1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/cdefs.h> 43 __FBSDID("$FreeBSD$"); 44 45 #include "opt_compat.h" 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/acct.h> 51 #include <sys/kdb.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/malloc.h> 55 #include <sys/mutex.h> 56 #include <sys/refcount.h> 57 #include <sys/sx.h> 58 #include <sys/priv.h> 59 #include <sys/proc.h> 60 #include <sys/sysproto.h> 61 #include <sys/jail.h> 62 #include <sys/pioctl.h> 63 #include <sys/resourcevar.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/syscallsubr.h> 67 #include <sys/sysctl.h> 68 69 #include <security/audit/audit.h> 70 #include <security/mac/mac_framework.h> 71 72 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 73 74 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 75 76 #ifndef _SYS_SYSPROTO_H_ 77 struct getpid_args { 78 int dummy; 79 }; 80 #endif 81 /* 82 * MPSAFE 83 */ 84 /* ARGSUSED */ 85 int 86 getpid(struct thread *td, struct getpid_args *uap) 87 { 88 struct proc *p = td->td_proc; 89 90 td->td_retval[0] = p->p_pid; 91 #if defined(COMPAT_43) 92 PROC_LOCK(p); 93 td->td_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95 #endif 96 return (0); 97 } 98 99 #ifndef _SYS_SYSPROTO_H_ 100 struct getppid_args { 101 int dummy; 102 }; 103 #endif 104 /* 105 * MPSAFE 106 */ 107 /* ARGSUSED */ 108 int 109 getppid(struct thread *td, struct getppid_args *uap) 110 { 111 struct proc *p = td->td_proc; 112 113 PROC_LOCK(p); 114 td->td_retval[0] = p->p_pptr->p_pid; 115 PROC_UNLOCK(p); 116 return (0); 117 } 118 119 /* 120 * Get process group ID; note that POSIX getpgrp takes no parameter. 121 */ 122 #ifndef _SYS_SYSPROTO_H_ 123 struct getpgrp_args { 124 int dummy; 125 }; 126 #endif 127 /* 128 * MPSAFE 129 */ 130 int 131 getpgrp(struct thread *td, struct getpgrp_args *uap) 132 { 133 struct proc *p = td->td_proc; 134 135 PROC_LOCK(p); 136 td->td_retval[0] = p->p_pgrp->pg_id; 137 PROC_UNLOCK(p); 138 return (0); 139 } 140 141 /* Get an arbitary pid's process group id */ 142 #ifndef _SYS_SYSPROTO_H_ 143 struct getpgid_args { 144 pid_t pid; 145 }; 146 #endif 147 /* 148 * MPSAFE 149 */ 150 int 151 getpgid(struct thread *td, struct getpgid_args *uap) 152 { 153 struct proc *p; 154 int error; 155 156 if (uap->pid == 0) { 157 p = td->td_proc; 158 PROC_LOCK(p); 159 } else { 160 p = pfind(uap->pid); 161 if (p == NULL) 162 return (ESRCH); 163 error = p_cansee(td, p); 164 if (error) { 165 PROC_UNLOCK(p); 166 return (error); 167 } 168 } 169 td->td_retval[0] = p->p_pgrp->pg_id; 170 PROC_UNLOCK(p); 171 return (0); 172 } 173 174 /* 175 * Get an arbitary pid's session id. 176 */ 177 #ifndef _SYS_SYSPROTO_H_ 178 struct getsid_args { 179 pid_t pid; 180 }; 181 #endif 182 /* 183 * MPSAFE 184 */ 185 int 186 getsid(struct thread *td, struct getsid_args *uap) 187 { 188 struct proc *p; 189 int error; 190 191 if (uap->pid == 0) { 192 p = td->td_proc; 193 PROC_LOCK(p); 194 } else { 195 p = pfind(uap->pid); 196 if (p == NULL) 197 return (ESRCH); 198 error = p_cansee(td, p); 199 if (error) { 200 PROC_UNLOCK(p); 201 return (error); 202 } 203 } 204 td->td_retval[0] = p->p_session->s_sid; 205 PROC_UNLOCK(p); 206 return (0); 207 } 208 209 #ifndef _SYS_SYSPROTO_H_ 210 struct getuid_args { 211 int dummy; 212 }; 213 #endif 214 /* 215 * MPSAFE 216 */ 217 /* ARGSUSED */ 218 int 219 getuid(struct thread *td, struct getuid_args *uap) 220 { 221 222 td->td_retval[0] = td->td_ucred->cr_ruid; 223 #if defined(COMPAT_43) 224 td->td_retval[1] = td->td_ucred->cr_uid; 225 #endif 226 return (0); 227 } 228 229 #ifndef _SYS_SYSPROTO_H_ 230 struct geteuid_args { 231 int dummy; 232 }; 233 #endif 234 /* 235 * MPSAFE 236 */ 237 /* ARGSUSED */ 238 int 239 geteuid(struct thread *td, struct geteuid_args *uap) 240 { 241 242 td->td_retval[0] = td->td_ucred->cr_uid; 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getgid_args { 248 int dummy; 249 }; 250 #endif 251 /* 252 * MPSAFE 253 */ 254 /* ARGSUSED */ 255 int 256 getgid(struct thread *td, struct getgid_args *uap) 257 { 258 259 td->td_retval[0] = td->td_ucred->cr_rgid; 260 #if defined(COMPAT_43) 261 td->td_retval[1] = td->td_ucred->cr_groups[0]; 262 #endif 263 return (0); 264 } 265 266 /* 267 * Get effective group ID. The "egid" is groups[0], and could be obtained 268 * via getgroups. This syscall exists because it is somewhat painful to do 269 * correctly in a library function. 270 */ 271 #ifndef _SYS_SYSPROTO_H_ 272 struct getegid_args { 273 int dummy; 274 }; 275 #endif 276 /* 277 * MPSAFE 278 */ 279 /* ARGSUSED */ 280 int 281 getegid(struct thread *td, struct getegid_args *uap) 282 { 283 284 td->td_retval[0] = td->td_ucred->cr_groups[0]; 285 return (0); 286 } 287 288 #ifndef _SYS_SYSPROTO_H_ 289 struct getgroups_args { 290 u_int gidsetsize; 291 gid_t *gidset; 292 }; 293 #endif 294 /* 295 * MPSAFE 296 */ 297 int 298 getgroups(struct thread *td, register struct getgroups_args *uap) 299 { 300 gid_t groups[NGROUPS]; 301 u_int ngrp; 302 int error; 303 304 ngrp = MIN(uap->gidsetsize, NGROUPS); 305 error = kern_getgroups(td, &ngrp, groups); 306 if (error) 307 return (error); 308 if (uap->gidsetsize > 0) 309 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 310 if (error == 0) 311 td->td_retval[0] = ngrp; 312 return (error); 313 } 314 315 int 316 kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 317 { 318 struct ucred *cred; 319 320 cred = td->td_ucred; 321 if (*ngrp == 0) { 322 *ngrp = cred->cr_ngroups; 323 return (0); 324 } 325 if (*ngrp < cred->cr_ngroups) 326 return (EINVAL); 327 *ngrp = cred->cr_ngroups; 328 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 329 return (0); 330 } 331 332 #ifndef _SYS_SYSPROTO_H_ 333 struct setsid_args { 334 int dummy; 335 }; 336 #endif 337 /* 338 * MPSAFE 339 */ 340 /* ARGSUSED */ 341 int 342 setsid(register struct thread *td, struct setsid_args *uap) 343 { 344 struct pgrp *pgrp; 345 int error; 346 struct proc *p = td->td_proc; 347 struct pgrp *newpgrp; 348 struct session *newsess; 349 350 error = 0; 351 pgrp = NULL; 352 353 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 354 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 355 356 sx_xlock(&proctree_lock); 357 358 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 359 if (pgrp != NULL) 360 PGRP_UNLOCK(pgrp); 361 error = EPERM; 362 } else { 363 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 364 td->td_retval[0] = p->p_pid; 365 newpgrp = NULL; 366 newsess = NULL; 367 } 368 369 sx_xunlock(&proctree_lock); 370 371 if (newpgrp != NULL) 372 FREE(newpgrp, M_PGRP); 373 if (newsess != NULL) 374 FREE(newsess, M_SESSION); 375 376 return (error); 377 } 378 379 /* 380 * set process group (setpgid/old setpgrp) 381 * 382 * caller does setpgid(targpid, targpgid) 383 * 384 * pid must be caller or child of caller (ESRCH) 385 * if a child 386 * pid must be in same session (EPERM) 387 * pid can't have done an exec (EACCES) 388 * if pgid != pid 389 * there must exist some pid in same session having pgid (EPERM) 390 * pid must not be session leader (EPERM) 391 */ 392 #ifndef _SYS_SYSPROTO_H_ 393 struct setpgid_args { 394 int pid; /* target process id */ 395 int pgid; /* target pgrp id */ 396 }; 397 #endif 398 /* 399 * MPSAFE 400 */ 401 /* ARGSUSED */ 402 int 403 setpgid(struct thread *td, register struct setpgid_args *uap) 404 { 405 struct proc *curp = td->td_proc; 406 register struct proc *targp; /* target process */ 407 register struct pgrp *pgrp; /* target pgrp */ 408 int error; 409 struct pgrp *newpgrp; 410 411 if (uap->pgid < 0) 412 return (EINVAL); 413 414 error = 0; 415 416 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 417 418 sx_xlock(&proctree_lock); 419 if (uap->pid != 0 && uap->pid != curp->p_pid) { 420 if ((targp = pfind(uap->pid)) == NULL) { 421 error = ESRCH; 422 goto done; 423 } 424 if (!inferior(targp)) { 425 PROC_UNLOCK(targp); 426 error = ESRCH; 427 goto done; 428 } 429 if ((error = p_cansee(td, targp))) { 430 PROC_UNLOCK(targp); 431 goto done; 432 } 433 if (targp->p_pgrp == NULL || 434 targp->p_session != curp->p_session) { 435 PROC_UNLOCK(targp); 436 error = EPERM; 437 goto done; 438 } 439 if (targp->p_flag & P_EXEC) { 440 PROC_UNLOCK(targp); 441 error = EACCES; 442 goto done; 443 } 444 PROC_UNLOCK(targp); 445 } else 446 targp = curp; 447 if (SESS_LEADER(targp)) { 448 error = EPERM; 449 goto done; 450 } 451 if (uap->pgid == 0) 452 uap->pgid = targp->p_pid; 453 if ((pgrp = pgfind(uap->pgid)) == NULL) { 454 if (uap->pgid == targp->p_pid) { 455 error = enterpgrp(targp, uap->pgid, newpgrp, 456 NULL); 457 if (error == 0) 458 newpgrp = NULL; 459 } else 460 error = EPERM; 461 } else { 462 if (pgrp == targp->p_pgrp) { 463 PGRP_UNLOCK(pgrp); 464 goto done; 465 } 466 if (pgrp->pg_id != targp->p_pid && 467 pgrp->pg_session != curp->p_session) { 468 PGRP_UNLOCK(pgrp); 469 error = EPERM; 470 goto done; 471 } 472 PGRP_UNLOCK(pgrp); 473 error = enterthispgrp(targp, pgrp); 474 } 475 done: 476 sx_xunlock(&proctree_lock); 477 KASSERT((error == 0) || (newpgrp != NULL), 478 ("setpgid failed and newpgrp is NULL")); 479 if (newpgrp != NULL) 480 FREE(newpgrp, M_PGRP); 481 return (error); 482 } 483 484 /* 485 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 486 * compatible. It says that setting the uid/gid to euid/egid is a special 487 * case of "appropriate privilege". Once the rules are expanded out, this 488 * basically means that setuid(nnn) sets all three id's, in all permitted 489 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 490 * does not set the saved id - this is dangerous for traditional BSD 491 * programs. For this reason, we *really* do not want to set 492 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 493 */ 494 #define POSIX_APPENDIX_B_4_2_2 495 496 #ifndef _SYS_SYSPROTO_H_ 497 struct setuid_args { 498 uid_t uid; 499 }; 500 #endif 501 /* 502 * MPSAFE 503 */ 504 /* ARGSUSED */ 505 int 506 setuid(struct thread *td, struct setuid_args *uap) 507 { 508 struct proc *p = td->td_proc; 509 struct ucred *newcred, *oldcred; 510 uid_t uid; 511 struct uidinfo *uip; 512 int error; 513 514 uid = uap->uid; 515 AUDIT_ARG(uid, uid); 516 newcred = crget(); 517 uip = uifind(uid); 518 PROC_LOCK(p); 519 oldcred = p->p_ucred; 520 521 #ifdef MAC 522 error = mac_check_proc_setuid(p, oldcred, uid); 523 if (error) 524 goto fail; 525 #endif 526 527 /* 528 * See if we have "permission" by POSIX 1003.1 rules. 529 * 530 * Note that setuid(geteuid()) is a special case of 531 * "appropriate privileges" in appendix B.4.2.2. We need 532 * to use this clause to be compatible with traditional BSD 533 * semantics. Basically, it means that "setuid(xx)" sets all 534 * three id's (assuming you have privs). 535 * 536 * Notes on the logic. We do things in three steps. 537 * 1: We determine if the euid is going to change, and do EPERM 538 * right away. We unconditionally change the euid later if this 539 * test is satisfied, simplifying that part of the logic. 540 * 2: We determine if the real and/or saved uids are going to 541 * change. Determined by compile options. 542 * 3: Change euid last. (after tests in #2 for "appropriate privs") 543 */ 544 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 545 #ifdef _POSIX_SAVED_IDS 546 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 547 #endif 548 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 549 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 550 #endif 551 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 552 SUSER_ALLOWJAIL)) != 0) 553 goto fail; 554 555 /* 556 * Copy credentials so other references do not see our changes. 557 */ 558 crcopy(newcred, oldcred); 559 #ifdef _POSIX_SAVED_IDS 560 /* 561 * Do we have "appropriate privileges" (are we root or uid == euid) 562 * If so, we are changing the real uid and/or saved uid. 563 */ 564 if ( 565 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 566 uid == oldcred->cr_uid || 567 #endif 568 /* We are using privs. */ 569 priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0) 570 #endif 571 { 572 /* 573 * Set the real uid and transfer proc count to new user. 574 */ 575 if (uid != oldcred->cr_ruid) { 576 change_ruid(newcred, uip); 577 setsugid(p); 578 } 579 /* 580 * Set saved uid 581 * 582 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 583 * the security of seteuid() depends on it. B.4.2.2 says it 584 * is important that we should do this. 585 */ 586 if (uid != oldcred->cr_svuid) { 587 change_svuid(newcred, uid); 588 setsugid(p); 589 } 590 } 591 592 /* 593 * In all permitted cases, we are changing the euid. 594 */ 595 if (uid != oldcred->cr_uid) { 596 change_euid(newcred, uip); 597 setsugid(p); 598 } 599 p->p_ucred = newcred; 600 PROC_UNLOCK(p); 601 uifree(uip); 602 crfree(oldcred); 603 return (0); 604 605 fail: 606 PROC_UNLOCK(p); 607 uifree(uip); 608 crfree(newcred); 609 return (error); 610 } 611 612 #ifndef _SYS_SYSPROTO_H_ 613 struct seteuid_args { 614 uid_t euid; 615 }; 616 #endif 617 /* 618 * MPSAFE 619 */ 620 /* ARGSUSED */ 621 int 622 seteuid(struct thread *td, struct seteuid_args *uap) 623 { 624 struct proc *p = td->td_proc; 625 struct ucred *newcred, *oldcred; 626 uid_t euid; 627 struct uidinfo *euip; 628 int error; 629 630 euid = uap->euid; 631 AUDIT_ARG(euid, euid); 632 newcred = crget(); 633 euip = uifind(euid); 634 PROC_LOCK(p); 635 oldcred = p->p_ucred; 636 637 #ifdef MAC 638 error = mac_check_proc_seteuid(p, oldcred, euid); 639 if (error) 640 goto fail; 641 #endif 642 643 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 644 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 645 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 646 SUSER_ALLOWJAIL)) != 0) 647 goto fail; 648 649 /* 650 * Everything's okay, do it. Copy credentials so other references do 651 * not see our changes. 652 */ 653 crcopy(newcred, oldcred); 654 if (oldcred->cr_uid != euid) { 655 change_euid(newcred, euip); 656 setsugid(p); 657 } 658 p->p_ucred = newcred; 659 PROC_UNLOCK(p); 660 uifree(euip); 661 crfree(oldcred); 662 return (0); 663 664 fail: 665 PROC_UNLOCK(p); 666 uifree(euip); 667 crfree(newcred); 668 return (error); 669 } 670 671 #ifndef _SYS_SYSPROTO_H_ 672 struct setgid_args { 673 gid_t gid; 674 }; 675 #endif 676 /* 677 * MPSAFE 678 */ 679 /* ARGSUSED */ 680 int 681 setgid(struct thread *td, struct setgid_args *uap) 682 { 683 struct proc *p = td->td_proc; 684 struct ucred *newcred, *oldcred; 685 gid_t gid; 686 int error; 687 688 gid = uap->gid; 689 AUDIT_ARG(gid, gid); 690 newcred = crget(); 691 PROC_LOCK(p); 692 oldcred = p->p_ucred; 693 694 #ifdef MAC 695 error = mac_check_proc_setgid(p, oldcred, gid); 696 if (error) 697 goto fail; 698 #endif 699 700 /* 701 * See if we have "permission" by POSIX 1003.1 rules. 702 * 703 * Note that setgid(getegid()) is a special case of 704 * "appropriate privileges" in appendix B.4.2.2. We need 705 * to use this clause to be compatible with traditional BSD 706 * semantics. Basically, it means that "setgid(xx)" sets all 707 * three id's (assuming you have privs). 708 * 709 * For notes on the logic here, see setuid() above. 710 */ 711 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 712 #ifdef _POSIX_SAVED_IDS 713 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 714 #endif 715 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 716 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 717 #endif 718 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 719 SUSER_ALLOWJAIL)) != 0) 720 goto fail; 721 722 crcopy(newcred, oldcred); 723 #ifdef _POSIX_SAVED_IDS 724 /* 725 * Do we have "appropriate privileges" (are we root or gid == egid) 726 * If so, we are changing the real uid and saved gid. 727 */ 728 if ( 729 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 730 gid == oldcred->cr_groups[0] || 731 #endif 732 /* We are using privs. */ 733 priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0) 734 #endif 735 { 736 /* 737 * Set real gid 738 */ 739 if (oldcred->cr_rgid != gid) { 740 change_rgid(newcred, gid); 741 setsugid(p); 742 } 743 /* 744 * Set saved gid 745 * 746 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 747 * the security of setegid() depends on it. B.4.2.2 says it 748 * is important that we should do this. 749 */ 750 if (oldcred->cr_svgid != gid) { 751 change_svgid(newcred, gid); 752 setsugid(p); 753 } 754 } 755 /* 756 * In all cases permitted cases, we are changing the egid. 757 * Copy credentials so other references do not see our changes. 758 */ 759 if (oldcred->cr_groups[0] != gid) { 760 change_egid(newcred, gid); 761 setsugid(p); 762 } 763 p->p_ucred = newcred; 764 PROC_UNLOCK(p); 765 crfree(oldcred); 766 return (0); 767 768 fail: 769 PROC_UNLOCK(p); 770 crfree(newcred); 771 return (error); 772 } 773 774 #ifndef _SYS_SYSPROTO_H_ 775 struct setegid_args { 776 gid_t egid; 777 }; 778 #endif 779 /* 780 * MPSAFE 781 */ 782 /* ARGSUSED */ 783 int 784 setegid(struct thread *td, struct setegid_args *uap) 785 { 786 struct proc *p = td->td_proc; 787 struct ucred *newcred, *oldcred; 788 gid_t egid; 789 int error; 790 791 egid = uap->egid; 792 AUDIT_ARG(egid, egid); 793 newcred = crget(); 794 PROC_LOCK(p); 795 oldcred = p->p_ucred; 796 797 #ifdef MAC 798 error = mac_check_proc_setegid(p, oldcred, egid); 799 if (error) 800 goto fail; 801 #endif 802 803 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 804 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 805 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 806 SUSER_ALLOWJAIL)) != 0) 807 goto fail; 808 809 crcopy(newcred, oldcred); 810 if (oldcred->cr_groups[0] != egid) { 811 change_egid(newcred, egid); 812 setsugid(p); 813 } 814 p->p_ucred = newcred; 815 PROC_UNLOCK(p); 816 crfree(oldcred); 817 return (0); 818 819 fail: 820 PROC_UNLOCK(p); 821 crfree(newcred); 822 return (error); 823 } 824 825 #ifndef _SYS_SYSPROTO_H_ 826 struct setgroups_args { 827 u_int gidsetsize; 828 gid_t *gidset; 829 }; 830 #endif 831 /* 832 * MPSAFE 833 */ 834 /* ARGSUSED */ 835 int 836 setgroups(struct thread *td, struct setgroups_args *uap) 837 { 838 gid_t groups[NGROUPS]; 839 int error; 840 841 if (uap->gidsetsize > NGROUPS) 842 return (EINVAL); 843 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 844 if (error) 845 return (error); 846 return (kern_setgroups(td, uap->gidsetsize, groups)); 847 } 848 849 int 850 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 851 { 852 struct proc *p = td->td_proc; 853 struct ucred *newcred, *oldcred; 854 int error; 855 856 if (ngrp > NGROUPS) 857 return (EINVAL); 858 AUDIT_ARG(groupset, groups, ngrp); 859 newcred = crget(); 860 PROC_LOCK(p); 861 oldcred = p->p_ucred; 862 863 #ifdef MAC 864 error = mac_check_proc_setgroups(p, oldcred, ngrp, groups); 865 if (error) 866 goto fail; 867 #endif 868 869 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 870 SUSER_ALLOWJAIL); 871 if (error) 872 goto fail; 873 874 /* 875 * XXX A little bit lazy here. We could test if anything has 876 * changed before crcopy() and setting P_SUGID. 877 */ 878 crcopy(newcred, oldcred); 879 if (ngrp < 1) { 880 /* 881 * setgroups(0, NULL) is a legitimate way of clearing the 882 * groups vector on non-BSD systems (which generally do not 883 * have the egid in the groups[0]). We risk security holes 884 * when running non-BSD software if we do not do the same. 885 */ 886 newcred->cr_ngroups = 1; 887 } else { 888 bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 889 newcred->cr_ngroups = ngrp; 890 } 891 setsugid(p); 892 p->p_ucred = newcred; 893 PROC_UNLOCK(p); 894 crfree(oldcred); 895 return (0); 896 897 fail: 898 PROC_UNLOCK(p); 899 crfree(newcred); 900 return (error); 901 } 902 903 #ifndef _SYS_SYSPROTO_H_ 904 struct setreuid_args { 905 uid_t ruid; 906 uid_t euid; 907 }; 908 #endif 909 /* 910 * MPSAFE 911 */ 912 /* ARGSUSED */ 913 int 914 setreuid(register struct thread *td, struct setreuid_args *uap) 915 { 916 struct proc *p = td->td_proc; 917 struct ucred *newcred, *oldcred; 918 uid_t euid, ruid; 919 struct uidinfo *euip, *ruip; 920 int error; 921 922 euid = uap->euid; 923 ruid = uap->ruid; 924 AUDIT_ARG(euid, euid); 925 AUDIT_ARG(ruid, ruid); 926 newcred = crget(); 927 euip = uifind(euid); 928 ruip = uifind(ruid); 929 PROC_LOCK(p); 930 oldcred = p->p_ucred; 931 932 #ifdef MAC 933 error = mac_check_proc_setreuid(p, oldcred, ruid, euid); 934 if (error) 935 goto fail; 936 #endif 937 938 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 939 ruid != oldcred->cr_svuid) || 940 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 941 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 942 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 943 SUSER_ALLOWJAIL)) != 0) 944 goto fail; 945 946 crcopy(newcred, oldcred); 947 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 948 change_euid(newcred, euip); 949 setsugid(p); 950 } 951 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 952 change_ruid(newcred, ruip); 953 setsugid(p); 954 } 955 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 956 newcred->cr_svuid != newcred->cr_uid) { 957 change_svuid(newcred, newcred->cr_uid); 958 setsugid(p); 959 } 960 p->p_ucred = newcred; 961 PROC_UNLOCK(p); 962 uifree(ruip); 963 uifree(euip); 964 crfree(oldcred); 965 return (0); 966 967 fail: 968 PROC_UNLOCK(p); 969 uifree(ruip); 970 uifree(euip); 971 crfree(newcred); 972 return (error); 973 } 974 975 #ifndef _SYS_SYSPROTO_H_ 976 struct setregid_args { 977 gid_t rgid; 978 gid_t egid; 979 }; 980 #endif 981 /* 982 * MPSAFE 983 */ 984 /* ARGSUSED */ 985 int 986 setregid(register struct thread *td, struct setregid_args *uap) 987 { 988 struct proc *p = td->td_proc; 989 struct ucred *newcred, *oldcred; 990 gid_t egid, rgid; 991 int error; 992 993 egid = uap->egid; 994 rgid = uap->rgid; 995 AUDIT_ARG(egid, egid); 996 AUDIT_ARG(rgid, rgid); 997 newcred = crget(); 998 PROC_LOCK(p); 999 oldcred = p->p_ucred; 1000 1001 #ifdef MAC 1002 error = mac_check_proc_setregid(p, oldcred, rgid, egid); 1003 if (error) 1004 goto fail; 1005 #endif 1006 1007 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1008 rgid != oldcred->cr_svgid) || 1009 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 1010 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 1011 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 1012 SUSER_ALLOWJAIL)) != 0) 1013 goto fail; 1014 1015 crcopy(newcred, oldcred); 1016 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1017 change_egid(newcred, egid); 1018 setsugid(p); 1019 } 1020 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1021 change_rgid(newcred, rgid); 1022 setsugid(p); 1023 } 1024 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 1025 newcred->cr_svgid != newcred->cr_groups[0]) { 1026 change_svgid(newcred, newcred->cr_groups[0]); 1027 setsugid(p); 1028 } 1029 p->p_ucred = newcred; 1030 PROC_UNLOCK(p); 1031 crfree(oldcred); 1032 return (0); 1033 1034 fail: 1035 PROC_UNLOCK(p); 1036 crfree(newcred); 1037 return (error); 1038 } 1039 1040 /* 1041 * setresuid(ruid, euid, suid) is like setreuid except control over the 1042 * saved uid is explicit. 1043 */ 1044 1045 #ifndef _SYS_SYSPROTO_H_ 1046 struct setresuid_args { 1047 uid_t ruid; 1048 uid_t euid; 1049 uid_t suid; 1050 }; 1051 #endif 1052 /* 1053 * MPSAFE 1054 */ 1055 /* ARGSUSED */ 1056 int 1057 setresuid(register struct thread *td, struct setresuid_args *uap) 1058 { 1059 struct proc *p = td->td_proc; 1060 struct ucred *newcred, *oldcred; 1061 uid_t euid, ruid, suid; 1062 struct uidinfo *euip, *ruip; 1063 int error; 1064 1065 euid = uap->euid; 1066 ruid = uap->ruid; 1067 suid = uap->suid; 1068 AUDIT_ARG(euid, euid); 1069 AUDIT_ARG(ruid, ruid); 1070 AUDIT_ARG(suid, suid); 1071 newcred = crget(); 1072 euip = uifind(euid); 1073 ruip = uifind(ruid); 1074 PROC_LOCK(p); 1075 oldcred = p->p_ucred; 1076 1077 #ifdef MAC 1078 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); 1079 if (error) 1080 goto fail; 1081 #endif 1082 1083 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1084 ruid != oldcred->cr_svuid && 1085 ruid != oldcred->cr_uid) || 1086 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1087 euid != oldcred->cr_svuid && 1088 euid != oldcred->cr_uid) || 1089 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1090 suid != oldcred->cr_svuid && 1091 suid != oldcred->cr_uid)) && 1092 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 1093 SUSER_ALLOWJAIL)) != 0) 1094 goto fail; 1095 1096 crcopy(newcred, oldcred); 1097 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1098 change_euid(newcred, euip); 1099 setsugid(p); 1100 } 1101 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1102 change_ruid(newcred, ruip); 1103 setsugid(p); 1104 } 1105 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1106 change_svuid(newcred, suid); 1107 setsugid(p); 1108 } 1109 p->p_ucred = newcred; 1110 PROC_UNLOCK(p); 1111 uifree(ruip); 1112 uifree(euip); 1113 crfree(oldcred); 1114 return (0); 1115 1116 fail: 1117 PROC_UNLOCK(p); 1118 uifree(ruip); 1119 uifree(euip); 1120 crfree(newcred); 1121 return (error); 1122 1123 } 1124 1125 /* 1126 * setresgid(rgid, egid, sgid) is like setregid except control over the 1127 * saved gid is explicit. 1128 */ 1129 1130 #ifndef _SYS_SYSPROTO_H_ 1131 struct setresgid_args { 1132 gid_t rgid; 1133 gid_t egid; 1134 gid_t sgid; 1135 }; 1136 #endif 1137 /* 1138 * MPSAFE 1139 */ 1140 /* ARGSUSED */ 1141 int 1142 setresgid(register struct thread *td, struct setresgid_args *uap) 1143 { 1144 struct proc *p = td->td_proc; 1145 struct ucred *newcred, *oldcred; 1146 gid_t egid, rgid, sgid; 1147 int error; 1148 1149 egid = uap->egid; 1150 rgid = uap->rgid; 1151 sgid = uap->sgid; 1152 AUDIT_ARG(egid, egid); 1153 AUDIT_ARG(rgid, rgid); 1154 AUDIT_ARG(sgid, sgid); 1155 newcred = crget(); 1156 PROC_LOCK(p); 1157 oldcred = p->p_ucred; 1158 1159 #ifdef MAC 1160 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); 1161 if (error) 1162 goto fail; 1163 #endif 1164 1165 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1166 rgid != oldcred->cr_svgid && 1167 rgid != oldcred->cr_groups[0]) || 1168 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1169 egid != oldcred->cr_svgid && 1170 egid != oldcred->cr_groups[0]) || 1171 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1172 sgid != oldcred->cr_svgid && 1173 sgid != oldcred->cr_groups[0])) && 1174 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 1175 SUSER_ALLOWJAIL)) != 0) 1176 goto fail; 1177 1178 crcopy(newcred, oldcred); 1179 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1180 change_egid(newcred, egid); 1181 setsugid(p); 1182 } 1183 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1184 change_rgid(newcred, rgid); 1185 setsugid(p); 1186 } 1187 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1188 change_svgid(newcred, sgid); 1189 setsugid(p); 1190 } 1191 p->p_ucred = newcred; 1192 PROC_UNLOCK(p); 1193 crfree(oldcred); 1194 return (0); 1195 1196 fail: 1197 PROC_UNLOCK(p); 1198 crfree(newcred); 1199 return (error); 1200 } 1201 1202 #ifndef _SYS_SYSPROTO_H_ 1203 struct getresuid_args { 1204 uid_t *ruid; 1205 uid_t *euid; 1206 uid_t *suid; 1207 }; 1208 #endif 1209 /* 1210 * MPSAFE 1211 */ 1212 /* ARGSUSED */ 1213 int 1214 getresuid(register struct thread *td, struct getresuid_args *uap) 1215 { 1216 struct ucred *cred; 1217 int error1 = 0, error2 = 0, error3 = 0; 1218 1219 cred = td->td_ucred; 1220 if (uap->ruid) 1221 error1 = copyout(&cred->cr_ruid, 1222 uap->ruid, sizeof(cred->cr_ruid)); 1223 if (uap->euid) 1224 error2 = copyout(&cred->cr_uid, 1225 uap->euid, sizeof(cred->cr_uid)); 1226 if (uap->suid) 1227 error3 = copyout(&cred->cr_svuid, 1228 uap->suid, sizeof(cred->cr_svuid)); 1229 return (error1 ? error1 : error2 ? error2 : error3); 1230 } 1231 1232 #ifndef _SYS_SYSPROTO_H_ 1233 struct getresgid_args { 1234 gid_t *rgid; 1235 gid_t *egid; 1236 gid_t *sgid; 1237 }; 1238 #endif 1239 /* 1240 * MPSAFE 1241 */ 1242 /* ARGSUSED */ 1243 int 1244 getresgid(register struct thread *td, struct getresgid_args *uap) 1245 { 1246 struct ucred *cred; 1247 int error1 = 0, error2 = 0, error3 = 0; 1248 1249 cred = td->td_ucred; 1250 if (uap->rgid) 1251 error1 = copyout(&cred->cr_rgid, 1252 uap->rgid, sizeof(cred->cr_rgid)); 1253 if (uap->egid) 1254 error2 = copyout(&cred->cr_groups[0], 1255 uap->egid, sizeof(cred->cr_groups[0])); 1256 if (uap->sgid) 1257 error3 = copyout(&cred->cr_svgid, 1258 uap->sgid, sizeof(cred->cr_svgid)); 1259 return (error1 ? error1 : error2 ? error2 : error3); 1260 } 1261 1262 #ifndef _SYS_SYSPROTO_H_ 1263 struct issetugid_args { 1264 int dummy; 1265 }; 1266 #endif 1267 /* 1268 * MPSAFE 1269 */ 1270 /* ARGSUSED */ 1271 int 1272 issetugid(register struct thread *td, struct issetugid_args *uap) 1273 { 1274 struct proc *p = td->td_proc; 1275 1276 /* 1277 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1278 * we use P_SUGID because we consider changing the owners as 1279 * "tainting" as well. 1280 * This is significant for procs that start as root and "become" 1281 * a user without an exec - programs cannot know *everything* 1282 * that libc *might* have put in their data segment. 1283 */ 1284 PROC_LOCK(p); 1285 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1286 PROC_UNLOCK(p); 1287 return (0); 1288 } 1289 1290 /* 1291 * MPSAFE 1292 */ 1293 int 1294 __setugid(struct thread *td, struct __setugid_args *uap) 1295 { 1296 #ifdef REGRESSION 1297 struct proc *p; 1298 1299 p = td->td_proc; 1300 switch (uap->flag) { 1301 case 0: 1302 PROC_LOCK(p); 1303 p->p_flag &= ~P_SUGID; 1304 PROC_UNLOCK(p); 1305 return (0); 1306 case 1: 1307 PROC_LOCK(p); 1308 p->p_flag |= P_SUGID; 1309 PROC_UNLOCK(p); 1310 return (0); 1311 default: 1312 return (EINVAL); 1313 } 1314 #else /* !REGRESSION */ 1315 1316 return (ENOSYS); 1317 #endif /* REGRESSION */ 1318 } 1319 1320 /* 1321 * Check if gid is a member of the group set. 1322 * 1323 * MPSAFE (cred must be held) 1324 */ 1325 int 1326 groupmember(gid_t gid, struct ucred *cred) 1327 { 1328 register gid_t *gp; 1329 gid_t *egp; 1330 1331 egp = &(cred->cr_groups[cred->cr_ngroups]); 1332 for (gp = cred->cr_groups; gp < egp; gp++) 1333 if (*gp == gid) 1334 return (1); 1335 return (0); 1336 } 1337 1338 /* 1339 * Test the active securelevel against a given level. securelevel_gt() 1340 * implements (securelevel > level). securelevel_ge() implements 1341 * (securelevel >= level). Note that the logic is inverted -- these 1342 * functions return EPERM on "success" and 0 on "failure". 1343 * 1344 * XXXRW: Possibly since this has to do with privilege, it should move to 1345 * kern_priv.c. 1346 * 1347 * MPSAFE 1348 */ 1349 int 1350 securelevel_gt(struct ucred *cr, int level) 1351 { 1352 int active_securelevel; 1353 1354 active_securelevel = securelevel; 1355 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1356 if (cr->cr_prison != NULL) 1357 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1358 active_securelevel); 1359 return (active_securelevel > level ? EPERM : 0); 1360 } 1361 1362 int 1363 securelevel_ge(struct ucred *cr, int level) 1364 { 1365 int active_securelevel; 1366 1367 active_securelevel = securelevel; 1368 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1369 if (cr->cr_prison != NULL) 1370 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1371 active_securelevel); 1372 return (active_securelevel >= level ? EPERM : 0); 1373 } 1374 1375 /* 1376 * 'see_other_uids' determines whether or not visibility of processes 1377 * and sockets with credentials holding different real uids is possible 1378 * using a variety of system MIBs. 1379 * XXX: data declarations should be together near the beginning of the file. 1380 */ 1381 static int see_other_uids = 1; 1382 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1383 &see_other_uids, 0, 1384 "Unprivileged processes may see subjects/objects with different real uid"); 1385 1386 /*- 1387 * Determine if u1 "can see" the subject specified by u2, according to the 1388 * 'see_other_uids' policy. 1389 * Returns: 0 for permitted, ESRCH otherwise 1390 * Locks: none 1391 * References: *u1 and *u2 must not change during the call 1392 * u1 may equal u2, in which case only one reference is required 1393 */ 1394 static int 1395 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1396 { 1397 1398 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1399 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL) 1400 != 0) 1401 return (ESRCH); 1402 } 1403 return (0); 1404 } 1405 1406 /* 1407 * 'see_other_gids' determines whether or not visibility of processes 1408 * and sockets with credentials holding different real gids is possible 1409 * using a variety of system MIBs. 1410 * XXX: data declarations should be together near the beginning of the file. 1411 */ 1412 static int see_other_gids = 1; 1413 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1414 &see_other_gids, 0, 1415 "Unprivileged processes may see subjects/objects with different real gid"); 1416 1417 /* 1418 * Determine if u1 can "see" the subject specified by u2, according to the 1419 * 'see_other_gids' policy. 1420 * Returns: 0 for permitted, ESRCH otherwise 1421 * Locks: none 1422 * References: *u1 and *u2 must not change during the call 1423 * u1 may equal u2, in which case only one reference is required 1424 */ 1425 static int 1426 cr_seeothergids(struct ucred *u1, struct ucred *u2) 1427 { 1428 int i, match; 1429 1430 if (!see_other_gids) { 1431 match = 0; 1432 for (i = 0; i < u1->cr_ngroups; i++) { 1433 if (groupmember(u1->cr_groups[i], u2)) 1434 match = 1; 1435 if (match) 1436 break; 1437 } 1438 if (!match) { 1439 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 1440 SUSER_ALLOWJAIL) != 0) 1441 return (ESRCH); 1442 } 1443 } 1444 return (0); 1445 } 1446 1447 /*- 1448 * Determine if u1 "can see" the subject specified by u2. 1449 * Returns: 0 for permitted, an errno value otherwise 1450 * Locks: none 1451 * References: *u1 and *u2 must not change during the call 1452 * u1 may equal u2, in which case only one reference is required 1453 */ 1454 int 1455 cr_cansee(struct ucred *u1, struct ucred *u2) 1456 { 1457 int error; 1458 1459 if ((error = prison_check(u1, u2))) 1460 return (error); 1461 #ifdef MAC 1462 if ((error = mac_check_cred_visible(u1, u2))) 1463 return (error); 1464 #endif 1465 if ((error = cr_seeotheruids(u1, u2))) 1466 return (error); 1467 if ((error = cr_seeothergids(u1, u2))) 1468 return (error); 1469 return (0); 1470 } 1471 1472 /*- 1473 * Determine if td "can see" the subject specified by p. 1474 * Returns: 0 for permitted, an errno value otherwise 1475 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1476 * should be curthread. 1477 * References: td and p must be valid for the lifetime of the call 1478 */ 1479 int 1480 p_cansee(struct thread *td, struct proc *p) 1481 { 1482 1483 /* Wrap cr_cansee() for all functionality. */ 1484 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1485 PROC_LOCK_ASSERT(p, MA_OWNED); 1486 return (cr_cansee(td->td_ucred, p->p_ucred)); 1487 } 1488 1489 /* 1490 * 'conservative_signals' prevents the delivery of a broad class of 1491 * signals by unprivileged processes to processes that have changed their 1492 * credentials since the last invocation of execve(). This can prevent 1493 * the leakage of cached information or retained privileges as a result 1494 * of a common class of signal-related vulnerabilities. However, this 1495 * may interfere with some applications that expect to be able to 1496 * deliver these signals to peer processes after having given up 1497 * privilege. 1498 */ 1499 static int conservative_signals = 1; 1500 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1501 &conservative_signals, 0, "Unprivileged processes prevented from " 1502 "sending certain signals to processes whose credentials have changed"); 1503 /*- 1504 * Determine whether cred may deliver the specified signal to proc. 1505 * Returns: 0 for permitted, an errno value otherwise. 1506 * Locks: A lock must be held for proc. 1507 * References: cred and proc must be valid for the lifetime of the call. 1508 */ 1509 int 1510 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1511 { 1512 int error; 1513 1514 PROC_LOCK_ASSERT(proc, MA_OWNED); 1515 /* 1516 * Jail semantics limit the scope of signalling to proc in the 1517 * same jail as cred, if cred is in jail. 1518 */ 1519 error = prison_check(cred, proc->p_ucred); 1520 if (error) 1521 return (error); 1522 #ifdef MAC 1523 if ((error = mac_check_proc_signal(cred, proc, signum))) 1524 return (error); 1525 #endif 1526 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1527 return (error); 1528 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1529 return (error); 1530 1531 /* 1532 * UNIX signal semantics depend on the status of the P_SUGID 1533 * bit on the target process. If the bit is set, then additional 1534 * restrictions are placed on the set of available signals. 1535 */ 1536 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1537 switch (signum) { 1538 case 0: 1539 case SIGKILL: 1540 case SIGINT: 1541 case SIGTERM: 1542 case SIGALRM: 1543 case SIGSTOP: 1544 case SIGTTIN: 1545 case SIGTTOU: 1546 case SIGTSTP: 1547 case SIGHUP: 1548 case SIGUSR1: 1549 case SIGUSR2: 1550 /* 1551 * Generally, permit job and terminal control 1552 * signals. 1553 */ 1554 break; 1555 default: 1556 /* Not permitted without privilege. */ 1557 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 1558 SUSER_ALLOWJAIL); 1559 if (error) 1560 return (error); 1561 } 1562 } 1563 1564 /* 1565 * Generally, the target credential's ruid or svuid must match the 1566 * subject credential's ruid or euid. 1567 */ 1568 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1569 cred->cr_ruid != proc->p_ucred->cr_svuid && 1570 cred->cr_uid != proc->p_ucred->cr_ruid && 1571 cred->cr_uid != proc->p_ucred->cr_svuid) { 1572 /* Not permitted without privilege. */ 1573 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 1574 SUSER_ALLOWJAIL); 1575 if (error) 1576 return (error); 1577 } 1578 1579 return (0); 1580 } 1581 1582 /*- 1583 * Determine whether td may deliver the specified signal to p. 1584 * Returns: 0 for permitted, an errno value otherwise 1585 * Locks: Sufficient locks to protect various components of td and p 1586 * must be held. td must be curthread, and a lock must be 1587 * held for p. 1588 * References: td and p must be valid for the lifetime of the call 1589 */ 1590 int 1591 p_cansignal(struct thread *td, struct proc *p, int signum) 1592 { 1593 1594 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1595 PROC_LOCK_ASSERT(p, MA_OWNED); 1596 if (td->td_proc == p) 1597 return (0); 1598 1599 /* 1600 * UNIX signalling semantics require that processes in the same 1601 * session always be able to deliver SIGCONT to one another, 1602 * overriding the remaining protections. 1603 */ 1604 /* XXX: This will require an additional lock of some sort. */ 1605 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1606 return (0); 1607 /* 1608 * Some compat layers use SIGTHR and higher signals for 1609 * communication between different kernel threads of the same 1610 * process, so that they expect that it's always possible to 1611 * deliver them, even for suid applications where cr_cansignal() can 1612 * deny such ability for security consideration. It should be 1613 * pretty safe to do since the only way to create two processes 1614 * with the same p_leader is via rfork(2). 1615 */ 1616 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1617 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1618 return (0); 1619 1620 return (cr_cansignal(td->td_ucred, p, signum)); 1621 } 1622 1623 /*- 1624 * Determine whether td may reschedule p. 1625 * Returns: 0 for permitted, an errno value otherwise 1626 * Locks: Sufficient locks to protect various components of td and p 1627 * must be held. td must be curthread, and a lock must 1628 * be held for p. 1629 * References: td and p must be valid for the lifetime of the call 1630 */ 1631 int 1632 p_cansched(struct thread *td, struct proc *p) 1633 { 1634 int error; 1635 1636 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1637 PROC_LOCK_ASSERT(p, MA_OWNED); 1638 if (td->td_proc == p) 1639 return (0); 1640 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1641 return (error); 1642 #ifdef MAC 1643 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1644 return (error); 1645 #endif 1646 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1647 return (error); 1648 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1649 return (error); 1650 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1651 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1652 error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED, 1653 SUSER_ALLOWJAIL); 1654 if (error) 1655 return (error); 1656 } 1657 return (0); 1658 } 1659 1660 /* 1661 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1662 * unprivileged inter-process debugging services, including some procfs 1663 * functionality, ptrace(), and ktrace(). In the past, inter-process 1664 * debugging has been involved in a variety of security problems, and sites 1665 * not requiring the service might choose to disable it when hardening 1666 * systems. 1667 * 1668 * XXX: Should modifying and reading this variable require locking? 1669 * XXX: data declarations should be together near the beginning of the file. 1670 */ 1671 static int unprivileged_proc_debug = 1; 1672 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1673 &unprivileged_proc_debug, 0, 1674 "Unprivileged processes may use process debugging facilities"); 1675 1676 /*- 1677 * Determine whether td may debug p. 1678 * Returns: 0 for permitted, an errno value otherwise 1679 * Locks: Sufficient locks to protect various components of td and p 1680 * must be held. td must be curthread, and a lock must 1681 * be held for p. 1682 * References: td and p must be valid for the lifetime of the call 1683 */ 1684 int 1685 p_candebug(struct thread *td, struct proc *p) 1686 { 1687 int credentialchanged, error, grpsubset, i, uidsubset; 1688 1689 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1690 PROC_LOCK_ASSERT(p, MA_OWNED); 1691 if (!unprivileged_proc_debug) { 1692 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV, 1693 SUSER_ALLOWJAIL); 1694 if (error) 1695 return (error); 1696 } 1697 if (td->td_proc == p) 1698 return (0); 1699 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1700 return (error); 1701 #ifdef MAC 1702 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1703 return (error); 1704 #endif 1705 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1706 return (error); 1707 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1708 return (error); 1709 1710 /* 1711 * Is p's group set a subset of td's effective group set? This 1712 * includes p's egid, group access list, rgid, and svgid. 1713 */ 1714 grpsubset = 1; 1715 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1716 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1717 grpsubset = 0; 1718 break; 1719 } 1720 } 1721 grpsubset = grpsubset && 1722 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1723 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1724 1725 /* 1726 * Are the uids present in p's credential equal to td's 1727 * effective uid? This includes p's euid, svuid, and ruid. 1728 */ 1729 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1730 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1731 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1732 1733 /* 1734 * Has the credential of the process changed since the last exec()? 1735 */ 1736 credentialchanged = (p->p_flag & P_SUGID); 1737 1738 /* 1739 * If p's gids aren't a subset, or the uids aren't a subset, 1740 * or the credential has changed, require appropriate privilege 1741 * for td to debug p. 1742 */ 1743 if (!grpsubset || !uidsubset) { 1744 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED, 1745 SUSER_ALLOWJAIL); 1746 if (error) 1747 return (error); 1748 } 1749 1750 if (credentialchanged) { 1751 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID, 1752 SUSER_ALLOWJAIL); 1753 if (error) 1754 return (error); 1755 } 1756 1757 /* Can't trace init when securelevel > 0. */ 1758 if (p == initproc) { 1759 error = securelevel_gt(td->td_ucred, 0); 1760 if (error) 1761 return (error); 1762 } 1763 1764 /* 1765 * Can't trace a process that's currently exec'ing. 1766 * 1767 * XXX: Note, this is not a security policy decision, it's a 1768 * basic correctness/functionality decision. Therefore, this check 1769 * should be moved to the caller's of p_candebug(). 1770 */ 1771 if ((p->p_flag & P_INEXEC) != 0) 1772 return (EAGAIN); 1773 1774 return (0); 1775 } 1776 1777 /*- 1778 * Determine whether the subject represented by cred can "see" a socket. 1779 * Returns: 0 for permitted, ENOENT otherwise. 1780 */ 1781 int 1782 cr_canseesocket(struct ucred *cred, struct socket *so) 1783 { 1784 int error; 1785 1786 error = prison_check(cred, so->so_cred); 1787 if (error) 1788 return (ENOENT); 1789 #ifdef MAC 1790 SOCK_LOCK(so); 1791 error = mac_check_socket_visible(cred, so); 1792 SOCK_UNLOCK(so); 1793 if (error) 1794 return (error); 1795 #endif 1796 if (cr_seeotheruids(cred, so->so_cred)) 1797 return (ENOENT); 1798 if (cr_seeothergids(cred, so->so_cred)) 1799 return (ENOENT); 1800 1801 return (0); 1802 } 1803 1804 /*- 1805 * Determine whether td can wait for the exit of p. 1806 * Returns: 0 for permitted, an errno value otherwise 1807 * Locks: Sufficient locks to protect various components of td and p 1808 * must be held. td must be curthread, and a lock must 1809 * be held for p. 1810 * References: td and p must be valid for the lifetime of the call 1811 1812 */ 1813 int 1814 p_canwait(struct thread *td, struct proc *p) 1815 { 1816 int error; 1817 1818 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1819 PROC_LOCK_ASSERT(p, MA_OWNED); 1820 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1821 return (error); 1822 #ifdef MAC 1823 if ((error = mac_check_proc_wait(td->td_ucred, p))) 1824 return (error); 1825 #endif 1826 #if 0 1827 /* XXXMAC: This could have odd effects on some shells. */ 1828 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1829 return (error); 1830 #endif 1831 1832 return (0); 1833 } 1834 1835 /* 1836 * Allocate a zeroed cred structure. 1837 * MPSAFE 1838 */ 1839 struct ucred * 1840 crget(void) 1841 { 1842 register struct ucred *cr; 1843 1844 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1845 refcount_init(&cr->cr_ref, 1); 1846 #ifdef MAC 1847 mac_init_cred(cr); 1848 #endif 1849 return (cr); 1850 } 1851 1852 /* 1853 * Claim another reference to a ucred structure. 1854 * MPSAFE 1855 */ 1856 struct ucred * 1857 crhold(struct ucred *cr) 1858 { 1859 1860 refcount_acquire(&cr->cr_ref); 1861 return (cr); 1862 } 1863 1864 /* 1865 * Free a cred structure. 1866 * Throws away space when ref count gets to 0. 1867 * MPSAFE 1868 */ 1869 void 1870 crfree(struct ucred *cr) 1871 { 1872 1873 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1874 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1875 if (refcount_release(&cr->cr_ref)) { 1876 /* 1877 * Some callers of crget(), such as nfs_statfs(), 1878 * allocate a temporary credential, but don't 1879 * allocate a uidinfo structure. 1880 */ 1881 if (cr->cr_uidinfo != NULL) 1882 uifree(cr->cr_uidinfo); 1883 if (cr->cr_ruidinfo != NULL) 1884 uifree(cr->cr_ruidinfo); 1885 /* 1886 * Free a prison, if any. 1887 */ 1888 if (jailed(cr)) 1889 prison_free(cr->cr_prison); 1890 #ifdef MAC 1891 mac_destroy_cred(cr); 1892 #endif 1893 FREE(cr, M_CRED); 1894 } 1895 } 1896 1897 /* 1898 * Check to see if this ucred is shared. 1899 * MPSAFE 1900 */ 1901 int 1902 crshared(struct ucred *cr) 1903 { 1904 1905 return (cr->cr_ref > 1); 1906 } 1907 1908 /* 1909 * Copy a ucred's contents from a template. Does not block. 1910 * MPSAFE 1911 */ 1912 void 1913 crcopy(struct ucred *dest, struct ucred *src) 1914 { 1915 1916 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1917 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1918 (unsigned)((caddr_t)&src->cr_endcopy - 1919 (caddr_t)&src->cr_startcopy)); 1920 uihold(dest->cr_uidinfo); 1921 uihold(dest->cr_ruidinfo); 1922 if (jailed(dest)) 1923 prison_hold(dest->cr_prison); 1924 #ifdef MAC 1925 mac_copy_cred(src, dest); 1926 #endif 1927 } 1928 1929 /* 1930 * Dup cred struct to a new held one. 1931 * MPSAFE 1932 */ 1933 struct ucred * 1934 crdup(struct ucred *cr) 1935 { 1936 struct ucred *newcr; 1937 1938 newcr = crget(); 1939 crcopy(newcr, cr); 1940 return (newcr); 1941 } 1942 1943 /* 1944 * Fill in a struct xucred based on a struct ucred. 1945 * MPSAFE 1946 */ 1947 void 1948 cru2x(struct ucred *cr, struct xucred *xcr) 1949 { 1950 1951 bzero(xcr, sizeof(*xcr)); 1952 xcr->cr_version = XUCRED_VERSION; 1953 xcr->cr_uid = cr->cr_uid; 1954 xcr->cr_ngroups = cr->cr_ngroups; 1955 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1956 } 1957 1958 /* 1959 * small routine to swap a thread's current ucred for the correct one 1960 * taken from the process. 1961 * MPSAFE 1962 */ 1963 void 1964 cred_update_thread(struct thread *td) 1965 { 1966 struct proc *p; 1967 struct ucred *cred; 1968 1969 p = td->td_proc; 1970 cred = td->td_ucred; 1971 PROC_LOCK(p); 1972 td->td_ucred = crhold(p->p_ucred); 1973 PROC_UNLOCK(p); 1974 if (cred != NULL) 1975 crfree(cred); 1976 } 1977 1978 /* 1979 * Get login name, if available. 1980 */ 1981 #ifndef _SYS_SYSPROTO_H_ 1982 struct getlogin_args { 1983 char *namebuf; 1984 u_int namelen; 1985 }; 1986 #endif 1987 /* 1988 * MPSAFE 1989 */ 1990 /* ARGSUSED */ 1991 int 1992 getlogin(struct thread *td, struct getlogin_args *uap) 1993 { 1994 int error; 1995 char login[MAXLOGNAME]; 1996 struct proc *p = td->td_proc; 1997 1998 if (uap->namelen > MAXLOGNAME) 1999 uap->namelen = MAXLOGNAME; 2000 PROC_LOCK(p); 2001 SESS_LOCK(p->p_session); 2002 bcopy(p->p_session->s_login, login, uap->namelen); 2003 SESS_UNLOCK(p->p_session); 2004 PROC_UNLOCK(p); 2005 error = copyout(login, uap->namebuf, uap->namelen); 2006 return(error); 2007 } 2008 2009 /* 2010 * Set login name. 2011 */ 2012 #ifndef _SYS_SYSPROTO_H_ 2013 struct setlogin_args { 2014 char *namebuf; 2015 }; 2016 #endif 2017 /* 2018 * MPSAFE 2019 */ 2020 /* ARGSUSED */ 2021 int 2022 setlogin(struct thread *td, struct setlogin_args *uap) 2023 { 2024 struct proc *p = td->td_proc; 2025 int error; 2026 char logintmp[MAXLOGNAME]; 2027 2028 error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN, 2029 SUSER_ALLOWJAIL); 2030 if (error) 2031 return (error); 2032 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2033 if (error == ENAMETOOLONG) 2034 error = EINVAL; 2035 else if (!error) { 2036 PROC_LOCK(p); 2037 SESS_LOCK(p->p_session); 2038 (void) memcpy(p->p_session->s_login, logintmp, 2039 sizeof(logintmp)); 2040 SESS_UNLOCK(p->p_session); 2041 PROC_UNLOCK(p); 2042 } 2043 return (error); 2044 } 2045 2046 void 2047 setsugid(struct proc *p) 2048 { 2049 2050 PROC_LOCK_ASSERT(p, MA_OWNED); 2051 p->p_flag |= P_SUGID; 2052 if (!(p->p_pfsflags & PF_ISUGID)) 2053 p->p_stops = 0; 2054 } 2055 2056 /*- 2057 * Change a process's effective uid. 2058 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2059 * References: newcred must be an exclusive credential reference for the 2060 * duration of the call. 2061 */ 2062 void 2063 change_euid(struct ucred *newcred, struct uidinfo *euip) 2064 { 2065 2066 newcred->cr_uid = euip->ui_uid; 2067 uihold(euip); 2068 uifree(newcred->cr_uidinfo); 2069 newcred->cr_uidinfo = euip; 2070 } 2071 2072 /*- 2073 * Change a process's effective gid. 2074 * Side effects: newcred->cr_gid will be modified. 2075 * References: newcred must be an exclusive credential reference for the 2076 * duration of the call. 2077 */ 2078 void 2079 change_egid(struct ucred *newcred, gid_t egid) 2080 { 2081 2082 newcred->cr_groups[0] = egid; 2083 } 2084 2085 /*- 2086 * Change a process's real uid. 2087 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2088 * will be updated, and the old and new cr_ruidinfo proc 2089 * counts will be updated. 2090 * References: newcred must be an exclusive credential reference for the 2091 * duration of the call. 2092 */ 2093 void 2094 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2095 { 2096 2097 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2098 newcred->cr_ruid = ruip->ui_uid; 2099 uihold(ruip); 2100 uifree(newcred->cr_ruidinfo); 2101 newcred->cr_ruidinfo = ruip; 2102 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2103 } 2104 2105 /*- 2106 * Change a process's real gid. 2107 * Side effects: newcred->cr_rgid will be updated. 2108 * References: newcred must be an exclusive credential reference for the 2109 * duration of the call. 2110 */ 2111 void 2112 change_rgid(struct ucred *newcred, gid_t rgid) 2113 { 2114 2115 newcred->cr_rgid = rgid; 2116 } 2117 2118 /*- 2119 * Change a process's saved uid. 2120 * Side effects: newcred->cr_svuid will be updated. 2121 * References: newcred must be an exclusive credential reference for the 2122 * duration of the call. 2123 */ 2124 void 2125 change_svuid(struct ucred *newcred, uid_t svuid) 2126 { 2127 2128 newcred->cr_svuid = svuid; 2129 } 2130 2131 /*- 2132 * Change a process's saved gid. 2133 * Side effects: newcred->cr_svgid will be updated. 2134 * References: newcred must be an exclusive credential reference for the 2135 * duration of the call. 2136 */ 2137 void 2138 change_svgid(struct ucred *newcred, gid_t svgid) 2139 { 2140 2141 newcred->cr_svgid = svgid; 2142 } 2143