FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*-
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 4. Neither the name of the University nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38 /*
39 * System calls related to processes and protection
40 */
41
42 #include <sys/cdefs.h>
43 __FBSDID("$FreeBSD: releng/6.0/sys/kern/kern_prot.c 145234 2005-04-18 13:36:57Z rwatson $");
44
45 #include "opt_compat.h"
46 #include "opt_mac.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/acct.h>
51 #include <sys/kdb.h>
52 #include <sys/kernel.h>
53 #include <sys/lock.h>
54 #include <sys/mac.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
57 #include <sys/sx.h>
58 #include <sys/proc.h>
59 #include <sys/sysproto.h>
60 #include <sys/jail.h>
61 #include <sys/pioctl.h>
62 #include <sys/resourcevar.h>
63 #include <sys/socket.h>
64 #include <sys/socketvar.h>
65 #include <sys/sysctl.h>
66
67 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
68
69 SYSCTL_DECL(_security);
70 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
71 "BSD security policy");
72
73 #ifndef _SYS_SYSPROTO_H_
74 struct getpid_args {
75 int dummy;
76 };
77 #endif
78 /*
79 * MPSAFE
80 */
81 /* ARGSUSED */
82 int
83 getpid(struct thread *td, struct getpid_args *uap)
84 {
85 struct proc *p = td->td_proc;
86
87 td->td_retval[0] = p->p_pid;
88 #if defined(COMPAT_43)
89 PROC_LOCK(p);
90 td->td_retval[1] = p->p_pptr->p_pid;
91 PROC_UNLOCK(p);
92 #endif
93 return (0);
94 }
95
96 #ifndef _SYS_SYSPROTO_H_
97 struct getppid_args {
98 int dummy;
99 };
100 #endif
101 /*
102 * MPSAFE
103 */
104 /* ARGSUSED */
105 int
106 getppid(struct thread *td, struct getppid_args *uap)
107 {
108 struct proc *p = td->td_proc;
109
110 PROC_LOCK(p);
111 td->td_retval[0] = p->p_pptr->p_pid;
112 PROC_UNLOCK(p);
113 return (0);
114 }
115
116 /*
117 * Get process group ID; note that POSIX getpgrp takes no parameter.
118 */
119 #ifndef _SYS_SYSPROTO_H_
120 struct getpgrp_args {
121 int dummy;
122 };
123 #endif
124 /*
125 * MPSAFE
126 */
127 int
128 getpgrp(struct thread *td, struct getpgrp_args *uap)
129 {
130 struct proc *p = td->td_proc;
131
132 PROC_LOCK(p);
133 td->td_retval[0] = p->p_pgrp->pg_id;
134 PROC_UNLOCK(p);
135 return (0);
136 }
137
138 /* Get an arbitary pid's process group id */
139 #ifndef _SYS_SYSPROTO_H_
140 struct getpgid_args {
141 pid_t pid;
142 };
143 #endif
144 /*
145 * MPSAFE
146 */
147 int
148 getpgid(struct thread *td, struct getpgid_args *uap)
149 {
150 struct proc *p;
151 int error;
152
153 if (uap->pid == 0) {
154 p = td->td_proc;
155 PROC_LOCK(p);
156 } else {
157 p = pfind(uap->pid);
158 if (p == NULL)
159 return (ESRCH);
160 error = p_cansee(td, p);
161 if (error) {
162 PROC_UNLOCK(p);
163 return (error);
164 }
165 }
166 td->td_retval[0] = p->p_pgrp->pg_id;
167 PROC_UNLOCK(p);
168 return (0);
169 }
170
171 /*
172 * Get an arbitary pid's session id.
173 */
174 #ifndef _SYS_SYSPROTO_H_
175 struct getsid_args {
176 pid_t pid;
177 };
178 #endif
179 /*
180 * MPSAFE
181 */
182 int
183 getsid(struct thread *td, struct getsid_args *uap)
184 {
185 struct proc *p;
186 int error;
187
188 if (uap->pid == 0) {
189 p = td->td_proc;
190 PROC_LOCK(p);
191 } else {
192 p = pfind(uap->pid);
193 if (p == NULL)
194 return (ESRCH);
195 error = p_cansee(td, p);
196 if (error) {
197 PROC_UNLOCK(p);
198 return (error);
199 }
200 }
201 td->td_retval[0] = p->p_session->s_sid;
202 PROC_UNLOCK(p);
203 return (0);
204 }
205
206 #ifndef _SYS_SYSPROTO_H_
207 struct getuid_args {
208 int dummy;
209 };
210 #endif
211 /*
212 * MPSAFE
213 */
214 /* ARGSUSED */
215 int
216 getuid(struct thread *td, struct getuid_args *uap)
217 {
218
219 td->td_retval[0] = td->td_ucred->cr_ruid;
220 #if defined(COMPAT_43)
221 td->td_retval[1] = td->td_ucred->cr_uid;
222 #endif
223 return (0);
224 }
225
226 #ifndef _SYS_SYSPROTO_H_
227 struct geteuid_args {
228 int dummy;
229 };
230 #endif
231 /*
232 * MPSAFE
233 */
234 /* ARGSUSED */
235 int
236 geteuid(struct thread *td, struct geteuid_args *uap)
237 {
238
239 td->td_retval[0] = td->td_ucred->cr_uid;
240 return (0);
241 }
242
243 #ifndef _SYS_SYSPROTO_H_
244 struct getgid_args {
245 int dummy;
246 };
247 #endif
248 /*
249 * MPSAFE
250 */
251 /* ARGSUSED */
252 int
253 getgid(struct thread *td, struct getgid_args *uap)
254 {
255
256 td->td_retval[0] = td->td_ucred->cr_rgid;
257 #if defined(COMPAT_43)
258 td->td_retval[1] = td->td_ucred->cr_groups[0];
259 #endif
260 return (0);
261 }
262
263 /*
264 * Get effective group ID. The "egid" is groups[0], and could be obtained
265 * via getgroups. This syscall exists because it is somewhat painful to do
266 * correctly in a library function.
267 */
268 #ifndef _SYS_SYSPROTO_H_
269 struct getegid_args {
270 int dummy;
271 };
272 #endif
273 /*
274 * MPSAFE
275 */
276 /* ARGSUSED */
277 int
278 getegid(struct thread *td, struct getegid_args *uap)
279 {
280
281 td->td_retval[0] = td->td_ucred->cr_groups[0];
282 return (0);
283 }
284
285 #ifndef _SYS_SYSPROTO_H_
286 struct getgroups_args {
287 u_int gidsetsize;
288 gid_t *gidset;
289 };
290 #endif
291 /*
292 * MPSAFE
293 */
294 int
295 getgroups(struct thread *td, register struct getgroups_args *uap)
296 {
297 struct ucred *cred;
298 u_int ngrp;
299 int error;
300
301 cred = td->td_ucred;
302 if ((ngrp = uap->gidsetsize) == 0) {
303 td->td_retval[0] = cred->cr_ngroups;
304 return (0);
305 }
306 if (ngrp < cred->cr_ngroups)
307 return (EINVAL);
308 ngrp = cred->cr_ngroups;
309 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
310 if (error == 0)
311 td->td_retval[0] = ngrp;
312 return (error);
313 }
314
315 #ifndef _SYS_SYSPROTO_H_
316 struct setsid_args {
317 int dummy;
318 };
319 #endif
320 /*
321 * MPSAFE
322 */
323 /* ARGSUSED */
324 int
325 setsid(register struct thread *td, struct setsid_args *uap)
326 {
327 struct pgrp *pgrp;
328 int error;
329 struct proc *p = td->td_proc;
330 struct pgrp *newpgrp;
331 struct session *newsess;
332
333 error = 0;
334 pgrp = NULL;
335
336 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
337 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
338
339 sx_xlock(&proctree_lock);
340
341 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
342 if (pgrp != NULL)
343 PGRP_UNLOCK(pgrp);
344 error = EPERM;
345 } else {
346 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
347 td->td_retval[0] = p->p_pid;
348 newpgrp = NULL;
349 newsess = NULL;
350 }
351
352 sx_xunlock(&proctree_lock);
353
354 if (newpgrp != NULL)
355 FREE(newpgrp, M_PGRP);
356 if (newsess != NULL)
357 FREE(newsess, M_SESSION);
358
359 return (error);
360 }
361
362 /*
363 * set process group (setpgid/old setpgrp)
364 *
365 * caller does setpgid(targpid, targpgid)
366 *
367 * pid must be caller or child of caller (ESRCH)
368 * if a child
369 * pid must be in same session (EPERM)
370 * pid can't have done an exec (EACCES)
371 * if pgid != pid
372 * there must exist some pid in same session having pgid (EPERM)
373 * pid must not be session leader (EPERM)
374 */
375 #ifndef _SYS_SYSPROTO_H_
376 struct setpgid_args {
377 int pid; /* target process id */
378 int pgid; /* target pgrp id */
379 };
380 #endif
381 /*
382 * MPSAFE
383 */
384 /* ARGSUSED */
385 int
386 setpgid(struct thread *td, register struct setpgid_args *uap)
387 {
388 struct proc *curp = td->td_proc;
389 register struct proc *targp; /* target process */
390 register struct pgrp *pgrp; /* target pgrp */
391 int error;
392 struct pgrp *newpgrp;
393
394 if (uap->pgid < 0)
395 return (EINVAL);
396
397 error = 0;
398
399 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
400
401 sx_xlock(&proctree_lock);
402 if (uap->pid != 0 && uap->pid != curp->p_pid) {
403 if ((targp = pfind(uap->pid)) == NULL) {
404 error = ESRCH;
405 goto done;
406 }
407 if (!inferior(targp)) {
408 PROC_UNLOCK(targp);
409 error = ESRCH;
410 goto done;
411 }
412 if ((error = p_cansee(td, targp))) {
413 PROC_UNLOCK(targp);
414 goto done;
415 }
416 if (targp->p_pgrp == NULL ||
417 targp->p_session != curp->p_session) {
418 PROC_UNLOCK(targp);
419 error = EPERM;
420 goto done;
421 }
422 if (targp->p_flag & P_EXEC) {
423 PROC_UNLOCK(targp);
424 error = EACCES;
425 goto done;
426 }
427 PROC_UNLOCK(targp);
428 } else
429 targp = curp;
430 if (SESS_LEADER(targp)) {
431 error = EPERM;
432 goto done;
433 }
434 if (uap->pgid == 0)
435 uap->pgid = targp->p_pid;
436 if ((pgrp = pgfind(uap->pgid)) == NULL) {
437 if (uap->pgid == targp->p_pid) {
438 error = enterpgrp(targp, uap->pgid, newpgrp,
439 NULL);
440 if (error == 0)
441 newpgrp = NULL;
442 } else
443 error = EPERM;
444 } else {
445 if (pgrp == targp->p_pgrp) {
446 PGRP_UNLOCK(pgrp);
447 goto done;
448 }
449 if (pgrp->pg_id != targp->p_pid &&
450 pgrp->pg_session != curp->p_session) {
451 PGRP_UNLOCK(pgrp);
452 error = EPERM;
453 goto done;
454 }
455 PGRP_UNLOCK(pgrp);
456 error = enterthispgrp(targp, pgrp);
457 }
458 done:
459 sx_xunlock(&proctree_lock);
460 KASSERT((error == 0) || (newpgrp != NULL),
461 ("setpgid failed and newpgrp is NULL"));
462 if (newpgrp != NULL)
463 FREE(newpgrp, M_PGRP);
464 return (error);
465 }
466
467 /*
468 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
469 * compatible. It says that setting the uid/gid to euid/egid is a special
470 * case of "appropriate privilege". Once the rules are expanded out, this
471 * basically means that setuid(nnn) sets all three id's, in all permitted
472 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
473 * does not set the saved id - this is dangerous for traditional BSD
474 * programs. For this reason, we *really* do not want to set
475 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
476 */
477 #define POSIX_APPENDIX_B_4_2_2
478
479 #ifndef _SYS_SYSPROTO_H_
480 struct setuid_args {
481 uid_t uid;
482 };
483 #endif
484 /*
485 * MPSAFE
486 */
487 /* ARGSUSED */
488 int
489 setuid(struct thread *td, struct setuid_args *uap)
490 {
491 struct proc *p = td->td_proc;
492 struct ucred *newcred, *oldcred;
493 uid_t uid;
494 struct uidinfo *uip;
495 int error;
496
497 uid = uap->uid;
498 newcred = crget();
499 uip = uifind(uid);
500 PROC_LOCK(p);
501 oldcred = p->p_ucred;
502
503 #ifdef MAC
504 error = mac_check_proc_setuid(p, oldcred, uid);
505 if (error)
506 goto fail;
507 #endif
508
509 /*
510 * See if we have "permission" by POSIX 1003.1 rules.
511 *
512 * Note that setuid(geteuid()) is a special case of
513 * "appropriate privileges" in appendix B.4.2.2. We need
514 * to use this clause to be compatible with traditional BSD
515 * semantics. Basically, it means that "setuid(xx)" sets all
516 * three id's (assuming you have privs).
517 *
518 * Notes on the logic. We do things in three steps.
519 * 1: We determine if the euid is going to change, and do EPERM
520 * right away. We unconditionally change the euid later if this
521 * test is satisfied, simplifying that part of the logic.
522 * 2: We determine if the real and/or saved uids are going to
523 * change. Determined by compile options.
524 * 3: Change euid last. (after tests in #2 for "appropriate privs")
525 */
526 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
527 #ifdef _POSIX_SAVED_IDS
528 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
529 #endif
530 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
531 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
532 #endif
533 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
534 goto fail;
535
536 /*
537 * Copy credentials so other references do not see our changes.
538 */
539 crcopy(newcred, oldcred);
540 #ifdef _POSIX_SAVED_IDS
541 /*
542 * Do we have "appropriate privileges" (are we root or uid == euid)
543 * If so, we are changing the real uid and/or saved uid.
544 */
545 if (
546 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
547 uid == oldcred->cr_uid ||
548 #endif
549 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
550 #endif
551 {
552 /*
553 * Set the real uid and transfer proc count to new user.
554 */
555 if (uid != oldcred->cr_ruid) {
556 change_ruid(newcred, uip);
557 setsugid(p);
558 }
559 /*
560 * Set saved uid
561 *
562 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
563 * the security of seteuid() depends on it. B.4.2.2 says it
564 * is important that we should do this.
565 */
566 if (uid != oldcred->cr_svuid) {
567 change_svuid(newcred, uid);
568 setsugid(p);
569 }
570 }
571
572 /*
573 * In all permitted cases, we are changing the euid.
574 */
575 if (uid != oldcred->cr_uid) {
576 change_euid(newcred, uip);
577 setsugid(p);
578 }
579 p->p_ucred = newcred;
580 PROC_UNLOCK(p);
581 uifree(uip);
582 crfree(oldcred);
583 return (0);
584
585 fail:
586 PROC_UNLOCK(p);
587 uifree(uip);
588 crfree(newcred);
589 return (error);
590 }
591
592 #ifndef _SYS_SYSPROTO_H_
593 struct seteuid_args {
594 uid_t euid;
595 };
596 #endif
597 /*
598 * MPSAFE
599 */
600 /* ARGSUSED */
601 int
602 seteuid(struct thread *td, struct seteuid_args *uap)
603 {
604 struct proc *p = td->td_proc;
605 struct ucred *newcred, *oldcred;
606 uid_t euid;
607 struct uidinfo *euip;
608 int error;
609
610 euid = uap->euid;
611 newcred = crget();
612 euip = uifind(euid);
613 PROC_LOCK(p);
614 oldcred = p->p_ucred;
615
616 #ifdef MAC
617 error = mac_check_proc_seteuid(p, oldcred, euid);
618 if (error)
619 goto fail;
620 #endif
621
622 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
623 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
624 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
625 goto fail;
626
627 /*
628 * Everything's okay, do it. Copy credentials so other references do
629 * not see our changes.
630 */
631 crcopy(newcred, oldcred);
632 if (oldcred->cr_uid != euid) {
633 change_euid(newcred, euip);
634 setsugid(p);
635 }
636 p->p_ucred = newcred;
637 PROC_UNLOCK(p);
638 uifree(euip);
639 crfree(oldcred);
640 return (0);
641
642 fail:
643 PROC_UNLOCK(p);
644 uifree(euip);
645 crfree(newcred);
646 return (error);
647 }
648
649 #ifndef _SYS_SYSPROTO_H_
650 struct setgid_args {
651 gid_t gid;
652 };
653 #endif
654 /*
655 * MPSAFE
656 */
657 /* ARGSUSED */
658 int
659 setgid(struct thread *td, struct setgid_args *uap)
660 {
661 struct proc *p = td->td_proc;
662 struct ucred *newcred, *oldcred;
663 gid_t gid;
664 int error;
665
666 gid = uap->gid;
667 newcred = crget();
668 PROC_LOCK(p);
669 oldcred = p->p_ucred;
670
671 #ifdef MAC
672 error = mac_check_proc_setgid(p, oldcred, gid);
673 if (error)
674 goto fail;
675 #endif
676
677 /*
678 * See if we have "permission" by POSIX 1003.1 rules.
679 *
680 * Note that setgid(getegid()) is a special case of
681 * "appropriate privileges" in appendix B.4.2.2. We need
682 * to use this clause to be compatible with traditional BSD
683 * semantics. Basically, it means that "setgid(xx)" sets all
684 * three id's (assuming you have privs).
685 *
686 * For notes on the logic here, see setuid() above.
687 */
688 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
689 #ifdef _POSIX_SAVED_IDS
690 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
691 #endif
692 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
693 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
694 #endif
695 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
696 goto fail;
697
698 crcopy(newcred, oldcred);
699 #ifdef _POSIX_SAVED_IDS
700 /*
701 * Do we have "appropriate privileges" (are we root or gid == egid)
702 * If so, we are changing the real uid and saved gid.
703 */
704 if (
705 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
706 gid == oldcred->cr_groups[0] ||
707 #endif
708 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
709 #endif
710 {
711 /*
712 * Set real gid
713 */
714 if (oldcred->cr_rgid != gid) {
715 change_rgid(newcred, gid);
716 setsugid(p);
717 }
718 /*
719 * Set saved gid
720 *
721 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
722 * the security of setegid() depends on it. B.4.2.2 says it
723 * is important that we should do this.
724 */
725 if (oldcred->cr_svgid != gid) {
726 change_svgid(newcred, gid);
727 setsugid(p);
728 }
729 }
730 /*
731 * In all cases permitted cases, we are changing the egid.
732 * Copy credentials so other references do not see our changes.
733 */
734 if (oldcred->cr_groups[0] != gid) {
735 change_egid(newcred, gid);
736 setsugid(p);
737 }
738 p->p_ucred = newcred;
739 PROC_UNLOCK(p);
740 crfree(oldcred);
741 return (0);
742
743 fail:
744 PROC_UNLOCK(p);
745 crfree(newcred);
746 return (error);
747 }
748
749 #ifndef _SYS_SYSPROTO_H_
750 struct setegid_args {
751 gid_t egid;
752 };
753 #endif
754 /*
755 * MPSAFE
756 */
757 /* ARGSUSED */
758 int
759 setegid(struct thread *td, struct setegid_args *uap)
760 {
761 struct proc *p = td->td_proc;
762 struct ucred *newcred, *oldcred;
763 gid_t egid;
764 int error;
765
766 egid = uap->egid;
767 newcred = crget();
768 PROC_LOCK(p);
769 oldcred = p->p_ucred;
770
771 #ifdef MAC
772 error = mac_check_proc_setegid(p, oldcred, egid);
773 if (error)
774 goto fail;
775 #endif
776
777 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
778 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
779 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
780 goto fail;
781
782 crcopy(newcred, oldcred);
783 if (oldcred->cr_groups[0] != egid) {
784 change_egid(newcred, egid);
785 setsugid(p);
786 }
787 p->p_ucred = newcred;
788 PROC_UNLOCK(p);
789 crfree(oldcred);
790 return (0);
791
792 fail:
793 PROC_UNLOCK(p);
794 crfree(newcred);
795 return (error);
796 }
797
798 #ifndef _SYS_SYSPROTO_H_
799 struct setgroups_args {
800 u_int gidsetsize;
801 gid_t *gidset;
802 };
803 #endif
804 /*
805 * MPSAFE
806 */
807 /* ARGSUSED */
808 int
809 setgroups(struct thread *td, struct setgroups_args *uap)
810 {
811 struct proc *p = td->td_proc;
812 struct ucred *newcred, *tempcred, *oldcred;
813 u_int ngrp;
814 int error;
815
816 ngrp = uap->gidsetsize;
817 if (ngrp > NGROUPS)
818 return (EINVAL);
819 tempcred = crget();
820 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
821 if (error != 0) {
822 crfree(tempcred);
823 return (error);
824 }
825 newcred = crget();
826 PROC_LOCK(p);
827 oldcred = p->p_ucred;
828
829 #ifdef MAC
830 error = mac_check_proc_setgroups(p, oldcred, ngrp,
831 tempcred->cr_groups);
832 if (error)
833 goto fail;
834 #endif
835
836 error = suser_cred(oldcred, SUSER_ALLOWJAIL);
837 if (error)
838 goto fail;
839
840 /*
841 * XXX A little bit lazy here. We could test if anything has
842 * changed before crcopy() and setting P_SUGID.
843 */
844 crcopy(newcred, oldcred);
845 if (ngrp < 1) {
846 /*
847 * setgroups(0, NULL) is a legitimate way of clearing the
848 * groups vector on non-BSD systems (which generally do not
849 * have the egid in the groups[0]). We risk security holes
850 * when running non-BSD software if we do not do the same.
851 */
852 newcred->cr_ngroups = 1;
853 } else {
854 bcopy(tempcred->cr_groups, newcred->cr_groups,
855 ngrp * sizeof(gid_t));
856 newcred->cr_ngroups = ngrp;
857 }
858 setsugid(p);
859 p->p_ucred = newcred;
860 PROC_UNLOCK(p);
861 crfree(tempcred);
862 crfree(oldcred);
863 return (0);
864
865 fail:
866 PROC_UNLOCK(p);
867 crfree(newcred);
868 crfree(tempcred);
869 return (error);
870 }
871
872 #ifndef _SYS_SYSPROTO_H_
873 struct setreuid_args {
874 uid_t ruid;
875 uid_t euid;
876 };
877 #endif
878 /*
879 * MPSAFE
880 */
881 /* ARGSUSED */
882 int
883 setreuid(register struct thread *td, struct setreuid_args *uap)
884 {
885 struct proc *p = td->td_proc;
886 struct ucred *newcred, *oldcred;
887 uid_t euid, ruid;
888 struct uidinfo *euip, *ruip;
889 int error;
890
891 euid = uap->euid;
892 ruid = uap->ruid;
893 newcred = crget();
894 euip = uifind(euid);
895 ruip = uifind(ruid);
896 PROC_LOCK(p);
897 oldcred = p->p_ucred;
898
899 #ifdef MAC
900 error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
901 if (error)
902 goto fail;
903 #endif
904
905 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
906 ruid != oldcred->cr_svuid) ||
907 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
908 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
909 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
910 goto fail;
911
912 crcopy(newcred, oldcred);
913 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
914 change_euid(newcred, euip);
915 setsugid(p);
916 }
917 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
918 change_ruid(newcred, ruip);
919 setsugid(p);
920 }
921 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
922 newcred->cr_svuid != newcred->cr_uid) {
923 change_svuid(newcred, newcred->cr_uid);
924 setsugid(p);
925 }
926 p->p_ucred = newcred;
927 PROC_UNLOCK(p);
928 uifree(ruip);
929 uifree(euip);
930 crfree(oldcred);
931 return (0);
932
933 fail:
934 PROC_UNLOCK(p);
935 uifree(ruip);
936 uifree(euip);
937 crfree(newcred);
938 return (error);
939 }
940
941 #ifndef _SYS_SYSPROTO_H_
942 struct setregid_args {
943 gid_t rgid;
944 gid_t egid;
945 };
946 #endif
947 /*
948 * MPSAFE
949 */
950 /* ARGSUSED */
951 int
952 setregid(register struct thread *td, struct setregid_args *uap)
953 {
954 struct proc *p = td->td_proc;
955 struct ucred *newcred, *oldcred;
956 gid_t egid, rgid;
957 int error;
958
959 egid = uap->egid;
960 rgid = uap->rgid;
961 newcred = crget();
962 PROC_LOCK(p);
963 oldcred = p->p_ucred;
964
965 #ifdef MAC
966 error = mac_check_proc_setregid(p, oldcred, rgid, egid);
967 if (error)
968 goto fail;
969 #endif
970
971 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
972 rgid != oldcred->cr_svgid) ||
973 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
974 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
975 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
976 goto fail;
977
978 crcopy(newcred, oldcred);
979 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
980 change_egid(newcred, egid);
981 setsugid(p);
982 }
983 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
984 change_rgid(newcred, rgid);
985 setsugid(p);
986 }
987 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
988 newcred->cr_svgid != newcred->cr_groups[0]) {
989 change_svgid(newcred, newcred->cr_groups[0]);
990 setsugid(p);
991 }
992 p->p_ucred = newcred;
993 PROC_UNLOCK(p);
994 crfree(oldcred);
995 return (0);
996
997 fail:
998 PROC_UNLOCK(p);
999 crfree(newcred);
1000 return (error);
1001 }
1002
1003 /*
1004 * setresuid(ruid, euid, suid) is like setreuid except control over the
1005 * saved uid is explicit.
1006 */
1007
1008 #ifndef _SYS_SYSPROTO_H_
1009 struct setresuid_args {
1010 uid_t ruid;
1011 uid_t euid;
1012 uid_t suid;
1013 };
1014 #endif
1015 /*
1016 * MPSAFE
1017 */
1018 /* ARGSUSED */
1019 int
1020 setresuid(register struct thread *td, struct setresuid_args *uap)
1021 {
1022 struct proc *p = td->td_proc;
1023 struct ucred *newcred, *oldcred;
1024 uid_t euid, ruid, suid;
1025 struct uidinfo *euip, *ruip;
1026 int error;
1027
1028 euid = uap->euid;
1029 ruid = uap->ruid;
1030 suid = uap->suid;
1031 newcred = crget();
1032 euip = uifind(euid);
1033 ruip = uifind(ruid);
1034 PROC_LOCK(p);
1035 oldcred = p->p_ucred;
1036
1037 #ifdef MAC
1038 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
1039 if (error)
1040 goto fail;
1041 #endif
1042
1043 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1044 ruid != oldcred->cr_svuid &&
1045 ruid != oldcred->cr_uid) ||
1046 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1047 euid != oldcred->cr_svuid &&
1048 euid != oldcred->cr_uid) ||
1049 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1050 suid != oldcred->cr_svuid &&
1051 suid != oldcred->cr_uid)) &&
1052 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1053 goto fail;
1054
1055 crcopy(newcred, oldcred);
1056 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1057 change_euid(newcred, euip);
1058 setsugid(p);
1059 }
1060 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1061 change_ruid(newcred, ruip);
1062 setsugid(p);
1063 }
1064 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1065 change_svuid(newcred, suid);
1066 setsugid(p);
1067 }
1068 p->p_ucred = newcred;
1069 PROC_UNLOCK(p);
1070 uifree(ruip);
1071 uifree(euip);
1072 crfree(oldcred);
1073 return (0);
1074
1075 fail:
1076 PROC_UNLOCK(p);
1077 uifree(ruip);
1078 uifree(euip);
1079 crfree(newcred);
1080 return (error);
1081
1082 }
1083
1084 /*
1085 * setresgid(rgid, egid, sgid) is like setregid except control over the
1086 * saved gid is explicit.
1087 */
1088
1089 #ifndef _SYS_SYSPROTO_H_
1090 struct setresgid_args {
1091 gid_t rgid;
1092 gid_t egid;
1093 gid_t sgid;
1094 };
1095 #endif
1096 /*
1097 * MPSAFE
1098 */
1099 /* ARGSUSED */
1100 int
1101 setresgid(register struct thread *td, struct setresgid_args *uap)
1102 {
1103 struct proc *p = td->td_proc;
1104 struct ucred *newcred, *oldcred;
1105 gid_t egid, rgid, sgid;
1106 int error;
1107
1108 egid = uap->egid;
1109 rgid = uap->rgid;
1110 sgid = uap->sgid;
1111 newcred = crget();
1112 PROC_LOCK(p);
1113 oldcred = p->p_ucred;
1114
1115 #ifdef MAC
1116 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
1117 if (error)
1118 goto fail;
1119 #endif
1120
1121 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1122 rgid != oldcred->cr_svgid &&
1123 rgid != oldcred->cr_groups[0]) ||
1124 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1125 egid != oldcred->cr_svgid &&
1126 egid != oldcred->cr_groups[0]) ||
1127 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1128 sgid != oldcred->cr_svgid &&
1129 sgid != oldcred->cr_groups[0])) &&
1130 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1131 goto fail;
1132
1133 crcopy(newcred, oldcred);
1134 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1135 change_egid(newcred, egid);
1136 setsugid(p);
1137 }
1138 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1139 change_rgid(newcred, rgid);
1140 setsugid(p);
1141 }
1142 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1143 change_svgid(newcred, sgid);
1144 setsugid(p);
1145 }
1146 p->p_ucred = newcred;
1147 PROC_UNLOCK(p);
1148 crfree(oldcred);
1149 return (0);
1150
1151 fail:
1152 PROC_UNLOCK(p);
1153 crfree(newcred);
1154 return (error);
1155 }
1156
1157 #ifndef _SYS_SYSPROTO_H_
1158 struct getresuid_args {
1159 uid_t *ruid;
1160 uid_t *euid;
1161 uid_t *suid;
1162 };
1163 #endif
1164 /*
1165 * MPSAFE
1166 */
1167 /* ARGSUSED */
1168 int
1169 getresuid(register struct thread *td, struct getresuid_args *uap)
1170 {
1171 struct ucred *cred;
1172 int error1 = 0, error2 = 0, error3 = 0;
1173
1174 cred = td->td_ucred;
1175 if (uap->ruid)
1176 error1 = copyout(&cred->cr_ruid,
1177 uap->ruid, sizeof(cred->cr_ruid));
1178 if (uap->euid)
1179 error2 = copyout(&cred->cr_uid,
1180 uap->euid, sizeof(cred->cr_uid));
1181 if (uap->suid)
1182 error3 = copyout(&cred->cr_svuid,
1183 uap->suid, sizeof(cred->cr_svuid));
1184 return (error1 ? error1 : error2 ? error2 : error3);
1185 }
1186
1187 #ifndef _SYS_SYSPROTO_H_
1188 struct getresgid_args {
1189 gid_t *rgid;
1190 gid_t *egid;
1191 gid_t *sgid;
1192 };
1193 #endif
1194 /*
1195 * MPSAFE
1196 */
1197 /* ARGSUSED */
1198 int
1199 getresgid(register struct thread *td, struct getresgid_args *uap)
1200 {
1201 struct ucred *cred;
1202 int error1 = 0, error2 = 0, error3 = 0;
1203
1204 cred = td->td_ucred;
1205 if (uap->rgid)
1206 error1 = copyout(&cred->cr_rgid,
1207 uap->rgid, sizeof(cred->cr_rgid));
1208 if (uap->egid)
1209 error2 = copyout(&cred->cr_groups[0],
1210 uap->egid, sizeof(cred->cr_groups[0]));
1211 if (uap->sgid)
1212 error3 = copyout(&cred->cr_svgid,
1213 uap->sgid, sizeof(cred->cr_svgid));
1214 return (error1 ? error1 : error2 ? error2 : error3);
1215 }
1216
1217 #ifndef _SYS_SYSPROTO_H_
1218 struct issetugid_args {
1219 int dummy;
1220 };
1221 #endif
1222 /*
1223 * MPSAFE
1224 */
1225 /* ARGSUSED */
1226 int
1227 issetugid(register struct thread *td, struct issetugid_args *uap)
1228 {
1229 struct proc *p = td->td_proc;
1230
1231 /*
1232 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1233 * we use P_SUGID because we consider changing the owners as
1234 * "tainting" as well.
1235 * This is significant for procs that start as root and "become"
1236 * a user without an exec - programs cannot know *everything*
1237 * that libc *might* have put in their data segment.
1238 */
1239 PROC_LOCK(p);
1240 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1241 PROC_UNLOCK(p);
1242 return (0);
1243 }
1244
1245 /*
1246 * MPSAFE
1247 */
1248 int
1249 __setugid(struct thread *td, struct __setugid_args *uap)
1250 {
1251 #ifdef REGRESSION
1252 struct proc *p;
1253
1254 p = td->td_proc;
1255 switch (uap->flag) {
1256 case 0:
1257 PROC_LOCK(p);
1258 p->p_flag &= ~P_SUGID;
1259 PROC_UNLOCK(p);
1260 return (0);
1261 case 1:
1262 PROC_LOCK(p);
1263 p->p_flag |= P_SUGID;
1264 PROC_UNLOCK(p);
1265 return (0);
1266 default:
1267 return (EINVAL);
1268 }
1269 #else /* !REGRESSION */
1270
1271 return (ENOSYS);
1272 #endif /* REGRESSION */
1273 }
1274
1275 /*
1276 * Check if gid is a member of the group set.
1277 *
1278 * MPSAFE (cred must be held)
1279 */
1280 int
1281 groupmember(gid_t gid, struct ucred *cred)
1282 {
1283 register gid_t *gp;
1284 gid_t *egp;
1285
1286 egp = &(cred->cr_groups[cred->cr_ngroups]);
1287 for (gp = cred->cr_groups; gp < egp; gp++)
1288 if (*gp == gid)
1289 return (1);
1290 return (0);
1291 }
1292
1293 /*
1294 * `suser_enabled' (which can be set by the security.suser_enabled
1295 * sysctl) determines whether the system 'super-user' policy is in effect.
1296 * If it is nonzero, an effective uid of 0 connotes special privilege,
1297 * overriding many mandatory and discretionary protections. If it is zero,
1298 * uid 0 is offered no special privilege in the kernel security policy.
1299 * Setting it to zero may seriously impact the functionality of many
1300 * existing userland programs, and should not be done without careful
1301 * consideration of the consequences.
1302 */
1303 int suser_enabled = 1;
1304 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1305 &suser_enabled, 0, "processes with uid 0 have privilege");
1306 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1307
1308 /*
1309 * Test whether the specified credentials imply "super-user" privilege.
1310 * Return 0 or EPERM.
1311 */
1312 int
1313 suser_cred(struct ucred *cred, int flag)
1314 {
1315
1316 if (!suser_enabled)
1317 return (EPERM);
1318 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
1319 return (EPERM);
1320 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
1321 return (EPERM);
1322 return (0);
1323 }
1324
1325 /*
1326 * Shortcut to hide contents of struct td and struct proc from the
1327 * caller, promoting binary compatibility.
1328 */
1329 int
1330 suser(struct thread *td)
1331 {
1332
1333 #ifdef INVARIANTS
1334 if (td != curthread) {
1335 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
1336 td, td->td_proc->p_pid, td->td_proc->p_comm,
1337 curthread, curthread->td_proc->p_pid,
1338 curthread->td_proc->p_comm);
1339 #ifdef KDB
1340 kdb_backtrace();
1341 #endif
1342 }
1343 #endif
1344 return (suser_cred(td->td_ucred, 0));
1345 }
1346
1347 /*
1348 * Test the active securelevel against a given level. securelevel_gt()
1349 * implements (securelevel > level). securelevel_ge() implements
1350 * (securelevel >= level). Note that the logic is inverted -- these
1351 * functions return EPERM on "success" and 0 on "failure".
1352 *
1353 * MPSAFE
1354 */
1355 int
1356 securelevel_gt(struct ucred *cr, int level)
1357 {
1358 int active_securelevel;
1359
1360 active_securelevel = securelevel;
1361 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1362 if (cr->cr_prison != NULL)
1363 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1364 active_securelevel);
1365 return (active_securelevel > level ? EPERM : 0);
1366 }
1367
1368 int
1369 securelevel_ge(struct ucred *cr, int level)
1370 {
1371 int active_securelevel;
1372
1373 active_securelevel = securelevel;
1374 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1375 if (cr->cr_prison != NULL)
1376 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1377 active_securelevel);
1378 return (active_securelevel >= level ? EPERM : 0);
1379 }
1380
1381 /*
1382 * 'see_other_uids' determines whether or not visibility of processes
1383 * and sockets with credentials holding different real uids is possible
1384 * using a variety of system MIBs.
1385 * XXX: data declarations should be together near the beginning of the file.
1386 */
1387 static int see_other_uids = 1;
1388 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1389 &see_other_uids, 0,
1390 "Unprivileged processes may see subjects/objects with different real uid");
1391
1392 /*-
1393 * Determine if u1 "can see" the subject specified by u2, according to the
1394 * 'see_other_uids' policy.
1395 * Returns: 0 for permitted, ESRCH otherwise
1396 * Locks: none
1397 * References: *u1 and *u2 must not change during the call
1398 * u1 may equal u2, in which case only one reference is required
1399 */
1400 static int
1401 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1402 {
1403
1404 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1405 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1406 return (ESRCH);
1407 }
1408 return (0);
1409 }
1410
1411 /*
1412 * 'see_other_gids' determines whether or not visibility of processes
1413 * and sockets with credentials holding different real gids is possible
1414 * using a variety of system MIBs.
1415 * XXX: data declarations should be together near the beginning of the file.
1416 */
1417 static int see_other_gids = 1;
1418 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1419 &see_other_gids, 0,
1420 "Unprivileged processes may see subjects/objects with different real gid");
1421
1422 /*
1423 * Determine if u1 can "see" the subject specified by u2, according to the
1424 * 'see_other_gids' policy.
1425 * Returns: 0 for permitted, ESRCH otherwise
1426 * Locks: none
1427 * References: *u1 and *u2 must not change during the call
1428 * u1 may equal u2, in which case only one reference is required
1429 */
1430 static int
1431 cr_seeothergids(struct ucred *u1, struct ucred *u2)
1432 {
1433 int i, match;
1434
1435 if (!see_other_gids) {
1436 match = 0;
1437 for (i = 0; i < u1->cr_ngroups; i++) {
1438 if (groupmember(u1->cr_groups[i], u2))
1439 match = 1;
1440 if (match)
1441 break;
1442 }
1443 if (!match) {
1444 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1445 return (ESRCH);
1446 }
1447 }
1448 return (0);
1449 }
1450
1451 /*-
1452 * Determine if u1 "can see" the subject specified by u2.
1453 * Returns: 0 for permitted, an errno value otherwise
1454 * Locks: none
1455 * References: *u1 and *u2 must not change during the call
1456 * u1 may equal u2, in which case only one reference is required
1457 */
1458 int
1459 cr_cansee(struct ucred *u1, struct ucred *u2)
1460 {
1461 int error;
1462
1463 if ((error = prison_check(u1, u2)))
1464 return (error);
1465 #ifdef MAC
1466 if ((error = mac_check_cred_visible(u1, u2)))
1467 return (error);
1468 #endif
1469 if ((error = cr_seeotheruids(u1, u2)))
1470 return (error);
1471 if ((error = cr_seeothergids(u1, u2)))
1472 return (error);
1473 return (0);
1474 }
1475
1476 /*-
1477 * Determine if td "can see" the subject specified by p.
1478 * Returns: 0 for permitted, an errno value otherwise
1479 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1480 * should be curthread.
1481 * References: td and p must be valid for the lifetime of the call
1482 */
1483 int
1484 p_cansee(struct thread *td, struct proc *p)
1485 {
1486
1487 /* Wrap cr_cansee() for all functionality. */
1488 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1489 PROC_LOCK_ASSERT(p, MA_OWNED);
1490 return (cr_cansee(td->td_ucred, p->p_ucred));
1491 }
1492
1493 /*
1494 * 'conservative_signals' prevents the delivery of a broad class of
1495 * signals by unprivileged processes to processes that have changed their
1496 * credentials since the last invocation of execve(). This can prevent
1497 * the leakage of cached information or retained privileges as a result
1498 * of a common class of signal-related vulnerabilities. However, this
1499 * may interfere with some applications that expect to be able to
1500 * deliver these signals to peer processes after having given up
1501 * privilege.
1502 */
1503 static int conservative_signals = 1;
1504 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1505 &conservative_signals, 0, "Unprivileged processes prevented from "
1506 "sending certain signals to processes whose credentials have changed");
1507 /*-
1508 * Determine whether cred may deliver the specified signal to proc.
1509 * Returns: 0 for permitted, an errno value otherwise.
1510 * Locks: A lock must be held for proc.
1511 * References: cred and proc must be valid for the lifetime of the call.
1512 */
1513 int
1514 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1515 {
1516 int error;
1517
1518 PROC_LOCK_ASSERT(proc, MA_OWNED);
1519 /*
1520 * Jail semantics limit the scope of signalling to proc in the
1521 * same jail as cred, if cred is in jail.
1522 */
1523 error = prison_check(cred, proc->p_ucred);
1524 if (error)
1525 return (error);
1526 #ifdef MAC
1527 if ((error = mac_check_proc_signal(cred, proc, signum)))
1528 return (error);
1529 #endif
1530 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1531 return (error);
1532 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1533 return (error);
1534
1535 /*
1536 * UNIX signal semantics depend on the status of the P_SUGID
1537 * bit on the target process. If the bit is set, then additional
1538 * restrictions are placed on the set of available signals.
1539 */
1540 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1541 switch (signum) {
1542 case 0:
1543 case SIGKILL:
1544 case SIGINT:
1545 case SIGTERM:
1546 case SIGALRM:
1547 case SIGSTOP:
1548 case SIGTTIN:
1549 case SIGTTOU:
1550 case SIGTSTP:
1551 case SIGHUP:
1552 case SIGUSR1:
1553 case SIGUSR2:
1554 /*
1555 * Generally, permit job and terminal control
1556 * signals.
1557 */
1558 break;
1559 default:
1560 /* Not permitted without privilege. */
1561 error = suser_cred(cred, SUSER_ALLOWJAIL);
1562 if (error)
1563 return (error);
1564 }
1565 }
1566
1567 /*
1568 * Generally, the target credential's ruid or svuid must match the
1569 * subject credential's ruid or euid.
1570 */
1571 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1572 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1573 cred->cr_uid != proc->p_ucred->cr_ruid &&
1574 cred->cr_uid != proc->p_ucred->cr_svuid) {
1575 /* Not permitted without privilege. */
1576 error = suser_cred(cred, SUSER_ALLOWJAIL);
1577 if (error)
1578 return (error);
1579 }
1580
1581 return (0);
1582 }
1583
1584
1585 /*-
1586 * Determine whether td may deliver the specified signal to p.
1587 * Returns: 0 for permitted, an errno value otherwise
1588 * Locks: Sufficient locks to protect various components of td and p
1589 * must be held. td must be curthread, and a lock must be
1590 * held for p.
1591 * References: td and p must be valid for the lifetime of the call
1592 */
1593 int
1594 p_cansignal(struct thread *td, struct proc *p, int signum)
1595 {
1596
1597 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1598 PROC_LOCK_ASSERT(p, MA_OWNED);
1599 if (td->td_proc == p)
1600 return (0);
1601
1602 /*
1603 * UNIX signalling semantics require that processes in the same
1604 * session always be able to deliver SIGCONT to one another,
1605 * overriding the remaining protections.
1606 */
1607 /* XXX: This will require an additional lock of some sort. */
1608 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1609 return (0);
1610 /*
1611 * Some compat layers use SIGTHR and higher signals for
1612 * communication between different kernel threads of the same
1613 * process, so that they expect that it's always possible to
1614 * deliver them, even for suid applications where cr_cansignal() can
1615 * deny such ability for security consideration. It should be
1616 * pretty safe to do since the only way to create two processes
1617 * with the same p_leader is via rfork(2).
1618 */
1619 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
1620 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
1621 return (0);
1622
1623 return (cr_cansignal(td->td_ucred, p, signum));
1624 }
1625
1626 /*-
1627 * Determine whether td may reschedule p.
1628 * Returns: 0 for permitted, an errno value otherwise
1629 * Locks: Sufficient locks to protect various components of td and p
1630 * must be held. td must be curthread, and a lock must
1631 * be held for p.
1632 * References: td and p must be valid for the lifetime of the call
1633 */
1634 int
1635 p_cansched(struct thread *td, struct proc *p)
1636 {
1637 int error;
1638
1639 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1640 PROC_LOCK_ASSERT(p, MA_OWNED);
1641 if (td->td_proc == p)
1642 return (0);
1643 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1644 return (error);
1645 #ifdef MAC
1646 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1647 return (error);
1648 #endif
1649 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1650 return (error);
1651 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1652 return (error);
1653 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1654 return (0);
1655 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1656 return (0);
1657 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
1658 return (0);
1659
1660 #ifdef CAPABILITIES
1661 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
1662 return (0);
1663 #endif
1664
1665 return (EPERM);
1666 }
1667
1668 /*
1669 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1670 * unprivileged inter-process debugging services, including some procfs
1671 * functionality, ptrace(), and ktrace(). In the past, inter-process
1672 * debugging has been involved in a variety of security problems, and sites
1673 * not requiring the service might choose to disable it when hardening
1674 * systems.
1675 *
1676 * XXX: Should modifying and reading this variable require locking?
1677 * XXX: data declarations should be together near the beginning of the file.
1678 */
1679 static int unprivileged_proc_debug = 1;
1680 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1681 &unprivileged_proc_debug, 0,
1682 "Unprivileged processes may use process debugging facilities");
1683
1684 /*-
1685 * Determine whether td may debug p.
1686 * Returns: 0 for permitted, an errno value otherwise
1687 * Locks: Sufficient locks to protect various components of td and p
1688 * must be held. td must be curthread, and a lock must
1689 * be held for p.
1690 * References: td and p must be valid for the lifetime of the call
1691 */
1692 int
1693 p_candebug(struct thread *td, struct proc *p)
1694 {
1695 int credentialchanged, error, grpsubset, i, uidsubset;
1696
1697 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1698 PROC_LOCK_ASSERT(p, MA_OWNED);
1699 if (!unprivileged_proc_debug) {
1700 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1701 if (error)
1702 return (error);
1703 }
1704 if (td->td_proc == p)
1705 return (0);
1706 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1707 return (error);
1708 #ifdef MAC
1709 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1710 return (error);
1711 #endif
1712 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1713 return (error);
1714 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1715 return (error);
1716
1717 /*
1718 * Is p's group set a subset of td's effective group set? This
1719 * includes p's egid, group access list, rgid, and svgid.
1720 */
1721 grpsubset = 1;
1722 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1723 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1724 grpsubset = 0;
1725 break;
1726 }
1727 }
1728 grpsubset = grpsubset &&
1729 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1730 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1731
1732 /*
1733 * Are the uids present in p's credential equal to td's
1734 * effective uid? This includes p's euid, svuid, and ruid.
1735 */
1736 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1737 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1738 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1739
1740 /*
1741 * Has the credential of the process changed since the last exec()?
1742 */
1743 credentialchanged = (p->p_flag & P_SUGID);
1744
1745 /*
1746 * If p's gids aren't a subset, or the uids aren't a subset,
1747 * or the credential has changed, require appropriate privilege
1748 * for td to debug p. For POSIX.1e capabilities, this will
1749 * require CAP_SYS_PTRACE.
1750 */
1751 if (!grpsubset || !uidsubset || credentialchanged) {
1752 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1753 if (error)
1754 return (error);
1755 }
1756
1757 /* Can't trace init when securelevel > 0. */
1758 if (p == initproc) {
1759 error = securelevel_gt(td->td_ucred, 0);
1760 if (error)
1761 return (error);
1762 }
1763
1764 /*
1765 * Can't trace a process that's currently exec'ing.
1766 * XXX: Note, this is not a security policy decision, it's a
1767 * basic correctness/functionality decision. Therefore, this check
1768 * should be moved to the caller's of p_candebug().
1769 */
1770 if ((p->p_flag & P_INEXEC) != 0)
1771 return (EAGAIN);
1772
1773 return (0);
1774 }
1775
1776 /*-
1777 * Determine whether the subject represented by cred can "see" a socket.
1778 * Returns: 0 for permitted, ENOENT otherwise.
1779 */
1780 int
1781 cr_canseesocket(struct ucred *cred, struct socket *so)
1782 {
1783 int error;
1784
1785 error = prison_check(cred, so->so_cred);
1786 if (error)
1787 return (ENOENT);
1788 #ifdef MAC
1789 SOCK_LOCK(so);
1790 error = mac_check_socket_visible(cred, so);
1791 SOCK_UNLOCK(so);
1792 if (error)
1793 return (error);
1794 #endif
1795 if (cr_seeotheruids(cred, so->so_cred))
1796 return (ENOENT);
1797 if (cr_seeothergids(cred, so->so_cred))
1798 return (ENOENT);
1799
1800 return (0);
1801 }
1802
1803 /*-
1804 * Determine whether td can wait for the exit of p.
1805 * Returns: 0 for permitted, an errno value otherwise
1806 * Locks: Sufficient locks to protect various components of td and p
1807 * must be held. td must be curthread, and a lock must
1808 * be held for p.
1809 * References: td and p must be valid for the lifetime of the call
1810
1811 */
1812 int
1813 p_canwait(struct thread *td, struct proc *p)
1814 {
1815 int error;
1816
1817 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1818 PROC_LOCK_ASSERT(p, MA_OWNED);
1819 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1820 return (error);
1821 #ifdef MAC
1822 if ((error = mac_check_proc_wait(td->td_ucred, p)))
1823 return (error);
1824 #endif
1825 #if 0
1826 /* XXXMAC: This could have odd effects on some shells. */
1827 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1828 return (error);
1829 #endif
1830
1831 return (0);
1832 }
1833
1834 /*
1835 * Allocate a zeroed cred structure.
1836 * MPSAFE
1837 */
1838 struct ucred *
1839 crget(void)
1840 {
1841 register struct ucred *cr;
1842
1843 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1844 cr->cr_ref = 1;
1845 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1846 #ifdef MAC
1847 mac_init_cred(cr);
1848 #endif
1849 return (cr);
1850 }
1851
1852 /*
1853 * Claim another reference to a ucred structure.
1854 * MPSAFE
1855 */
1856 struct ucred *
1857 crhold(struct ucred *cr)
1858 {
1859
1860 mtx_lock(cr->cr_mtxp);
1861 cr->cr_ref++;
1862 mtx_unlock(cr->cr_mtxp);
1863 return (cr);
1864 }
1865
1866 /*
1867 * Free a cred structure.
1868 * Throws away space when ref count gets to 0.
1869 * MPSAFE
1870 */
1871 void
1872 crfree(struct ucred *cr)
1873 {
1874 struct mtx *mtxp = cr->cr_mtxp;
1875
1876 mtx_lock(mtxp);
1877 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1878 if (--cr->cr_ref == 0) {
1879 mtx_unlock(mtxp);
1880 /*
1881 * Some callers of crget(), such as nfs_statfs(),
1882 * allocate a temporary credential, but don't
1883 * allocate a uidinfo structure.
1884 */
1885 if (cr->cr_uidinfo != NULL)
1886 uifree(cr->cr_uidinfo);
1887 if (cr->cr_ruidinfo != NULL)
1888 uifree(cr->cr_ruidinfo);
1889 /*
1890 * Free a prison, if any.
1891 */
1892 if (jailed(cr))
1893 prison_free(cr->cr_prison);
1894 #ifdef MAC
1895 mac_destroy_cred(cr);
1896 #endif
1897 FREE(cr, M_CRED);
1898 } else {
1899 mtx_unlock(mtxp);
1900 }
1901 }
1902
1903 /*
1904 * Check to see if this ucred is shared.
1905 * MPSAFE
1906 */
1907 int
1908 crshared(struct ucred *cr)
1909 {
1910 int shared;
1911
1912 mtx_lock(cr->cr_mtxp);
1913 shared = (cr->cr_ref > 1);
1914 mtx_unlock(cr->cr_mtxp);
1915 return (shared);
1916 }
1917
1918 /*
1919 * Copy a ucred's contents from a template. Does not block.
1920 * MPSAFE
1921 */
1922 void
1923 crcopy(struct ucred *dest, struct ucred *src)
1924 {
1925
1926 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1927 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1928 (unsigned)((caddr_t)&src->cr_endcopy -
1929 (caddr_t)&src->cr_startcopy));
1930 uihold(dest->cr_uidinfo);
1931 uihold(dest->cr_ruidinfo);
1932 if (jailed(dest))
1933 prison_hold(dest->cr_prison);
1934 #ifdef MAC
1935 mac_copy_cred(src, dest);
1936 #endif
1937 }
1938
1939 /*
1940 * Dup cred struct to a new held one.
1941 * MPSAFE
1942 */
1943 struct ucred *
1944 crdup(struct ucred *cr)
1945 {
1946 struct ucred *newcr;
1947
1948 newcr = crget();
1949 crcopy(newcr, cr);
1950 return (newcr);
1951 }
1952
1953 /*
1954 * Fill in a struct xucred based on a struct ucred.
1955 * MPSAFE
1956 */
1957 void
1958 cru2x(struct ucred *cr, struct xucred *xcr)
1959 {
1960
1961 bzero(xcr, sizeof(*xcr));
1962 xcr->cr_version = XUCRED_VERSION;
1963 xcr->cr_uid = cr->cr_uid;
1964 xcr->cr_ngroups = cr->cr_ngroups;
1965 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1966 }
1967
1968 /*
1969 * small routine to swap a thread's current ucred for the correct one
1970 * taken from the process.
1971 * MPSAFE
1972 */
1973 void
1974 cred_update_thread(struct thread *td)
1975 {
1976 struct proc *p;
1977 struct ucred *cred;
1978
1979 p = td->td_proc;
1980 cred = td->td_ucred;
1981 PROC_LOCK(p);
1982 td->td_ucred = crhold(p->p_ucred);
1983 PROC_UNLOCK(p);
1984 if (cred != NULL)
1985 crfree(cred);
1986 }
1987
1988 /*
1989 * Get login name, if available.
1990 */
1991 #ifndef _SYS_SYSPROTO_H_
1992 struct getlogin_args {
1993 char *namebuf;
1994 u_int namelen;
1995 };
1996 #endif
1997 /*
1998 * MPSAFE
1999 */
2000 /* ARGSUSED */
2001 int
2002 getlogin(struct thread *td, struct getlogin_args *uap)
2003 {
2004 int error;
2005 char login[MAXLOGNAME];
2006 struct proc *p = td->td_proc;
2007
2008 if (uap->namelen > MAXLOGNAME)
2009 uap->namelen = MAXLOGNAME;
2010 PROC_LOCK(p);
2011 SESS_LOCK(p->p_session);
2012 bcopy(p->p_session->s_login, login, uap->namelen);
2013 SESS_UNLOCK(p->p_session);
2014 PROC_UNLOCK(p);
2015 error = copyout(login, uap->namebuf, uap->namelen);
2016 return(error);
2017 }
2018
2019 /*
2020 * Set login name.
2021 */
2022 #ifndef _SYS_SYSPROTO_H_
2023 struct setlogin_args {
2024 char *namebuf;
2025 };
2026 #endif
2027 /*
2028 * MPSAFE
2029 */
2030 /* ARGSUSED */
2031 int
2032 setlogin(struct thread *td, struct setlogin_args *uap)
2033 {
2034 struct proc *p = td->td_proc;
2035 int error;
2036 char logintmp[MAXLOGNAME];
2037
2038 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
2039 if (error)
2040 return (error);
2041 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2042 if (error == ENAMETOOLONG)
2043 error = EINVAL;
2044 else if (!error) {
2045 PROC_LOCK(p);
2046 SESS_LOCK(p->p_session);
2047 (void) memcpy(p->p_session->s_login, logintmp,
2048 sizeof(logintmp));
2049 SESS_UNLOCK(p->p_session);
2050 PROC_UNLOCK(p);
2051 }
2052 return (error);
2053 }
2054
2055 void
2056 setsugid(struct proc *p)
2057 {
2058
2059 PROC_LOCK_ASSERT(p, MA_OWNED);
2060 p->p_flag |= P_SUGID;
2061 if (!(p->p_pfsflags & PF_ISUGID))
2062 p->p_stops = 0;
2063 }
2064
2065 /*-
2066 * Change a process's effective uid.
2067 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
2068 * References: newcred must be an exclusive credential reference for the
2069 * duration of the call.
2070 */
2071 void
2072 change_euid(struct ucred *newcred, struct uidinfo *euip)
2073 {
2074
2075 newcred->cr_uid = euip->ui_uid;
2076 uihold(euip);
2077 uifree(newcred->cr_uidinfo);
2078 newcred->cr_uidinfo = euip;
2079 }
2080
2081 /*-
2082 * Change a process's effective gid.
2083 * Side effects: newcred->cr_gid will be modified.
2084 * References: newcred must be an exclusive credential reference for the
2085 * duration of the call.
2086 */
2087 void
2088 change_egid(struct ucred *newcred, gid_t egid)
2089 {
2090
2091 newcred->cr_groups[0] = egid;
2092 }
2093
2094 /*-
2095 * Change a process's real uid.
2096 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
2097 * will be updated, and the old and new cr_ruidinfo proc
2098 * counts will be updated.
2099 * References: newcred must be an exclusive credential reference for the
2100 * duration of the call.
2101 */
2102 void
2103 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
2104 {
2105
2106 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
2107 newcred->cr_ruid = ruip->ui_uid;
2108 uihold(ruip);
2109 uifree(newcred->cr_ruidinfo);
2110 newcred->cr_ruidinfo = ruip;
2111 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2112 }
2113
2114 /*-
2115 * Change a process's real gid.
2116 * Side effects: newcred->cr_rgid will be updated.
2117 * References: newcred must be an exclusive credential reference for the
2118 * duration of the call.
2119 */
2120 void
2121 change_rgid(struct ucred *newcred, gid_t rgid)
2122 {
2123
2124 newcred->cr_rgid = rgid;
2125 }
2126
2127 /*-
2128 * Change a process's saved uid.
2129 * Side effects: newcred->cr_svuid will be updated.
2130 * References: newcred must be an exclusive credential reference for the
2131 * duration of the call.
2132 */
2133 void
2134 change_svuid(struct ucred *newcred, uid_t svuid)
2135 {
2136
2137 newcred->cr_svuid = svuid;
2138 }
2139
2140 /*-
2141 * Change a process's saved gid.
2142 * Side effects: newcred->cr_svgid will be updated.
2143 * References: newcred must be an exclusive credential reference for the
2144 * duration of the call.
2145 */
2146 void
2147 change_svgid(struct ucred *newcred, gid_t svgid)
2148 {
2149
2150 newcred->cr_svgid = svgid;
2151 }
Cache object: 17e5bbb81bf466cfc65f739a9e064822
|