1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD$ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 #include "opt_mac.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/acct.h> 53 #include <sys/kernel.h> 54 #include <sys/lock.h> 55 #include <sys/mac.h> 56 #include <sys/malloc.h> 57 #include <sys/mutex.h> 58 #include <sys/sx.h> 59 #include <sys/proc.h> 60 #include <sys/sysproto.h> 61 #include <sys/jail.h> 62 #include <sys/pioctl.h> 63 #include <sys/resourcevar.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/sysctl.h> 67 68 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 69 70 SYSCTL_DECL(_security); 71 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 72 "BSD security policy"); 73 74 #ifndef _SYS_SYSPROTO_H_ 75 struct getpid_args { 76 int dummy; 77 }; 78 #endif 79 /* 80 * MPSAFE 81 */ 82 /* ARGSUSED */ 83 int 84 getpid(struct thread *td, struct getpid_args *uap) 85 { 86 struct proc *p = td->td_proc; 87 88 td->td_retval[0] = p->p_pid; 89 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 90 PROC_LOCK(p); 91 td->td_retval[1] = p->p_pptr->p_pid; 92 PROC_UNLOCK(p); 93 #endif 94 return (0); 95 } 96 97 #ifndef _SYS_SYSPROTO_H_ 98 struct getppid_args { 99 int dummy; 100 }; 101 #endif 102 /* 103 * MPSAFE 104 */ 105 /* ARGSUSED */ 106 int 107 getppid(struct thread *td, struct getppid_args *uap) 108 { 109 struct proc *p = td->td_proc; 110 111 PROC_LOCK(p); 112 td->td_retval[0] = p->p_pptr->p_pid; 113 PROC_UNLOCK(p); 114 return (0); 115 } 116 117 /* 118 * Get process group ID; note that POSIX getpgrp takes no parameter. 119 */ 120 #ifndef _SYS_SYSPROTO_H_ 121 struct getpgrp_args { 122 int dummy; 123 }; 124 #endif 125 /* 126 * MPSAFE 127 */ 128 int 129 getpgrp(struct thread *td, struct getpgrp_args *uap) 130 { 131 struct proc *p = td->td_proc; 132 133 PROC_LOCK(p); 134 td->td_retval[0] = p->p_pgrp->pg_id; 135 PROC_UNLOCK(p); 136 return (0); 137 } 138 139 /* Get an arbitary pid's process group id */ 140 #ifndef _SYS_SYSPROTO_H_ 141 struct getpgid_args { 142 pid_t pid; 143 }; 144 #endif 145 /* 146 * MPSAFE 147 */ 148 int 149 getpgid(struct thread *td, struct getpgid_args *uap) 150 { 151 struct proc *p = td->td_proc; 152 struct proc *pt; 153 int error; 154 155 mtx_lock(&Giant); 156 error = 0; 157 if (uap->pid == 0) { 158 PROC_LOCK(p); 159 td->td_retval[0] = p->p_pgrp->pg_id; 160 PROC_UNLOCK(p); 161 } else if ((pt = pfind(uap->pid)) == NULL) 162 error = ESRCH; 163 else { 164 error = p_cansee(td, pt); 165 if (error == 0) 166 td->td_retval[0] = pt->p_pgrp->pg_id; 167 PROC_UNLOCK(pt); 168 } 169 mtx_unlock(&Giant); 170 return (error); 171 } 172 173 /* 174 * Get an arbitary pid's session id. 175 */ 176 #ifndef _SYS_SYSPROTO_H_ 177 struct getsid_args { 178 pid_t pid; 179 }; 180 #endif 181 /* 182 * MPSAFE 183 */ 184 int 185 getsid(struct thread *td, struct getsid_args *uap) 186 { 187 struct proc *p = td->td_proc; 188 struct proc *pt; 189 int error; 190 191 mtx_lock(&Giant); 192 error = 0; 193 if (uap->pid == 0) { 194 PROC_LOCK(p); 195 td->td_retval[0] = p->p_session->s_sid; 196 PROC_UNLOCK(p); 197 } else if ((pt = pfind(uap->pid)) == NULL) 198 error = ESRCH; 199 else { 200 error = p_cansee(td, pt); 201 if (error == 0) 202 td->td_retval[0] = pt->p_session->s_sid; 203 PROC_UNLOCK(pt); 204 } 205 mtx_unlock(&Giant); 206 return (error); 207 } 208 209 #ifndef _SYS_SYSPROTO_H_ 210 struct getuid_args { 211 int dummy; 212 }; 213 #endif 214 /* 215 * MPSAFE 216 */ 217 /* ARGSUSED */ 218 int 219 getuid(struct thread *td, struct getuid_args *uap) 220 { 221 222 td->td_retval[0] = td->td_ucred->cr_ruid; 223 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 224 td->td_retval[1] = td->td_ucred->cr_uid; 225 #endif 226 return (0); 227 } 228 229 #ifndef _SYS_SYSPROTO_H_ 230 struct geteuid_args { 231 int dummy; 232 }; 233 #endif 234 /* 235 * MPSAFE 236 */ 237 /* ARGSUSED */ 238 int 239 geteuid(struct thread *td, struct geteuid_args *uap) 240 { 241 242 td->td_retval[0] = td->td_ucred->cr_uid; 243 return (0); 244 } 245 246 #ifndef _SYS_SYSPROTO_H_ 247 struct getgid_args { 248 int dummy; 249 }; 250 #endif 251 /* 252 * MPSAFE 253 */ 254 /* ARGSUSED */ 255 int 256 getgid(struct thread *td, struct getgid_args *uap) 257 { 258 259 td->td_retval[0] = td->td_ucred->cr_rgid; 260 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 261 td->td_retval[1] = td->td_ucred->cr_groups[0]; 262 #endif 263 return (0); 264 } 265 266 /* 267 * Get effective group ID. The "egid" is groups[0], and could be obtained 268 * via getgroups. This syscall exists because it is somewhat painful to do 269 * correctly in a library function. 270 */ 271 #ifndef _SYS_SYSPROTO_H_ 272 struct getegid_args { 273 int dummy; 274 }; 275 #endif 276 /* 277 * MPSAFE 278 */ 279 /* ARGSUSED */ 280 int 281 getegid(struct thread *td, struct getegid_args *uap) 282 { 283 284 td->td_retval[0] = td->td_ucred->cr_groups[0]; 285 return (0); 286 } 287 288 #ifndef _SYS_SYSPROTO_H_ 289 struct getgroups_args { 290 u_int gidsetsize; 291 gid_t *gidset; 292 }; 293 #endif 294 /* 295 * MPSAFE 296 */ 297 int 298 getgroups(struct thread *td, register struct getgroups_args *uap) 299 { 300 struct ucred *cred; 301 u_int ngrp; 302 int error; 303 304 cred = td->td_ucred; 305 if ((ngrp = uap->gidsetsize) == 0) { 306 td->td_retval[0] = cred->cr_ngroups; 307 return (0); 308 } 309 if (ngrp < cred->cr_ngroups) 310 return (EINVAL); 311 ngrp = cred->cr_ngroups; 312 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); 313 if (error == 0) 314 td->td_retval[0] = ngrp; 315 return (error); 316 } 317 318 #ifndef _SYS_SYSPROTO_H_ 319 struct setsid_args { 320 int dummy; 321 }; 322 #endif 323 /* 324 * MPSAFE 325 */ 326 /* ARGSUSED */ 327 int 328 setsid(register struct thread *td, struct setsid_args *uap) 329 { 330 struct pgrp *pgrp; 331 int error; 332 struct proc *p = td->td_proc; 333 struct pgrp *newpgrp; 334 struct session *newsess; 335 336 error = 0; 337 pgrp = NULL; 338 339 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 340 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 341 342 sx_xlock(&proctree_lock); 343 344 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 345 if (pgrp != NULL) 346 PGRP_UNLOCK(pgrp); 347 error = EPERM; 348 } else { 349 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 350 td->td_retval[0] = p->p_pid; 351 newpgrp = NULL; 352 newsess = NULL; 353 } 354 355 sx_xunlock(&proctree_lock); 356 357 if (newpgrp != NULL) 358 FREE(newpgrp, M_PGRP); 359 if (newsess != NULL) 360 FREE(newsess, M_SESSION); 361 362 return (error); 363 } 364 365 /* 366 * set process group (setpgid/old setpgrp) 367 * 368 * caller does setpgid(targpid, targpgid) 369 * 370 * pid must be caller or child of caller (ESRCH) 371 * if a child 372 * pid must be in same session (EPERM) 373 * pid can't have done an exec (EACCES) 374 * if pgid != pid 375 * there must exist some pid in same session having pgid (EPERM) 376 * pid must not be session leader (EPERM) 377 */ 378 #ifndef _SYS_SYSPROTO_H_ 379 struct setpgid_args { 380 int pid; /* target process id */ 381 int pgid; /* target pgrp id */ 382 }; 383 #endif 384 /* 385 * MPSAFE 386 */ 387 /* ARGSUSED */ 388 int 389 setpgid(struct thread *td, register struct setpgid_args *uap) 390 { 391 struct proc *curp = td->td_proc; 392 register struct proc *targp; /* target process */ 393 register struct pgrp *pgrp; /* target pgrp */ 394 int error; 395 struct pgrp *newpgrp; 396 397 if (uap->pgid < 0) 398 return (EINVAL); 399 400 error = 0; 401 402 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 403 404 sx_xlock(&proctree_lock); 405 if (uap->pid != 0 && uap->pid != curp->p_pid) { 406 if ((targp = pfind(uap->pid)) == NULL) { 407 if (targp) 408 PROC_UNLOCK(targp); 409 error = ESRCH; 410 goto done; 411 } 412 if (!inferior(targp)) { 413 PROC_UNLOCK(targp); 414 error = ESRCH; 415 goto done; 416 } 417 if ((error = p_cansee(curthread, targp))) { 418 PROC_UNLOCK(targp); 419 goto done; 420 } 421 if (targp->p_pgrp == NULL || 422 targp->p_session != curp->p_session) { 423 PROC_UNLOCK(targp); 424 error = EPERM; 425 goto done; 426 } 427 if (targp->p_flag & P_EXEC) { 428 PROC_UNLOCK(targp); 429 error = EACCES; 430 goto done; 431 } 432 PROC_UNLOCK(targp); 433 } else 434 targp = curp; 435 if (SESS_LEADER(targp)) { 436 error = EPERM; 437 goto done; 438 } 439 if (uap->pgid == 0) 440 uap->pgid = targp->p_pid; 441 if (uap->pgid == targp->p_pid) { 442 if (targp->p_pgid == uap->pgid) 443 goto done; 444 error = enterpgrp(targp, uap->pgid, newpgrp, NULL); 445 if (error == 0) 446 newpgrp = NULL; 447 } else { 448 if ((pgrp = pgfind(uap->pgid)) == NULL || 449 pgrp->pg_session != curp->p_session) { 450 if (pgrp != NULL) 451 PGRP_UNLOCK(pgrp); 452 error = EPERM; 453 goto done; 454 } 455 if (pgrp == targp->p_pgrp) { 456 PGRP_UNLOCK(pgrp); 457 goto done; 458 } 459 PGRP_UNLOCK(pgrp); 460 error = enterthispgrp(targp, pgrp); 461 } 462 done: 463 sx_xunlock(&proctree_lock); 464 KASSERT((error == 0) || (newpgrp != NULL), 465 ("setpgid failed and newpgrp is NULL")); 466 if (newpgrp != NULL) 467 FREE(newpgrp, M_PGRP); 468 return (error); 469 } 470 471 /* 472 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 473 * compatible. It says that setting the uid/gid to euid/egid is a special 474 * case of "appropriate privilege". Once the rules are expanded out, this 475 * basically means that setuid(nnn) sets all three id's, in all permitted 476 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 477 * does not set the saved id - this is dangerous for traditional BSD 478 * programs. For this reason, we *really* do not want to set 479 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 480 */ 481 #define POSIX_APPENDIX_B_4_2_2 482 483 #ifndef _SYS_SYSPROTO_H_ 484 struct setuid_args { 485 uid_t uid; 486 }; 487 #endif 488 /* 489 * MPSAFE 490 */ 491 /* ARGSUSED */ 492 int 493 setuid(struct thread *td, struct setuid_args *uap) 494 { 495 struct proc *p = td->td_proc; 496 struct ucred *newcred, *oldcred; 497 uid_t uid; 498 struct uidinfo *uip; 499 int error; 500 501 mtx_lock(&Giant); 502 uid = uap->uid; 503 newcred = crget(); 504 uip = uifind(uid); 505 PROC_LOCK(p); 506 oldcred = p->p_ucred; 507 508 /* 509 * See if we have "permission" by POSIX 1003.1 rules. 510 * 511 * Note that setuid(geteuid()) is a special case of 512 * "appropriate privileges" in appendix B.4.2.2. We need 513 * to use this clause to be compatible with traditional BSD 514 * semantics. Basically, it means that "setuid(xx)" sets all 515 * three id's (assuming you have privs). 516 * 517 * Notes on the logic. We do things in three steps. 518 * 1: We determine if the euid is going to change, and do EPERM 519 * right away. We unconditionally change the euid later if this 520 * test is satisfied, simplifying that part of the logic. 521 * 2: We determine if the real and/or saved uids are going to 522 * change. Determined by compile options. 523 * 3: Change euid last. (after tests in #2 for "appropriate privs") 524 */ 525 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 526 #ifdef _POSIX_SAVED_IDS 527 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 528 #endif 529 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 530 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 531 #endif 532 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 533 PROC_UNLOCK(p); 534 uifree(uip); 535 crfree(newcred); 536 mtx_unlock(&Giant); 537 return (error); 538 } 539 540 /* 541 * Copy credentials so other references do not see our changes. 542 */ 543 crcopy(newcred, oldcred); 544 #ifdef _POSIX_SAVED_IDS 545 /* 546 * Do we have "appropriate privileges" (are we root or uid == euid) 547 * If so, we are changing the real uid and/or saved uid. 548 */ 549 if ( 550 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 551 uid == oldcred->cr_uid || 552 #endif 553 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 554 #endif 555 { 556 /* 557 * Set the real uid and transfer proc count to new user. 558 */ 559 if (uid != oldcred->cr_ruid) { 560 change_ruid(newcred, uip); 561 setsugid(p); 562 } 563 /* 564 * Set saved uid 565 * 566 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 567 * the security of seteuid() depends on it. B.4.2.2 says it 568 * is important that we should do this. 569 */ 570 if (uid != oldcred->cr_svuid) { 571 change_svuid(newcred, uid); 572 setsugid(p); 573 } 574 } 575 576 /* 577 * In all permitted cases, we are changing the euid. 578 */ 579 if (uid != oldcred->cr_uid) { 580 change_euid(newcred, uip); 581 setsugid(p); 582 } 583 p->p_ucred = newcred; 584 PROC_UNLOCK(p); 585 uifree(uip); 586 crfree(oldcred); 587 mtx_unlock(&Giant); 588 return (0); 589 } 590 591 #ifndef _SYS_SYSPROTO_H_ 592 struct seteuid_args { 593 uid_t euid; 594 }; 595 #endif 596 /* 597 * MPSAFE 598 */ 599 /* ARGSUSED */ 600 int 601 seteuid(struct thread *td, struct seteuid_args *uap) 602 { 603 struct proc *p = td->td_proc; 604 struct ucred *newcred, *oldcred; 605 uid_t euid; 606 struct uidinfo *euip; 607 int error; 608 609 euid = uap->euid; 610 mtx_lock(&Giant); 611 newcred = crget(); 612 euip = uifind(euid); 613 PROC_LOCK(p); 614 oldcred = p->p_ucred; 615 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 616 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 617 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 618 PROC_UNLOCK(p); 619 uifree(euip); 620 crfree(newcred); 621 mtx_unlock(&Giant); 622 return (error); 623 } 624 /* 625 * Everything's okay, do it. Copy credentials so other references do 626 * not see our changes. 627 */ 628 crcopy(newcred, oldcred); 629 if (oldcred->cr_uid != euid) { 630 change_euid(newcred, euip); 631 setsugid(p); 632 } 633 p->p_ucred = newcred; 634 PROC_UNLOCK(p); 635 uifree(euip); 636 crfree(oldcred); 637 mtx_unlock(&Giant); 638 return (0); 639 } 640 641 #ifndef _SYS_SYSPROTO_H_ 642 struct setgid_args { 643 gid_t gid; 644 }; 645 #endif 646 /* 647 * MPSAFE 648 */ 649 /* ARGSUSED */ 650 int 651 setgid(struct thread *td, struct setgid_args *uap) 652 { 653 struct proc *p = td->td_proc; 654 struct ucred *newcred, *oldcred; 655 gid_t gid; 656 int error; 657 658 gid = uap->gid; 659 mtx_lock(&Giant); 660 newcred = crget(); 661 PROC_LOCK(p); 662 oldcred = p->p_ucred; 663 664 /* 665 * See if we have "permission" by POSIX 1003.1 rules. 666 * 667 * Note that setgid(getegid()) is a special case of 668 * "appropriate privileges" in appendix B.4.2.2. We need 669 * to use this clause to be compatible with traditional BSD 670 * semantics. Basically, it means that "setgid(xx)" sets all 671 * three id's (assuming you have privs). 672 * 673 * For notes on the logic here, see setuid() above. 674 */ 675 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 676 #ifdef _POSIX_SAVED_IDS 677 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 678 #endif 679 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 680 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 681 #endif 682 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 683 PROC_UNLOCK(p); 684 crfree(newcred); 685 mtx_unlock(&Giant); 686 return (error); 687 } 688 689 crcopy(newcred, oldcred); 690 #ifdef _POSIX_SAVED_IDS 691 /* 692 * Do we have "appropriate privileges" (are we root or gid == egid) 693 * If so, we are changing the real uid and saved gid. 694 */ 695 if ( 696 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 697 gid == oldcred->cr_groups[0] || 698 #endif 699 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 700 #endif 701 { 702 /* 703 * Set real gid 704 */ 705 if (oldcred->cr_rgid != gid) { 706 change_rgid(newcred, gid); 707 setsugid(p); 708 } 709 /* 710 * Set saved gid 711 * 712 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 713 * the security of setegid() depends on it. B.4.2.2 says it 714 * is important that we should do this. 715 */ 716 if (oldcred->cr_svgid != gid) { 717 change_svgid(newcred, gid); 718 setsugid(p); 719 } 720 } 721 /* 722 * In all cases permitted cases, we are changing the egid. 723 * Copy credentials so other references do not see our changes. 724 */ 725 if (oldcred->cr_groups[0] != gid) { 726 change_egid(newcred, gid); 727 setsugid(p); 728 } 729 p->p_ucred = newcred; 730 PROC_UNLOCK(p); 731 crfree(oldcred); 732 mtx_unlock(&Giant); 733 return (0); 734 } 735 736 #ifndef _SYS_SYSPROTO_H_ 737 struct setegid_args { 738 gid_t egid; 739 }; 740 #endif 741 /* 742 * MPSAFE 743 */ 744 /* ARGSUSED */ 745 int 746 setegid(struct thread *td, struct setegid_args *uap) 747 { 748 struct proc *p = td->td_proc; 749 struct ucred *newcred, *oldcred; 750 gid_t egid; 751 int error; 752 753 egid = uap->egid; 754 mtx_lock(&Giant); 755 newcred = crget(); 756 PROC_LOCK(p); 757 oldcred = p->p_ucred; 758 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 759 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 760 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 761 PROC_UNLOCK(p); 762 crfree(newcred); 763 mtx_unlock(&Giant); 764 return (error); 765 } 766 crcopy(newcred, oldcred); 767 if (oldcred->cr_groups[0] != egid) { 768 change_egid(newcred, egid); 769 setsugid(p); 770 } 771 p->p_ucred = newcred; 772 PROC_UNLOCK(p); 773 crfree(oldcred); 774 mtx_unlock(&Giant); 775 return (0); 776 } 777 778 #ifndef _SYS_SYSPROTO_H_ 779 struct setgroups_args { 780 u_int gidsetsize; 781 gid_t *gidset; 782 }; 783 #endif 784 /* 785 * MPSAFE 786 */ 787 /* ARGSUSED */ 788 int 789 setgroups(struct thread *td, struct setgroups_args *uap) 790 { 791 struct proc *p = td->td_proc; 792 struct ucred *newcred, *tempcred, *oldcred; 793 u_int ngrp; 794 int error; 795 796 ngrp = uap->gidsetsize; 797 if (ngrp > NGROUPS) 798 return (EINVAL); 799 mtx_lock(&Giant); 800 tempcred = crget(); 801 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t)); 802 if (error != 0) { 803 crfree(tempcred); 804 mtx_unlock(&Giant); 805 return (error); 806 } 807 newcred = crget(); 808 PROC_LOCK(p); 809 oldcred = p->p_ucred; 810 error = suser_cred(oldcred, PRISON_ROOT); 811 if (error) { 812 PROC_UNLOCK(p); 813 crfree(newcred); 814 crfree(tempcred); 815 mtx_unlock(&Giant); 816 return (error); 817 } 818 819 /* 820 * XXX A little bit lazy here. We could test if anything has 821 * changed before crcopy() and setting P_SUGID. 822 */ 823 crcopy(newcred, oldcred); 824 if (ngrp < 1) { 825 /* 826 * setgroups(0, NULL) is a legitimate way of clearing the 827 * groups vector on non-BSD systems (which generally do not 828 * have the egid in the groups[0]). We risk security holes 829 * when running non-BSD software if we do not do the same. 830 */ 831 newcred->cr_ngroups = 1; 832 } else { 833 bcopy(tempcred->cr_groups, newcred->cr_groups, 834 ngrp * sizeof(gid_t)); 835 newcred->cr_ngroups = ngrp; 836 } 837 setsugid(p); 838 p->p_ucred = newcred; 839 PROC_UNLOCK(p); 840 crfree(tempcred); 841 crfree(oldcred); 842 mtx_unlock(&Giant); 843 return (0); 844 } 845 846 #ifndef _SYS_SYSPROTO_H_ 847 struct setreuid_args { 848 uid_t ruid; 849 uid_t euid; 850 }; 851 #endif 852 /* 853 * MPSAFE 854 */ 855 /* ARGSUSED */ 856 int 857 setreuid(register struct thread *td, struct setreuid_args *uap) 858 { 859 struct proc *p = td->td_proc; 860 struct ucred *newcred, *oldcred; 861 uid_t euid, ruid; 862 struct uidinfo *euip, *ruip; 863 int error; 864 865 euid = uap->euid; 866 ruid = uap->ruid; 867 mtx_lock(&Giant); 868 newcred = crget(); 869 euip = uifind(euid); 870 ruip = uifind(ruid); 871 PROC_LOCK(p); 872 oldcred = p->p_ucred; 873 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 874 ruid != oldcred->cr_svuid) || 875 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 876 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 877 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 878 PROC_UNLOCK(p); 879 uifree(ruip); 880 uifree(euip); 881 crfree(newcred); 882 mtx_unlock(&Giant); 883 return (error); 884 } 885 crcopy(newcred, oldcred); 886 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 887 change_euid(newcred, euip); 888 setsugid(p); 889 } 890 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 891 change_ruid(newcred, ruip); 892 setsugid(p); 893 } 894 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 895 newcred->cr_svuid != newcred->cr_uid) { 896 change_svuid(newcred, newcred->cr_uid); 897 setsugid(p); 898 } 899 p->p_ucred = newcred; 900 PROC_UNLOCK(p); 901 uifree(ruip); 902 uifree(euip); 903 crfree(oldcred); 904 mtx_unlock(&Giant); 905 return (0); 906 } 907 908 #ifndef _SYS_SYSPROTO_H_ 909 struct setregid_args { 910 gid_t rgid; 911 gid_t egid; 912 }; 913 #endif 914 /* 915 * MPSAFE 916 */ 917 /* ARGSUSED */ 918 int 919 setregid(register struct thread *td, struct setregid_args *uap) 920 { 921 struct proc *p = td->td_proc; 922 struct ucred *newcred, *oldcred; 923 gid_t egid, rgid; 924 int error; 925 926 egid = uap->egid; 927 rgid = uap->rgid; 928 mtx_lock(&Giant); 929 newcred = crget(); 930 PROC_LOCK(p); 931 oldcred = p->p_ucred; 932 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 933 rgid != oldcred->cr_svgid) || 934 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 935 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 936 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 937 PROC_UNLOCK(p); 938 crfree(newcred); 939 mtx_unlock(&Giant); 940 return (error); 941 } 942 943 crcopy(newcred, oldcred); 944 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 945 change_egid(newcred, egid); 946 setsugid(p); 947 } 948 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 949 change_rgid(newcred, rgid); 950 setsugid(p); 951 } 952 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 953 newcred->cr_svgid != newcred->cr_groups[0]) { 954 change_svgid(newcred, newcred->cr_groups[0]); 955 setsugid(p); 956 } 957 p->p_ucred = newcred; 958 PROC_UNLOCK(p); 959 crfree(oldcred); 960 mtx_unlock(&Giant); 961 return (0); 962 } 963 964 /* 965 * setresuid(ruid, euid, suid) is like setreuid except control over the 966 * saved uid is explicit. 967 */ 968 969 #ifndef _SYS_SYSPROTO_H_ 970 struct setresuid_args { 971 uid_t ruid; 972 uid_t euid; 973 uid_t suid; 974 }; 975 #endif 976 /* 977 * MPSAFE 978 */ 979 /* ARGSUSED */ 980 int 981 setresuid(register struct thread *td, struct setresuid_args *uap) 982 { 983 struct proc *p = td->td_proc; 984 struct ucred *newcred, *oldcred; 985 uid_t euid, ruid, suid; 986 struct uidinfo *euip, *ruip; 987 int error; 988 989 euid = uap->euid; 990 ruid = uap->ruid; 991 suid = uap->suid; 992 mtx_lock(&Giant); 993 newcred = crget(); 994 euip = uifind(euid); 995 ruip = uifind(ruid); 996 PROC_LOCK(p); 997 oldcred = p->p_ucred; 998 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 999 ruid != oldcred->cr_svuid && 1000 ruid != oldcred->cr_uid) || 1001 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1002 euid != oldcred->cr_svuid && 1003 euid != oldcred->cr_uid) || 1004 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1005 suid != oldcred->cr_svuid && 1006 suid != oldcred->cr_uid)) && 1007 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 1008 PROC_UNLOCK(p); 1009 uifree(ruip); 1010 uifree(euip); 1011 crfree(newcred); 1012 mtx_unlock(&Giant); 1013 return (error); 1014 } 1015 1016 crcopy(newcred, oldcred); 1017 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1018 change_euid(newcred, euip); 1019 setsugid(p); 1020 } 1021 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1022 change_ruid(newcred, ruip); 1023 setsugid(p); 1024 } 1025 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1026 change_svuid(newcred, suid); 1027 setsugid(p); 1028 } 1029 p->p_ucred = newcred; 1030 PROC_UNLOCK(p); 1031 uifree(ruip); 1032 uifree(euip); 1033 crfree(oldcred); 1034 mtx_unlock(&Giant); 1035 return (0); 1036 } 1037 1038 /* 1039 * setresgid(rgid, egid, sgid) is like setregid except control over the 1040 * saved gid is explicit. 1041 */ 1042 1043 #ifndef _SYS_SYSPROTO_H_ 1044 struct setresgid_args { 1045 gid_t rgid; 1046 gid_t egid; 1047 gid_t sgid; 1048 }; 1049 #endif 1050 /* 1051 * MPSAFE 1052 */ 1053 /* ARGSUSED */ 1054 int 1055 setresgid(register struct thread *td, struct setresgid_args *uap) 1056 { 1057 struct proc *p = td->td_proc; 1058 struct ucred *newcred, *oldcred; 1059 gid_t egid, rgid, sgid; 1060 int error; 1061 1062 egid = uap->egid; 1063 rgid = uap->rgid; 1064 sgid = uap->sgid; 1065 mtx_lock(&Giant); 1066 newcred = crget(); 1067 PROC_LOCK(p); 1068 oldcred = p->p_ucred; 1069 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1070 rgid != oldcred->cr_svgid && 1071 rgid != oldcred->cr_groups[0]) || 1072 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1073 egid != oldcred->cr_svgid && 1074 egid != oldcred->cr_groups[0]) || 1075 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1076 sgid != oldcred->cr_svgid && 1077 sgid != oldcred->cr_groups[0])) && 1078 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 1079 PROC_UNLOCK(p); 1080 crfree(newcred); 1081 mtx_unlock(&Giant); 1082 return (error); 1083 } 1084 1085 crcopy(newcred, oldcred); 1086 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1087 change_egid(newcred, egid); 1088 setsugid(p); 1089 } 1090 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1091 change_rgid(newcred, rgid); 1092 setsugid(p); 1093 } 1094 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1095 change_svgid(newcred, sgid); 1096 setsugid(p); 1097 } 1098 p->p_ucred = newcred; 1099 PROC_UNLOCK(p); 1100 crfree(oldcred); 1101 mtx_unlock(&Giant); 1102 return (0); 1103 } 1104 1105 #ifndef _SYS_SYSPROTO_H_ 1106 struct getresuid_args { 1107 uid_t *ruid; 1108 uid_t *euid; 1109 uid_t *suid; 1110 }; 1111 #endif 1112 /* 1113 * MPSAFE 1114 */ 1115 /* ARGSUSED */ 1116 int 1117 getresuid(register struct thread *td, struct getresuid_args *uap) 1118 { 1119 struct ucred *cred; 1120 int error1 = 0, error2 = 0, error3 = 0; 1121 1122 cred = td->td_ucred; 1123 if (uap->ruid) 1124 error1 = copyout(&cred->cr_ruid, 1125 uap->ruid, sizeof(cred->cr_ruid)); 1126 if (uap->euid) 1127 error2 = copyout(&cred->cr_uid, 1128 uap->euid, sizeof(cred->cr_uid)); 1129 if (uap->suid) 1130 error3 = copyout(&cred->cr_svuid, 1131 uap->suid, sizeof(cred->cr_svuid)); 1132 return (error1 ? error1 : error2 ? error2 : error3); 1133 } 1134 1135 #ifndef _SYS_SYSPROTO_H_ 1136 struct getresgid_args { 1137 gid_t *rgid; 1138 gid_t *egid; 1139 gid_t *sgid; 1140 }; 1141 #endif 1142 /* 1143 * MPSAFE 1144 */ 1145 /* ARGSUSED */ 1146 int 1147 getresgid(register struct thread *td, struct getresgid_args *uap) 1148 { 1149 struct ucred *cred; 1150 int error1 = 0, error2 = 0, error3 = 0; 1151 1152 cred = td->td_ucred; 1153 if (uap->rgid) 1154 error1 = copyout(&cred->cr_rgid, 1155 uap->rgid, sizeof(cred->cr_rgid)); 1156 if (uap->egid) 1157 error2 = copyout(&cred->cr_groups[0], 1158 uap->egid, sizeof(cred->cr_groups[0])); 1159 if (uap->sgid) 1160 error3 = copyout(&cred->cr_svgid, 1161 uap->sgid, sizeof(cred->cr_svgid)); 1162 return (error1 ? error1 : error2 ? error2 : error3); 1163 } 1164 1165 #ifndef _SYS_SYSPROTO_H_ 1166 struct issetugid_args { 1167 int dummy; 1168 }; 1169 #endif 1170 /* 1171 * NOT MPSAFE? 1172 */ 1173 /* ARGSUSED */ 1174 int 1175 issetugid(register struct thread *td, struct issetugid_args *uap) 1176 { 1177 struct proc *p = td->td_proc; 1178 1179 /* 1180 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1181 * we use P_SUGID because we consider changing the owners as 1182 * "tainting" as well. 1183 * This is significant for procs that start as root and "become" 1184 * a user without an exec - programs cannot know *everything* 1185 * that libc *might* have put in their data segment. 1186 */ 1187 PROC_LOCK(p); 1188 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1189 PROC_UNLOCK(p); 1190 return (0); 1191 } 1192 1193 /* 1194 * MPSAFE 1195 */ 1196 int 1197 __setugid(struct thread *td, struct __setugid_args *uap) 1198 { 1199 #ifdef REGRESSION 1200 struct proc *p; 1201 1202 p = td->td_proc; 1203 switch (uap->flag) { 1204 case 0: 1205 mtx_lock(&Giant); 1206 PROC_LOCK(p); 1207 p->p_flag &= ~P_SUGID; 1208 PROC_UNLOCK(p); 1209 mtx_unlock(&Giant); 1210 return (0); 1211 case 1: 1212 mtx_lock(&Giant); 1213 PROC_LOCK(p); 1214 p->p_flag |= P_SUGID; 1215 PROC_UNLOCK(p); 1216 mtx_unlock(&Giant); 1217 return (0); 1218 default: 1219 return (EINVAL); 1220 } 1221 #else /* !REGRESSION */ 1222 1223 return (ENOSYS); 1224 #endif /* REGRESSION */ 1225 } 1226 1227 /* 1228 * Check if gid is a member of the group set. 1229 * 1230 * MPSAFE (cred must be held) 1231 */ 1232 int 1233 groupmember(gid_t gid, struct ucred *cred) 1234 { 1235 register gid_t *gp; 1236 gid_t *egp; 1237 1238 egp = &(cred->cr_groups[cred->cr_ngroups]); 1239 for (gp = cred->cr_groups; gp < egp; gp++) 1240 if (*gp == gid) 1241 return (1); 1242 return (0); 1243 } 1244 1245 /* 1246 * `suser_enabled' (which can be set by the security.suser_enabled 1247 * sysctl) determines whether the system 'super-user' policy is in effect. 1248 * If it is nonzero, an effective uid of 0 connotes special privilege, 1249 * overriding many mandatory and discretionary protections. If it is zero, 1250 * uid 0 is offered no special privilege in the kernel security policy. 1251 * Setting it to zero may seriously impact the functionality of many 1252 * existing userland programs, and should not be done without careful 1253 * consideration of the consequences. 1254 */ 1255 int suser_enabled = 1; 1256 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1257 &suser_enabled, 0, "processes with uid 0 have privilege"); 1258 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1259 1260 /* 1261 * Test whether the specified credentials imply "super-user" privilege. 1262 * Return 0 or EPERM. The flag argument is currently used only to 1263 * specify jail interaction. 1264 */ 1265 int 1266 suser_cred(struct ucred *cred, int flag) 1267 { 1268 1269 if (!suser_enabled) 1270 return (EPERM); 1271 if (cred->cr_uid != 0) 1272 return (EPERM); 1273 if (jailed(cred) && !(flag & PRISON_ROOT)) 1274 return (EPERM); 1275 return (0); 1276 } 1277 1278 /* 1279 * Shortcut to hide contents of struct td and struct proc from the 1280 * caller, promoting binary compatibility. 1281 */ 1282 int 1283 suser(struct thread *td) 1284 { 1285 1286 return (suser_cred(td->td_ucred, 0)); 1287 } 1288 1289 /* 1290 * Test the active securelevel against a given level. securelevel_gt() 1291 * implements (securelevel > level). securelevel_ge() implements 1292 * (securelevel >= level). Note that the logic is inverted -- these 1293 * functions return EPERM on "success" and 0 on "failure". 1294 * 1295 * MPSAFE 1296 */ 1297 int 1298 securelevel_gt(struct ucred *cr, int level) 1299 { 1300 int active_securelevel; 1301 1302 active_securelevel = securelevel; 1303 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1304 if (cr->cr_prison != NULL) { 1305 mtx_lock(&cr->cr_prison->pr_mtx); 1306 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1307 active_securelevel); 1308 mtx_unlock(&cr->cr_prison->pr_mtx); 1309 } 1310 return (active_securelevel > level ? EPERM : 0); 1311 } 1312 1313 int 1314 securelevel_ge(struct ucred *cr, int level) 1315 { 1316 int active_securelevel; 1317 1318 active_securelevel = securelevel; 1319 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1320 if (cr->cr_prison != NULL) { 1321 mtx_lock(&cr->cr_prison->pr_mtx); 1322 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1323 active_securelevel); 1324 mtx_unlock(&cr->cr_prison->pr_mtx); 1325 } 1326 return (active_securelevel >= level ? EPERM : 0); 1327 } 1328 1329 /* 1330 * 'see_other_uids' determines whether or not visibility of processes 1331 * and sockets with credentials holding different real uids is possible 1332 * using a variety of system MIBs. 1333 * XXX: data declarations should be together near the beginning of the file. 1334 */ 1335 static int see_other_uids = 1; 1336 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1337 &see_other_uids, 0, 1338 "Unprivileged processes may see subjects/objects with different real uid"); 1339 1340 /*- 1341 * Determine if u1 "can see" the subject specified by u2, according to the 1342 * 'see_other_uids' policy. 1343 * Returns: 0 for permitted, ESRCH otherwise 1344 * Locks: none 1345 * References: *u1 and *u2 must not change during the call 1346 * u1 may equal u2, in which case only one reference is required 1347 */ 1348 static int 1349 cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1350 { 1351 1352 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1353 if (suser_cred(u1, PRISON_ROOT) != 0) 1354 return (ESRCH); 1355 } 1356 return (0); 1357 } 1358 1359 /*- 1360 * Determine if u1 "can see" the subject specified by u2. 1361 * Returns: 0 for permitted, an errno value otherwise 1362 * Locks: none 1363 * References: *u1 and *u2 must not change during the call 1364 * u1 may equal u2, in which case only one reference is required 1365 */ 1366 int 1367 cr_cansee(struct ucred *u1, struct ucred *u2) 1368 { 1369 int error; 1370 1371 if ((error = prison_check(u1, u2))) 1372 return (error); 1373 #ifdef MAC 1374 if ((error = mac_check_cred_visible(u1, u2))) 1375 return (error); 1376 #endif 1377 if ((error = cr_seeotheruids(u1, u2))) 1378 return (error); 1379 return (0); 1380 } 1381 1382 /*- 1383 * Determine if td "can see" the subject specified by p. 1384 * Returns: 0 for permitted, an errno value otherwise 1385 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1386 * should be curthread. 1387 * References: td and p must be valid for the lifetime of the call 1388 */ 1389 int 1390 p_cansee(struct thread *td, struct proc *p) 1391 { 1392 1393 /* Wrap cr_cansee() for all functionality. */ 1394 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1395 PROC_LOCK_ASSERT(p, MA_OWNED); 1396 return (cr_cansee(td->td_ucred, p->p_ucred)); 1397 } 1398 1399 /*- 1400 * Determine whether cred may deliver the specified signal to proc. 1401 * Returns: 0 for permitted, an errno value otherwise. 1402 * Locks: A lock must be held for proc. 1403 * References: cred and proc must be valid for the lifetime of the call. 1404 */ 1405 int 1406 cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1407 { 1408 int error; 1409 1410 PROC_LOCK_ASSERT(proc, MA_OWNED); 1411 /* 1412 * Jail semantics limit the scope of signalling to proc in the 1413 * same jail as cred, if cred is in jail. 1414 */ 1415 error = prison_check(cred, proc->p_ucred); 1416 if (error) 1417 return (error); 1418 #ifdef MAC 1419 if ((error = mac_check_proc_signal(cred, proc, signum))) 1420 return (error); 1421 #endif 1422 error = cr_seeotheruids(cred, proc->p_ucred); 1423 if (error) 1424 return (error); 1425 1426 /* 1427 * UNIX signal semantics depend on the status of the P_SUGID 1428 * bit on the target process. If the bit is set, then additional 1429 * restrictions are placed on the set of available signals. 1430 */ 1431 if (proc->p_flag & P_SUGID) { 1432 switch (signum) { 1433 case 0: 1434 case SIGKILL: 1435 case SIGINT: 1436 case SIGTERM: 1437 case SIGSTOP: 1438 case SIGTTIN: 1439 case SIGTTOU: 1440 case SIGTSTP: 1441 case SIGHUP: 1442 case SIGUSR1: 1443 case SIGUSR2: 1444 /* 1445 * Generally, permit job and terminal control 1446 * signals. 1447 */ 1448 break; 1449 default: 1450 /* Not permitted without privilege. */ 1451 error = suser_cred(cred, PRISON_ROOT); 1452 if (error) 1453 return (error); 1454 } 1455 } 1456 1457 /* 1458 * Generally, the target credential's ruid or svuid must match the 1459 * subject credential's ruid or euid. 1460 */ 1461 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1462 cred->cr_ruid != proc->p_ucred->cr_svuid && 1463 cred->cr_uid != proc->p_ucred->cr_ruid && 1464 cred->cr_uid != proc->p_ucred->cr_svuid) { 1465 /* Not permitted without privilege. */ 1466 error = suser_cred(cred, PRISON_ROOT); 1467 if (error) 1468 return (error); 1469 } 1470 1471 return (0); 1472 } 1473 1474 1475 /*- 1476 * Determine whether td may deliver the specified signal to p. 1477 * Returns: 0 for permitted, an errno value otherwise 1478 * Locks: Sufficient locks to protect various components of td and p 1479 * must be held. td must be curthread, and a lock must be 1480 * held for p. 1481 * References: td and p must be valid for the lifetime of the call 1482 */ 1483 int 1484 p_cansignal(struct thread *td, struct proc *p, int signum) 1485 { 1486 1487 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1488 PROC_LOCK_ASSERT(p, MA_OWNED); 1489 if (td->td_proc == p) 1490 return (0); 1491 1492 /* 1493 * UNIX signalling semantics require that processes in the same 1494 * session always be able to deliver SIGCONT to one another, 1495 * overriding the remaining protections. 1496 */ 1497 /* XXX: This will require an additional lock of some sort. */ 1498 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1499 return (0); 1500 1501 return (cr_cansignal(td->td_ucred, p, signum)); 1502 } 1503 1504 /*- 1505 * Determine whether td may reschedule p. 1506 * Returns: 0 for permitted, an errno value otherwise 1507 * Locks: Sufficient locks to protect various components of td and p 1508 * must be held. td must be curthread, and a lock must 1509 * be held for p. 1510 * References: td and p must be valid for the lifetime of the call 1511 */ 1512 int 1513 p_cansched(struct thread *td, struct proc *p) 1514 { 1515 int error; 1516 1517 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1518 PROC_LOCK_ASSERT(p, MA_OWNED); 1519 if (td->td_proc == p) 1520 return (0); 1521 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1522 return (error); 1523 #ifdef MAC 1524 if ((error = mac_check_proc_sched(td->td_ucred, p))) 1525 return (error); 1526 #endif 1527 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1528 return (error); 1529 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1530 return (0); 1531 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1532 return (0); 1533 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0) 1534 return (0); 1535 1536 #ifdef CAPABILITIES 1537 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT)) 1538 return (0); 1539 #endif 1540 1541 return (EPERM); 1542 } 1543 1544 /* 1545 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1546 * unprivileged inter-process debugging services, including some procfs 1547 * functionality, ptrace(), and ktrace(). In the past, inter-process 1548 * debugging has been involved in a variety of security problems, and sites 1549 * not requiring the service might choose to disable it when hardening 1550 * systems. 1551 * 1552 * XXX: Should modifying and reading this variable require locking? 1553 * XXX: data declarations should be together near the beginning of the file. 1554 */ 1555 static int unprivileged_proc_debug = 1; 1556 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1557 &unprivileged_proc_debug, 0, 1558 "Unprivileged processes may use process debugging facilities"); 1559 1560 /*- 1561 * Determine whether td may debug p. 1562 * Returns: 0 for permitted, an errno value otherwise 1563 * Locks: Sufficient locks to protect various components of td and p 1564 * must be held. td must be curthread, and a lock must 1565 * be held for p. 1566 * References: td and p must be valid for the lifetime of the call 1567 */ 1568 int 1569 p_candebug(struct thread *td, struct proc *p) 1570 { 1571 int credentialchanged, error, grpsubset, i, uidsubset; 1572 1573 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1574 PROC_LOCK_ASSERT(p, MA_OWNED); 1575 if (!unprivileged_proc_debug) { 1576 error = suser_cred(td->td_ucred, PRISON_ROOT); 1577 if (error) 1578 return (error); 1579 } 1580 if (td->td_proc == p) 1581 return (0); 1582 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1583 return (error); 1584 #ifdef MAC 1585 if ((error = mac_check_proc_debug(td->td_ucred, p))) 1586 return (error); 1587 #endif 1588 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1589 return (error); 1590 1591 /* 1592 * Is p's group set a subset of td's effective group set? This 1593 * includes p's egid, group access list, rgid, and svgid. 1594 */ 1595 grpsubset = 1; 1596 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1597 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1598 grpsubset = 0; 1599 break; 1600 } 1601 } 1602 grpsubset = grpsubset && 1603 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1604 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1605 1606 /* 1607 * Are the uids present in p's credential equal to td's 1608 * effective uid? This includes p's euid, svuid, and ruid. 1609 */ 1610 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1611 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1612 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1613 1614 /* 1615 * Has the credential of the process changed since the last exec()? 1616 */ 1617 credentialchanged = (p->p_flag & P_SUGID); 1618 1619 /* 1620 * If p's gids aren't a subset, or the uids aren't a subset, 1621 * or the credential has changed, require appropriate privilege 1622 * for td to debug p. For POSIX.1e capabilities, this will 1623 * require CAP_SYS_PTRACE. 1624 */ 1625 if (!grpsubset || !uidsubset || credentialchanged) { 1626 error = suser_cred(td->td_ucred, PRISON_ROOT); 1627 if (error) 1628 return (error); 1629 } 1630 1631 /* Can't trace init when securelevel > 0. */ 1632 if (p == initproc) { 1633 error = securelevel_gt(td->td_ucred, 0); 1634 if (error) 1635 return (error); 1636 } 1637 1638 /* 1639 * Can't trace a process that's currently exec'ing. 1640 * XXX: Note, this is not a security policy decision, it's a 1641 * basic correctness/functionality decision. Therefore, this check 1642 * should be moved to the caller's of p_candebug(). 1643 */ 1644 if ((p->p_flag & P_INEXEC) != 0) 1645 return (EAGAIN); 1646 1647 return (0); 1648 } 1649 1650 /*- 1651 * Determine whether the subject represented by cred can "see" a socket. 1652 * Returns: 0 for permitted, ENOENT otherwise. 1653 */ 1654 int 1655 cr_canseesocket(struct ucred *cred, struct socket *so) 1656 { 1657 int error; 1658 1659 error = prison_check(cred, so->so_cred); 1660 if (error) 1661 return (ENOENT); 1662 #ifdef MAC 1663 error = mac_check_socket_visible(cred, so); 1664 if (error) 1665 return (error); 1666 #endif 1667 if (cr_seeotheruids(cred, so->so_cred)) 1668 return (ENOENT); 1669 1670 return (0); 1671 } 1672 1673 /* 1674 * Allocate a zeroed cred structure. 1675 */ 1676 struct ucred * 1677 crget(void) 1678 { 1679 register struct ucred *cr; 1680 1681 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1682 cr->cr_ref = 1; 1683 cr->cr_mtxp = mtx_pool_find(cr); 1684 #ifdef MAC 1685 mac_init_cred(cr); 1686 #endif 1687 return (cr); 1688 } 1689 1690 /* 1691 * Claim another reference to a ucred structure. 1692 */ 1693 struct ucred * 1694 crhold(struct ucred *cr) 1695 { 1696 1697 mtx_lock(cr->cr_mtxp); 1698 cr->cr_ref++; 1699 mtx_unlock(cr->cr_mtxp); 1700 return (cr); 1701 } 1702 1703 /* 1704 * Free a cred structure. 1705 * Throws away space when ref count gets to 0. 1706 */ 1707 void 1708 crfree(struct ucred *cr) 1709 { 1710 struct mtx *mtxp = cr->cr_mtxp; 1711 1712 mtx_lock(mtxp); 1713 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1714 if (--cr->cr_ref == 0) { 1715 /* 1716 * Some callers of crget(), such as nfs_statfs(), 1717 * allocate a temporary credential, but don't 1718 * allocate a uidinfo structure. 1719 */ 1720 mtx_unlock(mtxp); 1721 mtx_lock(&Giant); 1722 if (cr->cr_uidinfo != NULL) 1723 uifree(cr->cr_uidinfo); 1724 if (cr->cr_ruidinfo != NULL) 1725 uifree(cr->cr_ruidinfo); 1726 /* 1727 * Free a prison, if any. 1728 */ 1729 if (jailed(cr)) 1730 prison_free(cr->cr_prison); 1731 #ifdef MAC 1732 mac_destroy_cred(cr); 1733 #endif 1734 FREE(cr, M_CRED); 1735 mtx_unlock(&Giant); 1736 } else { 1737 mtx_unlock(mtxp); 1738 } 1739 } 1740 1741 /* 1742 * Check to see if this ucred is shared. 1743 */ 1744 int 1745 crshared(struct ucred *cr) 1746 { 1747 int shared; 1748 1749 mtx_lock(cr->cr_mtxp); 1750 shared = (cr->cr_ref > 1); 1751 mtx_unlock(cr->cr_mtxp); 1752 return (shared); 1753 } 1754 1755 /* 1756 * Copy a ucred's contents from a template. Does not block. 1757 */ 1758 void 1759 crcopy(struct ucred *dest, struct ucred *src) 1760 { 1761 1762 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1763 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1764 (unsigned)((caddr_t)&src->cr_endcopy - 1765 (caddr_t)&src->cr_startcopy)); 1766 uihold(dest->cr_uidinfo); 1767 uihold(dest->cr_ruidinfo); 1768 if (jailed(dest)) 1769 prison_hold(dest->cr_prison); 1770 #ifdef MAC 1771 mac_create_cred(src, dest); 1772 #endif 1773 } 1774 1775 /* 1776 * Dup cred struct to a new held one. 1777 */ 1778 struct ucred * 1779 crdup(struct ucred *cr) 1780 { 1781 struct ucred *newcr; 1782 1783 newcr = crget(); 1784 crcopy(newcr, cr); 1785 return (newcr); 1786 } 1787 1788 #ifdef DIAGNOSTIC 1789 void 1790 cred_free_thread(struct thread *td) 1791 { 1792 struct ucred *cred; 1793 1794 cred = td->td_ucred; 1795 td->td_ucred = NULL; 1796 if (cred != NULL) 1797 crfree(cred); 1798 } 1799 #endif 1800 1801 /* 1802 * Fill in a struct xucred based on a struct ucred. 1803 */ 1804 void 1805 cru2x(struct ucred *cr, struct xucred *xcr) 1806 { 1807 1808 bzero(xcr, sizeof(*xcr)); 1809 xcr->cr_version = XUCRED_VERSION; 1810 xcr->cr_uid = cr->cr_uid; 1811 xcr->cr_ngroups = cr->cr_ngroups; 1812 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1813 } 1814 1815 /* 1816 * small routine to swap a thread's current ucred for the correct one 1817 * taken from the process. 1818 */ 1819 void 1820 cred_update_thread(struct thread *td) 1821 { 1822 struct proc *p; 1823 struct ucred *cred; 1824 1825 p = td->td_proc; 1826 cred = td->td_ucred; 1827 mtx_lock(&Giant); 1828 PROC_LOCK(p); 1829 td->td_ucred = crhold(p->p_ucred); 1830 PROC_UNLOCK(p); 1831 if (cred != NULL) 1832 crfree(cred); 1833 mtx_unlock(&Giant); 1834 } 1835 1836 /* 1837 * Get login name, if available. 1838 */ 1839 #ifndef _SYS_SYSPROTO_H_ 1840 struct getlogin_args { 1841 char *namebuf; 1842 u_int namelen; 1843 }; 1844 #endif 1845 /* 1846 * MPSAFE 1847 */ 1848 /* ARGSUSED */ 1849 int 1850 getlogin(struct thread *td, struct getlogin_args *uap) 1851 { 1852 int error; 1853 char login[MAXLOGNAME]; 1854 struct proc *p = td->td_proc; 1855 1856 if (uap->namelen > MAXLOGNAME) 1857 uap->namelen = MAXLOGNAME; 1858 PROC_LOCK(p); 1859 SESS_LOCK(p->p_session); 1860 bcopy(p->p_session->s_login, login, uap->namelen); 1861 SESS_UNLOCK(p->p_session); 1862 PROC_UNLOCK(p); 1863 error = copyout(login, uap->namebuf, uap->namelen); 1864 return(error); 1865 } 1866 1867 /* 1868 * Set login name. 1869 */ 1870 #ifndef _SYS_SYSPROTO_H_ 1871 struct setlogin_args { 1872 char *namebuf; 1873 }; 1874 #endif 1875 /* 1876 * MPSAFE 1877 */ 1878 /* ARGSUSED */ 1879 int 1880 setlogin(struct thread *td, struct setlogin_args *uap) 1881 { 1882 struct proc *p = td->td_proc; 1883 int error; 1884 char logintmp[MAXLOGNAME]; 1885 1886 error = suser_cred(td->td_ucred, PRISON_ROOT); 1887 if (error) 1888 return (error); 1889 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1890 if (error == ENAMETOOLONG) 1891 error = EINVAL; 1892 else if (!error) { 1893 PROC_LOCK(p); 1894 SESS_LOCK(p->p_session); 1895 (void) memcpy(p->p_session->s_login, logintmp, 1896 sizeof(logintmp)); 1897 SESS_UNLOCK(p->p_session); 1898 PROC_UNLOCK(p); 1899 } 1900 return (error); 1901 } 1902 1903 void 1904 setsugid(struct proc *p) 1905 { 1906 1907 PROC_LOCK_ASSERT(p, MA_OWNED); 1908 p->p_flag |= P_SUGID; 1909 if (!(p->p_pfsflags & PF_ISUGID)) 1910 p->p_stops = 0; 1911 } 1912 1913 /*- 1914 * Change a process's effective uid. 1915 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1916 * References: newcred must be an exclusive credential reference for the 1917 * duration of the call. 1918 */ 1919 void 1920 change_euid(struct ucred *newcred, struct uidinfo *euip) 1921 { 1922 1923 newcred->cr_uid = euip->ui_uid; 1924 uihold(euip); 1925 uifree(newcred->cr_uidinfo); 1926 newcred->cr_uidinfo = euip; 1927 } 1928 1929 /*- 1930 * Change a process's effective gid. 1931 * Side effects: newcred->cr_gid will be modified. 1932 * References: newcred must be an exclusive credential reference for the 1933 * duration of the call. 1934 */ 1935 void 1936 change_egid(struct ucred *newcred, gid_t egid) 1937 { 1938 1939 newcred->cr_groups[0] = egid; 1940 } 1941 1942 /*- 1943 * Change a process's real uid. 1944 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1945 * will be updated, and the old and new cr_ruidinfo proc 1946 * counts will be updated. 1947 * References: newcred must be an exclusive credential reference for the 1948 * duration of the call. 1949 */ 1950 void 1951 change_ruid(struct ucred *newcred, struct uidinfo *ruip) 1952 { 1953 1954 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1955 newcred->cr_ruid = ruip->ui_uid; 1956 uihold(ruip); 1957 uifree(newcred->cr_ruidinfo); 1958 newcred->cr_ruidinfo = ruip; 1959 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1960 } 1961 1962 /*- 1963 * Change a process's real gid. 1964 * Side effects: newcred->cr_rgid will be updated. 1965 * References: newcred must be an exclusive credential reference for the 1966 * duration of the call. 1967 */ 1968 void 1969 change_rgid(struct ucred *newcred, gid_t rgid) 1970 { 1971 1972 newcred->cr_rgid = rgid; 1973 } 1974 1975 /*- 1976 * Change a process's saved uid. 1977 * Side effects: newcred->cr_svuid will be updated. 1978 * References: newcred must be an exclusive credential reference for the 1979 * duration of the call. 1980 */ 1981 void 1982 change_svuid(struct ucred *newcred, uid_t svuid) 1983 { 1984 1985 newcred->cr_svuid = svuid; 1986 } 1987 1988 /*- 1989 * Change a process's saved gid. 1990 * Side effects: newcred->cr_svgid will be updated. 1991 * References: newcred must be an exclusive credential reference for the 1992 * duration of the call. 1993 */ 1994 void 1995 change_svgid(struct ucred *newcred, gid_t svgid) 1996 { 1997 1998 newcred->cr_svgid = svgid; 1999 } 2000