1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed 9 * to the University of California by American Telephone and Telegraph 10 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11 * the permission of UNIX System Laboratories, Inc. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 4. Neither the name of the University nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40 /* 41 * System calls related to processes and protection 42 */ 43 44 #include <sys/cdefs.h> 45 __FBSDID("$FreeBSD$"); 46 47 #include "opt_compat.h" 48 #include "opt_mac.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/acct.h> 53 #include <sys/kdb.h> 54 #include <sys/kernel.h> 55 #include <sys/lock.h> 56 #include <sys/malloc.h> 57 #include <sys/mutex.h> 58 #include <sys/refcount.h> 59 #include <sys/sx.h> 60 #include <sys/priv.h> 61 #include <sys/proc.h> 62 #include <sys/sysproto.h> 63 #include <sys/jail.h> 64 #include <sys/pioctl.h> 65 #include <sys/resourcevar.h> 66 #include <sys/socket.h> 67 #include <sys/socketvar.h> 68 #include <sys/syscallsubr.h> 69 #include <sys/sysctl.h> 70 71 #include <security/audit/audit.h> 72 #include <security/mac/mac_framework.h> 73 74 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 75 76 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 77 78 #ifndef _SYS_SYSPROTO_H_ 79 struct getpid_args { 80 int dummy; 81 }; 82 #endif 83 /* ARGSUSED */ 84 int 85 getpid(struct thread *td, struct getpid_args *uap) 86 { 87 struct proc *p = td->td_proc; 88 89 td->td_retval[0] = p->p_pid; 90 #if defined(COMPAT_43) 91 PROC_LOCK(p); 92 td->td_retval[1] = p->p_pptr->p_pid; 93 PROC_UNLOCK(p); 94 #endif 95 return (0); 96 } 97 98 #ifndef _SYS_SYSPROTO_H_ 99 struct getppid_args { 100 int dummy; 101 }; 102 #endif 103 /* ARGSUSED */ 104 int 105 getppid(struct thread *td, struct getppid_args *uap) 106 { 107 struct proc *p = td->td_proc; 108 109 PROC_LOCK(p); 110 td->td_retval[0] = p->p_pptr->p_pid; 111 PROC_UNLOCK(p); 112 return (0); 113 } 114 115 /* 116 * Get process group ID; note that POSIX getpgrp takes no parameter. 117 */ 118 #ifndef _SYS_SYSPROTO_H_ 119 struct getpgrp_args { 120 int dummy; 121 }; 122 #endif 123 int 124 getpgrp(struct thread *td, struct getpgrp_args *uap) 125 { 126 struct proc *p = td->td_proc; 127 128 PROC_LOCK(p); 129 td->td_retval[0] = p->p_pgrp->pg_id; 130 PROC_UNLOCK(p); 131 return (0); 132 } 133 134 /* Get an arbitary pid's process group id */ 135 #ifndef _SYS_SYSPROTO_H_ 136 struct getpgid_args { 137 pid_t pid; 138 }; 139 #endif 140 int 141 getpgid(struct thread *td, struct getpgid_args *uap) 142 { 143 struct proc *p; 144 int error; 145 146 if (uap->pid == 0) { 147 p = td->td_proc; 148 PROC_LOCK(p); 149 } else { 150 p = pfind(uap->pid); 151 if (p == NULL) 152 return (ESRCH); 153 error = p_cansee(td, p); 154 if (error) { 155 PROC_UNLOCK(p); 156 return (error); 157 } 158 } 159 td->td_retval[0] = p->p_pgrp->pg_id; 160 PROC_UNLOCK(p); 161 return (0); 162 } 163 164 /* 165 * Get an arbitary pid's session id. 166 */ 167 #ifndef _SYS_SYSPROTO_H_ 168 struct getsid_args { 169 pid_t pid; 170 }; 171 #endif 172 int 173 getsid(struct thread *td, struct getsid_args *uap) 174 { 175 struct proc *p; 176 int error; 177 178 if (uap->pid == 0) { 179 p = td->td_proc; 180 PROC_LOCK(p); 181 } else { 182 p = pfind(uap->pid); 183 if (p == NULL) 184 return (ESRCH); 185 error = p_cansee(td, p); 186 if (error) { 187 PROC_UNLOCK(p); 188 return (error); 189 } 190 } 191 td->td_retval[0] = p->p_session->s_sid; 192 PROC_UNLOCK(p); 193 return (0); 194 } 195 196 #ifndef _SYS_SYSPROTO_H_ 197 struct getuid_args { 198 int dummy; 199 }; 200 #endif 201 /* ARGSUSED */ 202 int 203 getuid(struct thread *td, struct getuid_args *uap) 204 { 205 206 td->td_retval[0] = td->td_ucred->cr_ruid; 207 #if defined(COMPAT_43) 208 td->td_retval[1] = td->td_ucred->cr_uid; 209 #endif 210 return (0); 211 } 212 213 #ifndef _SYS_SYSPROTO_H_ 214 struct geteuid_args { 215 int dummy; 216 }; 217 #endif 218 /* ARGSUSED */ 219 int 220 geteuid(struct thread *td, struct geteuid_args *uap) 221 { 222 223 td->td_retval[0] = td->td_ucred->cr_uid; 224 return (0); 225 } 226 227 #ifndef _SYS_SYSPROTO_H_ 228 struct getgid_args { 229 int dummy; 230 }; 231 #endif 232 /* ARGSUSED */ 233 int 234 getgid(struct thread *td, struct getgid_args *uap) 235 { 236 237 td->td_retval[0] = td->td_ucred->cr_rgid; 238 #if defined(COMPAT_43) 239 td->td_retval[1] = td->td_ucred->cr_groups[0]; 240 #endif 241 return (0); 242 } 243 244 /* 245 * Get effective group ID. The "egid" is groups[0], and could be obtained 246 * via getgroups. This syscall exists because it is somewhat painful to do 247 * correctly in a library function. 248 */ 249 #ifndef _SYS_SYSPROTO_H_ 250 struct getegid_args { 251 int dummy; 252 }; 253 #endif 254 /* ARGSUSED */ 255 int 256 getegid(struct thread *td, struct getegid_args *uap) 257 { 258 259 td->td_retval[0] = td->td_ucred->cr_groups[0]; 260 return (0); 261 } 262 263 #ifndef _SYS_SYSPROTO_H_ 264 struct getgroups_args { 265 u_int gidsetsize; 266 gid_t *gidset; 267 }; 268 #endif 269 int 270 getgroups(struct thread *td, register struct getgroups_args *uap) 271 { 272 gid_t groups[NGROUPS]; 273 u_int ngrp; 274 int error; 275 276 ngrp = MIN(uap->gidsetsize, NGROUPS); 277 error = kern_getgroups(td, &ngrp, groups); 278 if (error) 279 return (error); 280 if (uap->gidsetsize > 0) 281 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 282 if (error == 0) 283 td->td_retval[0] = ngrp; 284 return (error); 285 } 286 287 int 288 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 289 { 290 struct ucred *cred; 291 292 cred = td->td_ucred; 293 if (*ngrp == 0) { 294 *ngrp = cred->cr_ngroups; 295 return (0); 296 } 297 if (*ngrp < cred->cr_ngroups) 298 return (EINVAL); 299 *ngrp = cred->cr_ngroups; 300 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 301 return (0); 302 } 303 304 #ifndef _SYS_SYSPROTO_H_ 305 struct setsid_args { 306 int dummy; 307 }; 308 #endif 309 /* ARGSUSED */ 310 int 311 setsid(register struct thread *td, struct setsid_args *uap) 312 { 313 struct pgrp *pgrp; 314 int error; 315 struct proc *p = td->td_proc; 316 struct pgrp *newpgrp; 317 struct session *newsess; 318 319 error = 0; 320 pgrp = NULL; 321 322 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 323 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 324 325 sx_xlock(&proctree_lock); 326 327 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 328 if (pgrp != NULL) 329 PGRP_UNLOCK(pgrp); 330 error = EPERM; 331 } else { 332 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 333 td->td_retval[0] = p->p_pid; 334 newpgrp = NULL; 335 newsess = NULL; 336 } 337 338 sx_xunlock(&proctree_lock); 339 340 if (newpgrp != NULL) 341 FREE(newpgrp, M_PGRP); 342 if (newsess != NULL) 343 FREE(newsess, M_SESSION); 344 345 return (error); 346 } 347 348 /* 349 * set process group (setpgid/old setpgrp) 350 * 351 * caller does setpgid(targpid, targpgid) 352 * 353 * pid must be caller or child of caller (ESRCH) 354 * if a child 355 * pid must be in same session (EPERM) 356 * pid can't have done an exec (EACCES) 357 * if pgid != pid 358 * there must exist some pid in same session having pgid (EPERM) 359 * pid must not be session leader (EPERM) 360 */ 361 #ifndef _SYS_SYSPROTO_H_ 362 struct setpgid_args { 363 int pid; /* target process id */ 364 int pgid; /* target pgrp id */ 365 }; 366 #endif 367 /* ARGSUSED */ 368 int 369 setpgid(struct thread *td, register struct setpgid_args *uap) 370 { 371 struct proc *curp = td->td_proc; 372 register struct proc *targp; /* target process */ 373 register struct pgrp *pgrp; /* target pgrp */ 374 int error; 375 struct pgrp *newpgrp; 376 377 if (uap->pgid < 0) 378 return (EINVAL); 379 380 error = 0; 381 382 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 383 384 sx_xlock(&proctree_lock); 385 if (uap->pid != 0 && uap->pid != curp->p_pid) { 386 if ((targp = pfind(uap->pid)) == NULL) { 387 error = ESRCH; 388 goto done; 389 } 390 if (!inferior(targp)) { 391 PROC_UNLOCK(targp); 392 error = ESRCH; 393 goto done; 394 } 395 if ((error = p_cansee(td, targp))) { 396 PROC_UNLOCK(targp); 397 goto done; 398 } 399 if (targp->p_pgrp == NULL || 400 targp->p_session != curp->p_session) { 401 PROC_UNLOCK(targp); 402 error = EPERM; 403 goto done; 404 } 405 if (targp->p_flag & P_EXEC) { 406 PROC_UNLOCK(targp); 407 error = EACCES; 408 goto done; 409 } 410 PROC_UNLOCK(targp); 411 } else 412 targp = curp; 413 if (SESS_LEADER(targp)) { 414 error = EPERM; 415 goto done; 416 } 417 if (uap->pgid == 0) 418 uap->pgid = targp->p_pid; 419 if ((pgrp = pgfind(uap->pgid)) == NULL) { 420 if (uap->pgid == targp->p_pid) { 421 error = enterpgrp(targp, uap->pgid, newpgrp, 422 NULL); 423 if (error == 0) 424 newpgrp = NULL; 425 } else 426 error = EPERM; 427 } else { 428 if (pgrp == targp->p_pgrp) { 429 PGRP_UNLOCK(pgrp); 430 goto done; 431 } 432 if (pgrp->pg_id != targp->p_pid && 433 pgrp->pg_session != curp->p_session) { 434 PGRP_UNLOCK(pgrp); 435 error = EPERM; 436 goto done; 437 } 438 PGRP_UNLOCK(pgrp); 439 error = enterthispgrp(targp, pgrp); 440 } 441 done: 442 sx_xunlock(&proctree_lock); 443 KASSERT((error == 0) || (newpgrp != NULL), 444 ("setpgid failed and newpgrp is NULL")); 445 if (newpgrp != NULL) 446 FREE(newpgrp, M_PGRP); 447 return (error); 448 } 449 450 /* 451 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 452 * compatible. It says that setting the uid/gid to euid/egid is a special 453 * case of "appropriate privilege". Once the rules are expanded out, this 454 * basically means that setuid(nnn) sets all three id's, in all permitted 455 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 456 * does not set the saved id - this is dangerous for traditional BSD 457 * programs. For this reason, we *really* do not want to set 458 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 459 */ 460 #define POSIX_APPENDIX_B_4_2_2 461 462 #ifndef _SYS_SYSPROTO_H_ 463 struct setuid_args { 464 uid_t uid; 465 }; 466 #endif 467 /* ARGSUSED */ 468 int 469 setuid(struct thread *td, struct setuid_args *uap) 470 { 471 struct proc *p = td->td_proc; 472 struct ucred *newcred, *oldcred; 473 uid_t uid; 474 struct uidinfo *uip; 475 int error; 476 477 uid = uap->uid; 478 AUDIT_ARG(uid, uid); 479 newcred = crget(); 480 uip = uifind(uid); 481 PROC_LOCK(p); 482 oldcred = p->p_ucred; 483 484 #ifdef MAC 485 error = mac_check_proc_setuid(p, oldcred, uid); 486 if (error) 487 goto fail; 488 #endif 489 490 /* 491 * See if we have "permission" by POSIX 1003.1 rules. 492 * 493 * Note that setuid(geteuid()) is a special case of 494 * "appropriate privileges" in appendix B.4.2.2. We need 495 * to use this clause to be compatible with traditional BSD 496 * semantics. Basically, it means that "setuid(xx)" sets all 497 * three id's (assuming you have privs). 498 * 499 * Notes on the logic. We do things in three steps. 500 * 1: We determine if the euid is going to change, and do EPERM 501 * right away. We unconditionally change the euid later if this 502 * test is satisfied, simplifying that part of the logic. 503 * 2: We determine if the real and/or saved uids are going to 504 * change. Determined by compile options. 505 * 3: Change euid last. (after tests in #2 for "appropriate privs") 506 */ 507 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 508 #ifdef _POSIX_SAVED_IDS 509 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 510 #endif 511 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 512 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 513 #endif 514 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 515 SUSER_ALLOWJAIL)) != 0) 516 goto fail; 517 518 /* 519 * Copy credentials so other references do not see our changes. 520 */ 521 crcopy(newcred, oldcred); 522 #ifdef _POSIX_SAVED_IDS 523 /* 524 * Do we have "appropriate privileges" (are we root or uid == euid) 525 * If so, we are changing the real uid and/or saved uid. 526 */ 527 if ( 528 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 529 uid == oldcred->cr_uid || 530 #endif 531 /* We are using privs. */ 532 priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0) 533 #endif 534 { 535 /* 536 * Set the real uid and transfer proc count to new user. 537 */ 538 if (uid != oldcred->cr_ruid) { 539 change_ruid(newcred, uip); 540 setsugid(p); 541 } 542 /* 543 * Set saved uid 544 * 545 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 546 * the security of seteuid() depends on it. B.4.2.2 says it 547 * is important that we should do this. 548 */ 549 if (uid != oldcred->cr_svuid) { 550 change_svuid(newcred, uid); 551 setsugid(p); 552 } 553 } 554 555 /* 556 * In all permitted cases, we are changing the euid. 557 */ 558 if (uid != oldcred->cr_uid) { 559 change_euid(newcred, uip); 560 setsugid(p); 561 } 562 p->p_ucred = newcred; 563 PROC_UNLOCK(p); 564 uifree(uip); 565 crfree(oldcred); 566 return (0); 567 568 fail: 569 PROC_UNLOCK(p); 570 uifree(uip); 571 crfree(newcred); 572 return (error); 573 } 574 575 #ifndef _SYS_SYSPROTO_H_ 576 struct seteuid_args { 577 uid_t euid; 578 }; 579 #endif 580 /* ARGSUSED */ 581 int 582 seteuid(struct thread *td, struct seteuid_args *uap) 583 { 584 struct proc *p = td->td_proc; 585 struct ucred *newcred, *oldcred; 586 uid_t euid; 587 struct uidinfo *euip; 588 int error; 589 590 euid = uap->euid; 591 AUDIT_ARG(euid, euid); 592 newcred = crget(); 593 euip = uifind(euid); 594 PROC_LOCK(p); 595 oldcred = p->p_ucred; 596 597 #ifdef MAC 598 error = mac_check_proc_seteuid(p, oldcred, euid); 599 if (error) 600 goto fail; 601 #endif 602 603 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 604 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 605 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 606 SUSER_ALLOWJAIL)) != 0) 607 goto fail; 608 609 /* 610 * Everything's okay, do it. Copy credentials so other references do 611 * not see our changes. 612 */ 613 crcopy(newcred, oldcred); 614 if (oldcred->cr_uid != euid) { 615 change_euid(newcred, euip); 616 setsugid(p); 617 } 618 p->p_ucred = newcred; 619 PROC_UNLOCK(p); 620 uifree(euip); 621 crfree(oldcred); 622 return (0); 623 624 fail: 625 PROC_UNLOCK(p); 626 uifree(euip); 627 crfree(newcred); 628 return (error); 629 } 630 631 #ifndef _SYS_SYSPROTO_H_ 632 struct setgid_args { 633 gid_t gid; 634 }; 635 #endif 636 /* ARGSUSED */ 637 int 638 setgid(struct thread *td, struct setgid_args *uap) 639 { 640 struct proc *p = td->td_proc; 641 struct ucred *newcred, *oldcred; 642 gid_t gid; 643 int error; 644 645 gid = uap->gid; 646 AUDIT_ARG(gid, gid); 647 newcred = crget(); 648 PROC_LOCK(p); 649 oldcred = p->p_ucred; 650 651 #ifdef MAC 652 error = mac_check_proc_setgid(p, oldcred, gid); 653 if (error) 654 goto fail; 655 #endif 656 657 /* 658 * See if we have "permission" by POSIX 1003.1 rules. 659 * 660 * Note that setgid(getegid()) is a special case of 661 * "appropriate privileges" in appendix B.4.2.2. We need 662 * to use this clause to be compatible with traditional BSD 663 * semantics. Basically, it means that "setgid(xx)" sets all 664 * three id's (assuming you have privs). 665 * 666 * For notes on the logic here, see setuid() above. 667 */ 668 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 669 #ifdef _POSIX_SAVED_IDS 670 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 671 #endif 672 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 673 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 674 #endif 675 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 676 SUSER_ALLOWJAIL)) != 0) 677 goto fail; 678 679 crcopy(newcred, oldcred); 680 #ifdef _POSIX_SAVED_IDS 681 /* 682 * Do we have "appropriate privileges" (are we root or gid == egid) 683 * If so, we are changing the real uid and saved gid. 684 */ 685 if ( 686 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 687 gid == oldcred->cr_groups[0] || 688 #endif 689 /* We are using privs. */ 690 priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0) 691 #endif 692 { 693 /* 694 * Set real gid 695 */ 696 if (oldcred->cr_rgid != gid) { 697 change_rgid(newcred, gid); 698 setsugid(p); 699 } 700 /* 701 * Set saved gid 702 * 703 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 704 * the security of setegid() depends on it. B.4.2.2 says it 705 * is important that we should do this. 706 */ 707 if (oldcred->cr_svgid != gid) { 708 change_svgid(newcred, gid); 709 setsugid(p); 710 } 711 } 712 /* 713 * In all cases permitted cases, we are changing the egid. 714 * Copy credentials so other references do not see our changes. 715 */ 716 if (oldcred->cr_groups[0] != gid) { 717 change_egid(newcred, gid); 718 setsugid(p); 719 } 720 p->p_ucred = newcred; 721 PROC_UNLOCK(p); 722 crfree(oldcred); 723 return (0); 724 725 fail: 726 PROC_UNLOCK(p); 727 crfree(newcred); 728 return (error); 729 } 730 731 #ifndef _SYS_SYSPROTO_H_ 732 struct setegid_args { 733 gid_t egid; 734 }; 735 #endif 736 /* ARGSUSED */ 737 int 738 setegid(struct thread *td, struct setegid_args *uap) 739 { 740 struct proc *p = td->td_proc; 741 struct ucred *newcred, *oldcred; 742 gid_t egid; 743 int error; 744 745 egid = uap->egid; 746 AUDIT_ARG(egid, egid); 747 newcred = crget(); 748 PROC_LOCK(p); 749 oldcred = p->p_ucred; 750 751 #ifdef MAC 752 error = mac_check_proc_setegid(p, oldcred, egid); 753 if (error) 754 goto fail; 755 #endif 756 757 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 758 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 759 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 760 SUSER_ALLOWJAIL)) != 0) 761 goto fail; 762 763 crcopy(newcred, oldcred); 764 if (oldcred->cr_groups[0] != egid) { 765 change_egid(newcred, egid); 766 setsugid(p); 767 } 768 p->p_ucred = newcred; 769 PROC_UNLOCK(p); 770 crfree(oldcred); 771 return (0); 772 773 fail: 774 PROC_UNLOCK(p); 775 crfree(newcred); 776 return (error); 777 } 778 779 #ifndef _SYS_SYSPROTO_H_ 780 struct setgroups_args { 781 u_int gidsetsize; 782 gid_t *gidset; 783 }; 784 #endif 785 /* ARGSUSED */ 786 int 787 setgroups(struct thread *td, struct setgroups_args *uap) 788 { 789 gid_t groups[NGROUPS]; 790 int error; 791 792 if (uap->gidsetsize > NGROUPS) 793 return (EINVAL); 794 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 795 if (error) 796 return (error); 797 return (kern_setgroups(td, uap->gidsetsize, groups)); 798 } 799 800 int 801 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 802 { 803 struct proc *p = td->td_proc; 804 struct ucred *newcred, *oldcred; 805 int error; 806 807 if (ngrp > NGROUPS) 808 return (EINVAL); 809 AUDIT_ARG(groupset, groups, ngrp); 810 newcred = crget(); 811 PROC_LOCK(p); 812 oldcred = p->p_ucred; 813 814 #ifdef MAC 815 error = mac_check_proc_setgroups(p, oldcred, ngrp, groups); 816 if (error) 817 goto fail; 818 #endif 819 820 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 821 SUSER_ALLOWJAIL); 822 if (error) 823 goto fail; 824 825 /* 826 * XXX A little bit lazy here. We could test if anything has 827 * changed before crcopy() and setting P_SUGID. 828 */ 829 crcopy(newcred, oldcred); 830 if (ngrp < 1) { 831 /* 832 * setgroups(0, NULL) is a legitimate way of clearing the 833 * groups vector on non-BSD systems (which generally do not 834 * have the egid in the groups[0]). We risk security holes 835 * when running non-BSD software if we do not do the same. 836 */ 837 newcred->cr_ngroups = 1; 838 } else { 839 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 840 newcred->cr_ngroups = ngrp; 841 } 842 setsugid(p); 843 p->p_ucred = newcred; 844 PROC_UNLOCK(p); 845 crfree(oldcred); 846 return (0); 847 848 fail: 849 PROC_UNLOCK(p); 850 crfree(newcred); 851 return (error); 852 } 853 854 #ifndef _SYS_SYSPROTO_H_ 855 struct setreuid_args { 856 uid_t ruid; 857 uid_t euid; 858 }; 859 #endif 860 /* ARGSUSED */ 861 int 862 setreuid(register struct thread *td, struct setreuid_args *uap) 863 { 864 struct proc *p = td->td_proc; 865 struct ucred *newcred, *oldcred; 866 uid_t euid, ruid; 867 struct uidinfo *euip, *ruip; 868 int error; 869 870 euid = uap->euid; 871 ruid = uap->ruid; 872 AUDIT_ARG(euid, euid); 873 AUDIT_ARG(ruid, ruid); 874 newcred = crget(); 875 euip = uifind(euid); 876 ruip = uifind(ruid); 877 PROC_LOCK(p); 878 oldcred = p->p_ucred; 879 880 #ifdef MAC 881 error = mac_check_proc_setreuid(p, oldcred, ruid, euid); 882 if (error) 883 goto fail; 884 #endif 885 886 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 887 ruid != oldcred->cr_svuid) || 888 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 889 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 890 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 891 SUSER_ALLOWJAIL)) != 0) 892 goto fail; 893 894 crcopy(newcred, oldcred); 895 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 896 change_euid(newcred, euip); 897 setsugid(p); 898 } 899 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 900 change_ruid(newcred, ruip); 901 setsugid(p); 902 } 903 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 904 newcred->cr_svuid != newcred->cr_uid) { 905 change_svuid(newcred, newcred->cr_uid); 906 setsugid(p); 907 } 908 p->p_ucred = newcred; 909 PROC_UNLOCK(p); 910 uifree(ruip); 911 uifree(euip); 912 crfree(oldcred); 913 return (0); 914 915 fail: 916 PROC_UNLOCK(p); 917 uifree(ruip); 918 uifree(euip); 919 crfree(newcred); 920 return (error); 921 } 922 923 #ifndef _SYS_SYSPROTO_H_ 924 struct setregid_args { 925 gid_t rgid; 926 gid_t egid; 927 }; 928 #endif 929 /* ARGSUSED */ 930 int 931 setregid(register struct thread *td, struct setregid_args *uap) 932 { 933 struct proc *p = td->td_proc; 934 struct ucred *newcred, *oldcred; 935 gid_t egid, rgid; 936 int error; 937 938 egid = uap->egid; 939 rgid = uap->rgid; 940 AUDIT_ARG(egid, egid); 941 AUDIT_ARG(rgid, rgid); 942 newcred = crget(); 943 PROC_LOCK(p); 944 oldcred = p->p_ucred; 945 946 #ifdef MAC 947 error = mac_check_proc_setregid(p, oldcred, rgid, egid); 948 if (error) 949 goto fail; 950 #endif 951 952 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 953 rgid != oldcred->cr_svgid) || 954 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 955 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 956 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 957 SUSER_ALLOWJAIL)) != 0) 958 goto fail; 959 960 crcopy(newcred, oldcred); 961 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 962 change_egid(newcred, egid); 963 setsugid(p); 964 } 965 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 966 change_rgid(newcred, rgid); 967 setsugid(p); 968 } 969 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 970 newcred->cr_svgid != newcred->cr_groups[0]) { 971 change_svgid(newcred, newcred->cr_groups[0]); 972 setsugid(p); 973 } 974 p->p_ucred = newcred; 975 PROC_UNLOCK(p); 976 crfree(oldcred); 977 return (0); 978 979 fail: 980 PROC_UNLOCK(p); 981 crfree(newcred); 982 return (error); 983 } 984 985 /* 986 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 987 * uid is explicit. 988 */ 989 #ifndef _SYS_SYSPROTO_H_ 990 struct setresuid_args { 991 uid_t ruid; 992 uid_t euid; 993 uid_t suid; 994 }; 995 #endif 996 /* ARGSUSED */ 997 int 998 setresuid(register struct thread *td, struct setresuid_args *uap) 999 { 1000 struct proc *p = td->td_proc; 1001 struct ucred *newcred, *oldcred; 1002 uid_t euid, ruid, suid; 1003 struct uidinfo *euip, *ruip; 1004 int error; 1005 1006 euid = uap->euid; 1007 ruid = uap->ruid; 1008 suid = uap->suid; 1009 AUDIT_ARG(euid, euid); 1010 AUDIT_ARG(ruid, ruid); 1011 AUDIT_ARG(suid, suid); 1012 newcred = crget(); 1013 euip = uifind(euid); 1014 ruip = uifind(ruid); 1015 PROC_LOCK(p); 1016 oldcred = p->p_ucred; 1017 1018 #ifdef MAC 1019 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); 1020 if (error) 1021 goto fail; 1022 #endif 1023 1024 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1025 ruid != oldcred->cr_svuid && 1026 ruid != oldcred->cr_uid) || 1027 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1028 euid != oldcred->cr_svuid && 1029 euid != oldcred->cr_uid) || 1030 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1031 suid != oldcred->cr_svuid && 1032 suid != oldcred->cr_uid)) && 1033 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 1034 SUSER_ALLOWJAIL)) != 0) 1035 goto fail; 1036 1037 crcopy(newcred, oldcred); 1038 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1039 change_euid(newcred, euip); 1040 setsugid(p); 1041 } 1042 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1043 change_ruid(newcred, ruip); 1044 setsugid(p); 1045 } 1046 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1047 change_svuid(newcred, suid); 1048 setsugid(p); 1049 } 1050 p->p_ucred = newcred; 1051 PROC_UNLOCK(p); 1052 uifree(ruip); 1053 uifree(euip); 1054 crfree(oldcred); 1055 return (0); 1056 1057 fail: 1058 PROC_UNLOCK(p); 1059 uifree(ruip); 1060 uifree(euip); 1061 crfree(newcred); 1062 return (error); 1063 1064 } 1065 1066 /* 1067 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1068 * gid is explicit. 1069 */ 1070 #ifndef _SYS_SYSPROTO_H_ 1071 struct setresgid_args { 1072 gid_t rgid; 1073 gid_t egid; 1074 gid_t sgid; 1075 }; 1076 #endif 1077 /* ARGSUSED */ 1078 int 1079 setresgid(register struct thread *td, struct setresgid_args *uap) 1080 { 1081 struct proc *p = td->td_proc; 1082 struct ucred *newcred, *oldcred; 1083 gid_t egid, rgid, sgid; 1084 int error; 1085 1086 egid = uap->egid; 1087 rgid = uap->rgid; 1088 sgid = uap->sgid; 1089 AUDIT_ARG(egid, egid); 1090 AUDIT_ARG(rgid, rgid); 1091 AUDIT_ARG(sgid, sgid); 1092 newcred = crget(); 1093 PROC_LOCK(p); 1094 oldcred = p->p_ucred; 1095 1096 #ifdef MAC 1097 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); 1098 if (error) 1099 goto fail; 1100 #endif 1101 1102 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1103 rgid != oldcred->cr_svgid && 1104 rgid != oldcred->cr_groups[0]) || 1105 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1106 egid != oldcred->cr_svgid && 1107 egid != oldcred->cr_groups[0]) || 1108 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1109 sgid != oldcred->cr_svgid && 1110 sgid != oldcred->cr_groups[0])) && 1111 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 1112 SUSER_ALLOWJAIL)) != 0) 1113 goto fail; 1114 1115 crcopy(newcred, oldcred); 1116 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1117 change_egid(newcred, egid); 1118 setsugid(p); 1119 } 1120 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1121 change_rgid(newcred, rgid); 1122 setsugid(p); 1123 } 1124 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1125 change_svgid(newcred, sgid); 1126 setsugid(p); 1127 } 1128 p->p_ucred = newcred; 1129 PROC_UNLOCK(p); 1130 crfree(oldcred); 1131 return (0); 1132 1133 fail: 1134 PROC_UNLOCK(p); 1135 crfree(newcred); 1136 return (error); 1137 } 1138 1139 #ifndef _SYS_SYSPROTO_H_ 1140 struct getresuid_args { 1141 uid_t *ruid; 1142 uid_t *euid; 1143 uid_t *suid; 1144 }; 1145 #endif 1146 /* ARGSUSED */ 1147 int 1148 getresuid(register struct thread *td, struct getresuid_args *uap) 1149 { 1150 struct ucred *cred; 1151 int error1 = 0, error2 = 0, error3 = 0; 1152 1153 cred = td->td_ucred; 1154 if (uap->ruid) 1155 error1 = copyout(&cred->cr_ruid, 1156 uap->ruid, sizeof(cred->cr_ruid)); 1157 if (uap->euid) 1158 error2 = copyout(&cred->cr_uid, 1159 uap->euid, sizeof(cred->cr_uid)); 1160 if (uap->suid) 1161 error3 = copyout(&cred->cr_svuid, 1162 uap->suid, sizeof(cred->cr_svuid)); 1163 return (error1 ? error1 : error2 ? error2 : error3); 1164 } 1165 1166 #ifndef _SYS_SYSPROTO_H_ 1167 struct getresgid_args { 1168 gid_t *rgid; 1169 gid_t *egid; 1170 gid_t *sgid; 1171 }; 1172 #endif 1173 /* ARGSUSED */ 1174 int 1175 getresgid(register struct thread *td, struct getresgid_args *uap) 1176 { 1177 struct ucred *cred; 1178 int error1 = 0, error2 = 0, error3 = 0; 1179 1180 cred = td->td_ucred; 1181 if (uap->rgid) 1182 error1 = copyout(&cred->cr_rgid, 1183 uap->rgid, sizeof(cred->cr_rgid)); 1184 if (uap->egid) 1185 error2 = copyout(&cred->cr_groups[0], 1186 uap->egid, sizeof(cred->cr_groups[0])); 1187 if (uap->sgid) 1188 error3 = copyout(&cred->cr_svgid, 1189 uap->sgid, sizeof(cred->cr_svgid)); 1190 return (error1 ? error1 : error2 ? error2 : error3); 1191 } 1192 1193 #ifndef _SYS_SYSPROTO_H_ 1194 struct issetugid_args { 1195 int dummy; 1196 }; 1197 #endif 1198 /* ARGSUSED */ 1199 int 1200 issetugid(register struct thread *td, struct issetugid_args *uap) 1201 { 1202 struct proc *p = td->td_proc; 1203 1204 /* 1205 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1206 * we use P_SUGID because we consider changing the owners as 1207 * "tainting" as well. 1208 * This is significant for procs that start as root and "become" 1209 * a user without an exec - programs cannot know *everything* 1210 * that libc *might* have put in their data segment. 1211 */ 1212 PROC_LOCK(p); 1213 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1214 PROC_UNLOCK(p); 1215 return (0); 1216 } 1217 1218 int 1219 __setugid(struct thread *td, struct __setugid_args *uap) 1220 { 1221 #ifdef REGRESSION 1222 struct proc *p; 1223 1224 p = td->td_proc; 1225 switch (uap->flag) { 1226 case 0: 1227 PROC_LOCK(p); 1228 p->p_flag &= ~P_SUGID; 1229 PROC_UNLOCK(p); 1230 return (0); 1231 case 1: 1232 PROC_LOCK(p); 1233 p->p_flag |= P_SUGID; 1234 PROC_UNLOCK(p); 1235 return (0); 1236 default: 1237 return (EINVAL); 1238 } 1239 #else /* !REGRESSION */ 1240 1241 return (ENOSYS); 1242 #endif /* REGRESSION */ 1243 } 1244 1245 /* 1246 * Check if gid is a member of the group set. 1247 */ 1248 int 1249 groupmember(gid_t gid, struct ucred *cred) 1250 { 1251 register gid_t *gp; 1252 gid_t *egp; 1253 1254 egp = &(cred->cr_groups[cred->cr_ngroups]); 1255 for (gp = cred->cr_groups; gp < egp; gp++) 1256 if (*gp == gid) 1257 return (1); 1258 return (0); 1259 } 1260 1261 /* 1262 * Test the active securelevel against a given level. securelevel_gt() 1263 * implements (securelevel > level). securelevel_ge() implements 1264 * (securelevel >= level). Note that the logic is inverted -- these 1265 * functions return EPERM on "success" and 0 on "failure". 1266 * 1267 * XXXRW: Possibly since this has to do with privilege, it should move to 1268 * kern_priv.c. 1269 */ 1270 int 1271 securelevel_gt(struct ucred *cr, int level) 1272 { 1273 int active_securelevel; 1274 1275 active_securelevel = securelevel; 1276 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1277 if (cr->cr_prison != NULL) 1278 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1279 active_securelevel); 1280 return (active_securelevel > level ? EPERM : 0); 1281 } 1282 1283 int 1284 securelevel_ge(struct ucred *cr, int level) 1285 { 1286 int active_securelevel; 1287 1288 active_securelevel = securelevel; 1289 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1290 if (cr->cr_prison != NULL) 1291 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1292 active_securelevel); 1293 return (active_securelevel >= level ? EPERM : 0); 1294 } 1295 1296 /* 1297 * 'see_other_uids' determines whether or not visibility of processes 1298 * and sockets with credentials holding different real uids is possible 1299 * using a variety of system MIBs. 1300 * XXX: data declarations should be together near the beginning of the file. 1301 */ 1302 static int see_other_uids = 1; 1303 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1304 &see_other_uids, 0, 1305 "Unprivileged processes may see subjects/objects with different real uid"); 1306 1307 /*- 1308 * Determine if u1 "can see" the subject specified by u2, according to the 1309 * 'see_other_uids' policy. 1310 * Returns: 0 for permitted, ESRCH otherwise 1311 * Locks: none 1312 * References: *u1 and *u2 must not change during the call 1313 * u1 may equal u2, in which case only one reference is required 1314 */ 1315 static int 1316 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1317 { 1318 1319 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1320 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL) 1321 != 0) 1322 return (ESRCH); 1323 } 1324 return (0); 1325 } 1326 1327 /* 1328 * 'see_other_gids' determines whether or not visibility of processes 1329 * and sockets with credentials holding different real gids is possible 1330 * using a variety of system MIBs. 1331 * XXX: data declarations should be together near the beginning of the file. 1332 */ 1333 static int see_other_gids = 1; 1334 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1335 &see_other_gids, 0, 1336 "Unprivileged processes may see subjects/objects with different real gid"); 1337 1338 /* 1339 * Determine if u1 can "see" the subject specified by u2, according to the 1340 * 'see_other_gids' policy. 1341 * Returns: 0 for permitted, ESRCH otherwise 1342 * Locks: none 1343 * References: *u1 and *u2 must not change during the call 1344 * u1 may equal u2, in which case only one reference is required 1345 */ 1346 static int 1347 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1348 { 1349 int i, match; 1350 1351 if (!see_other_gids) { 1352 match = 0; 1353 for (i = 0; i < u1->cr_ngroups; i++) { 1354 if (groupmember(u1->cr_groups[i], u2)) 1355 match = 1; 1356 if (match) 1357 break; 1358 } 1359 if (!match) { 1360 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 1361 SUSER_ALLOWJAIL) != 0) 1362 return (ESRCH); 1363 } 1364 } 1365 return (0); 1366 } 1367 1368 /*- 1369 * Determine if u1 "can see" the subject specified by u2. 1370 * Returns: 0 for permitted, an errno value otherwise 1371 * Locks: none 1372 * References: *u1 and *u2 must not change during the call 1373 * u1 may equal u2, in which case only one reference is required 1374 */ 1375 int 1376 cr_cansee(struct ucred *u1, struct ucred *u2) 1377 { 1378 int error; 1379 1380 if ((error = prison_check(u1, u2))) 1381 return (error); 1382 #ifdef MAC 1383 if ((error = mac_check_cred_visible(u1, u2))) 1384 return (error); 1385 #endif 1386 if ((error = cr_seeotheruids(u1, u2))) 1387 return (error); 1388 if ((error = cr_seeothergids(u1, u2))) 1389 return (error); 1390 return (0); 1391 } 1392 1393 /*- 1394 * Determine if td "can see" the subject specified by p. 1395 * Returns: 0 for permitted, an errno value otherwise 1396 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1397 * should be curthread. 1398 * References: td and p must be valid for the lifetime of the call 1399 */ 1400 int 1401 p_cansee(struct thread *td, struct proc *p) 1402 { 1403 1404 /* Wrap cr_cansee() for all functionality. */ 1405 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1406 PROC_LOCK_ASSERT(p, MA_OWNED); 1407 return (cr_cansee(td->td_ucred, p->p_ucred)); 1408 } 1409 1410 /* 1411 * 'conservative_signals' prevents the delivery of a broad class of 1412 * signals by unprivileged processes to processes that have changed their 1413 * credentials since the last invocation of execve(). This can prevent 1414 * the leakage of cached information or retained privileges as a result 1415 * of a common class of signal-related vulnerabilities. However, this 1416 * may interfere with some applications that expect to be able to 1417 * deliver these signals to peer processes after having given up 1418 * privilege. 1419 */ 1420 static int conservative_signals = 1; 1421 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1422 &conservative_signals, 0, "Unprivileged processes prevented from " 1423 "sending certain signals to processes whose credentials have changed"); 1424 /*- 1425 * Determine whether cred may deliver the specified signal to proc. 1426 * Returns: 0 for permitted, an errno value otherwise. 1427 * Locks: A lock must be held for proc. 1428 * References: cred and proc must be valid for the lifetime of the call. 1429 */ 1430 int 1431 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1432 { 1433 int error; 1434 1435 PROC_LOCK_ASSERT(proc, MA_OWNED); 1436 /* 1437 * Jail semantics limit the scope of signalling to proc in the 1438 * same jail as cred, if cred is in jail. 1439 */ 1440 error = prison_check(cred, proc->p_ucred); 1441 if (error) 1442 return (error); 1443 #ifdef MAC 1444 if ((error = mac_check_proc_signal(cred, proc, signum))) 1445 return (error); 1446 #endif 1447 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1448 return (error); 1449 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1450 return (error); 1451 1452 /* 1453 * UNIX signal semantics depend on the status of the P_SUGID 1454 * bit on the target process. If the bit is set, then additional 1455 * restrictions are placed on the set of available signals. 1456 */ 1457 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1458 switch (signum) { 1459 case 0: 1460 case SIGKILL: 1461 case SIGINT: 1462 case SIGTERM: 1463 case SIGALRM: 1464 case SIGSTOP: 1465 case SIGTTIN: 1466 case SIGTTOU: 1467 case SIGTSTP: 1468 case SIGHUP: 1469 case SIGUSR1: 1470 case SIGUSR2: 1471 /* 1472 * Generally, permit job and terminal control 1473 * signals. 1474 */ 1475 break; 1476 default: 1477 /* Not permitted without privilege. */ 1478 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 1479 SUSER_ALLOWJAIL); 1480 if (error) 1481 return (error); 1482 } 1483 } 1484 1485 /* 1486 * Generally, the target credential's ruid or svuid must match the 1487 * subject credential's ruid or euid. 1488 */ 1489 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1490 cred->cr_ruid != proc->p_ucred->cr_svuid && 1491 cred->cr_uid != proc->p_ucred->cr_ruid && 1492 cred->cr_uid != proc->p_ucred->cr_svuid) { 1493 /* Not permitted without privilege. */ 1494 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 1495 SUSER_ALLOWJAIL); 1496 if (error) 1497 return (error); 1498 } 1499 1500 return (0); 1501 } 1502 1503 /*- 1504 * Determine whether td may deliver the specified signal to p. 1505 * Returns: 0 for permitted, an errno value otherwise 1506 * Locks: Sufficient locks to protect various components of td and p 1507 * must be held. td must be curthread, and a lock must be 1508 * held for p. 1509 * References: td and p must be valid for the lifetime of the call 1510 */ 1511 int 1512 p_cansignal(struct thread *td, struct proc *p, int signum) 1513 { 1514 1515 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1516 PROC_LOCK_ASSERT(p, MA_OWNED); 1517 if (td->td_proc == p) 1518 return (0); 1519 1520 /* 1521 * UNIX signalling semantics require that processes in the same 1522 * session always be able to deliver SIGCONT to one another, 1523 * overriding the remaining protections. 1524 */ 1525 /* XXX: This will require an additional lock of some sort. */ 1526 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1527 return (0); 1528 /* 1529 * Some compat layers use SIGTHR and higher signals for 1530 * communication between different kernel threads of the same 1531 * process, so that they expect that it's always possible to 1532 * deliver them, even for suid applications where cr_cansignal() can 1533 * deny such ability for security consideration. It should be 1534 * pretty safe to do since the only way to create two processes 1535 * with the same p_leader is via rfork(2). 1536 */ 1537 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1538 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1539 return (0); 1540 1541 return (cr_cansignal(td->td_ucred, p, signum)); 1542 } 1543 1544 /*- 1545 * Determine whether td may reschedule p. 1546 * Returns: 0 for permitted, an errno value otherwise 1547 * Locks: Sufficient locks to protect various components of td and p 1548 * must be held. td must be curthread, and a lock must 1549 * be held for p. 1550 * References: td and p must be valid for the lifetime of the call 1551 */ 1552 int 1553 p_cansched(struct thread *td, struct proc *p) 1554 { 1555 int error; 1556 1557 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1558 PROC_LOCK_ASSERT(p, MA_OWNED); 1559 if (td->td_proc == p) 1560 return (0); 1561 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1562 return (error); 1563 #ifdef MAC 1564 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1565 return (error); 1566 #endif 1567 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1568 return (error); 1569 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1570 return (error); 1571 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1572 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1573 error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED, 1574 SUSER_ALLOWJAIL); 1575 if (error) 1576 return (error); 1577 } 1578 return (0); 1579 } 1580 1581 /* 1582 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1583 * unprivileged inter-process debugging services, including some procfs 1584 * functionality, ptrace(), and ktrace(). In the past, inter-process 1585 * debugging has been involved in a variety of security problems, and sites 1586 * not requiring the service might choose to disable it when hardening 1587 * systems. 1588 * 1589 * XXX: Should modifying and reading this variable require locking? 1590 * XXX: data declarations should be together near the beginning of the file. 1591 */ 1592 static int unprivileged_proc_debug = 1; 1593 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1594 &unprivileged_proc_debug, 0, 1595 "Unprivileged processes may use process debugging facilities"); 1596 1597 /*- 1598 * Determine whether td may debug p. 1599 * Returns: 0 for permitted, an errno value otherwise 1600 * Locks: Sufficient locks to protect various components of td and p 1601 * must be held. td must be curthread, and a lock must 1602 * be held for p. 1603 * References: td and p must be valid for the lifetime of the call 1604 */ 1605 int 1606 p_candebug(struct thread *td, struct proc *p) 1607 { 1608 int credentialchanged, error, grpsubset, i, uidsubset; 1609 1610 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1611 PROC_LOCK_ASSERT(p, MA_OWNED); 1612 if (!unprivileged_proc_debug) { 1613 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV, 1614 SUSER_ALLOWJAIL); 1615 if (error) 1616 return (error); 1617 } 1618 if (td->td_proc == p) 1619 return (0); 1620 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1621 return (error); 1622 #ifdef MAC 1623 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1624 return (error); 1625 #endif 1626 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1627 return (error); 1628 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1629 return (error); 1630 1631 /* 1632 * Is p's group set a subset of td's effective group set? This 1633 * includes p's egid, group access list, rgid, and svgid. 1634 */ 1635 grpsubset = 1; 1636 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1637 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1638 grpsubset = 0; 1639 break; 1640 } 1641 } 1642 grpsubset = grpsubset && 1643 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1644 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1645 1646 /* 1647 * Are the uids present in p's credential equal to td's 1648 * effective uid? This includes p's euid, svuid, and ruid. 1649 */ 1650 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1651 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1652 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1653 1654 /* 1655 * Has the credential of the process changed since the last exec()? 1656 */ 1657 credentialchanged = (p->p_flag & P_SUGID); 1658 1659 /* 1660 * If p's gids aren't a subset, or the uids aren't a subset, 1661 * or the credential has changed, require appropriate privilege 1662 * for td to debug p. 1663 */ 1664 if (!grpsubset || !uidsubset) { 1665 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED, 1666 SUSER_ALLOWJAIL); 1667 if (error) 1668 return (error); 1669 } 1670 1671 if (credentialchanged) { 1672 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID, 1673 SUSER_ALLOWJAIL); 1674 if (error) 1675 return (error); 1676 } 1677 1678 /* Can't trace init when securelevel > 0. */ 1679 if (p == initproc) { 1680 error = securelevel_gt(td->td_ucred, 0); 1681 if (error) 1682 return (error); 1683 } 1684 1685 /* 1686 * Can't trace a process that's currently exec'ing. 1687 * 1688 * XXX: Note, this is not a security policy decision, it's a 1689 * basic correctness/functionality decision. Therefore, this check 1690 * should be moved to the caller's of p_candebug(). 1691 */ 1692 if ((p->p_flag & P_INEXEC) != 0) 1693 return (EAGAIN); 1694 1695 return (0); 1696 } 1697 1698 /*- 1699 * Determine whether the subject represented by cred can "see" a socket. 1700 * Returns: 0 for permitted, ENOENT otherwise. 1701 */ 1702 int 1703 cr_canseesocket(struct ucred *cred, struct socket *so) 1704 { 1705 int error; 1706 1707 error = prison_check(cred, so->so_cred); 1708 if (error) 1709 return (ENOENT); 1710 #ifdef MAC 1711 SOCK_LOCK(so); 1712 error = mac_check_socket_visible(cred, so); 1713 SOCK_UNLOCK(so); 1714 if (error) 1715 return (error); 1716 #endif 1717 if (cr_seeotheruids(cred, so->so_cred)) 1718 return (ENOENT); 1719 if (cr_seeothergids(cred, so->so_cred)) 1720 return (ENOENT); 1721 1722 return (0); 1723 } 1724 1725 /*- 1726 * Determine whether td can wait for the exit of p. 1727 * Returns: 0 for permitted, an errno value otherwise 1728 * Locks: Sufficient locks to protect various components of td and p 1729 * must be held. td must be curthread, and a lock must 1730 * be held for p. 1731 * References: td and p must be valid for the lifetime of the call 1732 1733 */ 1734 int 1735 p_canwait(struct thread *td, struct proc *p) 1736 { 1737 int error; 1738 1739 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1740 PROC_LOCK_ASSERT(p, MA_OWNED); 1741 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1742 return (error); 1743 #ifdef MAC 1744 if ((error = mac_check_proc_wait(td->td_ucred, p))) 1745 return (error); 1746 #endif 1747 #if 0 1748 /* XXXMAC: This could have odd effects on some shells. */ 1749 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1750 return (error); 1751 #endif 1752 1753 return (0); 1754 } 1755 1756 /* 1757 * Allocate a zeroed cred structure. 1758 */ 1759 struct ucred * 1760 crget(void) 1761 { 1762 register struct ucred *cr; 1763 1764 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1765 refcount_init(&cr->cr_ref, 1); 1766 #ifdef MAC 1767 mac_init_cred(cr); 1768 #endif 1769 return (cr); 1770 } 1771 1772 /* 1773 * Claim another reference to a ucred structure. 1774 */ 1775 struct ucred * 1776 crhold(struct ucred *cr) 1777 { 1778 1779 refcount_acquire(&cr->cr_ref); 1780 return (cr); 1781 } 1782 1783 /* 1784 * Free a cred structure. Throws away space when ref count gets to 0. 1785 */ 1786 void 1787 crfree(struct ucred *cr) 1788 { 1789 1790 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1791 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1792 if (refcount_release(&cr->cr_ref)) { 1793 /* 1794 * Some callers of crget(), such as nfs_statfs(), 1795 * allocate a temporary credential, but don't 1796 * allocate a uidinfo structure. 1797 */ 1798 if (cr->cr_uidinfo != NULL) 1799 uifree(cr->cr_uidinfo); 1800 if (cr->cr_ruidinfo != NULL) 1801 uifree(cr->cr_ruidinfo); 1802 /* 1803 * Free a prison, if any. 1804 */ 1805 if (jailed(cr)) 1806 prison_free(cr->cr_prison); 1807 #ifdef MAC 1808 mac_destroy_cred(cr); 1809 #endif 1810 FREE(cr, M_CRED); 1811 } 1812 } 1813 1814 /* 1815 * Check to see if this ucred is shared. 1816 */ 1817 int 1818 crshared(struct ucred *cr) 1819 { 1820 1821 return (cr->cr_ref > 1); 1822 } 1823 1824 /* 1825 * Copy a ucred's contents from a template. Does not block. 1826 */ 1827 void 1828 crcopy(struct ucred *dest, struct ucred *src) 1829 { 1830 1831 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1832 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1833 (unsigned)((caddr_t)&src->cr_endcopy - 1834 (caddr_t)&src->cr_startcopy)); 1835 uihold(dest->cr_uidinfo); 1836 uihold(dest->cr_ruidinfo); 1837 if (jailed(dest)) 1838 prison_hold(dest->cr_prison); 1839 #ifdef MAC 1840 mac_copy_cred(src, dest); 1841 #endif 1842 } 1843 1844 /* 1845 * Dup cred struct to a new held one. 1846 */ 1847 struct ucred * 1848 crdup(struct ucred *cr) 1849 { 1850 struct ucred *newcr; 1851 1852 newcr = crget(); 1853 crcopy(newcr, cr); 1854 return (newcr); 1855 } 1856 1857 /* 1858 * Fill in a struct xucred based on a struct ucred. 1859 */ 1860 void 1861 cru2x(struct ucred *cr, struct xucred *xcr) 1862 { 1863 1864 bzero(xcr, sizeof(*xcr)); 1865 xcr->cr_version = XUCRED_VERSION; 1866 xcr->cr_uid = cr->cr_uid; 1867 xcr->cr_ngroups = cr->cr_ngroups; 1868 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1869 } 1870 1871 /* 1872 * small routine to swap a thread's current ucred for the correct one taken 1873 * from the process. 1874 */ 1875 void 1876 cred_update_thread(struct thread *td) 1877 { 1878 struct proc *p; 1879 struct ucred *cred; 1880 1881 p = td->td_proc; 1882 cred = td->td_ucred; 1883 PROC_LOCK(p); 1884 td->td_ucred = crhold(p->p_ucred); 1885 PROC_UNLOCK(p); 1886 if (cred != NULL) 1887 crfree(cred); 1888 } 1889 1890 /* 1891 * Get login name, if available. 1892 */ 1893 #ifndef _SYS_SYSPROTO_H_ 1894 struct getlogin_args { 1895 char *namebuf; 1896 u_int namelen; 1897 }; 1898 #endif 1899 /* ARGSUSED */ 1900 int 1901 getlogin(struct thread *td, struct getlogin_args *uap) 1902 { 1903 int error; 1904 char login[MAXLOGNAME]; 1905 struct proc *p = td->td_proc; 1906 1907 if (uap->namelen > MAXLOGNAME) 1908 uap->namelen = MAXLOGNAME; 1909 PROC_LOCK(p); 1910 SESS_LOCK(p->p_session); 1911 bcopy(p->p_session->s_login, login, uap->namelen); 1912 SESS_UNLOCK(p->p_session); 1913 PROC_UNLOCK(p); 1914 error = copyout(login, uap->namebuf, uap->namelen); 1915 return(error); 1916 } 1917 1918 /* 1919 * Set login name. 1920 */ 1921 #ifndef _SYS_SYSPROTO_H_ 1922 struct setlogin_args { 1923 char *namebuf; 1924 }; 1925 #endif 1926 /* ARGSUSED */ 1927 int 1928 setlogin(struct thread *td, struct setlogin_args *uap) 1929 { 1930 struct proc *p = td->td_proc; 1931 int error; 1932 char logintmp[MAXLOGNAME]; 1933 1934 error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN, 1935 SUSER_ALLOWJAIL); 1936 if (error) 1937 return (error); 1938 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1939 if (error == ENAMETOOLONG) 1940 error = EINVAL; 1941 else if (!error) { 1942 PROC_LOCK(p); 1943 SESS_LOCK(p->p_session); 1944 (void) memcpy(p->p_session->s_login, logintmp, 1945 sizeof(logintmp)); 1946 SESS_UNLOCK(p->p_session); 1947 PROC_UNLOCK(p); 1948 } 1949 return (error); 1950 } 1951 1952 void 1953 setsugid(struct proc *p) 1954 { 1955 1956 PROC_LOCK_ASSERT(p, MA_OWNED); 1957 p->p_flag |= P_SUGID; 1958 if (!(p->p_pfsflags & PF_ISUGID)) 1959 p->p_stops = 0; 1960 } 1961 1962 /*- 1963 * Change a process's effective uid. 1964 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1965 * References: newcred must be an exclusive credential reference for the 1966 * duration of the call. 1967 */ 1968 void 1969 change_euid(struct ucred *newcred, struct uidinfo *euip) 1970 { 1971 1972 newcred->cr_uid = euip->ui_uid; 1973 uihold(euip); 1974 uifree(newcred->cr_uidinfo); 1975 newcred->cr_uidinfo = euip; 1976 } 1977 1978 /*- 1979 * Change a process's effective gid. 1980 * Side effects: newcred->cr_gid will be modified. 1981 * References: newcred must be an exclusive credential reference for the 1982 * duration of the call. 1983 */ 1984 void 1985 change_egid(struct ucred *newcred, gid_t egid) 1986 { 1987 1988 newcred->cr_groups[0] = egid; 1989 } 1990 1991 /*- 1992 * Change a process's real uid. 1993 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1994 * will be updated, and the old and new cr_ruidinfo proc 1995 * counts will be updated. 1996 * References: newcred must be an exclusive credential reference for the 1997 * duration of the call. 1998 */ 1999 void 2000 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2001 { 2002 2003 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2004 newcred->cr_ruid = ruip->ui_uid; 2005 uihold(ruip); 2006 uifree(newcred->cr_ruidinfo); 2007 newcred->cr_ruidinfo = ruip; 2008 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2009 } 2010 2011 /*- 2012 * Change a process's real gid. 2013 * Side effects: newcred->cr_rgid will be updated. 2014 * References: newcred must be an exclusive credential reference for the 2015 * duration of the call. 2016 */ 2017 void 2018 change_rgid(struct ucred *newcred, gid_t rgid) 2019 { 2020 2021 newcred->cr_rgid = rgid; 2022 } 2023 2024 /*- 2025 * Change a process's saved uid. 2026 * Side effects: newcred->cr_svuid will be updated. 2027 * References: newcred must be an exclusive credential reference for the 2028 * duration of the call. 2029 */ 2030 void 2031 change_svuid(struct ucred *newcred, uid_t svuid) 2032 { 2033 2034 newcred->cr_svuid = svuid; 2035 } 2036 2037 /*- 2038 * Change a process's saved gid. 2039 * Side effects: newcred->cr_svgid will be updated. 2040 * References: newcred must be an exclusive credential reference for the 2041 * duration of the call. 2042 */ 2043 void 2044 change_svgid(struct ucred *newcred, gid_t svgid) 2045 { 2046 2047 newcred->cr_svgid = svgid; 2048 } 2049