FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*-
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 4. Neither the name of the University nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38 /*
39 * System calls related to processes and protection
40 */
41
42 #include <sys/cdefs.h>
43 __FBSDID("$FreeBSD: src/sys/kern/kern_prot.c,v 1.187.2.3 2005/01/31 23:26:16 imp Exp $");
44
45 #include "opt_compat.h"
46 #include "opt_mac.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/acct.h>
51 #include <sys/kdb.h>
52 #include <sys/kernel.h>
53 #include <sys/lock.h>
54 #include <sys/mac.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
57 #include <sys/sx.h>
58 #include <sys/proc.h>
59 #include <sys/sysproto.h>
60 #include <sys/jail.h>
61 #include <sys/pioctl.h>
62 #include <sys/resourcevar.h>
63 #include <sys/socket.h>
64 #include <sys/socketvar.h>
65 #include <sys/sysctl.h>
66
67 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
68
69 SYSCTL_DECL(_security);
70 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
71 "BSD security policy");
72
73 #ifndef _SYS_SYSPROTO_H_
74 struct getpid_args {
75 int dummy;
76 };
77 #endif
78 /*
79 * MPSAFE
80 */
81 /* ARGSUSED */
82 int
83 getpid(struct thread *td, struct getpid_args *uap)
84 {
85 struct proc *p = td->td_proc;
86
87 td->td_retval[0] = p->p_pid;
88 #if defined(COMPAT_43)
89 PROC_LOCK(p);
90 td->td_retval[1] = p->p_pptr->p_pid;
91 PROC_UNLOCK(p);
92 #endif
93 return (0);
94 }
95
96 #ifndef _SYS_SYSPROTO_H_
97 struct getppid_args {
98 int dummy;
99 };
100 #endif
101 /*
102 * MPSAFE
103 */
104 /* ARGSUSED */
105 int
106 getppid(struct thread *td, struct getppid_args *uap)
107 {
108 struct proc *p = td->td_proc;
109
110 PROC_LOCK(p);
111 td->td_retval[0] = p->p_pptr->p_pid;
112 PROC_UNLOCK(p);
113 return (0);
114 }
115
116 /*
117 * Get process group ID; note that POSIX getpgrp takes no parameter.
118 */
119 #ifndef _SYS_SYSPROTO_H_
120 struct getpgrp_args {
121 int dummy;
122 };
123 #endif
124 /*
125 * MPSAFE
126 */
127 int
128 getpgrp(struct thread *td, struct getpgrp_args *uap)
129 {
130 struct proc *p = td->td_proc;
131
132 PROC_LOCK(p);
133 td->td_retval[0] = p->p_pgrp->pg_id;
134 PROC_UNLOCK(p);
135 return (0);
136 }
137
138 /* Get an arbitary pid's process group id */
139 #ifndef _SYS_SYSPROTO_H_
140 struct getpgid_args {
141 pid_t pid;
142 };
143 #endif
144 /*
145 * MPSAFE
146 */
147 int
148 getpgid(struct thread *td, struct getpgid_args *uap)
149 {
150 struct proc *p;
151 int error;
152
153 if (uap->pid == 0) {
154 p = td->td_proc;
155 PROC_LOCK(p);
156 } else {
157 p = pfind(uap->pid);
158 if (p == NULL)
159 return (ESRCH);
160 error = p_cansee(td, p);
161 if (error) {
162 PROC_UNLOCK(p);
163 return (error);
164 }
165 }
166 td->td_retval[0] = p->p_pgrp->pg_id;
167 PROC_UNLOCK(p);
168 return (0);
169 }
170
171 /*
172 * Get an arbitary pid's session id.
173 */
174 #ifndef _SYS_SYSPROTO_H_
175 struct getsid_args {
176 pid_t pid;
177 };
178 #endif
179 /*
180 * MPSAFE
181 */
182 int
183 getsid(struct thread *td, struct getsid_args *uap)
184 {
185 struct proc *p;
186 int error;
187
188 if (uap->pid == 0) {
189 p = td->td_proc;
190 PROC_LOCK(p);
191 } else {
192 p = pfind(uap->pid);
193 if (p == NULL)
194 return (ESRCH);
195 error = p_cansee(td, p);
196 if (error) {
197 PROC_UNLOCK(p);
198 return (error);
199 }
200 }
201 td->td_retval[0] = p->p_session->s_sid;
202 PROC_UNLOCK(p);
203 return (0);
204 }
205
206 #ifndef _SYS_SYSPROTO_H_
207 struct getuid_args {
208 int dummy;
209 };
210 #endif
211 /*
212 * MPSAFE
213 */
214 /* ARGSUSED */
215 int
216 getuid(struct thread *td, struct getuid_args *uap)
217 {
218
219 td->td_retval[0] = td->td_ucred->cr_ruid;
220 #if defined(COMPAT_43)
221 td->td_retval[1] = td->td_ucred->cr_uid;
222 #endif
223 return (0);
224 }
225
226 #ifndef _SYS_SYSPROTO_H_
227 struct geteuid_args {
228 int dummy;
229 };
230 #endif
231 /*
232 * MPSAFE
233 */
234 /* ARGSUSED */
235 int
236 geteuid(struct thread *td, struct geteuid_args *uap)
237 {
238
239 td->td_retval[0] = td->td_ucred->cr_uid;
240 return (0);
241 }
242
243 #ifndef _SYS_SYSPROTO_H_
244 struct getgid_args {
245 int dummy;
246 };
247 #endif
248 /*
249 * MPSAFE
250 */
251 /* ARGSUSED */
252 int
253 getgid(struct thread *td, struct getgid_args *uap)
254 {
255
256 td->td_retval[0] = td->td_ucred->cr_rgid;
257 #if defined(COMPAT_43)
258 td->td_retval[1] = td->td_ucred->cr_groups[0];
259 #endif
260 return (0);
261 }
262
263 /*
264 * Get effective group ID. The "egid" is groups[0], and could be obtained
265 * via getgroups. This syscall exists because it is somewhat painful to do
266 * correctly in a library function.
267 */
268 #ifndef _SYS_SYSPROTO_H_
269 struct getegid_args {
270 int dummy;
271 };
272 #endif
273 /*
274 * MPSAFE
275 */
276 /* ARGSUSED */
277 int
278 getegid(struct thread *td, struct getegid_args *uap)
279 {
280
281 td->td_retval[0] = td->td_ucred->cr_groups[0];
282 return (0);
283 }
284
285 #ifndef _SYS_SYSPROTO_H_
286 struct getgroups_args {
287 u_int gidsetsize;
288 gid_t *gidset;
289 };
290 #endif
291 /*
292 * MPSAFE
293 */
294 int
295 getgroups(struct thread *td, register struct getgroups_args *uap)
296 {
297 struct ucred *cred;
298 u_int ngrp;
299 int error;
300
301 cred = td->td_ucred;
302 if ((ngrp = uap->gidsetsize) == 0) {
303 td->td_retval[0] = cred->cr_ngroups;
304 return (0);
305 }
306 if (ngrp < cred->cr_ngroups)
307 return (EINVAL);
308 ngrp = cred->cr_ngroups;
309 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
310 if (error == 0)
311 td->td_retval[0] = ngrp;
312 return (error);
313 }
314
315 #ifndef _SYS_SYSPROTO_H_
316 struct setsid_args {
317 int dummy;
318 };
319 #endif
320 /*
321 * MPSAFE
322 */
323 /* ARGSUSED */
324 int
325 setsid(register struct thread *td, struct setsid_args *uap)
326 {
327 struct pgrp *pgrp;
328 int error;
329 struct proc *p = td->td_proc;
330 struct pgrp *newpgrp;
331 struct session *newsess;
332
333 error = 0;
334 pgrp = NULL;
335
336 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
337 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
338
339 sx_xlock(&proctree_lock);
340
341 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
342 if (pgrp != NULL)
343 PGRP_UNLOCK(pgrp);
344 error = EPERM;
345 } else {
346 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
347 td->td_retval[0] = p->p_pid;
348 newpgrp = NULL;
349 newsess = NULL;
350 }
351
352 sx_xunlock(&proctree_lock);
353
354 if (newpgrp != NULL)
355 FREE(newpgrp, M_PGRP);
356 if (newsess != NULL)
357 FREE(newsess, M_SESSION);
358
359 return (error);
360 }
361
362 /*
363 * set process group (setpgid/old setpgrp)
364 *
365 * caller does setpgid(targpid, targpgid)
366 *
367 * pid must be caller or child of caller (ESRCH)
368 * if a child
369 * pid must be in same session (EPERM)
370 * pid can't have done an exec (EACCES)
371 * if pgid != pid
372 * there must exist some pid in same session having pgid (EPERM)
373 * pid must not be session leader (EPERM)
374 */
375 #ifndef _SYS_SYSPROTO_H_
376 struct setpgid_args {
377 int pid; /* target process id */
378 int pgid; /* target pgrp id */
379 };
380 #endif
381 /*
382 * MPSAFE
383 */
384 /* ARGSUSED */
385 int
386 setpgid(struct thread *td, register struct setpgid_args *uap)
387 {
388 struct proc *curp = td->td_proc;
389 register struct proc *targp; /* target process */
390 register struct pgrp *pgrp; /* target pgrp */
391 int error;
392 struct pgrp *newpgrp;
393
394 if (uap->pgid < 0)
395 return (EINVAL);
396
397 error = 0;
398
399 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
400
401 sx_xlock(&proctree_lock);
402 if (uap->pid != 0 && uap->pid != curp->p_pid) {
403 if ((targp = pfind(uap->pid)) == NULL) {
404 error = ESRCH;
405 goto done;
406 }
407 if (!inferior(targp)) {
408 PROC_UNLOCK(targp);
409 error = ESRCH;
410 goto done;
411 }
412 if ((error = p_cansee(td, targp))) {
413 PROC_UNLOCK(targp);
414 goto done;
415 }
416 if (targp->p_pgrp == NULL ||
417 targp->p_session != curp->p_session) {
418 PROC_UNLOCK(targp);
419 error = EPERM;
420 goto done;
421 }
422 if (targp->p_flag & P_EXEC) {
423 PROC_UNLOCK(targp);
424 error = EACCES;
425 goto done;
426 }
427 PROC_UNLOCK(targp);
428 } else
429 targp = curp;
430 if (SESS_LEADER(targp)) {
431 error = EPERM;
432 goto done;
433 }
434 if (uap->pgid == 0)
435 uap->pgid = targp->p_pid;
436 if ((pgrp = pgfind(uap->pgid)) == NULL) {
437 if (uap->pgid == targp->p_pid) {
438 error = enterpgrp(targp, uap->pgid, newpgrp,
439 NULL);
440 if (error == 0)
441 newpgrp = NULL;
442 } else
443 error = EPERM;
444 } else {
445 if (pgrp == targp->p_pgrp) {
446 PGRP_UNLOCK(pgrp);
447 goto done;
448 }
449 if (pgrp->pg_id != targp->p_pid &&
450 pgrp->pg_session != curp->p_session) {
451 PGRP_UNLOCK(pgrp);
452 error = EPERM;
453 goto done;
454 }
455 PGRP_UNLOCK(pgrp);
456 error = enterthispgrp(targp, pgrp);
457 }
458 done:
459 sx_xunlock(&proctree_lock);
460 KASSERT((error == 0) || (newpgrp != NULL),
461 ("setpgid failed and newpgrp is NULL"));
462 if (newpgrp != NULL)
463 FREE(newpgrp, M_PGRP);
464 return (error);
465 }
466
467 /*
468 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
469 * compatible. It says that setting the uid/gid to euid/egid is a special
470 * case of "appropriate privilege". Once the rules are expanded out, this
471 * basically means that setuid(nnn) sets all three id's, in all permitted
472 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
473 * does not set the saved id - this is dangerous for traditional BSD
474 * programs. For this reason, we *really* do not want to set
475 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
476 */
477 #define POSIX_APPENDIX_B_4_2_2
478
479 #ifndef _SYS_SYSPROTO_H_
480 struct setuid_args {
481 uid_t uid;
482 };
483 #endif
484 /*
485 * MPSAFE
486 */
487 /* ARGSUSED */
488 int
489 setuid(struct thread *td, struct setuid_args *uap)
490 {
491 struct proc *p = td->td_proc;
492 struct ucred *newcred, *oldcred;
493 uid_t uid;
494 struct uidinfo *uip;
495 int error;
496
497 uid = uap->uid;
498 newcred = crget();
499 uip = uifind(uid);
500 PROC_LOCK(p);
501 oldcred = p->p_ucred;
502
503 /*
504 * See if we have "permission" by POSIX 1003.1 rules.
505 *
506 * Note that setuid(geteuid()) is a special case of
507 * "appropriate privileges" in appendix B.4.2.2. We need
508 * to use this clause to be compatible with traditional BSD
509 * semantics. Basically, it means that "setuid(xx)" sets all
510 * three id's (assuming you have privs).
511 *
512 * Notes on the logic. We do things in three steps.
513 * 1: We determine if the euid is going to change, and do EPERM
514 * right away. We unconditionally change the euid later if this
515 * test is satisfied, simplifying that part of the logic.
516 * 2: We determine if the real and/or saved uids are going to
517 * change. Determined by compile options.
518 * 3: Change euid last. (after tests in #2 for "appropriate privs")
519 */
520 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
521 #ifdef _POSIX_SAVED_IDS
522 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
523 #endif
524 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
525 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
526 #endif
527 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
528 PROC_UNLOCK(p);
529 uifree(uip);
530 crfree(newcred);
531 return (error);
532 }
533
534 /*
535 * Copy credentials so other references do not see our changes.
536 */
537 crcopy(newcred, oldcred);
538 #ifdef _POSIX_SAVED_IDS
539 /*
540 * Do we have "appropriate privileges" (are we root or uid == euid)
541 * If so, we are changing the real uid and/or saved uid.
542 */
543 if (
544 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
545 uid == oldcred->cr_uid ||
546 #endif
547 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
548 #endif
549 {
550 /*
551 * Set the real uid and transfer proc count to new user.
552 */
553 if (uid != oldcred->cr_ruid) {
554 change_ruid(newcred, uip);
555 setsugid(p);
556 }
557 /*
558 * Set saved uid
559 *
560 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
561 * the security of seteuid() depends on it. B.4.2.2 says it
562 * is important that we should do this.
563 */
564 if (uid != oldcred->cr_svuid) {
565 change_svuid(newcred, uid);
566 setsugid(p);
567 }
568 }
569
570 /*
571 * In all permitted cases, we are changing the euid.
572 */
573 if (uid != oldcred->cr_uid) {
574 change_euid(newcred, uip);
575 setsugid(p);
576 }
577 p->p_ucred = newcred;
578 PROC_UNLOCK(p);
579 uifree(uip);
580 crfree(oldcred);
581 return (0);
582 }
583
584 #ifndef _SYS_SYSPROTO_H_
585 struct seteuid_args {
586 uid_t euid;
587 };
588 #endif
589 /*
590 * MPSAFE
591 */
592 /* ARGSUSED */
593 int
594 seteuid(struct thread *td, struct seteuid_args *uap)
595 {
596 struct proc *p = td->td_proc;
597 struct ucred *newcred, *oldcred;
598 uid_t euid;
599 struct uidinfo *euip;
600 int error;
601
602 euid = uap->euid;
603 newcred = crget();
604 euip = uifind(euid);
605 PROC_LOCK(p);
606 oldcred = p->p_ucred;
607 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
608 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
609 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
610 PROC_UNLOCK(p);
611 uifree(euip);
612 crfree(newcred);
613 return (error);
614 }
615 /*
616 * Everything's okay, do it. Copy credentials so other references do
617 * not see our changes.
618 */
619 crcopy(newcred, oldcred);
620 if (oldcred->cr_uid != euid) {
621 change_euid(newcred, euip);
622 setsugid(p);
623 }
624 p->p_ucred = newcred;
625 PROC_UNLOCK(p);
626 uifree(euip);
627 crfree(oldcred);
628 return (0);
629 }
630
631 #ifndef _SYS_SYSPROTO_H_
632 struct setgid_args {
633 gid_t gid;
634 };
635 #endif
636 /*
637 * MPSAFE
638 */
639 /* ARGSUSED */
640 int
641 setgid(struct thread *td, struct setgid_args *uap)
642 {
643 struct proc *p = td->td_proc;
644 struct ucred *newcred, *oldcred;
645 gid_t gid;
646 int error;
647
648 gid = uap->gid;
649 newcred = crget();
650 PROC_LOCK(p);
651 oldcred = p->p_ucred;
652
653 /*
654 * See if we have "permission" by POSIX 1003.1 rules.
655 *
656 * Note that setgid(getegid()) is a special case of
657 * "appropriate privileges" in appendix B.4.2.2. We need
658 * to use this clause to be compatible with traditional BSD
659 * semantics. Basically, it means that "setgid(xx)" sets all
660 * three id's (assuming you have privs).
661 *
662 * For notes on the logic here, see setuid() above.
663 */
664 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
665 #ifdef _POSIX_SAVED_IDS
666 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
667 #endif
668 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
669 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
670 #endif
671 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
672 PROC_UNLOCK(p);
673 crfree(newcred);
674 return (error);
675 }
676
677 crcopy(newcred, oldcred);
678 #ifdef _POSIX_SAVED_IDS
679 /*
680 * Do we have "appropriate privileges" (are we root or gid == egid)
681 * If so, we are changing the real uid and saved gid.
682 */
683 if (
684 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
685 gid == oldcred->cr_groups[0] ||
686 #endif
687 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
688 #endif
689 {
690 /*
691 * Set real gid
692 */
693 if (oldcred->cr_rgid != gid) {
694 change_rgid(newcred, gid);
695 setsugid(p);
696 }
697 /*
698 * Set saved gid
699 *
700 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
701 * the security of setegid() depends on it. B.4.2.2 says it
702 * is important that we should do this.
703 */
704 if (oldcred->cr_svgid != gid) {
705 change_svgid(newcred, gid);
706 setsugid(p);
707 }
708 }
709 /*
710 * In all cases permitted cases, we are changing the egid.
711 * Copy credentials so other references do not see our changes.
712 */
713 if (oldcred->cr_groups[0] != gid) {
714 change_egid(newcred, gid);
715 setsugid(p);
716 }
717 p->p_ucred = newcred;
718 PROC_UNLOCK(p);
719 crfree(oldcred);
720 return (0);
721 }
722
723 #ifndef _SYS_SYSPROTO_H_
724 struct setegid_args {
725 gid_t egid;
726 };
727 #endif
728 /*
729 * MPSAFE
730 */
731 /* ARGSUSED */
732 int
733 setegid(struct thread *td, struct setegid_args *uap)
734 {
735 struct proc *p = td->td_proc;
736 struct ucred *newcred, *oldcred;
737 gid_t egid;
738 int error;
739
740 egid = uap->egid;
741 newcred = crget();
742 PROC_LOCK(p);
743 oldcred = p->p_ucred;
744 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
745 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
746 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
747 PROC_UNLOCK(p);
748 crfree(newcred);
749 return (error);
750 }
751 crcopy(newcred, oldcred);
752 if (oldcred->cr_groups[0] != egid) {
753 change_egid(newcred, egid);
754 setsugid(p);
755 }
756 p->p_ucred = newcred;
757 PROC_UNLOCK(p);
758 crfree(oldcred);
759 return (0);
760 }
761
762 #ifndef _SYS_SYSPROTO_H_
763 struct setgroups_args {
764 u_int gidsetsize;
765 gid_t *gidset;
766 };
767 #endif
768 /*
769 * MPSAFE
770 */
771 /* ARGSUSED */
772 int
773 setgroups(struct thread *td, struct setgroups_args *uap)
774 {
775 struct proc *p = td->td_proc;
776 struct ucred *newcred, *tempcred, *oldcred;
777 u_int ngrp;
778 int error;
779
780 ngrp = uap->gidsetsize;
781 if (ngrp > NGROUPS)
782 return (EINVAL);
783 tempcred = crget();
784 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
785 if (error != 0) {
786 crfree(tempcred);
787 return (error);
788 }
789 newcred = crget();
790 PROC_LOCK(p);
791 oldcred = p->p_ucred;
792 error = suser_cred(oldcred, SUSER_ALLOWJAIL);
793 if (error) {
794 PROC_UNLOCK(p);
795 crfree(newcred);
796 crfree(tempcred);
797 return (error);
798 }
799
800 /*
801 * XXX A little bit lazy here. We could test if anything has
802 * changed before crcopy() and setting P_SUGID.
803 */
804 crcopy(newcred, oldcred);
805 if (ngrp < 1) {
806 /*
807 * setgroups(0, NULL) is a legitimate way of clearing the
808 * groups vector on non-BSD systems (which generally do not
809 * have the egid in the groups[0]). We risk security holes
810 * when running non-BSD software if we do not do the same.
811 */
812 newcred->cr_ngroups = 1;
813 } else {
814 bcopy(tempcred->cr_groups, newcred->cr_groups,
815 ngrp * sizeof(gid_t));
816 newcred->cr_ngroups = ngrp;
817 }
818 setsugid(p);
819 p->p_ucred = newcred;
820 PROC_UNLOCK(p);
821 crfree(tempcred);
822 crfree(oldcred);
823 return (0);
824 }
825
826 #ifndef _SYS_SYSPROTO_H_
827 struct setreuid_args {
828 uid_t ruid;
829 uid_t euid;
830 };
831 #endif
832 /*
833 * MPSAFE
834 */
835 /* ARGSUSED */
836 int
837 setreuid(register struct thread *td, struct setreuid_args *uap)
838 {
839 struct proc *p = td->td_proc;
840 struct ucred *newcred, *oldcred;
841 uid_t euid, ruid;
842 struct uidinfo *euip, *ruip;
843 int error;
844
845 euid = uap->euid;
846 ruid = uap->ruid;
847 newcred = crget();
848 euip = uifind(euid);
849 ruip = uifind(ruid);
850 PROC_LOCK(p);
851 oldcred = p->p_ucred;
852 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
853 ruid != oldcred->cr_svuid) ||
854 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
855 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
856 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
857 PROC_UNLOCK(p);
858 uifree(ruip);
859 uifree(euip);
860 crfree(newcred);
861 return (error);
862 }
863 crcopy(newcred, oldcred);
864 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
865 change_euid(newcred, euip);
866 setsugid(p);
867 }
868 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
869 change_ruid(newcred, ruip);
870 setsugid(p);
871 }
872 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
873 newcred->cr_svuid != newcred->cr_uid) {
874 change_svuid(newcred, newcred->cr_uid);
875 setsugid(p);
876 }
877 p->p_ucred = newcred;
878 PROC_UNLOCK(p);
879 uifree(ruip);
880 uifree(euip);
881 crfree(oldcred);
882 return (0);
883 }
884
885 #ifndef _SYS_SYSPROTO_H_
886 struct setregid_args {
887 gid_t rgid;
888 gid_t egid;
889 };
890 #endif
891 /*
892 * MPSAFE
893 */
894 /* ARGSUSED */
895 int
896 setregid(register struct thread *td, struct setregid_args *uap)
897 {
898 struct proc *p = td->td_proc;
899 struct ucred *newcred, *oldcred;
900 gid_t egid, rgid;
901 int error;
902
903 egid = uap->egid;
904 rgid = uap->rgid;
905 newcred = crget();
906 PROC_LOCK(p);
907 oldcred = p->p_ucred;
908 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
909 rgid != oldcred->cr_svgid) ||
910 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
911 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
912 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
913 PROC_UNLOCK(p);
914 crfree(newcred);
915 return (error);
916 }
917
918 crcopy(newcred, oldcred);
919 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
920 change_egid(newcred, egid);
921 setsugid(p);
922 }
923 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
924 change_rgid(newcred, rgid);
925 setsugid(p);
926 }
927 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
928 newcred->cr_svgid != newcred->cr_groups[0]) {
929 change_svgid(newcred, newcred->cr_groups[0]);
930 setsugid(p);
931 }
932 p->p_ucred = newcred;
933 PROC_UNLOCK(p);
934 crfree(oldcred);
935 return (0);
936 }
937
938 /*
939 * setresuid(ruid, euid, suid) is like setreuid except control over the
940 * saved uid is explicit.
941 */
942
943 #ifndef _SYS_SYSPROTO_H_
944 struct setresuid_args {
945 uid_t ruid;
946 uid_t euid;
947 uid_t suid;
948 };
949 #endif
950 /*
951 * MPSAFE
952 */
953 /* ARGSUSED */
954 int
955 setresuid(register struct thread *td, struct setresuid_args *uap)
956 {
957 struct proc *p = td->td_proc;
958 struct ucred *newcred, *oldcred;
959 uid_t euid, ruid, suid;
960 struct uidinfo *euip, *ruip;
961 int error;
962
963 euid = uap->euid;
964 ruid = uap->ruid;
965 suid = uap->suid;
966 newcred = crget();
967 euip = uifind(euid);
968 ruip = uifind(ruid);
969 PROC_LOCK(p);
970 oldcred = p->p_ucred;
971 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
972 ruid != oldcred->cr_svuid &&
973 ruid != oldcred->cr_uid) ||
974 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
975 euid != oldcred->cr_svuid &&
976 euid != oldcred->cr_uid) ||
977 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
978 suid != oldcred->cr_svuid &&
979 suid != oldcred->cr_uid)) &&
980 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
981 PROC_UNLOCK(p);
982 uifree(ruip);
983 uifree(euip);
984 crfree(newcred);
985 return (error);
986 }
987
988 crcopy(newcred, oldcred);
989 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
990 change_euid(newcred, euip);
991 setsugid(p);
992 }
993 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
994 change_ruid(newcred, ruip);
995 setsugid(p);
996 }
997 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
998 change_svuid(newcred, suid);
999 setsugid(p);
1000 }
1001 p->p_ucred = newcred;
1002 PROC_UNLOCK(p);
1003 uifree(ruip);
1004 uifree(euip);
1005 crfree(oldcred);
1006 return (0);
1007 }
1008
1009 /*
1010 * setresgid(rgid, egid, sgid) is like setregid except control over the
1011 * saved gid is explicit.
1012 */
1013
1014 #ifndef _SYS_SYSPROTO_H_
1015 struct setresgid_args {
1016 gid_t rgid;
1017 gid_t egid;
1018 gid_t sgid;
1019 };
1020 #endif
1021 /*
1022 * MPSAFE
1023 */
1024 /* ARGSUSED */
1025 int
1026 setresgid(register struct thread *td, struct setresgid_args *uap)
1027 {
1028 struct proc *p = td->td_proc;
1029 struct ucred *newcred, *oldcred;
1030 gid_t egid, rgid, sgid;
1031 int error;
1032
1033 egid = uap->egid;
1034 rgid = uap->rgid;
1035 sgid = uap->sgid;
1036 newcred = crget();
1037 PROC_LOCK(p);
1038 oldcred = p->p_ucred;
1039 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1040 rgid != oldcred->cr_svgid &&
1041 rgid != oldcred->cr_groups[0]) ||
1042 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1043 egid != oldcred->cr_svgid &&
1044 egid != oldcred->cr_groups[0]) ||
1045 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1046 sgid != oldcred->cr_svgid &&
1047 sgid != oldcred->cr_groups[0])) &&
1048 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
1049 PROC_UNLOCK(p);
1050 crfree(newcred);
1051 return (error);
1052 }
1053
1054 crcopy(newcred, oldcred);
1055 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1056 change_egid(newcred, egid);
1057 setsugid(p);
1058 }
1059 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1060 change_rgid(newcred, rgid);
1061 setsugid(p);
1062 }
1063 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1064 change_svgid(newcred, sgid);
1065 setsugid(p);
1066 }
1067 p->p_ucred = newcred;
1068 PROC_UNLOCK(p);
1069 crfree(oldcred);
1070 return (0);
1071 }
1072
1073 #ifndef _SYS_SYSPROTO_H_
1074 struct getresuid_args {
1075 uid_t *ruid;
1076 uid_t *euid;
1077 uid_t *suid;
1078 };
1079 #endif
1080 /*
1081 * MPSAFE
1082 */
1083 /* ARGSUSED */
1084 int
1085 getresuid(register struct thread *td, struct getresuid_args *uap)
1086 {
1087 struct ucred *cred;
1088 int error1 = 0, error2 = 0, error3 = 0;
1089
1090 cred = td->td_ucred;
1091 if (uap->ruid)
1092 error1 = copyout(&cred->cr_ruid,
1093 uap->ruid, sizeof(cred->cr_ruid));
1094 if (uap->euid)
1095 error2 = copyout(&cred->cr_uid,
1096 uap->euid, sizeof(cred->cr_uid));
1097 if (uap->suid)
1098 error3 = copyout(&cred->cr_svuid,
1099 uap->suid, sizeof(cred->cr_svuid));
1100 return (error1 ? error1 : error2 ? error2 : error3);
1101 }
1102
1103 #ifndef _SYS_SYSPROTO_H_
1104 struct getresgid_args {
1105 gid_t *rgid;
1106 gid_t *egid;
1107 gid_t *sgid;
1108 };
1109 #endif
1110 /*
1111 * MPSAFE
1112 */
1113 /* ARGSUSED */
1114 int
1115 getresgid(register struct thread *td, struct getresgid_args *uap)
1116 {
1117 struct ucred *cred;
1118 int error1 = 0, error2 = 0, error3 = 0;
1119
1120 cred = td->td_ucred;
1121 if (uap->rgid)
1122 error1 = copyout(&cred->cr_rgid,
1123 uap->rgid, sizeof(cred->cr_rgid));
1124 if (uap->egid)
1125 error2 = copyout(&cred->cr_groups[0],
1126 uap->egid, sizeof(cred->cr_groups[0]));
1127 if (uap->sgid)
1128 error3 = copyout(&cred->cr_svgid,
1129 uap->sgid, sizeof(cred->cr_svgid));
1130 return (error1 ? error1 : error2 ? error2 : error3);
1131 }
1132
1133 #ifndef _SYS_SYSPROTO_H_
1134 struct issetugid_args {
1135 int dummy;
1136 };
1137 #endif
1138 /*
1139 * MPSAFE
1140 */
1141 /* ARGSUSED */
1142 int
1143 issetugid(register struct thread *td, struct issetugid_args *uap)
1144 {
1145 struct proc *p = td->td_proc;
1146
1147 /*
1148 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1149 * we use P_SUGID because we consider changing the owners as
1150 * "tainting" as well.
1151 * This is significant for procs that start as root and "become"
1152 * a user without an exec - programs cannot know *everything*
1153 * that libc *might* have put in their data segment.
1154 */
1155 PROC_LOCK(p);
1156 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1157 PROC_UNLOCK(p);
1158 return (0);
1159 }
1160
1161 /*
1162 * MPSAFE
1163 */
1164 int
1165 __setugid(struct thread *td, struct __setugid_args *uap)
1166 {
1167 #ifdef REGRESSION
1168 struct proc *p;
1169
1170 p = td->td_proc;
1171 switch (uap->flag) {
1172 case 0:
1173 PROC_LOCK(p);
1174 p->p_flag &= ~P_SUGID;
1175 PROC_UNLOCK(p);
1176 return (0);
1177 case 1:
1178 PROC_LOCK(p);
1179 p->p_flag |= P_SUGID;
1180 PROC_UNLOCK(p);
1181 return (0);
1182 default:
1183 return (EINVAL);
1184 }
1185 #else /* !REGRESSION */
1186
1187 return (ENOSYS);
1188 #endif /* REGRESSION */
1189 }
1190
1191 /*
1192 * Check if gid is a member of the group set.
1193 *
1194 * MPSAFE (cred must be held)
1195 */
1196 int
1197 groupmember(gid_t gid, struct ucred *cred)
1198 {
1199 register gid_t *gp;
1200 gid_t *egp;
1201
1202 egp = &(cred->cr_groups[cred->cr_ngroups]);
1203 for (gp = cred->cr_groups; gp < egp; gp++)
1204 if (*gp == gid)
1205 return (1);
1206 return (0);
1207 }
1208
1209 /*
1210 * `suser_enabled' (which can be set by the security.suser_enabled
1211 * sysctl) determines whether the system 'super-user' policy is in effect.
1212 * If it is nonzero, an effective uid of 0 connotes special privilege,
1213 * overriding many mandatory and discretionary protections. If it is zero,
1214 * uid 0 is offered no special privilege in the kernel security policy.
1215 * Setting it to zero may seriously impact the functionality of many
1216 * existing userland programs, and should not be done without careful
1217 * consideration of the consequences.
1218 */
1219 int suser_enabled = 1;
1220 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1221 &suser_enabled, 0, "processes with uid 0 have privilege");
1222 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1223
1224 /*
1225 * Test whether the specified credentials imply "super-user" privilege.
1226 * Return 0 or EPERM.
1227 */
1228 int
1229 suser_cred(struct ucred *cred, int flag)
1230 {
1231
1232 if (!suser_enabled)
1233 return (EPERM);
1234 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
1235 return (EPERM);
1236 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
1237 return (EPERM);
1238 return (0);
1239 }
1240
1241 /*
1242 * Shortcut to hide contents of struct td and struct proc from the
1243 * caller, promoting binary compatibility.
1244 */
1245 int
1246 suser(struct thread *td)
1247 {
1248
1249 #ifdef INVARIANTS
1250 if (td != curthread) {
1251 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
1252 td, td->td_proc->p_pid, td->td_proc->p_comm,
1253 curthread, curthread->td_proc->p_pid,
1254 curthread->td_proc->p_comm);
1255 #ifdef KDB
1256 kdb_backtrace();
1257 #endif
1258 }
1259 #endif
1260 return (suser_cred(td->td_ucred, 0));
1261 }
1262
1263 /*
1264 * Test the active securelevel against a given level. securelevel_gt()
1265 * implements (securelevel > level). securelevel_ge() implements
1266 * (securelevel >= level). Note that the logic is inverted -- these
1267 * functions return EPERM on "success" and 0 on "failure".
1268 *
1269 * MPSAFE
1270 */
1271 int
1272 securelevel_gt(struct ucred *cr, int level)
1273 {
1274 int active_securelevel;
1275
1276 active_securelevel = securelevel;
1277 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1278 if (cr->cr_prison != NULL)
1279 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1280 active_securelevel);
1281 return (active_securelevel > level ? EPERM : 0);
1282 }
1283
1284 int
1285 securelevel_ge(struct ucred *cr, int level)
1286 {
1287 int active_securelevel;
1288
1289 active_securelevel = securelevel;
1290 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1291 if (cr->cr_prison != NULL)
1292 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1293 active_securelevel);
1294 return (active_securelevel >= level ? EPERM : 0);
1295 }
1296
1297 /*
1298 * 'see_other_uids' determines whether or not visibility of processes
1299 * and sockets with credentials holding different real uids is possible
1300 * using a variety of system MIBs.
1301 * XXX: data declarations should be together near the beginning of the file.
1302 */
1303 static int see_other_uids = 1;
1304 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1305 &see_other_uids, 0,
1306 "Unprivileged processes may see subjects/objects with different real uid");
1307
1308 /*-
1309 * Determine if u1 "can see" the subject specified by u2, according to the
1310 * 'see_other_uids' policy.
1311 * Returns: 0 for permitted, ESRCH otherwise
1312 * Locks: none
1313 * References: *u1 and *u2 must not change during the call
1314 * u1 may equal u2, in which case only one reference is required
1315 */
1316 static int
1317 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1318 {
1319
1320 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1321 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1322 return (ESRCH);
1323 }
1324 return (0);
1325 }
1326
1327 /*
1328 * 'see_other_gids' determines whether or not visibility of processes
1329 * and sockets with credentials holding different real gids is possible
1330 * using a variety of system MIBs.
1331 * XXX: data declarations should be together near the beginning of the file.
1332 */
1333 static int see_other_gids = 1;
1334 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1335 &see_other_gids, 0,
1336 "Unprivileged processes may see subjects/objects with different real gid");
1337
1338 /*
1339 * Determine if u1 can "see" the subject specified by u2, according to the
1340 * 'see_other_gids' policy.
1341 * Returns: 0 for permitted, ESRCH otherwise
1342 * Locks: none
1343 * References: *u1 and *u2 must not change during the call
1344 * u1 may equal u2, in which case only one reference is required
1345 */
1346 static int
1347 cr_seeothergids(struct ucred *u1, struct ucred *u2)
1348 {
1349 int i, match;
1350
1351 if (!see_other_gids) {
1352 match = 0;
1353 for (i = 0; i < u1->cr_ngroups; i++) {
1354 if (groupmember(u1->cr_groups[i], u2))
1355 match = 1;
1356 if (match)
1357 break;
1358 }
1359 if (!match) {
1360 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1361 return (ESRCH);
1362 }
1363 }
1364 return (0);
1365 }
1366
1367 /*-
1368 * Determine if u1 "can see" the subject specified by u2.
1369 * Returns: 0 for permitted, an errno value otherwise
1370 * Locks: none
1371 * References: *u1 and *u2 must not change during the call
1372 * u1 may equal u2, in which case only one reference is required
1373 */
1374 int
1375 cr_cansee(struct ucred *u1, struct ucred *u2)
1376 {
1377 int error;
1378
1379 if ((error = prison_check(u1, u2)))
1380 return (error);
1381 #ifdef MAC
1382 if ((error = mac_check_cred_visible(u1, u2)))
1383 return (error);
1384 #endif
1385 if ((error = cr_seeotheruids(u1, u2)))
1386 return (error);
1387 if ((error = cr_seeothergids(u1, u2)))
1388 return (error);
1389 return (0);
1390 }
1391
1392 /*-
1393 * Determine if td "can see" the subject specified by p.
1394 * Returns: 0 for permitted, an errno value otherwise
1395 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1396 * should be curthread.
1397 * References: td and p must be valid for the lifetime of the call
1398 */
1399 int
1400 p_cansee(struct thread *td, struct proc *p)
1401 {
1402
1403 /* Wrap cr_cansee() for all functionality. */
1404 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1405 PROC_LOCK_ASSERT(p, MA_OWNED);
1406 return (cr_cansee(td->td_ucred, p->p_ucred));
1407 }
1408
1409 /*
1410 * 'conservative_signals' prevents the delivery of a broad class of
1411 * signals by unprivileged processes to processes that have changed their
1412 * credentials since the last invocation of execve(). This can prevent
1413 * the leakage of cached information or retained privileges as a result
1414 * of a common class of signal-related vulnerabilities. However, this
1415 * may interfere with some applications that expect to be able to
1416 * deliver these signals to peer processes after having given up
1417 * privilege.
1418 */
1419 static int conservative_signals = 1;
1420 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1421 &conservative_signals, 0, "Unprivileged processes prevented from "
1422 "sending certain signals to processes whose credentials have changed");
1423 /*-
1424 * Determine whether cred may deliver the specified signal to proc.
1425 * Returns: 0 for permitted, an errno value otherwise.
1426 * Locks: A lock must be held for proc.
1427 * References: cred and proc must be valid for the lifetime of the call.
1428 */
1429 int
1430 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1431 {
1432 int error;
1433
1434 PROC_LOCK_ASSERT(proc, MA_OWNED);
1435 /*
1436 * Jail semantics limit the scope of signalling to proc in the
1437 * same jail as cred, if cred is in jail.
1438 */
1439 error = prison_check(cred, proc->p_ucred);
1440 if (error)
1441 return (error);
1442 #ifdef MAC
1443 if ((error = mac_check_proc_signal(cred, proc, signum)))
1444 return (error);
1445 #endif
1446 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1447 return (error);
1448 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1449 return (error);
1450
1451 /*
1452 * UNIX signal semantics depend on the status of the P_SUGID
1453 * bit on the target process. If the bit is set, then additional
1454 * restrictions are placed on the set of available signals.
1455 */
1456 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1457 switch (signum) {
1458 case 0:
1459 case SIGKILL:
1460 case SIGINT:
1461 case SIGTERM:
1462 case SIGALRM:
1463 case SIGSTOP:
1464 case SIGTTIN:
1465 case SIGTTOU:
1466 case SIGTSTP:
1467 case SIGHUP:
1468 case SIGUSR1:
1469 case SIGUSR2:
1470 /*
1471 * Generally, permit job and terminal control
1472 * signals.
1473 */
1474 break;
1475 default:
1476 /* Not permitted without privilege. */
1477 error = suser_cred(cred, SUSER_ALLOWJAIL);
1478 if (error)
1479 return (error);
1480 }
1481 }
1482
1483 /*
1484 * Generally, the target credential's ruid or svuid must match the
1485 * subject credential's ruid or euid.
1486 */
1487 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1488 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1489 cred->cr_uid != proc->p_ucred->cr_ruid &&
1490 cred->cr_uid != proc->p_ucred->cr_svuid) {
1491 /* Not permitted without privilege. */
1492 error = suser_cred(cred, SUSER_ALLOWJAIL);
1493 if (error)
1494 return (error);
1495 }
1496
1497 return (0);
1498 }
1499
1500
1501 /*-
1502 * Determine whether td may deliver the specified signal to p.
1503 * Returns: 0 for permitted, an errno value otherwise
1504 * Locks: Sufficient locks to protect various components of td and p
1505 * must be held. td must be curthread, and a lock must be
1506 * held for p.
1507 * References: td and p must be valid for the lifetime of the call
1508 */
1509 int
1510 p_cansignal(struct thread *td, struct proc *p, int signum)
1511 {
1512
1513 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1514 PROC_LOCK_ASSERT(p, MA_OWNED);
1515 if (td->td_proc == p)
1516 return (0);
1517
1518 /*
1519 * UNIX signalling semantics require that processes in the same
1520 * session always be able to deliver SIGCONT to one another,
1521 * overriding the remaining protections.
1522 */
1523 /* XXX: This will require an additional lock of some sort. */
1524 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1525 return (0);
1526
1527 return (cr_cansignal(td->td_ucred, p, signum));
1528 }
1529
1530 /*-
1531 * Determine whether td may reschedule p.
1532 * Returns: 0 for permitted, an errno value otherwise
1533 * Locks: Sufficient locks to protect various components of td and p
1534 * must be held. td must be curthread, and a lock must
1535 * be held for p.
1536 * References: td and p must be valid for the lifetime of the call
1537 */
1538 int
1539 p_cansched(struct thread *td, struct proc *p)
1540 {
1541 int error;
1542
1543 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1544 PROC_LOCK_ASSERT(p, MA_OWNED);
1545 if (td->td_proc == p)
1546 return (0);
1547 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1548 return (error);
1549 #ifdef MAC
1550 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1551 return (error);
1552 #endif
1553 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1554 return (error);
1555 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1556 return (error);
1557 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1558 return (0);
1559 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1560 return (0);
1561 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
1562 return (0);
1563
1564 #ifdef CAPABILITIES
1565 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
1566 return (0);
1567 #endif
1568
1569 return (EPERM);
1570 }
1571
1572 /*
1573 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1574 * unprivileged inter-process debugging services, including some procfs
1575 * functionality, ptrace(), and ktrace(). In the past, inter-process
1576 * debugging has been involved in a variety of security problems, and sites
1577 * not requiring the service might choose to disable it when hardening
1578 * systems.
1579 *
1580 * XXX: Should modifying and reading this variable require locking?
1581 * XXX: data declarations should be together near the beginning of the file.
1582 */
1583 static int unprivileged_proc_debug = 1;
1584 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1585 &unprivileged_proc_debug, 0,
1586 "Unprivileged processes may use process debugging facilities");
1587
1588 /*-
1589 * Determine whether td may debug p.
1590 * Returns: 0 for permitted, an errno value otherwise
1591 * Locks: Sufficient locks to protect various components of td and p
1592 * must be held. td must be curthread, and a lock must
1593 * be held for p.
1594 * References: td and p must be valid for the lifetime of the call
1595 */
1596 int
1597 p_candebug(struct thread *td, struct proc *p)
1598 {
1599 int credentialchanged, error, grpsubset, i, uidsubset;
1600
1601 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1602 PROC_LOCK_ASSERT(p, MA_OWNED);
1603 if (!unprivileged_proc_debug) {
1604 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1605 if (error)
1606 return (error);
1607 }
1608 if (td->td_proc == p)
1609 return (0);
1610 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1611 return (error);
1612 #ifdef MAC
1613 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1614 return (error);
1615 #endif
1616 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1617 return (error);
1618 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1619 return (error);
1620
1621 /*
1622 * Is p's group set a subset of td's effective group set? This
1623 * includes p's egid, group access list, rgid, and svgid.
1624 */
1625 grpsubset = 1;
1626 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1627 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1628 grpsubset = 0;
1629 break;
1630 }
1631 }
1632 grpsubset = grpsubset &&
1633 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1634 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1635
1636 /*
1637 * Are the uids present in p's credential equal to td's
1638 * effective uid? This includes p's euid, svuid, and ruid.
1639 */
1640 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1641 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1642 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1643
1644 /*
1645 * Has the credential of the process changed since the last exec()?
1646 */
1647 credentialchanged = (p->p_flag & P_SUGID);
1648
1649 /*
1650 * If p's gids aren't a subset, or the uids aren't a subset,
1651 * or the credential has changed, require appropriate privilege
1652 * for td to debug p. For POSIX.1e capabilities, this will
1653 * require CAP_SYS_PTRACE.
1654 */
1655 if (!grpsubset || !uidsubset || credentialchanged) {
1656 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1657 if (error)
1658 return (error);
1659 }
1660
1661 /* Can't trace init when securelevel > 0. */
1662 if (p == initproc) {
1663 error = securelevel_gt(td->td_ucred, 0);
1664 if (error)
1665 return (error);
1666 }
1667
1668 /*
1669 * Can't trace a process that's currently exec'ing.
1670 * XXX: Note, this is not a security policy decision, it's a
1671 * basic correctness/functionality decision. Therefore, this check
1672 * should be moved to the caller's of p_candebug().
1673 */
1674 if ((p->p_flag & P_INEXEC) != 0)
1675 return (EAGAIN);
1676
1677 return (0);
1678 }
1679
1680 /*-
1681 * Determine whether the subject represented by cred can "see" a socket.
1682 * Returns: 0 for permitted, ENOENT otherwise.
1683 */
1684 int
1685 cr_canseesocket(struct ucred *cred, struct socket *so)
1686 {
1687 int error;
1688
1689 error = prison_check(cred, so->so_cred);
1690 if (error)
1691 return (ENOENT);
1692 #ifdef MAC
1693 SOCK_LOCK(so);
1694 error = mac_check_socket_visible(cred, so);
1695 SOCK_UNLOCK(so);
1696 if (error)
1697 return (error);
1698 #endif
1699 if (cr_seeotheruids(cred, so->so_cred))
1700 return (ENOENT);
1701 if (cr_seeothergids(cred, so->so_cred))
1702 return (ENOENT);
1703
1704 return (0);
1705 }
1706
1707 /*
1708 * Allocate a zeroed cred structure.
1709 * MPSAFE
1710 */
1711 struct ucred *
1712 crget(void)
1713 {
1714 register struct ucred *cr;
1715
1716 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1717 cr->cr_ref = 1;
1718 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1719 #ifdef MAC
1720 mac_init_cred(cr);
1721 #endif
1722 return (cr);
1723 }
1724
1725 /*
1726 * Claim another reference to a ucred structure.
1727 * MPSAFE
1728 */
1729 struct ucred *
1730 crhold(struct ucred *cr)
1731 {
1732
1733 mtx_lock(cr->cr_mtxp);
1734 cr->cr_ref++;
1735 mtx_unlock(cr->cr_mtxp);
1736 return (cr);
1737 }
1738
1739 /*
1740 * Free a cred structure.
1741 * Throws away space when ref count gets to 0.
1742 * MPSAFE
1743 */
1744 void
1745 crfree(struct ucred *cr)
1746 {
1747 struct mtx *mtxp = cr->cr_mtxp;
1748
1749 mtx_lock(mtxp);
1750 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1751 if (--cr->cr_ref == 0) {
1752 mtx_unlock(mtxp);
1753 /*
1754 * Some callers of crget(), such as nfs_statfs(),
1755 * allocate a temporary credential, but don't
1756 * allocate a uidinfo structure.
1757 */
1758 if (cr->cr_uidinfo != NULL)
1759 uifree(cr->cr_uidinfo);
1760 if (cr->cr_ruidinfo != NULL)
1761 uifree(cr->cr_ruidinfo);
1762 /*
1763 * Free a prison, if any.
1764 */
1765 if (jailed(cr))
1766 prison_free(cr->cr_prison);
1767 #ifdef MAC
1768 mac_destroy_cred(cr);
1769 #endif
1770 FREE(cr, M_CRED);
1771 } else {
1772 mtx_unlock(mtxp);
1773 }
1774 }
1775
1776 /*
1777 * Check to see if this ucred is shared.
1778 * MPSAFE
1779 */
1780 int
1781 crshared(struct ucred *cr)
1782 {
1783 int shared;
1784
1785 mtx_lock(cr->cr_mtxp);
1786 shared = (cr->cr_ref > 1);
1787 mtx_unlock(cr->cr_mtxp);
1788 return (shared);
1789 }
1790
1791 /*
1792 * Copy a ucred's contents from a template. Does not block.
1793 * MPSAFE
1794 */
1795 void
1796 crcopy(struct ucred *dest, struct ucred *src)
1797 {
1798
1799 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1800 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1801 (unsigned)((caddr_t)&src->cr_endcopy -
1802 (caddr_t)&src->cr_startcopy));
1803 uihold(dest->cr_uidinfo);
1804 uihold(dest->cr_ruidinfo);
1805 if (jailed(dest))
1806 prison_hold(dest->cr_prison);
1807 #ifdef MAC
1808 mac_copy_cred(src, dest);
1809 #endif
1810 }
1811
1812 /*
1813 * Dup cred struct to a new held one.
1814 * MPSAFE
1815 */
1816 struct ucred *
1817 crdup(struct ucred *cr)
1818 {
1819 struct ucred *newcr;
1820
1821 newcr = crget();
1822 crcopy(newcr, cr);
1823 return (newcr);
1824 }
1825
1826 /*
1827 * Fill in a struct xucred based on a struct ucred.
1828 * MPSAFE
1829 */
1830 void
1831 cru2x(struct ucred *cr, struct xucred *xcr)
1832 {
1833
1834 bzero(xcr, sizeof(*xcr));
1835 xcr->cr_version = XUCRED_VERSION;
1836 xcr->cr_uid = cr->cr_uid;
1837 xcr->cr_ngroups = cr->cr_ngroups;
1838 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1839 }
1840
1841 /*
1842 * small routine to swap a thread's current ucred for the correct one
1843 * taken from the process.
1844 * MPSAFE
1845 */
1846 void
1847 cred_update_thread(struct thread *td)
1848 {
1849 struct proc *p;
1850 struct ucred *cred;
1851
1852 p = td->td_proc;
1853 cred = td->td_ucred;
1854 PROC_LOCK(p);
1855 td->td_ucred = crhold(p->p_ucred);
1856 PROC_UNLOCK(p);
1857 if (cred != NULL)
1858 crfree(cred);
1859 }
1860
1861 /*
1862 * Get login name, if available.
1863 */
1864 #ifndef _SYS_SYSPROTO_H_
1865 struct getlogin_args {
1866 char *namebuf;
1867 u_int namelen;
1868 };
1869 #endif
1870 /*
1871 * MPSAFE
1872 */
1873 /* ARGSUSED */
1874 int
1875 getlogin(struct thread *td, struct getlogin_args *uap)
1876 {
1877 int error;
1878 char login[MAXLOGNAME];
1879 struct proc *p = td->td_proc;
1880
1881 if (uap->namelen > MAXLOGNAME)
1882 uap->namelen = MAXLOGNAME;
1883 PROC_LOCK(p);
1884 SESS_LOCK(p->p_session);
1885 bcopy(p->p_session->s_login, login, uap->namelen);
1886 SESS_UNLOCK(p->p_session);
1887 PROC_UNLOCK(p);
1888 error = copyout(login, uap->namebuf, uap->namelen);
1889 return(error);
1890 }
1891
1892 /*
1893 * Set login name.
1894 */
1895 #ifndef _SYS_SYSPROTO_H_
1896 struct setlogin_args {
1897 char *namebuf;
1898 };
1899 #endif
1900 /*
1901 * MPSAFE
1902 */
1903 /* ARGSUSED */
1904 int
1905 setlogin(struct thread *td, struct setlogin_args *uap)
1906 {
1907 struct proc *p = td->td_proc;
1908 int error;
1909 char logintmp[MAXLOGNAME];
1910
1911 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1912 if (error)
1913 return (error);
1914 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
1915 if (error == ENAMETOOLONG)
1916 error = EINVAL;
1917 else if (!error) {
1918 PROC_LOCK(p);
1919 SESS_LOCK(p->p_session);
1920 (void) memcpy(p->p_session->s_login, logintmp,
1921 sizeof(logintmp));
1922 SESS_UNLOCK(p->p_session);
1923 PROC_UNLOCK(p);
1924 }
1925 return (error);
1926 }
1927
1928 void
1929 setsugid(struct proc *p)
1930 {
1931
1932 PROC_LOCK_ASSERT(p, MA_OWNED);
1933 p->p_flag |= P_SUGID;
1934 if (!(p->p_pfsflags & PF_ISUGID))
1935 p->p_stops = 0;
1936 }
1937
1938 /*-
1939 * Change a process's effective uid.
1940 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1941 * References: newcred must be an exclusive credential reference for the
1942 * duration of the call.
1943 */
1944 void
1945 change_euid(struct ucred *newcred, struct uidinfo *euip)
1946 {
1947
1948 newcred->cr_uid = euip->ui_uid;
1949 uihold(euip);
1950 uifree(newcred->cr_uidinfo);
1951 newcred->cr_uidinfo = euip;
1952 }
1953
1954 /*-
1955 * Change a process's effective gid.
1956 * Side effects: newcred->cr_gid will be modified.
1957 * References: newcred must be an exclusive credential reference for the
1958 * duration of the call.
1959 */
1960 void
1961 change_egid(struct ucred *newcred, gid_t egid)
1962 {
1963
1964 newcred->cr_groups[0] = egid;
1965 }
1966
1967 /*-
1968 * Change a process's real uid.
1969 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1970 * will be updated, and the old and new cr_ruidinfo proc
1971 * counts will be updated.
1972 * References: newcred must be an exclusive credential reference for the
1973 * duration of the call.
1974 */
1975 void
1976 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
1977 {
1978
1979 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1980 newcred->cr_ruid = ruip->ui_uid;
1981 uihold(ruip);
1982 uifree(newcred->cr_ruidinfo);
1983 newcred->cr_ruidinfo = ruip;
1984 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1985 }
1986
1987 /*-
1988 * Change a process's real gid.
1989 * Side effects: newcred->cr_rgid will be updated.
1990 * References: newcred must be an exclusive credential reference for the
1991 * duration of the call.
1992 */
1993 void
1994 change_rgid(struct ucred *newcred, gid_t rgid)
1995 {
1996
1997 newcred->cr_rgid = rgid;
1998 }
1999
2000 /*-
2001 * Change a process's saved uid.
2002 * Side effects: newcred->cr_svuid will be updated.
2003 * References: newcred must be an exclusive credential reference for the
2004 * duration of the call.
2005 */
2006 void
2007 change_svuid(struct ucred *newcred, uid_t svuid)
2008 {
2009
2010 newcred->cr_svuid = svuid;
2011 }
2012
2013 /*-
2014 * Change a process's saved gid.
2015 * Side effects: newcred->cr_svgid will be updated.
2016 * References: newcred must be an exclusive credential reference for the
2017 * duration of the call.
2018 */
2019 void
2020 change_svgid(struct ucred *newcred, gid_t svgid)
2021 {
2022
2023 newcred->cr_svgid = svgid;
2024 }
Cache object: c52f764351e3b954bbc4fed0397ec076
|