1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 #include "opt_inet.h" 46 #include "opt_inet6.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/abi_compat.h> 51 #include <sys/acct.h> 52 #include <sys/kdb.h> 53 #include <sys/kernel.h> 54 #include <sys/libkern.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef MAC 78 #include <security/mac/mac_syscalls.h> 79 #endif 80 81 #include <vm/uma.h> 82 83 #ifdef REGRESSION 84 FEATURE(regression, 85 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 86 #endif 87 88 #include <security/audit/audit.h> 89 #include <security/mac/mac_framework.h> 90 91 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 92 93 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 94 "BSD security policy"); 95 96 static void crfree_final(struct ucred *cr); 97 98 static inline void 99 groups_check_positive_len(int ngrp) 100 { 101 MPASS2(ngrp >= 0, "negative number of groups"); 102 } 103 static inline void 104 groups_check_max_len(int ngrp) 105 { 106 MPASS2(ngrp <= ngroups_max, "too many supplementary groups"); 107 } 108 109 static void groups_normalize(int *ngrp, gid_t *groups); 110 static void crsetgroups_internal(struct ucred *cr, int ngrp, 111 const gid_t *groups); 112 113 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 114 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 115 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 116 117 #ifndef _SYS_SYSPROTO_H_ 118 struct getpid_args { 119 int dummy; 120 }; 121 #endif 122 /* ARGSUSED */ 123 int 124 sys_getpid(struct thread *td, struct getpid_args *uap) 125 { 126 struct proc *p = td->td_proc; 127 128 td->td_retval[0] = p->p_pid; 129 #if defined(COMPAT_43) 130 if (SV_PROC_FLAG(p, SV_AOUT)) 131 td->td_retval[1] = kern_getppid(td); 132 #endif 133 return (0); 134 } 135 136 #ifndef _SYS_SYSPROTO_H_ 137 struct getppid_args { 138 int dummy; 139 }; 140 #endif 141 /* ARGSUSED */ 142 int 143 sys_getppid(struct thread *td, struct getppid_args *uap) 144 { 145 146 td->td_retval[0] = kern_getppid(td); 147 return (0); 148 } 149 150 int 151 kern_getppid(struct thread *td) 152 { 153 struct proc *p = td->td_proc; 154 155 return (p->p_oppid); 156 } 157 158 /* 159 * Get process group ID; note that POSIX getpgrp takes no parameter. 160 */ 161 #ifndef _SYS_SYSPROTO_H_ 162 struct getpgrp_args { 163 int dummy; 164 }; 165 #endif 166 int 167 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 168 { 169 struct proc *p = td->td_proc; 170 171 PROC_LOCK(p); 172 td->td_retval[0] = p->p_pgrp->pg_id; 173 PROC_UNLOCK(p); 174 return (0); 175 } 176 177 /* Get an arbitrary pid's process group id */ 178 #ifndef _SYS_SYSPROTO_H_ 179 struct getpgid_args { 180 pid_t pid; 181 }; 182 #endif 183 int 184 sys_getpgid(struct thread *td, struct getpgid_args *uap) 185 { 186 struct proc *p; 187 int error; 188 189 if (uap->pid == 0) { 190 p = td->td_proc; 191 PROC_LOCK(p); 192 } else { 193 p = pfind(uap->pid); 194 if (p == NULL) 195 return (ESRCH); 196 error = p_cansee(td, p); 197 if (error) { 198 PROC_UNLOCK(p); 199 return (error); 200 } 201 } 202 td->td_retval[0] = p->p_pgrp->pg_id; 203 PROC_UNLOCK(p); 204 return (0); 205 } 206 207 /* 208 * Get an arbitrary pid's session id. 209 */ 210 #ifndef _SYS_SYSPROTO_H_ 211 struct getsid_args { 212 pid_t pid; 213 }; 214 #endif 215 int 216 sys_getsid(struct thread *td, struct getsid_args *uap) 217 { 218 219 return (kern_getsid(td, uap->pid)); 220 } 221 222 int 223 kern_getsid(struct thread *td, pid_t pid) 224 { 225 struct proc *p; 226 int error; 227 228 if (pid == 0) { 229 p = td->td_proc; 230 PROC_LOCK(p); 231 } else { 232 p = pfind(pid); 233 if (p == NULL) 234 return (ESRCH); 235 error = p_cansee(td, p); 236 if (error) { 237 PROC_UNLOCK(p); 238 return (error); 239 } 240 } 241 td->td_retval[0] = p->p_session->s_sid; 242 PROC_UNLOCK(p); 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getuid_args { 248 int dummy; 249 }; 250 #endif 251 /* ARGSUSED */ 252 int 253 sys_getuid(struct thread *td, struct getuid_args *uap) 254 { 255 256 td->td_retval[0] = td->td_ucred->cr_ruid; 257 #if defined(COMPAT_43) 258 td->td_retval[1] = td->td_ucred->cr_uid; 259 #endif 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct geteuid_args { 265 int dummy; 266 }; 267 #endif 268 /* ARGSUSED */ 269 int 270 sys_geteuid(struct thread *td, struct geteuid_args *uap) 271 { 272 273 td->td_retval[0] = td->td_ucred->cr_uid; 274 return (0); 275 } 276 277 #ifndef _SYS_SYSPROTO_H_ 278 struct getgid_args { 279 int dummy; 280 }; 281 #endif 282 /* ARGSUSED */ 283 int 284 sys_getgid(struct thread *td, struct getgid_args *uap) 285 { 286 287 td->td_retval[0] = td->td_ucred->cr_rgid; 288 #if defined(COMPAT_43) 289 td->td_retval[1] = td->td_ucred->cr_gid; 290 #endif 291 return (0); 292 } 293 294 /* 295 * Get effective group ID. The "egid" is groups[0], and could be obtained 296 * via getgroups. This syscall exists because it is somewhat painful to do 297 * correctly in a library function. 298 */ 299 #ifndef _SYS_SYSPROTO_H_ 300 struct getegid_args { 301 int dummy; 302 }; 303 #endif 304 /* ARGSUSED */ 305 int 306 sys_getegid(struct thread *td, struct getegid_args *uap) 307 { 308 309 td->td_retval[0] = td->td_ucred->cr_gid; 310 return (0); 311 } 312 313 #ifndef _SYS_SYSPROTO_H_ 314 struct getgroups_args { 315 int gidsetsize; 316 gid_t *gidset; 317 }; 318 #endif 319 int 320 sys_getgroups(struct thread *td, struct getgroups_args *uap) 321 { 322 struct ucred *cred; 323 gid_t *ugidset; 324 int ngrp, error; 325 326 cred = td->td_ucred; 327 328 /* 329 * cr_gid has been moved out of cr_groups, but we'll continue exporting 330 * the egid as groups[0] for the time being until we audit userland for 331 * any surprises. 332 */ 333 ngrp = cred->cr_ngroups + 1; 334 335 if (uap->gidsetsize == 0) { 336 error = 0; 337 goto out; 338 } 339 if (uap->gidsetsize < ngrp) 340 return (EINVAL); 341 342 ugidset = uap->gidset; 343 error = copyout(&cred->cr_gid, ugidset, sizeof(*ugidset)); 344 if (error != 0) 345 goto out; 346 347 if (ngrp > 1) 348 error = copyout(cred->cr_groups, ugidset + 1, 349 (ngrp - 1) * sizeof(*ugidset)); 350 out: 351 td->td_retval[0] = ngrp; 352 return (error); 353 } 354 355 #ifndef _SYS_SYSPROTO_H_ 356 struct setsid_args { 357 int dummy; 358 }; 359 #endif 360 /* ARGSUSED */ 361 int 362 sys_setsid(struct thread *td, struct setsid_args *uap) 363 { 364 struct pgrp *pgrp; 365 int error; 366 struct proc *p = td->td_proc; 367 struct pgrp *newpgrp; 368 struct session *newsess; 369 370 pgrp = NULL; 371 372 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 373 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 374 375 again: 376 error = 0; 377 sx_xlock(&proctree_lock); 378 379 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 380 if (pgrp != NULL) 381 PGRP_UNLOCK(pgrp); 382 error = EPERM; 383 } else { 384 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 385 if (error == ERESTART) 386 goto again; 387 MPASS(error == 0); 388 td->td_retval[0] = p->p_pid; 389 newpgrp = NULL; 390 newsess = NULL; 391 } 392 393 sx_xunlock(&proctree_lock); 394 395 uma_zfree(pgrp_zone, newpgrp); 396 free(newsess, M_SESSION); 397 398 return (error); 399 } 400 401 /* 402 * set process group (setpgid/old setpgrp) 403 * 404 * caller does setpgid(targpid, targpgid) 405 * 406 * pid must be caller or child of caller (ESRCH) 407 * if a child 408 * pid must be in same session (EPERM) 409 * pid can't have done an exec (EACCES) 410 * if pgid != pid 411 * there must exist some pid in same session having pgid (EPERM) 412 * pid must not be session leader (EPERM) 413 */ 414 #ifndef _SYS_SYSPROTO_H_ 415 struct setpgid_args { 416 int pid; /* target process id */ 417 int pgid; /* target pgrp id */ 418 }; 419 #endif 420 /* ARGSUSED */ 421 int 422 sys_setpgid(struct thread *td, struct setpgid_args *uap) 423 { 424 struct proc *curp = td->td_proc; 425 struct proc *targp; /* target process */ 426 struct pgrp *pgrp; /* target pgrp */ 427 int error; 428 struct pgrp *newpgrp; 429 430 if (uap->pgid < 0) 431 return (EINVAL); 432 433 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 434 435 again: 436 error = 0; 437 438 sx_xlock(&proctree_lock); 439 if (uap->pid != 0 && uap->pid != curp->p_pid) { 440 if ((targp = pfind(uap->pid)) == NULL) { 441 error = ESRCH; 442 goto done; 443 } 444 if (!inferior(targp)) { 445 PROC_UNLOCK(targp); 446 error = ESRCH; 447 goto done; 448 } 449 if ((error = p_cansee(td, targp))) { 450 PROC_UNLOCK(targp); 451 goto done; 452 } 453 if (targp->p_pgrp == NULL || 454 targp->p_session != curp->p_session) { 455 PROC_UNLOCK(targp); 456 error = EPERM; 457 goto done; 458 } 459 if (targp->p_flag & P_EXEC) { 460 PROC_UNLOCK(targp); 461 error = EACCES; 462 goto done; 463 } 464 PROC_UNLOCK(targp); 465 } else 466 targp = curp; 467 if (SESS_LEADER(targp)) { 468 error = EPERM; 469 goto done; 470 } 471 if (uap->pgid == 0) 472 uap->pgid = targp->p_pid; 473 if ((pgrp = pgfind(uap->pgid)) == NULL) { 474 if (uap->pgid == targp->p_pid) { 475 error = enterpgrp(targp, uap->pgid, newpgrp, 476 NULL); 477 if (error == 0) 478 newpgrp = NULL; 479 } else 480 error = EPERM; 481 } else { 482 if (pgrp == targp->p_pgrp) { 483 PGRP_UNLOCK(pgrp); 484 goto done; 485 } 486 if (pgrp->pg_id != targp->p_pid && 487 pgrp->pg_session != curp->p_session) { 488 PGRP_UNLOCK(pgrp); 489 error = EPERM; 490 goto done; 491 } 492 PGRP_UNLOCK(pgrp); 493 error = enterthispgrp(targp, pgrp); 494 } 495 done: 496 KASSERT(error == 0 || newpgrp != NULL, 497 ("setpgid failed and newpgrp is NULL")); 498 if (error == ERESTART) 499 goto again; 500 sx_xunlock(&proctree_lock); 501 uma_zfree(pgrp_zone, newpgrp); 502 return (error); 503 } 504 505 static int 506 gidp_cmp(const void *p1, const void *p2) 507 { 508 const gid_t g1 = *(const gid_t *)p1; 509 const gid_t g2 = *(const gid_t *)p2; 510 511 return ((g1 > g2) - (g1 < g2)); 512 } 513 514 /* 515 * Final storage for supplementary groups will be returned via 'groups'. 516 * '*groups' must be NULL on input, and if not equal to 'smallgroups' 517 * on output, must be freed (M_TEMP) *even if* an error is returned. 518 */ 519 static int 520 kern_setcred_copyin_supp_groups(struct setcred *const wcred, 521 const u_int flags, gid_t *const smallgroups, gid_t **const groups) 522 { 523 MPASS(*groups == NULL); 524 525 if (flags & SETCREDF_SUPP_GROUPS) { 526 int error; 527 528 /* 529 * Check for the limit for number of groups right now in order 530 * to limit the amount of bytes to copy. 531 */ 532 if (wcred->sc_supp_groups_nb > ngroups_max) 533 return (EINVAL); 534 535 /* 536 * Since we are going to be copying the supplementary groups 537 * from userland, make room also for the effective GID right 538 * now, to avoid having to allocate and copy again the 539 * supplementary groups. 540 */ 541 *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? 542 smallgroups : malloc(wcred->sc_supp_groups_nb * 543 sizeof(*groups), M_TEMP, M_WAITOK); 544 545 error = copyin(wcred->sc_supp_groups, *groups, 546 wcred->sc_supp_groups_nb * sizeof(*groups)); 547 if (error != 0) 548 return (error); 549 wcred->sc_supp_groups = *groups; 550 } else { 551 wcred->sc_supp_groups_nb = 0; 552 wcred->sc_supp_groups = NULL; 553 } 554 555 return (0); 556 } 557 558 int 559 user_setcred(struct thread *td, const u_int flags, 560 const void *const uwcred, const size_t size, bool is_32bit) 561 { 562 struct setcred wcred; 563 #ifdef MAC 564 struct mac mac; 565 /* Pointer to 'struct mac' or 'struct mac32'. */ 566 void *umac; 567 #endif 568 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 569 gid_t *groups = NULL; 570 int error; 571 572 /* 573 * As the only point of this wrapper function is to copyin() from 574 * userland, we only interpret the data pieces we need to perform this 575 * operation and defer further sanity checks to kern_setcred(), except 576 * that we redundantly check here that no unknown flags have been 577 * passed. 578 */ 579 if ((flags & ~SETCREDF_MASK) != 0) 580 return (EINVAL); 581 582 #ifdef COMPAT_FREEBSD32 583 if (is_32bit) { 584 struct setcred32 wcred32; 585 586 if (size != sizeof(wcred32)) 587 return (EINVAL); 588 error = copyin(uwcred, &wcred32, sizeof(wcred32)); 589 if (error != 0) 590 return (error); 591 /* These fields have exactly the same sizes and positions. */ 592 memcpy(&wcred, &wcred32, &wcred32.setcred32_copy_end - 593 &wcred32.setcred32_copy_start); 594 /* Remaining fields are pointers and need PTRIN*(). */ 595 PTRIN_CP(wcred32, wcred, sc_supp_groups); 596 PTRIN_CP(wcred32, wcred, sc_label); 597 } else 598 #endif /* COMPAT_FREEBSD32 */ 599 { 600 if (size != sizeof(wcred)) 601 return (EINVAL); 602 error = copyin(uwcred, &wcred, sizeof(wcred)); 603 if (error != 0) 604 return (error); 605 } 606 #ifdef MAC 607 umac = wcred.sc_label; 608 #endif 609 /* Also done on !MAC as a defensive measure. */ 610 wcred.sc_label = NULL; 611 612 /* 613 * Copy supplementary groups as needed. There is no specific 614 * alternative for 32-bit compatibility as 'gid_t' has the same size 615 * everywhere. 616 */ 617 error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups, 618 &groups); 619 if (error != 0) 620 goto free_groups; 621 622 #ifdef MAC 623 if ((flags & SETCREDF_MAC_LABEL) != 0) { 624 #ifdef COMPAT_FREEBSD32 625 if (is_32bit) 626 error = mac_label_copyin32(umac, &mac, NULL); 627 else 628 #endif 629 error = mac_label_copyin(umac, &mac, NULL); 630 if (error != 0) 631 goto free_groups; 632 wcred.sc_label = &mac; 633 } 634 #endif 635 636 error = kern_setcred(td, flags, &wcred, groups); 637 638 #ifdef MAC 639 if (wcred.sc_label != NULL) 640 free_copied_label(wcred.sc_label); 641 #endif 642 643 free_groups: 644 if (groups != smallgroups) 645 free(groups, M_TEMP); 646 647 return (error); 648 } 649 650 #ifndef _SYS_SYSPROTO_H_ 651 struct setcred_args { 652 u_int flags; /* Flags. */ 653 const struct setcred *wcred; 654 size_t size; /* Passed 'setcred' structure length. */ 655 }; 656 #endif 657 /* ARGSUSED */ 658 int 659 sys_setcred(struct thread *td, struct setcred_args *uap) 660 { 661 return (user_setcred(td, uap->flags, uap->wcred, uap->size, false)); 662 } 663 664 /* 665 * CAUTION: This function normalizes groups in 'wcred'. 666 * 667 * If 'preallocated_groups' is non-NULL, it must be an already allocated array 668 * of size 'wcred->sc_supp_groups_nb' containing the supplementary groups, and 669 * 'wcred->sc_supp_groups' then must point to it. 670 */ 671 int 672 kern_setcred(struct thread *const td, const u_int flags, 673 struct setcred *const wcred, gid_t *preallocated_groups) 674 { 675 struct proc *const p = td->td_proc; 676 struct ucred *new_cred, *old_cred, *to_free_cred; 677 struct uidinfo *uip = NULL, *ruip = NULL; 678 #ifdef MAC 679 void *mac_set_proc_data = NULL; 680 bool proc_label_set = false; 681 #endif 682 gid_t *groups = NULL; 683 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 684 int error; 685 bool cred_set; 686 687 /* Bail out on unrecognized flags. */ 688 if (flags & ~SETCREDF_MASK) 689 return (EINVAL); 690 691 /* 692 * Part 1: We allocate and perform preparatory operations with no locks. 693 */ 694 695 if (flags & SETCREDF_SUPP_GROUPS) { 696 if (wcred->sc_supp_groups_nb > ngroups_max) 697 return (EINVAL); 698 if (preallocated_groups != NULL) { 699 groups = preallocated_groups; 700 MPASS(preallocated_groups == wcred->sc_supp_groups); 701 } else { 702 if (wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB) 703 groups = smallgroups; 704 else 705 groups = malloc(wcred->sc_supp_groups_nb * 706 sizeof(*groups), M_TEMP, M_WAITOK); 707 memcpy(groups, wcred->sc_supp_groups, 708 wcred->sc_supp_groups_nb * sizeof(*groups)); 709 } 710 } 711 712 if (flags & SETCREDF_MAC_LABEL) { 713 #ifdef MAC 714 error = mac_set_proc_prepare(td, wcred->sc_label, 715 &mac_set_proc_data); 716 if (error != 0) 717 goto free_groups; 718 #else 719 error = ENOTSUP; 720 goto free_groups; 721 #endif 722 } 723 724 if (flags & SETCREDF_UID) { 725 AUDIT_ARG_EUID(wcred->sc_uid); 726 uip = uifind(wcred->sc_uid); 727 } 728 if (flags & SETCREDF_RUID) { 729 AUDIT_ARG_RUID(wcred->sc_ruid); 730 ruip = uifind(wcred->sc_ruid); 731 } 732 if (flags & SETCREDF_SVUID) 733 AUDIT_ARG_SUID(wcred->sc_svuid); 734 735 if (flags & SETCREDF_GID) 736 AUDIT_ARG_EGID(wcred->sc_gid); 737 if (flags & SETCREDF_RGID) 738 AUDIT_ARG_RGID(wcred->sc_rgid); 739 if (flags & SETCREDF_SVGID) 740 AUDIT_ARG_SGID(wcred->sc_svgid); 741 if (flags & SETCREDF_SUPP_GROUPS) { 742 /* 743 * Output the raw supplementary groups array for better 744 * traceability. 745 */ 746 AUDIT_ARG_GROUPSET(groups, wcred->sc_supp_groups_nb); 747 groups_normalize(&wcred->sc_supp_groups_nb, groups); 748 } 749 750 /* 751 * We first completely build the new credentials and only then pass them 752 * to MAC along with the old ones so that modules can check whether the 753 * requested transition is allowed. 754 */ 755 new_cred = crget(); 756 to_free_cred = new_cred; 757 if (flags & SETCREDF_SUPP_GROUPS) 758 crextend(new_cred, wcred->sc_supp_groups_nb); 759 760 #ifdef MAC 761 mac_cred_setcred_enter(); 762 #endif 763 764 /* 765 * Part 2: We grab the process lock as to have a stable view of its 766 * current credentials, and prepare a copy of them with the requested 767 * changes applied under that lock. 768 */ 769 770 PROC_LOCK(p); 771 old_cred = crcopysafe(p, new_cred); 772 773 /* 774 * Change user IDs. 775 */ 776 if (flags & SETCREDF_UID) 777 change_euid(new_cred, uip); 778 if (flags & SETCREDF_RUID) 779 change_ruid(new_cred, ruip); 780 if (flags & SETCREDF_SVUID) 781 change_svuid(new_cred, wcred->sc_svuid); 782 783 /* 784 * Change groups. 785 */ 786 if (flags & SETCREDF_SUPP_GROUPS) 787 crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb, 788 groups); 789 if (flags & SETCREDF_GID) 790 change_egid(new_cred, wcred->sc_gid); 791 if (flags & SETCREDF_RGID) 792 change_rgid(new_cred, wcred->sc_rgid); 793 if (flags & SETCREDF_SVGID) 794 change_svgid(new_cred, wcred->sc_svgid); 795 796 #ifdef MAC 797 /* 798 * Change the MAC label. 799 */ 800 if (flags & SETCREDF_MAC_LABEL) { 801 error = mac_set_proc_core(td, new_cred, mac_set_proc_data); 802 if (error != 0) 803 goto unlock_finish; 804 proc_label_set = true; 805 } 806 807 /* 808 * MAC security modules checks. 809 */ 810 error = mac_cred_check_setcred(flags, old_cred, new_cred); 811 if (error != 0) 812 goto unlock_finish; 813 #endif 814 /* 815 * Privilege check. 816 */ 817 error = priv_check_cred(old_cred, PRIV_CRED_SETCRED); 818 if (error != 0) 819 goto unlock_finish; 820 821 /* 822 * Set the new credentials, noting that they have changed. 823 */ 824 cred_set = proc_set_cred_enforce_proc_lim(p, new_cred); 825 if (cred_set) { 826 setsugid(p); 827 to_free_cred = old_cred; 828 MPASS(error == 0); 829 } else 830 error = EAGAIN; 831 832 unlock_finish: 833 PROC_UNLOCK(p); 834 /* 835 * Part 3: After releasing the process lock, we perform cleanups and 836 * finishing operations. 837 */ 838 839 #ifdef MAC 840 if (mac_set_proc_data != NULL) 841 mac_set_proc_finish(td, proc_label_set, mac_set_proc_data); 842 mac_cred_setcred_exit(); 843 #endif 844 crfree(to_free_cred); 845 if (uip != NULL) 846 uifree(uip); 847 if (ruip != NULL) 848 uifree(ruip); 849 free_groups: 850 if (groups != preallocated_groups && groups != smallgroups) 851 free(groups, M_TEMP); /* Deals with 'groups' being NULL. */ 852 return (error); 853 } 854 855 /* 856 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 857 * compatible. It says that setting the uid/gid to euid/egid is a special 858 * case of "appropriate privilege". Once the rules are expanded out, this 859 * basically means that setuid(nnn) sets all three id's, in all permitted 860 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 861 * does not set the saved id - this is dangerous for traditional BSD 862 * programs. For this reason, we *really* do not want to set 863 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 864 */ 865 #define POSIX_APPENDIX_B_4_2_2 866 867 #ifndef _SYS_SYSPROTO_H_ 868 struct setuid_args { 869 uid_t uid; 870 }; 871 #endif 872 /* ARGSUSED */ 873 int 874 sys_setuid(struct thread *td, struct setuid_args *uap) 875 { 876 struct proc *p = td->td_proc; 877 struct ucred *newcred, *oldcred; 878 uid_t uid; 879 struct uidinfo *uip; 880 int error; 881 882 uid = uap->uid; 883 AUDIT_ARG_UID(uid); 884 newcred = crget(); 885 uip = uifind(uid); 886 PROC_LOCK(p); 887 /* 888 * Copy credentials so other references do not see our changes. 889 */ 890 oldcred = crcopysafe(p, newcred); 891 892 #ifdef MAC 893 error = mac_cred_check_setuid(oldcred, uid); 894 if (error) 895 goto fail; 896 #endif 897 898 /* 899 * See if we have "permission" by POSIX 1003.1 rules. 900 * 901 * Note that setuid(geteuid()) is a special case of 902 * "appropriate privileges" in appendix B.4.2.2. We need 903 * to use this clause to be compatible with traditional BSD 904 * semantics. Basically, it means that "setuid(xx)" sets all 905 * three id's (assuming you have privs). 906 * 907 * Notes on the logic. We do things in three steps. 908 * 1: We determine if the euid is going to change, and do EPERM 909 * right away. We unconditionally change the euid later if this 910 * test is satisfied, simplifying that part of the logic. 911 * 2: We determine if the real and/or saved uids are going to 912 * change. Determined by compile options. 913 * 3: Change euid last. (after tests in #2 for "appropriate privs") 914 */ 915 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 916 #ifdef _POSIX_SAVED_IDS 917 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 918 #endif 919 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 920 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 921 #endif 922 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 923 goto fail; 924 925 #ifdef _POSIX_SAVED_IDS 926 /* 927 * Do we have "appropriate privileges" (are we root or uid == euid) 928 * If so, we are changing the real uid and/or saved uid. 929 */ 930 if ( 931 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 932 uid == oldcred->cr_uid || 933 #endif 934 /* We are using privs. */ 935 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 936 #endif 937 { 938 /* 939 * Set the real uid. 940 */ 941 if (uid != oldcred->cr_ruid) { 942 change_ruid(newcred, uip); 943 setsugid(p); 944 } 945 /* 946 * Set saved uid 947 * 948 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 949 * the security of seteuid() depends on it. B.4.2.2 says it 950 * is important that we should do this. 951 */ 952 if (uid != oldcred->cr_svuid) { 953 change_svuid(newcred, uid); 954 setsugid(p); 955 } 956 } 957 958 /* 959 * In all permitted cases, we are changing the euid. 960 */ 961 if (uid != oldcred->cr_uid) { 962 change_euid(newcred, uip); 963 setsugid(p); 964 } 965 /* 966 * This also transfers the proc count to the new user. 967 */ 968 proc_set_cred(p, newcred); 969 #ifdef RACCT 970 racct_proc_ucred_changed(p, oldcred, newcred); 971 crhold(newcred); 972 #endif 973 PROC_UNLOCK(p); 974 #ifdef RCTL 975 rctl_proc_ucred_changed(p, newcred); 976 crfree(newcred); 977 #endif 978 uifree(uip); 979 crfree(oldcred); 980 return (0); 981 982 fail: 983 PROC_UNLOCK(p); 984 uifree(uip); 985 crfree(newcred); 986 return (error); 987 } 988 989 #ifndef _SYS_SYSPROTO_H_ 990 struct seteuid_args { 991 uid_t euid; 992 }; 993 #endif 994 /* ARGSUSED */ 995 int 996 sys_seteuid(struct thread *td, struct seteuid_args *uap) 997 { 998 struct proc *p = td->td_proc; 999 struct ucred *newcred, *oldcred; 1000 uid_t euid; 1001 struct uidinfo *euip; 1002 int error; 1003 1004 euid = uap->euid; 1005 AUDIT_ARG_EUID(euid); 1006 newcred = crget(); 1007 euip = uifind(euid); 1008 PROC_LOCK(p); 1009 /* 1010 * Copy credentials so other references do not see our changes. 1011 */ 1012 oldcred = crcopysafe(p, newcred); 1013 1014 #ifdef MAC 1015 error = mac_cred_check_seteuid(oldcred, euid); 1016 if (error) 1017 goto fail; 1018 #endif 1019 1020 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 1021 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 1022 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 1023 goto fail; 1024 1025 /* 1026 * Everything's okay, do it. 1027 */ 1028 if (oldcred->cr_uid != euid) { 1029 change_euid(newcred, euip); 1030 setsugid(p); 1031 } 1032 proc_set_cred(p, newcred); 1033 PROC_UNLOCK(p); 1034 uifree(euip); 1035 crfree(oldcred); 1036 return (0); 1037 1038 fail: 1039 PROC_UNLOCK(p); 1040 uifree(euip); 1041 crfree(newcred); 1042 return (error); 1043 } 1044 1045 #ifndef _SYS_SYSPROTO_H_ 1046 struct setgid_args { 1047 gid_t gid; 1048 }; 1049 #endif 1050 /* ARGSUSED */ 1051 int 1052 sys_setgid(struct thread *td, struct setgid_args *uap) 1053 { 1054 struct proc *p = td->td_proc; 1055 struct ucred *newcred, *oldcred; 1056 gid_t gid; 1057 int error; 1058 1059 gid = uap->gid; 1060 AUDIT_ARG_GID(gid); 1061 newcred = crget(); 1062 PROC_LOCK(p); 1063 oldcred = crcopysafe(p, newcred); 1064 1065 #ifdef MAC 1066 error = mac_cred_check_setgid(oldcred, gid); 1067 if (error) 1068 goto fail; 1069 #endif 1070 1071 /* 1072 * See if we have "permission" by POSIX 1003.1 rules. 1073 * 1074 * Note that setgid(getegid()) is a special case of 1075 * "appropriate privileges" in appendix B.4.2.2. We need 1076 * to use this clause to be compatible with traditional BSD 1077 * semantics. Basically, it means that "setgid(xx)" sets all 1078 * three id's (assuming you have privs). 1079 * 1080 * For notes on the logic here, see setuid() above. 1081 */ 1082 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 1083 #ifdef _POSIX_SAVED_IDS 1084 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 1085 #endif 1086 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 1087 gid != oldcred->cr_gid && /* allow setgid(getegid()) */ 1088 #endif 1089 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 1090 goto fail; 1091 1092 #ifdef _POSIX_SAVED_IDS 1093 /* 1094 * Do we have "appropriate privileges" (are we root or gid == egid) 1095 * If so, we are changing the real uid and saved gid. 1096 */ 1097 if ( 1098 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 1099 gid == oldcred->cr_gid || 1100 #endif 1101 /* We are using privs. */ 1102 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 1103 #endif 1104 { 1105 /* 1106 * Set real gid 1107 */ 1108 if (oldcred->cr_rgid != gid) { 1109 change_rgid(newcred, gid); 1110 setsugid(p); 1111 } 1112 /* 1113 * Set saved gid 1114 * 1115 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 1116 * the security of setegid() depends on it. B.4.2.2 says it 1117 * is important that we should do this. 1118 */ 1119 if (oldcred->cr_svgid != gid) { 1120 change_svgid(newcred, gid); 1121 setsugid(p); 1122 } 1123 } 1124 /* 1125 * In all cases permitted cases, we are changing the egid. 1126 * Copy credentials so other references do not see our changes. 1127 */ 1128 if (oldcred->cr_gid != gid) { 1129 change_egid(newcred, gid); 1130 setsugid(p); 1131 } 1132 proc_set_cred(p, newcred); 1133 PROC_UNLOCK(p); 1134 crfree(oldcred); 1135 return (0); 1136 1137 fail: 1138 PROC_UNLOCK(p); 1139 crfree(newcred); 1140 return (error); 1141 } 1142 1143 #ifndef _SYS_SYSPROTO_H_ 1144 struct setegid_args { 1145 gid_t egid; 1146 }; 1147 #endif 1148 /* ARGSUSED */ 1149 int 1150 sys_setegid(struct thread *td, struct setegid_args *uap) 1151 { 1152 struct proc *p = td->td_proc; 1153 struct ucred *newcred, *oldcred; 1154 gid_t egid; 1155 int error; 1156 1157 egid = uap->egid; 1158 AUDIT_ARG_EGID(egid); 1159 newcred = crget(); 1160 PROC_LOCK(p); 1161 oldcred = crcopysafe(p, newcred); 1162 1163 #ifdef MAC 1164 error = mac_cred_check_setegid(oldcred, egid); 1165 if (error) 1166 goto fail; 1167 #endif 1168 1169 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 1170 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 1171 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 1172 goto fail; 1173 1174 if (oldcred->cr_gid != egid) { 1175 change_egid(newcred, egid); 1176 setsugid(p); 1177 } 1178 proc_set_cred(p, newcred); 1179 PROC_UNLOCK(p); 1180 crfree(oldcred); 1181 return (0); 1182 1183 fail: 1184 PROC_UNLOCK(p); 1185 crfree(newcred); 1186 return (error); 1187 } 1188 1189 #ifndef _SYS_SYSPROTO_H_ 1190 struct setgroups_args { 1191 int gidsetsize; 1192 gid_t *gidset; 1193 }; 1194 #endif 1195 /* ARGSUSED */ 1196 int 1197 sys_setgroups(struct thread *td, struct setgroups_args *uap) 1198 { 1199 gid_t smallgroups[CRED_SMALLGROUPS_NB]; 1200 gid_t *groups; 1201 int gidsetsize, error; 1202 1203 /* 1204 * Sanity check size now to avoid passing too big a value to copyin(), 1205 * even if kern_setgroups() will do it again. 1206 * 1207 * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it 1208 * was, in this implementation, for a long time), but POSIX standardized 1209 * getgroups() to take an 'int' and it would be quite entrapping to have 1210 * setgroups() differ. 1211 */ 1212 gidsetsize = uap->gidsetsize; 1213 /* XXXKE Limit to ngroups_max when we change the userland interface. */ 1214 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 1215 return (EINVAL); 1216 1217 if (gidsetsize > CRED_SMALLGROUPS_NB) 1218 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 1219 else 1220 groups = smallgroups; 1221 1222 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 1223 if (error == 0) 1224 error = kern_setgroups(td, &gidsetsize, groups); 1225 1226 if (groups != smallgroups) 1227 free(groups, M_TEMP); 1228 return (error); 1229 } 1230 1231 /* 1232 * CAUTION: This function normalizes 'groups', possibly also changing the value 1233 * of '*ngrpp' as a consequence. 1234 */ 1235 int 1236 kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups) 1237 { 1238 struct proc *p = td->td_proc; 1239 struct ucred *newcred, *oldcred; 1240 int ngrp, error; 1241 gid_t egid; 1242 1243 ngrp = *ngrpp; 1244 /* Sanity check size. */ 1245 /* XXXKE Limit to ngroups_max when we change the userland interface. */ 1246 if (ngrp < 0 || ngrp > ngroups_max + 1) 1247 return (EINVAL); 1248 1249 AUDIT_ARG_GROUPSET(groups, ngrp); 1250 /* 1251 * setgroups(0, NULL) is a legitimate way of clearing the groups vector 1252 * on non-BSD systems (which generally do not have the egid in the 1253 * groups[0]). We risk security holes when running non-BSD software if 1254 * we do not do the same. So we allow and treat 0 for 'ngrp' specially 1255 * below (twice). 1256 */ 1257 if (ngrp != 0) { 1258 /* 1259 * To maintain userland compat for now, we use the first group 1260 * as our egid and we'll use the rest as our supplemental 1261 * groups. 1262 */ 1263 egid = groups[0]; 1264 ngrp--; 1265 groups++; 1266 1267 groups_normalize(&ngrp, groups); 1268 *ngrpp = ngrp; 1269 } 1270 newcred = crget(); 1271 crextend(newcred, ngrp); 1272 PROC_LOCK(p); 1273 oldcred = crcopysafe(p, newcred); 1274 1275 #ifdef MAC 1276 /* 1277 * We pass NULL here explicitly if we don't have any supplementary 1278 * groups mostly for the sake of normalization, but also to avoid/detect 1279 * a situation where a MAC module has some assumption about the layout 1280 * of `groups` matching historical behavior. 1281 */ 1282 error = mac_cred_check_setgroups(oldcred, ngrp, 1283 ngrp == 0 ? NULL : groups); 1284 if (error) 1285 goto fail; 1286 #endif 1287 1288 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 1289 if (error) 1290 goto fail; 1291 1292 /* 1293 * If some groups were passed, the first one is currently the desired 1294 * egid. This code is to be removed (along with some commented block 1295 * above) when setgroups() is changed to take only supplementary groups. 1296 */ 1297 if (ngrp != 0) 1298 newcred->cr_gid = egid; 1299 crsetgroups_internal(newcred, ngrp, groups); 1300 1301 setsugid(p); 1302 proc_set_cred(p, newcred); 1303 PROC_UNLOCK(p); 1304 crfree(oldcred); 1305 return (0); 1306 1307 fail: 1308 PROC_UNLOCK(p); 1309 crfree(newcred); 1310 return (error); 1311 } 1312 1313 #ifndef _SYS_SYSPROTO_H_ 1314 struct setreuid_args { 1315 uid_t ruid; 1316 uid_t euid; 1317 }; 1318 #endif 1319 /* ARGSUSED */ 1320 int 1321 sys_setreuid(struct thread *td, struct setreuid_args *uap) 1322 { 1323 struct proc *p = td->td_proc; 1324 struct ucred *newcred, *oldcred; 1325 uid_t euid, ruid; 1326 struct uidinfo *euip, *ruip; 1327 int error; 1328 1329 euid = uap->euid; 1330 ruid = uap->ruid; 1331 AUDIT_ARG_EUID(euid); 1332 AUDIT_ARG_RUID(ruid); 1333 newcred = crget(); 1334 euip = uifind(euid); 1335 ruip = uifind(ruid); 1336 PROC_LOCK(p); 1337 oldcred = crcopysafe(p, newcred); 1338 1339 #ifdef MAC 1340 error = mac_cred_check_setreuid(oldcred, ruid, euid); 1341 if (error) 1342 goto fail; 1343 #endif 1344 1345 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1346 ruid != oldcred->cr_svuid) || 1347 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 1348 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 1349 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 1350 goto fail; 1351 1352 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1353 change_euid(newcred, euip); 1354 setsugid(p); 1355 } 1356 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1357 change_ruid(newcred, ruip); 1358 setsugid(p); 1359 } 1360 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 1361 newcred->cr_svuid != newcred->cr_uid) { 1362 change_svuid(newcred, newcred->cr_uid); 1363 setsugid(p); 1364 } 1365 proc_set_cred(p, newcred); 1366 #ifdef RACCT 1367 racct_proc_ucred_changed(p, oldcred, newcred); 1368 crhold(newcred); 1369 #endif 1370 PROC_UNLOCK(p); 1371 #ifdef RCTL 1372 rctl_proc_ucred_changed(p, newcred); 1373 crfree(newcred); 1374 #endif 1375 uifree(ruip); 1376 uifree(euip); 1377 crfree(oldcred); 1378 return (0); 1379 1380 fail: 1381 PROC_UNLOCK(p); 1382 uifree(ruip); 1383 uifree(euip); 1384 crfree(newcred); 1385 return (error); 1386 } 1387 1388 #ifndef _SYS_SYSPROTO_H_ 1389 struct setregid_args { 1390 gid_t rgid; 1391 gid_t egid; 1392 }; 1393 #endif 1394 /* ARGSUSED */ 1395 int 1396 sys_setregid(struct thread *td, struct setregid_args *uap) 1397 { 1398 struct proc *p = td->td_proc; 1399 struct ucred *newcred, *oldcred; 1400 gid_t egid, rgid; 1401 int error; 1402 1403 egid = uap->egid; 1404 rgid = uap->rgid; 1405 AUDIT_ARG_EGID(egid); 1406 AUDIT_ARG_RGID(rgid); 1407 newcred = crget(); 1408 PROC_LOCK(p); 1409 oldcred = crcopysafe(p, newcred); 1410 1411 #ifdef MAC 1412 error = mac_cred_check_setregid(oldcred, rgid, egid); 1413 if (error) 1414 goto fail; 1415 #endif 1416 1417 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1418 rgid != oldcred->cr_svgid) || 1419 (egid != (gid_t)-1 && egid != oldcred->cr_gid && 1420 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1421 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 1422 goto fail; 1423 1424 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1425 change_egid(newcred, egid); 1426 setsugid(p); 1427 } 1428 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1429 change_rgid(newcred, rgid); 1430 setsugid(p); 1431 } 1432 if ((rgid != (gid_t)-1 || newcred->cr_gid != newcred->cr_rgid) && 1433 newcred->cr_svgid != newcred->cr_gid) { 1434 change_svgid(newcred, newcred->cr_gid); 1435 setsugid(p); 1436 } 1437 proc_set_cred(p, newcred); 1438 PROC_UNLOCK(p); 1439 crfree(oldcred); 1440 return (0); 1441 1442 fail: 1443 PROC_UNLOCK(p); 1444 crfree(newcred); 1445 return (error); 1446 } 1447 1448 /* 1449 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1450 * uid is explicit. 1451 */ 1452 #ifndef _SYS_SYSPROTO_H_ 1453 struct setresuid_args { 1454 uid_t ruid; 1455 uid_t euid; 1456 uid_t suid; 1457 }; 1458 #endif 1459 /* ARGSUSED */ 1460 int 1461 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1462 { 1463 struct proc *p = td->td_proc; 1464 struct ucred *newcred, *oldcred; 1465 uid_t euid, ruid, suid; 1466 struct uidinfo *euip, *ruip; 1467 int error; 1468 1469 euid = uap->euid; 1470 ruid = uap->ruid; 1471 suid = uap->suid; 1472 AUDIT_ARG_EUID(euid); 1473 AUDIT_ARG_RUID(ruid); 1474 AUDIT_ARG_SUID(suid); 1475 newcred = crget(); 1476 euip = uifind(euid); 1477 ruip = uifind(ruid); 1478 PROC_LOCK(p); 1479 oldcred = crcopysafe(p, newcred); 1480 1481 #ifdef MAC 1482 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1483 if (error) 1484 goto fail; 1485 #endif 1486 1487 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1488 ruid != oldcred->cr_svuid && 1489 ruid != oldcred->cr_uid) || 1490 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1491 euid != oldcred->cr_svuid && 1492 euid != oldcred->cr_uid) || 1493 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1494 suid != oldcred->cr_svuid && 1495 suid != oldcred->cr_uid)) && 1496 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1497 goto fail; 1498 1499 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1500 change_euid(newcred, euip); 1501 setsugid(p); 1502 } 1503 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1504 change_ruid(newcred, ruip); 1505 setsugid(p); 1506 } 1507 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1508 change_svuid(newcred, suid); 1509 setsugid(p); 1510 } 1511 proc_set_cred(p, newcred); 1512 #ifdef RACCT 1513 racct_proc_ucred_changed(p, oldcred, newcred); 1514 crhold(newcred); 1515 #endif 1516 PROC_UNLOCK(p); 1517 #ifdef RCTL 1518 rctl_proc_ucred_changed(p, newcred); 1519 crfree(newcred); 1520 #endif 1521 uifree(ruip); 1522 uifree(euip); 1523 crfree(oldcred); 1524 return (0); 1525 1526 fail: 1527 PROC_UNLOCK(p); 1528 uifree(ruip); 1529 uifree(euip); 1530 crfree(newcred); 1531 return (error); 1532 1533 } 1534 1535 /* 1536 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1537 * gid is explicit. 1538 */ 1539 #ifndef _SYS_SYSPROTO_H_ 1540 struct setresgid_args { 1541 gid_t rgid; 1542 gid_t egid; 1543 gid_t sgid; 1544 }; 1545 #endif 1546 /* ARGSUSED */ 1547 int 1548 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1549 { 1550 struct proc *p = td->td_proc; 1551 struct ucred *newcred, *oldcred; 1552 gid_t egid, rgid, sgid; 1553 int error; 1554 1555 egid = uap->egid; 1556 rgid = uap->rgid; 1557 sgid = uap->sgid; 1558 AUDIT_ARG_EGID(egid); 1559 AUDIT_ARG_RGID(rgid); 1560 AUDIT_ARG_SGID(sgid); 1561 newcred = crget(); 1562 PROC_LOCK(p); 1563 oldcred = crcopysafe(p, newcred); 1564 1565 #ifdef MAC 1566 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1567 if (error) 1568 goto fail; 1569 #endif 1570 1571 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1572 rgid != oldcred->cr_svgid && 1573 rgid != oldcred->cr_gid) || 1574 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1575 egid != oldcred->cr_svgid && 1576 egid != oldcred->cr_gid) || 1577 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1578 sgid != oldcred->cr_svgid && 1579 sgid != oldcred->cr_gid)) && 1580 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1581 goto fail; 1582 1583 if (egid != (gid_t)-1 && oldcred->cr_gid != egid) { 1584 change_egid(newcred, egid); 1585 setsugid(p); 1586 } 1587 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1588 change_rgid(newcred, rgid); 1589 setsugid(p); 1590 } 1591 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1592 change_svgid(newcred, sgid); 1593 setsugid(p); 1594 } 1595 proc_set_cred(p, newcred); 1596 PROC_UNLOCK(p); 1597 crfree(oldcred); 1598 return (0); 1599 1600 fail: 1601 PROC_UNLOCK(p); 1602 crfree(newcred); 1603 return (error); 1604 } 1605 1606 #ifndef _SYS_SYSPROTO_H_ 1607 struct getresuid_args { 1608 uid_t *ruid; 1609 uid_t *euid; 1610 uid_t *suid; 1611 }; 1612 #endif 1613 /* ARGSUSED */ 1614 int 1615 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1616 { 1617 struct ucred *cred; 1618 int error1 = 0, error2 = 0, error3 = 0; 1619 1620 cred = td->td_ucred; 1621 if (uap->ruid) 1622 error1 = copyout(&cred->cr_ruid, 1623 uap->ruid, sizeof(cred->cr_ruid)); 1624 if (uap->euid) 1625 error2 = copyout(&cred->cr_uid, 1626 uap->euid, sizeof(cred->cr_uid)); 1627 if (uap->suid) 1628 error3 = copyout(&cred->cr_svuid, 1629 uap->suid, sizeof(cred->cr_svuid)); 1630 return (error1 ? error1 : error2 ? error2 : error3); 1631 } 1632 1633 #ifndef _SYS_SYSPROTO_H_ 1634 struct getresgid_args { 1635 gid_t *rgid; 1636 gid_t *egid; 1637 gid_t *sgid; 1638 }; 1639 #endif 1640 /* ARGSUSED */ 1641 int 1642 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1643 { 1644 struct ucred *cred; 1645 int error1 = 0, error2 = 0, error3 = 0; 1646 1647 cred = td->td_ucred; 1648 if (uap->rgid) 1649 error1 = copyout(&cred->cr_rgid, 1650 uap->rgid, sizeof(cred->cr_rgid)); 1651 if (uap->egid) 1652 error2 = copyout(&cred->cr_gid, 1653 uap->egid, sizeof(cred->cr_gid)); 1654 if (uap->sgid) 1655 error3 = copyout(&cred->cr_svgid, 1656 uap->sgid, sizeof(cred->cr_svgid)); 1657 return (error1 ? error1 : error2 ? error2 : error3); 1658 } 1659 1660 #ifndef _SYS_SYSPROTO_H_ 1661 struct issetugid_args { 1662 int dummy; 1663 }; 1664 #endif 1665 /* ARGSUSED */ 1666 int 1667 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1668 { 1669 struct proc *p = td->td_proc; 1670 1671 /* 1672 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1673 * we use P_SUGID because we consider changing the owners as 1674 * "tainting" as well. 1675 * This is significant for procs that start as root and "become" 1676 * a user without an exec - programs cannot know *everything* 1677 * that libc *might* have put in their data segment. 1678 */ 1679 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1680 return (0); 1681 } 1682 1683 int 1684 sys___setugid(struct thread *td, struct __setugid_args *uap) 1685 { 1686 #ifdef REGRESSION 1687 struct proc *p; 1688 1689 p = td->td_proc; 1690 switch (uap->flag) { 1691 case 0: 1692 PROC_LOCK(p); 1693 p->p_flag &= ~P_SUGID; 1694 PROC_UNLOCK(p); 1695 return (0); 1696 case 1: 1697 PROC_LOCK(p); 1698 p->p_flag |= P_SUGID; 1699 PROC_UNLOCK(p); 1700 return (0); 1701 default: 1702 return (EINVAL); 1703 } 1704 #else /* !REGRESSION */ 1705 1706 return (ENOSYS); 1707 #endif /* REGRESSION */ 1708 } 1709 1710 #ifdef INVARIANTS 1711 static void 1712 groups_check_normalized(int ngrp, const gid_t *groups) 1713 { 1714 gid_t prev_g; 1715 1716 groups_check_positive_len(ngrp); 1717 groups_check_max_len(ngrp); 1718 1719 if (ngrp <= 1) 1720 return; 1721 1722 prev_g = groups[0]; 1723 for (int i = 1; i < ngrp; ++i) { 1724 const gid_t g = groups[i]; 1725 1726 if (prev_g >= g) 1727 panic("%s: groups[%d] (%u) >= groups[%d] (%u)", 1728 __func__, i - 1, prev_g, i, g); 1729 prev_g = g; 1730 } 1731 } 1732 #else 1733 #define groups_check_normalized(...) 1734 #endif 1735 1736 /* 1737 * Returns whether gid designates a supplementary group in cred. 1738 */ 1739 bool 1740 group_is_supplementary(const gid_t gid, const struct ucred *const cred) 1741 { 1742 1743 groups_check_normalized(cred->cr_ngroups, cred->cr_groups); 1744 1745 /* 1746 * Perform a binary search of the supplementary groups. This is 1747 * possible because we sort the groups in crsetgroups(). 1748 */ 1749 return (bsearch(&gid, cred->cr_groups, cred->cr_ngroups, 1750 sizeof(gid), gidp_cmp) != NULL); 1751 } 1752 1753 /* 1754 * Check if gid is a member of the (effective) group set (i.e., effective and 1755 * supplementary groups). 1756 */ 1757 bool 1758 groupmember(gid_t gid, const struct ucred *cred) 1759 { 1760 1761 groups_check_positive_len(cred->cr_ngroups); 1762 1763 if (gid == cred->cr_gid) 1764 return (true); 1765 1766 return (group_is_supplementary(gid, cred)); 1767 } 1768 1769 /* 1770 * Check if gid is a member of the real group set (i.e., real and supplementary 1771 * groups). 1772 */ 1773 bool 1774 realgroupmember(gid_t gid, const struct ucred *cred) 1775 { 1776 /* 1777 * Although the equality test on 'cr_rgid' below doesn't access 1778 * 'cr_groups', we check for the latter's length here as we assume that, 1779 * if 'cr_ngroups' is 0, the passed 'struct ucred' is invalid, and 1780 * 'cr_rgid' may not have been filled. 1781 */ 1782 groups_check_positive_len(cred->cr_ngroups); 1783 1784 if (gid == cred->cr_rgid) 1785 return (true); 1786 1787 return (group_is_supplementary(gid, cred)); 1788 } 1789 1790 /* 1791 * Test the active securelevel against a given level. securelevel_gt() 1792 * implements (securelevel > level). securelevel_ge() implements 1793 * (securelevel >= level). Note that the logic is inverted -- these 1794 * functions return EPERM on "success" and 0 on "failure". 1795 * 1796 * Due to care taken when setting the securelevel, we know that no jail will 1797 * be less secure that its parent (or the physical system), so it is sufficient 1798 * to test the current jail only. 1799 * 1800 * XXXRW: Possibly since this has to do with privilege, it should move to 1801 * kern_priv.c. 1802 */ 1803 int 1804 securelevel_gt(struct ucred *cr, int level) 1805 { 1806 1807 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1808 } 1809 1810 int 1811 securelevel_ge(struct ucred *cr, int level) 1812 { 1813 1814 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1815 } 1816 1817 /* 1818 * 'see_other_uids' determines whether or not visibility of processes 1819 * and sockets with credentials holding different real uids is possible 1820 * using a variety of system MIBs. 1821 * XXX: data declarations should be together near the beginning of the file. 1822 */ 1823 static int see_other_uids = 1; 1824 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1825 &see_other_uids, 0, 1826 "Unprivileged processes may see subjects/objects with different real uid"); 1827 1828 /*- 1829 * Determine if u1 "can see" the subject specified by u2, according to the 1830 * 'see_other_uids' policy. 1831 * Returns: 0 for permitted, ESRCH otherwise 1832 * Locks: none 1833 * References: *u1 and *u2 must not change during the call 1834 * u1 may equal u2, in which case only one reference is required 1835 */ 1836 static int 1837 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1838 { 1839 1840 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1841 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1842 return (ESRCH); 1843 } 1844 return (0); 1845 } 1846 1847 /* 1848 * 'see_other_gids' determines whether or not visibility of processes 1849 * and sockets with credentials holding different real gids is possible 1850 * using a variety of system MIBs. 1851 * XXX: data declarations should be together near the beginning of the file. 1852 */ 1853 static int see_other_gids = 1; 1854 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1855 &see_other_gids, 0, 1856 "Unprivileged processes may see subjects/objects with different real gid"); 1857 1858 /* 1859 * Determine if u1 can "see" the subject specified by u2, according to the 1860 * 'see_other_gids' policy. 1861 * Returns: 0 for permitted, ESRCH otherwise 1862 * Locks: none 1863 * References: *u1 and *u2 must not change during the call 1864 * u1 may equal u2, in which case only one reference is required 1865 */ 1866 static int 1867 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1868 { 1869 if (!see_other_gids) { 1870 if (realgroupmember(u1->cr_rgid, u2)) 1871 return (0); 1872 1873 for (int i = 1; i < u1->cr_ngroups; i++) 1874 if (realgroupmember(u1->cr_groups[i], u2)) 1875 return (0); 1876 1877 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1878 return (ESRCH); 1879 } 1880 1881 return (0); 1882 } 1883 1884 /* 1885 * 'see_jail_proc' determines whether or not visibility of processes and 1886 * sockets with credentials holding different jail ids is possible using a 1887 * variety of system MIBs. 1888 * 1889 * XXX: data declarations should be together near the beginning of the file. 1890 */ 1891 1892 static int see_jail_proc = 1; 1893 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1894 &see_jail_proc, 0, 1895 "Unprivileged processes may see subjects/objects with different jail ids"); 1896 1897 /*- 1898 * Determine if u1 "can see" the subject specified by u2, according to the 1899 * 'see_jail_proc' policy. 1900 * Returns: 0 for permitted, ESRCH otherwise 1901 * Locks: none 1902 * References: *u1 and *u2 must not change during the call 1903 * u1 may equal u2, in which case only one reference is required 1904 */ 1905 static int 1906 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1907 { 1908 if (see_jail_proc || /* Policy deactivated. */ 1909 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1910 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1911 return (0); 1912 1913 return (ESRCH); 1914 } 1915 1916 /* 1917 * Determine if u1 can tamper with the subject specified by u2, if they are in 1918 * different jails and 'unprivileged_parent_tampering' jail policy allows it. 1919 * 1920 * May be called if u1 and u2 are in the same jail, but it is expected that the 1921 * caller has already done a prison_check() prior to calling it. 1922 * 1923 * Returns: 0 for permitted, EPERM otherwise 1924 */ 1925 static int 1926 cr_can_tamper_with_subjail(struct ucred *u1, struct ucred *u2, int priv) 1927 { 1928 1929 MPASS(prison_check(u1, u2) == 0); 1930 if (u1->cr_prison == u2->cr_prison) 1931 return (0); 1932 1933 if (priv_check_cred(u1, priv) == 0) 1934 return (0); 1935 1936 /* 1937 * Jails do not maintain a distinct UID space, so process visibility is 1938 * all that would control an unprivileged process' ability to tamper 1939 * with a process in a subjail by default if we did not have the 1940 * allow.unprivileged_parent_tampering knob to restrict it by default. 1941 */ 1942 if (prison_allow(u2, PR_ALLOW_UNPRIV_PARENT_TAMPER)) 1943 return (0); 1944 1945 return (EPERM); 1946 } 1947 1948 /* 1949 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1950 * policies. Determines if u1 "can see" u2 according to these policies. 1951 * Returns: 0 for permitted, ESRCH otherwise 1952 */ 1953 int 1954 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1955 { 1956 int error; 1957 1958 error = cr_canseeotheruids(u1, u2); 1959 if (error != 0) 1960 return (error); 1961 error = cr_canseeothergids(u1, u2); 1962 if (error != 0) 1963 return (error); 1964 error = cr_canseejailproc(u1, u2); 1965 if (error != 0) 1966 return (error); 1967 return (0); 1968 } 1969 1970 /*- 1971 * Determine if u1 "can see" the subject specified by u2. 1972 * Returns: 0 for permitted, an errno value otherwise 1973 * Locks: none 1974 * References: *u1 and *u2 must not change during the call 1975 * u1 may equal u2, in which case only one reference is required 1976 */ 1977 int 1978 cr_cansee(struct ucred *u1, struct ucred *u2) 1979 { 1980 int error; 1981 1982 if ((error = prison_check(u1, u2))) 1983 return (error); 1984 #ifdef MAC 1985 if ((error = mac_cred_check_visible(u1, u2))) 1986 return (error); 1987 #endif 1988 if ((error = cr_bsd_visible(u1, u2))) 1989 return (error); 1990 return (0); 1991 } 1992 1993 /*- 1994 * Determine if td "can see" the subject specified by p. 1995 * Returns: 0 for permitted, an errno value otherwise 1996 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1997 * should be curthread. 1998 * References: td and p must be valid for the lifetime of the call 1999 */ 2000 int 2001 p_cansee(struct thread *td, struct proc *p) 2002 { 2003 /* Wrap cr_cansee() for all functionality. */ 2004 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2005 PROC_LOCK_ASSERT(p, MA_OWNED); 2006 2007 if (td->td_proc == p) 2008 return (0); 2009 return (cr_cansee(td->td_ucred, p->p_ucred)); 2010 } 2011 2012 /* 2013 * 'conservative_signals' prevents the delivery of a broad class of 2014 * signals by unprivileged processes to processes that have changed their 2015 * credentials since the last invocation of execve(). This can prevent 2016 * the leakage of cached information or retained privileges as a result 2017 * of a common class of signal-related vulnerabilities. However, this 2018 * may interfere with some applications that expect to be able to 2019 * deliver these signals to peer processes after having given up 2020 * privilege. 2021 */ 2022 static int conservative_signals = 1; 2023 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 2024 &conservative_signals, 0, "Unprivileged processes prevented from " 2025 "sending certain signals to processes whose credentials have changed"); 2026 /*- 2027 * Determine whether cred may deliver the specified signal to proc. 2028 * Returns: 0 for permitted, an errno value otherwise. 2029 * Locks: A lock must be held for proc. 2030 * References: cred and proc must be valid for the lifetime of the call. 2031 */ 2032 int 2033 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 2034 { 2035 int error; 2036 2037 PROC_LOCK_ASSERT(proc, MA_OWNED); 2038 /* 2039 * Jail semantics limit the scope of signalling to proc in the 2040 * same jail as cred, if cred is in jail. 2041 */ 2042 error = prison_check(cred, proc->p_ucred); 2043 if (error) 2044 return (error); 2045 #ifdef MAC 2046 if ((error = mac_proc_check_signal(cred, proc, signum))) 2047 return (error); 2048 #endif 2049 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 2050 return (error); 2051 2052 /* 2053 * UNIX signal semantics depend on the status of the P_SUGID 2054 * bit on the target process. If the bit is set, then additional 2055 * restrictions are placed on the set of available signals. 2056 */ 2057 if (conservative_signals && (proc->p_flag & P_SUGID)) { 2058 switch (signum) { 2059 case 0: 2060 case SIGKILL: 2061 case SIGINT: 2062 case SIGTERM: 2063 case SIGALRM: 2064 case SIGSTOP: 2065 case SIGTTIN: 2066 case SIGTTOU: 2067 case SIGTSTP: 2068 case SIGHUP: 2069 case SIGUSR1: 2070 case SIGUSR2: 2071 /* 2072 * Generally, permit job and terminal control 2073 * signals. 2074 */ 2075 break; 2076 default: 2077 /* Not permitted without privilege. */ 2078 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 2079 if (error) 2080 return (error); 2081 } 2082 } 2083 2084 /* 2085 * Generally, the target credential's ruid or svuid must match the 2086 * subject credential's ruid or euid. 2087 */ 2088 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 2089 cred->cr_ruid != proc->p_ucred->cr_svuid && 2090 cred->cr_uid != proc->p_ucred->cr_ruid && 2091 cred->cr_uid != proc->p_ucred->cr_svuid) { 2092 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 2093 if (error) 2094 return (error); 2095 } 2096 2097 /* 2098 * At this point, the target may be in a different jail than the 2099 * subject -- the subject must be in a parent jail to the target, 2100 * whether it is prison0 or a subordinate of prison0 that has 2101 * children. Additional privileges are required to allow this, as 2102 * whether the creds are truly equivalent or not must be determined on 2103 * a case-by-case basis. 2104 */ 2105 error = cr_can_tamper_with_subjail(cred, proc->p_ucred, 2106 PRIV_SIGNAL_DIFFJAIL); 2107 if (error) 2108 return (error); 2109 2110 return (0); 2111 } 2112 2113 /*- 2114 * Determine whether td may deliver the specified signal to p. 2115 * Returns: 0 for permitted, an errno value otherwise 2116 * Locks: Sufficient locks to protect various components of td and p 2117 * must be held. td must be curthread, and a lock must be 2118 * held for p. 2119 * References: td and p must be valid for the lifetime of the call 2120 */ 2121 int 2122 p_cansignal(struct thread *td, struct proc *p, int signum) 2123 { 2124 2125 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2126 PROC_LOCK_ASSERT(p, MA_OWNED); 2127 if (td->td_proc == p) 2128 return (0); 2129 2130 /* 2131 * UNIX signalling semantics require that processes in the same 2132 * session always be able to deliver SIGCONT to one another, 2133 * overriding the remaining protections. 2134 */ 2135 /* XXX: This will require an additional lock of some sort. */ 2136 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 2137 return (0); 2138 /* 2139 * Some compat layers use SIGTHR and higher signals for 2140 * communication between different kernel threads of the same 2141 * process, so that they expect that it's always possible to 2142 * deliver them, even for suid applications where cr_cansignal() can 2143 * deny such ability for security consideration. It should be 2144 * pretty safe to do since the only way to create two processes 2145 * with the same p_leader is via rfork(2). 2146 */ 2147 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 2148 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 2149 return (0); 2150 2151 return (cr_cansignal(td->td_ucred, p, signum)); 2152 } 2153 2154 /*- 2155 * Determine whether td may reschedule p. 2156 * Returns: 0 for permitted, an errno value otherwise 2157 * Locks: Sufficient locks to protect various components of td and p 2158 * must be held. td must be curthread, and a lock must 2159 * be held for p. 2160 * References: td and p must be valid for the lifetime of the call 2161 */ 2162 int 2163 p_cansched(struct thread *td, struct proc *p) 2164 { 2165 int error; 2166 2167 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2168 PROC_LOCK_ASSERT(p, MA_OWNED); 2169 if (td->td_proc == p) 2170 return (0); 2171 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2172 return (error); 2173 #ifdef MAC 2174 if ((error = mac_proc_check_sched(td->td_ucred, p))) 2175 return (error); 2176 #endif 2177 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2178 return (error); 2179 2180 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 2181 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 2182 error = priv_check(td, PRIV_SCHED_DIFFCRED); 2183 if (error) 2184 return (error); 2185 } 2186 2187 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2188 PRIV_SCHED_DIFFJAIL); 2189 if (error) 2190 return (error); 2191 2192 return (0); 2193 } 2194 2195 /* 2196 * Handle getting or setting the prison's unprivileged_proc_debug 2197 * value. 2198 */ 2199 static int 2200 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 2201 { 2202 int error, val; 2203 2204 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 2205 error = sysctl_handle_int(oidp, &val, 0, req); 2206 if (error != 0 || req->newptr == NULL) 2207 return (error); 2208 if (val != 0 && val != 1) 2209 return (EINVAL); 2210 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 2211 return (0); 2212 } 2213 2214 /* 2215 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 2216 * unprivileged inter-process debugging services, including some procfs 2217 * functionality, ptrace(), and ktrace(). In the past, inter-process 2218 * debugging has been involved in a variety of security problems, and sites 2219 * not requiring the service might choose to disable it when hardening 2220 * systems. 2221 */ 2222 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 2223 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 2224 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 2225 "Unprivileged processes may use process debugging facilities"); 2226 2227 /* 2228 * Return true if the object owner/group ids are subset of the active 2229 * credentials. 2230 */ 2231 bool 2232 cr_xids_subset(struct ucred *active_cred, struct ucred *obj_cred) 2233 { 2234 int i; 2235 bool grpsubset, uidsubset; 2236 2237 /* 2238 * Is p's group set a subset of td's effective group set? This 2239 * includes p's egid, group access list, rgid, and svgid. 2240 */ 2241 grpsubset = true; 2242 for (i = 0; i < obj_cred->cr_ngroups; i++) { 2243 if (!groupmember(obj_cred->cr_groups[i], active_cred)) { 2244 grpsubset = false; 2245 break; 2246 } 2247 } 2248 grpsubset = grpsubset && 2249 groupmember(obj_cred->cr_rgid, active_cred) && 2250 groupmember(obj_cred->cr_svgid, active_cred); 2251 2252 /* 2253 * Are the uids present in obj_cred's credential equal to 2254 * active_cred's effective uid? This includes obj_cred's 2255 * euid, svuid, and ruid. 2256 */ 2257 uidsubset = (active_cred->cr_uid == obj_cred->cr_uid && 2258 active_cred->cr_uid == obj_cred->cr_svuid && 2259 active_cred->cr_uid == obj_cred->cr_ruid); 2260 2261 return (uidsubset && grpsubset); 2262 } 2263 2264 /*- 2265 * Determine whether td may debug p. 2266 * Returns: 0 for permitted, an errno value otherwise 2267 * Locks: Sufficient locks to protect various components of td and p 2268 * must be held. td must be curthread, and a lock must 2269 * be held for p. 2270 * References: td and p must be valid for the lifetime of the call 2271 */ 2272 int 2273 p_candebug(struct thread *td, struct proc *p) 2274 { 2275 int error; 2276 2277 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2278 PROC_LOCK_ASSERT(p, MA_OWNED); 2279 if (td->td_proc == p) 2280 return (0); 2281 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 2282 return (error); 2283 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2284 return (error); 2285 #ifdef MAC 2286 if ((error = mac_proc_check_debug(td->td_ucred, p))) 2287 return (error); 2288 #endif 2289 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2290 return (error); 2291 2292 /* 2293 * If p's gids aren't a subset, or the uids aren't a subset, 2294 * or the credential has changed, require appropriate privilege 2295 * for td to debug p. 2296 */ 2297 if (!cr_xids_subset(td->td_ucred, p->p_ucred)) { 2298 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 2299 if (error) 2300 return (error); 2301 } 2302 2303 /* 2304 * Has the credential of the process changed since the last exec()? 2305 */ 2306 if ((p->p_flag & P_SUGID) != 0) { 2307 error = priv_check(td, PRIV_DEBUG_SUGID); 2308 if (error) 2309 return (error); 2310 } 2311 2312 error = cr_can_tamper_with_subjail(td->td_ucred, p->p_ucred, 2313 PRIV_DEBUG_DIFFJAIL); 2314 if (error) 2315 return (error); 2316 2317 /* Can't trace init when securelevel > 0. */ 2318 if (p == initproc) { 2319 error = securelevel_gt(td->td_ucred, 0); 2320 if (error) 2321 return (error); 2322 } 2323 2324 /* 2325 * Can't trace a process that's currently exec'ing. 2326 * 2327 * XXX: Note, this is not a security policy decision, it's a 2328 * basic correctness/functionality decision. Therefore, this check 2329 * should be moved to the caller's of p_candebug(). 2330 */ 2331 if ((p->p_flag & P_INEXEC) != 0) 2332 return (EBUSY); 2333 2334 /* Denied explicitly */ 2335 if ((p->p_flag2 & P2_NOTRACE) != 0) { 2336 error = priv_check(td, PRIV_DEBUG_DENIED); 2337 if (error != 0) 2338 return (error); 2339 } 2340 2341 return (0); 2342 } 2343 2344 /*- 2345 * Determine whether the subject represented by cred can "see" a socket. 2346 * Returns: 0 for permitted, ENOENT otherwise. 2347 */ 2348 int 2349 cr_canseesocket(struct ucred *cred, struct socket *so) 2350 { 2351 int error; 2352 2353 error = prison_check(cred, so->so_cred); 2354 if (error) 2355 return (ENOENT); 2356 #ifdef MAC 2357 error = mac_socket_check_visible(cred, so); 2358 if (error) 2359 return (error); 2360 #endif 2361 if (cr_bsd_visible(cred, so->so_cred)) 2362 return (ENOENT); 2363 2364 return (0); 2365 } 2366 2367 /*- 2368 * Determine whether td can wait for the exit of p. 2369 * Returns: 0 for permitted, an errno value otherwise 2370 * Locks: Sufficient locks to protect various components of td and p 2371 * must be held. td must be curthread, and a lock must 2372 * be held for p. 2373 * References: td and p must be valid for the lifetime of the call 2374 2375 */ 2376 int 2377 p_canwait(struct thread *td, struct proc *p) 2378 { 2379 int error; 2380 2381 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 2382 PROC_LOCK_ASSERT(p, MA_OWNED); 2383 if ((error = prison_check(td->td_ucred, p->p_ucred))) 2384 return (error); 2385 #ifdef MAC 2386 if ((error = mac_proc_check_wait(td->td_ucred, p))) 2387 return (error); 2388 #endif 2389 #if 0 2390 /* XXXMAC: This could have odd effects on some shells. */ 2391 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 2392 return (error); 2393 #endif 2394 2395 return (0); 2396 } 2397 2398 /* 2399 * Credential management. 2400 * 2401 * struct ucred objects are rarely allocated but gain and lose references all 2402 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 2403 * a significant source of cache-line ping ponging. Common cases are worked 2404 * around by modifying thread-local counter instead if the cred to operate on 2405 * matches td_realucred. 2406 * 2407 * The counter is split into 2 parts: 2408 * - cr_users -- total count of all struct proc and struct thread objects 2409 * which have given cred in p_ucred and td_ucred respectively 2410 * - cr_ref -- the actual ref count, only valid if cr_users == 0 2411 * 2412 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 2413 * the count reaches 0 the object is freeable. 2414 * If users > 0 and curthread->td_realucred == cred, then updates are performed 2415 * against td_ucredref. 2416 * In other cases updates are performed against cr_ref. 2417 * 2418 * Changing td_realucred into something else decrements cr_users and transfers 2419 * accumulated updates. 2420 */ 2421 struct ucred * 2422 crcowget(struct ucred *cr) 2423 { 2424 2425 mtx_lock(&cr->cr_mtx); 2426 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2427 __func__, cr->cr_users, cr)); 2428 cr->cr_users++; 2429 cr->cr_ref++; 2430 mtx_unlock(&cr->cr_mtx); 2431 return (cr); 2432 } 2433 2434 static struct ucred * 2435 crunuse(struct thread *td) 2436 { 2437 struct ucred *cr, *crold; 2438 2439 MPASS(td->td_realucred == td->td_ucred); 2440 cr = td->td_realucred; 2441 mtx_lock(&cr->cr_mtx); 2442 cr->cr_ref += td->td_ucredref; 2443 td->td_ucredref = 0; 2444 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2445 __func__, cr->cr_users, cr)); 2446 cr->cr_users--; 2447 if (cr->cr_users == 0) { 2448 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2449 __func__, cr->cr_ref, cr)); 2450 crold = cr; 2451 } else { 2452 cr->cr_ref--; 2453 crold = NULL; 2454 } 2455 mtx_unlock(&cr->cr_mtx); 2456 td->td_realucred = NULL; 2457 return (crold); 2458 } 2459 2460 static void 2461 crunusebatch(struct ucred *cr, u_int users, long ref) 2462 { 2463 2464 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 2465 __func__, users, cr)); 2466 mtx_lock(&cr->cr_mtx); 2467 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 2468 __func__, cr->cr_users, users, cr)); 2469 cr->cr_users -= users; 2470 cr->cr_ref += ref; 2471 cr->cr_ref -= users; 2472 if (cr->cr_users > 0) { 2473 mtx_unlock(&cr->cr_mtx); 2474 return; 2475 } 2476 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2477 __func__, cr->cr_ref, cr)); 2478 if (cr->cr_ref > 0) { 2479 mtx_unlock(&cr->cr_mtx); 2480 return; 2481 } 2482 crfree_final(cr); 2483 } 2484 2485 void 2486 crcowfree(struct thread *td) 2487 { 2488 struct ucred *cr; 2489 2490 cr = crunuse(td); 2491 if (cr != NULL) 2492 crfree(cr); 2493 } 2494 2495 struct ucred * 2496 crcowsync(void) 2497 { 2498 struct thread *td; 2499 struct proc *p; 2500 struct ucred *crnew, *crold; 2501 2502 td = curthread; 2503 p = td->td_proc; 2504 PROC_LOCK_ASSERT(p, MA_OWNED); 2505 2506 MPASS(td->td_realucred == td->td_ucred); 2507 if (td->td_realucred == p->p_ucred) 2508 return (NULL); 2509 2510 crnew = crcowget(p->p_ucred); 2511 crold = crunuse(td); 2512 td->td_realucred = crnew; 2513 td->td_ucred = td->td_realucred; 2514 return (crold); 2515 } 2516 2517 /* 2518 * Batching. 2519 */ 2520 void 2521 credbatch_add(struct credbatch *crb, struct thread *td) 2522 { 2523 struct ucred *cr; 2524 2525 MPASS(td->td_realucred != NULL); 2526 MPASS(td->td_realucred == td->td_ucred); 2527 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 2528 cr = td->td_realucred; 2529 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2530 __func__, cr->cr_users, cr)); 2531 if (crb->cred != cr) { 2532 if (crb->users > 0) { 2533 MPASS(crb->cred != NULL); 2534 crunusebatch(crb->cred, crb->users, crb->ref); 2535 crb->users = 0; 2536 crb->ref = 0; 2537 } 2538 } 2539 crb->cred = cr; 2540 crb->users++; 2541 crb->ref += td->td_ucredref; 2542 td->td_ucredref = 0; 2543 td->td_realucred = NULL; 2544 } 2545 2546 void 2547 credbatch_final(struct credbatch *crb) 2548 { 2549 2550 MPASS(crb->cred != NULL); 2551 MPASS(crb->users > 0); 2552 crunusebatch(crb->cred, crb->users, crb->ref); 2553 } 2554 2555 /* 2556 * Allocate a zeroed cred structure. 2557 */ 2558 struct ucred * 2559 crget(void) 2560 { 2561 struct ucred *cr; 2562 2563 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2564 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2565 cr->cr_ref = 1; 2566 #ifdef AUDIT 2567 audit_cred_init(cr); 2568 #endif 2569 #ifdef MAC 2570 mac_cred_init(cr); 2571 #endif 2572 cr->cr_groups = cr->cr_smallgroups; 2573 cr->cr_agroups = nitems(cr->cr_smallgroups); 2574 return (cr); 2575 } 2576 2577 /* 2578 * Claim another reference to a ucred structure. 2579 */ 2580 struct ucred * 2581 crhold(struct ucred *cr) 2582 { 2583 struct thread *td; 2584 2585 td = curthread; 2586 if (__predict_true(td->td_realucred == cr)) { 2587 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2588 __func__, cr->cr_users, cr)); 2589 td->td_ucredref++; 2590 return (cr); 2591 } 2592 mtx_lock(&cr->cr_mtx); 2593 cr->cr_ref++; 2594 mtx_unlock(&cr->cr_mtx); 2595 return (cr); 2596 } 2597 2598 /* 2599 * Free a cred structure. Throws away space when ref count gets to 0. 2600 */ 2601 void 2602 crfree(struct ucred *cr) 2603 { 2604 struct thread *td; 2605 2606 td = curthread; 2607 if (__predict_true(td->td_realucred == cr)) { 2608 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2609 __func__, cr->cr_users, cr)); 2610 td->td_ucredref--; 2611 return; 2612 } 2613 mtx_lock(&cr->cr_mtx); 2614 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2615 __func__, cr->cr_users, cr)); 2616 cr->cr_ref--; 2617 if (cr->cr_users > 0) { 2618 mtx_unlock(&cr->cr_mtx); 2619 return; 2620 } 2621 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2622 __func__, cr->cr_ref, cr)); 2623 if (cr->cr_ref > 0) { 2624 mtx_unlock(&cr->cr_mtx); 2625 return; 2626 } 2627 crfree_final(cr); 2628 } 2629 2630 static void 2631 crfree_final(struct ucred *cr) 2632 { 2633 2634 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2635 __func__, cr->cr_users, cr)); 2636 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2637 __func__, cr->cr_ref, cr)); 2638 2639 /* 2640 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2641 * credential, but don't allocate a uidinfo structure. 2642 */ 2643 if (cr->cr_uidinfo != NULL) 2644 uifree(cr->cr_uidinfo); 2645 if (cr->cr_ruidinfo != NULL) 2646 uifree(cr->cr_ruidinfo); 2647 if (cr->cr_prison != NULL) 2648 prison_free(cr->cr_prison); 2649 if (cr->cr_loginclass != NULL) 2650 loginclass_free(cr->cr_loginclass); 2651 #ifdef AUDIT 2652 audit_cred_destroy(cr); 2653 #endif 2654 #ifdef MAC 2655 mac_cred_destroy(cr); 2656 #endif 2657 mtx_destroy(&cr->cr_mtx); 2658 if (cr->cr_groups != cr->cr_smallgroups) 2659 free(cr->cr_groups, M_CRED); 2660 free(cr, M_CRED); 2661 } 2662 2663 /* 2664 * Copy a ucred's contents from a template. Does not block. 2665 */ 2666 void 2667 crcopy(struct ucred *dest, struct ucred *src) 2668 { 2669 2670 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2671 (unsigned)((caddr_t)&src->cr_endcopy - 2672 (caddr_t)&src->cr_startcopy)); 2673 dest->cr_flags = src->cr_flags; 2674 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2675 uihold(dest->cr_uidinfo); 2676 uihold(dest->cr_ruidinfo); 2677 prison_hold(dest->cr_prison); 2678 loginclass_hold(dest->cr_loginclass); 2679 #ifdef AUDIT 2680 audit_cred_copy(src, dest); 2681 #endif 2682 #ifdef MAC 2683 mac_cred_copy(src, dest); 2684 #endif 2685 } 2686 2687 /* 2688 * Dup cred struct to a new held one. 2689 */ 2690 struct ucred * 2691 crdup(struct ucred *cr) 2692 { 2693 struct ucred *newcr; 2694 2695 newcr = crget(); 2696 crcopy(newcr, cr); 2697 return (newcr); 2698 } 2699 2700 /* 2701 * Fill in a struct xucred based on a struct ucred. 2702 */ 2703 void 2704 cru2x(struct ucred *cr, struct xucred *xcr) 2705 { 2706 int ngroups; 2707 2708 bzero(xcr, sizeof(*xcr)); 2709 xcr->cr_version = XUCRED_VERSION; 2710 xcr->cr_uid = cr->cr_uid; 2711 xcr->cr_gid = cr->cr_gid; 2712 2713 /* 2714 * We use a union to alias cr_gid to cr_groups[0] in the xucred, so 2715 * this is kind of ugly; cr_ngroups still includes the egid for our 2716 * purposes to avoid bumping the xucred version. 2717 */ 2718 ngroups = MIN(cr->cr_ngroups + 1, nitems(xcr->cr_groups)); 2719 xcr->cr_ngroups = ngroups; 2720 bcopy(cr->cr_groups, xcr->cr_sgroups, 2721 (ngroups - 1) * sizeof(*cr->cr_groups)); 2722 } 2723 2724 void 2725 cru2xt(struct thread *td, struct xucred *xcr) 2726 { 2727 2728 cru2x(td->td_ucred, xcr); 2729 xcr->cr_pid = td->td_proc->p_pid; 2730 } 2731 2732 /* 2733 * Change process credentials. 2734 * 2735 * Callers are responsible for providing the reference for passed credentials 2736 * and for freeing old ones. Calls chgproccnt() to correctly account the 2737 * current process to the proper real UID, if the latter has changed. Returns 2738 * whether the operation was successful. Failure can happen only on 2739 * 'enforce_proc_lim' being true and if no new process can be accounted to the 2740 * new real UID because of the current limit (see the inner comment for more 2741 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override 2742 * that. 2743 */ 2744 static bool 2745 _proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim) 2746 { 2747 struct ucred *const oldcred = p->p_ucred; 2748 2749 MPASS(oldcred != NULL); 2750 PROC_LOCK_ASSERT(p, MA_OWNED); 2751 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2752 __func__, newcred->cr_users, newcred)); 2753 KASSERT(newcred->cr_ref == 1, ("%s: ref %ld not 1 on cred %p", 2754 __func__, newcred->cr_ref, newcred)); 2755 2756 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) { 2757 /* 2758 * XXXOC: This check is flawed but nonetheless the best we can 2759 * currently do as we don't really track limits per UID contrary 2760 * to what we pretend in setrlimit(2). Until this is reworked, 2761 * we just check here that the number of processes for our new 2762 * real UID doesn't exceed this process' process number limit 2763 * (which is meant to be associated with the current real UID). 2764 */ 2765 const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1, 2766 enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0); 2767 2768 if (!proccnt_changed) { 2769 if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0) 2770 return (false); 2771 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2772 } 2773 } 2774 2775 mtx_lock(&oldcred->cr_mtx); 2776 KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2777 __func__, oldcred->cr_users, oldcred)); 2778 oldcred->cr_users--; 2779 mtx_unlock(&oldcred->cr_mtx); 2780 p->p_ucred = newcred; 2781 newcred->cr_users = 1; 2782 PROC_UPDATE_COW(p); 2783 if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) 2784 (void)chgproccnt(oldcred->cr_ruidinfo, -1, 0); 2785 return (true); 2786 } 2787 2788 void 2789 proc_set_cred(struct proc *p, struct ucred *newcred) 2790 { 2791 bool success __diagused = _proc_set_cred(p, newcred, false); 2792 2793 MPASS(success); 2794 } 2795 2796 bool 2797 proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred) 2798 { 2799 return (_proc_set_cred(p, newcred, true)); 2800 } 2801 2802 void 2803 proc_unset_cred(struct proc *p, bool decrement_proc_count) 2804 { 2805 struct ucred *cr; 2806 2807 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2808 cr = p->p_ucred; 2809 p->p_ucred = NULL; 2810 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2811 __func__, cr->cr_users, cr)); 2812 mtx_lock(&cr->cr_mtx); 2813 cr->cr_users--; 2814 if (cr->cr_users == 0) 2815 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2816 __func__, cr->cr_ref, cr)); 2817 mtx_unlock(&cr->cr_mtx); 2818 if (decrement_proc_count) 2819 (void)chgproccnt(cr->cr_ruidinfo, -1, 0); 2820 crfree(cr); 2821 } 2822 2823 struct ucred * 2824 crcopysafe(struct proc *p, struct ucred *cr) 2825 { 2826 struct ucred *oldcred; 2827 int groups; 2828 2829 PROC_LOCK_ASSERT(p, MA_OWNED); 2830 2831 oldcred = p->p_ucred; 2832 while (cr->cr_agroups < oldcred->cr_ngroups) { 2833 groups = oldcred->cr_ngroups; 2834 PROC_UNLOCK(p); 2835 crextend(cr, groups); 2836 PROC_LOCK(p); 2837 oldcred = p->p_ucred; 2838 } 2839 crcopy(cr, oldcred); 2840 2841 return (oldcred); 2842 } 2843 2844 /* 2845 * Extend the passed-in credentials to hold n groups. 2846 * 2847 * Must not be called after groups have been set. 2848 */ 2849 void 2850 crextend(struct ucred *cr, int n) 2851 { 2852 size_t nbytes; 2853 2854 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2855 MPASS2((cr->cr_flags & CRED_FLAG_GROUPSET) == 0, 2856 "groups on 'cr' already set!"); 2857 groups_check_positive_len(n); 2858 groups_check_max_len(n); 2859 2860 if (n <= cr->cr_agroups) 2861 return; 2862 2863 nbytes = n * sizeof(gid_t); 2864 if (nbytes < n) 2865 panic("Too many groups (memory size overflow)! " 2866 "Computation of 'kern.ngroups' should have prevented this, " 2867 "please fix it. In the meantime, reduce 'kern.ngroups'."); 2868 2869 /* 2870 * We allocate a power of 2 larger than 'nbytes', except when that 2871 * exceeds PAGE_SIZE, in which case we allocate the right multiple of 2872 * pages. We assume PAGE_SIZE is a power of 2 (the call to roundup2() 2873 * below) but do not need to for sizeof(gid_t). 2874 */ 2875 if (nbytes < PAGE_SIZE) { 2876 if (!powerof2(nbytes)) 2877 /* fls*() return a bit index starting at 1. */ 2878 nbytes = 1 << flsl(nbytes); 2879 } else 2880 nbytes = roundup2(nbytes, PAGE_SIZE); 2881 2882 /* Free the old array. */ 2883 if (cr->cr_groups != cr->cr_smallgroups) 2884 free(cr->cr_groups, M_CRED); 2885 2886 cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO); 2887 cr->cr_agroups = nbytes / sizeof(gid_t); 2888 } 2889 2890 /* 2891 * Normalizes a set of groups to be applied to a 'struct ucred'. 2892 * 2893 * Normalization ensures that the supplementary groups are sorted in ascending 2894 * order and do not contain duplicates. 2895 */ 2896 static void 2897 groups_normalize(int *ngrp, gid_t *groups) 2898 { 2899 gid_t prev_g; 2900 int ins_idx; 2901 2902 groups_check_positive_len(*ngrp); 2903 groups_check_max_len(*ngrp); 2904 2905 if (*ngrp <= 1) 2906 return; 2907 2908 qsort(groups, *ngrp, sizeof(*groups), gidp_cmp); 2909 2910 /* Remove duplicates. */ 2911 prev_g = groups[0]; 2912 ins_idx = 1; 2913 for (int i = ins_idx; i < *ngrp; ++i) { 2914 const gid_t g = groups[i]; 2915 2916 if (g != prev_g) { 2917 if (i != ins_idx) 2918 groups[ins_idx] = g; 2919 ++ins_idx; 2920 prev_g = g; 2921 } 2922 } 2923 *ngrp = ins_idx; 2924 2925 groups_check_normalized(*ngrp, groups); 2926 } 2927 2928 /* 2929 * Internal function copying groups into a credential. 2930 * 2931 * 'ngrp' must be strictly positive. Either the passed 'groups' array must have 2932 * been normalized in advance (see groups_normalize()), else it must be so 2933 * before the structure is to be used again. 2934 * 2935 * This function is suitable to be used under any lock (it doesn't take any lock 2936 * itself nor sleep, and in particular doesn't allocate memory). crextend() 2937 * must have been called beforehand to ensure sufficient space is available. 2938 * See also crsetgroups(), which handles that. 2939 */ 2940 static void 2941 crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups) 2942 { 2943 2944 MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)"); 2945 MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small"); 2946 groups_check_positive_len(ngrp); 2947 2948 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2949 cr->cr_ngroups = ngrp; 2950 cr->cr_flags |= CRED_FLAG_GROUPSET; 2951 } 2952 2953 /* 2954 * Copy groups in to a credential after expanding it if required. 2955 * 2956 * May sleep in order to allocate memory (except if, e.g., crextend() was called 2957 * before with 'ngrp' or greater). Truncates the list to ngroups_max if 2958 * it is too large. Array 'groups' doesn't need to be sorted. 'ngrp' must be 2959 * strictly positive. 2960 */ 2961 void 2962 crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups) 2963 { 2964 2965 if (ngrp > ngroups_max) 2966 ngrp = ngroups_max; 2967 cr->cr_ngroups = 0; 2968 if (ngrp == 0) { 2969 cr->cr_flags |= CRED_FLAG_GROUPSET; 2970 return; 2971 } 2972 2973 /* 2974 * crextend() asserts that groups are not set, as it may allocate a new 2975 * backing storage without copying the content of the old one. Since we 2976 * are going to install a completely new set anyway, signal that we 2977 * consider the old ones thrown away. 2978 */ 2979 cr->cr_flags &= ~CRED_FLAG_GROUPSET; 2980 2981 crextend(cr, ngrp); 2982 crsetgroups_internal(cr, ngrp, groups); 2983 groups_normalize(&cr->cr_ngroups, cr->cr_groups); 2984 } 2985 2986 /* 2987 * Same as crsetgroups() but sets the effective GID as well. 2988 * 2989 * This function ensures that an effective GID is always present in credentials. 2990 * An empty array will only set the effective GID to the default_egid, while a 2991 * non-empty array will peel off groups[0] to set as the effective GID and use 2992 * the remainder, if any, as supplementary groups. 2993 */ 2994 void 2995 crsetgroups_and_egid(struct ucred *cr, int ngrp, const gid_t *groups, 2996 const gid_t default_egid) 2997 { 2998 if (ngrp == 0) { 2999 cr->cr_gid = default_egid; 3000 cr->cr_ngroups = 0; 3001 cr->cr_flags |= CRED_FLAG_GROUPSET; 3002 return; 3003 } 3004 3005 crsetgroups(cr, ngrp - 1, groups + 1); 3006 cr->cr_gid = groups[0]; 3007 } 3008 3009 /* 3010 * Get login name, if available. 3011 */ 3012 #ifndef _SYS_SYSPROTO_H_ 3013 struct getlogin_args { 3014 char *namebuf; 3015 u_int namelen; 3016 }; 3017 #endif 3018 /* ARGSUSED */ 3019 int 3020 sys_getlogin(struct thread *td, struct getlogin_args *uap) 3021 { 3022 char login[MAXLOGNAME]; 3023 struct proc *p = td->td_proc; 3024 size_t len; 3025 3026 if (uap->namelen > MAXLOGNAME) 3027 uap->namelen = MAXLOGNAME; 3028 PROC_LOCK(p); 3029 SESS_LOCK(p->p_session); 3030 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 3031 SESS_UNLOCK(p->p_session); 3032 PROC_UNLOCK(p); 3033 if (len > uap->namelen) 3034 return (ERANGE); 3035 return (copyout(login, uap->namebuf, len)); 3036 } 3037 3038 /* 3039 * Set login name. 3040 */ 3041 #ifndef _SYS_SYSPROTO_H_ 3042 struct setlogin_args { 3043 char *namebuf; 3044 }; 3045 #endif 3046 /* ARGSUSED */ 3047 int 3048 sys_setlogin(struct thread *td, struct setlogin_args *uap) 3049 { 3050 struct proc *p = td->td_proc; 3051 int error; 3052 char logintmp[MAXLOGNAME]; 3053 3054 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 3055 3056 error = priv_check(td, PRIV_PROC_SETLOGIN); 3057 if (error) 3058 return (error); 3059 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 3060 if (error != 0) { 3061 if (error == ENAMETOOLONG) 3062 error = EINVAL; 3063 return (error); 3064 } 3065 AUDIT_ARG_LOGIN(logintmp); 3066 PROC_LOCK(p); 3067 SESS_LOCK(p->p_session); 3068 strcpy(p->p_session->s_login, logintmp); 3069 SESS_UNLOCK(p->p_session); 3070 PROC_UNLOCK(p); 3071 return (0); 3072 } 3073 3074 void 3075 setsugid(struct proc *p) 3076 { 3077 3078 PROC_LOCK_ASSERT(p, MA_OWNED); 3079 p->p_flag |= P_SUGID; 3080 } 3081 3082 /*- 3083 * Change a process's effective uid. 3084 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 3085 * References: newcred must be an exclusive credential reference for the 3086 * duration of the call. 3087 */ 3088 void 3089 change_euid(struct ucred *newcred, struct uidinfo *euip) 3090 { 3091 3092 newcred->cr_uid = euip->ui_uid; 3093 uihold(euip); 3094 uifree(newcred->cr_uidinfo); 3095 newcred->cr_uidinfo = euip; 3096 } 3097 3098 /*- 3099 * Change a process's effective gid. 3100 * Side effects: newcred->cr_gid will be modified. 3101 * References: newcred must be an exclusive credential reference for the 3102 * duration of the call. 3103 */ 3104 void 3105 change_egid(struct ucred *newcred, gid_t egid) 3106 { 3107 3108 newcred->cr_gid = egid; 3109 } 3110 3111 /*- 3112 * Change a process's real uid. 3113 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 3114 * will be updated. 3115 * References: newcred must be an exclusive credential reference for the 3116 * duration of the call. 3117 */ 3118 void 3119 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 3120 { 3121 3122 newcred->cr_ruid = ruip->ui_uid; 3123 uihold(ruip); 3124 uifree(newcred->cr_ruidinfo); 3125 newcred->cr_ruidinfo = ruip; 3126 } 3127 3128 /*- 3129 * Change a process's real gid. 3130 * Side effects: newcred->cr_rgid will be updated. 3131 * References: newcred must be an exclusive credential reference for the 3132 * duration of the call. 3133 */ 3134 void 3135 change_rgid(struct ucred *newcred, gid_t rgid) 3136 { 3137 3138 newcred->cr_rgid = rgid; 3139 } 3140 3141 /*- 3142 * Change a process's saved uid. 3143 * Side effects: newcred->cr_svuid will be updated. 3144 * References: newcred must be an exclusive credential reference for the 3145 * duration of the call. 3146 */ 3147 void 3148 change_svuid(struct ucred *newcred, uid_t svuid) 3149 { 3150 3151 newcred->cr_svuid = svuid; 3152 } 3153 3154 /*- 3155 * Change a process's saved gid. 3156 * Side effects: newcred->cr_svgid will be updated. 3157 * References: newcred must be an exclusive credential reference for the 3158 * duration of the call. 3159 */ 3160 void 3161 change_svgid(struct ucred *newcred, gid_t svgid) 3162 { 3163 3164 newcred->cr_svgid = svgid; 3165 } 3166 3167 bool allow_ptrace = true; 3168 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 3169 &allow_ptrace, 0, 3170 "Deny ptrace(2) use by returning ENOSYS"); 3171