1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed 9 * to the University of California by American Telephone and Telegraph 10 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11 * the permission of UNIX System Laboratories, Inc. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 4. Neither the name of the University nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 __FBSDID("$FreeBSD$"); 46 47 #include "opt_compat.h" 48 #include "opt_inet.h" 49 #include "opt_inet6.h" 50 51 #include <sys/param.h> 52 #include <sys/systm.h> 53 #include <sys/acct.h> 54 #include <sys/kdb.h> 55 #include <sys/kernel.h> 56 #include <sys/lock.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/refcount.h> 60 #include <sys/sx.h> 61 #include <sys/priv.h> 62 #include <sys/proc.h> 63 #include <sys/sysproto.h> 64 #include <sys/jail.h> 65 #include <sys/pioctl.h> 66 #include <sys/resourcevar.h> 67 #include <sys/socket.h> 68 #include <sys/socketvar.h> 69 #include <sys/syscallsubr.h> 70 #include <sys/sysctl.h> 71 #include <sys/vimage.h> 72 73 #if defined(INET) || defined(INET6) 74 #include <netinet/in.h> 75 #include <netinet/in_pcb.h> 76 #endif 77 78 #include <security/audit/audit.h> 79 #include <security/mac/mac_framework.h> 80 81 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 82 83 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 84 85 #ifndef _SYS_SYSPROTO_H_ 86 struct getpid_args { 87 int dummy; 88 }; 89 #endif 90 /* ARGSUSED */ 91 int 92 getpid(struct thread *td, struct getpid_args *uap) 93 { 94 struct proc *p = td->td_proc; 95 96 td->td_retval[0] = p->p_pid; 97 #if defined(COMPAT_43) 98 PROC_LOCK(p); 99 td->td_retval[1] = p->p_pptr->p_pid; 100 PROC_UNLOCK(p); 101 #endif 102 return (0); 103 } 104 105 #ifndef _SYS_SYSPROTO_H_ 106 struct getppid_args { 107 int dummy; 108 }; 109 #endif 110 /* ARGSUSED */ 111 int 112 getppid(struct thread *td, struct getppid_args *uap) 113 { 114 struct proc *p = td->td_proc; 115 116 PROC_LOCK(p); 117 td->td_retval[0] = p->p_pptr->p_pid; 118 PROC_UNLOCK(p); 119 return (0); 120 } 121 122 /* 123 * Get process group ID; note that POSIX getpgrp takes no parameter. 124 */ 125 #ifndef _SYS_SYSPROTO_H_ 126 struct getpgrp_args { 127 int dummy; 128 }; 129 #endif 130 int 131 getpgrp(struct thread *td, struct getpgrp_args *uap) 132 { 133 struct proc *p = td->td_proc; 134 135 PROC_LOCK(p); 136 td->td_retval[0] = p->p_pgrp->pg_id; 137 PROC_UNLOCK(p); 138 return (0); 139 } 140 141 /* Get an arbitary pid's process group id */ 142 #ifndef _SYS_SYSPROTO_H_ 143 struct getpgid_args { 144 pid_t pid; 145 }; 146 #endif 147 int 148 getpgid(struct thread *td, struct getpgid_args *uap) 149 { 150 struct proc *p; 151 int error; 152 153 if (uap->pid == 0) { 154 p = td->td_proc; 155 PROC_LOCK(p); 156 } else { 157 p = pfind(uap->pid); 158 if (p == NULL) 159 return (ESRCH); 160 error = p_cansee(td, p); 161 if (error) { 162 PROC_UNLOCK(p); 163 return (error); 164 } 165 } 166 td->td_retval[0] = p->p_pgrp->pg_id; 167 PROC_UNLOCK(p); 168 return (0); 169 } 170 171 /* 172 * Get an arbitary pid's session id. 173 */ 174 #ifndef _SYS_SYSPROTO_H_ 175 struct getsid_args { 176 pid_t pid; 177 }; 178 #endif 179 int 180 getsid(struct thread *td, struct getsid_args *uap) 181 { 182 struct proc *p; 183 int error; 184 185 if (uap->pid == 0) { 186 p = td->td_proc; 187 PROC_LOCK(p); 188 } else { 189 p = pfind(uap->pid); 190 if (p == NULL) 191 return (ESRCH); 192 error = p_cansee(td, p); 193 if (error) { 194 PROC_UNLOCK(p); 195 return (error); 196 } 197 } 198 td->td_retval[0] = p->p_session->s_sid; 199 PROC_UNLOCK(p); 200 return (0); 201 } 202 203 #ifndef _SYS_SYSPROTO_H_ 204 struct getuid_args { 205 int dummy; 206 }; 207 #endif 208 /* ARGSUSED */ 209 int 210 getuid(struct thread *td, struct getuid_args *uap) 211 { 212 213 td->td_retval[0] = td->td_ucred->cr_ruid; 214 #if defined(COMPAT_43) 215 td->td_retval[1] = td->td_ucred->cr_uid; 216 #endif 217 return (0); 218 } 219 220 #ifndef _SYS_SYSPROTO_H_ 221 struct geteuid_args { 222 int dummy; 223 }; 224 #endif 225 /* ARGSUSED */ 226 int 227 geteuid(struct thread *td, struct geteuid_args *uap) 228 { 229 230 td->td_retval[0] = td->td_ucred->cr_uid; 231 return (0); 232 } 233 234 #ifndef _SYS_SYSPROTO_H_ 235 struct getgid_args { 236 int dummy; 237 }; 238 #endif 239 /* ARGSUSED */ 240 int 241 getgid(struct thread *td, struct getgid_args *uap) 242 { 243 244 td->td_retval[0] = td->td_ucred->cr_rgid; 245 #if defined(COMPAT_43) 246 td->td_retval[1] = td->td_ucred->cr_groups[0]; 247 #endif 248 return (0); 249 } 250 251 /* 252 * Get effective group ID. The "egid" is groups[0], and could be obtained 253 * via getgroups. This syscall exists because it is somewhat painful to do 254 * correctly in a library function. 255 */ 256 #ifndef _SYS_SYSPROTO_H_ 257 struct getegid_args { 258 int dummy; 259 }; 260 #endif 261 /* ARGSUSED */ 262 int 263 getegid(struct thread *td, struct getegid_args *uap) 264 { 265 266 td->td_retval[0] = td->td_ucred->cr_groups[0]; 267 return (0); 268 } 269 270 #ifndef _SYS_SYSPROTO_H_ 271 struct getgroups_args { 272 u_int gidsetsize; 273 gid_t *gidset; 274 }; 275 #endif 276 int 277 getgroups(struct thread *td, register struct getgroups_args *uap) 278 { 279 gid_t groups[NGROUPS]; 280 u_int ngrp; 281 int error; 282 283 ngrp = MIN(uap->gidsetsize, NGROUPS); 284 error = kern_getgroups(td, &ngrp, groups); 285 if (error) 286 return (error); 287 if (uap->gidsetsize > 0) 288 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 289 if (error == 0) 290 td->td_retval[0] = ngrp; 291 return (error); 292 } 293 294 int 295 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 296 { 297 struct ucred *cred; 298 299 cred = td->td_ucred; 300 if (*ngrp == 0) { 301 *ngrp = cred->cr_ngroups; 302 return (0); 303 } 304 if (*ngrp < cred->cr_ngroups) 305 return (EINVAL); 306 *ngrp = cred->cr_ngroups; 307 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 308 return (0); 309 } 310 311 #ifndef _SYS_SYSPROTO_H_ 312 struct setsid_args { 313 int dummy; 314 }; 315 #endif 316 /* ARGSUSED */ 317 int 318 setsid(register struct thread *td, struct setsid_args *uap) 319 { 320 struct pgrp *pgrp; 321 int error; 322 struct proc *p = td->td_proc; 323 struct pgrp *newpgrp; 324 struct session *newsess; 325 326 error = 0; 327 pgrp = NULL; 328 329 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 330 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 331 332 sx_xlock(&proctree_lock); 333 334 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 335 if (pgrp != NULL) 336 PGRP_UNLOCK(pgrp); 337 error = EPERM; 338 } else { 339 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 340 td->td_retval[0] = p->p_pid; 341 newpgrp = NULL; 342 newsess = NULL; 343 } 344 345 sx_xunlock(&proctree_lock); 346 347 if (newpgrp != NULL) 348 free(newpgrp, M_PGRP); 349 if (newsess != NULL) 350 free(newsess, M_SESSION); 351 352 return (error); 353 } 354 355 /* 356 * set process group (setpgid/old setpgrp) 357 * 358 * caller does setpgid(targpid, targpgid) 359 * 360 * pid must be caller or child of caller (ESRCH) 361 * if a child 362 * pid must be in same session (EPERM) 363 * pid can't have done an exec (EACCES) 364 * if pgid != pid 365 * there must exist some pid in same session having pgid (EPERM) 366 * pid must not be session leader (EPERM) 367 */ 368 #ifndef _SYS_SYSPROTO_H_ 369 struct setpgid_args { 370 int pid; /* target process id */ 371 int pgid; /* target pgrp id */ 372 }; 373 #endif 374 /* ARGSUSED */ 375 int 376 setpgid(struct thread *td, register struct setpgid_args *uap) 377 { 378 struct proc *curp = td->td_proc; 379 register struct proc *targp; /* target process */ 380 register struct pgrp *pgrp; /* target pgrp */ 381 int error; 382 struct pgrp *newpgrp; 383 384 if (uap->pgid < 0) 385 return (EINVAL); 386 387 error = 0; 388 389 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 390 391 sx_xlock(&proctree_lock); 392 if (uap->pid != 0 && uap->pid != curp->p_pid) { 393 if ((targp = pfind(uap->pid)) == NULL) { 394 error = ESRCH; 395 goto done; 396 } 397 if (!inferior(targp)) { 398 PROC_UNLOCK(targp); 399 error = ESRCH; 400 goto done; 401 } 402 if ((error = p_cansee(td, targp))) { 403 PROC_UNLOCK(targp); 404 goto done; 405 } 406 if (targp->p_pgrp == NULL || 407 targp->p_session != curp->p_session) { 408 PROC_UNLOCK(targp); 409 error = EPERM; 410 goto done; 411 } 412 if (targp->p_flag & P_EXEC) { 413 PROC_UNLOCK(targp); 414 error = EACCES; 415 goto done; 416 } 417 PROC_UNLOCK(targp); 418 } else 419 targp = curp; 420 if (SESS_LEADER(targp)) { 421 error = EPERM; 422 goto done; 423 } 424 if (uap->pgid == 0) 425 uap->pgid = targp->p_pid; 426 if ((pgrp = pgfind(uap->pgid)) == NULL) { 427 if (uap->pgid == targp->p_pid) { 428 error = enterpgrp(targp, uap->pgid, newpgrp, 429 NULL); 430 if (error == 0) 431 newpgrp = NULL; 432 } else 433 error = EPERM; 434 } else { 435 if (pgrp == targp->p_pgrp) { 436 PGRP_UNLOCK(pgrp); 437 goto done; 438 } 439 if (pgrp->pg_id != targp->p_pid && 440 pgrp->pg_session != curp->p_session) { 441 PGRP_UNLOCK(pgrp); 442 error = EPERM; 443 goto done; 444 } 445 PGRP_UNLOCK(pgrp); 446 error = enterthispgrp(targp, pgrp); 447 } 448 done: 449 sx_xunlock(&proctree_lock); 450 KASSERT((error == 0) || (newpgrp != NULL), 451 ("setpgid failed and newpgrp is NULL")); 452 if (newpgrp != NULL) 453 free(newpgrp, M_PGRP); 454 return (error); 455 } 456 457 /* 458 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 459 * compatible. It says that setting the uid/gid to euid/egid is a special 460 * case of "appropriate privilege". Once the rules are expanded out, this 461 * basically means that setuid(nnn) sets all three id's, in all permitted 462 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 463 * does not set the saved id - this is dangerous for traditional BSD 464 * programs. For this reason, we *really* do not want to set 465 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 466 */ 467 #define POSIX_APPENDIX_B_4_2_2 468 469 #ifndef _SYS_SYSPROTO_H_ 470 struct setuid_args { 471 uid_t uid; 472 }; 473 #endif 474 /* ARGSUSED */ 475 int 476 setuid(struct thread *td, struct setuid_args *uap) 477 { 478 struct proc *p = td->td_proc; 479 struct ucred *newcred, *oldcred; 480 uid_t uid; 481 struct uidinfo *uip; 482 int error; 483 484 uid = uap->uid; 485 AUDIT_ARG(uid, uid); 486 newcred = crget(); 487 uip = uifind(uid); 488 PROC_LOCK(p); 489 oldcred = p->p_ucred; 490 491 #ifdef MAC 492 error = mac_cred_check_setuid(oldcred, uid); 493 if (error) 494 goto fail; 495 #endif 496 497 /* 498 * See if we have "permission" by POSIX 1003.1 rules. 499 * 500 * Note that setuid(geteuid()) is a special case of 501 * "appropriate privileges" in appendix B.4.2.2. We need 502 * to use this clause to be compatible with traditional BSD 503 * semantics. Basically, it means that "setuid(xx)" sets all 504 * three id's (assuming you have privs). 505 * 506 * Notes on the logic. We do things in three steps. 507 * 1: We determine if the euid is going to change, and do EPERM 508 * right away. We unconditionally change the euid later if this 509 * test is satisfied, simplifying that part of the logic. 510 * 2: We determine if the real and/or saved uids are going to 511 * change. Determined by compile options. 512 * 3: Change euid last. (after tests in #2 for "appropriate privs") 513 */ 514 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 515 #ifdef _POSIX_SAVED_IDS 516 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 517 #endif 518 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 519 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 520 #endif 521 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 522 goto fail; 523 524 /* 525 * Copy credentials so other references do not see our changes. 526 */ 527 crcopy(newcred, oldcred); 528 #ifdef _POSIX_SAVED_IDS 529 /* 530 * Do we have "appropriate privileges" (are we root or uid == euid) 531 * If so, we are changing the real uid and/or saved uid. 532 */ 533 if ( 534 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 535 uid == oldcred->cr_uid || 536 #endif 537 /* We are using privs. */ 538 priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 539 #endif 540 { 541 /* 542 * Set the real uid and transfer proc count to new user. 543 */ 544 if (uid != oldcred->cr_ruid) { 545 change_ruid(newcred, uip); 546 setsugid(p); 547 } 548 /* 549 * Set saved uid 550 * 551 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 552 * the security of seteuid() depends on it. B.4.2.2 says it 553 * is important that we should do this. 554 */ 555 if (uid != oldcred->cr_svuid) { 556 change_svuid(newcred, uid); 557 setsugid(p); 558 } 559 } 560 561 /* 562 * In all permitted cases, we are changing the euid. 563 */ 564 if (uid != oldcred->cr_uid) { 565 change_euid(newcred, uip); 566 setsugid(p); 567 } 568 p->p_ucred = newcred; 569 PROC_UNLOCK(p); 570 uifree(uip); 571 crfree(oldcred); 572 return (0); 573 574 fail: 575 PROC_UNLOCK(p); 576 uifree(uip); 577 crfree(newcred); 578 return (error); 579 } 580 581 #ifndef _SYS_SYSPROTO_H_ 582 struct seteuid_args { 583 uid_t euid; 584 }; 585 #endif 586 /* ARGSUSED */ 587 int 588 seteuid(struct thread *td, struct seteuid_args *uap) 589 { 590 struct proc *p = td->td_proc; 591 struct ucred *newcred, *oldcred; 592 uid_t euid; 593 struct uidinfo *euip; 594 int error; 595 596 euid = uap->euid; 597 AUDIT_ARG(euid, euid); 598 newcred = crget(); 599 euip = uifind(euid); 600 PROC_LOCK(p); 601 oldcred = p->p_ucred; 602 603 #ifdef MAC 604 error = mac_cred_check_seteuid(oldcred, euid); 605 if (error) 606 goto fail; 607 #endif 608 609 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 610 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 611 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 612 goto fail; 613 614 /* 615 * Everything's okay, do it. Copy credentials so other references do 616 * not see our changes. 617 */ 618 crcopy(newcred, oldcred); 619 if (oldcred->cr_uid != euid) { 620 change_euid(newcred, euip); 621 setsugid(p); 622 } 623 p->p_ucred = newcred; 624 PROC_UNLOCK(p); 625 uifree(euip); 626 crfree(oldcred); 627 return (0); 628 629 fail: 630 PROC_UNLOCK(p); 631 uifree(euip); 632 crfree(newcred); 633 return (error); 634 } 635 636 #ifndef _SYS_SYSPROTO_H_ 637 struct setgid_args { 638 gid_t gid; 639 }; 640 #endif 641 /* ARGSUSED */ 642 int 643 setgid(struct thread *td, struct setgid_args *uap) 644 { 645 struct proc *p = td->td_proc; 646 struct ucred *newcred, *oldcred; 647 gid_t gid; 648 int error; 649 650 gid = uap->gid; 651 AUDIT_ARG(gid, gid); 652 newcred = crget(); 653 PROC_LOCK(p); 654 oldcred = p->p_ucred; 655 656 #ifdef MAC 657 error = mac_cred_check_setgid(oldcred, gid); 658 if (error) 659 goto fail; 660 #endif 661 662 /* 663 * See if we have "permission" by POSIX 1003.1 rules. 664 * 665 * Note that setgid(getegid()) is a special case of 666 * "appropriate privileges" in appendix B.4.2.2. We need 667 * to use this clause to be compatible with traditional BSD 668 * semantics. Basically, it means that "setgid(xx)" sets all 669 * three id's (assuming you have privs). 670 * 671 * For notes on the logic here, see setuid() above. 672 */ 673 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 674 #ifdef _POSIX_SAVED_IDS 675 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 676 #endif 677 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 678 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 679 #endif 680 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 681 goto fail; 682 683 crcopy(newcred, oldcred); 684 #ifdef _POSIX_SAVED_IDS 685 /* 686 * Do we have "appropriate privileges" (are we root or gid == egid) 687 * If so, we are changing the real uid and saved gid. 688 */ 689 if ( 690 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 691 gid == oldcred->cr_groups[0] || 692 #endif 693 /* We are using privs. */ 694 priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 695 #endif 696 { 697 /* 698 * Set real gid 699 */ 700 if (oldcred->cr_rgid != gid) { 701 change_rgid(newcred, gid); 702 setsugid(p); 703 } 704 /* 705 * Set saved gid 706 * 707 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 708 * the security of setegid() depends on it. B.4.2.2 says it 709 * is important that we should do this. 710 */ 711 if (oldcred->cr_svgid != gid) { 712 change_svgid(newcred, gid); 713 setsugid(p); 714 } 715 } 716 /* 717 * In all cases permitted cases, we are changing the egid. 718 * Copy credentials so other references do not see our changes. 719 */ 720 if (oldcred->cr_groups[0] != gid) { 721 change_egid(newcred, gid); 722 setsugid(p); 723 } 724 p->p_ucred = newcred; 725 PROC_UNLOCK(p); 726 crfree(oldcred); 727 return (0); 728 729 fail: 730 PROC_UNLOCK(p); 731 crfree(newcred); 732 return (error); 733 } 734 735 #ifndef _SYS_SYSPROTO_H_ 736 struct setegid_args { 737 gid_t egid; 738 }; 739 #endif 740 /* ARGSUSED */ 741 int 742 setegid(struct thread *td, struct setegid_args *uap) 743 { 744 struct proc *p = td->td_proc; 745 struct ucred *newcred, *oldcred; 746 gid_t egid; 747 int error; 748 749 egid = uap->egid; 750 AUDIT_ARG(egid, egid); 751 newcred = crget(); 752 PROC_LOCK(p); 753 oldcred = p->p_ucred; 754 755 #ifdef MAC 756 error = mac_cred_check_setegid(oldcred, egid); 757 if (error) 758 goto fail; 759 #endif 760 761 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 762 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 763 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 764 goto fail; 765 766 crcopy(newcred, oldcred); 767 if (oldcred->cr_groups[0] != egid) { 768 change_egid(newcred, egid); 769 setsugid(p); 770 } 771 p->p_ucred = newcred; 772 PROC_UNLOCK(p); 773 crfree(oldcred); 774 return (0); 775 776 fail: 777 PROC_UNLOCK(p); 778 crfree(newcred); 779 return (error); 780 } 781 782 #ifndef _SYS_SYSPROTO_H_ 783 struct setgroups_args { 784 u_int gidsetsize; 785 gid_t *gidset; 786 }; 787 #endif 788 /* ARGSUSED */ 789 int 790 setgroups(struct thread *td, struct setgroups_args *uap) 791 { 792 gid_t groups[NGROUPS]; 793 int error; 794 795 if (uap->gidsetsize > NGROUPS) 796 return (EINVAL); 797 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 798 if (error) 799 return (error); 800 return (kern_setgroups(td, uap->gidsetsize, groups)); 801 } 802 803 int 804 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 805 { 806 struct proc *p = td->td_proc; 807 struct ucred *newcred, *oldcred; 808 int error; 809 810 if (ngrp > NGROUPS) 811 return (EINVAL); 812 AUDIT_ARG(groupset, groups, ngrp); 813 newcred = crget(); 814 PROC_LOCK(p); 815 oldcred = p->p_ucred; 816 817 #ifdef MAC 818 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 819 if (error) 820 goto fail; 821 #endif 822 823 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 824 if (error) 825 goto fail; 826 827 /* 828 * XXX A little bit lazy here. We could test if anything has 829 * changed before crcopy() and setting P_SUGID. 830 */ 831 crcopy(newcred, oldcred); 832 if (ngrp < 1) { 833 /* 834 * setgroups(0, NULL) is a legitimate way of clearing the 835 * groups vector on non-BSD systems (which generally do not 836 * have the egid in the groups[0]). We risk security holes 837 * when running non-BSD software if we do not do the same. 838 */ 839 newcred->cr_ngroups = 1; 840 } else { 841 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 842 newcred->cr_ngroups = ngrp; 843 } 844 setsugid(p); 845 p->p_ucred = newcred; 846 PROC_UNLOCK(p); 847 crfree(oldcred); 848 return (0); 849 850 fail: 851 PROC_UNLOCK(p); 852 crfree(newcred); 853 return (error); 854 } 855 856 #ifndef _SYS_SYSPROTO_H_ 857 struct setreuid_args { 858 uid_t ruid; 859 uid_t euid; 860 }; 861 #endif 862 /* ARGSUSED */ 863 int 864 setreuid(register struct thread *td, struct setreuid_args *uap) 865 { 866 struct proc *p = td->td_proc; 867 struct ucred *newcred, *oldcred; 868 uid_t euid, ruid; 869 struct uidinfo *euip, *ruip; 870 int error; 871 872 euid = uap->euid; 873 ruid = uap->ruid; 874 AUDIT_ARG(euid, euid); 875 AUDIT_ARG(ruid, ruid); 876 newcred = crget(); 877 euip = uifind(euid); 878 ruip = uifind(ruid); 879 PROC_LOCK(p); 880 oldcred = p->p_ucred; 881 882 #ifdef MAC 883 error = mac_cred_check_setreuid(oldcred, ruid, euid); 884 if (error) 885 goto fail; 886 #endif 887 888 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 889 ruid != oldcred->cr_svuid) || 890 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 891 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 892 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 893 goto fail; 894 895 crcopy(newcred, oldcred); 896 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 897 change_euid(newcred, euip); 898 setsugid(p); 899 } 900 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 901 change_ruid(newcred, ruip); 902 setsugid(p); 903 } 904 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 905 newcred->cr_svuid != newcred->cr_uid) { 906 change_svuid(newcred, newcred->cr_uid); 907 setsugid(p); 908 } 909 p->p_ucred = newcred; 910 PROC_UNLOCK(p); 911 uifree(ruip); 912 uifree(euip); 913 crfree(oldcred); 914 return (0); 915 916 fail: 917 PROC_UNLOCK(p); 918 uifree(ruip); 919 uifree(euip); 920 crfree(newcred); 921 return (error); 922 } 923 924 #ifndef _SYS_SYSPROTO_H_ 925 struct setregid_args { 926 gid_t rgid; 927 gid_t egid; 928 }; 929 #endif 930 /* ARGSUSED */ 931 int 932 setregid(register struct thread *td, struct setregid_args *uap) 933 { 934 struct proc *p = td->td_proc; 935 struct ucred *newcred, *oldcred; 936 gid_t egid, rgid; 937 int error; 938 939 egid = uap->egid; 940 rgid = uap->rgid; 941 AUDIT_ARG(egid, egid); 942 AUDIT_ARG(rgid, rgid); 943 newcred = crget(); 944 PROC_LOCK(p); 945 oldcred = p->p_ucred; 946 947 #ifdef MAC 948 error = mac_cred_check_setregid(oldcred, rgid, egid); 949 if (error) 950 goto fail; 951 #endif 952 953 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 954 rgid != oldcred->cr_svgid) || 955 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 956 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 957 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 958 goto fail; 959 960 crcopy(newcred, oldcred); 961 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 962 change_egid(newcred, egid); 963 setsugid(p); 964 } 965 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 966 change_rgid(newcred, rgid); 967 setsugid(p); 968 } 969 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 970 newcred->cr_svgid != newcred->cr_groups[0]) { 971 change_svgid(newcred, newcred->cr_groups[0]); 972 setsugid(p); 973 } 974 p->p_ucred = newcred; 975 PROC_UNLOCK(p); 976 crfree(oldcred); 977 return (0); 978 979 fail: 980 PROC_UNLOCK(p); 981 crfree(newcred); 982 return (error); 983 } 984 985 /* 986 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 987 * uid is explicit. 988 */ 989 #ifndef _SYS_SYSPROTO_H_ 990 struct setresuid_args { 991 uid_t ruid; 992 uid_t euid; 993 uid_t suid; 994 }; 995 #endif 996 /* ARGSUSED */ 997 int 998 setresuid(register struct thread *td, struct setresuid_args *uap) 999 { 1000 struct proc *p = td->td_proc; 1001 struct ucred *newcred, *oldcred; 1002 uid_t euid, ruid, suid; 1003 struct uidinfo *euip, *ruip; 1004 int error; 1005 1006 euid = uap->euid; 1007 ruid = uap->ruid; 1008 suid = uap->suid; 1009 AUDIT_ARG(euid, euid); 1010 AUDIT_ARG(ruid, ruid); 1011 AUDIT_ARG(suid, suid); 1012 newcred = crget(); 1013 euip = uifind(euid); 1014 ruip = uifind(ruid); 1015 PROC_LOCK(p); 1016 oldcred = p->p_ucred; 1017 1018 #ifdef MAC 1019 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1020 if (error) 1021 goto fail; 1022 #endif 1023 1024 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1025 ruid != oldcred->cr_svuid && 1026 ruid != oldcred->cr_uid) || 1027 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1028 euid != oldcred->cr_svuid && 1029 euid != oldcred->cr_uid) || 1030 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1031 suid != oldcred->cr_svuid && 1032 suid != oldcred->cr_uid)) && 1033 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1034 goto fail; 1035 1036 crcopy(newcred, oldcred); 1037 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1038 change_euid(newcred, euip); 1039 setsugid(p); 1040 } 1041 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1042 change_ruid(newcred, ruip); 1043 setsugid(p); 1044 } 1045 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1046 change_svuid(newcred, suid); 1047 setsugid(p); 1048 } 1049 p->p_ucred = newcred; 1050 PROC_UNLOCK(p); 1051 uifree(ruip); 1052 uifree(euip); 1053 crfree(oldcred); 1054 return (0); 1055 1056 fail: 1057 PROC_UNLOCK(p); 1058 uifree(ruip); 1059 uifree(euip); 1060 crfree(newcred); 1061 return (error); 1062 1063 } 1064 1065 /* 1066 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1067 * gid is explicit. 1068 */ 1069 #ifndef _SYS_SYSPROTO_H_ 1070 struct setresgid_args { 1071 gid_t rgid; 1072 gid_t egid; 1073 gid_t sgid; 1074 }; 1075 #endif 1076 /* ARGSUSED */ 1077 int 1078 setresgid(register struct thread *td, struct setresgid_args *uap) 1079 { 1080 struct proc *p = td->td_proc; 1081 struct ucred *newcred, *oldcred; 1082 gid_t egid, rgid, sgid; 1083 int error; 1084 1085 egid = uap->egid; 1086 rgid = uap->rgid; 1087 sgid = uap->sgid; 1088 AUDIT_ARG(egid, egid); 1089 AUDIT_ARG(rgid, rgid); 1090 AUDIT_ARG(sgid, sgid); 1091 newcred = crget(); 1092 PROC_LOCK(p); 1093 oldcred = p->p_ucred; 1094 1095 #ifdef MAC 1096 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1097 if (error) 1098 goto fail; 1099 #endif 1100 1101 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1102 rgid != oldcred->cr_svgid && 1103 rgid != oldcred->cr_groups[0]) || 1104 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1105 egid != oldcred->cr_svgid && 1106 egid != oldcred->cr_groups[0]) || 1107 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1108 sgid != oldcred->cr_svgid && 1109 sgid != oldcred->cr_groups[0])) && 1110 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1111 goto fail; 1112 1113 crcopy(newcred, oldcred); 1114 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1115 change_egid(newcred, egid); 1116 setsugid(p); 1117 } 1118 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1119 change_rgid(newcred, rgid); 1120 setsugid(p); 1121 } 1122 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1123 change_svgid(newcred, sgid); 1124 setsugid(p); 1125 } 1126 p->p_ucred = newcred; 1127 PROC_UNLOCK(p); 1128 crfree(oldcred); 1129 return (0); 1130 1131 fail: 1132 PROC_UNLOCK(p); 1133 crfree(newcred); 1134 return (error); 1135 } 1136 1137 #ifndef _SYS_SYSPROTO_H_ 1138 struct getresuid_args { 1139 uid_t *ruid; 1140 uid_t *euid; 1141 uid_t *suid; 1142 }; 1143 #endif 1144 /* ARGSUSED */ 1145 int 1146 getresuid(register struct thread *td, struct getresuid_args *uap) 1147 { 1148 struct ucred *cred; 1149 int error1 = 0, error2 = 0, error3 = 0; 1150 1151 cred = td->td_ucred; 1152 if (uap->ruid) 1153 error1 = copyout(&cred->cr_ruid, 1154 uap->ruid, sizeof(cred->cr_ruid)); 1155 if (uap->euid) 1156 error2 = copyout(&cred->cr_uid, 1157 uap->euid, sizeof(cred->cr_uid)); 1158 if (uap->suid) 1159 error3 = copyout(&cred->cr_svuid, 1160 uap->suid, sizeof(cred->cr_svuid)); 1161 return (error1 ? error1 : error2 ? error2 : error3); 1162 } 1163 1164 #ifndef _SYS_SYSPROTO_H_ 1165 struct getresgid_args { 1166 gid_t *rgid; 1167 gid_t *egid; 1168 gid_t *sgid; 1169 }; 1170 #endif 1171 /* ARGSUSED */ 1172 int 1173 getresgid(register struct thread *td, struct getresgid_args *uap) 1174 { 1175 struct ucred *cred; 1176 int error1 = 0, error2 = 0, error3 = 0; 1177 1178 cred = td->td_ucred; 1179 if (uap->rgid) 1180 error1 = copyout(&cred->cr_rgid, 1181 uap->rgid, sizeof(cred->cr_rgid)); 1182 if (uap->egid) 1183 error2 = copyout(&cred->cr_groups[0], 1184 uap->egid, sizeof(cred->cr_groups[0])); 1185 if (uap->sgid) 1186 error3 = copyout(&cred->cr_svgid, 1187 uap->sgid, sizeof(cred->cr_svgid)); 1188 return (error1 ? error1 : error2 ? error2 : error3); 1189 } 1190 1191 #ifndef _SYS_SYSPROTO_H_ 1192 struct issetugid_args { 1193 int dummy; 1194 }; 1195 #endif 1196 /* ARGSUSED */ 1197 int 1198 issetugid(register struct thread *td, struct issetugid_args *uap) 1199 { 1200 struct proc *p = td->td_proc; 1201 1202 /* 1203 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1204 * we use P_SUGID because we consider changing the owners as 1205 * "tainting" as well. 1206 * This is significant for procs that start as root and "become" 1207 * a user without an exec - programs cannot know *everything* 1208 * that libc *might* have put in their data segment. 1209 */ 1210 PROC_LOCK(p); 1211 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1212 PROC_UNLOCK(p); 1213 return (0); 1214 } 1215 1216 int 1217 __setugid(struct thread *td, struct __setugid_args *uap) 1218 { 1219 #ifdef REGRESSION 1220 struct proc *p; 1221 1222 p = td->td_proc; 1223 switch (uap->flag) { 1224 case 0: 1225 PROC_LOCK(p); 1226 p->p_flag &= ~P_SUGID; 1227 PROC_UNLOCK(p); 1228 return (0); 1229 case 1: 1230 PROC_LOCK(p); 1231 p->p_flag |= P_SUGID; 1232 PROC_UNLOCK(p); 1233 return (0); 1234 default: 1235 return (EINVAL); 1236 } 1237 #else /* !REGRESSION */ 1238 1239 return (ENOSYS); 1240 #endif /* REGRESSION */ 1241 } 1242 1243 /* 1244 * Check if gid is a member of the group set. 1245 */ 1246 int 1247 groupmember(gid_t gid, struct ucred *cred) 1248 { 1249 register gid_t *gp; 1250 gid_t *egp; 1251 1252 egp = &(cred->cr_groups[cred->cr_ngroups]); 1253 for (gp = cred->cr_groups; gp < egp; gp++) 1254 if (*gp == gid) 1255 return (1); 1256 return (0); 1257 } 1258 1259 /* 1260 * Test the active securelevel against a given level. securelevel_gt() 1261 * implements (securelevel > level). securelevel_ge() implements 1262 * (securelevel >= level). Note that the logic is inverted -- these 1263 * functions return EPERM on "success" and 0 on "failure". 1264 * 1265 * Due to care taken when setting the securelevel, we know that no jail will 1266 * be less secure that its parent (or the physical system), so it is sufficient 1267 * to test the current jail only. 1268 * 1269 * XXXRW: Possibly since this has to do with privilege, it should move to 1270 * kern_priv.c. 1271 */ 1272 int 1273 securelevel_gt(struct ucred *cr, int level) 1274 { 1275 1276 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1277 } 1278 1279 int 1280 securelevel_ge(struct ucred *cr, int level) 1281 { 1282 1283 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1284 } 1285 1286 /* 1287 * 'see_other_uids' determines whether or not visibility of processes 1288 * and sockets with credentials holding different real uids is possible 1289 * using a variety of system MIBs. 1290 * XXX: data declarations should be together near the beginning of the file. 1291 */ 1292 static int see_other_uids = 1; 1293 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1294 &see_other_uids, 0, 1295 "Unprivileged processes may see subjects/objects with different real uid"); 1296 1297 /*- 1298 * Determine if u1 "can see" the subject specified by u2, according to the 1299 * 'see_other_uids' policy. 1300 * Returns: 0 for permitted, ESRCH otherwise 1301 * Locks: none 1302 * References: *u1 and *u2 must not change during the call 1303 * u1 may equal u2, in which case only one reference is required 1304 */ 1305 static int 1306 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1307 { 1308 1309 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1310 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 1311 return (ESRCH); 1312 } 1313 return (0); 1314 } 1315 1316 /* 1317 * 'see_other_gids' determines whether or not visibility of processes 1318 * and sockets with credentials holding different real gids is possible 1319 * using a variety of system MIBs. 1320 * XXX: data declarations should be together near the beginning of the file. 1321 */ 1322 static int see_other_gids = 1; 1323 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1324 &see_other_gids, 0, 1325 "Unprivileged processes may see subjects/objects with different real gid"); 1326 1327 /* 1328 * Determine if u1 can "see" the subject specified by u2, according to the 1329 * 'see_other_gids' policy. 1330 * Returns: 0 for permitted, ESRCH otherwise 1331 * Locks: none 1332 * References: *u1 and *u2 must not change during the call 1333 * u1 may equal u2, in which case only one reference is required 1334 */ 1335 static int 1336 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1337 { 1338 int i, match; 1339 1340 if (!see_other_gids) { 1341 match = 0; 1342 for (i = 0; i < u1->cr_ngroups; i++) { 1343 if (groupmember(u1->cr_groups[i], u2)) 1344 match = 1; 1345 if (match) 1346 break; 1347 } 1348 if (!match) { 1349 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 1350 return (ESRCH); 1351 } 1352 } 1353 return (0); 1354 } 1355 1356 /*- 1357 * Determine if u1 "can see" the subject specified by u2. 1358 * Returns: 0 for permitted, an errno value otherwise 1359 * Locks: none 1360 * References: *u1 and *u2 must not change during the call 1361 * u1 may equal u2, in which case only one reference is required 1362 */ 1363 int 1364 cr_cansee(struct ucred *u1, struct ucred *u2) 1365 { 1366 int error; 1367 1368 if ((error = prison_check(u1, u2))) 1369 return (error); 1370 #ifdef MAC 1371 if ((error = mac_cred_check_visible(u1, u2))) 1372 return (error); 1373 #endif 1374 if ((error = cr_seeotheruids(u1, u2))) 1375 return (error); 1376 if ((error = cr_seeothergids(u1, u2))) 1377 return (error); 1378 return (0); 1379 } 1380 1381 /*- 1382 * Determine if td "can see" the subject specified by p. 1383 * Returns: 0 for permitted, an errno value otherwise 1384 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1385 * should be curthread. 1386 * References: td and p must be valid for the lifetime of the call 1387 */ 1388 int 1389 p_cansee(struct thread *td, struct proc *p) 1390 { 1391 1392 /* Wrap cr_cansee() for all functionality. */ 1393 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1394 PROC_LOCK_ASSERT(p, MA_OWNED); 1395 return (cr_cansee(td->td_ucred, p->p_ucred)); 1396 } 1397 1398 /* 1399 * 'conservative_signals' prevents the delivery of a broad class of 1400 * signals by unprivileged processes to processes that have changed their 1401 * credentials since the last invocation of execve(). This can prevent 1402 * the leakage of cached information or retained privileges as a result 1403 * of a common class of signal-related vulnerabilities. However, this 1404 * may interfere with some applications that expect to be able to 1405 * deliver these signals to peer processes after having given up 1406 * privilege. 1407 */ 1408 static int conservative_signals = 1; 1409 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1410 &conservative_signals, 0, "Unprivileged processes prevented from " 1411 "sending certain signals to processes whose credentials have changed"); 1412 /*- 1413 * Determine whether cred may deliver the specified signal to proc. 1414 * Returns: 0 for permitted, an errno value otherwise. 1415 * Locks: A lock must be held for proc. 1416 * References: cred and proc must be valid for the lifetime of the call. 1417 */ 1418 int 1419 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1420 { 1421 int error; 1422 1423 PROC_LOCK_ASSERT(proc, MA_OWNED); 1424 /* 1425 * Jail semantics limit the scope of signalling to proc in the 1426 * same jail as cred, if cred is in jail. 1427 */ 1428 error = prison_check(cred, proc->p_ucred); 1429 if (error) 1430 return (error); 1431 #ifdef MAC 1432 if ((error = mac_proc_check_signal(cred, proc, signum))) 1433 return (error); 1434 #endif 1435 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1436 return (error); 1437 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1438 return (error); 1439 1440 /* 1441 * UNIX signal semantics depend on the status of the P_SUGID 1442 * bit on the target process. If the bit is set, then additional 1443 * restrictions are placed on the set of available signals. 1444 */ 1445 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1446 switch (signum) { 1447 case 0: 1448 case SIGKILL: 1449 case SIGINT: 1450 case SIGTERM: 1451 case SIGALRM: 1452 case SIGSTOP: 1453 case SIGTTIN: 1454 case SIGTTOU: 1455 case SIGTSTP: 1456 case SIGHUP: 1457 case SIGUSR1: 1458 case SIGUSR2: 1459 /* 1460 * Generally, permit job and terminal control 1461 * signals. 1462 */ 1463 break; 1464 default: 1465 /* Not permitted without privilege. */ 1466 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 1467 if (error) 1468 return (error); 1469 } 1470 } 1471 1472 /* 1473 * Generally, the target credential's ruid or svuid must match the 1474 * subject credential's ruid or euid. 1475 */ 1476 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1477 cred->cr_ruid != proc->p_ucred->cr_svuid && 1478 cred->cr_uid != proc->p_ucred->cr_ruid && 1479 cred->cr_uid != proc->p_ucred->cr_svuid) { 1480 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 1481 if (error) 1482 return (error); 1483 } 1484 1485 return (0); 1486 } 1487 1488 /*- 1489 * Determine whether td may deliver the specified signal to p. 1490 * Returns: 0 for permitted, an errno value otherwise 1491 * Locks: Sufficient locks to protect various components of td and p 1492 * must be held. td must be curthread, and a lock must be 1493 * held for p. 1494 * References: td and p must be valid for the lifetime of the call 1495 */ 1496 int 1497 p_cansignal(struct thread *td, struct proc *p, int signum) 1498 { 1499 1500 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1501 PROC_LOCK_ASSERT(p, MA_OWNED); 1502 if (td->td_proc == p) 1503 return (0); 1504 1505 /* 1506 * UNIX signalling semantics require that processes in the same 1507 * session always be able to deliver SIGCONT to one another, 1508 * overriding the remaining protections. 1509 */ 1510 /* XXX: This will require an additional lock of some sort. */ 1511 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1512 return (0); 1513 /* 1514 * Some compat layers use SIGTHR and higher signals for 1515 * communication between different kernel threads of the same 1516 * process, so that they expect that it's always possible to 1517 * deliver them, even for suid applications where cr_cansignal() can 1518 * deny such ability for security consideration. It should be 1519 * pretty safe to do since the only way to create two processes 1520 * with the same p_leader is via rfork(2). 1521 */ 1522 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1523 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1524 return (0); 1525 1526 return (cr_cansignal(td->td_ucred, p, signum)); 1527 } 1528 1529 /*- 1530 * Determine whether td may reschedule p. 1531 * Returns: 0 for permitted, an errno value otherwise 1532 * Locks: Sufficient locks to protect various components of td and p 1533 * must be held. td must be curthread, and a lock must 1534 * be held for p. 1535 * References: td and p must be valid for the lifetime of the call 1536 */ 1537 int 1538 p_cansched(struct thread *td, struct proc *p) 1539 { 1540 int error; 1541 1542 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1543 PROC_LOCK_ASSERT(p, MA_OWNED); 1544 if (td->td_proc == p) 1545 return (0); 1546 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1547 return (error); 1548 #ifdef MAC 1549 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1550 return (error); 1551 #endif 1552 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1553 return (error); 1554 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1555 return (error); 1556 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1557 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1558 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1559 if (error) 1560 return (error); 1561 } 1562 return (0); 1563 } 1564 1565 /* 1566 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1567 * unprivileged inter-process debugging services, including some procfs 1568 * functionality, ptrace(), and ktrace(). In the past, inter-process 1569 * debugging has been involved in a variety of security problems, and sites 1570 * not requiring the service might choose to disable it when hardening 1571 * systems. 1572 * 1573 * XXX: Should modifying and reading this variable require locking? 1574 * XXX: data declarations should be together near the beginning of the file. 1575 */ 1576 static int unprivileged_proc_debug = 1; 1577 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1578 &unprivileged_proc_debug, 0, 1579 "Unprivileged processes may use process debugging facilities"); 1580 1581 /*- 1582 * Determine whether td may debug p. 1583 * Returns: 0 for permitted, an errno value otherwise 1584 * Locks: Sufficient locks to protect various components of td and p 1585 * must be held. td must be curthread, and a lock must 1586 * be held for p. 1587 * References: td and p must be valid for the lifetime of the call 1588 */ 1589 int 1590 p_candebug(struct thread *td, struct proc *p) 1591 { 1592 int credentialchanged, error, grpsubset, i, uidsubset; 1593 1594 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1595 PROC_LOCK_ASSERT(p, MA_OWNED); 1596 if (!unprivileged_proc_debug) { 1597 error = priv_check(td, PRIV_DEBUG_UNPRIV); 1598 if (error) 1599 return (error); 1600 } 1601 if (td->td_proc == p) 1602 return (0); 1603 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1604 return (error); 1605 #ifdef MAC 1606 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1607 return (error); 1608 #endif 1609 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1610 return (error); 1611 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1612 return (error); 1613 1614 /* 1615 * Is p's group set a subset of td's effective group set? This 1616 * includes p's egid, group access list, rgid, and svgid. 1617 */ 1618 grpsubset = 1; 1619 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1620 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1621 grpsubset = 0; 1622 break; 1623 } 1624 } 1625 grpsubset = grpsubset && 1626 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1627 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1628 1629 /* 1630 * Are the uids present in p's credential equal to td's 1631 * effective uid? This includes p's euid, svuid, and ruid. 1632 */ 1633 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1634 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1635 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1636 1637 /* 1638 * Has the credential of the process changed since the last exec()? 1639 */ 1640 credentialchanged = (p->p_flag & P_SUGID); 1641 1642 /* 1643 * If p's gids aren't a subset, or the uids aren't a subset, 1644 * or the credential has changed, require appropriate privilege 1645 * for td to debug p. 1646 */ 1647 if (!grpsubset || !uidsubset) { 1648 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1649 if (error) 1650 return (error); 1651 } 1652 1653 if (credentialchanged) { 1654 error = priv_check(td, PRIV_DEBUG_SUGID); 1655 if (error) 1656 return (error); 1657 } 1658 1659 /* Can't trace init when securelevel > 0. */ 1660 if (p == initproc) { 1661 error = securelevel_gt(td->td_ucred, 0); 1662 if (error) 1663 return (error); 1664 } 1665 1666 /* 1667 * Can't trace a process that's currently exec'ing. 1668 * 1669 * XXX: Note, this is not a security policy decision, it's a 1670 * basic correctness/functionality decision. Therefore, this check 1671 * should be moved to the caller's of p_candebug(). 1672 */ 1673 if ((p->p_flag & P_INEXEC) != 0) 1674 return (EBUSY); 1675 1676 return (0); 1677 } 1678 1679 /*- 1680 * Determine whether the subject represented by cred can "see" a socket. 1681 * Returns: 0 for permitted, ENOENT otherwise. 1682 */ 1683 int 1684 cr_canseesocket(struct ucred *cred, struct socket *so) 1685 { 1686 int error; 1687 1688 error = prison_check(cred, so->so_cred); 1689 if (error) 1690 return (ENOENT); 1691 #ifdef MAC 1692 error = mac_socket_check_visible(cred, so); 1693 if (error) 1694 return (error); 1695 #endif 1696 if (cr_seeotheruids(cred, so->so_cred)) 1697 return (ENOENT); 1698 if (cr_seeothergids(cred, so->so_cred)) 1699 return (ENOENT); 1700 1701 return (0); 1702 } 1703 1704 #if defined(INET) || defined(INET6) 1705 /*- 1706 * Determine whether the subject represented by cred can "see" a socket. 1707 * Returns: 0 for permitted, ENOENT otherwise. 1708 */ 1709 int 1710 cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1711 { 1712 int error; 1713 1714 error = prison_check(cred, inp->inp_cred); 1715 if (error) 1716 return (ENOENT); 1717 #ifdef MAC 1718 INP_LOCK_ASSERT(inp); 1719 error = mac_inpcb_check_visible(cred, inp); 1720 if (error) 1721 return (error); 1722 #endif 1723 if (cr_seeotheruids(cred, inp->inp_cred)) 1724 return (ENOENT); 1725 if (cr_seeothergids(cred, inp->inp_cred)) 1726 return (ENOENT); 1727 1728 return (0); 1729 } 1730 #endif 1731 1732 /*- 1733 * Determine whether td can wait for the exit of p. 1734 * Returns: 0 for permitted, an errno value otherwise 1735 * Locks: Sufficient locks to protect various components of td and p 1736 * must be held. td must be curthread, and a lock must 1737 * be held for p. 1738 * References: td and p must be valid for the lifetime of the call 1739 1740 */ 1741 int 1742 p_canwait(struct thread *td, struct proc *p) 1743 { 1744 int error; 1745 1746 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1747 PROC_LOCK_ASSERT(p, MA_OWNED); 1748 if ( 1749 #ifdef VIMAGE /* XXX temporary until struct vimage goes away */ 1750 !vi_child_of(TD_TO_VIMAGE(td), P_TO_VIMAGE(p)) && 1751 #endif 1752 (error = prison_check(td->td_ucred, p->p_ucred))) 1753 return (error); 1754 #ifdef MAC 1755 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1756 return (error); 1757 #endif 1758 #if 0 1759 /* XXXMAC: This could have odd effects on some shells. */ 1760 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1761 return (error); 1762 #endif 1763 1764 return (0); 1765 } 1766 1767 /* 1768 * Allocate a zeroed cred structure. 1769 */ 1770 struct ucred * 1771 crget(void) 1772 { 1773 register struct ucred *cr; 1774 1775 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1776 refcount_init(&cr->cr_ref, 1); 1777 #ifdef AUDIT 1778 audit_cred_init(cr); 1779 #endif 1780 #ifdef MAC 1781 mac_cred_init(cr); 1782 #endif 1783 return (cr); 1784 } 1785 1786 /* 1787 * Claim another reference to a ucred structure. 1788 */ 1789 struct ucred * 1790 crhold(struct ucred *cr) 1791 { 1792 1793 refcount_acquire(&cr->cr_ref); 1794 return (cr); 1795 } 1796 1797 /* 1798 * Free a cred structure. Throws away space when ref count gets to 0. 1799 */ 1800 void 1801 crfree(struct ucred *cr) 1802 { 1803 1804 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1805 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1806 if (refcount_release(&cr->cr_ref)) { 1807 /* 1808 * Some callers of crget(), such as nfs_statfs(), 1809 * allocate a temporary credential, but don't 1810 * allocate a uidinfo structure. 1811 */ 1812 if (cr->cr_uidinfo != NULL) 1813 uifree(cr->cr_uidinfo); 1814 if (cr->cr_ruidinfo != NULL) 1815 uifree(cr->cr_ruidinfo); 1816 /* 1817 * Free a prison, if any. 1818 */ 1819 if (cr->cr_prison != NULL) 1820 prison_free(cr->cr_prison); 1821 #ifdef VIMAGE 1822 /* XXX TODO: find out why and when cr_vimage can be NULL here! */ 1823 if (cr->cr_vimage != NULL) 1824 refcount_release(&cr->cr_vimage->vi_ucredrefc); 1825 #endif 1826 #ifdef AUDIT 1827 audit_cred_destroy(cr); 1828 #endif 1829 #ifdef MAC 1830 mac_cred_destroy(cr); 1831 #endif 1832 free(cr, M_CRED); 1833 } 1834 } 1835 1836 /* 1837 * Check to see if this ucred is shared. 1838 */ 1839 int 1840 crshared(struct ucred *cr) 1841 { 1842 1843 return (cr->cr_ref > 1); 1844 } 1845 1846 /* 1847 * Copy a ucred's contents from a template. Does not block. 1848 */ 1849 void 1850 crcopy(struct ucred *dest, struct ucred *src) 1851 { 1852 1853 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1854 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1855 (unsigned)((caddr_t)&src->cr_endcopy - 1856 (caddr_t)&src->cr_startcopy)); 1857 uihold(dest->cr_uidinfo); 1858 uihold(dest->cr_ruidinfo); 1859 prison_hold(dest->cr_prison); 1860 #ifdef VIMAGE 1861 KASSERT(src->cr_vimage != NULL, ("cr_vimage == NULL")); 1862 refcount_acquire(&dest->cr_vimage->vi_ucredrefc); 1863 #endif 1864 #ifdef AUDIT 1865 audit_cred_copy(src, dest); 1866 #endif 1867 #ifdef MAC 1868 mac_cred_copy(src, dest); 1869 #endif 1870 } 1871 1872 /* 1873 * Dup cred struct to a new held one. 1874 */ 1875 struct ucred * 1876 crdup(struct ucred *cr) 1877 { 1878 struct ucred *newcr; 1879 1880 newcr = crget(); 1881 crcopy(newcr, cr); 1882 return (newcr); 1883 } 1884 1885 /* 1886 * Fill in a struct xucred based on a struct ucred. 1887 */ 1888 void 1889 cru2x(struct ucred *cr, struct xucred *xcr) 1890 { 1891 1892 bzero(xcr, sizeof(*xcr)); 1893 xcr->cr_version = XUCRED_VERSION; 1894 xcr->cr_uid = cr->cr_uid; 1895 xcr->cr_ngroups = cr->cr_ngroups; 1896 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1897 } 1898 1899 /* 1900 * small routine to swap a thread's current ucred for the correct one taken 1901 * from the process. 1902 */ 1903 void 1904 cred_update_thread(struct thread *td) 1905 { 1906 struct proc *p; 1907 struct ucred *cred; 1908 1909 p = td->td_proc; 1910 cred = td->td_ucred; 1911 PROC_LOCK(p); 1912 td->td_ucred = crhold(p->p_ucred); 1913 PROC_UNLOCK(p); 1914 if (cred != NULL) 1915 crfree(cred); 1916 } 1917 1918 /* 1919 * Get login name, if available. 1920 */ 1921 #ifndef _SYS_SYSPROTO_H_ 1922 struct getlogin_args { 1923 char *namebuf; 1924 u_int namelen; 1925 }; 1926 #endif 1927 /* ARGSUSED */ 1928 int 1929 getlogin(struct thread *td, struct getlogin_args *uap) 1930 { 1931 int error; 1932 char login[MAXLOGNAME]; 1933 struct proc *p = td->td_proc; 1934 1935 if (uap->namelen > MAXLOGNAME) 1936 uap->namelen = MAXLOGNAME; 1937 PROC_LOCK(p); 1938 SESS_LOCK(p->p_session); 1939 bcopy(p->p_session->s_login, login, uap->namelen); 1940 SESS_UNLOCK(p->p_session); 1941 PROC_UNLOCK(p); 1942 error = copyout(login, uap->namebuf, uap->namelen); 1943 return(error); 1944 } 1945 1946 /* 1947 * Set login name. 1948 */ 1949 #ifndef _SYS_SYSPROTO_H_ 1950 struct setlogin_args { 1951 char *namebuf; 1952 }; 1953 #endif 1954 /* ARGSUSED */ 1955 int 1956 setlogin(struct thread *td, struct setlogin_args *uap) 1957 { 1958 struct proc *p = td->td_proc; 1959 int error; 1960 char logintmp[MAXLOGNAME]; 1961 1962 error = priv_check(td, PRIV_PROC_SETLOGIN); 1963 if (error) 1964 return (error); 1965 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1966 if (error == ENAMETOOLONG) 1967 error = EINVAL; 1968 else if (!error) { 1969 PROC_LOCK(p); 1970 SESS_LOCK(p->p_session); 1971 (void) memcpy(p->p_session->s_login, logintmp, 1972 sizeof(logintmp)); 1973 SESS_UNLOCK(p->p_session); 1974 PROC_UNLOCK(p); 1975 } 1976 return (error); 1977 } 1978 1979 void 1980 setsugid(struct proc *p) 1981 { 1982 1983 PROC_LOCK_ASSERT(p, MA_OWNED); 1984 p->p_flag |= P_SUGID; 1985 if (!(p->p_pfsflags & PF_ISUGID)) 1986 p->p_stops = 0; 1987 } 1988 1989 /*- 1990 * Change a process's effective uid. 1991 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1992 * References: newcred must be an exclusive credential reference for the 1993 * duration of the call. 1994 */ 1995 void 1996 change_euid(struct ucred *newcred, struct uidinfo *euip) 1997 { 1998 1999 newcred->cr_uid = euip->ui_uid; 2000 uihold(euip); 2001 uifree(newcred->cr_uidinfo); 2002 newcred->cr_uidinfo = euip; 2003 } 2004 2005 /*- 2006 * Change a process's effective gid. 2007 * Side effects: newcred->cr_gid will be modified. 2008 * References: newcred must be an exclusive credential reference for the 2009 * duration of the call. 2010 */ 2011 void 2012 change_egid(struct ucred *newcred, gid_t egid) 2013 { 2014 2015 newcred->cr_groups[0] = egid; 2016 } 2017 2018 /*- 2019 * Change a process's real uid. 2020 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2021 * will be updated, and the old and new cr_ruidinfo proc 2022 * counts will be updated. 2023 * References: newcred must be an exclusive credential reference for the 2024 * duration of the call. 2025 */ 2026 void 2027 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2028 { 2029 2030 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2031 newcred->cr_ruid = ruip->ui_uid; 2032 uihold(ruip); 2033 uifree(newcred->cr_ruidinfo); 2034 newcred->cr_ruidinfo = ruip; 2035 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2036 } 2037 2038 /*- 2039 * Change a process's real gid. 2040 * Side effects: newcred->cr_rgid will be updated. 2041 * References: newcred must be an exclusive credential reference for the 2042 * duration of the call. 2043 */ 2044 void 2045 change_rgid(struct ucred *newcred, gid_t rgid) 2046 { 2047 2048 newcred->cr_rgid = rgid; 2049 } 2050 2051 /*- 2052 * Change a process's saved uid. 2053 * Side effects: newcred->cr_svuid will be updated. 2054 * References: newcred must be an exclusive credential reference for the 2055 * duration of the call. 2056 */ 2057 void 2058 change_svuid(struct ucred *newcred, uid_t svuid) 2059 { 2060 2061 newcred->cr_svuid = svuid; 2062 } 2063 2064 /*- 2065 * Change a process's saved gid. 2066 * Side effects: newcred->cr_svgid will be updated. 2067 * References: newcred must be an exclusive credential reference for the 2068 * duration of the call. 2069 */ 2070 void 2071 change_svgid(struct ucred *newcred, gid_t svgid) 2072 { 2073 2074 newcred->cr_svgid = svgid; 2075 } 2076