FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by the University of
22 * California, Berkeley and its contributors.
23 * 4. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
40 * $FreeBSD: releng/5.1/sys/kern/kern_prot.c 114465 2003-05-01 21:21:42Z jhb $
41 */
42
43 /*
44 * System calls related to processes and protection
45 */
46
47 #include "opt_compat.h"
48 #include "opt_mac.h"
49
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/acct.h>
53 #include <sys/kernel.h>
54 #include <sys/lock.h>
55 #include <sys/mac.h>
56 #include <sys/malloc.h>
57 #include <sys/mutex.h>
58 #include <sys/sx.h>
59 #include <sys/proc.h>
60 #include <sys/sysproto.h>
61 #include <sys/jail.h>
62 #include <sys/pioctl.h>
63 #include <sys/resourcevar.h>
64 #include <sys/socket.h>
65 #include <sys/socketvar.h>
66 #include <sys/sysctl.h>
67
68 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
69
70 SYSCTL_DECL(_security);
71 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
72 "BSD security policy");
73
74 #ifndef _SYS_SYSPROTO_H_
75 struct getpid_args {
76 int dummy;
77 };
78 #endif
79 /*
80 * MPSAFE
81 */
82 /* ARGSUSED */
83 int
84 getpid(struct thread *td, struct getpid_args *uap)
85 {
86 struct proc *p = td->td_proc;
87
88 td->td_retval[0] = p->p_pid;
89 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
90 PROC_LOCK(p);
91 td->td_retval[1] = p->p_pptr->p_pid;
92 PROC_UNLOCK(p);
93 #endif
94 return (0);
95 }
96
97 #ifndef _SYS_SYSPROTO_H_
98 struct getppid_args {
99 int dummy;
100 };
101 #endif
102 /*
103 * MPSAFE
104 */
105 /* ARGSUSED */
106 int
107 getppid(struct thread *td, struct getppid_args *uap)
108 {
109 struct proc *p = td->td_proc;
110
111 PROC_LOCK(p);
112 td->td_retval[0] = p->p_pptr->p_pid;
113 PROC_UNLOCK(p);
114 return (0);
115 }
116
117 /*
118 * Get process group ID; note that POSIX getpgrp takes no parameter.
119 */
120 #ifndef _SYS_SYSPROTO_H_
121 struct getpgrp_args {
122 int dummy;
123 };
124 #endif
125 /*
126 * MPSAFE
127 */
128 int
129 getpgrp(struct thread *td, struct getpgrp_args *uap)
130 {
131 struct proc *p = td->td_proc;
132
133 PROC_LOCK(p);
134 td->td_retval[0] = p->p_pgrp->pg_id;
135 PROC_UNLOCK(p);
136 return (0);
137 }
138
139 /* Get an arbitary pid's process group id */
140 #ifndef _SYS_SYSPROTO_H_
141 struct getpgid_args {
142 pid_t pid;
143 };
144 #endif
145 /*
146 * MPSAFE
147 */
148 int
149 getpgid(struct thread *td, struct getpgid_args *uap)
150 {
151 struct proc *p;
152 int error;
153
154 if (uap->pid == 0) {
155 p = td->td_proc;
156 PROC_LOCK(p);
157 } else {
158 p = pfind(uap->pid);
159 if (p == NULL)
160 return (ESRCH);
161 error = p_cansee(td, p);
162 if (error) {
163 PROC_UNLOCK(p);
164 return (error);
165 }
166 }
167 td->td_retval[0] = p->p_pgrp->pg_id;
168 PROC_UNLOCK(p);
169 return (0);
170 }
171
172 /*
173 * Get an arbitary pid's session id.
174 */
175 #ifndef _SYS_SYSPROTO_H_
176 struct getsid_args {
177 pid_t pid;
178 };
179 #endif
180 /*
181 * MPSAFE
182 */
183 int
184 getsid(struct thread *td, struct getsid_args *uap)
185 {
186 struct proc *p;
187 int error;
188
189 if (uap->pid == 0) {
190 p = td->td_proc;
191 PROC_LOCK(p);
192 } else {
193 p = pfind(uap->pid);
194 if (p == NULL)
195 return (ESRCH);
196 error = p_cansee(td, p);
197 if (error) {
198 PROC_UNLOCK(p);
199 return (error);
200 }
201 }
202 td->td_retval[0] = p->p_session->s_sid;
203 PROC_UNLOCK(p);
204 return (0);
205 }
206
207 #ifndef _SYS_SYSPROTO_H_
208 struct getuid_args {
209 int dummy;
210 };
211 #endif
212 /*
213 * MPSAFE
214 */
215 /* ARGSUSED */
216 int
217 getuid(struct thread *td, struct getuid_args *uap)
218 {
219
220 td->td_retval[0] = td->td_ucred->cr_ruid;
221 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
222 td->td_retval[1] = td->td_ucred->cr_uid;
223 #endif
224 return (0);
225 }
226
227 #ifndef _SYS_SYSPROTO_H_
228 struct geteuid_args {
229 int dummy;
230 };
231 #endif
232 /*
233 * MPSAFE
234 */
235 /* ARGSUSED */
236 int
237 geteuid(struct thread *td, struct geteuid_args *uap)
238 {
239
240 td->td_retval[0] = td->td_ucred->cr_uid;
241 return (0);
242 }
243
244 #ifndef _SYS_SYSPROTO_H_
245 struct getgid_args {
246 int dummy;
247 };
248 #endif
249 /*
250 * MPSAFE
251 */
252 /* ARGSUSED */
253 int
254 getgid(struct thread *td, struct getgid_args *uap)
255 {
256
257 td->td_retval[0] = td->td_ucred->cr_rgid;
258 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
259 td->td_retval[1] = td->td_ucred->cr_groups[0];
260 #endif
261 return (0);
262 }
263
264 /*
265 * Get effective group ID. The "egid" is groups[0], and could be obtained
266 * via getgroups. This syscall exists because it is somewhat painful to do
267 * correctly in a library function.
268 */
269 #ifndef _SYS_SYSPROTO_H_
270 struct getegid_args {
271 int dummy;
272 };
273 #endif
274 /*
275 * MPSAFE
276 */
277 /* ARGSUSED */
278 int
279 getegid(struct thread *td, struct getegid_args *uap)
280 {
281
282 td->td_retval[0] = td->td_ucred->cr_groups[0];
283 return (0);
284 }
285
286 #ifndef _SYS_SYSPROTO_H_
287 struct getgroups_args {
288 u_int gidsetsize;
289 gid_t *gidset;
290 };
291 #endif
292 /*
293 * MPSAFE
294 */
295 int
296 getgroups(struct thread *td, register struct getgroups_args *uap)
297 {
298 struct ucred *cred;
299 u_int ngrp;
300 int error;
301
302 cred = td->td_ucred;
303 if ((ngrp = uap->gidsetsize) == 0) {
304 td->td_retval[0] = cred->cr_ngroups;
305 return (0);
306 }
307 if (ngrp < cred->cr_ngroups)
308 return (EINVAL);
309 ngrp = cred->cr_ngroups;
310 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
311 if (error == 0)
312 td->td_retval[0] = ngrp;
313 return (error);
314 }
315
316 #ifndef _SYS_SYSPROTO_H_
317 struct setsid_args {
318 int dummy;
319 };
320 #endif
321 /*
322 * MPSAFE
323 */
324 /* ARGSUSED */
325 int
326 setsid(register struct thread *td, struct setsid_args *uap)
327 {
328 struct pgrp *pgrp;
329 int error;
330 struct proc *p = td->td_proc;
331 struct pgrp *newpgrp;
332 struct session *newsess;
333
334 error = 0;
335 pgrp = NULL;
336
337 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
338 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
339
340 sx_xlock(&proctree_lock);
341
342 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
343 if (pgrp != NULL)
344 PGRP_UNLOCK(pgrp);
345 error = EPERM;
346 } else {
347 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
348 td->td_retval[0] = p->p_pid;
349 newpgrp = NULL;
350 newsess = NULL;
351 }
352
353 sx_xunlock(&proctree_lock);
354
355 if (newpgrp != NULL)
356 FREE(newpgrp, M_PGRP);
357 if (newsess != NULL)
358 FREE(newsess, M_SESSION);
359
360 return (error);
361 }
362
363 /*
364 * set process group (setpgid/old setpgrp)
365 *
366 * caller does setpgid(targpid, targpgid)
367 *
368 * pid must be caller or child of caller (ESRCH)
369 * if a child
370 * pid must be in same session (EPERM)
371 * pid can't have done an exec (EACCES)
372 * if pgid != pid
373 * there must exist some pid in same session having pgid (EPERM)
374 * pid must not be session leader (EPERM)
375 */
376 #ifndef _SYS_SYSPROTO_H_
377 struct setpgid_args {
378 int pid; /* target process id */
379 int pgid; /* target pgrp id */
380 };
381 #endif
382 /*
383 * MPSAFE
384 */
385 /* ARGSUSED */
386 int
387 setpgid(struct thread *td, register struct setpgid_args *uap)
388 {
389 struct proc *curp = td->td_proc;
390 register struct proc *targp; /* target process */
391 register struct pgrp *pgrp; /* target pgrp */
392 int error;
393 struct pgrp *newpgrp;
394
395 if (uap->pgid < 0)
396 return (EINVAL);
397
398 error = 0;
399
400 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
401
402 sx_xlock(&proctree_lock);
403 if (uap->pid != 0 && uap->pid != curp->p_pid) {
404 if ((targp = pfind(uap->pid)) == NULL) {
405 if (targp)
406 PROC_UNLOCK(targp);
407 error = ESRCH;
408 goto done;
409 }
410 if (!inferior(targp)) {
411 PROC_UNLOCK(targp);
412 error = ESRCH;
413 goto done;
414 }
415 if ((error = p_cansee(curthread, targp))) {
416 PROC_UNLOCK(targp);
417 goto done;
418 }
419 if (targp->p_pgrp == NULL ||
420 targp->p_session != curp->p_session) {
421 PROC_UNLOCK(targp);
422 error = EPERM;
423 goto done;
424 }
425 if (targp->p_flag & P_EXEC) {
426 PROC_UNLOCK(targp);
427 error = EACCES;
428 goto done;
429 }
430 PROC_UNLOCK(targp);
431 } else
432 targp = curp;
433 if (SESS_LEADER(targp)) {
434 error = EPERM;
435 goto done;
436 }
437 if (uap->pgid == 0)
438 uap->pgid = targp->p_pid;
439 if (uap->pgid == targp->p_pid) {
440 if (targp->p_pgid == uap->pgid)
441 goto done;
442 error = enterpgrp(targp, uap->pgid, newpgrp, NULL);
443 if (error == 0)
444 newpgrp = NULL;
445 } else {
446 if ((pgrp = pgfind(uap->pgid)) == NULL ||
447 pgrp->pg_session != curp->p_session) {
448 if (pgrp != NULL)
449 PGRP_UNLOCK(pgrp);
450 error = EPERM;
451 goto done;
452 }
453 if (pgrp == targp->p_pgrp) {
454 PGRP_UNLOCK(pgrp);
455 goto done;
456 }
457 PGRP_UNLOCK(pgrp);
458 error = enterthispgrp(targp, pgrp);
459 }
460 done:
461 sx_xunlock(&proctree_lock);
462 KASSERT((error == 0) || (newpgrp != NULL),
463 ("setpgid failed and newpgrp is NULL"));
464 if (newpgrp != NULL)
465 FREE(newpgrp, M_PGRP);
466 return (error);
467 }
468
469 /*
470 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
471 * compatible. It says that setting the uid/gid to euid/egid is a special
472 * case of "appropriate privilege". Once the rules are expanded out, this
473 * basically means that setuid(nnn) sets all three id's, in all permitted
474 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
475 * does not set the saved id - this is dangerous for traditional BSD
476 * programs. For this reason, we *really* do not want to set
477 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
478 */
479 #define POSIX_APPENDIX_B_4_2_2
480
481 #ifndef _SYS_SYSPROTO_H_
482 struct setuid_args {
483 uid_t uid;
484 };
485 #endif
486 /*
487 * MPSAFE
488 */
489 /* ARGSUSED */
490 int
491 setuid(struct thread *td, struct setuid_args *uap)
492 {
493 struct proc *p = td->td_proc;
494 struct ucred *newcred, *oldcred;
495 uid_t uid;
496 struct uidinfo *uip;
497 int error;
498
499 uid = uap->uid;
500 newcred = crget();
501 uip = uifind(uid);
502 PROC_LOCK(p);
503 oldcred = p->p_ucred;
504
505 /*
506 * See if we have "permission" by POSIX 1003.1 rules.
507 *
508 * Note that setuid(geteuid()) is a special case of
509 * "appropriate privileges" in appendix B.4.2.2. We need
510 * to use this clause to be compatible with traditional BSD
511 * semantics. Basically, it means that "setuid(xx)" sets all
512 * three id's (assuming you have privs).
513 *
514 * Notes on the logic. We do things in three steps.
515 * 1: We determine if the euid is going to change, and do EPERM
516 * right away. We unconditionally change the euid later if this
517 * test is satisfied, simplifying that part of the logic.
518 * 2: We determine if the real and/or saved uids are going to
519 * change. Determined by compile options.
520 * 3: Change euid last. (after tests in #2 for "appropriate privs")
521 */
522 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
523 #ifdef _POSIX_SAVED_IDS
524 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
525 #endif
526 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
527 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
528 #endif
529 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
530 PROC_UNLOCK(p);
531 uifree(uip);
532 crfree(newcred);
533 return (error);
534 }
535
536 /*
537 * Copy credentials so other references do not see our changes.
538 */
539 crcopy(newcred, oldcred);
540 #ifdef _POSIX_SAVED_IDS
541 /*
542 * Do we have "appropriate privileges" (are we root or uid == euid)
543 * If so, we are changing the real uid and/or saved uid.
544 */
545 if (
546 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
547 uid == oldcred->cr_uid ||
548 #endif
549 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
550 #endif
551 {
552 /*
553 * Set the real uid and transfer proc count to new user.
554 */
555 if (uid != oldcred->cr_ruid) {
556 change_ruid(newcred, uip);
557 setsugid(p);
558 }
559 /*
560 * Set saved uid
561 *
562 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
563 * the security of seteuid() depends on it. B.4.2.2 says it
564 * is important that we should do this.
565 */
566 if (uid != oldcred->cr_svuid) {
567 change_svuid(newcred, uid);
568 setsugid(p);
569 }
570 }
571
572 /*
573 * In all permitted cases, we are changing the euid.
574 */
575 if (uid != oldcred->cr_uid) {
576 change_euid(newcred, uip);
577 setsugid(p);
578 }
579 p->p_ucred = newcred;
580 PROC_UNLOCK(p);
581 uifree(uip);
582 crfree(oldcred);
583 return (0);
584 }
585
586 #ifndef _SYS_SYSPROTO_H_
587 struct seteuid_args {
588 uid_t euid;
589 };
590 #endif
591 /*
592 * MPSAFE
593 */
594 /* ARGSUSED */
595 int
596 seteuid(struct thread *td, struct seteuid_args *uap)
597 {
598 struct proc *p = td->td_proc;
599 struct ucred *newcred, *oldcred;
600 uid_t euid;
601 struct uidinfo *euip;
602 int error;
603
604 euid = uap->euid;
605 newcred = crget();
606 euip = uifind(euid);
607 PROC_LOCK(p);
608 oldcred = p->p_ucred;
609 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
610 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
611 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
612 PROC_UNLOCK(p);
613 uifree(euip);
614 crfree(newcred);
615 return (error);
616 }
617 /*
618 * Everything's okay, do it. Copy credentials so other references do
619 * not see our changes.
620 */
621 crcopy(newcred, oldcred);
622 if (oldcred->cr_uid != euid) {
623 change_euid(newcred, euip);
624 setsugid(p);
625 }
626 p->p_ucred = newcred;
627 PROC_UNLOCK(p);
628 uifree(euip);
629 crfree(oldcred);
630 return (0);
631 }
632
633 #ifndef _SYS_SYSPROTO_H_
634 struct setgid_args {
635 gid_t gid;
636 };
637 #endif
638 /*
639 * MPSAFE
640 */
641 /* ARGSUSED */
642 int
643 setgid(struct thread *td, struct setgid_args *uap)
644 {
645 struct proc *p = td->td_proc;
646 struct ucred *newcred, *oldcred;
647 gid_t gid;
648 int error;
649
650 gid = uap->gid;
651 newcred = crget();
652 PROC_LOCK(p);
653 oldcred = p->p_ucred;
654
655 /*
656 * See if we have "permission" by POSIX 1003.1 rules.
657 *
658 * Note that setgid(getegid()) is a special case of
659 * "appropriate privileges" in appendix B.4.2.2. We need
660 * to use this clause to be compatible with traditional BSD
661 * semantics. Basically, it means that "setgid(xx)" sets all
662 * three id's (assuming you have privs).
663 *
664 * For notes on the logic here, see setuid() above.
665 */
666 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
667 #ifdef _POSIX_SAVED_IDS
668 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
669 #endif
670 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
671 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
672 #endif
673 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
674 PROC_UNLOCK(p);
675 crfree(newcred);
676 return (error);
677 }
678
679 crcopy(newcred, oldcred);
680 #ifdef _POSIX_SAVED_IDS
681 /*
682 * Do we have "appropriate privileges" (are we root or gid == egid)
683 * If so, we are changing the real uid and saved gid.
684 */
685 if (
686 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
687 gid == oldcred->cr_groups[0] ||
688 #endif
689 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
690 #endif
691 {
692 /*
693 * Set real gid
694 */
695 if (oldcred->cr_rgid != gid) {
696 change_rgid(newcred, gid);
697 setsugid(p);
698 }
699 /*
700 * Set saved gid
701 *
702 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
703 * the security of setegid() depends on it. B.4.2.2 says it
704 * is important that we should do this.
705 */
706 if (oldcred->cr_svgid != gid) {
707 change_svgid(newcred, gid);
708 setsugid(p);
709 }
710 }
711 /*
712 * In all cases permitted cases, we are changing the egid.
713 * Copy credentials so other references do not see our changes.
714 */
715 if (oldcred->cr_groups[0] != gid) {
716 change_egid(newcred, gid);
717 setsugid(p);
718 }
719 p->p_ucred = newcred;
720 PROC_UNLOCK(p);
721 crfree(oldcred);
722 return (0);
723 }
724
725 #ifndef _SYS_SYSPROTO_H_
726 struct setegid_args {
727 gid_t egid;
728 };
729 #endif
730 /*
731 * MPSAFE
732 */
733 /* ARGSUSED */
734 int
735 setegid(struct thread *td, struct setegid_args *uap)
736 {
737 struct proc *p = td->td_proc;
738 struct ucred *newcred, *oldcred;
739 gid_t egid;
740 int error;
741
742 egid = uap->egid;
743 newcred = crget();
744 PROC_LOCK(p);
745 oldcred = p->p_ucred;
746 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
747 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
748 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
749 PROC_UNLOCK(p);
750 crfree(newcred);
751 return (error);
752 }
753 crcopy(newcred, oldcred);
754 if (oldcred->cr_groups[0] != egid) {
755 change_egid(newcred, egid);
756 setsugid(p);
757 }
758 p->p_ucred = newcred;
759 PROC_UNLOCK(p);
760 crfree(oldcred);
761 return (0);
762 }
763
764 #ifndef _SYS_SYSPROTO_H_
765 struct setgroups_args {
766 u_int gidsetsize;
767 gid_t *gidset;
768 };
769 #endif
770 /*
771 * MPSAFE
772 */
773 /* ARGSUSED */
774 int
775 setgroups(struct thread *td, struct setgroups_args *uap)
776 {
777 struct proc *p = td->td_proc;
778 struct ucred *newcred, *tempcred, *oldcred;
779 u_int ngrp;
780 int error;
781
782 ngrp = uap->gidsetsize;
783 if (ngrp > NGROUPS)
784 return (EINVAL);
785 tempcred = crget();
786 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
787 if (error != 0) {
788 crfree(tempcred);
789 return (error);
790 }
791 newcred = crget();
792 PROC_LOCK(p);
793 oldcred = p->p_ucred;
794 error = suser_cred(oldcred, PRISON_ROOT);
795 if (error) {
796 PROC_UNLOCK(p);
797 crfree(newcred);
798 crfree(tempcred);
799 return (error);
800 }
801
802 /*
803 * XXX A little bit lazy here. We could test if anything has
804 * changed before crcopy() and setting P_SUGID.
805 */
806 crcopy(newcred, oldcred);
807 if (ngrp < 1) {
808 /*
809 * setgroups(0, NULL) is a legitimate way of clearing the
810 * groups vector on non-BSD systems (which generally do not
811 * have the egid in the groups[0]). We risk security holes
812 * when running non-BSD software if we do not do the same.
813 */
814 newcred->cr_ngroups = 1;
815 } else {
816 bcopy(tempcred->cr_groups, newcred->cr_groups,
817 ngrp * sizeof(gid_t));
818 newcred->cr_ngroups = ngrp;
819 }
820 setsugid(p);
821 p->p_ucred = newcred;
822 PROC_UNLOCK(p);
823 crfree(tempcred);
824 crfree(oldcred);
825 return (0);
826 }
827
828 #ifndef _SYS_SYSPROTO_H_
829 struct setreuid_args {
830 uid_t ruid;
831 uid_t euid;
832 };
833 #endif
834 /*
835 * MPSAFE
836 */
837 /* ARGSUSED */
838 int
839 setreuid(register struct thread *td, struct setreuid_args *uap)
840 {
841 struct proc *p = td->td_proc;
842 struct ucred *newcred, *oldcred;
843 uid_t euid, ruid;
844 struct uidinfo *euip, *ruip;
845 int error;
846
847 euid = uap->euid;
848 ruid = uap->ruid;
849 newcred = crget();
850 euip = uifind(euid);
851 ruip = uifind(ruid);
852 PROC_LOCK(p);
853 oldcred = p->p_ucred;
854 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
855 ruid != oldcred->cr_svuid) ||
856 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
857 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
858 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
859 PROC_UNLOCK(p);
860 uifree(ruip);
861 uifree(euip);
862 crfree(newcred);
863 return (error);
864 }
865 crcopy(newcred, oldcred);
866 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
867 change_euid(newcred, euip);
868 setsugid(p);
869 }
870 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
871 change_ruid(newcred, ruip);
872 setsugid(p);
873 }
874 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
875 newcred->cr_svuid != newcred->cr_uid) {
876 change_svuid(newcred, newcred->cr_uid);
877 setsugid(p);
878 }
879 p->p_ucred = newcred;
880 PROC_UNLOCK(p);
881 uifree(ruip);
882 uifree(euip);
883 crfree(oldcred);
884 return (0);
885 }
886
887 #ifndef _SYS_SYSPROTO_H_
888 struct setregid_args {
889 gid_t rgid;
890 gid_t egid;
891 };
892 #endif
893 /*
894 * MPSAFE
895 */
896 /* ARGSUSED */
897 int
898 setregid(register struct thread *td, struct setregid_args *uap)
899 {
900 struct proc *p = td->td_proc;
901 struct ucred *newcred, *oldcred;
902 gid_t egid, rgid;
903 int error;
904
905 egid = uap->egid;
906 rgid = uap->rgid;
907 newcred = crget();
908 PROC_LOCK(p);
909 oldcred = p->p_ucred;
910 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
911 rgid != oldcred->cr_svgid) ||
912 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
913 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
914 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
915 PROC_UNLOCK(p);
916 crfree(newcred);
917 return (error);
918 }
919
920 crcopy(newcred, oldcred);
921 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
922 change_egid(newcred, egid);
923 setsugid(p);
924 }
925 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
926 change_rgid(newcred, rgid);
927 setsugid(p);
928 }
929 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
930 newcred->cr_svgid != newcred->cr_groups[0]) {
931 change_svgid(newcred, newcred->cr_groups[0]);
932 setsugid(p);
933 }
934 p->p_ucred = newcred;
935 PROC_UNLOCK(p);
936 crfree(oldcred);
937 return (0);
938 }
939
940 /*
941 * setresuid(ruid, euid, suid) is like setreuid except control over the
942 * saved uid is explicit.
943 */
944
945 #ifndef _SYS_SYSPROTO_H_
946 struct setresuid_args {
947 uid_t ruid;
948 uid_t euid;
949 uid_t suid;
950 };
951 #endif
952 /*
953 * MPSAFE
954 */
955 /* ARGSUSED */
956 int
957 setresuid(register struct thread *td, struct setresuid_args *uap)
958 {
959 struct proc *p = td->td_proc;
960 struct ucred *newcred, *oldcred;
961 uid_t euid, ruid, suid;
962 struct uidinfo *euip, *ruip;
963 int error;
964
965 euid = uap->euid;
966 ruid = uap->ruid;
967 suid = uap->suid;
968 newcred = crget();
969 euip = uifind(euid);
970 ruip = uifind(ruid);
971 PROC_LOCK(p);
972 oldcred = p->p_ucred;
973 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
974 ruid != oldcred->cr_svuid &&
975 ruid != oldcred->cr_uid) ||
976 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
977 euid != oldcred->cr_svuid &&
978 euid != oldcred->cr_uid) ||
979 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
980 suid != oldcred->cr_svuid &&
981 suid != oldcred->cr_uid)) &&
982 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
983 PROC_UNLOCK(p);
984 uifree(ruip);
985 uifree(euip);
986 crfree(newcred);
987 return (error);
988 }
989
990 crcopy(newcred, oldcred);
991 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
992 change_euid(newcred, euip);
993 setsugid(p);
994 }
995 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
996 change_ruid(newcred, ruip);
997 setsugid(p);
998 }
999 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1000 change_svuid(newcred, suid);
1001 setsugid(p);
1002 }
1003 p->p_ucred = newcred;
1004 PROC_UNLOCK(p);
1005 uifree(ruip);
1006 uifree(euip);
1007 crfree(oldcred);
1008 return (0);
1009 }
1010
1011 /*
1012 * setresgid(rgid, egid, sgid) is like setregid except control over the
1013 * saved gid is explicit.
1014 */
1015
1016 #ifndef _SYS_SYSPROTO_H_
1017 struct setresgid_args {
1018 gid_t rgid;
1019 gid_t egid;
1020 gid_t sgid;
1021 };
1022 #endif
1023 /*
1024 * MPSAFE
1025 */
1026 /* ARGSUSED */
1027 int
1028 setresgid(register struct thread *td, struct setresgid_args *uap)
1029 {
1030 struct proc *p = td->td_proc;
1031 struct ucred *newcred, *oldcred;
1032 gid_t egid, rgid, sgid;
1033 int error;
1034
1035 egid = uap->egid;
1036 rgid = uap->rgid;
1037 sgid = uap->sgid;
1038 newcred = crget();
1039 PROC_LOCK(p);
1040 oldcred = p->p_ucred;
1041 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1042 rgid != oldcred->cr_svgid &&
1043 rgid != oldcred->cr_groups[0]) ||
1044 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1045 egid != oldcred->cr_svgid &&
1046 egid != oldcred->cr_groups[0]) ||
1047 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1048 sgid != oldcred->cr_svgid &&
1049 sgid != oldcred->cr_groups[0])) &&
1050 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
1051 PROC_UNLOCK(p);
1052 crfree(newcred);
1053 return (error);
1054 }
1055
1056 crcopy(newcred, oldcred);
1057 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1058 change_egid(newcred, egid);
1059 setsugid(p);
1060 }
1061 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1062 change_rgid(newcred, rgid);
1063 setsugid(p);
1064 }
1065 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1066 change_svgid(newcred, sgid);
1067 setsugid(p);
1068 }
1069 p->p_ucred = newcred;
1070 PROC_UNLOCK(p);
1071 crfree(oldcred);
1072 return (0);
1073 }
1074
1075 #ifndef _SYS_SYSPROTO_H_
1076 struct getresuid_args {
1077 uid_t *ruid;
1078 uid_t *euid;
1079 uid_t *suid;
1080 };
1081 #endif
1082 /*
1083 * MPSAFE
1084 */
1085 /* ARGSUSED */
1086 int
1087 getresuid(register struct thread *td, struct getresuid_args *uap)
1088 {
1089 struct ucred *cred;
1090 int error1 = 0, error2 = 0, error3 = 0;
1091
1092 cred = td->td_ucred;
1093 if (uap->ruid)
1094 error1 = copyout(&cred->cr_ruid,
1095 uap->ruid, sizeof(cred->cr_ruid));
1096 if (uap->euid)
1097 error2 = copyout(&cred->cr_uid,
1098 uap->euid, sizeof(cred->cr_uid));
1099 if (uap->suid)
1100 error3 = copyout(&cred->cr_svuid,
1101 uap->suid, sizeof(cred->cr_svuid));
1102 return (error1 ? error1 : error2 ? error2 : error3);
1103 }
1104
1105 #ifndef _SYS_SYSPROTO_H_
1106 struct getresgid_args {
1107 gid_t *rgid;
1108 gid_t *egid;
1109 gid_t *sgid;
1110 };
1111 #endif
1112 /*
1113 * MPSAFE
1114 */
1115 /* ARGSUSED */
1116 int
1117 getresgid(register struct thread *td, struct getresgid_args *uap)
1118 {
1119 struct ucred *cred;
1120 int error1 = 0, error2 = 0, error3 = 0;
1121
1122 cred = td->td_ucred;
1123 if (uap->rgid)
1124 error1 = copyout(&cred->cr_rgid,
1125 uap->rgid, sizeof(cred->cr_rgid));
1126 if (uap->egid)
1127 error2 = copyout(&cred->cr_groups[0],
1128 uap->egid, sizeof(cred->cr_groups[0]));
1129 if (uap->sgid)
1130 error3 = copyout(&cred->cr_svgid,
1131 uap->sgid, sizeof(cred->cr_svgid));
1132 return (error1 ? error1 : error2 ? error2 : error3);
1133 }
1134
1135 #ifndef _SYS_SYSPROTO_H_
1136 struct issetugid_args {
1137 int dummy;
1138 };
1139 #endif
1140 /*
1141 * NOT MPSAFE?
1142 */
1143 /* ARGSUSED */
1144 int
1145 issetugid(register struct thread *td, struct issetugid_args *uap)
1146 {
1147 struct proc *p = td->td_proc;
1148
1149 /*
1150 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1151 * we use P_SUGID because we consider changing the owners as
1152 * "tainting" as well.
1153 * This is significant for procs that start as root and "become"
1154 * a user without an exec - programs cannot know *everything*
1155 * that libc *might* have put in their data segment.
1156 */
1157 PROC_LOCK(p);
1158 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1159 PROC_UNLOCK(p);
1160 return (0);
1161 }
1162
1163 /*
1164 * MPSAFE
1165 */
1166 int
1167 __setugid(struct thread *td, struct __setugid_args *uap)
1168 {
1169 #ifdef REGRESSION
1170 struct proc *p;
1171
1172 p = td->td_proc;
1173 switch (uap->flag) {
1174 case 0:
1175 mtx_lock(&Giant);
1176 PROC_LOCK(p);
1177 p->p_flag &= ~P_SUGID;
1178 PROC_UNLOCK(p);
1179 mtx_unlock(&Giant);
1180 return (0);
1181 case 1:
1182 mtx_lock(&Giant);
1183 PROC_LOCK(p);
1184 p->p_flag |= P_SUGID;
1185 PROC_UNLOCK(p);
1186 mtx_unlock(&Giant);
1187 return (0);
1188 default:
1189 return (EINVAL);
1190 }
1191 #else /* !REGRESSION */
1192
1193 return (ENOSYS);
1194 #endif /* REGRESSION */
1195 }
1196
1197 /*
1198 * Check if gid is a member of the group set.
1199 *
1200 * MPSAFE (cred must be held)
1201 */
1202 int
1203 groupmember(gid_t gid, struct ucred *cred)
1204 {
1205 register gid_t *gp;
1206 gid_t *egp;
1207
1208 egp = &(cred->cr_groups[cred->cr_ngroups]);
1209 for (gp = cred->cr_groups; gp < egp; gp++)
1210 if (*gp == gid)
1211 return (1);
1212 return (0);
1213 }
1214
1215 /*
1216 * `suser_enabled' (which can be set by the security.suser_enabled
1217 * sysctl) determines whether the system 'super-user' policy is in effect.
1218 * If it is nonzero, an effective uid of 0 connotes special privilege,
1219 * overriding many mandatory and discretionary protections. If it is zero,
1220 * uid 0 is offered no special privilege in the kernel security policy.
1221 * Setting it to zero may seriously impact the functionality of many
1222 * existing userland programs, and should not be done without careful
1223 * consideration of the consequences.
1224 */
1225 int suser_enabled = 1;
1226 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1227 &suser_enabled, 0, "processes with uid 0 have privilege");
1228 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1229
1230 /*
1231 * Test whether the specified credentials imply "super-user" privilege.
1232 * Return 0 or EPERM. The flag argument is currently used only to
1233 * specify jail interaction.
1234 */
1235 int
1236 suser_cred(struct ucred *cred, int flag)
1237 {
1238
1239 if (!suser_enabled)
1240 return (EPERM);
1241 if (cred->cr_uid != 0)
1242 return (EPERM);
1243 if (jailed(cred) && !(flag & PRISON_ROOT))
1244 return (EPERM);
1245 return (0);
1246 }
1247
1248 /*
1249 * Shortcut to hide contents of struct td and struct proc from the
1250 * caller, promoting binary compatibility.
1251 */
1252 int
1253 suser(struct thread *td)
1254 {
1255
1256 return (suser_cred(td->td_ucred, 0));
1257 }
1258
1259 /*
1260 * Test the active securelevel against a given level. securelevel_gt()
1261 * implements (securelevel > level). securelevel_ge() implements
1262 * (securelevel >= level). Note that the logic is inverted -- these
1263 * functions return EPERM on "success" and 0 on "failure".
1264 *
1265 * MPSAFE
1266 */
1267 int
1268 securelevel_gt(struct ucred *cr, int level)
1269 {
1270 int active_securelevel;
1271
1272 active_securelevel = securelevel;
1273 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1274 if (cr->cr_prison != NULL) {
1275 mtx_lock(&cr->cr_prison->pr_mtx);
1276 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1277 active_securelevel);
1278 mtx_unlock(&cr->cr_prison->pr_mtx);
1279 }
1280 return (active_securelevel > level ? EPERM : 0);
1281 }
1282
1283 int
1284 securelevel_ge(struct ucred *cr, int level)
1285 {
1286 int active_securelevel;
1287
1288 active_securelevel = securelevel;
1289 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1290 if (cr->cr_prison != NULL) {
1291 mtx_lock(&cr->cr_prison->pr_mtx);
1292 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1293 active_securelevel);
1294 mtx_unlock(&cr->cr_prison->pr_mtx);
1295 }
1296 return (active_securelevel >= level ? EPERM : 0);
1297 }
1298
1299 /*
1300 * 'see_other_uids' determines whether or not visibility of processes
1301 * and sockets with credentials holding different real uids is possible
1302 * using a variety of system MIBs.
1303 * XXX: data declarations should be together near the beginning of the file.
1304 */
1305 static int see_other_uids = 1;
1306 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1307 &see_other_uids, 0,
1308 "Unprivileged processes may see subjects/objects with different real uid");
1309
1310 /*-
1311 * Determine if u1 "can see" the subject specified by u2, according to the
1312 * 'see_other_uids' policy.
1313 * Returns: 0 for permitted, ESRCH otherwise
1314 * Locks: none
1315 * References: *u1 and *u2 must not change during the call
1316 * u1 may equal u2, in which case only one reference is required
1317 */
1318 static int
1319 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1320 {
1321
1322 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1323 if (suser_cred(u1, PRISON_ROOT) != 0)
1324 return (ESRCH);
1325 }
1326 return (0);
1327 }
1328
1329 /*-
1330 * Determine if u1 "can see" the subject specified by u2.
1331 * Returns: 0 for permitted, an errno value otherwise
1332 * Locks: none
1333 * References: *u1 and *u2 must not change during the call
1334 * u1 may equal u2, in which case only one reference is required
1335 */
1336 int
1337 cr_cansee(struct ucred *u1, struct ucred *u2)
1338 {
1339 int error;
1340
1341 if ((error = prison_check(u1, u2)))
1342 return (error);
1343 #ifdef MAC
1344 if ((error = mac_check_cred_visible(u1, u2)))
1345 return (error);
1346 #endif
1347 if ((error = cr_seeotheruids(u1, u2)))
1348 return (error);
1349 return (0);
1350 }
1351
1352 /*-
1353 * Determine if td "can see" the subject specified by p.
1354 * Returns: 0 for permitted, an errno value otherwise
1355 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1356 * should be curthread.
1357 * References: td and p must be valid for the lifetime of the call
1358 */
1359 int
1360 p_cansee(struct thread *td, struct proc *p)
1361 {
1362
1363 /* Wrap cr_cansee() for all functionality. */
1364 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1365 PROC_LOCK_ASSERT(p, MA_OWNED);
1366 return (cr_cansee(td->td_ucred, p->p_ucred));
1367 }
1368
1369 /*-
1370 * Determine whether cred may deliver the specified signal to proc.
1371 * Returns: 0 for permitted, an errno value otherwise.
1372 * Locks: A lock must be held for proc.
1373 * References: cred and proc must be valid for the lifetime of the call.
1374 */
1375 int
1376 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1377 {
1378 int error;
1379
1380 PROC_LOCK_ASSERT(proc, MA_OWNED);
1381 /*
1382 * Jail semantics limit the scope of signalling to proc in the
1383 * same jail as cred, if cred is in jail.
1384 */
1385 error = prison_check(cred, proc->p_ucred);
1386 if (error)
1387 return (error);
1388 #ifdef MAC
1389 if ((error = mac_check_proc_signal(cred, proc, signum)))
1390 return (error);
1391 #endif
1392 error = cr_seeotheruids(cred, proc->p_ucred);
1393 if (error)
1394 return (error);
1395
1396 /*
1397 * UNIX signal semantics depend on the status of the P_SUGID
1398 * bit on the target process. If the bit is set, then additional
1399 * restrictions are placed on the set of available signals.
1400 */
1401 if (proc->p_flag & P_SUGID) {
1402 switch (signum) {
1403 case 0:
1404 case SIGKILL:
1405 case SIGINT:
1406 case SIGTERM:
1407 case SIGSTOP:
1408 case SIGTTIN:
1409 case SIGTTOU:
1410 case SIGTSTP:
1411 case SIGHUP:
1412 case SIGUSR1:
1413 case SIGUSR2:
1414 /*
1415 * Generally, permit job and terminal control
1416 * signals.
1417 */
1418 break;
1419 default:
1420 /* Not permitted without privilege. */
1421 error = suser_cred(cred, PRISON_ROOT);
1422 if (error)
1423 return (error);
1424 }
1425 }
1426
1427 /*
1428 * Generally, the target credential's ruid or svuid must match the
1429 * subject credential's ruid or euid.
1430 */
1431 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1432 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1433 cred->cr_uid != proc->p_ucred->cr_ruid &&
1434 cred->cr_uid != proc->p_ucred->cr_svuid) {
1435 /* Not permitted without privilege. */
1436 error = suser_cred(cred, PRISON_ROOT);
1437 if (error)
1438 return (error);
1439 }
1440
1441 return (0);
1442 }
1443
1444
1445 /*-
1446 * Determine whether td may deliver the specified signal to p.
1447 * Returns: 0 for permitted, an errno value otherwise
1448 * Locks: Sufficient locks to protect various components of td and p
1449 * must be held. td must be curthread, and a lock must be
1450 * held for p.
1451 * References: td and p must be valid for the lifetime of the call
1452 */
1453 int
1454 p_cansignal(struct thread *td, struct proc *p, int signum)
1455 {
1456
1457 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1458 PROC_LOCK_ASSERT(p, MA_OWNED);
1459 if (td->td_proc == p)
1460 return (0);
1461
1462 /*
1463 * UNIX signalling semantics require that processes in the same
1464 * session always be able to deliver SIGCONT to one another,
1465 * overriding the remaining protections.
1466 */
1467 /* XXX: This will require an additional lock of some sort. */
1468 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1469 return (0);
1470
1471 return (cr_cansignal(td->td_ucred, p, signum));
1472 }
1473
1474 /*-
1475 * Determine whether td may reschedule p.
1476 * Returns: 0 for permitted, an errno value otherwise
1477 * Locks: Sufficient locks to protect various components of td and p
1478 * must be held. td must be curthread, and a lock must
1479 * be held for p.
1480 * References: td and p must be valid for the lifetime of the call
1481 */
1482 int
1483 p_cansched(struct thread *td, struct proc *p)
1484 {
1485 int error;
1486
1487 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1488 PROC_LOCK_ASSERT(p, MA_OWNED);
1489 if (td->td_proc == p)
1490 return (0);
1491 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1492 return (error);
1493 #ifdef MAC
1494 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1495 return (error);
1496 #endif
1497 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1498 return (error);
1499 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1500 return (0);
1501 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1502 return (0);
1503 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0)
1504 return (0);
1505
1506 #ifdef CAPABILITIES
1507 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT))
1508 return (0);
1509 #endif
1510
1511 return (EPERM);
1512 }
1513
1514 /*
1515 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1516 * unprivileged inter-process debugging services, including some procfs
1517 * functionality, ptrace(), and ktrace(). In the past, inter-process
1518 * debugging has been involved in a variety of security problems, and sites
1519 * not requiring the service might choose to disable it when hardening
1520 * systems.
1521 *
1522 * XXX: Should modifying and reading this variable require locking?
1523 * XXX: data declarations should be together near the beginning of the file.
1524 */
1525 static int unprivileged_proc_debug = 1;
1526 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1527 &unprivileged_proc_debug, 0,
1528 "Unprivileged processes may use process debugging facilities");
1529
1530 /*-
1531 * Determine whether td may debug p.
1532 * Returns: 0 for permitted, an errno value otherwise
1533 * Locks: Sufficient locks to protect various components of td and p
1534 * must be held. td must be curthread, and a lock must
1535 * be held for p.
1536 * References: td and p must be valid for the lifetime of the call
1537 */
1538 int
1539 p_candebug(struct thread *td, struct proc *p)
1540 {
1541 int credentialchanged, error, grpsubset, i, uidsubset;
1542
1543 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1544 PROC_LOCK_ASSERT(p, MA_OWNED);
1545 if (!unprivileged_proc_debug) {
1546 error = suser_cred(td->td_ucred, PRISON_ROOT);
1547 if (error)
1548 return (error);
1549 }
1550 if (td->td_proc == p)
1551 return (0);
1552 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1553 return (error);
1554 #ifdef MAC
1555 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1556 return (error);
1557 #endif
1558 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1559 return (error);
1560
1561 /*
1562 * Is p's group set a subset of td's effective group set? This
1563 * includes p's egid, group access list, rgid, and svgid.
1564 */
1565 grpsubset = 1;
1566 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1567 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1568 grpsubset = 0;
1569 break;
1570 }
1571 }
1572 grpsubset = grpsubset &&
1573 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1574 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1575
1576 /*
1577 * Are the uids present in p's credential equal to td's
1578 * effective uid? This includes p's euid, svuid, and ruid.
1579 */
1580 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1581 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1582 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1583
1584 /*
1585 * Has the credential of the process changed since the last exec()?
1586 */
1587 credentialchanged = (p->p_flag & P_SUGID);
1588
1589 /*
1590 * If p's gids aren't a subset, or the uids aren't a subset,
1591 * or the credential has changed, require appropriate privilege
1592 * for td to debug p. For POSIX.1e capabilities, this will
1593 * require CAP_SYS_PTRACE.
1594 */
1595 if (!grpsubset || !uidsubset || credentialchanged) {
1596 error = suser_cred(td->td_ucred, PRISON_ROOT);
1597 if (error)
1598 return (error);
1599 }
1600
1601 /* Can't trace init when securelevel > 0. */
1602 if (p == initproc) {
1603 error = securelevel_gt(td->td_ucred, 0);
1604 if (error)
1605 return (error);
1606 }
1607
1608 /*
1609 * Can't trace a process that's currently exec'ing.
1610 * XXX: Note, this is not a security policy decision, it's a
1611 * basic correctness/functionality decision. Therefore, this check
1612 * should be moved to the caller's of p_candebug().
1613 */
1614 if ((p->p_flag & P_INEXEC) != 0)
1615 return (EAGAIN);
1616
1617 return (0);
1618 }
1619
1620 /*-
1621 * Determine whether the subject represented by cred can "see" a socket.
1622 * Returns: 0 for permitted, ENOENT otherwise.
1623 */
1624 int
1625 cr_canseesocket(struct ucred *cred, struct socket *so)
1626 {
1627 int error;
1628
1629 error = prison_check(cred, so->so_cred);
1630 if (error)
1631 return (ENOENT);
1632 #ifdef MAC
1633 error = mac_check_socket_visible(cred, so);
1634 if (error)
1635 return (error);
1636 #endif
1637 if (cr_seeotheruids(cred, so->so_cred))
1638 return (ENOENT);
1639
1640 return (0);
1641 }
1642
1643 /*
1644 * Allocate a zeroed cred structure.
1645 */
1646 struct ucred *
1647 crget(void)
1648 {
1649 register struct ucred *cr;
1650
1651 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1652 cr->cr_ref = 1;
1653 cr->cr_mtxp = mtx_pool_find(cr);
1654 #ifdef MAC
1655 mac_init_cred(cr);
1656 #endif
1657 return (cr);
1658 }
1659
1660 /*
1661 * Claim another reference to a ucred structure.
1662 */
1663 struct ucred *
1664 crhold(struct ucred *cr)
1665 {
1666
1667 mtx_lock(cr->cr_mtxp);
1668 cr->cr_ref++;
1669 mtx_unlock(cr->cr_mtxp);
1670 return (cr);
1671 }
1672
1673 /*
1674 * Free a cred structure.
1675 * Throws away space when ref count gets to 0.
1676 */
1677 void
1678 crfree(struct ucred *cr)
1679 {
1680 struct mtx *mtxp = cr->cr_mtxp;
1681
1682 mtx_lock(mtxp);
1683 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1684 if (--cr->cr_ref == 0) {
1685 /*
1686 * Some callers of crget(), such as nfs_statfs(),
1687 * allocate a temporary credential, but don't
1688 * allocate a uidinfo structure.
1689 */
1690 mtx_unlock(mtxp);
1691 mtx_lock(&Giant);
1692 if (cr->cr_uidinfo != NULL)
1693 uifree(cr->cr_uidinfo);
1694 if (cr->cr_ruidinfo != NULL)
1695 uifree(cr->cr_ruidinfo);
1696 /*
1697 * Free a prison, if any.
1698 */
1699 if (jailed(cr))
1700 prison_free(cr->cr_prison);
1701 #ifdef MAC
1702 mac_destroy_cred(cr);
1703 #endif
1704 FREE(cr, M_CRED);
1705 mtx_unlock(&Giant);
1706 } else {
1707 mtx_unlock(mtxp);
1708 }
1709 }
1710
1711 /*
1712 * Check to see if this ucred is shared.
1713 */
1714 int
1715 crshared(struct ucred *cr)
1716 {
1717 int shared;
1718
1719 mtx_lock(cr->cr_mtxp);
1720 shared = (cr->cr_ref > 1);
1721 mtx_unlock(cr->cr_mtxp);
1722 return (shared);
1723 }
1724
1725 /*
1726 * Copy a ucred's contents from a template. Does not block.
1727 */
1728 void
1729 crcopy(struct ucred *dest, struct ucred *src)
1730 {
1731
1732 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1733 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1734 (unsigned)((caddr_t)&src->cr_endcopy -
1735 (caddr_t)&src->cr_startcopy));
1736 uihold(dest->cr_uidinfo);
1737 uihold(dest->cr_ruidinfo);
1738 if (jailed(dest))
1739 prison_hold(dest->cr_prison);
1740 #ifdef MAC
1741 mac_create_cred(src, dest);
1742 #endif
1743 }
1744
1745 /*
1746 * Dup cred struct to a new held one.
1747 */
1748 struct ucred *
1749 crdup(struct ucred *cr)
1750 {
1751 struct ucred *newcr;
1752
1753 newcr = crget();
1754 crcopy(newcr, cr);
1755 return (newcr);
1756 }
1757
1758 #ifdef DIAGNOSTIC
1759 void
1760 cred_free_thread(struct thread *td)
1761 {
1762 struct ucred *cred;
1763
1764 cred = td->td_ucred;
1765 td->td_ucred = NULL;
1766 if (cred != NULL)
1767 crfree(cred);
1768 }
1769 #endif
1770
1771 /*
1772 * Fill in a struct xucred based on a struct ucred.
1773 */
1774 void
1775 cru2x(struct ucred *cr, struct xucred *xcr)
1776 {
1777
1778 bzero(xcr, sizeof(*xcr));
1779 xcr->cr_version = XUCRED_VERSION;
1780 xcr->cr_uid = cr->cr_uid;
1781 xcr->cr_ngroups = cr->cr_ngroups;
1782 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1783 }
1784
1785 /*
1786 * small routine to swap a thread's current ucred for the correct one
1787 * taken from the process.
1788 */
1789 void
1790 cred_update_thread(struct thread *td)
1791 {
1792 struct proc *p;
1793 struct ucred *cred;
1794
1795 p = td->td_proc;
1796 cred = td->td_ucred;
1797 PROC_LOCK(p);
1798 td->td_ucred = crhold(p->p_ucred);
1799 PROC_UNLOCK(p);
1800 if (cred != NULL)
1801 crfree(cred);
1802 }
1803
1804 /*
1805 * Get login name, if available.
1806 */
1807 #ifndef _SYS_SYSPROTO_H_
1808 struct getlogin_args {
1809 char *namebuf;
1810 u_int namelen;
1811 };
1812 #endif
1813 /*
1814 * MPSAFE
1815 */
1816 /* ARGSUSED */
1817 int
1818 getlogin(struct thread *td, struct getlogin_args *uap)
1819 {
1820 int error;
1821 char login[MAXLOGNAME];
1822 struct proc *p = td->td_proc;
1823
1824 if (uap->namelen > MAXLOGNAME)
1825 uap->namelen = MAXLOGNAME;
1826 PROC_LOCK(p);
1827 SESS_LOCK(p->p_session);
1828 bcopy(p->p_session->s_login, login, uap->namelen);
1829 SESS_UNLOCK(p->p_session);
1830 PROC_UNLOCK(p);
1831 error = copyout(login, uap->namebuf, uap->namelen);
1832 return(error);
1833 }
1834
1835 /*
1836 * Set login name.
1837 */
1838 #ifndef _SYS_SYSPROTO_H_
1839 struct setlogin_args {
1840 char *namebuf;
1841 };
1842 #endif
1843 /*
1844 * MPSAFE
1845 */
1846 /* ARGSUSED */
1847 int
1848 setlogin(struct thread *td, struct setlogin_args *uap)
1849 {
1850 struct proc *p = td->td_proc;
1851 int error;
1852 char logintmp[MAXLOGNAME];
1853
1854 error = suser_cred(td->td_ucred, PRISON_ROOT);
1855 if (error)
1856 return (error);
1857 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
1858 if (error == ENAMETOOLONG)
1859 error = EINVAL;
1860 else if (!error) {
1861 PROC_LOCK(p);
1862 SESS_LOCK(p->p_session);
1863 (void) memcpy(p->p_session->s_login, logintmp,
1864 sizeof(logintmp));
1865 SESS_UNLOCK(p->p_session);
1866 PROC_UNLOCK(p);
1867 }
1868 return (error);
1869 }
1870
1871 void
1872 setsugid(struct proc *p)
1873 {
1874
1875 PROC_LOCK_ASSERT(p, MA_OWNED);
1876 p->p_flag |= P_SUGID;
1877 if (!(p->p_pfsflags & PF_ISUGID))
1878 p->p_stops = 0;
1879 }
1880
1881 /*-
1882 * Change a process's effective uid.
1883 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1884 * References: newcred must be an exclusive credential reference for the
1885 * duration of the call.
1886 */
1887 void
1888 change_euid(struct ucred *newcred, struct uidinfo *euip)
1889 {
1890
1891 newcred->cr_uid = euip->ui_uid;
1892 uihold(euip);
1893 uifree(newcred->cr_uidinfo);
1894 newcred->cr_uidinfo = euip;
1895 }
1896
1897 /*-
1898 * Change a process's effective gid.
1899 * Side effects: newcred->cr_gid will be modified.
1900 * References: newcred must be an exclusive credential reference for the
1901 * duration of the call.
1902 */
1903 void
1904 change_egid(struct ucred *newcred, gid_t egid)
1905 {
1906
1907 newcred->cr_groups[0] = egid;
1908 }
1909
1910 /*-
1911 * Change a process's real uid.
1912 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1913 * will be updated, and the old and new cr_ruidinfo proc
1914 * counts will be updated.
1915 * References: newcred must be an exclusive credential reference for the
1916 * duration of the call.
1917 */
1918 void
1919 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
1920 {
1921
1922 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1923 newcred->cr_ruid = ruip->ui_uid;
1924 uihold(ruip);
1925 uifree(newcred->cr_ruidinfo);
1926 newcred->cr_ruidinfo = ruip;
1927 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1928 }
1929
1930 /*-
1931 * Change a process's real gid.
1932 * Side effects: newcred->cr_rgid will be updated.
1933 * References: newcred must be an exclusive credential reference for the
1934 * duration of the call.
1935 */
1936 void
1937 change_rgid(struct ucred *newcred, gid_t rgid)
1938 {
1939
1940 newcred->cr_rgid = rgid;
1941 }
1942
1943 /*-
1944 * Change a process's saved uid.
1945 * Side effects: newcred->cr_svuid will be updated.
1946 * References: newcred must be an exclusive credential reference for the
1947 * duration of the call.
1948 */
1949 void
1950 change_svuid(struct ucred *newcred, uid_t svuid)
1951 {
1952
1953 newcred->cr_svuid = svuid;
1954 }
1955
1956 /*-
1957 * Change a process's saved gid.
1958 * Side effects: newcred->cr_svgid will be updated.
1959 * References: newcred must be an exclusive credential reference for the
1960 * duration of the call.
1961 */
1962 void
1963 change_svgid(struct ucred *newcred, gid_t svgid)
1964 {
1965
1966 newcred->cr_svgid = svgid;
1967 }
Cache object: c2650f484a52cb3f6580c9804680ac3e
|