FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by the University of
22 * California, Berkeley and its contributors.
23 * 4. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
40 */
41
42 /*
43 * System calls related to processes and protection
44 */
45
46 #include <sys/cdefs.h>
47 __FBSDID("$FreeBSD: releng/5.2/sys/kern/kern_prot.c 123173 2003-12-06 21:48:03Z rwatson $");
48
49 #include "opt_compat.h"
50 #include "opt_mac.h"
51
52 #include <sys/param.h>
53 #include <sys/systm.h>
54 #include <sys/acct.h>
55 #include <sys/kernel.h>
56 #include <sys/lock.h>
57 #include <sys/mac.h>
58 #include <sys/malloc.h>
59 #include <sys/mutex.h>
60 #include <sys/sx.h>
61 #include <sys/proc.h>
62 #include <sys/sysproto.h>
63 #include <sys/jail.h>
64 #include <sys/pioctl.h>
65 #include <sys/resourcevar.h>
66 #include <sys/socket.h>
67 #include <sys/socketvar.h>
68 #include <sys/sysctl.h>
69
70 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
71
72 SYSCTL_DECL(_security);
73 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
74 "BSD security policy");
75
76 #ifndef _SYS_SYSPROTO_H_
77 struct getpid_args {
78 int dummy;
79 };
80 #endif
81 /*
82 * MPSAFE
83 */
84 /* ARGSUSED */
85 int
86 getpid(struct thread *td, struct getpid_args *uap)
87 {
88 struct proc *p = td->td_proc;
89
90 td->td_retval[0] = p->p_pid;
91 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
92 PROC_LOCK(p);
93 td->td_retval[1] = p->p_pptr->p_pid;
94 PROC_UNLOCK(p);
95 #endif
96 return (0);
97 }
98
99 #ifndef _SYS_SYSPROTO_H_
100 struct getppid_args {
101 int dummy;
102 };
103 #endif
104 /*
105 * MPSAFE
106 */
107 /* ARGSUSED */
108 int
109 getppid(struct thread *td, struct getppid_args *uap)
110 {
111 struct proc *p = td->td_proc;
112
113 PROC_LOCK(p);
114 td->td_retval[0] = p->p_pptr->p_pid;
115 PROC_UNLOCK(p);
116 return (0);
117 }
118
119 /*
120 * Get process group ID; note that POSIX getpgrp takes no parameter.
121 */
122 #ifndef _SYS_SYSPROTO_H_
123 struct getpgrp_args {
124 int dummy;
125 };
126 #endif
127 /*
128 * MPSAFE
129 */
130 int
131 getpgrp(struct thread *td, struct getpgrp_args *uap)
132 {
133 struct proc *p = td->td_proc;
134
135 PROC_LOCK(p);
136 td->td_retval[0] = p->p_pgrp->pg_id;
137 PROC_UNLOCK(p);
138 return (0);
139 }
140
141 /* Get an arbitary pid's process group id */
142 #ifndef _SYS_SYSPROTO_H_
143 struct getpgid_args {
144 pid_t pid;
145 };
146 #endif
147 /*
148 * MPSAFE
149 */
150 int
151 getpgid(struct thread *td, struct getpgid_args *uap)
152 {
153 struct proc *p;
154 int error;
155
156 if (uap->pid == 0) {
157 p = td->td_proc;
158 PROC_LOCK(p);
159 } else {
160 p = pfind(uap->pid);
161 if (p == NULL)
162 return (ESRCH);
163 error = p_cansee(td, p);
164 if (error) {
165 PROC_UNLOCK(p);
166 return (error);
167 }
168 }
169 td->td_retval[0] = p->p_pgrp->pg_id;
170 PROC_UNLOCK(p);
171 return (0);
172 }
173
174 /*
175 * Get an arbitary pid's session id.
176 */
177 #ifndef _SYS_SYSPROTO_H_
178 struct getsid_args {
179 pid_t pid;
180 };
181 #endif
182 /*
183 * MPSAFE
184 */
185 int
186 getsid(struct thread *td, struct getsid_args *uap)
187 {
188 struct proc *p;
189 int error;
190
191 if (uap->pid == 0) {
192 p = td->td_proc;
193 PROC_LOCK(p);
194 } else {
195 p = pfind(uap->pid);
196 if (p == NULL)
197 return (ESRCH);
198 error = p_cansee(td, p);
199 if (error) {
200 PROC_UNLOCK(p);
201 return (error);
202 }
203 }
204 td->td_retval[0] = p->p_session->s_sid;
205 PROC_UNLOCK(p);
206 return (0);
207 }
208
209 #ifndef _SYS_SYSPROTO_H_
210 struct getuid_args {
211 int dummy;
212 };
213 #endif
214 /*
215 * MPSAFE
216 */
217 /* ARGSUSED */
218 int
219 getuid(struct thread *td, struct getuid_args *uap)
220 {
221
222 td->td_retval[0] = td->td_ucred->cr_ruid;
223 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
224 td->td_retval[1] = td->td_ucred->cr_uid;
225 #endif
226 return (0);
227 }
228
229 #ifndef _SYS_SYSPROTO_H_
230 struct geteuid_args {
231 int dummy;
232 };
233 #endif
234 /*
235 * MPSAFE
236 */
237 /* ARGSUSED */
238 int
239 geteuid(struct thread *td, struct geteuid_args *uap)
240 {
241
242 td->td_retval[0] = td->td_ucred->cr_uid;
243 return (0);
244 }
245
246 #ifndef _SYS_SYSPROTO_H_
247 struct getgid_args {
248 int dummy;
249 };
250 #endif
251 /*
252 * MPSAFE
253 */
254 /* ARGSUSED */
255 int
256 getgid(struct thread *td, struct getgid_args *uap)
257 {
258
259 td->td_retval[0] = td->td_ucred->cr_rgid;
260 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
261 td->td_retval[1] = td->td_ucred->cr_groups[0];
262 #endif
263 return (0);
264 }
265
266 /*
267 * Get effective group ID. The "egid" is groups[0], and could be obtained
268 * via getgroups. This syscall exists because it is somewhat painful to do
269 * correctly in a library function.
270 */
271 #ifndef _SYS_SYSPROTO_H_
272 struct getegid_args {
273 int dummy;
274 };
275 #endif
276 /*
277 * MPSAFE
278 */
279 /* ARGSUSED */
280 int
281 getegid(struct thread *td, struct getegid_args *uap)
282 {
283
284 td->td_retval[0] = td->td_ucred->cr_groups[0];
285 return (0);
286 }
287
288 #ifndef _SYS_SYSPROTO_H_
289 struct getgroups_args {
290 u_int gidsetsize;
291 gid_t *gidset;
292 };
293 #endif
294 /*
295 * MPSAFE
296 */
297 int
298 getgroups(struct thread *td, register struct getgroups_args *uap)
299 {
300 struct ucred *cred;
301 u_int ngrp;
302 int error;
303
304 cred = td->td_ucred;
305 if ((ngrp = uap->gidsetsize) == 0) {
306 td->td_retval[0] = cred->cr_ngroups;
307 return (0);
308 }
309 if (ngrp < cred->cr_ngroups)
310 return (EINVAL);
311 ngrp = cred->cr_ngroups;
312 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
313 if (error == 0)
314 td->td_retval[0] = ngrp;
315 return (error);
316 }
317
318 #ifndef _SYS_SYSPROTO_H_
319 struct setsid_args {
320 int dummy;
321 };
322 #endif
323 /*
324 * MPSAFE
325 */
326 /* ARGSUSED */
327 int
328 setsid(register struct thread *td, struct setsid_args *uap)
329 {
330 struct pgrp *pgrp;
331 int error;
332 struct proc *p = td->td_proc;
333 struct pgrp *newpgrp;
334 struct session *newsess;
335
336 error = 0;
337 pgrp = NULL;
338
339 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
340 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
341
342 sx_xlock(&proctree_lock);
343
344 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
345 if (pgrp != NULL)
346 PGRP_UNLOCK(pgrp);
347 error = EPERM;
348 } else {
349 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
350 td->td_retval[0] = p->p_pid;
351 newpgrp = NULL;
352 newsess = NULL;
353 }
354
355 sx_xunlock(&proctree_lock);
356
357 if (newpgrp != NULL)
358 FREE(newpgrp, M_PGRP);
359 if (newsess != NULL)
360 FREE(newsess, M_SESSION);
361
362 return (error);
363 }
364
365 /*
366 * set process group (setpgid/old setpgrp)
367 *
368 * caller does setpgid(targpid, targpgid)
369 *
370 * pid must be caller or child of caller (ESRCH)
371 * if a child
372 * pid must be in same session (EPERM)
373 * pid can't have done an exec (EACCES)
374 * if pgid != pid
375 * there must exist some pid in same session having pgid (EPERM)
376 * pid must not be session leader (EPERM)
377 */
378 #ifndef _SYS_SYSPROTO_H_
379 struct setpgid_args {
380 int pid; /* target process id */
381 int pgid; /* target pgrp id */
382 };
383 #endif
384 /*
385 * MPSAFE
386 */
387 /* ARGSUSED */
388 int
389 setpgid(struct thread *td, register struct setpgid_args *uap)
390 {
391 struct proc *curp = td->td_proc;
392 register struct proc *targp; /* target process */
393 register struct pgrp *pgrp; /* target pgrp */
394 int error;
395 struct pgrp *newpgrp;
396
397 if (uap->pgid < 0)
398 return (EINVAL);
399
400 error = 0;
401
402 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
403
404 sx_xlock(&proctree_lock);
405 if (uap->pid != 0 && uap->pid != curp->p_pid) {
406 if ((targp = pfind(uap->pid)) == NULL) {
407 error = ESRCH;
408 goto done;
409 }
410 if (!inferior(targp)) {
411 PROC_UNLOCK(targp);
412 error = ESRCH;
413 goto done;
414 }
415 if ((error = p_cansee(curthread, targp))) {
416 PROC_UNLOCK(targp);
417 goto done;
418 }
419 if (targp->p_pgrp == NULL ||
420 targp->p_session != curp->p_session) {
421 PROC_UNLOCK(targp);
422 error = EPERM;
423 goto done;
424 }
425 if (targp->p_flag & P_EXEC) {
426 PROC_UNLOCK(targp);
427 error = EACCES;
428 goto done;
429 }
430 PROC_UNLOCK(targp);
431 } else
432 targp = curp;
433 if (SESS_LEADER(targp)) {
434 error = EPERM;
435 goto done;
436 }
437 if (uap->pgid == 0)
438 uap->pgid = targp->p_pid;
439 if ((pgrp = pgfind(uap->pgid)) == NULL) {
440 if (uap->pgid == targp->p_pid) {
441 error = enterpgrp(targp, uap->pgid, newpgrp,
442 NULL);
443 if (error == 0)
444 newpgrp = NULL;
445 } else
446 error = EPERM;
447 } else {
448 if (pgrp == targp->p_pgrp) {
449 PGRP_UNLOCK(pgrp);
450 goto done;
451 }
452 if (pgrp->pg_id != targp->p_pid &&
453 pgrp->pg_session != curp->p_session) {
454 PGRP_UNLOCK(pgrp);
455 error = EPERM;
456 goto done;
457 }
458 PGRP_UNLOCK(pgrp);
459 error = enterthispgrp(targp, pgrp);
460 }
461 done:
462 sx_xunlock(&proctree_lock);
463 KASSERT((error == 0) || (newpgrp != NULL),
464 ("setpgid failed and newpgrp is NULL"));
465 if (newpgrp != NULL)
466 FREE(newpgrp, M_PGRP);
467 return (error);
468 }
469
470 /*
471 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
472 * compatible. It says that setting the uid/gid to euid/egid is a special
473 * case of "appropriate privilege". Once the rules are expanded out, this
474 * basically means that setuid(nnn) sets all three id's, in all permitted
475 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
476 * does not set the saved id - this is dangerous for traditional BSD
477 * programs. For this reason, we *really* do not want to set
478 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
479 */
480 #define POSIX_APPENDIX_B_4_2_2
481
482 #ifndef _SYS_SYSPROTO_H_
483 struct setuid_args {
484 uid_t uid;
485 };
486 #endif
487 /*
488 * MPSAFE
489 */
490 /* ARGSUSED */
491 int
492 setuid(struct thread *td, struct setuid_args *uap)
493 {
494 struct proc *p = td->td_proc;
495 struct ucred *newcred, *oldcred;
496 uid_t uid;
497 struct uidinfo *uip;
498 int error;
499
500 uid = uap->uid;
501 newcred = crget();
502 uip = uifind(uid);
503 PROC_LOCK(p);
504 oldcred = p->p_ucred;
505
506 /*
507 * See if we have "permission" by POSIX 1003.1 rules.
508 *
509 * Note that setuid(geteuid()) is a special case of
510 * "appropriate privileges" in appendix B.4.2.2. We need
511 * to use this clause to be compatible with traditional BSD
512 * semantics. Basically, it means that "setuid(xx)" sets all
513 * three id's (assuming you have privs).
514 *
515 * Notes on the logic. We do things in three steps.
516 * 1: We determine if the euid is going to change, and do EPERM
517 * right away. We unconditionally change the euid later if this
518 * test is satisfied, simplifying that part of the logic.
519 * 2: We determine if the real and/or saved uids are going to
520 * change. Determined by compile options.
521 * 3: Change euid last. (after tests in #2 for "appropriate privs")
522 */
523 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
524 #ifdef _POSIX_SAVED_IDS
525 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
526 #endif
527 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
528 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
529 #endif
530 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
531 PROC_UNLOCK(p);
532 uifree(uip);
533 crfree(newcred);
534 return (error);
535 }
536
537 /*
538 * Copy credentials so other references do not see our changes.
539 */
540 crcopy(newcred, oldcred);
541 #ifdef _POSIX_SAVED_IDS
542 /*
543 * Do we have "appropriate privileges" (are we root or uid == euid)
544 * If so, we are changing the real uid and/or saved uid.
545 */
546 if (
547 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
548 uid == oldcred->cr_uid ||
549 #endif
550 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
551 #endif
552 {
553 /*
554 * Set the real uid and transfer proc count to new user.
555 */
556 if (uid != oldcred->cr_ruid) {
557 change_ruid(newcred, uip);
558 setsugid(p);
559 }
560 /*
561 * Set saved uid
562 *
563 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
564 * the security of seteuid() depends on it. B.4.2.2 says it
565 * is important that we should do this.
566 */
567 if (uid != oldcred->cr_svuid) {
568 change_svuid(newcred, uid);
569 setsugid(p);
570 }
571 }
572
573 /*
574 * In all permitted cases, we are changing the euid.
575 */
576 if (uid != oldcred->cr_uid) {
577 change_euid(newcred, uip);
578 setsugid(p);
579 }
580 p->p_ucred = newcred;
581 PROC_UNLOCK(p);
582 uifree(uip);
583 crfree(oldcred);
584 return (0);
585 }
586
587 #ifndef _SYS_SYSPROTO_H_
588 struct seteuid_args {
589 uid_t euid;
590 };
591 #endif
592 /*
593 * MPSAFE
594 */
595 /* ARGSUSED */
596 int
597 seteuid(struct thread *td, struct seteuid_args *uap)
598 {
599 struct proc *p = td->td_proc;
600 struct ucred *newcred, *oldcred;
601 uid_t euid;
602 struct uidinfo *euip;
603 int error;
604
605 euid = uap->euid;
606 newcred = crget();
607 euip = uifind(euid);
608 PROC_LOCK(p);
609 oldcred = p->p_ucred;
610 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
611 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
612 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
613 PROC_UNLOCK(p);
614 uifree(euip);
615 crfree(newcred);
616 return (error);
617 }
618 /*
619 * Everything's okay, do it. Copy credentials so other references do
620 * not see our changes.
621 */
622 crcopy(newcred, oldcred);
623 if (oldcred->cr_uid != euid) {
624 change_euid(newcred, euip);
625 setsugid(p);
626 }
627 p->p_ucred = newcred;
628 PROC_UNLOCK(p);
629 uifree(euip);
630 crfree(oldcred);
631 return (0);
632 }
633
634 #ifndef _SYS_SYSPROTO_H_
635 struct setgid_args {
636 gid_t gid;
637 };
638 #endif
639 /*
640 * MPSAFE
641 */
642 /* ARGSUSED */
643 int
644 setgid(struct thread *td, struct setgid_args *uap)
645 {
646 struct proc *p = td->td_proc;
647 struct ucred *newcred, *oldcred;
648 gid_t gid;
649 int error;
650
651 gid = uap->gid;
652 newcred = crget();
653 PROC_LOCK(p);
654 oldcred = p->p_ucred;
655
656 /*
657 * See if we have "permission" by POSIX 1003.1 rules.
658 *
659 * Note that setgid(getegid()) is a special case of
660 * "appropriate privileges" in appendix B.4.2.2. We need
661 * to use this clause to be compatible with traditional BSD
662 * semantics. Basically, it means that "setgid(xx)" sets all
663 * three id's (assuming you have privs).
664 *
665 * For notes on the logic here, see setuid() above.
666 */
667 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
668 #ifdef _POSIX_SAVED_IDS
669 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
670 #endif
671 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
672 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
673 #endif
674 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
675 PROC_UNLOCK(p);
676 crfree(newcred);
677 return (error);
678 }
679
680 crcopy(newcred, oldcred);
681 #ifdef _POSIX_SAVED_IDS
682 /*
683 * Do we have "appropriate privileges" (are we root or gid == egid)
684 * If so, we are changing the real uid and saved gid.
685 */
686 if (
687 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
688 gid == oldcred->cr_groups[0] ||
689 #endif
690 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
691 #endif
692 {
693 /*
694 * Set real gid
695 */
696 if (oldcred->cr_rgid != gid) {
697 change_rgid(newcred, gid);
698 setsugid(p);
699 }
700 /*
701 * Set saved gid
702 *
703 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
704 * the security of setegid() depends on it. B.4.2.2 says it
705 * is important that we should do this.
706 */
707 if (oldcred->cr_svgid != gid) {
708 change_svgid(newcred, gid);
709 setsugid(p);
710 }
711 }
712 /*
713 * In all cases permitted cases, we are changing the egid.
714 * Copy credentials so other references do not see our changes.
715 */
716 if (oldcred->cr_groups[0] != gid) {
717 change_egid(newcred, gid);
718 setsugid(p);
719 }
720 p->p_ucred = newcred;
721 PROC_UNLOCK(p);
722 crfree(oldcred);
723 return (0);
724 }
725
726 #ifndef _SYS_SYSPROTO_H_
727 struct setegid_args {
728 gid_t egid;
729 };
730 #endif
731 /*
732 * MPSAFE
733 */
734 /* ARGSUSED */
735 int
736 setegid(struct thread *td, struct setegid_args *uap)
737 {
738 struct proc *p = td->td_proc;
739 struct ucred *newcred, *oldcred;
740 gid_t egid;
741 int error;
742
743 egid = uap->egid;
744 newcred = crget();
745 PROC_LOCK(p);
746 oldcred = p->p_ucred;
747 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
748 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
749 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
750 PROC_UNLOCK(p);
751 crfree(newcred);
752 return (error);
753 }
754 crcopy(newcred, oldcred);
755 if (oldcred->cr_groups[0] != egid) {
756 change_egid(newcred, egid);
757 setsugid(p);
758 }
759 p->p_ucred = newcred;
760 PROC_UNLOCK(p);
761 crfree(oldcred);
762 return (0);
763 }
764
765 #ifndef _SYS_SYSPROTO_H_
766 struct setgroups_args {
767 u_int gidsetsize;
768 gid_t *gidset;
769 };
770 #endif
771 /*
772 * MPSAFE
773 */
774 /* ARGSUSED */
775 int
776 setgroups(struct thread *td, struct setgroups_args *uap)
777 {
778 struct proc *p = td->td_proc;
779 struct ucred *newcred, *tempcred, *oldcred;
780 u_int ngrp;
781 int error;
782
783 ngrp = uap->gidsetsize;
784 if (ngrp > NGROUPS)
785 return (EINVAL);
786 tempcred = crget();
787 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
788 if (error != 0) {
789 crfree(tempcred);
790 return (error);
791 }
792 newcred = crget();
793 PROC_LOCK(p);
794 oldcred = p->p_ucred;
795 error = suser_cred(oldcred, PRISON_ROOT);
796 if (error) {
797 PROC_UNLOCK(p);
798 crfree(newcred);
799 crfree(tempcred);
800 return (error);
801 }
802
803 /*
804 * XXX A little bit lazy here. We could test if anything has
805 * changed before crcopy() and setting P_SUGID.
806 */
807 crcopy(newcred, oldcred);
808 if (ngrp < 1) {
809 /*
810 * setgroups(0, NULL) is a legitimate way of clearing the
811 * groups vector on non-BSD systems (which generally do not
812 * have the egid in the groups[0]). We risk security holes
813 * when running non-BSD software if we do not do the same.
814 */
815 newcred->cr_ngroups = 1;
816 } else {
817 bcopy(tempcred->cr_groups, newcred->cr_groups,
818 ngrp * sizeof(gid_t));
819 newcred->cr_ngroups = ngrp;
820 }
821 setsugid(p);
822 p->p_ucred = newcred;
823 PROC_UNLOCK(p);
824 crfree(tempcred);
825 crfree(oldcred);
826 return (0);
827 }
828
829 #ifndef _SYS_SYSPROTO_H_
830 struct setreuid_args {
831 uid_t ruid;
832 uid_t euid;
833 };
834 #endif
835 /*
836 * MPSAFE
837 */
838 /* ARGSUSED */
839 int
840 setreuid(register struct thread *td, struct setreuid_args *uap)
841 {
842 struct proc *p = td->td_proc;
843 struct ucred *newcred, *oldcred;
844 uid_t euid, ruid;
845 struct uidinfo *euip, *ruip;
846 int error;
847
848 euid = uap->euid;
849 ruid = uap->ruid;
850 newcred = crget();
851 euip = uifind(euid);
852 ruip = uifind(ruid);
853 PROC_LOCK(p);
854 oldcred = p->p_ucred;
855 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
856 ruid != oldcred->cr_svuid) ||
857 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
858 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
859 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
860 PROC_UNLOCK(p);
861 uifree(ruip);
862 uifree(euip);
863 crfree(newcred);
864 return (error);
865 }
866 crcopy(newcred, oldcred);
867 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
868 change_euid(newcred, euip);
869 setsugid(p);
870 }
871 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
872 change_ruid(newcred, ruip);
873 setsugid(p);
874 }
875 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
876 newcred->cr_svuid != newcred->cr_uid) {
877 change_svuid(newcred, newcred->cr_uid);
878 setsugid(p);
879 }
880 p->p_ucred = newcred;
881 PROC_UNLOCK(p);
882 uifree(ruip);
883 uifree(euip);
884 crfree(oldcred);
885 return (0);
886 }
887
888 #ifndef _SYS_SYSPROTO_H_
889 struct setregid_args {
890 gid_t rgid;
891 gid_t egid;
892 };
893 #endif
894 /*
895 * MPSAFE
896 */
897 /* ARGSUSED */
898 int
899 setregid(register struct thread *td, struct setregid_args *uap)
900 {
901 struct proc *p = td->td_proc;
902 struct ucred *newcred, *oldcred;
903 gid_t egid, rgid;
904 int error;
905
906 egid = uap->egid;
907 rgid = uap->rgid;
908 newcred = crget();
909 PROC_LOCK(p);
910 oldcred = p->p_ucred;
911 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
912 rgid != oldcred->cr_svgid) ||
913 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
914 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
915 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
916 PROC_UNLOCK(p);
917 crfree(newcred);
918 return (error);
919 }
920
921 crcopy(newcred, oldcred);
922 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
923 change_egid(newcred, egid);
924 setsugid(p);
925 }
926 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
927 change_rgid(newcred, rgid);
928 setsugid(p);
929 }
930 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
931 newcred->cr_svgid != newcred->cr_groups[0]) {
932 change_svgid(newcred, newcred->cr_groups[0]);
933 setsugid(p);
934 }
935 p->p_ucred = newcred;
936 PROC_UNLOCK(p);
937 crfree(oldcred);
938 return (0);
939 }
940
941 /*
942 * setresuid(ruid, euid, suid) is like setreuid except control over the
943 * saved uid is explicit.
944 */
945
946 #ifndef _SYS_SYSPROTO_H_
947 struct setresuid_args {
948 uid_t ruid;
949 uid_t euid;
950 uid_t suid;
951 };
952 #endif
953 /*
954 * MPSAFE
955 */
956 /* ARGSUSED */
957 int
958 setresuid(register struct thread *td, struct setresuid_args *uap)
959 {
960 struct proc *p = td->td_proc;
961 struct ucred *newcred, *oldcred;
962 uid_t euid, ruid, suid;
963 struct uidinfo *euip, *ruip;
964 int error;
965
966 euid = uap->euid;
967 ruid = uap->ruid;
968 suid = uap->suid;
969 newcred = crget();
970 euip = uifind(euid);
971 ruip = uifind(ruid);
972 PROC_LOCK(p);
973 oldcred = p->p_ucred;
974 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
975 ruid != oldcred->cr_svuid &&
976 ruid != oldcred->cr_uid) ||
977 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
978 euid != oldcred->cr_svuid &&
979 euid != oldcred->cr_uid) ||
980 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
981 suid != oldcred->cr_svuid &&
982 suid != oldcred->cr_uid)) &&
983 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
984 PROC_UNLOCK(p);
985 uifree(ruip);
986 uifree(euip);
987 crfree(newcred);
988 return (error);
989 }
990
991 crcopy(newcred, oldcred);
992 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
993 change_euid(newcred, euip);
994 setsugid(p);
995 }
996 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
997 change_ruid(newcred, ruip);
998 setsugid(p);
999 }
1000 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1001 change_svuid(newcred, suid);
1002 setsugid(p);
1003 }
1004 p->p_ucred = newcred;
1005 PROC_UNLOCK(p);
1006 uifree(ruip);
1007 uifree(euip);
1008 crfree(oldcred);
1009 return (0);
1010 }
1011
1012 /*
1013 * setresgid(rgid, egid, sgid) is like setregid except control over the
1014 * saved gid is explicit.
1015 */
1016
1017 #ifndef _SYS_SYSPROTO_H_
1018 struct setresgid_args {
1019 gid_t rgid;
1020 gid_t egid;
1021 gid_t sgid;
1022 };
1023 #endif
1024 /*
1025 * MPSAFE
1026 */
1027 /* ARGSUSED */
1028 int
1029 setresgid(register struct thread *td, struct setresgid_args *uap)
1030 {
1031 struct proc *p = td->td_proc;
1032 struct ucred *newcred, *oldcred;
1033 gid_t egid, rgid, sgid;
1034 int error;
1035
1036 egid = uap->egid;
1037 rgid = uap->rgid;
1038 sgid = uap->sgid;
1039 newcred = crget();
1040 PROC_LOCK(p);
1041 oldcred = p->p_ucred;
1042 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1043 rgid != oldcred->cr_svgid &&
1044 rgid != oldcred->cr_groups[0]) ||
1045 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1046 egid != oldcred->cr_svgid &&
1047 egid != oldcred->cr_groups[0]) ||
1048 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1049 sgid != oldcred->cr_svgid &&
1050 sgid != oldcred->cr_groups[0])) &&
1051 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
1052 PROC_UNLOCK(p);
1053 crfree(newcred);
1054 return (error);
1055 }
1056
1057 crcopy(newcred, oldcred);
1058 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1059 change_egid(newcred, egid);
1060 setsugid(p);
1061 }
1062 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1063 change_rgid(newcred, rgid);
1064 setsugid(p);
1065 }
1066 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1067 change_svgid(newcred, sgid);
1068 setsugid(p);
1069 }
1070 p->p_ucred = newcred;
1071 PROC_UNLOCK(p);
1072 crfree(oldcred);
1073 return (0);
1074 }
1075
1076 #ifndef _SYS_SYSPROTO_H_
1077 struct getresuid_args {
1078 uid_t *ruid;
1079 uid_t *euid;
1080 uid_t *suid;
1081 };
1082 #endif
1083 /*
1084 * MPSAFE
1085 */
1086 /* ARGSUSED */
1087 int
1088 getresuid(register struct thread *td, struct getresuid_args *uap)
1089 {
1090 struct ucred *cred;
1091 int error1 = 0, error2 = 0, error3 = 0;
1092
1093 cred = td->td_ucred;
1094 if (uap->ruid)
1095 error1 = copyout(&cred->cr_ruid,
1096 uap->ruid, sizeof(cred->cr_ruid));
1097 if (uap->euid)
1098 error2 = copyout(&cred->cr_uid,
1099 uap->euid, sizeof(cred->cr_uid));
1100 if (uap->suid)
1101 error3 = copyout(&cred->cr_svuid,
1102 uap->suid, sizeof(cred->cr_svuid));
1103 return (error1 ? error1 : error2 ? error2 : error3);
1104 }
1105
1106 #ifndef _SYS_SYSPROTO_H_
1107 struct getresgid_args {
1108 gid_t *rgid;
1109 gid_t *egid;
1110 gid_t *sgid;
1111 };
1112 #endif
1113 /*
1114 * MPSAFE
1115 */
1116 /* ARGSUSED */
1117 int
1118 getresgid(register struct thread *td, struct getresgid_args *uap)
1119 {
1120 struct ucred *cred;
1121 int error1 = 0, error2 = 0, error3 = 0;
1122
1123 cred = td->td_ucred;
1124 if (uap->rgid)
1125 error1 = copyout(&cred->cr_rgid,
1126 uap->rgid, sizeof(cred->cr_rgid));
1127 if (uap->egid)
1128 error2 = copyout(&cred->cr_groups[0],
1129 uap->egid, sizeof(cred->cr_groups[0]));
1130 if (uap->sgid)
1131 error3 = copyout(&cred->cr_svgid,
1132 uap->sgid, sizeof(cred->cr_svgid));
1133 return (error1 ? error1 : error2 ? error2 : error3);
1134 }
1135
1136 #ifndef _SYS_SYSPROTO_H_
1137 struct issetugid_args {
1138 int dummy;
1139 };
1140 #endif
1141 /*
1142 * MPSAFE
1143 */
1144 /* ARGSUSED */
1145 int
1146 issetugid(register struct thread *td, struct issetugid_args *uap)
1147 {
1148 struct proc *p = td->td_proc;
1149
1150 /*
1151 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1152 * we use P_SUGID because we consider changing the owners as
1153 * "tainting" as well.
1154 * This is significant for procs that start as root and "become"
1155 * a user without an exec - programs cannot know *everything*
1156 * that libc *might* have put in their data segment.
1157 */
1158 PROC_LOCK(p);
1159 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1160 PROC_UNLOCK(p);
1161 return (0);
1162 }
1163
1164 /*
1165 * MPSAFE
1166 */
1167 int
1168 __setugid(struct thread *td, struct __setugid_args *uap)
1169 {
1170 #ifdef REGRESSION
1171 struct proc *p;
1172
1173 p = td->td_proc;
1174 switch (uap->flag) {
1175 case 0:
1176 PROC_LOCK(p);
1177 p->p_flag &= ~P_SUGID;
1178 PROC_UNLOCK(p);
1179 return (0);
1180 case 1:
1181 PROC_LOCK(p);
1182 p->p_flag |= P_SUGID;
1183 PROC_UNLOCK(p);
1184 return (0);
1185 default:
1186 return (EINVAL);
1187 }
1188 #else /* !REGRESSION */
1189
1190 return (ENOSYS);
1191 #endif /* REGRESSION */
1192 }
1193
1194 /*
1195 * Check if gid is a member of the group set.
1196 *
1197 * MPSAFE (cred must be held)
1198 */
1199 int
1200 groupmember(gid_t gid, struct ucred *cred)
1201 {
1202 register gid_t *gp;
1203 gid_t *egp;
1204
1205 egp = &(cred->cr_groups[cred->cr_ngroups]);
1206 for (gp = cred->cr_groups; gp < egp; gp++)
1207 if (*gp == gid)
1208 return (1);
1209 return (0);
1210 }
1211
1212 /*
1213 * `suser_enabled' (which can be set by the security.suser_enabled
1214 * sysctl) determines whether the system 'super-user' policy is in effect.
1215 * If it is nonzero, an effective uid of 0 connotes special privilege,
1216 * overriding many mandatory and discretionary protections. If it is zero,
1217 * uid 0 is offered no special privilege in the kernel security policy.
1218 * Setting it to zero may seriously impact the functionality of many
1219 * existing userland programs, and should not be done without careful
1220 * consideration of the consequences.
1221 */
1222 int suser_enabled = 1;
1223 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1224 &suser_enabled, 0, "processes with uid 0 have privilege");
1225 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1226
1227 /*
1228 * Test whether the specified credentials imply "super-user" privilege.
1229 * Return 0 or EPERM. The flag argument is currently used only to
1230 * specify jail interaction.
1231 */
1232 int
1233 suser_cred(struct ucred *cred, int flag)
1234 {
1235
1236 if (!suser_enabled)
1237 return (EPERM);
1238 if (cred->cr_uid != 0)
1239 return (EPERM);
1240 if (jailed(cred) && !(flag & PRISON_ROOT))
1241 return (EPERM);
1242 return (0);
1243 }
1244
1245 /*
1246 * Shortcut to hide contents of struct td and struct proc from the
1247 * caller, promoting binary compatibility.
1248 */
1249 int
1250 suser(struct thread *td)
1251 {
1252
1253 return (suser_cred(td->td_ucred, 0));
1254 }
1255
1256 /*
1257 * Test the active securelevel against a given level. securelevel_gt()
1258 * implements (securelevel > level). securelevel_ge() implements
1259 * (securelevel >= level). Note that the logic is inverted -- these
1260 * functions return EPERM on "success" and 0 on "failure".
1261 *
1262 * MPSAFE
1263 */
1264 int
1265 securelevel_gt(struct ucred *cr, int level)
1266 {
1267 int active_securelevel;
1268
1269 active_securelevel = securelevel;
1270 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1271 if (cr->cr_prison != NULL) {
1272 mtx_lock(&cr->cr_prison->pr_mtx);
1273 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1274 active_securelevel);
1275 mtx_unlock(&cr->cr_prison->pr_mtx);
1276 }
1277 return (active_securelevel > level ? EPERM : 0);
1278 }
1279
1280 int
1281 securelevel_ge(struct ucred *cr, int level)
1282 {
1283 int active_securelevel;
1284
1285 active_securelevel = securelevel;
1286 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1287 if (cr->cr_prison != NULL) {
1288 mtx_lock(&cr->cr_prison->pr_mtx);
1289 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1290 active_securelevel);
1291 mtx_unlock(&cr->cr_prison->pr_mtx);
1292 }
1293 return (active_securelevel >= level ? EPERM : 0);
1294 }
1295
1296 /*
1297 * 'see_other_uids' determines whether or not visibility of processes
1298 * and sockets with credentials holding different real uids is possible
1299 * using a variety of system MIBs.
1300 * XXX: data declarations should be together near the beginning of the file.
1301 */
1302 static int see_other_uids = 1;
1303 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1304 &see_other_uids, 0,
1305 "Unprivileged processes may see subjects/objects with different real uid");
1306
1307 /*-
1308 * Determine if u1 "can see" the subject specified by u2, according to the
1309 * 'see_other_uids' policy.
1310 * Returns: 0 for permitted, ESRCH otherwise
1311 * Locks: none
1312 * References: *u1 and *u2 must not change during the call
1313 * u1 may equal u2, in which case only one reference is required
1314 */
1315 static int
1316 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1317 {
1318
1319 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1320 if (suser_cred(u1, PRISON_ROOT) != 0)
1321 return (ESRCH);
1322 }
1323 return (0);
1324 }
1325
1326 /*
1327 * 'see_other_gids' determines whether or not visibility of processes
1328 * and sockets with credentials holding different real gids is possible
1329 * using a variety of system MIBs.
1330 * XXX: data declarations should be together near the beginning of the file.
1331 */
1332 static int see_other_gids = 1;
1333 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1334 &see_other_gids, 0,
1335 "Unprivileged processes may see subjects/objects with different real gid");
1336
1337 /*
1338 * Determine if u1 can "see" the subject specified by u2, according to the
1339 * 'see_other_gids' policy.
1340 * Returns: 0 for permitted, ESRCH otherwise
1341 * Locks: none
1342 * References: *u1 and *u2 must not change during the call
1343 * u1 may equal u2, in which case only one reference is required
1344 */
1345 static int
1346 cr_seeothergids(struct ucred *u1, struct ucred *u2)
1347 {
1348 int i, match;
1349
1350 if (!see_other_gids) {
1351 match = 0;
1352 for (i = 0; i < u1->cr_ngroups; i++) {
1353 if (groupmember(u1->cr_groups[i], u2))
1354 match = 1;
1355 if (match)
1356 break;
1357 }
1358 if (!match) {
1359 if (suser_cred(u1, PRISON_ROOT) != 0)
1360 return (ESRCH);
1361 }
1362 }
1363 return (0);
1364 }
1365
1366 /*-
1367 * Determine if u1 "can see" the subject specified by u2.
1368 * Returns: 0 for permitted, an errno value otherwise
1369 * Locks: none
1370 * References: *u1 and *u2 must not change during the call
1371 * u1 may equal u2, in which case only one reference is required
1372 */
1373 int
1374 cr_cansee(struct ucred *u1, struct ucred *u2)
1375 {
1376 int error;
1377
1378 if ((error = prison_check(u1, u2)))
1379 return (error);
1380 #ifdef MAC
1381 if ((error = mac_check_cred_visible(u1, u2)))
1382 return (error);
1383 #endif
1384 if ((error = cr_seeotheruids(u1, u2)))
1385 return (error);
1386 if ((error = cr_seeothergids(u1, u2)))
1387 return (error);
1388 return (0);
1389 }
1390
1391 /*-
1392 * Determine if td "can see" the subject specified by p.
1393 * Returns: 0 for permitted, an errno value otherwise
1394 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1395 * should be curthread.
1396 * References: td and p must be valid for the lifetime of the call
1397 */
1398 int
1399 p_cansee(struct thread *td, struct proc *p)
1400 {
1401
1402 /* Wrap cr_cansee() for all functionality. */
1403 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1404 PROC_LOCK_ASSERT(p, MA_OWNED);
1405 return (cr_cansee(td->td_ucred, p->p_ucred));
1406 }
1407
1408 /*
1409 * 'conservative_signals' prevents the delivery of a broad class of
1410 * signals by unprivileged processes to processes that have changed their
1411 * credentials since the last invocation of execve(). This can prevent
1412 * the leakage of cached information or retained privileges as a result
1413 * of a common class of signal-related vulnerabilities. However, this
1414 * may interfere with some applications that expect to be able to
1415 * deliver these signals to peer processes after having given up
1416 * privilege.
1417 */
1418 static int conservative_signals = 1;
1419 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1420 &conservative_signals, 0, "Unprivileged processes prevented from "
1421 "sending certain signals to processes whose credentials have changed");
1422 /*-
1423 * Determine whether cred may deliver the specified signal to proc.
1424 * Returns: 0 for permitted, an errno value otherwise.
1425 * Locks: A lock must be held for proc.
1426 * References: cred and proc must be valid for the lifetime of the call.
1427 */
1428 int
1429 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1430 {
1431 int error;
1432
1433 PROC_LOCK_ASSERT(proc, MA_OWNED);
1434 /*
1435 * Jail semantics limit the scope of signalling to proc in the
1436 * same jail as cred, if cred is in jail.
1437 */
1438 error = prison_check(cred, proc->p_ucred);
1439 if (error)
1440 return (error);
1441 #ifdef MAC
1442 if ((error = mac_check_proc_signal(cred, proc, signum)))
1443 return (error);
1444 #endif
1445 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1446 return (error);
1447 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1448 return (error);
1449
1450 /*
1451 * UNIX signal semantics depend on the status of the P_SUGID
1452 * bit on the target process. If the bit is set, then additional
1453 * restrictions are placed on the set of available signals.
1454 */
1455 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1456 switch (signum) {
1457 case 0:
1458 case SIGKILL:
1459 case SIGINT:
1460 case SIGTERM:
1461 case SIGALRM:
1462 case SIGSTOP:
1463 case SIGTTIN:
1464 case SIGTTOU:
1465 case SIGTSTP:
1466 case SIGHUP:
1467 case SIGUSR1:
1468 case SIGUSR2:
1469 /*
1470 * Generally, permit job and terminal control
1471 * signals.
1472 */
1473 break;
1474 default:
1475 /* Not permitted without privilege. */
1476 error = suser_cred(cred, PRISON_ROOT);
1477 if (error)
1478 return (error);
1479 }
1480 }
1481
1482 /*
1483 * Generally, the target credential's ruid or svuid must match the
1484 * subject credential's ruid or euid.
1485 */
1486 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1487 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1488 cred->cr_uid != proc->p_ucred->cr_ruid &&
1489 cred->cr_uid != proc->p_ucred->cr_svuid) {
1490 /* Not permitted without privilege. */
1491 error = suser_cred(cred, PRISON_ROOT);
1492 if (error)
1493 return (error);
1494 }
1495
1496 return (0);
1497 }
1498
1499
1500 /*-
1501 * Determine whether td may deliver the specified signal to p.
1502 * Returns: 0 for permitted, an errno value otherwise
1503 * Locks: Sufficient locks to protect various components of td and p
1504 * must be held. td must be curthread, and a lock must be
1505 * held for p.
1506 * References: td and p must be valid for the lifetime of the call
1507 */
1508 int
1509 p_cansignal(struct thread *td, struct proc *p, int signum)
1510 {
1511
1512 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1513 PROC_LOCK_ASSERT(p, MA_OWNED);
1514 if (td->td_proc == p)
1515 return (0);
1516
1517 /*
1518 * UNIX signalling semantics require that processes in the same
1519 * session always be able to deliver SIGCONT to one another,
1520 * overriding the remaining protections.
1521 */
1522 /* XXX: This will require an additional lock of some sort. */
1523 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1524 return (0);
1525
1526 return (cr_cansignal(td->td_ucred, p, signum));
1527 }
1528
1529 /*-
1530 * Determine whether td may reschedule p.
1531 * Returns: 0 for permitted, an errno value otherwise
1532 * Locks: Sufficient locks to protect various components of td and p
1533 * must be held. td must be curthread, and a lock must
1534 * be held for p.
1535 * References: td and p must be valid for the lifetime of the call
1536 */
1537 int
1538 p_cansched(struct thread *td, struct proc *p)
1539 {
1540 int error;
1541
1542 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1543 PROC_LOCK_ASSERT(p, MA_OWNED);
1544 if (td->td_proc == p)
1545 return (0);
1546 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1547 return (error);
1548 #ifdef MAC
1549 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1550 return (error);
1551 #endif
1552 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1553 return (error);
1554 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1555 return (error);
1556 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1557 return (0);
1558 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1559 return (0);
1560 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0)
1561 return (0);
1562
1563 #ifdef CAPABILITIES
1564 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT))
1565 return (0);
1566 #endif
1567
1568 return (EPERM);
1569 }
1570
1571 /*
1572 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1573 * unprivileged inter-process debugging services, including some procfs
1574 * functionality, ptrace(), and ktrace(). In the past, inter-process
1575 * debugging has been involved in a variety of security problems, and sites
1576 * not requiring the service might choose to disable it when hardening
1577 * systems.
1578 *
1579 * XXX: Should modifying and reading this variable require locking?
1580 * XXX: data declarations should be together near the beginning of the file.
1581 */
1582 static int unprivileged_proc_debug = 1;
1583 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1584 &unprivileged_proc_debug, 0,
1585 "Unprivileged processes may use process debugging facilities");
1586
1587 /*-
1588 * Determine whether td may debug p.
1589 * Returns: 0 for permitted, an errno value otherwise
1590 * Locks: Sufficient locks to protect various components of td and p
1591 * must be held. td must be curthread, and a lock must
1592 * be held for p.
1593 * References: td and p must be valid for the lifetime of the call
1594 */
1595 int
1596 p_candebug(struct thread *td, struct proc *p)
1597 {
1598 int credentialchanged, error, grpsubset, i, uidsubset;
1599
1600 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1601 PROC_LOCK_ASSERT(p, MA_OWNED);
1602 if (!unprivileged_proc_debug) {
1603 error = suser_cred(td->td_ucred, PRISON_ROOT);
1604 if (error)
1605 return (error);
1606 }
1607 if (td->td_proc == p)
1608 return (0);
1609 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1610 return (error);
1611 #ifdef MAC
1612 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1613 return (error);
1614 #endif
1615 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1616 return (error);
1617 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1618 return (error);
1619
1620 /*
1621 * Is p's group set a subset of td's effective group set? This
1622 * includes p's egid, group access list, rgid, and svgid.
1623 */
1624 grpsubset = 1;
1625 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1626 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1627 grpsubset = 0;
1628 break;
1629 }
1630 }
1631 grpsubset = grpsubset &&
1632 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1633 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1634
1635 /*
1636 * Are the uids present in p's credential equal to td's
1637 * effective uid? This includes p's euid, svuid, and ruid.
1638 */
1639 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1640 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1641 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1642
1643 /*
1644 * Has the credential of the process changed since the last exec()?
1645 */
1646 credentialchanged = (p->p_flag & P_SUGID);
1647
1648 /*
1649 * If p's gids aren't a subset, or the uids aren't a subset,
1650 * or the credential has changed, require appropriate privilege
1651 * for td to debug p. For POSIX.1e capabilities, this will
1652 * require CAP_SYS_PTRACE.
1653 */
1654 if (!grpsubset || !uidsubset || credentialchanged) {
1655 error = suser_cred(td->td_ucred, PRISON_ROOT);
1656 if (error)
1657 return (error);
1658 }
1659
1660 /* Can't trace init when securelevel > 0. */
1661 if (p == initproc) {
1662 error = securelevel_gt(td->td_ucred, 0);
1663 if (error)
1664 return (error);
1665 }
1666
1667 /*
1668 * Can't trace a process that's currently exec'ing.
1669 * XXX: Note, this is not a security policy decision, it's a
1670 * basic correctness/functionality decision. Therefore, this check
1671 * should be moved to the caller's of p_candebug().
1672 */
1673 if ((p->p_flag & P_INEXEC) != 0)
1674 return (EAGAIN);
1675
1676 return (0);
1677 }
1678
1679 /*-
1680 * Determine whether the subject represented by cred can "see" a socket.
1681 * Returns: 0 for permitted, ENOENT otherwise.
1682 */
1683 int
1684 cr_canseesocket(struct ucred *cred, struct socket *so)
1685 {
1686 int error;
1687
1688 error = prison_check(cred, so->so_cred);
1689 if (error)
1690 return (ENOENT);
1691 #ifdef MAC
1692 error = mac_check_socket_visible(cred, so);
1693 if (error)
1694 return (error);
1695 #endif
1696 if (cr_seeotheruids(cred, so->so_cred))
1697 return (ENOENT);
1698 if (cr_seeothergids(cred, so->so_cred))
1699 return (ENOENT);
1700
1701 return (0);
1702 }
1703
1704 /*
1705 * Allocate a zeroed cred structure.
1706 * MPSAFE
1707 */
1708 struct ucred *
1709 crget(void)
1710 {
1711 register struct ucred *cr;
1712
1713 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1714 cr->cr_ref = 1;
1715 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1716 #ifdef MAC
1717 mac_init_cred(cr);
1718 #endif
1719 return (cr);
1720 }
1721
1722 /*
1723 * Claim another reference to a ucred structure.
1724 * MPSAFE
1725 */
1726 struct ucred *
1727 crhold(struct ucred *cr)
1728 {
1729
1730 mtx_lock(cr->cr_mtxp);
1731 cr->cr_ref++;
1732 mtx_unlock(cr->cr_mtxp);
1733 return (cr);
1734 }
1735
1736 /*
1737 * Free a cred structure.
1738 * Throws away space when ref count gets to 0.
1739 * MPSAFE
1740 */
1741 void
1742 crfree(struct ucred *cr)
1743 {
1744 struct mtx *mtxp = cr->cr_mtxp;
1745
1746 mtx_lock(mtxp);
1747 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1748 if (--cr->cr_ref == 0) {
1749 /*
1750 * Some callers of crget(), such as nfs_statfs(),
1751 * allocate a temporary credential, but don't
1752 * allocate a uidinfo structure.
1753 */
1754 mtx_unlock(mtxp);
1755 mtx_lock(&Giant);
1756 if (cr->cr_uidinfo != NULL)
1757 uifree(cr->cr_uidinfo);
1758 if (cr->cr_ruidinfo != NULL)
1759 uifree(cr->cr_ruidinfo);
1760 /*
1761 * Free a prison, if any.
1762 */
1763 if (jailed(cr))
1764 prison_free(cr->cr_prison);
1765 #ifdef MAC
1766 mac_destroy_cred(cr);
1767 #endif
1768 FREE(cr, M_CRED);
1769 mtx_unlock(&Giant);
1770 } else {
1771 mtx_unlock(mtxp);
1772 }
1773 }
1774
1775 /*
1776 * Check to see if this ucred is shared.
1777 * MPSAFE
1778 */
1779 int
1780 crshared(struct ucred *cr)
1781 {
1782 int shared;
1783
1784 mtx_lock(cr->cr_mtxp);
1785 shared = (cr->cr_ref > 1);
1786 mtx_unlock(cr->cr_mtxp);
1787 return (shared);
1788 }
1789
1790 /*
1791 * Copy a ucred's contents from a template. Does not block.
1792 * MPSAFE
1793 */
1794 void
1795 crcopy(struct ucred *dest, struct ucred *src)
1796 {
1797
1798 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1799 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1800 (unsigned)((caddr_t)&src->cr_endcopy -
1801 (caddr_t)&src->cr_startcopy));
1802 uihold(dest->cr_uidinfo);
1803 uihold(dest->cr_ruidinfo);
1804 if (jailed(dest))
1805 prison_hold(dest->cr_prison);
1806 #ifdef MAC
1807 mac_copy_cred(src, dest);
1808 #endif
1809 }
1810
1811 /*
1812 * Dup cred struct to a new held one.
1813 * MPSAFE
1814 */
1815 struct ucred *
1816 crdup(struct ucred *cr)
1817 {
1818 struct ucred *newcr;
1819
1820 newcr = crget();
1821 crcopy(newcr, cr);
1822 return (newcr);
1823 }
1824
1825 #ifdef DIAGNOSTIC
1826 void
1827 cred_free_thread(struct thread *td)
1828 {
1829 struct ucred *cred;
1830
1831 cred = td->td_ucred;
1832 td->td_ucred = NULL;
1833 if (cred != NULL)
1834 crfree(cred);
1835 }
1836 #endif
1837
1838 /*
1839 * Fill in a struct xucred based on a struct ucred.
1840 * MPSAFE
1841 */
1842 void
1843 cru2x(struct ucred *cr, struct xucred *xcr)
1844 {
1845
1846 bzero(xcr, sizeof(*xcr));
1847 xcr->cr_version = XUCRED_VERSION;
1848 xcr->cr_uid = cr->cr_uid;
1849 xcr->cr_ngroups = cr->cr_ngroups;
1850 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1851 }
1852
1853 /*
1854 * small routine to swap a thread's current ucred for the correct one
1855 * taken from the process.
1856 * MPSAFE
1857 */
1858 void
1859 cred_update_thread(struct thread *td)
1860 {
1861 struct proc *p;
1862 struct ucred *cred;
1863
1864 p = td->td_proc;
1865 cred = td->td_ucred;
1866 PROC_LOCK(p);
1867 td->td_ucred = crhold(p->p_ucred);
1868 PROC_UNLOCK(p);
1869 if (cred != NULL)
1870 crfree(cred);
1871 }
1872
1873 /*
1874 * Get login name, if available.
1875 */
1876 #ifndef _SYS_SYSPROTO_H_
1877 struct getlogin_args {
1878 char *namebuf;
1879 u_int namelen;
1880 };
1881 #endif
1882 /*
1883 * MPSAFE
1884 */
1885 /* ARGSUSED */
1886 int
1887 getlogin(struct thread *td, struct getlogin_args *uap)
1888 {
1889 int error;
1890 char login[MAXLOGNAME];
1891 struct proc *p = td->td_proc;
1892
1893 if (uap->namelen > MAXLOGNAME)
1894 uap->namelen = MAXLOGNAME;
1895 PROC_LOCK(p);
1896 SESS_LOCK(p->p_session);
1897 bcopy(p->p_session->s_login, login, uap->namelen);
1898 SESS_UNLOCK(p->p_session);
1899 PROC_UNLOCK(p);
1900 error = copyout(login, uap->namebuf, uap->namelen);
1901 return(error);
1902 }
1903
1904 /*
1905 * Set login name.
1906 */
1907 #ifndef _SYS_SYSPROTO_H_
1908 struct setlogin_args {
1909 char *namebuf;
1910 };
1911 #endif
1912 /*
1913 * MPSAFE
1914 */
1915 /* ARGSUSED */
1916 int
1917 setlogin(struct thread *td, struct setlogin_args *uap)
1918 {
1919 struct proc *p = td->td_proc;
1920 int error;
1921 char logintmp[MAXLOGNAME];
1922
1923 error = suser_cred(td->td_ucred, PRISON_ROOT);
1924 if (error)
1925 return (error);
1926 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
1927 if (error == ENAMETOOLONG)
1928 error = EINVAL;
1929 else if (!error) {
1930 PROC_LOCK(p);
1931 SESS_LOCK(p->p_session);
1932 (void) memcpy(p->p_session->s_login, logintmp,
1933 sizeof(logintmp));
1934 SESS_UNLOCK(p->p_session);
1935 PROC_UNLOCK(p);
1936 }
1937 return (error);
1938 }
1939
1940 void
1941 setsugid(struct proc *p)
1942 {
1943
1944 PROC_LOCK_ASSERT(p, MA_OWNED);
1945 p->p_flag |= P_SUGID;
1946 if (!(p->p_pfsflags & PF_ISUGID))
1947 p->p_stops = 0;
1948 }
1949
1950 /*-
1951 * Change a process's effective uid.
1952 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1953 * References: newcred must be an exclusive credential reference for the
1954 * duration of the call.
1955 */
1956 void
1957 change_euid(struct ucred *newcred, struct uidinfo *euip)
1958 {
1959
1960 newcred->cr_uid = euip->ui_uid;
1961 uihold(euip);
1962 uifree(newcred->cr_uidinfo);
1963 newcred->cr_uidinfo = euip;
1964 }
1965
1966 /*-
1967 * Change a process's effective gid.
1968 * Side effects: newcred->cr_gid will be modified.
1969 * References: newcred must be an exclusive credential reference for the
1970 * duration of the call.
1971 */
1972 void
1973 change_egid(struct ucred *newcred, gid_t egid)
1974 {
1975
1976 newcred->cr_groups[0] = egid;
1977 }
1978
1979 /*-
1980 * Change a process's real uid.
1981 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1982 * will be updated, and the old and new cr_ruidinfo proc
1983 * counts will be updated.
1984 * References: newcred must be an exclusive credential reference for the
1985 * duration of the call.
1986 */
1987 void
1988 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
1989 {
1990
1991 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1992 newcred->cr_ruid = ruip->ui_uid;
1993 uihold(ruip);
1994 uifree(newcred->cr_ruidinfo);
1995 newcred->cr_ruidinfo = ruip;
1996 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1997 }
1998
1999 /*-
2000 * Change a process's real gid.
2001 * Side effects: newcred->cr_rgid will be updated.
2002 * References: newcred must be an exclusive credential reference for the
2003 * duration of the call.
2004 */
2005 void
2006 change_rgid(struct ucred *newcred, gid_t rgid)
2007 {
2008
2009 newcred->cr_rgid = rgid;
2010 }
2011
2012 /*-
2013 * Change a process's saved uid.
2014 * Side effects: newcred->cr_svuid will be updated.
2015 * References: newcred must be an exclusive credential reference for the
2016 * duration of the call.
2017 */
2018 void
2019 change_svuid(struct ucred *newcred, uid_t svuid)
2020 {
2021
2022 newcred->cr_svuid = svuid;
2023 }
2024
2025 /*-
2026 * Change a process's saved gid.
2027 * Side effects: newcred->cr_svgid will be updated.
2028 * References: newcred must be an exclusive credential reference for the
2029 * duration of the call.
2030 */
2031 void
2032 change_svgid(struct ucred *newcred, gid_t svgid)
2033 {
2034
2035 newcred->cr_svgid = svgid;
2036 }
Cache object: 0b3b4e3a57e61c916a388837a3834ee8
|