1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 5 * The Regents of the University of California. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2000-2001 Robert N. M. Watson. 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 */ 41 42 /* 43 * System calls related to processes and protection 44 */ 45 46 #include <sys/cdefs.h> 47 #include "opt_inet.h" 48 #include "opt_inet6.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/acct.h> 53 #include <sys/kdb.h> 54 #include <sys/kernel.h> 55 #include <sys/lock.h> 56 #include <sys/loginclass.h> 57 #include <sys/malloc.h> 58 #include <sys/mutex.h> 59 #include <sys/ptrace.h> 60 #include <sys/refcount.h> 61 #include <sys/sx.h> 62 #include <sys/priv.h> 63 #include <sys/proc.h> 64 #ifdef COMPAT_43 65 #include <sys/sysent.h> 66 #endif 67 #include <sys/sysproto.h> 68 #include <sys/jail.h> 69 #include <sys/racct.h> 70 #include <sys/rctl.h> 71 #include <sys/resourcevar.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/syscallsubr.h> 75 #include <sys/sysctl.h> 76 77 #ifdef REGRESSION 78 FEATURE(regression, 79 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); 80 #endif 81 82 #include <security/audit/audit.h> 83 #include <security/mac/mac_framework.h> 84 85 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 86 87 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 88 "BSD security policy"); 89 90 static void crfree_final(struct ucred *cr); 91 static void crsetgroups_locked(struct ucred *cr, int ngrp, 92 gid_t *groups); 93 94 static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); 95 static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); 96 static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); 97 98 #ifndef _SYS_SYSPROTO_H_ 99 struct getpid_args { 100 int dummy; 101 }; 102 #endif 103 /* ARGSUSED */ 104 int 105 sys_getpid(struct thread *td, struct getpid_args *uap) 106 { 107 struct proc *p = td->td_proc; 108 109 td->td_retval[0] = p->p_pid; 110 #if defined(COMPAT_43) 111 if (SV_PROC_FLAG(p, SV_AOUT)) 112 td->td_retval[1] = kern_getppid(td); 113 #endif 114 return (0); 115 } 116 117 #ifndef _SYS_SYSPROTO_H_ 118 struct getppid_args { 119 int dummy; 120 }; 121 #endif 122 /* ARGSUSED */ 123 int 124 sys_getppid(struct thread *td, struct getppid_args *uap) 125 { 126 127 td->td_retval[0] = kern_getppid(td); 128 return (0); 129 } 130 131 int 132 kern_getppid(struct thread *td) 133 { 134 struct proc *p = td->td_proc; 135 136 return (p->p_oppid); 137 } 138 139 /* 140 * Get process group ID; note that POSIX getpgrp takes no parameter. 141 */ 142 #ifndef _SYS_SYSPROTO_H_ 143 struct getpgrp_args { 144 int dummy; 145 }; 146 #endif 147 int 148 sys_getpgrp(struct thread *td, struct getpgrp_args *uap) 149 { 150 struct proc *p = td->td_proc; 151 152 PROC_LOCK(p); 153 td->td_retval[0] = p->p_pgrp->pg_id; 154 PROC_UNLOCK(p); 155 return (0); 156 } 157 158 /* Get an arbitrary pid's process group id */ 159 #ifndef _SYS_SYSPROTO_H_ 160 struct getpgid_args { 161 pid_t pid; 162 }; 163 #endif 164 int 165 sys_getpgid(struct thread *td, struct getpgid_args *uap) 166 { 167 struct proc *p; 168 int error; 169 170 if (uap->pid == 0) { 171 p = td->td_proc; 172 PROC_LOCK(p); 173 } else { 174 p = pfind(uap->pid); 175 if (p == NULL) 176 return (ESRCH); 177 error = p_cansee(td, p); 178 if (error) { 179 PROC_UNLOCK(p); 180 return (error); 181 } 182 } 183 td->td_retval[0] = p->p_pgrp->pg_id; 184 PROC_UNLOCK(p); 185 return (0); 186 } 187 188 /* 189 * Get an arbitrary pid's session id. 190 */ 191 #ifndef _SYS_SYSPROTO_H_ 192 struct getsid_args { 193 pid_t pid; 194 }; 195 #endif 196 int 197 sys_getsid(struct thread *td, struct getsid_args *uap) 198 { 199 200 return (kern_getsid(td, uap->pid)); 201 } 202 203 int 204 kern_getsid(struct thread *td, pid_t pid) 205 { 206 struct proc *p; 207 int error; 208 209 if (pid == 0) { 210 p = td->td_proc; 211 PROC_LOCK(p); 212 } else { 213 p = pfind(pid); 214 if (p == NULL) 215 return (ESRCH); 216 error = p_cansee(td, p); 217 if (error) { 218 PROC_UNLOCK(p); 219 return (error); 220 } 221 } 222 td->td_retval[0] = p->p_session->s_sid; 223 PROC_UNLOCK(p); 224 return (0); 225 } 226 227 #ifndef _SYS_SYSPROTO_H_ 228 struct getuid_args { 229 int dummy; 230 }; 231 #endif 232 /* ARGSUSED */ 233 int 234 sys_getuid(struct thread *td, struct getuid_args *uap) 235 { 236 237 td->td_retval[0] = td->td_ucred->cr_ruid; 238 #if defined(COMPAT_43) 239 td->td_retval[1] = td->td_ucred->cr_uid; 240 #endif 241 return (0); 242 } 243 244 #ifndef _SYS_SYSPROTO_H_ 245 struct geteuid_args { 246 int dummy; 247 }; 248 #endif 249 /* ARGSUSED */ 250 int 251 sys_geteuid(struct thread *td, struct geteuid_args *uap) 252 { 253 254 td->td_retval[0] = td->td_ucred->cr_uid; 255 return (0); 256 } 257 258 #ifndef _SYS_SYSPROTO_H_ 259 struct getgid_args { 260 int dummy; 261 }; 262 #endif 263 /* ARGSUSED */ 264 int 265 sys_getgid(struct thread *td, struct getgid_args *uap) 266 { 267 268 td->td_retval[0] = td->td_ucred->cr_rgid; 269 #if defined(COMPAT_43) 270 td->td_retval[1] = td->td_ucred->cr_groups[0]; 271 #endif 272 return (0); 273 } 274 275 /* 276 * Get effective group ID. The "egid" is groups[0], and could be obtained 277 * via getgroups. This syscall exists because it is somewhat painful to do 278 * correctly in a library function. 279 */ 280 #ifndef _SYS_SYSPROTO_H_ 281 struct getegid_args { 282 int dummy; 283 }; 284 #endif 285 /* ARGSUSED */ 286 int 287 sys_getegid(struct thread *td, struct getegid_args *uap) 288 { 289 290 td->td_retval[0] = td->td_ucred->cr_groups[0]; 291 return (0); 292 } 293 294 #ifndef _SYS_SYSPROTO_H_ 295 struct getgroups_args { 296 int gidsetsize; 297 gid_t *gidset; 298 }; 299 #endif 300 int 301 sys_getgroups(struct thread *td, struct getgroups_args *uap) 302 { 303 struct ucred *cred; 304 int ngrp, error; 305 306 cred = td->td_ucred; 307 ngrp = cred->cr_ngroups; 308 309 if (uap->gidsetsize == 0) { 310 error = 0; 311 goto out; 312 } 313 if (uap->gidsetsize < ngrp) 314 return (EINVAL); 315 316 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 317 out: 318 td->td_retval[0] = ngrp; 319 return (error); 320 } 321 322 #ifndef _SYS_SYSPROTO_H_ 323 struct setsid_args { 324 int dummy; 325 }; 326 #endif 327 /* ARGSUSED */ 328 int 329 sys_setsid(struct thread *td, struct setsid_args *uap) 330 { 331 struct pgrp *pgrp; 332 int error; 333 struct proc *p = td->td_proc; 334 struct pgrp *newpgrp; 335 struct session *newsess; 336 337 pgrp = NULL; 338 339 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 340 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 341 342 again: 343 error = 0; 344 sx_xlock(&proctree_lock); 345 346 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 347 if (pgrp != NULL) 348 PGRP_UNLOCK(pgrp); 349 error = EPERM; 350 } else { 351 error = enterpgrp(p, p->p_pid, newpgrp, newsess); 352 if (error == ERESTART) 353 goto again; 354 MPASS(error == 0); 355 td->td_retval[0] = p->p_pid; 356 newpgrp = NULL; 357 newsess = NULL; 358 } 359 360 sx_xunlock(&proctree_lock); 361 362 uma_zfree(pgrp_zone, newpgrp); 363 free(newsess, M_SESSION); 364 365 return (error); 366 } 367 368 /* 369 * set process group (setpgid/old setpgrp) 370 * 371 * caller does setpgid(targpid, targpgid) 372 * 373 * pid must be caller or child of caller (ESRCH) 374 * if a child 375 * pid must be in same session (EPERM) 376 * pid can't have done an exec (EACCES) 377 * if pgid != pid 378 * there must exist some pid in same session having pgid (EPERM) 379 * pid must not be session leader (EPERM) 380 */ 381 #ifndef _SYS_SYSPROTO_H_ 382 struct setpgid_args { 383 int pid; /* target process id */ 384 int pgid; /* target pgrp id */ 385 }; 386 #endif 387 /* ARGSUSED */ 388 int 389 sys_setpgid(struct thread *td, struct setpgid_args *uap) 390 { 391 struct proc *curp = td->td_proc; 392 struct proc *targp; /* target process */ 393 struct pgrp *pgrp; /* target pgrp */ 394 int error; 395 struct pgrp *newpgrp; 396 397 if (uap->pgid < 0) 398 return (EINVAL); 399 400 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); 401 402 again: 403 error = 0; 404 405 sx_xlock(&proctree_lock); 406 if (uap->pid != 0 && uap->pid != curp->p_pid) { 407 if ((targp = pfind(uap->pid)) == NULL) { 408 error = ESRCH; 409 goto done; 410 } 411 if (!inferior(targp)) { 412 PROC_UNLOCK(targp); 413 error = ESRCH; 414 goto done; 415 } 416 if ((error = p_cansee(td, targp))) { 417 PROC_UNLOCK(targp); 418 goto done; 419 } 420 if (targp->p_pgrp == NULL || 421 targp->p_session != curp->p_session) { 422 PROC_UNLOCK(targp); 423 error = EPERM; 424 goto done; 425 } 426 if (targp->p_flag & P_EXEC) { 427 PROC_UNLOCK(targp); 428 error = EACCES; 429 goto done; 430 } 431 PROC_UNLOCK(targp); 432 } else 433 targp = curp; 434 if (SESS_LEADER(targp)) { 435 error = EPERM; 436 goto done; 437 } 438 if (uap->pgid == 0) 439 uap->pgid = targp->p_pid; 440 if ((pgrp = pgfind(uap->pgid)) == NULL) { 441 if (uap->pgid == targp->p_pid) { 442 error = enterpgrp(targp, uap->pgid, newpgrp, 443 NULL); 444 if (error == 0) 445 newpgrp = NULL; 446 } else 447 error = EPERM; 448 } else { 449 if (pgrp == targp->p_pgrp) { 450 PGRP_UNLOCK(pgrp); 451 goto done; 452 } 453 if (pgrp->pg_id != targp->p_pid && 454 pgrp->pg_session != curp->p_session) { 455 PGRP_UNLOCK(pgrp); 456 error = EPERM; 457 goto done; 458 } 459 PGRP_UNLOCK(pgrp); 460 error = enterthispgrp(targp, pgrp); 461 } 462 done: 463 KASSERT(error == 0 || newpgrp != NULL, 464 ("setpgid failed and newpgrp is NULL")); 465 if (error == ERESTART) 466 goto again; 467 sx_xunlock(&proctree_lock); 468 uma_zfree(pgrp_zone, newpgrp); 469 return (error); 470 } 471 472 /* 473 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 474 * compatible. It says that setting the uid/gid to euid/egid is a special 475 * case of "appropriate privilege". Once the rules are expanded out, this 476 * basically means that setuid(nnn) sets all three id's, in all permitted 477 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 478 * does not set the saved id - this is dangerous for traditional BSD 479 * programs. For this reason, we *really* do not want to set 480 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 481 */ 482 #define POSIX_APPENDIX_B_4_2_2 483 484 #ifndef _SYS_SYSPROTO_H_ 485 struct setuid_args { 486 uid_t uid; 487 }; 488 #endif 489 /* ARGSUSED */ 490 int 491 sys_setuid(struct thread *td, struct setuid_args *uap) 492 { 493 struct proc *p = td->td_proc; 494 struct ucred *newcred, *oldcred; 495 uid_t uid; 496 struct uidinfo *uip; 497 int error; 498 499 uid = uap->uid; 500 AUDIT_ARG_UID(uid); 501 newcred = crget(); 502 uip = uifind(uid); 503 PROC_LOCK(p); 504 /* 505 * Copy credentials so other references do not see our changes. 506 */ 507 oldcred = crcopysafe(p, newcred); 508 509 #ifdef MAC 510 error = mac_cred_check_setuid(oldcred, uid); 511 if (error) 512 goto fail; 513 #endif 514 515 /* 516 * See if we have "permission" by POSIX 1003.1 rules. 517 * 518 * Note that setuid(geteuid()) is a special case of 519 * "appropriate privileges" in appendix B.4.2.2. We need 520 * to use this clause to be compatible with traditional BSD 521 * semantics. Basically, it means that "setuid(xx)" sets all 522 * three id's (assuming you have privs). 523 * 524 * Notes on the logic. We do things in three steps. 525 * 1: We determine if the euid is going to change, and do EPERM 526 * right away. We unconditionally change the euid later if this 527 * test is satisfied, simplifying that part of the logic. 528 * 2: We determine if the real and/or saved uids are going to 529 * change. Determined by compile options. 530 * 3: Change euid last. (after tests in #2 for "appropriate privs") 531 */ 532 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 533 #ifdef _POSIX_SAVED_IDS 534 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 535 #endif 536 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 537 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 538 #endif 539 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) 540 goto fail; 541 542 #ifdef _POSIX_SAVED_IDS 543 /* 544 * Do we have "appropriate privileges" (are we root or uid == euid) 545 * If so, we are changing the real uid and/or saved uid. 546 */ 547 if ( 548 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 549 uid == oldcred->cr_uid || 550 #endif 551 /* We are using privs. */ 552 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) 553 #endif 554 { 555 /* 556 * Set the real uid and transfer proc count to new user. 557 */ 558 if (uid != oldcred->cr_ruid) { 559 change_ruid(newcred, uip); 560 setsugid(p); 561 } 562 /* 563 * Set saved uid 564 * 565 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 566 * the security of seteuid() depends on it. B.4.2.2 says it 567 * is important that we should do this. 568 */ 569 if (uid != oldcred->cr_svuid) { 570 change_svuid(newcred, uid); 571 setsugid(p); 572 } 573 } 574 575 /* 576 * In all permitted cases, we are changing the euid. 577 */ 578 if (uid != oldcred->cr_uid) { 579 change_euid(newcred, uip); 580 setsugid(p); 581 } 582 proc_set_cred(p, newcred); 583 #ifdef RACCT 584 racct_proc_ucred_changed(p, oldcred, newcred); 585 crhold(newcred); 586 #endif 587 PROC_UNLOCK(p); 588 #ifdef RCTL 589 rctl_proc_ucred_changed(p, newcred); 590 crfree(newcred); 591 #endif 592 uifree(uip); 593 crfree(oldcred); 594 return (0); 595 596 fail: 597 PROC_UNLOCK(p); 598 uifree(uip); 599 crfree(newcred); 600 return (error); 601 } 602 603 #ifndef _SYS_SYSPROTO_H_ 604 struct seteuid_args { 605 uid_t euid; 606 }; 607 #endif 608 /* ARGSUSED */ 609 int 610 sys_seteuid(struct thread *td, struct seteuid_args *uap) 611 { 612 struct proc *p = td->td_proc; 613 struct ucred *newcred, *oldcred; 614 uid_t euid; 615 struct uidinfo *euip; 616 int error; 617 618 euid = uap->euid; 619 AUDIT_ARG_EUID(euid); 620 newcred = crget(); 621 euip = uifind(euid); 622 PROC_LOCK(p); 623 /* 624 * Copy credentials so other references do not see our changes. 625 */ 626 oldcred = crcopysafe(p, newcred); 627 628 #ifdef MAC 629 error = mac_cred_check_seteuid(oldcred, euid); 630 if (error) 631 goto fail; 632 #endif 633 634 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 635 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 636 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) 637 goto fail; 638 639 /* 640 * Everything's okay, do it. 641 */ 642 if (oldcred->cr_uid != euid) { 643 change_euid(newcred, euip); 644 setsugid(p); 645 } 646 proc_set_cred(p, newcred); 647 PROC_UNLOCK(p); 648 uifree(euip); 649 crfree(oldcred); 650 return (0); 651 652 fail: 653 PROC_UNLOCK(p); 654 uifree(euip); 655 crfree(newcred); 656 return (error); 657 } 658 659 #ifndef _SYS_SYSPROTO_H_ 660 struct setgid_args { 661 gid_t gid; 662 }; 663 #endif 664 /* ARGSUSED */ 665 int 666 sys_setgid(struct thread *td, struct setgid_args *uap) 667 { 668 struct proc *p = td->td_proc; 669 struct ucred *newcred, *oldcred; 670 gid_t gid; 671 int error; 672 673 gid = uap->gid; 674 AUDIT_ARG_GID(gid); 675 newcred = crget(); 676 PROC_LOCK(p); 677 oldcred = crcopysafe(p, newcred); 678 679 #ifdef MAC 680 error = mac_cred_check_setgid(oldcred, gid); 681 if (error) 682 goto fail; 683 #endif 684 685 /* 686 * See if we have "permission" by POSIX 1003.1 rules. 687 * 688 * Note that setgid(getegid()) is a special case of 689 * "appropriate privileges" in appendix B.4.2.2. We need 690 * to use this clause to be compatible with traditional BSD 691 * semantics. Basically, it means that "setgid(xx)" sets all 692 * three id's (assuming you have privs). 693 * 694 * For notes on the logic here, see setuid() above. 695 */ 696 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 697 #ifdef _POSIX_SAVED_IDS 698 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 699 #endif 700 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 701 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 702 #endif 703 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) 704 goto fail; 705 706 #ifdef _POSIX_SAVED_IDS 707 /* 708 * Do we have "appropriate privileges" (are we root or gid == egid) 709 * If so, we are changing the real uid and saved gid. 710 */ 711 if ( 712 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 713 gid == oldcred->cr_groups[0] || 714 #endif 715 /* We are using privs. */ 716 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) 717 #endif 718 { 719 /* 720 * Set real gid 721 */ 722 if (oldcred->cr_rgid != gid) { 723 change_rgid(newcred, gid); 724 setsugid(p); 725 } 726 /* 727 * Set saved gid 728 * 729 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 730 * the security of setegid() depends on it. B.4.2.2 says it 731 * is important that we should do this. 732 */ 733 if (oldcred->cr_svgid != gid) { 734 change_svgid(newcred, gid); 735 setsugid(p); 736 } 737 } 738 /* 739 * In all cases permitted cases, we are changing the egid. 740 * Copy credentials so other references do not see our changes. 741 */ 742 if (oldcred->cr_groups[0] != gid) { 743 change_egid(newcred, gid); 744 setsugid(p); 745 } 746 proc_set_cred(p, newcred); 747 PROC_UNLOCK(p); 748 crfree(oldcred); 749 return (0); 750 751 fail: 752 PROC_UNLOCK(p); 753 crfree(newcred); 754 return (error); 755 } 756 757 #ifndef _SYS_SYSPROTO_H_ 758 struct setegid_args { 759 gid_t egid; 760 }; 761 #endif 762 /* ARGSUSED */ 763 int 764 sys_setegid(struct thread *td, struct setegid_args *uap) 765 { 766 struct proc *p = td->td_proc; 767 struct ucred *newcred, *oldcred; 768 gid_t egid; 769 int error; 770 771 egid = uap->egid; 772 AUDIT_ARG_EGID(egid); 773 newcred = crget(); 774 PROC_LOCK(p); 775 oldcred = crcopysafe(p, newcred); 776 777 #ifdef MAC 778 error = mac_cred_check_setegid(oldcred, egid); 779 if (error) 780 goto fail; 781 #endif 782 783 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 784 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 785 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) 786 goto fail; 787 788 if (oldcred->cr_groups[0] != egid) { 789 change_egid(newcred, egid); 790 setsugid(p); 791 } 792 proc_set_cred(p, newcred); 793 PROC_UNLOCK(p); 794 crfree(oldcred); 795 return (0); 796 797 fail: 798 PROC_UNLOCK(p); 799 crfree(newcred); 800 return (error); 801 } 802 803 #ifndef _SYS_SYSPROTO_H_ 804 struct setgroups_args { 805 int gidsetsize; 806 gid_t *gidset; 807 }; 808 #endif 809 /* ARGSUSED */ 810 int 811 sys_setgroups(struct thread *td, struct setgroups_args *uap) 812 { 813 gid_t smallgroups[XU_NGROUPS]; 814 gid_t *groups; 815 int gidsetsize, error; 816 817 gidsetsize = uap->gidsetsize; 818 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) 819 return (EINVAL); 820 821 if (gidsetsize > XU_NGROUPS) 822 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 823 else 824 groups = smallgroups; 825 826 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); 827 if (error == 0) 828 error = kern_setgroups(td, gidsetsize, groups); 829 830 if (gidsetsize > XU_NGROUPS) 831 free(groups, M_TEMP); 832 return (error); 833 } 834 835 int 836 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 837 { 838 struct proc *p = td->td_proc; 839 struct ucred *newcred, *oldcred; 840 int error; 841 842 MPASS(ngrp <= ngroups_max + 1); 843 AUDIT_ARG_GROUPSET(groups, ngrp); 844 newcred = crget(); 845 crextend(newcred, ngrp); 846 PROC_LOCK(p); 847 oldcred = crcopysafe(p, newcred); 848 849 #ifdef MAC 850 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 851 if (error) 852 goto fail; 853 #endif 854 855 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); 856 if (error) 857 goto fail; 858 859 if (ngrp == 0) { 860 /* 861 * setgroups(0, NULL) is a legitimate way of clearing the 862 * groups vector on non-BSD systems (which generally do not 863 * have the egid in the groups[0]). We risk security holes 864 * when running non-BSD software if we do not do the same. 865 */ 866 newcred->cr_ngroups = 1; 867 } else { 868 crsetgroups_locked(newcred, ngrp, groups); 869 } 870 setsugid(p); 871 proc_set_cred(p, newcred); 872 PROC_UNLOCK(p); 873 crfree(oldcred); 874 return (0); 875 876 fail: 877 PROC_UNLOCK(p); 878 crfree(newcred); 879 return (error); 880 } 881 882 #ifndef _SYS_SYSPROTO_H_ 883 struct setreuid_args { 884 uid_t ruid; 885 uid_t euid; 886 }; 887 #endif 888 /* ARGSUSED */ 889 int 890 sys_setreuid(struct thread *td, struct setreuid_args *uap) 891 { 892 struct proc *p = td->td_proc; 893 struct ucred *newcred, *oldcred; 894 uid_t euid, ruid; 895 struct uidinfo *euip, *ruip; 896 int error; 897 898 euid = uap->euid; 899 ruid = uap->ruid; 900 AUDIT_ARG_EUID(euid); 901 AUDIT_ARG_RUID(ruid); 902 newcred = crget(); 903 euip = uifind(euid); 904 ruip = uifind(ruid); 905 PROC_LOCK(p); 906 oldcred = crcopysafe(p, newcred); 907 908 #ifdef MAC 909 error = mac_cred_check_setreuid(oldcred, ruid, euid); 910 if (error) 911 goto fail; 912 #endif 913 914 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 915 ruid != oldcred->cr_svuid) || 916 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 917 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 918 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) 919 goto fail; 920 921 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 922 change_euid(newcred, euip); 923 setsugid(p); 924 } 925 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 926 change_ruid(newcred, ruip); 927 setsugid(p); 928 } 929 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 930 newcred->cr_svuid != newcred->cr_uid) { 931 change_svuid(newcred, newcred->cr_uid); 932 setsugid(p); 933 } 934 proc_set_cred(p, newcred); 935 #ifdef RACCT 936 racct_proc_ucred_changed(p, oldcred, newcred); 937 crhold(newcred); 938 #endif 939 PROC_UNLOCK(p); 940 #ifdef RCTL 941 rctl_proc_ucred_changed(p, newcred); 942 crfree(newcred); 943 #endif 944 uifree(ruip); 945 uifree(euip); 946 crfree(oldcred); 947 return (0); 948 949 fail: 950 PROC_UNLOCK(p); 951 uifree(ruip); 952 uifree(euip); 953 crfree(newcred); 954 return (error); 955 } 956 957 #ifndef _SYS_SYSPROTO_H_ 958 struct setregid_args { 959 gid_t rgid; 960 gid_t egid; 961 }; 962 #endif 963 /* ARGSUSED */ 964 int 965 sys_setregid(struct thread *td, struct setregid_args *uap) 966 { 967 struct proc *p = td->td_proc; 968 struct ucred *newcred, *oldcred; 969 gid_t egid, rgid; 970 int error; 971 972 egid = uap->egid; 973 rgid = uap->rgid; 974 AUDIT_ARG_EGID(egid); 975 AUDIT_ARG_RGID(rgid); 976 newcred = crget(); 977 PROC_LOCK(p); 978 oldcred = crcopysafe(p, newcred); 979 980 #ifdef MAC 981 error = mac_cred_check_setregid(oldcred, rgid, egid); 982 if (error) 983 goto fail; 984 #endif 985 986 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 987 rgid != oldcred->cr_svgid) || 988 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 989 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 990 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) 991 goto fail; 992 993 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 994 change_egid(newcred, egid); 995 setsugid(p); 996 } 997 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 998 change_rgid(newcred, rgid); 999 setsugid(p); 1000 } 1001 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1002 newcred->cr_svgid != newcred->cr_groups[0]) { 1003 change_svgid(newcred, newcred->cr_groups[0]); 1004 setsugid(p); 1005 } 1006 proc_set_cred(p, newcred); 1007 PROC_UNLOCK(p); 1008 crfree(oldcred); 1009 return (0); 1010 1011 fail: 1012 PROC_UNLOCK(p); 1013 crfree(newcred); 1014 return (error); 1015 } 1016 1017 /* 1018 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 1019 * uid is explicit. 1020 */ 1021 #ifndef _SYS_SYSPROTO_H_ 1022 struct setresuid_args { 1023 uid_t ruid; 1024 uid_t euid; 1025 uid_t suid; 1026 }; 1027 #endif 1028 /* ARGSUSED */ 1029 int 1030 sys_setresuid(struct thread *td, struct setresuid_args *uap) 1031 { 1032 struct proc *p = td->td_proc; 1033 struct ucred *newcred, *oldcred; 1034 uid_t euid, ruid, suid; 1035 struct uidinfo *euip, *ruip; 1036 int error; 1037 1038 euid = uap->euid; 1039 ruid = uap->ruid; 1040 suid = uap->suid; 1041 AUDIT_ARG_EUID(euid); 1042 AUDIT_ARG_RUID(ruid); 1043 AUDIT_ARG_SUID(suid); 1044 newcred = crget(); 1045 euip = uifind(euid); 1046 ruip = uifind(ruid); 1047 PROC_LOCK(p); 1048 oldcred = crcopysafe(p, newcred); 1049 1050 #ifdef MAC 1051 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1052 if (error) 1053 goto fail; 1054 #endif 1055 1056 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1057 ruid != oldcred->cr_svuid && 1058 ruid != oldcred->cr_uid) || 1059 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1060 euid != oldcred->cr_svuid && 1061 euid != oldcred->cr_uid) || 1062 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1063 suid != oldcred->cr_svuid && 1064 suid != oldcred->cr_uid)) && 1065 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) 1066 goto fail; 1067 1068 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1069 change_euid(newcred, euip); 1070 setsugid(p); 1071 } 1072 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1073 change_ruid(newcred, ruip); 1074 setsugid(p); 1075 } 1076 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1077 change_svuid(newcred, suid); 1078 setsugid(p); 1079 } 1080 proc_set_cred(p, newcred); 1081 #ifdef RACCT 1082 racct_proc_ucred_changed(p, oldcred, newcred); 1083 crhold(newcred); 1084 #endif 1085 PROC_UNLOCK(p); 1086 #ifdef RCTL 1087 rctl_proc_ucred_changed(p, newcred); 1088 crfree(newcred); 1089 #endif 1090 uifree(ruip); 1091 uifree(euip); 1092 crfree(oldcred); 1093 return (0); 1094 1095 fail: 1096 PROC_UNLOCK(p); 1097 uifree(ruip); 1098 uifree(euip); 1099 crfree(newcred); 1100 return (error); 1101 1102 } 1103 1104 /* 1105 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1106 * gid is explicit. 1107 */ 1108 #ifndef _SYS_SYSPROTO_H_ 1109 struct setresgid_args { 1110 gid_t rgid; 1111 gid_t egid; 1112 gid_t sgid; 1113 }; 1114 #endif 1115 /* ARGSUSED */ 1116 int 1117 sys_setresgid(struct thread *td, struct setresgid_args *uap) 1118 { 1119 struct proc *p = td->td_proc; 1120 struct ucred *newcred, *oldcred; 1121 gid_t egid, rgid, sgid; 1122 int error; 1123 1124 egid = uap->egid; 1125 rgid = uap->rgid; 1126 sgid = uap->sgid; 1127 AUDIT_ARG_EGID(egid); 1128 AUDIT_ARG_RGID(rgid); 1129 AUDIT_ARG_SGID(sgid); 1130 newcred = crget(); 1131 PROC_LOCK(p); 1132 oldcred = crcopysafe(p, newcred); 1133 1134 #ifdef MAC 1135 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1136 if (error) 1137 goto fail; 1138 #endif 1139 1140 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1141 rgid != oldcred->cr_svgid && 1142 rgid != oldcred->cr_groups[0]) || 1143 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1144 egid != oldcred->cr_svgid && 1145 egid != oldcred->cr_groups[0]) || 1146 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1147 sgid != oldcred->cr_svgid && 1148 sgid != oldcred->cr_groups[0])) && 1149 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) 1150 goto fail; 1151 1152 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1153 change_egid(newcred, egid); 1154 setsugid(p); 1155 } 1156 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1157 change_rgid(newcred, rgid); 1158 setsugid(p); 1159 } 1160 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1161 change_svgid(newcred, sgid); 1162 setsugid(p); 1163 } 1164 proc_set_cred(p, newcred); 1165 PROC_UNLOCK(p); 1166 crfree(oldcred); 1167 return (0); 1168 1169 fail: 1170 PROC_UNLOCK(p); 1171 crfree(newcred); 1172 return (error); 1173 } 1174 1175 #ifndef _SYS_SYSPROTO_H_ 1176 struct getresuid_args { 1177 uid_t *ruid; 1178 uid_t *euid; 1179 uid_t *suid; 1180 }; 1181 #endif 1182 /* ARGSUSED */ 1183 int 1184 sys_getresuid(struct thread *td, struct getresuid_args *uap) 1185 { 1186 struct ucred *cred; 1187 int error1 = 0, error2 = 0, error3 = 0; 1188 1189 cred = td->td_ucred; 1190 if (uap->ruid) 1191 error1 = copyout(&cred->cr_ruid, 1192 uap->ruid, sizeof(cred->cr_ruid)); 1193 if (uap->euid) 1194 error2 = copyout(&cred->cr_uid, 1195 uap->euid, sizeof(cred->cr_uid)); 1196 if (uap->suid) 1197 error3 = copyout(&cred->cr_svuid, 1198 uap->suid, sizeof(cred->cr_svuid)); 1199 return (error1 ? error1 : error2 ? error2 : error3); 1200 } 1201 1202 #ifndef _SYS_SYSPROTO_H_ 1203 struct getresgid_args { 1204 gid_t *rgid; 1205 gid_t *egid; 1206 gid_t *sgid; 1207 }; 1208 #endif 1209 /* ARGSUSED */ 1210 int 1211 sys_getresgid(struct thread *td, struct getresgid_args *uap) 1212 { 1213 struct ucred *cred; 1214 int error1 = 0, error2 = 0, error3 = 0; 1215 1216 cred = td->td_ucred; 1217 if (uap->rgid) 1218 error1 = copyout(&cred->cr_rgid, 1219 uap->rgid, sizeof(cred->cr_rgid)); 1220 if (uap->egid) 1221 error2 = copyout(&cred->cr_groups[0], 1222 uap->egid, sizeof(cred->cr_groups[0])); 1223 if (uap->sgid) 1224 error3 = copyout(&cred->cr_svgid, 1225 uap->sgid, sizeof(cred->cr_svgid)); 1226 return (error1 ? error1 : error2 ? error2 : error3); 1227 } 1228 1229 #ifndef _SYS_SYSPROTO_H_ 1230 struct issetugid_args { 1231 int dummy; 1232 }; 1233 #endif 1234 /* ARGSUSED */ 1235 int 1236 sys_issetugid(struct thread *td, struct issetugid_args *uap) 1237 { 1238 struct proc *p = td->td_proc; 1239 1240 /* 1241 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1242 * we use P_SUGID because we consider changing the owners as 1243 * "tainting" as well. 1244 * This is significant for procs that start as root and "become" 1245 * a user without an exec - programs cannot know *everything* 1246 * that libc *might* have put in their data segment. 1247 */ 1248 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1249 return (0); 1250 } 1251 1252 int 1253 sys___setugid(struct thread *td, struct __setugid_args *uap) 1254 { 1255 #ifdef REGRESSION 1256 struct proc *p; 1257 1258 p = td->td_proc; 1259 switch (uap->flag) { 1260 case 0: 1261 PROC_LOCK(p); 1262 p->p_flag &= ~P_SUGID; 1263 PROC_UNLOCK(p); 1264 return (0); 1265 case 1: 1266 PROC_LOCK(p); 1267 p->p_flag |= P_SUGID; 1268 PROC_UNLOCK(p); 1269 return (0); 1270 default: 1271 return (EINVAL); 1272 } 1273 #else /* !REGRESSION */ 1274 1275 return (ENOSYS); 1276 #endif /* REGRESSION */ 1277 } 1278 1279 /* 1280 * Returns whether gid designates a supplementary group in cred. 1281 */ 1282 static bool 1283 supplementary_group_member(gid_t gid, struct ucred *cred) 1284 { 1285 int l, h, m; 1286 1287 /* 1288 * Perform a binary search of the supplemental groups. This is possible 1289 * because we sort the groups in crsetgroups(). 1290 */ 1291 l = 1; 1292 h = cred->cr_ngroups; 1293 1294 while (l < h) { 1295 m = l + (h - l) / 2; 1296 if (cred->cr_groups[m] < gid) 1297 l = m + 1; 1298 else 1299 h = m; 1300 } 1301 1302 return (l < cred->cr_ngroups && cred->cr_groups[l] == gid); 1303 } 1304 1305 /* 1306 * Check if gid is a member of the (effective) group set (i.e., effective and 1307 * supplementary groups). 1308 */ 1309 bool 1310 groupmember(gid_t gid, struct ucred *cred) 1311 { 1312 1313 if (gid == cred->cr_groups[0]) 1314 return (true); 1315 1316 return (supplementary_group_member(gid, cred)); 1317 } 1318 1319 /* 1320 * Check if gid is a member of the real group set (i.e., real and supplementary 1321 * groups). 1322 */ 1323 bool 1324 realgroupmember(gid_t gid, struct ucred *cred) 1325 { 1326 if (gid == cred->cr_rgid) 1327 return (true); 1328 1329 return (supplementary_group_member(gid, cred)); 1330 } 1331 1332 /* 1333 * Test the active securelevel against a given level. securelevel_gt() 1334 * implements (securelevel > level). securelevel_ge() implements 1335 * (securelevel >= level). Note that the logic is inverted -- these 1336 * functions return EPERM on "success" and 0 on "failure". 1337 * 1338 * Due to care taken when setting the securelevel, we know that no jail will 1339 * be less secure that its parent (or the physical system), so it is sufficient 1340 * to test the current jail only. 1341 * 1342 * XXXRW: Possibly since this has to do with privilege, it should move to 1343 * kern_priv.c. 1344 */ 1345 int 1346 securelevel_gt(struct ucred *cr, int level) 1347 { 1348 1349 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1350 } 1351 1352 int 1353 securelevel_ge(struct ucred *cr, int level) 1354 { 1355 1356 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1357 } 1358 1359 /* 1360 * 'see_other_uids' determines whether or not visibility of processes 1361 * and sockets with credentials holding different real uids is possible 1362 * using a variety of system MIBs. 1363 * XXX: data declarations should be together near the beginning of the file. 1364 */ 1365 static int see_other_uids = 1; 1366 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1367 &see_other_uids, 0, 1368 "Unprivileged processes may see subjects/objects with different real uid"); 1369 1370 /*- 1371 * Determine if u1 "can see" the subject specified by u2, according to the 1372 * 'see_other_uids' policy. 1373 * Returns: 0 for permitted, ESRCH otherwise 1374 * Locks: none 1375 * References: *u1 and *u2 must not change during the call 1376 * u1 may equal u2, in which case only one reference is required 1377 */ 1378 static int 1379 cr_canseeotheruids(struct ucred *u1, struct ucred *u2) 1380 { 1381 1382 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1383 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) 1384 return (ESRCH); 1385 } 1386 return (0); 1387 } 1388 1389 /* 1390 * 'see_other_gids' determines whether or not visibility of processes 1391 * and sockets with credentials holding different real gids is possible 1392 * using a variety of system MIBs. 1393 * XXX: data declarations should be together near the beginning of the file. 1394 */ 1395 static int see_other_gids = 1; 1396 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1397 &see_other_gids, 0, 1398 "Unprivileged processes may see subjects/objects with different real gid"); 1399 1400 /* 1401 * Determine if u1 can "see" the subject specified by u2, according to the 1402 * 'see_other_gids' policy. 1403 * Returns: 0 for permitted, ESRCH otherwise 1404 * Locks: none 1405 * References: *u1 and *u2 must not change during the call 1406 * u1 may equal u2, in which case only one reference is required 1407 */ 1408 static int 1409 cr_canseeothergids(struct ucred *u1, struct ucred *u2) 1410 { 1411 if (!see_other_gids) { 1412 if (realgroupmember(u1->cr_rgid, u2)) 1413 return (0); 1414 1415 for (int i = 1; i < u1->cr_ngroups; i++) 1416 if (realgroupmember(u1->cr_groups[i], u2)) 1417 return (0); 1418 1419 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) 1420 return (ESRCH); 1421 } 1422 1423 return (0); 1424 } 1425 1426 /* 1427 * 'see_jail_proc' determines whether or not visibility of processes and 1428 * sockets with credentials holding different jail ids is possible using a 1429 * variety of system MIBs. 1430 * 1431 * XXX: data declarations should be together near the beginning of the file. 1432 */ 1433 1434 static int see_jail_proc = 1; 1435 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, 1436 &see_jail_proc, 0, 1437 "Unprivileged processes may see subjects/objects with different jail ids"); 1438 1439 /*- 1440 * Determine if u1 "can see" the subject specified by u2, according to the 1441 * 'see_jail_proc' policy. 1442 * Returns: 0 for permitted, ESRCH otherwise 1443 * Locks: none 1444 * References: *u1 and *u2 must not change during the call 1445 * u1 may equal u2, in which case only one reference is required 1446 */ 1447 static int 1448 cr_canseejailproc(struct ucred *u1, struct ucred *u2) 1449 { 1450 if (see_jail_proc || /* Policy deactivated. */ 1451 u1->cr_prison == u2->cr_prison || /* Same jail. */ 1452 priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ 1453 return (0); 1454 1455 return (ESRCH); 1456 } 1457 1458 /* 1459 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* 1460 * policies. Determines if u1 "can see" u2 according to these policies. 1461 * Returns: 0 for permitted, ESRCH otherwise 1462 */ 1463 int 1464 cr_bsd_visible(struct ucred *u1, struct ucred *u2) 1465 { 1466 int error; 1467 1468 if ((error = cr_canseeotheruids(u1, u2))) 1469 return (error); 1470 if ((error = cr_canseeothergids(u1, u2))) 1471 return (error); 1472 if ((error = cr_canseejailproc(u1, u2))) 1473 return (error); 1474 return (0); 1475 } 1476 1477 /*- 1478 * Determine if u1 "can see" the subject specified by u2. 1479 * Returns: 0 for permitted, an errno value otherwise 1480 * Locks: none 1481 * References: *u1 and *u2 must not change during the call 1482 * u1 may equal u2, in which case only one reference is required 1483 */ 1484 int 1485 cr_cansee(struct ucred *u1, struct ucred *u2) 1486 { 1487 int error; 1488 1489 if ((error = prison_check(u1, u2))) 1490 return (error); 1491 #ifdef MAC 1492 if ((error = mac_cred_check_visible(u1, u2))) 1493 return (error); 1494 #endif 1495 if ((error = cr_bsd_visible(u1, u2))) 1496 return (error); 1497 return (0); 1498 } 1499 1500 /*- 1501 * Determine if td "can see" the subject specified by p. 1502 * Returns: 0 for permitted, an errno value otherwise 1503 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1504 * should be curthread. 1505 * References: td and p must be valid for the lifetime of the call 1506 */ 1507 int 1508 p_cansee(struct thread *td, struct proc *p) 1509 { 1510 /* Wrap cr_cansee() for all functionality. */ 1511 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1512 PROC_LOCK_ASSERT(p, MA_OWNED); 1513 1514 if (td->td_proc == p) 1515 return (0); 1516 return (cr_cansee(td->td_ucred, p->p_ucred)); 1517 } 1518 1519 /* 1520 * 'conservative_signals' prevents the delivery of a broad class of 1521 * signals by unprivileged processes to processes that have changed their 1522 * credentials since the last invocation of execve(). This can prevent 1523 * the leakage of cached information or retained privileges as a result 1524 * of a common class of signal-related vulnerabilities. However, this 1525 * may interfere with some applications that expect to be able to 1526 * deliver these signals to peer processes after having given up 1527 * privilege. 1528 */ 1529 static int conservative_signals = 1; 1530 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1531 &conservative_signals, 0, "Unprivileged processes prevented from " 1532 "sending certain signals to processes whose credentials have changed"); 1533 /*- 1534 * Determine whether cred may deliver the specified signal to proc. 1535 * Returns: 0 for permitted, an errno value otherwise. 1536 * Locks: A lock must be held for proc. 1537 * References: cred and proc must be valid for the lifetime of the call. 1538 */ 1539 int 1540 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1541 { 1542 int error; 1543 1544 PROC_LOCK_ASSERT(proc, MA_OWNED); 1545 /* 1546 * Jail semantics limit the scope of signalling to proc in the 1547 * same jail as cred, if cred is in jail. 1548 */ 1549 error = prison_check(cred, proc->p_ucred); 1550 if (error) 1551 return (error); 1552 #ifdef MAC 1553 if ((error = mac_proc_check_signal(cred, proc, signum))) 1554 return (error); 1555 #endif 1556 if ((error = cr_bsd_visible(cred, proc->p_ucred))) 1557 return (error); 1558 1559 /* 1560 * UNIX signal semantics depend on the status of the P_SUGID 1561 * bit on the target process. If the bit is set, then additional 1562 * restrictions are placed on the set of available signals. 1563 */ 1564 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1565 switch (signum) { 1566 case 0: 1567 case SIGKILL: 1568 case SIGINT: 1569 case SIGTERM: 1570 case SIGALRM: 1571 case SIGSTOP: 1572 case SIGTTIN: 1573 case SIGTTOU: 1574 case SIGTSTP: 1575 case SIGHUP: 1576 case SIGUSR1: 1577 case SIGUSR2: 1578 /* 1579 * Generally, permit job and terminal control 1580 * signals. 1581 */ 1582 break; 1583 default: 1584 /* Not permitted without privilege. */ 1585 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); 1586 if (error) 1587 return (error); 1588 } 1589 } 1590 1591 /* 1592 * Generally, the target credential's ruid or svuid must match the 1593 * subject credential's ruid or euid. 1594 */ 1595 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1596 cred->cr_ruid != proc->p_ucred->cr_svuid && 1597 cred->cr_uid != proc->p_ucred->cr_ruid && 1598 cred->cr_uid != proc->p_ucred->cr_svuid) { 1599 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); 1600 if (error) 1601 return (error); 1602 } 1603 1604 return (0); 1605 } 1606 1607 /*- 1608 * Determine whether td may deliver the specified signal to p. 1609 * Returns: 0 for permitted, an errno value otherwise 1610 * Locks: Sufficient locks to protect various components of td and p 1611 * must be held. td must be curthread, and a lock must be 1612 * held for p. 1613 * References: td and p must be valid for the lifetime of the call 1614 */ 1615 int 1616 p_cansignal(struct thread *td, struct proc *p, int signum) 1617 { 1618 1619 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1620 PROC_LOCK_ASSERT(p, MA_OWNED); 1621 if (td->td_proc == p) 1622 return (0); 1623 1624 /* 1625 * UNIX signalling semantics require that processes in the same 1626 * session always be able to deliver SIGCONT to one another, 1627 * overriding the remaining protections. 1628 */ 1629 /* XXX: This will require an additional lock of some sort. */ 1630 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1631 return (0); 1632 /* 1633 * Some compat layers use SIGTHR and higher signals for 1634 * communication between different kernel threads of the same 1635 * process, so that they expect that it's always possible to 1636 * deliver them, even for suid applications where cr_cansignal() can 1637 * deny such ability for security consideration. It should be 1638 * pretty safe to do since the only way to create two processes 1639 * with the same p_leader is via rfork(2). 1640 */ 1641 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1642 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1643 return (0); 1644 1645 return (cr_cansignal(td->td_ucred, p, signum)); 1646 } 1647 1648 /*- 1649 * Determine whether td may reschedule p. 1650 * Returns: 0 for permitted, an errno value otherwise 1651 * Locks: Sufficient locks to protect various components of td and p 1652 * must be held. td must be curthread, and a lock must 1653 * be held for p. 1654 * References: td and p must be valid for the lifetime of the call 1655 */ 1656 int 1657 p_cansched(struct thread *td, struct proc *p) 1658 { 1659 int error; 1660 1661 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1662 PROC_LOCK_ASSERT(p, MA_OWNED); 1663 if (td->td_proc == p) 1664 return (0); 1665 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1666 return (error); 1667 #ifdef MAC 1668 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1669 return (error); 1670 #endif 1671 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 1672 return (error); 1673 1674 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1675 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1676 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1677 if (error) 1678 return (error); 1679 } 1680 return (0); 1681 } 1682 1683 /* 1684 * Handle getting or setting the prison's unprivileged_proc_debug 1685 * value. 1686 */ 1687 static int 1688 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) 1689 { 1690 int error, val; 1691 1692 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); 1693 error = sysctl_handle_int(oidp, &val, 0, req); 1694 if (error != 0 || req->newptr == NULL) 1695 return (error); 1696 if (val != 0 && val != 1) 1697 return (EINVAL); 1698 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); 1699 return (0); 1700 } 1701 1702 /* 1703 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1704 * unprivileged inter-process debugging services, including some procfs 1705 * functionality, ptrace(), and ktrace(). In the past, inter-process 1706 * debugging has been involved in a variety of security problems, and sites 1707 * not requiring the service might choose to disable it when hardening 1708 * systems. 1709 */ 1710 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, 1711 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | 1712 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", 1713 "Unprivileged processes may use process debugging facilities"); 1714 1715 /*- 1716 * Determine whether td may debug p. 1717 * Returns: 0 for permitted, an errno value otherwise 1718 * Locks: Sufficient locks to protect various components of td and p 1719 * must be held. td must be curthread, and a lock must 1720 * be held for p. 1721 * References: td and p must be valid for the lifetime of the call 1722 */ 1723 int 1724 p_candebug(struct thread *td, struct proc *p) 1725 { 1726 int error, grpsubset, i, uidsubset; 1727 1728 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1729 PROC_LOCK_ASSERT(p, MA_OWNED); 1730 if (td->td_proc == p) 1731 return (0); 1732 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) 1733 return (error); 1734 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1735 return (error); 1736 #ifdef MAC 1737 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1738 return (error); 1739 #endif 1740 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 1741 return (error); 1742 1743 /* 1744 * Is p's group set a subset of td's effective group set? This 1745 * includes p's egid, group access list, rgid, and svgid. 1746 */ 1747 grpsubset = 1; 1748 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1749 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1750 grpsubset = 0; 1751 break; 1752 } 1753 } 1754 grpsubset = grpsubset && 1755 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1756 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1757 1758 /* 1759 * Are the uids present in p's credential equal to td's 1760 * effective uid? This includes p's euid, svuid, and ruid. 1761 */ 1762 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1763 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1764 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1765 1766 /* 1767 * If p's gids aren't a subset, or the uids aren't a subset, 1768 * or the credential has changed, require appropriate privilege 1769 * for td to debug p. 1770 */ 1771 if (!grpsubset || !uidsubset) { 1772 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1773 if (error) 1774 return (error); 1775 } 1776 1777 /* 1778 * Has the credential of the process changed since the last exec()? 1779 */ 1780 if ((p->p_flag & P_SUGID) != 0) { 1781 error = priv_check(td, PRIV_DEBUG_SUGID); 1782 if (error) 1783 return (error); 1784 } 1785 1786 /* Can't trace init when securelevel > 0. */ 1787 if (p == initproc) { 1788 error = securelevel_gt(td->td_ucred, 0); 1789 if (error) 1790 return (error); 1791 } 1792 1793 /* 1794 * Can't trace a process that's currently exec'ing. 1795 * 1796 * XXX: Note, this is not a security policy decision, it's a 1797 * basic correctness/functionality decision. Therefore, this check 1798 * should be moved to the caller's of p_candebug(). 1799 */ 1800 if ((p->p_flag & P_INEXEC) != 0) 1801 return (EBUSY); 1802 1803 /* Denied explicitly */ 1804 if ((p->p_flag2 & P2_NOTRACE) != 0) { 1805 error = priv_check(td, PRIV_DEBUG_DENIED); 1806 if (error != 0) 1807 return (error); 1808 } 1809 1810 return (0); 1811 } 1812 1813 /*- 1814 * Determine whether the subject represented by cred can "see" a socket. 1815 * Returns: 0 for permitted, ENOENT otherwise. 1816 */ 1817 int 1818 cr_canseesocket(struct ucred *cred, struct socket *so) 1819 { 1820 int error; 1821 1822 error = prison_check(cred, so->so_cred); 1823 if (error) 1824 return (ENOENT); 1825 #ifdef MAC 1826 error = mac_socket_check_visible(cred, so); 1827 if (error) 1828 return (error); 1829 #endif 1830 if (cr_bsd_visible(cred, so->so_cred)) 1831 return (ENOENT); 1832 1833 return (0); 1834 } 1835 1836 /*- 1837 * Determine whether td can wait for the exit of p. 1838 * Returns: 0 for permitted, an errno value otherwise 1839 * Locks: Sufficient locks to protect various components of td and p 1840 * must be held. td must be curthread, and a lock must 1841 * be held for p. 1842 * References: td and p must be valid for the lifetime of the call 1843 1844 */ 1845 int 1846 p_canwait(struct thread *td, struct proc *p) 1847 { 1848 int error; 1849 1850 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1851 PROC_LOCK_ASSERT(p, MA_OWNED); 1852 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1853 return (error); 1854 #ifdef MAC 1855 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1856 return (error); 1857 #endif 1858 #if 0 1859 /* XXXMAC: This could have odd effects on some shells. */ 1860 if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) 1861 return (error); 1862 #endif 1863 1864 return (0); 1865 } 1866 1867 /* 1868 * Credential management. 1869 * 1870 * struct ucred objects are rarely allocated but gain and lose references all 1871 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into 1872 * a significant source of cache-line ping ponging. Common cases are worked 1873 * around by modifying thread-local counter instead if the cred to operate on 1874 * matches td_realucred. 1875 * 1876 * The counter is split into 2 parts: 1877 * - cr_users -- total count of all struct proc and struct thread objects 1878 * which have given cred in p_ucred and td_ucred respectively 1879 * - cr_ref -- the actual ref count, only valid if cr_users == 0 1880 * 1881 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if 1882 * the count reaches 0 the object is freeable. 1883 * If users > 0 and curthread->td_realucred == cred, then updates are performed 1884 * against td_ucredref. 1885 * In other cases updates are performed against cr_ref. 1886 * 1887 * Changing td_realucred into something else decrements cr_users and transfers 1888 * accumulated updates. 1889 */ 1890 struct ucred * 1891 crcowget(struct ucred *cr) 1892 { 1893 1894 mtx_lock(&cr->cr_mtx); 1895 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1896 __func__, cr->cr_users, cr)); 1897 cr->cr_users++; 1898 cr->cr_ref++; 1899 mtx_unlock(&cr->cr_mtx); 1900 return (cr); 1901 } 1902 1903 static struct ucred * 1904 crunuse(struct thread *td) 1905 { 1906 struct ucred *cr, *crold; 1907 1908 MPASS(td->td_realucred == td->td_ucred); 1909 cr = td->td_realucred; 1910 mtx_lock(&cr->cr_mtx); 1911 cr->cr_ref += td->td_ucredref; 1912 td->td_ucredref = 0; 1913 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1914 __func__, cr->cr_users, cr)); 1915 cr->cr_users--; 1916 if (cr->cr_users == 0) { 1917 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 1918 __func__, cr->cr_ref, cr)); 1919 crold = cr; 1920 } else { 1921 cr->cr_ref--; 1922 crold = NULL; 1923 } 1924 mtx_unlock(&cr->cr_mtx); 1925 td->td_realucred = NULL; 1926 return (crold); 1927 } 1928 1929 static void 1930 crunusebatch(struct ucred *cr, int users, int ref) 1931 { 1932 1933 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", 1934 __func__, users, cr)); 1935 mtx_lock(&cr->cr_mtx); 1936 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", 1937 __func__, cr->cr_users, users, cr)); 1938 cr->cr_users -= users; 1939 cr->cr_ref += ref; 1940 cr->cr_ref -= users; 1941 if (cr->cr_users > 0) { 1942 mtx_unlock(&cr->cr_mtx); 1943 return; 1944 } 1945 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 1946 __func__, cr->cr_ref, cr)); 1947 if (cr->cr_ref > 0) { 1948 mtx_unlock(&cr->cr_mtx); 1949 return; 1950 } 1951 crfree_final(cr); 1952 } 1953 1954 void 1955 crcowfree(struct thread *td) 1956 { 1957 struct ucred *cr; 1958 1959 cr = crunuse(td); 1960 if (cr != NULL) 1961 crfree(cr); 1962 } 1963 1964 struct ucred * 1965 crcowsync(void) 1966 { 1967 struct thread *td; 1968 struct proc *p; 1969 struct ucred *crnew, *crold; 1970 1971 td = curthread; 1972 p = td->td_proc; 1973 PROC_LOCK_ASSERT(p, MA_OWNED); 1974 1975 MPASS(td->td_realucred == td->td_ucred); 1976 if (td->td_realucred == p->p_ucred) 1977 return (NULL); 1978 1979 crnew = crcowget(p->p_ucred); 1980 crold = crunuse(td); 1981 td->td_realucred = crnew; 1982 td->td_ucred = td->td_realucred; 1983 return (crold); 1984 } 1985 1986 /* 1987 * Batching. 1988 */ 1989 void 1990 credbatch_add(struct credbatch *crb, struct thread *td) 1991 { 1992 struct ucred *cr; 1993 1994 MPASS(td->td_realucred != NULL); 1995 MPASS(td->td_realucred == td->td_ucred); 1996 MPASS(TD_GET_STATE(td) == TDS_INACTIVE); 1997 cr = td->td_realucred; 1998 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 1999 __func__, cr->cr_users, cr)); 2000 if (crb->cred != cr) { 2001 if (crb->users > 0) { 2002 MPASS(crb->cred != NULL); 2003 crunusebatch(crb->cred, crb->users, crb->ref); 2004 crb->users = 0; 2005 crb->ref = 0; 2006 } 2007 } 2008 crb->cred = cr; 2009 crb->users++; 2010 crb->ref += td->td_ucredref; 2011 td->td_ucredref = 0; 2012 td->td_realucred = NULL; 2013 } 2014 2015 void 2016 credbatch_final(struct credbatch *crb) 2017 { 2018 2019 MPASS(crb->cred != NULL); 2020 MPASS(crb->users > 0); 2021 crunusebatch(crb->cred, crb->users, crb->ref); 2022 } 2023 2024 /* 2025 * Allocate a zeroed cred structure. 2026 */ 2027 struct ucred * 2028 crget(void) 2029 { 2030 struct ucred *cr; 2031 2032 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 2033 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); 2034 cr->cr_ref = 1; 2035 #ifdef AUDIT 2036 audit_cred_init(cr); 2037 #endif 2038 #ifdef MAC 2039 mac_cred_init(cr); 2040 #endif 2041 cr->cr_groups = cr->cr_smallgroups; 2042 cr->cr_agroups = 2043 sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]); 2044 return (cr); 2045 } 2046 2047 /* 2048 * Claim another reference to a ucred structure. 2049 */ 2050 struct ucred * 2051 crhold(struct ucred *cr) 2052 { 2053 struct thread *td; 2054 2055 td = curthread; 2056 if (__predict_true(td->td_realucred == cr)) { 2057 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2058 __func__, cr->cr_users, cr)); 2059 td->td_ucredref++; 2060 return (cr); 2061 } 2062 mtx_lock(&cr->cr_mtx); 2063 cr->cr_ref++; 2064 mtx_unlock(&cr->cr_mtx); 2065 return (cr); 2066 } 2067 2068 /* 2069 * Free a cred structure. Throws away space when ref count gets to 0. 2070 */ 2071 void 2072 crfree(struct ucred *cr) 2073 { 2074 struct thread *td; 2075 2076 td = curthread; 2077 if (__predict_true(td->td_realucred == cr)) { 2078 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2079 __func__, cr->cr_users, cr)); 2080 td->td_ucredref--; 2081 return; 2082 } 2083 mtx_lock(&cr->cr_mtx); 2084 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", 2085 __func__, cr->cr_users, cr)); 2086 cr->cr_ref--; 2087 if (cr->cr_users > 0) { 2088 mtx_unlock(&cr->cr_mtx); 2089 return; 2090 } 2091 KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", 2092 __func__, cr->cr_ref, cr)); 2093 if (cr->cr_ref > 0) { 2094 mtx_unlock(&cr->cr_mtx); 2095 return; 2096 } 2097 crfree_final(cr); 2098 } 2099 2100 static void 2101 crfree_final(struct ucred *cr) 2102 { 2103 2104 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", 2105 __func__, cr->cr_users, cr)); 2106 KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", 2107 __func__, cr->cr_ref, cr)); 2108 2109 /* 2110 * Some callers of crget(), such as nfs_statfs(), allocate a temporary 2111 * credential, but don't allocate a uidinfo structure. 2112 */ 2113 if (cr->cr_uidinfo != NULL) 2114 uifree(cr->cr_uidinfo); 2115 if (cr->cr_ruidinfo != NULL) 2116 uifree(cr->cr_ruidinfo); 2117 if (cr->cr_prison != NULL) 2118 prison_free(cr->cr_prison); 2119 if (cr->cr_loginclass != NULL) 2120 loginclass_free(cr->cr_loginclass); 2121 #ifdef AUDIT 2122 audit_cred_destroy(cr); 2123 #endif 2124 #ifdef MAC 2125 mac_cred_destroy(cr); 2126 #endif 2127 mtx_destroy(&cr->cr_mtx); 2128 if (cr->cr_groups != cr->cr_smallgroups) 2129 free(cr->cr_groups, M_CRED); 2130 free(cr, M_CRED); 2131 } 2132 2133 /* 2134 * Copy a ucred's contents from a template. Does not block. 2135 */ 2136 void 2137 crcopy(struct ucred *dest, struct ucred *src) 2138 { 2139 2140 KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred")); 2141 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 2142 (unsigned)((caddr_t)&src->cr_endcopy - 2143 (caddr_t)&src->cr_startcopy)); 2144 dest->cr_flags = src->cr_flags; 2145 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 2146 uihold(dest->cr_uidinfo); 2147 uihold(dest->cr_ruidinfo); 2148 prison_hold(dest->cr_prison); 2149 loginclass_hold(dest->cr_loginclass); 2150 #ifdef AUDIT 2151 audit_cred_copy(src, dest); 2152 #endif 2153 #ifdef MAC 2154 mac_cred_copy(src, dest); 2155 #endif 2156 } 2157 2158 /* 2159 * Dup cred struct to a new held one. 2160 */ 2161 struct ucred * 2162 crdup(struct ucred *cr) 2163 { 2164 struct ucred *newcr; 2165 2166 newcr = crget(); 2167 crcopy(newcr, cr); 2168 return (newcr); 2169 } 2170 2171 /* 2172 * Fill in a struct xucred based on a struct ucred. 2173 */ 2174 void 2175 cru2x(struct ucred *cr, struct xucred *xcr) 2176 { 2177 int ngroups; 2178 2179 bzero(xcr, sizeof(*xcr)); 2180 xcr->cr_version = XUCRED_VERSION; 2181 xcr->cr_uid = cr->cr_uid; 2182 2183 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 2184 xcr->cr_ngroups = ngroups; 2185 bcopy(cr->cr_groups, xcr->cr_groups, 2186 ngroups * sizeof(*cr->cr_groups)); 2187 } 2188 2189 void 2190 cru2xt(struct thread *td, struct xucred *xcr) 2191 { 2192 2193 cru2x(td->td_ucred, xcr); 2194 xcr->cr_pid = td->td_proc->p_pid; 2195 } 2196 2197 /* 2198 * Set initial process credentials. 2199 * Callers are responsible for providing the reference for provided credentials. 2200 */ 2201 void 2202 proc_set_cred_init(struct proc *p, struct ucred *newcred) 2203 { 2204 2205 p->p_ucred = crcowget(newcred); 2206 } 2207 2208 /* 2209 * Change process credentials. 2210 * Callers are responsible for providing the reference for passed credentials 2211 * and for freeing old ones. 2212 * 2213 * Process has to be locked except when it does not have credentials (as it 2214 * should not be visible just yet) or when newcred is NULL (as this can be 2215 * only used when the process is about to be freed, at which point it should 2216 * not be visible anymore). 2217 */ 2218 void 2219 proc_set_cred(struct proc *p, struct ucred *newcred) 2220 { 2221 struct ucred *cr; 2222 2223 cr = p->p_ucred; 2224 MPASS(cr != NULL); 2225 PROC_LOCK_ASSERT(p, MA_OWNED); 2226 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", 2227 __func__, newcred->cr_users, newcred)); 2228 mtx_lock(&cr->cr_mtx); 2229 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2230 __func__, cr->cr_users, cr)); 2231 cr->cr_users--; 2232 mtx_unlock(&cr->cr_mtx); 2233 p->p_ucred = newcred; 2234 newcred->cr_users = 1; 2235 PROC_UPDATE_COW(p); 2236 } 2237 2238 void 2239 proc_unset_cred(struct proc *p) 2240 { 2241 struct ucred *cr; 2242 2243 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); 2244 cr = p->p_ucred; 2245 p->p_ucred = NULL; 2246 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", 2247 __func__, cr->cr_users, cr)); 2248 mtx_lock(&cr->cr_mtx); 2249 cr->cr_users--; 2250 if (cr->cr_users == 0) 2251 KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", 2252 __func__, cr->cr_ref, cr)); 2253 mtx_unlock(&cr->cr_mtx); 2254 crfree(cr); 2255 } 2256 2257 struct ucred * 2258 crcopysafe(struct proc *p, struct ucred *cr) 2259 { 2260 struct ucred *oldcred; 2261 int groups; 2262 2263 PROC_LOCK_ASSERT(p, MA_OWNED); 2264 2265 oldcred = p->p_ucred; 2266 while (cr->cr_agroups < oldcred->cr_agroups) { 2267 groups = oldcred->cr_agroups; 2268 PROC_UNLOCK(p); 2269 crextend(cr, groups); 2270 PROC_LOCK(p); 2271 oldcred = p->p_ucred; 2272 } 2273 crcopy(cr, oldcred); 2274 2275 return (oldcred); 2276 } 2277 2278 /* 2279 * Extend the passed in credential to hold n items. 2280 */ 2281 void 2282 crextend(struct ucred *cr, int n) 2283 { 2284 int cnt; 2285 2286 /* Truncate? */ 2287 if (n <= cr->cr_agroups) 2288 return; 2289 2290 /* 2291 * We extend by 2 each time since we're using a power of two 2292 * allocator until we need enough groups to fill a page. 2293 * Once we're allocating multiple pages, only allocate as many 2294 * as we actually need. The case of processes needing a 2295 * non-power of two number of pages seems more likely than 2296 * a real world process that adds thousands of groups one at a 2297 * time. 2298 */ 2299 if ( n < PAGE_SIZE / sizeof(gid_t) ) { 2300 if (cr->cr_agroups == 0) 2301 cnt = MAX(1, MINALLOCSIZE / sizeof(gid_t)); 2302 else 2303 cnt = cr->cr_agroups * 2; 2304 2305 while (cnt < n) 2306 cnt *= 2; 2307 } else 2308 cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); 2309 2310 /* Free the old array. */ 2311 if (cr->cr_groups != cr->cr_smallgroups) 2312 free(cr->cr_groups, M_CRED); 2313 2314 cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); 2315 cr->cr_agroups = cnt; 2316 } 2317 2318 /* 2319 * Copy groups in to a credential, preserving any necessary invariants. 2320 * Currently this includes the sorting of all supplemental gids. 2321 * crextend() must have been called before hand to ensure sufficient 2322 * space is available. 2323 */ 2324 static void 2325 crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) 2326 { 2327 int i; 2328 int j; 2329 gid_t g; 2330 2331 KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); 2332 2333 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2334 cr->cr_ngroups = ngrp; 2335 2336 /* 2337 * Sort all groups except cr_groups[0] to allow groupmember to 2338 * perform a binary search. 2339 * 2340 * XXX: If large numbers of groups become common this should 2341 * be replaced with shell sort like linux uses or possibly 2342 * heap sort. 2343 */ 2344 for (i = 2; i < ngrp; i++) { 2345 g = cr->cr_groups[i]; 2346 for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) 2347 cr->cr_groups[j + 1] = cr->cr_groups[j]; 2348 cr->cr_groups[j + 1] = g; 2349 } 2350 } 2351 2352 /* 2353 * Copy groups in to a credential after expanding it if required. 2354 * Truncate the list to (ngroups_max + 1) if it is too large. 2355 */ 2356 void 2357 crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) 2358 { 2359 2360 if (ngrp > ngroups_max + 1) 2361 ngrp = ngroups_max + 1; 2362 2363 crextend(cr, ngrp); 2364 crsetgroups_locked(cr, ngrp, groups); 2365 } 2366 2367 /* 2368 * Get login name, if available. 2369 */ 2370 #ifndef _SYS_SYSPROTO_H_ 2371 struct getlogin_args { 2372 char *namebuf; 2373 u_int namelen; 2374 }; 2375 #endif 2376 /* ARGSUSED */ 2377 int 2378 sys_getlogin(struct thread *td, struct getlogin_args *uap) 2379 { 2380 char login[MAXLOGNAME]; 2381 struct proc *p = td->td_proc; 2382 size_t len; 2383 2384 if (uap->namelen > MAXLOGNAME) 2385 uap->namelen = MAXLOGNAME; 2386 PROC_LOCK(p); 2387 SESS_LOCK(p->p_session); 2388 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; 2389 SESS_UNLOCK(p->p_session); 2390 PROC_UNLOCK(p); 2391 if (len > uap->namelen) 2392 return (ERANGE); 2393 return (copyout(login, uap->namebuf, len)); 2394 } 2395 2396 /* 2397 * Set login name. 2398 */ 2399 #ifndef _SYS_SYSPROTO_H_ 2400 struct setlogin_args { 2401 char *namebuf; 2402 }; 2403 #endif 2404 /* ARGSUSED */ 2405 int 2406 sys_setlogin(struct thread *td, struct setlogin_args *uap) 2407 { 2408 struct proc *p = td->td_proc; 2409 int error; 2410 char logintmp[MAXLOGNAME]; 2411 2412 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); 2413 2414 error = priv_check(td, PRIV_PROC_SETLOGIN); 2415 if (error) 2416 return (error); 2417 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2418 if (error != 0) { 2419 if (error == ENAMETOOLONG) 2420 error = EINVAL; 2421 return (error); 2422 } 2423 AUDIT_ARG_LOGIN(logintmp); 2424 PROC_LOCK(p); 2425 SESS_LOCK(p->p_session); 2426 strcpy(p->p_session->s_login, logintmp); 2427 SESS_UNLOCK(p->p_session); 2428 PROC_UNLOCK(p); 2429 return (0); 2430 } 2431 2432 void 2433 setsugid(struct proc *p) 2434 { 2435 2436 PROC_LOCK_ASSERT(p, MA_OWNED); 2437 p->p_flag |= P_SUGID; 2438 } 2439 2440 /*- 2441 * Change a process's effective uid. 2442 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2443 * References: newcred must be an exclusive credential reference for the 2444 * duration of the call. 2445 */ 2446 void 2447 change_euid(struct ucred *newcred, struct uidinfo *euip) 2448 { 2449 2450 newcred->cr_uid = euip->ui_uid; 2451 uihold(euip); 2452 uifree(newcred->cr_uidinfo); 2453 newcred->cr_uidinfo = euip; 2454 } 2455 2456 /*- 2457 * Change a process's effective gid. 2458 * Side effects: newcred->cr_gid will be modified. 2459 * References: newcred must be an exclusive credential reference for the 2460 * duration of the call. 2461 */ 2462 void 2463 change_egid(struct ucred *newcred, gid_t egid) 2464 { 2465 2466 newcred->cr_groups[0] = egid; 2467 } 2468 2469 /*- 2470 * Change a process's real uid. 2471 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2472 * will be updated, and the old and new cr_ruidinfo proc 2473 * counts will be updated. 2474 * References: newcred must be an exclusive credential reference for the 2475 * duration of the call. 2476 */ 2477 void 2478 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2479 { 2480 2481 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2482 newcred->cr_ruid = ruip->ui_uid; 2483 uihold(ruip); 2484 uifree(newcred->cr_ruidinfo); 2485 newcred->cr_ruidinfo = ruip; 2486 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2487 } 2488 2489 /*- 2490 * Change a process's real gid. 2491 * Side effects: newcred->cr_rgid will be updated. 2492 * References: newcred must be an exclusive credential reference for the 2493 * duration of the call. 2494 */ 2495 void 2496 change_rgid(struct ucred *newcred, gid_t rgid) 2497 { 2498 2499 newcred->cr_rgid = rgid; 2500 } 2501 2502 /*- 2503 * Change a process's saved uid. 2504 * Side effects: newcred->cr_svuid will be updated. 2505 * References: newcred must be an exclusive credential reference for the 2506 * duration of the call. 2507 */ 2508 void 2509 change_svuid(struct ucred *newcred, uid_t svuid) 2510 { 2511 2512 newcred->cr_svuid = svuid; 2513 } 2514 2515 /*- 2516 * Change a process's saved gid. 2517 * Side effects: newcred->cr_svgid will be updated. 2518 * References: newcred must be an exclusive credential reference for the 2519 * duration of the call. 2520 */ 2521 void 2522 change_svgid(struct ucred *newcred, gid_t svgid) 2523 { 2524 2525 newcred->cr_svgid = svgid; 2526 } 2527 2528 bool allow_ptrace = true; 2529 SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, 2530 &allow_ptrace, 0, 2531 "Deny ptrace(2) use by returning ENOSYS"); 2532