess; 335 336 error = 0; 337 pgrp = NULL; 338 339 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 340 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 341 342 sx_xlock(&proctree_lock); 343 344 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 345 if (pgrp != NULL) 346 PGRP_UNLOCK(pgrp); 347 error = EPERM; 348 } else { 349 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 350 td->td_retval[0] = p->p_pid; 351 newpgrp = NULL; 352 newsess = NULL; 353 } 354 355 sx_xunlock(&proctree_lock); 356 357 if (newpgrp != NULL) 358 FREE(newpgrp, M_PGRP); 359 if (newsess != NULL) 360 FREE(newsess, M_SESSION); 361 362 return (error); 363 } 364 365 /* 366 * set process group (setpgid/old setpgrp) 367 * 368 * caller does setpgid(targpid, targpgid) 369 * 370 * pid must be caller or child of caller (ESRCH) 371 * if a child 372 * pid must be in same session (EPERM) 373 * pid can't have done an exec (EACCES) 374 * if pgid != pid 375 * there must exist some pid in same session having pgid (EPERM) 376 * pid must not be session leader (EPERM) 377 */ 378 #ifndef _SYS_SYSPROTO_H_ 379 struct setpgid_args { 380 int pid; /* target process id */ 381 int pgid; /* target pgrp id */ 382 }; 383 #endif 384 /* 385 * MPSAFE 386 */ 387 /* ARGSUSED */ 388 int 389 setpgid(struct thread *td, register struct setpgid_args *uap) 390 { 391 struct proc *curp = td->td_proc; 392 register struct proc *targp; /* target process */ 393 register struct pgrp *pgrp; /* target pgrp */ 394 int error; 395 struct pgrp *newpgrp; 396 397 if (uap->pgid < 0) 398 return (EINVAL); 399 400 error = 0; 401 402 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 403 404 sx_xlock(&proctree_lock); 405 if (uap->pid != 0 && uap->pid != curp->p_pid) { 406 if ((targp = pfind(uap->pid)) == NULL) { 407 if (targp) 408 PROC_UNLOCK(targp); 409 error = ESRCH; 410 goto done; 411 } 412 if (!inferior(targp)) { 413 PROC_UNLOCK(targp); 414 error = ESRCH; 415 goto done; 416 } 417 if ((error = p_cansee(curthread, targp))) { 418 PROC_UNLOCK(targp); 419 goto done; 420 } 421 if (targp->p_pgrp == NULL || 422 targp->p_session != curp->p_session) { 423 PROC_UNLOCK(targp); 424 error = EPERM; 425 goto done; 426 } 427 if (targp->p_flag & P_EXEC) { 428 PROC_UNLOCK(targp); 429 error = EACCES; 430 goto done; 431 } 432 PROC_UNLOCK(targp); 433 } else 434 targp = curp; 435 if (SESS_LEADER(targp)) { 436 error = EPERM; 437 goto done; 438 } 439 if (uap->pgid == 0) 440 uap->pgid = targp->p_pid; 441 if (uap->pgid == targp->p_pid) { 442 if (targp->p_pgid == uap->pgid) 443 goto done; 444 error = enterpgrp(targp, uap->pgid, newpgrp, NULL); 445 if (error == 0) 446 newpgrp = NULL; 447 } else { 448 if ((pgrp = pgfind(uap->pgid)) == NULL || 449 pgrp->pg_session != curp->p_session) { 450 if (pgrp != NULL) 451 PGRP_UNLOCK(pgrp); 452 error = EPERM; 453 goto done; 454 } 455 if (pgrp == targp->p_pgrp) { 456 PGRP_UNLOCK(pgrp); 457 goto done; 458 } 459 PGRP_UNLOCK(pgrp); 460 error = enterthispgrp(targp, pgrp); 461 } 462 done: 463 sx_xunlock(&proctree_lock); 464 KASSERT((error == 0) || (newpgrp != NULL), 465 ("setpgid failed and newpgrp is NULL")); 466 if (newpgrp != NULL) 467 FREE(newpgrp, M_PGRP); 468 return (error); 469 } 470 471 /* 472 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 473 * compatible. It says that setting the uid/gid to euid/egid is a special 474 * case of "appropriate privilege". Once the rules are expanded out, this 475 * basically means that setuid(nnn) sets all three id's, in all permitted 476 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 477 * does not set the saved id - this is dangerous for traditional BSD 478 * programs. For this reason, we *really* do not want to set 479 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 480 */ 481 #define POSIX_APPENDIX_B_4_2_2 482 483 #ifndef _SYS_SYSPROTO_H_ 484 struct setuid_args { 485 uid_t uid; 486 }; 487 #endif 488 /* 489 * MPSAFE 490 */ 491 /* ARGSUSED */ 492 int 493 setuid(struct thread *td, struct setuid_args *uap) 494 { 495 struct proc *p = td->td_proc; 496 struct ucred *newcred, *oldcred; 497 uid_t uid; 498 struct uidinfo *uip; 499 int error; 500 501 uid = uap->uid; 502 newcred = crget(); 503 uip = uifind(uid); 504 PROC_LOCK(p); 505 oldcred = p->p_ucred; 506 507 /* 508 * See if we have "permission" by POSIX 1003.1 rules. 509 * 510 * Note that setuid(geteuid()) is a special case of 511 * "appropriate privileges" in appendix B.4.2.2. We need 512 * to use this clause to be compatible with traditional BSD 513 * semantics. Basically, it means that "setuid(xx)" sets all 514 * three id's (assuming you have privs). 515 * 516 * Notes on the logic. We do things in three steps. 517 * 1: We determine if the euid is going to change, and do EPERM 518 * right away. We unconditionally change the euid later if this 519 * test is satisfied, simplifying that part of the logic. 520 * 2: We determine if the real and/or saved uids are going to 521 * change. Determined by compile options. 522 * 3: Change euid last. (after tests in #2 for "appropriate privs") 523 */ 524 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 525 #ifdef _POSIX_SAVED_IDS 526 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 527 #endif 528 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 529 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 530 #endif 531 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 532 PROC_UNLOCK(p); 533 uifree(uip); 534 crfree(newcred); 535 return (error); 536 } 537 538 /* 539 * Copy credentials so other references do not see our changes. 540 */ 541 crcopy(newcred, oldcred); 542 #ifdef _POSIX_SAVED_IDS 543 /* 544 * Do we have "appropriate privileges" (are we root or uid == euid) 545 * If so, we are changing the real uid and/or saved uid. 546 */ 547 if ( 548 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 549 uid == oldcred->cr_uid || 550 #endif 551 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 552 #endif 553 { 554 /* 555 * Set the real uid and transfer proc count to new user. 556 */ 557 if (uid != oldcred->cr_ruid) { 558 change_ruid(newcred, uip); 559 setsugid(p); 560 } 561 /* 562 * Set saved uid 563 * 564 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 565 * the security of seteuid() depends on it. B.4.2.2 says it 566 * is important that we should do this. 567 */ 568 if (uid != oldcred->cr_svuid) { 569 change_svuid(newcred, uid); 570 setsugid(p); 571 } 572 } 573 574 /* 575 * In all permitted cases, we are changing the euid. 576 */ 577 if (uid != oldcred->cr_uid) { 578 change_euid(newcred, uip); 579 setsugid(p); 580 } 581 p->p_ucred = newcred; 582 PROC_UNLOCK(p); 583 uifree(uip); 584 crfree(oldcred); 585 return (0); 586 } 587 588 #ifndef _SYS_SYSPROTO_H_ 589 struct seteuid_args { 590 uid_t euid; 591 }; 592 #endif 593 /* 594 * MPSAFE 595 */ 596 /* ARGSUSED */ 597 int 598 seteuid(struct thread *td, struct seteuid_args *uap) 599 { 600 struct proc *p = td->td_proc; 601 struct ucred *newcred, *oldcred; 602 uid_t euid; 603 struct uidinfo *euip; 604 int error; 605 606 euid = uap->euid; 607 newcred = crget(); 608 euip = uifind(euid); 609 PROC_LOCK(p); 610 oldcred = p->p_ucred; 611 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 612 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 613 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 614 PROC_UNLOCK(p); 615 uifree(euip); 616 crfree(newcred); 617 return (error); 618 } 619 /* 620 * Everything's okay, do it. Copy credentials so other references do 621 * not see our changes. 622 */ 623 crcopy(newcred, oldcred); 624 if (oldcred->cr_uid != euid) { 625 change_euid(newcred, euip); 626 setsugid(p); 627 } 628 p->p_ucred = newcred; 629 PROC_UNLOCK(p); 630 uifree(euip); 631 crfree(oldcred); 632 return (0); 633 } 634 635 #ifndef _SYS_SYSPROTO_H_ 636 struct setgid_args { 637 gid_t gid; 638 }; 639 #endif 640 /* 641 * MPSAFE 642 */ 643 /* ARGSUSED */ 644 int 645 setgid(struct thread *td, struct setgid_args *uap) 646 { 647 struct proc *p = td->td_proc; 648 struct ucred *newcred, *oldcred; 649 gid_t gid; 650 int error; 651 652 gid = uap->gid; 653 newcred = crget(); 654 PROC_LOCK(p); 655 oldcred = p->p_ucred; 656 657 /* 658 * See if we have "permission" by POSIX 1003.1 rules. 659 * 660 * Note that setgid(getegid()) is a special case of 661 * "appropriate privileges" in appendix B.4.2.2. We need 662 * to use this clause to be compatible with traditional BSD 663 * semantics. Basically, it means that "setgid(xx)" sets all 664 * three id's (assuming you have privs). 665 * 666 * For notes on the logic here, see setuid() above. 667 */ 668 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 669 #ifdef _POSIX_SAVED_IDS 670 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 671 #endif 672 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 673 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 674 #endif 675 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 676 PROC_UNLOCK(p); 677 crfree(newcred); 678 return (error); 679 } 680 681 crcopy(newcred, oldcred); 682 #ifdef _POSIX_SAVED_IDS 683 /* 684 * Do we have "appropriate privileges" (are we root or gid == egid) 685 * If so, we are changing the real uid and saved gid. 686 */ 687 if ( 688 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 689 gid == oldcred->cr_groups[0] || 690 #endif 691 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 692 #endif 693 { 694 /* 695 * Set real gid 696 */ 697 if (oldcred->cr_rgid != gid) { 698 change_rgid(newcred, gid); 699 setsugid(p); 700 } 701 /* 702 * Set saved gid 703 * 704 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 705 * the security of setegid() depends on it. B.4.2.2 says it 706 * is important that we should do this. 707 */ 708 if (oldcred->cr_svgid != gid) { 709 change_svgid(newcred, gid); 710 setsugid(p); 711 } 712 } 713 /* 714 * In all cases permitted cases, we are changing the egid. 715 * Copy credentials so other references do not see our changes. 716 */ 717 if (oldcred->cr_groups[0] != gid) { 718 change_egid(newcred, gid); 719 setsugid(p); 720 } 721 p->p_ucred = newcred; 722 PROC_UNLOCK(p); 723 crfree(oldcred); 724 return (0); 725 } 726 727 #ifndef _SYS_SYSPROTO_H_ 728 struct setegid_args { 729 gid_t egid; 730 }; 731 #endif 732 /* 733 * MPSAFE 734 */ 735 /* ARGSUSED */ 736 int 737 setegid(struct thread *td, struct setegid_args *uap) 738 { 739 struct proc *p = td->td_proc; 740 struct ucred *newcred, *oldcred; 741 gid_t egid; 742 int error; 743 744 egid = uap->egid; 745 newcred = crget(); 746 PROC_LOCK(p); 747 oldcred = p->p_ucred; 748 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 749 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 750 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 751 PROC_UNLOCK(p); 752 crfree(newcred); 753 return (error); 754 } 755 crcopy(newcred, oldcred); 756 if (oldcred->cr_groups[0] != egid) { 757 change_egid(newcred, egid); 758 setsugid(p); 759 } 760 p->p_ucred = newcred; 761 PROC_UNLOCK(p); 762 crfree(oldcred); 763 return (0); 764 } 765 766 #ifndef _SYS_SYSPROTO_H_ 767 struct setgroups_args { 768 u_int gidsetsize; 769 gid_t *gidset; 770 }; 771 #endif 772 /* 773 * MPSAFE 774 */ 775 /* ARGSUSED */ 776 int 777 setgroups(struct thread *td, struct setgroups_args *uap) 778 { 779 struct proc *p = td->td_proc; 780 struct ucred *newcred, *tempcred, *oldcred; 781 u_int ngrp; 782 int error; 783 784 ngrp = uap->gidsetsize; 785 if (ngrp > NGROUPS) 786 return (EINVAL); 787 tempcred = crget(); 788 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t)); 789 if (error != 0) { 790 crfree(tempcred); 791 return (error); 792 } 793 newcred = crget(); 794 PROC_LOCK(p); 795 oldcred = p->p_ucred; 796 error = suser_cred(oldcred, PRISON_ROOT); 797 if (error) { 798 PROC_UNLOCK(p); 799 crfree(newcred); 800 crfree(tempcred); 801 return (error); 802 } 803 804 /* 805 * XXX A little bit lazy here. We could test if anything has 806 * changed before crcopy() and setting P_SUGID. 807 */ 808 crcopy(newcred, oldcred); 809 if (ngrp < 1) { 810 /* 811 * setgroups(0, NULL) is a legitimate way of clearing the 812 * groups vector on non-BSD systems (which generally do not 813 * have the egid in the groups[0]). We risk security holes 814 * when running non-BSD software if we do not do the same. 815 */ 816 newcred->cr_ngroups = 1; 817 } else { 818 bcopy(tempcred->cr_groups, newcred->cr_groups, 819 ngrp * sizeof(gid_t)); 820 newcred->cr_ngroups = ngrp; 821 } 822 setsugid(p); 823 p->p_ucred = newcred; 824 PROC_UNLOCK(p); 825 crfree(tempcred); 826 crfree(oldcred); 827 return (0); 828 } 829 830 #ifndef _SYS_SYSPROTO_H_ 831 struct setreuid_args { 832 uid_t ruid; 833 uid_t euid; 834 }; 835 #endif 836 /* 837 * MPSAFE 838 */ 839 /* ARGSUSED */ 840 int 841 setreuid(register struct thread *td, struct setreuid_args *uap) 842 { 843 struct proc *p = td->td_proc; 844 struct ucred *newcred, *oldcred; 845 uid_t euid, ruid; 846 struct uidinfo *euip, *ruip; 847 int error; 848 849 euid = uap->euid; 850 ruid = uap->ruid; 851 newcred = crget(); 852 euip = uifind(euid); 853 ruip = uifind(ruid); 854 PROC_LOCK(p); 855 oldcred = p->p_ucred; 856 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 857 ruid != oldcred->cr_svuid) || 858 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 859 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 860 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 861 PROC_UNLOCK(p); 862 uifree(ruip); 863 uifree(euip); 864 crfree(newcred); 865 return (error); 866 } 867 crcopy(newcred, oldcred); 868 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 869 change_euid(newcred, euip); 870 setsugid(p); 871 } 872 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 873 change_ruid(newcred, ruip); 874 setsugid(p); 875 } 876 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 877 newcred->cr_svuid != newcred->cr_uid) { 878 change_svuid(newcred, newcred->cr_uid); 879 setsugid(p); 880 } 881 p->p_ucred = newcred; 882 PROC_UNLOCK(p); 883 uifree(ruip); 884 uifree(euip); 885 crfree(oldcred); 886 return (0); 887 } 888 889 #ifndef _SYS_SYSPROTO_H_ 890 struct setregid_args { 891 gid_t rgid; 892 gid_t egid; 893 }; 894 #endif 895 /* 896 * MPSAFE 897 */ 898 /* ARGSUSED */ 899 int 900 setregid(register struct thread *td, struct setregid_args *uap) 901 { 902 struct proc *p = td->td_proc; 903 struct ucred *newcred, *oldcred; 904 gid_t egid, rgid; 905 int error; 906 907 egid = uap->egid; 908 rgid = uap->rgid; 909 newcred = crget(); 910 PROC_LOCK(p); 911 oldcred = p->p_ucred; 912 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 913 rgid != oldcred->cr_svgid) || 914 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 915 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 916 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 917 PROC_UNLOCK(p); 918 crfree(newcred); 919 return (error); 920 } 921 922 crcopy(newcred, oldcred); 923 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 924 change_egid(newcred, egid); 925 setsugid(p); 926 } 927 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 928 change_rgid(newcred, rgid); 929 setsugid(p); 930 } 931 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 932 newcred->cr_svgid != newcred->cr_groups[0]) { 933 change_svgid(newcred, newcred->cr_groups[0]); 934 setsugid(p); 935 } 936 p->p_ucred = newcred; 937 PROC_UNLOCK(p); 938 crfree(oldcred); 939 return (0); 940 } 941 942 /* 943 * setresuid(ruid, euid, suid) is like setreuid except control over the 944 * saved uid is explicit. 945 */ 946 947 #ifndef _SYS_SYSPROTO_H_ 948 struct setresuid_args { 949 uid_t ruid; 950 uid_t euid; 951 uid_t suid; 952 }; 953 #endif 954 /* 955 * MPSAFE 956 */ 957 /* ARGSUSED */ 958 int 959 setresuid(register struct thread *td, struct setresuid_args *uap) 960 { 961 struct proc *p = td->td_proc; 962 struct ucred *newcred, *oldcred; 963 uid_t euid, ruid, suid; 964 struct uidinfo *euip, *ruip; 965 int error; 966 967 euid = uap->euid; 968 ruid = uap->ruid; 969 suid = uap->suid; 970 newcred = crget(); 971 euip = uifind(euid); 972 ruip = uifind(ruid); 973 PROC_LOCK(p); 974 oldcred = p->p_ucred; 975 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 976 ruid != oldcred->cr_svuid && 977 ruid != oldcred->cr_uid) || 978 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 979 euid != oldcred->cr_svuid && 980 euid != oldcred->cr_uid) || 981 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 982 suid != oldcred->cr_svuid && 983 suid != oldcred->cr_uid)) && 984 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 985 PROC_UNLOCK(p); 986 uifree(ruip); 987 uifree(euip); 988 crfree(newcred); 989 return (error); 990 } 991 992 crcopy(newcred, oldcred); 993 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 994 change_euid(newcred, euip); 995 setsugid(p); 996 } 997 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 998 change_ruid(newcred, ruip); 999 setsugid(p); 1000 } 1001 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1002 change_svuid(newcred, suid); 1003 setsugid(p); 1004 } 1005 p->p_ucred = newcred; 1006 PROC_UNLOCK(p); 1007 uifree(ruip); 1008 uifree(euip); 1009 crfree(oldcred); 1010 return (0); 1011 } 1012 1013 /* 1014 * setresgid(rgid, egid, sgid) is like setregid except control over the 1015 * saved gid is explicit. 1016 */ 1017 1018 #ifndef _SYS_SYSPROTO_H_ 1019 struct setresgid_args { 1020 gid_t rgid; 1021 gid_t egid; 1022 gid_t sgid; 1023 }; 1024 #endif 1025 /* 1026 * MPSAFE 1027 */ 1028 /* ARGSUSED */ 1029 int 1030 setresgid(register struct thread *td, struct setresgid_args *uap) 1031 { 1032 struct proc *p = td->td_proc; 1033 struct ucred *newcred, *oldcred; 1034 gid_t egid, rgid, sgid; 1035 int error; 1036 1037 egid = uap->egid; 1038 rgid = uap->rgid; 1039 sgid = uap->sgid; 1040 newcred = crget(); 1041 PROC_LOCK(p); 1042 oldcred = p->p_ucred; 1043 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1044 rgid != oldcred->cr_svgid && 1045 rgid != oldcred->cr_groups[0]) || 1046 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1047 egid != oldcred->cr_svgid && 1048 egid != oldcred->cr_groups[0]) || 1049 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1050 sgid != oldcred->cr_svgid && 1051 sgid != oldcred->cr_groups[0])) && 1052 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 1053 PROC_UNLOCK(p); 1054 crfree(newcred); 1055 return (error); 1056 } 1057 1058 crcopy(newcred, oldcred); 1059 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1060 change_egid(newcred, egid); 1061 setsugid(p); 1062 } 1063 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1064 change_rgid(newcred, rgid); 1065 setsugid(p); 1066 } 1067 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1068 change_svgid(newcred, sgid); 1069 setsugid(p); 1070 } 1071 p->p_ucred = newcred; 1072 PROC_UNLOCK(p); 1073 crfree(oldcred); 1074 return (0); 1075 } 1076 1077 #ifndef _SYS_SYSPROTO_H_ 1078 struct getresuid_args { 1079 uid_t *ruid; 1080 uid_t *euid; 1081 uid_t *suid; 1082 }; 1083 #endif 1084 /* 1085 * MPSAFE 1086 */ 1087 /* ARGSUSED */ 1088 int 1089 getresuid(register struct thread *td, struct getresuid_args *uap) 1090 { 1091 struct ucred *cred; 1092 int error1 = 0, error2 = 0, error3 = 0; 1093 1094 cred = td->td_ucred; 1095 if (uap->ruid) 1096 error1 = copyout(&cred->cr_ruid, 1097 uap->ruid, sizeof(cred->cr_ruid)); 1098 if (uap->euid) 1099 error2 = copyout(&cred->cr_uid, 1100 uap->euid, sizeof(cred->cr_uid)); 1101 if (uap->suid) 1102 error3 = copyout(&cred->cr_svuid, 1103 uap->suid, sizeof(cred->cr_svuid)); 1104 return (error1 ? error1 : error2 ? error2 : error3); 1105 } 1106 1107 #ifndef _SYS_SYSPROTO_H_ 1108 struct getresgid_args { 1109 gid_t *rgid; 1110 gid_t *egid; 1111 gid_t *sgid; 1112 }; 1113 #endif 1114 /* 1115 * MPSAFE 1116 */ 1117 /* ARGSUSED */ 1118 int 1119 getresgid(register struct thread *td, struct getresgid_args *uap) 1120 { 1121 struct ucred *cred; 1122 int error1 = 0, error2 = 0, error3 = 0; 1123 1124 cred = td->td_ucred; 1125 if (uap->rgid) 1126 error1 = copyout(&cred->cr_rgid, 1127 uap->rgid, sizeof(cred->cr_rgid)); 1128 if (uap->egid) 1129 error2 = copyout(&cred->cr_groups[0], 1130 uap->egid, sizeof(cred->cr_groups[0])); 1131 if (uap->sgid) 1132 error3 = copyout(&cred->cr_svgid, 1133 uap->sgid, sizeof(cred->cr_svgid)); 1134 return (error1 ? error1 : error2 ? error2 : error3); 1135 } 1136 1137 #ifndef _SYS_SYSPROTO_H_ 1138 struct issetugid_args { 1139 int dummy; 1140 }; 1141 #endif 1142 /* 1143 * MPSAFE 1144 */ 1145 /* ARGSUSED */ 1146 int 1147 issetugid(register struct thread *td, struct issetugid_args *uap) 1148 { 1149 struct proc *p = td->td_proc; 1150 1151 /* 1152 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1153 * we use P_SUGID because we consider changing the owners as 1154 * "tainting" as well. 1155 * This is significant for procs that start as root and "become" 1156 * a user without an exec - programs cannot know *everything* 1157 * that libc *might* have put in their data segment. 1158 */ 1159 PROC_LOCK(p); 1160 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1161 PROC_UNLOCK(p); 1162 return (0); 1163 } 1164 1165 /* 1166 * MPSAFE 1167 */ 1168 int 1169 __setugid(struct thread *td, struct __setugid_args *uap) 1170 { 1171 #ifdef REGRESSION 1172 struct proc *p; 1173 1174 p = td->td_proc; 1175 switch (uap->flag) { 1176 case 0: 1177 mtx_lock(&Giant); 1178 PROC_LOCK(p); 1179 p->p_flag &= ~P_SUGID; 1180 PROC_UNLOCK(p); 1181 mtx_unlock(&Giant); 1182 return (0); 1183 case 1: 1184 mtx_lock(&Giant); 1185 PROC_LOCK(p); 1186 p->p_flag |= P_SUGID; 1187 PROC_UNLOCK(p); 1188 mtx_unlock(&Giant); 1189 return (0); 1190 default: 1191 return (EINVAL); 1192 } 1193 #else /* !REGRESSION */ 1194 1195 return (ENOSYS); 1196 #endif /* REGRESSION */ 1197 } 1198 1199 /* 1200 * Check if gid is a member of the group set. 1201 * 1202 * MPSAFE (cred must be held) 1203 */ 1204 int 1205 groupmember(gid_t gid, struct ucred *cred) 1206 { 1207 register gid_t *gp; 1208 gid_t *egp; 1209 1210 egp = &(cred->cr_groups[cred->cr_ngroups]); 1211 for (gp = cred->cr_groups; gp < egp; gp++) 1212 if (*gp == gid) 1213 return (1); 1214 return (0); 1215 } 1216 1217 /* 1218 * `suser_enabled' (which can be set by the security.suser_enabled 1219 * sysctl) determines whether the system 'super-user' policy is in effect. 1220 * If it is nonzero, an effective uid of 0 connotes special privilege, 1221 * overriding many mandatory and discretionary protections. If it is zero, 1222 * uid 0 is offered no special privilege in the kernel security policy. 1223 * Setting it to zero may seriously impact the functionality of many 1224 * existing userland programs, and should not be done without careful 1225 * consideration of the consequences. 1226 */ 1227 int suser_enabled = 1; 1228 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1229 &suser_enabled, 0, "processes with uid 0 have privilege"); 1230 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1231 1232 /* 1233 * Test whether the specified credentials imply "super-user" privilege. 1234 * Return 0 or EPERM. The flag argument is currently used only to 1235 * specify jail interaction. 1236 */ 1237 int 1238 suser_cred(struct ucred *cred, int flag) 1239 { 1240 1241 if (!suser_enabled) 1242 return (EPERM); 1243 if (cred->cr_uid != 0) 1244 return (EPERM); 1245 if (jailed(cred) && !(flag & PRISON_ROOT)) 1246 return (EPERM); 1247 return (0); 1248 } 1249 1250 /* 1251 * Shortcut to hide contents of struct td and struct proc from the 1252 * caller, promoting binary compatibility. 1253 */ 1254 int 1255 suser(struct thread *td) 1256 { 1257 1258 return (suser_cred(td->td_ucred, 0)); 1259 } 1260 1261 /* 1262 * Test the active securelevel against a given level. securelevel_gt() 1263 * implements (securelevel > level). securelevel_ge() implements 1264 * (securelevel >= level). Note that the logic is inverted -- these 1265 * functions return EPERM on "success" and 0 on "failure". 1266 * 1267 * MPSAFE 1268 */ 1269 int 1270 securelevel_gt(struct ucred *cr, int level) 1271 { 1272 int active_securelevel; 1273 1274 active_securelevel = securelevel; 1275 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1276 if (cr->cr_prison != NULL) { 1277 mtx_lock(&cr->cr_prison->pr_mtx); 1278 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1279 active_securelevel); 1280 mtx_unlock(&cr->cr_prison->pr_mtx); 1281 } 1282 return (active_securelevel > level ? EPERM : 0); 1283 } 1284 1285 int 1286 securelevel_ge(struct ucred *cr, int level) 1287 { 1288 int active_securelevel; 1289 1290 active_securelevel = securelevel; 1291 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1292 if (cr->cr_prison != NULL) { 1293 mtx_lock(&cr->cr_prison->pr_mtx); 1294 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1295 active_securelevel); 1296 mtx_unlock(&cr->cr_prison->pr_mtx); 1297 } 1298 return (active_securelevel >= level ? EPERM : 0); 1299 } 1300 1301 /* 1302 * 'see_other_uids' determines whether or not visibility of processes 1303 * and sockets with credentials holding different real uids is possible 1304 * using a variety of system MIBs. 1305 * XXX: data declarations should be together near the beginning of the file. 1306 */ 1307 static int see_other_uids = 1; 1308 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1309 &see_other_uids, 0, 1310 "Unprivileged processes may see subjects/objects with different real uid"); 1311 1312 /*- 1313 * Determine if u1 "can see" the subject specified by u2, according to the 1314 * 'see_other_uids' policy. 1315 * Returns: 0 for permitted, ESRCH otherwise 1316 * Locks: none 1317 * References: *u1 and *u2 must not change during the call 1318 * u1 may equal u2, in which case only one reference is required 1319 */ 1320 static int 1321 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1322 { 1323 1324 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1325 if (suser_cred(u1, PRISON_ROOT) != 0) 1326 return (ESRCH); 1327 } 1328 return (0); 1329 } 1330 1331 /*- 1332 * Determine if u1 "can see" the subject specified by u2. 1333 * Returns: 0 for permitted, an errno value otherwise 1334 * Locks: none 1335 * References: *u1 and *u2 must not change during the call 1336 * u1 may equal u2, in which case only one reference is required 1337 */ 1338 int 1339 cr_cansee(struct ucred *u1, struct ucred *u2) 1340 { 1341 int error; 1342 1343 if ((error = prison_check(u1, u2))) 1344 return (error); 1345 #ifdef MAC 1346 if ((error = mac_check_cred_visible(u1, u2))) 1347 return (error); 1348 #endif 1349 if ((error = cr_seeotheruids(u1, u2))) 1350 return (error); 1351 return (0); 1352 } 1353 1354 /*- 1355 * Determine if td "can see" the subject specified by p. 1356 * Returns: 0 for permitted, an errno value otherwise 1357 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1358 * should be curthread. 1359 * References: td and p must be valid for the lifetime of the call 1360 */ 1361 int 1362 p_cansee(struct thread *td, struct proc *p) 1363 { 1364 1365 /* Wrap cr_cansee() for all functionality. */ 1366 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1367 PROC_LOCK_ASSERT(p, MA_OWNED); 1368 return (cr_cansee(td->td_ucred, p->p_ucred)); 1369 } 1370 1371 /*- 1372 * Determine whether cred may deliver the specified signal to proc. 1373 * Returns: 0 for permitted, an errno value otherwise. 1374 * Locks: A lock must be held for proc. 1375 * References: cred and proc must be valid for the lifetime of the call. 1376 */ 1377 int 1378 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1379 { 1380 int error; 1381 1382 PROC_LOCK_ASSERT(proc, MA_OWNED); 1383 /* 1384 * Jail semantics limit the scope of signalling to proc in the 1385 * same jail as cred, if cred is in jail. 1386 */ 1387 error = prison_check(cred, proc->p_ucred); 1388 if (error) 1389 return (error); 1390 #ifdef MAC 1391 if ((error = mac_check_proc_signal(cred, proc, signum))) 1392 return (error); 1393 #endif 1394 error = cr_seeotheruids(cred, proc->p_ucred); 1395 if (error) 1396 return (error); 1397 1398 /* 1399 * UNIX signal semantics depend on the status of the P_SUGID 1400 * bit on the target process. If the bit is set, then additional 1401 * restrictions are placed on the set of available signals. 1402 */ 1403 if (proc->p_flag & P_SUGID) { 1404 switch (signum) { 1405 case 0: 1406 case SIGKILL: 1407 case SIGINT: 1408 case SIGTERM: 1409 case SIGSTOP: 1410 case SIGTTIN: 1411 case SIGTTOU: 1412 case SIGTSTP: 1413 case SIGHUP: 1414 case SIGUSR1: 1415 case SIGUSR2: 1416 /* 1417 * Generally, permit job and terminal control 1418 * signals. 1419 */ 1420 break; 1421 default: 1422 /* Not permitted without privilege. */ 1423 error = suser_cred(cred, PRISON_ROOT); 1424 if (error) 1425 return (error); 1426 } 1427 } 1428 1429 /* 1430 * Generally, the target credential's ruid or svuid must match the 1431 * subject credential's ruid or euid. 1432 */ 1433 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1434 cred->cr_ruid != proc->p_ucred->cr_svuid && 1435 cred->cr_uid != proc->p_ucred->cr_ruid && 1436 cred->cr_uid != proc->p_ucred->cr_svuid) { 1437 /* Not permitted without privilege. */ 1438 error = suser_cred(cred, PRISON_ROOT); 1439 if (error) 1440 return (error); 1441 } 1442 1443 return (0); 1444 } 1445 1446 1447 /*- 1448 * Determine whether td may deliver the specified signal to p. 1449 * Returns: 0 for permitted, an errno value otherwise 1450 * Locks: Sufficient locks to protect various components of td and p 1451 * must be held. td must be curthread, and a lock must be 1452 * held for p. 1453 * References: td and p must be valid for the lifetime of the call 1454 */ 1455 int 1456 p_cansignal(struct thread *td, struct proc *p, int signum) 1457 { 1458 1459 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1460 PROC_LOCK_ASSERT(p, MA_OWNED); 1461 if (td->td_proc == p) 1462 return (0); 1463 1464 /* 1465 * UNIX signalling semantics require that processes in the same 1466 * session always be able to deliver SIGCONT to one another, 1467 * overriding the remaining protections. 1468 */ 1469 /* XXX: This will require an additional lock of some sort. */ 1470 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1471 return (0); 1472 1473 return (cr_cansignal(td->td_ucred, p, signum)); 1474 } 1475 1476 /*- 1477 * Determine whether td may reschedule p. 1478 * Returns: 0 for permitted, an errno value otherwise 1479 * Locks: Sufficient locks to protect various components of td and p 1480 * must be held. td must be curthread, and a lock must 1481 * be held for p. 1482 * References: td and p must be valid for the lifetime of the call 1483 */ 1484 int 1485 p_cansched(struct thread *td, struct proc *p) 1486 { 1487 int error; 1488 1489 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1490 PROC_LOCK_ASSERT(p, MA_OWNED); 1491 if (td->td_proc == p) 1492 return (0); 1493 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1494 return (error); 1495 #ifdef MAC 1496 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1497 return (error); 1498 #endif 1499 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1500 return (error); 1501 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1502 return (0); 1503 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1504 return (0); 1505 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0) 1506 return (0); 1507 1508 #ifdef CAPABILITIES 1509 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT)) 1510 return (0); 1511 #endif 1512 1513 return (EPERM); 1514 } 1515 1516 /* 1517 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1518 * unprivileged inter-process debugging services, including some procfs 1519 * functionality, ptrace(), and ktrace(). In the past, inter-process 1520 * debugging has been involved in a variety of security problems, and sites 1521 * not requiring the service might choose to disable it when hardening 1522 * systems. 1523 * 1524 * XXX: Should modifying and reading this variable require locking? 1525 * XXX: data declarations should be together near the beginning of the file. 1526 */ 1527 static int unprivileged_proc_debug = 1; 1528 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1529 &unprivileged_proc_debug, 0, 1530 "Unprivileged processes may use process debugging facilities"); 1531 1532 /*- 1533 * Determine whether td may debug p. 1534 * Returns: 0 for permitted, an errno value otherwise 1535 * Locks: Sufficient locks to protect various components of td and p 1536 * must be held. td must be curthread, and a lock must 1537 * be held for p. 1538 * References: td and p must be valid for the lifetime of the call 1539 */ 1540 int 1541 p_candebug(struct thread *td, struct proc *p) 1542 { 1543 int credentialchanged, error, grpsubset, i, uidsubset; 1544 1545 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1546 PROC_LOCK_ASSERT(p, MA_OWNED); 1547 if (!unprivileged_proc_debug) { 1548 error = suser_cred(td->td_ucred, PRISON_ROOT); 1549 if (error) 1550 return (error); 1551 } 1552 if (td->td_proc == p) 1553 return (0); 1554 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1555 return (error); 1556 #ifdef MAC 1557 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1558 return (error); 1559 #endif 1560 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1561 return (error); 1562 1563 /* 1564 * Is p's group set a subset of td's effective group set? This 1565 * includes p's egid, group access list, rgid, and svgid. 1566 */ 1567 grpsubset = 1; 1568 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1569 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1570 grpsubset = 0; 1571 break; 1572 } 1573 } 1574 grpsubset = grpsubset && 1575 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1576 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1577 1578 /* 1579 * Are the uids present in p's credential equal to td's 1580 * effective uid? This includes p's euid, svuid, and ruid. 1581 */ 1582 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1583 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1584 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1585 1586 /* 1587 * Has the credential of the process changed since the last exec()? 1588 */ 1589 credentialchanged = (p->p_flag & P_SUGID); 1590 1591 /* 1592 * If p's gids aren't a subset, or the uids aren't a subset, 1593 * or the credential has changed, require appropriate privilege 1594 * for td to debug p. For POSIX.1e capabilities, this will 1595 * require CAP_SYS_PTRACE. 1596 */ 1597 if (!grpsubset || !uidsubset || credentialchanged) { 1598 error = suser_cred(td->td_ucred, PRISON_ROOT); 1599 if (error) 1600 return (error); 1601 } 1602 1603 /* Can't trace init when securelevel > 0. */ 1604 if (p == initproc) { 1605 error = securelevel_gt(td->td_ucred, 0); 1606 if (error) 1607 return (error); 1608 } 1609 1610 /* 1611 * Can't trace a process that's currently exec'ing. 1612 * XXX: Note, this is not a security policy decision, it's a 1613 * basic correctness/functionality decision. Therefore, this check 1614 * should be moved to the caller's of p_candebug(). 1615 */ 1616 if ((p->p_flag & P_INEXEC) != 0) 1617 return (EAGAIN); 1618 1619 return (0); 1620 } 1621 1622 /*- 1623 * Determine whether the subject represented by cred can "see" a socket. 1624 * Returns: 0 for permitted, ENOENT otherwise. 1625 */ 1626 int 1627 cr_canseesocket(struct ucred *cred, struct socket *so) 1628 { 1629 int error; 1630 1631 error = prison_check(cred, so->so_cred); 1632 if (error) 1633 return (ENOENT); 1634 #ifdef MAC 1635 error = mac_check_socket_visible(cred, so); 1636 if (error) 1637 return (error); 1638 #endif 1639 if (cr_seeotheruids(cred, so->so_cred)) 1640 return (ENOENT); 1641 1642 return (0); 1643 } 1644 1645 /* 1646 * Allocate a zeroed cred structure. 1647 * MPSAFE 1648 */ 1649 struct ucred * 1650 crget(void) 1651 { 1652 register struct ucred *cr; 1653 1654 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1655 cr->cr_ref = 1; 1656 cr->cr_mtxp = mtx_pool_find(cr); 1657 #ifdef MAC 1658 mac_init_cred(cr); 1659 #endif 1660 return (cr); 1661 } 1662 1663 /* 1664 * Claim another reference to a ucred structure. 1665 * MPSAFE 1666 */ 1667 struct ucred * 1668 crhold(struct ucred *cr) 1669 { 1670 1671 mtx_lock(cr->cr_mtxp); 1672 cr->cr_ref++; 1673 mtx_unlock(cr->cr_mtxp); 1674 return (cr); 1675 } 1676 1677 /* 1678 * Free a cred structure. 1679 * Throws away space when ref count gets to 0. 1680 * MPSAFE 1681 */ 1682 void 1683 crfree(struct ucred *cr) 1684 { 1685 struct mtx *mtxp = cr->cr_mtxp; 1686 1687 mtx_lock(mtxp); 1688 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1689 if (--cr->cr_ref == 0) { 1690 /* 1691 * Some callers of crget(), such as nfs_statfs(), 1692 * allocate a temporary credential, but don't 1693 * allocate a uidinfo structure. 1694 */ 1695 mtx_unlock(mtxp); 1696 mtx_lock(&Giant); 1697 if (cr->cr_uidinfo != NULL) 1698 uifree(cr->cr_uidinfo); 1699 if (cr->cr_ruidinfo != NULL) 1700 uifree(cr->cr_ruidinfo); 1701 /* 1702 * Free a prison, if any. 1703 */ 1704 if (jailed(cr)) 1705 prison_free(cr->cr_prison); 1706 #ifdef MAC 1707 mac_destroy_cred(cr); 1708 #endif 1709 FREE(cr, M_CRED); 1710 mtx_unlock(&Giant); 1711 } else { 1712 mtx_unlock(mtxp); 1713 } 1714 } 1715 1716 /* 1717 * Check to see if this ucred is shared. 1718 * MPSAFE 1719 */ 1720 int 1721 crshared(struct ucred *cr) 1722 { 1723 int shared; 1724 1725 mtx_lock(cr->cr_mtxp); 1726 shared = (cr->cr_ref > 1); 1727 mtx_unlock(cr->cr_mtxp); 1728 return (shared); 1729 } 1730 1731 /* 1732 * Copy a ucred's contents from a template. Does not block. 1733 * MPSAFE 1734 */ 1735 void 1736 crcopy(struct ucred *dest, struct ucred *src) 1737 { 1738 1739 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1740 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1741 (unsigned)((caddr_t)&src->cr_endcopy - 1742 (caddr_t)&src->cr_startcopy)); 1743 uihold(dest->cr_uidinfo); 1744 uihold(dest->cr_ruidinfo); 1745 if (jailed(dest)) 1746 prison_hold(dest->cr_prison); 1747 #ifdef MAC 1748 mac_create_cred(src, dest); 1749 #endif 1750 } 1751 1752 /* 1753 * Dup cred struct to a new held one. 1754 * MPSAFE 1755 */ 1756 struct ucred * 1757 crdup(struct ucred *cr) 1758 { 1759 struct ucred *newcr; 1760 1761 newcr = crget(); 1762 crcopy(newcr, cr); 1763 return (newcr); 1764 } 1765 1766 #ifdef DIAGNOSTIC 1767 void 1768 cred_free_thread(struct thread *td) 1769 { 1770 struct ucred *cred; 1771 1772 cred = td->td_ucred; 1773 td->td_ucred = NULL; 1774 if (cred != NULL) 1775 crfree(cred); 1776 } 1777 #endif 1778 1779 /* 1780 * Fill in a struct xucred based on a struct ucred. 1781 * MPSAFE 1782 */ 1783 void 1784 cru2x(struct ucred *cr, struct xucred *xcr) 1785 { 1786 1787 bzero(xcr, sizeof(*xcr)); 1788 xcr->cr_version = XUCRED_VERSION; 1789 xcr->cr_uid = cr->cr_uid; 1790 xcr->cr_ngroups = cr->cr_ngroups; 1791 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1792 } 1793 1794 /* 1795 * small routine to swap a thread's current ucred for the correct one 1796 * taken from the process. 1797 * MPSAFE 1798 */ 1799 void 1800 cred_update_thread(struct thread *td) 1801 { 1802 struct proc *p; 1803 struct ucred *cred; 1804 1805 p = td->td_proc; 1806 cred = td->td_ucred; 1807 PROC_LOCK(p); 1808 td->td_ucred = crhold(p->p_ucred); 1809 PROC_UNLOCK(p); 1810 if (cred != NULL) 1811 crfree(cred); 1812 } 1813 1814 /* 1815 * Get login name, if available. 1816 */ 1817 #ifndef _SYS_SYSPROTO_H_ 1818 struct getlogin_args { 1819 char *namebuf; 1820 u_int namelen; 1821 }; 1822 #endif 1823 /* 1824 * MPSAFE 1825 */ 1826 /* ARGSUSED */ 1827 int 1828 getlogin(struct thread *td, struct getlogin_args *uap) 1829 { 1830 int error; 1831 char login[MAXLOGNAME]; 1832 struct proc *p = td->td_proc; 1833 1834 if (uap->namelen > MAXLOGNAME) 1835 uap->namelen = MAXLOGNAME; 1836 PROC_LOCK(p); 1837 SESS_LOCK(p->p_session); 1838 bcopy(p->p_session->s_login, login, uap->namelen); 1839 SESS_UNLOCK(p->p_session); 1840 PROC_UNLOCK(p); 1841 error = copyout(login, uap->namebuf, uap->namelen); 1842 return(error); 1843 } 1844 1845 /* 1846 * Set login name. 1847 */ 1848 #ifndef _SYS_SYSPROTO_H_ 1849 struct setlogin_args { 1850 char *namebuf; 1851 }; 1852 #endif 1853 /* 1854 * MPSAFE 1855 */ 1856 /* ARGSUSED */ 1857 int 1858 setlogin(struct thread *td, struct setlogin_args *uap) 1859 { 1860 struct proc *p = td->td_proc; 1861 int error; 1862 char logintmp[MAXLOGNAME]; 1863 1864 error = suser_cred(td->td_ucred, PRISON_ROOT); 1865 if (error) 1866 return (error); 1867 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1868 if (error == ENAMETOOLONG) 1869 error = EINVAL; 1870 else if (!error) { 1871 PROC_LOCK(p); 1872 SESS_LOCK(p->p_session); 1873 (void) memcpy(p->p_session->s_login, logintmp, 1874 sizeof(logintmp)); 1875 SESS_UNLOCK(p->p_session); 1876 PROC_UNLOCK(p); 1877 } 1878 return (error); 1879 } 1880 1881 void 1882 setsugid(struct proc *p) 1883 { 1884 1885 PROC_LOCK_ASSERT(p, MA_OWNED); 1886 p->p_flag |= P_SUGID; 1887 if (!(p->p_pfsflags & PF_ISUGID)) 1888 p->p_stops = 0; 1889 } 1890 1891 /*- 1892 * Change a process's effective uid. 1893 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1894 * References: newcred must be an exclusive credential reference for the 1895 * duration of the call. 1896 */ 1897 void 1898 change_euid(struct ucred *newcred, struct uidinfo *euip) 1899 { 1900 1901 newcred->cr_uid = euip->ui_uid; 1902 uihold(euip); 1903 uifree(newcred->cr_uidinfo); 1904 newcred->cr_uidinfo = euip; 1905 } 1906 1907 /*- 1908 * Change a process's effective gid. 1909 * Side effects: newcred->cr_gid will be modified. 1910 * References: newcred must be an exclusive credential reference for the 1911 * duration of the call. 1912 */ 1913 void 1914 change_egid(struct ucred *newcred, gid_t egid) 1915 { 1916 1917 newcred->cr_groups[0] = egid; 1918 } 1919 1920 /*- 1921 * Change a process's real uid. 1922 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1923 * will be updated, and the old and new cr_ruidinfo proc 1924 * counts will be updated. 1925 * References: newcred must be an exclusive credential reference for the 1926 * duration of the call. 1927 */ 1928 void 1929 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 1930 { 1931 1932 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1933 newcred->cr_ruid = ruip->ui_uid; 1934 uihold(ruip); 1935 uifree(newcred->cr_ruidinfo); 1936 newcred->cr_ruidinfo = ruip; 1937 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1938 } 1939 1940 /*- 1941 * Change a process's real gid. 1942 * Side effects: newcred->cr_rgid will be updated. 1943 * References: newcred must be an exclusive credential reference for the 1944 * duration of the call. 1945 */ 1946 void 1947 change_rgid(struct ucred *newcred, gid_t rgid) 1948 { 1949 1950 newcred->cr_rgid = rgid; 1951 } 1952 1953 /*- 1954 * Change a process's saved uid. 1955 * Side effects: newcred->cr_svuid will be updated. 1956 * References: newcred must be an exclusive credential reference for the 1957 * duration of the call. 1958 */ 1959 void 1960 change_svuid(struct ucred *newcred, uid_t svuid) 1961 { 1962 1963 newcred->cr_svuid = svuid; 1964 } 1965 1966 /*- 1967 * Change a process's saved gid. 1968 * Side effects: newcred->cr_svgid will be updated. 1969 * References: newcred must be an exclusive credential reference for the 1970 * duration of the call. 1971 */ 1972 void 1973 change_svgid(struct ucred *newcred, gid_t svgid) 1974 { 1975 1976 newcred->cr_svgid = svgid; 1977 } 1978